Imported Upstream version 5.42
parent 74a62c14eb
commit d419cab3c4

.travis.yml (27 changed lines, Normal file)
@ -0,0 +1,27 @@
sudo: false

language: c

os:
- linux
- osx

compiler:
- gcc
- clang

env:
- CONFIGURE_OPTIONS='--with-threads=pthread'
- CONFIGURE_OPTIONS='--with-threads=fork'
- CONFIGURE_OPTIONS='--with-threads=ucontext'
- CONFIGURE_OPTIONS='--disable-ipv6 --disable-fips --disable-systemd --disable-libwrap'

addons:
apt:
packages:
- libssl-dev
- libwrap0-dev

before_script: autoreconf -fvi && touch src/dhparam.c

script: ./configure $CONFIGURE_OPTIONS && make && make test
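Review bot: the apt addon (libssl-dev, libwrap0-dev) only applies to the linux jobs, yet every CONFIGURE_OPTIONS row also runs on osx where neither package is installed; the three `--with-threads=...` rows therefore either depend on ./configure silently skipping libwrap and OpenSSL detection on osx or fail there. Make the intent explicit with a `matrix: exclude:` for the osx rows that need those libraries, or install the macOS dependencies before the build so both platforms exercise the same configuration. A short comment on `touch src/dhparam.c` in before_script would also help, since its purpose (marking the generated DH parameter source as current so the build does not regenerate it) is not obvious from the file.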
AUTHORS (2 changed lines)
@ -1,4 +1,4 @@
stunnel authors

Michal Trojnara <Michal.Trojnara@mirt.net>
Michal Trojnara <Michal.Trojnara@stunnel.org>
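Review bot: the maintainer contact changes from Michal.Trojnara@mirt.net to Michal.Trojnara@stunnel.org here; any remaining references to the old address elsewhere in the tree (documentation, package metadata, signing-key user IDs) should move in the same commit so that the published contact for bug and security reports stays consistent.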
COPYING (2 changed lines)
@ -1,6 +1,6 @@
stunnel license (see COPYRIGHT.GPL for detailed GPL conditions)

Copyright (C) 1998-2013 Michal Trojnara
Copyright (C) 1998-2017 Michal Trojnara

This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
CREDITS (39 changed lines)
@ -1,9 +1,40 @@
Special thx to:
stunnel code contributions


The code contributions are licensed as public domain unless stated otherwise.

Several Win32 and WCE improvements and bugfixes:
* Pierre Delaage <delaage.pierre@free.fr>

systemd socket activation in version 5.05:
Copyright (c) 2014 Mark Theunissen

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

Several bugfixes and improvements mostly in versions 3.xx:
* Brian Hatch <bri@stunnel.org>

Initial PTY support in version 3.05:
* Dirk O. Siebnich <dok@vossnet.de>

Initial SSL support in versions 1.x:
* Adam Hernik <adas@infocentrum.com>
* Pawel Krawczyk <kravietz@ceti.com.pl>
* Brian Hatch <bri@stunnel.org>
* Dirk O. Siebnich <dok@vossnet.de> for PTY support

and many others...
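Review bot: the MIT notice carried here for the systemd socket activation code (Copyright (c) 2014 Mark Theunissen) requires that the copyright and permission notice accompany all copies or substantial portions of that code, and CREDITS is the only place in this hunk that records it while the file's own header declares contributions public domain "unless stated otherwise". Name the source files the notice covers next to it, and make sure packaging installs CREDITS alongside COPYING so binary distributions keep the notice.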
ChangeLog (670 changed lines)
@ -1,5 +1,670 @@
stunnel change log

Version 5.42, 2017.07.16, urgency: HIGH
* New features
- "redirect" also supports "exec" and not only "connect".
- PKCS#11 engine DLL updated to version 0.4.7.
* Bugfixes
- Fixed premature cron thread initialization causing hangs.
- Fixed "verifyPeer = yes" on OpenSSL <= 1.0.1.
- Fixed pthreads support on OpenSolaris.

Version 5.41, 2017.04.01, urgency: MEDIUM
* New features
- PKCS#11 engine DLL updated to version 0.4.5.
- Default engine UI set with ENGINE_CTRL_SET_USER_INTERFACE.
- Key file name added into the passphrase console prompt.
- Performance optimization in memory leak detection.
* Bugfixes
- Fixed crashes with the OpenSSL 1.1.0 branch.
- Fixed certificate verification with "verifyPeer = yes"
and "verifyChain = no" (the default), while the peer
only returns a single certificate.

Version 5.40, 2017.01.28, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2k.
https://www.openssl.org/news/secadv/20170126.txt
* New features
- DH ciphersuites are now disabled by default.
- The daily server DH parameter regeneration is only performed if
DH ciphersuites are enabled in the configuration file.
- "checkHost" and "checkEmail" were modified to require either
"verifyChain" or "verifyPeer" (thx to Małorzata Olszówka).
* Bugfixes
- Fixed setting default ciphers.

Version 5.39, 2017.01.01, urgency: LOW
* New features
- PKCS#11 engine (pkcs11.dll) added to the Win32 build.
- Per-destination TLS session cache added for the client mode.
- The new "logId" parameter "process" added to log PID values.
- Added support for the new SSL_set_options() values.
- Updated the manual page.
- Obsolete references to "SSL" replaced with "TLS".
* Bugfixes
- Fixed "logId" parameter to also work in inetd mode.
- "delay = yes" properly enforces "failover = prio".
- Fixed fd_set allocation size on Win64.
- Fixed reloading invalid configuration file on Win32.
- Fixed resolving addresses with unconfigured network interfaces.

Version 5.38, 2016.11.26, urgency: MEDIUM
* New features
- "sni=" can be used to prevent sending the SNI extension.
- The AI_ADDRCONFIG resolver flag is used when available.
- Merged Debian 06-lfs.patch (thx to Peter Pentchev).
* Bugfixes
- Fixed a memory allocation bug causing crashes with OpenSSL 1.1.0.
- Fixed error handling for mixed IPv4/IPv6 destinations.
- Merged Debian 08-typos.patch (thx to Peter Pentchev).

Version 5.37, 2016.11.06, urgency: MEDIUM
* Bugfixes
- OpenSSL DLLs updated to version 1.0.2j (stops crashes).
- The default SNI target (not handled by any slave service)
is handled by the master service rather than rejected.
- Removed thread synchronization in the FORK threading model.

Version 5.36, 2016.09.22, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2i.
https://www.openssl.org/news/secadv_20160922.txt
* New features
- Added support for OpenSSL 1.1.0 built with "no-deprecated".
- Removed direct zlib dependency.

Version 5.35, 2016.07.18, urgency: HIGH
* Bugfixes
- Fixed incorrectly enforced client certificate requests.
- Only default to SO_EXCLUSIVEADDRUSE on Vista and later.
- Fixed thread safety of the configuration file reopening.

Version 5.34, 2016.07.05, urgency: HIGH
* Security bugfixes
- Fixed malfunctioning "verify = 4".
* New features
- Bind sockets with SO_EXCLUSIVEADDRUSE on WIN32.
- Added three new service-level options: requireCert, verifyChain,
and verifyPeer for fine-grained certificate verification control.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.

Version 5.33, 2016.06.23, urgency: HIGH
* New features
- Improved memory leak detection performance and accuracy.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
- SNI support also enabled on OpenSSL 0.9.8f and later (thx to
Guillermo Rodriguez Garcia).
- Added support for PKCS #12 (.p12/.pfx) certificates (thx to
Dmitry Bakshaev).
* Bugfixes
- Fixed a TLS session caching memory leak (thx to Richard Kraemer).
Before stunnel 5.27 this leak only emerged with sessiond enabled.
- Yet another WinCE socket fix (thx to Richard Kraemer).
- Fixed passphrase/pin dialogs in tstunnel.exe.
- Fixed a FORK threading build regression bug.
- OPENSSL_NO_DH compilation fix (thx to Brian Lin).

Version 5.32, 2016.05.03, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2h.
https://www.openssl.org/news/secadv_20160503.txt
* New features
- New "socket = a:IPV6_V6ONLY=yes" option to only bind IPv6.
- Memory leak detection.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
- Added/fixed Red Hat scripts (thx to Andrew Colin Kissa).
* Bugfixes
- Workaround for a WinCE sockets quirk (thx to Richard Kraemer).
- Fixed data alignment on 64-bit MSVC (thx to Yuris W. Auzins).

Version 5.31, 2016.03.01, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2g.
https://www.openssl.org/news/secadv_20160301.txt
* New features
- Added logging the list of client CAs requested by the server.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
* Bugfixes
- Only reset the watchdog if some data was actually transferred.
- A workaround implemented for the unexpected exceptfds set by
select() on WinCE 6.0 (thx to Richard Kraemer).
- Fixed logging an incorrect value of the round-robin starting
point (thx to Jose Alf.).

Version 5.30, 2016.01.28, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2f.
https://www.openssl.org/news/secadv_20160128.txt
* New features
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
- Added OpenSSL autodetection for the recent versions of Xcode.
* Bugfixes
- Fixed references to /etc removed from stunnel.init.in.
- Stopped even trying -fstack-protector on unsupported platforms
(thx to Rob Lockhart).

Version 5.29, 2016.01.08, urgency: LOW
* New features
- New WIN32 icons.
- Performance improvement: rwlocks used for locking with pthreads.
* Bugfixes
- Compilation fix for *BSD.
- Fixed configuration file reload for relative stunnel.conf path
on Unix.
- Fixed ignoring CRLfile unless CAfile was also specified (thx
to Strukov Petr).

Version 5.28, 2015.12.11, urgency: HIGH
* New features
- Build matrix (.travis.yml) extended with ./configure options.
- mingw.mak updated to build tstunnel.exe (thx to Jose Alf.).
* Bugfixes
- Fixed incomplete initialization.
- Fixed UCONTEXT threading on OSX.
- Fixed exit codes for information requests (as
in "stunnel -version" or "stunnel -help").

Version 5.27, 2015.12.03, urgency: MEDIUM
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2e.
https://www.openssl.org/news/secadv_20151203.txt
* New features
- Automated build testing configured with .travis.yml.
- Added reading server certificates from hardware engines.
For example: cert = id_45
- Only attempt to use potentially harmful compiler or linker
options if gcc was detected.
- /opt/csw added to the OpenSSL directory lookup list.
- mingw.mak updates (thx to Jose Alf.).
- TODO list updated.

Version 5.26, 2015.11.06, urgency: MEDIUM
* Bugfixes
- Compilation fixes for OSX, *BSD and Solaris.

Version 5.25, 2015.11.02, urgency: MEDIUM
* New features
- SMTP client protocol negotiation support for
"protocolUsername", "protocolPassword", and
"protocolAuthentication" (thx to Douglas Harris).
- New service-level option "config" to specify configuration
commands introduced in OpenSSL 1.0.2 (thx to Stephen Wall).
- The global option "foreground" now also accepts "quiet"
parameter, which does not enable logging to stderr.
- Manual page updated.
- Obsolete OpenSSL engines removed from the Windows build:
4758cca, aep, atalla, cswift, nuron, sureware.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree:
gracefully handle symbols renamed from SSLeay* to OpenSSL*.
* Bugfixes
- Fixed the "s_poll_wait returned 1, but no descriptor
is ready" internal error.
- Fixed "exec" hangs due to incorrect thread-local
storage handling (thx to Philip Craig).
- Fixed PRNG initialization (thx to Philip Craig).
- Setting socket options no longer performed on PTYs.
- Fixed 64-bit Windows build.

Version 5.24, 2015.10.08, urgency: MEDIUM
* New features
- Custom CRL verification was replaced with the internal
OpenSSL functionality.
- *BSD support for "transparent = destination" and
client-side "protocol = socks". This feature should
work at least on FreeBSD, OpenBSD and OS X.
- Added a new "protocolDomain" option for the NTLM
authentication (thx to Andreas Botsikas).
- Improved compatibility of the NTLM phase 1 message (thx
to Andreas Botsikas).
- "setuid" and "setgid" options are now also available
in service sections. They can be used to set owner
and group of the Unix socket specified with "accept".
- Added support for the new OpenSSL 1.0.2 SSL options.
- Added OPENSSL_NO_EGD support (thx to Bernard Spil).
- VC autodetection added to makew32.bat (thx to Andreas
Botsikas).
* Bugfixes
- Fixed the RESOLVE [F0] TOR extension support in SOCKS5.
- Fixed the error code reported on the failed bind()
requests.
- Fixed the sequential log id with the FORK threading.
- Restored the missing Microsoft.VC90.CRT.manifest file.

Version 5.23, 2015.09.02, urgency: LOW
* New features
- Client-side support for the SOCKS protocol.
See https://www.stunnel.org/socksvpn.html for details.
- Reject SOCKS requests to connect loopback addresses.
- New service-level option "OCSPnonce".
The default value is "OCSPnonce = no".
- Win32 directory structure rearranged. The installer
script provides automatic migration for common setups.
- Added Win32 installer option to install stunnel for the
current user only. This feature does not deploy the NT
service, but it also does not require aministrative
privileges to install and configure stunnel.
- stunnel.cnf was renamed to openssl.cnf in order to
to prevent users from mixing it up with stunnel.conf.
- Win32 desktop is automatically refreshed when the icon
is created or removed.
- The ca-certs.pem file is now updated on stunnel upgrade.
- Inactive ports were removed from the PORTS file.
- Added IPv6 support to the transparent proxy code.
* Bugfixes
- Compilation fix for OpenSSL version older than 1.0.0.
- Compilation fix for mingw.

Version 5.22, 2015.07.30, urgency: HIGH
* New features
- "OCSPaia = yes" added to the configuration file templates.
- Improved double free detection.
* Bugfixes
- Fixed a number of OCSP bugs. The most severe of those
bugs caused stunnel to treat OCSP responses that failed
OCSP_basic_verify() checks as if they were successful.
- Fixed the passive IPv6 resolver (broken in stunnel 5.21).

Version 5.21, 2015.07.27, urgency: MEDIUM
* New features
- Signal names are displayed instead of numbers.
- First resolve IPv4 addresses on passive resolver requests.
This speeds up stunnel startup on Win32 with a slow/defunct
DNS service.
- The "make check" target was modified to only build Win32
executables when stunnel is built from a git repository (thx
to Peter Pentchev).
- More elaborate descriptions were added to the warning about
using "verify = 2" without "checkHost" or "checkIP".
- Performance optimization was performed on the debug code.
* Bugfixes
- Fixed the FORK and UCONTEXT threading support.
- Fixed "failover=prio" (broken since stunnel 5.15).
- Added a retry when sleep(3) was interrupted by a signal
in the cron thread scheduler.

Version 5.20, 2015.07.09, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2d.
https://www.openssl.org/news/secadv_20150709.txt
* New features
- poll(2) re-enabled on MacOS X 10.5 and later.
- Xcode SDK is automatically used on MacOS X if no other
locally installed OpenSSL directory is found.
- The SSL library detection algorithm was made a bit smarter.
- Warnings about insecure authentication were modified to
include the name of the affected service section.
- A warning was added to stunnel.init if no pid file was
specified in the configuration file (thx to Peter Pentchev).
- Optional debugging symbols are included in the Win32 installer.
- Documentation updates (closes Debian bug #781669).
* Bugfixes
- Signal pipe reinitialization added to prevent turning the
main accepting thread into a busy wait loop when an external
condition breaks the signal pipe. This bug was found to
surface on Win32, but other platforms may also be affected.
- Fixed removing the disabled taskbar icon.
- Generated temporary DH parameters are used for configuration
reload instead of the static defaults.
- LSB compatibility fixes added to the stunnel.init script (thx
to Peter Pentchev).
- Fixed the manual page headers (thx to Gleydson Soares).

Version 5.19, 2015.06.16, urgency: MEDIUM:
* New features
- OpenSSL DLLs updated to version 1.0.2c.
- Added a runtime check whether COMP_zlib() method is implemented
in order to improve compatibility with the Debian OpenSSL build.
* Bugfixes
- Improved socket error handling.
- Cron thread priority on Win32 platform changed to
THREAD_PRIORITY_LOWEST to improve portability.
- Makefile bugfixes for stunnel 5.18 regressions.
- Fixed some typos in docs and scripts (thx to Peter Pentchev).
- Fixed a log level check condition (thx to Peter Pentchev).

Version 5.18, 2015.06.12, urgency: MEDIUM:
* New features
- OpenSSL DLLs updated to version 1.0.2b.
https://www.openssl.org/news/secadv_20150611.txt
- Added "include" configuration file option to include all
configuration file parts located in a specified directory.
- Log file is reopened every 24 hours. With "log = overwrite"
this feature can be used to prevent filling up disk space.
- Temporary DH parameters are refreshed every 24 hours, unless
static DH parameters were provided in the certificate file.
- Unique initial DH parameters are distributed with each release.
- Warnings are logged on potentially insecure authentication.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree:
removed RLE compression support, etc.
- Updated stunnel.spec (thx to Bill Quayle).
* Bugfixes
- Fixed handling of dynamic connect targets.
- Fixed handling of trailing whitespaces in the Content-Length
header of the NTLM authentication.
- Fixed --sysconfdir and --localstatedir handling (thx to
Dagobert Michelsen).

Version 5.17, 2015.04.29, urgency: HIGH:
* Bugfixes
- Fixed a NULL pointer dereference causing the service to crash.
This bug was introduced in stunnel 5.15.

Version 5.16, 2015.04.19, urgency: MEDIUM:
* Bugfixes
- Fixed compilation with old versions of gcc.

Version 5.15, 2015.04.16, urgency: LOW:
* New features
- Added new service-level options "checkHost", "checkEmail" and
"checkIP" for additional checks of the peer certificate subject.
These options require OpenSSL version 1.0.2 or higher.
- Win32 binary distribution now ships with the Mozilla root CA
bundle. This bundle is intended be used together with the new
"checkHost" option to validate server certs accepted by Mozilla.
- New commandline options "-reload" to reload the configuration
file and "-reopen" to reopen the log file of stunnel running
as a Windows service (thx to Marc McLaughlin).
- Added session persistence based on negotiated TLS sessions.
https://en.wikipedia.org/wiki/Load_balancing_%28computing%29#Persistence
The current implementation does not support external TLS
session caching with sessiond.
- MEDIUM ciphers (currently SEED and RC4) are removed from the
default cipher list.
- The "redirect" option was improved to not only redirect sessions
established with an untrusted certificate, but also sessions
established without a client certificate.
- OpenSSL version checking modified to distinguish FIPS and
non-FIPS builds.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
- Removed support for OpenSSL versions older than 0.9.7.
The final update for the OpenSSL 0.9.6 branch was 17 Mar 2004.
- "sessiond" support improved to also work in OpenSSL 0.9.7.
- Randomize the initial value of the round-robin counter.
- New stunnel.conf templates are provided for Windows and Unix.
* Bugfixes
- Fixed compilation against old versions of OpenSSL.
- Fixed memory leaks in certificate verification.

Version 5.14, 2015.03.25, urgency: HIGH:
* Security bugfixes
- The "redirect" option now also redirects clients on SSL session
reuse. In stunnel versions 5.00 to 5.13 reused sessions were
instead always connected hosts specified with the "connect"
option regardless of their certificate verification result.
This vulnerability was reported by Johan Olofsson.
* New features
- Windows service is automatically restarted after upgrade.
* Bugfixes
- Fixed a memory allocation error during Unix daemon shutdown.
- Fixed handling multiple connect/redirect destinations.
- OpenSSL FIPS builds are now correctly reported on startup.

Version 5.13, 2015.03.20, urgency: MEDIUM:
* New features
- The "service" option was modified to also control the syslog
service name.
* Bugfixes
- Fixed Windows service crash.

Version 5.12, 2015.03.19, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2a.
https://www.openssl.org/news/secadv_20150319.txt
* New features
- New service-level option "logId" to specify the
connection identifier type. Currently supported types:
"sequential" (default), "unique", and "thread".
- New service-level option "debug" to individually control
logging verbosity of defined services.
* Bugfixes
- OCSP fixed on Windows platform (thx to Alec Kosky).

Version 5.11, 2015.03.11, urgency: LOW:
* New features
- OpenSSL DLLs updated to version 1.0.2.
- Removed dereferences of internal OpenSSL data structures.
- PSK key lookup algorithm performance improved from
O(N) (linear) to O(log N) (logarithmic).
* Bugfixes
- Fixed peer certificate list in the main window on Win32
(thx to @fyer for reporting it).
- Fixed console logging in tstunnel.exe.
- _tputenv_s() replaced with more portable _tputenv() on Win32.

Version 5.10, 2015.01.22, urgency: LOW:
* New features
- OCSP AIA (Authority Information Access) support. This feature
can be enabled with the new service-level option "OCSPaia".
- Additional security features of the linker are enabled:
"-z relro", "-z now", "-z noexecstack".
* Bugfixes
- OpenSSL DLLs updated to version 1.0.1l.
https://www.openssl.org/news/secadv_20150108.txt
- FIPS canister updated to version 2.0.9 in the Win32 binary
build.

Version 5.09, 2015.01.02, urgency: LOW:
* New features
- Added PSK authentication with two new service-level
configuration file options "PSKsecrets" and "PSKidentity".
- Added additional security checks to the OpenSSL memory
management functions.
- Added support for the OPENSSL_NO_OCSP and OPENSSL_NO_ENGINE
OpenSSL configuration flags.
- Added compatibility with the current OpenSSL 1.1.0-dev tree.
* Bugfixes
- Removed defective s_poll_error() code occasionally causing
connections to be prematurely closed (truncated).
This bug was introduced in stunnel 4.34.
- Fixed ./configure systemd detection (thx to Kip Walraven).
- Fixed ./configure sysroot detection (thx to Kip Walraven).
- Fixed compilation against old versions of OpenSSL.
- Removed outdated French manual page.

Version 5.08, 2014.12.09, urgency: MEDIUM:
* New features
- Added SOCKS4/SOCKS4a protocol support.
- Added SOCKS5 protocol support.
- Added SOCKS RESOLVE [F0] TOR extension support.
- Updated automake to version 1.14.1.
- OpenSSL directory searching is now relative to the sysroot.
* Bugfixes
- Fixed improper hangup condition handling.
- Fixed missing -pic linker option. This is required for
Android 5.0 and improves security.

Version 5.07, 2014.11.01, urgency: MEDIUM:
* New features
- Several SMTP server protocol negotiation improvements.
- Added UTF-8 byte order marks to stunnel.conf templates.
- DH parameters are no longer generated by "make cert".
The hardcoded DH parameters are sufficiently secure,
and modern TLS implementations will use ECDH anyway.
- Updated manual for the "options" configuration file option.
- Added support for systemd 209 or later.
- New --disable-systemd ./configure option.
- setuid/setgid commented out in stunnel.conf-sample.
* Bugfixes
- Added support for UTF-8 byte order mark in stunnel.conf.
- Compilation fix for OpenSSL with disabled SSLv2 or SSLv3.
- Non-blocking mode set on inetd and systemd descriptors.
- shfolder.h replaced with shlobj.h for compatibility
with modern Microsoft compilers.

Version 5.06, 2014.10.15, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1j.
https://www.openssl.org/news/secadv_20141015.txt
- The insecure SSLv2 protocol is now disabled by default.
It can be enabled with "options = -NO_SSLv2".
- The insecure SSLv3 protocol is now disabled by default.
It can be enabled with "options = -NO_SSLv3".
- Default sslVersion changed to "all" (also in FIPS mode)
to autonegotiate the highest supported TLS version.
* New features
- Added missing SSL options to match OpenSSL 1.0.1j.
- New "-options" commandline option to display the list
of supported SSL options.
* Bugfixes
- Fixed FORK threading build regression bug.
- Fixed missing periodic Win32 GUI log updates.

Version 5.05, 2014.10.10, urgency: MEDIUM:
* New features
- Asynchronous communication with the GUI thread for faster
logging on Win32.
- systemd socket activation (thx to Mark Theunissen).
- The parameter of "options" can now be prefixed with "-"
to clear an SSL option, for example:
"options = -LEGACY_SERVER_CONNECT".
- Improved "transparent = destination" manual page (thx to
Vadim Penzin).
* Bugfixes
- Fixed POLLIN|POLLHUP condition handling error resulting
in prematurely closed (truncated) connection.
- Fixed a null pointer dereference regression bug in the
"transparent = destination" functionality (thx to
Vadim Penzin). This bug was introduced in stunnel 5.00.
- Fixed startup thread synchronization with Win32 GUI.
- Fixed erroneously closed stdin/stdout/stderr if specified
as the -fd commandline option parameter.
- A number of minor Win32 GUI bugfixes and improvements.
- Merged most of the Windows CE patches (thx to Pierre Delaage).
- Fixed incorrect CreateService() error message on Win32.
- Implemented a workaround for defective Cygwin file
descriptor passing breaking the libwrap support:
http://wiki.osdev.org/Cygwin_Issues#Passing_file_descriptors

Version 5.04, 2014.09.21, urgency: LOW:
* New features
- Support for local mode ("exec" option) on Win32.
- Support for UTF-8 config file and log file.
- Win32 UTF-16 build (thx to Pierre Delaage for support).
- Support for Unicode file names on Win32.
- A more explicit service description provided for the
Windows SCM (thx to Pierre Delaage).
- TCP/IP dependency added for NT service in order to prevent
initialization failure at boot time.
- FIPS canister updated to version 2.0.8 in the Win32 binary
build.
* Bugfixes
- load_icon_default() modified to return copies of default icons
instead of the original resources to prevent the resources
from being destroyed.
- Partially merged Windows CE patches (thx to Pierre Delaage).
- Fixed typos in stunnel.init.in and vc.mak.
- Fixed incorrect memory allocation statistics update in
str_realloc().
- Missing REMOTE_PORT environmental variable is provided to
processes spawned with "exec" on Unix platforms.
- Taskbar icon is no longer disabled for NT service.
- Fixed taskbar icon initialization when commandline options are
specified.
- Reportedly more compatible values used for the dwDesiredAccess
parameter of the CreateFile() function (thx to Pierre Delaage).
- A number of minor Win32 GUI bugfixes and improvements.

Version 5.03, 2014.08.07, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1i.
See https://www.openssl.org/news/secadv_20140806.txt
* New features
- FIPS autoconfiguration cleanup.
- FIPS canister updated to version 2.0.6.
- Improved SNI diagnostic logging.
* Bugfixes
- Compilation fixes for old versions of OpenSSL.
- Fixed whitespace handling in the stunnel.init script.

Version 5.02, 2014.06.09, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1h.
See https://www.openssl.org/news/secadv_20140605.txt
* New features
- Major rewrite of the protocol.c interface: it is now possible to add
protocol negotiations at multiple connection phases, protocols can
individually decide whether the remote connection will be
established before or after SSL/TLS is negotiated.
- Heap memory blocks are wiped before release. This only works for
block allocated by stunnel, and not by OpenSSL or other libraries.
- The safe_memcmp() function implemented with execution time not
dependent on the compared data.
- Updated the stunnel.conf and stunnel.init templates.
- Added a client-mode example to the manual.
* Bugfixes
- Fixed "failover = rr" broken since version 5.00.
- Fixed "taskbar = no" broken since version 5.00.
- Compilation fix for missing SSL_OP_MSIE_SSLV2_RSA_PADDING option.

Version 5.01, 2014.04.08, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1g.
This version mitigates TLS heartbeat read overrun (CVE-2014-0160).
* New features
- X.509 extensions added to the created self-signed stunnel.pem.
- "FIPS = no" also allowed in non-FIPS builds of stunnel.
- Search all certificates with the same subject name for a matching
public key rather than only the first one (thx to Leon Winter).
- Create logs in the local application data folder if stunnel folder
is not writable on Win32.
* Bugfixes
- close_notify not sent when SSL still has some data buffered.
- Protocol negotiation with server-side SNI fixed.
- A Mac OS X missing symbols fixed.
- Win32 configuration file reload crash fixed.
- Added s_pool_free() on exec+connect service retires.
- Line-buffering enforced on stderr output.

stunnel 5.00 disables some features previously enabled by default.
Users should review whether the new defaults are appropriate for their
particular deployments. Packages maintainers may consider prepending
the old defaults for "fips" (if supported by their OpenSSL library),
"pid" and "libwrap" to stunnel.conf during automated updates.

Version 5.00, 2014.03.06, urgency: HIGH:
* Security bugfixes
- Added PRNG state update in fork threading (CVE-2014-0016).
* New global configuration file defaults
- Default "fips" option value is now "no", as FIPS mode is only
helpful for compliance, and never for actual security.
|
||||
- Default "pid" is now "", i.e. not to create a pid file at startup.
|
||||
* New service-level configuration file defaults
|
||||
- Default "ciphers" updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2"
|
||||
due to AlFBPPS attack and bad performance of DH ciphersuites.
|
||||
- Default "libwrap" setting is now "no" to improve performance.
|
||||
* New features
|
||||
- OpenSSL DLLs updated to version 1.0.1f.
|
||||
- zlib DLL updated to version 1.2.8.
|
||||
- autoconf scripts upgraded to version 2.69.
|
||||
- TLS 1.1 and TLS 1.2 are now allowed in the FIPS mode.
|
||||
- New service-level option "redirect" to redirect SSL client
|
||||
connections on authentication failures instead of rejecting them.
|
||||
- New global "engineDefault" configuration file option to control
|
||||
which OpenSSL tasks are delegated to the current engine.
|
||||
Available tasks: ALL, RSA, DSA, ECDH, ECDSA, DH, RAND, CIPHERS,
|
||||
DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1.
|
||||
- New service-level configuration file option "engineId" to select
|
||||
the engine by identifier, e.g. "engineId = capi".
|
||||
- New global configuration file option "log" to control whether to
|
||||
append (the default), or to overwrite log file while (re)opening.
|
||||
- Different taskbar icon colors to indicate the service state.
|
||||
- New global configuration file options "iconIdle", "iconActive",
|
||||
and "iconError" to select status icon on GUI taskbar.
|
||||
- Removed the limit of 63 stunnel.conf sections on Win32 platform.
|
||||
- Installation of a sample certificate was moved to a separate "cert"
|
||||
target in order to allow unattended (e.g. scripted) installations.
|
||||
- Reduced length of the logged thread identifier. It is still based
|
||||
on the OS thread ID, and thus not unique over long periods of time.
|
||||
- Improved readability of error messages printed when stunnel refuses
|
||||
to start due to a critical error.
|
||||
* Bugfixes
|
||||
- LD_PRELOAD Solaris compatibility bug fixed (thx to Norm Jacobs).
|
||||
- CRYPTO_NUM_LOCKS replaced with CRYPTO_num_locks() to improve binary
|
||||
compatibility with diverse builds of OpenSSL (thx to Norm Jacobs).
|
||||
- Corrected round-robin failover behavior under heavy load.
|
||||
- Numerous fixes in the engine support code.
|
||||
- On Win32 platform .rnd file moved from c:\ to the stunnel folder.
|
||||
|
||||
Version 4.57, 2015.04.01, urgency: HIGH:
|
||||
* Security bugfixes
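Review bot: two typos in the added entries: in the 5.02 block, "This only works for block allocated by stunnel" should read "blocks allocated by stunnel", and in the paragraph introducing 5.00, "Packages maintainers" should read "Package maintainers". The heading "Version 4.57, 2015.04.01" placed directly after 5.00 (2014.03.06) is presumably the 4.x maintenance release, but with the date out of order a reader will suspect a typo; a one-line remark above that heading would settle it.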
@ -116,6 +781,7 @@ Version 4.51, 2012.01.09, urgency: MEDIUM:
- New "compression = deflate" global option to enable RFC 2246 compresion.
For compatibility with previous versions "compression = zlib" and
"compression = rle" also enable the deflate (RFC 2246) compression.
- Compression is disabled by default.
- Separate default ciphers and sslVersion for "fips = yes" and "fips = no".
- UAC support for editing configuration file with Windows GUI.
* Bugfixes
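Review bot: "compresion" in the first line of this hunk ("to enable RFC 2246 compresion") is misspelled; since the hunk is already editing the 4.51 block, correct it to "compression" here rather than leaving it for a later pass.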
@ -518,7 +1184,7 @@ Version 4.19, 2006.11.11, urgency: LOW/EXPERIMENTAL:
- There are a lot of new features in this version. I recommend
to test it well before upgrading your mission-critical systems.
* New features
- New service-level option to specify OCSP server flag:
- New service-level option to specify an OCSP responder flag:
OCSPflag = <flag>
- "protocolCredentials" option changed to "protocolUsername"
and "protocolPassword"
@ -574,7 +1240,7 @@ Version 4.16, 2006.08.31, urgency: MEDIUM:
- Default group is now detected by configure script.
- Check for maximum number of defined services added.
- OpenSSL_add_all_algorithms() added to SSL initialization.
- configure script sections reordered to detect pthread library funcions.
- configure script sections reordered to detect pthread library functions.
- RFC 2487 autodetection improved. High resolution s_poll_wait()
not currently supported by UCONTEXT threading.
- More precise description of cert directory file names (thx to Muhammad

378
INSTALL
@ -1,40 +1,370 @@
stunnel Unix install notes
Installation Instructions
*************************

Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation,
Inc.

1. If your machine supports POSIX threads make sure your SSL
library is compiled with -DTHREADS.
Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved. This file is offered as-is,
without warranty of any kind.

2. Compile the software:
Basic Installation
==================

./configure
make
make install
Briefly, the shell command `./configure && make && make install'
should configure, build, and install this package. The following
more-detailed instructions are generic; see the `README' file for
instructions specific to this package. Some packages provide this
`INSTALL' file but do not implement all of the features documented
below. The lack of an optional feature in a given package is not
necessarily a bug. More recommendations for GNU packages can be found
in *note Makefile Conventions: (standards)Makefile Conventions.

(see potential options for 'configure' at the end of this file)
The `configure' shell script attempts to guess correct values for
various system-dependent variables used during compilation. It uses
those values to create a `Makefile' in each directory of the package.
It may also create one or more `.h' files containing system-dependent
definitions. Finally, it creates a shell script `config.status' that
you can run in the future to recreate the current configuration, and a
file `config.log' containing compiler output (useful mainly for
debugging `configure').

3. Create stunnel configuration file (stunnel.conf).
It can also use an optional file (typically called `config.cache'
and enabled with `--cache-file=config.cache' or simply `-C') that saves
the results of its tests to speed up reconfiguring. Caching is
disabled by default to prevent problems with accidental use of stale
cache files.

4. Add stunnel invocation to your system's startup files.
For SysV-compatible init you can use stunnel.init script.
If you need to do unusual things to compile the package, please try
to figure out how `configure' could check whether to do them, and mail
diffs or instructions to the address given in the `README' so they can
be considered for the next release. If you are using the cache, and at
some point `config.cache' contains results you don't want to keep, you
may remove or edit it.

or
The file `configure.ac' (or `configure.in') is used to create
`configure' by a program called `autoconf'. You need `configure.ac' if
you want to change it or regenerate `configure' using a newer version
of `autoconf'.

Modify /etc/services and /etc/inetd.conf, restart inetd (inetd mode).
The simplest way to compile this package is:

See the manual for details.
1. `cd' to the directory containing the package's source code and type
`./configure' to configure the package for your system.

5. There are a variety of compile-time options you may supply when
running configure. Most commonly used are:
Running `configure' might take a while. While running, it prints
some messages telling which features it is checking for.

--with-ssl=DIR
where your SSL libraries and include files are installed
2. Type `make' to compile the package.

--with-random=FILE
read randomness from FILE for PRNG seeding
3. Optionally, type `make check' to run any self-tests that come with
the package, generally using the just-built uninstalled binaries.

--with-egd-socket=FILE
location of Entropy Gathering Daemon socket, if running EGD
(for example on a machine that lacks a /dev/urandom device)
4. Type `make install' to install the programs and any data files and
documentation. When installing into a prefix owned by root, it is
recommended that the package be configured and built as a regular
user, and only the `make install' phase executed with root
privileges.

Use `./configure --help' to see all the options.
5. Optionally, type `make installcheck' to repeat any self-tests, but
this time using the binaries in their final installed location.
This target does not install anything. Running this target as a
regular user, particularly if the prior `make install' required
root privileges, verifies that the installation completed
correctly.

6. You can remove the program binaries and object files from the
source code directory by typing `make clean'. To also remove the
files that `configure' created (so you can compile the package for
a different kind of computer), type `make distclean'. There is
also a `make maintainer-clean' target, but that is intended mainly
for the package's developers. If you use it, you may have to get
all sorts of other programs in order to regenerate files that came
with the distribution.

7. Often, you can also type `make uninstall' to remove the installed
files again. In practice, not all packages have tested that
uninstallation works correctly, even though it is required by the
GNU Coding Standards.

8. Some packages, particularly those that use Automake, provide `make
distcheck', which can by used by developers to test that all other
targets like `make install' and `make uninstall' work correctly.
This target is generally not run by end users.

Compilers and Options
=====================

Some systems require unusual options for compilation or linking that
the `configure' script does not know about. Run `./configure --help'
for details on some of the pertinent environment variables.

You can give `configure' initial values for configuration parameters
by setting variables in the command line or in the environment. Here
is an example:

./configure CC=c99 CFLAGS=-g LIBS=-lposix

*Note Defining Variables::, for more details.

Compiling For Multiple Architectures
====================================

You can compile the package for more than one kind of computer at the
same time, by placing the object files for each architecture in their
own directory. To do this, you can use GNU `make'. `cd' to the
directory where you want the object files and executables to go and run
the `configure' script. `configure' automatically checks for the
source code in the directory that `configure' is in and in `..'. This
is known as a "VPATH" build.

With a non-GNU `make', it is safer to compile the package for one
architecture at a time in the source code directory. After you have
installed the package for one architecture, use `make distclean' before
reconfiguring for another architecture.

On MacOS X 10.5 and later systems, you can create libraries and
executables that work on multiple system types--known as "fat" or
"universal" binaries--by specifying multiple `-arch' options to the
compiler but only a single `-arch' option to the preprocessor. Like
this:

./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
CPP="gcc -E" CXXCPP="g++ -E"

This is not guaranteed to produce working output in all cases, you
may have to build one architecture at a time and combine the results
using the `lipo' tool if you have problems.

Installation Names
==================

By default, `make install' installs the package's commands under
`/usr/local/bin', include files under `/usr/local/include', etc. You
can specify an installation prefix other than `/usr/local' by giving
`configure' the option `--prefix=PREFIX', where PREFIX must be an
absolute file name.

You can specify separate installation prefixes for
architecture-specific files and architecture-independent files. If you
pass the option `--exec-prefix=PREFIX' to `configure', the package uses
PREFIX as the prefix for installing programs and libraries.
Documentation and other data files still use the regular prefix.

In addition, if you use an unusual directory layout you can give
options like `--bindir=DIR' to specify different values for particular
kinds of files. Run `configure --help' for a list of the directories
you can set and what kinds of files go in them. In general, the
default for these options is expressed in terms of `${prefix}', so that
specifying just `--prefix' will affect all of the other directory
specifications that were not explicitly provided.

The most portable way to affect installation locations is to pass the
correct locations to `configure'; however, many packages provide one or
both of the following shortcuts of passing variable assignments to the
`make install' command line to change installation locations without
having to reconfigure or recompile.

The first method involves providing an override variable for each
affected directory. For example, `make install
prefix=/alternate/directory' will choose an alternate location for all
directory configuration variables that were expressed in terms of
`${prefix}'. Any directories that were specified during `configure',
but not in terms of `${prefix}', must each be overridden at install
time for the entire installation to be relocated. The approach of
makefile variable overrides for each directory variable is required by
the GNU Coding Standards, and ideally causes no recompilation.
However, some platforms have known limitations with the semantics of
shared libraries that end up requiring recompilation when using this
method, particularly noticeable in packages that use GNU Libtool.

The second method involves providing the `DESTDIR' variable. For
example, `make install DESTDIR=/alternate/directory' will prepend
`/alternate/directory' before all installation names. The approach of
`DESTDIR' overrides is not required by the GNU Coding Standards, and
does not work on platforms that have drive letters. On the other hand,
it does better at avoiding recompilation issues, and works well even
when some directory options were not specified in terms of `${prefix}'
at `configure' time.

Optional Features
=================

If the package supports it, you can cause programs to be installed
with an extra prefix or suffix on their names by giving `configure' the
option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.

Some packages pay attention to `--enable-FEATURE' options to
`configure', where FEATURE indicates an optional part of the package.
They may also pay attention to `--with-PACKAGE' options, where PACKAGE
is something like `gnu-as' or `x' (for the X Window System). The
`README' should mention any `--enable-' and `--with-' options that the
package recognizes.

For packages that use the X Window System, `configure' can usually
find the X include and library files automatically, but if it doesn't,
you can use the `configure' options `--x-includes=DIR' and
`--x-libraries=DIR' to specify their locations.

Some packages offer the ability to configure how verbose the
execution of `make' will be. For these packages, running `./configure
--enable-silent-rules' sets the default to minimal output, which can be
overridden with `make V=1'; while running `./configure
--disable-silent-rules' sets the default to verbose, which can be
overridden with `make V=0'.

Particular systems
==================

On HP-UX, the default C compiler is not ANSI C compatible. If GNU
CC is not installed, it is recommended to use the following options in
order to use an ANSI C compiler:

./configure CC="cc -Ae -D_XOPEN_SOURCE=500"

and if that doesn't work, install pre-built binaries of GCC for HP-UX.

HP-UX `make' updates targets which have the same time stamps as
their prerequisites, which makes it generally unusable when shipped
generated files such as `configure' are involved. Use GNU `make'
instead.

On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot
parse its `<wchar.h>' header file. The option `-nodtk' can be used as
a workaround. If GNU CC is not installed, it is therefore recommended
to try

./configure CC="cc"

and if that doesn't work, try

./configure CC="cc -nodtk"

On Solaris, don't put `/usr/ucb' early in your `PATH'. This
directory contains several dysfunctional programs; working variants of
these programs are available in `/usr/bin'. So, if you need `/usr/ucb'
in your `PATH', put it _after_ `/usr/bin'.

On Haiku, software installed for all users goes in `/boot/common',
not `/usr/local'. It is recommended to use the following options:

./configure --prefix=/boot/common

Specifying the System Type
==========================

There may be some features `configure' cannot figure out
automatically, but needs to determine by the type of machine the package
will run on. Usually, assuming the package is built to be run on the
_same_ architectures, `configure' can figure that out, but if it prints
a message saying it cannot guess the machine type, give it the
`--build=TYPE' option. TYPE can either be a short name for the system
type, such as `sun4', or a canonical name which has the form:

CPU-COMPANY-SYSTEM

where SYSTEM can have one of these forms:

OS
KERNEL-OS

See the file `config.sub' for the possible values of each field. If
`config.sub' isn't included in this package, then this package doesn't
need to know the machine type.

If you are _building_ compiler tools for cross-compiling, you should
use the option `--target=TYPE' to select the type of system they will
produce code for.

If you want to _use_ a cross compiler, that generates code for a
platform different from the build platform, you should specify the
"host" platform (i.e., that on which the generated programs will
eventually be run) with `--host=TYPE'.

Sharing Defaults
================

If you want to set default values for `configure' scripts to share,
you can create a site shell script called `config.site' that gives
default values for variables like `CC', `cache_file', and `prefix'.
`configure' looks for `PREFIX/share/config.site' if it exists, then
`PREFIX/etc/config.site' if it exists. Or, you can set the
`CONFIG_SITE' environment variable to the location of the site script.
A warning: not all `configure' scripts look for a site script.

Defining Variables
==================

Variables not defined in a site shell script can be set in the
environment passed to `configure'. However, some packages may run
configure again during the build, and the customized values of these
variables may be lost. In order to avoid this problem, you should set
them in the `configure' command line, using `VAR=value'. For example:

./configure CC=/usr/local2/bin/gcc

causes the specified `gcc' to be used as the C compiler (unless it is
overridden in the site shell script).

Unfortunately, this technique does not work for `CONFIG_SHELL' due to
an Autoconf limitation. Until the limitation is lifted, you can use
this workaround:

CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash

`configure' Invocation
======================

`configure' recognizes the following options to control how it
operates.

`--help'
`-h'
Print a summary of all of the options to `configure', and exit.

`--help=short'
`--help=recursive'
Print a summary of the options unique to this package's
`configure', and exit. The `short' variant lists options used
only in the top level, while the `recursive' variant lists options
also present in any nested packages.

`--version'
`-V'
Print the version of Autoconf used to generate the `configure'
script, and exit.

`--cache-file=FILE'
Enable the cache: use and save the results of the tests in FILE,
traditionally `config.cache'. FILE defaults to `/dev/null' to
disable caching.

`--config-cache'
`-C'
Alias for `--cache-file=config.cache'.

`--quiet'
`--silent'
`-q'
Do not print messages saying which checks are being made. To
suppress all normal output, redirect it to `/dev/null' (any error
messages will still be shown).

`--srcdir=DIR'
Look for the package's source code in directory DIR. Usually
`configure' can determine that directory automatically.

`--prefix=DIR'
Use DIR as the installation prefix. *note Installation Names::
for more details, including other options available for fine-tuning
the installation locations.

`--no-create'
`-n'
Run the configure checks, but stop before creating any output
files.

`configure' also accepts some other, not widely useful, options. Run
`configure --help' for more details.
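Review bot: the stunnel-specific guidance this hunk removes (the --with-ssl=DIR, --with-random=FILE and --with-egd-socket=FILE configure options, the note that the SSL library must be built with -DTHREADS for POSIX threads, creating stunnel.conf, and the stunnel.init / inetd startup steps) is not carried anywhere else in this patch, while the generic GNU text that replaces it sends readers to the README for package-specific options; either keep a short stunnel section at the top of INSTALL or confirm that README and stunnel.html now cover those points. The generic step 3 also tells users that `make check' runs the self-tests, but this package's own smoke test lives under a separate `test' target in Makefile.am (it runs `stunnel -version' and prints "No tests are currently implemented"), so `make check' exercises nothing here; consider hooking `test' into `check-local' or noting the difference.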

12
INSTALL.FIPS
@ -2,10 +2,12 @@ stunnel FIPS install notes


Unix HOWTO:
FIPS mode is autodetected if possible. You can force it with:
./configure --enable-fips
or disable with:
./configure --disable-fips
* Only dynamic linking of the FIPS-enabled OpenSSL is currently supported,
i.e. FIPS-enabled OpenSSL has to be configured with "shared" parameter.
* FIPS mode is autodetected if possible. It can be forced with:
./configure --enable-fips
or disable with:
./configure --disable-fips

WIN32 HOWTO:
* On 32-bit Windows install one of the following compilers:
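Review bot: grammar in the rewritten bullet: "It can be forced with: ... or disable with:" should read "or disabled with:" to agree with "forced". The new first bullet states a hard requirement (FIPS-enabled OpenSSL built with the "shared" parameter); it would help operators to also say how a static-only OpenSSL shows up at ./configure time, i.e. whether autodetection falls back to a non-FIPS build quietly or stops with an error, since a quiet fallback is exactly what someone relying on FIPS mode needs to notice.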
@ -15,7 +17,7 @@ WIN32 HOWTO:
- MSVC 8.0 (VS 2005) Standard or Professional Edition
- MSVC 9.0 (VS 2008) Standard or Professional Edition
* Build FIPS-compliant OpenSSL DLLS according to:
http://www.openssl.org/docs/fips/UserGuide-1.2.pdf
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
* Build stunnel normally with MSVC or Mingw.
Mingw build requires DLL stubs. Stubs can be built with:
dlltool --def ms/libeay32.def --output-lib libcrypto.a
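Review bot: the URL change from http to https and from UserGuide-1.2.pdf to UserGuide-2.0.pdf is the right one (the ChangeLog in this patch records the FIPS canister at 2.0.x), and fetching the guide over TLS matters because it drives how the FIPS module itself is built. Spelling in the surrounding context: "DLLS" should be "DLLs", and "Mingw" should be written "MinGW" as INSTALL.W32 does.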

79
INSTALL.W32
@ -1,51 +1,66 @@
stunnel Windows install notes


Building stunnel from source (optional):
Cross-compiling stunnel from source with MinGW (optional):

1) Install mingw32 cross-compiler o a Unix/Linux machine.
In Debian all you need is:
apt-get install gcc-mingw32
Native compilation on a Windows machine is possible, but not supported.
1) Install the mingw32 cross-compiler on a Unix/Linux machine.
On Debian (and derivatives, including Ubuntu):
sudo apt-get install gcc-mingw-w64-i686
On Arch Linux:
sudo pacman -S mingw-w64-gcc

2) Download the recent zlib from http://www.zlib.net/
Update the following definitions in win32/Makefile.gcc file:
SHARED_MODE=1
PREFIX = i586-mingw32msvc-
then build zlib with:
make -f win32/Makefile.gcc
and install it in mingw32 tree:
sudo BINARY_PATH=~/ \
INCLUDE_PATH=/usr/i586-mingw32msvc/include/ \
LIBRARY_PATH=/usr/i586-mingw32msvc/lib/ \
make -f win32/Makefile.gcc install

3) Download the recent OpenSSL in unpack it to /usr/src/ directory.
cd /usr/src
2) Download the recent OpenSSL and unpack it:
tar zvxf ~/openssl-(version).tar.gz
mv openssl-(version) openssl-(version)-i586
mv openssl-(version) openssl-(version)-i686
cd openssl-(version)-i686/

4) Build OpenSSL.
./Configure --cross-compile-prefix=i586-mingw32msvc- mingw shared zlib-dynamic
3) Build OpenSSL.
For 32-bit Windows:
./Configure \
--cross-compile-prefix=i686-w64-mingw32- \
--openssldir=/opt/openssl-mingw mingw shared
make
sudo make install
sudo cp ms/applink.c /opt/openssl-mingw/include/openssl/
For 64-bit Windows:
./Configure \
--cross-compile-prefix=x86_64-w64-mingw32- \
--openssldir=/opt/openssl-mingw64 mingw64 shared
make
sudo make install
sudo cp ms/applink.c /opt/openssl-mingw64/include/openssl/

5) Download and unpack stunnel-(version).tar.gz.
4) Download and unpack stunnel-(version).tar.gz.

6) Configure stunnel.
5) Configure stunnel:
cd stunnel-(version)
./configure --with-ssl=/path/to/openssl-(version)
./configure

7) Build windows executable.
6) Build Windows 32-bit and/or 64-bit executables:
cd src
make stunnel.exe
make mingw
make mingw64


Building stunnel from source with MinGW (optional):

Building on a Windows machine is possible, but not currently supported.


Building stunnel from source with Visual Studio (optional):

TODO


Installing stunnel:

1) run installer to install precompiled binaries or copy stunnel.exe and
OpenSSL DLLs into a directory
1) Run installer to install the precompiled binaries, or
copy the stunnel.exe or tstunnel.exe executable located in the
/stunnel-(version)/bin/mingw/ directory into the destination
directory on a Windows machine, and
copy OpenSSL DLLs: libeay32.dll, libssp-0.dll and ssleay32.dll
into the same directory, if necessary.

2) read the manual (stunnel.html)

3) create/edit stunnel.conf configuration file
2) Read the manual (stunnel.html).

3) Create/edit the stunnel.conf configuration file.
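Review bot: in the rewritten install step 1, libssp-0.dll is listed among the "OpenSSL DLLs", but it is the GCC stack-smashing-protector runtime that ships with MinGW, not part of OpenSSL; write it as "the OpenSSL DLLs (libeay32.dll, ssleay32.dll) and the MinGW runtime libssp-0.dll" so users taking DLLs from an OpenSSL build do not look for it there. Step 2 ("Download the recent OpenSSL and unpack it") has no integrity check; because the resulting DLLs are redistributed next to stunnel.exe, add a step to verify the tarball's detached signature or published checksum before building. The install step also names only the /stunnel-(version)/bin/mingw/ directory, while step 6 now builds a 64-bit executable with `make mingw64`; name the corresponding 64-bit output directory as well. Minor wording: "the recent OpenSSL" reads better as "the latest OpenSSL".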

43
Makefile.am
@ -1,4 +1,5 @@
## Process this file with automake to produce Makefile.in
# by Michal Trojnara 2015-2017

ACLOCAL_AMFLAGS = -I m4

@ -10,7 +11,7 @@ libtool: $(LIBTOOL_DEPS)

EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS
EXTRA_DIST += INSTALL.W32 INSTALL.WCE INSTALL.FIPS
EXTRA_DIST += build-android.sh
EXTRA_DIST += build-android.sh .travis.yml

docdir = $(datadir)/doc/stunnel
doc_DATA = INSTALL README TODO COPYING AUTHORS ChangeLog
@ -21,19 +22,39 @@ distcleancheck_listfiles = find -type f -exec sh -c 'test -f $(srcdir)/{} || ech

distclean-local:
rm -rf autom4te.cache
rm -f $(distdir)-installer.exe
# rm -f $(distdir)-win32-installer.exe

#dist-hook:
# makensis -NOCD -DVERSION=${VERSION} -DSRCDIR=$(srcdir) \
# -DOPENSSL=/usr/src/openssl-0.9.8u-fips/out32dll \
# -DZLIB=/usr/src/zlib-1.2.6-i586 \
# makensis -NOCD -DVERSION=${VERSION} \
# -DSTUNNEL_DIR=$(srcdir) \
# -DROOT_DIR=/usr/src \
# $(srcdir)/tools/stunnel.nsi

# cp -f $(distdir)-installer.exe ../dist
# gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir)-installer.exe

sign: dist
cp -f $(distdir).tar.gz ../dist
gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir).tar.gz
sha256sum $(distdir).tar.gz | tee ../dist/$(distdir).tar.gz.sha256
cp -f $(distdir).tar.gz $(distdir)-win32-installer.exe $(distdir)-android.zip ../dist
gpg-agent --daemon /bin/sh -c "cd ../dist; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir).tar.gz; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-win32-installer.exe; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-android.zip"
sha256sum $(distdir).tar.gz >../dist/$(distdir).tar.gz.sha256
sha256sum $(distdir)-win32-installer.exe >../dist/$(distdir)-win32-installer.exe.sha256
sha256sum $(distdir)-android.zip >../dist/$(distdir)-android.zip.sha256
cat ../dist/$(distdir)*.sha256 | tac

cert:
$(MAKE) -C tools cert

test:
$(abs_builddir)/src/stunnel -version
@echo "No tests are currently implemented"

install-data-hook:
@echo "*********************************************************"
@echo "* Type 'make cert' to also install a sample certificate *"
@echo "*********************************************************"

edit = sed \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g'

stunnel.pod: Makefile
$(edit) '$(srcdir)/$@.in' >$@

stunnel.pod: $(srcdir)/stunnel.pod
|
||||
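Review bot: the new `sign` recipe joins its three `gpg --detach-sign` calls with `;` inside the `gpg-agent --daemon /bin/sh -c "..."` string, so a failed signature of the win32 installer or the android zip does not fail `make sign` and an unsigned artefact can still end up in `../dist`; chain the calls with `&&` (or sign each file on its own recipe line) so make stops at the first failure. `--force-v3-sigs` is also obsolete: GnuPG 2.1 and later ignore it, and older versions use it to emit legacy OpenPGP v3 signature packets instead of the current v4 format, so it should be dropped. The new `sign`, `cert` and `test` targets are not declared `.PHONY` (the regenerated Makefile.in's `.PHONY` list does not include them), so a stray file named `test` or `cert` in the build directory silently satisfies the target; and since `test` only runs `stunnel -version` and echoes that no tests are implemented, `make test` is a start-up smoke test, not a regression test. Finally, `stunnel.pod: $(srcdir)/stunnel.pod` looks circular for an in-tree build (where `$(srcdir)` is `.`) and sits right after a second `stunnel.pod: Makefile` rule; a comment on its purpose would help.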
465
Makefile.in
@ -1,9 +1,8 @@
# Makefile.in generated by automake 1.11.1 from Makefile.am.
# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@

# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
# Inc.
# Copyright (C) 1994-2013 Free Software Foundation, Inc.

# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
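Review bot: the first line now records that this Makefile.in was generated by automake 1.14.1 (previously 1.11.1), so the remaining hunks in this file are regeneration churn rather than hand edits; review them by regenerating from Makefile.am with the same automake version and diffing the result, and keep any fix in Makefile.am, since a hand edit here is lost on the next regeneration.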
@ -15,7 +14,54 @@

@SET_MAKE@

# by Michal Trojnara 2015-2017

VPATH = @srcdir@
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@ -35,11 +81,14 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = .
DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \
$(srcdir)/Makefile.in $(top_srcdir)/configure AUTHORS COPYING \
ChangeLog INSTALL NEWS TODO auto/compile auto/config.guess \
auto/config.sub auto/depcomp auto/install-sh auto/ltmain.sh \
auto/missing
DIST_COMMON = INSTALL NEWS README AUTHORS ChangeLog \
$(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(top_srcdir)/configure $(am__configure_deps) COPYING TODO \
auto/compile auto/config.guess auto/config.sub auto/depcomp \
auto/install-sh auto/missing auto/ltmain.sh \
$(top_srcdir)/auto/compile $(top_srcdir)/auto/config.guess \
$(top_srcdir)/auto/config.sub $(top_srcdir)/auto/install-sh \
$(top_srcdir)/auto/ltmain.sh $(top_srcdir)/auto/missing
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
@ -53,15 +102,33 @@ mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/src/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
SOURCES =
DIST_SOURCES =
RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
html-recursive info-recursive install-data-recursive \
install-dvi-recursive install-exec-recursive \
install-html-recursive install-info-recursive \
install-pdf-recursive install-ps-recursive install-recursive \
installcheck-recursive installdirs-recursive pdf-recursive \
ps-recursive uninstall-recursive
RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
ctags-recursive dvi-recursive html-recursive info-recursive \
install-data-recursive install-dvi-recursive \
install-exec-recursive install-html-recursive \
install-info-recursive install-pdf-recursive \
install-ps-recursive install-recursive installcheck-recursive \
installdirs-recursive pdf-recursive ps-recursive \
tags-recursive uninstall-recursive
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@ -83,23 +150,53 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
am__installdirs = "$(DESTDIR)$(docdir)"
DATA = $(doc_DATA)
RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
distclean-recursive maintainer-clean-recursive
AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
$(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \
distdir dist dist-all distcheck
am__recursive_targets = \
$(RECURSIVE_TARGETS) \
$(RECURSIVE_CLEAN_TARGETS) \
$(am__extra_recursive_targets)
AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
cscope distdir dist dist-all distcheck
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates. Input order is
# *not* preserved.
am__uniquify_input = $(AWK) '\
BEGIN { nonempty = 0; } \
{ items[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in items) print i; }; } \
'
# Make sure the list of sources is unique. This is necessary because,
# e.g., the same source file might be shared among _SOURCES variables
# for different programs/libraries.
am__define_uniq_tagged_files = \
list='$(am__tagged_files)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
CSCOPE = cscope
DIST_SUBDIRS = $(SUBDIRS)
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
distdir = $(PACKAGE)-$(VERSION)
top_distdir = $(distdir)
am__remove_distdir = \
{ test ! -d "$(distdir)" \
|| { find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
&& rm -fr "$(distdir)"; }; }
if test -d "$(distdir)"; then \
find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
&& rm -rf "$(distdir)" \
|| { sleep 5 && rm -rf "$(distdir)"; }; \
else :; fi
am__post_remove_distdir = $(am__remove_distdir)
am__relativize = \
dir0=`pwd`; \
sed_first='s,^\([^/]*\)/.*$$,\1,'; \
@ -127,9 +224,13 @@ am__relativize = \
reldir="$$dir2"
DIST_ARCHIVES = $(distdir).tar.gz
GZIP_ENV = --best
DIST_TARGETS = dist-gzip
distuninstallcheck_listfiles = find . -type f -print
am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \
| sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$'
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
@ -144,6 +245,7 @@ CYGPATH_W = @CYGPATH_W@
DEFAULT_GROUP = @DEFAULT_GROUP@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@ -168,6 +270,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
@ -183,6 +286,9 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PTHREAD_CC = @PTHREAD_CC@
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
PTHREAD_LIBS = @PTHREAD_LIBS@
RANDOM_FILE = @RANDOM_FILE@
RANLIB = @RANLIB@
SED = @SED@
@ -195,6 +301,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@ -202,6 +309,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
ax_pthread_config = @ax_pthread_config@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@ -227,7 +335,6 @@ libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
lt_ECHO = @lt_ECHO@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
@ -235,12 +342,10 @@ pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
stunnel_CFLAGS = @stunnel_CFLAGS@
stunnel_LDFLAGF = @stunnel_LDFLAGF@
stunnel_LDFLAGS = @stunnel_LDFLAGS@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
@ -249,14 +354,18 @@ top_srcdir = @top_srcdir@
ACLOCAL_AMFLAGS = -I m4
SUBDIRS = src doc tools
EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE \
INSTALL.FIPS build-android.sh
INSTALL.FIPS build-android.sh .travis.yml
doc_DATA = INSTALL README TODO COPYING AUTHORS ChangeLog PORTS BUGS \
COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE INSTALL.FIPS
distcleancheck_listfiles = find -type f -exec sh -c 'test -f $(srcdir)/{} || echo {}' ';'
edit = sed \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g'

all: all-recursive

.SUFFIXES:
am--refresh:
am--refresh: Makefile
@:
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
@ -301,8 +410,11 @@ distclean-libtool:
-rm -f libtool config.lt
install-docDATA: $(doc_DATA)
@$(NORMAL_INSTALL)
test -z "$(docdir)" || $(MKDIR_P) "$(DESTDIR)$(docdir)"
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
@ -316,27 +428,28 @@ uninstall-docDATA:
@$(NORMAL_UNINSTALL)
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
test -n "$$files" || exit 0; \
echo " ( cd '$(DESTDIR)$(docdir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(docdir)" && rm -f $$files
dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir)

# This directory's subdirectories are mostly independent; you can cd
# into them and run `make' without going through this Makefile.
# To change the values of `make' variables: instead of editing Makefiles,
# (1) if the variable is set in `config.status', edit `config.status'
# (which will cause the Makefiles to be regenerated when you run `make');
# (2) otherwise, pass the desired values on the `make' command line.
$(RECURSIVE_TARGETS):
@fail= failcom='exit 1'; \
for f in x $$MAKEFLAGS; do \
case $$f in \
*=* | --[!k]*);; \
*k*) failcom='fail=yes';; \
esac; \
done; \
# into them and run 'make' without going through this Makefile.
# To change the values of 'make' variables: instead of editing Makefiles,
# (1) if the variable is set in 'config.status', edit 'config.status'
# (which will cause the Makefiles to be regenerated when you run 'make');
# (2) otherwise, pass the desired values on the 'make' command line.
$(am__recursive_targets):
@fail=; \
if $(am__make_keepgoing); then \
failcom='fail=yes'; \
else \
failcom='exit 1'; \
fi; \
dot_seen=no; \
target=`echo $@ | sed s/-recursive//`; \
list='$(SUBDIRS)'; for subdir in $$list; do \
case "$@" in \
distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
*) list='$(SUBDIRS)' ;; \
esac; \
for subdir in $$list; do \
echo "Making $$target in $$subdir"; \
if test "$$subdir" = "."; then \
dot_seen=yes; \
@ -351,57 +464,12 @@ $(RECURSIVE_TARGETS):
$(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
fi; test -z "$$fail"

$(RECURSIVE_CLEAN_TARGETS):
@fail= failcom='exit 1'; \
for f in x $$MAKEFLAGS; do \
case $$f in \
*=* | --[!k]*);; \
*k*) failcom='fail=yes';; \
esac; \
done; \
dot_seen=no; \
case "$@" in \
distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
*) list='$(SUBDIRS)' ;; \
esac; \
rev=''; for subdir in $$list; do \
if test "$$subdir" = "."; then :; else \
rev="$$subdir $$rev"; \
fi; \
done; \
rev="$$rev ."; \
target=`echo $@ | sed s/-recursive//`; \
for subdir in $$rev; do \
echo "Making $$target in $$subdir"; \
if test "$$subdir" = "."; then \
local_target="$$target-am"; \
else \
local_target="$$target"; \
fi; \
($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
|| eval $$failcom; \
done && test -z "$$fail"
tags-recursive:
list='$(SUBDIRS)'; for subdir in $$list; do \
test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
done
ctags-recursive:
list='$(SUBDIRS)'; for subdir in $$list; do \
test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
done
ID: $(am__tagged_files)
$(am__define_uniq_tagged_files); mkid -fID $$unique
tags: tags-recursive
TAGS: tags

ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS

TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
set x; \
here=`pwd`; \
if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
@ -417,12 +485,7 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
fi; \
done; \
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
$(am__define_uniq_tagged_files); \
shift; \
if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
@ -434,15 +497,11 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$$unique; \
fi; \
fi
ctags: CTAGS
CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
ctags: ctags-recursive

CTAGS: ctags
ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
$(am__define_uniq_tagged_files); \
test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
$$unique
@ -451,9 +510,31 @@ GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
&& $(am__cd) $(top_srcdir) \
&& gtags -i $(GTAGS_ARGS) "$$here"
cscope: cscope.files
test ! -s cscope.files \
|| $(CSCOPE) -b -q $(AM_CSCOPEFLAGS) $(CSCOPEFLAGS) -i cscope.files $(CSCOPE_ARGS)
clean-cscope:
-rm -f cscope.files
cscope.files: clean-cscope cscopelist
cscopelist: cscopelist-recursive

cscopelist-am: $(am__tagged_files)
list='$(am__tagged_files)'; \
case "$(srcdir)" in \
[\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
*) sdir=$(subdir)/$(srcdir) ;; \
esac; \
for i in $$list; do \
if test -f "$$i"; then \
echo "$(subdir)/$$i"; \
else \
echo "$$sdir/$$i"; \
fi; \
done >> $(top_builddir)/cscope.files

distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-rm -f cscope.out cscope.in.out cscope.po.out cscope.files

distdir: $(DISTFILES)
$(am__remove_distdir)
@ -489,13 +570,10 @@ distdir: $(DISTFILES)
done
@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
if test "$$subdir" = .; then :; else \
test -d "$(distdir)/$$subdir" \
|| $(MKDIR_P) "$(distdir)/$$subdir" \
|| exit 1; \
fi; \
done
@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
if test "$$subdir" = .; then :; else \
$(am__make_dryrun) \
|| test -d "$(distdir)/$$subdir" \
|| $(MKDIR_P) "$(distdir)/$$subdir" \
|| exit 1; \
dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
$(am__relativize); \
new_distdir=$$reldir; \
@ -524,36 +602,42 @@ distdir: $(DISTFILES)
|| chmod -R a+r "$(distdir)"
dist-gzip: distdir
tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
$(am__remove_distdir)
$(am__post_remove_distdir)

dist-bzip2: distdir
tardir=$(distdir) && $(am__tar) | bzip2 -9 -c >$(distdir).tar.bz2
$(am__remove_distdir)
tardir=$(distdir) && $(am__tar) | BZIP2=$${BZIP2--9} bzip2 -c >$(distdir).tar.bz2
$(am__post_remove_distdir)

dist-lzma: distdir
tardir=$(distdir) && $(am__tar) | lzma -9 -c >$(distdir).tar.lzma
$(am__remove_distdir)
dist-lzip: distdir
tardir=$(distdir) && $(am__tar) | lzip -c $${LZIP_OPT--9} >$(distdir).tar.lz
$(am__post_remove_distdir)

dist-xz: distdir
tardir=$(distdir) && $(am__tar) | xz -c >$(distdir).tar.xz
$(am__remove_distdir)
tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz
$(am__post_remove_distdir)

dist-tarZ: distdir
@echo WARNING: "Support for shar distribution archives is" \
"deprecated." >&2
@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z
$(am__remove_distdir)
$(am__post_remove_distdir)

dist-shar: distdir
@echo WARNING: "Support for distribution archives compressed with" \
"legacy program 'compress' is deprecated." >&2
@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz
$(am__remove_distdir)
$(am__post_remove_distdir)

dist-zip: distdir
-rm -f $(distdir).zip
zip -rq $(distdir).zip $(distdir)
$(am__remove_distdir)
$(am__post_remove_distdir)

dist dist-all: distdir
tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
$(am__remove_distdir)
dist dist-all:
$(MAKE) $(AM_MAKEFLAGS) $(DIST_TARGETS) am__post_remove_distdir='@:'
$(am__post_remove_distdir)

# This target untars the dist file and tries a VPATH configuration. Then
# it guarantees that the distribution is self-contained by making another
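Review bot: the deprecation messages in the regenerated `dist-tarZ` and `dist-shar` recipes look swapped: `dist-tarZ` warns that "Support for shar distribution archives is deprecated" while `dist-shar` warns about "legacy program 'compress'". It is harmless, since each message only goes to stderr before the real archive command runs, and as the file is automake 1.14.1 output the correction belongs in automake rather than in a hand edit of Makefile.in. The replacement of `$(am__remove_distdir)` by `$(am__post_remove_distdir)` in every dist-* recipe, with `dist dist-all` overriding it to `@:`, is the expected automake 1.14 shape and needs no change here.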
@ -564,8 +648,8 @@ distcheck: dist
GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\
*.tar.bz2*) \
bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\
*.tar.lzma*) \
lzma -dc $(distdir).tar.lzma | $(am__untar) ;;\
*.tar.lz*) \
lzip -dc $(distdir).tar.lz | $(am__untar) ;;\
*.tar.xz*) \
xz -dc $(distdir).tar.xz | $(am__untar) ;;\
*.tar.Z*) \
@ -575,17 +659,19 @@ distcheck: dist
*.zip*) \
unzip $(distdir).zip ;;\
esac
chmod -R a-w $(distdir); chmod u+w $(distdir)
mkdir $(distdir)/_build
mkdir $(distdir)/_inst
chmod -R a-w $(distdir)
chmod u+w $(distdir)
mkdir $(distdir)/_build $(distdir)/_inst
chmod a-w $(distdir)
test -d $(distdir)/_build || exit 0; \
dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \
&& dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
&& am__cwd=`pwd` \
&& $(am__cd) $(distdir)/_build \
&& ../configure --srcdir=.. --prefix="$$dc_install_base" \
&& ../configure \
$(AM_DISTCHECK_CONFIGURE_FLAGS) \
$(DISTCHECK_CONFIGURE_FLAGS) \
--srcdir=.. --prefix="$$dc_install_base" \
&& $(MAKE) $(AM_MAKEFLAGS) \
&& $(MAKE) $(AM_MAKEFLAGS) dvi \
&& $(MAKE) $(AM_MAKEFLAGS) check \
@ -608,13 +694,21 @@ distcheck: dist
&& $(MAKE) $(AM_MAKEFLAGS) distcleancheck \
&& cd "$$am__cwd" \
|| exit 1
$(am__remove_distdir)
$(am__post_remove_distdir)
@(echo "$(distdir) archives ready for distribution: "; \
list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \
sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x'
distuninstallcheck:
@$(am__cd) '$(distuninstallcheck_dir)' \
&& test `$(distuninstallcheck_listfiles) | wc -l` -le 1 \
@test -n '$(distuninstallcheck_dir)' || { \
echo 'ERROR: trying to run $@ with an empty' \
'$$(distuninstallcheck_dir)' >&2; \
exit 1; \
}; \
$(am__cd) '$(distuninstallcheck_dir)' || { \
echo 'ERROR: cannot chdir into $(distuninstallcheck_dir)' >&2; \
exit 1; \
}; \
test `$(am__distuninstallcheck_listfiles) | wc -l` -eq 0 \
|| { echo "ERROR: files left after uninstall:" ; \
if test -n "$(DESTDIR)"; then \
echo " (check DESTDIR support)"; \
@ -648,10 +742,15 @@ install-am: all-am

installcheck: installcheck-recursive
install-strip:
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
`test -z '$(STRIP)' || \
echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:

clean-generic:
@ -686,7 +785,8 @@ info: info-recursive
info-am:

install-data-am: install-docDATA

@$(NORMAL_INSTALL)
$(MAKE) $(AM_MAKEFLAGS) install-data-hook
install-dvi: install-dvi-recursive

install-dvi-am:
@ -733,46 +833,63 @@ ps-am:

uninstall-am: uninstall-docDATA

.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \
install-am install-strip tags-recursive
.MAKE: $(am__recursive_targets) install-am install-data-am \
install-strip

.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
all all-am am--refresh check check-am clean clean-generic \
clean-libtool ctags ctags-recursive dist dist-all dist-bzip2 \
dist-gzip dist-lzma dist-shar dist-tarZ dist-xz dist-zip \
distcheck distclean distclean-generic distclean-libtool \
distclean-local distclean-tags distcleancheck distdir \
distuninstallcheck dvi dvi-am html html-am info info-am \
install install-am install-data install-data-am \
install-docDATA install-dvi install-dvi-am install-exec \
install-exec-am install-html install-html-am install-info \
install-info-am install-man install-pdf install-pdf-am \
install-ps install-ps-am install-strip installcheck \
installcheck-am installdirs installdirs-am maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-generic \
mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \
uninstall uninstall-am uninstall-docDATA
.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \
am--refresh check check-am clean clean-cscope clean-generic \
clean-libtool cscope cscopelist-am ctags ctags-am dist \
dist-all dist-bzip2 dist-gzip dist-lzip dist-shar dist-tarZ \
dist-xz dist-zip distcheck distclean distclean-generic \
distclean-libtool distclean-local distclean-tags \
distcleancheck distdir distuninstallcheck dvi dvi-am html \
html-am info info-am install install-am install-data \
install-data-am install-data-hook install-docDATA install-dvi \
install-dvi-am install-exec install-exec-am install-html \
install-html-am install-info install-info-am install-man \
install-pdf install-pdf-am install-ps install-ps-am \
install-strip installcheck installcheck-am installdirs \
installdirs-am maintainer-clean maintainer-clean-generic \
mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
ps ps-am tags tags-am uninstall uninstall-am uninstall-docDATA

libtool: $(LIBTOOL_DEPS)
$(SHELL) ./config.status libtool

distclean-local:
rm -rf autom4te.cache
rm -f $(distdir)-installer.exe
# rm -f $(distdir)-win32-installer.exe

#dist-hook:
# makensis -NOCD -DVERSION=${VERSION} -DSRCDIR=$(srcdir) \
# -DOPENSSL=/usr/src/openssl-0.9.8u-fips/out32dll \
# -DZLIB=/usr/src/zlib-1.2.6-i586 \
# makensis -NOCD -DVERSION=${VERSION} \
# -DSTUNNEL_DIR=$(srcdir) \
# -DROOT_DIR=/usr/src \
# $(srcdir)/tools/stunnel.nsi

# cp -f $(distdir)-installer.exe ../dist
# gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir)-installer.exe

sign: dist
cp -f $(distdir).tar.gz ../dist
gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir).tar.gz
sha256sum $(distdir).tar.gz | tee ../dist/$(distdir).tar.gz.sha256
cp -f $(distdir).tar.gz $(distdir)-win32-installer.exe $(distdir)-android.zip ../dist
gpg-agent --daemon /bin/sh -c "cd ../dist; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir).tar.gz; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-win32-installer.exe; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-android.zip"
sha256sum $(distdir).tar.gz >../dist/$(distdir).tar.gz.sha256
sha256sum $(distdir)-win32-installer.exe >../dist/$(distdir)-win32-installer.exe.sha256
sha256sum $(distdir)-android.zip >../dist/$(distdir)-android.zip.sha256
cat ../dist/$(distdir)*.sha256 | tac

cert:
$(MAKE) -C tools cert

test:
$(abs_builddir)/src/stunnel -version
@echo "No tests are currently implemented"

install-data-hook:
@echo "*********************************************************"
@echo "* Type 'make cert' to also install a sample certificate *"
@echo "*********************************************************"

stunnel.pod: Makefile
$(edit) '$(srcdir)/$@.in' >$@

stunnel.pod: $(srcdir)/stunnel.pod

# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
13
PORTS
@ -1,22 +1,17 @@
stunnel known port maintainers


* AmigaOS
- Diego Casorran <dcr8520@amiga.org>
* Cygwin
- Andrew Schulman <andrex@alumni.utexas.net>
* Debian GNU/Linux
- Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com>
- Peter Pentchev <roam@ringlet.net>
* FreeBSD
- Ryan Steinmetz <zi@FreeBSD.org>
* NetBSD
- Martti Kuparinen <martti.kuparinen@iki.fi>
* OpenBSD
- Jakob Schlyter <jakob@openbsd.org>
* OpenSolaris
- Mark Fenwick <Mark.Fenwick@sun.com>
* OS/2
- Paul Smedley <paul@smedley.info>
- Gleydson Soares <gsoares@openbsd.org>
* OpenCSW Solaris
- Dagobert Michelsen <dam@opencsw.org>
* RedHat Linux
- Damien Miller <dmiller@ilogic.com.au>

|
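Review bot: Gleydson Soares <gsoares@openbsd.org> is listed under `* OS/2`, but the address suggests the entry belongs under `* OpenBSD` next to Jakob Schlyter; confirm the intended section. The list is otherwise unsorted (OpenSolaris, OS/2, OpenCSW Solaris, RedHat Linux), and the vendor spells "RedHat Linux" as "Red Hat".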
55
TODO
@ -3,41 +3,48 @@ stunnel TODO
|
||||
|
||||
High priority features. They will likely be supported some day.
|
||||
A sponsor could allocate my time to get them faster.
|
||||
* Perform protocol negotiations after SSL negotiations if possible.
|
||||
* Command-line server control interface on both Unix and Windows.
|
||||
* Separate GUI process running as current user on Windows.
|
||||
* Add client certificate autoselection based on the list of accepted issuers:
|
||||
SSL_CTX_set_client_cert_cb(), SSL_get_client_CA_list().
|
||||
* Add an Apparmor profile.
|
||||
* Optional line-buffering of the log file.
|
||||
* etc/stunnel/conf.d/* files automatically processed while reading
|
||||
etc/stunnel/stunnel.conf
|
||||
* Android GUI.
|
||||
* Support for CryptoAPI certificates and private keys with OpenSSL CAPI
|
||||
engine (this feature is incompatible with FIPS support).
|
||||
* Indirect CRL support (RFC 3280, section 5).
|
||||
* Log rotation on Windows.
|
||||
* Configuration file option to limit the number of concurrent connections.
|
||||
* SOCKS 4 protocol support.
|
||||
http://archive.socks.permeo.com/protocol/socks4.protocol
|
||||
* Option to redirect instead of rejecting connections on failed authentication.
|
||||
|
||||
Low priority features. They will unlikely ever be supported.
|
||||
* Implement reference counting of the SERVICE_OPTIONS structure
|
||||
- Add 'leastconn' failover strategy to order defined 'connect' targets
|
||||
by the number of active connections.
|
||||
- Add '-status' command line option reporting the number of clients
|
||||
connected to each service.
|
||||
- Deallocate SERVICE_OPTIONS structure when the configuration file
|
||||
is reloaded *and* old connections are closed.
|
||||
* Command-line server control interface on both Unix and Windows.
|
||||
* Separate GUI process running as the current user on Windows.
|
||||
* An Android GUI.
|
||||
* OCSP stapling (tlsext_status).
|
||||
* Extend session tickets and/or sessiond to also serialize application
|
||||
data ("redirect" state and session persistence).
|
||||
* Indirect CRL support (RFC 3280, section 5).
|
||||
* Provide 64-bit Windows builds (besides 32-bit builds).
|
||||
This requires either Microsoft Visual Studio Standard Edition or Microsoft
|
||||
Visual Studio Professional Edition in order to retain FIPS compliance.
|
||||
* Service-level logging configuration (separate verbosity and destination).
|
||||
* Key renegotiation (re-handshake) for long connections.
|
||||
* MSI installer for Windows.
|
||||
* Add user-defined headers to CONNECT proxy requests.
|
||||
This can be used to impersonate other software (e.g. web browsers).
|
||||
|
||||
Low priority features. They will unlikely ever be supported.
|
||||
* Database and/or directory interface for retrieving PSK secrets.
|
||||
* Support static FIPS-enabled build.
|
||||
* Service-level logging destination.
|
||||
* Enforce key renegotiation (re-handshake) for long connections.
|
||||
* Logging to NT EventLog on Windows.
|
||||
* Log rotation on Windows.
|
||||
* Internationalization of logged messages (i18n).
|
||||
* Generic scripting engine instead or static protocol.c.
|
||||
|
||||
Features I won't support, unless convinced otherwise by a wealthy sponsor.
|
||||
* Protocol support *after* SSL is negotiated:
|
||||
- Support for adding X-Forwarded-For to HTTP request headers.
|
||||
This feature is less useful since PROXY protocol support is available.
|
||||
- Support for adding X-Forwarded-For to SMTP email headers.
|
||||
This feature is most likely to be implemented as a separate proxy.
|
||||
* Support for adding X-Forwarded-For to HTTP request headers.
|
||||
This feature is less useful since PROXY protocol support is available.
|
||||
* Support for adding X-Forwarded-For to SMTP email headers.
|
||||
This feature is most likely to be implemented as a separate proxy.
|
||||
* Additional certificate checks (including wildcard comparison) based on:
|
||||
- CN (Common Name);
|
||||
- SAN (Subject Alternative Name);
|
||||
- O (Organization), and
|
||||
- OU (Organizational Unit).
|
||||
* Set processes title that appear on the ps(1) and top(1) commands.
|
||||
|
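Review bot: typos in the new TODO text: "Generic scripting engine instead or static protocol.c" should read "instead of", "Set processes title that appear on the ps(1) and top(1) commands" should be "Set the process title that appears in ps(1) and top(1)", "Apparmor" is spelled "AppArmor", and "They will unlikely ever be supported" reads better as "They are unlikely to ever be supported". The X-Forwarded-For items appear both as sub-items of "Protocol support *after* SSL is negotiated" and as top-level items, and "Low priority features" heads two blocks; check that only one copy of each survives in the new file.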
1451
aclocal.m4
vendored
232
auto/compile
@ -1,10 +1,9 @@
|
||||
#! /bin/sh
|
||||
# Wrapper for compilers which do not understand `-c -o'.
|
||||
# Wrapper for compilers which do not understand '-c -o'.
|
||||
|
||||
scriptversion=2009-10-06.20; # UTC
|
||||
scriptversion=2012-10-14.11; # UTC
|
||||
|
||||
# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2009 Free Software
|
||||
# Foundation, Inc.
|
||||
# Copyright (C) 1999-2013 Free Software Foundation, Inc.
|
||||
# Written by Tom Tromey <tromey@cygnus.com>.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
@ -29,21 +28,224 @@ scriptversion=2009-10-06.20; # UTC
|
||||
# bugs to <bug-automake@gnu.org> or send patches to
|
||||
# <automake-patches@gnu.org>.
|
||||
|
||||
nl='
|
||||
'
|
||||
|
||||
# We need space, tab and new line, in precisely that order. Quoting is
|
||||
# there to prevent tools from complaining about whitespace usage.
|
||||
IFS=" "" $nl"
|
||||
|
||||
file_conv=
|
||||
|
||||
# func_file_conv build_file lazy
|
||||
# Convert a $build file to $host form and store it in $file
|
||||
# Currently only supports Windows hosts. If the determined conversion
|
||||
# type is listed in (the comma separated) LAZY, no conversion will
|
||||
# take place.
|
||||
func_file_conv ()
|
||||
{
|
||||
file=$1
|
||||
case $file in
|
||||
/ | /[!/]*) # absolute file, and not a UNC file
|
||||
if test -z "$file_conv"; then
|
||||
# lazily determine how to convert abs files
|
||||
case `uname -s` in
|
||||
MINGW*)
|
||||
file_conv=mingw
|
||||
;;
|
||||
CYGWIN*)
|
||||
file_conv=cygwin
|
||||
;;
|
||||
*)
|
||||
file_conv=wine
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
case $file_conv/,$2, in
|
||||
*,$file_conv,*)
|
||||
;;
|
||||
mingw/*)
|
||||
file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'`
|
||||
;;
|
||||
cygwin/*)
|
||||
file=`cygpath -m "$file" || echo "$file"`
|
||||
;;
|
||||
wine/*)
|
||||
file=`winepath -w "$file" || echo "$file"`
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
# func_cl_dashL linkdir
|
||||
# Make cl look for libraries in LINKDIR
|
||||
func_cl_dashL ()
|
||||
{
|
||||
func_file_conv "$1"
|
||||
if test -z "$lib_path"; then
|
||||
lib_path=$file
|
||||
else
|
||||
lib_path="$lib_path;$file"
|
||||
fi
|
||||
linker_opts="$linker_opts -LIBPATH:$file"
|
||||
}
|
||||
|
||||
# func_cl_dashl library
|
||||
# Do a library search-path lookup for cl
|
||||
func_cl_dashl ()
|
||||
{
|
||||
lib=$1
|
||||
found=no
|
||||
save_IFS=$IFS
|
||||
IFS=';'
|
||||
for dir in $lib_path $LIB
|
||||
do
|
||||
IFS=$save_IFS
|
||||
if $shared && test -f "$dir/$lib.dll.lib"; then
|
||||
found=yes
|
||||
lib=$dir/$lib.dll.lib
|
||||
break
|
||||
fi
|
||||
if test -f "$dir/$lib.lib"; then
|
||||
found=yes
|
||||
lib=$dir/$lib.lib
|
||||
break
|
||||
fi
|
||||
if test -f "$dir/lib$lib.a"; then
|
||||
found=yes
|
||||
lib=$dir/lib$lib.a
|
||||
break
|
||||
fi
|
||||
done
|
||||
IFS=$save_IFS
|
||||
|
||||
if test "$found" != yes; then
|
||||
lib=$lib.lib
|
||||
fi
|
||||
}
|
||||
|
||||
# func_cl_wrapper cl arg...
|
||||
# Adjust compile command to suit cl
|
||||
func_cl_wrapper ()
|
||||
{
|
||||
# Assume a capable shell
|
||||
lib_path=
|
||||
shared=:
|
||||
linker_opts=
|
||||
for arg
|
||||
do
|
||||
if test -n "$eat"; then
|
||||
eat=
|
||||
else
|
||||
case $1 in
|
||||
-o)
|
||||
# configure might choose to run compile as 'compile cc -o foo foo.c'.
|
||||
eat=1
|
||||
case $2 in
|
||||
*.o | *.[oO][bB][jJ])
|
||||
func_file_conv "$2"
|
||||
set x "$@" -Fo"$file"
|
||||
shift
|
||||
;;
|
||||
*)
|
||||
func_file_conv "$2"
|
||||
set x "$@" -Fe"$file"
|
||||
shift
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
-I)
|
||||
eat=1
|
||||
func_file_conv "$2" mingw
|
||||
set x "$@" -I"$file"
|
||||
shift
|
||||
;;
|
||||
-I*)
|
||||
func_file_conv "${1#-I}" mingw
|
||||
set x "$@" -I"$file"
|
||||
shift
|
||||
;;
|
||||
-l)
|
||||
eat=1
|
||||
func_cl_dashl "$2"
|
||||
set x "$@" "$lib"
|
||||
shift
|
||||
;;
|
||||
-l*)
|
||||
func_cl_dashl "${1#-l}"
|
||||
set x "$@" "$lib"
|
||||
shift
|
||||
;;
|
||||
-L)
|
||||
eat=1
|
||||
func_cl_dashL "$2"
|
||||
;;
|
||||
-L*)
|
||||
func_cl_dashL "${1#-L}"
|
||||
;;
|
||||
-static)
|
||||
shared=false
|
||||
;;
|
||||
-Wl,*)
|
||||
arg=${1#-Wl,}
|
||||
save_ifs="$IFS"; IFS=','
|
||||
for flag in $arg; do
|
||||
IFS="$save_ifs"
|
||||
linker_opts="$linker_opts $flag"
|
||||
done
|
||||
IFS="$save_ifs"
|
||||
;;
|
||||
-Xlinker)
|
||||
eat=1
|
||||
linker_opts="$linker_opts $2"
|
||||
;;
|
||||
-*)
|
||||
set x "$@" "$1"
|
||||
shift
|
||||
;;
|
||||
*.cc | *.CC | *.cxx | *.CXX | *.[cC]++)
|
||||
func_file_conv "$1"
|
||||
set x "$@" -Tp"$file"
|
||||
shift
|
||||
;;
|
||||
*.c | *.cpp | *.CPP | *.lib | *.LIB | *.Lib | *.OBJ | *.obj | *.[oO])
|
||||
func_file_conv "$1" mingw
|
||||
set x "$@" "$file"
|
||||
shift
|
||||
;;
|
||||
*)
|
||||
set x "$@" "$1"
|
||||
shift
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
shift
|
||||
done
|
||||
if test -n "$linker_opts"; then
|
||||
linker_opts="-link$linker_opts"
|
||||
fi
|
||||
exec "$@" $linker_opts
|
||||
exit 1
|
||||
}
|
||||
|
||||
eat=
|
||||
|
||||
case $1 in
|
||||
'')
|
||||
echo "$0: No command. Try \`$0 --help' for more information." 1>&2
|
||||
echo "$0: No command. Try '$0 --help' for more information." 1>&2
|
||||
exit 1;
|
||||
;;
|
||||
-h | --h*)
|
||||
cat <<\EOF
|
||||
Usage: compile [--help] [--version] PROGRAM [ARGS]
|
||||
|
||||
Wrapper for compilers which do not understand `-c -o'.
|
||||
Remove `-o dest.o' from ARGS, run PROGRAM with the remaining
|
||||
Wrapper for compilers which do not understand '-c -o'.
|
||||
Remove '-o dest.o' from ARGS, run PROGRAM with the remaining
|
||||
arguments, and rename the output as expected.
|
||||
|
||||
If you are trying to build a whole package this is not the
|
||||
right script to run: please start by reading the file `INSTALL'.
|
||||
right script to run: please start by reading the file 'INSTALL'.
|
||||
|
||||
Report bugs to <bug-automake@gnu.org>.
|
||||
EOF
|
||||
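Review bot: this is the stock automake `compile` helper (scriptversion 2012-10-14.11), so the useful review is to confirm it is byte-identical to the copy shipped with that automake release rather than locally patched; a hand-edited copy is replaced by the next `autoreconf -f`. The new cl-specific code is only reached through the `cl | *[/\\]cl | cl.exe | *[/\\]cl.exe` case in the following hunk, so POSIX builds are unaffected. One upstream quirk worth knowing: `func_cl_wrapper` ends with `exec "$@" $linker_opts`, where `$linker_opts` is deliberately left unquoted so the accumulated `-LIBPATH:` and `-Wl,` options word-split, which means a `-L` directory containing spaces is broken into separate arguments.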
@ -53,11 +255,13 @@ EOF
|
||||
echo "compile $scriptversion"
|
||||
exit $?
|
||||
;;
|
||||
cl | *[/\\]cl | cl.exe | *[/\\]cl.exe )
|
||||
func_cl_wrapper "$@" # Doesn't return...
|
||||
;;
|
||||
esac
|
||||
|
||||
ofile=
|
||||
cfile=
|
||||
eat=
|
||||
|
||||
for arg
|
||||
do
|
||||
@ -66,8 +270,8 @@ do
|
||||
else
|
||||
case $1 in
|
||||
-o)
|
||||
# configure might choose to run compile as `compile cc -o foo foo.c'.
|
||||
# So we strip `-o arg' only if arg is an object.
|
||||
# configure might choose to run compile as 'compile cc -o foo foo.c'.
|
||||
# So we strip '-o arg' only if arg is an object.
|
||||
eat=1
|
||||
case $2 in
|
||||
*.o | *.obj)
|
||||
@ -94,10 +298,10 @@ do
|
||||
done
|
||||
|
||||
if test -z "$ofile" || test -z "$cfile"; then
|
||||
# If no `-o' option was seen then we might have been invoked from a
|
||||
# If no '-o' option was seen then we might have been invoked from a
|
||||
# pattern rule where we don't need one. That is ok -- this is a
|
||||
# normal compilation that the losing compiler can handle. If no
|
||||
# `.c' file was seen then we are probably linking. That is also
|
||||
# '.c' file was seen then we are probably linking. That is also
|
||||
# ok.
|
||||
exec "$@"
|
||||
fi
|
||||
@ -106,7 +310,7 @@ fi
|
||||
cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'`
|
||||
|
||||
# Create the lock directory.
|
||||
# Note: use `[/\\:.-]' here to ensure that we don't use the same name
|
||||
# Note: use '[/\\:.-]' here to ensure that we don't use the same name
|
||||
# that we are using for the .o file. Also, base the name on the expected
|
||||
# object file name, since that is what matters with a parallel build.
|
||||
lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d
|
||||
|
358
auto/config.guess
vendored
Normal file → Executable file
@ -1,14 +1,12 @@
|
||||
#! /bin/sh
|
||||
# Attempt to guess a canonical system name.
|
||||
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
|
||||
# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
|
||||
# 2011 Free Software Foundation, Inc.
|
||||
# Copyright 1992-2014 Free Software Foundation, Inc.
|
||||
|
||||
timestamp='2011-11-11'
|
||||
timestamp='2014-03-23'
|
||||
|
||||
# This file is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation; either version 2 of the License, or
|
||||
# the Free Software Foundation; either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful, but
|
||||
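Review bot: the licence header of this vendored script moves from "either version 2 of the License, or (at your option) any later version" to "either version 3", i.e. the updated config.guess is GPLv3+. That is upstream's choice and is acceptable in a GPL-licensed build only because of the Autoconf special exception retained in the following hunk, which allows the file to be distributed under the program's own terms; make sure packaging and licence notes rely on that exception rather than assuming the script is still GPLv2+.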
@ -17,26 +15,22 @@ timestamp='2011-11-11'
|
||||
# General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
|
||||
# 02110-1301, USA.
|
||||
# along with this program; if not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
# As a special exception to the GNU General Public License, if you
|
||||
# distribute this file as part of a program that contains a
|
||||
# configuration script generated by Autoconf, you may include it under
|
||||
# the same distribution terms that you use for the rest of that program.
|
||||
|
||||
|
||||
# Originally written by Per Bothner. Please send patches (context
|
||||
# diff format) to <config-patches@gnu.org> and include a ChangeLog
|
||||
# entry.
|
||||
# the same distribution terms that you use for the rest of that
|
||||
# program. This Exception is an additional permission under section 7
|
||||
# of the GNU General Public License, version 3 ("GPLv3").
|
||||
#
|
||||
# This script attempts to guess a canonical system name similar to
|
||||
# config.sub. If it succeeds, it prints the system name on stdout, and
|
||||
# exits with 0. Otherwise, it exits with 1.
|
||||
# Originally written by Per Bothner.
|
||||
#
|
||||
# You can get the latest version of this script from:
|
||||
# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
|
||||
#
|
||||
# Please send patches with a ChangeLog entry to config-patches@gnu.org.
|
||||
|
||||
|
||||
me=`echo "$0" | sed -e 's,.*/,,'`
|
||||
|
||||
@ -56,9 +50,7 @@ version="\
|
||||
GNU config.guess ($timestamp)
|
||||
|
||||
Originally written by Per Bothner.
|
||||
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
|
||||
2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free
|
||||
Software Foundation, Inc.
|
||||
Copyright 1992-2014 Free Software Foundation, Inc.
|
||||
|
||||
This is free software; see the source for copying conditions. There is NO
|
||||
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
|
||||
@ -140,12 +132,33 @@ UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
|
||||
UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown
|
||||
UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
|
||||
|
||||
case "${UNAME_SYSTEM}" in
|
||||
Linux|GNU|GNU/*)
|
||||
# If the system lacks a compiler, then just pick glibc.
|
||||
# We could probably try harder.
|
||||
LIBC=gnu
|
||||
|
||||
eval $set_cc_for_build
|
||||
cat <<-EOF > $dummy.c
|
||||
#include <features.h>
|
||||
#if defined(__UCLIBC__)
|
||||
LIBC=uclibc
|
||||
#elif defined(__dietlibc__)
|
||||
LIBC=dietlibc
|
||||
#else
|
||||
LIBC=gnu
|
||||
#endif
|
||||
EOF
|
||||
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'`
|
||||
;;
|
||||
esac
|
||||
|
||||
# Note: order is significant - the case branches are not exclusive.
|
||||
|
||||
case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
|
||||
*:NetBSD:*:*)
|
||||
# NetBSD (nbsd) targets should (where applicable) match one or
|
||||
# more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
|
||||
# more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*,
|
||||
# *-*-netbsdecoff* and *-*-netbsd*. For targets that recently
|
||||
# switched to ELF, *-*-netbsd* would select the old
|
||||
# object file format. This provides both forward
|
||||
@ -202,6 +215,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
|
||||
# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
|
||||
echo "${machine}-${os}${release}"
|
||||
exit ;;
|
||||
*:Bitrig:*:*)
|
||||
UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'`
|
||||
echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE}
|
||||
exit ;;
|
||||
*:OpenBSD:*:*)
|
||||
UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
|
||||
echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
|
||||
@ -304,7 +321,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
|
||||
arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
|
||||
echo arm-acorn-riscix${UNAME_RELEASE}
|
||||
exit ;;
|
||||
arm:riscos:*:*|arm:RISCOS:*:*)
|
||||
arm*:riscos:*:*|arm*:RISCOS:*:*)
|
||||
echo arm-unknown-riscos
|
||||
exit ;;
|
||||
SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
|
||||
@ -803,10 +820,13 @@ EOF
|
||||
i*:CYGWIN*:*)
|
||||
echo ${UNAME_MACHINE}-pc-cygwin
|
||||
exit ;;
|
||||
*:MINGW64*:*)
|
||||
echo ${UNAME_MACHINE}-pc-mingw64
|
||||
exit ;;
|
||||
*:MINGW*:*)
|
||||
echo ${UNAME_MACHINE}-pc-mingw32
|
||||
exit ;;
|
||||
i*:MSYS*:*)
|
||||
*:MSYS*:*)
|
||||
echo ${UNAME_MACHINE}-pc-msys
|
||||
exit ;;
|
||||
i*:windows32*:*)
|
||||
@ -854,15 +874,22 @@ EOF
|
||||
exit ;;
|
||||
*:GNU:*:*)
|
||||
# the GNU system
|
||||
echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
|
||||
echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
|
||||
exit ;;
|
||||
*:GNU/*:*:*)
|
||||
# other systems with GNU libc and userland
|
||||
echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC}
|
||||
exit ;;
|
||||
i*86:Minix:*:*)
|
||||
echo ${UNAME_MACHINE}-pc-minix
|
||||
exit ;;
|
||||
aarch64:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
aarch64_be:Linux:*:*)
|
||||
UNAME_MACHINE=aarch64_be
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
alpha:Linux:*:*)
|
||||
case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
|
||||
EV5) UNAME_MACHINE=alphaev5 ;;
|
||||
@ -874,59 +901,54 @@ EOF
|
||||
EV68*) UNAME_MACHINE=alphaev68 ;;
|
||||
esac
|
||||
objdump --private-headers /bin/sh | grep -q ld.so.1
|
||||
if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
|
||||
if test "$?" = 0 ; then LIBC="gnulibc1" ; fi
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
arc:Linux:*:* | arceb:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
arm*:Linux:*:*)
|
||||
eval $set_cc_for_build
|
||||
if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \
|
||||
| grep -q __ARM_EABI__
|
||||
then
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
else
|
||||
if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \
|
||||
| grep -q __ARM_PCS_VFP
|
||||
then
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnueabi
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi
|
||||
else
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnueabihf
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf
|
||||
fi
|
||||
fi
|
||||
exit ;;
|
||||
avr32*:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
cris:Linux:*:*)
|
||||
echo cris-axis-linux-gnu
|
||||
echo ${UNAME_MACHINE}-axis-linux-${LIBC}
|
||||
exit ;;
|
||||
crisv32:Linux:*:*)
|
||||
echo crisv32-axis-linux-gnu
|
||||
echo ${UNAME_MACHINE}-axis-linux-${LIBC}
|
||||
exit ;;
|
||||
frv:Linux:*:*)
|
||||
echo frv-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
hexagon:Linux:*:*)
|
||||
echo hexagon-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
i*86:Linux:*:*)
|
||||
LIBC=gnu
|
||||
eval $set_cc_for_build
|
||||
sed 's/^ //' << EOF >$dummy.c
|
||||
#ifdef __dietlibc__
|
||||
LIBC=dietlibc
|
||||
#endif
|
||||
EOF
|
||||
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'`
|
||||
echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
|
||||
echo ${UNAME_MACHINE}-pc-linux-${LIBC}
|
||||
exit ;;
|
||||
ia64:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
m32r*:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
m68*:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
mips:Linux:*:* | mips64:Linux:*:*)
|
||||
eval $set_cc_for_build
|
||||
@ -945,54 +967,63 @@ EOF
|
||||
#endif
|
||||
EOF
|
||||
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
|
||||
test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
|
||||
test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; }
|
||||
;;
|
||||
or32:Linux:*:*)
|
||||
echo or32-unknown-linux-gnu
|
||||
openrisc*:Linux:*:*)
|
||||
echo or1k-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
or32:Linux:*:* | or1k*:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
padre:Linux:*:*)
|
||||
echo sparc-unknown-linux-gnu
|
||||
echo sparc-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
parisc64:Linux:*:* | hppa64:Linux:*:*)
|
||||
echo hppa64-unknown-linux-gnu
|
||||
echo hppa64-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
parisc:Linux:*:* | hppa:Linux:*:*)
|
||||
# Look for CPU level
|
||||
case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
|
||||
PA7*) echo hppa1.1-unknown-linux-gnu ;;
|
||||
PA8*) echo hppa2.0-unknown-linux-gnu ;;
|
||||
*) echo hppa-unknown-linux-gnu ;;
|
||||
PA7*) echo hppa1.1-unknown-linux-${LIBC} ;;
|
||||
PA8*) echo hppa2.0-unknown-linux-${LIBC} ;;
|
||||
*) echo hppa-unknown-linux-${LIBC} ;;
|
||||
esac
|
||||
exit ;;
|
||||
ppc64:Linux:*:*)
|
||||
echo powerpc64-unknown-linux-gnu
|
||||
echo powerpc64-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
ppc:Linux:*:*)
|
||||
echo powerpc-unknown-linux-gnu
|
||||
echo powerpc-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
ppc64le:Linux:*:*)
|
||||
echo powerpc64le-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
ppcle:Linux:*:*)
|
||||
echo powerpcle-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
s390:Linux:*:* | s390x:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-ibm-linux
|
||||
echo ${UNAME_MACHINE}-ibm-linux-${LIBC}
|
||||
exit ;;
|
||||
sh64*:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
sh*:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
sparc:Linux:*:* | sparc64:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
tile*:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
vax:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-dec-linux-gnu
|
||||
echo ${UNAME_MACHINE}-dec-linux-${LIBC}
|
||||
exit ;;
|
||||
x86_64:Linux:*:*)
|
||||
echo x86_64-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
xtensa*:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
i*86:DYNIX/ptx:4*:*)
|
||||
# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
|
||||
@ -1196,6 +1227,9 @@ EOF
|
||||
BePC:Haiku:*:*) # Haiku running on Intel PC compatible.
|
||||
echo i586-pc-haiku
|
||||
exit ;;
|
||||
x86_64:Haiku:*:*)
|
||||
echo x86_64-unknown-haiku
|
||||
exit ;;
|
||||
SX-4:SUPER-UX:*:*)
|
||||
echo sx4-nec-superux${UNAME_RELEASE}
|
||||
exit ;;
|
||||
@ -1222,19 +1256,31 @@ EOF
|
||||
exit ;;
|
||||
*:Darwin:*:*)
|
||||
UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
|
||||
case $UNAME_PROCESSOR in
|
||||
i386)
|
||||
eval $set_cc_for_build
|
||||
if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
|
||||
if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
|
||||
(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
|
||||
grep IS_64BIT_ARCH >/dev/null
|
||||
then
|
||||
UNAME_PROCESSOR="x86_64"
|
||||
fi
|
||||
fi ;;
|
||||
unknown) UNAME_PROCESSOR=powerpc ;;
|
||||
esac
|
||||
eval $set_cc_for_build
|
||||
if test "$UNAME_PROCESSOR" = unknown ; then
|
||||
UNAME_PROCESSOR=powerpc
|
||||
fi
|
||||
if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then
|
||||
if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
|
||||
if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
|
||||
(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
|
||||
grep IS_64BIT_ARCH >/dev/null
|
||||
then
|
||||
case $UNAME_PROCESSOR in
|
||||
i386) UNAME_PROCESSOR=x86_64 ;;
|
||||
powerpc) UNAME_PROCESSOR=powerpc64 ;;
|
||||
esac
|
||||
fi
|
||||
fi
|
||||
elif test "$UNAME_PROCESSOR" = i386 ; then
|
||||
# Avoid executing cc on OS X 10.9, as it ships with a stub
|
||||
# that puts up a graphical alert prompting to install
|
||||
# developer tools. Any system running Mac OS X 10.7 or
|
||||
# later (Darwin 11 and later) is required to have a 64-bit
|
||||
# processor. This is not true of the ARM version of Darwin
|
||||
# that Apple uses in portable devices.
|
||||
UNAME_PROCESSOR=x86_64
|
||||
fi
|
||||
echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
|
||||
exit ;;
|
||||
*:procnto*:*:* | *:QNX:[0123456789]*:*)
|
||||
@ -1251,7 +1297,7 @@ EOF
|
||||
NEO-?:NONSTOP_KERNEL:*:*)
|
||||
echo neo-tandem-nsk${UNAME_RELEASE}
|
||||
exit ;;
|
||||
NSE-?:NONSTOP_KERNEL:*:*)
|
||||
NSE-*:NONSTOP_KERNEL:*:*)
|
||||
echo nse-tandem-nsk${UNAME_RELEASE}
|
||||
exit ;;
|
||||
NSR-?:NONSTOP_KERNEL:*:*)
|
||||
@ -1320,159 +1366,11 @@ EOF
|
||||
i*86:AROS:*:*)
|
||||
echo ${UNAME_MACHINE}-pc-aros
|
||||
exit ;;
|
||||
x86_64:VMkernel:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-esx
|
||||
exit ;;
|
||||
esac
|
||||
|
||||
#echo '(No uname command or uname output not recognized.)' 1>&2
|
||||
#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
|
||||
|
||||
eval $set_cc_for_build
|
||||
cat >$dummy.c <<EOF
|
||||
#ifdef _SEQUENT_
|
||||
# include <sys/types.h>
|
||||
# include <sys/utsname.h>
|
||||
#endif
|
||||
main ()
|
||||
{
|
||||
#if defined (sony)
|
||||
#if defined (MIPSEB)
|
||||
/* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed,
|
||||
I don't know.... */
|
||||
printf ("mips-sony-bsd\n"); exit (0);
|
||||
#else
|
||||
#include <sys/param.h>
|
||||
printf ("m68k-sony-newsos%s\n",
|
||||
#ifdef NEWSOS4
|
||||
"4"
|
||||
#else
|
||||
""
|
||||
#endif
|
||||
); exit (0);
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined (__arm) && defined (__acorn) && defined (__unix)
|
||||
printf ("arm-acorn-riscix\n"); exit (0);
|
||||
#endif
|
||||
|
||||
#if defined (hp300) && !defined (hpux)
|
||||
printf ("m68k-hp-bsd\n"); exit (0);
|
||||
#endif
|
||||
|
||||
#if defined (NeXT)
|
||||
#if !defined (__ARCHITECTURE__)
|
||||
#define __ARCHITECTURE__ "m68k"
|
||||
#endif
|
||||
int version;
|
||||
version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
|
||||
if (version < 4)
|
||||
printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
|
||||
else
|
||||
printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
|
||||
exit (0);
|
||||
#endif
|
||||
|
||||
#if defined (MULTIMAX) || defined (n16)
|
||||
#if defined (UMAXV)
|
||||
printf ("ns32k-encore-sysv\n"); exit (0);
|
||||
#else
|
||||
#if defined (CMU)
|
||||
printf ("ns32k-encore-mach\n"); exit (0);
|
||||
#else
|
||||
printf ("ns32k-encore-bsd\n"); exit (0);
|
||||
#endif
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined (__386BSD__)
|
||||
printf ("i386-pc-bsd\n"); exit (0);
|
||||
#endif
|
||||
|
||||
#if defined (sequent)
|
||||
#if defined (i386)
|
||||
printf ("i386-sequent-dynix\n"); exit (0);
|
||||
#endif
|
||||
#if defined (ns32000)
|
||||
printf ("ns32k-sequent-dynix\n"); exit (0);
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined (_SEQUENT_)
|
||||
struct utsname un;
|
||||
|
||||
uname(&un);
|
||||
|
||||
if (strncmp(un.version, "V2", 2) == 0) {
|
||||
printf ("i386-sequent-ptx2\n"); exit (0);
|
||||
}
|
||||
if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
|
||||
printf ("i386-sequent-ptx1\n"); exit (0);
|
||||
}
|
||||
printf ("i386-sequent-ptx\n"); exit (0);
|
||||
|
||||
#endif
|
||||
|
||||
#if defined (vax)
|
||||
# if !defined (ultrix)
|
||||
# include <sys/param.h>
|
||||
# if defined (BSD)
|
||||
# if BSD == 43
|
||||
printf ("vax-dec-bsd4.3\n"); exit (0);
|
||||
# else
|
||||
# if BSD == 199006
|
||||
printf ("vax-dec-bsd4.3reno\n"); exit (0);
|
||||
# else
|
||||
printf ("vax-dec-bsd\n"); exit (0);
|
||||
# endif
|
||||
# endif
|
||||
# else
|
||||
printf ("vax-dec-bsd\n"); exit (0);
|
||||
# endif
|
||||
# else
|
||||
printf ("vax-dec-ultrix\n"); exit (0);
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#if defined (alliant) && defined (i860)
|
||||
printf ("i860-alliant-bsd\n"); exit (0);
|
||||
#endif
|
||||
|
||||
exit (1);
|
||||
}
|
||||
EOF
|
||||
|
||||
$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` &&
|
||||
{ echo "$SYSTEM_NAME"; exit; }
|
||||
|
||||
# Apollos put the system type in the environment.
|
||||
|
||||
test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; }
|
||||
|
||||
# Convex versions that predate uname can use getsysinfo(1)
|
||||
|
||||
if [ -x /usr/convex/getsysinfo ]
|
||||
then
|
||||
case `getsysinfo -f cpu_type` in
|
||||
c1*)
|
||||
echo c1-convex-bsd
|
||||
exit ;;
|
||||
c2*)
|
||||
if getsysinfo -f scalar_acc
|
||||
then echo c32-convex-bsd
|
||||
else echo c2-convex-bsd
|
||||
fi
|
||||
exit ;;
|
||||
c34*)
|
||||
echo c34-convex-bsd
|
||||
exit ;;
|
||||
c38*)
|
||||
echo c38-convex-bsd
|
||||
exit ;;
|
||||
c4*)
|
||||
echo c4-convex-bsd
|
||||
exit ;;
|
||||
esac
|
||||
fi
|
||||
|
||||
cat >&2 <<EOF
|
||||
$0: unable to guess system type
|
||||
|
||||
|
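Review bot: removing the compile-and-run fallback (the `cat >$dummy.c <<EOF` program and the `$CC_FOR_BUILD -o $dummy $dummy.c` line that executed it) means config.guess no longer builds and runs a probe binary for the legacy sony, NeXT, sequent, vax, alliant and encore targets; the remaining fallbacks (`/usr/apollo`, `/usr/convex/getsysinfo`) only inspect the filesystem and run tools already installed. That reduces what configure executes during a build, which is welcome, and none of the platforms in the PORTS file above (AmigaOS, Cygwin, Debian, FreeBSD, NetBSD, OpenBSD, OpenSolaris, OS/2, OpenCSW Solaris, RedHat Linux) depend on the removed branches. The added `x86_64:VMkernel:*:*` case reporting `-unknown-esx` is the only new target in this hunk.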
142
auto/config.sub
vendored
Normal file → Executable file
@ -1,38 +1,31 @@
|
||||
#! /bin/sh
|
||||
# Configuration validation subroutine script.
|
||||
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
|
||||
# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
|
||||
# 2011 Free Software Foundation, Inc.
|
||||
# Copyright 1992-2014 Free Software Foundation, Inc.
|
||||
|
||||
timestamp='2011-11-11'
|
||||
timestamp='2014-09-11'
|
||||
|
||||
# This file is (in principle) common to ALL GNU software.
|
||||
# The presence of a machine in this file suggests that SOME GNU software
|
||||
# can handle that machine. It does not imply ALL GNU software can.
|
||||
#
|
||||
# This file is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation; either version 2 of the License, or
|
||||
# This file is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation; either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
# This program is distributed in the hope that it will be useful, but
|
||||
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
# General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
|
||||
# 02110-1301, USA.
|
||||
# along with this program; if not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
# As a special exception to the GNU General Public License, if you
|
||||
# distribute this file as part of a program that contains a
|
||||
# configuration script generated by Autoconf, you may include it under
|
||||
# the same distribution terms that you use for the rest of that program.
|
||||
# the same distribution terms that you use for the rest of that
|
||||
# program. This Exception is an additional permission under section 7
|
||||
# of the GNU General Public License, version 3 ("GPLv3").
|
||||
|
||||
|
||||
# Please send patches to <config-patches@gnu.org>. Submit a context
|
||||
# diff and a properly formatted GNU ChangeLog entry.
|
||||
# Please send patches with a ChangeLog entry to config-patches@gnu.org.
|
||||
#
|
||||
# Configuration subroutine to validate and canonicalize a configuration type.
|
||||
# Supply the specified configuration type as an argument.
|
||||
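Review bot: nothing in the commit records which config.git snapshot this config.sub (`timestamp='2014-09-11'`) was taken from; a vendored script that every `configure` run executes should be verified byte-for-byte against the matching upstream copy, and the match recorded somewhere (a comment in the build notes or the commit text). Two other things this hunk changes that deserve a mention in the import notes: the licence header moves from "version 2 of the License, or (at your option) any later version" to version 3 with the Autoconf exception ("an additional permission under section 7"), and the file header above shows the mode flipping from Normal file to Executable file.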
@ -75,9 +68,7 @@ Report bugs and patches to <config-patches@gnu.org>."
|
||||
version="\
|
||||
GNU config.sub ($timestamp)
|
||||
|
||||
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
|
||||
2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free
|
||||
Software Foundation, Inc.
|
||||
Copyright 1992-2014 Free Software Foundation, Inc.
|
||||
|
||||
This is free software; see the source for copying conditions. There is NO
|
||||
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
|
||||
@ -125,13 +116,17 @@ esac
|
||||
maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
|
||||
case $maybe_os in
|
||||
nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
|
||||
linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
|
||||
linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
|
||||
knetbsd*-gnu* | netbsd*-gnu* | \
|
||||
kopensolaris*-gnu* | \
|
||||
storm-chaos* | os2-emx* | rtmk-nova*)
|
||||
os=-$maybe_os
|
||||
basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
|
||||
;;
|
||||
android-linux)
|
||||
os=-linux-android
|
||||
basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown
|
||||
;;
|
||||
*)
|
||||
basic_machine=`echo $1 | sed 's/-[^-]*$//'`
|
||||
if [ $basic_machine != $1 ]
|
||||
@ -154,7 +149,7 @@ case $os in
|
||||
-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
|
||||
-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
|
||||
-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
|
||||
-apple | -axis | -knuth | -cray | -microblaze)
|
||||
-apple | -axis | -knuth | -cray | -microblaze*)
|
||||
os=
|
||||
basic_machine=$1
|
||||
;;
|
||||
@ -223,6 +218,12 @@ case $os in
|
||||
-isc*)
|
||||
basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
|
||||
;;
|
||||
-lynx*178)
|
||||
os=-lynxos178
|
||||
;;
|
||||
-lynx*5)
|
||||
os=-lynxos5
|
||||
;;
|
||||
-lynx*)
|
||||
os=-lynxos
|
||||
;;
|
||||
@ -247,13 +248,16 @@ case $basic_machine in
|
||||
# Some are omitted here because they have special meanings below.
|
||||
1750a | 580 \
|
||||
| a29k \
|
||||
| aarch64 | aarch64_be \
|
||||
| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
|
||||
| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
|
||||
| am33_2.0 \
|
||||
| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \
|
||||
| be32 | be64 \
|
||||
| arc | arceb \
|
||||
| arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \
|
||||
| avr | avr32 \
|
||||
| be32 | be64 \
|
||||
| bfin \
|
||||
| c4x | clipper \
|
||||
| c4x | c8051 | clipper \
|
||||
| d10v | d30v | dlx | dsp16xx \
|
||||
| epiphany \
|
||||
| fido | fr30 | frv \
|
||||
@ -261,10 +265,11 @@ case $basic_machine in
|
||||
| hexagon \
|
||||
| i370 | i860 | i960 | ia64 \
|
||||
| ip2k | iq2000 \
|
||||
| k1om \
|
||||
| le32 | le64 \
|
||||
| lm32 \
|
||||
| m32c | m32r | m32rle | m68000 | m68k | m88k \
|
||||
| maxq | mb | microblaze | mcore | mep | metag \
|
||||
| maxq | mb | microblaze | microblazeel | mcore | mep | metag \
|
||||
| mips | mipsbe | mipseb | mipsel | mipsle \
|
||||
| mips16 \
|
||||
| mips64 | mips64el \
|
||||
@ -278,23 +283,26 @@ case $basic_machine in
|
||||
| mips64vr5900 | mips64vr5900el \
|
||||
| mipsisa32 | mipsisa32el \
|
||||
| mipsisa32r2 | mipsisa32r2el \
|
||||
| mipsisa32r6 | mipsisa32r6el \
|
||||
| mipsisa64 | mipsisa64el \
|
||||
| mipsisa64r2 | mipsisa64r2el \
|
||||
| mipsisa64r6 | mipsisa64r6el \
|
||||
| mipsisa64sb1 | mipsisa64sb1el \
|
||||
| mipsisa64sr71k | mipsisa64sr71kel \
|
||||
| mipsr5900 | mipsr5900el \
|
||||
| mipstx39 | mipstx39el \
|
||||
| mn10200 | mn10300 \
|
||||
| moxie \
|
||||
| mt \
|
||||
| msp430 \
|
||||
| nds32 | nds32le | nds32be \
|
||||
| nios | nios2 \
|
||||
| nios | nios2 | nios2eb | nios2el \
|
||||
| ns16k | ns32k \
|
||||
| open8 \
|
||||
| or32 \
|
||||
| open8 | or1k | or1knd | or32 \
|
||||
| pdp10 | pdp11 | pj | pjl \
|
||||
| powerpc | powerpc64 | powerpc64le | powerpcle \
|
||||
| pyramid \
|
||||
| riscv32 | riscv64 \
|
||||
| rl78 | rx \
|
||||
| score \
|
||||
| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
|
||||
@ -319,8 +327,7 @@ case $basic_machine in
|
||||
c6x)
|
||||
basic_machine=tic6x-unknown
|
||||
;;
|
||||
m6811 | m68hc11 | m6812 | m68hc12 | picochip)
|
||||
# Motorola 68HC11/12.
|
||||
m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip)
|
||||
basic_machine=$basic_machine-unknown
|
||||
os=-none
|
||||
;;
|
||||
@ -333,7 +340,10 @@ case $basic_machine in
|
||||
strongarm | thumb | xscale)
|
||||
basic_machine=arm-unknown
|
||||
;;
|
||||
|
||||
xgate)
|
||||
basic_machine=$basic_machine-unknown
|
||||
os=-none
|
||||
;;
|
||||
xscaleeb)
|
||||
basic_machine=armeb-unknown
|
||||
;;
|
||||
@ -356,15 +366,16 @@ case $basic_machine in
|
||||
# Recognize the basic CPU types with company name.
|
||||
580-* \
|
||||
| a29k-* \
|
||||
| aarch64-* | aarch64_be-* \
|
||||
| alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
|
||||
| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
|
||||
| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
|
||||
| alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \
|
||||
| arm-* | armbe-* | armle-* | armeb-* | armv*-* \
|
||||
| avr-* | avr32-* \
|
||||
| be32-* | be64-* \
|
||||
| bfin-* | bs2000-* \
|
||||
| c[123]* | c30-* | [cjt]90-* | c4x-* \
|
||||
| clipper-* | craynv-* | cydra-* \
|
||||
| c8051-* | clipper-* | craynv-* | cydra-* \
|
||||
| d10v-* | d30v-* | dlx-* \
|
||||
| elxsi-* \
|
||||
| f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
|
||||
@ -373,11 +384,13 @@ case $basic_machine in
|
||||
| hexagon-* \
|
||||
| i*86-* | i860-* | i960-* | ia64-* \
|
||||
| ip2k-* | iq2000-* \
|
||||
| k1om-* \
|
||||
| le32-* | le64-* \
|
||||
| lm32-* \
|
||||
| m32c-* | m32r-* | m32rle-* \
|
||||
| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
|
||||
| m88110-* | m88k-* | maxq-* | mcore-* | metag-* | microblaze-* \
|
||||
| m88110-* | m88k-* | maxq-* | mcore-* | metag-* \
|
||||
| microblaze-* | microblazeel-* \
|
||||
| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
|
||||
| mips16-* \
|
||||
| mips64-* | mips64el-* \
|
||||
@ -391,18 +404,22 @@ case $basic_machine in
|
||||
| mips64vr5900-* | mips64vr5900el-* \
|
||||
| mipsisa32-* | mipsisa32el-* \
|
||||
| mipsisa32r2-* | mipsisa32r2el-* \
|
||||
| mipsisa32r6-* | mipsisa32r6el-* \
|
||||
| mipsisa64-* | mipsisa64el-* \
|
||||
| mipsisa64r2-* | mipsisa64r2el-* \
|
||||
| mipsisa64r6-* | mipsisa64r6el-* \
|
||||
| mipsisa64sb1-* | mipsisa64sb1el-* \
|
||||
| mipsisa64sr71k-* | mipsisa64sr71kel-* \
|
||||
| mipsr5900-* | mipsr5900el-* \
|
||||
| mipstx39-* | mipstx39el-* \
|
||||
| mmix-* \
|
||||
| mt-* \
|
||||
| msp430-* \
|
||||
| nds32-* | nds32le-* | nds32be-* \
|
||||
| nios-* | nios2-* \
|
||||
| nios-* | nios2-* | nios2eb-* | nios2el-* \
|
||||
| none-* | np1-* | ns16k-* | ns32k-* \
|
||||
| open8-* \
|
||||
| or1k*-* \
|
||||
| orion-* \
|
||||
| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
|
||||
| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
|
||||
@ -719,7 +736,6 @@ case $basic_machine in
|
||||
i370-ibm* | ibm*)
|
||||
basic_machine=i370-ibm
|
||||
;;
|
||||
# I'm not sure what "Sysv32" means. Should this be sysv3.2?
|
||||
i*86v32)
|
||||
basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
|
||||
os=-sysv32
|
||||
@ -777,11 +793,15 @@ case $basic_machine in
|
||||
basic_machine=ns32k-utek
|
||||
os=-sysv
|
||||
;;
|
||||
microblaze)
|
||||
microblaze*)
|
||||
basic_machine=microblaze-xilinx
|
||||
;;
|
||||
mingw64)
|
||||
basic_machine=x86_64-pc
|
||||
os=-mingw64
|
||||
;;
|
||||
mingw32)
|
||||
basic_machine=i386-pc
|
||||
basic_machine=i686-pc
|
||||
os=-mingw32
|
||||
;;
|
||||
mingw32ce)
|
||||
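Review bot: the bare `mingw32)` alias now canonicalises to `basic_machine=i686-pc` instead of `i386-pc`, which changes the CPU baseline the toolchain sees and anything downstream that matches on `i386-pc-mingw32`; confirm stunnel's configure.ac has no check keyed on the old triplet before relying on this default. The new `mingw64)` entry mapping to `x86_64-pc` / `os=-mingw64` is consistent with the `-mingw64*` addition in the OS list further down.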
@ -809,6 +829,10 @@ case $basic_machine in
|
||||
basic_machine=powerpc-unknown
|
||||
os=-morphos
|
||||
;;
|
||||
moxiebox)
|
||||
basic_machine=moxie-unknown
|
||||
os=-moxiebox
|
||||
;;
|
||||
msdos)
|
||||
basic_machine=i386-pc
|
||||
os=-msdos
|
||||
@ -817,7 +841,7 @@ case $basic_machine in
|
||||
basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'`
|
||||
;;
|
||||
msys)
|
||||
basic_machine=i386-pc
|
||||
basic_machine=i686-pc
|
||||
os=-msys
|
||||
;;
|
||||
mvs)
|
||||
@ -1008,7 +1032,11 @@ case $basic_machine in
|
||||
basic_machine=i586-unknown
|
||||
os=-pw32
|
||||
;;
|
||||
rdos)
|
||||
rdos | rdos64)
|
||||
basic_machine=x86_64-pc
|
||||
os=-rdos
|
||||
;;
|
||||
rdos32)
|
||||
basic_machine=i386-pc
|
||||
os=-rdos
|
||||
;;
|
||||
@ -1335,29 +1363,29 @@ case $os in
|
||||
-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
|
||||
| -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\
|
||||
| -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \
|
||||
| -sym* | -kopensolaris* \
|
||||
| -sym* | -kopensolaris* | -plan9* \
|
||||
| -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
|
||||
| -aos* | -aros* \
|
||||
| -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
|
||||
| -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
|
||||
| -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
|
||||
| -openbsd* | -solidbsd* \
|
||||
| -bitrig* | -openbsd* | -solidbsd* \
|
||||
| -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
|
||||
| -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
|
||||
| -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
|
||||
| -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
|
||||
| -chorusos* | -chorusrdb* | -cegcc* \
|
||||
| -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
|
||||
| -mingw32* | -linux-gnu* | -linux-android* \
|
||||
| -linux-newlib* | -linux-uclibc* \
|
||||
| -uxpv* | -beos* | -mpeix* | -udk* \
|
||||
| -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
|
||||
| -linux-newlib* | -linux-musl* | -linux-uclibc* \
|
||||
| -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \
|
||||
| -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
|
||||
| -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
|
||||
| -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
|
||||
| -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
|
||||
| -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
|
||||
| -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
|
||||
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*)
|
||||
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*)
|
||||
# Remember, each alternative MUST END IN *, to match a version number.
|
||||
;;
|
||||
-qnx*)
|
||||
@ -1481,9 +1509,6 @@ case $os in
|
||||
-aros*)
|
||||
os=-aros
|
||||
;;
|
||||
-kaos*)
|
||||
os=-kaos
|
||||
;;
|
||||
-zvmoe)
|
||||
os=-zvmoe
|
||||
;;
|
||||
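Review bot: this hunk drops the `-kaos*)` case (`os=-kaos`) with nothing replacing it, so an explicit `*-kaos` target now falls through to the generic handling below instead of being canonicalised; harmless for stunnel, but it is a silent behaviour change for anyone reusing this vendored config.sub and worth a line in the import notes.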
@ -1532,6 +1557,12 @@ case $basic_machine in
|
||||
c4x-* | tic4x-*)
|
||||
os=-coff
|
||||
;;
|
||||
c8051-*)
|
||||
os=-elf
|
||||
;;
|
||||
hexagon-*)
|
||||
os=-elf
|
||||
;;
|
||||
tic54x-*)
|
||||
os=-coff
|
||||
;;
|
||||
@ -1559,9 +1590,6 @@ case $basic_machine in
|
||||
;;
|
||||
m68000-sun)
|
||||
os=-sunos3
|
||||
# This also exists in the configure program, but was not the
|
||||
# default.
|
||||
# os=-sunos4
|
||||
;;
|
||||
m68*-cisco)
|
||||
os=-aout
|
||||
|
580
auto/depcomp
@ -1,10 +1,9 @@
|
||||
#! /bin/sh
|
||||
# depcomp - compile a program generating dependencies as side-effects
|
||||
|
||||
scriptversion=2007-03-29.01
|
||||
scriptversion=2013-05-30.07; # UTC
|
||||
|
||||
# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006, 2007 Free Software
|
||||
# Foundation, Inc.
|
||||
# Copyright (C) 1999-2013 Free Software Foundation, Inc.
|
||||
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
@ -17,9 +16,7 @@ scriptversion=2007-03-29.01
|
||||
# GNU General Public License for more details.
|
||||
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
||||
# 02110-1301, USA.
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
# As a special exception to the GNU General Public License, if you
|
||||
# distribute this file as part of a program that contains a
|
||||
@ -30,9 +27,9 @@ scriptversion=2007-03-29.01
|
||||
|
||||
case $1 in
|
||||
'')
|
||||
echo "$0: No command. Try \`$0 --help' for more information." 1>&2
|
||||
exit 1;
|
||||
;;
|
||||
echo "$0: No command. Try '$0 --help' for more information." 1>&2
|
||||
exit 1;
|
||||
;;
|
||||
-h | --h*)
|
||||
cat <<\EOF
|
||||
Usage: depcomp [--help] [--version] PROGRAM [ARGS]
|
||||
@ -42,11 +39,11 @@ as side-effects.
|
||||
|
||||
Environment variables:
|
||||
depmode Dependency tracking mode.
|
||||
source Source file read by `PROGRAMS ARGS'.
|
||||
object Object file output by `PROGRAMS ARGS'.
|
||||
source Source file read by 'PROGRAMS ARGS'.
|
||||
object Object file output by 'PROGRAMS ARGS'.
|
||||
DEPDIR directory where to store dependencies.
|
||||
depfile Dependency file to output.
|
||||
tmpdepfile Temporary file to use when outputing dependencies.
|
||||
tmpdepfile Temporary file to use when outputting dependencies.
|
||||
libtool Whether libtool is used (yes/no).
|
||||
|
||||
Report bugs to <bug-automake@gnu.org>.
|
||||
@ -59,6 +56,66 @@ EOF
|
||||
;;
|
||||
esac
|
||||
|
||||
# Get the directory component of the given path, and save it in the
|
||||
# global variables '$dir'. Note that this directory component will
|
||||
# be either empty or ending with a '/' character. This is deliberate.
|
||||
set_dir_from ()
|
||||
{
|
||||
case $1 in
|
||||
*/*) dir=`echo "$1" | sed -e 's|/[^/]*$|/|'`;;
|
||||
*) dir=;;
|
||||
esac
|
||||
}
|
||||
|
||||
# Get the suffix-stripped basename of the given path, and save it the
|
||||
# global variable '$base'.
|
||||
set_base_from ()
|
||||
{
|
||||
base=`echo "$1" | sed -e 's|^.*/||' -e 's/\.[^.]*$//'`
|
||||
}
|
||||
|
||||
# If no dependency file was actually created by the compiler invocation,
|
||||
# we still have to create a dummy depfile, to avoid errors with the
|
||||
# Makefile "include basename.Plo" scheme.
|
||||
make_dummy_depfile ()
|
||||
{
|
||||
echo "#dummy" > "$depfile"
|
||||
}
|
||||
|
||||
# Factor out some common post-processing of the generated depfile.
|
||||
# Requires the auxiliary global variable '$tmpdepfile' to be set.
|
||||
aix_post_process_depfile ()
|
||||
{
|
||||
# If the compiler actually managed to produce a dependency file,
|
||||
# post-process it.
|
||||
if test -f "$tmpdepfile"; then
|
||||
# Each line is of the form 'foo.o: dependency.h'.
|
||||
# Do two passes, one to just change these to
|
||||
# $object: dependency.h
|
||||
# and one to simply output
|
||||
# dependency.h:
|
||||
# which is needed to avoid the deleted-header problem.
|
||||
{ sed -e "s,^.*\.[$lower]*:,$object:," < "$tmpdepfile"
|
||||
sed -e "s,^.*\.[$lower]*:[$tab ]*,," -e 's,$,:,' < "$tmpdepfile"
|
||||
} > "$depfile"
|
||||
rm -f "$tmpdepfile"
|
||||
else
|
||||
make_dummy_depfile
|
||||
fi
|
||||
}
|
||||
|
||||
# A tabulation character.
|
||||
tab=' '
|
||||
# A newline character.
|
||||
nl='
|
||||
'
|
||||
# Character ranges might be problematic outside the C locale.
|
||||
# These definitions help.
|
||||
upper=ABCDEFGHIJKLMNOPQRSTUVWXYZ
|
||||
lower=abcdefghijklmnopqrstuvwxyz
|
||||
digits=0123456789
|
||||
alpha=${upper}${lower}
|
||||
|
||||
if test -z "$depmode" || test -z "$source" || test -z "$object"; then
|
||||
echo "depcomp: Variables source, object and depmode must be set" 1>&2
|
||||
exit 1
|
||||
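Review bot: `tab=' '` under the comment "A tabulation character" renders here as a space; verify that the vendored file really contains a literal tab, because `aix_post_process_depfile` relies on `[$tab ]*` to strip the whitespace after `foo.o:`, and if the tab has been expanded a leading tab survives into `$depfile`, where make reads the line as a recipe rather than a dependency. Also note that the new `set_base_from` strips any single suffix (`s/\.[^.]*$//`) whereas the code it replaces in the aix, hp2 and tru64 branches stripped only `.o` and `.lo`, so an object such as `foo.obj` now yields base `foo` instead of `foo.obj`; a comment on the helper stating that this is intended would save the next reader the comparison.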
@ -71,6 +128,9 @@ tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}
|
||||
|
||||
rm -f "$tmpdepfile"
|
||||
|
||||
# Avoid interferences from the environment.
|
||||
gccflag= dashmflag=
|
||||
|
||||
# Some modes work just like other modes, but use different flags. We
|
||||
# parameterize here, but still list the modes in the big case below,
|
||||
# to make depend.m4 easier to write. Note that we *cannot* use a case
|
||||
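Review bot: good hardening in `gccflag= dashmflag=`: before this, an inherited `gccflag` from the caller's environment would have taken the `if test -z "$gccflag"` branch of the gcc mode the wrong way and an inherited `dashmflag` would have been appended to the compiler command line. `depmode`, `source` and `object` are read from the environment by design (the usage text says so), so this covers the only flag-carrying variables the script does not set itself.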
@ -82,9 +142,32 @@ if test "$depmode" = hp; then
|
||||
fi
|
||||
|
||||
if test "$depmode" = dashXmstdout; then
|
||||
# This is just like dashmstdout with a different argument.
|
||||
dashmflag=-xM
|
||||
depmode=dashmstdout
|
||||
# This is just like dashmstdout with a different argument.
|
||||
dashmflag=-xM
|
||||
depmode=dashmstdout
|
||||
fi
|
||||
|
||||
cygpath_u="cygpath -u -f -"
|
||||
if test "$depmode" = msvcmsys; then
|
||||
# This is just like msvisualcpp but w/o cygpath translation.
|
||||
# Just convert the backslash-escaped backslashes to single forward
|
||||
# slashes to satisfy depend.m4
|
||||
cygpath_u='sed s,\\\\,/,g'
|
||||
depmode=msvisualcpp
|
||||
fi
|
||||
|
||||
if test "$depmode" = msvc7msys; then
|
||||
# This is just like msvc7 but w/o cygpath translation.
|
||||
# Just convert the backslash-escaped backslashes to single forward
|
||||
# slashes to satisfy depend.m4
|
||||
cygpath_u='sed s,\\\\,/,g'
|
||||
depmode=msvc7
|
||||
fi
|
||||
|
||||
if test "$depmode" = xlc; then
|
||||
# IBM C/C++ Compilers xlc/xlC can output gcc-like dependency information.
|
||||
gccflag=-qmakedep=gcc,-MF
|
||||
depmode=gcc
|
||||
fi
|
||||
|
||||
case "$depmode" in
|
||||
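Review bot: `cygpath_u='sed s,\\\\,/,g'` is now written out twice, once for `msvcmsys` and once for `msvc7msys`, with identical three-line comments; a single assignment guarded by `msvcmsys | msvc7msys` would keep the two in step. The new `xlc` mapping (`gccflag=-qmakedep=gcc,-MF`, `depmode=gcc`) relies on the gcc branch appending `$tmpdepfile` directly to `$gccflag` in `"$@" -Wp,"$gccflag$tmpdepfile"`, so the trailing `-MF` with no space is deliberate; a short comment saying so would stop someone "fixing" it.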
@ -107,8 +190,7 @@ gcc3)
|
||||
done
|
||||
"$@"
|
||||
stat=$?
|
||||
if test $stat -eq 0; then :
|
||||
else
|
||||
if test $stat -ne 0; then
|
||||
rm -f "$tmpdepfile"
|
||||
exit $stat
|
||||
fi
|
||||
@ -116,13 +198,17 @@ gcc3)
|
||||
;;
|
||||
|
||||
gcc)
|
||||
## Note that this doesn't just cater to obsosete pre-3.x GCC compilers.
|
||||
## but also to in-use compilers like IMB xlc/xlC and the HP C compiler.
|
||||
## (see the conditional assignment to $gccflag above).
|
||||
## There are various ways to get dependency output from gcc. Here's
|
||||
## why we pick this rather obscure method:
|
||||
## - Don't want to use -MD because we'd like the dependencies to end
|
||||
## up in a subdir. Having to rename by hand is ugly.
|
||||
## (We might end up doing this anyway to support other compilers.)
|
||||
## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like
|
||||
## -MM, not -M (despite what the docs say).
|
||||
## -MM, not -M (despite what the docs say). Also, it might not be
|
||||
## supported by the other compilers which use the 'gcc' depmode.
|
||||
## - Using -M directly means running the compiler twice (even worse
|
||||
## than renaming).
|
||||
if test -z "$gccflag"; then
|
||||
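Review bot: typos in the added comment lines: "obsosete" should read "obsolete" and "IMB xlc/xlC" should read "IBM xlc/xlC"; both are in `##` comments, so the fix is text-only.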
@ -130,31 +216,31 @@ gcc)
|
||||
fi
|
||||
"$@" -Wp,"$gccflag$tmpdepfile"
|
||||
stat=$?
|
||||
if test $stat -eq 0; then :
|
||||
else
|
||||
if test $stat -ne 0; then
|
||||
rm -f "$tmpdepfile"
|
||||
exit $stat
|
||||
fi
|
||||
rm -f "$depfile"
|
||||
echo "$object : \\" > "$depfile"
|
||||
alpha=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
|
||||
## The second -e expression handles DOS-style file names with drive letters.
|
||||
# The second -e expression handles DOS-style file names with drive
|
||||
# letters.
|
||||
sed -e 's/^[^:]*: / /' \
|
||||
-e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile"
|
||||
## This next piece of magic avoids the `deleted header file' problem.
|
||||
## This next piece of magic avoids the "deleted header file" problem.
|
||||
## The problem is that when a header file which appears in a .P file
|
||||
## is deleted, the dependency causes make to die (because there is
|
||||
## typically no way to rebuild the header). We avoid this by adding
|
||||
## dummy dependencies for each header file. Too bad gcc doesn't do
|
||||
## this for us directly.
|
||||
tr ' ' '
|
||||
' < "$tmpdepfile" |
|
||||
## Some versions of gcc put a space before the `:'. On the theory
|
||||
## Some versions of gcc put a space before the ':'. On the theory
|
||||
## that the space means something, we add a space to the output as
|
||||
## well.
|
||||
## well. hp depmode also adds that space, but also prefixes the VPATH
|
||||
## to the object. Take care to not repeat it in the output.
|
||||
## Some versions of the HPUX 10.20 sed can't process this invocation
|
||||
## correctly. Breaking it into two sed invocations is a workaround.
|
||||
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
|
||||
tr ' ' "$nl" < "$tmpdepfile" \
|
||||
| sed -e 's/^\\$//' -e '/^$/d' -e "s|.*$object$||" -e '/:$/d' \
|
||||
| sed -e 's/$/ :/' >> "$depfile"
|
||||
rm -f "$tmpdepfile"
|
||||
;;
|
||||
|
||||
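Review bot: the new `-e "s|.*$object$||"` interpolates `$object` unescaped into a sed regular expression: the `.` in `foo.o` matches any character (harmless here), but a `|` in the object path terminates the pattern early and a `[` or `\` produces a sed syntax error, so object paths with such characters now make the gcc mode fail where it previously worked. Dropping the locally defined `alpha=` in favour of the global `$alpha` and `$nl` is fine and matches the locale note added at the top of the file.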
@ -172,8 +258,7 @@ sgi)
|
||||
"$@" -MDupdate "$tmpdepfile"
|
||||
fi
|
||||
stat=$?
|
||||
if test $stat -eq 0; then :
|
||||
else
|
||||
if test $stat -ne 0; then
|
||||
rm -f "$tmpdepfile"
|
||||
exit $stat
|
||||
fi
|
||||
@ -181,43 +266,41 @@ sgi)
|
||||
|
||||
if test -f "$tmpdepfile"; then # yes, the sourcefile depend on other files
|
||||
echo "$object : \\" > "$depfile"
|
||||
|
||||
# Clip off the initial element (the dependent). Don't try to be
|
||||
# clever and replace this with sed code, as IRIX sed won't handle
|
||||
# lines with more than a fixed number of characters (4096 in
|
||||
# IRIX 6.2 sed, 8192 in IRIX 6.5). We also remove comment lines;
|
||||
# the IRIX cc adds comments like `#:fec' to the end of the
|
||||
# the IRIX cc adds comments like '#:fec' to the end of the
|
||||
# dependency line.
|
||||
tr ' ' '
|
||||
' < "$tmpdepfile" \
|
||||
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \
|
||||
tr '
|
||||
' ' ' >> $depfile
|
||||
echo >> $depfile
|
||||
|
||||
tr ' ' "$nl" < "$tmpdepfile" \
|
||||
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' \
|
||||
| tr "$nl" ' ' >> "$depfile"
|
||||
echo >> "$depfile"
|
||||
# The second pass generates a dummy entry for each header file.
|
||||
tr ' ' '
|
||||
' < "$tmpdepfile" \
|
||||
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
|
||||
>> $depfile
|
||||
tr ' ' "$nl" < "$tmpdepfile" \
|
||||
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
|
||||
>> "$depfile"
|
||||
else
|
||||
# The sourcefile does not contain any dependencies, so just
|
||||
# store a dummy comment line, to avoid errors with the Makefile
|
||||
# "include basename.Plo" scheme.
|
||||
echo "#dummy" > "$depfile"
|
||||
make_dummy_depfile
|
||||
fi
|
||||
rm -f "$tmpdepfile"
|
||||
;;
|
||||
|
||||
xlc)
|
||||
# This case exists only to let depend.m4 do its work. It works by
|
||||
# looking at the text of this script. This case will never be run,
|
||||
# since it is checked for above.
|
||||
exit 1
|
||||
;;
|
||||
|
||||
aix)
|
||||
# The C for AIX Compiler uses -M and outputs the dependencies
|
||||
# in a .u file. In older versions, this file always lives in the
|
||||
# current directory. Also, the AIX compiler puts `$object:' at the
|
||||
# current directory. Also, the AIX compiler puts '$object:' at the
|
||||
# start of each line; $object doesn't have directory information.
|
||||
# Version 6 uses the directory in both cases.
|
||||
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
|
||||
test "x$dir" = "x$object" && dir=
|
||||
base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
|
||||
set_dir_from "$object"
|
||||
set_base_from "$object"
|
||||
if test "$libtool" = yes; then
|
||||
tmpdepfile1=$dir$base.u
|
||||
tmpdepfile2=$base.u
|
||||
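Review bot: good fix in the sgi branch: the redirections `>> $depfile` and `echo >> $depfile` are now quoted (`>> "$depfile"`), so an object path with whitespace no longer splits into extra words, and the literal embedded newline in `tr ' ' '<newline>'` becomes `"$nl"`. The new `xlc)` case that only runs `exit 1` is a marker for depend.m4, as its comment says; since the real xlc handling is the rewrite to `depmode=gcc` earlier in the file, a pointer there in the comment would make the unreachable case less puzzling.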
@ -230,9 +313,7 @@ aix)
|
||||
"$@" -M
|
||||
fi
|
||||
stat=$?
|
||||
|
||||
if test $stat -eq 0; then :
|
||||
else
|
||||
if test $stat -ne 0; then
|
||||
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
|
||||
exit $stat
|
||||
fi
|
||||
@ -241,44 +322,100 @@ aix)
|
||||
do
|
||||
test -f "$tmpdepfile" && break
|
||||
done
|
||||
if test -f "$tmpdepfile"; then
|
||||
# Each line is of the form `foo.o: dependent.h'.
|
||||
# Do two passes, one to just change these to
|
||||
# `$object: dependent.h' and one to simply `dependent.h:'.
|
||||
sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
|
||||
# That's a tab and a space in the [].
|
||||
sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
|
||||
else
|
||||
# The sourcefile does not contain any dependencies, so just
|
||||
# store a dummy comment line, to avoid errors with the Makefile
|
||||
# "include basename.Plo" scheme.
|
||||
echo "#dummy" > "$depfile"
|
||||
aix_post_process_depfile
|
||||
;;
|
||||
|
||||
tcc)
|
||||
# tcc (Tiny C Compiler) understand '-MD -MF file' since version 0.9.26
|
||||
# FIXME: That version still under development at the moment of writing.
|
||||
# Make that this statement remains true also for stable, released
|
||||
# versions.
|
||||
# It will wrap lines (doesn't matter whether long or short) with a
|
||||
# trailing '\', as in:
|
||||
#
|
||||
# foo.o : \
|
||||
# foo.c \
|
||||
# foo.h \
|
||||
#
|
||||
# It will put a trailing '\' even on the last line, and will use leading
|
||||
# spaces rather than leading tabs (at least since its commit 0394caf7
|
||||
# "Emit spaces for -MD").
|
||||
"$@" -MD -MF "$tmpdepfile"
|
||||
stat=$?
|
||||
if test $stat -ne 0; then
|
||||
rm -f "$tmpdepfile"
|
||||
exit $stat
|
||||
fi
|
||||
rm -f "$depfile"
|
||||
# Each non-empty line is of the form 'foo.o : \' or ' dep.h \'.
|
||||
# We have to change lines of the first kind to '$object: \'.
|
||||
sed -e "s|.*:|$object :|" < "$tmpdepfile" > "$depfile"
|
||||
# And for each line of the second kind, we have to emit a 'dep.h:'
|
||||
# dummy dependency, to avoid the deleted-header problem.
|
||||
sed -n -e 's|^ *\(.*\) *\\$|\1:|p' < "$tmpdepfile" >> "$depfile"
|
||||
rm -f "$tmpdepfile"
|
||||
;;
|
||||
|
||||
icc)
|
||||
# Intel's C compiler understands `-MD -MF file'. However on
|
||||
# icc -MD -MF foo.d -c -o sub/foo.o sub/foo.c
|
||||
# ICC 7.0 will fill foo.d with something like
|
||||
# foo.o: sub/foo.c
|
||||
# foo.o: sub/foo.h
|
||||
# which is wrong. We want:
|
||||
# sub/foo.o: sub/foo.c
|
||||
# sub/foo.o: sub/foo.h
|
||||
# sub/foo.c:
|
||||
# sub/foo.h:
|
||||
# ICC 7.1 will output
|
||||
## The order of this option in the case statement is important, since the
|
||||
## shell code in configure will try each of these formats in the order
|
||||
## listed in this file. A plain '-MD' option would be understood by many
|
||||
## compilers, so we must ensure this comes after the gcc and icc options.
|
||||
pgcc)
|
||||
# Portland's C compiler understands '-MD'.
|
||||
# Will always output deps to 'file.d' where file is the root name of the
|
||||
# source file under compilation, even if file resides in a subdirectory.
|
||||
# The object file name does not affect the name of the '.d' file.
|
||||
# pgcc 10.2 will output
|
||||
# foo.o: sub/foo.c sub/foo.h
|
||||
# and will wrap long lines using \ :
|
||||
# and will wrap long lines using '\' :
|
||||
# foo.o: sub/foo.c ... \
|
||||
# sub/foo.h ... \
|
||||
# ...
|
||||
set_dir_from "$object"
|
||||
# Use the source, not the object, to determine the base name, since
|
||||
# that's sadly what pgcc will do too.
|
||||
set_base_from "$source"
|
||||
tmpdepfile=$base.d
|
||||
|
||||
"$@" -MD -MF "$tmpdepfile"
|
||||
stat=$?
|
||||
if test $stat -eq 0; then :
|
||||
else
|
||||
# For projects that build the same source file twice into different object
|
||||
# files, the pgcc approach of using the *source* file root name can cause
|
||||
# problems in parallel builds. Use a locking strategy to avoid stomping on
|
||||
# the same $tmpdepfile.
|
||||
lockdir=$base.d-lock
|
||||
trap "
|
||||
echo '$0: caught signal, cleaning up...' >&2
|
||||
rmdir '$lockdir'
|
||||
exit 1
|
||||
" 1 2 13 15
|
||||
numtries=100
|
||||
i=$numtries
|
||||
while test $i -gt 0; do
|
||||
# mkdir is a portable test-and-set.
|
||||
if mkdir "$lockdir" 2>/dev/null; then
|
||||
# This process acquired the lock.
|
||||
"$@" -MD
|
||||
stat=$?
|
||||
# Release the lock.
|
||||
rmdir "$lockdir"
|
||||
break
|
||||
else
|
||||
# If the lock is being held by a different process, wait
|
||||
# until the winning process is done or we timeout.
|
||||
while test -d "$lockdir" && test $i -gt 0; do
|
||||
sleep 1
|
||||
i=`expr $i - 1`
|
||||
done
|
||||
fi
|
||||
i=`expr $i - 1`
|
||||
done
|
||||
trap - 1 2 13 15
|
||||
if test $i -le 0; then
|
||||
echo "$0: failed to acquire lock after $numtries attempts" >&2
|
||||
echo "$0: check lockdir '$lockdir'" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test $stat -ne 0; then
|
||||
rm -f "$tmpdepfile"
|
||||
exit $stat
|
||||
fi
|
||||
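Review bot: in the new `tcc)` branch `sed -e "s|.*:|$object :|"` rewrites every line containing a colon, not only the `foo.o : \` header, so a dependency written with a drive letter (`c:/...`) on a continuation line would be replaced wholesale by `$object :`; anchoring the substitution to the first line, or to lines that do not start with whitespace, avoids that. The second expression, `s|^ *\(.*\) *\\$|\1:|p`, also matches the header line and emits it again as a dummy target. In the `pgcc)` branch the `trap` cleans up `$lockdir` on catchable signals only; a build killed with SIGKILL leaves `$base.d-lock` behind and every later compile of that source sleeps through `numtries` and exits with "failed to acquire lock", which is recoverable because the message names the directory, but worth documenting next to the lock.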
@ -290,8 +427,8 @@ icc)
|
||||
sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile"
|
||||
# Some versions of the HPUX 10.20 sed can't process this invocation
|
||||
# correctly. Breaking it into two sed invocations is a workaround.
|
||||
sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" |
|
||||
sed -e 's/$/ :/' >> "$depfile"
|
||||
sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" \
|
||||
| sed -e 's/$/ :/' >> "$depfile"
|
||||
rm -f "$tmpdepfile"
|
||||
;;
|
||||
|
||||
@ -302,9 +439,8 @@ hp2)
|
||||
# 'foo.d', which lands next to the object file, wherever that
|
||||
# happens to be.
|
||||
# Much of this is similar to the tru64 case; see comments there.
|
||||
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
|
||||
test "x$dir" = "x$object" && dir=
|
||||
base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
|
||||
set_dir_from "$object"
|
||||
set_base_from "$object"
|
||||
if test "$libtool" = yes; then
|
||||
tmpdepfile1=$dir$base.d
|
||||
tmpdepfile2=$dir.libs/$base.d
|
||||
@ -315,8 +451,7 @@ hp2)
"$@" +Maked
fi
stat=$?
if test $stat -eq 0; then :
else
if test $stat -ne 0; then
rm -f "$tmpdepfile1" "$tmpdepfile2"
exit $stat
fi
@ -326,72 +461,107 @@ hp2)
test -f "$tmpdepfile" && break
done
if test -f "$tmpdepfile"; then
sed -e "s,^.*\.[a-z]*:,$object:," "$tmpdepfile" > "$depfile"
# Add `dependent.h:' lines.
sed -ne '2,${; s/^ *//; s/ \\*$//; s/$/:/; p;}' "$tmpdepfile" >> "$depfile"
sed -e "s,^.*\.[$lower]*:,$object:," "$tmpdepfile" > "$depfile"
# Add 'dependent.h:' lines.
sed -ne '2,${
s/^ *//
s/ \\*$//
s/$/:/
p
}' "$tmpdepfile" >> "$depfile"
else
echo "#dummy" > "$depfile"
make_dummy_depfile
fi
rm -f "$tmpdepfile" "$tmpdepfile2"
;;

tru64)
# The Tru64 compiler uses -MD to generate dependencies as a side
# effect. `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'.
# At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
# dependencies in `foo.d' instead, so we check for that too.
# Subdirectories are respected.
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
test "x$dir" = "x$object" && dir=
base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
# The Tru64 compiler uses -MD to generate dependencies as a side
# effect. 'cc -MD -o foo.o ...' puts the dependencies into 'foo.o.d'.
# At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
# dependencies in 'foo.d' instead, so we check for that too.
# Subdirectories are respected.
set_dir_from "$object"
set_base_from "$object"

if test "$libtool" = yes; then
# With Tru64 cc, shared objects can also be used to make a
# static library. This mechanism is used in libtool 1.4 series to
# handle both shared and static libraries in a single compilation.
# With libtool 1.4, dependencies were output in $dir.libs/$base.lo.d.
#
# With libtool 1.5 this exception was removed, and libtool now
# generates 2 separate objects for the 2 libraries. These two
# compilations output dependencies in $dir.libs/$base.o.d and
# in $dir$base.o.d. We have to check for both files, because
# one of the two compilations can be disabled. We should prefer
# $dir$base.o.d over $dir.libs/$base.o.d because the latter is
# automatically cleaned when .libs/ is deleted, while ignoring
# the former would cause a distcleancheck panic.
tmpdepfile1=$dir.libs/$base.lo.d # libtool 1.4
tmpdepfile2=$dir$base.o.d # libtool 1.5
tmpdepfile3=$dir.libs/$base.o.d # libtool 1.5
tmpdepfile4=$dir.libs/$base.d # Compaq CCC V6.2-504
"$@" -Wc,-MD
else
tmpdepfile1=$dir$base.o.d
tmpdepfile2=$dir$base.d
tmpdepfile3=$dir$base.d
tmpdepfile4=$dir$base.d
"$@" -MD
fi
if test "$libtool" = yes; then
# Libtool generates 2 separate objects for the 2 libraries. These
# two compilations output dependencies in $dir.libs/$base.o.d and
# in $dir$base.o.d. We have to check for both files, because
# one of the two compilations can be disabled. We should prefer
# $dir$base.o.d over $dir.libs/$base.o.d because the latter is
# automatically cleaned when .libs/ is deleted, while ignoring
# the former would cause a distcleancheck panic.
tmpdepfile1=$dir$base.o.d # libtool 1.5
tmpdepfile2=$dir.libs/$base.o.d # Likewise.
tmpdepfile3=$dir.libs/$base.d # Compaq CCC V6.2-504
"$@" -Wc,-MD
else
tmpdepfile1=$dir$base.d
tmpdepfile2=$dir$base.d
tmpdepfile3=$dir$base.d
"$@" -MD
fi

stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
exit $stat
fi
stat=$?
if test $stat -ne 0; then
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
exit $stat
fi

for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
do
test -f "$tmpdepfile" && break
done
if test -f "$tmpdepfile"; then
sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
# That's a tab and a space in the [].
sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
else
echo "#dummy" > "$depfile"
fi
rm -f "$tmpdepfile"
;;
for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
do
test -f "$tmpdepfile" && break
done
# Same post-processing that is required for AIX mode.
aix_post_process_depfile
;;

msvc7)
if test "$libtool" = yes; then
showIncludes=-Wc,-showIncludes
else
showIncludes=-showIncludes
fi
"$@" $showIncludes > "$tmpdepfile"
stat=$?
grep -v '^Note: including file: ' "$tmpdepfile"
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
echo "$object : \\" > "$depfile"
# The first sed program below extracts the file names and escapes
# backslashes for cygpath. The second sed program outputs the file
# name when reading, but also accumulates all include files in the
# hold buffer in order to output them again at the end. This only
# works with sed implementations that can handle large buffers.
sed < "$tmpdepfile" -n '
/^Note: including file: *\(.*\)/ {
s//\1/
s/\\/\\\\/g
p
}' | $cygpath_u | sort -u | sed -n '
s/ /\\ /g
s/\(.*\)/'"$tab"'\1 \\/p
s/.\(.*\) \\/\1:/
H
$ {
s/.*/'"$tab"'/
G
p
}' >> "$depfile"
echo >> "$depfile" # make sure the fragment doesn't end with a backslash
rm -f "$tmpdepfile"
;;

msvc7msys)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;

#nosideeffect)
# This comment above is used by automake to tell side-effect
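Review bot: in the new msvc7 case, `"$@" $showIncludes > "$tmpdepfile"` captures all compiler stdout and the prerequisites are recovered only by matching the literal prefix `Note: including file: `; nothing checks that at least one such line was found, so if the compiler prints a different prefix the depfile is silently written as `$object : \` followed by nothing, a valid rule with no prerequisites, and header changes will not trigger a rebuild. Either test that the extracted list is non-empty before writing it, or fall back to `make_dummy_depfile` as the hp2 branch above does, so the degradation is visible. The comment's caveat that the hold-buffer trick needs a sed that handles large buffers also belongs in the case header, where a porter will see it first.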
@ -404,13 +574,13 @@ dashmstdout)

# Remove the call to Libtool.
if test "$libtool" = yes; then
while test $1 != '--mode=compile'; do
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi

# Remove `-o $object'.
# Remove '-o $object'.
IFS=" "
for arg
do
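Review bot: writing the comparison as `"X$1" != 'X--mode=compile'` fixes the `test` failure when `$1` is empty or looks like an operator, but the loop is still unbounded: if `--mode=compile` never appears among the arguments, `shift` runs out of positional parameters and, depending on the shell, the script either aborts with a shift error or keeps looping with an empty `$1` that never matches. A `test $# -gt 0 &&` guard in the condition plus a diagnostic when the marker is missing would be safer; the identical loop appears in the makedepend and cpp cases below.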
@ -430,18 +600,18 @@ dashmstdout)
done

test -z "$dashmflag" && dashmflag=-M
# Require at least two characters before searching for `:'
# Require at least two characters before searching for ':'
# in the target name. This is to cope with DOS-style filenames:
# a dependency such as `c:/foo/bar' could be seen as target `c' otherwise.
# a dependency such as 'c:/foo/bar' could be seen as target 'c' otherwise.
"$@" $dashmflag |
sed 's:^[ ]*[^: ][^:][^:]*\:[ ]*:'"$object"'\: :' > "$tmpdepfile"
sed "s|^[$tab ]*[^:$tab ][^:][^:]*:[$tab ]*|$object: |" > "$tmpdepfile"
rm -f "$depfile"
cat < "$tmpdepfile" > "$depfile"
tr ' ' '
' < "$tmpdepfile" | \
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
# Some versions of the HPUX 10.20 sed can't process this sed invocation
# correctly. Breaking it into two sed invocations is a workaround.
tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;

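Review bot: the new `sed "s|^[$tab ]*[^:$tab ][^:][^:]*:[$tab ]*|$object: |"` switches the delimiter from `:` to `|` and also treats tabs as whitespace, which is what the DOS-style `c:/foo/bar` comment needs, but `$object` is still interpolated unescaped into the replacement text, so an object path containing `|`, `&` or `\` would break the expression or corrupt the generated rule. Either escape those characters before interpolation or state the restriction next to the comment that already documents the two-character requirement; note that `$tab` and `$nl` are defined outside this hunk and the old expression relied on a literal tab inside `[ ]` that does not survive rendering.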
@ -455,41 +625,51 @@ makedepend)
"$@" || exit $?
# Remove any Libtool call
if test "$libtool" = yes; then
while test $1 != '--mode=compile'; do
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi
# X makedepend
shift
cleared=no
for arg in "$@"; do
cleared=no eat=no
for arg
do
case $cleared in
no)
set ""; shift
cleared=yes ;;
esac
if test $eat = yes; then
eat=no
continue
fi
case "$arg" in
-D*|-I*)
set fnord "$@" "$arg"; shift ;;
# Strip any option that makedepend may not understand. Remove
# the object too, otherwise makedepend will parse it as a source file.
-arch)
eat=yes ;;
-*|$object)
;;
*)
set fnord "$@" "$arg"; shift ;;
esac
done
obj_suffix="`echo $object | sed 's/^.*\././'`"
obj_suffix=`echo "$object" | sed 's/^.*\././'`
touch "$tmpdepfile"
${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
rm -f "$depfile"
cat < "$tmpdepfile" > "$depfile"
sed '1,2d' "$tmpdepfile" | tr ' ' '
' | \
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
# makedepend may prepend the VPATH from the source file name to the object.
# No need to regex-escape $object, excess matching of '.' is harmless.
sed "s|^.*\($object *:\)|\1|" "$tmpdepfile" > "$depfile"
# Some versions of the HPUX 10.20 sed can't process the last invocation
# correctly. Breaking it into two sed invocations is a workaround.
sed '1,2d' "$tmpdepfile" \
| tr ' ' "$nl" \
| sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile" "$tmpdepfile".bak
;;

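Review bot: `-arch) eat=yes ;;` drops the flag and exactly one following argument so makedepend never sees the architecture name as a source file, but it only works because it is listed before `-*|$object)`; a one-line comment above `-arch)` saying the order matters would stop a later reordering from silently passing the name through. The new `sed "s|^.*\($object *:\)|\1|"` interpolates `$object` into a regex, and the comment covers only `.`: `|`, `&`, `[` and `\` in the object path would still break the expression, so either escape them or widen the comment to state that assumption. The `$object)` case pattern on the unchanged line is also unquoted and therefore glob-matched, which the same comment could mention.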
@ -500,13 +680,13 @@ cpp)

# Remove the call to Libtool.
if test "$libtool" = yes; then
while test $1 != '--mode=compile'; do
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi

# Remove `-o $object'.
# Remove '-o $object'.
IFS=" "
for arg
do
@ -525,10 +705,10 @@ cpp)
esac
done

"$@" -E |
sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
-e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' |
sed '$ s: \\$::' > "$tmpdepfile"
"$@" -E \
| sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
-e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
| sed '$ s: \\$::' > "$tmpdepfile"
rm -f "$depfile"
echo "$object : \\" > "$depfile"
cat < "$tmpdepfile" >> "$depfile"
@ -538,35 +718,56 @@ cpp)

msvisualcpp)
# Important note: in order to support this mode, a compiler *must*
# always write the preprocessed file to stdout, regardless of -o,
# because we must use -o when running libtool.
# always write the preprocessed file to stdout.
"$@" || exit $?

# Remove the call to Libtool.
if test "$libtool" = yes; then
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi

IFS=" "
for arg
do
case "$arg" in
-o)
shift
;;
$object)
shift
;;
"-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI")
set fnord "$@"
shift
shift
;;
set fnord "$@"
shift
shift
;;
*)
set fnord "$@" "$arg"
shift
shift
;;
set fnord "$@" "$arg"
shift
shift
;;
esac
done
"$@" -E |
sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::echo "`cygpath -u \\"\1\\"`":p' | sort | uniq > "$tmpdepfile"
"$@" -E 2>/dev/null |
sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::\1:p' | $cygpath_u | sort -u > "$tmpdepfile"
rm -f "$depfile"
echo "$object : \\" > "$depfile"
. "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s:: \1 \\:p' >> "$depfile"
echo " " >> "$depfile"
. "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::\1\::p' >> "$depfile"
sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::'"$tab"'\1 \\:p' >> "$depfile"
echo "$tab" >> "$depfile"
sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::\1\::p' >> "$depfile"
rm -f "$tmpdepfile"
;;

msvcmsys)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;

none)
exec "$@"
;;
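Review bot: dropping `. "$tmpdepfile"` is the change that matters in this hunk and deserves a sentence in the commit message: the old pipeline rewrote every `#line` path into `echo "`cygpath -u ...`"` shell text and then sourced the temp file, so whatever string the preprocessor emitted as a file name was executed by the shell; the new version pipes the bare paths through `$cygpath_u` and never evaluates them. Two follow-ups: `"$@" -E 2>/dev/null` now discards preprocessor diagnostics that the old invocation showed, and the pipeline's exit status is never checked (unlike the `"$@" || exit $?` at the top of the case), so a failing `-E` run yields an empty `$tmpdepfile` that is written out as a valid rule with no prerequisites and no message.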
@ -585,5 +786,6 @@ exit 0
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:
@ -1,7 +1,7 @@
#!/bin/sh
# install - install a program, script, or datafile

scriptversion=2006-12-25.00
scriptversion=2011-11-20.07; # UTC

# This originates from X11R5 (mit/util/scripts/install.sh), which was
# later released in X11R6 (xc/config/util/install.sh) with the
@ -35,7 +35,7 @@ scriptversion=2006-12-25.00
# FSF changes to this file are in the public domain.
#
# Calling this script install-sh is preferred over install.sh, to prevent
# `make' implicit rules from creating a file called install from it
# 'make' implicit rules from creating a file called install from it
# when there is no Makefile.
#
# This script is compatible with the BSD install script, but was written
@ -156,6 +156,10 @@ while test $# -ne 0; do
-s) stripcmd=$stripprog;;

-t) dst_arg=$2
# Protect names problematic for 'test' and other utilities.
case $dst_arg in
-* | [=\(\)!]) dst_arg=./$dst_arg;;
esac
shift;;

-T) no_target_directory=true;;
@ -186,6 +190,10 @@ if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
fi
shift # arg
dst_arg=$arg
# Protect names problematic for 'test' and other utilities.
case $dst_arg in
-* | [=\(\)!]) dst_arg=./$dst_arg;;
esac
done
fi

@ -194,13 +202,17 @@ if test $# -eq 0; then
echo "$0: no input file specified." >&2
exit 1
fi
# It's OK to call `install-sh -d' without argument.
# It's OK to call 'install-sh -d' without argument.
# This can happen when creating conditional directories.
exit 0
fi

if test -z "$dir_arg"; then
trap '(exit $?); exit' 1 2 13 15
do_exit='(exit $ret); exit $ret'
trap "ret=129; $do_exit" 1
trap "ret=130; $do_exit" 2
trap "ret=141; $do_exit" 13
trap "ret=143; $do_exit" 15

# Set umask so as not to create temps with too-generous modes.
# However, 'strip' requires both read and write access to temps.
@ -228,9 +240,9 @@ fi

for src
do
# Protect names starting with `-'.
# Protect names problematic for 'test' and other utilities.
case $src in
-*) src=./$src;;
-* | [=\(\)!]) src=./$src;;
esac

if test -n "$dir_arg"; then
@ -252,12 +264,7 @@ do
echo "$0: no destination specified." >&2
exit 1
fi

dst=$dst_arg
# Protect names starting with `-'.
case $dst in
-*) dst=./$dst;;
esac

# If destination is a directory, append the input filename; won't work
# if double slashes aren't ignored.
@ -338,34 +345,41 @@ do
# is incompatible with FreeBSD 'install' when (umask & 300) != 0.
;;
*)
# $RANDOM is not portable (e.g. dash); use it when possible to
# lower collision chance
tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0

# As "mkdir -p" follows symlinks and we work in /tmp possibly; so
# create the $tmpdir first (and fail if unsuccessful) to make sure
# that nobody tries to guess the $tmpdir name.
if (umask $mkdir_umask &&
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
$mkdirprog $mkdir_mode "$tmpdir" &&
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
then
if test -z "$dir_arg" || {
# Check for POSIX incompatibilities with -m.
# HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
# other-writeable bit of parent directory when it shouldn't.
# other-writable bit of parent directory when it shouldn't.
# FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
ls_ld_tmpdir=`ls -ld "$tmpdir"`
test_tmpdir="$tmpdir/a"
ls_ld_tmpdir=`ls -ld "$test_tmpdir"`
case $ls_ld_tmpdir in
d????-?r-*) different_mode=700;;
d????-?--*) different_mode=755;;
*) false;;
esac &&
$mkdirprog -m$different_mode -p -- "$tmpdir" && {
ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
$mkdirprog -m$different_mode -p -- "$test_tmpdir" && {
ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"`
test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
}
}
then posix_mkdir=:
fi
rmdir "$tmpdir/d" "$tmpdir"
rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir"
else
# Remove any dirs left behind by ancient mkdir implementations.
rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null
fi
trap '' 0;;
esac;;
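Review bot: the added `$mkdirprog $mkdir_mode "$tmpdir" &&` ahead of the `-p` creation of `$tmpdir/a/b` is the right fix for the concern stated in the new comment: without `-p`, mkdir fails if `$tmpdir` already exists in the shared temp directory (including as a symlink), so the probe never follows a pre-existing path, and the extended `rmdir` lines plus `trap '' 0` clean up the partial tree on both branches. Two documentation nits: the comment's first sentence ("As ... possibly; so create ...") does not parse and should be rewritten, and the `$RANDOM` comment should say explicitly that it only lowers the collision chance while the create-without-`-p` step is what guarantees a fresh directory, since `$$` alone is predictable.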
@ -385,7 +399,7 @@ do

case $dstdir in
/*) prefix='/';;
-*) prefix='./';;
[-=\(\)!]*) prefix='./';;
*) prefix='';;
esac

@ -403,7 +417,7 @@ do

for d
do
test -z "$d" && continue
test X"$d" = X && continue

prefix=$prefix$d
if test -d "$prefix"; then
@ -515,5 +529,6 @@ done
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:
4036
auto/ltmain.sh
Executable file → Normal file
File diff suppressed because it is too large
458
auto/missing
@ -1,11 +1,10 @@
#! /bin/sh
# Common stub for a few missing GNU programs while installing.
# Common wrapper for a few potentially missing GNU programs.

scriptversion=2006-05-10.23
scriptversion=2013-10-28.13; # UTC

# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006
# Free Software Foundation, Inc.
# Originally by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
# Copyright (C) 1996-2013 Free Software Foundation, Inc.
# Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.

# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@ -18,9 +17,7 @@ scriptversion=2006-05-10.23
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.
# along with this program. If not, see <http://www.gnu.org/licenses/>.

# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
@ -28,66 +25,40 @@ scriptversion=2006-05-10.23
# the same distribution terms that you use for the rest of that program.

if test $# -eq 0; then
echo 1>&2 "Try \`$0 --help' for more information"
echo 1>&2 "Try '$0 --help' for more information"
exit 1
fi

run=:
sed_output='s/.* --output[ =]\([^ ]*\).*/\1/p'
sed_minuso='s/.* -o \([^ ]*\).*/\1/p'

# In the cases where this matters, `missing' is being run in the
# srcdir already.
if test -f configure.ac; then
configure_ac=configure.ac
else
configure_ac=configure.in
fi

msg="missing on your system"

case $1 in
--run)
# Try to run requested program, and just exit if it succeeds.
run=
shift
"$@" && exit 0
# Exit code 63 means version mismatch. This often happens
# when the user try to use an ancient version of a tool on
# a file that requires a minimum version. In this case we
# we should proceed has if the program had been absent, or
# if --run hadn't been passed.
if test $? = 63; then
run=:
msg="probably too old"
fi
;;

--is-lightweight)
# Used by our autoconf macros to check whether the available missing
# script is modern enough.
exit 0
;;

--run)
# Back-compat with the calling convention used by older automake.
shift
;;

-h|--h|--he|--hel|--help)
echo "\
$0 [OPTION]... PROGRAM [ARGUMENT]...

Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an
error status if there is no known handling for PROGRAM.
Run 'PROGRAM [ARGUMENT]...', returning a proper advice when this fails due
to PROGRAM being missing or too old.

Options:
-h, --help display this help and exit
-v, --version output version information and exit
--run try to run the given command, and emulate it if it fails

Supported PROGRAM values:
aclocal touch file \`aclocal.m4'
autoconf touch file \`configure'
autoheader touch file \`config.h.in'
autom4te touch the output file, or create a stub one
automake touch all \`Makefile.in' files
bison create \`y.tab.[ch]', if possible, from existing .[ch]
flex create \`lex.yy.c', if possible, from existing .c
help2man touch the output file
lex create \`lex.yy.c', if possible, from existing .c
makeinfo touch the output file
tar try tar, gnutar, gtar, then tar without non-portable flags
yacc create \`y.tab.[ch]', if possible, from existing .[ch]
aclocal autoconf autoheader autom4te automake makeinfo
bison yacc flex lex help2man

Version suffixes to PROGRAM as well as the prefixes 'gnu-', 'gnu', and
'g' are ignored when checking the name.

Send bug reports to <bug-automake@gnu.org>."
exit $?
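Review bot: the removed help entries (`aclocal touch file 'aclocal.m4'`, `bison create 'y.tab.[ch]', if possible, from existing .[ch]`, `tar try tar, gnutar, gtar, ...`) documented that `missing` emulated an absent tool by touching or stubbing its outputs; the replacement text only lists program names and promises "a proper advice", which is a behaviour change for any caller that relied on the stubs, and `tar` drops out of the supported list entirely. State that plainly in the help text (the script no longer emulates; the build fails with advice) and in the commit message. The `--run` case is kept for back-compat but its line `--run try to run the given command, and emulate it if it fails` is removed from Options, so the option is now accepted yet undocumented; a one-line "accepted for compatibility, ignored" entry would close that gap.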
@ -99,269 +70,146 @@ Send bug reports to <bug-automake@gnu.org>."
|
||||
;;
|
||||
|
||||
-*)
|
||||
echo 1>&2 "$0: Unknown \`$1' option"
|
||||
echo 1>&2 "Try \`$0 --help' for more information"
|
||||
echo 1>&2 "$0: unknown '$1' option"
|
||||
echo 1>&2 "Try '$0 --help' for more information"
|
||||
exit 1
|
||||
;;
|
||||
|
||||
esac
|
||||
|
||||
# Now exit if we have it, but it failed. Also exit now if we
|
||||
# don't have it and --version was passed (most likely to detect
|
||||
# the program).
|
||||
case $1 in
|
||||
lex|yacc)
|
||||
# Not GNU programs, they don't have --version.
|
||||
# Run the given program, remember its exit status.
|
||||
"$@"; st=$?
|
||||
|
||||
# If it succeeded, we are done.
|
||||
test $st -eq 0 && exit 0
|
||||
|
||||
# Also exit now if we it failed (or wasn't found), and '--version' was
|
||||
# passed; such an option is passed most likely to detect whether the
|
||||
# program is present and works.
|
||||
case $2 in --version|--help) exit $st;; esac
|
||||
|
||||
# Exit code 63 means version mismatch. This often happens when the user
|
||||
# tries to use an ancient version of a tool on a file that requires a
|
||||
# minimum version.
|
||||
if test $st -eq 63; then
|
||||
msg="probably too old"
|
||||
elif test $st -eq 127; then
|
||||
# Program was missing.
|
||||
msg="missing on your system"
|
||||
else
|
||||
# Program was found and executed, but failed. Give up.
|
||||
exit $st
|
||||
fi
|
||||
|
||||
perl_URL=http://www.perl.org/
|
||||
flex_URL=http://flex.sourceforge.net/
|
||||
gnu_software_URL=http://www.gnu.org/software
|
||||
|
||||
program_details ()
|
||||
{
|
||||
case $1 in
|
||||
aclocal|automake)
|
||||
echo "The '$1' program is part of the GNU Automake package:"
|
||||
echo "<$gnu_software_URL/automake>"
|
||||
echo "It also requires GNU Autoconf, GNU m4 and Perl in order to run:"
|
||||
echo "<$gnu_software_URL/autoconf>"
|
||||
echo "<$gnu_software_URL/m4/>"
|
||||
echo "<$perl_URL>"
|
||||
;;
|
||||
autoconf|autom4te|autoheader)
|
||||
echo "The '$1' program is part of the GNU Autoconf package:"
|
||||
echo "<$gnu_software_URL/autoconf/>"
|
||||
echo "It also requires GNU m4 and Perl in order to run:"
|
||||
echo "<$gnu_software_URL/m4/>"
|
||||
echo "<$perl_URL>"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
give_advice ()
|
||||
{
|
||||
# Normalize program name to check for.
|
||||
normalized_program=`echo "$1" | sed '
|
||||
s/^gnu-//; t
|
||||
s/^gnu//; t
|
||||
s/^g//; t'`
|
||||
|
||||
printf '%s\n' "'$1' is $msg."
|
||||
|
||||
configure_deps="'configure.ac' or m4 files included by 'configure.ac'"
|
||||
case $normalized_program in
|
||||
autoconf*)
|
||||
echo "You should only need it if you modified 'configure.ac',"
|
||||
echo "or m4 files included by it."
|
||||
program_details 'autoconf'
|
||||
;;
|
||||
autoheader*)
|
||||
echo "You should only need it if you modified 'acconfig.h' or"
|
||||
echo "$configure_deps."
|
||||
program_details 'autoheader'
|
||||
;;
|
||||
automake*)
|
||||
echo "You should only need it if you modified 'Makefile.am' or"
|
||||
echo "$configure_deps."
|
||||
program_details 'automake'
|
||||
;;
|
||||
aclocal*)
|
||||
echo "You should only need it if you modified 'acinclude.m4' or"
|
||||
echo "$configure_deps."
|
||||
program_details 'aclocal'
|
||||
;;
|
||||
autom4te*)
|
||||
echo "You might have modified some maintainer files that require"
|
||||
echo "the 'autom4te' program to be rebuilt."
|
||||
program_details 'autom4te'
|
||||
;;
|
||||
bison*|yacc*)
|
||||
echo "You should only need it if you modified a '.y' file."
|
||||
echo "You may want to install the GNU Bison package:"
|
||||
echo "<$gnu_software_URL/bison/>"
|
||||
;;
|
||||
lex*|flex*)
|
||||
echo "You should only need it if you modified a '.l' file."
|
||||
echo "You may want to install the Fast Lexical Analyzer package:"
|
||||
echo "<$flex_URL>"
|
||||
;;
|
||||
help2man*)
|
||||
echo "You should only need it if you modified a dependency" \
|
||||
"of a man page."
|
||||
echo "You may want to install the GNU Help2man package:"
|
||||
echo "<$gnu_software_URL/help2man/>"
|
||||
;;
|
||||
makeinfo*)
|
||||
echo "You should only need it if you modified a '.texi' file, or"
|
||||
echo "any other file indirectly affecting the aspect of the manual."
|
||||
echo "You might want to install the Texinfo package:"
|
||||
echo "<$gnu_software_URL/texinfo/>"
|
||||
echo "The spurious makeinfo call might also be the consequence of"
|
||||
echo "using a buggy 'make' (AIX, DU, IRIX), in which case you might"
|
||||
echo "want to install GNU make:"
|
||||
echo "<$gnu_software_URL/make/>"
|
||||
;;
|
||||
*)
|
||||
echo "You might have modified some files without having the proper"
|
||||
echo "tools for further handling them. Check the 'README' file, it"
|
||||
echo "often tells you about the needed prerequisites for installing"
|
||||
echo "this package. You may also peek at any GNU archive site, in"
|
||||
echo "case some other package contains this missing '$1' program."
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
tar)
|
||||
if test -n "$run"; then
|
||||
echo 1>&2 "ERROR: \`tar' requires --run"
|
||||
exit 1
|
||||
elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
give_advice "$1" | sed -e '1s/^/WARNING: /' \
|
||||
-e '2,$s/^/ /' >&2
|
||||
|
||||
*)
|
||||
if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
|
||||
# We have it, but it failed.
|
||||
exit 1
|
||||
elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
|
||||
# Could not run --version or --help. This is probably someone
|
||||
# running `$TOOL --version' or `$TOOL --help' to check whether
|
||||
# $TOOL exists and not knowing $TOOL uses missing.
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
# If it does not exist, or fails to run (possibly an outdated version),
|
||||
# try to emulate it.
|
||||
case $1 in
|
||||
aclocal*)
|
||||
echo 1>&2 "\
|
||||
WARNING: \`$1' is $msg. You should only need it if
|
||||
you modified \`acinclude.m4' or \`${configure_ac}'. You might want
|
||||
to install the \`Automake' and \`Perl' packages. Grab them from
|
||||
any GNU archive site."
|
||||
touch aclocal.m4
|
||||
;;
|
||||
|
||||
autoconf)
|
||||
echo 1>&2 "\
|
||||
WARNING: \`$1' is $msg. You should only need it if
|
||||
you modified \`${configure_ac}'. You might want to install the
|
||||
\`Autoconf' and \`GNU m4' packages. Grab them from any GNU
|
||||
archive site."
touch configure
;;

autoheader)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified \`acconfig.h' or \`${configure_ac}'. You might want
to install the \`Autoconf' and \`GNU m4' packages. Grab them
from any GNU archive site."
files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' ${configure_ac}`
test -z "$files" && files="config.h"
touch_files=
for f in $files; do
case $f in
*:*) touch_files="$touch_files "`echo "$f" |
sed -e 's/^[^:]*://' -e 's/:.*//'`;;
*) touch_files="$touch_files $f.in";;
esac
done
touch $touch_files
;;

automake*)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified \`Makefile.am', \`acinclude.m4' or \`${configure_ac}'.
You might want to install the \`Automake' and \`Perl' packages.
Grab them from any GNU archive site."
find . -type f -name Makefile.am -print |
sed 's/\.am$/.in/' |
while read f; do touch "$f"; done
;;

autom4te)
echo 1>&2 "\
WARNING: \`$1' is needed, but is $msg.
You might have modified some files without having the
proper tools for further handling them.
You can get \`$1' as part of \`Autoconf' from any GNU
archive site."

file=`echo "$*" | sed -n "$sed_output"`
test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
if test -f "$file"; then
touch $file
else
test -z "$file" || exec >$file
echo "#! /bin/sh"
echo "# Created by GNU Automake missing as a replacement of"
echo "# $ $@"
echo "exit 0"
chmod +x $file
exit 1
fi
;;

bison|yacc)
echo 1>&2 "\
WARNING: \`$1' $msg. You should only need it if
you modified a \`.y' file. You may need the \`Bison' package
in order for those modifications to take effect. You can get
\`Bison' from any GNU archive site."
rm -f y.tab.c y.tab.h
if test $# -ne 1; then
eval LASTARG="\${$#}"
case $LASTARG in
*.y)
SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'`
if test -f "$SRCFILE"; then
cp "$SRCFILE" y.tab.c
fi
SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'`
if test -f "$SRCFILE"; then
cp "$SRCFILE" y.tab.h
fi
;;
esac
fi
if test ! -f y.tab.h; then
echo >y.tab.h
fi
if test ! -f y.tab.c; then
echo 'main() { return 0; }' >y.tab.c
fi
;;

lex|flex)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified a \`.l' file. You may need the \`Flex' package
in order for those modifications to take effect. You can get
\`Flex' from any GNU archive site."
rm -f lex.yy.c
if test $# -ne 1; then
eval LASTARG="\${$#}"
case $LASTARG in
*.l)
SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'`
if test -f "$SRCFILE"; then
cp "$SRCFILE" lex.yy.c
fi
;;
esac
fi
if test ! -f lex.yy.c; then
echo 'main() { return 0; }' >lex.yy.c
fi
;;

help2man)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified a dependency of a manual page. You may need the
\`Help2man' package in order for those modifications to take
effect. You can get \`Help2man' from any GNU archive site."

file=`echo "$*" | sed -n "$sed_output"`
test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
if test -f "$file"; then
touch $file
else
test -z "$file" || exec >$file
echo ".ab help2man is required to generate this page"
exit 1
fi
;;

makeinfo)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified a \`.texi' or \`.texinfo' file, or any other file
indirectly affecting the aspect of the manual. The spurious
call might also be the consequence of using a buggy \`make' (AIX,
DU, IRIX). You might want to install the \`Texinfo' package or
the \`GNU make' package. Grab either from any GNU archive site."
# The file to touch is that specified with -o ...
file=`echo "$*" | sed -n "$sed_output"`
test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
if test -z "$file"; then
# ... or it is the one specified with @setfilename ...
infile=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'`
file=`sed -n '
/^@setfilename/{
s/.* \([^ ]*\) *$/\1/
p
q
}' $infile`
# ... or it is derived from the source name (dir/f.texi becomes f.info)
test -z "$file" && file=`echo "$infile" | sed 's,.*/,,;s,.[^.]*$,,'`.info
fi
# If the file does not exist, the user really needs makeinfo;
# let's fail without touching anything.
test -f $file || exit 1
touch $file
;;

tar)
shift

# We have already tried tar in the generic part.
# Look for gnutar/gtar before invocation to avoid ugly error
# messages.
if (gnutar --version > /dev/null 2>&1); then
gnutar "$@" && exit 0
fi
if (gtar --version > /dev/null 2>&1); then
gtar "$@" && exit 0
fi
firstarg="$1"
if shift; then
case $firstarg in
*o*)
firstarg=`echo "$firstarg" | sed s/o//`
tar "$firstarg" "$@" && exit 0
;;
esac
case $firstarg in
*h*)
firstarg=`echo "$firstarg" | sed s/h//`
tar "$firstarg" "$@" && exit 0
;;
esac
fi

echo 1>&2 "\
WARNING: I can't seem to be able to run \`tar' with the given arguments.
You may want to install GNU tar or Free paxutils, or check the
command line arguments."
exit 1
;;

*)
echo 1>&2 "\
WARNING: \`$1' is needed, and is $msg.
You might have modified some files without having the
proper tools for further handling them. Check the \`README' file,
it often tells you about the needed prerequisites for installing
this package. You may also peek at any GNU archive site, in case
some other package would contain this missing \`$1' program."
exit 1
;;
esac

exit 0
# Propagate the correct exit status (expected to be 127 for a program
# not found, 63 for a program that failed due to version mismatch).
exit $st

# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:
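Review bot: the per-tool branches of this `missing` script fabricate output instead of failing: `autom4te` and `help2man` write a stub `#! /bin/sh` / `exit 0` script into the `-o` target and `chmod +x` it, `bison|yacc` and `lex|flex` emit a `main() { return 0; }` source file, and `autoheader` / `automake*` simply `touch` the expected outputs. In a release build that hides a missing tool behind an empty artifact; the `exit $st` tail ("127 for a program not found, 63 for ... version mismatch") is the behaviour the newer generation of this script uses instead, and as shown here it sits unreachably after `exit 0`. Since `missing` is generated autotools support code, regenerate it from the automake release named in the `doc/Makefile.in` header rather than hand-merging the two generations, and verify that the fabricating branches are gone in the result.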
@ -1,31 +1,25 @@
#!/bin/sh
set -ev
VERSION=4.57
VERSION=5.42
DST=stunnel-$VERSION-android

# to build Zlib:
# export CHOST=arm-linux-androideabi
# ./configure --static --prefix=/opt/androideabi/sysroot
# make
# make install

# to build OpenSSL:
# export CC=arm-linux-androideabi-gcc
# ./Configure linux-armv4 threads no-shared zlib no-dso --openssldir=/opt/androideabi/sysroot
# make
# ./Configure threads no-shared no-dso --cross-compile-prefix=arm-linux-androideabi- --openssldir=/opt/androideabi/sysroot linux-armv4
# make install

test -f Makefile && make distclean
mkdir -p bin/android
cd bin/android
../../configure --build=i686-pc-linux-gnu --host=arm-linux-androideabi --prefix=/data/local --with-ssl=/opt/androideabi/sysroot
../../configure --with-sysroot --build=i686-pc-linux-gnu --host=arm-linux-androideabi --prefix=/data/local
make clean
make
cd ../..
mkdir $DST
cp bin/android/src/stunnel /opt/androideabi/sysroot/bin/openssl $DST
cp bin/android/src/stunnel $DST
# arm-linux-androideabi-strip $DST/stunnel $DST/openssl
arm-linux-androideabi-strip $DST/openssl
# cp /opt/androideabi/sysroot/bin/openssl $DST
# arm-linux-androideabi-strip $DST/openssl
zip -r $DST.zip $DST
rm -rf $DST
sha256sum $DST.zip
mv $DST.zip ../dist/
# sha256sum $DST.zip
# mv $DST.zip ../dist/
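Review bot: the digest and publish steps `sha256sum $DST.zip` and `mv $DST.zip ../dist/` are present both live and commented out (`# sha256sum $DST.zip`, `# mv $DST.zip ../dist/`); if the commented form is the surviving one, the Android archive leaves this script with no recorded checksum, so keep the `sha256sum` step (and ideally a detached signature over the zip) so the published artifact can be verified against the release notes. Two smaller points: if `arm-linux-androideabi-strip $DST/openssl` is the surviving line while the copy has become `cp bin/android/src/stunnel $DST`, it strips a file that is no longer in `$DST` and will abort the script under `set -ev`; and `VERSION=5.42` is maintained by hand here and again in `AC_INIT` in configure.ac, so consider deriving it from `configure.ac` to avoid the two drifting.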
492
configure.ac
@ -1,14 +1,14 @@
# Process this file with autoconf to produce a configure script.

AC_INIT([stunnel],[4.57])
AC_INIT([stunnel],[5.42])
AC_MSG_NOTICE([**************************************** initialization])
AC_CONFIG_AUX_DIR(auto)
AC_CONFIG_MACRO_DIR([m4])
AM_INIT_AUTOMAKE(stunnel, 4.57)
AC_CONFIG_HEADERS([src/config.h])
AC_CONFIG_SRCDIR([src/stunnel.c])
AC_DEFINE([_GNU_SOURCE], [1], [Use GNU source])
AM_INIT_AUTOMAKE

AM_CONDITIONAL([AUTHOR_TESTS], [test -d ".git"])
AC_CANONICAL_HOST
AC_SUBST([host])
AC_DEFINE_UNQUOTED([HOST], ["$host"], [Host description])
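Review bot: `AM_CONDITIONAL([AUTHOR_TESTS], [test -d ".git"])` keys the author test suite to the presence of a `.git` directory, so release tarballs and downstream package builds silently run fewer tests than a checkout does; an explicit `--enable-author-tests` option (or at least a note in the install documentation) would let packagers opt in deliberately. Separately, `AC_DEFINE([_GNU_SOURCE], [1], [Use GNU source])` is now issued unconditionally before `AM_INIT_AUTOMAKE`; make sure the `*)` branch of the `case "$host_os"` block in the next hunk, which defines the same macro, does not survive alongside it, otherwise the define is duplicated and the darwin branch no longer excludes it.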
@ -17,104 +17,116 @@ AC_DEFINE_UNQUOTED(esc(CPU_$host_cpu))
AC_DEFINE_UNQUOTED(esc(VENDOR_$host_vendor))
AC_DEFINE_UNQUOTED(esc(OS_$host_os))

case "$host_os" in
*darwin*)
# OSX does not declare ucontext without _XOPEN_SOURCE
AC_DEFINE([_XOPEN_SOURCE], [500], [Use X/Open 5 with POSIX 1995])
# OSX does not declare chroot() without _DARWIN_C_SOURCE
AC_DEFINE([_DARWIN_C_SOURCE], [1], [Use Darwin source])
;;
*)
AC_DEFINE([_GNU_SOURCE], [1], [Use GNU source])
;;
esac

AC_PROG_CC
AM_PROG_CC_C_O
AC_PROG_INSTALL
AC_PROG_MAKE_SET
# silent build by default
ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])

# Checks for typedefs, structures, and compiler characteristics
# AC_C_CONST
# AC_TYPE_SIZE_T
# AC_TYPE_PID_T
# AC_HEADER_TIME
AC_MSG_NOTICE([**************************************** thread model])
# thread detection should be done first, as it may change the CC variable

AC_ARG_WITH(threads,
[ --with-threads=model select threading model (ucontext/pthread/fork)],
[
case "$withval" in
ucontext)
AC_MSG_NOTICE([UCONTEXT mode selected])
AC_DEFINE([USE_UCONTEXT], [1], [Define to 1 to select UCONTEXT mode])
;;
pthread)
AC_MSG_NOTICE([PTHREAD mode selected])
AX_PTHREAD()
LIBS="$PTHREAD_LIBS $LIBS"
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
CC="$PTHREAD_CC"
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
;;
fork)
AC_MSG_NOTICE([FORK mode selected])
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
;;
*)
AC_MSG_ERROR([Unknown thread model \"${withval}\"])
;;
esac
], [
# do not attempt to autodetect UCONTEXT threading
AX_PTHREAD([
AC_MSG_NOTICE([PTHREAD thread model detected])
LIBS="$PTHREAD_LIBS $LIBS"
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
CC="$PTHREAD_CC"
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
], [
AC_MSG_NOTICE([FORK thread model detected])
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
])
])

AC_MSG_NOTICE([**************************************** compiler/linker flags])
AC_SUBST([stunnel_LDFLAGS])

AC_MSG_CHECKING([whether $CC accepts -pthread])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -pthread"
valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -pthread"
AC_LINK_IFELSE([int main() {return 0;}],
[
AC_MSG_RESULT([yes])
AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -pthread"])
AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -pthread"])
], [
AC_MSG_RESULT([no])
])
CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS"

AC_MSG_CHECKING([whether $CC accepts -fstack-protector])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -fstack-protector"
valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -fstack-protector"
AC_LINK_IFELSE([int main() {return 0;}],
[
AC_MSG_RESULT([yes])
AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -fstack-protector"])
AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -fstack-protector"])
], [
AC_MSG_RESULT([no])
])
CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS"

AC_MSG_CHECKING([whether $CC accepts -pie])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -fPIE"
valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -pie -fPIE"
AC_LINK_IFELSE([int main() {return 0;}],
[
AC_MSG_RESULT([yes])
AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -fPIE"])
AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -pie -fPIE"])
], [
AC_MSG_RESULT([no])
])
CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS"

AC_MSG_CHECKING([whether $CC accepts -Wall])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wall"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])

AC_MSG_CHECKING([whether $CC accepts -Wextra])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wextra"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])

AC_MSG_CHECKING([whether $CC accepts -Wno-long-long])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wno-long-long"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])

AC_MSG_CHECKING([whether $CC accepts -pedantic])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -pedantic"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
if test "$GCC" = yes; then
AX_APPEND_COMPILE_FLAGS([-Wall])
AX_APPEND_COMPILE_FLAGS([-Wextra])
AX_APPEND_COMPILE_FLAGS([-Wpedantic])
AX_APPEND_COMPILE_FLAGS([-Wformat=2])
AX_APPEND_COMPILE_FLAGS([-Wconversion])
AX_APPEND_COMPILE_FLAGS([-Wno-long-long])
AX_APPEND_COMPILE_FLAGS([-Wno-deprecated-declarations])
AX_APPEND_COMPILE_FLAGS([-fPIE])
case "${host}" in
avr-*.* | powerpc-*-aix* | rl78-*.* | visium-*.*)
;;
*)
AX_APPEND_COMPILE_FLAGS([-fstack-protector])
;;
esac
AX_APPEND_LINK_FLAGS([-fPIE -pie])
AX_APPEND_LINK_FLAGS([-Wl,-z,relro])
AX_APPEND_LINK_FLAGS([-Wl,-z,now])
AX_APPEND_LINK_FLAGS([-Wl,-z,noexecstack])
fi
AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2])

AC_MSG_NOTICE([**************************************** libtool])
LT_INIT([disable-static])
AC_SUBST([LIBTOOL_DEPS])

AC_MSG_NOTICE([**************************************** types])
AC_CHECK_SIZEOF(unsigned char)
AC_CHECK_SIZEOF(unsigned short)
AC_CHECK_SIZEOF(unsigned int)
AC_CHECK_SIZEOF(unsigned long)

AC_TYPE_INT8_T
AC_TYPE_INT16_T
AC_TYPE_INT32_T
AC_TYPE_INT64_T
AC_TYPE_UINT8_T
AC_TYPE_UINT16_T
AC_TYPE_UINT32_T
AC_TYPE_UINT64_T
AC_TYPE_SIZE_T
AC_TYPE_SSIZE_T
AC_TYPE_UID_T
AC_MSG_CHECKING([for socklen_t])
AC_EGREP_HEADER(socklen_t, sys/socket.h,
AC_MSG_RESULT([yes]),
AC_MSG_RESULT([no (defined as int)])
AC_DEFINE([socklen_t], [int], [Type of socklen_t]))

AC_CHECK_TYPES([struct sockaddr_un], [], [], [#include <sys/un.h>])
AC_CHECK_TYPES([struct addrinfo], [], [], [#include <netdb.h>])

AC_MSG_NOTICE([**************************************** PTY device files])
if test "$cross_compiling" = "no"; then
if test "x$cross_compiling" = "xno"; then
AC_CHECK_FILE("/dev/ptmx", AC_DEFINE([HAVE_DEV_PTMX], [1],
[Define to 1 if you have '/dev/ptmx' device.]))
AC_CHECK_FILE("/dev/ptc", AC_DEFINE([HAVE_DEV_PTS_AND_PTC], [1],
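Review bot: `AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2])` only has an effect when the compiler optimises (`-O1` or higher); with a user-supplied `CFLAGS` that lacks `-O`, glibc ignores the macro (newer glibc emits a warning), so either append an optimisation level when `CFLAGS` has none or document that the fortification depends on it. While the hardening set is being introduced, `-fstack-protector-strong` is worth probing before falling back to `-fstack-protector` (the `case "${host}"` exclusion list can stay as is), and because every one of `-fPIE -pie`, `-Wl,-z,relro`, `-Wl,-z,now` and `-Wl,-z,noexecstack` is gated on `test "$GCC" = yes`, a non-GNU compiler silently gets none of them; printing which flags actually took effect in the final summary would make that visible. The removed `AC_SUBST([stunnel_LDFLAGF], ...)` lines also substitute a variable named `stunnel_LDFLAGF` while the file declares `AC_SUBST([stunnel_LDFLAGS])`, so unless a Makefile referenced the misspelled name the earlier `-pie` and `-fstack-protector` link flags never reached the build; the `AX_APPEND_LINK_FLAGS` replacement fixes that and deserves a changelog line.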
@ -125,13 +137,14 @@ fi

AC_MSG_NOTICE([**************************************** entropy sources])

if test "$cross_compiling" = "no"; then
if test "x$cross_compiling" = "xno"; then
AC_ARG_WITH(egd-socket,
[ --with-egd-socket=FILE Entropy Gathering Daemon socket path],
[EGD_SOCKET="$withval"]
)
if test -n "$EGD_SOCKET"; then
AC_DEFINE_UNQUOTED([EGD_SOCKET], ["$EGD_SOCKET"], [Entropy Gathering Daemon socket path])
AC_DEFINE_UNQUOTED([EGD_SOCKET], ["$EGD_SOCKET"],
[Entropy Gathering Daemon socket path])
fi

# Check for user-specified random device
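Review bot: `AC_ARG_WITH(egd-socket, ...)` sits inside `if test "x$cross_compiling" = "xno"`, so `--with-egd-socket=FILE` is accepted but silently ignored for cross builds even though it only records a path string in `EGD_SOCKET` and needs no host probing; move the option outside the guard and keep only the device probes that follow (`# Check for user-specified random device`) conditional. An entropy option that is accepted but not honoured leaves a cross-compiled binary with a different seeding configuration than the operator believes they configured, which is the kind of mismatch that should fail loudly rather than pass.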
@ -153,7 +166,7 @@ fi

AC_MSG_NOTICE([**************************************** default group])
DEFAULT_GROUP=nobody
if test "$cross_compiling" = "no"; then
if test "x$cross_compiling" = "xno"; then
grep '^nogroup:' /etc/group >/dev/null && DEFAULT_GROUP=nogroup
else
AC_MSG_WARN([cross-compilation: assuming nogroup is not available])
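Review bot: `grep '^nogroup:' /etc/group` inspects the group database of the machine running `configure`, so the substituted `DEFAULT_GROUP` describes the build host rather than the system stunnel will drop privileges on; the `AC_MSG_WARN` only covers the `cross_compiling=yes` case, not a native build in a chroot or container whose `/etc/group` differs from the deployment target. Since the value is `AC_SUBST`ed into generated files, a `--with-default-group=NAME` option (or a documented override) would let packagers set it deliberately instead of inheriting whatever the build box had.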
@ -162,12 +175,17 @@ AC_MSG_CHECKING([for default group])
AC_MSG_RESULT([$DEFAULT_GROUP])
AC_SUBST([DEFAULT_GROUP])

AC_SYS_LARGEFILE

AC_MSG_NOTICE([**************************************** header files])
# AC_HEADER_DIRENT
# AC_HEADER_STDC
# AC_HEADER_SYS_WAIT
AC_CHECK_HEADERS([malloc.h ucontext.h pthread.h poll.h tcpd.h stropts.h grp.h unistd.h util.h libutil.h pty.h])
AC_CHECK_HEADERS([sys/types.h sys/select.h sys/poll.h sys/socket.h sys/un.h sys/ioctl.h sys/filio.h sys/resource.h sys/uio.h])
AC_CHECK_HEADERS([stdint.h inttypes.h malloc.h ucontext.h pthread.h poll.h \
tcpd.h stropts.h grp.h unistd.h util.h libutil.h pty.h limits.h])
AC_CHECK_HEADERS([sys/types.h sys/select.h sys/poll.h sys/socket.h sys/un.h \
sys/ioctl.h sys/filio.h sys/resource.h sys/uio.h sys/syscall.h])
AC_CHECK_HEADERS([linux/sched.h])
AC_CHECK_MEMBERS([struct msghdr.msg_control],
[AC_DEFINE([HAVE_MSGHDR_MSG_CONTROL], [1],
[Define to 1 if you have 'msghdr.msg_control' structure.])], [], [
@ -188,102 +206,22 @@ AC_SEARCH_LIBS([gethostbyname], [nsl])
AC_SEARCH_LIBS([yp_get_default_domain], [nsl])
AC_SEARCH_LIBS([socket], [socket])
AC_SEARCH_LIBS([openpty], [util])
# Checks for dynamic loader and zlib needed by OpenSSL
# Checks for dynamic loader needed by OpenSSL
AC_SEARCH_LIBS([dlopen], [dl])
AC_SEARCH_LIBS([shl_load], [dld])
AC_SEARCH_LIBS([inflateEnd], [z])

# Add BeOS libraries
if test "$host_os" = "beos"; then
if test "x$host_os" = "xbeos"; then
LIBS="$LIBS -lbe -lroot -lbind"
fi

AC_MSG_NOTICE([**************************************** thread model])

checkpthreadlib() { :
# 1. BSD hack: attempt to use alternative libc implementation if available
AC_CHECK_LIB([c_r], [pthread_create],
[
LIBS="$LIBS -pthread"
HAVE_LIBPTHREAD="yes"
AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.])
]
)

# 2. try to use from standard libc (required by Android and possibly other platforms)
AC_CHECK_LIB([c], [pthread_create],
[
HAVE_LIBPTHREAD="yes"
AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.])
]
)

# 3. try libpthread: OSF hack instead of simple AC_CHECK_LIB here
AC_MSG_CHECKING([for pthread_create in -lpthread])
valid_LIBS="$LIBS"
LIBS="$valid_LIBS -lpthread"
AC_LINK_IFELSE(
[AC_LANG_PROGRAM(
[
#include <pthread.h>
],
[
pthread_create((void *)0, (void *)0, (void *)0, (void *)0)
]
)],
[
AC_MSG_RESULT([yes])
HAVE_LIBPTHREAD="yes"
AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.])
], [
AC_MSG_RESULT([no])
LIBS="$valid_LIBS"
]
)
}

AC_ARG_WITH(threads,
[ --with-threads=model select threading model (ucontext/pthread/fork)],
[
case "$withval" in
ucontext)
AC_MSG_NOTICE([UCONTEXT mode selected])
AC_DEFINE([USE_UCONTEXT], [1], [Define to 1 to select UCONTEXT mode])
;;
pthread)
checkpthreadlib
AC_MSG_NOTICE([PTHREAD mode selected])
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
;;
fork)
AC_MSG_NOTICE([FORK mode selected])
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
;;
*)
AC_MSG_ERROR([Unknown thread model \"${withval}\"])
;;
esac
], [
checkpthreadlib
if test "$HAVE_LIBPTHREAD" = "yes" -a "$ac_cv_header_pthread_h" = "yes"; then
AC_MSG_NOTICE([PTHREAD thread model detected])
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
elif test "$ac_cv_func_getcontext" = "yes" -a "$ac_cv_header_ucontext_h" = "yes"; then
AC_MSG_NOTICE([UCONTEXT thread model detected])
AC_DEFINE([USE_UCONTEXT], [1], [Define to 1 to select UCONTEXT mode])
else
AC_MSG_NOTICE([FORK thread model detected])
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
fi
])

AC_MSG_NOTICE([**************************************** library functions])
# safe string operations
AC_CHECK_FUNCS(snprintf vsnprintf)
# pseudoterminal
AC_CHECK_FUNCS(openpty _getpty)
# Unix
AC_CHECK_FUNCS(daemon waitpid wait4 setsid setgroups chroot)
AC_CHECK_FUNCS(daemon waitpid wait4 setsid setgroups chroot realpath)
# limits
AC_CHECK_FUNCS(sysconf getrlimit)
# threads/reentrant functions
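Review bot: with `AC_SEARCH_LIBS([inflateEnd], [z])` dropped (the comment now reads "dynamic loader needed by OpenSSL"), a statically linked OpenSSL that was configured with zlib support will no longer link unless the packager passes `LIBS=-lz` explicitly; that is a reasonable simplification, since TLS-level compression is something a hardened build wants off anyway, but it should be stated in the install documentation. Removing the hand-rolled `checkpthreadlib` also means nothing in this file defines `HAVE_LIBPTHREAD` any more; grep the sources for any remaining `#ifdef HAVE_LIBPTHREAD` that should have become `USE_PTHREAD`, because such a block would now compile its non-threaded path without any configure-time warning. Adding `realpath` to `AC_CHECK_FUNCS` is fine as long as the caller has a fallback for `HAVE_REALPATH` being undefined.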
@ -316,10 +254,10 @@ getaddrinfo(NULL, NULL, NULL, NULL);
[AC_MSG_RESULT([no])])
;;
esac
# poll() is not recommended on Mac OS X <=10.3 and broken on Mac OS X >=10.4
# poll() is not recommended on Mac OS X <= 10.3 and broken on Mac OS X 10.4
AC_MSG_CHECKING([for broken poll() implementation])
case "$host_os" in
darwin*)
darwin[0-8].*)
AC_MSG_RESULT([yes (poll() disabled)])
AC_DEFINE([BROKEN_POLL], [1], [Define to 1 if you have a broken 'poll' implementation.])
;;
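Review bot: the pattern `darwin[0-8].*)` narrows `BROKEN_POLL` to Darwin 0 through 8 (Mac OS X 10.4 and earlier), which matches the reworded comment, but it requires a dotted version suffix: a `host_os` of exactly `darwin8` would fall through and keep `poll()` enabled on a release the comment calls broken. `darwin[0-8] | darwin[0-8].*)` covers both spellings; the shorter `darwin[0-8]*` is not a safe shortcut because it would also match `darwin10` and later.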
@ -334,11 +272,12 @@ AC_MSG_NOTICE([**************************************** optional features])
# Use IPv6?
AC_MSG_CHECKING([whether to enable IPv6 support])
AC_ARG_ENABLE(ipv6,
[ --enable-ipv6 Enable IPv6 support],
[ --disable-ipv6 disable IPv6 support],
[
case "$enableval" in
yes) AC_MSG_RESULT([yes])
AC_DEFINE([USE_IPv6], [1], [Define to 1 to enable IPv6 support])
AC_DEFINE([USE_IPv6], [1],
[Define to 1 to enable IPv6 support])
;;
no) AC_MSG_RESULT([no])
;;
@ -346,23 +285,86 @@ AC_ARG_ENABLE(ipv6,
AC_MSG_ERROR([bad value \"${enableval}\"])
;;
esac
], [
AC_MSG_RESULT([yes (default)])
AC_DEFINE([USE_IPv6], [1], [Define to 1 to enable IPv6 support])
], [
AC_MSG_RESULT([no])
]
)

# FIPS Mode
AC_MSG_CHECKING([whether to enable FIPS support])
AC_ARG_ENABLE(fips,
[ --disable-fips disable OpenSSL FIPS support],
[
case "$enableval" in
yes) AC_MSG_RESULT([no])
use_fips="yes"
AC_DEFINE([USE_FIPS], [1],
[Define to 1 to enable OpenSSL FIPS support])
;;
no) AC_MSG_RESULT([no])
use_fips="no"
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([bad value \"${enableval}\"])
;;
esac
],
[AC_MSG_RESULT([yes]); AC_DEFINE([USE_IPv6], [1], [Define to 1 to enable IPv6 support])],
[AC_MSG_RESULT([no])]
[
use_fips="auto"
AC_MSG_RESULT([autodetecting])
]
)

# Disable systemd socket activation support
AC_MSG_CHECKING([whether to enable systemd socket activation support])
AC_ARG_ENABLE(systemd,
[ --disable-systemd disable systemd socket activation support],
[
case "$enableval" in
yes) AC_MSG_RESULT([yes])
AC_SEARCH_LIBS([sd_listen_fds], [systemd systemd-daemon])
AC_DEFINE([USE_SYSTEMD], [1],
[Define to 1 to enable systemd socket activation])
;;
no) AC_MSG_RESULT([no])
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([Bad value \"${enableval}\"])
;;
esac
],
[
AC_MSG_RESULT([autodetecting])
# the library name has changed to -lsystemd in systemd 209
AC_SEARCH_LIBS([sd_listen_fds], [systemd systemd-daemon],
[ AC_CHECK_HEADERS([systemd/sd-daemon.h], [
AC_DEFINE([USE_SYSTEMD], [1],
[Define to 1 to enable systemd socket activation])
AC_MSG_NOTICE([systemd support enabled])
], [
AC_MSG_NOTICE([systemd header not found])
]) ], [
AC_MSG_NOTICE([systemd library not found])
])
]
)

# Disable use of libwrap (TCP wrappers)
# it should be the last check!
AC_MSG_CHECKING([whether to disable TCP wrappers library support])
AC_MSG_CHECKING([whether to enable TCP wrappers support])
AC_ARG_ENABLE(libwrap,
[ --disable-libwrap Disable TCP wrappers library support],
[ --disable-libwrap disable TCP wrappers support],
[
case "$enableval" in
yes) AC_MSG_RESULT([no])
AC_DEFINE([HAVE_LIBWRAP], [1], [Define to 1 if you have 'libwrap' library.])
yes) AC_MSG_RESULT([yes])
AC_DEFINE([USE_LIBWRAP], [1],
[Define to 1 to enable TCP wrappers support])
LIBS="$LIBS -lwrap"
;;
no) AC_MSG_RESULT([yes])
no) AC_MSG_RESULT([no])
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([Bad value \"${enableval}\"])
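Review bot: in the FIPS block, `yes) AC_MSG_RESULT([no])` prints "no" for `--enable-fips` even though that branch sets `use_fips="yes"` and defines `USE_FIPS`; it should be `AC_MSG_RESULT([yes])`. In the systemd block, the explicit `yes)` branch calls `AC_SEARCH_LIBS([sd_listen_fds], [systemd systemd-daemon])` with no action-if-not-found and then defines `USE_SYSTEMD` unconditionally, so `--enable-systemd` on a host without libsystemd (or without `systemd/sd-daemon.h`, which only the autodetect path checks) configures cleanly and fails at compile or link time; give it `[], [AC_MSG_ERROR([systemd library not found])]` and the same header check. The libwrap `yes)` branch has the same shape: it appends `-lwrap` to `LIBS` without the `hosts_access()` link test the autodetect branch performs, so a mistyped or missing library is again discovered only at link time.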
@ -375,106 +377,83 @@ AC_ARG_ENABLE(libwrap,
valid_LIBS="$LIBS"
LIBS="$valid_LIBS -lwrap"
AC_LINK_IFELSE(
[AC_LANG_PROGRAM(
[
int hosts_access(); int allow_severity, deny_severity;
],
[
hosts_access()
]
)],
[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_LIBWRAP], [1], [Define to 1 if you have 'libwrap' library.])],
[AC_MSG_RESULT([no]); LIBS="$valid_LIBS"]
[
AC_LANG_PROGRAM(
[int hosts_access(); int allow_severity, deny_severity;],
[hosts_access()])
], [
AC_MSG_RESULT([yes]);
AC_DEFINE([USE_LIBWRAP], [1],
[Define to 1 to enable TCP wrappers support])
AC_MSG_NOTICE([libwrap support enabled])
], [
AC_MSG_RESULT([no])
LIBS="$valid_LIBS"
AC_MSG_NOTICE([libwrap library not found])
]
)
]
)

# FIPS Mode
AC_MSG_CHECKING([whether to enable FIPS mode support])
AC_ARG_ENABLE(fips,
[ --enable-fips Enable OpenSSL FIPS mode],
[
case "$enableval" in
yes) AC_MSG_RESULT([yes])
sub_dirs="/ssl/fips /ssl/fips-1.0 /"
fips="yes"
AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS mode])
;;
no) AC_MSG_RESULT([no])
sub_dirs="/ssl /openssl /"
fips="no"
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([bad value \"${enableval}\"])
;;
esac
],
[
sub_dirs="/ssl/fips /ssl/fips-1.0 /ssl /openssl /"
fips="auto"
AC_MSG_RESULT([autodetecting])
]
)
AC_MSG_NOTICE([**************************************** TLS])

AC_MSG_CHECKING([for compiler sysroot])
if test "x$GCC" = "xyes"; then
sysroot=`$CC --print-sysroot 2>/dev/null`
fi
if test -z "$sysroot" -o "x$sysroot" = "x/"; then
sysroot=""
AC_MSG_RESULT([/])
else
AC_MSG_RESULT([$sysroot])
fi

AC_MSG_NOTICE([**************************************** SSL])
check_ssl_dir() { :
SSLDIR="$1"
if test -f "$1/include/openssl/ssl.h"; then
return 0
fi
return 1
test -n "$1" -a -f "$1/include/openssl/ssl.h" && SSLDIR="$1"
}

# Check for SSL directory
AC_MSG_CHECKING([for SSL directory])
AC_ARG_WITH(ssl,
[ --with-ssl=DIR location of installed SSL libraries/include files],
[
check_ssl_dir "$withval"
],
[
for main_dir in /usr/local /usr/lib /usr/pkg /opt/local /opt /usr; do
for sub_dir in $sub_dirs; do
check_ssl_dir "$main_dir$sub_dir" && break 2
done
find_ssl_dir() { :
stunnel_prefix="$prefix"
test "x$stunnel_prefix" = "xNONE" && stunnel_prefix=$ac_default_prefix
for main_dir in "$stunnel_prefix" "/usr/local" "/usr/lib" "/usr/pkg" "/opt/local" "/opt" "/opt/csw" "/usr" ""; do
for sub_dir in "/ssl" "/openssl" "/ossl" ""; do
check_ssl_dir "$sysroot$main_dir$sub_dir" && return
done
]
done
if test -x "/usr/bin/xcrun"; then
sdk_path=`/usr/bin/xcrun --sdk macosx --show-sdk-path`
check_ssl_dir "$sdk_path/usr" && return
fi
check_ssl_dir "/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-migrator/sdk/MacOSX.sdk/usr"
}

SSLDIR=""
AC_MSG_CHECKING([for TLS directory])
AC_ARG_WITH(ssl,
[ --with-ssl=DIR location of installed TLS libraries/include files],
[check_ssl_dir "$withval"],
[find_ssl_dir]
)
if test ! -d "$SSLDIR"; then
if test -z "$SSLDIR"; then
AC_MSG_RESULT([not found])
AC_MSG_ERROR([
Couldn't find your SSL library installation dir
Could not find your TLS library installation dir
Use --with-ssl option to fix this problem
])
fi
AC_MSG_RESULT([$SSLDIR])
AC_SUBST([SSLDIR])
AC_DEFINE_UNQUOTED([SSLDIR], ["$SSLDIR"], [SSL directory])
AC_DEFINE_UNQUOTED([SSLDIR], ["$SSLDIR"], [TLS directory])

valid_CPPFLAGS="$CPPFLAGS"; CPPFLAGS="$CPPFLAGS -I$SSLDIR/include"
valid_LIBS="$LIBS"; LIBS="$LIBS -L$SSLDIR/lib64 -L$SSLDIR/lib -lssl -lcrypto"

AC_CHECK_HEADER([$SSLDIR/include/openssl/engine.h],
[AC_DEFINE([HAVE_OSSL_ENGINE_H], [1],
[Define to 1 if you have <engine.h> header file.])],
[AC_MSG_WARN([OpenSSL engine header not found])])

AC_CHECK_HEADER([$SSLDIR/include/openssl/ocsp.h],
[AC_DEFINE([HAVE_OSSL_OCSP_H], [1],
[Define to 1 if you have <ocsp.h> header file.])],
[AC_MSG_WARN([OpenSSL ocsp header not found])])

AC_CHECK_HEADER([$SSLDIR/include/openssl/fips.h],
[AC_DEFINE([HAVE_OSSL_FIPS_H], [1],
[Define to 1 if you have <fips.h> header file.])],
[AC_MSG_WARN([OpenSSL fips header not found])])

if test "$fips" = "auto"; then
if test "x$use_fips" = "xauto"; then
AC_CHECK_FUNCS(FIPS_mode_set, [
AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS mode.])
AC_MSG_NOTICE([FIPS mode detected])
AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS support])
AC_MSG_NOTICE([FIPS support enabled])
], [
AC_MSG_NOTICE([FIPS mode not detected])
AC_MSG_NOTICE([FIPS support not found])
])
fi

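Review bot: FIPS autodetection keys `USE_FIPS` on `AC_CHECK_FUNCS(FIPS_mode_set, ...)`, but `FIPS_mode_set` also links in ordinary non-FIPS OpenSSL 1.0.x builds (where it simply fails when asked to enable FIPS mode), so "FIPS support enabled" here means the symbol exists, not that a validated module is present; the notice should say so, or the probe should additionally require `openssl/fips.h`, which is checked just above but only warned about. The rewritten `check_ssl_dir` (`test -n "$1" -a -f "$1/include/openssl/ssl.h" && SSLDIR="$1"`) correctly stops setting `SSLDIR` before the header test succeeds, which the old body did; the companion change `if test -z "$SSLDIR"` is the right condition for it. Two smaller points: `AC_MSG_RESULT([yes]);` in the libwrap branch has a stray semicolon, and `find_ssl_dir` prefers `$stunnel_prefix`, `/usr/local` and the other optional trees over `/usr` before ending at a hard-coded Xcode `swift-migrator/sdk/MacOSX.sdk/usr` path, so a stale OpenSSL left in `/usr/local/ssl` silently wins over the maintained system copy; the chosen `$SSLDIR` is printed, which helps, but the search order and the fixed Xcode path deserve a comment so packagers know to pass `--with-ssl` explicitly.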
@ -482,8 +461,9 @@ CPPFLAGS="$valid_CPPFLAGS"
LIBS="$valid_LIBS"

AC_MSG_NOTICE([**************************************** write the results])
AC_CONFIG_FILES([Makefile src/Makefile src/stunnel3 doc/Makefile tools/Makefile tools/stunnel.conf-sample tools/stunnel.init tools/stunnel.service])
AC_CONFIG_FILES([Makefile src/Makefile doc/Makefile tools/Makefile])
AC_OUTPUT

AC_MSG_NOTICE([**************************************** success])
# vim:ft=automake
# End of configure.ac
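Review bot: `AC_CONFIG_FILES` no longer lists `src/stunnel3`, `tools/stunnel.conf-sample`, `tools/stunnel.init` or `tools/stunnel.service`; if those files are still installed they must now be generated elsewhere (the `doc/Makefile.am` hunk below shows the `sed`-based `edit` substitution used for the man pages), so confirm `tools/Makefile.am` gained the equivalent rules in this same commit, otherwise the shipped sample config and service unit will carry literal `@bindir@`-style placeholders.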
@ -1,21 +1,35 @@
|
||||
## Process this file with automake to produce Makefile.in
|
||||
# by Michal Trojnara 2015-2017
|
||||
|
||||
EXTRA_DIST = stunnel.pod stunnel.pl.pod stunnel.fr.pod \
|
||||
stunnel.8 stunnel.pl.8 stunnel.fr.8 \
|
||||
stunnel.html stunnel.pl.html stunnel.fr.html en pl
|
||||
EXTRA_DIST = stunnel.pod.in stunnel.8.in stunnel.html.in en
|
||||
EXTRA_DIST += stunnel.pl.pod.in stunnel.pl.8.in stunnel.pl.html.in pl
|
||||
|
||||
man_MANS = stunnel.8 stunnel.pl.8 stunnel.fr.8
|
||||
man_MANS = stunnel.8 stunnel.pl.8
|
||||
|
||||
docdir = $(datadir)/doc/stunnel
|
||||
doc_DATA = stunnel.html stunnel.pl.html stunnel.fr.html
|
||||
doc_DATA = stunnel.html stunnel.pl.html
|
||||
|
||||
SUFFIXES = .pod .8 .html
|
||||
CLEANFILES = $(man_MANS) $(doc_DATA)
|
||||
|
||||
.pod.8:
|
||||
pod2man -u --section=8 --release=$(VERSION) --center=stunnel \
|
||||
--date=`date +%Y.%m.%d` $< $@
|
||||
SUFFIXES = .pod.in .8.in .html.in
|
||||
|
||||
.pod.html:
|
||||
pod2html --noindex --title stunnel.8 --infile=$< --outfile=$@
|
||||
.pod.in.8.in:
|
||||
pod2man -u -n stunnel -s 8 -r $(VERSION) \
|
||||
-c "stunnel TLS Proxy" -d `date +%Y.%m.%d` $< $@
|
||||
|
||||
.pod.in.html.in:
|
||||
pod2html --index --backlink --header \
|
||||
--title "stunnel TLS Proxy" --infile=$< --outfile=$@
|
||||
rm -f pod2htmd.tmp pod2htmi.tmp
|
||||
|
||||
edit = sed \
|
||||
-e 's|@bindir[@]|$(bindir)|g' \
|
||||
-e 's|@sysconfdir[@]|$(sysconfdir)|g'
|
||||
|
||||
$(man_MANS) $(doc_DATA): Makefile
|
||||
$(edit) '$(srcdir)/$@.in' >$@
|
||||
|
||||
stunnel.8: $(srcdir)/stunnel.8.in
|
||||
stunnel.html: $(srcdir)/stunnel.html.in
|
||||
stunnel.pl.8: $(srcdir)/stunnel.pl.8.in
|
||||
stunnel.pl.html: $(srcdir)/stunnel.pl.html.in
|
||||
|
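Review bot: the new rule `$(edit) '$(srcdir)/$@.in' >$@` redirects sed straight into the target, so if sed fails or is interrupted a truncated stunnel.8 or stunnel.html is left behind with a fresh timestamp and the next make treats it as up to date; the usual idiom is `rm -f $@ $@.tmp`, write to `$@.tmp`, then `mv $@.tmp $@` only on success. Note also that `edit` substitutes only @bindir@ and @sysconfdir@, so any other @...@ token in the .in files survives into the installed page, and that the stunnel.fr.* targets are removed here, so anything else that still lists them (packaging specs, for instance) needs the same change.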
216
doc/Makefile.in
@ -1,9 +1,8 @@
|
||||
# Makefile.in generated by automake 1.11.1 from Makefile.am.
|
||||
# Makefile.in generated by automake 1.14.1 from Makefile.am.
|
||||
# @configure_input@
|
||||
|
||||
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
|
||||
# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
|
||||
# Inc.
|
||||
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
|
||||
|
||||
# This Makefile.in is free software; the Free Software Foundation
|
||||
# gives unlimited permission to copy and/or distribute it,
|
||||
# with or without modifications, as long as this notice is preserved.
|
||||
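Review bot: this file is generated (the header moves from automake 1.11.1 to 1.14.1), so the remaining doc/Makefile.in hunks are best checked by regenerating with the same automake rather than read line by line; what is worth confirming by eye is that the `edit` variable and the .pod.in suffix rules further down match the doc/Makefile.am changes above.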
@ -15,7 +14,54 @@
|
||||
|
||||
@SET_MAKE@
|
||||
|
||||
# by Michal Trojnara 2015-2017
|
||||
|
||||
VPATH = @srcdir@
|
||||
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
|
||||
am__make_running_with_option = \
|
||||
case $${target_option-} in \
|
||||
?) ;; \
|
||||
*) echo "am__make_running_with_option: internal error: invalid" \
|
||||
"target option '$${target_option-}' specified" >&2; \
|
||||
exit 1;; \
|
||||
esac; \
|
||||
has_opt=no; \
|
||||
sane_makeflags=$$MAKEFLAGS; \
|
||||
if $(am__is_gnu_make); then \
|
||||
sane_makeflags=$$MFLAGS; \
|
||||
else \
|
||||
case $$MAKEFLAGS in \
|
||||
*\\[\ \ ]*) \
|
||||
bs=\\; \
|
||||
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
|
||||
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
|
||||
esac; \
|
||||
fi; \
|
||||
skip_next=no; \
|
||||
strip_trailopt () \
|
||||
{ \
|
||||
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
|
||||
}; \
|
||||
for flg in $$sane_makeflags; do \
|
||||
test $$skip_next = yes && { skip_next=no; continue; }; \
|
||||
case $$flg in \
|
||||
*=*|--*) continue;; \
|
||||
-*I) strip_trailopt 'I'; skip_next=yes;; \
|
||||
-*I?*) strip_trailopt 'I';; \
|
||||
-*O) strip_trailopt 'O'; skip_next=yes;; \
|
||||
-*O?*) strip_trailopt 'O';; \
|
||||
-*l) strip_trailopt 'l'; skip_next=yes;; \
|
||||
-*l?*) strip_trailopt 'l';; \
|
||||
-[dEDm]) skip_next=yes;; \
|
||||
-[JT]) skip_next=yes;; \
|
||||
esac; \
|
||||
case $$flg in \
|
||||
*$$target_option*) has_opt=yes; break;; \
|
||||
esac; \
|
||||
done; \
|
||||
test $$has_opt = yes
|
||||
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
|
||||
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
|
||||
pkgdatadir = $(datadir)/@PACKAGE@
|
||||
pkgincludedir = $(includedir)/@PACKAGE@
|
||||
pkglibdir = $(libdir)/@PACKAGE@
|
||||
@ -35,7 +81,7 @@ POST_UNINSTALL = :
|
||||
build_triplet = @build@
|
||||
host_triplet = @host@
|
||||
subdir = doc
|
||||
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
|
||||
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
|
||||
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
|
||||
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
|
||||
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
|
||||
@ -47,8 +93,25 @@ mkinstalldirs = $(install_sh) -d
|
||||
CONFIG_HEADER = $(top_builddir)/src/config.h
|
||||
CONFIG_CLEAN_FILES =
|
||||
CONFIG_CLEAN_VPATH_FILES =
|
||||
AM_V_P = $(am__v_P_@AM_V@)
|
||||
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
|
||||
am__v_P_0 = false
|
||||
am__v_P_1 = :
|
||||
AM_V_GEN = $(am__v_GEN_@AM_V@)
|
||||
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
|
||||
am__v_GEN_0 = @echo " GEN " $@;
|
||||
am__v_GEN_1 =
|
||||
AM_V_at = $(am__v_at_@AM_V@)
|
||||
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
|
||||
am__v_at_0 = @
|
||||
am__v_at_1 =
|
||||
SOURCES =
|
||||
DIST_SOURCES =
|
||||
am__can_run_installinfo = \
|
||||
case $$AM_UPDATE_INFO_DIR in \
|
||||
n|no|NO) false;; \
|
||||
*) (install-info --version) >/dev/null 2>&1;; \
|
||||
esac
|
||||
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
|
||||
am__vpath_adj = case $$p in \
|
||||
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
|
||||
@ -70,14 +133,22 @@ am__nobase_list = $(am__nobase_strip_setup); \
|
||||
am__base_list = \
|
||||
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
|
||||
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
|
||||
am__uninstall_files_from_dir = { \
|
||||
test -z "$$files" \
|
||||
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|
||||
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
|
||||
$(am__cd) "$$dir" && rm -f $$files; }; \
|
||||
}
|
||||
man8dir = $(mandir)/man8
|
||||
am__installdirs = "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(docdir)"
|
||||
NROFF = nroff
|
||||
MANS = $(man_MANS)
|
||||
DATA = $(doc_DATA)
|
||||
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
|
||||
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
|
||||
ACLOCAL = @ACLOCAL@
|
||||
AMTAR = @AMTAR@
|
||||
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
|
||||
AR = @AR@
|
||||
AUTOCONF = @AUTOCONF@
|
||||
AUTOHEADER = @AUTOHEADER@
|
||||
@ -92,6 +163,7 @@ CYGPATH_W = @CYGPATH_W@
|
||||
DEFAULT_GROUP = @DEFAULT_GROUP@
|
||||
DEFS = @DEFS@
|
||||
DEPDIR = @DEPDIR@
|
||||
DLLTOOL = @DLLTOOL@
|
||||
DSYMUTIL = @DSYMUTIL@
|
||||
DUMPBIN = @DUMPBIN@
|
||||
ECHO_C = @ECHO_C@
|
||||
@ -116,6 +188,7 @@ LIPO = @LIPO@
|
||||
LN_S = @LN_S@
|
||||
LTLIBOBJS = @LTLIBOBJS@
|
||||
MAKEINFO = @MAKEINFO@
|
||||
MANIFEST_TOOL = @MANIFEST_TOOL@
|
||||
MKDIR_P = @MKDIR_P@
|
||||
NM = @NM@
|
||||
NMEDIT = @NMEDIT@
|
||||
@ -131,6 +204,9 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
|
||||
PACKAGE_URL = @PACKAGE_URL@
|
||||
PACKAGE_VERSION = @PACKAGE_VERSION@
|
||||
PATH_SEPARATOR = @PATH_SEPARATOR@
|
||||
PTHREAD_CC = @PTHREAD_CC@
|
||||
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
|
||||
PTHREAD_LIBS = @PTHREAD_LIBS@
|
||||
RANDOM_FILE = @RANDOM_FILE@
|
||||
RANLIB = @RANLIB@
|
||||
SED = @SED@
|
||||
@ -143,6 +219,7 @@ abs_builddir = @abs_builddir@
|
||||
abs_srcdir = @abs_srcdir@
|
||||
abs_top_builddir = @abs_top_builddir@
|
||||
abs_top_srcdir = @abs_top_srcdir@
|
||||
ac_ct_AR = @ac_ct_AR@
|
||||
ac_ct_CC = @ac_ct_CC@
|
||||
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
|
||||
am__include = @am__include@
|
||||
@ -150,6 +227,7 @@ am__leading_dot = @am__leading_dot@
|
||||
am__quote = @am__quote@
|
||||
am__tar = @am__tar@
|
||||
am__untar = @am__untar@
|
||||
ax_pthread_config = @ax_pthread_config@
|
||||
bindir = @bindir@
|
||||
build = @build@
|
||||
build_alias = @build_alias@
|
||||
@ -175,7 +253,6 @@ libdir = @libdir@
|
||||
libexecdir = @libexecdir@
|
||||
localedir = @localedir@
|
||||
localstatedir = @localstatedir@
|
||||
lt_ECHO = @lt_ECHO@
|
||||
mandir = @mandir@
|
||||
mkdir_p = @mkdir_p@
|
||||
oldincludedir = @oldincludedir@
|
||||
@ -183,28 +260,29 @@ pdfdir = @pdfdir@
|
||||
prefix = @prefix@
|
||||
program_transform_name = @program_transform_name@
|
||||
psdir = @psdir@
|
||||
runstatedir = @runstatedir@
|
||||
sbindir = @sbindir@
|
||||
sharedstatedir = @sharedstatedir@
|
||||
srcdir = @srcdir@
|
||||
stunnel_CFLAGS = @stunnel_CFLAGS@
|
||||
stunnel_LDFLAGF = @stunnel_LDFLAGF@
|
||||
stunnel_LDFLAGS = @stunnel_LDFLAGS@
|
||||
sysconfdir = @sysconfdir@
|
||||
target_alias = @target_alias@
|
||||
top_build_prefix = @top_build_prefix@
|
||||
top_builddir = @top_builddir@
|
||||
top_srcdir = @top_srcdir@
|
||||
EXTRA_DIST = stunnel.pod stunnel.pl.pod stunnel.fr.pod \
|
||||
stunnel.8 stunnel.pl.8 stunnel.fr.8 \
|
||||
stunnel.html stunnel.pl.html stunnel.fr.html en pl
|
||||
EXTRA_DIST = stunnel.pod.in stunnel.8.in stunnel.html.in en \
|
||||
stunnel.pl.pod.in stunnel.pl.8.in stunnel.pl.html.in pl
|
||||
man_MANS = stunnel.8 stunnel.pl.8
|
||||
doc_DATA = stunnel.html stunnel.pl.html
|
||||
CLEANFILES = $(man_MANS) $(doc_DATA)
|
||||
SUFFIXES = .pod.in .8.in .html.in
|
||||
edit = sed \
|
||||
-e 's|@bindir[@]|$(bindir)|g' \
|
||||
-e 's|@sysconfdir[@]|$(sysconfdir)|g'
|
||||
|
||||
man_MANS = stunnel.8 stunnel.pl.8 stunnel.fr.8
|
||||
doc_DATA = stunnel.html stunnel.pl.html stunnel.fr.html
|
||||
SUFFIXES = .pod .8 .html
|
||||
all: all-am
|
||||
|
||||
.SUFFIXES:
|
||||
.SUFFIXES: .pod .8 .html
|
||||
.SUFFIXES: .pod.in .8.in .html.in
|
||||
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
|
||||
@for dep in $?; do \
|
||||
case '$(am__configure_deps)' in \
|
||||
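Review bot: both `stunnel_LDFLAGF = @stunnel_LDFLAGF@` and `stunnel_LDFLAGS = @stunnel_LDFLAGS@` appear in this hunk; if the LDFLAGF line is the one being removed this simply fixes an old misspelling, but if both survive regeneration, the LDFLAGF variable is an unexpanded AC_SUBST from a misspelt substitution in configure.ac and should be dropped there.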
@ -243,11 +321,18 @@ clean-libtool:
|
||||
-rm -rf .libs _libs
|
||||
install-man8: $(man_MANS)
|
||||
@$(NORMAL_INSTALL)
|
||||
test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
|
||||
@list=''; test -n "$(man8dir)" || exit 0; \
|
||||
{ for i in $$list; do echo "$$i"; done; \
|
||||
l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
|
||||
sed -n '/\.8[a-z]*$$/p'; \
|
||||
@list1=''; \
|
||||
list2='$(man_MANS)'; \
|
||||
test -n "$(man8dir)" \
|
||||
&& test -n "`echo $$list1$$list2`" \
|
||||
|| exit 0; \
|
||||
echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
|
||||
$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
|
||||
{ for i in $$list1; do echo "$$i"; done; \
|
||||
if test -n "$$list2"; then \
|
||||
for i in $$list2; do echo "$$i"; done \
|
||||
| sed -n '/\.8[a-z]*$$/p'; \
|
||||
fi; \
|
||||
} | while read p; do \
|
||||
if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
|
||||
echo "$$d$$p"; echo "$$p"; \
|
||||
@ -276,13 +361,14 @@ uninstall-man8:
|
||||
sed -n '/\.8[a-z]*$$/p'; \
|
||||
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
|
||||
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
|
||||
test -z "$$files" || { \
|
||||
echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
|
||||
cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
|
||||
dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
|
||||
install-docDATA: $(doc_DATA)
|
||||
@$(NORMAL_INSTALL)
|
||||
test -z "$(docdir)" || $(MKDIR_P) "$(DESTDIR)$(docdir)"
|
||||
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
|
||||
if test -n "$$list"; then \
|
||||
echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \
|
||||
$(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \
|
||||
fi; \
|
||||
for p in $$list; do \
|
||||
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
|
||||
echo "$$d$$p"; \
|
||||
@ -296,30 +382,15 @@ uninstall-docDATA:
|
||||
@$(NORMAL_UNINSTALL)
|
||||
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
|
||||
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
|
||||
test -n "$$files" || exit 0; \
|
||||
echo " ( cd '$(DESTDIR)$(docdir)' && rm -f" $$files ")"; \
|
||||
cd "$(DESTDIR)$(docdir)" && rm -f $$files
|
||||
tags: TAGS
|
||||
TAGS:
|
||||
dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir)
|
||||
tags TAGS:
|
||||
|
||||
ctags: CTAGS
|
||||
CTAGS:
|
||||
ctags CTAGS:
|
||||
|
||||
cscope cscopelist:
|
||||
|
||||
|
||||
distdir: $(DISTFILES)
|
||||
@list='$(MANS)'; if test -n "$$list"; then \
|
||||
list=`for p in $$list; do \
|
||||
if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
|
||||
if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
|
||||
if test -n "$$list" && \
|
||||
grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
|
||||
echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
|
||||
grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \
|
||||
echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \
|
||||
echo " typically \`make maintainer-clean' will remove them" >&2; \
|
||||
exit 1; \
|
||||
else :; fi; \
|
||||
else :; fi
|
||||
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
|
||||
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
|
||||
list='$(DISTFILES)'; \
|
||||
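Review bot: the distdir step that grepped the built man pages for the 'help2man is required to generate this page' placeholder is removed here, so `make dist` no longer validates stunnel.8 at all; since the page is now produced by the sed `edit` rule, a cheap replacement is to grep the generated $(man_MANS) for a leftover `@bindir@` or `@sysconfdir@` and fail the dist when one is found.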
@ -366,13 +437,19 @@ install-am: all-am
|
||||
|
||||
installcheck: installcheck-am
|
||||
install-strip:
|
||||
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
|
||||
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
|
||||
`test -z '$(STRIP)' || \
|
||||
echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
|
||||
if test -z '$(STRIP)'; then \
|
||||
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
|
||||
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
|
||||
install; \
|
||||
else \
|
||||
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
|
||||
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
|
||||
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
|
||||
fi
|
||||
mostlyclean-generic:
|
||||
|
||||
clean-generic:
|
||||
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
|
||||
|
||||
distclean-generic:
|
||||
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
|
||||
@ -452,27 +529,36 @@ uninstall-man: uninstall-man8
|
||||
.MAKE: install-am install-strip
|
||||
|
||||
.PHONY: all all-am check check-am clean clean-generic clean-libtool \
|
||||
distclean distclean-generic distclean-libtool distdir dvi \
|
||||
dvi-am html html-am info info-am install install-am \
|
||||
install-data install-data-am install-docDATA install-dvi \
|
||||
install-dvi-am install-exec install-exec-am install-html \
|
||||
install-html-am install-info install-info-am install-man \
|
||||
install-man8 install-pdf install-pdf-am install-ps \
|
||||
install-ps-am install-strip installcheck installcheck-am \
|
||||
installdirs maintainer-clean maintainer-clean-generic \
|
||||
mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
|
||||
ps ps-am uninstall uninstall-am uninstall-docDATA \
|
||||
uninstall-man uninstall-man8
|
||||
cscopelist-am ctags-am distclean distclean-generic \
|
||||
distclean-libtool distdir dvi dvi-am html html-am info info-am \
|
||||
install install-am install-data install-data-am \
|
||||
install-docDATA install-dvi install-dvi-am install-exec \
|
||||
install-exec-am install-html install-html-am install-info \
|
||||
install-info-am install-man install-man8 install-pdf \
|
||||
install-pdf-am install-ps install-ps-am install-strip \
|
||||
installcheck installcheck-am installdirs maintainer-clean \
|
||||
maintainer-clean-generic mostlyclean mostlyclean-generic \
|
||||
mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \
|
||||
uninstall-am uninstall-docDATA uninstall-man uninstall-man8
|
||||
|
||||
|
||||
.pod.8:
|
||||
pod2man -u --section=8 --release=$(VERSION) --center=stunnel \
|
||||
--date=`date +%Y.%m.%d` $< $@
|
||||
.pod.in.8.in:
|
||||
pod2man -u -n stunnel -s 8 -r $(VERSION) \
|
||||
-c "stunnel TLS Proxy" -d `date +%Y.%m.%d` $< $@
|
||||
|
||||
.pod.html:
|
||||
pod2html --noindex --title stunnel.8 --infile=$< --outfile=$@
|
||||
.pod.in.html.in:
|
||||
pod2html --index --backlink --header \
|
||||
--title "stunnel TLS Proxy" --infile=$< --outfile=$@
|
||||
rm -f pod2htmd.tmp pod2htmi.tmp
|
||||
|
||||
$(man_MANS) $(doc_DATA): Makefile
|
||||
$(edit) '$(srcdir)/$@.in' >$@
|
||||
|
||||
stunnel.8: $(srcdir)/stunnel.8.in
|
||||
stunnel.html: $(srcdir)/stunnel.html.in
|
||||
stunnel.pl.8: $(srcdir)/stunnel.pl.8.in
|
||||
stunnel.pl.html: $(srcdir)/stunnel.pl.html.in
|
||||
|
||||
# Tell versions [3.59,3.63) of GNU make to not export all variables.
|
||||
# Otherwise a system limit (for SysV at least) may be exceeded.
|
||||
.NOEXPORT:
|
||||
|
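Review bot: the `.pod.in.8.in` and `.pod.in.html.in` rules stamp the output with `` -d `date +%Y.%m.%d` ``, so two regenerations from the same POD source produce different stunnel.8.in files; honouring SOURCE_DATE_EPOCH, or taking the date from the POD source itself, would keep the committed .in files reproducible. This affects only maintainer regeneration, since an ordinary build runs just the sed `edit` rule.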
@ -36,8 +36,8 @@ HOWTO and then we'll look at the theory behind all this.</P>
|
||||
<P STYLE="margin-bottom: 0cm"><BR>
|
||||
</P>
|
||||
<OL>
|
||||
<LI><P STYLE="margin-bottom: 0cm">Download and install openSSL,
|
||||
SSLEay, and Stunnel on the Linux/Unix box. Download the modules.</P>
|
||||
<LI><P STYLE="margin-bottom: 0cm">Download and install OpenSSL,
|
||||
SSLeay, and Stunnel on the Linux/Unix box. Download the modules.</P>
|
||||
</OL>
|
||||
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">a)
|
||||
[root@anthrax$]gunzip openssl-x.xx.tar.gz (repeat for all 3 the
|
||||
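Review bot: correcting the spelling to "OpenSSL, SSLeay" leaves the HOWTO still instructing readers to install SSLeay, the predecessor of OpenSSL that has not been maintained for many years; the step should list only OpenSSL and stunnel, or the paragraph should say the SSLeay reference is historical.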
@ -52,7 +52,7 @@ modules)</P>
|
||||
save the file as VNCRegEdit.REG on the Windows 2000 box</P>
|
||||
</OL>
|
||||
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">--cut here and copy
|
||||
to VNCRegEdit.REG the double click file to
|
||||
to VNCRegEdit.REG then double click the file to
|
||||
import--<BR>REGEDIT4<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3]<BR>AllowLoopback=dword:00000001<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\Default]<BR>AllowLoopback=dword:00000001<BR>--stop
|
||||
here--<BR><BR>
|
||||
</P>
|
||||
@ -87,7 +87,7 @@ here--<BR><BR>
|
||||
execute the following command and let it run in its own terminal.</P>
|
||||
</OL>
|
||||
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">stunnel -d 5900 -r
|
||||
unix.ip.adress:5900 -c</P>
|
||||
unix.ip.address:5900 -c</P>
|
||||
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">.</P>
|
||||
<OL>
|
||||
<LI><P STYLE="margin-bottom: 0cm">And on the Windows 2000 machine
|
||||
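Review bot: only the spelling of "address" is fixed, but the command `stunnel -d 5900 -r unix.ip.address:5900 -c` still uses the old command-line form; the SYNOPSIS of the man page elsewhere in this diff lists only `stunnel [<filename>] | -fd n | -help | -version | -sockets`, so the HOWTO should either show the equivalent configuration file (an `accept`/`connect` service with `client = yes`) or say that this syntax needs the stunnel3 wrapper script.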
@ -109,7 +109,7 @@ the window</P>
|
||||
2000 command as follows:
|
||||
</P>
|
||||
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">stunnel -d 5902 -r
|
||||
unix.ip.adress:5902</P>
|
||||
unix.ip.address:5902</P>
|
||||
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">and remember to
|
||||
start another vncserver on the Linux box for each VNC display</P>
|
||||
<P STYLE="margin-bottom: 0cm"><BR>
|
||||
@ -165,11 +165,11 @@ desired "display" number.</P>
|
||||
<P STYLE="margin-bottom: 0cm"><BR>
|
||||
</P>
|
||||
<P STYLE="margin-bottom: 0cm">To connect from the client machine you
|
||||
need to enter the client machines IP address and the "display"
|
||||
need to enter the client machine's IP address and the "display"
|
||||
(from the port conversion). But VNC will think that you are trying to
|
||||
connect to the local machine and does not allow this. To override
|
||||
this add the following to you registry.<BR><BR>--cut here and copy to
|
||||
anything.reg. the double click file to
|
||||
this add the following to your registry.<BR><BR>--cut here and copy to
|
||||
anything.reg. then double click the file to
|
||||
import--<BR>REGEDIT4<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3]<BR>AllowLoopback=dword:00000001<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\Default]<BR>AllowLoopback=dword:00000001<BR>--stop
|
||||
here--<BR><BR>Now VNC will not complain. So you need to always run
|
||||
stunnel in client mode on the Windows machine and then connect with
|
||||
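Review bot: the REGEDIT4 block setting AllowLoopback=dword:00000001 under both WinVNC3 keys is the same text already shown in the earlier "--cut here" paragraph of this file; rather than maintaining it twice, keep one copy and refer to it, and state in that one place that the loopback relaxation is needed only because the stunnel client runs on the same host as the VNC server.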
@ -182,9 +182,9 @@ way, *NIX doesn't complain about this. There is no setting needed if
|
||||
<P STYLE="margin-bottom: 0cm"><BR>
|
||||
</P>
|
||||
<P STYLE="margin-bottom: 0cm">Unfortunately this will not work well
|
||||
with the build in web version. If you did not known about it, try
|
||||
with the built-in web version. If you did not known about it, try
|
||||
http'ing into a machine running VNC server on it, to port 58XX (where
|
||||
XX is the display number), and the Java client will be loaded.<BR><BR>
|
||||
</P>
|
||||
</BODY>
|
||||
</HTML>
|
||||
</HTML>
|
||||
|
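Review bot: "built-in" is corrected but the same new line still reads "If you did not known about it", which should be "If you did not know about it"; since the line is being rewritten anyway, fix both in this change.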
@ -93,7 +93,7 @@ private key</I>
|
||||
# private random number file</I>
|
||||
<BR><I> </I>
|
||||
<BR><I>x509_extensions = usr_cert
|
||||
# The extentions to add to the cert</I>
|
||||
# The extensions to add to the cert</I>
|
||||
<BR><I>crl_extensions = crl_ext
|
||||
# Extensions to add to CRL</I>
|
||||
<BR><I>default_days = 365
|
||||
@ -147,7 +147,7 @@ look</I>
|
||||
<BR><I>distinguished_name = req_distinguished_name</I>
|
||||
<BR><I>attributes
|
||||
= req_attributes</I>
|
||||
<BR><I>x509_extensions = v3_ca # The extentions to add to the self signed
|
||||
<BR><I>x509_extensions = v3_ca # The extensions to add to the self signed
|
||||
cert</I>
|
||||
<BR><I> </I>
|
||||
<BR><I>[ req_distinguished_name ]</I>
|
||||
|
993
doc/stunnel.8
@ -1,993 +0,0 @@
|
||||
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
|
||||
.\"
|
||||
.\" Standard preamble:
|
||||
.\" ========================================================================
|
||||
.de Sp \" Vertical space (when we can't use .PP)
|
||||
.if t .sp .5v
|
||||
.if n .sp
|
||||
..
|
||||
.de Vb \" Begin verbatim text
|
||||
.ft CW
|
||||
.nf
|
||||
.ne \\$1
|
||||
..
|
||||
.de Ve \" End verbatim text
|
||||
.ft R
|
||||
.fi
|
||||
..
|
||||
.\" Set up some character translations and predefined strings. \*(-- will
|
||||
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
|
||||
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
|
||||
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
|
||||
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
|
||||
.\" nothing in troff, for use with C<>.
|
||||
.tr \(*W-
|
||||
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
|
||||
.ie n \{\
|
||||
. ds -- \(*W-
|
||||
. ds PI pi
|
||||
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
|
||||
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
|
||||
. ds L" ""
|
||||
. ds R" ""
|
||||
. ds C` ""
|
||||
. ds C' ""
|
||||
'br\}
|
||||
.el\{\
|
||||
. ds -- \|\(em\|
|
||||
. ds PI \(*p
|
||||
. ds L" ``
|
||||
. ds R" ''
|
||||
'br\}
|
||||
.\"
|
||||
.\" Escape single quotes in literal strings from groff's Unicode transform.
|
||||
.ie \n(.g .ds Aq \(aq
|
||||
.el .ds Aq '
|
||||
.\"
|
||||
.\" If the F register is turned on, we'll generate index entries on stderr for
|
||||
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
|
||||
.\" entries marked with X<> in POD. Of course, you'll have to process the
|
||||
.\" output yourself in some meaningful fashion.
|
||||
.ie \nF \{\
|
||||
. de IX
|
||||
. tm Index:\\$1\t\\n%\t"\\$2"
|
||||
..
|
||||
. nr % 0
|
||||
. rr F
|
||||
.\}
|
||||
.el \{\
|
||||
. de IX
|
||||
..
|
||||
.\}
|
||||
.\" ========================================================================
|
||||
.\"
|
||||
.IX Title "STUNNEL 8"
|
||||
.TH STUNNEL 8 "2013.03.20" "4.56" "stunnel"
|
||||
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
|
||||
.\" way too many mistakes in technical documents.
|
||||
.if n .ad l
|
||||
.nh
|
||||
.SH "NAME"
|
||||
stunnel \- universal SSL tunnel
|
||||
.SH "SYNOPSIS"
|
||||
.IX Header "SYNOPSIS"
|
||||
.IP "\fBUnix:\fR" 4
|
||||
.IX Item "Unix:"
|
||||
\&\fBstunnel\fR [<filename>] | \-fd n | \-help | \-version | \-sockets
|
||||
.IP "\fB\s-1WIN32:\s0\fR" 4
|
||||
.IX Item "WIN32:"
|
||||
\&\fBstunnel\fR [ [\-install | \-uninstall | \-start | \-stop] | \-exit]
|
||||
[\-quiet] [<filename>] ] | \-help | \-version | \-sockets
|
||||
.SH "DESCRIPTION"
|
||||
.IX Header "DESCRIPTION"
|
||||
The \fBstunnel\fR program is designed to work as \fI\s-1SSL\s0\fR encryption wrapper
|
||||
between remote clients and local (\fIinetd\fR\-startable) or remote
|
||||
servers. The concept is that having non-SSL aware daemons running on
|
||||
your system you can easily set them up to communicate with clients over
|
||||
secure \s-1SSL\s0 channels.
|
||||
.PP
|
||||
\&\fBstunnel\fR can be used to add \s-1SSL\s0 functionality to commonly used \fIInetd\fR
|
||||
daemons like \s-1POP\-2\s0, \s-1POP\-3\s0, and \s-1IMAP\s0 servers, to standalone daemons like
|
||||
\&\s-1NNTP\s0, \s-1SMTP\s0 and \s-1HTTP\s0, and in tunneling \s-1PPP\s0 over network sockets without
|
||||
changes to the source code.
|
||||
.PP
|
||||
This product includes cryptographic software written by
|
||||
Eric Young (eay@cryptsoft.com)
|
||||
.SH "OPTIONS"
|
||||
.IX Header "OPTIONS"
|
||||
.IP "<\fBfilename\fR>" 4
|
||||
.IX Item "<filename>"
|
||||
Use specified configuration file
|
||||
.IP "\fB\-fd n\fR (Unix only)" 4
|
||||
.IX Item "-fd n (Unix only)"
|
||||
Read the config file from specified file descriptor
|
||||
.IP "\fB\-help\fR" 4
|
||||
.IX Item "-help"
|
||||
Print \fBstunnel\fR help menu
|
||||
.IP "\fB\-version\fR" 4
|
||||
.IX Item "-version"
|
||||
Print \fBstunnel\fR version and compile time defaults
|
||||
.IP "\fB\-sockets\fR" 4
|
||||
.IX Item "-sockets"
|
||||
Print default socket options
|
||||
.IP "\fB\-install\fR (\s-1NT/2000/XP\s0 only)" 4
|
||||
.IX Item "-install (NT/2000/XP only)"
|
||||
Install \s-1NT\s0 Service
|
||||
.IP "\fB\-uninstall\fR (\s-1NT/2000/XP\s0 only)" 4
|
||||
.IX Item "-uninstall (NT/2000/XP only)"
|
||||
Uninstall \s-1NT\s0 Service
|
||||
.IP "\fB\-start\fR (\s-1NT/2000/XP\s0 only)" 4
|
||||
.IX Item "-start (NT/2000/XP only)"
|
||||
Start \s-1NT\s0 Service
|
||||
.IP "\fB\-stop\fR (\s-1NT/2000/XP\s0 only)" 4
|
||||
.IX Item "-stop (NT/2000/XP only)"
|
||||
Stop \s-1NT\s0 Service
|
||||
.IP "\fB\-exit\fR (Win32 only)" 4
|
||||
.IX Item "-exit (Win32 only)"
|
||||
Exit an already started stunnel
|
||||
.IP "\fB\-quiet\fR (\s-1NT/2000/XP\s0 only)" 4
|
||||
.IX Item "-quiet (NT/2000/XP only)"
|
||||
Don't display any message boxes
|
||||
.SH "CONFIGURATION FILE"
|
||||
.IX Header "CONFIGURATION FILE"
|
||||
Each line of the configuration file can be either:
|
||||
.IP "\(bu" 4
|
||||
An empty line (ignored).
|
||||
.IP "\(bu" 4
|
||||
A comment starting with ';' (ignored).
|
||||
.IP "\(bu" 4
|
||||
An 'option_name = option_value' pair.
|
||||
.IP "\(bu" 4
|
||||
\&'[service_name]' indicating a start of a service definition.
|
||||
.PP
|
||||
An address parameter of an option may be either:
|
||||
.IP "\(bu" 4
|
||||
A port number.
|
||||
.IP "\(bu" 4
|
||||
A colon-separated pair of \s-1IP\s0 address (either IPv4, IPv6, or domain name) and port number.
|
||||
.IP "\(bu" 4
|
||||
A Unix socket path (Unix only).
|
||||
.SS "\s-1GLOBAL\s0 \s-1OPTIONS\s0"
|
||||
.IX Subsection "GLOBAL OPTIONS"
|
||||
.IP "\fBchroot\fR = directory (Unix only)" 4
|
||||
.IX Item "chroot = directory (Unix only)"
|
||||
directory to chroot \fBstunnel\fR process
|
||||
.Sp
|
||||
\&\fBchroot\fR keeps \fBstunnel\fR in chrooted jail. \fICApath\fR, \fICRLpath\fR, \fIpid\fR
|
||||
and \fIexec\fR are located inside the jail and the patches have to be relative
|
||||
to the directory specified with \fBchroot\fR.
|
||||
.Sp
|
||||
Several functions of the operating system also need their files to be located within chroot jail, e.g.:
|
||||
.RS 4
|
||||
.IP "\(bu" 4
|
||||
Delayed resolver typically needs /etc/nsswitch.conf and /etc/resolv.conf.
|
||||
.IP "\(bu" 4
|
||||
Local time in log files needs /etc/timezone.
|
||||
.IP "\(bu" 4
|
||||
Some other functions may need devices, e.g. /dev/zero or /dev/null.
|
||||
.RE
|
||||
.RS 4
|
||||
.RE
|
||||
.IP "\fBcompression\fR = deflate | zlib | rle" 4
|
||||
.IX Item "compression = deflate | zlib | rle"
|
||||
select data compression algorithm
|
||||
.Sp
|
||||
default: no compression
|
||||
.Sp
|
||||
deflate is the standard compression method as described in \s-1RFC\s0 1951.
|
||||
.Sp
|
||||
zlib compression of \fBOpenSSL 0.9.8\fR or above is not backward compatible with
|
||||
\&\fBOpenSSL 0.9.7\fR.
|
||||
.Sp
|
||||
rle compression is currently not implemented by the \fBOpenSSL\fR library.
|
||||
.IP "\fBdebug\fR = [facility.]level" 4
|
||||
.IX Item "debug = [facility.]level"
|
||||
debugging level
|
||||
.Sp
|
||||
Level is a one of the syslog level names or numbers
|
||||
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
|
||||
info (6), or debug (7). All logs for the specified level and
|
||||
all levels numerically less than it will be shown. Use \fIdebug = debug\fR or
|
||||
\&\fIdebug = 7\fR for greatest debugging output. The default is notice (5).
|
||||
.Sp
|
||||
The syslog facility 'daemon' will be used unless a facility name is supplied.
|
||||
(Facilities are not supported on Win32.)
|
||||
.Sp
|
||||
Case is ignored for both facilities and levels.
|
||||
.IP "\fB\s-1EGD\s0\fR = egd path (Unix only)" 4
|
||||
.IX Item "EGD = egd path (Unix only)"
|
||||
path to Entropy Gathering Daemon socket
|
||||
.Sp
|
||||
Entropy Gathering Daemon socket to use to feed \fBOpenSSL\fR random number
|
||||
generator. (Available only if compiled with \fBOpenSSL 0.9.5a\fR or higher)
|
||||
.IP "\fBengine\fR = auto | <engine id>" 4
|
||||
.IX Item "engine = auto | <engine id>"
|
||||
select hardware engine
|
||||
.Sp
|
||||
default: software-only cryptography
|
||||
.Sp
|
||||
Here is an example of advanced engine configuration to read private key from an
|
||||
OpenSC engine
|
||||
.Sp
|
||||
.Vb 7
|
||||
\& engine=dynamic
|
||||
\& engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so
|
||||
\& engineCtrl=ID:pkcs11
|
||||
\& engineCtrl=LIST_ADD:1
|
||||
\& engineCtrl=LOAD
|
||||
\& engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc\-pkcs11.so
|
||||
\& engineCtrl=INIT
|
||||
\&
|
||||
\& [service]
|
||||
\& engineNum=1
|
||||
\& key=id_45
|
||||
.Ve
|
||||
.IP "\fBengineCtrl\fR = command[:parameter]" 4
|
||||
.IX Item "engineCtrl = command[:parameter]"
|
||||
control hardware engine
|
||||
.Sp
|
||||
Special commands \*(L"\s-1LOAD\s0\*(R" and \*(L"\s-1INIT\s0\*(R" can be used to load and initialize the
|
||||
engine cryptogaphic module.
|
||||
.IP "\fBfips\fR = yes | no" 4
|
||||
.IX Item "fips = yes | no"
|
||||
Enable or disable \s-1FIPS\s0 140\-2 mode.
|
||||
.Sp
|
||||
This option allows to disable entering \s-1FIPS\s0 mode if \fBstunnel\fR was compiled
|
||||
with \s-1FIPS\s0 140\-2 support.
|
||||
.Sp
|
||||
default: yes
|
||||
.IP "\fBforeground\fR = yes | no (Unix only)" 4
|
||||
.IX Item "foreground = yes | no (Unix only)"
|
||||
foreground mode
|
||||
.Sp
|
||||
Stay in foreground (don't fork) and log to stderr
|
||||
instead of via syslog (unless \fIoutput\fR is specified).
|
||||
.Sp
|
||||
default: background in daemon mode
|
||||
.IP "\fBoutput\fR = file" 4
|
||||
.IX Item "output = file"
|
||||
append log messages to a file
|
||||
.Sp
|
||||
/dev/stdout device can be used to send log messages to the standard
|
||||
output (for example to log them with daemontools splogger).
|
||||
.IP "\fBpid\fR = file (Unix only)" 4
|
||||
.IX Item "pid = file (Unix only)"
|
||||
pid file location
|
||||
.Sp
|
||||
If the argument is empty, then no pid file will be created.
|
||||
.Sp
|
||||
\&\fIpid\fR path is relative to \fIchroot\fR directory if specified.
|
||||
.IP "\fBRNDbytes\fR = bytes" 4
|
||||
.IX Item "RNDbytes = bytes"
|
||||
bytes to read from random seed files
|
||||
.Sp
|
||||
Number of bytes of data read from random seed files. With \s-1SSL\s0 versions less
|
||||
than \fB0.9.5a\fR, also determines how many bytes of data are considered
|
||||
sufficient to seed the \s-1PRNG\s0. More recent \fBOpenSSL\fR versions have a builtin
|
||||
function to determine when sufficient randomness is available.
|
||||
.IP "\fBRNDfile\fR = file" 4
|
||||
.IX Item "RNDfile = file"
|
||||
path to file with random seed data
|
||||
.Sp
|
||||
The \s-1SSL\s0 library will use data from this file first to seed the random
|
||||
number generator.
|
||||
.IP "\fBRNDoverwrite\fR = yes | no" 4
|
||||
.IX Item "RNDoverwrite = yes | no"
|
||||
overwrite the random seed files with new random data
|
||||
.Sp
|
||||
default: yes
|
||||
.IP "\fBservice\fR = servicename (Unix only)" 4
|
||||
.IX Item "service = servicename (Unix only)"
|
||||
use specified string as \fIinetd\fR mode service name for \s-1TCP\s0 Wrapper library
|
||||
.Sp
|
||||
default: stunnel
|
||||
.IP "\fBsetgid\fR = groupname (Unix only)" 4
|
||||
.IX Item "setgid = groupname (Unix only)"
|
||||
\&\fIsetgid()\fR to groupname in daemon mode and clears all other groups
|
||||
.IP "\fBsetuid\fR = username (Unix only)" 4
|
||||
.IX Item "setuid = username (Unix only)"
|
||||
\&\fIsetuid()\fR to username in daemon mode
|
||||
.IP "\fBsocket\fR = a|l|r:option=value[:value]" 4
|
||||
.IX Item "socket = a|l|r:option=value[:value]"
|
||||
Set an option on accept/local/remote socket
|
||||
.Sp
|
||||
The values for linger option are l_onof:l_linger.
|
||||
The values for time are tv_sec:tv_usec.
|
||||
.Sp
|
||||
Examples:
|
||||
.Sp
|
||||
.Vb 9
|
||||
\& socket = l:SO_LINGER=1:60
|
||||
\& set one minute timeout for closing local socket
|
||||
\& socket = r:SO_OOBINLINE=yes
|
||||
\& place out\-of\-band data directly into the
|
||||
\& receive data stream for remote sockets
|
||||
\& socket = a:SO_REUSEADDR=no
|
||||
\& disable address reuse (enabled by default)
|
||||
\& socket = a:SO_BINDTODEVICE=lo
|
||||
\& only accept connections on loopback interface
|
||||
.Ve
|
||||
.IP "\fBsyslog\fR = yes | no (Unix only)" 4
|
||||
.IX Item "syslog = yes | no (Unix only)"
|
||||
enable logging via syslog
|
||||
.Sp
|
||||
default: yes
|
||||
.IP "\fBtaskbar\fR = yes | no (\s-1WIN32\s0 only)" 4
|
||||
.IX Item "taskbar = yes | no (WIN32 only)"
|
||||
enable the taskbar icon
|
||||
.Sp
|
||||
default: yes
|
||||
.SS "SERVICE-LEVEL \s-1OPTIONS\s0"
|
||||
.IX Subsection "SERVICE-LEVEL OPTIONS"
|
||||
Each configuration section begins with service name in square brackets.
|
||||
The service name is used for libwrap (\s-1TCP\s0 Wrappers) access control and lets
|
||||
you distinguish \fBstunnel\fR services in your log files.
|
||||
.PP
|
||||
Note that if you wish to run \fBstunnel\fR in \fIinetd\fR mode (where it
|
||||
is provided a network socket by a server such as \fIinetd\fR, \fIxinetd\fR,
|
||||
or \fItcpserver\fR) then you should read the section entitled \fI\s-1INETD\s0 \s-1MODE\s0\fR
|
||||
below.
|
||||
.IP "\fBaccept\fR = address" 4
|
||||
.IX Item "accept = address"
|
||||
accept connections on specified address
|
||||
.Sp
|
||||
If no host specified, defaults to all IPv4 addresses for the local host.
|
||||
.Sp
|
||||
To listen on all IPv6 addresses use:
|
||||
.Sp
|
||||
.Vb 1
|
||||
\& connect = :::port
|
||||
.Ve
|
||||
.IP "\fBCApath\fR = directory" 4
|
||||
.IX Item "CApath = directory"
|
||||
Certificate Authority directory
|
||||
.Sp
|
||||
This is the directory in which \fBstunnel\fR will look for certificates when using
|
||||
the \fIverify\fR. Note that the certificates in this directory should be named
|
||||
\&\s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1DER\s0 encoded subject of the
|
||||
cert.
|
||||
.Sp
|
||||
The hash algorithm has been changed in \fBOpenSSL 1.0.0\fR. It is required to
|
||||
c_rehash the directory on upgrade from \fBOpenSSL 0.x.x\fR to \fBOpenSSL 1.x.x\fR.
|
||||
.Sp
|
||||
\&\fICApath\fR path is relative to \fIchroot\fR directory if specified.
|
||||
.IP "\fBCAfile\fR = certfile" 4
|
||||
.IX Item "CAfile = certfile"
|
||||
Certificate Authority file
|
||||
.Sp
|
||||
This file contains multiple \s-1CA\s0 certificates, used with the \fIverify\fR.
|
||||
.IP "\fBcert\fR = pemfile" 4
|
||||
.IX Item "cert = pemfile"
|
||||
certificate chain \s-1PEM\s0 file name
|
||||
.Sp
|
||||
A \s-1PEM\s0 is always needed in server mode.
|
||||
Specifying this flag in client mode will use this certificate chain
|
||||
as a client side certificate chain. Using client side certs is optional.
|
||||
The certificates must be in \s-1PEM\s0 format and must be sorted starting with the
|
||||
certificate to the highest level (root \s-1CA\s0).
|
||||
.IP "\fBciphers\fR = cipherlist" 4
|
||||
.IX Item "ciphers = cipherlist"
|
||||
Select permitted \s-1SSL\s0 ciphers
|
||||
.Sp
|
||||
A colon delimited list of the ciphers to allow in the \s-1SSL\s0 connection.
|
||||
For example \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
|
||||
.IP "\fBclient\fR = yes | no" 4
|
||||
.IX Item "client = yes | no"
|
||||
client mode (remote service uses \s-1SSL\s0)
|
||||
.Sp
|
||||
default: no (server mode)
|
||||
.IP "\fBconnect\fR = address" 4
|
||||
.IX Item "connect = address"
|
||||
connect to a remote address
|
||||
.Sp
|
||||
If no host is specified, the host defaults to localhost.
|
||||
.Sp
|
||||
Multiple \fBconnect\fR options are allowed in a single service section.
|
||||
.Sp
|
||||
If host resolves to multiple addresses and/or if multiple \fIconnect\fR
|
||||
options are specified, then the remote address is chosen using a
|
||||
round-robin algorithm.
|
||||
.IP "\fBCRLpath\fR = directory" 4
|
||||
.IX Item "CRLpath = directory"
|
||||
Certificate Revocation Lists directory
|
||||
.Sp
|
||||
This is the directory in which \fBstunnel\fR will look for CRLs when
|
||||
using the \fIverify\fR. Note that the CRLs in this directory should
|
||||
be named \s-1XXXXXXXX\s0.r0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1CRL\s0.
|
||||
.Sp
|
||||
The hash algorithm has been changed in \fBOpenSSL 1.0.0\fR. It is required to
|
||||
c_rehash the directory on upgrade from \fBOpenSSL 0.x.x\fR to \fBOpenSSL 1.x.x\fR.
|
||||
.Sp
|
||||
\&\fICRLpath\fR path is relative to \fIchroot\fR directory if specified.
|
||||
.IP "\fBCRLfile\fR = certfile" 4
|
||||
.IX Item "CRLfile = certfile"
|
||||
Certificate Revocation Lists file
|
||||
.Sp
|
||||
This file contains multiple CRLs, used with the \fIverify\fR.
|
||||
.IP "\fBcurve\fR = nid" 4
|
||||
.IX Item "curve = nid"
|
||||
specify \s-1ECDH\s0 curve name
|
||||
.Sp
|
||||
To get a list of supported cuves use:
|
||||
.Sp
|
||||
.Vb 1
|
||||
\& openssl ecparam \-list_curves
|
||||
.Ve
|
||||
.Sp
|
||||
default: prime256v1
|
||||
.IP "\fBdelay\fR = yes | no" 4
|
||||
.IX Item "delay = yes | no"
|
||||
delay \s-1DNS\s0 lookup for 'connect' option
|
||||
.Sp
|
||||
This option is useful for dynamic \s-1DNS\s0, or when \s-1DNS\s0 is not available during
|
||||
\&\fBstunnel\fR startup (road warrior \s-1VPN\s0, dial-up configurations).
|
||||
.IP "\fBengineNum\fR = engine number" 4
|
||||
.IX Item "engineNum = engine number"
|
||||
select engine number to read private key
|
||||
.Sp
|
||||
The engines are numbered starting from 1.
|
||||
.IP "\fBexec\fR = executable_path" 4
|
||||
.IX Item "exec = executable_path"
|
||||
execute local inetd-type program
|
||||
.Sp
|
||||
\&\fIexec\fR path is relative to \fIchroot\fR directory if specified.
|
||||
.ie n .IP "\fBexecargs\fR = $0 $1 $2 ..." 4
|
||||
.el .IP "\fBexecargs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ..." 4
|
||||
.IX Item "execargs = $0 $1 $2 ..."
|
||||
arguments for \fIexec\fR including program name ($0)
|
||||
.Sp
|
||||
Quoting is currently not supported.
|
||||
Arguments are separated with arbitrary number of whitespaces.
|
||||
.IP "\fBfailover\fR = rr | prio" 4
|
||||
.IX Item "failover = rr | prio"
|
||||
Failover strategy for multiple \*(L"connect\*(R" targets.
|
||||
.Sp
|
||||
.Vb 2
|
||||
\& rr (round robin) \- fair load distribution
|
||||
\& prio (priority) \- use the order specified in config file
|
||||
.Ve
|
||||
.Sp
|
||||
default: rr
|
||||
.IP "\fBident\fR = username" 4
|
||||
.IX Item "ident = username"
|
||||
use \s-1IDENT\s0 (\s-1RFC\s0 1413) username checking
|
||||
.IP "\fBkey\fR = keyfile" 4
|
||||
.IX Item "key = keyfile"
|
||||
private key for certificate specified with \fIcert\fR option
|
||||
.Sp
|
||||
Private key is needed to authenticate certificate owner.
|
||||
Since this file should be kept secret it should only be readable
|
||||
to its owner. On Unix systems you can use the following command:
|
||||
.Sp
|
||||
.Vb 1
|
||||
\& chmod 600 keyfile
|
||||
.Ve
|
||||
.Sp
|
||||
default: value of \fIcert\fR option
|
||||
.IP "\fBlibwrap\fR = yes | no" 4
|
||||
.IX Item "libwrap = yes | no"
|
||||
Enable or disable the use of /etc/hosts.allow and /etc/hosts.deny.
|
||||
.Sp
|
||||
default: yes
|
||||
.IP "\fBlocal\fR = host" 4
|
||||
.IX Item "local = host"
|
||||
\&\s-1IP\s0 of the outgoing interface is used as source for remote connections.
|
||||
Use this option to bind a static local \s-1IP\s0 address, instead.
|
||||
.IP "\fBsni\fR = service_name:server_name_pattern (server mode)" 4
|
||||
.IX Item "sni = service_name:server_name_pattern (server mode)"
|
||||
Use the service as a slave service (a name-based virtual server) for Server
|
||||
Name Indication \s-1TLS\s0 extension (\s-1RFC\s0 3546).
|
||||
.Sp
|
||||
\&\fIservice_name\fR specifies the master service that accepts client connections
|
||||
with \fIaccept\fR option. \fIserver_name_pattern\fR specifies the host name to be
|
||||
redirected. The pattern may start with '*' character, e.g. '*.example.com'.
|
||||
Multiple slave services are normally specified for a single master service.
|
||||
\&\fIsni\fR option can also be specified more than once within a single slave
|
||||
service.
|
||||
.Sp
|
||||
This service, as well as the master service, may not be configured in client
|
||||
mode.
|
||||
.Sp
|
||||
\&\fIconnect\fR option of the slave service is ignored when \fIprotocol\fR option is
|
||||
specified, as \fIprotocol\fR connects remote host before \s-1TLS\s0 handshake.
|
||||
.Sp
|
||||
Libwrap checks (Unix only) are performed twice: with master service name after
|
||||
\&\s-1TCP\s0 connection is accepted, and with slave service name during \s-1TLS\s0 handshake.
|
||||
.Sp
|
||||
Option \fIsni\fR is only available when compiled with \fBOpenSSL 1.0.0\fR and later.
|
||||
.IP "\fBsni\fR = server_name (client mode)" 4
|
||||
.IX Item "sni = server_name (client mode)"
|
||||
Use the parameter as the value of \s-1TLS\s0 Server Name Indication (\s-1RFC\s0 3546)
|
||||
extension.
|
||||
.Sp
|
||||
Option \fIsni\fR is only available when compiled with \fBOpenSSL 1.0.0\fR and later.
|
||||
.IP "\fB\s-1OCSP\s0\fR = url" 4
|
||||
.IX Item "OCSP = url"
|
||||
select \s-1OCSP\s0 server for certificate verification
|
||||
.IP "\fBOCSPflag\fR = flag" 4
|
||||
.IX Item "OCSPflag = flag"
|
||||
specify \s-1OCSP\s0 server flag
|
||||
.Sp
|
||||
Several \fIOCSPflag\fR can be used to specify multiple flags.
|
||||
.Sp
|
||||
currently supported flags: \s-1NOCERTS\s0, \s-1NOINTERN\s0 \s-1NOSIGS\s0, \s-1NOCHAIN\s0, \s-1NOVERIFY\s0,
|
||||
\&\s-1NOEXPLICIT\s0, \s-1NOCASIGN\s0, \s-1NODELEGATED\s0, \s-1NOCHECKS\s0, \s-1TRUSTOTHER\s0, \s-1RESPID_KEY\s0, \s-1NOTIME\s0
|
||||
.IP "\fBoptions\fR = SSL_options" 4
|
||||
.IX Item "options = SSL_options"
|
||||
\&\fBOpenSSL\fR library options
|
||||
.Sp
|
||||
The parameter is the \fBOpenSSL\fR option name as described in the
|
||||
\&\fI\fISSL_CTX_set_options\fI\|(3ssl)\fR manual, but without \fI\s-1SSL_OP_\s0\fR prefix.
|
||||
Several \fIoptions\fR can be used to specify multiple options.
|
||||
.Sp
|
||||
For example for compatibility with erroneous Eudora \s-1SSL\s0 implementation
|
||||
the following option can be used:
|
||||
.Sp
|
||||
.Vb 1
|
||||
\& options = DONT_INSERT_EMPTY_FRAGMENTS
|
||||
.Ve
|
||||
.IP "\fBprotocol\fR = proto" 4
|
||||
.IX Item "protocol = proto"
|
||||
application protocol to negotiate \s-1SSL\s0
|
||||
.Sp
|
||||
This option enables initial, protocol-specific negotiation of the \s-1SSL/TLS\s0
|
||||
encryption.
|
||||
\&\fIprotocol\fR option should not be used with \s-1SSL\s0 encryption on a separate port.
|
||||
.Sp
|
||||
Currently supported protocols:
|
||||
.RS 4
|
||||
.IP "\fIcifs\fR" 4
|
||||
.IX Item "cifs"
|
||||
Proprietary (undocummented) extension of \s-1CIFS\s0 protocol implemented in Samba.
|
||||
Support for this extension was dropped in Samba 3.0.0.
|
||||
.IP "\fIconnect\fR" 4
|
||||
.IX Item "connect"
|
||||
Based on \s-1RFC\s0 2817 \- \fIUpgrading to \s-1TLS\s0 Within \s-1HTTP/1\s0.1\fR, section 5.2 \- \fIRequesting a Tunnel with \s-1CONNECT\s0\fR
|
||||
.Sp
|
||||
This protocol is only supported in client mode.
|
||||
.IP "\fIimap\fR" 4
|
||||
.IX Item "imap"
|
||||
Based on \s-1RFC\s0 2595 \- \fIUsing \s-1TLS\s0 with \s-1IMAP\s0, \s-1POP3\s0 and \s-1ACAP\s0\fR
|
||||
.IP "\fInntp\fR" 4
|
||||
.IX Item "nntp"
|
||||
Based on \s-1RFC\s0 4642 \- \fIUsing Transport Layer Security (\s-1TLS\s0) with Network News Transfer Protocol (\s-1NNTP\s0)\fR
|
||||
.Sp
|
||||
This protocol is only supported in client mode.
|
||||
.IP "\fIpgsql\fR" 4
|
||||
.IX Item "pgsql"
|
||||
Based on http://www.postgresql.org/docs/8.3/static/protocol\-flow.html#AEN73982
|
||||
.IP "\fIpop3\fR" 4
|
||||
.IX Item "pop3"
|
||||
Based on \s-1RFC\s0 2449 \- \fI\s-1POP3\s0 Extension Mechanism\fR
|
||||
.IP "\fIproxy\fR" 4
|
||||
.IX Item "proxy"
|
||||
Haproxy client \s-1IP\s0 address http://haproxy.1wt.eu/download/1.5/doc/proxy\-protocol.txt
|
||||
.IP "\fIsmtp\fR" 4
|
||||
.IX Item "smtp"
|
||||
Based on \s-1RFC\s0 2487 \- \fI\s-1SMTP\s0 Service Extension for Secure \s-1SMTP\s0 over \s-1TLS\s0\fR
|
||||
.RE
|
||||
.RS 4
|
||||
.RE
|
||||
.IP "\fBprotocolAuthentication\fR = auth_type" 4
|
||||
.IX Item "protocolAuthentication = auth_type"
|
||||
authentication type for protocol negotiations
|
||||
.Sp
|
||||
currently supported: basic, \s-1NTLM\s0
|
||||
.Sp
|
||||
Currently authentication type only applies to the 'connect' protocol.
|
||||
.Sp
|
||||
default: basic
|
||||
.IP "\fBprotocolHost\fR = host:port" 4
|
||||
.IX Item "protocolHost = host:port"
|
||||
destination address for protocol negotiations
|
||||
.Sp
|
||||
\&\fIprotocolHost\fR specifies the final \s-1SSL\s0 server to be connected by the proxy,
|
||||
and not the proxy server directly connected by \fBstunnel\fR.
|
||||
The proxy server should be specified with the 'connect' option.
|
||||
.Sp
|
||||
Currently protocol destination address only applies to 'connect' protocol.
|
||||
.IP "\fBprotocolPassword\fR = password" 4
|
||||
.IX Item "protocolPassword = password"
|
||||
password for protocol negotiations
|
||||
.IP "\fBprotocolUsername\fR = username" 4
|
||||
.IX Item "protocolUsername = username"
|
||||
username for protocol negotiations
|
||||
.IP "\fBpty\fR = yes | no (Unix only)" 4
|
||||
.IX Item "pty = yes | no (Unix only)"
|
||||
allocate pseudo terminal for 'exec' option
|
||||
.IP "\fBrenegotiation\fR = yes | no" 4
|
||||
.IX Item "renegotiation = yes | no"
|
||||
support \s-1SSL\s0 renegotiation
|
||||
.Sp
|
||||
Applications of the \s-1SSL\s0 renegotiation include some authentication scenarios,
|
||||
or re-keying long lasting connections.
|
||||
.Sp
|
||||
On the other hand this feature can facilitate a trivial CPU-exhaustion
|
||||
DoS attack:
|
||||
.Sp
|
||||
http://vincent.bernat.im/en/blog/2011\-ssl\-dos\-mitigation.html
|
||||
.Sp
|
||||
Please note that disabling \s-1SSL\s0 renegotiation does not fully mitigate
|
||||
this issue.
|
||||
.Sp
|
||||
default: yes (if supported by \fBOpenSSL\fR)
|
||||
.IP "\fBreset\fR = yes | no" 4
|
||||
.IX Item "reset = yes | no"
|
||||
attempt to use \s-1TCP\s0 \s-1RST\s0 flag to indicate an error
|
||||
.Sp
|
||||
This option is not supported on some platforms.
|
||||
.Sp
|
||||
default: yes
|
||||
.IP "\fBretry\fR = yes | no" 4
|
||||
.IX Item "retry = yes | no"
|
||||
reconnect a connect+exec section after it's disconnected
|
||||
.Sp
|
||||
default: no
|
||||
.IP "\fBsessionCacheSize\fR = size" 4
|
||||
.IX Item "sessionCacheSize = size"
|
||||
session cache size
|
||||
.Sp
|
||||
\&\fIsessionCacheSize\fR specifies the maximum number of the internal session cache
|
||||
entries.
|
||||
.Sp
|
||||
The value of 0 can be used for unlimited size. It is not recommended
|
||||
for production use due to the risk of memory exhaustion DoS attack.
|
||||
.IP "\fBsessionCacheTimeout\fR = timeout" 4
|
||||
.IX Item "sessionCacheTimeout = timeout"
|
||||
session cache timeout
|
||||
.Sp
|
||||
This is the number of seconds to keep cached \s-1SSL\s0 sessions.
|
||||
.IP "\fBsessiond\fR = host:port" 4
|
||||
.IX Item "sessiond = host:port"
|
||||
address of sessiond \s-1SSL\s0 cache server
|
||||
.IP "\fBsslVersion\fR = version" 4
|
||||
.IX Item "sslVersion = version"
|
||||
select version of \s-1SSL\s0 protocol
|
||||
.Sp
|
||||
Allowed options: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2
|
||||
.IP "\fBstack\fR = bytes (except for \s-1FORK\s0 model)" 4
|
||||
.IX Item "stack = bytes (except for FORK model)"
|
||||
thread stack size
|
||||
.IP "\fBTIMEOUTbusy\fR = seconds" 4
|
||||
.IX Item "TIMEOUTbusy = seconds"
|
||||
time to wait for expected data
|
||||
.IP "\fBTIMEOUTclose\fR = seconds" 4
|
||||
.IX Item "TIMEOUTclose = seconds"
|
||||
time to wait for close_notify (set to 0 for buggy \s-1MSIE\s0)
|
||||
.IP "\fBTIMEOUTconnect\fR = seconds" 4
|
||||
.IX Item "TIMEOUTconnect = seconds"
|
||||
time to wait to connect a remote host
|
||||
.IP "\fBTIMEOUTidle\fR = seconds" 4
|
||||
.IX Item "TIMEOUTidle = seconds"
|
||||
time to keep an idle connection
|
||||
.IP "\fBtransparent\fR = none | source | destination | both (Unix only)" 4
|
||||
.IX Item "transparent = none | source | destination | both (Unix only)"
|
||||
enable transparent proxy support on selected platforms
|
||||
.Sp
|
||||
Supported values:
|
||||
.RS 4
|
||||
.IP "\fInone\fR" 4
|
||||
.IX Item "none"
|
||||
Disable transparent proxy support. This is the default.
|
||||
.IP "\fIsource\fR" 4
|
||||
.IX Item "source"
|
||||
Re-write address to appear as if wrapped daemon is connecting
|
||||
from the \s-1SSL\s0 client machine instead of the machine running \fBstunnel\fR.
|
||||
.Sp
|
||||
This option is currently available in:
|
||||
.RS 4
|
||||
.IP "Remote mode (\fIconnect\fR option) on \fILinux >=2.6.28\fR" 4
|
||||
.IX Item "Remote mode (connect option) on Linux >=2.6.28"
|
||||
This configuration requires \fBstunnel\fR to be executed as root and without
|
||||
\&\fIsetuid\fR option.
|
||||
.Sp
|
||||
This configuration requires the following setup for iptables and routing
|
||||
(possibly in /etc/rc.local or equivalent file):
|
||||
.Sp
|
||||
.Vb 7
|
||||
\& iptables \-t mangle \-N DIVERT
|
||||
\& iptables \-t mangle \-A PREROUTING \-p tcp \-m socket \-j DIVERT
|
||||
\& iptables \-t mangle \-A DIVERT \-j MARK \-\-set\-mark 1
|
||||
\& iptables \-t mangle \-A DIVERT \-j ACCEPT
|
||||
\& ip rule add fwmark 1 lookup 100
|
||||
\& ip route add local 0.0.0.0/0 dev lo table 100
|
||||
\& echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
|
||||
.Ve
|
||||
.Sp
|
||||
\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option.
|
||||
.IP "Remote mode (\fIconnect\fR option) on \fILinux 2.2.x\fR" 4
|
||||
.IX Item "Remote mode (connect option) on Linux 2.2.x"
|
||||
This configuration requires kernel to be compiled with \fItransparent proxy\fR
|
||||
option.
|
||||
Connected service must be installed on a separate host.
|
||||
Routing towards the clients has to go through the \fBstunnel\fR box.
|
||||
.Sp
|
||||
\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option.
|
||||
.IP "Remote mode (\fIconnect\fR option) on \fIFreeBSD >=8.0\fR" 4
|
||||
.IX Item "Remote mode (connect option) on FreeBSD >=8.0"
|
||||
This configuration requires additional firewall and routing setup.
|
||||
\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option.
|
||||
.IP "Local mode (\fIexec\fR option)" 4
|
||||
.IX Item "Local mode (exec option)"
|
||||
This configuration works by pre-loading \fIlibstunnel.so\fR shared library.
|
||||
_RLD_LIST environment variable is used on Tru64, and \s-1LD_PRELOAD\s0 variable on
|
||||
other platforms.
|
||||
.RE
|
||||
.RS 4
|
||||
.RE
|
||||
.IP "\fIdestination\fR" 4
|
||||
.IX Item "destination"
|
||||
Original destination is used instead of \fIconnect\fR option.
|
||||
.Sp
|
||||
A service section for transparent destination may look like this:
|
||||
.Sp
|
||||
.Vb 4
|
||||
\& [transparent]
|
||||
\& client=yes
|
||||
\& accept=<stunnel_port>
|
||||
\& transparent=destination
|
||||
.Ve
|
||||
.Sp
|
||||
This configuration requires the following setup for iptables
|
||||
(possibly in /etc/rc.local or equivalent file):
|
||||
.Sp
|
||||
.Vb 2
|
||||
\& /sbin/iptables \-I INPUT \-i eth0 \-p tcp \-\-dport <stunnel_port> \-j ACCEPT
|
||||
\& /sbin/iptables \-t nat \-I PREROUTING \-i eth0 \-p tcp \-\-dport <redirected_port> \-j DNAT \-\-to\-destination <local_ip>:<stunnel_port>
|
||||
.Ve
|
||||
.Sp
|
||||
Transparent destination option is currently only supported on Linux.
|
||||
.IP "\fIboth\fR" 4
|
||||
.IX Item "both"
|
||||
Use both \fIsource\fR and \fIdestination\fR transparent proxy.
|
||||
.RE
|
||||
.RS 4
|
||||
.Sp
|
||||
Two legacy options are also supported for backward compatibility:
|
||||
.IP "\fIyes\fR" 4
|
||||
.IX Item "yes"
|
||||
This options has been renamed to \fIsource\fR.
|
||||
.IP "\fIno\fR" 4
|
||||
.IX Item "no"
|
||||
This options has been renamed to \fInone\fR.
|
||||
.RE
|
||||
.RS 4
|
||||
.RE
|
||||
.IP "\fBverify\fR = level" 4
|
||||
.IX Item "verify = level"
|
||||
verify peer certificate
|
||||
.RS 4
|
||||
.IP "level 0" 4
|
||||
.IX Item "level 0"
|
||||
Request and ignore peer certificate.
|
||||
.IP "level 1" 4
|
||||
.IX Item "level 1"
|
||||
Verify peer certificate if present.
|
||||
.IP "level 2" 4
|
||||
.IX Item "level 2"
|
||||
Verify peer certificate.
|
||||
.IP "level 3" 4
|
||||
.IX Item "level 3"
|
||||
Verify peer with locally installed certificate.
|
||||
.IP "level 4" 4
|
||||
.IX Item "level 4"
|
||||
Ignore \s-1CA\s0 chain and only verify peer certificate.
|
||||
.IP "default" 4
|
||||
.IX Item "default"
|
||||
No verify.
|
||||
.RE
|
||||
.RS 4
|
||||
.Sp
|
||||
It is important to understand, that this option was solely designed for access
|
||||
control and not for authorization. Specifically for level 2 every non-revoked
|
||||
certificate is accepted regardless of its Common Name. For this reason a
|
||||
dedicated \s-1CA\s0 should be used with level 2, and not a generic \s-1CA\s0 commonly used
|
||||
for webservers. Level 3 is preferred for point-to-point connections.
|
||||
.RE
|
||||
.SH "RETURN VALUE"
|
||||
.IX Header "RETURN VALUE"
|
||||
\&\fBstunnel\fR returns zero on success, non-zero on error.
|
||||
.SH "SIGNALS"
|
||||
.IX Header "SIGNALS"
|
||||
The following signals can be used to control \fBstunnel\fR in Unix environment:
|
||||
.IP "\s-1SIGHUP\s0" 4
|
||||
.IX Item "SIGHUP"
|
||||
Force a reload of the configuration file.
|
||||
.Sp
|
||||
Some global options will not be reloaded:
|
||||
.RS 4
|
||||
.IP "\(bu" 4
|
||||
chroot
|
||||
.IP "\(bu" 4
|
||||
foreground
|
||||
.IP "\(bu" 4
|
||||
pid
|
||||
.IP "\(bu" 4
|
||||
setgid
|
||||
.IP "\(bu" 4
|
||||
setuid
|
||||
.RE
|
||||
.RS 4
|
||||
.Sp
|
||||
The use of 'setuid' option will also prevent \fBstunnel\fR from binding privileged
|
||||
(<1024) ports during configuration reloading.
|
||||
.Sp
|
||||
When 'chroot' option is used, \fBstunnel\fR will look for all its files (including
|
||||
configuration file, certificates, log file and pid file) within the chroot
|
||||
jail.
|
||||
.RE
|
||||
.IP "\s-1SIGUSR1\s0" 4
|
||||
.IX Item "SIGUSR1"
|
||||
Close and reopen \fBstunnel\fR log file.
|
||||
This function can be used for log rotation.
|
||||
.IP "\s-1SIGTERM\s0, \s-1SIGQUIT\s0, \s-1SIGINT\s0" 4
|
||||
.IX Item "SIGTERM, SIGQUIT, SIGINT"
|
||||
Shut \fBstunnel\fR down.
|
||||
.PP
|
||||
The result of sending any other signals to the server is undefined.
|
||||
.SH "EXAMPLES"
|
||||
.IX Header "EXAMPLES"
|
||||
In order to provide \s-1SSL\s0 encapsulation to your local \fIimapd\fR service, use
|
||||
.PP
|
||||
.Vb 4
|
||||
\& [imapd]
|
||||
\& accept = 993
|
||||
\& exec = /usr/sbin/imapd
|
||||
\& execargs = imapd
|
||||
.Ve
|
||||
.PP
|
||||
If you want to provide tunneling to your \fIpppd\fR daemon on port 2020,
|
||||
use something like
|
||||
.PP
|
||||
.Vb 5
|
||||
\& [vpn]
|
||||
\& accept = 2020
|
||||
\& exec = /usr/sbin/pppd
|
||||
\& execargs = pppd local
|
||||
\& pty = yes
|
||||
.Ve
|
||||
.PP
|
||||
If you want to use \fBstunnel\fR in \fIinetd\fR mode to launch your imapd
|
||||
process, you'd use this \fIstunnel.conf\fR.
|
||||
Note there must be no \fI[service_name]\fR section.
|
||||
.PP
|
||||
.Vb 2
|
||||
\& exec = /usr/sbin/imapd
|
||||
\& execargs = imapd
|
||||
.Ve
|
||||
.SH "NOTES"
|
||||
.IX Header "NOTES"
|
||||
.SS "\s-1RESTRICTIONS\s0"
|
||||
.IX Subsection "RESTRICTIONS"
|
||||
\&\fBstunnel\fR cannot be used for the \s-1FTP\s0 daemon because of the nature
|
||||
of the \s-1FTP\s0 protocol which utilizes multiple ports for data transfers.
|
||||
There are available \s-1SSL\s0 enabled versions of \s-1FTP\s0 and telnet daemons, however.
|
||||
.SS "\s-1INETD\s0 \s-1MODE\s0"
|
||||
.IX Subsection "INETD MODE"
|
||||
The most common use of \fBstunnel\fR is to listen on a network
|
||||
port and establish communication with either a new port
|
||||
via the connect option, or a new program via the \fIexec\fR option.
|
||||
However there is a special case when you wish to have
|
||||
some other program accept incoming connections and
|
||||
launch \fBstunnel\fR, for example with \fIinetd\fR, \fIxinetd\fR,
|
||||
or \fItcpserver\fR.
|
||||
.PP
|
||||
For example, if you have the following line in \fIinetd.conf\fR:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
|
||||
.Ve
|
||||
.PP
|
||||
In these cases, the \fIinetd\fR\-style program is responsible
|
||||
for binding a network socket (\fIimaps\fR above) and handing
|
||||
it to \fBstunnel\fR when a connection is received.
|
||||
Thus you do not want \fBstunnel\fR to have any \fIaccept\fR option.
|
||||
All the \fIService Level Options\fR should be placed in the
|
||||
global options section, and no \fI[service_name]\fR section
|
||||
will be present. See the \fI\s-1EXAMPLES\s0\fR section for example
|
||||
configurations.
|
||||
.SS "\s-1CERTIFICATES\s0"
|
||||
.IX Subsection "CERTIFICATES"
|
||||
Each \s-1SSL\s0 enabled daemon needs to present a valid X.509 certificate
|
||||
to the peer. It also needs a private key to decrypt the incoming
|
||||
data. The easiest way to obtain a certificate and a key is to
|
||||
generate them with the free \fBOpenSSL\fR package. You can find more
|
||||
information on certificates generation on pages listed below.
|
||||
.PP
|
||||
The order of contents of the \fI.pem\fR file is important. It should contain the
|
||||
unencrypted private key first, then a signed certificate (not certificate
|
||||
request). There should be also empty lines after certificate and private key.
|
||||
Plaintext certificate information appended on the top of generated certificate
|
||||
should be discarded. So the file should look like this:
|
||||
.PP
|
||||
.Vb 8
|
||||
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
|
||||
\& [encoded key]
|
||||
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
|
||||
\& [empty line]
|
||||
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
|
||||
\& [encoded certificate]
|
||||
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
|
||||
\& [empty line]
|
||||
.Ve
|
||||
.SS "\s-1RANDOMNESS\s0"
|
||||
.IX Subsection "RANDOMNESS"
|
||||
\&\fBstunnel\fR needs to seed the \s-1PRNG\s0 (pseudo random number generator) in
|
||||
order for \s-1SSL\s0 to use good randomness. The following sources are loaded
|
||||
in order until sufficient random data has been gathered:
|
||||
.IP "\(bu" 4
|
||||
The file specified with the \fIRNDfile\fR flag.
|
||||
.IP "\(bu" 4
|
||||
The file specified by the \s-1RANDFILE\s0 environment variable, if set.
|
||||
.IP "\(bu" 4
|
||||
The file .rnd in your home directory, if \s-1RANDFILE\s0 not set.
|
||||
.IP "\(bu" 4
|
||||
The file specified with '\-\-with\-random' at compile time.
|
||||
.IP "\(bu" 4
|
||||
The contents of the screen if running on Windows.
|
||||
.IP "\(bu" 4
|
||||
The egd socket specified with the \fI\s-1EGD\s0\fR flag.
|
||||
.IP "\(bu" 4
|
||||
The egd socket specified with '\-\-with\-egd\-sock' at compile time.
|
||||
.IP "\(bu" 4
|
||||
The /dev/urandom device.
|
||||
.PP
|
||||
With recent (\fBOpenSSL 0.9.5a\fR or later) version of \s-1SSL\s0 it will stop loading
|
||||
random data automatically when sufficient entropy has been gathered. With
|
||||
previous versions it will continue to gather from all the above sources since
|
||||
no \s-1SSL\s0 function exists to tell when enough data is available.
|
||||
.PP
|
||||
Note that on Windows machines that do not have console user interaction
|
||||
(mouse movements, creating windows, etc.) the screen contents are not
|
||||
variable enough to be sufficient, and you should provide a random file
|
||||
for use with the \fIRNDfile\fR flag.
|
||||
.PP
|
||||
Note that the file specified with the \fIRNDfile\fR flag should contain
|
||||
random data \*(-- that means it should contain different information
|
||||
each time \fBstunnel\fR is run. This is handled automatically
|
||||
unless the \fIRNDoverwrite\fR flag is used. If you wish to update this file
|
||||
manually, the \fIopenssl rand\fR command in recent versions of \fBOpenSSL\fR,
|
||||
would be useful.
|
||||
.PP
|
||||
Important note: If /dev/urandom is available, \fBOpenSSL\fR often seeds the \s-1PRNG\s0
|
||||
with it while checking the random state. On systems with /dev/urandom
|
||||
\&\fBOpenSSL\fR is likely to use it even though it is listed at the very bottom of
|
||||
the list above. This is the behaviour of \fBOpenSSL\fR and not \fBstunnel\fR.
|
||||
.SS "\s-1DH\s0 \s-1PARAMETERS\s0"
|
||||
.IX Subsection "DH PARAMETERS"
|
||||
Stunnel 4.40 and later contains hardcoded 2048\-bit \s-1DH\s0 parameters.
|
||||
.PP
|
||||
It is also possible to specify \s-1DH\s0 parameters in the certificate file:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& openssl dhparam 2048 >> stunnel.pem
|
||||
.Ve
|
||||
.PP
|
||||
\&\s-1DH\s0 parameter generation may take several minutes.
|
||||
.SH "FILES"
|
||||
.IX Header "FILES"
|
||||
.IP "\fIstunnel.conf\fR" 4
|
||||
.IX Item "stunnel.conf"
|
||||
\&\fBstunnel\fR configuration file
|
||||
.SH "BUGS"
|
||||
.IX Header "BUGS"
|
||||
Option \fIexecargs\fR and Win32 command line does not support quoting.
|
||||
.SH "SEE ALSO"
|
||||
.IX Header "SEE ALSO"
|
||||
.IP "\fItcpd\fR\|(8)" 4
|
||||
.IX Item "tcpd"
|
||||
access control facility for internet services
|
||||
.IP "\fIinetd\fR\|(8)" 4
|
||||
.IX Item "inetd"
|
||||
internet 'super\-server'
|
||||
.IP "\fIhttp://www.stunnel.org/\fR" 4
|
||||
.IX Item "http://www.stunnel.org/"
|
||||
\&\fBstunnel\fR homepage
|
||||
.IP "\fIhttp://www.openssl.org/\fR" 4
|
||||
.IX Item "http://www.openssl.org/"
|
||||
\&\fBOpenSSL\fR project website
|
||||
.SH "AUTHOR"
|
||||
.IX Header "AUTHOR"
|
||||
.IP "Michał Trojnara" 4
|
||||
.IX Item "Michał Trojnara"
|
||||
<\fIMichal.Trojnara@mirt.net\fR>
|
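Review bot: the removed doc/stunnel.8 carries documentation defects that should not be carried over into the doc/stunnel.8.in that replaces it (that file's diff is suppressed here, so it cannot be checked from this page). The IPv6 example under the accept option reads `connect = :::port` although the option being described is accept; sslVersion still lists `Allowed options: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2` with no caution, while the renegotiation and sessionCacheSize entries do warn about their DoS exposure; and the AUTHOR entry still gives `<Michal.Trojnara@mirt.net>`. Minor typos in the deleted text ("cuves", "undocummented", "must also to be executed", "This options has been renamed") are worth a check in the template too. Please confirm the .in template corrects these, or state in the commit message that the generated page is now produced from the template so that future doc fixes land there.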
1395
doc/stunnel.8.in
Normal file
File diff suppressed because it is too large
574
doc/stunnel.fr.8
@ -1,574 +0,0 @@
|
||||
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
|
||||
.\"
|
||||
.\" Standard preamble:
|
||||
.\" ========================================================================
|
||||
.de Sp \" Vertical space (when we can't use .PP)
|
||||
.if t .sp .5v
|
||||
.if n .sp
|
||||
..
|
||||
.de Vb \" Begin verbatim text
|
||||
.ft CW
|
||||
.nf
|
||||
.ne \\$1
|
||||
..
|
||||
.de Ve \" End verbatim text
|
||||
.ft R
|
||||
.fi
|
||||
..
|
||||
.\" Set up some character translations and predefined strings. \*(-- will
|
||||
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
|
||||
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
|
||||
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
|
||||
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
|
||||
.\" nothing in troff, for use with C<>.
|
||||
.tr \(*W-
|
||||
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
|
||||
.ie n \{\
|
||||
. ds -- \(*W-
|
||||
. ds PI pi
|
||||
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
|
||||
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
|
||||
. ds L" ""
|
||||
. ds R" ""
|
||||
. ds C` ""
|
||||
. ds C' ""
|
||||
'br\}
|
||||
.el\{\
|
||||
. ds -- \|\(em\|
|
||||
. ds PI \(*p
|
||||
. ds L" ``
|
||||
. ds R" ''
|
||||
'br\}
|
||||
.\"
|
||||
.\" Escape single quotes in literal strings from groff's Unicode transform.
|
||||
.ie \n(.g .ds Aq \(aq
|
||||
.el .ds Aq '
|
||||
.\"
|
||||
.\" If the F register is turned on, we'll generate index entries on stderr for
|
||||
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
|
||||
.\" entries marked with X<> in POD. Of course, you'll have to process the
|
||||
.\" output yourself in some meaningful fashion.
|
||||
.ie \nF \{\
|
||||
. de IX
|
||||
. tm Index:\\$1\t\\n%\t"\\$2"
|
||||
..
|
||||
. nr % 0
|
||||
. rr F
|
||||
.\}
|
||||
.el \{\
|
||||
. de IX
|
||||
..
|
||||
.\}
|
||||
.\" ========================================================================
|
||||
.\"
|
||||
.IX Title "STUNNEL.FR 8"
|
||||
.TH STUNNEL.FR 8 "2013.03.19" "4.56" "stunnel"
|
||||
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
|
||||
.\" way too many mistakes in technical documents.
|
||||
.if n .ad l
|
||||
.nh
|
||||
.SH "NOM"
|
||||
.IX Header "NOM"
|
||||
stunnel \- tunnel \s-1SSL\s0 universel
|
||||
.SH "SYNOPSIS"
|
||||
.IX Header "SYNOPSIS"
|
||||
.IP "\fBUnix:\fR" 4
|
||||
.IX Item "Unix:"
|
||||
\&\fBstunnel\fR [fichier] | \-fd [n] | \-help | \-version | \-sockets
|
||||
.IP "\fB\s-1WIN32:\s0\fR" 4
|
||||
.IX Item "WIN32:"
|
||||
\&\fBstunnel\fR [fichier] | \-install | \-uninstall | \-help | \-version | \-sockets
|
||||
.SH "DESCRIPTION"
|
||||
.IX Header "DESCRIPTION"
|
||||
Le programme \fBstunnel\fR est conçu pour fonctionner comme une couche
|
||||
de chiffrement \fI\s-1SSL\s0\fR entre des clients distants et des serveurs locaux
|
||||
(\fIinetd\fR\-démarrables) ou distants. Le concept est qu'à partir de daemons
|
||||
non-SSL présents sur le système, on peut facilement les configurer pour
|
||||
communiquer avec des clients sur des liens sécurisés \s-1SSL\s0.
|
||||
.PP
|
||||
\&\fBstunnel\fR peut être utilisé pour ajouter des fonctionnalités \s-1SSL\s0 à des
|
||||
daemons classiques \fIInetd\fR tels que les serveurs \s-1POP\-2\s0, \s-1POP\-3\s0 et \s-1IMAP\s0,
|
||||
à d'autres autonomes tels que \s-1NNTP\s0, \s-1SMTP\s0 et \s-1HTTP\s0, ainsi que pour tunneliser
|
||||
\&\s-1PPP\s0 sur des sockets réseau sans modification du code source.
|
||||
.PP
|
||||
Ce produit inclut du code de chiffrement écrit par
|
||||
Eric Young (eay@cryptsoft.com)
|
||||
.SH "OPTIONS"
|
||||
.IX Header "OPTIONS"
|
||||
.IP "\fB[fichier]\fR" 4
|
||||
.IX Item "[fichier]"
|
||||
Utilisation du fichier de configuration spécifié.
|
||||
.IP "\fB\-fd [n]\fR (Unix seulement)" 4
|
||||
.IX Item "-fd [n] (Unix seulement)"
|
||||
Lecture du fichier de configuration depuis le descripteur de
|
||||
fichier indiqué.
|
||||
.IP "\fB\-help\fR" 4
|
||||
.IX Item "-help"
|
||||
Affiche le menu d'aide de \fBstunnel\fR.
|
||||
.IP "\fB\-version\fR" 4
|
||||
.IX Item "-version"
|
||||
Affiche la version de \fBstunnel\fR et les options de compilation.
|
||||
.IP "\fB\-sockets\fR" 4
|
||||
.IX Item "-sockets"
|
||||
Affiche les options socket par défaut.
|
||||
.IP "\fB\-install\fR (\s-1NT/2000/XP\s0 seulement)" 4
|
||||
.IX Item "-install (NT/2000/XP seulement)"
|
||||
Installe un service \s-1NT\s0.
|
||||
.IP "\fB\-uninstall\fR (\s-1NT/2000/XP\s0 only)" 4
|
||||
.IX Item "-uninstall (NT/2000/XP only)"
|
||||
Désinstalle un service \s-1NT\s0.
|
||||
.SH "FICHIER DE CONFIGURATION"
|
||||
.IX Header "FICHIER DE CONFIGURATION"
|
||||
Chaque ligne du fichier de configuration peut être soit :
|
||||
.IP "\(bu" 4
|
||||
une ligne vide (ignorée) ;
|
||||
.IP "\(bu" 4
|
||||
un commentaire commençant par « # » (ignoré) ;
|
||||
.IP "\(bu" 4
|
||||
une paire « option = valeur » ;
|
||||
.IP "\(bu" 4
|
||||
« [service_name] » indiquant le début de la définition d'un service ;
|
||||
.SS "\s-1OPTIONS\s0 \s-1GLOBALES\s0"
|
||||
.IX Subsection "OPTIONS GLOBALES"
|
||||
.IP "\fBCApath\fR = répertoire" 4
|
||||
.IX Item "CApath = répertoire"
|
||||
Répertoire des autorités de certification (\s-1CA\s0)
|
||||
.Sp
|
||||
C'est le répertoire dans lequel \fBstunnel\fR cherche les certificats si
|
||||
l'on utilise \fIverify\fR. Les certificats doivent être dénommés selon la
|
||||
forme \s-1XXXXXXXX\s0.0, où \s-1XXXXXXXX\s0 est la valeur de hachage du certificat.
|
||||
.Sp
|
||||
Le cas échéant, le répertoire \fICApath\fR est relatif au répertoire \fIchroot\fR.
|
||||
.IP "\fBCAfile\fR = fichier" 4
|
||||
.IX Item "CAfile = fichier"
|
||||
Fichier d'autorités de certification
|
||||
.Sp
|
||||
Ce fichier, utilisé avec \fIverify\fR, contient plusieurs certificats de \s-1CA\s0.
|
||||
.IP "\fBcert\fR = fichier" 4
|
||||
.IX Item "cert = fichier"
|
||||
Fichier de chaîne de certificats \s-1PEM\s0
|
||||
.Sp
|
||||
Une \s-1PEM\s0 est toujours nécessaire en mode serveur.
|
||||
En mode client, cette option utilise cette \s-1PEM\s0 comme une chaîne côté client.
|
||||
L'utilisation de certificats côté client est optionnelle. Les certificats
|
||||
doivent être au format \s-1PEM\s0 et triés par ordre de niveau décroissant (\s-1CA\s0 racine
|
||||
en premier).
|
||||
.IP "\fBchroot\fR = répertoire (Unix seulement)" 4
|
||||
.IX Item "chroot = répertoire (Unix seulement)"
|
||||
Répertoire de chroot du processus \fBstunnel\fR
|
||||
.Sp
|
||||
\&\fBchroot\fR enferme \fBstunnel\fR dans une cellule chroot. \fICApath\fR, \fICRLpath\fR, \fIpid\fR
|
||||
et \fIexec\fR sont situés à l'intérieur de la cellule et les répertoires doivent être
|
||||
relatifs au répertoire correspondant.
|
||||
.Sp
|
||||
Pour que le contrôle de libwrap (wrappeur \s-1TCP\s0) soit effectif dans un environnement
|
||||
chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et
|
||||
/etc/hosts.deny).
|
||||
.IP "\fBciphers\fR = listes de chiffre" 4
|
||||
.IX Item "ciphers = listes de chiffre"
|
||||
Sélection des chiffres \s-1SSL\s0 autorisés
|
||||
.Sp
|
||||
Liste délimitée par deux-points (« : ») des chiffres autorisés pour la connexion \s-1SSL\s0.
|
||||
Exemple : \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
|
||||
.IP "\fBclient\fR = yes | no" 4
|
||||
.IX Item "client = yes | no"
|
||||
Mode client (Le service distant utilise \s-1SSL\s0)
|
||||
.Sp
|
||||
Par défaut : no (mode server)
|
||||
.IP "\fBCRLpath\fR = répertoire" 4
|
||||
.IX Item "CRLpath = répertoire"
|
||||
Répertoire des listes de révocation de certificats (\s-1CRL\s0)
|
||||
.Sp
|
||||
C'est le répertoire dans lequel \fBstunnel\fR recherche les \s-1CRL\s0 avec
|
||||
l'option \fIverify\fR. Les \s-1CRL\s0 doivent être dénommés selon la
|
||||
forme \s-1XXXXXXXX\s0.0 où \s-1XXXXXXXX\s0 est la valeur de hachage de la \s-1CRL\s0.
|
||||
.Sp
|
||||
Le cas échéant, le répertoire \fICRLpath\fR est relatif au répertoire \fIchroot\fR.
|
||||
.IP "\fBCRLfile\fR = fichier" 4
|
||||
.IX Item "CRLfile = fichier"
|
||||
Fichier de listes de révocation de certificats (\s-1CRL\s0)
|
||||
.Sp
|
||||
Ce fichier, utilisé avec \fIverify\fR, contient plusieurs \s-1CRL\s0.
|
||||
.IP "\fBdebug\fR = [facilité.]niveau" 4
|
||||
.IX Item "debug = [facilité.]niveau"
|
||||
niveau de déverminage
|
||||
.Sp
|
||||
Le niveau est un nom ou un numéro conforme à ceux de syslog :
|
||||
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
|
||||
info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux
|
||||
numériquement inférieurs seront affichées. \fBdebug = debug\fR ou
|
||||
\&\fBdebug = 7\fR donneront le maximum d'informations. La valeur par défaut
|
||||
est notice (5).
|
||||
.Sp
|
||||
La facilité syslog « daemon » est utilisée, sauf si un autre nom est spécifié
|
||||
(Win32 ne permet pas l'usage des facilités.)
|
||||
.Sp
|
||||
La casse est ignorée, aussi bien pour la facilité que pour le niveau.
|
||||
.IP "\fB\s-1EGD\s0\fR = chemin (Unix seulement)" 4
|
||||
.IX Item "EGD = chemin (Unix seulement)"
|
||||
Emplacement du socket du daemon de recueil d'entropie (\s-1EGD\s0 \- Entropy Gathering Daemon)
|
||||
.Sp
|
||||
Socket \s-1EGD\s0 à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible
|
||||
seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur).
|
||||
.IP "\fBforeground\fR = yes | no (Unix seulement)" 4
|
||||
.IX Item "foreground = yes | no (Unix seulement)"
|
||||
Mode avant-plan
|
||||
.Sp
|
||||
Reste en avant-plan (sans fork) et dirige la trace sur stderr
|
||||
au lieu de syslog (sauf si \fBoutput\fR est spécifié).
|
||||
.Sp
|
||||
Par défault : arrière\-plan en mode daemon.
|
||||
.IP "\fBkey\fR = fichier" 4
|
||||
.IX Item "key = fichier"
|
||||
Fichier de clef privée pour le certificat spécifié par \fIcert\fR
|
||||
.Sp
|
||||
La clef privée est nécessaire pour authentifier le titulaire du
|
||||
certificat.
|
||||
Puisque ce fichier doit rester secret, il ne doit être lisible que
|
||||
par son propriétaire. Sur les systèmes Unix, on peut utiliser la
|
||||
commande suivante :
|
||||
.Sp
|
||||
.Vb 1
|
||||
\& chmod 600 fichier
|
||||
.Ve
|
||||
.Sp
|
||||
Par défault : Valeur de \fIcert\fR
|
||||
.IP "\fBoptions\fR = Options_SSL" 4
|
||||
.IX Item "options = Options_SSL"
|
||||
Options de la bibliothèque OpenSSL
|
||||
.Sp
|
||||
Le paramètre est l'option OpenSSL décrite dans la page de man
|
||||
\&\fI\fISSL_CTX_set_options\fI\|(3ssl)\fR, débarassée du préfixe \fI\s-1SSL_OP_\s0\fR.
|
||||
Plusieurs \fIoptions\fR peuvent être spécifiées.
|
||||
.Sp
|
||||
Par exemple, pour la compatibilité avec l'implantation \s-1SSL\s0 défaillante
|
||||
d'Eudora, on peut utiliser :
|
||||
.Sp
|
||||
.Vb 1
|
||||
\& options = DONT_INSERT_EMPTY_FRAGMENTS
|
||||
.Ve
|
||||
.IP "\fBoutput\fR = fichier" 4
|
||||
.IX Item "output = fichier"
|
||||
Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.
|
||||
.Sp
|
||||
/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard
|
||||
(par exemple pour les traiter avec les outils splogger).
|
||||
.IP "\fBpid\fR = fichier (Unix seulement)" 4
|
||||
.IX Item "pid = fichier (Unix seulement)"
|
||||
Emplacement du fichier pid
|
||||
.Sp
|
||||
Si l'argument est vide, aucun fichier ne sera créé.
|
||||
.Sp
|
||||
Le cas échéant, le chemin \fIpid\fR est relatif au répertoire \fIchroot\fR.
|
||||
.IP "\fBRNDbytes\fR = nombre" 4
|
||||
.IX Item "RNDbytes = nombre"
|
||||
Nombre d'octets à lire depuis les fichiers de « sel » aléatoire
|
||||
.Sp
|
||||
Avec les \s-1SSL\s0 de version inférieure à 0.9.5a, détermine aussi le nombre
|
||||
d'octets considérés comme suffisants pour « saler » le \s-1PRNG\s0. Les versions plus
|
||||
récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire
|
||||
est suffisant.
|
||||
.IP "\fBRNDfile\fR = fichier" 4
|
||||
.IX Item "RNDfile = fichier"
|
||||
chemin du fichier de données de « sel » aléatoire
|
||||
.Sp
|
||||
La bibliothèque \s-1SSL\s0 utilise prioritairement les données de ce fichier pour
|
||||
« saler » le générateur d'aléatoire.
|
||||
.IP "\fBRNDoverwrite\fR = yes | no" 4
|
||||
.IX Item "RNDoverwrite = yes | no"
|
||||
Recouvre les fichiers de « sel » avec de nouvelles données aléatoires.
|
||||
.Sp
|
||||
Par défaut : yes
|
||||
.IP "\fBservice\fR = nom" 4
|
||||
.IX Item "service = nom"
|
||||
Définit le nom de service à utiliser
|
||||
.Sp
|
||||
\&\fBSous Unix :\fR nom de service du mode \fIinetd\fR pour la bibliothèque \s-1TCP\s0 Wrapper.
|
||||
.Sp
|
||||
Par défaut : stunnel
|
||||
.IP "\fBsession\fR = timeout" 4
|
||||
.IX Item "session = timeout"
|
||||
Timeout du cache de session
|
||||
.IP "\fBsetgid\fR = nom (Unix seulement)" 4
|
||||
.IX Item "setgid = nom (Unix seulement)"
|
||||
Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)
|
||||
.IP "\fBsetuid\fR = nom (Unix seulement)" 4
|
||||
.IX Item "setuid = nom (Unix seulement)"
|
||||
Nom d'utilisateur utilisé en mode daemon
|
||||
.IP "\fBsocket\fR = a|l|r:option=valeur[:valeur]" 4
|
||||
.IX Item "socket = a|l|r:option=valeur[:valeur]"
|
||||
Configure une option de socket accept (a), locale (l) ou distante (r)
|
||||
.Sp
|
||||
Les valeurs de l'option linger sont : l_onof:l_linger.
|
||||
Les valeurs de l'option time sont : tv_sec:tv_usec.
|
||||
.Sp
|
||||
Exemples :
|
||||
.Sp
|
||||
.Vb 9
|
||||
\& socket = l:SO_LINGER=1:60
|
||||
\& définit un délai d\*(Aqune minute pour la clôture des sockets locaux
|
||||
\& socket = r:SO_OOBINLINE=yes
|
||||
\& Place directement les données hors\-bande dans le flux de réception
|
||||
\& des sockets distants
|
||||
\& socket = a:SO_REUSEADDR=no
|
||||
\& désactive la réutilisation d\*(Aqadresses (activée par défaut)
|
||||
\& socket = a:SO_BINDTODEVICE=lo
|
||||
\& limite l\*(Aqacceptation des connexions sur la seule interface de bouclage
|
||||
.Ve
|
||||
.IP "\fBtaskbar\fR = yes | no (\s-1WIN32\s0 seulement)" 4
|
||||
.IX Item "taskbar = yes | no (WIN32 seulement)"
|
||||
active l'icône de la barre de tâches
|
||||
.Sp
|
||||
Par défaut : yes
|
||||
.IP "\fBverify\fR = niveau" 4
|
||||
.IX Item "verify = niveau"
|
||||
Vérifie le certificat du correspondant
|
||||
.Sp
|
||||
.Vb 3
|
||||
\& niveau 1 \- vérifie le certificat s\*(Aqil est présent
|
||||
\& niveau 2 \- vérifie le certificat
|
||||
\& niveau 3 \- contrôle le correspondant avec le certificat local
|
||||
.Ve
|
||||
.Sp
|
||||
Par défaut \- pas de vérification
|
||||
.SS "\s-1OPTIONS\s0 \s-1DE\s0 \s-1SERVICE\s0"
|
||||
.IX Subsection "OPTIONS DE SERVICE"
|
||||
Chaque section de configuration commence par le nom du service entre crochets.
|
||||
Celui-ci est utilisé par le contrôle d'accès de libwrap (\s-1TCP\s0 Wrappers) et sert
|
||||
à distinguer les services \fBstunnel\fR dans les fichiers de traces.
|
||||
.PP
|
||||
Si l'on souhaite utiliser \fBstunnel\fR en mode \fIinetd\fR (lorsqu'un socket lui est
|
||||
fourni par un serveur comme \fIinetd\fR, \fIxinetd\fR ou \fItcpserver\fR), il faut se
|
||||
reporter à la section \fI\s-1MODE\s0 \s-1INETD\s0\fR plus bas.
|
||||
.IP "\fBaccept\fR = [hôte:]port" 4
|
||||
.IX Item "accept = [hôte:]port"
|
||||
Accepte des connexions sur le port spécifié
|
||||
.Sp
|
||||
Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses \s-1IP\s0 de
|
||||
la machine locale.
|
||||
.IP "\fBconnect\fR = [hôte:]port" 4
|
||||
.IX Item "connect = [hôte:]port"
|
||||
Se connecte au port distant indiqué
|
||||
.Sp
|
||||
Par défaut, l'hôte est localhost.
|
||||
.IP "\fBdelay\fR = yes | no" 4
|
||||
.IX Item "delay = yes | no"
|
||||
Retarde la recherche \s-1DNS\s0 pour l'option « connect »
|
||||
.IP "\fBexec\fR = chemin_exécutable (Unix seulement)" 4
|
||||
.IX Item "exec = chemin_exécutable (Unix seulement)"
|
||||
Exécute un programme local de type inetd
|
||||
.Sp
|
||||
Le cas échéant, le chemin \fIexec\fR est relatif au répertoire \fIchroot\fR.
|
||||
.ie n .IP "\fBexecargs\fR = $0 $1 $2 ... (Unix seulement)" 4
|
||||
.el .IP "\fBexecargs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ... (Unix seulement)" 4
|
||||
.IX Item "execargs = $0 $1 $2 ... (Unix seulement)"
|
||||
Arguments pour \fIexec\fR, y compris le nom du programme ($0)
|
||||
.Sp
|
||||
Les quotes ne peuvent actuellement pas être utilisées.
|
||||
Les arguments sont séparés par un nombre quelconque d'espaces.
|
||||
.IP "\fBident\fR = nom" 4
|
||||
.IX Item "ident = nom"
|
||||
Applique le contrôle d'identité d'utilisateur \s-1IDENT\s0 (\s-1RFC\s0 1413)
|
||||
.IP "\fBlocal\fR = hôte" 4
|
||||
.IX Item "local = hôte"
|
||||
Adresse \s-1IP\s0 de l'interface de sortie utilisée pour les connexions distantes.
|
||||
Cette option permet de relier une adresse statique locale.
|
||||
.IP "\fBprotocol\fR = protocole" 4
|
||||
.IX Item "protocol = protocole"
|
||||
Négocie avec \s-1SSL\s0 selon le protocole indiqué
|
||||
.Sp
|
||||
Actuellement gérés : cifs, nntp, pop3, smtp
|
||||
.IP "\fBpty\fR = yes | no (Unix seulement)" 4
|
||||
.IX Item "pty = yes | no (Unix seulement)"
|
||||
Alloue un pseudo-terminal pour l'option « exec »
|
||||
.IP "\fBTIMEOUTbusy\fR = secondes" 4
|
||||
.IX Item "TIMEOUTbusy = secondes"
|
||||
Durée d'attente de données
|
||||
.IP "\fBTIMEOUTclose\fR = secondes" 4
|
||||
.IX Item "TIMEOUTclose = secondes"
|
||||
Durée d'attente du close_notify (mis à 0 pour \s-1MSIE\s0 qui est bogué)
|
||||
.IP "\fBTIMEOUTidle\fR = secondes" 4
|
||||
.IX Item "TIMEOUTidle = secondes"
|
||||
Durée d'attente sur une connexion inactive
|
||||
.IP "\fBtransparent\fR = yes | no (Unix seulement)" 4
|
||||
.IX Item "transparent = yes | no (Unix seulement)"
|
||||
Mode mandataire transparent
|
||||
.Sp
|
||||
Ré\-écrit les adresses pour qu'elles apparaissent provenir de la
|
||||
machine client \s-1SSL\s0 plutôt que de celle qui exécute \fBstunnel\fR.
|
||||
Cette option n'est disponible en mode local (option \fIexec\fR) qu'avec
|
||||
la bibliothèque partagée LD_PRELOADing env.so shared library et en mode
|
||||
distant (option \fIconnect\fR) sur les noyaux Linux 2.2 compilés avec
|
||||
l'option \fItransparent proxy\fR et seulement en mode serveur. Cette
|
||||
option ne se combine pas au mode mandataire (\fIconnect\fR) sauf si la
|
||||
route par défaut du client vers la cible passe par l'hôte qui fait
|
||||
tourner \fBstunnel\fR, qui ne peut être localhost.
|
||||
.SH "VALEUR DE RETOUR"
|
||||
.IX Header "VALEUR DE RETOUR"
|
||||
\&\fBstunnel\fR renvoie zéro en cas de succès, une autre valeur en cas d'erreur.
|
||||
.SH "EXEMPLES"
|
||||
.IX Header "EXEMPLES"
|
||||
Pour encapsuler votre service \fIimapd\fR local avec \s-1SSL\s0 :
|
||||
.PP
|
||||
.Vb 4
|
||||
\& [imapd]
|
||||
\& accept = 993
|
||||
\& exec = /usr/sbin/imapd
|
||||
\& execargs = imapd
|
||||
.Ve
|
||||
.PP
|
||||
Pour tunneliser un daemon \fIpppd\fR sur le port 2020 :
|
||||
.PP
|
||||
.Vb 5
|
||||
\& [vpn]
|
||||
\& accept = 2020
|
||||
\& exec = /usr/sbin/pppd
|
||||
\& execargs = pppd local
|
||||
\& pty = yes
|
||||
.Ve
|
||||
.PP
|
||||
Configuration de \fIstunnel.conf\fR pour utiliser \fBstunnel\fR en mode \fIinetd\fR
|
||||
qui lance imapd à son tour (il ne doit pas y avoir de section \fI[service_name]\fR) :
|
||||
.PP
|
||||
.Vb 2
|
||||
\& exec = /usr/sbin/imapd
|
||||
\& execargs = imapd
|
||||
.Ve
|
||||
.SH "FICHIERS"
|
||||
.IX Header "FICHIERS"
|
||||
.IP "\fIstunnel.conf\fR" 4
|
||||
.IX Item "stunnel.conf"
|
||||
Fichier de configuration de \fBstunnel\fR
|
||||
.IP "\fIstunnel.pem\fR" 4
|
||||
.IX Item "stunnel.pem"
|
||||
Certificat et clef privée de \fBstunnel\fR
|
||||
.SH "BOGUES"
|
||||
.IX Header "BOGUES"
|
||||
L'option \fIexecargs\fR n'admet pas les quotes.
|
||||
.SH "RESTRICTIONS"
|
||||
.IX Header "RESTRICTIONS"
|
||||
\&\fBstunnel\fR ne peut être utilisé pour le daemon \s-1FTP\s0 en raison de la nature
|
||||
du protocole \s-1FTP\s0 qui utilise des ports multiples pour les transferts de données.
|
||||
Il existe cependant des versions \s-1SSL\s0 de \s-1FTP\s0 et de telnet.
|
||||
.SH "NOTES"
|
||||
.IX Header "NOTES"
|
||||
.SS "\s-1MODE\s0 \s-1INETD\s0"
|
||||
.IX Subsection "MODE INETD"
|
||||
L'utilisation la plus commune de \fBstunnel\fR consiste à écouter un port
|
||||
réseau et à établir une communication, soit avec un nouveau port
|
||||
avec l'option \fIconnect\fR, soit avec un programme avec l'option \fIexec\fR.
|
||||
On peut parfois cependant souhaiter qu'un autre programme reçoive les
|
||||
connexions entrantes et lance \fBstunnel\fR, par exemple avec \fIinetd\fR,
|
||||
\&\fIxinetd\fR ou \fItcpserver\fR.
|
||||
.PP
|
||||
Si, par exemple, la ligne suivante se trouve dans \fIinetd.conf\fR :
|
||||
.PP
|
||||
.Vb 1
|
||||
\& imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
|
||||
.Ve
|
||||
.PP
|
||||
Dans ces cas, c'est le programme du genre \fIinetd\fR\-style qui est
|
||||
responsable de l'établissement de la connexion (\fIimaps\fR ci-dessus) et de passer
|
||||
celle-ci à \fBstunnel\fR.
|
||||
Ainsi, \fBstunnel\fR ne doit alors avoir aucune option \fIaccept\fR.
|
||||
Toutes les \fIoptions de niveau service\fR doivent être placées dans
|
||||
la section des options globales et aucune section \fI[service_name]\fR ne doit
|
||||
être présente. Voir la section \fI\s-1EXEMPLES\s0\fR pour des exemples de configurations.
|
||||
.SS "\s-1CERTIFICATS\s0"
|
||||
.IX Subsection "CERTIFICATS"
|
||||
Chaque daemon à propriétés \s-1SSL\s0 doit présenter un certificat X.509
|
||||
valide à son interlocuteur. Il a aussi besoin d'une clef privé pour
|
||||
déchiffrer les données entrantes. La méthode la plus simple pour
|
||||
obtenir un certificat et une clef est d'engendrer celles-ci avec
|
||||
le paquetage libre \fIOpenSSL\fR. Plus d'informations sur la génération de
|
||||
certificats se trouvent dans les pages indiquées plus bas.
|
||||
.PP
|
||||
Deux choses importantes lors de la génération de paires certificat-clef
|
||||
pour \fBstunnel\fR :
|
||||
.IP "\(bu" 4
|
||||
la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen
|
||||
d'obtenir le mot de passe de l'utilisateur ; pour produire une clef non chiffrée,
|
||||
ajouter l'option \fI\-nodes\fR à la commande \fBreq\fR de \fIOpenSSL\fR ;
|
||||
.IP "\(bu" 4
|
||||
l'ordre du contenu du fichier \fI.pem\fR est significatif : il doit contenir d'abord
|
||||
une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat).
|
||||
Il doit aussi y avoir des lignes vides après le certificat et après la clef privée.
|
||||
L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que
|
||||
le fichier ait l'allure suivante :
|
||||
.Sp
|
||||
.Vb 8
|
||||
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
|
||||
\& [clef encodée]
|
||||
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
|
||||
\& [ligne vide]
|
||||
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
|
||||
\& [certificat encodé]
|
||||
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
|
||||
\& [ligne vide]
|
||||
.Ve
|
||||
.SS "\s-1ALEATOIRE\s0"
|
||||
.IX Subsection "ALEATOIRE"
|
||||
\&\fBstunnel\fR doit « saler » le générateur de pseudo\-aléatoires \s-1PRNG\s0 (pseudo random
|
||||
number generator) afin que \s-1SSL\s0 utilise un aléatoire de qualité. Les sources suivantes
|
||||
sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lue :
|
||||
.IP "\(bu" 4
|
||||
le fichier spécifié par \fIRNDfile\fR ;
|
||||
.IP "\(bu" 4
|
||||
le fichier spécifié par la variable d'environnement \s-1RANDFILE\s0, à défaut
|
||||
le fichier .rnd du répertoire \f(CW$HOME\fR de l'utilisateur ;
|
||||
.IP "\(bu" 4
|
||||
le fichier spécifié par « \-\-with\-random » lors de la compilation ;
|
||||
.IP "\(bu" 4
|
||||
le contenu de l'écran (MS-Windows seulement) ;
|
||||
.IP "\(bu" 4
|
||||
le socket \s-1EGD\s0 spécifié par \fI\s-1EGD\s0\fR ;
|
||||
.IP "\(bu" 4
|
||||
le socket \s-1EGD\s0 spécifié par « \-\-with\-egd\-sock » lors de la compilation ;
|
||||
.IP "\(bu" 4
|
||||
le périphérique /dev/urandom.
|
||||
.PP
|
||||
Avec un OpenSSL récent (>=OpenSSL 0.9.5a) le chargement de données s'arrête
|
||||
automatiquement lorsqu'un niveau d'entropie suffisant est atteint.
|
||||
Les versions précédentes continuent à lire toutes les sources puisqu'aucune
|
||||
fonction \s-1SSL\s0 ne leur permet de savoir que suffisamment de données sont disponibles.
|
||||
.PP
|
||||
Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console,
|
||||
(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est
|
||||
pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire
|
||||
par le biais de \fIRNDfile\fR.
|
||||
.PP
|
||||
Le fichier spécifié par \fIRNDfile\fR doit contenir des informations aléatoires \*(--
|
||||
c'est\-à\-dire des informations différentes à chaque lancement de \fBstunnel\fR.
|
||||
Cela est géré automatiquement sauf si l'option \fIRNDoverwrite\fR est utilisée.
|
||||
Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la
|
||||
commande \fIopenssl rand\fR des versions récentes d'OpenSSL sera sans doute utile.
|
||||
.PP
|
||||
Note importante : si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser
|
||||
celui-ci pour « saler » le \s-1PRNG\s0 même lorsqu'il contrôle l'état de l'aléatoire ;
|
||||
ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable
|
||||
qu'il soit utilisé s'il est présent.
|
||||
Ce n'est pas le comportement de \fBstunnel\fR, c'est celui d'OpenSSL.
|
||||
.SH "VOIR AUSSI"
|
||||
.IX Header "VOIR AUSSI"
|
||||
.IP "\fItcpd\fR\|(8)" 4
|
||||
.IX Item "tcpd"
|
||||
Service de contrôle d'accès pour les services internet
|
||||
.IP "\fIinetd\fR\|(8)" 4
|
||||
.IX Item "inetd"
|
||||
« super-serveur » internet
|
||||
.IP "\fIhttp://www.stunnel.org/\fR" 4
|
||||
.IX Item "http://www.stunnel.org/"
|
||||
Page de référence de \fBstunnel\fR
|
||||
.IP "\fIhttp://www.openssl.org/\fR" 4
|
||||
.IX Item "http://www.openssl.org/"
|
||||
Site web du projet OpenSSL
|
||||
.SH "AUTEUR"
|
||||
.IX Header "AUTEUR"
|
||||
.IP "Michał Trojnara" 4
|
||||
.IX Item "Michał Trojnara"
|
||||
<\fIMichal.Trojnara@mirt.net\fR>
|
||||
.SH "ADAPTATION FRANÇAISE"
|
||||
.IX Header "ADAPTATION FRANÇAISE"
|
||||
.IP "Bernard Choppy" 4
|
||||
.IX Item "Bernard Choppy"
|
||||
<\fIchoppy \s-1AT\s0 free \s-1POINT\s0 fr\fR>
|
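Review bot: dropping this file is the right call but deserves a line in the changelog, because what is removed is the stale 4.56 French translation (the `.TH STUNNEL.FR 8 "2013.03.19" "4.56"` line) and its guidance no longer matches the English page: it documents `verify` as a three-level option with "pas de vérification" as the default, tells the reader the private key in the `.pem` file "ne peut être chiffrée", and describes PRNG seeding through `EGD` and `RNDbytes` in terms of OpenSSL 0.9.5a. Leaving such a page installed next to the current `stunnel.8` would mislead French-speaking operators on the verification and key-handling defaults, so removal is safer than keeping it unmaintained; the commit message should state that the translation was removed rather than updated, and the doc install list should be checked so nothing still references doc/stunnel.fr.8 or the HTML copy deleted in the following hunk.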
@ -1,670 +0,0 @@
|
||||
<?xml version="1.0" ?>
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
||||
<html xmlns="http://www.w3.org/1999/xhtml">
|
||||
<head>
|
||||
<title>stunnel.8</title>
|
||||
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
|
||||
<link rev="made" href="mailto:root@localhost" />
|
||||
</head>
|
||||
|
||||
<body style="background-color: white">
|
||||
|
||||
|
||||
<!-- INDEX BEGIN -->
|
||||
<div name="index">
|
||||
<p><a name="__index__"></a></p>
|
||||
<!--
|
||||
|
||||
<ul>
|
||||
|
||||
<li><a href="#nom">NOM</a></li>
|
||||
<li><a href="#synopsis">SYNOPSIS</a></li>
|
||||
<li><a href="#description">DESCRIPTION</a></li>
|
||||
<li><a href="#options">OPTIONS</a></li>
|
||||
<li><a href="#fichier_de_configuration">FICHIER DE CONFIGURATION</a></li>
|
||||
<ul>
|
||||
|
||||
<li><a href="#options_globales">OPTIONS GLOBALES</a></li>
|
||||
<li><a href="#options_de_service">OPTIONS DE SERVICE</a></li>
|
||||
</ul>
|
||||
|
||||
<li><a href="#valeur_de_retour">VALEUR DE RETOUR</a></li>
|
||||
<li><a href="#exemples">EXEMPLES</a></li>
|
||||
<li><a href="#fichiers">FICHIERS</a></li>
|
||||
<li><a href="#bogues">BOGUES</a></li>
|
||||
<li><a href="#restrictions">RESTRICTIONS</a></li>
|
||||
<li><a href="#notes">NOTES</a></li>
|
||||
<ul>
|
||||
|
||||
<li><a href="#mode_inetd">MODE INETD</a></li>
|
||||
<li><a href="#certificats">CERTIFICATS</a></li>
|
||||
<li><a href="#aleatoire">ALEATOIRE</a></li>
|
||||
</ul>
|
||||
|
||||
<li><a href="#voir_aussi">VOIR AUSSI</a></li>
|
||||
<li><a href="#auteur">AUTEUR</a></li>
|
||||
<li><a href="#adaptation_fran__aise">ADAPTATION FRANÇAISE</a></li>
|
||||
</ul>
|
||||
|
||||
-->
|
||||
|
||||
|
||||
</div>
|
||||
<!-- INDEX END -->
|
||||
|
||||
<p>
|
||||
</p>
|
||||
<h1><a name="nom">NOM</a></h1>
|
||||
<p>stunnel - tunnel SSL universel</p>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="synopsis">SYNOPSIS</a></h1>
|
||||
<dl>
|
||||
<dt><strong><a name="unix" class="item"><strong>Unix:</strong></a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p><strong>stunnel</strong> [fichier] | -fd [n] | -help | -version | -sockets</p>
|
||||
</dd>
|
||||
<dt><strong><a name="win32" class="item"><strong>WIN32:</strong></a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p><strong>stunnel</strong> [fichier] | -install | -uninstall | -help | -version | -sockets</p>
|
||||
</dd>
|
||||
</dl>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="description">DESCRIPTION</a></h1>
|
||||
<p>Le programme <strong>stunnel</strong> est conçu pour fonctionner comme une couche
|
||||
de chiffrement <em>SSL</em> entre des clients distants et des serveurs locaux
|
||||
(<em>inetd</em>-démarrables) ou distants. Le concept est qu'à partir de daemons
|
||||
non-SSL présents sur le système, on peut facilement les configurer pour
|
||||
communiquer avec des clients sur des liens sécurisés SSL.</p>
|
||||
<p><strong>stunnel</strong> peut être utilisé pour ajouter des fonctionnalités SSL à des
|
||||
daemons classiques <em>Inetd</em> tels que les serveurs POP-2, POP-3 et IMAP,
|
||||
à d'autres autonomes tels que NNTP, SMTP et HTTP, ainsi que pour tunneliser
|
||||
PPP sur des sockets réseau sans modification du code source.</p>
|
||||
<p>Ce produit inclut du code de chiffrement écrit par
|
||||
Eric Young (<a href="mailto:eay@cryptsoft.com">eay@cryptsoft.com</a>)</p>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="options">OPTIONS</a></h1>
|
||||
<dl>
|
||||
<dt><strong><a name="fichier" class="item"><strong>[fichier]</strong></a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Utilisation du fichier de configuration spécifié.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="fd_n_unix_seulement" class="item"><strong>-fd [n]</strong> (Unix seulement)</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Lecture du fichier de configuration depuis le descripteur de
|
||||
fichier indiqué.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="help" class="item"><strong>-help</strong></a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Affiche le menu d'aide de <strong>stunnel</strong>.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="version" class="item"><strong>-version</strong></a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Affiche la version de <strong>stunnel</strong> et les options de compilation.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="sockets" class="item"><strong>-sockets</strong></a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Affiche les options socket par défaut.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="install" class="item"><strong>-install</strong> (NT/2000/XP seulement)</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Installe un service NT.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="uninstall" class="item"><strong>-uninstall</strong> (NT/2000/XP only)</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Désinstalle un service NT.</p>
|
||||
</dd>
|
||||
</dl>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="fichier_de_configuration">FICHIER DE CONFIGURATION</a></h1>
|
||||
<p>Chaque ligne du fichier de configuration peut être soit :</p>
<ul>
<li>
<p>une ligne vide (ignorée) ;</p>
</li>
<li>
<p>un commentaire commençant par « # » (ignoré) ;</p>
</li>
<li>
<p>une paire « option = valeur » ;</p>
</li>
<li>
<p>« [service_name] » indiquant le début de la définition d'un service ;</p>
</li>
</ul>
<p>
</p>
<h2><a name="options_globales">OPTIONS GLOBALES</a></h2>
<dl>
<dt><strong><a name="capath_r_pertoire" class="item"><strong>CApath</strong> = répertoire</a></strong></dt>

<dd>
<p>Répertoire des autorités de certification (CA)</p>
<p>C'est le répertoire dans lequel <strong>stunnel</strong> cherche les certificats si
l'on utilise <em>verify</em>. Les certificats doivent être dénommés selon la
forme XXXXXXXX.0, où XXXXXXXX est la valeur de hachage du certificat.</p>
<p>Le cas échéant, le répertoire <em>CApath</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<dt><strong><a name="cafile_fichier" class="item"><strong>CAfile</strong> = fichier</a></strong></dt>

<dd>
<p>Fichier d'autorités de certification</p>
<p>Ce fichier, utilisé avec <em>verify</em>, contient plusieurs certificats de CA.</p>
</dd>
<dt><strong><a name="cert_fichier" class="item"><strong>cert</strong> = fichier</a></strong></dt>

<dd>
<p>Fichier de chaîne de certificats PEM</p>
<p>Une PEM est toujours nécessaire en mode serveur.
En mode client, cette option utilise cette PEM comme une chaîne côté client.
L'utilisation de certificats côté client est optionnelle. Les certificats
doivent être au format PEM et triés par ordre de niveau décroissant (CA racine
en premier).</p>
</dd>
<dt><strong><a name="pertoire" class="item"><strong>chroot</strong> = répertoire (Unix seulement)</a></strong></dt>

<dd>
<p>Répertoire de chroot du processus <strong>stunnel</strong></p>
<p><strong>chroot</strong> enferme <strong>stunnel</strong> dans une cellule chroot. <em>CApath</em>, <em>CRLpath</em>, <em>pid</em>
et <em>exec</em> sont situés à l'intérieur de la cellule et les répertoires doivent être
relatifs au répertoire correspondant.</p>
<p>Pour que le contrôle de libwrap (wrappeur TCP) soit effectif dans un environnement
chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et
/etc/hosts.deny).</p>
</dd>
<dt><strong><a name="ciphers_listes_de_chiffre" class="item"><strong>ciphers</strong> = listes de chiffre</a></strong></dt>

<dd>
<p>Sélection des chiffres SSL autorisés</p>
<p>Liste délimitée par deux-points (« : ») des chiffres autorisés pour la connexion SSL.
Exemple : DES-CBC3-SHA:IDEA-CBC-MD5</p>
</dd>
<dt><strong><a name="client_yes_no" class="item"><strong>client</strong> = yes | no</a></strong></dt>

<dd>
<p>Mode client (Le service distant utilise SSL)</p>
<p>Par défaut : no (mode server)</p>
</dd>
<dt><strong><a name="crlpath_r_pertoire" class="item"><strong>CRLpath</strong> = répertoire</a></strong></dt>

<dd>
<p>Répertoire des listes de révocation de certificats (CRL)</p>
<p>C'est le répertoire dans lequel <strong>stunnel</strong> recherche les CRL avec
l'option <em>verify</em>. Les CRL doivent être dénommés selon la
forme XXXXXXXX.0 où XXXXXXXX est la valeur de hachage de la CRL.</p>
<p>Le cas échéant, le répertoire <em>CRLpath</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<dt><strong><a name="crlfile_fichier" class="item"><strong>CRLfile</strong> = fichier</a></strong></dt>

<dd>
<p>Fichier de listes de révocation de certificats (CRL)</p>
<p>Ce fichier, utilisé avec <em>verify</em>, contient plusieurs CRL.</p>
</dd>
<dt><strong><a name="debug_facilit_niveau" class="item"><strong>debug</strong> = [facilité.]niveau</a></strong></dt>

<dd>
<p>niveau de déverminage</p>
<p>Le niveau est un nom ou un numéro conforme à ceux de syslog :
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux
numériquement inférieurs seront affichées. <strong>debug = debug</strong> ou
<strong>debug = 7</strong> donneront le maximum d'informations. La valeur par défaut
est notice (5).</p>
<p>La facilité syslog « daemon » est utilisée, sauf si un autre nom est spécifié
(Win32 ne permet pas l'usage des facilités.)</p>
<p>La casse est ignorée, aussi bien pour la facilité que pour le niveau.</p>
</dd>
<dt><strong><a name="chemin" class="item"><strong>EGD</strong> = chemin (Unix seulement)</a></strong></dt>

<dd>
<p>Emplacement du socket du daemon de recueil d'entropie (EGD - Entropy Gathering Daemon)</p>
<p>Socket EGD à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible
seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur).</p>
</dd>
<dt><strong><a name="no" class="item"><strong>foreground</strong> = yes | no (Unix seulement)</a></strong></dt>

<dd>
<p>Mode avant-plan</p>
<p>Reste en avant-plan (sans fork) et dirige la trace sur stderr
au lieu de syslog (sauf si <strong>output</strong> est spécifié).</p>
<p>Par défault : arrière-plan en mode daemon.</p>
</dd>
<dt><strong><a name="key_fichier" class="item"><strong>key</strong> = fichier</a></strong></dt>

<dd>
<p>Fichier de clef privée pour le certificat spécifié par <em>cert</em></p>
<p>La clef privée est nécessaire pour authentifier le titulaire du
certificat.
Puisque ce fichier doit rester secret, il ne doit être lisible que
par son propriétaire. Sur les systèmes Unix, on peut utiliser la
commande suivante :</p>
<pre>
chmod 600 fichier</pre>
<p>Par défault : Valeur de <em>cert</em></p>
</dd>
<dt><strong><a name="options_options_ssl" class="item"><strong>options</strong> = Options_SSL</a></strong></dt>

<dd>
<p>Options de la bibliothèque OpenSSL</p>
<p>Le paramètre est l'option OpenSSL décrite dans la page de man
<em>SSL_CTX_set_options(3ssl)</em>, débarassée du préfixe <em>SSL_OP_</em>.
Plusieurs <em>options</em> peuvent être spécifiées.</p>
<p>Par exemple, pour la compatibilité avec l'implantation SSL défaillante
d'Eudora, on peut utiliser :</p>
<pre>
options = DONT_INSERT_EMPTY_FRAGMENTS</pre>
</dd>
<dt><strong><a name="output_fichier" class="item"><strong>output</strong> = fichier</a></strong></dt>

<dd>
<p>Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.</p>
<p>/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard
(par exemple pour les traiter avec les outils splogger).</p>
</dd>
<dt><strong><strong>pid</strong> = fichier (Unix seulement)</strong></dt>

<dd>
<p>Emplacement du fichier pid</p>
<p>Si l'argument est vide, aucun fichier ne sera créé.</p>
<p>Le cas échéant, le chemin <em>pid</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<dt><strong><a name="rndbytes_nombre" class="item"><strong>RNDbytes</strong> = nombre</a></strong></dt>

<dd>
<p>Nombre d'octets à lire depuis les fichiers de « sel » aléatoire</p>
<p>Avec les SSL de version inférieure à 0.9.5a, détermine aussi le nombre
d'octets considérés comme suffisants pour « saler » le PRNG. Les versions plus
récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire
est suffisant.</p>
</dd>
<dt><strong><a name="rndfile_fichier" class="item"><strong>RNDfile</strong> = fichier</a></strong></dt>

<dd>
<p>chemin du fichier de données de « sel » aléatoire</p>
<p>La bibliothèque SSL utilise prioritairement les données de ce fichier pour
« saler » le générateur d'aléatoire.</p>
</dd>
<dt><strong><a name="rndoverwrite_yes_no" class="item"><strong>RNDoverwrite</strong> = yes | no</a></strong></dt>

<dd>
<p>Recouvre les fichiers de « sel » avec de nouvelles données aléatoires.</p>
<p>Par défaut : yes</p>
</dd>
<dt><strong><a name="service_nom" class="item"><strong>service</strong> = nom</a></strong></dt>

<dd>
<p>Définit le nom de service à utiliser</p>
<p><strong>Sous Unix :</strong> nom de service du mode <em>inetd</em> pour la bibliothèque TCP Wrapper.</p>
<p>Par défaut : stunnel</p>
</dd>
<dt><strong><a name="session_timeout" class="item"><strong>session</strong> = timeout</a></strong></dt>

<dd>
<p>Timeout du cache de session</p>
</dd>
<dt><strong><a name="nom" class="item"><strong>setgid</strong> = nom (Unix seulement)</a></strong></dt>

<dd>
<p>Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)</p>
</dd>
<dt><strong><strong>setuid</strong> = nom (Unix seulement)</strong></dt>

<dd>
<p>Nom d'utilisateur utilisé en mode daemon</p>
</dd>
<dt><strong><a name="socket_a_l_r_option_valeur_valeur" class="item"><strong>socket</strong> = a|l|r:option=valeur[:valeur]</a></strong></dt>

<dd>
<p>Configure une option de socket accept (a), locale (l) ou distante (r)</p>
<p>Les valeurs de l'option linger sont : l_onof:l_linger.
Les valeurs de l'option time sont : tv_sec:tv_usec.</p>
<p>Exemples :</p>
<pre>
socket = l:SO_LINGER=1:60
définit un délai d'une minute pour la clôture des sockets locaux
socket = r:SO_OOBINLINE=yes
Place directement les données hors-bande dans le flux de réception
des sockets distants
socket = a:SO_REUSEADDR=no
désactive la réutilisation d'adresses (activée par défaut)
socket = a:SO_BINDTODEVICE=lo
limite l'acceptation des connexions sur la seule interface de bouclage</pre>
</dd>
<dt><strong><strong>taskbar</strong> = yes | no (WIN32 seulement)</strong></dt>

<dd>
<p>active l'icône de la barre de tâches</p>
<p>Par défaut : yes</p>
</dd>
<dt><strong><a name="verify_niveau" class="item"><strong>verify</strong> = niveau</a></strong></dt>

<dd>
<p>Vérifie le certificat du correspondant</p>
<pre>
niveau 1 - vérifie le certificat s'il est présent
niveau 2 - vérifie le certificat
niveau 3 - contrôle le correspondant avec le certificat local</pre>
<p>Par défaut - pas de vérification</p>
</dd>
</dl>
<p>
</p>
<h2><a name="options_de_service">OPTIONS DE SERVICE</a></h2>
<p>Chaque section de configuration commence par le nom du service entre crochets.
Celui-ci est utilisé par le contrôle d'accès de libwrap (TCP Wrappers) et sert
à distinguer les services <strong>stunnel</strong> dans les fichiers de traces.</p>
<p>Si l'on souhaite utiliser <strong>stunnel</strong> en mode <em>inetd</em> (lorsqu'un socket lui est
fourni par un serveur comme <em>inetd</em>, <em>xinetd</em> ou <em>tcpserver</em>), il faut se
reporter à la section <em>MODE INETD</em> plus bas.</p>
<dl>
<dt><strong><a name="accept_h_te_port" class="item"><strong>accept</strong> = [hôte:]port</a></strong></dt>

<dd>
<p>Accepte des connexions sur le port spécifié</p>
<p>Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses IP de
la machine locale.</p>
</dd>
<dt><strong><a name="connect_h_te_port" class="item"><strong>connect</strong> = [hôte:]port</a></strong></dt>

<dd>
<p>Se connecte au port distant indiqué</p>
<p>Par défaut, l'hôte est localhost.</p>
</dd>
<dt><strong><a name="delay_yes_no" class="item"><strong>delay</strong> = yes | no</a></strong></dt>

<dd>
<p>Retarde la recherche DNS pour l'option « connect »</p>
</dd>
<dt><strong><a name="cutable" class="item"><strong>exec</strong> = chemin_exécutable (Unix seulement)</a></strong></dt>

<dd>
<p>Exécute un programme local de type inetd</p>
<p>Le cas échéant, le chemin <em>exec</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<dt><strong><a name="execargs_0_1_2_unix_seulement" class="item"><strong>execargs</strong> = $0 $1 $2 ... (Unix seulement)</a></strong></dt>

<dd>
<p>Arguments pour <em>exec</em>, y compris le nom du programme ($0)</p>
<p>Les quotes ne peuvent actuellement pas être utilisées.
Les arguments sont séparés par un nombre quelconque d'espaces.</p>
</dd>
<dt><strong><a name="ident_nom" class="item"><strong>ident</strong> = nom</a></strong></dt>

<dd>
<p>Applique le contrôle d'identité d'utilisateur IDENT (<a href="http://www.ietf.org/rfc/rfc1413.txt" class="rfc">RFC 1413</a>)</p>
</dd>
<dt><strong><a name="local_h_te" class="item"><strong>local</strong> = hôte</a></strong></dt>

<dd>
<p>Adresse IP de l'interface de sortie utilisée pour les connexions distantes.
Cette option permet de relier une adresse statique locale.</p>
</dd>
<dt><strong><a name="protocol_protocole" class="item"><strong>protocol</strong> = protocole</a></strong></dt>

<dd>
<p>Négocie avec SSL selon le protocole indiqué</p>
<p>Actuellement gérés : cifs, nntp, pop3, smtp</p>
</dd>
<dt><strong><strong>pty</strong> = yes | no (Unix seulement)</strong></dt>

<dd>
<p>Alloue un pseudo-terminal pour l'option « exec »</p>
</dd>
<dt><strong><a name="timeoutbusy_secondes" class="item"><strong>TIMEOUTbusy</strong> = secondes</a></strong></dt>

<dd>
<p>Durée d'attente de données</p>
</dd>
<dt><strong><a name="timeoutclose_secondes" class="item"><strong>TIMEOUTclose</strong> = secondes</a></strong></dt>

<dd>
<p>Durée d'attente du close_notify (mis à 0 pour MSIE qui est bogué)</p>
</dd>
<dt><strong><a name="timeoutidle_secondes" class="item"><strong>TIMEOUTidle</strong> = secondes</a></strong></dt>

<dd>
<p>Durée d'attente sur une connexion inactive</p>
</dd>
<dt><strong><strong>transparent</strong> = yes | no (Unix seulement)</strong></dt>

<dd>
<p>Mode mandataire transparent</p>
<p>Ré-écrit les adresses pour qu'elles apparaissent provenir de la
machine client SSL plutôt que de celle qui exécute <strong>stunnel</strong>.
Cette option n'est disponible en mode local (option <em>exec</em>) qu'avec
la bibliothèque partagée LD_PRELOADing env.so shared library et en mode
distant (option <em>connect</em>) sur les noyaux Linux 2.2 compilés avec
l'option <em>transparent proxy</em> et seulement en mode serveur. Cette
option ne se combine pas au mode mandataire (<em>connect</em>) sauf si la
route par défaut du client vers la cible passe par l'hôte qui fait
tourner <strong>stunnel</strong>, qui ne peut être localhost.</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="valeur_de_retour">VALEUR DE RETOUR</a></h1>
<p><strong>stunnel</strong> renvoie zéro en cas de succès, une autre valeur en cas d'erreur.</p>
<p>
</p>
<hr />
<h1><a name="exemples">EXEMPLES</a></h1>
<p>Pour encapsuler votre service <em>imapd</em> local avec SSL :</p>
<pre>
[imapd]
accept = 993
exec = /usr/sbin/imapd
execargs = imapd</pre>
<p>Pour tunneliser un daemon <em>pppd</em> sur le port 2020 :</p>
<pre>
[vpn]
accept = 2020
exec = /usr/sbin/pppd
execargs = pppd local
pty = yes</pre>
<p>Configuration de <em>stunnel.conf</em> pour utiliser <strong>stunnel</strong> en mode <em>inetd</em>
qui lance imapd à son tour (il ne doit pas y avoir de section <em>[service_name]</em>) :</p>
<pre>
exec = /usr/sbin/imapd
execargs = imapd</pre>
<p>
</p>
<hr />
<h1><a name="fichiers">FICHIERS</a></h1>
<dl>
<dt><strong><a name="stunnel_conf" class="item"><em class="file">stunnel.conf</em></a></strong></dt>

<dd>
<p>Fichier de configuration de <strong>stunnel</strong></p>
</dd>
<dt><strong><a name="stunnel_pem" class="item"><em class="file">stunnel.pem</em></a></strong></dt>

<dd>
<p>Certificat et clef privée de <strong>stunnel</strong></p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="bogues">BOGUES</a></h1>
<p>L'option <em>execargs</em> n'admet pas les quotes.</p>
<p>
</p>
<hr />
<h1><a name="restrictions">RESTRICTIONS</a></h1>
<p><strong>stunnel</strong> ne peut être utilisé pour le daemon FTP en raison de la nature
du protocole FTP qui utilise des ports multiples pour les transferts de données.
Il existe cependant des versions SSL de FTP et de telnet.</p>
<p>
</p>
<hr />
<h1><a name="notes">NOTES</a></h1>
<p>
</p>
<h2><a name="mode_inetd">MODE INETD</a></h2>
<p>L'utilisation la plus commune de <strong>stunnel</strong> consiste à écouter un port
réseau et à établir une communication, soit avec un nouveau port
avec l'option <em>connect</em>, soit avec un programme avec l'option <em>exec</em>.
On peut parfois cependant souhaiter qu'un autre programme reçoive les
connexions entrantes et lance <strong>stunnel</strong>, par exemple avec <em>inetd</em>,
<em>xinetd</em> ou <em>tcpserver</em>.</p>
<p>Si, par exemple, la ligne suivante se trouve dans <em>inetd.conf</em> :</p>
<pre>
imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf</pre>
<p>Dans ces cas, c'est le programme du genre <em>inetd</em>-style qui est
responsable de l'établissement de la connexion (<em>imaps</em> ci-dessus) et de passer
celle-ci à <strong>stunnel</strong>.
Ainsi, <strong>stunnel</strong> ne doit alors avoir aucune option <em>accept</em>.
Toutes les <em>options de niveau service</em> doivent être placées dans
la section des options globales et aucune section <em>[service_name]</em> ne doit
être présente. Voir la section <em>EXEMPLES</em> pour des exemples de configurations.</p>
<p>
</p>
<h2><a name="certificats">CERTIFICATS</a></h2>
<p>Chaque daemon à propriétés SSL doit présenter un certificat X.509
valide à son interlocuteur. Il a aussi besoin d'une clef privé pour
déchiffrer les données entrantes. La méthode la plus simple pour
obtenir un certificat et une clef est d'engendrer celles-ci avec
le paquetage libre <em>OpenSSL</em>. Plus d'informations sur la génération de
certificats se trouvent dans les pages indiquées plus bas.</p>
<p>Deux choses importantes lors de la génération de paires certificat-clef
pour <strong>stunnel</strong> :</p>
<ul>
<li>
<p>la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen
d'obtenir le mot de passe de l'utilisateur ; pour produire une clef non chiffrée,
ajouter l'option <em>-nodes</em> à la commande <strong>req</strong> de <em>OpenSSL</em> ;</p>
</li>
<li>
<p>l'ordre du contenu du fichier <em>.pem</em> est significatif : il doit contenir d'abord
une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat).
Il doit aussi y avoir des lignes vides après le certificat et après la clef privée.
L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que
le fichier ait l'allure suivante :</p>
<pre>
-----BEGIN RSA PRIVATE KEY-----
[clef encodée]
-----END RSA PRIVATE KEY-----
[ligne vide]
-----BEGIN CERTIFICATE-----
[certificat encodé]
-----END CERTIFICATE-----
[ligne vide]</pre>
</li>
</ul>
<p>
</p>
<h2><a name="aleatoire">ALEATOIRE</a></h2>
<p><strong>stunnel</strong> doit « saler » le générateur de pseudo-aléatoires PRNG (pseudo random
number generator) afin que SSL utilise un aléatoire de qualité. Les sources suivantes
sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lue :</p>
<ul>
<li>
<p>le fichier spécifié par <em>RNDfile</em> ;</p>
</li>
<li>
<p>le fichier spécifié par la variable d'environnement RANDFILE, à défaut
le fichier .rnd du répertoire $HOME de l'utilisateur ;</p>
</li>
<li>
<p>le fichier spécifié par « --with-random » lors de la compilation ;</p>
</li>
<li>
<p>le contenu de l'écran (MS-Windows seulement) ;</p>
</li>
<li>
<p>le socket EGD spécifié par <em>EGD</em> ;</p>
</li>
<li>
<p>le socket EGD spécifié par « --with-egd-sock » lors de la compilation ;</p>
</li>
<li>
<p>le périphérique /dev/urandom.</p>
</li>
</ul>
<p>Avec un OpenSSL récent (>=OpenSSL 0.9.5a) le chargement de données s'arrête
automatiquement lorsqu'un niveau d'entropie suffisant est atteint.
Les versions précédentes continuent à lire toutes les sources puisqu'aucune
fonction SSL ne leur permet de savoir que suffisamment de données sont disponibles.</p>
<p>Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console,
(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est
pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire
par le biais de <em>RNDfile</em>.</p>
<p>Le fichier spécifié par <em>RNDfile</em> doit contenir des informations aléatoires --
c'est-à-dire des informations différentes à chaque lancement de <strong>stunnel</strong>.
Cela est géré automatiquement sauf si l'option <em>RNDoverwrite</em> est utilisée.
Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la
commande <em>openssl rand</em> des versions récentes d'OpenSSL sera sans doute utile.</p>
<p>Note importante : si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser
celui-ci pour « saler » le PRNG même lorsqu'il contrôle l'état de l'aléatoire ;
ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable
qu'il soit utilisé s'il est présent.
Ce n'est pas le comportement de <strong>stunnel</strong>, c'est celui d'OpenSSL.</p>
<p>
</p>
<hr />
<h1><a name="voir_aussi">VOIR AUSSI</a></h1>
<dl>
<dt><strong><a name="tcpd" class="item"><a href="#tcpd">tcpd(8)</a></a></strong></dt>

<dd>
<p>Service de contrôle d'accès pour les services internet</p>
</dd>
<dt><strong><a name="inetd" class="item"><a href="#inetd">inetd(8)</a></a></strong></dt>

<dd>
<p>« super-serveur » internet</p>
</dd>
<dt><strong><a name="http_www_stunnel_org" class="item"><em class="file"><a href="http://www.stunnel.org/">http://www.stunnel.org/</a></em></a></strong></dt>

<dd>
<p>Page de référence de <strong>stunnel</strong></p>
</dd>
<dt><strong><a name="http_www_openssl_org" class="item"><em class="file"><a href="http://www.openssl.org/">http://www.openssl.org/</a></em></a></strong></dt>

<dd>
<p>Site web du projet OpenSSL</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="auteur">AUTEUR</a></h1>
<dl>
<dt><strong><a name="micha_trojnara" class="item">Michał Trojnara</a></strong></dt>

<dd>
<p><<em class="file"><a href="mailto:Michal.Trojnara@mirt.net">Michal.Trojnara@mirt.net</a></em>></p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="adaptation_fran__aise">ADAPTATION FRANÇAISE</a></h1>
<dl>
<dt><strong><a name="bernard_choppy" class="item">Bernard Choppy</a></strong></dt>

<dd>
<p><<em class="file">choppy AT free POINT fr</em>></p>
</dd>
</dl>

</body>

</html>
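Review bot: the `options` entry in this hunk presents `options = DONT_INSERT_EMPTY_FRAGMENTS` purely as a workaround for Eudora's broken SSL implementation, without saying that SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS switches off OpenSSL's empty-fragment countermeasure for CBC cipher suites; the entry should state that trade-off so readers do not enable it by default. The rest of the page is also stale in ways a reader may act on (EGD and RNDbytes described in terms of OpenSSL 0.9.5a, `transparent` limited to Linux 2.2 kernels with the transparent-proxy option, the `ciphers` example DES-CBC3-SHA:IDEA-CBC-MD5, the mirt.net author address), so if this French HTML page is kept in the tree rather than dropped by this import it should carry a visible note that the translation is outdated.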
@ -1,636 +0,0 @@
=head1 NOM

=encoding utf8

stunnel - tunnel SSL universel

=head1 SYNOPSIS

=over 4

=item B<Unix:>

B<stunnel> S<[fichier]> | S<-fd [n]> | S<-help> | S<-version> | S<-sockets>

=item B<WIN32:>

B<stunnel> S<[fichier]> | S<-install> | S<-uninstall> | S<-help> | S<-version> | S<-sockets>

=back


=head1 DESCRIPTION

Le programme B<stunnel> est conçu pour fonctionner comme une couche
de chiffrement I<SSL> entre des clients distants et des serveurs locaux
(I<inetd>-démarrables) ou distants. Le concept est qu'à partir de daemons
non-SSL présents sur le système, on peut facilement les configurer pour
communiquer avec des clients sur des liens sécurisés SSL.

B<stunnel> peut être utilisé pour ajouter des fonctionnalités SSL à des
daemons classiques I<Inetd> tels que les serveurs POP-2, POP-3 et IMAP,
à d'autres autonomes tels que NNTP, SMTP et HTTP, ainsi que pour tunneliser
PPP sur des sockets réseau sans modification du code source.

Ce produit inclut du code de chiffrement écrit par
Eric Young (eay@cryptsoft.com)


=head1 OPTIONS

=over 4

=item B<[fichier]>

Utilisation du fichier de configuration spécifié.

=item B<-fd [n]> (Unix seulement)

Lecture du fichier de configuration depuis le descripteur de
fichier indiqué.

=item B<-help>

Affiche le menu d'aide de B<stunnel>.

=item B<-version>

Affiche la version de B<stunnel> et les options de compilation.

=item B<-sockets>

Affiche les options socket par défaut.

=item B<-install> (NT/2000/XP seulement)

Installe un service NT.

=item B<-uninstall> (NT/2000/XP only)

Désinstalle un service NT.

=back


=head1 FICHIER DE CONFIGURATION

Chaque ligne du fichier de configuration peut être soitE<nbsp>:

=over 4

=item *

une ligne vide (ignorée)E<nbsp>;

=item *

un commentaire commençant par «E<nbsp>#E<nbsp>» (ignoré)E<nbsp>;

=item *

une paire «E<nbsp>option = valeurE<nbsp>»E<nbsp>;

=item *

«E<nbsp>[service_name]E<nbsp>» indiquant le début de la définition d'un serviceE<nbsp>;

=back

=head2 OPTIONS GLOBALES

=over 4

=item B<CApath> = répertoire

Répertoire des autorités de certification (CA)

C'est le répertoire dans lequel B<stunnel> cherche les certificats si
l'on utilise I<verify>. Les certificats doivent être dénommés selon la
forme XXXXXXXX.0, où XXXXXXXX est la valeur de hachage du certificat.

Le cas échéant, le répertoire I<CApath> est relatif au répertoire I<chroot>.

=item B<CAfile> = fichier

Fichier d'autorités de certification

Ce fichier, utilisé avec I<verify>, contient plusieurs certificats de CA.

=item B<cert> = fichier

Fichier de chaîne de certificats PEM

Une PEM est toujours nécessaire en mode serveur.
En mode client, cette option utilise cette PEM comme une chaîne côté client.
L'utilisation de certificats côté client est optionnelle. Les certificats
doivent être au format PEM et triés par ordre de niveau décroissant (CA racine
en premier).

=item B<chroot> = répertoire (Unix seulement)

Répertoire de chroot du processus B<stunnel>

B<chroot> enferme B<stunnel> dans une cellule chroot. I<CApath>, I<CRLpath>, I<pid>
et I<exec> sont situés à l'intérieur de la cellule et les répertoires doivent être
relatifs au répertoire correspondant.

Pour que le contrôle de libwrap (wrappeur TCP) soit effectif dans un environnement
chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et
/etc/hosts.deny).

=item B<ciphers> = listes de chiffre

Sélection des chiffres SSL autorisés

Liste délimitée par deux-points («E<nbsp>:E<nbsp>») des chiffres autorisés pour la connexion SSL.
ExempleE<nbsp>: DES-CBC3-SHA:IDEA-CBC-MD5

=item B<client> = yes | no

Mode client (Le service distant utilise SSL)

Par défautE<nbsp>: no (mode server)

=item B<CRLpath> = répertoire

Répertoire des listes de révocation de certificats (CRL)

C'est le répertoire dans lequel B<stunnel> recherche les CRL avec
l'option I<verify>. Les CRL doivent être dénommés selon la
forme XXXXXXXX.0 où XXXXXXXX est la valeur de hachage de la CRL.

Le cas échéant, le répertoire I<CRLpath> est relatif au répertoire I<chroot>.

=item B<CRLfile> = fichier

Fichier de listes de révocation de certificats (CRL)

Ce fichier, utilisé avec I<verify>, contient plusieurs CRL.

=item B<debug> = [facilité.]niveau

niveau de déverminage

Le niveau est un nom ou un numéro conforme à ceux de syslogE<nbsp>:
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux
numériquement inférieurs seront affichées. B<debug = debug> ou
B<debug = 7> donneront le maximum d'informations. La valeur par défaut
est notice (5).

La facilité syslog «E<nbsp>daemonE<nbsp>» est utilisée, sauf si un autre nom est spécifié
(Win32 ne permet pas l'usage des facilités.)

La casse est ignorée, aussi bien pour la facilité que pour le niveau.

=item B<EGD> = chemin (Unix seulement)

Emplacement du socket du daemon de recueil d'entropie (EGD - Entropy Gathering Daemon)

Socket EGD à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible
seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur).

=item B<foreground> = yes | no (Unix seulement)

Mode avant-plan

Reste en avant-plan (sans fork) et dirige la trace sur stderr
au lieu de syslog (sauf si B<output> est spécifié).

Par défaultE<nbsp>: arrière-plan en mode daemon.

=item B<key> = fichier

Fichier de clef privée pour le certificat spécifié par I<cert>

La clef privée est nécessaire pour authentifier le titulaire du
certificat.
Puisque ce fichier doit rester secret, il ne doit être lisible que
par son propriétaire. Sur les systèmes Unix, on peut utiliser la
commande suivanteE<nbsp>:

chmod 600 fichier

Par défaultE<nbsp>: Valeur de I<cert>

=item B<options> = Options_SSL

Options de la bibliothèque OpenSSL

Le paramètre est l'option OpenSSL décrite dans la page de man
I<SSL_CTX_set_options(3ssl)>, débarassée du préfixe I<SSL_OP_>.
Plusieurs I<options> peuvent être spécifiées.

Par exemple, pour la compatibilité avec l'implantation SSL défaillante
d'Eudora, on peut utiliserE<nbsp>:

options = DONT_INSERT_EMPTY_FRAGMENTS

=item B<output> = fichier

Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.

/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard
(par exemple pour les traiter avec les outils splogger).

=item B<pid> = fichier (Unix seulement)

Emplacement du fichier pid

Si l'argument est vide, aucun fichier ne sera créé.

Le cas échéant, le chemin I<pid> est relatif au répertoire I<chroot>.

=item B<RNDbytes> = nombre

Nombre d'octets à lire depuis les fichiers de «E<nbsp>selE<nbsp>» aléatoire

Avec les SSL de version inférieure à 0.9.5a, détermine aussi le nombre
d'octets considérés comme suffisants pour «E<nbsp>salerE<nbsp>» le PRNG. Les versions plus
récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire
est suffisant.

=item B<RNDfile> = fichier

chemin du fichier de données de «E<nbsp>selE<nbsp>» aléatoire

La bibliothèque SSL utilise prioritairement les données de ce fichier pour
«E<nbsp>salerE<nbsp>» le générateur d'aléatoire.

=item B<RNDoverwrite> = yes | no

Recouvre les fichiers de «E<nbsp>selE<nbsp>» avec de nouvelles données aléatoires.

Par défautE<nbsp>: yes

=item B<service> = nom

Définit le nom de service à utiliser

B<Sous UnixE<nbsp>:> nom de service du mode I<inetd> pour la bibliothèque TCP Wrapper.

Par défautE<nbsp>: stunnel

=item B<session> = timeout

Timeout du cache de session

=item B<setgid> = nom (Unix seulement)

Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)

=item B<setuid> = nom (Unix seulement)

Nom d'utilisateur utilisé en mode daemon

=item B<socket> = a|l|r:option=valeur[:valeur]

Configure une option de socket accept (a), locale (l) ou distante (r)

Les valeurs de l'option linger sontE<nbsp>: l_onof:l_linger.
Les valeurs de l'option time sontE<nbsp>: tv_sec:tv_usec.

ExemplesE<nbsp>:

socket = l:SO_LINGER=1:60
définit un délai d'une minute pour la clôture des sockets locaux
socket = r:SO_OOBINLINE=yes
Place directement les données hors-bande dans le flux de réception
des sockets distants
socket = a:SO_REUSEADDR=no
désactive la réutilisation d'adresses (activée par défaut)
socket = a:SO_BINDTODEVICE=lo
limite l'acceptation des connexions sur la seule interface de bouclage

=item B<taskbar> = yes | no (WIN32 seulement)

active l'icône de la barre de tâches

Par défautE<nbsp>: yes

=item B<verify> = niveau

Vérifie le certificat du correspondant

niveau 1 - vérifie le certificat s'il est présent
niveau 2 - vérifie le certificat
niveau 3 - contrôle le correspondant avec le certificat local

Par défaut - pas de vérification

=back

=head2 OPTIONS DE SERVICE
|
||||
|
||||
Chaque section de configuration commence par le nom du service entre crochets.
|
||||
Celui-ci est utilisé par le contrôle d'accès de libwrap (TCP Wrappers) et sert
|
||||
à distinguer les services B<stunnel> dans les fichiers de traces.
|
||||
|
||||
Si l'on souhaite utiliser B<stunnel> en mode I<inetd> (lorsqu'un socket lui est
|
||||
fourni par un serveur comme I<inetd>, I<xinetd> ou I<tcpserver>), il faut se
|
||||
reporter à la section I<MODE INETD> plus bas.
|
||||
|
||||
|
||||
=over 4
|
||||
|
||||
=item B<accept> = [hôte:]port
|
||||
|
||||
Accepte des connexions sur le port spécifié
|
||||
|
||||
Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses IP de
|
||||
la machine locale.
|
||||
|
||||
=item B<connect> = [hôte:]port
|
||||
|
||||
Se connecte au port distant indiqué
|
||||
|
||||
Par défaut, l'hôte est localhost.
|
||||
|
||||
=item B<delay> = yes | no
|
||||
|
||||
Retarde la recherche DNS pour l'option «E<nbsp>connectE<nbsp>»
|
||||
|
||||
=item B<exec> = chemin_exécutable (Unix seulement)
|
||||
|
||||
Exécute un programme local de type inetd
|
||||
|
||||
Le cas échéant, le chemin I<exec> est relatif au répertoire I<chroot>.
|
||||
|
||||
=item B<execargs> = $0 $1 $2 ... (Unix seulement)
|
||||
|
||||
Arguments pour I<exec>, y compris le nom du programme ($0)
|
||||
|
||||
Les quotes ne peuvent actuellement pas être utilisées.
|
||||
Les arguments sont séparés par un nombre quelconque d'espaces.
|
||||
|
||||
=item B<ident> = nom
|
||||
|
||||
Applique le contrôle d'identité d'utilisateur IDENT (RFC 1413)
|
||||
|
||||
=item B<local> = hôte
|
||||
|
||||
Adresse IP de l'interface de sortie utilisée pour les connexions distantes.
|
||||
Cette option permet de relier une adresse statique locale.
|
||||
|
||||
=item B<protocol> = protocole
|
||||
|
||||
Négocie avec SSL selon le protocole indiqué
|
||||
|
||||
Actuellement gérésE<nbsp>: cifs, nntp, pop3, smtp
|
||||
|
||||
=item B<pty> = yes | no (Unix seulement)
|
||||
|
||||
Alloue un pseudo-terminal pour l'option «E<nbsp>execE<nbsp>»
|
||||
|
||||
=item B<TIMEOUTbusy> = secondes
|
||||
|
||||
Durée d'attente de données
|
||||
|
||||
=item B<TIMEOUTclose> = secondes
|
||||
|
||||
Durée d'attente du close_notify (mis à 0 pour MSIE qui est bogué)
|
||||
|
||||
=item B<TIMEOUTidle> = secondes
|
||||
|
||||
Durée d'attente sur une connexion inactive
|
||||
|
||||
=item B<transparent> = yes | no (Unix seulement)
|
||||
|
||||
Mode mandataire transparent
|
||||
|
||||
Ré-écrit les adresses pour qu'elles apparaissent provenir de la
|
||||
machine client SSL plutôt que de celle qui exécute B<stunnel>.
|
||||
Cette option n'est disponible en mode local (option I<exec>) qu'avec
|
||||
la bibliothèque partagée LD_PRELOADing env.so shared library et en mode
|
||||
distant (option I<connect>) sur les noyaux Linux 2.2 compilés avec
|
||||
l'option I<transparent proxy> et seulement en mode serveur. Cette
|
||||
option ne se combine pas au mode mandataire (I<connect>) sauf si la
|
||||
route par défaut du client vers la cible passe par l'hôte qui fait
|
||||
tourner B<stunnel>, qui ne peut être localhost.
|
||||
|
||||
=back
|
||||
|
||||
|
||||
=head1 VALEUR DE RETOUR
|
||||
|
||||
B<stunnel> renvoie zéro en cas de succès, une autre valeur en cas d'erreur.
|
||||
|
||||
|
||||
=head1 EXEMPLES
|
||||
|
||||
Pour encapsuler votre service I<imapd> local avec SSLE<nbsp>:
|
||||
|
||||
[imapd]
|
||||
accept = 993
|
||||
exec = /usr/sbin/imapd
|
||||
execargs = imapd
|
||||
|
||||
Pour tunneliser un daemon I<pppd> sur le port 2020E<nbsp>:
|
||||
|
||||
[vpn]
|
||||
accept = 2020
|
||||
exec = /usr/sbin/pppd
|
||||
execargs = pppd local
|
||||
pty = yes
|
||||
|
||||
Configuration de I<stunnel.conf> pour utiliser B<stunnel> en mode I<inetd>
|
||||
qui lance imapd à son tour (il ne doit pas y avoir de section I<[service_name]>)E<nbsp>:
|
||||
|
||||
exec = /usr/sbin/imapd
|
||||
execargs = imapd
|
||||
|
||||
|
||||
=head1 FICHIERS
|
||||
|
||||
=over 4
|
||||
|
||||
=item F<stunnel.conf>
|
||||
|
||||
Fichier de configuration de B<stunnel>
|
||||
|
||||
=item F<stunnel.pem>
|
||||
|
||||
Certificat et clef privée de B<stunnel>
|
||||
|
||||
=back
|
||||
|
||||
|
||||
=head1 BOGUES
|
||||
|
||||
L'option I<execargs> n'admet pas les quotes.
|
||||
|
||||
|
||||
=head1 RESTRICTIONS
|
||||
|
||||
B<stunnel> ne peut être utilisé pour le daemon FTP en raison de la nature
|
||||
du protocole FTP qui utilise des ports multiples pour les transferts de données.
|
||||
Il existe cependant des versions SSL de FTP et de telnet.
|
||||
|
||||
|
||||
=head1 NOTES
|
||||
|
||||
=head2 MODE INETD
|
||||
|
||||
L'utilisation la plus commune de B<stunnel> consiste à écouter un port
|
||||
réseau et à établir une communication, soit avec un nouveau port
|
||||
avec l'option I<connect>, soit avec un programme avec l'option I<exec>.
|
||||
On peut parfois cependant souhaiter qu'un autre programme reçoive les
|
||||
connexions entrantes et lance B<stunnel>, par exemple avec I<inetd>,
|
||||
I<xinetd> ou I<tcpserver>.
|
||||
|
||||
Si, par exemple, la ligne suivante se trouve dans I<inetd.conf>E<nbsp>:
|
||||
|
||||
imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
|
||||
|
||||
Dans ces cas, c'est le programme du genre I<inetd>-style qui est
|
||||
responsable de l'établissement de la connexion (I<imaps> ci-dessus) et de passer
|
||||
celle-ci à B<stunnel>.
|
||||
Ainsi, B<stunnel> ne doit alors avoir aucune option I<accept>.
|
||||
Toutes les I<options de niveau service> doivent être placées dans
|
||||
la section des options globales et aucune section I<[service_name]> ne doit
|
||||
être présente. Voir la section I<EXEMPLES> pour des exemples de configurations.
|
||||
|
||||
=head2 CERTIFICATS
|
||||
|
||||
Chaque daemon à propriétés SSL doit présenter un certificat X.509
|
||||
valide à son interlocuteur. Il a aussi besoin d'une clef privé pour
|
||||
déchiffrer les données entrantes. La méthode la plus simple pour
|
||||
obtenir un certificat et une clef est d'engendrer celles-ci avec
|
||||
le paquetage libre I<OpenSSL>. Plus d'informations sur la génération de
|
||||
certificats se trouvent dans les pages indiquées plus bas.
|
||||
|
||||
Deux choses importantes lors de la génération de paires certificat-clef
|
||||
pour B<stunnel>E<nbsp>:
|
||||
|
||||
=over 4
|
||||
|
||||
=item *
|
||||
|
||||
la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen
|
||||
d'obtenir le mot de passe de l'utilisateurE<nbsp>; pour produire une clef non chiffrée,
|
||||
ajouter l'option I<-nodes> à la commande B<req> de I<OpenSSL>E<nbsp>;
|
||||
|
||||
=item *
|
||||
|
||||
l'ordre du contenu du fichier I<.pem> est significatifE<nbsp>: il doit contenir d'abord
|
||||
une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat).
|
||||
Il doit aussi y avoir des lignes vides après le certificat et après la clef privée.
|
||||
L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que
|
||||
le fichier ait l'allure suivanteE<nbsp>:
|
||||
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
[clef encodée]
|
||||
-----END RSA PRIVATE KEY-----
|
||||
[ligne vide]
|
||||
-----BEGIN CERTIFICATE-----
|
||||
[certificat encodé]
|
||||
-----END CERTIFICATE-----
|
||||
[ligne vide]
|
||||
|
||||
=back
|
||||
|
||||
=head2 ALEATOIRE
|
||||
|
||||
B<stunnel> doit «E<nbsp>salerE<nbsp>» le générateur de pseudo-aléatoires PRNG (pseudo random
|
||||
number generator) afin que SSL utilise un aléatoire de qualité. Les sources suivantes
|
||||
sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lueE<nbsp>:
|
||||
|
||||
=over 4
|
||||
|
||||
=item *
|
||||
|
||||
le fichier spécifié par I<RNDfile>E<nbsp>;
|
||||
|
||||
=item *
|
||||
|
||||
le fichier spécifié par la variable d'environnement RANDFILE, à défaut
|
||||
le fichier .rnd du répertoire $HOME de l'utilisateurE<nbsp>;
|
||||
|
||||
=item *
|
||||
|
||||
le fichier spécifié par «E<nbsp>--with-randomE<nbsp>» lors de la compilationE<nbsp>;
|
||||
|
||||
=item *
|
||||
|
||||
le contenu de l'écran (MS-Windows seulement)E<nbsp>;
|
||||
|
||||
=item *
|
||||
|
||||
le socket EGD spécifié par I<EGD>E<nbsp>;
|
||||
|
||||
=item *
|
||||
|
||||
le socket EGD spécifié par «E<nbsp>--with-egd-sockE<nbsp>» lors de la compilationE<nbsp>;
|
||||
|
||||
=item *
|
||||
|
||||
le périphérique /dev/urandom.
|
||||
|
||||
=back
|
||||
|
||||
Avec un OpenSSL récent (>=OpenSSL 0.9.5a) le chargement de données s'arrête
|
||||
automatiquement lorsqu'un niveau d'entropie suffisant est atteint.
|
||||
Les versions précédentes continuent à lire toutes les sources puisqu'aucune
|
||||
fonction SSL ne leur permet de savoir que suffisamment de données sont disponibles.
|
||||
|
||||
Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console,
|
||||
(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est
|
||||
pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire
|
||||
par le biais de I<RNDfile>.
|
||||
|
||||
Le fichier spécifié par I<RNDfile> doit contenir des informations aléatoires --
|
||||
c'est-à-dire des informations différentes à chaque lancement de B<stunnel>.
|
||||
Cela est géré automatiquement sauf si l'option I<RNDoverwrite> est utilisée.
|
||||
Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la
|
||||
commande I<openssl rand> des versions récentes d'OpenSSL sera sans doute utile.
|
||||
|
||||
Note importanteE<nbsp>: si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser
|
||||
celui-ci pour «E<nbsp>salerE<nbsp>» le PRNG même lorsqu'il contrôle l'état de l'aléatoireE<nbsp>;
|
||||
ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable
|
||||
qu'il soit utilisé s'il est présent.
|
||||
Ce n'est pas le comportement de B<stunnel>, c'est celui d'OpenSSL.
|
||||
|
||||
|
||||
=head1 VOIR AUSSI
|
||||
|
||||
=over 4
|
||||
|
||||
=item L<tcpd(8)>
|
||||
|
||||
Service de contrôle d'accès pour les services internet
|
||||
|
||||
=item L<inetd(8)>
|
||||
|
||||
«E<nbsp>super-serveurE<nbsp>» internet
|
||||
|
||||
=item F<http://www.stunnel.org/>
|
||||
|
||||
Page de référence de B<stunnel>
|
||||
|
||||
=item F<http://www.openssl.org/>
|
||||
|
||||
Site web du projet OpenSSL
|
||||
|
||||
=back
|
||||
|
||||
|
||||
=head1 AUTEUR
|
||||
|
||||
=over 4
|
||||
|
||||
=item Michał Trojnara
|
||||
|
||||
<F<Michal.Trojnara@mirt.net>>
|
||||
|
||||
=back
|
||||
|
||||
=head1 ADAPTATION FRANÇAISE
|
||||
|
||||
=over 4
|
||||
|
||||
=item Bernard Choppy
|
||||
|
||||
<F<choppy AT free POINT fr>>
|
||||
|
||||
=back
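Review bot: this French manual hunk (the `doc/stunnel.fr.pod` content) is out of step with the rest of the commit and should either be synced with the regenerated English `doc/stunnel.pod` or dropped rather than kept as-is: it still documents `protocol` as only `cifs, nntp, pop3, smtp`, `verify` as three levels, transparent mode as a Linux 2.2 kernel feature, `RNDbytes` semantics tied to OpenSSL older than 0.9.5a, and `TIMEOUTclose` set to 0 for MSIE, all of which read as stale guidance next to the 2017 copyright bump elsewhere in this change. It also carries typos worth fixing if the file survives: `Par défaultE<nbsp>:` (should be `défaut`) above the `options` item and `débarassée` (should be `débarrassée`) in the `options` description.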
|
1120
doc/stunnel.html
File diff suppressed because it is too large
1625
doc/stunnel.html.in
Normal file
File diff suppressed because it is too large
1158
doc/stunnel.pl.html
File diff suppressed because it is too large
1626
doc/stunnel.pl.html.in
Normal file
File diff suppressed because it is too large
1124
doc/stunnel.pod
File diff suppressed because it is too large
1529
doc/stunnel.pod.in
Normal file
File diff suppressed because it is too large
2290
m4/libtool.m4
vendored
File diff suppressed because it is too large
32
m4/ltoptions.m4
vendored
@ -1,13 +1,14 @@
|
||||
# Helper functions for option handling. -*- Autoconf -*-
|
||||
#
|
||||
# Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc.
|
||||
# Copyright (C) 2004, 2005, 2007, 2008, 2009 Free Software Foundation,
|
||||
# Inc.
|
||||
# Written by Gary V. Vaughan, 2004
|
||||
#
|
||||
# This file is free software; the Free Software Foundation gives
|
||||
# unlimited permission to copy and/or distribute it, with or without
|
||||
# modifications, as long as this notice is preserved.
|
||||
|
||||
# serial 6 ltoptions.m4
|
||||
# serial 7 ltoptions.m4
|
||||
|
||||
# This is to help aclocal find these macros, as it can't see m4_define.
|
||||
AC_DEFUN([LTOPTIONS_VERSION], [m4_if([1])])
|
||||
@ -125,7 +126,7 @@ LT_OPTION_DEFINE([LT_INIT], [win32-dll],
|
||||
[enable_win32_dll=yes
|
||||
|
||||
case $host in
|
||||
*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-cegcc*)
|
||||
*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-cegcc*)
|
||||
AC_CHECK_TOOL(AS, as, false)
|
||||
AC_CHECK_TOOL(DLLTOOL, dlltool, false)
|
||||
AC_CHECK_TOOL(OBJDUMP, objdump, false)
|
||||
@ -133,13 +134,13 @@ case $host in
|
||||
esac
|
||||
|
||||
test -z "$AS" && AS=as
|
||||
_LT_DECL([], [AS], [0], [Assembler program])dnl
|
||||
_LT_DECL([], [AS], [1], [Assembler program])dnl
|
||||
|
||||
test -z "$DLLTOOL" && DLLTOOL=dlltool
|
||||
_LT_DECL([], [DLLTOOL], [0], [DLL creation program])dnl
|
||||
_LT_DECL([], [DLLTOOL], [1], [DLL creation program])dnl
|
||||
|
||||
test -z "$OBJDUMP" && OBJDUMP=objdump
|
||||
_LT_DECL([], [OBJDUMP], [0], [Object dumper program])dnl
|
||||
_LT_DECL([], [OBJDUMP], [1], [Object dumper program])dnl
|
||||
])# win32-dll
|
||||
|
||||
AU_DEFUN([AC_LIBTOOL_WIN32_DLL],
|
||||
@ -325,9 +326,24 @@ dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], [])
|
||||
# MODE is either `yes' or `no'. If omitted, it defaults to `both'.
|
||||
m4_define([_LT_WITH_PIC],
|
||||
[AC_ARG_WITH([pic],
|
||||
[AS_HELP_STRING([--with-pic],
|
||||
[AS_HELP_STRING([--with-pic@<:@=PKGS@:>@],
|
||||
[try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
|
||||
[pic_mode="$withval"],
|
||||
[lt_p=${PACKAGE-default}
|
||||
case $withval in
|
||||
yes|no) pic_mode=$withval ;;
|
||||
*)
|
||||
pic_mode=default
|
||||
# Look at the argument we got. We use all the common list separators.
|
||||
lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
|
||||
for lt_pkg in $withval; do
|
||||
IFS="$lt_save_ifs"
|
||||
if test "X$lt_pkg" = "X$lt_p"; then
|
||||
pic_mode=yes
|
||||
fi
|
||||
done
|
||||
IFS="$lt_save_ifs"
|
||||
;;
|
||||
esac],
|
||||
[pic_mode=default])
|
||||
|
||||
test -z "$pic_mode" && pic_mode=m4_default([$1], [default])
|
||||
|
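Review bot: the context comment at the top of this hunk, `# MODE is either `yes' or `no'. If omitted, it defaults to `both'.`, is now stale: the new code advertises `--with-pic[=PKGS]`, treats any value other than `yes`/`no` as a package list matched against `${PACKAGE-default}`, and falls back to `pic_mode=default`, not `both`. Update the comment so the macro's documented contract matches the `AS_HELP_STRING` text and the `case $withval in` logic in the same hunk.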
12
m4/ltversion.m4
vendored
@ -7,17 +7,17 @@
|
||||
# unlimited permission to copy and/or distribute it, with or without
|
||||
# modifications, as long as this notice is preserved.
|
||||
|
||||
# Generated from ltversion.in.
|
||||
# @configure_input@
|
||||
|
||||
# serial 3017 ltversion.m4
|
||||
# serial 3337 ltversion.m4
|
||||
# This file is part of GNU Libtool
|
||||
|
||||
m4_define([LT_PACKAGE_VERSION], [2.2.6b])
|
||||
m4_define([LT_PACKAGE_REVISION], [1.3017])
|
||||
m4_define([LT_PACKAGE_VERSION], [2.4.2])
|
||||
m4_define([LT_PACKAGE_REVISION], [1.3337])
|
||||
|
||||
AC_DEFUN([LTVERSION_VERSION],
|
||||
[macro_version='2.2.6b'
|
||||
macro_revision='1.3017'
|
||||
[macro_version='2.4.2'
|
||||
macro_revision='1.3337'
|
||||
_LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?])
|
||||
_LT_DECL(, macro_revision, 0)
|
||||
])
|
||||
|
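Review bot: bumping `LT_PACKAGE_VERSION` to `2.4.2` and `macro_revision` to `1.3337` is only safe if `m4/libtool.m4` and the `ltmain.sh` shipped with the package come from the same libtool release; `ltmain.sh` compares its own version with `macro_version` and aborts with a version-mismatch error otherwise. The `m4/libtool.m4` diff is suppressed in this view, so that consistency cannot be checked here and should be confirmed before merging; the serial bumps in `m4/ltoptions.m4` and `m4/lt~obsolete.m4` in this commit suggest the files were copied together, which is the right approach.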
12
m4/lt~obsolete.m4
vendored
@ -1,13 +1,13 @@
|
||||
# lt~obsolete.m4 -- aclocal satisfying obsolete definitions. -*-Autoconf-*-
|
||||
#
|
||||
# Copyright (C) 2004, 2005, 2007 Free Software Foundation, Inc.
|
||||
# Copyright (C) 2004, 2005, 2007, 2009 Free Software Foundation, Inc.
|
||||
# Written by Scott James Remnant, 2004.
|
||||
#
|
||||
# This file is free software; the Free Software Foundation gives
|
||||
# unlimited permission to copy and/or distribute it, with or without
|
||||
# modifications, as long as this notice is preserved.
|
||||
|
||||
# serial 4 lt~obsolete.m4
|
||||
# serial 5 lt~obsolete.m4
|
||||
|
||||
# These exist entirely to fool aclocal when bootstrapping libtool.
|
||||
#
|
||||
@ -77,7 +77,6 @@ m4_ifndef([AC_DISABLE_FAST_INSTALL], [AC_DEFUN([AC_DISABLE_FAST_INSTALL])])
|
||||
m4_ifndef([_LT_AC_LANG_CXX], [AC_DEFUN([_LT_AC_LANG_CXX])])
|
||||
m4_ifndef([_LT_AC_LANG_F77], [AC_DEFUN([_LT_AC_LANG_F77])])
|
||||
m4_ifndef([_LT_AC_LANG_GCJ], [AC_DEFUN([_LT_AC_LANG_GCJ])])
|
||||
m4_ifndef([AC_LIBTOOL_RC], [AC_DEFUN([AC_LIBTOOL_RC])])
|
||||
m4_ifndef([AC_LIBTOOL_LANG_C_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG])])
|
||||
m4_ifndef([_LT_AC_LANG_C_CONFIG], [AC_DEFUN([_LT_AC_LANG_C_CONFIG])])
|
||||
m4_ifndef([AC_LIBTOOL_LANG_CXX_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG])])
|
||||
@ -90,3 +89,10 @@ m4_ifndef([AC_LIBTOOL_LANG_RC_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG])])
|
||||
m4_ifndef([_LT_AC_LANG_RC_CONFIG], [AC_DEFUN([_LT_AC_LANG_RC_CONFIG])])
|
||||
m4_ifndef([AC_LIBTOOL_CONFIG], [AC_DEFUN([AC_LIBTOOL_CONFIG])])
|
||||
m4_ifndef([_LT_AC_FILE_LTDLL_C], [AC_DEFUN([_LT_AC_FILE_LTDLL_C])])
|
||||
m4_ifndef([_LT_REQUIRED_DARWIN_CHECKS], [AC_DEFUN([_LT_REQUIRED_DARWIN_CHECKS])])
|
||||
m4_ifndef([_LT_AC_PROG_CXXCPP], [AC_DEFUN([_LT_AC_PROG_CXXCPP])])
|
||||
m4_ifndef([_LT_PREPARE_SED_QUOTE_VARS], [AC_DEFUN([_LT_PREPARE_SED_QUOTE_VARS])])
|
||||
m4_ifndef([_LT_PROG_ECHO_BACKSLASH], [AC_DEFUN([_LT_PROG_ECHO_BACKSLASH])])
|
||||
m4_ifndef([_LT_PROG_F77], [AC_DEFUN([_LT_PROG_F77])])
|
||||
m4_ifndef([_LT_PROG_FC], [AC_DEFUN([_LT_PROG_FC])])
|
||||
m4_ifndef([_LT_PROG_CXX], [AC_DEFUN([_LT_PROG_CXX])])
|
||||
|
111
src/Makefile.am
@ -1,22 +1,41 @@
|
||||
## Process this file with automake to produce Makefile.in
|
||||
# by Michal Trojnara 2015-2017
|
||||
|
||||
###############################################################################
|
||||
# File lists #
|
||||
###############################################################################
|
||||
|
||||
# File lists
|
||||
common_headers = common.h prototypes.h version.h
|
||||
common_sources = str.c file.c client.c log.c options.c protocol.c network.c
|
||||
common_sources += resolver.c ssl.c ctx.c verify.c sthreads.c fd.c stunnel.c
|
||||
unix_sources = pty.c libwrap.c
|
||||
common_sources = tls.c str.c file.c client.c log.c options.c protocol.c
|
||||
common_sources += network.c resolver.c ssl.c ctx.c verify.c sthreads.c
|
||||
common_sources += fd.c dhparam.c cron.c stunnel.c
|
||||
unix_sources = pty.c libwrap.c ui_unix.c
|
||||
shared_sources = env.c
|
||||
win32_sources = gui.c resources.h resources.rc stunnel.ico
|
||||
win32_gui_sources = ui_win_gui.c resources.h resources.rc
|
||||
win32_gui_sources += stunnel.ico active.ico error.ico idle.ico
|
||||
win32_cli_sources = ui_win_cli.c
|
||||
|
||||
###############################################################################
|
||||
# Generate a new set of DH parameters for each version #
|
||||
###############################################################################
|
||||
|
||||
dhparam.c: version.h
|
||||
echo '#include "common.h"' >dhparam.c
|
||||
echo '#ifndef OPENSSL_NO_DH' >>dhparam.c
|
||||
echo '#define DN_new DH_new' >>dhparam.c
|
||||
openssl dhparam -noout -C 2048 >>dhparam.c
|
||||
echo '#endif /* OPENSSL_NO_DH */' >>dhparam.c
|
||||
|
||||
###############################################################################
|
||||
# Unix executables and shared library #
|
||||
###############################################################################
|
||||
|
||||
# Unix executables
|
||||
bin_PROGRAMS = stunnel
|
||||
stunnel_SOURCES = $(common_headers) $(common_sources) $(unix_sources)
|
||||
bin_SCRIPTS = stunnel3
|
||||
|
||||
# Unix shared library
|
||||
pkglib_LTLIBRARIES = libstunnel.la
|
||||
libstunnel_la_SOURCES = $(shared_sources)
|
||||
libstunnel_la_LDFLAGS = -avoid-version
|
||||
EXTRA_DIST = stunnel3.in
|
||||
CLEANFILES = stunnel3
|
||||
|
||||
# Red Hat "by design" bug #82369
|
||||
stunnel_CPPFLAGS = -I/usr/kerberos/include
|
||||
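Review bot: the new `dhparam.c: version.h` rule is not failure-safe. It builds the target in place through a chain of `>`/`>>` redirections, so if `openssl dhparam -noout -C 2048` fails or is interrupted, a truncated `dhparam.c` (the `#include`/`#ifndef` header lines without the generated parameter function) is left behind and, being newer than `version.h`, is not regenerated on the next `make`; write into a temporary file and `mv` it into place only after `openssl` succeeds, and remove the target on error (`|| { rm -f dhparam.c; exit 1; }`). The `echo '#define DN_new DH_new' >>dhparam.c` line also needs a comment naming the OpenSSL `-C` output it works around, otherwise it reads as a typo to the next maintainer.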
@ -25,55 +44,41 @@ stunnel_CPPFLAGS = -I/usr/kerberos/include
|
||||
stunnel_CPPFLAGS += -I$(SSLDIR)/include
|
||||
stunnel_CPPFLAGS += -DLIBDIR='"$(pkglibdir)"'
|
||||
stunnel_CPPFLAGS += -DCONFDIR='"$(sysconfdir)/stunnel"'
|
||||
stunnel_CPPFLAGS += -DPIDFILE='"$(localstatedir)/run/stunnel/stunnel.pid"'
|
||||
|
||||
# SSL library
|
||||
# TLS library
|
||||
stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto
|
||||
|
||||
# Win32 executable
|
||||
EXTRA_DIST = make.bat makece.bat makew32.bat
|
||||
EXTRA_DIST += mingw.mak evc.mak vc.mak os2.mak
|
||||
EXTRA_PROGRAMS = stunnel.exe tstunnel.exe
|
||||
stunnel_exe_SOURCES = $(common_headers) $(common_sources) $(win32_sources)
|
||||
tstunnel_exe_SOURCES = $(common_headers) $(common_sources) nogui.c
|
||||
# stunnel3 script
|
||||
edit = sed \
|
||||
-e 's|@bindir[@]|$(bindir)|g'
|
||||
stunnel3: Makefile
|
||||
$(edit) '$(srcdir)/$@.in' >$@
|
||||
stunnel3: $(srcdir)/stunnel3.in
|
||||
|
||||
# OPENSSLDIR = /usr/src/openssl-0.9.8u-fips
|
||||
# WINCPPFLAGS = -I$(OPENSSLDIR)/inc32
|
||||
OPENSSLDIR = /usr/src/openssl-1.0.2a-i686
|
||||
WINCPPFLAGS = -I$(OPENSSLDIR)/include
|
||||
WINCFLAGS = -mthreads -fstack-protector -O2 -Wall -Wextra -Wno-long-long -pedantic
|
||||
WINLDFLAGS = -mthreads -fstack-protector -s
|
||||
WINLIBS = -L$(OPENSSLDIR) -lcrypto -lssl -lpsapi -lws2_32 -lgdi32
|
||||
# WINLIBS = -L$(OPENSSLDIR) -lzdll -lcrypto.dll -lssl.dll -lpsapi -lws2_32 -lgdi32
|
||||
# WINLIBS = -L$(OPENSSLDIR) -lzdll -lcrypto -lssl -lpsapi -lws2_32 -lgdi32
|
||||
WINOBJ = str.obj file.obj client.obj log.obj options.obj protocol.obj
|
||||
WINOBJ += network.obj resolver.obj ssl.obj ctx.obj verify.obj sthreads.obj
|
||||
WINOBJ += fd.obj stunnel.obj
|
||||
WINGUIOBJ = $(WINOBJ) gui.obj resources.obj
|
||||
WINNOGUIOBJ = $(WINOBJ) nogui.obj
|
||||
WINPREFIX = i686-w64-mingw32-
|
||||
WINGCC = $(WINPREFIX)gcc
|
||||
WINDRES = $(WINPREFIX)windres
|
||||
# Unix shared library
|
||||
pkglib_LTLIBRARIES = libstunnel.la
|
||||
libstunnel_la_SOURCES = $(shared_sources)
|
||||
libstunnel_la_LDFLAGS = -avoid-version
|
||||
|
||||
dist-hook: stunnel.exe tstunnel.exe
|
||||
###############################################################################
|
||||
# Win32 executables #
|
||||
###############################################################################
|
||||
|
||||
distclean-local:
|
||||
rm -f stunnel.exe tstunnel.exe
|
||||
if AUTHOR_TESTS
|
||||
# Just check if the programs can be built, don't perform any actual tests
|
||||
check-local: mingw mingw64
|
||||
endif
|
||||
|
||||
# SUFFIXES = .c .rc .obj
|
||||
mingw:
|
||||
$(MAKE) -f $(srcdir)/mingw.mk srcdir=$(srcdir) win32_targetcpu=i686 win32_mingw=mingw
|
||||
mingw64:
|
||||
$(MAKE) -f $(srcdir)/mingw.mk srcdir=$(srcdir) win32_targetcpu=x86_64 win32_mingw=mingw64
|
||||
.PHONY: mingw mingw64
|
||||
|
||||
stunnel.exe: $(WINGUIOBJ)
|
||||
$(WINGCC) -mwindows $(WINLDFLAGS) -o stunnel.exe $(WINGUIOBJ) $(WINLIBS)
|
||||
|
||||
tstunnel.exe: $(WINNOGUIOBJ)
|
||||
$(WINGCC) $(WINLDFLAGS) -o tstunnel.exe $(WINNOGUIOBJ) $(WINLIBS)
|
||||
|
||||
%.obj: %.c $(common_headers)
|
||||
$(WINGCC) -c $(WINCPPFLAGS) $(WINCFLAGS) -o $@ $<
|
||||
|
||||
resources.obj: resources.rc resources.h version.h
|
||||
$(WINDRES) --include-dir $(srcdir) $< $@
|
||||
|
||||
mostlyclean-local:
|
||||
-rm -f *.obj
|
||||
clean-local:
|
||||
rm -rf ../obj ../bin
|
||||
|
||||
# Remaining files to be included
|
||||
EXTRA_DIST += $(win32_gui_sources) $(win32_cli_sources)
|
||||
EXTRA_DIST += make.bat makece.bat makew32.bat
|
||||
EXTRA_DIST += mingw.mk mingw.mak evc.mak vc.mak os2.mak
|
||||
|
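Review bot: two points in this hunk. `stunnel3: $(srcdir)/stunnel3.in` replaces `stunnel3: Makefile`, so the script is no longer regenerated when `bindir` changes at reconfigure time even though the `edit` sed line substitutes `@bindir@`; keep both prerequisites (`stunnel3: $(srcdir)/stunnel3.in Makefile`). And `clean-local: rm -rf ../obj ../bin` deletes directories relative to the parent of the build directory, which in an out-of-tree or `distcheck` build is not the source tree; derive those paths from `$(srcdir)` or `$(builddir)` instead of `..`, matching whatever `mingw.mk` actually creates.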
818
src/Makefile.in
File diff suppressed because it is too large
BIN
src/active.ico
Normal file
Binary file not shown.
After: Size: 1.1 KiB
1273
src/client.c
File diff suppressed because it is too large
231
src/common.h
@ -1,24 +1,24 @@
|
||||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version.
|
||||
*
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||
* See the GNU General Public License for more details.
|
||||
*
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||
*
|
||||
*
|
||||
* Linking stunnel statically or dynamically with other modules is making
|
||||
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||
* the GNU General Public License cover the whole combination.
|
||||
*
|
||||
*
|
||||
* In addition, as a special exception, the copyright holder of stunnel
|
||||
* gives you permission to combine stunnel with free software programs or
|
||||
* libraries that are released under the GNU LGPL and with code included
|
||||
@ -26,7 +26,7 @@
|
||||
* modified versions of such code, with unchanged license). You may copy
|
||||
* and distribute such a system following the terms of the GNU GPL for
|
||||
* stunnel and the licenses of the other code concerned.
|
||||
*
|
||||
*
|
||||
* Note that people who make modified versions of stunnel are not obligated
|
||||
* to grant this special exception for their modified versions; it is their
|
||||
* choice whether to do so. The GNU General Public License gives permission
|
||||
@ -40,7 +40,6 @@
|
||||
|
||||
#include "version.h"
|
||||
|
||||
|
||||
/**************************************** common constants */
|
||||
|
||||
#define LIBWRAP_CLIENTS 5
|
||||
@ -49,7 +48,7 @@
|
||||
#define DEFAULT_STACK_SIZE 65536
|
||||
/* #define DEBUG_STACK_SIZE */
|
||||
|
||||
/* I/O buffer size - 18432 is the maximum size of SSL record payload */
|
||||
/* I/O buffer size: 18432 (0x4800) is the maximum size of TLS record payload */
|
||||
#define BUFFSIZE 18432
|
||||
|
||||
/* how many bytes of random input to read from files for PRNG */
|
||||
@ -62,6 +61,12 @@
|
||||
/* additional diagnostic messages */
|
||||
/* #define DEBUG_FD_ALLOC */
|
||||
|
||||
#ifdef DEBUG_INFO
|
||||
#define NOEXPORT
|
||||
#else
|
||||
#define NOEXPORT static
|
||||
#endif
|
||||
|
||||
/**************************************** platform */
|
||||
|
||||
#ifdef _WIN32
|
||||
@ -70,20 +75,32 @@
|
||||
|
||||
#ifdef _WIN32_WCE
|
||||
#define USE_WIN32
|
||||
typedef int socklen_t;
|
||||
typedef int socklen_t;
|
||||
#endif
|
||||
|
||||
#ifdef USE_WIN32
|
||||
typedef signed char int8_t;
|
||||
typedef signed short int16_t;
|
||||
typedef signed int int32_t;
|
||||
typedef signed long long int64_t;
|
||||
typedef unsigned char uint8_t;
|
||||
typedef unsigned short uint16_t;
|
||||
typedef unsigned int uint32_t;
|
||||
typedef unsigned long long uint64_t;
|
||||
#ifndef __MINGW32__
|
||||
#ifdef _WIN64
|
||||
typedef __int64 ssize_t;
|
||||
#else /* _WIN64 */
|
||||
typedef int ssize_t;
|
||||
#endif /* _WIN64 */
|
||||
#endif /* !__MINGW32__ */
|
||||
#define PATH_MAX MAX_PATH
|
||||
#define USE_IPv6
|
||||
#define _CRT_SECURE_NO_DEPRECATE
|
||||
#define _CRT_NONSTDC_NO_DEPRECATE
|
||||
#define HAVE_OSSL_ENGINE_H
|
||||
#define HAVE_OSSL_OCSP_H
|
||||
/* prevent including wincrypt.h, as it defines it's own OCSP_RESPONSE */
|
||||
#define _CRT_NON_CONFORMING_SWPRINTFS
|
||||
/* prevent including wincrypt.h, as it defines its own OCSP_RESPONSE */
|
||||
#define __WINCRYPT_H__
|
||||
#endif
|
||||
|
||||
#ifdef USE_WIN32
|
||||
#define S_EADDRINUSE WSAEADDRINUSE
|
||||
/* winsock does not define WSAEAGAIN */
|
||||
/* in most (but not all!) BSD implementations EAGAIN==EWOULDBLOCK */
|
||||
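Review bot: the new `typedef signed char int8_t; ... typedef unsigned long long uint64_t;` block is emitted for every `USE_WIN32` build with no guard, while the later hunk `@ -158,9 +175,17 @` adds `#ifdef HAVE_STDINT_H` / `#include <stdint.h>`; on a toolchain that provides `<stdint.h>` (MinGW, and MSVC 2010 or newer) both definitions are seen, and compilers in pre-C11 modes reject a redefined typedef even when the types agree. Guard the block the way `ssize_t` already is (`#ifndef __MINGW32__`), for example with `#ifndef HAVE_STDINT_H` or `#if defined(_MSC_VER) && _MSC_VER < 1600`.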
@ -158,9 +175,17 @@ typedef int socklen_t;
|
||||
#include <pthread.h>
|
||||
#endif
|
||||
|
||||
/* TCP wrapper */
|
||||
#if defined HAVE_TCPD_H && defined HAVE_LIBWRAP
|
||||
#define USE_LIBWRAP 1
|
||||
/* systemd */
|
||||
#ifdef USE_SYSTEMD
|
||||
#include <systemd/sd-daemon.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_STDINT_H
|
||||
#include <stdint.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_INTTYPES_H
|
||||
#include <inttypes.h>
|
||||
#endif
|
||||
|
||||
/* must be included before sys/stat.h for Ultrix */
|
||||
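Review bot: this hunk drops `#if defined HAVE_TCPD_H && defined HAVE_LIBWRAP` / `#define USE_LIBWRAP 1` from the header, so `USE_LIBWRAP` must now be supplied by `configure`; if that definition was not added there, `libwrap.c` (still listed in `unix_sources` in `src/Makefile.am`) compiles to nothing and TCP Wrappers access control, which the manual ties to the `service` name, is silently disabled with no build error. Confirm `configure.ac` defines it, and consider a `#warning` in this header when `HAVE_TCPD_H` and `HAVE_LIBWRAP` are set but `USE_LIBWRAP` is not, so a misconfigured build is visible.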
@ -185,10 +210,6 @@ typedef int socklen_t;
|
||||
|
||||
#ifdef USE_WIN32
|
||||
|
||||
typedef unsigned char u8;
|
||||
typedef unsigned short u16;
|
||||
typedef unsigned long u32;
|
||||
|
||||
#define HAVE_STRUCT_ADDRINFO
|
||||
#define HAVE_SNPRINTF
|
||||
#define snprintf _snprintf
|
||||
@ -202,10 +223,9 @@ typedef unsigned long u32;
|
||||
#define set_last_socket_error(e) WSASetLastError(e)
|
||||
#define get_last_error() GetLastError()
|
||||
#define set_last_error(e) SetLastError(e)
|
||||
#define readsocket(s,b,n) recv((s),(b),(n),0)
|
||||
#define writesocket(s,b,n) send((s),(b),(n),0)
|
||||
#define readsocket(s,b,n) recv((s),(b),(int)(n),0)
|
||||
#define writesocket(s,b,n) send((s),(b),(int)(n),0)
|
||||
|
||||
/* #define FD_SETSIZE 4096 */
|
||||
/* #define Win32_Winsock */
|
||||
#define __USE_W32_SOCKETS
|
||||
|
||||
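Review bot: `readsocket`/`writesocket` now cast the length to `int` for Winsock's `recv`/`send`; this silently truncates a `size_t` above `INT_MAX` into a negative or wrapped value, so the change is only correct while every caller bounds the length by `BUFFSIZE` (18432, defined earlier in this file). State that invariant in a comment at the two macros, or check the length against `INT_MAX` in the callers, so a future larger buffer cannot turn into a bad length argument.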
@ -216,6 +236,7 @@ typedef unsigned long u32;
|
||||
#include <windows.h>
|
||||
|
||||
#include <process.h> /* _beginthread */
|
||||
#include <shlobj.h> /* SHGetFolderPath */
|
||||
#include <tchar.h>
|
||||
|
||||
#include "resources.h"
|
||||
@ -224,22 +245,6 @@ typedef unsigned long u32;
|
||||
|
||||
#else /* USE_WIN32 */
|
||||
|
||||
#if SIZEOF_UNSIGNED_CHAR == 1
|
||||
typedef unsigned char u8;
|
||||
#endif
|
||||
|
||||
#if SIZEOF_UNSIGNED_SHORT == 2
|
||||
typedef unsigned short u16;
|
||||
#else
|
||||
typedef unsigned int u16;
|
||||
#endif
|
||||
|
||||
#if SIZEOF_UNSIGNED_INT == 4
|
||||
typedef unsigned int u32;
|
||||
#else
|
||||
typedef unsigned long u32;
|
||||
#endif
|
||||
|
||||
#ifdef __INNOTEK_LIBC__
|
||||
#define socklen_t __socklen_t
|
||||
#define strcasecmp stricmp
|
||||
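Review bot: the `SIZEOF_*`-based fallback typedefs of `u8`/`u16`/`u32` for non-Windows hosts go away here. That is welcome (a `u16` silently becoming `unsigned int` when `short` is not 16 bits would have corrupted any on-the-wire structure built from it), but the replacement types must then come from `<stdint.h>`/`<inttypes.h>`, which this header includes only under `HAVE_STDINT_H`/`HAVE_INTTYPES_H`. The `uint8_t`/`uint16_t`/`uint32_t` substitutions configure now writes into config.h.in cover hosts without those headers, provided config.h is included before anything else.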
@ -265,10 +270,12 @@ typedef unsigned long u32;
|
||||
#define ioctlsocket(a,b,c) ioctl((a),(b),(c))
|
||||
#endif
|
||||
|
||||
typedef int SOCKET;
|
||||
#define INVALID_SOCKET (-1)
|
||||
|
||||
/* OpenVMS compatibility */
|
||||
#ifdef __vms
|
||||
#define LIBDIR "__NA__"
|
||||
#define PIDFILE "SYS$LOGIN:STUNNEL.PID"
|
||||
#ifdef __alpha
|
||||
#define HOST "alpha-openvms"
|
||||
#else
|
||||
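Review bot: `typedef int SOCKET;` with `#define INVALID_SOCKET (-1)` mirrors winsock on Unix, but note the asymmetry: winsock's `SOCKET` is an unsigned `UINT_PTR` and its `INVALID_SOCKET` is `~0`, so any `s<0` or `s>=0` validity test compiles on both platforms and is wrong on Windows. Code that adopts this type should compare against `INVALID_SOCKET` only; a grep for `<0` and `>=0` on socket variables is a cheap way to check.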
@ -283,6 +290,9 @@ typedef unsigned long u32;
|
||||
/* Unix-specific headers */
|
||||
#include <signal.h> /* signal */
|
||||
#include <sys/wait.h> /* wait */
|
||||
#ifdef HAVE_LIMITS_H
|
||||
#include <limits.h> /* INT_MAX */
|
||||
#endif
|
||||
#ifdef HAVE_SYS_RESOURCE_H
|
||||
#include <sys/resource.h> /* getrlimit */
|
||||
#endif
|
||||
@ -298,6 +308,7 @@ typedef unsigned long u32;
|
||||
#ifdef HAVE_SYS_SELECT_H
|
||||
#include <sys/select.h> /* for aix */
|
||||
#endif
|
||||
#include <dirent.h>
|
||||
|
||||
#if defined(HAVE_POLL) && !defined(BROKEN_POLL)
|
||||
#ifdef HAVE_POLL_H
|
||||
@ -326,6 +337,7 @@ typedef unsigned long u32;
|
||||
#include <sys/uio.h> /* struct iovec */
|
||||
#endif /* HAVE_SYS_UIO_H */
|
||||
|
||||
/* BSD sockets */
|
||||
#include <netinet/in.h> /* struct sockaddr_in */
|
||||
#include <sys/socket.h> /* getpeername */
|
||||
#include <arpa/inet.h> /* inet_ntoa */
|
||||
@ -383,83 +395,108 @@ extern char *sys_errlist[];
|
||||
#include <linux/netfilter_ipv4.h>
|
||||
#endif /* HAVE_LINUX_NETFILTER_IPV4_H */
|
||||
#endif /* __linux__ */
|
||||
#ifdef HAVE_SYS_SYSCALL_H
|
||||
#include <sys/syscall.h> /* SYS_gettid */
|
||||
#endif
|
||||
#ifdef HAVE_LINUX_SCHED_H
|
||||
#include <linux/sched.h> /* SCHED_BATCH */
|
||||
#endif
|
||||
|
||||
#endif /* USE_WIN32 */
|
||||
|
||||
#ifndef S_ISREG
|
||||
#define S_ISREG(m) (((m)&S_IFMT)==S_IFREG)
|
||||
#endif
|
||||
|
||||
/**************************************** OpenSSL headers */
|
||||
|
||||
#define OPENSSL_THREAD_DEFINES
|
||||
#include <openssl/opensslconf.h>
|
||||
#if defined(USE_PTHREAD) && !(defined(OPENSSL_THREADS) || \
|
||||
(OPENSSL_VERSION_NUMBER<0x0090700fL && defined(THREADS)))
|
||||
/* opensslv.h requires prior opensslconf.h to include -fips in version string */
|
||||
#include <openssl/opensslv.h>
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER<0x0090700fL
|
||||
#error OpenSSL 0.9.7 or later is required
|
||||
#endif /* OpenSSL older than 0.9.7 */
|
||||
|
||||
#if defined(USE_PTHREAD) && !defined(OPENSSL_THREADS)
|
||||
#error OpenSSL library compiled without thread support
|
||||
#endif /* !OPENSSL_THREADS && USE_PTHREAD */
|
||||
|
||||
#if defined (USE_WIN32) && defined(OPENSSL_FIPS)
|
||||
#define USE_FIPS
|
||||
#endif
|
||||
|
||||
/* OpenSSL 0.9.6 comp.h needs ZLIB macro to declare COMP_zlib() */
|
||||
#define ZLIB
|
||||
|
||||
#include <openssl/lhash.h>
|
||||
#include <openssl/ssl.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/crypto.h> /* for CRYPTO_* and SSLeay_version */
|
||||
#include <openssl/rand.h>
|
||||
#ifndef OPENSSL_NO_MD4
|
||||
#include <openssl/md4.h>
|
||||
#endif
|
||||
#include <openssl/des.h>
|
||||
|
||||
#ifdef HAVE_OSSL_ENGINE_H
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
#include <openssl/engine.h>
|
||||
#else
|
||||
#undef HAVE_OSSL_ENGINE_H
|
||||
#endif
|
||||
#endif /* HAVE_OSSL_ENGINE_H */
|
||||
#if OPENSSL_VERSION_NUMBER<0x0090800fL
|
||||
#define OPENSSL_NO_ECDH
|
||||
#define OPENSSL_NO_COMP
|
||||
#endif /* OpenSSL older than 0.9.8 */
|
||||
|
||||
/* non-blocking OCSP API is not available before OpenSSL 0.9.8h */
|
||||
#if OPENSSL_VERSION_NUMBER<0x00908080L
|
||||
#ifdef HAVE_OSSL_OCSP_H
|
||||
#undef HAVE_OSSL_OCSP_H
|
||||
#endif /* HAVE_OSSL_OCSP_H */
|
||||
#ifndef OPENSSL_NO_OCSP
|
||||
#define OPENSSL_NO_OCSP
|
||||
#endif /* !defined(OPENSSL_NO_OCSP) */
|
||||
#endif /* OpenSSL older than 0.9.8h */
|
||||
|
||||
#ifdef HAVE_OSSL_OCSP_H
|
||||
#include <openssl/ocsp.h>
|
||||
#endif /* HAVE_OSSL_OCSP_H */
|
||||
|
||||
#ifdef HAVE_OSSL_FIPS_H
|
||||
#include <openssl/fips.h>
|
||||
#include <openssl/fips_rand.h>
|
||||
#endif /* HAVE_OSSL_FIPS_H */
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER<0x0090800fL
|
||||
#define OPENSSL_NO_ECDH
|
||||
#endif /* OpenSSL version < 0.8.0 */
|
||||
#if OPENSSL_VERSION_NUMBER<0x00908060L
|
||||
#define OPENSSL_NO_TLSEXT
|
||||
#endif /* OpenSSL older than 0.9.8f */
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER<0x10000000L
|
||||
#define OPENSSL_NO_TLSEXT
|
||||
#endif /* OpenSSL version < 1.0.0 */
|
||||
#define OPENSSL_NO_PSK
|
||||
#endif /* OpenSSL older than 1.0.0 */
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER<0x10001000L || defined(OPENSSL_NO_TLS1)
|
||||
#define OPENSSL_NO_TLS1_1
|
||||
#define OPENSSL_NO_TLS1_2
|
||||
#endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
||||
#ifndef OPENSSL_NO_SSL2
|
||||
#define OPENSSL_NO_SSL2
|
||||
#endif /* !defined(OPENSSL_NO_SSL2) */
|
||||
#else /* OpenSSL older than 1.1.0 */
|
||||
#define X509_STORE_CTX_get0_chain(x) X509_STORE_CTX_get_chain(x)
|
||||
#endif /* OpenSSL 1.1.0 or newer */
|
||||
|
||||
#if defined(USE_WIN32) && defined(OPENSSL_FIPS)
|
||||
#define USE_FIPS
|
||||
#endif
|
||||
|
||||
#include <openssl/lhash.h>
|
||||
#include <openssl/ssl.h>
|
||||
#include <openssl/ui.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/crypto.h> /* for CRYPTO_* and SSLeay_version */
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/pkcs12.h>
|
||||
#ifndef OPENSSL_NO_MD4
|
||||
#include <openssl/md4.h>
|
||||
#endif /* !defined(OPENSSL_NO_MD4) */
|
||||
#include <openssl/des.h>
|
||||
#ifndef OPENSSL_NO_DH
|
||||
#include <openssl/dh.h>
|
||||
#if OPENSSL_VERSION_NUMBER<0x10100000L
|
||||
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
|
||||
#endif /* OpenSSL older than 1.1.0 */
|
||||
#endif /* !defined(OPENSSL_NO_DH) */
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
#include <openssl/engine.h>
|
||||
#endif /* !defined(OPENSSL_NO_ENGINE) */
|
||||
#ifndef OPENSSL_NO_OCSP
|
||||
#include <openssl/ocsp.h>
|
||||
#endif /* !defined(OPENSSL_NO_OCSP) */
|
||||
#ifndef OPENSSL_NO_COMP
|
||||
/* not defined in public headers before OpenSSL 0.9.8 */
|
||||
STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
|
||||
#endif /* OPENSSL_NO_COMP */
|
||||
#endif /* !defined(OPENSSL_NO_COMP) */
|
||||
|
||||
#ifndef OPENSSL_VERSION
|
||||
#define OPENSSL_VERSION SSLEAY_VERSION
|
||||
#define OpenSSL_version_num() SSLeay()
|
||||
#define OpenSSL_version(x) SSLeay_version(x)
|
||||
#endif
|
||||
|
||||
/**************************************** other defines */
|
||||
|
||||
/* change all non-printable characters to '.' */
|
||||
#define safestring(s) \
|
||||
do {unsigned char *p; for(p=(unsigned char *)(s); *p; p++) \
|
||||
if(!isprint((int)*p)) *p='.';} while(0)
|
||||
/* change all unsafe characters to '.' */
|
||||
#define safename(s) \
|
||||
do {unsigned char *p; for(p=(s); *p; p++) \
|
||||
if(!isalnum((int)*p)) *p='.';} while(0)
|
||||
|
||||
/* always use IPv4 defaults! */
|
||||
#define DEFAULT_LOOPBACK "127.0.0.1"
|
||||
#define DEFAULT_ANY "0.0.0.0"
|
||||
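Review bot: the closing comment on the `OPENSSL_NO_ECDH` guard, `#endif /* OpenSSL version < 0.8.0 */`, does not match its condition `OPENSSL_VERSION_NUMBER<0x0090800fL` (which is 0.9.8) and should read `/* OpenSSL older than 0.9.8 */` like the neighbouring guards. Two smaller points: `safename(s)` assigns `p=(s)` to an `unsigned char *` without the `(unsigned char *)` cast that `safestring(s)` uses, which warns whenever `s` is a `char *`; and the `DH_set0_pqg()` prototype added for OpenSSL older than 1.1.0 needs a matching definition compiled into every pre-1.1.0 build, since the new `src/dhparam.c` in this commit calls it.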
@ -480,7 +517,7 @@ STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
|
||||
#endif /* defined (USE_WIN32) || defined (__vms) */
|
||||
|
||||
#ifndef offsetof
|
||||
#define offsetof(T, F) ((unsigned int)((char *)&((T *)0L)->F - (char *)0L))
|
||||
#define offsetof(T, F) ((unsigned)((char *)&((T *)0L)->F - (char *)0L))
|
||||
#endif
|
||||
|
||||
#endif /* defined COMMON_H */
|
||||
|
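Review bot: the `(unsigned int)` to `(unsigned)` change in the `offsetof` fallback is purely cosmetic. The fallback only matters when `<stddef.h>` is missing, which every hosted C implementation provides, and the null-pointer arithmetic it relies on is formally undefined behaviour. Consider including `<stddef.h>` unconditionally and dropping the fallback, or at least commenting which platform still needs it.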
139
src/config.h.in
@ -51,18 +51,18 @@
|
||||
/* Define to 1 if you have the <inttypes.h> header file. */
|
||||
#undef HAVE_INTTYPES_H
|
||||
|
||||
/* Define to 1 if you have 'libpthread' library. */
|
||||
#undef HAVE_LIBPTHREAD
|
||||
|
||||
/* Define to 1 if you have the <libutil.h> header file. */
|
||||
#undef HAVE_LIBUTIL_H
|
||||
|
||||
/* Define to 1 if you have 'libwrap' library. */
|
||||
#undef HAVE_LIBWRAP
|
||||
/* Define to 1 if you have the <limits.h> header file. */
|
||||
#undef HAVE_LIMITS_H
|
||||
|
||||
/* Define to 1 if you have the <linux/netfilter_ipv4.h> header file. */
|
||||
#undef HAVE_LINUX_NETFILTER_IPV4_H
|
||||
|
||||
/* Define to 1 if you have the <linux/sched.h> header file. */
|
||||
#undef HAVE_LINUX_SCHED_H
|
||||
|
||||
/* Define to 1 if you have the `localtime_r' function. */
|
||||
#undef HAVE_LOCALTIME_R
|
||||
|
||||
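Review bot: the new `HAVE_LINUX_SCHED_H` probe exists only to pull in `<linux/sched.h> /* SCHED_BATCH */` in common.h. With `_GNU_SOURCE` defined (also added to config.h.in in this commit), glibc's own `<sched.h>` already defines `SCHED_BATCH`, and including raw kernel headers alongside libc headers is a known source of redefinition conflicts. Prefer `<sched.h>` and drop the kernel-header include unless a non-glibc target actually needs it.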
@ -78,15 +78,6 @@
|
||||
/* Define to 1 if you have the `openpty' function. */
|
||||
#undef HAVE_OPENPTY
|
||||
|
||||
/* Define to 1 if you have <engine.h> header file. */
|
||||
#undef HAVE_OSSL_ENGINE_H
|
||||
|
||||
/* Define to 1 if you have <fips.h> header file. */
|
||||
#undef HAVE_OSSL_FIPS_H
|
||||
|
||||
/* Define to 1 if you have <ocsp.h> header file. */
|
||||
#undef HAVE_OSSL_OCSP_H
|
||||
|
||||
/* Define to 1 if you have the `pipe2' function. */
|
||||
#undef HAVE_PIPE2
|
||||
|
||||
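Review bot: dropping the `HAVE_OSSL_ENGINE_H`/`HAVE_OSSL_OCSP_H` probes in favour of OpenSSL's own `OPENSSL_NO_ENGINE`/`OPENSSL_NO_OCSP` macros (see the common.h hunk in this commit) is the right direction, since those reflect how the library was built rather than whether a header happens to be present. `HAVE_OSSL_FIPS_H` goes away too while `USE_FIPS` remains further down, so make sure the FIPS code path no longer includes `<openssl/fips.h>` unguarded.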
@ -96,15 +87,24 @@
|
||||
/* Define to 1 if you have the <poll.h> header file. */
|
||||
#undef HAVE_POLL_H
|
||||
|
||||
/* Define if you have POSIX threads libraries and header files. */
|
||||
#undef HAVE_PTHREAD
|
||||
|
||||
/* Define to 1 if you have the <pthread.h> header file. */
|
||||
#undef HAVE_PTHREAD_H
|
||||
|
||||
/* Have PTHREAD_PRIO_INHERIT. */
|
||||
#undef HAVE_PTHREAD_PRIO_INHERIT
|
||||
|
||||
/* Define to 1 if you have the `pthread_sigmask' function. */
|
||||
#undef HAVE_PTHREAD_SIGMASK
|
||||
|
||||
/* Define to 1 if you have the <pty.h> header file. */
|
||||
#undef HAVE_PTY_H
|
||||
|
||||
/* Define to 1 if you have the `realpath' function. */
|
||||
#undef HAVE_REALPATH
|
||||
|
||||
/* Define to 1 if you have the `setgroups' function. */
|
||||
#undef HAVE_SETGROUPS
|
||||
|
||||
@ -141,6 +141,9 @@
|
||||
/* Define to 1 if you have the `sysconf' function. */
|
||||
#undef HAVE_SYSCONF
|
||||
|
||||
/* Define to 1 if you have the <systemd/sd-daemon.h> header file. */
|
||||
#undef HAVE_SYSTEMD_SD_DAEMON_H
|
||||
|
||||
/* Define to 1 if you have the <sys/filio.h> header file. */
|
||||
#undef HAVE_SYS_FILIO_H
|
||||
|
||||
@ -162,6 +165,9 @@
|
||||
/* Define to 1 if you have the <sys/stat.h> header file. */
|
||||
#undef HAVE_SYS_STAT_H
|
||||
|
||||
/* Define to 1 if you have the <sys/syscall.h> header file. */
|
||||
#undef HAVE_SYS_SYSCALL_H
|
||||
|
||||
/* Define to 1 if you have the <sys/types.h> header file. */
|
||||
#undef HAVE_SYS_TYPES_H
|
||||
|
||||
@ -205,9 +211,6 @@
|
||||
*/
|
||||
#undef LT_OBJDIR
|
||||
|
||||
/* Define to 1 if your C compiler doesn't accept -c and -o together. */
|
||||
#undef NO_MINUS_C_MINUS_O
|
||||
|
||||
/* Name of package */
|
||||
#undef PACKAGE
|
||||
|
||||
@ -229,28 +232,20 @@
|
||||
/* Define to the version of this package. */
|
||||
#undef PACKAGE_VERSION
|
||||
|
||||
/* Define to necessary symbol if this constant uses a non-standard name on
|
||||
your system. */
|
||||
#undef PTHREAD_CREATE_JOINABLE
|
||||
|
||||
/* Random file path */
|
||||
#undef RANDOM_FILE
|
||||
|
||||
/* The size of `unsigned char', as computed by sizeof. */
|
||||
#undef SIZEOF_UNSIGNED_CHAR
|
||||
|
||||
/* The size of `unsigned int', as computed by sizeof. */
|
||||
#undef SIZEOF_UNSIGNED_INT
|
||||
|
||||
/* The size of `unsigned long', as computed by sizeof. */
|
||||
#undef SIZEOF_UNSIGNED_LONG
|
||||
|
||||
/* The size of `unsigned short', as computed by sizeof. */
|
||||
#undef SIZEOF_UNSIGNED_SHORT
|
||||
|
||||
/* SSL directory */
|
||||
/* TLS directory */
|
||||
#undef SSLDIR
|
||||
|
||||
/* Define to 1 if you have the ANSI C header files. */
|
||||
#undef STDC_HEADERS
|
||||
|
||||
/* Define to 1 to enable OpenSSL FIPS mode. */
|
||||
/* Define to 1 to enable OpenSSL FIPS support */
|
||||
#undef USE_FIPS
|
||||
|
||||
/* Define to 1 to select FORK mode */
|
||||
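Review bot: the `SIZEOF_UNSIGNED_*` results disappear here together with the `u8`/`u16`/`u32` fallback typedefs in common.h, so every user of those names must now come from `<stdint.h>`; the `uint8_t`/`uint16_t`/`uint32_t` substitution entries further down cover hosts without it. The `SSLDIR` comment is renamed to "TLS directory" while the macro keeps its name, which is fine but worth a word in the changelog.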
@ -259,17 +254,99 @@
|
||||
/* Define to 1 to enable IPv6 support */
|
||||
#undef USE_IPv6
|
||||
|
||||
/* Define to 1 to enable TCP wrappers support */
|
||||
#undef USE_LIBWRAP
|
||||
|
||||
/* Define to 1 to select PTHREAD mode */
|
||||
#undef USE_PTHREAD
|
||||
|
||||
/* Define to 1 to enable systemd socket activation */
|
||||
#undef USE_SYSTEMD
|
||||
|
||||
/* Define to 1 to select UCONTEXT mode */
|
||||
#undef USE_UCONTEXT
|
||||
|
||||
/* Version number of package */
|
||||
#undef VERSION
|
||||
|
||||
/* Use Darwin source */
|
||||
#undef _DARWIN_C_SOURCE
|
||||
|
||||
/* Enable large inode numbers on Mac OS X 10.5. */
|
||||
#ifndef _DARWIN_USE_64_BIT_INODE
|
||||
# define _DARWIN_USE_64_BIT_INODE 1
|
||||
#endif
|
||||
|
||||
/* Number of bits in a file offset, on hosts where this is settable. */
|
||||
#undef _FILE_OFFSET_BITS
|
||||
|
||||
/* Use GNU source */
|
||||
#undef _GNU_SOURCE
|
||||
|
||||
/* Define for large files, on AIX-style hosts. */
|
||||
#undef _LARGE_FILES
|
||||
|
||||
/* Define for Solaris 2.5.1 so the uint32_t typedef from <sys/synch.h>,
|
||||
<pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
|
||||
#define below would cause a syntax error. */
|
||||
#undef _UINT32_T
|
||||
|
||||
/* Define for Solaris 2.5.1 so the uint64_t typedef from <sys/synch.h>,
|
||||
<pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
|
||||
#define below would cause a syntax error. */
|
||||
#undef _UINT64_T
|
||||
|
||||
/* Define for Solaris 2.5.1 so the uint8_t typedef from <sys/synch.h>,
|
||||
<pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
|
||||
#define below would cause a syntax error. */
|
||||
#undef _UINT8_T
|
||||
|
||||
/* Use X/Open 5 with POSIX 1995 */
|
||||
#undef _XOPEN_SOURCE
|
||||
|
||||
/* Define to `int' if <sys/types.h> doesn't define. */
|
||||
#undef gid_t
|
||||
|
||||
/* Define to the type of a signed integer type of width exactly 16 bits if
|
||||
such a type exists and the standard includes do not define it. */
|
||||
#undef int16_t
|
||||
|
||||
/* Define to the type of a signed integer type of width exactly 32 bits if
|
||||
such a type exists and the standard includes do not define it. */
|
||||
#undef int32_t
|
||||
|
||||
/* Define to the type of a signed integer type of width exactly 64 bits if
|
||||
such a type exists and the standard includes do not define it. */
|
||||
#undef int64_t
|
||||
|
||||
/* Define to the type of a signed integer type of width exactly 8 bits if such
|
||||
a type exists and the standard includes do not define it. */
|
||||
#undef int8_t
|
||||
|
||||
/* Define to `unsigned int' if <sys/types.h> does not define. */
|
||||
#undef size_t
|
||||
|
||||
/* Type of socklen_t */
|
||||
#undef socklen_t
|
||||
|
||||
/* Define to `int' if <sys/types.h> does not define. */
|
||||
#undef ssize_t
|
||||
|
||||
/* Define to `int' if <sys/types.h> doesn't define. */
|
||||
#undef uid_t
|
||||
|
||||
/* Define to the type of an unsigned integer type of width exactly 16 bits if
|
||||
such a type exists and the standard includes do not define it. */
|
||||
#undef uint16_t
|
||||
|
||||
/* Define to the type of an unsigned integer type of width exactly 32 bits if
|
||||
such a type exists and the standard includes do not define it. */
|
||||
#undef uint32_t
|
||||
|
||||
/* Define to the type of an unsigned integer type of width exactly 64 bits if
|
||||
such a type exists and the standard includes do not define it. */
|
||||
#undef uint64_t
|
||||
|
||||
/* Define to the type of an unsigned integer type of width exactly 8 bits if
|
||||
such a type exists and the standard includes do not define it. */
|
||||
#undef uint8_t
|
||||
|
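Review bot: `_GNU_SOURCE`, `_XOPEN_SOURCE`, `_DARWIN_C_SOURCE`, `_FILE_OFFSET_BITS` and `_LARGE_FILES` only take effect if they are defined before the first system header is read, so `config.h` must be the first include in every translation unit; check that nothing includes a system header ahead of `common.h`. `_FILE_OFFSET_BITS` and `_LARGE_FILES` are also what make `stat()`/`lseek()` on files over 2 GiB work on 32-bit hosts (e.g. a large log file). The three `_UINT8_T`/`_UINT32_T`/`_UINT64_T` Solaris 2.5.1 entries are autoconf boilerplate and harmless.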
201
src/cron.c
Normal file
@ -0,0 +1,201 @@
|
||||
/*
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||
* See the GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||
*
|
||||
* Linking stunnel statically or dynamically with other modules is making
|
||||
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||
* the GNU General Public License cover the whole combination.
|
||||
*
|
||||
* In addition, as a special exception, the copyright holder of stunnel
|
||||
* gives you permission to combine stunnel with free software programs or
|
||||
* libraries that are released under the GNU LGPL and with code included
|
||||
* in the standard release of OpenSSL under the OpenSSL License (or
|
||||
* modified versions of such code, with unchanged license). You may copy
|
||||
* and distribute such a system following the terms of the GNU GPL for
|
||||
* stunnel and the licenses of the other code concerned.
|
||||
*
|
||||
* Note that people who make modified versions of stunnel are not obligated
|
||||
* to grant this special exception for their modified versions; it is their
|
||||
* choice whether to do so. The GNU General Public License gives permission
|
||||
* to release a modified version without this exception; this exception
|
||||
* also makes it possible to release a modified version which carries
|
||||
* forward this exception.
|
||||
*/
|
||||
|
||||
#include "common.h"
|
||||
#include "prototypes.h"
|
||||
|
||||
#ifdef USE_PTHREAD
|
||||
NOEXPORT void *cron_thread(void *arg);
|
||||
#endif
|
||||
#ifdef USE_WIN32
|
||||
NOEXPORT void cron_thread(void *arg);
|
||||
#endif
|
||||
#if defined(USE_PTHREAD) || defined(USE_WIN32)
|
||||
NOEXPORT void cron_worker(void);
|
||||
NOEXPORT void cron_dh_param(void);
|
||||
#endif
|
||||
|
||||
#if defined(USE_PTHREAD)
|
||||
|
||||
int cron_init() {
|
||||
pthread_t thread;
|
||||
pthread_attr_t pth_attr;
|
||||
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
|
||||
sigset_t new_set, old_set;
|
||||
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
|
||||
|
||||
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
|
||||
sigfillset(&new_set);
|
||||
pthread_sigmask(SIG_SETMASK, &new_set, &old_set); /* block signals */
|
||||
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
|
||||
pthread_attr_init(&pth_attr);
|
||||
pthread_attr_setdetachstate(&pth_attr, PTHREAD_CREATE_DETACHED);
|
||||
if(pthread_create(&thread, &pth_attr, cron_thread, NULL))
|
||||
ioerror("pthread_create");
|
||||
pthread_attr_destroy(&pth_attr);
|
||||
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
|
||||
pthread_sigmask(SIG_SETMASK, &old_set, NULL); /* unblock signals */
|
||||
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
|
||||
return 0;
|
||||
}
|
||||
|
||||
NOEXPORT void *cron_thread(void *arg) {
|
||||
#ifdef SCHED_BATCH
|
||||
struct sched_param param;
|
||||
#endif
|
||||
|
||||
(void)arg; /* squash the unused parameter warning */
|
||||
tls_alloc(NULL, NULL, "cron");
|
||||
#ifdef SCHED_BATCH
|
||||
param.sched_priority=0;
|
||||
if(pthread_setschedparam(pthread_self(), SCHED_BATCH, ¶m))
|
||||
ioerror("pthread_getschedparam");
|
||||
#endif
|
||||
cron_worker();
|
||||
return NULL; /* it should never be executed */
|
||||
}
|
||||
|
||||
#elif defined(USE_WIN32)
|
||||
|
||||
int cron_init() {
|
||||
if((long)_beginthread(cron_thread, 0, NULL)==-1)
|
||||
ioerror("_beginthread");
|
||||
return 0;
|
||||
}
|
||||
|
||||
NOEXPORT void cron_thread(void *arg) {
|
||||
(void)arg; /* squash the unused parameter warning */
|
||||
tls_alloc(NULL, NULL, "cron");
|
||||
if(!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_LOWEST))
|
||||
ioerror("SetThreadPriority");
|
||||
cron_worker();
|
||||
_endthread(); /* it should never be executed */
|
||||
}
|
||||
|
||||
#else /* !defined(USE_PTHREAD) && !defined(USE_WIN32) */
|
||||
|
||||
int cron_init() {
|
||||
/* not implemented for now */
|
||||
return 0;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
/* run the cron job every 24 hours */
|
||||
#define CRON_PERIOD (24*60*60)
|
||||
|
||||
#if defined(USE_PTHREAD) || defined(USE_WIN32)
|
||||
|
||||
NOEXPORT void cron_worker(void) {
|
||||
time_t now, then;
|
||||
int delay;
|
||||
|
||||
s_log(LOG_DEBUG, "Cron thread initialized");
|
||||
sleep(60); /* allow the other services to start with idle CPU */
|
||||
time(&then);
|
||||
for(;;) {
|
||||
s_log(LOG_INFO, "Executing cron jobs");
|
||||
#ifndef OPENSSL_NO_DH
|
||||
cron_dh_param();
|
||||
#endif /* OPENSSL_NO_DH */
|
||||
time(&now);
|
||||
s_log(LOG_INFO, "Cron jobs completed in %d seconds", (int)(now-then));
|
||||
then+=CRON_PERIOD;
|
||||
if(then>now) {
|
||||
delay=(int)(then-now);
|
||||
} else {
|
||||
s_log(LOG_NOTICE, "Cron backlog cleared (possible hibernation)");
|
||||
delay=CRON_PERIOD-(int)(now-then)%CRON_PERIOD;
|
||||
then=now+delay;
|
||||
}
|
||||
s_log(LOG_DEBUG, "Waiting %d seconds", delay);
|
||||
do { /* retry sleep() if it was interrupted by a signal */
|
||||
sleep((unsigned)delay);
|
||||
time(&now);
|
||||
delay=(int)(then-now);
|
||||
} while(delay>0);
|
||||
s_log(LOG_INFO, "Reopening log file");
|
||||
signal_post(SIGNAL_REOPEN_LOG);
|
||||
}
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_DH
|
||||
NOEXPORT void cron_dh_param(void) {
|
||||
SERVICE_OPTIONS *opt;
|
||||
DH *dh;
|
||||
|
||||
if(!dh_needed)
|
||||
return;
|
||||
|
||||
s_log(LOG_NOTICE, "Updating DH parameters");
|
||||
#if OPENSSL_VERSION_NUMBER>=0x0090800fL
|
||||
/* generate 2048-bit DH parameters */
|
||||
dh=DH_new();
|
||||
if(!dh) {
|
||||
sslerror("DH_new");
|
||||
return;
|
||||
}
|
||||
if(!DH_generate_parameters_ex(dh, 2048, 2, NULL)) {
|
||||
DH_free(dh);
|
||||
sslerror("DH_generate_parameters_ex");
|
||||
return;
|
||||
}
|
||||
#else /* OpenSSL older than 0.9.8 */
|
||||
dh=DH_generate_parameters(2048, 2, NULL, NULL);
|
||||
if(!dh) {
|
||||
sslerror("DH_generate_parameters");
|
||||
return;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* update global dh_params for future configuration reloads */
|
||||
stunnel_write_lock(&stunnel_locks[LOCK_DH]);
|
||||
DH_free(dh_params);
|
||||
dh_params=dh;
|
||||
stunnel_write_unlock(&stunnel_locks[LOCK_DH]);
|
||||
|
||||
/* set for all sections that require it */
|
||||
for(opt=service_options.next; opt; opt=opt->next)
|
||||
if(opt->option.dh_needed)
|
||||
SSL_CTX_set_tmp_dh(opt->ctx, dh);
|
||||
s_log(LOG_NOTICE, "DH parameters updated");
|
||||
}
|
||||
#endif /* OPENSSL_NO_DH */
|
||||
|
||||
#endif /* USE_PTHREAD || USE_WIN32 */
|
||||
|
||||
/* end of cron.c */
|
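Review bot: `cron_dh_param()` uses `dh` after releasing `LOCK_DH`: it stores `dh` into the global `dh_params` under `stunnel_write_lock(&stunnel_locks[LOCK_DH])`, unlocks, and only then walks `service_options` calling `SSL_CTX_set_tmp_dh(opt->ctx, dh)`. Anything else that replaces and `DH_free()`s `dh_params` under that lock in the meantime (the comment says the global exists "for future configuration reloads") leaves this loop handing a freed `DH` to OpenSSL. Either keep the write lock held across the loop, or take a reference with `DH_up_ref(dh)` before unlocking and drop it after the loop; the `service_options` list is likewise walked without a lock. Smaller points: `ioerror("pthread_getschedparam")` names the wrong function after a failed `pthread_setschedparam()`; `int cron_init()` should be `cron_init(void)` in all three variants; and a 2048-bit `DH_generate_parameters_ex()` can take minutes of CPU, which is acceptable in this lowest-priority thread but deserves a comment.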
57
src/dhparam.c
Normal file
@ -0,0 +1,57 @@
|
||||
#include "common.h"
|
||||
#ifndef OPENSSL_NO_DH
|
||||
#define DN_new DH_new
|
||||
#ifndef HEADER_DH_H
|
||||
# include <openssl/dh.h>
|
||||
#endif
|
||||
|
||||
DH *get_dh2048()
|
||||
{
|
||||
static unsigned char dhp_2048[] = {
|
||||
0xE5, 0x09, 0xEB, 0x6B, 0x7E, 0xFF, 0x06, 0x2E, 0xE9, 0x8E,
|
||||
0xEB, 0xB8, 0x15, 0x2E, 0x83, 0xE9, 0x77, 0x6B, 0x98, 0x80,
|
||||
0xC2, 0x5B, 0xC7, 0x99, 0xEF, 0xD2, 0x3B, 0x75, 0x23, 0xD1,
|
||||
0xEF, 0x4D, 0x2C, 0xE6, 0xE5, 0xD3, 0x6A, 0x5E, 0x38, 0x4A,
|
||||
0x05, 0x15, 0x57, 0xFF, 0x46, 0x22, 0x0F, 0xDC, 0xC9, 0xF0,
|
||||
0xA0, 0x4C, 0x2B, 0x70, 0x91, 0x30, 0x32, 0x3A, 0x20, 0x38,
|
||||
0xB6, 0x62, 0xAE, 0x8C, 0x9E, 0x9B, 0x7A, 0x04, 0xCF, 0x9C,
|
||||
0x20, 0x0C, 0x9D, 0x34, 0xFC, 0xB5, 0x46, 0x9E, 0xB6, 0x56,
|
||||
0x94, 0x7A, 0x8E, 0x7B, 0xEA, 0x77, 0x3D, 0x1F, 0x57, 0xAD,
|
||||
0xB0, 0xB7, 0xD6, 0x2E, 0x95, 0x5B, 0xA7, 0x1E, 0xF1, 0x84,
|
||||
0x04, 0x7C, 0x77, 0x9B, 0x10, 0x8D, 0x5F, 0xA5, 0x2B, 0x0D,
|
||||
0xCB, 0xFB, 0xB9, 0x0A, 0xCB, 0xDD, 0x70, 0x9F, 0x85, 0xBA,
|
||||
0xE3, 0x6A, 0xD1, 0xE4, 0x83, 0x7B, 0x89, 0x66, 0xAC, 0x58,
|
||||
0x12, 0x43, 0x5B, 0xA8, 0x02, 0xC0, 0x5C, 0x27, 0x61, 0x97,
|
||||
0x5D, 0xEC, 0x94, 0x71, 0xB2, 0x13, 0x13, 0xAB, 0x30, 0x0C,
|
||||
0x54, 0x54, 0x8C, 0xE2, 0x9D, 0x07, 0xDE, 0xE7, 0x62, 0x70,
|
||||
0xDE, 0x6C, 0x48, 0xD7, 0x69, 0xDA, 0xBC, 0xDA, 0xB1, 0x82,
|
||||
0xE4, 0xD7, 0xE4, 0xFB, 0x6D, 0x36, 0x46, 0x55, 0x30, 0x63,
|
||||
0x18, 0x42, 0x82, 0x60, 0xE2, 0x76, 0x23, 0x56, 0x34, 0x25,
|
||||
0xA9, 0x6A, 0xF1, 0x06, 0xB1, 0x68, 0xAD, 0x7F, 0xCE, 0x06,
|
||||
0xEE, 0x85, 0xA5, 0x83, 0x85, 0x08, 0x45, 0x45, 0x09, 0xA7,
|
||||
0x3D, 0xC9, 0xAC, 0xE6, 0x3A, 0x98, 0x93, 0xBF, 0x98, 0x2E,
|
||||
0x4D, 0x00, 0x3B, 0x74, 0x62, 0x7B, 0x8D, 0xBD, 0x18, 0x6C,
|
||||
0xAC, 0x4B, 0xEF, 0xF5, 0xAD, 0x0E, 0x2E, 0x85, 0x60, 0xE6,
|
||||
0xF4, 0x3F, 0x25, 0xFE, 0xAE, 0xC3, 0x18, 0x9B, 0x04, 0x7B,
|
||||
0xC7, 0x48, 0xE8, 0xC1, 0x3C, 0x13
|
||||
};
|
||||
static unsigned char dhg_2048[] = {
|
||||
0x02
|
||||
};
|
||||
DH *dh = DH_new();
|
||||
BIGNUM *dhp_bn, *dhg_bn;
|
||||
|
||||
if (dh == NULL)
|
||||
return NULL;
|
||||
dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
|
||||
dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
|
||||
if (dhp_bn == NULL || dhg_bn == NULL
|
||||
|| !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
|
||||
DH_free(dh);
|
||||
BN_free(dhp_bn);
|
||||
BN_free(dhg_bn);
|
||||
return NULL;
|
||||
}
|
||||
return dh;
|
||||
}
|
||||
#endif /* OPENSSL_NO_DH */
|
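Review bot: `#define DN_new DH_new` is not used anywhere in this file and looks like a typo; remove it. `DH *get_dh2048()` should be `get_dh2048(void)` so the declaration is a prototype, and the `#ifndef HEADER_DH_H` include block is redundant because `common.h`, included first, already pulls in `<openssl/dh.h>` under `!OPENSSL_NO_DH` and declares the `DH_set0_pqg()` shim for OpenSSL older than 1.1.0 that this file relies on. The embedded 2048-bit group is only the startup default that `cron_dh_param()` later replaces with freshly generated parameters, which is a sound design; a one-line comment saying so would help the next reader.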
10
src/env.c
@ -1,6 +1,6 @@
|
||||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
@ -53,15 +53,15 @@
|
||||
int getpeername(int s, struct sockaddr_in *name, int *len) {
|
||||
char *value;
|
||||
|
||||
(void)s; /* skip warning about unused parameter */
|
||||
(void)len; /* skip warning about unused parameter */
|
||||
(void)s; /* squash the unused parameter warning */
|
||||
(void)len; /* squash the unused parameter warning */
|
||||
name->sin_family=AF_INET;
|
||||
if((value=getenv("REMOTE_HOST")))
|
||||
name->sin_addr.s_addr=inet_addr(value);
|
||||
else
|
||||
name->sin_addr.s_addr=htonl(INADDR_ANY);
|
||||
if((value=getenv("REMOTE_PORT")))
|
||||
name->sin_port=htons(atoi(value));
|
||||
name->sin_port=htons((uint16_t)atoi(value));
|
||||
else
|
||||
name->sin_port=htons(0); /* dynamic port allocation */
|
||||
return 0;
|
||||
|
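Review bot: `htons((uint16_t)atoi(value))` only silences the conversion warning; `atoi()` gives no error indication, so a `REMOTE_PORT` outside 0..65535, or a non-numeric one, is silently truncated to an unrelated port. Parse with `strtol()`, check `endptr` and the range, and fall back to the dynamic-port branch on failure. Similarly `inet_addr(value)` returns `INADDR_NONE` (which equals 255.255.255.255) on a malformed `REMOTE_HOST`, so `inet_aton()` or `inet_pton()` with an explicit error check would be more robust. Both values come from the environment and should be handled as untrusted input.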
BIN
src/error.ico
Normal file
Binary file not shown.
64
src/evc.mak
@ -1,8 +1,24 @@
|
||||
# wce.mak for stunnel.exe by Michal Trojnara 2006-2012
|
||||
# with help of Pierre Delaage <delaage.pierre@free.fr>
|
||||
# pdelaage 20140610 : added UNICODE optional FLAG, always ACTIVE on WCE because of poor ANSI support
|
||||
# pdelaage 20140610 : added _WIN32_WCE flag for RC compilation, to preprocess out "HELP" unsupported menu flag on WCE
|
||||
# pdelaage 20140610 : ws2 lib is required to get WSAGetLastError routine (absent from winsock lib)
|
||||
# pdelaage 20140610 : /Dx86 flag required for X86/Emulator targets, to get proper definition for InterlockedExchange
|
||||
# pdelaage 20140610 : /MT flag is NON-SENSE for X86-WCE platforms, it is only meaningful for X86-W32-Desktop.
|
||||
# for X86-WCE targets, although compiler "cl.exe" is REALLY the same as desktop W32 VS6 C++ compiler,
|
||||
# the MT flags relating to LIBCMT is useless BECAUSE LIBCMT does NOT exist on WCE. No msvcrt on WCE either...
|
||||
|
||||
# pdelaage 20140610 : Note on /MC flag
|
||||
# For other targets than X86/Emulator, /MC flag is redundant with "/nodefaultlib coredll.lib corelibc.lib" LD lib list.
|
||||
# For << X86 / Emulator >> target, as the cl.exe compiler IS the SAME as the standard VS6.0 C++ compiler for Desktop Pentium processor,
|
||||
# /MC flag is in fact NOT existing, thus requiring an explicit linking with core libs by using :
|
||||
# /NODEFAULTLIB coredll.lib corelibc.lib,
|
||||
# something that is correct for any WCE target, X86 and other, and leading /MC flag to be useless ALSO for other target than X86.
|
||||
|
||||
|
||||
#
|
||||
# DEFAULTLIB management: only 2 are necessary
|
||||
# defaultlibS as given for CLxxx in the MS doc ARE WRONG
|
||||
# defaultlibS, as given for CLxxx in the MS doc, ARE WRONG
|
||||
|
||||
# !!!!!!!!!!!!!!
|
||||
# CUSTOMIZE THIS according to your wcecompat and openssl directories
|
||||
@ -10,10 +26,10 @@
|
||||
|
||||
# Modify this to point to your actual openssl compile directory
|
||||
# (You did already compile openssl, didn't you???)
|
||||
SSLDIR=C:\Users\standard\Documents\Dvts\Contrib\openssl\v1.0.0a\patched3
|
||||
SSLDIR=C:\Users\pdelaage\Dvts\Contrib\openssl
|
||||
|
||||
# Note that we currently use a multi-target customized version of legacy Essemer/wcecompat lib
|
||||
COMPATDIR=C:\Users\standard\Documents\Dvts\Contrib\wcecompat\v12\patchedX86
|
||||
COMPATDIR=C:\Users\pdelaage\Dvts\Contrib\wcecompat\v12\patched3emu
|
||||
|
||||
WCEVER=420
|
||||
|
||||
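Review bot: `SSLDIR` and `COMPATDIR` now point at a personal profile directory (`C:\Users\pdelaage\...`); that is no more usable for anyone else than the previous `C:\Users\standard\...` default. Since the comment block above already says "CUSTOMIZE THIS", consider defaulting to relative paths or taking the values from the environment (`!IFNDEF SSLDIR` / `!IFNDEF COMPATDIR`) so the committed file works without editing.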
@ -24,7 +40,8 @@ WCEVER=420
|
||||
!IF "$(TARGETCPU)"=="X86"
|
||||
WCETARGETCPU=_X86_
|
||||
LDTARGETCPU=X86
|
||||
MORECFLAGS=/MT
|
||||
#pdelaage 20140621 /Dx86 for inline defs of InterlockedExchange inline in winbase.h; no more /MT
|
||||
MORECFLAGS=/Dx86
|
||||
|
||||
# TODO: continue list for other targets : see wcecompat/wcedefs.mak for a good ref.
|
||||
# see also openssl/util/pl/vc-32.pl, also link /?
|
||||
@ -34,17 +51,20 @@ MORECFLAGS=/MT
|
||||
!ELSEIF "$(TARGETCPU)"=="emulator"
|
||||
WCETARGETCPU=_X86_
|
||||
LDTARGETCPU=X86
|
||||
MORECFLAGS=/MT
|
||||
#pdelaage 20140621 /Dx86 for inline defs of InterlockedExchange inline in winbase.h; no more /MT
|
||||
MORECFLAGS=/Dx86
|
||||
|
||||
!ELSEIF "$(TARGETCPU)"=="MIPS16" || "$(TARGETCPU)"=="MIPSII" || "$(TARGETCPU)"=="MIPSII_FP" || "$(TARGETCPU)"=="MIPSIV" || "$(TARGETCPU)"=="MIPSIV_FP"
|
||||
WCETARGETCPU=_MIPS_
|
||||
LDTARGETCPU=MIPS
|
||||
MORECFLAGS=/DMIPS /MC
|
||||
#pdelaage 20140621 no more /MC required
|
||||
MORECFLAGS=/DMIPS
|
||||
|
||||
!ELSEIF "$(TARGETCPU)"=="SH3" || "$(TARGETCPU)"=="SH4"
|
||||
WCETARGETCPU=SHx
|
||||
LDTARGETCPU=$(TARGETCPU)
|
||||
MORECFLAGS=/MC
|
||||
#pdelaage 20140621 no more /MC required
|
||||
MORECFLAGS=
|
||||
|
||||
!ELSE
|
||||
# default is ARM !
|
||||
@ -52,8 +72,8 @@ MORECFLAGS=/MC
|
||||
# the following flag is required by (eg) winnt.h, and is different from targetcpu (armV4)
|
||||
WCETARGETCPU=ARM
|
||||
LDTARGETCPU=ARM
|
||||
MORECFLAGS=/MC
|
||||
|
||||
#pdelaage 20140621 no more /MC required
|
||||
MORECFLAGS=
|
||||
!ENDIF
|
||||
|
||||
# ceutilsdir probably useless (nb : were tools from essemer; but ms delivers a cecopy anyway, see ms dld site)
|
||||
@ -65,12 +85,17 @@ SDKDIR=$(SDKROOT)\$(OSVERSION)\$(PLATFORM)
INCLUDES=-I$(SSLDIR)\inc32 -I$(COMPATDIR)\include -I"$(SDKDIR)\include\$(TARGETCPU)"
# for X86 and other it appears that /MC or /ML flags are absurd,
# we always have to override runtime lib list to coredll and corelibc
LIBS=/NODEFAULTLIB winsock.lib wcecompatex.lib libeay32.lib ssleay32.lib coredll.lib corelibc.lib
#LIBS=/NODEFAULTLIB winsock.lib wcecompatex.lib libeay32.lib ssleay32.lib coredll.lib corelibc.lib
LIBS=/NODEFAULTLIB ws2.lib wcecompatex.lib libeay32.lib ssleay32.lib coredll.lib corelibc.lib

DEFINES=/DHOST=\"$(TARGETCPU)-WCE-eVC-$(WCEVER)\"
# pdelaage 20140610 added unicode flag : ALWAYS ACTIVE on WCE, because of poor ANSI support by the MS SDK
UNICODEFLAGS=/DUNICODE -D_UNICODE
# /O1 /Oi more correct vs MS doc
CFLAGS=/nologo $(MORECFLAGS) /O1 /Oi /W3 /WX /GF /Gy $(DEFINES) /D$(WCETARGETCPU) /D$(TARGETCPU) /DUNDER_CE=$(WCEVER) /D_WIN32_WCE=$(WCEVER) /DUNICODE -D_UNICODE $(INCLUDES)
RFLAGS=$(DEFINES) $(INCLUDES)
CFLAGS=/nologo $(MORECFLAGS) /O1 /Oi /W3 /WX /GF /Gy $(DEFINES) /D$(WCETARGETCPU) /D$(TARGETCPU) /DUNDER_CE=$(WCEVER) /D_WIN32_WCE=$(WCEVER) $(UNICODEFLAGS) $(INCLUDES)
# pdelaage 20140610 : RC compilation requires D_WIN32_WCE flag to comment out unsupported "HELP" flag in menu definition, in resources.rc file
RFLAGS=$(DEFINES) /D_WIN32_WCE=$(WCEVER) $(INCLUDES)

# LDFLAGS: since openssl >> 098a (eg 098h) out32dll is out32dll_targetCPU for WCE
# delaage added $(TARGETCPU) in legacy Essemer/wcecompat libpath
# to ease multitarget compilation without recompiling everything
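Review bot: the commented-out `#LIBS=/NODEFAULTLIB winsock.lib ...` line kept next to the new `ws2.lib` line should be dropped; the old value lives in version control, and a dead alternative beside the live one invites someone to flip it back without knowing why winsock.lib was replaced. A one-line comment stating why ws2.lib is now required carries the same information. Also, `UNICODEFLAGS=/DUNICODE -D_UNICODE` mixes the `/D` and `-D` spellings; both work with cl, but a single style is easier to grep for.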
@ -89,11 +114,12 @@ BIN=$(BINROOT)\$(TARGETCPU)

OBJS=$(OBJ)\stunnel.obj $(OBJ)\ssl.obj $(OBJ)\ctx.obj $(OBJ)\verify.obj \
$(OBJ)\file.obj $(OBJ)\client.obj $(OBJ)\protocol.obj $(OBJ)\sthreads.obj \
$(OBJ)\log.obj $(OBJ)\options.obj $(OBJ)\network.obj \
$(OBJ)\resolver.obj $(OBJ)\str.obj $(OBJ)\fd.obj
$(OBJ)\log.obj $(OBJ)\options.obj $(OBJ)\network.obj $(OBJ)\resolver.obj \
$(OBJ)\str.obj $(OBJ)\tls.obj $(OBJ)\fd.obj $(OBJ)\dhparam.obj \
$(OBJ)\cron.obj

GUIOBJS=$(OBJ)\gui.obj $(OBJ)\resources.res
NOGUIOBJS=$(OBJ)\nogui.obj
GUIOBJS=$(OBJ)\ui_win_gui.obj $(OBJ)\resources.res
CLIOBJS=$(OBJ)\ui_win_cli.obj

{$(SRC)\}.c{$(OBJ)\}.obj:
$(CC) $(CFLAGS) -Fo$@ -c $<
@ -115,11 +141,11 @@ makedirs:
$(BIN)\stunnel.exe:$(OBJS) $(GUIOBJS)
link $(LDFLAGS) /out:$(BIN)\stunnel.exe $(LIBS) commctrl.lib $**

$(BIN)\tstunnel.exe:$(OBJS) $(NOGUIOBJS)
$(BIN)\tstunnel.exe:$(OBJS) $(CLIOBJS)
link $(LDFLAGS) /out:$(BIN)\tstunnel.exe $(LIBS) $**

$(OBJ)\resources.res: $(SRC)\resources.rc $(SRC)\resources.h $(SRC)\version.h
$(OBJ)\gui.obj: $(SRC)\gui.c $(SRC)\version.h
$(OBJ)\ui_win_gui.obj: $(SRC)\ui_win_gui.c $(SRC)\version.h
$(OBJ)\stunnel.obj: $(SRC)\stunnel.c $(SRC)\version.h

# now list of openssl dll has more files,
@ -136,6 +162,6 @@ install: stunnel.exe tstunnel.exe
$(CEUTILSDIR)\cecopy $(SSLDIR)\out32dll_$(TARGETCPU)\ssleay32.dll $(DSTDIR)

clean:
-@ IF NOT "$(TARGETCPU)"=="" del $(OBJS) $(GUIOBJS) $(NOGUIOBJS) $(BIN)\stunnel.exe $(BIN)\tstunnel.exe >NUL 2>&1
-@ IF NOT "$(TARGETCPU)"=="" del $(OBJS) $(GUIOBJS) $(CLIOBJS) $(BIN)\stunnel.exe $(BIN)\tstunnel.exe >NUL 2>&1
-@ IF NOT "$(TARGETCPU)"=="" rmdir $(OBJ) >NUL 2>&1
-@ IF NOT "$(TARGETCPU)"=="" rmdir $(BIN) >NUL 2>&1
53
src/fd.c
@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@ -49,19 +49,19 @@

/**************************************** prototypes */

static int setup_fd(int, int, char *);
NOEXPORT SOCKET setup_fd(SOCKET, int, char *);

/**************************************** internal limit of file descriptors */

#ifndef USE_FORK

static int max_fds;
static SOCKET max_fds;

void get_limits(void) { /* set max_fds and max_clients */
/* start with current ulimit */
#if defined(HAVE_SYSCONF)
errno=0;
max_fds=sysconf(_SC_OPEN_MAX);
max_fds=(SOCKET)sysconf(_SC_OPEN_MAX);
if(errno)
ioerror("sysconf");
if(max_fds<0)
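Review bot: `max_fds` is a count of descriptors, not a handle, so declaring it `SOCKET` (and casting `(SOCKET)sysconf(_SC_OPEN_MAX)`) muddles the types: wherever SOCKET is an unsigned integer, the `if(max_fds<0)` check that follows can never be true and a negative sysconf() result would be stored as a huge positive limit. Keeping max_fds as a signed integer (long, matching sysconf()'s return type) and casting the descriptor at the comparison sites in setup_fd() keeps the error check meaningful.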
@ -84,13 +84,13 @@ void get_limits(void) { /* set max_fds and max_clients */
max_fds=FD_SETSIZE; /* start with select() limit */
#endif /* select() on Unix */

/* stunnel needs at least 16 file desriptors */
/* stunnel needs at least 16 file descriptors */
if(max_fds && max_fds<16)
max_fds=16;

if(max_fds) {
max_clients=max_fds>=256 ? max_fds*125/256 : (max_fds-6)/2;
s_log(LOG_DEBUG, "Clients allowed=%d", max_clients);
max_clients=(long)(max_fds>=256 ? max_fds*125/256 : (max_fds-6)/2);
s_log(LOG_DEBUG, "Clients allowed=%ld", max_clients);
} else {
max_clients=0;
s_log(LOG_DEBUG, "No limit detected for the number of clients");
@ -101,18 +101,27 @@ void get_limits(void) { /* set max_fds and max_clients */

/**************************************** file descriptor validation */

int s_socket(int domain, int type, int protocol, int nonblock, char *msg) {
SOCKET s_socket(int domain, int type, int protocol, int nonblock, char *msg) {
SOCKET fd;

#ifdef USE_NEW_LINUX_API
if(nonblock)
type|=SOCK_NONBLOCK;
type|=SOCK_CLOEXEC;
#endif
return setup_fd(socket(domain, type, protocol), nonblock, msg);
#ifdef USE_WIN32
/* http://stackoverflow.com/questions/4993119 */
/* CreateProcess() needs a non-overlapped handle */
fd=WSASocket(domain, type, protocol, NULL, 0, 0);
#else /* USE_WIN32 */
fd=socket(domain, type, protocol);
#endif /* USE_WIN32 */
return setup_fd(fd, nonblock, msg);
}

int s_accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen,
SOCKET s_accept(SOCKET sockfd, struct sockaddr *addr, socklen_t *addrlen,
int nonblock, char *msg) {
int fd;
SOCKET fd;

#ifdef USE_NEW_LINUX_API
if(nonblock)
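Review bot: in the `#ifdef USE_WIN32` branch of s_socket(), `WSASocket(domain, type, protocol, NULL, 0, 0)` passes dwFlags 0, so the socket is non-overlapped (as the comment wants) but also inheritable, whereas the Unix path right above sets SOCK_CLOEXEC on every socket. Every listener and client socket created this way is inherited by any process CreateProcess() later spawns. Where the handle is not meant for the child, pass WSA_FLAG_NO_HANDLE_INHERIT (Windows 7 SP1 and later) or clear inheritance with SetHandleInformation(), and add a comment naming the sockets that are intentionally handed to a child process.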
@ -127,7 +136,7 @@ int s_accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen,

#ifndef USE_WIN32

int s_socketpair(int domain, int type, int protocol, int sv[2],
int s_socketpair(int domain, int type, int protocol, SOCKET sv[2],
int nonblock, char *msg) {
#ifdef USE_NEW_LINUX_API
if(nonblock)
@ -177,28 +186,28 @@ int s_pipe(int pipefd[2], int nonblock, char *msg) {

#endif /* USE_WIN32 */

static int setup_fd(int fd, int nonblock, char *msg) {
NOEXPORT SOCKET setup_fd(SOCKET fd, int nonblock, char *msg) {
#if !defined USE_NEW_LINUX_API && defined FD_CLOEXEC
int err;
#endif

if(fd<0) {
if(fd==INVALID_SOCKET) {
sockerror(msg);
return -1;
return INVALID_SOCKET;
}
#ifndef USE_FORK
if(max_fds && fd>=max_fds) {
s_log(LOG_ERR, "%s: FD=%d out of range (max %d)",
msg, fd, max_fds);
msg, (int)fd, (int)max_fds);
closesocket(fd);
return -1;
return INVALID_SOCKET;
}
#endif

#ifdef USE_NEW_LINUX_API
(void)nonblock; /* skip warning about unused parameter */
(void)nonblock; /* squash the unused parameter warning */
#else /* set O_NONBLOCK and F_SETFD */
set_nonblock(fd, nonblock);
set_nonblock(fd, (unsigned long)nonblock);
#ifdef FD_CLOEXEC
do {
err=fcntl(fd, F_SETFD, FD_CLOEXEC);
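Review bot: the range check `if(max_fds && fd>=max_fds)` now compares a SOCKET handle with a SOCKET-typed limit, and the log line casts both to int. That is fine where descriptors are small integers, but on 64-bit Windows a SOCKET is a 64-bit handle, so the `(int)` casts truncate the logged value and a comparison against a select()-style limit has no meaning there. A short comment that this check is only intended for platforms where descriptors are indices, and that the casts are for logging only, would save the next reader the same analysis.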
@ -216,7 +225,7 @@ static int setup_fd(int fd, int nonblock, char *msg) {
return fd;
}

void set_nonblock(int fd, unsigned long nonblock) {
void set_nonblock(SOCKET fd, unsigned long nonblock) {
#if defined F_GETFL && defined F_SETFL && defined O_NONBLOCK && !defined __INNOTEK_LIBC__
int err, flags;

@ -237,7 +246,7 @@ void set_nonblock(int fd, unsigned long nonblock) {
if(err<0)
sockerror("fcntl SETFL"); /* non-critical */
#else /* WIN32 or similar */
if(ioctlsocket(fd, FIONBIO, &nonblock)<0)
if(ioctlsocket(fd, (long)FIONBIO, &nonblock)<0)
sockerror("ioctlsocket"); /* non-critical */
#if 0
else
139
src/file.c
@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@ -40,20 +40,37 @@

#ifdef USE_WIN32

DISK_FILE *file_open(char *name, int wr) {
DISK_FILE *file_open(char *name, FILE_MODE mode) {
DISK_FILE *df;
LPTSTR tstr;
LPTSTR tname;
HANDLE fh;
DWORD desired_access, creation_disposition;

/* open file */
tstr=str2tstr(name);
fh=CreateFile(tstr, wr ? GENERIC_WRITE : GENERIC_READ,
FILE_SHARE_READ, NULL, wr ? OPEN_ALWAYS : OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL, (HANDLE)NULL);
str_free(tstr); /* str_free() overwrites GetLastError() value */
switch(mode) {
case FILE_MODE_READ:
desired_access=GENERIC_READ;
creation_disposition=OPEN_EXISTING;
break;
case FILE_MODE_APPEND:
/* reportedly more compatible than FILE_APPEND_DATA */
desired_access=GENERIC_WRITE;
creation_disposition=OPEN_ALWAYS; /* keep the data */
break;
case FILE_MODE_OVERWRITE:
desired_access=GENERIC_WRITE;
creation_disposition=CREATE_ALWAYS; /* remove the data */
break;
default: /* invalid mode */
return NULL;
}
tname=str2tstr(name);
fh=CreateFile(tname, desired_access, FILE_SHARE_READ, NULL,
creation_disposition, FILE_ATTRIBUTE_NORMAL, (HANDLE)NULL);
str_free(tname); /* str_free() overwrites GetLastError() value */
if(fh==INVALID_HANDLE_VALUE)
return NULL;
if(wr) /* append */
if(mode==FILE_MODE_APPEND) /* workaround for FILE_APPEND_DATA */
SetFilePointer(fh, 0, NULL, FILE_END);

/* setup df structure */
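Review bot: FILE_MODE_APPEND is implemented as GENERIC_WRITE + OPEN_ALWAYS followed by one SetFilePointer(fh, 0, NULL, FILE_END), and the comment only says this is "reportedly more compatible than FILE_APPEND_DATA". The difference matters for a log file: FILE_APPEND_DATA makes every WriteFile() append atomically, while a file pointer set once at open time lets a second writer (another stunnel instance, or a rotation tool) overwrite or interleave records. If the compatibility concern is real, name the platform in the comment; otherwise FILE_APPEND_DATA is the safer default. The return value of SetFilePointer() is also ignored.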
@ -72,15 +89,24 @@ DISK_FILE *file_fdopen(int fd) {
return df;
}

DISK_FILE *file_open(char *name, int wr) {
DISK_FILE *file_open(char *name, FILE_MODE mode) {
DISK_FILE *df;
int fd, flags;

/* open file */
if(wr)
flags=O_CREAT|O_WRONLY|O_APPEND;
else
switch(mode) {
case FILE_MODE_READ:
flags=O_RDONLY;
break;
case FILE_MODE_APPEND:
flags=O_CREAT|O_WRONLY|O_APPEND;
break;
case FILE_MODE_OVERWRITE:
flags=O_CREAT|O_WRONLY|O_TRUNC;
break;
default: /* invalid mode */
return NULL;
}
#ifdef O_NONBLOCK
flags|=O_NONBLOCK;
#elif defined O_NDELAY
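Review bot: the Unix file_open() builds its flags with O_CREAT for the append and overwrite modes and adds O_CLOEXEC under `#ifdef` a few lines further down, but nothing stops open() from following a symlink at `name`. When the log file lives in a directory other users can write to, a symlink there redirects the daemon's write (or, in FILE_MODE_OVERWRITE, its truncation) to any file the daemon's credentials can reach. Adding `flags|=O_NOFOLLOW` under a matching `#ifdef O_NOFOLLOW`, or at least documenting that the log directory must not be writable by other users, closes that. The 0640 creation mode is a sensible default.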
@ -90,7 +116,7 @@ DISK_FILE *file_open(char *name, int wr) {
flags|=O_CLOEXEC;
#endif /* O_CLOEXEC */
fd=open(name, flags, 0640);
if(fd<0)
if(fd==INVALID_SOCKET)
return NULL;

/* setup df structure */
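Review bot: `if(fd==INVALID_SOCKET)` replaces `if(fd<0)` on the result of open(), which is a plain file descriptor: open() reports failure as -1, not as a socket sentinel. The comparison only works because INVALID_SOCKET happens to be -1 on Unix, and it reads as if a socket were being opened. Keep `fd<0` here (or introduce a separate INVALID_FD constant) so the file and socket error conventions stay distinguishable.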
@ -107,19 +133,20 @@ void file_close(DISK_FILE *df) {
#ifdef USE_WIN32
CloseHandle(df->fh);
#else /* USE_WIN32 */
close(df->fd);
if(df->fd>2) /* never close stdin/stdout/stder */
close(df->fd);
#endif /* USE_WIN32 */
str_free(df);
}

int file_getline(DISK_FILE *df, char *line, int len) {
ssize_t file_getline(DISK_FILE *df, char *line, int len) {
/* this version is really slow, but performance is not important here */
/* (no buffering is implemented) */
int i;
ssize_t i;
#ifdef USE_WIN32
DWORD num;
#else /* USE_WIN32 */
int num;
ssize_t num;
#endif /* USE_WIN32 */

if(!df) /* not opened */
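Review bot: the new guard `if(df->fd>2)` in file_close() deliberately keeps descriptors 0-2 open, but its comment "never close stdin/stdout/stder" is missing the final letter and does not say why a DISK_FILE can wrap one of them (presumably through file_fdopen()). Please state that in the comment; a future cleanup that "fixes" the guard would otherwise close stderr underneath the logging code.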
@ -146,13 +173,13 @@ int file_getline(DISK_FILE *df, char *line, int len) {
return i;
}

int file_putline(DISK_FILE *df, char *line) {
int len;
ssize_t file_putline(DISK_FILE *df, char *line) {
char *buff;
size_t len;
#ifdef USE_WIN32
DWORD num;
#else /* USE_WIN32 */
int num;
ssize_t num;
#endif /* USE_WIN32 */

len=strlen(line);
@ -163,53 +190,73 @@ int file_putline(DISK_FILE *df, char *line) {
#endif /* USE_WIN32 */
buff[len++]='\n'; /* LF */
#ifdef USE_WIN32
WriteFile(df->fh, buff, len, &num, NULL);
WriteFile(df->fh, buff, (DWORD)len, &num, NULL);
#else /* USE_WIN32 */
/* no file -> write to stderr */
num=write(df ? df->fd : 2, buff, len);
#endif /* USE_WIN32 */
str_free(buff);
return num;
return (ssize_t)num;
}

int file_permissions(const char *file_name) {
#if !defined(USE_WIN32) && !defined(USE_OS2)
struct stat sb; /* buffer for stat */

/* check permissions of the private key file */
if(stat(file_name, &sb)) {
ioerror(file_name);
return 1; /* FAILED */
}
if(sb.st_mode & 7)
s_log(LOG_WARNING,
"Insecure file permissions on %s", file_name);
#else
(void)file_name; /* squash the unused parameter warning */
#endif
return 0;
}

#ifdef USE_WIN32

LPTSTR str2tstr(const LPSTR in) {
LPTSTR str2tstr(LPCSTR in) {
LPTSTR out;
#ifdef UNICODE
int len;

#ifdef UNICODE
len=MultiByteToWideChar(CP_ACP, 0, in, -1, NULL, 0);
len=MultiByteToWideChar(CP_UTF8, 0, in, -1, NULL, 0);
if(!len)
return NULL;
out=str_alloc((len+1)*sizeof(WCHAR));
len=MultiByteToWideChar(CP_ACP, 0, in, -1, out, len);
if(!len)
return NULL;
return str_tprintf(TEXT("MultiByteToWideChar() failed"));
out=str_alloc(((size_t)len+1)*sizeof(WCHAR));
len=MultiByteToWideChar(CP_UTF8, 0, in, -1, out, len);
if(!len) {
str_free(out);
return str_tprintf(TEXT("MultiByteToWideChar() failed"));
}
#else
len=strlen(in);
out=str_alloc(len+1);
strcpy(out, in);
/* FIXME: convert UTF-8 to native codepage */
out=str_dup(in);
#endif
return out;
}

LPSTR tstr2str(const LPTSTR in) {
LPSTR tstr2str(LPCTSTR in) {
LPSTR out;
#ifdef UNICODE
int len;

#ifdef UNICODE
len=WideCharToMultiByte(CP_ACP, 0, in, -1, NULL, 0, NULL, NULL);
len=WideCharToMultiByte(CP_UTF8, 0, in, -1, NULL, 0, NULL, NULL);
if(!len)
return NULL;
out=str_alloc(len+1);
len=WideCharToMultiByte(CP_ACP, 0, in, -1, out, len, NULL, NULL);
if(!len)
return NULL;
return str_printf("WideCharToMultiByte() failed");
out=str_alloc((size_t)len+1);
len=WideCharToMultiByte(CP_UTF8, 0, in, -1, out, len, NULL, NULL);
if(!len) {
str_free(out);
return str_printf("WideCharToMultiByte() failed");
}
#else
len=strlen(in);
out=str_alloc(len+1);
strcpy(out, in);
/* FIXME: convert native codepage to UTF-8 */
out=str_dup(in);
#endif
return out;
}
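Review bot: in str2tstr() and tstr2str() the new failure path returns the message text `"MultiByteToWideChar() failed"` (resp. `"WideCharToMultiByte() failed"`) instead of NULL. A caller such as file_open() above cannot tell that text from a converted string, so a bad input ends up being used as a file name. Return NULL (logging the error first if useful) and let the caller decide. Two smaller points: MultiByteToWideChar(CP_UTF8, 0, ...) with flags 0 silently substitutes malformed UTF-8 sequences, so pass MB_ERR_INVALID_CHARS if such input should be rejected rather than rewritten; and file_permissions() only warns on the world bits (`sb.st_mode & 7`), so a group-readable private key passes without comment, which deserves a comment if it is intentional.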
BIN
src/idle.ico
Normal file
Binary file not shown.
@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@ -42,23 +42,33 @@

#include <tcpd.h>

static int check(char *, int);
#if defined(USE_PTHREAD) && !defined(__CYGWIN__)
/* http://wiki.osdev.org/Cygwin_Issues#Passing_file_descriptors */
#define USE_LIBWRAP_POOL
#endif /* USE_PTHREAD && !__CYGWIN__ */

NOEXPORT int check(char *, int);

int allow_severity=LOG_NOTICE, deny_severity=LOG_WARNING;

#ifdef USE_PTHREAD
#ifdef USE_LIBWRAP_POOL
#define SERVNAME_LEN 256

static ssize_t read_fd(int, void *, size_t, int *);
static ssize_t write_fd(int, void *, size_t, int);
NOEXPORT ssize_t read_fd(int, void *, size_t, int *);
NOEXPORT ssize_t write_fd(int, void *, size_t, int);

int num_processes=0;
unsigned num_processes=0;
static int *ipc_socket, *busy;
#endif /* USE_PTHREAD */
#endif /* USE_LIBWRAP_POOL */

#ifdef __GNUC__
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wunused-result"
#endif /* __GNUC__ */
int libwrap_init() {
#ifdef USE_PTHREAD
int i, j, rfd, result;
#ifdef USE_LIBWRAP_POOL
unsigned i, j;
int rfd, result;
char servname[SERVNAME_LEN];
static int initialized=0;
SERVICE_OPTIONS *opt;
@ -82,10 +92,11 @@ int libwrap_init() {
ioerror("fork");
return 1;
case 0: /* child */
tls_alloc(NULL, ui_tls, "libwrap");
drop_privileges(0); /* libwrap processes are not chrooted */
close(0); /* stdin */
close(1); /* stdout */
if(!global_options.option.foreground) /* for logging in read_fd */
if(!global_options.option.log_stderr) /* for logging in read_fd */
close(2); /* stderr */
for(j=0; j<=i; ++j) /* close parent-side sockets created so far */
close(ipc_socket[2*j]);
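Review bot: the helper child closes descriptors 0 and 1 (and 2 unless log_stderr is set) but never reopens them on /dev/null. The next descriptor the child receives, which is the client socket passed in through read_fd(), can therefore land on fd 0, 1 or 2, and anything in the process that still writes to stdout or stderr (libwrap itself, or a libc diagnostic) would write into the client connection. Redirect the three standard descriptors to /dev/null instead of closing them. The drop_privileges(0) call and the comment that libwrap helpers are not chrooted are welcome.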
@ -93,7 +104,7 @@ int libwrap_init() {
if(read_fd(ipc_socket[2*i+1], servname, SERVNAME_LEN, &rfd)<=0)
_exit(0);
result=check(servname, rfd);
write(ipc_socket[2*i+1], (u8 *)&result, sizeof result);
write(ipc_socket[2*i+1], (uint8_t *)&result, sizeof result);
if(rfd>=0)
close(rfd);
}
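Review bot: the return value of `write(ipc_socket[2*i+1], (uint8_t *)&result, sizeof result)` is still discarded; the -Wunused-result pragma above only hides the warning. If the write fails or is short, the parent side in libwrap_auth() waits for a result that never arrives (its `result` stays at the deny-by-default value). Treating any return other than `sizeof result` as fatal for the helper, with `_exit(1)`, releases the parent and makes the failure visible instead of a stalled connection.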
@ -102,18 +113,22 @@ int libwrap_init() {
}
}
initialized=1;
#endif /* USE_PTHREAD */
#endif /* USE_LIBWRAP_POOL */
return 0;
}
#ifdef __GNUC__
#pragma GCC diagnostic pop
#endif /* __GNUC__ */

void libwrap_auth(CLI *c, char *accepted_address) {
int result=0; /* deny by default */
#ifdef USE_PTHREAD
static volatile int num_busy=0, roundrobin=0;
int retval, my_process;
#ifdef USE_LIBWRAP_POOL
static volatile unsigned num_busy=0, roundrobin=0;
unsigned my_process;
int retval;
static pthread_mutex_t mutex=PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t cond=PTHREAD_COND_INITIALIZER;
#endif /* USE_PTHREAD */
#endif /* USE_LIBWRAP_POOL */

if(!c->opt->option.libwrap) /* libwrap is disabled for this service */
return; /* allow connection */
@ -123,7 +138,7 @@ void libwrap_auth(CLI *c, char *accepted_address) {
return;
}
#endif
#ifdef USE_PTHREAD
#ifdef USE_LIBWRAP_POOL
if(num_processes) {
s_log(LOG_DEBUG, "Waiting for a libwrap process");

@ -156,8 +171,8 @@ void libwrap_auth(CLI *c, char *accepted_address) {
s_log(LOG_DEBUG, "Acquired libwrap process #%d", my_process);
write_fd(ipc_socket[2*my_process], c->opt->servname,
strlen(c->opt->servname)+1, c->local_rfd.fd);
read_blocking(c, ipc_socket[2*my_process],
(u8 *)&result, sizeof result);
s_read(c, ipc_socket[2*my_process],
(uint8_t *)&result, sizeof result);
s_log(LOG_DEBUG, "Releasing libwrap process #%d", my_process);

retval=pthread_mutex_lock(&mutex);
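Review bot: write_fd()'s return value is ignored here as well, so a failed or short send of the service name and client descriptor leaves s_read() waiting for a reply the helper will never produce; check for a negative or short result before calling s_read() and log it. `result` keeps its deny-by-default value in that case, which is the safe outcome. Cosmetic: `my_process` is now `unsigned` (declared in the hunk above) but is still printed with `%d` in the two debug messages.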
@ -183,11 +198,11 @@ void libwrap_auth(CLI *c, char *accepted_address) {

s_log(LOG_DEBUG, "Released libwrap process #%d", my_process);
} else
#endif /* USE_PTHREAD */
#endif /* USE_LIBWRAP_POOL */
{ /* use original, synchronous libwrap calls */
enter_critical_section(CRIT_LIBWRAP);
stunnel_write_lock(&stunnel_locks[LOCK_LIBWRAP]);
result=check(c->opt->servname, c->local_rfd.fd);
leave_critical_section(CRIT_LIBWRAP);
stunnel_write_unlock(&stunnel_locks[LOCK_LIBWRAP]);
}
if(!result) {
s_log(LOG_WARNING, "Service [%s] REFUSED by libwrap from %s",
@ -199,7 +214,7 @@ void libwrap_auth(CLI *c, char *accepted_address) {
c->opt->servname, accepted_address);
}

static int check(char *name, int fd) {
NOEXPORT int check(char *name, int fd) {
struct request_info request;

request_init(&request, RQ_DAEMON, name, RQ_FILE, fd, 0);
@ -207,9 +222,9 @@ static int check(char *name, int fd) {
return hosts_access(&request);
}

#ifdef USE_PTHREAD
#ifdef USE_LIBWRAP_POOL

static ssize_t read_fd(int fd, void *ptr, size_t nbytes, int *recvfd) {
NOEXPORT ssize_t read_fd(SOCKET fd, void *ptr, size_t nbytes, SOCKET *recvfd) {
struct msghdr msg;
struct iovec iov[1];
ssize_t n;
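Review bot: the definition of read_fd() now takes `SOCKET fd` and `SOCKET *recvfd`, but the prototype near the top of the file still declares it as `(int, void *, size_t, int *)`, the caller in libwrap_init() passes `&rfd` with `int rfd`, and write_fd() below keeps `int`. This compiles only because SOCKET is int on the platforms where USE_LIBWRAP_POOL is defined; a declaration/definition mismatch is a constraint violation in C and breaks as soon as SOCKET is typedef'd differently. Make the prototype, the callers' variables and write_fd() agree with the definition (int throughout is simplest, since this code is Unix-only).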
@ -238,7 +253,7 @@ static ssize_t read_fd(int fd, void *ptr, size_t nbytes, int *recvfd) {
msg.msg_iov=iov;
msg.msg_iovlen=1;

*recvfd=-1; /* descriptor was not passed */
*recvfd=INVALID_SOCKET; /* descriptor was not passed */
n=recvmsg(fd, &msg, 0);
if(n<=0)
return n;
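Review bot: `*recvfd=INVALID_SOCKET` is paired with `if(rfd>=0) close(rfd)` in libwrap_init(); that pairing is correct only while INVALID_SOCKET equals -1. Either test against INVALID_SOCKET at the call site as well or keep `-1` here, so the sentinel is used consistently on both sides.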
@ -264,7 +279,7 @@ static ssize_t read_fd(int fd, void *ptr, size_t nbytes, int *recvfd) {
return n;
}

static ssize_t write_fd(int fd, void *ptr, size_t nbytes, int sendfd) {
NOEXPORT ssize_t write_fd(int fd, void *ptr, size_t nbytes, int sendfd) {
struct msghdr msg;
struct iovec iov[1];

@ -299,7 +314,7 @@ static ssize_t write_fd(int fd, void *ptr, size_t nbytes, int sendfd) {
return sendmsg(fd, &msg, 0);
}

#endif /* USE_PTHREAD */
#endif /* USE_LIBWRAP_POOL */

#endif /* USE_LIBWRAP */

235
src/log.c
@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@ -38,15 +38,18 @@
#include "common.h"
#include "prototypes.h"

static void log_raw(const int, const char *, const char *, const char *);
NOEXPORT void log_raw(const SERVICE_OPTIONS *, const int,
const char *, const char *, const char *);
NOEXPORT void safestring(char *);

static DISK_FILE *outfile=NULL;
static struct LIST { /* single-linked list of log lines */
struct LIST *next;
SERVICE_OPTIONS *opt;
int level;
char *stamp, *id, *text;
} *head=NULL, *tail=NULL;
static LOG_MODE mode=LOG_MODE_NONE;
static LOG_MODE log_mode=LOG_MODE_BUFFER;

#if !defined(USE_WIN32) && !defined(__vms)

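Review bot: each buffered line now stores a raw `SERVICE_OPTIONS *opt`, which log_flush() later dereferences through log_raw(). Nothing in this hunk states the lifetime of that pointer: if a service's options can be freed (for instance on a configuration reload) while lines are still queued in LOG_MODE_BUFFER, the flush reads freed memory. Add a comment pinning down who guarantees the pointer stays valid until the buffer is flushed, or copy the one field log_raw() needs (`log_level`) into the list entry instead of the pointer.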
@ -54,18 +57,19 @@ static int syslog_opened=0;

void syslog_open(void) {
syslog_close();
if(global_options.option.syslog)
if(global_options.option.log_syslog)
#ifdef __ultrix__
openlog("stunnel", 0);
openlog(service_options.servname, 0);
#else
openlog("stunnel", LOG_CONS|LOG_NDELAY, global_options.facility);
openlog(service_options.servname,
LOG_CONS|LOG_NDELAY, global_options.log_facility);
#endif /* __ultrix__ */
syslog_opened=1;
}

void syslog_close(void) {
if(syslog_opened) {
if(global_options.option.syslog)
if(global_options.option.log_syslog)
closelog();
syslog_opened=0;
}
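Review bot: openlog() is now called with `service_options.servname` instead of the string literal "stunnel". glibc's openlog() does not copy the ident string; it keeps the pointer and uses it on every syslog() call until the next openlog() or closelog(). The buffer behind servname must therefore outlive the syslog session, which is not obvious if service_options can be reloaded. A comment stating that requirement, or passing a stable copy, prevents a use-after-free that would only show up as garbage in syslog.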
@ -75,11 +79,25 @@ void syslog_close(void) {

int log_open(void) {
if(global_options.output_file) { /* 'output' option specified */
outfile=file_open(global_options.output_file, 1);
outfile=file_open(global_options.output_file,
global_options.log_file_mode);
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
if(!outfile) {
char appdata[MAX_PATH], *path;
if(SHGetFolderPathA(NULL, CSIDL_LOCAL_APPDATA|CSIDL_FLAG_CREATE,
NULL, 0, appdata)==S_OK) {
path=str_printf("%s\\%s", appdata, global_options.output_file);
outfile=file_open(path, global_options.log_file_mode);
if(outfile)
s_log(LOG_NOTICE, "Logging to %s", path);
str_free(path);
}
}
#endif
if(!outfile) {
s_log(LOG_ERR, "Cannot open log file: %s",
global_options.output_file);
return 1;
return 1;
}
}
log_flush(LOG_MODE_CONFIGURED);
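Review bot: the Win32 fallback builds `"%s\\%s"` from the local AppData folder and `global_options.output_file` unconditionally, so a configured absolute path that cannot be opened (for example one under Program Files the service account cannot write to) is retried as AppData joined with that whole path, and logging quietly moves to a location the administrator did not configure. Limit the fallback to relative file names, and since the NOTICE about the new location is only emitted once the fallback file is open, have it also say that the configured path could not be opened, so the relocation is visible in the log itself.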
@ -87,24 +105,28 @@ int log_open(void) {
}

void log_close(void) {
mode=LOG_MODE_NONE;
/* prevent changing the mode while logging */
stunnel_write_lock(&stunnel_locks[LOCK_LOG_MODE]);
log_mode=LOG_MODE_BUFFER;
if(outfile) {
file_close(outfile);
outfile=NULL;
}
stunnel_write_unlock(&stunnel_locks[LOCK_LOG_MODE]);
}

void log_flush(LOG_MODE new_mode) {
struct LIST *tmp;

stunnel_write_lock(&stunnel_locks[LOCK_LOG_MODE]);
/* prevent changing LOG_MODE_CONFIGURED to LOG_MODE_ERROR
* once stderr file descriptor is closed */
if(mode!=LOG_MODE_CONFIGURED)
mode=new_mode;

enter_critical_section(CRIT_LOG);
if(log_mode!=LOG_MODE_CONFIGURED)
log_mode=new_mode;
/* log_raw() will use the new value of log_mode */
stunnel_write_lock(&stunnel_locks[LOCK_LOG_BUFFER]);
while(head) {
log_raw(head->level, head->stamp, head->id, head->text);
log_raw(head->opt, head->level, head->stamp, head->id, head->text);
str_free(head->stamp);
str_free(head->id);
str_free(head->text);
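Review bot: log_flush() now takes LOCK_LOG_MODE (write) and then LOCK_LOG_BUFFER (write), s_log() in the following hunks takes LOCK_LOG_MODE (read) and then LOCK_LOG_BUFFER (write), and log_close() takes only LOCK_LOG_MODE; the identical order in every path is what keeps this deadlock-free, and that ordering rule should be written down next to the lock declarations so it survives the next change. Note also that log_raw() runs with both locks held, so the file and syslog I/O it performs serialises every logging thread behind a flush in progress.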
@ -112,28 +134,43 @@ void log_flush(LOG_MODE new_mode) {
head=head->next;
str_free(tmp);
}
leave_critical_section(CRIT_LOG);
head=tail=NULL;
stunnel_write_unlock(&stunnel_locks[LOCK_LOG_BUFFER]);
stunnel_write_unlock(&stunnel_locks[LOCK_LOG_MODE]);
}

void s_log(int level, const char *format, ...) {
va_list ap;
char *text, *stamp, *id;
struct LIST *tmp;
int libc_error, socket_error;
#ifdef USE_WIN32
DWORD libc_error;
#else
int libc_error;
#endif
int socket_error;
time_t gmt;
struct tm *timeptr;
#if defined(HAVE_LOCALTIME_R) && defined(_REENTRANT)
struct tm timestruct;
#endif
TLS_DATA *tls_data;

tls_data=tls_get();
if(!tls_data) {
tls_data=tls_alloc(NULL, NULL, "log");
s_log(LOG_ERR, "INTERNAL ERROR: Uninitialized TLS at %s, line %d",
__FILE__, __LINE__);
}

/* performance optimization: skip the trivial case early */
if(mode==LOG_MODE_CONFIGURED && level>global_options.debug_level)
if(log_mode==LOG_MODE_CONFIGURED && level>tls_data->opt->log_level)
return;

libc_error=get_last_error();
socket_error=get_last_socket_error();

/* format the id to be logged */
time(&gmt);
#if defined(HAVE_LOCALTIME_R) && defined(_REENTRANT)
timeptr=localtime_r(&gmt, ×truct);
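Review bot: the early-return check `if(log_mode==LOG_MODE_CONFIGURED && level>tls_data->opt->log_level)` reads `log_mode` before stunnel_read_lock(&stunnel_locks[LOCK_LOG_MODE]) is taken in the next hunk, so it is a racy read against the writers in log_flush() and log_close(). The consequence is only a message dropped or buffered on the wrong side of a mode change, but a one-line comment that this unlocked read is intentional stops it from being "fixed" into a deadlock later. Also worth confirming that tls_alloc(NULL, NULL, "log") on the uninitialised-TLS path yields a non-NULL `opt`, since `tls_data->opt->log_level` is dereferenced right after it.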
@ -143,17 +180,20 @@ void s_log(int level, const char *format, ...) {
stamp=str_printf("%04d.%02d.%02d %02d:%02d:%02d",
timeptr->tm_year+1900, timeptr->tm_mon+1, timeptr->tm_mday,
timeptr->tm_hour, timeptr->tm_min, timeptr->tm_sec);
id=str_printf("LOG%d[%lu:%lu]",
level, stunnel_process_id(), stunnel_thread_id());
id=str_printf("LOG%d[%s]", level, tls_data->id);

/* format the text to be logged */
va_start(ap, format);
text=str_vprintf(format, ap);
va_end(ap);
safestring(text);

if(mode==LOG_MODE_NONE) { /* save the text to log it later */
enter_critical_section(CRIT_LOG);
tmp=str_alloc(sizeof(struct LIST));
str_detach(tmp);
stunnel_read_lock(&stunnel_locks[LOCK_LOG_MODE]);
if(log_mode==LOG_MODE_BUFFER) { /* save the text to log it later */
stunnel_write_lock(&stunnel_locks[LOCK_LOG_BUFFER]);
tmp=str_alloc_detached(sizeof(struct LIST));
tmp->next=NULL;
tmp->opt=tls_data->opt;
tmp->level=level;
tmp->stamp=stamp;
str_detach(tmp->stamp);
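Review bot: safestring(text) on the formatted message is a good addition: log text can carry peer-supplied bytes (SNI names, certificate subjects, protocol negotiation data), and scrubbing control characters before the line reaches syslog, a file or a terminal blocks escape-sequence and line-injection tricks against whoever reads the logs. Two follow-ups: `id` from tls_data->id is not passed through it, which is fine for the fixed-alphabet ids log_id() generates but should be stated in a comment; and safestring()'s definition is not part of this diff, so please check that its treatment of bytes above 0x7f is consistent with the UTF-8 conversion used on Windows.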
@ -166,94 +206,164 @@ void s_log(int level, const char *format, ...) {
else
head=tmp;
tail=tmp;
leave_critical_section(CRIT_LOG);
stunnel_write_unlock(&stunnel_locks[LOCK_LOG_BUFFER]);
} else { /* ready log the text directly */
log_raw(level, stamp, id, text);
log_raw(tls_data->opt, level, stamp, id, text);
str_free(stamp);
str_free(id);
str_free(text);
}
stunnel_read_unlock(&stunnel_locks[LOCK_LOG_MODE]);

set_last_error(libc_error);
set_last_socket_error(socket_error);
}

static void log_raw(const int level, const char *stamp,
NOEXPORT void log_raw(const SERVICE_OPTIONS *opt,
const int level, const char *stamp,
const char *id, const char *text) {
char *line;

/* build the line and log it to syslog/file */
if(mode==LOG_MODE_CONFIGURED) { /* configured */
if(log_mode==LOG_MODE_CONFIGURED) { /* configured */
line=str_printf("%s %s: %s", stamp, id, text);
if(level<=global_options.debug_level) {
if(level<=opt->log_level) {
#if !defined(USE_WIN32) && !defined(__vms)
if(global_options.option.syslog)
if(global_options.option.log_syslog)
syslog(level, "%s: %s", id, text);
#endif /* USE_WIN32, __vms */
if(outfile)
file_putline(outfile, line); /* send log to file */
}
} else /* LOG_MODE_ERROR or LOG_MODE_INFO */
} else if(log_mode==LOG_MODE_ERROR) {
if(level>=0 && level<=7) /* just in case */
line=str_printf("[%c] %s", "***!:. "[level], text);
else
line=str_printf("[?] %s", text);
} else /* LOG_MODE_INFO */
line=str_dup(text); /* don't log the time stamp in error mode */

/* log the line to GUI/stderr */
#ifdef USE_WIN32
if(mode==LOG_MODE_ERROR || /* always log to the GUI window */
(mode==LOG_MODE_INFO && level<LOG_DEBUG) ||
level<=global_options.debug_level)
win_new_log(line);
#else /* Unix */
if(mode==LOG_MODE_ERROR || /* always log LOG_MODE_ERROR to stderr */
(mode==LOG_MODE_INFO && level<LOG_DEBUG) ||
(level<=global_options.debug_level &&
global_options.option.foreground))
fprintf(stderr, "%s\n", line); /* send log to stderr */
/* log the line to the UI (GUI, stderr, etc.) */
if(log_mode==LOG_MODE_ERROR ||
(log_mode==LOG_MODE_INFO && level<LOG_DEBUG) ||
#if defined(USE_WIN32) || defined(USE_JNI)
level<=opt->log_level
#else
(level<=opt->log_level &&
global_options.option.log_stderr)
#endif
)
ui_new_log(line);

str_free(line);
}

/* critical problem - str.c functions are not safe to use */
void fatal_debug(char *error, char *file, int line) {
char text[80];
#ifdef __GNUC__
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat"
#pragma GCC diagnostic ignored "-Wformat-extra-args"
#endif /* __GNUC__ */
char *log_id(CLI *c) {
const char table[62]=
"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
unsigned char rnd[22];
char *uniq;
size_t i;
unsigned long tid;

switch(c->opt->log_id) {
case LOG_ID_SEQUENTIAL:
return str_printf("%llu", c->seq);
case LOG_ID_UNIQUE:
if(RAND_bytes(rnd, sizeof rnd)<=0) /* log2(62^22)=130.99 */
return str_dup("error");
for(i=0; i<sizeof rnd; ++i) {
rnd[i]&=63;
while(rnd[i]>=62) {
if(RAND_bytes(rnd+i, 1)<=0)
return str_dup("error");
rnd[i]&=63;
}
}
uniq=str_alloc(sizeof rnd+1);
for(i=0; i<sizeof rnd; ++i)
uniq[i]=table[rnd[i]];
uniq[sizeof rnd]='\0';
return uniq;
case LOG_ID_THREAD:
tid=stunnel_thread_id();
if(!tid) /* currently USE_FORK */
tid=stunnel_process_id();
return str_printf("%lu", tid);
case LOG_ID_PROCESS:
return str_printf("%lu", stunnel_process_id());
}
return str_dup("error");
}
#ifdef __GNUC__
#pragma GCC diagnostic pop
#endif /* __GNUC__ */

/* critical problem handling */
/* str.c functions are not safe to use here */
#ifdef __GNUC__
#pragma GCC diagnostic push
|
||||
#pragma GCC diagnostic ignored "-Wunused-result"
|
||||
#endif /* __GNUC__ */
|
||||
void fatal_debug(char *txt, const char *file, int line) {
|
||||
char msg[80];
|
||||
#ifdef USE_WIN32
|
||||
DWORD num;
|
||||
#ifdef UNICODE
|
||||
TCHAR tmsg[80];
|
||||
#endif
|
||||
#endif /* USE_WIN32 */
|
||||
|
||||
snprintf(text, sizeof text, /* with newline */
|
||||
"INTERNAL ERROR: %s at %s, line %d\n", error, file, line);
|
||||
snprintf(msg, sizeof msg, /* with newline */
|
||||
"INTERNAL ERROR: %s at %s, line %d\n", txt, file, line);
|
||||
|
||||
if(outfile) {
|
||||
#ifdef USE_WIN32
|
||||
WriteFile(outfile->fh, text, strlen(text), &num, NULL);
|
||||
WriteFile(outfile->fh, msg, (DWORD)strlen(msg), &num, NULL);
|
||||
#else /* USE_WIN32 */
|
||||
/* no file -> write to stderr */
|
||||
write(outfile ? outfile->fd : 2, text, strlen(text));
|
||||
/* no meaningful way here to handle the result */
|
||||
write(outfile ? outfile->fd : 2, msg, strlen(msg));
|
||||
#endif /* USE_WIN32 */
|
||||
}
|
||||
|
||||
#ifndef USE_WIN32
|
||||
if(mode!=LOG_MODE_CONFIGURED || global_options.option.foreground)
|
||||
fputs(text, stderr);
|
||||
if(log_mode!=LOG_MODE_CONFIGURED || global_options.option.log_stderr) {
|
||||
fputs(msg, stderr);
|
||||
fflush(stderr);
|
||||
}
|
||||
#endif /* !USE_WIN32 */
|
||||
|
||||
snprintf(text, sizeof text, /* without newline */
|
||||
"INTERNAL ERROR: %s at %s, line %d", error, file, line);
|
||||
snprintf(msg, sizeof msg, /* without newline */
|
||||
"INTERNAL ERROR: %s at %s, line %d", txt, file, line);
|
||||
|
||||
#if !defined(USE_WIN32) && !defined(__vms)
|
||||
if(global_options.option.syslog)
|
||||
syslog(LOG_CRIT, "%s", text);
|
||||
if(global_options.option.log_syslog)
|
||||
syslog(LOG_CRIT, "%s", msg);
|
||||
#endif /* USE_WIN32, __vms */
|
||||
|
||||
#ifdef USE_WIN32
|
||||
message_box(text, MB_ICONERROR);
|
||||
#ifdef UNICODE
|
||||
if(MultiByteToWideChar(CP_UTF8, 0, msg, -1, tmsg, 80))
|
||||
message_box(tmsg, MB_ICONERROR);
|
||||
#else
|
||||
message_box(msg, MB_ICONERROR);
|
||||
#endif
|
||||
#endif /* USE_WIN32 */
|
||||
|
||||
abort();
|
||||
}
|
||||
#ifdef __GNUC__
|
||||
#pragma GCC diagnostic pop
|
||||
#endif /* __GNUC__ */
|
||||
|
||||
void ioerror(const char *txt) { /* input/output error */
|
||||
log_error(LOG_ERR, get_last_error(), txt);
|
||||
log_error(LOG_ERR, (int)get_last_error(), txt);
|
||||
}
|
||||
|
||||
void sockerror(const char *txt) { /* socket error */
|
||||
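Review bot: in fatal_debug the non-Windows branch `write(outfile ? outfile->fd : 2, msg, strlen(msg));` sits inside `if(outfile) {`, so the `: 2` fallback is dead code and the old "no file -> write to stderr" intent is never honoured; either drop the ternary and write to `outfile->fd`, or move the write out of the `if` so the stderr fallback actually runs (the later `fputs(msg, stderr)` is conditional on log_mode/log_stderr and does not cover it). Also, the new `log_raw(const SERVICE_OPTIONS *opt, ...)` dereferences `opt->log_level` on both the file path and the UI path with no NULL check; if any caller can reach it before a service is bound, guard it or state the non-NULL precondition in a comment above the function.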
@ -377,4 +487,11 @@ char *s_strerror(int errnum) {
|
||||
}
|
||||
}
|
||||
|
||||
/* replace non-UTF-8 and non-printable control characters with '.' */
|
||||
NOEXPORT void safestring(char *c) {
|
||||
for(; *c; ++c)
|
||||
if(!(*c&0x80 || isprint((int)*c)))
|
||||
*c='.';
|
||||
}
|
||||
|
||||
/* end of log.c */
|
||||
|
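Review bot: the comment on safestring promises to replace "non-UTF-8" characters, but the `*c&0x80` test passes every high-bit byte through unchanged, so malformed or overlong sequences reach the log file untouched; either validate UTF-8 sequences properly or narrow the comment to "non-ASCII bytes are passed through". `isprint()` is also locale dependent, so which control characters get masked varies with the process locale; for log sanitisation a fixed test such as `(unsigned char)*c<0x20 || *c==0x7f` is more predictable.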
@ -1,8 +1,8 @@
|
||||
@echo off
|
||||
:: pdelaage commented : make.exe -f mingw.mak %1 %2 %3 %4 %5 %6 %7 %8 %9
|
||||
:: on Windows, make is Borland make, but mingw.mak is NOW only compatible
|
||||
:: with gnu make (due to various improvments I made, for compatibility between
|
||||
:: linux and Windows host environments.
|
||||
:: with gnu make (due to various improvements I made, for compatibility between
|
||||
:: linux and Windows host environments).
|
||||
:: and echo OFF is the sign we are HERE on Windows, isn't it?...
|
||||
|
||||
mingw32-make.exe -f mingw.mak %1 %2 %3 %4 %5 %6 %7 %8 %9
|
||||
|
@ -1,18 +1,30 @@
|
||||
@echo off
|
||||
TITLE W32 STUNNEL
|
||||
::pdelaage 20101026: for use with MS VCexpress 2008 (v9)
|
||||
::some trick to avoid re-pollution of env vars as much as possible
|
||||
|
||||
:: In multitarget compilation environment, it is better to open a new cmd.exe window
|
||||
:: to avoid pollution of PATH from, eg, some previous WCE compilation attempts.
|
||||
:: In a multi-target compilation environment, it is better to open
|
||||
:: a new cmd.exe window in order to avoid PATH pollution
|
||||
:: (for example with some previous WCE compilation attempts)
|
||||
|
||||
set NEWTGTCPU=W32
|
||||
|
||||
rem Adjust MS VC env vars
|
||||
rem Adjust the MS VC environment variables
|
||||
rem ---------------------
|
||||
|
||||
rem Check MSenv vars against our ref values
|
||||
rem Detect the latest Visual Studio
|
||||
rem Visual Studio 2008
|
||||
if DEFINED VS90COMNTOOLS if exist "%VS90COMNTOOLS%..\..\vc\vcvarsall.bat" set vsTools=%VS90COMNTOOLS%
|
||||
rem Visual Studio 2010
|
||||
if DEFINED VS100COMNTOOLS if exist "%VS100COMNTOOLS%..\..\vc\vcvarsall.bat" set vsTools=%VS100COMNTOOLS%
|
||||
rem Visual Studio 2012
|
||||
if DEFINED VS110COMNTOOLS if exist "%VS110COMNTOOLS%..\..\vc\vcvarsall.bat" set vsTools=%VS110COMNTOOLS%
|
||||
rem Visual Studio 2013
|
||||
if DEFINED VS120COMNTOOLS if exist "%VS120COMNTOOLS%..\..\vc\vcvarsall.bat" set vsTools=%VS120COMNTOOLS%
|
||||
rem Visual Studio 2015
|
||||
if DEFINED VS140COMNTOOLS if exist "%VS140COMNTOOLS%..\..\vc\vcvarsall.bat" set vsTools=%VS140COMNTOOLS%
|
||||
|
||||
::rem Initialize the Visual Studio tools
|
||||
::call "%vsTools%..\..\vc\vcvarsall.bat"
|
||||
|
||||
rem Check the MSenv variables against our reference values
|
||||
set isenvok=0
|
||||
if NOT DEFINED TARGETCPU set TARGETCPU=XXXXX
|
||||
if "%NEWTGTCPU%"=="%TARGETCPU%" set /A "isenvok+=1"
|
||||
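Review bot: none of the `if DEFINED VS..COMNTOOLS` lines is followed by a check that `vsTools` actually ended up defined, so on a machine without any of the listed Visual Studio versions the later `call "%vsTools%..\..\vc\bin\vcvars32.bat"` expands to a bare relative path and fails with an unhelpful error; add `if NOT DEFINED vsTools (echo Visual Studio not found & exit /b 1)` right after the detection block. Since each later version overwrites `vsTools`, it would also help to echo which one was selected.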
@ -20,26 +32,26 @@ if "%NEWTGTCPU%"=="%TARGETCPU%" set /A "isenvok+=1"
|
||||
if %isenvok%==1 echo W32 ENVIRONMENT OK
|
||||
if %isenvok%==1 goto envisok
|
||||
|
||||
:: useless since separated tgt folders
|
||||
:: Useless with separated target folders
|
||||
::echo W32 TARGET CPU changed, destroying every obj files
|
||||
::del .\*.obj
|
||||
|
||||
:: if env is NOT ok, adjust MS VC env vars to be used by MS VC
|
||||
:: if env is NOT ok, adjust the MS VC environment variables
|
||||
:: (this is to avoid repetitive pollution of PATH)
|
||||
|
||||
echo W32 ENVIRONMENT ADJUSTED
|
||||
|
||||
:: reset of INCLUDE needed because of accumulation of includes in vcvars32
|
||||
:: Reset of INCLUDE is needed because of accumulation of includes in vcvars32
|
||||
|
||||
set INCLUDE=
|
||||
|
||||
call "C:\Program Files\Microsoft Visual Studio 9.0\VC\bin\vcvars32.bat"
|
||||
call "%vsTools%..\..\vc\bin\vcvars32.bat"
|
||||
|
||||
set TARGETCPU=%NEWTGTCPU%
|
||||
|
||||
:envisok
|
||||
|
||||
rem make everything
|
||||
rem Make everything
|
||||
rem ---------------
|
||||
|
||||
nmake.exe -f vc.mak %1 %2 %3 %4 %5 %6 %7 %8 %9
|
||||
|
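Review bot: the detection block above tests for `%VS..COMNTOOLS%..\..\vc\vcvarsall.bat`, but this hunk calls `"%vsTools%..\..\vc\bin\vcvars32.bat"`, so the existence check does not cover the file that is actually executed; either call `"%vsTools%..\..\vc\vcvarsall.bat" x86` (the file that was tested) or test for `vc\bin\vcvars32.bat` in the detection loop so a partial installation fails at detection time rather than at the call.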
@ -1,4 +1,4 @@
|
||||
# Simple Makefile.w32 for stunnel.exe by Michal Trojnara 1998-2007
|
||||
# Simple Makefile.w32 for stunnel.exe by Michal Trojnara 1998-2017
|
||||
#
|
||||
# Modified by Brian Hatch (bri@stunnel.org)
|
||||
# 20101030 pdelaage:
|
||||
@ -22,8 +22,21 @@
|
||||
|
||||
# Modify this to point to your actual openssl compile directory
|
||||
# (You did already compile openssl, didn't you???)
|
||||
SSLDIR=../openssl-1.0.0f
|
||||
#SSLDIR=C:/Users/standard/Documents/Dvts/Contrib/openssl/v1.0.0c/patched3
|
||||
#SSLDIR=../../openssl-0.9.8zh
|
||||
#SSLDIR=../../openssl-1.0.0t
|
||||
SSLDIR=../../openssl-1.0.1q
|
||||
|
||||
# For 0.9.8 mingw compiled openssl
|
||||
#SSLINC=$(SSLDIR)/outinc
|
||||
#SSLLIBS=-L$(SSLDIR)/out -leay32 -lssl32
|
||||
|
||||
# for 1.0.0/1.0.1 mingw (msys2) compiled
|
||||
SSLINC=$(SSLDIR)/include
|
||||
SSLLIBS=-L$(SSLDIR) -lcrypto.dll -lssl.dll
|
||||
|
||||
# For MSVC compiled openssl
|
||||
#SSLINC=$(SSLDIR)/inc32
|
||||
#SSLLIBS=-L$(SSLDIR)/out32dll -lssleay32 -llibeay32
|
||||
|
||||
# c:\, backslash is not correctly recognized by mingw32-make, produces some
|
||||
# "missing separator" issue.
|
||||
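Review bot: `SSLDIR=../../openssl-1.0.1q` hard-codes a single OpenSSL tree with the alternatives left as commented-out lines; use `SSLDIR?=../../openssl-1.0.1q` so the environment can point the build at a currently maintained OpenSSL without editing the makefile, and treat `SSLINC`/`SSLLIBS` the same way. With the 0.9.8 and MSVC variants also present as comments, a one-line note on which layout `-lcrypto.dll -lssl.dll` expects (import libraries directly in `$(SSLDIR)`) would save the next person a failed link.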
@ -34,17 +47,19 @@ SSLDIR=../openssl-1.0.0f
|
||||
# $(info is !MESSAGE in MS nmake or Borland make.
|
||||
|
||||
ifdef windir
|
||||
$(info host machine is a Windows machine )
|
||||
$(info host machine is a Windows machine )
|
||||
NULLDEV=NUL
|
||||
MKDIR="C:\Program Files\GnuWin32\bin\mkdir.exe"
|
||||
DELFILES="C:\Program Files\GnuWin32\bin\rm.exe" -f
|
||||
DELDIR="C:\Program Files\GnuWin32\bin\rm.exe" -rf
|
||||
COPYFILES="C:\Program Files\GnuWin32\bin\cp.exe" -f
|
||||
else
|
||||
$(info host machine is a linux machine )
|
||||
$(info host machine is a linux machine )
|
||||
NULLDEV=/dev/null
|
||||
MKDIR=mkdir
|
||||
DELFILES=rm -f
|
||||
DELDIR=rm -rf
|
||||
COPYFILES=cp -f
|
||||
endif
|
||||
|
||||
TARGETCPU=MGW32
|
||||
@ -57,7 +72,14 @@ BIN=$(BINROOT)/$(TARGETCPU)
|
||||
OBJS=$(OBJ)/stunnel.o $(OBJ)/ssl.o $(OBJ)/ctx.o $(OBJ)/verify.o \
|
||||
$(OBJ)/file.o $(OBJ)/client.o $(OBJ)/protocol.o $(OBJ)/sthreads.o \
|
||||
$(OBJ)/log.o $(OBJ)/options.o $(OBJ)/network.o $(OBJ)/resolver.o \
|
||||
$(OBJ)/gui.o $(OBJ)/resources.o $(OBJ)/str.o $(OBJ)/fd.o
|
||||
$(OBJ)/ui_win_gui.o $(OBJ)/resources.o $(OBJ)/str.o $(OBJ)/tls.o \
|
||||
$(OBJ)/fd.o $(OBJ)/dhparam.o $(OBJ)/cron.o
|
||||
|
||||
TOBJS=$(OBJ)/stunnel.o $(OBJ)/ssl.o $(OBJ)/ctx.o $(OBJ)/verify.o \
|
||||
$(OBJ)/file.o $(OBJ)/client.o $(OBJ)/protocol.o $(OBJ)/sthreads.o \
|
||||
$(OBJ)/log.o $(OBJ)/options.o $(OBJ)/network.o $(OBJ)/resolver.o \
|
||||
$(OBJ)/ui_win_cli.o $(OBJ)/str.o $(OBJ)/tls.o \
|
||||
$(OBJ)/fd.o $(OBJ)/dhparam.o $(OBJ)/cron.o
|
||||
|
||||
CC=gcc
|
||||
RC=windres
|
||||
@ -70,9 +92,7 @@ DEFINES=-D_WIN32_WINNT=0x0501
|
||||
|
||||
# some preprocessing debug : $(info DEFINES is $(DEFINES) )
|
||||
|
||||
#CFLAGS=-g -O2 -Wall $(DEFINES) -I$(SSLDIR)/outinc
|
||||
#pdelaage : outinc not correct, it is inc32!
|
||||
CFLAGS=-g -O2 -Wall $(DEFINES) -I$(SSLDIR)/inc32
|
||||
CFLAGS=-g -O2 -Wall $(DEFINES) -I$(SSLINC)
|
||||
|
||||
# RFLAGS, note of pdelaage: windres accepts -fo for compatibility with ms tools
|
||||
# default options : -J rc -O coff, input rc file, output coff file.
|
||||
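Review bot: `CFLAGS=-g -O2 -Wall $(DEFINES) -I$(SSLINC)` builds the Windows binary without the hardening flags that the new mingw.mk in this same commit enables (`-fstack-protector`, `-D_FORTIFY_SOURCE=2`, `-Wformat=2`, `-Wconversion`); unless mingw.mak is being retired, add the same flags here so both Windows build paths produce comparably hardened binaries.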
@ -82,10 +102,8 @@ RFLAGS=-v --use-temp-file $(DEFINES)
|
||||
RFLAGS2=-v $(DEFINES)
|
||||
LDFLAGS=-s
|
||||
|
||||
# LIBS=-L$(SSLDIR)/out -lssl -lcrypto -lwsock32 -lgdi32 -lcrypt32
|
||||
#20101030 pdelaage fix winsock2 and BAD sslpath ! LIBS=-L$(SSLDIR)/out -lzdll -leay32 -lssl32 -lwsock32 -lgdi32 -lcrypt32
|
||||
# added libeay instead of eay, ssleay instead of ssl32, suppressed zdll useless.
|
||||
LIBS=-L$(SSLDIR)/out32dll -lssleay32 -llibeay32 -lws2_32 -lpsapi -lgdi32 -lcrypt32
|
||||
LIBS=$(SSLLIBS) -lws2_32 -lpsapi -lgdi32 -lcrypt32 -lkernel32
|
||||
TLIBS=$(SSLLIBS) -lws2_32 -lpsapi -lcrypt32 -lkernel32
|
||||
# IMPORTANT pdelaage : restore this if you need (but I do not see why) -lzdll
|
||||
|
||||
$(OBJ)/%.o: $(SRC)/%.c
|
||||
@ -113,12 +131,16 @@ $(OBJ)/%.o: $(OBJ)/%.rcp
|
||||
# in the system...
|
||||
# for debug of the preprocessed rcp file, because it is automatically deleted by gnu-make: cp $< $<.2
|
||||
|
||||
all: testenv makedirs $(BIN)/stunnel.exe
|
||||
all: testenv makedirs $(BIN)/stunnel.exe $(BIN)/tstunnel.exe
|
||||
|
||||
testopenssl:
|
||||
@if not exist $(SSLDIR) echo You mush have a compiled OpenSSL tree
|
||||
@if not exist $(SSLINC)/openssl/applink.c $(COPYFILES) $(SSLDIR)/ms/applink.c $(SSLINC)/openssl
|
||||
|
||||
#pdelaage : testenv purpose is to detect, on windows, whether Gnu-win32 has been properly installed...
|
||||
# a first call to "true" is made to detect availability, a second is made to stop the make process.
|
||||
ifdef windir
|
||||
testenv:
|
||||
testenv: testopenssl
|
||||
-@ echo OFF
|
||||
-@ true >$(NULLDEV) 2>&1 || echo You MUST install Gnu-Win32 coreutils \
|
||||
from http://gnuwin32.sourceforge.net/downlinks/coreutils.php \
|
||||
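Review bot: `@if not exist $(SSLDIR) echo You mush have a compiled OpenSSL tree` only prints a message (with "mush" for "must") and make carries on to the `$(COPYFILES)` line and the compile; make the check fatal, e.g. `@if not exist $(SSLDIR) (echo You must have a compiled OpenSSL tree & exit 1)`, or use `$(error ...)` inside an `ifeq ($(wildcard $(SSLDIR)),)` block so the failure is reported before any rule runs.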
@ -133,8 +155,8 @@ endif
|
||||
clean:
|
||||
-@ $(DELFILES) $(OBJ)/*.o
|
||||
-@ $(DELFILES) $(BIN)/stunnel.exe >$(NULLDEV) 2>&1
|
||||
-@ $(DELDIR) $(OBJ) >$(NULLDEV) 2>&1
|
||||
-@ $(DELDIR) $(BIN) >$(NULLDEV) 2>&1
|
||||
-@ $(DELDIR) $(OBJ) >$(NULLDEV) 2>&1
|
||||
-@ $(DELDIR) $(BIN) >$(NULLDEV) 2>&1
|
||||
|
||||
makedirs:
|
||||
-@ $(MKDIR) $(OBJROOT) >$(NULLDEV) 2>&1
|
||||
@ -152,6 +174,9 @@ $(OBJS): *.h mingw.mak
|
||||
$(BIN)/stunnel.exe: $(OBJS)
|
||||
$(CC) $(LDFLAGS) -o $(BIN)/stunnel.exe $(OBJS) $(LIBS) -mwindows
|
||||
|
||||
$(BIN)/tstunnel.exe: $(TOBJS)
|
||||
$(CC) $(LDFLAGS) -o $(BIN)/tstunnel.exe $(TOBJS) $(TLIBS)
|
||||
|
||||
# "missing separator" issue with mingw32-make: tabs MUST BE TABS in your text
|
||||
# editor, and not set of spaces even if your development host is windows.
|
||||
# Some \ are badly tolerated by mingw32-make "!" directives, eg as !IF,
|
||||
|
54
src/mingw.mk
Normal file
@ -0,0 +1,54 @@
|
||||
## mingw/mingw64 Makefile
|
||||
# by Michal Trojnara 2015-2017
|
||||
|
||||
# 32-bit Windows
|
||||
#win32_targetcpu=i686
|
||||
#win32_mingw=mingw
|
||||
|
||||
# 64-bit Windows
|
||||
#win32_targetcpu=x86_64
|
||||
#win32_mingw=mingw64
|
||||
|
||||
bindir = ../bin/$(win32_mingw)
|
||||
objdir = ../obj/$(win32_mingw)
|
||||
|
||||
win32_ssl_dir = /opt/openssl-$(win32_mingw)
|
||||
win32_cppflags = -I$(win32_ssl_dir)/include
|
||||
win32_cflags = -mthreads -fstack-protector -O2
|
||||
win32_cflags += -Wall -Wextra -Wpedantic -Wformat=2 -Wconversion -Wno-long-long
|
||||
win32_cflags += -D_FORTIFY_SOURCE=2 -DUNICODE -D_UNICODE
|
||||
win32_ldflags = -mthreads -fstack-protector -s
|
||||
|
||||
win32_common_libs = -lws2_32 -lkernel32
|
||||
win32_ssl_libs = -L$(win32_ssl_dir)/lib -lcrypto -lssl
|
||||
win32_gui_libs = $(win32_common_libs) -lgdi32 -lpsapi $(win32_ssl_libs)
|
||||
win32_cli_libs = $(win32_common_libs) $(win32_ssl_libs)
|
||||
|
||||
win32_common = tls str file client log options protocol network resolver
|
||||
win32_common += ssl ctx verify sthreads fd dhparam cron stunnel
|
||||
win32_gui = ui_win_gui resources
|
||||
win32_cli = ui_win_cli
|
||||
win32_common_objs = $(addsuffix .o, $(addprefix $(objdir)/, $(win32_common)))
|
||||
win32_gui_objs = $(addsuffix .o, $(addprefix $(objdir)/, $(win32_gui)))
|
||||
win32_cli_objs = $(addsuffix .o, $(addprefix $(objdir)/, $(win32_cli)))
|
||||
|
||||
win32_prefix = $(win32_targetcpu)-w64-mingw32-
|
||||
win32_cc = $(win32_prefix)gcc
|
||||
win32_windres = $(win32_prefix)windres
|
||||
|
||||
all: mkdirs $(bindir)/stunnel.exe $(bindir)/tstunnel.exe
|
||||
|
||||
mkdirs:
|
||||
mkdir -p $(bindir) $(objdir)
|
||||
|
||||
$(bindir)/stunnel.exe: $(win32_common_objs) $(win32_gui_objs)
|
||||
$(win32_cc) -mwindows $(win32_ldflags) -o $(bindir)/stunnel.exe $(win32_common_objs) $(win32_gui_objs) $(win32_gui_libs)
|
||||
|
||||
$(bindir)/tstunnel.exe: $(win32_common_objs) $(win32_cli_objs)
|
||||
$(win32_cc) $(win32_ldflags) -o $(bindir)/tstunnel.exe $(win32_common_objs) $(win32_cli_objs) $(win32_cli_libs)
|
||||
|
||||
$(objdir)/%.o: $(srcdir)/%.c $(common_headers)
|
||||
$(win32_cc) -c $(win32_cppflags) $(win32_cflags) -o $@ $<
|
||||
|
||||
$(objdir)/resources.o: $(srcdir)/resources.rc $(srcdir)/resources.h $(srcdir)/version.h
|
||||
$(win32_windres) --include-dir $(srcdir) $< $@
|
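Review bot: this file uses `win32_targetcpu`, `win32_mingw`, `srcdir` and `common_headers` without defining them (the first two appear only as commented-out examples), so it only works when included from a Makefile that sets all four; add a header comment naming that contract, or guard it with `ifndef win32_mingw` / `$(error win32_mingw must be set)` so a stand-alone `make -f mingw.mk` fails with a clear message instead of writing into `../bin/`. On the hardening side, `-fstack-protector` is passed at link time but ASLR and DEP are not requested; adding `-Wl,--dynamicbase,--nxcompat` (plus `--high-entropy-va` for the x86_64 target) to `win32_ldflags` makes the stack protector considerably more useful on Windows.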
554
src/network.c
@ -1,6 +1,6 @@
|
||||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
@ -35,12 +35,17 @@
|
||||
* forward this exception.
|
||||
*/
|
||||
|
||||
#if defined(_WIN32) || defined(_WIN32_WCE)
|
||||
/* bypass automatic index bound checks in the FD_SET() macro */
|
||||
#define FD_SETSIZE 1000000
|
||||
#endif
|
||||
|
||||
#include "common.h"
|
||||
#include "prototypes.h"
|
||||
|
||||
/* #define DEBUG_UCONTEXT */
|
||||
|
||||
static int get_socket_error(const int);
|
||||
NOEXPORT void s_poll_realloc(s_poll_set *);
|
||||
|
||||
/**************************************** s_poll functions */
|
||||
|
||||
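Review bot: `#define FD_SETSIZE 1000000` removes the `fd_count < FD_SETSIZE` guard that Winsock's FD_SET macro normally provides, so every fd_set touched in this file must come from s_poll_realloc and must never be declared as a plain `fd_set` local (which would now be roughly 8 MB on the stack); the comment should say that rather than "bypass automatic index bound checks". This hunk also drops the local `static int get_socket_error(const int);` prototype while `s_poll_canread`/`s_poll_canwrite` below still call it before its definition, so the new non-static declaration must be present in prototypes.h for the file to compile cleanly.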
@ -53,96 +58,138 @@ s_poll_set *s_poll_alloc() {
|
||||
|
||||
void s_poll_free(s_poll_set *fds) {
|
||||
if(fds) {
|
||||
if(fds->ufds)
|
||||
str_free(fds->ufds);
|
||||
str_free(fds->ufds);
|
||||
str_free(fds);
|
||||
}
|
||||
}
|
||||
|
||||
void s_poll_init(s_poll_set *fds) {
|
||||
fds->nfds=0;
|
||||
fds->allocated=4; /* prealloc 4 file desciptors */
|
||||
fds->ufds=str_realloc(fds->ufds, fds->allocated*sizeof(struct pollfd));
|
||||
fds->allocated=4; /* prealloc 4 file descriptors */
|
||||
s_poll_realloc(fds);
|
||||
}
|
||||
|
||||
void s_poll_add(s_poll_set *fds, int fd, int rd, int wr) {
|
||||
unsigned int i;
|
||||
void s_poll_add(s_poll_set *fds, SOCKET fd, int rd, int wr) {
|
||||
unsigned i;
|
||||
|
||||
for(i=0; i<fds->nfds && fds->ufds[i].fd!=fd; i++)
|
||||
;
|
||||
if(i==fds->nfds) {
|
||||
if(i==fds->nfds) { /* not found */
|
||||
if(i==fds->allocated) {
|
||||
fds->allocated=i+1;
|
||||
fds->ufds=str_realloc(fds->ufds, fds->allocated*sizeof(struct pollfd));
|
||||
s_poll_realloc(fds);
|
||||
}
|
||||
fds->ufds[i].fd=fd;
|
||||
fds->ufds[i].events=0;
|
||||
fds->nfds++;
|
||||
}
|
||||
if(rd)
|
||||
if(rd) {
|
||||
fds->ufds[i].events|=POLLIN;
|
||||
#ifdef POLLRDHUP
|
||||
fds->ufds[i].events|=POLLRDHUP;
|
||||
#endif
|
||||
}
|
||||
if(wr)
|
||||
fds->ufds[i].events|=POLLOUT;
|
||||
}
|
||||
|
||||
int s_poll_canread(s_poll_set *fds, int fd) {
|
||||
unsigned int i;
|
||||
void s_poll_remove(s_poll_set *fds, SOCKET fd) {
|
||||
unsigned i;
|
||||
|
||||
for(i=0; i<fds->nfds && fds->ufds[i].fd!=fd; i++)
|
||||
;
|
||||
if(i<fds->nfds) { /* found */
|
||||
memmove(fds->ufds+i, fds->ufds+i+1,
|
||||
(fds->nfds-i-1)*sizeof(struct pollfd));
|
||||
fds->nfds--;
|
||||
}
|
||||
}
|
||||
|
||||
int s_poll_canread(s_poll_set *fds, SOCKET fd) {
|
||||
unsigned i;
|
||||
|
||||
for(i=0; i<fds->nfds; i++)
|
||||
if(fds->ufds[i].fd==fd)
|
||||
return fds->ufds[i].revents&POLLIN;
|
||||
return fds->ufds[i].revents&(POLLIN|POLLERR);
|
||||
return 0; /* not listed in fds */
|
||||
}
|
||||
|
||||
int s_poll_canwrite(s_poll_set *fds, int fd) {
|
||||
unsigned int i;
|
||||
int s_poll_canwrite(s_poll_set *fds, SOCKET fd) {
|
||||
unsigned i;
|
||||
|
||||
for(i=0; i<fds->nfds; i++)
|
||||
if(fds->ufds[i].fd==fd)
|
||||
return fds->ufds[i].revents&POLLOUT;
|
||||
return fds->ufds[i].revents&(POLLOUT|POLLERR);
|
||||
return 0; /* not listed in fds */
|
||||
}
|
||||
|
||||
int s_poll_hup(s_poll_set *fds, int fd) {
|
||||
unsigned int i;
|
||||
/* best doc: http://lxr.free-electrons.com/source/net/ipv4/tcp.c#L456 */
|
||||
|
||||
int s_poll_hup(s_poll_set *fds, SOCKET fd) {
|
||||
unsigned i;
|
||||
|
||||
for(i=0; i<fds->nfds; i++)
|
||||
if(fds->ufds[i].fd==fd)
|
||||
return fds->ufds[i].revents&POLLHUP;
|
||||
return fds->ufds[i].revents&POLLHUP; /* read and write closed */
|
||||
return 0; /* not listed in fds */
|
||||
}
|
||||
|
||||
int s_poll_error(s_poll_set *fds, int fd) {
|
||||
unsigned int i;
|
||||
int s_poll_rdhup(s_poll_set *fds, SOCKET fd) {
|
||||
unsigned i;
|
||||
|
||||
for(i=0; i<fds->nfds; i++)
|
||||
if(fds->ufds[i].fd==fd)
|
||||
return fds->ufds[i].revents&(POLLERR|POLLNVAL) ?
|
||||
get_socket_error(fd) : 0;
|
||||
#ifdef POLLRDHUP
|
||||
return fds->ufds[i].revents&POLLRDHUP; /* read closed */
|
||||
#else
|
||||
return fds->ufds[i].revents&POLLHUP; /* read and write closed */
|
||||
#endif
|
||||
return 0; /* not listed in fds */
|
||||
}
|
||||
|
||||
int s_poll_err(s_poll_set *fds, SOCKET fd) {
|
||||
unsigned i;
|
||||
|
||||
for(i=0; i<fds->nfds; i++)
|
||||
if(fds->ufds[i].fd==fd)
|
||||
return fds->ufds[i].revents&POLLERR;
|
||||
return 0; /* not listed in fds */
|
||||
}
|
||||
|
||||
NOEXPORT void s_poll_realloc(s_poll_set *fds) {
|
||||
fds->ufds=str_realloc(fds->ufds, fds->allocated*sizeof(struct pollfd));
|
||||
}
|
||||
|
||||
void s_poll_dump(s_poll_set *fds, int level) {
|
||||
unsigned i;
|
||||
|
||||
for(i=0; i<fds->nfds; i++)
|
||||
s_log(level, "FD=%ld events=0x%X revents=0x%X",
|
||||
(long)fds->ufds[i].fd, fds->ufds[i].events, fds->ufds[i].revents);
|
||||
}
|
||||
|
||||
#ifdef USE_UCONTEXT
|
||||
|
||||
/* move ready contexts from waiting queue to ready queue */
|
||||
static void scan_waiting_queue(void) {
|
||||
NOEXPORT void scan_waiting_queue(void) {
|
||||
int retval;
|
||||
CONTEXT *context, *prev;
|
||||
int min_timeout;
|
||||
unsigned int nfds, i;
|
||||
unsigned nfds, i;
|
||||
time_t now;
|
||||
static unsigned int max_nfds=0;
|
||||
static unsigned max_nfds=0;
|
||||
static struct pollfd *ufds=NULL;
|
||||
|
||||
time(&now);
|
||||
/* count file descriptors */
|
||||
min_timeout=-1;
|
||||
min_timeout=-1; /* infinity */
|
||||
nfds=0;
|
||||
for(context=waiting_head; context; context=context->next) {
|
||||
nfds+=context->fds->nfds;
|
||||
if(context->finish>=0) /* finite time */
|
||||
if(min_timeout<0 || min_timeout>context->finish-now)
|
||||
min_timeout=context->finish-now<0 ? 0 : context->finish-now;
|
||||
min_timeout=
|
||||
(int)(context->finish-now<0 ? 0 : context->finish-now);
|
||||
}
|
||||
/* setup ufds structure */
|
||||
if(nfds>max_nfds) { /* need to allocate more memory */
|
||||
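Review bot: in the poll-based `s_poll_add`, `fds->allocated=i+1;` followed by `s_poll_realloc(fds)` grows the array by exactly one entry, so a set that collects N descriptors triggers N-4 reallocations; grow geometrically (`fds->allocated*=2`) to keep insertion amortised O(1). Separately, `s_poll_rdhup` only reports a half-close when `POLLRDHUP` is defined, which on Linux requires `_GNU_SOURCE` before `<poll.h>` is included; otherwise the `#else` branch silently degrades to full-HUP detection, which deserves a comment since callers cannot tell which behaviour they got.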
@ -177,13 +224,13 @@ static void scan_waiting_queue(void) {
|
||||
#ifdef DEBUG_UCONTEXT
|
||||
s_log(LOG_DEBUG, "CONTEXT %ld, FD=%d,%s%s ->%s%s%s%s%s",
|
||||
context->id, ufds[nfds].fd,
|
||||
ufds[nfds].events & POLLIN ? " IN" : "",
|
||||
ufds[nfds].events & POLLOUT ? " OUT" : "",
|
||||
ufds[nfds].revents & POLLIN ? " IN" : "",
|
||||
ufds[nfds].revents & POLLOUT ? " OUT" : "",
|
||||
ufds[nfds].revents & POLLERR ? " ERR" : "",
|
||||
ufds[nfds].revents & POLLHUP ? " HUP" : "",
|
||||
ufds[nfds].revents & POLLNVAL ? " NVAL" : "");
|
||||
(ufds[nfds].events & POLLIN) ? " IN" : "",
|
||||
(ufds[nfds].events & POLLOUT) ? " OUT" : "",
|
||||
(ufds[nfds].revents & POLLIN) ? " IN" : "",
|
||||
(ufds[nfds].revents & POLLOUT) ? " OUT" : "",
|
||||
(ufds[nfds].revents & POLLERR) ? " ERR" : "",
|
||||
(ufds[nfds].revents & POLLHUP) ? " HUP" : "",
|
||||
(ufds[nfds].revents & POLLNVAL) ? " NVAL" : "");
|
||||
#endif
|
||||
if(ufds[nfds].revents)
|
||||
context->ready++;
|
||||
@ -217,16 +264,16 @@ int s_poll_wait(s_poll_set *fds, int sec, int msec) {
|
||||
static CONTEXT *to_free=NULL; /* delayed memory deallocation */
|
||||
|
||||
/* FIXME: msec parameter is currently ignored with UCONTEXT threads */
|
||||
(void)msec; /* skip warning about unused parameter */
|
||||
(void)msec; /* squash the unused parameter warning */
|
||||
|
||||
/* remove the current context from ready queue */
|
||||
context=ready_head;
|
||||
ready_head=ready_head->next;
|
||||
if(!ready_head) /* the queue is empty */
|
||||
ready_tail=NULL;
|
||||
/* it it safe to s_log() after new ready_head is set */
|
||||
/* it is safe to s_log() after new ready_head is set */
|
||||
|
||||
/* it's illegal to deallocate the stack of the current context */
|
||||
/* it is illegal to deallocate the stack of the current context */
|
||||
if(to_free) { /* a delayed deallocation is scheduled */
|
||||
#ifdef DEBUG_UCONTEXT
|
||||
s_log(LOG_DEBUG, "Releasing context %ld", to_free->id);
|
||||
@ -300,58 +347,98 @@ s_poll_set *s_poll_alloc() {
|
||||
}
|
||||
|
||||
void s_poll_free(s_poll_set *fds) {
|
||||
if(fds)
|
||||
if(fds) {
|
||||
str_free(fds->irfds);
|
||||
str_free(fds->iwfds);
|
||||
str_free(fds->ixfds);
|
||||
str_free(fds->orfds);
|
||||
str_free(fds->owfds);
|
||||
str_free(fds->oxfds);
|
||||
str_free(fds);
|
||||
}
|
||||
}
|
||||
|
||||
void s_poll_init(s_poll_set *fds) {
|
||||
FD_ZERO(&fds->irfds);
|
||||
FD_ZERO(&fds->iwfds);
|
||||
FD_ZERO(&fds->ixfds);
|
||||
#ifdef USE_WIN32
|
||||
fds->allocated=4; /* prealloc 4 file descriptors */
|
||||
#endif
|
||||
s_poll_realloc(fds);
|
||||
FD_ZERO(fds->irfds);
|
||||
FD_ZERO(fds->iwfds);
|
||||
FD_ZERO(fds->ixfds);
|
||||
fds->max=0; /* no file descriptors */
|
||||
}
|
||||
|
||||
void s_poll_add(s_poll_set *fds, int fd, int rd, int wr) {
|
||||
void s_poll_add(s_poll_set *fds, SOCKET fd, int rd, int wr) {
|
||||
#ifdef USE_WIN32
|
||||
/* fds->ixfds contains union of fds->irfds and fds->iwfds */
|
||||
if(fds->ixfds->fd_count>=fds->allocated) {
|
||||
fds->allocated=fds->ixfds->fd_count+1;
|
||||
s_poll_realloc(fds);
|
||||
}
|
||||
#endif
|
||||
if(rd)
|
||||
FD_SET((unsigned int)fd, &fds->irfds);
|
||||
FD_SET(fd, fds->irfds);
|
||||
if(wr)
|
||||
FD_SET((unsigned int)fd, &fds->iwfds);
|
||||
FD_SET(fd, fds->iwfds);
|
||||
/* always expect errors (and the Spanish Inquisition) */
|
||||
FD_SET((unsigned int)fd, &fds->ixfds);
|
||||
FD_SET(fd, fds->ixfds);
|
||||
if(fd>fds->max)
|
||||
fds->max=fd;
|
||||
}
|
||||
|
||||
int s_poll_canread(s_poll_set *fds, int fd) {
|
||||
return FD_ISSET(fd, &fds->orfds);
|
||||
void s_poll_remove(s_poll_set *fds, SOCKET fd) {
|
||||
FD_CLR(fd, fds->irfds);
|
||||
FD_CLR(fd, fds->iwfds);
|
||||
FD_CLR(fd, fds->ixfds);
|
||||
}
|
||||
|
||||
int s_poll_canwrite(s_poll_set *fds, int fd) {
|
||||
return FD_ISSET(fd, &fds->owfds);
|
||||
int s_poll_canread(s_poll_set *fds, SOCKET fd) {
|
||||
/* ignore exception if there is no error (WinCE 6.0 anomaly) */
|
||||
return FD_ISSET(fd, fds->orfds) ||
|
||||
(FD_ISSET(fd, fds->oxfds) && get_socket_error(fd));
|
||||
}
|
||||
|
||||
int s_poll_hup(s_poll_set *fds, int fd) {
|
||||
(void)fds; /* skip warning about unused parameter */
|
||||
(void)fd; /* skip warning about unused parameter */
|
||||
return 0; /* FIXME: how to detect HUP condition with select()? */
|
||||
int s_poll_canwrite(s_poll_set *fds, SOCKET fd) {
|
||||
/* ignore exception if there is no error (WinCE 6.0 anomaly) */
|
||||
return FD_ISSET(fd, fds->owfds) ||
|
||||
(FD_ISSET(fd, fds->oxfds) && get_socket_error(fd));
|
||||
}
|
||||
|
||||
int s_poll_error(s_poll_set *fds, int fd) {
|
||||
/* error conditions are signaled as read, but apparently *not* in Winsock:
|
||||
* http://msdn.microsoft.com/en-us/library/windows/desktop/ms737625%28v=vs.85%29.aspx */
|
||||
if(!FD_ISSET(fd, &fds->orfds) && !FD_ISSET(fd, &fds->oxfds))
|
||||
return 0;
|
||||
return get_socket_error(fd); /* check if it's really an error */
|
||||
int s_poll_hup(s_poll_set *fds, SOCKET fd) {
|
||||
(void)fds; /* squash the unused parameter warning */
|
||||
(void)fd; /* squash the unused parameter warning */
|
||||
return 0; /* FIXME: how to detect the HUP condition with select()? */
|
||||
}
|
||||
|
||||
int s_poll_rdhup(s_poll_set *fds, SOCKET fd) {
|
||||
(void)fds; /* squash the unused parameter warning */
|
||||
(void)fd; /* squash the unused parameter warning */
|
||||
return 0; /* FIXME: how to detect the RDHUP condition with select()? */
|
||||
}
|
||||
|
||||
int s_poll_err(s_poll_set *fds, SOCKET fd) {
|
||||
return FD_ISSET(fd, fds->oxfds);
|
||||
}
|
||||
|
||||
#ifdef USE_WIN32
|
||||
#define FD_SIZE(fds) (8+(fds)->allocated*sizeof(SOCKET))
|
||||
#else
|
||||
#define FD_SIZE(fds) (sizeof(fd_set))
|
||||
#endif
|
||||
|
||||
int s_poll_wait(s_poll_set *fds, int sec, int msec) {
|
||||
int retval;
|
||||
struct timeval tv, *tv_ptr;
|
||||
|
||||
do { /* skip "Interrupted system call" errors */
|
||||
memcpy(&fds->orfds, &fds->irfds, sizeof(fd_set));
|
||||
memcpy(&fds->owfds, &fds->iwfds, sizeof(fd_set));
|
||||
memcpy(&fds->oxfds, &fds->ixfds, sizeof(fd_set));
|
||||
memcpy(fds->orfds, fds->irfds, FD_SIZE(fds));
|
||||
memcpy(fds->owfds, fds->iwfds, FD_SIZE(fds));
|
||||
#ifndef _WIN32_WCE
|
||||
memcpy(fds->oxfds, fds->ixfds, FD_SIZE(fds));
|
||||
#else /* WinCE reports unexpected permanent exceptions */
|
||||
FD_ZERO(fds->oxfds);
|
||||
#endif
|
||||
if(sec<0) { /* infinite timeout */
|
||||
tv_ptr=NULL;
|
||||
} else {
|
||||
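Review bot: the select-based `s_poll_add` bounds-checks only on Windows (`fds->ixfds->fd_count>=fds->allocated`); on the `#else` path `FD_SIZE(fds)` is `sizeof(fd_set)` and `FD_SET(fd, fds->irfds)` is issued with no check that `fd < FD_SETSIZE`, so a descriptor at or above FD_SETSIZE writes past the end of the heap-allocated set. Add `if(fd>=FD_SETSIZE) { s_log(LOG_ERR, "..."); return; }` (or let s_poll_add return an error) on the non-Windows path; this is the classic select() overflow and becomes reachable as soon as the process's open-file limit exceeds FD_SETSIZE.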
@ -359,20 +446,48 @@ int s_poll_wait(s_poll_set *fds, int sec, int msec) {
|
||||
tv.tv_usec=1000*msec;
|
||||
tv_ptr=&tv;
|
||||
}
|
||||
retval=select(fds->max+1, &fds->orfds, &fds->owfds, &fds->oxfds, tv_ptr);
|
||||
retval=select((int)fds->max+1,
|
||||
fds->orfds, fds->owfds, fds->oxfds, tv_ptr);
|
||||
} while(retval<0 && get_last_socket_error()==S_EINTR);
|
||||
return retval;
|
||||
}
|
||||
|
||||
NOEXPORT void s_poll_realloc(s_poll_set *fds) {
|
||||
fds->irfds=str_realloc(fds->irfds, FD_SIZE(fds));
|
||||
fds->iwfds=str_realloc(fds->iwfds, FD_SIZE(fds));
|
||||
fds->ixfds=str_realloc(fds->ixfds, FD_SIZE(fds));
|
||||
fds->orfds=str_realloc(fds->orfds, FD_SIZE(fds));
|
||||
fds->owfds=str_realloc(fds->owfds, FD_SIZE(fds));
|
||||
fds->oxfds=str_realloc(fds->oxfds, FD_SIZE(fds));
|
||||
}
|
||||
|
||||
void s_poll_dump(s_poll_set *fds, int level) {
|
||||
SOCKET fd;
|
||||
int ir, iw, ix, or, ow, ox;
|
||||
|
||||
for(fd=0; fd<fds->max; fd++) {
|
||||
ir=FD_ISSET(fd, fds->irfds);
|
||||
iw=FD_ISSET(fd, fds->iwfds);
|
||||
ix=FD_ISSET(fd, fds->ixfds);
|
||||
or=FD_ISSET(fd, fds->orfds);
|
||||
ow=FD_ISSET(fd, fds->owfds);
|
||||
ox=FD_ISSET(fd, fds->oxfds);
|
||||
if(ir || iw || ix || or || ow || ox)
|
||||
s_log(level, "FD=%ld ifds=%c%c%c ofds=%c%c%c", (long)fd,
|
||||
ir?'r':'-', iw?'w':'-', ix?'x':'-',
|
||||
or?'r':'-', ow?'w':'-', ox?'x':'-');
|
||||
}
|
||||
}
|
||||
|
||||
#endif /* USE_POLL */
|
||||
|
||||
/**************************************** fd management */
|
||||
|
||||
int set_socket_options(int s, int type) {
|
||||
int set_socket_options(SOCKET s, int type) {
|
||||
SOCK_OPT *ptr;
|
||||
extern SOCK_OPT sock_opts[];
|
||||
extern SOCK_OPT *sock_opts;
|
||||
static char *type_str[3]={"accept", "local", "remote"};
|
||||
int opt_size;
|
||||
socklen_t opt_size;
|
||||
int retval=0; /* no error found */
|
||||
|
||||
for(ptr=sock_opts; ptr->opt_str; ptr++) {
|
||||
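Review bot: `s_poll_dump` loops `for(fd=0; fd<fds->max; fd++)`, but `s_poll_add` records the highest descriptor in `fds->max` (`if(fd>fds->max) fds->max=fd;`), so the largest descriptor in the set is never printed; the loop should be `fd<=fds->max`, matching the `(int)fds->max+1` passed to select(). On Windows SOCKET values are opaque handles rather than small integers, so iterating `0..max` there can run for a very long time and print nothing useful; consider walking `fds->ixfds->fd_array` under `#ifdef USE_WIN32` instead.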
@ -386,7 +501,7 @@ int set_socket_options(int s, int type) {
|
||||
opt_size=sizeof(struct timeval);
|
||||
break;
|
||||
case TYPE_STRING:
|
||||
opt_size=strlen(ptr->opt_val[type]->c_val)+1;
|
||||
opt_size=(socklen_t)strlen(ptr->opt_val[type]->c_val)+1;
|
||||
break;
|
||||
default:
|
||||
opt_size=sizeof(int);
|
||||
@ -403,17 +518,15 @@ int set_socket_options(int s, int type) {
|
||||
retval=-1; /* failed to set this option */
|
||||
}
|
||||
}
|
||||
#ifdef DEBUG_FD_ALLOC
|
||||
else {
|
||||
s_log(LOG_DEBUG, "Option %s set on %s socket",
|
||||
ptr->opt_str, type_str[type]);
|
||||
}
|
||||
#endif /* DEBUG_FD_ALLOC */
|
||||
}
|
||||
return retval; /* returns 0 when all options succeeded */
|
||||
}
|
||||
|
||||
static int get_socket_error(const int fd) {
|
||||
int get_socket_error(const SOCKET fd) {
|
||||
int err;
|
||||
socklen_t optlen=sizeof err;
|
||||
|
||||
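Review bot: `get_socket_error` loses its `static` and takes a `SOCKET`, which makes it part of the module's public interface; make sure the matching declaration in prototypes.h is updated in the same change (the part of prototypes.h visible in this commit does not reach the network.c prototypes). The `socklen_t optlen=sizeof err;` that follows is the right type for the getsockopt length argument. Please also document in a comment whether callers may rely on the return value being a plain errno value or a platform socket error code, since the function is now called from outside this file.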
@ -424,56 +537,56 @@ static int get_socket_error(const int fd) {
|
||||
|
||||
/**************************************** simulate blocking I/O */
|
||||
|
||||
int connect_blocking(CLI *c, SOCKADDR_UNION *addr, socklen_t addrlen) {
|
||||
int s_connect(CLI *c, SOCKADDR_UNION *addr, socklen_t addrlen) {
|
||||
int error;
|
||||
char *dst;
|
||||
|
||||
dst=s_ntop(addr, addrlen);
|
||||
s_log(LOG_INFO, "connect_blocking: connecting %s", dst);
|
||||
s_log(LOG_INFO, "s_connect: connecting %s", dst);
|
||||
|
||||
if(!connect(c->fd, &addr->sa, addrlen)) {
|
||||
s_log(LOG_NOTICE, "connect_blocking: connected %s", dst);
|
||||
s_log(LOG_INFO, "s_connect: connected %s", dst);
|
||||
str_free(dst);
|
||||
return 0; /* no error -> success (on some OSes over the loopback) */
|
||||
}
|
||||
error=get_last_socket_error();
|
||||
if(error!=S_EINPROGRESS && error!=S_EWOULDBLOCK) {
|
||||
s_log(LOG_ERR, "connect_blocking: connect %s: %s (%d)",
|
||||
s_log(LOG_ERR, "s_connect: connect %s: %s (%d)",
|
||||
dst, s_strerror(error), error);
|
||||
str_free(dst);
|
||||
return -1;
|
||||
}
|
||||
|
||||
s_log(LOG_DEBUG, "connect_blocking: s_poll_wait %s: waiting %d seconds",
|
||||
s_log(LOG_DEBUG, "s_connect: s_poll_wait %s: waiting %d seconds",
|
||||
dst, c->opt->timeout_connect);
|
||||
s_poll_init(c->fds);
|
||||
s_poll_add(c->fds, c->fd, 1, 1);
|
||||
switch(s_poll_wait(c->fds, c->opt->timeout_connect, 0)) {
|
||||
case -1:
|
||||
error=get_last_socket_error();
|
||||
s_log(LOG_ERR, "connect_blocking: s_poll_wait %s: %s (%d)",
|
||||
s_log(LOG_ERR, "s_connect: s_poll_wait %s: %s (%d)",
|
||||
dst, s_strerror(error), error);
|
||||
str_free(dst);
|
||||
return -1;
|
||||
case 0:
|
||||
s_log(LOG_ERR, "connect_blocking: s_poll_wait %s:"
|
||||
s_log(LOG_ERR, "s_connect: s_poll_wait %s:"
|
||||
" TIMEOUTconnect exceeded", dst);
|
||||
str_free(dst);
|
||||
return -1;
|
||||
default:
|
||||
error=get_socket_error(c->fd);
|
||||
if(error) {
|
||||
s_log(LOG_ERR, "connect_blocking: connect %s: %s (%d)",
|
||||
s_log(LOG_ERR, "s_connect: connect %s: %s (%d)",
|
||||
dst, s_strerror(error), error);
|
||||
str_free(dst);
|
||||
return -1;
|
||||
}
|
||||
if(s_poll_canwrite(c->fds, c->fd)) {
|
||||
s_log(LOG_NOTICE, "connect_blocking: connected %s", dst);
|
||||
s_log(LOG_NOTICE, "s_connect: connected %s", dst);
|
||||
str_free(dst);
|
||||
return 0; /* success */
|
||||
}
|
||||
s_log(LOG_ERR, "connect_blocking: s_poll_wait %s: internal error",
|
||||
s_log(LOG_ERR, "s_connect: s_poll_wait %s: internal error",
|
||||
dst);
|
||||
str_free(dst);
|
||||
return -1;
|
||||
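Review bot: the two "connected" messages in s_connect now log at different levels: the immediate-success path was lowered to `s_log(LOG_INFO, "s_connect: connected %s", dst)` while the post-poll path keeps `s_log(LOG_NOTICE, "s_connect: connected %s", dst)`. The same event should log at one level; otherwise whether an outbound connection shows up at the default verbosity depends on whether connect() completed synchronously (the comment itself notes this happens over loopback on some OSes), which makes the connection log unreliable for auditing. Pick one level for both branches.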
@ -481,147 +594,115 @@ int connect_blocking(CLI *c, SOCKADDR_UNION *addr, socklen_t addrlen) {
|
||||
return -1; /* should not be possible */
|
||||
}
|
||||
|
||||
void write_blocking(CLI *c, int fd, void *ptr, int len) {
|
||||
void s_write(CLI *c, SOCKET fd, const void *buf, size_t len) {
|
||||
/* simulate a blocking write */
|
||||
int num;
|
||||
uint8_t *ptr=(uint8_t *)buf;
|
||||
ssize_t num;
|
||||
|
||||
while(len>0) {
|
||||
s_poll_init(c->fds);
|
||||
s_poll_add(c->fds, fd, 0, 1); /* write */
|
||||
switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
|
||||
case -1:
|
||||
sockerror("write_blocking: s_poll_wait");
|
||||
sockerror("s_write: s_poll_wait");
|
||||
longjmp(c->err, 1); /* error */
|
||||
case 0:
|
||||
s_log(LOG_INFO, "write_blocking: s_poll_wait:"
|
||||
s_log(LOG_INFO, "s_write: s_poll_wait:"
|
||||
" TIMEOUTbusy exceeded: sending reset");
|
||||
longjmp(c->err, 1); /* timeout */
|
||||
case 1:
|
||||
break; /* OK */
|
||||
default:
|
||||
s_log(LOG_ERR, "write_blocking: s_poll_wait: unknown result");
|
||||
s_log(LOG_ERR, "s_write: s_poll_wait: unknown result");
|
||||
longjmp(c->err, 1); /* error */
|
||||
}
|
||||
num=writesocket(fd, ptr, len);
|
||||
switch(num) {
|
||||
case -1: /* error */
|
||||
sockerror("writesocket (write_blocking)");
|
||||
num=writesocket(fd, (void *)ptr, len);
|
||||
if(num==-1) { /* error */
|
||||
sockerror("writesocket (s_write)");
|
||||
longjmp(c->err, 1);
|
||||
}
|
||||
ptr=(u8 *)ptr+num;
|
||||
len-=num;
|
||||
ptr+=(size_t)num;
|
||||
len-=(size_t)num;
|
||||
}
|
||||
}
|
||||
|
||||
void read_blocking(CLI *c, int fd, void *ptr, int len) {
|
||||
void s_read(CLI *c, SOCKET fd, void *ptr, size_t len) {
|
||||
/* simulate a blocking read */
|
||||
int num;
|
||||
ssize_t num;
|
||||
|
||||
while(len>0) {
|
||||
s_poll_init(c->fds);
|
||||
s_poll_add(c->fds, fd, 1, 0); /* read */
|
||||
switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
|
||||
case -1:
|
||||
sockerror("read_blocking: s_poll_wait");
|
||||
sockerror("s_read: s_poll_wait");
|
||||
longjmp(c->err, 1); /* error */
|
||||
case 0:
|
||||
s_log(LOG_INFO, "read_blocking: s_poll_wait:"
|
||||
s_log(LOG_INFO, "s_read: s_poll_wait:"
|
||||
" TIMEOUTbusy exceeded: sending reset");
|
||||
longjmp(c->err, 1); /* timeout */
|
||||
case 1:
|
||||
break; /* OK */
|
||||
default:
|
||||
s_log(LOG_ERR, "read_blocking: s_poll_wait: unknown result");
|
||||
s_log(LOG_ERR, "s_read: s_poll_wait: unknown result");
|
||||
longjmp(c->err, 1); /* error */
|
||||
}
|
||||
num=readsocket(fd, ptr, len);
|
||||
switch(num) {
|
||||
case -1: /* error */
|
||||
sockerror("readsocket (read_blocking)");
|
||||
sockerror("readsocket (s_read)");
|
||||
longjmp(c->err, 1);
|
||||
case 0: /* EOF */
|
||||
s_log(LOG_ERR, "Unexpected socket close (read_blocking)");
|
||||
s_log(LOG_ERR, "Unexpected socket close (s_read)");
|
||||
longjmp(c->err, 1);
|
||||
}
|
||||
ptr=(u8 *)ptr+num;
|
||||
len-=num;
|
||||
ptr=(uint8_t *)ptr+num;
|
||||
len-=(size_t)num;
|
||||
}
|
||||
}
|
||||
|
||||
void fd_putline(CLI *c, int fd, const char *line) {
|
||||
void fd_putline(CLI *c, SOCKET fd, const char *line) {
|
||||
char *tmpline;
|
||||
const char crlf[]="\r\n";
|
||||
int len;
|
||||
size_t len;
|
||||
|
||||
tmpline=str_printf("%s%s", line, crlf);
|
||||
len=strlen(tmpline);
|
||||
write_blocking(c, fd, tmpline, len);
|
||||
tmpline[len-2]='\0'; /* remove CRLF */
|
||||
safestring(tmpline);
|
||||
s_log(LOG_DEBUG, " -> %s", tmpline);
|
||||
s_write(c, fd, tmpline, len);
|
||||
str_free(tmpline);
|
||||
s_log(LOG_DEBUG, " -> %s", line);
|
||||
}
|
||||
|
||||
char *fd_getline(CLI *c, int fd) {
|
||||
char *line, *tmpline;
|
||||
int ptr=0, allocated=32;
|
||||
char *fd_getline(CLI *c, SOCKET fd) {
|
||||
char *line;
|
||||
size_t ptr=0, allocated=32;
|
||||
|
||||
line=str_alloc(allocated);
|
||||
for(;;) {
|
||||
s_poll_init(c->fds);
|
||||
s_poll_add(c->fds, fd, 1, 0); /* read */
|
||||
switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
|
||||
case -1:
|
||||
sockerror("fd_getline: s_poll_wait");
|
||||
if(ptr>65536) { /* >64KB --> DoS protection */
|
||||
s_log(LOG_ERR, "fd_getline: Line too long");
|
||||
str_free(line);
|
||||
longjmp(c->err, 1); /* error */
|
||||
case 0:
|
||||
s_log(LOG_INFO, "fd_getline: s_poll_wait:"
|
||||
" TIMEOUTbusy exceeded: sending reset");
|
||||
str_free(line);
|
||||
longjmp(c->err, 1); /* timeout */
|
||||
case 1:
|
||||
break; /* OK */
|
||||
default:
|
||||
s_log(LOG_ERR, "fd_getline: s_poll_wait: Unknown result");
|
||||
str_free(line);
|
||||
longjmp(c->err, 1); /* error */
|
||||
longjmp(c->err, 1);
|
||||
}
|
||||
if(allocated<ptr+1) {
|
||||
allocated*=2;
|
||||
line=str_realloc(line, allocated);
|
||||
}
|
||||
switch(readsocket(fd, line+ptr, 1)) {
|
||||
case -1: /* error */
|
||||
sockerror("fd_getline: readsocket");
|
||||
str_free(line);
|
||||
longjmp(c->err, 1);
|
||||
case 0: /* EOF */
|
||||
s_log(LOG_ERR, "fd_getline: Unexpected socket close");
|
||||
str_free(line);
|
||||
longjmp(c->err, 1);
|
||||
}
|
||||
s_read(c, fd, line+ptr, 1);
|
||||
if(line[ptr]=='\r')
|
||||
continue;
|
||||
if(line[ptr]=='\n')
|
||||
break;
|
||||
if(line[ptr]=='\0')
|
||||
break;
|
||||
if(++ptr>65536) { /* >64KB --> DoS protection */
|
||||
s_log(LOG_ERR, "fd_getline: Line too long");
|
||||
str_free(line);
|
||||
longjmp(c->err, 1);
|
||||
}
|
||||
++ptr;
|
||||
}
|
||||
line[ptr]='\0';
|
||||
tmpline=str_dup(line);
|
||||
safestring(tmpline);
|
||||
s_log(LOG_DEBUG, " <- %s", tmpline);
|
||||
str_free(tmpline);
|
||||
s_log(LOG_DEBUG, " <- %s", line);
|
||||
return line;
|
||||
}
|
||||
|
||||
void fd_printf(CLI *c, int fd, const char *format, ...) {
|
||||
void fd_printf(CLI *c, SOCKET fd, const char *format, ...) {
|
||||
va_list ap;
|
||||
char *line;
|
||||
|
||||
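Review bot: fd_putline and fd_getline no longer pass the line through `safestring()` before logging it; the old code logged a sanitized copy (`tmpline=str_dup(line); safestring(tmpline); s_log(LOG_DEBUG, " <- %s", tmpline);`) and the new code does `s_log(LOG_DEBUG, " <- %s", line)` on the raw bytes received from the peer. fd_getline stops only at '\n' and '\0' and skips '\r', so every other byte is kept; unless s_log now sanitizes every message centrally, control characters and terminal escape sequences supplied by the remote side reach the log file unescaped, which allows log forging against whoever reads the debug log. Either keep the `safestring()` call or confirm in a comment that sanitization moved into s_log. Smaller point: in s_write, `num=writesocket(fd, (void *)ptr, len)` passes a `size_t` length; if writesocket maps to send() on Win32, that argument is an int and a length above INT_MAX is truncated. ssl_putline later in this commit guards this with an `INT_MAX` check, while s_write has no such check.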
@ -636,27 +717,166 @@ void fd_printf(CLI *c, int fd, const char *format, ...) {
|
||||
str_free(line);
|
||||
}
|
||||
|
||||
void s_ssl_write(CLI *c, const void *buf, int len) {
|
||||
/* simulate a blocking SSL_write */
|
||||
uint8_t *ptr=(uint8_t *)buf;
|
||||
int num;
|
||||
|
||||
while(len>0) {
|
||||
s_poll_init(c->fds);
|
||||
s_poll_add(c->fds, c->ssl_wfd->fd, 0, 1); /* write */
|
||||
switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
|
||||
case -1:
|
||||
sockerror("s_write: s_poll_wait");
|
||||
longjmp(c->err, 1); /* error */
|
||||
case 0:
|
||||
s_log(LOG_INFO, "s_write: s_poll_wait:"
|
||||
" TIMEOUTbusy exceeded: sending reset");
|
||||
longjmp(c->err, 1); /* timeout */
|
||||
case 1:
|
||||
break; /* OK */
|
||||
default:
|
||||
s_log(LOG_ERR, "s_write: s_poll_wait: unknown result");
|
||||
longjmp(c->err, 1); /* error */
|
||||
}
|
||||
num=SSL_write(c->ssl, (void *)ptr, len);
|
||||
if(num==-1) { /* error */
|
||||
sockerror("SSL_write (s_ssl_write)");
|
||||
longjmp(c->err, 1);
|
||||
}
|
||||
ptr+=num;
|
||||
len-=num;
|
||||
}
|
||||
}
|
||||
|
||||
void s_ssl_read(CLI *c, void *ptr, int len) {
|
||||
/* simulate a blocking SSL_read */
|
||||
int num;
|
||||
|
||||
while(len>0) {
|
||||
if(!SSL_pending(c->ssl)) {
|
||||
s_poll_init(c->fds);
|
||||
s_poll_add(c->fds, c->ssl_rfd->fd, 1, 0); /* read */
|
||||
switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
|
||||
case -1:
|
||||
sockerror("s_read: s_poll_wait");
|
||||
longjmp(c->err, 1); /* error */
|
||||
case 0:
|
||||
s_log(LOG_INFO, "s_read: s_poll_wait:"
|
||||
" TIMEOUTbusy exceeded: sending reset");
|
||||
longjmp(c->err, 1); /* timeout */
|
||||
case 1:
|
||||
break; /* OK */
|
||||
default:
|
||||
s_log(LOG_ERR, "s_read: s_poll_wait: unknown result");
|
||||
longjmp(c->err, 1); /* error */
|
||||
}
|
||||
}
|
||||
num=SSL_read(c->ssl, ptr, len);
|
||||
switch(num) {
|
||||
case -1: /* error */
|
||||
sockerror("SSL_read (s_ssl_read)");
|
||||
longjmp(c->err, 1);
|
||||
case 0: /* EOF */
|
||||
s_log(LOG_ERR, "Unexpected socket close (s_ssl_read)");
|
||||
longjmp(c->err, 1);
|
||||
}
|
||||
ptr=(uint8_t *)ptr+num;
|
||||
len-=num;
|
||||
}
|
||||
}
|
||||
|
||||
char *ssl_getstring(CLI *c) { /* get null-terminated string */
|
||||
char *line;
|
||||
size_t ptr=0, allocated=32;
|
||||
|
||||
line=str_alloc(allocated);
|
||||
for(;;) {
|
||||
if(ptr>65536) { /* >64KB --> DoS protection */
|
||||
s_log(LOG_ERR, "ssl_getstring: Line too long");
|
||||
str_free(line);
|
||||
longjmp(c->err, 1);
|
||||
}
|
||||
if(allocated<ptr+1) {
|
||||
allocated*=2;
|
||||
line=str_realloc(line, allocated);
|
||||
}
|
||||
s_ssl_read(c, line+ptr, 1);
|
||||
if(line[ptr]=='\0')
|
||||
break;
|
||||
++ptr;
|
||||
}
|
||||
return line;
|
||||
}
|
||||
|
||||
char *ssl_getline(CLI *c) { /* get newline-terminated string */
|
||||
char *line;
|
||||
size_t ptr=0, allocated=32;
|
||||
|
||||
line=str_alloc(allocated);
|
||||
for(;;) {
|
||||
if(ptr>65536) { /* >64KB --> DoS protection */
|
||||
s_log(LOG_ERR, "ssl_getline: Line too long");
|
||||
str_free(line);
|
||||
longjmp(c->err, 1);
|
||||
}
|
||||
if(allocated<ptr+1) {
|
||||
allocated*=2;
|
||||
line=str_realloc(line, allocated);
|
||||
}
|
||||
s_ssl_read(c, line+ptr, 1);
|
||||
if(line[ptr]=='\r')
|
||||
continue;
|
||||
if(line[ptr]=='\n')
|
||||
break;
|
||||
if(line[ptr]=='\0')
|
||||
break;
|
||||
++ptr;
|
||||
}
|
||||
line[ptr]='\0';
|
||||
s_log(LOG_DEBUG, " <- %s", line);
|
||||
return line;
|
||||
}
|
||||
|
||||
void ssl_putline(CLI *c, const char *line) { /* put newline-terminated string */
|
||||
char *tmpline;
|
||||
const char crlf[]="\r\n";
|
||||
size_t len;
|
||||
|
||||
tmpline=str_printf("%s%s", line, crlf);
|
||||
len=strlen(tmpline);
|
||||
if(len>INT_MAX) { /* paranoia */
|
||||
s_log(LOG_ERR, "ssl_putline: Line too long");
|
||||
str_free(tmpline);
|
||||
longjmp(c->err, 1);
|
||||
}
|
||||
s_ssl_write(c, tmpline, (int)len);
|
||||
str_free(tmpline);
|
||||
s_log(LOG_DEBUG, " -> %s", line);
|
||||
}
|
||||
|
||||
/**************************************** network helpers */
|
||||
|
||||
#define INET_SOCKET_PAIR
|
||||
|
||||
int make_sockets(int fd[2]) { /* make a pair of connected ipv4 sockets */
|
||||
int make_sockets(SOCKET fd[2]) { /* make a pair of connected ipv4 sockets */
|
||||
#ifdef INET_SOCKET_PAIR
|
||||
struct sockaddr_in addr;
|
||||
socklen_t addrlen;
|
||||
int s; /* temporary socket awaiting for connection */
|
||||
SOCKET s; /* temporary socket awaiting for connection */
|
||||
|
||||
/* create two *blocking* sockets first */
|
||||
s=s_socket(AF_INET, SOCK_STREAM, 0, 0, "make_sockets: s_socket#1");
|
||||
if(s<0) {
|
||||
if(s==INVALID_SOCKET)
|
||||
return 1;
|
||||
}
|
||||
fd[1]=s_socket(AF_INET, SOCK_STREAM, 0, 0, "make_sockets: s_socket#2");
|
||||
if(fd[1]<0) {
|
||||
if(fd[1]==INVALID_SOCKET) {
|
||||
closesocket(s);
|
||||
return 1;
|
||||
}
|
||||
|
||||
addrlen=sizeof addr;
|
||||
memset(&addr, 0, addrlen);
|
||||
memset(&addr, 0, sizeof addr);
|
||||
addr.sin_family=AF_INET;
|
||||
addr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);
|
||||
addr.sin_port=htons(0); /* dynamic port allocation */
|
||||
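Review bot: s_ssl_write treats only `num==-1` as an error, but SSL_write reports failure with any value <= 0 (0 when the TLS connection has been shut down); on a 0 return the loop does `ptr+=0; len-=0;`, the socket still polls as writable, and the function spins without making progress. Test `if(num<=0)` and consult SSL_get_error() to distinguish WANT_READ/WANT_WRITE (retry), ZERO_RETURN (peer closed) and real errors, rather than `sockerror()`, which reports the socket-level error and not the TLS error queue. s_ssl_read has the same shape (`case -1` / `case 0`). Both functions also log under the plain-socket names (`sockerror("s_write: s_poll_wait")` inside s_ssl_write and `sockerror("s_read: s_poll_wait")` inside s_ssl_read), which will misattribute TLS-path failures to s_write/s_read in the log; use the functions' own names. The `if(s==INVALID_SOCKET)` and `if(fd[1]==INVALID_SOCKET)` changes in make_sockets are correct, since SOCKET is unsigned on Win32 and `<0` could never be true there.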
@ -685,7 +905,7 @@ int make_sockets(int fd[2]) { /* make a pair of connected ipv4 sockets */
|
||||
}
|
||||
fd[0]=s_accept(s, (struct sockaddr *)&addr, &addrlen, 1,
|
||||
"make_sockets: s_accept");
|
||||
if(fd[0]<0) {
|
||||
if(fd[0]==INVALID_SOCKET) {
|
||||
closesocket(s);
|
||||
closesocket(fd[1]);
|
||||
return 1;
|
||||
@ -700,4 +920,26 @@ int make_sockets(int fd[2]) { /* make a pair of connected ipv4 sockets */
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* returns 0 on success, and -1 on error */
|
||||
int original_dst(const SOCKET fd, SOCKADDR_UNION *addr) {
|
||||
socklen_t addrlen;
|
||||
|
||||
memset(addr, 0, sizeof(SOCKADDR_UNION));
|
||||
addrlen=sizeof(SOCKADDR_UNION);
|
||||
#ifdef SO_ORIGINAL_DST
|
||||
#ifdef USE_IPv6
|
||||
if(!getsockopt(fd, SOL_IPV6, SO_ORIGINAL_DST, &addr->sa, &addrlen))
|
||||
return 0; /* succeeded */
|
||||
#endif /* USE_IPv6 */
|
||||
if(!getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, &addr->sa, &addrlen))
|
||||
return 0; /* succeeded */
|
||||
sockerror("getsockopt SO_ORIGINAL_DST");
|
||||
#else /* SO_ORIGINAL_DST */
|
||||
if(!getsockname(fd, &addr->sa, &addrlen))
|
||||
return 0; /* succeeded */
|
||||
sockerror("getsockname");
|
||||
#endif /* SO_ORIGINAL_DST */
|
||||
return -1; /* failed */
|
||||
}
|
||||
|
||||
/* end of network.c */
|
||||
|
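Review bot: in original_dst, the IPv6 lookup `getsockopt(fd, SOL_IPV6, SO_ORIGINAL_DST, &addr->sa, &addrlen)` reuses the IPv4 constant; the netfilter headers define `IP6T_SO_ORIGINAL_DST` for this level (same numeric value, so it works, but the named constant documents the intent and protects against the values ever diverging). More importantly, the `#else /* SO_ORIGINAL_DST */` branch silently substitutes getsockname(), i.e. the address stunnel itself is listening on, when transparent destination lookup is unavailable, and the caller cannot tell this apart from a real original destination. Consider returning -1 with a LOG_NOTICE saying transparent destination lookup is unsupported on this platform, so the caller fails explicitly instead of using the listener's own address.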
101
src/nogui.c
@ -1,101 +0,0 @@
|
||||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||
* See the GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||
*
|
||||
* Linking stunnel statically or dynamically with other modules is making
|
||||
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||
* the GNU General Public License cover the whole combination.
|
||||
*
|
||||
* In addition, as a special exception, the copyright holder of stunnel
|
||||
* gives you permission to combine stunnel with free software programs or
|
||||
* libraries that are released under the GNU LGPL and with code included
|
||||
* in the standard release of OpenSSL under the OpenSSL License (or
|
||||
* modified versions of such code, with unchanged license). You may copy
|
||||
* and distribute such a system following the terms of the GNU GPL for
|
||||
* stunnel and the licenses of the other code concerned.
|
||||
*
|
||||
* Note that people who make modified versions of stunnel are not obligated
|
||||
* to grant this special exception for their modified versions; it is their
|
||||
* choice whether to do so. The GNU General Public License gives permission
|
||||
* to release a modified version without this exception; this exception
|
||||
* also makes it possible to release a modified version which carries
|
||||
* forward this exception.
|
||||
*/
|
||||
|
||||
#include "common.h"
|
||||
#include "prototypes.h"
|
||||
|
||||
int main(int argc, char *argv[]) {
|
||||
static struct WSAData wsa_state;
|
||||
|
||||
str_init(); /* initialize per-thread string management */
|
||||
if(WSAStartup(MAKEWORD(1, 1), &wsa_state))
|
||||
return 1;
|
||||
resolver_init();
|
||||
main_initialize();
|
||||
if(!main_configure(argc>1 ? argv[1] : NULL, argc>2 ? argv[2] : NULL))
|
||||
daemon_loop();
|
||||
unbind_ports();
|
||||
log_flush(LOG_MODE_ERROR);
|
||||
return 0;
|
||||
}
|
||||
|
||||
void message_box(const LPSTR text, const UINT type) {
|
||||
LPTSTR tstr;
|
||||
|
||||
tstr=str2tstr(text);
|
||||
MessageBox(NULL, tstr, TEXT("stunnel"), type);
|
||||
str_free(tstr);
|
||||
}
|
||||
|
||||
void win_new_chain(int section_number) {
|
||||
(void)section_number; /* skip warning about unused parameter */
|
||||
}
|
||||
|
||||
void win_new_log(char *line) {
|
||||
#ifdef _WIN32_WCE
|
||||
/* log to Windows CE debug output stream */
|
||||
LPTSTR tstr;
|
||||
|
||||
tstr=str2tstr(line);
|
||||
RETAILMSG(TRUE, (TEXT("%s\r\n"), tstr));
|
||||
str_free(tstr);
|
||||
#else
|
||||
printf("%s\n", line);
|
||||
#endif
|
||||
}
|
||||
|
||||
void win_new_config(void) {
|
||||
/* no action */
|
||||
}
|
||||
|
||||
int passwd_cb(char *buf, int size, int rwflag, void *userdata) {
|
||||
(void)buf; /* skip warning about unused parameter */
|
||||
(void)size; /* skip warning about unused parameter */
|
||||
(void)rwflag; /* skip warning about unused parameter */
|
||||
(void)userdata; /* skip warning about unused parameter */
|
||||
return 0; /* not implemented */
|
||||
}
|
||||
|
||||
#ifdef HAVE_OSSL_ENGINE_H
|
||||
int pin_cb(UI *ui, UI_STRING *uis) {
|
||||
(void)ui; /* skip warning about unused parameter */
|
||||
(void)uis; /* skip warning about unused parameter */
|
||||
return 0; /* not implemented */
|
||||
}
|
||||
#endif
|
||||
|
||||
/* end of nogui.c */
|
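Review bot: deleting src/nogui.c removes the definitions of main(), message_box(), win_new_chain(), win_new_log(), win_new_config(), passwd_cb() and pin_cb() used by the console build on Windows and Windows CE; state where these now live (the prototypes.h hunk below changes the comment "service-specific data for gui.c" to "ui_*.c", which suggests the replacement files) and update every build file that listed nogui.o. One detail worth carrying over: the deleted passwd_cb() returned 0 without touching `buf`; any replacement that actually reads a passphrase must bound its write by `size` and should clear the buffer after use.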
2611
src/options.c
File diff suppressed because it is too large
15
src/os2.mak
@ -1,11 +1,11 @@
|
||||
prefix=.
|
||||
DEFS = -DPACKAGE_NAME=\"stunnel\" \
|
||||
-DPACKAGE_TARNAME=\"stunnel\" \
|
||||
-DPACKAGE_VERSION=\"4.57\" \
|
||||
-DPACKAGE_STRING=\"stunnel\ 4.57\" \
|
||||
-DPACKAGE_VERSION=\"5.42\" \
|
||||
-DPACKAGE_STRING=\"stunnel\ 5.42\" \
|
||||
-DPACKAGE_BUGREPORT=\"\" \
|
||||
-DPACKAGE=\"stunnel\" \
|
||||
-DVERSION=\"4.57\" \
|
||||
-DVERSION=\"5.42\" \
|
||||
-DSTDC_HEADERS=1 \
|
||||
-DHAVE_SYS_TYPES_H=1 \
|
||||
-DHAVE_SYS_STAT_H=1 \
|
||||
@ -14,7 +14,6 @@ DEFS = -DPACKAGE_NAME=\"stunnel\" \
|
||||
-DHAVE_MEMORY_H=1 \
|
||||
-DHAVE_STRINGS_H=1 \
|
||||
-DHAVE_UNISTD_H=1 \
|
||||
-DHAVE_OSSL_ENGINE_H=1 \
|
||||
-DSSLDIR=\"/usr\" \
|
||||
-DHOST=\"i386-pc-os2-emx\" \
|
||||
-DHAVE_LIBSOCKET=1 \
|
||||
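Review bot: dropping `-DHAVE_OSSL_ENGINE_H=1` from DEFS is consistent with the prototypes.h hunk in this commit, which replaces `#ifdef HAVE_OSSL_ENGINE_H` with `#ifndef OPENSSL_NO_ENGINE`; since OPENSSL_NO_ENGINE comes from OpenSSL's own opensslconf.h, no replacement -D is needed here. Worth a line in the commit description, because an out-of-tree build script that still defines HAVE_OSSL_ENGINE_H will now silently have no effect.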
@ -34,8 +33,7 @@ DEFS = -DPACKAGE_NAME=\"stunnel\" \
|
||||
-DSIZEOF_UNSIGNED_INT=4 \
|
||||
-DSIZEOF_UNSIGNED_LONG=4 \
|
||||
-DLIBDIR=\"$(prefix)/lib\" \
|
||||
-DCONFDIR=\"$(prefix)/etc\" \
|
||||
-DPIDFILE=\"$(prefix)/stunnel.pid\"
|
||||
-DCONFDIR=\"$(prefix)/etc\"
|
||||
|
||||
CC = gcc
|
||||
.SUFFIXES = .c .o
|
||||
@ -43,7 +41,7 @@ OPENSSLDIR = u:/extras
|
||||
#SYSLOGDIR = /unixos2/workdir/syslog
|
||||
INCLUDES = -I$(OPENSSLDIR)/outinc
|
||||
LIBS = -lsocket -L$(OPENSSLDIR)/out -lssl -lcrypto -lz -lsyslog
|
||||
OBJS = file.o client.o log.o options.o protocol.o network.o ssl.o ctx.o verify.o sthreads.o stunnel.o pty.o resolver.o str.o fd.o
|
||||
OBJS = file.o client.o log.o options.o protocol.o network.o ssl.o ctx.o verify.o sthreads.o stunnel.o pty.o resolver.o str.o tls.o fd.o dhparam.o cron.o
|
||||
LIBDIR = .
|
||||
CFLAGS = -O2 -Wall -Wshadow -Wcast-align -Wpointer-arith
|
||||
|
||||
@ -70,7 +68,10 @@ sthreads.o: sthreads.c common.h prototypes.h
|
||||
stunnel.o: stunnel.c common.h prototypes.h
|
||||
resolver.o: resolver.c common.h prototypes.h
|
||||
str.o: str.c common.h prototypes.h
|
||||
tls.o: tls.c common.h prototypes.h
|
||||
fd.o: fd.c common.h prototypes.h
|
||||
dhparam.o: dhparam.c common.h prototypes.h
|
||||
cron.o: cron.c common.h prototypes.h
|
||||
|
||||
clean:
|
||||
rm -f *.o *.exe
|
||||
|
982
src/protocol.c
File diff suppressed because it is too large
616
src/prototypes.h
@ -1,24 +1,24 @@
|
||||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version.
|
||||
*
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||
* See the GNU General Public License for more details.
|
||||
*
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||
*
|
||||
*
|
||||
* Linking stunnel statically or dynamically with other modules is making
|
||||
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||
* the GNU General Public License cover the whole combination.
|
||||
*
|
||||
*
|
||||
* In addition, as a special exception, the copyright holder of stunnel
|
||||
* gives you permission to combine stunnel with free software programs or
|
||||
* libraries that are released under the GNU LGPL and with code included
|
||||
@ -26,7 +26,7 @@
|
||||
* modified versions of such code, with unchanged license). You may copy
|
||||
* and distribute such a system following the terms of the GNU GPL for
|
||||
* stunnel and the licenses of the other code concerned.
|
||||
*
|
||||
*
|
||||
* Note that people who make modified versions of stunnel are not obligated
|
||||
* to grant this special exception for their modified versions; it is their
|
||||
* choice whether to do so. The GNU General Public License gives permission
|
||||
@ -40,15 +40,45 @@
|
||||
|
||||
#include "common.h"
|
||||
|
||||
/**************************************** forward declarations */
|
||||
|
||||
typedef struct tls_data_struct TLS_DATA;
|
||||
|
||||
/**************************************** data structures */
|
||||
|
||||
#if defined (USE_WIN32)
|
||||
#define ICON_IMAGE HICON
|
||||
#elif defined(__APPLE__)
|
||||
#define ICON_IMAGE void *
|
||||
#endif
|
||||
|
||||
typedef enum {
|
||||
LOG_MODE_NONE,
|
||||
ICON_ERROR,
|
||||
ICON_IDLE,
|
||||
ICON_ACTIVE,
|
||||
ICON_NONE /* it has to be the last one */
|
||||
} ICON_TYPE;
|
||||
|
||||
typedef enum {
|
||||
LOG_MODE_BUFFER,
|
||||
LOG_MODE_ERROR,
|
||||
LOG_MODE_INFO,
|
||||
LOG_MODE_CONFIGURED
|
||||
} LOG_MODE;
|
||||
|
||||
typedef enum {
|
||||
LOG_ID_SEQUENTIAL,
|
||||
LOG_ID_UNIQUE,
|
||||
LOG_ID_THREAD,
|
||||
LOG_ID_PROCESS
|
||||
} LOG_ID;
|
||||
|
||||
typedef enum {
|
||||
FILE_MODE_READ,
|
||||
FILE_MODE_APPEND,
|
||||
FILE_MODE_OVERWRITE
|
||||
} FILE_MODE;
|
||||
|
||||
typedef union sockaddr_union {
|
||||
struct sockaddr sa;
|
||||
struct sockaddr_in in;
|
||||
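Review bot: LOG_MODE_NONE is removed from the LOG_MODE enum and LOG_MODE_BUFFER takes its place as the first enumerator; both sit at value 0, so any code that compared a LOG_MODE against 0 or relied on a zero-initialized struct meaning "no logging" now silently reads as LOG_MODE_BUFFER. Grep for the remaining LOG_MODE_NONE uses rather than relying on the compiler alone. The `ICON_NONE /* it has to be the last one */` convention only works because the later GLOBAL_OPTIONS hunk sizes the array as `ICON_IMAGE icon[ICON_NONE]`; a comment at the array pointing back to this requirement (or a separate ICON_COUNT enumerator) would make the dependency visible. Style: `#if defined (USE_WIN32)` has a stray space before the parenthesis compared with `#elif defined(__APPLE__)` on the next line.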
@ -66,25 +96,29 @@ typedef struct name_list_struct {
|
||||
} NAME_LIST;
|
||||
|
||||
typedef struct sockaddr_list { /* list of addresses */
|
||||
SOCKADDR_UNION *addr; /* the list of addresses */
|
||||
u16 cur; /* current address for round-robin */
|
||||
u16 num; /* how many addresses are used */
|
||||
struct sockaddr_list *parent; /* used by copies to locate their parent */
|
||||
SOCKADDR_UNION *addr; /* array of resolved addresses */
|
||||
SSL_SESSION **session; /* array of cached client sessions */
|
||||
unsigned rr; /* current address for round-robin */
|
||||
unsigned num; /* how many addresses are used */
|
||||
int passive; /* listening socket */
|
||||
NAME_LIST *names; /* a list of unresolved names */
|
||||
} SOCKADDR_LIST;
|
||||
|
||||
#ifndef OPENSSL_NO_COMP
|
||||
typedef enum {
|
||||
COMP_NONE, COMP_DEFLATE, COMP_ZLIB, COMP_RLE
|
||||
COMP_NONE, COMP_DEFLATE, COMP_ZLIB
|
||||
} COMP_TYPE;
|
||||
#endif /* OPENSSL_NO_COMP */
|
||||
#endif /* !defined(OPENSSL_NO_COMP) */
|
||||
|
||||
typedef struct {
|
||||
/* some data for SSL initialization in ssl.c */
|
||||
/* some data for TLS initialization in ssl.c */
|
||||
#ifndef OPENSSL_NO_COMP
|
||||
COMP_TYPE compression; /* compression type */
|
||||
#endif /* OPENSSL_NO_COMP */
|
||||
#endif /* !defined(OPENSSL_NO_COMP) */
|
||||
char *egd_sock; /* entropy gathering daemon socket */
|
||||
char *rand_file; /* file with random data */
|
||||
int random_bytes; /* how many random bytes to read */
|
||||
long random_bytes; /* how many random bytes to read */
|
||||
|
||||
/* some global data for stunnel.c */
|
||||
#ifndef USE_WIN32
|
||||
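Review bot: SOCKADDR_LIST gains `SSL_SESSION **session; /* array of cached client sessions */` alongside `addr`, but nothing says who owns the cached sessions; each entry needs an SSL_SESSION_free() when the list is rebuilt (the new `NAME_LIST *names` field implies re-resolution can replace `addr`), otherwise sessions leak, and since they hold resumption secrets they should not outlive the configuration that created them. Likewise `unsigned rr; /* current address for round-robin */` is a cursor shared by all client threads; document which lock serializes its updates. Changing `u16 cur/num` to `unsigned` is fine, and dropping COMP_RLE from COMP_TYPE matches current OpenSSL, which no longer provides RLE compression.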
@ -93,27 +127,32 @@ typedef struct {
|
||||
#endif
|
||||
unsigned long dpid;
|
||||
char *pidfile;
|
||||
int uid, gid;
|
||||
#endif
|
||||
|
||||
/* logging-support data for log.c */
|
||||
int debug_level; /* debug level for logging */
|
||||
#ifndef USE_WIN32
|
||||
int facility; /* debug facility for syslog */
|
||||
int log_facility; /* debug facility for syslog */
|
||||
#endif
|
||||
char *output_file;
|
||||
FILE_MODE log_file_mode;
|
||||
|
||||
/* user interface configuration */
|
||||
#ifdef ICON_IMAGE
|
||||
ICON_IMAGE icon[ICON_NONE]; /* user-specified GUI icons */
|
||||
#endif
|
||||
|
||||
/* on/off switches */
|
||||
struct {
|
||||
unsigned int rand_write:1; /* overwrite rand_file */
|
||||
unsigned rand_write:1; /* overwrite rand_file */
|
||||
#ifdef USE_WIN32
|
||||
unsigned int taskbar:1; /* enable the taskbar icon */
|
||||
unsigned taskbar:1; /* enable the taskbar icon */
|
||||
#else /* !USE_WIN32 */
|
||||
unsigned int foreground:1;
|
||||
unsigned int syslog:1;
|
||||
unsigned foreground:1;
|
||||
unsigned log_stderr:1;
|
||||
unsigned log_syslog:1;
|
||||
#endif
|
||||
#ifdef USE_FIPS
|
||||
unsigned int fips:1; /* enable FIPS 140-2 mode */
|
||||
unsigned fips:1; /* enable FIPS 140-2 mode */
|
||||
#endif
|
||||
} option;
|
||||
} GLOBAL_OPTIONS;
|
||||
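Review bot: the `unsigned int syslog:1;` switch is split into `unsigned log_stderr:1;` and `unsigned log_syslog:1;` inside a hunk that otherwise only rewrites `unsigned int x:1` as `unsigned x:1`; that behavioral change is easy to miss among the style churn and deserves its own mention (including what the default for log_stderr is) rather than being buried here. Separately, GLOBAL_OPTIONS keeps `int uid, gid;` while the SERVICE_OPTIONS hunk below declares `uid_t uid; gid_t gid;` for the same concept; aligning both on uid_t/gid_t would avoid sign and width surprises when the values are compared or passed to setuid/setgid.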
@ -122,16 +161,39 @@ extern GLOBAL_OPTIONS global_options;
|
||||
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
typedef struct servername_list_struct SERVERNAME_LIST;/* forward declaration */
|
||||
#endif
|
||||
#endif /* !defined(OPENSSL_NO_TLSEXT) */
|
||||
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
typedef struct psk_keys_struct {
|
||||
char *identity;
|
||||
unsigned char *key_val;
|
||||
size_t key_len;
|
||||
struct psk_keys_struct *next;
|
||||
} PSK_KEYS;
|
||||
typedef struct psk_table_struct {
|
||||
PSK_KEYS **val;
|
||||
size_t num;
|
||||
} PSK_TABLE;
|
||||
#endif /* !defined(OPENSSL_NO_PSK) */
|
||||
|
||||
typedef struct service_options_struct {
|
||||
struct service_options_struct *next; /* next node in the services list */
|
||||
SSL_CTX *ctx; /* SSL context */
|
||||
SSL_CTX *ctx; /* TLS context */
|
||||
char *servname; /* service name for logging & permission checking */
|
||||
|
||||
/* service-specific data for stunnel.c */
|
||||
#ifndef USE_WIN32
|
||||
uid_t uid;
|
||||
gid_t gid;
|
||||
#endif
|
||||
|
||||
/* service-specific data for log.c */
|
||||
int log_level; /* debug level for logging */
|
||||
LOG_ID log_id; /* logging session id type */
|
||||
|
||||
/* service-specific data for sthreads.c */
|
||||
#ifndef USE_FORK
|
||||
int stack_size; /* stack size for this thread */
|
||||
size_t stack_size; /* stack size for this thread */
|
||||
#endif
|
||||
|
||||
/* service-specific data for verify.c */
|
||||
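Review bot: PSK_KEYS stores raw secret key bytes (`unsigned char *key_val; size_t key_len;`) but the declaration says nothing about how they are released; the routine that frees a PSK_KEYS node should wipe key_val (OPENSSL_cleanse) before freeing so pre-shared keys do not linger in heap memory, and the struct comment is the place to state that requirement. PSK_TABLE keeps `PSK_KEYS **val` with a `size_t num` count and the service struct later names it `psk_sorted`, so document the sort key (the identity string) and the comparison used, since a lookup routine written against a different ordering would silently miss entries. Changing `stack_size` to `size_t` matches the type pthread_attr_setstacksize expects.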
@ -139,92 +201,109 @@ typedef struct service_options_struct {
|
||||
char *ca_file; /* file containing bunches of certs */
|
||||
char *crl_dir; /* directory for hashed CRLs */
|
||||
char *crl_file; /* file containing bunches of CRLs */
|
||||
int verify_level;
|
||||
X509_STORE *revocation_store; /* cert store for CRL checking */
|
||||
#ifdef HAVE_OSSL_OCSP_H
|
||||
SOCKADDR_UNION ocsp_addr;
|
||||
char *ocsp_path;
|
||||
#ifndef OPENSSL_NO_OCSP
|
||||
char *ocsp_url;
|
||||
unsigned long ocsp_flags;
|
||||
#endif
|
||||
#endif /* !defined(OPENSSL_NO_OCSP) */
|
||||
#if OPENSSL_VERSION_NUMBER>=0x10002000L
|
||||
NAME_LIST *check_host, *check_email, *check_ip; /* cert subject checks */
|
||||
NAME_LIST *config; /* OpenSSL CONF options */
|
||||
#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
|
||||
|
||||
/* service-specific data for ctx.c */
|
||||
char *cipher_list;
|
||||
char *cert; /* cert filename */
|
||||
char *key; /* pem (priv key/cert) filename */
|
||||
long session_size, session_timeout;
|
||||
long ssl_options;
|
||||
long unsigned ssl_options_set;
|
||||
#if OPENSSL_VERSION_NUMBER>=0x009080dfL
|
||||
long unsigned ssl_options_clear;
|
||||
#endif /* OpenSSL 0.9.8m or later */
|
||||
SSL_METHOD *client_method, *server_method;
|
||||
SOCKADDR_UNION sessiond_addr;
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
char *sni;
|
||||
SERVERNAME_LIST *servername_list_head, *servername_list_tail;
|
||||
#endif
|
||||
#endif /* !defined(OPENSSL_NO_TLSEXT) */
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
char *psk_identity;
|
||||
PSK_KEYS *psk_keys, *psk_selected;
|
||||
PSK_TABLE psk_sorted;
|
||||
#endif /* !defined(OPENSSL_NO_PSK) */
|
||||
#ifndef OPENSSL_NO_ECDH
|
||||
int curve;
|
||||
#endif
|
||||
#ifdef HAVE_OSSL_ENGINE_H
|
||||
#endif /* !defined(OPENSSL_NO_ECDH) */
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
ENGINE *engine; /* engine to read the private key */
|
||||
#endif
|
||||
#endif /* !defined(OPENSSL_NO_ENGINE) */
|
||||
|
||||
/* service-specific data for client.c */
|
||||
int fd; /* file descriptor accepting connections for this service */
|
||||
SOCKET fd; /* file descriptor accepting connections for this service */
|
||||
SSL_SESSION *session; /* recently used session */
|
||||
char *execname; /* program name for local mode */
|
||||
char *exec_name; /* program name for local mode */
|
||||
#ifdef USE_WIN32
|
||||
char *execargs; /* program arguments for local mode */
|
||||
char *exec_args; /* program arguments for local mode */
|
||||
#else
|
||||
char **execargs; /* program arguments for local mode */
|
||||
char **exec_args; /* program arguments for local mode */
|
||||
#endif
|
||||
SOCKADDR_UNION local_addr, source_addr;
|
||||
SOCKADDR_LIST connect_addr;
|
||||
char *username;
|
||||
NAME_LIST *connect_list;
|
||||
SOCKADDR_LIST connect_addr, redirect_addr;
|
||||
int timeout_busy; /* maximum waiting for data time */
|
||||
int timeout_close; /* maximum close_notify time */
|
||||
int timeout_connect; /* maximum connect() time */
|
||||
int timeout_idle; /* maximum idle connection time */
|
||||
enum {FAILOVER_RR, FAILOVER_PRIO} failover; /* failover strategy */
|
||||
char *username;
|
||||
|
||||
/* service-specific data for protocol.c */
|
||||
int protocol;
|
||||
char * protocol;
|
||||
char *protocol_host;
|
||||
char *protocol_domain;
|
||||
char *protocol_username;
|
||||
char *protocol_password;
|
||||
char *protocol_authentication;
|
||||
|
||||
/* service-specific data for gui.c */
|
||||
/* service-specific data for ui_*.c */
|
||||
#ifdef USE_WIN32
|
||||
int section_number;
|
||||
LPTSTR file;
|
||||
char *help, *chain;
|
||||
LPTSTR file, help;
|
||||
#endif
|
||||
unsigned section_number;
|
||||
char *chain;
|
||||
|
||||
/* on/off switches */
|
||||
struct {
|
||||
unsigned int accept:1; /* endpoint: accept */
|
||||
unsigned int client:1;
|
||||
unsigned int delayed_lookup:1;
|
||||
unsigned request_cert:1; /* request a peer certificate */
|
||||
unsigned require_cert:1; /* require a client certificate */
|
||||
unsigned verify_chain:1; /* verify certificate chain */
|
||||
unsigned verify_peer:1; /* verify peer certificate */
|
||||
unsigned accept:1; /* endpoint: accept */
|
||||
unsigned client:1;
|
||||
unsigned delayed_lookup:1;
|
||||
#ifdef USE_LIBWRAP
|
||||
unsigned int libwrap:1;
|
||||
unsigned libwrap:1;
|
||||
#endif
|
||||
unsigned int local:1; /* outgoing interface specified */
|
||||
unsigned int remote:1; /* endpoint: connect */
|
||||
unsigned int retry:1; /* loop remote+program */
|
||||
unsigned int sessiond:1;
|
||||
unsigned int program:1; /* endpoint: exec */
|
||||
unsigned local:1; /* outgoing interface specified */
|
||||
unsigned retry:1; /* loop remote+program */
|
||||
unsigned sessiond:1;
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
unsigned int sni:1; /* endpoint: sni */
|
||||
#endif
|
||||
unsigned sni:1; /* endpoint: sni */
|
||||
#endif /* !defined(OPENSSL_NO_TLSEXT) */
|
||||
#ifndef USE_WIN32
|
||||
unsigned int pty:1;
|
||||
unsigned int transparent_src:1;
|
||||
unsigned int transparent_dst:1; /* endpoint: transparent destination */
|
||||
unsigned pty:1;
|
||||
unsigned transparent_src:1;
|
||||
#endif
|
||||
#ifdef HAVE_OSSL_OCSP_H
|
||||
unsigned int ocsp:1;
|
||||
#endif
|
||||
unsigned int reset:1; /* reset sockets on error */
|
||||
unsigned int renegotiation:1;
|
||||
unsigned transparent_dst:1; /* endpoint: transparent destination */
|
||||
unsigned protocol_endpoint:1; /* dynamic target from the protocol */
|
||||
unsigned reset:1; /* reset sockets on error */
|
||||
unsigned renegotiation:1;
|
||||
unsigned connect_before_ssl:1;
|
||||
#ifndef OPENSSL_NO_OCSP
|
||||
unsigned aia:1; /* Authority Information Access */
|
||||
unsigned nonce:1; /* send and verify OCSP nonce */
|
||||
#endif /* !defined(OPENSSL_NO_OCSP) */
|
||||
#ifndef OPENSSL_NO_DH
|
||||
unsigned dh_needed:1;
|
||||
#endif /* OPENSSL_NO_DH */
|
||||
} option;
|
||||
} SERVICE_OPTIONS;
|
||||
|
||||
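Review bot: the new `option.protocol_endpoint` bit ("dynamic target from the protocol") and the `char *protocol` field it accompanies carry no documentation of which protocol negotiations may replace the configured connect target, nor of what check is applied to the resulting address; since that target is then derived from peer-supplied data rather than from the configuration file, a comment here naming the protocols that set it and the validation the address goes through would help the next reader. Smaller points in the same region: several switches in the `option` bitfield (`client`, `delayed_lookup`, `sessiond`, `renegotiation`, `connect_before_ssl`, `dh_needed`) have no trailing comment while their neighbours (`request_cert`, `require_cert`, `verify_chain`, `verify_peer`) do, and the distinction between the last four is exactly the kind of thing a reader of this header needs spelled out; the replacement of `#ifdef HAVE_OSSL_ENGINE_H` by `#ifndef OPENSSL_NO_ENGINE` is the correct OpenSSL feature macro and the matching `#endif /* !defined(OPENSSL_NO_ENGINE) */` comment is consistent with the TLSEXT and PSK blocks above it.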
@ -236,7 +315,7 @@ struct servername_list_struct {
|
||||
SERVICE_OPTIONS *opt;
|
||||
struct servername_list_struct *next;
|
||||
};
|
||||
#endif
|
||||
#endif /* !defined(OPENSSL_NO_TLSEXT) */
|
||||
|
||||
typedef enum {
|
||||
TYPE_NONE, TYPE_FLAG, TYPE_INT, TYPE_LINGER, TYPE_TIMEVAL, TYPE_STRING
|
||||
@ -267,11 +346,14 @@ typedef enum {
|
||||
typedef struct {
|
||||
#ifdef USE_POLL
|
||||
struct pollfd *ufds;
|
||||
unsigned int nfds;
|
||||
unsigned int allocated;
|
||||
unsigned nfds;
|
||||
unsigned allocated;
|
||||
#else /* select */
|
||||
fd_set irfds, iwfds, ixfds, orfds, owfds, oxfds;
|
||||
int max;
|
||||
fd_set *irfds, *iwfds, *ixfds, *orfds, *owfds, *oxfds;
|
||||
SOCKET max;
|
||||
#ifdef USE_WIN32
|
||||
unsigned allocated;
|
||||
#endif
|
||||
#endif
|
||||
} s_poll_set;
|
||||
|
||||
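Review bot: in the select() branch the `fd_set` members become pointers (`fd_set *irfds, *iwfds, *ixfds, *orfds, *owfds, *oxfds;`) but the `allocated` counter that would size them is only declared under `#ifdef USE_WIN32`, so on non-Windows select builds nothing in the structure records how large the pointed-to sets are; if they are fixed at `sizeof(fd_set)` there, a comment saying so, and that `max` must stay below FD_SETSIZE when the set is filled, would make the invariant explicit. `max` changing from `int` to `SOCKET` is right for Winsock handles; on POSIX, where `SOCKET` is presumably an `int`, the `max+1` handed to select() is the value that needs the FD_SETSIZE check.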
@ -281,47 +363,91 @@ typedef struct disk_file {
|
||||
#else
|
||||
int fd;
|
||||
#endif
|
||||
/* the inteface is prepared to easily implement buffering if needed */
|
||||
/* the interface is prepared to easily implement buffering if needed */
|
||||
} DISK_FILE;
|
||||
|
||||
/* FD definition for client.c */
|
||||
/* definitions for client.c */
|
||||
|
||||
typedef struct {
|
||||
int fd; /* file descriptor */
|
||||
SOCKET fd; /* file descriptor */
|
||||
int is_socket; /* file descriptor is a socket */
|
||||
} FD;
|
||||
|
||||
typedef enum {
|
||||
RENEG_INIT, /* initial state */
|
||||
RENEG_ESTABLISHED, /* initial handshake completed */
|
||||
RENEG_DETECTED /* renegotiation detected */
|
||||
} RENEG_STATE;
|
||||
|
||||
typedef struct {
|
||||
jmp_buf err; /* 64-bit platforms require jmp_buf to be 16-byte aligned */
|
||||
SSL *ssl; /* TLS connection */
|
||||
SERVICE_OPTIONS *opt;
|
||||
TLS_DATA *tls;
|
||||
|
||||
SOCKADDR_UNION peer_addr; /* peer address */
|
||||
socklen_t peer_addr_len;
|
||||
SOCKADDR_UNION *bind_addr; /* address to bind() the socket */
|
||||
SOCKADDR_LIST connect_addr; /* either copied or resolved dynamically */
|
||||
unsigned idx; /* actually connected address in connect_addr */
|
||||
FD local_rfd, local_wfd; /* read and write local descriptors */
|
||||
FD remote_fd; /* remote file descriptor */
|
||||
/* IP for explicit local bind or transparent proxy */
|
||||
unsigned long pid; /* PID of the local process */
|
||||
SOCKET fd; /* temporary file descriptor */
|
||||
RENEG_STATE reneg_state; /* used to track renegotiation attempts */
|
||||
unsigned long long seq; /* sequential thread number for logging */
|
||||
|
||||
/* data for transfer() function */
|
||||
char sock_buff[BUFFSIZE]; /* socket read buffer */
|
||||
char ssl_buff[BUFFSIZE]; /* TLS read buffer */
|
||||
size_t sock_ptr, ssl_ptr; /* index of the first unused byte */
|
||||
FD *sock_rfd, *sock_wfd; /* read and write socket descriptors */
|
||||
FD *ssl_rfd, *ssl_wfd; /* read and write TLS descriptors */
|
||||
uint64_t sock_bytes, ssl_bytes; /* bytes written to socket and TLS */
|
||||
s_poll_set *fds; /* file descriptors */
|
||||
} CLI;
|
||||
|
||||
/**************************************** prototypes for stunnel.c */
|
||||
|
||||
#ifndef USE_FORK
|
||||
extern int max_clients;
|
||||
extern volatile int num_clients;
|
||||
extern long max_clients;
|
||||
extern volatile long num_clients;
|
||||
#endif
|
||||
|
||||
void main_initialize(void);
|
||||
void main_init(void);
|
||||
int main_configure(char *, char *);
|
||||
void main_cleanup(void);
|
||||
int drop_privileges(int);
|
||||
void daemon_loop(void);
|
||||
void unbind_ports(void);
|
||||
int bind_ports(void);
|
||||
#if !defined (USE_WIN32) && !defined (__vms) && !defined(USE_OS2)
|
||||
int drop_privileges(int);
|
||||
#endif
|
||||
void signal_post(int);
|
||||
#if !defined(USE_WIN32) && !defined(USE_OS2)
|
||||
void child_status(void); /* dead libwrap or 'exec' process detected */
|
||||
#endif
|
||||
void stunnel_info(int);
|
||||
|
||||
/**************************************** prototypes for options.c */
|
||||
|
||||
extern char configuration_file[PATH_MAX];
|
||||
extern unsigned number_of_sections;
|
||||
|
||||
int options_cmdline(char *, char *);
|
||||
int options_parse(CONF_TYPE);
|
||||
void options_defaults(void);
|
||||
void options_apply(void);
|
||||
|
||||
/**************************************** prototypes for fd.c */
|
||||
|
||||
#ifndef USE_FORK
|
||||
void get_limits(void); /* setup global max_clients and max_fds */
|
||||
#endif
|
||||
int s_socket(int, int, int, int, char *);
|
||||
int s_pipe(int [2], int, char *);
|
||||
int s_socketpair(int, int, int, int [2], int, char *);
|
||||
int s_accept(int, struct sockaddr *, socklen_t *, int, char *);
|
||||
void set_nonblock(int, unsigned long);
|
||||
SOCKET s_socket(int, int, int, int, char *);
|
||||
int s_pipe(int[2], int, char *);
|
||||
int s_socketpair(int, int, int, SOCKET[2], int, char *);
|
||||
SOCKET s_accept(SOCKET, struct sockaddr *, socklen_t *, int, char *);
|
||||
void set_nonblock(SOCKET, unsigned long);
|
||||
|
||||
/**************************************** prototypes for log.c */
|
||||
|
||||
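Review bot: `sock_bytes, ssl_bytes` move from `int` to `uint64_t` and `sock_ptr, ssl_ptr` from `int` to `size_t`, which removes the signed overflow on long-lived tunnels, but nothing in this hunk pulls in `<stdint.h>` (or an equivalent typedef for older MSVC); confirm common.h provides it, and that the log statements printing these counters, which are outside this hunk, use `PRIu64` / `%zu` rather than `%d`. `int s_pipe(int[2], int, char *)` keeps `int` while `s_socketpair(int, int, int, SOCKET[2], int, char *)` and `s_accept` move to `SOCKET`: that is correct, since pipes are never Winsock handles, but a one-line comment would stop the next person "fixing" it. `extern char configuration_file[PATH_MAX];` depends on PATH_MAX, which not every POSIX platform defines (GNU/Hurd is the usual example), so a fallback define next to it is worth adding. The `drop_privileges(int)` prototype is now correctly fenced under `#if !defined (USE_WIN32) && !defined (__vms) && !defined(USE_OS2)`.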
@ -338,7 +464,8 @@ void s_log(int, const char *, ...)
|
||||
#else
|
||||
;
|
||||
#endif
|
||||
void fatal_debug(char *, char *, int);
|
||||
char *log_id(CLI *);
|
||||
void fatal_debug(char *, const char *, int);
|
||||
#define fatal(a) fatal_debug((a), __FILE__, __LINE__)
|
||||
void ioerror(const char *);
|
||||
void sockerror(const char *);
|
||||
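Review bot: `void fatal_debug(char *, const char *, int);` makes the file argument `const` (it receives `__FILE__`) but leaves the message as `char *`; since `fatal(a)` is invoked with string literals, the first parameter should be `const char *` as well, matching `ioerror(const char *)` and `sockerror(const char *)` directly below. The new `char *log_id(CLI *);` should say whether the returned buffer is owned by the caller or by the per-thread storage, since it will be used inside log calls on every connection.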
@ -349,44 +476,58 @@ char *s_strerror(int);
|
||||
|
||||
int pty_allocate(int *, int *, char *);
|
||||
|
||||
/**************************************** prototypes for dhparam.c */
|
||||
|
||||
DH *get_dh2048(void);
|
||||
|
||||
/**************************************** prototypes for cron.c */
|
||||
|
||||
int cron_init(void);
|
||||
|
||||
/**************************************** prototypes for ssl.c */
|
||||
|
||||
extern int cli_index, opt_index;
|
||||
extern int index_ssl_cli, index_ssl_ctx_opt;
|
||||
extern int index_session_authenticated, index_session_connect_address;
|
||||
|
||||
int ssl_init(void);
|
||||
int ssl_configure(GLOBAL_OPTIONS *);
|
||||
|
||||
/**************************************** prototypes for options.c */
|
||||
|
||||
int parse_commandline(char *, char *);
|
||||
int parse_conf(char *, CONF_TYPE);
|
||||
void apply_conf(void);
|
||||
|
||||
/**************************************** prototypes for ctx.c */
|
||||
|
||||
typedef struct {
|
||||
SERVICE_OPTIONS *section;
|
||||
char pass[PEM_BUFSIZE];
|
||||
} UI_DATA;
|
||||
extern SERVICE_OPTIONS *current_section;
|
||||
|
||||
#ifndef OPENSSL_NO_DH
|
||||
extern DH *dh_params;
|
||||
extern int dh_needed;
|
||||
#endif /* OPENSSL_NO_DH */
|
||||
|
||||
int context_init(SERVICE_OPTIONS *);
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
void psk_sort(PSK_TABLE *, PSK_KEYS *);
|
||||
PSK_KEYS *psk_find(const PSK_TABLE *, const char *);
|
||||
#endif /* !defined(OPENSSL_NO_PSK) */
|
||||
void sslerror(char *);
|
||||
|
||||
/**************************************** prototypes for verify.c */
|
||||
|
||||
int verify_init(SERVICE_OPTIONS *);
|
||||
void print_client_CA_list(const STACK_OF(X509_NAME) *);
|
||||
char *X509_NAME2text(X509_NAME *);
|
||||
|
||||
/**************************************** prototypes for network.c */
|
||||
|
||||
s_poll_set *s_poll_alloc(void);
|
||||
void s_poll_free(s_poll_set *);
|
||||
void s_poll_init(s_poll_set *);
|
||||
void s_poll_add(s_poll_set *, int, int, int);
|
||||
int s_poll_canread(s_poll_set *, int);
|
||||
int s_poll_canwrite(s_poll_set *, int);
|
||||
int s_poll_hup(s_poll_set *, int);
|
||||
int s_poll_error(s_poll_set *, int);
|
||||
void s_poll_add(s_poll_set *, SOCKET, int, int);
|
||||
void s_poll_remove(s_poll_set *, SOCKET);
|
||||
int s_poll_canread(s_poll_set *, SOCKET);
|
||||
int s_poll_canwrite(s_poll_set *, SOCKET);
|
||||
int s_poll_hup(s_poll_set *, SOCKET);
|
||||
int s_poll_rdhup(s_poll_set *, SOCKET);
|
||||
int s_poll_err(s_poll_set *, SOCKET);
|
||||
int s_poll_wait(s_poll_set *, int, int);
|
||||
void s_poll_dump(s_poll_set *, int);
|
||||
|
||||
#ifdef USE_WIN32
|
||||
#define SIGNAL_RELOAD_CONFIG 1
|
||||
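Review bot: ctx.c now exports a global `extern int dh_needed;` while the `SERVICE_OPTIONS` struct earlier in this file carries a per-service bit `option.dh_needed:1` under the same name; a comment on which of the two drives DH parameter generation (and how the global relates to the `LOCK_DH` lock declared later) would avoid confusion. `void sslerror(char *);` should take `const char *` for the same reason as `fatal_debug` above. The renamed ex_data indices (`index_ssl_cli`, `index_ssl_ctx_opt`, `index_session_authenticated`, `index_session_connect_address`) are clearer than `cli_index, opt_index`; the new `index_session_authenticated` is security-relevant (it tags a resumable session as having passed authentication), so a short comment on when it is set and who reads it belongs here.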
@ -398,80 +539,62 @@ int s_poll_wait(s_poll_set *, int, int);
|
||||
#define SIGNAL_TERMINATE SIGTERM
|
||||
#endif
|
||||
|
||||
int set_socket_options(int, int);
|
||||
int make_sockets(int [2]);
|
||||
int set_socket_options(SOCKET, int);
|
||||
int make_sockets(SOCKET[2]);
|
||||
int original_dst(const SOCKET, SOCKADDR_UNION *);
|
||||
|
||||
/**************************************** prototypes for client.c */
|
||||
|
||||
typedef enum {
|
||||
RENEG_INIT, /* initial state */
|
||||
RENEG_ESTABLISHED, /* initial handshake completed */
|
||||
RENEG_DETECTED /* renegotiation detected */
|
||||
} RENEG_STATE;
|
||||
|
||||
typedef struct {
|
||||
jmp_buf err; /* exception handler needs to be 16-byte aligned on Itanium */
|
||||
SSL *ssl; /* SSL connnection */
|
||||
SERVICE_OPTIONS *opt;
|
||||
|
||||
SOCKADDR_UNION peer_addr; /* peer address */
|
||||
socklen_t peer_addr_len;
|
||||
SOCKADDR_UNION *bind_addr; /* address to bind() the socket */
|
||||
SOCKADDR_LIST connect_addr; /* for dynamically assigned addresses */
|
||||
FD local_rfd, local_wfd; /* read and write local descriptors */
|
||||
FD remote_fd; /* remote file descriptor */
|
||||
/* IP for explicit local bind or transparent proxy */
|
||||
unsigned long pid; /* PID of the local process */
|
||||
int fd; /* temporary file descriptor */
|
||||
RENEG_STATE reneg_state; /* used to track renegotiation attempts */
|
||||
|
||||
/* data for transfer() function */
|
||||
char sock_buff[BUFFSIZE]; /* socket read buffer */
|
||||
char ssl_buff[BUFFSIZE]; /* SSL read buffer */
|
||||
int sock_ptr, ssl_ptr; /* index of first unused byte in buffer */
|
||||
FD *sock_rfd, *sock_wfd; /* read and write socket descriptors */
|
||||
FD *ssl_rfd, *ssl_wfd; /* read and write SSL descriptors */
|
||||
int sock_bytes, ssl_bytes; /* bytes written to socket and SSL */
|
||||
s_poll_set *fds; /* file descriptors */
|
||||
} CLI;
|
||||
|
||||
CLI *alloc_client_session(SERVICE_OPTIONS *, int, int);
|
||||
CLI *alloc_client_session(SERVICE_OPTIONS *, SOCKET, SOCKET);
|
||||
void *client_thread(void *);
|
||||
void client_main(CLI *);
|
||||
|
||||
/**************************************** prototypes for network.c */
|
||||
|
||||
int connect_blocking(CLI *, SOCKADDR_UNION *, socklen_t);
|
||||
void write_blocking(CLI *, int fd, void *, int);
|
||||
void read_blocking(CLI *, int fd, void *, int);
|
||||
void fd_putline(CLI *, int, const char *);
|
||||
char *fd_getline(CLI *, int);
|
||||
int get_socket_error(const SOCKET);
|
||||
int s_connect(CLI *, SOCKADDR_UNION *, socklen_t);
|
||||
void s_write(CLI *, SOCKET fd, const void *, size_t);
|
||||
void s_read(CLI *, SOCKET fd, void *, size_t);
|
||||
void fd_putline(CLI *, SOCKET, const char *);
|
||||
char *fd_getline(CLI *, SOCKET);
|
||||
/* descriptor versions of fprintf/fscanf */
|
||||
void fd_printf(CLI *, int, const char *, ...)
|
||||
void fd_printf(CLI *, SOCKET, const char *, ...)
|
||||
#ifdef __GNUC__
|
||||
__attribute__((format(printf, 3, 4)));
|
||||
#else
|
||||
;
|
||||
#endif
|
||||
void s_ssl_write(CLI *, const void *, int);
|
||||
void s_ssl_read(CLI *, void *, int);
|
||||
char *ssl_getstring(CLI *c);
|
||||
char *ssl_getline(CLI *c);
|
||||
void ssl_putline(CLI *c, const char *);
|
||||
|
||||
/**************************************** prototype for protocol.c */
|
||||
|
||||
typedef enum {
|
||||
PROTOCOL_NONE,
|
||||
PROTOCOL_PRE_CONNECT,
|
||||
PROTOCOL_PRE_SSL,
|
||||
PROTOCOL_POST_SSL
|
||||
} PROTOCOL_PHASE;
|
||||
PROTOCOL_CHECK,
|
||||
PROTOCOL_EARLY,
|
||||
PROTOCOL_MIDDLE,
|
||||
PROTOCOL_LATE
|
||||
} PHASE;
|
||||
|
||||
int find_protocol_id(const char *);
|
||||
void protocol(CLI *, const PROTOCOL_PHASE);
|
||||
char *protocol(CLI *, SERVICE_OPTIONS *opt, const PHASE);
|
||||
|
||||
/**************************************** prototypes for resolver.c */
|
||||
|
||||
void resolver_init();
|
||||
int name2addr(SOCKADDR_UNION *, char *, char *);
|
||||
int hostport2addr(SOCKADDR_UNION *, char *, char *);
|
||||
int namelist2addrlist(SOCKADDR_LIST *, NAME_LIST *, char *);
|
||||
|
||||
unsigned name2addr(SOCKADDR_UNION *, char *, int);
|
||||
unsigned hostport2addr(SOCKADDR_UNION *, char *, char *, int);
|
||||
|
||||
unsigned name2addrlist(SOCKADDR_LIST *, char *);
|
||||
unsigned hostport2addrlist(SOCKADDR_LIST *, char *, char *);
|
||||
|
||||
void addrlist_clear(SOCKADDR_LIST *, int);
|
||||
unsigned addrlist_dup(SOCKADDR_LIST *, const SOCKADDR_LIST *);
|
||||
unsigned addrlist_resolve(SOCKADDR_LIST *);
|
||||
|
||||
char *s_ntop(SOCKADDR_UNION *, socklen_t);
|
||||
socklen_t addr_len(const SOCKADDR_UNION *);
|
||||
const char *s_gai_strerror(int);
|
||||
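Review bot: `void resolver_init();` (and `libwrap_init()`, `tls_init()`, `tls_cleanup()`, `str_canary_init()` later in the file) declare functions with empty parentheses, which in C is an unprototyped declaration rather than "no arguments"; the rest of this header uses `(void)` (`main_init(void)`, `daemon_loop(void)`, `unbind_ports(void)`), so these should too, so that a call with stray arguments is rejected by the compiler. `s_write`/`s_read` move to `size_t` lengths while `s_ssl_write(CLI *, const void *, int)` and `s_ssl_read(CLI *, void *, int)` keep `int`, presumably because `SSL_write()`/`SSL_read()` take `int`; a comment to that effect, plus a check that no caller passes more than INT_MAX, would make the asymmetry deliberate. `char *protocol(CLI *, SERVICE_OPTIONS *opt, const PHASE);` now returns a string where the old `protocol(CLI *, const PROTOCOL_PHASE)` returned nothing; the header should state what the return value means (error text vs NULL on success) because every phase call site must test it, and the renamed `PROTOCOL_CHECK/EARLY/MIDDLE/LATE` phases deserve a one-line mapping to the old `PRE_CONNECT/PRE_SSL/POST_SSL` names so readers of the old code can follow.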
@ -503,28 +626,78 @@ extern GETNAMEINFO s_getnameinfo;
|
||||
|
||||
#endif /* USE_WIN32 */
|
||||
|
||||
int getnameinfo(const struct sockaddr *, int, char *, int, char *, int, int);
|
||||
int getnameinfo(const struct sockaddr *, socklen_t,
|
||||
char *, size_t, char *, size_t, int);
|
||||
|
||||
#endif /* !defined HAVE_GETNAMEINFO */
|
||||
|
||||
/**************************************** prototypes for sthreads.c */
|
||||
|
||||
typedef enum {
|
||||
CRIT_CLIENTS, CRIT_SESSION, CRIT_SSL, /* client.c */
|
||||
CRIT_INET, /* resolver.c */
|
||||
#ifndef USE_WIN32
|
||||
CRIT_LIBWRAP, /* libwrap.c */
|
||||
#endif
|
||||
CRIT_LOG, /* log.c */
|
||||
CRIT_SECTIONS /* number of critical sections */
|
||||
} SECTION_CODE;
|
||||
#if defined(USE_PTHREAD) || defined(USE_WIN32)
|
||||
|
||||
struct CRYPTO_dynlock_value {
|
||||
#ifdef USE_PTHREAD
|
||||
pthread_rwlock_t rwlock;
|
||||
#endif
|
||||
#ifdef USE_WIN32
|
||||
CRITICAL_SECTION critical_section;
|
||||
#endif
|
||||
const char *init_file, *read_lock_file, *write_lock_file,
|
||||
*read_unlock_file, *write_unlock_file, *destroy_file;
|
||||
int init_line, read_lock_line, write_lock_line,
|
||||
read_unlock_line, write_unlock_line, destroy_line;
|
||||
};
|
||||
|
||||
typedef enum {
|
||||
LOCK_SESSION, LOCK_ADDR,
|
||||
LOCK_CLIENTS, LOCK_SSL, /* client.c */
|
||||
LOCK_INET, /* resolver.c */
|
||||
#ifndef USE_WIN32
|
||||
LOCK_LIBWRAP, /* libwrap.c */
|
||||
#endif
|
||||
LOCK_LOG_BUFFER, LOCK_LOG_MODE, /* log.c */
|
||||
LOCK_LEAK_HASH, LOCK_LEAK_RESULTS, /* str.c */
|
||||
#ifndef OPENSSL_NO_DH
|
||||
LOCK_DH, /* ctx.c */
|
||||
#endif /* OPENSSL_NO_DH */
|
||||
STUNNEL_LOCKS /* number of locks */
|
||||
} LOCK_TYPE;
|
||||
extern struct CRYPTO_dynlock_value stunnel_locks[STUNNEL_LOCKS];
|
||||
|
||||
void stunnel_rwlock_init_debug(struct CRYPTO_dynlock_value *, const char *, int);
|
||||
void stunnel_read_lock_debug(struct CRYPTO_dynlock_value *, const char *, int);
|
||||
void stunnel_write_lock_debug(struct CRYPTO_dynlock_value *, const char *, int);
|
||||
void stunnel_read_unlock_debug(struct CRYPTO_dynlock_value *, const char *, int);
|
||||
void stunnel_write_unlock_debug(struct CRYPTO_dynlock_value *, const char *, int);
|
||||
void stunnel_rwlock_destroy_debug(struct CRYPTO_dynlock_value *, const char *, int);
|
||||
|
||||
#define stunnel_rwlock_init(x) stunnel_rwlock_init_debug((x),__FILE__,__LINE__)
|
||||
#define stunnel_read_lock(x) stunnel_read_lock_debug((x),__FILE__,__LINE__)
|
||||
#define stunnel_write_lock(x) stunnel_write_lock_debug((x),__FILE__,__LINE__)
|
||||
#define stunnel_read_unlock(x) stunnel_read_unlock_debug((x),__FILE__,__LINE__)
|
||||
#define stunnel_write_unlock(x) stunnel_write_unlock_debug((x),__FILE__,__LINE__)
|
||||
#define stunnel_rwlock_destroy(x) stunnel_rwlock_destroy_debug((x),__FILE__,__LINE__)
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER<0x10100004L
|
||||
#define CRYPTO_atomic_add(addr,amount,result,type) \
|
||||
*result = type ? CRYPTO_add(addr,amount,type) : (*addr+=amount)
|
||||
#endif
|
||||
|
||||
#else /* defined(USE_PTHREAD) || defined(USE_WIN32) */
|
||||
|
||||
#define stunnel_rwlock_init(x) {}
|
||||
#define stunnel_read_lock(x) {}
|
||||
#define stunnel_write_lock(x) {}
|
||||
#define stunnel_read_unlock(x) {}
|
||||
#define stunnel_write_unlock(x) {}
|
||||
#define stunnel_rwlock_destroy(x) {}
|
||||
|
||||
#endif /* defined(USE_PTHREAD) || defined(USE_WIN32) */
|
||||
|
||||
void enter_critical_section(SECTION_CODE);
|
||||
void leave_critical_section(SECTION_CODE);
|
||||
int sthreads_init(void);
|
||||
unsigned long stunnel_process_id(void);
|
||||
unsigned long stunnel_thread_id(void);
|
||||
int create_client(int, int, CLI *, void *(*)(void *));
|
||||
int create_client(SOCKET, SOCKET, CLI *, void *(*)(void *));
|
||||
#ifdef USE_UCONTEXT
|
||||
typedef struct CONTEXT_STRUCTURE {
|
||||
char *stack; /* CPU stack for this thread */
|
||||
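Review bot: the compatibility macro `CRYPTO_atomic_add(addr,amount,result,type)` for OpenSSL before 1.1.0-pre4 expands to `*result = type ? CRYPTO_add(addr,amount,type) : (*addr+=amount)` with none of its arguments parenthesized and no `do { } while(0)` wrapper, so an argument containing an operator, or a use in an `if` without braces, will mis-expand; more importantly, when `type` is 0 the fallback `*addr+=amount` is a plain non-atomic read-modify-write, which only matches the old `CRYPTO_add()` contract if every caller passing 0 is single-threaded at that point, and that should be stated next to the macro. In the same hunk the no-threads fallbacks `#define stunnel_rwlock_init(x) {}` through `stunnel_rwlock_destroy(x) {}` expand to an empty compound statement, so `if(c) stunnel_read_lock(l); else ...` would not compile; `((void)0)` is the usual form. The replacement of `enter_critical_section`/`leave_critical_section` and `SECTION_CODE` by `LOCK_TYPE` and rwlocks with `__FILE__`/`__LINE__` tracking in `struct CRYPTO_dynlock_value` is a good debugging aid; `LOCK_SESSION, LOCK_ADDR,` are the only entries in the new enum without a file comment, and `CRIT_SESSION` does not map obviously onto two locks, so say which module owns each.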
@ -534,7 +707,7 @@ typedef struct CONTEXT_STRUCTURE {
|
||||
int ready; /* number of ready file descriptors */
|
||||
time_t finish; /* when to finish poll() for this context */
|
||||
struct CONTEXT_STRUCTURE *next; /* next context on a list */
|
||||
void *tls; /* thread local storage for str.c */
|
||||
void *tls; /* thread local storage for tls.c */
|
||||
} CONTEXT;
|
||||
extern CONTEXT *ready_head, *ready_tail;
|
||||
extern CONTEXT *waiting_head, *waiting_tail;
|
||||
@ -547,32 +720,20 @@ void _endthread(void);
|
||||
void stack_info(int);
|
||||
#endif
|
||||
|
||||
/**************************************** prototypes for gui.c */
|
||||
|
||||
#ifdef USE_WIN32
|
||||
void message_box(const LPSTR, const UINT);
|
||||
void win_new_chain(int);
|
||||
void win_new_log(char *);
|
||||
void win_new_config(void);
|
||||
int passwd_cb(char *, int, int, void *);
|
||||
#ifdef HAVE_OSSL_ENGINE_H
|
||||
int pin_cb(UI *, UI_STRING *);
|
||||
#endif
|
||||
#endif /* USE_WIN32 */
|
||||
|
||||
/**************************************** prototypes for file.c */
|
||||
|
||||
#ifndef USE_WIN32
|
||||
DISK_FILE *file_fdopen(int);
|
||||
#endif
|
||||
DISK_FILE *file_open(char *, int);
|
||||
DISK_FILE *file_open(char *, FILE_MODE mode);
|
||||
void file_close(DISK_FILE *);
|
||||
int file_getline(DISK_FILE *, char *, int);
|
||||
int file_putline(DISK_FILE *, char *);
|
||||
ssize_t file_getline(DISK_FILE *, char *, int);
|
||||
ssize_t file_putline(DISK_FILE *, char *);
|
||||
int file_permissions(const char *);
|
||||
|
||||
#ifdef USE_WIN32
|
||||
LPTSTR str2tstr(const LPSTR);
|
||||
LPSTR tstr2str(const LPTSTR);
|
||||
LPTSTR str2tstr(LPCSTR);
|
||||
LPSTR tstr2str(LPCTSTR);
|
||||
#endif
|
||||
|
||||
/**************************************** prototypes for libwrap.c */
|
||||
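Review bot: `ssize_t file_getline(DISK_FILE *, char *, int);` now returns `ssize_t` but the buffer length stays `int`; taking `size_t` (so callers pass `sizeof buf`) would keep the length unsigned end to end and avoid a negative length being accepted. `int file_permissions(const char *);` is new and security-relevant, since it presumably checks the mode of private key or configuration files; the header should say what it checks and what the return value means, because a caller that ignores the result defeats the check silently. `DISK_FILE *file_open(char *, FILE_MODE mode);` names one parameter and not the other, which is inconsistent with the rest of the file. Removing `passwd_cb`/`pin_cb` from the Win32 gui.c block in favour of the `ui_passwd_cb`/`UI_stunnel` declarations later in the file is fine.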
@ -580,21 +741,33 @@ LPSTR tstr2str(const LPTSTR);
|
||||
int libwrap_init();
|
||||
void libwrap_auth(CLI *, char *);
|
||||
|
||||
/**************************************** prototypes for tls.c */
|
||||
|
||||
extern volatile int tls_initialized;
|
||||
|
||||
void tls_init();
|
||||
TLS_DATA *tls_alloc(CLI *, TLS_DATA *, char *);
|
||||
void tls_cleanup();
|
||||
void tls_set(TLS_DATA *);
|
||||
TLS_DATA *tls_get();
|
||||
|
||||
/**************************************** prototypes for str.c */
|
||||
|
||||
void str_init();
|
||||
void str_canary_init();
|
||||
void str_cleanup();
|
||||
void str_stats();
|
||||
void *str_alloc_debug(size_t, char *, int);
|
||||
#define str_alloc(a) str_alloc_debug((a), __FILE__, __LINE__)
|
||||
void *str_realloc_debug(void *, size_t, char *, int);
|
||||
#define str_realloc(a, b) str_realloc_debug((a), (b), __FILE__, __LINE__)
|
||||
void str_detach_debug(void *, char *, int);
|
||||
#define str_detach(a) str_detach_debug((a), __FILE__, __LINE__)
|
||||
void str_free_debug(void *, char *, int);
|
||||
#define str_free(a) str_free_debug((a), __FILE__, __LINE__), (a)=NULL
|
||||
char *str_dup(const char *);
|
||||
extern TLS_DATA *ui_tls;
|
||||
typedef struct alloc_list_struct ALLOC_LIST;
|
||||
|
||||
struct tls_data_struct {
|
||||
ALLOC_LIST *alloc_head;
|
||||
size_t alloc_bytes, alloc_blocks;
|
||||
CLI *c;
|
||||
SERVICE_OPTIONS *opt;
|
||||
char *id;
|
||||
};
|
||||
|
||||
void str_init(TLS_DATA *);
|
||||
void str_cleanup(TLS_DATA *);
|
||||
char *str_dup_debug(const char *, const char *, int);
|
||||
#define str_dup(a) str_dup_debug((a), __FILE__, __LINE__)
|
||||
char *str_vprintf(const char *, va_list);
|
||||
char *str_printf(const char *, ...)
|
||||
#ifdef __GNUC__
|
||||
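Review bot: `struct tls_data_struct` exposes the per-thread allocation list (`alloc_head`, `alloc_bytes`, `alloc_blocks`) in a public header, so the ownership rule that makes `str_free()` safe (a block is freed by the thread whose list it sits on unless it was first moved with `str_detach()`) lives only in the implementation; a comment above the struct would keep other modules from touching these fields directly. `TLS_DATA *tls_alloc(CLI *, TLS_DATA *, char *);` should take `const char *` for the id, and `tls_init()`, `tls_cleanup()`, `tls_get()` need `(void)` rather than empty parentheses. `extern volatile int tls_initialized;` is read across threads; if it is only a startup flag a comment saying so avoids the question of whether `volatile` is doing the job of a memory barrier here.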
@ -602,6 +775,47 @@ char *str_printf(const char *, ...)
|
||||
#else
|
||||
;
|
||||
#endif
|
||||
#ifdef USE_WIN32
|
||||
LPTSTR str_tprintf(LPCTSTR, ...);
|
||||
#endif
|
||||
|
||||
void str_canary_init();
|
||||
void str_stats();
|
||||
void *str_alloc_debug(size_t, const char *, int);
|
||||
#define str_alloc(a) str_alloc_debug((a), __FILE__, __LINE__)
|
||||
void *str_alloc_detached_debug(size_t, const char *, int);
|
||||
#define str_alloc_detached(a) str_alloc_detached_debug((a), __FILE__, __LINE__)
|
||||
void *str_realloc_detached_debug(void *, size_t, const char *, int);
|
||||
void *str_realloc_debug(void *, size_t, const char *, int);
|
||||
#define str_realloc(a, b) str_realloc_debug((a), (b), __FILE__, __LINE__)
|
||||
void str_detach_debug(void *, const char *, int);
|
||||
#define str_detach(a) str_detach_debug((a), __FILE__, __LINE__)
|
||||
void str_free_debug(void *, const char *, int);
|
||||
#define str_free(a) str_free_debug((a), __FILE__, __LINE__), (a)=NULL
|
||||
#define str_free_expression(a) str_free_debug((a), __FILE__, __LINE__)
|
||||
|
||||
int safe_memcmp(const void *, const void *, size_t);
|
||||
|
||||
/**************************************** prototypes for ui_*.c */
|
||||
|
||||
void ui_config_reloaded(void);
|
||||
void ui_new_chain(const unsigned);
|
||||
void ui_clients(const long);
|
||||
|
||||
void ui_new_log(const char *);
|
||||
#ifdef USE_WIN32
|
||||
void message_box(LPCTSTR, const UINT);
|
||||
#endif /* USE_WIN32 */
|
||||
|
||||
int ui_passwd_cb(char *, int, int, void *);
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
UI_METHOD *UI_stunnel(void);
|
||||
#endif /* !defined(OPENSSL_NO_ENGINE) */
|
||||
|
||||
#ifdef ICON_IMAGE
|
||||
ICON_IMAGE load_icon_default(ICON_TYPE);
|
||||
ICON_IMAGE load_icon_file(const char *);
|
||||
#endif
|
||||
|
||||
#endif /* defined PROTOTYPES_H */
|
||||
|
||||
|
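Review bot: `void *str_realloc_detached_debug(void *, size_t, const char *, int);` is declared without the `str_realloc_detached(a, b)` convenience macro that every sibling (`str_alloc_detached`, `str_realloc`, `str_detach`, `str_free`) gets, so callers have to pass `__FILE__, __LINE__` by hand; add the macro for consistency. `int safe_memcmp(const void *, const void *, size_t);` is new and its name implies a timing-safe comparison; the header should state that contract (return value semantics, and that run time does not depend on the contents compared) so callers comparing secrets know they may rely on it. `str_free(a)` expands to a comma expression ending in `(a)=NULL`, which is why `str_free_expression(a)` exists; a comment on when to use which would help. `int ui_passwd_cb(char *, int, int, void *);` matches OpenSSL's `pem_password_cb` signature, good; `void ui_new_chain(const unsigned);` and `void ui_clients(const long);` use `const` on by-value scalars, which is harmless but unusual in this file.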
10
src/pty.c
@ -1,6 +1,6 @@
|
||||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
@ -177,11 +177,11 @@ int pty_allocate(int *ptyfd, int *ttyfd, char *namebuf) {
|
||||
#else /* HAVE_DEV_PTS_AND_PTC */
|
||||
/* BSD-style pty code. */
|
||||
char buf[64];
|
||||
int i;
|
||||
size_t i;
|
||||
const char *ptymajors="pqrstuvwxyzabcdefghijklmnoABCDEFGHIJKLMNOPQRSTUVWXYZ";
|
||||
const char *ptyminors="0123456789abcdef";
|
||||
int num_minors=strlen(ptyminors);
|
||||
int num_ptys=strlen(ptymajors)*num_minors;
|
||||
size_t num_minors=strlen(ptyminors);
|
||||
size_t num_ptys=strlen(ptymajors)*num_minors;
|
||||
|
||||
for(i=0; i<num_ptys; i++) {
|
||||
#ifdef HAVE_SNPRINTF
|
||||
|
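Review bot: moving `i`, `num_minors` and `num_ptys` to `size_t` matches the `strlen()` return type and removes the signed/unsigned comparison warning without changing behaviour. The `#ifdef HAVE_SNPRINTF` directly below the loop head shows there is a non-snprintf fallback that formats into `char buf[64]`; the generated name is short (one major and one minor character), but that path should bound the write explicitly rather than rely on that arithmetic.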
337
src/resolver.c
@ -1,6 +1,6 @@
|
||||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
@ -40,8 +40,11 @@
|
||||
|
||||
/**************************************** prototypes */
|
||||
|
||||
static int name2addrlist(SOCKADDR_LIST *, char *, char *);
|
||||
static int hostport2addrlist(SOCKADDR_LIST *, char *, char *);
|
||||
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
|
||||
NOEXPORT int get_ipv6(LPTSTR);
|
||||
#endif
|
||||
NOEXPORT void addrlist2addr(SOCKADDR_UNION *, SOCKADDR_LIST *);
|
||||
NOEXPORT void addrlist_reset(SOCKADDR_LIST *);
|
||||
|
||||
#ifndef HAVE_GETADDRINFO
|
||||
|
||||
@ -72,11 +75,15 @@ struct addrinfo {
|
||||
};
|
||||
#endif
|
||||
|
||||
static int getaddrinfo(const char *, const char *,
|
||||
#ifndef AI_PASSIVE
|
||||
#define AI_PASSIVE 1
|
||||
#endif
|
||||
|
||||
NOEXPORT int getaddrinfo(const char *, const char *,
|
||||
const struct addrinfo *, struct addrinfo **);
|
||||
static int alloc_addresses(struct hostent *, const struct addrinfo *,
|
||||
NOEXPORT int alloc_addresses(struct hostent *, const struct addrinfo *,
|
||||
u_short port, struct addrinfo **, struct addrinfo **);
|
||||
static void freeaddrinfo(struct addrinfo *);
|
||||
NOEXPORT void freeaddrinfo(struct addrinfo *);
|
||||
|
||||
#endif /* !defined HAVE_GETADDRINFO */
|
||||
|
||||
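Review bot: the `#ifndef AI_PASSIVE` / `#define AI_PASSIVE 1` fallback is only reached on platforms without a system `getaddrinfo()`, so the value must be the one the emulated `NOEXPORT int getaddrinfo()` declared just below actually tests; since callers now pass a `passive` flag through `addrlist_clear()`, confirm that the emulation binds to the wildcard address for AI_PASSIVE rather than resolving the local host name, otherwise listening sockets on such platforms end up on a single interface. Switching the prototypes from `static` to `NOEXPORT` is consistent with the rest of the tree.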
@ -90,75 +97,92 @@ GETNAMEINFO s_getnameinfo;
|
||||
|
||||
void resolver_init() {
|
||||
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
|
||||
HINSTANCE handle;
|
||||
|
||||
handle=LoadLibrary("ws2_32.dll"); /* IPv6 in Windows XP or higher */
|
||||
if(handle) {
|
||||
s_getaddrinfo=(GETADDRINFO)GetProcAddress(handle, "getaddrinfo");
|
||||
s_freeaddrinfo=(FREEADDRINFO)GetProcAddress(handle, "freeaddrinfo");
|
||||
s_getnameinfo=(GETNAMEINFO)GetProcAddress(handle, "getnameinfo");
|
||||
if(s_getaddrinfo && s_freeaddrinfo && s_getnameinfo)
|
||||
return; /* IPv6 detected -> OK */
|
||||
FreeLibrary(handle);
|
||||
}
|
||||
handle=LoadLibrary("wship6.dll"); /* experimental IPv6 for Windows 2000 */
|
||||
if(handle) {
|
||||
s_getaddrinfo=(GETADDRINFO)GetProcAddress(handle, "getaddrinfo");
|
||||
s_freeaddrinfo=(FREEADDRINFO)GetProcAddress(handle, "freeaddrinfo");
|
||||
s_getnameinfo=(GETNAMEINFO)GetProcAddress(handle, "getnameinfo");
|
||||
if(s_getaddrinfo && s_freeaddrinfo && s_getnameinfo)
|
||||
return; /* IPv6 detected -> OK */
|
||||
FreeLibrary(handle);
|
||||
}
|
||||
s_getaddrinfo=NULL;
|
||||
s_freeaddrinfo=NULL;
|
||||
s_getnameinfo=NULL;
|
||||
if(get_ipv6(TEXT("ws2_32.dll"))) /* IPv6 in Windows XP or higher */
|
||||
return;
|
||||
if(get_ipv6(TEXT("wship6.dll"))) /* experimental IPv6 for Windows 2000 */
|
||||
return;
|
||||
/* fall back to the built-in emulation */
|
||||
#endif
|
||||
}
|
||||
|
||||
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
|
||||
NOEXPORT int get_ipv6(LPTSTR file) {
|
||||
HINSTANCE handle;
|
||||
|
||||
handle=LoadLibrary(file);
|
||||
if(!handle)
|
||||
return 0;
|
||||
s_getaddrinfo=(GETADDRINFO)GetProcAddress(handle, "getaddrinfo");
|
||||
s_freeaddrinfo=(FREEADDRINFO)GetProcAddress(handle, "freeaddrinfo");
|
||||
s_getnameinfo=(GETNAMEINFO)GetProcAddress(handle, "getnameinfo");
|
||||
if(!s_getaddrinfo || !s_freeaddrinfo || !s_getnameinfo) {
|
||||
s_getaddrinfo=NULL;
|
||||
s_freeaddrinfo=NULL;
|
||||
s_getnameinfo=NULL;
|
||||
FreeLibrary(handle);
|
||||
return 0;
|
||||
}
|
||||
return 1; /* IPv6 detected -> OK */
|
||||
}
|
||||
#endif
|
||||
|
||||
/**************************************** stunnel resolver API */
|
||||
|
||||
int name2addr(SOCKADDR_UNION *addr, char *name, char *default_host) {
|
||||
SOCKADDR_LIST addr_list;
|
||||
int retval;
|
||||
unsigned name2addr(SOCKADDR_UNION *addr, char *name, int passive) {
|
||||
SOCKADDR_LIST *addr_list;
|
||||
unsigned retval;
|
||||
|
||||
addr_list.num=0;
|
||||
addr_list.addr=NULL;
|
||||
retval=name2addrlist(&addr_list, name, default_host);
|
||||
if(retval>0)
|
||||
memcpy(addr, &addr_list.addr[0], sizeof *addr);
|
||||
if(addr_list.addr)
|
||||
str_free(addr_list.addr);
|
||||
addr_list=str_alloc(sizeof(SOCKADDR_LIST));
|
||||
addrlist_clear(addr_list, passive);
|
||||
retval=name2addrlist(addr_list, name);
|
||||
if(retval)
|
||||
addrlist2addr(addr, addr_list);
|
||||
str_free(addr_list->addr);
|
||||
str_free(addr_list->session);
|
||||
str_free(addr_list);
|
||||
return retval;
|
||||
}
|
||||
|
||||
int hostport2addr(SOCKADDR_UNION *addr, char *hostname, char *portname) {
|
||||
SOCKADDR_LIST addr_list;
|
||||
int retval;
|
||||
unsigned hostport2addr(SOCKADDR_UNION *addr,
|
||||
char *host_name, char *port_name, int passive) {
|
||||
SOCKADDR_LIST *addr_list;
|
||||
unsigned num;
|
||||
|
||||
addr_list.num=0;
|
||||
addr_list.addr=NULL;
|
||||
retval=hostport2addrlist(&addr_list, hostname, portname);
|
||||
if(retval>0)
|
||||
memcpy(addr, &addr_list.addr[0], sizeof *addr);
|
||||
if(addr_list.addr)
|
||||
str_free(addr_list.addr);
|
||||
return retval;
|
||||
addr_list=str_alloc(sizeof(SOCKADDR_LIST));
|
||||
addrlist_clear(addr_list, passive);
|
||||
num=hostport2addrlist(addr_list, host_name, port_name);
|
||||
if(num)
|
||||
addrlist2addr(addr, addr_list);
|
||||
str_free(addr_list->addr);
|
||||
str_free(addr_list->session);
|
||||
str_free(addr_list);
|
||||
return num;
|
||||
}
|
||||
|
||||
int namelist2addrlist(SOCKADDR_LIST *addr_list, NAME_LIST *name_list, char *default_host) {
|
||||
/* recursive implementation to reverse the list */
|
||||
if(!name_list)
|
||||
return 0;
|
||||
return namelist2addrlist(addr_list, name_list->next, default_host) +
|
||||
name2addrlist(addr_list, name_list->name, default_host);
|
||||
NOEXPORT void addrlist2addr(SOCKADDR_UNION *addr, SOCKADDR_LIST *addr_list) {
|
||||
unsigned i;
|
||||
|
||||
for(i=0; i<addr_list->num; ++i) { /* find the first IPv4 address */
|
||||
if(addr_list->addr[i].in.sin_family==AF_INET) {
|
||||
memcpy(addr, &addr_list->addr[i], sizeof(SOCKADDR_UNION));
|
||||
return;
|
||||
}
|
||||
}
|
||||
#ifdef USE_IPv6
|
||||
for(i=0; i<addr_list->num; ++i) { /* find the first IPv6 address */
|
||||
if(addr_list->addr[i].in.sin_family==AF_INET6) {
|
||||
memcpy(addr, &addr_list->addr[i], sizeof(SOCKADDR_UNION));
|
||||
return;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
/* copy the first address resolved (currently AF_UNIX) */
|
||||
memcpy(addr, &addr_list->addr[0], sizeof(SOCKADDR_UNION));
|
||||
}
|
||||
|
||||
static int name2addrlist(SOCKADDR_LIST *addr_list, char *name, char *default_host) {
|
||||
char *tmp, *hostname, *portname;
|
||||
int retval;
|
||||
|
||||
addr_list->cur=0; /* reset round-robin counter */
|
||||
unsigned name2addrlist(SOCKADDR_LIST *addr_list, char *name) {
|
||||
char *tmp, *host_name, *port_name;
|
||||
unsigned num;
|
||||
|
||||
/* first check if this is a UNIX socket */
|
||||
#ifdef HAVE_STRUCT_SOCKADDR_UN
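Review bot: `addrlist2addr` ends by copying `addr_list->addr[0]` unconditionally, so it reads past an empty array if it is ever called with `addr_list->num==0`; the only guards are the `if(retval)` / `if(num)` checks in the rewritten `name2addr` and `hostport2addr`. Suggest making the precondition explicit with an early `if(!addr_list->num) return;` (or a comment above the function) so a future caller cannot trip it; the trailing comment "copy the first address resolved (currently AF_UNIX)" also silently assumes a non-empty list.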
|
||||
@ -172,58 +196,87 @@ static int name2addrlist(SOCKADDR_LIST *addr_list, char *name, char *default_hos
|
||||
(addr_list->num+1)*sizeof(SOCKADDR_UNION));
|
||||
addr_list->addr[addr_list->num].un.sun_family=AF_UNIX;
|
||||
strcpy(addr_list->addr[addr_list->num].un.sun_path, name);
|
||||
return ++(addr_list->num); /* ok - return the number of addresses */
|
||||
addr_list->session=str_realloc(addr_list->session,
|
||||
(addr_list->num+1)*sizeof(SSL_SESSION *));
|
||||
addr_list->session[addr_list->num]=NULL;
|
||||
++(addr_list->num);
|
||||
return 1; /* ok - return the number of new addresses */
|
||||
}
|
||||
#endif
|
||||
|
||||
/* set hostname and portname */
|
||||
/* setup host_name and port_name */
|
||||
tmp=str_dup(name);
|
||||
portname=strrchr(tmp, ':');
|
||||
if(portname) {
|
||||
hostname=tmp;
|
||||
*portname++='\0';
|
||||
port_name=strrchr(tmp, ':');
|
||||
if(port_name) {
|
||||
host_name=tmp;
|
||||
*port_name++='\0';
|
||||
} else { /* no ':' - use default host IP */
|
||||
hostname=default_host;
|
||||
portname=tmp;
|
||||
host_name=NULL;
|
||||
port_name=tmp;
|
||||
}
|
||||
|
||||
/* fill addr_list structure */
|
||||
retval=hostport2addrlist(addr_list, hostname, portname);
|
||||
num=hostport2addrlist(addr_list, host_name, port_name);
|
||||
str_free(tmp);
|
||||
return retval;
|
||||
return num; /* ok - return the number of new addresses */
|
||||
}
|
||||
|
||||
static int hostport2addrlist(SOCKADDR_LIST *addr_list,
|
||||
char *hostname, char *portname) {
|
||||
unsigned hostport2addrlist(SOCKADDR_LIST *addr_list,
|
||||
char *host_name, char *port_name) {
|
||||
struct addrinfo hints, *res=NULL, *cur;
|
||||
int err, retries=0;
|
||||
int err, retry=0;
|
||||
unsigned num=0;
|
||||
|
||||
memset(&hints, 0, sizeof hints);
|
||||
#if defined(USE_IPv6) || defined(USE_WIN32)
|
||||
hints.ai_family=PF_UNSPEC;
|
||||
hints.ai_family=AF_UNSPEC;
|
||||
#else
|
||||
hints.ai_family=PF_INET;
|
||||
hints.ai_family=AF_INET;
|
||||
#endif
|
||||
hints.ai_socktype=SOCK_STREAM;
|
||||
hints.ai_protocol=IPPROTO_TCP;
|
||||
for(;;) {
|
||||
err=getaddrinfo(hostname, portname, &hints, &res);
|
||||
if(err && res)
|
||||
freeaddrinfo(res);
|
||||
if(err!=EAI_AGAIN || ++retries>=3)
|
||||
break;
|
||||
s_log(LOG_DEBUG, "getaddrinfo: EAI_AGAIN received: retrying");
|
||||
sleep(1);
|
||||
hints.ai_flags=0;
|
||||
if(addr_list->passive) {
|
||||
hints.ai_family=AF_INET; /* first try IPv4 for passive requests */
|
||||
hints.ai_flags|=AI_PASSIVE;
|
||||
}
|
||||
switch(err) {
|
||||
case 0:
|
||||
break; /* success */
|
||||
case EAI_SERVICE:
|
||||
s_log(LOG_ERR, "Unknown TCP service '%s'", portname);
|
||||
#ifdef AI_ADDRCONFIG
|
||||
hints.ai_flags|=AI_ADDRCONFIG;
|
||||
#endif
|
||||
for(;;) {
|
||||
err=getaddrinfo(host_name, port_name, &hints, &res);
|
||||
if(!err)
|
||||
break;
|
||||
if(res)
|
||||
freeaddrinfo(res);
|
||||
if(err==EAI_AGAIN && ++retry<=3) {
|
||||
s_log(LOG_DEBUG, "getaddrinfo: EAI_AGAIN received: retrying");
|
||||
sleep(1);
|
||||
continue;
|
||||
}
|
||||
#ifdef AI_ADDRCONFIG
|
||||
if(hints.ai_flags&AI_ADDRCONFIG) {
|
||||
hints.ai_flags&=~AI_ADDRCONFIG;
|
||||
continue; /* retry for unconfigured network interfaces */
|
||||
}
|
||||
#endif
|
||||
#if defined(USE_IPv6) || defined(USE_WIN32)
|
||||
if(hints.ai_family==AF_INET) {
|
||||
hints.ai_family=AF_UNSPEC;
|
||||
continue; /* retry for non-IPv4 addresses */
|
||||
}
|
||||
#endif
|
||||
break;
|
||||
}
|
||||
if(err==EAI_SERVICE) {
|
||||
s_log(LOG_ERR, "Unknown TCP service \"%s\"", port_name);
|
||||
return 0; /* error */
|
||||
default:
|
||||
s_log(LOG_ERR, "Error resolving '%s': %s",
|
||||
hostname, s_gai_strerror(err));
|
||||
}
|
||||
if(err) {
|
||||
s_log(LOG_ERR, "Error resolving \"%s\": %s",
|
||||
host_name ? host_name :
|
||||
(addr_list->passive ? DEFAULT_ANY : DEFAULT_LOOPBACK),
|
||||
s_gai_strerror(err));
|
||||
return 0; /* error */
|
||||
}
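Review bot: in the new `getaddrinfo` retry loop, `if(res) freeaddrinfo(res);` frees the list but leaves `res` pointing at it, so a later failing iteration (an EAI_AGAIN retry, the AI_ADDRCONFIG fallback or the AF_UNSPEC fallback) would call `freeaddrinfo(res)` on the same pointer again if the resolver ever returns an error with `*res` populated. Suggest `res=NULL;` directly after the free. Also, `retry` is never reset when the hints change, so all three fallback passes share one budget of three EAI_AGAIN retries; add a comment if that is intended.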
|
||||
|
||||
@ -236,11 +289,65 @@ static int hostport2addrlist(SOCKADDR_LIST *addr_list,
|
||||
}
|
||||
addr_list->addr=str_realloc(addr_list->addr,
|
||||
(addr_list->num+1)*sizeof(SOCKADDR_UNION));
|
||||
memcpy(&addr_list->addr[addr_list->num], cur->ai_addr, cur->ai_addrlen);
|
||||
memcpy(&addr_list->addr[addr_list->num], cur->ai_addr,
|
||||
(size_t)cur->ai_addrlen);
|
||||
addr_list->session=str_realloc(addr_list->session,
|
||||
(addr_list->num+1)*sizeof(SSL_SESSION *));
|
||||
addr_list->session[addr_list->num]=NULL;
|
||||
++(addr_list->num);
|
||||
++num;
|
||||
}
|
||||
freeaddrinfo(res);
|
||||
return addr_list->num; /* ok - return the number of addresses */
|
||||
return num; /* ok - return the number of new addresses */
|
||||
}
|
||||
|
||||
/* initialize the structure */
|
||||
void addrlist_clear(SOCKADDR_LIST *addr_list, int passive) {
|
||||
addrlist_reset(addr_list);
|
||||
addr_list->names=NULL;
|
||||
addr_list->passive=passive;
|
||||
}
|
||||
|
||||
/* prepare the structure to resolve new hosts */
|
||||
NOEXPORT void addrlist_reset(SOCKADDR_LIST *addr_list) {
|
||||
addr_list->num=0;
|
||||
addr_list->addr=NULL;
|
||||
addr_list->session=NULL;
|
||||
addr_list->rr=0; /* reset the round-robin counter */
|
||||
addr_list->parent=addr_list; /* allow a copy to locate its parent */
|
||||
}
|
||||
|
||||
unsigned addrlist_dup(SOCKADDR_LIST *dst, const SOCKADDR_LIST *src) {
|
||||
memcpy(dst, src, sizeof(SOCKADDR_LIST));
|
||||
if(src->num) { /* already resolved */
|
||||
dst->addr=str_alloc(src->num*sizeof(SOCKADDR_UNION));
|
||||
memcpy(dst->addr, src->addr, src->num*sizeof(SOCKADDR_UNION));
|
||||
} else { /* delayed resolver */
|
||||
addrlist_resolve(dst);
|
||||
}
|
||||
/* we currently don't make a local copy of src->session */
|
||||
return dst->num;
|
||||
}
|
||||
|
||||
unsigned addrlist_resolve(SOCKADDR_LIST *addr_list) {
|
||||
unsigned num=0, rnd;
|
||||
NAME_LIST *host;
|
||||
|
||||
addrlist_reset(addr_list);
|
||||
for(host=addr_list->names; host; host=host->next)
|
||||
num+=name2addrlist(addr_list, host->name);
|
||||
switch(num) {
|
||||
case 0:
|
||||
case 1:
|
||||
addr_list->rr=0;
|
||||
break;
|
||||
default:
|
||||
/* randomize the initial value of round-robin counter */
|
||||
/* ignore the error value and the distribution bias */
|
||||
RAND_bytes((unsigned char *)&rnd, sizeof rnd);
|
||||
addr_list->rr=rnd%num;
|
||||
}
|
||||
return num;
|
||||
}
|
||||
|
||||
char *s_ntop(SOCKADDR_UNION *addr, socklen_t addrlen) {
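Review bot: `addrlist_dup` copies the whole struct with `memcpy` and, as its comment says, does not duplicate `src->session`, so in the "already resolved" branch `dst->session` is the same pointer as `src->session` while `dst->addr` is a private copy. Callers such as `name2addr` and `hostport2addr` free `addr_list->session`, so a dup'd list released the same way would free the parent's array. Either allocate a fresh NULL-filled `session` array of `src->num` entries for `dst`, or state in the comment that copies must never free `session`. Related: `addrlist_reset` overwrites `addr` and `session` with NULL without freeing them, so `addrlist_resolve` on an already resolved list leaks both arrays; free them first or document that it is only called on a freshly cleared or dup'd list.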
|
||||
@ -283,7 +390,7 @@ socklen_t addr_len(const SOCKADDR_UNION *addr) {
|
||||
/* implementation is limited to functionality needed by stunnel */
|
||||
|
||||
#ifndef HAVE_GETADDRINFO
|
||||
static int getaddrinfo(const char *node, const char *service,
|
||||
NOEXPORT int getaddrinfo(const char *node, const char *service,
|
||||
const struct addrinfo *hints, struct addrinfo **res) {
|
||||
struct hostent *h;
|
||||
#ifndef _WIN32_WCE
|
||||
@ -294,6 +401,8 @@ static int getaddrinfo(const char *node, const char *service,
|
||||
int retval;
|
||||
char *tmpstr;
|
||||
|
||||
if(!node)
|
||||
node=(hints->ai_flags & AI_PASSIVE) ? DEFAULT_ANY : DEFAULT_LOOPBACK;
|
||||
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
|
||||
if(s_getaddrinfo)
|
||||
return s_getaddrinfo(node, service, hints, res);
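Review bot: the new default-node line dereferences `hints->ai_flags` unconditionally, while POSIX `getaddrinfo` permits `hints==NULL`. This fallback is only reached from `hostport2addrlist`, which always passes a `hints` struct, so either guard it (`hints && (hints->ai_flags & AI_PASSIVE)`) or extend the "implementation is limited to functionality needed by stunnel" comment to state that `hints` must be non-NULL.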
|
||||
@ -307,7 +416,7 @@ static int getaddrinfo(const char *node, const char *service,
|
||||
p=getservbyname(service, "tcp");
|
||||
if(!p)
|
||||
return EAI_NONAME;
|
||||
port=p->s_port;
|
||||
port=(u_short)p->s_port;
|
||||
#endif /* defined(_WIN32_WCE) */
|
||||
}
|
||||
|
||||
@ -320,7 +429,7 @@ static int getaddrinfo(const char *node, const char *service,
|
||||
#if defined(USE_IPv6) && !defined(USE_WIN32)
|
||||
ai->ai_family=AF_INET6;
|
||||
ai->ai_addrlen=sizeof(struct sockaddr_in6);
|
||||
ai->ai_addr=str_alloc(ai->ai_addrlen);
|
||||
ai->ai_addr=str_alloc((size_t)ai->ai_addrlen);
|
||||
ai->ai_addr->sa_family=AF_INET6;
|
||||
if(inet_pton(AF_INET6, node,
|
||||
&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr)>0) {
|
||||
@ -343,7 +452,7 @@ static int getaddrinfo(const char *node, const char *service,
|
||||
/* not numerical: need to call resolver library */
|
||||
*res=NULL;
|
||||
ai=NULL;
|
||||
enter_critical_section(CRIT_INET);
|
||||
stunnel_write_lock(&stunnel_locks[LOCK_INET]);
|
||||
#ifdef HAVE_GETHOSTBYNAME2
|
||||
h=gethostbyname2(node, AF_INET6);
|
||||
if(h) /* some IPv6 addresses found */
|
||||
@ -361,7 +470,7 @@ static int getaddrinfo(const char *node, const char *service,
|
||||
#ifdef HAVE_ENDHOSTENT
|
||||
endhostent();
|
||||
#endif
|
||||
leave_critical_section(CRIT_INET);
|
||||
stunnel_write_unlock(&stunnel_locks[LOCK_INET]);
|
||||
if(retval) { /* error: free allocated memory */
|
||||
freeaddrinfo(*res);
|
||||
*res=NULL;
|
||||
@ -369,7 +478,7 @@ static int getaddrinfo(const char *node, const char *service,
|
||||
return retval;
|
||||
}
|
||||
|
||||
static int alloc_addresses(struct hostent *h, const struct addrinfo *hints,
|
||||
NOEXPORT int alloc_addresses(struct hostent *h, const struct addrinfo *hints,
|
||||
u_short port, struct addrinfo **head, struct addrinfo **tail) {
|
||||
int i;
|
||||
struct addrinfo *ai;
|
||||
@ -391,25 +500,25 @@ static int alloc_addresses(struct hostent *h, const struct addrinfo *hints,
|
||||
#if defined(USE_IPv6)
|
||||
if(h->h_addrtype==AF_INET6) {
|
||||
ai->ai_addrlen=sizeof(struct sockaddr_in6);
|
||||
ai->ai_addr=str_alloc(ai->ai_addrlen);
|
||||
ai->ai_addr=str_alloc((size_t)ai->ai_addrlen);
|
||||
memcpy(&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr,
|
||||
h->h_addr_list[i], h->h_length);
|
||||
h->h_addr_list[i], (size_t)h->h_length);
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
ai->ai_addrlen=sizeof(struct sockaddr_in);
|
||||
ai->ai_addr=str_alloc(ai->ai_addrlen);
|
||||
ai->ai_addr=str_alloc((size_t)ai->ai_addrlen);
|
||||
memcpy(&((struct sockaddr_in *)ai->ai_addr)->sin_addr,
|
||||
h->h_addr_list[i], h->h_length);
|
||||
h->h_addr_list[i], (size_t)h->h_length);
|
||||
}
|
||||
ai->ai_addr->sa_family=h->h_addrtype;
|
||||
ai->ai_addr->sa_family=(u_short)h->h_addrtype;
|
||||
/* offsets of sin_port and sin6_port should be the same */
|
||||
((struct sockaddr_in *)ai->ai_addr)->sin_port=port;
|
||||
}
|
||||
return 0; /* success */
|
||||
}
|
||||
|
||||
static void freeaddrinfo(struct addrinfo *current) {
|
||||
NOEXPORT void freeaddrinfo(struct addrinfo *current) {
|
||||
struct addrinfo *next;
|
||||
|
||||
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
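Review bot: both `memcpy` calls copy `h->h_length` bytes from the resolver result into a fixed-size `sin6_addr` (16 bytes) or `sin_addr` (4 bytes); the added `(size_t)` cast silences the sign warning but does not bound the length, so a `hostent` whose `h_length` disagrees with `h_addrtype` would overflow the field. Suggest checking `h->h_length==sizeof(struct in6_addr)` in the IPv6 branch and `h->h_length==sizeof(struct in_addr)` in the IPv4 branch and returning an error otherwise.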
|
||||
@ -419,10 +528,8 @@ static void freeaddrinfo(struct addrinfo *current) {
|
||||
}
|
||||
#endif
|
||||
while(current) {
|
||||
if(current->ai_addr)
|
||||
str_free(current->ai_addr);
|
||||
if(current->ai_canonname)
|
||||
str_free(current->ai_canonname);
|
||||
str_free(current->ai_addr);
|
||||
str_free(current->ai_canonname);
|
||||
next=current->ai_next;
|
||||
str_free(current);
|
||||
current=next;
|
||||
@ -484,8 +591,8 @@ const char *s_gai_strerror(int err) {
|
||||
/* implementation is limited to functionality needed by stunnel */
|
||||
|
||||
#ifndef HAVE_GETNAMEINFO
|
||||
int getnameinfo(const struct sockaddr *sa, int salen,
|
||||
char *host, int hostlen, char *serv, int servlen, int flags) {
|
||||
int getnameinfo(const struct sockaddr *sa, socklen_t salen,
|
||||
char *host, size_t hostlen, char *serv, size_t servlen, int flags) {
|
||||
|
||||
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
|
||||
if(s_getnameinfo)
|
||||
@ -498,10 +605,10 @@ int getnameinfo(const struct sockaddr *sa, int salen,
|
||||
(void *)&((struct sockaddr_in *)sa)->sin_addr,
|
||||
host, hostlen);
|
||||
#else /* USE_IPv6 */
|
||||
enter_critical_section(CRIT_INET); /* inet_ntoa is not mt-safe */
|
||||
stunnel_write_lock(&stunnel_locks[LOCK_INET]); /* inet_ntoa is not mt-safe */
|
||||
strncpy(host, inet_ntoa(((struct sockaddr_in *)sa)->sin_addr),
|
||||
hostlen);
|
||||
leave_critical_section(CRIT_INET);
|
||||
stunnel_write_unlock(&stunnel_locks[LOCK_INET]);
|
||||
host[hostlen-1]='\0';
|
||||
#endif /* USE_IPv6 */
|
||||
}
|
||||
|
@ -1,10 +1,15 @@
|
||||
#define WM_SYSTRAY (WM_USER+0)
|
||||
|
||||
#define WM_VALID_CONFIG (WM_APP+0)
|
||||
#define WM_INVALID_CONFIG (WM_APP+1)
|
||||
#define WM_LOG (WM_APP+2)
|
||||
#define WM_NEW_CHAIN (WM_APP+3)
|
||||
#define WM_CLIENTS (WM_APP+4)
|
||||
|
||||
#define IDI_MYICON 10
|
||||
#define IDI_STUNNEL_MAIN 10
|
||||
#define IDI_STUNNEL_ACTIVE 11
|
||||
#define IDI_STUNNEL_ERROR 12
|
||||
#define IDI_STUNNEL_IDLE 13
|
||||
|
||||
#define IDE_EDIT 20
|
||||
#define IDE_PASSEDIT 21
|
||||
@ -26,3 +31,6 @@
|
||||
#define IDM_HOMEPAGE 52
|
||||
|
||||
#define IDM_PEER_MENU 60
|
||||
|
||||
#define IDS_SERVICE_DESC 70
|
||||
|
||||
|
@ -4,7 +4,7 @@
|
||||
|
||||
VS_VERSION_INFO VERSIONINFO
|
||||
FILEVERSION STUNNEL_VERSION_FIELDS
|
||||
PRODUCTVERSION STUNNEL_VERSION_FIELDS
|
||||
PRODUCTVERSION STUNNEL_VERSION_FIELDS
|
||||
FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
|
||||
FILEFLAGS 0
|
||||
FILEOS VOS__WINDOWS32
|
||||
@ -16,10 +16,10 @@ BEGIN
|
||||
BLOCK "040904E4"
|
||||
BEGIN
|
||||
VALUE "CompanyName", "Michal Trojnara"
|
||||
VALUE "FileDescription", "stunnel - multiplatform SSL tunneling proxy"
|
||||
VALUE "FileDescription", "stunnel - TLS offloading and load-balancing proxy"
|
||||
VALUE "FileVersion", STUNNEL_VERSION
|
||||
VALUE "InternalName", "stunnel"
|
||||
VALUE "LegalCopyright", "© by Michal Trojnara, 1998-2013"
|
||||
VALUE "LegalCopyright", "© by Michal Trojnara, 1998-2017"
|
||||
VALUE "OriginalFilename", "stunnel.exe"
|
||||
VALUE "ProductName", STUNNEL_PRODUCTNAME
|
||||
VALUE "ProductVersion", STUNNEL_VERSION
|
||||
@ -31,7 +31,10 @@ BEGIN
|
||||
END
|
||||
END
|
||||
|
||||
IDI_MYICON ICON "stunnel.ico"
|
||||
IDI_STUNNEL_MAIN ICON "stunnel.ico"
|
||||
IDI_STUNNEL_ACTIVE ICON "active.ico"
|
||||
IDI_STUNNEL_ERROR ICON "error.ico"
|
||||
IDI_STUNNEL_IDLE ICON "idle.ico"
|
||||
|
||||
IDM_MAINMENU MENU
|
||||
BEGIN
|
||||
@ -40,18 +43,28 @@ BEGIN
|
||||
MENUITEM "&Save Log As", IDM_SAVE_LOG
|
||||
MENUITEM "Reopen &Log File", IDM_REOPEN_LOG, GRAYED
|
||||
MENUITEM SEPARATOR
|
||||
MENUITEM "E&xit", IDM_EXIT
|
||||
MENUITEM SEPARATOR
|
||||
MENUITEM "&Close", IDM_CLOSE
|
||||
END
|
||||
#ifdef _WIN32_WCE
|
||||
POPUP "&Config"
|
||||
#else
|
||||
POPUP "&Configuration"
|
||||
#endif
|
||||
BEGIN
|
||||
MENUITEM "&Edit stunnel.conf", IDM_EDIT_CONFIG
|
||||
MENUITEM "&Reload stunnel.conf", IDM_RELOAD_CONFIG
|
||||
MENUITEM "&Edit Configuration", IDM_EDIT_CONFIG
|
||||
MENUITEM "&Reload Configuration", IDM_RELOAD_CONFIG
|
||||
END
|
||||
POPUP "&Save peer certificate"
|
||||
#ifdef _WIN32_WCE
|
||||
POPUP "&Save Peer Certs"
|
||||
#else
|
||||
POPUP "&Save Peer Certificate"
|
||||
#endif
|
||||
BEGIN
|
||||
MENUITEM "dummy", 0, GRAYED
|
||||
END
|
||||
POPUP "&Help", HELP
|
||||
POPUP "&Help"
|
||||
BEGIN
|
||||
MENUITEM "&About", IDM_ABOUT
|
||||
MENUITEM SEPARATOR
|
||||
@ -66,13 +79,13 @@ BEGIN
|
||||
BEGIN
|
||||
MENUITEM "Show Log &Window", IDM_SHOW_LOG
|
||||
MENUITEM SEPARATOR
|
||||
POPUP "&Save peer certificate"
|
||||
POPUP "&Save Peer Certificate"
|
||||
BEGIN
|
||||
MENUITEM "dummy", 0, GRAYED
|
||||
END
|
||||
MENUITEM SEPARATOR
|
||||
MENUITEM "&Edit stunnel.conf", IDM_EDIT_CONFIG
|
||||
MENUITEM "&Reload stunnel.conf", IDM_RELOAD_CONFIG
|
||||
MENUITEM "&Edit Configuration", IDM_EDIT_CONFIG
|
||||
MENUITEM "&Reload Configuration", IDM_RELOAD_CONFIG
|
||||
MENUITEM "Reopen &Log File", IDM_REOPEN_LOG, GRAYED
|
||||
MENUITEM SEPARATOR
|
||||
MENUITEM "&Homepage", IDM_HOMEPAGE
|
||||
@ -86,36 +99,44 @@ END
|
||||
ABOUTBOX DIALOG DISCARDABLE 0, 0, 140, 68
|
||||
STYLE DS_MODALFRAME|DS_CENTER|WS_POPUP|WS_CAPTION|WS_SYSMENU
|
||||
CAPTION "About stunnel"
|
||||
FONT 8, "MS Sans Serif"
|
||||
BEGIN
|
||||
ICON IDI_MYICON, -1, 9, 8, 18, 20
|
||||
LTEXT "stunnel version", -1, 30, 4, 52, 8
|
||||
LTEXT STUNNEL_VERSION, -1, 82, 4, 54, 8
|
||||
LTEXT "© by Michal Trojnara, 1998-2013", -1, 30, 12, 106, 8
|
||||
ICON IDI_STUNNEL_MAIN, -1, 6, 6, 20, 20
|
||||
LTEXT "stunnel version", -1, 30, 4, 49, 8
|
||||
LTEXT STUNNEL_VERSION, -1, 79, 4, 57, 8
|
||||
LTEXT "© by Michal Trojnara, 1998-2017", -1, 30, 12, 106, 8
|
||||
LTEXT "All Rights Reserved", -1, 30, 20, 106, 8
|
||||
LTEXT "Licensed under the GNU GPL version 2", -1, 4, 28, 132, 8
|
||||
LTEXT "with a special exception for OpenSSL", -1, 4, 36, 132, 8
|
||||
DEFPUSHBUTTON "OK",IDOK, 54, 48, 32, 14, WS_GROUP
|
||||
END
|
||||
|
||||
PASSBOX DIALOG DISCARDABLE 0, 0, 158, 51
|
||||
PASSBOX DIALOG DISCARDABLE 0, 0, 156, 51
|
||||
STYLE DS_MODALFRAME|DS_CENTER|WS_POPUP|WS_CAPTION|WS_SYSMENU
|
||||
CAPTION ""
|
||||
FONT 8, "MS Sans Serif"
|
||||
BEGIN
|
||||
ICON IDI_MYICON, -1, 8, 6, 18, 20
|
||||
LTEXT "Pass phrase:", -1, 33, 9, 50, 8
|
||||
EDITTEXT IDE_PASSEDIT, 86, 7, 65, 12, ES_PASSWORD|ES_AUTOHSCROLL
|
||||
DEFPUSHBUTTON "OK",IDOK, 7, 30, 50, 14
|
||||
PUSHBUTTON "Cancel",IDCANCEL, 101, 30, 50, 14
|
||||
ICON IDI_STUNNEL_MAIN, -1, 6, 6, 20, 20
|
||||
LTEXT "Key passphrase:", -1, 30, 13, 56, 8
|
||||
EDITTEXT IDE_PASSEDIT, 86, 11, 64, 12, ES_PASSWORD|ES_AUTOHSCROLL
|
||||
DEFPUSHBUTTON "OK",IDOK, 6, 30, 50, 14
|
||||
PUSHBUTTON "Cancel",IDCANCEL, 100, 30, 50, 14
|
||||
END
|
||||
|
||||
PINBOX DIALOG DISCARDABLE 0, 0, 158, 51
|
||||
PINBOX DIALOG DISCARDABLE 0, 0, 156, 51
|
||||
STYLE DS_MODALFRAME|DS_CENTER|WS_POPUP|WS_CAPTION|WS_SYSMENU
|
||||
CAPTION ""
|
||||
FONT 8, "MS Sans Serif"
|
||||
BEGIN
|
||||
ICON IDI_MYICON, -1, 8, 6, 18, 20
|
||||
LTEXT "SmartCard PIN:", -1, 33, 9, 50, 8
|
||||
EDITTEXT IDE_PINEDIT, 86, 7, 65, 12, ES_PASSWORD|ES_AUTOHSCROLL
|
||||
DEFPUSHBUTTON "OK",IDOK, 7, 30, 50, 14
|
||||
PUSHBUTTON "Cancel",IDCANCEL, 101, 30, 50, 14
|
||||
ICON IDI_STUNNEL_MAIN, -1, 6, 6, 20, 20
|
||||
LTEXT "SmartCard PIN:", -1, 30, 13, 56, 8
|
||||
EDITTEXT IDE_PINEDIT, 86, 11, 64, 12, ES_PASSWORD|ES_AUTOHSCROLL
|
||||
DEFPUSHBUTTON "OK",IDOK, 6, 30, 50, 14
|
||||
PUSHBUTTON "Cancel",IDCANCEL, 100, 30, 50, 14
|
||||
END
|
||||
|
||||
STRINGTABLE
|
||||
BEGIN
|
||||
IDS_SERVICE_DESC "TLS offloading and load-balancing proxy"
|
||||
END
|
||||
|
198
src/ssl.c
@ -1,6 +1,6 @@
|
||||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
@ -38,54 +38,117 @@
|
||||
#include "common.h"
|
||||
#include "prototypes.h"
|
||||
|
||||
/* global OpenSSL initalization: compression, engine, entropy */
|
||||
static int init_compression(GLOBAL_OPTIONS *);
|
||||
static int init_prng(GLOBAL_OPTIONS *);
|
||||
static int add_rand_file(GLOBAL_OPTIONS *, const char *);
|
||||
/* global OpenSSL initialization: compression, engine, entropy */
|
||||
NOEXPORT void cb_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
|
||||
int idx, long argl, void *argp);
|
||||
#ifndef OPENSSL_NO_COMP
|
||||
NOEXPORT int compression_init(GLOBAL_OPTIONS *);
|
||||
#endif
|
||||
NOEXPORT int prng_init(GLOBAL_OPTIONS *);
|
||||
NOEXPORT int add_rand_file(GLOBAL_OPTIONS *, const char *);
|
||||
|
||||
int cli_index, opt_index; /* to keep structure for callbacks */
|
||||
int index_ssl_cli, index_ssl_ctx_opt;
|
||||
int index_session_authenticated, index_session_connect_address;
|
||||
|
||||
int ssl_init(void) { /* init SSL before parsing configuration file */
|
||||
int ssl_init(void) { /* init TLS before parsing configuration file */
|
||||
#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
||||
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS |
|
||||
OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
|
||||
#else
|
||||
SSL_load_error_strings();
|
||||
SSL_library_init();
|
||||
cli_index=SSL_get_ex_new_index(0, "cli index", NULL, NULL, NULL);
|
||||
opt_index=SSL_CTX_get_ex_new_index(0, "opt index", NULL, NULL, NULL);
|
||||
if(cli_index<0 || opt_index<0)
|
||||
#endif
|
||||
index_ssl_cli=SSL_get_ex_new_index(0,
|
||||
"CLI pointer", NULL, NULL, NULL);
|
||||
index_ssl_ctx_opt=SSL_CTX_get_ex_new_index(0,
|
||||
"SERVICE_OPTIONS pointer", NULL, NULL, NULL);
|
||||
index_session_authenticated=SSL_SESSION_get_ex_new_index(0,
|
||||
"session authenticated", NULL, NULL, NULL);
|
||||
index_session_connect_address=SSL_SESSION_get_ex_new_index(0,
|
||||
"session connect address", NULL, NULL, cb_free);
|
||||
if(index_ssl_cli<0 || index_ssl_ctx_opt<0 ||
|
||||
index_session_authenticated<0 ||
|
||||
index_session_connect_address<0) {
|
||||
s_log(LOG_ERR, "Application specific data initialization failed");
|
||||
return 1;
|
||||
#ifdef HAVE_OSSL_ENGINE_H
|
||||
}
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
ENGINE_load_builtin_engines();
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_DH
|
||||
dh_params=get_dh2048();
|
||||
if(!dh_params) {
|
||||
s_log(LOG_ERR, "Failed to get default DH parameters");
|
||||
return 1;
|
||||
}
|
||||
#endif /* OPENSSL_NO_DH */
|
||||
return 0;
|
||||
}
|
||||
|
||||
int ssl_configure(GLOBAL_OPTIONS *global) { /* configure global SSL settings */
|
||||
#ifndef OPENSSL_NO_DH
|
||||
#if OPENSSL_VERSION_NUMBER<0x10100000L
|
||||
/* this is needed for dhparam.c generated with OpenSSL >= 1.1.0
|
||||
* to be linked against the older versions */
|
||||
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
|
||||
if(!p || !g) /* q is optional */
|
||||
return 0;
|
||||
BN_free(dh->p);
|
||||
BN_free(dh->q);
|
||||
BN_free(dh->g);
|
||||
dh->p = p;
|
||||
dh->q = q;
|
||||
dh->g = g;
|
||||
if(q)
|
||||
dh->length = BN_num_bits(q);
|
||||
return 1;
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
|
||||
NOEXPORT void cb_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
|
||||
int idx, long argl, void *argp) {
|
||||
(void)parent; /* squash the unused parameter warning */
|
||||
(void)ad; /* squash the unused parameter warning */
|
||||
(void)idx; /* squash the unused parameter warning */
|
||||
(void)argl; /* squash the unused parameter warning */
|
||||
s_log(LOG_DEBUG, "Deallocating application specific data for %s",
|
||||
(char *)argp);
|
||||
str_free(ptr);
|
||||
}
|
||||
|
||||
int ssl_configure(GLOBAL_OPTIONS *global) { /* configure global TLS settings */
|
||||
#ifdef USE_FIPS
|
||||
if(FIPS_mode()!=global->option.fips) {
|
||||
RAND_set_rand_method(NULL); /* reset RAND methods */
|
||||
if(!FIPS_mode_set(global->option.fips)) {
|
||||
#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
||||
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
|
||||
#else
|
||||
ERR_load_crypto_strings();
|
||||
#endif
|
||||
sslerror("FIPS_mode_set");
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
s_log(LOG_NOTICE, "FIPS mode is %s",
|
||||
s_log(LOG_NOTICE, "FIPS mode %s",
|
||||
global->option.fips ? "enabled" : "disabled");
|
||||
#endif /* USE_FIPS */
|
||||
if(init_compression(global))
|
||||
#ifndef OPENSSL_NO_COMP
|
||||
if(compression_init(global))
|
||||
return 1;
|
||||
if(init_prng(global))
|
||||
#endif /* OPENSSL_NO_COMP */
|
||||
if(prng_init(global))
|
||||
return 1;
|
||||
s_log(LOG_DEBUG, "PRNG seeded successfully");
|
||||
return 0; /* SUCCESS */
|
||||
}
|
||||
|
||||
static int init_compression(GLOBAL_OPTIONS *global) {
|
||||
#ifndef OPENSSL_NO_COMP
|
||||
SSL_COMP *comp;
|
||||
STACK_OF(SSL_COMP) *ssl_comp_methods;
|
||||
NOEXPORT int compression_init(GLOBAL_OPTIONS *global) {
|
||||
STACK_OF(SSL_COMP) *methods;
|
||||
|
||||
ssl_comp_methods=SSL_COMP_get_compression_methods();
|
||||
if(!ssl_comp_methods) {
|
||||
methods=SSL_COMP_get_compression_methods();
|
||||
if(!methods) {
|
||||
if(global->compression==COMP_NONE) {
|
||||
s_log(LOG_NOTICE, "Failed to get compression methods");
|
||||
return 0; /* ignore */
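Review bot: the `DH_set0_pqg` compatibility shim is a global, exported function carrying the OpenSSL 1.1.0 API name, unlike the other helpers in this file which are `NOEXPORT`; any pre-1.1.0 libcrypto build that already provides that symbol will collide at link time. Suggest guarding it with a configure-time check for the symbol rather than the bare version comparison, and adding a comment that, unlike OpenSSL's own `DH_set0_pqg`, this shim rejects a NULL `p` or `g` even when the DH object already holds one. The `cb_free` callback prints `argp` as a string in its debug message, so every `*_get_ex_new_index` call that registers it must pass a string literal as `argp`; worth a comment at the registration site.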
|
||||
@ -95,73 +158,47 @@ static int init_compression(GLOBAL_OPTIONS *global) {
|
||||
}
|
||||
}
|
||||
|
||||
/* delete OpenSSL defaults (empty the SSL_COMP stack) */
|
||||
/* cannot use sk_SSL_COMP_pop_free, as it also destroys the stack itself */
|
||||
while(sk_SSL_COMP_num(ssl_comp_methods))
|
||||
OPENSSL_free(sk_SSL_COMP_pop(ssl_comp_methods));
|
||||
if(global->compression==COMP_NONE ||
|
||||
OpenSSL_version_num()<0x00908051L /* 0.9.8e-beta1 */) {
|
||||
/* delete OpenSSL defaults (empty the SSL_COMP stack) */
|
||||
/* cannot use sk_SSL_COMP_pop_free,
|
||||
* as it also destroys the stack itself */
|
||||
/* only leave the standard RFC 1951 (DEFLATE) algorithm,
|
||||
* if any of the private algorithms is enabled */
|
||||
/* only allow DEFLATE with OpenSSL 0.9.8 or later
|
||||
* with OpenSSL #1468 zlib memory leak fixed */
|
||||
while(sk_SSL_COMP_num(methods))
|
||||
OPENSSL_free(sk_SSL_COMP_pop(methods));
|
||||
}
|
||||
|
||||
if(global->compression==COMP_NONE) {
|
||||
s_log(LOG_DEBUG, "Compression not enabled");
|
||||
s_log(LOG_DEBUG, "Compression disabled");
|
||||
return 0; /* success */
|
||||
}
|
||||
|
||||
/* insert RFC 1951 (DEFLATE) algoritm */
|
||||
if(SSLeay()>=0x00908051L) { /* 0.9.8e-beta1 */
|
||||
/* only allow DEFLATE with OpenSSL 0.9.8 or later
|
||||
with openssl #1468 zlib memory leak fixed */
|
||||
comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
|
||||
if(!comp) {
|
||||
s_log(LOG_ERR, "OPENSSL_malloc filed");
|
||||
return 1;
|
||||
}
|
||||
comp->id=1; /* RFC 1951 */
|
||||
comp->method=COMP_zlib();
|
||||
if(!comp->method || comp->method->type==NID_undef) {
|
||||
OPENSSL_free(comp);
|
||||
s_log(LOG_ERR, "Failed to initialize compression method");
|
||||
return 1;
|
||||
}
|
||||
comp->name=comp->method->name;
|
||||
sk_SSL_COMP_push(ssl_comp_methods, comp);
|
||||
}
|
||||
|
||||
/* also insert one of obsolete (ZLIB/RLE) algoritms */
|
||||
comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
|
||||
if(!comp) {
|
||||
s_log(LOG_ERR, "OPENSSL_malloc filed");
|
||||
return 1;
|
||||
}
|
||||
/* also insert the obsolete ZLIB algorithm */
|
||||
if(global->compression==COMP_ZLIB) {
|
||||
comp->id=0xe0; /* 224 - within private range (193 to 255) */
|
||||
comp->method=COMP_zlib();
|
||||
} else if(global->compression==COMP_RLE) {
|
||||
comp->id=0xe1; /* 225 - within private range (193 to 255) */
|
||||
comp->method=COMP_rle();
|
||||
} else {
|
||||
s_log(LOG_INFO, "Compression enabled: %d algorithm(s)",
|
||||
sk_SSL_COMP_num(ssl_comp_methods));
|
||||
OPENSSL_free(comp);
|
||||
return 0;
|
||||
/* 224 - within the private range (193 to 255) */
|
||||
COMP_METHOD *meth=COMP_zlib();
|
||||
#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
||||
if(!meth || COMP_get_type(meth)==NID_undef) {
|
||||
#else
|
||||
if(!meth || meth->type==NID_undef) {
|
||||
#endif
|
||||
s_log(LOG_ERR, "ZLIB compression is not supported");
|
||||
return 1;
|
||||
}
|
||||
SSL_COMP_add_compression_method(0xe0, meth);
|
||||
}
|
||||
if(!comp->method || comp->method->type==NID_undef) {
|
||||
OPENSSL_free(comp);
|
||||
s_log(LOG_ERR, "Failed to initialize compression method");
|
||||
return 1;
|
||||
}
|
||||
comp->name=comp->method->name;
|
||||
sk_SSL_COMP_push(ssl_comp_methods, comp);
|
||||
s_log(LOG_INFO, "Compression enabled: %d algorithm(s)",
|
||||
sk_SSL_COMP_num(ssl_comp_methods));
|
||||
#endif /* OPENSSL_NO_COMP */
|
||||
s_log(LOG_INFO, "Compression enabled: %d method(s)",
|
||||
sk_SSL_COMP_num(methods));
|
||||
return 0; /* success */
|
||||
}
|
||||
#endif /* OPENSSL_NO_COMP */
|
||||
|
||||
static int init_prng(GLOBAL_OPTIONS *global) {
|
||||
NOEXPORT int prng_init(GLOBAL_OPTIONS *global) {
|
||||
int totbytes=0;
|
||||
char filename[256];
|
||||
int bytes;
|
||||
|
||||
bytes=0; /* avoid warning if #ifdef'd out for windows */
|
||||
|
||||
filename[0]='\0';
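Review bot: the return value of `SSL_COMP_add_compression_method(0xe0, meth)` is discarded; it returns nonzero on failure (for example when the id is already registered or the stack push fails), after which the code still logs "Compression enabled: %d method(s)". Suggest `if(SSL_COMP_add_compression_method(0xe0, meth)) { sslerror("SSL_COMP_add_compression_method"); return 1; }`. Also the removed `COMP_RLE` branch has no replacement: if that enum value can still be produced by the option parser, `compression_init` now leaves OpenSSL's default methods in place and reports them as enabled instead of failing.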
|
||||
|
||||
@ -195,8 +232,10 @@ static int init_prng(GLOBAL_OPTIONS *global) {
|
||||
}
|
||||
s_log(LOG_DEBUG, "RAND_screen failed to sufficiently seed PRNG");
|
||||
#else
|
||||
#ifndef OPENSSL_NO_EGD
|
||||
if(global->egd_sock) {
|
||||
if((bytes=RAND_egd(global->egd_sock))==-1) {
|
||||
int bytes=RAND_egd(global->egd_sock);
|
||||
if(bytes==-1) {
|
||||
s_log(LOG_WARNING, "EGD Socket %s failed", global->egd_sock);
|
||||
bytes=0;
|
||||
} else {
|
||||
@ -207,6 +246,7 @@ static int init_prng(GLOBAL_OPTIONS *global) {
|
||||
so no need to check if seeded sufficiently */
|
||||
}
|
||||
}
|
||||
#endif
|
||||
/* try the good-old default /dev/urandom, if available */
|
||||
totbytes+=add_rand_file(global, "/dev/urandom");
|
||||
if(RAND_status())
|
||||
@ -219,7 +259,7 @@ static int init_prng(GLOBAL_OPTIONS *global) {
|
||||
return 1; /* FAILED */
|
||||
}
|
||||
|
||||
static int add_rand_file(GLOBAL_OPTIONS *global, const char *filename) {
|
||||
NOEXPORT int add_rand_file(GLOBAL_OPTIONS *global, const char *filename) {
|
||||
int readbytes;
|
||||
int writebytes;
|
||||
struct stat sb;
|
||||
@ -233,7 +273,7 @@ static int add_rand_file(GLOBAL_OPTIONS *global, const char *filename) {
|
||||
s_log(LOG_INFO, "Cannot retrieve any random data from %s",
|
||||
filename);
|
||||
/* write new random data for future seeding if it's a regular file */
|
||||
if(global->option.rand_write && (sb.st_mode & S_IFREG)) {
|
||||
if(global->option.rand_write && S_ISREG(sb.st_mode)) {
|
||||
writebytes=RAND_write_file(filename);
|
||||
if(writebytes==-1)
|
||||
s_log(LOG_WARNING, "Failed to write strong random data to %s - "
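Review bot: the switch from `sb.st_mode & S_IFREG` to `S_ISREG(sb.st_mode)` is a correctness fix rather than a style change and deserves a changelog line: `S_IFREG` (0100000) is not a single bit in the file-type field, so the old test also matched symlinks (`S_IFLNK`, 0120000) and sockets (`S_IFSOCK`, 0140000), which `RAND_write_file` would then have overwritten.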
|
518
src/sthreads.c
@ -1,6 +1,6 @@
|
||||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
@ -43,19 +43,256 @@
|
||||
#include "common.h"
|
||||
#include "prototypes.h"
|
||||
|
||||
/**************************************** thread ID callbacks */
|
||||
|
||||
#ifdef USE_UCONTEXT
|
||||
|
||||
unsigned long stunnel_process_id(void) {
|
||||
return (unsigned long)getpid();
|
||||
}
|
||||
|
||||
unsigned long stunnel_thread_id(void) {
|
||||
return ready_head ? ready_head->id : 0;
|
||||
}
|
||||
|
||||
#endif /* USE_UCONTEXT */
|
||||
|
||||
#ifdef USE_FORK
|
||||
|
||||
unsigned long stunnel_process_id(void) {
|
||||
return (unsigned long)getpid();
|
||||
}
|
||||
|
||||
unsigned long stunnel_thread_id(void) {
|
||||
return 0L;
|
||||
}
|
||||
|
||||
#endif /* USE_FORK */
|
||||
|
||||
#ifdef USE_PTHREAD
|
||||
|
||||
unsigned long stunnel_process_id(void) {
|
||||
return (unsigned long)getpid();
|
||||
}
|
||||
|
||||
unsigned long stunnel_thread_id(void) {
|
||||
#if defined(SYS_gettid) && defined(__linux__)
|
||||
return (unsigned long)syscall(SYS_gettid);
|
||||
#else
|
||||
return (unsigned long)pthread_self();
|
||||
#endif
|
||||
}
|
||||
|
||||
#endif /* USE_PTHREAD */
|
||||
|
||||
#ifdef USE_WIN32
|
||||
|
||||
unsigned long stunnel_process_id(void) {
|
||||
return GetCurrentProcessId() & 0x00ffffff;
|
||||
}
|
||||
|
||||
unsigned long stunnel_thread_id(void) {
|
||||
return GetCurrentThreadId() & 0x00ffffff;
|
||||
}
|
||||
|
||||
#endif /* USE_WIN32 */
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER>=0x10000000L && OPENSSL_VERSION_NUMBER<0x10100004L
|
||||
NOEXPORT void threadid_func(CRYPTO_THREADID *tid) {
|
||||
CRYPTO_THREADID_set_numeric(tid, stunnel_thread_id());
|
||||
}
|
||||
#endif
|
||||
|
||||
void thread_id_init(void) {
|
||||
#if OPENSSL_VERSION_NUMBER>=0x10000000L && OPENSSL_VERSION_NUMBER<0x10100000L
|
||||
CRYPTO_THREADID_set_callback(threadid_func);
|
||||
#endif
|
||||
#if OPENSSL_VERSION_NUMBER<0x10000000L || !defined(OPENSSL_NO_DEPRECATED)
|
||||
CRYPTO_set_id_callback(stunnel_thread_id);
|
||||
#endif
|
||||
}
|
||||
|
||||
/**************************************** locking */
|
||||
|
||||
#ifdef USE_PTHREAD
|
||||
|
||||
void stunnel_rwlock_init_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
pthread_rwlock_init(&lock->rwlock, NULL);
|
||||
lock->init_file=file;
|
||||
lock->init_line=line;
|
||||
}
|
||||
|
||||
void stunnel_read_lock_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
pthread_rwlock_rdlock(&lock->rwlock);
|
||||
lock->read_lock_file=file;
|
||||
lock->read_lock_line=line;
|
||||
}
|
||||
|
||||
void stunnel_write_lock_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
pthread_rwlock_wrlock(&lock->rwlock);
|
||||
lock->write_lock_file=file;
|
||||
lock->write_lock_line=line;
|
||||
}
|
||||
|
||||
void stunnel_read_unlock_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
pthread_rwlock_unlock(&lock->rwlock);
|
||||
lock->read_unlock_file=file;
|
||||
lock->read_unlock_line=line;
|
||||
}
|
||||
|
||||
void stunnel_write_unlock_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
pthread_rwlock_unlock(&lock->rwlock);
|
||||
lock->write_unlock_file=file;
|
||||
lock->write_unlock_line=line;
|
||||
}
|
||||
|
||||
void stunnel_rwlock_destroy_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
pthread_rwlock_destroy(&lock->rwlock);
|
||||
lock->destroy_file=file;
|
||||
lock->destroy_line=line;
|
||||
str_free(lock);
|
||||
}
|
||||
|
||||
#endif /* USE_PTHREAD */
|
||||
|
||||
#ifdef USE_WIN32
|
||||
|
||||
/* Slim Reader/Writer (SRW) Lock would be better than CRITICAL_SECTION,
|
||||
* but it is unsupported on Windows XP (and earlier versions of Windows):
|
||||
* https://msdn.microsoft.com/en-us/library/windows/desktop/aa904937%28v=vs.85%29.aspx */
|
||||
|
||||
void stunnel_rwlock_init_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
InitializeCriticalSection(&lock->critical_section);
|
||||
lock->init_file=file;
|
||||
lock->init_line=line;
|
||||
}
|
||||
|
||||
void stunnel_read_lock_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
EnterCriticalSection(&lock->critical_section);
|
||||
lock->read_lock_file=file;
|
||||
lock->read_lock_line=line;
|
||||
}
|
||||
|
||||
void stunnel_write_lock_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
EnterCriticalSection(&lock->critical_section);
|
||||
lock->write_lock_file=file;
|
||||
lock->write_lock_line=line;
|
||||
}
|
||||
|
||||
void stunnel_read_unlock_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
LeaveCriticalSection(&lock->critical_section);
|
||||
lock->read_unlock_file=file;
|
||||
lock->read_unlock_line=line;
|
||||
}
|
||||
|
||||
void stunnel_write_unlock_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
LeaveCriticalSection(&lock->critical_section);
|
||||
lock->write_unlock_file=file;
|
||||
lock->write_unlock_line=line;
|
||||
}
|
||||
|
||||
void stunnel_rwlock_destroy_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
DeleteCriticalSection(&lock->critical_section);
|
||||
lock->destroy_file=file;
|
||||
lock->destroy_line=line;
|
||||
str_free(lock);
|
||||
}
|
||||
|
||||
#endif /* USE_WIN32 */
|
||||
|
||||
#if defined(USE_PTHREAD) || defined(USE_WIN32)
|
||||
|
||||
struct CRYPTO_dynlock_value stunnel_locks[STUNNEL_LOCKS];
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER<0x10100004L
|
||||
#define CRYPTO_THREAD_lock_new() CRYPTO_get_new_dynlockid()
|
||||
#endif
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER<0x10100004L
|
||||
|
||||
static struct CRYPTO_dynlock_value *lock_cs;
|
||||
|
||||
NOEXPORT struct CRYPTO_dynlock_value *dyn_create_function(const char *file,
|
||||
int line) {
|
||||
struct CRYPTO_dynlock_value *lock;
|
||||
|
||||
lock=str_alloc_detached(sizeof(struct CRYPTO_dynlock_value));
|
||||
stunnel_rwlock_init_debug(lock, file, line);
|
||||
return lock;
|
||||
}
|
||||
|
||||
NOEXPORT void dyn_lock_function(int mode, struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
if(mode&CRYPTO_LOCK) {
|
||||
/* either CRYPTO_READ or CRYPTO_WRITE (but not both) are needed */
|
||||
if(!(mode&CRYPTO_READ)==!(mode&CRYPTO_WRITE))
|
||||
fatal("Invalid locking mode");
|
||||
if(mode&CRYPTO_WRITE)
|
||||
stunnel_write_lock_debug(lock, file, line);
|
||||
else
|
||||
stunnel_read_lock_debug(lock, file, line);
|
||||
} else
|
||||
stunnel_write_unlock_debug(lock, file, line);
|
||||
}
|
||||
|
||||
NOEXPORT void dyn_destroy_function(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
stunnel_rwlock_destroy_debug(lock, file, line);
|
||||
str_free(lock);
|
||||
}
|
||||
|
||||
NOEXPORT void locking_callback(int mode, int type, const char *file, int line) {
|
||||
dyn_lock_function(mode, lock_cs+type, file, line);
|
||||
}
|
||||
|
||||
#endif /* OPENSSL_VERSION_NUMBER<0x10100004L */
|
||||
|
||||
void locking_init(void) {
|
||||
size_t i;
|
||||
#if OPENSSL_VERSION_NUMBER<0x10100004L
|
||||
size_t num;
|
||||
#endif
|
||||
|
||||
/* initialize stunnel critical sections */
|
||||
for(i=0; i<STUNNEL_LOCKS; i++) /* all the mutexes */
|
||||
stunnel_rwlock_init(&stunnel_locks[i]);
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER<0x10100004L
|
||||
/* initialize the OpenSSL static locking */
|
||||
num=(size_t)CRYPTO_num_locks();
|
||||
lock_cs=str_alloc_detached(num*sizeof(struct CRYPTO_dynlock_value));
|
||||
for(i=0; i<num; i++)
|
||||
stunnel_rwlock_init(&lock_cs[i]);
|
||||
|
||||
/* initialize the OpenSSL static locking callbacks */
|
||||
CRYPTO_set_locking_callback(locking_callback);
|
||||
|
||||
/* initialize the OpenSSL dynamic locking callbacks */
|
||||
CRYPTO_set_dynlock_create_callback(dyn_create_function);
|
||||
CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
|
||||
CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function);
|
||||
#endif
|
||||
}
|
||||
|
||||
#endif /* defined(USE_PTHREAD) || defined(USE_WIN32) */
|
||||
|
||||
/**************************************** creating a client */
|
||||
|
||||
#if defined(USE_UCONTEXT) || defined(USE_FORK)
|
||||
/* no need for critical sections */
|
||||
|
||||
void enter_critical_section(SECTION_CODE i) {
|
||||
(void)i; /* skip warning about unused parameter */
|
||||
/* empty */
|
||||
}
|
||||
|
||||
void leave_critical_section(SECTION_CODE i) {
|
||||
(void)i; /* skip warning about unused parameter */
|
||||
/* empty */
|
||||
}
|
||||
|
||||
#endif /* USE_UCONTEXT || USE_FORK */
|
||||
|
||||
#ifdef USE_UCONTEXT
|
||||
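Review bot: `dyn_destroy_function` frees the lock twice: `stunnel_rwlock_destroy_debug` already ends with `str_free(lock)` (both the pthread and the Win32 version), and `dyn_destroy_function` then calls `str_free(lock)` again on its own copy of the pointer. Unless `str_free` is guaranteed to detect the already-released block, this is a double free of every OpenSSL dynlock; drop one of the two calls (the `str_free` in `dyn_destroy_function` seems the right one, since `stunnel_rwlock_destroy_debug` is the owner-side cleanup). Two smaller points in the same hunk: `threadid_func` is compiled for `OPENSSL_VERSION_NUMBER<0x10100004L` but only registered for `<0x10100000L`, so the four pre-release 1.1.0 versions in between get an unused static function (align the two guards); and the unlock branch of `dyn_lock_function` always calls `stunnel_write_unlock_debug`, so `stunnel_read_unlock_debug` is never reached and the `read_unlock_file`/`read_unlock_line` debug fields stay empty even for reader unlocks.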
@ -79,21 +316,12 @@ void leave_critical_section(SECTION_CODE i) {
|
||||
CONTEXT *ready_head=NULL, *ready_tail=NULL; /* ready to execute */
|
||||
CONTEXT *waiting_head=NULL, *waiting_tail=NULL; /* waiting on poll() */
|
||||
|
||||
unsigned long stunnel_process_id(void) {
|
||||
return (unsigned long)getpid();
|
||||
}
|
||||
|
||||
unsigned long stunnel_thread_id(void) {
|
||||
return ready_head ? ready_head->id : 0;
|
||||
}
|
||||
|
||||
static CONTEXT *new_context(void) {
|
||||
static int next_id=1;
|
||||
NOEXPORT CONTEXT *new_context(void) {
|
||||
static unsigned long next_id=1;
|
||||
CONTEXT *context;
|
||||
|
||||
/* allocate and fill the CONTEXT structure */
|
||||
context=str_alloc(sizeof(CONTEXT));
|
||||
str_detach(context);
|
||||
context=str_alloc_detached(sizeof(CONTEXT));
|
||||
context->id=next_id++;
|
||||
context->fds=NULL;
|
||||
context->ready=0;
|
||||
@ -110,17 +338,20 @@ static CONTEXT *new_context(void) {
|
||||
}
|
||||
|
||||
int sthreads_init(void) {
|
||||
thread_id_init();
|
||||
/* create the first (listening) context and put it in the running queue */
|
||||
if(!new_context()) {
|
||||
s_log(LOG_ERR, "Cannot create the listening context");
|
||||
return 1;
|
||||
}
|
||||
/* update tls for newly allocated ready_head */
|
||||
ui_tls=tls_alloc(NULL, ui_tls, "ui");
|
||||
/* no need to initialize ucontext_t structure here
|
||||
it will be initialied with swapcontext() call */
|
||||
return 0;
|
||||
}
|
||||
|
||||
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
||||
int create_client(SOCKET ls, SOCKET s, CLI *arg, void *(*cli)(void *)) {
|
||||
CONTEXT *context;
|
||||
|
||||
(void)ls; /* this parameter is only used with USE_FORK */
|
||||
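Review bot: minor: the unchanged comment in `sthreads_init` still reads "it will be initialied with swapcontext() call"; since this hunk already edits the function, fix the typo to "initialized" in the same change.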
@ -128,8 +359,7 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
||||
s_log(LOG_DEBUG, "Creating a new context");
|
||||
context=new_context();
|
||||
if(!context) {
|
||||
if(arg)
|
||||
str_free(arg);
|
||||
str_free(arg);
|
||||
if(s>=0)
|
||||
closesocket(s);
|
||||
return -1;
|
||||
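Review bot: dropping the `if(arg)` guard before `str_free(arg)` is safe here, but for a reason worth stating in the commit message: `arg->opt->stack_size` is dereferenced unconditionally a few lines later in the same function (see the `-148,8 +377,7` hunk), so `arg` can never be NULL on this path. The same removal is applied to the fork, pthread, Win32 and OS/2 variants below; if `str_free` also tolerates NULL (the `str_free_debug` path is not visible in this file), a short note that both hold would spare the next reader the same check.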
@ -138,8 +368,7 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
||||
/* initialize context_t structure */
|
||||
if(getcontext(&context->context)<0) {
|
||||
str_free(context);
|
||||
if(arg)
|
||||
str_free(arg);
|
||||
str_free(arg);
|
||||
if(s>=0)
|
||||
closesocket(s);
|
||||
ioerror("getcontext");
|
||||
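Review bot: `ioerror("getcontext")` is called after `str_free(context)`, `str_free(arg)` and `closesocket(s)`, each of which may overwrite `errno`, so the logged error may describe the cleanup rather than the failed `getcontext()`. Call `ioerror("getcontext")` first and clean up afterwards, as the pthread variant already does with `ioerror("pthread_create")` before its `str_free`/`closesocket` sequence.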
@ -148,8 +377,7 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
||||
context->context.uc_link=NULL; /* stunnel does not use uc_link */
|
||||
|
||||
/* create stack */
|
||||
context->stack=str_alloc(arg->opt->stack_size);
|
||||
str_detach(context->stack);
|
||||
context->stack=str_alloc_detached(arg->opt->stack_size);
|
||||
#if defined(__sgi) || ARGC==2 /* obsolete ss_sp semantics */
|
||||
context->context.uc_stack.ss_sp=context->stack+arg->opt->stack_size-8;
|
||||
#else
|
||||
@ -168,27 +396,19 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
||||
#ifdef USE_FORK
|
||||
|
||||
int sthreads_init(void) {
|
||||
thread_id_init();
|
||||
return 0;
|
||||
}
|
||||
|
||||
unsigned long stunnel_process_id(void) {
|
||||
return (unsigned long)getpid();
|
||||
}
|
||||
|
||||
unsigned long stunnel_thread_id(void) {
|
||||
return 0L;
|
||||
}
|
||||
|
||||
static void null_handler(int sig) {
|
||||
(void)sig; /* skip warning about unused parameter */
|
||||
NOEXPORT void null_handler(int sig) {
|
||||
(void)sig; /* squash the unused parameter warning */
|
||||
signal(SIGCHLD, null_handler);
|
||||
}
|
||||
|
||||
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
||||
int create_client(SOCKET ls, SOCKET s, CLI *arg, void *(*cli)(void *)) {
|
||||
switch(fork()) {
|
||||
case -1: /* error */
|
||||
if(arg)
|
||||
str_free(arg);
|
||||
str_free(arg);
|
||||
if(s>=0)
|
||||
closesocket(s);
|
||||
return -1;
|
||||
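Review bot: style: `null_handler` re-installs itself with `signal(SIGCHLD, null_handler)` from inside the handler, the old SysV re-arm idiom. Since this hunk already touches the function, consider installing it once with `sigaction()` (with `SA_RESTART`, and `SA_NOCLDWAIT` if the forked children are not reaped elsewhere), which removes the re-arm window and avoids leaving zombies behind.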
@ -199,8 +419,7 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
||||
cli(arg);
|
||||
_exit(0);
|
||||
default: /* parent */
|
||||
if(arg)
|
||||
str_free(arg);
|
||||
str_free(arg);
|
||||
if(s>=0)
|
||||
closesocket(s);
|
||||
}
|
||||
@ -211,95 +430,18 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
||||
|
||||
#ifdef USE_PTHREAD
|
||||
|
||||
static pthread_mutex_t stunnel_cs[CRIT_SECTIONS];
|
||||
static pthread_mutex_t lock_cs[CRYPTO_NUM_LOCKS];
|
||||
|
||||
void enter_critical_section(SECTION_CODE i) {
|
||||
pthread_mutex_lock(stunnel_cs+i);
|
||||
}
|
||||
|
||||
void leave_critical_section(SECTION_CODE i) {
|
||||
pthread_mutex_unlock(stunnel_cs+i);
|
||||
}
|
||||
|
||||
static void locking_callback(int mode, int type, const char *file, int line) {
|
||||
(void)file; /* skip warning about unused parameter */
|
||||
(void)line; /* skip warning about unused parameter */
|
||||
if(mode&CRYPTO_LOCK)
|
||||
pthread_mutex_lock(lock_cs+type);
|
||||
else
|
||||
pthread_mutex_unlock(lock_cs+type);
|
||||
}
|
||||
|
||||
struct CRYPTO_dynlock_value {
|
||||
pthread_mutex_t mutex;
|
||||
};
|
||||
|
||||
static struct CRYPTO_dynlock_value *dyn_create_function(const char *file,
|
||||
int line) {
|
||||
struct CRYPTO_dynlock_value *value;
|
||||
|
||||
(void)file; /* skip warning about unused parameter */
|
||||
(void)line; /* skip warning about unused parameter */
|
||||
value=str_alloc(sizeof(struct CRYPTO_dynlock_value));
|
||||
str_detach(value);
|
||||
pthread_mutex_init(&value->mutex, NULL);
|
||||
return value;
|
||||
}
|
||||
|
||||
static void dyn_lock_function(int mode, struct CRYPTO_dynlock_value *value,
|
||||
const char *file, int line) {
|
||||
(void)file; /* skip warning about unused parameter */
|
||||
(void)line; /* skip warning about unused parameter */
|
||||
if(mode&CRYPTO_LOCK)
|
||||
pthread_mutex_lock(&value->mutex);
|
||||
else
|
||||
pthread_mutex_unlock(&value->mutex);
|
||||
}
|
||||
|
||||
static void dyn_destroy_function(struct CRYPTO_dynlock_value *value,
|
||||
const char *file, int line) {
|
||||
(void)file; /* skip warning about unused parameter */
|
||||
(void)line; /* skip warning about unused parameter */
|
||||
pthread_mutex_destroy(&value->mutex);
|
||||
str_free(value);
|
||||
}
|
||||
|
||||
unsigned long stunnel_process_id(void) {
|
||||
return (unsigned long)getpid();
|
||||
}
|
||||
|
||||
unsigned long stunnel_thread_id(void) {
|
||||
return (unsigned long)pthread_self();
|
||||
}
|
||||
|
||||
int sthreads_init(void) {
|
||||
int i;
|
||||
|
||||
/* initialize stunnel critical sections */
|
||||
for(i=0; i<CRIT_SECTIONS; i++)
|
||||
pthread_mutex_init(stunnel_cs+i, NULL);
|
||||
|
||||
/* initialize OpenSSL locking callback */
|
||||
for(i=0; i<CRYPTO_NUM_LOCKS; i++)
|
||||
pthread_mutex_init(lock_cs+i, NULL);
|
||||
CRYPTO_set_id_callback(stunnel_thread_id);
|
||||
CRYPTO_set_locking_callback(locking_callback);
|
||||
|
||||
/* initialize OpenSSL dynamic locks callbacks */
|
||||
CRYPTO_set_dynlock_create_callback(dyn_create_function);
|
||||
CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
|
||||
CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function);
|
||||
|
||||
thread_id_init();
|
||||
locking_init();
|
||||
return 0;
|
||||
}
|
||||
|
||||
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
||||
int create_client(SOCKET ls, SOCKET s, CLI *arg, void *(*cli)(void *)) {
|
||||
pthread_t thread;
|
||||
pthread_attr_t pth_attr;
|
||||
int error;
|
||||
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
|
||||
/* Disabled on OS X due to strange problems on Mac OS X 10.5
|
||||
/* disabled on OS X due to strange problems on Mac OS X 10.5
|
||||
it seems to restore signal mask somewhere (I couldn't find where)
|
||||
effectively blocking signals after first accepted connection */
|
||||
sigset_t new_set, old_set;
|
||||
@ -325,8 +467,7 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
||||
if(error) {
|
||||
errno=error;
|
||||
ioerror("pthread_create");
|
||||
if(arg)
|
||||
str_free(arg);
|
||||
str_free(arg);
|
||||
if(s>=0)
|
||||
closesocket(s);
|
||||
return -1;
|
||||
@ -338,96 +479,20 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
||||
|
||||
#ifdef USE_WIN32
|
||||
|
||||
static CRITICAL_SECTION stunnel_cs[CRIT_SECTIONS];
|
||||
static CRITICAL_SECTION lock_cs[CRYPTO_NUM_LOCKS];
|
||||
|
||||
void enter_critical_section(SECTION_CODE i) {
|
||||
EnterCriticalSection(stunnel_cs+i);
|
||||
}
|
||||
|
||||
void leave_critical_section(SECTION_CODE i) {
|
||||
LeaveCriticalSection(stunnel_cs+i);
|
||||
}
|
||||
|
||||
static void locking_callback(int mode, int type, const char *file, int line) {
|
||||
(void)file; /* skip warning about unused parameter */
|
||||
(void)line; /* skip warning about unused parameter */
|
||||
if(mode&CRYPTO_LOCK)
|
||||
EnterCriticalSection(lock_cs+type);
|
||||
else
|
||||
LeaveCriticalSection(lock_cs+type);
|
||||
}
|
||||
|
||||
struct CRYPTO_dynlock_value {
|
||||
CRITICAL_SECTION mutex;
|
||||
};
|
||||
|
||||
static struct CRYPTO_dynlock_value *dyn_create_function(const char *file,
|
||||
int line) {
|
||||
struct CRYPTO_dynlock_value *value;
|
||||
|
||||
(void)file; /* skip warning about unused parameter */
|
||||
(void)line; /* skip warning about unused parameter */
|
||||
value=str_alloc(sizeof(struct CRYPTO_dynlock_value));
|
||||
str_detach(value);
|
||||
InitializeCriticalSection(&value->mutex);
|
||||
return value;
|
||||
}
|
||||
|
||||
static void dyn_lock_function(int mode, struct CRYPTO_dynlock_value *value,
|
||||
const char *file, int line) {
|
||||
(void)file; /* skip warning about unused parameter */
|
||||
(void)line; /* skip warning about unused parameter */
|
||||
if(mode&CRYPTO_LOCK)
|
||||
EnterCriticalSection(&value->mutex);
|
||||
else
|
||||
LeaveCriticalSection(&value->mutex);
|
||||
}
|
||||
|
||||
static void dyn_destroy_function(struct CRYPTO_dynlock_value *value,
|
||||
const char *file, int line) {
|
||||
(void)file; /* skip warning about unused parameter */
|
||||
(void)line; /* skip warning about unused parameter */
|
||||
DeleteCriticalSection(&value->mutex);
|
||||
str_free(value);
|
||||
}
|
||||
|
||||
unsigned long stunnel_process_id(void) {
|
||||
return GetCurrentProcessId() & 0x00ffffff;
|
||||
}
|
||||
|
||||
unsigned long stunnel_thread_id(void) {
|
||||
return GetCurrentThreadId() & 0x00ffffff;
|
||||
}
|
||||
|
||||
int sthreads_init(void) {
|
||||
int i;
|
||||
|
||||
/* initialize stunnel critical sections */
|
||||
for(i=0; i<CRIT_SECTIONS; i++)
|
||||
InitializeCriticalSection(stunnel_cs+i);
|
||||
|
||||
/* initialize OpenSSL locking callback */
|
||||
for(i=0; i<CRYPTO_NUM_LOCKS; i++)
|
||||
InitializeCriticalSection(lock_cs+i);
|
||||
CRYPTO_set_locking_callback(locking_callback);
|
||||
|
||||
/* initialize OpenSSL dynamic locks callbacks */
|
||||
CRYPTO_set_dynlock_create_callback(dyn_create_function);
|
||||
CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
|
||||
CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function);
|
||||
|
||||
thread_id_init();
|
||||
locking_init();
|
||||
return 0;
|
||||
}
|
||||
|
||||
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
||||
int create_client(SOCKET ls, SOCKET s, CLI *arg, void *(*cli)(void *)) {
|
||||
(void)ls; /* this parameter is only used with USE_FORK */
|
||||
s_log(LOG_DEBUG, "Creating a new thread");
|
||||
if((long)_beginthread((void(*)(void *))cli, arg->opt->stack_size, arg)==-1) {
|
||||
if((long)_beginthread((void(*)(void *))cli,
|
||||
(unsigned)arg->opt->stack_size, arg)==-1) {
|
||||
ioerror("_beginthread");
|
||||
if(arg)
|
||||
str_free(arg);
|
||||
if(s>=0)
|
||||
str_free(arg);
|
||||
if(s!=INVALID_SOCKET)
|
||||
closesocket(s);
|
||||
return -1;
|
||||
}
|
||||
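Review bot: the change from `if(s>=0)` to `if(s!=INVALID_SOCKET)` is correct and necessary here, because a Win32 `SOCKET` is unsigned and `s>=0` is always true. The other `create_client` variants in this file (ucontext, fork, pthread and OS/2) now take `SOCKET s` too but keep `if(s>=0)`; they compile on POSIX where `SOCKET` is an `int`, but the check should be `s!=INVALID_SOCKET` everywhere so the four copies stay identical and the Win32 bug cannot come back by copy and paste.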
@ -439,14 +504,6 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
||||
|
||||
#ifdef USE_OS2
|
||||
|
||||
void enter_critical_section(SECTION_CODE i) {
|
||||
DosEnterCritSec();
|
||||
}
|
||||
|
||||
void leave_critical_section(SECTION_CODE i) {
|
||||
DosExitCritSec();
|
||||
}
|
||||
|
||||
int sthreads_init(void) {
|
||||
return 0;
|
||||
}
|
||||
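Review bot: this hunk removes the OS/2 `enter_critical_section`/`leave_critical_section` (the `DosEnterCritSec`/`DosExitCritSec` pair), but none of the visible hunks in this file adds an OS/2 replacement: the new no-op versions are guarded by `USE_UCONTEXT || USE_FORK` and the rwlock-based locking by `USE_PTHREAD || USE_WIN32`. Confirm that whatever replaces the removed pthread and Win32 versions (presumably header-level locking) also covers `USE_OS2`, otherwise the OS/2 build no longer links.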
@ -463,13 +520,12 @@ unsigned long stunnel_thread_id(void) {
|
||||
return (unsigned long)ppib->pib_ulpid;
|
||||
}
|
||||
|
||||
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
||||
int create_client(SOCKET ls, SOCKET s, CLI *arg, void *(*cli)(void *)) {
|
||||
(void)ls; /* this parameter is only used with USE_FORK */
|
||||
s_log(LOG_DEBUG, "Creating a new thread");
|
||||
if((long)_beginthread((void(*)(void *))cli, NULL, arg->opt->stack_size, arg)==-1L) {
|
||||
ioerror("_beginthread");
|
||||
if(arg)
|
||||
str_free(arg);
|
||||
str_free(arg);
|
||||
if(s>=0)
|
||||
closesocket(s);
|
||||
return -1;
|
||||
@ -505,12 +561,12 @@ void _endthread(void) {
|
||||
#ifdef DEBUG_STACK_SIZE
|
||||
|
||||
#define STACK_RESERVE (STACK_SIZE/8)
|
||||
#define VERIFY_AREA ((STACK_SIZE-STACK_RESERVE)/sizeof(u32))
|
||||
#define VERIFY_AREA ((STACK_SIZE-STACK_RESERVE)/sizeof(uint32_t))
|
||||
#define TEST_VALUE 0xdeadbeef
|
||||
|
||||
/* some heuristic to determine the usage of client stack size */
|
||||
void stack_info(int init) { /* 1-initialize, 0-display */
|
||||
u32 table[VERIFY_AREA];
|
||||
uint32_t table[VERIFY_AREA];
|
||||
int i, num;
|
||||
static int min_num=VERIFY_AREA;
|
||||
|
||||
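Review bot: style: `VERIFY_AREA` now expands to an expression of type `size_t` (it divides by `sizeof(uint32_t)`), while `int i, num` and `static int min_num=VERIFY_AREA` stay `int`, so the `i<VERIFY_AREA` loops below compare signed with unsigned and the initializer narrows. Declaring `i`, `num` and `min_num` as `size_t` while the type is being changed anyway would silence `-Wsign-compare` and the narrowing warning.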
@ -518,12 +574,12 @@ void stack_info(int init) { /* 1-initialize, 0-display */
|
||||
for(i=0; i<VERIFY_AREA; i++)
|
||||
table[i]=TEST_VALUE;
|
||||
} else {
|
||||
/* the stack is growing down */
|
||||
/* the stack grows down */
|
||||
for(i=0; i<VERIFY_AREA; i++)
|
||||
if(table[i]!=TEST_VALUE)
|
||||
break;
|
||||
num=i;
|
||||
/* the stack is growing up */
|
||||
/* the stack grows up */
|
||||
for(i=0; i<VERIFY_AREA; i++)
|
||||
if(table[VERIFY_AREA-i-1]!=TEST_VALUE)
|
||||
break;
|
||||
@ -538,10 +594,10 @@ void stack_info(int init) { /* 1-initialize, 0-display */
|
||||
s_log(LOG_NOTICE,
|
||||
"stack_info: size=%d, current=%d (%d%%), maximum=%d (%d%%)",
|
||||
STACK_SIZE,
|
||||
(int)((VERIFY_AREA-num)*sizeof(u32)),
|
||||
(int)((VERIFY_AREA-num)*sizeof(u32)*100/STACK_SIZE),
|
||||
(int)((VERIFY_AREA-min_num)*sizeof(u32)),
|
||||
(int)((VERIFY_AREA-min_num)*sizeof(u32)*100/STACK_SIZE));
|
||||
(int)((VERIFY_AREA-num)*sizeof(uint32_t)),
|
||||
(int)((VERIFY_AREA-num)*sizeof(uint32_t)*100/STACK_SIZE),
|
||||
(int)((VERIFY_AREA-min_num)*sizeof(uint32_t)),
|
||||
(int)((VERIFY_AREA-min_num)*sizeof(uint32_t)*100/STACK_SIZE));
|
||||
}
|
||||
}
|
||||
|
||||
|
554
src/str.c
@ -1,6 +1,6 @@
|
||||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
@ -38,6 +38,73 @@
|
||||
#include "common.h"
|
||||
#include "prototypes.h"
|
||||
|
||||
/* reportedly, malloc does not always return 16-byte aligned addresses
|
||||
* for 64-bit targets as specified by
|
||||
* https://msdn.microsoft.com/en-us/library/6ewkz86d.aspx */
|
||||
#ifdef USE_WIN32
|
||||
#define system_malloc(n) _aligned_malloc((n),16)
|
||||
#define system_realloc(p,n) _aligned_realloc((p),(n),16)
|
||||
#define system_free(p) _aligned_free(p)
|
||||
#else
|
||||
#define system_malloc(n) malloc(n)
|
||||
#define system_realloc(p,n) realloc((p),(n))
|
||||
#define system_free(p) free(p)
|
||||
#endif
|
||||
|
||||
#define CANARY_INITIALIZED 0x0000c0ded0000000LL
|
||||
#define CANARY_UNINTIALIZED 0x0000abadbabe0000LL
|
||||
#define MAGIC_ALLOCATED 0x0000a110c8ed0000LL
|
||||
#define MAGIC_DEALLOCATED 0x0000defec8ed0000LL
|
||||
|
||||
/* most platforms require allocations to be aligned */
|
||||
#ifdef _MSC_VER
|
||||
__declspec(align(16))
|
||||
#endif
|
||||
struct alloc_list_struct {
|
||||
ALLOC_LIST *prev, *next;
|
||||
TLS_DATA *tls;
|
||||
size_t size;
|
||||
const char *alloc_file, *free_file;
|
||||
int alloc_line, free_line;
|
||||
uint64_t valid_canary, magic;
|
||||
#ifdef __GNUC__
|
||||
} __attribute__((aligned(16)));
|
||||
#else
|
||||
#ifndef MSC_VER
|
||||
uint64_t :0; /* align the structure */
|
||||
#endif
|
||||
};
|
||||
#endif
|
||||
|
||||
#define LEAK_TABLE_SIZE 997
|
||||
typedef struct {
|
||||
const char *alloc_file;
|
||||
int alloc_line;
|
||||
int num, max;
|
||||
} LEAK_ENTRY;
|
||||
NOEXPORT LEAK_ENTRY leak_hash_table[LEAK_TABLE_SIZE],
|
||||
*leak_results[LEAK_TABLE_SIZE];
|
||||
NOEXPORT volatile int leak_result_num=0;
|
||||
|
||||
#ifdef USE_WIN32
|
||||
NOEXPORT LPTSTR str_vtprintf(LPCTSTR, va_list);
|
||||
#endif /* USE_WIN32 */
|
||||
|
||||
NOEXPORT void *str_realloc_internal_debug(void *, size_t, const char *, int);
|
||||
|
||||
NOEXPORT ALLOC_LIST *get_alloc_list_ptr(void *, const char *, int);
|
||||
NOEXPORT void str_leak_debug(const ALLOC_LIST *, int);
|
||||
|
||||
NOEXPORT LEAK_ENTRY *leak_search(const ALLOC_LIST *);
|
||||
NOEXPORT void leak_report();
|
||||
NOEXPORT long leak_threshold();
|
||||
|
||||
TLS_DATA *ui_tls;
|
||||
NOEXPORT uint8_t canary[10]; /* 80-bit canary value */
|
||||
NOEXPORT volatile uint64_t canary_initialized=CANARY_UNINTIALIZED;
|
||||
|
||||
/**************************************** string manipulation functions */
|
||||
|
||||
#ifndef va_copy
|
||||
#ifdef __va_copy
|
||||
#define va_copy(dst, src) __va_copy((dst), (src))
|
||||
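Review bot: the guard `#ifndef MSC_VER` in the `#else` branch of `struct alloc_list_struct` is a typo for `_MSC_VER` (the macro the `__declspec(align(16))` guard a few lines above correctly tests), so the `uint64_t :0;` member is compiled on MSVC as well. Independently of the typo, an unnamed zero-width bit-field of type `uint64_t` is not portable C (C99 6.7.2.1 only guarantees `_Bool`, `int` and `unsigned int` as bit-field types), and this branch is exactly the one that non-GCC, non-MSVC compilers hit; a plain trailing `uint64_t` padding member or a compiler-specific alignment attribute per supported compiler is safer. Two style points in the same hunk: `CANARY_UNINTIALIZED` is misspelled (`CANARY_UNINITIALIZED`), and `leak_report()`/`leak_threshold()` are declared without `void`, which makes them non-prototype declarations.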
@ -46,38 +113,10 @@
|
||||
#endif /* __va_copy */
|
||||
#endif /* va_copy */
|
||||
|
||||
static u8 canary[10]; /* 80-bit canary value */
|
||||
static volatile int canary_initialized=0;
|
||||
|
||||
typedef struct alloc_list_struct ALLOC_LIST;
|
||||
|
||||
typedef struct {
|
||||
ALLOC_LIST *head;
|
||||
size_t bytes, blocks;
|
||||
} ALLOC_TLS;
|
||||
|
||||
struct alloc_list_struct {
|
||||
ALLOC_LIST *prev, *next;
|
||||
ALLOC_TLS *tls;
|
||||
size_t size;
|
||||
int valid_canary;
|
||||
unsigned int magic;
|
||||
/* at least on IA64 allocations need to be aligned */
|
||||
#ifdef __GNUC__
|
||||
} __attribute__((aligned(16)));
|
||||
#else
|
||||
int padding[2]; /* the number of integers is architecture-specific */
|
||||
};
|
||||
#endif
|
||||
|
||||
static void set_alloc_tls(ALLOC_TLS *);
|
||||
static ALLOC_TLS *get_alloc_tls();
|
||||
static ALLOC_LIST *get_alloc_list_ptr(void *, char *, int);
|
||||
|
||||
char *str_dup(const char *str) {
|
||||
char *str_dup_debug(const char *str, const char *file, int line) {
|
||||
char *retval;
|
||||
|
||||
retval=str_alloc(strlen(str)+1);
|
||||
retval=str_alloc_debug(strlen(str)+1, file, line);
|
||||
strcpy(retval, str);
|
||||
return retval;
|
||||
}
|
||||
@ -92,203 +131,216 @@ char *str_printf(const char *format, ...) {
|
||||
return txt;
|
||||
}
|
||||
|
||||
#ifdef __GNUC__
|
||||
#pragma GCC diagnostic push
|
||||
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
|
||||
#endif /* __GNUC__ */
|
||||
char *str_vprintf(const char *format, va_list start_ap) {
|
||||
int n, size=32;
|
||||
char *p, *np;
|
||||
int n;
|
||||
size_t size=32;
|
||||
char *p;
|
||||
va_list ap;
|
||||
|
||||
p=str_alloc(size);
|
||||
for(;;) {
|
||||
va_copy(ap, start_ap);
|
||||
n=vsnprintf(p, size, format, ap);
|
||||
if(n>-1 && n<size)
|
||||
if(n>-1 && n<(int)size)
|
||||
return p;
|
||||
if(n>-1) /* glibc 2.1 */
|
||||
size=n+1; /* precisely what is needed */
|
||||
else /* glibc 2.0, WIN32, etc. */
|
||||
size*=2; /* twice the old size */
|
||||
np=str_realloc(p, size);
|
||||
p=np; /* LOL */
|
||||
if(n>-1) /* glibc 2.1 */
|
||||
size=(size_t)n+1; /* precisely what is needed */
|
||||
else /* glibc 2.0, WIN32, etc. */
|
||||
size*=2; /* twice the old size */
|
||||
p=str_realloc(p, size);
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef USE_UCONTEXT
|
||||
|
||||
static ALLOC_TLS *global_tls=NULL;
|
||||
|
||||
void str_init() {
|
||||
}
|
||||
|
||||
static void set_alloc_tls(ALLOC_TLS *tls) {
|
||||
if(ready_head)
|
||||
ready_head->tls=tls;
|
||||
else /* ucontext threads not initialized */
|
||||
global_tls=tls;
|
||||
}
|
||||
|
||||
static ALLOC_TLS *get_alloc_tls() {
|
||||
if(ready_head)
|
||||
return ready_head->tls;
|
||||
else /* ucontext threads not initialized */
|
||||
return global_tls;
|
||||
}
|
||||
|
||||
#endif /* USE_UCONTEXT */
|
||||
|
||||
#ifdef USE_FORK
|
||||
|
||||
static ALLOC_TLS *global_tls=NULL;
|
||||
|
||||
void str_init() {
|
||||
}
|
||||
|
||||
static void set_alloc_tls(ALLOC_TLS *tls) {
|
||||
global_tls=tls;
|
||||
}
|
||||
|
||||
static ALLOC_TLS *get_alloc_tls() {
|
||||
return global_tls;
|
||||
}
|
||||
|
||||
#endif /* USE_FORK */
|
||||
|
||||
#ifdef USE_PTHREAD
|
||||
|
||||
static pthread_key_t pthread_key;
|
||||
|
||||
void str_init() {
|
||||
pthread_key_create(&pthread_key, NULL);
|
||||
}
|
||||
|
||||
static void set_alloc_tls(ALLOC_TLS *tls) {
|
||||
pthread_setspecific(pthread_key, tls);
|
||||
}
|
||||
|
||||
static ALLOC_TLS *get_alloc_tls() {
|
||||
return pthread_getspecific(pthread_key);
|
||||
}
|
||||
|
||||
#endif /* USE_PTHREAD */
|
||||
#ifdef __GNUC__
|
||||
#pragma GCC diagnostic pop
|
||||
#endif /* __GNUC__ */
|
||||
|
||||
#ifdef USE_WIN32
|
||||
|
||||
static DWORD tls_index;
|
||||
LPTSTR str_tprintf(LPCTSTR format, ...) {
|
||||
LPTSTR txt;
|
||||
va_list arglist;
|
||||
|
||||
void str_init() {
|
||||
tls_index=TlsAlloc();
|
||||
va_start(arglist, format);
|
||||
txt=str_vtprintf(format, arglist);
|
||||
va_end(arglist);
|
||||
return txt;
|
||||
}
|
||||
|
||||
static void set_alloc_tls(ALLOC_TLS *alloc_tls) {
|
||||
TlsSetValue(tls_index, alloc_tls);
|
||||
NOEXPORT LPTSTR str_vtprintf(LPCTSTR format, va_list start_ap) {
|
||||
int n;
|
||||
size_t size=32;
|
||||
LPTSTR p;
|
||||
va_list ap;
|
||||
|
||||
p=str_alloc(size*sizeof(TCHAR));
|
||||
for(;;) {
|
||||
va_copy(ap, start_ap);
|
||||
n=_vsntprintf(p, size, format, ap);
|
||||
if(n>-1 && n<(int)size)
|
||||
return p;
|
||||
size*=2;
|
||||
p=str_realloc(p, size*sizeof(TCHAR));
|
||||
}
|
||||
}
|
||||
|
||||
static ALLOC_TLS *get_alloc_tls() {
|
||||
return TlsGetValue(tls_index);
|
||||
#endif
|
||||
|
||||
/**************************************** memory allocation wrappers */
|
||||
|
||||
void str_init(TLS_DATA *tls_data) {
|
||||
tls_data->alloc_head=NULL;
|
||||
tls_data->alloc_bytes=tls_data->alloc_blocks=0;
|
||||
}
|
||||
|
||||
#endif /* USE_WIN32 */
|
||||
void str_cleanup(TLS_DATA *tls_data) {
|
||||
/* free all attached allocations */
|
||||
while(tls_data->alloc_head) /* str_free macro requires an lvalue */
|
||||
str_free_expression(tls_data->alloc_head+1);
|
||||
}
|
||||
|
||||
void str_canary_init() {
|
||||
if(canary_initialized) /* prevent double initialization on config reload */
|
||||
return;
|
||||
RAND_bytes(canary, sizeof canary);
|
||||
canary_initialized=1; /* after RAND_bytes */
|
||||
}
|
||||
|
||||
void str_cleanup() {
|
||||
ALLOC_TLS *alloc_tls;
|
||||
|
||||
alloc_tls=get_alloc_tls();
|
||||
if(alloc_tls) {
|
||||
while(alloc_tls->head) /* str_free macro requires lvalue parameter */
|
||||
str_free_debug(alloc_tls->head+1, __FILE__, __LINE__);
|
||||
set_alloc_tls(NULL);
|
||||
free(alloc_tls);
|
||||
}
|
||||
if(canary_initialized!=CANARY_UNINTIALIZED)
|
||||
return; /* prevent double initialization on config reload */
|
||||
RAND_bytes(canary, (int)sizeof canary);
|
||||
/* an error would reduce the effectiveness of canaries */
|
||||
/* this is nothing critical, so the return value is ignored here */
|
||||
canary_initialized=CANARY_INITIALIZED; /* after RAND_bytes */
|
||||
}
|
||||
|
||||
void str_stats() {
|
||||
ALLOC_TLS *alloc_tls;
|
||||
TLS_DATA *tls_data;
|
||||
ALLOC_LIST *alloc_list;
|
||||
int i=0;
|
||||
|
||||
alloc_tls=get_alloc_tls();
|
||||
if(!alloc_tls) {
|
||||
s_log(LOG_DEBUG, "str_stats: alloc_tls not initialized");
|
||||
return;
|
||||
}
|
||||
if(!alloc_tls->blocks && !alloc_tls->bytes)
|
||||
if(!tls_initialized)
|
||||
fatal("str not initialized");
|
||||
leak_report();
|
||||
tls_data=tls_get();
|
||||
if(!tls_data || (!tls_data->alloc_blocks && !tls_data->alloc_bytes))
|
||||
return; /* skip if no data is allocated */
|
||||
s_log(LOG_DEBUG, "str_stats: %lu block(s), "
|
||||
"%lu data byte(s), %lu control byte(s)",
|
||||
(unsigned long int)alloc_tls->blocks,
|
||||
(unsigned long int)alloc_tls->bytes,
|
||||
(unsigned long int)(alloc_tls->blocks*
|
||||
(unsigned long)tls_data->alloc_blocks,
|
||||
(unsigned long)tls_data->alloc_bytes,
|
||||
(unsigned long)(tls_data->alloc_blocks*
|
||||
(sizeof(ALLOC_LIST)+sizeof canary)));
|
||||
for(alloc_list=tls_data->alloc_head; alloc_list; alloc_list=alloc_list->next) {
|
||||
if(++i>10) /* limit the number of results */
|
||||
break;
|
||||
s_log(LOG_DEBUG, "str_stats: %lu byte(s) at %s:%d",
|
||||
(unsigned long)alloc_list->size,
|
||||
alloc_list->alloc_file, alloc_list->alloc_line);
|
||||
}
|
||||
}
|
||||
|
||||
void *str_alloc_debug(size_t size, char *file, int line) {
|
||||
ALLOC_TLS *alloc_tls;
|
||||
void *str_alloc_debug(size_t size, const char *file, int line) {
|
||||
TLS_DATA *tls_data;
|
||||
ALLOC_LIST *alloc_list;
|
||||
|
||||
alloc_tls=get_alloc_tls();
|
||||
if(!alloc_tls) { /* first allocation in this thread */
|
||||
alloc_tls=calloc(1, sizeof(ALLOC_TLS));
|
||||
if(!alloc_tls)
|
||||
fatal_debug("Out of memory", file, line);
|
||||
alloc_tls->head=NULL;
|
||||
alloc_tls->bytes=alloc_tls->blocks=0;
|
||||
set_alloc_tls(alloc_tls);
|
||||
if(!tls_initialized)
|
||||
fatal_debug("str not initialized", file, line);
|
||||
tls_data=tls_get();
|
||||
if(!tls_data) {
|
||||
tls_data=tls_alloc(NULL, NULL, "alloc");
|
||||
s_log(LOG_ERR, "INTERNAL ERROR: Uninitialized TLS at %s, line %d",
|
||||
file, line);
|
||||
}
|
||||
alloc_list=calloc(1, sizeof(ALLOC_LIST)+size+sizeof canary);
|
||||
if(!alloc_list)
|
||||
fatal_debug("Out of memory", file, line);
|
||||
|
||||
alloc_list=(ALLOC_LIST *)str_alloc_detached_debug(size, file, line)-1;
|
||||
alloc_list->prev=NULL;
|
||||
alloc_list->next=alloc_tls->head;
|
||||
alloc_list->tls=alloc_tls;
|
||||
alloc_list->size=size;
|
||||
alloc_list->valid_canary=canary_initialized; /* before memcpy */
|
||||
memcpy((u8 *)(alloc_list+1)+size, canary, sizeof canary);
|
||||
alloc_list->magic=0xdeadbeef;
|
||||
|
||||
if(alloc_tls->head)
|
||||
alloc_tls->head->prev=alloc_list;
|
||||
alloc_tls->head=alloc_list;
|
||||
alloc_tls->bytes+=size;
|
||||
alloc_tls->blocks++;
|
||||
alloc_list->next=tls_data->alloc_head;
|
||||
alloc_list->tls=tls_data;
|
||||
if(tls_data->alloc_head)
|
||||
tls_data->alloc_head->prev=alloc_list;
|
||||
tls_data->alloc_head=alloc_list;
|
||||
tls_data->alloc_bytes+=size;
|
||||
tls_data->alloc_blocks++;
|
||||
|
||||
return alloc_list+1;
|
||||
}
|
||||
|
||||
void *str_realloc_debug(void *ptr, size_t size, char *file, int line) {
|
||||
ALLOC_LIST *previous_alloc_list, *alloc_list;
|
||||
void *str_alloc_detached_debug(size_t size, const char *file, int line) {
|
||||
ALLOC_LIST *alloc_list;
|
||||
|
||||
if(!ptr)
|
||||
return str_alloc(size);
|
||||
previous_alloc_list=get_alloc_list_ptr(ptr, file, line);
|
||||
alloc_list=realloc(previous_alloc_list,
|
||||
sizeof(ALLOC_LIST)+size+sizeof canary);
|
||||
#if 0
|
||||
printf("allocating %lu bytes at %s:%d\n", (unsigned long)size, file, line);
|
||||
#endif
|
||||
alloc_list=system_malloc(sizeof(ALLOC_LIST)+size+sizeof canary);
|
||||
if(!alloc_list)
|
||||
fatal_debug("Out of memory", file, line);
|
||||
memset(alloc_list, 0, sizeof(ALLOC_LIST)+size+sizeof canary);
|
||||
alloc_list->prev=NULL; /* for debugging */
|
||||
alloc_list->next=NULL; /* for debugging */
|
||||
alloc_list->tls=NULL;
|
||||
alloc_list->size=size;
|
||||
alloc_list->alloc_file=file;
|
||||
alloc_list->alloc_line=line;
|
||||
alloc_list->free_file="none";
|
||||
alloc_list->free_line=0;
|
||||
alloc_list->valid_canary=canary_initialized; /* before memcpy */
|
||||
memcpy((uint8_t *)(alloc_list+1)+size, canary, sizeof canary);
|
||||
alloc_list->magic=MAGIC_ALLOCATED;
|
||||
str_leak_debug(alloc_list, 1);
|
||||
|
||||
return alloc_list+1;
|
||||
}
|
||||
|
||||
void *str_realloc_debug(void *ptr, size_t size, const char *file, int line) {
|
||||
if(ptr)
|
||||
return str_realloc_internal_debug(ptr, size, file, line);
|
||||
else
|
||||
return str_alloc_debug(size, file, line);
|
||||
}
|
||||
|
||||
void *str_realloc_detached_debug(void *ptr, size_t size, const char *file, int line) {
|
||||
if(ptr)
|
||||
return str_realloc_internal_debug(ptr, size, file, line);
|
||||
else
|
||||
return str_alloc_detached_debug(size, file, line);
|
||||
}
|
||||
|
||||
NOEXPORT void *str_realloc_internal_debug(void *ptr, size_t size, const char *file, int line) {
|
||||
ALLOC_LIST *prev_alloc_list, *alloc_list;
|
||||
|
||||
prev_alloc_list=get_alloc_list_ptr(ptr, file, line);
|
||||
str_leak_debug(prev_alloc_list, -1);
|
||||
if(prev_alloc_list->size>size) /* shrinking the allocation */
|
||||
memset((uint8_t *)ptr+size, 0, prev_alloc_list->size-size); /* paranoia */
|
||||
alloc_list=system_realloc(prev_alloc_list, sizeof(ALLOC_LIST)+size+sizeof canary);
|
||||
if(!alloc_list)
|
||||
fatal_debug("Out of memory", file, line);
|
||||
ptr=alloc_list+1;
|
||||
if(size>alloc_list->size) /* growing the allocation */
|
||||
memset((uint8_t *)ptr+alloc_list->size, 0, size-alloc_list->size);
|
||||
if(alloc_list->tls) { /* not detached */
|
||||
/* refresh possibly invalidated linked list pointers */
|
||||
if(alloc_list->tls->head==previous_alloc_list)
|
||||
alloc_list->tls->head=alloc_list;
|
||||
if(alloc_list->tls->alloc_head==prev_alloc_list)
|
||||
alloc_list->tls->alloc_head=alloc_list;
|
||||
if(alloc_list->next)
|
||||
alloc_list->next->prev=alloc_list;
|
||||
if(alloc_list->prev)
|
||||
alloc_list->prev->next=alloc_list;
|
||||
/* update statistics */
|
||||
alloc_list->tls->bytes+=size-alloc_list->size;
|
||||
/* update statistics while the old size is still available */
|
||||
alloc_list->tls->alloc_bytes+=size-alloc_list->size;
|
||||
}
|
||||
alloc_list->size=size;
|
||||
alloc_list->alloc_file=file;
|
||||
alloc_list->alloc_line=line;
|
||||
alloc_list->free_file="none";
|
||||
alloc_list->free_line=0;
|
||||
alloc_list->valid_canary=canary_initialized; /* before memcpy */
|
||||
memcpy((u8 *)(alloc_list+1)+size, canary, sizeof canary);
|
||||
return alloc_list+1;
|
||||
memcpy((uint8_t *)ptr+size, canary, sizeof canary);
|
||||
str_leak_debug(alloc_list, 1);
|
||||
return ptr;
|
||||
}
|
||||
|
||||
/* detach from thread automatic deallocation list */
|
||||
/* it has no effect if the allocation is already detached */
|
||||
void str_detach_debug(void *ptr, char *file, int line) {
|
||||
void str_detach_debug(void *ptr, const char *file, int line) {
|
||||
ALLOC_LIST *alloc_list;
|
||||
|
||||
if(!ptr) /* do not attempt to free null pointers */
|
||||
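Review bot: in the new str_canary_init() the RAND_bytes() return value is discarded on purpose, but on failure `canary` keeps its previous, unrandomised contents, so a zero-filling overrun past an allocation would pass the later canary check unnoticed; consider at least `s_log(LOG_ERR, ...)` when `RAND_bytes(canary, (int)sizeof canary)!=1` so the degraded mode is visible in the logs. Two smaller points in the same region: `CANARY_UNINTIALIZED` is misspelled (it is reused in get_alloc_list_ptr()), and in str_realloc_internal_debug() the `str_leak_debug(prev_alloc_list, -1)` / `str_leak_debug(alloc_list, 1)` pair brackets the update of `alloc_file`/`alloc_line` to the realloc call site, so every realloc silently migrates the leak counter from the original allocation site to the caller of str_realloc(); a comment stating that this is intended would help the next reader.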
@ -296,15 +348,15 @@ void str_detach_debug(void *ptr, char *file, int line) {
|
||||
alloc_list=get_alloc_list_ptr(ptr, file, line);
|
||||
if(alloc_list->tls) { /* not detached */
|
||||
/* remove from linked list */
|
||||
if(alloc_list->tls->head==alloc_list)
|
||||
alloc_list->tls->head=alloc_list->next;
|
||||
if(alloc_list->tls->alloc_head==alloc_list)
|
||||
alloc_list->tls->alloc_head=alloc_list->next;
|
||||
if(alloc_list->next)
|
||||
alloc_list->next->prev=alloc_list->prev;
|
||||
if(alloc_list->prev)
|
||||
alloc_list->prev->next=alloc_list->next;
|
||||
/* update statistics */
|
||||
alloc_list->tls->bytes-=alloc_list->size;
|
||||
alloc_list->tls->blocks--;
|
||||
alloc_list->tls->alloc_bytes-=alloc_list->size;
|
||||
alloc_list->tls->alloc_blocks--;
|
||||
/* clear pointers */
|
||||
alloc_list->next=NULL;
|
||||
alloc_list->prev=NULL;
|
||||
@ -312,33 +364,155 @@ void str_detach_debug(void *ptr, char *file, int line) {
|
||||
}
|
||||
}
|
||||
|
||||
void str_free_debug(void *ptr, char *file, int line) {
|
||||
void str_free_debug(void *ptr, const char *file, int line) {
|
||||
ALLOC_LIST *alloc_list;
|
||||
|
||||
if(!ptr) /* do not attempt to free null pointers */
|
||||
return;
|
||||
str_detach_debug(ptr, file, line);
|
||||
alloc_list=(ALLOC_LIST *)ptr-1;
|
||||
alloc_list->magic=0xdefec8ed; /* to detect double free attempts */
|
||||
free(alloc_list);
|
||||
if(alloc_list->magic==MAGIC_DEALLOCATED) { /* double free */
|
||||
/* this may (unlikely) log garbage instead of file names */
|
||||
s_log(LOG_CRIT,
|
||||
"Double free attempt: ptr=%p alloc=%s:%d free#1=%s:%d free#2=%s:%d",
|
||||
ptr,
|
||||
alloc_list->alloc_file, alloc_list->alloc_line,
|
||||
alloc_list->free_file, alloc_list->free_line,
|
||||
file, line);
|
||||
return;
|
||||
}
|
||||
str_detach_debug(ptr, file, line);
|
||||
str_leak_debug(alloc_list, -1);
|
||||
alloc_list->free_file=file;
|
||||
alloc_list->free_line=line;
|
||||
alloc_list->magic=MAGIC_DEALLOCATED; /* detect double free attempts */
|
||||
memset(ptr, 0, alloc_list->size+sizeof canary); /* paranoia */
|
||||
system_free(alloc_list);
|
||||
}
|
||||
|
||||
static ALLOC_LIST *get_alloc_list_ptr(void *ptr, char *file, int line) {
|
||||
NOEXPORT ALLOC_LIST *get_alloc_list_ptr(void *ptr, const char *file, int line) {
|
||||
ALLOC_LIST *alloc_list;
|
||||
|
||||
if(!tls_initialized)
|
||||
fatal_debug("str not initialized", file, line);
|
||||
alloc_list=(ALLOC_LIST *)ptr-1;
|
||||
if(alloc_list->magic!=0xdeadbeef) { /* not allocated by str_alloc() */
|
||||
if(alloc_list->magic==0xdefec8ed)
|
||||
fatal_debug("Double free attempt", file, line);
|
||||
else
|
||||
fatal_debug("Bad magic", file, line); /* LOL */
|
||||
}
|
||||
if(alloc_list->tls /* not detached */ && alloc_list->tls!=get_alloc_tls())
|
||||
if(alloc_list->magic!=MAGIC_ALLOCATED) /* not allocated by str_alloc() */
|
||||
fatal_debug("Bad magic", file, line); /* LOL */
|
||||
if(alloc_list->tls /* not detached */ && alloc_list->tls!=tls_get())
|
||||
fatal_debug("Memory allocated in a different thread", file, line);
|
||||
if(alloc_list->valid_canary &&
|
||||
memcmp((u8 *)ptr+alloc_list->size, canary, sizeof canary))
|
||||
if(alloc_list->valid_canary!=CANARY_UNINTIALIZED &&
|
||||
safe_memcmp((uint8_t *)ptr+alloc_list->size, canary, sizeof canary))
|
||||
fatal_debug("Dead canary", file, line); /* LOL */
|
||||
return alloc_list;
|
||||
}
|
||||
|
||||
/**************************************** memory leak detection */
|
||||
|
||||
NOEXPORT void str_leak_debug(const ALLOC_LIST *alloc_list, int change) {
|
||||
static size_t entries=0;
|
||||
LEAK_ENTRY *entry;
|
||||
int new_entry, allocations;
|
||||
|
||||
#if defined(USE_PTHREAD) || defined(USE_WIN32)
|
||||
if(!&stunnel_locks[STUNNEL_LOCKS-1]) /* threads not initialized */
|
||||
return;
|
||||
#endif /* defined(USE_PTHREAD) || defined(USE_WIN32) */
|
||||
if(!number_of_sections) /* configuration file not initialized */
|
||||
return;
|
||||
|
||||
entry=leak_search(alloc_list);
|
||||
/* the race condition may lead to false positives, which is handled later */
|
||||
new_entry=entry->alloc_line!=alloc_list->alloc_line ||
|
||||
entry->alloc_file!=alloc_list->alloc_file;
|
||||
|
||||
if(new_entry) { /* the file:line pair was encountered for the first time */
|
||||
stunnel_write_lock(&stunnel_locks[LOCK_LEAK_HASH]);
|
||||
entry=leak_search(alloc_list); /* the list may have changed */
|
||||
if(entry->alloc_line==0) {
|
||||
if(entries>LEAK_TABLE_SIZE-100) { /* this should never happen */
|
||||
stunnel_write_unlock(&stunnel_locks[LOCK_LEAK_HASH]);
|
||||
return;
|
||||
}
|
||||
entries++;
|
||||
entry->alloc_line=alloc_list->alloc_line;
|
||||
entry->alloc_file=alloc_list->alloc_file;
|
||||
}
|
||||
stunnel_write_unlock(&stunnel_locks[LOCK_LEAK_HASH]);
|
||||
}
|
||||
|
||||
#ifdef PRECISE_LEAK_ALLOCATON_COUNTERS
|
||||
/* this is *really* slow in OpenSSL < 1.1.0 */
|
||||
CRYPTO_atomic_add(&entry->num, change, &allocations,
|
||||
&stunnel_locks[LOCK_LEAK_HASH]);
|
||||
#else
|
||||
allocations=(entry->num+=change); /* we just need an estimate... */
|
||||
#endif
|
||||
|
||||
if(allocations<=leak_threshold()) /* leak not detected */
|
||||
return;
|
||||
if(allocations<=entry->max) /* not the biggest leak for this entry */
|
||||
return;
|
||||
if(entry->max) { /* not the first time we found a leak for this entry */
|
||||
entry->max=allocations; /* just update the value */
|
||||
return;
|
||||
}
|
||||
/* we *may* need to allocate a new leak_results entry */
|
||||
/* locking is slow, so we try to avoid it if possible */
|
||||
stunnel_write_lock(&stunnel_locks[LOCK_LEAK_RESULTS]);
|
||||
if(entry->max==0) { /* the table may have changed */
|
||||
leak_results[leak_result_num]=entry;
|
||||
entry->max=allocations;
|
||||
++leak_result_num; /* at the end to avoid a lock in leak_report() */
|
||||
} else { /* gracefully handle the race condition */
|
||||
entry->max=allocations;
|
||||
}
|
||||
stunnel_write_unlock(&stunnel_locks[LOCK_LEAK_RESULTS]);
|
||||
}
|
||||
|
||||
/* O(1) hash table lookup */
|
||||
NOEXPORT LEAK_ENTRY *leak_search(const ALLOC_LIST *alloc_list) {
|
||||
int i=alloc_list->alloc_line%LEAK_TABLE_SIZE;
|
||||
|
||||
while(!(leak_hash_table[i].alloc_line==0 ||
|
||||
(leak_hash_table[i].alloc_line==alloc_list->alloc_line &&
|
||||
leak_hash_table[i].alloc_file==alloc_list->alloc_file)))
|
||||
i=(i+1)%LEAK_TABLE_SIZE;
|
||||
return leak_hash_table+i;
|
||||
}
|
||||
|
||||
/* report identified leaks */
|
||||
NOEXPORT void leak_report() {
|
||||
int i;
|
||||
long limit;
|
||||
|
||||
limit=leak_threshold();
|
||||
for(i=0; i<leak_result_num; ++i)
|
||||
if(leak_results[i] /* an officious compiler could reorder code */ &&
|
||||
leak_results[i]->max>limit /* the limit could have changed */)
|
||||
s_log(LOG_WARNING, "Possible memory leak at %s:%d: %d allocations",
|
||||
leak_results[i]->alloc_file, leak_results[i]->alloc_line,
|
||||
leak_results[i]->max);
|
||||
}
|
||||
|
||||
NOEXPORT long leak_threshold() {
|
||||
long limit;
|
||||
|
||||
limit=10000*((int)number_of_sections+1);
|
||||
#ifndef USE_FORK
|
||||
limit+=100*num_clients;
|
||||
#endif
|
||||
return limit;
|
||||
}
|
||||
|
||||
/**************************************** memcmp() replacement */
|
||||
|
||||
/* a version of memcmp() with execution time not dependent on data values */
|
||||
/* it does *not* allow testing whether s1 is greater or lesser than s2 */
|
||||
int safe_memcmp(const void *s1, const void *s2, size_t n) {
|
||||
uint8_t *p1=(uint8_t *)s1, *p2=(uint8_t *)s2;
|
||||
int r=0;
|
||||
while(n--)
|
||||
r|=(*p1++)^(*p2++);
|
||||
return r;
|
||||
}
|
||||
|
||||
/* end of str.c */
|
||||
|
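Review bot: in str_leak_debug() the guard `if(!&stunnel_locks[STUNNEL_LOCKS-1])` can never be true, because the address of an array element is never NULL; the evident intent is to test whether the lock itself has been created yet, i.e. `if(!stunnel_locks[STUNNEL_LOCKS-1])`, otherwise stunnel_write_lock() can be reached before the locks exist. Smaller points: safe_memcmp() casts away const (`uint8_t *p1=(uint8_t *)s1`) where `const uint8_t *` would do, and the macro name `PRECISE_LEAK_ALLOCATON_COUNTERS` has a typo. Also, the double-free path at the top of str_free_debug() reads `alloc_list->magic` and the file/line fields from a block that system_free() has already released; the comment admits this may log garbage, but it is undefined behaviour that a hardened allocator can turn into a crash, so it should be documented as a best-effort diagnostic rather than a guarantee.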
828
src/stunnel.c
File diff suppressed because it is too large
BIN
src/stunnel.ico
Binary file not shown.
Before: 4.6 KiB; After: 15 KiB
@ -1,7 +1,7 @@
|
||||
#!/usr/bin/perl
|
||||
#
|
||||
# stunnel3 Perl wrapper to use stunnel 3.x syntax in stunnel >=4.05
|
||||
# Copyright (C) 2004-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
# Copyright (C) 2004-2012 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
# Version: 2.03
|
||||
# Date: 2011.10.22
|
||||
#
|
||||
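Review bot: the header only changes the e-mail address while `# Version: 2.03` and `# Date: 2011.10.22` keep their 2011 values even though the script body is modified in this commit (`@bindir@`, `execArgs`); bump the version and date lines so the file documents its own revision.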
@ -22,7 +22,7 @@ use POSIX;
|
||||
use Getopt::Std;
|
||||
|
||||
# Configuration - path to stunnel (version >=4.05)
|
||||
$stunnel_bin='@prefix@/bin/stunnel';
|
||||
$stunnel_bin='@bindir@/stunnel';
|
||||
|
||||
# stunnel3 script body begins here
|
||||
($read_fd, $write_fd)=POSIX::pipe();
|
||||
@ -67,7 +67,7 @@ print("setgid = $opt_g\n") if defined $opt_g;
|
||||
print("pid = $opt_P\n") if defined $opt_P;
|
||||
print("connect = $opt_r\n") if defined $opt_r;
|
||||
print("pty = yes\n"), $opt_l=$opt_L if defined $opt_L;
|
||||
print("exec = $opt_l\nexecargs = " . join(' ', $opt_l, @ARGV) . "\n") if defined $opt_l;
|
||||
print("exec = $opt_l\nexecArgs = " . join(' ', $opt_l, @ARGV) . "\n") if defined $opt_l;
|
||||
print("[stunnel3]\n") if defined $opt_d;
|
||||
|
||||
close(STUNNEL);
|
||||
|
195
src/tls.c
Normal file
@ -0,0 +1,195 @@
|
||||
/*
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||
* See the GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||
*
|
||||
* Linking stunnel statically or dynamically with other modules is making
|
||||
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||
* the GNU General Public License cover the whole combination.
|
||||
*
|
||||
* In addition, as a special exception, the copyright holder of stunnel
|
||||
* gives you permission to combine stunnel with free software programs or
|
||||
* libraries that are released under the GNU LGPL and with code included
|
||||
* in the standard release of OpenSSL under the OpenSSL License (or
|
||||
* modified versions of such code, with unchanged license). You may copy
|
||||
* and distribute such a system following the terms of the GNU GPL for
|
||||
* stunnel and the licenses of the other code concerned.
|
||||
*
|
||||
* Note that people who make modified versions of stunnel are not obligated
|
||||
* to grant this special exception for their modified versions; it is their
|
||||
* choice whether to do so. The GNU General Public License gives permission
|
||||
* to release a modified version without this exception; this exception
|
||||
* also makes it possible to release a modified version which carries
|
||||
* forward this exception.
|
||||
*/
|
||||
|
||||
#include "common.h"
|
||||
#include "prototypes.h"
|
||||
|
||||
volatile int tls_initialized=0;
|
||||
|
||||
NOEXPORT void tls_platform_init();
|
||||
#if OPENSSL_VERSION_NUMBER<0x10100000L
|
||||
NOEXPORT void free_function(void *);
|
||||
#endif
|
||||
|
||||
/**************************************** thread local storage */
|
||||
|
||||
/* this has to be the first function called from ui_*.c */
|
||||
void tls_init() {
|
||||
tls_platform_init();
|
||||
tls_initialized=1;
|
||||
ui_tls=tls_alloc(NULL, NULL, "ui");
|
||||
#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
||||
CRYPTO_set_mem_functions(str_alloc_detached_debug,
|
||||
str_realloc_detached_debug, str_free_debug);
|
||||
#else
|
||||
CRYPTO_set_mem_ex_functions(str_alloc_detached_debug,
|
||||
str_realloc_detached_debug, free_function);
|
||||
#endif
|
||||
}
|
||||
|
||||
/* this has to be the first function called by a new thread */
|
||||
TLS_DATA *tls_alloc(CLI *c, TLS_DATA *inherited, char *txt) {
|
||||
TLS_DATA *tls_data;
|
||||
|
||||
if(inherited) { /* reuse the thread-local storage after fork() */
|
||||
tls_data=inherited;
|
||||
str_free(tls_data->id);
|
||||
} else {
|
||||
tls_data=calloc(1, sizeof(TLS_DATA));
|
||||
if(!tls_data)
|
||||
fatal("Out of memory");
|
||||
if(c)
|
||||
c->tls=tls_data;
|
||||
str_init(tls_data);
|
||||
tls_data->c=c;
|
||||
tls_data->opt=c?c->opt:&service_options;
|
||||
}
|
||||
tls_data->id="unconfigured";
|
||||
tls_set(tls_data);
|
||||
|
||||
/* str.c functions can be used below this point */
|
||||
if(txt) {
|
||||
tls_data->id=str_dup(txt);
|
||||
str_detach(tls_data->id); /* it is deallocated after str_stats() */
|
||||
} else if(c) {
|
||||
tls_data->id=log_id(c);
|
||||
str_detach(tls_data->id); /* it is deallocated after str_stats() */
|
||||
}
|
||||
|
||||
return tls_data;
|
||||
}
|
||||
|
||||
/* per-thread thread-local storage cleanup */
|
||||
void tls_cleanup() {
|
||||
TLS_DATA *tls_data;
|
||||
|
||||
tls_data=tls_get();
|
||||
if(!tls_data)
|
||||
return;
|
||||
str_cleanup(tls_data);
|
||||
str_free(tls_data->id); /* detached allocation */
|
||||
tls_set(NULL);
|
||||
free(tls_data);
|
||||
}
|
||||
|
||||
#ifdef USE_UCONTEXT
|
||||
|
||||
static TLS_DATA *global_tls=NULL;
|
||||
|
||||
NOEXPORT void tls_platform_init() {
|
||||
}
|
||||
|
||||
void tls_set(TLS_DATA *tls_data) {
|
||||
if(ready_head)
|
||||
ready_head->tls=tls_data;
|
||||
else /* ucontext threads not initialized */
|
||||
global_tls=tls_data;
|
||||
}
|
||||
|
||||
TLS_DATA *tls_get() {
|
||||
if(ready_head)
|
||||
return ready_head->tls;
|
||||
else /* ucontext threads not initialized */
|
||||
return global_tls;
|
||||
}
|
||||
|
||||
#endif /* USE_UCONTEXT */
|
||||
|
||||
#ifdef USE_FORK
|
||||
|
||||
static TLS_DATA *global_tls=NULL;
|
||||
|
||||
NOEXPORT void tls_platform_init() {
|
||||
}
|
||||
|
||||
void tls_set(TLS_DATA *tls_data) {
|
||||
global_tls=tls_data;
|
||||
}
|
||||
|
||||
TLS_DATA *tls_get() {
|
||||
return global_tls;
|
||||
}
|
||||
|
||||
#endif /* USE_FORK */
|
||||
|
||||
#ifdef USE_PTHREAD
|
||||
|
||||
static pthread_key_t pthread_key;
|
||||
|
||||
NOEXPORT void tls_platform_init() {
|
||||
pthread_key_create(&pthread_key, NULL);
|
||||
}
|
||||
|
||||
void tls_set(TLS_DATA *tls_data) {
|
||||
pthread_setspecific(pthread_key, tls_data);
|
||||
}
|
||||
|
||||
TLS_DATA *tls_get() {
|
||||
return pthread_getspecific(pthread_key);
|
||||
}
|
||||
|
||||
#endif /* USE_PTHREAD */
|
||||
|
||||
#ifdef USE_WIN32
|
||||
|
||||
static DWORD tls_index;
|
||||
|
||||
NOEXPORT void tls_platform_init() {
|
||||
tls_index=TlsAlloc();
|
||||
}
|
||||
|
||||
void tls_set(TLS_DATA *tls_data) {
|
||||
TlsSetValue(tls_index, tls_data);
|
||||
}
|
||||
|
||||
TLS_DATA *tls_get() {
|
||||
return TlsGetValue(tls_index);
|
||||
}
|
||||
|
||||
#endif /* USE_WIN32 */
|
||||
|
||||
/**************************************** OpenSSL allocator hook */
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER<0x10100000L
|
||||
NOEXPORT void free_function(void *ptr) {
|
||||
/* CRYPTO_set_mem_ex_functions() needs a function rather than a macro */
|
||||
/* unfortunately, OpenSSL provides no file:line information here */
|
||||
str_free_debug(ptr, "OpenSSL", 0);
|
||||
}
|
||||
#endif
|
||||
|
||||
/* end of tls.c */
|
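Review bot: tls_init() ignores the return value of CRYPTO_set_mem_functions() / CRYPTO_set_mem_ex_functions(); OpenSSL refuses the replacement (returns 0) once it has already allocated memory, in which case the str_alloc_detached_debug()/str_free_debug() hooks are silently never installed and the leak and canary checks do not cover OpenSSL's allocations, so check the result and log or fatal() on 0. The same pattern appears in the platform initialisers: `pthread_key_create(&pthread_key, NULL)` and `tls_index=TlsAlloc()` are unchecked, and a failure there (EAGAIN, TLS_OUT_OF_INDEXES) leaves tls_get()/tls_set() operating on an invalid key. One more: tls_alloc() sets `tls_data->id="unconfigured"` and, when neither `txt` nor `c` is given, leaves it there, yet both the `inherited` branch and tls_cleanup() pass `tls_data->id` to str_free(), which would read the bogus header in front of a string literal and most likely die on the "Bad magic" check in get_alloc_list_ptr(); either str_dup() the default or guard the free.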
268
src/ui_unix.c
Normal file
@ -0,0 +1,268 @@
|
||||
/*
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||
* See the GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||
*
|
||||
* Linking stunnel statically or dynamically with other modules is making
|
||||
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||
* the GNU General Public License cover the whole combination.
|
||||
*
|
||||
* In addition, as a special exception, the copyright holder of stunnel
|
||||
* gives you permission to combine stunnel with free software programs or
|
||||
* libraries that are released under the GNU LGPL and with code included
|
||||
* in the standard release of OpenSSL under the OpenSSL License (or
|
||||
* modified versions of such code, with unchanged license). You may copy
|
||||
* and distribute such a system following the terms of the GNU GPL for
|
||||
* stunnel and the licenses of the other code concerned.
|
||||
*
|
||||
* Note that people who make modified versions of stunnel are not obligated
|
||||
* to grant this special exception for their modified versions; it is their
|
||||
* choice whether to do so. The GNU General Public License gives permission
|
||||
* to release a modified version without this exception; this exception
|
||||
* also makes it possible to release a modified version which carries
|
||||
* forward this exception.
|
||||
*/
|
||||
|
||||
#include "common.h"
|
||||
#include "prototypes.h"
|
||||
|
||||
NOEXPORT int main_unix(int, char*[]);
|
||||
#if !defined(__vms) && !defined(USE_OS2)
|
||||
NOEXPORT int daemonize(int);
|
||||
NOEXPORT int create_pid(void);
|
||||
NOEXPORT void delete_pid(void);
|
||||
#endif
|
||||
#ifndef USE_OS2
|
||||
NOEXPORT void signal_handler(int);
|
||||
#endif
|
||||
|
||||
int main(int argc, char* argv[]) { /* execution begins here 8-) */
|
||||
int retval;
|
||||
|
||||
#ifdef M_MMAP_THRESHOLD
|
||||
mallopt(M_MMAP_THRESHOLD, 4096);
|
||||
#endif
|
||||
tls_init(); /* initialize thread-local storage */
|
||||
retval=main_unix(argc, argv);
|
||||
main_cleanup();
|
||||
return retval;
|
||||
}
|
||||
|
||||
NOEXPORT int main_unix(int argc, char* argv[]) {
|
||||
int configure_status;
|
||||
|
||||
#if !defined(__vms) && !defined(USE_OS2)
|
||||
int fd;
|
||||
|
||||
fd=open("/dev/null", O_RDWR); /* open /dev/null before chroot */
|
||||
if(fd==INVALID_SOCKET)
|
||||
fatal("Could not open /dev/null");
|
||||
#endif
|
||||
main_init();
|
||||
configure_status=main_configure(argc>1 ? argv[1] : NULL,
|
||||
argc>2 ? argv[2] : NULL);
|
||||
switch(configure_status) {
|
||||
case 1: /* error -> exit with 1 to indicate error */
|
||||
close(fd);
|
||||
return 1;
|
||||
case 2: /* information printed -> exit with 0 to indicate success */
|
||||
close(fd);
|
||||
return 0;
|
||||
}
|
||||
if(service_options.next) { /* there are service sections -> daemon mode */
|
||||
#if !defined(__vms) && !defined(USE_OS2)
|
||||
if(daemonize(fd)) {
|
||||
close(fd);
|
||||
return 1;
|
||||
}
|
||||
close(fd);
|
||||
/* create_pid() must be called after drop_privileges()
|
||||
* or it won't be possible to remove the file on exit */
|
||||
/* create_pid() must be called after daemonize()
|
||||
* since the final pid is not known beforehand */
|
||||
if(create_pid())
|
||||
return 1;
|
||||
#endif
|
||||
#ifndef USE_OS2
|
||||
signal(SIGCHLD, signal_handler); /* handle dead children */
|
||||
signal(SIGHUP, signal_handler); /* configuration reload */
|
||||
signal(SIGUSR1, signal_handler); /* log reopen */
|
||||
signal(SIGPIPE, SIG_IGN); /* ignore broken pipe */
|
||||
if(signal(SIGTERM, SIG_IGN)!=SIG_IGN)
|
||||
signal(SIGTERM, signal_handler); /* fatal */
|
||||
if(signal(SIGQUIT, SIG_IGN)!=SIG_IGN)
|
||||
signal(SIGQUIT, signal_handler); /* fatal */
|
||||
if(signal(SIGINT, SIG_IGN)!=SIG_IGN)
|
||||
signal(SIGINT, signal_handler); /* fatal */
|
||||
#endif
|
||||
daemon_loop();
|
||||
} else { /* inetd mode */
|
||||
CLI *c;
|
||||
#if !defined(__vms) && !defined(USE_OS2)
|
||||
close(fd);
|
||||
#endif /* standard Unix */
|
||||
#ifndef USE_OS2
|
||||
signal(SIGCHLD, SIG_IGN); /* ignore dead children */
|
||||
signal(SIGPIPE, SIG_IGN); /* ignore broken pipe */
|
||||
#endif
|
||||
set_nonblock(0, 1); /* stdin */
|
||||
set_nonblock(1, 1); /* stdout */
|
||||
c=alloc_client_session(&service_options, 0, 1);
|
||||
tls_alloc(c, ui_tls, NULL);
|
||||
client_main(c);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
#ifndef USE_OS2
|
||||
NOEXPORT void signal_handler(int sig) {
|
||||
int saved_errno;
|
||||
|
||||
saved_errno=errno;
|
||||
signal_post(sig);
|
||||
signal(sig, signal_handler);
|
||||
errno=saved_errno;
|
||||
}
|
||||
#endif
|
||||
|
||||
#if !defined(__vms) && !defined(USE_OS2)
|
||||
|
||||
NOEXPORT int daemonize(int fd) { /* go to background */
|
||||
if(global_options.option.foreground)
|
||||
return 0;
|
||||
dup2(fd, 0);
|
||||
dup2(fd, 1);
|
||||
dup2(fd, 2);
|
||||
#if defined(HAVE_DAEMON) && !defined(__BEOS__)
|
||||
/* set noclose option when calling daemon() function,
|
||||
* so it does not require /dev/null device in the chrooted directory */
|
||||
if(daemon(0, 1)==-1) {
|
||||
ioerror("daemon");
|
||||
return 1;
|
||||
}
|
||||
#else
|
||||
chdir("/");
|
||||
switch(fork()) {
|
||||
case -1: /* fork failed */
|
||||
ioerror("fork");
|
||||
return 1;
|
||||
case 0: /* child */
|
||||
break;
|
||||
default: /* parent */
|
||||
exit(0);
|
||||
}
|
||||
#endif
|
||||
tls_alloc(NULL, ui_tls, "main"); /* reuse thread-local storage */
|
||||
#ifdef HAVE_SETSID
|
||||
setsid(); /* ignore the error */
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
|
||||
NOEXPORT int create_pid(void) {
|
||||
int pf;
|
||||
char *pid;
|
||||
|
||||
if(!global_options.pidfile) {
|
||||
s_log(LOG_DEBUG, "No pid file being created");
|
||||
return 0;
|
||||
}
|
||||
if(global_options.pidfile[0]!='/') {
|
||||
/* to prevent creating pid file relative to '/' after daemonize() */
|
||||
s_log(LOG_ERR, "Pid file (%s) must be full path name", global_options.pidfile);
|
||||
return 1;
|
||||
}
|
||||
global_options.dpid=(unsigned long)getpid();
|
||||
|
||||
/* silently remove old pid file */
|
||||
unlink(global_options.pidfile);
|
||||
pf=open(global_options.pidfile, O_WRONLY|O_CREAT|O_TRUNC|O_EXCL, 0644);
|
||||
if(pf==-1) {
|
||||
s_log(LOG_ERR, "Cannot create pid file %s", global_options.pidfile);
|
||||
ioerror("create");
|
||||
return 1;
|
||||
}
|
||||
pid=str_printf("%lu\n", global_options.dpid);
|
||||
if(write(pf, pid, strlen(pid))<(int)strlen(pid)) {
|
||||
s_log(LOG_ERR, "Cannot write pid file %s", global_options.pidfile);
|
||||
ioerror("write");
|
||||
return 1;
|
||||
}
|
||||
str_free(pid);
|
||||
close(pf);
|
||||
s_log(LOG_DEBUG, "Created pid file %s", global_options.pidfile);
|
||||
atexit(delete_pid);
|
||||
return 0;
|
||||
}
|
||||
|
||||
NOEXPORT void delete_pid(void) {
|
||||
if((unsigned long)getpid()!=global_options.dpid)
|
||||
return; /* current process is not main daemon process */
|
||||
s_log(LOG_DEBUG, "removing pid file %s", global_options.pidfile);
|
||||
if(unlink(global_options.pidfile)<0)
|
||||
ioerror(global_options.pidfile); /* not critical */
|
||||
}
|
||||
|
||||
#endif /* standard Unix */
|
||||
|
||||
/**************************************** options callbacks */
|
||||
|
||||
void ui_config_reloaded(void) {
|
||||
/* no action */
|
||||
}
|
||||
|
||||
#ifdef ICON_IMAGE
|
||||
|
||||
ICON_IMAGE load_icon_default(ICON_TYPE icon) {
|
||||
(void)icon; /* squash the unused parameter warning */
|
||||
return (ICON_IMAGE)0;
|
||||
}
|
||||
|
||||
ICON_IMAGE load_icon_file(const char *file) {
|
||||
(void)file; /* squash the unused parameter warning */
|
||||
return (ICON_IMAGE)0;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
/**************************************** client callbacks */
|
||||
|
||||
void ui_new_chain(const unsigned section_number) {
|
||||
(void)section_number; /* squash the unused parameter warning */
|
||||
}
|
||||
|
||||
void ui_clients(const long num) {
|
||||
(void)num; /* squash the unused parameter warning */
|
||||
}
|
||||
|
||||
/**************************************** s_log callbacks */
|
||||
|
||||
void ui_new_log(const char *line) {
|
||||
fprintf(stderr, "%s\n", line);
|
||||
}
|
||||
|
||||
/**************************************** ctx callbacks */
|
||||
|
||||
int ui_passwd_cb(char *buf, int size, int rwflag, void *userdata) {
|
||||
return PEM_def_callback(buf, size, rwflag, userdata);
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
UI_METHOD *UI_stunnel() {
|
||||
return UI_OpenSSL();
|
||||
}
|
||||
#endif
|
||||
|
||||
/* end of ui_unix.c */
|
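Review bot: `fd` is declared and opened only under `#if !defined(__vms) && !defined(USE_OS2)`, but the `close(fd)` calls in the `case 1:` and `case 2:` branches of the switch on configure_status are unconditional, so the VMS and OS/2 builds cannot compile main_unix(); wrap those two calls in the same #if, as the later close(fd) calls already are. Minor: `if(fd==INVALID_SOCKET)` compares a file descriptor from open() with a socket constant, where `fd<0` is the idiomatic test; in create_pid() `O_TRUNC` is redundant next to `O_EXCL`; and the handlers are installed with signal() and re-armed inside signal_handler(), which leaves a window in which a second SIGHUP/SIGTERM gets the default disposition on platforms with System V reset semantics, so sigaction() (which does not reset the handler) would be the safer choice.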
138
src/ui_win_cli.c
Normal file
@ -0,0 +1,138 @@
|
||||
/*
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||
* See the GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||
*
|
||||
* Linking stunnel statically or dynamically with other modules is making
|
||||
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||
* the GNU General Public License cover the whole combination.
|
||||
*
|
||||
* In addition, as a special exception, the copyright holder of stunnel
|
||||
* gives you permission to combine stunnel with free software programs or
|
||||
* libraries that are released under the GNU LGPL and with code included
|
||||
* in the standard release of OpenSSL under the OpenSSL License (or
|
||||
* modified versions of such code, with unchanged license). You may copy
|
||||
* and distribute such a system following the terms of the GNU GPL for
|
||||
* stunnel and the licenses of the other code concerned.
|
||||
*
|
||||
* Note that people who make modified versions of stunnel are not obligated
|
||||
* to grant this special exception for their modified versions; it is their
|
||||
* choice whether to do so. The GNU General Public License gives permission
|
||||
* to release a modified version without this exception; this exception
|
||||
* also makes it possible to release a modified version which carries
|
||||
* forward this exception.
|
||||
*/
|
||||
|
||||
#include "common.h"
|
||||
#include "prototypes.h"
|
||||
|
||||
int main(int argc, char *argv[]) {
|
||||
static struct WSAData wsa_state;
|
||||
TCHAR *c, stunnel_exe_path[MAX_PATH];
|
||||
|
||||
tls_init(); /* initialize thread-local storage */
|
||||
|
||||
/* set current working directory and engine path */
|
||||
GetModuleFileName(0, stunnel_exe_path, MAX_PATH);
|
||||
c=_tcsrchr(stunnel_exe_path, TEXT('\\')); /* last backslash */
|
||||
if(c) { /* found */
|
||||
*c=TEXT('\0'); /* truncate the program name */
|
||||
c=_tcsrchr(stunnel_exe_path, TEXT('\\')); /* previous backslash */
|
||||
if(c && !_tcscmp(c+1, TEXT("bin")))
|
||||
*c=TEXT('\0'); /* truncate "bin" */
|
||||
}
|
||||
#ifndef _WIN32_WCE
|
||||
if(!SetCurrentDirectory(stunnel_exe_path)) {
|
||||
/* log to stderr, as s_log() is not initialized */
|
||||
_ftprintf(stderr, TEXT("Cannot set directory to %s"),
|
||||
stunnel_exe_path);
|
||||
return 1;
|
||||
}
|
||||
/* try to enter the "config" subdirectory, ignore the result */
|
||||
SetCurrentDirectory(TEXT("config"));
|
||||
#endif
|
||||
_tputenv(str_tprintf(TEXT("OPENSSL_ENGINES=%s\\engines"),
|
||||
stunnel_exe_path));
|
||||
|
||||
if(WSAStartup(MAKEWORD(1, 1), &wsa_state))
|
||||
return 1;
|
||||
resolver_init();
|
||||
main_init();
|
||||
if(!main_configure(argc>1 ? argv[1] : NULL, argc>2 ? argv[2] : NULL))
|
||||
daemon_loop();
|
||||
main_cleanup();
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**************************************** options callbacks */
|
||||
|
||||
void ui_config_reloaded(void) {
|
||||
/* no action */
|
||||
}
|
||||
|
||||
ICON_IMAGE load_icon_default(ICON_TYPE type) {
|
||||
(void)type; /* squash the unused parameter warning */
|
||||
return NULL;
|
||||
}
|
||||
|
||||
ICON_IMAGE load_icon_file(const char *name) {
|
||||
(void)name; /* squash the unused parameter warning */
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/**************************************** client callbacks */
|
||||
|
||||
void ui_new_chain(const unsigned section_number) {
|
||||
(void)section_number; /* squash the unused parameter warning */
|
||||
}
|
||||
|
||||
void ui_clients(const long num) {
|
||||
(void)num; /* squash the unused parameter warning */
|
||||
}
|
||||
|
||||
/**************************************** s_log callbacks */
|
||||
|
||||
void message_box(LPCTSTR text, const UINT type) {
|
||||
MessageBox(NULL, text, TEXT("stunnel"), type);
|
||||
}
|
||||
|
||||
void ui_new_log(const char *line) {
|
||||
LPTSTR tstr;
|
||||
|
||||
tstr=str2tstr(line);
|
||||
#ifdef _WIN32_WCE
|
||||
/* log to Windows CE debug output stream */
|
||||
RETAILMSG(TRUE, (TEXT("%s\r\n"), tstr));
|
||||
#else
|
||||
/* use UTF-16 or native codepage rather than UTF-8 */
|
||||
_ftprintf(stderr, TEXT("%s\r\n"), tstr);
|
||||
fflush(stderr);
|
||||
#endif
|
||||
str_free(tstr);
|
||||
}
|
||||
|
||||
/**************************************** ctx callbacks */
|
||||
|
||||
int ui_passwd_cb(char *buf, int size, int rwflag, void *userdata) {
|
||||
return PEM_def_callback(buf, size, rwflag, userdata);
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
UI_METHOD *UI_stunnel() {
|
||||
return UI_OpenSSL();
|
||||
}
|
||||
#endif
|
||||
|
||||
/* end of ui_win_cli.c */
|
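Review bot: In `main()`, the return value of `GetModuleFileName(0, stunnel_exe_path, MAX_PATH)` is never checked. If the executable path does not fit, the call returns MAX_PATH and on older Windows versions leaves the buffer without a terminating NUL, so the following `_tcsrchr()` reads past the end and the whole directory logic operates on a truncated path. Treat a zero return, or a return equal to MAX_PATH with `GetLastError()==ERROR_INSUFFICIENT_BUFFER`, as fatal and exit with the same stderr message style used for the `SetCurrentDirectory()` failure. Two smaller points in the same block: `OPENSSL_ENGINES` is pointed at `<exe dir>\engines`, so OpenSSL will load engine DLLs from a directory next to the binary, which therefore needs the same ACLs as the executable (a user who can write there gets code execution inside stunnel); a comment here or in the install notes would help. And because the result of `SetCurrentDirectory(TEXT("config"))` is deliberately ignored, relative certificate and key paths in the configuration resolve against either `config\` or its parent depending on whether the subdirectory exists; logging the directory actually in use once `s_log()` is initialised would make that easier to diagnose. Also, the "Cannot set directory to %s" message lacks a trailing newline.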
66
src/vc.mak
@ -1,4 +1,4 @@
# vc.mak by Michal Trojnara 1998-2013
# vc.mak by Michal Trojnara 1998-2017
# with help of David Gillingham <dgillingham@gmail.com>
# with help of Pierre Delaage <delaage.pierre@free.fr>

@ -8,49 +8,51 @@
# - Visual C++ 2005 Professional Edition
# - Visual C++ 2008 Express Edition

!IF [ml64.exe /help >NUL 2>&1]
TARGET=win32
!ELSE
TARGET=win64
!ENDIF
!MESSAGE Detected target: $(TARGET)
!MESSAGE

# modify this to point to your OpenSSL directory
# either install a precompiled version (*not* the "Light" one) from
# http://www.slproweb.com/products/Win32OpenSSL.html
#SSLDIR=C:\OpenSSL-Win32
#INCDIR=$(SSLDIR)\include
#FIPSDIR=$(SSLDIR)\include
#LIBDIR=$(SSLDIR)\lib
# or compile one yourself
#SSLDIR=..\..\openssl-1.0.1e
#INCDIR=$(SSLDIR)\inc32
#FIPSDIR=$(SSLDIR)\inc32
#LIBDIR=$(SSLDIR)\out32dll
SSLDIR=\devel\$(TARGET)\openssl
# or simply install with "nmake -f ms\ntdll.mak install"
SSLDIR=\usr\local\ssl
#SSLDIR=\usr\local\ssl

INCDIR=$(SSLDIR)\include
FIPSDIR=$(SSLDIR)\fips-2.0\include
LIBDIR=$(SSLDIR)\lib

TARGETCPU=W32
SRC=..\src
OBJROOT=..\obj
OBJ=$(OBJROOT)\$(TARGETCPU)
OBJ=$(OBJROOT)\$(TARGET)
BINROOT=..\bin
BIN=$(BINROOT)\$(TARGETCPU)
BIN=$(BINROOT)\$(TARGET)

SHAREDOBJS=$(OBJ)\stunnel.obj $(OBJ)\ssl.obj $(OBJ)\ctx.obj \
$(OBJ)\verify.obj $(OBJ)\file.obj $(OBJ)\client.obj \
$(OBJ)\protocol.obj $(OBJ)\sthreads.obj $(OBJ)\log.obj \
$(OBJ)\options.obj $(OBJ)\network.obj $(OBJ)\resolver.obj \
$(OBJ)\str.obj $(OBJ)/fd.obj
GUIOBJS=$(OBJ)\gui.obj $(OBJ)\resources.res
NOGUIOBJS=$(OBJ)\nogui.obj

$(OBJ)\str.obj $(OBJ)\tls.obj $(OBJ)\fd.obj $(OBJ)\dhparam.obj \
$(OBJ)\cron.obj
GUIOBJS=$(OBJ)\ui_win_gui.obj $(OBJ)\resources.res
CLIOBJS=$(OBJ)\ui_win_cli.obj

CC=cl
LINK=link

CFLAGS=/MD /W3 /O2 /nologo /I"$(INCDIR)" /I"$(FIPSDIR)"
LDFLAGS=/NOLOGO
UNICODEFLAGS=/DUNICODE /D_UNICODE
CFLAGS=/MD /W3 /O2 /nologo /I"$(INCDIR)" $(UNICODEFLAGS)
LDFLAGS=/NOLOGO /DEBUG

SHAREDLIBS=ws2_32.lib user32.lib
GUILIBS=advapi32.lib comdlg32.lib crypt32.lib gdi32.lib \
psapi.lib shell32.lib
NOGUILIBS=
SHAREDLIBS=ws2_32.lib user32.lib shell32.lib kernel32.lib
GUILIBS=advapi32.lib comdlg32.lib crypt32.lib gdi32.lib psapi.lib
CLILIBS=
SSLLIBS=/LIBPATH:"$(LIBDIR)" libeay32.lib ssleay32.lib
# static linking:
# /LIBPATH:"$(LIBDIR)\VC\static" libeay32MD.lib ssleay32MD.lib
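Review bot: `LDFLAGS=/NOLOGO /DEBUG` carries no hardening options, and the toolchains this makefile lists (Visual C++ 2005 and 2008) do not all enable ASLR and DEP for the image by default; add `/DYNAMICBASE /NXCOMPAT` (plus `/SAFESEH` for the win32 target) to LDFLAGS so both `stunnel.exe` and `tstunnel.exe` get them regardless of compiler version, since a TLS endpoint is exactly the binary where a memory-safety bug should not be trivially exploitable. The target detection is sound: `!IF [ml64.exe /help >NUL 2>&1]` is non-zero when `ml64.exe` is missing, so `TARGET=win32` is the intended branch on a 32-bit toolchain, and switching OBJ and BIN from `$(TARGETCPU)` to `$(TARGET)` removes the stale `W32` directory for 64-bit builds. One leftover to check: `/I"$(FIPSDIR)"` was dropped from CFLAGS, so if the `FIPSDIR=$(SSLDIR)\fips-2.0\include` line survives in the new version it is now dead; either delete it or keep the include path if FIPS builds are still supported.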
@ -60,13 +62,15 @@ SSLLIBS=/LIBPATH:"$(LIBDIR)" libeay32.lib ssleay32.lib

{$(SRC)\}.rc{$(OBJ)\}.res:
$(RC) -fo$@ -r $<

all: makedirs $(BIN)\stunnel.exe $(BIN)\tstunnel.exe

all: build

build: makedirs $(BIN)\stunnel.exe $(BIN)\tstunnel.exe

clean:
-@ del $(SHAREDOBJS) >NUL 2>&1
-@ del $(GUIBJS) >NUL 2>&1
-@ del $(NOGUIBJS) >NUL 2>&1
-@ del $(GUIOBJS) >NUL 2>&1
-@ del $(CLIOBJS) >NUL 2>&1
# -@ del *.manifest >NUL 2>&1
-@ del $(BIN)\stunnel.exe >NUL 2>&1
-@ del $(BIN)\stunnel.exe.manifest >NUL 2>&1
@ -75,7 +79,7 @@ clean:
-@ rmdir $(OBJ) >NUL 2>&1
-@ rmdir $(BIN) >NUL 2>&1

makedirs:
makedirs:
-@ IF NOT EXIST $(OBJROOT) mkdir $(OBJROOT) >NUL 2>&1
-@ IF NOT EXIST $(OBJ) mkdir $(OBJ) >NUL 2>&1
-@ IF NOT EXIST $(BINROOT) mkdir $(BINROOT) >NUL 2>&1
@ -83,15 +87,15 @@ makedirs:

$(SHAREDOBJS): *.h vc.mak
$(GUIOBJS): *.h vc.mak
$(NOGUIOBJS): *.h vc.mak
$(CLIOBJS): *.h vc.mak

$(BIN)\stunnel.exe: $(SHAREDOBJS) $(GUIOBJS)
$(LINK) $(LDFLAGS) $(SHAREDLIBS) $(GUILIBS) $(SSLLIBS) /OUT:$@ $**
IF EXIST $@.manifest \
mt -nologo -manifest $@.manifest -outputresource:$@;1

$(BIN)\tstunnel.exe: $(SHAREDOBJS) $(NOGUIOBJS)
$(LINK) $(LDFLAGS) $(SHAREDLIBS) $(NOGUILIBS) $(SSLLIBS) /OUT:$@ $**
$(BIN)\tstunnel.exe: $(SHAREDOBJS) $(CLIOBJS)
$(LINK) $(LDFLAGS) $(SHAREDLIBS) $(CLILIBS) $(SSLLIBS) /OUT:$@ $**
IF EXIST $@.manifest \
mt -nologo -manifest $@.manifest -outputresource:$@;1

836
src/verify.c
File diff suppressed because it is too large
183
src/version.h
@ -1,88 +1,95 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/

#ifndef VERSION_MAJOR

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif /* HAVE_CONFIG_H */

/* HOST may be undefined on Win32 platform */
#ifndef HOST
#ifdef __MINGW32__
#define HOST "x86-pc-mingw32-gnu"
#else /* __MINGW32__ */
#ifdef _MSC_VER
#define _QUOTEME(x) #x
#define QUOTEME(x) _QUOTEME(x)
#define HOST "x86-pc-msvc-" ## QUOTEME(_MSC_VER)
#else /* _MSC_VER */
#define HOST "x86-pc-unknown"
#endif /* _MSC_VER */
#endif /* __MINGW32__ */
#endif /* HOST */

/* START CUSTOMIZE */
#define VERSION_MAJOR 4
#define VERSION_MINOR 57
/* END CUSTOMIZE */

/* all the following macros are ABSOLUTELY NECESSARY to have proper string
* construction with VARIOUS C preprocessors (EVC, VC, BCC, GCC) */
#define STRINGIZE0(x) #x
#define STRINGIZE(x) STRINGIZE0(x)
#define STRZCONCAT30(a,b,c) a##b##c
#define STRZCONCAT3(a,b,c) STRZCONCAT30(a,b,c)

/* for resource.rc, stunnel.c, gui.c */
#define STUNNEL_VERSION0 STRZCONCAT3(VERSION_MAJOR, . , VERSION_MINOR)
#define STUNNEL_VERSION STRINGIZE(STUNNEL_VERSION0)

/* for resources.rc */
#define STUNNEL_VERSION_FIELDS VERSION_MAJOR,VERSION_MINOR,0,0
#define STUNNEL_PRODUCTNAME "stunnel " STUNNEL_VERSION " for " HOST

/* some useful tricks for preprocessing debugging */
#if 0
#pragma message ( "VERSION.H: STUNNEL_VERSION is " STUNNEL_VERSION )
#pragma message ( "VERSION.H: HOST is " HOST )
#pragma message ( "VERSION.H: STUNNEL_PRODUCTNAME is " STUNNEL_PRODUCTNAME )
#endif

#endif /* VERSION_MAJOR */

/* end of version.h */
/*
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/

#ifndef VERSION_MAJOR

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif /* HAVE_CONFIG_H */

/* HOST may be undefined on Win32 platform */
#ifndef HOST
#if defined(_WIN64)
#define PLATFORM "x64"
#elif defined(_WIN32)
#define PLATFORM "x86"
#else /* although MSDN claims that _WIN32 is always defined */
#define PLATFORM "unknown"
#endif
#ifdef __MINGW32__
#define HOST PLATFORM "-pc-mingw32-gnu"
#else /* __MINGW32__ */
#ifdef _MSC_VER
#define xstr(a) str(a)
#define str(a) #a
#define HOST PLATFORM "-pc-msvc-" xstr(_MSC_VER)
#else /* _MSC_VER */
#define HOST PLATFORM "-pc-unknown"
#endif /* _MSC_VER */
#endif /* __MINGW32__ */
#endif /* HOST */

/* START CUSTOMIZE */
#define VERSION_MAJOR 5
#define VERSION_MINOR 42
/* END CUSTOMIZE */

/* all the following macros are ABSOLUTELY NECESSARY to have proper string
* construction with VARIOUS C preprocessors (EVC, VC, BCC, GCC) */
#define STRINGIZE0(x) #x
#define STRINGIZE(x) STRINGIZE0(x)
#define STRZCONCAT30(a,b,c) a##b##c
#define STRZCONCAT3(a,b,c) STRZCONCAT30(a,b,c)

/* for resource.rc, stunnel.c, gui.c */
#define STUNNEL_VERSION0 STRZCONCAT3(VERSION_MAJOR, . , VERSION_MINOR)
#define STUNNEL_VERSION STRINGIZE(STUNNEL_VERSION0)

/* for resources.rc */
#define STUNNEL_VERSION_FIELDS VERSION_MAJOR,VERSION_MINOR,0,0
#define STUNNEL_PRODUCTNAME "stunnel " STUNNEL_VERSION " for " HOST

/* some useful tricks for preprocessing debugging */
#if 0
#pragma message ( "VERSION.H: STUNNEL_VERSION is " STUNNEL_VERSION )
#pragma message ( "VERSION.H: HOST is " HOST )
#pragma message ( "VERSION.H: STUNNEL_PRODUCTNAME is " STUNNEL_PRODUCTNAME )
#endif

#endif /* VERSION_MAJOR */

/* end of version.h */
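Review bot: The new `_MSC_VER` branch defines `str(a)` and `xstr(a)` to build `HOST` and never undefines them, so every translation unit that includes version.h now carries a function-like macro named `str`; any call to a function or macro spelled `str(...)` elsewhere in the tree would be silently rewritten into a string literal. Either reuse the `STRINGIZE0`/`STRINGIZE` pair already defined further down in this file (move those two lines above the HOST block), or `#undef str` and `#undef xstr` right after the `#define HOST` line. The substance of the change is right: the old `"x86-pc-msvc-" ## QUOTEME(_MSC_VER)` applied the token-pasting operator to a string literal, which is not valid preprocessing, whereas `PLATFORM "-pc-msvc-" xstr(_MSC_VER)` relies on adjacent string-literal concatenation. Minor: `PLATFORM` is derived only from `_WIN64`/`_WIN32`, so a non-x86 Windows build would still report "x86" or "x64"; fine for now, but worth a comment next to the definitions.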
@ -1,36 +1,41 @@
## Process this file with automake to produce Makefile.in
# by Michal Trojnara 2015-2017

EXTRA_DIST = ca.html ca.pl importCA.html importCA.sh script.sh \
stunnel.spec stunnel.cnf stunnel.nsi stunnel.license stunnel.conf
EXTRA_DIST = ca.html ca.pl importCA.html importCA.sh script.sh makecert.sh
EXTRA_DIST += openssl.cnf stunnel.nsi stunnel.license stunnel.conf
EXTRA_DIST += stunnel.conf-sample.in stunnel.init.in stunnel.service.in
EXTRA_DIST += stunnel.logrotate stunnel.rh.init stunnel.spec

confdir = $(sysconfdir)/stunnel
conf_DATA = stunnel.conf-sample

docdir = $(datadir)/doc/stunnel
examplesdir = $(docdir)/examples
examples_DATA = ca.html ca.pl importCA.html importCA.sh script.sh \
stunnel.spec stunnel.init stunnel.service
examples_DATA = stunnel.init stunnel.service
examples_DATA += stunnel.logrotate stunnel.rh.init stunnel.spec
examples_DATA += ca.html ca.pl importCA.html importCA.sh script.sh

CLEANFILES = stunnel.conf-sample stunnel.init stunnel.service

OPENSSL=$(SSLDIR)/bin/openssl
install-data-local:
if test ! -r $(DESTDIR)$(confdir)/stunnel.pem; then \
if test -r "$(RANDOM_FILE)"; then \
dd if="$(RANDOM_FILE)" of=stunnel.rnd bs=256 count=1; \
RND="-rand stunnel.rnd"; \
else \
RND=""; \
fi; \
$(OPENSSL) req -new -x509 -days 365 $$RND \
-config $(srcdir)/stunnel.cnf \
-out stunnel.pem -keyout stunnel.pem; \
$(OPENSSL) gendh $$RND 1024 >> stunnel.pem; \
$(OPENSSL) x509 -subject -dates -fingerprint -noout -in stunnel.pem; \
${INSTALL} -m 600 stunnel.pem $(DESTDIR)$(confdir)/stunnel.pem; \
rm stunnel.pem; \
fi
${INSTALL} -d -m 1770 $(DESTDIR)$(localstatedir)/lib/stunnel
-chgrp $(DEFAULT_GROUP) $(DESTDIR)$(localstatedir)/lib/stunnel

clean-local:
-rm -f stunnel.rnd
cert:
$(srcdir)/makecert.sh $(srcdir) $(SSLDIR) $(RANDOM_FILE)
${INSTALL} -b -m 600 stunnel.pem $(DESTDIR)$(confdir)/stunnel.pem
rm -f stunnel.pem

edit = sed \
-e 's|@prefix[@]|$(prefix)|g' \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@localstatedir[@]|$(localstatedir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g' \
-e 's|@DEFAULT_GROUP[@]|$(DEFAULT_GROUP)|g'

stunnel.conf-sample stunnel.init stunnel.service: Makefile
$(edit) '$(srcdir)/$@.in' >$@

stunnel.conf-sample: $(srcdir)/stunnel.conf-sample.in
stunnel.init: $(srcdir)/stunnel.init.in
stunnel.service: $(srcdir)/stunnel.service.in
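Review bot: The new `cert:` target has no equivalent of the old `if test ! -r $(DESTDIR)$(confdir)/stunnel.pem` guard, so `make cert` always generates and installs a fresh key and certificate over whatever is deployed; `${INSTALL} -b` keeps the previous file as `stunnel.pem~`, but nothing tells the operator that the live key just changed, and the backup, which is still a valid private key, stays beside it indefinitely. Restore the guard (or gate the overwrite on an explicit variable) and at least echo a warning when the target already exists. Two things to confirm in makecert.sh, which this hunk invokes but does not show: that the key is created under a restrictive umask, because it is written into the build directory first and only copied with `-m 600` and removed afterwards with `rm -f stunnel.pem`; and that it does not reproduce the old `$(OPENSSL) gendh $$RND 1024` step, since 1024-bit DH parameters are below current recommendations. Moving generation out of `install-data-local` is the right direction: `make install` should not silently mint a self-signed certificate and private key.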
@ -1,9 +1,8 @@
# Makefile.in generated by automake 1.11.1 from Makefile.am.
# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@

# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
# Inc.
# Copyright (C) 1994-2013 Free Software Foundation, Inc.

# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@ -15,7 +14,54 @@

@SET_MAKE@

# by Michal Trojnara 2015-2017

VPATH = @srcdir@
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@ -35,9 +81,7 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = tools
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
$(srcdir)/stunnel.conf-sample.in $(srcdir)/stunnel.init.in \
$(srcdir)/stunnel.service.in
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
@ -47,10 +91,27 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/src/config.h
CONFIG_CLEAN_FILES = stunnel.conf-sample stunnel.init stunnel.service
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
SOURCES =
DIST_SOURCES =
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@ -72,11 +133,19 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
am__installdirs = "$(DESTDIR)$(confdir)" "$(DESTDIR)$(examplesdir)"
DATA = $(conf_DATA) $(examples_DATA)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
@ -91,6 +160,7 @@ CYGPATH_W = @CYGPATH_W@
DEFAULT_GROUP = @DEFAULT_GROUP@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@ -115,6 +185,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
@ -130,6 +201,9 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PTHREAD_CC = @PTHREAD_CC@
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
PTHREAD_LIBS = @PTHREAD_LIBS@
RANDOM_FILE = @RANDOM_FILE@
RANLIB = @RANLIB@
SED = @SED@
@ -142,6 +216,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@ -149,6 +224,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
ax_pthread_config = @ax_pthread_config@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@ -174,7 +250,6 @@ libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
lt_ECHO = @lt_ECHO@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
@ -182,27 +257,34 @@ pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
stunnel_CFLAGS = @stunnel_CFLAGS@
stunnel_LDFLAGF = @stunnel_LDFLAGF@
stunnel_LDFLAGS = @stunnel_LDFLAGS@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
EXTRA_DIST = ca.html ca.pl importCA.html importCA.sh script.sh \
stunnel.spec stunnel.cnf stunnel.nsi stunnel.license stunnel.conf

makecert.sh openssl.cnf stunnel.nsi stunnel.license \
stunnel.conf stunnel.conf-sample.in stunnel.init.in \
stunnel.service.in stunnel.logrotate stunnel.rh.init \
stunnel.spec
confdir = $(sysconfdir)/stunnel
conf_DATA = stunnel.conf-sample
examplesdir = $(docdir)/examples
examples_DATA = ca.html ca.pl importCA.html importCA.sh script.sh \
stunnel.spec stunnel.init stunnel.service
examples_DATA = stunnel.init stunnel.service stunnel.logrotate \
stunnel.rh.init stunnel.spec ca.html ca.pl importCA.html \
importCA.sh script.sh
CLEANFILES = stunnel.conf-sample stunnel.init stunnel.service
edit = sed \
-e 's|@prefix[@]|$(prefix)|g' \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@localstatedir[@]|$(localstatedir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g' \
-e 's|@DEFAULT_GROUP[@]|$(DEFAULT_GROUP)|g'

OPENSSL = $(SSLDIR)/bin/openssl
all: all-am

.SUFFIXES:
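Review bot: `stunnel_LDFLAGF = @stunnel_LDFLAGF@` directly above `stunnel_LDFLAGS = @stunnel_LDFLAGS@` looks like a misspelled AC_SUBST in configure.ac that automake has propagated into this generated file; if the substitution is never used it should be removed at its source, and if it was meant to be `stunnel_LDFLAGS` then a linker flag intended for the build is currently being dropped. The rest of this hunk is what regenerating with automake 1.14.1 produces (the added `runstatedir`, `ax_pthread_config`, the `EXTRA_DIST`/`examples_DATA` lists and the `edit` rule mirror the Makefile.am for the `tools` subdir), so it needs no hand edits; just make sure the committed Makefile.in is always regenerated rather than patched, or the two will drift.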
@ -236,12 +318,6 @@ $(top_srcdir)/configure: $(am__configure_deps)
|
||||
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
|
||||
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
|
||||
$(am__aclocal_m4_deps):
|
||||
stunnel.conf-sample: $(top_builddir)/config.status $(srcdir)/stunnel.conf-sample.in
|
||||
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
|
||||
stunnel.init: $(top_builddir)/config.status $(srcdir)/stunnel.init.in
|
||||
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
|
||||
stunnel.service: $(top_builddir)/config.status $(srcdir)/stunnel.service.in
|
||||
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
|
||||
|
||||
mostlyclean-libtool:
|
||||
-rm -f *.lo
|
||||
@ -250,8 +326,11 @@ clean-libtool:
|
||||
-rm -rf .libs _libs
|
||||
install-confDATA: $(conf_DATA)
|
||||
@$(NORMAL_INSTALL)
|
||||
test -z "$(confdir)" || $(MKDIR_P) "$(DESTDIR)$(confdir)"
|
||||
@list='$(conf_DATA)'; test -n "$(confdir)" || list=; \
|
||||
if test -n "$$list"; then \
|
||||
echo " $(MKDIR_P) '$(DESTDIR)$(confdir)'"; \
|
||||
$(MKDIR_P) "$(DESTDIR)$(confdir)" || exit 1; \
|
||||
fi; \
|
||||
for p in $$list; do \
|
||||
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
|
||||
echo "$$d$$p"; \
|
||||
@ -265,13 +344,14 @@ uninstall-confDATA:
|
||||
@$(NORMAL_UNINSTALL)
|
||||
@list='$(conf_DATA)'; test -n "$(confdir)" || list=; \
|
||||
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
|
||||
test -n "$$files" || exit 0; \
|
||||
echo " ( cd '$(DESTDIR)$(confdir)' && rm -f" $$files ")"; \
|
||||
cd "$(DESTDIR)$(confdir)" && rm -f $$files
|
||||
dir='$(DESTDIR)$(confdir)'; $(am__uninstall_files_from_dir)
|
||||
install-examplesDATA: $(examples_DATA)
|
||||
@$(NORMAL_INSTALL)
|
||||
test -z "$(examplesdir)" || $(MKDIR_P) "$(DESTDIR)$(examplesdir)"
|
||||
@list='$(examples_DATA)'; test -n "$(examplesdir)" || list=; \
|
||||
if test -n "$$list"; then \
|
||||
echo " $(MKDIR_P) '$(DESTDIR)$(examplesdir)'"; \
|
||||
$(MKDIR_P) "$(DESTDIR)$(examplesdir)" || exit 1; \
|
||||
fi; \
|
||||
for p in $$list; do \
|
||||
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
|
||||
echo "$$d$$p"; \
|
||||
@ -285,14 +365,12 @@ uninstall-examplesDATA:
@$(NORMAL_UNINSTALL)
@list='$(examples_DATA)'; test -n "$(examplesdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
test -n "$$files" || exit 0; \
echo " ( cd '$(DESTDIR)$(examplesdir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(examplesdir)" && rm -f $$files
tags: TAGS
TAGS:
dir='$(DESTDIR)$(examplesdir)'; $(am__uninstall_files_from_dir)
tags TAGS:

ctags: CTAGS
CTAGS:
ctags CTAGS:

cscope cscopelist:


distdir: $(DISTFILES)
@ -342,13 +420,19 @@ install-am: all-am

installcheck: installcheck-am
install-strip:
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
`test -z '$(STRIP)' || \
echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:

clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)

distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
@ -359,7 +443,7 @@ maintainer-clean-generic:
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am

clean-am: clean-generic clean-libtool clean-local mostlyclean-am
clean-am: clean-generic clean-libtool mostlyclean-am

distclean: distclean-am
-rm -f Makefile
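Review bot: `clean-local` is removed from `clean-am`'s prerequisites here, so `make clean` no longer runs the `clean-local` rule that deleted `stunnel.rnd`; that is only safe if the rule itself goes too and nothing else leaves `stunnel.rnd` behind. The later hunk in this file does drop `clean-local:` / `-rm -f stunnel.rnd` and hands seed-file cleanup to `makecert.sh`, which removes its own `stunnel.rnd`, so the two changes are consistent; keep them in the same commit.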
@ -427,40 +511,35 @@ uninstall-am: uninstall-confDATA uninstall-examplesDATA
.MAKE: install-am install-strip

.PHONY: all all-am check check-am clean clean-generic clean-libtool \
clean-local distclean distclean-generic distclean-libtool \
distdir dvi dvi-am html html-am info info-am install \
install-am install-confDATA install-data install-data-am \
install-data-local install-dvi install-dvi-am \
cscopelist-am ctags-am distclean distclean-generic \
distclean-libtool distdir dvi dvi-am html html-am info info-am \
install install-am install-confDATA install-data \
install-data-am install-data-local install-dvi install-dvi-am \
install-examplesDATA install-exec install-exec-am install-html \
install-html-am install-info install-info-am install-man \
install-pdf install-pdf-am install-ps install-ps-am \
install-strip installcheck installcheck-am installdirs \
maintainer-clean maintainer-clean-generic mostlyclean \
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
uninstall uninstall-am uninstall-confDATA \
tags-am uninstall uninstall-am uninstall-confDATA \
uninstall-examplesDATA


install-data-local:
if test ! -r $(DESTDIR)$(confdir)/stunnel.pem; then \
if test -r "$(RANDOM_FILE)"; then \
dd if="$(RANDOM_FILE)" of=stunnel.rnd bs=256 count=1; \
RND="-rand stunnel.rnd"; \
else \
RND=""; \
fi; \
$(OPENSSL) req -new -x509 -days 365 $$RND \
-config $(srcdir)/stunnel.cnf \
-out stunnel.pem -keyout stunnel.pem; \
$(OPENSSL) gendh $$RND 1024 >> stunnel.pem; \
$(OPENSSL) x509 -subject -dates -fingerprint -noout -in stunnel.pem; \
${INSTALL} -m 600 stunnel.pem $(DESTDIR)$(confdir)/stunnel.pem; \
rm stunnel.pem; \
fi
${INSTALL} -d -m 1770 $(DESTDIR)$(localstatedir)/lib/stunnel
-chgrp $(DEFAULT_GROUP) $(DESTDIR)$(localstatedir)/lib/stunnel

clean-local:
-rm -f stunnel.rnd
cert:
$(srcdir)/makecert.sh $(srcdir) $(SSLDIR) $(RANDOM_FILE)
${INSTALL} -b -m 600 stunnel.pem $(DESTDIR)$(confdir)/stunnel.pem
rm -f stunnel.pem

stunnel.conf-sample stunnel.init stunnel.service: Makefile
$(edit) '$(srcdir)/$@.in' >$@

stunnel.conf-sample: $(srcdir)/stunnel.conf-sample.in
stunnel.init: $(srcdir)/stunnel.init.in
stunnel.service: $(srcdir)/stunnel.service.in

# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
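Review bot: the new `cert` target regenerates and installs `stunnel.pem` unconditionally, whereas the removed `install-data-local` only generated one when `$(DESTDIR)$(confdir)/stunnel.pem` was not readable; `${INSTALL} -b` keeps a backup copy, but a repeated `make cert` replaces the private key a running service may be using, so either restore the `test ! -r` guard or document `cert` as a key rotation step. Dropping `$(OPENSSL) gendh $$RND 1024 >> stunnel.pem` from the installed file is an improvement: 1024-bit DH parameters are below current minimums and do not belong in the certificate file. Moving generation out of `make install` also means an install no longer creates key material as a side effect, which is the right default.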
@ -61,5 +61,5 @@ sub ReadForm {

sub Error {
print "Content-type: text/html\n\n";
print "<P><P><center><H1>Cant open file</H1></center>\n";
print "<P><P><center><H1>Can't open file</H1></center>\n";
}
29
tools/makecert.sh
Executable file
@ -0,0 +1,29 @@
#!/bin/sh

if test -n "$1"; then
CONF="$1/openssl.cnf"
else
CONF="openssl.cnf"
fi

if test -n "$2"; then
OPENSSL="$2/bin/openssl"
else
OPENSSL=openssl
fi

if test -n "$3"; then
RAND="$3"
else
RAND="/dev/urandom"
fi

dd if="$RAND" of=stunnel.rnd bs=256 count=1
$OPENSSL req -new -x509 -days 1461 -rand stunnel.rnd -config $CONF \
-out stunnel.pem -keyout stunnel.pem
rm -f stunnel.rnd

echo
echo "Certificate details:"
$OPENSSL x509 -subject -dates -fingerprint -noout -in stunnel.pem
echo
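Review bot: add `set -e` and `umask 077` after the shebang. Without `set -e`, a failed `dd` (an unreadable `$3`) or a failed `openssl req` still reaches the "Certificate details:" block and the script exits 0, so the Makefile's `cert` target would go on to `${INSTALL}` a missing or partial `stunnel.pem`; without `umask 077`, `-keyout stunnel.pem` writes the unencrypted private key under the caller's umask and it stays that way until `${INSTALL} -m 600` runs. `$CONF` in `-config $CONF` is the only unquoted variable; quote it as the others are. Also confirm that `$1/openssl.cnf` is the intended name: the removed Makefile rule used `$(srcdir)/stunnel.cnf`.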
@ -1,15 +1,23 @@
# OpenSSL configuration file to create a server certificate
# by Michal Trojnara 1998-2013
# by Michal Trojnara 1998-2017

[ req ]
# the default key length is secure and quite fast - do not change it
default_bits = 2048
# comment out the next line to protect the private key with a passphrase
encrypt_key = no
distinguished_name = req_dn
x509_extensions = cert_type
# the default key length is secure and quite fast - do not change it
default_bits = 2048
default_md = sha1
x509_extensions = stunnel_extensions
distinguished_name = stunnel_dn

[ req_dn ]
[ stunnel_extensions ]
nsCertType = server
basicConstraints = CA:TRUE,pathlen:0
keyUsage = keyCertSign
extendedKeyUsage = serverAuth
nsComment = "stunnel self-signed certificate"

[ stunnel_dn ]
countryName = Country Name (2 letter code)
countryName_default = PL
countryName_min = 2
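Review bot: `default_md = sha1` signs the generated certificate with SHA-1, which is deprecated for certificate signatures and increasingly refused by TLS clients; use `default_md = sha256`. In `[ stunnel_extensions ]`, `keyUsage = keyCertSign` on its own omits `digitalSignature` and `keyEncipherment`, the bits a TLS server certificate needs, so a peer that enforces keyUsage can refuse the certificate despite `extendedKeyUsage = serverAuth`; `keyUsage = digitalSignature, keyEncipherment, keyCertSign` keeps it usable both as its own trust anchor and as a server certificate. `encrypt_key = no` leaves the key unencrypted on disk, as the comment above it already says, which is why the mode-600 install in the Makefile matters.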
@ -37,6 +45,3 @@ organizationalUnitName_default = Provisional CA
# See http://home.netscape.com/eng/security/ssl_2.0_certificate.html
# to see how Netscape understands commonName.

[ cert_type ]
nsCertType = server
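Review bot: the surviving comment `# See http://home.netscape.com/eng/security/ssl_2.0_certificate.html` points at a URL that no longer exists; drop it or replace it with the current guidance that clients match the host name against subjectAltName rather than commonName. Removing the `[ cert_type ]` section is fine since `nsCertType = server` moved into `[ stunnel_extensions ]`, though `nsCertType` is a legacy Netscape extension that modern clients ignore.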
@ -1,4 +1,4 @@
; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2012
; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2017
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options
@ -7,85 +7,129 @@
; * Global options *
; **************************************************************************

; Debugging stuff (may useful for troubleshooting)
;debug = 7
; Debugging stuff (may be useful for troubleshooting)
;debug = info
;output = stunnel.log

; Disable FIPS mode to allow non-approved protocols and algorithms
;fips = no
; Enable FIPS 140-2 mode if needed for compliance
;fips = yes

; Microsoft CryptoAPI engine allows for authentication with private keys
; stored in the Windows certificate store
; Each section using this feature also needs the "engineId = capi" option
;engine = capi

; The pkcs11 engine allows for authentication with cryptographic
; keys isolated in a hardware or software token
; MODULE_PATH specifies the path to the pkcs11 module shared library,
; e.g. softhsm2.dll or opensc-pkcs11.so
; Each section using this feature also needs the "engineId = pkcs11" option
;engine = pkcs11
;engineCtrl = MODULE_PATH:softhsm2.dll
;engineCtrl = PIN:1234

; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************

; Certificate/key is needed in server mode and optional in client mode
cert = stunnel.pem
;key = stunnel.pem

; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively CRLfile can be used
;CRLfile = crls.pem

; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Include all configuration file fragments from the specified folder *
; **************************************************************************

;include = conf.d

; **************************************************************************
; * Service definitions (at least one service has to be defined) *
; **************************************************************************

; Example SSL server mode services
; ***************************************** Example TLS client mode services

[pop3s]
accept = 995
connect = 110
[gmail-pop3]
client = yes
accept = 127.0.0.1:110
connect = pop.gmail.com:995
verifyChain = yes
CAfile = ca-certs.pem
checkHost = pop.gmail.com
OCSPaia = yes

[imaps]
accept = 993
connect = 143
[gmail-imap]
client = yes
accept = 127.0.0.1:143
connect = imap.gmail.com:993
verifyChain = yes
CAfile = ca-certs.pem
checkHost = imap.gmail.com
OCSPaia = yes

[ssmtp]
accept = 465
connect = 25
[gmail-smtp]
client = yes
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
verifyChain = yes
CAfile = ca-certs.pem
checkHost = smtp.gmail.com
OCSPaia = yes

; Example SSL client mode services

;[gmail-pop3]
; Encrypted HTTP proxy authenticated with a client certificate
; located in the Windows certificate store
;[example-proxy]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995
;accept = 127.0.0.1:8080
;connect = example.com:8443
;engineId = capi

;[gmail-imap]
; Encrypted HTTP proxy authenticated with a client certificate
; located in a cryptographic token
;[example-pkcs11]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993
;accept = 127.0.0.1:8080
;connect = example.com:8443
;engineId = pkcs11
;cert = pkcs11:token=MyToken;object=MyCert
;key = pkcs11:token=MyToken;object=MyKey

;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465
; ***************************************** Example TLS server mode services

; Example SSL front-end to a web server
;[pop3s]
;accept = 995
;connect = 110
;cert = stunnel.pem

;[imaps]
;accept = 993
;connect = 143
;cert = stunnel.pem

;[ssmtp]
;accept = 465
;connect = 25
;cert = stunnel.pem

; TLS front-end to a web server
;[https]
;accept = 443
;connect = 80
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;cert = stunnel.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
;TIMEOUTclose = 0

; Remote cmd.exe protected with PSK-authenticated TLS
; Create "secrets.txt" containing IDENTITY:KEY pairs
;[cmd]
;accept = 1337
;exec = c:\windows\system32\cmd.exe
;execArgs = cmd.exe
;ciphers = PSK
;PSKsecrets = secrets.txt

; vim:ft=dosini
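Review bot: the `;[example-proxy]` and `;[example-pkcs11]` client examples present a client certificate (`engineId = capi` / `engineId = pkcs11`) but, unlike the three gmail services above them, carry no `verifyChain = yes` and `checkHost = ...`, so a user who uncomments them gets a client that authenticates itself to whatever answers at `example.com:8443` without authenticating the server; add the same verification lines. The `;[cmd]` example exposes `c:\windows\system32\cmd.exe` on `accept = 1337`, which binds every interface, guarded only by the PSK in `secrets.txt`; use `accept = 127.0.0.1:1337` in the sample or state in its comment that `secrets.txt` must be readable by the stunnel account only. Replacing the commented gmail examples with active ones that set `verifyChain`, `checkHost` and `OCSPaia` is the right direction.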
@ -1,4 +1,4 @@
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2013
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2017
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options
@ -7,94 +7,135 @@
; * Global options *
; **************************************************************************

; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
chroot = @prefix@/var/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
setuid = nobody
setgid = @DEFAULT_GROUP@
; It is recommended to drop root privileges if stunnel is started by root
;setuid = nobody
;setgid = @DEFAULT_GROUP@

; PID is created inside the chroot jail
pid = /stunnel.pid
; PID file is created inside the chroot jail (if enabled)
;pid = @localstatedir@/run/stunnel.pid

; Debugging stuff (may useful for troubleshooting)
;debug = 7
;output = stunnel.log
; Debugging stuff (may be useful for troubleshooting)
;foreground = yes
;debug = info
;output = @localstatedir@/log/stunnel.log

; Enable FIPS 140-2 mode if needed for compliance
;fips = yes

; The pkcs11 engine allows for authentication with cryptographic
; keys isolated in a hardware or software token
; MODULE_PATH specifies the path to the pkcs11 module shared library,
; e.g. softhsm2.dll or opensc-pkcs11.so
; Each section using this feature also needs the "engineId = pkcs11" option
;engine = pkcs11
;engineCtrl = MODULE_PATH:/usr/lib/softhsm/libsofthsm2.so
;engineCtrl = PIN:1234

; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************

; Certificate/key is needed in server mode and optional in client mode
cert = @prefix@/etc/stunnel/mail.pem
;key = @prefix@/etc/stunnel/mail.pem

; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = @prefix@/etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively CRLfile can be used
;CRLfile = @prefix@/etc/stunnel/crls.pem

; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Include all configuration file fragments from the specified folder *
; **************************************************************************

;include = @sysconfdir@/stunnel/conf.d

; **************************************************************************
; * Service definitions (remove all services for inetd mode) *
; **************************************************************************

; Example SSL server mode services
; ***************************************** Example TLS client mode services

[pop3s]
accept = 995
connect = 110
; The following examples use /etc/ssl/certs, which is the common location
; of a hashed directory containing trusted CA certificates. This is not
; a hardcoded path of the stunnel package, as it is not related to the
; stunnel configuration in @sysconfdir@/stunnel/.

[imaps]
accept = 993
connect = 143
[gmail-pop3]
client = yes
accept = 127.0.0.1:110
connect = pop.gmail.com:995
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = pop.gmail.com
OCSPaia = yes

[ssmtp]
accept = 465
connect = 25
[gmail-imap]
client = yes
accept = 127.0.0.1:143
connect = imap.gmail.com:993
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = imap.gmail.com
OCSPaia = yes

; Example SSL client mode services
[gmail-smtp]
client = yes
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = smtp.gmail.com
OCSPaia = yes

;[gmail-pop3]
; Encrypted HTTP proxy authenticated with a client certificate
; located in a cryptographic token
;[example-pkcs11]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995
;accept = 127.0.0.1:8080
;connect = example.com:8443
;engineId = pkcs11
;cert = pkcs11:token=MyToken;object=MyCert
;key = pkcs11:token=MyToken;object=MyKey

;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993
; ***************************************** Example TLS server mode services

;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465
;[pop3s]
;accept = 995
;connect = 110
;cert = @sysconfdir@/stunnel/stunnel.pem

; Example SSL front-end to a web server
;[imaps]
;accept = 993
;connect = 143
;cert = @sysconfdir@/stunnel/stunnel.pem

;[ssmtp]
;accept = 465
;connect = 25
;cert = @sysconfdir@/stunnel/stunnel.pem

; TLS front-end to a web server
;[https]
;accept = 443
;connect = 80
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;cert = @sysconfdir@/stunnel/stunnel.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
;TIMEOUTclose = 0

; Remote shell protected with PSK-authenticated TLS
; Create "@sysconfdir@/stunnel/secrets.txt" containing IDENTITY:KEY pairs
;[shell]
;accept = 1337
;exec = /bin/sh
;execArgs = sh -i
;ciphers = PSK
;PSKsecrets = @sysconfdir@/stunnel/secrets.txt

; Non-standard MySQL-over-TLS encapsulation connecting the Unix socket
;[mysql]
;cert = @sysconfdir@/stunnel/stunnel.pem
;accept = 3307
;connect = /run/mysqld/mysqld.sock

; vim:ft=dosini
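Review bot: `setuid = nobody` / `setgid = @DEFAULT_GROUP@` become commented out (`;setuid`, `;setgid`) while `chroot = @prefix@/var/lib/stunnel/` is still shown active, and the file's own comment states that the jail can be escaped if setuid is not used; either comment out `chroot` together with them or keep the privilege drop enabled, because a chroot without a privilege drop is not a boundary. As in the Win32 sample, `;[example-pkcs11]` sets no `verifyChain`/`checkHost` even though the gmail services do, and `;[shell]` puts `/bin/sh` behind `accept = 1337` on all interfaces with only `secrets.txt` as the gate; bind it to `127.0.0.1` or say so in the comment. `;[mysql]` likewise exposes the MySQL Unix socket on `accept = 3307` with a server certificate only; adding `verify = 2` with a `CAfile` (both shown in the defaults block of this hunk) would make the example safe to copy.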
@ -7,112 +7,203 @@
# Should-Stop: $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start or stop stunnel 4.x (SSL tunnel for network daemons)
# Short-Description: Start or stop stunnel 4.x (TLS tunnel for network daemons)
# Description: Starts or stops all configured TLS network tunnels. Each *.conf file in
# @sysconfdir@/stunnel/ will spawn a separate stunnel process. The list of files
# can be overridden in @sysconfdir@/default/stunnel, and that same file can be used
# to completely disable *all* tunnels.
### END INIT INFO

# Author / upstream maintainer note:
# With the planned introduction of a control interface (conceptually similar to
# apache2ctl), running separate processes for each *.conf will become obsolete.
# Please add "include = @sysconfdir@/stunnel/conf.d" to stunnel.conf instead.

. /lib/lsb/init-functions

DEFAULTPIDFILE="/var/run/stunnel.pid"
DAEMON=@prefix@/bin/stunnel
DAEMON=@bindir@/stunnel
NAME=stunnel
DESC="SSL tunnels"
FILES="/etc/stunnel/*.conf"
DESC="TLS tunnels"
OPTIONS=""
ENABLED=0

get_pids() {
local file=$1
if test -f $file; then
CHROOT=`grep "^chroot" $file|sed "s;.*= *;;"`
PIDFILE=`grep "^pid" $file|sed "s;.*= *;;"`
if [ "$PIDFILE" = "" ]; then
PIDFILE=$DEFAULTPIDFILE
fi
if test -f $CHROOT/$PIDFILE; then
cat $CHROOT/$PIDFILE
fi
fi
get_opt() {
sed -e "s;^[[:space:]]*;;" -e "s;[[:space:]]*$;;" \
-e "s;[[:space:]]*=[[:space:]]*;=;" "$1" |
grep -i "^$2=" | sed -e "s;^[^=]*=;;"
}

get_pidfile() {
local file=$1
if [ -f $file ]; then
CHROOT=`get_opt $file chroot`
PIDFILE=`get_opt $file pid`
if [ "$PIDFILE" = "" ]; then
PIDFILE=$DEFAULTPIDFILE
fi
echo "$CHROOT/$PIDFILE"
fi
}

startdaemons() {
local res file args pidfile warn status

if ! [ -d /var/run/stunnel ]; then
rm -rf /var/run/stunnel
install -d -o stunnel -g stunnel /var/run/stunnel
fi
if [ -n "$RLIMITS" ]; then
ulimit $RLIMITS
fi
res=0
for file in $FILES; do
if test -f $file; then
ARGS="$file $OPTIONS"
PROCLIST=`get_pids $file`
if [ "$PROCLIST" ] && kill -s 0 $PROCLIST 2>/dev/null; then
echo -n "[Already running: $file] "
elif $DAEMON $ARGS; then
echo -n "[Started: $file] "
if [ -f $file ]; then
echo -n " $file: "
args="$file $OPTIONS"
pidfile=`get_pidfile $file`
if egrep -qe '^pid[[:space:]]*=' "$file"; then
warn=''
else
echo "[Failed: $file]"
echo "You should check that you have specified the pid= in you configuration file"
exit 1
warn=' (no pid=pidfile specified!)'
fi
status=0
start_daemon -p "$pidfile" "$DAEMON" $args || status=$?
if [ "$status" -eq 0 ]; then
echo -n "started$warn"
else
echo "failed$warn"
echo "You should check that you have specified the pid= in you configuration file"
res=1
fi
fi
done;
echo ''
return "$res"
}

killdaemons()
{
SIGNAL=${1:-TERM}
local sig file pidfile status

sig=${1:-TERM}
res=0
for file in $FILES; do
PROCLIST=`get_pids $file`
if [ "$PROCLIST" ] && kill -s 0 $PROCLIST 2>/dev/null; then
kill -s $SIGNAL $PROCLIST
echo -n "[stopped: $file] "
echo -n " $file: "
pidfile=`get_pidfile $file`
if [ ! -e "$pidfile" ]; then
echo -n "no pid file"
else
status=0
killproc -p "$pidfile" "$DAEMON" "$sig" || status=$?
if [ "$status" -eq 0 ]; then
echo -n 'stopped'
else
echo -n 'failed'
res=1
fi
fi
done
echo ''
return "$res"
}

querydaemons()
{
local res file pidfile status

res=0
for file in $FILES; do
echo -n " $file: "
pidfile=`get_pidfile "$file"`
if [ ! -e "$pidfile" ]; then
echo -n 'no pid file'
res=1
else
status=0
pidofproc -p "$pidfile" "$DAEMON" >/dev/null || status="$?"
if [ "$status" = 0 ]; then
echo -n 'running'
elif [ "$status" = 4 ]; then
echo "cannot access the pid file $pidfile"
res=1
else
echo -n 'stopped'
res=1
fi
fi
done
echo ''
exit "$res"
}

if [ "x$OPTIONS" != "x" ]; then
OPTIONS="-- $OPTIONS"
fi

test -f /etc/default/stunnel && . /etc/default/stunnel
[ -f @sysconfdir@/default/stunnel ] && . @sysconfdir@/default/stunnel
if [ "$ENABLED" = "0" ] ; then
echo "$DESC disabled, see /etc/default/stunnel"
echo "$DESC disabled, see @sysconfdir@/default/stunnel"
exit 0
fi

test -x $DAEMON || exit 0
# If the user want to manage a single tunnel, the conf file's name
# is in $2. Otherwise, respect @sysconfdir@/default/stunnel4 setting.
# If no setting there, use @sysconfdir@/stunnel/*.conf.
if [ -n "${2:-}" ]; then
if [ -e "@sysconfdir@/stunnel/$2.conf" ]; then
FILES="@sysconfdir@/stunnel/$2.conf"
else
echo >&2 "@sysconfdir@/stunnel/$2.conf does not exist."
exit 1
fi
else
if [ -z "$FILES" ]; then
FILES="@sysconfdir@/stunnel/*.conf"
fi
fi

[ -x $DAEMON ] || exit 0

set -e

res=0
case "$1" in
start)
echo -n "Starting $DESC: "
startdaemons
echo "$NAME."
;;
echo -n "Starting $DESC:"
startdaemons
res=$?
;;
stop)
echo -n "Stopping $DESC: "
killdaemons
echo "$NAME."
;;
echo -n "Stopping $DESC:"
killdaemons
res=$?
;;
reopen-logs)
echo -n "Reopening log files $DESC: "
killdaemons USR1
echo "$NAME."
;;
echo -n "Reopening log files $DESC:"
killdaemons USR1
res=$?
;;
force-reload|reload)
echo -n "Reloading configuration $DESC: "
killdaemons HUP
echo "$NAME."
;;
echo -n "Reloading configuration $DESC:"
killdaemons HUP
res=$?
;;
restart)
echo -n "Restarting $DESC: "
killdaemons
sleep 5
startdaemons
echo "$NAME."
;;
echo -n "Restarting $DESC:"
killdaemons && startdaemons
res=$?
;;
status)
echo -n "$DESC status:"
querydaemons
res=$?
;;
*)
N=/etc/init.d/$NAME
echo "Usage: $N {start|stop|reload|reopen-logs|restart}" >&2
exit 1
;;
N=@sysconfdir@/init.d/$NAME
echo "Usage: $N {start|stop|status|reload|reopen-logs|restart} [<stunnel instance>]" >&2
res=1
;;
esac

exit 0
exit "$res"
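Review bot: `querydaemons` ends with `exit "$res"` where `startdaemons` and `killdaemons` use `return "$res"`, so the `res=$?` after `querydaemons` in the `status)` branch is unreachable; make it `return`. The other `res=$?` assignments are dead as well, because `set -e` is enabled just before the `case`: a non-zero `startdaemons` or `killdaemons` terminates the script on the spot (with the intended status, so behaviour is right, but the assignments mislead); write `startdaemons || res=$?` or drop `set -e`. `startdaemons` still hardcodes `/var/run/stunnel` and `install -d -o stunnel -g stunnel` while the rest of the script moved to `@sysconfdir@`/`@bindir@` and the sample config uses `setuid = nobody`; `rm -rf /var/run/stunnel` whenever it is not a directory is also a blunt fallback. Minor: `res` is missing from killdaemons' `local` list, `egrep` is deprecated in favour of `grep -E`, and both "in you configuration file" messages should read "your".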
@ -1,4 +1,4 @@
Copyright (C) 1998-2013 Michal Trojnara
Copyright (C) 1998-2017 Michal Trojnara

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

9
tools/stunnel.logrotate
Normal file
@ -0,0 +1,9 @@
/var/log/stunnel/*.log {
weekly
rotate 10
copytruncate
delaycompress
compress
notifempty
missingok
}
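Review bot: the glob `/var/log/stunnel/*.log` does not match where the Unix sample in this commit logs, `;output = @localstatedir@/log/stunnel.log` (a file directly under `log/`, not a `stunnel/` subdirectory), so with the sample config nothing gets rotated; align the two. `copytruncate` also loses whatever stunnel writes between the copy and the truncate, while the init script in the same commit already offers `reopen-logs` (SIGUSR1); a `postrotate` block invoking that action, with `sharedscripts`, is the lossless alternative.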
@ -1,289 +1,556 @@
# NSIS stunnel installer by Michal Trojnara 1998-2013
# NSIS stunnel installer by Michal Trojnara 1998-2017

!define /ifndef VERSION testing
!define /ifndef ARCH win32

!define REGKEY_INSTALL "Software\NSIS_stunnel"
!define REGKEY_UNINST \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel"
!define SHORTCUTS "stunnel $MultiUser.InstallMode"

SetCompressor /SOLID LZMA
Name "stunnel ${VERSION}"
OutFile "stunnel-${VERSION}-${ARCH}-installer.exe"
BrandingText "Author: Michal Trojnara"

# MultiUser
!define MULTIUSER_EXECUTIONLEVEL Highest
!define MULTIUSER_MUI
!define MULTIUSER_INSTALLMODE_COMMANDLINE
!define MULTIUSER_INSTALLMODE_INSTDIR "stunnel"
!define MULTIUSER_INSTALLMODE_INSTDIR_REGISTRY_KEY "${REGKEY_INSTALL}"
!define MULTIUSER_INSTALLMODE_INSTDIR_REGISTRY_VALUENAME "Install_Dir"
!define MULTIUSER_INSTALLMODE_DEFAULT_REGISTRY_KEY "${REGKEY_INSTALL}"
!define MULTIUSER_INSTALLMODE_DEFAULT_REGISTRY_VALUENAME "Install_Mode"
!include MultiUser.nsh
# Modern UI
!define MUI_FINISHPAGE_RUN "$INSTDIR\bin\stunnel.exe"
!define MUI_FINISHPAGE_RUN_TEXT "Start stunnel after installation"
!define MUI_FINISHPAGE_RUN_NOTCHECKED
!include "MUI2.nsh"
# define SF_SELECTED
!include "Sections.nsh"

!ifndef VERSION
!define VERSION 4.57
!endif

!ifndef ZLIBDIR
!define ZLIBDIR zlib-1.2.7
!endif

!ifndef OPENSSLDIR
!define OPENSSLDIR openssl-1.0.1e
!endif

# additional plugins
!addplugindir "plugins/SimpleFC"
!addplugindir "plugins/ShellLink/Plugins"

Name "stunnel ${VERSION}"
OutFile "stunnel-${VERSION}-installer.exe"
InstallDir "$PROGRAMFILES\stunnel"
BrandingText "Author: Michal Trojnara"
LicenseData "stunnel.license"
SetCompressor /SOLID LZMA
InstallDirRegKey HKLM "Software\NSIS_stunnel" "Install_Dir"
!define /ifndef ROOT_DIR \devel

RequestExecutionLevel admin
!define /ifndef STUNNEL_DIR ${ROOT_DIR}\src\stunnel
!define /ifndef STUNNEL_BIN_DIR ${STUNNEL_DIR}\bin\${ARCH}
!define /ifndef STUNNEL_TOOLS_DIR ${STUNNEL_DIR}\tools
!define /ifndef STUNNEL_DOC_DIR ${STUNNEL_DIR}\doc
!define /ifndef STUNNEL_SRC_DIR ${STUNNEL_DIR}\src

Page license
Page components
Page directory
Page instfiles
!define /ifndef BIN_DIR ${ROOT_DIR}\${ARCH}
!define /ifndef OPENSSL_DIR ${BIN_DIR}\openssl
!define /ifndef OPENSSL_BIN_DIR ${OPENSSL_DIR}\bin
!define /ifndef OPENSSL_ENGINES_DIR ${OPENSSL_DIR}\lib\engines
!define /ifndef ZLIB_DIR ${BIN_DIR}\zlib
!define /ifndef REDIST_DIR ${BIN_DIR}\redist

UninstPage uninstConfirm
UninstPage instfiles
!define /ifndef LIBP11_DIR ${ROOT_DIR}\src\libp11-0.4.7\src

Section "Stunnel Core Files (required)"
SectionIn RO
SetOutPath "$INSTDIR"
!define MUI_ICON ${STUNNEL_SRC_DIR}\stunnel.ico

# stop the service, exit stunnel
ReadRegStr $R0 HKLM \
"Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion
IfErrors skip_service_stop
ExecWait '"$INSTDIR\stunnel.exe" -stop -quiet'
skip_service_stop:
ExecWait '"$INSTDIR\stunnel.exe" -exit -quiet'
!insertmacro MUI_PAGE_LICENSE "stunnel.license"
!insertmacro MULTIUSER_PAGE_INSTALLMODE
!insertmacro MUI_PAGE_COMPONENTS
!insertmacro MUI_PAGE_DIRECTORY
!insertmacro MUI_PAGE_INSTFILES
!insertmacro MUI_PAGE_FINISH

# write files
SetOverwrite off
File "stunnel.conf"
SetOverwrite on
!cd ".."
!cd "doc"
File "stunnel.html"
!cd ".."
!cd "bin"
!cd "W32"
File "stunnel.exe"
File "stunnel.exe.manifest"
!cd ".."
!cd ".."
!cd ".."
!cd "${ZLIBDIR}"
File "zlib1.dll"
File "zlib1.dll.manifest"
!cd ".."
!cd "${OPENSSLDIR}"
!cd "out32dll"
File "*.dll"
File "*.dll.manifest"
!cd ".."
!cd ".."
!cd "redist"
File "msvcr90.dll"
File "Microsoft.VC90.CRT.manifest"
!cd ".."
!cd "stunnel"
!cd "tools"
!insertmacro MUI_UNPAGE_CONFIRM
!insertmacro MUI_UNPAGE_INSTFILES

# add firewall rule
SimpleFC::AddApplication "stunnel (GUI Version)" \
"$INSTDIR\stunnel.exe" 0 2 "" 1
Pop $0 # returns error(1)/success(0)
DetailPrint "SimpleFC::AddApplication: $0"
!insertmacro MUI_LANGUAGE "English"

# write uninstaller and its registry entries
WriteUninstaller "uninstall.exe"
WriteRegStr HKLM "Software\NSIS_stunnel" "Install_Dir" "$INSTDIR"
WriteRegStr HKLM \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \
"DisplayName" "stunnel"
WriteRegStr HKLM \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \
"UninstallString" '"$INSTDIR\uninstall.exe"'
WriteRegDWORD HKLM \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \
|
||||
"NoModify" 1
|
||||
WriteRegDWORD HKLM \
|
||||
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \
|
||||
"NoRepair" 1
|
||||
SectionEnd
|
||||
!macro MoveFiles src dst pattern
|
||||
FindFirst $0 $1 "${src}\${pattern}"
|
||||
!define MoveFilesId ${__LINE__}
|
||||
loop_${MoveFilesId}:
|
||||
StrCmp $1 "" done_${MoveFilesId}
|
||||
Rename "${src}\$1" "${dst}\$1"
|
||||
FindNext $0 $1
|
||||
Goto loop_${MoveFilesId}
|
||||
done_${MoveFilesId}:
|
||||
FindClose $0
|
||||
!undef MoveFilesId
|
||||
!macroend
|
||||
|
||||
Section "Self-signed Certificate Tools" sectionCA
|
||||
SetOutPath "$INSTDIR"
|
||||
!cd ".."
|
||||
!cd ".."
|
||||
!cd "${OPENSSLDIR}"
|
||||
!cd "out32dll"
|
||||
File "openssl.exe"
|
||||
File "openssl.exe.manifest"
|
||||
!cd ".."
|
||||
!cd ".."
|
||||
!cd "stunnel"
|
||||
!cd "tools"
|
||||
File "stunnel.cnf"
|
||||
IfSilent lbl_skip_new_pem
|
||||
IfFileExists "$INSTDIR\stunnel.pem" lbl_skip_new_pem
|
||||
ExecWait '"$INSTDIR\openssl.exe" req -new -x509 -days 365 -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem'
|
||||
lbl_skip_new_pem:
|
||||
SectionEnd
|
||||
!macro DetailError message
|
||||
# pop the error and log the failure
|
||||
!define DetailErrorId ${__LINE__}
|
||||
Pop $0 # returns error(-1)/success(0)
|
||||
IntCmp $0 0 done_${DetailErrorId}
|
||||
DetailPrint "${message}"
|
||||
done_${DetailErrorId}:
|
||||
!undef DetailErrorId
|
||||
!macroend
|
||||
|
||||
Section "Terminal Version of stunnel" sectionTERM
|
||||
SetOutPath "$INSTDIR"
|
||||
!cd ".."
|
||||
!cd "bin"
|
||||
!cd "W32"
|
||||
File "tstunnel.exe"
|
||||
File "tstunnel.exe.manifest"
|
||||
!cd ".."
|
||||
!cd ".."
|
||||
!cd "tools"
|
||||
# add firewall rule
|
||||
SimpleFC::AddApplication "stunnel (Terminal Version)" \
|
||||
"$INSTDIR\tstunnel.exe" 0 2 "" 1
|
||||
Pop $0 # returns error(1)/success(0)
|
||||
DetailPrint "SimpleFC::AddApplication: $0"
|
||||
SectionEnd
|
||||
!macro SetRunAsAdmin path
|
||||
# run the link as administrator if InstallMode is AllUsers
|
||||
!define SetRunAsAdminId ${__LINE__}
|
||||
StrCmp $MultiUser.InstallMode "CurrentUser" done_${SetRunAsAdminId}
|
||||
ShellLink::SetRunAsAdministrator "$SMPROGRAMS\${SHORTCUTS}\${path}.lnk"
|
||||
!insertmacro DetailError "ShellLink::SetRunAsAdministrator failed for ${path}"
|
||||
done_${SetRunAsAdminId}:
|
||||
!undef SetRunAsAdminId
|
||||
!macroend
|
||||
|
||||
Section "Start Menu Shortcuts"
|
||||
SetShellVarContext all
|
||||
CreateDirectory "$SMPROGRAMS\stunnel"
|
||||
Var /GLOBAL gui_restart
|
||||
Var /GLOBAL service_restart
|
||||
Var /GLOBAL service_reinstall
|
||||
Var /GLOBAL exe
|
||||
|
||||
# remove old links
|
||||
Delete "$SMPROGRAMS\stunnel\*.lnk"
|
||||
Delete "$SMPROGRAMS\stunnel\*.url"
|
||||
|
||||
# main link
|
||||
CreateShortCut "$SMPROGRAMS\stunnel\stunnel GUI Start.lnk" \
|
||||
"$INSTDIR\stunnel.exe" "" "$INSTDIR\stunnel.exe" 0
|
||||
CreateShortCut "$SMPROGRAMS\stunnel\stunnel GUI Stop.lnk" \
|
||||
"$INSTDIR\stunnel.exe" "-exit" "$INSTDIR\stunnel.exe" 0
|
||||
|
||||
# tstunnel
|
||||
SectionGetFlags ${sectionTERM} $0
|
||||
IntOp $0 $0 & ${SF_SELECTED}
|
||||
IntCmp $0 0 lbl_noTERM
|
||||
CreateShortCut "$SMPROGRAMS\stunnel\stunnel Terminal Start.lnk" \
|
||||
"$INSTDIR\tstunnel.exe" "" "$INSTDIR\tstunnel.exe" 0
|
||||
lbl_noTERM:
|
||||
|
||||
# NT service
|
||||
!macro TerminateStunnel
|
||||
# initialize with nonzero values: do not restart/reinstall
|
||||
StrCpy $service_restart 1
|
||||
StrCpy $service_reinstall 1
|
||||
# find the old stunnel executable
|
||||
StrCpy $exe "$INSTDIR\bin\stunnel.exe"
|
||||
IfFileExists "$exe" found
|
||||
StrCpy $exe "$INSTDIR\stunnel.exe"
|
||||
IfFileExists "$exe" found done
|
||||
found:
|
||||
# exit the stunnel GUI
|
||||
ExecWait '"$exe" -exit -quiet' $gui_restart
|
||||
# stop and uninstall the stunnel service
|
||||
# setup $service_restart and $service_reinstall
|
||||
StrCmp $MultiUser.InstallMode "CurrentUser" done
|
||||
ClearErrors
|
||||
ReadRegStr $R0 HKLM \
|
||||
"Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion
|
||||
IfErrors skip_service_links
|
||||
IfErrors done
|
||||
ExecWait '"$exe" -stop -quiet' $service_restart
|
||||
IntCmp $service_restart 0 0 not_stopped not_stopped
|
||||
DetailPrint "Service stopped"
|
||||
not_stopped:
|
||||
StrCmp "$exe" "$INSTDIR\bin\stunnel.exe" done # no need to uninstall
|
||||
ExecWait '"$exe" -uninstall -quiet' $service_reinstall
|
||||
IntCmp $service_reinstall 0 0 done done
|
||||
DetailPrint "Service uninstalled"
|
||||
done:
|
||||
!macroend
|
||||
|
||||
CreateShortCut "$SMPROGRAMS\stunnel\stunnel Service Install.lnk" \
|
||||
"$INSTDIR\stunnel.exe" "-install" "$INSTDIR\stunnel.exe" 0
|
||||
ShellLink::SetRunAsAdministrator \
|
||||
"$SMPROGRAMS\stunnel\stunnel Service Install.lnk"
|
||||
Pop $0 # returns error(-1)/success(0)
|
||||
DetailPrint "ShellLink::SetRunAsAdministrator: $0"
|
||||
!macro RestartStunnel
|
||||
# install the service if $service_reinstall is 0
|
||||
IntCmp $service_reinstall 0 0 no_service_reinstall no_service_reinstall
|
||||
ExecWait '"$INSTDIR\bin\stunnel.exe" -install -quiet' $service_reinstall
|
||||
IntCmp $service_reinstall 0 0 no_service_reinstall no_service_reinstall
|
||||
DetailPrint "Service installed"
|
||||
no_service_reinstall:
|
||||
# start the service if $service_restart is 0
|
||||
IntCmp $service_restart 0 0 no_service_restart no_service_restart
|
||||
ExecWait '"$INSTDIR\bin\stunnel.exe" -start -quiet' $service_restart
|
||||
IntCmp $service_restart 0 0 no_service_restart no_service_restart
|
||||
DetailPrint "Service started"
|
||||
no_service_restart:
|
||||
# start the gui if $gui_restart is 0
|
||||
# it does not work against stunnel older than 5.23 due to a bug
|
||||
# IntCmp $gui_restart 0 0 no_gui_restart no_gui_restart
|
||||
# Exec '"$INSTDIR\bin\stunnel.exe"'
|
||||
# no_gui_restart:
|
||||
!macroend
|
||||
|
||||
CreateShortCut "$SMPROGRAMS\stunnel\stunnel Service Uninstall.lnk" \
|
||||
"$INSTDIR\stunnel.exe" "-uninstall" "$INSTDIR\stunnel.exe" 0
|
||||
ShellLink::SetRunAsAdministrator \
|
||||
"$SMPROGRAMS\stunnel\stunnel Service Uninstall.lnk"
|
||||
Pop $0 # returns error(-1)/success(0)
|
||||
DetailPrint "ShellLink::SetRunAsAdministrator: $0"
|
||||
!macro CleanupStunnelFiles
|
||||
# current versions
|
||||
Delete "$INSTDIR\config\openssl.cnf"
|
||||
|
||||
CreateShortCut "$SMPROGRAMS\stunnel\stunnel Service Start.lnk" \
|
||||
"$INSTDIR\stunnel.exe" "-start" "$INSTDIR\stunnel.exe" 0
|
||||
ShellLink::SetRunAsAdministrator \
|
||||
"$SMPROGRAMS\stunnel\stunnel Service Start.lnk"
|
||||
Pop $0 # returns error(-1)/success(0)
|
||||
DetailPrint "ShellLink::SetRunAsAdministrator: $0"
|
||||
Delete "$INSTDIR\bin\stunnel.exe"
|
||||
Delete "$INSTDIR\bin\stunnel.pdb"
|
||||
Delete "$INSTDIR\bin\tstunnel.exe"
|
||||
Delete "$INSTDIR\bin\tstunnel.pdb"
|
||||
Delete "$INSTDIR\bin\openssl.exe"
|
||||
Delete "$INSTDIR\bin\openssl.pdb"
|
||||
Delete "$INSTDIR\bin\libeay32.dll"
|
||||
Delete "$INSTDIR\bin\libeay32.pdb"
|
||||
Delete "$INSTDIR\bin\ssleay32.dll"
|
||||
Delete "$INSTDIR\bin\ssleay32.pdb"
|
||||
Delete "$INSTDIR\bin\zlib1.dll"
|
||||
Delete "$INSTDIR\bin\zlib1.pdb"
|
||||
Delete "$INSTDIR\bin\msvcr90.dll"
|
||||
Delete "$INSTDIR\bin\Microsoft.VC90.CRT.Manifest"
|
||||
RMDir "$INSTDIR\bin"
|
||||
|
||||
CreateShortCut "$SMPROGRAMS\stunnel\stunnel Service Stop.lnk" \
|
||||
"$INSTDIR\stunnel.exe" "-stop" "$INSTDIR\stunnel.exe" 0
|
||||
ShellLink::SetRunAsAdministrator \
|
||||
"$SMPROGRAMS\stunnel\stunnel Service Stop.lnk"
|
||||
Pop $0 # returns error(-1)/success(0)
|
||||
DetailPrint "ShellLink::SetRunAsAdministrator: $0"
|
||||
skip_service_links:
|
||||
Delete "$INSTDIR\engines\capi.dll"
|
||||
Delete "$INSTDIR\engines\capi.pdb"
|
||||
Delete "$INSTDIR\engines\chil.dll"
|
||||
Delete "$INSTDIR\engines\chil.pdb"
|
||||
Delete "$INSTDIR\engines\gmp.dll"
|
||||
Delete "$INSTDIR\engines\gmp.pdb"
|
||||
Delete "$INSTDIR\engines\gost.dll"
|
||||
Delete "$INSTDIR\engines\gost.pdb"
|
||||
Delete "$INSTDIR\engines\padlock.dll"
|
||||
Delete "$INSTDIR\engines\padlock.pdb"
|
||||
Delete "$INSTDIR\engines\ubsec.dll"
|
||||
Delete "$INSTDIR\engines\ubsec.pdb"
|
||||
Delete "$INSTDIR\engines\pkcs11.dll"
|
||||
Delete "$INSTDIR\engines\pkcs11.pdb"
|
||||
RMDir "$INSTDIR\engines"
|
||||
|
||||
# edit config file
|
||||
CreateShortCut "$SMPROGRAMS\stunnel\Edit stunnel.conf.lnk" \
|
||||
"notepad.exe" "$INSTDIR\stunnel.conf" "notepad.exe" 0
|
||||
ShellLink::SetRunAsAdministrator \
|
||||
"$SMPROGRAMS\stunnel\Edit stunnel.conf.lnk"
|
||||
Pop $0 # returns error(-1)/success(0)
|
||||
DetailPrint "ShellLink::SetRunAsAdministrator: $0"
|
||||
Delete "$INSTDIR\doc\*.html"
|
||||
RMDir "$INSTDIR\doc"
|
||||
|
||||
SectionGetFlags ${sectionCA} $0
|
||||
IntOp $0 $0 & ${SF_SELECTED}
|
||||
IntCmp $0 0 lbl_noCA
|
||||
# menu and desktop shortcuts
|
||||
Delete "$SMPROGRAMS\${SHORTCUTS}\*.lnk"
|
||||
Delete "$SMPROGRAMS\${SHORTCUTS}\*.url"
|
||||
RMDir "$SMPROGRAMS\${SHORTCUTS}"
|
||||
Delete "$DESKTOP\${SHORTCUTS}.lnk"
|
||||
|
||||
# OpenSSL shell
|
||||
CreateShortCut "$SMPROGRAMS\stunnel\OpenSSL Shell.lnk" \
|
||||
"$INSTDIR\openssl.exe" "" "$INSTDIR\openssl.exe" 0
|
||||
|
||||
# make stunnel.pem
|
||||
CreateShortCut "$SMPROGRAMS\stunnel\Build Self-signed stunnel.pem.lnk" \
|
||||
"$INSTDIR\openssl.exe" \
|
||||
"req -new -x509 -days 365 -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem"
|
||||
ShellLink::SetRunAsAdministrator \
|
||||
"$SMPROGRAMS\stunnel\\Build Self-signed stunnel.pem.lnk"
|
||||
Pop $0 # returns error(-1)/success(0)
|
||||
DetailPrint "ShellLink::SetRunAsAdministrator: $0"
|
||||
|
||||
lbl_noCA:
|
||||
|
||||
# help/uninstall
|
||||
WriteINIStr "$SMPROGRAMS\stunnel\Manual.url" "InternetShortcut" \
|
||||
"URL" "file://$INSTDIR/stunnel.html"
|
||||
CreateShortCut "$SMPROGRAMS\stunnel\Uninstall stunnel.lnk" \
|
||||
"$INSTDIR\uninstall.exe" "" "$INSTDIR\uninstall.exe" 0
|
||||
SectionEnd
|
||||
|
||||
Section "Desktop Shortcut"
|
||||
SetShellVarContext all
|
||||
Delete "$DESKTOP\stunnel.lnk"
|
||||
CreateShortCut "$DESKTOP\stunnel.lnk" \
|
||||
"$INSTDIR\stunnel.exe" "" "$INSTDIR\stunnel.exe" 0
|
||||
SectionEnd
|
||||
|
||||
Section "Uninstall"
|
||||
ClearErrors
|
||||
|
||||
# stop and remove the service, exit stunnel
|
||||
ReadRegStr $R0 HKLM \
|
||||
"Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion
|
||||
IfErrors skip_service_uninstall
|
||||
ExecWait '"$INSTDIR\stunnel.exe" -stop -quiet'
|
||||
ExecWait '"$INSTDIR\stunnel.exe" -uninstall -quiet'
|
||||
skip_service_uninstall:
|
||||
ExecWait '"$INSTDIR\stunnel.exe" -exit -quiet'
|
||||
|
||||
# remove stunnel folder
|
||||
Delete "$INSTDIR\stunnel.conf"
|
||||
Delete "$INSTDIR\stunnel.pem"
|
||||
# obsolete versions
|
||||
Delete "$INSTDIR\stunnel.exe"
|
||||
Delete "$INSTDIR\stunnel.exe.manifest"
|
||||
Delete "$INSTDIR\stunnel.pdb"
|
||||
Delete "$INSTDIR\tstunnel.exe"
|
||||
Delete "$INSTDIR\tstunnel.exe.manifest"
|
||||
Delete "$INSTDIR\stunnel.cnf"
|
||||
Delete "$INSTDIR\tstunnel.pdb"
|
||||
Delete "$INSTDIR\openssl.exe"
|
||||
Delete "$INSTDIR\openssl.exe.manifest"
|
||||
Delete "$INSTDIR\*.dll"
|
||||
Delete "$INSTDIR\*.dll.manifest"
|
||||
Delete "$INSTDIR\Microsoft.VC90.CRT.manifest"
|
||||
Delete "$INSTDIR\stunnel.html"
|
||||
Delete "$INSTDIR\uninstall.exe"
|
||||
RMDir "$INSTDIR"
|
||||
Delete "$INSTDIR\openssl.pdb"
|
||||
Delete "$INSTDIR\libeay32.dll"
|
||||
Delete "$INSTDIR\libeay32.pdb"
|
||||
Delete "$INSTDIR\ssleay32.dll"
|
||||
Delete "$INSTDIR\ssleay32.pdb"
|
||||
Delete "$INSTDIR\zlib1.dll"
|
||||
Delete "$INSTDIR\zlib1.pdb"
|
||||
Delete "$INSTDIR\msvcr90.dll"
|
||||
|
||||
# remove menu shortcuts
|
||||
SetShellVarContext all
|
||||
Delete "$DESKTOP\stunnel.lnk"
|
||||
Delete "$INSTDIR\openssl.cnf"
|
||||
Delete "$INSTDIR\stunnel.html"
|
||||
|
||||
Delete "$INSTDIR\stunnel.cnf"
|
||||
Delete "$INSTDIR\stunnel.exe.manifest"
|
||||
Delete "$INSTDIR\tstunnel.exe.manifest"
|
||||
Delete "$INSTDIR\openssl.exe.manifest"
|
||||
Delete "$INSTDIR\libeay32.dll.manifest"
|
||||
Delete "$INSTDIR\ssleay32.dll.manifest"
|
||||
Delete "$INSTDIR\zlib1.dll.manifest"
|
||||
Delete "$INSTDIR\Microsoft.VC90.CRT.Manifest"
|
||||
|
||||
Delete "$INSTDIR\4758cca.dll"
|
||||
Delete "$INSTDIR\4758cca.dll.manifest"
|
||||
Delete "$INSTDIR\4758cca.pdb"
|
||||
Delete "$INSTDIR\aep.dll"
|
||||
Delete "$INSTDIR\aep.dll.manifest"
|
||||
Delete "$INSTDIR\aep.pdb"
|
||||
Delete "$INSTDIR\atalla.dll"
|
||||
Delete "$INSTDIR\atalla.dll.manifest"
|
||||
Delete "$INSTDIR\atalla.pdb"
|
||||
Delete "$INSTDIR\capi.dll"
|
||||
Delete "$INSTDIR\capi.dll.manifest"
|
||||
Delete "$INSTDIR\capi.pdb"
|
||||
Delete "$INSTDIR\chil.dll"
|
||||
Delete "$INSTDIR\chil.dll.manifest"
|
||||
Delete "$INSTDIR\chil.pdb"
|
||||
Delete "$INSTDIR\cswift.dll"
|
||||
Delete "$INSTDIR\cswift.dll.manifest"
|
||||
Delete "$INSTDIR\cswift.pdb"
|
||||
Delete "$INSTDIR\gmp.dll"
|
||||
Delete "$INSTDIR\gmp.dll.manifest"
|
||||
Delete "$INSTDIR\gmp.pdb"
|
||||
Delete "$INSTDIR\gost.dll"
|
||||
Delete "$INSTDIR\gost.dll.manifest"
|
||||
Delete "$INSTDIR\gost.pdb"
|
||||
Delete "$INSTDIR\nuron.dll"
|
||||
Delete "$INSTDIR\nuron.dll.manifest"
|
||||
Delete "$INSTDIR\nuron.pdb"
|
||||
Delete "$INSTDIR\padlock.dll"
|
||||
Delete "$INSTDIR\padlock.dll.manifest"
|
||||
Delete "$INSTDIR\padlock.pdb"
|
||||
Delete "$INSTDIR\sureware.dll"
|
||||
Delete "$INSTDIR\sureware.dll.manifest"
|
||||
Delete "$INSTDIR\sureware.pdb"
|
||||
Delete "$INSTDIR\ubsec.dll"
|
||||
Delete "$INSTDIR\ubsec.dll.manifest"
|
||||
Delete "$INSTDIR\ubsec.pdb"
|
||||
|
||||
# obsolete menu and desktop shortcuts
|
||||
Delete "$SMPROGRAMS\stunnel\*.lnk"
|
||||
Delete "$SMPROGRAMS\stunnel\*.url"
|
||||
RMDir "$SMPROGRAMS\stunnel"
|
||||
Delete "$DESKTOP\stunnel.lnk"
|
||||
|
||||
# remove firewall rules
|
||||
SimpleFC::RemoveApplication "$INSTDIR\stunnel.exe"
|
||||
Pop $0 # returns error(1)/success(0)
|
||||
DetailPrint "SimpleFC::RemoveApplication: $0"
|
||||
SimpleFC::RemoveApplication "$INSTDIR\tstunnel.exe"
|
||||
Pop $0 # returns error(1)/success(0)
|
||||
DetailPrint "SimpleFC::RemoveApplication: $0"
|
||||
# refresh the screen
|
||||
System::Call 'Shell32::SHChangeNotify(i 0x8000000, i 0, i 0, i 0)'
|
||||
!macroend
|
||||
|
||||
# remove uninstaller registry entires
|
||||
DeleteRegKey HKLM \
|
||||
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel"
|
||||
DeleteRegKey HKLM "Software\NSIS_stunnel"
|
||||
Function .onInit
|
||||
!insertmacro MULTIUSER_INIT
|
||||
FunctionEnd
|
||||
|
||||
Function un.onInit
|
||||
!insertmacro MULTIUSER_UNINIT
|
||||
FunctionEnd
|
||||
|
||||
Section "Core Files" sectionCORE
|
||||
SectionIn RO
|
||||
|
||||
# save the installer configuration
|
||||
WriteRegStr SHCTX "${REGKEY_INSTALL}" "Install_Dir" "$INSTDIR"
|
||||
WriteRegStr SHCTX "${REGKEY_INSTALL}" "Install_Mode" "$MultiUser.InstallMode"
|
||||
|
||||
!insertmacro TerminateStunnel
|
||||
!insertmacro CleanupStunnelFiles
|
||||
|
||||
# update the configuration (migrate the old one if available)
|
||||
SetOutPath "$INSTDIR\config" # this also creates the directory
|
||||
!insertmacro MoveFiles "$INSTDIR" "$INSTDIR\config" "*.conf"
|
||||
!insertmacro MoveFiles "$INSTDIR" "$INSTDIR\config" "*.pem"
|
||||
!insertmacro MoveFiles "$INSTDIR" "$INSTDIR\config" "*.crt"
|
||||
!insertmacro MoveFiles "$INSTDIR" "$INSTDIR\config" "*.key"
|
||||
SetOverwrite off
|
||||
File "${STUNNEL_TOOLS_DIR}\stunnel.conf"
|
||||
SetOverwrite on
|
||||
File "${STUNNEL_TOOLS_DIR}\ca-certs.pem"
|
||||
|
||||
# write new executables/libraries files
|
||||
SetOutPath "$INSTDIR\bin"
|
||||
File "${STUNNEL_BIN_DIR}\stunnel.exe"
|
||||
File "${OPENSSL_BIN_DIR}\libeay32.dll"
|
||||
File "${OPENSSL_BIN_DIR}\ssleay32.dll"
|
||||
!if ${ARCH} == win32
|
||||
File "${ZLIB_DIR}\zlib1.dll"
|
||||
File "${REDIST_DIR}\msvcr90.dll"
|
||||
File "${REDIST_DIR}\Microsoft.VC90.CRT.Manifest"
|
||||
# MINGW builds requires libssp-0.dll instead of msvcr90.dll
|
||||
!else
|
||||
File "${REDIST_DIR}\vcruntime140.dll"
|
||||
!endif
|
||||
|
||||
# write new engine libraries
|
||||
SetOutPath "$INSTDIR\engines"
|
||||
File "${OPENSSL_ENGINES_DIR}\capi.dll"
|
||||
File "${OPENSSL_ENGINES_DIR}\chil.dll"
|
||||
File "${OPENSSL_ENGINES_DIR}\gmp.dll"
|
||||
File "${OPENSSL_ENGINES_DIR}\gost.dll"
|
||||
File "${OPENSSL_ENGINES_DIR}\padlock.dll"
|
||||
File "${OPENSSL_ENGINES_DIR}\ubsec.dll"
|
||||
File "${LIBP11_DIR}\pkcs11.dll"
|
||||
|
||||
# write new documentation
|
||||
SetOutPath "$INSTDIR\doc"
|
||||
File "${STUNNEL_DOC_DIR}\stunnel.html"
|
||||
|
||||
# add firewall rule
|
||||
SimpleFC::AddApplication "stunnel (GUI Version)" \
|
||||
"$INSTDIR\bin\stunnel.exe" 0 2 "" 1
|
||||
!insertmacro DetailError "SimpleFC::AddApplication failed for stunnel.exe"
|
||||
|
||||
# write uninstaller and its registry entries
|
||||
WriteUninstaller "uninstall.exe"
|
||||
WriteRegStr SHCTX "${REGKEY_UNINST}" "DisplayName" \
|
||||
"stunnel installed for $MultiUser.InstallMode"
|
||||
WriteRegStr SHCTX "${REGKEY_UNINST}" "DisplayVersion" "${VERSION}"
|
||||
WriteRegStr SHCTX "${REGKEY_UNINST}" "DisplayIcon" "$INSTDIR\bin\stunnel.exe"
|
||||
WriteRegStr SHCTX "${REGKEY_UNINST}" "Publisher" "Michal Trojnara"
|
||||
WriteRegStr SHCTX "${REGKEY_UNINST}" \
|
||||
"UninstallString" '"$INSTDIR\uninstall.exe" /$MultiUser.InstallMode'
|
||||
WriteRegDWORD SHCTX "${REGKEY_UNINST}" "NoModify" 1
|
||||
WriteRegDWORD SHCTX "${REGKEY_UNINST}" "NoRepair" 1
|
||||
SectionEnd
|
||||
|
||||
SectionGroup "Tools" groupTOOLS
|
||||
|
||||
Section "openssl.exe" sectionOPENSSL
|
||||
SetOutPath "$INSTDIR\bin"
|
||||
File "${OPENSSL_BIN_DIR}\openssl.exe"
|
||||
SetOutPath "$INSTDIR\config"
|
||||
File "${STUNNEL_TOOLS_DIR}\openssl.cnf"
|
||||
|
||||
# create stunnel.pem
|
||||
IfSilent no_new_pem
|
||||
IfFileExists "$INSTDIR\config\stunnel.pem" no_new_pem
|
||||
# set HOME for the .rnd file
|
||||
ReadEnvStr $0 "HOME"
|
||||
StrCmp $0 "" home_defined
|
||||
System::Call 'Kernel32::SetEnvironmentVariable(t, t) i("HOME", "$INSTDIR\config").r0'
|
||||
home_defined:
|
||||
ExecWait '"$INSTDIR\bin\openssl.exe" req -new -x509 -days 365 -config "$INSTDIR\config\openssl.cnf" -out "$INSTDIR\config\stunnel.pem" -keyout "$INSTDIR\config\stunnel.pem"'
|
||||
no_new_pem:
|
||||
SectionEnd
|
||||
|
||||
Section "tstunnel.exe" sectionTSTUNNEL
|
||||
SetOutPath "$INSTDIR\bin"
|
||||
File "${STUNNEL_BIN_DIR}\tstunnel.exe"
|
||||
# add firewall rule
|
||||
SimpleFC::AddApplication "stunnel (Terminal Version)" \
|
||||
"$INSTDIR\bin\tstunnel.exe" 0 2 "" 1
|
||||
!insertmacro DetailError "SimpleFC::AddApplication failed for tstunnel.exe"
|
||||
SectionEnd
|
||||
|
||||
SectionGroupEnd
|
||||
|
||||
SectionGroup "Shortcuts" groupSHORTCUTS
|
||||
|
||||
Section "Start Menu" sectionMENU
|
||||
CreateDirectory "$SMPROGRAMS\${SHORTCUTS}"
|
||||
|
||||
# the core links
|
||||
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel GUI Start.lnk" \
|
||||
"$INSTDIR\bin\stunnel.exe" "" "$INSTDIR\bin\stunnel.exe"
|
||||
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel GUI Stop.lnk" \
|
||||
"$INSTDIR\bin\stunnel.exe" "-exit" "$INSTDIR\bin\stunnel.exe"
|
||||
|
||||
# tstunnel
|
||||
SectionGetFlags ${sectionTSTUNNEL} $0
|
||||
IntOp $0 $0 & ${SF_SELECTED}
|
||||
IntCmp $0 0 no_tstunnel_shortcut
|
||||
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel Terminal Start.lnk" \
|
||||
"$INSTDIR\bin\tstunnel.exe" "" "$INSTDIR\bin\tstunnel.exe"
|
||||
no_tstunnel_shortcut:
|
||||
|
||||
# NT service management
|
||||
ClearErrors
|
||||
ReadRegStr $R0 HKLM \
|
||||
"Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion
|
||||
IfErrors no_service_shortcuts
|
||||
StrCmp $MultiUser.InstallMode "CurrentUser" no_service_shortcuts
|
||||
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel Service Install.lnk" \
|
||||
"$INSTDIR\bin\stunnel.exe" "-install" "$INSTDIR\bin\stunnel.exe"
|
||||
!insertmacro SetRunAsAdmin "stunnel Service Install"
|
||||
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel Service Uninstall.lnk" \
|
||||
"$INSTDIR\bin\stunnel.exe" "-uninstall" "$INSTDIR\bin\stunnel.exe"
|
||||
!insertmacro SetRunAsAdmin "stunnel Service Uninstall"
|
||||
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel Service Start.lnk" \
|
||||
"$INSTDIR\bin\stunnel.exe" "-start" "$INSTDIR\bin\stunnel.exe"
|
||||
!insertmacro SetRunAsAdmin "stunnel Service Start"
|
||||
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel Service Stop.lnk" \
|
||||
"$INSTDIR\bin\stunnel.exe" "-stop" "$INSTDIR\bin\stunnel.exe"
|
||||
!insertmacro SetRunAsAdmin "stunnel Service Stop"
|
||||
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel Service Configuration File Reload.lnk" \
|
||||
"$INSTDIR\bin\stunnel.exe" "-reload" "$INSTDIR\bin\stunnel.exe"
|
||||
!insertmacro SetRunAsAdmin "stunnel Service Configuration File Reload"
|
||||
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel Service Log File Reopen.lnk" \
|
||||
"$INSTDIR\bin\stunnel.exe" "-reopen" "$INSTDIR\bin\stunnel.exe"
|
||||
!insertmacro SetRunAsAdmin "stunnel Service Log File Reopen"
|
||||
no_service_shortcuts:
|
||||
|
||||
# edit config file
|
||||
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\Edit stunnel.conf.lnk" \
|
||||
"notepad.exe" "$INSTDIR\config\stunnel.conf" "notepad.exe"
|
||||
!insertmacro SetRunAsAdmin "Edit stunnel.conf"
|
||||
|
||||
SectionGetFlags ${sectionOPENSSL} $0
|
||||
IntOp $0 $0 & ${SF_SELECTED}
|
||||
IntCmp $0 0 no_openssl_shortcuts
|
||||
# OpenSSL shell
|
||||
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\OpenSSL Shell.lnk" \
|
||||
"$INSTDIR\bin\openssl.exe" "" "$INSTDIR\bin\openssl.exe"
|
||||
# make stunnel.pem
|
||||
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\Build a Self-signed stunnel.pem.lnk" \
|
||||
"$INSTDIR\bin\openssl.exe" \
|
||||
'req -new -x509 -days 365 -config "$INSTDIR\config\openssl.cnf" -out "$INSTDIR\config\stunnel.pem" -keyout "$INSTDIR\config\stunnel.pem"'
|
||||
!insertmacro SetRunAsAdmin "Build a Self-signed stunnel.pem"
|
||||
no_openssl_shortcuts:
|
||||
|
||||
# the fine manual
|
||||
WriteINIStr "$SMPROGRAMS\${SHORTCUTS}\stunnel Manual Page.url" \
|
||||
"InternetShortcut" "URL" "file://$INSTDIR\doc\stunnel.html"
|
||||
|
||||
# uninstall
|
||||
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\Uninstall stunnel.lnk" \
|
||||
"$INSTDIR\uninstall.exe" "/$MultiUser.InstallMode" \
|
||||
"$INSTDIR\uninstall.exe"
|
||||
SectionEnd
|
||||
|
||||
Section "Desktop" sectionDESKTOP
|
||||
# create the link
|
||||
CreateShortCut "$DESKTOP\${SHORTCUTS}.lnk" \
|
||||
"$INSTDIR\bin\stunnel.exe" "" "$INSTDIR\bin\stunnel.exe"
|
||||
|
||||
# refresh the screen
|
||||
System::Call 'Shell32::SHChangeNotify(i 0x8000000, i 0, i 0, i 0)'
|
||||
SectionEnd
|
||||
|
||||
SectionGroupEnd
|
||||
|
||||
Section /o "Debugging Symbols" sectionDEBUG
|
||||
SetOutPath "$INSTDIR\bin"
|
||||
|
||||
# core components
|
||||
File "${STUNNEL_BIN_DIR}\stunnel.pdb"
|
||||
File "${OPENSSL_BIN_DIR}\libeay32.pdb"
|
||||
File "${OPENSSL_BIN_DIR}\ssleay32.pdb"
|
||||
!if ${ARCH} == win32
|
||||
File "${ZLIB_DIR}\zlib1.pdb"
|
||||
!endif
|
||||
|
||||
# optional tstunnel.exe
|
||||
SectionGetFlags ${sectionTSTUNNEL} $0
|
||||
IntOp $0 $0 & ${SF_SELECTED}
|
||||
IntCmp $0 0 no_tstunnel_pdb
|
||||
File "${STUNNEL_BIN_DIR}\tstunnel.pdb"
|
||||
no_tstunnel_pdb:
|
||||
|
||||
# optional openssl.exe
|
||||
SectionGetFlags ${sectionOPENSSL} $0
|
||||
IntOp $0 $0 & ${SF_SELECTED}
|
||||
IntCmp $0 0 no_openssl_pdb
|
||||
File "${OPENSSL_BIN_DIR}\openssl.pdb"
|
||||
no_openssl_pdb:
|
||||
|
||||
# engines
|
||||
SetOutPath "$INSTDIR\engines"
|
||||
File "${OPENSSL_ENGINES_DIR}\capi.pdb"
|
||||
File "${OPENSSL_ENGINES_DIR}\chil.pdb"
|
||||
File "${OPENSSL_ENGINES_DIR}\gmp.pdb"
|
||||
File "${OPENSSL_ENGINES_DIR}\gost.pdb"
|
||||
File "${OPENSSL_ENGINES_DIR}\padlock.pdb"
|
||||
File "${OPENSSL_ENGINES_DIR}\ubsec.pdb"
|
||||
# File "${LIBP11_DIR}\pkcs11.pdb"
|
||||
SetOutPath "$INSTDIR"
|
||||
SectionEnd
|
||||
|
||||
Section
|
||||
!insertmacro RestartStunnel
|
||||
SectionEnd
|
||||
|
||||
Section "Uninstall"
|
||||
!insertmacro TerminateStunnel
|
||||
!insertmacro CleanupStunnelFiles
|
||||
|
||||
# remove the stunnel directory
|
||||
Delete "$INSTDIR\config\stunnel.pem"
|
||||
Delete "$INSTDIR\config\stunnel.conf"
|
||||
RMDir "$INSTDIR\config"
|
||||
Delete "$INSTDIR\uninstall.exe"
|
||||
RMDir "$INSTDIR"
|
||||
|
||||
# remove firewall rules
|
||||
SimpleFC::RemoveApplication "$INSTDIR\bin\stunnel.exe"
|
||||
!insertmacro DetailError "SimpleFC::RemoveApplication failed for stunnel.exe"
|
||||
SimpleFC::RemoveApplication "$INSTDIR\bin\tstunnel.exe"
|
||||
!insertmacro DetailError "SimpleFC::RemoveApplication failed for tstunnel.exe"
|
||||
|
||||
# remove the installer and uninstaller registry entires
|
||||
DeleteRegKey SHCTX "${REGKEY_INSTALL}"
|
||||
DeleteRegKey SHCTX "${REGKEY_UNINST}"
|
||||
SectionEnd
|
||||
|
||||
LangString DESC_sectionCORE ${LANG_ENGLISH} \
|
||||
"Installs the stunnel executable and the required libraries.$\r$\nThis component also creates a sample stunnel.conf if no such file exists."
|
||||
LangString DESC_sectionOPENSSL ${LANG_ENGLISH} \
|
||||
"Installs openssl.exe, the OpenSSL command-line tool.$\r$\nThis component also builds a self-signed stunnel.pem file if no such file exists."
|
||||
LangString DESC_sectionTSTUNNEL ${LANG_ENGLISH} \
|
||||
"Installs tstunnel.exe, the command-line version of stunnel.$\r$\ntstunnel.exe is often used for scripting."
|
||||
LangString DESC_sectionMENU ${LANG_ENGLISH} \
|
||||
"Installs the Start Menu shortcuts for managing stunnel."
|
||||
LangString DESC_sectionDESKTOP ${LANG_ENGLISH} \
|
||||
"Installs the Desktop shortcut for stunnel."
|
||||
LangString DESC_sectionDEBUG ${LANG_ENGLISH} \
|
||||
"Installs the .PDB (program database) files for the executables and libraries."
|
||||
LangString DESC_groupTOOLS ${LANG_ENGLISH} \
|
||||
"Installs optional (but useful) tools."
|
||||
LangString DESC_groupSHORTCUTS ${LANG_ENGLISH} \
|
||||
"Installs menu and desktop shortcuts."
|
||||
|
||||
!insertmacro MUI_FUNCTION_DESCRIPTION_BEGIN
|
||||
!insertmacro MUI_DESCRIPTION_TEXT ${sectionCORE} $(DESC_sectionCORE)
|
||||
!insertmacro MUI_DESCRIPTION_TEXT ${sectionOPENSSL} $(DESC_sectionOPENSSL)
|
||||
!insertmacro MUI_DESCRIPTION_TEXT ${sectionTSTUNNEL} $(DESC_sectionTSTUNNEL)
|
||||
!insertmacro MUI_DESCRIPTION_TEXT ${sectionMENU} $(DESC_sectionMENU)
|
||||
!insertmacro MUI_DESCRIPTION_TEXT ${sectionDESKTOP} $(DESC_sectionDESKTOP)
|
||||
!insertmacro MUI_DESCRIPTION_TEXT ${sectionDEBUG} $(DESC_sectionDEBUG)
|
||||
!insertmacro MUI_DESCRIPTION_TEXT ${groupTOOLS} $(DESC_groupTOOLS)
|
||||
!insertmacro MUI_DESCRIPTION_TEXT ${groupSHORTCUTS} $(DESC_groupSHORTCUTS)
|
||||
!insertmacro MUI_FUNCTION_DESCRIPTION_END
|
||||
|
||||
# end of stunnel.nsi
|
||||
|
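Review bot: the HOME check in the openssl.exe section is inverted: `StrCmp $0 "" home_defined` jumps past the `SetEnvironmentVariable("HOME", "$INSTDIR\config")` call exactly when HOME is empty, which is the case the "set HOME for the .rnd file" comment says it exists to handle, and it overrides a user's existing HOME in every other case; `StrCmp $0 "" 0 home_defined` gives the intended behaviour. Separately, the `req -new -x509 -days 365 ... -out "$INSTDIR\config\stunnel.pem" -keyout "$INSTDIR\config\stunnel.pem"` invocation (both in the openssl.exe section and in the "Build a Self-signed stunnel.pem" shortcut) writes the private key and the certificate into one file, and nothing in the hunk sets an ACL on $INSTDIR\config, so the key's permissions are whatever that directory inherits from the install location chosen by $MultiUser.InstallMode; consider restricting the ACL on $INSTDIR\config for AllUsers installs, or at least documenting that the operator should.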
106
tools/stunnel.rh.init
Normal file
@ -0,0 +1,106 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# stunnel Starts or stops Stunnel daemon
|
||||
#
|
||||
# chkconfig: - 48 52
|
||||
# description: Starts or stops Stunnel daemon
|
||||
#
|
||||
### BEGIN INIT INFO
|
||||
# Provides: stunnel
|
||||
# Required-Start: $local_fs $remote_fs
|
||||
# Required-Stop: $local_fs $remote_fs
|
||||
# Should-Start: $syslog
|
||||
# Should-Stop: $syslog
|
||||
# Default-Start:
|
||||
# Default-Stop: 0 1 2 3 4 5 6
|
||||
# Short-Description: Start or stop stunnel 4.x (TLS tunnel for network daemons)
|
||||
# Description: Starts or stops all configured TLS network tunnels. Each *.conf file in
|
||||
# /etc/stunnel/ will spawn a separate stunnel process. The list of files
|
||||
# can be overridden in /etc/sysconfig/stunnel, and that same file can be used
|
||||
# to completely disable *all* tunnels.
|
||||
### END INIT INFO
|
||||
|
||||
# Source function library.
|
||||
. /etc/rc.d/init.d/functions
|
||||
|
||||
exec="/usr/bin/stunnel"
|
||||
prog="stunnel"
|
||||
config="/etc/stunnel/stunnel.conf"
|
||||
|
||||
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
|
||||
|
||||
lockfile=/var/lock/subsys/$prog
|
||||
|
||||
start() {
|
||||
[ -x $exec ] || exit 5
|
||||
[ -f $config ] || exit 6
|
||||
echo -n $"Starting $prog: "
|
||||
daemon ${exec} ${config}
|
||||
retval=$?
|
||||
echo
|
||||
[ $retval -eq 0 ] && touch $lockfile
|
||||
return $retval
|
||||
}
|
||||
|
||||
stop() {
|
||||
echo -n $"Stopping $prog: "
|
||||
killproc ${prog}
|
||||
retval=$?
|
||||
echo
|
||||
[ $retval -eq 0 ] && rm -f $lockfile
|
||||
return $retval
|
||||
}
|
||||
|
||||
restart() {
|
||||
stop
|
||||
start
|
||||
}
|
||||
|
||||
reload() {
|
||||
restart
|
||||
}
|
||||
|
||||
force_reload() {
|
||||
restart
|
||||
}
|
||||
|
||||
rh_status() {
|
||||
status $prog
|
||||
}
|
||||
|
||||
rh_status_q() {
|
||||
rh_status >/dev/null 2>&1
|
||||
}
|
||||
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
rh_status_q && exit 0
|
||||
$1
|
||||
;;
|
||||
stop)
|
||||
rh_status_q || exit 0
|
||||
$1
|
||||
;;
|
||||
restart)
|
||||
$1
|
||||
;;
|
||||
reload)
|
||||
rh_status_q || exit 7
|
||||
$1
|
||||
;;
|
||||
force-reload)
|
||||
force_reload
|
||||
;;
|
||||
status)
|
||||
rh_status
|
||||
;;
|
||||
condrestart|try-restart)
|
||||
rh_status_q || exit 0
|
||||
restart
|
||||
;;
|
||||
*)
|
||||
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
|
||||
exit 2
|
||||
esac
|
||||
exit $?
|
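Review bot: the `### BEGIN INIT INFO` Description promises one stunnel process per *.conf in /etc/stunnel/ and a file list overridable in /etc/sysconfig/stunnel, but the script starts exactly one instance from `config="/etc/stunnel/stunnel.conf"`, and sourcing /etc/sysconfig/$prog can at most point $config at a different single file; either implement the per-file loop or rewrite the description to match what start() does. Also, `stop()` uses `killproc ${prog}`, which matches every process named stunnel on the host rather than the one this script started; if the configuration sets a pid file, `killproc -p "$pidfile" ${prog}` limits the stop to that instance, and `reload()` could then send a signal to it instead of the full `restart` that drops every active tunnel.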