Imported Upstream version 4.53
commit ce7eba2efe
4
AUTHORS
Normal file
@ -0,0 +1,4 @@
stunnel authors

Michal Trojnara <Michal.Trojnara@mirt.net>

5
BUGS
Normal file
@ -0,0 +1,5 @@
stunnel known bugs


- Shared library for transparent proxy does not support IPv6.

33
COPYING
Normal file
@ -0,0 +1,33 @@
stunnel license (see COPYRIGHT.GPL for detailed GPL conditions)

Copyright (C) 1998-2012 Michal Trojnara

This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version.

This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with
this program; if not, see <http://www.gnu.org/licenses>.

Linking stunnel statically or dynamically with other modules is making
a combined work based on stunnel. Thus, the terms and conditions of the
GNU General Public License cover the whole combination.

In addition, as a special exception, the copyright holder of stunnel gives you
permission to combine stunnel with free software programs or libraries that
are released under the GNU LGPL and with code included in the standard release
of OpenSSL under the OpenSSL License (or modified versions of such code, with
unchanged license). You may copy and distribute such a system following the
terms of the GNU GPL for stunnel and the licenses of the other code concerned.

Note that people who make modified versions of stunnel are not obligated to
grant this special exception for their modified versions; it is their choice
whether to do so. The GNU General Public License gives permission to release
a modified version without this exception; this exception also makes it
possible to release a modified version which carries forward this exception.

339
COPYRIGHT.GPL
Normal file
@ -0,0 +1,339 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.

When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.

We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.

Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and
modification follow.

GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.

You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.

b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.

c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.

In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.

3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,

b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.

If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.

5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.

7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.

It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.

This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.

Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.

10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

Appendix: How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.

<one line to give the program's name and a brief idea of what it does.>
Copyright (C) 19yy <name of author>

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.

<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice

This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.
9
CREDITS
Normal file
@ -0,0 +1,9 @@
Special thx to:

* Adam Hernik <adas@infocentrum.com>
* Pawel Krawczyk <kravietz@ceti.com.pl>
* Brian Hatch <bri@stunnel.org>
* Dirk O. Siebnich <dok@vossnet.de> for PTY support

and many others...

40
INSTALL
Normal file
@ -0,0 +1,40 @@
stunnel Unix install notes


1. If your machine supports POSIX threads make sure your SSL
library is compiled with -DTHREADS.

2. Compile the software:

./configure
make
make install

(see potential options for 'configure' at the end of this file)

3. Create stunnel configuration file (stunnel.conf).

4. Add stunnel invocation to your system's startup files.
For SysV-compatible init you can use stunnel.init script.

or

Modify /etc/services and /etc/inetd.conf, restart inetd (inetd mode).

See the manual for details.

5. There are a variety of compile-time options you may supply when
running configure. Most commonly used are:

--with-ssl=DIR
where your SSL libraries and include files are installed

--with-random=FILE
read randomness from FILE for PRNG seeding

--with-egd-socket=FILE
location of Entropy Gathering Daemon socket, if running EGD
(for example on a machine that lacks a /dev/urandom device)

Use `./configure --help' to see all the options.

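Review bot: the line "read randomness from FILE for PRNG seeding" under --with-random=FILE should state that FILE has to be a real entropy source (a device such as the /dev/urandom mentioned two options below, or the EGD socket), not an arbitrary readable file; the contents seed OpenSSL's PRNG, so a static or world-readable seed file makes every key and session secret stunnel generates predictable. Step 1 has a similar gap: it tells the reader to make sure the SSL library "is compiled with -DTHREADS" but not how to confirm that, and a threaded stunnel linked against a non-threaded library is the kind of silent misbuild these notes exist to prevent; one sentence on how to check would close it.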
23
INSTALL.FIPS
Normal file
@ -0,0 +1,23 @@
stunnel FIPS install notes


Unix HOWTO:
FIPS mode is autodetected if possible. You can force it with:
./configure --enable-fips
or disable with:
./configure --disable-fips

WIN32 HOWTO:
* On 32-bit Windows install one of the following compilers:
- MSVC 8.0 (VS 2005) Standard or Professional Edition
- MSVC 9.0 (VS 2008) any edition including Express Edition
* On 64-bit Windows install one of the following compilers:
- MSVC 8.0 (VS 2005) Standard or Professional Edition
- MSVC 9.0 (VS 2008) Standard or Professional Edition
* Build FIPS-compliant OpenSSL DLLS according to:
http://www.openssl.org/docs/fips/UserGuide-1.2.pdf
* Build stunnel normally with MSVC or Mingw.
Mingw build requires DLL stubs. Stubs can be built with:
dlltool --def ms/libeay32.def --output-lib libcrypto.a
dlltool --def ms/ssleay32.def --output-lib libssl.a

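Review bot: "FIPS mode is autodetected if possible" gives the operator no way to tell which mode the resulting binary actually runs in, and a silent fallback to non-FIPS is exactly the failure a compliance deployment has to catch; next to the --enable-fips / --disable-fips lines, say where stunnel reports its FIPS status at runtime so it can be verified rather than assumed, and note that --enable-fips should make configure fail, not fall back, when the FIPS-capable OpenSSL is missing. In the WIN32 section, the pointer to UserGuide-1.2.pdf should add that the DLLs only count as FIPS-validated when built exactly as that guide prescribes; "Build stunnel normally" is fine for linking against them, but any deviation in the OpenSSL build itself voids the validation.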
51
INSTALL.W32
Normal file
@ -0,0 +1,51 @@
stunnel Windows install notes


Building stunnel from source (optional):

1) Install mingw32 cross-compiler o a Unix/Linux machine.
In Debian all you need is:
apt-get install gcc-mingw32
Native compilation on a Windows machine is possible, but not supported.

2) Download the recent zlib from http://www.zlib.net/
Update the following definitions in win32/Makefile.gcc file:
SHARED_MODE=1
PREFIX = i586-mingw32msvc-
then build zlib with:
make -f win32/Makefile.gcc
and install it in mingw32 tree:
sudo BINARY_PATH=~/ \
INCLUDE_PATH=/usr/i586-mingw32msvc/include/ \
LIBRARY_PATH=/usr/i586-mingw32msvc/lib/ \
make -f win32/Makefile.gcc install

3) Download the recent OpenSSL in unpack it to /usr/src/ directory.
cd /usr/src
tar zvxf ~/openssl-(version).tar.gz
mv openssl-(version) openssl-(version)-i586

4) Build OpenSSL.
./Configure --cross-compile-prefix=i586-mingw32msvc- mingw shared zlib-dynamic
make

5) Download and unpack stunnel-(version).tar.gz.

6) Configure stunnel.
cd stunnel-(version)
./configure --with-ssl=/path/to/openssl-(version)

7) Build windows executable.
cd src
make stunnel.exe


Installing stunnel:

1) run installer to install precompiled binaries or copy stunnel.exe and
OpenSSL DLLs into a directory

2) read the manual (stunnel.html)

3) create/edit stunnel.conf configuration file

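Review bot: steps 2 and 3 fetch zlib and OpenSSL from the network and step 5 fetches the stunnel tarball, yet none of them says to verify what was downloaded, while the Makefile.am in this same commit goes to the trouble of publishing a detached gpg signature and a sha256 file for stunnel's own releases; the notes should tell the builder to check the upstream signatures or published checksums before building, since the stunnel.exe and DLLs produced here are the trust boundary for every tunnel they terminate. Two typos while here: "1) Install mingw32 cross-compiler o a Unix/Linux machine" (on a), and "3) Download the recent OpenSSL in unpack it" (and unpack it).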
45
INSTALL.WCE
Normal file
@ -0,0 +1,45 @@
stunnel Windows CE install notes


Two stunnel executables are available for Windows CE platform:

1) stunnel.exe - version with interactive GUI

2) tstunnel.exe - non-iteractive version for headless devices


Building stunnel from source (optional):

1) install the following tools:
evt2002web_min.exe from http://www.microsoft.com/
ActivePerl from http://www.activestate.com/Products/ActivePerl/
unzip.exe (file needs to be renamed) from
http://www.mirrorservice.org/sites/ftp.info-zip.org/pub/infozip/WIN32/

2) download the OpenSSL source files (the whole directory):
ftp://ftp.stunnel.org/stunnel/openssl/ce/

3) your directory should look like this:
build.bat
build.pl
unzip.exe
src\openssl-0.9.8a.zip
src\wcecompat-1.2.zip

4) type "build" to build OpenSSL

5) download and unpack stunnel-(version).tar.gz

4) enter "stunnel-(version)\src" subdirectory

5) type "makece" to build stunnel


Installing stunnel:

1) copy OpenSSL DLLs and stunnel.exe or tstunnel.exe into \stunnel directory

2) read the manual (stunnel.html)

3) create/edit stunnel.conf configuration file

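Review bot: the build steps are misnumbered (1, 2, 3, 4, 5, 4, 5); "enter stunnel-(version)\src" and "type makece" should be 6) and 7). The directory listing also pins src\openssl-0.9.8a.zip, many patch letters behind the openssl-0.9.8s-fips tree the dist-hook in this commit's Makefile.am uses, and the OpenSSL sources are pulled from a plain ftp:// directory with no checksum or signature to compare against; the notes should name the OpenSSL release the CE build is expected to use and how to verify the download, rather than leave a years-old archive name as the implied target. Typo in the executable list: "non-iteractive" (non-interactive).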
37
Makefile.am
Normal file
37
Makefile.am
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
## Process this file with automake to produce Makefile.in
|
||||||
|
|
||||||
|
ACLOCAL_AMFLAGS = -I m4
|
||||||
|
|
||||||
|
SUBDIRS = src doc tools
|
||||||
|
|
||||||
|
LIBTOOL_DEPS = @LIBTOOL_DEPS@
|
||||||
|
libtool: $(LIBTOOL_DEPS)
|
||||||
|
$(SHELL) ./config.status libtool
|
||||||
|
|
||||||
|
EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS
|
||||||
|
EXTRA_DIST += INSTALL.W32 INSTALL.WCE INSTALL.FIPS
|
||||||
|
EXTRA_DIST += build-android.sh
|
||||||
|
|
||||||
|
docdir = $(datadir)/doc/stunnel
|
||||||
|
doc_DATA = INSTALL README TODO COPYING AUTHORS ChangeLog
|
||||||
|
doc_DATA += PORTS BUGS COPYRIGHT.GPL CREDITS
|
||||||
|
doc_DATA += INSTALL.W32 INSTALL.WCE INSTALL.FIPS
|
||||||
|
|
||||||
|
distcleancheck_listfiles = find -type f -exec sh -c 'test -f $(srcdir)/{} || echo {}' ';'
|
||||||
|
|
||||||
|
distclean-local:
|
||||||
|
rm -rf autom4te.cache
|
||||||
|
rm -f $(distdir)-installer.exe
|
||||||
|
|
||||||
|
dist-hook:
|
||||||
|
makensis -NOCD -DVERSION=${VERSION} -DSRCDIR=$(srcdir) \
|
||||||
|
-DDLLS=/usr/src/openssl-0.9.8s-fips/out32dll \
|
||||||
|
$(srcdir)/tools/stunnel.nsi
|
||||||
|
|
||||||
|
sign: dist
|
||||||
|
cp -f $(distdir).tar.gz ../dist
|
||||||
|
cp -f $(distdir)-installer.exe ../dist
|
||||||
|
gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir).tar.gz
|
||||||
|
gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir)-installer.exe
|
||||||
|
sha256sum $(distdir).tar.gz | tee ../dist/$(distdir).tar.gz.sha256
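Review bot: the `dist-hook` recipe bakes a maintainer-local absolute path into the distribution build, `-DDLLS=/usr/src/openssl-0.9.8s-fips/out32dll`, and calls `makensis` unconditionally, so `make dist` (and `distcheck`, which runs `dist` again inside the unpacked tree) fails on any host that lacks NSIS or that exact OpenSSL 0.9.8s-fips build tree; the DLL directory should come from a configure-time or command-line variable and the installer step should be skipped when `makensis` is not found. In the `sign` target, `--force-v3-sigs` requests legacy OpenPGP v3 signatures, which newer GnuPG ignores in favour of v4, so drop it; and the checksum line `sha256sum $(distdir).tar.gz | tee ../dist/$(distdir).tar.gz.sha256` hashes the build-tree copy rather than the file that was just copied into ../dist, and produces no checksum at all for `$(distdir)-installer.exe`, so hash both published artifacts from ../dist so that the .sha256 files describe exactly what is shipped.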
780
Makefile.in
Normal file
@ -0,0 +1,780 @@
# Makefile.in generated by automake 1.11.1 from Makefile.am.
|
||||||
|
# @configure_input@
|
||||||
|
|
||||||
|
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
|
||||||
|
# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
|
||||||
|
# Inc.
|
||||||
|
# This Makefile.in is free software; the Free Software Foundation
|
||||||
|
# gives unlimited permission to copy and/or distribute it,
|
||||||
|
# with or without modifications, as long as this notice is preserved.
|
||||||
|
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
|
||||||
|
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
|
||||||
|
# PARTICULAR PURPOSE.
|
||||||
|
|
||||||
|
@SET_MAKE@
|
||||||
|
|
||||||
|
VPATH = @srcdir@
|
||||||
|
pkgdatadir = $(datadir)/@PACKAGE@
|
||||||
|
pkgincludedir = $(includedir)/@PACKAGE@
|
||||||
|
pkglibdir = $(libdir)/@PACKAGE@
|
||||||
|
pkglibexecdir = $(libexecdir)/@PACKAGE@
|
||||||
|
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
|
||||||
|
install_sh_DATA = $(install_sh) -c -m 644
|
||||||
|
install_sh_PROGRAM = $(install_sh) -c
|
||||||
|
install_sh_SCRIPT = $(install_sh) -c
|
||||||
|
INSTALL_HEADER = $(INSTALL_DATA)
|
||||||
|
transform = $(program_transform_name)
|
||||||
|
NORMAL_INSTALL = :
|
||||||
|
PRE_INSTALL = :
|
||||||
|
POST_INSTALL = :
|
||||||
|
NORMAL_UNINSTALL = :
|
||||||
|
PRE_UNINSTALL = :
|
||||||
|
POST_UNINSTALL = :
|
||||||
|
build_triplet = @build@
|
||||||
|
host_triplet = @host@
|
||||||
|
subdir = .
|
||||||
|
DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \
|
||||||
|
$(srcdir)/Makefile.in $(top_srcdir)/configure AUTHORS COPYING \
|
||||||
|
ChangeLog INSTALL NEWS TODO auto/compile auto/config.guess \
|
||||||
|
auto/config.sub auto/depcomp auto/install-sh auto/ltmain.sh \
|
||||||
|
auto/missing
|
||||||
|
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
|
||||||
|
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
|
||||||
|
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
|
||||||
|
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
|
||||||
|
$(top_srcdir)/configure.ac
|
||||||
|
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
|
||||||
|
$(ACLOCAL_M4)
|
||||||
|
am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
|
||||||
|
configure.lineno config.status.lineno
|
||||||
|
mkinstalldirs = $(install_sh) -d
|
||||||
|
CONFIG_HEADER = $(top_builddir)/src/config.h
|
||||||
|
CONFIG_CLEAN_FILES =
|
||||||
|
CONFIG_CLEAN_VPATH_FILES =
|
||||||
|
SOURCES =
|
||||||
|
DIST_SOURCES =
|
||||||
|
RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
|
||||||
|
html-recursive info-recursive install-data-recursive \
|
||||||
|
install-dvi-recursive install-exec-recursive \
|
||||||
|
install-html-recursive install-info-recursive \
|
||||||
|
install-pdf-recursive install-ps-recursive install-recursive \
|
||||||
|
installcheck-recursive installdirs-recursive pdf-recursive \
|
||||||
|
ps-recursive uninstall-recursive
|
||||||
|
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
|
||||||
|
am__vpath_adj = case $$p in \
|
||||||
|
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
|
||||||
|
*) f=$$p;; \
|
||||||
|
esac;
|
||||||
|
am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
|
||||||
|
am__install_max = 40
|
||||||
|
am__nobase_strip_setup = \
|
||||||
|
srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
|
||||||
|
am__nobase_strip = \
|
||||||
|
for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
|
||||||
|
am__nobase_list = $(am__nobase_strip_setup); \
|
||||||
|
for p in $$list; do echo "$$p $$p"; done | \
|
||||||
|
sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
|
||||||
|
$(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
|
||||||
|
if (++n[$$2] == $(am__install_max)) \
|
||||||
|
{ print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
|
||||||
|
END { for (dir in files) print dir, files[dir] }'
|
||||||
|
am__base_list = \
|
||||||
|
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
|
||||||
|
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
|
||||||
|
am__installdirs = "$(DESTDIR)$(docdir)"
|
||||||
|
DATA = $(doc_DATA)
|
||||||
|
RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
|
||||||
|
distclean-recursive maintainer-clean-recursive
|
||||||
|
AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
|
||||||
|
$(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \
|
||||||
|
distdir dist dist-all distcheck
|
||||||
|
ETAGS = etags
|
||||||
|
CTAGS = ctags
|
||||||
|
DIST_SUBDIRS = $(SUBDIRS)
|
||||||
|
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
|
||||||
|
distdir = $(PACKAGE)-$(VERSION)
|
||||||
|
top_distdir = $(distdir)
|
||||||
|
am__remove_distdir = \
|
||||||
|
{ test ! -d "$(distdir)" \
|
||||||
|
|| { find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
|
||||||
|
&& rm -fr "$(distdir)"; }; }
|
||||||
|
am__relativize = \
|
||||||
|
dir0=`pwd`; \
|
||||||
|
sed_first='s,^\([^/]*\)/.*$$,\1,'; \
|
||||||
|
sed_rest='s,^[^/]*/*,,'; \
|
||||||
|
sed_last='s,^.*/\([^/]*\)$$,\1,'; \
|
||||||
|
sed_butlast='s,/*[^/]*$$,,'; \
|
||||||
|
while test -n "$$dir1"; do \
|
||||||
|
first=`echo "$$dir1" | sed -e "$$sed_first"`; \
|
||||||
|
if test "$$first" != "."; then \
|
||||||
|
if test "$$first" = ".."; then \
|
||||||
|
dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
|
||||||
|
dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
|
||||||
|
else \
|
||||||
|
first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
|
||||||
|
if test "$$first2" = "$$first"; then \
|
||||||
|
dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
|
||||||
|
else \
|
||||||
|
dir2="../$$dir2"; \
|
||||||
|
fi; \
|
||||||
|
dir0="$$dir0"/"$$first"; \
|
||||||
|
fi; \
|
||||||
|
fi; \
|
||||||
|
dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
|
||||||
|
done; \
|
||||||
|
reldir="$$dir2"
|
||||||
|
DIST_ARCHIVES = $(distdir).tar.gz
|
||||||
|
GZIP_ENV = --best
|
||||||
|
distuninstallcheck_listfiles = find . -type f -print
|
||||||
|
ACLOCAL = @ACLOCAL@
|
||||||
|
AMTAR = @AMTAR@
|
||||||
|
AR = @AR@
|
||||||
|
AUTOCONF = @AUTOCONF@
|
||||||
|
AUTOHEADER = @AUTOHEADER@
|
||||||
|
AUTOMAKE = @AUTOMAKE@
|
||||||
|
AWK = @AWK@
|
||||||
|
CC = @CC@
|
||||||
|
CCDEPMODE = @CCDEPMODE@
|
||||||
|
CFLAGS = @CFLAGS@
|
||||||
|
CPP = @CPP@
|
||||||
|
CPPFLAGS = @CPPFLAGS@
|
||||||
|
CYGPATH_W = @CYGPATH_W@
|
||||||
|
DEFAULT_GROUP = @DEFAULT_GROUP@
|
||||||
|
DEFS = @DEFS@
|
||||||
|
DEPDIR = @DEPDIR@
|
||||||
|
DSYMUTIL = @DSYMUTIL@
|
||||||
|
DUMPBIN = @DUMPBIN@
|
||||||
|
ECHO_C = @ECHO_C@
|
||||||
|
ECHO_N = @ECHO_N@
|
||||||
|
ECHO_T = @ECHO_T@
|
||||||
|
EGREP = @EGREP@
|
||||||
|
EXEEXT = @EXEEXT@
|
||||||
|
FGREP = @FGREP@
|
||||||
|
GREP = @GREP@
|
||||||
|
INSTALL = @INSTALL@
|
||||||
|
INSTALL_DATA = @INSTALL_DATA@
|
||||||
|
INSTALL_PROGRAM = @INSTALL_PROGRAM@
|
||||||
|
INSTALL_SCRIPT = @INSTALL_SCRIPT@
|
||||||
|
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
|
||||||
|
LD = @LD@
|
||||||
|
LDFLAGS = @LDFLAGS@
|
||||||
|
LIBOBJS = @LIBOBJS@
|
||||||
|
LIBS = @LIBS@
|
||||||
|
LIBTOOL = @LIBTOOL@
|
||||||
|
LIBTOOL_DEPS = @LIBTOOL_DEPS@
|
||||||
|
LIPO = @LIPO@
|
||||||
|
LN_S = @LN_S@
|
||||||
|
LTLIBOBJS = @LTLIBOBJS@
|
||||||
|
MAKEINFO = @MAKEINFO@
|
||||||
|
MKDIR_P = @MKDIR_P@
|
||||||
|
NM = @NM@
|
||||||
|
NMEDIT = @NMEDIT@
|
||||||
|
OBJDUMP = @OBJDUMP@
|
||||||
|
OBJEXT = @OBJEXT@
|
||||||
|
OTOOL = @OTOOL@
|
||||||
|
OTOOL64 = @OTOOL64@
|
||||||
|
PACKAGE = @PACKAGE@
|
||||||
|
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
|
||||||
|
PACKAGE_NAME = @PACKAGE_NAME@
|
||||||
|
PACKAGE_STRING = @PACKAGE_STRING@
|
||||||
|
PACKAGE_TARNAME = @PACKAGE_TARNAME@
|
||||||
|
PACKAGE_URL = @PACKAGE_URL@
|
||||||
|
PACKAGE_VERSION = @PACKAGE_VERSION@
|
||||||
|
PATH_SEPARATOR = @PATH_SEPARATOR@
|
||||||
|
RANDOM_FILE = @RANDOM_FILE@
|
||||||
|
RANLIB = @RANLIB@
|
||||||
|
SED = @SED@
|
||||||
|
SET_MAKE = @SET_MAKE@
|
||||||
|
SHELL = @SHELL@
|
||||||
|
SSLDIR = @SSLDIR@
|
||||||
|
STRIP = @STRIP@
|
||||||
|
VERSION = @VERSION@
|
||||||
|
abs_builddir = @abs_builddir@
|
||||||
|
abs_srcdir = @abs_srcdir@
|
||||||
|
abs_top_builddir = @abs_top_builddir@
|
||||||
|
abs_top_srcdir = @abs_top_srcdir@
|
||||||
|
ac_ct_CC = @ac_ct_CC@
|
||||||
|
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
|
||||||
|
am__include = @am__include@
|
||||||
|
am__leading_dot = @am__leading_dot@
|
||||||
|
am__quote = @am__quote@
|
||||||
|
am__tar = @am__tar@
|
||||||
|
am__untar = @am__untar@
|
||||||
|
bindir = @bindir@
|
||||||
|
build = @build@
|
||||||
|
build_alias = @build_alias@
|
||||||
|
build_cpu = @build_cpu@
|
||||||
|
build_os = @build_os@
|
||||||
|
build_vendor = @build_vendor@
|
||||||
|
builddir = @builddir@
|
||||||
|
datadir = @datadir@
|
||||||
|
datarootdir = @datarootdir@
|
||||||
|
docdir = $(datadir)/doc/stunnel
|
||||||
|
dvidir = @dvidir@
|
||||||
|
exec_prefix = @exec_prefix@
|
||||||
|
host = @host@
|
||||||
|
host_alias = @host_alias@
|
||||||
|
host_cpu = @host_cpu@
|
||||||
|
host_os = @host_os@
|
||||||
|
host_vendor = @host_vendor@
|
||||||
|
htmldir = @htmldir@
|
||||||
|
includedir = @includedir@
|
||||||
|
infodir = @infodir@
|
||||||
|
install_sh = @install_sh@
|
||||||
|
libdir = @libdir@
|
||||||
|
libexecdir = @libexecdir@
|
||||||
|
localedir = @localedir@
|
||||||
|
localstatedir = @localstatedir@
|
||||||
|
lt_ECHO = @lt_ECHO@
|
||||||
|
mandir = @mandir@
|
||||||
|
mkdir_p = @mkdir_p@
|
||||||
|
oldincludedir = @oldincludedir@
|
||||||
|
pdfdir = @pdfdir@
|
||||||
|
prefix = @prefix@
|
||||||
|
program_transform_name = @program_transform_name@
|
||||||
|
psdir = @psdir@
|
||||||
|
sbindir = @sbindir@
|
||||||
|
sharedstatedir = @sharedstatedir@
|
||||||
|
srcdir = @srcdir@
|
||||||
|
stunnel_CFLAGS = @stunnel_CFLAGS@
|
||||||
|
stunnel_LDFLAGF = @stunnel_LDFLAGF@
|
||||||
|
stunnel_LDFLAGS = @stunnel_LDFLAGS@
|
||||||
|
sysconfdir = @sysconfdir@
|
||||||
|
target_alias = @target_alias@
|
||||||
|
top_build_prefix = @top_build_prefix@
|
||||||
|
top_builddir = @top_builddir@
|
||||||
|
top_srcdir = @top_srcdir@
|
||||||
|
ACLOCAL_AMFLAGS = -I m4
|
||||||
|
SUBDIRS = src doc tools
|
||||||
|
EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE \
|
||||||
|
INSTALL.FIPS build-android.sh
|
||||||
|
doc_DATA = INSTALL README TODO COPYING AUTHORS ChangeLog PORTS BUGS \
|
||||||
|
COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE INSTALL.FIPS
|
||||||
|
distcleancheck_listfiles = find -type f -exec sh -c 'test -f $(srcdir)/{} || echo {}' ';'
|
||||||
|
all: all-recursive
|
||||||
|
|
||||||
|
.SUFFIXES:
|
||||||
|
am--refresh:
|
||||||
|
@:
|
||||||
|
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
|
||||||
|
@for dep in $?; do \
|
||||||
|
case '$(am__configure_deps)' in \
|
||||||
|
*$$dep*) \
|
||||||
|
echo ' cd $(srcdir) && $(AUTOMAKE) --gnu'; \
|
||||||
|
$(am__cd) $(srcdir) && $(AUTOMAKE) --gnu \
|
||||||
|
&& exit 0; \
|
||||||
|
exit 1;; \
|
||||||
|
esac; \
|
||||||
|
done; \
|
||||||
|
echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu Makefile'; \
|
||||||
|
$(am__cd) $(top_srcdir) && \
|
||||||
|
$(AUTOMAKE) --gnu Makefile
|
||||||
|
.PRECIOUS: Makefile
|
||||||
|
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
|
||||||
|
@case '$?' in \
|
||||||
|
*config.status*) \
|
||||||
|
echo ' $(SHELL) ./config.status'; \
|
||||||
|
$(SHELL) ./config.status;; \
|
||||||
|
*) \
|
||||||
|
echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe)'; \
|
||||||
|
cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe);; \
|
||||||
|
esac;
|
||||||
|
|
||||||
|
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
|
||||||
|
$(SHELL) ./config.status --recheck
|
||||||
|
|
||||||
|
$(top_srcdir)/configure: $(am__configure_deps)
|
||||||
|
$(am__cd) $(srcdir) && $(AUTOCONF)
|
||||||
|
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
|
||||||
|
$(am__cd) $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS)
|
||||||
|
$(am__aclocal_m4_deps):
|
||||||
|
|
||||||
|
mostlyclean-libtool:
|
||||||
|
-rm -f *.lo
|
||||||
|
|
||||||
|
clean-libtool:
|
||||||
|
-rm -rf .libs _libs
|
||||||
|
|
||||||
|
distclean-libtool:
|
||||||
|
-rm -f libtool config.lt
|
||||||
|
install-docDATA: $(doc_DATA)
|
||||||
|
@$(NORMAL_INSTALL)
|
||||||
|
test -z "$(docdir)" || $(MKDIR_P) "$(DESTDIR)$(docdir)"
|
||||||
|
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
|
||||||
|
for p in $$list; do \
|
||||||
|
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
|
||||||
|
echo "$$d$$p"; \
|
||||||
|
done | $(am__base_list) | \
|
||||||
|
while read files; do \
|
||||||
|
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \
|
||||||
|
$(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \
|
||||||
|
done
|
||||||
|
|
||||||
|
uninstall-docDATA:
|
||||||
|
@$(NORMAL_UNINSTALL)
|
||||||
|
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
|
||||||
|
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
|
||||||
|
test -n "$$files" || exit 0; \
|
||||||
|
echo " ( cd '$(DESTDIR)$(docdir)' && rm -f" $$files ")"; \
|
||||||
|
cd "$(DESTDIR)$(docdir)" && rm -f $$files
|
||||||
|
|
||||||
|
# This directory's subdirectories are mostly independent; you can cd
|
||||||
|
# into them and run `make' without going through this Makefile.
|
||||||
|
# To change the values of `make' variables: instead of editing Makefiles,
|
||||||
|
# (1) if the variable is set in `config.status', edit `config.status'
|
||||||
|
# (which will cause the Makefiles to be regenerated when you run `make');
|
||||||
|
# (2) otherwise, pass the desired values on the `make' command line.
|
||||||
|
$(RECURSIVE_TARGETS):
|
||||||
|
@fail= failcom='exit 1'; \
|
||||||
|
for f in x $$MAKEFLAGS; do \
|
||||||
|
case $$f in \
|
||||||
|
*=* | --[!k]*);; \
|
||||||
|
*k*) failcom='fail=yes';; \
|
||||||
|
esac; \
|
||||||
|
done; \
|
||||||
|
dot_seen=no; \
|
||||||
|
target=`echo $@ | sed s/-recursive//`; \
|
||||||
|
list='$(SUBDIRS)'; for subdir in $$list; do \
|
||||||
|
echo "Making $$target in $$subdir"; \
|
||||||
|
if test "$$subdir" = "."; then \
|
||||||
|
dot_seen=yes; \
|
||||||
|
local_target="$$target-am"; \
|
||||||
|
else \
|
||||||
|
local_target="$$target"; \
|
||||||
|
fi; \
|
||||||
|
($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
|
||||||
|
|| eval $$failcom; \
|
||||||
|
done; \
|
||||||
|
if test "$$dot_seen" = "no"; then \
|
||||||
|
$(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
|
||||||
|
fi; test -z "$$fail"
|
||||||
|
|
||||||
|
$(RECURSIVE_CLEAN_TARGETS):
|
||||||
|
@fail= failcom='exit 1'; \
|
||||||
|
for f in x $$MAKEFLAGS; do \
|
||||||
|
case $$f in \
|
||||||
|
*=* | --[!k]*);; \
|
||||||
|
*k*) failcom='fail=yes';; \
|
||||||
|
esac; \
|
||||||
|
done; \
|
||||||
|
dot_seen=no; \
|
||||||
|
case "$@" in \
|
||||||
|
distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
|
||||||
|
*) list='$(SUBDIRS)' ;; \
|
||||||
|
esac; \
|
||||||
|
rev=''; for subdir in $$list; do \
|
||||||
|
if test "$$subdir" = "."; then :; else \
|
||||||
|
rev="$$subdir $$rev"; \
|
||||||
|
fi; \
|
||||||
|
done; \
|
||||||
|
rev="$$rev ."; \
|
||||||
|
target=`echo $@ | sed s/-recursive//`; \
|
||||||
|
for subdir in $$rev; do \
|
||||||
|
echo "Making $$target in $$subdir"; \
|
||||||
|
if test "$$subdir" = "."; then \
|
||||||
|
local_target="$$target-am"; \
|
||||||
|
else \
|
||||||
|
local_target="$$target"; \
|
||||||
|
fi; \
|
||||||
|
($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
|
||||||
|
|| eval $$failcom; \
|
||||||
|
done && test -z "$$fail"
|
||||||
|
tags-recursive:
|
||||||
|
list='$(SUBDIRS)'; for subdir in $$list; do \
|
||||||
|
test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
|
||||||
|
done
|
||||||
|
ctags-recursive:
|
||||||
|
list='$(SUBDIRS)'; for subdir in $$list; do \
|
||||||
|
test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
|
||||||
|
done
|
||||||
|
|
||||||
|
ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
|
||||||
|
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
|
||||||
|
unique=`for i in $$list; do \
|
||||||
|
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
|
||||||
|
done | \
|
||||||
|
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
|
||||||
|
END { if (nonempty) { for (i in files) print i; }; }'`; \
|
||||||
|
mkid -fID $$unique
|
||||||
|
tags: TAGS
|
||||||
|
|
||||||
|
TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
|
||||||
|
$(TAGS_FILES) $(LISP)
|
||||||
|
set x; \
|
||||||
|
here=`pwd`; \
|
||||||
|
if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
|
||||||
|
include_option=--etags-include; \
|
||||||
|
empty_fix=.; \
|
||||||
|
else \
|
||||||
|
include_option=--include; \
|
||||||
|
empty_fix=; \
|
||||||
|
fi; \
|
||||||
|
list='$(SUBDIRS)'; for subdir in $$list; do \
|
||||||
|
if test "$$subdir" = .; then :; else \
|
||||||
|
test ! -f $$subdir/TAGS || \
|
||||||
|
set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
|
||||||
|
fi; \
|
||||||
|
done; \
|
||||||
|
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
|
||||||
|
unique=`for i in $$list; do \
|
||||||
|
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
|
||||||
|
done | \
|
||||||
|
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
|
||||||
|
END { if (nonempty) { for (i in files) print i; }; }'`; \
|
||||||
|
shift; \
|
||||||
|
if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
|
||||||
|
test -n "$$unique" || unique=$$empty_fix; \
|
||||||
|
if test $$# -gt 0; then \
|
||||||
|
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
|
||||||
|
"$$@" $$unique; \
|
||||||
|
else \
|
||||||
|
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
|
||||||
|
$$unique; \
|
||||||
|
fi; \
|
||||||
|
fi
|
||||||
|
ctags: CTAGS
|
||||||
|
CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
|
||||||
|
$(TAGS_FILES) $(LISP)
|
||||||
|
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
|
||||||
|
unique=`for i in $$list; do \
|
||||||
|
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
|
||||||
|
done | \
|
||||||
|
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
|
||||||
|
END { if (nonempty) { for (i in files) print i; }; }'`; \
|
||||||
|
test -z "$(CTAGS_ARGS)$$unique" \
|
||||||
|
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
|
||||||
|
$$unique
|
||||||
|
|
||||||
|
GTAGS:
|
||||||
|
here=`$(am__cd) $(top_builddir) && pwd` \
|
||||||
|
&& $(am__cd) $(top_srcdir) \
|
||||||
|
&& gtags -i $(GTAGS_ARGS) "$$here"
|
||||||
|
|
||||||
|
distclean-tags:
|
||||||
|
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
|
||||||
|
|
||||||
|
distdir: $(DISTFILES)
|
||||||
|
$(am__remove_distdir)
|
||||||
|
test -d "$(distdir)" || mkdir "$(distdir)"
|
||||||
|
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
|
||||||
|
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
|
||||||
|
list='$(DISTFILES)'; \
|
||||||
|
dist_files=`for file in $$list; do echo $$file; done | \
|
||||||
|
sed -e "s|^$$srcdirstrip/||;t" \
|
||||||
|
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
|
||||||
|
case $$dist_files in \
|
||||||
|
*/*) $(MKDIR_P) `echo "$$dist_files" | \
|
||||||
|
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
|
||||||
|
sort -u` ;; \
|
||||||
|
esac; \
|
||||||
|
for file in $$dist_files; do \
|
||||||
|
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
|
||||||
|
if test -d $$d/$$file; then \
|
||||||
|
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
|
||||||
|
if test -d "$(distdir)/$$file"; then \
|
||||||
|
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
|
||||||
|
fi; \
|
||||||
|
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
|
||||||
|
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
|
||||||
|
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
|
||||||
|
fi; \
|
||||||
|
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
|
||||||
|
else \
|
||||||
|
test -f "$(distdir)/$$file" \
|
||||||
|
|| cp -p $$d/$$file "$(distdir)/$$file" \
|
||||||
|
|| exit 1; \
|
||||||
|
fi; \
|
||||||
|
done
|
||||||
|
@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
|
||||||
|
if test "$$subdir" = .; then :; else \
|
||||||
|
test -d "$(distdir)/$$subdir" \
|
||||||
|
|| $(MKDIR_P) "$(distdir)/$$subdir" \
|
||||||
|
|| exit 1; \
|
||||||
|
fi; \
|
||||||
|
done
|
||||||
|
@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
|
||||||
|
if test "$$subdir" = .; then :; else \
|
||||||
|
dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
|
||||||
|
$(am__relativize); \
|
||||||
|
new_distdir=$$reldir; \
|
||||||
|
dir1=$$subdir; dir2="$(top_distdir)"; \
|
||||||
|
$(am__relativize); \
|
||||||
|
new_top_distdir=$$reldir; \
|
||||||
|
echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
|
||||||
|
echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
|
||||||
|
($(am__cd) $$subdir && \
|
||||||
|
$(MAKE) $(AM_MAKEFLAGS) \
|
||||||
|
top_distdir="$$new_top_distdir" \
|
||||||
|
distdir="$$new_distdir" \
|
||||||
|
am__remove_distdir=: \
|
||||||
|
am__skip_length_check=: \
|
||||||
|
am__skip_mode_fix=: \
|
||||||
|
distdir) \
|
||||||
|
|| exit 1; \
|
||||||
|
fi; \
|
||||||
|
done
|
||||||
|
$(MAKE) $(AM_MAKEFLAGS) \
|
||||||
|
top_distdir="$(top_distdir)" distdir="$(distdir)" \
|
||||||
|
dist-hook
|
||||||
|
-test -n "$(am__skip_mode_fix)" \
|
||||||
|
|| find "$(distdir)" -type d ! -perm -755 \
|
||||||
|
-exec chmod u+rwx,go+rx {} \; -o \
|
||||||
|
! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
|
||||||
|
! -type d ! -perm -400 -exec chmod a+r {} \; -o \
|
||||||
|
! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \
|
||||||
|
|| chmod -R a+r "$(distdir)"
|
||||||
|
dist-gzip: distdir
|
||||||
|
tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
|
||||||
|
$(am__remove_distdir)
|
||||||
|
|
||||||
|
dist-bzip2: distdir
|
||||||
|
tardir=$(distdir) && $(am__tar) | bzip2 -9 -c >$(distdir).tar.bz2
|
||||||
|
$(am__remove_distdir)
|
||||||
|
|
||||||
|
dist-lzma: distdir
|
||||||
|
tardir=$(distdir) && $(am__tar) | lzma -9 -c >$(distdir).tar.lzma
|
||||||
|
$(am__remove_distdir)
|
||||||
|
|
||||||
|
dist-xz: distdir
|
||||||
|
tardir=$(distdir) && $(am__tar) | xz -c >$(distdir).tar.xz
|
||||||
|
$(am__remove_distdir)
|
||||||
|
|
||||||
|
dist-tarZ: distdir
|
||||||
|
tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z
|
||||||
|
$(am__remove_distdir)
|
||||||
|
|
||||||
|
dist-shar: distdir
|
||||||
|
shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz
|
||||||
|
$(am__remove_distdir)
|
||||||
|
|
||||||
|
dist-zip: distdir
|
||||||
|
-rm -f $(distdir).zip
|
||||||
|
zip -rq $(distdir).zip $(distdir)
|
||||||
|
$(am__remove_distdir)
|
||||||
|
|
||||||
|
dist dist-all: distdir
|
||||||
|
tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
|
||||||
|
$(am__remove_distdir)
|
||||||
|
|
||||||
|
# This target untars the dist file and tries a VPATH configuration. Then
|
||||||
|
# it guarantees that the distribution is self-contained by making another
|
||||||
|
# tarfile.
|
||||||
|
distcheck: dist
|
||||||
|
case '$(DIST_ARCHIVES)' in \
|
||||||
|
*.tar.gz*) \
|
||||||
|
GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\
|
||||||
|
*.tar.bz2*) \
|
||||||
|
bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\
|
||||||
|
*.tar.lzma*) \
|
||||||
|
lzma -dc $(distdir).tar.lzma | $(am__untar) ;;\
|
||||||
|
*.tar.xz*) \
|
||||||
|
xz -dc $(distdir).tar.xz | $(am__untar) ;;\
|
||||||
|
*.tar.Z*) \
|
||||||
|
uncompress -c $(distdir).tar.Z | $(am__untar) ;;\
|
||||||
|
*.shar.gz*) \
|
||||||
|
GZIP=$(GZIP_ENV) gzip -dc $(distdir).shar.gz | unshar ;;\
|
||||||
|
*.zip*) \
|
||||||
|
unzip $(distdir).zip ;;\
|
||||||
|
esac
|
||||||
|
chmod -R a-w $(distdir); chmod a+w $(distdir)
|
||||||
|
mkdir $(distdir)/_build
|
||||||
|
mkdir $(distdir)/_inst
|
||||||
|
chmod a-w $(distdir)
|
||||||
|
test -d $(distdir)/_build || exit 0; \
|
||||||
|
dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \
|
||||||
|
&& dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
|
||||||
|
&& am__cwd=`pwd` \
|
||||||
|
&& $(am__cd) $(distdir)/_build \
|
||||||
|
&& ../configure --srcdir=.. --prefix="$$dc_install_base" \
|
||||||
|
$(DISTCHECK_CONFIGURE_FLAGS) \
|
||||||
|
&& $(MAKE) $(AM_MAKEFLAGS) \
|
||||||
|
&& $(MAKE) $(AM_MAKEFLAGS) dvi \
|
||||||
|
&& $(MAKE) $(AM_MAKEFLAGS) check \
|
||||||
|
&& $(MAKE) $(AM_MAKEFLAGS) install \
|
||||||
|
&& $(MAKE) $(AM_MAKEFLAGS) installcheck \
|
||||||
|
&& $(MAKE) $(AM_MAKEFLAGS) uninstall \
|
||||||
|
&& $(MAKE) $(AM_MAKEFLAGS) distuninstallcheck_dir="$$dc_install_base" \
|
||||||
|
distuninstallcheck \
|
||||||
|
&& chmod -R a-w "$$dc_install_base" \
|
||||||
|
&& ({ \
|
||||||
|
(cd ../.. && umask 077 && mkdir "$$dc_destdir") \
|
||||||
|
&& $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" install \
|
||||||
|
&& $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" uninstall \
|
||||||
|
&& $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" \
|
||||||
|
distuninstallcheck_dir="$$dc_destdir" distuninstallcheck; \
|
||||||
|
} || { rm -rf "$$dc_destdir"; exit 1; }) \
|
||||||
|
&& rm -rf "$$dc_destdir" \
|
||||||
|
&& $(MAKE) $(AM_MAKEFLAGS) dist \
|
||||||
|
&& rm -rf $(DIST_ARCHIVES) \
|
||||||
|
&& $(MAKE) $(AM_MAKEFLAGS) distcleancheck \
|
||||||
|
&& cd "$$am__cwd" \
|
||||||
|
|| exit 1
|
||||||
|
$(am__remove_distdir)
|
||||||
|
@(echo "$(distdir) archives ready for distribution: "; \
|
||||||
|
list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \
|
||||||
|
sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x'
|
||||||
|
distuninstallcheck:
|
||||||
|
@$(am__cd) '$(distuninstallcheck_dir)' \
|
||||||
|
&& test `$(distuninstallcheck_listfiles) | wc -l` -le 1 \
|
||||||
|
|| { echo "ERROR: files left after uninstall:" ; \
|
||||||
|
if test -n "$(DESTDIR)"; then \
|
||||||
|
echo " (check DESTDIR support)"; \
|
||||||
|
fi ; \
|
||||||
|
$(distuninstallcheck_listfiles) ; \
|
||||||
|
exit 1; } >&2
|
||||||
|
distcleancheck: distclean
|
||||||
|
@if test '$(srcdir)' = . ; then \
|
||||||
|
echo "ERROR: distcleancheck can only run from a VPATH build" ; \
|
||||||
|
exit 1 ; \
|
||||||
|
fi
|
||||||
|
@test `$(distcleancheck_listfiles) | wc -l` -eq 0 \
|
||||||
|
|| { echo "ERROR: files left in build directory after distclean:" ; \
|
||||||
|
$(distcleancheck_listfiles) ; \
|
||||||
|
exit 1; } >&2
|
||||||
|
check-am: all-am
|
||||||
|
check: check-recursive
|
||||||
|
all-am: Makefile $(DATA)
|
||||||
|
installdirs: installdirs-recursive
|
||||||
|
installdirs-am:
|
||||||
|
for dir in "$(DESTDIR)$(docdir)"; do \
|
||||||
|
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
|
||||||
|
done
|
||||||
|
install: install-recursive
|
||||||
|
install-exec: install-exec-recursive
|
||||||
|
install-data: install-data-recursive
|
||||||
|
uninstall: uninstall-recursive
|
||||||
|
|
||||||
|
install-am: all-am
|
||||||
|
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
|
||||||
|
|
||||||
|
installcheck: installcheck-recursive
|
||||||
|
install-strip:
|
||||||
|
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
|
||||||
|
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
|
||||||
|
`test -z '$(STRIP)' || \
|
||||||
|
echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
|
||||||
|
mostlyclean-generic:
|
||||||
|
|
||||||
|
clean-generic:
|
||||||
|
|
||||||
|
distclean-generic:
|
||||||
|
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
|
||||||
|
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
|
||||||
|
|
||||||
|
maintainer-clean-generic:
|
||||||
|
@echo "This command is intended for maintainers to use"
|
||||||
|
@echo "it deletes files that may require special tools to rebuild."
|
||||||
|
clean: clean-recursive
|
||||||
|
|
||||||
|
clean-am: clean-generic clean-libtool mostlyclean-am
|
||||||
|
|
||||||
|
distclean: distclean-recursive
|
||||||
|
-rm -f $(am__CONFIG_DISTCLEAN_FILES)
|
||||||
|
-rm -f Makefile
|
||||||
|
distclean-am: clean-am distclean-generic distclean-libtool \
|
||||||
|
distclean-local distclean-tags
|
||||||
|
|
||||||
|
dvi: dvi-recursive
|
||||||
|
|
||||||
|
dvi-am:
|
||||||
|
|
||||||
|
html: html-recursive
|
||||||
|
|
||||||
|
html-am:
|
||||||
|
|
||||||
|
info: info-recursive
|
||||||
|
|
||||||
|
info-am:
|
||||||
|
|
||||||
|
install-data-am: install-docDATA
|
||||||
|
|
||||||
|
install-dvi: install-dvi-recursive
|
||||||
|
|
||||||
|
install-dvi-am:
|
||||||
|
|
||||||
|
install-exec-am:
|
||||||
|
|
||||||
|
install-html: install-html-recursive
|
||||||
|
|
||||||
|
install-html-am:
|
||||||
|
|
||||||
|
install-info: install-info-recursive
|
||||||
|
|
||||||
|
install-info-am:
|
||||||
|
|
||||||
|
install-man:
|
||||||
|
|
||||||
|
install-pdf: install-pdf-recursive
|
||||||
|
|
||||||
|
install-pdf-am:
|
||||||
|
|
||||||
|
install-ps: install-ps-recursive
|
||||||
|
|
||||||
|
install-ps-am:
|
||||||
|
|
||||||
|
installcheck-am:
|
||||||
|
|
||||||
|
maintainer-clean: maintainer-clean-recursive
|
||||||
|
-rm -f $(am__CONFIG_DISTCLEAN_FILES)
|
||||||
|
-rm -rf $(top_srcdir)/autom4te.cache
|
||||||
|
-rm -f Makefile
|
||||||
|
maintainer-clean-am: distclean-am maintainer-clean-generic
|
||||||
|
|
||||||
|
mostlyclean: mostlyclean-recursive
|
||||||
|
|
||||||
|
mostlyclean-am: mostlyclean-generic mostlyclean-libtool
|
||||||
|
|
||||||
|
pdf: pdf-recursive
|
||||||
|
|
||||||
|
pdf-am:
|
||||||
|
|
||||||
|
ps: ps-recursive
|
||||||
|
|
||||||
|
ps-am:
|
||||||
|
|
||||||
|
uninstall-am: uninstall-docDATA
|
||||||
|
|
||||||
|
.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \
|
||||||
|
install-am install-strip tags-recursive
|
||||||
|
|
||||||
|
.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
|
||||||
|
all all-am am--refresh check check-am clean clean-generic \
|
||||||
|
clean-libtool ctags ctags-recursive dist dist-all dist-bzip2 \
|
||||||
|
dist-gzip dist-hook dist-lzma dist-shar dist-tarZ dist-xz \
|
||||||
|
dist-zip distcheck distclean distclean-generic \
|
||||||
|
distclean-libtool distclean-local distclean-tags \
|
||||||
|
distcleancheck distdir distuninstallcheck dvi dvi-am html \
|
||||||
|
html-am info info-am install install-am install-data \
|
||||||
|
install-data-am install-docDATA install-dvi install-dvi-am \
|
||||||
|
install-exec install-exec-am install-html install-html-am \
|
||||||
|
install-info install-info-am install-man install-pdf \
|
||||||
|
install-pdf-am install-ps install-ps-am install-strip \
|
||||||
|
installcheck installcheck-am installdirs installdirs-am \
|
||||||
|
maintainer-clean maintainer-clean-generic mostlyclean \
|
||||||
|
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
|
||||||
|
tags tags-recursive uninstall uninstall-am uninstall-docDATA
|
||||||
|
|
||||||
|
libtool: $(LIBTOOL_DEPS)
|
||||||
|
$(SHELL) ./config.status libtool
|
||||||
|
|
||||||
|
distclean-local:
|
||||||
|
rm -rf autom4te.cache
|
||||||
|
rm -f $(distdir)-installer.exe
|
||||||
|
|
||||||
|
dist-hook:
|
||||||
|
makensis -NOCD -DVERSION=${VERSION} -DSRCDIR=$(srcdir) \
|
||||||
|
-DDLLS=/usr/src/openssl-0.9.8s-fips/out32dll \
|
||||||
|
$(srcdir)/tools/stunnel.nsi
|
||||||
|
|
||||||
|
sign: dist
|
||||||
|
cp -f $(distdir).tar.gz ../dist
|
||||||
|
cp -f $(distdir)-installer.exe ../dist
|
||||||
|
gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir).tar.gz
|
||||||
|
gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir)-installer.exe
|
||||||
|
sha256sum $(distdir).tar.gz | tee ../dist/$(distdir).tar.gz.sha256
|
||||||
|
|
||||||
|
# Tell versions [3.59,3.63) of GNU make to not export all variables.
|
||||||
|
# Otherwise a system limit (for SysV at least) may be exceeded.
|
||||||
|
.NOEXPORT:
|
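Review bot: the `dist-hook` rule bakes a maintainer-machine path into the release build: `-DDLLS=/usr/src/openssl-0.9.8s-fips/out32dll` only resolves on the box where that FIPS OpenSSL tree was built, so `make dist` either fails or silently packages whatever DLLs happen to sit at that path on any other host. Turn it into an overridable Makefile variable with this path as the default so the installer is reproducible from the distributed sources. In the `sign` rule, `--force-v3-sigs` makes gpg emit legacy version-3 signature packets; unless a known consumer still needs PGP 2.x compatibility, drop the flag and let gpg produce its default signature format. Also note that only `$(distdir).tar.gz` gets a `.sha256` file while `$(distdir)-installer.exe` is signed but has no published checksum; add a matching `sha256sum` line for the installer so both release artifacts can be verified the same way.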
22
PORTS
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
stunnel known port maintainers
|
||||||
|
|
||||||
|
|
||||||
|
* AmigaOS
|
||||||
|
- Diego Casorran <dcr8520@amiga.org>
|
||||||
|
* Cygwin
|
||||||
|
- Andrew Schulman <andrex@alumni.utexas.net>
|
||||||
|
* Debian GNU/Linux
|
||||||
|
- Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com>
|
||||||
|
* FreeBSD
|
||||||
|
- Ryan Steinmetz <zi@FreeBSD.org>
|
||||||
|
* NetBSD
|
||||||
|
- Martti Kuparinen <martti.kuparinen@iki.fi>
|
||||||
|
* OpenBSD
|
||||||
|
- Jakob Schlyter <jakob@openbsd.org>
|
||||||
|
* OpenSolaris
|
||||||
|
- Mark Fenwick <Mark.Fenwick@sun.com>
|
||||||
|
* OS/2
|
||||||
|
- Paul Smedley <paul@smedley.info>
|
||||||
|
* RedHat Linux
|
||||||
|
- Damien Miller <dmiller@ilogic.com.au>
|
||||||
|
|
30
README
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
stunnel overview
|
||||||
|
|
||||||
|
Short description
|
||||||
|
|
||||||
|
The stunnel program is designed to work as an SSL encryption
|
||||||
|
wrapper between remote client and local (inetd-startable) or
|
||||||
|
remote servers. The goal is to facilitate SSL encryption and
|
||||||
|
authentication for non-SSL-aware programs.
|
||||||
|
|
||||||
|
stunnel can be used to add SSL functionality to commonly
|
||||||
|
used inetd daemons like POP-2, POP-3 and IMAP servers
|
||||||
|
without any changes in the programs' code.
|
||||||
|
|
||||||
|
Compile instructions
|
||||||
|
|
||||||
|
See INSTALL file.
|
||||||
|
|
||||||
|
License
|
||||||
|
|
||||||
|
See COPYING file.
|
||||||
|
|
||||||
|
Other files you should read
|
||||||
|
|
||||||
|
Changelog What I did
|
||||||
|
TODO What I'm going to do
|
||||||
|
|
||||||
|
Reporting problems and other contacts
|
||||||
|
|
||||||
|
See FAQ file.
|
||||||
|
|
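Review bot: the "Other files you should read" list names only Changelog and TODO, but this same commit adds PORTS (per-platform maintainer contacts), and the README itself sends readers to INSTALL, COPYING and FAQ in other sections; listing those files here in one place would make the pointer section complete. Minor style point: "POP-2, POP-3" is normally written "POP2, POP3".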
39
TODO
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
stunnel TODO
|
||||||
|
|
||||||
|
|
||||||
|
High priority features. They will likely be supported some day.
|
||||||
|
A sponsor could allocate my time to get them faster.
|
||||||
|
* Command-line server control interface on both Unix and Windows.
|
||||||
|
* Separate GUI process running as current user on Windows.
|
||||||
|
* Optional line-buffering of the log file.
|
||||||
|
* etc/stunnel/conf.d/* files automatically processed while reading
|
||||||
|
etc/stunnel/stunnel.conf
|
||||||
|
* Android GUI.
|
||||||
|
* Support for CryptoAPI certificates and private keys with OpenSSL CAPI
|
||||||
|
engine (this feature is incompatible with FIPS support).
|
||||||
|
* Indirect CRL support (RFC 3280, section 5).
|
||||||
|
* Configuration file option to limit the number of concurrent connections.
|
||||||
|
* SOCKS 4 protocol support.
|
||||||
|
http://archive.socks.permeo.com/protocol/socks4.protocol
|
||||||
|
|
||||||
|
Low priority features. They will unlikely ever be supported.
|
||||||
|
* Provide 64-bit Windows builds (besides 32-bit builds).
|
||||||
|
This requires either Microsoft Visual Studio Standard Edition or Microsoft
|
||||||
|
Visual Studio Professional Edition in order to retain FIPS compliance.
|
||||||
|
* Service-level logging configuration (separate verbosity and destination).
|
||||||
|
* Key renegotiation (re-handshake) for long connections.
|
||||||
|
* Logging to NT EventLog on Windows.
|
||||||
|
* Internationalization of logged messages (i18n).
|
||||||
|
* Generic scripting engine instead or static protocol.c.
|
||||||
|
|
||||||
|
Features I won't support, unless convinced otherwise by a wealthy sponsor.
|
||||||
|
* Protocol support *after* SSL is negotiated:
|
||||||
|
- Support for adding X-Forwarded-For to HTTP request headers.
|
||||||
|
This feature is less useful since PROXY protocol support is available.
|
||||||
|
- Support for adding X-Forwarded-For to SMTP email headers.
|
||||||
|
This feature is most likely to be implemented as a separate proxy.
|
||||||
|
* Additional certificate checks (including wildcard comparison) based on CN
|
||||||
|
and X509v3 Subject Alternative Name.
|
||||||
|
* Set processes title that appear on the ps(1) and top(1) commands.
|
||||||
|
I could not find a portable *and* non-copyleft library for it.
|
||||||
|
|
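Review bot: two typos in the last two sections: "Generic scripting engine instead or static protocol.c" should read "instead of", and "Set processes title that appear on the ps(1) and top(1) commands" should read "Set the process title that appears in ps(1) and top(1)". More importantly, the entry "Additional certificate checks (including wildcard comparison) based on CN and X509v3 Subject Alternative Name" sits under features that won't be supported; without peer-name checks, a client that verifies the chain accepts any certificate issued by a trusted CA regardless of which host it was issued for. That limitation belongs in the user-facing documentation (not only in TODO) so deployers know to restrict trust to a dedicated CA or to the specific peer certificate rather than a public CA bundle.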
991
aclocal.m4
vendored
Normal file
@ -0,0 +1,991 @@
|
|||||||
|
# generated automatically by aclocal 1.11.1 -*- Autoconf -*-
|
||||||
|
|
||||||
|
# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
|
||||||
|
# 2005, 2006, 2007, 2008, 2009 Free Software Foundation, Inc.
|
||||||
|
# This file is free software; the Free Software Foundation
|
||||||
|
# gives unlimited permission to copy and/or distribute it,
|
||||||
|
# with or without modifications, as long as this notice is preserved.
|
||||||
|
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
|
||||||
|
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
|
||||||
|
# PARTICULAR PURPOSE.
|
||||||
|
|
||||||
|
m4_ifndef([AC_AUTOCONF_VERSION],
|
||||||
|
[m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
|
||||||
|
m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.67],,
|
||||||
|
[m4_warning([this file was generated for autoconf 2.67.
|
||||||
|
You have another version of autoconf. It may work, but is not guaranteed to.
|
||||||
|
If you have problems, you may need to regenerate the build system entirely.
|
||||||
|
To do so, use the procedure documented by the package, typically `autoreconf'.])])
|
||||||
|
|
||||||
|
# Copyright (C) 2002, 2003, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
|
||||||
|
#
|
||||||
|
# This file is free software; the Free Software Foundation
|
||||||
|
# gives unlimited permission to copy and/or distribute it,
|
||||||
|
# with or without modifications, as long as this notice is preserved.
|
||||||
|
|
||||||
|
# AM_AUTOMAKE_VERSION(VERSION)
|
||||||
|
# ----------------------------
|
||||||
|
# Automake X.Y traces this macro to ensure aclocal.m4 has been
|
||||||
|
# generated from the m4 files accompanying Automake X.Y.
|
||||||
|
# (This private macro should not be called outside this file.)
|
||||||
|
AC_DEFUN([AM_AUTOMAKE_VERSION],
|
||||||
|
[am__api_version='1.11'
|
||||||
|
dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
|
||||||
|
dnl require some minimum version. Point them to the right macro.
|
||||||
|
m4_if([$1], [1.11.1], [],
|
||||||
|
[AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
|
||||||
|
])
|
||||||
|
|
||||||
|
# _AM_AUTOCONF_VERSION(VERSION)
|
||||||
|
# -----------------------------
|
||||||
|
# aclocal traces this macro to find the Autoconf version.
|
||||||
|
# This is a private macro too. Using m4_define simplifies
|
||||||
|
# the logic in aclocal, which can simply ignore this definition.
|
||||||
|
m4_define([_AM_AUTOCONF_VERSION], [])
|
||||||
|
|
||||||
|
# AM_SET_CURRENT_AUTOMAKE_VERSION
|
||||||
|
# -------------------------------
|
||||||
|
# Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
|
||||||
|
# This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
|
||||||
|
AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
|
||||||
|
[AM_AUTOMAKE_VERSION([1.11.1])dnl
|
||||||
|
m4_ifndef([AC_AUTOCONF_VERSION],
|
||||||
|
[m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
|
||||||
|
_AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
|
||||||
|
|
||||||
|
# AM_AUX_DIR_EXPAND -*- Autoconf -*-
|
||||||
|
|
||||||
|
# Copyright (C) 2001, 2003, 2005 Free Software Foundation, Inc.
|
||||||
|
#
|
||||||
|
# This file is free software; the Free Software Foundation
|
||||||
|
# gives unlimited permission to copy and/or distribute it,
|
||||||
|
# with or without modifications, as long as this notice is preserved.
|
||||||
|
|
||||||
|
# For projects using AC_CONFIG_AUX_DIR([foo]), Autoconf sets
|
||||||
|
# $ac_aux_dir to `$srcdir/foo'. In other projects, it is set to
|
||||||
|
# `$srcdir', `$srcdir/..', or `$srcdir/../..'.
|
||||||
|
#
|
||||||
|
# Of course, Automake must honor this variable whenever it calls a
|
||||||
|
# tool from the auxiliary directory. The problem is that $srcdir (and
|
||||||
|
# therefore $ac_aux_dir as well) can be either absolute or relative,
|
||||||
|
# depending on how configure is run. This is pretty annoying, since
|
||||||
|
# it makes $ac_aux_dir quite unusable in subdirectories: in the top
|
||||||
|
# source directory, any form will work fine, but in subdirectories a
|
||||||
|
# relative path needs to be adjusted first.
|
||||||
|
#
|
||||||
|
# $ac_aux_dir/missing
|
||||||
|
# fails when called from a subdirectory if $ac_aux_dir is relative
|
||||||
|
# $top_srcdir/$ac_aux_dir/missing
|
||||||
|
# fails if $ac_aux_dir is absolute,
|
||||||
|
# fails when called from a subdirectory in a VPATH build with
|
||||||
|
# a relative $ac_aux_dir
|
||||||
|
#
|
||||||
|
# The reason of the latter failure is that $top_srcdir and $ac_aux_dir
|
||||||
|
# are both prefixed by $srcdir. In an in-source build this is usually
|
||||||
|
# harmless because $srcdir is `.', but things will broke when you
|
||||||
|
# start a VPATH build or use an absolute $srcdir.
|
||||||
|
#
|
||||||
|
# So we could use something similar to $top_srcdir/$ac_aux_dir/missing,
|
||||||
|
# iff we strip the leading $srcdir from $ac_aux_dir. That would be:
|
||||||
|
# am_aux_dir='\$(top_srcdir)/'`expr "$ac_aux_dir" : "$srcdir//*\(.*\)"`
|
||||||
|
# and then we would define $MISSING as
|
||||||
|
# MISSING="\${SHELL} $am_aux_dir/missing"
|
||||||
|
# This will work as long as MISSING is not called from configure, because
|
||||||
|
# unfortunately $(top_srcdir) has no meaning in configure.
|
||||||
|
# However there are other variables, like CC, which are often used in
|
||||||
|
# configure, and could therefore not use this "fixed" $ac_aux_dir.
|
||||||
|
#
|
||||||
|
# Another solution, used here, is to always expand $ac_aux_dir to an
|
||||||
|
# absolute PATH. The drawback is that using absolute paths prevent a
|
||||||
|
# configured tree to be moved without reconfiguration.
|
||||||
|
|
||||||
|
AC_DEFUN([AM_AUX_DIR_EXPAND],
|
||||||
|
[dnl Rely on autoconf to set up CDPATH properly.
|
||||||
|
AC_PREREQ([2.50])dnl
|
||||||
|
# expand $ac_aux_dir to an absolute path
|
||||||
|
am_aux_dir=`cd $ac_aux_dir && pwd`
|
||||||
|
])
|
||||||
|
|
||||||
|
# AM_CONDITIONAL -*- Autoconf -*-
|
||||||
|
|
||||||
|
# Copyright (C) 1997, 2000, 2001, 2003, 2004, 2005, 2006, 2008
|
||||||
|
# Free Software Foundation, Inc.
|
||||||
|
#
|
||||||
|
# This file is free software; the Free Software Foundation
|
||||||
|
# gives unlimited permission to copy and/or distribute it,
|
||||||
|
# with or without modifications, as long as this notice is preserved.
|
||||||
|
|
||||||
|
# serial 9
|
||||||
|
|
||||||
|
# AM_CONDITIONAL(NAME, SHELL-CONDITION)
|
||||||
|
# -------------------------------------
|
||||||
|
# Define a conditional.
|
||||||
|
AC_DEFUN([AM_CONDITIONAL],
|
||||||
|
[AC_PREREQ(2.52)dnl
|
||||||
|
ifelse([$1], [TRUE], [AC_FATAL([$0: invalid condition: $1])],
|
||||||
|
[$1], [FALSE], [AC_FATAL([$0: invalid condition: $1])])dnl
|
||||||
|
AC_SUBST([$1_TRUE])dnl
|
||||||
|
AC_SUBST([$1_FALSE])dnl
|
||||||
|
_AM_SUBST_NOTMAKE([$1_TRUE])dnl
|
||||||
|
_AM_SUBST_NOTMAKE([$1_FALSE])dnl
|
||||||
|
m4_define([_AM_COND_VALUE_$1], [$2])dnl
|
||||||
|
if $2; then
|
||||||
|
$1_TRUE=
|
||||||
|
$1_FALSE='#'
|
||||||
|
else
|
||||||
|
$1_TRUE='#'
|
||||||
|
$1_FALSE=
|
||||||
|
fi
|
||||||
|
AC_CONFIG_COMMANDS_PRE(
|
||||||
|
[if test -z "${$1_TRUE}" && test -z "${$1_FALSE}"; then
|
||||||
|
AC_MSG_ERROR([[conditional "$1" was never defined.
|
||||||
|
Usually this means the macro was only invoked conditionally.]])
|
||||||
|
fi])])
|
||||||
|
|
||||||
|
# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2009
|
||||||
|
# Free Software Foundation, Inc.
|
||||||
|
#
|
||||||
|
# This file is free software; the Free Software Foundation
|
||||||
|
# gives unlimited permission to copy and/or distribute it,
|
||||||
|
# with or without modifications, as long as this notice is preserved.
|
||||||
|
|
||||||
|
# serial 10
|
||||||
|
|
||||||
|
# There are a few dirty hacks below to avoid letting `AC_PROG_CC' be
|
||||||
|
# written in clear, in which case automake, when reading aclocal.m4,
|
||||||
|
# will think it sees a *use*, and therefore will trigger all it's
|
||||||
|
# C support machinery. Also note that it means that autoscan, seeing
|
||||||
|
# CC etc. in the Makefile, will ask for an AC_PROG_CC use...
|
||||||
|
|
||||||
|
|
||||||
|
# _AM_DEPENDENCIES(NAME)
|
||||||
|
# ----------------------
|
||||||
|
# See how the compiler implements dependency checking.
|
||||||
|
# NAME is "CC", "CXX", "GCJ", or "OBJC".
|
||||||
|
# We try a few techniques and use that to set a single cache variable.
|
||||||
|
#
|
||||||
|
# We don't AC_REQUIRE the corresponding AC_PROG_CC since the latter was
|
||||||
|
# modified to invoke _AM_DEPENDENCIES(CC); we would have a circular
|
||||||
|
# dependency, and given that the user is not expected to run this macro,
|
||||||
|
# just rely on AC_PROG_CC.
|
||||||
|
AC_DEFUN([_AM_DEPENDENCIES],
|
||||||
|
[AC_REQUIRE([AM_SET_DEPDIR])dnl
|
||||||
|
AC_REQUIRE([AM_OUTPUT_DEPENDENCY_COMMANDS])dnl
|
||||||
|
AC_REQUIRE([AM_MAKE_INCLUDE])dnl
|
||||||
|
AC_REQUIRE([AM_DEP_TRACK])dnl
|
||||||
|
|
||||||
|
ifelse([$1], CC, [depcc="$CC" am_compiler_list=],
|
||||||
|
[$1], CXX, [depcc="$CXX" am_compiler_list=],
|
||||||
|
[$1], OBJC, [depcc="$OBJC" am_compiler_list='gcc3 gcc'],
|
||||||
|
[$1], UPC, [depcc="$UPC" am_compiler_list=],
|
||||||
|
[$1], GCJ, [depcc="$GCJ" am_compiler_list='gcc3 gcc'],
|
||||||
|
[depcc="$$1" am_compiler_list=])
|
||||||
|
|
||||||
|
AC_CACHE_CHECK([dependency style of $depcc],
|
||||||
|
[am_cv_$1_dependencies_compiler_type],
|
||||||
|
[if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then
|
||||||
|
# We make a subdir and do the tests there. Otherwise we can end up
|
||||||
|
# making bogus files that we don't know about and never remove. For
|
||||||
|
# instance it was reported that on HP-UX the gcc test will end up
|
||||||
|
# making a dummy file named `D' -- because `-MD' means `put the output
|
||||||
|
# in D'.
|
||||||
|
mkdir conftest.dir
|
||||||
|
# Copy depcomp to subdir because otherwise we won't find it if we're
|
||||||
|
# using a relative directory.
|
||||||
|
cp "$am_depcomp" conftest.dir
|
||||||
|
cd conftest.dir
|
||||||
|
# We will build objects and dependencies in a subdirectory because
|
||||||
|
# it helps to detect inapplicable dependency modes. For instance
|
||||||
|
# both Tru64's cc and ICC support -MD to output dependencies as a
|
||||||
|
# side effect of compilation, but ICC will put the dependencies in
|
||||||
|
# the current directory while Tru64 will put them in the object
|
||||||
|
# directory.
|
||||||
|
mkdir sub
|
||||||
|
|
||||||
|
am_cv_$1_dependencies_compiler_type=none
|
||||||
|
if test "$am_compiler_list" = ""; then
|
||||||
|
am_compiler_list=`sed -n ['s/^#*\([a-zA-Z0-9]*\))$/\1/p'] < ./depcomp`
|
||||||
|
fi
|
||||||
|
am__universal=false
|
||||||
|
m4_case([$1], [CC],
|
||||||
|
[case " $depcc " in #(
|
||||||
|
*\ -arch\ *\ -arch\ *) am__universal=true ;;
|
||||||
|
esac],
|
||||||
|
[CXX],
|
||||||
|
[case " $depcc " in #(
|
||||||
|
*\ -arch\ *\ -arch\ *) am__universal=true ;;
|
||||||
|
esac])
|
||||||
|
|
||||||
|
for depmode in $am_compiler_list; do
|
||||||
|
# Setup a source with many dependencies, because some compilers
|
||||||
|
# like to wrap large dependency lists on column 80 (with \), and
|
||||||
|
# we should not choose a depcomp mode which is confused by this.
|
||||||
|
#
|
||||||
|
# We need to recreate these files for each test, as the compiler may
|
||||||
|
# overwrite some of them when testing with obscure command lines.
|
||||||
|
# This happens at least with the AIX C compiler.
|
||||||
|
: > sub/conftest.c
|
||||||
|
for i in 1 2 3 4 5 6; do
|
||||||
|
echo '#include "conftst'$i'.h"' >> sub/conftest.c
|
||||||
|
# Using `: > sub/conftst$i.h' creates only sub/conftst1.h with
|
||||||
|
# Solaris 8's {/usr,}/bin/sh.
|
||||||
|
touch sub/conftst$i.h
|
||||||
|
done
|
||||||
|
echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf
|
||||||
|
|
||||||
|
# We check with `-c' and `-o' for the sake of the "dashmstdout"
|
||||||
|
# mode. It turns out that the SunPro C++ compiler does not properly
|
||||||
|
# handle `-M -o', and we need to detect this. Also, some Intel
|
||||||
|
# versions had trouble with output in subdirs
|
||||||
|
am__obj=sub/conftest.${OBJEXT-o}
|
||||||
|
am__minus_obj="-o $am__obj"
|
||||||
|
case $depmode in
|
||||||
|
gcc)
|
||||||
|
# This depmode causes a compiler race in universal mode.
|
||||||
|
test "$am__universal" = false || continue
|
||||||
|
;;
|
||||||
|
nosideeffect)
|
||||||
|
# after this tag, mechanisms are not by side-effect, so they'll
|
||||||
|
# only be used when explicitly requested
|
||||||
|
if test "x$enable_dependency_tracking" = xyes; then
|
||||||
|
continue
|
||||||
|
else
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
msvisualcpp | msvcmsys)
|
||||||
|
# This compiler won't grok `-c -o', but also, the minuso test has
|
||||||
|
# not run yet. These depmodes are late enough in the game, and
|
||||||
|
# so weak that their functioning should not be impacted.
|
||||||
|
am__obj=conftest.${OBJEXT-o}
|
||||||
|
am__minus_obj=
|
||||||
|
;;
|
||||||
|
none) break ;;
|
||||||
|
esac
|
||||||
|
if depmode=$depmode \
|
||||||
|
source=sub/conftest.c object=$am__obj \
|
||||||
|
depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \
|
||||||
|
$SHELL ./depcomp $depcc -c $am__minus_obj sub/conftest.c \
|
||||||
|
>/dev/null 2>conftest.err &&
|
||||||
|
grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 &&
|
||||||
|
grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 &&
|
||||||
|
grep $am__obj sub/conftest.Po > /dev/null 2>&1 &&
|
||||||
|
${MAKE-make} -s -f confmf > /dev/null 2>&1; then
|
||||||
|
# icc doesn't choke on unknown options, it will just issue warnings
|
||||||
|
# or remarks (even with -Werror). So we grep stderr for any message
|
||||||
|
# that says an option was ignored or not supported.
|
||||||
|
# When given -MP, icc 7.0 and 7.1 complain thusly:
|
||||||
|
# icc: Command line warning: ignoring option '-M'; no argument required
|
||||||
|
# The diagnosis changed in icc 8.0:
|
||||||
|
# icc: Command line remark: option '-MP' not supported
|
||||||
|
if (grep 'ignoring option' conftest.err ||
|
||||||
|
grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else
|
||||||
|
am_cv_$1_dependencies_compiler_type=$depmode
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
cd ..
|
||||||
|
rm -rf conftest.dir
|
||||||
|
else
|
||||||
|
am_cv_$1_dependencies_compiler_type=none
|
||||||
|
fi
|
||||||
|
])
|
||||||
|
AC_SUBST([$1DEPMODE], [depmode=$am_cv_$1_dependencies_compiler_type])
|
||||||
|
AM_CONDITIONAL([am__fastdep$1], [
|
||||||
|
test "x$enable_dependency_tracking" != xno \
|
||||||
|
&& test "$am_cv_$1_dependencies_compiler_type" = gcc3])
|
||||||
|
])
|
||||||
|
|
||||||
|
|
||||||
|
# AM_SET_DEPDIR
|
||||||
|
# -------------
|
||||||
|
# Choose a directory name for dependency files.
|
||||||
|
# This macro is AC_REQUIREd in _AM_DEPENDENCIES
|
||||||
|
AC_DEFUN([AM_SET_DEPDIR],
|
||||||
|
[AC_REQUIRE([AM_SET_LEADING_DOT])dnl
|
||||||
|
AC_SUBST([DEPDIR], ["${am__leading_dot}deps"])dnl
|
||||||
|
])
|
||||||
|
|
||||||
|
|
||||||
|
# AM_DEP_TRACK
|
||||||
|
# ------------
|
||||||
|
AC_DEFUN([AM_DEP_TRACK],
|
||||||
|
[AC_ARG_ENABLE(dependency-tracking,
|
||||||
|
[ --disable-dependency-tracking speeds up one-time build
|
||||||
|
--enable-dependency-tracking do not reject slow dependency extractors])
|
||||||
|
if test "x$enable_dependency_tracking" != xno; then
|
||||||
|
am_depcomp="$ac_aux_dir/depcomp"
|
||||||
|
AMDEPBACKSLASH='\'
|
||||||
|
fi
|
||||||
|
AM_CONDITIONAL([AMDEP], [test "x$enable_dependency_tracking" != xno])
|
||||||
|
AC_SUBST([AMDEPBACKSLASH])dnl
|
||||||
|
_AM_SUBST_NOTMAKE([AMDEPBACKSLASH])dnl
|
||||||
|
])
|
||||||
|
|
||||||
|
# Generate code to set up dependency tracking. -*- Autoconf -*-
|
||||||
|
|
||||||
|
# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2008
|
||||||
|
# Free Software Foundation, Inc.
|
||||||
|
#
|
||||||
|
# This file is free software; the Free Software Foundation
|
||||||
|
# gives unlimited permission to copy and/or distribute it,
|
||||||
|
# with or without modifications, as long as this notice is preserved.
|
||||||
|
|
||||||
|
#serial 5
|
||||||
|
|
||||||
|
# _AM_OUTPUT_DEPENDENCY_COMMANDS
|
||||||
|
# ------------------------------
|
||||||
|
AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS],
|
||||||
|
[{
|
||||||
|
# Autoconf 2.62 quotes --file arguments for eval, but not when files
|
||||||
|
# are listed without --file. Let's play safe and only enable the eval
|
||||||
|
# if we detect the quoting.
|
||||||
|
case $CONFIG_FILES in
|
||||||
|
*\'*) eval set x "$CONFIG_FILES" ;;
|
||||||
|
*) set x $CONFIG_FILES ;;
|
||||||
|
esac
|
||||||
|
shift
|
||||||
|
for mf
|
||||||
|
do
|
||||||
|
# Strip MF so we end up with the name of the file.
|
||||||
|
mf=`echo "$mf" | sed -e 's/:.*$//'`
|
||||||
|
# Check whether this is an Automake generated Makefile or not.
|
||||||
|
# We used to match only the files named `Makefile.in', but
|
||||||
|
# some people rename them; so instead we look at the file content.
|
||||||
|
# Grep'ing the first line is not enough: some people post-process
|
||||||
|
# each Makefile.in and add a new line on top of each file to say so.
|
||||||
|
# Grep'ing the whole file is not good either: AIX grep has a line
|
||||||
|
# limit of 2048, but all sed's we know have understand at least 4000.
|
||||||
|
if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then
|
||||||
|
dirpart=`AS_DIRNAME("$mf")`
|
||||||
|
else
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
# Extract the definition of DEPDIR, am__include, and am__quote
|
||||||
|
# from the Makefile without running `make'.
|
||||||
|
DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"`
|
||||||
|
test -z "$DEPDIR" && continue
|
||||||
|
am__include=`sed -n 's/^am__include = //p' < "$mf"`
|
||||||
|
test -z "am__include" && continue
|
||||||
|
am__quote=`sed -n 's/^am__quote = //p' < "$mf"`
|
||||||
|
# When using ansi2knr, U may be empty or an underscore; expand it
|
||||||
|
U=`sed -n 's/^U = //p' < "$mf"`
|
||||||
|
# Find all dependency output files, they are included files with
|
||||||
|
# $(DEPDIR) in their names. We invoke sed twice because it is the
|
||||||
|
# simplest approach to changing $(DEPDIR) to its actual value in the
|
||||||
|
# expansion.
|
||||||
|
for file in `sed -n "
|
||||||
|
s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \
|
||||||
|
sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do
|
||||||
|
# Make sure the directory exists.
|
||||||
|
test -f "$dirpart/$file" && continue
|
||||||
|
fdir=`AS_DIRNAME(["$file"])`
|
||||||
|
AS_MKDIR_P([$dirpart/$fdir])
|
||||||
|
# echo "creating $dirpart/$file"
|
||||||
|
echo '# dummy' > "$dirpart/$file"
|
||||||
|
done
|
||||||
|
done
|
||||||
|
}
|
||||||
|
])# _AM_OUTPUT_DEPENDENCY_COMMANDS
|
||||||
|
|
||||||
|
|
||||||
|
# AM_OUTPUT_DEPENDENCY_COMMANDS
|
||||||
|
# -----------------------------
|
||||||
|
# This macro should only be invoked once -- use via AC_REQUIRE.
|
||||||
|
#
|
||||||
|
# This code is only required when automatic dependency tracking
|
||||||
|
# is enabled. FIXME. This creates each `.P' file that we will
|
||||||
|
# need in order to bootstrap the dependency handling code.
|
||||||
|
AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS],
|
||||||
|
[AC_CONFIG_COMMANDS([depfiles],
|
||||||
|
[test x"$AMDEP_TRUE" != x"" || _AM_OUTPUT_DEPENDENCY_COMMANDS],
|
||||||
|
[AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"])
|
||||||
|
])
|
||||||
|
|
||||||
|
# Do all the work for Automake. -*- Autoconf -*-
|
||||||
|
|
||||||
|
# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
|
||||||
|
# 2005, 2006, 2008, 2009 Free Software Foundation, Inc.
|
||||||
|
#
|
||||||
|
# This file is free software; the Free Software Foundation
|
||||||
|
# gives unlimited permission to copy and/or distribute it,
|
||||||
|
# with or without modifications, as long as this notice is preserved.
|
||||||
|
|
||||||
|
# serial 16
|
||||||
|
|
||||||
|
# This macro actually does too much. Some checks are only needed if
|
||||||
|
# your package does certain things. But this isn't really a big deal.
|
||||||
|
|
||||||
|
# AM_INIT_AUTOMAKE(PACKAGE, VERSION, [NO-DEFINE])
|
||||||
|
# AM_INIT_AUTOMAKE([OPTIONS])
|
||||||
|
# -----------------------------------------------
|
||||||
|
# The call with PACKAGE and VERSION arguments is the old style
|
||||||
|
# call (pre autoconf-2.50), which is being phased out. PACKAGE
|
||||||
|
# and VERSION should now be passed to AC_INIT and removed from
|
||||||
|
# the call to AM_INIT_AUTOMAKE.
|
||||||
|
# We support both call styles for the transition. After
|
||||||
|
# the next Automake release, Autoconf can make the AC_INIT
|
||||||
|
# arguments mandatory, and then we can depend on a new Autoconf
|
||||||
|
# release and drop the old call support.
|
||||||
|
AC_DEFUN([AM_INIT_AUTOMAKE],
|
||||||
|
[AC_PREREQ([2.62])dnl
|
||||||
|
dnl Autoconf wants to disallow AM_ names. We explicitly allow
|
||||||
|
dnl the ones we care about.
|
||||||
|
m4_pattern_allow([^AM_[A-Z]+FLAGS$])dnl
|
||||||
|
AC_REQUIRE([AM_SET_CURRENT_AUTOMAKE_VERSION])dnl
|
||||||
|
AC_REQUIRE([AC_PROG_INSTALL])dnl
|
||||||
|
if test "`cd $srcdir && pwd`" != "`pwd`"; then
|
||||||
|
# Use -I$(srcdir) only when $(srcdir) != ., so that make's output
|
||||||
|
# is not polluted with repeated "-I."
|
||||||
|
AC_SUBST([am__isrc], [' -I$(srcdir)'])_AM_SUBST_NOTMAKE([am__isrc])dnl
|
||||||
|
# test to see if srcdir already configured
|
||||||
|
if test -f $srcdir/config.status; then
|
||||||
|
AC_MSG_ERROR([source directory already configured; run "make distclean" there first])
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# test whether we have cygpath
|
||||||
|
if test -z "$CYGPATH_W"; then
|
||||||
|
if (cygpath --version) >/dev/null 2>/dev/null; then
|
||||||
|
CYGPATH_W='cygpath -w'
|
||||||
|
else
|
||||||
|
CYGPATH_W=echo
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
AC_SUBST([CYGPATH_W])
|
||||||
|
|
||||||
|
# Define the identity of the package.
|
||||||
|
dnl Distinguish between old-style and new-style calls.
|
||||||
|
m4_ifval([$2],
|
||||||
|
[m4_ifval([$3], [_AM_SET_OPTION([no-define])])dnl
|
||||||
|
AC_SUBST([PACKAGE], [$1])dnl
|
||||||
|
AC_SUBST([VERSION], [$2])],
|
||||||
|
[_AM_SET_OPTIONS([$1])dnl
|
||||||
|
dnl Diagnose old-style AC_INIT with new-style AM_AUTOMAKE_INIT.
|
||||||
|
m4_if(m4_ifdef([AC_PACKAGE_NAME], 1)m4_ifdef([AC_PACKAGE_VERSION], 1), 11,,
|
||||||
|
[m4_fatal([AC_INIT should be called with package and version arguments])])dnl
|
||||||
|
AC_SUBST([PACKAGE], ['AC_PACKAGE_TARNAME'])dnl
|
||||||
|
AC_SUBST([VERSION], ['AC_PACKAGE_VERSION'])])dnl
|
||||||
|
|
||||||
|
_AM_IF_OPTION([no-define],,
|
||||||
|
[AC_DEFINE_UNQUOTED(PACKAGE, "$PACKAGE", [Name of package])
|
||||||
|
AC_DEFINE_UNQUOTED(VERSION, "$VERSION", [Version number of package])])dnl
|
||||||
|
|
||||||
|
# Some tools Automake needs.
|
||||||
|
AC_REQUIRE([AM_SANITY_CHECK])dnl
|
||||||
|
AC_REQUIRE([AC_ARG_PROGRAM])dnl
|
||||||
|
AM_MISSING_PROG(ACLOCAL, aclocal-${am__api_version})
|
||||||
|
AM_MISSING_PROG(AUTOCONF, autoconf)
|
||||||
|
AM_MISSING_PROG(AUTOMAKE, automake-${am__api_version})
|
||||||
|
AM_MISSING_PROG(AUTOHEADER, autoheader)
|
||||||
|
AM_MISSING_PROG(MAKEINFO, makeinfo)
|
||||||
|
AC_REQUIRE([AM_PROG_INSTALL_SH])dnl
|
||||||
|
AC_REQUIRE([AM_PROG_INSTALL_STRIP])dnl
|
||||||
|
AC_REQUIRE([AM_PROG_MKDIR_P])dnl
|
||||||
|
# We need awk for the "check" target. The system "awk" is bad on
|
||||||
|
# some platforms.
|
||||||
|
AC_REQUIRE([AC_PROG_AWK])dnl
|
||||||
|
AC_REQUIRE([AC_PROG_MAKE_SET])dnl
|
||||||
|
AC_REQUIRE([AM_SET_LEADING_DOT])dnl
|
||||||
|
_AM_IF_OPTION([tar-ustar], [_AM_PROG_TAR([ustar])],
|
||||||
|
[_AM_IF_OPTION([tar-pax], [_AM_PROG_TAR([pax])],
|
||||||
|
[_AM_PROG_TAR([v7])])])
|
||||||
|
_AM_IF_OPTION([no-dependencies],,
|
||||||
|
[AC_PROVIDE_IFELSE([AC_PROG_CC],
|
||||||
|
[_AM_DEPENDENCIES(CC)],
|
||||||
|
[define([AC_PROG_CC],
|
||||||
|
defn([AC_PROG_CC])[_AM_DEPENDENCIES(CC)])])dnl
|
||||||
|
AC_PROVIDE_IFELSE([AC_PROG_CXX],
|
||||||
|
[_AM_DEPENDENCIES(CXX)],
|
||||||
|
[define([AC_PROG_CXX],
|
||||||
|
defn([AC_PROG_CXX])[_AM_DEPENDENCIES(CXX)])])dnl
|
||||||
|
AC_PROVIDE_IFELSE([AC_PROG_OBJC],
|
||||||
|
[_AM_DEPENDENCIES(OBJC)],
|
||||||
|
[define([AC_PROG_OBJC],
|
||||||
|
defn([AC_PROG_OBJC])[_AM_DEPENDENCIES(OBJC)])])dnl
|
||||||
|
])
|
||||||
|
_AM_IF_OPTION([silent-rules], [AC_REQUIRE([AM_SILENT_RULES])])dnl
|
||||||
|
dnl The `parallel-tests' driver may need to know about EXEEXT, so add the
|
||||||
|
dnl `am__EXEEXT' conditional if _AM_COMPILER_EXEEXT was seen. This macro
|
||||||
|
dnl is hooked onto _AC_COMPILER_EXEEXT early, see below.
|
||||||
|
AC_CONFIG_COMMANDS_PRE(dnl
|
||||||
|
[m4_provide_if([_AM_COMPILER_EXEEXT],
|
||||||
|
[AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"])])])dnl
|
||||||
|
])
|
||||||
|
|
||||||
|
dnl Hook into `_AC_COMPILER_EXEEXT' early to learn its expansion. Do not
dnl add the conditional right here, as _AC_COMPILER_EXEEXT may be further
dnl mangled by Autoconf and run in a shell conditional statement.
m4_define([_AC_COMPILER_EXEEXT],
m4_defn([_AC_COMPILER_EXEEXT])[m4_provide([_AM_COMPILER_EXEEXT])])


# When config.status generates a header, we must update the stamp-h file.
# This file resides in the same directory as the config header
# that is generated. The stamp files are numbered to have different names.

# Autoconf calls _AC_AM_CONFIG_HEADER_HOOK (when defined) in the
# loop where config.status creates the headers, so we can generate
# our stamp files there.
AC_DEFUN([_AC_AM_CONFIG_HEADER_HOOK],
[# Compute $1's index in $config_headers.
_am_arg=$1
_am_stamp_count=1
for _am_header in $config_headers :; do
case $_am_header in
$_am_arg | $_am_arg:* )
break ;;
* )
_am_stamp_count=`expr $_am_stamp_count + 1` ;;
esac
done
echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count])

# Copyright (C) 2001, 2003, 2005, 2008 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# AM_PROG_INSTALL_SH
# ------------------
# Define $install_sh.
AC_DEFUN([AM_PROG_INSTALL_SH],
[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
if test x"${install_sh}" != xset; then
case $am_aux_dir in
*\ * | *\ *)
install_sh="\${SHELL} '$am_aux_dir/install-sh'" ;;
*)
install_sh="\${SHELL} $am_aux_dir/install-sh"
esac
fi
AC_SUBST(install_sh)])

# Copyright (C) 2003, 2005 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# serial 2

# Check whether the underlying file-system supports filenames
# with a leading dot. For instance MS-DOS doesn't.
AC_DEFUN([AM_SET_LEADING_DOT],
[rm -rf .tst 2>/dev/null
mkdir .tst 2>/dev/null
if test -d .tst; then
am__leading_dot=.
else
am__leading_dot=_
fi
rmdir .tst 2>/dev/null
AC_SUBST([am__leading_dot])])

# Check to see how 'make' treats includes. -*- Autoconf -*-

# Copyright (C) 2001, 2002, 2003, 2005, 2009 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# serial 4

# AM_MAKE_INCLUDE()
# -----------------
# Check to see how make treats includes.
AC_DEFUN([AM_MAKE_INCLUDE],
[am_make=${MAKE-make}
cat > confinc << 'END'
am__doit:
@echo this is the am__doit target
.PHONY: am__doit
END
# If we don't find an include directive, just comment out the code.
AC_MSG_CHECKING([for style of include used by $am_make])
am__include="#"
am__quote=
_am_result=none
# First try GNU make style include.
echo "include confinc" > confmf
# Ignore all kinds of additional output from `make'.
case `$am_make -s -f confmf 2> /dev/null` in #(
*the\ am__doit\ target*)
am__include=include
am__quote=
_am_result=GNU
;;
esac
# Now try BSD make style include.
if test "$am__include" = "#"; then
echo '.include "confinc"' > confmf
case `$am_make -s -f confmf 2> /dev/null` in #(
*the\ am__doit\ target*)
am__include=.include
am__quote="\""
_am_result=BSD
;;
esac
fi
AC_SUBST([am__include])
AC_SUBST([am__quote])
AC_MSG_RESULT([$_am_result])
rm -f confinc confmf
])

# Copyright (C) 1999, 2000, 2001, 2003, 2004, 2005, 2008
# Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# serial 6

# AM_PROG_CC_C_O
# --------------
# Like AC_PROG_CC_C_O, but changed for automake.
AC_DEFUN([AM_PROG_CC_C_O],
[AC_REQUIRE([AC_PROG_CC_C_O])dnl
AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
AC_REQUIRE_AUX_FILE([compile])dnl
# FIXME: we rely on the cache variable name because
# there is no other way.
set dummy $CC
am_cc=`echo $[2] | sed ['s/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/']`
eval am_t=\$ac_cv_prog_cc_${am_cc}_c_o
if test "$am_t" != yes; then
# Losing compiler, so override with the script.
# FIXME: It is wrong to rewrite CC.
# But if we don't then we get into trouble of one sort or another.
# A longer-term fix would be to have automake use am__CC in this case,
# and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
CC="$am_aux_dir/compile $CC"
fi
dnl Make sure AC_PROG_CC is never called again, or it will override our
dnl setting of CC.
m4_define([AC_PROG_CC],
[m4_fatal([AC_PROG_CC cannot be called after AM_PROG_CC_C_O])])
])

# Fake the existence of programs that GNU maintainers use. -*- Autoconf -*-

# Copyright (C) 1997, 1999, 2000, 2001, 2003, 2004, 2005, 2008
# Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# serial 6

# AM_MISSING_PROG(NAME, PROGRAM)
# ------------------------------
AC_DEFUN([AM_MISSING_PROG],
[AC_REQUIRE([AM_MISSING_HAS_RUN])
$1=${$1-"${am_missing_run}$2"}
AC_SUBST($1)])


# AM_MISSING_HAS_RUN
# ------------------
# Define MISSING if not defined so far and test if it supports --run.
# If it does, set am_missing_run to use it, otherwise, to nothing.
AC_DEFUN([AM_MISSING_HAS_RUN],
[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
AC_REQUIRE_AUX_FILE([missing])dnl
if test x"${MISSING+set}" != xset; then
case $am_aux_dir in
*\ * | *\ *)
MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;;
*)
MISSING="\${SHELL} $am_aux_dir/missing" ;;
esac
fi
# Use eval to expand $SHELL
if eval "$MISSING --run true"; then
am_missing_run="$MISSING --run "
else
am_missing_run=
AC_MSG_WARN([`missing' script is too old or missing])
fi
])

# Copyright (C) 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# AM_PROG_MKDIR_P
# ---------------
# Check for `mkdir -p'.
AC_DEFUN([AM_PROG_MKDIR_P],
[AC_PREREQ([2.60])dnl
AC_REQUIRE([AC_PROG_MKDIR_P])dnl
dnl Automake 1.8 to 1.9.6 used to define mkdir_p. We now use MKDIR_P,
dnl while keeping a definition of mkdir_p for backward compatibility.
dnl @MKDIR_P@ is magic: AC_OUTPUT adjusts its value for each Makefile.
dnl However we cannot define mkdir_p as $(MKDIR_P) for the sake of
dnl Makefile.ins that do not define MKDIR_P, so we do our own
dnl adjustment using top_builddir (which is defined more often than
dnl MKDIR_P).
AC_SUBST([mkdir_p], ["$MKDIR_P"])dnl
case $mkdir_p in
[[\\/$]]* | ?:[[\\/]]*) ;;
*/*) mkdir_p="\$(top_builddir)/$mkdir_p" ;;
esac
])

# Helper functions for option handling. -*- Autoconf -*-

# Copyright (C) 2001, 2002, 2003, 2005, 2008 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# serial 4

# _AM_MANGLE_OPTION(NAME)
# -----------------------
AC_DEFUN([_AM_MANGLE_OPTION],
[[_AM_OPTION_]m4_bpatsubst($1, [[^a-zA-Z0-9_]], [_])])

# _AM_SET_OPTION(NAME)
# ------------------------------
# Set option NAME. Presently that only means defining a flag for this option.
AC_DEFUN([_AM_SET_OPTION],
[m4_define(_AM_MANGLE_OPTION([$1]), 1)])

# _AM_SET_OPTIONS(OPTIONS)
# ----------------------------------
# OPTIONS is a space-separated list of Automake options.
AC_DEFUN([_AM_SET_OPTIONS],
[m4_foreach_w([_AM_Option], [$1], [_AM_SET_OPTION(_AM_Option)])])

# _AM_IF_OPTION(OPTION, IF-SET, [IF-NOT-SET])
# -------------------------------------------
# Execute IF-SET if OPTION is set, IF-NOT-SET otherwise.
AC_DEFUN([_AM_IF_OPTION],
[m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])])

# Check to make sure that the build environment is sane. -*- Autoconf -*-

# Copyright (C) 1996, 1997, 2000, 2001, 2003, 2005, 2008
# Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# serial 5

# AM_SANITY_CHECK
# ---------------
AC_DEFUN([AM_SANITY_CHECK],
[AC_MSG_CHECKING([whether build environment is sane])
# Just in case
sleep 1
echo timestamp > conftest.file
# Reject unsafe characters in $srcdir or the absolute working directory
# name. Accept space and tab only in the latter.
am_lf='
'
case `pwd` in
*[[\\\"\#\$\&\'\`$am_lf]]*)
AC_MSG_ERROR([unsafe absolute working directory name]);;
esac
case $srcdir in
*[[\\\"\#\$\&\'\`$am_lf\ \ ]]*)
AC_MSG_ERROR([unsafe srcdir value: `$srcdir']);;
esac

# Do `set' in a subshell so we don't clobber the current shell's
# arguments. Must try -L first in case configure is actually a
# symlink; some systems play weird games with the mod time of symlinks
# (eg FreeBSD returns the mod time of the symlink's containing
# directory).
if (
set X `ls -Lt "$srcdir/configure" conftest.file 2> /dev/null`
if test "$[*]" = "X"; then
# -L didn't work.
set X `ls -t "$srcdir/configure" conftest.file`
fi
rm -f conftest.file
if test "$[*]" != "X $srcdir/configure conftest.file" \
&& test "$[*]" != "X conftest.file $srcdir/configure"; then

# If neither matched, then we have a broken ls. This can happen
# if, for instance, CONFIG_SHELL is bash and it inherits a
# broken ls alias from the environment. This has actually
# happened. Such a system could not be considered "sane".
AC_MSG_ERROR([ls -t appears to fail. Make sure there is not a broken
alias in your environment])
fi

test "$[2]" = conftest.file
)
then
# Ok.
:
else
AC_MSG_ERROR([newly created file is older than distributed files!
Check your system clock])
fi
AC_MSG_RESULT(yes)])

# Copyright (C) 2001, 2003, 2005 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# AM_PROG_INSTALL_STRIP
# ---------------------
# One issue with vendor `install' (even GNU) is that you can't
# specify the program used to strip binaries. This is especially
# annoying in cross-compiling environments, where the build's strip
# is unlikely to handle the host's binaries.
# Fortunately install-sh will honor a STRIPPROG variable, so we
# always use install-sh in `make install-strip', and initialize
# STRIPPROG with the value of the STRIP variable (set by the user).
AC_DEFUN([AM_PROG_INSTALL_STRIP],
[AC_REQUIRE([AM_PROG_INSTALL_SH])dnl
# Installed binaries are usually stripped using `strip' when the user
# run `make install-strip'. However `strip' might not be the right
# tool to use in cross-compilation environments, therefore Automake
# will honor the `STRIP' environment variable to overrule this program.
dnl Don't test for $cross_compiling = yes, because it might be `maybe'.
if test "$cross_compiling" != no; then
AC_CHECK_TOOL([STRIP], [strip], :)
fi
INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
AC_SUBST([INSTALL_STRIP_PROGRAM])])

# Copyright (C) 2006, 2008 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# serial 2

# _AM_SUBST_NOTMAKE(VARIABLE)
# ---------------------------
# Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in.
# This macro is traced by Automake.
AC_DEFUN([_AM_SUBST_NOTMAKE])

# AM_SUBST_NOTMAKE(VARIABLE)
# ---------------------------
# Public sister of _AM_SUBST_NOTMAKE.
AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])

# Check how to create a tarball. -*- Autoconf -*-

# Copyright (C) 2004, 2005 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# serial 2

# _AM_PROG_TAR(FORMAT)
# --------------------
# Check how to create a tarball in format FORMAT.
# FORMAT should be one of `v7', `ustar', or `pax'.
#
# Substitute a variable $(am__tar) that is a command
# writing to stdout a FORMAT-tarball containing the directory
# $tardir.
# tardir=directory && $(am__tar) > result.tar
#
# Substitute a variable $(am__untar) that extract such
# a tarball read from stdin.
# $(am__untar) < result.tar
AC_DEFUN([_AM_PROG_TAR],
[# Always define AMTAR for backward compatibility.
AM_MISSING_PROG([AMTAR], [tar])
m4_if([$1], [v7],
[am__tar='${AMTAR} chof - "$$tardir"'; am__untar='${AMTAR} xf -'],
[m4_case([$1], [ustar],, [pax],,
[m4_fatal([Unknown tar format])])
AC_MSG_CHECKING([how to create a $1 tar archive])
# Loop over all known methods to create a tar archive until one works.
_am_tools='gnutar m4_if([$1], [ustar], [plaintar]) pax cpio none'
_am_tools=${am_cv_prog_tar_$1-$_am_tools}
# Do not fold the above two line into one, because Tru64 sh and
# Solaris sh will not grok spaces in the rhs of `-'.
for _am_tool in $_am_tools
do
case $_am_tool in
gnutar)
for _am_tar in tar gnutar gtar;
do
AM_RUN_LOG([$_am_tar --version]) && break
done
am__tar="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$$tardir"'
am__tar_="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$tardir"'
am__untar="$_am_tar -xf -"
;;
plaintar)
# Must skip GNU tar: if it does not support --format= it doesn't create
# ustar tarball either.
(tar --version) >/dev/null 2>&1 && continue
am__tar='tar chf - "$$tardir"'
am__tar_='tar chf - "$tardir"'
am__untar='tar xf -'
;;
pax)
am__tar='pax -L -x $1 -w "$$tardir"'
am__tar_='pax -L -x $1 -w "$tardir"'
am__untar='pax -r'
;;
cpio)
am__tar='find "$$tardir" -print | cpio -o -H $1 -L'
am__tar_='find "$tardir" -print | cpio -o -H $1 -L'
am__untar='cpio -i -H $1 -d'
;;
none)
am__tar=false
am__tar_=false
am__untar=false
;;
esac

# If the value was cached, stop now. We just wanted to have am__tar
# and am__untar set.
test -n "${am_cv_prog_tar_$1}" && break

# tar/untar a dummy directory, and stop if the command works
rm -rf conftest.dir
mkdir conftest.dir
echo GrepMe > conftest.dir/file
AM_RUN_LOG([tardir=conftest.dir && eval $am__tar_ >conftest.tar])
rm -rf conftest.dir
if test -s conftest.tar; then
AM_RUN_LOG([$am__untar <conftest.tar])
grep GrepMe conftest.dir/file >/dev/null 2>&1 && break
fi
done
rm -rf conftest.dir

AC_CACHE_VAL([am_cv_prog_tar_$1], [am_cv_prog_tar_$1=$_am_tool])
AC_MSG_RESULT([$am_cv_prog_tar_$1])])
AC_SUBST([am__tar])
AC_SUBST([am__untar])
]) # _AM_PROG_TAR

m4_include([m4/libtool.m4])
m4_include([m4/ltoptions.m4])
m4_include([m4/ltsugar.m4])
m4_include([m4/ltversion.m4])
m4_include([m4/lt~obsolete.m4])
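Review bot: aclocal.m4 is generated output, not a source to review line by line; the `m4_include([m4/libtool.m4])` through `m4_include([m4/lt~obsolete.m4])` lines at the end of the hunk show it was assembled by aclocal from files under m4/. The import should carry those m4/ files alongside it and record the automake release that produced it, so the file can be regenerated and diffed against a clean run; marking it vendored in the commit, the way config.guess and config.sub are marked in this same commit, would also tell later readers that local edits to it are overwritten on regeneration.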
143
auto/compile
Executable file
@ -0,0 +1,143 @@
#! /bin/sh
# Wrapper for compilers which do not understand `-c -o'.

scriptversion=2009-10-06.20; # UTC

# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2009 Free Software
# Foundation, Inc.
# Written by Tom Tromey <tromey@cygnus.com>.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.

# This file is maintained in Automake, please report
# bugs to <bug-automake@gnu.org> or send patches to
# <automake-patches@gnu.org>.

case $1 in
'')
echo "$0: No command. Try \`$0 --help' for more information." 1>&2
exit 1;
;;
-h | --h*)
cat <<\EOF
Usage: compile [--help] [--version] PROGRAM [ARGS]

Wrapper for compilers which do not understand `-c -o'.
Remove `-o dest.o' from ARGS, run PROGRAM with the remaining
arguments, and rename the output as expected.

If you are trying to build a whole package this is not the
right script to run: please start by reading the file `INSTALL'.

Report bugs to <bug-automake@gnu.org>.
EOF
exit $?
;;
-v | --v*)
echo "compile $scriptversion"
exit $?
;;
esac

ofile=
cfile=
eat=

for arg
do
if test -n "$eat"; then
eat=
else
case $1 in
-o)
# configure might choose to run compile as `compile cc -o foo foo.c'.
# So we strip `-o arg' only if arg is an object.
eat=1
case $2 in
*.o | *.obj)
ofile=$2
;;
*)
set x "$@" -o "$2"
shift
;;
esac
;;
*.c)
cfile=$1
set x "$@" "$1"
shift
;;
*)
set x "$@" "$1"
shift
;;
esac
fi
shift
done

if test -z "$ofile" || test -z "$cfile"; then
# If no `-o' option was seen then we might have been invoked from a
# pattern rule where we don't need one. That is ok -- this is a
# normal compilation that the losing compiler can handle. If no
# `.c' file was seen then we are probably linking. That is also
# ok.
exec "$@"
fi

# Name of file we expect compiler to create.
cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'`

# Create the lock directory.
# Note: use `[/\\:.-]' here to ensure that we don't use the same name
# that we are using for the .o file. Also, base the name on the expected
# object file name, since that is what matters with a parallel build.
lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d
while true; do
if mkdir "$lockdir" >/dev/null 2>&1; then
break
fi
sleep 1
done
# FIXME: race condition here if user kills between mkdir and trap.
trap "rmdir '$lockdir'; exit 1" 1 2 15

# Run the compile.
"$@"
ret=$?

if test -f "$cofile"; then
test "$cofile" = "$ofile" || mv "$cofile" "$ofile"
elif test -f "${cofile}bj"; then
test "${cofile}bj" = "$ofile" || mv "${cofile}bj" "$ofile"
fi

rmdir "$lockdir"
exit $ret

# Local Variables:
# mode: shell-script
# sh-indentation: 2
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:
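Review bot: the lock taken in the `while true; do ... mkdir "$lockdir"` loop near the end of the hunk is only released by the `trap "rmdir '$lockdir'; exit 1" 1 2 15` installed after the loop, which the script's own FIXME already flags: a signal arriving between the successful `mkdir` and the `trap` leaves `$lockdir` behind, and every later invocation for the same object file then sleeps forever in that loop with no timeout and no diagnostic. The window can be closed by installing the trap before the loop and having the handler remove the directory only when a flag set right after the successful `mkdir` is present; since this is an unmodified automake helper (scriptversion=2009-10-06.20), that fix belongs upstream, and the import should just record which automake release the script was taken from.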
1522
auto/config.guess
vendored
Normal file
File diff suppressed because it is too large
1771
auto/config.sub
vendored
Normal file
File diff suppressed because it is too large
589
auto/depcomp
Executable file
@ -0,0 +1,589 @@
#! /bin/sh
# depcomp - compile a program generating dependencies as side-effects

scriptversion=2007-03-29.01

# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006, 2007 Free Software
# Foundation, Inc.

# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.

# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.

# Originally written by Alexandre Oliva <oliva@dcc.unicamp.br>.

case $1 in
'')
echo "$0: No command. Try \`$0 --help' for more information." 1>&2
exit 1;
;;
-h | --h*)
cat <<\EOF
Usage: depcomp [--help] [--version] PROGRAM [ARGS]

Run PROGRAMS ARGS to compile a file, generating dependencies
as side-effects.

Environment variables:
depmode Dependency tracking mode.
source Source file read by `PROGRAMS ARGS'.
object Object file output by `PROGRAMS ARGS'.
DEPDIR directory where to store dependencies.
depfile Dependency file to output.
tmpdepfile Temporary file to use when outputing dependencies.
libtool Whether libtool is used (yes/no).

Report bugs to <bug-automake@gnu.org>.
EOF
exit $?
;;
-v | --v*)
echo "depcomp $scriptversion"
exit $?
;;
esac

if test -z "$depmode" || test -z "$source" || test -z "$object"; then
echo "depcomp: Variables source, object and depmode must be set" 1>&2
exit 1
fi

# Dependencies for sub/bar.o or sub/bar.obj go into sub/.deps/bar.Po.
depfile=${depfile-`echo "$object" |
sed 's|[^\\/]*$|'${DEPDIR-.deps}'/&|;s|\.\([^.]*\)$|.P\1|;s|Pobj$|Po|'`}
tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}

rm -f "$tmpdepfile"

# Some modes work just like other modes, but use different flags. We
# parameterize here, but still list the modes in the big case below,
# to make depend.m4 easier to write. Note that we *cannot* use a case
# here, because this file can only contain one case statement.
if test "$depmode" = hp; then
# HP compiler uses -M and no extra arg.
gccflag=-M
depmode=gcc
fi

if test "$depmode" = dashXmstdout; then
# This is just like dashmstdout with a different argument.
dashmflag=-xM
depmode=dashmstdout
fi

case "$depmode" in
gcc3)
## gcc 3 implements dependency tracking that does exactly what
## we want. Yay! Note: for some reason libtool 1.4 doesn't like
## it if -MD -MP comes after the -MF stuff. Hmm.
## Unfortunately, FreeBSD c89 acceptance of flags depends upon
## the command line argument order; so add the flags where they
## appear in depend2.am. Note that the slowdown incurred here
## affects only configure: in makefiles, %FASTDEP% shortcuts this.
for arg
do
case $arg in
-c) set fnord "$@" -MT "$object" -MD -MP -MF "$tmpdepfile" "$arg" ;;
*) set fnord "$@" "$arg" ;;
esac
shift # fnord
shift # $arg
done
"$@"
stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile"
exit $stat
fi
mv "$tmpdepfile" "$depfile"
;;

gcc)
## There are various ways to get dependency output from gcc. Here's
## why we pick this rather obscure method:
## - Don't want to use -MD because we'd like the dependencies to end
## up in a subdir. Having to rename by hand is ugly.
## (We might end up doing this anyway to support other compilers.)
## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like
## -MM, not -M (despite what the docs say).
## - Using -M directly means running the compiler twice (even worse
## than renaming).
if test -z "$gccflag"; then
gccflag=-MD,
fi
"$@" -Wp,"$gccflag$tmpdepfile"
stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
echo "$object : \\" > "$depfile"
alpha=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
## The second -e expression handles DOS-style file names with drive letters.
sed -e 's/^[^:]*: / /' \
-e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile"
## This next piece of magic avoids the `deleted header file' problem.
## The problem is that when a header file which appears in a .P file
## is deleted, the dependency causes make to die (because there is
## typically no way to rebuild the header). We avoid this by adding
## dummy dependencies for each header file. Too bad gcc doesn't do
## this for us directly.
tr ' ' '
' < "$tmpdepfile" |
## Some versions of gcc put a space before the `:'. On the theory
## that the space means something, we add a space to the output as
## well.
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;

hp)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;

sgi)
if test "$libtool" = yes; then
"$@" "-Wp,-MDupdate,$tmpdepfile"
else
"$@" -MDupdate "$tmpdepfile"
fi
stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"

if test -f "$tmpdepfile"; then # yes, the sourcefile depend on other files
echo "$object : \\" > "$depfile"

# Clip off the initial element (the dependent). Don't try to be
# clever and replace this with sed code, as IRIX sed won't handle
# lines with more than a fixed number of characters (4096 in
# IRIX 6.2 sed, 8192 in IRIX 6.5). We also remove comment lines;
# the IRIX cc adds comments like `#:fec' to the end of the
# dependency line.
tr ' ' '
' < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \
tr '
' ' ' >> $depfile
echo >> $depfile

# The second pass generates a dummy entry for each header file.
tr ' ' '
' < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
>> $depfile
else
# The sourcefile does not contain any dependencies, so just
# store a dummy comment line, to avoid errors with the Makefile
# "include basename.Plo" scheme.
echo "#dummy" > "$depfile"
fi
rm -f "$tmpdepfile"
;;

aix)
# The C for AIX Compiler uses -M and outputs the dependencies
# in a .u file. In older versions, this file always lives in the
# current directory. Also, the AIX compiler puts `$object:' at the
# start of each line; $object doesn't have directory information.
# Version 6 uses the directory in both cases.
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
test "x$dir" = "x$object" && dir=
base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
if test "$libtool" = yes; then
tmpdepfile1=$dir$base.u
tmpdepfile2=$base.u
tmpdepfile3=$dir.libs/$base.u
"$@" -Wc,-M
else
tmpdepfile1=$dir$base.u
tmpdepfile2=$dir$base.u
tmpdepfile3=$dir$base.u
"$@" -M
fi
stat=$?

if test $stat -eq 0; then :
else
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
exit $stat
fi

for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
do
test -f "$tmpdepfile" && break
done
if test -f "$tmpdepfile"; then
# Each line is of the form `foo.o: dependent.h'.
# Do two passes, one to just change these to
# `$object: dependent.h' and one to simply `dependent.h:'.
|
||||||
|
sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
|
||||||
|
# That's a tab and a space in the [].
|
||||||
|
sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
|
||||||
|
else
|
||||||
|
# The sourcefile does not contain any dependencies, so just
|
||||||
|
# store a dummy comment line, to avoid errors with the Makefile
|
||||||
|
# "include basename.Plo" scheme.
|
||||||
|
echo "#dummy" > "$depfile"
|
||||||
|
fi
|
||||||
|
rm -f "$tmpdepfile"
|
||||||
|
;;
|
||||||
|
|
||||||
|
icc)
|
||||||
|
# Intel's C compiler understands `-MD -MF file'. However on
|
||||||
|
# icc -MD -MF foo.d -c -o sub/foo.o sub/foo.c
|
||||||
|
# ICC 7.0 will fill foo.d with something like
|
||||||
|
# foo.o: sub/foo.c
|
||||||
|
# foo.o: sub/foo.h
|
||||||
|
# which is wrong. We want:
|
||||||
|
# sub/foo.o: sub/foo.c
|
||||||
|
# sub/foo.o: sub/foo.h
|
||||||
|
# sub/foo.c:
|
||||||
|
# sub/foo.h:
|
||||||
|
# ICC 7.1 will output
|
||||||
|
# foo.o: sub/foo.c sub/foo.h
|
||||||
|
# and will wrap long lines using \ :
|
||||||
|
# foo.o: sub/foo.c ... \
|
||||||
|
# sub/foo.h ... \
|
||||||
|
# ...
|
||||||
|
|
||||||
|
"$@" -MD -MF "$tmpdepfile"
|
||||||
|
stat=$?
|
||||||
|
if test $stat -eq 0; then :
|
||||||
|
else
|
||||||
|
rm -f "$tmpdepfile"
|
||||||
|
exit $stat
|
||||||
|
fi
|
||||||
|
rm -f "$depfile"
|
||||||
|
# Each line is of the form `foo.o: dependent.h',
|
||||||
|
# or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'.
|
||||||
|
# Do two passes, one to just change these to
|
||||||
|
# `$object: dependent.h' and one to simply `dependent.h:'.
|
||||||
|
sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile"
|
||||||
|
# Some versions of the HPUX 10.20 sed can't process this invocation
|
||||||
|
# correctly. Breaking it into two sed invocations is a workaround.
|
||||||
|
sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" |
|
||||||
|
sed -e 's/$/ :/' >> "$depfile"
|
||||||
|
rm -f "$tmpdepfile"
|
||||||
|
;;
|
||||||
|
|
||||||
|
hp2)
|
||||||
|
# The "hp" stanza above does not work with aCC (C++) and HP's ia64
|
||||||
|
# compilers, which have integrated preprocessors. The correct option
|
||||||
|
# to use with these is +Maked; it writes dependencies to a file named
|
||||||
|
# 'foo.d', which lands next to the object file, wherever that
|
||||||
|
# happens to be.
|
||||||
|
# Much of this is similar to the tru64 case; see comments there.
|
||||||
|
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
|
||||||
|
test "x$dir" = "x$object" && dir=
|
||||||
|
base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
|
||||||
|
if test "$libtool" = yes; then
|
||||||
|
tmpdepfile1=$dir$base.d
|
||||||
|
tmpdepfile2=$dir.libs/$base.d
|
||||||
|
"$@" -Wc,+Maked
|
||||||
|
else
|
||||||
|
tmpdepfile1=$dir$base.d
|
||||||
|
tmpdepfile2=$dir$base.d
|
||||||
|
"$@" +Maked
|
||||||
|
fi
|
||||||
|
stat=$?
|
||||||
|
if test $stat -eq 0; then :
|
||||||
|
else
|
||||||
|
rm -f "$tmpdepfile1" "$tmpdepfile2"
|
||||||
|
exit $stat
|
||||||
|
fi
|
||||||
|
|
||||||
|
for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2"
|
||||||
|
do
|
||||||
|
test -f "$tmpdepfile" && break
|
||||||
|
done
|
||||||
|
if test -f "$tmpdepfile"; then
|
||||||
|
sed -e "s,^.*\.[a-z]*:,$object:," "$tmpdepfile" > "$depfile"
|
||||||
|
# Add `dependent.h:' lines.
|
||||||
|
sed -ne '2,${; s/^ *//; s/ \\*$//; s/$/:/; p;}' "$tmpdepfile" >> "$depfile"
|
||||||
|
else
|
||||||
|
echo "#dummy" > "$depfile"
|
||||||
|
fi
|
||||||
|
rm -f "$tmpdepfile" "$tmpdepfile2"
|
||||||
|
;;
|
||||||
|
|
||||||
|
tru64)
|
||||||
|
# The Tru64 compiler uses -MD to generate dependencies as a side
|
||||||
|
# effect. `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'.
|
||||||
|
# At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
|
||||||
|
# dependencies in `foo.d' instead, so we check for that too.
|
||||||
|
# Subdirectories are respected.
|
||||||
|
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
|
||||||
|
test "x$dir" = "x$object" && dir=
|
||||||
|
base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
|
||||||
|
|
||||||
|
if test "$libtool" = yes; then
|
||||||
|
# With Tru64 cc, shared objects can also be used to make a
|
||||||
|
# static library. This mechanism is used in libtool 1.4 series to
|
||||||
|
# handle both shared and static libraries in a single compilation.
|
||||||
|
# With libtool 1.4, dependencies were output in $dir.libs/$base.lo.d.
|
||||||
|
#
|
||||||
|
# With libtool 1.5 this exception was removed, and libtool now
|
||||||
|
# generates 2 separate objects for the 2 libraries. These two
|
||||||
|
# compilations output dependencies in $dir.libs/$base.o.d and
|
||||||
|
# in $dir$base.o.d. We have to check for both files, because
|
||||||
|
# one of the two compilations can be disabled. We should prefer
|
||||||
|
# $dir$base.o.d over $dir.libs/$base.o.d because the latter is
|
||||||
|
# automatically cleaned when .libs/ is deleted, while ignoring
|
||||||
|
# the former would cause a distcleancheck panic.
|
||||||
|
tmpdepfile1=$dir.libs/$base.lo.d # libtool 1.4
|
||||||
|
tmpdepfile2=$dir$base.o.d # libtool 1.5
|
||||||
|
tmpdepfile3=$dir.libs/$base.o.d # libtool 1.5
|
||||||
|
tmpdepfile4=$dir.libs/$base.d # Compaq CCC V6.2-504
|
||||||
|
"$@" -Wc,-MD
|
||||||
|
else
|
||||||
|
tmpdepfile1=$dir$base.o.d
|
||||||
|
tmpdepfile2=$dir$base.d
|
||||||
|
tmpdepfile3=$dir$base.d
|
||||||
|
tmpdepfile4=$dir$base.d
|
||||||
|
"$@" -MD
|
||||||
|
fi
|
||||||
|
|
||||||
|
stat=$?
|
||||||
|
if test $stat -eq 0; then :
|
||||||
|
else
|
||||||
|
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
|
||||||
|
exit $stat
|
||||||
|
fi
|
||||||
|
|
||||||
|
for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
|
||||||
|
do
|
||||||
|
test -f "$tmpdepfile" && break
|
||||||
|
done
|
||||||
|
if test -f "$tmpdepfile"; then
|
||||||
|
sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
|
||||||
|
# That's a tab and a space in the [].
|
||||||
|
sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
|
||||||
|
else
|
||||||
|
echo "#dummy" > "$depfile"
|
||||||
|
fi
|
||||||
|
rm -f "$tmpdepfile"
|
||||||
|
;;
|
||||||
|
|
||||||
|
#nosideeffect)
|
||||||
|
# This comment above is used by automake to tell side-effect
|
||||||
|
# dependency tracking mechanisms from slower ones.
|
||||||
|
|
||||||
|
dashmstdout)
|
||||||
|
# Important note: in order to support this mode, a compiler *must*
|
||||||
|
# always write the preprocessed file to stdout, regardless of -o.
|
||||||
|
"$@" || exit $?
|
||||||
|
|
||||||
|
# Remove the call to Libtool.
|
||||||
|
if test "$libtool" = yes; then
|
||||||
|
while test $1 != '--mode=compile'; do
|
||||||
|
shift
|
||||||
|
done
|
||||||
|
shift
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Remove `-o $object'.
|
||||||
|
IFS=" "
|
||||||
|
for arg
|
||||||
|
do
|
||||||
|
case $arg in
|
||||||
|
-o)
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
$object)
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
set fnord "$@" "$arg"
|
||||||
|
shift # fnord
|
||||||
|
shift # $arg
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
test -z "$dashmflag" && dashmflag=-M
|
||||||
|
# Require at least two characters before searching for `:'
|
||||||
|
# in the target name. This is to cope with DOS-style filenames:
|
||||||
|
# a dependency such as `c:/foo/bar' could be seen as target `c' otherwise.
|
||||||
|
"$@" $dashmflag |
|
||||||
|
sed 's:^[ ]*[^: ][^:][^:]*\:[ ]*:'"$object"'\: :' > "$tmpdepfile"
|
||||||
|
rm -f "$depfile"
|
||||||
|
cat < "$tmpdepfile" > "$depfile"
|
||||||
|
tr ' ' '
|
||||||
|
' < "$tmpdepfile" | \
|
||||||
|
## Some versions of the HPUX 10.20 sed can't process this invocation
|
||||||
|
## correctly. Breaking it into two sed invocations is a workaround.
|
||||||
|
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
|
||||||
|
rm -f "$tmpdepfile"
|
||||||
|
;;
|
||||||
|
|
||||||
|
dashXmstdout)
|
||||||
|
# This case only exists to satisfy depend.m4. It is never actually
|
||||||
|
# run, as this mode is specially recognized in the preamble.
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
|
||||||
|
makedepend)
|
||||||
|
"$@" || exit $?
|
||||||
|
# Remove any Libtool call
|
||||||
|
if test "$libtool" = yes; then
|
||||||
|
while test $1 != '--mode=compile'; do
|
||||||
|
shift
|
||||||
|
done
|
||||||
|
shift
|
||||||
|
fi
|
||||||
|
# X makedepend
|
||||||
|
shift
|
||||||
|
cleared=no
|
||||||
|
for arg in "$@"; do
|
||||||
|
case $cleared in
|
||||||
|
no)
|
||||||
|
set ""; shift
|
||||||
|
cleared=yes ;;
|
||||||
|
esac
|
||||||
|
case "$arg" in
|
||||||
|
-D*|-I*)
|
||||||
|
set fnord "$@" "$arg"; shift ;;
|
||||||
|
# Strip any option that makedepend may not understand. Remove
|
||||||
|
# the object too, otherwise makedepend will parse it as a source file.
|
||||||
|
-*|$object)
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
set fnord "$@" "$arg"; shift ;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
obj_suffix="`echo $object | sed 's/^.*\././'`"
|
||||||
|
touch "$tmpdepfile"
|
||||||
|
${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
|
||||||
|
rm -f "$depfile"
|
||||||
|
cat < "$tmpdepfile" > "$depfile"
|
||||||
|
sed '1,2d' "$tmpdepfile" | tr ' ' '
|
||||||
|
' | \
|
||||||
|
## Some versions of the HPUX 10.20 sed can't process this invocation
|
||||||
|
## correctly. Breaking it into two sed invocations is a workaround.
|
||||||
|
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
|
||||||
|
rm -f "$tmpdepfile" "$tmpdepfile".bak
|
||||||
|
;;
|
||||||
|
|
||||||
|
cpp)
|
||||||
|
# Important note: in order to support this mode, a compiler *must*
|
||||||
|
# always write the preprocessed file to stdout.
|
||||||
|
"$@" || exit $?
|
||||||
|
|
||||||
|
# Remove the call to Libtool.
|
||||||
|
if test "$libtool" = yes; then
|
||||||
|
while test $1 != '--mode=compile'; do
|
||||||
|
shift
|
||||||
|
done
|
||||||
|
shift
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Remove `-o $object'.
|
||||||
|
IFS=" "
|
||||||
|
for arg
|
||||||
|
do
|
||||||
|
case $arg in
|
||||||
|
-o)
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
$object)
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
set fnord "$@" "$arg"
|
||||||
|
shift # fnord
|
||||||
|
shift # $arg
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
"$@" -E |
|
||||||
|
sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
|
||||||
|
-e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' |
|
||||||
|
sed '$ s: \\$::' > "$tmpdepfile"
|
||||||
|
rm -f "$depfile"
|
||||||
|
echo "$object : \\" > "$depfile"
|
||||||
|
cat < "$tmpdepfile" >> "$depfile"
|
||||||
|
sed < "$tmpdepfile" '/^$/d;s/^ //;s/ \\$//;s/$/ :/' >> "$depfile"
|
||||||
|
rm -f "$tmpdepfile"
|
||||||
|
;;
|
||||||
|
|
||||||
|
msvisualcpp)
|
||||||
|
# Important note: in order to support this mode, a compiler *must*
|
||||||
|
# always write the preprocessed file to stdout, regardless of -o,
|
||||||
|
# because we must use -o when running libtool.
|
||||||
|
"$@" || exit $?
|
||||||
|
IFS=" "
|
||||||
|
for arg
|
||||||
|
do
|
||||||
|
case "$arg" in
|
||||||
|
"-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI")
|
||||||
|
set fnord "$@"
|
||||||
|
shift
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
set fnord "$@" "$arg"
|
||||||
|
shift
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
"$@" -E |
|
||||||
|
sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::echo "`cygpath -u \\"\1\\"`":p' | sort | uniq > "$tmpdepfile"
|
||||||
|
rm -f "$depfile"
|
||||||
|
echo "$object : \\" > "$depfile"
|
||||||
|
. "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s:: \1 \\:p' >> "$depfile"
|
||||||
|
echo " " >> "$depfile"
|
||||||
|
. "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::\1\::p' >> "$depfile"
|
||||||
|
rm -f "$tmpdepfile"
|
||||||
|
;;
|
||||||
|
|
||||||
|
none)
|
||||||
|
exec "$@"
|
||||||
|
;;
|
||||||
|
|
||||||
|
*)
|
||||||
|
echo "Unknown depmode $depmode" 1>&2
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
exit 0
|
||||||
|
|
||||||
|
# Local Variables:
|
||||||
|
# mode: shell-script
|
||||||
|
# sh-indentation: 2
|
||||||
|
# eval: (add-hook 'write-file-hooks 'time-stamp)
|
||||||
|
# time-stamp-start: "scriptversion="
|
||||||
|
# time-stamp-format: "%:y-%02m-%02d.%02H"
|
||||||
|
# time-stamp-end: "$"
|
||||||
|
# End:
|
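Review bot: the msvisualcpp stanza executes compiler output as shell code. The `sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::echo "`cygpath -u \\"\1\\"`":p'` line rewrites every `#line` file name into an `echo "`cygpath -u \"...\"`"` command, and the two `. "$tmpdepfile"` lines then source that file, so a quote, backtick or `$` inside a path that reached the preprocessor ends up interpreted by the shell rather than treated as data. Prefer writing the bare file names to `$tmpdepfile` and converting them with a read loop (`while read -r f; do cygpath -u "$f"; done < "$tmpdepfile"`) instead of sourcing a generated script. Minor, same hunk: the sgi stanza appends with an unquoted `>> $depfile` three times, while every other stanza quotes `"$depfile"`; a dependency file path containing whitespace would break only there.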
519
auto/install-sh
Executable file
@ -0,0 +1,519 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
# install - install a program, script, or datafile
|
||||||
|
|
||||||
|
scriptversion=2006-12-25.00
|
||||||
|
|
||||||
|
# This originates from X11R5 (mit/util/scripts/install.sh), which was
|
||||||
|
# later released in X11R6 (xc/config/util/install.sh) with the
|
||||||
|
# following copyright and license.
|
||||||
|
#
|
||||||
|
# Copyright (C) 1994 X Consortium
|
||||||
|
#
|
||||||
|
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||||
|
# of this software and associated documentation files (the "Software"), to
|
||||||
|
# deal in the Software without restriction, including without limitation the
|
||||||
|
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
|
||||||
|
# sell copies of the Software, and to permit persons to whom the Software is
|
||||||
|
# furnished to do so, subject to the following conditions:
|
||||||
|
#
|
||||||
|
# The above copyright notice and this permission notice shall be included in
|
||||||
|
# all copies or substantial portions of the Software.
|
||||||
|
#
|
||||||
|
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||||
|
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||||
|
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||||
|
# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
|
||||||
|
# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC-
|
||||||
|
# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||||
|
#
|
||||||
|
# Except as contained in this notice, the name of the X Consortium shall not
|
||||||
|
# be used in advertising or otherwise to promote the sale, use or other deal-
|
||||||
|
# ings in this Software without prior written authorization from the X Consor-
|
||||||
|
# tium.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# FSF changes to this file are in the public domain.
|
||||||
|
#
|
||||||
|
# Calling this script install-sh is preferred over install.sh, to prevent
|
||||||
|
# `make' implicit rules from creating a file called install from it
|
||||||
|
# when there is no Makefile.
|
||||||
|
#
|
||||||
|
# This script is compatible with the BSD install script, but was written
|
||||||
|
# from scratch.
|
||||||
|
|
||||||
|
nl='
|
||||||
|
'
|
||||||
|
IFS=" "" $nl"
|
||||||
|
|
||||||
|
# set DOITPROG to echo to test this script
|
||||||
|
|
||||||
|
# Don't use :- since 4.3BSD and earlier shells don't like it.
|
||||||
|
doit=${DOITPROG-}
|
||||||
|
if test -z "$doit"; then
|
||||||
|
doit_exec=exec
|
||||||
|
else
|
||||||
|
doit_exec=$doit
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Put in absolute file names if you don't have them in your path;
|
||||||
|
# or use environment vars.
|
||||||
|
|
||||||
|
chgrpprog=${CHGRPPROG-chgrp}
|
||||||
|
chmodprog=${CHMODPROG-chmod}
|
||||||
|
chownprog=${CHOWNPROG-chown}
|
||||||
|
cmpprog=${CMPPROG-cmp}
|
||||||
|
cpprog=${CPPROG-cp}
|
||||||
|
mkdirprog=${MKDIRPROG-mkdir}
|
||||||
|
mvprog=${MVPROG-mv}
|
||||||
|
rmprog=${RMPROG-rm}
|
||||||
|
stripprog=${STRIPPROG-strip}
|
||||||
|
|
||||||
|
posix_glob='?'
|
||||||
|
initialize_posix_glob='
|
||||||
|
test "$posix_glob" != "?" || {
|
||||||
|
if (set -f) 2>/dev/null; then
|
||||||
|
posix_glob=
|
||||||
|
else
|
||||||
|
posix_glob=:
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
'
|
||||||
|
|
||||||
|
posix_mkdir=
|
||||||
|
|
||||||
|
# Desired mode of installed file.
|
||||||
|
mode=0755
|
||||||
|
|
||||||
|
chgrpcmd=
|
||||||
|
chmodcmd=$chmodprog
|
||||||
|
chowncmd=
|
||||||
|
mvcmd=$mvprog
|
||||||
|
rmcmd="$rmprog -f"
|
||||||
|
stripcmd=
|
||||||
|
|
||||||
|
src=
|
||||||
|
dst=
|
||||||
|
dir_arg=
|
||||||
|
dst_arg=
|
||||||
|
|
||||||
|
copy_on_change=false
|
||||||
|
no_target_directory=
|
||||||
|
|
||||||
|
usage="\
|
||||||
|
Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
|
||||||
|
or: $0 [OPTION]... SRCFILES... DIRECTORY
|
||||||
|
or: $0 [OPTION]... -t DIRECTORY SRCFILES...
|
||||||
|
or: $0 [OPTION]... -d DIRECTORIES...
|
||||||
|
|
||||||
|
In the 1st form, copy SRCFILE to DSTFILE.
|
||||||
|
In the 2nd and 3rd, copy all SRCFILES to DIRECTORY.
|
||||||
|
In the 4th, create DIRECTORIES.
|
||||||
|
|
||||||
|
Options:
|
||||||
|
--help display this help and exit.
|
||||||
|
--version display version info and exit.
|
||||||
|
|
||||||
|
-c (ignored)
|
||||||
|
-C install only if different (preserve the last data modification time)
|
||||||
|
-d create directories instead of installing files.
|
||||||
|
-g GROUP $chgrpprog installed files to GROUP.
|
||||||
|
-m MODE $chmodprog installed files to MODE.
|
||||||
|
-o USER $chownprog installed files to USER.
|
||||||
|
-s $stripprog installed files.
|
||||||
|
-t DIRECTORY install into DIRECTORY.
|
||||||
|
-T report an error if DSTFILE is a directory.
|
||||||
|
|
||||||
|
Environment variables override the default commands:
|
||||||
|
CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG
|
||||||
|
RMPROG STRIPPROG
|
||||||
|
"
|
||||||
|
|
||||||
|
while test $# -ne 0; do
|
||||||
|
case $1 in
|
||||||
|
-c) ;;
|
||||||
|
|
||||||
|
-C) copy_on_change=true;;
|
||||||
|
|
||||||
|
-d) dir_arg=true;;
|
||||||
|
|
||||||
|
-g) chgrpcmd="$chgrpprog $2"
|
||||||
|
shift;;
|
||||||
|
|
||||||
|
--help) echo "$usage"; exit $?;;
|
||||||
|
|
||||||
|
-m) mode=$2
|
||||||
|
case $mode in
|
||||||
|
*' '* | *' '* | *'
|
||||||
|
'* | *'*'* | *'?'* | *'['*)
|
||||||
|
echo "$0: invalid mode: $mode" >&2
|
||||||
|
exit 1;;
|
||||||
|
esac
|
||||||
|
shift;;
|
||||||
|
|
||||||
|
-o) chowncmd="$chownprog $2"
|
||||||
|
shift;;
|
||||||
|
|
||||||
|
-s) stripcmd=$stripprog;;
|
||||||
|
|
||||||
|
-t) dst_arg=$2
|
||||||
|
shift;;
|
||||||
|
|
||||||
|
-T) no_target_directory=true;;
|
||||||
|
|
||||||
|
--version) echo "$0 $scriptversion"; exit $?;;
|
||||||
|
|
||||||
|
--) shift
|
||||||
|
break;;
|
||||||
|
|
||||||
|
-*) echo "$0: invalid option: $1" >&2
|
||||||
|
exit 1;;
|
||||||
|
|
||||||
|
*) break;;
|
||||||
|
esac
|
||||||
|
shift
|
||||||
|
done
|
||||||
|
|
||||||
|
if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
|
||||||
|
# When -d is used, all remaining arguments are directories to create.
|
||||||
|
# When -t is used, the destination is already specified.
|
||||||
|
# Otherwise, the last argument is the destination. Remove it from $@.
|
||||||
|
for arg
|
||||||
|
do
|
||||||
|
if test -n "$dst_arg"; then
|
||||||
|
# $@ is not empty: it contains at least $arg.
|
||||||
|
set fnord "$@" "$dst_arg"
|
||||||
|
shift # fnord
|
||||||
|
fi
|
||||||
|
shift # arg
|
||||||
|
dst_arg=$arg
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
|
if test $# -eq 0; then
|
||||||
|
if test -z "$dir_arg"; then
|
||||||
|
echo "$0: no input file specified." >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
# It's OK to call `install-sh -d' without argument.
|
||||||
|
# This can happen when creating conditional directories.
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
if test -z "$dir_arg"; then
|
||||||
|
trap '(exit $?); exit' 1 2 13 15
|
||||||
|
|
||||||
|
# Set umask so as not to create temps with too-generous modes.
|
||||||
|
# However, 'strip' requires both read and write access to temps.
|
||||||
|
case $mode in
|
||||||
|
# Optimize common cases.
|
||||||
|
*644) cp_umask=133;;
|
||||||
|
*755) cp_umask=22;;
|
||||||
|
|
||||||
|
*[0-7])
|
||||||
|
if test -z "$stripcmd"; then
|
||||||
|
u_plus_rw=
|
||||||
|
else
|
||||||
|
u_plus_rw='% 200'
|
||||||
|
fi
|
||||||
|
cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;;
|
||||||
|
*)
|
||||||
|
if test -z "$stripcmd"; then
|
||||||
|
u_plus_rw=
|
||||||
|
else
|
||||||
|
u_plus_rw=,u+rw
|
||||||
|
fi
|
||||||
|
cp_umask=$mode$u_plus_rw;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
|
||||||
|
for src
|
||||||
|
do
|
||||||
|
# Protect names starting with `-'.
|
||||||
|
case $src in
|
||||||
|
-*) src=./$src;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
if test -n "$dir_arg"; then
|
||||||
|
dst=$src
|
||||||
|
dstdir=$dst
|
||||||
|
test -d "$dstdir"
|
||||||
|
dstdir_status=$?
|
||||||
|
else
|
||||||
|
|
||||||
|
# Waiting for this to be detected by the "$cpprog $src $dsttmp" command
|
||||||
|
# might cause directories to be created, which would be especially bad
|
||||||
|
# if $src (and thus $dsttmp) contains '*'.
|
||||||
|
if test ! -f "$src" && test ! -d "$src"; then
|
||||||
|
echo "$0: $src does not exist." >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if test -z "$dst_arg"; then
|
||||||
|
echo "$0: no destination specified." >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
dst=$dst_arg
|
||||||
|
# Protect names starting with `-'.
|
||||||
|
case $dst in
|
||||||
|
-*) dst=./$dst;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
# If destination is a directory, append the input filename; won't work
|
||||||
|
# if double slashes aren't ignored.
|
||||||
|
if test -d "$dst"; then
|
||||||
|
if test -n "$no_target_directory"; then
|
||||||
|
echo "$0: $dst_arg: Is a directory" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
dstdir=$dst
|
||||||
|
dst=$dstdir/`basename "$src"`
|
||||||
|
dstdir_status=0
|
||||||
|
else
|
||||||
|
# Prefer dirname, but fall back on a substitute if dirname fails.
|
||||||
|
dstdir=`
|
||||||
|
(dirname "$dst") 2>/dev/null ||
|
||||||
|
expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
|
||||||
|
X"$dst" : 'X\(//\)[^/]' \| \
|
||||||
|
X"$dst" : 'X\(//\)$' \| \
|
||||||
|
X"$dst" : 'X\(/\)' \| . 2>/dev/null ||
|
||||||
|
echo X"$dst" |
|
||||||
|
sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
|
||||||
|
s//\1/
|
||||||
|
q
|
||||||
|
}
|
||||||
|
/^X\(\/\/\)[^/].*/{
|
||||||
|
s//\1/
|
||||||
|
q
|
||||||
|
}
|
||||||
|
/^X\(\/\/\)$/{
|
||||||
|
s//\1/
|
||||||
|
q
|
||||||
|
}
|
||||||
|
/^X\(\/\).*/{
|
||||||
|
s//\1/
|
||||||
|
q
|
||||||
|
}
|
||||||
|
s/.*/./; q'
|
||||||
|
`
|
||||||
|
|
||||||
|
test -d "$dstdir"
|
||||||
|
dstdir_status=$?
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
obsolete_mkdir_used=false
|
||||||
|
|
||||||
|
if test $dstdir_status != 0; then
|
||||||
|
case $posix_mkdir in
|
||||||
|
'')
|
||||||
|
# Create intermediate dirs using mode 755 as modified by the umask.
|
||||||
|
# This is like FreeBSD 'install' as of 1997-10-28.
|
||||||
|
umask=`umask`
|
||||||
|
case $stripcmd.$umask in
|
||||||
|
# Optimize common cases.
|
||||||
|
*[2367][2367]) mkdir_umask=$umask;;
|
||||||
|
.*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;
|
||||||
|
|
||||||
|
*[0-7])
|
||||||
|
mkdir_umask=`expr $umask + 22 \
|
||||||
|
- $umask % 100 % 40 + $umask % 20 \
|
||||||
|
- $umask % 10 % 4 + $umask % 2
|
||||||
|
`;;
|
||||||
|
*) mkdir_umask=$umask,go-w;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
# With -d, create the new directory with the user-specified mode.
|
||||||
|
# Otherwise, rely on $mkdir_umask.
|
||||||
|
if test -n "$dir_arg"; then
|
||||||
|
mkdir_mode=-m$mode
|
||||||
|
else
|
||||||
|
mkdir_mode=
|
||||||
|
fi
|
||||||
|
|
||||||
|
posix_mkdir=false
|
||||||
|
case $umask in
|
||||||
|
*[123567][0-7][0-7])
|
||||||
|
# POSIX mkdir -p sets u+wx bits regardless of umask, which
|
||||||
|
# is incompatible with FreeBSD 'install' when (umask & 300) != 0.
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
|
||||||
|
trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
|
||||||
|
|
||||||
|
if (umask $mkdir_umask &&
|
||||||
|
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
if test -z "$dir_arg" || {
|
||||||
|
# Check for POSIX incompatibilities with -m.
|
||||||
|
# HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
|
||||||
|
# other-writeable bit of parent directory when it shouldn't.
|
||||||
|
# FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
|
||||||
|
ls_ld_tmpdir=`ls -ld "$tmpdir"`
|
||||||
|
case $ls_ld_tmpdir in
|
||||||
|
d????-?r-*) different_mode=700;;
|
||||||
|
d????-?--*) different_mode=755;;
|
||||||
|
*) false;;
|
||||||
|
esac &&
|
||||||
|
$mkdirprog -m$different_mode -p -- "$tmpdir" && {
|
||||||
|
ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
|
||||||
|
test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
then posix_mkdir=:
|
||||||
|
fi
|
||||||
|
rmdir "$tmpdir/d" "$tmpdir"
|
||||||
|
else
|
||||||
|
# Remove any dirs left behind by ancient mkdir implementations.
|
||||||
|
rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
|
||||||
|
fi
|
||||||
|
trap '' 0;;
|
||||||
|
esac;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
if
|
||||||
|
$posix_mkdir && (
|
||||||
|
umask $mkdir_umask &&
|
||||||
|
$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir"
|
||||||
|
)
|
||||||
|
then :
|
||||||
|
else
|
||||||
|
|
||||||
|
# The umask is ridiculous, or mkdir does not conform to POSIX,
|
||||||
|
# or it failed possibly due to a race condition. Create the
|
||||||
|
# directory the slow way, step by step, checking for races as we go.
|
||||||
|
|
||||||
|
case $dstdir in
|
||||||
|
/*) prefix='/';;
|
||||||
|
-*) prefix='./';;
|
||||||
|
*) prefix='';;
|
||||||
|
esac
|
||||||
|
|
||||||
|
eval "$initialize_posix_glob"
|
||||||
|
|
||||||
|
oIFS=$IFS
|
||||||
|
IFS=/
|
||||||
|
$posix_glob set -f
|
||||||
|
set fnord $dstdir
|
||||||
|
shift
|
||||||
|
$posix_glob set +f
|
||||||
|
IFS=$oIFS
|
||||||
|
|
||||||
|
prefixes=
|
||||||
|
|
||||||
|
for d
|
||||||
|
do
|
||||||
|
test -z "$d" && continue
|
||||||
|
|
||||||
|
prefix=$prefix$d
|
||||||
|
if test -d "$prefix"; then
|
||||||
|
prefixes=
|
||||||
|
else
|
||||||
|
if $posix_mkdir; then
|
||||||
|
(umask=$mkdir_umask &&
|
||||||
|
$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
|
||||||
|
# Don't fail if two instances are running concurrently.
|
||||||
|
test -d "$prefix" || exit 1
|
||||||
|
else
|
||||||
|
case $prefix in
|
||||||
|
*\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;;
|
||||||
|
*) qprefix=$prefix;;
|
||||||
|
esac
|
||||||
|
prefixes="$prefixes '$qprefix'"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
prefix=$prefix/
|
||||||
|
done
|
||||||
|
|
||||||
|
if test -n "$prefixes"; then
|
||||||
|
# Don't fail if two instances are running concurrently.
|
||||||
|
(umask $mkdir_umask &&
|
||||||
|
eval "\$doit_exec \$mkdirprog $prefixes") ||
|
||||||
|
test -d "$dstdir" || exit 1
|
||||||
|
obsolete_mkdir_used=true
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if test -n "$dir_arg"; then
|
||||||
|
{ test -z "$chowncmd" || $doit $chowncmd "$dst"; } &&
|
||||||
|
{ test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } &&
|
||||||
|
{ test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false ||
|
||||||
|
test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1
|
||||||
|
else
|
||||||
|
|
||||||
|
# Make a couple of temp file names in the proper directory.
|
||||||
|
dsttmp=$dstdir/_inst.$$_
|
||||||
|
rmtmp=$dstdir/_rm.$$_
|
||||||
|
|
||||||
|
# Trap to clean up those temp files at exit.
|
||||||
|
trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
|
||||||
|
|
||||||
|
# Copy the file name to the temp name.
|
||||||
|
(umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") &&
|
||||||
|
|
||||||
|
# and set any options; do chmod last to preserve setuid bits.
|
||||||
|
#
|
||||||
|
# If any of these fail, we abort the whole thing. If we want to
|
||||||
|
# ignore errors from any of these, just make sure not to ignore
|
||||||
|
# errors from the above "$doit $cpprog $src $dsttmp" command.
#
{ test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } &&
{ test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } &&
{ test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } &&
{ test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } &&

# If -C, don't bother to copy if it wouldn't change the file.
if $copy_on_change &&
old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` &&
new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` &&

eval "$initialize_posix_glob" &&
$posix_glob set -f &&
set X $old && old=:$2:$4:$5:$6 &&
set X $new && new=:$2:$4:$5:$6 &&
$posix_glob set +f &&

test "$old" = "$new" &&
$cmpprog "$dst" "$dsttmp" >/dev/null 2>&1
then
rm -f "$dsttmp"
else
# Rename the file to the real destination.
$doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null ||

# The rename failed, perhaps because mv can't rename something else
# to itself, or perhaps because mv is so ancient that it does not
# support -f.
{
# Now remove or move aside any old file at destination location.
# We try this two ways since rm can't unlink itself on some
# systems and the destination file might be busy for other
# reasons. In this case, the final cleanup might fail but the new
# file should still install successfully.
{
test ! -f "$dst" ||
$doit $rmcmd -f "$dst" 2>/dev/null ||
{ $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
{ $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }
} ||
{ echo "$0: cannot unlink or rename $dst" >&2
(exit 1); exit 1
}
} &&

# Now rename the file to the real destination.
$doit $mvcmd "$dsttmp" "$dst"
}
fi || exit 1

trap '' 0
fi
done

# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# End:
8413
auto/ltmain.sh
Executable file
File diff suppressed because it is too large
367
auto/missing
Executable file
@ -0,0 +1,367 @@
#! /bin/sh
# Common stub for a few missing GNU programs while installing.

scriptversion=2006-05-10.23

# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006
# Free Software Foundation, Inc.
# Originally by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.

# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.

# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.

if test $# -eq 0; then
echo 1>&2 "Try \`$0 --help' for more information"
exit 1
fi

run=:
sed_output='s/.* --output[ =]\([^ ]*\).*/\1/p'
sed_minuso='s/.* -o \([^ ]*\).*/\1/p'

# In the cases where this matters, `missing' is being run in the
# srcdir already.
if test -f configure.ac; then
configure_ac=configure.ac
else
configure_ac=configure.in
fi

msg="missing on your system"

case $1 in
--run)
# Try to run requested program, and just exit if it succeeds.
run=
shift
"$@" && exit 0
# Exit code 63 means version mismatch. This often happens
# when the user try to use an ancient version of a tool on
# a file that requires a minimum version. In this case we
# we should proceed has if the program had been absent, or
# if --run hadn't been passed.
if test $? = 63; then
run=:
msg="probably too old"
fi
;;

-h|--h|--he|--hel|--help)
echo "\
$0 [OPTION]... PROGRAM [ARGUMENT]...

Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an
error status if there is no known handling for PROGRAM.

Options:
-h, --help display this help and exit
-v, --version output version information and exit
--run try to run the given command, and emulate it if it fails

Supported PROGRAM values:
aclocal touch file \`aclocal.m4'
autoconf touch file \`configure'
autoheader touch file \`config.h.in'
autom4te touch the output file, or create a stub one
automake touch all \`Makefile.in' files
bison create \`y.tab.[ch]', if possible, from existing .[ch]
flex create \`lex.yy.c', if possible, from existing .c
help2man touch the output file
lex create \`lex.yy.c', if possible, from existing .c
makeinfo touch the output file
tar try tar, gnutar, gtar, then tar without non-portable flags
yacc create \`y.tab.[ch]', if possible, from existing .[ch]

Send bug reports to <bug-automake@gnu.org>."
exit $?
;;

-v|--v|--ve|--ver|--vers|--versi|--versio|--version)
echo "missing $scriptversion (GNU Automake)"
exit $?
;;

-*)
echo 1>&2 "$0: Unknown \`$1' option"
echo 1>&2 "Try \`$0 --help' for more information"
exit 1
;;

esac

# Now exit if we have it, but it failed. Also exit now if we
# don't have it and --version was passed (most likely to detect
# the program).
case $1 in
lex|yacc)
# Not GNU programs, they don't have --version.
;;

tar)
if test -n "$run"; then
echo 1>&2 "ERROR: \`tar' requires --run"
exit 1
elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
exit 1
fi
;;

*)
if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
# We have it, but it failed.
exit 1
elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
# Could not run --version or --help. This is probably someone
# running `$TOOL --version' or `$TOOL --help' to check whether
# $TOOL exists and not knowing $TOOL uses missing.
exit 1
fi
;;
esac

# If it does not exist, or fails to run (possibly an outdated version),
# try to emulate it.
case $1 in
aclocal*)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified \`acinclude.m4' or \`${configure_ac}'. You might want
to install the \`Automake' and \`Perl' packages. Grab them from
any GNU archive site."
touch aclocal.m4
;;

autoconf)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified \`${configure_ac}'. You might want to install the
\`Autoconf' and \`GNU m4' packages. Grab them from any GNU
archive site."
touch configure
;;

autoheader)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified \`acconfig.h' or \`${configure_ac}'. You might want
to install the \`Autoconf' and \`GNU m4' packages. Grab them
from any GNU archive site."
files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' ${configure_ac}`
test -z "$files" && files="config.h"
touch_files=
for f in $files; do
case $f in
*:*) touch_files="$touch_files "`echo "$f" |
sed -e 's/^[^:]*://' -e 's/:.*//'`;;
*) touch_files="$touch_files $f.in";;
esac
done
touch $touch_files
;;

automake*)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified \`Makefile.am', \`acinclude.m4' or \`${configure_ac}'.
You might want to install the \`Automake' and \`Perl' packages.
Grab them from any GNU archive site."
find . -type f -name Makefile.am -print |
sed 's/\.am$/.in/' |
while read f; do touch "$f"; done
;;

autom4te)
echo 1>&2 "\
WARNING: \`$1' is needed, but is $msg.
You might have modified some files without having the
proper tools for further handling them.
You can get \`$1' as part of \`Autoconf' from any GNU
archive site."

file=`echo "$*" | sed -n "$sed_output"`
test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
if test -f "$file"; then
touch $file
else
test -z "$file" || exec >$file
echo "#! /bin/sh"
echo "# Created by GNU Automake missing as a replacement of"
echo "# $ $@"
echo "exit 0"
chmod +x $file
exit 1
fi
;;

bison|yacc)
echo 1>&2 "\
WARNING: \`$1' $msg. You should only need it if
you modified a \`.y' file. You may need the \`Bison' package
in order for those modifications to take effect. You can get
\`Bison' from any GNU archive site."
rm -f y.tab.c y.tab.h
if test $# -ne 1; then
eval LASTARG="\${$#}"
case $LASTARG in
*.y)
SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'`
if test -f "$SRCFILE"; then
cp "$SRCFILE" y.tab.c
fi
SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'`
if test -f "$SRCFILE"; then
cp "$SRCFILE" y.tab.h
fi
;;
esac
fi
if test ! -f y.tab.h; then
echo >y.tab.h
fi
if test ! -f y.tab.c; then
echo 'main() { return 0; }' >y.tab.c
fi
;;

lex|flex)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified a \`.l' file. You may need the \`Flex' package
in order for those modifications to take effect. You can get
\`Flex' from any GNU archive site."
rm -f lex.yy.c
if test $# -ne 1; then
eval LASTARG="\${$#}"
case $LASTARG in
*.l)
SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'`
if test -f "$SRCFILE"; then
cp "$SRCFILE" lex.yy.c
fi
;;
esac
fi
if test ! -f lex.yy.c; then
echo 'main() { return 0; }' >lex.yy.c
fi
;;

help2man)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified a dependency of a manual page. You may need the
\`Help2man' package in order for those modifications to take
effect. You can get \`Help2man' from any GNU archive site."

file=`echo "$*" | sed -n "$sed_output"`
test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
if test -f "$file"; then
touch $file
else
test -z "$file" || exec >$file
echo ".ab help2man is required to generate this page"
exit 1
fi
;;

makeinfo)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified a \`.texi' or \`.texinfo' file, or any other file
indirectly affecting the aspect of the manual. The spurious
call might also be the consequence of using a buggy \`make' (AIX,
DU, IRIX). You might want to install the \`Texinfo' package or
the \`GNU make' package. Grab either from any GNU archive site."
# The file to touch is that specified with -o ...
file=`echo "$*" | sed -n "$sed_output"`
test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
if test -z "$file"; then
# ... or it is the one specified with @setfilename ...
infile=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'`
file=`sed -n '
/^@setfilename/{
s/.* \([^ ]*\) *$/\1/
p
q
}' $infile`
# ... or it is derived from the source name (dir/f.texi becomes f.info)
test -z "$file" && file=`echo "$infile" | sed 's,.*/,,;s,.[^.]*$,,'`.info
fi
# If the file does not exist, the user really needs makeinfo;
# let's fail without touching anything.
test -f $file || exit 1
touch $file
;;

tar)
shift

# We have already tried tar in the generic part.
# Look for gnutar/gtar before invocation to avoid ugly error
# messages.
if (gnutar --version > /dev/null 2>&1); then
gnutar "$@" && exit 0
fi
if (gtar --version > /dev/null 2>&1); then
gtar "$@" && exit 0
fi
firstarg="$1"
if shift; then
case $firstarg in
*o*)
firstarg=`echo "$firstarg" | sed s/o//`
tar "$firstarg" "$@" && exit 0
;;
esac
case $firstarg in
*h*)
firstarg=`echo "$firstarg" | sed s/h//`
tar "$firstarg" "$@" && exit 0
;;
esac
fi

echo 1>&2 "\
WARNING: I can't seem to be able to run \`tar' with the given arguments.
You may want to install GNU tar or Free paxutils, or check the
command line arguments."
exit 1
;;

*)
echo 1>&2 "\
WARNING: \`$1' is needed, and is $msg.
You might have modified some files without having the
proper tools for further handling them. Check the \`README' file,
it often tells you about the needed prerequisites for installing
this package. You may also peek at any GNU archive site, in case
some other package would contain this missing \`$1' program."
exit 1
;;
esac

exit 0

# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# End:
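Review bot: `auto/missing` (with `scriptversion=2006-05-10.23`) is a vendored Automake helper rather than project code; it is better regenerated at release time with `automake --add-missing --copy`, so that it matches the Automake that produced the `Makefile.in` files, than committed by hand, and a sentence in the README or the release script saying that `auto/` is generated would save reviewers from reading it line by line. The same applies to the other `auto/` helpers in this commit, including the `auto/ltmain.sh` diff that was too large to display.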
28
build-android.sh
Executable file
@ -0,0 +1,28 @@
#!/bin/sh
set -ev
VERSION=4.53
DST=stunnel-$VERSION-android

# to build Zlib:
# export CHOST=arm-linux-androideabi
# ./configure --static --prefix=/opt/androideabi/sysroot
# make
# make install

# to build OpenSSL:
# export CC=arm-linux-androideabi-gcc
# ./Configure linux-armv4 threads no-shared zlib no-dso --openssldir=/opt/androideabi/sysroot
# make
# make install

./configure --build=i686-pc-linux-gnu --host=arm-linux-androideabi --prefix=/data/local --with-ssl=/opt/androideabi/sysroot
make clean
make
mkdir $DST
cp src/stunnel /opt/androideabi/sysroot/bin/openssl $DST
# arm-linux-androideabi-strip $DST/stunnel $DST/openssl
arm-linux-androideabi-strip $DST/openssl
zip -r $DST.zip $DST
rm -rf $DST
sha256sum $DST.zip
mv $DST.zip ../dist/
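Review bot: `sha256sum $DST.zip` only prints the digest to the terminal, and the next line moves the archive to `../dist/` without it; writing the digest to a file that travels with the artifact (for example `sha256sum $DST.zip > $DST.zip.sha256` followed by `mv $DST.zip $DST.zip.sha256 ../dist/`) would let anyone who downloads the Android build verify it against what the release machine produced. Two smaller points in the same script: `VERSION=4.53` is a third copy of the version already carried by `AC_INIT([stunnel],[4.53])` and `AM_INIT_AUTOMAKE(stunnel, 4.53)` in configure.ac, so every release now has three places to update; and the commented-out `# arm-linux-androideabi-strip $DST/stunnel $DST/openssl` directly above the live `arm-linux-androideabi-strip $DST/openssl` leaves it unclear whether shipping an unstripped stunnel binary is intentional, which a short comment would settle.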
494
configure.ac
Normal file
@ -0,0 +1,494 @@
# Process this file with autoconf to produce a configure script.

AC_INIT([stunnel],[4.53])
AC_MSG_NOTICE([**************************************** initialization])
AC_CONFIG_AUX_DIR(auto)
AC_CONFIG_MACRO_DIR([m4])
AM_INIT_AUTOMAKE(stunnel, 4.53)
AC_CONFIG_HEADERS([src/config.h])
AC_CONFIG_SRCDIR([src/stunnel.c])
AC_DEFINE([_GNU_SOURCE], [1], [Use GNU source])

AC_CANONICAL_HOST
AC_SUBST([host])
AC_DEFINE_UNQUOTED([HOST], ["$host"], [Host description])
define([esc], [`echo ]$1[ | tr abcdefghijklmnopqrstuvwxyz.- ABCDEFGHIJKLMNOPQRSTUVWXYZ__ | tr -dc ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_`])
AC_DEFINE_UNQUOTED(esc(CPU_$host_cpu))
AC_DEFINE_UNQUOTED(esc(VENDOR_$host_vendor))
AC_DEFINE_UNQUOTED(esc(OS_$host_os))

AC_PROG_CC
AM_PROG_CC_C_O
AC_PROG_INSTALL
AC_PROG_MAKE_SET

# Checks for typedefs, structures, and compiler characteristics
# AC_C_CONST
# AC_TYPE_SIZE_T
# AC_TYPE_PID_T
# AC_HEADER_TIME

AC_MSG_NOTICE([**************************************** compiler/linker flags])
AC_SUBST([stunnel_LDFLAGS])

AC_MSG_CHECKING([whether $CC accepts -pthread])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -pthread"
valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -pthread"
AC_LINK_IFELSE([int main() {return 0;}],
[
AC_MSG_RESULT([yes])
AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -pthread"])
AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -pthread"])
], [
AC_MSG_RESULT([no])
])
CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS"

AC_MSG_CHECKING([whether $CC accepts -fstack-protector])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -fstack-protector"
valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -fstack-protector"
AC_LINK_IFELSE([int main() {return 0;}],
[
AC_MSG_RESULT([yes])
AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -fstack-protector"])
AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -fstack-protector"])
], [
AC_MSG_RESULT([no])
])
CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS"

AC_MSG_CHECKING([whether $CC accepts -pie])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -fPIE"
valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -pie -fPIE"
AC_LINK_IFELSE([int main() {return 0;}],
[
AC_MSG_RESULT([yes])
AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -fPIE"])
AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -pie -fPIE"])
], [
AC_MSG_RESULT([no])
])
CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS"

AC_MSG_CHECKING([whether $CC accepts -Wall])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wall"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])

AC_MSG_CHECKING([whether $CC accepts -Wextra])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wextra"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])

AC_MSG_CHECKING([whether $CC accepts -Wno-long-long])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wno-long-long"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])

AC_MSG_CHECKING([whether $CC accepts -pedantic])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -pedantic"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])

AC_MSG_NOTICE([**************************************** libtool])
LT_INIT([disable-static])
AC_SUBST([LIBTOOL_DEPS])

AC_MSG_NOTICE([**************************************** types])
AC_CHECK_SIZEOF(unsigned char)
AC_CHECK_SIZEOF(unsigned short)
AC_CHECK_SIZEOF(unsigned int)
AC_CHECK_SIZEOF(unsigned long)

AC_MSG_CHECKING([for socklen_t])
AC_EGREP_HEADER(socklen_t, sys/socket.h,
AC_MSG_RESULT([yes]),
AC_MSG_RESULT([no (defined as int)])
AC_DEFINE([socklen_t], [int], [Type of socklen_t]))

AC_CHECK_TYPES([struct sockaddr_un], [], [], [#include <sys/un.h>])
AC_CHECK_TYPES([struct addrinfo], [], [], [#include <netdb.h>])

AC_MSG_NOTICE([**************************************** PTY device files])
if test "$cross_compiling" = "no"; then
AC_CHECK_FILE("/dev/ptmx", AC_DEFINE([HAVE_DEV_PTMX], [1],
[Define to 1 if you have '/dev/ptmx' device.]))
AC_CHECK_FILE("/dev/ptc", AC_DEFINE([HAVE_DEV_PTS_AND_PTC], [1],
[Define to 1 if you have '/dev/ptc' device.]))
else
AC_MSG_WARN([cross-compilation: assuming /dev/ptmx and /dev/ptc are not available])
fi

AC_MSG_NOTICE([**************************************** entropy sources])

if test "$cross_compiling" = "no"; then
AC_ARG_WITH(egd-socket,
[ --with-egd-socket=FILE Entropy Gathering Daemon socket path],
[EGD_SOCKET="$withval"]
)
if test -n "$EGD_SOCKET"; then
AC_DEFINE_UNQUOTED([EGD_SOCKET], ["$EGD_SOCKET"], [Entropy Gathering Daemon socket path])
fi

# Check for user-specified random device
AC_ARG_WITH(random,
[ --with-random=FILE read randomness from file (default=/dev/urandom)],
[RANDOM_FILE="$withval"],
[
# Check for random device
AC_CHECK_FILE("/dev/urandom", RANDOM_FILE="/dev/urandom")
]
)
if test -n "$RANDOM_FILE"; then
AC_SUBST([RANDOM_FILE])
AC_DEFINE_UNQUOTED([RANDOM_FILE], ["$RANDOM_FILE"], [Random file path])
fi
else
AC_MSG_WARN([cross-compilation: assuming entropy sources are not available])
fi

AC_MSG_NOTICE([**************************************** default group])
DEFAULT_GROUP=nobody
if test "$cross_compiling" = "no"; then
grep '^nogroup:' /etc/group >/dev/null && DEFAULT_GROUP=nogroup
else
AC_MSG_WARN([cross-compilation: assuming nogroup is not available])
fi
AC_MSG_CHECKING([for default group])
AC_MSG_RESULT([$DEFAULT_GROUP])
AC_SUBST([DEFAULT_GROUP])

AC_MSG_NOTICE([**************************************** header files])
# AC_HEADER_DIRENT
# AC_HEADER_STDC
# AC_HEADER_SYS_WAIT
AC_CHECK_HEADERS([malloc.h ucontext.h pthread.h poll.h tcpd.h stropts.h grp.h unistd.h util.h libutil.h pty.h])
AC_CHECK_HEADERS([sys/types.h sys/select.h sys/poll.h sys/socket.h sys/un.h sys/ioctl.h sys/filio.h sys/resource.h sys/uio.h])
AC_CHECK_MEMBERS([struct msghdr.msg_control],
[AC_DEFINE([HAVE_MSGHDR_MSG_CONTROL], [1],
[Define to 1 if you have 'msghdr.msg_control' structure.])], [], [
AC_INCLUDES_DEFAULT
#include <sys/socket.h>
])
AC_CHECK_HEADERS([linux/netfilter_ipv4.h], , ,
[
#include <limits.h>
#include <linux/types.h>
#include <sys/socket.h>
#include <netdb.h>
])

AC_MSG_NOTICE([**************************************** libraries])
# Checks for standard libraries
AC_SEARCH_LIBS([gethostbyname], [nsl])
AC_SEARCH_LIBS([yp_get_default_domain], [nsl])
AC_SEARCH_LIBS([socket], [socket])
AC_SEARCH_LIBS([openpty], [util])
# Checks for dynamic loader and zlib needed by OpenSSL
AC_SEARCH_LIBS([dlopen], [dl])
AC_SEARCH_LIBS([shl_load], [dld])
AC_SEARCH_LIBS([inflateEnd], [z])

# Add BeOS libraries
if test "$host_os" = "beos"; then
LIBS="$LIBS -lbe -lroot -lbind"
fi

AC_MSG_NOTICE([**************************************** thread model])

checkpthreadlib() { :
# 1. BSD hack: attempt to use alternative libc implementation if available
AC_CHECK_LIB([c_r], [pthread_create],
[
LIBS="$LIBS -pthread"
HAVE_LIBPTHREAD="yes"
AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.])
]
)

# 2. try to use from standard libc (required by Android and possibly other platforms)
AC_CHECK_LIB([c], [pthread_create],
[
HAVE_LIBPTHREAD="yes"
AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.])
]
)

# 3. try libpthread: OSF hack instead of simple AC_CHECK_LIB here
AC_MSG_CHECKING([for pthread_create in -lpthread])
valid_LIBS="$LIBS"
LIBS="$valid_LIBS -lpthread"
AC_LINK_IFELSE(
[AC_LANG_PROGRAM(
[
#include <pthread.h>
],
[
pthread_create((void *)0, (void *)0, (void *)0, (void *)0)
]
)],
[
AC_MSG_RESULT([yes])
HAVE_LIBPTHREAD="yes"
AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.])
], [
AC_MSG_RESULT([no])
LIBS="$valid_LIBS"
]
)
}

AC_ARG_WITH(threads,
[ --with-threads=model select threading model (ucontext/pthread/fork)],
[
case "$withval" in
ucontext)
AC_MSG_NOTICE([UCONTEXT mode selected])
AC_DEFINE([USE_UCONTEXT], [1], [Define to 1 to select UCONTEXT mode])
;;
pthread)
checkpthreadlib
AC_MSG_NOTICE([PTHREAD mode selected])
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
;;
fork)
AC_MSG_NOTICE([FORK mode selected])
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
;;
*)
AC_MSG_ERROR([Unknown thread model \"${withval}\"])
;;
esac
], [
checkpthreadlib
if test "$HAVE_LIBPTHREAD" = "yes" -a "$ac_cv_header_pthread_h" = "yes"; then
AC_MSG_NOTICE([PTHREAD thread model detected])
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
elif test "$ac_cv_func_getcontext" = "yes" -a "$ac_cv_header_ucontext_h" = "yes"; then
AC_MSG_NOTICE([UCONTEXT thread model detected])
AC_DEFINE([USE_UCONTEXT], [1], [Define to 1 to select UCONTEXT mode])
else
AC_MSG_NOTICE([FORK thread model detected])
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
fi
])

AC_MSG_NOTICE([**************************************** library functions])
# safe string operations
AC_CHECK_FUNCS(snprintf vsnprintf)
# pseudoterminal
AC_CHECK_FUNCS(openpty _getpty)
# Unix
AC_CHECK_FUNCS(daemon waitpid wait4 setsid setgroups chroot)
# limits
AC_CHECK_FUNCS(sysconf getrlimit)
# threads/reentrant functions
AC_CHECK_FUNCS(pthread_sigmask localtime_r)
# threads
AC_CHECK_FUNCS(getcontext __makecontext_v2)
# sockets
AC_CHECK_FUNCS(poll gethostbyname2 endhostent getnameinfo)
AC_MSG_CHECKING([for getaddrinfo])
case "$host_os" in
*androideabi*)
# http://stackoverflow.com/questions/7818246/segmentation-fault-in-getaddrinfo
AC_MSG_RESULT([no (buggy Android implementation)])
;;
*)
# Tru64 UNIX has getaddrinfo() but has it renamed in libc as
# something else so we must include <netdb.h> to get the
# redefinition.
AC_LINK_IFELSE(
[AC_LANG_PROGRAM(
[
AC_INCLUDES_DEFAULT
#include <sys/socket.h>
#include <netdb.h>
],
[
getaddrinfo(NULL, NULL, NULL, NULL);
],)],
[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_GETADDRINFO], [1], [Define to 1 if you have 'getaddrinfo' function.])],
[AC_MSG_RESULT([no])])
;;
esac
# poll() is not recommended on Mac OS X <=10.3 and broken on Mac OS X >=10.4
AC_MSG_CHECKING([for broken poll() implementation])
case "$host_os" in
darwin*)
AC_MSG_RESULT([yes (poll() disabled)])
AC_DEFINE([BROKEN_POLL], [1], [Define to 1 if you have a broken 'poll' implementation.])
;;
*)
AC_MSG_RESULT([no])
;;
esac
# GNU extensions
AC_CHECK_FUNCS(pipe2 accept4)

AC_MSG_NOTICE([**************************************** optional features])
# Use IPv6?
AC_MSG_CHECKING([whether to enable IPv6 support])
AC_ARG_ENABLE(ipv6,
[ --enable-ipv6 Enable IPv6 support],
[
case "$enableval" in
yes) AC_MSG_RESULT([yes])
AC_DEFINE([USE_IPv6], [1], [Define to 1 to enable IPv6 support])
;;
no) AC_MSG_RESULT([no])
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([bad value \"${enableval}\"])
;;
esac
],
[AC_MSG_RESULT([yes]); AC_DEFINE([USE_IPv6], [1], [Define to 1 to enable IPv6 support])],
[AC_MSG_RESULT([no])]
)

# Disable use of libwrap (TCP wrappers)
# it should be the last check!
AC_MSG_CHECKING([whether to disable TCP wrappers library support])
AC_ARG_ENABLE(libwrap,
[ --disable-libwrap Disable TCP wrappers library support],
[
case "$enableval" in
yes) AC_MSG_RESULT([no])
AC_DEFINE([HAVE_LIBWRAP], [1], [Define to 1 if you have 'libwrap' library.])
LIBS="$LIBS -lwrap"
;;
no) AC_MSG_RESULT([yes])
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([Bad value \"${enableval}\"])
;;
esac
],
[
AC_MSG_RESULT([autodetecting])
AC_MSG_CHECKING([for hosts_access in -lwrap])
valid_LIBS="$LIBS"
LIBS="$valid_LIBS -lwrap"
AC_LINK_IFELSE(
[AC_LANG_PROGRAM(
[
int hosts_access(); int allow_severity, deny_severity;
],
[
hosts_access()
]
)],
[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_LIBWRAP], [1], [Define to 1 if you have 'libwrap' library.])],
[AC_MSG_RESULT([no]); LIBS="$valid_LIBS"]
)
]
)

# FIPS Mode
AC_MSG_CHECKING([whether to enable FIPS mode support])
AC_ARG_ENABLE(fips,
[ --enable-fips Enable OpenSSL FIPS mode],
[
case "$enableval" in
yes) AC_MSG_RESULT([yes])
sub_dirs="/ssl/fips /ssl/fips-1.0 /"
fips="yes"
AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS mode])
;;
no) AC_MSG_RESULT([no])
sub_dirs="/ssl /openssl /"
fips="no"
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([bad value \"${enableval}\"])
;;
esac
],
[
sub_dirs="/ssl/fips /ssl/fips-1.0 /ssl /openssl /"
fips="auto"
AC_MSG_RESULT([autodetecting])
]
)

AC_MSG_NOTICE([**************************************** SSL])
check_ssl_dir() { :
SSLDIR="$1"
if test -f "$1/include/openssl/ssl.h"; then
return 0
fi
return 1
}

# Check for SSL directory
AC_MSG_CHECKING([for SSL directory])
AC_ARG_WITH(ssl,
[ --with-ssl=DIR location of installed SSL libraries/include files],
[
check_ssl_dir "$withval"
],
[
for main_dir in /usr/local /usr/lib /usr/pkg /opt/local /opt /usr; do
for sub_dir in $sub_dirs; do
check_ssl_dir "$main_dir$sub_dir" && break 2
done
done
]
)
if test ! -d "$SSLDIR"; then
AC_MSG_RESULT([not found])
AC_MSG_ERROR([
Couldn't find your SSL library installation dir
Use --with-ssl option to fix this problem
])
fi
AC_MSG_RESULT([$SSLDIR])
AC_SUBST([SSLDIR])
AC_DEFINE_UNQUOTED([SSLDIR], ["$SSLDIR"], [SSL directory])

valid_CPPFLAGS="$CPPFLAGS"; CPPFLAGS="$CPPFLAGS -I$SSLDIR/include"
valid_LIBS="$LIBS"; LIBS="$LIBS -L$SSLDIR/lib64 -L$SSLDIR/lib -lssl -lcrypto"

AC_CHECK_HEADER([$SSLDIR/include/openssl/engine.h],
[AC_DEFINE([HAVE_OSSL_ENGINE_H], [1], [Define to 1 if you have <engine.h> header file.])],
[AC_MSG_WARN([OpenSSL engine header not found])])
|
|
||||||
|
AC_CHECK_HEADER([$SSLDIR/include/openssl/ocsp.h],
|
||||||
|
[AC_DEFINE([HAVE_OSSL_OCSP_H], [1], [Define to 1 if you have <ocsp.h> header file.])],
|
||||||
|
[AC_MSG_WARN([OpenSSL ocsp header not found])])
|
||||||
|
|
||||||
|
AC_MSG_CHECKING([for FIPS_mode_set])
|
||||||
|
if test "$fips" = "auto"; then
|
||||||
|
AC_LINK_IFELSE(
|
||||||
|
[AC_LANG_PROGRAM(
|
||||||
|
[
|
||||||
|
#include <openssl/fips.h>
|
||||||
|
],
|
||||||
|
[
|
||||||
|
FIPS_mode_set(1);
|
||||||
|
],
|
||||||
|
)],
|
||||||
|
[AC_MSG_RESULT([yes])
|
||||||
|
AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS mode.])
|
||||||
|
], [
|
||||||
|
AC_MSG_RESULT([no])
|
||||||
|
]
|
||||||
|
)
|
||||||
|
else
|
||||||
|
AC_MSG_RESULT([test skipped])
|
||||||
|
fi
|
||||||
|
|
||||||
|
CPPFLAGS="$valid_CPPFLAGS"
|
||||||
|
LIBS="$valid_LIBS"
|
||||||
|
|
||||||
|
AC_MSG_NOTICE([**************************************** write the results])
|
||||||
|
AC_CONFIG_FILES([Makefile src/Makefile src/stunnel3 doc/Makefile tools/Makefile tools/stunnel.conf-sample tools/stunnel.init tools/stunnel.service])
|
||||||
|
AC_OUTPUT
|
||||||
|
|
||||||
|
AC_MSG_NOTICE([**************************************** success])
|
||||||
|
# End of configure.ac
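Review bot: the SSL directory search can never reach its own "not found" error, because check_ssl_dir assigns SSLDIR="$1" before it tests for include/openssl/ssl.h. When every candidate fails, SSLDIR is left at the last pair tried (main_dir /usr, sub_dir /), which exists as a directory, so `if test ! -d "$SSLDIR"` passes and configure prints that directory as the result even though it holds no OpenSSL headers; the same happens with --with-ssl=DIR, whose check_ssl_dir return value is discarded. Suggest assigning SSLDIR only on success (or re-testing `$SSLDIR/include/openssl/ssl.h` after the loops) so a missing or wrong library path stops configure instead of surfacing later as a build against whatever -I/-L paths happen to resolve. Two related asymmetries in the same hunk: `--enable-libwrap` defines HAVE_LIBWRAP and appends -lwrap without the AC_LINK_IFELSE probe that the autodetect branch runs, and `--enable-fips` defines USE_FIPS while the FIPS_mode_set probe is reported as "test skipped", so in both explicit cases a missing library or API is only discovered at link time rather than by configure.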
|
21
doc/Makefile.am
Normal file
@ -0,0 +1,21 @@
## Process this file with automake to produce Makefile.in
|
||||||
|
|
||||||
|
EXTRA_DIST = stunnel.pod stunnel.pl.pod stunnel.fr.pod \
|
||||||
|
stunnel.8 stunnel.pl.8 stunnel.fr.8 \
|
||||||
|
stunnel.html stunnel.pl.html stunnel.fr.html en pl
|
||||||
|
|
||||||
|
man_MANS = stunnel.8 stunnel.pl.8 stunnel.fr.8
|
||||||
|
|
||||||
|
docdir = $(datadir)/doc/stunnel
|
||||||
|
doc_DATA = stunnel.html stunnel.pl.html stunnel.fr.html
|
||||||
|
|
||||||
|
SUFFIXES = .pod .8 .html
|
||||||
|
|
||||||
|
.pod.8:
|
||||||
|
pod2man -u --section=8 --release=$(VERSION) --center=stunnel \
|
||||||
|
--date=`date +%Y.%m.%d` $< $@
|
||||||
|
|
||||||
|
.pod.html:
|
||||||
|
pod2html --noindex --title stunnel.8 --infile=$< --outfile=$@
|
||||||
|
rm -f pod2htmd.tmp pod2htmi.tmp
|
||||||
|
|
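Review bot: `docdir = $(datadir)/doc/stunnel` redefines a directory variable that configure already provides (it becomes `docdir = @docdir@` in generated Makefiles), so a packager's `--docdir` is silently ignored for the HTML files; suggest dropping the assignment, or using a distinct name such as a `stunneldocdir` primary, if the fixed location is intended. In the `.pod.8` rule, `--date=\`date +%Y.%m.%d\`` stamps the build date into every generated man page, which makes rebuilds of the same release differ byte-for-byte; a fixed date tied to the release would keep the output reproducible.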
478
doc/Makefile.in
Normal file
@ -0,0 +1,478 @@
# Makefile.in generated by automake 1.11.1 from Makefile.am.
|
||||||
|
# @configure_input@
|
||||||
|
|
||||||
|
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
|
||||||
|
# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
|
||||||
|
# Inc.
|
||||||
|
# This Makefile.in is free software; the Free Software Foundation
|
||||||
|
# gives unlimited permission to copy and/or distribute it,
|
||||||
|
# with or without modifications, as long as this notice is preserved.
|
||||||
|
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
|
||||||
|
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
|
||||||
|
# PARTICULAR PURPOSE.
|
||||||
|
|
||||||
|
@SET_MAKE@
|
||||||
|
|
||||||
|
VPATH = @srcdir@
|
||||||
|
pkgdatadir = $(datadir)/@PACKAGE@
|
||||||
|
pkgincludedir = $(includedir)/@PACKAGE@
|
||||||
|
pkglibdir = $(libdir)/@PACKAGE@
|
||||||
|
pkglibexecdir = $(libexecdir)/@PACKAGE@
|
||||||
|
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
|
||||||
|
install_sh_DATA = $(install_sh) -c -m 644
|
||||||
|
install_sh_PROGRAM = $(install_sh) -c
|
||||||
|
install_sh_SCRIPT = $(install_sh) -c
|
||||||
|
INSTALL_HEADER = $(INSTALL_DATA)
|
||||||
|
transform = $(program_transform_name)
|
||||||
|
NORMAL_INSTALL = :
|
||||||
|
PRE_INSTALL = :
|
||||||
|
POST_INSTALL = :
|
||||||
|
NORMAL_UNINSTALL = :
|
||||||
|
PRE_UNINSTALL = :
|
||||||
|
POST_UNINSTALL = :
|
||||||
|
build_triplet = @build@
|
||||||
|
host_triplet = @host@
|
||||||
|
subdir = doc
|
||||||
|
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
|
||||||
|
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
|
||||||
|
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
|
||||||
|
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
|
||||||
|
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
|
||||||
|
$(top_srcdir)/configure.ac
|
||||||
|
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
|
||||||
|
$(ACLOCAL_M4)
|
||||||
|
mkinstalldirs = $(install_sh) -d
|
||||||
|
CONFIG_HEADER = $(top_builddir)/src/config.h
|
||||||
|
CONFIG_CLEAN_FILES =
|
||||||
|
CONFIG_CLEAN_VPATH_FILES =
|
||||||
|
SOURCES =
|
||||||
|
DIST_SOURCES =
|
||||||
|
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
|
||||||
|
am__vpath_adj = case $$p in \
|
||||||
|
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
|
||||||
|
*) f=$$p;; \
|
||||||
|
esac;
|
||||||
|
am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
|
||||||
|
am__install_max = 40
|
||||||
|
am__nobase_strip_setup = \
|
||||||
|
srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
|
||||||
|
am__nobase_strip = \
|
||||||
|
for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
|
||||||
|
am__nobase_list = $(am__nobase_strip_setup); \
|
||||||
|
for p in $$list; do echo "$$p $$p"; done | \
|
||||||
|
sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
|
||||||
|
$(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
|
||||||
|
if (++n[$$2] == $(am__install_max)) \
|
||||||
|
{ print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
|
||||||
|
END { for (dir in files) print dir, files[dir] }'
|
||||||
|
am__base_list = \
|
||||||
|
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
|
||||||
|
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
|
||||||
|
man8dir = $(mandir)/man8
|
||||||
|
am__installdirs = "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(docdir)"
|
||||||
|
NROFF = nroff
|
||||||
|
MANS = $(man_MANS)
|
||||||
|
DATA = $(doc_DATA)
|
||||||
|
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
|
||||||
|
ACLOCAL = @ACLOCAL@
|
||||||
|
AMTAR = @AMTAR@
|
||||||
|
AR = @AR@
|
||||||
|
AUTOCONF = @AUTOCONF@
|
||||||
|
AUTOHEADER = @AUTOHEADER@
|
||||||
|
AUTOMAKE = @AUTOMAKE@
|
||||||
|
AWK = @AWK@
|
||||||
|
CC = @CC@
|
||||||
|
CCDEPMODE = @CCDEPMODE@
|
||||||
|
CFLAGS = @CFLAGS@
|
||||||
|
CPP = @CPP@
|
||||||
|
CPPFLAGS = @CPPFLAGS@
|
||||||
|
CYGPATH_W = @CYGPATH_W@
|
||||||
|
DEFAULT_GROUP = @DEFAULT_GROUP@
|
||||||
|
DEFS = @DEFS@
|
||||||
|
DEPDIR = @DEPDIR@
|
||||||
|
DSYMUTIL = @DSYMUTIL@
|
||||||
|
DUMPBIN = @DUMPBIN@
|
||||||
|
ECHO_C = @ECHO_C@
|
||||||
|
ECHO_N = @ECHO_N@
|
||||||
|
ECHO_T = @ECHO_T@
|
||||||
|
EGREP = @EGREP@
|
||||||
|
EXEEXT = @EXEEXT@
|
||||||
|
FGREP = @FGREP@
|
||||||
|
GREP = @GREP@
|
||||||
|
INSTALL = @INSTALL@
|
||||||
|
INSTALL_DATA = @INSTALL_DATA@
|
||||||
|
INSTALL_PROGRAM = @INSTALL_PROGRAM@
|
||||||
|
INSTALL_SCRIPT = @INSTALL_SCRIPT@
|
||||||
|
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
|
||||||
|
LD = @LD@
|
||||||
|
LDFLAGS = @LDFLAGS@
|
||||||
|
LIBOBJS = @LIBOBJS@
|
||||||
|
LIBS = @LIBS@
|
||||||
|
LIBTOOL = @LIBTOOL@
|
||||||
|
LIBTOOL_DEPS = @LIBTOOL_DEPS@
|
||||||
|
LIPO = @LIPO@
|
||||||
|
LN_S = @LN_S@
|
||||||
|
LTLIBOBJS = @LTLIBOBJS@
|
||||||
|
MAKEINFO = @MAKEINFO@
|
||||||
|
MKDIR_P = @MKDIR_P@
|
||||||
|
NM = @NM@
|
||||||
|
NMEDIT = @NMEDIT@
|
||||||
|
OBJDUMP = @OBJDUMP@
|
||||||
|
OBJEXT = @OBJEXT@
|
||||||
|
OTOOL = @OTOOL@
|
||||||
|
OTOOL64 = @OTOOL64@
|
||||||
|
PACKAGE = @PACKAGE@
|
||||||
|
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
|
||||||
|
PACKAGE_NAME = @PACKAGE_NAME@
|
||||||
|
PACKAGE_STRING = @PACKAGE_STRING@
|
||||||
|
PACKAGE_TARNAME = @PACKAGE_TARNAME@
|
||||||
|
PACKAGE_URL = @PACKAGE_URL@
|
||||||
|
PACKAGE_VERSION = @PACKAGE_VERSION@
|
||||||
|
PATH_SEPARATOR = @PATH_SEPARATOR@
|
||||||
|
RANDOM_FILE = @RANDOM_FILE@
|
||||||
|
RANLIB = @RANLIB@
|
||||||
|
SED = @SED@
|
||||||
|
SET_MAKE = @SET_MAKE@
|
||||||
|
SHELL = @SHELL@
|
||||||
|
SSLDIR = @SSLDIR@
|
||||||
|
STRIP = @STRIP@
|
||||||
|
VERSION = @VERSION@
|
||||||
|
abs_builddir = @abs_builddir@
|
||||||
|
abs_srcdir = @abs_srcdir@
|
||||||
|
abs_top_builddir = @abs_top_builddir@
|
||||||
|
abs_top_srcdir = @abs_top_srcdir@
|
||||||
|
ac_ct_CC = @ac_ct_CC@
|
||||||
|
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
|
||||||
|
am__include = @am__include@
|
||||||
|
am__leading_dot = @am__leading_dot@
|
||||||
|
am__quote = @am__quote@
|
||||||
|
am__tar = @am__tar@
|
||||||
|
am__untar = @am__untar@
|
||||||
|
bindir = @bindir@
|
||||||
|
build = @build@
|
||||||
|
build_alias = @build_alias@
|
||||||
|
build_cpu = @build_cpu@
|
||||||
|
build_os = @build_os@
|
||||||
|
build_vendor = @build_vendor@
|
||||||
|
builddir = @builddir@
|
||||||
|
datadir = @datadir@
|
||||||
|
datarootdir = @datarootdir@
|
||||||
|
docdir = $(datadir)/doc/stunnel
|
||||||
|
dvidir = @dvidir@
|
||||||
|
exec_prefix = @exec_prefix@
|
||||||
|
host = @host@
|
||||||
|
host_alias = @host_alias@
|
||||||
|
host_cpu = @host_cpu@
|
||||||
|
host_os = @host_os@
|
||||||
|
host_vendor = @host_vendor@
|
||||||
|
htmldir = @htmldir@
|
||||||
|
includedir = @includedir@
|
||||||
|
infodir = @infodir@
|
||||||
|
install_sh = @install_sh@
|
||||||
|
libdir = @libdir@
|
||||||
|
libexecdir = @libexecdir@
|
||||||
|
localedir = @localedir@
|
||||||
|
localstatedir = @localstatedir@
|
||||||
|
lt_ECHO = @lt_ECHO@
|
||||||
|
mandir = @mandir@
|
||||||
|
mkdir_p = @mkdir_p@
|
||||||
|
oldincludedir = @oldincludedir@
|
||||||
|
pdfdir = @pdfdir@
|
||||||
|
prefix = @prefix@
|
||||||
|
program_transform_name = @program_transform_name@
|
||||||
|
psdir = @psdir@
|
||||||
|
sbindir = @sbindir@
|
||||||
|
sharedstatedir = @sharedstatedir@
|
||||||
|
srcdir = @srcdir@
|
||||||
|
stunnel_CFLAGS = @stunnel_CFLAGS@
|
||||||
|
stunnel_LDFLAGF = @stunnel_LDFLAGF@
|
||||||
|
stunnel_LDFLAGS = @stunnel_LDFLAGS@
|
||||||
|
sysconfdir = @sysconfdir@
|
||||||
|
target_alias = @target_alias@
|
||||||
|
top_build_prefix = @top_build_prefix@
|
||||||
|
top_builddir = @top_builddir@
|
||||||
|
top_srcdir = @top_srcdir@
|
||||||
|
EXTRA_DIST = stunnel.pod stunnel.pl.pod stunnel.fr.pod \
|
||||||
|
stunnel.8 stunnel.pl.8 stunnel.fr.8 \
|
||||||
|
stunnel.html stunnel.pl.html stunnel.fr.html en pl
|
||||||
|
|
||||||
|
man_MANS = stunnel.8 stunnel.pl.8 stunnel.fr.8
|
||||||
|
doc_DATA = stunnel.html stunnel.pl.html stunnel.fr.html
|
||||||
|
SUFFIXES = .pod .8 .html
|
||||||
|
all: all-am
|
||||||
|
|
||||||
|
.SUFFIXES:
|
||||||
|
.SUFFIXES: .pod .8 .html
|
||||||
|
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
|
||||||
|
@for dep in $?; do \
|
||||||
|
case '$(am__configure_deps)' in \
|
||||||
|
*$$dep*) \
|
||||||
|
( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
|
||||||
|
&& { if test -f $@; then exit 0; else break; fi; }; \
|
||||||
|
exit 1;; \
|
||||||
|
esac; \
|
||||||
|
done; \
|
||||||
|
echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/Makefile'; \
|
||||||
|
$(am__cd) $(top_srcdir) && \
|
||||||
|
$(AUTOMAKE) --gnu doc/Makefile
|
||||||
|
.PRECIOUS: Makefile
|
||||||
|
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
|
||||||
|
@case '$?' in \
|
||||||
|
*config.status*) \
|
||||||
|
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
|
||||||
|
*) \
|
||||||
|
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
|
||||||
|
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
|
||||||
|
esac;
|
||||||
|
|
||||||
|
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
|
||||||
|
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
|
||||||
|
|
||||||
|
$(top_srcdir)/configure: $(am__configure_deps)
|
||||||
|
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
|
||||||
|
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
|
||||||
|
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
|
||||||
|
$(am__aclocal_m4_deps):
|
||||||
|
|
||||||
|
mostlyclean-libtool:
|
||||||
|
-rm -f *.lo
|
||||||
|
|
||||||
|
clean-libtool:
|
||||||
|
-rm -rf .libs _libs
|
||||||
|
install-man8: $(man_MANS)
|
||||||
|
@$(NORMAL_INSTALL)
|
||||||
|
test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
|
||||||
|
@list=''; test -n "$(man8dir)" || exit 0; \
|
||||||
|
{ for i in $$list; do echo "$$i"; done; \
|
||||||
|
l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
|
||||||
|
sed -n '/\.8[a-z]*$$/p'; \
|
||||||
|
} | while read p; do \
|
||||||
|
if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
|
||||||
|
echo "$$d$$p"; echo "$$p"; \
|
||||||
|
done | \
|
||||||
|
sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
|
||||||
|
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
|
||||||
|
sed 'N;N;s,\n, ,g' | { \
|
||||||
|
list=; while read file base inst; do \
|
||||||
|
if test "$$base" = "$$inst"; then list="$$list $$file"; else \
|
||||||
|
echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
|
||||||
|
$(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
|
||||||
|
fi; \
|
||||||
|
done; \
|
||||||
|
for i in $$list; do echo "$$i"; done | $(am__base_list) | \
|
||||||
|
while read files; do \
|
||||||
|
test -z "$$files" || { \
|
||||||
|
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
|
||||||
|
$(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
|
||||||
|
done; }
|
||||||
|
|
||||||
|
uninstall-man8:
|
||||||
|
@$(NORMAL_UNINSTALL)
|
||||||
|
@list=''; test -n "$(man8dir)" || exit 0; \
|
||||||
|
files=`{ for i in $$list; do echo "$$i"; done; \
|
||||||
|
l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
|
||||||
|
sed -n '/\.8[a-z]*$$/p'; \
|
||||||
|
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
|
||||||
|
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
|
||||||
|
test -z "$$files" || { \
|
||||||
|
echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
|
||||||
|
cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
|
||||||
|
install-docDATA: $(doc_DATA)
|
||||||
|
@$(NORMAL_INSTALL)
|
||||||
|
test -z "$(docdir)" || $(MKDIR_P) "$(DESTDIR)$(docdir)"
|
||||||
|
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
|
||||||
|
for p in $$list; do \
|
||||||
|
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
|
||||||
|
echo "$$d$$p"; \
|
||||||
|
done | $(am__base_list) | \
|
||||||
|
while read files; do \
|
||||||
|
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \
|
||||||
|
$(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \
|
||||||
|
done
|
||||||
|
|
||||||
|
uninstall-docDATA:
|
||||||
|
@$(NORMAL_UNINSTALL)
|
||||||
|
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
|
||||||
|
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
|
||||||
|
test -n "$$files" || exit 0; \
|
||||||
|
echo " ( cd '$(DESTDIR)$(docdir)' && rm -f" $$files ")"; \
|
||||||
|
cd "$(DESTDIR)$(docdir)" && rm -f $$files
|
||||||
|
tags: TAGS
|
||||||
|
TAGS:
|
||||||
|
|
||||||
|
ctags: CTAGS
|
||||||
|
CTAGS:
|
||||||
|
|
||||||
|
|
||||||
|
distdir: $(DISTFILES)
|
||||||
|
@list='$(MANS)'; if test -n "$$list"; then \
|
||||||
|
list=`for p in $$list; do \
|
||||||
|
if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
|
||||||
|
if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
|
||||||
|
if test -n "$$list" && \
|
||||||
|
grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
|
||||||
|
echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
|
||||||
|
grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \
|
||||||
|
echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \
|
||||||
|
echo " typically \`make maintainer-clean' will remove them" >&2; \
|
||||||
|
exit 1; \
|
||||||
|
else :; fi; \
|
||||||
|
else :; fi
|
||||||
|
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
|
||||||
|
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
|
||||||
|
list='$(DISTFILES)'; \
|
||||||
|
dist_files=`for file in $$list; do echo $$file; done | \
|
||||||
|
sed -e "s|^$$srcdirstrip/||;t" \
|
||||||
|
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
|
||||||
|
case $$dist_files in \
|
||||||
|
*/*) $(MKDIR_P) `echo "$$dist_files" | \
|
||||||
|
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
|
||||||
|
sort -u` ;; \
|
||||||
|
esac; \
|
||||||
|
for file in $$dist_files; do \
|
||||||
|
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
|
||||||
|
if test -d $$d/$$file; then \
|
||||||
|
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
|
||||||
|
if test -d "$(distdir)/$$file"; then \
|
||||||
|
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
|
||||||
|
fi; \
|
||||||
|
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
|
||||||
|
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
|
||||||
|
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
|
||||||
|
fi; \
|
||||||
|
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
|
||||||
|
else \
|
||||||
|
test -f "$(distdir)/$$file" \
|
||||||
|
|| cp -p $$d/$$file "$(distdir)/$$file" \
|
||||||
|
|| exit 1; \
|
||||||
|
fi; \
|
||||||
|
done
|
||||||
|
check-am: all-am
|
||||||
|
check: check-am
|
||||||
|
all-am: Makefile $(MANS) $(DATA)
|
||||||
|
installdirs:
|
||||||
|
for dir in "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(docdir)"; do \
|
||||||
|
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
|
||||||
|
done
|
||||||
|
install: install-am
|
||||||
|
install-exec: install-exec-am
|
||||||
|
install-data: install-data-am
|
||||||
|
uninstall: uninstall-am
|
||||||
|
|
||||||
|
install-am: all-am
|
||||||
|
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
|
||||||
|
|
||||||
|
installcheck: installcheck-am
|
||||||
|
install-strip:
|
||||||
|
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
|
||||||
|
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
|
||||||
|
`test -z '$(STRIP)' || \
|
||||||
|
echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
|
||||||
|
mostlyclean-generic:
|
||||||
|
|
||||||
|
clean-generic:
|
||||||
|
|
||||||
|
distclean-generic:
|
||||||
|
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
|
||||||
|
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
|
||||||
|
|
||||||
|
maintainer-clean-generic:
|
||||||
|
@echo "This command is intended for maintainers to use"
|
||||||
|
@echo "it deletes files that may require special tools to rebuild."
|
||||||
|
clean: clean-am
|
||||||
|
|
||||||
|
clean-am: clean-generic clean-libtool mostlyclean-am
|
||||||
|
|
||||||
|
distclean: distclean-am
|
||||||
|
-rm -f Makefile
|
||||||
|
distclean-am: clean-am distclean-generic
|
||||||
|
|
||||||
|
dvi: dvi-am
|
||||||
|
|
||||||
|
dvi-am:
|
||||||
|
|
||||||
|
html: html-am
|
||||||
|
|
||||||
|
html-am:
|
||||||
|
|
||||||
|
info: info-am
|
||||||
|
|
||||||
|
info-am:
|
||||||
|
|
||||||
|
install-data-am: install-docDATA install-man
|
||||||
|
|
||||||
|
install-dvi: install-dvi-am
|
||||||
|
|
||||||
|
install-dvi-am:
|
||||||
|
|
||||||
|
install-exec-am:
|
||||||
|
|
||||||
|
install-html: install-html-am
|
||||||
|
|
||||||
|
install-html-am:
|
||||||
|
|
||||||
|
install-info: install-info-am
|
||||||
|
|
||||||
|
install-info-am:
|
||||||
|
|
||||||
|
install-man: install-man8
|
||||||
|
|
||||||
|
install-pdf: install-pdf-am
|
||||||
|
|
||||||
|
install-pdf-am:
|
||||||
|
|
||||||
|
install-ps: install-ps-am
|
||||||
|
|
||||||
|
install-ps-am:
|
||||||
|
|
||||||
|
installcheck-am:
|
||||||
|
|
||||||
|
maintainer-clean: maintainer-clean-am
|
||||||
|
-rm -f Makefile
|
||||||
|
maintainer-clean-am: distclean-am maintainer-clean-generic
|
||||||
|
|
||||||
|
mostlyclean: mostlyclean-am
|
||||||
|
|
||||||
|
mostlyclean-am: mostlyclean-generic mostlyclean-libtool
|
||||||
|
|
||||||
|
pdf: pdf-am
|
||||||
|
|
||||||
|
pdf-am:
|
||||||
|
|
||||||
|
ps: ps-am
|
||||||
|
|
||||||
|
ps-am:
|
||||||
|
|
||||||
|
uninstall-am: uninstall-docDATA uninstall-man
|
||||||
|
|
||||||
|
uninstall-man: uninstall-man8
|
||||||
|
|
||||||
|
.MAKE: install-am install-strip
|
||||||
|
|
||||||
|
.PHONY: all all-am check check-am clean clean-generic clean-libtool \
|
||||||
|
distclean distclean-generic distclean-libtool distdir dvi \
|
||||||
|
dvi-am html html-am info info-am install install-am \
|
||||||
|
install-data install-data-am install-docDATA install-dvi \
|
||||||
|
install-dvi-am install-exec install-exec-am install-html \
|
||||||
|
install-html-am install-info install-info-am install-man \
|
||||||
|
install-man8 install-pdf install-pdf-am install-ps \
|
||||||
|
install-ps-am install-strip installcheck installcheck-am \
|
||||||
|
installdirs maintainer-clean maintainer-clean-generic \
|
||||||
|
mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
|
||||||
|
ps ps-am uninstall uninstall-am uninstall-docDATA \
|
||||||
|
uninstall-man uninstall-man8
|
||||||
|
|
||||||
|
|
||||||
|
.pod.8:
|
||||||
|
pod2man -u --section=8 --release=$(VERSION) --center=stunnel \
|
||||||
|
--date=`date +%Y.%m.%d` $< $@
|
||||||
|
|
||||||
|
.pod.html:
|
||||||
|
pod2html --noindex --title stunnel.8 --infile=$< --outfile=$@
|
||||||
|
rm -f pod2htmd.tmp pod2htmi.tmp
|
||||||
|
|
||||||
|
# Tell versions [3.59,3.63) of GNU make to not export all variables.
|
||||||
|
# Otherwise a system limit (for SysV at least) may be exceeded.
|
||||||
|
.NOEXPORT:
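Review bot: `stunnel_LDFLAGF = @stunnel_LDFLAGF@` directly above `stunnel_LDFLAGS = @stunnel_LDFLAGS@` looks like a misspelled AC_SUBST carried over from configure.ac; nothing in this Makefile uses stunnel_LDFLAGF, so it should be removed at its source rather than left as a second substitution. Note also that this file is generated by automake 1.11.1 from Makefile.am (header comment at the top of the hunk), so the `docdir` override and the `.pod.8` date stamp discussed for Makefile.am are duplicated here and must be regenerated, not hand-edited, whenever Makefile.am changes.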
|
190
doc/en/VNC_StunnelHOWTO.html
Normal file
@ -0,0 +1,190 @@
<!-- saved from url=(0022)http://internet.e-mail -->
|
||||||
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
||||||
|
<HTML>
|
||||||
|
<HEAD>
|
||||||
|
<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=iso-8859-1">
|
||||||
|
<TITLE></TITLE>
|
||||||
|
<META NAME="GENERATOR" CONTENT="StarOffice/5.2 (Win32)">
|
||||||
|
<META NAME="CREATED" CONTENT="20010220;7501784">
|
||||||
|
<META NAME="CHANGED" CONTENT="16010101;0">
|
||||||
|
<STYLE>
|
||||||
|
<!--
|
||||||
|
@page { margin: 2cm }
|
||||||
|
-->
|
||||||
|
</STYLE>
|
||||||
|
</HEAD>
|
||||||
|
<BODY>
|
||||||
|
<P ALIGN=CENTER STYLE="margin-bottom: 0cm"><FONT SIZE=4 STYLE="font-size: 16pt"><U><B>VNC
|
||||||
|
over STUNNEL with a Linux server and Windows 2000 client HOWTO</B></U></FONT></P>
|
||||||
|
<P ALIGN=CENTER STYLE="margin-bottom: 0cm"><BR>
|
||||||
|
</P>
|
||||||
|
<P STYLE="margin-bottom: 0cm">19 February 2001</P>
|
||||||
|
<P STYLE="margin-bottom: 0cm">ver 1.0</P>
|
||||||
|
<P STYLE="margin-bottom: 0cm">by Craig Furter and Arno van der Walt</P>
|
||||||
|
<P STYLE="margin-bottom: 0cm">contact us at <A HREF="mailto:cfurter@vexen.co.za">cfurter@vexen.co.za</A>
|
||||||
|
and <A HREF="mailto:arnovdw@mycomax.com">arnovdw@mycomax.com</A></P>
|
||||||
|
<P STYLE="margin-bottom: 0cm"><BR>
|
||||||
|
</P>
|
||||||
|
<P STYLE="margin-bottom: 0cm"><BR>
|
||||||
|
</P>
|
||||||
|
<P STYLE="margin-bottom: 0cm">We assume that you have already
|
||||||
|
downloaded VNCServer and VNCViewer.</P>
|
||||||
|
<P STYLE="margin-bottom: 0cm"><BR>
|
||||||
|
</P>
|
||||||
|
<P STYLE="margin-bottom: 0cm">First of all there is a step by step
|
||||||
|
HOWTO and then we'll look at the theory behind all this.</P>
|
||||||
|
<P STYLE="margin-bottom: 0cm"><BR>
|
||||||
|
</P>
|
||||||
|
<OL>
|
||||||
|
<LI><P STYLE="margin-bottom: 0cm">Download and install openSSL,
|
||||||
|
SSLEay, and Stunnel on the Linux/Unix box. Download the modules.</P>
|
||||||
|
</OL>
|
||||||
|
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">a)
|
||||||
|
[root@anthrax$]gunzip openssl-x.xx.tar.gz (repeat for all 3 the
|
||||||
|
modules)</P>
|
||||||
|
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">b)
|
||||||
|
[root@anthrax$]tar – xvf openssl-x.xx.tar (repeat for all 3 the
|
||||||
|
modules)</P>
|
||||||
|
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
|
||||||
|
</P>
|
||||||
|
<OL>
|
||||||
|
<LI><P STYLE="margin-bottom: 0cm">Copy the following to Notepad and
|
||||||
|
save the file as VNCRegEdit.REG on the Windows 2000 box</P>
|
||||||
|
</OL>
|
||||||
|
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">--cut here and copy
|
||||||
|
to VNCRegEdit.REG the double click file to
|
||||||
|
import--<BR>REGEDIT4<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3]<BR>AllowLoopback=dword:00000001<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\Default]<BR>AllowLoopback=dword:00000001<BR>--stop
|
||||||
|
here--<BR><BR>
|
||||||
|
</P>
|
||||||
|
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
|
||||||
|
</P>
|
||||||
|
<OL>
|
||||||
|
<LI><P STYLE="margin-bottom: 0cm">Install Stunnel on the Windows
|
||||||
|
2000 machine by copying the following files to your \WINNT\SYSTEM32\
|
||||||
|
directory</P>
|
||||||
|
</OL>
|
||||||
|
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">a)libeay32.dll</P>
|
||||||
|
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">b)libssl.dll</P>
|
||||||
|
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">c)stunnel.pem</P>
|
||||||
|
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
|
||||||
|
</P>
|
||||||
|
<OL>
|
||||||
|
<LI><P STYLE="margin-bottom: 0cm">On the Linux box execute the
|
||||||
|
following command as root and let it run in its own terminal.</P>
|
||||||
|
</OL>
|
||||||
|
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">./stunnel -d 5900
|
||||||
|
-r 5901</P>
|
||||||
|
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
|
||||||
|
</P>
|
||||||
|
<OL>
|
||||||
|
<LI><P STYLE="margin-bottom: 0cm">Execute vncserver (it should run
|
||||||
|
as display:1 when you execute the ps aux |grep vnc command)</P>
|
||||||
|
</OL>
|
||||||
|
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
|
||||||
|
</P>
|
||||||
|
<OL>
|
||||||
|
<LI><P STYLE="margin-bottom: 0cm">Now on the Windows 2000 machine
|
||||||
|
execute the following command and let it run in its own terminal.</P>
|
||||||
|
</OL>
|
||||||
|
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">stunnel -d 5900 -r
|
||||||
|
unix.ip.adress:5900 -c</P>
|
||||||
|
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">.</P>
|
||||||
|
<OL>
|
||||||
|
<LI><P STYLE="margin-bottom: 0cm">And on the Windows 2000 machine
|
||||||
|
open VNCviewer and connect to localhost specifying no display</P>
|
||||||
|
</OL>
|
||||||
|
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">ie. 10.10.1.53 in
|
||||||
|
the window</P>
|
||||||
|
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
|
||||||
|
</P>
|
||||||
|
<OL>
|
||||||
|
<LI><P STYLE="margin-bottom: 0cm">For each additional display repeat
|
||||||
|
steps 4 – 6 and increment the specified ports with 2 ie. The
|
||||||
|
Linux command will look as follows:</P>
|
||||||
|
</OL>
|
||||||
|
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"> ./stunnel -d 5902
|
||||||
|
-r 5903
|
||||||
|
</P>
|
||||||
|
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">and the Windows
|
||||||
|
2000 command as follows:
|
||||||
|
</P>
|
||||||
|
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">stunnel -d 5902 -r
|
||||||
|
unix.ip.adress:5902</P>
|
||||||
|
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">and remember to
|
||||||
|
start another vncserver on the Linux box for each VNC display</P>
|
||||||
|
<P STYLE="margin-bottom: 0cm"><BR>
|
||||||
|
</P>
|
||||||
|
<P STYLE="margin-bottom: 0cm"><BR>
|
||||||
|
</P>
|
||||||
|
<OL>
|
||||||
|
<LI><P STYLE="margin-bottom: 0cm">The display number on the
|
||||||
|
vncviewer must also be incremented with two ie:</P>
|
||||||
|
</OL>
|
||||||
|
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">10.10.1.53:2 etc.</P>
|
||||||
|
<P STYLE="margin-bottom: 0cm"><BR>
|
||||||
|
</P>
|
||||||
|
<P STYLE="margin-bottom: 0cm"><FONT SIZE=4><U>The THEORY</U></FONT></P>
|
||||||
|
<P STYLE="margin-bottom: 0cm"><BR>
|
||||||
|
</P>
|
||||||
|
<P STYLE="margin-bottom: 0cm"><U>Tunneling:</U></P>
|
||||||
|
<P STYLE="margin-bottom: 0cm"><BR>
|
</P>
<P STYLE="margin-bottom: 0cm">What this means is that software
(daemon) runs on the client and server machine. In this case, the
Windows 2000 machine is the client and the server is the *NIX
machine. Stunnel will then run as client on Windows 2000 and server
mode on the UNIX box.<BR><BR>eg:<BR>Windows:<BR>stunnel -d 5900 -r
unix.ip.address:5900 -c<BR><BR>UNIX<BR>stunnel -d 5900 -r 5901<BR><BR>This
means that connecting to VNC display 0 in the localhost will transfer
all the calls to the *NIX machine on display 1. So the VNC server on
the *NIX machine must be running on display 1. Not display 0. If you
run stunnel before VNC, VNC will automatically move to display 1
noticing that port 5900 ("display" 0) is already in
use).<BR><BR>What happens now is that when you connect to port 5900
on the Windows machine via an "unsecured" connection, a
secure "tunnel" is opened from Windows 2000 to the *NIX
machine on port 5900. The *NIX machine then opens a "unsecured"
connection to itself on port 5901. We now have a secure tunnel
available.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><U>A bit about VNC and displays</U></P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">The -d is the listening IPaddress:port
and the -r is the remote IPaddress:port. VNC uses port 5900 for
display 0. That means that display 1 will be 5901. If you want VNC
server to listen for a connection on port 80 then the display number
will be 80 - 5900 = -5820. If you want VNC server to<BR>listen on
port 14000 then the display number is 14000 - 5900 = 8100.<BR><BR>So
all you have to do is run stunnel on the UNIX machine and VNC on the
desired "display" number.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><U>VNC on the Windows 2000 machine</U></P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">To connect from the client machine you
need to enter the client machines IP address and the "display"
(from the port conversion). But VNC will think that you are trying to
connect to the local machine and does not allow this. To override
this add the following to you registry.<BR><BR>--cut here and copy to
anything.reg. the double click file to
import--<BR>REGEDIT4<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3]<BR>AllowLoopback=dword:00000001<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\Default]<BR>AllowLoopback=dword:00000001<BR>--stop
here--<BR><BR>Now VNC will not complain. So you need to always run
stunnel in client mode on the Windows machine and then connect with
VNCViewer to the localhost on the correct "display". By the
way, *NIX doesn't complain about this. There is no setting needed if
*NIX to *NIX.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><U>VNC's Java client</U></P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">Unfortunately this will not work well
with the build in web version. If you did not known about it, try
http'ing into a machine running VNC server on it, to port 58XX (where
XX is the display number), and the Java client will be loaded.<BR><BR>
</P>
</BODY>
</HTML>
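Review bot: the UNIX-side example `stunnel -d 5900 -r 5901` leaves the plaintext VNC listener on 5901 reachable by anyone who can connect to the host directly, so the tunnel can simply be bypassed; the text should tell the reader to restrict 5901 to the loopback interface or firewall it, and to accept on 5900 only where the Windows client comes from. The Windows client line `stunnel -d 5900 -r unix.ip.address:5900 -c` carries no certificate-verification option, so it encrypts to whatever answers on 5900 without authenticating the *NIX end; a sentence on enabling verification (the -v level that the certificate HOWTO in this same commit discusses) and on where the CA certificate is installed would close that gap. Style: the -d/-r/-c invocation is the old single-line command syntax, while the program now reads its services from a configuration file, so the page would stay usable with the equivalent stunnel.conf snippet alongside ([vnc] with accept = 5900 and connect = 5901 on the UNIX box; client = yes with connect = unix.ip.address:5900 on Windows).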
143
doc/pl/faq.stunnel-2.html
Normal file
@ -0,0 +1,143 @@
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-2">
<TITLE>Gdy pojawiają się kłopoty</TITLE>
</HEAD>
<BODY TEXT="#000000" BGCOLOR="#FFFFFF" LINK="#0000EF" VLINK="#51188E" ALINK="#FF0000">
<B>Q: </B>Próbuje kompilować stunnel jednak dostaje
następujące komunikaty:
<BR>stunnel.c:69: ssl.h: No such file or directory
<BR>stunnel.c:71: bio.h: No such file or directory
<BR>stunnel.c:72: pem.h: No such file or directory
<BR>make: *** [stunnel.o] Error 1

<P><B>A:</B> Są dwie prawdopodobne przyczyny: nie masz zainstalowanego
w systemie pakietu SSLeay lub pakiet nie znajduje sie w miejscu domyślnym
czyli<B> /usr/local/ssl. </B>Należy zainstalować SSLeay lub też poprawić
Makefile tak by ścieżka była prawidłowa.
<BR>
<HR WIDTH="100%">
<BR><B>Q:</B> Próbuje uruchomić stunnel jako wrapper dla httpd. Po
wydaniu komendy: <B>stunnel 443 @localhost:80</B> demon się nie uruchamia
a w syslogu pojawia się komunikat "<B>stunnel[2481]: getpeername: Socket
operation on non-socket (88)"</B><B></B>

<P><B>A</B>: Jest to błąd charakterystyczny dla Linuxa. Należy w pliku
stunnel.c zmienić linię<B> #define INET_SOCKET_PAIR 1</B> na
<BR><B>#define INET_SOCKET_PAIR 0</B> i zrekompilować program ponownie.
<BR>
<HR WIDTH="100%">
<BR><B>Q:</B> Stunnel nadal się nie uruchamia a w syslogu pojawia się komunikat
"<B>stunnel[2525]: /usr/local/ssl/certs/localhost:80.pem: No such file
or directory (2)</B>"<B></B>

<P><B>A:</B> Nie posiadasz odpowiedniego certyfikatu dla demona. Stunnel
w celu poprawnego działania <B>MUSI</B> posiadać certyfikat. W celu wygenerowania
odpowiedniego certyfikatu należy wydać komende: <B>/usr/local/ssl/bin/ssleay
req -new -x509 -nodes -out server.pem -days 365 -keyout server.pem</B>
bądź też użyć <B>Makefile</B> dołączonego do programu stunnel i przy pomocy
komendy <B>make cert </B>stworzyć certyfikat. Tak utworzony certyfikat (server.pem)
należy umieścić w katalogu <B>/usr/local/ssl/certs</B> i utworzyć doń odpowiednie
linki lub zmieć nazwę certyfikatu na wymaganą przez stunnel.
<BR>
<HR WIDTH="100%">
<BR><B>Q:</B> Wygenerowałem odpowiedni certyfikat przy pomocy skryptu CA.sh,
a stunnel <B>przy starcie prosi o podanie hasła</B>. Jak można przekazać
hasło zabezpieczające certyfikat do programu ?<B></B>

<P><B>A:</B> W chwili obecnej jest to niemożliwe. Certyfikaty którymi posługuje
sie stunnel nie mogą być zabezpieczane hasłem. Przy tworzeniu certyfikatu
należy użyć opcji -nodes (lub utworzyć certyfikat przy pomocy makefile
odstarczonego z programem).
<BR>
<HR WIDTH="100%">
<BR><B>Q:</B> Po uruchomieniu programu stunnel w syslogu pojawia się komunikat:
"<B>stunnel[2805]: WARNING: Wrong permissions on /usr/local/ssl/certs/localhost:80.pem</B>".
Co jest nie tak ?<B></B>

<P><B>A:</B> To tylko ostrzeżenie ! Certyfikat nie powien dać się odczytać
przez innych użytkowników systemu. Prawidłowe prawa dostępu powinny być
następujące: <B>-rw------ 1 root root
1370 Nov 8 1997 server.pem </B>(jeśli uruchamiającym stunnel jest
root).
<BR>
<HR WIDTH="100%">
<BR><B>Q:</B> Probowałem zrobić tunelowanie połączenia do demona <B>pop3</B>.
Pomimo zrobienia prawidłowego wpisu do inetd.conf
<BR>"spop3 stream tcp nowait root /usr/sbin/stunnel
qpopper -s" stunnel nie działa a w syslogu pojawia się komunikat:
<BR><B>inetd[2949]: spop3/tcp: unknown service.</B><B></B>

<P><B>A: </B>Nie zrobiłeś dodatkowych wpisów do pliku <B>/etc/services.</B>
Zgodnie z rfc???? prawidłowymi portami na których działają demony posługujące
się SSL są:
<TABLE>
<TR>
<TD>https</TD>

<TD>443/tcp</TD>

<TD># HTTP over SSL </TD>
</TR>

<TR>
<TD>ssmtp</TD>

<TD>465/tcp</TD>

<TD># SMTP over SSL </TD>
</TR>

<TR>
<TD>snews</TD>

<TD>563/tcp</TD>

<TD># NNTP over SSL </TD>
</TR>

<TR>
<TD>ssl-ldap</TD>

<TD>636/tcp</TD>

<TD># LDAP over SSL </TD>
</TR>

<TR>
<TD>simap</TD>

<TD>993/tcp</TD>

<TD># IMAP over SSL </TD>
</TR>

<TR>
<TD>spop3</TD>

<TD>995/tcp</TD>

<TD># POP-3 over SSL </TD>
</TR>
</TABLE>
Jeśli nie chesz robić poprawek zamiast nazwy serwisu użyj numeru portu
na którym on działa.
<BR>
<HR WIDTH="100%">
<BR><B>Q:</B> Dobrze, zrobiłem wymagany wpis lecz w dalszym ciagu stunnel
nie działa, natomiast w syslogu pojawia sie wpis:
<BR> <B>stunnel[3015]: execvp: No such file or directory (2). </B>Co
jeszcze jest nie tak ?<B></B>

<P><B>A:</B> Prawdopodone są dwie przyczyny: pierwsza w twoim systemie
nie ma demona dla ktorego zrobiłeś wpis w inetd.conf,
<BR>(spop3 stream tcp nowait root /usr/sbin/stunnel
qpopper -s) lub też dany program jest w systemie, jednak ścieżka dostępu
do niego nie jest wymieniona w zmiennej systemowej <B>$PATH</B>. Należy
więc poprawić zapis w inetd.conf uzupełniając o pełna ścieżke dostępu do
demona np. <B>spop3 stream tcp nowait root
/usr/sbin/stunnel /usr/sbin/qpopper -s</B>
<BR>
<BR>
</BODY>
</HTML>
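Review bot: the "Wrong permissions" answer gives the expected mode as -rw------ (nine characters); it should read -rw------- (0600), and the answer should say why the warning matters: the certificate answer two entries above generates the key with -nodes and -keyout server.pem into the same file as the certificate, so server.pem holds an unencrypted private key and anyone who can read it can impersonate the service. The /etc/services answer cites "rfc????"; the numbers listed (443, 465, 563, 636, 993, 995) are IANA service-registry assignments, so point at the registry (or a current distribution's /etc/services) instead of leaving the placeholder. Minor: "/usr/local/ssl/bin/ssleay req -new -x509 ..." is the SSLeay spelling; with OpenSSL the same command is "openssl req -new -x509 -nodes -out server.pem -days 365 -keyout server.pem".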
744
doc/pl/tworzenie_certyfikatow.html
Normal file
@ -0,0 +1,744 @@
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-2">
<META NAME="Author" CONTENT="Adam Hernik">
<TITLE>Wszystko co powiniene¶ wiedzieæ o tworzeniu certyfikatów ale nie chce Ci siê poszukaæ w dokumentacji</TITLE>
</HEAD>
<BODY TEXT="#000000" BGCOLOR="#CCCCCC" LINK="#0000EF" VLINK="#51188E" ALINK="#FF0000">

<CENTER>
<H1>
<FONT SIZE=+2>Wszystko co powiniene¶ wiedzieæ o tworzeniu certyfikatów
ale nie chce Ci siê</FONT></H1></CENTER>

<CENTER>
<H1>
<FONT SIZE=+2>poszukaæ w dokumentacji.</FONT></H1></CENTER>


<P><B><FONT SIZE=+1>Co powinno znajdowaæ siê na Twoim dysku zamin zostaniesz
"Certificate Authorities".</FONT></B>

<P>Podstawowym oprogramowaniem jest oczywi¶cie <A HREF="http://www.openssl.org">openssl</A>.
W tym miejscu nale¿y zachowaæ czujno¶æ
<BR>bo openssl <B>MUSI</B> byæ co najmniej w wersji 0.9.2b dziêki czemu
ominie Ciê czê¶æ karko³omnych
<BR>operacji przy pomocy <A HREF="http://www.drh-consultancy.demon.co.uk">pcks12</A>
ktory tak¿e musisz posiadaæ w swoich zasobach dyskowych.
<BR>Je¶li masz ju¿ zainstalowane powy¿sze oprogramowanie mo¿esz zacz±æ
tworzyæ certyfikaty.

<P><B><FONT SIZE=+1>Konfiguracja openssl.</FONT></B>

<P>Zak³adam ze openssl jest zainstalowany standardowo czyli w <B>/usr/local/ssl</B>.
Pierwszym krokiem jest
<BR>przejrzenie i "dokonfigurowanie" <B>/usr/local/ssl/lib/openssl.cnf</B>.
Mój domowy konfig wygl±da nastêpuj±co
<BR>(kolorem czerwonym zaznaczylem opcje które raczej powiniene¶ zmieniæ)
:
<BR><FONT SIZE=-2><A HREF="#koniec openssl.cnf">je¶li nie chce Ci siê tego
czytaæ to skocz na koniec konfiga</A></FONT>

<P><I>#</I>
<BR><I># OpenSSL example configuration file.</I>
<BR><I># This is mostly being used for generation of certificate requests.</I>
<BR><I>#</I>
<BR><I> </I>
<BR><I>RANDFILE
= $ENV::HOME/.rnd</I>
<BR><I>oid_file
= $ENV::HOME/.oid</I>
<BR><I>oid_section
= new_oids</I>
<BR><I> </I>
<BR><I>[ new_oids ]</I>
<BR><I> </I>
<BR><I># We can add new OIDs in here for use by 'ca' and 'req'.</I>
<BR><I># Add a simple OID like this:</I>
<BR><I># testoid1=1.2.3.4</I>
<BR><I># Or use config file substitution like this:</I>
<BR><I># testoid2=${testoid1}.5.6</I>
<BR><I> </I>
<BR><I>####################################################################</I>
<BR><I>[ ca ]</I>
<BR><I>default_ca = CA_default
# The default ca section</I>
<BR><I> </I>
<BR><I>####################################################################</I>
<BR><I>[ CA_default ]</I>
<BR><I> </I>
<BR><I>dir
= ./demoCA
# Where everything is kept</I>
<BR><I>certs
= $dir/certs
# Where the issued certs are kept</I>
<BR><I>crl_dir = $dir/crl
# Where the issued crl are kept</I>
<BR><I>database = $dir/index.txt
# database index file.</I>
<BR><I>new_certs_dir = $dir/newcerts
# default place for new certs.</I>
<BR><I> </I>
<BR><I>certificate = $dir/cacert.pem
# The CA certificate</I>
<BR><I>serial = $dir/serial
# The current serial number</I>
<BR><I>crl
= $dir/crl.pem #
The current CRL</I>
<BR><I>private_key = $dir/private/cakey.pem# The
private key</I>
<BR><I>RANDFILE = $dir/private/.rand
# private random number file</I>
<BR><I> </I>
<BR><I>x509_extensions = usr_cert
# The extentions to add to the cert</I>
<BR><I>crl_extensions = crl_ext
# Extensions to add to CRL</I>
<BR><I>default_days = 365
# how long to certify for</I>
<BR><I>default_crl_days= 30
# how long before next CRL</I>
<BR><I>default_md = md5
# which md to use.</I>
<BR><I>preserve = no
# keep passed DN ordering</I>
<BR><I> </I>
<BR><I># A few difference way of specifying how similar the request should
look</I>
<BR><I># For type CA, the listed attributes must be the same, and the optional</I>
<BR><I># and supplied fields are just that :-)</I>
<BR><I>policy = policy_match</I>
<BR><I># For the CA policy</I>
<BR><I>[ policy_match ]</I>
<BR><I>countryName
= match</I>
<BR><I>stateOrProvinceName = match</I>
<BR><I>organizationName = match</I>
<BR><I>organizationalUnitName = optional</I>
<BR><I>commonName
= supplied</I>
<BR><I>emailAddress
= optional</I>
<BR><I> </I>
<BR><I># For the 'anything' policy</I>
<BR><I># At this point in time, you must list all acceptable 'object'</I>
<BR><I># types.</I>
<BR><I>[ policy_anything ]</I>
<BR><I>countryName
= optional</I>
<BR><I>stateOrProvinceName = optional</I>
<BR><I>localityName
= optional</I>
<BR><I>organizationName = optional</I>
<BR><I>organizationalUnitName = optional</I>
<BR><I>commonName
= supplied</I>
<BR><I>emailAddress
= optional</I>
<BR><I> </I>
<BR><I>####################################################################</I>
<BR><A NAME="req"></A><I>[ req ]</I>
<BR><I>default_bits
= <FONT COLOR="#FF0000">1024</FONT></I>
<BR><I>default_keyfile
= privkey.pem</I>
<BR><I>distinguished_name = req_distinguished_name</I>
<BR><I>attributes
= req_attributes</I>
<BR><I>x509_extensions = v3_ca # The extentions to add to the self signed
cert</I>
<BR><I> </I>
<BR><I>[ req_distinguished_name ]</I>
<BR><I>countryName
= Country Name (2 letter code)</I>
<BR><I>countryName_default
= <FONT COLOR="#FF0000">PL</FONT></I>
<BR><I>countryName_min
= 2</I>
<BR><I>countryName_max
= 2</I>
<BR><I> </I>
<BR><I>stateOrProvinceName
= State i Prowincja</I>
<BR><I>stateOrProvinceName_default = <FONT COLOR="#FF0000">State-Prowincja
domyslna</FONT></I>
<BR><I>localityName
= Locality Name (eg, city)</I>
<BR><I>localityName_default
= <FONT COLOR="#FF0000">Lodz</FONT></I>
<BR><I> </I>
<BR><I>0.organizationName
= Organization Name (eg, company)</I>
<BR><I>0.organizationName_default = <FONT COLOR="#FF0000">Nawza
Organizacji</FONT></I>
<BR><I> </I>
<BR><I># we can do this but it is not needed normally :-)</I>
<BR><I>#1.organizationName
= Second Organization Name (eg, company)</I>
<BR><I>#1.organizationName_default = World Wide
Web Pty Ltd</I>
<BR><I>organizationalUnitName
= Organizational Unit Name (eg, section)</I>
<BR><I>organizationalUnitName_default = <FONT COLOR="#FF0000">Unit
name domyslny</FONT></I>
<BR><I> </I>
<BR><I>commonName
= Common Name (eg, YOUR name)</I>
<BR><I>commonName_max
= 64</I>
<BR><I> </I>
<BR><I>emailAddress
= Email Address</I>
<BR><I>emailAddress_max
= 40</I>
<BR><I> </I>
<BR><I># SET-ex3
= SET extension number 3</I>
<BR><I> </I>
<BR><I>[ req_attributes ]</I>
<BR><I>challengePassword
= A challenge password</I>
<BR><I>challengePassword_min = 4</I>
<BR><I>challengePassword_max = 20</I>
<BR><I> </I>
<BR><I>unstructuredName
= An optional company name</I>
<BR><I> </I>
<BR><A NAME="usr_cert"></A><I>[ usr_cert ]</I>
<BR><I> </I>
<BR><I># These extensions are added when 'ca' signs a request.</I>
<BR><I> </I>
<BR><I># This goes against PKIX guidelines but some CAs do it and some
software</I>
<BR><I># requires this to avoid interpreting an end user certificate as
a CA.</I>
<BR><I> </I>
<BR><I>basicConstraints=CA:FALSE</I>
<BR><I> </I>
<BR><I># Here are some examples of the usage of nsCertType. If it is omitted</I>
<BR><I># the certificate can be used for anything *except* object signing.</I>
<BR><I> </I>
<BR><A NAME="server"></A><I># This is OK for an SSL server.</I>
<BR><I><FONT COLOR="#006600">#nsCertType
= server</FONT></I>
<BR><I> </I>
<BR><I># For an object signing certificate this would be used.</I>
<BR><I>#nsCertType = objsign</I>
<BR><I> </I>
<BR><A NAME="klient"></A><I># For normal client use this is typical</I>
<BR><I><FONT COLOR="#006600">nsCertType = client, email</FONT></I>
<BR><I> </I>
<BR><I># This is typical also</I>
<BR><I> </I>
<BR><I>keyUsage = nonRepudiation, digitalSignature, keyEncipherment</I>
<BR><I> </I>
<BR><I>nsComment
= "<FONT COLOR="#FF0000">OpenSSL Generated Certificate</FONT>"</I>
<BR><I> </I>
<BR><I># PKIX recommendations</I>
<BR><I>subjectKeyIdentifier=hash</I>
<BR><I>authorityKeyIdentifier=keyid,issuer:always</I>
<BR><I># Import the email address.</I>
<BR><I> </I>
<BR><I>subjectAltName=email:copy</I>
<BR><I> </I>
<BR><I># Copy subject details</I>
<BR><I> </I>
<BR><I>issuerAltName=issuer:copy</I>
<BR><I> </I>
<BR><I>#nsCaRevocationUrl
= http://www.domain.dom/ca-crl.pem</I>
<BR><I>#nsBaseUrl</I>
<BR><I>#nsRevocationUrl</I>
<BR><I>#nsRenewalUrl</I>
<BR><I>#nsCaPolicyUrl</I>
<BR><I>#nsSslServerName</I>
<BR><I> </I>
<BR><I>[ v3_ca]</I>
<BR><I> </I>
<BR><I># Extensions for a typical CA</I>
<BR><I> </I>
<BR><I># It's a CA certificate</I>
<BR><I>basicConstraints = CA:true</I>
<BR><I> </I>
<BR><I># PKIX recommendation.</I>
<BR><I> </I>
<BR><I>subjectKeyIdentifier=hash</I>
<BR><I> </I>
<BR><I>authorityKeyIdentifier=keyid:always,issuer:always</I>
<BR><I> </I>
<BR><I># This is what PKIX recommends but some broken software chokes on
critical</I>
<BR><I># extensions.</I>
<BR><I>#basicConstraints = critical,CA:true</I>
<BR><I> </I>
<BR><I># Key usage: again this should really be critical.</I>
<BR><I>keyUsage = cRLSign, keyCertSign</I>
<BR><I> </I>
<BR><I># Some might want this also</I>
<BR><I>nsCertType = sslCA, emailCA, objCA</I>
<BR><I> </I>
<BR><I># Include email address in subject alt name: another PKIX recommendation</I>
<BR><I>subjectAltName=email:copy</I>
<BR><I># Copy issuer details</I>
<BR><I>issuerAltName=issuer:copy</I>
<BR><I> </I>
<BR><I># RAW DER hex encoding of an extension: beware experts only!</I>
<BR><I># 1.2.3.5=RAW:02:03</I>
<BR><I># You can even override a supported extension:</I>
<BR><I># basicConstraints= critical, RAW:30:03:01:01:FF</I>
<BR><I> </I>
<BR><I>[ crl_ext ]</I>
<BR><I> </I>
<BR><I># CRL extensions.</I>
<BR><I># Only issuerAltName and authorityKeyIdentifier make any sense in
a CRL.</I>

<P><I>issuerAltName=issuer:copy</I>
<BR><I>authorityKeyIdentifier=keyid:always,issuer:always</I>
<BR>################################################################################
<BR>########## koniec pliku openssl.cnf

<P><A NAME="koniec openssl.cnf"></A>Jak widaæ zmiany s± praktycznie kosmetyczne.
Nale¿y zwrócic jedynie uwagê na opcjê <A HREF="#req">default_bits</A> w
sekcji req.
<BR>W momencie generowania certyfikatu CA powinna mieæ ona warto¶æ 1024
lub wiêcej, natomiast w trakcie tworzenia
<BR>certyfikatów klienckich winno mieæ siê na uwadze wredn± cechê produktów
M$ dostêpnych poza granicami USA.
<BR>Nie s± one w stanie zaimportowaæ kluczy maj±cych wiêcej ni¿ 512 bitów.
W takim przypadku default_bits nale¿y
<BR>zmniejszyæ do tej warto¶ci. Je¶li chodzi o Netscapa konieczno¶æ taka
nie wystêpuje, nawet gdy nie jest on
<BR>patchowany przy pomocy <A HREF="http://www.fortify.net/">Fortify</A>.
Jednak¿e klucz nie powinien byæ wiêkszy ni¿ 1024 bity.

<P><B><FONT SIZE=+1>Generowanie certyfikatu CA</FONT></B>

<P>Pierwszy± czynno¶ci± jak± nale¿y wykonaæ jest wygenerowanie certyfikatu
CA czyli czego¶ czym bêd±
<BR>podpiswane certyfikaty udostêpniane klientom. Uruchom rxvt lub co¶
innego i wykonaj polecenie:

<P><I>adas:~# <B>cd /usr/local/ssl/bin</B></I>
<BR><I>adas:/usr/local/ssl/bin# <B>./CA.pl -newca</B></I>

<P><I>CA certificate filename (or enter to create)</I>

<P><I>Making CA certificate ...</I>
<BR><I>Using configuration from /usr/local/ssl/lib/openssl.cnf</I>
<BR><I>Generating a 1024 bit RSA private key</I>
<BR><I>..+++++</I>
<BR><I>....+++++</I>
<BR><I>writing new private key to './demoCA/private/cakey.pem'</I>
<BR><A NAME="pem_pass"></A><I><FONT COLOR="#009900">Enter PEM pass phrase:</FONT></I>
<BR><I><FONT COLOR="#009900">Verifying password - Enter PEM pass phrase:</FONT></I>
<BR><I>-----</I>
<BR><I>You are about to be asked to enter information that will be incorporated</I>
<BR><I>into your certificate request.</I>
<BR><I>What you are about to enter is what is called a Distinguished Name
or a DN.</I>
<BR><I>There are quite a few fields but you can leave some blank</I>
<BR><I>For some fields there will be a default value,</I>
<BR><I>If you enter '.', the field will be left blank.</I>
<BR><I>-----</I>
<BR><I>Country Name (2 letter code) [PL]:</I>
<BR><I>State i Prowincja [Kraina Bezrobotnych Szwaczek]:</I>
<BR><I>Locality Name (eg, city) [Lodz]:</I>
<BR><I>Organization Name (eg, company) [Instytut Badan Czarow i Magii]:</I>
<BR><I>Organizational Unit Name (eg, section) [Komorka d/s Egzorcyzmow
i Opentan]:</I>
<BR><I>Common Name (eg, YOUR name) []:Adam Hernik</I>
<BR><I>Email Address []:adas@infocentrum.com</I>

<P><I>adas:/usr/local/ssl/bin#</I>

<P>Skrypt CA.pl uruchomiony poraz pierwszy tworzy w /usr/local/ssl/bin
katalog o nazwie demoCA w którym znajduje siê
<BR>wygenerowany przed chwil± certyfikat publiczny <B>cacert.pem</B> (do³±czany
pó¿niej do certyfikatów klienckich) oraz tajny
<BR>zabezpieczony <A HREF="#pem_pass">has³em</A> klucz <B>cakey.pem</B>
którym bêdziesz podpisywa³ certyfikaty wydawane u¿ytkownikom. Klucz i has³o
<BR>oczywi¶cie nale¿y dobrze chroniæ i najlepiej jest gdy znajduje siê
na serwerze tylko w momencie generowania certyfikatu.
<BR>Ponowne uruchomienie CA.pl z parametrem -newca niszczy to co pracowicie
stworzy³e¶ i generuje nowy klucz i certyfikat.
<BR>

<P><B><FONT SIZE=+1>Tworzenie certyfikatu dla stunnela i innych serwerów</FONT></B>
<BR>

<P>Zanim siê do tego zabierzesz powiniene¶ lekko zmodyfikowac skrypt <B>CA.pl</B>
oraz plik konfiguracyjny <B>openssl.cnf</B>.
<BR>Skopiuj je odpowiednio do plików <B>/usr/local/ssl/bin/CAserv.pl</B>
i <B>/usr/local/ssl/lib/openssl_serv.cnf</B>.<B></B>
<BR>Generowane certyfikaty domy¶lnie zabezpieczone s± has³em, w takim przypadku
w momencie startu stunnela zawsze
<BR>bêdziesz pytany o haslo zabezpieczaj±ce, co skutecznie uniemo¿liwi
automatyczne uruchamianie programu w czasie
<BR>bootowania serwera, czy te¿ przy próbie wystartowania go przez
inetd. Nale¿y poprawiæ <B>linie 40</B> i <B>41</B> skryptu
<BR><B>CAserv.pl</B> z

<P><FONT COLOR="#006600">linia 40:</FONT>
<BR><B>$REQ="openssl req <I>$SSLEAY_CONFIG</I>";</B>
<BR>na
<BR><B>$REQ="openssl req <FONT COLOR="#FF0000">-nodes -config /usr/local/ssl/lib/openssl_serv.cnf</FONT>";</B>

<P><FONT COLOR="#006600">linia 41:</FONT>
<BR><B>$CA="openssl ca <I>$SSLEAY_CONFIG</I>";</B>
<BR>na
<BR><B>$CA="openssl ca <FONT COLOR="#FF0000">-config /usr/local/ssl/lib/openssl_serv.cnf</FONT>";</B>
<BR>

<P>Natomiast w pliku <B>/usr/local/ssl/lib/openssl_serv.cnf </B>nalezy
w sekcji <A HREF="#usr_cert">usr_cert</A> "zahashowaæ" linijkê
<BR><A HREF="#klient">nsCertType = client, email</A> oraz "odhashowaæ"
linijkê <A HREF="#server">nsCertType = server</A> . Je¶li tego
nie zrobisz klient nie bêdzie
<BR>poprawnie rozpoznawa³ typu certyfikatu. A teraz kolej na wygenerowanie
"requestu" posy³anego zazwyczaj do CA.
<BR>Bêd±c w katalogu /usr/local/ssl/bin wykonaj:

<P><I>adas:/usr/local/ssl/bin# .<B>/CAserv.pl -newreq</B></I>
<BR><I>Using configuration from /usr/local/ssl/lib/openssl_serv.cnf</I>
<BR><I>Generating a 1024 bit RSA private key</I>
<BR><I>..............................+++++</I>
<BR><I>.........+++++</I>
<BR><I>writing new private key to 'newreq.pem'</I>
<BR><I>-----</I>
<BR><I>You are about to be asked to enter information that will be incorporated</I>
<BR><I>into your certificate request.</I>
<BR><I>What you are about to enter is what is called a Distinguished Name
or a DN.</I>
<BR><I>There are quite a few fields but you can leave some blank</I>
<BR><I>For some fields there will be a default value,</I>
<BR><I>If you enter '.', the field will be left blank.</I>
<BR><I>-----</I>
<BR><I>Country Name (2 letter code) [PL]:</I>
<BR><I>State i Prowincja [Kraina Bezrobotnych Szwaczek]:Kraina latajacych
scyzorykow</I>
<BR><I>Locality Name (eg, city) [Lodz]:Sielpia</I>
<BR><I>Organization Name (eg, company) [Instytut Badan Czarow i Magii]:Bar
Sloneczko</I>
<BR><I>Organizational Unit Name (eg, section) [Komorka d/s Egzorcyzmow
i Opentan]:Kuflownia</I>
<BR><I><FONT COLOR="#FF0000">Common Name (eg, YOUR name) []:adas.pl</FONT></I>
<BR><I>Email Address []:adas@adas.pl</I>

<P><I>Please enter the following 'extra' attributes</I>
<BR><I>to be sent with your certificate request</I>
<BR><I>A challenge password []:</I>
<BR><I>An optional company name []:</I>
<BR><I>Request (and private key) is in newreq.pem</I>
<BR><I>adas:/usr/local/ssl/bin#</I>

<P>Polem o którym warto wspomnieæ jest "Common Name" (zaznaczone na czerwono).
W trakcie generowania requestu
<BR>nale¿y w tym miejscu wpisaæ <B>FQDN serwera</B> na którym bêdzie on
u¿ywany. W przeciwnym wypadku w chwili
<BR>po³±czenia klient bêdzie twierdzi³, ¿e certyfikat jakim przedstawia
siê serwer nie nale¿y do niego. Unikniemy w ten
<BR>sposób niepotrzebnego klikania. Kolejn± czynno¶ci± jest podpisanie
wygenerowanego requestu. W katalogu
<BR>/usr/local/ssl/bin wykonaj polecenie:

<P><I>adas:/usr/local/ssl/bin# .<B>/CAserv.pl -sign</B></I>
<BR><I>Using configuration from /usr/local/ssl/lib/openssl.cnf</I>
<BR><I><FONT COLOR="#009900">Enter PEM pass phrase:</FONT></I>
<BR><I>Check that the request matches the signature</I>
<BR><I>Signature ok</I>
<BR><I>The Subjects Distinguished Name is as follows</I>
<BR><I>countryName
:PRINTABLE:'PL'</I>
<BR><I>stateOrProvinceName :PRINTABLE:'Kraina latajacych scyzorykow'</I>
<BR><I>localityName
:PRINTABLE:'Sielpia'</I>
<BR><I>organizationName :PRINTABLE:'Bar Sloneczko'</I>
<BR><I>organizationalUnitName:PRINTABLE:'Kuflownia'</I>
<BR><I>commonName
:PRINTABLE:'adas.pl'</I>
<BR><I>emailAddress
:IA5STRING:'adas@adas.pl'</I>
<BR><I>Certificate is to be certified until Mar 26 21:06:13 2000 GMT (365
days)</I>
<BR><I>Sign the certificate? [y/n]:y</I>
<BR>

<P><I>1 out of 1 certificate requests certified, commit? [y/n]y</I>
<BR><I>Write out database with 1 new entries</I>
<BR><I>Data Base Updated</I>
<BR><I>Signed certificate is in newcert.pem</I>
<BR><I>adas:/usr/local/ssl/bin#</I>

<P>W trakcie podpisywania bêdziesz pytany o has³o zabezpieczaj±ce klucz
prywatny CA (zaznaczone na zielono).
<BR>Po tej operacji powiniene¶ w katalogu /usr/local/ssl/bin otrzymaæ 2
pliki: <B>newcert.pem</B> oraz <B>newreq.pem</B>.
<BR>Zanim zaczniesz ich u¿ywaæ musisz wykonaæ jeszcze jedn± operacje, a
mianowicie z³orzyæ wszystko do kupy.
<BR>Wykonujesz: <B>cat newcert.pem newreq.pem > httpds.pem</B> a nastêpnie
poddajesz tak powsta³y certyfikat edycji.
<BR>Nale¿y z pliku httpds.pem nale¿y usun±æ wszystkie niepotrzebne informacje
tak by pozosta³ jedynie certyfikat oraz
<BR>klucz prywatny. Po tej operacji plik httpds.pem powinien wygl±daæ mniej
wiêcej tak:

<P><I>issuer :/C=PL/ST=Kraina Bezrobotnych Szwaczek/L=Lodz/O=Instytut Badan
Czarow i Magii/OU=Komorka d/s Egzorcyzmow i opentan/CN=Adam Hernik/Email=adas@infocentrum.com</I>
<BR><I>subject:/C=PL/ST=Kraina latajacych scyzorykow/L=Sielpia/O=Bar Sloneczko/OU=Kuflownia/CN=adas.pl/</I>
<BR><I>Email=adas@adas.pl</I>
<BR><I>-----BEGIN CERTIFICATE-----</I>
<BR><I> Tu s± magiczne dane</I>
<BR><I>-----END CERTIFICATE-----</I>

<P><I>-----BEGIN RSA PRIVATE KEY-----</I>
<BR><I> I tu te¿ s± magiczne dane</I>
<BR><I>-----END RSA PRIVATE KEY-----</I>

<P>Spreparowany w ten sposób plik umieszczamy w katalogu /usr/local/ssl/certs
i zajmujemy siê generowaniem dwu
<BR>certyfikatów klienckich.
<BR>

<P><B><FONT SIZE=+1>Generowanie i importowanie certyfikatów klienckich
do Netscape Communikatora.</FONT></B>
<BR>
<BR>Generalnie s± dwie metody tworzenia i importowania certyfikatów klienckich
do Netscapa
<BR><B>Sposób pierwszy:</B>
<BR>Przy pomocy komendy <B>CA.pl -newreq</B> wygeneruj request a nastêpnie
przy pomocy <B>CA.pl -sign</B> podpisz go.
<BR>Pytanie o <I>challenge password</I> zignoruj. Kolejn± czynno¶ci± jest
scalenie i podczyszczenie certyfikatu.
<BR>W przypadku certyfikatu klienta wa¿ne jest podanie <B>prawid³owego
adresu email</B> <B>!</B> Bez tego nie bêdzie mo¿na
<BR>podpisywaæ i szyfrowaæ listów. Stwórz dwa certyfikaty. Bêd± one
potrzebne do wyja¶nienia dzia³ania opcji -v 3
<BR>programu stunnel. Zak³adam ¿e pierwszy certyfikat nale¿y do Jana Kowalskiego
jan@ibczim.pl zachowany w
<BR>pliku jan.pem a drugi do Genowefy Pigwy pigwa@scyzoryki.pl znajduj±cym
siê w pliku pigwa.pem. Przed
<BR>zaimportowaniem plików do Netscpea nale¿y przekonwertowaæ je z formatu
PEM do PCKS12. Wykonuje siê to
<BR>przy pomocy wspomnianego na pocz±tku programu <B>pcks12</B>. Aby przekonwertowaæ
|
||||||
|
certyfikat Jan Kowalskiego,
|
||||||
|
<BR>w katalogu w ktorym znajduje siê plik jan.pem wykonaj:
|
||||||
|
<BR>
|
||||||
|
|
||||||
|
<P><B>pkcs12 -export -name "Jan Kowalski jan@ibczim.pl" -in jan.pem -out
|
||||||
|
jan.p12 -certfile /usr/local/ssl/bin/demoCA/cacert.pem</B>
|
||||||
|
|
||||||
|
<P>(<FONT COLOR="#990000">jest to jedna linia !!!</FONT>)
|
||||||
|
<BR>w wyniku czego powstanie plik jan.p12 który mo¿na zaimportowaæ do Netscapea.
|
||||||
|
Bardzo wa¿n± opcj± jest
|
||||||
|
<BR><B><I>-certfile /usr/local/ssl/bin/demoCA/cacert.pem</I></B>. Bez niej
|
||||||
|
nie bêdzie mo¿na w prawid³owy sposób podpisywaæ listów.
|
||||||
|
<BR>Prze³±cznik -certfile powoduje do³±czenie publicznego certyfikatu CA
|
||||||
|
do certyfikatu klienta dziêki czemu Netscape
|
||||||
|
<BR>jest wstanie "wyekstrachowaæ" certyfikat CA i dodaæ go do wewnêtrznej
|
||||||
|
bazy CA. Wykonaj powy¿sz± operacjê tak¿e
|
||||||
|
<BR>dla pigwy. Samo zaimportowanie certyfikatu jest bardzo proste wykonuje
|
||||||
|
siê to klikaj±c w Netscape na
|
||||||
|
|
||||||
|
<P><B>Security-> Yours -> Import a Certificate</B>
|
||||||
|
|
||||||
|
<P>Po zaimportowaniu nale¿y w <B>Security -> Signers</B> zaznaczyæ nasz
|
||||||
|
CA certyfikat a nastêpnie klikn±æ na przycisku Edit
|
||||||
|
<BR>oraz "zaczekowaæ" opcje:
|
||||||
|
|
||||||
|
<P><I>Accept this Certificate Authority for Certifying network sites</I>
|
||||||
|
<BR><I>Accept this Certificate Authority for Certifying e-mail users</I>
|
||||||
|
|
||||||
|
<P>Od tej pory nasz certyfikat bêdzie traktowany na równi z innymi, komercyjnymi.
|
||||||
|
|
||||||
|
<P><B>Sposób drugi:</B>
|
||||||
|
<BR>Polega on na wygenerowaniu i imporcie certyfikatu poprzez strone www.
|
||||||
|
Wraz z stunnelem dostarczane s±
|
||||||
|
<BR>przk³adowe strony (dwie) i skrypty (dwa). Skrypty nale¿y raczej
|
||||||
|
traktowaæ jako wzorzec i ka¿dy powinien napisaæ
|
||||||
|
<BR>swoje, bardziej bezpieczne. Pierwszym krokiem jest import certyfikatu
|
||||||
|
CA. U¿ywa siê do tego strony <B>importCA.html</B>
|
||||||
|
<BR>oraz skryptu <B>importCA.sh</B>. Sam skrypt wygl±da tak:
|
||||||
|
|
||||||
|
<P><I>#!/bin/bash</I>
|
||||||
|
|
||||||
|
<P><I>echo "Content-type: application/x-x509-ca-cert"</I>
|
||||||
|
<BR><I>echo</I>
|
||||||
|
<BR><I>cat <FONT COLOR="#CC0000">/var/lib/httpds/cgi-bin/<B>cacert.pem</B></FONT></I>
|
||||||
|
|
||||||
|
<P>cacert.pem jest to oczywi¶cie certyfikat publiczny CA znajduj±cy siê
|
||||||
|
w katalogu /usr/local/ssl/bin/demoCA
|
||||||
|
<BR>który nale¿y przekopiowaæ do katalogu cgi-bin serwera httpd oraz nadaæ
|
||||||
|
mu odpowiednie prawa dostêpu.
|
||||||
|
<BR>Po zaimportowaniu certyfikatu CA nale¿y w Security->Signers zaznaczyæ
|
||||||
|
do jakich celów bêdziemy uznawli
|
||||||
|
<BR>go za wiarygodny. Do generowania certyfikatu klienta wykorzystamy pozosta³±
|
||||||
|
strone i skrypt. Zanim do tego dojdzie
|
||||||
|
<BR>nale¿y "dokonfigurowaæ" skrypt i stworzyæ potrzebne katalogi.
|
||||||
|
W /tmp (lub w innym miejscu) nalezy stworzyæ
|
||||||
|
<BR>katalog ssl a nastêpnie przekopiowaæ do niego katalog <B>/usr/local/bin/demoCA</B>
|
||||||
|
oraz plik <B>openssl.cnf</B>.
|
||||||
|
<BR>Jako ¿e skrypty domy¶lnie uruchamiane s± z prawami u¿ytkownika nobody
|
||||||
|
nale¿y uczyniæ go wla¶cicielem
|
||||||
|
<BR>katalogu /tmp/ssl i ca³ej jego zawarto¶ci. Kolejn± czynno¶ci± jest
|
||||||
|
wygenerowanie pliku <B>.rnd</B>. W Linuxie robimy to
|
||||||
|
<BR>tak:
|
||||||
|
<BR><B>cat /dev/random > /tmp/ssl/.rnd</B>
|
||||||
|
<BR>czekamy chwilkê tak by plik .rnd mia³ wielko¶æ oko³o 1024 B po czym
|
||||||
|
w³a¶cicielem pliku robimy u¿ytkownika nobody.
|
||||||
|
<BR>Teraz trzeba przekonfigurowaæ plik /tmp/ssl/openssl.cnf
|
||||||
|
|
||||||
|
<P><I>#</I>
|
||||||
|
<BR><I># OpenSSL example configuration file.</I>
|
||||||
|
<BR><I># This is mostly being used for generation of certificate requests.</I>
|
||||||
|
<BR><I>#</I>
|
||||||
|
<BR><I> </I>
|
||||||
|
<BR><I><FONT COLOR="#FF0000">RANDFILE
|
||||||
|
= /tmp/ssl/.rnd</FONT></I>
|
||||||
|
<BR><I>#oid_file
|
||||||
|
= /tmp/ssl/.oid</I>
|
||||||
|
<BR><I>oid_section
|
||||||
|
= new_oids</I>
|
||||||
|
<BR><I> </I>
|
||||||
|
<BR><I>[ new_oids ]</I>
|
||||||
|
<BR><I> </I>
|
||||||
|
<BR><I># We can add new OIDs in here for use by 'ca' and 'req'.</I>
|
||||||
|
<BR><I># Add a simple OID like this:</I>
|
||||||
|
<BR><I># testoid1=1.2.3.4</I>
|
||||||
|
<BR><I># Or use config file substitution like this:</I>
|
||||||
|
<BR><I># testoid2=${testoid1}.5.6</I><I></I>
|
||||||
|
|
||||||
|
<P><I>####################################################################</I>
|
||||||
|
<BR><I>[ ca ]</I>
|
||||||
|
<BR><I>default_ca = CA_default
|
||||||
|
# The default ca section</I><I></I>
|
||||||
|
|
||||||
|
<P><I>####################################################################</I>
|
||||||
|
<BR><I>[ CA_default ]</I>
|
||||||
|
<BR><I> </I>
|
||||||
|
<BR><I><FONT COLOR="#FF0000">dir
|
||||||
|
= /tmp/ssl/demoCA
|
||||||
|
# Where everything is kept</FONT></I>
|
||||||
|
<BR><I>certs
|
||||||
|
= $dir/certs
|
||||||
|
# Where the issued certs are kept</I>
|
||||||
|
<BR><I>crl_dir = $dir/crl
|
||||||
|
# Where the issued crl are kept</I>
|
||||||
|
<BR><I>database = $dir/index.txt
|
||||||
|
# database index file.</I>
|
||||||
|
<BR><I>new_certs_dir = $dir/newcerts
|
||||||
|
# default place for new certs.</I>
|
||||||
|
<BR>
|
||||||
|
<BR>Nale¿y zmieniæ opcje zaznaczone na czerwono. Ostatni± czynno¶ci± jest
|
||||||
|
sprawdzenie i ewentualne poprawienie
|
||||||
|
<BR>strony ca.html i skryptu ca.pl. W pliku ca.html nalezy wpisaæ poprawn±
|
||||||
|
nazwê serwera na którym znajduje siê
|
||||||
|
<BR>skrypt ca.pl czyli linijkê <B><FORM ACTION="<FONT COLOR="#FF0000">http://localhost/cgi-bin/ca.pl</FONT>"
|
||||||
|
METHOD=POST></B>. W ca.pl
|
||||||
|
<BR>nale¿y skontrolowaæ poprawno¶æ podanych ¶cie¿ek oraz wpisaæ has³o jakim
|
||||||
|
zabezpieczony jest klucz prywatny CA
|
||||||
|
<BR>(zmienna $certpass zaznaczona na czerwono).
|
||||||
|
<BR>
|
||||||
|
|
||||||
|
<P><I>#!/usr/bin/perl</I>
|
||||||
|
<BR><I>#ca.pl</I><I></I>
|
||||||
|
|
||||||
|
<P><I>$config = "/tmp/ssl/openssl.cnf";</I>
|
||||||
|
<BR><I>$capath = "/usr/local/ssl/bin/openssl ca";</I>
|
||||||
|
<BR><I><FONT COLOR="#FF0000">$certpass = "tu_jest_haslo";</FONT></I>
|
||||||
|
<BR><I>$tempca = "/tmp/ssl/cli".rand 10000;</I>
|
||||||
|
<BR><I>$tempout = "/tmp/ssl/certtmp".rand 10000;</I>
|
||||||
|
<BR><I>$caout = "/tmp/ssl/certwynik.txt";</I>
|
||||||
|
<BR><I>$CAcert = "/tmp/ssl/demoCA/cacert.pem";</I>
|
||||||
|
<BR><I>...</I>
|
||||||
|
<BR>
|
||||||
|
|
||||||
|
<P>Po umieszczeniu tak przygotowanych stron i skryptów na serwerze bêdzie
|
||||||
|
mo¿na generowaæ certyfikaty dla klientów.
|
||||||
|
|
||||||
|
<P><B>Wady i zalety obydwu sposobów generowania i instalowania certyfikatów.</B>
|
||||||
|
|
||||||
|
<P><A NAME="usuwanie"></A>Jak wynika z powy¿szego opisu bezpieczniejszym
|
||||||
|
i polecanym przeze mnie jest sposób pierwszy. Jego powa¿n± wad±
|
||||||
|
<BR>jest fakt ¿e cz³owiek generuj±cy certyfikaty znajduje siê w posiadaniu
|
||||||
|
klucza prywatnego osoby wystêpuj±cej o
|
||||||
|
<BR>certyfikat. <FONT COLOR="#FF0000">Oczywi¶cie uczciwy CA powinien
|
||||||
|
skasowaæ go, zaraz po utworzeniu</FONT>. W takim wypadku metoda pierwsza
|
||||||
|
<BR>spe³nia wszelkie wymogi. Sposób drugi prócz samych wad ma jedn±
|
||||||
|
acz ogromn± zaletê. Mianowicie klucz prywatny
|
||||||
|
<BR>klienta nigdy nie opuszcza jego komputera. Do wad mo¿na zaliczyæ
|
||||||
|
fakt ¿e has³o zabezpieczaj±ce klucz prywatny CA
|
||||||
|
<BR>znajduje siê na serwerze i to w dodatku w ¿aden sposób nie chronione.
|
||||||
|
Kolejn± wad± jest generowanie kompletnych
|
||||||
|
<BR>certyfikatów przez strone www, co mo¿e groziæ wykradzeniem klucza prywatnego.
|
||||||
|
Rozwi±zaniem mo¿e byæ sk³adowanie
|
||||||
|
<BR>requestów w bazie danych a nastpnie rêczna ich obróbka przez administratora.
|
||||||
|
Reasumuj±c, sposób drugi nale¿y
|
||||||
|
<BR>potraktowaæ jako demonstracje metody któr± mo¿na przeæwiczyæ przed
|
||||||
|
napisaniem porz±dnych skryptów.
|
||||||
|
<BR> <B><FONT SIZE=+1></FONT></B>
|
||||||
|
|
||||||
|
<P><B><FONT SIZE=+1>Tajemniczy prze³±cznik -v 3 w stunnelu</FONT></B>
|
||||||
|
|
||||||
|
<P>Stunnel posiada trzy tryby weryfikacji klienta.
|
||||||
|
<BR>Pierwszy opcja <B><FONT SIZE=+1>-v 1</FONT></B> oznacza ¿e nale¿y spróbowaæ
|
||||||
|
zweryfikowaæ osobê nawi±zuj±c± po³±czenie czyli uzyskaæ jej
|
||||||
|
<BR>ceryfikat. Je¶li operacja ta siê nie powiedzie, mimo wszystko dostêp
|
||||||
|
do serwera bêdzie zapewniony.
|
||||||
|
<BR>Prze³±cznik <B><FONT SIZE=+1>-v 2</FONT></B> nakazuje stunnelowi zweryfikowaæ
|
||||||
|
klienta. Je¶li u¿ytkownik nie posiada certyfikatu lub certyfikat
|
||||||
|
<BR>jest niewa¿ny, niew³a¶ciwy czy te¿ nie posiadamy certyfikatu CA którym
|
||||||
|
podpisany jest certyfikat klienta
|
||||||
|
<BR><FONT SIZE=-2>(straszny jest ten jêzyk polski)</FONT> nawi±zanie po³±czenia
|
||||||
|
z serwerem bêdzie niemo¿liwe. I wreszcie opcja <B><FONT SIZE=+1>-v 3</FONT></B>
|
||||||
|
nakazuj±ca
|
||||||
|
<BR>stunnelowi zweryfikowaæ klienta a tak¿e poszukaæ jego certyfikatu w
|
||||||
|
naszej lokalnej bazie.
|
||||||
|
<BR>Dzieki opcji -v 3 mo¿emy stworzyæ bardzo selektywny dostêp do us³ug
|
||||||
|
oferowanych przez serwer, unikaj±c generowania du¿ych ilo¶ci certyfikatów.
|
||||||
|
<FONT COLOR="#FF0000">Uwaga ogólna: do poprawnej weryfikacji klienta KONIECZNE
|
||||||
|
jest posiadanie certyfikatu CA którym podpisany jest sprawdzany certyfikat</FONT>.
|
||||||
|
Bez tego stunnel nie jest wstanie przeprowadziæ poprawnej autoryzacji klienta.
|
||||||
|
Próba taka koñczy siê b³êdami "<B>VERIFY ERROR: self signed certificate
|
||||||
|
for .....</B>" oraz "<B>SSL_accept: error:140890B1:SSL routines:</B> <B>SSL3_GET_CLIENT_CERTIFICATE:no
|
||||||
|
certificate returned</B>". A teraz przyk³ad praktyczny: chcemy aby do https
|
||||||
|
bêd±cym na <B>porcie 444</B> mia³y dostêp wszystkie osoby maj±ce certyfikaty
|
||||||
|
natomiast
|
||||||
|
<BR>do do https na <B>porcie 445</B> dostêp mia³ tylko Jan Kowalski. Pierwsz±
|
||||||
|
czynno¶ci± jak± nale¿y wykonaæ jest skopiowanie
|
||||||
|
<BR>certyfikatu CA do katalogu <B>/usr/local/ssl/certs</B> (default cert
|
||||||
|
area), nastêpnie w tym katalogu nale¿y utworzyæ
|
||||||
|
<BR>podkatalog o nazwie <B>mytrusted</B>, poczym skopiowaæ do niego
|
||||||
|
certyfikat klienta czyli jan.pem. <A HREF="#usuwanie"><B>Uwaga</B>: z pliku
|
||||||
|
jan.pem</A>
|
||||||
|
<BR><A HREF="#usuwanie"><B>MUSISZ</B> usun±æ klucz prywatny</A> !!! Czyli
|
||||||
|
to co siê znajduje miêdzy
|
||||||
|
|
||||||
|
<P>-----BEGIN RSA PRIVATE KEY-----
<BR>.......
<BR>-----END RSA PRIVATE KEY-----
<P>including the lines above. Next, in the directories <B>/usr/local/ssl/certs</B>
and <B>/usr/local/ssl/certs/mytrusted</B>
<BR>run the command
<BR><B>/usr/local/ssl/bin/c_rehash ./</B>
<BR>Now it is time to start stunnel:
<BR><B>stunnel -d 444 -r 80 -v 2</B>
<BR>and
<BR><B>stunnel -d 445 -r 80 -v 3</B>
<BR>With Netscape connect to https://localhost:444/ and, when asked for a
certificate, present the one belonging
<BR>to pigwa. Access to the server will be granted. Repeat this, presenting
Jan Kowalski's certificate
<BR>the second time. The connection will also succeed. In the case of
https://localhost:445/ access
<BR>to the server will be granted only after identifying yourself with Jan
Kowalski's certificate. After every change in
<BR>the /usr/local/ssl/certs/mytrusted directory you must run c_rehash ./
and restart stunnel.
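<P>The two cleanup steps described above (keeping only the certificate and key in httpds.pem, and producing a key-free jan.pem for mytrusted) as an added shell example; it is not part of the original document or of stunnel, and the file names and placeholder PEM contents are constructed.

```shell
#!/bin/sh
# Added example, not part of the original document: split the combined
# bundle that "cat newcert.pem newreq.pem > httpds.pem" produces into
#   - a server PEM holding only the CERTIFICATE and RSA PRIVATE KEY blocks
#     (the issuer/subject text lines and the leftover CERTIFICATE REQUEST
#     block are dropped), and
#   - a public-only copy for a trusted directory such as mytrusted, which
#     must never carry a private key.
# POSIX sh + awk + grep only; all file names below are assumptions.

# pem_extract TYPE FILE
# Print every "-----BEGIN TYPE-----" ... "-----END TYPE-----" block in FILE.
# Exact string comparison, so TYPE=CERTIFICATE does not also pick up
# "CERTIFICATE REQUEST" blocks.
pem_extract() {
    awk -v type="$1" '
        BEGIN { begin = "-----BEGIN " type "-----"; end = "-----END " type "-----" }
        $0 == begin { inblock = 1 }
        inblock     { print }
        $0 == end   { inblock = 0 }
    ' "$2"
}

# has_private_key FILE
# Exit status 0 if FILE carries any kind of private key block, 1 otherwise.
has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# split_bundle COMBINED SERVER_PEM TRUSTED_PEM
# Writes SERVER_PEM (cert + key, mode 600) and TRUSTED_PEM (cert only), and
# refuses to leave TRUSTED_PEM behind if a key somehow ended up in it.
split_bundle() {
    {
        pem_extract CERTIFICATE "$1"
        pem_extract "RSA PRIVATE KEY" "$1"
    } > "$2"
    chmod 600 "$2"
    pem_extract CERTIFICATE "$1" > "$3"
    if has_private_key "$3"; then
        echo "refusing: private key found in $3" >&2
        rm -f "$3"
        return 1
    fi
    return 0
}

# make_sample FILE
# Constructed stand-in for the bundle: placeholder lines instead of real key
# or certificate bytes, plus the text lines openssl prints around them.
make_sample() {
    cat > "$1" <<'EOF'
issuer :/C=PL/O=Example CA/CN=Example Root
subject:/C=PL/O=Example/CN=example.test
-----BEGIN CERTIFICATE-----
Q0VSVElGSUNBVEUgUExBQ0VIT0xERVIgKGNvbnN0cnVjdGVkKQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE REQUEST-----
UkVRVUVTVCBQTEFDRUhPTERFUiAoY29uc3RydWN0ZWQp
-----END CERTIFICATE REQUEST-----
-----BEGIN RSA PRIVATE KEY-----
UFJJVkFURSBLRVkgUExBQ0VIT0xERVIgKGNvbnN0cnVjdGVkKQ==
-----END RSA PRIVATE KEY-----
EOF
}

# Demo: build both files in a scratch directory and report what is in them.
demo() {
    work=$(mktemp -d)
    make_sample "$work/httpds.pem"
    split_bundle "$work/httpds.pem" "$work/server.pem" "$work/jan.pem" || return 1
    echo "server.pem PEM blocks: $(grep -c -- '-----BEGIN' "$work/server.pem")"
    echo "jan.pem PEM blocks:    $(grep -c -- '-----BEGIN' "$work/jan.pem")"
    rm -rf "$work"
}

demo
```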
<BR>
</BODY>
</HTML>
930
doc/stunnel.8
Normal file
@ -0,0 +1,930 @@
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\" ========================================================================
.\"
.IX Title "STUNNEL 8"
.TH STUNNEL 8 "2012.01.14" "4.53" "stunnel"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
stunnel \- universal SSL tunnel
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.IP "\fBUnix:\fR" 4
.IX Item "Unix:"
\&\fBstunnel\fR [<filename>] | \-fd n | \-help | \-version | \-sockets
.IP "\fB\s-1WIN32:\s0\fR" 4
.IX Item "WIN32:"
\&\fBstunnel\fR [ [\-install | \-uninstall | \-start | \-stop] | \-exit]
[\-quiet] [<filename>] ] | \-help | \-version | \-sockets
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBstunnel\fR program is designed to work as an \fI\s-1SSL\s0\fR encryption wrapper
between remote clients and local (\fIinetd\fR\-startable) or remote
servers. The concept is that having non-SSL aware daemons running on
your system you can easily set them up to communicate with clients over
secure \s-1SSL\s0 channels.
.PP
\&\fBstunnel\fR can be used to add \s-1SSL\s0 functionality to commonly used \fIInetd\fR
daemons like \s-1POP\-2\s0, \s-1POP\-3\s0, and \s-1IMAP\s0 servers, to standalone daemons like
\&\s-1NNTP\s0, \s-1SMTP\s0 and \s-1HTTP\s0, and in tunneling \s-1PPP\s0 over network sockets without
changes to the source code.
.PP
This product includes cryptographic software written by
Eric Young (eay@cryptsoft.com)
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "<\fBfilename\fR>" 4
.IX Item "<filename>"
Use specified configuration file
.IP "\fB\-fd n\fR (Unix only)" 4
.IX Item "-fd n (Unix only)"
Read the config file from specified file descriptor
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print \fBstunnel\fR help menu
.IP "\fB\-version\fR" 4
.IX Item "-version"
Print \fBstunnel\fR version and compile time defaults
.IP "\fB\-sockets\fR" 4
.IX Item "-sockets"
Print default socket options
.IP "\fB\-install\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-install (NT/2000/XP only)"
Install \s-1NT\s0 Service
.IP "\fB\-uninstall\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-uninstall (NT/2000/XP only)"
Uninstall \s-1NT\s0 Service
.IP "\fB\-start\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-start (NT/2000/XP only)"
Start \s-1NT\s0 Service
.IP "\fB\-stop\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-stop (NT/2000/XP only)"
Stop \s-1NT\s0 Service
.IP "\fB\-exit\fR (Win32 only)" 4
.IX Item "-exit (Win32 only)"
Exit an already started stunnel
.IP "\fB\-quiet\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-quiet (NT/2000/XP only)"
Don't display any message boxes
.SH "CONFIGURATION FILE"
.IX Header "CONFIGURATION FILE"
Each line of the configuration file can be either:
.IP "\(bu" 4
an empty line (ignored)
.IP "\(bu" 4
a comment starting with ';' (ignored)
.IP "\(bu" 4
an 'option_name = option_value' pair
.IP "\(bu" 4
\&'[service_name]' indicating a start of a service definition
.PP
An address parameter of an option may be either:
.IP "\(bu" 4
a port number
.IP "\(bu" 4
a colon-separated pair of \s-1IP\s0 address (either IPv4, IPv6, or domain name) and port number
.IP "\(bu" 4
a Unix socket path (Unix only)
.SS "\s-1GLOBAL\s0 \s-1OPTIONS\s0"
.IX Subsection "GLOBAL OPTIONS"
.IP "\fBchroot\fR = directory (Unix only)" 4
.IX Item "chroot = directory (Unix only)"
directory to chroot \fBstunnel\fR process
.Sp
\&\fBchroot\fR keeps \fBstunnel\fR in chrooted jail. \fICApath\fR, \fICRLpath\fR, \fIpid\fR
and \fIexec\fR are located inside the jail and the paths have to be relative
to the directory specified with \fBchroot\fR.
.IP "\fBcompression\fR = deflate | zlib | rle" 4
.IX Item "compression = deflate | zlib | rle"
select data compression algorithm
.Sp
default: no compression
.Sp
deflate is the standard compression method as described in \s-1RFC\s0 1951.
.Sp
zlib compression of OpenSSL 0.9.8 or above is not backward compatible with
OpenSSL 0.9.7.
.Sp
rle compression is currently not implemented by the OpenSSL library.
.IP "\fBdebug\fR = [facility.]level" 4
.IX Item "debug = [facility.]level"
debugging level
.Sp
Level is one of the syslog level names or numbers
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6), or debug (7). All logs for the specified level and
all levels numerically less than it will be shown. Use \fIdebug = debug\fR or
\&\fIdebug = 7\fR for greatest debugging output. The default is notice (5).
.Sp
The syslog facility 'daemon' will be used unless a facility name is supplied.
(Facilities are not supported on Win32.)
.Sp
Case is ignored for both facilities and levels.
.IP "\fB\s-1EGD\s0\fR = egd path (Unix only)" 4
.IX Item "EGD = egd path (Unix only)"
path to Entropy Gathering Daemon socket
.Sp
Entropy Gathering Daemon socket to use to feed OpenSSL random number
generator. (Available only if compiled with OpenSSL 0.9.5a or higher)
.IP "\fBengine\fR = auto | <engine id>" 4
.IX Item "engine = auto | <engine id>"
select hardware engine
.Sp
default: software-only cryptography
.Sp
Here is an example of advanced engine configuration to read private key from an
OpenSC engine
.Sp
.Vb 7
\& engine=dynamic
\& engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so
\& engineCtrl=ID:pkcs11
\& engineCtrl=LIST_ADD:1
\& engineCtrl=LOAD
\& engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc\-pkcs11.so
\& engineCtrl=INIT
\&
\& [service]
\& engineNum=1
\& key=id_45
.Ve
.IP "\fBengineCtrl\fR = command[:parameter]" 4
.IX Item "engineCtrl = command[:parameter]"
control hardware engine
.Sp
Special commands \*(L"\s-1LOAD\s0\*(R" and \*(L"\s-1INIT\s0\*(R" can be used to load and initialize the
engine cryptographic module.
.IP "\fBfips\fR = yes | no" 4
.IX Item "fips = yes | no"
Enable or disable \s-1FIPS\s0 140\-2 mode.
.Sp
This option allows disabling entry into \s-1FIPS\s0 mode if stunnel was compiled with
\&\s-1FIPS\s0 140\-2 support.
.Sp
default: yes
.IP "\fBforeground\fR = yes | no (Unix only)" 4
.IX Item "foreground = yes | no (Unix only)"
foreground mode
.Sp
Stay in foreground (don't fork) and log to stderr
instead of via syslog (unless \fIoutput\fR is specified).
.Sp
default: background in daemon mode
.IP "\fBoutput\fR = file" 4
.IX Item "output = file"
append log messages to a file
.Sp
/dev/stdout device can be used to send log messages to the standard
output (for example to log them with daemontools splogger).
.IP "\fBpid\fR = file (Unix only)" 4
.IX Item "pid = file (Unix only)"
pid file location
.Sp
If the argument is empty, then no pid file will be created.
.Sp
\&\fIpid\fR path is relative to \fIchroot\fR directory if specified.
.IP "\fBRNDbytes\fR = bytes" 4
.IX Item "RNDbytes = bytes"
bytes to read from random seed files
.Sp
Number of bytes of data read from random seed files. With \s-1SSL\s0 versions
less than 0.9.5a, also determines how many bytes of data are considered
sufficient to seed the \s-1PRNG\s0. More recent OpenSSL versions have a builtin
function to determine when sufficient randomness is available.
.IP "\fBRNDfile\fR = file" 4
.IX Item "RNDfile = file"
path to file with random seed data
.Sp
The \s-1SSL\s0 library will use data from this file first to seed the random
number generator.
.IP "\fBRNDoverwrite\fR = yes | no" 4
.IX Item "RNDoverwrite = yes | no"
overwrite the random seed files with new random data
.Sp
default: yes
.IP "\fBservice\fR = servicename (Unix only)" 4
.IX Item "service = servicename (Unix only)"
use specified string as \fIinetd\fR mode service name for \s-1TCP\s0 Wrapper library
.Sp
default: stunnel
.IP "\fBsetgid\fR = groupname (Unix only)" 4
.IX Item "setgid = groupname (Unix only)"
\&\fIsetgid()\fR to groupname in daemon mode and clears all other groups
.IP "\fBsetuid\fR = username (Unix only)" 4
.IX Item "setuid = username (Unix only)"
\&\fIsetuid()\fR to username in daemon mode
.IP "\fBsocket\fR = a|l|r:option=value[:value]" 4
.IX Item "socket = a|l|r:option=value[:value]"
Set an option on accept/local/remote socket
.Sp
The values for linger option are l_onoff:l_linger.
The values for time are tv_sec:tv_usec.
.Sp
Examples:
.Sp
.Vb 9
\& socket = l:SO_LINGER=1:60
\& set one minute timeout for closing local socket
\& socket = r:SO_OOBINLINE=yes
\& place out\-of\-band data directly into the
\& receive data stream for remote sockets
\& socket = a:SO_REUSEADDR=no
\& disable address reuse (enabled by default)
\& socket = a:SO_BINDTODEVICE=lo
\& only accept connections on loopback interface
.Ve
.IP "\fBsyslog\fR = yes | no (Unix only)" 4
.IX Item "syslog = yes | no (Unix only)"
enable logging via syslog
.Sp
default: yes
.IP "\fBtaskbar\fR = yes | no (\s-1WIN32\s0 only)" 4
.IX Item "taskbar = yes | no (WIN32 only)"
enable the taskbar icon
.Sp
default: yes
.SS "SERVICE-LEVEL \s-1OPTIONS\s0"
.IX Subsection "SERVICE-LEVEL OPTIONS"
Each configuration section begins with service name in square brackets.
The service name is used for libwrap (\s-1TCP\s0 Wrappers) access control and lets
you distinguish \fBstunnel\fR services in your log files.
.PP
Note that if you wish to run \fBstunnel\fR in \fIinetd\fR mode (where it
is provided a network socket by a server such as \fIinetd\fR, \fIxinetd\fR,
or \fItcpserver\fR) then you should read the section entitled \fI\s-1INETD\s0 \s-1MODE\s0\fR
below.
.IP "\fBaccept\fR = address" 4
.IX Item "accept = address"
accept connections on specified address
.Sp
If no host specified, defaults to all IPv4 addresses for the local host.
.Sp
To listen on all IPv6 addresses use:
.Sp
.Vb 1
\& accept = :::port
.Ve
.IP "\fBCApath\fR = directory" 4
.IX Item "CApath = directory"
Certificate Authority directory
.Sp
This is the directory in which \fBstunnel\fR will look for certificates when using
the \fIverify\fR option. Note that the certificates in this directory should be named
\&\s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1DER\s0 encoded subject of the
cert.
.Sp
The hash algorithm has been changed in OpenSSL 1.0.0. It is required to
c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x.
.Sp
\&\fICApath\fR path is relative to \fIchroot\fR directory if specified.
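An added check for a CApath directory, written for this page and not part of the stunnel manual or its code: it verifies the XXXXXXXX.N (and XXXXXXXX.rN for CRLs) naming the text requires and flags entries that still carry a private key; it cannot recompute the subject hash without openssl, and the sample directory it builds is constructed.

```shell
#!/bin/sh
# Added example, not part of the stunnel manual: audit a CApath (or a shared
# CApath/CRLpath) directory before pointing stunnel at it.  It catches what
# the text warns about: entries not named XXXXXXXX.N / XXXXXXXX.rN (the SSL
# library never finds them; run c_rehash), entries without the expected PEM
# block, and certificate files that still carry a private key.
# POSIX sh + grep only; the sample directory is constructed, not real CA data.

hex8='[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]'

# audit_capath DIR
# Prints one line per problem found; exit status 0 only when DIR is clean.
audit_capath() {
    dir=$1
    problems=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue           # empty directory: glob unexpanded
        name=${entry##*/}
        expect='-----BEGIN CERTIFICATE-----'
        case $name in
            $hex8.[0-9]*)  ;;                 # hashed certificate: XXXXXXXX.N
            $hex8.r[0-9]*) expect='-----BEGIN X509 CRL-----' ;;   # hashed CRL
            *) echo "$name: not a hashed name (expected XXXXXXXX.N or XXXXXXXX.rN; run c_rehash)"
               problems=$((problems + 1)) ;;
        esac
        if ! grep -q -- "$expect" "$entry" 2>/dev/null; then
            echo "$name: no $expect block found"
            problems=$((problems + 1))
        fi
        if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$entry" 2>/dev/null; then
            echo "$name: contains a private key; a trusted directory must hold public certificates only"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# make_sample_capath DIR
# Constructed directory with one good entry and two broken ones:
#   3a1b2c3d.0  certificate only, hashed name          -> clean
#   jan.pem     certificate, but not a hashed name     -> 1 problem
#   4e5f6a7b.0  certificate plus its private key       -> 1 problem
# The base64 lines are placeholders, not real certificate or key material.
make_sample_capath() {
    mkdir -p "$1"
    cert='-----BEGIN CERTIFICATE-----
Q0VSVCBQTEFDRUhPTERFUiAoY29uc3RydWN0ZWQp
-----END CERTIFICATE-----'
    key='-----BEGIN RSA PRIVATE KEY-----
S0VZIFBMQUNFSE9MREVSIChjb25zdHJ1Y3RlZCk=
-----END RSA PRIVATE KEY-----'
    printf '%s\n' "$cert" > "$1/3a1b2c3d.0"
    printf '%s\n' "$cert" > "$1/jan.pem"
    printf '%s\n%s\n' "$cert" "$key" > "$1/4e5f6a7b.0"
}

# Demo: audit the constructed directory and report the verdict.
demo() {
    work=$(mktemp -d)
    make_sample_capath "$work"
    if audit_capath "$work"; then echo "CApath clean"; else echo "CApath has problems"; fi
    rm -rf "$work"
}

demo
```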
.IP "\fBCAfile\fR = certfile" 4
.IX Item "CAfile = certfile"
Certificate Authority file
.Sp
This file contains multiple \s-1CA\s0 certificates, used with the \fIverify\fR option.
.IP "\fBcert\fR = pemfile" 4
.IX Item "cert = pemfile"
certificate chain \s-1PEM\s0 file name
.Sp
A \s-1PEM\s0 is always needed in server mode.
Specifying this flag in client mode will use this certificate chain
as a client side certificate chain. Using client side certs is optional.
The certificates must be in \s-1PEM\s0 format and must be sorted starting with the
certificate to the highest level (root \s-1CA\s0).
.IP "\fBciphers\fR = cipherlist" 4
.IX Item "ciphers = cipherlist"
Select permitted \s-1SSL\s0 ciphers
.Sp
A colon delimited list of the ciphers to allow in the \s-1SSL\s0 connection.
For example \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
.IP "\fBclient\fR = yes | no" 4
.IX Item "client = yes | no"
client mode (remote service uses \s-1SSL\s0)
.Sp
default: no (server mode)
.IP "\fBconnect\fR = address" 4
.IX Item "connect = address"
connect to a remote address
.Sp
If no host is specified, the host defaults to localhost.
.Sp
Multiple \fBconnect\fR options are allowed in a single service section.
.Sp
If host resolves to multiple addresses and/or if multiple \fIconnect\fR
options are specified, then the remote address is chosen using a
round-robin algorithm.
.IP "\fBCRLpath\fR = directory" 4
.IX Item "CRLpath = directory"
Certificate Revocation Lists directory
.Sp
This is the directory in which \fBstunnel\fR will look for CRLs when
using the \fIverify\fR option. Note that the CRLs in this directory should
be named \s-1XXXXXXXX\s0.r0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1CRL\s0.
.Sp
The hash algorithm has been changed in OpenSSL 1.0.0. It is required to
c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x.
.Sp
\&\fICRLpath\fR path is relative to \fIchroot\fR directory if specified.
.IP "\fBCRLfile\fR = certfile" 4
.IX Item "CRLfile = certfile"
Certificate Revocation Lists file
.Sp
This file contains multiple CRLs, used with the \fIverify\fR option.
.IP "\fBcurve\fR = nid" 4
.IX Item "curve = nid"
specify \s-1ECDH\s0 curve name
.Sp
To get a list of supported curves use:
.Sp
.Vb 1
\& openssl ecparam \-list_curves
.Ve
.Sp
default: prime256v1
.IP "\fBdelay\fR = yes | no" 4
.IX Item "delay = yes | no"
delay \s-1DNS\s0 lookup for 'connect' option
.Sp
This option is useful for dynamic \s-1DNS\s0, or when \s-1DNS\s0 is not available during
stunnel startup (road warrior \s-1VPN\s0, dial-up configurations).
.IP "\fBengineNum\fR = engine number" 4
.IX Item "engineNum = engine number"
select engine number to read private key
.Sp
The engines are numbered starting from 1.
.IP "\fBexec\fR = executable_path" 4
.IX Item "exec = executable_path"
execute local inetd-type program
.Sp
\&\fIexec\fR path is relative to \fIchroot\fR directory if specified.
.ie n .IP "\fBexecargs\fR = $0 $1 $2 ..." 4
.el .IP "\fBexecargs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ..." 4
.IX Item "execargs = $0 $1 $2 ..."
arguments for \fIexec\fR including program name ($0)
.Sp
Quoting is currently not supported.
Arguments are separated with arbitrary number of whitespaces.
.IP "\fBfailover\fR = rr | prio" 4
.IX Item "failover = rr | prio"
Failover strategy for multiple \*(L"connect\*(R" targets.
.Sp
.Vb 2
\& rr (round robin) \- fair load distribution
\& prio (priority) \- use the order specified in config file
.Ve
.Sp
default: rr
.IP "\fBident\fR = username" 4
.IX Item "ident = username"
|
||||||
|
use \s-1IDENT\s0 (\s-1RFC\s0 1413) username checking
|
||||||
|
.IP "\fBkey\fR = keyfile" 4
|
||||||
|
.IX Item "key = keyfile"
|
||||||
|
private key for certificate specified with \fIcert\fR option
|
||||||
|
.Sp
|
||||||
|
Private key is needed to authenticate certificate owner.
|
||||||
|
Since this file should be kept secret it should only be readable
|
||||||
|
to its owner. On Unix systems you can use the following command:
|
||||||
|
.Sp
|
||||||
|
.Vb 1
|
||||||
|
\& chmod 600 keyfile
|
||||||
|
.Ve
|
||||||
|
.Sp
|
||||||
|
default: value of \fIcert\fR option
|
||||||
|
.IP "\fBlibwrap\fR = yes | no" 4
|
||||||
|
.IX Item "libwrap = yes | no"
|
||||||
|
Enable or disable the use of /etc/hosts.allow and /etc/hosts.deny.
|
||||||
|
.Sp
|
||||||
|
default: yes
|
||||||
|
.IP "\fBlocal\fR = host" 4
|
||||||
|
.IX Item "local = host"
|
||||||
|
\&\s-1IP\s0 of the outgoing interface is used as source for remote connections.
|
||||||
|
Use this option to bind a static local \s-1IP\s0 address, instead.
|
||||||
|
.IP "\fBsni\fR = service_name:server_name (server mode)" 4
.IX Item "sni = service_name:server_name (server mode)"
Use the service as a slave service (a name-based virtual server) for Server
Name Indication \s-1TLS\s0 extension (\s-1RFC\s0 3546).
.Sp
\&\fIservice_name\fR specifies the master service that accepts client connections
with \fIaccept\fR option. \fIserver_name\fR specifies the host name to be redirected.
Multiple slave services are normally specified for a single master service.
\&\fIsni\fR option can also be specified more than once within a single slave service.
.Sp
This service, as well as the master service, may not be configured in client mode.
\&\fIconnect\fR option of the slave service is ignored when \fIprotocol\fR option is
specified, as \fIprotocol\fR connects remote host before \s-1TLS\s0 handshake.
Libwrap checks (Unix only) are performed twice: with master service name after
\&\s-1TCP\s0 connection is accepted, and with slave service name during \s-1TLS\s0 handshake.
.Sp
Option \fIsni\fR is only available when compiled with OpenSSL 1.0.0 and later.
.IP "\fBsni\fR = server_name (client mode)" 4
.IX Item "sni = server_name (client mode)"
Use the parameter as the value of \s-1TLS\s0 Server Name Indication (\s-1RFC\s0 3546)
extension.
.Sp
Option \fIsni\fR is only available when compiled with OpenSSL 1.0.0 and later.
.IP "\fB\s-1OCSP\s0\fR = url" 4
.IX Item "OCSP = url"
select \s-1OCSP\s0 server for certificate verification
.IP "\fBOCSPflag\fR = flag" 4
.IX Item "OCSPflag = flag"
specify \s-1OCSP\s0 server flag
.Sp
Several \fIOCSPflag\fR can be used to specify multiple flags.
.Sp
currently supported flags: \s-1NOCERTS\s0, \s-1NOINTERN\s0 \s-1NOSIGS\s0, \s-1NOCHAIN\s0, \s-1NOVERIFY\s0,
\&\s-1NOEXPLICIT\s0, \s-1NOCASIGN\s0, \s-1NODELEGATED\s0, \s-1NOCHECKS\s0, \s-1TRUSTOTHER\s0, \s-1RESPID_KEY\s0, \s-1NOTIME\s0
.IP "\fBoptions\fR = SSL_options" 4
.IX Item "options = SSL_options"
OpenSSL library options
.Sp
The parameter is the OpenSSL option name as described in the
\&\fI\fISSL_CTX_set_options\fI\|(3ssl)\fR manual, but without \fI\s-1SSL_OP_\s0\fR prefix.
Several \fIoptions\fR can be used to specify multiple options.
.Sp
For example for compatibility with erroneous Eudora \s-1SSL\s0 implementation
the following option can be used:
.Sp
.Vb 1
\& options = DONT_INSERT_EMPTY_FRAGMENTS
.Ve
.IP "\fBprotocol\fR = proto" 4
.IX Item "protocol = proto"
application protocol to negotiate \s-1SSL\s0 (e.g. \fIstarttls\fR or \fIstls\fR)
.Sp
\&\fIprotocol\fR option should not be used with \s-1SSL\s0 encryption on a separate port.
.Sp
Currently supported protocols:
.RS 4
.IP "\fIcifs\fR" 4
.IX Item "cifs"
Proprietary (undocummented) extension of \s-1CIFS\s0 protocol implemented in Samba.
Support for this extension was dropped in Samba 3.0.0.
.IP "\fIconnect\fR" 4
.IX Item "connect"
Based on \s-1RFC\s0 2817 \- \fIUpgrading to \s-1TLS\s0 Within \s-1HTTP/1\s0.1\fR, section 5.2 \- \fIRequesting a Tunnel with \s-1CONNECT\s0\fR
.Sp
This protocol is only supported in client mode.
.IP "\fIimap\fR" 4
.IX Item "imap"
Based on \s-1RFC\s0 2595 \- \fIUsing \s-1TLS\s0 with \s-1IMAP\s0, \s-1POP3\s0 and \s-1ACAP\s0\fR
.IP "\fInntp\fR" 4
.IX Item "nntp"
Based on \s-1RFC\s0 4642 \- \fIUsing Transport Layer Security (\s-1TLS\s0) with Network News Transfer Protocol (\s-1NNTP\s0)\fR
.Sp
This protocol is only supported in client mode.
.IP "\fIpgsql\fR" 4
.IX Item "pgsql"
Based on http://www.postgresql.org/docs/8.3/static/protocol\-flow.html#AEN73982
.IP "\fIpop3\fR" 4
.IX Item "pop3"
Based on \s-1RFC\s0 2449 \- \fI\s-1POP3\s0 Extension Mechanism\fR
.IP "\fIproxy\fR" 4
.IX Item "proxy"
Haproxy client \s-1IP\s0 address http://haproxy.1wt.eu/download/1.5/doc/proxy\-protocol.txt
.IP "\fIsmtp\fR" 4
.IX Item "smtp"
Based on \s-1RFC\s0 2487 \- \fI\s-1SMTP\s0 Service Extension for Secure \s-1SMTP\s0 over \s-1TLS\s0\fR
.RE
.RS 4
.RE
.IP "\fBprotocolAuthentication\fR = auth_type" 4
.IX Item "protocolAuthentication = auth_type"
authentication type for protocol negotiations
.Sp
currently supported: basic, \s-1NTLM\s0
.Sp
Currently authentication type only applies to 'connect' protocol.
.Sp
default: basic
.IP "\fBprotocolHost\fR = host:port" 4
.IX Item "protocolHost = host:port"
destination address for protocol negotiations
.IP "\fBprotocolPassword\fR = password" 4
.IX Item "protocolPassword = password"
password for protocol negotiations
.IP "\fBprotocolUsername\fR = username" 4
.IX Item "protocolUsername = username"
username for protocol negotiations
.IP "\fBpty\fR = yes | no (Unix only)" 4
.IX Item "pty = yes | no (Unix only)"
allocate pseudo terminal for 'exec' option
.IP "\fBretry\fR = yes | no (Unix only)" 4
.IX Item "retry = yes | no (Unix only)"
reconnect a connect+exec section after it's disconnected
.Sp
default: no
.IP "\fBsession\fR = timeout" 4
.IX Item "session = timeout"
session cache timeout
.IP "\fBsessiond\fR = host:port" 4
.IX Item "sessiond = host:port"
address of sessiond \s-1SSL\s0 cache server
.IP "\fBsslVersion\fR = version" 4
.IX Item "sslVersion = version"
select version of \s-1SSL\s0 protocol
.Sp
Allowed options: all, SSLv2, SSLv3, TLSv1
.IP "\fBstack\fR = bytes (except for \s-1FORK\s0 model)" 4
.IX Item "stack = bytes (except for FORK model)"
thread stack size
.IP "\fBTIMEOUTbusy\fR = seconds" 4
.IX Item "TIMEOUTbusy = seconds"
time to wait for expected data
.IP "\fBTIMEOUTclose\fR = seconds" 4
.IX Item "TIMEOUTclose = seconds"
time to wait for close_notify (set to 0 for buggy \s-1MSIE\s0)
.IP "\fBTIMEOUTconnect\fR = seconds" 4
.IX Item "TIMEOUTconnect = seconds"
time to wait to connect a remote host
.IP "\fBTIMEOUTidle\fR = seconds" 4
.IX Item "TIMEOUTidle = seconds"
time to keep an idle connection
.IP "\fBtransparent\fR = none | source | destination | both (Unix only)" 4
.IX Item "transparent = none | source | destination | both (Unix only)"
enable transparent proxy support on selected platforms
.Sp
Supported values:
.RS 4
.IP "\fInone\fR" 4
.IX Item "none"
Disable transparent proxy support. This is the default.
.IP "\fIsource\fR" 4
.IX Item "source"
Re-write address to appear as if wrapped daemon is connecting
from the \s-1SSL\s0 client machine instead of the machine running \fBstunnel\fR.
.Sp
This option is currently available in:
.RS 4
.IP "Remote mode (\fIconnect\fR option) on \fILinux >=2.6.28\fR" 4
.IX Item "Remote mode (connect option) on Linux >=2.6.28"
This configuration requires stunnel to be executed as root and without
\&\fIsetuid\fR option.
.Sp
This configuration requires the following setup for iptables and routing
(possibly in /etc/rc.local or equivalent file):
.Sp
.Vb 7
\& iptables \-t mangle \-N DIVERT
\& iptables \-t mangle \-A PREROUTING \-p tcp \-m socket \-j DIVERT
\& iptables \-t mangle \-A DIVERT \-j MARK \-\-set\-mark 1
\& iptables \-t mangle \-A DIVERT \-j ACCEPT
\& ip rule add fwmark 1 lookup 100
\& ip route add local 0.0.0.0/0 dev lo table 100
\& echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
.Ve
.Sp
\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option.
.IP "Remote mode (\fIconnect\fR option) on \fILinux 2.2.x\fR" 4
.IX Item "Remote mode (connect option) on Linux 2.2.x"
This configuration requires kernel to be compiled with \fItransparent proxy\fR option.
Connected service must be installed on a separate host.
Routing towards the clients has to go through the stunnel box.
.Sp
\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option.
.IP "Remote mode (\fIconnect\fR option) on \fIFreeBSD >=8.0\fR" 4
.IX Item "Remote mode (connect option) on FreeBSD >=8.0"
This configuration requires additional firewall and routing setup.
\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option.
.IP "Local mode (\fIexec\fR option)" 4
.IX Item "Local mode (exec option)"
This configuration works by pre-loading \fIlibstunnel.so\fR shared library.
_RLD_LIST environment variable is used on Tru64, and \s-1LD_PRELOAD\s0 variable on
other platforms.
.RE
.RS 4
.RE
.IP "\fIdestination\fR" 4
.IX Item "destination"
Original destination is used instead of \fIconnect\fR option.
.Sp
A service section for transparent destination may look like this:
.Sp
.Vb 4
\& [transparent]
\& client=yes
\& accept=<stunnel_port>
\& transparent=destination
.Ve
.Sp
This configuration requires the following setup for iptables
(possibly in /etc/rc.local or equivalent file):
.Sp
.Vb 2
\& /sbin/iptables \-I INPUT \-i eth0 \-p tcp \-\-dport <stunnel_port> \-j ACCEPT
\& /sbin/iptables \-t nat \-I PREROUTING \-i eth0 \-p tcp \-\-dport <redirected_port> \-j DNAT \-\-to\-destination <local_ip>:<stunnel_port>
.Ve
.Sp
Transparent destination option is currently only supported on Linux.
.IP "\fIboth\fR" 4
.IX Item "both"
Use both \fIsource\fR and \fIdestination\fR transparent proxy.
.RE
.RS 4
.Sp
Two legacy options are also supported for backward compatibility:
.IP "\fIyes\fR" 4
.IX Item "yes"
This options has been renamed to \fIsource\fR.
.IP "\fIno\fR" 4
.IX Item "no"
This options has been renamed to \fInone\fR.
.RE
.RS 4
.RE
.IP "\fBverify\fR = level" 4
.IX Item "verify = level"
verify peer certificate
.RS 4
.IP "\fIlevel 0\fR \- request and ignore peer certificate" 4
.IX Item "level 0 - request and ignore peer certificate"
.PD 0
.IP "\fIlevel 1\fR \- verify peer certificate if present" 4
.IX Item "level 1 - verify peer certificate if present"
.IP "\fIlevel 2\fR \- verify peer certificate" 4
.IX Item "level 2 - verify peer certificate"
.IP "\fIlevel 3\fR \- verify peer with locally installed certificate" 4
.IX Item "level 3 - verify peer with locally installed certificate"
.IP "\fIlevel 4\fR \- ignore \s-1CA\s0 chain and only verify peer certificate" 4
.IX Item "level 4 - ignore CA chain and only verify peer certificate"
.IP "\fIdefault\fR \- no verify" 4
.IX Item "default - no verify"
.RE
.RS 4
.PD
.Sp
It is important to understand, that this option was solely designed for access
control and not for authorization. Specifically for level 2 every non-revoked
certificate is accepted regardless of its Common Name. For this reason a
dedicated \s-1CA\s0 should be used with level 2, and not a generic \s-1CA\s0 commonly used
for webservers. Level 3 is preferred for point-to-point connections.
.RE
.SH "RETURN VALUE"
.IX Header "RETURN VALUE"
\&\fBstunnel\fR returns zero on success, non-zero on error.
.SH "SIGNALS"
.IX Header "SIGNALS"
The following signals can be used to control stunnel in Unix environment:
.IP "\s-1SIGHUP\s0" 4
.IX Item "SIGHUP"
Force a reload of the configuration file.
.Sp
Some global options will not be reloaded:
.RS 4
.IP "\(bu" 4
chroot
.IP "\(bu" 4
foreground
.IP "\(bu" 4
pid
.IP "\(bu" 4
setgid
.IP "\(bu" 4
setuid
.RE
.RS 4
.Sp
The use of 'setuid' option will also prevent stunnel from binding privileged
(<1024) ports during configuration reloading.
.Sp
When 'chroot' option is used, stunnel will look for all its files (including
configuration file, certificates, log file and pid file) within the chroot
jail.
.RE
.IP "\s-1SIGUSR1\s0" 4
.IX Item "SIGUSR1"
Close and reopen stunnel log file.
This function can be used for log rotation.
.IP "\s-1SIGTERM\s0, \s-1SIGQUIT\s0, \s-1SIGINT\s0" 4
.IX Item "SIGTERM, SIGQUIT, SIGINT"
Shut stunnel down.
.PP
The result of sending any other signals to the server is undefined.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
In order to provide \s-1SSL\s0 encapsulation to your local \fIimapd\fR service, use
.PP
.Vb 4
\& [imapd]
\& accept = 993
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.PP
If you want to provide tunneling to your \fIpppd\fR daemon on port 2020,
use something like
.PP
.Vb 5
\& [vpn]
\& accept = 2020
\& exec = /usr/sbin/pppd
\& execargs = pppd local
\& pty = yes
.Ve
.PP
If you want to use \fBstunnel\fR in \fIinetd\fR mode to launch your imapd
process, you'd use this \fIstunnel.conf\fR.
Note there must be no \fI[service_name]\fR section.
.PP
.Vb 2
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.SH "NOTES"
.IX Header "NOTES"
.SS "\s-1RESTRICTIONS\s0"
.IX Subsection "RESTRICTIONS"
\&\fBstunnel\fR cannot be used for the \s-1FTP\s0 daemon because of the nature
of the \s-1FTP\s0 protocol which utilizes multiple ports for data transfers.
There are available \s-1SSL\s0 enabled versions of \s-1FTP\s0 and telnet daemons, however.
.SS "\s-1INETD\s0 \s-1MODE\s0"
.IX Subsection "INETD MODE"
The most common use of \fBstunnel\fR is to listen on a network
port and establish communication with either a new port
via the connect option, or a new program via the \fIexec\fR option.
However there is a special case when you wish to have
some other program accept incoming connections and
launch \fBstunnel\fR, for example with \fIinetd\fR, \fIxinetd\fR,
or \fItcpserver\fR.
.PP
For example, if you have the following line in \fIinetd.conf\fR:
.PP
.Vb 1
\& imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
.Ve
.PP
In these cases, the \fIinetd\fR\-style program is responsible
for binding a network socket (\fIimaps\fR above) and handing
it to \fBstunnel\fR when a connection is received.
Thus you do not want \fBstunnel\fR to have any \fIaccept\fR option.
All the \fIService Level Options\fR should be placed in the
global options section, and no \fI[service_name]\fR section
will be present. See the \fI\s-1EXAMPLES\s0\fR section for example
configurations.
.SS "\s-1CERTIFICATES\s0"
.IX Subsection "CERTIFICATES"
Each \s-1SSL\s0 enabled daemon needs to present a valid X.509 certificate
to the peer. It also needs a private key to decrypt the incoming
data. The easiest way to obtain a certificate and a key is to
generate them with the free \fIOpenSSL\fR package. You can find more
information on certificates generation on pages listed below.
.PP
The order of contents of the \fI.pem\fR file is important. It should contain the
unencrypted private key first, then a signed certificate (not certificate
request). There should be also empty lines after certificate and private key.
Plaintext certificate information appended on the top of generated certificate
should be discarded. So the file should look like this:
.PP
.Vb 8
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
\& [encoded key]
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
\& [empty line]
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
\& [encoded certificate]
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
\& [empty line]
.Ve
.SS "\s-1RANDOMNESS\s0"
.IX Subsection "RANDOMNESS"
\&\fBstunnel\fR needs to seed the \s-1PRNG\s0 (pseudo random number generator) in
order for \s-1SSL\s0 to use good randomness. The following sources are loaded
in order until sufficient random data has been gathered:
.IP "\(bu" 4
The file specified with the \fIRNDfile\fR flag.
.IP "\(bu" 4
The file specified by the \s-1RANDFILE\s0 environment variable, if set.
.IP "\(bu" 4
The file .rnd in your home directory, if \s-1RANDFILE\s0 not set.
.IP "\(bu" 4
The file specified with '\-\-with\-random' at compile time.
.IP "\(bu" 4
The contents of the screen if running on Windows.
.IP "\(bu" 4
The egd socket specified with the \fI\s-1EGD\s0\fR flag.
.IP "\(bu" 4
The egd socket specified with '\-\-with\-egd\-sock' at compile time.
.IP "\(bu" 4
The /dev/urandom device.
.PP
With recent (>=OpenSSL 0.9.5a) version of \s-1SSL\s0 it will stop loading
random data automatically when sufficient entropy has been gathered.
With previous versions it will continue to gather from all the above
sources since no \s-1SSL\s0 function exists to tell when enough data is available.
.PP
Note that on Windows machines that do not have console user interaction
(mouse movements, creating windows, etc.) the screen contents are not
variable enough to be sufficient, and you should provide a random file
for use with the \fIRNDfile\fR flag.
.PP
Note that the file specified with the \fIRNDfile\fR flag should contain
random data \*(-- that means it should contain different information
each time \fBstunnel\fR is run. This is handled automatically
unless the \fIRNDoverwrite\fR flag is used. If you wish to update this file
manually, the \fIopenssl rand\fR command in recent versions of OpenSSL,
would be useful.
.PP
One important note \*(-- if /dev/urandom is available, OpenSSL has a habit of
seeding the \s-1PRNG\s0 with it even when checking the random state, so on
systems with /dev/urandom you're likely to use it even though it's listed
at the very bottom of the list above. This isn't \fBstunnel's\fR behaviour, it's
OpenSSLs.
.SS "\s-1DH\s0 \s-1PARAMETERS\s0"
.IX Subsection "DH PARAMETERS"
Stunnel 4.40 and later contains hardcoded 2048\-bit \s-1DH\s0 parameters.
.PP
It is also possible to specify \s-1DH\s0 parameters in the certificate file:
.PP
.Vb 1
\& openssl dhparam 2048 >> stunnel.pem
.Ve
.PP
\&\s-1DH\s0 parameter generation may take several minutes.
.SH "FILES"
.IX Header "FILES"
.IP "\fIstunnel.conf\fR" 4
.IX Item "stunnel.conf"
\&\fBstunnel\fR configuration file
.SH "BUGS"
.IX Header "BUGS"
Option \fIexecargs\fR does not support quoting.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
.IP "\fItcpd\fR\|(8)" 4
.IX Item "tcpd"
access control facility for internet services
.IP "\fIinetd\fR\|(8)" 4
.IX Item "inetd"
internet 'super\-server'
.IP "\fIhttp://www.stunnel.org/\fR" 4
.IX Item "http://www.stunnel.org/"
\&\fBstunnel\fR homepage
.IP "\fIhttp://www.openssl.org/\fR" 4
.IX Item "http://www.openssl.org/"
OpenSSL project website
.SH "AUTHOR"
.IX Header "AUTHOR"
.IP "Michał Trojnara" 4
.IX Item "Michał Trojnara"
<\fIMichal.Trojnara@mirt.net\fR>
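Review bot: the `sslVersion` item documents "Allowed options: all, SSLv2, SSLv3, TLSv1" with no caveat, so readers get no hint that SSLv2 is an obsolete protocol with well-known weaknesses; the man page should mark it as a legacy value to avoid, the way the `transparent` item already labels `yes`/`no` as legacy. The `options` example under "OpenSSL library options", `options = DONT_INSERT_EMPTY_FRAGMENTS`, has the same gap: it is presented purely as an Eudora workaround, but the OpenSSL option it maps to (SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, per the "without SSL_OP_ prefix" rule in the same item) disables an OpenSSL countermeasure for CBC cipher suites, and one sentence saying so would let readers weigh compatibility against that loss. Wording fixes in the same hunk: "supported cuves" (curve item) should read "supported curves", "Proprietary (undocummented)" (cifs protocol) should read "undocumented", "must also to be executed as root" (three occurrences under `transparent = source`) should read "must also be executed as root", and "This options has been renamed" (legacy `yes`/`no` values) should read "This option has been renamed". Under "Remote mode (connect option) on Linux >=2.6.28" the root/no-setuid requirement is stated both before and after the iptables block; one of the two statements can go.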
574
doc/stunnel.fr.8
Normal file
@ -0,0 +1,574 @@
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\" ========================================================================
.\"
.IX Title "STUNNEL.FR 8"
.TH STUNNEL.FR 8 "2012.01.12" "4.53" "stunnel"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NOM"
.IX Header "NOM"
stunnel \- tunnel \s-1SSL\s0 universel
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.IP "\fBUnix:\fR" 4
.IX Item "Unix:"
\&\fBstunnel\fR [fichier] | \-fd [n] | \-help | \-version | \-sockets
.IP "\fB\s-1WIN32:\s0\fR" 4
.IX Item "WIN32:"
\&\fBstunnel\fR [fichier] | \-install | \-uninstall | \-help | \-version | \-sockets
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Le programme \fBstunnel\fR est conçu pour fonctionner comme une couche
de chiffrement \fI\s-1SSL\s0\fR entre des clients distants et des serveurs locaux
(\fIinetd\fR\-démarrables) ou distants. Le concept est qu'à partir de daemons
non-SSL présents sur le système, on peut facilement les configurer pour
communiquer avec des clients sur des liens sécurisés \s-1SSL\s0.
.PP
\&\fBstunnel\fR peut être utilisé pour ajouter des fonctionnalités \s-1SSL\s0 à des
daemons classiques \fIInetd\fR tels que les serveurs \s-1POP\-2\s0, \s-1POP\-3\s0 et \s-1IMAP\s0,
à d'autres autonomes tels que \s-1NNTP\s0, \s-1SMTP\s0 et \s-1HTTP\s0, ainsi que pour tunneliser
\&\s-1PPP\s0 sur des sockets réseau sans modification du code source.
.PP
Ce produit inclut du code de chiffrement écrit par
Eric Young (eay@cryptsoft.com)
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB[fichier]\fR" 4
.IX Item "[fichier]"
Utilisation du fichier de configuration spécifié.
.IP "\fB\-fd [n]\fR (Unix seulement)" 4
.IX Item "-fd [n] (Unix seulement)"
Lecture du fichier de configuration depuis le descripteur de
fichier indiqué.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Affiche le menu d'aide de \fBstunnel\fR.
.IP "\fB\-version\fR" 4
.IX Item "-version"
Affiche la version de \fBstunnel\fR et les options de compilation.
.IP "\fB\-sockets\fR" 4
.IX Item "-sockets"
Affiche les options socket par défaut.
.IP "\fB\-install\fR (\s-1NT/2000/XP\s0 seulement)" 4
.IX Item "-install (NT/2000/XP seulement)"
Installe un service \s-1NT\s0.
.IP "\fB\-uninstall\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-uninstall (NT/2000/XP only)"
Désinstalle un service \s-1NT\s0.
.SH "FICHIER DE CONFIGURATION"
.IX Header "FICHIER DE CONFIGURATION"
Chaque ligne du fichier de configuration peut être soit :
.IP "\(bu" 4
une ligne vide (ignorée) ;
.IP "\(bu" 4
un commentaire commençant par « # » (ignoré) ;
.IP "\(bu" 4
une paire « option = valeur » ;
.IP "\(bu" 4
« [service_name] » indiquant le début de la définition d'un service ;
.SS "\s-1OPTIONS\s0 \s-1GLOBALES\s0"
.IX Subsection "OPTIONS GLOBALES"
.IP "\fBCApath\fR = répertoire" 4
.IX Item "CApath = répertoire"
Répertoire des autorités de certification (\s-1CA\s0)
.Sp
C'est le répertoire dans lequel \fBstunnel\fR cherche les certificats si
l'on utilise \fIverify\fR. Les certificats doivent être dénommés selon la
forme \s-1XXXXXXXX\s0.0, où \s-1XXXXXXXX\s0 est la valeur de hachage du certificat.
.Sp
Le cas échéant, le répertoire \fICApath\fR est relatif au répertoire \fIchroot\fR.
.IP "\fBCAfile\fR = fichier" 4
.IX Item "CAfile = fichier"
Fichier d'autorités de certification
.Sp
Ce fichier, utilisé avec \fIverify\fR, contient plusieurs certificats de \s-1CA\s0.
.IP "\fBcert\fR = fichier" 4
.IX Item "cert = fichier"
Fichier de chaîne de certificats \s-1PEM\s0
.Sp
Une \s-1PEM\s0 est toujours nécessaire en mode serveur.
En mode client, cette option utilise cette \s-1PEM\s0 comme une chaîne côté client.
L'utilisation de certificats côté client est optionnelle. Les certificats
doivent être au format \s-1PEM\s0 et triés par ordre de niveau décroissant (\s-1CA\s0 racine
en premier).
.IP "\fBchroot\fR = répertoire (Unix seulement)" 4
.IX Item "chroot = répertoire (Unix seulement)"
Répertoire de chroot du processus \fBstunnel\fR
.Sp
\&\fBchroot\fR enferme \fBstunnel\fR dans une cellule chroot. \fICApath\fR, \fICRLpath\fR, \fIpid\fR
et \fIexec\fR sont situés à l'intérieur de la cellule et les répertoires doivent être
relatifs au répertoire correspondant.
.Sp
Pour que le contrôle de libwrap (wrappeur \s-1TCP\s0) soit effectif dans un environnement
chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et
/etc/hosts.deny).
.IP "\fBciphers\fR = listes de chiffre" 4
.IX Item "ciphers = listes de chiffre"
Sélection des chiffres \s-1SSL\s0 autorisés
.Sp
Liste délimitée par deux-points (« : ») des chiffres autorisés pour la connexion \s-1SSL\s0.
Exemple : \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
.IP "\fBclient\fR = yes | no" 4
.IX Item "client = yes | no"
Mode client (Le service distant utilise \s-1SSL\s0)
.Sp
Par défaut : no (mode server)
.IP "\fBCRLpath\fR = répertoire" 4
|
.IX Item "CRLpath = répertoire"
|
||||||
|
Répertoire des listes de révocation de certificats (\s-1CRL\s0)
|
||||||
|
.Sp
|
||||||
|
C'est le répertoire dans lequel \fBstunnel\fR recherche les \s-1CRL\s0 avec
|
||||||
|
l'option \fIverify\fR. Les \s-1CRL\s0 doivent être dénommés selon la
|
||||||
|
forme \s-1XXXXXXXX\s0.0 où \s-1XXXXXXXX\s0 est la valeur de hachage de la \s-1CRL\s0.
|
||||||
|
.Sp
|
||||||
|
Le cas échéant, le répertoire \fICRLpath\fR est relatif au répertoire \fIchroot\fR.
|
||||||
|
.IP "\fBCRLfile\fR = fichier" 4
|
||||||
|
.IX Item "CRLfile = fichier"
|
||||||
|
Fichier de listes de révocation de certificats (\s-1CRL\s0)
|
||||||
|
.Sp
|
||||||
|
Ce fichier, utilisé avec \fIverify\fR, contient plusieurs \s-1CRL\s0.
|
||||||
|
.IP "\fBdebug\fR = [facilité.]niveau" 4
|
||||||
|
.IX Item "debug = [facilité.]niveau"
|
||||||
|
niveau de déverminage
|
||||||
|
.Sp
|
||||||
|
Le niveau est un nom ou un numéro conforme à ceux de syslog :
|
||||||
|
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
|
||||||
|
info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux
|
||||||
|
numériquement inférieurs seront affichées. \fBdebug = debug\fR ou
|
||||||
|
\&\fBdebug = 7\fR donneront le maximum d'informations. La valeur par défaut
|
||||||
|
est notice (5).
|
||||||
|
.Sp
|
||||||
|
La facilité syslog « daemon » est utilisée, sauf si un autre nom est spécifié
|
||||||
|
(Win32 ne permet pas l'usage des facilités.)
|
||||||
|
.Sp
|
||||||
|
La casse est ignorée, aussi bien pour la facilité que pour le niveau.
|
||||||
|
.IP "\fB\s-1EGD\s0\fR = chemin (Unix seulement)" 4
|
||||||
|
.IX Item "EGD = chemin (Unix seulement)"
|
||||||
|
Emplacement du socket du daemon de recueil d'entropie (\s-1EGD\s0 \- Entropy Gathering Daemon)
|
||||||
|
.Sp
|
||||||
|
Socket \s-1EGD\s0 à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible
|
||||||
|
seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur).
|
||||||
|
.IP "\fBforeground\fR = yes | no (Unix seulement)" 4
|
||||||
|
.IX Item "foreground = yes | no (Unix seulement)"
|
||||||
|
Mode avant-plan
|
||||||
|
.Sp
|
||||||
|
Reste en avant-plan (sans fork) et dirige la trace sur stderr
|
||||||
|
au lieu de syslog (sauf si \fBoutput\fR est spécifié).
|
||||||
|
.Sp
|
||||||
|
Par défault : arrière\-plan en mode daemon.
|
||||||
|
.IP "\fBkey\fR = fichier" 4
|
||||||
|
.IX Item "key = fichier"
|
||||||
|
Fichier de clef privée pour le certificat spécifié par \fIcert\fR
|
||||||
|
.Sp
|
||||||
|
La clef privée est nécessaire pour authentifier le titulaire du
|
||||||
|
certificat.
|
||||||
|
Puisque ce fichier doit rester secret, il ne doit être lisible que
|
||||||
|
par son propriétaire. Sur les systèmes Unix, on peut utiliser la
|
||||||
|
commande suivante :
|
||||||
|
.Sp
|
||||||
|
.Vb 1
|
||||||
|
\& chmod 600 fichier
|
||||||
|
.Ve
|
||||||
|
.Sp
|
||||||
|
Par défault : Valeur de \fIcert\fR
|
||||||
|
.IP "\fBoptions\fR = Options_SSL" 4
|
||||||
|
.IX Item "options = Options_SSL"
|
||||||
|
Options de la bibliothèque OpenSSL
|
||||||
|
.Sp
|
||||||
|
Le paramètre est l'option OpenSSL décrite dans la page de man
|
||||||
|
\&\fI\fISSL_CTX_set_options\fI\|(3ssl)\fR, débarassée du préfixe \fI\s-1SSL_OP_\s0\fR.
|
||||||
|
Plusieurs \fIoptions\fR peuvent être spécifiées.
|
||||||
|
.Sp
|
||||||
|
Par exemple, pour la compatibilité avec l'implantation \s-1SSL\s0 défaillante
|
||||||
|
d'Eudora, on peut utiliser :
|
||||||
|
.Sp
|
||||||
|
.Vb 1
|
||||||
|
\& options = DONT_INSERT_EMPTY_FRAGMENTS
|
||||||
|
.Ve
|
||||||
|
.IP "\fBoutput\fR = fichier" 4
|
||||||
|
.IX Item "output = fichier"
|
||||||
|
Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.
|
||||||
|
.Sp
|
||||||
|
/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard
|
||||||
|
(par exemple pour les traiter avec les outils splogger).
|
||||||
|
.IP "\fBpid\fR = fichier (Unix seulement)" 4
|
||||||
|
.IX Item "pid = fichier (Unix seulement)"
|
||||||
|
Emplacement du fichier pid
|
||||||
|
.Sp
|
||||||
|
Si l'argument est vide, aucun fichier ne sera créé.
|
||||||
|
.Sp
|
||||||
|
Le cas échéant, le chemin \fIpid\fR est relatif au répertoire \fIchroot\fR.
|
||||||
|
.IP "\fBRNDbytes\fR = nombre" 4
|
||||||
|
.IX Item "RNDbytes = nombre"
|
||||||
|
Nombre d'octets à lire depuis les fichiers de « sel » aléatoire
|
||||||
|
.Sp
|
||||||
|
Avec les \s-1SSL\s0 de version inférieure à 0.9.5a, détermine aussi le nombre
|
||||||
|
d'octets considérés comme suffisants pour « saler » le \s-1PRNG\s0. Les versions plus
|
||||||
|
récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire
|
||||||
|
est suffisant.
|
||||||
|
.IP "\fBRNDfile\fR = fichier" 4
|
||||||
|
.IX Item "RNDfile = fichier"
|
||||||
|
chemin du fichier de données de « sel » aléatoire
|
||||||
|
.Sp
|
||||||
|
La bibliothèque \s-1SSL\s0 utilise prioritairement les données de ce fichier pour
|
||||||
|
« saler » le générateur d'aléatoire.
|
||||||
|
.IP "\fBRNDoverwrite\fR = yes | no" 4
|
||||||
|
.IX Item "RNDoverwrite = yes | no"
|
||||||
|
Recouvre les fichiers de « sel » avec de nouvelles données aléatoires.
|
||||||
|
.Sp
|
||||||
|
Par défaut : yes
|
||||||
|
.IP "\fBservice\fR = nom" 4
|
||||||
|
.IX Item "service = nom"
|
||||||
|
Définit le nom de service à utiliser
|
||||||
|
.Sp
|
||||||
|
\&\fBSous Unix :\fR nom de service du mode \fIinetd\fR pour la bibliothèque \s-1TCP\s0 Wrapper.
|
||||||
|
.Sp
|
||||||
|
Par défaut : stunnel
|
||||||
|
.IP "\fBsession\fR = timeout" 4
|
||||||
|
.IX Item "session = timeout"
|
||||||
|
Timeout du cache de session
|
||||||
|
.IP "\fBsetgid\fR = nom (Unix seulement)" 4
|
||||||
|
.IX Item "setgid = nom (Unix seulement)"
|
||||||
|
Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)
|
||||||
|
.IP "\fBsetuid\fR = nom (Unix seulement)" 4
|
||||||
|
.IX Item "setuid = nom (Unix seulement)"
|
||||||
|
Nom d'utilisateur utilisé en mode daemon
|
||||||
|
.IP "\fBsocket\fR = a|l|r:option=valeur[:valeur]" 4
|
||||||
|
.IX Item "socket = a|l|r:option=valeur[:valeur]"
|
||||||
|
Configure une option de socket accept (a), locale (l) ou distante (r)
|
||||||
|
.Sp
|
||||||
|
Les valeurs de l'option linger sont : l_onof:l_linger.
|
||||||
|
Les valeurs de l'option time sont : tv_sec:tv_usec.
|
||||||
|
.Sp
|
||||||
|
Exemples :
|
||||||
|
.Sp
|
||||||
|
.Vb 9
|
||||||
|
\& socket = l:SO_LINGER=1:60
|
||||||
|
\& définit un délai d\*(Aqune minute pour la clôture des sockets locaux
|
||||||
|
\& socket = r:SO_OOBINLINE=yes
|
||||||
|
\& Place directement les données hors\-bande dans le flux de réception
|
||||||
|
\& des sockets distants
|
||||||
|
\& socket = a:SO_REUSEADDR=no
|
||||||
|
\& désactive la réutilisation d\*(Aqadresses (activée par défaut)
|
||||||
|
\& socket = a:SO_BINDTODEVICE=lo
|
||||||
|
\& limite l\*(Aqacceptation des connexions sur la seule interface de bouclage
|
||||||
|
.Ve
|
||||||
|
.IP "\fBtaskbar\fR = yes | no (\s-1WIN32\s0 seulement)" 4
|
||||||
|
.IX Item "taskbar = yes | no (WIN32 seulement)"
|
||||||
|
active l'icône de la barre de tâches
|
||||||
|
.Sp
|
||||||
|
Par défaut : yes
|
||||||
|
.IP "\fBverify\fR = niveau" 4
|
||||||
|
.IX Item "verify = niveau"
|
||||||
|
Vérifie le certificat du correspondant
|
||||||
|
.Sp
|
||||||
|
.Vb 3
|
||||||
|
\& niveau 1 \- vérifie le certificat s\*(Aqil est présent
|
||||||
|
\& niveau 2 \- vérifie le certificat
|
||||||
|
\& niveau 3 \- contrôle le correspondant avec le certificat local
|
||||||
|
.Ve
|
||||||
|
.Sp
|
||||||
|
Par défaut \- pas de vérification
|
||||||
|
.SS "\s-1OPTIONS\s0 \s-1DE\s0 \s-1SERVICE\s0"
|
||||||
|
.IX Subsection "OPTIONS DE SERVICE"
|
||||||
|
Chaque section de configuration commence par le nom du service entre crochets.
|
||||||
|
Celui-ci est utilisé par le contrôle d'accès de libwrap (\s-1TCP\s0 Wrappers) et sert
|
||||||
|
à distinguer les services \fBstunnel\fR dans les fichiers de traces.
|
||||||
|
.PP
|
||||||
|
Si l'on souhaite utiliser \fBstunnel\fR en mode \fIinetd\fR (lorsqu'un socket lui est
|
||||||
|
fourni par un serveur comme \fIinetd\fR, \fIxinetd\fR ou \fItcpserver\fR), il faut se
|
||||||
|
reporter à la section \fI\s-1MODE\s0 \s-1INETD\s0\fR plus bas.
|
||||||
|
.IP "\fBaccept\fR = [hôte:]port" 4
|
||||||
|
.IX Item "accept = [hôte:]port"
|
||||||
|
Accepte des connexions sur le port spécifié
|
||||||
|
.Sp
|
||||||
|
Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses \s-1IP\s0 de
|
||||||
|
la machine locale.
|
||||||
|
.IP "\fBconnect\fR = [hôte:]port" 4
|
||||||
|
.IX Item "connect = [hôte:]port"
|
||||||
|
Se connecte au port distant indiqué
|
||||||
|
.Sp
|
||||||
|
Par défaut, l'hôte est localhost.
|
||||||
|
.IP "\fBdelay\fR = yes | no" 4
|
||||||
|
.IX Item "delay = yes | no"
|
||||||
|
Retarde la recherche \s-1DNS\s0 pour l'option « connect »
|
||||||
|
.IP "\fBexec\fR = chemin_exécutable (Unix seulement)" 4
|
||||||
|
.IX Item "exec = chemin_exécutable (Unix seulement)"
|
||||||
|
Exécute un programme local de type inetd
|
||||||
|
.Sp
|
||||||
|
Le cas échéant, le chemin \fIexec\fR est relatif au répertoire \fIchroot\fR.
|
||||||
|
.ie n .IP "\fBexecargs\fR = $0 $1 $2 ... (Unix seulement)" 4
|
||||||
|
.el .IP "\fBexecargs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ... (Unix seulement)" 4
|
||||||
|
.IX Item "execargs = $0 $1 $2 ... (Unix seulement)"
|
||||||
|
Arguments pour \fIexec\fR, y compris le nom du programme ($0)
|
||||||
|
.Sp
|
||||||
|
Les quotes ne peuvent actuellement pas être utilisées.
|
||||||
|
Les arguments sont séparés par un nombre quelconque d'espaces.
|
||||||
|
.IP "\fBident\fR = nom" 4
|
||||||
|
.IX Item "ident = nom"
|
||||||
|
Applique le contrôle d'identité d'utilisateur \s-1IDENT\s0 (\s-1RFC\s0 1413)
|
||||||
|
.IP "\fBlocal\fR = hôte" 4
|
||||||
|
.IX Item "local = hôte"
|
||||||
|
Adresse \s-1IP\s0 de l'interface de sortie utilisée pour les connexions distantes.
|
||||||
|
Cette option permet de relier une adresse statique locale.
|
||||||
|
.IP "\fBprotocol\fR = protocole" 4
|
||||||
|
.IX Item "protocol = protocole"
|
||||||
|
Négocie avec \s-1SSL\s0 selon le protocole indiqué
|
||||||
|
.Sp
|
||||||
|
Actuellement gérés : cifs, nntp, pop3, smtp
|
||||||
|
.IP "\fBpty\fR = yes | no (Unix seulement)" 4
|
||||||
|
.IX Item "pty = yes | no (Unix seulement)"
|
||||||
|
Alloue un pseudo-terminal pour l'option « exec »
|
||||||
|
.IP "\fBTIMEOUTbusy\fR = secondes" 4
|
||||||
|
.IX Item "TIMEOUTbusy = secondes"
|
||||||
|
Durée d'attente de données
|
||||||
|
.IP "\fBTIMEOUTclose\fR = secondes" 4
|
||||||
|
.IX Item "TIMEOUTclose = secondes"
|
||||||
|
Durée d'attente du close_notify (mis à 0 pour \s-1MSIE\s0 qui est bogué)
|
||||||
|
.IP "\fBTIMEOUTidle\fR = secondes" 4
|
||||||
|
.IX Item "TIMEOUTidle = secondes"
|
||||||
|
Durée d'attente sur une connexion inactive
|
||||||
|
.IP "\fBtransparent\fR = yes | no (Unix seulement)" 4
|
||||||
|
.IX Item "transparent = yes | no (Unix seulement)"
|
||||||
|
Mode mandataire transparent
|
||||||
|
.Sp
|
||||||
|
Ré\-écrit les adresses pour qu'elles apparaissent provenir de la
|
||||||
|
machine client \s-1SSL\s0 plutôt que de celle qui exécute \fBstunnel\fR.
|
||||||
|
Cette option n'est disponible en mode local (option \fIexec\fR) qu'avec
|
||||||
|
la bibliothèque partagée LD_PRELOADing env.so shared library et en mode
|
||||||
|
distant (option \fIconnect\fR) sur les noyaux Linux 2.2 compilés avec
|
||||||
|
l'option \fItransparent proxy\fR et seulement en mode serveur. Cette
|
||||||
|
option ne se combine pas au mode mandataire (\fIconnect\fR) sauf si la
|
||||||
|
route par défaut du client vers la cible passe par l'hôte qui fait
|
||||||
|
tourner \fBstunnel\fR, qui ne peut être localhost.
|
||||||
|
.SH "VALEUR DE RETOUR"
|
||||||
|
.IX Header "VALEUR DE RETOUR"
|
||||||
|
\&\fBstunnel\fR renvoie zéro en cas de succès, une autre valeur en cas d'erreur.
|
||||||
|
.SH "EXEMPLES"
|
||||||
|
.IX Header "EXEMPLES"
|
||||||
|
Pour encapsuler votre service \fIimapd\fR local avec \s-1SSL\s0 :
|
||||||
|
.PP
|
||||||
|
.Vb 4
|
||||||
|
\& [imapd]
|
||||||
|
\& accept = 993
|
||||||
|
\& exec = /usr/sbin/imapd
|
||||||
|
\& execargs = imapd
|
||||||
|
.Ve
|
||||||
|
.PP
|
||||||
|
Pour tunneliser un daemon \fIpppd\fR sur le port 2020 :
|
||||||
|
.PP
|
||||||
|
.Vb 5
|
||||||
|
\& [vpn]
|
||||||
|
\& accept = 2020
|
||||||
|
\& exec = /usr/sbin/pppd
|
||||||
|
\& execargs = pppd local
|
||||||
|
\& pty = yes
|
||||||
|
.Ve
|
||||||
|
.PP
|
||||||
|
Configuration de \fIstunnel.conf\fR pour utiliser \fBstunnel\fR en mode \fIinetd\fR
|
||||||
|
qui lance imapd à son tour (il ne doit pas y avoir de section \fI[service_name]\fR) :
|
||||||
|
.PP
|
||||||
|
.Vb 2
|
||||||
|
\& exec = /usr/sbin/imapd
|
||||||
|
\& execargs = imapd
|
||||||
|
.Ve
|
||||||
|
.SH "FICHIERS"
|
||||||
|
.IX Header "FICHIERS"
|
||||||
|
.IP "\fIstunnel.conf\fR" 4
|
||||||
|
.IX Item "stunnel.conf"
|
||||||
|
Fichier de configuration de \fBstunnel\fR
|
||||||
|
.IP "\fIstunnel.pem\fR" 4
|
||||||
|
.IX Item "stunnel.pem"
|
||||||
|
Certificat et clef privée de \fBstunnel\fR
|
||||||
|
.SH "BOGUES"
|
||||||
|
.IX Header "BOGUES"
|
||||||
|
L'option \fIexecargs\fR n'admet pas les quotes.
|
||||||
|
.SH "RESTRICTIONS"
|
||||||
|
.IX Header "RESTRICTIONS"
|
||||||
|
\&\fBstunnel\fR ne peut être utilisé pour le daemon \s-1FTP\s0 en raison de la nature
|
||||||
|
du protocole \s-1FTP\s0 qui utilise des ports multiples pour les transferts de données.
|
||||||
|
Il existe cependant des versions \s-1SSL\s0 de \s-1FTP\s0 et de telnet.
|
||||||
|
.SH "NOTES"
|
||||||
|
.IX Header "NOTES"
|
||||||
|
.SS "\s-1MODE\s0 \s-1INETD\s0"
|
||||||
|
.IX Subsection "MODE INETD"
|
||||||
|
L'utilisation la plus commune de \fBstunnel\fR consiste à écouter un port
|
||||||
|
réseau et à établir une communication, soit avec un nouveau port
|
||||||
|
avec l'option \fIconnect\fR, soit avec un programme avec l'option \fIexec\fR.
|
||||||
|
On peut parfois cependant souhaiter qu'un autre programme reçoive les
|
||||||
|
connexions entrantes et lance \fBstunnel\fR, par exemple avec \fIinetd\fR,
|
||||||
|
\&\fIxinetd\fR ou \fItcpserver\fR.
|
||||||
|
.PP
|
||||||
|
Si, par exemple, la ligne suivante se trouve dans \fIinetd.conf\fR :
|
||||||
|
.PP
|
||||||
|
.Vb 1
|
||||||
|
\& imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
|
||||||
|
.Ve
|
||||||
|
.PP
|
||||||
|
Dans ces cas, c'est le programme du genre \fIinetd\fR\-style qui est
|
||||||
|
responsable de l'établissement de la connexion (\fIimaps\fR ci-dessus) et de passer
|
||||||
|
celle-ci à \fBstunnel\fR.
|
||||||
|
Ainsi, \fBstunnel\fR ne doit alors avoir aucune option \fIaccept\fR.
|
||||||
|
Toutes les \fIoptions de niveau service\fR doivent être placées dans
|
||||||
|
la section des options globales et aucune section \fI[service_name]\fR ne doit
|
||||||
|
être présente. Voir la section \fI\s-1EXEMPLES\s0\fR pour des exemples de configurations.
|
||||||
|
.SS "\s-1CERTIFICATS\s0"
|
||||||
|
.IX Subsection "CERTIFICATS"
|
||||||
|
Chaque daemon à propriétés \s-1SSL\s0 doit présenter un certificat X.509
|
||||||
|
valide à son interlocuteur. Il a aussi besoin d'une clef privé pour
|
||||||
|
déchiffrer les données entrantes. La méthode la plus simple pour
|
||||||
|
obtenir un certificat et une clef est d'engendrer celles-ci avec
|
||||||
|
le paquetage libre \fIOpenSSL\fR. Plus d'informations sur la génération de
|
||||||
|
certificats se trouvent dans les pages indiquées plus bas.
|
||||||
|
.PP
|
||||||
|
Deux choses importantes lors de la génération de paires certificat-clef
|
||||||
|
pour \fBstunnel\fR :
|
||||||
|
.IP "\(bu" 4
|
||||||
|
la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen
|
||||||
|
d'obtenir le mot de passe de l'utilisateur ; pour produire une clef non chiffrée,
|
||||||
|
ajouter l'option \fI\-nodes\fR à la commande \fBreq\fR de \fIOpenSSL\fR ;
|
||||||
|
.IP "\(bu" 4
|
||||||
|
l'ordre du contenu du fichier \fI.pem\fR est significatif : il doit contenir d'abord
|
||||||
|
une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat).
|
||||||
|
Il doit aussi y avoir des lignes vides après le certificat et après la clef privée.
|
||||||
|
L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que
|
||||||
|
le fichier ait l'allure suivante :
|
||||||
|
.Sp
|
||||||
|
.Vb 8
|
||||||
|
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
|
||||||
|
\& [clef encodée]
|
||||||
|
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
|
||||||
|
\& [ligne vide]
|
||||||
|
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
|
||||||
|
\& [certificat encodé]
|
||||||
|
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
|
||||||
|
\& [ligne vide]
|
||||||
|
.Ve
|
||||||
|
.SS "\s-1ALEATOIRE\s0"
|
||||||
|
.IX Subsection "ALEATOIRE"
|
||||||
|
\&\fBstunnel\fR doit « saler » le générateur de pseudo\-aléatoires \s-1PRNG\s0 (pseudo random
|
||||||
|
number generator) afin que \s-1SSL\s0 utilise un aléatoire de qualité. Les sources suivantes
|
||||||
|
sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lue :
|
||||||
|
.IP "\(bu" 4
|
||||||
|
le fichier spécifié par \fIRNDfile\fR ;
|
||||||
|
.IP "\(bu" 4
|
||||||
|
le fichier spécifié par la variable d'environnement \s-1RANDFILE\s0, à défaut
|
||||||
|
le fichier .rnd du répertoire \f(CW$HOME\fR de l'utilisateur ;
|
||||||
|
.IP "\(bu" 4
|
||||||
|
le fichier spécifié par « \-\-with\-random » lors de la compilation ;
|
||||||
|
.IP "\(bu" 4
|
||||||
|
le contenu de l'écran (MS-Windows seulement) ;
|
||||||
|
.IP "\(bu" 4
|
||||||
|
le socket \s-1EGD\s0 spécifié par \fI\s-1EGD\s0\fR ;
|
||||||
|
.IP "\(bu" 4
|
||||||
|
le socket \s-1EGD\s0 spécifié par « \-\-with\-egd\-sock » lors de la compilation ;
|
||||||
|
.IP "\(bu" 4
|
||||||
|
le périphérique /dev/urandom.
|
||||||
|
.PP
|
||||||
|
Avec un OpenSSL récent (>=OpenSSL 0.9.5a) le chargement de données s'arrête
|
||||||
|
automatiquement lorsqu'un niveau d'entropie suffisant est atteint.
|
||||||
|
Les versions précédentes continuent à lire toutes les sources puisqu'aucune
|
||||||
|
fonction \s-1SSL\s0 ne leur permet de savoir que suffisamment de données sont disponibles.
|
||||||
|
.PP
|
||||||
|
Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console,
|
||||||
|
(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est
|
||||||
|
pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire
|
||||||
|
par le biais de \fIRNDfile\fR.
|
||||||
|
.PP
|
||||||
|
Le fichier spécifié par \fIRNDfile\fR doit contenir des informations aléatoires \*(--
|
||||||
|
c'est\-à\-dire des informations différentes à chaque lancement de \fBstunnel\fR.
|
||||||
|
Cela est géré automatiquement sauf si l'option \fIRNDoverwrite\fR est utilisée.
|
||||||
|
Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la
|
||||||
|
commande \fIopenssl rand\fR des versions récentes d'OpenSSL sera sans doute utile.
|
||||||
|
.PP
|
||||||
|
Note importante : si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser
|
||||||
|
celui-ci pour « saler » le \s-1PRNG\s0 même lorsqu'il contrôle l'état de l'aléatoire ;
|
||||||
|
ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable
|
||||||
|
qu'il soit utilisé s'il est présent.
|
||||||
|
Ce n'est pas le comportement de \fBstunnel\fR, c'est celui d'OpenSSL.
|
||||||
|
.SH "VOIR AUSSI"
|
||||||
|
.IX Header "VOIR AUSSI"
|
||||||
|
.IP "\fItcpd\fR\|(8)" 4
|
||||||
|
.IX Item "tcpd"
|
||||||
|
Service de contrôle d'accès pour les services internet
|
||||||
|
.IP "\fIinetd\fR\|(8)" 4
|
||||||
|
.IX Item "inetd"
|
||||||
|
« super-serveur » internet
|
||||||
|
.IP "\fIhttp://www.stunnel.org/\fR" 4
|
||||||
|
.IX Item "http://www.stunnel.org/"
|
||||||
|
Page de référence de \fBstunnel\fR
|
||||||
|
.IP "\fIhttp://www.openssl.org/\fR" 4
|
||||||
|
.IX Item "http://www.openssl.org/"
|
||||||
|
Site web du projet OpenSSL
|
||||||
|
.SH "AUTEUR"
|
||||||
|
.IX Header "AUTEUR"
|
||||||
|
.IP "Michał Trojnara" 4
|
||||||
|
.IX Item "Michał Trojnara"
|
||||||
|
<\fIMichal.Trojnara@mirt.net\fR>
|
||||||
|
.SH "ADAPTATION FRANÇAISE"
|
||||||
|
.IX Header "ADAPTATION FRANÇAISE"
|
||||||
|
.IP "Bernard Choppy" 4
|
||||||
|
.IX Item "Bernard Choppy"
|
||||||
|
<\fIchoppy \s-1AT\s0 free \s-1POINT\s0 fr\fR>
|
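Review bot: the file-permission advice given only under the `key` option (the `.Vb` block "chmod 600 fichier" after "commande suivante :") should also cover the `cert` file, because `key` defaults to the value of `cert` ("Par défault : Valeur de cert") and the FICHIERS section describes stunnel.pem as holding both the certificate and the private key, so in the default layout the secret sits in a file the text never says to protect; suggest a sentence under `cert` (or under stunnel.pem in FICHIERS) stating that the same "chmod 600" applies when the key is kept in the PEM chain file. Smaller text issues in the same file: "Par défault" under `foreground` and `key` should read "Par défaut"; "débarassée" under `options` should read "débarrassée"; the `-uninstall` item and its `.IX` line keep the English "(NT/2000/XP only)" where the `-install` item uses "seulement"; the `socket` paragraph gives the linger values as "l_onof:l_linger" although the struct field is `l_onoff`; and the `transparent` paragraph mixes languages in "la bibliothèque partagée LD_PRELOADing env.so shared library".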
670
doc/stunnel.fr.html
Normal file
@ -0,0 +1,670 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>stunnel.8</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:root@localhost" />
</head>

<body style="background-color: white">


<!-- INDEX BEGIN -->
<div name="index">
<p><a name="__index__"></a></p>
<!--

<ul>

<li><a href="#nom">NOM</a></li>
<li><a href="#synopsis">SYNOPSIS</a></li>
<li><a href="#description">DESCRIPTION</a></li>
<li><a href="#options">OPTIONS</a></li>
<li><a href="#fichier_de_configuration">FICHIER DE CONFIGURATION</a></li>
<ul>

<li><a href="#options_globales">OPTIONS GLOBALES</a></li>
<li><a href="#options_de_service">OPTIONS DE SERVICE</a></li>
</ul>

<li><a href="#valeur_de_retour">VALEUR DE RETOUR</a></li>
<li><a href="#exemples">EXEMPLES</a></li>
<li><a href="#fichiers">FICHIERS</a></li>
<li><a href="#bogues">BOGUES</a></li>
<li><a href="#restrictions">RESTRICTIONS</a></li>
<li><a href="#notes">NOTES</a></li>
<ul>

<li><a href="#mode_inetd">MODE INETD</a></li>
<li><a href="#certificats">CERTIFICATS</a></li>
<li><a href="#aleatoire">ALEATOIRE</a></li>
</ul>

<li><a href="#voir_aussi">VOIR AUSSI</a></li>
<li><a href="#auteur">AUTEUR</a></li>
<li><a href="#adaptation_fran__aise">ADAPTATION FRANÇAISE</a></li>
</ul>

-->


</div>
<!-- INDEX END -->

<p>
</p>
<h1><a name="nom">NOM</a></h1>
<p>stunnel - tunnel SSL universel</p>
<p>
</p>
<hr />
<h1><a name="synopsis">SYNOPSIS</a></h1>
<dl>
<dt><strong><a name="unix" class="item"><strong>Unix:</strong></a></strong></dt>

<dd>
<p><strong>stunnel</strong> [fichier] | -fd [n] | -help | -version | -sockets</p>
</dd>
<dt><strong><a name="win32" class="item"><strong>WIN32:</strong></a></strong></dt>

<dd>
<p><strong>stunnel</strong> [fichier] | -install | -uninstall | -help | -version | -sockets</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="description">DESCRIPTION</a></h1>
<p>Le programme <strong>stunnel</strong> est conçu pour fonctionner comme une couche
de chiffrement <em>SSL</em> entre des clients distants et des serveurs locaux
(<em>inetd</em>-démarrables) ou distants. Le concept est qu'à partir de daemons
non-SSL présents sur le système, on peut facilement les configurer pour
communiquer avec des clients sur des liens sécurisés SSL.</p>
<p><strong>stunnel</strong> peut être utilisé pour ajouter des fonctionnalités SSL à des
daemons classiques <em>Inetd</em> tels que les serveurs POP-2, POP-3 et IMAP,
à d'autres autonomes tels que NNTP, SMTP et HTTP, ainsi que pour tunneliser
PPP sur des sockets réseau sans modification du code source.</p>
<p>Ce produit inclut du code de chiffrement écrit par
Eric Young (<a href="mailto:eay@cryptsoft.com">eay@cryptsoft.com</a>)</p>
<p>
</p>
<hr />
<h1><a name="options">OPTIONS</a></h1>
<dl>
<dt><strong><a name="fichier" class="item"><strong>[fichier]</strong></a></strong></dt>

<dd>
<p>Utilisation du fichier de configuration spécifié.</p>
</dd>
<dt><strong><a name="fd_n_unix_seulement" class="item"><strong>-fd [n]</strong> (Unix seulement)</a></strong></dt>

<dd>
<p>Lecture du fichier de configuration depuis le descripteur de
fichier indiqué.</p>
</dd>
<dt><strong><a name="help" class="item"><strong>-help</strong></a></strong></dt>

<dd>
<p>Affiche le menu d'aide de <strong>stunnel</strong>.</p>
</dd>
<dt><strong><a name="version" class="item"><strong>-version</strong></a></strong></dt>

<dd>
<p>Affiche la version de <strong>stunnel</strong> et les options de compilation.</p>
</dd>
<dt><strong><a name="sockets" class="item"><strong>-sockets</strong></a></strong></dt>

<dd>
<p>Affiche les options socket par défaut.</p>
</dd>
<dt><strong><a name="install" class="item"><strong>-install</strong> (NT/2000/XP seulement)</a></strong></dt>

<dd>
<p>Installe un service NT.</p>
</dd>
<dt><strong><a name="uninstall" class="item"><strong>-uninstall</strong> (NT/2000/XP only)</a></strong></dt>

<dd>
<p>Désinstalle un service NT.</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="fichier_de_configuration">FICHIER DE CONFIGURATION</a></h1>
<p>Chaque ligne du fichier de configuration peut être soit :</p>
<ul>
<li>
<p>une ligne vide (ignorée) ;</p>
</li>
<li>
<p>un commentaire commençant par « # » (ignoré) ;</p>
</li>
<li>
<p>une paire « option = valeur » ;</p>
</li>
<li>
<p>« [service_name] » indiquant le début de la définition d'un service ;</p>
</li>
</ul>
<p>
</p>
<h2><a name="options_globales">OPTIONS GLOBALES</a></h2>
<dl>
<dt><strong><a name="capath_r_pertoire" class="item"><strong>CApath</strong> = répertoire</a></strong></dt>

<dd>
<p>Répertoire des autorités de certification (CA)</p>
<p>C'est le répertoire dans lequel <strong>stunnel</strong> cherche les certificats si
l'on utilise <em>verify</em>. Les certificats doivent être dénommés selon la
forme XXXXXXXX.0, où XXXXXXXX est la valeur de hachage du certificat.</p>
<p>Le cas échéant, le répertoire <em>CApath</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<dt><strong><a name="cafile_fichier" class="item"><strong>CAfile</strong> = fichier</a></strong></dt>

<dd>
<p>Fichier d'autorités de certification</p>
<p>Ce fichier, utilisé avec <em>verify</em>, contient plusieurs certificats de CA.</p>
</dd>
<dt><strong><a name="cert_fichier" class="item"><strong>cert</strong> = fichier</a></strong></dt>

<dd>
<p>Fichier de chaîne de certificats PEM</p>
<p>Une PEM est toujours nécessaire en mode serveur.
En mode client, cette option utilise cette PEM comme une chaîne côté client.
L'utilisation de certificats côté client est optionnelle. Les certificats
doivent être au format PEM et triés par ordre de niveau décroissant (CA racine
en premier).</p>
</dd>
<dt><strong><a name="pertoire" class="item"><strong>chroot</strong> = répertoire (Unix seulement)</a></strong></dt>

<dd>
<p>Répertoire de chroot du processus <strong>stunnel</strong></p>
<p><strong>chroot</strong> enferme <strong>stunnel</strong> dans une cellule chroot. <em>CApath</em>, <em>CRLpath</em>, <em>pid</em>
et <em>exec</em> sont situés à l'intérieur de la cellule et les répertoires doivent être
relatifs au répertoire correspondant.</p>
<p>Pour que le contrôle de libwrap (wrappeur TCP) soit effectif dans un environnement
chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et
/etc/hosts.deny).</p>
</dd>
<dt><strong><a name="ciphers_listes_de_chiffre" class="item"><strong>ciphers</strong> = listes de chiffre</a></strong></dt>

<dd>
<p>Sélection des chiffres SSL autorisés</p>
<p>Liste délimitée par deux-points (« : ») des chiffres autorisés pour la connexion SSL.
Exemple : DES-CBC3-SHA:IDEA-CBC-MD5</p>
</dd>
<dt><strong><a name="client_yes_no" class="item"><strong>client</strong> = yes | no</a></strong></dt>

<dd>
<p>Mode client (Le service distant utilise SSL)</p>
<p>Par défaut : no (mode server)</p>
</dd>
<dt><strong><a name="crlpath_r_pertoire" class="item"><strong>CRLpath</strong> = répertoire</a></strong></dt>

<dd>
<p>Répertoire des listes de révocation de certificats (CRL)</p>
<p>C'est le répertoire dans lequel <strong>stunnel</strong> recherche les CRL avec
l'option <em>verify</em>. Les CRL doivent être dénommés selon la
forme XXXXXXXX.0 où XXXXXXXX est la valeur de hachage de la CRL.</p>
<p>Le cas échéant, le répertoire <em>CRLpath</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<dt><strong><a name="crlfile_fichier" class="item"><strong>CRLfile</strong> = fichier</a></strong></dt>

<dd>
<p>Fichier de listes de révocation de certificats (CRL)</p>
<p>Ce fichier, utilisé avec <em>verify</em>, contient plusieurs CRL.</p>
</dd>
<dt><strong><a name="debug_facilit_niveau" class="item"><strong>debug</strong> = [facilité.]niveau</a></strong></dt>

<dd>
<p>niveau de déverminage</p>
<p>Le niveau est un nom ou un numéro conforme à ceux de syslog :
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux
numériquement inférieurs seront affichées. <strong>debug = debug</strong> ou
<strong>debug = 7</strong> donneront le maximum d'informations. La valeur par défaut
est notice (5).</p>
<p>La facilité syslog « daemon » est utilisée, sauf si un autre nom est spécifié
(Win32 ne permet pas l'usage des facilités.)</p>
<p>La casse est ignorée, aussi bien pour la facilité que pour le niveau.</p>
</dd>
<dt><strong><a name="chemin" class="item"><strong>EGD</strong> = chemin (Unix seulement)</a></strong></dt>

<dd>
<p>Emplacement du socket du daemon de recueil d'entropie (EGD - Entropy Gathering Daemon)</p>
<p>Socket EGD à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible
seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur).</p>
</dd>
<dt><strong><a name="no" class="item"><strong>foreground</strong> = yes | no (Unix seulement)</a></strong></dt>
|
||||||
|
|
||||||
|
<dd>
|
||||||
|
<p>Mode avant-plan</p>
|
||||||
|
<p>Reste en avant-plan (sans fork) et dirige la trace sur stderr
|
||||||
|
au lieu de syslog (sauf si <strong>output</strong> est spécifié).</p>
|
||||||
|
<p>Par défault : arrière-plan en mode daemon.</p>
|
||||||
|
</dd>
|
||||||
|
<dt><strong><a name="key_fichier" class="item"><strong>key</strong> = fichier</a></strong></dt>
|
||||||
|
|
||||||
|
<dd>
|
||||||
|
<p>Fichier de clef privée pour le certificat spécifié par <em>cert</em></p>
|
||||||
|
<p>La clef privée est nécessaire pour authentifier le titulaire du
|
||||||
|
certificat.
|
||||||
|
Puisque ce fichier doit rester secret, il ne doit être lisible que
|
||||||
|
par son propriétaire. Sur les systèmes Unix, on peut utiliser la
|
||||||
|
commande suivante :</p>
|
||||||
|
<pre>
|
||||||
|
chmod 600 fichier</pre>
|
||||||
|
<p>Par défault : Valeur de <em>cert</em></p>
|
||||||
|
</dd>
|
||||||
|
<dt><strong><a name="options_options_ssl" class="item"><strong>options</strong> = Options_SSL</a></strong></dt>
|
||||||
|
|
||||||
|
<dd>
|
||||||
|
<p>Options de la bibliothèque OpenSSL</p>
|
||||||
|
<p>Le paramètre est l'option OpenSSL décrite dans la page de man
|
||||||
|
<em>SSL_CTX_set_options(3ssl)</em>, débarassée du préfixe <em>SSL_OP_</em>.
|
||||||
|
Plusieurs <em>options</em> peuvent être spécifiées.</p>
|
||||||
|
<p>Par exemple, pour la compatibilité avec l'implantation SSL défaillante
|
||||||
|
d'Eudora, on peut utiliser :</p>
|
||||||
|
<pre>
|
||||||
|
options = DONT_INSERT_EMPTY_FRAGMENTS</pre>
|
||||||
|
</dd>
|
||||||
|
<dt><strong><a name="output_fichier" class="item"><strong>output</strong> = fichier</a></strong></dt>
|
||||||
|
|
||||||
|
<dd>
|
||||||
|
<p>Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.</p>
|
||||||
|
<p>/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard
|
||||||
|
(par exemple pour les traiter avec les outils splogger).</p>
|
||||||
|
</dd>
|
||||||
|
<dt><strong><strong>pid</strong> = fichier (Unix seulement)</strong></dt>
|
||||||
|
|
||||||
|
<dd>
|
||||||
|
<p>Emplacement du fichier pid</p>
|
||||||
|
<p>Si l'argument est vide, aucun fichier ne sera créé.</p>
|
||||||
|
<p>Le cas échéant, le chemin <em>pid</em> est relatif au répertoire <em>chroot</em>.</p>
|
||||||
|
</dd>
|
||||||
|
<dt><strong><a name="rndbytes_nombre" class="item"><strong>RNDbytes</strong> = nombre</a></strong></dt>
|
||||||
|
|
||||||
|
<dd>
|
||||||
|
<p>Nombre d'octets à lire depuis les fichiers de « sel » aléatoire</p>
|
||||||
|
<p>Avec les SSL de version inférieure à 0.9.5a, détermine aussi le nombre
|
||||||
|
d'octets considérés comme suffisants pour « saler » le PRNG. Les versions plus
|
||||||
|
récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire
|
||||||
|
est suffisant.</p>
|
||||||
|
</dd>
|
||||||
|
<dt><strong><a name="rndfile_fichier" class="item"><strong>RNDfile</strong> = fichier</a></strong></dt>
|
||||||
|
|
||||||
|
<dd>
|
||||||
|
<p>chemin du fichier de données de « sel » aléatoire</p>
|
||||||
|
<p>La bibliothèque SSL utilise prioritairement les données de ce fichier pour
|
||||||
|
« saler » le générateur d'aléatoire.</p>
|
||||||
|
</dd>
|
||||||
|
<dt><strong><a name="rndoverwrite_yes_no" class="item"><strong>RNDoverwrite</strong> = yes | no</a></strong></dt>
|
||||||
|
|
||||||
|
<dd>
|
||||||
|
<p>Recouvre les fichiers de « sel » avec de nouvelles données aléatoires.</p>
|
||||||
|
<p>Par défaut : yes</p>
|
||||||
|
</dd>
|
||||||
|
<dt><strong><a name="service_nom" class="item"><strong>service</strong> = nom</a></strong></dt>
|
||||||
|
|
||||||
|
<dd>
|
||||||
|
<p>Définit le nom de service à utiliser</p>
|
||||||
|
<p><strong>Sous Unix :</strong> nom de service du mode <em>inetd</em> pour la bibliothèque TCP Wrapper.</p>
|
||||||
|
<p>Par défaut : stunnel</p>
|
||||||
|
</dd>
|
||||||
|
<dt><strong><a name="session_timeout" class="item"><strong>session</strong> = timeout</a></strong></dt>
|
||||||
|
|
||||||
|
<dd>
|
||||||
|
<p>Timeout du cache de session</p>
|
||||||
|
</dd>
|
||||||
|
<dt><strong><a name="nom" class="item"><strong>setgid</strong> = nom (Unix seulement)</a></strong></dt>
|
||||||
|
|
||||||
|
<dd>
|
||||||
|
<p>Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)</p>
|
||||||
|
</dd>
|
||||||
|
<dt><strong><strong>setuid</strong> = nom (Unix seulement)</strong></dt>
|
||||||
|
|
||||||
|
<dd>
|
||||||
|
<p>Nom d'utilisateur utilisé en mode daemon</p>
|
||||||
|
</dd>
|
||||||
|
<dt><strong><a name="socket_a_l_r_option_valeur_valeur" class="item"><strong>socket</strong> = a|l|r:option=valeur[:valeur]</a></strong></dt>
|
||||||
|
|
||||||
|
<dd>
|
||||||
|
<p>Configure une option de socket accept (a), locale (l) ou distante (r)</p>
|
||||||
|
<p>Les valeurs de l'option linger sont : l_onof:l_linger.
|
||||||
|
Les valeurs de l'option time sont : tv_sec:tv_usec.</p>
|
||||||
|
<p>Exemples :</p>
|
||||||
|
<pre>
|
||||||
|
socket = l:SO_LINGER=1:60
|
||||||
|
définit un délai d'une minute pour la clôture des sockets locaux
|
||||||
|
socket = r:SO_OOBINLINE=yes
|
||||||
|
Place directement les données hors-bande dans le flux de réception
|
||||||
|
des sockets distants
|
||||||
|
socket = a:SO_REUSEADDR=no
|
||||||
|
désactive la réutilisation d'adresses (activée par défaut)
|
||||||
|
socket = a:SO_BINDTODEVICE=lo
|
||||||
|
limite l'acceptation des connexions sur la seule interface de bouclage</pre>
|
||||||
|
</dd>
|
||||||
|
<dt><strong><strong>taskbar</strong> = yes | no (WIN32 seulement)</strong></dt>
|
||||||
|
|
||||||
|
<dd>
|
||||||
|
<p>active l'icône de la barre de tâches</p>
|
||||||
|
<p>Par défaut : yes</p>
|
||||||
|
</dd>
|
||||||
|
<dt><strong><a name="verify_niveau" class="item"><strong>verify</strong> = niveau</a></strong></dt>
|
||||||
|
|
||||||
|
<dd>
|
||||||
|
<p>Vérifie le certificat du correspondant</p>
|
||||||
|
<pre>
|
||||||
|
niveau 1 - vérifie le certificat s'il est présent
|
||||||
|
niveau 2 - vérifie le certificat
|
||||||
|
niveau 3 - contrôle le correspondant avec le certificat local</pre>
|
||||||
|
<p>Par défaut - pas de vérification</p>
|
||||||
|
</dd>
|
||||||
|
</dl>
<p>
</p>
<h2><a name="options_de_service">OPTIONS DE SERVICE</a></h2>
<p>Chaque section de configuration commence par le nom du service entre crochets.
Celui-ci est utilisé par le contrôle d'accès de libwrap (TCP Wrappers) et sert
à distinguer les services <strong>stunnel</strong> dans les fichiers de traces.</p>
<p>Si l'on souhaite utiliser <strong>stunnel</strong> en mode <em>inetd</em> (lorsqu'un socket lui est
fourni par un serveur comme <em>inetd</em>, <em>xinetd</em> ou <em>tcpserver</em>), il faut se
reporter à la section <em>MODE INETD</em> plus bas.</p>
<dl>
<dt><strong><a name="accept_h_te_port" class="item"><strong>accept</strong> = [hôte:]port</a></strong></dt>

<dd>
<p>Accepte des connexions sur le port spécifié</p>
<p>Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses IP de
la machine locale.</p>
</dd>
<dt><strong><a name="connect_h_te_port" class="item"><strong>connect</strong> = [hôte:]port</a></strong></dt>

<dd>
<p>Se connecte au port distant indiqué</p>
<p>Par défaut, l'hôte est localhost.</p>
</dd>
<dt><strong><a name="delay_yes_no" class="item"><strong>delay</strong> = yes | no</a></strong></dt>

<dd>
<p>Retarde la recherche DNS pour l'option « connect »</p>
</dd>
<dt><strong><a name="cutable" class="item"><strong>exec</strong> = chemin_exécutable (Unix seulement)</a></strong></dt>

<dd>
<p>Exécute un programme local de type inetd</p>
<p>Le cas échéant, le chemin <em>exec</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<dt><strong><a name="execargs_0_1_2_unix_seulement" class="item"><strong>execargs</strong> = $0 $1 $2 ... (Unix seulement)</a></strong></dt>

<dd>
<p>Arguments pour <em>exec</em>, y compris le nom du programme ($0)</p>
<p>Les quotes ne peuvent actuellement pas être utilisées.
Les arguments sont séparés par un nombre quelconque d'espaces.</p>
</dd>
<dt><strong><a name="ident_nom" class="item"><strong>ident</strong> = nom</a></strong></dt>

<dd>
<p>Applique le contrôle d'identité d'utilisateur IDENT (<a href="http://www.ietf.org/rfc/rfc1413.txt" class="rfc">RFC 1413</a>)</p>
</dd>
<dt><strong><a name="local_h_te" class="item"><strong>local</strong> = hôte</a></strong></dt>

<dd>
<p>Adresse IP de l'interface de sortie utilisée pour les connexions distantes.
Cette option permet de relier une adresse statique locale.</p>
</dd>
<dt><strong><a name="protocol_protocole" class="item"><strong>protocol</strong> = protocole</a></strong></dt>

<dd>
<p>Négocie avec SSL selon le protocole indiqué</p>
<p>Actuellement gérés : cifs, nntp, pop3, smtp</p>
</dd>
<dt><strong><strong>pty</strong> = yes | no (Unix seulement)</strong></dt>

<dd>
<p>Alloue un pseudo-terminal pour l'option « exec »</p>
</dd>
<dt><strong><a name="timeoutbusy_secondes" class="item"><strong>TIMEOUTbusy</strong> = secondes</a></strong></dt>

<dd>
<p>Durée d'attente de données</p>
</dd>
<dt><strong><a name="timeoutclose_secondes" class="item"><strong>TIMEOUTclose</strong> = secondes</a></strong></dt>

<dd>
<p>Durée d'attente du close_notify (mis à 0 pour MSIE qui est bogué)</p>
</dd>
<dt><strong><a name="timeoutidle_secondes" class="item"><strong>TIMEOUTidle</strong> = secondes</a></strong></dt>

<dd>
<p>Durée d'attente sur une connexion inactive</p>
</dd>
<dt><strong><strong>transparent</strong> = yes | no (Unix seulement)</strong></dt>

<dd>
<p>Mode mandataire transparent</p>
<p>Ré-écrit les adresses pour qu'elles apparaissent provenir de la
machine client SSL plutôt que de celle qui exécute <strong>stunnel</strong>.
Cette option n'est disponible en mode local (option <em>exec</em>) qu'avec
la bibliothèque partagée LD_PRELOADing env.so shared library et en mode
distant (option <em>connect</em>) sur les noyaux Linux 2.2 compilés avec
l'option <em>transparent proxy</em> et seulement en mode serveur. Cette
option ne se combine pas au mode mandataire (<em>connect</em>) sauf si la
route par défaut du client vers la cible passe par l'hôte qui fait
tourner <strong>stunnel</strong>, qui ne peut être localhost.</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="valeur_de_retour">VALEUR DE RETOUR</a></h1>
<p><strong>stunnel</strong> renvoie zéro en cas de succès, une autre valeur en cas d'erreur.</p>
<p>
</p>
<hr />
<h1><a name="exemples">EXEMPLES</a></h1>
<p>Pour encapsuler votre service <em>imapd</em> local avec SSL :</p>
<pre>
[imapd]
accept = 993
exec = /usr/sbin/imapd
execargs = imapd</pre>
<p>Pour tunneliser un daemon <em>pppd</em> sur le port 2020 :</p>
<pre>
[vpn]
accept = 2020
exec = /usr/sbin/pppd
execargs = pppd local
pty = yes</pre>
<p>Configuration de <em>stunnel.conf</em> pour utiliser <strong>stunnel</strong> en mode <em>inetd</em>
qui lance imapd à son tour (il ne doit pas y avoir de section <em>[service_name]</em>) :</p>
<pre>
exec = /usr/sbin/imapd
execargs = imapd</pre>
<p>
</p>
<hr />
<h1><a name="fichiers">FICHIERS</a></h1>
<dl>
<dt><strong><a name="stunnel_conf" class="item"><em class="file">stunnel.conf</em></a></strong></dt>

<dd>
<p>Fichier de configuration de <strong>stunnel</strong></p>
</dd>
<dt><strong><a name="stunnel_pem" class="item"><em class="file">stunnel.pem</em></a></strong></dt>

<dd>
<p>Certificat et clef privée de <strong>stunnel</strong></p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="bogues">BOGUES</a></h1>
<p>L'option <em>execargs</em> n'admet pas les quotes.</p>
<p>
</p>
<hr />
<h1><a name="restrictions">RESTRICTIONS</a></h1>
<p><strong>stunnel</strong> ne peut être utilisé pour le daemon FTP en raison de la nature
du protocole FTP qui utilise des ports multiples pour les transferts de données.
Il existe cependant des versions SSL de FTP et de telnet.</p>
<p>
</p>
<hr />
<h1><a name="notes">NOTES</a></h1>
<p>
</p>
<h2><a name="mode_inetd">MODE INETD</a></h2>
<p>L'utilisation la plus commune de <strong>stunnel</strong> consiste à écouter un port
réseau et à établir une communication, soit avec un nouveau port
avec l'option <em>connect</em>, soit avec un programme avec l'option <em>exec</em>.
On peut parfois cependant souhaiter qu'un autre programme reçoive les
connexions entrantes et lance <strong>stunnel</strong>, par exemple avec <em>inetd</em>,
<em>xinetd</em> ou <em>tcpserver</em>.</p>
<p>Si, par exemple, la ligne suivante se trouve dans <em>inetd.conf</em> :</p>
<pre>
imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf</pre>
<p>Dans ces cas, c'est le programme du genre <em>inetd</em>-style qui est
responsable de l'établissement de la connexion (<em>imaps</em> ci-dessus) et de passer
celle-ci à <strong>stunnel</strong>.
Ainsi, <strong>stunnel</strong> ne doit alors avoir aucune option <em>accept</em>.
Toutes les <em>options de niveau service</em> doivent être placées dans
la section des options globales et aucune section <em>[service_name]</em> ne doit
être présente. Voir la section <em>EXEMPLES</em> pour des exemples de configurations.</p>
<p>
</p>
<h2><a name="certificats">CERTIFICATS</a></h2>
<p>Chaque daemon à propriétés SSL doit présenter un certificat X.509
valide à son interlocuteur. Il a aussi besoin d'une clef privé pour
déchiffrer les données entrantes. La méthode la plus simple pour
obtenir un certificat et une clef est d'engendrer celles-ci avec
le paquetage libre <em>OpenSSL</em>. Plus d'informations sur la génération de
certificats se trouvent dans les pages indiquées plus bas.</p>
<p>Deux choses importantes lors de la génération de paires certificat-clef
pour <strong>stunnel</strong> :</p>
<ul>
<li>
<p>la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen
d'obtenir le mot de passe de l'utilisateur ; pour produire une clef non chiffrée,
ajouter l'option <em>-nodes</em> à la commande <strong>req</strong> de <em>OpenSSL</em> ;</p>
</li>
<li>
<p>l'ordre du contenu du fichier <em>.pem</em> est significatif : il doit contenir d'abord
une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat).
Il doit aussi y avoir des lignes vides après le certificat et après la clef privée.
L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que
le fichier ait l'allure suivante :</p>
<pre>
-----BEGIN RSA PRIVATE KEY-----
[clef encodée]
-----END RSA PRIVATE KEY-----
[ligne vide]
-----BEGIN CERTIFICATE-----
[certificat encodé]
-----END CERTIFICATE-----
[ligne vide]</pre>
</li>
</ul>
<p>
</p>
<h2><a name="aleatoire">ALEATOIRE</a></h2>
<p><strong>stunnel</strong> doit « saler » le générateur de pseudo-aléatoires PRNG (pseudo random
number generator) afin que SSL utilise un aléatoire de qualité. Les sources suivantes
sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lue :</p>
<ul>
<li>
<p>le fichier spécifié par <em>RNDfile</em> ;</p>
</li>
<li>
<p>le fichier spécifié par la variable d'environnement RANDFILE, à défaut
le fichier .rnd du répertoire $HOME de l'utilisateur ;</p>
</li>
<li>
<p>le fichier spécifié par « --with-random » lors de la compilation ;</p>
</li>
<li>
<p>le contenu de l'écran (MS-Windows seulement) ;</p>
</li>
<li>
<p>le socket EGD spécifié par <em>EGD</em> ;</p>
</li>
<li>
<p>le socket EGD spécifié par « --with-egd-sock » lors de la compilation ;</p>
</li>
<li>
<p>le périphérique /dev/urandom.</p>
</li>
</ul>
<p>Avec un OpenSSL récent (>=OpenSSL 0.9.5a) le chargement de données s'arrête
automatiquement lorsqu'un niveau d'entropie suffisant est atteint.
Les versions précédentes continuent à lire toutes les sources puisqu'aucune
fonction SSL ne leur permet de savoir que suffisamment de données sont disponibles.</p>
<p>Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console,
(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est
pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire
par le biais de <em>RNDfile</em>.</p>
<p>Le fichier spécifié par <em>RNDfile</em> doit contenir des informations aléatoires --
c'est-à-dire des informations différentes à chaque lancement de <strong>stunnel</strong>.
Cela est géré automatiquement sauf si l'option <em>RNDoverwrite</em> est utilisée.
Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la
commande <em>openssl rand</em> des versions récentes d'OpenSSL sera sans doute utile.</p>
<p>Note importante : si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser
celui-ci pour « saler » le PRNG même lorsqu'il contrôle l'état de l'aléatoire ;
ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable
qu'il soit utilisé s'il est présent.
Ce n'est pas le comportement de <strong>stunnel</strong>, c'est celui d'OpenSSL.</p>
<p>
</p>
<hr />
<h1><a name="voir_aussi">VOIR AUSSI</a></h1>
<dl>
<dt><strong><a name="tcpd" class="item"><a href="#tcpd">tcpd(8)</a></a></strong></dt>

<dd>
<p>Service de contrôle d'accès pour les services internet</p>
</dd>
<dt><strong><a name="inetd" class="item"><a href="#inetd">inetd(8)</a></a></strong></dt>

<dd>
<p>« super-serveur » internet</p>
</dd>
<dt><strong><a name="http_www_stunnel_org" class="item"><em class="file"><a href="http://www.stunnel.org/">http://www.stunnel.org/</a></em></a></strong></dt>

<dd>
<p>Page de référence de <strong>stunnel</strong></p>
</dd>
<dt><strong><a name="http_www_openssl_org" class="item"><em class="file"><a href="http://www.openssl.org/">http://www.openssl.org/</a></em></a></strong></dt>

<dd>
<p>Site web du projet OpenSSL</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="auteur">AUTEUR</a></h1>
<dl>
<dt><strong><a name="micha_trojnara" class="item">Michał Trojnara</a></strong></dt>

<dd>
<p><<em class="file"><a href="mailto:Michal.Trojnara@mirt.net">Michal.Trojnara@mirt.net</a></em>></p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="adaptation_fran__aise">ADAPTATION FRANÇAISE</a></h1>
<dl>
<dt><strong><a name="bernard_choppy" class="item">Bernard Choppy</a></strong></dt>

<dd>
<p><<em class="file">choppy AT free POINT fr</em>></p>
</dd>
</dl>

</body>

</html>
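Review bot: in this generated doc/stunnel.fr.html the <dt> headings for pid, setuid, taskbar, pty and transparent are the only option entries without the <a name="..." class="item"> anchor that every other option carries (compare the chroot or verify entries), so they cannot be cross-referenced; since the same commit also adds the POD source doc/stunnel.fr.pod, the fix belongs there rather than in the rendered HTML. The French text also carries a few typos that will keep propagating into the generated page: « Par défault » (foreground and key entries) for « Par défaut », « débarassée » (options entry) for « débarrassée », « clef privé » in the CERTIFICATS section for « clef privée », and « l_onof » in the socket entry for the struct linger field « l_onoff »; the transparent entry additionally leaves the English fragment « LD_PRELOADing env.so shared library » untranslated inside the French sentence.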
636
doc/stunnel.fr.pod
Normal file
@ -0,0 +1,636 @@
=head1 NOM
|
||||||
|
|
||||||
|
=encoding utf8
|
||||||
|
|
||||||
|
stunnel - tunnel SSL universel
|
||||||
|
|
||||||
|
=head1 SYNOPSIS
|
||||||
|
|
||||||
|
=over 4
|
||||||
|
|
||||||
|
=item B<Unix:>
|
||||||
|
|
||||||
|
B<stunnel> S<[fichier]> | S<-fd [n]> | S<-help> | S<-version> | S<-sockets>
|
||||||
|
|
||||||
|
=item B<WIN32:>
|
||||||
|
|
||||||
|
B<stunnel> S<[fichier]> | S<-install> | S<-uninstall> | S<-help> | S<-version> | S<-sockets>
|
||||||
|
|
||||||
|
=back
|
||||||
|
|
||||||
|
|
||||||
|
=head1 DESCRIPTION
|
||||||
|
|
||||||
|
Le programme B<stunnel> est conçu pour fonctionner comme une couche
|
||||||
|
de chiffrement I<SSL> entre des clients distants et des serveurs locaux
|
||||||
|
(I<inetd>-démarrables) ou distants. Le concept est qu'à partir de daemons
|
||||||
|
non-SSL présents sur le système, on peut facilement les configurer pour
|
||||||
|
communiquer avec des clients sur des liens sécurisés SSL.
|
||||||
|
|
||||||
|
B<stunnel> peut être utilisé pour ajouter des fonctionnalités SSL à des
|
||||||
|
daemons classiques I<Inetd> tels que les serveurs POP-2, POP-3 et IMAP,
|
||||||
|
à d'autres autonomes tels que NNTP, SMTP et HTTP, ainsi que pour tunneliser
|
||||||
|
PPP sur des sockets réseau sans modification du code source.
|
||||||
|
|
||||||
|
Ce produit inclut du code de chiffrement écrit par
|
||||||
|
Eric Young (eay@cryptsoft.com)
|
||||||
|
|
||||||
|
|
||||||
|
=head1 OPTIONS
|
||||||
|
|
||||||
|
=over 4
|
||||||
|
|
||||||
|
=item B<[fichier]>
|
||||||
|
|
||||||
|
Utilisation du fichier de configuration spécifié.
|
||||||
|
|
||||||
|
=item B<-fd [n]> (Unix seulement)
|
||||||
|
|
||||||
|
Lecture du fichier de configuration depuis le descripteur de
|
||||||
|
fichier indiqué.
|
||||||
|
|
||||||
|
=item B<-help>
|
||||||
|
|
||||||
|
Affiche le menu d'aide de B<stunnel>.
|
||||||
|
|
||||||
|
=item B<-version>
|
||||||
|
|
||||||
|
Affiche la version de B<stunnel> et les options de compilation.
|
||||||
|
|
||||||
|
=item B<-sockets>
|
||||||
|
|
||||||
|
Affiche les options socket par défaut.
|
||||||
|
|
||||||
|
=item B<-install> (NT/2000/XP seulement)
|
||||||
|
|
||||||
|
Installe un service NT.
|
||||||
|
|
||||||
|
=item B<-uninstall> (NT/2000/XP only)
|
||||||
|
|
||||||
|
Désinstalle un service NT.
|
||||||
|
|
||||||
|
=back
|
||||||
|
|
||||||
|
|
||||||
|
=head1 FICHIER DE CONFIGURATION
|
||||||
|
|
||||||
|
Chaque ligne du fichier de configuration peut être soitE<nbsp>:
|
||||||
|
|
||||||
|
=over 4
|
||||||
|
|
||||||
|
=item *
|
||||||
|
|
||||||
|
une ligne vide (ignorée)E<nbsp>;
|
||||||
|
|
||||||
|
=item *
|
||||||
|
|
||||||
|
un commentaire commençant par «E<nbsp>#E<nbsp>» (ignoré)E<nbsp>;
|
||||||
|
|
||||||
|
=item *
|
||||||
|
|
||||||
|
une paire «E<nbsp>option = valeurE<nbsp>»E<nbsp>;
|
||||||
|
|
||||||
|
=item *
|
||||||
|
|
||||||
|
«E<nbsp>[service_name]E<nbsp>» indiquant le début de la définition d'un serviceE<nbsp>;
|
||||||
|
|
||||||
|
=back
|
||||||
|
|
||||||
|
=head2 OPTIONS GLOBALES
|
||||||
|
|
||||||
|
=over 4
|
||||||
|
|
||||||
|
=item B<CApath> = répertoire
|
||||||
|
|
||||||
|
Répertoire des autorités de certification (CA)
|
||||||
|
|
||||||
|
C'est le répertoire dans lequel B<stunnel> cherche les certificats si
|
||||||
|
l'on utilise I<verify>. Les certificats doivent être dénommés selon la
|
||||||
|
forme XXXXXXXX.0, où XXXXXXXX est la valeur de hachage du certificat.
|
||||||
|
|
||||||
|
Le cas échéant, le répertoire I<CApath> est relatif au répertoire I<chroot>.
|
||||||
|
|
||||||
|
=item B<CAfile> = fichier
|
||||||
|
|
||||||
|
Fichier d'autorités de certification
|
||||||
|
|
||||||
|
Ce fichier, utilisé avec I<verify>, contient plusieurs certificats de CA.
|
||||||
|
|
||||||
|
=item B<cert> = fichier
|
||||||
|
|
||||||
|
Fichier de chaîne de certificats PEM
|
||||||
|
|
||||||
|
Une PEM est toujours nécessaire en mode serveur.
|
||||||
|
En mode client, cette option utilise cette PEM comme une chaîne côté client.
|
||||||
|
L'utilisation de certificats côté client est optionnelle. Les certificats
|
||||||
|
doivent être au format PEM et triés par ordre de niveau décroissant (CA racine
|
||||||
|
en premier).
|
||||||
|
|
||||||
|
=item B<chroot> = répertoire (Unix seulement)
|
||||||
|
|
||||||
|
Répertoire de chroot du processus B<stunnel>
|
||||||
|
|
||||||
|
B<chroot> enferme B<stunnel> dans une cellule chroot. I<CApath>, I<CRLpath>, I<pid>
|
||||||
|
et I<exec> sont situés à l'intérieur de la cellule et les répertoires doivent être
|
||||||
|
relatifs au répertoire correspondant.
|
||||||
|
|
||||||
|
Pour que le contrôle de libwrap (wrappeur TCP) soit effectif dans un environnement
|
||||||
|
chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et
|
||||||
|
/etc/hosts.deny).
|
||||||
|
|
||||||
|
=item B<ciphers> = listes de chiffre
|
||||||
|
|
||||||
|
Sélection des chiffres SSL autorisés
|
||||||
|
|
||||||
|
Liste délimitée par deux-points («E<nbsp>:E<nbsp>») des chiffres autorisés pour la connexion SSL.
|
||||||
|
ExempleE<nbsp>: DES-CBC3-SHA:IDEA-CBC-MD5
|
||||||
|
|
||||||
|
=item B<client> = yes | no
|
||||||
|
|
||||||
|
Mode client (Le service distant utilise SSL)
|
||||||
|
|
||||||
|
Par défautE<nbsp>: no (mode server)
|
||||||
|
|
||||||
|
=item B<CRLpath> = répertoire
|
||||||
|
|
||||||
|
Répertoire des listes de révocation de certificats (CRL)
|
||||||
|
|
||||||
|
C'est le répertoire dans lequel B<stunnel> recherche les CRL avec
|
||||||
|
l'option I<verify>. Les CRL doivent être dénommés selon la
|
||||||
|
forme XXXXXXXX.0 où XXXXXXXX est la valeur de hachage de la CRL.
|
||||||
|
|
||||||
|
Le cas échéant, le répertoire I<CRLpath> est relatif au répertoire I<chroot>.
|
||||||
|
|
||||||
|
=item B<CRLfile> = fichier
|
||||||
|
|
||||||
|
Fichier de listes de révocation de certificats (CRL)
|
||||||
|
|
||||||
|
Ce fichier, utilisé avec I<verify>, contient plusieurs CRL.
|
||||||
|
|
||||||
|
=item B<debug> = [facilité.]niveau
|
||||||
|
|
||||||
|
niveau de déverminage
|
||||||
|
|
||||||
|
Le niveau est un nom ou un numéro conforme à ceux de syslogE<nbsp>:
|
||||||
|
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
|
||||||
|
info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux
|
||||||
|
numériquement inférieurs seront affichées. B<debug = debug> ou
|
||||||
|
B<debug = 7> donneront le maximum d'informations. La valeur par défaut
est notice (5).

La facilité syslog «E<nbsp>daemonE<nbsp>» est utilisée, sauf si un autre nom est spécifié
(Win32 ne permet pas l'usage des facilités.)

La casse est ignorée, aussi bien pour la facilité que pour le niveau.

=item B<EGD> = chemin (Unix seulement)

Emplacement du socket du daemon de recueil d'entropie (EGD - Entropy Gathering Daemon)

Socket EGD à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible
seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur).

=item B<foreground> = yes | no (Unix seulement)

Mode avant-plan

Reste en avant-plan (sans fork) et dirige la trace sur stderr
au lieu de syslog (sauf si B<output> est spécifié).

Par défaultE<nbsp>: arrière-plan en mode daemon.

=item B<key> = fichier

Fichier de clef privée pour le certificat spécifié par I<cert>

La clef privée est nécessaire pour authentifier le titulaire du
certificat.
Puisque ce fichier doit rester secret, il ne doit être lisible que
par son propriétaire. Sur les systèmes Unix, on peut utiliser la
commande suivanteE<nbsp>:

chmod 600 fichier

Par défaultE<nbsp>: Valeur de I<cert>

=item B<options> = Options_SSL

Options de la bibliothèque OpenSSL

Le paramètre est l'option OpenSSL décrite dans la page de man
I<SSL_CTX_set_options(3ssl)>, débarassée du préfixe I<SSL_OP_>.
Plusieurs I<options> peuvent être spécifiées.

Par exemple, pour la compatibilité avec l'implantation SSL défaillante
d'Eudora, on peut utiliserE<nbsp>:

options = DONT_INSERT_EMPTY_FRAGMENTS

=item B<output> = fichier

Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.

/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard
(par exemple pour les traiter avec les outils splogger).

=item B<pid> = fichier (Unix seulement)

Emplacement du fichier pid

Si l'argument est vide, aucun fichier ne sera créé.

Le cas échéant, le chemin I<pid> est relatif au répertoire I<chroot>.

=item B<RNDbytes> = nombre

Nombre d'octets à lire depuis les fichiers de «E<nbsp>selE<nbsp>» aléatoire

Avec les SSL de version inférieure à 0.9.5a, détermine aussi le nombre
d'octets considérés comme suffisants pour «E<nbsp>salerE<nbsp>» le PRNG. Les versions plus
récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire
est suffisant.

=item B<RNDfile> = fichier

chemin du fichier de données de «E<nbsp>selE<nbsp>» aléatoire

La bibliothèque SSL utilise prioritairement les données de ce fichier pour
«E<nbsp>salerE<nbsp>» le générateur d'aléatoire.

=item B<RNDoverwrite> = yes | no

Recouvre les fichiers de «E<nbsp>selE<nbsp>» avec de nouvelles données aléatoires.

Par défautE<nbsp>: yes

=item B<service> = nom

Définit le nom de service à utiliser

B<Sous UnixE<nbsp>:> nom de service du mode I<inetd> pour la bibliothèque TCP Wrapper.

Par défautE<nbsp>: stunnel

=item B<session> = timeout

Timeout du cache de session

=item B<setgid> = nom (Unix seulement)

Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)

=item B<setuid> = nom (Unix seulement)

Nom d'utilisateur utilisé en mode daemon

=item B<socket> = a|l|r:option=valeur[:valeur]

Configure une option de socket accept (a), locale (l) ou distante (r)

Les valeurs de l'option linger sontE<nbsp>: l_onof:l_linger.
Les valeurs de l'option time sontE<nbsp>: tv_sec:tv_usec.

ExemplesE<nbsp>:

socket = l:SO_LINGER=1:60
définit un délai d'une minute pour la clôture des sockets locaux
socket = r:SO_OOBINLINE=yes
Place directement les données hors-bande dans le flux de réception
des sockets distants
socket = a:SO_REUSEADDR=no
désactive la réutilisation d'adresses (activée par défaut)
socket = a:SO_BINDTODEVICE=lo
limite l'acceptation des connexions sur la seule interface de bouclage

=item B<taskbar> = yes | no (WIN32 seulement)

active l'icône de la barre de tâches

Par défautE<nbsp>: yes

=item B<verify> = niveau

Vérifie le certificat du correspondant

niveau 1 - vérifie le certificat s'il est présent
niveau 2 - vérifie le certificat
niveau 3 - contrôle le correspondant avec le certificat local

Par défaut - pas de vérification

=back


=head2 OPTIONS DE SERVICE

Chaque section de configuration commence par le nom du service entre crochets.
Celui-ci est utilisé par le contrôle d'accès de libwrap (TCP Wrappers) et sert
à distinguer les services B<stunnel> dans les fichiers de traces.

Si l'on souhaite utiliser B<stunnel> en mode I<inetd> (lorsqu'un socket lui est
fourni par un serveur comme I<inetd>, I<xinetd> ou I<tcpserver>), il faut se
reporter à la section I<MODE INETD> plus bas.


=over 4

=item B<accept> = [hôte:]port

Accepte des connexions sur le port spécifié

Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses IP de
la machine locale.

=item B<connect> = [hôte:]port

Se connecte au port distant indiqué

Par défaut, l'hôte est localhost.

=item B<delay> = yes | no

Retarde la recherche DNS pour l'option «E<nbsp>connectE<nbsp>»

=item B<exec> = chemin_exécutable (Unix seulement)

Exécute un programme local de type inetd

Le cas échéant, le chemin I<exec> est relatif au répertoire I<chroot>.

=item B<execargs> = $0 $1 $2 ... (Unix seulement)

Arguments pour I<exec>, y compris le nom du programme ($0)

Les quotes ne peuvent actuellement pas être utilisées.
Les arguments sont séparés par un nombre quelconque d'espaces.

=item B<ident> = nom

Applique le contrôle d'identité d'utilisateur IDENT (RFC 1413)

=item B<local> = hôte

Adresse IP de l'interface de sortie utilisée pour les connexions distantes.
Cette option permet de relier une adresse statique locale.

=item B<protocol> = protocole

Négocie avec SSL selon le protocole indiqué

Actuellement gérésE<nbsp>: cifs, nntp, pop3, smtp

=item B<pty> = yes | no (Unix seulement)

Alloue un pseudo-terminal pour l'option «E<nbsp>execE<nbsp>»

=item B<TIMEOUTbusy> = secondes

Durée d'attente de données

=item B<TIMEOUTclose> = secondes

Durée d'attente du close_notify (mis à 0 pour MSIE qui est bogué)

=item B<TIMEOUTidle> = secondes

Durée d'attente sur une connexion inactive

=item B<transparent> = yes | no (Unix seulement)

Mode mandataire transparent

Ré-écrit les adresses pour qu'elles apparaissent provenir de la
machine client SSL plutôt que de celle qui exécute B<stunnel>.
Cette option n'est disponible en mode local (option I<exec>) qu'avec
la bibliothèque partagée LD_PRELOADing env.so shared library et en mode
distant (option I<connect>) sur les noyaux Linux 2.2 compilés avec
l'option I<transparent proxy> et seulement en mode serveur. Cette
option ne se combine pas au mode mandataire (I<connect>) sauf si la
route par défaut du client vers la cible passe par l'hôte qui fait
tourner B<stunnel>, qui ne peut être localhost.

=back


=head1 VALEUR DE RETOUR

B<stunnel> renvoie zéro en cas de succès, une autre valeur en cas d'erreur.


=head1 EXEMPLES

Pour encapsuler votre service I<imapd> local avec SSLE<nbsp>:

[imapd]
accept = 993
exec = /usr/sbin/imapd
execargs = imapd

Pour tunneliser un daemon I<pppd> sur le port 2020E<nbsp>:

[vpn]
accept = 2020
exec = /usr/sbin/pppd
execargs = pppd local
pty = yes

Configuration de I<stunnel.conf> pour utiliser B<stunnel> en mode I<inetd>
qui lance imapd à son tour (il ne doit pas y avoir de section I<[service_name]>)E<nbsp>:

exec = /usr/sbin/imapd
execargs = imapd


=head1 FICHIERS

=over 4

=item F<stunnel.conf>

Fichier de configuration de B<stunnel>

=item F<stunnel.pem>

Certificat et clef privée de B<stunnel>

=back


=head1 BOGUES

L'option I<execargs> n'admet pas les quotes.


=head1 RESTRICTIONS

B<stunnel> ne peut être utilisé pour le daemon FTP en raison de la nature
du protocole FTP qui utilise des ports multiples pour les transferts de données.
Il existe cependant des versions SSL de FTP et de telnet.


=head1 NOTES

=head2 MODE INETD

L'utilisation la plus commune de B<stunnel> consiste à écouter un port
réseau et à établir une communication, soit avec un nouveau port
avec l'option I<connect>, soit avec un programme avec l'option I<exec>.
On peut parfois cependant souhaiter qu'un autre programme reçoive les
connexions entrantes et lance B<stunnel>, par exemple avec I<inetd>,
I<xinetd> ou I<tcpserver>.

Si, par exemple, la ligne suivante se trouve dans I<inetd.conf>E<nbsp>:

imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf

Dans ces cas, c'est le programme du genre I<inetd>-style qui est
responsable de l'établissement de la connexion (I<imaps> ci-dessus) et de passer
celle-ci à B<stunnel>.
Ainsi, B<stunnel> ne doit alors avoir aucune option I<accept>.
Toutes les I<options de niveau service> doivent être placées dans
la section des options globales et aucune section I<[service_name]> ne doit
être présente. Voir la section I<EXEMPLES> pour des exemples de configurations.

=head2 CERTIFICATS

Chaque daemon à propriétés SSL doit présenter un certificat X.509
valide à son interlocuteur. Il a aussi besoin d'une clef privé pour
déchiffrer les données entrantes. La méthode la plus simple pour
obtenir un certificat et une clef est d'engendrer celles-ci avec
le paquetage libre I<OpenSSL>. Plus d'informations sur la génération de
certificats se trouvent dans les pages indiquées plus bas.

Deux choses importantes lors de la génération de paires certificat-clef
pour B<stunnel>E<nbsp>:

=over 4

=item *

la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen
d'obtenir le mot de passe de l'utilisateurE<nbsp>; pour produire une clef non chiffrée,
ajouter l'option I<-nodes> à la commande B<req> de I<OpenSSL>E<nbsp>;

=item *

l'ordre du contenu du fichier I<.pem> est significatifE<nbsp>: il doit contenir d'abord
une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat).
Il doit aussi y avoir des lignes vides après le certificat et après la clef privée.
L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que
le fichier ait l'allure suivanteE<nbsp>:

-----BEGIN RSA PRIVATE KEY-----
[clef encodée]
-----END RSA PRIVATE KEY-----
[ligne vide]
-----BEGIN CERTIFICATE-----
[certificat encodé]
-----END CERTIFICATE-----
[ligne vide]

=back

=head2 ALEATOIRE

B<stunnel> doit «E<nbsp>salerE<nbsp>» le générateur de pseudo-aléatoires PRNG (pseudo random
number generator) afin que SSL utilise un aléatoire de qualité. Les sources suivantes
sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lueE<nbsp>:

=over 4

=item *

le fichier spécifié par I<RNDfile>E<nbsp>;

=item *

le fichier spécifié par la variable d'environnement RANDFILE, à défaut
le fichier .rnd du répertoire $HOME de l'utilisateurE<nbsp>;

=item *

le fichier spécifié par «E<nbsp>--with-randomE<nbsp>» lors de la compilationE<nbsp>;

=item *

le contenu de l'écran (MS-Windows seulement)E<nbsp>;

=item *

le socket EGD spécifié par I<EGD>E<nbsp>;

=item *

le socket EGD spécifié par «E<nbsp>--with-egd-sockE<nbsp>» lors de la compilationE<nbsp>;

=item *

le périphérique /dev/urandom.

=back

Avec un OpenSSL récent (>=OpenSSL 0.9.5a) le chargement de données s'arrête
automatiquement lorsqu'un niveau d'entropie suffisant est atteint.
Les versions précédentes continuent à lire toutes les sources puisqu'aucune
fonction SSL ne leur permet de savoir que suffisamment de données sont disponibles.

Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console,
(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est
pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire
par le biais de I<RNDfile>.

Le fichier spécifié par I<RNDfile> doit contenir des informations aléatoires --
c'est-à-dire des informations différentes à chaque lancement de B<stunnel>.
Cela est géré automatiquement sauf si l'option I<RNDoverwrite> est utilisée.
Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la
commande I<openssl rand> des versions récentes d'OpenSSL sera sans doute utile.

Note importanteE<nbsp>: si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser
celui-ci pour «E<nbsp>salerE<nbsp>» le PRNG même lorsqu'il contrôle l'état de l'aléatoireE<nbsp>;
ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable
qu'il soit utilisé s'il est présent.
Ce n'est pas le comportement de B<stunnel>, c'est celui d'OpenSSL.


=head1 VOIR AUSSI

=over 4

=item L<tcpd(8)>

Service de contrôle d'accès pour les services internet

=item L<inetd(8)>

«E<nbsp>super-serveurE<nbsp>» internet

=item F<http://www.stunnel.org/>

Page de référence de B<stunnel>

=item F<http://www.openssl.org/>

Site web du projet OpenSSL

=back


=head1 AUTEUR

=over 4

=item Michał Trojnara

<F<Michal.Trojnara@mirt.net>>

=back

=head1 ADAPTATION FRANÇAISE

=over 4

=item Bernard Choppy

<F<choppy AT free POINT fr>>

=back
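Review bot: the French POD page in this hunk documents an option layout that no longer matches the 4.53 layout shown in doc/stunnel.pl.8 later in this same commit, so a reader of the French page would place options in the wrong section: `key`, `options`, `session` and `verify` appear here under the global options (the block ending at the `=back` before `=head2 OPTIONS DE SERVICE`), while the Polish page's global section (`chroot` through `taskbar`) has none of them and instead carries `chroot`, `compression`, `engine`, `engineCtrl`, `fips` and `syslog`, which the French page lacks, and its service section starts with `accept`, `CApath`, `CAfile`, `cert`, `ciphers` and `client`, of which the French service section has only `accept`. Two smaller points in the same file are worth fixing in the same pass: the `transparent` entry mixes languages mid-sentence ("la bibliothèque partagée LD_PRELOADing env.so shared library"), and the `foreground` and `key` entries write the default marker as "Par défaultE<nbsp>:" where every other entry uses "Par défautE<nbsp>:".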
1051
doc/stunnel.html
Normal file
File diff suppressed because it is too large
967
doc/stunnel.pl.8
Normal file
@ -0,0 +1,967 @@
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\" ========================================================================
.\"
.IX Title "STUNNEL.PL 8"
.TH STUNNEL.PL 8 "2012.01.14" "4.53" "stunnel"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAZWA"
.IX Header "NAZWA"
stunnel \- uniwersalny tunel protokołu \s-1SSL\s0
.SH "SKŁADNIA"
.IX Header "SKŁADNIA"
.IP "\fBUnix:\fR" 4
.IX Item "Unix:"
\&\fBstunnel\fR [<plik>] | \-fd n | \-help | \-version | \-sockets
.IP "\fB\s-1WIN32:\s0\fR" 4
.IX Item "WIN32:"
\&\fBstunnel\fR [ [\-install | \-uninstall | \-start | \-stop ] | \-exit]
[\-quiet] [<plik>] ] | \-help | \-version | \-sockets
.SH "OPIS"
.IX Header "OPIS"
Program \fBstunnel\fR został zaprojektowany do opakowywania w protokół \fI\s-1SSL\s0\fR
połączeń pomiędzy zdalnymi klientami a lokalnymi lub zdalnymi serwerami.
Przez serwer lokalny rozumiana jest aplikacja przeznaczona do uruchamiania
przy pomocy \fIinetd\fR.
Stunnel pozwala na proste zestawienie komunikacji serwerów nie posiadających
funkcjonalności \fI\s-1SSL\s0\fR poprzez bezpieczne kanały \fI\s-1SSL\s0\fR.
.PP
\&\fBstunnel\fR pozwala dodać funkcjonalność \fI\s-1SSL\s0\fR do powszechnie stosowanych
demonów \fIinetd\fR, np. \fIpop3\fR lub \fIimap\fR, do samodzielnych demonów,
np. \fInntp\fR, \fIsmtp\fR lub \fIhttp\fR, a nawet tunelować ppp poprzez gniazda sieciowe
bez zmian w kodzie źródłowym.
.SH "OPCJE"
.IX Header "OPCJE"
.IP "<\fBplik\fR>" 4
.IX Item "<plik>"
użyj podanego pliku konfiguracyjnego
.IP "\fB\-fd n\fR (tylko Unix)" 4
.IX Item "-fd n (tylko Unix)"
wczytaj konfigurację z podanego deskryptora pliku
.IP "\fB\-help\fR" 4
.IX Item "-help"
drukuj listę wspieranych opcji
.IP "\fB\-version\fR" 4
.IX Item "-version"
drukuj wersję programu i domyślne wartości parametrów
.IP "\fB\-sockets\fR" 4
.IX Item "-sockets"
drukuj domyślne opcje gniazd
.IP "\fB\-install\fR (tylko \s-1NT/2000/XP\s0)" 4
.IX Item "-install (tylko NT/2000/XP)"
instaluj serwis \s-1NT\s0
.IP "\fB\-uninstall\fR (tylko \s-1NT/2000/XP\s0)" 4
.IX Item "-uninstall (tylko NT/2000/XP)"
odinstaluj serwis \s-1NT\s0
.IP "\fB\-start\fR (tylko \s-1NT/2000/XP\s0)" 4
.IX Item "-start (tylko NT/2000/XP)"
uruchom serwis \s-1NT\s0
.IP "\fB\-stop\fR (tylko \s-1NT/2000/XP\s0)" 4
.IX Item "-stop (tylko NT/2000/XP)"
zatrzymaj serwis \s-1NT\s0
.IP "\fB\-exit\fR (tylko Win32)" 4
.IX Item "-exit (tylko Win32)"
zatrzymaj uruchomiony program
.IP "\fB\-quiet\fR (tylko \s-1NT/2000/XP\s0)" 4
.IX Item "-quiet (tylko NT/2000/XP)"
nie wyświetlaj okienka informującego o pomyślnym zainstalowaniu lub
odinstalowaniu
.SH "PLIK KONFIGURACYJNY"
.IX Header "PLIK KONFIGURACYJNY"
Linia w pliku konfiguracyjnym może być:
.IP "\(bu" 4
pusta (ignorowana)
.IP "\(bu" 4
komentarzem rozpoczynającym się znakiem ';' (ignorowana)
.IP "\(bu" 4
parą 'nazwa_opcji = wartość_opcji'
.IP "\(bu" 4
tekstem '[nazwa_usługi]' wskazującym początek definicji usługi
.PP
Parametr adres może być:
.IP "\(bu" 4
numerem portu
.IP "\(bu" 4
oddzieloną średnikiem parą adresu (IPv4, IPv6, lub nazwą domenową) i numeru portu
.IP "\(bu" 4
ścieżką do gniazda Unix (tylko Unix)
.SS "\s-1OPCJE\s0 \s-1GLOBALNE\s0"
.IX Subsection "OPCJE GLOBALNE"
.IP "\fBchroot\fR = katalog (tylko Unix)" 4
.IX Item "chroot = katalog (tylko Unix)"
katalog roboczego korzenia systemu plików
.Sp
Opcja określa katalog, w którym uwięziony zostanie proces programu
\&\fBstunnel\fR tuż po jego inicjalizacji, a przed rozpoczęciem odbierania
połączeń. Ścieżki podane w opcjach \fICApath\fR, \fICRLpath\fR, \fIpid\fR
oraz \fIexec\fR muszą być umieszczone wewnątrz katalogu podanego w opcji
\&\fIchroot\fR i określone względem tego katalogu.
.IP "\fBcompression\fR = deflate | zlib | rle" 4
.IX Item "compression = deflate | zlib | rle"
wybór algorytmu kompresji przesyłanych danych
.Sp
domyślnie: bez kompresji
.Sp
Algorytm deflate jest standardową metodą kompresji zgodnie z \s-1RFC\s0 1951.
.Sp
Kompresja zlib zaimplementowana w OpenSSL 0.9.8 i nowszych nie jest
kompatybilna implementacją OpenSSL 0.9.7.
.Sp
Kompresja rle nie jest zaimplementowana w aktualnych wersjach OpenSSL.
.IP "\fBdebug\fR = poziom[.podsystem]" 4
.IX Item "debug = poziom[.podsystem]"
szczegółowość logowania
.Sp
Poziom logowania można określić przy pomocy jednej z nazw lub liczb:
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6) lub debug (7).
Zapisywane są komunikaty o poziomie niższym (numerycznie) lub równym podanemu.
Do uzyskania najwyższego poziomu szczegółowości można użyć opcji
\&\fIdebug = debug\fR lub \fIdebug = 7\fR. Domyślnym poziomem jest notice (5).
.Sp
O ile nie wyspecyfikowano podsystemu użyty będzie domyślny: daemon.
Podsystemy nie są wspierane przez platformę Win32.
.Sp
Wielkość liter jest ignorowana zarówno dla poziomu jak podsystemu.
.IP "\fB\s-1EGD\s0\fR = ścieżka_do_EGD (tylko Unix)" 4
.IX Item "EGD = ścieżka_do_EGD (tylko Unix)"
ścieżka do gniazda programu Entropy Gathering Daemon
.Sp
Opcja pozwala określić ścieżkę do gniazda programu Entropy Gathering Daemon
używanego do zainicjalizowania generatora ciągów pseudolosowych biblioteki
OpenSSL. Opcja jest dostępna z biblioteką OpenSSL 0.9.5a lub nowszą.
.IP "\fBengine\fR = auto | <identyfikator urządzenia>" 4
.IX Item "engine = auto | <identyfikator urządzenia>"
wybór sprzętowego urządzenia kryptograficznego
.Sp
domyślnie: bez wykorzystania urządzeń kryptograficznych
.Sp
Przykładowa konfiguracja umożliwiająca odczytanie klucza prywatnego z
urządzenia zgodnego z OpenSC:
.Sp
.Vb 7
\& engine=dynamic
\& engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so
\& engineCtrl=ID:pkcs11
\& engineCtrl=LIST_ADD:1
\& engineCtrl=LOAD
\& engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc\-pkcs11.so
\& engineCtrl=INIT
\&
\& [service]
\& engineNum=1
\& key=id_45
.Ve
.IP "\fBengineCtrl\fR = <command>[:<parameter>]" 4
.IX Item "engineCtrl = <command>[:<parameter>]"
konfiguracja urządzenia kryptograficznego
.Sp
Specjalne komendy \*(L"\s-1LOAD\s0\*(R" i \*(L"\s-1INIT\s0\*(R" pozwalają na załadowanie i inicjalizację
modułu kryptograficznego urządzenia.
.IP "\fBfips\fR = yes | no" 4
.IX Item "fips = yes | no"
Włącz lub wyłącz tryb \s-1FIPS\s0 140\-2.
.Sp
Opcja pozwala wyłączyć wejście w tryb \s-1FIPS\s0, jeśli stunnel został skompilowany
ze wsparciem dla \s-1FIPS\s0 140\-2.
.Sp
domyślnie: yes (pracuj w trybie \s-1FIPS\s0 140\-2)
.IP "\fBforeground\fR = yes | no (tylko Unix)" 4
.IX Item "foreground = yes | no (tylko Unix)"
tryb pierwszoplanowy
.Sp
Użycie tej opcji powoduje, że \fIstunnel\fR nie przechodzi w tło logując
swoje komunikaty na konsolę zamiast przez \fIsyslog\fR (o ile nie użyto
opcji \fIoutput\fR).
.IP "\fBoutput\fR = plik" 4
.IX Item "output = plik"
plik, do którego dopisane zostaną logi
.Sp
Użycie tej opcji powoduje dopisanie logów do podanego pliku.
.Sp
Do kierowaniakomunikatów na standardowe wyjście (na przykład po to, żeby
zalogować je programem splogger z pakietu daemontools) można podać jako
parametr urządzenie /dev/stdout.
.IP "\fBpid\fR = plik (tylko Unix)" 4
.IX Item "pid = plik (tylko Unix)"
położenie pliku z numerem procesu
.Sp
Jeżeli argument jest pusty plik nie zostanie stworzony.
.Sp
Jeżeli zdefiniowano katalog \fIchroot\fR, to ścieżka do \fIpid\fR jest określona
względem tego katalogu.
.IP "\fBRNDbytes\fR = liczba_bajtów" 4
.IX Item "RNDbytes = liczba_bajtów"
liczba bajtów do zainicjowania generatora pseudolosowego
.Sp
W wersjach biblioteki OpenSSL starszych niż 0.9.5a opcja ta określa
również liczbę bajtów wystarczających do zainicjowania \s-1PRNG\s0.
Nowsze wersje biblioteki mają wbudowaną funkcję określającą, czy
dostarczona ilość losowości jest wystarczająca do zainicjowania generatora.
.IP "\fBRNDfile\fR = plik" 4
.IX Item "RNDfile = plik"
ścieżka do pliku zawierającego losowe dane
.Sp
Biblioteka OpenSSL użyje danych z tego pliku do zainicjowania
generatora pseudolosowego.
.IP "\fBRNDoverwrite\fR = yes | no" 4
.IX Item "RNDoverwrite = yes | no"
nadpisz plik nowymi wartościami pseudolosowymi
.Sp
domyślnie: yes (nadpisz)
.IP "\fBservice\fR = nazwa_serwisu (tylko Unix)" 4
.IX Item "service = nazwa_serwisu (tylko Unix)"
użyj parametru jako nazwy serwisu dla biblioteki \s-1TCP\s0 Wrapper w trybie \fIinetd\fR
.Sp
domyślnie: stunnel
.IP "\fBsetgid\fR = identyfikator_grupy (tylko Unix)" 4
.IX Item "setgid = identyfikator_grupy (tylko Unix)"
grupa z której prawami pracował będzie \fIstunnel\fR
.IP "\fBsetuid\fR = identyfikator_użytkownika (tylko Unix)" 4
.IX Item "setuid = identyfikator_użytkownika (tylko Unix)"
użytkownik, z którego prawami pracował będzie \fIstunnel\fR
.IP "\fBsocket\fR = a|l|r:option=value[:value]" 4
.IX Item "socket = a|l|r:option=value[:value]"
ustaw opcję na akceptującym/lokalnym/zdalnym gnieździe
.Sp
Dla opcji linger wartości mają postać l_onof:l_linger.
Dla opcji time wartości mają postać tv_sec:tv_usec.
.Sp
Przykłady:
.Sp
.Vb 10
\& socket = l:SO_LINGER=1:60
\& ustaw jednominutowe przeterminowanie
\& przy zamykaniu lokalnego gniazda
\& socket = r:SO_OOBINLINE=yes
\& umieść dane pozapasmowe (out\-of\-band)
\& bezpośrednio w strumieniu danych
\& wejściowych dla zdalnych gniazd
\& socket = a:SO_REUSEADDR=no
\& zablokuj ponowne używanie portu
\& (domyślnie włączone)
\& socket = a:SO_BINDTODEVICE=lo
\& przyjmuj połączenia wyłącznie na
\& interfejsie zwrotnym (ang. loopback)
.Ve
.IP "\fBsyslog\fR = yes | no (tylko Unix)" 4
.IX Item "syslog = yes | no (tylko Unix)"
włącz logowanie poprzez mechanizm syslog
.Sp
domyślnie: yes (włącz)
.IP "\fBtaskbar\fR = yes | no (tylko \s-1WIN32\s0)" 4
.IX Item "taskbar = yes | no (tylko WIN32)"
włącz ikonkę w prawym dolnym rogu ekranu
.Sp
domyślnie: yes (włącz)
.SS "\s-1OPCJE\s0 USŁUG"
.IX Subsection "OPCJE USŁUG"
Każda sekcja konfiguracji usługi zaczyna się jej nazwą ujętą w nawias
kwadratowy. Nazwa usługi używana jest do kontroli dostępu przez
bibliotekę libwrap (\s-1TCP\s0 wrappers) oraz pozwala rozróżnić poszczególne
usługi w logach.
.PP
Jeżeli \fBstunnel\fR ma zostać użyty w trybie \fIinetd\fR, gdzie za odebranie
połączenia odpowiada osobny program (zwykle \fIinetd\fR, \fIxinetd\fR
lub \fItcpserver\fR), należy przeczytać sekcję \fI\s-1TRYB\s0 \s-1INETD\s0\fR poniżej.
.IP "\fBaccept\fR = [adres:]port" 4
.IX Item "accept = [adres:]port"
nasłuchuje na połączenia na podanym adresie i porcie
.Sp
Jeżeli nie został podany adres, \fIstunnel\fR domyślnie nasłuchuje
na wszystkich adresach IPv4 lokalnych interfejsów.
.Sp
Aby nasłuchiwać na wszystkich adresach IPv6 należy użyć:
.Sp
.Vb 1
\& accept = :::port
.Ve
.IP "\fBCApath\fR = katalog_CA" 4
.IX Item "CApath = katalog_CA"
katalog Centrum Certyfikacji
.Sp
Opcja określa katalog, w którym \fBstunnel\fR będzie szukał certyfikatów,
jeżeli użyta została opcja \fIverify\fR. Pliki z certyfikatami muszą
posiadać specjalne nazwy \s-1XXXXXXXX\s0.0, gdzie \s-1XXXXXXXX\s0 jest skrótem
kryptograficznym reprezentacji \s-1DER\s0 nazwy podmiotu certyfikatu.
.Sp
Funkcja skrótu została zmieniona w wersji 1.0.0 biblioteki OpenSSL.
Należy wykonać c_rehash przy zmianie OpenSSL 0.x.x na 1.x.x.
.Sp
Jeżeli zdefiniowano katalog \fIchroot\fR, to ścieżka do \fICApath\fR jest określona
względem tego katalogu.
.IP "\fBCAfile\fR = plik_CA" 4
.IX Item "CAfile = plik_CA"
plik Centrum Certyfikacji
.Sp
Opcja pozwala określić położenie pliku zawierającego certyfikaty używane
przez opcję \fIverify\fR.
.IP "\fBcert\fR = plik_pem" 4
.IX Item "cert = plik_pem"
plik z łańcuchem certyfikatów
.Sp
Opcja określa położenie pliku zawierającego certyfikaty używane przez
program \fBstunnel\fR do uwierzytelnienia się przed drugą stroną połączenia.
Certyfikat jest konieczny, aby używać programu w trybie serwera.
W trybie klienta certyfikat jest opcjonalny.
.IP "\fBciphers\fR = lista_szyfrów" 4
.IX Item "ciphers = lista_szyfrów"
lista dozwolonych szyfrów \s-1SSL\s0
.Sp
Parametrem tej opcji jest lista szyfrów, które będą użyte przy
otwieraniu nowych połączeń \s-1SSL\s0, np.: \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
.IP "\fBclient\fR = yes | no" 4
.IX Item "client = yes | no"
tryb kliencki (zdalna usługa używa \s-1SSL\s0)
.Sp
domyślnie: no (tryb serwerowy)
.IP "\fBconnect\fR = [adres:]port" 4
.IX Item "connect = [adres:]port"
połącz się ze zdalnym serwerem na podany port
.Sp
Jeżeli nie został podany adres, \fIstunnel\fR domyślnie łączy się
|
||||||
|
z lokalnym serwerem.
|
||||||
|
.Sp
|
||||||
|
Komenda może byc użyta wielokrotnie w pojedynczej sekcji
|
||||||
|
celem zapewnienia wysokiej niezawodności lub rozłożenia
|
||||||
|
ruchu pomiędzy wiele serwerów.
|
||||||
|
.IP "\fBCRLpath\fR = katalog_CRL" 4
|
||||||
|
.IX Item "CRLpath = katalog_CRL"
|
||||||
|
katalog List Odwołanych Certyfikatów (\s-1CRL\s0)
|
||||||
|
.Sp
|
||||||
|
Opcja określa katalog, w którym \fBstunnel\fR będzie szukał list \s-1CRL\s0,
|
||||||
|
jeżeli użyta została opcja \fIverify\fR. Pliki z listami \s-1CRL\s0 muszą
|
||||||
|
posiadać specjalne nazwy \s-1XXXXXXXX\s0.r0, gdzie \s-1XXXXXXXX\s0 jest skrótem
|
||||||
|
listy \s-1CRL\s0.
|
||||||
|
.Sp
|
||||||
|
Funkcja skrótu została zmieniona w wersji 1.0.0 biblioteki OpenSSL.
|
||||||
|
Należy wykonać c_rehash przy zmianie OpenSSL 0.x.x na 1.x.x.
|
||||||
|
.Sp
|
||||||
|
Jeżeli zdefiniowano katalog \fIchroot\fR, to ścieżka do \fICRLpath\fR jest określona
|
||||||
|
względem tego katalogu.
|
||||||
|
.IP "\fBCRLfile\fR = plik_CRL" 4
|
||||||
|
.IX Item "CRLfile = plik_CRL"
|
||||||
|
plik List Odwołanych Certyfikatów (\s-1CRL\s0)
|
||||||
|
.Sp
|
||||||
|
Opcja pozwala określić położenie pliku zawierającego listy \s-1CRL\s0 używane
|
||||||
|
przez opcję \fIverify\fR.
|
||||||
|
.IP "\fBcurve\fR = nid" 4
.IX Item "curve = nid"
krzywa dla \s-1ECDH\s0
.Sp
Listę dostępnych krzywych można uzyskać poleceniem:
.Sp
.Vb 1
\& openssl ecparam \-list_curves
.Ve
.Sp
domyślnie: prime256v1
.IP "\fBdelay\fR = yes | no" 4
.IX Item "delay = yes | no"
opóźnij rozwinięcie adresu \s-1DNS\s0 podanego w opcji \fIconnect\fR
.Sp
Opcja jest przydatna przy dynamicznym \s-1DNS\s0, albo gdy usługa \s-1DNS\s0 nie jest
dostępna przy starcie programu stunnel (klient \s-1VPN\s0, połączenie wdzwaniane).
.IP "\fBengineNum\fR = <numer urządzenia>" 4
.IX Item "engineNum = <numer urządzenia>"
wybierz urządzenie do odczyta klucza prywatnego
.Sp
Urządzenia są numerowane od 1 w górę.
.IP "\fBexec\fR = ścieżka_do_programu" 4
.IX Item "exec = ścieżka_do_programu"
wykonaj lokalny program przystosowany do pracy z superdemonem inetd
.Sp
Jeżeli zdefiniowano katalog \fIchroot\fR, to ścieżka do \fIexec\fR jest określona
względem tego katalogu.
.ie n .IP "\fBexecargs\fR = $0 $1 $2 ..." 4
.el .IP "\fBexecargs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ..." 4
.IX Item "execargs = $0 $1 $2 ..."
argumenty do opcji \fIexec\fR włącznie z nazwą programu ($0)
.Sp
Cytowanie nie jest wspierane w obecnej wersji programu.
Argumenty są rozdzielone dowolną liczbą białych znaków.
.IP "\fBfailover\fR = rr | prio" 4
.IX Item "failover = rr | prio"
Strategia wybierania serwerów wyspecyfikowanych parametrami \*(L"connect\*(R".
.Sp
.Vb 2
\& rr (round robin) \- sprawiedliwe rozłożenie obciążenia
\& prio (priority) \- użyj kolejności opcji w pliku konfiguracyjnym
.Ve
.Sp
domyślnie: rr
.IP "\fBident\fR = nazwa_użytkownika" 4
.IX Item "ident = nazwa_użytkownika"
weryfikuj nazwę zdalnego użytkownika korzystając z protokołu \s-1IDENT\s0 (\s-1RFC\s0 1413)
.IP "\fBkey\fR = plik_klucza" 4
.IX Item "key = plik_klucza"
klucz prywatny do certyfikatu podanego w opcji \fIcert\fR
.Sp
Klucz prywatny jest potrzebny do uwierzytelnienia właściciela certyfikatu.
Ponieważ powinien on być zachowany w tajemnicy, prawa do jego odczytu
powinien mieć wyłącznie właściciel pliku. W systemie Unix można to osiągnąć
komendą:
.Sp
.Vb 1
\& chmod 600 keyfile
.Ve
.Sp
domyślnie: wartość opcji \fIcert\fR
.IP "\fBlibwrap\fR = yes | no" 4
.IX Item "libwrap = yes | no"
włącz lub wyłącz korzystanie z /etc/hosts.allow i /etc/hosts.deny.
.Sp
domyślnie: yes
.IP "\fBlocal\fR = serwer" 4
.IX Item "local = serwer"
\&\s-1IP\s0 źródła do nawiązywania zdalnych połączeń
.Sp
Domyślnie używane jest \s-1IP\s0 najbardziej zewnętrznego interfejsu w stronę
serwera, do którego nawiązywane jest połączenie.
.IP "\fBsni\fR = nazwa_usługi:nazwa_serwera (tryb serwera)" 4
.IX Item "sni = nazwa_usługi:nazwa_serwera (tryb serwera)"
Użyj usługi jako podrzędnej (virtualnego serwera) dla rozszerzenia \s-1TLS\s0 Server
Name Indication (\s-1RFC\s0 3546).
.Sp
\&\fInazwa_usługi\fR wskazuje usługę nadrzędną, która odbiera połączenia od klientów
przy pomocy opcji \fIaccept\fR. \fInazwa_serwera\fR wskazuje nazwę serwera
wirtualnego. Z pojedyńczą usługą nadrzędną powiązane jest zwykle wiele usług
podrzędnych. Opcja \fIsni\fR może być rownież użyta wielokrotnie w ramach jednej
usługi podrzędnej.
.Sp
Zarówno usługa nadrzędna jak i podrzędna nie może być skonfigurowana w trybie
klienckim. Opcja \fIconnect\fR usługi podrzędnej jest ignorowana w połączeniu z
opcją \fIprotocol\fR, gdyż połączenie do zdalnego serwera jest w tym wypadku
nawiązywane przed negocjacją \s-1TLS\s0. Uwierzytelnienie przy pomocy biblioteki
libwrap jest realizowane dwukrotnie: najpierw dla usługi nadrzędnej po
odebraniu połączenia \s-1TCP\s0, a następnie dla usługi podrzędnej podczas negocjacji
\&\s-1TLS\s0.
.Sp
Opcja \fIsni\fR jest dostępna począwszy od wersji 1.0.0 biblioteki OpenSSL.
.IP "\fBsni\fR = nazwa_serwera (tryb klienta)" 4
.IX Item "sni = nazwa_serwera (tryb klienta)"
Użyj parametru jako wartości rozszerzenia \s-1TLS\s0 Server Name Indication
(\s-1RFC\s0 3546).
.Sp
Opcja \fIsni\fR jest dostępna począwszy od wersji 1.0.0 biblioteki OpenSSL.
.IP "\fB\s-1OCSP\s0\fR = \s-1URL\s0" 4
.IX Item "OCSP = URL"
serwer \s-1OCSP\s0 do weryfikacji certyfikatów
.IP "\fBOCSPflag\fR = flaga" 4
.IX Item "OCSPflag = flaga"
flaga serwera \s-1OCSP\s0
.Sp
aktualnie wspierane flagi: \s-1NOCERTS\s0, \s-1NOINTERN\s0 \s-1NOSIGS\s0, \s-1NOCHAIN\s0, \s-1NOVERIFY\s0,
\&\s-1NOEXPLICIT\s0, \s-1NOCASIGN\s0, \s-1NODELEGATED\s0, \s-1NOCHECKS\s0, \s-1TRUSTOTHER\s0, \s-1RESPID_KEY\s0, \s-1NOTIME\s0
.Sp
Aby wyspecyfikować kilka flag należy użyć \fIOCSPflag\fR wielokrotnie.
.IP "\fBoptions\fR = opcje_SSL" 4
.IX Item "options = opcje_SSL"
opcje biblioteki OpenSSL
.Sp
Parametrem jest nazwa opcji zgodnie z opisem w \fI\fISSL_CTX_set_options\fI\|(3ssl)\fR,
ale bez przedrostka \fI\s-1SSL_OP_\s0\fR.
Aby wyspecyfikować kilka opcji należy użyć \fIoptions\fR wielokrotnie.
.Sp
Na przykład dla zachowania kompatybilności z błędami implementacji \s-1SSL\s0
w programie Eudora można użyć opcji:
.Sp
.Vb 1
\& options = DONT_INSERT_EMPTY_FRAGMENTS
.Ve
.IP "\fBprotocol\fR = protokół" 4
.IX Item "protocol = protokół"
negocjuj \s-1SSL\s0 podanym protokołem aplikacyjnym (np. \fIstarttls\fR lub \fIstls\fR)
.Sp
Opcji \fIprotocol\fR nie należy używać z szyfrowaniem \s-1SSL\s0 na osobnym porcie.
.Sp
Aktualnie wspierane protokoły:
.RS 4
.IP "\fIcifs\fR" 4
.IX Item "cifs"
Unieudokumentowane rozszerzenie protokołu \s-1CIFS\s0 wspierane przez serwer Samba.
Wsparcie dla tego rozrzeczenia zostało zarzucone w wersji 3.0.0 serwera Samba.
.IP "\fIconnect\fR" 4
.IX Item "connect"
Negocjacja \s-1RFC\s0 2817 \- \fIUpgrading to \s-1TLS\s0 Within \s-1HTTP/1\s0.1\fR, rozdział 5.2 \- \fIRequesting a Tunnel with \s-1CONNECT\s0\fR
.Sp
Ten protokół jest wspierany wyłącznie w trybie klienckim.
.IP "\fIimap\fR" 4
.IX Item "imap"
Negocjacja \s-1RFC\s0 2595 \- \fIUsing \s-1TLS\s0 with \s-1IMAP\s0, \s-1POP3\s0 and \s-1ACAP\s0\fR
.IP "\fInntp\fR" 4
.IX Item "nntp"
Negocjacja \s-1RFC\s0 4642 \- \fIUsing Transport Layer Security (\s-1TLS\s0) with Network News Transfer Protocol (\s-1NNTP\s0)\fR
.Sp
Ten protokół jest wspierany wyłącznie w trybie klienckim.
.IP "\fIpgsql\fR" 4
.IX Item "pgsql"
Negocjacja http://www.postgresql.org/docs/8.3/static/protocol\-flow.html#AEN73982
.IP "\fIpop3\fR" 4
.IX Item "pop3"
Negocjacja \s-1RFC\s0 2449 \- \fI\s-1POP3\s0 Extension Mechanism\fR
.IP "\fIproxy\fR" 4
.IX Item "proxy"
Przekazywanie adresu \s-1IP\s0 haproxy http://haproxy.1wt.eu/download/1.5/doc/proxy\-protocol.txt
.IP "\fIsmtp\fR" 4
.IX Item "smtp"
Negocjacja \s-1RFC\s0 2487 \- \fI\s-1SMTP\s0 Service Extension for Secure \s-1SMTP\s0 over \s-1TLS\s0\fR
.RE
.RS 4
.RE
.IP "\fBprotocolAuthentication\fR = uwierzytelnienie" 4
.IX Item "protocolAuthentication = uwierzytelnienie"
rodzaj uwierzytelnienia do negocjacji protokołu
.Sp
aktualnie wspierane: basic, \s-1NTLM\s0
.Sp
Obecnie typ uwierzytelnienia ma zastosowanie wyłącznie w protokole 'connect'.
.Sp
domyślnie: basic
.IP "\fBprotocolHost\fR = adres:port" 4
.IX Item "protocolHost = adres:port"
adres docelowy do negocjacji protokołu
.IP "\fBprotocolPassword\fR = hasło" 4
.IX Item "protocolPassword = hasło"
hasło do negocjacji protokołu
.IP "\fBprotocolUsername\fR = użytkownik" 4
.IX Item "protocolUsername = użytkownik"
nazwa użytkownika do negocjacji protokołu
.IP "\fBpty\fR = yes | no (tylko Unix)" 4
.IX Item "pty = yes | no (tylko Unix)"
alokuj pseudoterminal dla programu uruchamianego w opcji 'exec'
.IP "\fBretry\fR = yes | no (tylko Unix)" 4
.IX Item "retry = yes | no (tylko Unix)"
połącz ponownie sekcję connect+exec po rozłączeniu
.Sp
domyślnie: no
.IP "\fBsession\fR = przeterminowanie_pamięci_podręcznej_sesji" 4
.IX Item "session = przeterminowanie_pamięci_podręcznej_sesji"
czas w sekundach, po którym sesja \s-1SSL\s0 zostanie usunięta z pamięci podręcznej
.IP "\fBsessiond\fR = adres:port" 4
.IX Item "sessiond = adres:port"
adres sessiond \- servera cache sesji \s-1SSL\s0
.IP "\fBsslVersion\fR = wersja" 4
.IX Item "sslVersion = wersja"
wersja protokołu \s-1SSL\s0
.Sp
Dozwolone opcje: all, SSLv2, SSLv3, TLSv1
.IP "\fBstack\fR = liczba_bajtów (z wyjątkiem modelu \s-1FORK\s0)" 4
.IX Item "stack = liczba_bajtów (z wyjątkiem modelu FORK)"
rozmiar stosu procesora wątku
.IP "\fBTIMEOUTbusy\fR = liczba_sekund" 4
.IX Item "TIMEOUTbusy = liczba_sekund"
czas oczekiwania na spodziewane dane
.IP "\fBTIMEOUTclose\fR = liczba_sekund" 4
.IX Item "TIMEOUTclose = liczba_sekund"
czas oczekiwania na close_notify (ustaw na 0, jeżeli klientem jest \s-1MSIE\s0)
.IP "\fBTIMEOUTconnect\fR = liczba_sekund" 4
.IX Item "TIMEOUTconnect = liczba_sekund"
czas oczekiwania na nawiązanie połączenia
.IP "\fBTIMEOUTidle\fR = liczba_sekund" 4
.IX Item "TIMEOUTidle = liczba_sekund"
maksymalny czas utrzymywania bezczynnego połączenia
.IP "\fBtransparent\fR = none | source | destination | both (tylko Unix)" 4
.IX Item "transparent = none | source | destination | both (tylko Unix)"
tryb przezroczystego proxy na wspieranych platformach
.Sp
Wspierane opcje:
.RS 4
.IP "\fBnone\fR" 4
.IX Item "none"
Zablokuj wsparcie dla przezroczystago proxy. Jest to wartość domyślna.
.IP "\fBsource\fR" 4
.IX Item "source"
Przepisz adres, aby nawiązywane połączenie wydawało się pochodzić
bezpośrednio od klienta, a nie od programu \fIstunnel\fR.
.Sp
Opcja jest aktualnie obsługiwana w:
.RS 4
.IP "Trybie zdalnym (opcja \fIconnect\fR) w systemie \fILinux >=2.6.28\fR" 4
.IX Item "Trybie zdalnym (opcja connect) w systemie Linux >=2.6.28"
Konfiguracja wymaga następujących ustawień iptables oraz routingu
(na przykład w pliku /etc/rc.local lub analogicznym):
.Sp
.Vb 7
\& iptables \-t mangle \-N DIVERT
\& iptables \-t mangle \-A PREROUTING \-p tcp \-m socket \-j DIVERT
\& iptables \-t mangle \-A DIVERT \-j MARK \-\-set\-mark 1
\& iptables \-t mangle \-A DIVERT \-j ACCEPT
\& ip rule add fwmark 1 lookup 100
\& ip route add local 0.0.0.0/0 dev lo table 100
\& echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
.Ve
.Sp
Konfiguracja ta wymaga, aby \fBstunnel\fR był wykonywany jako root i bez opcji \fIsetuid\fR.
.IP "Trybie zdalnym (opcja \fIconnect\fR) w systemie \fILinux 2.2.x\fR" 4
.IX Item "Trybie zdalnym (opcja connect) w systemie Linux 2.2.x"
Konfiguracja ta wymaga skompilowania jądra z opcją \fItransparent proxy\fR.
Docelowa usługa musi być umieszczona na osobnej maszynie, do której routing
kierowany jest poprzez serwer stunnela.
.Sp
Dodatkowo \fBstunnel\fR powinien być wykonywany jako root i bez opcji \fIsetuid\fR.
.IP "Trybie zdalnym (opcja \fIconnect\fR) w systemie \fIFreeBSD >=8.0\fR" 4
.IX Item "Trybie zdalnym (opcja connect) w systemie FreeBSD >=8.0"
Konfiguracja ta wymaga skonfigurowania firewalla i routingu.
\&\fBstunnel\fR musi być wykonywany jako root i bez opcji \fIsetuid\fR.
.IP "Trybie lokalnym (opcja \fIexec\fR)" 4
.IX Item "Trybie lokalnym (opcja exec)"
Konfiguracja ta jest realizowana przy pomocy biblioteki \fIlibstunnel.so\fR.
Do załadowania biblioteki wykorzystywana jest zmienna środowiskowa _RLD_LIST na
platformie Tru64 lub \s-1LD_PRELOAD\s0 na innych platformach.
.RE
.RS 4
.RE
.IP "\fIdestination\fR" 4
.IX Item "destination"
Oryginalny adres docelowy jest używany zamiast opcji \fIconnect\fR.
.Sp
Przykładowana konfiguracja przezroczystego adresu docelowego:
.Sp
.Vb 4
\& [transparent]
\& client=yes
\& accept=<port_stunnela>
\& transparent=destination
.Ve
.Sp
Konfiguracja wymaga następujących ustawień iptables
(na przykład w pliku /etc/rc.local lub analogicznym):
.Sp
.Vb 2
\& /sbin/iptables \-I INPUT \-i eth0 \-p tcp \-\-dport <port_stunnela> \-j ACCEPT
\& /sbin/iptables \-t nat \-I PREROUTING \-i eth0 \-p tcp \-\-dport <port_przekierowany> \-j DNAT \-\-to\-destination <lokalne_ip>:<port_stunnela>
.Ve
.Sp
Przezroczysty adres docelowy jest aktualnie wspierany wyłącznie w systemie Linux.
.IP "\fIboth\fR" 4
.IX Item "both"
Użyj przezroczystego proxy zarówno dla adresu źródłowego jak i docelowego.
.RE
.RS 4
.Sp
Dla zapewnienia kompatybilności z wcześniejszymim wersjami wspierane są dwie
dodatkowe opcje:
.IP "\fIyes\fR" 4
.IX Item "yes"
Opcja została przemianowana na \fIsource\fR.
.IP "\fIno\fR" 4
.IX Item "no"
Opcja została przemianowana na \fInone\fR.
.RE
.RS 4
.RE
.IP "\fBverify\fR = poziom" 4
.IX Item "verify = poziom"
weryfikuj certyfikat drugiej strony połączenia
.RS 4
.IP "\fIpoziom 0\fR \- zarządaj certyfikatu i zignoruj go" 4
.IX Item "poziom 0 - zarządaj certyfikatu i zignoruj go"
.PD 0
.IP "\fIpoziom 1\fR \- weryfikuj, jeżeli został przedstawiony" 4
.IX Item "poziom 1 - weryfikuj, jeżeli został przedstawiony"
.IP "\fIpoziom 2\fR \- weryfikuj z zainstalowanym certyfikatem Centrum Certyfikacji" 4
.IX Item "poziom 2 - weryfikuj z zainstalowanym certyfikatem Centrum Certyfikacji"
.IP "\fIpoziom 3\fR \- weryfikuj z lokalnie zainstalowanym certyfikatem drugiej strony" 4
.IX Item "poziom 3 - weryfikuj z lokalnie zainstalowanym certyfikatem drugiej strony"
.IP "\fIpoziom 4\fR \- weryfikuj z certyfikatem drugiej strony ignorując łańcuch \s-1CA\s0" 4
.IX Item "poziom 4 - weryfikuj z certyfikatem drugiej strony ignorując łańcuch CA"
.IP "\fIdomyślnie\fR \- nie weryfikuj" 4
.IX Item "domyślnie - nie weryfikuj"
.RE
.RS 4
.RE
.PD
.SH "ZWRACANA WARTOŚĆ"
.IX Header "ZWRACANA WARTOŚĆ"
\&\fBstunnel\fR zwraca zero w przypadku sukcesu, lub wartość niezerową
w przypadku błędu.
.SH "SIGNAŁY"
.IX Header "SIGNAŁY"
Następujące sygnały mogą być użyte do sterowania programem w systemie Unix:
.IP "\s-1SIGHUP\s0" 4
.IX Item "SIGHUP"
Załaduj ponownie plik konfiguracyjny.
.Sp
Niektóre globalne opcje nie będą przeładowane:
.RS 4
.IP "\(bu" 4
chroot
.IP "\(bu" 4
foreground
.IP "\(bu" 4
pid
.IP "\(bu" 4
setgid
.IP "\(bu" 4
setuid
.RE
.RS 4
.Sp
Jeżeli wykorzystywana jest opcja 'setuid' stunnel nie będzie mógł załadować
ponownie konfiguracji wykorzystującej uprzywilejowane (<1024) porty.
.Sp
Jeżeli wykorzystywana jest opcja 'chroot' stunnel będzie szukał wszystkich
potrzebnych plików (łącznie z plikiem konfiguracyjnym, certyfikatami, logiem i
plikiem pid) wewnątrz katalogu wskazanego przez 'chroot'.
.RE
.IP "\s-1SIGUSR1\s0" 4
.IX Item "SIGUSR1"
Zamknij i otwórz ponownie log.
Funkcja ta może zostać użyta w skrypcie rotującym log programu stunnel.
.IP "\s-1SIGTERM\s0, \s-1SIGQUIT\s0, \s-1SIGINT\s0" 4
.IX Item "SIGTERM, SIGQUIT, SIGINT"
Zakończ działanie programu.
.PP
Skutek wysłania innych sygnałów jest niezdefiniowany.
.SH "PRZYKŁADY"
.IX Header "PRZYKŁADY"
Szyfrowanie połączeń do lokalnego serwera \fIimapd\fR można użyć:
.PP
.Vb 4
\& [imapd]
\& accept = 993
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.PP
albo w trybie zdalnym:
.PP
.Vb 3
\& [imapd]
\& accept = 993
\& connect = 143
.Ve
.PP
W połączeniu z programem \fIpppd\fR \fBstunnel\fR pozwala zestawić prosty \s-1VPN\s0.
Po stronie serwera nasłuchującego na porcie 2020 jego konfiguracja
może wyglądać następująco:
.PP
.Vb 5
\& [vpn]
\& accept = 2020
\& exec = /usr/sbin/pppd
\& execargs = pppd local
\& pty = yes
.Ve
.PP
Poniższy plik konfiguracyjny może być wykorzystany do uruchomienia
programu \fBstunnel\fR w trybie \fIinetd\fR. Warto zauważyć, że w pliku
konfiguracyjnym nie ma sekcji \fI[nazwa_usługi]\fR.
.PP
.Vb 2
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.SH "NOTKI"
.IX Header "NOTKI"
.SS "\s-1OGRANICZENIA\s0"
.IX Subsection "OGRANICZENIA"
\&\fIstunnel\fR nie może być używany do szyfrowania protokołu \fI\s-1FTP\s0\fR,
ponieważ do przesyłania poszczególnych plików używa on dodatkowych
połączeń otwieranych na portach o dynamicznie przydzielanych numerach.
Istnieją jednak specjalne wersje klientów i serwerów \s-1FTP\s0 pozwalające
na szyfrowanie przesyłanych danych przy pomocy protokołu \fI\s-1SSL\s0\fR.
.SS "\s-1TRYB\s0 \s-1INETD\s0 (tylko Unix)"
.IX Subsection "TRYB INETD (tylko Unix)"
W większości zastosowań \fBstunnel\fR samodzielnie nasłuchuje na porcie
podanym w pliku konfiguracyjnym i tworzy połączenie z innym portem
podanym w opcji \fIconnect\fR lub nowym programem podanym w opcji \fIexec\fR.
Niektórzy wolą jednak wykorzystywać oddzielny program, który odbiera
połączenia, po czym uruchamia program \fBstunnel\fR. Przykładami takich
programów są inetd, xinetd i tcpserver.
.PP
Przykładowa linia pliku /etc/inetd.conf może wyglądać tak:
.PP
.Vb 2
\& imaps stream tcp nowait root /usr/bin/stunnel
\& stunnel /etc/stunnel/imaps.conf
.Ve
.PP
Ponieważ w takich przypadkach połączenie na zdefiniowanym porcie
(tutaj \fIimaps\fR) nawiązuje osobny program (tutaj \fIinetd\fR), \fBstunnel\fR
nie może używać opcji \fIaccept\fR. W pliku konfiguracyjnym nie może
być również zdefiniowana żadna usługa (\fI[nazwa_usługi]\fR), ponieważ
konfiguracja taka pozwala na nawiązanie tylko jednego połączenia.
Wszystkie \fI\s-1OPCJE\s0 USŁUG\fR powinny być umieszczone razem z opcjami
globalnymi. Przykład takiej konfiguracji znajduje się w sekcji
\&\fIPRZYKŁADY\fR.
.SS "\s-1CERTYFIKATY\s0"
.IX Subsection "CERTYFIKATY"
Protokół \s-1SSL\s0 wymaga, aby każdy serwer przedstawiał się nawiązującemu
połączenie klientowi prawidłowym certyfikatem X.509.
Potwierdzenie tożsamości serwera polega na wykazaniu, że posiada on
odpowiadający certyfikatowi klucz prywatny.
Najprostszą metodą uzyskania certyfikatu jest wygenerowanie
go przy pomocy wolnego pakietu \fIOpenSSL\fR. Więcej informacji na temat
generowania certyfikatów można znaleźć na umieszczonych poniżej stronach.
.PP
Istotną kwestią jest kolejność zawartości pliku \fI.pem\fR.
W pierwszej kolejności powinien on zawierać klucz prywatny,
a dopiero za nim podpisany certyfikat (nie żądanie certyfikatu).
Po certyfikacie i kluczu prywatnym powinny znajdować się puste linie.
Jeżeli przed certyfikatem znajdują się dodatkowe informacje tekstowe,
to powinny one zostać usunięte. Otrzymany plik powinien mieć
następującą postać:
.PP
.Vb 8
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
\& [zakodowany klucz]
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
\& [pusta linia]
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
\& [zakodowany certyfikat]
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
\& [pusta linia]
.Ve
.SS "LOSOWOŚĆ"
.IX Subsection "LOSOWOŚĆ"
\&\fBstunnel\fR potrzebuje zainicjować \s-1PRNG\s0 (generator liczb pseudolosowych),
gdyż protokół \s-1SSL\s0 wymaga do bezpieczeństwa kryptograficznego źródła
dobrej losowości. Następujące źródła są kolejno odczytywane aż do
uzyskania wystarczającej ilości entropii:
.IP "\(bu" 4
Zawartość pliku podanego w opcji \fIRNDfile\fR.
.IP "\(bu" 4
Zawartość pliku o nazwie określonej przez zmienną środowiskową
\&\s-1RANDFILE\s0, o ile jest ona ustawiona.
.IP "\(bu" 4
Plik .rnd umieszczony w katalogu domowym użytkownika,
jeżeli zmienna \s-1RANDFILE\s0 nie jest ustawiona.
.IP "\(bu" 4
Plik podany w opcji '\-\-with\-random' w czasie konfiguracji programu.
.IP "\(bu" 4
Zawartość ekranu w systemie Windows.
.IP "\(bu" 4
Gniazdo egd, jeżeli użyta została opcja \fI\s-1EGD\s0\fR.
.IP "\(bu" 4
Gniazdo egd podane w opcji '\-\-with\-egd\-socket' w czasie konfiguracji
programu.
.IP "\(bu" 4
Urządzenie /dev/urandom.
.PP
Współczesne (>=0.9.5a) wersje biblioteki \fIOpenSSL\fR automatycznie
zaprzestają ładowania kolejnych danych w momencie uzyskania wystarczającej
ilości entropii. Wcześniejsze wersje biblioteki wykorzystają wszystkie
powyższe źródła, gdyż nie istnieje tam funkcja pozwalająca określić,
czy uzyskano już wystarczająco dużo danych.
.PP
Warto zwrócić uwagę, że na maszynach z systemem Windows, na których
konsoli nie pracuje użytkownik, zawartość ekranu nie jest wystarczająco
zmienna, aby zainicjować \s-1PRNG\s0. W takim przypadku do zainicjowania
generatora należy użyć opcji \fIRNDfile\fR.
.PP
Plik \fIRNDfile\fR powinien zawierać dane losowe \*(-- również w tym sensie,
że powinny być one inne przy każdym uruchomieniu programu \fBstunnel\fR.
O ile nie użyta została opcja \fIRNDoverwrite\fR jest to robione
automatycznie. Do ręcznego uzyskania takiego pliku użyteczna
może być komenda \fIopenssl rand\fR dostarczana ze współczesnymi
wersjami pakietu \fIOpenSSL\fR.
.PP
Jeszcze jedna istotna informacja \*(-- jeżeli dostępne jest urządzenie
\&\fI/dev/urandom\fR biblioteka \fIOpenSSL\fR ma zwyczaj zasilania nim \s-1PRNG\s0 w trakcie
sprawdzania stanu generatora. W systemach z \fI/dev/urandom\fR urządzenie
to będzie najprawdopodobniej użyte, pomimo że znajduje się na samym końcu
powyższej listy. Jest to właściwość biblioteki \fIOpenSSL\fR, a nie programu
\&\fIstunnel\fR.
.SS "\s-1PARAMETRY\s0 \s-1DH\s0"
.IX Subsection "PARAMETRY DH"
Począwszy od wersji 4.40 stunnel zawiera w kodzie programu 2048\-bitowe
parametry \s-1DH\s0.
.PP
Alternatywnie parametry \s-1DH\s0 można umieścić w pliku razem z certyfikatem:
.PP
.Vb 1
\& openssl dhparam 2048 >> stunnel.pem
.Ve
.PP
Wygenerowanie parametrów \s-1DH\s0 może zająć nawet wiele minut.
.SH "PLIKI"
.IX Header "PLIKI"
.IP "\fIstunnel.conf\fR" 4
.IX Item "stunnel.conf"
plik konfiguracyjny programu
.SH "BŁĘDY"
.IX Header "BŁĘDY"
Opcja \fIexecargs\fR nie obsługuje cytowania.
.SH "ZOBACZ RÓWNIEŻ"
.IX Header "ZOBACZ RÓWNIEŻ"
.IP "\fItcpd\fR\|(8)" 4
.IX Item "tcpd"
biblioteka kontroli dostępu do usług internetowych
.IP "\fIinetd\fR\|(8)" 4
.IX Item "inetd"
\&'super\-serwer' internetowy
.IP "\fIhttp://www.stunnel.org/\fR" 4
.IX Item "http://www.stunnel.org/"
strona domowa programu \fIstunnel\fR
.IP "\fIhttp://www.openssl.org/\fR" 4
.IX Item "http://www.openssl.org/"
strona projektu \fIOpenSSL\fR
.SH "AUTOR"
.IX Header "AUTOR"
.IP "Michał Trojnara" 4
.IX Item "Michał Trojnara"
<\fIMichal.Trojnara@mirt.net\fR>
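Review bot: in the `sslVersion` entry, `Dozwolone opcje: all, SSLv2, SSLv3, TLSv1` documents SSLv2 as an accepted value with no caveat, and the `verify` entry states `domyślnie - nie weryfikuj` (default: do not verify) only as the last item of the level list; both places need one explicit sentence telling the administrator that the defaults leave the peer certificate unchecked and that SSLv2 should be turned off, because this Polish page is what a copying administrator will read. The `ciphers` example `DES-CBC3-SHA:IDEA-CBC-MD5` likewise illustrates the option with a cipher list that should not be copied; a neutral placeholder such as `lista_szyfrów` would serve better. Spelling in the Polish text: `zarządaj` (verify level 0) should be `zażądaj`, `Unieudokumentowane` should be `Nieudokumentowane` and `rozrzeczenia` should be `rozszerzenia` (cifs), `virtualnego` should be `wirtualnego`, `pojedyńczą` should be `pojedynczą` and `rownież` should be `również` (sni), `przezroczystago` should be `przezroczystego` (transparent = none), `Przykładowana` should be `Przykładowa` (transparent = destination), `wcześniejszymim` should be `wcześniejszymi`, `servera` should be `serwera` (sessiond), `SIGNAŁY` should be `SYGNAŁY`, `byc` should be `być` (connect), `odczyta` should be `odczytu` (engineNum), and the opening sentence of PRZYKŁADY, `Szyfrowanie połączeń do lokalnego serwera imapd można użyć:`, is ungrammatical (`Do szyfrowania połączeń do lokalnego serwera imapd można użyć:`). The empty `.RS 4`/`.RE` pairs left after each nested list are harmless pod2man output and need no change.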
1087
doc/stunnel.pl.html
Normal file
File diff suppressed because it is too large
1035
doc/stunnel.pl.pod
Normal file
File diff suppressed because it is too large
1004
doc/stunnel.pod
Normal file
File diff suppressed because it is too large
7377
m4/libtool.m4
vendored
Normal file
File diff suppressed because it is too large
368
m4/ltoptions.m4
vendored
Normal file
@ -0,0 +1,368 @@
# Helper functions for option handling. -*- Autoconf -*-
#
# Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc.
# Written by Gary V. Vaughan, 2004
#
# This file is free software; the Free Software Foundation gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.

# serial 6 ltoptions.m4

# This is to help aclocal find these macros, as it can't see m4_define.
AC_DEFUN([LTOPTIONS_VERSION], [m4_if([1])])


# _LT_MANGLE_OPTION(MACRO-NAME, OPTION-NAME)
# ------------------------------------------
m4_define([_LT_MANGLE_OPTION],
[[_LT_OPTION_]m4_bpatsubst($1__$2, [[^a-zA-Z0-9_]], [_])])


# _LT_SET_OPTION(MACRO-NAME, OPTION-NAME)
# ---------------------------------------
# Set option OPTION-NAME for macro MACRO-NAME, and if there is a
# matching handler defined, dispatch to it. Other OPTION-NAMEs are
# saved as a flag.
m4_define([_LT_SET_OPTION],
[m4_define(_LT_MANGLE_OPTION([$1], [$2]))dnl
m4_ifdef(_LT_MANGLE_DEFUN([$1], [$2]),
_LT_MANGLE_DEFUN([$1], [$2]),
[m4_warning([Unknown $1 option `$2'])])[]dnl
])


# _LT_IF_OPTION(MACRO-NAME, OPTION-NAME, IF-SET, [IF-NOT-SET])
# ------------------------------------------------------------
# Execute IF-SET if OPTION is set, IF-NOT-SET otherwise.
m4_define([_LT_IF_OPTION],
[m4_ifdef(_LT_MANGLE_OPTION([$1], [$2]), [$3], [$4])])


# _LT_UNLESS_OPTIONS(MACRO-NAME, OPTION-LIST, IF-NOT-SET)
# -------------------------------------------------------
# Execute IF-NOT-SET unless all options in OPTION-LIST for MACRO-NAME
# are set.
m4_define([_LT_UNLESS_OPTIONS],
[m4_foreach([_LT_Option], m4_split(m4_normalize([$2])),
[m4_ifdef(_LT_MANGLE_OPTION([$1], _LT_Option),
[m4_define([$0_found])])])[]dnl
m4_ifdef([$0_found], [m4_undefine([$0_found])], [$3
])[]dnl
])


# _LT_SET_OPTIONS(MACRO-NAME, OPTION-LIST)
# ----------------------------------------
# OPTION-LIST is a space-separated list of Libtool options associated
# with MACRO-NAME. If any OPTION has a matching handler declared with
# LT_OPTION_DEFINE, dispatch to that macro; otherwise complain about
|
||||||
|
# the unknown option and exit.
|
||||||
|
m4_defun([_LT_SET_OPTIONS],
|
||||||
|
[# Set options
|
||||||
|
m4_foreach([_LT_Option], m4_split(m4_normalize([$2])),
|
||||||
|
[_LT_SET_OPTION([$1], _LT_Option)])
|
||||||
|
|
||||||
|
m4_if([$1],[LT_INIT],[
|
||||||
|
dnl
|
||||||
|
dnl Simply set some default values (i.e off) if boolean options were not
|
||||||
|
dnl specified:
|
||||||
|
_LT_UNLESS_OPTIONS([LT_INIT], [dlopen], [enable_dlopen=no
|
||||||
|
])
|
||||||
|
_LT_UNLESS_OPTIONS([LT_INIT], [win32-dll], [enable_win32_dll=no
|
||||||
|
])
|
||||||
|
dnl
|
||||||
|
dnl If no reference was made to various pairs of opposing options, then
|
||||||
|
dnl we run the default mode handler for the pair. For example, if neither
|
||||||
|
dnl `shared' nor `disable-shared' was passed, we enable building of shared
|
||||||
|
dnl archives by default:
|
||||||
|
_LT_UNLESS_OPTIONS([LT_INIT], [shared disable-shared], [_LT_ENABLE_SHARED])
|
||||||
|
_LT_UNLESS_OPTIONS([LT_INIT], [static disable-static], [_LT_ENABLE_STATIC])
|
||||||
|
_LT_UNLESS_OPTIONS([LT_INIT], [pic-only no-pic], [_LT_WITH_PIC])
|
||||||
|
_LT_UNLESS_OPTIONS([LT_INIT], [fast-install disable-fast-install],
|
||||||
|
[_LT_ENABLE_FAST_INSTALL])
|
||||||
|
])
|
||||||
|
])# _LT_SET_OPTIONS
|
||||||
|
|
||||||
|
|
||||||
|
## --------------------------------- ##
|
||||||
|
## Macros to handle LT_INIT options. ##
|
||||||
|
## --------------------------------- ##
|
||||||
|
|
||||||
|
# _LT_MANGLE_DEFUN(MACRO-NAME, OPTION-NAME)
|
||||||
|
# -----------------------------------------
|
||||||
|
m4_define([_LT_MANGLE_DEFUN],
|
||||||
|
[[_LT_OPTION_DEFUN_]m4_bpatsubst(m4_toupper([$1__$2]), [[^A-Z0-9_]], [_])])
|
||||||
|
|
||||||
|
|
||||||
|
# LT_OPTION_DEFINE(MACRO-NAME, OPTION-NAME, CODE)
|
||||||
|
# -----------------------------------------------
|
||||||
|
m4_define([LT_OPTION_DEFINE],
|
||||||
|
[m4_define(_LT_MANGLE_DEFUN([$1], [$2]), [$3])[]dnl
|
||||||
|
])# LT_OPTION_DEFINE
|
||||||
|
|
||||||
|
|
||||||
|
# dlopen
|
||||||
|
# ------
|
||||||
|
LT_OPTION_DEFINE([LT_INIT], [dlopen], [enable_dlopen=yes
|
||||||
|
])
|
||||||
|
|
||||||
|
AU_DEFUN([AC_LIBTOOL_DLOPEN],
|
||||||
|
[_LT_SET_OPTION([LT_INIT], [dlopen])
|
||||||
|
AC_DIAGNOSE([obsolete],
|
||||||
|
[$0: Remove this warning and the call to _LT_SET_OPTION when you
|
||||||
|
put the `dlopen' option into LT_INIT's first parameter.])
|
||||||
|
])
|
||||||
|
|
||||||
|
dnl aclocal-1.4 backwards compatibility:
|
||||||
|
dnl AC_DEFUN([AC_LIBTOOL_DLOPEN], [])
|
||||||
|
|
||||||
|
|
||||||
|
# win32-dll
|
||||||
|
# ---------
|
||||||
|
# Declare package support for building win32 dll's.
|
||||||
|
LT_OPTION_DEFINE([LT_INIT], [win32-dll],
|
||||||
|
[enable_win32_dll=yes
|
||||||
|
|
||||||
|
case $host in
|
||||||
|
*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-cegcc*)
|
||||||
|
AC_CHECK_TOOL(AS, as, false)
|
||||||
|
AC_CHECK_TOOL(DLLTOOL, dlltool, false)
|
||||||
|
AC_CHECK_TOOL(OBJDUMP, objdump, false)
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
test -z "$AS" && AS=as
|
||||||
|
_LT_DECL([], [AS], [0], [Assembler program])dnl
|
||||||
|
|
||||||
|
test -z "$DLLTOOL" && DLLTOOL=dlltool
|
||||||
|
_LT_DECL([], [DLLTOOL], [0], [DLL creation program])dnl
|
||||||
|
|
||||||
|
test -z "$OBJDUMP" && OBJDUMP=objdump
|
||||||
|
_LT_DECL([], [OBJDUMP], [0], [Object dumper program])dnl
|
||||||
|
])# win32-dll
|
||||||
|
|
||||||
|
AU_DEFUN([AC_LIBTOOL_WIN32_DLL],
|
||||||
|
[AC_REQUIRE([AC_CANONICAL_HOST])dnl
|
||||||
|
_LT_SET_OPTION([LT_INIT], [win32-dll])
|
||||||
|
AC_DIAGNOSE([obsolete],
|
||||||
|
[$0: Remove this warning and the call to _LT_SET_OPTION when you
|
||||||
|
put the `win32-dll' option into LT_INIT's first parameter.])
|
||||||
|
])
|
||||||
|
|
||||||
|
dnl aclocal-1.4 backwards compatibility:
|
||||||
|
dnl AC_DEFUN([AC_LIBTOOL_WIN32_DLL], [])
|
||||||
|
|
||||||
|
|
||||||
|
# _LT_ENABLE_SHARED([DEFAULT])
|
||||||
|
# ----------------------------
|
||||||
|
# implement the --enable-shared flag, and supports the `shared' and
|
||||||
|
# `disable-shared' LT_INIT options.
|
||||||
|
# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'.
|
||||||
|
m4_define([_LT_ENABLE_SHARED],
|
||||||
|
[m4_define([_LT_ENABLE_SHARED_DEFAULT], [m4_if($1, no, no, yes)])dnl
|
||||||
|
AC_ARG_ENABLE([shared],
|
||||||
|
[AS_HELP_STRING([--enable-shared@<:@=PKGS@:>@],
|
||||||
|
[build shared libraries @<:@default=]_LT_ENABLE_SHARED_DEFAULT[@:>@])],
|
||||||
|
[p=${PACKAGE-default}
|
||||||
|
case $enableval in
|
||||||
|
yes) enable_shared=yes ;;
|
||||||
|
no) enable_shared=no ;;
|
||||||
|
*)
|
||||||
|
enable_shared=no
|
||||||
|
# Look at the argument we got. We use all the common list separators.
|
||||||
|
lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
|
||||||
|
for pkg in $enableval; do
|
||||||
|
IFS="$lt_save_ifs"
|
||||||
|
if test "X$pkg" = "X$p"; then
|
||||||
|
enable_shared=yes
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
IFS="$lt_save_ifs"
|
||||||
|
;;
|
||||||
|
esac],
|
||||||
|
[enable_shared=]_LT_ENABLE_SHARED_DEFAULT)
|
||||||
|
|
||||||
|
_LT_DECL([build_libtool_libs], [enable_shared], [0],
|
||||||
|
[Whether or not to build shared libraries])
|
||||||
|
])# _LT_ENABLE_SHARED
|
||||||
|
|
||||||
|
LT_OPTION_DEFINE([LT_INIT], [shared], [_LT_ENABLE_SHARED([yes])])
|
||||||
|
LT_OPTION_DEFINE([LT_INIT], [disable-shared], [_LT_ENABLE_SHARED([no])])
|
||||||
|
|
||||||
|
# Old names:
|
||||||
|
AC_DEFUN([AC_ENABLE_SHARED],
|
||||||
|
[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[shared])
|
||||||
|
])
|
||||||
|
|
||||||
|
AC_DEFUN([AC_DISABLE_SHARED],
|
||||||
|
[_LT_SET_OPTION([LT_INIT], [disable-shared])
|
||||||
|
])
|
||||||
|
|
||||||
|
AU_DEFUN([AM_ENABLE_SHARED], [AC_ENABLE_SHARED($@)])
|
||||||
|
AU_DEFUN([AM_DISABLE_SHARED], [AC_DISABLE_SHARED($@)])
|
||||||
|
|
||||||
|
dnl aclocal-1.4 backwards compatibility:
|
||||||
|
dnl AC_DEFUN([AM_ENABLE_SHARED], [])
|
||||||
|
dnl AC_DEFUN([AM_DISABLE_SHARED], [])
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# _LT_ENABLE_STATIC([DEFAULT])
|
||||||
|
# ----------------------------
|
||||||
|
# implement the --enable-static flag, and support the `static' and
|
||||||
|
# `disable-static' LT_INIT options.
|
||||||
|
# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'.
|
||||||
|
m4_define([_LT_ENABLE_STATIC],
|
||||||
|
[m4_define([_LT_ENABLE_STATIC_DEFAULT], [m4_if($1, no, no, yes)])dnl
|
||||||
|
AC_ARG_ENABLE([static],
|
||||||
|
[AS_HELP_STRING([--enable-static@<:@=PKGS@:>@],
|
||||||
|
[build static libraries @<:@default=]_LT_ENABLE_STATIC_DEFAULT[@:>@])],
|
||||||
|
[p=${PACKAGE-default}
|
||||||
|
case $enableval in
|
||||||
|
yes) enable_static=yes ;;
|
||||||
|
no) enable_static=no ;;
|
||||||
|
*)
|
||||||
|
enable_static=no
|
||||||
|
# Look at the argument we got. We use all the common list separators.
|
||||||
|
lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
|
||||||
|
for pkg in $enableval; do
|
||||||
|
IFS="$lt_save_ifs"
|
||||||
|
if test "X$pkg" = "X$p"; then
|
||||||
|
enable_static=yes
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
IFS="$lt_save_ifs"
|
||||||
|
;;
|
||||||
|
esac],
|
||||||
|
[enable_static=]_LT_ENABLE_STATIC_DEFAULT)
|
||||||
|
|
||||||
|
_LT_DECL([build_old_libs], [enable_static], [0],
|
||||||
|
[Whether or not to build static libraries])
|
||||||
|
])# _LT_ENABLE_STATIC
|
||||||
|
|
||||||
|
LT_OPTION_DEFINE([LT_INIT], [static], [_LT_ENABLE_STATIC([yes])])
|
||||||
|
LT_OPTION_DEFINE([LT_INIT], [disable-static], [_LT_ENABLE_STATIC([no])])
|
||||||
|
|
||||||
|
# Old names:
|
||||||
|
AC_DEFUN([AC_ENABLE_STATIC],
|
||||||
|
[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[static])
|
||||||
|
])
|
||||||
|
|
||||||
|
AC_DEFUN([AC_DISABLE_STATIC],
|
||||||
|
[_LT_SET_OPTION([LT_INIT], [disable-static])
|
||||||
|
])
|
||||||
|
|
||||||
|
AU_DEFUN([AM_ENABLE_STATIC], [AC_ENABLE_STATIC($@)])
|
||||||
|
AU_DEFUN([AM_DISABLE_STATIC], [AC_DISABLE_STATIC($@)])
|
||||||
|
|
||||||
|
dnl aclocal-1.4 backwards compatibility:
|
||||||
|
dnl AC_DEFUN([AM_ENABLE_STATIC], [])
|
||||||
|
dnl AC_DEFUN([AM_DISABLE_STATIC], [])
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# _LT_ENABLE_FAST_INSTALL([DEFAULT])
|
||||||
|
# ----------------------------------
|
||||||
|
# implement the --enable-fast-install flag, and support the `fast-install'
|
||||||
|
# and `disable-fast-install' LT_INIT options.
|
||||||
|
# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'.
|
||||||
|
m4_define([_LT_ENABLE_FAST_INSTALL],
|
||||||
|
[m4_define([_LT_ENABLE_FAST_INSTALL_DEFAULT], [m4_if($1, no, no, yes)])dnl
|
||||||
|
AC_ARG_ENABLE([fast-install],
|
||||||
|
[AS_HELP_STRING([--enable-fast-install@<:@=PKGS@:>@],
|
||||||
|
[optimize for fast installation @<:@default=]_LT_ENABLE_FAST_INSTALL_DEFAULT[@:>@])],
|
||||||
|
[p=${PACKAGE-default}
|
||||||
|
case $enableval in
|
||||||
|
yes) enable_fast_install=yes ;;
|
||||||
|
no) enable_fast_install=no ;;
|
||||||
|
*)
|
||||||
|
enable_fast_install=no
|
||||||
|
# Look at the argument we got. We use all the common list separators.
|
||||||
|
lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
|
||||||
|
for pkg in $enableval; do
|
||||||
|
IFS="$lt_save_ifs"
|
||||||
|
if test "X$pkg" = "X$p"; then
|
||||||
|
enable_fast_install=yes
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
IFS="$lt_save_ifs"
|
||||||
|
;;
|
||||||
|
esac],
|
||||||
|
[enable_fast_install=]_LT_ENABLE_FAST_INSTALL_DEFAULT)
|
||||||
|
|
||||||
|
_LT_DECL([fast_install], [enable_fast_install], [0],
|
||||||
|
[Whether or not to optimize for fast installation])dnl
|
||||||
|
])# _LT_ENABLE_FAST_INSTALL
|
||||||
|
|
||||||
|
LT_OPTION_DEFINE([LT_INIT], [fast-install], [_LT_ENABLE_FAST_INSTALL([yes])])
|
||||||
|
LT_OPTION_DEFINE([LT_INIT], [disable-fast-install], [_LT_ENABLE_FAST_INSTALL([no])])
|
||||||
|
|
||||||
|
# Old names:
|
||||||
|
AU_DEFUN([AC_ENABLE_FAST_INSTALL],
|
||||||
|
[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[fast-install])
|
||||||
|
AC_DIAGNOSE([obsolete],
|
||||||
|
[$0: Remove this warning and the call to _LT_SET_OPTION when you put
|
||||||
|
the `fast-install' option into LT_INIT's first parameter.])
|
||||||
|
])
|
||||||
|
|
||||||
|
AU_DEFUN([AC_DISABLE_FAST_INSTALL],
|
||||||
|
[_LT_SET_OPTION([LT_INIT], [disable-fast-install])
|
||||||
|
AC_DIAGNOSE([obsolete],
|
||||||
|
[$0: Remove this warning and the call to _LT_SET_OPTION when you put
|
||||||
|
the `disable-fast-install' option into LT_INIT's first parameter.])
|
||||||
|
])
|
||||||
|
|
||||||
|
dnl aclocal-1.4 backwards compatibility:
|
||||||
|
dnl AC_DEFUN([AC_ENABLE_FAST_INSTALL], [])
|
||||||
|
dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], [])
|
||||||
|
|
||||||
|
|
||||||
|
# _LT_WITH_PIC([MODE])
|
||||||
|
# --------------------
|
||||||
|
# implement the --with-pic flag, and support the `pic-only' and `no-pic'
|
||||||
|
# LT_INIT options.
|
||||||
|
# MODE is either `yes' or `no'. If omitted, it defaults to `both'.
|
||||||
|
m4_define([_LT_WITH_PIC],
|
||||||
|
[AC_ARG_WITH([pic],
|
||||||
|
[AS_HELP_STRING([--with-pic],
|
||||||
|
[try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
|
||||||
|
[pic_mode="$withval"],
|
||||||
|
[pic_mode=default])
|
||||||
|
|
||||||
|
test -z "$pic_mode" && pic_mode=m4_default([$1], [default])
|
||||||
|
|
||||||
|
_LT_DECL([], [pic_mode], [0], [What type of objects to build])dnl
|
||||||
|
])# _LT_WITH_PIC
|
||||||
|
|
||||||
|
LT_OPTION_DEFINE([LT_INIT], [pic-only], [_LT_WITH_PIC([yes])])
|
||||||
|
LT_OPTION_DEFINE([LT_INIT], [no-pic], [_LT_WITH_PIC([no])])
|
||||||
|
|
||||||
|
# Old name:
|
||||||
|
AU_DEFUN([AC_LIBTOOL_PICMODE],
|
||||||
|
[_LT_SET_OPTION([LT_INIT], [pic-only])
|
||||||
|
AC_DIAGNOSE([obsolete],
|
||||||
|
[$0: Remove this warning and the call to _LT_SET_OPTION when you
|
||||||
|
put the `pic-only' option into LT_INIT's first parameter.])
|
||||||
|
])
|
||||||
|
|
||||||
|
dnl aclocal-1.4 backwards compatibility:
|
||||||
|
dnl AC_DEFUN([AC_LIBTOOL_PICMODE], [])
|
||||||
|
|
||||||
|
## ----------------- ##
|
||||||
|
## LTDL_INIT Options ##
|
||||||
|
## ----------------- ##
|
||||||
|
|
||||||
|
m4_define([_LTDL_MODE], [])
|
||||||
|
LT_OPTION_DEFINE([LTDL_INIT], [nonrecursive],
|
||||||
|
[m4_define([_LTDL_MODE], [nonrecursive])])
|
||||||
|
LT_OPTION_DEFINE([LTDL_INIT], [recursive],
|
||||||
|
[m4_define([_LTDL_MODE], [recursive])])
|
||||||
|
LT_OPTION_DEFINE([LTDL_INIT], [subproject],
|
||||||
|
[m4_define([_LTDL_MODE], [subproject])])
|
||||||
|
|
||||||
|
m4_define([_LTDL_TYPE], [])
|
||||||
|
LT_OPTION_DEFINE([LTDL_INIT], [installable],
|
||||||
|
[m4_define([_LTDL_TYPE], [installable])])
|
||||||
|
LT_OPTION_DEFINE([LTDL_INIT], [convenience],
|
||||||
|
[m4_define([_LTDL_TYPE], [convenience])])
|
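Review bot: the header comment for `_LT_WITH_PIC` says MODE "defaults to `both'" when omitted, but the code stores `pic_mode=default` (both in the `AC_ARG_WITH` fallback and in `m4_default([$1], [default])`), and `pic_mode="$withval"` accepts any string given to `--with-pic=...` without checking it against yes/no, so a typo is passed straight through to libtool; the comment should say `default`, and a `case "$withval" in yes|no) ... esac` would reject bad values at configure time. Minor: the aclocal-1.4 compatibility stub that follows `AC_DISABLE_FAST_INSTALL` is spelled `dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], [])`, inconsistent with the `AC_` name it is meant to shadow. This file is marked vendored, so both fixes belong upstream in libtool; locally the right move is to refresh the whole m4 set (`libtoolize --copy` then `autoreconf -fi`) rather than hand-edit it.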
123 m4/ltsugar.m4 vendored Normal file
@ -0,0 +1,123 @@
|
|||||||
|
# ltsugar.m4 -- libtool m4 base layer. -*-Autoconf-*-
|
||||||
|
#
|
||||||
|
# Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc.
|
||||||
|
# Written by Gary V. Vaughan, 2004
|
||||||
|
#
|
||||||
|
# This file is free software; the Free Software Foundation gives
|
||||||
|
# unlimited permission to copy and/or distribute it, with or without
|
||||||
|
# modifications, as long as this notice is preserved.
|
||||||
|
|
||||||
|
# serial 6 ltsugar.m4
|
||||||
|
|
||||||
|
# This is to help aclocal find these macros, as it can't see m4_define.
|
||||||
|
AC_DEFUN([LTSUGAR_VERSION], [m4_if([0.1])])
|
||||||
|
|
||||||
|
|
||||||
|
# lt_join(SEP, ARG1, [ARG2...])
|
||||||
|
# -----------------------------
|
||||||
|
# Produce ARG1SEPARG2...SEPARGn, omitting [] arguments and their
|
||||||
|
# associated separator.
|
||||||
|
# Needed until we can rely on m4_join from Autoconf 2.62, since all earlier
|
||||||
|
# versions in m4sugar had bugs.
|
||||||
|
m4_define([lt_join],
|
||||||
|
[m4_if([$#], [1], [],
|
||||||
|
[$#], [2], [[$2]],
|
||||||
|
[m4_if([$2], [], [], [[$2]_])$0([$1], m4_shift(m4_shift($@)))])])
|
||||||
|
m4_define([_lt_join],
|
||||||
|
[m4_if([$#$2], [2], [],
|
||||||
|
[m4_if([$2], [], [], [[$1$2]])$0([$1], m4_shift(m4_shift($@)))])])
|
||||||
|
|
||||||
|
|
||||||
|
# lt_car(LIST)
|
||||||
|
# lt_cdr(LIST)
|
||||||
|
# ------------
|
||||||
|
# Manipulate m4 lists.
|
||||||
|
# These macros are necessary as long as will still need to support
|
||||||
|
# Autoconf-2.59 which quotes differently.
|
||||||
|
m4_define([lt_car], [[$1]])
|
||||||
|
m4_define([lt_cdr],
|
||||||
|
[m4_if([$#], 0, [m4_fatal([$0: cannot be called without arguments])],
|
||||||
|
[$#], 1, [],
|
||||||
|
[m4_dquote(m4_shift($@))])])
|
||||||
|
m4_define([lt_unquote], $1)
|
||||||
|
|
||||||
|
|
||||||
|
# lt_append(MACRO-NAME, STRING, [SEPARATOR])
|
||||||
|
# ------------------------------------------
|
||||||
|
# Redefine MACRO-NAME to hold its former content plus `SEPARATOR'`STRING'.
|
||||||
|
# Note that neither SEPARATOR nor STRING are expanded; they are appended
|
||||||
|
# to MACRO-NAME as is (leaving the expansion for when MACRO-NAME is invoked).
|
||||||
|
# No SEPARATOR is output if MACRO-NAME was previously undefined (different
|
||||||
|
# than defined and empty).
|
||||||
|
#
|
||||||
|
# This macro is needed until we can rely on Autoconf 2.62, since earlier
|
||||||
|
# versions of m4sugar mistakenly expanded SEPARATOR but not STRING.
|
||||||
|
m4_define([lt_append],
|
||||||
|
[m4_define([$1],
|
||||||
|
m4_ifdef([$1], [m4_defn([$1])[$3]])[$2])])
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# lt_combine(SEP, PREFIX-LIST, INFIX, SUFFIX1, [SUFFIX2...])
|
||||||
|
# ----------------------------------------------------------
|
||||||
|
# Produce a SEP delimited list of all paired combinations of elements of
|
||||||
|
# PREFIX-LIST with SUFFIX1 through SUFFIXn. Each element of the list
|
||||||
|
# has the form PREFIXmINFIXSUFFIXn.
|
||||||
|
# Needed until we can rely on m4_combine added in Autoconf 2.62.
|
||||||
|
m4_define([lt_combine],
|
||||||
|
[m4_if(m4_eval([$# > 3]), [1],
|
||||||
|
[m4_pushdef([_Lt_sep], [m4_define([_Lt_sep], m4_defn([lt_car]))])]]dnl
|
||||||
|
[[m4_foreach([_Lt_prefix], [$2],
|
||||||
|
[m4_foreach([_Lt_suffix],
|
||||||
|
]m4_dquote(m4_dquote(m4_shift(m4_shift(m4_shift($@)))))[,
|
||||||
|
[_Lt_sep([$1])[]m4_defn([_Lt_prefix])[$3]m4_defn([_Lt_suffix])])])])])
|
||||||
|
|
||||||
|
|
||||||
|
# lt_if_append_uniq(MACRO-NAME, VARNAME, [SEPARATOR], [UNIQ], [NOT-UNIQ])
|
||||||
|
# -----------------------------------------------------------------------
|
||||||
|
# Iff MACRO-NAME does not yet contain VARNAME, then append it (delimited
|
||||||
|
# by SEPARATOR if supplied) and expand UNIQ, else NOT-UNIQ.
|
||||||
|
m4_define([lt_if_append_uniq],
|
||||||
|
[m4_ifdef([$1],
|
||||||
|
[m4_if(m4_index([$3]m4_defn([$1])[$3], [$3$2$3]), [-1],
|
||||||
|
[lt_append([$1], [$2], [$3])$4],
|
||||||
|
[$5])],
|
||||||
|
[lt_append([$1], [$2], [$3])$4])])
|
||||||
|
|
||||||
|
|
||||||
|
# lt_dict_add(DICT, KEY, VALUE)
|
||||||
|
# -----------------------------
|
||||||
|
m4_define([lt_dict_add],
|
||||||
|
[m4_define([$1($2)], [$3])])
|
||||||
|
|
||||||
|
|
||||||
|
# lt_dict_add_subkey(DICT, KEY, SUBKEY, VALUE)
|
||||||
|
# --------------------------------------------
|
||||||
|
m4_define([lt_dict_add_subkey],
|
||||||
|
[m4_define([$1($2:$3)], [$4])])
|
||||||
|
|
||||||
|
|
||||||
|
# lt_dict_fetch(DICT, KEY, [SUBKEY])
|
||||||
|
# ----------------------------------
|
||||||
|
m4_define([lt_dict_fetch],
|
||||||
|
[m4_ifval([$3],
|
||||||
|
m4_ifdef([$1($2:$3)], [m4_defn([$1($2:$3)])]),
|
||||||
|
m4_ifdef([$1($2)], [m4_defn([$1($2)])]))])
|
||||||
|
|
||||||
|
|
||||||
|
# lt_if_dict_fetch(DICT, KEY, [SUBKEY], VALUE, IF-TRUE, [IF-FALSE])
|
||||||
|
# -----------------------------------------------------------------
|
||||||
|
m4_define([lt_if_dict_fetch],
|
||||||
|
[m4_if(lt_dict_fetch([$1], [$2], [$3]), [$4],
|
||||||
|
[$5],
|
||||||
|
[$6])])
|
||||||
|
|
||||||
|
|
||||||
|
# lt_dict_filter(DICT, [SUBKEY], VALUE, [SEPARATOR], KEY, [...])
|
||||||
|
# --------------------------------------------------------------
|
||||||
|
m4_define([lt_dict_filter],
|
||||||
|
[m4_if([$5], [], [],
|
||||||
|
[lt_join(m4_quote(m4_default([$4], [[, ]])),
|
||||||
|
lt_unquote(m4_split(m4_normalize(m4_foreach(_Lt_key, lt_car([m4_shiftn(4, $@)]),
|
||||||
|
[lt_if_dict_fetch([$1], _Lt_key, [$2], [$3], [_Lt_key ])])))))])[]dnl
|
||||||
|
])
|
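Review bot: typo in the `lt_car`/`lt_cdr` comment, "These macros are necessary as long as will still need to support Autoconf-2.59" is missing its subject ("as long as we still need"). Nothing else to flag: per their own comments these are libtool's m4sugar compatibility shims for Autoconf releases before 2.62 (`lt_join`, `lt_append`, `lt_combine`, the `lt_dict_*` helpers), and since the file is vendored it should be refreshed from libtool rather than edited here.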
23 m4/ltversion.m4 vendored Normal file
@ -0,0 +1,23 @@
|
|||||||
|
# ltversion.m4 -- version numbers -*- Autoconf -*-
|
||||||
|
#
|
||||||
|
# Copyright (C) 2004 Free Software Foundation, Inc.
|
||||||
|
# Written by Scott James Remnant, 2004
|
||||||
|
#
|
||||||
|
# This file is free software; the Free Software Foundation gives
|
||||||
|
# unlimited permission to copy and/or distribute it, with or without
|
||||||
|
# modifications, as long as this notice is preserved.
|
||||||
|
|
||||||
|
# Generated from ltversion.in.
|
||||||
|
|
||||||
|
# serial 3017 ltversion.m4
|
||||||
|
# This file is part of GNU Libtool
|
||||||
|
|
||||||
|
m4_define([LT_PACKAGE_VERSION], [2.2.6b])
|
||||||
|
m4_define([LT_PACKAGE_REVISION], [1.3017])
|
||||||
|
|
||||||
|
AC_DEFUN([LTVERSION_VERSION],
|
||||||
|
[macro_version='2.2.6b'
|
||||||
|
macro_revision='1.3017'
|
||||||
|
_LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?])
|
||||||
|
_LT_DECL(, macro_revision, 0)
|
||||||
|
])
|
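Review bot: `LT_PACKAGE_VERSION` pins the vendored macros to libtool 2.2.6b (`macro_revision='1.3017'`), and because `m4/libtool.m4`, `ltoptions.m4`, `ltsugar.m4` and `lt~obsolete.m4` are committed alongside it, the generated `configure` will keep using exactly this libtool regardless of what is installed on the build host; later libtool fixes only arrive when someone re-vendors the set. Please record in the build notes how these files were produced (`libtoolize --copy` followed by `aclocal`/`autoreconf`) so the step can be repeated when libtool is updated, and treat this file as generated output: its own header says "Generated from ltversion.in", so it should never be hand-edited.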
92 m4/lt~obsolete.m4 vendored Normal file
@ -0,0 +1,92 @@
|
|||||||
|
# lt~obsolete.m4 -- aclocal satisfying obsolete definitions. -*-Autoconf-*-
|
||||||
|
#
|
||||||
|
# Copyright (C) 2004, 2005, 2007 Free Software Foundation, Inc.
|
||||||
|
# Written by Scott James Remnant, 2004.
|
||||||
|
#
|
||||||
|
# This file is free software; the Free Software Foundation gives
|
||||||
|
# unlimited permission to copy and/or distribute it, with or without
|
||||||
|
# modifications, as long as this notice is preserved.
|
||||||
|
|
||||||
|
# serial 4 lt~obsolete.m4
|
||||||
|
|
||||||
|
# These exist entirely to fool aclocal when bootstrapping libtool.
|
||||||
|
#
|
||||||
|
# In the past libtool.m4 has provided macros via AC_DEFUN (or AU_DEFUN)
|
||||||
|
# which have later been changed to m4_define as they aren't part of the
|
||||||
|
# exported API, or moved to Autoconf or Automake where they belong.
|
||||||
|
#
|
||||||
|
# The trouble is, aclocal is a bit thick. It'll see the old AC_DEFUN
|
||||||
|
# in /usr/share/aclocal/libtool.m4 and remember it, then when it sees us
|
||||||
|
# using a macro with the same name in our local m4/libtool.m4 it'll
|
||||||
|
# pull the old libtool.m4 in (it doesn't see our shiny new m4_define
|
||||||
|
# and doesn't know about Autoconf macros at all.)
|
||||||
|
#
|
||||||
|
# So we provide this file, which has a silly filename so it's always
|
||||||
|
# included after everything else. This provides aclocal with the
|
||||||
|
# AC_DEFUNs it wants, but when m4 processes it, it doesn't do anything
|
||||||
|
# because those macros already exist, or will be overwritten later.
|
||||||
|
# We use AC_DEFUN over AU_DEFUN for compatibility with aclocal-1.6.
|
||||||
|
#
|
||||||
|
# Anytime we withdraw an AC_DEFUN or AU_DEFUN, remember to add it here.
|
||||||
|
# Yes, that means every name once taken will need to remain here until
|
||||||
|
# we give up compatibility with versions before 1.7, at which point
|
||||||
|
# we need to keep only those names which we still refer to.
|
||||||
|
|
||||||
|
# This is to help aclocal find these macros, as it can't see m4_define.
|
||||||
|
AC_DEFUN([LTOBSOLETE_VERSION], [m4_if([1])])
|
||||||
|
|
||||||
|
m4_ifndef([AC_LIBTOOL_LINKER_OPTION], [AC_DEFUN([AC_LIBTOOL_LINKER_OPTION])])
|
||||||
|
m4_ifndef([AC_PROG_EGREP], [AC_DEFUN([AC_PROG_EGREP])])
|
||||||
|
m4_ifndef([_LT_AC_PROG_ECHO_BACKSLASH], [AC_DEFUN([_LT_AC_PROG_ECHO_BACKSLASH])])
|
||||||
|
m4_ifndef([_LT_AC_SHELL_INIT], [AC_DEFUN([_LT_AC_SHELL_INIT])])
|
||||||
|
m4_ifndef([_LT_AC_SYS_LIBPATH_AIX], [AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX])])
|
||||||
|
m4_ifndef([_LT_PROG_LTMAIN], [AC_DEFUN([_LT_PROG_LTMAIN])])
|
||||||
|
m4_ifndef([_LT_AC_TAGVAR], [AC_DEFUN([_LT_AC_TAGVAR])])
|
||||||
|
m4_ifndef([AC_LTDL_ENABLE_INSTALL], [AC_DEFUN([AC_LTDL_ENABLE_INSTALL])])
|
||||||
|
m4_ifndef([AC_LTDL_PREOPEN], [AC_DEFUN([AC_LTDL_PREOPEN])])
|
||||||
|
m4_ifndef([_LT_AC_SYS_COMPILER], [AC_DEFUN([_LT_AC_SYS_COMPILER])])
|
||||||
|
m4_ifndef([_LT_AC_LOCK], [AC_DEFUN([_LT_AC_LOCK])])
|
||||||
|
m4_ifndef([AC_LIBTOOL_SYS_OLD_ARCHIVE], [AC_DEFUN([AC_LIBTOOL_SYS_OLD_ARCHIVE])])
|
||||||
|
m4_ifndef([_LT_AC_TRY_DLOPEN_SELF], [AC_DEFUN([_LT_AC_TRY_DLOPEN_SELF])])
|
||||||
|
m4_ifndef([AC_LIBTOOL_PROG_CC_C_O], [AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O])])
|
||||||
|
m4_ifndef([AC_LIBTOOL_SYS_HARD_LINK_LOCKS], [AC_DEFUN([AC_LIBTOOL_SYS_HARD_LINK_LOCKS])])
|
||||||
|
m4_ifndef([AC_LIBTOOL_OBJDIR], [AC_DEFUN([AC_LIBTOOL_OBJDIR])])
|
||||||
|
m4_ifndef([AC_LTDL_OBJDIR], [AC_DEFUN([AC_LTDL_OBJDIR])])
|
||||||
|
m4_ifndef([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH], [AC_DEFUN([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH])])
|
||||||
|
m4_ifndef([AC_LIBTOOL_SYS_LIB_STRIP], [AC_DEFUN([AC_LIBTOOL_SYS_LIB_STRIP])])
|
||||||
|
m4_ifndef([AC_PATH_MAGIC], [AC_DEFUN([AC_PATH_MAGIC])])
|
||||||
|
m4_ifndef([AC_PROG_LD_GNU], [AC_DEFUN([AC_PROG_LD_GNU])])
|
||||||
|
m4_ifndef([AC_PROG_LD_RELOAD_FLAG], [AC_DEFUN([AC_PROG_LD_RELOAD_FLAG])])
|
||||||
|
m4_ifndef([AC_DEPLIBS_CHECK_METHOD], [AC_DEFUN([AC_DEPLIBS_CHECK_METHOD])])
|
||||||
|
m4_ifndef([AC_LIBTOOL_PROG_COMPILER_NO_RTTI], [AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_NO_RTTI])])
|
||||||
|
m4_ifndef([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE], [AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE])])
|
||||||
|
m4_ifndef([AC_LIBTOOL_PROG_COMPILER_PIC], [AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_PIC])])
|
||||||
|
m4_ifndef([AC_LIBTOOL_PROG_LD_SHLIBS], [AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS])])
|
||||||
|
m4_ifndef([AC_LIBTOOL_POSTDEP_PREDEP], [AC_DEFUN([AC_LIBTOOL_POSTDEP_PREDEP])])
|
||||||
|
m4_ifndef([LT_AC_PROG_EGREP], [AC_DEFUN([LT_AC_PROG_EGREP])])
|
||||||
|
m4_ifndef([LT_AC_PROG_SED], [AC_DEFUN([LT_AC_PROG_SED])])
|
||||||
|
m4_ifndef([_LT_CC_BASENAME], [AC_DEFUN([_LT_CC_BASENAME])])
|
||||||
|
m4_ifndef([_LT_COMPILER_BOILERPLATE], [AC_DEFUN([_LT_COMPILER_BOILERPLATE])])
|
||||||
|
m4_ifndef([_LT_LINKER_BOILERPLATE], [AC_DEFUN([_LT_LINKER_BOILERPLATE])])
|
||||||
|
m4_ifndef([_AC_PROG_LIBTOOL], [AC_DEFUN([_AC_PROG_LIBTOOL])])
|
||||||
|
m4_ifndef([AC_LIBTOOL_SETUP], [AC_DEFUN([AC_LIBTOOL_SETUP])])
|
||||||
|
m4_ifndef([_LT_AC_CHECK_DLFCN], [AC_DEFUN([_LT_AC_CHECK_DLFCN])])
|
||||||
|
m4_ifndef([AC_LIBTOOL_SYS_DYNAMIC_LINKER], [AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER])])
|
||||||
|
m4_ifndef([_LT_AC_TAGCONFIG], [AC_DEFUN([_LT_AC_TAGCONFIG])])
|
||||||
|
m4_ifndef([AC_DISABLE_FAST_INSTALL], [AC_DEFUN([AC_DISABLE_FAST_INSTALL])])
|
||||||
|
m4_ifndef([_LT_AC_LANG_CXX], [AC_DEFUN([_LT_AC_LANG_CXX])])
|
||||||
|
m4_ifndef([_LT_AC_LANG_F77], [AC_DEFUN([_LT_AC_LANG_F77])])
|
||||||
|
m4_ifndef([_LT_AC_LANG_GCJ], [AC_DEFUN([_LT_AC_LANG_GCJ])])
|
||||||
|
m4_ifndef([AC_LIBTOOL_RC], [AC_DEFUN([AC_LIBTOOL_RC])])
|
||||||
|
m4_ifndef([AC_LIBTOOL_LANG_C_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG])])
|
||||||
|
m4_ifndef([_LT_AC_LANG_C_CONFIG], [AC_DEFUN([_LT_AC_LANG_C_CONFIG])])
|
||||||
|
m4_ifndef([AC_LIBTOOL_LANG_CXX_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG])])
|
||||||
|
m4_ifndef([_LT_AC_LANG_CXX_CONFIG], [AC_DEFUN([_LT_AC_LANG_CXX_CONFIG])])
|
||||||
|
m4_ifndef([AC_LIBTOOL_LANG_F77_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_F77_CONFIG])])
|
||||||
|
m4_ifndef([_LT_AC_LANG_F77_CONFIG], [AC_DEFUN([_LT_AC_LANG_F77_CONFIG])])
|
||||||
|
m4_ifndef([AC_LIBTOOL_LANG_GCJ_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_GCJ_CONFIG])])
|
||||||
|
m4_ifndef([_LT_AC_LANG_GCJ_CONFIG], [AC_DEFUN([_LT_AC_LANG_GCJ_CONFIG])])
|
||||||
|
m4_ifndef([AC_LIBTOOL_LANG_RC_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG])])
|
||||||
|
m4_ifndef([_LT_AC_LANG_RC_CONFIG], [AC_DEFUN([_LT_AC_LANG_RC_CONFIG])])
|
||||||
|
m4_ifndef([AC_LIBTOOL_CONFIG], [AC_DEFUN([AC_LIBTOOL_CONFIG])])
|
||||||
|
m4_ifndef([_LT_AC_FILE_LTDLL_C], [AC_DEFUN([_LT_AC_FILE_LTDLL_C])])
|
73 src/Makefile.am Normal file
@ -0,0 +1,73 @@
|
|||||||
|
## Process this file with automake to produce Makefile.in
|
||||||
|
|
||||||
|
# File lists
|
||||||
|
common_headers = common.h prototypes.h version.h
|
||||||
|
common_sources = str.c file.c client.c log.c options.c protocol.c network.c
|
||||||
|
common_sources += resolver.c ssl.c ctx.c verify.c sthreads.c fd.c stunnel.c
|
||||||
|
unix_sources = pty.c libwrap.c
|
||||||
|
shared_sources = env.c
|
||||||
|
win32_sources = gui.c resources.h resources.rc stunnel.ico
|
||||||
|
|
||||||
|
# Unix executables
|
||||||
|
bin_PROGRAMS = stunnel
|
||||||
|
stunnel_SOURCES = $(common_headers) $(common_sources) $(unix_sources)
|
||||||
|
bin_SCRIPTS = stunnel3
|
||||||
|
|
||||||
|
# Unix shared library
|
||||||
|
pkglib_LTLIBRARIES = libstunnel.la
|
||||||
|
libstunnel_la_SOURCES = $(shared_sources)
|
||||||
|
libstunnel_la_LDFLAGS = -avoid-version
|
||||||
|
|
||||||
|
# Red Hat "by design" bug #82369
|
||||||
|
stunnel_CPPFLAGS = -I/usr/kerberos/include
|
||||||
|
|
||||||
|
# Additional preprocesor definitions
|
||||||
|
stunnel_CPPFLAGS += -I$(SSLDIR)/include
|
||||||
|
stunnel_CPPFLAGS += -DLIBDIR='"$(pkglibdir)"'
|
||||||
|
stunnel_CPPFLAGS += -DCONFDIR='"$(sysconfdir)/stunnel"'
|
||||||
|
stunnel_CPPFLAGS += -DPIDFILE='"$(localstatedir)/run/stunnel/stunnel.pid"'
|
||||||
|
|
||||||
|
# SSL library
|
||||||
|
stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto
|
||||||
|
|
||||||
|
# Win32 executable
|
||||||
|
EXTRA_DIST = nogui.c make.bat makece.bat makew32.bat
|
||||||
|
EXTRA_DIST += mingw.mak evc.mak vc.mak os2.mak
|
||||||
|
EXTRA_PROGRAMS = stunnel.exe
|
||||||
|
stunnel_exe_SOURCES = $(common_headers) $(common_sources) $(win32_sources)
|
||||||
|
|
||||||
|
OPENSSLDIR = /usr/src/openssl-0.9.8s-fips
|
||||||
|
WINCPPFLAGS = -I$(OPENSSLDIR)/inc32
|
||||||
|
# OPENSSLDIR = /usr/src/openssl-1.0.0f-i586
|
||||||
|
# WINCPPFLAGS = -I$(OPENSSLDIR)/include
|
||||||
|
WINCFLAGS = -mthreads -fstack-protector -O2 -Wall -Wextra -Wno-long-long -pedantic
|
||||||
|
WINLDFLAGS = -mthreads -fstack-protector -mwindows -s
|
||||||
|
WINLIBS = -L$(OPENSSLDIR) -lcrypto -lssl -lpsapi -lws2_32 -lgdi32
|
||||||
|
# WINLIBS = -L$(OPENSSLDIR) -lzdll -lcrypto.dll -lssl.dll -lpsapi -lws2_32 -lgdi32
|
||||||
|
# WINLIBS = -L$(OPENSSLDIR) -lzdll -lcrypto -lssl -lpsapi -lws2_32 -lgdi32
|
||||||
|
WINOBJ = str.obj file.obj client.obj log.obj options.obj protocol.obj
|
||||||
|
WINOBJ += network.obj resolver.obj ssl.obj ctx.obj verify.obj sthreads.obj
|
||||||
|
WINOBJ += fd.obj stunnel.obj gui.obj resources.obj
|
||||||
|
WINPREFIX = i586-mingw32msvc-
|
||||||
|
WINGCC = $(WINPREFIX)gcc
|
||||||
|
WINDRES = $(WINPREFIX)windres
|
||||||
|
|
||||||
|
dist-hook: stunnel.exe
|
||||||
|
|
||||||
|
distclean-local:
|
||||||
|
rm -f stunnel.exe
|
||||||
|
|
||||||
|
# SUFFIXES = .c .rc .obj
|
||||||
|
|
||||||
|
stunnel.exe: $(WINOBJ)
|
||||||
|
$(WINGCC) $(WINLDFLAGS) -o stunnel.exe $(WINOBJ) $(WINLIBS)
|
||||||
|
|
||||||
|
%.obj: %.c $(common_headers)
|
||||||
|
$(WINGCC) -c $(WINCPPFLAGS) $(WINCFLAGS) -o $@ $<
|
||||||
|
|
||||||
|
resources.obj: resources.rc resources.h version.h
|
||||||
|
$(WINDRES) --include-dir $(srcdir) $< $@
|
||||||
|
|
||||||
|
mostlyclean-local:
|
||||||
|
-rm -f *.obj
|
||||||
|
|
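Review bot: `dist-hook: stunnel.exe` makes `make dist` cross-compile a Windows binary and ship it inside the source tarball, linked against whatever sits in the hard-coded `OPENSSLDIR = /usr/src/openssl-0.9.8s-fips` on the packager's machine with `WINPREFIX = i586-mingw32msvc-`; a prebuilt executable inside a source distribution cannot be reproduced from that tarball and ties every release to one developer's private OpenSSL tree, so either drop the hook or move the Windows build into a separate, documented release step with a configurable OpenSSL path. Two smaller points in the same hunk: `-lssl -lcrypto` belong in `stunnel_LDADD` rather than `stunnel_LDFLAGS` (automake emits LDFLAGS before the object files on the link line, which breaks with `--as-needed` linkers), and the Unix build gets no hardening flags at all while `WINCFLAGS` at least carries `-fstack-protector`; either add `-fstack-protector` and `-D_FORTIFY_SOURCE=2` through `AM_CFLAGS`/`AM_CPPFLAGS` or state explicitly that this is left to the packager's CFLAGS, and for the MinGW link add `-Wl,--nxcompat -Wl,--dynamicbase` to `WINLDFLAGS` so the Windows binary gets DEP and ASLR. The hard-coded `-I/usr/kerberos/include` is also worth guarding with a configure check rather than being unconditional.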
986 src/Makefile.in Normal file
@ -0,0 +1,986 @@
# Makefile.in generated by automake 1.11.1 from Makefile.am.
# @configure_input@

# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
# Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.

@SET_MAKE@



VPATH = @srcdir@
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
bin_PROGRAMS = stunnel$(EXEEXT)
EXTRA_PROGRAMS = stunnel.exe$(EXEEXT)
subdir = src
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
$(srcdir)/config.h.in $(srcdir)/stunnel3.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = config.h
CONFIG_CLEAN_FILES = stunnel3
CONFIG_CLEAN_VPATH_FILES =
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
*) f=$$p;; \
esac;
am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
am__install_max = 40
am__nobase_strip_setup = \
srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
am__nobase_strip = \
for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
am__nobase_list = $(am__nobase_strip_setup); \
for p in $$list; do echo "$$p $$p"; done | \
sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
$(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
if (++n[$$2] == $(am__install_max)) \
{ print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
END { for (dir in files) print dir, files[dir] }'
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__installdirs = "$(DESTDIR)$(pkglibdir)" "$(DESTDIR)$(bindir)" \
"$(DESTDIR)$(bindir)"
LTLIBRARIES = $(pkglib_LTLIBRARIES)
libstunnel_la_LIBADD =
am__objects_1 = env.lo
am_libstunnel_la_OBJECTS = $(am__objects_1)
libstunnel_la_OBJECTS = $(am_libstunnel_la_OBJECTS)
libstunnel_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
$(libstunnel_la_LDFLAGS) $(LDFLAGS) -o $@
PROGRAMS = $(bin_PROGRAMS)
am__objects_2 =
am__objects_3 = stunnel-str.$(OBJEXT) stunnel-file.$(OBJEXT) \
stunnel-client.$(OBJEXT) stunnel-log.$(OBJEXT) \
stunnel-options.$(OBJEXT) stunnel-protocol.$(OBJEXT) \
stunnel-network.$(OBJEXT) stunnel-resolver.$(OBJEXT) \
stunnel-ssl.$(OBJEXT) stunnel-ctx.$(OBJEXT) \
stunnel-verify.$(OBJEXT) stunnel-sthreads.$(OBJEXT) \
stunnel-fd.$(OBJEXT) stunnel-stunnel.$(OBJEXT)
am__objects_4 = stunnel-pty.$(OBJEXT) stunnel-libwrap.$(OBJEXT)
am_stunnel_OBJECTS = $(am__objects_2) $(am__objects_3) \
$(am__objects_4)
stunnel_OBJECTS = $(am_stunnel_OBJECTS)
stunnel_LDADD = $(LDADD)
stunnel_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
--mode=link $(CCLD) $(stunnel_CFLAGS) $(CFLAGS) \
$(stunnel_LDFLAGS) $(LDFLAGS) -o $@
am__objects_5 = str.$(OBJEXT) file.$(OBJEXT) client.$(OBJEXT) \
log.$(OBJEXT) options.$(OBJEXT) protocol.$(OBJEXT) \
network.$(OBJEXT) resolver.$(OBJEXT) ssl.$(OBJEXT) \
ctx.$(OBJEXT) verify.$(OBJEXT) sthreads.$(OBJEXT) fd.$(OBJEXT) \
stunnel.$(OBJEXT)
am__objects_6 = gui.$(OBJEXT)
am_stunnel_exe_OBJECTS = $(am__objects_2) $(am__objects_5) \
$(am__objects_6)
stunnel_exe_OBJECTS = $(am_stunnel_exe_OBJECTS)
stunnel_exe_LDADD = $(LDADD)
SCRIPTS = $(bin_SCRIPTS)
DEFAULT_INCLUDES = -I.@am__isrc@
depcomp = $(SHELL) $(top_srcdir)/auto/depcomp
am__depfiles_maybe = depfiles
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
CCLD = $(CC)
LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
$(LDFLAGS) -o $@
SOURCES = $(libstunnel_la_SOURCES) $(stunnel_SOURCES) \
$(stunnel_exe_SOURCES)
DIST_SOURCES = $(libstunnel_la_SOURCES) $(stunnel_SOURCES) \
$(stunnel_exe_SOURCES)
ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFAULT_GROUP = @DEFAULT_GROUP@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GREP = @GREP@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LD = @LD@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
LIBTOOL_DEPS = @LIBTOOL_DEPS@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
RANDOM_FILE = @RANDOM_FILE@
RANLIB = @RANLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SSLDIR = @SSLDIR@
STRIP = @STRIP@
VERSION = @VERSION@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
lt_ECHO = @lt_ECHO@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
stunnel_CFLAGS = @stunnel_CFLAGS@
stunnel_LDFLAGF = @stunnel_LDFLAGF@

# SSL library
stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@

# File lists
common_headers = common.h prototypes.h version.h
common_sources = str.c file.c client.c log.c options.c protocol.c \
network.c resolver.c ssl.c ctx.c verify.c sthreads.c fd.c \
stunnel.c
unix_sources = pty.c libwrap.c
shared_sources = env.c
win32_sources = gui.c resources.h resources.rc stunnel.ico
stunnel_SOURCES = $(common_headers) $(common_sources) $(unix_sources)
bin_SCRIPTS = stunnel3

# Unix shared library
pkglib_LTLIBRARIES = libstunnel.la
libstunnel_la_SOURCES = $(shared_sources)
libstunnel_la_LDFLAGS = -avoid-version

# Red Hat "by design" bug #82369

# Additional preprocesor definitions
stunnel_CPPFLAGS = -I/usr/kerberos/include -I$(SSLDIR)/include \
-DLIBDIR='"$(pkglibdir)"' -DCONFDIR='"$(sysconfdir)/stunnel"' \
-DPIDFILE='"$(localstatedir)/run/stunnel/stunnel.pid"'

# Win32 executable
EXTRA_DIST = nogui.c make.bat makece.bat makew32.bat mingw.mak evc.mak \
vc.mak os2.mak
stunnel_exe_SOURCES = $(common_headers) $(common_sources) $(win32_sources)
OPENSSLDIR = /usr/src/openssl-0.9.8s-fips
WINCPPFLAGS = -I$(OPENSSLDIR)/inc32
# OPENSSLDIR = /usr/src/openssl-1.0.0f-i586
# WINCPPFLAGS = -I$(OPENSSLDIR)/include
WINCFLAGS = -mthreads -fstack-protector -O2 -Wall -Wextra -Wno-long-long -pedantic
WINLDFLAGS = -mthreads -fstack-protector -mwindows -s
WINLIBS = -L$(OPENSSLDIR) -lcrypto -lssl -lpsapi -lws2_32 -lgdi32
# WINLIBS = -L$(OPENSSLDIR) -lzdll -lcrypto.dll -lssl.dll -lpsapi -lws2_32 -lgdi32
# WINLIBS = -L$(OPENSSLDIR) -lzdll -lcrypto -lssl -lpsapi -lws2_32 -lgdi32
WINOBJ = str.obj file.obj client.obj log.obj options.obj protocol.obj \
network.obj resolver.obj ssl.obj ctx.obj verify.obj \
sthreads.obj fd.obj stunnel.obj gui.obj resources.obj
WINPREFIX = i586-mingw32msvc-
WINGCC = $(WINPREFIX)gcc
WINDRES = $(WINPREFIX)windres
all: config.h
$(MAKE) $(AM_MAKEFLAGS) all-am

.SUFFIXES:
.SUFFIXES: .c .lo .o .obj
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
&& { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --gnu src/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
esac;

$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh

$(top_srcdir)/configure: $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):

config.h: stamp-h1
@if test ! -f $@; then \
rm -f stamp-h1; \
$(MAKE) $(AM_MAKEFLAGS) stamp-h1; \
else :; fi

stamp-h1: $(srcdir)/config.h.in $(top_builddir)/config.status
@rm -f stamp-h1
cd $(top_builddir) && $(SHELL) ./config.status src/config.h
$(srcdir)/config.h.in: $(am__configure_deps)
($(am__cd) $(top_srcdir) && $(AUTOHEADER))
rm -f stamp-h1
touch $@

distclean-hdr:
-rm -f config.h stamp-h1
stunnel3: $(top_builddir)/config.status $(srcdir)/stunnel3.in
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
install-pkglibLTLIBRARIES: $(pkglib_LTLIBRARIES)
@$(NORMAL_INSTALL)
test -z "$(pkglibdir)" || $(MKDIR_P) "$(DESTDIR)$(pkglibdir)"
@list='$(pkglib_LTLIBRARIES)'; test -n "$(pkglibdir)" || list=; \
list2=; for p in $$list; do \
if test -f $$p; then \
list2="$$list2 $$p"; \
else :; fi; \
done; \
test -z "$$list2" || { \
echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(pkglibdir)'"; \
$(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(pkglibdir)"; \
}

uninstall-pkglibLTLIBRARIES:
@$(NORMAL_UNINSTALL)
@list='$(pkglib_LTLIBRARIES)'; test -n "$(pkglibdir)" || list=; \
for p in $$list; do \
$(am__strip_dir) \
echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(pkglibdir)/$$f'"; \
$(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(pkglibdir)/$$f"; \
done

clean-pkglibLTLIBRARIES:
-test -z "$(pkglib_LTLIBRARIES)" || rm -f $(pkglib_LTLIBRARIES)
@list='$(pkglib_LTLIBRARIES)'; for p in $$list; do \
dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
test "$$dir" != "$$p" || dir=.; \
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
libstunnel.la: $(libstunnel_la_OBJECTS) $(libstunnel_la_DEPENDENCIES)
$(libstunnel_la_LINK) -rpath $(pkglibdir) $(libstunnel_la_OBJECTS) $(libstunnel_la_LIBADD) $(LIBS)
install-binPROGRAMS: $(bin_PROGRAMS)
@$(NORMAL_INSTALL)
test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
for p in $$list; do echo "$$p $$p"; done | \
sed 's/$(EXEEXT)$$//' | \
while read p p1; do if test -f $$p || test -f $$p1; \
then echo "$$p"; echo "$$p"; else :; fi; \
done | \
sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
-e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
sed 'N;N;N;s,\n, ,g' | \
$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
{ d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
if ($$2 == $$4) files[d] = files[d] " " $$1; \
else { print "f", $$3 "/" $$4, $$1; } } \
END { for (d in files) print "f", d, files[d] }' | \
while read type dir files; do \
if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
test -z "$$files" || { \
echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \
$(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \
} \
; done

uninstall-binPROGRAMS:
@$(NORMAL_UNINSTALL)
@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
files=`for p in $$list; do echo "$$p"; done | \
sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
-e 's/$$/$(EXEEXT)/' `; \
test -n "$$list" || exit 0; \
echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(bindir)" && rm -f $$files

clean-binPROGRAMS:
@list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \
echo " rm -f" $$list; \
rm -f $$list || exit $$?; \
test -n "$(EXEEXT)" || exit 0; \
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
stunnel$(EXEEXT): $(stunnel_OBJECTS) $(stunnel_DEPENDENCIES)
@rm -f stunnel$(EXEEXT)
$(stunnel_LINK) $(stunnel_OBJECTS) $(stunnel_LDADD) $(LIBS)
install-binSCRIPTS: $(bin_SCRIPTS)
@$(NORMAL_INSTALL)
test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
@list='$(bin_SCRIPTS)'; test -n "$(bindir)" || list=; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
done | \
sed -e 'p;s,.*/,,;n' \
-e 'h;s|.*|.|' \
-e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \
$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \
{ d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
if ($$2 == $$4) { files[d] = files[d] " " $$1; \
if (++n[d] == $(am__install_max)) { \
print "f", d, files[d]; n[d] = 0; files[d] = "" } } \
else { print "f", d "/" $$4, $$1 } } \
END { for (d in files) print "f", d, files[d] }' | \
while read type dir files; do \
if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
test -z "$$files" || { \
echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(bindir)$$dir'"; \
$(INSTALL_SCRIPT) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \
} \
; done

uninstall-binSCRIPTS:
@$(NORMAL_UNINSTALL)
@list='$(bin_SCRIPTS)'; test -n "$(bindir)" || exit 0; \
files=`for p in $$list; do echo "$$p"; done | \
sed -e 's,.*/,,;$(transform)'`; \
test -n "$$list" || exit 0; \
echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(bindir)" && rm -f $$files

mostlyclean-compile:
-rm -f *.$(OBJEXT)

distclean-compile:
-rm -f *.tab.c

@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/client.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ctx.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/env.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fd.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/file.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gui.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/network.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/options.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/protocol.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolver.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sthreads.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/str.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-client.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-ctx.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-fd.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-file.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-libwrap.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-log.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-network.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-options.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-protocol.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-pty.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-resolver.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-ssl.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-sthreads.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-str.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-stunnel.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-verify.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/verify.Po@am__quote@

.c.o:
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(COMPILE) -c $<

.c.obj:
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`

.c.lo:
@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<

stunnel-str.o: str.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-str.o -MD -MP -MF $(DEPDIR)/stunnel-str.Tpo -c -o stunnel-str.o `test -f 'str.c' || echo '$(srcdir)/'`str.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-str.Tpo $(DEPDIR)/stunnel-str.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='str.c' object='stunnel-str.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-str.o `test -f 'str.c' || echo '$(srcdir)/'`str.c

stunnel-str.obj: str.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-str.obj -MD -MP -MF $(DEPDIR)/stunnel-str.Tpo -c -o stunnel-str.obj `if test -f 'str.c'; then $(CYGPATH_W) 'str.c'; else $(CYGPATH_W) '$(srcdir)/str.c'; fi`
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-str.Tpo $(DEPDIR)/stunnel-str.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='str.c' object='stunnel-str.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-str.obj `if test -f 'str.c'; then $(CYGPATH_W) 'str.c'; else $(CYGPATH_W) '$(srcdir)/str.c'; fi`

stunnel-file.o: file.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-file.o -MD -MP -MF $(DEPDIR)/stunnel-file.Tpo -c -o stunnel-file.o `test -f 'file.c' || echo '$(srcdir)/'`file.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-file.Tpo $(DEPDIR)/stunnel-file.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='file.c' object='stunnel-file.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-file.o `test -f 'file.c' || echo '$(srcdir)/'`file.c

stunnel-file.obj: file.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-file.obj -MD -MP -MF $(DEPDIR)/stunnel-file.Tpo -c -o stunnel-file.obj `if test -f 'file.c'; then $(CYGPATH_W) 'file.c'; else $(CYGPATH_W) '$(srcdir)/file.c'; fi`
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-file.Tpo $(DEPDIR)/stunnel-file.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='file.c' object='stunnel-file.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-file.obj `if test -f 'file.c'; then $(CYGPATH_W) 'file.c'; else $(CYGPATH_W) '$(srcdir)/file.c'; fi`

stunnel-client.o: client.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-client.o -MD -MP -MF $(DEPDIR)/stunnel-client.Tpo -c -o stunnel-client.o `test -f 'client.c' || echo '$(srcdir)/'`client.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-client.Tpo $(DEPDIR)/stunnel-client.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='client.c' object='stunnel-client.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-client.o `test -f 'client.c' || echo '$(srcdir)/'`client.c

stunnel-client.obj: client.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-client.obj -MD -MP -MF $(DEPDIR)/stunnel-client.Tpo -c -o stunnel-client.obj `if test -f 'client.c'; then $(CYGPATH_W) 'client.c'; else $(CYGPATH_W) '$(srcdir)/client.c'; fi`
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-client.Tpo $(DEPDIR)/stunnel-client.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='client.c' object='stunnel-client.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-client.obj `if test -f 'client.c'; then $(CYGPATH_W) 'client.c'; else $(CYGPATH_W) '$(srcdir)/client.c'; fi`

stunnel-log.o: log.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-log.o -MD -MP -MF $(DEPDIR)/stunnel-log.Tpo -c -o stunnel-log.o `test -f 'log.c' || echo '$(srcdir)/'`log.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-log.Tpo $(DEPDIR)/stunnel-log.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='log.c' object='stunnel-log.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-log.o `test -f 'log.c' || echo '$(srcdir)/'`log.c

stunnel-log.obj: log.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-log.obj -MD -MP -MF $(DEPDIR)/stunnel-log.Tpo -c -o stunnel-log.obj `if test -f 'log.c'; then $(CYGPATH_W) 'log.c'; else $(CYGPATH_W) '$(srcdir)/log.c'; fi`
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-log.Tpo $(DEPDIR)/stunnel-log.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='log.c' object='stunnel-log.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-log.obj `if test -f 'log.c'; then $(CYGPATH_W) 'log.c'; else $(CYGPATH_W) '$(srcdir)/log.c'; fi`

stunnel-options.o: options.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-options.o -MD -MP -MF $(DEPDIR)/stunnel-options.Tpo -c -o stunnel-options.o `test -f 'options.c' || echo '$(srcdir)/'`options.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-options.Tpo $(DEPDIR)/stunnel-options.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='options.c' object='stunnel-options.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-options.o `test -f 'options.c' || echo '$(srcdir)/'`options.c

stunnel-options.obj: options.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-options.obj -MD -MP -MF $(DEPDIR)/stunnel-options.Tpo -c -o stunnel-options.obj `if test -f 'options.c'; then $(CYGPATH_W) 'options.c'; else $(CYGPATH_W) '$(srcdir)/options.c'; fi`
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-options.Tpo $(DEPDIR)/stunnel-options.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='options.c' object='stunnel-options.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-options.obj `if test -f 'options.c'; then $(CYGPATH_W) 'options.c'; else $(CYGPATH_W) '$(srcdir)/options.c'; fi`
|
||||||
|
|
||||||
|
stunnel-protocol.o: protocol.c
|
||||||
|
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-protocol.o -MD -MP -MF $(DEPDIR)/stunnel-protocol.Tpo -c -o stunnel-protocol.o `test -f 'protocol.c' || echo '$(srcdir)/'`protocol.c
|
||||||
|
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-protocol.Tpo $(DEPDIR)/stunnel-protocol.Po
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='protocol.c' object='stunnel-protocol.o' libtool=no @AMDEPBACKSLASH@
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
|
||||||
|
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-protocol.o `test -f 'protocol.c' || echo '$(srcdir)/'`protocol.c
|
||||||
|
|
||||||
|
stunnel-protocol.obj: protocol.c
|
||||||
|
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-protocol.obj -MD -MP -MF $(DEPDIR)/stunnel-protocol.Tpo -c -o stunnel-protocol.obj `if test -f 'protocol.c'; then $(CYGPATH_W) 'protocol.c'; else $(CYGPATH_W) '$(srcdir)/protocol.c'; fi`
|
||||||
|
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-protocol.Tpo $(DEPDIR)/stunnel-protocol.Po
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='protocol.c' object='stunnel-protocol.obj' libtool=no @AMDEPBACKSLASH@
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
|
||||||
|
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-protocol.obj `if test -f 'protocol.c'; then $(CYGPATH_W) 'protocol.c'; else $(CYGPATH_W) '$(srcdir)/protocol.c'; fi`
|
||||||
|
|
||||||
|
stunnel-network.o: network.c
|
||||||
|
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-network.o -MD -MP -MF $(DEPDIR)/stunnel-network.Tpo -c -o stunnel-network.o `test -f 'network.c' || echo '$(srcdir)/'`network.c
|
||||||
|
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-network.Tpo $(DEPDIR)/stunnel-network.Po
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network.c' object='stunnel-network.o' libtool=no @AMDEPBACKSLASH@
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
|
||||||
|
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-network.o `test -f 'network.c' || echo '$(srcdir)/'`network.c
|
||||||
|
|
||||||
|
stunnel-network.obj: network.c
|
||||||
|
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-network.obj -MD -MP -MF $(DEPDIR)/stunnel-network.Tpo -c -o stunnel-network.obj `if test -f 'network.c'; then $(CYGPATH_W) 'network.c'; else $(CYGPATH_W) '$(srcdir)/network.c'; fi`
|
||||||
|
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-network.Tpo $(DEPDIR)/stunnel-network.Po
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network.c' object='stunnel-network.obj' libtool=no @AMDEPBACKSLASH@
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
|
||||||
|
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-network.obj `if test -f 'network.c'; then $(CYGPATH_W) 'network.c'; else $(CYGPATH_W) '$(srcdir)/network.c'; fi`
|
||||||
|
|
||||||
|
stunnel-resolver.o: resolver.c
|
||||||
|
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-resolver.o -MD -MP -MF $(DEPDIR)/stunnel-resolver.Tpo -c -o stunnel-resolver.o `test -f 'resolver.c' || echo '$(srcdir)/'`resolver.c
|
||||||
|
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-resolver.Tpo $(DEPDIR)/stunnel-resolver.Po
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='resolver.c' object='stunnel-resolver.o' libtool=no @AMDEPBACKSLASH@
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
|
||||||
|
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-resolver.o `test -f 'resolver.c' || echo '$(srcdir)/'`resolver.c
|
||||||
|
|
||||||
|
stunnel-resolver.obj: resolver.c
|
||||||
|
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-resolver.obj -MD -MP -MF $(DEPDIR)/stunnel-resolver.Tpo -c -o stunnel-resolver.obj `if test -f 'resolver.c'; then $(CYGPATH_W) 'resolver.c'; else $(CYGPATH_W) '$(srcdir)/resolver.c'; fi`
|
||||||
|
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-resolver.Tpo $(DEPDIR)/stunnel-resolver.Po
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='resolver.c' object='stunnel-resolver.obj' libtool=no @AMDEPBACKSLASH@
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
|
||||||
|
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-resolver.obj `if test -f 'resolver.c'; then $(CYGPATH_W) 'resolver.c'; else $(CYGPATH_W) '$(srcdir)/resolver.c'; fi`
|
||||||
|
|
||||||
|
stunnel-ssl.o: ssl.c
|
||||||
|
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-ssl.o -MD -MP -MF $(DEPDIR)/stunnel-ssl.Tpo -c -o stunnel-ssl.o `test -f 'ssl.c' || echo '$(srcdir)/'`ssl.c
|
||||||
|
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-ssl.Tpo $(DEPDIR)/stunnel-ssl.Po
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ssl.c' object='stunnel-ssl.o' libtool=no @AMDEPBACKSLASH@
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
|
||||||
|
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-ssl.o `test -f 'ssl.c' || echo '$(srcdir)/'`ssl.c
|
||||||
|
|
||||||
|
stunnel-ssl.obj: ssl.c
|
||||||
|
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-ssl.obj -MD -MP -MF $(DEPDIR)/stunnel-ssl.Tpo -c -o stunnel-ssl.obj `if test -f 'ssl.c'; then $(CYGPATH_W) 'ssl.c'; else $(CYGPATH_W) '$(srcdir)/ssl.c'; fi`
|
||||||
|
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-ssl.Tpo $(DEPDIR)/stunnel-ssl.Po
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ssl.c' object='stunnel-ssl.obj' libtool=no @AMDEPBACKSLASH@
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
|
||||||
|
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-ssl.obj `if test -f 'ssl.c'; then $(CYGPATH_W) 'ssl.c'; else $(CYGPATH_W) '$(srcdir)/ssl.c'; fi`
|
||||||
|
|
||||||
|
stunnel-ctx.o: ctx.c
|
||||||
|
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-ctx.o -MD -MP -MF $(DEPDIR)/stunnel-ctx.Tpo -c -o stunnel-ctx.o `test -f 'ctx.c' || echo '$(srcdir)/'`ctx.c
|
||||||
|
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-ctx.Tpo $(DEPDIR)/stunnel-ctx.Po
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ctx.c' object='stunnel-ctx.o' libtool=no @AMDEPBACKSLASH@
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
|
||||||
|
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-ctx.o `test -f 'ctx.c' || echo '$(srcdir)/'`ctx.c
|
||||||
|
|
||||||
|
stunnel-ctx.obj: ctx.c
|
||||||
|
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-ctx.obj -MD -MP -MF $(DEPDIR)/stunnel-ctx.Tpo -c -o stunnel-ctx.obj `if test -f 'ctx.c'; then $(CYGPATH_W) 'ctx.c'; else $(CYGPATH_W) '$(srcdir)/ctx.c'; fi`
|
||||||
|
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-ctx.Tpo $(DEPDIR)/stunnel-ctx.Po
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ctx.c' object='stunnel-ctx.obj' libtool=no @AMDEPBACKSLASH@
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
|
||||||
|
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-ctx.obj `if test -f 'ctx.c'; then $(CYGPATH_W) 'ctx.c'; else $(CYGPATH_W) '$(srcdir)/ctx.c'; fi`
|
||||||
|
|
||||||
|
stunnel-verify.o: verify.c
|
||||||
|
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-verify.o -MD -MP -MF $(DEPDIR)/stunnel-verify.Tpo -c -o stunnel-verify.o `test -f 'verify.c' || echo '$(srcdir)/'`verify.c
|
||||||
|
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-verify.Tpo $(DEPDIR)/stunnel-verify.Po
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='verify.c' object='stunnel-verify.o' libtool=no @AMDEPBACKSLASH@
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
|
||||||
|
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-verify.o `test -f 'verify.c' || echo '$(srcdir)/'`verify.c
|
||||||
|
|
||||||
|
stunnel-verify.obj: verify.c
|
||||||
|
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-verify.obj -MD -MP -MF $(DEPDIR)/stunnel-verify.Tpo -c -o stunnel-verify.obj `if test -f 'verify.c'; then $(CYGPATH_W) 'verify.c'; else $(CYGPATH_W) '$(srcdir)/verify.c'; fi`
|
||||||
|
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-verify.Tpo $(DEPDIR)/stunnel-verify.Po
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='verify.c' object='stunnel-verify.obj' libtool=no @AMDEPBACKSLASH@
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
|
||||||
|
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-verify.obj `if test -f 'verify.c'; then $(CYGPATH_W) 'verify.c'; else $(CYGPATH_W) '$(srcdir)/verify.c'; fi`
|
||||||
|
|
||||||
|
stunnel-sthreads.o: sthreads.c
|
||||||
|
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-sthreads.o -MD -MP -MF $(DEPDIR)/stunnel-sthreads.Tpo -c -o stunnel-sthreads.o `test -f 'sthreads.c' || echo '$(srcdir)/'`sthreads.c
|
||||||
|
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-sthreads.Tpo $(DEPDIR)/stunnel-sthreads.Po
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sthreads.c' object='stunnel-sthreads.o' libtool=no @AMDEPBACKSLASH@
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
|
||||||
|
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-sthreads.o `test -f 'sthreads.c' || echo '$(srcdir)/'`sthreads.c
|
||||||
|
|
||||||
|
stunnel-sthreads.obj: sthreads.c
|
||||||
|
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-sthreads.obj -MD -MP -MF $(DEPDIR)/stunnel-sthreads.Tpo -c -o stunnel-sthreads.obj `if test -f 'sthreads.c'; then $(CYGPATH_W) 'sthreads.c'; else $(CYGPATH_W) '$(srcdir)/sthreads.c'; fi`
|
||||||
|
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-sthreads.Tpo $(DEPDIR)/stunnel-sthreads.Po
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sthreads.c' object='stunnel-sthreads.obj' libtool=no @AMDEPBACKSLASH@
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
|
||||||
|
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-sthreads.obj `if test -f 'sthreads.c'; then $(CYGPATH_W) 'sthreads.c'; else $(CYGPATH_W) '$(srcdir)/sthreads.c'; fi`
|
||||||
|
|
||||||
|
stunnel-fd.o: fd.c
|
||||||
|
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-fd.o -MD -MP -MF $(DEPDIR)/stunnel-fd.Tpo -c -o stunnel-fd.o `test -f 'fd.c' || echo '$(srcdir)/'`fd.c
|
||||||
|
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-fd.Tpo $(DEPDIR)/stunnel-fd.Po
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fd.c' object='stunnel-fd.o' libtool=no @AMDEPBACKSLASH@
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
|
||||||
|
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-fd.o `test -f 'fd.c' || echo '$(srcdir)/'`fd.c
|
||||||
|
|
||||||
|
stunnel-fd.obj: fd.c
|
||||||
|
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-fd.obj -MD -MP -MF $(DEPDIR)/stunnel-fd.Tpo -c -o stunnel-fd.obj `if test -f 'fd.c'; then $(CYGPATH_W) 'fd.c'; else $(CYGPATH_W) '$(srcdir)/fd.c'; fi`
|
||||||
|
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-fd.Tpo $(DEPDIR)/stunnel-fd.Po
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fd.c' object='stunnel-fd.obj' libtool=no @AMDEPBACKSLASH@
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
|
||||||
|
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-fd.obj `if test -f 'fd.c'; then $(CYGPATH_W) 'fd.c'; else $(CYGPATH_W) '$(srcdir)/fd.c'; fi`
|
||||||
|
|
||||||
|
stunnel-stunnel.o: stunnel.c
|
||||||
|
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-stunnel.o -MD -MP -MF $(DEPDIR)/stunnel-stunnel.Tpo -c -o stunnel-stunnel.o `test -f 'stunnel.c' || echo '$(srcdir)/'`stunnel.c
|
||||||
|
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-stunnel.Tpo $(DEPDIR)/stunnel-stunnel.Po
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='stunnel.c' object='stunnel-stunnel.o' libtool=no @AMDEPBACKSLASH@
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
|
||||||
|
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-stunnel.o `test -f 'stunnel.c' || echo '$(srcdir)/'`stunnel.c
|
||||||
|
|
||||||
|
stunnel-stunnel.obj: stunnel.c
|
||||||
|
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-stunnel.obj -MD -MP -MF $(DEPDIR)/stunnel-stunnel.Tpo -c -o stunnel-stunnel.obj `if test -f 'stunnel.c'; then $(CYGPATH_W) 'stunnel.c'; else $(CYGPATH_W) '$(srcdir)/stunnel.c'; fi`
|
||||||
|
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-stunnel.Tpo $(DEPDIR)/stunnel-stunnel.Po
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='stunnel.c' object='stunnel-stunnel.obj' libtool=no @AMDEPBACKSLASH@
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
|
||||||
|
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-stunnel.obj `if test -f 'stunnel.c'; then $(CYGPATH_W) 'stunnel.c'; else $(CYGPATH_W) '$(srcdir)/stunnel.c'; fi`
|
||||||
|
|
||||||
|
stunnel-pty.o: pty.c
|
||||||
|
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-pty.o -MD -MP -MF $(DEPDIR)/stunnel-pty.Tpo -c -o stunnel-pty.o `test -f 'pty.c' || echo '$(srcdir)/'`pty.c
|
||||||
|
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-pty.Tpo $(DEPDIR)/stunnel-pty.Po
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='pty.c' object='stunnel-pty.o' libtool=no @AMDEPBACKSLASH@
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
|
||||||
|
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-pty.o `test -f 'pty.c' || echo '$(srcdir)/'`pty.c
|
||||||
|
|
||||||
|
stunnel-pty.obj: pty.c
|
||||||
|
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-pty.obj -MD -MP -MF $(DEPDIR)/stunnel-pty.Tpo -c -o stunnel-pty.obj `if test -f 'pty.c'; then $(CYGPATH_W) 'pty.c'; else $(CYGPATH_W) '$(srcdir)/pty.c'; fi`
|
||||||
|
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-pty.Tpo $(DEPDIR)/stunnel-pty.Po
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='pty.c' object='stunnel-pty.obj' libtool=no @AMDEPBACKSLASH@
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
|
||||||
|
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-pty.obj `if test -f 'pty.c'; then $(CYGPATH_W) 'pty.c'; else $(CYGPATH_W) '$(srcdir)/pty.c'; fi`
|
||||||
|
|
||||||
|
stunnel-libwrap.o: libwrap.c
|
||||||
|
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-libwrap.o -MD -MP -MF $(DEPDIR)/stunnel-libwrap.Tpo -c -o stunnel-libwrap.o `test -f 'libwrap.c' || echo '$(srcdir)/'`libwrap.c
|
||||||
|
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-libwrap.Tpo $(DEPDIR)/stunnel-libwrap.Po
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libwrap.c' object='stunnel-libwrap.o' libtool=no @AMDEPBACKSLASH@
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
|
||||||
|
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-libwrap.o `test -f 'libwrap.c' || echo '$(srcdir)/'`libwrap.c
|
||||||
|
|
||||||
|
stunnel-libwrap.obj: libwrap.c
|
||||||
|
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-libwrap.obj -MD -MP -MF $(DEPDIR)/stunnel-libwrap.Tpo -c -o stunnel-libwrap.obj `if test -f 'libwrap.c'; then $(CYGPATH_W) 'libwrap.c'; else $(CYGPATH_W) '$(srcdir)/libwrap.c'; fi`
|
||||||
|
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-libwrap.Tpo $(DEPDIR)/stunnel-libwrap.Po
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libwrap.c' object='stunnel-libwrap.obj' libtool=no @AMDEPBACKSLASH@
|
||||||
|
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
|
||||||
|
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-libwrap.obj `if test -f 'libwrap.c'; then $(CYGPATH_W) 'libwrap.c'; else $(CYGPATH_W) '$(srcdir)/libwrap.c'; fi`
|
||||||
|
|
||||||
|
mostlyclean-libtool:
|
||||||
|
-rm -f *.lo
|
||||||
|
|
||||||
|
clean-libtool:
|
||||||
|
-rm -rf .libs _libs
|
||||||
|
|
||||||
|
ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
|
||||||
|
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
|
||||||
|
unique=`for i in $$list; do \
|
||||||
|
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
|
||||||
|
done | \
|
||||||
|
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
|
||||||
|
END { if (nonempty) { for (i in files) print i; }; }'`; \
|
||||||
|
mkid -fID $$unique
|
||||||
|
tags: TAGS
|
||||||
|
|
||||||
|
TAGS: $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \
|
||||||
|
$(TAGS_FILES) $(LISP)
|
||||||
|
set x; \
|
||||||
|
here=`pwd`; \
|
||||||
|
list='$(SOURCES) $(HEADERS) config.h.in $(LISP) $(TAGS_FILES)'; \
|
||||||
|
unique=`for i in $$list; do \
|
||||||
|
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
|
||||||
|
done | \
|
||||||
|
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
|
||||||
|
END { if (nonempty) { for (i in files) print i; }; }'`; \
|
||||||
|
shift; \
|
||||||
|
if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
|
||||||
|
test -n "$$unique" || unique=$$empty_fix; \
|
||||||
|
if test $$# -gt 0; then \
|
||||||
|
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
|
||||||
|
"$$@" $$unique; \
|
||||||
|
else \
|
||||||
|
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
|
||||||
|
$$unique; \
|
||||||
|
fi; \
|
||||||
|
fi
|
||||||
|
ctags: CTAGS
|
||||||
|
CTAGS: $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \
|
||||||
|
$(TAGS_FILES) $(LISP)
|
||||||
|
list='$(SOURCES) $(HEADERS) config.h.in $(LISP) $(TAGS_FILES)'; \
|
||||||
|
unique=`for i in $$list; do \
|
||||||
|
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
|
||||||
|
done | \
|
||||||
|
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
|
||||||
|
END { if (nonempty) { for (i in files) print i; }; }'`; \
|
||||||
|
test -z "$(CTAGS_ARGS)$$unique" \
|
||||||
|
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
|
||||||
|
$$unique
|
||||||
|
|
||||||
|
GTAGS:
|
||||||
|
here=`$(am__cd) $(top_builddir) && pwd` \
|
||||||
|
&& $(am__cd) $(top_srcdir) \
|
||||||
|
&& gtags -i $(GTAGS_ARGS) "$$here"
|
||||||
|
|
||||||
|
distclean-tags:
|
||||||
|
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
|
||||||
|
|
||||||
|
distdir: $(DISTFILES)
|
||||||
|
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
|
||||||
|
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
|
||||||
|
list='$(DISTFILES)'; \
|
||||||
|
dist_files=`for file in $$list; do echo $$file; done | \
|
||||||
|
sed -e "s|^$$srcdirstrip/||;t" \
|
||||||
|
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
|
||||||
|
case $$dist_files in \
|
||||||
|
*/*) $(MKDIR_P) `echo "$$dist_files" | \
|
||||||
|
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
|
||||||
|
sort -u` ;; \
|
||||||
|
esac; \
|
||||||
|
for file in $$dist_files; do \
|
||||||
|
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
|
||||||
|
if test -d $$d/$$file; then \
|
||||||
|
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
|
||||||
|
if test -d "$(distdir)/$$file"; then \
|
||||||
|
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
|
||||||
|
fi; \
|
||||||
|
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
|
||||||
|
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
|
||||||
|
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
|
||||||
|
fi; \
|
||||||
|
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
|
||||||
|
else \
|
||||||
|
test -f "$(distdir)/$$file" \
|
||||||
|
|| cp -p $$d/$$file "$(distdir)/$$file" \
|
||||||
|
|| exit 1; \
|
||||||
|
fi; \
|
||||||
|
done
|
||||||
|
$(MAKE) $(AM_MAKEFLAGS) \
|
||||||
|
top_distdir="$(top_distdir)" distdir="$(distdir)" \
|
||||||
|
dist-hook
|
||||||
|
check-am: all-am
|
||||||
|
check: check-am
|
||||||
|
all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(SCRIPTS) config.h
|
||||||
|
installdirs:
|
||||||
|
for dir in "$(DESTDIR)$(pkglibdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(bindir)"; do \
|
||||||
|
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
|
||||||
|
done
|
||||||
|
install: install-am
|
||||||
|
install-exec: install-exec-am
|
||||||
|
install-data: install-data-am
|
||||||
|
uninstall: uninstall-am
|
||||||
|
|
||||||
|
install-am: all-am
|
||||||
|
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
|
||||||
|
|
||||||
|
installcheck: installcheck-am
|
||||||
|
install-strip:
|
||||||
|
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
|
||||||
|
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
|
||||||
|
`test -z '$(STRIP)' || \
|
||||||
|
echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
|
||||||
|
mostlyclean-generic:
|
||||||
|
|
||||||
|
clean-generic:
|
||||||
|
|
||||||
|
distclean-generic:
|
||||||
|
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
|
||||||
|
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
|
||||||
|
|
||||||
|
maintainer-clean-generic:
|
||||||
|
@echo "This command is intended for maintainers to use"
|
||||||
|
@echo "it deletes files that may require special tools to rebuild."
|
||||||
|
clean: clean-am
|
||||||
|
|
||||||
|
clean-am: clean-binPROGRAMS clean-generic clean-libtool \
|
||||||
|
clean-pkglibLTLIBRARIES mostlyclean-am
|
||||||
|
|
||||||
|
distclean: distclean-am
|
||||||
|
-rm -rf ./$(DEPDIR)
|
||||||
|
-rm -f Makefile
|
||||||
|
distclean-am: clean-am distclean-compile distclean-generic \
|
||||||
|
distclean-hdr distclean-local distclean-tags
|
||||||
|
|
||||||
|
dvi: dvi-am
|
||||||
|
|
||||||
|
dvi-am:
|
||||||
|
|
||||||
|
html: html-am
|
||||||
|
|
||||||
|
html-am:
|
||||||
|
|
||||||
|
info: info-am
|
||||||
|
|
||||||
|
info-am:
|
||||||
|
|
||||||
|
install-data-am:
|
||||||
|
|
||||||
|
install-dvi: install-dvi-am
|
||||||
|
|
||||||
|
install-dvi-am:
|
||||||
|
|
||||||
|
install-exec-am: install-binPROGRAMS install-binSCRIPTS \
|
||||||
|
install-pkglibLTLIBRARIES
|
||||||
|
|
||||||
|
install-html: install-html-am
|
||||||
|
|
||||||
|
install-html-am:
|
||||||
|
|
||||||
|
install-info: install-info-am
|
||||||
|
|
||||||
|
install-info-am:
|
||||||
|
|
||||||
|
install-man:
|
||||||
|
|
||||||
|
install-pdf: install-pdf-am
|
||||||
|
|
||||||
|
install-pdf-am:
|
||||||
|
|
||||||
|
install-ps: install-ps-am
|
||||||
|
|
||||||
|
install-ps-am:
|
||||||
|
|
||||||
|
installcheck-am:
|
||||||
|
|
||||||
|
maintainer-clean: maintainer-clean-am
|
||||||
|
-rm -rf ./$(DEPDIR)
|
||||||
|
-rm -f Makefile
|
||||||
|
maintainer-clean-am: distclean-am maintainer-clean-generic
|
||||||
|
|
||||||
|
mostlyclean: mostlyclean-am
|
||||||
|
|
||||||
|
mostlyclean-am: mostlyclean-compile mostlyclean-generic \
|
||||||
|
mostlyclean-libtool mostlyclean-local
|
||||||
|
|
||||||
|
pdf: pdf-am
|
||||||
|
|
||||||
|
pdf-am:
|
||||||
|
|
||||||
|
ps: ps-am
|
||||||
|
|
||||||
|
ps-am:
|
||||||
|
|
||||||
|
uninstall-am: uninstall-binPROGRAMS uninstall-binSCRIPTS \
|
||||||
|
uninstall-pkglibLTLIBRARIES
|
||||||
|
|
||||||
|
.MAKE: all install-am install-strip
|
||||||
|
|
||||||
|
.PHONY: CTAGS GTAGS all all-am check check-am clean clean-binPROGRAMS \
|
||||||
|
clean-generic clean-libtool clean-pkglibLTLIBRARIES ctags \
|
||||||
|
dist-hook distclean distclean-compile distclean-generic \
|
||||||
|
distclean-hdr distclean-libtool distclean-local distclean-tags \
|
||||||
|
distdir dvi dvi-am html html-am info info-am install \
|
||||||
|
install-am install-binPROGRAMS install-binSCRIPTS install-data \
|
||||||
|
install-data-am install-dvi install-dvi-am install-exec \
|
||||||
|
install-exec-am install-html install-html-am install-info \
|
||||||
|
install-info-am install-man install-pdf install-pdf-am \
|
||||||
|
install-pkglibLTLIBRARIES install-ps install-ps-am \
|
||||||
|
install-strip installcheck installcheck-am installdirs \
|
||||||
|
maintainer-clean maintainer-clean-generic mostlyclean \
|
||||||
|
mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
|
||||||
|
mostlyclean-local pdf pdf-am ps ps-am tags uninstall \
|
||||||
|
uninstall-am uninstall-binPROGRAMS uninstall-binSCRIPTS \
|
||||||
|
uninstall-pkglibLTLIBRARIES
|
||||||
|
|
||||||
|
|
||||||
|
dist-hook: stunnel.exe
|
||||||
|
|
||||||
|
distclean-local:
|
||||||
|
rm -f stunnel.exe
|
||||||
|
|
||||||
|
# SUFFIXES = .c .rc .obj
|
||||||
|
|
||||||
|
stunnel.exe: $(WINOBJ)
|
||||||
|
$(WINGCC) $(WINLDFLAGS) -o stunnel.exe $(WINOBJ) $(WINLIBS)
|
||||||
|
|
||||||
|
%.obj: %.c $(common_headers)
|
||||||
|
$(WINGCC) -c $(WINCPPFLAGS) $(WINCFLAGS) -o $@ $<
|
||||||
|
|
||||||
|
resources.obj: resources.rc resources.h version.h
|
||||||
|
$(WINDRES) --include-dir $(srcdir) $< $@
|
||||||
|
|
||||||
|
mostlyclean-local:
|
||||||
|
-rm -f *.obj
|
||||||
|
|
||||||
|
# Tell versions [3.59,3.63) of GNU make to not export all variables.
|
||||||
|
# Otherwise a system limit (for SysV at least) may be exceeded.
|
||||||
|
.NOEXPORT:
|
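Review bot: `dist-hook: stunnel.exe` makes `make dist` depend on a MinGW cross build (`stunnel.exe: $(WINOBJ)`, linked with `$(WINGCC) $(WINLDFLAGS) -o stunnel.exe $(WINOBJ) $(WINLIBS)`, objects from the `%.obj: %.c` rule via `$(WINGCC) -c`) and places a prebuilt Windows executable inside the source tarball, so the dist target cannot succeed on a host without that toolchain, and anyone who unpacks the tarball receives a binary they cannot reproduce from the same tree without it. Consider building stunnel.exe in a separate release step and publishing it with a detached signature, or at least making the hook conditional on `$(WINGCC)` being set so that a source-only distribution remains possible; note also that `distclean-local` removes stunnel.exe but `mostlyclean-local` only removes `*.obj`, so a stale stunnel.exe survives `make clean`. Minor: the `installdirs` loop lists `"$(DESTDIR)$(bindir)"` twice (once for bin_PROGRAMS, once for bin_SCRIPTS); harmless, but it shows this is unedited automake output and should be regenerated rather than patched by hand.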
1267
src/client.c
Normal file
File diff suppressed because it is too large
488
src/common.h
Normal file
@ -0,0 +1,488 @@
/*
 * stunnel Universal SSL tunnel
 * Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 * See the GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, see <http://www.gnu.org/licenses>.
 *
 * Linking stunnel statically or dynamically with other modules is making
 * a combined work based on stunnel. Thus, the terms and conditions of
 * the GNU General Public License cover the whole combination.
 *
 * In addition, as a special exception, the copyright holder of stunnel
 * gives you permission to combine stunnel with free software programs or
 * libraries that are released under the GNU LGPL and with code included
 * in the standard release of OpenSSL under the OpenSSL License (or
 * modified versions of such code, with unchanged license). You may copy
 * and distribute such a system following the terms of the GNU GPL for
 * stunnel and the licenses of the other code concerned.
 *
 * Note that people who make modified versions of stunnel are not obligated
 * to grant this special exception for their modified versions; it is their
 * choice whether to do so. The GNU General Public License gives permission
 * to release a modified version without this exception; this exception
 * also makes it possible to release a modified version which carries
 * forward this exception.
 */

#ifndef COMMON_H
#define COMMON_H

#include "version.h"


/**************************************** common constants */

#define LIBWRAP_CLIENTS 5

/* CPU stack size */
#define DEFAULT_STACK_SIZE 65536
/* #define DEBUG_STACK_SIZE */

/* I/O buffer size - 18432 is the maximum size of SSL record payload */
#define BUFFSIZE 18432

/* how many bytes of random input to read from files for PRNG */
|
||||||
|
/* OpenSSL likes at least 128 bits, so 64 bytes seems plenty. */
|
||||||
|
#define RANDOM_BYTES 64
|
||||||
|
|
||||||
|
/* for FormatGuard */
|
||||||
|
/* #define __NO_FORMATGUARD_ */
|
||||||
|
|
||||||
|
/* additional diagnostic messages */
|
||||||
|
/* #define DEBUG_FD_ALLOC */
|
||||||
|
|
||||||
|
/**************************************** platform */
|
||||||
|
|
||||||
|
#ifdef _WIN32
|
||||||
|
#define USE_WIN32
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef _WIN32_WCE
|
||||||
|
#define USE_WIN32
|
||||||
|
typedef int socklen_t;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef USE_WIN32
|
||||||
|
#define USE_IPv6
|
||||||
|
#define _CRT_SECURE_NO_DEPRECATE
|
||||||
|
#define _CRT_NONSTDC_NO_DEPRECATE
|
||||||
|
#define HAVE_OSSL_ENGINE_H
|
||||||
|
#define HAVE_OSSL_OCSP_H
|
||||||
|
/* prevent including wincrypt.h, as it defines it's own OCSP_RESPONSE */
|
||||||
|
#define __WINCRYPT_H__
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef USE_WIN32
|
||||||
|
#define S_EADDRINUSE WSAEADDRINUSE
|
||||||
|
/* winsock does not define WSAEAGAIN */
|
||||||
|
/* in most (but not all!) BSD implementations EAGAIN==EWOULDBLOCK */
|
||||||
|
#define S_EAGAIN WSAEWOULDBLOCK
|
||||||
|
#define S_ECONNRESET WSAECONNRESET
|
||||||
|
#define S_EINPROGRESS WSAEINPROGRESS
|
||||||
|
#define S_EINTR WSAEINTR
|
||||||
|
#define S_EINVAL WSAEINVAL
|
||||||
|
#define S_EISCONN WSAEISCONN
|
||||||
|
#define S_EMFILE WSAEMFILE
|
||||||
|
/* winsock does not define WSAENFILE */
|
||||||
|
#define S_ENOBUFS WSAENOBUFS
|
||||||
|
/* winsock does not define WSAENOMEM */
|
||||||
|
#define S_ENOPROTOOPT WSAENOPROTOOPT
|
||||||
|
#define S_ENOTSOCK WSAENOTSOCK
|
||||||
|
#define S_EOPNOTSUPP WSAEOPNOTSUPP
|
||||||
|
#define S_EWOULDBLOCK WSAEWOULDBLOCK
|
||||||
|
#define S_ECONNABORTED WSAECONNABORTED
|
||||||
|
#else /* USE_WIN32 */
|
||||||
|
#define S_EADDRINUSE EADDRINUSE
|
||||||
|
#define S_EAGAIN EAGAIN
|
||||||
|
#define S_ECONNRESET ECONNRESET
|
||||||
|
#define S_EINPROGRESS EINPROGRESS
|
||||||
|
#define S_EINTR EINTR
|
||||||
|
#define S_EINVAL EINVAL
|
||||||
|
#define S_EISCONN EISCONN
|
||||||
|
#define S_EMFILE EMFILE
|
||||||
|
#ifdef ENFILE
|
||||||
|
#define S_ENFILE ENFILE
|
||||||
|
#endif
|
||||||
|
#ifdef ENOBUFS
|
||||||
|
#define S_ENOBUFS ENOBUFS
|
||||||
|
#endif
|
||||||
|
#ifdef ENOMEM
|
||||||
|
#define S_ENOMEM ENOMEM
|
||||||
|
#endif
|
||||||
|
#define S_ENOPROTOOPT ENOPROTOOPT
|
||||||
|
#define S_ENOTSOCK ENOTSOCK
|
||||||
|
#define S_EOPNOTSUPP EOPNOTSUPP
|
||||||
|
#define S_EWOULDBLOCK EWOULDBLOCK
|
||||||
|
#define S_ECONNABORTED ECONNABORTED
|
||||||
|
#endif /* USE_WIN32 */
|
||||||
|
|
||||||
|
/**************************************** generic headers */
|
||||||
|
|
||||||
|
#ifdef __vms
|
||||||
|
#include <starlet.h>
|
||||||
|
#endif /* __vms */
|
||||||
|
|
||||||
|
/* for nsr-tandem-nsk architecture */
|
||||||
|
#ifdef __TANDEM
|
||||||
|
#include <floss.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* threads model */
|
||||||
|
#ifdef USE_UCONTEXT
|
||||||
|
#define __MAKECONTEXT_V2_SOURCE
|
||||||
|
#include <ucontext.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef USE_PTHREAD
|
||||||
|
#ifndef THREADS
|
||||||
|
#define THREADS
|
||||||
|
#endif
|
||||||
|
#ifndef _REENTRANT
|
||||||
|
/* _REENTRANT is required for thread-safe errno on Solaris */
|
||||||
|
#define _REENTRANT
|
||||||
|
#endif
|
||||||
|
#ifndef _THREAD_SAFE
|
||||||
|
#define _THREAD_SAFE
|
||||||
|
#endif
|
||||||
|
#include <pthread.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* TCP wrapper */
|
||||||
|
#if defined HAVE_TCPD_H && defined HAVE_LIBWRAP
|
||||||
|
#define USE_LIBWRAP 1
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* must be included before sys/stat.h for Ultrix */
|
||||||
|
/* must be included before sys/socket.h for OpenBSD */
|
||||||
|
#include <sys/types.h> /* u_short, u_long */
|
||||||
|
/* general headers */
|
||||||
|
#include <stdio.h>
|
||||||
|
/* must be included before sys/stat.h for Ultrix */
|
||||||
|
#ifndef _WIN32_WCE
|
||||||
|
#include <errno.h>
|
||||||
|
#endif
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <stdarg.h> /* va_ */
|
||||||
|
#include <string.h>
|
||||||
|
#include <ctype.h> /* isalnum */
|
||||||
|
#include <time.h>
|
||||||
|
#include <sys/stat.h> /* stat */
|
||||||
|
#include <setjmp.h>
|
||||||
|
#include <fcntl.h>
|
||||||
|
|
||||||
|
/**************************************** WIN32 headers */
|
||||||
|
|
||||||
|
#ifdef USE_WIN32
|
||||||
|
|
||||||
|
typedef unsigned char u8;
|
||||||
|
typedef unsigned short u16;
|
||||||
|
typedef unsigned long u32;
|
||||||
|
|
||||||
|
#define HAVE_STRUCT_ADDRINFO
|
||||||
|
#define HAVE_SNPRINTF
|
||||||
|
#define snprintf _snprintf
|
||||||
|
#define HAVE_VSNPRINTF
|
||||||
|
#define vsnprintf _vsnprintf
|
||||||
|
#define strcasecmp _stricmp
|
||||||
|
#define strncasecmp _strnicmp
|
||||||
|
#define sleep(c) Sleep(1000*(c))
|
||||||
|
|
||||||
|
#define get_last_socket_error() WSAGetLastError()
|
||||||
|
#define set_last_socket_error(e) WSASetLastError(e)
|
||||||
|
#define get_last_error() GetLastError()
|
||||||
|
#define set_last_error(e) SetLastError(e)
|
||||||
|
#define readsocket(s,b,n) recv((s),(b),(n),0)
|
||||||
|
#define writesocket(s,b,n) send((s),(b),(n),0)
|
||||||
|
|
||||||
|
/* #define FD_SETSIZE 4096 */
|
||||||
|
/* #define Win32_Winsock */
|
||||||
|
#define __USE_W32_SOCKETS
|
||||||
|
|
||||||
|
/* Winsock2 header for IPv6 definitions */
|
||||||
|
#include <winsock2.h>
|
||||||
|
#include <ws2tcpip.h>
|
||||||
|
|
||||||
|
#include <windows.h>
|
||||||
|
|
||||||
|
#include <process.h> /* _beginthread */
|
||||||
|
#include <tchar.h>
|
||||||
|
|
||||||
|
#include "resources.h"
|
||||||
|
|
||||||
|
/**************************************** non-WIN32 headers */
|
||||||
|
|
||||||
|
#else /* USE_WIN32 */
|
||||||
|
|
||||||
|
#if SIZEOF_UNSIGNED_CHAR == 1
|
||||||
|
typedef unsigned char u8;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if SIZEOF_UNSIGNED_SHORT == 2
|
||||||
|
typedef unsigned short u16;
|
||||||
|
#else
|
||||||
|
typedef unsigned int u16;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if SIZEOF_UNSIGNED_INT == 4
|
||||||
|
typedef unsigned int u32;
|
||||||
|
#else
|
||||||
|
typedef unsigned long u32;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef __INNOTEK_LIBC__
|
||||||
|
#define socklen_t __socklen_t
|
||||||
|
#define strcasecmp stricmp
|
||||||
|
#define strncasecmp strnicmp
|
||||||
|
#define NI_NUMERICHOST 1
|
||||||
|
#define NI_NUMERICSERV 2
|
||||||
|
#define get_last_socket_error() sock_errno()
|
||||||
|
#define set_last_socket_error(e) ()
|
||||||
|
#define get_last_error() errno
|
||||||
|
#define set_last_error(e) (errno=(e))
|
||||||
|
#define readsocket(s,b,n) recv((s),(b),(n),0)
|
||||||
|
#define writesocket(s,b,n) send((s),(b),(n),0)
|
||||||
|
#define closesocket(s) close(s)
|
||||||
|
#define ioctlsocket(a,b,c) so_ioctl((a),(b),(c))
|
||||||
|
#else
|
||||||
|
#define get_last_socket_error() errno
|
||||||
|
#define set_last_socket_error(e) (errno=(e))
|
||||||
|
#define get_last_error() errno
|
||||||
|
#define set_last_error(e) (errno=(e))
|
||||||
|
#define readsocket(s,b,n) read((s),(b),(n))
|
||||||
|
#define writesocket(s,b,n) write((s),(b),(n))
|
||||||
|
#define closesocket(s) close(s)
|
||||||
|
#define ioctlsocket(a,b,c) ioctl((a),(b),(c))
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* OpenVMS compatibility */
|
||||||
|
#ifdef __vms
|
||||||
|
#define LIBDIR "__NA__"
|
||||||
|
#define PIDFILE "SYS$LOGIN:STUNNEL.PID"
|
||||||
|
#ifdef __alpha
|
||||||
|
#define HOST "alpha-openvms"
|
||||||
|
#else
|
||||||
|
#define HOST "vax-openvms"
|
||||||
|
#endif
|
||||||
|
#include <inet.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
#else /* __vms */
|
||||||
|
#include <syslog.h>
|
||||||
|
#endif /* __vms */
|
||||||
|
|
||||||
|
/* Unix-specific headers */
|
||||||
|
#include <signal.h> /* signal */
|
||||||
|
#include <sys/wait.h> /* wait */
|
||||||
|
#ifdef HAVE_SYS_RESOURCE_H
|
||||||
|
#include <sys/resource.h> /* getrlimit */
|
||||||
|
#endif
|
||||||
|
#ifdef HAVE_UNISTD_H
|
||||||
|
#include <unistd.h> /* getpid, fork, execvp, exit */
|
||||||
|
#endif
|
||||||
|
#ifdef HAVE_STROPTS_H
|
||||||
|
#include <stropts.h>
|
||||||
|
#endif
|
||||||
|
#ifdef HAVE_MALLOC_H
|
||||||
|
#include <malloc.h> /* mallopt */
|
||||||
|
#endif
|
||||||
|
#ifdef HAVE_SYS_SELECT_H
|
||||||
|
#include <sys/select.h> /* for aix */
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(HAVE_POLL) && !defined(BROKEN_POLL)
|
||||||
|
#ifdef HAVE_POLL_H
|
||||||
|
#include <poll.h>
|
||||||
|
#define USE_POLL
|
||||||
|
#else /* HAVE_POLL_H */
|
||||||
|
#ifdef HAVE_SYS_POLL_H
|
||||||
|
#include <sys/poll.h>
|
||||||
|
#define USE_POLL
|
||||||
|
#endif /* HAVE_SYS_POLL_H */
|
||||||
|
#endif /* HAVE_POLL_H */
|
||||||
|
#endif /* HAVE_POLL && !BROKEN_POLL */
|
||||||
|
|
||||||
|
#ifdef HAVE_SYS_FILIO_H
|
||||||
|
#include <sys/filio.h> /* for FIONBIO */
|
||||||
|
#endif
|
||||||
|
#include <pwd.h>
|
||||||
|
#ifdef HAVE_GRP_H
|
||||||
|
#include <grp.h>
|
||||||
|
#endif
|
||||||
|
#ifdef __BEOS__
|
||||||
|
#include <posix/grp.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef HAVE_SYS_UIO_H
|
||||||
|
#include <sys/uio.h> /* struct iovec */
|
||||||
|
#endif /* HAVE_SYS_UIO_H */
|
||||||
|
|
||||||
|
#include <netinet/in.h> /* struct sockaddr_in */
|
||||||
|
#include <sys/socket.h> /* getpeername */
|
||||||
|
#include <arpa/inet.h> /* inet_ntoa */
|
||||||
|
#include <sys/time.h> /* select */
|
||||||
|
#include <sys/ioctl.h> /* ioctl */
|
||||||
|
#ifdef HAVE_SYS_UN_H
|
||||||
|
#include <sys/un.h>
|
||||||
|
#endif
|
||||||
|
#include <netinet/tcp.h>
|
||||||
|
#include <netdb.h>
|
||||||
|
#ifndef INADDR_ANY
|
||||||
|
#define INADDR_ANY (u32)0x00000000
|
||||||
|
#endif
|
||||||
|
#ifndef INADDR_LOOPBACK
|
||||||
|
#define INADDR_LOOPBACK (u32)0x7F000001
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(HAVE_WAITPID)
|
||||||
|
/* for SYSV systems */
|
||||||
|
#define wait_for_pid(a, b, c) waitpid((a), (b), (c))
|
||||||
|
#define HAVE_WAIT_FOR_PID 1
|
||||||
|
#elif defined(HAVE_WAIT4)
|
||||||
|
/* for BSD systems */
|
||||||
|
#define wait_for_pid(a, b, c) wait4((a), (b), (c), NULL)
|
||||||
|
#define HAVE_WAIT_FOR_PID 1
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* SunOS 4 */
|
||||||
|
#if defined(sun) && !defined(__svr4__) && !defined(__SVR4)
|
||||||
|
#define atexit(a) on_exit((a), NULL)
|
||||||
|
extern int sys_nerr;
|
||||||
|
extern char *sys_errlist[];
|
||||||
|
#define strerror(num) ((num)==0 ? "No error" : \
|
||||||
|
((num)>=sys_nerr ? "Unknown error" : sys_errlist[num]))
|
||||||
|
#endif /* SunOS 4 */
|
||||||
|
|
||||||
|
/* AIX does not have SOL_TCP defined */
|
||||||
|
#ifndef SOL_TCP
|
||||||
|
#define SOL_TCP SOL_SOCKET
|
||||||
|
#endif /* SOL_TCP */
|
||||||
|
|
||||||
|
/* Linux */
|
||||||
|
#ifdef __linux__
|
||||||
|
#ifndef IP_FREEBIND
|
||||||
|
/* kernel headers without IP_FREEBIND definition */
|
||||||
|
#define IP_FREEBIND 15
|
||||||
|
#endif /* IP_FREEBIND */
|
||||||
|
#ifndef IP_TRANSPARENT
|
||||||
|
/* kernel headers without IP_TRANSPARENT definition */
|
||||||
|
#define IP_TRANSPARENT 19
|
||||||
|
#endif /* IP_TRANSPARENT */
|
||||||
|
#ifdef HAVE_LINUX_NETFILTER_IPV4_H
|
||||||
|
#include <limits.h>
|
||||||
|
#include <linux/types.h>
|
||||||
|
#include <linux/netfilter_ipv4.h>
|
||||||
|
#endif /* HAVE_LINUX_NETFILTER_IPV4_H */
|
||||||
|
#endif /* __linux__ */
|
||||||
|
|
||||||
|
#endif /* USE_WIN32 */
|
||||||
|
|
||||||
|
/**************************************** OpenSSL headers */
|
||||||
|
|
||||||
|
#define OPENSSL_THREAD_DEFINES
|
||||||
|
#include <openssl/opensslconf.h>
|
||||||
|
#if defined(USE_PTHREAD) && !(defined(OPENSSL_THREADS) || \
|
||||||
|
(OPENSSL_VERSION_NUMBER<0x0090700fL && defined(THREADS)))
|
||||||
|
#error OpenSSL library compiled without thread support
|
||||||
|
#endif /* !OPENSSL_THREADS && USE_PTHREAD */
|
||||||
|
|
||||||
|
#if defined (USE_WIN32) && defined(OPENSSL_FIPS)
|
||||||
|
#define USE_FIPS
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* OpenSSL 0.9.6 comp.h needs ZLIB macro to declare COMP_zlib() */
|
||||||
|
#define ZLIB
|
||||||
|
|
||||||
|
#include <openssl/lhash.h>
|
||||||
|
#include <openssl/ssl.h>
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#include <openssl/crypto.h> /* for CRYPTO_* and SSLeay_version */
|
||||||
|
#include <openssl/rand.h>
|
||||||
|
#ifndef OPENSSL_NO_MD4
|
||||||
|
#include <openssl/md4.h>
|
||||||
|
#endif
|
||||||
|
#include <openssl/des.h>
|
||||||
|
|
||||||
|
#ifdef HAVE_OSSL_ENGINE_H
|
||||||
|
#ifndef OPENSSL_NO_ENGINE
|
||||||
|
#include <openssl/engine.h>
|
||||||
|
#else
|
||||||
|
#undef HAVE_OSSL_ENGINE_H
|
||||||
|
#endif
|
||||||
|
#endif /* HAVE_OSSL_ENGINE_H */
|
||||||
|
|
||||||
|
/* non-blocking OCSP API is not available before OpenSSL 0.9.8h */
|
||||||
|
#if OPENSSL_VERSION_NUMBER<0x00908080L
|
||||||
|
#ifdef HAVE_OSSL_OCSP_H
|
||||||
|
#undef HAVE_OSSL_OCSP_H
|
||||||
|
#endif /* HAVE_OSSL_OCSP_H */
|
||||||
|
#endif /* OpenSSL older than 0.9.8h */
|
||||||
|
|
||||||
|
#ifdef HAVE_OSSL_OCSP_H
|
||||||
|
#include <openssl/ocsp.h>
|
||||||
|
#endif /* HAVE_OSSL_OCSP_H */
|
||||||
|
|
||||||
|
#ifdef USE_FIPS
|
||||||
|
#include <openssl/fips.h>
|
||||||
|
#include <openssl/fips_rand.h>
|
||||||
|
#endif /* USE_FIPS */
|
||||||
|
|
||||||
|
#if OPENSSL_VERSION_NUMBER<0x0090800fL
|
||||||
|
#define OPENSSL_NO_ECDH
|
||||||
|
#endif /* OpenSSL version < 0.8.0 */
|
||||||
|
|
||||||
|
#if OPENSSL_VERSION_NUMBER<0x10000000L
|
||||||
|
#define OPENSSL_NO_TLSEXT
|
||||||
|
#endif /* OpenSSL version < 1.0.0 */
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_COMP
|
||||||
|
/* not defined in public headers before OpenSSL 0.9.8 */
|
||||||
|
STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
|
||||||
|
#endif /* OPENSSL_NO_COMP */
|
||||||
|
|
||||||
|
/**************************************** other defines */
|
||||||
|
|
||||||
|
/* change all non-printable characters to '.' */
|
||||||
|
#define safestring(s) \
|
||||||
|
do {unsigned char *p; for(p=(unsigned char *)(s); *p; p++) \
|
||||||
|
if(!isprint((int)*p)) *p='.';} while(0)
|
||||||
|
/* change all unsafe characters to '.' */
|
||||||
|
#define safename(s) \
|
||||||
|
do {unsigned char *p; for(p=(s); *p; p++) \
|
||||||
|
if(!isalnum((int)*p)) *p='.';} while(0)
|
||||||
|
|
||||||
|
/* always use IPv4 defaults! */
|
||||||
|
#define DEFAULT_LOOPBACK "127.0.0.1"
|
||||||
|
#define DEFAULT_ANY "0.0.0.0"
|
||||||
|
#if 0
|
||||||
|
#define DEFAULT_LOOPBACK "::1"
|
||||||
|
#define DEFAULT_ANY "::"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined (USE_WIN32) || defined (__vms)
|
||||||
|
#define LOG_EMERG 0
|
||||||
|
#define LOG_ALERT 1
|
||||||
|
#define LOG_CRIT 2
|
||||||
|
#define LOG_ERR 3
|
||||||
|
#define LOG_WARNING 4
|
||||||
|
#define LOG_NOTICE 5
|
||||||
|
#define LOG_INFO 6
|
||||||
|
#define LOG_DEBUG 7
|
||||||
|
#endif /* defined (USE_WIN32) || defined (__vms) */
|
||||||
|
|
||||||
|
#ifndef offsetof
|
||||||
|
#define offsetof(T, F) ((unsigned int)((char *)&((T *)0L)->F - (char *)0L))
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#endif /* defined COMMON_H */
|
||||||
|
|
||||||
|
/* end of common.h */
|
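Review bot: in the `__INNOTEK_LIBC__` branch, `#define set_last_socket_error(e) ()` expands to a bare `()`, which is not a valid C expression, so any use such as `set_last_socket_error(0);` cannot compile on that platform; since the same branch maps `get_last_socket_error()` to `sock_errno()`, either supply the matching setter or define the macro as `((void)(e))` so the argument is consumed and the statement stays well formed. Two more points in this hunk: the AIX fallback `#define SOL_TCP SOL_SOCKET` redirects TCP-level socket options to the socket level, where they are not defined, so `IPPROTO_TCP` is the correct substitute for a missing `SOL_TCP`; and the closing comment `#endif /* OpenSSL version < 0.8.0 */` after `OPENSSL_VERSION_NUMBER<0x0090800fL` should read `0.9.8` (the comment "it defines it's own OCSP_RESPONSE" also wants `its`).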
269
src/config.h.in
Normal file
@ -0,0 +1,269 @@
/* src/config.h.in. Generated from configure.ac by autoheader. */

/* Define to 1 if you have a broken 'poll' implementation. */
#undef BROKEN_POLL

/* Entropy Gathering Daemon socket path */
#undef EGD_SOCKET

/* Define to 1 if you have the `accept4' function. */
#undef HAVE_ACCEPT4

/* Define to 1 if you have the `chroot' function. */
#undef HAVE_CHROOT

/* Define to 1 if you have the `daemon' function. */
#undef HAVE_DAEMON

/* Define to 1 if you have '/dev/ptmx' device. */
#undef HAVE_DEV_PTMX

/* Define to 1 if you have '/dev/ptc' device. */
#undef HAVE_DEV_PTS_AND_PTC

/* Define to 1 if you have the <dlfcn.h> header file. */
#undef HAVE_DLFCN_H

/* Define to 1 if you have the `endhostent' function. */
#undef HAVE_ENDHOSTENT

/* Define to 1 if you have 'getaddrinfo' function. */
#undef HAVE_GETADDRINFO

/* Define to 1 if you have the `getcontext' function. */
#undef HAVE_GETCONTEXT

/* Define to 1 if you have the `gethostbyname2' function. */
#undef HAVE_GETHOSTBYNAME2

/* Define to 1 if you have the `getnameinfo' function. */
#undef HAVE_GETNAMEINFO

/* Define to 1 if you have the `getrlimit' function. */
#undef HAVE_GETRLIMIT

/* Define to 1 if you have the <grp.h> header file. */
#undef HAVE_GRP_H

/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H

/* Define to 1 if you have 'libpthread' library. */
#undef HAVE_LIBPTHREAD

/* Define to 1 if you have the <libutil.h> header file. */
#undef HAVE_LIBUTIL_H

/* Define to 1 if you have 'libwrap' library. */
#undef HAVE_LIBWRAP

/* Define to 1 if you have the <linux/netfilter_ipv4.h> header file. */
#undef HAVE_LINUX_NETFILTER_IPV4_H

/* Define to 1 if you have the `localtime_r' function. */
#undef HAVE_LOCALTIME_R

/* Define to 1 if you have the <malloc.h> header file. */
#undef HAVE_MALLOC_H

/* Define to 1 if you have the <memory.h> header file. */
#undef HAVE_MEMORY_H

/* Define to 1 if you have 'msghdr.msg_control' structure. */
#undef HAVE_MSGHDR_MSG_CONTROL

/* Define to 1 if you have the `openpty' function. */
#undef HAVE_OPENPTY

/* Define to 1 if you have <engine.h> header file. */
#undef HAVE_OSSL_ENGINE_H

/* Define to 1 if you have <ocsp.h> header file. */
#undef HAVE_OSSL_OCSP_H

/* Define to 1 if you have the `pipe2' function. */
#undef HAVE_PIPE2

/* Define to 1 if you have the `poll' function. */
#undef HAVE_POLL

/* Define to 1 if you have the <poll.h> header file. */
#undef HAVE_POLL_H

/* Define to 1 if you have the <pthread.h> header file. */
#undef HAVE_PTHREAD_H

/* Define to 1 if you have the `pthread_sigmask' function. */
#undef HAVE_PTHREAD_SIGMASK

/* Define to 1 if you have the <pty.h> header file. */
#undef HAVE_PTY_H

/* Define to 1 if you have the `setgroups' function. */
#undef HAVE_SETGROUPS

/* Define to 1 if you have the `setsid' function. */
#undef HAVE_SETSID

/* Define to 1 if you have the `snprintf' function. */
#undef HAVE_SNPRINTF

/* Define to 1 if you have the <stdint.h> header file. */
#undef HAVE_STDINT_H

/* Define to 1 if you have the <stdlib.h> header file. */
#undef HAVE_STDLIB_H

/* Define to 1 if you have the <strings.h> header file. */
#undef HAVE_STRINGS_H

/* Define to 1 if you have the <string.h> header file. */
#undef HAVE_STRING_H

/* Define to 1 if you have the <stropts.h> header file. */
#undef HAVE_STROPTS_H

/* Define to 1 if the system has the type `struct addrinfo'. */
#undef HAVE_STRUCT_ADDRINFO

/* Define to 1 if `msg_control' is a member of `struct msghdr'. */
#undef HAVE_STRUCT_MSGHDR_MSG_CONTROL

/* Define to 1 if the system has the type `struct sockaddr_un'. */
#undef HAVE_STRUCT_SOCKADDR_UN

/* Define to 1 if you have the `sysconf' function. */
#undef HAVE_SYSCONF

/* Define to 1 if you have the <sys/filio.h> header file. */
#undef HAVE_SYS_FILIO_H

/* Define to 1 if you have the <sys/ioctl.h> header file. */
#undef HAVE_SYS_IOCTL_H

/* Define to 1 if you have the <sys/poll.h> header file. */
#undef HAVE_SYS_POLL_H

/* Define to 1 if you have the <sys/resource.h> header file. */
#undef HAVE_SYS_RESOURCE_H

/* Define to 1 if you have the <sys/select.h> header file. */
#undef HAVE_SYS_SELECT_H

/* Define to 1 if you have the <sys/socket.h> header file. */
#undef HAVE_SYS_SOCKET_H

/* Define to 1 if you have the <sys/stat.h> header file. */
#undef HAVE_SYS_STAT_H

/* Define to 1 if you have the <sys/types.h> header file. */
#undef HAVE_SYS_TYPES_H

/* Define to 1 if you have the <sys/uio.h> header file. */
#undef HAVE_SYS_UIO_H

/* Define to 1 if you have the <sys/un.h> header file. */
#undef HAVE_SYS_UN_H

/* Define to 1 if you have the <tcpd.h> header file. */
#undef HAVE_TCPD_H

/* Define to 1 if you have the <ucontext.h> header file. */
#undef HAVE_UCONTEXT_H

/* Define to 1 if you have the <unistd.h> header file. */
#undef HAVE_UNISTD_H

/* Define to 1 if you have the <util.h> header file. */
#undef HAVE_UTIL_H

/* Define to 1 if you have the `vsnprintf' function. */
#undef HAVE_VSNPRINTF

/* Define to 1 if you have the `wait4' function. */
#undef HAVE_WAIT4

/* Define to 1 if you have the `waitpid' function. */
#undef HAVE_WAITPID

/* Define to 1 if you have the `_getpty' function. */
#undef HAVE__GETPTY

/* Define to 1 if you have the `__makecontext_v2' function. */
#undef HAVE___MAKECONTEXT_V2

/* Host description */
#undef HOST

/* Define to the sub-directory in which libtool stores uninstalled libraries.
*/
#undef LT_OBJDIR

/* Define to 1 if your C compiler doesn't accept -c and -o together. */
#undef NO_MINUS_C_MINUS_O

/* Name of package */
#undef PACKAGE

/* Define to the address where bug reports for this package should be sent. */
#undef PACKAGE_BUGREPORT

/* Define to the full name of this package. */
#undef PACKAGE_NAME

/* Define to the full name and version of this package. */
#undef PACKAGE_STRING

/* Define to the one symbol short name of this package. */
#undef PACKAGE_TARNAME

/* Define to the home page for this package. */
#undef PACKAGE_URL

/* Define to the version of this package. */
#undef PACKAGE_VERSION

/* Random file path */
#undef RANDOM_FILE

/* The size of `unsigned char', as computed by sizeof. */
#undef SIZEOF_UNSIGNED_CHAR

/* The size of `unsigned int', as computed by sizeof. */
#undef SIZEOF_UNSIGNED_INT

/* The size of `unsigned long', as computed by sizeof. */
#undef SIZEOF_UNSIGNED_LONG

/* The size of `unsigned short', as computed by sizeof. */
#undef SIZEOF_UNSIGNED_SHORT

/* SSL directory */
#undef SSLDIR

/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS

/* Define to 1 to enable OpenSSL FIPS mode. */
#undef USE_FIPS

/* Define to 1 to select FORK mode */
#undef USE_FORK

/* Define to 1 to enable IPv6 support */
#undef USE_IPv6

/* Define to 1 to select PTHREAD mode */
#undef USE_PTHREAD

/* Define to 1 to select UCONTEXT mode */
#undef USE_UCONTEXT

/* Version number of package */
#undef VERSION

/* Use GNU source */
#undef _GNU_SOURCE

/* Type of socklen_t */
#undef socklen_t
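Review bot: `HAVE_MSGHDR_MSG_CONTROL` and `HAVE_STRUCT_MSGHDR_MSG_CONTROL` describe the same feature (the `msg_control` member of `struct msghdr`), so this header carries two templates for one check and code can end up testing the macro that `configure` never sets; confirm which one `configure.ac` actually defines and drop the other. The comment on `HAVE_DEV_PTS_AND_PTC` mentions only `/dev/ptc` although the macro name implies `/dev/pts` as well; since this file is autoheader output, both fixes belong in the `AC_DEFINE` descriptions in `configure.ac` rather than here.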
687
src/ctx.c
Normal file
@ -0,0 +1,687 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/

#include "common.h"
#include "prototypes.h"

/**************************************** prototypes */

/* SNI */
#ifndef OPENSSL_NO_TLSEXT
static int servername_cb(SSL *, int *, void *);
#endif

/* DH/ECDH initialization */
#ifndef OPENSSL_NO_DH
static int init_dh(SERVICE_OPTIONS *);
static DH *read_dh(char *);
static DH *get_dh2048(void);
#endif /* OPENSSL_NO_DH */
#ifndef OPENSSL_NO_ECDH
static int init_ecdh(SERVICE_OPTIONS *);
#endif /* USE_ECDH */

/* loading certificate */
static int load_certificate(SERVICE_OPTIONS *);
#if defined(USE_WIN32) || OPENSSL_VERSION_NUMBER>=0x0090700fL
static int password_cb(char *, int, int, void *);
#endif

/* session cache callbacks */
static int sess_new_cb(SSL *, SSL_SESSION *);
static SSL_SESSION *sess_get_cb(SSL *, unsigned char *, int, int *);
static void sess_remove_cb(SSL_CTX *, SSL_SESSION *);
static void cache_transfer(SSL_CTX *, const unsigned int, const unsigned,
const unsigned char *, const unsigned int,
const unsigned char *, const unsigned int,
unsigned char **, unsigned int *);

/* info callbacks */
static void info_callback(
#if OPENSSL_VERSION_NUMBER>=0x0090700fL
const
#endif
SSL *, int, int);

static void sslerror_queue(void);
static void sslerror_log(unsigned long, char *);

/**************************************** initialize section->ctx */

int context_init(SERVICE_OPTIONS *section) { /* init SSL context */
/* create SSL context */
if(section->option.client)
section->ctx=SSL_CTX_new(section->client_method);
else /* server mode */
section->ctx=SSL_CTX_new(section->server_method);
if(!section->ctx) {
sslerror("SSL_CTX_new");
return 1; /* FAILED */
}
SSL_CTX_set_ex_data(section->ctx, opt_index, section); /* for callbacks */

/* initialize certificate verification */
if(load_certificate(section))
return 1; /* FAILED */
if(verify_init(section))
return 1; /* FAILED */

/* initialize DH/ECDH server mode */
if(!section->option.client) {
#ifndef OPENSSL_NO_TLSEXT
SSL_CTX_set_tlsext_servername_arg(section->ctx, section);
SSL_CTX_set_tlsext_servername_callback(section->ctx, servername_cb);
#endif /* OPENSSL_NO_TLSEXT */
#ifndef OPENSSL_NO_DH
init_dh(section); /* ignore the result (errors are not critical) */
#endif /* OPENSSL_NO_DH */
#ifndef OPENSSL_NO_ECDH
init_ecdh(section); /* ignore the result (errors are not critical) */
#endif /* OPENSSL_NO_ECDH */
}

/* setup session cache */
if(!section->option.client) {
unsigned int servname_len=strlen(section->servname);
if(servname_len>SSL_MAX_SSL_SESSION_ID_LENGTH)
servname_len=SSL_MAX_SSL_SESSION_ID_LENGTH;
if(!SSL_CTX_set_session_id_context(section->ctx,
(unsigned char *)section->servname, servname_len)) {
sslerror("SSL_CTX_set_session_id_context");
return 1; /* FAILED */
}
}
SSL_CTX_set_session_cache_mode(section->ctx, SSL_SESS_CACHE_BOTH);
SSL_CTX_set_timeout(section->ctx, section->session_timeout);
if(section->option.sessiond) {
SSL_CTX_sess_set_new_cb(section->ctx, sess_new_cb);
SSL_CTX_sess_set_get_cb(section->ctx, sess_get_cb);
SSL_CTX_sess_set_remove_cb(section->ctx, sess_remove_cb);
}

/* set info callback */
if(global_options.debug_level==LOG_DEBUG) /* performance optimization */
SSL_CTX_set_info_callback(section->ctx, info_callback);

/* ciphers, options, mode */
if(section->cipher_list)
if(!SSL_CTX_set_cipher_list(section->ctx, section->cipher_list)) {
sslerror("SSL_CTX_set_cipher_list");
|
return 1; /* FAILED */
|
||||||
|
}
|
||||||
|
s_log(LOG_DEBUG, "SSL options set: 0x%08lX",
|
||||||
|
SSL_CTX_set_options(section->ctx, section->ssl_options));
|
||||||
|
#ifdef SSL_MODE_RELEASE_BUFFERS
|
||||||
|
SSL_CTX_set_mode(section->ctx,
|
||||||
|
SSL_MODE_ENABLE_PARTIAL_WRITE |
|
||||||
|
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
|
||||||
|
SSL_MODE_RELEASE_BUFFERS);
|
||||||
|
#else
|
||||||
|
SSL_CTX_set_mode(section->ctx,
|
||||||
|
SSL_MODE_ENABLE_PARTIAL_WRITE |
|
||||||
|
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
|
||||||
|
#endif
|
||||||
|
return 0; /* OK */
|
||||||
|
}
|
||||||
|
|
||||||
|
/**************************************** SNI callback */
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_TLSEXT
|
||||||
|
|
||||||
|
static int servername_cb(SSL *ssl, int *ad, void *arg) {
|
||||||
|
SERVICE_OPTIONS *section=(SERVICE_OPTIONS *)arg;
|
||||||
|
const char *servername=SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
|
||||||
|
SERVERNAME_LIST *list;
|
||||||
|
CLI *c;
|
||||||
|
#ifdef USE_LIBWRAP
|
||||||
|
char *accepted_address;
|
||||||
|
#endif /* USE_LIBWRAP */
|
||||||
|
|
||||||
|
/* leave the alert type at SSL_AD_UNRECOGNIZED_NAME */
|
||||||
|
(void)ad; /* skip warning about unused parameter */
|
||||||
|
if(!section->servername_list_head) /* no virtual services defined */
|
||||||
|
return SSL_TLSEXT_ERR_OK;
|
||||||
|
if(!servername) /* no SNI extension received from the client */
|
||||||
|
return SSL_TLSEXT_ERR_NOACK;
|
||||||
|
|
||||||
|
for(list=section->servername_list_head; list; list=list->next)
|
||||||
|
if(!strcasecmp(servername, list->servername)) {
|
||||||
|
c=SSL_get_ex_data(ssl, cli_index);
|
||||||
|
c->opt=list->opt;
|
||||||
|
SSL_set_SSL_CTX(ssl, c->opt->ctx);
|
||||||
|
SSL_set_verify(ssl, SSL_CTX_get_verify_mode(c->opt->ctx),
|
||||||
|
SSL_CTX_get_verify_callback(c->opt->ctx));
|
||||||
|
s_log(LOG_NOTICE, "SNI: switched to section %s",
|
||||||
|
c->opt->servname);
|
||||||
|
#ifdef USE_LIBWRAP
|
||||||
|
accepted_address=s_ntop(&c->peer_addr, c->peer_addr_len);
|
||||||
|
libwrap_auth(c, accepted_address); /* retry on a service switch */
|
||||||
|
str_free(accepted_address);
|
||||||
|
#endif /* USE_LIBWRAP */
|
||||||
|
return SSL_TLSEXT_ERR_OK;
|
||||||
|
}
|
||||||
|
s_log(LOG_ERR, "SNI: no service defined for server %s", servername);
|
||||||
|
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||||
|
}
|
||||||
|
/* TLSEXT callback return codes:
|
||||||
|
* - SSL_TLSEXT_ERR_OK
|
||||||
|
* - SSL_TLSEXT_ERR_ALERT_WARNING
|
||||||
|
* - SSL_TLSEXT_ERR_ALERT_FATAL
|
||||||
|
* - SSL_TLSEXT_ERR_NOACK */
|
||||||
|
|
||||||
|
#endif /* OPENSSL_NO_TLSEXT */
|
||||||
|
|
||||||
|
/**************************************** DH initialization */
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_DH
|
||||||
|
|
||||||
|
static int init_dh(SERVICE_OPTIONS *section) {
|
||||||
|
DH *dh;
|
||||||
|
|
||||||
|
dh=read_dh(section->cert);
|
||||||
|
if(!dh)
|
||||||
|
dh=get_dh2048();
|
||||||
|
if(!dh) {
|
||||||
|
s_log(LOG_NOTICE, "DH initialization failed");
|
||||||
|
return 1; /* FAILED */
|
||||||
|
}
|
||||||
|
SSL_CTX_set_tmp_dh(section->ctx, dh);
|
||||||
|
s_log(LOG_DEBUG, "DH initialized with %d-bit key", 8*DH_size(dh));
|
||||||
|
DH_free(dh);
|
||||||
|
return 0; /* OK */
|
||||||
|
}
|
||||||
|
|
||||||
|
static DH *read_dh(char *cert) {
|
||||||
|
DH *dh;
|
||||||
|
BIO *bio;
|
||||||
|
|
||||||
|
if(!cert) {
|
||||||
|
s_log(LOG_DEBUG, "No certificate available to load DH parameters");
|
||||||
|
return NULL; /* FAILED */
|
||||||
|
}
|
||||||
|
bio=BIO_new_file(cert, "r");
|
||||||
|
if(!bio) {
|
||||||
|
sslerror("BIO_new_file");
|
||||||
|
return NULL; /* FAILED */
|
||||||
|
}
|
||||||
|
dh=PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
|
||||||
|
BIO_free(bio);
|
||||||
|
if(!dh) {
|
||||||
|
while(ERR_get_error())
|
||||||
|
; /* OpenSSL error queue cleanup */
|
||||||
|
s_log(LOG_DEBUG, "Could not load DH parameters from %s", cert);
|
||||||
|
return NULL; /* FAILED */
|
||||||
|
}
|
||||||
|
s_log(LOG_DEBUG, "Using DH parameters from %s", cert);
|
||||||
|
return dh;
|
||||||
|
}
|
||||||
|
|
||||||
|
static DH *get_dh2048() {
|
||||||
|
static unsigned char dh2048_p[]={ /* OpenSSL DH parameters */
|
||||||
|
0xED,0x92,0x89,0x35,0x82,0x45,0x55,0xCB,0x3B,0xFB,0xA2,0x76,
|
||||||
|
0x5A,0x69,0x04,0x61,0xBF,0x21,0xF3,0xAB,0x53,0xD2,0xCD,0x21,
|
||||||
|
0xDA,0xFF,0x78,0x19,0x11,0x52,0xF1,0x0E,0xC1,0xE2,0x55,0xBD,
|
||||||
|
0x68,0x6F,0x68,0x00,0x53,0xB9,0x22,0x6A,0x2F,0xE4,0x9A,0x34,
|
||||||
|
0x1F,0x65,0xCC,0x59,0x32,0x8A,0xBD,0xB1,0xDB,0x49,0xED,0xDF,
|
||||||
|
0xA7,0x12,0x66,0xC3,0xFD,0x21,0x04,0x70,0x18,0xF0,0x7F,0xD6,
|
||||||
|
0xF7,0x58,0x51,0x19,0x72,0x82,0x7B,0x22,0xA9,0x34,0x18,0x1D,
|
||||||
|
0x2F,0xCB,0x21,0xCF,0x6D,0x92,0xAE,0x43,0xB6,0xA8,0x29,0xC7,
|
||||||
|
0x27,0xA3,0xCB,0x00,0xC5,0xF2,0xE5,0xFB,0x0A,0xA4,0x59,0x85,
|
||||||
|
0xA2,0xBD,0xAD,0x45,0xF0,0xB3,0xAD,0xF9,0xE0,0x81,0x35,0xEE,
|
||||||
|
0xD9,0x83,0xB3,0xCC,0xAE,0xEA,0xEB,0x66,0xE6,0xA9,0x57,0x66,
|
||||||
|
0xB9,0xF1,0x28,0xA5,0x3F,0x22,0x80,0xD7,0x0B,0xA6,0xF6,0x71,
|
||||||
|
0x93,0x9B,0x81,0x0E,0xF8,0x5A,0x90,0xE6,0xCC,0xCA,0x6F,0x66,
|
||||||
|
0x5F,0x7A,0xC0,0x10,0x1A,0x1E,0xF0,0xFC,0x2D,0xB6,0x08,0x0C,
|
||||||
|
0x62,0x28,0xB0,0xEC,0xDB,0x89,0x28,0xEE,0x0C,0xA8,0x3D,0x65,
|
||||||
|
0x94,0x69,0x16,0x69,0x53,0x3C,0x53,0x60,0x13,0xB0,0x2B,0xA7,
|
||||||
|
0xD4,0x82,0x87,0xAD,0x1C,0x72,0x9E,0x41,0x35,0xFC,0xC2,0x7C,
|
||||||
|
0xE9,0x51,0xDE,0x61,0x85,0xFC,0x19,0x9B,0x76,0x60,0x0F,0x33,
|
||||||
|
0xF8,0x6B,0xB3,0xCA,0x52,0x0E,0x29,0xC3,0x07,0xE8,0x90,0x16,
|
||||||
|
0xCC,0xCC,0x00,0x19,0xB6,0xAD,0xC3,0xA4,0x30,0x8B,0x33,0xA1,
|
||||||
|
0xAF,0xD8,0x8C,0x8D,0x9D,0x01,0xDB,0xA4,0xC4,0xDD,0x7F,0x0B,
|
||||||
|
0xBD,0x6F,0x38,0xC3,};
|
||||||
|
static unsigned char dh2048_g[]={0x02,};
|
||||||
|
DH *dh;
|
||||||
|
|
||||||
|
dh=DH_new();
|
||||||
|
if(!dh)
|
||||||
|
return NULL;
|
||||||
|
dh->p=BN_bin2bn(dh2048_p, sizeof dh2048_p, NULL);
|
||||||
|
dh->g=BN_bin2bn(dh2048_g, sizeof dh2048_g, NULL);
|
||||||
|
if(!dh->p || !dh->g) {
|
||||||
|
DH_free(dh);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
s_log(LOG_DEBUG, "Using hardcoded DH parameters");
|
||||||
|
return dh;
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* OPENSSL_NO_DH */
|
||||||
|
|
||||||
|
/**************************************** ECDH initialization */
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_ECDH
|
||||||
|
static int init_ecdh(SERVICE_OPTIONS *section) {
|
||||||
|
EC_KEY *ecdh;
|
||||||
|
|
||||||
|
ecdh=EC_KEY_new_by_curve_name(section->curve);
|
||||||
|
if(!ecdh) {
|
||||||
|
s_log(LOG_ERR, "Unable to create curve %s",
|
||||||
|
OBJ_nid2ln(section->curve));
|
||||||
|
return 1; /* FAILED */
|
||||||
|
}
|
||||||
|
SSL_CTX_set_tmp_ecdh(section->ctx, ecdh);
|
||||||
|
EC_KEY_free(ecdh);
|
||||||
|
s_log(LOG_DEBUG, "ECDH initialized with curve %s",
|
||||||
|
OBJ_nid2ln(section->curve));
|
||||||
|
return 0; /* OK */
|
||||||
|
}
|
||||||
|
#endif /* OPENSSL_NO_ECDH */
|
||||||
|
|
||||||
|
/**************************************** loading certificate */
|
||||||
|
|
||||||
|
static int cache_initialized=0;
|
||||||
|
|
||||||
|
static int load_certificate(SERVICE_OPTIONS *section) {
|
||||||
|
int i, reason;
|
||||||
|
UI_DATA ui_data;
|
||||||
|
#ifdef HAVE_OSSL_ENGINE_H
|
||||||
|
EVP_PKEY *pkey;
|
||||||
|
UI_METHOD *ui_method;
|
||||||
|
#endif
|
||||||
|
struct stat st; /* buffer for stat */
|
||||||
|
|
||||||
|
/* check if certificate exists */
|
||||||
|
if(!section->key) /* key file not specified */
|
||||||
|
section->key=section->cert;
|
||||||
|
#ifdef HAVE_OSSL_ENGINE_H
|
||||||
|
if(!section->engine)
|
||||||
|
#endif
|
||||||
|
if(section->key) {
|
||||||
|
if(stat(section->key, &st)) {
|
||||||
|
ioerror(section->key);
|
||||||
|
return 1; /* FAILED */
|
||||||
|
}
|
||||||
|
#if !defined(USE_WIN32) && !defined(USE_OS2)
|
||||||
|
if(st.st_mode & 7)
|
||||||
|
s_log(LOG_WARNING, "Insecure file permissions on %s",
|
||||||
|
section->key);
|
||||||
|
#endif /* defined USE_WIN32 */
|
||||||
|
}
|
||||||
|
|
||||||
|
if(!section->cert) /* no certificate specified */
|
||||||
|
return 0; /* OK */
|
||||||
|
|
||||||
|
ui_data.section=section; /* setup current section for callbacks */
|
||||||
|
|
||||||
|
s_log(LOG_DEBUG, "Certificate: %s", section->cert);
|
||||||
|
if(!SSL_CTX_use_certificate_chain_file(section->ctx, section->cert)) {
|
||||||
|
s_log(LOG_ERR, "Error reading certificate file: %s", section->cert);
|
||||||
|
sslerror("SSL_CTX_use_certificate_chain_file");
|
||||||
|
return 1; /* FAILED */
|
||||||
|
}
|
||||||
|
s_log(LOG_DEBUG, "Certificate loaded");
|
||||||
|
|
||||||
|
s_log(LOG_DEBUG, "Key file: %s", section->key);
|
||||||
|
#if defined(USE_WIN32) || OPENSSL_VERSION_NUMBER>=0x0090700fL
|
||||||
|
SSL_CTX_set_default_passwd_cb(section->ctx, password_cb);
|
||||||
|
#endif
|
||||||
|
#ifdef HAVE_OSSL_ENGINE_H
|
||||||
|
#ifdef USE_WIN32
|
||||||
|
ui_method=UI_create_method("stunnel WIN32 UI");
|
||||||
|
UI_method_set_reader(ui_method, pin_cb);
|
||||||
|
#else /* USE_WIN32 */
|
||||||
|
ui_method=UI_OpenSSL();
|
||||||
|
#endif /* USE_WIN32 */
|
||||||
|
if(section->engine)
|
||||||
|
for(i=1; i<=3; i++) {
|
||||||
|
pkey=ENGINE_load_private_key(section->engine, section->key,
|
||||||
|
ui_method, &ui_data);
|
||||||
|
if(!pkey) {
|
||||||
|
reason=ERR_GET_REASON(ERR_peek_error());
|
||||||
|
if(i<=2 && (reason==7 || reason==160)) { /* wrong PIN */
|
||||||
|
sslerror_queue(); /* dump the error queue */
|
||||||
|
s_log(LOG_ERR, "Wrong PIN: retrying");
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
sslerror("ENGINE_load_private_key");
|
||||||
|
return 1; /* FAILED */
|
||||||
|
}
|
||||||
|
if(SSL_CTX_use_PrivateKey(section->ctx, pkey))
|
||||||
|
break; /* success */
|
||||||
|
sslerror("SSL_CTX_use_PrivateKey");
|
||||||
|
return 1; /* FAILED */
|
||||||
|
}
|
||||||
|
else
|
||||||
|
#endif /* HAVE_OSSL_ENGINE_H */
|
||||||
|
for(i=0; i<=3; i++) {
|
||||||
|
if(!i && !cache_initialized)
|
||||||
|
continue; /* there is no cached value */
|
||||||
|
SSL_CTX_set_default_passwd_cb_userdata(section->ctx,
|
||||||
|
i ? &ui_data : NULL); /* try the cached password first */
|
||||||
|
if(SSL_CTX_use_PrivateKey_file(section->ctx, section->key,
|
||||||
|
SSL_FILETYPE_PEM))
|
||||||
|
break;
|
||||||
|
reason=ERR_GET_REASON(ERR_peek_error());
|
||||||
|
if(i<=2 && reason==EVP_R_BAD_DECRYPT) {
|
||||||
|
sslerror_queue(); /* dump the error queue */
|
||||||
|
s_log(LOG_ERR, "Wrong pass phrase: retrying");
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
sslerror("SSL_CTX_use_PrivateKey_file");
|
||||||
|
return 1; /* FAILED */
|
||||||
|
}
|
||||||
|
if(!SSL_CTX_check_private_key(section->ctx)) {
|
||||||
|
sslerror("Private key does not match the certificate");
|
||||||
|
return 1; /* FAILED */
|
||||||
|
}
|
||||||
|
s_log(LOG_DEBUG, "Private key loaded");
|
||||||
|
return 0; /* OK */
|
||||||
|
}
|
||||||
|
|
||||||
|
#if defined(USE_WIN32) || OPENSSL_VERSION_NUMBER>=0x0090700fL
|
||||||
|
static int password_cb(char *buf, int size, int rwflag, void *userdata) {
|
||||||
|
static char cache[PEM_BUFSIZE];
|
||||||
|
int len;
|
||||||
|
|
||||||
|
if(size>PEM_BUFSIZE)
|
||||||
|
size=PEM_BUFSIZE;
|
||||||
|
|
||||||
|
if(userdata) { /* prompt the user */
|
||||||
|
#ifdef USE_WIN32
|
||||||
|
len=passwd_cb(buf, size, rwflag, userdata);
|
||||||
|
#else
|
||||||
|
/* PEM_def_callback is defined in OpenSSL 0.9.7 and later */
|
||||||
|
len=PEM_def_callback(buf, size, rwflag, NULL);
|
||||||
|
#endif
|
||||||
|
memcpy(cache, buf, size); /* save in cache */
|
||||||
|
cache_initialized=1;
|
||||||
|
} else { /* try the cached value */
|
||||||
|
strncpy(buf, cache, size);
|
||||||
|
buf[size-1]='\0';
|
||||||
|
len=strlen(buf);
|
||||||
|
}
|
||||||
|
return len;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/**************************************** session cache callbacks */
|
||||||
|
|
||||||
|
#define CACHE_CMD_NEW 0x00
|
||||||
|
#define CACHE_CMD_GET 0x01
|
||||||
|
#define CACHE_CMD_REMOVE 0x02
|
||||||
|
#define CACHE_RESP_ERR 0x80
|
||||||
|
#define CACHE_RESP_OK 0x81
|
||||||
|
|
||||||
|
static int sess_new_cb(SSL *ssl, SSL_SESSION *sess) {
|
||||||
|
unsigned char *val, *val_tmp;
|
||||||
|
int val_len;
|
||||||
|
|
||||||
|
val_len=i2d_SSL_SESSION(sess, NULL);
|
||||||
|
val_tmp=val=str_alloc(val_len);
|
||||||
|
i2d_SSL_SESSION(sess, &val_tmp);
|
||||||
|
|
||||||
|
cache_transfer(ssl->ctx, CACHE_CMD_NEW, SSL_SESSION_get_timeout(sess),
|
||||||
|
sess->session_id, sess->session_id_length, val, val_len, NULL, NULL);
|
||||||
|
str_free(val);
|
||||||
|
return 1; /* leave the session in local cache for reuse */
|
||||||
|
}
|
||||||
|
|
||||||
|
static SSL_SESSION *sess_get_cb(SSL *ssl,
|
||||||
|
unsigned char *key, int key_len, int *do_copy) {
|
||||||
|
unsigned char *val, *val_tmp=NULL;
|
||||||
|
unsigned int val_len=0;
|
||||||
|
SSL_SESSION *sess;
|
||||||
|
|
||||||
|
*do_copy = 0; /* allow the session to be freed autmatically */
|
||||||
|
cache_transfer(ssl->ctx, CACHE_CMD_GET, 0,
|
||||||
|
key, key_len, NULL, 0, &val, &val_len);
|
||||||
|
if(!val)
|
||||||
|
return NULL;
|
||||||
|
val_tmp=val;
|
||||||
|
sess=d2i_SSL_SESSION(NULL,
|
||||||
|
#if OPENSSL_VERSION_NUMBER>=0x0090800fL
|
||||||
|
(const unsigned char **)
|
||||||
|
#endif /* OpenSSL version >= 0.8.0 */
|
||||||
|
&val_tmp, val_len);
|
||||||
|
str_free(val);
|
||||||
|
return sess;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void sess_remove_cb(SSL_CTX *ctx, SSL_SESSION *sess) {
|
||||||
|
cache_transfer(ctx, CACHE_CMD_REMOVE, 0,
|
||||||
|
sess->session_id, sess->session_id_length, NULL, 0, NULL, NULL);
|
||||||
|
}
|
||||||
|
|
||||||
|
#define MAX_VAL_LEN 512
|
||||||
|
typedef struct {
|
||||||
|
u_char version, type;
|
||||||
|
u_short timeout;
|
||||||
|
u_char key[SSL_MAX_SSL_SESSION_ID_LENGTH];
|
||||||
|
u_char val[MAX_VAL_LEN];
|
||||||
|
} CACHE_PACKET;
|
||||||
|
|
||||||
|
static void cache_transfer(SSL_CTX *ctx, const unsigned int type,
|
||||||
|
const unsigned int timeout,
|
||||||
|
const unsigned char *key, const unsigned int key_len,
|
||||||
|
const unsigned char *val, const unsigned int val_len,
|
||||||
|
unsigned char **ret, unsigned int *ret_len) {
|
||||||
|
char session_id_txt[2*SSL_MAX_SSL_SESSION_ID_LENGTH+1];
|
||||||
|
const char hex[16]="0123456789ABCDEF";
|
||||||
|
const char *type_description[]={"new", "get", "remove"};
|
||||||
|
unsigned int i;
|
||||||
|
int s, len;
|
||||||
|
struct timeval t;
|
||||||
|
CACHE_PACKET *packet;
|
||||||
|
SERVICE_OPTIONS *section;
|
||||||
|
|
||||||
|
if(ret) /* set error as the default result if required */
|
||||||
|
*ret=NULL;
|
||||||
|
|
||||||
|
/* log the request information */
|
||||||
|
for(i=0; i<key_len && i<SSL_MAX_SSL_SESSION_ID_LENGTH; ++i) {
|
||||||
|
session_id_txt[2*i]=hex[key[i]>>4];
|
||||||
|
session_id_txt[2*i+1]=hex[key[i]&0x0f];
|
||||||
|
}
|
||||||
|
session_id_txt[2*i]='\0';
|
||||||
|
s_log(LOG_INFO,
|
||||||
|
"cache_transfer: request=%s, timeout=%u, id=%s, length=%d",
|
||||||
|
type_description[type], timeout, session_id_txt, val_len);
|
||||||
|
|
||||||
|
/* allocate UDP packet buffer */
|
||||||
|
if(key_len>SSL_MAX_SSL_SESSION_ID_LENGTH) {
|
||||||
|
s_log(LOG_ERR, "cache_transfer: session id too big (%d bytes)",
|
||||||
|
key_len);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
if(val_len>MAX_VAL_LEN) {
|
||||||
|
s_log(LOG_ERR, "cache_transfer: encoded session too big (%d bytes)",
|
||||||
|
key_len);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
packet=str_alloc(sizeof(CACHE_PACKET));
|
||||||
|
|
||||||
|
/* setup packet */
|
||||||
|
packet->version=1;
|
||||||
|
packet->type=type;
|
||||||
|
packet->timeout=htons((u_short)(timeout<64800?timeout:64800));/* 18 hours */
|
||||||
|
memcpy(packet->key, key, key_len);
|
||||||
|
memcpy(packet->val, val, val_len);
|
||||||
|
|
||||||
|
/* create the socket */
|
||||||
|
s=s_socket(AF_INET, SOCK_DGRAM, 0, 0, "cache_transfer: socket");
|
||||||
|
if(s<0) {
|
||||||
|
str_free(packet);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* retrieve pointer to the section structure of this ctx */
|
||||||
|
section=SSL_CTX_get_ex_data(ctx, opt_index);
|
||||||
|
if(sendto(s, (void *)packet, sizeof(CACHE_PACKET)-MAX_VAL_LEN+val_len, 0,
|
||||||
|
&section->sessiond_addr.sa, addr_len(&section->sessiond_addr))<0) {
|
||||||
|
sockerror("cache_transfer: sendto");
|
||||||
|
closesocket(s);
|
||||||
|
str_free(packet);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if(!ret || !ret_len) { /* no response is required */
|
||||||
|
closesocket(s);
|
||||||
|
str_free(packet);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* set recvfrom timeout to 200ms */
|
||||||
|
t.tv_sec=0;
|
||||||
|
t.tv_usec=200;
|
||||||
|
if(setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, (void *)&t, sizeof t)<0) {
|
||||||
|
sockerror("cache_transfer: setsockopt SO_RCVTIMEO");
|
||||||
|
closesocket(s);
|
||||||
|
str_free(packet);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* retrieve response */
|
||||||
|
len=recv(s, (void *)packet, sizeof(CACHE_PACKET), 0);
|
||||||
|
closesocket(s);
|
||||||
|
if(len<0) {
|
||||||
|
if(get_last_socket_error()==S_EWOULDBLOCK ||
|
||||||
|
get_last_socket_error()==S_EAGAIN)
|
||||||
|
s_log(LOG_INFO, "cache_transfer: recv timeout");
|
||||||
|
else
|
||||||
|
sockerror("cache_transfer: recv");
|
||||||
|
str_free(packet);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* parse results */
|
||||||
|
if(len<(int)sizeof(CACHE_PACKET)-MAX_VAL_LEN || /* too short */
|
||||||
|
packet->version!=1 || /* wrong version */
|
||||||
|
memcmp(packet->key, key, key_len)) { /* wrong session id */
|
||||||
|
s_log(LOG_DEBUG, "cache_transfer: malformed packet received");
|
||||||
|
str_free(packet);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
if(packet->type!=CACHE_RESP_OK) {
|
||||||
|
s_log(LOG_INFO, "cache_transfer: session not found");
|
||||||
|
str_free(packet);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
*ret_len=len-(sizeof(CACHE_PACKET)-MAX_VAL_LEN);
|
||||||
|
*ret=str_alloc(*ret_len);
|
||||||
|
s_log(LOG_INFO, "cache_transfer: session found");
|
||||||
|
memcpy(*ret, packet->val, *ret_len);
|
||||||
|
str_free(packet);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**************************************** informational callback */
|
||||||
|
|
||||||
|
static void info_callback(
|
||||||
|
#if OPENSSL_VERSION_NUMBER>=0x0090700fL
|
||||||
|
const
|
||||||
|
#endif
|
||||||
|
SSL *ssl, int where, int ret) {
|
||||||
|
if(where & SSL_CB_LOOP) {
|
||||||
|
s_log(LOG_DEBUG, "SSL state (%s): %s",
|
||||||
|
where & SSL_ST_CONNECT ? "connect" :
|
||||||
|
where & SSL_ST_ACCEPT ? "accept" :
|
||||||
|
"undefined", SSL_state_string_long(ssl));
|
||||||
|
} else if(where & SSL_CB_ALERT) {
|
||||||
|
s_log(LOG_DEBUG, "SSL alert (%s): %s: %s",
|
||||||
|
where & SSL_CB_READ ? "read" : "write",
|
||||||
|
SSL_alert_type_string_long(ret),
|
||||||
|
SSL_alert_desc_string_long(ret));
|
||||||
|
} else if(where==SSL_CB_HANDSHAKE_DONE) {
|
||||||
|
s_log(LOG_DEBUG, "%4ld items in the session cache",
|
||||||
|
SSL_CTX_sess_number(ssl->ctx));
|
||||||
|
s_log(LOG_DEBUG, "%4ld client connects (SSL_connect())",
|
||||||
|
SSL_CTX_sess_connect(ssl->ctx));
|
||||||
|
s_log(LOG_DEBUG, "%4ld client connects that finished",
|
||||||
|
SSL_CTX_sess_connect_good(ssl->ctx));
|
||||||
|
s_log(LOG_DEBUG, "%4ld client renegotiations requested",
|
||||||
|
SSL_CTX_sess_connect_renegotiate(ssl->ctx));
|
||||||
|
s_log(LOG_DEBUG, "%4ld server connects (SSL_accept())",
|
||||||
|
SSL_CTX_sess_accept(ssl->ctx));
|
||||||
|
s_log(LOG_DEBUG, "%4ld server connects that finished",
|
||||||
|
SSL_CTX_sess_accept_good(ssl->ctx));
|
||||||
|
s_log(LOG_DEBUG, "%4ld server renegotiations requested",
|
||||||
|
SSL_CTX_sess_accept_renegotiate(ssl->ctx));
|
||||||
|
s_log(LOG_DEBUG, "%4ld session cache hits",
|
||||||
|
SSL_CTX_sess_hits(ssl->ctx));
|
||||||
|
s_log(LOG_DEBUG, "%4ld external session cache hits",
|
||||||
|
SSL_CTX_sess_cb_hits(ssl->ctx));
|
||||||
|
s_log(LOG_DEBUG, "%4ld session cache misses",
|
||||||
|
SSL_CTX_sess_misses(ssl->ctx));
|
||||||
|
s_log(LOG_DEBUG, "%4ld session cache timeouts",
|
||||||
|
SSL_CTX_sess_timeouts(ssl->ctx));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**************************************** SSL error reporting */
|
||||||
|
|
||||||
|
void sslerror(char *txt) { /* OpenSSL error handler */
|
||||||
|
unsigned long err;
|
||||||
|
|
||||||
|
err=ERR_get_error();
|
||||||
|
if(err) {
|
||||||
|
sslerror_queue();
|
||||||
|
sslerror_log(err, txt);
|
||||||
|
} else {
|
||||||
|
s_log(LOG_ERR, "%s: Peer suddenly disconnected", txt);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static void sslerror_queue(void) { /* recursive dump of the error queue */
|
||||||
|
unsigned long err;
|
||||||
|
|
||||||
|
err=ERR_get_error();
|
||||||
|
if(err) {
|
||||||
|
sslerror_queue();
|
||||||
|
sslerror_log(err, "error queue");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static void sslerror_log(unsigned long err, char *txt) {
|
||||||
|
char *error_string;
|
||||||
|
|
||||||
|
error_string=str_alloc(120);
|
||||||
|
ERR_error_string(err, error_string);
|
||||||
|
s_log(LOG_ERR, "%s: %lX: %s", txt, err, error_string);
|
||||||
|
str_free(error_string);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* end of ctx.c */
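Review bot: in cache_transfer the receive timeout does not match its comment: the comment says "set recvfrom timeout to 200ms", but the code sets t.tv_sec=0 and t.tv_usec=200, which is 200 microseconds; it should be t.tv_usec=200000, otherwise lookups against a sessiond that is not on the same host will routinely end in "cache_transfer: recv timeout" and the external cache is never hit. In the same function the UDP socket is never connected, so the recv() after sendto() accepts a datagram from any source address; the only checks applied to the reply are packet->version!=1 and that packet->key equals the session id, and that id is the value the TLS client itself put in its ClientHello. Calling connect() on the socket with section->sessiond_addr before the send (and then using send()/recv()) makes the kernel discard datagrams from other peers; the CACHE_PACKET format carries no authentication at all, which the documentation of the sessiond option should say. Two smaller defects in the same region: the "cache_transfer: encoded session too big (%d bytes)" message prints key_len where it should print val_len, and in load_certificate the engine branch never calls EVP_PKEY_free(pkey), neither after a successful SSL_CTX_use_PrivateKey (which takes its own reference) nor on the early return when it fails. Finally, the #endif comments "#endif /* USE_ECDH */" (after #ifndef OPENSSL_NO_ECDH) and "#endif /* defined USE_WIN32 */" (after #if !defined(USE_WIN32) && !defined(USE_OS2)) do not match the conditions they close.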
70
src/env.c
Normal file
@ -0,0 +1,70 @@
/*
|
||||||
|
* stunnel Universal SSL tunnel
|
||||||
|
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
* Free Software Foundation; either version 2 of the License, or (at your
|
||||||
|
* option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||||
|
* See the GNU General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License along
|
||||||
|
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||||
|
*
|
||||||
|
* Linking stunnel statically or dynamically with other modules is making
|
||||||
|
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||||
|
* the GNU General Public License cover the whole combination.
|
||||||
|
*
|
||||||
|
* In addition, as a special exception, the copyright holder of stunnel
|
||||||
|
* gives you permission to combine stunnel with free software programs or
|
||||||
|
* libraries that are released under the GNU LGPL and with code included
|
||||||
|
* in the standard release of OpenSSL under the OpenSSL License (or
|
||||||
|
* modified versions of such code, with unchanged license). You may copy
|
||||||
|
* and distribute such a system following the terms of the GNU GPL for
|
||||||
|
* stunnel and the licenses of the other code concerned.
|
||||||
|
*
|
||||||
|
* Note that people who make modified versions of stunnel are not obligated
|
||||||
|
* to grant this special exception for their modified versions; it is their
|
||||||
|
* choice whether to do so. The GNU General Public License gives permission
|
||||||
|
* to release a modified version without this exception; this exception
|
||||||
|
* also makes it possible to release a modified version which carries
|
||||||
|
* forward this exception.
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* getpeername() can't be declared in the following includes */
|
||||||
|
#define getpeername no_getpeername
|
||||||
|
#include <sys/types.h>
|
||||||
|
#include <sys/socket.h> /* for AF_INET */
|
||||||
|
#include <netinet/in.h>
|
||||||
|
#include <arpa/inet.h> /* for inet_addr() */
|
||||||
|
#include <stdlib.h> /* for getenv() */
|
||||||
|
#ifdef __BEOS__
|
||||||
|
#include <be/bone/arpa/inet.h> /* for AF_INET */
|
||||||
|
#include <be/bone/sys/socket.h> /* for AF_INET */
|
||||||
|
#else
|
||||||
|
#include <sys/socket.h> /* for AF_INET */
|
||||||
|
#endif
|
||||||
|
#undef getpeername
|
||||||
|
|
||||||
|
int getpeername(int s, struct sockaddr_in *name, int *len) {
|
||||||
|
char *value;
|
||||||
|
|
||||||
|
(void)s; /* skip warning about unused parameter */
|
||||||
|
(void)len; /* skip warning about unused parameter */
|
||||||
|
name->sin_family=AF_INET;
|
||||||
|
if((value=getenv("REMOTE_HOST")))
|
||||||
|
name->sin_addr.s_addr=inet_addr(value);
|
||||||
|
else
|
||||||
|
name->sin_addr.s_addr=htonl(INADDR_ANY);
|
||||||
|
if((value=getenv("REMOTE_PORT")))
|
||||||
|
name->sin_port=htons(atoi(value));
|
||||||
|
else
|
||||||
|
name->sin_port=htons(0); /* dynamic port allocation */
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* end of env.c */
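Review bot: the getpeername() replacement validates neither its inputs nor its output buffer. The len argument is ignored, so nothing checks that the caller supplied at least sizeof(struct sockaddr_in) bytes and *len is never set to the length written; REMOTE_HOST goes through inet_addr(), whose failure value INADDR_NONE (255.255.255.255) is stored as if it were a valid address; and REMOTE_PORT goes through atoi() with no range check, so a value such as 70000 is silently truncated by htons(). Check *len >= sizeof(struct sockaddr_in) and return -1 otherwise, write back *len on success, parse the address with inet_aton() or inet_pton() and reject a failed parse, and parse the port with strtol() limited to 0..65535. Also, <sys/socket.h> is included twice (once before the __BEOS__ block and again in its #else branch), and the prototype's int *len should be socklen_t *len to match the libc declaration this function shadows.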
141
src/evc.mak
Normal file
@ -0,0 +1,141 @@
# wce.mak for stunnel.exe by Michal Trojnara 2006-2012
|
||||||
|
# with help of Pierre Delaage <delaage.pierre@free.fr>
|
||||||
|
#
|
||||||
|
# DEFAULTLIB management: only 2 are necessary
|
||||||
|
# defaultlibS as given for CLxxx in the MS doc ARE WRONG
|
||||||
|
|
||||||
|
# !!!!!!!!!!!!!!
|
||||||
|
# CUSTOMIZE THIS according to your wcecompat and openssl directories
|
||||||
|
# !!!!!!!!!!!!!!
|
||||||
|
|
||||||
|
# Modify this to point to your actual openssl compile directory
|
||||||
|
# (You did already compile openssl, didn't you???)
|
||||||
|
SSLDIR=C:\Users\standard\Documents\Dvts\Contrib\openssl\v1.0.0a\patched3
|
||||||
|
|
||||||
|
# Note that we currently use a multi-target customized version of legacy Essemer/wcecompat lib
|
||||||
|
COMPATDIR=C:\Users\standard\Documents\Dvts\Contrib\wcecompat\v12\patchedX86
|
||||||
|
|
||||||
|
WCEVER=420
|
||||||
|
|
||||||
|
# !!!!!!!!!!!!!!!!!!
|
||||||
|
# END CUSTOMIZATION
|
||||||
|
# !!!!!!!!!!!!!!!!!!
|
||||||
|
|
||||||
|
!IF "$(TARGETCPU)"=="X86"
|
||||||
|
WCETARGETCPU=_X86_
|
||||||
|
LDTARGETCPU=X86
|
||||||
|
MORECFLAGS=/MT
|
||||||
|
|
||||||
|
# TODO: continue list for other targets : see wcecompat/wcedefs.mak for a good ref.
|
||||||
|
# see also openssl/util/pl/vc-32.pl, also link /?
|
||||||
|
# for LDTARGETCPU: /MACHINE:{AM33|ARM|IA64|M32R|MIPS|MIPS16|MIPSFPU|MIPSFPU16|MIPSR41XX|SH3|SH3DSP|SH4|SH5|THUMB|X86}
|
||||||
|
# see wce/include/winnt.h for other "target architecture" flag
|
||||||
|
|
||||||
|
!ELSEIF "$(TARGETCPU)"=="emulator"
|
||||||
|
WCETARGETCPU=_X86_
|
||||||
|
LDTARGETCPU=X86
|
||||||
|
MORECFLAGS=/MT
|
||||||
|
|
||||||
|
!ELSEIF "$(TARGETCPU)"=="MIPS16" || "$(TARGETCPU)"=="MIPSII" || "$(TARGETCPU)"=="MIPSII_FP" || "$(TARGETCPU)"=="MIPSIV" || "$(TARGETCPU)"=="MIPSIV_FP"
|
||||||
|
WCETARGETCPU=_MIPS_
|
||||||
|
LDTARGETCPU=MIPS
|
||||||
|
MORECFLAGS=/DMIPS /MC
|
||||||
|
|
||||||
|
!ELSEIF "$(TARGETCPU)"=="SH3" || "$(TARGETCPU)"=="SH4"
|
||||||
|
WCETARGETCPU=SHx
|
||||||
|
LDTARGETCPU=$(TARGETCPU)
|
||||||
|
MORECFLAGS=/MC
|
||||||
|
|
||||||
|
!ELSE
|
||||||
|
# default is ARM !
|
||||||
|
# !IF "$(TARGETCPU)"=="ARMV4" || "$(TARGETCPU)"=="ARMV4I" || "$(TARGETCPU)"=="ARMV4T"
|
||||||
|
# the following flag is required by (eg) winnt.h, and is different from targetcpu (armV4)
|
||||||
|
WCETARGETCPU=ARM
|
||||||
|
LDTARGETCPU=ARM
|
||||||
|
MORECFLAGS=/MC
|
||||||
|
|
||||||
|
!ENDIF
|
||||||
|
|
||||||
|
# ceutilsdir probably useless (nb : were tools from essemer; but ms delivers a cecopy anyway, see ms dld site)
|
||||||
|
CEUTILSDIR=..\..\ceutils
|
||||||
|
# "ce:" is not a correct location , but we never "make install"
|
||||||
|
DSTDIR=ce:\stunnel
|
||||||
|
# use MS env vars, as in wcecompat and openssl makefiles
|
||||||
|
SDKDIR=$(SDKROOT)\$(OSVERSION)\$(PLATFORM)
|
||||||
|
INCLUDES=-I$(SSLDIR)\inc32 -I$(COMPATDIR)\include -I"$(SDKDIR)\include\$(TARGETCPU)"
|
||||||
|
# for X86 and other it appears that /MC or /ML flags are absurd,
|
||||||
|
# we always have to override runtime lib list to coredll and corelibc
|
||||||
|
LIBS=/NODEFAULTLIB coredll.lib corelibc.lib winsock.lib wcecompatex.lib libeay32.lib ssleay32.lib
|
||||||
|
|
||||||
|
DEFINES=/DHOST=\"$(TARGETCPU)-WCE-eVC-$(WCEVER)\"
|
||||||
|
# /O1 /Oi more correct vs MS doc
|
||||||
|
CFLAGS=/nologo $(MORECFLAGS) /O1 /Oi /W3 /WX /GF /Gy $(DEFINES) /D$(WCETARGETCPU) /D$(TARGETCPU) /DUNDER_CE=$(WCEVER) /D_WIN32_WCE=$(WCEVER) /DUNICODE -D_UNICODE $(INCLUDES)
|
||||||
|
RFLAGS=$(DEFINES) $(INCLUDES)
|
||||||
|
# LDFLAGS: since openssl >> 098a (eg 098h) out32dll is out32dll_targetCPU for WCE
|
||||||
|
# delaage added $(TARGETCPU) in legacy Essemer/wcecompat libpath
|
||||||
|
# to ease multitarget compilation without recompiling everything
|
||||||
|
# this customized version is available on:
|
||||||
|
# http://delaage.pierre.free.fr/contrib/wcecompat/wcecompat12_patched.zip
|
||||||
|
|
||||||
|
LDFLAGS=/nologo /subsystem:windowsce,3.00 /machine:$(LDTARGETCPU) /libpath:"$(SDKDIR)\lib\$(TARGETCPU)" /libpath:"$(COMPATDIR)\lib\$(TARGETCPU)" /libpath:"$(SSLDIR)\out32dll_$(TARGETCPU)"
|
||||||
|
|
||||||
|
# Multi-target support for stunnel
|
||||||
|
|
||||||
|
SRC=..\src
|
||||||
|
OBJROOT=..\obj
|
||||||
|
OBJ=$(OBJROOT)\$(TARGETCPU)
|
||||||
|
BINROOT=..\bin
|
||||||
|
BIN=$(BINROOT)\$(TARGETCPU)
|
||||||
|
|
||||||
|
OBJS=$(OBJ)\stunnel.obj $(OBJ)\ssl.obj $(OBJ)\ctx.obj $(OBJ)\verify.obj \
|
||||||
|
$(OBJ)\file.obj $(OBJ)\client.obj $(OBJ)\protocol.obj $(OBJ)\sthreads.obj \
|
||||||
|
$(OBJ)\log.obj $(OBJ)\options.obj $(OBJ)\network.obj \
|
||||||
|
$(OBJ)\resolver.obj $(OBJ)\str.obj $(OBJ)\fd.obj
|
||||||
|
|
||||||
|
GUIOBJS=$(OBJ)\gui.obj $(OBJ)\resources.res
|
||||||
|
NOGUIOBJS=$(OBJ)\nogui.obj
|
||||||
|
|
||||||
|
{$(SRC)\}.c{$(OBJ)\}.obj:
|
||||||
|
$(CC) $(CFLAGS) -Fo$@ -c $<
|
||||||
|
|
||||||
|
{$(SRC)\}.cpp{$(OBJ)\}.obj:
|
||||||
|
$(CC) $(CFLAGS) -Fo$@ -c $<
|
||||||
|
|
||||||
|
{$(SRC)\}.rc{$(OBJ)\}.res:
|
||||||
|
$(RC) $(RFLAGS) -fo$@ -r $<
|
||||||
|
|
||||||
|
all: makedirs $(BIN)\stunnel.exe $(BIN)\tstunnel.exe
|
||||||
|
|
||||||
|
makedirs:
|
||||||
|
-@ IF NOT EXIST $(OBJROOT) mkdir $(OBJROOT) >NUL 2>&1
|
||||||
|
-@ IF NOT EXIST $(OBJ) mkdir $(OBJ) >NUL 2>&1
|
||||||
|
-@ IF NOT EXIST $(BINROOT) mkdir $(BINROOT) >NUL 2>&1
|
||||||
|
-@ IF NOT EXIST $(BIN) mkdir $(BIN) >NUL 2>&1
|
||||||
|
|
||||||
|
$(BIN)\stunnel.exe:$(OBJS) $(GUIOBJS)
|
||||||
|
link $(LDFLAGS) /out:$(BIN)\stunnel.exe $(LIBS) commctrl.lib $**
|
||||||
|
|
||||||
|
$(BIN)\tstunnel.exe:$(OBJS) $(NOGUIOBJS)
|
||||||
|
link $(LDFLAGS) /out:$(BIN)\tstunnel.exe $(LIBS) $**
|
||||||
|
|
||||||
|
$(OBJ)\resources.res: $(SRC)\resources.rc $(SRC)\resources.h $(SRC)\version.h
|
||||||
|
$(OBJ)\gui.obj: $(SRC)\gui.c $(SRC)\version.h
|
||||||
|
$(OBJ)\stunnel.obj: $(SRC)\stunnel.c $(SRC)\version.h
|
||||||
|
|
||||||
|
# now list of openssl dll has more files,
|
||||||
|
# but we do not use "make install" for stunnel
|
||||||
|
# ceutils come from essemer/wcecompat website
|
||||||
|
# some tools can be found at MS website
|
||||||
|
# TODO: update all this ceutils stuff, or suppress it
|
||||||
|
|
||||||
|
install: stunnel.exe tstunnel.exe
|
||||||
|
$(CEUTILSDIR)\cemkdir $(DSTDIR) || echo Directory exists?
|
||||||
|
$(CEUTILSDIR)\cecopy stunnel.exe $(DSTDIR)
|
||||||
|
$(CEUTILSDIR)\cecopy tstunnel.exe $(DSTDIR)
|
||||||
|
$(CEUTILSDIR)\cecopy $(SSLDIR)\out32dll_$(TARGETCPU)\libeay32.dll $(DSTDIR)
|
||||||
|
$(CEUTILSDIR)\cecopy $(SSLDIR)\out32dll_$(TARGETCPU)\ssleay32.dll $(DSTDIR)
|
||||||
|
|
||||||
|
clean:
|
||||||
|
-@ IF NOT "$(TARGETCPU)"=="" del $(OBJS) $(GUIOBJS) $(NOGUIOBJS) $(BIN)\stunnel.exe $(BIN)\tstunnel.exe >NUL 2>&1
|
||||||
|
-@ IF NOT "$(TARGETCPU)"=="" rmdir $(OBJ) >NUL 2>&1
|
||||||
|
-@ IF NOT "$(TARGETCPU)"=="" rmdir $(BIN) >NUL 2>&1
|
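Review bot: the `install` target (`install: stunnel.exe tstunnel.exe`) names its prerequisites and `cecopy` sources in the makefile's own directory, while the build rules above only ever produce `$(BIN)\stunnel.exe` and `$(BIN)\tstunnel.exe`, so `nmake install` either fails on a missing prerequisite or, worse, copies whatever stale `stunnel.exe` happens to sit in the current directory onto the device. Either change the prerequisites to `$(BIN)\stunnel.exe $(BIN)\tstunnel.exe` and copy from `$(BIN)\`, or drop the target as the `TODO` comment already suggests; a dead install target that can ship the wrong binary is worse than none. Also, `cemkdir $(DSTDIR) || echo Directory exists?` swallows every `cemkdir` failure, not only the pre-existing-directory case, so the following `cecopy` calls run against a destination that may not exist.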
250
src/fd.c
Normal file
@ -0,0 +1,250 @@
|
|||||||
|
/*
|
||||||
|
* stunnel Universal SSL tunnel
|
||||||
|
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
* Free Software Foundation; either version 2 of the License, or (at your
|
||||||
|
* option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||||
|
* See the GNU General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License along
|
||||||
|
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||||
|
*
|
||||||
|
* Linking stunnel statically or dynamically with other modules is making
|
||||||
|
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||||
|
* the GNU General Public License cover the whole combination.
|
||||||
|
*
|
||||||
|
* In addition, as a special exception, the copyright holder of stunnel
|
||||||
|
* gives you permission to combine stunnel with free software programs or
|
||||||
|
* libraries that are released under the GNU LGPL and with code included
|
||||||
|
* in the standard release of OpenSSL under the OpenSSL License (or
|
||||||
|
* modified versions of such code, with unchanged license). You may copy
|
||||||
|
* and distribute such a system following the terms of the GNU GPL for
|
||||||
|
* stunnel and the licenses of the other code concerned.
|
||||||
|
*
|
||||||
|
* Note that people who make modified versions of stunnel are not obligated
|
||||||
|
* to grant this special exception for their modified versions; it is their
|
||||||
|
* choice whether to do so. The GNU General Public License gives permission
|
||||||
|
* to release a modified version without this exception; this exception
|
||||||
|
* also makes it possible to release a modified version which carries
|
||||||
|
* forward this exception.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "common.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
|
||||||
|
#if defined HAVE_PIPE2 && defined HAVE_ACCEPT4
|
||||||
|
#define USE_NEW_LINUX_API 1
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* try to use non-POSIX O_NDELAY on obsolete BSD systems */
|
||||||
|
#if !defined O_NONBLOCK && defined O_NDELAY
|
||||||
|
#define O_NONBLOCK O_NDELAY
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/**************************************** prototypes */
|
||||||
|
|
||||||
|
static int setup_fd(int, int, char *);
|
||||||
|
|
||||||
|
/**************************************** internal limit of file descriptors */
|
||||||
|
|
||||||
|
#ifndef USE_FORK
|
||||||
|
|
||||||
|
static int max_fds;
|
||||||
|
|
||||||
|
void get_limits(void) { /* set max_fds and max_clients */
|
||||||
|
/* start with current ulimit */
|
||||||
|
#if defined(HAVE_SYSCONF)
|
||||||
|
errno=0;
|
||||||
|
max_fds=sysconf(_SC_OPEN_MAX);
|
||||||
|
if(errno)
|
||||||
|
ioerror("sysconf");
|
||||||
|
if(max_fds<0)
|
||||||
|
max_fds=0; /* unlimited */
|
||||||
|
#elif defined(HAVE_GETRLIMIT)
|
||||||
|
struct rlimit rlim;
|
||||||
|
|
||||||
|
if(getrlimit(RLIMIT_NOFILE, &rlim)<0) {
|
||||||
|
ioerror("getrlimit");
|
||||||
|
max_fds=0; /* unlimited */
|
||||||
|
} else
|
||||||
|
max_fds=rlim.rlim_cur!=RLIM_INFINITY ? rlim.rlim_cur : 0;
|
||||||
|
#else
|
||||||
|
max_fds=0; /* unlimited */
|
||||||
|
#endif /* HAVE_SYSCONF || HAVE_GETRLIMIT */
|
||||||
|
|
||||||
|
#if !defined(USE_WIN32) && !defined(USE_POLL) && !defined(__INNOTEK_LIBC__)
|
||||||
|
/* apply FD_SETSIZE if select() is used on Unix */
|
||||||
|
if(!max_fds || max_fds>FD_SETSIZE)
|
||||||
|
max_fds=FD_SETSIZE; /* start with select() limit */
|
||||||
|
#endif /* select() on Unix */
|
||||||
|
|
||||||
|
/* stunnel needs at least 16 file desriptors */
|
||||||
|
if(max_fds && max_fds<16)
|
||||||
|
max_fds=16;
|
||||||
|
|
||||||
|
if(max_fds) {
|
||||||
|
max_clients=max_fds>=256 ? max_fds*125/256 : (max_fds-6)/2;
|
||||||
|
s_log(LOG_DEBUG, "Clients allowed=%d", max_clients);
|
||||||
|
} else {
|
||||||
|
max_clients=0;
|
||||||
|
s_log(LOG_DEBUG, "No limit detected for the number of clients");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/**************************************** file descriptor validation */
|
||||||
|
|
||||||
|
int s_socket(int domain, int type, int protocol, int nonblock, char *msg) {
|
||||||
|
#ifdef USE_NEW_LINUX_API
|
||||||
|
if(nonblock)
|
||||||
|
type|=SOCK_NONBLOCK;
|
||||||
|
type|=SOCK_CLOEXEC;
|
||||||
|
#endif
|
||||||
|
return setup_fd(socket(domain, type, protocol), nonblock, msg);
|
||||||
|
}
|
||||||
|
|
||||||
|
int s_accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen,
|
||||||
|
int nonblock, char *msg) {
|
||||||
|
int fd;
|
||||||
|
|
||||||
|
#ifdef USE_NEW_LINUX_API
|
||||||
|
if(nonblock)
|
||||||
|
fd=accept4(sockfd, addr, addrlen, SOCK_NONBLOCK|SOCK_CLOEXEC);
|
||||||
|
else
|
||||||
|
fd=accept4(sockfd, addr, addrlen, SOCK_CLOEXEC);
|
||||||
|
#else
|
||||||
|
fd=accept(sockfd, addr, addrlen);
|
||||||
|
#endif
|
||||||
|
return setup_fd(fd, nonblock, msg);
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifndef USE_WIN32
|
||||||
|
|
||||||
|
int s_socketpair(int domain, int type, int protocol, int sv[2],
|
||||||
|
int nonblock, char *msg) {
|
||||||
|
#ifdef USE_NEW_LINUX_API
|
||||||
|
if(nonblock)
|
||||||
|
type|=SOCK_NONBLOCK;
|
||||||
|
type|=SOCK_CLOEXEC;
|
||||||
|
#endif
|
||||||
|
if(socketpair(domain, type, protocol, sv)<0) {
|
||||||
|
ioerror(msg);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
if(setup_fd(sv[0], nonblock, msg)<0) {
|
||||||
|
closesocket(sv[1]);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
if(setup_fd(sv[1], nonblock, msg)<0) {
|
||||||
|
closesocket(sv[0]);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
int s_pipe(int pipefd[2], int nonblock, char *msg) {
|
||||||
|
int retval;
|
||||||
|
|
||||||
|
#ifdef USE_NEW_LINUX_API
|
||||||
|
if(nonblock)
|
||||||
|
retval=pipe2(pipefd, O_NONBLOCK|O_CLOEXEC);
|
||||||
|
else
|
||||||
|
retval=pipe2(pipefd, O_CLOEXEC);
|
||||||
|
#else
|
||||||
|
retval=pipe(pipefd);
|
||||||
|
#endif
|
||||||
|
if(retval<0) {
|
||||||
|
ioerror(msg);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
if(setup_fd(pipefd[0], nonblock, msg)<0) {
|
||||||
|
close(pipefd[1]);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
if(setup_fd(pipefd[1], nonblock, msg)<0) {
|
||||||
|
close(pipefd[0]);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* USE_WIN32 */
|
||||||
|
|
||||||
|
static int setup_fd(int fd, int nonblock, char *msg) {
|
||||||
|
#if !defined USE_NEW_LINUX_API && defined FD_CLOEXEC
|
||||||
|
int err;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
if(fd<0) {
|
||||||
|
sockerror(msg);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
#ifndef USE_FORK
|
||||||
|
if(max_fds && fd>=max_fds) {
|
||||||
|
s_log(LOG_ERR, "%s: FD=%d out of range (max %d)",
|
||||||
|
msg, fd, max_fds);
|
||||||
|
closesocket(fd);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef USE_NEW_LINUX_API
|
||||||
|
(void)nonblock; /* skip warning about unused parameter */
|
||||||
|
#else /* set O_NONBLOCK and F_SETFD */
|
||||||
|
set_nonblock(fd, nonblock);
|
||||||
|
#ifdef FD_CLOEXEC
|
||||||
|
do {
|
||||||
|
err=fcntl(fd, F_SETFD, FD_CLOEXEC);
|
||||||
|
} while(err<0 && get_last_socket_error()==S_EINTR);
|
||||||
|
if(err<0)
|
||||||
|
sockerror("fcntl SETFD"); /* non-critical */
|
||||||
|
#endif /* FD_CLOEXEC */
|
||||||
|
#endif /* USE_NEW_LINUX_API */
|
||||||
|
|
||||||
|
#ifdef DEBUG_FD_ALLOC
|
||||||
|
s_log(LOG_DEBUG, "%s: FD=%d allocated (%sblocking mode)",
|
||||||
|
msg, fd, nonblock?"non-":"");
|
||||||
|
#endif /* DEBUG_FD_ALLOC */
|
||||||
|
|
||||||
|
return fd;
|
||||||
|
}
|
||||||
|
|
||||||
|
void set_nonblock(int fd, unsigned long nonblock) {
|
||||||
|
#if defined F_GETFL && defined F_SETFL && defined O_NONBLOCK && !defined __INNOTEK_LIBC__
|
||||||
|
int err, flags;
|
||||||
|
|
||||||
|
do {
|
||||||
|
flags=fcntl(fd, F_GETFL, 0);
|
||||||
|
} while(flags<0 && get_last_socket_error()==S_EINTR);
|
||||||
|
if(flags<0) {
|
||||||
|
sockerror("fcntl GETFL"); /* non-critical */
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
if(nonblock)
|
||||||
|
flags|=O_NONBLOCK;
|
||||||
|
else
|
||||||
|
flags&=~O_NONBLOCK;
|
||||||
|
do {
|
||||||
|
err=fcntl(fd, F_SETFL, flags);
|
||||||
|
} while(err<0 && get_last_socket_error()==S_EINTR);
|
||||||
|
if(err<0)
|
||||||
|
sockerror("fcntl SETFL"); /* non-critical */
|
||||||
|
#else /* WIN32 or similar */
|
||||||
|
if(ioctlsocket(fd, FIONBIO, &nonblock)<0)
|
||||||
|
sockerror("ioctlsocket"); /* non-critical */
|
||||||
|
#if 0
|
||||||
|
else
|
||||||
|
s_log(LOG_DEBUG, "Socket %d set to %s mode",
|
||||||
|
fd, nonblock ? "non-blocking" : "blocking");
|
||||||
|
#endif
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
/* end of fd.c */
|
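Review bot: in `setup_fd`, a failed `fcntl(fd, F_SETFD, FD_CLOEXEC)` is logged as `/* non-critical */` and the descriptor is still returned, so on the non-`USE_NEW_LINUX_API` path a socket can be handed out without close-on-exec and is then inherited by any program the process later executes. The function already closes the descriptor and returns -1 for the out-of-range case; treat this failure the same way (`closesocket(fd); return -1;`), or, if the leak is deliberately tolerated, say why in the comment. Secondary point in `get_limits`: `max_fds` is an `int` but receives `sysconf(_SC_OPEN_MAX)` (a `long`) and `rlim.rlim_cur` (an `rlim_t`), so a very large soft limit is silently truncated, and `max_fds*125/256` multiplies in `int` before dividing; clamp `max_fds` to a sane ceiling before the arithmetic or compute it in `long`.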
223
src/file.c
Normal file
@ -0,0 +1,223 @@
|
|||||||
|
/*
|
||||||
|
* stunnel Universal SSL tunnel
|
||||||
|
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
* Free Software Foundation; either version 2 of the License, or (at your
|
||||||
|
* option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||||
|
* See the GNU General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License along
|
||||||
|
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||||
|
*
|
||||||
|
* Linking stunnel statically or dynamically with other modules is making
|
||||||
|
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||||
|
* the GNU General Public License cover the whole combination.
|
||||||
|
*
|
||||||
|
* In addition, as a special exception, the copyright holder of stunnel
|
||||||
|
* gives you permission to combine stunnel with free software programs or
|
||||||
|
* libraries that are released under the GNU LGPL and with code included
|
||||||
|
* in the standard release of OpenSSL under the OpenSSL License (or
|
||||||
|
* modified versions of such code, with unchanged license). You may copy
|
||||||
|
* and distribute such a system following the terms of the GNU GPL for
|
||||||
|
* stunnel and the licenses of the other code concerned.
|
||||||
|
*
|
||||||
|
* Note that people who make modified versions of stunnel are not obligated
|
||||||
|
* to grant this special exception for their modified versions; it is their
|
||||||
|
* choice whether to do so. The GNU General Public License gives permission
|
||||||
|
* to release a modified version without this exception; this exception
|
||||||
|
* also makes it possible to release a modified version which carries
|
||||||
|
* forward this exception.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "common.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
|
||||||
|
#ifdef USE_WIN32
|
||||||
|
|
||||||
|
DISK_FILE *file_open(char *name, int wr) {
|
||||||
|
DISK_FILE *df;
|
||||||
|
LPTSTR tstr;
|
||||||
|
HANDLE fh;
|
||||||
|
|
||||||
|
/* open file */
|
||||||
|
tstr=str2tstr(name);
|
||||||
|
fh=CreateFile(tstr, wr ? GENERIC_WRITE : GENERIC_READ,
|
||||||
|
FILE_SHARE_READ, NULL, wr ? OPEN_ALWAYS : OPEN_EXISTING,
|
||||||
|
FILE_ATTRIBUTE_NORMAL, (HANDLE)NULL);
|
||||||
|
str_free(tstr);
|
||||||
|
if(fh==INVALID_HANDLE_VALUE) {
|
||||||
|
ioerror(name);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
if(wr) /* append */
|
||||||
|
SetFilePointer(fh, 0, NULL, FILE_END);
|
||||||
|
|
||||||
|
/* setup df structure */
|
||||||
|
df=str_alloc(sizeof df);
|
||||||
|
df->fh=fh;
|
||||||
|
return df;
|
||||||
|
}
|
||||||
|
|
||||||
|
#else /* USE_WIN32 */
|
||||||
|
|
||||||
|
DISK_FILE *file_fdopen(int fd) {
|
||||||
|
DISK_FILE *df;
|
||||||
|
|
||||||
|
df=str_alloc(sizeof(DISK_FILE));
|
||||||
|
df->fd=fd;
|
||||||
|
return df;
|
||||||
|
}
|
||||||
|
|
||||||
|
DISK_FILE *file_open(char *name, int wr) {
|
||||||
|
DISK_FILE *df;
|
||||||
|
int fd, flags;
|
||||||
|
|
||||||
|
/* open file */
|
||||||
|
if(wr)
|
||||||
|
flags=O_CREAT|O_WRONLY|O_APPEND;
|
||||||
|
else
|
||||||
|
flags=O_RDONLY;
|
||||||
|
#ifdef O_NONBLOCK
|
||||||
|
flags|=O_NONBLOCK;
|
||||||
|
#elif defined O_NDELAY
|
||||||
|
flags|=O_NDELAY;
|
||||||
|
#endif
|
||||||
|
#ifdef O_CLOEXEC
|
||||||
|
flags|=O_CLOEXEC;
|
||||||
|
#endif /* O_CLOEXEC */
|
||||||
|
fd=open(name, flags, 0640);
|
||||||
|
if(fd<0) {
|
||||||
|
ioerror(name);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* setup df structure */
|
||||||
|
df=str_alloc(sizeof df);
|
||||||
|
df->fd=fd;
|
||||||
|
return df;
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* USE_WIN32 */
|
||||||
|
|
||||||
|
void file_close(DISK_FILE *df) {
|
||||||
|
if(!df) /* nothing to do */
|
||||||
|
return;
|
||||||
|
#ifdef USE_WIN32
|
||||||
|
CloseHandle(df->fh);
|
||||||
|
#else /* USE_WIN32 */
|
||||||
|
close(df->fd);
|
||||||
|
#endif /* USE_WIN32 */
|
||||||
|
str_free(df);
|
||||||
|
}
|
||||||
|
|
||||||
|
int file_getline(DISK_FILE *df, char *line, int len) {
|
||||||
|
/* this version is really slow, but performance is not important here */
|
||||||
|
/* (no buffering is implemented) */
|
||||||
|
int i;
|
||||||
|
#ifdef USE_WIN32
|
||||||
|
DWORD num;
|
||||||
|
#else /* USE_WIN32 */
|
||||||
|
int num;
|
||||||
|
#endif /* USE_WIN32 */
|
||||||
|
|
||||||
|
if(!df) /* not opened */
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
for(i=0; i<len-1; i++) {
|
||||||
|
#ifdef USE_WIN32
|
||||||
|
ReadFile(df->fh, line+i, 1, &num, NULL);
|
||||||
|
#else /* USE_WIN32 */
|
||||||
|
num=read(df->fd, line+i, 1);
|
||||||
|
#endif /* USE_WIN32 */
|
||||||
|
if(num!=1) { /* EOF */
|
||||||
|
if(i) /* any previously retrieved data */
|
||||||
|
break;
|
||||||
|
else
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
if(line[i]=='\n') /* LF */
|
||||||
|
break;
|
||||||
|
if(line[i]=='\r') /* CR */
|
||||||
|
--i; /* ignore - it must be the last check */
|
||||||
|
}
|
||||||
|
line[i]='\0';
|
||||||
|
return i;
|
||||||
|
}
|
||||||
|
|
||||||
|
int file_putline(DISK_FILE *df, char *line) {
|
||||||
|
int len;
|
||||||
|
char *buff;
|
||||||
|
#ifdef USE_WIN32
|
||||||
|
DWORD num;
|
||||||
|
#else /* USE_WIN32 */
|
||||||
|
int num;
|
||||||
|
#endif /* USE_WIN32 */
|
||||||
|
|
||||||
|
len=strlen(line);
|
||||||
|
buff=str_alloc(len+2); /* +2 for CR+LF */
|
||||||
|
strcpy(buff, line);
|
||||||
|
#ifdef USE_WIN32
|
||||||
|
buff[len++]='\r'; /* CR */
|
||||||
|
#endif /* USE_WIN32 */
|
||||||
|
buff[len++]='\n'; /* LF */
|
||||||
|
#ifdef USE_WIN32
|
||||||
|
WriteFile(df->fh, buff, len, &num, NULL);
|
||||||
|
#else /* USE_WIN32 */
|
||||||
|
/* no file -> write to stderr */
|
||||||
|
num=write(df ? df->fd : 2, buff, len);
|
||||||
|
#endif /* USE_WIN32 */
|
||||||
|
str_free(buff);
|
||||||
|
return num;
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef USE_WIN32
|
||||||
|
|
||||||
|
LPTSTR str2tstr(const LPSTR in) {
|
||||||
|
LPTSTR out;
|
||||||
|
int len;
|
||||||
|
|
||||||
|
#ifdef UNICODE
|
||||||
|
len=MultiByteToWideChar(CP_ACP, 0, in, -1, NULL, 0);
|
||||||
|
if(!len)
|
||||||
|
return NULL;
|
||||||
|
out=str_alloc((len+1)*sizeof(WCHAR));
|
||||||
|
len=MultiByteToWideChar(CP_ACP, 0, in, -1, out, len);
|
||||||
|
if(!len)
|
||||||
|
return NULL;
|
||||||
|
#else
|
||||||
|
len=strlen(in);
|
||||||
|
out=str_alloc(len+1);
|
||||||
|
strcpy(out, in);
|
||||||
|
#endif
|
||||||
|
return out;
|
||||||
|
}
|
||||||
|
|
||||||
|
LPSTR tstr2str(const LPTSTR in) {
|
||||||
|
LPSTR out;
|
||||||
|
int len;
|
||||||
|
|
||||||
|
#ifdef UNICODE
|
||||||
|
len=WideCharToMultiByte(CP_ACP, 0, in, -1, NULL, 0, NULL, NULL);
|
||||||
|
if(!len)
|
||||||
|
return NULL;
|
||||||
|
out=str_alloc(len+1);
|
||||||
|
len=WideCharToMultiByte(CP_ACP, 0, in, -1, out, len, NULL, NULL);
|
||||||
|
if(!len)
|
||||||
|
return NULL;
|
||||||
|
#else
|
||||||
|
len=strlen(in);
|
||||||
|
out=str_alloc(len+1);
|
||||||
|
strcpy(out, in);
|
||||||
|
#endif
|
||||||
|
return out;
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* USE_WIN32 */
|
||||||
|
|
||||||
|
/* end of file.c */
|
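Review bot: both `file_open` variants allocate the handle structure with `df=str_alloc(sizeof df);`, which is the size of the pointer `df`, not of `DISK_FILE`; `file_fdopen` a few lines below gets it right with `sizeof(DISK_FILE)`. It only works today because a single `int`/`HANDLE` member happens to fit in a pointer-sized allocation; add a second member and `df->fh=fh` becomes a heap overflow. Use `sizeof(DISK_FILE)` (or `sizeof *df`) in all three places. Second point: `file_putline` on Unix tolerates `df==NULL` (`write(df ? df->fd : 2, buff, len)`, the `/* no file -> write to stderr */` case), but the Win32 branch dereferences `df->fh` unconditionally, so the same caller path is a NULL dereference on Windows; add the check to both branches or document that Win32 callers must never pass NULL. Also, `file_getline` ignores the `ReadFile`/`read` error return and treats anything other than exactly one byte as EOF, so an I/O error while reading the configuration file is indistinguishable from a clean end of file.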
308
src/libwrap.c
Normal file
@ -0,0 +1,308 @@
|
|||||||
|
/*
|
||||||
|
* stunnel Universal SSL tunnel
|
||||||
|
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
* Free Software Foundation; either version 2 of the License, or (at your
|
||||||
|
* option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||||
|
* See the GNU General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License along
|
||||||
|
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||||
|
*
|
||||||
|
* Linking stunnel statically or dynamically with other modules is making
|
||||||
|
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||||
|
* the GNU General Public License cover the whole combination.
|
||||||
|
*
|
||||||
|
* In addition, as a special exception, the copyright holder of stunnel
|
||||||
|
* gives you permission to combine stunnel with free software programs or
|
||||||
|
* libraries that are released under the GNU LGPL and with code included
|
||||||
|
* in the standard release of OpenSSL under the OpenSSL License (or
|
||||||
|
* modified versions of such code, with unchanged license). You may copy
|
||||||
|
* and distribute such a system following the terms of the GNU GPL for
|
||||||
|
* stunnel and the licenses of the other code concerned.
|
||||||
|
*
|
||||||
|
* Note that people who make modified versions of stunnel are not obligated
|
||||||
|
* to grant this special exception for their modified versions; it is their
|
||||||
|
* choice whether to do so. The GNU General Public License gives permission
|
||||||
|
* to release a modified version without this exception; this exception
|
||||||
|
* also makes it possible to release a modified version which carries
|
||||||
|
* forward this exception.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "common.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
|
||||||
|
#ifdef USE_LIBWRAP
|
||||||
|
|
||||||
|
#include <tcpd.h>
|
||||||
|
|
||||||
|
static int check(char *, int);
|
||||||
|
|
||||||
|
int allow_severity=LOG_NOTICE, deny_severity=LOG_WARNING;
|
||||||
|
|
||||||
|
#ifdef USE_PTHREAD
|
||||||
|
#define SERVNAME_LEN 256
|
||||||
|
|
||||||
|
static ssize_t read_fd(int, void *, size_t, int *);
|
||||||
|
static ssize_t write_fd(int, void *, size_t, int);
|
||||||
|
|
||||||
|
int num_processes=0;
|
||||||
|
static int *ipc_socket, *busy;
|
||||||
|
#endif /* USE_PTHREAD */
|
||||||
|
|
||||||
|
int libwrap_init() {
|
||||||
|
#ifdef USE_PTHREAD
|
||||||
|
int i, j, rfd, result;
|
||||||
|
char servname[SERVNAME_LEN];
|
||||||
|
static int initialized=0;
|
||||||
|
SERVICE_OPTIONS *opt;
|
||||||
|
|
||||||
|
if(initialized) /* during startup or previous configuration file reload */
|
||||||
|
return 0;
|
||||||
|
for(opt=service_options.next; opt; opt=opt->next)
|
||||||
|
if(opt->option.libwrap) /* libwrap is enabled for this service */
|
||||||
|
break;
|
||||||
|
if(!opt) /* disabled for all sections or inetd mode (no sections) */
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
num_processes=LIBWRAP_CLIENTS;
|
||||||
|
ipc_socket=str_alloc(2*num_processes*sizeof(int));
|
||||||
|
busy=str_alloc(num_processes*sizeof(int));
|
||||||
|
for(i=0; i<num_processes; ++i) { /* spawn a child */
|
||||||
|
if(s_socketpair(AF_UNIX, SOCK_STREAM, 0, ipc_socket+2*i, 0, "libwrap_init"))
|
||||||
|
return 1;
|
||||||
|
switch(fork()) {
|
||||||
|
case -1: /* error */
|
||||||
|
ioerror("fork");
|
||||||
|
return 1;
|
||||||
|
case 0: /* child */
|
||||||
|
drop_privileges(0); /* libwrap processes are not chrooted */
|
||||||
|
close(0); /* stdin */
|
||||||
|
close(1); /* stdout */
|
||||||
|
if(!global_options.option.foreground) /* for logging in read_fd */
|
||||||
|
close(2); /* stderr */
|
||||||
|
for(j=0; j<=i; ++j) /* close parent-side sockets created so far */
|
||||||
|
close(ipc_socket[2*j]);
|
||||||
|
while(1) { /* main libwrap child loop */
|
||||||
|
if(read_fd(ipc_socket[2*i+1], servname, SERVNAME_LEN, &rfd)<=0)
|
||||||
|
_exit(0);
|
||||||
|
result=check(servname, rfd);
|
||||||
|
write(ipc_socket[2*i+1], (u8 *)&result, sizeof result);
|
||||||
|
if(rfd>=0)
|
||||||
|
close(rfd);
|
||||||
|
}
|
||||||
|
default: /* parent */
|
||||||
|
close(ipc_socket[2*i+1]); /* child-side socket */
|
||||||
|
}
|
||||||
|
}
|
||||||
|
initialized=1;
|
||||||
|
#endif /* USE_PTHREAD */
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
void libwrap_auth(CLI *c, char *accepted_address) {
|
||||||
|
int result=0; /* deny by default */
|
||||||
|
#ifdef USE_PTHREAD
|
||||||
|
static volatile int num_busy=0, roundrobin=0;
|
||||||
|
int retval, my_process;
|
||||||
|
static pthread_mutex_t mutex=PTHREAD_MUTEX_INITIALIZER;
|
||||||
|
static pthread_cond_t cond=PTHREAD_COND_INITIALIZER;
|
||||||
|
#endif /* USE_PTHREAD */
|
||||||
|
|
||||||
|
if(!c->opt->option.libwrap) /* libwrap is disabled for this service */
|
||||||
|
return; /* allow connection */
|
||||||
|
#ifdef HAVE_STRUCT_SOCKADDR_UN
|
||||||
|
if(c->peer_addr.sa.sa_family==AF_UNIX) {
|
||||||
|
s_log(LOG_INFO, "Libwrap is not supported on Unix sockets");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
#ifdef USE_PTHREAD
|
||||||
|
if(num_processes) {
|
||||||
|
s_log(LOG_DEBUG, "Waiting for a libwrap process");
|
||||||
|
|
||||||
|
retval=pthread_mutex_lock(&mutex);
|
||||||
|
if(retval) {
|
||||||
|
errno=retval;
|
||||||
|
ioerror("pthread_mutex_lock");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
while(num_busy==num_processes) { /* all child processes are busy */
|
||||||
|
retval=pthread_cond_wait(&cond, &mutex);
|
||||||
|
if(retval) {
|
||||||
|
errno=retval;
|
||||||
|
ioerror("pthread_cond_wait");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
while(busy[roundrobin]) /* find a free child process */
|
||||||
|
roundrobin=(roundrobin+1)%num_processes;
|
||||||
|
my_process=roundrobin; /* the process allocated by this thread */
|
||||||
|
++num_busy; /* the child process has been allocated */
|
||||||
|
busy[my_process]=1; /* mark the child process as busy */
|
||||||
|
retval=pthread_mutex_unlock(&mutex);
|
||||||
|
if(retval) {
|
||||||
|
errno=retval;
|
||||||
|
ioerror("pthread_mutex_unlock");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
|
||||||
|
s_log(LOG_DEBUG, "Acquired libwrap process #%d", my_process);
|
||||||
|
write_fd(ipc_socket[2*my_process], c->opt->servname,
|
||||||
|
strlen(c->opt->servname)+1, c->local_rfd.fd);
|
||||||
|
read_blocking(c, ipc_socket[2*my_process],
|
||||||
|
(u8 *)&result, sizeof result);
|
||||||
|
s_log(LOG_DEBUG, "Releasing libwrap process #%d", my_process);
|
||||||
|
|
||||||
|
retval=pthread_mutex_lock(&mutex);
|
||||||
|
if(retval) {
|
||||||
|
errno=retval;
|
||||||
|
ioerror("pthread_mutex_lock");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
busy[my_process]=0; /* mark the child process as free */
|
||||||
|
--num_busy; /* the child process has been released */
|
||||||
|
if(num_busy==num_processes-1) { /* need to wake up a thread */
|
||||||
|
retval=pthread_cond_signal(&cond); /* signal waiting threads */
|
||||||
|
if(retval) {
|
||||||
|
errno=retval;
|
||||||
|
ioerror("pthread_cond_signal");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
retval=pthread_mutex_unlock(&mutex);
|
||||||
|
if(retval) {
|
||||||
|
errno=retval;
|
||||||
|
ioerror("pthread_mutex_unlock");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
|
||||||
|
s_log(LOG_DEBUG, "Released libwrap process #%d", my_process);
|
||||||
|
} else
|
||||||
|
#endif /* USE_PTHREAD */
|
||||||
|
{ /* use original, synchronous libwrap calls */
|
||||||
|
enter_critical_section(CRIT_LIBWRAP);
|
||||||
|
result=check(c->opt->servname, c->local_rfd.fd);
|
||||||
|
leave_critical_section(CRIT_LIBWRAP);
|
||||||
|
}
|
||||||
|
if(!result) {
|
||||||
|
s_log(LOG_WARNING, "Service [%s] REFUSED by libwrap from %s",
|
||||||
|
c->opt->servname, accepted_address);
|
||||||
|
s_log(LOG_DEBUG, "See hosts_access(5) manual for details");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
s_log(LOG_DEBUG, "Service [%s] permitted by libwrap from %s",
|
||||||
|
c->opt->servname, accepted_address);
|
||||||
|
}
|
||||||
|
|
||||||
|
static int check(char *name, int fd) {
|
||||||
|
struct request_info request;
|
||||||
|
|
||||||
|
request_init(&request, RQ_DAEMON, name, RQ_FILE, fd, 0);
|
||||||
|
fromhost(&request);
|
||||||
|
return hosts_access(&request);
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef USE_PTHREAD
|
||||||
|
|
||||||
|
static ssize_t read_fd(int fd, void *ptr, size_t nbytes, int *recvfd) {
|
||||||
|
struct msghdr msg;
|
||||||
|
struct iovec iov[1];
|
||||||
|
ssize_t n;
|
||||||
|
|
||||||
|
#ifdef HAVE_MSGHDR_MSG_CONTROL
|
||||||
|
union {
|
||||||
|
struct cmsghdr cm;
|
||||||
|
char control[CMSG_SPACE(sizeof(int))];
|
||||||
|
} control_un;
|
||||||
|
struct cmsghdr *cmptr;
|
||||||
|
|
||||||
|
msg.msg_control=control_un.control;
|
||||||
|
msg.msg_controllen=sizeof control_un.control;
|
||||||
|
#else
|
||||||
|
int newfd;
|
||||||
|
|
||||||
|
msg.msg_accrights=(caddr_t)&newfd;
|
||||||
|
msg.msg_accrightslen=sizeof(int);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
msg.msg_name=NULL;
|
||||||
|
msg.msg_namelen=0;
|
||||||
|
|
||||||
|
iov[0].iov_base=ptr;
|
||||||
|
iov[0].iov_len=nbytes;
|
||||||
|
msg.msg_iov=iov;
|
||||||
|
msg.msg_iovlen=1;
|
||||||
|
|
||||||
|
*recvfd=-1; /* descriptor was not passed */
|
||||||
|
n=recvmsg(fd, &msg, 0);
|
||||||
|
if(n<=0)
|
||||||
|
return n;
|
||||||
|
|
||||||
|
#ifdef HAVE_MSGHDR_MSG_CONTROL
|
||||||
|
cmptr=CMSG_FIRSTHDR(&msg);
|
||||||
|
if(!cmptr || cmptr->cmsg_len!=CMSG_LEN(sizeof(int)))
|
||||||
|
return n;
|
||||||
|
if(cmptr->cmsg_level!=SOL_SOCKET) {
|
||||||
|
s_log(LOG_ERR, "control level != SOL_SOCKET");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
if(cmptr->cmsg_type!=SCM_RIGHTS) {
|
||||||
|
s_log(LOG_ERR, "control type != SCM_RIGHTS");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
memcpy(recvfd, CMSG_DATA(cmptr), sizeof(int));
|
||||||
|
#else
|
||||||
|
if(msg.msg_accrightslen==sizeof(int))
|
||||||
|
*recvfd=newfd;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
return n;
|
||||||
|
}
|
||||||
|
|
||||||
|
static ssize_t write_fd(int fd, void *ptr, size_t nbytes, int sendfd) {
|
||||||
|
struct msghdr msg;
|
||||||
|
struct iovec iov[1];
|
||||||
|
|
||||||
|
#ifdef HAVE_MSGHDR_MSG_CONTROL
|
||||||
|
union {
|
||||||
|
struct cmsghdr cm;
|
||||||
|
char control[CMSG_SPACE(sizeof(int))];
|
||||||
|
} control_un;
|
||||||
|
struct cmsghdr *cmptr;
|
||||||
|
|
||||||
|
msg.msg_control=control_un.control;
|
||||||
|
msg.msg_controllen=sizeof control_un.control;
|
||||||
|
|
||||||
|
cmptr=CMSG_FIRSTHDR(&msg);
|
||||||
|
cmptr->cmsg_len=CMSG_LEN(sizeof(int));
|
||||||
|
cmptr->cmsg_level=SOL_SOCKET;
|
||||||
|
cmptr->cmsg_type=SCM_RIGHTS;
|
||||||
|
memcpy(CMSG_DATA(cmptr), &sendfd, sizeof(int));
|
||||||
|
#else
|
||||||
|
msg.msg_accrights=(caddr_t)&sendfd;
|
||||||
|
msg.msg_accrightslen=sizeof(int);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
msg.msg_name=NULL;
|
||||||
|
msg.msg_namelen=0;
|
||||||
|
|
||||||
|
iov[0].iov_base=ptr;
|
||||||
|
iov[0].iov_len=nbytes;
|
||||||
|
msg.msg_iov=iov;
|
||||||
|
msg.msg_iovlen=1;
|
||||||
|
|
||||||
|
return sendmsg(fd, &msg, 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* USE_PTHREAD */
|
||||||
|
|
||||||
|
#endif /* USE_LIBWRAP */
|
||||||
|
|
||||||
|
/* end of libwrap.c */
|
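Review bot: in the child loop of `libwrap_init`, `read_fd(ipc_socket[2*i+1], servname, SERVNAME_LEN, &rfd)` fills `servname` with whatever the parent sent, and `check(servname, rfd)` hands it to `request_init(&request, RQ_DAEMON, name, ...)` as a C string. The parent writes `strlen(c->opt->servname)+1` bytes, so a service name of 256 or more characters is truncated to `SERVNAME_LEN` bytes with no terminating NUL and libwrap reads past the end of the stack buffer. Terminate defensively in the child (`servname[n-1]='\0'` once `read_fd` returns a positive `n`, or reject `n==SERVNAME_LEN` when the last byte is non-zero), or bound the section name where the configuration is parsed. Smaller point: the return value of `write(ipc_socket[2*i+1], (u8 *)&result, sizeof result)` is ignored, so a short or failed reply goes unnoticed on the child side while the parent is still waiting in `read_blocking` with that process marked busy.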
390
src/log.c
Normal file
@ -0,0 +1,390 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/

#include "common.h"
#include "prototypes.h"

static void log_raw(const int, const char *, const char *, const char *);

static DISK_FILE *outfile=NULL;
static struct LIST { /* single-linked list of log lines */
struct LIST *next;
int level;
char *stamp, *id, *text;
} *head=NULL, *tail=NULL;
static LOG_MODE mode=LOG_MODE_NONE;

#if !defined(USE_WIN32) && !defined(__vms)

static int syslog_opened=0;

void syslog_open(void) {
syslog_close();
if(global_options.option.syslog)
#ifdef __ultrix__
openlog("stunnel", 0);
#else
openlog("stunnel", LOG_CONS|LOG_NDELAY, global_options.facility);
#endif /* __ultrix__ */
syslog_opened=1;
}

void syslog_close(void) {
if(syslog_opened) {
if(global_options.option.syslog)
closelog();
syslog_opened=0;
}
}

#endif /* !defined(USE_WIN32) && !defined(__vms) */

void log_open(void) {
if(global_options.output_file) { /* 'output' option specified */
outfile=file_open(global_options.output_file, 1);
if(!outfile)
s_log(LOG_ERR, "Unable to open output file: %s",
global_options.output_file);
}
log_flush(LOG_MODE_CONFIGURED);
}

void log_close(void) {
mode=LOG_MODE_NONE;
if(outfile) {
file_close(outfile);
outfile=NULL;
}
}

void log_flush(LOG_MODE new_mode) {
struct LIST *tmp;

/* prevent changing LOG_MODE_CONFIGURED to LOG_MODE_ERROR
* once stderr file descriptor is closed */
if(mode!=LOG_MODE_CONFIGURED)
mode=new_mode;

enter_critical_section(CRIT_LOG);
while(head) {
log_raw(head->level, head->stamp, head->id, head->text);
str_free(head->stamp);
str_free(head->id);
str_free(head->text);
tmp=head;
head=head->next;
str_free(tmp);
}
leave_critical_section(CRIT_LOG);
head=tail=NULL;
}

void s_log(int level, const char *format, ...) {
va_list ap;
char *text, *stamp, *id;
struct LIST *tmp;
int libc_error, socket_error;
time_t gmt;
struct tm *timeptr;
#if defined(HAVE_LOCALTIME_R) && defined(_REENTRANT)
struct tm timestruct;
#endif

/* performance optimization: skip the trivial case early */
if(mode==LOG_MODE_CONFIGURED && level>global_options.debug_level)
return;

libc_error=get_last_error();
socket_error=get_last_socket_error();

time(&gmt);
#if defined(HAVE_LOCALTIME_R) && defined(_REENTRANT)
timeptr=localtime_r(&gmt, &timestruct);
#else
timeptr=localtime(&gmt);
#endif
stamp=str_printf("%04d.%02d.%02d %02d:%02d:%02d",
timeptr->tm_year+1900, timeptr->tm_mon+1, timeptr->tm_mday,
timeptr->tm_hour, timeptr->tm_min, timeptr->tm_sec);
id=str_printf("LOG%d[%lu:%lu]",
level, stunnel_process_id(), stunnel_thread_id());
va_start(ap, format);
text=str_vprintf(format, ap);
va_end(ap);

if(mode==LOG_MODE_NONE) { /* save the text to log it later */
enter_critical_section(CRIT_LOG);
tmp=str_alloc(sizeof(struct LIST));
str_detach(tmp);
tmp->next=NULL;
tmp->level=level;
tmp->stamp=stamp;
str_detach(tmp->stamp);
tmp->id=id;
str_detach(tmp->id);
tmp->text=text;
str_detach(tmp->text);
if(tail)
tail->next=tmp;
else
head=tmp;
tail=tmp;
leave_critical_section(CRIT_LOG);
} else { /* ready log the text directly */
log_raw(level, stamp, id, text);
str_free(stamp);
str_free(id);
str_free(text);
}

set_last_error(libc_error);
set_last_socket_error(socket_error);
}

static void log_raw(const int level, const char *stamp,
const char *id, const char *text) {
char *line;

/* build the line and log it to syslog/file */
if(mode==LOG_MODE_CONFIGURED) { /* configured */
line=str_printf("%s %s: %s", stamp, id, text);
if(level<=global_options.debug_level) {
#if !defined(USE_WIN32) && !defined(__vms)
if(global_options.option.syslog)
syslog(level, "%s: %s", id, text);
#endif /* USE_WIN32, __vms */
if(outfile)
file_putline(outfile, line); /* send log to file */
}
} else /* LOG_MODE_ERROR or LOG_MODE_INFO */
line=str_dup(text); /* don't log the time stamp in error mode */

/* log the line to GUI/stderr */
#ifdef USE_WIN32
if(mode==LOG_MODE_ERROR || /* always log to the GUI window */
(mode==LOG_MODE_INFO && level<LOG_DEBUG) ||
level<=global_options.debug_level)
SendMessage(hwnd, WM_LOG, (WPARAM)line, 0);
#if 0
/* logging to Windows console for nogui.c */
LPTSTR tstr;

tstr=str2tstr(line);
RETAILMSG(TRUE, (TEXT("%s\r\n"), tstr));
str_free(tstr);
#endif
#else /* Unix */
if(mode==LOG_MODE_ERROR || /* always log LOG_MODE_ERROR to stderr */
(mode==LOG_MODE_INFO && level<LOG_DEBUG) ||
(level<=global_options.debug_level &&
global_options.option.foreground))
fprintf(stderr, "%s\n", line); /* send log to stderr */
#endif

str_free(line);
}

/* critical problem - str.c functions are not safe to use */
void fatal_debug(char *error, char *file, int line) {
char text[80];
#ifdef USE_WIN32
DWORD num;
#endif /* USE_WIN32 */

snprintf(text, sizeof text, /* with newline */
"INTERNAL ERROR: %s at %s, line %d\n", error, file, line);

if(outfile) {
#ifdef USE_WIN32
WriteFile(outfile->fh, text, strlen(text), &num, NULL);
#else /* USE_WIN32 */
/* no file -> write to stderr */
write(outfile ? outfile->fd : 2, text, strlen(text));
#endif /* USE_WIN32 */
}

#ifndef USE_WIN32
if(mode!=LOG_MODE_CONFIGURED || global_options.option.foreground)
fputs(text, stderr);
#endif /* !USE_WIN32 */

snprintf(text, sizeof text, /* without newline */
"INTERNAL ERROR: %s at %s, line %d", error, file, line);

#if !defined(USE_WIN32) && !defined(__vms)
if(global_options.option.syslog)
syslog(LOG_CRIT, "%s", text);
#endif /* USE_WIN32, __vms */

#ifdef USE_WIN32
#ifdef _WIN32_WCE
MessageBox(hwnd, TEXT("INTERNAL ERROR"),
TEXT("stunnel"), MB_ICONERROR);
#else /* _WIN32_WCE */
MessageBox(hwnd, text, "stunnel", MB_ICONERROR);
#endif /* _WIN32_WCE */
#endif /* USE_WIN32 */

abort();
}

void ioerror(const char *txt) { /* input/output error */
log_error(LOG_ERR, get_last_error(), txt);
}

void sockerror(const char *txt) { /* socket error */
log_error(LOG_ERR, get_last_socket_error(), txt);
}

void log_error(int level, int error, const char *txt) { /* generic error */
s_log(level, "%s: %s (%d)", txt, s_strerror(error), error);
}

char *s_strerror(int errnum) {
switch(errnum) {
#ifdef USE_WIN32
case 10004:
return "Interrupted system call (WSAEINTR)";
case 10009:
return "Bad file number (WSAEBADF)";
case 10013:
return "Permission denied (WSAEACCES)";
case 10014:
return "Bad address (WSAEFAULT)";
case 10022:
return "Invalid argument (WSAEINVAL)";
case 10024:
return "Too many open files (WSAEMFILE)";
case 10035:
return "Operation would block (WSAEWOULDBLOCK)";
case 10036:
return "Operation now in progress (WSAEINPROGRESS)";
case 10037:
return "Operation already in progress (WSAEALREADY)";
case 10038:
return "Socket operation on non-socket (WSAENOTSOCK)";
case 10039:
return "Destination address required (WSAEDESTADDRREQ)";
case 10040:
return "Message too long (WSAEMSGSIZE)";
case 10041:
return "Protocol wrong type for socket (WSAEPROTOTYPE)";
case 10042:
return "Bad protocol option (WSAENOPROTOOPT)";
case 10043:
return "Protocol not supported (WSAEPROTONOSUPPORT)";
case 10044:
return "Socket type not supported (WSAESOCKTNOSUPPORT)";
case 10045:
return "Operation not supported on socket (WSAEOPNOTSUPP)";
case 10046:
return "Protocol family not supported (WSAEPFNOSUPPORT)";
case 10047:
return "Address family not supported by protocol family (WSAEAFNOSUPPORT)";
case 10048:
return "Address already in use (WSAEADDRINUSE)";
case 10049:
return "Can't assign requested address (WSAEADDRNOTAVAIL)";
case 10050:
return "Network is down (WSAENETDOWN)";
case 10051:
return "Network is unreachable (WSAENETUNREACH)";
case 10052:
return "Net dropped connection or reset (WSAENETRESET)";
case 10053:
return "Software caused connection abort (WSAECONNABORTED)";
case 10054:
return "Connection reset by peer (WSAECONNRESET)";
case 10055:
return "No buffer space available (WSAENOBUFS)";
case 10056:
return "Socket is already connected (WSAEISCONN)";
case 10057:
return "Socket is not connected (WSAENOTCONN)";
case 10058:
return "Can't send after socket shutdown (WSAESHUTDOWN)";
case 10059:
return "Too many references, can't splice (WSAETOOMANYREFS)";
case 10060:
return "Connection timed out (WSAETIMEDOUT)";
case 10061:
return "Connection refused (WSAECONNREFUSED)";
case 10062:
return "Too many levels of symbolic links (WSAELOOP)";
case 10063:
return "File name too long (WSAENAMETOOLONG)";
case 10064:
return "Host is down (WSAEHOSTDOWN)";
case 10065:
return "No Route to Host (WSAEHOSTUNREACH)";
case 10066:
return "Directory not empty (WSAENOTEMPTY)";
case 10067:
return "Too many processes (WSAEPROCLIM)";
case 10068:
return "Too many users (WSAEUSERS)";
case 10069:
return "Disc Quota Exceeded (WSAEDQUOT)";
case 10070:
return "Stale NFS file handle (WSAESTALE)";
case 10091:
return "Network SubSystem is unavailable (WSASYSNOTREADY)";
case 10092:
return "WINSOCK DLL Version out of range (WSAVERNOTSUPPORTED)";
case 10093:
return "Successful WSASTARTUP not yet performed (WSANOTINITIALISED)";
case 10071:
return "Too many levels of remote in path (WSAEREMOTE)";
case 11001:
return "Host not found (WSAHOST_NOT_FOUND)";
case 11002:
return "Non-Authoritative Host not found (WSATRY_AGAIN)";
case 11003:
return "Non-Recoverable errors: FORMERR, REFUSED, NOTIMP (WSANO_RECOVERY)";
case 11004:
return "Valid name, no data record of requested type (WSANO_DATA)";
#if 0
case 11004: /* typically, only WSANO_DATA is reported */
return "No address, look for MX record (WSANO_ADDRESS)";
#endif
#endif /* defined USE_WIN32 */
default:
return strerror(errnum);
}
}

/* end of log.c */
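Review bot: in `log_flush`, `head=tail=NULL;` is executed after `leave_critical_section(CRIT_LOG);`, but by then the loop has freed every node while `tail` still points at the last freed one; an `s_log` caller on another thread that read `mode==LOG_MODE_NONE` (`mode=new_mode;` is also assigned outside the lock) can acquire the lock in that window and run `tail->next=tmp;` against freed memory, after which its entry is silently dropped when `tail` is reset. This is reachable during a configuration reload, where `log_close` sets `mode=LOG_MODE_NONE` with client threads still logging. Move `head=tail=NULL;` and the `mode` update inside the critical section. Secondary point in `fatal_debug`: `write(outfile ? outfile->fd : 2, text, strlen(text));` sits inside `if(outfile) {`, so the `: 2` arm and the `/* no file -> write to stderr */` comment are dead; either drop the enclosing `if` or drop the ternary.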
8
src/make.bat
Normal file
@ -0,0 +1,8 @@
@echo off
:: pdelaage commented : make.exe -f mingw.mak %1 %2 %3 %4 %5 %6 %7 %8 %9
:: on Windows, make is Borland make, but mingw.mak is NOW only compatible
:: with gnu make (due to various improvments I made, for compatibility between
:: linux and Windows host environments.
:: and echo OFF is the sign we are HERE on Windows, isn't it?...

mingw32-make.exe -f mingw.mak %1 %2 %3 %4 %5 %6 %7 %8 %9
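Review bot: `mingw32-make.exe -f mingw.mak %1 %2 %3 %4 %5 %6 %7 %8 %9` silently drops any argument past the ninth and re-splits arguments that contained spaces or `=`; since this wrapper does not `shift`, `%*` forwards the whole command line intact. The comment block above could also be reduced to the one fact a user needs (the makefile now requires GNU make, not Borland make).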
73
src/makece.bat
Normal file
@ -0,0 +1,73 @@
@echo off
:: created by pdelaage on 20100928
:: usage : makece ARMV4|X86|... other cpus: see bat scripts in evc/bin
:: eg makece X86, makece X86 clean
:: makece <=> makece ARMV4 all
:: NEVER DO makece clean ! but makece TARGETCPU clean !
:: Note : adapt EVC/bin/WCE<target>.bat scripts
Title WCE STUNNEL

:: !!!!!!!!!!!!!!
:: CUSTOMIZE THIS according to your EVC INSTALLED ENVIRONMENT
:: !!!!!!!!!!!!!!

set OSVERSION=WCE420
set PLATFORM=STANDARDSDK
set WCEROOT=C:\Program Files\MSEVC4
set SDKROOT=C:\Program Files\Microsoft SDKs

:: !!!!!!!!!!!!!!!!!!
:: END CUSTOMIZATION
:: !!!!!!!!!!!!!!!!!!

:: Define TARGET CPU
:: -----------------

:: define "new" target (useful if one wants to compile for various WCE target CPUs)
if "%1"=="" echo "USAGE : makece TARGETCPU other_make_options..."
if "%1"=="" echo "TARGETCPU=(ARMV4|ARMV4I|ARMV4T|MIPS16|MIPSII|MIPSII_FP|MIPSIV|MIPSIV_FP|SH3|SH4|X86), other cpu: see bat scripts in evc/bin"
if "%1"=="" echo "!!! do not hesitate to adapt evc.mak for CPU and/or better compilation flags !!!"
if "%1"=="" exit /B

:: old code to default to ARMV4, but it is better that users are WARNED that the script now need an explicit target!
::if "%1"=="" set NEWTGTCPU=ARMV4

if NOT DEFINED TARGETCPU set TARGETCPU=XXXXX
if NOT "%1"=="" set NEWTGTCPU=%1
if NOT "%1"=="" shift

echo WCE TARGET CPU is %NEWTGTCPU%

rem Adjust MS EVC env vars
rem ----------------------

rem Check MSenv vars against our ref values

set isenvok=0
if "%NEWTGTCPU%"=="%TARGETCPU%" set /A "isenvok+=1"

if %isenvok%==1 echo WCE ENVIRONMENT OK
if %isenvok%==1 goto envisok

:: useless since separated tgt folders
::echo WCE TARGET CPU changed, destroying every obj files
::del .\*.obj

:: if env is NOT ok, adjust MS EVC env vars to be used by MS WCE<CPU>.BAT
:: (this is to avoid repetitive pollution of PATH)

echo WCE ENVIRONMENT ADJUSTED

:: call "%WCEROOT%\EVC\WCE420\BIN\WCE%NEWTGTCPU%.BAT"
call "%WCEROOT%\EVC\%OSVERSION%\bin\WCE%NEWTGTCPU%.BAT"

set TARGETCPU=%NEWTGTCPU%

:envisok

::exit /B

rem make everything
rem ---------------

nmake /NOLOGO -f evc.mak %1 %2 %3 %4 %5 %6 %7 %8 %9
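Review bot: `call "%WCEROOT%\EVC\%OSVERSION%\bin\WCE%NEWTGTCPU%.BAT"` is assembled from the unvalidated first argument and never checked for existence, so a mistyped CPU name (or a path-like argument) only produces cmd's "cannot find" message while the script still runs `set TARGETCPU=%NEWTGTCPU%` and `nmake`; the bad target is then cached and every later invocation in the same window skips setup through `goto envisok`. Guard with `if not exist "%WCEROOT%\EVC\%OSVERSION%\bin\WCE%NEWTGTCPU%.BAT" ( echo unknown target %NEWTGTCPU% & exit /B 1 )` before the `call`, and assign `TARGETCPU` only after the call returns with `ERRORLEVEL` 0.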
45
src/makew32.bat
Normal file
@ -0,0 +1,45 @@
@echo off
TITLE W32 STUNNEL
::pdelaage 20101026: for use with MS VCexpress 2008 (v9)
::some trick to avoid re-pollution of env vars as much as possible

:: In multitarget compilation environment, it is better to open a new cmd.exe window
:: to avoid pollution of PATH from, eg, some previous WCE compilation attempts.

set NEWTGTCPU=W32

rem Adjust MS VC env vars
rem ---------------------

rem Check MSenv vars against our ref values

set isenvok=0
if NOT DEFINED TARGETCPU set TARGETCPU=XXXXX
if "%NEWTGTCPU%"=="%TARGETCPU%" set /A "isenvok+=1"

if %isenvok%==1 echo W32 ENVIRONMENT OK
if %isenvok%==1 goto envisok

:: useless since separated tgt folders
::echo W32 TARGET CPU changed, destroying every obj files
::del .\*.obj

:: if env is NOT ok, adjust MS VC env vars to be used by MS VC
:: (this is to avoid repetitive pollution of PATH)

echo W32 ENVIRONMENT ADJUSTED

:: reset of INCLUDE needed because of accumulation of includes in vcvars32

set INCLUDE=

call "C:\Program Files\Microsoft Visual Studio 9.0\VC\bin\vcvars32.bat"

set TARGETCPU=%NEWTGTCPU%

:envisok

rem make everything
rem ---------------

nmake.exe -f vc.mak %1 %2 %3 %4 %5 %6 %7 %8 %9
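Review bot: the `isenvok` shortcut keys on `TARGETCPU` being `W32` alone, so after a failed or absent `call "C:\Program Files\Microsoft Visual Studio 9.0\VC\bin\vcvars32.bat"` (hard-coded path, no `if exist` check, and on a 64-bit host the compiler lives under `%ProgramFiles(x86)%`) `set TARGETCPU=%NEWTGTCPU%` still runs and every later invocation in that window jumps to `:envisok` with an unconfigured toolchain, while `set INCLUDE=` has already wiped whatever was there. Check the file exists before calling it, test `ERRORLEVEL` afterwards, and set `TARGETCPU` only on success; `%*` is also safer than `%1 %2 %3 %4 %5 %6 %7 %8 %9` on the `nmake.exe` line since this script does not `shift`.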
162
src/mingw.mak
Normal file
@ -0,0 +1,162 @@
# Simple Makefile.w32 for stunnel.exe by Michal Trojnara 1998-2007
#
# Modified by Brian Hatch (bri@stunnel.org)
# 20101030 pdelaage:
# + multi-HOST management (if used on Windows host or Linux Host)
# + lack of gnu-win32 (rm) detection
# note: rm is used INTERNALLY by gcc for deletion if intermediate files.

# This makefile is only tested on the mingw compiler. Mingw can successfully
# compile both openssl and stunnel. If you want to use another compiler, give
# it a shot, and tell us how it went.

# pdelaage : THIS makefile can be used with mingw-make on Windows or gnu make
# on Linux, to produce the Win32 version of stunnel (target is win32). It
# requires, on Windows, the use of gnu-win32 tools: rm, mkdir, rmdir that
# manages files and dirs BOTH on linux and Windows with / as path separator.
# Note: Native windows equivalent, del and mkdir/rmdir, badly manage / and \,
# so they cannot be used here.
# On Windows host, download:
# http://gnuwin32.sourceforge.net/downlinks/coreutils.php
# if you have forgotten this, this makefile will remind you...

# Modify this to point to your actual openssl compile directory
# (You did already compile openssl, didn't you???)
SSLDIR=../openssl-1.0.0f
#SSLDIR=C:/Users/standard/Documents/Dvts/Contrib/openssl/v1.0.0c/patched3

# c:\, backslash is not correctly recognized by mingw32-make, produces some
# "missing separator" issue.
# pdelaage: simple trick to detect if we are using mingw-gcc on a Windows host,
# or on a linux host. windir is a system environment variable on windows NT
# and above, and then redefine some macros.
# note: ifdef is !IFDEF in MS nmake or Borland make.
# $(info is !MESSAGE in MS nmake or Borland make.

ifdef windir
$(info host machine is a Windows machine )
NULLDEV=NUL
MKDIR="C:\Program Files\GnuWin32\bin\mkdir.exe"
DELFILES="C:\Program Files\GnuWin32\bin\rm.exe" -f
DELDIR="C:\Program Files\GnuWin32\bin\rm.exe" -rf
else
$(info host machine is a linux machine )
NULLDEV=/dev/null
MKDIR=mkdir
DELFILES=rm -f
DELDIR=rm -rf
endif

TARGETCPU=MGW32
SRC=../src
OBJROOT=../obj
OBJ=$(OBJROOT)/$(TARGETCPU)
BINROOT=../bin
BIN=$(BINROOT)/$(TARGETCPU)

OBJS=$(OBJ)/stunnel.o $(OBJ)/ssl.o $(OBJ)/ctx.o $(OBJ)/verify.o \
$(OBJ)/file.o $(OBJ)/client.o $(OBJ)/protocol.o $(OBJ)/sthreads.o \
$(OBJ)/log.o $(OBJ)/options.o $(OBJ)/network.o $(OBJ)/resolver.o \
$(OBJ)/gui.o $(OBJ)/resources.o $(OBJ)/str.o $(OBJ)/fd.o

CC=gcc
RC=windres

# pdelaage note: as a workaround for windres bug on resources.rc, equivalent to
# "use a temp file instead of popen" option between cpp and windres!
RCP=gcc -E -xc-header -DRC_INVOKED

DEFINES=-D_WIN32_WINNT=0x0501

# some preprocessing debug : $(info DEFINES is $(DEFINES) )

#CFLAGS=-g -O2 -Wall $(DEFINES) -I$(SSLDIR)/outinc
#pdelaage : outinc not correct, it is inc32!
CFLAGS=-g -O2 -Wall $(DEFINES) -I$(SSLDIR)/inc32

# RFLAGS, note of pdelaage: windres accepts -fo for compatibility with ms tools
# default options : -J rc -O coff, input rc file, output coff file.

RFLAGS=-v --use-temp-file $(DEFINES)
# following RFLAGS2 useful if one day use-temp-file does not exist anymore
RFLAGS2=-v $(DEFINES)
LDFLAGS=-s

# LIBS=-L$(SSLDIR)/out -lssl -lcrypto -lwsock32 -lgdi32 -lcrypt32
#20101030 pdelaage fix winsock2 and BAD sslpath ! LIBS=-L$(SSLDIR)/out -lzdll -leay32 -lssl32 -lwsock32 -lgdi32 -lcrypt32
# added libeay instead of eay, ssleay instead of ssl32, suppressed zdll useless.
LIBS=-L$(SSLDIR)/out32dll -lssleay32 -llibeay32 -lws2_32 -lpsapi -lgdi32 -lcrypt32
# IMPORTANT pdelaage : restore this if you need (but I do not see why) -lzdll

$(OBJ)/%.o: $(SRC)/%.c
$(CC) $(CFLAGS) -o$@ -c $<

$(OBJ)/%.o: $(SRC)/%.cpp
$(CC) $(CFLAGS) -o$@ -c $<

$(OBJ)/%.o: $(SRC)/%.rc
$(RC) $(RFLAGS) -o$@ $<

# pdelaage : trick for windres preprocessing popen bug on Windows, in case the windres option
# use_temp_file disappear one day...
# comment out the $(RC) rule above to activate the following

$(OBJ)/%.rcp: $(SRC)/%.rc
$(RCP) $(DEFINES) -o$@ $<

$(OBJ)/%.o: $(OBJ)/%.rcp
$(RC) $(RFLAGS2) -o$@ $<

# Note : gnu-make will automatically RM the intermediate "rcp" file
# BUT it will ABSOLUTELY NEED the "rm" command available : not a problem on linux
# but on a windows dev host machine, one will need to install gnu-win32/rm command
# in the system...
# for debug of the preprocessed rcp file, because it is automatically deleted by gnu-make: cp $< $<.2

all: testenv makedirs $(BIN)/stunnel.exe

#pdelaage : testenv purpose is to detect, on windows, whether Gnu-win32 has been properly installed...
# a first call to "true" is made to detect availability, a second is made to stop the make process.
ifdef windir
testenv:
-@ echo OFF
-@ true >$(NULLDEV) 2>&1 || echo You MUST install Gnu-Win32 coreutils \
from http://gnuwin32.sourceforge.net/downlinks/coreutils.php \
and set PATH to include C:\Program Files\GnuWin32\bin
@true >$(NULLDEV) 2>&1
else
testenv:
-@ true >$(NULLDEV) 2>&1 || echo Your system lacks Gnu coreutils tools !!!
@true >$(NULLDEV) 2>&1
endif

clean:
-@ $(DELFILES) $(OBJ)/*.o
-@ $(DELFILES) $(BIN)/stunnel.exe >$(NULLDEV) 2>&1
-@ $(DELDIR) $(OBJ) >$(NULLDEV) 2>&1
-@ $(DELDIR) $(BIN) >$(NULLDEV) 2>&1

makedirs:
-@ $(MKDIR) $(OBJROOT) >$(NULLDEV) 2>&1
-@ $(MKDIR) $(OBJ) >$(NULLDEV) 2>&1
-@ $(MKDIR) $(BINROOT) >$(NULLDEV) 2>&1
-@ $(MKDIR) $(BIN) >$(NULLDEV) 2>&1

# pseudo-target for RC-preprocessor debugging
# result appears OK, as a text file
faketest:
gcc -E -xc-header -DRC_INVOKED $(DEFINES) -o $(SRC)/resources.rcp $(SRC)/resources.rc

$(OBJS): *.h mingw.mak

$(BIN)/stunnel.exe: $(OBJS)
$(CC) $(LDFLAGS) -o $(BIN)/stunnel.exe $(OBJS) $(LIBS) -mwindows

# "missing separator" issue with mingw32-make: tabs MUST BE TABS in your text
# editor, and not set of spaces even if your development host is windows.
# Some \ are badly tolerated by mingw32-make "!" directives, eg as !IF,
# accepted in MS nmake and Borland make ARE NOT supported by gnu make but they
# all have their equivalents.
# Gnu-make is case sensitive, while ms nmake or borland make are not. Anyway,
# on reference to env vars nmake convert env vars to UPPERCASE macro names...

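Review bot: the link rule `$(CC) $(LDFLAGS) -o $(BIN)/stunnel.exe $(OBJS) $(LIBS) -mwindows` with `LDFLAGS=-s` produces a stripped PE with neither DEP nor ASLR enabled, which for a network-facing TLS daemon is a missed hardening step; `LDFLAGS=-s -Wl,--nxcompat,--dynamicbase` turns both on with the GNU ld that ships with MinGW. Two values that every user will have to edit, `SSLDIR=../openssl-1.0.0f` and `DEFINES=-D_WIN32_WINNT=0x0501`, deserve a line in the header comment saying so, since the first pins one OpenSSL tree and the second fixes the minimum platform at XP.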
686
src/network.c
Normal file
@ -0,0 +1,686 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/

#include "common.h"
#include "prototypes.h"

/* #define DEBUG_UCONTEXT */

/**************************************** s_poll functions */

#ifdef USE_POLL

s_poll_set *s_poll_alloc() {
/* it needs to be filled with zeros */
return str_alloc(sizeof(s_poll_set));
}

void s_poll_free(s_poll_set *fds) {
if(fds) {
if(fds->ufds)
str_free(fds->ufds);
str_free(fds);
}
}

void s_poll_init(s_poll_set *fds) {
fds->nfds=0;
fds->allocated=4; /* prealloc 4 file desciptors */
fds->ufds=str_realloc(fds->ufds, fds->allocated*sizeof(struct pollfd));
}

void s_poll_add(s_poll_set *fds, int fd, int rd, int wr) {
unsigned int i;

for(i=0; i<fds->nfds && fds->ufds[i].fd!=fd; i++)
;
if(i==fds->nfds) {
if(i==fds->allocated) {
fds->allocated=i+1;
fds->ufds=str_realloc(fds->ufds, fds->allocated*sizeof(struct pollfd));
}
fds->ufds[i].fd=fd;
fds->ufds[i].events=0;
fds->nfds++;
}
if(rd)
fds->ufds[i].events|=POLLIN;
if(wr)
fds->ufds[i].events|=POLLOUT;
}

int s_poll_canread(s_poll_set *fds, int fd) {
unsigned int i;

for(i=0; i<fds->nfds; i++)
if(fds->ufds[i].fd==fd)
return fds->ufds[i].revents&(POLLIN|POLLHUP); /* read or closed */
return 0;
}

int s_poll_canwrite(s_poll_set *fds, int fd) {
unsigned int i;

for(i=0; i<fds->nfds; i++)
if(fds->ufds[i].fd==fd)
return fds->ufds[i].revents&POLLOUT; /* it is possible to write */
return 0;
}

int s_poll_error(s_poll_set *fds, FD *s) {
unsigned int i;

if(!s->is_socket)
return 0;
for(i=0; i<fds->nfds; i++)
if(fds->ufds[i].fd==s->fd)
return fds->ufds[i].revents&(POLLERR|POLLNVAL) ?
get_socket_error(s->fd) : 0;
return 0;
}

#ifdef USE_UCONTEXT

/* move ready contexts from waiting queue to ready queue */
static void scan_waiting_queue(void) {
int retval;
CONTEXT *context, *prev;
int min_timeout;
unsigned int nfds, i;
time_t now;
static unsigned int max_nfds=0;
static struct pollfd *ufds=NULL;

time(&now);
/* count file descriptors */
min_timeout=-1;
nfds=0;
for(context=waiting_head; context; context=context->next) {
nfds+=context->fds->nfds;
if(context->finish>=0) /* finite time */
if(min_timeout<0 || min_timeout>context->finish-now)
min_timeout=context->finish-now<0 ? 0 : context->finish-now;
}
/* setup ufds structure */
if(nfds>max_nfds) { /* need to allocate more memory */
ufds=str_realloc(ufds, nfds*sizeof(struct pollfd));
max_nfds=nfds;
}
nfds=0;
for(context=waiting_head; context; context=context->next)
for(i=0; i<context->fds->nfds; i++) {
ufds[nfds].fd=context->fds->ufds[i].fd;
ufds[nfds].events=context->fds->ufds[i].events;
nfds++;
}

#ifdef DEBUG_UCONTEXT
s_log(LOG_DEBUG, "Waiting %d second(s) for %d file descriptor(s)",
min_timeout, nfds);
#endif
do { /* skip "Interrupted system call" errors */
retval=poll(ufds, nfds, min_timeout<0 ? -1 : 1000*min_timeout);
} while(retval<0 && get_last_socket_error()==S_EINTR);
time(&now);
/* process the returned data */
nfds=0;
prev=NULL; /* previous element of the waiting queue */
context=waiting_head;
while(context) {
context->ready=0;
|
/* count ready file descriptors in each context */
|
||||||
|
for(i=0; i<context->fds->nfds; i++) {
|
||||||
|
context->fds->ufds[i].revents=ufds[nfds].revents;
|
||||||
|
#ifdef DEBUG_UCONTEXT
|
||||||
|
s_log(LOG_DEBUG, "CONTEXT %ld, FD=%d,%s%s ->%s%s%s%s%s",
|
||||||
|
context->id, ufds[nfds].fd,
|
||||||
|
ufds[nfds].events & POLLIN ? " IN" : "",
|
||||||
|
ufds[nfds].events & POLLOUT ? " OUT" : "",
|
||||||
|
ufds[nfds].revents & POLLIN ? " IN" : "",
|
||||||
|
ufds[nfds].revents & POLLOUT ? " OUT" : "",
|
||||||
|
ufds[nfds].revents & POLLERR ? " ERR" : "",
|
||||||
|
ufds[nfds].revents & POLLHUP ? " HUP" : "",
|
||||||
|
ufds[nfds].revents & POLLNVAL ? " NVAL" : "");
|
||||||
|
#endif
|
||||||
|
if(ufds[nfds].revents)
|
||||||
|
context->ready++;
|
||||||
|
nfds++;
|
||||||
|
}
|
||||||
|
if(context->ready || (context->finish>=0 && context->finish<=now)) {
|
||||||
|
/* remove context from the waiting queue */
|
||||||
|
if(prev)
|
||||||
|
prev->next=context->next;
|
||||||
|
else
|
||||||
|
waiting_head=context->next;
|
||||||
|
if(!context->next) /* same as context==waiting_tail */
|
||||||
|
waiting_tail=prev;
|
||||||
|
|
||||||
|
/* append context context to the ready queue */
|
||||||
|
context->next=NULL;
|
||||||
|
if(ready_tail)
|
||||||
|
ready_tail->next=context;
|
||||||
|
ready_tail=context;
|
||||||
|
if(!ready_head)
|
||||||
|
ready_head=context;
|
||||||
|
} else { /* leave the context context in the waiting queue */
|
||||||
|
prev=context;
|
||||||
|
}
|
||||||
|
context=prev ? prev->next : waiting_head;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
int s_poll_wait(s_poll_set *fds, int sec, int msec) {
|
||||||
|
CONTEXT *context; /* current context */
|
||||||
|
static CONTEXT *to_free=NULL; /* delayed memory deallocation */
|
||||||
|
|
||||||
|
/* FIXME: msec parameter is currently ignored with UCONTEXT threads */
|
||||||
|
(void)msec; /* skip warning about unused parameter */
|
||||||
|
|
||||||
|
/* remove the current context from ready queue */
|
||||||
|
context=ready_head;
|
||||||
|
ready_head=ready_head->next;
|
||||||
|
if(!ready_head) /* the queue is empty */
|
||||||
|
ready_tail=NULL;
|
||||||
|
/* it it safe to s_log() after new ready_head is set */
|
||||||
|
|
||||||
|
/* it's illegal to deallocate the stack of the current context */
|
||||||
|
if(to_free) { /* a delayed deallocation is scheduled */
|
||||||
|
#ifdef DEBUG_UCONTEXT
|
||||||
|
s_log(LOG_DEBUG, "Releasing context %ld", to_free->id);
|
||||||
|
#endif
|
||||||
|
str_free(to_free->stack);
|
||||||
|
str_free(to_free);
|
||||||
|
to_free=NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* manage the current thread */
|
||||||
|
if(fds) { /* something to wait for -> swap the context */
|
||||||
|
context->fds=fds; /* set file descriptors to wait for */
|
||||||
|
context->finish=sec<0 ? -1 : time(NULL)+sec;
|
||||||
|
|
||||||
|
/* append the current context to the waiting queue */
|
||||||
|
context->next=NULL;
|
||||||
|
if(waiting_tail)
|
||||||
|
waiting_tail->next=context;
|
||||||
|
waiting_tail=context;
|
||||||
|
if(!waiting_head)
|
||||||
|
waiting_head=context;
|
||||||
|
} else { /* nothing to wait for -> drop the context */
|
||||||
|
to_free=context; /* schedule for delayed deallocation */
|
||||||
|
}
|
||||||
|
|
||||||
|
while(!ready_head) /* wait until there is a thread to switch to */
|
||||||
|
scan_waiting_queue();
|
||||||
|
|
||||||
|
/* switch threads */
|
||||||
|
if(fds) { /* swap the current context */
|
||||||
|
if(context->id!=ready_head->id) {
|
||||||
|
#ifdef DEBUG_UCONTEXT
|
||||||
|
s_log(LOG_DEBUG, "Context swap: %ld -> %ld",
|
||||||
|
context->id, ready_head->id);
|
||||||
|
#endif
|
||||||
|
swapcontext(&context->context, &ready_head->context);
|
||||||
|
#ifdef DEBUG_UCONTEXT
|
||||||
|
s_log(LOG_DEBUG, "Current context: %ld", ready_head->id);
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
return ready_head->ready;
|
||||||
|
} else { /* drop the current context */
|
||||||
|
#ifdef DEBUG_UCONTEXT
|
||||||
|
s_log(LOG_DEBUG, "Context set: %ld (dropped) -> %ld",
|
||||||
|
context->id, ready_head->id);
|
||||||
|
#endif
|
||||||
|
setcontext(&ready_head->context);
|
||||||
|
ioerror("setcontext"); /* should not ever happen */
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#else /* USE_UCONTEXT */
|
||||||
|
|
||||||
|
int s_poll_wait(s_poll_set *fds, int sec, int msec) {
|
||||||
|
int retval;
|
||||||
|
|
||||||
|
do { /* skip "Interrupted system call" errors */
|
||||||
|
retval=poll(fds->ufds, fds->nfds, sec<0 ? -1 : 1000*sec+msec);
|
||||||
|
} while(retval<0 && get_last_socket_error()==S_EINTR);
|
||||||
|
return retval;
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* USE_UCONTEXT */
|
||||||
|
|
||||||
|
#else /* select */
|
||||||
|
|
||||||
|
s_poll_set *s_poll_alloc() {
|
||||||
|
/* it needs to be filled with zeros */
|
||||||
|
return str_alloc(sizeof(s_poll_set));
|
||||||
|
}
|
||||||
|
|
||||||
|
void s_poll_free(s_poll_set *fds) {
|
||||||
|
if(fds)
|
||||||
|
str_free(fds);
|
||||||
|
}
|
||||||
|
|
||||||
|
void s_poll_init(s_poll_set *fds) {
|
||||||
|
FD_ZERO(&fds->irfds);
|
||||||
|
FD_ZERO(&fds->iwfds);
|
||||||
|
FD_ZERO(&fds->ixfds);
|
||||||
|
fds->max=0; /* no file descriptors */
|
||||||
|
}
|
||||||
|
|
||||||
|
void s_poll_add(s_poll_set *fds, int fd, int rd, int wr) {
|
||||||
|
if(rd)
|
||||||
|
FD_SET((unsigned int)fd, &fds->irfds);
|
||||||
|
if(wr)
|
||||||
|
FD_SET((unsigned int)fd, &fds->iwfds);
|
||||||
|
/* always expect errors (and the Spanish Inquisition) */
|
||||||
|
FD_SET((unsigned int)fd, &fds->ixfds);
|
||||||
|
if(fd>fds->max)
|
||||||
|
fds->max=fd;
|
||||||
|
}
|
||||||
|
|
||||||
|
int s_poll_canread(s_poll_set *fds, int fd) {
|
||||||
|
return FD_ISSET(fd, &fds->orfds);
|
||||||
|
}
|
||||||
|
|
||||||
|
int s_poll_canwrite(s_poll_set *fds, int fd) {
|
||||||
|
return FD_ISSET(fd, &fds->owfds);
|
||||||
|
}
|
||||||
|
|
||||||
|
int s_poll_error(s_poll_set *fds, FD *s) {
|
||||||
|
if(!s->is_socket)
|
||||||
|
return 0; /* getsockopt is only available on sockets */
|
||||||
|
/* error conditions are signaled as read, but apparently *not* in Winsock:
|
||||||
|
* http://msdn.microsoft.com/en-us/library/windows/desktop/ms737625%28v=vs.85%29.aspx */
|
||||||
|
if(!(FD_ISSET(s->fd, &fds->orfds) || FD_ISSET(s->fd, &fds->oxfds)))
|
||||||
|
return 0;
|
||||||
|
return get_socket_error(s->fd); /* check if it's really an error */
|
||||||
|
}
|
||||||
|
|
||||||
|
int s_poll_wait(s_poll_set *fds, int sec, int msec) {
|
||||||
|
int retval;
|
||||||
|
struct timeval tv, *tv_ptr;
|
||||||
|
|
||||||
|
do { /* skip "Interrupted system call" errors */
|
||||||
|
memcpy(&fds->orfds, &fds->irfds, sizeof(fd_set));
|
||||||
|
memcpy(&fds->owfds, &fds->iwfds, sizeof(fd_set));
|
||||||
|
memcpy(&fds->oxfds, &fds->ixfds, sizeof(fd_set));
|
||||||
|
if(sec<0) { /* infinite timeout */
|
||||||
|
tv_ptr=NULL;
|
||||||
|
} else {
|
||||||
|
tv.tv_sec=sec;
|
||||||
|
tv.tv_usec=1000*msec;
|
||||||
|
tv_ptr=&tv;
|
||||||
|
}
|
||||||
|
retval=select(fds->max+1, &fds->orfds, &fds->owfds, &fds->oxfds, tv_ptr);
|
||||||
|
} while(retval<0 && get_last_socket_error()==S_EINTR);
|
||||||
|
return retval;
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* USE_POLL */
|
||||||
|
|
||||||
|
/**************************************** fd management */
|
||||||
|
|
||||||
|
int set_socket_options(int s, int type) {
|
||||||
|
SOCK_OPT *ptr;
|
||||||
|
extern SOCK_OPT sock_opts[];
|
||||||
|
static char *type_str[3]={"accept", "local", "remote"};
|
||||||
|
int opt_size;
|
||||||
|
int retval=0; /* no error found */
|
||||||
|
|
||||||
|
for(ptr=sock_opts; ptr->opt_str; ptr++) {
|
||||||
|
if(!ptr->opt_val[type])
|
||||||
|
continue; /* default */
|
||||||
|
switch(ptr->opt_type) {
|
||||||
|
case TYPE_LINGER:
|
||||||
|
opt_size=sizeof(struct linger);
|
||||||
|
break;
|
||||||
|
case TYPE_TIMEVAL:
|
||||||
|
opt_size=sizeof(struct timeval);
|
||||||
|
break;
|
||||||
|
case TYPE_STRING:
|
||||||
|
opt_size=strlen(ptr->opt_val[type]->c_val)+1;
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
opt_size=sizeof(int);
|
||||||
|
}
|
||||||
|
if(setsockopt(s, ptr->opt_level, ptr->opt_name,
|
||||||
|
(void *)ptr->opt_val[type], opt_size)) {
|
||||||
|
if(get_last_socket_error()==S_EOPNOTSUPP) {
|
||||||
|
/* most likely stdin/stdout or AF_UNIX socket */
|
||||||
|
s_log(LOG_DEBUG,
|
||||||
|
"Option %s not supported on %s socket",
|
||||||
|
ptr->opt_str, type_str[type]);
|
||||||
|
} else {
|
||||||
|
sockerror(ptr->opt_str);
|
||||||
|
retval=-1; /* failed to set this option */
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#ifdef DEBUG_FD_ALLOC
|
||||||
|
else {
|
||||||
|
s_log(LOG_DEBUG, "Option %s set on %s socket",
|
||||||
|
ptr->opt_str, type_str[type]);
|
||||||
|
}
|
||||||
|
#endif /* DEBUG_FD_ALLOC */
|
||||||
|
}
|
||||||
|
return retval; /* returns 0 when all options succeeded */
|
||||||
|
}
|
||||||
|
|
||||||
|
int get_socket_error(const int fd) {
|
||||||
|
int err;
|
||||||
|
socklen_t optlen=sizeof err;
|
||||||
|
|
||||||
|
if(getsockopt(fd, SOL_SOCKET, SO_ERROR, (void *)&err, &optlen))
|
||||||
|
err=get_last_socket_error(); /* failed -> ask why */
|
||||||
|
return err;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**************************************** simulate blocking I/O */
|
||||||
|
|
||||||
|
int connect_blocking(CLI *c, SOCKADDR_UNION *addr, socklen_t addrlen) {
|
||||||
|
int error;
|
||||||
|
char *dst;
|
||||||
|
|
||||||
|
dst=s_ntop(addr, addrlen);
|
||||||
|
s_log(LOG_INFO, "connect_blocking: connecting %s", dst);
|
||||||
|
|
||||||
|
if(!connect(c->fd, &addr->sa, addrlen)) {
|
||||||
|
s_log(LOG_NOTICE, "connect_blocking: connected %s", dst);
|
||||||
|
str_free(dst);
|
||||||
|
return 0; /* no error -> success (on some OSes over the loopback) */
|
||||||
|
}
|
||||||
|
error=get_last_socket_error();
|
||||||
|
if(error!=S_EINPROGRESS && error!=S_EWOULDBLOCK) {
|
||||||
|
s_log(LOG_ERR, "connect_blocking: connect %s: %s (%d)",
|
||||||
|
dst, s_strerror(error), error);
|
||||||
|
str_free(dst);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
s_log(LOG_DEBUG, "connect_blocking: s_poll_wait %s: waiting %d seconds",
|
||||||
|
dst, c->opt->timeout_connect);
|
||||||
|
s_poll_init(c->fds);
|
||||||
|
s_poll_add(c->fds, c->fd, 1, 1);
|
||||||
|
switch(s_poll_wait(c->fds, c->opt->timeout_connect, 0)) {
|
||||||
|
case -1:
|
||||||
|
error=get_last_socket_error();
|
||||||
|
s_log(LOG_ERR, "connect_blocking: s_poll_wait %s: %s (%d)",
|
||||||
|
dst, s_strerror(error), error);
|
||||||
|
str_free(dst);
|
||||||
|
return -1;
|
||||||
|
case 0:
|
||||||
|
s_log(LOG_ERR, "connect_blocking: s_poll_wait %s:"
|
||||||
|
" TIMEOUTconnect exceeded", dst);
|
||||||
|
str_free(dst);
|
||||||
|
return -1;
|
||||||
|
default:
|
||||||
|
error=get_socket_error(c->fd);
|
||||||
|
if(error) {
|
||||||
|
s_log(LOG_ERR, "connect_blocking: connect %s: %s (%d)",
|
||||||
|
dst, s_strerror(error), error);
|
||||||
|
str_free(dst);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
if(s_poll_canwrite(c->fds, c->fd)) {
|
||||||
|
s_log(LOG_NOTICE, "connect_blocking: connected %s", dst);
|
||||||
|
str_free(dst);
|
||||||
|
return 0; /* success */
|
||||||
|
}
|
||||||
|
s_log(LOG_ERR, "connect_blocking: s_poll_wait %s: internal error",
|
||||||
|
dst);
|
||||||
|
str_free(dst);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
return -1; /* should not be possible */
|
||||||
|
}
|
||||||
|
|
||||||
|
void write_blocking(CLI *c, int fd, void *ptr, int len) {
|
||||||
|
/* simulate a blocking write */
|
||||||
|
int num;
|
||||||
|
|
||||||
|
while(len>0) {
|
||||||
|
s_poll_init(c->fds);
|
||||||
|
s_poll_add(c->fds, fd, 0, 1); /* write */
|
||||||
|
switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
|
||||||
|
case -1:
|
||||||
|
sockerror("write_blocking: s_poll_wait");
|
||||||
|
longjmp(c->err, 1); /* error */
|
||||||
|
case 0:
|
||||||
|
s_log(LOG_INFO, "write_blocking: s_poll_wait:"
|
||||||
|
" TIMEOUTbusy exceeded: sending reset");
|
||||||
|
longjmp(c->err, 1); /* timeout */
|
||||||
|
case 1:
|
||||||
|
break; /* OK */
|
||||||
|
default:
|
||||||
|
s_log(LOG_ERR, "write_blocking: s_poll_wait: unknown result");
|
||||||
|
longjmp(c->err, 1); /* error */
|
||||||
|
}
|
||||||
|
num=writesocket(fd, ptr, len);
|
||||||
|
switch(num) {
|
||||||
|
case -1: /* error */
|
||||||
|
sockerror("writesocket (write_blocking)");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
ptr=(u8 *)ptr+num;
|
||||||
|
len-=num;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void read_blocking(CLI *c, int fd, void *ptr, int len) {
|
||||||
|
/* simulate a blocking read */
|
||||||
|
int num;
|
||||||
|
|
||||||
|
while(len>0) {
|
||||||
|
s_poll_init(c->fds);
|
||||||
|
s_poll_add(c->fds, fd, 1, 0); /* read */
|
||||||
|
switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
|
||||||
|
case -1:
|
||||||
|
sockerror("read_blocking: s_poll_wait");
|
||||||
|
longjmp(c->err, 1); /* error */
|
||||||
|
case 0:
|
||||||
|
s_log(LOG_INFO, "read_blocking: s_poll_wait:"
|
||||||
|
" TIMEOUTbusy exceeded: sending reset");
|
||||||
|
longjmp(c->err, 1); /* timeout */
|
||||||
|
case 1:
|
||||||
|
break; /* OK */
|
||||||
|
default:
|
||||||
|
s_log(LOG_ERR, "read_blocking: s_poll_wait: unknown result");
|
||||||
|
longjmp(c->err, 1); /* error */
|
||||||
|
}
|
||||||
|
num=readsocket(fd, ptr, len);
|
||||||
|
switch(num) {
|
||||||
|
case -1: /* error */
|
||||||
|
sockerror("readsocket (read_blocking)");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
case 0: /* EOF */
|
||||||
|
s_log(LOG_ERR, "Unexpected socket close (read_blocking)");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
ptr=(u8 *)ptr+num;
|
||||||
|
len-=num;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void fd_putline(CLI *c, int fd, const char *line) {
|
||||||
|
char *tmpline;
|
||||||
|
const char crlf[]="\r\n";
|
||||||
|
int len;
|
||||||
|
|
||||||
|
tmpline=str_printf("%s%s", line, crlf);
|
||||||
|
len=strlen(tmpline);
|
||||||
|
write_blocking(c, fd, tmpline, len);
|
||||||
|
tmpline[len-2]='\0'; /* remove CRLF */
|
||||||
|
safestring(tmpline);
|
||||||
|
s_log(LOG_DEBUG, " -> %s", tmpline);
|
||||||
|
str_free(tmpline);
|
||||||
|
}
|
||||||
|
|
||||||
|
char *fd_getline(CLI *c, int fd) {
|
||||||
|
char *line=NULL, *tmpline;
|
||||||
|
int ptr=0;
|
||||||
|
|
||||||
|
for(;;) {
|
||||||
|
s_poll_init(c->fds);
|
||||||
|
s_poll_add(c->fds, fd, 1, 0); /* read */
|
||||||
|
switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
|
||||||
|
case -1:
|
||||||
|
sockerror("fd_getline: s_poll_wait");
|
||||||
|
str_free(line);
|
||||||
|
longjmp(c->err, 1); /* error */
|
||||||
|
case 0:
|
||||||
|
s_log(LOG_INFO, "fd_getline: s_poll_wait:"
|
||||||
|
" TIMEOUTbusy exceeded: sending reset");
|
||||||
|
str_free(line);
|
||||||
|
longjmp(c->err, 1); /* timeout */
|
||||||
|
case 1:
|
||||||
|
break; /* OK */
|
||||||
|
default:
|
||||||
|
s_log(LOG_ERR, "fd_getline: s_poll_wait: Unknown result");
|
||||||
|
str_free(line);
|
||||||
|
longjmp(c->err, 1); /* error */
|
||||||
|
}
|
||||||
|
line=str_realloc(line, ptr+1);
|
||||||
|
switch(readsocket(fd, line+ptr, 1)) {
|
||||||
|
case -1: /* error */
|
||||||
|
sockerror("fd_getline: readsocket");
|
||||||
|
str_free(line);
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
case 0: /* EOF */
|
||||||
|
s_log(LOG_ERR, "fd_getline: Unexpected socket close");
|
||||||
|
str_free(line);
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
if(line[ptr]=='\r')
|
||||||
|
continue;
|
||||||
|
if(line[ptr]=='\n')
|
||||||
|
break;
|
||||||
|
if(line[ptr]=='\0')
|
||||||
|
break;
|
||||||
|
if(++ptr>65536) { /* >64KB --> DoS protection */
|
||||||
|
s_log(LOG_ERR, "fd_getline: Line too long");
|
||||||
|
str_free(line);
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
line[ptr]='\0';
|
||||||
|
tmpline=str_dup(line);
|
||||||
|
safestring(tmpline);
|
||||||
|
s_log(LOG_DEBUG, " <- %s", tmpline);
|
||||||
|
str_free(tmpline);
|
||||||
|
return line;
|
||||||
|
}
|
||||||
|
|
||||||
|
void fd_printf(CLI *c, int fd, const char *format, ...) {
|
||||||
|
va_list ap;
|
||||||
|
char *line;
|
||||||
|
|
||||||
|
va_start(ap, format);
|
||||||
|
line=str_vprintf(format, ap);
|
||||||
|
va_end(ap);
|
||||||
|
if(!line) {
|
||||||
|
s_log(LOG_ERR, "fd_printf: str_vprintf failed");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
fd_putline(c, fd, line);
|
||||||
|
str_free(line);
|
||||||
|
}
|
||||||
|
|
||||||
|
#define INET_SOCKET_PAIR
|
||||||
|
|
||||||
|
int make_sockets(int fd[2]) { /* make a pair of connected ipv4 sockets */
|
||||||
|
#ifdef INET_SOCKET_PAIR
|
||||||
|
struct sockaddr_in addr;
|
||||||
|
socklen_t addrlen;
|
||||||
|
int s; /* temporary socket awaiting for connection */
|
||||||
|
|
||||||
|
/* create two *blocking* sockets first */
|
||||||
|
s=s_socket(AF_INET, SOCK_STREAM, 0, 0, "make_sockets: s_socket#1");
|
||||||
|
if(s<0) {
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
fd[1]=s_socket(AF_INET, SOCK_STREAM, 0, 0, "make_sockets: s_socket#2");
|
||||||
|
if(fd[1]<0) {
|
||||||
|
closesocket(s);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
addrlen=sizeof addr;
|
||||||
|
memset(&addr, 0, addrlen);
|
||||||
|
addr.sin_family=AF_INET;
|
||||||
|
addr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);
|
||||||
|
addr.sin_port=htons(0); /* dynamic port allocation */
|
||||||
|
if(bind(s, (struct sockaddr *)&addr, addrlen))
|
||||||
|
log_error(LOG_DEBUG, get_last_socket_error(), "make_sockets: bind#1");
|
||||||
|
if(bind(fd[1], (struct sockaddr *)&addr, addrlen))
|
||||||
|
log_error(LOG_DEBUG, get_last_socket_error(), "make_sockets: bind#2");
|
||||||
|
|
||||||
|
if(listen(s, 1)) {
|
||||||
|
sockerror("make_sockets: listen");
|
||||||
|
closesocket(s);
|
||||||
|
closesocket(fd[1]);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
if(getsockname(s, (struct sockaddr *)&addr, &addrlen)) {
|
||||||
|
sockerror("make_sockets: getsockname");
|
||||||
|
closesocket(s);
|
||||||
|
closesocket(fd[1]);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
if(connect(fd[1], (struct sockaddr *)&addr, addrlen)) {
|
||||||
|
sockerror("make_sockets: connect");
|
||||||
|
closesocket(s);
|
||||||
|
closesocket(fd[1]);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
fd[0]=s_accept(s, (struct sockaddr *)&addr, &addrlen, 1,
|
||||||
|
"make_sockets: s_accept");
|
||||||
|
if(fd[0]<0) {
|
||||||
|
closesocket(s);
|
||||||
|
closesocket(fd[1]);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
closesocket(s); /* don't care about the result */
|
||||||
|
set_nonblock(fd[0], 1);
|
||||||
|
set_nonblock(fd[1], 1);
|
||||||
|
#else
|
||||||
|
if(s_socketpair(AF_UNIX, SOCK_STREAM, 0, fd, 1, "make_sockets: socketpair"))
|
||||||
|
return 1;
|
||||||
|
#endif
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* end of network.c */
|
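Review bot: in make_sockets, a bind() failure on the temporary listening socket s (bind#1) is only logged at LOG_DEBUG and the code proceeds to listen(), which auto-binds an unbound socket to an unspecified address and an ephemeral port, so the listener is no longer confined to 127.0.0.1; treat that failure as fatal, closing both sockets and returning 1 exactly as the listen and getsockname failures below it do. The pair is also established by accepting whichever local client reaches the ephemeral loopback port first, so before using fd[0] compare the peer address that s_accept stored in addr with getsockname(fd[1]) and reject a mismatch. Finally, the unconditional `#define INET_SOCKET_PAIR` above the function makes the s_socketpair branch dead code on every platform; either drop that branch or key the define on platforms that lack socketpair().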
63
src/nogui.c
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
/*
|
||||||
|
* stunnel Universal SSL tunnel
|
||||||
|
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
* Free Software Foundation; either version 2 of the License, or (at your
|
||||||
|
* option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||||
|
* See the GNU General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License along
|
||||||
|
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||||
|
*
|
||||||
|
* Linking stunnel statically or dynamically with other modules is making
|
||||||
|
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||||
|
* the GNU General Public License cover the whole combination.
|
||||||
|
*
|
||||||
|
* In addition, as a special exception, the copyright holder of stunnel
|
||||||
|
* gives you permission to combine stunnel with free software programs or
|
||||||
|
* libraries that are released under the GNU LGPL and with code included
|
||||||
|
* in the standard release of OpenSSL under the OpenSSL License (or
|
||||||
|
* modified versions of such code, with unchanged license). You may copy
|
||||||
|
* and distribute such a system following the terms of the GNU GPL for
|
||||||
|
* stunnel and the licenses of the other code concerned.
|
||||||
|
*
|
||||||
|
* Note that people who make modified versions of stunnel are not obligated
|
||||||
|
* to grant this special exception for their modified versions; it is their
|
||||||
|
* choice whether to do so. The GNU General Public License gives permission
|
||||||
|
* to release a modified version without this exception; this exception
|
||||||
|
* also makes it possible to release a modified version which carries
|
||||||
|
* forward this exception.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "common.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
|
||||||
|
int main(int argc, char *argv[]) {
|
||||||
|
static struct WSAData wsa_state;
|
||||||
|
|
||||||
|
if(WSAStartup(MAKEWORD(1, 1), &wsa_state))
|
||||||
|
return 1;
|
||||||
|
main_initialize();
|
||||||
|
if(main_configure(argc>1 ? argv[1] : NULL, argc>2 ? argv[2] : NULL))
|
||||||
|
return 1;
|
||||||
|
main_execute();
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
int passwd_cb(char *buf, int size, int rwflag, void *userdata) {
|
||||||
|
return 0; /* not implemented */
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef HAVE_OSSL_ENGINE_H
|
||||||
|
int pin_cb(UI *ui, UI_STRING *uis) {
|
||||||
|
return 0; /* not implemented */
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* end of nogui.c */
|
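Review bot: passwd_cb and pin_cb return 0 without any s_log() call, so in this non-GUI build a passphrase-protected private key or an engine PIN prompt hands OpenSSL a zero-length passphrase and nothing in the stunnel log explains why the key failed to load; log once at LOG_ERR that interactive passphrase entry is not available here, or at least document the limitation next to the "not implemented" comments. Also, the WSAStartup() in main() has no matching WSACleanup() on any return path.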
2407
src/options.c
Normal file
File diff suppressed because it is too large
76
src/os2.mak
Normal file
@ -0,0 +1,76 @@
|
|||||||
|
prefix=.
|
||||||
|
DEFS = -DPACKAGE_NAME=\"stunnel\" \
|
||||||
|
-DPACKAGE_TARNAME=\"stunnel\" \
|
||||||
|
-DPACKAGE_VERSION=\"4.53\" \
|
||||||
|
-DPACKAGE_STRING=\"stunnel\ 4.53\" \
|
||||||
|
-DPACKAGE_BUGREPORT=\"\" \
|
||||||
|
-DPACKAGE=\"stunnel\" \
|
||||||
|
-DVERSION=\"4.53\" \
|
||||||
|
-DSTDC_HEADERS=1 \
|
||||||
|
-DHAVE_SYS_TYPES_H=1 \
|
||||||
|
-DHAVE_SYS_STAT_H=1 \
|
||||||
|
-DHAVE_STDLIB_H=1 \
|
||||||
|
-DHAVE_STRING_H=1 \
|
||||||
|
-DHAVE_MEMORY_H=1 \
|
||||||
|
-DHAVE_STRINGS_H=1 \
|
||||||
|
-DHAVE_UNISTD_H=1 \
|
||||||
|
-DHAVE_OSSL_ENGINE_H=1 \
|
||||||
|
-DSSLDIR=\"/usr\" \
|
||||||
|
-DHOST=\"i386-pc-os2-emx\" \
|
||||||
|
-DHAVE_LIBSOCKET=1 \
|
||||||
|
-DHAVE_GRP_H=1 \
|
||||||
|
-DHAVE_UNISTD_H=1 \
|
||||||
|
-DHAVE_SYS_SELECT_H=1 \
|
||||||
|
-DHAVE_SYS_IOCTL_H=1 \
|
||||||
|
-DHAVE_SYS_RESOURCE_H=1 \
|
||||||
|
-DHAVE_SNPRINTF=1 \
|
||||||
|
-DHAVE_VSNPRINTF=1 \
|
||||||
|
-DHAVE_WAITPID=1 \
|
||||||
|
-DHAVE_SYSCONF=1 \
|
||||||
|
-DHAVE_ENDHOSTENT=1 \
|
||||||
|
-DUSE_OS2=1 \
|
||||||
|
-DSIZEOF_UNSIGNED_CHAR=1 \
|
||||||
|
-DSIZEOF_UNSIGNED_SHORT=2 \
|
||||||
|
-DSIZEOF_UNSIGNED_INT=4 \
|
||||||
|
-DSIZEOF_UNSIGNED_LONG=4 \
|
||||||
|
-DLIBDIR=\"$(prefix)/lib\" \
|
||||||
|
-DCONFDIR=\"$(prefix)/etc\" \
|
||||||
|
-DPIDFILE=\"$(prefix)/stunnel.pid\"
|
||||||
|
|
||||||
|
CC = gcc
|
||||||
|
.SUFFIXES = .c .o
|
||||||
|
OPENSSLDIR = u:/extras
|
||||||
|
#SYSLOGDIR = /unixos2/workdir/syslog
|
||||||
|
INCLUDES = -I$(OPENSSLDIR)/outinc
|
||||||
|
LIBS = -lsocket -L$(OPENSSLDIR)/out -lssl -lcrypto -lz -lsyslog
|
||||||
|
OBJS = file.o client.o log.o options.o protocol.o network.o ssl.o ctx.o verify.o sthreads.o stunnel.o pty.o resolver.o str.o fd.o
|
||||||
|
LIBDIR = .
|
||||||
|
CFLAGS = -O2 -Wall -Wshadow -Wcast-align -Wpointer-arith
|
||||||
|
|
||||||
|
all: stunnel.exe
|
||||||
|
|
||||||
|
stunnel.exe: $(OBJS)
|
||||||
|
$(CC) -Zmap $(CFLAGS) -o $@ $(OBJS) $(LIBS)
|
||||||
|
|
||||||
|
.c.o:
|
||||||
|
$(CC) $(CFLAGS) $(DEFS) $(INCLUDES) -o $@ -c $<
|
||||||
|
|
||||||
|
client.o: client.c common.h prototypes.h
|
||||||
|
#env.o: env.c common.h prototypes.h
|
||||||
|
#gui.o: gui.c common.h prototypes.h
|
||||||
|
file.o: file.c common.h prototypes.h
|
||||||
|
network.o: network.c common.h prototypes.h
|
||||||
|
options.o: options.c common.h prototypes.h
|
||||||
|
protocol.o: protocol.c common.h prototypes.h
|
||||||
|
pty.o: pty.c common.h prototypes.h
|
||||||
|
ssl.o: ssl.c common.h prototypes.h
|
||||||
|
ctx.o: ctx.c common.h prototypes.h
|
||||||
|
verify.o: verify.c common.h prototypes.h
|
||||||
|
sthreads.o: sthreads.c common.h prototypes.h
|
||||||
|
stunnel.o: stunnel.c common.h prototypes.h
|
||||||
|
resolver.o: resolver.c common.h prototypes.h
|
||||||
|
str.o: str.c common.h prototypes.h
|
||||||
|
fd.o: fd.c common.h prototypes.h
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *.o *.exe
|
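Review bot: `.SUFFIXES = .c .o` is a variable assignment, not the special target; the form that declares the suffix list is `.SUFFIXES: .c .o`, and as written the `.c.o:` rule only works because .c and .o happen to be in make's built-in default suffix list. Also `-DHAVE_UNISTD_H=1` appears twice in DEFS, and `clean` should be declared `.PHONY` so that a file named clean cannot mask the target.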
747
src/protocol.c
Normal file
@ -0,0 +1,747 @@
|
|||||||
|
/*
|
||||||
|
* stunnel Universal SSL tunnel
|
||||||
|
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
* Free Software Foundation; either version 2 of the License, or (at your
|
||||||
|
* option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||||
|
* See the GNU General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License along
|
||||||
|
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||||
|
*
|
||||||
|
* Linking stunnel statically or dynamically with other modules is making
|
||||||
|
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||||
|
* the GNU General Public License cover the whole combination.
|
||||||
|
*
|
||||||
|
* In addition, as a special exception, the copyright holder of stunnel
|
||||||
|
* gives you permission to combine stunnel with free software programs or
|
||||||
|
* libraries that are released under the GNU LGPL and with code included
|
||||||
|
* in the standard release of OpenSSL under the OpenSSL License (or
|
||||||
|
* modified versions of such code, with unchanged license). You may copy
|
||||||
|
* and distribute such a system following the terms of the GNU GPL for
|
||||||
|
* stunnel and the licenses of the other code concerned.
|
||||||
|
*
|
||||||
|
* Note that people who make modified versions of stunnel are not obligated
|
||||||
|
* to grant this special exception for their modified versions; it is their
|
||||||
|
* choice whether to do so. The GNU General Public License gives permission
|
||||||
|
* to release a modified version without this exception; this exception
|
||||||
|
* also makes it possible to release a modified version which carries
|
||||||
|
* forward this exception.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "common.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
|
||||||
|
#define isprefix(a, b) (strncasecmp((a), (b), strlen(b))==0)
|
||||||
|
|
||||||
|
/* protocol-specific function prototypes */
|
||||||
|
static void proxy_server(CLI *c);
|
||||||
|
static void cifs_client(CLI *);
|
||||||
|
static void cifs_server(CLI *);
|
||||||
|
static void pgsql_client(CLI *);
|
||||||
|
static void pgsql_server(CLI *);
|
||||||
|
static void smtp_client(CLI *);
|
||||||
|
static void smtp_server(CLI *);
|
||||||
|
static void pop3_client(CLI *);
|
||||||
|
static void pop3_server(CLI *);
|
||||||
|
static void imap_client(CLI *);
|
||||||
|
static void imap_server(CLI *);
|
||||||
|
static void nntp_client(CLI *);
|
||||||
|
static void connect_server(CLI *);
|
||||||
|
static void connect_client(CLI *);
|
||||||
|
|
||||||
|
#if !defined(OPENSSL_NO_MD4) && OPENSSL_VERSION_NUMBER>=0x0090700fL
|
||||||
|
static void ntlm(CLI *);
|
||||||
|
static char *ntlm1();
|
||||||
|
static char *ntlm3(char *, char *, char *);
|
||||||
|
static void crypt_DES(DES_cblock, DES_cblock, DES_cblock);
|
||||||
|
#endif
|
||||||
|
static char *base64(int, char *, int);
|
||||||
|
|
||||||
|
/**************************************** framework */
|
||||||
|
|
||||||
|
typedef void (*FUNCTION)(CLI *);
|
||||||
|
|
||||||
|
static const struct {
|
||||||
|
char *name;
|
||||||
|
struct {
|
||||||
|
PROTOCOL_TYPE type;
|
||||||
|
FUNCTION func;
|
||||||
|
} handlers[2];
|
||||||
|
} protocols[]={
|
||||||
|
{"proxy", {{PROTOCOL_PRE_SSL, proxy_server}, {PROTOCOL_PRE_SSL, NULL}}},
|
||||||
|
{"cifs", {{PROTOCOL_PRE_CONNECT, cifs_server}, {PROTOCOL_PRE_SSL, cifs_client}}},
|
||||||
|
{"pgsql", {{PROTOCOL_PRE_CONNECT, pgsql_server}, {PROTOCOL_PRE_SSL, pgsql_client}}},
|
||||||
|
{"smtp", {{PROTOCOL_PRE_SSL, smtp_server}, {PROTOCOL_PRE_SSL, smtp_client}}},
|
||||||
|
{"pop3", {{PROTOCOL_PRE_SSL, pop3_server}, {PROTOCOL_PRE_SSL, pop3_client}}},
|
||||||
|
{"imap", {{PROTOCOL_PRE_SSL, imap_server}, {PROTOCOL_PRE_SSL, imap_client}}},
|
||||||
|
{"nntp", {{PROTOCOL_NONE, NULL}, {PROTOCOL_PRE_SSL, nntp_client}}},
|
||||||
|
{"connect", {{PROTOCOL_PRE_CONNECT, connect_server}, {PROTOCOL_PRE_SSL, connect_client}}},
|
||||||
|
{NULL, {{PROTOCOL_NONE, NULL}, {PROTOCOL_NONE, NULL}}}
|
||||||
|
};
|
||||||
|
|
||||||
|
int find_protocol_id(const char *name) {
|
||||||
|
int id;
|
||||||
|
|
||||||
|
for(id=0; protocols[id].name; ++id)
|
||||||
|
if(!strcmp(name, protocols[id].name))
|
||||||
|
return id;
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
void protocol(CLI *c, const PROTOCOL_TYPE type) {
|
||||||
|
const int id=c->opt->protocol, mode=(unsigned int)c->opt->option.client;
|
||||||
|
|
||||||
|
if(id<0 || type!=protocols[id].handlers[mode].type ||
|
||||||
|
!protocols[id].handlers[mode].func)
|
||||||
|
return;
|
||||||
|
s_log(LOG_INFO, "%s-mode %s protocol negotiations started",
|
||||||
|
mode ? "Client" : "Server", protocols[id].name);
|
||||||
|
protocols[id].handlers[mode].func(c);
|
||||||
|
s_log(LOG_INFO, "%s-mode %s protocol negotiations succeeded",
|
||||||
|
mode ? "Client" : "Server", protocols[id].name);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**************************************** proxy */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* PROXY protocol: http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt
|
||||||
|
* this is a protocol client support for stunnel acting as an SSL server
|
||||||
|
* I don't think anything else is useful, but feel free to discuss on the
|
||||||
|
* stunnel-users mailing list if you disagree
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* IP address textual representation length */
|
||||||
|
/* 1234:6789:1234:6789:1234:6789:1234:6789 -> 40 chars with '\0' */
|
||||||
|
#define IP_LEN 40
|
||||||
|
#define PORT_LEN 6
|
||||||
|
|
||||||
|
static void proxy_server(CLI *c) {
|
||||||
|
SOCKADDR_UNION addr;
|
||||||
|
socklen_t addrlen;
|
||||||
|
char src_host[IP_LEN], dst_host[IP_LEN];
|
||||||
|
char src_port[PORT_LEN], dst_port[PORT_LEN], *proto;
|
||||||
|
int err;
|
||||||
|
|
||||||
|
addrlen=sizeof addr;
|
||||||
|
if(getpeername(c->local_rfd.fd, &addr.sa, &addrlen)) {
|
||||||
|
sockerror("getpeername");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
err=getnameinfo(&addr.sa, addr_len(&addr), src_host, IP_LEN,
|
||||||
|
src_port, PORT_LEN, NI_NUMERICHOST|NI_NUMERICSERV);
|
||||||
|
if(err) {
|
||||||
|
s_log(LOG_ERR, "getnameinfo: %s", s_gai_strerror(err));
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
|
||||||
|
addrlen=sizeof addr;
|
||||||
|
if(getsockname(c->local_rfd.fd, &addr.sa, &addrlen)) {
|
||||||
|
sockerror("getsockname");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
err=getnameinfo(&addr.sa, addr_len(&addr), dst_host, IP_LEN,
|
||||||
|
dst_port, PORT_LEN, NI_NUMERICHOST|NI_NUMERICSERV);
|
||||||
|
if(err) {
|
||||||
|
s_log(LOG_ERR, "getnameinfo: %s", s_gai_strerror(err));
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
|
||||||
|
switch(addr.sa.sa_family) {
|
||||||
|
case AF_INET:
|
||||||
|
proto="TCP4";
|
||||||
|
break;
|
||||||
|
case AF_INET6:
|
||||||
|
proto="TCP6";
|
||||||
|
break;
|
||||||
|
default: /* AF_UNIX */
|
||||||
|
proto="UNKNOWN";
|
||||||
|
}
|
||||||
|
fd_printf(c, c->remote_fd.fd, "PROXY %s %s %s %s %s",
|
||||||
|
proto, src_host, dst_host, src_port, dst_port);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**************************************** cifs */
|
||||||
|
|
||||||
|
static void cifs_client(CLI *c) {
|
||||||
|
u8 buffer[5];
|
||||||
|
u8 request_dummy[4] = {0x81, 0, 0, 0}; /* a zero-length request */
|
||||||
|
|
||||||
|
write_blocking(c, c->remote_fd.fd, request_dummy, 4);
|
||||||
|
read_blocking(c, c->remote_fd.fd, buffer, 5);
|
||||||
|
if(buffer[0]!=0x83) { /* NB_SSN_NEGRESP */
|
||||||
|
s_log(LOG_ERR, "Negative response expected");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
if(buffer[2]!=0 || buffer[3]!=1) { /* length != 1 */
|
||||||
|
s_log(LOG_ERR, "Unexpected NetBIOS response size");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
if(buffer[4]!=0x8e) { /* use SSL */
|
||||||
|
s_log(LOG_ERR, "Remote server does not require SSL");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static void cifs_server(CLI *c) {
|
||||||
|
u8 buffer[128];
|
||||||
|
u8 response_access_denied[5] = {0x83, 0, 0, 1, 0x81};
|
||||||
|
u8 response_use_ssl[5] = {0x83, 0, 0, 1, 0x8e};
|
||||||
|
u16 len;
|
||||||
|
|
||||||
|
read_blocking(c, c->local_rfd.fd, buffer, 4) ;/* NetBIOS header */
|
||||||
|
len=buffer[3];
|
||||||
|
len|=(u16)(buffer[2]) << 8;
|
||||||
|
if(len>sizeof buffer-4) {
|
||||||
|
s_log(LOG_ERR, "Received block too long");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
read_blocking(c, c->local_rfd.fd, buffer+4, len);
|
||||||
|
if(buffer[0]!=0x81){ /* NB_SSN_REQUEST */
|
||||||
|
s_log(LOG_ERR, "Client did not send session setup");
|
||||||
|
write_blocking(c, c->local_wfd.fd, response_access_denied, 5);
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
write_blocking(c, c->local_wfd.fd, response_use_ssl, 5);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**************************************** pgsql */
|
||||||
|
|
||||||
|
/* http://www.postgresql.org/docs/8.3/static/protocol-flow.html#AEN73982 */
|
||||||
|
u8 ssl_request[8]={0, 0, 0, 8, 0x04, 0xd2, 0x16, 0x2f};
|
||||||
|
|
||||||
|
static void pgsql_client(CLI *c) {
|
||||||
|
u8 buffer[1];
|
||||||
|
|
||||||
|
write_blocking(c, c->remote_fd.fd, ssl_request, sizeof ssl_request);
|
||||||
|
read_blocking(c, c->remote_fd.fd, buffer, 1);
|
||||||
|
/* S - accepted, N - rejected, non-SSL preferred */
|
||||||
|
if(buffer[0]!='S') {
|
||||||
|
s_log(LOG_ERR, "PostgreSQL server rejected SSL");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static void pgsql_server(CLI *c) {
|
||||||
|
u8 buffer[8], ssl_ok[1]={'S'};
|
||||||
|
|
||||||
|
memset(buffer, 0, sizeof buffer);
|
||||||
|
read_blocking(c, c->local_rfd.fd, buffer, sizeof buffer);
|
||||||
|
if(memcmp(buffer, ssl_request, sizeof ssl_request)) {
|
||||||
|
s_log(LOG_ERR, "PostgreSQL client did not request SSL, rejecting");
|
||||||
|
/* no way to send error on startup, so just drop the client */
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
write_blocking(c, c->local_wfd.fd, ssl_ok, sizeof ssl_ok);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**************************************** smtp */
|
||||||
|
|
||||||
|
static void smtp_client(CLI *c) {
|
||||||
|
char *line;
|
||||||
|
|
||||||
|
do { /* copy multiline greeting */
|
||||||
|
line=fd_getline(c, c->remote_fd.fd);
|
||||||
|
fd_putline(c, c->local_wfd.fd, line);
|
||||||
|
} while(isprefix(line, "220-"));
|
||||||
|
|
||||||
|
fd_putline(c, c->remote_fd.fd, "EHLO localhost");
|
||||||
|
do { /* skip multiline reply */
|
||||||
|
line=fd_getline(c, c->remote_fd.fd);
|
||||||
|
} while(isprefix(line, "250-"));
|
||||||
|
if(!isprefix(line, "250 ")) { /* error */
|
||||||
|
s_log(LOG_ERR, "Remote server is not RFC 1425 compliant");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
|
||||||
|
fd_putline(c, c->remote_fd.fd, "STARTTLS");
|
||||||
|
do { /* skip multiline reply */
|
||||||
|
line=fd_getline(c, c->remote_fd.fd);
|
||||||
|
} while(isprefix(line, "220-"));
|
||||||
|
if(!isprefix(line, "220 ")) { /* error */
|
||||||
|
s_log(LOG_ERR, "Remote server is not RFC 2487 compliant");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static void smtp_server(CLI *c) {
|
||||||
|
char *line;
|
||||||
|
|
||||||
|
s_poll_init(c->fds);
|
||||||
|
s_poll_add(c->fds, c->local_rfd.fd, 1, 0);
|
||||||
|
switch(s_poll_wait(c->fds, 0, 200)) { /* wait up to 200ms */
|
||||||
|
case 0: /* fd not ready to read */
|
||||||
|
s_log(LOG_DEBUG, "RFC 2487 detected");
|
||||||
|
break;
|
||||||
|
case 1: /* fd ready to read */
|
||||||
|
s_log(LOG_DEBUG, "RFC 2487 not detected");
|
||||||
|
return; /* return if RFC 2487 is not used */
|
||||||
|
default: /* -1 */
|
||||||
|
sockerror("RFC2487 (s_poll_wait)");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
|
||||||
|
line=fd_getline(c, c->remote_fd.fd);
|
||||||
|
if(!isprefix(line, "220")) {
|
||||||
|
s_log(LOG_ERR, "Unknown server welcome");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
fd_printf(c, c->local_wfd.fd, "%s + stunnel", line);
|
||||||
|
line=fd_getline(c, c->local_rfd.fd);
|
||||||
|
if(!isprefix(line, "EHLO ")) {
|
||||||
|
s_log(LOG_ERR, "Unknown client EHLO");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
fd_printf(c, c->local_wfd.fd, "250-%s Welcome", line);
|
||||||
|
fd_putline(c, c->local_wfd.fd, "250 STARTTLS");
|
||||||
|
line=fd_getline(c, c->local_rfd.fd);
|
||||||
|
if(!isprefix(line, "STARTTLS")) {
|
||||||
|
s_log(LOG_ERR, "STARTTLS expected");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
fd_putline(c, c->local_wfd.fd, "220 Go ahead");
|
||||||
|
}
|
||||||
|
|
||||||
|
/**************************************** pop3 */
|
||||||
|
|
||||||
|
static void pop3_client(CLI *c) {
|
||||||
|
char *line;
|
||||||
|
|
||||||
|
line=fd_getline(c, c->remote_fd.fd);
|
||||||
|
if(!isprefix(line, "+OK ")) {
|
||||||
|
s_log(LOG_ERR, "Unknown server welcome");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
fd_putline(c, c->local_wfd.fd, line);
|
||||||
|
fd_putline(c, c->remote_fd.fd, "STLS");
|
||||||
|
line=fd_getline(c, c->remote_fd.fd);
|
||||||
|
if(!isprefix(line, "+OK ")) {
|
||||||
|
s_log(LOG_ERR, "Server does not support TLS");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static void pop3_server(CLI *c) {
|
||||||
|
char *line;
|
||||||
|
|
||||||
|
line=fd_getline(c, c->remote_fd.fd);
|
||||||
|
fd_printf(c, c->local_wfd.fd, "%s + stunnel", line);
|
||||||
|
line=fd_getline(c, c->local_rfd.fd);
|
||||||
|
if(isprefix(line, "CAPA")) { /* client wants RFC 2449 extensions */
|
||||||
|
fd_putline(c, c->local_wfd.fd, "+OK Stunnel capability list follows");
|
||||||
|
fd_putline(c, c->local_wfd.fd, "STLS");
|
||||||
|
fd_putline(c, c->local_wfd.fd, ".");
|
||||||
|
line=fd_getline(c, c->local_rfd.fd);
|
||||||
|
}
|
||||||
|
if(!isprefix(line, "STLS")) {
|
||||||
|
s_log(LOG_ERR, "Client does not want TLS");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
fd_putline(c, c->local_wfd.fd, "+OK Stunnel starts TLS negotiation");
|
||||||
|
}
|
||||||
|
|
||||||
|
/**************************************** imap */
|
||||||
|
|
||||||
|
static void imap_client(CLI *c) {
|
||||||
|
char *line;
|
||||||
|
|
||||||
|
line=fd_getline(c, c->remote_fd.fd);
|
||||||
|
if(!isprefix(line, "* OK")) {
|
||||||
|
s_log(LOG_ERR, "Unknown server welcome");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
fd_putline(c, c->local_wfd.fd, line);
|
||||||
|
fd_putline(c, c->remote_fd.fd, "stunnel STARTTLS");
|
||||||
|
line=fd_getline(c, c->remote_fd.fd);
|
||||||
|
if(!isprefix(line, "stunnel OK")) {
|
||||||
|
fd_putline(c, c->local_wfd.fd,
|
||||||
|
"* BYE stunnel: Server does not support TLS");
|
||||||
|
s_log(LOG_ERR, "Server does not support TLS");
|
||||||
|
longjmp(c->err, 2); /* don't reset */
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static void imap_server(CLI *c) {
|
||||||
|
char *line, *id, *tail, *capa;
|
||||||
|
|
||||||
|
s_poll_init(c->fds);
|
||||||
|
s_poll_add(c->fds, c->local_rfd.fd, 1, 0);
|
||||||
|
switch(s_poll_wait(c->fds, 0, 200)) {
|
||||||
|
case 0: /* fd not ready to read */
|
||||||
|
s_log(LOG_DEBUG, "RFC 2595 detected");
|
||||||
|
break;
|
||||||
|
case 1: /* fd ready to read */
|
||||||
|
s_log(LOG_DEBUG, "RFC 2595 not detected");
|
||||||
|
return; /* return if RFC 2595 is not used */
|
||||||
|
default: /* -1 */
|
||||||
|
sockerror("RFC2595 (s_poll_wait)");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* process server welcome and send it to client */
|
||||||
|
line=fd_getline(c, c->remote_fd.fd);
|
||||||
|
if(!isprefix(line, "* OK")) {
|
||||||
|
s_log(LOG_ERR, "Unknown server welcome");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
capa=strstr(line, "CAPABILITY");
|
||||||
|
if(!capa)
|
||||||
|
capa=strstr(line, "capability");
|
||||||
|
if(capa)
|
||||||
|
*capa='K'; /* disable CAPABILITY within greeting */
|
||||||
|
fd_printf(c, c->local_wfd.fd, "%s (stunnel)", line);
|
||||||
|
|
||||||
|
while(1) { /* process client commands */
|
||||||
|
line=fd_getline(c, c->local_rfd.fd);
|
||||||
|
/* split line into id and tail */
|
||||||
|
id=str_dup(line);
|
||||||
|
tail=strchr(id, ' ');
|
||||||
|
if(!tail)
|
||||||
|
break;
|
||||||
|
*tail++='\0';
|
||||||
|
|
||||||
|
if(isprefix(tail, "STARTTLS")) {
|
||||||
|
fd_printf(c, c->local_wfd.fd,
|
||||||
|
"%s OK Begin TLS negotiation now", id);
|
||||||
|
return; /* success */
|
||||||
|
} else if(isprefix(tail, "CAPABILITY")) {
|
||||||
|
fd_putline(c, c->remote_fd.fd, line); /* send it to server */
|
||||||
|
line=fd_getline(c, c->remote_fd.fd); /* get the capabilites */
|
||||||
|
if(*line=='*') {
|
||||||
|
/*
|
||||||
|
* append STARTTLS
|
||||||
|
* should also add LOGINDISABLED, but can't because
|
||||||
|
* of Mozilla bug #324138/#312009
|
||||||
|
* LOGIN would fail as "unexpected command", anyway
|
||||||
|
*/
|
||||||
|
fd_printf(c, c->local_wfd.fd, "%s STARTTLS", line);
|
||||||
|
line=fd_getline(c, c->remote_fd.fd); /* next line */
|
||||||
|
}
|
||||||
|
fd_putline(c, c->local_wfd.fd, line); /* forward to the client */
|
||||||
|
tail=strchr(line, ' ');
|
||||||
|
if(!tail || !isprefix(tail+1, "OK")) { /* not OK? */
|
||||||
|
fd_putline(c, c->local_wfd.fd,
|
||||||
|
"* BYE unexpected server response");
|
||||||
|
s_log(LOG_ERR, "Unexpected server response: %s", line);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
} else if(isprefix(tail, "LOGOUT")) {
|
||||||
|
fd_putline(c, c->local_wfd.fd, "* BYE server terminating");
|
||||||
|
fd_printf(c, c->local_wfd.fd, "%s OK LOGOUT completed", id);
|
||||||
|
break;
|
||||||
|
} else {
|
||||||
|
fd_putline(c, c->local_wfd.fd, "* BYE stunnel: unexpected command");
|
||||||
|
fd_printf(c, c->local_wfd.fd, "%s BAD %s unexpected", id, tail);
|
||||||
|
s_log(LOG_ERR, "Unexpected client command %s", tail);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
/* clean server shutdown */
|
||||||
|
fd_putline(c, c->remote_fd.fd, "stunnel LOGOUT");
|
||||||
|
line=fd_getline(c, c->remote_fd.fd);
|
||||||
|
if(*line=='*')
|
||||||
|
line=fd_getline(c, c->remote_fd.fd);
|
||||||
|
longjmp(c->err, 2); /* don't reset */
|
||||||
|
}
|
||||||
|
|
||||||
|
/**************************************** nntp */
|
||||||
|
|
||||||
|
static void nntp_client(CLI *c) {
|
||||||
|
char *line;
|
||||||
|
|
||||||
|
line=fd_getline(c, c->remote_fd.fd);
|
||||||
|
if(!isprefix(line, "200 ") && !isprefix(line, "201 ")) {
|
||||||
|
s_log(LOG_ERR, "Unknown server welcome");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
fd_putline(c, c->local_wfd.fd, line);
|
||||||
|
fd_putline(c, c->remote_fd.fd, "STARTTLS");
|
||||||
|
line=fd_getline(c, c->remote_fd.fd);
|
||||||
|
if(!isprefix(line, "382 ")) {
|
||||||
|
s_log(LOG_ERR, "Server does not support TLS");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**************************************** connect */
|
||||||
|
|
||||||
|
static void connect_server(CLI *c) {
|
||||||
|
char *request, *proto, *header;
|
||||||
|
int not_empty;
|
||||||
|
|
||||||
|
request=fd_getline(c, c->local_rfd.fd);
|
||||||
|
if(!isprefix(request, "CONNECT ")) {
|
||||||
|
fd_putline(c, c->local_wfd.fd, "HTTP/1.0 400 Bad Request Method");
|
||||||
|
fd_putline(c, c->local_wfd.fd, "Server: stunnel/" STUNNEL_VERSION);
|
||||||
|
fd_putline(c, c->local_wfd.fd, "");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
proto=strchr(request+8, ' ');
|
||||||
|
if(!proto || !isprefix(proto, " HTTP/")) {
|
||||||
|
fd_putline(c, c->local_wfd.fd, "HTTP/1.0 400 Bad Request Protocol");
|
||||||
|
fd_putline(c, c->local_wfd.fd, "Server: stunnel/" STUNNEL_VERSION);
|
||||||
|
fd_putline(c, c->local_wfd.fd, "");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
*proto='\0';
|
||||||
|
do { /* ignore any headers*/
|
||||||
|
header=fd_getline(c, c->local_rfd.fd);
|
||||||
|
not_empty=*header;
|
||||||
|
str_free(header);
|
||||||
|
} while(not_empty);
|
||||||
|
if(!name2addrlist(&c->connect_addr, request+8, DEFAULT_LOOPBACK)) {
|
||||||
|
fd_putline(c, c->local_wfd.fd, "HTTP/1.0 404 Not Found");
|
||||||
|
fd_putline(c, c->local_wfd.fd, "Server: stunnel/" STUNNEL_VERSION);
|
||||||
|
fd_putline(c, c->local_wfd.fd, "");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
str_free(request);
|
||||||
|
fd_putline(c, c->local_wfd.fd, "HTTP/1.0 200 OK");
|
||||||
|
fd_putline(c, c->local_wfd.fd, "Server: stunnel/" STUNNEL_VERSION);
|
||||||
|
fd_putline(c, c->local_wfd.fd, "");
|
||||||
|
}
|
||||||
|
|
||||||
|
static void connect_client(CLI *c) {
|
||||||
|
char *line, *encoded;
|
||||||
|
|
||||||
|
if(!c->opt->protocol_host) {
|
||||||
|
s_log(LOG_ERR, "protocolHost not specified");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
fd_printf(c, c->remote_fd.fd, "CONNECT %s HTTP/1.1",
|
||||||
|
c->opt->protocol_host);
|
||||||
|
fd_printf(c, c->remote_fd.fd, "Host: %s", c->opt->protocol_host);
|
||||||
|
if(c->opt->protocol_username && c->opt->protocol_password) {
|
||||||
|
if(!strcasecmp(c->opt->protocol_authentication, "NTLM")) {
|
||||||
|
#if !defined(OPENSSL_NO_MD4) && OPENSSL_VERSION_NUMBER>=0x0090700fL
|
||||||
|
ntlm(c);
|
||||||
|
#else
|
||||||
|
s_log(LOG_ERR, "NTLM authentication is not available");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
#endif
|
||||||
|
} else { /* basic authentication */
|
||||||
|
line=str_printf("%s:%s",
|
||||||
|
c->opt->protocol_username, c->opt->protocol_password);
|
||||||
|
encoded=base64(1, line, strlen(line));
|
||||||
|
str_free(line);
|
||||||
|
if(!encoded) {
|
||||||
|
s_log(LOG_ERR, "Base64 encoder failed");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
fd_printf(c, c->remote_fd.fd, "Proxy-Authorization: basic %s",
|
||||||
|
encoded);
|
||||||
|
str_free(encoded);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
fd_putline(c, c->remote_fd.fd, ""); /* empty line */
|
||||||
|
line=fd_getline(c, c->remote_fd.fd);
|
||||||
|
if(strlen(line)<12 || line[9]!='2') {
|
||||||
|
/* not "HTTP/1.0 200 Connection established" */
|
||||||
|
s_log(LOG_ERR, "CONNECT request rejected");
|
||||||
|
do { /* read all headers */
|
||||||
|
line=fd_getline(c, c->remote_fd.fd);
|
||||||
|
} while(*line);
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
s_log(LOG_INFO, "CONNECT request accepted");
|
||||||
|
do {
|
||||||
|
line=fd_getline(c, c->remote_fd.fd); /* read all headers */
|
||||||
|
} while(*line);
|
||||||
|
}
|
||||||
|
|
||||||
|
#if !defined(OPENSSL_NO_MD4) && OPENSSL_VERSION_NUMBER>=0x0090700fL
|
||||||
|
|
||||||
|
/*
|
||||||
|
* NTLM code is based on the following documentation:
|
||||||
|
* http://davenport.sourceforge.net/ntlm.html
|
||||||
|
* http://www.innovation.ch/personal/ronald/ntlm.html
|
||||||
|
*/
|
||||||
|
|
||||||
|
#define s_min(a, b) ((a)>(b)?(b):(a))
|
||||||
|
|
||||||
|
static void ntlm(CLI *c) {
|
||||||
|
char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt;
|
||||||
|
long content_length=0; /* no HTTP content */
|
||||||
|
|
||||||
|
/* send Proxy-Authorization (phase 1) */
|
||||||
|
fd_printf(c, c->remote_fd.fd, "Proxy-Connection: keep-alive");
|
||||||
|
ntlm1_txt=ntlm1();
|
||||||
|
if(!ntlm1_txt) {
|
||||||
|
s_log(LOG_ERR, "Proxy-Authenticate: Failed to build NTLM request");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
fd_printf(c, c->remote_fd.fd, "Proxy-Authorization: NTLM %s", ntlm1_txt);
|
||||||
|
str_free(ntlm1_txt);
|
||||||
|
fd_putline(c, c->remote_fd.fd, ""); /* empty line */
|
||||||
|
line=fd_getline(c, c->remote_fd.fd);
|
||||||
|
|
||||||
|
/* receive Proxy-Authenticate (phase 2) */
|
||||||
|
if(line[9]!='4' || line[10]!='0' || line[11]!='7') { /* code 407 */
|
||||||
|
s_log(LOG_ERR, "NTLM authorization request rejected");
|
||||||
|
do { /* read all headers */
|
||||||
|
line=fd_getline(c, c->remote_fd.fd);
|
||||||
|
} while(*line);
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
ntlm2_txt=NULL;
|
||||||
|
do { /* read all headers */
|
||||||
|
line=fd_getline(c, c->remote_fd.fd);
|
||||||
|
if(isprefix(line, "Proxy-Authenticate: NTLM "))
|
||||||
|
ntlm2_txt=str_dup(line+25);
|
||||||
|
else if(isprefix(line, "Content-Length: "))
|
||||||
|
content_length=atol(line+16);
|
||||||
|
} while(*line);
|
||||||
|
if(!ntlm2_txt) { /* no Proxy-Authenticate: NTLM header */
|
||||||
|
s_log(LOG_ERR, "Proxy-Authenticate: NTLM header not found");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* read and ignore HTTP content (if any) */
|
||||||
|
while(content_length) {
|
||||||
|
read_blocking(c, c->remote_fd.fd, buf, s_min(content_length, BUFSIZ));
|
||||||
|
content_length-=s_min(content_length, BUFSIZ);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* send Proxy-Authorization (phase 3) */
|
||||||
|
fd_printf(c, c->remote_fd.fd, "CONNECT %s HTTP/1.1", c->opt->protocol_host);
|
||||||
|
fd_printf(c, c->remote_fd.fd, "Host: %s", c->opt->protocol_host);
|
||||||
|
ntlm3_txt=ntlm3(c->opt->protocol_username, c->opt->protocol_password, ntlm2_txt);
|
||||||
|
str_free(ntlm2_txt);
|
||||||
|
if(!ntlm3_txt) {
|
||||||
|
s_log(LOG_ERR, "Proxy-Authenticate: Failed to build NTLM response");
|
||||||
|
longjmp(c->err, 1);
|
||||||
|
}
|
||||||
|
fd_printf(c, c->remote_fd.fd, "Proxy-Authorization: NTLM %s", ntlm3_txt);
|
||||||
|
str_free(ntlm3_txt);
|
||||||
|
}
|
||||||
|
|
||||||
|
static char *ntlm1() {
|
||||||
|
char phase1[16];
|
||||||
|
|
||||||
|
memset(phase1, 0, sizeof phase1);
|
||||||
|
strcpy(phase1, "NTLMSSP");
|
||||||
|
phase1[8]=1; /* type: 1 */
|
||||||
|
phase1[12]=2; /* flag: negotiate OEM */
|
||||||
|
phase1[13]=2; /* flag: negotiate NTLM */
|
||||||
|
return base64(1, phase1, sizeof phase1); /* encode */
|
||||||
|
}
|
||||||
|
|
||||||
|
static char *ntlm3(char *username, char *password, char *phase2) {
|
||||||
|
MD4_CTX md4;
|
||||||
|
char *decoded; /* decoded reply from proxy */
|
||||||
|
char phase3[146];
|
||||||
|
unsigned char md4_hash[21];
|
||||||
|
unsigned int userlen=strlen(username);
|
||||||
|
unsigned int phase3len=s_min(88+userlen, sizeof phase3);
|
||||||
|
|
||||||
|
/* setup phase3 structure */
|
||||||
|
memset(phase3, 0, sizeof phase3);
|
||||||
|
strcpy(phase3, "NTLMSSP");
|
||||||
|
phase3[8]=3; /* type: 3 */
|
||||||
|
phase3[16]=phase3len; /* LM-resp off */
|
||||||
|
phase3[20]=24; /* NT-resp len */
|
||||||
|
phase3[22]=24; /* NT-Resp len */
|
||||||
|
phase3[24]=64; /* NT-resp off */
|
||||||
|
phase3[32]=phase3len; /* domain offset */
|
||||||
|
phase3[36]=userlen; /* user length */
|
||||||
|
phase3[38]=userlen; /* user length */
|
||||||
|
phase3[40]=88; /* user offset */
|
||||||
|
phase3[48]=phase3len; /* host offset */
|
||||||
|
phase3[56]=phase3len; /* message len */
|
||||||
|
phase3[60]=2; /* flag: negotiate OEM */
|
||||||
|
phase3[61]=2; /* flag: negotiate NTLM */
|
||||||
|
|
||||||
|
/* calculate MD4 of UTF-16 encoded password */
|
||||||
|
MD4_Init(&md4);
|
||||||
|
while(*password) {
|
||||||
|
MD4_Update(&md4, password++, 1);
|
||||||
|
MD4_Update(&md4, "", 1); /* UTF-16 */
|
||||||
|
}
|
||||||
|
MD4_Final(md4_hash, &md4);
|
||||||
|
memset(md4_hash+16, 0, 5); /* pad to 21 bytes */
|
||||||
|
|
||||||
|
/* decode challenge and calculate response */
|
||||||
|
decoded=base64(0, phase2, strlen(phase2)); /* decode */
|
||||||
|
if(!decoded)
|
||||||
|
return NULL;
|
||||||
|
crypt_DES((unsigned char *)phase3+64,
|
||||||
|
(unsigned char *)decoded+24, md4_hash);
|
||||||
|
crypt_DES((unsigned char *)phase3+72,
|
||||||
|
(unsigned char *)decoded+24, md4_hash+7);
|
||||||
|
crypt_DES((unsigned char *)phase3+80,
|
||||||
|
(unsigned char *)decoded+24, md4_hash+14);
|
||||||
|
str_free(decoded);
|
||||||
|
|
||||||
|
strncpy(phase3+88, username, sizeof phase3-88);
|
||||||
|
|
||||||
|
return base64(1, phase3, phase3len); /* encode */
|
||||||
|
}
|
||||||
|
|
||||||
|
static void crypt_DES(DES_cblock dst, const_DES_cblock src, DES_cblock hash) {
|
||||||
|
DES_cblock key;
|
||||||
|
DES_key_schedule sched;
|
||||||
|
|
||||||
|
/* convert key from 56 to 64 bits */
|
||||||
|
key[0]=hash[0];
|
||||||
|
key[1]=((hash[0]&1)<<7)|(hash[1]>>1);
|
||||||
|
key[2]=((hash[1]&3)<<6)|(hash[2]>>2);
|
||||||
|
key[3]=((hash[2]&7)<<5)|(hash[3]>>3);
|
||||||
|
key[4]=((hash[3]&15)<<4)|(hash[4]>>4);
|
||||||
|
key[5]=((hash[4]&31)<<3)|(hash[5]>>5);
|
||||||
|
key[6]=((hash[5]&63)<<2)|(hash[6]>>6);
|
||||||
|
key[7]=((hash[6]&127)<<1);
|
||||||
|
DES_set_odd_parity(&key);
|
||||||
|
|
||||||
|
/* encrypt */
|
||||||
|
DES_set_key_unchecked(&key, &sched);
|
||||||
|
DES_ecb_encrypt((const_DES_cblock *)src,
|
||||||
|
(DES_cblock *)dst, &sched, DES_ENCRYPT);
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif
|
||||||
|
|
||||||
|
static char *base64(int encode, char *in, int len) {
|
||||||
|
BIO *bio, *b64;
|
||||||
|
char *out;
|
||||||
|
int n;
|
||||||
|
|
||||||
|
b64=BIO_new(BIO_f_base64());
|
||||||
|
if(!b64)
|
||||||
|
return NULL;
|
||||||
|
BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
|
||||||
|
bio=BIO_new(BIO_s_mem());
|
||||||
|
if(!bio) {
|
||||||
|
str_free(b64);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
if(encode)
|
||||||
|
bio=BIO_push(b64, bio);
|
||||||
|
BIO_write(bio, in, len);
|
||||||
|
(void)BIO_flush(bio); /* ignore the error if any */
|
||||||
|
if(encode) {
|
||||||
|
bio=BIO_pop(bio);
|
||||||
|
BIO_free(b64);
|
||||||
|
} else {
|
||||||
|
bio=BIO_push(b64, bio);
|
||||||
|
}
|
||||||
|
n=BIO_pending(bio);
|
||||||
|
/* 32 bytes as a safety precaution for passing decoded data to crypt_DES */
|
||||||
|
/* n+1 to get null-terminated string on encode */
|
||||||
|
out=str_alloc(n<32?32:n+1);
|
||||||
|
n=BIO_read(bio, out, n);
|
||||||
|
if(n<0) {
|
||||||
|
BIO_free_all(bio);
|
||||||
|
str_free(out);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
BIO_free_all(bio);
|
||||||
|
return out;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* end of protocol.c */
|
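Review bot: in ntlm(), the phase-2 status check `if(line[9]!='4' || line[10]!='0' || line[11]!='7')` indexes the proxy's status line without checking its length, so a short or empty reply reads past the end of the string; connect_client() guards the identical access with `if(strlen(line)<12 || line[9]!='2')`, and the same length guard belongs here. Two smaller items in the same file: base64() calls `str_free(b64)` when BIO_new(BIO_s_mem()) fails, passing an OpenSSL BIO to stunnel's own allocator where `BIO_free(b64)` is needed; and ntlm3() caps the message with `phase3len=s_min(88+userlen, sizeof phase3)` while still writing the untruncated `phase3[36]=userlen`, so a user name longer than 58 bytes yields a type-3 message whose length fields do not describe its contents (rejecting such names up front is simpler than making the fields consistent). As a caveat for the reader, the three crypt_DES() calls over the 8-byte challenge compute an NTLMv1 response, and the "UTF-16" password hash is built by interleaving NUL bytes, which is only correct for ASCII passwords; both limitations deserve a comment so nobody assumes NTLMv2 or non-ASCII support.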
590
src/prototypes.h
Normal file
@ -0,0 +1,590 @@
/*
|
||||||
|
* stunnel Universal SSL tunnel
|
||||||
|
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
* Free Software Foundation; either version 2 of the License, or (at your
|
||||||
|
* option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||||
|
* See the GNU General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License along
|
||||||
|
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||||
|
*
|
||||||
|
* Linking stunnel statically or dynamically with other modules is making
|
||||||
|
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||||
|
* the GNU General Public License cover the whole combination.
|
||||||
|
*
|
||||||
|
* In addition, as a special exception, the copyright holder of stunnel
|
||||||
|
* gives you permission to combine stunnel with free software programs or
|
||||||
|
* libraries that are released under the GNU LGPL and with code included
|
||||||
|
* in the standard release of OpenSSL under the OpenSSL License (or
|
||||||
|
* modified versions of such code, with unchanged license). You may copy
|
||||||
|
* and distribute such a system following the terms of the GNU GPL for
|
||||||
|
* stunnel and the licenses of the other code concerned.
|
||||||
|
*
|
||||||
|
* Note that people who make modified versions of stunnel are not obligated
|
||||||
|
* to grant this special exception for their modified versions; it is their
|
||||||
|
* choice whether to do so. The GNU General Public License gives permission
|
||||||
|
* to release a modified version without this exception; this exception
|
||||||
|
* also makes it possible to release a modified version which carries
|
||||||
|
* forward this exception.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#ifndef PROTOTYPES_H
|
||||||
|
#define PROTOTYPES_H
|
||||||
|
|
||||||
|
#include "common.h"
|
||||||
|
|
||||||
|
/**************************************** data structures */
|
||||||
|
|
||||||
|
typedef enum {
|
||||||
|
LOG_MODE_NONE,
|
||||||
|
LOG_MODE_ERROR,
|
||||||
|
LOG_MODE_INFO,
|
||||||
|
LOG_MODE_CONFIGURED
|
||||||
|
} LOG_MODE;
|
||||||
|
|
||||||
|
typedef union sockaddr_union {
|
||||||
|
struct sockaddr sa;
|
||||||
|
struct sockaddr_in in;
|
||||||
|
#ifdef USE_IPv6
|
||||||
|
struct sockaddr_in6 in6;
|
||||||
|
#endif
|
||||||
|
#ifdef HAVE_STRUCT_SOCKADDR_UN
|
||||||
|
struct sockaddr_un un;
|
||||||
|
#endif
|
||||||
|
} SOCKADDR_UNION;
|
||||||
|
|
||||||
|
typedef struct sockaddr_list { /* list of addresses */
|
||||||
|
SOCKADDR_UNION *addr; /* the list of addresses */
|
||||||
|
u16 cur; /* current address for round-robin */
|
||||||
|
u16 num; /* how many addresses are used */
|
||||||
|
} SOCKADDR_LIST;
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_COMP
|
||||||
|
typedef enum {
|
||||||
|
COMP_NONE, COMP_DEFLATE, COMP_ZLIB, COMP_RLE
|
||||||
|
} COMP_TYPE;
|
||||||
|
#endif /* OPENSSL_NO_COMP */
|
||||||
|
|
||||||
|
typedef struct {
|
||||||
|
/* some data for SSL initialization in ssl.c */
|
||||||
|
#ifndef OPENSSL_NO_COMP
|
||||||
|
COMP_TYPE compression; /* compression type */
|
||||||
|
#endif /* OPENSSL_NO_COMP */
|
||||||
|
char *egd_sock; /* entropy gathering daemon socket */
|
||||||
|
char *rand_file; /* file with random data */
|
||||||
|
int random_bytes; /* how many random bytes to read */
|
||||||
|
|
||||||
|
/* some global data for stunnel.c */
|
||||||
|
#ifndef USE_WIN32
|
||||||
|
#ifdef HAVE_CHROOT
|
||||||
|
char *chroot_dir;
|
||||||
|
#endif
|
||||||
|
unsigned long dpid;
|
||||||
|
char *pidfile;
|
||||||
|
int uid, gid;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* logging-support data for log.c */
|
||||||
|
int debug_level; /* debug level for logging */
|
||||||
|
#ifndef USE_WIN32
|
||||||
|
int facility; /* debug facility for syslog */
|
||||||
|
#endif
|
||||||
|
char *output_file;
|
||||||
|
|
||||||
|
/* on/off switches */
|
||||||
|
struct {
|
||||||
|
unsigned int rand_write:1; /* overwrite rand_file */
|
||||||
|
#ifdef USE_WIN32
|
||||||
|
unsigned int taskbar:1; /* enable the taskbar icon */
|
||||||
|
#else /* !USE_WIN32 */
|
||||||
|
unsigned int foreground:1;
|
||||||
|
unsigned int syslog:1;
|
||||||
|
#endif
|
||||||
|
#ifdef USE_FIPS
|
||||||
|
unsigned int fips:1; /* enable FIPS 140-2 mode */
|
||||||
|
#endif
|
||||||
|
} option;
|
||||||
|
} GLOBAL_OPTIONS;
|
||||||
|
|
||||||
|
extern GLOBAL_OPTIONS global_options;
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_TLSEXT
|
||||||
|
typedef struct servername_list_struct SERVERNAME_LIST;/* forward declaration */
|
||||||
|
#endif
|
||||||
|
|
||||||
|
typedef struct service_options_struct {
|
||||||
|
struct service_options_struct *next; /* next node in the services list */
|
||||||
|
SSL_CTX *ctx; /* SSL context */
|
||||||
|
char *servname; /* service name for logging & permission checking */
|
||||||
|
|
||||||
|
/* service-specific data for sthreads.c */
|
||||||
|
#ifndef USE_FORK
|
||||||
|
int stack_size; /* stack size for this thread */
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* service-specific data for verify.c */
|
||||||
|
char *ca_dir; /* directory for hashed certs */
|
||||||
|
char *ca_file; /* file containing bunches of certs */
|
||||||
|
char *crl_dir; /* directory for hashed CRLs */
|
||||||
|
char *crl_file; /* file containing bunches of CRLs */
|
||||||
|
int verify_level;
|
||||||
|
X509_STORE *revocation_store; /* cert store for CRL checking */
|
||||||
|
#ifdef HAVE_OSSL_OCSP_H
|
||||||
|
SOCKADDR_UNION ocsp_addr;
|
||||||
|
char *ocsp_path;
|
||||||
|
unsigned long ocsp_flags;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* service-specific data for ctx.c */
|
||||||
|
char *cipher_list;
|
||||||
|
char *cert; /* cert filename */
|
||||||
|
char *key; /* pem (priv key/cert) filename */
|
||||||
|
long session_timeout;
|
||||||
|
long ssl_options;
|
||||||
|
SSL_METHOD *client_method, *server_method;
|
||||||
|
SOCKADDR_UNION sessiond_addr;
|
||||||
|
#ifndef OPENSSL_NO_TLSEXT
|
||||||
|
char *sni;
|
||||||
|
SERVERNAME_LIST *servername_list_head, *servername_list_tail;
|
||||||
|
#endif
|
||||||
|
#ifndef OPENSSL_NO_ECDH
|
||||||
|
int curve;
|
||||||
|
#endif
|
||||||
|
#ifdef HAVE_OSSL_ENGINE_H
|
||||||
|
ENGINE *engine; /* engine to read the private key */
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* service-specific data for client.c */
|
||||||
|
int fd; /* file descriptor accepting connections for this service */
|
||||||
|
SSL_SESSION *session; /* recently used session */
|
||||||
|
char *execname; /* program name for local mode */
|
||||||
|
#ifdef USE_WIN32
|
||||||
|
char *execargs; /* program arguments for local mode */
|
||||||
|
#else
|
||||||
|
char **execargs; /* program arguments for local mode */
|
||||||
|
#endif
|
||||||
|
SOCKADDR_UNION local_addr, source_addr;
|
||||||
|
SOCKADDR_LIST connect_addr;
|
||||||
|
char *username;
|
||||||
|
char *connect_name;
|
||||||
|
int timeout_busy; /* maximum waiting for data time */
|
||||||
|
int timeout_close; /* maximum close_notify time */
|
||||||
|
int timeout_connect; /* maximum connect() time */
|
||||||
|
int timeout_idle; /* maximum idle connection time */
|
||||||
|
enum {FAILOVER_RR, FAILOVER_PRIO} failover; /* failover strategy */
|
||||||
|
|
||||||
|
/* service-specific data for protocol.c */
|
||||||
|
int protocol;
|
||||||
|
char *protocol_host;
|
||||||
|
char *protocol_username;
|
||||||
|
char *protocol_password;
|
||||||
|
char *protocol_authentication;
|
||||||
|
|
||||||
|
/* service-specific data for gui.c */
|
||||||
|
#ifdef USE_WIN32
|
||||||
|
int section_number;
|
||||||
|
LPTSTR file, help;
|
||||||
|
char *chain;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* on/off switches */
|
||||||
|
struct {
|
||||||
|
unsigned int accept:1; /* endpoint: accept */
|
||||||
|
unsigned int client:1;
|
||||||
|
unsigned int delayed_lookup:1;
|
||||||
|
#ifdef USE_LIBWRAP
|
||||||
|
unsigned int libwrap:1;
|
||||||
|
#endif
|
||||||
|
unsigned int local:1; /* outgoing interface specified */
|
||||||
|
unsigned int remote:1; /* endpoint: connect */
|
||||||
|
unsigned int retry:1; /* loop remote+program */
|
||||||
|
unsigned int sessiond:1;
|
||||||
|
unsigned int program:1; /* endpoint: exec */
|
||||||
|
#ifndef OPENSSL_NO_TLSEXT
|
||||||
|
unsigned int sni:1; /* endpoint: sni */
|
||||||
|
#endif
|
||||||
|
#ifndef USE_WIN32
|
||||||
|
unsigned int pty:1;
|
||||||
|
unsigned int transparent_src:1;
|
||||||
|
unsigned int transparent_dst:1; /* endpoint: transparent destination */
|
||||||
|
#endif
|
||||||
|
#ifdef HAVE_OSSL_OCSP_H
|
||||||
|
unsigned int ocsp:1;
|
||||||
|
#endif
|
||||||
|
} option;
|
||||||
|
} SERVICE_OPTIONS;
|
||||||
|
|
||||||
|
extern SERVICE_OPTIONS service_options;
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_TLSEXT
|
||||||
|
struct servername_list_struct {
|
||||||
|
char *servername;
|
||||||
|
SERVICE_OPTIONS *opt;
|
||||||
|
struct servername_list_struct *next;
|
||||||
|
};
|
||||||
|
#endif
|
||||||
|
|
||||||
|
typedef enum {
|
||||||
|
TYPE_NONE, TYPE_FLAG, TYPE_INT, TYPE_LINGER, TYPE_TIMEVAL, TYPE_STRING
|
||||||
|
} VAL_TYPE;
|
||||||
|
|
||||||
|
typedef union {
|
||||||
|
int i_val;
|
||||||
|
long l_val;
|
||||||
|
char c_val[16];
|
||||||
|
struct linger linger_val;
|
||||||
|
struct timeval timeval_val;
|
||||||
|
} OPT_UNION;
|
||||||
|
|
||||||
|
typedef struct {
|
||||||
|
char *opt_str;
|
||||||
|
int opt_level;
|
||||||
|
int opt_name;
|
||||||
|
VAL_TYPE opt_type;
|
||||||
|
OPT_UNION *opt_val[3];
|
||||||
|
} SOCK_OPT;
|
||||||
|
|
||||||
|
typedef enum {
|
||||||
|
CONF_RELOAD, CONF_FILE, CONF_FD
|
||||||
|
} CONF_TYPE;
|
||||||
|
|
||||||
|
/* s_poll_set definition for network.c */
|
||||||
|
|
||||||
|
typedef struct {
|
||||||
|
#ifdef USE_POLL
|
||||||
|
struct pollfd *ufds;
|
||||||
|
unsigned int nfds;
|
||||||
|
unsigned int allocated;
|
||||||
|
#else /* select */
|
||||||
|
fd_set irfds, iwfds, ixfds, orfds, owfds, oxfds;
|
||||||
|
int max;
|
||||||
|
#endif
|
||||||
|
} s_poll_set;
|
||||||
|
|
||||||
|
typedef struct disk_file {
|
||||||
|
#ifdef USE_WIN32
|
||||||
|
HANDLE fh;
|
||||||
|
#else
|
||||||
|
int fd;
|
||||||
|
#endif
|
||||||
|
/* the inteface is prepared to easily implement buffering if needed */
|
||||||
|
} DISK_FILE;
|
||||||
|
|
||||||
|
/* FD definition for client.c */
|
||||||
|
|
||||||
|
typedef struct {
|
||||||
|
int fd; /* file descriptor */
|
||||||
|
int is_socket; /* file descriptor is a socket */
|
||||||
|
} FD;
|
||||||
|
|
||||||
|
/**************************************** prototypes for stunnel.c */
|
||||||
|
|
||||||
|
#ifndef USE_FORK
|
||||||
|
extern int max_clients;
|
||||||
|
extern volatile int num_clients;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
void main_initialize(void);
|
||||||
|
int main_configure(char *, char *);
|
||||||
|
void daemon_loop(void);
|
||||||
|
void unbind_ports(void);
|
||||||
|
int bind_ports(void);
|
||||||
|
#if !defined (USE_WIN32) && !defined (__vms) && !defined(USE_OS2)
|
||||||
|
int drop_privileges(int);
|
||||||
|
#endif
|
||||||
|
void signal_post(int);
|
||||||
|
#if !defined(USE_WIN32) && !defined(USE_OS2)
|
||||||
|
void child_status(void); /* dead libwrap or 'exec' process detected */
|
||||||
|
#endif
|
||||||
|
void stunnel_info(int);
|
||||||
|
|
||||||
|
/**************************************** prototypes for fd.c */
|
||||||
|
|
||||||
|
#ifndef USE_FORK
|
||||||
|
void get_limits(void); /* setup global max_clients and max_fds */
|
||||||
|
#endif
|
||||||
|
int s_socket(int, int, int, int, char *);
|
||||||
|
int s_pipe(int [2], int, char *);
|
||||||
|
int s_socketpair(int, int, int, int [2], int, char *);
|
||||||
|
int s_accept(int, struct sockaddr *, socklen_t *, int, char *);
|
||||||
|
void set_nonblock(int, unsigned long);
|
||||||
|
|
||||||
|
/**************************************** prototypes for log.c */
|
||||||
|
|
||||||
|
#if !defined(USE_WIN32) && !defined(__vms)
|
||||||
|
void syslog_open(void);
|
||||||
|
void syslog_close(void);
|
||||||
|
#endif
|
||||||
|
void log_open(void);
|
||||||
|
void log_close(void);
|
||||||
|
void log_flush(LOG_MODE);
|
||||||
|
void s_log(int, const char *, ...)
|
||||||
|
#ifdef __GNUC__
|
||||||
|
__attribute__((format(printf, 2, 3)));
|
||||||
|
#else
|
||||||
|
;
|
||||||
|
#endif
|
||||||
|
void fatal_debug(char *, char *, int);
|
||||||
|
#define fatal(a) fatal_debug((a), __FILE__, __LINE__)
|
||||||
|
void ioerror(const char *);
|
||||||
|
void sockerror(const char *);
|
||||||
|
void log_error(int, int, const char *);
|
||||||
|
char *s_strerror(int);
|
||||||
|
|
||||||
|
/**************************************** prototypes for pty.c */
|
||||||
|
|
||||||
|
int pty_allocate(int *, int *, char *);
|
||||||
|
|
||||||
|
/**************************************** prototypes for ssl.c */
|
||||||
|
|
||||||
|
extern int cli_index, opt_index;
|
||||||
|
|
||||||
|
int ssl_init(void);
|
||||||
|
int ssl_configure(GLOBAL_OPTIONS *);
|
||||||
|
|
||||||
|
/**************************************** prototypes for options.c */
|
||||||
|
|
||||||
|
int parse_commandline(char *, char *);
|
||||||
|
int parse_conf(char *, CONF_TYPE);
|
||||||
|
void apply_conf(void);
|
||||||
|
|
||||||
|
/**************************************** prototypes for ctx.c */
|
||||||
|
|
||||||
|
typedef struct {
|
||||||
|
SERVICE_OPTIONS *section;
|
||||||
|
char pass[PEM_BUFSIZE];
|
||||||
|
} UI_DATA;
|
||||||
|
|
||||||
|
int context_init(SERVICE_OPTIONS *);
|
||||||
|
void sslerror(char *);
|
||||||
|
|
||||||
|
/**************************************** prototypes for verify.c */
|
||||||
|
|
||||||
|
int verify_init(SERVICE_OPTIONS *);
|
||||||
|
|
||||||
|
/**************************************** prototypes for network.c */
|
||||||
|
|
||||||
|
s_poll_set *s_poll_alloc(void);
|
||||||
|
void s_poll_free(s_poll_set *);
|
||||||
|
void s_poll_init(s_poll_set *);
|
||||||
|
void s_poll_add(s_poll_set *, int, int, int);
|
||||||
|
int s_poll_canread(s_poll_set *, int);
|
||||||
|
int s_poll_canwrite(s_poll_set *, int);
|
||||||
|
int s_poll_error(s_poll_set *, FD *);
|
||||||
|
int s_poll_wait(s_poll_set *, int, int);
|
||||||
|
|
||||||
|
#ifdef USE_WIN32
|
||||||
|
#define SIGNAL_RELOAD_CONFIG 1
|
||||||
|
#define SIGNAL_REOPEN_LOG 2
|
||||||
|
#define SIGNAL_TERMINATE 3
|
||||||
|
#else
|
||||||
|
#define SIGNAL_RELOAD_CONFIG SIGHUP
|
||||||
|
#define SIGNAL_REOPEN_LOG SIGUSR1
|
||||||
|
#define SIGNAL_TERMINATE SIGTERM
|
||||||
|
#endif
|
||||||
|
|
||||||
|
int set_socket_options(int, int);
|
||||||
|
int get_socket_error(const int);
|
||||||
|
int make_sockets(int [2]);
|
||||||
|
|
||||||
|
/**************************************** prototypes for client.c */
|
||||||
|
|
||||||
|
typedef struct {
|
||||||
|
jmp_buf err; /* exception handler needs to be 16-byte aligned on Itanium */
|
||||||
|
SSL *ssl; /* SSL connnection */
|
||||||
|
SERVICE_OPTIONS *opt;
|
||||||
|
|
||||||
|
SOCKADDR_UNION peer_addr; /* peer address */
|
||||||
|
socklen_t peer_addr_len;
|
||||||
|
SOCKADDR_UNION *bind_addr; /* address to bind() the socket */
|
||||||
|
SOCKADDR_LIST connect_addr; /* for dynamically assigned addresses */
|
||||||
|
FD local_rfd, local_wfd; /* read and write local descriptors */
|
||||||
|
FD remote_fd; /* remote file descriptor */
|
||||||
|
/* IP for explicit local bind or transparent proxy */
|
||||||
|
unsigned long pid; /* PID of the local process */
|
||||||
|
int fd; /* temporary file descriptor */
|
||||||
|
|
||||||
|
/* data for transfer() function */
|
||||||
|
char sock_buff[BUFFSIZE]; /* socket read buffer */
|
||||||
|
char ssl_buff[BUFFSIZE]; /* SSL read buffer */
|
||||||
|
int sock_ptr, ssl_ptr; /* index of first unused byte in buffer */
|
||||||
|
FD *sock_rfd, *sock_wfd; /* read and write socket descriptors */
|
||||||
|
FD *ssl_rfd, *ssl_wfd; /* read and write SSL descriptors */
|
||||||
|
int sock_bytes, ssl_bytes; /* bytes written to socket and SSL */
|
||||||
|
s_poll_set *fds; /* file descriptors */
|
||||||
|
} CLI;
|
||||||
|
|
||||||
|
CLI *alloc_client_session(SERVICE_OPTIONS *, int, int);
|
||||||
|
void *client_thread(void *);
|
||||||
|
void client_main(CLI *);
|
||||||
|
|
||||||
|
/**************************************** prototypes for network.c */
|
||||||
|
|
||||||
|
int connect_blocking(CLI *, SOCKADDR_UNION *, socklen_t);
|
||||||
|
void write_blocking(CLI *, int fd, void *, int);
|
||||||
|
void read_blocking(CLI *, int fd, void *, int);
|
||||||
|
void fd_putline(CLI *, int, const char *);
|
||||||
|
char *fd_getline(CLI *, int);
|
||||||
|
/* descriptor versions of fprintf/fscanf */
|
||||||
|
void fd_printf(CLI *, int, const char *, ...)
|
||||||
|
#ifdef __GNUC__
|
||||||
|
__attribute__((format(printf, 3, 4)));
|
||||||
|
#else
|
||||||
|
;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/**************************************** prototype for protocol.c */
|
||||||
|
|
||||||
|
typedef enum {
|
||||||
|
PROTOCOL_NONE,
|
||||||
|
PROTOCOL_PRE_CONNECT,
|
||||||
|
PROTOCOL_PRE_SSL,
|
||||||
|
PROTOCOL_POST_SSL
|
||||||
|
} PROTOCOL_TYPE;
|
||||||
|
|
||||||
|
int find_protocol_id(const char *);
|
||||||
|
void protocol(CLI *, const PROTOCOL_TYPE);
|
||||||
|
|
||||||
|
/**************************************** prototypes for resolver.c */
|
||||||
|
|
||||||
|
int name2addr(SOCKADDR_UNION *, char *, char *);
|
||||||
|
int hostport2addr(SOCKADDR_UNION *, char *, char *);
|
||||||
|
int name2addrlist(SOCKADDR_LIST *, char *, char *);
|
||||||
|
int hostport2addrlist(SOCKADDR_LIST *, char *, char *);
|
||||||
|
char *s_ntop(SOCKADDR_UNION *, socklen_t);
|
||||||
|
socklen_t addr_len(const SOCKADDR_UNION *);
|
||||||
|
const char *s_gai_strerror(int);
|
||||||
|
|
||||||
|
#ifndef HAVE_GETNAMEINFO
|
||||||
|
|
||||||
|
#ifndef NI_NUMERICHOST
|
||||||
|
#define NI_NUMERICHOST 2
|
||||||
|
#endif
|
||||||
|
#ifndef NI_NUMERICSERV
|
||||||
|
#define NI_NUMERICSERV 8
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef USE_WIN32
|
||||||
|
/* rename some locally shadowed declarations */
|
||||||
|
#define getnameinfo local_getnameinfo
|
||||||
|
#endif /* defined USE_WIN32 */
|
||||||
|
|
||||||
|
int getnameinfo(const struct sockaddr *, int, char *, int, char *, int, int);
|
||||||
|
|
||||||
|
#endif /* !defined HAVE_GETNAMEINFO */
|
||||||
|
|
||||||
|
/**************************************** prototypes for sthreads.c */
|
||||||
|
|
||||||
|
typedef enum {
|
||||||
|
CRIT_CLIENTS, CRIT_SESSION, CRIT_SSL, /* client.c */
|
||||||
|
CRIT_INET, /* resolver.c */
|
||||||
|
#ifndef USE_WIN32
|
||||||
|
CRIT_LIBWRAP, /* libwrap.c */
|
||||||
|
#endif
|
||||||
|
CRIT_LOG, /* log.c */
|
||||||
|
CRIT_SECTIONS /* number of critical sections */
|
||||||
|
} SECTION_CODE;
|
||||||
|
|
||||||
|
void enter_critical_section(SECTION_CODE);
|
||||||
|
void leave_critical_section(SECTION_CODE);
|
||||||
|
int sthreads_init(void);
|
||||||
|
unsigned long stunnel_process_id(void);
|
||||||
|
unsigned long stunnel_thread_id(void);
|
||||||
|
int create_client(int, int, CLI *, void *(*)(void *));
|
||||||
|
#ifdef USE_UCONTEXT
|
||||||
|
typedef struct CONTEXT_STRUCTURE {
|
||||||
|
char *stack; /* CPU stack for this thread */
|
||||||
|
unsigned long id;
|
||||||
|
ucontext_t context;
|
||||||
|
s_poll_set *fds;
|
||||||
|
int ready; /* number of ready file descriptors */
|
||||||
|
time_t finish; /* when to finish poll() for this context */
|
||||||
|
struct CONTEXT_STRUCTURE *next; /* next context on a list */
|
||||||
|
void *tls; /* thread local storage for str.c */
|
||||||
|
} CONTEXT;
|
||||||
|
extern CONTEXT *ready_head, *ready_tail;
|
||||||
|
extern CONTEXT *waiting_head, *waiting_tail;
|
||||||
|
#endif
|
||||||
|
#ifdef _WIN32_WCE
|
||||||
|
long _beginthread(void (*)(void *), int, void *);
|
||||||
|
void _endthread(void);
|
||||||
|
#endif
|
||||||
|
#ifdef DEBUG_STACK_SIZE
|
||||||
|
void stack_info(int);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/**************************************** prototypes for gui.c */
|
||||||
|
|
||||||
|
#ifdef USE_WIN32
|
||||||
|
extern HWND hwnd;
|
||||||
|
|
||||||
|
int passwd_cb(char *, int, int, void *);
|
||||||
|
#ifdef HAVE_OSSL_ENGINE_H
|
||||||
|
int pin_cb(UI *, UI_STRING *);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifndef _WIN32_WCE
|
||||||
|
typedef int (CALLBACK * GETADDRINFO) (const char *,
|
||||||
|
const char *, const struct addrinfo *, struct addrinfo **);
|
||||||
|
typedef void (CALLBACK * FREEADDRINFO) (struct addrinfo FAR *);
|
||||||
|
typedef int (CALLBACK * GETNAMEINFO) (const struct sockaddr *, socklen_t,
|
||||||
|
char *, size_t, char *, size_t, int);
|
||||||
|
extern GETADDRINFO s_getaddrinfo;
|
||||||
|
extern FREEADDRINFO s_freeaddrinfo;
|
||||||
|
extern GETNAMEINFO s_getnameinfo;
|
||||||
|
#endif /* ! _WIN32_WCE */
|
||||||
|
#endif /* USE_WIN32 */
|
||||||
|
|
||||||
|
/**************************************** prototypes for file.c */
|
||||||
|
|
||||||
|
#ifndef USE_WIN32
|
||||||
|
DISK_FILE *file_fdopen(int);
|
||||||
|
#endif
|
||||||
|
DISK_FILE *file_open(char *, int);
|
||||||
|
void file_close(DISK_FILE *);
|
||||||
|
int file_getline(DISK_FILE *, char *, int);
|
||||||
|
int file_putline(DISK_FILE *, char *);
|
||||||
|
|
||||||
|
#ifdef USE_WIN32
|
||||||
|
LPTSTR str2tstr(const LPSTR);
|
||||||
|
LPSTR tstr2str(const LPTSTR);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/**************************************** prototypes for libwrap.c */
|
||||||
|
|
||||||
|
int libwrap_init();
|
||||||
|
void libwrap_auth(CLI *, char *);
|
||||||
|
|
||||||
|
/**************************************** prototypes for str.c */
|
||||||
|
|
||||||
|
void str_init();
|
||||||
|
void str_canary_init();
|
||||||
|
void str_cleanup();
|
||||||
|
void str_stats();
|
||||||
|
void *str_alloc_debug(size_t, char *, int);
|
||||||
|
#define str_alloc(a) str_alloc_debug((a), __FILE__, __LINE__)
|
||||||
|
void *str_realloc_debug(void *, size_t, char *, int);
|
||||||
|
#define str_realloc(a, b) str_realloc_debug((a), (b), __FILE__, __LINE__)
|
||||||
|
void str_detach_debug(void *, char *, int);
|
||||||
|
#define str_detach(a) str_detach_debug((a), __FILE__, __LINE__)
|
||||||
|
void str_free_debug(void *, char *, int);
|
||||||
|
#define str_free(a) str_free_debug((a), __FILE__, __LINE__), (a)=NULL
|
||||||
|
char *str_dup(const char *);
|
||||||
|
char *str_vprintf(const char *, va_list);
|
||||||
|
char *str_printf(const char *, ...)
|
||||||
|
#ifdef __GNUC__
|
||||||
|
__attribute__((format(printf, 1, 2)));
|
||||||
|
#else
|
||||||
|
;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#endif /* defined PROTOTYPES_H */
|
||||||
|
|
||||||
|
/* end of prototypes.h */
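Review bot: the `str_free(a)` macro near the end of the str.c section expands to an unparenthesised comma expression, `str_free_debug((a), __FILE__, __LINE__), (a)=NULL`, so it is only safe as a stand-alone statement; used as an operand (`x ? str_free(p) : y`, or inside a function argument) the `(a)=NULL` half silently detaches from the call. Wrap the body in parentheses: `#define str_free(a) (str_free_debug((a), __FILE__, __LINE__), (a)=NULL)`. In the same region `libwrap_init()`, `str_init()`, `str_canary_init()`, `str_cleanup()` and `str_stats()` are declared with empty parentheses, which in C leaves the argument list unchecked at call sites; every other prototype in this header uses `(void)`, and these should too. Two comment typos worth fixing while here: "inteface" in `DISK_FILE` and "connnection" in `CLI`.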
|
221
src/pty.c
Normal file
@ -0,0 +1,221 @@
/*
|
||||||
|
* stunnel Universal SSL tunnel
|
||||||
|
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
* Free Software Foundation; either version 2 of the License, or (at your
|
||||||
|
* option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||||
|
* See the GNU General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License along
|
||||||
|
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||||
|
*
|
||||||
|
* Linking stunnel statically or dynamically with other modules is making
|
||||||
|
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||||
|
* the GNU General Public License cover the whole combination.
|
||||||
|
*
|
||||||
|
* In addition, as a special exception, the copyright holder of stunnel
|
||||||
|
* gives you permission to combine stunnel with free software programs or
|
||||||
|
* libraries that are released under the GNU LGPL and with code included
|
||||||
|
* in the standard release of OpenSSL under the OpenSSL License (or
|
||||||
|
* modified versions of such code, with unchanged license). You may copy
|
||||||
|
* and distribute such a system following the terms of the GNU GPL for
|
||||||
|
* stunnel and the licenses of the other code concerned.
|
||||||
|
*
|
||||||
|
* Note that people who make modified versions of stunnel are not obligated
|
||||||
|
* to grant this special exception for their modified versions; it is their
|
||||||
|
* choice whether to do so. The GNU General Public License gives permission
|
||||||
|
* to release a modified version without this exception; this exception
|
||||||
|
* also makes it possible to release a modified version which carries
|
||||||
|
* forward this exception.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "common.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
|
||||||
|
#ifdef HAVE_UTIL_H
|
||||||
|
#include <util.h>
|
||||||
|
#endif /* HAVE_UTIL_H */
|
||||||
|
|
||||||
|
#ifdef HAVE_SYS_IOCTL_H
|
||||||
|
#include <sys/ioctl.h>
|
||||||
|
#endif /* HAVE_SYS_IOCTL_H */
|
||||||
|
|
||||||
|
/* pty allocated with _getpty gets broken if we do I_PUSH:es to it. */
|
||||||
|
#if defined(HAVE__GETPTY) || defined(HAVE_OPENPTY)
|
||||||
|
#undef HAVE_DEV_PTMX
|
||||||
|
#endif /* HAVE__GETPTY || HAVE_OPENPTY */
|
||||||
|
|
||||||
|
#ifdef HAVE_PTY_H
|
||||||
|
#include <pty.h>
|
||||||
|
#endif /* HAVE_PTY_H */
|
||||||
|
|
||||||
|
#ifdef HAVE_LIBUTIL_H
|
||||||
|
#include <libutil.h>
|
||||||
|
#endif /* HAVE_LIBUTIL_H */
|
||||||
|
|
||||||
|
#ifndef O_NOCTTY
|
||||||
|
#define O_NOCTTY 0
|
||||||
|
#endif /* O_NOCTTY */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* allocates and opens a pty
|
||||||
|
* returns -1 if no pty could be allocated, or zero if a pty was successfully
|
||||||
|
* allocated
|
||||||
|
* on success, open file descriptors for the pty and tty sides and the name of
|
||||||
|
* the tty side are returned
|
||||||
|
* the buffer must be able to hold at least 64 characters
|
||||||
|
*/
|
||||||
|
|
||||||
|
int pty_allocate(int *ptyfd, int *ttyfd, char *namebuf) {
|
||||||
|
#if defined(HAVE_OPENPTY) || defined(BSD4_4) && !defined(__INNOTEK_LIBC__)
|
||||||
|
/* openpty(3) exists in OSF/1 and some other os'es */
|
||||||
|
char buf[64];
|
||||||
|
int i;
|
||||||
|
|
||||||
|
i=openpty(ptyfd, ttyfd, buf, NULL, NULL);
|
||||||
|
if(i<0) {
|
||||||
|
ioerror("openpty");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
strcpy(namebuf, buf); /* possible truncation */
|
||||||
|
return 0;
|
||||||
|
#else /* HAVE_OPENPTY */
|
||||||
|
#ifdef HAVE__GETPTY
|
||||||
|
/*
|
||||||
|
* _getpty(3) exists in SGI Irix 4.x, 5.x & 6.x -- it generates more
|
||||||
|
* pty's automagically when needed
|
||||||
|
*/
|
||||||
|
char *slave;
|
||||||
|
|
||||||
|
slave=_getpty(ptyfd, O_RDWR, 0622, 0);
|
||||||
|
if(slave==NULL) {
|
||||||
|
ioerror("_getpty");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
strcpy(namebuf, slave);
|
||||||
|
/* open the slave side */
|
||||||
|
*ttyfd=open(namebuf, O_RDWR|O_NOCTTY);
|
||||||
|
if(*ttyfd<0) {
|
||||||
|
ioerror(namebuf);
|
||||||
|
close(*ptyfd);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
#else /* HAVE__GETPTY */
|
||||||
|
#if defined(HAVE_DEV_PTMX)
|
||||||
|
/*
|
||||||
|
* this code is used e.g. on Solaris 2.x
|
||||||
|
* note that Solaris 2.3 * also has bsd-style ptys, but they simply do not
|
||||||
|
* work
|
||||||
|
*/
|
||||||
|
int ptm; char *pts;
|
||||||
|
|
||||||
|
ptm=open("/dev/ptmx", O_RDWR|O_NOCTTY);
|
||||||
|
if(ptm<0) {
|
||||||
|
ioerror("/dev/ptmx");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
if(grantpt(ptm)<0) {
|
||||||
|
ioerror("grantpt");
|
||||||
|
/* return -1; */
|
||||||
|
/* can you tell me why it doesn't work? */
|
||||||
|
}
|
||||||
|
if(unlockpt(ptm)<0) {
|
||||||
|
ioerror("unlockpt");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
pts=ptsname(ptm);
|
||||||
|
if(pts==NULL)
|
||||||
|
s_log(LOG_ERR, "Slave pty side name could not be obtained");
|
||||||
|
strcpy(namebuf, pts);
|
||||||
|
*ptyfd=ptm;
|
||||||
|
|
||||||
|
/* open the slave side */
|
||||||
|
*ttyfd=open(namebuf, O_RDWR|O_NOCTTY);
|
||||||
|
if(*ttyfd<0) {
|
||||||
|
ioerror(namebuf);
|
||||||
|
close(*ptyfd);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
/* push the appropriate streams modules, as described in Solaris pts(7) */
|
||||||
|
if(ioctl(*ttyfd, I_PUSH, "ptem")<0)
|
||||||
|
ioerror("ioctl I_PUSH ptem");
|
||||||
|
if(ioctl(*ttyfd, I_PUSH, "ldterm")<0)
|
||||||
|
ioerror("ioctl I_PUSH ldterm");
|
||||||
|
if(ioctl(*ttyfd, I_PUSH, "ttcompat")<0)
|
||||||
|
ioerror("ioctl I_PUSH ttcompat");
|
||||||
|
return 0;
|
||||||
|
#else /* HAVE_DEV_PTMX */
|
||||||
|
#ifdef HAVE_DEV_PTS_AND_PTC
|
||||||
|
/* AIX-style pty code. */
|
||||||
|
const char *name;
|
||||||
|
|
||||||
|
*ptyfd=open("/dev/ptc", O_RDWR|O_NOCTTY);
|
||||||
|
if(*ptyfd<0) {
|
||||||
|
ioerror("open(/dev/ptc)");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
name=ttyname(*ptyfd);
|
||||||
|
if(!name) {
|
||||||
|
s_log(LOG_ERR, "Open of /dev/ptc returns device for which ttyname fails");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
strcpy(namebuf, name);
|
||||||
|
*ttyfd=open(name, O_RDWR|O_NOCTTY);
|
||||||
|
if(*ttyfd<0) {
|
||||||
|
ioerror(name);
|
||||||
|
close(*ptyfd);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
#else /* HAVE_DEV_PTS_AND_PTC */
|
||||||
|
/* BSD-style pty code. */
|
||||||
|
char buf[64];
|
||||||
|
int i;
|
||||||
|
const char *ptymajors="pqrstuvwxyzabcdefghijklmnoABCDEFGHIJKLMNOPQRSTUVWXYZ";
|
||||||
|
const char *ptyminors="0123456789abcdef";
|
||||||
|
int num_minors=strlen(ptyminors);
|
||||||
|
int num_ptys=strlen(ptymajors)*num_minors;
|
||||||
|
|
||||||
|
for(i=0; i<num_ptys; i++) {
|
||||||
|
#ifdef HAVE_SNPRINTF
|
||||||
|
snprintf(buf, sizeof buf,
|
||||||
|
#else
|
||||||
|
sprintf(buf,
|
||||||
|
#endif
|
||||||
|
"/dev/pty%c%c", ptymajors[i/num_minors],
|
||||||
|
ptyminors[i%num_minors]);
|
||||||
|
*ptyfd=open(buf, O_RDWR|O_NOCTTY);
|
||||||
|
if(*ptyfd<0)
|
||||||
|
continue;
|
||||||
|
#ifdef HAVE_SNPRINTF
|
||||||
|
snprintf(namebuf, 64,
|
||||||
|
#else
|
||||||
|
sprintf(namebuf,
|
||||||
|
#endif
|
||||||
|
"/dev/tty%c%c",
|
||||||
|
ptymajors[i/num_minors], ptyminors[i%num_minors]);
|
||||||
|
|
||||||
|
/* open the slave side */
|
||||||
|
*ttyfd=open(namebuf, O_RDWR | O_NOCTTY);
|
||||||
|
if(*ttyfd<0) {
|
||||||
|
ioerror(namebuf);
|
||||||
|
close(*ptyfd);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
return -1;
|
||||||
|
#endif /* HAVE_DEV_PTS_AND_PTC */
|
||||||
|
#endif /* HAVE_DEV_PTMX */
|
||||||
|
#endif /* HAVE__GETPTY */
|
||||||
|
#endif /* HAVE_OPENPTY */
|
||||||
|
}
|
||||||
|
|
||||||
|
/* end of pty.c */
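Review bot: in the `HAVE_DEV_PTMX` branch a NULL `pts` from `ptsname(ptm)` is only logged and execution falls through to `strcpy(namebuf, pts)`, which dereferences NULL; the `if(pts==NULL)` block should `close(ptm); return -1;`. The same branch leaks `ptm` when `unlockpt` fails (`ioerror("unlockpt"); return -1;` with no close), and a `grantpt` failure is logged while its `return -1` is commented out, so a pty whose slave ownership and mode were never set is still handed to the caller. Separately, `pty_allocate` has no way to learn the size of `namebuf`: the header comment documents a 64-byte minimum and the BSD branch honours it with `snprintf(namebuf, 64, ...)`, but the `openpty`, `_getpty`, `/dev/ptmx` and AIX branches all copy with a plain `strcpy` (the `/* possible truncation */` comment on the `openpty` copy is misleading, since `strcpy` overflows rather than truncates). Pass a buffer length, or at least use `snprintf(namebuf, 64, "%s", ...)` in every branch.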
|
469
src/resolver.c
Normal file
@ -0,0 +1,469 @@
/*
|
||||||
|
* stunnel Universal SSL tunnel
|
||||||
|
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
* Free Software Foundation; either version 2 of the License, or (at your
|
||||||
|
* option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||||
|
* See the GNU General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License along
|
||||||
|
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||||
|
*
|
||||||
|
* Linking stunnel statically or dynamically with other modules is making
|
||||||
|
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||||
|
* the GNU General Public License cover the whole combination.
|
||||||
|
*
|
||||||
|
* In addition, as a special exception, the copyright holder of stunnel
|
||||||
|
* gives you permission to combine stunnel with free software programs or
|
||||||
|
* libraries that are released under the GNU LGPL and with code included
|
||||||
|
* in the standard release of OpenSSL under the OpenSSL License (or
|
||||||
|
* modified versions of such code, with unchanged license). You may copy
|
||||||
|
* and distribute such a system following the terms of the GNU GPL for
|
||||||
|
* stunnel and the licenses of the other code concerned.
|
||||||
|
*
|
||||||
|
* Note that people who make modified versions of stunnel are not obligated
|
||||||
|
* to grant this special exception for their modified versions; it is their
|
||||||
|
* choice whether to do so. The GNU General Public License gives permission
|
||||||
|
* to release a modified version without this exception; this exception
|
||||||
|
* also makes it possible to release a modified version which carries
|
||||||
|
* forward this exception.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "common.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
|
||||||
|
/**************************************** prototypes */
|
||||||
|
|
||||||
|
#ifndef HAVE_GETADDRINFO
|
||||||
|
|
||||||
|
#ifndef EAI_MEMORY
|
||||||
|
#define EAI_MEMORY 1
|
||||||
|
#endif
|
||||||
|
#ifndef EAI_NONAME
|
||||||
|
#define EAI_NONAME 2
|
||||||
|
#endif
|
||||||
|
#ifndef EAI_SERVICE
|
||||||
|
#define EAI_SERVICE 8
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* rename some potentially locally shadowed declarations */
|
||||||
|
#define getaddrinfo local_getaddrinfo
|
||||||
|
#define freeaddrinfo local_freeaddrinfo
|
||||||
|
|
||||||
|
#ifndef HAVE_STRUCT_ADDRINFO
|
||||||
|
struct addrinfo {
|
||||||
|
int ai_flags;
|
||||||
|
int ai_family;
|
||||||
|
int ai_socktype;
|
||||||
|
int ai_protocol;
|
||||||
|
int ai_addrlen;
|
||||||
|
struct sockaddr *ai_addr;
|
||||||
|
char *ai_canonname;
|
||||||
|
struct addrinfo *ai_next;
|
||||||
|
};
|
||||||
|
#endif
|
||||||
|
|
||||||
|
static int getaddrinfo(const char *, const char *,
|
||||||
|
const struct addrinfo *, struct addrinfo **);
|
||||||
|
static int alloc_addresses(struct hostent *, const struct addrinfo *,
|
||||||
|
u_short port, struct addrinfo **, struct addrinfo **);
|
||||||
|
static void freeaddrinfo(struct addrinfo *);
|
||||||
|
|
||||||
|
#endif /* !defined HAVE_GETADDRINFO */
|
||||||
|
|
||||||
|
/**************************************** stunnel resolver API */
|
||||||
|
|
||||||
|
int name2addr(SOCKADDR_UNION *addr, char *name, char *default_host) {
|
||||||
|
SOCKADDR_LIST addr_list;
|
||||||
|
int retval;
|
||||||
|
|
||||||
|
addr_list.num=0;
|
||||||
|
addr_list.addr=NULL;
|
||||||
|
retval=name2addrlist(&addr_list, name, default_host);
|
||||||
|
if(retval>0)
|
||||||
|
memcpy(addr, &addr_list.addr[0], sizeof *addr);
|
||||||
|
if(addr_list.addr)
|
||||||
|
str_free(addr_list.addr);
|
||||||
|
return retval;
|
||||||
|
}
|
||||||
|
|
||||||
|
int hostport2addr(SOCKADDR_UNION *addr, char *hostname, char *portname) {
|
||||||
|
SOCKADDR_LIST addr_list;
|
||||||
|
int retval;
|
||||||
|
|
||||||
|
addr_list.num=0;
|
||||||
|
addr_list.addr=NULL;
|
||||||
|
retval=hostport2addrlist(&addr_list, hostname, portname);
|
||||||
|
if(retval>0)
|
||||||
|
memcpy(addr, &addr_list.addr[0], sizeof *addr);
|
||||||
|
if(addr_list.addr)
|
||||||
|
str_free(addr_list.addr);
|
||||||
|
return retval;
|
||||||
|
}
|
||||||
|
|
||||||
|
int name2addrlist(SOCKADDR_LIST *addr_list, char *name, char *default_host) {
|
||||||
|
char *tmp, *hostname, *portname;
|
||||||
|
int retval;
|
||||||
|
|
||||||
|
addr_list->cur=0; /* reset round-robin counter */
|
||||||
|
|
||||||
|
/* first check if this is a UNIX socket */
|
||||||
|
#ifdef HAVE_STRUCT_SOCKADDR_UN
if(*name=='/') {
if(offsetof(struct sockaddr_un, sun_path)+strlen(name)+1
> sizeof(struct sockaddr_un)) {
s_log(LOG_ERR, "Unix socket path is too long");
return 0; /* no results */
}
addr_list->addr=str_realloc(addr_list->addr,
(addr_list->num+1)*sizeof(SOCKADDR_UNION));
addr_list->addr[addr_list->num].un.sun_family=AF_UNIX;
strcpy(addr_list->addr[addr_list->num].un.sun_path, name);
return ++(addr_list->num); /* ok - return the number of addresses */
}
#endif

/* set hostname and portname */
tmp=str_dup(name);
portname=strrchr(tmp, ':');
if(portname) {
hostname=tmp;
*portname++='\0';
} else { /* no ':' - use default host IP */
hostname=default_host;
portname=tmp;
}

/* fill addr_list structure */
retval=hostport2addrlist(addr_list, hostname, portname);
str_free(tmp);
return retval;
}

int hostport2addrlist(SOCKADDR_LIST *addr_list,
char *hostname, char *portname) {
struct addrinfo hints, *res=NULL, *cur;
int err;

memset(&hints, 0, sizeof hints);
#if defined(USE_IPv6) || defined(USE_WIN32)
hints.ai_family=PF_UNSPEC;
#else
hints.ai_family=PF_INET;
#endif
hints.ai_socktype=SOCK_STREAM;
hints.ai_protocol=IPPROTO_TCP;
do {
err=getaddrinfo(hostname, portname, &hints, &res);
if(err && res)
freeaddrinfo(res);
if(err==EAI_AGAIN) {
s_log(LOG_DEBUG, "getaddrinfo: EAI_AGAIN received: retrying");
sleep(1);
}
} while(err==EAI_AGAIN);
switch(err) {
case 0:
break; /* success */
case EAI_SERVICE:
s_log(LOG_ERR, "Unknown TCP service '%s'", portname);
return 0; /* error */
default:
s_log(LOG_ERR, "Error resolving '%s': %s",
hostname, s_gai_strerror(err));
return 0; /* error */
}

/* copy the list of addresses */
for(cur=res; cur; cur=cur->ai_next) {
if(cur->ai_addrlen>(int)sizeof(SOCKADDR_UNION)) {
s_log(LOG_ERR, "INTERNAL ERROR: ai_addrlen value too big");
freeaddrinfo(res);
return 0; /* no results */
}
addr_list->addr=str_realloc(addr_list->addr,
(addr_list->num+1)*sizeof(SOCKADDR_UNION));
memcpy(&addr_list->addr[addr_list->num], cur->ai_addr, cur->ai_addrlen);
++(addr_list->num);
}
freeaddrinfo(res);
return addr_list->num; /* ok - return the number of addresses */
}

char *s_ntop(SOCKADDR_UNION *addr, socklen_t addrlen) {
int err;
char *host, *port, *retval;

if(addrlen==sizeof(u_short)) /* see UNIX(7) manual for details */
return str_dup("unnamed socket");
host=str_alloc(256);
port=str_alloc(256); /* needs to be long enough for AF_UNIX path */
err=getnameinfo(&addr->sa, addrlen,
host, 256, port, 256, NI_NUMERICHOST|NI_NUMERICSERV);
if(err) {
s_log(LOG_ERR, "getnameinfo: %s", s_gai_strerror(err));
retval=str_dup("unresolvable address");
} else
retval=str_printf("%s:%s", host, port);
str_free(host);
str_free(port);
return retval;
}

socklen_t addr_len(const SOCKADDR_UNION *addr) {
if(addr->sa.sa_family==AF_INET)
return sizeof(struct sockaddr_in);
#ifdef USE_IPv6
if(addr->sa.sa_family==AF_INET6)
return sizeof(struct sockaddr_in6);
#endif
#ifdef HAVE_STRUCT_SOCKADDR_UN
if(addr->sa.sa_family==AF_UNIX)
return sizeof(struct sockaddr_un);
#endif
s_log(LOG_ERR, "INTERNAL ERROR: Unknown sa_family: %d",
addr->sa.sa_family);
return sizeof(SOCKADDR_UNION);
}

/**************************************** my getaddrinfo() */
/* implementation is limited to functionality needed by stunnel */

#ifndef HAVE_GETADDRINFO
static int getaddrinfo(const char *node, const char *service,
const struct addrinfo *hints, struct addrinfo **res) {
struct hostent *h;
#ifndef _WIN32_WCE
struct servent *p;
#endif
u_short port;
struct addrinfo *ai;
int retval;
char *tmpstr;

#if defined(USE_WIN32) && !defined(_WIN32_WCE)
if(s_getaddrinfo)
return s_getaddrinfo(node, service, hints, res);
#endif
/* decode service name */
port=htons((u_short)strtol(service, &tmpstr, 10));
if(tmpstr==service || *tmpstr) { /* not a number */
#ifdef _WIN32_WCE
return EAI_NONAME;
#else /* defined(_WIN32_WCE) */
p=getservbyname(service, "tcp");
if(!p)
return EAI_NONAME;
port=p->s_port;
#endif /* defined(_WIN32_WCE) */
}

/* allocate addrlist structure */
ai=str_alloc(sizeof(struct addrinfo));
if(hints)
memcpy(ai, hints, sizeof(struct addrinfo));

/* try to decode numerical address */
#if defined(USE_IPv6) && !defined(USE_WIN32)
ai->ai_family=AF_INET6;
ai->ai_addrlen=sizeof(struct sockaddr_in6);
ai->ai_addr=str_alloc(ai->ai_addrlen);
ai->ai_addr->sa_family=AF_INET6;
if(inet_pton(AF_INET6, node,
&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr)>0) {
#else
ai->ai_family=AF_INET;
ai->ai_addrlen=sizeof(struct sockaddr_in);
ai->ai_addr=str_alloc(ai->ai_addrlen);
ai->ai_addr->sa_family=AF_INET;
((struct sockaddr_in *)ai->ai_addr)->sin_addr.s_addr=inet_addr(node);
if(((struct sockaddr_in *)ai->ai_addr)->sin_addr.s_addr+1) {
/* (signed)((struct sockaddr_in *)ai->ai_addr)->sin_addr.s_addr!=-1 */
#endif
((struct sockaddr_in *)ai->ai_addr)->sin_port=port;
*res=ai;
return 0; /* numerical address resolved */
}
str_free(ai->ai_addr);
str_free(ai);

/* not numerical: need to call resolver library */
*res=NULL;
ai=NULL;
enter_critical_section(CRIT_INET);
#ifdef HAVE_GETHOSTBYNAME2
h=gethostbyname2(node, AF_INET6);
if(h) /* some IPv6 addresses found */
alloc_addresses(h, hints, port, res, &ai); /* ignore the error */
#endif
h=gethostbyname(node); /* get list of addresses */
if(h)
retval=ai ?
alloc_addresses(h, hints, port, &ai->ai_next, &ai) :
alloc_addresses(h, hints, port, res, &ai);
else if(!*res)
retval=EAI_NONAME; /* no results */
else
retval=0;
#ifdef HAVE_ENDHOSTENT
endhostent();
#endif
leave_critical_section(CRIT_INET);
if(retval) { /* error: free allocated memory */
freeaddrinfo(*res);
*res=NULL;
}
return retval;
}

static int alloc_addresses(struct hostent *h, const struct addrinfo *hints,
u_short port, struct addrinfo **head, struct addrinfo **tail) {
int i;
struct addrinfo *ai;

/* copy addresses */
for(i=0; h->h_addr_list[i]; i++) {
ai=str_alloc(sizeof(struct addrinfo));
if(hints)
memcpy(ai, hints, sizeof(struct addrinfo));
ai->ai_next=NULL; /* just in case */
if(*tail) { /* list not empty: add a node */
(*tail)->ai_next=ai;
*tail=ai;
} else { /* list empty: create it */
*head=ai;
*tail=ai;
}
ai->ai_family=h->h_addrtype;
#if defined(USE_IPv6)
if(h->h_addrtype==AF_INET6) {
ai->ai_addrlen=sizeof(struct sockaddr_in6);
ai->ai_addr=str_alloc(ai->ai_addrlen);
memcpy(&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr,
h->h_addr_list[i], h->h_length);
} else
#endif
{
ai->ai_addrlen=sizeof(struct sockaddr_in);
ai->ai_addr=str_alloc(ai->ai_addrlen);
memcpy(&((struct sockaddr_in *)ai->ai_addr)->sin_addr,
h->h_addr_list[i], h->h_length);
}
ai->ai_addr->sa_family=h->h_addrtype;
/* offsets of sin_port and sin6_port should be the same */
((struct sockaddr_in *)ai->ai_addr)->sin_port=port;
}
return 0; /* success */
}

static void freeaddrinfo(struct addrinfo *current) {
struct addrinfo *next;

#if defined(USE_WIN32) && !defined(_WIN32_WCE)
if(s_freeaddrinfo) {
s_freeaddrinfo(current);
return;
}
#endif
while(current) {
if(current->ai_addr)
str_free(current->ai_addr);
if(current->ai_canonname)
str_free(current->ai_canonname);
next=current->ai_next;
str_free(current);
current=next;
}
}
#endif /* !defined HAVE_GETADDRINFO */

/* due to a problem with Mingw32 I decided to define my own gai_strerror() */
const char *s_gai_strerror(int err) {
switch(err) {
#ifdef EAI_BADFLAGS
case EAI_BADFLAGS:
return "Invalid value for ai_flags (EAI_BADFLAGS)";
#endif
case EAI_NONAME:
return "Neither nodename nor servname known (EAI_NONAME)";
#ifdef EAI_AGAIN
case EAI_AGAIN:
return "Temporary failure in name resolution (EAI_AGAIN)";
#endif
#ifdef EAI_FAIL
case EAI_FAIL:
return "Non-recoverable failure in name resolution (EAI_FAIL)";
#endif
#ifdef EAI_NODATA
#if EAI_NODATA!=EAI_NONAME
case EAI_NODATA:
return "No address associated with nodename (EAI_NODATA)";
#endif /* EAI_NODATA!=EAI_NONAME */
#endif /* defined EAI_NODATA */
#ifdef EAI_FAMILY
case EAI_FAMILY:
return "ai_family not supported (EAI_FAMILY)";
#endif
#ifdef EAI_SOCKTYPE
case EAI_SOCKTYPE:
return "ai_socktype not supported (EAI_SOCKTYPE)";
#endif
#ifdef EAI_SERVICE
case EAI_SERVICE:
return "servname is not supported for ai_socktype (EAI_SERVICE)";
#endif
#ifdef EAI_ADDRFAMILY
case EAI_ADDRFAMILY:
return "Address family for nodename not supported (EAI_ADDRFAMILY)";
#endif /* EAI_ADDRFAMILY */
case EAI_MEMORY:
return "Memory allocation failure (EAI_MEMORY)";
#ifdef EAI_SYSTEM
case EAI_SYSTEM:
return "System error returned in errno (EAI_SYSTEM)";
#endif /* EAI_SYSTEM */
default:
return "Unknown error";
}
}

/**************************************** my getnameinfo() */
/* implementation is limited to functionality needed by stunnel */

#ifndef HAVE_GETNAMEINFO
int getnameinfo(const struct sockaddr *sa, int salen,
char *host, int hostlen, char *serv, int servlen, int flags) {

#if defined(USE_WIN32) && !defined(_WIN32_WCE)
if(s_getnameinfo)
return s_getnameinfo(sa, salen, host, hostlen, serv, servlen, flags);
#endif
if(host && hostlen) {
#if defined(USE_IPv6) && !defined(USE_WIN32)
inet_ntop(sa->sa_family, sa->sa_family==AF_INET6 ?
(void *)&((struct sockaddr_in6 *)sa)->sin6_addr :
(void *)&((struct sockaddr_in *)sa)->sin_addr,
host, hostlen);
#else /* USE_IPv6 */
enter_critical_section(CRIT_INET); /* inet_ntoa is not mt-safe */
strncpy(host, inet_ntoa(((struct sockaddr_in *)sa)->sin_addr),
hostlen);
leave_critical_section(CRIT_INET);
host[hostlen-1]='\0';
#endif /* USE_IPv6 */
}
if(serv && servlen)
sprintf(serv, "%u", ntohs(((struct sockaddr_in *)sa)->sin_port));
/* sin_port is in the same place both in sockaddr_in and sockaddr_in6 */
/* ignore servlen since it's long enough in stunnel code */
return 0;
}
#endif

/* end of resolver.c */
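Review bot: the `do { ... } while(err==EAI_AGAIN);` loop in hostport2addrlist() has no retry cap, so a resolver that keeps answering EAI_AGAIN (nameserver down, DNS outage) stalls configuration loading and every name-based connect indefinitely, one second per iteration; bound the retries (a fixed count, then fall through to the `default:` error path) so stunnel fails loudly instead of hanging. In the same loop, after `if(err && res) freeaddrinfo(res);` the variable still holds the freed pointer, and since getaddrinfo() is only required to set `*res` on success, a second EAI_AGAIN re-enters that branch and frees it again; add `res=NULL;` after the free. In the fallback getnameinfo(), `sprintf(serv, "%u", ...)` ignores `servlen` as the comment admits; `snprintf(serv, servlen, ...)` costs nothing and removes the assumption about callers.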
28
src/resources.h
Normal file
@ -0,0 +1,28 @@
#define WM_SYSTRAY (WM_USER+0)
#define WM_VALID_CONFIG (WM_APP+0)
#define WM_INVALID_CONFIG (WM_APP+1)
#define WM_LOG (WM_APP+2)
#define WM_NEW_CHAIN (WM_APP+3)

#define IDI_MYICON 10

#define IDE_EDIT 20
#define IDE_PASSEDIT 21
#define IDE_PINEDIT 22

#define IDM_TRAYMENU 30
#define IDM_MAINMENU 31
#define IDM_CLOSE 32
#define IDM_EXIT 33
#define IDM_SHOW_LOG 34

#define IDM_SAVE_LOG 40
#define IDM_REOPEN_LOG 41
#define IDM_EDIT_CONFIG 42
#define IDM_RELOAD_CONFIG 43

#define IDM_ABOUT 50
#define IDM_MANPAGE 51
#define IDM_HOMEPAGE 52

#define IDM_PEER_MENU 60
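Review bot: `WM_SYSTRAY (WM_USER+0)` is the one custom message placed in the WM_USER range, which Windows documents for private messages of a window class and which the standard controls (edit, listbox, and so on) already populate with their own message numbers, while the four messages below it correctly use WM_APP; defining it as `WM_APP+4` keeps all five in the application range and avoids a clash if the window procedure is ever subclassed or the message is forwarded to a control. Style point only, since the tray callback is delivered to stunnel's own window.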
121
src/resources.rc
Normal file
@ -0,0 +1,121 @@
#include <windows.h>
#include "resources.h"
#include "version.h"

VS_VERSION_INFO VERSIONINFO
FILEVERSION STUNNEL_VERSION_FIELDS
PRODUCTVERSION STUNNEL_VERSION_FIELDS
FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
FILEFLAGS 0
FILEOS VOS__WINDOWS32
FILETYPE VFT_APP
FILESUBTYPE VFT2_UNKNOWN
BEGIN
BLOCK "StringFileInfo"
BEGIN
BLOCK "040904E4"
BEGIN
VALUE "CompanyName", "Michal Trojnara"
VALUE "FileDescription", "stunnel - multiplatform SSL tunneling proxy"
VALUE "FileVersion", STUNNEL_VERSION
VALUE "InternalName", "stunnel"
VALUE "LegalCopyright", "© by Michal Trojnara, 1998-2012"
VALUE "OriginalFilename", "stunnel.exe"
VALUE "ProductName", STUNNEL_PRODUCTNAME
VALUE "ProductVersion", STUNNEL_VERSION
END
END
BLOCK "VarFileInfo"
BEGIN
VALUE "Translation", 0x409, 1252
END
END

IDI_MYICON ICON "stunnel.ico"

IDM_MAINMENU MENU
BEGIN
POPUP "&File"
BEGIN
MENUITEM "&Save Log As", IDM_SAVE_LOG
MENUITEM "Reopen &Log File", IDM_REOPEN_LOG, GRAYED
MENUITEM SEPARATOR
MENUITEM "&Close", IDM_CLOSE
END
POPUP "&Configuration"
BEGIN
MENUITEM "&Edit stunnel.conf", IDM_EDIT_CONFIG
MENUITEM "&Reload stunnel.conf", IDM_RELOAD_CONFIG
END
POPUP "&Save peer certificate"
BEGIN
MENUITEM "dummy", 0, GRAYED
END
POPUP "&Help", HELP
BEGIN
MENUITEM "&About", IDM_ABOUT
MENUITEM SEPARATOR
MENUITEM "&Manual", IDM_MANPAGE
MENUITEM "&Homepage", IDM_HOMEPAGE
END
END

IDM_TRAYMENU MENU
BEGIN
POPUP "Ooops?"
BEGIN
MENUITEM "Show Log &Window", IDM_SHOW_LOG
MENUITEM SEPARATOR
POPUP "&Save peer certificate"
BEGIN
MENUITEM "dummy", 0, GRAYED
END
MENUITEM SEPARATOR
MENUITEM "&Edit stunnel.conf", IDM_EDIT_CONFIG
MENUITEM "&Reload stunnel.conf", IDM_RELOAD_CONFIG
MENUITEM "Reopen &Log File", IDM_REOPEN_LOG, GRAYED
MENUITEM SEPARATOR
MENUITEM "&Homepage", IDM_HOMEPAGE
MENUITEM "&Manual", IDM_MANPAGE
MENUITEM "&About", IDM_ABOUT
MENUITEM SEPARATOR
MENUITEM "E&xit", IDM_EXIT
END
END

ABOUTBOX DIALOG DISCARDABLE 0, 0, 140, 68
STYLE DS_MODALFRAME|DS_CENTER|WS_POPUP|WS_CAPTION|WS_SYSMENU
CAPTION "About stunnel"
BEGIN
ICON IDI_MYICON, -1, 9, 8, 18, 20
LTEXT "stunnel version", -1, 30, 4, 52, 8
LTEXT STUNNEL_VERSION, -1, 82, 4, 54, 8
LTEXT "© by Michal Trojnara, 1998-2012", -1, 30, 12, 106, 8
LTEXT "All Rights Reserved", -1, 30, 20, 106, 8
LTEXT "Licensed under the GNU GPL version 2", -1, 4, 28, 132, 8
LTEXT "with a special exception for OpenSSL", -1, 4, 36, 132, 8
DEFPUSHBUTTON "OK",IDOK, 54, 48, 32, 14, WS_GROUP
END

PASSBOX DIALOG DISCARDABLE 0, 0, 158, 51
STYLE DS_MODALFRAME|DS_CENTER|WS_POPUP|WS_CAPTION|WS_SYSMENU
CAPTION ""
BEGIN
ICON IDI_MYICON, -1, 8, 6, 18, 20
LTEXT "Pass phrase:", -1, 33, 9, 50, 8
EDITTEXT IDE_PASSEDIT, 86, 7, 65, 12, ES_PASSWORD|ES_AUTOHSCROLL
DEFPUSHBUTTON "OK",IDOK, 7, 30, 50, 14
PUSHBUTTON "Cancel",IDCANCEL, 101, 30, 50, 14
END

PINBOX DIALOG DISCARDABLE 0, 0, 158, 51
STYLE DS_MODALFRAME|DS_CENTER|WS_POPUP|WS_CAPTION|WS_SYSMENU
CAPTION ""
BEGIN
ICON IDI_MYICON, -1, 8, 6, 18, 20
LTEXT "SmartCard PIN:", -1, 33, 9, 50, 8
EDITTEXT IDE_PINEDIT, 86, 7, 65, 12, ES_PASSWORD|ES_AUTOHSCROLL
DEFPUSHBUTTON "OK",IDOK, 7, 30, 50, 14
PUSHBUTTON "Cancel",IDCANCEL, 101, 30, 50, 14
END

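Review bot: the copyright string "© by Michal Trojnara, 1998-2012" is spelled out twice, once in `VALUE "LegalCopyright"` and once in the ABOUTBOX `LTEXT`, while the version and product name already come from version.h as STUNNEL_VERSION and STUNNEL_PRODUCTNAME; moving the copyright line into version.h as well keeps the two from drifting at the next yearly bump. `POPUP "Ooops?"` in IDM_TRAYMENU reads as a placeholder label; if the text is never displayed because only the submenu is tracked, a comment saying so would help, otherwise give it a real name. Both are style points; the PASSBOX and PINBOX edits correctly carry ES_PASSWORD.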
248
src/ssl.c
Normal file
@ -0,0 +1,248 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/

#include "common.h"
#include "prototypes.h"

/* global OpenSSL initalization: compression, engine, entropy */
static int init_compression(GLOBAL_OPTIONS *);
static int init_prng(GLOBAL_OPTIONS *);
static int add_rand_file(GLOBAL_OPTIONS *, const char *);

int cli_index, opt_index; /* to keep structure for callbacks */

int ssl_init(void) { /* init SSL before parsing configuration file */
SSL_load_error_strings();
SSL_library_init();
cli_index=SSL_get_ex_new_index(0, "cli index", NULL, NULL, NULL);
opt_index=SSL_CTX_get_ex_new_index(0, "opt index", NULL, NULL, NULL);
if(cli_index<0 || opt_index<0)
return 1;
#ifdef HAVE_OSSL_ENGINE_H
ENGINE_load_builtin_engines();
#endif
return 0;
}

int ssl_configure(GLOBAL_OPTIONS *global) { /* configure global SSL settings */
#ifdef USE_FIPS
if(FIPS_mode()!=global->option.fips) {
RAND_set_rand_method(NULL); /* reset RAND methods */
if(!FIPS_mode_set(global->option.fips)) {
ERR_load_crypto_strings();
sslerror("FIPS_mode_set");
return 1;
}
}
s_log(LOG_NOTICE, "FIPS mode is %s",
global->option.fips ? "enabled" : "disabled");
#endif /* USE_FIPS */
if(init_compression(global))
return 1;
if(init_prng(global))
return 1;
s_log(LOG_DEBUG, "PRNG seeded successfully");
return 0; /* SUCCESS */
}

static int init_compression(GLOBAL_OPTIONS *global) {
#ifndef OPENSSL_NO_COMP
SSL_COMP *comp;
STACK_OF(SSL_COMP) *ssl_comp_methods;

ssl_comp_methods=SSL_COMP_get_compression_methods();
if(!ssl_comp_methods) {
if(global->compression==COMP_NONE) {
s_log(LOG_NOTICE, "Failed to get compression methods");
return 0; /* ignore */
} else {
s_log(LOG_ERR, "Failed to get compression methods");
return 1;
}
}

/* delete OpenSSL defaults (empty the SSL_COMP stack) */
/* cannot use sk_SSL_COMP_pop_free, as it also destroys the stack itself */
while(sk_SSL_COMP_num(ssl_comp_methods))
OPENSSL_free(sk_SSL_COMP_pop(ssl_comp_methods));

if(global->compression==COMP_NONE) {
s_log(LOG_DEBUG, "Compression not enabled");
return 0; /* success */
}

/* insert RFC 1951 (DEFLATE) algoritm */
if(SSLeay()>=0x00908051L) { /* 0.9.8e-beta1 */
/* only allow DEFLATE with OpenSSL 0.9.8 or later
with openssl #1468 zlib memory leak fixed */
comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
if(!comp) {
s_log(LOG_ERR, "OPENSSL_malloc filed");
return 1;
}
comp->id=1; /* RFC 1951 */
comp->method=COMP_zlib();
if(!comp->method || comp->method->type==NID_undef) {
OPENSSL_free(comp);
s_log(LOG_ERR, "Failed to initialize compression method");
return 1;
}
comp->name=comp->method->name;
sk_SSL_COMP_push(ssl_comp_methods, comp);
}

/* also insert one of obsolete (ZLIB/RLE) algoritms */
comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
if(!comp) {
s_log(LOG_ERR, "OPENSSL_malloc filed");
return 1;
}
if(global->compression==COMP_ZLIB) {
comp->id=0xe0; /* 224 - within private range (193 to 255) */
comp->method=COMP_zlib();
} else if(global->compression==COMP_RLE) {
comp->id=0xe1; /* 225 - within private range (193 to 255) */
comp->method=COMP_rle();
} else {
s_log(LOG_INFO, "Compression enabled: %d algorithm(s)",
sk_SSL_COMP_num(ssl_comp_methods));
OPENSSL_free(comp);
return 0;
}
if(!comp->method || comp->method->type==NID_undef) {
OPENSSL_free(comp);
s_log(LOG_ERR, "Failed to initialize compression method");
return 1;
}
comp->name=comp->method->name;
sk_SSL_COMP_push(ssl_comp_methods, comp);
s_log(LOG_INFO, "Compression enabled: %d algorithm(s)",
sk_SSL_COMP_num(ssl_comp_methods));
#endif /* OPENSSL_NO_COMP */
return 0; /* success */
}

static int init_prng(GLOBAL_OPTIONS *global) {
int totbytes=0;
char filename[256];
int bytes;

bytes=0; /* avoid warning if #ifdef'd out for windows */

filename[0]='\0';

/* if they specify a rand file on the command line we
assume that they really do want it, so try it first */
if(global->rand_file) {
totbytes+=add_rand_file(global, global->rand_file);
if(RAND_status())
return 0; /* success */
}

/* try the $RANDFILE or $HOME/.rnd files */
RAND_file_name(filename, 256);
if(filename[0]) {
totbytes+=add_rand_file(global, filename);
if(RAND_status())
return 0; /* success */
}

#ifdef RANDOM_FILE
totbytes+=add_rand_file(global, RANDOM_FILE);
if(RAND_status())
return 0; /* success */
#endif

#ifdef USE_WIN32
RAND_screen();
if(RAND_status()) {
s_log(LOG_DEBUG, "Seeded PRNG with RAND_screen");
return 0; /* success */
}
s_log(LOG_DEBUG, "RAND_screen failed to sufficiently seed PRNG");
#else
if(global->egd_sock) {
if((bytes=RAND_egd(global->egd_sock))==-1) {
s_log(LOG_WARNING, "EGD Socket %s failed", global->egd_sock);
bytes=0;
} else {
totbytes+=bytes;
s_log(LOG_DEBUG, "Snagged %d random bytes from EGD Socket %s",
bytes, global->egd_sock);
return 0; /* OpenSSL always gets what it needs or fails,
so no need to check if seeded sufficiently */
}
}
/* try the good-old default /dev/urandom, if available */
totbytes+=add_rand_file(global, "/dev/urandom");
if(RAND_status())
return 0; /* success */
#endif /* USE_WIN32 */

/* random file specified during configure */
s_log(LOG_ERR, "PRNG seeded with %d bytes total", totbytes);
s_log(LOG_ERR, "PRNG was not seeded with enough random bytes");
return 1; /* FAILED */
}

static int add_rand_file(GLOBAL_OPTIONS *global, const char *filename) {
int readbytes;
int writebytes;
struct stat sb;

if(stat(filename, &sb))
return 0; /* could not stat() file -> return 0 bytes */
if((readbytes=RAND_load_file(filename, global->random_bytes)))
s_log(LOG_DEBUG, "Snagged %d random bytes from %s",
readbytes, filename);
else
s_log(LOG_INFO, "Unable to retrieve any random data from %s",
filename);
/* write new random data for future seeding if it's a regular file */
if(global->option.rand_write && (sb.st_mode & S_IFREG)){
writebytes=RAND_write_file(filename);
if(writebytes==-1)
s_log(LOG_WARNING, "Failed to write strong random data to %s - "
"may be a permissions or seeding problem", filename);
else
s_log(LOG_DEBUG, "Wrote %d new random bytes to %s",
writebytes, filename);
}
return readbytes;
}

/* end of ssl.c */
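Review bot: in add_rand_file(), `(sb.st_mode & S_IFREG)` is not a regular-file test: S_IFREG (0100000) is one value of the S_IFMT field, and both S_IFSOCK (0140000) and S_IFLNK (0120000) contain that bit, so with RAND writing enabled a Unix-domain socket given as the seed path passes the check and RAND_write_file() is attempted on it; use `S_ISREG(sb.st_mode)`. Two further points on this file: in init_prng() the Win32 fallback to `RAND_screen()` is a weak entropy source kept only as a last resort, and reporting "Seeded PRNG with RAND_screen" at LOG_DEBUG hides from the operator that the PRNG ended up seeded from it, so LOG_WARNING fits better; and since init_compression() makes TLS compression (`comp->id=1` DEFLATE plus the private 0xe0/0xe1 ids) selectable per configuration, the option documentation should warn that an attacker who can inject chosen plaintext next to a secret can recover it from ciphertext lengths when compression is on. Cosmetic: the two `"OPENSSL_malloc filed"` messages should read "failed", and "initalization" and "algoritm" in the comments are misspelled.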
550
src/sthreads.c
Normal file
@ -0,0 +1,550 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/

#ifdef USE_OS2
#define INCL_DOSPROCESS
#include <os2.h>
#endif

#include "common.h"
#include "prototypes.h"

#if defined(USE_UCONTEXT) || defined(USE_FORK)
/* no need for critical sections */

void enter_critical_section(SECTION_CODE i) {
(void)i; /* skip warning about unused parameter */
/* empty */
}

void leave_critical_section(SECTION_CODE i) {
(void)i; /* skip warning about unused parameter */
/* empty */
}

#endif /* USE_UCONTEXT || USE_FORK */

#ifdef USE_UCONTEXT

#if defined(CPU_SPARC) && ( \
defined(OS_SOLARIS2_0) || \
defined(OS_SOLARIS2_1) || \
defined(OS_SOLARIS2_2) || \
defined(OS_SOLARIS2_3) || \
defined(OS_SOLARIS2_4) || \
defined(OS_SOLARIS2_5) || \
defined(OS_SOLARIS2_6) || \
defined(OS_SOLARIS2_7) || \
defined(OS_SOLARIS2_8))
#define ARGC 2
#else
#define ARGC 1
#endif

/* first context on the ready list is the active context */
CONTEXT *ready_head=NULL, *ready_tail=NULL; /* ready to execute */
CONTEXT *waiting_head=NULL, *waiting_tail=NULL; /* waiting on poll() */

unsigned long stunnel_process_id(void) {
return (unsigned long)getpid();
}

unsigned long stunnel_thread_id(void) {
return ready_head ? ready_head->id : 0;
}

static CONTEXT *new_context(void) {
static int next_id=1;
CONTEXT *context;

/* allocate and fill the CONTEXT structure */
context=str_alloc(sizeof(CONTEXT));
str_detach(context);
context->id=next_id++;
context->fds=NULL;
context->ready=0;

/* append to the tail of the ready queue */
context->next=NULL;
if(ready_tail)
ready_tail->next=context;
ready_tail=context;
if(!ready_head)
ready_head=context;

return context;
}

int sthreads_init(void) {
/* create the first (listening) context and put it in the running queue */
if(!new_context()) {
s_log(LOG_ERR, "Unable create the listening context");
return 1;
}
/* no need to initialize ucontext_t structure here
it will be initialied with swapcontext() call */
return 0;
}

int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
CONTEXT *context;

(void)ls; /* this parameter is only used with USE_FORK */

s_log(LOG_DEBUG, "Creating a new context");
context=new_context();
if(!context) {
if(arg)
str_free(arg);
if(s>=0)
closesocket(s);
return -1;
}

/* initialize context_t structure */
if(getcontext(&context->context)<0) {
str_free(context);
if(arg)
str_free(arg);
if(s>=0)
closesocket(s);
ioerror("getcontext");
return -1;
}
context->context.uc_link=NULL; /* stunnel does not use uc_link */

/* create stack */
context->stack=str_alloc(arg->opt->stack_size);
str_detach(context->stack);
#if defined(__sgi) || ARGC==2 /* obsolete ss_sp semantics */
context->context.uc_stack.ss_sp=context->stack+arg->opt->stack_size-8;
#else
context->context.uc_stack.ss_sp=context->stack;
#endif
context->context.uc_stack.ss_size=arg->opt->stack_size;
context->context.uc_stack.ss_flags=0;

makecontext(&context->context, (void(*)(void))cli, ARGC, arg);
s_log(LOG_DEBUG, "New context created");
return 0;
}

#endif /* USE_UCONTEXT */
|
||||||
|
|
||||||
|
#ifdef USE_FORK
|
||||||
|
|
||||||
|
int sthreads_init(void) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
unsigned long stunnel_process_id(void) {
|
||||||
|
return (unsigned long)getpid();
|
||||||
|
}
|
||||||
|
|
||||||
|
unsigned long stunnel_thread_id(void) {
|
||||||
|
return 0L;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void null_handler(int sig) {
|
||||||
|
(void)sig; /* skip warning about unused parameter */
|
||||||
|
signal(SIGCHLD, null_handler);
|
||||||
|
}
|
||||||
|
|
||||||
|
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
||||||
|
switch(fork()) {
|
||||||
|
case -1: /* error */
|
||||||
|
if(arg)
|
||||||
|
str_free(arg);
|
||||||
|
if(s>=0)
|
||||||
|
closesocket(s);
|
||||||
|
return -1;
|
||||||
|
case 0: /* child */
|
||||||
|
if(ls>=0)
|
||||||
|
closesocket(ls);
|
||||||
|
signal(SIGCHLD, null_handler);
|
||||||
|
cli(arg);
|
||||||
|
_exit(0);
|
||||||
|
default: /* parent */
|
||||||
|
if(arg)
|
||||||
|
str_free(arg);
|
||||||
|
if(s>=0)
|
||||||
|
closesocket(s);
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* USE_FORK */
|
||||||
|
|
||||||
|
#ifdef USE_PTHREAD
|
||||||
|
|
||||||
|
static pthread_mutex_t stunnel_cs[CRIT_SECTIONS];
|
||||||
|
static pthread_mutex_t lock_cs[CRYPTO_NUM_LOCKS];
|
||||||
|
|
||||||
|
void enter_critical_section(SECTION_CODE i) {
|
||||||
|
pthread_mutex_lock(stunnel_cs+i);
|
||||||
|
}
|
||||||
|
|
||||||
|
void leave_critical_section(SECTION_CODE i) {
|
||||||
|
pthread_mutex_unlock(stunnel_cs+i);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void locking_callback(int mode, int type, const char *file, int line) {
|
||||||
|
(void)file; /* skip warning about unused parameter */
|
||||||
|
(void)line; /* skip warning about unused parameter */
|
||||||
|
if(mode&CRYPTO_LOCK)
|
||||||
|
pthread_mutex_lock(lock_cs+type);
|
||||||
|
else
|
||||||
|
pthread_mutex_unlock(lock_cs+type);
|
||||||
|
}
|
||||||
|
|
||||||
|
struct CRYPTO_dynlock_value {
|
||||||
|
pthread_mutex_t mutex;
|
||||||
|
};
|
||||||
|
|
||||||
|
static struct CRYPTO_dynlock_value *dyn_create_function(const char *file,
|
||||||
|
int line) {
|
||||||
|
struct CRYPTO_dynlock_value *value;
|
||||||
|
|
||||||
|
(void)file; /* skip warning about unused parameter */
|
||||||
|
(void)line; /* skip warning about unused parameter */
|
||||||
|
value=str_alloc(sizeof(struct CRYPTO_dynlock_value));
|
||||||
|
str_detach(value);
|
||||||
|
pthread_mutex_init(&value->mutex, NULL);
|
||||||
|
return value;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void dyn_lock_function(int mode, struct CRYPTO_dynlock_value *value,
|
||||||
|
const char *file, int line) {
|
||||||
|
(void)file; /* skip warning about unused parameter */
|
||||||
|
(void)line; /* skip warning about unused parameter */
|
||||||
|
if(mode&CRYPTO_LOCK)
|
||||||
|
pthread_mutex_lock(&value->mutex);
|
||||||
|
else
|
||||||
|
pthread_mutex_unlock(&value->mutex);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void dyn_destroy_function(struct CRYPTO_dynlock_value *value,
|
||||||
|
const char *file, int line) {
|
||||||
|
(void)file; /* skip warning about unused parameter */
|
||||||
|
(void)line; /* skip warning about unused parameter */
|
||||||
|
pthread_mutex_destroy(&value->mutex);
|
||||||
|
str_free(value);
|
||||||
|
}
|
||||||
|
|
||||||
|
unsigned long stunnel_process_id(void) {
|
||||||
|
return (unsigned long)getpid();
|
||||||
|
}
|
||||||
|
|
||||||
|
unsigned long stunnel_thread_id(void) {
|
||||||
|
return (unsigned long)pthread_self();
|
||||||
|
}
|
||||||
|
|
||||||
|
int sthreads_init(void) {
|
||||||
|
int i;
|
||||||
|
|
||||||
|
/* initialize stunnel critical sections */
|
||||||
|
for(i=0; i<CRIT_SECTIONS; i++)
|
||||||
|
pthread_mutex_init(stunnel_cs+i, NULL);
|
||||||
|
|
||||||
|
/* initialize OpenSSL locking callback */
|
||||||
|
for(i=0; i<CRYPTO_NUM_LOCKS; i++)
|
||||||
|
pthread_mutex_init(lock_cs+i, NULL);
|
||||||
|
CRYPTO_set_id_callback(stunnel_thread_id);
|
||||||
|
CRYPTO_set_locking_callback(locking_callback);
|
||||||
|
|
||||||
|
/* initialize OpenSSL dynamic locks callbacks */
|
||||||
|
CRYPTO_set_dynlock_create_callback(dyn_create_function);
|
||||||
|
CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
|
||||||
|
CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
||||||
|
pthread_t thread;
|
||||||
|
pthread_attr_t pth_attr;
|
||||||
|
int error;
|
||||||
|
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
|
||||||
|
/* Disabled on OS X due to strange problems on Mac OS X 10.5
|
||||||
|
it seems to restore signal mask somewhere (I couldn't find where)
|
||||||
|
effectively blocking signals after first accepted connection */
|
||||||
|
sigset_t new_set, old_set;
|
||||||
|
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
|
||||||
|
|
||||||
|
(void)ls; /* this parameter is only used with USE_FORK */
|
||||||
|
|
||||||
|
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
|
||||||
|
/* the idea is that only the main thread handles all the signals with
|
||||||
|
* posix threads; signals are blocked for any other thread */
|
||||||
|
sigfillset(&new_set);
|
||||||
|
pthread_sigmask(SIG_SETMASK, &new_set, &old_set); /* block signals */
|
||||||
|
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
|
||||||
|
pthread_attr_init(&pth_attr);
|
||||||
|
pthread_attr_setdetachstate(&pth_attr, PTHREAD_CREATE_DETACHED);
|
||||||
|
pthread_attr_setstacksize(&pth_attr, arg->opt->stack_size);
|
||||||
|
error=pthread_create(&thread, &pth_attr, cli, arg);
|
||||||
|
pthread_attr_destroy(&pth_attr);
|
||||||
|
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
|
||||||
|
pthread_sigmask(SIG_SETMASK, &old_set, NULL); /* unblock signals */
|
||||||
|
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
|
||||||
|
|
||||||
|
if(error) {
|
||||||
|
errno=error;
|
||||||
|
ioerror("pthread_create");
|
||||||
|
if(arg)
|
||||||
|
str_free(arg);
|
||||||
|
if(s>=0)
|
||||||
|
closesocket(s);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* USE_PTHREAD */
|
||||||
|
|
||||||
|
#ifdef USE_WIN32
|
||||||
|
|
||||||
|
static CRITICAL_SECTION stunnel_cs[CRIT_SECTIONS];
|
||||||
|
static CRITICAL_SECTION lock_cs[CRYPTO_NUM_LOCKS];
|
||||||
|
|
||||||
|
void enter_critical_section(SECTION_CODE i) {
|
||||||
|
EnterCriticalSection(stunnel_cs+i);
|
||||||
|
}
|
||||||
|
|
||||||
|
void leave_critical_section(SECTION_CODE i) {
|
||||||
|
LeaveCriticalSection(stunnel_cs+i);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void locking_callback(int mode, int type, const char *file, int line) {
|
||||||
|
(void)file; /* skip warning about unused parameter */
|
||||||
|
(void)line; /* skip warning about unused parameter */
|
||||||
|
if(mode&CRYPTO_LOCK)
|
||||||
|
EnterCriticalSection(lock_cs+type);
|
||||||
|
else
|
||||||
|
LeaveCriticalSection(lock_cs+type);
|
||||||
|
}
|
||||||
|
|
||||||
|
struct CRYPTO_dynlock_value {
|
||||||
|
CRITICAL_SECTION mutex;
|
||||||
|
};
|
||||||
|
|
||||||
|
static struct CRYPTO_dynlock_value *dyn_create_function(const char *file,
|
||||||
|
int line) {
|
||||||
|
struct CRYPTO_dynlock_value *value;
|
||||||
|
|
||||||
|
(void)file; /* skip warning about unused parameter */
|
||||||
|
(void)line; /* skip warning about unused parameter */
|
||||||
|
value=str_alloc(sizeof(struct CRYPTO_dynlock_value));
|
||||||
|
str_detach(value);
|
||||||
|
InitializeCriticalSection(&value->mutex);
|
||||||
|
return value;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void dyn_lock_function(int mode, struct CRYPTO_dynlock_value *value,
|
||||||
|
const char *file, int line) {
|
||||||
|
(void)file; /* skip warning about unused parameter */
|
||||||
|
(void)line; /* skip warning about unused parameter */
|
||||||
|
if(mode&CRYPTO_LOCK)
|
||||||
|
EnterCriticalSection(&value->mutex);
|
||||||
|
else
|
||||||
|
LeaveCriticalSection(&value->mutex);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void dyn_destroy_function(struct CRYPTO_dynlock_value *value,
|
||||||
|
const char *file, int line) {
|
||||||
|
(void)file; /* skip warning about unused parameter */
|
||||||
|
(void)line; /* skip warning about unused parameter */
|
||||||
|
DeleteCriticalSection(&value->mutex);
|
||||||
|
str_free(value);
|
||||||
|
}
|
||||||
|
|
||||||
|
unsigned long stunnel_process_id(void) {
|
||||||
|
return GetCurrentProcessId() & 0x00ffffff;
|
||||||
|
}
|
||||||
|
|
||||||
|
unsigned long stunnel_thread_id(void) {
|
||||||
|
return GetCurrentThreadId() & 0x00ffffff;
|
||||||
|
}
|
||||||
|
|
||||||
|
int sthreads_init(void) {
|
||||||
|
int i;
|
||||||
|
|
||||||
|
/* initialize stunnel critical sections */
|
||||||
|
for(i=0; i<CRIT_SECTIONS; i++)
|
||||||
|
InitializeCriticalSection(stunnel_cs+i);
|
||||||
|
|
||||||
|
/* initialize OpenSSL locking callback */
|
||||||
|
for(i=0; i<CRYPTO_NUM_LOCKS; i++)
|
||||||
|
InitializeCriticalSection(lock_cs+i);
|
||||||
|
CRYPTO_set_locking_callback(locking_callback);
|
||||||
|
|
||||||
|
/* initialize OpenSSL dynamic locks callbacks */
|
||||||
|
CRYPTO_set_dynlock_create_callback(dyn_create_function);
|
||||||
|
CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
|
||||||
|
CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
||||||
|
(void)ls; /* this parameter is only used with USE_FORK */
|
||||||
|
s_log(LOG_DEBUG, "Creating a new thread");
|
||||||
|
if((long)_beginthread((void(*)(void *))cli, arg->opt->stack_size, arg)==-1) {
|
||||||
|
ioerror("_beginthread");
|
||||||
|
if(arg)
|
||||||
|
str_free(arg);
|
||||||
|
if(s>=0)
|
||||||
|
closesocket(s);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
s_log(LOG_DEBUG, "New thread created");
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* USE_WIN32 */
|
||||||
|
|
||||||
|
#ifdef USE_OS2
|
||||||
|
|
||||||
|
void enter_critical_section(SECTION_CODE i) {
|
||||||
|
DosEnterCritSec();
|
||||||
|
}
|
||||||
|
|
||||||
|
void leave_critical_section(SECTION_CODE i) {
|
||||||
|
DosExitCritSec();
|
||||||
|
}
|
||||||
|
|
||||||
|
int sthreads_init(void) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
unsigned long stunnel_process_id(void) {
|
||||||
|
PTIB ptib=NULL;
|
||||||
|
DosGetInfoBlocks(&ptib, NULL);
|
||||||
|
return (unsigned long)ptib->tib_ordinal;
|
||||||
|
}
|
||||||
|
|
||||||
|
unsigned long stunnel_thread_id(void) {
|
||||||
|
PPIB ppib=NULL;
|
||||||
|
DosGetInfoBlocks(NULL, &ppib);
|
||||||
|
return (unsigned long)ppib->pib_ulpid;
|
||||||
|
}
|
||||||
|
|
||||||
|
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
||||||
|
(void)ls; /* this parameter is only used with USE_FORK */
|
||||||
|
s_log(LOG_DEBUG, "Creating a new thread");
|
||||||
|
if((long)_beginthread((void(*)(void *))cli, NULL, arg->opt->stack_size, arg)==-1L) {
|
||||||
|
ioerror("_beginthread");
|
||||||
|
if(arg)
|
||||||
|
str_free(arg);
|
||||||
|
if(s>=0)
|
||||||
|
closesocket(s);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
s_log(LOG_DEBUG, "New thread created");
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* USE_OS2 */
|
||||||
|
|
||||||
|
#ifdef _WIN32_WCE
|
||||||
|
|
||||||
|
long _beginthread(void (*start_address)(void *),
|
||||||
|
int stack_size, void *arglist) {
|
||||||
|
DWORD thread_id;
|
||||||
|
HANDLE handle;
|
||||||
|
|
||||||
|
handle=CreateThread(NULL, stack_size,
|
||||||
|
(LPTHREAD_START_ROUTINE)start_address, arglist,
|
||||||
|
STACK_SIZE_PARAM_IS_A_RESERVATION, &thread_id);
|
||||||
|
if(!handle)
|
||||||
|
return -1L;
|
||||||
|
CloseHandle(handle);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
void _endthread(void) {
|
||||||
|
ExitThread(0);
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* _WIN32_WCE */
|
||||||
|
|
||||||
|
#ifdef DEBUG_STACK_SIZE
|
||||||
|
|
||||||
|
#define STACK_RESERVE (STACK_SIZE/8)
|
||||||
|
#define VERIFY_AREA ((STACK_SIZE-STACK_RESERVE)/sizeof(u32))
|
||||||
|
#define TEST_VALUE 0xdeadbeef
|
||||||
|
|
||||||
|
/* some heuristic to determine the usage of client stack size */
|
||||||
|
void stack_info(int init) { /* 1-initialize, 0-display */
|
||||||
|
u32 table[VERIFY_AREA];
|
||||||
|
int i, num;
|
||||||
|
static int min_num=VERIFY_AREA;
|
||||||
|
|
||||||
|
if(init) {
|
||||||
|
for(i=0; i<VERIFY_AREA; i++)
|
||||||
|
table[i]=TEST_VALUE;
|
||||||
|
} else {
|
||||||
|
/* the stack is growing down */
|
||||||
|
for(i=0; i<VERIFY_AREA; i++)
|
||||||
|
if(table[i]!=TEST_VALUE)
|
||||||
|
break;
|
||||||
|
num=i;
|
||||||
|
/* the stack is growing up */
|
||||||
|
for(i=0; i<VERIFY_AREA; i++)
|
||||||
|
if(table[VERIFY_AREA-i-1]!=TEST_VALUE)
|
||||||
|
break;
|
||||||
|
if(i>num) /* use the higher value */
|
||||||
|
num=i;
|
||||||
|
if(num<64) {
|
||||||
|
s_log(LOG_NOTICE, "STACK_RESERVE is too high");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
if(num<min_num)
|
||||||
|
min_num=num;
|
||||||
|
s_log(LOG_NOTICE,
|
||||||
|
"stack_info: size=%d, current=%d (%d%%), maximum=%d (%d%%)",
|
||||||
|
STACK_SIZE,
|
||||||
|
(int)((VERIFY_AREA-num)*sizeof(u32)),
|
||||||
|
(int)((VERIFY_AREA-num)*sizeof(u32)*100/STACK_SIZE),
|
||||||
|
(int)((VERIFY_AREA-min_num)*sizeof(u32)),
|
||||||
|
(int)((VERIFY_AREA-min_num)*sizeof(u32)*100/STACK_SIZE));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* DEBUG_STACK_SIZE */
|
||||||
|
|
||||||
|
/* end of sthreads.c */
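Review bot: In the USE_UCONTEXT `create_client()`, the `getcontext()` failure path calls `str_free(context)` on a CONTEXT that `new_context()` has already appended to the ready queue (`ready_tail=context`, and `ready_head=context` for the first one), so `ready_head`/`ready_tail` keep a dangling pointer to freed memory; unlink the context before freeing it, or allocate first and enqueue only after `getcontext()` and `makecontext()` have succeeded. Related: every `create_client()` variant dereferences `arg->opt->stack_size` unconditionally and then guards `if(arg) str_free(arg);` on its error path, so either `arg` can never be NULL and those guards are dead, or the dereference needs the same guard first. In the USE_OS2 block, `stunnel_process_id()` returns `ptib->tib_ordinal` (the thread ordinal from the Thread Information Block) while `stunnel_thread_id()` returns `ppib->pib_ulpid` (the process id from the Process Information Block), which looks swapped, and that block's `sthreads_init()` installs no OpenSSL locking callbacks even though `create_client()` starts threads with `_beginthread()`. Cosmetic: the log message "Unable create the listening context" is missing "to", and "initialied" in the comment below it should read "initialized".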
|
344
src/str.c
Normal file
@ -0,0 +1,344 @@
|
|||||||
|
/*
|
||||||
|
* stunnel Universal SSL tunnel
|
||||||
|
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
* Free Software Foundation; either version 2 of the License, or (at your
|
||||||
|
* option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||||
|
* See the GNU General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License along
|
||||||
|
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||||
|
*
|
||||||
|
* Linking stunnel statically or dynamically with other modules is making
|
||||||
|
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||||
|
* the GNU General Public License cover the whole combination.
|
||||||
|
*
|
||||||
|
* In addition, as a special exception, the copyright holder of stunnel
|
||||||
|
* gives you permission to combine stunnel with free software programs or
|
||||||
|
* libraries that are released under the GNU LGPL and with code included
|
||||||
|
* in the standard release of OpenSSL under the OpenSSL License (or
|
||||||
|
* modified versions of such code, with unchanged license). You may copy
|
||||||
|
* and distribute such a system following the terms of the GNU GPL for
|
||||||
|
* stunnel and the licenses of the other code concerned.
|
||||||
|
*
|
||||||
|
* Note that people who make modified versions of stunnel are not obligated
|
||||||
|
* to grant this special exception for their modified versions; it is their
|
||||||
|
* choice whether to do so. The GNU General Public License gives permission
|
||||||
|
* to release a modified version without this exception; this exception
|
||||||
|
* also makes it possible to release a modified version which carries
|
||||||
|
* forward this exception.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "common.h"
|
||||||
|
#include "prototypes.h"
|
||||||
|
|
||||||
|
#ifndef va_copy
|
||||||
|
#ifdef __va_copy
|
||||||
|
#define va_copy(dst, src) __va_copy((dst), (src))
|
||||||
|
#else /* __va_copy */
|
||||||
|
#define va_copy(dst, src) memcpy(&(dst), &(src), sizeof(va_list))
|
||||||
|
#endif /* __va_copy */
|
||||||
|
#endif /* va_copy */
|
||||||
|
|
||||||
|
static u8 canary[10]; /* 80-bit canary value */
|
||||||
|
static volatile int canary_initialized=0;
|
||||||
|
|
||||||
|
typedef struct alloc_list_struct ALLOC_LIST;
|
||||||
|
|
||||||
|
typedef struct {
|
||||||
|
ALLOC_LIST *head;
|
||||||
|
size_t bytes, blocks;
|
||||||
|
} ALLOC_TLS;
|
||||||
|
|
||||||
|
struct alloc_list_struct {
|
||||||
|
ALLOC_LIST *prev, *next;
|
||||||
|
ALLOC_TLS *tls;
|
||||||
|
size_t size;
|
||||||
|
int valid_canary;
|
||||||
|
unsigned int magic;
|
||||||
|
/* at least on IA64 allocations need to be aligned */
|
||||||
|
#ifdef __GNUC__
|
||||||
|
} __attribute__((aligned(16)));
|
||||||
|
#else
|
||||||
|
int padding[2]; /* the number of integers is architecture-specific */
|
||||||
|
};
|
||||||
|
#endif
|
||||||
|
|
||||||
|
static void set_alloc_tls(ALLOC_TLS *);
|
||||||
|
static ALLOC_TLS *get_alloc_tls();
|
||||||
|
static ALLOC_LIST *get_alloc_list_ptr(void *, char *, int);
|
||||||
|
|
||||||
|
char *str_dup(const char *str) {
|
||||||
|
char *retval;
|
||||||
|
|
||||||
|
retval=str_alloc(strlen(str)+1);
|
||||||
|
strcpy(retval, str);
|
||||||
|
return retval;
|
||||||
|
}
|
||||||
|
|
||||||
|
char *str_printf(const char *format, ...) {
|
||||||
|
char *txt;
|
||||||
|
va_list arglist;
|
||||||
|
|
||||||
|
va_start(arglist, format);
|
||||||
|
txt=str_vprintf(format, arglist);
|
||||||
|
va_end(arglist);
|
||||||
|
return txt;
|
||||||
|
}
|
||||||
|
|
||||||
|
char *str_vprintf(const char *format, va_list start_ap) {
|
||||||
|
int n, size=32;
|
||||||
|
char *p, *np;
|
||||||
|
va_list ap;
|
||||||
|
|
||||||
|
p=str_alloc(size);
|
||||||
|
for(;;) {
|
||||||
|
va_copy(ap, start_ap);
|
||||||
|
n=vsnprintf(p, size, format, ap);
|
||||||
|
if(n>-1 && n<size)
|
||||||
|
return p;
|
||||||
|
if(n>-1) /* glibc 2.1 */
|
||||||
|
size=n+1; /* precisely what is needed */
|
||||||
|
else /* glibc 2.0, WIN32, etc. */
|
||||||
|
size*=2; /* twice the old size */
|
||||||
|
np=str_realloc(p, size);
|
||||||
|
p=np; /* LOL */
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef USE_UCONTEXT
|
||||||
|
|
||||||
|
static ALLOC_TLS *global_tls=NULL;
|
||||||
|
|
||||||
|
void str_init() {
|
||||||
|
}
|
||||||
|
|
||||||
|
static void set_alloc_tls(ALLOC_TLS *tls) {
|
||||||
|
if(ready_head)
|
||||||
|
ready_head->tls=tls;
|
||||||
|
else /* ucontext threads not initialized */
|
||||||
|
global_tls=tls;
|
||||||
|
}
|
||||||
|
|
||||||
|
static ALLOC_TLS *get_alloc_tls() {
|
||||||
|
if(ready_head)
|
||||||
|
return ready_head->tls;
|
||||||
|
else /* ucontext threads not initialized */
|
||||||
|
return global_tls;
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* USE_UCONTEXT */
|
||||||
|
|
||||||
|
#ifdef USE_FORK
|
||||||
|
|
||||||
|
static ALLOC_TLS *global_tls=NULL;
|
||||||
|
|
||||||
|
void str_init() {
|
||||||
|
}
|
||||||
|
|
||||||
|
static void set_alloc_tls(ALLOC_TLS *tls) {
|
||||||
|
global_tls=tls;
|
||||||
|
}
|
||||||
|
|
||||||
|
static ALLOC_TLS *get_alloc_tls() {
|
||||||
|
return global_tls;
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* USE_FORK */
|
||||||
|
|
||||||
|
#ifdef USE_PTHREAD
|
||||||
|
|
||||||
|
static pthread_key_t pthread_key;
|
||||||
|
|
||||||
|
void str_init() {
|
||||||
|
pthread_key_create(&pthread_key, NULL);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void set_alloc_tls(ALLOC_TLS *tls) {
|
||||||
|
pthread_setspecific(pthread_key, tls);
|
||||||
|
}
|
||||||
|
|
||||||
|
static ALLOC_TLS *get_alloc_tls() {
|
||||||
|
return pthread_getspecific(pthread_key);
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* USE_PTHREAD */
|
||||||
|
|
||||||
|
#ifdef USE_WIN32
|
||||||
|
|
||||||
|
static DWORD tls_index;
|
||||||
|
|
||||||
|
void str_init() {
|
||||||
|
tls_index=TlsAlloc();
|
||||||
|
}
|
||||||
|
|
||||||
|
static void set_alloc_tls(ALLOC_TLS *alloc_tls) {
|
||||||
|
TlsSetValue(tls_index, alloc_tls);
|
||||||
|
}
|
||||||
|
|
||||||
|
static ALLOC_TLS *get_alloc_tls() {
|
||||||
|
return TlsGetValue(tls_index);
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* USE_WIN32 */
|
||||||
|
|
||||||
|
void str_canary_init() {
|
||||||
|
if(canary_initialized) /* prevent double initialization on config reload */
|
||||||
|
return;
|
||||||
|
RAND_bytes(canary, sizeof canary);
|
||||||
|
canary_initialized=1; /* after RAND_bytes */
|
||||||
|
}
|
||||||
|
|
||||||
|
void str_cleanup() {
|
||||||
|
ALLOC_TLS *alloc_tls;
|
||||||
|
|
||||||
|
alloc_tls=get_alloc_tls();
|
||||||
|
if(alloc_tls) {
|
||||||
|
while(alloc_tls->head) /* str_free macro requires lvalue parameter */
|
||||||
|
str_free_debug(alloc_tls->head+1, __FILE__, __LINE__);
|
||||||
|
set_alloc_tls(NULL);
|
||||||
|
free(alloc_tls);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void str_stats() {
|
||||||
|
ALLOC_TLS *alloc_tls;
|
||||||
|
|
||||||
|
alloc_tls=get_alloc_tls();
|
||||||
|
if(!alloc_tls) {
|
||||||
|
s_log(LOG_DEBUG, "str_stats: alloc_tls not initialized");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
if(!alloc_tls->blocks && !alloc_tls->bytes)
|
||||||
|
return; /* skip if no data is allocated */
|
||||||
|
s_log(LOG_DEBUG, "str_stats: %lu block(s), "
|
||||||
|
"%lu data byte(s), %lu control byte(s)",
|
||||||
|
(unsigned long int)alloc_tls->blocks,
|
||||||
|
(unsigned long int)alloc_tls->bytes,
|
||||||
|
(unsigned long int)(alloc_tls->blocks*
|
||||||
|
(sizeof(ALLOC_LIST)+sizeof canary)));
|
||||||
|
}
|
||||||
|
|
||||||
|
void *str_alloc_debug(size_t size, char *file, int line) {
|
||||||
|
ALLOC_TLS *alloc_tls;
|
||||||
|
ALLOC_LIST *alloc_list;
|
||||||
|
|
||||||
|
alloc_tls=get_alloc_tls();
|
||||||
|
if(!alloc_tls) { /* first allocation in this thread */
|
||||||
|
alloc_tls=calloc(1, sizeof(ALLOC_TLS));
|
||||||
|
if(!alloc_tls)
|
||||||
|
fatal_debug("Out of memory", file, line);
|
||||||
|
alloc_tls->head=NULL;
|
||||||
|
alloc_tls->bytes=alloc_tls->blocks=0;
|
||||||
|
set_alloc_tls(alloc_tls);
|
||||||
|
}
|
||||||
|
alloc_list=calloc(1, sizeof(ALLOC_LIST)+size+sizeof canary);
|
||||||
|
if(!alloc_list)
|
||||||
|
fatal_debug("Out of memory", file, line);
|
||||||
|
|
||||||
|
alloc_list->prev=NULL;
|
||||||
|
alloc_list->next=alloc_tls->head;
|
||||||
|
alloc_list->tls=alloc_tls;
|
||||||
|
alloc_list->size=size;
|
||||||
|
alloc_list->valid_canary=canary_initialized; /* before memcpy */
|
||||||
|
memcpy((u8 *)(alloc_list+1)+size, canary, sizeof canary);
|
||||||
|
alloc_list->magic=0xdeadbeef;
|
||||||
|
|
||||||
|
if(alloc_tls->head)
|
||||||
|
alloc_tls->head->prev=alloc_list;
|
||||||
|
alloc_tls->head=alloc_list;
|
||||||
|
alloc_tls->bytes+=size;
|
||||||
|
alloc_tls->blocks++;
|
||||||
|
|
||||||
|
return alloc_list+1;
|
||||||
|
}
|
||||||
|
|
||||||
|
void *str_realloc_debug(void *ptr, size_t size, char *file, int line) {
|
||||||
|
ALLOC_LIST *previous_alloc_list, *alloc_list;
|
||||||
|
|
||||||
|
if(!ptr)
|
||||||
|
return str_alloc(size);
|
||||||
|
previous_alloc_list=get_alloc_list_ptr(ptr, file, line);
|
||||||
|
alloc_list=realloc(previous_alloc_list,
|
||||||
|
sizeof(ALLOC_LIST)+size+sizeof canary);
|
||||||
|
if(!alloc_list)
|
||||||
|
fatal_debug("Out of memory", file, line);
|
||||||
|
if(alloc_list->tls) { /* not detached */
|
||||||
|
/* refresh possibly invalidated linked list pointers */
|
||||||
|
if(alloc_list->tls->head==previous_alloc_list)
|
||||||
|
alloc_list->tls->head=alloc_list;
|
||||||
|
if(alloc_list->next)
|
||||||
|
alloc_list->next->prev=alloc_list;
|
||||||
|
if(alloc_list->prev)
|
||||||
|
alloc_list->prev->next=alloc_list;
|
||||||
|
/* update statistics */
|
||||||
|
alloc_list->tls->bytes+=size-alloc_list->size;
|
||||||
|
}
|
||||||
|
alloc_list->size=size;
|
||||||
|
alloc_list->valid_canary=canary_initialized; /* before memcpy */
|
||||||
|
memcpy((u8 *)(alloc_list+1)+size, canary, sizeof canary);
|
||||||
|
return alloc_list+1;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* detach from thread automatic deallocation list */
|
||||||
|
/* it has no effect if the allocation is already detached */
|
||||||
|
void str_detach_debug(void *ptr, char *file, int line) {
|
||||||
|
ALLOC_LIST *alloc_list;
|
||||||
|
|
||||||
|
if(!ptr) /* do not attempt to free null pointers */
|
||||||
|
return;
|
||||||
|
alloc_list=get_alloc_list_ptr(ptr, file, line);
|
||||||
|
if(alloc_list->tls) { /* not detached */
|
||||||
|
/* remove from linked list */
|
||||||
|
if(alloc_list->tls->head==alloc_list)
|
||||||
|
alloc_list->tls->head=alloc_list->next;
|
||||||
|
if(alloc_list->next)
|
||||||
|
alloc_list->next->prev=alloc_list->prev;
|
||||||
|
if(alloc_list->prev)
|
||||||
|
alloc_list->prev->next=alloc_list->next;
|
||||||
|
/* update statistics */
|
||||||
|
alloc_list->tls->bytes-=alloc_list->size;
|
||||||
|
alloc_list->tls->blocks--;
|
||||||
|
/* clear pointers */
|
||||||
|
alloc_list->next=NULL;
|
||||||
|
alloc_list->prev=NULL;
|
||||||
|
alloc_list->tls=NULL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void str_free_debug(void *ptr, char *file, int line) {
|
||||||
|
ALLOC_LIST *alloc_list;
|
||||||
|
|
||||||
|
if(!ptr) /* do not attempt to free null pointers */
|
||||||
|
return;
|
||||||
|
str_detach_debug(ptr, file, line);
|
||||||
|
alloc_list=(ALLOC_LIST *)ptr-1;
|
||||||
|
alloc_list->magic=0xdefec8ed; /* to detect double free attempts */
|
||||||
|
free(alloc_list);
|
||||||
|
}
|
||||||
|
|
||||||
|
static ALLOC_LIST *get_alloc_list_ptr(void *ptr, char *file, int line) {
|
||||||
|
ALLOC_LIST *alloc_list;
|
||||||
|
|
||||||
|
alloc_list=(ALLOC_LIST *)ptr-1;
|
||||||
|
if(alloc_list->magic!=0xdeadbeef) { /* not allocated by str_alloc() */
|
||||||
|
if(alloc_list->magic==0xdefec8ed)
|
||||||
|
fatal_debug("Double free attempt", file, line);
|
||||||
|
else
|
||||||
|
fatal_debug("Bad magic", file, line); /* LOL */
|
||||||
|
}
|
||||||
|
if(alloc_list->tls /* not detached */ && alloc_list->tls!=get_alloc_tls())
|
||||||
|
fatal_debug("Memory allocated in a different thread", file, line);
|
||||||
|
if(alloc_list->valid_canary &&
|
||||||
|
memcmp((u8 *)ptr+alloc_list->size, canary, sizeof canary))
|
||||||
|
fatal_debug("Dead canary", file, line); /* LOL */
|
||||||
|
return alloc_list;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* end of str.c */
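Review bot: `str_canary_init()` ignores the return value of `RAND_bytes(canary, sizeof canary)`; if the PRNG is not seeded the call fails and leaves the all-zero static `canary` in place while `canary_initialized=1` still marks it valid, so the "Dead canary" check in `get_alloc_list_ptr()` compares against a predictable value. Check the result and fail hard, e.g. `if(RAND_bytes(canary, sizeof canary)!=1) fatal_debug("RAND_bytes failed", __FILE__, __LINE__);`, before setting `canary_initialized`. Two smaller points in the same hunk: the `if(!ptr) return str_alloc(size);` shortcut in `str_realloc_debug()` records str.c's own `__FILE__`/`__LINE__` for the new block instead of the caller's `file`/`line` (`return str_alloc_debug(size, file, line);` preserves them), and after `realloc()` the code compares `alloc_list->tls->head==previous_alloc_list`, a pointer whose block has just been freed; testing `alloc_list->prev==NULL` instead identifies the list head without touching the stale value, since only the head has a NULL `prev` while attached. Style: the prototype `static ALLOC_TLS *get_alloc_tls();` should be declared `(void)` to match its definitions.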
|
729
src/stunnel.c
Normal file
@ -0,0 +1,729 @@
|
|||||||
|
/*
|
||||||
|
* stunnel Universal SSL tunnel
|
||||||
|
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
* Free Software Foundation; either version 2 of the License, or (at your
|
||||||
|
* option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||||
|
* See the GNU General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License along
|
||||||
|
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||||
|
*
|
||||||
|
* Linking stunnel statically or dynamically with other modules is making
|
||||||
|
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||||
|
* the GNU General Public License cover the whole combination.
|
||||||
|
*
|
||||||
|
* In addition, as a special exception, the copyright holder of stunnel
|
||||||
|
* gives you permission to combine stunnel with free software programs or
|
||||||
|
* libraries that are released under the GNU LGPL and with code included
|
||||||
|
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/

#include "common.h"
#include "prototypes.h"

/* http://www.openssl.org/support/faq.html#PROG2 */
#ifdef USE_WIN32
#ifdef __GNUC__
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-pedantic"
#endif /* __GNUC__ */
#include <openssl/applink.c>
#ifdef __GNUC__
#pragma GCC diagnostic pop
#endif /* __GNUC__ */
#endif /* USE_WIN32 */

/**************************************** prototypes */

#ifdef __INNOTEK_LIBC__
struct sockaddr_un {
u_char sun_len; /* sockaddr len including null */
u_char sun_family; /* AF_OS2 or AF_UNIX */
char sun_path[108]; /* path name */
};
#endif

#ifndef USE_WIN32
static int main_unix(int, char*[]);
#endif
static int accept_connection(SERVICE_OPTIONS *);
#ifdef HAVE_CHROOT
static int change_root(void);
#endif
#if !defined(USE_WIN32) && !defined(__vms)
static int daemonize(int);
static int create_pid(void);
static void delete_pid(void);
#endif
#if !defined(USE_WIN32) && !defined(USE_OS2)
static void signal_handler(int);
#endif
static int signal_pipe_init(void);
static int signal_pipe_dispatch(void);
#ifdef USE_FORK
static void client_status(void); /* dead children detected */
#endif

/**************************************** global variables */

static int signal_pipe[2]={-1, -1};

#ifndef USE_FORK
int max_clients=0;
volatile int num_clients=0; /* current number of clients */
#endif
s_poll_set *fds; /* file descriptors of listening sockets */

/**************************************** startup */

#ifndef USE_WIN32
int main(int argc, char* argv[]) { /* execution begins here 8-) */
int retval;

#ifdef M_MMAP_THRESHOLD
mallopt(M_MMAP_THRESHOLD, 4096);
#endif
str_init(); /* initialize per-thread string management */
retval=main_unix(argc, argv);
unbind_ports();
s_poll_free(fds);
fds=NULL;
str_stats();
log_flush(LOG_MODE_ERROR);
return retval;
}

static int main_unix(int argc, char* argv[]) {
#if !defined(__vms) && !defined(USE_OS2)
int fd;

fd=open("/dev/null", O_RDWR); /* open /dev/null before chroot */
if(fd<0)
fatal("Could not open /dev/null");
#endif /* standard Unix */
main_initialize();
if(main_configure(argc>1 ? argv[1] : NULL, argc>2 ? argv[2] : NULL))
return 1;
if(service_options.next) { /* there are service sections -> daemon mode */
#if !defined(__vms) && !defined(USE_OS2)
if(daemonize(fd))
return 1;
close(fd);
/* create_pid() must be called after drop_privileges()
* or it won't be possible to remove the file on exit */
/* create_pid() must be called after daemonize()
* since the final pid is not known beforehand */
if(create_pid())
return 1;
#endif /* standard Unix */
signal(SIGCHLD, signal_handler); /* handle dead children */
signal(SIGHUP, signal_handler); /* configuration reload */
signal(SIGUSR1, signal_handler); /* log reopen */
signal(SIGPIPE, SIG_IGN); /* ignore broken pipe */
if(signal(SIGTERM, SIG_IGN)!=SIG_IGN)
signal(SIGTERM, signal_handler); /* fatal */
if(signal(SIGQUIT, SIG_IGN)!=SIG_IGN)
signal(SIGQUIT, signal_handler); /* fatal */
if(signal(SIGINT, SIG_IGN)!=SIG_IGN)
signal(SIGINT, signal_handler); /* fatal */
daemon_loop();
} else { /* inetd mode */
#if !defined(__vms) && !defined(USE_OS2)
close(fd);
#endif /* standard Unix */
signal(SIGCHLD, SIG_IGN); /* ignore dead children */
signal(SIGPIPE, SIG_IGN); /* ignore broken pipe */
client_main(alloc_client_session(&service_options, 0, 1));
}
return 0;
}
#endif

void main_initialize() { /* one-time initialization */
/* basic initialization contains essential functions required for logging
* subsystem to function properly, thus all errors here are fatal */
if(ssl_init()) /* initialize SSL library */
fatal("SSL initialization failed");
if(sthreads_init()) /* initialize critical sections & SSL callbacks */
fatal("Threads initialization failed");
#ifndef USE_FORK
get_limits(); /* required by setup_fd() */
#endif
fds=s_poll_alloc();
if(signal_pipe_init())
fatal("Signal pipe initialization failed: "
"check your personal firewall");
stunnel_info(LOG_NOTICE);
}

/* configuration-dependent initialization */
int main_configure(char *arg1, char *arg2) {
if(parse_commandline(arg1, arg2))
return 1;
str_canary_init(); /* needs prng initialization from parse_commandline */
#if !defined(USE_WIN32) && !defined(__vms)
/* syslog_open() must be called before change_root()
* to be able to access /dev/log socket */
syslog_open();
#endif /* !defined(USE_WIN32) && !defined(__vms) */
if(bind_ports())
return 1;

#ifdef HAVE_CHROOT
/* change_root() must be called before drop_privileges()
* since chroot() needs root privileges */
if(change_root())
return 1;
#endif /* HAVE_CHROOT */

#if !defined(USE_WIN32) && !defined(__vms) && !defined(USE_OS2)
if(drop_privileges(1))
return 1;
#endif /* standard Unix */

/* log_open() must be be called after drop_privileges()
* or logfile rotation won't be possible */
/* log_open() must be be called before daemonize()
* since daemonize() invalidates stderr */
log_open();
return 0;
}

/**************************************** main loop accepting connections */

void daemon_loop(void) {
SERVICE_OPTIONS *opt;
int temporary_lack_of_resources;

while(1) {
temporary_lack_of_resources=0;
if(s_poll_wait(fds, -1, -1)>=0) {
if(s_poll_canread(fds, signal_pipe[0]))
if(signal_pipe_dispatch()) /* received SIGNAL_TERMINATE */
break; /* terminate daemon_loop */
for(opt=service_options.next; opt; opt=opt->next)
if(opt->option.accept && s_poll_canread(fds, opt->fd))
if(accept_connection(opt))
temporary_lack_of_resources=1;
} else {
log_error(LOG_NOTICE, get_last_socket_error(),
"daemon_loop: s_poll_wait");
temporary_lack_of_resources=1;
}
if(temporary_lack_of_resources) {
s_log(LOG_NOTICE,
"Accepting new connections suspended for 1 second");
sleep(1); /* to avoid log trashing */
}
}
}

/* return 1 when a short delay is needed before another try */
static int accept_connection(SERVICE_OPTIONS *opt) {
SOCKADDR_UNION addr;
char *from_address;
int s;
socklen_t addrlen;

addrlen=sizeof addr;
for(;;) {
s=s_accept(opt->fd, &addr.sa, &addrlen, 1, "local socket");
if(s>=0) /* success! */
break;
switch(get_last_socket_error()) {
case S_EINTR: /* interrupted by a signal */
break; /* retry now */
case S_EMFILE:
#ifdef S_ENFILE
case S_ENFILE:
#endif
#ifdef S_ENOBUFS
case S_ENOBUFS:
#endif
#ifdef S_ENOMEM
case S_ENOMEM:
#endif
return 1; /* temporary lack of resources */
default:
return 0; /* any other error */
}
}
from_address=s_ntop(&addr, addrlen);
s_log(LOG_DEBUG, "Service [%s] accepted (FD=%d) from %s",
opt->servname, s, from_address);
str_free(from_address);
#ifndef USE_FORK
if(max_clients && num_clients>=max_clients) {
s_log(LOG_WARNING, "Connection rejected: too many clients (>=%d)",
max_clients);
closesocket(s);
return 0;
}
#endif
if(create_client(opt->fd, s,
alloc_client_session(opt, s, s), client_thread)) {
s_log(LOG_ERR, "Connection rejected: create_client failed");
closesocket(s);
return 0;
}
return 0;
}

/**************************************** initialization helpers */

/* clear fds, close old ports */
void unbind_ports(void) {
SERVICE_OPTIONS *opt;
#ifdef HAVE_STRUCT_SOCKADDR_UN
struct stat st; /* buffer for stat */
#endif

s_poll_init(fds);
s_poll_add(fds, signal_pipe[0], 1, 0);

for(opt=service_options.next; opt; opt=opt->next)
if(opt->option.accept && opt->fd>=0) {
closesocket(opt->fd);
s_log(LOG_DEBUG, "Service [%s] closed (FD=%d)",
opt->servname, opt->fd);
opt->fd=-1;
#ifdef HAVE_STRUCT_SOCKADDR_UN
if(opt->local_addr.sa.sa_family==AF_UNIX) {
if(lstat(opt->local_addr.un.sun_path, &st))
sockerror(opt->local_addr.un.sun_path);
else if(!S_ISSOCK(st.st_mode))
s_log(LOG_ERR, "Not a socket: %s",
opt->local_addr.un.sun_path);
else if(unlink(opt->local_addr.un.sun_path))
sockerror(opt->local_addr.un.sun_path);
else
s_log(LOG_DEBUG, "Socket removed: %s",
opt->local_addr.un.sun_path);
}
#endif
}
}

/* open new ports, update fds */
int bind_ports(void) {
SERVICE_OPTIONS *opt;
char *local_address;

#ifdef USE_LIBWRAP
/* execute after parse_commandline() to know service_options.next,
* but as early as possible to avoid leaking file descriptors */
/* retry on each bind_ports() in case stunnel.conf was reloaded
without "libwrap = no" */
libwrap_init();
#endif /* USE_LIBWRAP */

s_poll_init(fds);
s_poll_add(fds, signal_pipe[0], 1, 0);

/* allow clean unbind_ports() even though
bind_ports() was not fully performed */
for(opt=service_options.next; opt; opt=opt->next)
if(opt->option.accept)
opt->fd=-1;

for(opt=service_options.next; opt; opt=opt->next) {
if(opt->option.accept) {
opt->fd=s_socket(opt->local_addr.sa.sa_family,
SOCK_STREAM, 0, 1, "accept socket");
if(opt->fd<0)
return 1;
if(set_socket_options(opt->fd, 0)<0) {
closesocket(opt->fd);
return 1;
}
/* local socket can't be unnamed */
local_address=s_ntop(&opt->local_addr, addr_len(&opt->local_addr));
if(bind(opt->fd, &opt->local_addr.sa, addr_len(&opt->local_addr))) {
s_log(LOG_ERR, "Error binding service [%s] to %s",
opt->servname, local_address);
sockerror("bind");
closesocket(opt->fd);
str_free(local_address);
return 1;
}
if(listen(opt->fd, SOMAXCONN)) {
sockerror("listen");
closesocket(opt->fd);
str_free(local_address);
return 1;
}
s_poll_add(fds, opt->fd, 1, 0);
s_log(LOG_DEBUG, "Service [%s] (FD=%d) bound to %s",
opt->servname, opt->fd, local_address);
str_free(local_address);
} else if(opt->option.program && opt->option.remote) {
/* create exec+connect services */
create_client(-1, -1,
alloc_client_session(opt, -1, -1), client_thread);
}
}
return 0; /* OK */
}

#ifdef HAVE_CHROOT
static int change_root(void) {
if(!global_options.chroot_dir)
return 0;
if(chroot(global_options.chroot_dir)) {
sockerror("chroot");
return 1;
}
if(chdir("/")) {
sockerror("chdir");
return 1;
}
return 0;
}
#endif /* HAVE_CHROOT */

#if !defined(USE_WIN32) && !defined(__vms) && !defined(USE_OS2)

int drop_privileges(int critical) {
#ifdef HAVE_SETGROUPS
gid_t gr_list[1];
#endif

/* set uid and gid */
if(global_options.gid) {
if(setgid(global_options.gid) && critical) {
sockerror("setgid");
return 1;
}
#ifdef HAVE_SETGROUPS
gr_list[0]=global_options.gid;
if(setgroups(1, gr_list) && critical) {
sockerror("setgroups");
return 1;
}
#endif
}
if(global_options.uid) {
if(setuid(global_options.uid) && critical) {
sockerror("setuid");
return 1;
}
}
return 0;
}

static int daemonize(int fd) { /* go to background */
if(global_options.option.foreground)
return 0;
dup2(fd, 0);
dup2(fd, 1);
dup2(fd, 2);
#if defined(HAVE_DAEMON) && !defined(__BEOS__)
/* set noclose option when calling daemon() function,
* so it does not require /dev/null device in the chrooted directory */
if(daemon(0, 1)==-1) {
ioerror("daemon");
return 1;
}
#else
chdir("/");
switch(fork()) {
case -1: /* fork failed */
ioerror("fork");
return 1;
case 0: /* child */
break;
default: /* parent */
exit(0);
}
#endif
#ifdef HAVE_SETSID
setsid(); /* ignore the error */
#endif
return 0;
}

static int create_pid(void) {
int pf;
char *pid;

if(!global_options.pidfile) {
s_log(LOG_DEBUG, "No pid file being created");
return 0;
}
if(global_options.pidfile[0]!='/') {
/* to prevent creating pid file relative to '/' after daemonize() */
s_log(LOG_ERR, "Pid file (%s) must be full path name", global_options.pidfile);
return 1;
}
global_options.dpid=(unsigned long)getpid();

/* silently remove old pid file */
unlink(global_options.pidfile);
pf=open(global_options.pidfile, O_WRONLY|O_CREAT|O_TRUNC|O_EXCL, 0644);
if(pf==-1) {
s_log(LOG_ERR, "Cannot create pid file %s", global_options.pidfile);
ioerror("create");
return 1;
}
pid=str_printf("%lu\n", global_options.dpid);
write(pf, pid, strlen(pid));
str_free(pid);
close(pf);
s_log(LOG_DEBUG, "Created pid file %s", global_options.pidfile);
atexit(delete_pid);
return 0;
}

static void delete_pid(void) {
if((unsigned long)getpid()!=global_options.dpid)
return; /* current process is not main daemon process */
s_log(LOG_DEBUG, "removing pid file %s", global_options.pidfile);
if(unlink(global_options.pidfile)<0)
ioerror(global_options.pidfile); /* not critical */
}

#endif /* standard Unix */

/**************************************** signal pipe handling */

static int signal_pipe_init(void) {
#ifdef USE_WIN32
if(make_sockets(signal_pipe))
return 1;
#elif defined(__INNOTEK_LIBC__)
/* Innotek port of GCC can not use select on a pipe:
* use local socket instead */
struct sockaddr_un un;
fd_set set_pipe;
int pipe_in;

FD_ZERO(&set_pipe);
signal_pipe[0]=s_socket(PF_OS2, SOCK_STREAM, 0, 0, "socket#1");
signal_pipe[1]=s_socket(PF_OS2, SOCK_STREAM, 0, 0, "socket#2");

/* connect the two endpoints */
memset(&un, 0, sizeof un);
un.sun_len=sizeof un;
un.sun_family=AF_OS2;
sprintf(un.sun_path, "\\socket\\stunnel-%u", getpid());
/* make the first endpoint listen */
bind(signal_pipe[0], (struct sockaddr *)&un, sizeof un);
listen(signal_pipe[0], 1);
connect(signal_pipe[1], (struct sockaddr *)&un, sizeof un);
FD_SET(signal_pipe[0], &set_pipe);
if(select(signal_pipe[0]+1, &set_pipe, NULL, NULL, NULL)>0) {
pipe_in=signal_pipe[0];
signal_pipe[0]=s_accept(signal_pipe[0], NULL, 0, 0, "accept");
closesocket(pipe_in);
} else {
sockerror("select");
return 1;
}
#else /* Unix */
if(s_pipe(signal_pipe, 1, "signal_pipe"))
return 1;
#endif /* USE_WIN32 */
return 0;
}

void signal_post(int sig) {
writesocket(signal_pipe[1], (char *)&sig, sizeof sig);
}

static int signal_pipe_dispatch(void) {
int sig, err;

s_log(LOG_DEBUG, "Dispatching signals from the signal pipe");
while(readsocket(signal_pipe[0], (char *)&sig, sizeof sig)==sizeof sig) {
switch(sig) {
#ifndef USE_WIN32
case SIGCHLD:
s_log(LOG_DEBUG, "Processing SIGCHLD");
#ifdef USE_FORK
client_status(); /* report status of client process */
#else /* USE_UCONTEXT || USE_PTHREAD */
child_status(); /* report status of libwrap or 'exec' process */
#endif /* defined USE_FORK */
break;
#endif /* !defind USE_WIN32 */
case SIGNAL_RELOAD_CONFIG:
s_log(LOG_DEBUG, "Processing SIGNAL_RELOAD_CONFIG");
err=parse_conf(NULL, CONF_RELOAD);
if(err) {
s_log(LOG_ERR, "Failed to reload the configuration file");
} else {
unbind_ports();
log_close();
apply_conf();
log_open();
if(bind_ports()) {
/* FIXME: handle the error */
}
}
break;
case SIGNAL_REOPEN_LOG:
s_log(LOG_DEBUG, "Processing SIGNAL_REOPEN_LOG");
log_close();
log_open();
s_log(LOG_NOTICE, "Log file reopened");
break;
case SIGNAL_TERMINATE:
s_log(LOG_DEBUG, "Processing SIGNAL_TERMINATE");
s_log(LOG_NOTICE, "Terminated");
return 2;
default:
s_log(LOG_ERR, "Received signal %d; terminating", sig);
return 1;
}
}
s_log(LOG_DEBUG, "Signal pipe is empty");
return 0;
}

#ifdef USE_FORK
static void client_status(void) { /* dead children detected */
int pid, status;

#ifdef HAVE_WAIT_FOR_PID
while((pid=wait_for_pid(-1, &status, WNOHANG))>0) {
#else
if((pid=wait(&status))>0) {
#endif
#ifdef WIFSIGNALED
if(WIFSIGNALED(status)) {
s_log(LOG_DEBUG, "Process %d terminated on signal %d",
pid, WTERMSIG(status));
} else {
s_log(LOG_DEBUG, "Process %d finished with code %d",
pid, WEXITSTATUS(status));
}
}
#else
s_log(LOG_DEBUG, "Process %d finished with code %d",
pid, status);
}
#endif
}
#endif /* defined USE_FORK */

#if !defined(USE_WIN32) && !defined(USE_OS2)

void child_status(void) { /* dead libwrap or 'exec' process detected */
int pid, status;

#ifdef HAVE_WAIT_FOR_PID
while((pid=wait_for_pid(-1, &status, WNOHANG))>0) {
#else
if((pid=wait(&status))>0) {
#endif
#ifdef WIFSIGNALED
if(WIFSIGNALED(status)) {
s_log(LOG_INFO, "Child process %d terminated on signal %d",
pid, WTERMSIG(status));
} else {
s_log(LOG_INFO, "Child process %d finished with code %d",
pid, WEXITSTATUS(status));
}
#else
s_log(LOG_INFO, "Child process %d finished with status %d",
pid, status);
#endif
}
}

static void signal_handler(int sig) {
int saved_errno;

saved_errno=errno;
signal_post(sig);
signal(sig, signal_handler);
errno=saved_errno;
}

#endif /* !defined(USE_WIN32) && !defined(USE_OS2) */

/**************************************** log messages to identify build */

void stunnel_info(int level) {
s_log(level, "stunnel " STUNNEL_VERSION " on " HOST " platform");
if(SSLeay()==SSLEAY_VERSION_NUMBER) {
s_log(level, "Compiled/running with " OPENSSL_VERSION_TEXT);
} else {
s_log(level, "Compiled with " OPENSSL_VERSION_TEXT);
s_log(level, "Running with %s", SSLeay_version(SSLEAY_VERSION));
s_log(level, "Update OpenSSL shared libraries or rebuild stunnel");
}
s_log(level,
"Threading:"
#ifdef USE_UCONTEXT
"UCONTEXT"
#endif
#ifdef USE_PTHREAD
"PTHREAD"
#endif
#ifdef USE_WIN32
"WIN32"
#endif
#ifdef USE_FORK
"FORK"
#endif

" SSL:"
#if defined HAVE_OSSL_ENGINE_H || defined HAVE_OSSL_OCSP_H || defined USE_FIPS
#ifdef HAVE_OSSL_ENGINE_H
"+ENGINE"
#endif
#ifdef HAVE_OSSL_OCSP_H
"+OCSP"
#endif
#ifdef USE_FIPS
"+FIPS"
#endif
#else
"none"
#endif

" Auth:"
#ifdef USE_LIBWRAP
"LIBWRAP"
#else
"none"
#endif

" Sockets:"
#ifdef USE_POLL
"POLL"
#else /* defined(USE_POLL) */
"SELECT"
#endif /* defined(USE_POLL) */
"+IPv%c",
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
s_getaddrinfo ? '6' : '4'
#else /* defined(USE_WIN32) */
#if defined(USE_IPv6)
'6'
#else /* defined(USE_IPv6) */
'4'
#endif /* defined(USE_IPv6) */
#endif /* defined(USE_WIN32) */
);
}

/* end of stunnel.c */
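Review bot: the `/* FIXME: handle the error */` branch in `signal_pipe_dispatch()` (case SIGNAL_RELOAD_CONFIG) is a real gap, not a cosmetic one: `unbind_ports()` has already closed every listening socket before `bind_ports()` runs, so a reload with an `accept` address that no longer binds (port taken meanwhile, or a port below 1024 now that `drop_privileges(1)` has run since the first `bind_ports()`) leaves the daemon alive but accepting nothing, and because `bind_ports()` returns at its first failure the services after the failing one never get a socket either. Either log at LOG_ERR and post SIGNAL_TERMINATE so a supervisor restarts the process, or bind the new set before releasing the old one. Smaller points in the same file: `create_pid()` unlinks the old pid file "silently" and then opens with `O_CREAT|O_TRUNC|O_EXCL`, so a second instance replaces a running daemon's pid file without checking whether that pid is alive (and `O_TRUNC` is redundant next to `O_EXCL`), and the `write(pf, pid, strlen(pid))` return value is discarded; in `drop_privileges()` the non-critical path (`critical==0`) swallows `setgid`/`setgroups`/`setuid` failures without even a LOG_DEBUG line, which makes a silent failure to drop privileges impossible to diagnose from the log.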
BIN src/stunnel.ico Normal file
Binary file not shown (4.6 KiB).
75 src/stunnel3.in Executable file
@ -0,0 +1,75 @@
#!/usr/bin/perl
#
# stunnel3 Perl wrapper to use stunnel 3.x syntax in stunnel >=4.05
# Copyright (C) 2004-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
# Version: 2.03
# Date: 2011.10.22
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, see <http://www.gnu.org/licenses>.

use POSIX;
use Getopt::Std;

# Configuration - path to stunnel (version >=4.05)
$stunnel_bin='@prefix@/bin/stunnel';

# stunnel3 script body begins here
($read_fd, $write_fd)=POSIX::pipe();
$pid=fork;
die "Can't fork" unless defined $pid;
if($pid) { # parent
POSIX::close($write_fd);
exec "$stunnel_bin -fd $read_fd";
die "$stunnel_bin exec failed";
}
# child
POSIX::close($read_fd);
open(STUNNEL, ">&$write_fd");
# comment out the next line to see the config file
select(STUNNEL);

getopts('cTWfD:O:o:C:p:v:a:A:t:N:u:n:E:R:B:I:d:s:g:P:r:L:l:');

print("client = yes\n") if defined $opt_c;
print("transparent = yes\n") if defined $opt_T;
print("RNDoverwrite = yes\n") if defined $opt_W;
print("foreground = yes\n") if defined $opt_f;
print("debug = $opt_D\n") if defined $opt_D;
print("socket = $opt_O\n") if defined $opt_O;
print("output = $opt_o\n") if defined $opt_o;
print("ciphers = $opt_C\n") if defined $opt_C;
print("cert = $opt_p\n") if defined $opt_p;
print("verify = $opt_v\n") if defined $opt_v;
print("CApath = $opt_a\n") if defined $opt_a;
print("CAfile = $opt_A\n") if defined $opt_A;
print("session = $opt_t\n") if defined $opt_t;
print("service = $opt_N\n") if defined $opt_N;
print("ident = $opt_u\n") if defined $opt_u;
print("protocol = $opt_n\n") if defined $opt_n;
print("EGD = $opt_E\n") if defined $opt_E;
print("RNDfile = $opt_R\n") if defined $opt_R;
print("RNDbytes = $opt_B\n") if defined $opt_B;
print("local = $opt_I\n") if defined $opt_I;
print("accept = $opt_d\n") if defined $opt_d;
print("setuid = $opt_s\n") if defined $opt_s;
print("setgid = $opt_g\n") if defined $opt_g;
print("pid = $opt_P\n") if defined $opt_P;
print("connect = $opt_r\n") if defined $opt_r;
print("pty = yes\n"), $opt_l=$opt_L if defined $opt_L;
print("exec = $opt_l\nexecargs = " . join(' ', $opt_l, @ARGV) . "\n") if defined $opt_l;
print("[stunnel3]\n") if defined $opt_d;

close(STUNNEL);

# stunnel3 script body ends here
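Review bot: the child's failure paths are unchecked: `getopts(...)` returns false when it meets an unknown switch, and `open(STUNNEL, ">&$write_fd")` can fail, yet in both cases the script keeps printing a partial configuration into the pipe, so stunnel starts with whatever subset of options made it through rather than refusing. Add `or die` to both (`getopts('...') or die "usage: ..."`, `open(STUNNEL, ">&$write_fd") or die`). In the parent, `exec "$stunnel_bin -fd $read_fd"` is a single string and therefore goes through the shell; the list form `exec $stunnel_bin, '-fd', $read_fd` avoids that and also survives a `@prefix@` containing spaces. The trick the script depends on deserves a comment: the service options (`accept`, `connect`, `exec`) are written before the `[stunnel3]` header, and the header is only printed when `-d` is given, so without `-d` stunnel receives no service section and, per `main_unix()` in stunnel.c above, runs in inetd mode.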
76 src/vc.mak Normal file
@ -0,0 +1,76 @@
# vc.mak by Michal Trojnara 1998-2012
# with help of David Gillingham <dgillingham@gmail.com>
# with help of Pierre Delaage <delaage.pierre@free.fr>

# the compilation requires:
# - Visual C++ 2005 Express Edition with Platform SDK
# http://social.msdn.microsoft.com/forums/en-US/Vsexpressvc/thread/c5c3afad-f4c6-4d27-b471-0291e099a742/
# - Visual C++ 2005 Professional Edition
# - Visual C++ 2008 Express Edition

# modify this to point to your OpenSSL directory
# either install a precompiled version (*not* the "Light" one) from
# http://www.slproweb.com/products/Win32OpenSSL.html
SSLDIR=C:\OpenSSL-Win32
INCDIR=$(SSLDIR)\include
LIBDIR=$(SSLDIR)\lib
# or compile one yourself
#SSLDIR=..\..\openssl-1.0.0f
#INCDIR=$(SSLDIR)\inc32
#LIBDIR=$(SSLDIR)\out32dll

TARGETCPU=W32
SRC=..\src
OBJROOT=..\obj
OBJ=$(OBJROOT)\$(TARGETCPU)
BINROOT=..\bin
BIN=$(BINROOT)\$(TARGETCPU)

OBJS=$(OBJ)\stunnel.obj $(OBJ)\ssl.obj $(OBJ)\ctx.obj \
$(OBJ)\verify.obj $(OBJ)\file.obj $(OBJ)\client.obj \
$(OBJ)\protocol.obj $(OBJ)\sthreads.obj $(OBJ)\log.obj \
$(OBJ)\options.obj $(OBJ)\network.obj $(OBJ)\resolver.obj \
$(OBJ)\gui.obj $(OBJ)\resources.res $(OBJ)\str.obj $(OBJ)/fd.obj

CC=cl
LINK=link

CFLAGS=/MD /W3 /O2 /nologo /I"$(INCDIR)"
LDFLAGS=/NOLOGO

LIBS=advapi32.lib comdlg32.lib crypt32.lib gdi32.lib \
psapi.lib shell32.lib user32.lib ws2_32.lib \
/LIBPATH:"$(LIBDIR)" libeay32.lib ssleay32.lib
# static linking:
# /LIBPATH:"$(LIBDIR)\VC\static" libeay32MD.lib ssleay32MD.lib

{$(SRC)\}.c{$(OBJ)\}.obj:
$(CC) $(CFLAGS) -Fo$@ -c $<

{$(SRC)\}.rc{$(OBJ)\}.res:
$(RC) -fo$@ -r $<

all: makedirs $(BIN)\stunnel.exe

clean:
-@ del $(OBJS) >NUL 2>&1
# -@ del *.manifest >NUL 2>&1
-@ del $(BIN)\stunnel.exe >NUL 2>&1
-@ del $(BIN)\stunnel.exe.manifest >NUL 2>&1
-@ rmdir $(OBJ) >NUL 2>&1
-@ rmdir $(BIN) >NUL 2>&1

makedirs:
-@ IF NOT EXIST $(OBJROOT) mkdir $(OBJROOT) >NUL 2>&1
-@ IF NOT EXIST $(OBJ) mkdir $(OBJ) >NUL 2>&1
-@ IF NOT EXIST $(BINROOT) mkdir $(BINROOT) >NUL 2>&1
-@ IF NOT EXIST $(BIN) mkdir $(BIN) >NUL 2>&1

$(OBJS): *.h vc.mak

$(BIN)\stunnel.exe: $(OBJS)
$(LINK) $(LDFLAGS) $(LIBS) /OUT:$@ $**
IF EXIST $@.manifest \
mt -nologo -manifest $@.manifest -outputresource:$@;1

# end of vc.mak
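Review bot: `LDFLAGS=/NOLOGO` and `CFLAGS=/MD /W3 /O2 /nologo /I"$(INCDIR)"` request none of the binary hardening that the toolchains listed in the header (Visual C++ 2005 and 2008) do not all enable on their own; for a program that terminates TLS from the network, add `/DYNAMICBASE /NXCOMPAT /SAFESEH` to LDFLAGS and make `/GS` explicit in CFLAGS so the build does not depend on compiler defaults. `SSLDIR=C:\OpenSSL-Win32` links whatever `libeay32.lib`/`ssleay32.lib` a third-party installer left in that directory with no version recorded in the makefile; noting the expected OpenSSL version beside the commented `#SSLDIR=..\..\openssl-1.0.0f` line would make a build against a stale DLL set visible before `stunnel_info()` reports the mismatch at runtime. Style: `$(OBJ)/fd.obj` in OBJS uses a forward slash where every other entry uses a backslash.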
541 src/verify.c Normal file
@ -0,0 +1,541 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/

#include "common.h"
#include "prototypes.h"

/**************************************** prototypes */

/* verify initialization */
static int load_file_lookup(X509_STORE *, char *);
static int add_dir_lookup(X509_STORE *, char *);

/* verify callback */
static int verify_callback(int, X509_STORE_CTX *);
static int cert_check(CLI *c, X509_STORE_CTX *, int);
static int crl_check(CLI *c, X509_STORE_CTX *);
#ifdef HAVE_OSSL_OCSP_H
static int ocsp_check(CLI *c, X509_STORE_CTX *);
static OCSP_RESPONSE *ocsp_get_response(CLI *, OCSP_REQUEST *);
#endif

/* utility functions */
static void log_time(const int, const char *, ASN1_TIME *);

/**************************************** verify initialization */

int verify_init(SERVICE_OPTIONS *section) {
if(section->verify_level<0)
return 0; /* OK - no certificate verification */

if(section->verify_level>=2 && !section->ca_file && !section->ca_dir) {
s_log(LOG_ERR,
"Either CApath or CAfile has to be used for authentication");
return 1; /* FAILED */
}

section->revocation_store=X509_STORE_new();
if(!section->revocation_store) {
sslerror("X509_STORE_new");
return 1; /* FAILED */
|
||||||
|
}
|
||||||
|
|
||||||
|
if(section->ca_file) {
|
||||||
|
if(!SSL_CTX_load_verify_locations(section->ctx,
|
||||||
|
section->ca_file, NULL)) {
|
||||||
|
s_log(LOG_ERR, "Error loading verify certificates from %s",
|
||||||
|
section->ca_file);
|
||||||
|
sslerror("SSL_CTX_load_verify_locations");
|
||||||
|
return 1; /* FAILED */
|
||||||
|
}
|
||||||
|
/* list of trusted CAs for the client to choose the right cert */
|
||||||
|
SSL_CTX_set_client_CA_list(section->ctx,
|
||||||
|
SSL_load_client_CA_file(section->ca_file));
|
||||||
|
s_log(LOG_DEBUG, "Loaded verify certificates from %s",
|
||||||
|
section->ca_file);
|
||||||
|
if(load_file_lookup(section->revocation_store, section->ca_file))
|
||||||
|
return 1; /* FAILED */
|
||||||
|
}
|
||||||
|
|
||||||
|
if(section->ca_dir) {
|
||||||
|
if(!SSL_CTX_load_verify_locations(section->ctx,
|
||||||
|
NULL, section->ca_dir)) {
|
||||||
|
s_log(LOG_ERR, "Error setting verify directory to %s",
|
||||||
|
section->ca_dir);
|
||||||
|
sslerror("SSL_CTX_load_verify_locations");
|
||||||
|
return 1; /* FAILED */
|
||||||
|
}
|
||||||
|
s_log(LOG_DEBUG, "Verify directory set to %s", section->ca_dir);
|
||||||
|
add_dir_lookup(section->revocation_store, section->ca_dir);
|
||||||
|
}
|
||||||
|
|
||||||
|
if(section->crl_file)
|
||||||
|
if(load_file_lookup(section->revocation_store, section->crl_file))
|
||||||
|
return 1; /* FAILED */
|
||||||
|
|
||||||
|
if(section->crl_dir) {
|
||||||
|
section->revocation_store->cache=0; /* don't cache CRLs */
|
||||||
|
add_dir_lookup(section->revocation_store, section->crl_dir);
|
||||||
|
}
|
||||||
|
|
||||||
|
SSL_CTX_set_verify(section->ctx, SSL_VERIFY_PEER |
|
||||||
|
(section->verify_level>=2 ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
|
||||||
|
verify_callback);
|
||||||
|
|
||||||
|
if(section->ca_dir && section->verify_level>=3)
|
||||||
|
s_log(LOG_INFO, "Peer certificate location %s", section->ca_dir);
|
||||||
|
return 0; /* OK */
|
||||||
|
}
|
||||||
|
|
||||||
|
static int load_file_lookup(X509_STORE *store, char *name) {
|
||||||
|
X509_LOOKUP *lookup;
|
||||||
|
|
||||||
|
lookup=X509_STORE_add_lookup(store, X509_LOOKUP_file());
|
||||||
|
if(!lookup) {
|
||||||
|
sslerror("X509_STORE_add_lookup");
|
||||||
|
return 1; /* FAILED */
|
||||||
|
}
|
||||||
|
if(!X509_LOOKUP_load_file(lookup, name, X509_FILETYPE_PEM)) {
|
||||||
|
s_log(LOG_ERR, "Failed to load %s revocation lookup file", name);
|
||||||
|
sslerror("X509_LOOKUP_load_file");
|
||||||
|
return 1; /* FAILED */
|
||||||
|
}
|
||||||
|
s_log(LOG_DEBUG, "Loaded %s revocation lookup file", name);
|
||||||
|
return 0; /* OK */
|
||||||
|
}
|
||||||
|
|
||||||
|
static int add_dir_lookup(X509_STORE *store, char *name) {
|
||||||
|
X509_LOOKUP *lookup;
|
||||||
|
|
||||||
|
lookup=X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
|
||||||
|
if(!lookup) {
|
||||||
|
sslerror("X509_STORE_add_lookup");
|
||||||
|
return 1; /* FAILED */
|
||||||
|
}
|
||||||
|
if(!X509_LOOKUP_add_dir(lookup, name, X509_FILETYPE_PEM)) {
|
||||||
|
s_log(LOG_ERR, "Failed to add %s revocation lookup directory", name);
|
||||||
|
sslerror("X509_LOOKUP_add_dir");
|
||||||
|
return 1; /* FAILED */
|
||||||
|
}
|
||||||
|
s_log(LOG_DEBUG, "Added %s revocation lookup directory", name);
|
||||||
|
return 0; /* OK */
|
||||||
|
}
|
||||||
|
|
||||||
|
/**************************************** verify callback */
|
||||||
|
|
||||||
|
static int verify_callback(int preverify_ok, X509_STORE_CTX *callback_ctx) {
|
||||||
|
/* our verify callback function */
|
||||||
|
SSL *ssl;
|
||||||
|
CLI *c;
|
||||||
|
X509 *cert;
|
||||||
|
int depth;
|
||||||
|
char *subject_name;
|
||||||
|
|
||||||
|
/* retrieve application specific data */
|
||||||
|
ssl=X509_STORE_CTX_get_ex_data(callback_ctx,
|
||||||
|
SSL_get_ex_data_X509_STORE_CTX_idx());
|
||||||
|
c=SSL_get_ex_data(ssl, cli_index);
|
||||||
|
cert=X509_STORE_CTX_get_current_cert(callback_ctx);
|
||||||
|
depth=X509_STORE_CTX_get_error_depth(callback_ctx);
|
||||||
|
|
||||||
|
/* certificate name for logging */
|
||||||
|
subject_name=X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
|
||||||
|
|
||||||
|
s_log(LOG_DEBUG, "Starting certificate verification: depth=%d, %s",
|
||||||
|
depth, subject_name);
|
||||||
|
if(!cert_check(c, callback_ctx, preverify_ok)) {
|
||||||
|
s_log(LOG_WARNING, "Certificate check failed: depth=%d, %s",
|
||||||
|
depth, subject_name);
|
||||||
|
OPENSSL_free(subject_name);
|
||||||
|
return 0; /* reject connection */
|
||||||
|
}
|
||||||
|
if(!crl_check(c, callback_ctx)) {
|
||||||
|
s_log(LOG_WARNING, "CRL check failed: depth=%d, %s",
|
||||||
|
depth, subject_name);
|
||||||
|
OPENSSL_free(subject_name);
|
||||||
|
return 0; /* reject connection */
|
||||||
|
}
|
||||||
|
#ifdef HAVE_OSSL_OCSP_H
|
||||||
|
if(c->opt->option.ocsp && !ocsp_check(c, callback_ctx)) {
|
||||||
|
s_log(LOG_WARNING, "OCSP check failed: depth=%d, %s",
|
||||||
|
depth, subject_name);
|
||||||
|
OPENSSL_free(subject_name);
|
||||||
|
return 0; /* reject connection */
|
||||||
|
}
|
||||||
|
#endif /* HAVE_OSSL_OCSP_H */
|
||||||
|
/* errnum=X509_STORE_CTX_get_error(ctx); */
|
||||||
|
s_log(LOG_NOTICE, "Certificate accepted: depth=%d, %s",
|
||||||
|
depth, subject_name);
|
||||||
|
OPENSSL_free(subject_name);
|
||||||
|
return 1; /* accept connection */
|
||||||
|
}
|
||||||
|
|
||||||
|
/**************************************** certificate checking */
|
||||||
|
|
||||||
|
static int cert_check(CLI *c, X509_STORE_CTX *callback_ctx, int preverify_ok) {
|
||||||
|
X509_OBJECT obj;
|
||||||
|
#if OPENSSL_VERSION_NUMBER>=0x0090700fL
|
||||||
|
ASN1_BIT_STRING *local_key, *peer_key;
|
||||||
|
#endif
|
||||||
|
X509 *cert;
|
||||||
|
int depth;
|
||||||
|
|
||||||
|
if(c->opt->verify_level<1) {
|
||||||
|
s_log(LOG_INFO, "CERT: Verification not enabled");
|
||||||
|
return 1; /* accept connection */
|
||||||
|
}
|
||||||
|
cert=X509_STORE_CTX_get_current_cert(callback_ctx);
|
||||||
|
depth=X509_STORE_CTX_get_error_depth(callback_ctx);
|
||||||
|
if(!preverify_ok) {
|
||||||
|
/* remote site specified a certificate, but it's not correct */
|
||||||
|
if(c->opt->verify_level>=4 && depth>0) {
|
||||||
|
s_log(LOG_INFO, "CERT: Invalid CA certificate ignored");
|
||||||
|
return 1; /* accept connection */
|
||||||
|
} else {
|
||||||
|
s_log(LOG_WARNING, "CERT: Verification error: %s",
|
||||||
|
X509_verify_cert_error_string(
|
||||||
|
X509_STORE_CTX_get_error(callback_ctx)));
|
||||||
|
return 0; /* reject connection */
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if(c->opt->verify_level>=3 && depth==0) {
|
||||||
|
if(X509_STORE_get_by_subject(callback_ctx, X509_LU_X509,
|
||||||
|
X509_get_subject_name(cert), &obj)!=1) {
|
||||||
|
s_log(LOG_WARNING,
|
||||||
|
"CERT: Certificate not found in local repository");
|
||||||
|
return 0; /* reject connection */
|
||||||
|
}
|
||||||
|
#if OPENSSL_VERSION_NUMBER>=0x0090700fL
|
||||||
|
peer_key=X509_get0_pubkey_bitstr(cert);
|
||||||
|
local_key=X509_get0_pubkey_bitstr(obj.data.x509);
|
||||||
|
if(!peer_key || !local_key || peer_key->length!=local_key->length ||
|
||||||
|
memcmp(peer_key->data, local_key->data, local_key->length)) {
|
||||||
|
s_log(LOG_WARNING, "CERT: Public keys do not match");
|
||||||
|
return 0; /* reject connection */
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
s_log(LOG_INFO, "CERT: Locally installed certificate matched");
|
||||||
|
}
|
||||||
|
return 1; /* accept connection */
|
||||||
|
}
|
||||||
|
|
||||||
|
/**************************************** CRL checking */
|
||||||
|
|
||||||
|
/* based on BSD-style licensed code of mod_ssl */
|
||||||
|
static int crl_check(CLI *c, X509_STORE_CTX *callback_ctx) {
|
||||||
|
X509_STORE_CTX store_ctx;
|
||||||
|
X509_OBJECT obj;
|
||||||
|
X509_NAME *subject;
|
||||||
|
X509_NAME *issuer;
|
||||||
|
X509 *cert;
|
||||||
|
X509_CRL *crl;
|
||||||
|
X509_REVOKED *revoked;
|
||||||
|
EVP_PKEY *pubkey;
|
||||||
|
long serial;
|
||||||
|
int i, n, rc;
|
||||||
|
char *cp;
|
||||||
|
ASN1_TIME *last_update=NULL, *next_update=NULL;
|
||||||
|
|
||||||
|
/* determine certificate ingredients in advance */
|
||||||
|
cert=X509_STORE_CTX_get_current_cert(callback_ctx);
|
||||||
|
subject=X509_get_subject_name(cert);
|
||||||
|
issuer=X509_get_issuer_name(cert);
|
||||||
|
|
||||||
|
/* try to retrieve a CRL corresponding to the _subject_ of
|
||||||
|
* the current certificate in order to verify it's integrity */
|
||||||
|
memset((char *)&obj, 0, sizeof obj);
|
||||||
|
X509_STORE_CTX_init(&store_ctx, c->opt->revocation_store, NULL, NULL);
|
||||||
|
rc=X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, subject, &obj);
|
||||||
|
X509_STORE_CTX_cleanup(&store_ctx);
|
||||||
|
crl=obj.data.crl;
|
||||||
|
if(rc>0 && crl) {
|
||||||
|
cp=X509_NAME_oneline(subject, NULL, 0);
|
||||||
|
s_log(LOG_INFO, "CRL: issuer: %s", cp);
|
||||||
|
OPENSSL_free(cp);
|
||||||
|
last_update=X509_CRL_get_lastUpdate(crl);
|
||||||
|
next_update=X509_CRL_get_nextUpdate(crl);
|
||||||
|
log_time(LOG_INFO, "CRL: last update", last_update);
|
||||||
|
log_time(LOG_INFO, "CRL: next update", next_update);
|
||||||
|
|
||||||
|
/* verify the signature on this CRL */
|
||||||
|
pubkey=X509_get_pubkey(cert);
|
||||||
|
if(X509_CRL_verify(crl, pubkey)<=0) {
|
||||||
|
s_log(LOG_WARNING, "CRL: Invalid signature");
|
||||||
|
X509_STORE_CTX_set_error(callback_ctx,
|
||||||
|
X509_V_ERR_CRL_SIGNATURE_FAILURE);
|
||||||
|
X509_OBJECT_free_contents(&obj);
|
||||||
|
if(pubkey)
|
||||||
|
EVP_PKEY_free(pubkey);
|
||||||
|
return 0; /* reject connection */
|
||||||
|
}
|
||||||
|
if(pubkey)
|
||||||
|
EVP_PKEY_free(pubkey);
|
||||||
|
|
||||||
|
/* check date of CRL to make sure it's not expired */
|
||||||
|
if(!next_update) {
|
||||||
|
s_log(LOG_WARNING, "CRL: Invalid nextUpdate field");
|
||||||
|
X509_STORE_CTX_set_error(callback_ctx,
|
||||||
|
X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
|
||||||
|
X509_OBJECT_free_contents(&obj);
|
||||||
|
return 0; /* reject connection */
|
||||||
|
}
|
||||||
|
if(X509_cmp_current_time(next_update)<0) {
|
||||||
|
s_log(LOG_WARNING, "CRL: CRL Expired - revoking all certificates");
|
||||||
|
X509_STORE_CTX_set_error(callback_ctx, X509_V_ERR_CRL_HAS_EXPIRED);
|
||||||
|
X509_OBJECT_free_contents(&obj);
|
||||||
|
return 0; /* reject connection */
|
||||||
|
}
|
||||||
|
X509_OBJECT_free_contents(&obj);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* try to retrieve a CRL corresponding to the _issuer_ of
|
||||||
|
* the current certificate in order to check for revocation */
|
||||||
|
memset((char *)&obj, 0, sizeof obj);
|
||||||
|
X509_STORE_CTX_init(&store_ctx, c->opt->revocation_store, NULL, NULL);
|
||||||
|
rc=X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, issuer, &obj);
|
||||||
|
X509_STORE_CTX_cleanup(&store_ctx);
|
||||||
|
crl=obj.data.crl;
|
||||||
|
if(rc>0 && crl) {
|
||||||
|
/* check if the current certificate is revoked by this CRL */
|
||||||
|
n=sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
|
||||||
|
for(i=0; i<n; i++) {
|
||||||
|
revoked=sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
|
||||||
|
if(ASN1_INTEGER_cmp(revoked->serialNumber,
|
||||||
|
X509_get_serialNumber(cert)) == 0) {
|
||||||
|
serial=ASN1_INTEGER_get(revoked->serialNumber);
|
||||||
|
cp=X509_NAME_oneline(issuer, NULL, 0);
|
||||||
|
s_log(LOG_WARNING, "CRL: Certificate with serial %ld (0x%lX) "
|
||||||
|
"revoked per CRL from issuer %s", serial, serial, cp);
|
||||||
|
OPENSSL_free(cp);
|
||||||
|
X509_STORE_CTX_set_error(callback_ctx, X509_V_ERR_CERT_REVOKED);
|
||||||
|
X509_OBJECT_free_contents(&obj);
|
||||||
|
return 0; /* reject connection */
|
||||||
|
}
|
||||||
|
}
|
||||||
|
X509_OBJECT_free_contents(&obj);
|
||||||
|
}
|
||||||
|
return 1; /* accept connection */
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef HAVE_OSSL_OCSP_H
|
||||||
|
|
||||||
|
/**************************************** OCSP checking */
|
||||||
|
/* TODO: check OCSP server specified in the certificate */
|
||||||
|
|
||||||
|
static int ocsp_check(CLI *c, X509_STORE_CTX *callback_ctx) {
|
||||||
|
int error, retval=0;
|
||||||
|
X509 *cert;
|
||||||
|
X509 *issuer=NULL;
|
||||||
|
OCSP_CERTID *certID;
|
||||||
|
OCSP_REQUEST *request=NULL;
|
||||||
|
OCSP_RESPONSE *response=NULL;
|
||||||
|
OCSP_BASICRESP *basicResponse=NULL;
|
||||||
|
ASN1_GENERALIZEDTIME *revoked_at=NULL,
|
||||||
|
*this_update=NULL, *next_update=NULL;
|
||||||
|
int status, reason;
|
||||||
|
|
||||||
|
/* get current certificate ID */
|
||||||
|
cert=X509_STORE_CTX_get_current_cert(callback_ctx); /* get current cert */
|
||||||
|
if(X509_STORE_CTX_get1_issuer(&issuer, callback_ctx, cert)!=1) {
|
||||||
|
sslerror("OCSP: X509_STORE_CTX_get1_issuer");
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
certID=OCSP_cert_to_id(0, cert, issuer);
|
||||||
|
if(!certID) {
|
||||||
|
sslerror("OCSP: OCSP_cert_to_id");
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* build request */
|
||||||
|
request=OCSP_REQUEST_new();
|
||||||
|
if(!request) {
|
||||||
|
sslerror("OCSP: OCSP_REQUEST_new");
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
if(!OCSP_request_add0_id(request, certID)) {
|
||||||
|
sslerror("OCSP: OCSP_request_add0_id");
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
OCSP_request_add1_nonce(request, 0, -1);
|
||||||
|
|
||||||
|
/* send the request and get a response */
|
||||||
|
response=ocsp_get_response(c, request);
|
||||||
|
if(!response)
|
||||||
|
goto cleanup;
|
||||||
|
error=OCSP_response_status(response);
|
||||||
|
if(error!=OCSP_RESPONSE_STATUS_SUCCESSFUL) {
|
||||||
|
s_log(LOG_WARNING, "OCSP: Responder error: %d: %s",
|
||||||
|
error, OCSP_response_status_str(error));
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
s_log(LOG_DEBUG, "OCSP: Response received");
|
||||||
|
|
||||||
|
/* verify the response */
|
||||||
|
basicResponse=OCSP_response_get1_basic(response);
|
||||||
|
if(!basicResponse) {
|
||||||
|
sslerror("OCSP: OCSP_response_get1_basic");
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
if(OCSP_check_nonce(request, basicResponse)<=0) {
|
||||||
|
sslerror("OCSP: OCSP_check_nonce");
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
if(OCSP_basic_verify(basicResponse, NULL,
|
||||||
|
c->opt->revocation_store, c->opt->ocsp_flags)<=0) {
|
||||||
|
sslerror("OCSP: OCSP_basic_verify");
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
if(!OCSP_resp_find_status(basicResponse, certID, &status, &reason,
|
||||||
|
&revoked_at, &this_update, &next_update)) {
|
||||||
|
sslerror("OCSP: OCSP_resp_find_status");
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
s_log(LOG_NOTICE, "OCSP: Status: %d: %s",
|
||||||
|
status, OCSP_cert_status_str(status));
|
||||||
|
log_time(LOG_INFO, "OCSP: This update", this_update);
|
||||||
|
log_time(LOG_INFO, "OCSP: Next update", next_update);
|
||||||
|
/* check if the response is valid for at least one minute */
|
||||||
|
if(!OCSP_check_validity(this_update, next_update, 60, -1)) {
|
||||||
|
sslerror("OCSP: OCSP_check_validity");
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
if(status==V_OCSP_CERTSTATUS_REVOKED) {
|
||||||
|
if(reason==-1)
|
||||||
|
s_log(LOG_WARNING, "OCSP: Certificate revoked");
|
||||||
|
else
|
||||||
|
s_log(LOG_WARNING, "OCSP: Certificate revoked: %d: %s",
|
||||||
|
reason, OCSP_crl_reason_str(reason));
|
||||||
|
log_time(LOG_NOTICE, "OCSP: Revoked at", revoked_at);
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
retval=1; /* accept connection */
|
||||||
|
cleanup:
|
||||||
|
if(issuer)
|
||||||
|
X509_free(issuer);
|
||||||
|
if(request)
|
||||||
|
OCSP_REQUEST_free(request);
|
||||||
|
if(response)
|
||||||
|
OCSP_RESPONSE_free(response);
|
||||||
|
if(basicResponse)
|
||||||
|
OCSP_BASICRESP_free(basicResponse);
|
||||||
|
return retval;
|
||||||
|
}
|
||||||
|
|
||||||
|
static OCSP_RESPONSE *ocsp_get_response(CLI *c, OCSP_REQUEST *req) {
|
||||||
|
BIO *bio=NULL;
|
||||||
|
OCSP_REQ_CTX *req_ctx=NULL;
|
||||||
|
OCSP_RESPONSE *resp=NULL;
|
||||||
|
int err;
|
||||||
|
|
||||||
|
/* connect specified OCSP server (responder) */
|
||||||
|
c->fd=s_socket(c->opt->ocsp_addr.sa.sa_family, SOCK_STREAM, 0,
|
||||||
|
1, "OCSP: socket (auth_user)");
|
||||||
|
if(c->fd<0)
|
||||||
|
goto cleanup;
|
||||||
|
if(connect_blocking(c, &c->opt->ocsp_addr, addr_len(&c->opt->ocsp_addr)))
|
||||||
|
goto cleanup;
|
||||||
|
bio=BIO_new_fd(c->fd, BIO_NOCLOSE);
|
||||||
|
if(!bio)
|
||||||
|
goto cleanup;
|
||||||
|
s_log(LOG_DEBUG, "OCSP: server connected");
|
||||||
|
|
||||||
|
/* OCSP protocol communication loop */
|
||||||
|
req_ctx=OCSP_sendreq_new(bio, c->opt->ocsp_path, req, -1);
|
||||||
|
if(!req_ctx) {
|
||||||
|
sslerror("OCSP: OCSP_sendreq_new");
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
while(OCSP_sendreq_nbio(&resp, req_ctx)==-1) {
|
||||||
|
s_poll_init(c->fds);
|
||||||
|
s_poll_add(c->fds, c->fd, BIO_should_read(bio), BIO_should_write(bio));
|
||||||
|
err=s_poll_wait(c->fds, c->opt->timeout_busy, 0);
|
||||||
|
if(err==-1)
|
||||||
|
sockerror("OCSP: s_poll_wait");
|
||||||
|
if(err==0)
|
||||||
|
s_log(LOG_INFO, "OCSP: s_poll_wait: TIMEOUTbusy exceeded");
|
||||||
|
if(err<=0)
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
/* s_log(LOG_DEBUG, "OCSP: context state: 0x%x", *(int *)req_ctx); */
|
||||||
|
/* http://www.mail-archive.com/openssl-users@openssl.org/msg61691.html */
|
||||||
|
if(!resp) {
|
||||||
|
if(ERR_peek_error())
|
||||||
|
sslerror("OCSP: OCSP_sendreq_nbio");
|
||||||
|
else /* OpenSSL error: OCSP_sendreq_nbio does not use OCSPerr */
|
||||||
|
s_log(LOG_ERR, "OCSP: OCSP_sendreq_nbio: OpenSSL internal error");
|
||||||
|
}
|
||||||
|
|
||||||
|
cleanup:
|
||||||
|
if(req_ctx)
|
||||||
|
OCSP_REQ_CTX_free(req_ctx);
|
||||||
|
if(bio)
|
||||||
|
BIO_free_all(bio);
|
||||||
|
if(c->fd>=0) {
|
||||||
|
closesocket(c->fd);
|
||||||
|
c->fd=-1; /* avoid double close on cleanup */
|
||||||
|
}
|
||||||
|
return resp;
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* HAVE_OSSL_OCSP_H */
|
||||||
|
|
||||||
|
static void log_time(const int level, const char *txt, ASN1_TIME *t) {
|
||||||
|
char *cp;
|
||||||
|
BIO *bio;
|
||||||
|
int n;
|
||||||
|
|
||||||
|
if(!t)
|
||||||
|
return;
|
||||||
|
bio=BIO_new(BIO_s_mem());
|
||||||
|
if(!bio)
|
||||||
|
return;
|
||||||
|
ASN1_TIME_print(bio, t);
|
||||||
|
n=BIO_pending(bio);
|
||||||
|
cp=str_alloc(n+1);
|
||||||
|
n=BIO_read(bio, cp, n);
|
||||||
|
if(n<0) {
|
||||||
|
BIO_free(bio);
|
||||||
|
str_free(cp);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
cp[n]='\0';
|
||||||
|
BIO_free(bio);
|
||||||
|
s_log(level, "%s: %s", txt, cp);
|
||||||
|
str_free(cp);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* end of verify.c */
|
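Review bot: ocsp_check() only rejects when `status==V_OCSP_CERTSTATUS_REVOKED`; any other value, including V_OCSP_CERTSTATUS_UNKNOWN or an unrecognised status, falls through to `retval=1; /* accept connection */`, so a responder that does not know the certificate is treated the same as one that vouches for it. Since `option.ocsp` is meant to be a positive revocation check, require `status==V_OCSP_CERTSTATUS_GOOD` before setting retval and log-and-reject everything else. Two smaller points in the same file: verify_init() tests the return value of load_file_lookup() but discards the result of add_dir_lookup() for both `section->ca_dir` and `section->crl_dir`, so a failed X509_LOOKUP_add_dir() produces only a log line and the service starts without that revocation source; and in cert_check() the X509_OBJECT filled by X509_STORE_get_by_subject() at verify level 3 is never released with X509_OBJECT_free_contents(), leaking a certificate reference on every verified connection (crl_check() does free its objects). Worth a comment as well: under the `#if OPENSSL_VERSION_NUMBER>=0x0090700fL` guard the level-3 check degrades on older OpenSSL to a subject-name match with no public-key comparison.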
88
src/version.h
Normal file
@ -0,0 +1,88 @@
|
|||||||
|
/*
|
||||||
|
* stunnel Universal SSL tunnel
|
||||||
|
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
* Free Software Foundation; either version 2 of the License, or (at your
|
||||||
|
* option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||||
|
* See the GNU General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License along
|
||||||
|
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||||
|
*
|
||||||
|
* Linking stunnel statically or dynamically with other modules is making
|
||||||
|
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||||
|
* the GNU General Public License cover the whole combination.
|
||||||
|
*
|
||||||
|
* In addition, as a special exception, the copyright holder of stunnel
|
||||||
|
* gives you permission to combine stunnel with free software programs or
|
||||||
|
* libraries that are released under the GNU LGPL and with code included
|
||||||
|
* in the standard release of OpenSSL under the OpenSSL License (or
|
||||||
|
* modified versions of such code, with unchanged license). You may copy
|
||||||
|
* and distribute such a system following the terms of the GNU GPL for
|
||||||
|
* stunnel and the licenses of the other code concerned.
|
||||||
|
*
|
||||||
|
* Note that people who make modified versions of stunnel are not obligated
|
||||||
|
* to grant this special exception for their modified versions; it is their
|
||||||
|
* choice whether to do so. The GNU General Public License gives permission
|
||||||
|
* to release a modified version without this exception; this exception
|
||||||
|
* also makes it possible to release a modified version which carries
|
||||||
|
* forward this exception.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#ifndef VERSION_MAJOR
|
||||||
|
|
||||||
|
#ifdef HAVE_CONFIG_H
|
||||||
|
#include "config.h"
|
||||||
|
#endif /* HAVE_CONFIG_H */
|
||||||
|
|
||||||
|
/* HOST may be undefined on Win32 platform */
|
||||||
|
#ifndef HOST
|
||||||
|
#ifdef __MINGW32__
|
||||||
|
#define HOST "x86-pc-mingw32-gnu"
|
||||||
|
#else /* __MINGW32__ */
|
||||||
|
#ifdef _MSC_VER
|
||||||
|
#define _QUOTEME(x) #x
|
||||||
|
#define QUOTEME(x) _QUOTEME(x)
|
||||||
|
#define HOST "x86-pc-msvc-" ## QUOTEME(_MSC_VER)
|
||||||
|
#else /* _MSC_VER */
|
||||||
|
#define HOST "x86-pc-unknown"
|
||||||
|
#endif /* _MSC_VER */
|
||||||
|
#endif /* __MINGW32__ */
|
||||||
|
#endif /* HOST */
|
||||||
|
|
||||||
|
/* START CUSTOMIZE */
|
||||||
|
#define VERSION_MAJOR 4
|
||||||
|
#define VERSION_MINOR 53
|
||||||
|
/* END CUSTOMIZE */
|
||||||
|
|
||||||
|
/* all the following macros are ABSOLUTELY NECESSARY to have proper string
|
||||||
|
* construction with VARIOUS C preprocessors (EVC, VC, BCC, GCC) */
|
||||||
|
#define STRINGIZE0(x) #x
|
||||||
|
#define STRINGIZE(x) STRINGIZE0(x)
|
||||||
|
#define STRZCONCAT30(a,b,c) a##b##c
|
||||||
|
#define STRZCONCAT3(a,b,c) STRZCONCAT30(a,b,c)
|
||||||
|
|
||||||
|
/* for resource.rc, stunnel.c, gui.c */
|
||||||
|
#define STUNNEL_VERSION0 STRZCONCAT3(VERSION_MAJOR, . , VERSION_MINOR)
|
||||||
|
#define STUNNEL_VERSION STRINGIZE(STUNNEL_VERSION0)
|
||||||
|
|
||||||
|
/* for resources.rc */
|
||||||
|
#define STUNNEL_VERSION_FIELDS VERSION_MAJOR,VERSION_MINOR,0,0
|
||||||
|
#define STUNNEL_PRODUCTNAME "stunnel " STUNNEL_VERSION " for " HOST
|
||||||
|
|
||||||
|
/* some useful tricks for preprocessing debugging */
|
||||||
|
#if 0
|
||||||
|
#pragma message ( "VERSION.H: STUNNEL_VERSION is " STUNNEL_VERSION )
|
||||||
|
#pragma message ( "VERSION.H: HOST is " HOST )
|
||||||
|
#pragma message ( "VERSION.H: STUNNEL_PRODUCTNAME is " STUNNEL_PRODUCTNAME )
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#endif /* VERSION_MAJOR */
|
||||||
|
|
||||||
|
/* end of version.h */
|
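Review bot: `#define HOST "x86-pc-msvc-" ## QUOTEME(_MSC_VER)` pastes two string literals with `##`, which is not a valid token paste in ISO C (the result is two adjacent string literals, not a single preprocessing token); GCC and Clang reject it and only MSVC's lenient preprocessor lets it through, which is why the `#ifdef _MSC_VER` branch builds at all. Adjacent string literals are concatenated by the compiler anyway, so `"x86-pc-msvc-" QUOTEME(_MSC_VER)` without `##` gives the same result portably. Also, every fallback in the `#ifndef HOST` block hard-codes "x86-pc-...", so a 64-bit MinGW or MSVC build reports itself as x86 in STUNNEL_PRODUCTNAME; either add an `_WIN64` branch or note in a comment that HOST is only a best-effort label on Win32.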
36
tools/Makefile.am
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
## Process this file with automake to produce Makefile.in
|
||||||
|
|
||||||
|
EXTRA_DIST = ca.html ca.pl importCA.html importCA.sh script.sh \
|
||||||
|
stunnel.spec stunnel.cnf stunnel.nsi stunnel.license stunnel.conf
|
||||||
|
|
||||||
|
confdir = $(sysconfdir)/stunnel
|
||||||
|
conf_DATA = stunnel.conf-sample
|
||||||
|
|
||||||
|
docdir = $(datadir)/doc/stunnel
|
||||||
|
examplesdir = $(docdir)/examples
|
||||||
|
examples_DATA = ca.html ca.pl importCA.html importCA.sh script.sh \
|
||||||
|
stunnel.spec stunnel.init stunnel.service
|
||||||
|
|
||||||
|
OPENSSL=$(SSLDIR)/bin/openssl
|
||||||
|
install-data-local:
|
||||||
|
if test ! -r $(DESTDIR)$(confdir)/stunnel.pem; then \
|
||||||
|
if test -r "$(RANDOM_FILE)"; then \
|
||||||
|
dd if="$(RANDOM_FILE)" of=stunnel.rnd bs=256 count=1; \
|
||||||
|
RND="-rand stunnel.rnd"; \
|
||||||
|
else \
|
||||||
|
RND=""; \
|
||||||
|
fi; \
|
||||||
|
$(OPENSSL) req -new -x509 -days 365 $$RND \
|
||||||
|
-config $(srcdir)/stunnel.cnf \
|
||||||
|
-out stunnel.pem -keyout stunnel.pem; \
|
||||||
|
$(OPENSSL) gendh $$RND 1024 >> stunnel.pem; \
|
||||||
|
$(OPENSSL) x509 -subject -dates -fingerprint -noout -in stunnel.pem; \
|
||||||
|
${INSTALL} -m 600 stunnel.pem $(DESTDIR)$(confdir)/stunnel.pem; \
|
||||||
|
rm stunnel.pem; \
|
||||||
|
fi
|
||||||
|
${INSTALL} -d -m 1770 $(DESTDIR)$(localstatedir)/lib/stunnel
|
||||||
|
-chgrp $(DEFAULT_GROUP) $(DESTDIR)$(localstatedir)/lib/stunnel
|
||||||
|
|
||||||
|
clean-local:
|
||||||
|
-rm -f stunnel.rnd
|
||||||
|
|
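Review bot: install-data-local writes the freshly generated private key to `stunnel.pem` in the build directory with the caller's default umask and only applies `-m 600` at the `${INSTALL}` step, so until `rm stunnel.pem` runs the key is readable by anyone who can read the build tree. Start the recipe with `umask 077;` or write the key straight into `$(DESTDIR)$(confdir)` and chmod it there before invoking `$(OPENSSL) req`. In the same recipe, `$(OPENSSL) gendh $$RND 1024 >> stunnel.pem` appends 1024-bit DH parameters, which is already the low end for a new deployment; consider 2048 or at least document the choice next to the sample config. A short comment on `stunnel.rnd` would also help, since it holds seed material drawn from `$(RANDOM_FILE)` and only disappears at `clean-local`.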
467
tools/Makefile.in
Normal file
@ -0,0 +1,467 @@
|
|||||||
|
# Makefile.in generated by automake 1.11.1 from Makefile.am.
|
||||||
|
# @configure_input@
|
||||||
|
|
||||||
|
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
|
||||||
|
# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
|
||||||
|
# Inc.
|
||||||
|
# This Makefile.in is free software; the Free Software Foundation
|
||||||
|
# gives unlimited permission to copy and/or distribute it,
|
||||||
|
# with or without modifications, as long as this notice is preserved.
|
||||||
|
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
|
||||||
|
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
|
||||||
|
# PARTICULAR PURPOSE.
|
||||||
|
|
||||||
|
@SET_MAKE@
|
||||||
|
|
||||||
|
VPATH = @srcdir@
|
||||||
|
pkgdatadir = $(datadir)/@PACKAGE@
|
||||||
|
pkgincludedir = $(includedir)/@PACKAGE@
|
||||||
|
pkglibdir = $(libdir)/@PACKAGE@
|
||||||
|
pkglibexecdir = $(libexecdir)/@PACKAGE@
|
||||||
|
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
|
||||||
|
install_sh_DATA = $(install_sh) -c -m 644
|
||||||
|
install_sh_PROGRAM = $(install_sh) -c
|
||||||
|
install_sh_SCRIPT = $(install_sh) -c
|
||||||
|
INSTALL_HEADER = $(INSTALL_DATA)
|
||||||
|
transform = $(program_transform_name)
|
||||||
|
NORMAL_INSTALL = :
|
||||||
|
PRE_INSTALL = :
|
||||||
|
POST_INSTALL = :
|
||||||
|
NORMAL_UNINSTALL = :
|
||||||
|
PRE_UNINSTALL = :
|
||||||
|
POST_UNINSTALL = :
|
||||||
|
build_triplet = @build@
|
||||||
|
host_triplet = @host@
|
||||||
|
subdir = tools
|
||||||
|
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
|
||||||
|
$(srcdir)/stunnel.conf-sample.in $(srcdir)/stunnel.init.in \
|
||||||
|
$(srcdir)/stunnel.service.in
|
||||||
|
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
|
||||||
|
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
|
||||||
|
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
|
||||||
|
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
|
||||||
|
$(top_srcdir)/configure.ac
|
||||||
|
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
|
||||||
|
$(ACLOCAL_M4)
|
||||||
|
mkinstalldirs = $(install_sh) -d
|
||||||
|
CONFIG_HEADER = $(top_builddir)/src/config.h
|
||||||
|
CONFIG_CLEAN_FILES = stunnel.conf-sample stunnel.init stunnel.service
|
||||||
|
CONFIG_CLEAN_VPATH_FILES =
|
||||||
|
SOURCES =
|
||||||
|
DIST_SOURCES =
|
||||||
|
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
|
||||||
|
am__vpath_adj = case $$p in \
|
||||||
|
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
|
||||||
|
*) f=$$p;; \
|
||||||
|
esac;
|
||||||
|
am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
|
||||||
|
am__install_max = 40
|
||||||
|
am__nobase_strip_setup = \
|
||||||
|
srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
|
||||||
|
am__nobase_strip = \
|
||||||
|
for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
|
||||||
|
am__nobase_list = $(am__nobase_strip_setup); \
|
||||||
|
for p in $$list; do echo "$$p $$p"; done | \
|
||||||
|
sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
|
||||||
|
$(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
|
||||||
|
if (++n[$$2] == $(am__install_max)) \
|
||||||
|
{ print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
|
||||||
|
END { for (dir in files) print dir, files[dir] }'
|
||||||
|
am__base_list = \
|
||||||
|
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
|
||||||
|
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
|
||||||
|
am__installdirs = "$(DESTDIR)$(confdir)" "$(DESTDIR)$(examplesdir)"
|
||||||
|
DATA = $(conf_DATA) $(examples_DATA)
|
||||||
|
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
|
||||||
|
ACLOCAL = @ACLOCAL@
|
||||||
|
AMTAR = @AMTAR@
|
||||||
|
AR = @AR@
|
||||||
|
AUTOCONF = @AUTOCONF@
|
||||||
|
AUTOHEADER = @AUTOHEADER@
|
||||||
|
AUTOMAKE = @AUTOMAKE@
|
||||||
|
AWK = @AWK@
|
||||||
|
CC = @CC@
|
||||||
|
CCDEPMODE = @CCDEPMODE@
|
||||||
|
CFLAGS = @CFLAGS@
|
||||||
|
CPP = @CPP@
|
||||||
|
CPPFLAGS = @CPPFLAGS@
|
||||||
|
CYGPATH_W = @CYGPATH_W@
|
||||||
|
DEFAULT_GROUP = @DEFAULT_GROUP@
|
||||||
|
DEFS = @DEFS@
|
||||||
|
DEPDIR = @DEPDIR@
|
||||||
|
DSYMUTIL = @DSYMUTIL@
|
||||||
|
DUMPBIN = @DUMPBIN@
|
||||||
|
ECHO_C = @ECHO_C@
|
||||||
|
ECHO_N = @ECHO_N@
|
||||||
|
ECHO_T = @ECHO_T@
|
||||||
|
EGREP = @EGREP@
|
||||||
|
EXEEXT = @EXEEXT@
|
||||||
|
FGREP = @FGREP@
|
||||||
|
GREP = @GREP@
|
||||||
|
INSTALL = @INSTALL@
|
||||||
|
INSTALL_DATA = @INSTALL_DATA@
|
||||||
|
INSTALL_PROGRAM = @INSTALL_PROGRAM@
|
||||||
|
INSTALL_SCRIPT = @INSTALL_SCRIPT@
|
||||||
|
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
|
||||||
|
LD = @LD@
|
||||||
|
LDFLAGS = @LDFLAGS@
|
||||||
|
LIBOBJS = @LIBOBJS@
|
||||||
|
LIBS = @LIBS@
|
||||||
|
LIBTOOL = @LIBTOOL@
|
||||||
|
LIBTOOL_DEPS = @LIBTOOL_DEPS@
|
||||||
|
LIPO = @LIPO@
|
||||||
|
LN_S = @LN_S@
|
||||||
|
LTLIBOBJS = @LTLIBOBJS@
|
||||||
|
MAKEINFO = @MAKEINFO@
|
||||||
|
MKDIR_P = @MKDIR_P@
|
||||||
|
NM = @NM@
|
||||||
|
NMEDIT = @NMEDIT@
|
||||||
|
OBJDUMP = @OBJDUMP@
|
||||||
|
OBJEXT = @OBJEXT@
|
||||||
|
OTOOL = @OTOOL@
|
||||||
|
OTOOL64 = @OTOOL64@
|
||||||
|
PACKAGE = @PACKAGE@
|
||||||
|
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
|
||||||
|
PACKAGE_NAME = @PACKAGE_NAME@
|
||||||
|
PACKAGE_STRING = @PACKAGE_STRING@
|
||||||
|
PACKAGE_TARNAME = @PACKAGE_TARNAME@
|
||||||
|
PACKAGE_URL = @PACKAGE_URL@
|
||||||
|
PACKAGE_VERSION = @PACKAGE_VERSION@
|
||||||
|
PATH_SEPARATOR = @PATH_SEPARATOR@
|
||||||
|
RANDOM_FILE = @RANDOM_FILE@
|
||||||
|
RANLIB = @RANLIB@
|
||||||
|
SED = @SED@
|
||||||
|
SET_MAKE = @SET_MAKE@
|
||||||
|
SHELL = @SHELL@
|
||||||
|
SSLDIR = @SSLDIR@
|
||||||
|
STRIP = @STRIP@
|
||||||
|
VERSION = @VERSION@
|
||||||
|
abs_builddir = @abs_builddir@
|
||||||
|
abs_srcdir = @abs_srcdir@
|
||||||
|
abs_top_builddir = @abs_top_builddir@
|
||||||
|
abs_top_srcdir = @abs_top_srcdir@
|
||||||
|
ac_ct_CC = @ac_ct_CC@
|
||||||
|
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
|
||||||
|
am__include = @am__include@
|
||||||
|
am__leading_dot = @am__leading_dot@
|
||||||
|
am__quote = @am__quote@
|
||||||
|
am__tar = @am__tar@
|
||||||
|
am__untar = @am__untar@
|
||||||
|
bindir = @bindir@
|
||||||
|
build = @build@
|
||||||
|
build_alias = @build_alias@
|
||||||
|
build_cpu = @build_cpu@
|
||||||
|
build_os = @build_os@
|
||||||
|
build_vendor = @build_vendor@
|
||||||
|
builddir = @builddir@
|
||||||
|
datadir = @datadir@
|
||||||
|
datarootdir = @datarootdir@
|
||||||
|
docdir = $(datadir)/doc/stunnel
|
||||||
|
dvidir = @dvidir@
|
||||||
|
exec_prefix = @exec_prefix@
|
||||||
|
host = @host@
|
||||||
|
host_alias = @host_alias@
|
||||||
|
host_cpu = @host_cpu@
|
||||||
|
host_os = @host_os@
|
||||||
|
host_vendor = @host_vendor@
|
||||||
|
htmldir = @htmldir@
|
||||||
|
includedir = @includedir@
|
||||||
|
infodir = @infodir@
|
||||||
|
install_sh = @install_sh@
|
||||||
|
libdir = @libdir@
|
||||||
|
libexecdir = @libexecdir@
|
||||||
|
localedir = @localedir@
|
||||||
|
localstatedir = @localstatedir@
|
||||||
|
lt_ECHO = @lt_ECHO@
|
||||||
|
mandir = @mandir@
|
||||||
|
mkdir_p = @mkdir_p@
|
||||||
|
oldincludedir = @oldincludedir@
|
||||||
|
pdfdir = @pdfdir@
|
||||||
|
prefix = @prefix@
|
||||||
|
program_transform_name = @program_transform_name@
|
||||||
|
psdir = @psdir@
|
||||||
|
sbindir = @sbindir@
|
||||||
|
sharedstatedir = @sharedstatedir@
|
||||||
|
srcdir = @srcdir@
|
||||||
|
stunnel_CFLAGS = @stunnel_CFLAGS@
|
||||||
|
stunnel_LDFLAGF = @stunnel_LDFLAGF@
|
||||||
|
stunnel_LDFLAGS = @stunnel_LDFLAGS@
|
||||||
|
sysconfdir = @sysconfdir@
|
||||||
|
target_alias = @target_alias@
|
||||||
|
top_build_prefix = @top_build_prefix@
|
||||||
|
top_builddir = @top_builddir@
|
||||||
|
top_srcdir = @top_srcdir@
|
||||||
|
EXTRA_DIST = ca.html ca.pl importCA.html importCA.sh script.sh \
|
||||||
|
stunnel.spec stunnel.cnf stunnel.nsi stunnel.license stunnel.conf
|
||||||
|
|
||||||
|
confdir = $(sysconfdir)/stunnel
|
||||||
|
conf_DATA = stunnel.conf-sample
|
||||||
|
examplesdir = $(docdir)/examples
|
||||||
|
examples_DATA = ca.html ca.pl importCA.html importCA.sh script.sh \
|
||||||
|
stunnel.spec stunnel.init stunnel.service
|
||||||
|
|
||||||
|
OPENSSL = $(SSLDIR)/bin/openssl
|
||||||
|
all: all-am
|
||||||
|
|
||||||
|
.SUFFIXES:
|
||||||
|
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
|
||||||
|
@for dep in $?; do \
|
||||||
|
case '$(am__configure_deps)' in \
|
||||||
|
*$$dep*) \
|
||||||
|
( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
|
||||||
|
&& { if test -f $@; then exit 0; else break; fi; }; \
|
||||||
|
exit 1;; \
|
||||||
|
esac; \
|
||||||
|
done; \
|
||||||
|
echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu tools/Makefile'; \
|
||||||
|
$(am__cd) $(top_srcdir) && \
|
||||||
|
$(AUTOMAKE) --gnu tools/Makefile
|
||||||
|
.PRECIOUS: Makefile
|
||||||
|
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
|
||||||
|
@case '$?' in \
|
||||||
|
*config.status*) \
|
||||||
|
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
|
||||||
|
*) \
|
||||||
|
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
|
||||||
|
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
|
||||||
|
esac;
|
||||||
|
|
||||||
|
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
|
||||||
|
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
|
||||||
|
|
||||||
|
$(top_srcdir)/configure: $(am__configure_deps)
|
||||||
|
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
|
||||||
|
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
|
||||||
|
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
|
||||||
|
$(am__aclocal_m4_deps):
|
||||||
|
stunnel.conf-sample: $(top_builddir)/config.status $(srcdir)/stunnel.conf-sample.in
|
||||||
|
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
|
||||||
|
stunnel.init: $(top_builddir)/config.status $(srcdir)/stunnel.init.in
|
||||||
|
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
|
||||||
|
stunnel.service: $(top_builddir)/config.status $(srcdir)/stunnel.service.in
|
||||||
|
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
|
||||||
|
|
||||||
|
mostlyclean-libtool:
|
||||||
|
-rm -f *.lo
|
||||||
|
|
||||||
|
clean-libtool:
|
||||||
|
-rm -rf .libs _libs
|
||||||
|
install-confDATA: $(conf_DATA)
|
||||||
|
@$(NORMAL_INSTALL)
|
||||||
|
test -z "$(confdir)" || $(MKDIR_P) "$(DESTDIR)$(confdir)"
|
||||||
|
@list='$(conf_DATA)'; test -n "$(confdir)" || list=; \
|
||||||
|
for p in $$list; do \
|
||||||
|
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
|
||||||
|
echo "$$d$$p"; \
|
||||||
|
done | $(am__base_list) | \
|
||||||
|
while read files; do \
|
||||||
|
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(confdir)'"; \
|
||||||
|
$(INSTALL_DATA) $$files "$(DESTDIR)$(confdir)" || exit $$?; \
|
||||||
|
done
|
||||||
|
|
||||||
|
uninstall-confDATA:
|
||||||
|
@$(NORMAL_UNINSTALL)
|
||||||
|
@list='$(conf_DATA)'; test -n "$(confdir)" || list=; \
|
||||||
|
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
|
||||||
|
test -n "$$files" || exit 0; \
|
||||||
|
echo " ( cd '$(DESTDIR)$(confdir)' && rm -f" $$files ")"; \
|
||||||
|
cd "$(DESTDIR)$(confdir)" && rm -f $$files
|
||||||
|
install-examplesDATA: $(examples_DATA)
|
||||||
|
@$(NORMAL_INSTALL)
|
||||||
|
test -z "$(examplesdir)" || $(MKDIR_P) "$(DESTDIR)$(examplesdir)"
|
||||||
|
@list='$(examples_DATA)'; test -n "$(examplesdir)" || list=; \
|
||||||
|
for p in $$list; do \
|
||||||
|
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
|
||||||
|
echo "$$d$$p"; \
|
||||||
|
done | $(am__base_list) | \
|
||||||
|
while read files; do \
|
||||||
|
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(examplesdir)'"; \
|
||||||
|
$(INSTALL_DATA) $$files "$(DESTDIR)$(examplesdir)" || exit $$?; \
|
||||||
|
done
|
||||||
|
|
||||||
|
uninstall-examplesDATA:
|
||||||
|
@$(NORMAL_UNINSTALL)
|
||||||
|
@list='$(examples_DATA)'; test -n "$(examplesdir)" || list=; \
|
||||||
|
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
|
||||||
|
test -n "$$files" || exit 0; \
|
||||||
|
echo " ( cd '$(DESTDIR)$(examplesdir)' && rm -f" $$files ")"; \
|
||||||
|
cd "$(DESTDIR)$(examplesdir)" && rm -f $$files
|
||||||
|
tags: TAGS
|
||||||
|
TAGS:
|
||||||
|
|
||||||
|
ctags: CTAGS
|
||||||
|
CTAGS:
|
||||||
|
|
||||||
|
|
||||||
|
distdir: $(DISTFILES)
|
||||||
|
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
|
||||||
|
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
|
||||||
|
list='$(DISTFILES)'; \
|
||||||
|
dist_files=`for file in $$list; do echo $$file; done | \
|
||||||
|
sed -e "s|^$$srcdirstrip/||;t" \
|
||||||
|
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
|
||||||
|
case $$dist_files in \
|
||||||
|
*/*) $(MKDIR_P) `echo "$$dist_files" | \
|
||||||
|
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
|
||||||
|
sort -u` ;; \
|
||||||
|
esac; \
|
||||||
|
for file in $$dist_files; do \
|
||||||
|
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
|
||||||
|
if test -d $$d/$$file; then \
|
||||||
|
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
|
||||||
|
if test -d "$(distdir)/$$file"; then \
|
||||||
|
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
|
||||||
|
fi; \
|
||||||
|
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
|
||||||
|
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
|
||||||
|
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
|
||||||
|
fi; \
|
||||||
|
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
|
||||||
|
else \
|
||||||
|
test -f "$(distdir)/$$file" \
|
||||||
|
|| cp -p $$d/$$file "$(distdir)/$$file" \
|
||||||
|
|| exit 1; \
|
||||||
|
fi; \
|
||||||
|
done
|
||||||
|
check-am: all-am
|
||||||
|
check: check-am
|
||||||
|
all-am: Makefile $(DATA)
|
||||||
|
installdirs:
|
||||||
|
for dir in "$(DESTDIR)$(confdir)" "$(DESTDIR)$(examplesdir)"; do \
|
||||||
|
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
|
||||||
|
done
|
||||||
|
install: install-am
|
||||||
|
install-exec: install-exec-am
|
||||||
|
install-data: install-data-am
|
||||||
|
uninstall: uninstall-am
|
||||||
|
|
||||||
|
install-am: all-am
|
||||||
|
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
|
||||||
|
|
||||||
|
installcheck: installcheck-am
|
||||||
|
install-strip:
|
||||||
|
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
|
||||||
|
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
|
||||||
|
`test -z '$(STRIP)' || \
|
||||||
|
echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
|
||||||
|
mostlyclean-generic:
|
||||||
|
|
||||||
|
clean-generic:
|
||||||
|
|
||||||
|
distclean-generic:
|
||||||
|
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
|
||||||
|
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
|
||||||
|
|
||||||
|
maintainer-clean-generic:
|
||||||
|
@echo "This command is intended for maintainers to use"
|
||||||
|
@echo "it deletes files that may require special tools to rebuild."
|
||||||
|
clean: clean-am
|
||||||
|
|
||||||
|
clean-am: clean-generic clean-libtool clean-local mostlyclean-am
|
||||||
|
|
||||||
|
distclean: distclean-am
|
||||||
|
-rm -f Makefile
|
||||||
|
distclean-am: clean-am distclean-generic
|
||||||
|
|
||||||
|
dvi: dvi-am
|
||||||
|
|
||||||
|
dvi-am:
|
||||||
|
|
||||||
|
html: html-am
|
||||||
|
|
||||||
|
html-am:
|
||||||
|
|
||||||
|
info: info-am
|
||||||
|
|
||||||
|
info-am:
|
||||||
|
|
||||||
|
install-data-am: install-confDATA install-data-local \
|
||||||
|
install-examplesDATA
|
||||||
|
|
||||||
|
install-dvi: install-dvi-am
|
||||||
|
|
||||||
|
install-dvi-am:
|
||||||
|
|
||||||
|
install-exec-am:
|
||||||
|
|
||||||
|
install-html: install-html-am
|
||||||
|
|
||||||
|
install-html-am:
|
||||||
|
|
||||||
|
install-info: install-info-am
|
||||||
|
|
||||||
|
install-info-am:
|
||||||
|
|
||||||
|
install-man:
|
||||||
|
|
||||||
|
install-pdf: install-pdf-am
|
||||||
|
|
||||||
|
install-pdf-am:
|
||||||
|
|
||||||
|
install-ps: install-ps-am
|
||||||
|
|
||||||
|
install-ps-am:
|
||||||
|
|
||||||
|
installcheck-am:
|
||||||
|
|
||||||
|
maintainer-clean: maintainer-clean-am
|
||||||
|
-rm -f Makefile
|
||||||
|
maintainer-clean-am: distclean-am maintainer-clean-generic
|
||||||
|
|
||||||
|
mostlyclean: mostlyclean-am
|
||||||
|
|
||||||
|
mostlyclean-am: mostlyclean-generic mostlyclean-libtool
|
||||||
|
|
||||||
|
pdf: pdf-am
|
||||||
|
|
||||||
|
pdf-am:
|
||||||
|
|
||||||
|
ps: ps-am
|
||||||
|
|
||||||
|
ps-am:
|
||||||
|
|
||||||
|
uninstall-am: uninstall-confDATA uninstall-examplesDATA
|
||||||
|
|
||||||
|
.MAKE: install-am install-strip
|
||||||
|
|
||||||
|
.PHONY: all all-am check check-am clean clean-generic clean-libtool \
|
||||||
|
clean-local distclean distclean-generic distclean-libtool \
|
||||||
|
distdir dvi dvi-am html html-am info info-am install \
|
||||||
|
install-am install-confDATA install-data install-data-am \
|
||||||
|
install-data-local install-dvi install-dvi-am \
|
||||||
|
install-examplesDATA install-exec install-exec-am install-html \
|
||||||
|
install-html-am install-info install-info-am install-man \
|
||||||
|
install-pdf install-pdf-am install-ps install-ps-am \
|
||||||
|
install-strip installcheck installcheck-am installdirs \
|
||||||
|
maintainer-clean maintainer-clean-generic mostlyclean \
|
||||||
|
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
|
||||||
|
uninstall uninstall-am uninstall-confDATA \
|
||||||
|
uninstall-examplesDATA
|
||||||
|
|
||||||
|
install-data-local:
|
||||||
|
if test ! -r $(DESTDIR)$(confdir)/stunnel.pem; then \
|
||||||
|
if test -r "$(RANDOM_FILE)"; then \
|
||||||
|
dd if="$(RANDOM_FILE)" of=stunnel.rnd bs=256 count=1; \
|
||||||
|
RND="-rand stunnel.rnd"; \
|
||||||
|
else \
|
||||||
|
RND=""; \
|
||||||
|
fi; \
|
||||||
|
$(OPENSSL) req -new -x509 -days 365 $$RND \
|
||||||
|
-config $(srcdir)/stunnel.cnf \
|
||||||
|
-out stunnel.pem -keyout stunnel.pem; \
|
||||||
|
$(OPENSSL) gendh $$RND 1024 >> stunnel.pem; \
|
||||||
|
$(OPENSSL) x509 -subject -dates -fingerprint -noout -in stunnel.pem; \
|
||||||
|
${INSTALL} -m 600 stunnel.pem $(DESTDIR)$(confdir)/stunnel.pem; \
|
||||||
|
rm stunnel.pem; \
|
||||||
|
fi
|
||||||
|
${INSTALL} -d -m 1770 $(DESTDIR)$(localstatedir)/lib/stunnel
|
||||||
|
-chgrp $(DEFAULT_GROUP) $(DESTDIR)$(localstatedir)/lib/stunnel
|
||||||
|
|
||||||
|
clean-local:
|
||||||
|
-rm -f stunnel.rnd
|
||||||
|
|
||||||
|
# Tell versions [3.59,3.63) of GNU make to not export all variables.
|
||||||
|
# Otherwise a system limit (for SysV at least) may be exceeded.
|
||||||
|
.NOEXPORT:
|
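Review bot: in install-data-local the private key is first written to stunnel.pem in the build directory by `$(OPENSSL) req -new -x509 -days 365 $$RND ... -out stunnel.pem -keyout stunnel.pem` with whatever mode the build umask allows, and only the installed copy gets `-m 600`; run that step under `umask 077` (or write straight to the destination with the final mode) so the key is never readable by other local users, even briefly. Two smaller points in the same target: `$(OPENSSL) gendh $$RND 1024 >> stunnel.pem` appends 1024-bit DH parameters, which is below current recommendations and uses a command OpenSSL has superseded with `dhparam`, so `$(OPENSSL) dhparam $$RND 2048` would be the safer default; and `-chgrp $(DEFAULT_GROUP) ...` ignores failure, so when that group does not exist the chroot directory created with `-m 1770` keeps the installer's group, a daemon running as setgid $(DEFAULT_GROUP) cannot write its pid file there, and nothing says so at install time. The `1770` mode itself deserves a comment explaining that the jail is made group-writable on purpose (the pid file lives inside it) and what the sticky bit is meant to prevent.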
56
tools/ca.html
Normal file
@ -0,0 +1,56 @@
|
|||||||
|
<HTML>
|
||||||
|
<HEAD>
|
||||||
|
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
|
||||||
|
<TITLE>Make your own certificate</TITLE>
|
||||||
|
</HEAD>
|
||||||
|
<BODY TEXT="#000000" BGCOLOR="#FFFFCC" LINK="#0000EF" VLINK="#51188E" ALINK="#FF0000">
|
||||||
|
<FORM ACTION="http://localhost/cgi-bin/ca.pl" METHOD=POST>
|
||||||
|
<TABLE>
|
||||||
|
|
||||||
|
<TR>
|
||||||
|
<TD>Key bits:</TD>
|
||||||
|
<TD><KEYGEN NAME="SPKAC"></TD>
|
||||||
|
</TR>
|
||||||
|
|
||||||
|
<TR>
|
||||||
|
<TD>Your name:</TD>
|
||||||
|
|
||||||
|
<TD><INPUT NAME="who" SIZE="40" MAXLENGTH=60 ALIGN=middle></TD>
|
||||||
|
</TR>
|
||||||
|
|
||||||
|
<TR>
|
||||||
|
<TD>Your e-mail address:</TD>
|
||||||
|
|
||||||
|
<TD><INPUT NAME="email" SIZE="40" MAXLENGTH=40 ALIGN=middle></TD>
|
||||||
|
</TR>
|
||||||
|
|
||||||
|
<TR>
|
||||||
|
<TD>Country name:</TD>
|
||||||
|
|
||||||
|
<TD><INPUT NAME="country" SIZE="40" MAXLENGTH=150 ALIGN=middle></TD>
|
||||||
|
</TR>
|
||||||
|
|
||||||
|
<TR>
|
||||||
|
<TD>State or province name:</TD>
|
||||||
|
|
||||||
|
<TD><INPUT NAME="state" SIZE="40" MAXLENGTH=40 ALIGN=middle></TD>
|
||||||
|
</TR>
|
||||||
|
|
||||||
|
<TR>
|
||||||
|
<TD>Organization:</TD>
|
||||||
|
|
||||||
|
<TD><INPUT NAME="organization" SIZE="40" MAXLENGTH=60 ALIGN=middle></TD>
|
||||||
|
</TR>
|
||||||
|
|
||||||
|
<TR>
|
||||||
|
<TD>Comment:</TD>
|
||||||
|
|
||||||
|
<TD><INPUT NAME="comment" SIZE="40" MAXLENGTH=40 ALIGN=middle></TD>
|
||||||
|
</TR>
|
||||||
|
</TABLE>
|
||||||
|
|
||||||
|
<H3>
|
||||||
|
<INPUT TYPE=submit VALUE=" Submit "> <INPUT TYPE=reset VALUE=" Reset All "></H3>
|
||||||
|
</FORM>
|
||||||
|
</BODY>
|
||||||
|
</HTML>
|
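Review bot: the form posts the subject fields and the SPKAC to the hard-coded `http://localhost/cgi-bin/ca.pl` over plain HTTP, so it is only sound when the browser and the CA script share a host; a comment stating that (and that the URL must be edited for anything else) would keep users from exposing a certificate-issuing endpoint over cleartext. The `<KEYGEN NAME="SPKAC">` element that produces the SPKAC is obsolete and no longer implemented by current browsers, which the top of the file should say. Minor: `MAXLENGTH=150` on the country field contradicts the two-letter country code that `ca.pl` writes as `C = ...`, and since neither this page nor `ca.pl` validates any value, the length limits are cosmetic.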
65
tools/ca.pl
Executable file
@ -0,0 +1,65 @@
|
|||||||
|
#!/usr/bin/perl
|
||||||
|
|
||||||
|
$config = "/var/openssl/openssl.cnf";
|
||||||
|
$capath = "/usr/bin/openssl ca";
|
||||||
|
$certpass = "mypassword";
|
||||||
|
$tempca = "/tmp/ssl/cli".rand 10000;
|
||||||
|
$tempout = "/tmp/ssl/certtmp".rand 10000;
|
||||||
|
$caout = "/tmp/ssl/certout.txt";
|
||||||
|
$CAcert = "/var/openssl/localCA/cacert.pem";
|
||||||
|
$spkac = "";
|
||||||
|
|
||||||
|
&ReadForm;
|
||||||
|
|
||||||
|
$spkac = $FIELDS{'SPKAC'};
|
||||||
|
$spkac =~ s/\n//g;
|
||||||
|
|
||||||
|
open(TEMPCE,">$tempca") || die &Error;
|
||||||
|
print TEMPCE "C = $FIELDS{'country'}\n";
|
||||||
|
print TEMPCE "ST = $FIELDS{'state'}\n";
|
||||||
|
print TEMPCE "O = $FIELDS{'organization'}\n";
|
||||||
|
print TEMPCE "Email = $FIELDS{'email'}\n";
|
||||||
|
print TEMPCE "CN = $FIELDS{'who'}\n";
|
||||||
|
print TEMPCE "SPKAC = $spkac\n";
|
||||||
|
close(TEMPCE);
|
||||||
|
|
||||||
|
system("$capath -batch -config $config -spkac $tempca -out $tempout -key $certpass -cert $CAcert>> $caout 2>&1");
|
||||||
|
open(CERT,"$tempout") || die &Error;
|
||||||
|
@certificate = <CERT>;
|
||||||
|
close(CERT);
|
||||||
|
|
||||||
|
#system("rm -f $tempca");
|
||||||
|
#system("rm -f $tempout");
|
||||||
|
|
||||||
|
print "Content-type: application/x-x509-user-cert\n\n";
|
||||||
|
print @certificate;
|
||||||
|
|
||||||
|
##############################################################
|
||||||
|
####
|
||||||
|
#### Procedures
|
||||||
|
####
|
||||||
|
|
||||||
|
sub ReadForm {
|
||||||
|
|
||||||
|
if ($ENV{'REQUEST_METHOD'} eq 'GET') {
|
||||||
|
@pairs = split(/&/, $ENV{'QUERY_STRING'});
|
||||||
|
}
|
||||||
|
elsif ($ENV{'REQUEST_METHOD'} eq 'POST') {
|
||||||
|
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
|
||||||
|
@pairs = split(/&/, $buffer);
|
||||||
|
}
|
||||||
|
foreach $pair (@pairs) {
|
||||||
|
($name, $value) = split(/=/, $pair);
|
||||||
|
$name =~ tr/+/ /;
|
||||||
|
$name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
|
||||||
|
$value =~ tr/+/ /;
|
||||||
|
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
|
||||||
|
$value =~ s/<!--(.|\n)*-->//g;
|
||||||
|
$FIELDS{$name} = $value;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
sub Error {
|
||||||
|
print "Content-type: text/html\n\n";
|
||||||
|
print "<P><P><center><H1>Cant open file</H1></center>\n";
|
||||||
|
}
|
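Review bot: the form values go into the SPKAC file unvalidated (`print TEMPCE "CN = $FIELDS{'who'}\n";` and the lines around it), and ReadForm decodes `%0A` into a newline for every field except SPKAC, so a submitted value can inject additional `name = value` lines and pick arbitrary DN attributes for the certificate that `openssl ca -batch` then signs; reject newlines and restrict each field to the expected character set before writing it. The `system(...)` line and the temp-file handling need the same attention: the CA passphrase is a literal in the script (`$certpass = "mypassword";`) and is passed as `-key $certpass` on the command line, where any local user can read it from the process list, so use `-passin file:` with a root-only file; `$tempca` and `$tempout` are built from `rand 10000` under `/tmp/ssl` and opened with a plain `>`, which is predictable and follows symlinks, so use a private directory or File::Temp; the `rm -f` lines for both files are commented out, so every request leaves its DN file and issued certificate behind; and `$caout` accumulates `openssl ca` output at a fixed path under `/tmp`. There is also no authentication before issuance, so any client that can reach the CGI obtains a certificate for any subject, which a header comment should state loudly. Smaller: `die &Error` runs Error and then dies, so the HTML error page is followed by the die message on stdout; have Error exit itself.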
16
tools/importCA.html
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
<HTML>
|
||||||
|
<HEAD>
|
||||||
|
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
|
||||||
|
<TITLE>Import CA root certificate</TITLE>
|
||||||
|
</HEAD>
|
||||||
|
<BODY TEXT="#000000" BGCOLOR="#FFFFCC" LINK="#0000EF" VLINK="#51188E" ALINK="#FF0000">
|
||||||
|
|
||||||
|
<BR>
|
||||||
|
<BR>
|
||||||
|
<BR>
|
||||||
|
<BR>
|
||||||
|
<CENTER><FONT SIZE=+2><A HREF="http://localhost/cgi-bin/importCA.sh">Import
|
||||||
|
CA certificate</A></FONT></CENTER>
|
||||||
|
|
||||||
|
</BODY>
|
||||||
|
</HTML>
|
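Review bot: the link to `http://localhost/cgi-bin/importCA.sh` hands the browser a root certificate to install over plain HTTP, which is acceptable only on the loopback host the URL names; if the URL is pointed at a remote host, an attacker on the path can substitute their own root, so a comment stating the loopback-only assumption belongs here, as in `ca.html`.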
5
tools/importCA.sh
Executable file
@ -0,0 +1,5 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
echo "Content-type: application/x-x509-ca-cert"
|
||||||
|
echo
|
||||||
|
cat /var/lib/httpds/cgi-bin/cacert.pem
|
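Review bot: `cat /var/lib/httpds/cgi-bin/cacert.pem` names a different CA certificate location from `$CAcert = "/var/openssl/localCA/cacert.pem";` in `ca.pl`, so on a fresh install one of the two tools points at the wrong file; both should take the path from one place, and the directory name `httpds` looks unintended. When `cat` fails the client still receives the `Content-type: application/x-x509-ca-cert` header with an empty body; test for the file first and return an error otherwise. Nothing here needs bash, so `#!/bin/sh` would do.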
11
tools/script.sh
Executable file
@ -0,0 +1,11 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
REMOTE_HOST="www.mirt.net:443"
|
||||||
|
echo "client script connecting $REMOTE_HOST"
|
||||||
|
/usr/local/bin/stunnel -fd 10 \
|
||||||
|
11<&0 <<EOT 10<&0 0<&11 11<&-
|
||||||
|
client=yes
|
||||||
|
connect=$REMOTE_HOST
|
||||||
|
EOT
|
||||||
|
echo "client script finished"
|
||||||
|
|
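Review bot: the configuration passed on fd 10 contains only `client=yes` and `connect=$REMOTE_HOST`, with no `verify`, `CAfile` or `CApath`, so the tunnel to www.mirt.net:443 accepts any server certificate and the example demonstrates an unauthenticated TLS client; the sample configuration files in this same commit warn that authentication "is not enabled by default", so the script should add `verify = 2` and a `CAfile` line, or carry a comment saying it deliberately omits them. The redirection chain `11<&0 <<EOT 10<&0 0<&11 11<&-` also deserves a one-line comment (save stdin on fd 11, put the here-document on fd 10, restore stdin, close fd 11), since passing the config on a descriptor is the whole point of the example.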
42
tools/stunnel.cnf
Normal file
@ -0,0 +1,42 @@
|
|||||||
|
# OpenSSL configuration file to create a server certificate
|
||||||
|
# by Michal Trojnara 1998-2012
|
||||||
|
|
||||||
|
[ req ]
|
||||||
|
# the default key length is secure and quite fast - do not change it
|
||||||
|
default_bits = 2048
|
||||||
|
# comment out the next line to protect the private key with a passphrase
|
||||||
|
encrypt_key = no
|
||||||
|
distinguished_name = req_dn
|
||||||
|
x509_extensions = cert_type
|
||||||
|
|
||||||
|
[ req_dn ]
|
||||||
|
countryName = Country Name (2 letter code)
|
||||||
|
countryName_default = PL
|
||||||
|
countryName_min = 2
|
||||||
|
countryName_max = 2
|
||||||
|
|
||||||
|
stateOrProvinceName = State or Province Name (full name)
|
||||||
|
stateOrProvinceName_default = Mazovia Province
|
||||||
|
|
||||||
|
localityName = Locality Name (eg, city)
|
||||||
|
localityName_default = Warsaw
|
||||||
|
|
||||||
|
organizationName = Organization Name (eg, company)
|
||||||
|
organizationName_default = Stunnel Developers
|
||||||
|
|
||||||
|
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||||
|
organizationalUnitName_default = Provisional CA
|
||||||
|
|
||||||
|
0.commonName = Common Name (FQDN of your server)
|
||||||
|
0.commonName_default = localhost
|
||||||
|
|
||||||
|
# To create a certificate for more than one name uncomment:
|
||||||
|
# 1.commonName = DNS alias of your server
|
||||||
|
# 2.commonName = DNS alias of your server
|
||||||
|
# ...
|
||||||
|
# See http://home.netscape.com/eng/security/ssl_2.0_certificate.html
|
||||||
|
# to see how Netscape understands commonName.
|
||||||
|
|
||||||
|
[ cert_type ]
|
||||||
|
nsCertType = server
|
||||||
|
|
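Review bot: the `[ cert_type ]` section sets only `nsCertType = server`, a Netscape-era extension, and the commented `1.commonName` / `2.commonName` scheme for extra names relies on commonName matching; current validators match server names against subjectAltName and key usage against extendedKeyUsage, so the section should add `subjectAltName = DNS:...` (for instance through an `[ alt_names ]` section) and `extendedKeyUsage = serverAuth`, and the Netscape reference can be dropped as historical. The header should also say that a self-signed certificate with the default CN `localhost` is for testing only, so nobody deploys the output of `make install` as a production certificate.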
91
tools/stunnel.conf
Normal file
@ -0,0 +1,91 @@
|
|||||||
|
; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2012
|
||||||
|
; Some options used here may be inadequate for your particular configuration
|
||||||
|
; This sample file does *not* represent stunnel.conf defaults
|
||||||
|
; Please consult the manual for detailed description of available options
|
||||||
|
|
||||||
|
; **************************************************************************
|
||||||
|
; * Global options *
|
||||||
|
; **************************************************************************
|
||||||
|
|
||||||
|
; Debugging stuff (may useful for troubleshooting)
|
||||||
|
;debug = 7
|
||||||
|
;output = stunnel.log
|
||||||
|
|
||||||
|
; Disable FIPS mode to allow non-approved protocols and algorithms
|
||||||
|
;fips = no
|
||||||
|
|
||||||
|
; **************************************************************************
|
||||||
|
; * Service defaults may also be specified in individual service sections *
|
||||||
|
; **************************************************************************
|
||||||
|
|
||||||
|
; Certificate/key is needed in server mode and optional in client mode
|
||||||
|
cert = stunnel.pem
|
||||||
|
;key = stunnel.pem
|
||||||
|
|
||||||
|
; Authentication stuff needs to be configured to prevent MITM attacks
|
||||||
|
; It is not enabled by default!
|
||||||
|
;verify = 2
|
||||||
|
; Don't forget to c_rehash CApath
|
||||||
|
;CApath = certs
|
||||||
|
; It's often easier to use CAfile
|
||||||
|
;CAfile = certs.pem
|
||||||
|
; Don't forget to c_rehash CRLpath
|
||||||
|
;CRLpath = crls
|
||||||
|
; Alternatively CRLfile can be used
|
||||||
|
;CRLfile = crls.pem
|
||||||
|
|
||||||
|
; Disable support for insecure SSLv2 protocol
|
||||||
|
options = NO_SSLv2
|
||||||
|
; Workaround for Eudora bug
|
||||||
|
;options = DONT_INSERT_EMPTY_FRAGMENTS
|
||||||
|
|
||||||
|
; These options provide additional security at some performance degradation
|
||||||
|
;options = SINGLE_ECDH_USE
|
||||||
|
;options = SINGLE_DH_USE
|
||||||
|
|
||||||
|
; **************************************************************************
|
||||||
|
; * Service definitions (at least one service has to be defined) *
|
||||||
|
; **************************************************************************
|
||||||
|
|
||||||
|
; Example SSL server mode services
|
||||||
|
|
||||||
|
[pop3s]
|
||||||
|
accept = 995
|
||||||
|
connect = 110
|
||||||
|
|
||||||
|
[imaps]
|
||||||
|
accept = 993
|
||||||
|
connect = 143
|
||||||
|
|
||||||
|
[ssmtp]
|
||||||
|
accept = 465
|
||||||
|
connect = 25
|
||||||
|
|
||||||
|
; Example SSL client mode services
|
||||||
|
|
||||||
|
;[gmail-pop3]
|
||||||
|
;client = yes
|
||||||
|
;accept = 127.0.0.1:110
|
||||||
|
;connect = pop.gmail.com:995
|
||||||
|
|
||||||
|
;[gmail-imap]
|
||||||
|
;client = yes
|
||||||
|
;accept = 127.0.0.1:143
|
||||||
|
;connect = imap.gmail.com:993
|
||||||
|
|
||||||
|
;[gmail-smtp]
|
||||||
|
;client = yes
|
||||||
|
;accept = 127.0.0.1:25
|
||||||
|
;connect = smtp.gmail.com:465
|
||||||
|
|
||||||
|
; Example SSL front-end to a web server
|
||||||
|
|
||||||
|
;[https]
|
||||||
|
;accept = 443
|
||||||
|
;connect = 80
|
||||||
|
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
|
||||||
|
; Microsoft implementations do not use SSL close-notify alert and thus
|
||||||
|
; they are vulnerable to truncation attacks
|
||||||
|
;TIMEOUTclose = 0
|
||||||
|
|
||||||
|
; vim:ft=dosini
|
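Review bot: `verify`, `CApath` and `CAfile` are all commented out, so the client-mode examples (`;connect = pop.gmail.com:995` and the two beside it), if uncommented as shown, would forward mail credentials to any server that presents a certificate; the file's own warning that authentication "is not enabled by default" is right, but `verify = 2` and `CAfile = ...` should sit next to the client examples rather than only in the global section where they stay commented. `options = NO_SSLv2` leaves SSLv3 enabled; add `options = NO_SSLv3` unless a legacy client needs it. The `[pop3s]`, `[imaps]` and `[ssmtp]` services are active out of the box and `accept = 995` without an address listens on all interfaces; binding `accept` to a specific address is the safer sample.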
100
tools/stunnel.conf-sample.in
Normal file
@ -0,0 +1,100 @@
|
|||||||
|
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2012
|
||||||
|
; Some options used here may be inadequate for your particular configuration
|
||||||
|
; This sample file does *not* represent stunnel.conf defaults
|
||||||
|
; Please consult the manual for detailed description of available options
|
||||||
|
|
||||||
|
; **************************************************************************
|
||||||
|
; * Global options *
|
||||||
|
; **************************************************************************
|
||||||
|
|
||||||
|
; A copy of some devices and system files is needed within the chroot jail
|
||||||
|
; Chroot conflicts with configuration file reload and many other features
|
||||||
|
chroot = @prefix@/var/lib/stunnel/
|
||||||
|
; Chroot jail can be escaped if setuid option is not used
|
||||||
|
setuid = nobody
|
||||||
|
setgid = @DEFAULT_GROUP@
|
||||||
|
|
||||||
|
; PID is created inside the chroot jail
|
||||||
|
pid = /stunnel.pid
|
||||||
|
|
||||||
|
; Debugging stuff (may useful for troubleshooting)
|
||||||
|
;debug = 7
|
||||||
|
;output = stunnel.log
|
||||||
|
|
||||||
|
; **************************************************************************
|
||||||
|
; * Service defaults may also be specified in individual service sections *
|
||||||
|
; **************************************************************************
|
||||||
|
|
||||||
|
; Certificate/key is needed in server mode and optional in client mode
|
||||||
|
cert = @prefix@/etc/stunnel/mail.pem
|
||||||
|
;key = @prefix@/etc/stunnel/mail.pem
|
||||||
|
|
||||||
|
; Authentication stuff needs to be configured to prevent MITM attacks
|
||||||
|
; It is not enabled by default!
|
||||||
|
;verify = 2
|
||||||
|
; Don't forget to c_rehash CApath
|
||||||
|
; CApath is located inside chroot jail
|
||||||
|
;CApath = /certs
|
||||||
|
; It's often easier to use CAfile
|
||||||
|
;CAfile = @prefix@/etc/stunnel/certs.pem
|
||||||
|
; Don't forget to c_rehash CRLpath
|
||||||
|
; CRLpath is located inside chroot jail
|
||||||
|
;CRLpath = /crls
|
||||||
|
; Alternatively CRLfile can be used
|
||||||
|
;CRLfile = @prefix@/etc/stunnel/crls.pem
|
||||||
|
|
||||||
|
; Disable support for insecure SSLv2 protocol
|
||||||
|
options = NO_SSLv2
|
||||||
|
; Workaround for Eudora bug
|
||||||
|
;options = DONT_INSERT_EMPTY_FRAGMENTS
|
||||||
|
|
||||||
|
; These options provide additional security at some performance degradation
|
||||||
|
;options = SINGLE_ECDH_USE
|
||||||
|
;options = SINGLE_DH_USE
|
||||||
|
|
||||||
|
; **************************************************************************
|
||||||
|
; * Service definitions (remove all services for inetd mode) *
|
||||||
|
; **************************************************************************
|
||||||
|
|
||||||
|
; Example SSL server mode services
|
||||||
|
|
||||||
|
[pop3s]
|
||||||
|
accept = 995
|
||||||
|
connect = 110
|
||||||
|
|
||||||
|
[imaps]
|
||||||
|
accept = 993
|
||||||
|
connect = 143
|
||||||
|
|
||||||
|
[ssmtp]
|
||||||
|
accept = 465
|
||||||
|
connect = 25
|
||||||
|
|
||||||
|
; Example SSL client mode services
|
||||||
|
|
||||||
|
;[gmail-pop3]
|
||||||
|
;client = yes
|
||||||
|
;accept = 127.0.0.1:110
|
||||||
|
;connect = pop.gmail.com:995
|
||||||
|
|
||||||
|
;[gmail-imap]
|
||||||
|
;client = yes
|
||||||
|
;accept = 127.0.0.1:143
|
||||||
|
;connect = imap.gmail.com:993
|
||||||
|
|
||||||
|
;[gmail-smtp]
|
||||||
|
;client = yes
|
||||||
|
;accept = 127.0.0.1:25
|
||||||
|
;connect = smtp.gmail.com:465
|
||||||
|
|
||||||
|
; Example SSL front-end to a web server
|
||||||
|
|
||||||
|
;[https]
|
||||||
|
;accept = 443
|
||||||
|
;connect = 80
|
||||||
|
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
|
||||||
|
; Microsoft implementations do not use SSL close-notify alert and thus
|
||||||
|
; they are vulnerable to truncation attacks
|
||||||
|
;TIMEOUTclose = 0
|
||||||
|
|
||||||
|
; vim:ft=dosini
|
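Review bot: `cert = @prefix@/etc/stunnel/mail.pem` names a file this commit never creates; tools/Makefile.in generates `$(confdir)/stunnel.pem`, so a fresh install ships a configuration pointing at a missing certificate and stunnel refuses to start until the user notices. Either generate `mail.pem` or point the sample at `stunnel.pem`. In the same vein, `chroot = @prefix@/var/lib/stunnel/` and the `@prefix@/etc/stunnel/...` paths hard-code `prefix/var` and `prefix/etc` while the Makefile installs into `$(localstatedir)/lib/stunnel` and `$(sysconfdir)/stunnel`, so a build configured with `--sysconfdir` or `--localstatedir` gets a config that points at the wrong directories; substitute `@localstatedir@` and `@sysconfdir@` instead. `setuid = nobody` also disagrees with the init script in this commit, which creates `/var/run/stunnel` owned by a `stunnel` user; a dedicated account is the better choice for both, since `nobody` is shared with other services, and `setgid = @DEFAULT_GROUP@` combined with the group-writable chroot means anything else in that group can write inside the jail. The comments on `verify` being commented out and on adding `NO_SSLv3` from the Win32 sample apply here as well.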
118
tools/stunnel.init.in
Normal file
@ -0,0 +1,118 @@
|
|||||||
|
#! /bin/sh -e
|
||||||
|
### BEGIN INIT INFO
|
||||||
|
# Provides: stunnel
|
||||||
|
# Required-Start: $local_fs $remote_fs
|
||||||
|
# Required-Stop: $local_fs $remote_fs
|
||||||
|
# Should-Start: $syslog
|
||||||
|
# Should-Stop: $syslog
|
||||||
|
# Default-Start: 2 3 4 5
|
||||||
|
# Default-Stop: 0 1 6
|
||||||
|
# Short-Description: Start or stop stunnel 4.x (SSL tunnel for network daemons)
|
||||||
|
### END INIT INFO
|
||||||
|
|
||||||
|
DEFAULTPIDFILE="/var/run/stunnel.pid"
|
||||||
|
DAEMON=@prefix@/bin/stunnel
|
||||||
|
NAME=stunnel
|
||||||
|
DESC="SSL tunnels"
|
||||||
|
FILES="/etc/stunnel/*.conf"
|
||||||
|
OPTIONS=""
|
||||||
|
ENABLED=0
|
||||||
|
|
||||||
|
get_pids() {
|
||||||
|
local file=$1
|
||||||
|
if test -f $file; then
|
||||||
|
CHROOT=`grep "^chroot" $file|sed "s;.*= *;;"`
|
||||||
|
PIDFILE=`grep "^pid" $file|sed "s;.*= *;;"`
|
||||||
|
if [ "$PIDFILE" = "" ]; then
|
||||||
|
PIDFILE=$DEFAULTPIDFILE
|
||||||
|
fi
|
||||||
|
if test -f $CHROOT/$PIDFILE; then
|
||||||
|
cat $CHROOT/$PIDFILE
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
startdaemons() {
|
||||||
|
if ! [ -d /var/run/stunnel ]; then
rm -rf /var/run/stunnel
install -d -o stunnel -g stunnel /var/run/stunnel
fi
for file in $FILES; do
if test -f $file; then
ARGS="$file $OPTIONS"
PROCLIST=`get_pids $file`
if [ "$PROCLIST" ] && kill -s 0 $PROCLIST 2>/dev/null; then
echo -n "[Already running: $file] "
elif $DAEMON $ARGS; then
echo -n "[Started: $file] "
else
echo "[Failed: $file]"
echo "You should check that you have specified the pid= in you configuration file"
exit 1
fi
fi
done;
}

killdaemons()
{
SIGNAL=${1:-TERM}
for file in $FILES; do
PROCLIST=`get_pids $file`
if [ "$PROCLIST" ] && kill -s 0 $PROCLIST 2>/dev/null; then
kill -s $SIGNAL $PROCLIST
echo -n "[stopped: $file] "
fi
done
}

if [ "x$OPTIONS" != "x" ]; then
OPTIONS="-- $OPTIONS"
fi

test -f /etc/default/stunnel && . /etc/default/stunnel
if [ "$ENABLED" = "0" ] ; then
echo "$DESC disabled, see /etc/default/stunnel"
exit 0
fi

test -x $DAEMON || exit 0

set -e

case "$1" in
start)
echo -n "Starting $DESC: "
startdaemons
echo "$NAME."
;;
stop)
echo -n "Stopping $DESC: "
killdaemons
echo "$NAME."
;;
reopen-logs)
echo -n "Reopening log files $DESC: "
killdaemons USR1
echo "$NAME."
;;
force-reload|reload)
echo -n "Reloading configuration $DESC: "
killdaemons HUP
echo "$NAME."
;;
restart)
echo -n "Restarting $DESC: "
killdaemons
sleep 5
startdaemons
echo "$NAME."
;;
*)
N=/etc/init.d/$NAME
echo "Usage: $N {start|stop|reload|reopen-logs|restart}" >&2
exit 1
;;
esac

exit 0
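Review bot: in `startdaemons` the running check `if [ "$PROCLIST" ] && kill -s 0 $PROCLIST` only proves that a process with that PID exists, not that it is stunnel, so a stale pid file left after a crash whose PID has since been reused makes `start` print `[Already running: $file]` and silently skip the tunnel, and the identical check in `killdaemons` then sends `$SIGNAL` to that unrelated process on `stop`. Consider verifying that the PID belongs to `$DAEMON` (for example by comparing `/proc/$pid/exe` with `$DAEMON`) before trusting it. Two smaller points: `restart` uses a fixed `sleep 5` between `killdaemons` and `startdaemons` instead of waiting for the old processes to exit, so on a slow shutdown `startdaemons` can still see the old PIDs and report `[Already running]`; and the failure message has a typo, `in you configuration file` should read `in your configuration file`.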
13
tools/stunnel.license
Normal file
@ -0,0 +1,13 @@
Copyright (C) 1998-2012 Michal Trojnara

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, see <http://www.gnu.org/licenses>.

Linking stunnel statically or dynamically with other modules is making a combined work based on stunnel. Thus, the terms and conditions of the GNU General Public License cover the whole combination.

In addition, as a special exception, the copyright holder of stunnel gives you permission to combine stunnel with free software programs or libraries that are released under the GNU LGPL and with code included in the standard release of OpenSSL under the OpenSSL License (or modified versions of such code, with unchanged license). You may copy and distribute such a system following the terms of the GNU GPL for stunnel and the licenses of the other code concerned.

Note that people who make modified versions of stunnel are not obligated to grant this special exception for their modified versions; it is their choice whether to do so. The GNU General Public License gives permission to release a modified version without this exception; this exception also makes it possible to release a modified version which carries forward this exception.
182
tools/stunnel.nsi
Normal file
@ -0,0 +1,182 @@
# NSIS stunnel installer by Michal Trojnara 1998-2012

!include "Sections.nsh"

Name "stunnel ${VERSION}"
OutFile "stunnel-${VERSION}-installer.exe"
InstallDir "$PROGRAMFILES\stunnel"
BrandingText "Author: Michal Trojnara"
LicenseData "${SRCDIR}/tools/stunnel.license"
SetCompressor /SOLID LZMA
InstallDirRegKey HKLM "Software\NSIS_stunnel" "Install_Dir"

RequestExecutionLevel admin

Page license
Page components
Page directory
Page instfiles

UninstPage uninstConfirm
UninstPage instfiles

Section "Stunnel Core Files (required)"
SectionIn RO
SetOutPath "$INSTDIR"

# stop the service, exit stunnel
ReadRegStr $R0 HKLM \
"Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion
IfErrors skip_service_stop
ExecWait '"$INSTDIR\stunnel.exe" -stop -quiet'
skip_service_stop:
# skip if the previously installed stunnel version is older than 4.40
GetDLLVersion "$INSTDIR\stunnel.exe" $R0 $R1
IfErrors skip_process_exit
ExecWait '"$INSTDIR\stunnel.exe" -exit -quiet'
skip_process_exit:

# write files
SetOverwrite off
File "${SRCDIR}/tools/stunnel.conf"
SetOverwrite on
#File "${DLLS}/*eay32.dll"
File "${DLLS}/libeay32.dll"
File "${DLLS}/ssleay32.dll"
File "${DLLS}/zlib1.dll"
File "${DLLS}/msvcr90.dll"
File "${DLLS}/Microsoft.VC90.CRT.manifest"
File "src/stunnel.exe"
File "${SRCDIR}/doc/stunnel.html"
WriteUninstaller "uninstall.exe"

# add uninstaller registry entries
WriteRegStr HKLM "Software\NSIS_stunnel" "Install_Dir" "$INSTDIR"
WriteRegStr HKLM \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \
"DisplayName" "stunnel"
WriteRegStr HKLM \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \
"UninstallString" '"$INSTDIR\uninstall.exe"'
WriteRegDWORD HKLM \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \
"NoModify" 1
WriteRegDWORD HKLM \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \
"NoRepair" 1
SectionEnd

Section "Self-signed Certificate Tools" sectionCA
SetOutPath "$INSTDIR"

# write files
File "${DLLS}/openssl.exe"
File "${SRCDIR}/tools/stunnel.cnf"
IfSilent lbl_skip_new_pem
IfFileExists "$INSTDIR\stunnel.pem" lbl_skip_new_pem
ExecWait '"$INSTDIR\openssl.exe" req -new -x509 -days 365 -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem'
lbl_skip_new_pem:
SectionEnd

Section "Start Menu Shortcuts"
SetShellVarContext all
CreateDirectory "$SMPROGRAMS\stunnel"

# remove old links
Delete "$SMPROGRAMS\stunnel\*.lnk"
Delete "$SMPROGRAMS\stunnel\*.url"

# main link
CreateShortCut "$SMPROGRAMS\stunnel\Run stunnel.lnk" \
"$INSTDIR\stunnel.exe" "" "$INSTDIR\stunnel.exe" 0
CreateShortCut "$SMPROGRAMS\stunnel\Exit stunnel.lnk" \
"$INSTDIR\stunnel.exe" "-exit" "$INSTDIR\stunnel.exe" 0

# NT service
ClearErrors
ReadRegStr $R0 HKLM \
"Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion
IfErrors skip_service_links
CreateShortCut "$SMPROGRAMS\stunnel\Service install.lnk" \
"$INSTDIR\stunnel.exe" "-install" "$INSTDIR\stunnel.exe" 0
CreateShortCut "$SMPROGRAMS\stunnel\Service uninstall.lnk" \
"$INSTDIR\stunnel.exe" "-uninstall" "$INSTDIR\stunnel.exe" 0
CreateShortCut "$SMPROGRAMS\stunnel\Service start.lnk" \
"$INSTDIR\stunnel.exe" "-start" "$INSTDIR\stunnel.exe" 0
CreateShortCut "$SMPROGRAMS\stunnel\Service stop.lnk" \
"$INSTDIR\stunnel.exe" "-stop" "$INSTDIR\stunnel.exe" 0
skip_service_links:

# edit config file
CreateShortCut "$SMPROGRAMS\stunnel\Edit stunnel.conf.lnk" \
"notepad.exe" "stunnel.conf" "notepad.exe" 0

# OpenSSL shell
CreateShortCut "$SMPROGRAMS\stunnel\OpenSSL Shell.lnk" \
"$INSTDIR\openssl.exe" "" "$INSTDIR\openssl.exe" 0

# make stunnel.pem
SectionGetFlags sectionCA $0
IntOp $0 $0 & SF_SELECTED
IntCmp $0 0 lbl_noCA
CreateShortCut "$SMPROGRAMS\stunnel\Build Self-signed stunnel.pem.lnk" \
"$INSTDIR\openssl.exe" \
"req -new -x509 -days 365 -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem"
lbl_noCA:

# help/uninstall
WriteINIStr "$SMPROGRAMS\stunnel\Manual.url" "InternetShortcut" \
"URL" "file://$INSTDIR/stunnel.html"
CreateShortCut "$SMPROGRAMS\stunnel\Uninstall stunnel.lnk" \
"$INSTDIR\uninstall.exe" "" "$INSTDIR\uninstall.exe" 0
SectionEnd

Section "Desktop Shortcut"
SetShellVarContext all
Delete "$DESKTOP\stunnel.lnk"
CreateShortCut "$DESKTOP\stunnel.lnk" \
"$INSTDIR\stunnel.exe" "" "$INSTDIR\stunnel.exe" 0
SectionEnd

Section "Uninstall"
ClearErrors

# stop and remove the service, exit stunnel
ReadRegStr $R0 HKLM \
"Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion
IfErrors skip_service_uninstall
ExecWait '"$INSTDIR\stunnel.exe" -stop -quiet'
ExecWait '"$INSTDIR\stunnel.exe" -uninstall -quiet'
skip_service_uninstall:
ExecWait '"$INSTDIR\stunnel.exe" -exit -quiet'

# remove stunnel folder
Delete "$INSTDIR\stunnel.conf"
Delete "$INSTDIR\stunnel.pem"
Delete "$INSTDIR\stunnel.exe"
Delete "$INSTDIR\stunnel.cnf"
Delete "$INSTDIR\openssl.exe"
#Delete "$INSTDIR\*eay32.dll"
Delete "$INSTDIR\libeay32.dll"
Delete "$INSTDIR\ssleay32.dll"
Delete "$INSTDIR\zlib1.dll"
Delete "$INSTDIR\msvcr90.dll"
Delete "$INSTDIR\Microsoft.VC90.CRT.manifest"
Delete "$INSTDIR\stunnel.html"
Delete "$INSTDIR\uninstall.exe"
RMDir "$INSTDIR"

# remove menu shortcuts
SetShellVarContext all
Delete "$DESKTOP\stunnel.lnk"
Delete "$SMPROGRAMS\stunnel\*.lnk"
Delete "$SMPROGRAMS\stunnel\*.url"
RMDir "$SMPROGRAMS\stunnel"

# remove uninstaller registry entires
DeleteRegKey HKLM \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel"
DeleteRegKey HKLM "Software\NSIS_stunnel"
SectionEnd

# end of stunnel.nsi
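Review bot: the `Build Self-signed stunnel.pem.lnk` shortcut in the Start Menu section runs `openssl.exe req ... -out stunnel.pem -keyout stunnel.pem` without the `IfFileExists "$INSTDIR\stunnel.pem" lbl_skip_new_pem` guard that the sectionCA section uses, so a user clicking it overwrites the deployed key and certificate with no confirmation. That shortcut and `Edit stunnel.conf.lnk` (which passes `"notepad.exe" "stunnel.conf"`) also rely on relative file names, so they only work because `$OUTDIR` is still `$INSTDIR` from the previous section; the Start Menu section never calls `SetOutPath "$INSTDIR"` itself, and should. Note as well that `stunnel.pem` contains the private key and is written under `$PROGRAMFILES\stunnel` with the directory's inherited ACL, which by default grants read access to all local users, so the installer documentation should tell administrators to restrict it. Minor: the comment `# remove uninstaller registry entires` should read `entries`.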
10
tools/stunnel.service.in
Normal file
@ -0,0 +1,10 @@
[Unit]
Description=SSL tunnel for network daemons
After=syslog.target

[Service]
ExecStart=@prefix@/bin/stunnel
Type=forking

[Install]
WantedBy=multi-user.target
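Review bot: `Type=forking` with no `PIDFile=` leaves systemd to guess which of the forked processes is the main one, so `systemctl stop` and failure detection may act on the wrong process; either add `PIDFile=` pointing at the path given by the `pid=` option in stunnel.conf, or run stunnel in the foreground and use `Type=simple`. The unit also lacks an `ExecReload=` even though the init script in this same commit supports reload via SIGHUP (`killdaemons HUP`), and `After=syslog.target` would better be `After=network.target`, since stunnel binds listening sockets and has no dependency on syslog being up.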
91
tools/stunnel.spec
Normal file
@ -0,0 +1,91 @@
%define _prefix /usr
%define _sysconfdir /etc

Summary: Program that wraps normal socket connections with SSL/TLS
Name: stunnel
Version: 4.53
Release: 1
Copyright: GPL
Group: Applications/Networking
Source: stunnel-%{version}.tar.gz
Packager: neeo <neeo@irc.pl>
Requires: openssl >= 0.9.6g
BuildRequires: openssl-devel >= 0.9.6g
Buildroot: /var/tmp/stunnel-%{version}-root

%description
The stunnel program is designed to work as SSL encryption wrapper
between remote clients and local (inetd-startable) or remote
servers. The concept is that having non-SSL aware daemons running on
your system you can easily set them up to communicate with clients over
secure SSL channels.
stunnel can be used to add SSL functionality to commonly used inetd
daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like
NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without
changes to the source code.

%prep
%setup -n stunnel-%{version}


%build
if [ ! -x ./configure ]; then
autoconf
autoheader
fi

CFLAGS="%{optflags}" ./configure --prefix=%{_prefix} --sysconfdir=%{_sysconfdir}

%{__make}

%install
%{__rm} -rf %{buildroot}
%{__mkdir} -p %{buildroot}%{_sysconfdir}/stunnel
%{__mkdir} -p %{buildroot}%{_sbindir}
%{__mkdir} -p %{buildroot}%{_libdir}
%{__mkdir} -p %{buildroot}%{_mandir}/man8
%{__mkdir} -p %{buildroot}%{_initrddir}

%{__install} -m755 -s src/stunnel %{buildroot}%{_sbindir}
%{__install} -m755 src/.libs/libstunnel.so %{buildroot}%{_libdir}
%{__install} -m755 src/.libs/libstunnel.la %{buildroot}%{_libdir}
%{__install} -m644 doc/stunnel.8 %{buildroot}%{_mandir}/man8/stunnel.8.gz
%{__install} -m644 tools/stunnel.conf-sample %{buildroot}%{_sysconfdir}/stunnel
%{__install} -m500 tools/stunnel.init %{buildroot}%{_initrddir}/stunnel

%clean
%{__rm} -rf %{buildroot}

%post
ldconfig

%postun
ldconfig

%files
%defattr(-,root,root)
%doc COPYING COPYRIGHT.GPL README ChangeLog doc/stunnel.html doc/en/transproxy.txt doc/en/VNC_StunnelHOWTO.html
%doc tools/ca.html tools/ca.pl tools/importCA.html tools/importCA.sh tools/stunnel.cnf
%dir %{_sysconfdir}/stunnel
%config %{_sysconfdir}/stunnel/*
%{_sbindir}/stunnel
%{_libdir}/libstunnel.so
%{_libdir}/libstunnel.la
%{_mandir}/man8/stunnel.8.gz
%{_initrddir}/stunnel

%changelog
* Fri Sep 09 2005 neeo <neeo@irc.pl>
- lots of changes and cleanups

* Wed Mar 17 2004 neeo <neeo@irc.pl>
- updated for 4.05

* Sun Jun 24 2000 Brian Hatch <bri@stunnel.org>
- updated for 3.8p3

* Wed Jul 14 1999 Dirk O. Siebnich <dok@vossnet.de>
- updated for 3.5.

* Mon Jun 07 1999 Dirk O. Siebnich <dok@vossnet.de>
- adapted from sslwrap RPM spec file
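Review bot: `%{__install} -m644 doc/stunnel.8 %{buildroot}%{_mandir}/man8/stunnel.8.gz` copies the uncompressed roff source to a name ending in `.gz`, so the packaged man page is not actually gzip data and `man stunnel` may fail to display it; install it as `stunnel.8`, let rpm's build-root compression handle it, and list `%{_mandir}/man8/stunnel.8*` in `%files`. Also, `%config %{_sysconfdir}/stunnel/*` should be `%config(noreplace)` so an upgrade does not overwrite an administrator's edited configuration with the sample file; `Copyright: GPL` is the obsolete tag name and should be `License: GPLv2+` to match the COPYING file in this commit; and the bare `ldconfig` in `%post` and `%postun` should be `/sbin/ldconfig`, since scriptlets are not guaranteed a PATH that finds it.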