debmon/stunnel4
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Upstream version 5.42

Browse Source
This commit is contained in:
Mario Fetka 2017-11-15 15:03:25 +01:00
parent 74a62c14eb
commit d419cab3c4
102 changed files with 31695 additions and 17975 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
.travis.yml Normal file
View File

@ -0,0 +1,27 @@
sudo: false
language: c
os:
- linux
- osx
compiler:
- gcc
- clang
env:
- CONFIGURE_OPTIONS='--with-threads=pthread'
- CONFIGURE_OPTIONS='--with-threads=fork'
- CONFIGURE_OPTIONS='--with-threads=ucontext'
- CONFIGURE_OPTIONS='--disable-ipv6 --disable-fips --disable-systemd --disable-libwrap'
addons:
apt:
packages:
- libssl-dev
- libwrap0-dev
before_script: autoreconf -fvi && touch src/dhparam.c
script: ./configure $CONFIGURE_OPTIONS && make && make test

2
AUTHORS
View File

@ -1,4 +1,4 @@
stunnel authors
Michal Trojnara <Michal.Trojnara@mirt.net>
Michal Trojnara <Michal.Trojnara@stunnel.org>

2
COPYING
View File

@ -1,6 +1,6 @@
stunnel license (see COPYRIGHT.GPL for detailed GPL conditions)
Copyright (C) 1998-2013 Michal Trojnara
Copyright (C) 1998-2017 Michal Trojnara
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software

39
CREDITS
View File

@ -1,9 +1,40 @@
Special thx to:
stunnel code contributions
The code contributions are licensed as public domain unless stated otherwise.
Several Win32 and WCE improvements and bugfixes:
* Pierre Delaage <delaage.pierre@free.fr>
systemd socket activation in version 5.05:
Copyright (c) 2014 Mark Theunissen
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Several bugfixes and improvements mostly in versions 3.xx:
* Brian Hatch <bri@stunnel.org>
Initial PTY support in version 3.05:
* Dirk O. Siebnich <dok@vossnet.de>
Initial SSL support in versions 1.x:
* Adam Hernik <adas@infocentrum.com>
* Pawel Krawczyk <kravietz@ceti.com.pl>
* Brian Hatch <bri@stunnel.org>
* Dirk O. Siebnich <dok@vossnet.de> for PTY support
and many others...

670
ChangeLog
View File

@ -1,5 +1,670 @@
stunnel change log
Version 5.42, 2017.07.16, urgency: HIGH
* New features
- "redirect" also supports "exec" and not only "connect".
- PKCS#11 engine DLL updated to version 0.4.7.
* Bugfixes
- Fixed premature cron thread initialization causing hangs.
- Fixed "verifyPeer = yes" on OpenSSL <= 1.0.1.
- Fixed pthreads support on OpenSolaris.
Version 5.41, 2017.04.01, urgency: MEDIUM
* New features
- PKCS#11 engine DLL updated to version 0.4.5.
- Default engine UI set with ENGINE_CTRL_SET_USER_INTERFACE.
- Key file name added into the passphrase console prompt.
- Performance optimization in memory leak detection.
* Bugfixes
- Fixed crashes with the OpenSSL 1.1.0 branch.
- Fixed certificate verification with "verifyPeer = yes"
and "verifyChain = no" (the default), while the peer
only returns a single certificate.
Version 5.40, 2017.01.28, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2k.
https://www.openssl.org/news/secadv/20170126.txt
* New features
- DH ciphersuites are now disabled by default.
- The daily server DH parameter regeneration is only performed if
DH ciphersuites are enabled in the configuration file.
- "checkHost" and "checkEmail" were modified to require either
"verifyChain" or "verifyPeer" (thx to Małorzata Olszówka).
* Bugfixes
- Fixed setting default ciphers.
Version 5.39, 2017.01.01, urgency: LOW
* New features
- PKCS#11 engine (pkcs11.dll) added to the Win32 build.
- Per-destination TLS session cache added for the client mode.
- The new "logId" parameter "process" added to log PID values.
- Added support for the new SSL_set_options() values.
- Updated the manual page.
- Obsolete references to "SSL" replaced with "TLS".
* Bugfixes
- Fixed "logId" parameter to also work in inetd mode.
- "delay = yes" properly enforces "failover = prio".
- Fixed fd_set allocation size on Win64.
- Fixed reloading invalid configuration file on Win32.
- Fixed resolving addresses with unconfigured network interfaces.
Version 5.38, 2016.11.26, urgency: MEDIUM
* New features
- "sni=" can be used to prevent sending the SNI extension.
- The AI_ADDRCONFIG resolver flag is used when available.
- Merged Debian 06-lfs.patch (thx to Peter Pentchev).
* Bugfixes
- Fixed a memory allocation bug causing crashes with OpenSSL 1.1.0.
- Fixed error handling for mixed IPv4/IPv6 destinations.
- Merged Debian 08-typos.patch (thx to Peter Pentchev).
Version 5.37, 2016.11.06, urgency: MEDIUM
* Bugfixes
- OpenSSL DLLs updated to version 1.0.2j (stops crashes).
- The default SNI target (not handled by any slave service)
is handled by the master service rather than rejected.
- Removed thread synchronization in the FORK threading model.
Version 5.36, 2016.09.22, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2i.
https://www.openssl.org/news/secadv_20160922.txt
* New features
- Added support for OpenSSL 1.1.0 built with "no-deprecated".
- Removed direct zlib dependency.
Version 5.35, 2016.07.18, urgency: HIGH
* Bugfixes
- Fixed incorrectly enforced client certificate requests.
- Only default to SO_EXCLUSIVEADDRUSE on Vista and later.
- Fixed thread safety of the configuration file reopening.
Version 5.34, 2016.07.05, urgency: HIGH
* Security bugfixes
- Fixed malfunctioning "verify = 4".
* New features
- Bind sockets with SO_EXCLUSIVEADDRUSE on WIN32.
- Added three new service-level options: requireCert, verifyChain,
and verifyPeer for fine-grained certificate verification control.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
Version 5.33, 2016.06.23, urgency: HIGH
* New features
- Improved memory leak detection performance and accuracy.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
- SNI support also enabled on OpenSSL 0.9.8f and later (thx to
Guillermo Rodriguez Garcia).
- Added support for PKCS #12 (.p12/.pfx) certificates (thx to
Dmitry Bakshaev).
* Bugfixes
- Fixed a TLS session caching memory leak (thx to Richard Kraemer).
Before stunnel 5.27 this leak only emerged with sessiond enabled.
- Yet another WinCE socket fix (thx to Richard Kraemer).
- Fixed passphrase/pin dialogs in tstunnel.exe.
- Fixed a FORK threading build regression bug.
- OPENSSL_NO_DH compilation fix (thx to Brian Lin).
Version 5.32, 2016.05.03, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2h.
https://www.openssl.org/news/secadv_20160503.txt
* New features
- New "socket = a:IPV6_V6ONLY=yes" option to only bind IPv6.
- Memory leak detection.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
- Added/fixed Red Hat scripts (thx to Andrew Colin Kissa).
* Bugfixes
- Workaround for a WinCE sockets quirk (thx to Richard Kraemer).
- Fixed data alignment on 64-bit MSVC (thx to Yuris W. Auzins).
Version 5.31, 2016.03.01, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2g.
https://www.openssl.org/news/secadv_20160301.txt
* New features
- Added logging the list of client CAs requested by the server.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
* Bugfixes
- Only reset the watchdog if some data was actually transferred.
- A workaround implemented for the unexpected exceptfds set by
select() on WinCE 6.0 (thx to Richard Kraemer).
- Fixed logging an incorrect value of the round-robin starting
point (thx to Jose Alf.).
Version 5.30, 2016.01.28, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2f.
https://www.openssl.org/news/secadv_20160128.txt
* New features
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
- Added OpenSSL autodetection for the recent versions of Xcode.
* Bugfixes
- Fixed references to /etc removed from stunnel.init.in.
- Stopped even trying -fstack-protector on unsupported platforms
(thx to Rob Lockhart).
Version 5.29, 2016.01.08, urgency: LOW
* New features
- New WIN32 icons.
- Performance improvement: rwlocks used for locking with pthreads.
* Bugfixes
- Compilation fix for *BSD.
- Fixed configuration file reload for relative stunnel.conf path
on Unix.
- Fixed ignoring CRLfile unless CAfile was also specified (thx
to Strukov Petr).
Version 5.28, 2015.12.11, urgency: HIGH
* New features
- Build matrix (.travis.yml) extended with ./configure options.
- mingw.mak updated to build tstunnel.exe (thx to Jose Alf.).
* Bugfixes
- Fixed incomplete initialization.
- Fixed UCONTEXT threading on OSX.
- Fixed exit codes for information requests (as
in "stunnel -version" or "stunnel -help").
Version 5.27, 2015.12.03, urgency: MEDIUM
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2e.
https://www.openssl.org/news/secadv_20151203.txt
* New features
- Automated build testing configured with .travis.yml.
- Added reading server certificates from hardware engines.
For example: cert = id_45
- Only attempt to use potentially harmful compiler or linker
options if gcc was detected.
- /opt/csw added to the OpenSSL directory lookup list.
- mingw.mak updates (thx to Jose Alf.).
- TODO list updated.
Version 5.26, 2015.11.06, urgency: MEDIUM
* Bugfixes
- Compilation fixes for OSX, *BSD and Solaris.
Version 5.25, 2015.11.02, urgency: MEDIUM
* New features
- SMTP client protocol negotiation support for
"protocolUsername", "protocolPassword", and
"protocolAuthentication" (thx to Douglas Harris).
- New service-level option "config" to specify configuration
commands introduced in OpenSSL 1.0.2 (thx to Stephen Wall).
- The global option "foreground" now also accepts "quiet"
parameter, which does not enable logging to stderr.
- Manual page updated.
- Obsolete OpenSSL engines removed from the Windows build:
4758cca, aep, atalla, cswift, nuron, sureware.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree:
gracefully handle symbols renamed from SSLeay* to OpenSSL*.
* Bugfixes
- Fixed the "s_poll_wait returned 1, but no descriptor
is ready" internal error.
- Fixed "exec" hangs due to incorrect thread-local
storage handling (thx to Philip Craig).
- Fixed PRNG initialization (thx to Philip Craig).
- Setting socket options no longer performed on PTYs.
- Fixed 64-bit Windows build.
Version 5.24, 2015.10.08, urgency: MEDIUM
* New features
- Custom CRL verification was replaced with the internal
OpenSSL functionality.
- *BSD support for "transparent = destination" and
client-side "protocol = socks". This feature should
work at least on FreeBSD, OpenBSD and OS X.
- Added a new "protocolDomain" option for the NTLM
authentication (thx to Andreas Botsikas).
- Improved compatibility of the NTLM phase 1 message (thx
to Andreas Botsikas).
- "setuid" and "setgid" options are now also available
in service sections. They can be used to set owner
and group of the Unix socket specified with "accept".
- Added support for the new OpenSSL 1.0.2 SSL options.
- Added OPENSSL_NO_EGD support (thx to Bernard Spil).
- VC autodetection added to makew32.bat (thx to Andreas
Botsikas).
* Bugfixes
- Fixed the RESOLVE [F0] TOR extension support in SOCKS5.
- Fixed the error code reported on the failed bind()
requests.
- Fixed the sequential log id with the FORK threading.
- Restored the missing Microsoft.VC90.CRT.manifest file.
Version 5.23, 2015.09.02, urgency: LOW
* New features
- Client-side support for the SOCKS protocol.
See https://www.stunnel.org/socksvpn.html for details.
- Reject SOCKS requests to connect loopback addresses.
- New service-level option "OCSPnonce".
The default value is "OCSPnonce = no".
- Win32 directory structure rearranged. The installer
script provides automatic migration for common setups.
- Added Win32 installer option to install stunnel for the
current user only. This feature does not deploy the NT
service, but it also does not require aministrative
privileges to install and configure stunnel.
- stunnel.cnf was renamed to openssl.cnf in order to
to prevent users from mixing it up with stunnel.conf.
- Win32 desktop is automatically refreshed when the icon
is created or removed.
- The ca-certs.pem file is now updated on stunnel upgrade.
- Inactive ports were removed from the PORTS file.
- Added IPv6 support to the transparent proxy code.
* Bugfixes
- Compilation fix for OpenSSL version older than 1.0.0.
- Compilation fix for mingw.
Version 5.22, 2015.07.30, urgency: HIGH
* New features
- "OCSPaia = yes" added to the configuration file templates.
- Improved double free detection.
* Bugfixes
- Fixed a number of OCSP bugs. The most severe of those
bugs caused stunnel to treat OCSP responses that failed
OCSP_basic_verify() checks as if they were successful.
- Fixed the passive IPv6 resolver (broken in stunnel 5.21).
Version 5.21, 2015.07.27, urgency: MEDIUM
* New features
- Signal names are displayed instead of numbers.
- First resolve IPv4 addresses on passive resolver requests.
This speeds up stunnel startup on Win32 with a slow/defunct
DNS service.
- The "make check" target was modified to only build Win32
executables when stunnel is built from a git repository (thx
to Peter Pentchev).
- More elaborate descriptions were added to the warning about
using "verify = 2" without "checkHost" or "checkIP".
- Performance optimization was performed on the debug code.
* Bugfixes
- Fixed the FORK and UCONTEXT threading support.
- Fixed "failover=prio" (broken since stunnel 5.15).
- Added a retry when sleep(3) was interrupted by a signal
in the cron thread scheduler.
Version 5.20, 2015.07.09, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2d.
https://www.openssl.org/news/secadv_20150709.txt
* New features
- poll(2) re-enabled on MacOS X 10.5 and later.
- Xcode SDK is automatically used on MacOS X if no other
locally installed OpenSSL directory is found.
- The SSL library detection algorithm was made a bit smarter.
- Warnings about insecure authentication were modified to
include the name of the affected service section.
- A warning was added to stunnel.init if no pid file was
specified in the configuration file (thx to Peter Pentchev).
- Optional debugging symbols are included in the Win32 installer.
- Documentation updates (closes Debian bug #781669).
* Bugfixes
- Signal pipe reinitialization added to prevent turning the
main accepting thread into a busy wait loop when an external
condition breaks the signal pipe. This bug was found to
surface on Win32, but other platforms may also be affected.
- Fixed removing the disabled taskbar icon.
- Generated temporary DH parameters are used for configuration
reload instead of the static defaults.
- LSB compatibility fixes added to the stunnel.init script (thx
to Peter Pentchev).
- Fixed the manual page headers (thx to Gleydson Soares).
Version 5.19, 2015.06.16, urgency: MEDIUM:
* New features
- OpenSSL DLLs updated to version 1.0.2c.
- Added a runtime check whether COMP_zlib() method is implemented
in order to improve compatibility with the Debian OpenSSL build.
* Bugfixes
- Improved socket error handling.
- Cron thread priority on Win32 platform changed to
THREAD_PRIORITY_LOWEST to improve portability.
- Makefile bugfixes for stunnel 5.18 regressions.
- Fixed some typos in docs and scripts (thx to Peter Pentchev).
- Fixed a log level check condition (thx to Peter Pentchev).
Version 5.18, 2015.06.12, urgency: MEDIUM:
* New features
- OpenSSL DLLs updated to version 1.0.2b.
https://www.openssl.org/news/secadv_20150611.txt
- Added "include" configuration file option to include all
configuration file parts located in a specified directory.
- Log file is reopened every 24 hours. With "log = overwrite"
this feature can be used to prevent filling up disk space.
- Temporary DH parameters are refreshed every 24 hours, unless
static DH parameters were provided in the certificate file.
- Unique initial DH parameters are distributed with each release.
- Warnings are logged on potentially insecure authentication.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree:
removed RLE compression support, etc.
- Updated stunnel.spec (thx to Bill Quayle).
* Bugfixes
- Fixed handling of dynamic connect targets.
- Fixed handling of trailing whitespaces in the Content-Length
header of the NTLM authentication.
- Fixed --sysconfdir and --localstatedir handling (thx to
Dagobert Michelsen).
Version 5.17, 2015.04.29, urgency: HIGH:
* Bugfixes
- Fixed a NULL pointer dereference causing the service to crash.
This bug was introduced in stunnel 5.15.
Version 5.16, 2015.04.19, urgency: MEDIUM:
* Bugfixes
- Fixed compilation with old versions of gcc.
Version 5.15, 2015.04.16, urgency: LOW:
* New features
- Added new service-level options "checkHost", "checkEmail" and
"checkIP" for additional checks of the peer certificate subject.
These options require OpenSSL version 1.0.2 or higher.
- Win32 binary distribution now ships with the Mozilla root CA
bundle. This bundle is intended be used together with the new
"checkHost" option to validate server certs accepted by Mozilla.
- New commandline options "-reload" to reload the configuration
file and "-reopen" to reopen the log file of stunnel running
as a Windows service (thx to Marc McLaughlin).
- Added session persistence based on negotiated TLS sessions.
https://en.wikipedia.org/wiki/Load_balancing_%28computing%29#Persistence
The current implementation does not support external TLS
session caching with sessiond.
- MEDIUM ciphers (currently SEED and RC4) are removed from the
default cipher list.
- The "redirect" option was improved to not only redirect sessions
established with an untrusted certificate, but also sessions
established without a client certificate.
- OpenSSL version checking modified to distinguish FIPS and
non-FIPS builds.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
- Removed support for OpenSSL versions older than 0.9.7.
The final update for the OpenSSL 0.9.6 branch was 17 Mar 2004.
- "sessiond" support improved to also work in OpenSSL 0.9.7.
- Randomize the initial value of the round-robin counter.
- New stunnel.conf templates are provided for Windows and Unix.
* Bugfixes
- Fixed compilation against old versions of OpenSSL.
- Fixed memory leaks in certificate verification.
Version 5.14, 2015.03.25, urgency: HIGH:
* Security bugfixes
- The "redirect" option now also redirects clients on SSL session
reuse. In stunnel versions 5.00 to 5.13 reused sessions were
instead always connected hosts specified with the "connect"
option regardless of their certificate verification result.
This vulnerability was reported by Johan Olofsson.
* New features
- Windows service is automatically restarted after upgrade.
* Bugfixes
- Fixed a memory allocation error during Unix daemon shutdown.
- Fixed handling multiple connect/redirect destinations.
- OpenSSL FIPS builds are now correctly reported on startup.
Version 5.13, 2015.03.20, urgency: MEDIUM:
* New features
- The "service" option was modified to also control the syslog
service name.
* Bugfixes
- Fixed Windows service crash.
Version 5.12, 2015.03.19, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2a.
https://www.openssl.org/news/secadv_20150319.txt
* New features
- New service-level option "logId" to specify the
connection identifier type. Currently supported types:
"sequential" (default), "unique", and "thread".
- New service-level option "debug" to individually control
logging verbosity of defined services.
* Bugfixes
- OCSP fixed on Windows platform (thx to Alec Kosky).
Version 5.11, 2015.03.11, urgency: LOW:
* New features
- OpenSSL DLLs updated to version 1.0.2.
- Removed dereferences of internal OpenSSL data structures.
- PSK key lookup algorithm performance improved from
O(N) (linear) to O(log N) (logarithmic).
* Bugfixes
- Fixed peer certificate list in the main window on Win32
(thx to @fyer for reporting it).
- Fixed console logging in tstunnel.exe.
- _tputenv_s() replaced with more portable _tputenv() on Win32.
Version 5.10, 2015.01.22, urgency: LOW:
* New features
- OCSP AIA (Authority Information Access) support. This feature
can be enabled with the new service-level option "OCSPaia".
- Additional security features of the linker are enabled:
"-z relro", "-z now", "-z noexecstack".
* Bugfixes
- OpenSSL DLLs updated to version 1.0.1l.
https://www.openssl.org/news/secadv_20150108.txt
- FIPS canister updated to version 2.0.9 in the Win32 binary
build.
Version 5.09, 2015.01.02, urgency: LOW:
* New features
- Added PSK authentication with two new service-level
configuration file options "PSKsecrets" and "PSKidentity".
- Added additional security checks to the OpenSSL memory
management functions.
- Added support for the OPENSSL_NO_OCSP and OPENSSL_NO_ENGINE
OpenSSL configuration flags.
- Added compatibility with the current OpenSSL 1.1.0-dev tree.
* Bugfixes
- Removed defective s_poll_error() code occasionally causing
connections to be prematurely closed (truncated).
This bug was introduced in stunnel 4.34.
- Fixed ./configure systemd detection (thx to Kip Walraven).
- Fixed ./configure sysroot detection (thx to Kip Walraven).
- Fixed compilation against old versions of OpenSSL.
- Removed outdated French manual page.
Version 5.08, 2014.12.09, urgency: MEDIUM:
* New features
- Added SOCKS4/SOCKS4a protocol support.
- Added SOCKS5 protocol support.
- Added SOCKS RESOLVE [F0] TOR extension support.
- Updated automake to version 1.14.1.
- OpenSSL directory searching is now relative to the sysroot.
* Bugfixes
- Fixed improper hangup condition handling.
- Fixed missing -pic linker option. This is required for
Android 5.0 and improves security.
Version 5.07, 2014.11.01, urgency: MEDIUM:
* New features
- Several SMTP server protocol negotiation improvements.
- Added UTF-8 byte order marks to stunnel.conf templates.
- DH parameters are no longer generated by "make cert".
The hardcoded DH parameters are sufficiently secure,
and modern TLS implementations will use ECDH anyway.
- Updated manual for the "options" configuration file option.
- Added support for systemd 209 or later.
- New --disable-systemd ./configure option.
- setuid/setgid commented out in stunnel.conf-sample.
* Bugfixes
- Added support for UTF-8 byte order mark in stunnel.conf.
- Compilation fix for OpenSSL with disabled SSLv2 or SSLv3.
- Non-blocking mode set on inetd and systemd descriptors.
- shfolder.h replaced with shlobj.h for compatibility
with modern Microsoft compilers.
Version 5.06, 2014.10.15, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1j.
https://www.openssl.org/news/secadv_20141015.txt
- The insecure SSLv2 protocol is now disabled by default.
It can be enabled with "options = -NO_SSLv2".
- The insecure SSLv3 protocol is now disabled by default.
It can be enabled with "options = -NO_SSLv3".
- Default sslVersion changed to "all" (also in FIPS mode)
to autonegotiate the highest supported TLS version.
* New features
- Added missing SSL options to match OpenSSL 1.0.1j.
- New "-options" commandline option to display the list
of supported SSL options.
* Bugfixes
- Fixed FORK threading build regression bug.
- Fixed missing periodic Win32 GUI log updates.
Version 5.05, 2014.10.10, urgency: MEDIUM:
* New features
- Asynchronous communication with the GUI thread for faster
logging on Win32.
- systemd socket activation (thx to Mark Theunissen).
- The parameter of "options" can now be prefixed with "-"
to clear an SSL option, for example:
"options = -LEGACY_SERVER_CONNECT".
- Improved "transparent = destination" manual page (thx to
Vadim Penzin).
* Bugfixes
- Fixed POLLIN|POLLHUP condition handling error resulting
in prematurely closed (truncated) connection.
- Fixed a null pointer dereference regression bug in the
"transparent = destination" functionality (thx to
Vadim Penzin). This bug was introduced in stunnel 5.00.
- Fixed startup thread synchronization with Win32 GUI.
- Fixed erroneously closed stdin/stdout/stderr if specified
as the -fd commandline option parameter.
- A number of minor Win32 GUI bugfixes and improvements.
- Merged most of the Windows CE patches (thx to Pierre Delaage).
- Fixed incorrect CreateService() error message on Win32.
- Implemented a workaround for defective Cygwin file
descriptor passing breaking the libwrap support:
http://wiki.osdev.org/Cygwin_Issues#Passing_file_descriptors
Version 5.04, 2014.09.21, urgency: LOW:
* New features
- Support for local mode ("exec" option) on Win32.
- Support for UTF-8 config file and log file.
- Win32 UTF-16 build (thx to Pierre Delaage for support).
- Support for Unicode file names on Win32.
- A more explicit service description provided for the
Windows SCM (thx to Pierre Delaage).
- TCP/IP dependency added for NT service in order to prevent
initialization failure at boot time.
- FIPS canister updated to version 2.0.8 in the Win32 binary
build.
* Bugfixes
- load_icon_default() modified to return copies of default icons
instead of the original resources to prevent the resources
from being destroyed.
- Partially merged Windows CE patches (thx to Pierre Delaage).
- Fixed typos in stunnel.init.in and vc.mak.
- Fixed incorrect memory allocation statistics update in
str_realloc().
- Missing REMOTE_PORT environmental variable is provided to
processes spawned with "exec" on Unix platforms.
- Taskbar icon is no longer disabled for NT service.
- Fixed taskbar icon initialization when commandline options are
specified.
- Reportedly more compatible values used for the dwDesiredAccess
parameter of the CreateFile() function (thx to Pierre Delaage).
- A number of minor Win32 GUI bugfixes and improvements.
Version 5.03, 2014.08.07, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1i.
See https://www.openssl.org/news/secadv_20140806.txt
* New features
- FIPS autoconfiguration cleanup.
- FIPS canister updated to version 2.0.6.
- Improved SNI diagnostic logging.
* Bugfixes
- Compilation fixes for old versions of OpenSSL.
- Fixed whitespace handling in the stunnel.init script.
Version 5.02, 2014.06.09, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1h.
See https://www.openssl.org/news/secadv_20140605.txt
* New features
- Major rewrite of the protocol.c interface: it is now possible to add
protocol negotiations at multiple connection phases, protocols can
individually decide whether the remote connection will be
established before or after SSL/TLS is negotiated.
- Heap memory blocks are wiped before release. This only works for
block allocated by stunnel, and not by OpenSSL or other libraries.
- The safe_memcmp() function implemented with execution time not
dependent on the compared data.
- Updated the stunnel.conf and stunnel.init templates.
- Added a client-mode example to the manual.
* Bugfixes
- Fixed "failover = rr" broken since version 5.00.
- Fixed "taskbar = no" broken since version 5.00.
- Compilation fix for missing SSL_OP_MSIE_SSLV2_RSA_PADDING option.
Version 5.01, 2014.04.08, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1g.
This version mitigates TLS heartbeat read overrun (CVE-2014-0160).
* New features
- X.509 extensions added to the created self-signed stunnel.pem.
- "FIPS = no" also allowed in non-FIPS builds of stunnel.
- Search all certificates with the same subject name for a matching
public key rather than only the first one (thx to Leon Winter).
- Create logs in the local application data folder if stunnel folder
is not writable on Win32.
* Bugfixes
- close_notify not sent when SSL still has some data buffered.
- Protocol negotiation with server-side SNI fixed.
- A Mac OS X missing symbols fixed.
- Win32 configuration file reload crash fixed.
- Added s_pool_free() on exec+connect service retires.
- Line-buffering enforced on stderr output.
stunnel 5.00 disables some features previously enabled by default.
Users should review whether the new defaults are appropriate for their
particular deployments. Packages maintainers may consider prepending
the old defaults for "fips" (if supported by their OpenSSL library),
"pid" and "libwrap" to stunnel.conf during automated updates.
Version 5.00, 2014.03.06, urgency: HIGH:
* Security bugfixes
- Added PRNG state update in fork threading (CVE-2014-0016).
* New global configuration file defaults
- Default "fips" option value is now "no", as FIPS mode is only
helpful for compliance, and never for actual security.
- Default "pid" is now "", i.e. not to create a pid file at startup.
* New service-level configuration file defaults
- Default "ciphers" updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2"
due to AlFBPPS attack and bad performance of DH ciphersuites.
- Default "libwrap" setting is now "no" to improve performance.
* New features
- OpenSSL DLLs updated to version 1.0.1f.
- zlib DLL updated to version 1.2.8.
- autoconf scripts upgraded to version 2.69.
- TLS 1.1 and TLS 1.2 are now allowed in the FIPS mode.
- New service-level option "redirect" to redirect SSL client
connections on authentication failures instead of rejecting them.
- New global "engineDefault" configuration file option to control
which OpenSSL tasks are delegated to the current engine.
Available tasks: ALL, RSA, DSA, ECDH, ECDSA, DH, RAND, CIPHERS,
DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1.
- New service-level configuration file option "engineId" to select
the engine by identifier, e.g. "engineId = capi".
- New global configuration file option "log" to control whether to
append (the default), or to overwrite log file while (re)opening.
- Different taskbar icon colors to indicate the service state.
- New global configuration file options "iconIdle", "iconActive",
and "iconError" to select status icon on GUI taskbar.
- Removed the limit of 63 stunnel.conf sections on Win32 platform.
- Installation of a sample certificate was moved to a separate "cert"
target in order to allow unattended (e.g. scripted) installations.
- Reduced length of the logged thread identifier. It is still based
on the OS thread ID, and thus not unique over long periods of time.
- Improved readability of error messages printed when stunnel refuses
to start due to a critical error.
* Bugfixes
- LD_PRELOAD Solaris compatibility bug fixed (thx to Norm Jacobs).
- CRYPTO_NUM_LOCKS replaced with CRYPTO_num_locks() to improve binary
compatibility with diverse builds of OpenSSL (thx to Norm Jacobs).
- Corrected round-robin failover behavior under heavy load.
- Numerous fixes in the engine support code.
- On Win32 platform .rnd file moved from c:\ to the stunnel folder.
Version 4.57, 2015.04.01, urgency: HIGH:
* Security bugfixes
@ -116,6 +781,7 @@ Version 4.51, 2012.01.09, urgency: MEDIUM:
- New "compression = deflate" global option to enable RFC 2246 compresion.
For compatibility with previous versions "compression = zlib" and
"compression = rle" also enable the deflate (RFC 2246) compression.
- Compression is disabled by default.
- Separate default ciphers and sslVersion for "fips = yes" and "fips = no".
- UAC support for editing configuration file with Windows GUI.
* Bugfixes
@ -518,7 +1184,7 @@ Version 4.19, 2006.11.11, urgency: LOW/EXPERIMENTAL:
- There are a lot of new features in this version. I recommend
to test it well before upgrading your mission-critical systems.
* New features
- New service-level option to specify OCSP server flag:
- New service-level option to specify an OCSP responder flag:
OCSPflag = <flag>
- "protocolCredentials" option changed to "protocolUsername"
and "protocolPassword"
@ -574,7 +1240,7 @@ Version 4.16, 2006.08.31, urgency: MEDIUM:
- Default group is now detected by configure script.
- Check for maximum number of defined services added.
- OpenSSL_add_all_algorithms() added to SSL initialization.
- configure script sections reordered to detect pthread library funcions.
- configure script sections reordered to detect pthread library functions.
- RFC 2487 autodetection improved. High resolution s_poll_wait()
not currently supported by UCONTEXT threading.
- More precise description of cert directory file names (thx to Muhammad

378
INSTALL
View File

@ -1,40 +1,370 @@
stunnel Unix install notes
Installation Instructions
*************************
Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation,
Inc.
1. If your machine supports POSIX threads make sure your SSL
library is compiled with -DTHREADS.
Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved. This file is offered as-is,
without warranty of any kind.
2. Compile the software:
Basic Installation
==================
./configure
make
make install
Briefly, the shell command `./configure && make && make install'
should configure, build, and install this package. The following
more-detailed instructions are generic; see the `README' file for
instructions specific to this package. Some packages provide this
`INSTALL' file but do not implement all of the features documented
below. The lack of an optional feature in a given package is not
necessarily a bug. More recommendations for GNU packages can be found
in *note Makefile Conventions: (standards)Makefile Conventions.
(see potential options for 'configure' at the end of this file)
The `configure' shell script attempts to guess correct values for
various system-dependent variables used during compilation. It uses
those values to create a `Makefile' in each directory of the package.
It may also create one or more `.h' files containing system-dependent
definitions. Finally, it creates a shell script `config.status' that
you can run in the future to recreate the current configuration, and a
file `config.log' containing compiler output (useful mainly for
debugging `configure').
3. Create stunnel configuration file (stunnel.conf).
It can also use an optional file (typically called `config.cache'
and enabled with `--cache-file=config.cache' or simply `-C') that saves
the results of its tests to speed up reconfiguring. Caching is
disabled by default to prevent problems with accidental use of stale
cache files.
4. Add stunnel invocation to your system's startup files.
For SysV-compatible init you can use stunnel.init script.
If you need to do unusual things to compile the package, please try
to figure out how `configure' could check whether to do them, and mail
diffs or instructions to the address given in the `README' so they can
be considered for the next release. If you are using the cache, and at
some point `config.cache' contains results you don't want to keep, you
may remove or edit it.
or
The file `configure.ac' (or `configure.in') is used to create
`configure' by a program called `autoconf'. You need `configure.ac' if
you want to change it or regenerate `configure' using a newer version
of `autoconf'.
Modify /etc/services and /etc/inetd.conf, restart inetd (inetd mode).
The simplest way to compile this package is:
See the manual for details.
1. `cd' to the directory containing the package's source code and type
`./configure' to configure the package for your system.
5. There are a variety of compile-time options you may supply when
running configure. Most commonly used are:
Running `configure' might take a while. While running, it prints
some messages telling which features it is checking for.
--with-ssl=DIR
where your SSL libraries and include files are installed
2. Type `make' to compile the package.
--with-random=FILE
read randomness from FILE for PRNG seeding
3. Optionally, type `make check' to run any self-tests that come with
the package, generally using the just-built uninstalled binaries.
--with-egd-socket=FILE
location of Entropy Gathering Daemon socket, if running EGD
(for example on a machine that lacks a /dev/urandom device)
4. Type `make install' to install the programs and any data files and
documentation. When installing into a prefix owned by root, it is
recommended that the package be configured and built as a regular
user, and only the `make install' phase executed with root
privileges.
Use `./configure --help' to see all the options.
5. Optionally, type `make installcheck' to repeat any self-tests, but
this time using the binaries in their final installed location.
This target does not install anything. Running this target as a
regular user, particularly if the prior `make install' required
root privileges, verifies that the installation completed
correctly.
6. You can remove the program binaries and object files from the
source code directory by typing `make clean'. To also remove the
files that `configure' created (so you can compile the package for
a different kind of computer), type `make distclean'. There is
also a `make maintainer-clean' target, but that is intended mainly
for the package's developers. If you use it, you may have to get
all sorts of other programs in order to regenerate files that came
with the distribution.
7. Often, you can also type `make uninstall' to remove the installed
files again. In practice, not all packages have tested that
uninstallation works correctly, even though it is required by the
GNU Coding Standards.
8. Some packages, particularly those that use Automake, provide `make
distcheck', which can by used by developers to test that all other
targets like `make install' and `make uninstall' work correctly.
This target is generally not run by end users.
Compilers and Options
=====================
Some systems require unusual options for compilation or linking that
the `configure' script does not know about. Run `./configure --help'
for details on some of the pertinent environment variables.
You can give `configure' initial values for configuration parameters
by setting variables in the command line or in the environment. Here
is an example:
./configure CC=c99 CFLAGS=-g LIBS=-lposix
*Note Defining Variables::, for more details.
Compiling For Multiple Architectures
====================================
You can compile the package for more than one kind of computer at the
same time, by placing the object files for each architecture in their
own directory. To do this, you can use GNU `make'. `cd' to the
directory where you want the object files and executables to go and run
the `configure' script. `configure' automatically checks for the
source code in the directory that `configure' is in and in `..'. This
is known as a "VPATH" build.
With a non-GNU `make', it is safer to compile the package for one
architecture at a time in the source code directory. After you have
installed the package for one architecture, use `make distclean' before
reconfiguring for another architecture.
On MacOS X 10.5 and later systems, you can create libraries and
executables that work on multiple system types--known as "fat" or
"universal" binaries--by specifying multiple `-arch' options to the
compiler but only a single `-arch' option to the preprocessor. Like
this:
./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
CPP="gcc -E" CXXCPP="g++ -E"
This is not guaranteed to produce working output in all cases, you
may have to build one architecture at a time and combine the results
using the `lipo' tool if you have problems.
Installation Names
==================
By default, `make install' installs the package's commands under
`/usr/local/bin', include files under `/usr/local/include', etc. You
can specify an installation prefix other than `/usr/local' by giving
`configure' the option `--prefix=PREFIX', where PREFIX must be an
absolute file name.
You can specify separate installation prefixes for
architecture-specific files and architecture-independent files. If you
pass the option `--exec-prefix=PREFIX' to `configure', the package uses
PREFIX as the prefix for installing programs and libraries.
Documentation and other data files still use the regular prefix.
In addition, if you use an unusual directory layout you can give
options like `--bindir=DIR' to specify different values for particular
kinds of files. Run `configure --help' for a list of the directories
you can set and what kinds of files go in them. In general, the
default for these options is expressed in terms of `${prefix}', so that
specifying just `--prefix' will affect all of the other directory
specifications that were not explicitly provided.
The most portable way to affect installation locations is to pass the
correct locations to `configure'; however, many packages provide one or
both of the following shortcuts of passing variable assignments to the
`make install' command line to change installation locations without
having to reconfigure or recompile.
The first method involves providing an override variable for each
affected directory. For example, `make install
prefix=/alternate/directory' will choose an alternate location for all
directory configuration variables that were expressed in terms of
`${prefix}'. Any directories that were specified during `configure',
but not in terms of `${prefix}', must each be overridden at install
time for the entire installation to be relocated. The approach of
makefile variable overrides for each directory variable is required by
the GNU Coding Standards, and ideally causes no recompilation.
However, some platforms have known limitations with the semantics of
shared libraries that end up requiring recompilation when using this
method, particularly noticeable in packages that use GNU Libtool.
The second method involves providing the `DESTDIR' variable. For
example, `make install DESTDIR=/alternate/directory' will prepend
`/alternate/directory' before all installation names. The approach of
`DESTDIR' overrides is not required by the GNU Coding Standards, and
does not work on platforms that have drive letters. On the other hand,
it does better at avoiding recompilation issues, and works well even
when some directory options were not specified in terms of `${prefix}'
at `configure' time.
Optional Features
=================
If the package supports it, you can cause programs to be installed
with an extra prefix or suffix on their names by giving `configure' the
option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
Some packages pay attention to `--enable-FEATURE' options to
`configure', where FEATURE indicates an optional part of the package.
They may also pay attention to `--with-PACKAGE' options, where PACKAGE
is something like `gnu-as' or `x' (for the X Window System). The
`README' should mention any `--enable-' and `--with-' options that the
package recognizes.
For packages that use the X Window System, `configure' can usually
find the X include and library files automatically, but if it doesn't,
you can use the `configure' options `--x-includes=DIR' and
`--x-libraries=DIR' to specify their locations.
Some packages offer the ability to configure how verbose the
execution of `make' will be. For these packages, running `./configure
--enable-silent-rules' sets the default to minimal output, which can be
overridden with `make V=1'; while running `./configure
--disable-silent-rules' sets the default to verbose, which can be
overridden with `make V=0'.
Particular systems
==================
On HP-UX, the default C compiler is not ANSI C compatible. If GNU
CC is not installed, it is recommended to use the following options in
order to use an ANSI C compiler:
./configure CC="cc -Ae -D_XOPEN_SOURCE=500"
and if that doesn't work, install pre-built binaries of GCC for HP-UX.
HP-UX `make' updates targets which have the same time stamps as
their prerequisites, which makes it generally unusable when shipped
generated files such as `configure' are involved. Use GNU `make'
instead.
On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot
parse its `<wchar.h>' header file. The option `-nodtk' can be used as
a workaround. If GNU CC is not installed, it is therefore recommended
to try
./configure CC="cc"
and if that doesn't work, try
./configure CC="cc -nodtk"
On Solaris, don't put `/usr/ucb' early in your `PATH'. This
directory contains several dysfunctional programs; working variants of
these programs are available in `/usr/bin'. So, if you need `/usr/ucb'
in your `PATH', put it _after_ `/usr/bin'.
On Haiku, software installed for all users goes in `/boot/common',
not `/usr/local'. It is recommended to use the following options:
./configure --prefix=/boot/common
Specifying the System Type
==========================
There may be some features `configure' cannot figure out
automatically, but needs to determine by the type of machine the package
will run on. Usually, assuming the package is built to be run on the
_same_ architectures, `configure' can figure that out, but if it prints
a message saying it cannot guess the machine type, give it the
`--build=TYPE' option. TYPE can either be a short name for the system
type, such as `sun4', or a canonical name which has the form:
CPU-COMPANY-SYSTEM
where SYSTEM can have one of these forms:
OS
KERNEL-OS
See the file `config.sub' for the possible values of each field. If
`config.sub' isn't included in this package, then this package doesn't
need to know the machine type.
If you are _building_ compiler tools for cross-compiling, you should
use the option `--target=TYPE' to select the type of system they will
produce code for.
If you want to _use_ a cross compiler, that generates code for a
platform different from the build platform, you should specify the
"host" platform (i.e., that on which the generated programs will
eventually be run) with `--host=TYPE'.
Sharing Defaults
================
If you want to set default values for `configure' scripts to share,
you can create a site shell script called `config.site' that gives
default values for variables like `CC', `cache_file', and `prefix'.
`configure' looks for `PREFIX/share/config.site' if it exists, then
`PREFIX/etc/config.site' if it exists. Or, you can set the
`CONFIG_SITE' environment variable to the location of the site script.
A warning: not all `configure' scripts look for a site script.
Defining Variables
==================
Variables not defined in a site shell script can be set in the
environment passed to `configure'. However, some packages may run
configure again during the build, and the customized values of these
variables may be lost. In order to avoid this problem, you should set
them in the `configure' command line, using `VAR=value'. For example:
./configure CC=/usr/local2/bin/gcc
causes the specified `gcc' to be used as the C compiler (unless it is
overridden in the site shell script).
Unfortunately, this technique does not work for `CONFIG_SHELL' due to
an Autoconf limitation. Until the limitation is lifted, you can use
this workaround:
CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash
`configure' Invocation
======================
`configure' recognizes the following options to control how it
operates.
`--help'
`-h'
Print a summary of all of the options to `configure', and exit.
`--help=short'
`--help=recursive'
Print a summary of the options unique to this package's
`configure', and exit. The `short' variant lists options used
only in the top level, while the `recursive' variant lists options
also present in any nested packages.
`--version'
`-V'
Print the version of Autoconf used to generate the `configure'
script, and exit.
`--cache-file=FILE'
Enable the cache: use and save the results of the tests in FILE,
traditionally `config.cache'. FILE defaults to `/dev/null' to
disable caching.
`--config-cache'
`-C'
Alias for `--cache-file=config.cache'.
`--quiet'
`--silent'
`-q'
Do not print messages saying which checks are being made. To
suppress all normal output, redirect it to `/dev/null' (any error
messages will still be shown).
`--srcdir=DIR'
Look for the package's source code in directory DIR. Usually
`configure' can determine that directory automatically.
`--prefix=DIR'
Use DIR as the installation prefix. *note Installation Names::
for more details, including other options available for fine-tuning
the installation locations.
`--no-create'
`-n'
Run the configure checks, but stop before creating any output
files.
`configure' also accepts some other, not widely useful, options. Run
`configure --help' for more details.

12
INSTALL.FIPS
View File

@ -2,10 +2,12 @@ stunnel FIPS install notes
Unix HOWTO:
FIPS mode is autodetected if possible. You can force it with:
./configure --enable-fips
or disable with:
./configure --disable-fips
* Only dynamic linking of the FIPS-enabled OpenSSL is currently supported,
i.e. FIPS-enabled OpenSSL has to be configured with "shared" parameter.
* FIPS mode is autodetected if possible. It can be forced with:
./configure --enable-fips
or disable with:
./configure --disable-fips
WIN32 HOWTO:
* On 32-bit Windows install one of the following compilers:
@ -15,7 +17,7 @@ WIN32 HOWTO:
- MSVC 8.0 (VS 2005) Standard or Professional Edition
- MSVC 9.0 (VS 2008) Standard or Professional Edition
* Build FIPS-compliant OpenSSL DLLS according to:
http://www.openssl.org/docs/fips/UserGuide-1.2.pdf
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
* Build stunnel normally with MSVC or Mingw.
Mingw build requires DLL stubs. Stubs can be built with:
dlltool --def ms/libeay32.def --output-lib libcrypto.a

79
INSTALL.W32
View File

@ -1,51 +1,66 @@
stunnel Windows install notes
Building stunnel from source (optional):
Cross-compiling stunnel from source with MinGW (optional):
1) Install mingw32 cross-compiler o a Unix/Linux machine.
In Debian all you need is:
apt-get install gcc-mingw32
Native compilation on a Windows machine is possible, but not supported.
1) Install the mingw32 cross-compiler on a Unix/Linux machine.
On Debian (and derivatives, including Ubuntu):
sudo apt-get install gcc-mingw-w64-i686
On Arch Linux:
sudo pacman -S mingw-w64-gcc
2) Download the recent zlib from http://www.zlib.net/
Update the following definitions in win32/Makefile.gcc file:
SHARED_MODE=1
PREFIX = i586-mingw32msvc-
then build zlib with:
make -f win32/Makefile.gcc
and install it in mingw32 tree:
sudo BINARY_PATH=~/ \
INCLUDE_PATH=/usr/i586-mingw32msvc/include/ \
LIBRARY_PATH=/usr/i586-mingw32msvc/lib/ \
make -f win32/Makefile.gcc install
3) Download the recent OpenSSL in unpack it to /usr/src/ directory.
cd /usr/src
2) Download the recent OpenSSL and unpack it:
tar zvxf ~/openssl-(version).tar.gz
mv openssl-(version) openssl-(version)-i586
mv openssl-(version) openssl-(version)-i686
cd openssl-(version)-i686/
4) Build OpenSSL.
./Configure --cross-compile-prefix=i586-mingw32msvc- mingw shared zlib-dynamic
3) Build OpenSSL.
For 32-bit Windows:
./Configure \
--cross-compile-prefix=i686-w64-mingw32- \
--openssldir=/opt/openssl-mingw mingw shared
make
sudo make install
sudo cp ms/applink.c /opt/openssl-mingw/include/openssl/
For 64-bit Windows:
./Configure \
--cross-compile-prefix=x86_64-w64-mingw32- \
--openssldir=/opt/openssl-mingw64 mingw64 shared
make
sudo make install
sudo cp ms/applink.c /opt/openssl-mingw64/include/openssl/
5) Download and unpack stunnel-(version).tar.gz.
4) Download and unpack stunnel-(version).tar.gz.
6) Configure stunnel.
5) Configure stunnel:
cd stunnel-(version)
./configure --with-ssl=/path/to/openssl-(version)
./configure
7) Build windows executable.
6) Build Windows 32-bit and/or 64-bit executables:
cd src
make stunnel.exe
make mingw
make mingw64
Building stunnel from source with MinGW (optional):
Building on a Windows machine is possible, but not currently supported.
Building stunnel from source with Visual Studio (optional):
TODO
Installing stunnel:
1) run installer to install precompiled binaries or copy stunnel.exe and
OpenSSL DLLs into a directory
1) Run installer to install the precompiled binaries, or
copy the stunnel.exe or tstunnel.exe executable located in the
/stunnel-(version)/bin/mingw/ directory into the destination
directory on a Windows machine, and
copy OpenSSL DLLs: libeay32.dll, libssp-0.dll and ssleay32.dll
into the same directory, if necessary.
2) read the manual (stunnel.html)
3) create/edit stunnel.conf configuration file
2) Read the manual (stunnel.html).
3) Create/edit the stunnel.conf configuration file.

43
Makefile.am
View File

@ -1,4 +1,5 @@
## Process this file with automake to produce Makefile.in
# by Michal Trojnara 2015-2017
ACLOCAL_AMFLAGS = -I m4
@ -10,7 +11,7 @@ libtool: $(LIBTOOL_DEPS)
EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS
EXTRA_DIST += INSTALL.W32 INSTALL.WCE INSTALL.FIPS
EXTRA_DIST += build-android.sh
EXTRA_DIST += build-android.sh .travis.yml
docdir = $(datadir)/doc/stunnel
doc_DATA = INSTALL README TODO COPYING AUTHORS ChangeLog
@ -21,19 +22,39 @@ distcleancheck_listfiles = find -type f -exec sh -c 'test -f $(srcdir)/{} || ech
distclean-local:
rm -rf autom4te.cache
rm -f $(distdir)-installer.exe
# rm -f $(distdir)-win32-installer.exe
#dist-hook:
# makensis -NOCD -DVERSION=${VERSION} -DSRCDIR=$(srcdir) \
# -DOPENSSL=/usr/src/openssl-0.9.8u-fips/out32dll \
# -DZLIB=/usr/src/zlib-1.2.6-i586 \
# makensis -NOCD -DVERSION=${VERSION} \
# -DSTUNNEL_DIR=$(srcdir) \
# -DROOT_DIR=/usr/src \
# $(srcdir)/tools/stunnel.nsi
# cp -f $(distdir)-installer.exe ../dist
# gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir)-installer.exe
sign: dist
cp -f $(distdir).tar.gz ../dist
gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir).tar.gz
sha256sum $(distdir).tar.gz | tee ../dist/$(distdir).tar.gz.sha256
cp -f $(distdir).tar.gz $(distdir)-win32-installer.exe $(distdir)-android.zip ../dist
gpg-agent --daemon /bin/sh -c "cd ../dist; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir).tar.gz; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-win32-installer.exe; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-android.zip"
sha256sum $(distdir).tar.gz >../dist/$(distdir).tar.gz.sha256
sha256sum $(distdir)-win32-installer.exe >../dist/$(distdir)-win32-installer.exe.sha256
sha256sum $(distdir)-android.zip >../dist/$(distdir)-android.zip.sha256
cat ../dist/$(distdir)*.sha256 | tac
cert:
$(MAKE) -C tools cert
test:
$(abs_builddir)/src/stunnel -version
@echo "No tests are currently implemented"
install-data-hook:
@echo "*********************************************************"
@echo "* Type 'make cert' to also install a sample certificate *"
@echo "*********************************************************"
edit = sed \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g'
stunnel.pod: Makefile
$(edit) '$(srcdir)/$@.in' >$@
stunnel.pod: $(srcdir)/stunnel.pod

465
Makefile.in
View File

@ -1,9 +1,8 @@
# Makefile.in generated by automake 1.11.1 from Makefile.am.
# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
# Inc.
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@ -15,7 +14,54 @@
@SET_MAKE@
# by Michal Trojnara 2015-2017
VPATH = @srcdir@
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@ -35,11 +81,14 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = .
DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \
$(srcdir)/Makefile.in $(top_srcdir)/configure AUTHORS COPYING \
ChangeLog INSTALL NEWS TODO auto/compile auto/config.guess \
auto/config.sub auto/depcomp auto/install-sh auto/ltmain.sh \
auto/missing
DIST_COMMON = INSTALL NEWS README AUTHORS ChangeLog \
$(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(top_srcdir)/configure $(am__configure_deps) COPYING TODO \
auto/compile auto/config.guess auto/config.sub auto/depcomp \
auto/install-sh auto/missing auto/ltmain.sh \
$(top_srcdir)/auto/compile $(top_srcdir)/auto/config.guess \
$(top_srcdir)/auto/config.sub $(top_srcdir)/auto/install-sh \
$(top_srcdir)/auto/ltmain.sh $(top_srcdir)/auto/missing
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
@ -53,15 +102,33 @@ mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/src/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
SOURCES =
DIST_SOURCES =
RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
html-recursive info-recursive install-data-recursive \
install-dvi-recursive install-exec-recursive \
install-html-recursive install-info-recursive \
install-pdf-recursive install-ps-recursive install-recursive \
installcheck-recursive installdirs-recursive pdf-recursive \
ps-recursive uninstall-recursive
RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
ctags-recursive dvi-recursive html-recursive info-recursive \
install-data-recursive install-dvi-recursive \
install-exec-recursive install-html-recursive \
install-info-recursive install-pdf-recursive \
install-ps-recursive install-recursive installcheck-recursive \
installdirs-recursive pdf-recursive ps-recursive \
tags-recursive uninstall-recursive
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@ -83,23 +150,53 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
am__installdirs = "$(DESTDIR)$(docdir)"
DATA = $(doc_DATA)
RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
distclean-recursive maintainer-clean-recursive
AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
$(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \
distdir dist dist-all distcheck
am__recursive_targets = \
$(RECURSIVE_TARGETS) \
$(RECURSIVE_CLEAN_TARGETS) \
$(am__extra_recursive_targets)
AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
cscope distdir dist dist-all distcheck
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates. Input order is
# *not* preserved.
am__uniquify_input = $(AWK) '\
BEGIN { nonempty = 0; } \
{ items[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in items) print i; }; } \
'
# Make sure the list of sources is unique. This is necessary because,
# e.g., the same source file might be shared among _SOURCES variables
# for different programs/libraries.
am__define_uniq_tagged_files = \
list='$(am__tagged_files)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
CSCOPE = cscope
DIST_SUBDIRS = $(SUBDIRS)
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
distdir = $(PACKAGE)-$(VERSION)
top_distdir = $(distdir)
am__remove_distdir = \
{ test ! -d "$(distdir)" \
|| { find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
&& rm -fr "$(distdir)"; }; }
if test -d "$(distdir)"; then \
find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
&& rm -rf "$(distdir)" \
|| { sleep 5 && rm -rf "$(distdir)"; }; \
else :; fi
am__post_remove_distdir = $(am__remove_distdir)
am__relativize = \
dir0=`pwd`; \
sed_first='s,^\([^/]*\)/.*$$,\1,'; \
@ -127,9 +224,13 @@ am__relativize = \
reldir="$$dir2"
DIST_ARCHIVES = $(distdir).tar.gz
GZIP_ENV = --best
DIST_TARGETS = dist-gzip
distuninstallcheck_listfiles = find . -type f -print
am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \
| sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$'
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
@ -144,6 +245,7 @@ CYGPATH_W = @CYGPATH_W@
DEFAULT_GROUP = @DEFAULT_GROUP@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@ -168,6 +270,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
@ -183,6 +286,9 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PTHREAD_CC = @PTHREAD_CC@
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
PTHREAD_LIBS = @PTHREAD_LIBS@
RANDOM_FILE = @RANDOM_FILE@
RANLIB = @RANLIB@
SED = @SED@
@ -195,6 +301,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@ -202,6 +309,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
ax_pthread_config = @ax_pthread_config@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@ -227,7 +335,6 @@ libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
lt_ECHO = @lt_ECHO@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
@ -235,12 +342,10 @@ pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
stunnel_CFLAGS = @stunnel_CFLAGS@
stunnel_LDFLAGF = @stunnel_LDFLAGF@
stunnel_LDFLAGS = @stunnel_LDFLAGS@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
@ -249,14 +354,18 @@ top_srcdir = @top_srcdir@
ACLOCAL_AMFLAGS = -I m4
SUBDIRS = src doc tools
EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE \
INSTALL.FIPS build-android.sh
INSTALL.FIPS build-android.sh .travis.yml
doc_DATA = INSTALL README TODO COPYING AUTHORS ChangeLog PORTS BUGS \
COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE INSTALL.FIPS
distcleancheck_listfiles = find -type f -exec sh -c 'test -f $(srcdir)/{} || echo {}' ';'
edit = sed \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g'
all: all-recursive
.SUFFIXES:
am--refresh:
am--refresh: Makefile
@:
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
@ -301,8 +410,11 @@ distclean-libtool:
-rm -f libtool config.lt
install-docDATA: $(doc_DATA)
@$(NORMAL_INSTALL)
test -z "$(docdir)" || $(MKDIR_P) "$(DESTDIR)$(docdir)"
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
@ -316,27 +428,28 @@ uninstall-docDATA:
@$(NORMAL_UNINSTALL)
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
test -n "$$files" || exit 0; \
echo " ( cd '$(DESTDIR)$(docdir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(docdir)" && rm -f $$files
dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir)
# This directory's subdirectories are mostly independent; you can cd
# into them and run `make' without going through this Makefile.
# To change the values of `make' variables: instead of editing Makefiles,
# (1) if the variable is set in `config.status', edit `config.status'
# (which will cause the Makefiles to be regenerated when you run `make');
# (2) otherwise, pass the desired values on the `make' command line.
$(RECURSIVE_TARGETS):
@fail= failcom='exit 1'; \
for f in x $$MAKEFLAGS; do \
case $$f in \
*=* | --[!k]*);; \
*k*) failcom='fail=yes';; \
esac; \
done; \
# into them and run 'make' without going through this Makefile.
# To change the values of 'make' variables: instead of editing Makefiles,
# (1) if the variable is set in 'config.status', edit 'config.status'
# (which will cause the Makefiles to be regenerated when you run 'make');
# (2) otherwise, pass the desired values on the 'make' command line.
$(am__recursive_targets):
@fail=; \
if $(am__make_keepgoing); then \
failcom='fail=yes'; \
else \
failcom='exit 1'; \
fi; \
dot_seen=no; \
target=`echo $@ | sed s/-recursive//`; \
list='$(SUBDIRS)'; for subdir in $$list; do \
case "$@" in \
distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
*) list='$(SUBDIRS)' ;; \
esac; \
for subdir in $$list; do \
echo "Making $$target in $$subdir"; \
if test "$$subdir" = "."; then \
dot_seen=yes; \
@ -351,57 +464,12 @@ $(RECURSIVE_TARGETS):
$(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
fi; test -z "$$fail"
$(RECURSIVE_CLEAN_TARGETS):
@fail= failcom='exit 1'; \
for f in x $$MAKEFLAGS; do \
case $$f in \
*=* | --[!k]*);; \
*k*) failcom='fail=yes';; \
esac; \
done; \
dot_seen=no; \
case "$@" in \
distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
*) list='$(SUBDIRS)' ;; \
esac; \
rev=''; for subdir in $$list; do \
if test "$$subdir" = "."; then :; else \
rev="$$subdir $$rev"; \
fi; \
done; \
rev="$$rev ."; \
target=`echo $@ | sed s/-recursive//`; \
for subdir in $$rev; do \
echo "Making $$target in $$subdir"; \
if test "$$subdir" = "."; then \
local_target="$$target-am"; \
else \
local_target="$$target"; \
fi; \
($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
|| eval $$failcom; \
done && test -z "$$fail"
tags-recursive:
list='$(SUBDIRS)'; for subdir in $$list; do \
test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
done
ctags-recursive:
list='$(SUBDIRS)'; for subdir in $$list; do \
test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
done
ID: $(am__tagged_files)
$(am__define_uniq_tagged_files); mkid -fID $$unique
tags: tags-recursive
TAGS: tags
ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
set x; \
here=`pwd`; \
if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
@ -417,12 +485,7 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
fi; \
done; \
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
$(am__define_uniq_tagged_files); \
shift; \
if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
@ -434,15 +497,11 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$$unique; \
fi; \
fi
ctags: CTAGS
CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
ctags: ctags-recursive
CTAGS: ctags
ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
$(am__define_uniq_tagged_files); \
test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
$$unique
@ -451,9 +510,31 @@ GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
&& $(am__cd) $(top_srcdir) \
&& gtags -i $(GTAGS_ARGS) "$$here"
cscope: cscope.files
test ! -s cscope.files \
|| $(CSCOPE) -b -q $(AM_CSCOPEFLAGS) $(CSCOPEFLAGS) -i cscope.files $(CSCOPE_ARGS)
clean-cscope:
-rm -f cscope.files
cscope.files: clean-cscope cscopelist
cscopelist: cscopelist-recursive
cscopelist-am: $(am__tagged_files)
list='$(am__tagged_files)'; \
case "$(srcdir)" in \
[\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
*) sdir=$(subdir)/$(srcdir) ;; \
esac; \
for i in $$list; do \
if test -f "$$i"; then \
echo "$(subdir)/$$i"; \
else \
echo "$$sdir/$$i"; \
fi; \
done >> $(top_builddir)/cscope.files
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-rm -f cscope.out cscope.in.out cscope.po.out cscope.files
distdir: $(DISTFILES)
$(am__remove_distdir)
@ -489,13 +570,10 @@ distdir: $(DISTFILES)
done
@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
if test "$$subdir" = .; then :; else \
test -d "$(distdir)/$$subdir" \
|| $(MKDIR_P) "$(distdir)/$$subdir" \
|| exit 1; \
fi; \
done
@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
if test "$$subdir" = .; then :; else \
$(am__make_dryrun) \
|| test -d "$(distdir)/$$subdir" \
|| $(MKDIR_P) "$(distdir)/$$subdir" \
|| exit 1; \
dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
$(am__relativize); \
new_distdir=$$reldir; \
@ -524,36 +602,42 @@ distdir: $(DISTFILES)
|| chmod -R a+r "$(distdir)"
dist-gzip: distdir
tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
$(am__remove_distdir)
$(am__post_remove_distdir)
dist-bzip2: distdir
tardir=$(distdir) && $(am__tar) | bzip2 -9 -c >$(distdir).tar.bz2
$(am__remove_distdir)
tardir=$(distdir) && $(am__tar) | BZIP2=$${BZIP2--9} bzip2 -c >$(distdir).tar.bz2
$(am__post_remove_distdir)
dist-lzma: distdir
tardir=$(distdir) && $(am__tar) | lzma -9 -c >$(distdir).tar.lzma
$(am__remove_distdir)
dist-lzip: distdir
tardir=$(distdir) && $(am__tar) | lzip -c $${LZIP_OPT--9} >$(distdir).tar.lz
$(am__post_remove_distdir)
dist-xz: distdir
tardir=$(distdir) && $(am__tar) | xz -c >$(distdir).tar.xz
$(am__remove_distdir)
tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz
$(am__post_remove_distdir)
dist-tarZ: distdir
@echo WARNING: "Support for shar distribution archives is" \
"deprecated." >&2
@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z
$(am__remove_distdir)
$(am__post_remove_distdir)
dist-shar: distdir
@echo WARNING: "Support for distribution archives compressed with" \
"legacy program 'compress' is deprecated." >&2
@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz
$(am__remove_distdir)
$(am__post_remove_distdir)
dist-zip: distdir
-rm -f $(distdir).zip
zip -rq $(distdir).zip $(distdir)
$(am__remove_distdir)
$(am__post_remove_distdir)
dist dist-all: distdir
tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
$(am__remove_distdir)
dist dist-all:
$(MAKE) $(AM_MAKEFLAGS) $(DIST_TARGETS) am__post_remove_distdir='@:'
$(am__post_remove_distdir)
# This target untars the dist file and tries a VPATH configuration. Then
# it guarantees that the distribution is self-contained by making another
@ -564,8 +648,8 @@ distcheck: dist
GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\
*.tar.bz2*) \
bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\
*.tar.lzma*) \
lzma -dc $(distdir).tar.lzma | $(am__untar) ;;\
*.tar.lz*) \
lzip -dc $(distdir).tar.lz | $(am__untar) ;;\
*.tar.xz*) \
xz -dc $(distdir).tar.xz | $(am__untar) ;;\
*.tar.Z*) \
@ -575,17 +659,19 @@ distcheck: dist
*.zip*) \
unzip $(distdir).zip ;;\
esac
chmod -R a-w $(distdir); chmod u+w $(distdir)
mkdir $(distdir)/_build
mkdir $(distdir)/_inst
chmod -R a-w $(distdir)
chmod u+w $(distdir)
mkdir $(distdir)/_build $(distdir)/_inst
chmod a-w $(distdir)
test -d $(distdir)/_build || exit 0; \
dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \
&& dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
&& am__cwd=`pwd` \
&& $(am__cd) $(distdir)/_build \
&& ../configure --srcdir=.. --prefix="$$dc_install_base" \
&& ../configure \
$(AM_DISTCHECK_CONFIGURE_FLAGS) \
$(DISTCHECK_CONFIGURE_FLAGS) \
--srcdir=.. --prefix="$$dc_install_base" \
&& $(MAKE) $(AM_MAKEFLAGS) \
&& $(MAKE) $(AM_MAKEFLAGS) dvi \
&& $(MAKE) $(AM_MAKEFLAGS) check \
@ -608,13 +694,21 @@ distcheck: dist
&& $(MAKE) $(AM_MAKEFLAGS) distcleancheck \
&& cd "$$am__cwd" \
|| exit 1
$(am__remove_distdir)
$(am__post_remove_distdir)
@(echo "$(distdir) archives ready for distribution: "; \
list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \
sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x'
distuninstallcheck:
@$(am__cd) '$(distuninstallcheck_dir)' \
&& test `$(distuninstallcheck_listfiles) | wc -l` -le 1 \
@test -n '$(distuninstallcheck_dir)' || { \
echo 'ERROR: trying to run $@ with an empty' \
'$$(distuninstallcheck_dir)' >&2; \
exit 1; \
}; \
$(am__cd) '$(distuninstallcheck_dir)' || { \
echo 'ERROR: cannot chdir into $(distuninstallcheck_dir)' >&2; \
exit 1; \
}; \
test `$(am__distuninstallcheck_listfiles) | wc -l` -eq 0 \
|| { echo "ERROR: files left after uninstall:" ; \
if test -n "$(DESTDIR)"; then \
echo " (check DESTDIR support)"; \
@ -648,10 +742,15 @@ install-am: all-am
installcheck: installcheck-recursive
install-strip:
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
`test -z '$(STRIP)' || \
echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
@ -686,7 +785,8 @@ info: info-recursive
info-am:
install-data-am: install-docDATA
@$(NORMAL_INSTALL)
$(MAKE) $(AM_MAKEFLAGS) install-data-hook
install-dvi: install-dvi-recursive
install-dvi-am:
@ -733,46 +833,63 @@ ps-am:
uninstall-am: uninstall-docDATA
.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \
install-am install-strip tags-recursive
.MAKE: $(am__recursive_targets) install-am install-data-am \
install-strip
.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
all all-am am--refresh check check-am clean clean-generic \
clean-libtool ctags ctags-recursive dist dist-all dist-bzip2 \
dist-gzip dist-lzma dist-shar dist-tarZ dist-xz dist-zip \
distcheck distclean distclean-generic distclean-libtool \
distclean-local distclean-tags distcleancheck distdir \
distuninstallcheck dvi dvi-am html html-am info info-am \
install install-am install-data install-data-am \
install-docDATA install-dvi install-dvi-am install-exec \
install-exec-am install-html install-html-am install-info \
install-info-am install-man install-pdf install-pdf-am \
install-ps install-ps-am install-strip installcheck \
installcheck-am installdirs installdirs-am maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-generic \
mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \
uninstall uninstall-am uninstall-docDATA
.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \
am--refresh check check-am clean clean-cscope clean-generic \
clean-libtool cscope cscopelist-am ctags ctags-am dist \
dist-all dist-bzip2 dist-gzip dist-lzip dist-shar dist-tarZ \
dist-xz dist-zip distcheck distclean distclean-generic \
distclean-libtool distclean-local distclean-tags \
distcleancheck distdir distuninstallcheck dvi dvi-am html \
html-am info info-am install install-am install-data \
install-data-am install-data-hook install-docDATA install-dvi \
install-dvi-am install-exec install-exec-am install-html \
install-html-am install-info install-info-am install-man \
install-pdf install-pdf-am install-ps install-ps-am \
install-strip installcheck installcheck-am installdirs \
installdirs-am maintainer-clean maintainer-clean-generic \
mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
ps ps-am tags tags-am uninstall uninstall-am uninstall-docDATA
libtool: $(LIBTOOL_DEPS)
$(SHELL) ./config.status libtool
distclean-local:
rm -rf autom4te.cache
rm -f $(distdir)-installer.exe
# rm -f $(distdir)-win32-installer.exe
#dist-hook:
# makensis -NOCD -DVERSION=${VERSION} -DSRCDIR=$(srcdir) \
# -DOPENSSL=/usr/src/openssl-0.9.8u-fips/out32dll \
# -DZLIB=/usr/src/zlib-1.2.6-i586 \
# makensis -NOCD -DVERSION=${VERSION} \
# -DSTUNNEL_DIR=$(srcdir) \
# -DROOT_DIR=/usr/src \
# $(srcdir)/tools/stunnel.nsi
# cp -f $(distdir)-installer.exe ../dist
# gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir)-installer.exe
sign: dist
cp -f $(distdir).tar.gz ../dist
gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir).tar.gz
sha256sum $(distdir).tar.gz | tee ../dist/$(distdir).tar.gz.sha256
cp -f $(distdir).tar.gz $(distdir)-win32-installer.exe $(distdir)-android.zip ../dist
gpg-agent --daemon /bin/sh -c "cd ../dist; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir).tar.gz; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-win32-installer.exe; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-android.zip"
sha256sum $(distdir).tar.gz >../dist/$(distdir).tar.gz.sha256
sha256sum $(distdir)-win32-installer.exe >../dist/$(distdir)-win32-installer.exe.sha256
sha256sum $(distdir)-android.zip >../dist/$(distdir)-android.zip.sha256
cat ../dist/$(distdir)*.sha256 | tac
cert:
$(MAKE) -C tools cert
test:
$(abs_builddir)/src/stunnel -version
@echo "No tests are currently implemented"
install-data-hook:
@echo "*********************************************************"
@echo "* Type 'make cert' to also install a sample certificate *"
@echo "*********************************************************"
stunnel.pod: Makefile
$(edit) '$(srcdir)/$@.in' >$@
stunnel.pod: $(srcdir)/stunnel.pod
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.

13
PORTS
View File

@ -1,22 +1,17 @@
stunnel known port maintainers
* AmigaOS
- Diego Casorran <dcr8520@amiga.org>
* Cygwin
- Andrew Schulman <andrex@alumni.utexas.net>
* Debian GNU/Linux
- Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com>
- Peter Pentchev <roam@ringlet.net>
* FreeBSD
- Ryan Steinmetz <zi@FreeBSD.org>
* NetBSD
- Martti Kuparinen <martti.kuparinen@iki.fi>
* OpenBSD
- Jakob Schlyter <jakob@openbsd.org>
* OpenSolaris
- Mark Fenwick <Mark.Fenwick@sun.com>
* OS/2
- Paul Smedley <paul@smedley.info>
- Gleydson Soares <gsoares@openbsd.org>
* OpenCSW Solaris
- Dagobert Michelsen <dam@opencsw.org>
* RedHat Linux
- Damien Miller <dmiller@ilogic.com.au>

55
TODO
View File

@ -3,41 +3,48 @@ stunnel TODO
High priority features. They will likely be supported some day.
A sponsor could allocate my time to get them faster.
* Perform protocol negotiations after SSL negotiations if possible.
* Command-line server control interface on both Unix and Windows.
* Separate GUI process running as current user on Windows.
* Add client certificate autoselection based on the list of accepted issuers:
SSL_CTX_set_client_cert_cb(), SSL_get_client_CA_list().
* Add an Apparmor profile.
* Optional line-buffering of the log file.
* etc/stunnel/conf.d/* files automatically processed while reading
etc/stunnel/stunnel.conf
* Android GUI.
* Support for CryptoAPI certificates and private keys with OpenSSL CAPI
engine (this feature is incompatible with FIPS support).
* Indirect CRL support (RFC 3280, section 5).
* Log rotation on Windows.
* Configuration file option to limit the number of concurrent connections.
* SOCKS 4 protocol support.
http://archive.socks.permeo.com/protocol/socks4.protocol
* Option to redirect instead of rejecting connections on failed authentication.
Low priority features. They will unlikely ever be supported.
* Implement reference counting of the SERVICE_OPTIONS structure
- Add 'leastconn' failover strategy to order defined 'connect' targets
by the number of active connections.
- Add '-status' command line option reporting the number of clients
connected to each service.
- Deallocate SERVICE_OPTIONS structure when the configuration file
is reloaded *and* old connections are closed.
* Command-line server control interface on both Unix and Windows.
* Separate GUI process running as the current user on Windows.
* An Android GUI.
* OCSP stapling (tlsext_status).
* Extend session tickets and/or sessiond to also serialize application
data ("redirect" state and session persistence).
* Indirect CRL support (RFC 3280, section 5).
* Provide 64-bit Windows builds (besides 32-bit builds).
This requires either Microsoft Visual Studio Standard Edition or Microsoft
Visual Studio Professional Edition in order to retain FIPS compliance.
* Service-level logging configuration (separate verbosity and destination).
* Key renegotiation (re-handshake) for long connections.
* MSI installer for Windows.
* Add user-defined headers to CONNECT proxy requests.
This can be used to impersonate other software (e.g. web browsers).
Low priority features. They will unlikely ever be supported.
* Database and/or directory interface for retrieving PSK secrets.
* Support static FIPS-enabled build.
* Service-level logging destination.
* Enforce key renegotiation (re-handshake) for long connections.
* Logging to NT EventLog on Windows.
* Log rotation on Windows.
* Internationalization of logged messages (i18n).
* Generic scripting engine instead or static protocol.c.
Features I won't support, unless convinced otherwise by a wealthy sponsor.
* Protocol support *after* SSL is negotiated:
- Support for adding X-Forwarded-For to HTTP request headers.
This feature is less useful since PROXY protocol support is available.
- Support for adding X-Forwarded-For to SMTP email headers.
This feature is most likely to be implemented as a separate proxy.
* Support for adding X-Forwarded-For to HTTP request headers.
This feature is less useful since PROXY protocol support is available.
* Support for adding X-Forwarded-For to SMTP email headers.
This feature is most likely to be implemented as a separate proxy.
* Additional certificate checks (including wildcard comparison) based on:
- CN (Common Name);
- SAN (Subject Alternative Name);
- O (Organization), and
- OU (Organizational Unit).
* Set processes title that appear on the ps(1) and top(1) commands.

1451
aclocal.m4 vendored
View File

File diff suppressed because it is too large Load Diff

232
auto/compile
View File

@ -1,10 +1,9 @@
#! /bin/sh
# Wrapper for compilers which do not understand `-c -o'.
# Wrapper for compilers which do not understand '-c -o'.
scriptversion=2009-10-06.20; # UTC
scriptversion=2012-10-14.11; # UTC
# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2009 Free Software
# Foundation, Inc.
# Copyright (C) 1999-2013 Free Software Foundation, Inc.
# Written by Tom Tromey <tromey@cygnus.com>.
#
# This program is free software; you can redistribute it and/or modify
@ -29,21 +28,224 @@ scriptversion=2009-10-06.20; # UTC
# bugs to <bug-automake@gnu.org> or send patches to
# <automake-patches@gnu.org>.
nl='
'
# We need space, tab and new line, in precisely that order. Quoting is
# there to prevent tools from complaining about whitespace usage.
IFS=" "" $nl"
file_conv=
# func_file_conv build_file lazy
# Convert a $build file to $host form and store it in $file
# Currently only supports Windows hosts. If the determined conversion
# type is listed in (the comma separated) LAZY, no conversion will
# take place.
func_file_conv ()
{
file=$1
case $file in
/ | /[!/]*) # absolute file, and not a UNC file
if test -z "$file_conv"; then
# lazily determine how to convert abs files
case `uname -s` in
MINGW*)
file_conv=mingw
;;
CYGWIN*)
file_conv=cygwin
;;
*)
file_conv=wine
;;
esac
fi
case $file_conv/,$2, in
*,$file_conv,*)
;;
mingw/*)
file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'`
;;
cygwin/*)
file=`cygpath -m "$file" || echo "$file"`
;;
wine/*)
file=`winepath -w "$file" || echo "$file"`
;;
esac
;;
esac
}
# func_cl_dashL linkdir
# Make cl look for libraries in LINKDIR
func_cl_dashL ()
{
func_file_conv "$1"
if test -z "$lib_path"; then
lib_path=$file
else
lib_path="$lib_path;$file"
fi
linker_opts="$linker_opts -LIBPATH:$file"
}
# func_cl_dashl library
# Do a library search-path lookup for cl
func_cl_dashl ()
{
lib=$1
found=no
save_IFS=$IFS
IFS=';'
for dir in $lib_path $LIB
do
IFS=$save_IFS
if $shared && test -f "$dir/$lib.dll.lib"; then
found=yes
lib=$dir/$lib.dll.lib
break
fi
if test -f "$dir/$lib.lib"; then
found=yes
lib=$dir/$lib.lib
break
fi
if test -f "$dir/lib$lib.a"; then
found=yes
lib=$dir/lib$lib.a
break
fi
done
IFS=$save_IFS
if test "$found" != yes; then
lib=$lib.lib
fi
}
# func_cl_wrapper cl arg...
# Adjust compile command to suit cl
func_cl_wrapper ()
{
# Assume a capable shell
lib_path=
shared=:
linker_opts=
for arg
do
if test -n "$eat"; then
eat=
else
case $1 in
-o)
# configure might choose to run compile as 'compile cc -o foo foo.c'.
eat=1
case $2 in
*.o | *.[oO][bB][jJ])
func_file_conv "$2"
set x "$@" -Fo"$file"
shift
;;
*)
func_file_conv "$2"
set x "$@" -Fe"$file"
shift
;;
esac
;;
-I)
eat=1
func_file_conv "$2" mingw
set x "$@" -I"$file"
shift
;;
-I*)
func_file_conv "${1#-I}" mingw
set x "$@" -I"$file"
shift
;;
-l)
eat=1
func_cl_dashl "$2"
set x "$@" "$lib"
shift
;;
-l*)
func_cl_dashl "${1#-l}"
set x "$@" "$lib"
shift
;;
-L)
eat=1
func_cl_dashL "$2"
;;
-L*)
func_cl_dashL "${1#-L}"
;;
-static)
shared=false
;;
-Wl,*)
arg=${1#-Wl,}
save_ifs="$IFS"; IFS=','
for flag in $arg; do
IFS="$save_ifs"
linker_opts="$linker_opts $flag"
done
IFS="$save_ifs"
;;
-Xlinker)
eat=1
linker_opts="$linker_opts $2"
;;
-*)
set x "$@" "$1"
shift
;;
*.cc | *.CC | *.cxx | *.CXX | *.[cC]++)
func_file_conv "$1"
set x "$@" -Tp"$file"
shift
;;
*.c | *.cpp | *.CPP | *.lib | *.LIB | *.Lib | *.OBJ | *.obj | *.[oO])
func_file_conv "$1" mingw
set x "$@" "$file"
shift
;;
*)
set x "$@" "$1"
shift
;;
esac
fi
shift
done
if test -n "$linker_opts"; then
linker_opts="-link$linker_opts"
fi
exec "$@" $linker_opts
exit 1
}
eat=
case $1 in
'')
echo "$0: No command. Try \`$0 --help' for more information." 1>&2
echo "$0: No command. Try '$0 --help' for more information." 1>&2
exit 1;
;;
-h | --h*)
cat <<\EOF
Usage: compile [--help] [--version] PROGRAM [ARGS]
Wrapper for compilers which do not understand `-c -o'.
Remove `-o dest.o' from ARGS, run PROGRAM with the remaining
Wrapper for compilers which do not understand '-c -o'.
Remove '-o dest.o' from ARGS, run PROGRAM with the remaining
arguments, and rename the output as expected.
If you are trying to build a whole package this is not the
right script to run: please start by reading the file `INSTALL'.
right script to run: please start by reading the file 'INSTALL'.
Report bugs to <bug-automake@gnu.org>.
EOF
@ -53,11 +255,13 @@ EOF
echo "compile $scriptversion"
exit $?
;;
cl | *[/\\]cl | cl.exe | *[/\\]cl.exe )
func_cl_wrapper "$@" # Doesn't return...
;;
esac
ofile=
cfile=
eat=
for arg
do
@ -66,8 +270,8 @@ do
else
case $1 in
-o)
# configure might choose to run compile as `compile cc -o foo foo.c'.
# So we strip `-o arg' only if arg is an object.
# configure might choose to run compile as 'compile cc -o foo foo.c'.
# So we strip '-o arg' only if arg is an object.
eat=1
case $2 in
*.o | *.obj)
@ -94,10 +298,10 @@ do
done
if test -z "$ofile" || test -z "$cfile"; then
# If no `-o' option was seen then we might have been invoked from a
# If no '-o' option was seen then we might have been invoked from a
# pattern rule where we don't need one. That is ok -- this is a
# normal compilation that the losing compiler can handle. If no
# `.c' file was seen then we are probably linking. That is also
# '.c' file was seen then we are probably linking. That is also
# ok.
exec "$@"
fi
@ -106,7 +310,7 @@ fi
cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'`
# Create the lock directory.
# Note: use `[/\\:.-]' here to ensure that we don't use the same name
# Note: use '[/\\:.-]' here to ensure that we don't use the same name
# that we are using for the .o file. Also, base the name on the expected
# object file name, since that is what matters with a parallel build.
lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d

358
auto/config.guess vendored Normal file → Executable file
View File

@ -1,14 +1,12 @@
#! /bin/sh
# Attempt to guess a canonical system name.
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
# 2011 Free Software Foundation, Inc.
# Copyright 1992-2014 Free Software Foundation, Inc.
timestamp='2011-11-11'
timestamp='2014-03-23'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
@ -17,26 +15,22 @@ timestamp='2011-11-11'
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
# 02110-1301, USA.
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# Originally written by Per Bothner. Please send patches (context
# diff format) to <config-patches@gnu.org> and include a ChangeLog
# entry.
# the same distribution terms that you use for the rest of that
# program. This Exception is an additional permission under section 7
# of the GNU General Public License, version 3 ("GPLv3").
#
# This script attempts to guess a canonical system name similar to
# config.sub. If it succeeds, it prints the system name on stdout, and
# exits with 0. Otherwise, it exits with 1.
# Originally written by Per Bothner.
#
# You can get the latest version of this script from:
# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
#
# Please send patches with a ChangeLog entry to config-patches@gnu.org.
me=`echo "$0" | sed -e 's,.*/,,'`
@ -56,9 +50,7 @@ version="\
GNU config.guess ($timestamp)
Originally written by Per Bothner.
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free
Software Foundation, Inc.
Copyright 1992-2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -140,12 +132,33 @@ UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown
UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
case "${UNAME_SYSTEM}" in
Linux|GNU|GNU/*)
# If the system lacks a compiler, then just pick glibc.
# We could probably try harder.
LIBC=gnu
eval $set_cc_for_build
cat <<-EOF > $dummy.c
#include <features.h>
#if defined(__UCLIBC__)
LIBC=uclibc
#elif defined(__dietlibc__)
LIBC=dietlibc
#else
LIBC=gnu
#endif
EOF
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'`
;;
esac
# Note: order is significant - the case branches are not exclusive.
case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
*:NetBSD:*:*)
# NetBSD (nbsd) targets should (where applicable) match one or
# more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
# more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*,
# *-*-netbsdecoff* and *-*-netbsd*. For targets that recently
# switched to ELF, *-*-netbsd* would select the old
# object file format. This provides both forward
@ -202,6 +215,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
echo "${machine}-${os}${release}"
exit ;;
*:Bitrig:*:*)
UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'`
echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE}
exit ;;
*:OpenBSD:*:*)
UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
@ -304,7 +321,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
echo arm-acorn-riscix${UNAME_RELEASE}
exit ;;
arm:riscos:*:*|arm:RISCOS:*:*)
arm*:riscos:*:*|arm*:RISCOS:*:*)
echo arm-unknown-riscos
exit ;;
SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
@ -803,10 +820,13 @@ EOF
i*:CYGWIN*:*)
echo ${UNAME_MACHINE}-pc-cygwin
exit ;;
*:MINGW64*:*)
echo ${UNAME_MACHINE}-pc-mingw64
exit ;;
*:MINGW*:*)
echo ${UNAME_MACHINE}-pc-mingw32
exit ;;
i*:MSYS*:*)
*:MSYS*:*)
echo ${UNAME_MACHINE}-pc-msys
exit ;;
i*:windows32*:*)
@ -854,15 +874,22 @@ EOF
exit ;;
*:GNU:*:*)
# the GNU system
echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
exit ;;
*:GNU/*:*:*)
# other systems with GNU libc and userland
echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu
echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC}
exit ;;
i*86:Minix:*:*)
echo ${UNAME_MACHINE}-pc-minix
exit ;;
aarch64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
aarch64_be:Linux:*:*)
UNAME_MACHINE=aarch64_be
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
alpha:Linux:*:*)
case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
EV5) UNAME_MACHINE=alphaev5 ;;
@ -874,59 +901,54 @@ EOF
EV68*) UNAME_MACHINE=alphaev68 ;;
esac
objdump --private-headers /bin/sh | grep -q ld.so.1
if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
if test "$?" = 0 ; then LIBC="gnulibc1" ; fi
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
arc:Linux:*:* | arceb:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
arm*:Linux:*:*)
eval $set_cc_for_build
if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \
| grep -q __ARM_EABI__
then
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
else
if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \
| grep -q __ARM_PCS_VFP
then
echo ${UNAME_MACHINE}-unknown-linux-gnueabi
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi
else
echo ${UNAME_MACHINE}-unknown-linux-gnueabihf
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf
fi
fi
exit ;;
avr32*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
cris:Linux:*:*)
echo cris-axis-linux-gnu
echo ${UNAME_MACHINE}-axis-linux-${LIBC}
exit ;;
crisv32:Linux:*:*)
echo crisv32-axis-linux-gnu
echo ${UNAME_MACHINE}-axis-linux-${LIBC}
exit ;;
frv:Linux:*:*)
echo frv-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
hexagon:Linux:*:*)
echo hexagon-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
i*86:Linux:*:*)
LIBC=gnu
eval $set_cc_for_build
sed 's/^ //' << EOF >$dummy.c
#ifdef __dietlibc__
LIBC=dietlibc
#endif
EOF
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'`
echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
echo ${UNAME_MACHINE}-pc-linux-${LIBC}
exit ;;
ia64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
m32r*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
m68*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
mips:Linux:*:* | mips64:Linux:*:*)
eval $set_cc_for_build
@ -945,54 +967,63 @@ EOF
#endif
EOF
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; }
;;
or32:Linux:*:*)
echo or32-unknown-linux-gnu
openrisc*:Linux:*:*)
echo or1k-unknown-linux-${LIBC}
exit ;;
or32:Linux:*:* | or1k*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
padre:Linux:*:*)
echo sparc-unknown-linux-gnu
echo sparc-unknown-linux-${LIBC}
exit ;;
parisc64:Linux:*:* | hppa64:Linux:*:*)
echo hppa64-unknown-linux-gnu
echo hppa64-unknown-linux-${LIBC}
exit ;;
parisc:Linux:*:* | hppa:Linux:*:*)
# Look for CPU level
case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
PA7*) echo hppa1.1-unknown-linux-gnu ;;
PA8*) echo hppa2.0-unknown-linux-gnu ;;
*) echo hppa-unknown-linux-gnu ;;
PA7*) echo hppa1.1-unknown-linux-${LIBC} ;;
PA8*) echo hppa2.0-unknown-linux-${LIBC} ;;
*) echo hppa-unknown-linux-${LIBC} ;;
esac
exit ;;
ppc64:Linux:*:*)
echo powerpc64-unknown-linux-gnu
echo powerpc64-unknown-linux-${LIBC}
exit ;;
ppc:Linux:*:*)
echo powerpc-unknown-linux-gnu
echo powerpc-unknown-linux-${LIBC}
exit ;;
ppc64le:Linux:*:*)
echo powerpc64le-unknown-linux-${LIBC}
exit ;;
ppcle:Linux:*:*)
echo powerpcle-unknown-linux-${LIBC}
exit ;;
s390:Linux:*:* | s390x:Linux:*:*)
echo ${UNAME_MACHINE}-ibm-linux
echo ${UNAME_MACHINE}-ibm-linux-${LIBC}
exit ;;
sh64*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
sh*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
sparc:Linux:*:* | sparc64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
tile*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
vax:Linux:*:*)
echo ${UNAME_MACHINE}-dec-linux-gnu
echo ${UNAME_MACHINE}-dec-linux-${LIBC}
exit ;;
x86_64:Linux:*:*)
echo x86_64-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
xtensa*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
i*86:DYNIX/ptx:4*:*)
# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
@ -1196,6 +1227,9 @@ EOF
BePC:Haiku:*:*) # Haiku running on Intel PC compatible.
echo i586-pc-haiku
exit ;;
x86_64:Haiku:*:*)
echo x86_64-unknown-haiku
exit ;;
SX-4:SUPER-UX:*:*)
echo sx4-nec-superux${UNAME_RELEASE}
exit ;;
@ -1222,19 +1256,31 @@ EOF
exit ;;
*:Darwin:*:*)
UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
case $UNAME_PROCESSOR in
i386)
eval $set_cc_for_build
if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null
then
UNAME_PROCESSOR="x86_64"
fi
fi ;;
unknown) UNAME_PROCESSOR=powerpc ;;
esac
eval $set_cc_for_build
if test "$UNAME_PROCESSOR" = unknown ; then
UNAME_PROCESSOR=powerpc
fi
if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then
if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null
then
case $UNAME_PROCESSOR in
i386) UNAME_PROCESSOR=x86_64 ;;
powerpc) UNAME_PROCESSOR=powerpc64 ;;
esac
fi
fi
elif test "$UNAME_PROCESSOR" = i386 ; then
# Avoid executing cc on OS X 10.9, as it ships with a stub
# that puts up a graphical alert prompting to install
# developer tools. Any system running Mac OS X 10.7 or
# later (Darwin 11 and later) is required to have a 64-bit
# processor. This is not true of the ARM version of Darwin
# that Apple uses in portable devices.
UNAME_PROCESSOR=x86_64
fi
echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
exit ;;
*:procnto*:*:* | *:QNX:[0123456789]*:*)
@ -1251,7 +1297,7 @@ EOF
NEO-?:NONSTOP_KERNEL:*:*)
echo neo-tandem-nsk${UNAME_RELEASE}
exit ;;
NSE-?:NONSTOP_KERNEL:*:*)
NSE-*:NONSTOP_KERNEL:*:*)
echo nse-tandem-nsk${UNAME_RELEASE}
exit ;;
NSR-?:NONSTOP_KERNEL:*:*)
@ -1320,159 +1366,11 @@ EOF
i*86:AROS:*:*)
echo ${UNAME_MACHINE}-pc-aros
exit ;;
x86_64:VMkernel:*:*)
echo ${UNAME_MACHINE}-unknown-esx
exit ;;
esac
#echo '(No uname command or uname output not recognized.)' 1>&2
#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
eval $set_cc_for_build
cat >$dummy.c <<EOF
#ifdef _SEQUENT_
# include <sys/types.h>
# include <sys/utsname.h>
#endif
main ()
{
#if defined (sony)
#if defined (MIPSEB)
/* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed,
I don't know.... */
printf ("mips-sony-bsd\n"); exit (0);
#else
#include <sys/param.h>
printf ("m68k-sony-newsos%s\n",
#ifdef NEWSOS4
"4"
#else
""
#endif
); exit (0);
#endif
#endif
#if defined (__arm) && defined (__acorn) && defined (__unix)
printf ("arm-acorn-riscix\n"); exit (0);
#endif
#if defined (hp300) && !defined (hpux)
printf ("m68k-hp-bsd\n"); exit (0);
#endif
#if defined (NeXT)
#if !defined (__ARCHITECTURE__)
#define __ARCHITECTURE__ "m68k"
#endif
int version;
version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
if (version < 4)
printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
else
printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
exit (0);
#endif
#if defined (MULTIMAX) || defined (n16)
#if defined (UMAXV)
printf ("ns32k-encore-sysv\n"); exit (0);
#else
#if defined (CMU)
printf ("ns32k-encore-mach\n"); exit (0);
#else
printf ("ns32k-encore-bsd\n"); exit (0);
#endif
#endif
#endif
#if defined (__386BSD__)
printf ("i386-pc-bsd\n"); exit (0);
#endif
#if defined (sequent)
#if defined (i386)
printf ("i386-sequent-dynix\n"); exit (0);
#endif
#if defined (ns32000)
printf ("ns32k-sequent-dynix\n"); exit (0);
#endif
#endif
#if defined (_SEQUENT_)
struct utsname un;
uname(&un);
if (strncmp(un.version, "V2", 2) == 0) {
printf ("i386-sequent-ptx2\n"); exit (0);
}
if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
printf ("i386-sequent-ptx1\n"); exit (0);
}
printf ("i386-sequent-ptx\n"); exit (0);
#endif
#if defined (vax)
# if !defined (ultrix)
# include <sys/param.h>
# if defined (BSD)
# if BSD == 43
printf ("vax-dec-bsd4.3\n"); exit (0);
# else
# if BSD == 199006
printf ("vax-dec-bsd4.3reno\n"); exit (0);
# else
printf ("vax-dec-bsd\n"); exit (0);
# endif
# endif
# else
printf ("vax-dec-bsd\n"); exit (0);
# endif
# else
printf ("vax-dec-ultrix\n"); exit (0);
# endif
#endif
#if defined (alliant) && defined (i860)
printf ("i860-alliant-bsd\n"); exit (0);
#endif
exit (1);
}
EOF
$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` &&
{ echo "$SYSTEM_NAME"; exit; }
# Apollos put the system type in the environment.
test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; }
# Convex versions that predate uname can use getsysinfo(1)
if [ -x /usr/convex/getsysinfo ]
then
case `getsysinfo -f cpu_type` in
c1*)
echo c1-convex-bsd
exit ;;
c2*)
if getsysinfo -f scalar_acc
then echo c32-convex-bsd
else echo c2-convex-bsd
fi
exit ;;
c34*)
echo c34-convex-bsd
exit ;;
c38*)
echo c38-convex-bsd
exit ;;
c4*)
echo c4-convex-bsd
exit ;;
esac
fi
cat >&2 <<EOF
$0: unable to guess system type

142
auto/config.sub vendored Normal file → Executable file
View File

@ -1,38 +1,31 @@
#! /bin/sh
# Configuration validation subroutine script.
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
# 2011 Free Software Foundation, Inc.
# Copyright 1992-2014 Free Software Foundation, Inc.
timestamp='2011-11-11'
timestamp='2014-09-11'
# This file is (in principle) common to ALL GNU software.
# The presence of a machine in this file suggests that SOME GNU software
# can handle that machine. It does not imply ALL GNU software can.
#
# This file is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
# 02110-1301, USA.
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# the same distribution terms that you use for the rest of that
# program. This Exception is an additional permission under section 7
# of the GNU General Public License, version 3 ("GPLv3").
# Please send patches to <config-patches@gnu.org>. Submit a context
# diff and a properly formatted GNU ChangeLog entry.
# Please send patches with a ChangeLog entry to config-patches@gnu.org.
#
# Configuration subroutine to validate and canonicalize a configuration type.
# Supply the specified configuration type as an argument.
@ -75,9 +68,7 @@ Report bugs and patches to <config-patches@gnu.org>."
version="\
GNU config.sub ($timestamp)
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free
Software Foundation, Inc.
Copyright 1992-2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -125,13 +116,17 @@ esac
maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
case $maybe_os in
nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
knetbsd*-gnu* | netbsd*-gnu* | \
kopensolaris*-gnu* | \
storm-chaos* | os2-emx* | rtmk-nova*)
os=-$maybe_os
basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
;;
android-linux)
os=-linux-android
basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown
;;
*)
basic_machine=`echo $1 | sed 's/-[^-]*$//'`
if [ $basic_machine != $1 ]
@ -154,7 +149,7 @@ case $os in
-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
-apple | -axis | -knuth | -cray | -microblaze)
-apple | -axis | -knuth | -cray | -microblaze*)
os=
basic_machine=$1
;;
@ -223,6 +218,12 @@ case $os in
-isc*)
basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
;;
-lynx*178)
os=-lynxos178
;;
-lynx*5)
os=-lynxos5
;;
-lynx*)
os=-lynxos
;;
@ -247,13 +248,16 @@ case $basic_machine in
# Some are omitted here because they have special meanings below.
1750a | 580 \
| a29k \
| aarch64 | aarch64_be \
| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
| am33_2.0 \
| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \
| be32 | be64 \
| arc | arceb \
| arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \
| avr | avr32 \
| be32 | be64 \
| bfin \
| c4x | clipper \
| c4x | c8051 | clipper \
| d10v | d30v | dlx | dsp16xx \
| epiphany \
| fido | fr30 | frv \
@ -261,10 +265,11 @@ case $basic_machine in
| hexagon \
| i370 | i860 | i960 | ia64 \
| ip2k | iq2000 \
| k1om \
| le32 | le64 \
| lm32 \
| m32c | m32r | m32rle | m68000 | m68k | m88k \
| maxq | mb | microblaze | mcore | mep | metag \
| maxq | mb | microblaze | microblazeel | mcore | mep | metag \
| mips | mipsbe | mipseb | mipsel | mipsle \
| mips16 \
| mips64 | mips64el \
@ -278,23 +283,26 @@ case $basic_machine in
| mips64vr5900 | mips64vr5900el \
| mipsisa32 | mipsisa32el \
| mipsisa32r2 | mipsisa32r2el \
| mipsisa32r6 | mipsisa32r6el \
| mipsisa64 | mipsisa64el \
| mipsisa64r2 | mipsisa64r2el \
| mipsisa64r6 | mipsisa64r6el \
| mipsisa64sb1 | mipsisa64sb1el \
| mipsisa64sr71k | mipsisa64sr71kel \
| mipsr5900 | mipsr5900el \
| mipstx39 | mipstx39el \
| mn10200 | mn10300 \
| moxie \
| mt \
| msp430 \
| nds32 | nds32le | nds32be \
| nios | nios2 \
| nios | nios2 | nios2eb | nios2el \
| ns16k | ns32k \
| open8 \
| or32 \
| open8 | or1k | or1knd | or32 \
| pdp10 | pdp11 | pj | pjl \
| powerpc | powerpc64 | powerpc64le | powerpcle \
| pyramid \
| riscv32 | riscv64 \
| rl78 | rx \
| score \
| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
@ -319,8 +327,7 @@ case $basic_machine in
c6x)
basic_machine=tic6x-unknown
;;
m6811 | m68hc11 | m6812 | m68hc12 | picochip)
# Motorola 68HC11/12.
m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip)
basic_machine=$basic_machine-unknown
os=-none
;;
@ -333,7 +340,10 @@ case $basic_machine in
strongarm | thumb | xscale)
basic_machine=arm-unknown
;;
xgate)
basic_machine=$basic_machine-unknown
os=-none
;;
xscaleeb)
basic_machine=armeb-unknown
;;
@ -356,15 +366,16 @@ case $basic_machine in
# Recognize the basic CPU types with company name.
580-* \
| a29k-* \
| aarch64-* | aarch64_be-* \
| alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
| alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \
| arm-* | armbe-* | armle-* | armeb-* | armv*-* \
| avr-* | avr32-* \
| be32-* | be64-* \
| bfin-* | bs2000-* \
| c[123]* | c30-* | [cjt]90-* | c4x-* \
| clipper-* | craynv-* | cydra-* \
| c8051-* | clipper-* | craynv-* | cydra-* \
| d10v-* | d30v-* | dlx-* \
| elxsi-* \
| f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
@ -373,11 +384,13 @@ case $basic_machine in
| hexagon-* \
| i*86-* | i860-* | i960-* | ia64-* \
| ip2k-* | iq2000-* \
| k1om-* \
| le32-* | le64-* \
| lm32-* \
| m32c-* | m32r-* | m32rle-* \
| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
| m88110-* | m88k-* | maxq-* | mcore-* | metag-* | microblaze-* \
| m88110-* | m88k-* | maxq-* | mcore-* | metag-* \
| microblaze-* | microblazeel-* \
| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
| mips16-* \
| mips64-* | mips64el-* \
@ -391,18 +404,22 @@ case $basic_machine in
| mips64vr5900-* | mips64vr5900el-* \
| mipsisa32-* | mipsisa32el-* \
| mipsisa32r2-* | mipsisa32r2el-* \
| mipsisa32r6-* | mipsisa32r6el-* \
| mipsisa64-* | mipsisa64el-* \
| mipsisa64r2-* | mipsisa64r2el-* \
| mipsisa64r6-* | mipsisa64r6el-* \
| mipsisa64sb1-* | mipsisa64sb1el-* \
| mipsisa64sr71k-* | mipsisa64sr71kel-* \
| mipsr5900-* | mipsr5900el-* \
| mipstx39-* | mipstx39el-* \
| mmix-* \
| mt-* \
| msp430-* \
| nds32-* | nds32le-* | nds32be-* \
| nios-* | nios2-* \
| nios-* | nios2-* | nios2eb-* | nios2el-* \
| none-* | np1-* | ns16k-* | ns32k-* \
| open8-* \
| or1k*-* \
| orion-* \
| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
@ -719,7 +736,6 @@ case $basic_machine in
i370-ibm* | ibm*)
basic_machine=i370-ibm
;;
# I'm not sure what "Sysv32" means. Should this be sysv3.2?
i*86v32)
basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
os=-sysv32
@ -777,11 +793,15 @@ case $basic_machine in
basic_machine=ns32k-utek
os=-sysv
;;
microblaze)
microblaze*)
basic_machine=microblaze-xilinx
;;
mingw64)
basic_machine=x86_64-pc
os=-mingw64
;;
mingw32)
basic_machine=i386-pc
basic_machine=i686-pc
os=-mingw32
;;
mingw32ce)
@ -809,6 +829,10 @@ case $basic_machine in
basic_machine=powerpc-unknown
os=-morphos
;;
moxiebox)
basic_machine=moxie-unknown
os=-moxiebox
;;
msdos)
basic_machine=i386-pc
os=-msdos
@ -817,7 +841,7 @@ case $basic_machine in
basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'`
;;
msys)
basic_machine=i386-pc
basic_machine=i686-pc
os=-msys
;;
mvs)
@ -1008,7 +1032,11 @@ case $basic_machine in
basic_machine=i586-unknown
os=-pw32
;;
rdos)
rdos | rdos64)
basic_machine=x86_64-pc
os=-rdos
;;
rdos32)
basic_machine=i386-pc
os=-rdos
;;
@ -1335,29 +1363,29 @@ case $os in
-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
| -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\
| -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \
| -sym* | -kopensolaris* \
| -sym* | -kopensolaris* | -plan9* \
| -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
| -aos* | -aros* \
| -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
| -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
| -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
| -openbsd* | -solidbsd* \
| -bitrig* | -openbsd* | -solidbsd* \
| -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
| -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
| -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
| -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
| -chorusos* | -chorusrdb* | -cegcc* \
| -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
| -mingw32* | -linux-gnu* | -linux-android* \
| -linux-newlib* | -linux-uclibc* \
| -uxpv* | -beos* | -mpeix* | -udk* \
| -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
| -linux-newlib* | -linux-musl* | -linux-uclibc* \
| -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \
| -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
| -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
| -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
| -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
| -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
| -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*)
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*)
# Remember, each alternative MUST END IN *, to match a version number.
;;
-qnx*)
@ -1481,9 +1509,6 @@ case $os in
-aros*)
os=-aros
;;
-kaos*)
os=-kaos
;;
-zvmoe)
os=-zvmoe
;;
@ -1532,6 +1557,12 @@ case $basic_machine in
c4x-* | tic4x-*)
os=-coff
;;
c8051-*)
os=-elf
;;
hexagon-*)
os=-elf
;;
tic54x-*)
os=-coff
;;
@ -1559,9 +1590,6 @@ case $basic_machine in
;;
m68000-sun)
os=-sunos3
# This also exists in the configure program, but was not the
# default.
# os=-sunos4
;;
m68*-cisco)
os=-aout

580
auto/depcomp
View File

@ -1,10 +1,9 @@
#! /bin/sh
# depcomp - compile a program generating dependencies as side-effects
scriptversion=2007-03-29.01
scriptversion=2013-05-30.07; # UTC
# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006, 2007 Free Software
# Foundation, Inc.
# Copyright (C) 1999-2013 Free Software Foundation, Inc.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@ -17,9 +16,7 @@ scriptversion=2007-03-29.01
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
@ -30,9 +27,9 @@ scriptversion=2007-03-29.01
case $1 in
'')
echo "$0: No command. Try \`$0 --help' for more information." 1>&2
exit 1;
;;
echo "$0: No command. Try '$0 --help' for more information." 1>&2
exit 1;
;;
-h | --h*)
cat <<\EOF
Usage: depcomp [--help] [--version] PROGRAM [ARGS]
@ -42,11 +39,11 @@ as side-effects.
Environment variables:
depmode Dependency tracking mode.
source Source file read by `PROGRAMS ARGS'.
object Object file output by `PROGRAMS ARGS'.
source Source file read by 'PROGRAMS ARGS'.
object Object file output by 'PROGRAMS ARGS'.
DEPDIR directory where to store dependencies.
depfile Dependency file to output.
tmpdepfile Temporary file to use when outputing dependencies.
tmpdepfile Temporary file to use when outputting dependencies.
libtool Whether libtool is used (yes/no).
Report bugs to <bug-automake@gnu.org>.
@ -59,6 +56,66 @@ EOF
;;
esac
# Get the directory component of the given path, and save it in the
# global variables '$dir'. Note that this directory component will
# be either empty or ending with a '/' character. This is deliberate.
set_dir_from ()
{
case $1 in
*/*) dir=`echo "$1" | sed -e 's|/[^/]*$|/|'`;;
*) dir=;;
esac
}
# Get the suffix-stripped basename of the given path, and save it the
# global variable '$base'.
set_base_from ()
{
base=`echo "$1" | sed -e 's|^.*/||' -e 's/\.[^.]*$//'`
}
# If no dependency file was actually created by the compiler invocation,
# we still have to create a dummy depfile, to avoid errors with the
# Makefile "include basename.Plo" scheme.
make_dummy_depfile ()
{
echo "#dummy" > "$depfile"
}
# Factor out some common post-processing of the generated depfile.
# Requires the auxiliary global variable '$tmpdepfile' to be set.
aix_post_process_depfile ()
{
# If the compiler actually managed to produce a dependency file,
# post-process it.
if test -f "$tmpdepfile"; then
# Each line is of the form 'foo.o: dependency.h'.
# Do two passes, one to just change these to
# $object: dependency.h
# and one to simply output
# dependency.h:
# which is needed to avoid the deleted-header problem.
{ sed -e "s,^.*\.[$lower]*:,$object:," < "$tmpdepfile"
sed -e "s,^.*\.[$lower]*:[$tab ]*,," -e 's,$,:,' < "$tmpdepfile"
} > "$depfile"
rm -f "$tmpdepfile"
else
make_dummy_depfile
fi
}
# A tabulation character.
tab=' '
# A newline character.
nl='
'
# Character ranges might be problematic outside the C locale.
# These definitions help.
upper=ABCDEFGHIJKLMNOPQRSTUVWXYZ
lower=abcdefghijklmnopqrstuvwxyz
digits=0123456789
alpha=${upper}${lower}
if test -z "$depmode" || test -z "$source" || test -z "$object"; then
echo "depcomp: Variables source, object and depmode must be set" 1>&2
exit 1
@ -71,6 +128,9 @@ tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}
rm -f "$tmpdepfile"
# Avoid interferences from the environment.
gccflag= dashmflag=
# Some modes work just like other modes, but use different flags. We
# parameterize here, but still list the modes in the big case below,
# to make depend.m4 easier to write. Note that we *cannot* use a case
@ -82,9 +142,32 @@ if test "$depmode" = hp; then
fi
if test "$depmode" = dashXmstdout; then
# This is just like dashmstdout with a different argument.
dashmflag=-xM
depmode=dashmstdout
# This is just like dashmstdout with a different argument.
dashmflag=-xM
depmode=dashmstdout
fi
cygpath_u="cygpath -u -f -"
if test "$depmode" = msvcmsys; then
# This is just like msvisualcpp but w/o cygpath translation.
# Just convert the backslash-escaped backslashes to single forward
# slashes to satisfy depend.m4
cygpath_u='sed s,\\\\,/,g'
depmode=msvisualcpp
fi
if test "$depmode" = msvc7msys; then
# This is just like msvc7 but w/o cygpath translation.
# Just convert the backslash-escaped backslashes to single forward
# slashes to satisfy depend.m4
cygpath_u='sed s,\\\\,/,g'
depmode=msvc7
fi
if test "$depmode" = xlc; then
# IBM C/C++ Compilers xlc/xlC can output gcc-like dependency information.
gccflag=-qmakedep=gcc,-MF
depmode=gcc
fi
case "$depmode" in
@ -107,8 +190,7 @@ gcc3)
done
"$@"
stat=$?
if test $stat -eq 0; then :
else
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
@ -116,13 +198,17 @@ gcc3)
;;
gcc)
## Note that this doesn't just cater to obsosete pre-3.x GCC compilers.
## but also to in-use compilers like IMB xlc/xlC and the HP C compiler.
## (see the conditional assignment to $gccflag above).
## There are various ways to get dependency output from gcc. Here's
## why we pick this rather obscure method:
## - Don't want to use -MD because we'd like the dependencies to end
## up in a subdir. Having to rename by hand is ugly.
## (We might end up doing this anyway to support other compilers.)
## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like
## -MM, not -M (despite what the docs say).
## -MM, not -M (despite what the docs say). Also, it might not be
## supported by the other compilers which use the 'gcc' depmode.
## - Using -M directly means running the compiler twice (even worse
## than renaming).
if test -z "$gccflag"; then
@ -130,31 +216,31 @@ gcc)
fi
"$@" -Wp,"$gccflag$tmpdepfile"
stat=$?
if test $stat -eq 0; then :
else
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
echo "$object : \\" > "$depfile"
alpha=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
## The second -e expression handles DOS-style file names with drive letters.
# The second -e expression handles DOS-style file names with drive
# letters.
sed -e 's/^[^:]*: / /' \
-e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile"
## This next piece of magic avoids the `deleted header file' problem.
## This next piece of magic avoids the "deleted header file" problem.
## The problem is that when a header file which appears in a .P file
## is deleted, the dependency causes make to die (because there is
## typically no way to rebuild the header). We avoid this by adding
## dummy dependencies for each header file. Too bad gcc doesn't do
## this for us directly.
tr ' ' '
' < "$tmpdepfile" |
## Some versions of gcc put a space before the `:'. On the theory
## Some versions of gcc put a space before the ':'. On the theory
## that the space means something, we add a space to the output as
## well.
## well. hp depmode also adds that space, but also prefixes the VPATH
## to the object. Take care to not repeat it in the output.
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^\\$//' -e '/^$/d' -e "s|.*$object$||" -e '/:$/d' \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
@ -172,8 +258,7 @@ sgi)
"$@" -MDupdate "$tmpdepfile"
fi
stat=$?
if test $stat -eq 0; then :
else
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
@ -181,43 +266,41 @@ sgi)
if test -f "$tmpdepfile"; then # yes, the sourcefile depend on other files
echo "$object : \\" > "$depfile"
# Clip off the initial element (the dependent). Don't try to be
# clever and replace this with sed code, as IRIX sed won't handle
# lines with more than a fixed number of characters (4096 in
# IRIX 6.2 sed, 8192 in IRIX 6.5). We also remove comment lines;
# the IRIX cc adds comments like `#:fec' to the end of the
# the IRIX cc adds comments like '#:fec' to the end of the
# dependency line.
tr ' ' '
' < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \
tr '
' ' ' >> $depfile
echo >> $depfile
tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' \
| tr "$nl" ' ' >> "$depfile"
echo >> "$depfile"
# The second pass generates a dummy entry for each header file.
tr ' ' '
' < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
>> $depfile
tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
>> "$depfile"
else
# The sourcefile does not contain any dependencies, so just
# store a dummy comment line, to avoid errors with the Makefile
# "include basename.Plo" scheme.
echo "#dummy" > "$depfile"
make_dummy_depfile
fi
rm -f "$tmpdepfile"
;;
xlc)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;
aix)
# The C for AIX Compiler uses -M and outputs the dependencies
# in a .u file. In older versions, this file always lives in the
# current directory. Also, the AIX compiler puts `$object:' at the
# current directory. Also, the AIX compiler puts '$object:' at the
# start of each line; $object doesn't have directory information.
# Version 6 uses the directory in both cases.
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
test "x$dir" = "x$object" && dir=
base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
set_dir_from "$object"
set_base_from "$object"
if test "$libtool" = yes; then
tmpdepfile1=$dir$base.u
tmpdepfile2=$base.u
@ -230,9 +313,7 @@ aix)
"$@" -M
fi
stat=$?
if test $stat -eq 0; then :
else
if test $stat -ne 0; then
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
exit $stat
fi
@ -241,44 +322,100 @@ aix)
do
test -f "$tmpdepfile" && break
done
if test -f "$tmpdepfile"; then
# Each line is of the form `foo.o: dependent.h'.
# Do two passes, one to just change these to
# `$object: dependent.h' and one to simply `dependent.h:'.
sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
# That's a tab and a space in the [].
sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
else
# The sourcefile does not contain any dependencies, so just
# store a dummy comment line, to avoid errors with the Makefile
# "include basename.Plo" scheme.
echo "#dummy" > "$depfile"
aix_post_process_depfile
;;
tcc)
# tcc (Tiny C Compiler) understand '-MD -MF file' since version 0.9.26
# FIXME: That version still under development at the moment of writing.
# Make that this statement remains true also for stable, released
# versions.
# It will wrap lines (doesn't matter whether long or short) with a
# trailing '\', as in:
#
# foo.o : \
# foo.c \
# foo.h \
#
# It will put a trailing '\' even on the last line, and will use leading
# spaces rather than leading tabs (at least since its commit 0394caf7
# "Emit spaces for -MD").
"$@" -MD -MF "$tmpdepfile"
stat=$?
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
# Each non-empty line is of the form 'foo.o : \' or ' dep.h \'.
# We have to change lines of the first kind to '$object: \'.
sed -e "s|.*:|$object :|" < "$tmpdepfile" > "$depfile"
# And for each line of the second kind, we have to emit a 'dep.h:'
# dummy dependency, to avoid the deleted-header problem.
sed -n -e 's|^ *\(.*\) *\\$|\1:|p' < "$tmpdepfile" >> "$depfile"
rm -f "$tmpdepfile"
;;
icc)
# Intel's C compiler understands `-MD -MF file'. However on
# icc -MD -MF foo.d -c -o sub/foo.o sub/foo.c
# ICC 7.0 will fill foo.d with something like
# foo.o: sub/foo.c
# foo.o: sub/foo.h
# which is wrong. We want:
# sub/foo.o: sub/foo.c
# sub/foo.o: sub/foo.h
# sub/foo.c:
# sub/foo.h:
# ICC 7.1 will output
## The order of this option in the case statement is important, since the
## shell code in configure will try each of these formats in the order
## listed in this file. A plain '-MD' option would be understood by many
## compilers, so we must ensure this comes after the gcc and icc options.
pgcc)
# Portland's C compiler understands '-MD'.
# Will always output deps to 'file.d' where file is the root name of the
# source file under compilation, even if file resides in a subdirectory.
# The object file name does not affect the name of the '.d' file.
# pgcc 10.2 will output
# foo.o: sub/foo.c sub/foo.h
# and will wrap long lines using \ :
# and will wrap long lines using '\' :
# foo.o: sub/foo.c ... \
# sub/foo.h ... \
# ...
set_dir_from "$object"
# Use the source, not the object, to determine the base name, since
# that's sadly what pgcc will do too.
set_base_from "$source"
tmpdepfile=$base.d
"$@" -MD -MF "$tmpdepfile"
stat=$?
if test $stat -eq 0; then :
else
# For projects that build the same source file twice into different object
# files, the pgcc approach of using the *source* file root name can cause
# problems in parallel builds. Use a locking strategy to avoid stomping on
# the same $tmpdepfile.
lockdir=$base.d-lock
trap "
echo '$0: caught signal, cleaning up...' >&2
rmdir '$lockdir'
exit 1
" 1 2 13 15
numtries=100
i=$numtries
while test $i -gt 0; do
# mkdir is a portable test-and-set.
if mkdir "$lockdir" 2>/dev/null; then
# This process acquired the lock.
"$@" -MD
stat=$?
# Release the lock.
rmdir "$lockdir"
break
else
# If the lock is being held by a different process, wait
# until the winning process is done or we timeout.
while test -d "$lockdir" && test $i -gt 0; do
sleep 1
i=`expr $i - 1`
done
fi
i=`expr $i - 1`
done
trap - 1 2 13 15
if test $i -le 0; then
echo "$0: failed to acquire lock after $numtries attempts" >&2
echo "$0: check lockdir '$lockdir'" >&2
exit 1
fi
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
@ -290,8 +427,8 @@ icc)
sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile"
# Some versions of the HPUX 10.20 sed can't process this invocation
# correctly. Breaking it into two sed invocations is a workaround.
sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" |
sed -e 's/$/ :/' >> "$depfile"
sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
@ -302,9 +439,8 @@ hp2)
# 'foo.d', which lands next to the object file, wherever that
# happens to be.
# Much of this is similar to the tru64 case; see comments there.
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
test "x$dir" = "x$object" && dir=
base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
set_dir_from "$object"
set_base_from "$object"
if test "$libtool" = yes; then
tmpdepfile1=$dir$base.d
tmpdepfile2=$dir.libs/$base.d
@ -315,8 +451,7 @@ hp2)
"$@" +Maked
fi
stat=$?
if test $stat -eq 0; then :
else
if test $stat -ne 0; then
rm -f "$tmpdepfile1" "$tmpdepfile2"
exit $stat
fi
@ -326,72 +461,107 @@ hp2)
test -f "$tmpdepfile" && break
done
if test -f "$tmpdepfile"; then
sed -e "s,^.*\.[a-z]*:,$object:," "$tmpdepfile" > "$depfile"
# Add `dependent.h:' lines.
sed -ne '2,${; s/^ *//; s/ \\*$//; s/$/:/; p;}' "$tmpdepfile" >> "$depfile"
sed -e "s,^.*\.[$lower]*:,$object:," "$tmpdepfile" > "$depfile"
# Add 'dependent.h:' lines.
sed -ne '2,${
s/^ *//
s/ \\*$//
s/$/:/
p
}' "$tmpdepfile" >> "$depfile"
else
echo "#dummy" > "$depfile"
make_dummy_depfile
fi
rm -f "$tmpdepfile" "$tmpdepfile2"
;;
tru64)
# The Tru64 compiler uses -MD to generate dependencies as a side
# effect. `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'.
# At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
# dependencies in `foo.d' instead, so we check for that too.
# Subdirectories are respected.
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
test "x$dir" = "x$object" && dir=
base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
# The Tru64 compiler uses -MD to generate dependencies as a side
# effect. 'cc -MD -o foo.o ...' puts the dependencies into 'foo.o.d'.
# At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
# dependencies in 'foo.d' instead, so we check for that too.
# Subdirectories are respected.
set_dir_from "$object"
set_base_from "$object"
if test "$libtool" = yes; then
# With Tru64 cc, shared objects can also be used to make a
# static library. This mechanism is used in libtool 1.4 series to
# handle both shared and static libraries in a single compilation.
# With libtool 1.4, dependencies were output in $dir.libs/$base.lo.d.
#
# With libtool 1.5 this exception was removed, and libtool now
# generates 2 separate objects for the 2 libraries. These two
# compilations output dependencies in $dir.libs/$base.o.d and
# in $dir$base.o.d. We have to check for both files, because
# one of the two compilations can be disabled. We should prefer
# $dir$base.o.d over $dir.libs/$base.o.d because the latter is
# automatically cleaned when .libs/ is deleted, while ignoring
# the former would cause a distcleancheck panic.
tmpdepfile1=$dir.libs/$base.lo.d # libtool 1.4
tmpdepfile2=$dir$base.o.d # libtool 1.5
tmpdepfile3=$dir.libs/$base.o.d # libtool 1.5
tmpdepfile4=$dir.libs/$base.d # Compaq CCC V6.2-504
"$@" -Wc,-MD
else
tmpdepfile1=$dir$base.o.d
tmpdepfile2=$dir$base.d
tmpdepfile3=$dir$base.d
tmpdepfile4=$dir$base.d
"$@" -MD
fi
if test "$libtool" = yes; then
# Libtool generates 2 separate objects for the 2 libraries. These
# two compilations output dependencies in $dir.libs/$base.o.d and
# in $dir$base.o.d. We have to check for both files, because
# one of the two compilations can be disabled. We should prefer
# $dir$base.o.d over $dir.libs/$base.o.d because the latter is
# automatically cleaned when .libs/ is deleted, while ignoring
# the former would cause a distcleancheck panic.
tmpdepfile1=$dir$base.o.d # libtool 1.5
tmpdepfile2=$dir.libs/$base.o.d # Likewise.
tmpdepfile3=$dir.libs/$base.d # Compaq CCC V6.2-504
"$@" -Wc,-MD
else
tmpdepfile1=$dir$base.d
tmpdepfile2=$dir$base.d
tmpdepfile3=$dir$base.d
"$@" -MD
fi
stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
exit $stat
fi
stat=$?
if test $stat -ne 0; then
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
exit $stat
fi
for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
do
test -f "$tmpdepfile" && break
done
if test -f "$tmpdepfile"; then
sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
# That's a tab and a space in the [].
sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
else
echo "#dummy" > "$depfile"
fi
rm -f "$tmpdepfile"
;;
for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
do
test -f "$tmpdepfile" && break
done
# Same post-processing that is required for AIX mode.
aix_post_process_depfile
;;
msvc7)
if test "$libtool" = yes; then
showIncludes=-Wc,-showIncludes
else
showIncludes=-showIncludes
fi
"$@" $showIncludes > "$tmpdepfile"
stat=$?
grep -v '^Note: including file: ' "$tmpdepfile"
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
echo "$object : \\" > "$depfile"
# The first sed program below extracts the file names and escapes
# backslashes for cygpath. The second sed program outputs the file
# name when reading, but also accumulates all include files in the
# hold buffer in order to output them again at the end. This only
# works with sed implementations that can handle large buffers.
sed < "$tmpdepfile" -n '
/^Note: including file: *\(.*\)/ {
s//\1/
s/\\/\\\\/g
p
}' | $cygpath_u | sort -u | sed -n '
s/ /\\ /g
s/\(.*\)/'"$tab"'\1 \\/p
s/.\(.*\) \\/\1:/
H
$ {
s/.*/'"$tab"'/
G
p
}' >> "$depfile"
echo >> "$depfile" # make sure the fragment doesn't end with a backslash
rm -f "$tmpdepfile"
;;
msvc7msys)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;
#nosideeffect)
# This comment above is used by automake to tell side-effect
@ -404,13 +574,13 @@ dashmstdout)
# Remove the call to Libtool.
if test "$libtool" = yes; then
while test $1 != '--mode=compile'; do
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi
# Remove `-o $object'.
# Remove '-o $object'.
IFS=" "
for arg
do
@ -430,18 +600,18 @@ dashmstdout)
done
test -z "$dashmflag" && dashmflag=-M
# Require at least two characters before searching for `:'
# Require at least two characters before searching for ':'
# in the target name. This is to cope with DOS-style filenames:
# a dependency such as `c:/foo/bar' could be seen as target `c' otherwise.
# a dependency such as 'c:/foo/bar' could be seen as target 'c' otherwise.
"$@" $dashmflag |
sed 's:^[ ]*[^: ][^:][^:]*\:[ ]*:'"$object"'\: :' > "$tmpdepfile"
sed "s|^[$tab ]*[^:$tab ][^:][^:]*:[$tab ]*|$object: |" > "$tmpdepfile"
rm -f "$depfile"
cat < "$tmpdepfile" > "$depfile"
tr ' ' '
' < "$tmpdepfile" | \
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
# Some versions of the HPUX 10.20 sed can't process this sed invocation
# correctly. Breaking it into two sed invocations is a workaround.
tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
@ -455,41 +625,51 @@ makedepend)
"$@" || exit $?
# Remove any Libtool call
if test "$libtool" = yes; then
while test $1 != '--mode=compile'; do
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi
# X makedepend
shift
cleared=no
for arg in "$@"; do
cleared=no eat=no
for arg
do
case $cleared in
no)
set ""; shift
cleared=yes ;;
esac
if test $eat = yes; then
eat=no
continue
fi
case "$arg" in
-D*|-I*)
set fnord "$@" "$arg"; shift ;;
# Strip any option that makedepend may not understand. Remove
# the object too, otherwise makedepend will parse it as a source file.
-arch)
eat=yes ;;
-*|$object)
;;
*)
set fnord "$@" "$arg"; shift ;;
esac
done
obj_suffix="`echo $object | sed 's/^.*\././'`"
obj_suffix=`echo "$object" | sed 's/^.*\././'`
touch "$tmpdepfile"
${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
rm -f "$depfile"
cat < "$tmpdepfile" > "$depfile"
sed '1,2d' "$tmpdepfile" | tr ' ' '
' | \
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
# makedepend may prepend the VPATH from the source file name to the object.
# No need to regex-escape $object, excess matching of '.' is harmless.
sed "s|^.*\($object *:\)|\1|" "$tmpdepfile" > "$depfile"
# Some versions of the HPUX 10.20 sed can't process the last invocation
# correctly. Breaking it into two sed invocations is a workaround.
sed '1,2d' "$tmpdepfile" \
| tr ' ' "$nl" \
| sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile" "$tmpdepfile".bak
;;
@ -500,13 +680,13 @@ cpp)
# Remove the call to Libtool.
if test "$libtool" = yes; then
while test $1 != '--mode=compile'; do
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi
# Remove `-o $object'.
# Remove '-o $object'.
IFS=" "
for arg
do
@ -525,10 +705,10 @@ cpp)
esac
done
"$@" -E |
sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
-e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' |
sed '$ s: \\$::' > "$tmpdepfile"
"$@" -E \
| sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
-e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
| sed '$ s: \\$::' > "$tmpdepfile"
rm -f "$depfile"
echo "$object : \\" > "$depfile"
cat < "$tmpdepfile" >> "$depfile"
@ -538,35 +718,56 @@ cpp)
msvisualcpp)
# Important note: in order to support this mode, a compiler *must*
# always write the preprocessed file to stdout, regardless of -o,
# because we must use -o when running libtool.
# always write the preprocessed file to stdout.
"$@" || exit $?
# Remove the call to Libtool.
if test "$libtool" = yes; then
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi
IFS=" "
for arg
do
case "$arg" in
-o)
shift
;;
$object)
shift
;;
"-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI")
set fnord "$@"
shift
shift
;;
set fnord "$@"
shift
shift
;;
*)
set fnord "$@" "$arg"
shift
shift
;;
set fnord "$@" "$arg"
shift
shift
;;
esac
done
"$@" -E |
sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::echo "`cygpath -u \\"\1\\"`":p' | sort | uniq > "$tmpdepfile"
"$@" -E 2>/dev/null |
sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::\1:p' | $cygpath_u | sort -u > "$tmpdepfile"
rm -f "$depfile"
echo "$object : \\" > "$depfile"
. "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s:: \1 \\:p' >> "$depfile"
echo " " >> "$depfile"
. "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::\1\::p' >> "$depfile"
sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::'"$tab"'\1 \\:p' >> "$depfile"
echo "$tab" >> "$depfile"
sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::\1\::p' >> "$depfile"
rm -f "$tmpdepfile"
;;
msvcmsys)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;
none)
exec "$@"
;;
@ -585,5 +786,6 @@ exit 0
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:

59
auto/install-sh
View File

@ -1,7 +1,7 @@
#!/bin/sh
# install - install a program, script, or datafile
scriptversion=2006-12-25.00
scriptversion=2011-11-20.07; # UTC
# This originates from X11R5 (mit/util/scripts/install.sh), which was
# later released in X11R6 (xc/config/util/install.sh) with the
@ -35,7 +35,7 @@ scriptversion=2006-12-25.00
# FSF changes to this file are in the public domain.
#
# Calling this script install-sh is preferred over install.sh, to prevent
# `make' implicit rules from creating a file called install from it
# 'make' implicit rules from creating a file called install from it
# when there is no Makefile.
#
# This script is compatible with the BSD install script, but was written
@ -156,6 +156,10 @@ while test $# -ne 0; do
-s) stripcmd=$stripprog;;
-t) dst_arg=$2
# Protect names problematic for 'test' and other utilities.
case $dst_arg in
-* | [=\(\)!]) dst_arg=./$dst_arg;;
esac
shift;;
-T) no_target_directory=true;;
@ -186,6 +190,10 @@ if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
fi
shift # arg
dst_arg=$arg
# Protect names problematic for 'test' and other utilities.
case $dst_arg in
-* | [=\(\)!]) dst_arg=./$dst_arg;;
esac
done
fi
@ -194,13 +202,17 @@ if test $# -eq 0; then
echo "$0: no input file specified." >&2
exit 1
fi
# It's OK to call `install-sh -d' without argument.
# It's OK to call 'install-sh -d' without argument.
# This can happen when creating conditional directories.
exit 0
fi
if test -z "$dir_arg"; then
trap '(exit $?); exit' 1 2 13 15
do_exit='(exit $ret); exit $ret'
trap "ret=129; $do_exit" 1
trap "ret=130; $do_exit" 2
trap "ret=141; $do_exit" 13
trap "ret=143; $do_exit" 15
# Set umask so as not to create temps with too-generous modes.
# However, 'strip' requires both read and write access to temps.
@ -228,9 +240,9 @@ fi
for src
do
# Protect names starting with `-'.
# Protect names problematic for 'test' and other utilities.
case $src in
-*) src=./$src;;
-* | [=\(\)!]) src=./$src;;
esac
if test -n "$dir_arg"; then
@ -252,12 +264,7 @@ do
echo "$0: no destination specified." >&2
exit 1
fi
dst=$dst_arg
# Protect names starting with `-'.
case $dst in
-*) dst=./$dst;;
esac
# If destination is a directory, append the input filename; won't work
# if double slashes aren't ignored.
@ -338,34 +345,41 @@ do
# is incompatible with FreeBSD 'install' when (umask & 300) != 0.
;;
*)
# $RANDOM is not portable (e.g. dash); use it when possible to
# lower collision chance
tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0
# As "mkdir -p" follows symlinks and we work in /tmp possibly; so
# create the $tmpdir first (and fail if unsuccessful) to make sure
# that nobody tries to guess the $tmpdir name.
if (umask $mkdir_umask &&
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
$mkdirprog $mkdir_mode "$tmpdir" &&
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
then
if test -z "$dir_arg" || {
# Check for POSIX incompatibilities with -m.
# HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
# other-writeable bit of parent directory when it shouldn't.
# other-writable bit of parent directory when it shouldn't.
# FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
ls_ld_tmpdir=`ls -ld "$tmpdir"`
test_tmpdir="$tmpdir/a"
ls_ld_tmpdir=`ls -ld "$test_tmpdir"`
case $ls_ld_tmpdir in
d????-?r-*) different_mode=700;;
d????-?--*) different_mode=755;;
*) false;;
esac &&
$mkdirprog -m$different_mode -p -- "$tmpdir" && {
ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
$mkdirprog -m$different_mode -p -- "$test_tmpdir" && {
ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"`
test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
}
}
then posix_mkdir=:
fi
rmdir "$tmpdir/d" "$tmpdir"
rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir"
else
# Remove any dirs left behind by ancient mkdir implementations.
rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null
fi
trap '' 0;;
esac;;
@ -385,7 +399,7 @@ do
case $dstdir in
/*) prefix='/';;
-*) prefix='./';;
[-=\(\)!]*) prefix='./';;
*) prefix='';;
esac
@ -403,7 +417,7 @@ do
for d
do
test -z "$d" && continue
test X"$d" = X && continue
prefix=$prefix$d
if test -d "$prefix"; then
@ -515,5 +529,6 @@ done
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:

4036
auto/ltmain.sh Executable file → Normal file
View File

File diff suppressed because it is too large Load Diff

458
auto/missing
View File

@ -1,11 +1,10 @@
#! /bin/sh
# Common stub for a few missing GNU programs while installing.
# Common wrapper for a few potentially missing GNU programs.
scriptversion=2006-05-10.23
scriptversion=2013-10-28.13; # UTC
# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006
# Free Software Foundation, Inc.
# Originally by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
# Copyright (C) 1996-2013 Free Software Foundation, Inc.
# Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@ -18,9 +17,7 @@ scriptversion=2006-05-10.23
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
@ -28,66 +25,40 @@ scriptversion=2006-05-10.23
# the same distribution terms that you use for the rest of that program.
if test $# -eq 0; then
echo 1>&2 "Try \`$0 --help' for more information"
echo 1>&2 "Try '$0 --help' for more information"
exit 1
fi
run=:
sed_output='s/.* --output[ =]\([^ ]*\).*/\1/p'
sed_minuso='s/.* -o \([^ ]*\).*/\1/p'
# In the cases where this matters, `missing' is being run in the
# srcdir already.
if test -f configure.ac; then
configure_ac=configure.ac
else
configure_ac=configure.in
fi
msg="missing on your system"
case $1 in
--run)
# Try to run requested program, and just exit if it succeeds.
run=
shift
"$@" && exit 0
# Exit code 63 means version mismatch. This often happens
# when the user try to use an ancient version of a tool on
# a file that requires a minimum version. In this case we
# we should proceed has if the program had been absent, or
# if --run hadn't been passed.
if test $? = 63; then
run=:
msg="probably too old"
fi
;;
--is-lightweight)
# Used by our autoconf macros to check whether the available missing
# script is modern enough.
exit 0
;;
--run)
# Back-compat with the calling convention used by older automake.
shift
;;
-h|--h|--he|--hel|--help)
echo "\
$0 [OPTION]... PROGRAM [ARGUMENT]...
Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an
error status if there is no known handling for PROGRAM.
Run 'PROGRAM [ARGUMENT]...', returning a proper advice when this fails due
to PROGRAM being missing or too old.
Options:
-h, --help display this help and exit
-v, --version output version information and exit
--run try to run the given command, and emulate it if it fails
Supported PROGRAM values:
aclocal touch file \`aclocal.m4'
autoconf touch file \`configure'
autoheader touch file \`config.h.in'
autom4te touch the output file, or create a stub one
automake touch all \`Makefile.in' files
bison create \`y.tab.[ch]', if possible, from existing .[ch]
flex create \`lex.yy.c', if possible, from existing .c
help2man touch the output file
lex create \`lex.yy.c', if possible, from existing .c
makeinfo touch the output file
tar try tar, gnutar, gtar, then tar without non-portable flags
yacc create \`y.tab.[ch]', if possible, from existing .[ch]
aclocal autoconf autoheader autom4te automake makeinfo
bison yacc flex lex help2man
Version suffixes to PROGRAM as well as the prefixes 'gnu-', 'gnu', and
'g' are ignored when checking the name.
Send bug reports to <bug-automake@gnu.org>."
exit $?
@ -99,269 +70,146 @@ Send bug reports to <bug-automake@gnu.org>."
;;
-*)
echo 1>&2 "$0: Unknown \`$1' option"
echo 1>&2 "Try \`$0 --help' for more information"
echo 1>&2 "$0: unknown '$1' option"
echo 1>&2 "Try '$0 --help' for more information"
exit 1
;;
esac
# Now exit if we have it, but it failed. Also exit now if we
# don't have it and --version was passed (most likely to detect
# the program).
case $1 in
lex|yacc)
# Not GNU programs, they don't have --version.
# Run the given program, remember its exit status.
"$@"; st=$?
# If it succeeded, we are done.
test $st -eq 0 && exit 0
# Also exit now if we it failed (or wasn't found), and '--version' was
# passed; such an option is passed most likely to detect whether the
# program is present and works.
case $2 in --version|--help) exit $st;; esac
# Exit code 63 means version mismatch. This often happens when the user
# tries to use an ancient version of a tool on a file that requires a
# minimum version.
if test $st -eq 63; then
msg="probably too old"
elif test $st -eq 127; then
# Program was missing.
msg="missing on your system"
else
# Program was found and executed, but failed. Give up.
exit $st
fi
perl_URL=http://www.perl.org/
flex_URL=http://flex.sourceforge.net/
gnu_software_URL=http://www.gnu.org/software
program_details ()
{
case $1 in
aclocal|automake)
echo "The '$1' program is part of the GNU Automake package:"
echo "<$gnu_software_URL/automake>"
echo "It also requires GNU Autoconf, GNU m4 and Perl in order to run:"
echo "<$gnu_software_URL/autoconf>"
echo "<$gnu_software_URL/m4/>"
echo "<$perl_URL>"
;;
autoconf|autom4te|autoheader)
echo "The '$1' program is part of the GNU Autoconf package:"
echo "<$gnu_software_URL/autoconf/>"
echo "It also requires GNU m4 and Perl in order to run:"
echo "<$gnu_software_URL/m4/>"
echo "<$perl_URL>"
;;
esac
}
give_advice ()
{
# Normalize program name to check for.
normalized_program=`echo "$1" | sed '
s/^gnu-//; t
s/^gnu//; t
s/^g//; t'`
printf '%s\n' "'$1' is $msg."
configure_deps="'configure.ac' or m4 files included by 'configure.ac'"
case $normalized_program in
autoconf*)
echo "You should only need it if you modified 'configure.ac',"
echo "or m4 files included by it."
program_details 'autoconf'
;;
autoheader*)
echo "You should only need it if you modified 'acconfig.h' or"
echo "$configure_deps."
program_details 'autoheader'
;;
automake*)
echo "You should only need it if you modified 'Makefile.am' or"
echo "$configure_deps."
program_details 'automake'
;;
aclocal*)
echo "You should only need it if you modified 'acinclude.m4' or"
echo "$configure_deps."
program_details 'aclocal'
;;
autom4te*)
echo "You might have modified some maintainer files that require"
echo "the 'autom4te' program to be rebuilt."
program_details 'autom4te'
;;
bison*|yacc*)
echo "You should only need it if you modified a '.y' file."
echo "You may want to install the GNU Bison package:"
echo "<$gnu_software_URL/bison/>"
;;
lex*|flex*)
echo "You should only need it if you modified a '.l' file."
echo "You may want to install the Fast Lexical Analyzer package:"
echo "<$flex_URL>"
;;
help2man*)
echo "You should only need it if you modified a dependency" \
"of a man page."
echo "You may want to install the GNU Help2man package:"
echo "<$gnu_software_URL/help2man/>"
;;
makeinfo*)
echo "You should only need it if you modified a '.texi' file, or"
echo "any other file indirectly affecting the aspect of the manual."
echo "You might want to install the Texinfo package:"
echo "<$gnu_software_URL/texinfo/>"
echo "The spurious makeinfo call might also be the consequence of"
echo "using a buggy 'make' (AIX, DU, IRIX), in which case you might"
echo "want to install GNU make:"
echo "<$gnu_software_URL/make/>"
;;
*)
echo "You might have modified some files without having the proper"
echo "tools for further handling them. Check the 'README' file, it"
echo "often tells you about the needed prerequisites for installing"
echo "this package. You may also peek at any GNU archive site, in"
echo "case some other package contains this missing '$1' program."
;;
esac
}
tar)
if test -n "$run"; then
echo 1>&2 "ERROR: \`tar' requires --run"
exit 1
elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
exit 1
fi
;;
give_advice "$1" | sed -e '1s/^/WARNING: /' \
-e '2,$s/^/ /' >&2
*)
if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
# We have it, but it failed.
exit 1
elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
# Could not run --version or --help. This is probably someone
# running `$TOOL --version' or `$TOOL --help' to check whether
# $TOOL exists and not knowing $TOOL uses missing.
exit 1
fi
;;
esac
# If it does not exist, or fails to run (possibly an outdated version),
# try to emulate it.
case $1 in
aclocal*)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified \`acinclude.m4' or \`${configure_ac}'. You might want
to install the \`Automake' and \`Perl' packages. Grab them from
any GNU archive site."
touch aclocal.m4
;;
autoconf)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified \`${configure_ac}'. You might want to install the
\`Autoconf' and \`GNU m4' packages. Grab them from any GNU
archive site."
touch configure
;;
autoheader)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified \`acconfig.h' or \`${configure_ac}'. You might want
to install the \`Autoconf' and \`GNU m4' packages. Grab them
from any GNU archive site."
files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' ${configure_ac}`
test -z "$files" && files="config.h"
touch_files=
for f in $files; do
case $f in
*:*) touch_files="$touch_files "`echo "$f" |
sed -e 's/^[^:]*://' -e 's/:.*//'`;;
*) touch_files="$touch_files $f.in";;
esac
done
touch $touch_files
;;
automake*)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified \`Makefile.am', \`acinclude.m4' or \`${configure_ac}'.
You might want to install the \`Automake' and \`Perl' packages.
Grab them from any GNU archive site."
find . -type f -name Makefile.am -print |
sed 's/\.am$/.in/' |
while read f; do touch "$f"; done
;;
autom4te)
echo 1>&2 "\
WARNING: \`$1' is needed, but is $msg.
You might have modified some files without having the
proper tools for further handling them.
You can get \`$1' as part of \`Autoconf' from any GNU
archive site."
file=`echo "$*" | sed -n "$sed_output"`
test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
if test -f "$file"; then
touch $file
else
test -z "$file" || exec >$file
echo "#! /bin/sh"
echo "# Created by GNU Automake missing as a replacement of"
echo "# $ $@"
echo "exit 0"
chmod +x $file
exit 1
fi
;;
bison|yacc)
echo 1>&2 "\
WARNING: \`$1' $msg. You should only need it if
you modified a \`.y' file. You may need the \`Bison' package
in order for those modifications to take effect. You can get
\`Bison' from any GNU archive site."
rm -f y.tab.c y.tab.h
if test $# -ne 1; then
eval LASTARG="\${$#}"
case $LASTARG in
*.y)
SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'`
if test -f "$SRCFILE"; then
cp "$SRCFILE" y.tab.c
fi
SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'`
if test -f "$SRCFILE"; then
cp "$SRCFILE" y.tab.h
fi
;;
esac
fi
if test ! -f y.tab.h; then
echo >y.tab.h
fi
if test ! -f y.tab.c; then
echo 'main() { return 0; }' >y.tab.c
fi
;;
lex|flex)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified a \`.l' file. You may need the \`Flex' package
in order for those modifications to take effect. You can get
\`Flex' from any GNU archive site."
rm -f lex.yy.c
if test $# -ne 1; then
eval LASTARG="\${$#}"
case $LASTARG in
*.l)
SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'`
if test -f "$SRCFILE"; then
cp "$SRCFILE" lex.yy.c
fi
;;
esac
fi
if test ! -f lex.yy.c; then
echo 'main() { return 0; }' >lex.yy.c
fi
;;
help2man)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified a dependency of a manual page. You may need the
\`Help2man' package in order for those modifications to take
effect. You can get \`Help2man' from any GNU archive site."
file=`echo "$*" | sed -n "$sed_output"`
test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
if test -f "$file"; then
touch $file
else
test -z "$file" || exec >$file
echo ".ab help2man is required to generate this page"
exit 1
fi
;;
makeinfo)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified a \`.texi' or \`.texinfo' file, or any other file
indirectly affecting the aspect of the manual. The spurious
call might also be the consequence of using a buggy \`make' (AIX,
DU, IRIX). You might want to install the \`Texinfo' package or
the \`GNU make' package. Grab either from any GNU archive site."
# The file to touch is that specified with -o ...
file=`echo "$*" | sed -n "$sed_output"`
test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
if test -z "$file"; then
# ... or it is the one specified with @setfilename ...
infile=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'`
file=`sed -n '
/^@setfilename/{
s/.* \([^ ]*\) *$/\1/
p
q
}' $infile`
# ... or it is derived from the source name (dir/f.texi becomes f.info)
test -z "$file" && file=`echo "$infile" | sed 's,.*/,,;s,.[^.]*$,,'`.info
fi
# If the file does not exist, the user really needs makeinfo;
# let's fail without touching anything.
test -f $file || exit 1
touch $file
;;
tar)
shift
# We have already tried tar in the generic part.
# Look for gnutar/gtar before invocation to avoid ugly error
# messages.
if (gnutar --version > /dev/null 2>&1); then
gnutar "$@" && exit 0
fi
if (gtar --version > /dev/null 2>&1); then
gtar "$@" && exit 0
fi
firstarg="$1"
if shift; then
case $firstarg in
*o*)
firstarg=`echo "$firstarg" | sed s/o//`
tar "$firstarg" "$@" && exit 0
;;
esac
case $firstarg in
*h*)
firstarg=`echo "$firstarg" | sed s/h//`
tar "$firstarg" "$@" && exit 0
;;
esac
fi
echo 1>&2 "\
WARNING: I can't seem to be able to run \`tar' with the given arguments.
You may want to install GNU tar or Free paxutils, or check the
command line arguments."
exit 1
;;
*)
echo 1>&2 "\
WARNING: \`$1' is needed, and is $msg.
You might have modified some files without having the
proper tools for further handling them. Check the \`README' file,
it often tells you about the needed prerequisites for installing
this package. You may also peek at any GNU archive site, in case
some other package would contain this missing \`$1' program."
exit 1
;;
esac
exit 0
# Propagate the correct exit status (expected to be 127 for a program
# not found, 63 for a program that failed due to version mismatch).
exit $st
# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:

24
build-android.sh
View File

@ -1,31 +1,25 @@
#!/bin/sh
set -ev
VERSION=4.57
VERSION=5.42
DST=stunnel-$VERSION-android
# to build Zlib:
# export CHOST=arm-linux-androideabi
# ./configure --static --prefix=/opt/androideabi/sysroot
# make
# make install
# to build OpenSSL:
# export CC=arm-linux-androideabi-gcc
# ./Configure linux-armv4 threads no-shared zlib no-dso --openssldir=/opt/androideabi/sysroot
# make
# ./Configure threads no-shared no-dso --cross-compile-prefix=arm-linux-androideabi- --openssldir=/opt/androideabi/sysroot linux-armv4
# make install
test -f Makefile && make distclean
mkdir -p bin/android
cd bin/android
../../configure --build=i686-pc-linux-gnu --host=arm-linux-androideabi --prefix=/data/local --with-ssl=/opt/androideabi/sysroot
../../configure --with-sysroot --build=i686-pc-linux-gnu --host=arm-linux-androideabi --prefix=/data/local
make clean
make
cd ../..
mkdir $DST
cp bin/android/src/stunnel /opt/androideabi/sysroot/bin/openssl $DST
cp bin/android/src/stunnel $DST
# arm-linux-androideabi-strip $DST/stunnel $DST/openssl
arm-linux-androideabi-strip $DST/openssl
# cp /opt/androideabi/sysroot/bin/openssl $DST
# arm-linux-androideabi-strip $DST/openssl
zip -r $DST.zip $DST
rm -rf $DST
sha256sum $DST.zip
mv $DST.zip ../dist/
# sha256sum $DST.zip
# mv $DST.zip ../dist/

6351
configure vendored
View File

File diff suppressed because it is too large Load Diff

492
configure.ac
View File

@ -1,14 +1,14 @@
# Process this file with autoconf to produce a configure script.
AC_INIT([stunnel],[4.57])
AC_INIT([stunnel],[5.42])
AC_MSG_NOTICE([**************************************** initialization])
AC_CONFIG_AUX_DIR(auto)
AC_CONFIG_MACRO_DIR([m4])
AM_INIT_AUTOMAKE(stunnel, 4.57)
AC_CONFIG_HEADERS([src/config.h])
AC_CONFIG_SRCDIR([src/stunnel.c])
AC_DEFINE([_GNU_SOURCE], [1], [Use GNU source])
AM_INIT_AUTOMAKE
AM_CONDITIONAL([AUTHOR_TESTS], [test -d ".git"])
AC_CANONICAL_HOST
AC_SUBST([host])
AC_DEFINE_UNQUOTED([HOST], ["$host"], [Host description])
@ -17,104 +17,116 @@ AC_DEFINE_UNQUOTED(esc(CPU_$host_cpu))
AC_DEFINE_UNQUOTED(esc(VENDOR_$host_vendor))
AC_DEFINE_UNQUOTED(esc(OS_$host_os))
case "$host_os" in
*darwin*)
# OSX does not declare ucontext without _XOPEN_SOURCE
AC_DEFINE([_XOPEN_SOURCE], [500], [Use X/Open 5 with POSIX 1995])
# OSX does not declare chroot() without _DARWIN_C_SOURCE
AC_DEFINE([_DARWIN_C_SOURCE], [1], [Use Darwin source])
;;
*)
AC_DEFINE([_GNU_SOURCE], [1], [Use GNU source])
;;
esac
AC_PROG_CC
AM_PROG_CC_C_O
AC_PROG_INSTALL
AC_PROG_MAKE_SET
# silent build by default
ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
# Checks for typedefs, structures, and compiler characteristics
# AC_C_CONST
# AC_TYPE_SIZE_T
# AC_TYPE_PID_T
# AC_HEADER_TIME
AC_MSG_NOTICE([**************************************** thread model])
# thread detection should be done first, as it may change the CC variable
AC_ARG_WITH(threads,
[ --with-threads=model select threading model (ucontext/pthread/fork)],
[
case "$withval" in
ucontext)
AC_MSG_NOTICE([UCONTEXT mode selected])
AC_DEFINE([USE_UCONTEXT], [1], [Define to 1 to select UCONTEXT mode])
;;
pthread)
AC_MSG_NOTICE([PTHREAD mode selected])
AX_PTHREAD()
LIBS="$PTHREAD_LIBS $LIBS"
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
CC="$PTHREAD_CC"
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
;;
fork)
AC_MSG_NOTICE([FORK mode selected])
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
;;
*)
AC_MSG_ERROR([Unknown thread model \"${withval}\"])
;;
esac
], [
# do not attempt to autodetect UCONTEXT threading
AX_PTHREAD([
AC_MSG_NOTICE([PTHREAD thread model detected])
LIBS="$PTHREAD_LIBS $LIBS"
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
CC="$PTHREAD_CC"
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
], [
AC_MSG_NOTICE([FORK thread model detected])
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
])
])
AC_MSG_NOTICE([**************************************** compiler/linker flags])
AC_SUBST([stunnel_LDFLAGS])
AC_MSG_CHECKING([whether $CC accepts -pthread])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -pthread"
valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -pthread"
AC_LINK_IFELSE([int main() {return 0;}],
[
AC_MSG_RESULT([yes])
AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -pthread"])
AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -pthread"])
], [
AC_MSG_RESULT([no])
])
CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS"
AC_MSG_CHECKING([whether $CC accepts -fstack-protector])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -fstack-protector"
valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -fstack-protector"
AC_LINK_IFELSE([int main() {return 0;}],
[
AC_MSG_RESULT([yes])
AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -fstack-protector"])
AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -fstack-protector"])
], [
AC_MSG_RESULT([no])
])
CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS"
AC_MSG_CHECKING([whether $CC accepts -pie])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -fPIE"
valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -pie -fPIE"
AC_LINK_IFELSE([int main() {return 0;}],
[
AC_MSG_RESULT([yes])
AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -fPIE"])
AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -pie -fPIE"])
], [
AC_MSG_RESULT([no])
])
CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS"
AC_MSG_CHECKING([whether $CC accepts -Wall])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wall"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
AC_MSG_CHECKING([whether $CC accepts -Wextra])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wextra"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
AC_MSG_CHECKING([whether $CC accepts -Wno-long-long])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wno-long-long"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
AC_MSG_CHECKING([whether $CC accepts -pedantic])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -pedantic"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
if test "$GCC" = yes; then
AX_APPEND_COMPILE_FLAGS([-Wall])
AX_APPEND_COMPILE_FLAGS([-Wextra])
AX_APPEND_COMPILE_FLAGS([-Wpedantic])
AX_APPEND_COMPILE_FLAGS([-Wformat=2])
AX_APPEND_COMPILE_FLAGS([-Wconversion])
AX_APPEND_COMPILE_FLAGS([-Wno-long-long])
AX_APPEND_COMPILE_FLAGS([-Wno-deprecated-declarations])
AX_APPEND_COMPILE_FLAGS([-fPIE])
case "${host}" in
avr-*.* | powerpc-*-aix* | rl78-*.* | visium-*.*)
;;
*)
AX_APPEND_COMPILE_FLAGS([-fstack-protector])
;;
esac
AX_APPEND_LINK_FLAGS([-fPIE -pie])
AX_APPEND_LINK_FLAGS([-Wl,-z,relro])
AX_APPEND_LINK_FLAGS([-Wl,-z,now])
AX_APPEND_LINK_FLAGS([-Wl,-z,noexecstack])
fi
AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2])
AC_MSG_NOTICE([**************************************** libtool])
LT_INIT([disable-static])
AC_SUBST([LIBTOOL_DEPS])
AC_MSG_NOTICE([**************************************** types])
AC_CHECK_SIZEOF(unsigned char)
AC_CHECK_SIZEOF(unsigned short)
AC_CHECK_SIZEOF(unsigned int)
AC_CHECK_SIZEOF(unsigned long)
AC_TYPE_INT8_T
AC_TYPE_INT16_T
AC_TYPE_INT32_T
AC_TYPE_INT64_T
AC_TYPE_UINT8_T
AC_TYPE_UINT16_T
AC_TYPE_UINT32_T
AC_TYPE_UINT64_T
AC_TYPE_SIZE_T
AC_TYPE_SSIZE_T
AC_TYPE_UID_T
AC_MSG_CHECKING([for socklen_t])
AC_EGREP_HEADER(socklen_t, sys/socket.h,
AC_MSG_RESULT([yes]),
AC_MSG_RESULT([no (defined as int)])
AC_DEFINE([socklen_t], [int], [Type of socklen_t]))
AC_CHECK_TYPES([struct sockaddr_un], [], [], [#include <sys/un.h>])
AC_CHECK_TYPES([struct addrinfo], [], [], [#include <netdb.h>])
AC_MSG_NOTICE([**************************************** PTY device files])
if test "$cross_compiling" = "no"; then
if test "x$cross_compiling" = "xno"; then
AC_CHECK_FILE("/dev/ptmx", AC_DEFINE([HAVE_DEV_PTMX], [1],
[Define to 1 if you have '/dev/ptmx' device.]))
AC_CHECK_FILE("/dev/ptc", AC_DEFINE([HAVE_DEV_PTS_AND_PTC], [1],
@ -125,13 +137,14 @@ fi
AC_MSG_NOTICE([**************************************** entropy sources])
if test "$cross_compiling" = "no"; then
if test "x$cross_compiling" = "xno"; then
AC_ARG_WITH(egd-socket,
[ --with-egd-socket=FILE Entropy Gathering Daemon socket path],
[EGD_SOCKET="$withval"]
)
if test -n "$EGD_SOCKET"; then
AC_DEFINE_UNQUOTED([EGD_SOCKET], ["$EGD_SOCKET"], [Entropy Gathering Daemon socket path])
AC_DEFINE_UNQUOTED([EGD_SOCKET], ["$EGD_SOCKET"],
[Entropy Gathering Daemon socket path])
fi
# Check for user-specified random device
@ -153,7 +166,7 @@ fi
AC_MSG_NOTICE([**************************************** default group])
DEFAULT_GROUP=nobody
if test "$cross_compiling" = "no"; then
if test "x$cross_compiling" = "xno"; then
grep '^nogroup:' /etc/group >/dev/null && DEFAULT_GROUP=nogroup
else
AC_MSG_WARN([cross-compilation: assuming nogroup is not available])
@ -162,12 +175,17 @@ AC_MSG_CHECKING([for default group])
AC_MSG_RESULT([$DEFAULT_GROUP])
AC_SUBST([DEFAULT_GROUP])
AC_SYS_LARGEFILE
AC_MSG_NOTICE([**************************************** header files])
# AC_HEADER_DIRENT
# AC_HEADER_STDC
# AC_HEADER_SYS_WAIT
AC_CHECK_HEADERS([malloc.h ucontext.h pthread.h poll.h tcpd.h stropts.h grp.h unistd.h util.h libutil.h pty.h])
AC_CHECK_HEADERS([sys/types.h sys/select.h sys/poll.h sys/socket.h sys/un.h sys/ioctl.h sys/filio.h sys/resource.h sys/uio.h])
AC_CHECK_HEADERS([stdint.h inttypes.h malloc.h ucontext.h pthread.h poll.h \
tcpd.h stropts.h grp.h unistd.h util.h libutil.h pty.h limits.h])
AC_CHECK_HEADERS([sys/types.h sys/select.h sys/poll.h sys/socket.h sys/un.h \
sys/ioctl.h sys/filio.h sys/resource.h sys/uio.h sys/syscall.h])
AC_CHECK_HEADERS([linux/sched.h])
AC_CHECK_MEMBERS([struct msghdr.msg_control],
[AC_DEFINE([HAVE_MSGHDR_MSG_CONTROL], [1],
[Define to 1 if you have 'msghdr.msg_control' structure.])], [], [
@ -188,102 +206,22 @@ AC_SEARCH_LIBS([gethostbyname], [nsl])
AC_SEARCH_LIBS([yp_get_default_domain], [nsl])
AC_SEARCH_LIBS([socket], [socket])
AC_SEARCH_LIBS([openpty], [util])
# Checks for dynamic loader and zlib needed by OpenSSL
# Checks for dynamic loader needed by OpenSSL
AC_SEARCH_LIBS([dlopen], [dl])
AC_SEARCH_LIBS([shl_load], [dld])
AC_SEARCH_LIBS([inflateEnd], [z])
# Add BeOS libraries
if test "$host_os" = "beos"; then
if test "x$host_os" = "xbeos"; then
LIBS="$LIBS -lbe -lroot -lbind"
fi
AC_MSG_NOTICE([**************************************** thread model])
checkpthreadlib() { :
# 1. BSD hack: attempt to use alternative libc implementation if available
AC_CHECK_LIB([c_r], [pthread_create],
[
LIBS="$LIBS -pthread"
HAVE_LIBPTHREAD="yes"
AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.])
]
)
# 2. try to use from standard libc (required by Android and possibly other platforms)
AC_CHECK_LIB([c], [pthread_create],
[
HAVE_LIBPTHREAD="yes"
AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.])
]
)
# 3. try libpthread: OSF hack instead of simple AC_CHECK_LIB here
AC_MSG_CHECKING([for pthread_create in -lpthread])
valid_LIBS="$LIBS"
LIBS="$valid_LIBS -lpthread"
AC_LINK_IFELSE(
[AC_LANG_PROGRAM(
[
#include <pthread.h>
],
[
pthread_create((void *)0, (void *)0, (void *)0, (void *)0)
]
)],
[
AC_MSG_RESULT([yes])
HAVE_LIBPTHREAD="yes"
AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.])
], [
AC_MSG_RESULT([no])
LIBS="$valid_LIBS"
]
)
}
AC_ARG_WITH(threads,
[ --with-threads=model select threading model (ucontext/pthread/fork)],
[
case "$withval" in
ucontext)
AC_MSG_NOTICE([UCONTEXT mode selected])
AC_DEFINE([USE_UCONTEXT], [1], [Define to 1 to select UCONTEXT mode])
;;
pthread)
checkpthreadlib
AC_MSG_NOTICE([PTHREAD mode selected])
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
;;
fork)
AC_MSG_NOTICE([FORK mode selected])
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
;;
*)
AC_MSG_ERROR([Unknown thread model \"${withval}\"])
;;
esac
], [
checkpthreadlib
if test "$HAVE_LIBPTHREAD" = "yes" -a "$ac_cv_header_pthread_h" = "yes"; then
AC_MSG_NOTICE([PTHREAD thread model detected])
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
elif test "$ac_cv_func_getcontext" = "yes" -a "$ac_cv_header_ucontext_h" = "yes"; then
AC_MSG_NOTICE([UCONTEXT thread model detected])
AC_DEFINE([USE_UCONTEXT], [1], [Define to 1 to select UCONTEXT mode])
else
AC_MSG_NOTICE([FORK thread model detected])
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
fi
])
AC_MSG_NOTICE([**************************************** library functions])
# safe string operations
AC_CHECK_FUNCS(snprintf vsnprintf)
# pseudoterminal
AC_CHECK_FUNCS(openpty _getpty)
# Unix
AC_CHECK_FUNCS(daemon waitpid wait4 setsid setgroups chroot)
AC_CHECK_FUNCS(daemon waitpid wait4 setsid setgroups chroot realpath)
# limits
AC_CHECK_FUNCS(sysconf getrlimit)
# threads/reentrant functions
@ -316,10 +254,10 @@ getaddrinfo(NULL, NULL, NULL, NULL);
[AC_MSG_RESULT([no])])
;;
esac
# poll() is not recommended on Mac OS X <=10.3 and broken on Mac OS X >=10.4
# poll() is not recommended on Mac OS X <= 10.3 and broken on Mac OS X 10.4
AC_MSG_CHECKING([for broken poll() implementation])
case "$host_os" in
darwin*)
darwin[0-8].*)
AC_MSG_RESULT([yes (poll() disabled)])
AC_DEFINE([BROKEN_POLL], [1], [Define to 1 if you have a broken 'poll' implementation.])
;;
@ -334,11 +272,12 @@ AC_MSG_NOTICE([**************************************** optional features])
# Use IPv6?
AC_MSG_CHECKING([whether to enable IPv6 support])
AC_ARG_ENABLE(ipv6,
[ --enable-ipv6 Enable IPv6 support],
[ --disable-ipv6 disable IPv6 support],
[
case "$enableval" in
yes) AC_MSG_RESULT([yes])
AC_DEFINE([USE_IPv6], [1], [Define to 1 to enable IPv6 support])
AC_DEFINE([USE_IPv6], [1],
[Define to 1 to enable IPv6 support])
;;
no) AC_MSG_RESULT([no])
;;
@ -346,23 +285,86 @@ AC_ARG_ENABLE(ipv6,
AC_MSG_ERROR([bad value \"${enableval}\"])
;;
esac
], [
AC_MSG_RESULT([yes (default)])
AC_DEFINE([USE_IPv6], [1], [Define to 1 to enable IPv6 support])
], [
AC_MSG_RESULT([no])
]
)
# FIPS Mode
AC_MSG_CHECKING([whether to enable FIPS support])
AC_ARG_ENABLE(fips,
[ --disable-fips disable OpenSSL FIPS support],
[
case "$enableval" in
yes) AC_MSG_RESULT([no])
use_fips="yes"
AC_DEFINE([USE_FIPS], [1],
[Define to 1 to enable OpenSSL FIPS support])
;;
no) AC_MSG_RESULT([no])
use_fips="no"
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([bad value \"${enableval}\"])
;;
esac
],
[AC_MSG_RESULT([yes]); AC_DEFINE([USE_IPv6], [1], [Define to 1 to enable IPv6 support])],
[AC_MSG_RESULT([no])]
[
use_fips="auto"
AC_MSG_RESULT([autodetecting])
]
)
# Disable systemd socket activation support
AC_MSG_CHECKING([whether to enable systemd socket activation support])
AC_ARG_ENABLE(systemd,
[ --disable-systemd disable systemd socket activation support],
[
case "$enableval" in
yes) AC_MSG_RESULT([yes])
AC_SEARCH_LIBS([sd_listen_fds], [systemd systemd-daemon])
AC_DEFINE([USE_SYSTEMD], [1],
[Define to 1 to enable systemd socket activation])
;;
no) AC_MSG_RESULT([no])
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([Bad value \"${enableval}\"])
;;
esac
],
[
AC_MSG_RESULT([autodetecting])
# the library name has changed to -lsystemd in systemd 209
AC_SEARCH_LIBS([sd_listen_fds], [systemd systemd-daemon],
[ AC_CHECK_HEADERS([systemd/sd-daemon.h], [
AC_DEFINE([USE_SYSTEMD], [1],
[Define to 1 to enable systemd socket activation])
AC_MSG_NOTICE([systemd support enabled])
], [
AC_MSG_NOTICE([systemd header not found])
]) ], [
AC_MSG_NOTICE([systemd library not found])
])
]
)
# Disable use of libwrap (TCP wrappers)
# it should be the last check!
AC_MSG_CHECKING([whether to disable TCP wrappers library support])
AC_MSG_CHECKING([whether to enable TCP wrappers support])
AC_ARG_ENABLE(libwrap,
[ --disable-libwrap Disable TCP wrappers library support],
[ --disable-libwrap disable TCP wrappers support],
[
case "$enableval" in
yes) AC_MSG_RESULT([no])
AC_DEFINE([HAVE_LIBWRAP], [1], [Define to 1 if you have 'libwrap' library.])
yes) AC_MSG_RESULT([yes])
AC_DEFINE([USE_LIBWRAP], [1],
[Define to 1 to enable TCP wrappers support])
LIBS="$LIBS -lwrap"
;;
no) AC_MSG_RESULT([yes])
no) AC_MSG_RESULT([no])
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([Bad value \"${enableval}\"])
@ -375,106 +377,83 @@ AC_ARG_ENABLE(libwrap,
valid_LIBS="$LIBS"
LIBS="$valid_LIBS -lwrap"
AC_LINK_IFELSE(
[AC_LANG_PROGRAM(
[
int hosts_access(); int allow_severity, deny_severity;
],
[
hosts_access()
]
)],
[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_LIBWRAP], [1], [Define to 1 if you have 'libwrap' library.])],
[AC_MSG_RESULT([no]); LIBS="$valid_LIBS"]
[
AC_LANG_PROGRAM(
[int hosts_access(); int allow_severity, deny_severity;],
[hosts_access()])
], [
AC_MSG_RESULT([yes]);
AC_DEFINE([USE_LIBWRAP], [1],
[Define to 1 to enable TCP wrappers support])
AC_MSG_NOTICE([libwrap support enabled])
], [
AC_MSG_RESULT([no])
LIBS="$valid_LIBS"
AC_MSG_NOTICE([libwrap library not found])
]
)
]
)
# FIPS Mode
AC_MSG_CHECKING([whether to enable FIPS mode support])
AC_ARG_ENABLE(fips,
[ --enable-fips Enable OpenSSL FIPS mode],
[
case "$enableval" in
yes) AC_MSG_RESULT([yes])
sub_dirs="/ssl/fips /ssl/fips-1.0 /"
fips="yes"
AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS mode])
;;
no) AC_MSG_RESULT([no])
sub_dirs="/ssl /openssl /"
fips="no"
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([bad value \"${enableval}\"])
;;
esac
],
[
sub_dirs="/ssl/fips /ssl/fips-1.0 /ssl /openssl /"
fips="auto"
AC_MSG_RESULT([autodetecting])
]
)
AC_MSG_NOTICE([**************************************** TLS])
AC_MSG_CHECKING([for compiler sysroot])
if test "x$GCC" = "xyes"; then
sysroot=`$CC --print-sysroot 2>/dev/null`
fi
if test -z "$sysroot" -o "x$sysroot" = "x/"; then
sysroot=""
AC_MSG_RESULT([/])
else
AC_MSG_RESULT([$sysroot])
fi
AC_MSG_NOTICE([**************************************** SSL])
check_ssl_dir() { :
SSLDIR="$1"
if test -f "$1/include/openssl/ssl.h"; then
return 0
fi
return 1
test -n "$1" -a -f "$1/include/openssl/ssl.h" && SSLDIR="$1"
}
# Check for SSL directory
AC_MSG_CHECKING([for SSL directory])
AC_ARG_WITH(ssl,
[ --with-ssl=DIR location of installed SSL libraries/include files],
[
check_ssl_dir "$withval"
],
[
for main_dir in /usr/local /usr/lib /usr/pkg /opt/local /opt /usr; do
for sub_dir in $sub_dirs; do
check_ssl_dir "$main_dir$sub_dir" && break 2
done
find_ssl_dir() { :
stunnel_prefix="$prefix"
test "x$stunnel_prefix" = "xNONE" && stunnel_prefix=$ac_default_prefix
for main_dir in "$stunnel_prefix" "/usr/local" "/usr/lib" "/usr/pkg" "/opt/local" "/opt" "/opt/csw" "/usr" ""; do
for sub_dir in "/ssl" "/openssl" "/ossl" ""; do
check_ssl_dir "$sysroot$main_dir$sub_dir" && return
done
]
done
if test -x "/usr/bin/xcrun"; then
sdk_path=`/usr/bin/xcrun --sdk macosx --show-sdk-path`
check_ssl_dir "$sdk_path/usr" && return
fi
check_ssl_dir "/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-migrator/sdk/MacOSX.sdk/usr"
}
SSLDIR=""
AC_MSG_CHECKING([for TLS directory])
AC_ARG_WITH(ssl,
[ --with-ssl=DIR location of installed TLS libraries/include files],
[check_ssl_dir "$withval"],
[find_ssl_dir]
)
if test ! -d "$SSLDIR"; then
if test -z "$SSLDIR"; then
AC_MSG_RESULT([not found])
AC_MSG_ERROR([
Couldn't find your SSL library installation dir
Could not find your TLS library installation dir
Use --with-ssl option to fix this problem
])
fi
AC_MSG_RESULT([$SSLDIR])
AC_SUBST([SSLDIR])
AC_DEFINE_UNQUOTED([SSLDIR], ["$SSLDIR"], [SSL directory])
AC_DEFINE_UNQUOTED([SSLDIR], ["$SSLDIR"], [TLS directory])
valid_CPPFLAGS="$CPPFLAGS"; CPPFLAGS="$CPPFLAGS -I$SSLDIR/include"
valid_LIBS="$LIBS"; LIBS="$LIBS -L$SSLDIR/lib64 -L$SSLDIR/lib -lssl -lcrypto"
AC_CHECK_HEADER([$SSLDIR/include/openssl/engine.h],
[AC_DEFINE([HAVE_OSSL_ENGINE_H], [1],
[Define to 1 if you have <engine.h> header file.])],
[AC_MSG_WARN([OpenSSL engine header not found])])
AC_CHECK_HEADER([$SSLDIR/include/openssl/ocsp.h],
[AC_DEFINE([HAVE_OSSL_OCSP_H], [1],
[Define to 1 if you have <ocsp.h> header file.])],
[AC_MSG_WARN([OpenSSL ocsp header not found])])
AC_CHECK_HEADER([$SSLDIR/include/openssl/fips.h],
[AC_DEFINE([HAVE_OSSL_FIPS_H], [1],
[Define to 1 if you have <fips.h> header file.])],
[AC_MSG_WARN([OpenSSL fips header not found])])
if test "$fips" = "auto"; then
if test "x$use_fips" = "xauto"; then
AC_CHECK_FUNCS(FIPS_mode_set, [
AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS mode.])
AC_MSG_NOTICE([FIPS mode detected])
AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS support])
AC_MSG_NOTICE([FIPS support enabled])
], [
AC_MSG_NOTICE([FIPS mode not detected])
AC_MSG_NOTICE([FIPS support not found])
])
fi
@ -482,8 +461,9 @@ CPPFLAGS="$valid_CPPFLAGS"
LIBS="$valid_LIBS"
AC_MSG_NOTICE([**************************************** write the results])
AC_CONFIG_FILES([Makefile src/Makefile src/stunnel3 doc/Makefile tools/Makefile tools/stunnel.conf-sample tools/stunnel.init tools/stunnel.service])
AC_CONFIG_FILES([Makefile src/Makefile doc/Makefile tools/Makefile])
AC_OUTPUT
AC_MSG_NOTICE([**************************************** success])
# vim:ft=automake
# End of configure.ac

36
doc/Makefile.am
View File

@ -1,21 +1,35 @@
## Process this file with automake to produce Makefile.in
# by Michal Trojnara 2015-2017
EXTRA_DIST = stunnel.pod stunnel.pl.pod stunnel.fr.pod \
stunnel.8 stunnel.pl.8 stunnel.fr.8 \
stunnel.html stunnel.pl.html stunnel.fr.html en pl
EXTRA_DIST = stunnel.pod.in stunnel.8.in stunnel.html.in en
EXTRA_DIST += stunnel.pl.pod.in stunnel.pl.8.in stunnel.pl.html.in pl
man_MANS = stunnel.8 stunnel.pl.8 stunnel.fr.8
man_MANS = stunnel.8 stunnel.pl.8
docdir = $(datadir)/doc/stunnel
doc_DATA = stunnel.html stunnel.pl.html stunnel.fr.html
doc_DATA = stunnel.html stunnel.pl.html
SUFFIXES = .pod .8 .html
CLEANFILES = $(man_MANS) $(doc_DATA)
.pod.8:
pod2man -u --section=8 --release=$(VERSION) --center=stunnel \
--date=`date +%Y.%m.%d` $< $@
SUFFIXES = .pod.in .8.in .html.in
.pod.html:
pod2html --noindex --title stunnel.8 --infile=$< --outfile=$@
.pod.in.8.in:
pod2man -u -n stunnel -s 8 -r $(VERSION) \
-c "stunnel TLS Proxy" -d `date +%Y.%m.%d` $< $@
.pod.in.html.in:
pod2html --index --backlink --header \
--title "stunnel TLS Proxy" --infile=$< --outfile=$@
rm -f pod2htmd.tmp pod2htmi.tmp
edit = sed \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g'
$(man_MANS) $(doc_DATA): Makefile
$(edit) '$(srcdir)/$@.in' >$@
stunnel.8: $(srcdir)/stunnel.8.in
stunnel.html: $(srcdir)/stunnel.html.in
stunnel.pl.8: $(srcdir)/stunnel.pl.8.in
stunnel.pl.html: $(srcdir)/stunnel.pl.html.in

216
doc/Makefile.in
View File

@ -1,9 +1,8 @@
# Makefile.in generated by automake 1.11.1 from Makefile.am.
# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
# Inc.
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@ -15,7 +14,54 @@
@SET_MAKE@
# by Michal Trojnara 2015-2017
VPATH = @srcdir@
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@ -35,7 +81,7 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = doc
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
@ -47,8 +93,25 @@ mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/src/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
SOURCES =
DIST_SOURCES =
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@ -70,14 +133,22 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
man8dir = $(mandir)/man8
am__installdirs = "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(docdir)"
NROFF = nroff
MANS = $(man_MANS)
DATA = $(doc_DATA)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
@ -92,6 +163,7 @@ CYGPATH_W = @CYGPATH_W@
DEFAULT_GROUP = @DEFAULT_GROUP@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@ -116,6 +188,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
@ -131,6 +204,9 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PTHREAD_CC = @PTHREAD_CC@
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
PTHREAD_LIBS = @PTHREAD_LIBS@
RANDOM_FILE = @RANDOM_FILE@
RANLIB = @RANLIB@
SED = @SED@
@ -143,6 +219,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@ -150,6 +227,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
ax_pthread_config = @ax_pthread_config@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@ -175,7 +253,6 @@ libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
lt_ECHO = @lt_ECHO@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
@ -183,28 +260,29 @@ pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
stunnel_CFLAGS = @stunnel_CFLAGS@
stunnel_LDFLAGF = @stunnel_LDFLAGF@
stunnel_LDFLAGS = @stunnel_LDFLAGS@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
EXTRA_DIST = stunnel.pod stunnel.pl.pod stunnel.fr.pod \
stunnel.8 stunnel.pl.8 stunnel.fr.8 \
stunnel.html stunnel.pl.html stunnel.fr.html en pl
EXTRA_DIST = stunnel.pod.in stunnel.8.in stunnel.html.in en \
stunnel.pl.pod.in stunnel.pl.8.in stunnel.pl.html.in pl
man_MANS = stunnel.8 stunnel.pl.8
doc_DATA = stunnel.html stunnel.pl.html
CLEANFILES = $(man_MANS) $(doc_DATA)
SUFFIXES = .pod.in .8.in .html.in
edit = sed \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g'
man_MANS = stunnel.8 stunnel.pl.8 stunnel.fr.8
doc_DATA = stunnel.html stunnel.pl.html stunnel.fr.html
SUFFIXES = .pod .8 .html
all: all-am
.SUFFIXES:
.SUFFIXES: .pod .8 .html
.SUFFIXES: .pod.in .8.in .html.in
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
@ -243,11 +321,18 @@ clean-libtool:
-rm -rf .libs _libs
install-man8: $(man_MANS)
@$(NORMAL_INSTALL)
test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
@list=''; test -n "$(man8dir)" || exit 0; \
{ for i in $$list; do echo "$$i"; done; \
l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
sed -n '/\.8[a-z]*$$/p'; \
@list1=''; \
list2='$(man_MANS)'; \
test -n "$(man8dir)" \
&& test -n "`echo $$list1$$list2`" \
|| exit 0; \
echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
{ for i in $$list1; do echo "$$i"; done; \
if test -n "$$list2"; then \
for i in $$list2; do echo "$$i"; done \
| sed -n '/\.8[a-z]*$$/p'; \
fi; \
} | while read p; do \
if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; echo "$$p"; \
@ -276,13 +361,14 @@ uninstall-man8:
sed -n '/\.8[a-z]*$$/p'; \
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
test -z "$$files" || { \
echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
install-docDATA: $(doc_DATA)
@$(NORMAL_INSTALL)
test -z "$(docdir)" || $(MKDIR_P) "$(DESTDIR)$(docdir)"
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
@ -296,30 +382,15 @@ uninstall-docDATA:
@$(NORMAL_UNINSTALL)
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
test -n "$$files" || exit 0; \
echo " ( cd '$(DESTDIR)$(docdir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(docdir)" && rm -f $$files
tags: TAGS
TAGS:
dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir)
tags TAGS:
ctags: CTAGS
CTAGS:
ctags CTAGS:
cscope cscopelist:
distdir: $(DISTFILES)
@list='$(MANS)'; if test -n "$$list"; then \
list=`for p in $$list; do \
if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
if test -n "$$list" && \
grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \
echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \
echo " typically \`make maintainer-clean' will remove them" >&2; \
exit 1; \
else :; fi; \
else :; fi
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
@ -366,13 +437,19 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
`test -z '$(STRIP)' || \
echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
@ -452,27 +529,36 @@ uninstall-man: uninstall-man8
.MAKE: install-am install-strip
.PHONY: all all-am check check-am clean clean-generic clean-libtool \
distclean distclean-generic distclean-libtool distdir dvi \
dvi-am html html-am info info-am install install-am \
install-data install-data-am install-docDATA install-dvi \
install-dvi-am install-exec install-exec-am install-html \
install-html-am install-info install-info-am install-man \
install-man8 install-pdf install-pdf-am install-ps \
install-ps-am install-strip installcheck installcheck-am \
installdirs maintainer-clean maintainer-clean-generic \
mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
ps ps-am uninstall uninstall-am uninstall-docDATA \
uninstall-man uninstall-man8
cscopelist-am ctags-am distclean distclean-generic \
distclean-libtool distdir dvi dvi-am html html-am info info-am \
install install-am install-data install-data-am \
install-docDATA install-dvi install-dvi-am install-exec \
install-exec-am install-html install-html-am install-info \
install-info-am install-man install-man8 install-pdf \
install-pdf-am install-ps install-ps-am install-strip \
installcheck installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-generic \
mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \
uninstall-am uninstall-docDATA uninstall-man uninstall-man8
.pod.8:
pod2man -u --section=8 --release=$(VERSION) --center=stunnel \
--date=`date +%Y.%m.%d` $< $@
.pod.in.8.in:
pod2man -u -n stunnel -s 8 -r $(VERSION) \
-c "stunnel TLS Proxy" -d `date +%Y.%m.%d` $< $@
.pod.html:
pod2html --noindex --title stunnel.8 --infile=$< --outfile=$@
.pod.in.html.in:
pod2html --index --backlink --header \
--title "stunnel TLS Proxy" --infile=$< --outfile=$@
rm -f pod2htmd.tmp pod2htmi.tmp
$(man_MANS) $(doc_DATA): Makefile
$(edit) '$(srcdir)/$@.in' >$@
stunnel.8: $(srcdir)/stunnel.8.in
stunnel.html: $(srcdir)/stunnel.html.in
stunnel.pl.8: $(srcdir)/stunnel.pl.8.in
stunnel.pl.html: $(srcdir)/stunnel.pl.html.in
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:

20
doc/en/VNC_StunnelHOWTO.html
View File

@ -36,8 +36,8 @@ HOWTO and then we'll look at the theory behind all this.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">Download and install openSSL,
SSLEay, and Stunnel on the Linux/Unix box. Download the modules.</P>
<LI><P STYLE="margin-bottom: 0cm">Download and install OpenSSL,
SSLeay, and Stunnel on the Linux/Unix box. Download the modules.</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">a)
[root@anthrax$]gunzip openssl-x.xx.tar.gz (repeat for all 3 the
@ -52,7 +52,7 @@ modules)</P>
save the file as VNCRegEdit.REG on the Windows 2000 box</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">--cut here and copy
to VNCRegEdit.REG the double click file to
to VNCRegEdit.REG then double click the file to
import--<BR>REGEDIT4<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3]<BR>AllowLoopback=dword:00000001<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\Default]<BR>AllowLoopback=dword:00000001<BR>--stop
here--<BR><BR>
</P>
@ -87,7 +87,7 @@ here--<BR><BR>
execute the following command and let it run in its own terminal.</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">stunnel -d 5900 -r
unix.ip.adress:5900 -c</P>
unix.ip.address:5900 -c</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">.</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">And on the Windows 2000 machine
@ -109,7 +109,7 @@ the window</P>
2000 command as follows:
</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">stunnel -d 5902 -r
unix.ip.adress:5902</P>
unix.ip.address:5902</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">and remember to
start another vncserver on the Linux box for each VNC display</P>
<P STYLE="margin-bottom: 0cm"><BR>
@ -165,11 +165,11 @@ desired &quot;display&quot; number.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">To connect from the client machine you
need to enter the client machines IP address and the &quot;display&quot;
need to enter the client machine's IP address and the &quot;display&quot;
(from the port conversion). But VNC will think that you are trying to
connect to the local machine and does not allow this. To override
this add the following to you registry.<BR><BR>--cut here and copy to
anything.reg. the double click file to
this add the following to your registry.<BR><BR>--cut here and copy to
anything.reg. then double click the file to
import--<BR>REGEDIT4<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3]<BR>AllowLoopback=dword:00000001<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\Default]<BR>AllowLoopback=dword:00000001<BR>--stop
here--<BR><BR>Now VNC will not complain. So you need to always run
stunnel in client mode on the Windows machine and then connect with
@ -182,9 +182,9 @@ way, *NIX doesn't complain about this. There is no setting needed if
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">Unfortunately this will not work well
with the build in web version. If you did not known about it, try
with the built-in web version. If you did not known about it, try
http'ing into a machine running VNC server on it, to port 58XX (where
XX is the display number), and the Java client will be loaded.<BR><BR>
</P>
</BODY>
</HTML>
</HTML>

4
doc/pl/tworzenie_certyfikatow.html
View File

@ -93,7 +93,7 @@ private key</I>
# private random number file</I>
<BR><I>&nbsp;</I>
<BR><I>x509_extensions = usr_cert&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# The extentions to add to the cert</I>
# The extensions to add to the cert</I>
<BR><I>crl_extensions&nbsp; = crl_ext&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# Extensions to add to CRL</I>
<BR><I>default_days&nbsp;&nbsp;&nbsp; = 365&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
@ -147,7 +147,7 @@ look</I>
<BR><I>distinguished_name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = req_distinguished_name</I>
<BR><I>attributes&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= req_attributes</I>
<BR><I>x509_extensions = v3_ca # The extentions to add to the self signed
<BR><I>x509_extensions = v3_ca # The extensions to add to the self signed
cert</I>
<BR><I>&nbsp;</I>
<BR><I>[ req_distinguished_name ]</I>

993
doc/stunnel.8
View File

@ -1,993 +0,0 @@
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\" ========================================================================
.\"
.IX Title "STUNNEL 8"
.TH STUNNEL 8 "2013.03.20" "4.56" "stunnel"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
stunnel \- universal SSL tunnel
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.IP "\fBUnix:\fR" 4
.IX Item "Unix:"
\&\fBstunnel\fR [<filename>] | \-fd n | \-help | \-version | \-sockets
.IP "\fB\s-1WIN32:\s0\fR" 4
.IX Item "WIN32:"
\&\fBstunnel\fR [ [\-install | \-uninstall | \-start | \-stop] | \-exit]
[\-quiet] [<filename>] ] | \-help | \-version | \-sockets
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBstunnel\fR program is designed to work as \fI\s-1SSL\s0\fR encryption wrapper
between remote clients and local (\fIinetd\fR\-startable) or remote
servers. The concept is that having non-SSL aware daemons running on
your system you can easily set them up to communicate with clients over
secure \s-1SSL\s0 channels.
.PP
\&\fBstunnel\fR can be used to add \s-1SSL\s0 functionality to commonly used \fIInetd\fR
daemons like \s-1POP\-2\s0, \s-1POP\-3\s0, and \s-1IMAP\s0 servers, to standalone daemons like
\&\s-1NNTP\s0, \s-1SMTP\s0 and \s-1HTTP\s0, and in tunneling \s-1PPP\s0 over network sockets without
changes to the source code.
.PP
This product includes cryptographic software written by
Eric Young (eay@cryptsoft.com)
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "<\fBfilename\fR>" 4
.IX Item "<filename>"
Use specified configuration file
.IP "\fB\-fd n\fR (Unix only)" 4
.IX Item "-fd n (Unix only)"
Read the config file from specified file descriptor
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print \fBstunnel\fR help menu
.IP "\fB\-version\fR" 4
.IX Item "-version"
Print \fBstunnel\fR version and compile time defaults
.IP "\fB\-sockets\fR" 4
.IX Item "-sockets"
Print default socket options
.IP "\fB\-install\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-install (NT/2000/XP only)"
Install \s-1NT\s0 Service
.IP "\fB\-uninstall\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-uninstall (NT/2000/XP only)"
Uninstall \s-1NT\s0 Service
.IP "\fB\-start\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-start (NT/2000/XP only)"
Start \s-1NT\s0 Service
.IP "\fB\-stop\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-stop (NT/2000/XP only)"
Stop \s-1NT\s0 Service
.IP "\fB\-exit\fR (Win32 only)" 4
.IX Item "-exit (Win32 only)"
Exit an already started stunnel
.IP "\fB\-quiet\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-quiet (NT/2000/XP only)"
Don't display any message boxes
.SH "CONFIGURATION FILE"
.IX Header "CONFIGURATION FILE"
Each line of the configuration file can be either:
.IP "\(bu" 4
An empty line (ignored).
.IP "\(bu" 4
A comment starting with ';' (ignored).
.IP "\(bu" 4
An 'option_name = option_value' pair.
.IP "\(bu" 4
\&'[service_name]' indicating a start of a service definition.
.PP
An address parameter of an option may be either:
.IP "\(bu" 4
A port number.
.IP "\(bu" 4
A colon-separated pair of \s-1IP\s0 address (either IPv4, IPv6, or domain name) and port number.
.IP "\(bu" 4
A Unix socket path (Unix only).
.SS "\s-1GLOBAL\s0 \s-1OPTIONS\s0"
.IX Subsection "GLOBAL OPTIONS"
.IP "\fBchroot\fR = directory (Unix only)" 4
.IX Item "chroot = directory (Unix only)"
directory to chroot \fBstunnel\fR process
.Sp
\&\fBchroot\fR keeps \fBstunnel\fR in chrooted jail. \fICApath\fR, \fICRLpath\fR, \fIpid\fR
and \fIexec\fR are located inside the jail and the patches have to be relative
to the directory specified with \fBchroot\fR.
.Sp
Several functions of the operating system also need their files to be located within chroot jail, e.g.:
.RS 4
.IP "\(bu" 4
Delayed resolver typically needs /etc/nsswitch.conf and /etc/resolv.conf.
.IP "\(bu" 4
Local time in log files needs /etc/timezone.
.IP "\(bu" 4
Some other functions may need devices, e.g. /dev/zero or /dev/null.
.RE
.RS 4
.RE
.IP "\fBcompression\fR = deflate | zlib | rle" 4
.IX Item "compression = deflate | zlib | rle"
select data compression algorithm
.Sp
default: no compression
.Sp
deflate is the standard compression method as described in \s-1RFC\s0 1951.
.Sp
zlib compression of \fBOpenSSL 0.9.8\fR or above is not backward compatible with
\&\fBOpenSSL 0.9.7\fR.
.Sp
rle compression is currently not implemented by the \fBOpenSSL\fR library.
.IP "\fBdebug\fR = [facility.]level" 4
.IX Item "debug = [facility.]level"
debugging level
.Sp
Level is a one of the syslog level names or numbers
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6), or debug (7). All logs for the specified level and
all levels numerically less than it will be shown. Use \fIdebug = debug\fR or
\&\fIdebug = 7\fR for greatest debugging output. The default is notice (5).
.Sp
The syslog facility 'daemon' will be used unless a facility name is supplied.
(Facilities are not supported on Win32.)
.Sp
Case is ignored for both facilities and levels.
.IP "\fB\s-1EGD\s0\fR = egd path (Unix only)" 4
.IX Item "EGD = egd path (Unix only)"
path to Entropy Gathering Daemon socket
.Sp
Entropy Gathering Daemon socket to use to feed \fBOpenSSL\fR random number
generator. (Available only if compiled with \fBOpenSSL 0.9.5a\fR or higher)
.IP "\fBengine\fR = auto | <engine id>" 4
.IX Item "engine = auto | <engine id>"
select hardware engine
.Sp
default: software-only cryptography
.Sp
Here is an example of advanced engine configuration to read private key from an
OpenSC engine
.Sp
.Vb 7
\& engine=dynamic
\& engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so
\& engineCtrl=ID:pkcs11
\& engineCtrl=LIST_ADD:1
\& engineCtrl=LOAD
\& engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc\-pkcs11.so
\& engineCtrl=INIT
\&
\& [service]
\& engineNum=1
\& key=id_45
.Ve
.IP "\fBengineCtrl\fR = command[:parameter]" 4
.IX Item "engineCtrl = command[:parameter]"
control hardware engine
.Sp
Special commands \*(L"\s-1LOAD\s0\*(R" and \*(L"\s-1INIT\s0\*(R" can be used to load and initialize the
engine cryptogaphic module.
.IP "\fBfips\fR = yes | no" 4
.IX Item "fips = yes | no"
Enable or disable \s-1FIPS\s0 140\-2 mode.
.Sp
This option allows to disable entering \s-1FIPS\s0 mode if \fBstunnel\fR was compiled
with \s-1FIPS\s0 140\-2 support.
.Sp
default: yes
.IP "\fBforeground\fR = yes | no (Unix only)" 4
.IX Item "foreground = yes | no (Unix only)"
foreground mode
.Sp
Stay in foreground (don't fork) and log to stderr
instead of via syslog (unless \fIoutput\fR is specified).
.Sp
default: background in daemon mode
.IP "\fBoutput\fR = file" 4
.IX Item "output = file"
append log messages to a file
.Sp
/dev/stdout device can be used to send log messages to the standard
output (for example to log them with daemontools splogger).
.IP "\fBpid\fR = file (Unix only)" 4
.IX Item "pid = file (Unix only)"
pid file location
.Sp
If the argument is empty, then no pid file will be created.
.Sp
\&\fIpid\fR path is relative to \fIchroot\fR directory if specified.
.IP "\fBRNDbytes\fR = bytes" 4
.IX Item "RNDbytes = bytes"
bytes to read from random seed files
.Sp
Number of bytes of data read from random seed files. With \s-1SSL\s0 versions less
than \fB0.9.5a\fR, also determines how many bytes of data are considered
sufficient to seed the \s-1PRNG\s0. More recent \fBOpenSSL\fR versions have a builtin
function to determine when sufficient randomness is available.
.IP "\fBRNDfile\fR = file" 4
.IX Item "RNDfile = file"
path to file with random seed data
.Sp
The \s-1SSL\s0 library will use data from this file first to seed the random
number generator.
.IP "\fBRNDoverwrite\fR = yes | no" 4
.IX Item "RNDoverwrite = yes | no"
overwrite the random seed files with new random data
.Sp
default: yes
.IP "\fBservice\fR = servicename (Unix only)" 4
.IX Item "service = servicename (Unix only)"
use specified string as \fIinetd\fR mode service name for \s-1TCP\s0 Wrapper library
.Sp
default: stunnel
.IP "\fBsetgid\fR = groupname (Unix only)" 4
.IX Item "setgid = groupname (Unix only)"
\&\fIsetgid()\fR to groupname in daemon mode and clears all other groups
.IP "\fBsetuid\fR = username (Unix only)" 4
.IX Item "setuid = username (Unix only)"
\&\fIsetuid()\fR to username in daemon mode
.IP "\fBsocket\fR = a|l|r:option=value[:value]" 4
.IX Item "socket = a|l|r:option=value[:value]"
Set an option on accept/local/remote socket
.Sp
The values for linger option are l_onof:l_linger.
The values for time are tv_sec:tv_usec.
.Sp
Examples:
.Sp
.Vb 9
\& socket = l:SO_LINGER=1:60
\& set one minute timeout for closing local socket
\& socket = r:SO_OOBINLINE=yes
\& place out\-of\-band data directly into the
\& receive data stream for remote sockets
\& socket = a:SO_REUSEADDR=no
\& disable address reuse (enabled by default)
\& socket = a:SO_BINDTODEVICE=lo
\& only accept connections on loopback interface
.Ve
.IP "\fBsyslog\fR = yes | no (Unix only)" 4
.IX Item "syslog = yes | no (Unix only)"
enable logging via syslog
.Sp
default: yes
.IP "\fBtaskbar\fR = yes | no (\s-1WIN32\s0 only)" 4
.IX Item "taskbar = yes | no (WIN32 only)"
enable the taskbar icon
.Sp
default: yes
.SS "SERVICE-LEVEL \s-1OPTIONS\s0"
.IX Subsection "SERVICE-LEVEL OPTIONS"
Each configuration section begins with service name in square brackets.
The service name is used for libwrap (\s-1TCP\s0 Wrappers) access control and lets
you distinguish \fBstunnel\fR services in your log files.
.PP
Note that if you wish to run \fBstunnel\fR in \fIinetd\fR mode (where it
is provided a network socket by a server such as \fIinetd\fR, \fIxinetd\fR,
or \fItcpserver\fR) then you should read the section entitled \fI\s-1INETD\s0 \s-1MODE\s0\fR
below.
.IP "\fBaccept\fR = address" 4
.IX Item "accept = address"
accept connections on specified address
.Sp
If no host specified, defaults to all IPv4 addresses for the local host.
.Sp
To listen on all IPv6 addresses use:
.Sp
.Vb 1
\& connect = :::port
.Ve
.IP "\fBCApath\fR = directory" 4
.IX Item "CApath = directory"
Certificate Authority directory
.Sp
This is the directory in which \fBstunnel\fR will look for certificates when using
the \fIverify\fR. Note that the certificates in this directory should be named
\&\s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1DER\s0 encoded subject of the
cert.
.Sp
The hash algorithm has been changed in \fBOpenSSL 1.0.0\fR. It is required to
c_rehash the directory on upgrade from \fBOpenSSL 0.x.x\fR to \fBOpenSSL 1.x.x\fR.
.Sp
\&\fICApath\fR path is relative to \fIchroot\fR directory if specified.
.IP "\fBCAfile\fR = certfile" 4
.IX Item "CAfile = certfile"
Certificate Authority file
.Sp
This file contains multiple \s-1CA\s0 certificates, used with the \fIverify\fR.
.IP "\fBcert\fR = pemfile" 4
.IX Item "cert = pemfile"
certificate chain \s-1PEM\s0 file name
.Sp
A \s-1PEM\s0 is always needed in server mode.
Specifying this flag in client mode will use this certificate chain
as a client side certificate chain. Using client side certs is optional.
The certificates must be in \s-1PEM\s0 format and must be sorted starting with the
certificate to the highest level (root \s-1CA\s0).
.IP "\fBciphers\fR = cipherlist" 4
.IX Item "ciphers = cipherlist"
Select permitted \s-1SSL\s0 ciphers
.Sp
A colon delimited list of the ciphers to allow in the \s-1SSL\s0 connection.
For example \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
.IP "\fBclient\fR = yes | no" 4
.IX Item "client = yes | no"
client mode (remote service uses \s-1SSL\s0)
.Sp
default: no (server mode)
.IP "\fBconnect\fR = address" 4
.IX Item "connect = address"
connect to a remote address
.Sp
If no host is specified, the host defaults to localhost.
.Sp
Multiple \fBconnect\fR options are allowed in a single service section.
.Sp
If host resolves to multiple addresses and/or if multiple \fIconnect\fR
options are specified, then the remote address is chosen using a
round-robin algorithm.
.IP "\fBCRLpath\fR = directory" 4
.IX Item "CRLpath = directory"
Certificate Revocation Lists directory
.Sp
This is the directory in which \fBstunnel\fR will look for CRLs when
using the \fIverify\fR. Note that the CRLs in this directory should
be named \s-1XXXXXXXX\s0.r0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1CRL\s0.
.Sp
The hash algorithm has been changed in \fBOpenSSL 1.0.0\fR. It is required to
c_rehash the directory on upgrade from \fBOpenSSL 0.x.x\fR to \fBOpenSSL 1.x.x\fR.
.Sp
\&\fICRLpath\fR path is relative to \fIchroot\fR directory if specified.
.IP "\fBCRLfile\fR = certfile" 4
.IX Item "CRLfile = certfile"
Certificate Revocation Lists file
.Sp
This file contains multiple CRLs, used with the \fIverify\fR.
.IP "\fBcurve\fR = nid" 4
.IX Item "curve = nid"
specify \s-1ECDH\s0 curve name
.Sp
To get a list of supported cuves use:
.Sp
.Vb 1
\& openssl ecparam \-list_curves
.Ve
.Sp
default: prime256v1
.IP "\fBdelay\fR = yes | no" 4
.IX Item "delay = yes | no"
delay \s-1DNS\s0 lookup for 'connect' option
.Sp
This option is useful for dynamic \s-1DNS\s0, or when \s-1DNS\s0 is not available during
\&\fBstunnel\fR startup (road warrior \s-1VPN\s0, dial-up configurations).
.IP "\fBengineNum\fR = engine number" 4
.IX Item "engineNum = engine number"
select engine number to read private key
.Sp
The engines are numbered starting from 1.
.IP "\fBexec\fR = executable_path" 4
.IX Item "exec = executable_path"
execute local inetd-type program
.Sp
\&\fIexec\fR path is relative to \fIchroot\fR directory if specified.
.ie n .IP "\fBexecargs\fR = $0 $1 $2 ..." 4
.el .IP "\fBexecargs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ..." 4
.IX Item "execargs = $0 $1 $2 ..."
arguments for \fIexec\fR including program name ($0)
.Sp
Quoting is currently not supported.
Arguments are separated with arbitrary number of whitespaces.
.IP "\fBfailover\fR = rr | prio" 4
.IX Item "failover = rr | prio"
Failover strategy for multiple \*(L"connect\*(R" targets.
.Sp
.Vb 2
\& rr (round robin) \- fair load distribution
\& prio (priority) \- use the order specified in config file
.Ve
.Sp
default: rr
.IP "\fBident\fR = username" 4
.IX Item "ident = username"
use \s-1IDENT\s0 (\s-1RFC\s0 1413) username checking
.IP "\fBkey\fR = keyfile" 4
.IX Item "key = keyfile"
private key for certificate specified with \fIcert\fR option
.Sp
Private key is needed to authenticate certificate owner.
Since this file should be kept secret it should only be readable
to its owner. On Unix systems you can use the following command:
.Sp
.Vb 1
\& chmod 600 keyfile
.Ve
.Sp
default: value of \fIcert\fR option
.IP "\fBlibwrap\fR = yes | no" 4
.IX Item "libwrap = yes | no"
Enable or disable the use of /etc/hosts.allow and /etc/hosts.deny.
.Sp
default: yes
.IP "\fBlocal\fR = host" 4
.IX Item "local = host"
\&\s-1IP\s0 of the outgoing interface is used as source for remote connections.
Use this option to bind a static local \s-1IP\s0 address, instead.
.IP "\fBsni\fR = service_name:server_name_pattern (server mode)" 4
.IX Item "sni = service_name:server_name_pattern (server mode)"
Use the service as a slave service (a name-based virtual server) for Server
Name Indication \s-1TLS\s0 extension (\s-1RFC\s0 3546).
.Sp
\&\fIservice_name\fR specifies the master service that accepts client connections
with \fIaccept\fR option. \fIserver_name_pattern\fR specifies the host name to be
redirected. The pattern may start with '*' character, e.g. '*.example.com'.
Multiple slave services are normally specified for a single master service.
\&\fIsni\fR option can also be specified more than once within a single slave
service.
.Sp
This service, as well as the master service, may not be configured in client
mode.
.Sp
\&\fIconnect\fR option of the slave service is ignored when \fIprotocol\fR option is
specified, as \fIprotocol\fR connects remote host before \s-1TLS\s0 handshake.
.Sp
Libwrap checks (Unix only) are performed twice: with master service name after
\&\s-1TCP\s0 connection is accepted, and with slave service name during \s-1TLS\s0 handshake.
.Sp
Option \fIsni\fR is only available when compiled with \fBOpenSSL 1.0.0\fR and later.
.IP "\fBsni\fR = server_name (client mode)" 4
.IX Item "sni = server_name (client mode)"
Use the parameter as the value of \s-1TLS\s0 Server Name Indication (\s-1RFC\s0 3546)
extension.
.Sp
Option \fIsni\fR is only available when compiled with \fBOpenSSL 1.0.0\fR and later.
.IP "\fB\s-1OCSP\s0\fR = url" 4
.IX Item "OCSP = url"
select \s-1OCSP\s0 server for certificate verification
.IP "\fBOCSPflag\fR = flag" 4
.IX Item "OCSPflag = flag"
specify \s-1OCSP\s0 server flag
.Sp
Several \fIOCSPflag\fR can be used to specify multiple flags.
.Sp
currently supported flags: \s-1NOCERTS\s0, \s-1NOINTERN\s0 \s-1NOSIGS\s0, \s-1NOCHAIN\s0, \s-1NOVERIFY\s0,
\&\s-1NOEXPLICIT\s0, \s-1NOCASIGN\s0, \s-1NODELEGATED\s0, \s-1NOCHECKS\s0, \s-1TRUSTOTHER\s0, \s-1RESPID_KEY\s0, \s-1NOTIME\s0
.IP "\fBoptions\fR = SSL_options" 4
.IX Item "options = SSL_options"
\&\fBOpenSSL\fR library options
.Sp
The parameter is the \fBOpenSSL\fR option name as described in the
\&\fI\fISSL_CTX_set_options\fI\|(3ssl)\fR manual, but without \fI\s-1SSL_OP_\s0\fR prefix.
Several \fIoptions\fR can be used to specify multiple options.
.Sp
For example for compatibility with erroneous Eudora \s-1SSL\s0 implementation
the following option can be used:
.Sp
.Vb 1
\& options = DONT_INSERT_EMPTY_FRAGMENTS
.Ve
.IP "\fBprotocol\fR = proto" 4
.IX Item "protocol = proto"
application protocol to negotiate \s-1SSL\s0
.Sp
This option enables initial, protocol-specific negotiation of the \s-1SSL/TLS\s0
encryption.
\&\fIprotocol\fR option should not be used with \s-1SSL\s0 encryption on a separate port.
.Sp
Currently supported protocols:
.RS 4
.IP "\fIcifs\fR" 4
.IX Item "cifs"
Proprietary (undocummented) extension of \s-1CIFS\s0 protocol implemented in Samba.
Support for this extension was dropped in Samba 3.0.0.
.IP "\fIconnect\fR" 4
.IX Item "connect"
Based on \s-1RFC\s0 2817 \- \fIUpgrading to \s-1TLS\s0 Within \s-1HTTP/1\s0.1\fR, section 5.2 \- \fIRequesting a Tunnel with \s-1CONNECT\s0\fR
.Sp
This protocol is only supported in client mode.
.IP "\fIimap\fR" 4
.IX Item "imap"
Based on \s-1RFC\s0 2595 \- \fIUsing \s-1TLS\s0 with \s-1IMAP\s0, \s-1POP3\s0 and \s-1ACAP\s0\fR
.IP "\fInntp\fR" 4
.IX Item "nntp"
Based on \s-1RFC\s0 4642 \- \fIUsing Transport Layer Security (\s-1TLS\s0) with Network News Transfer Protocol (\s-1NNTP\s0)\fR
.Sp
This protocol is only supported in client mode.
.IP "\fIpgsql\fR" 4
.IX Item "pgsql"
Based on http://www.postgresql.org/docs/8.3/static/protocol\-flow.html#AEN73982
.IP "\fIpop3\fR" 4
.IX Item "pop3"
Based on \s-1RFC\s0 2449 \- \fI\s-1POP3\s0 Extension Mechanism\fR
.IP "\fIproxy\fR" 4
.IX Item "proxy"
Haproxy client \s-1IP\s0 address http://haproxy.1wt.eu/download/1.5/doc/proxy\-protocol.txt
.IP "\fIsmtp\fR" 4
.IX Item "smtp"
Based on \s-1RFC\s0 2487 \- \fI\s-1SMTP\s0 Service Extension for Secure \s-1SMTP\s0 over \s-1TLS\s0\fR
.RE
.RS 4
.RE
.IP "\fBprotocolAuthentication\fR = auth_type" 4
.IX Item "protocolAuthentication = auth_type"
authentication type for protocol negotiations
.Sp
currently supported: basic, \s-1NTLM\s0
.Sp
Currently authentication type only applies to the 'connect' protocol.
.Sp
default: basic
.IP "\fBprotocolHost\fR = host:port" 4
.IX Item "protocolHost = host:port"
destination address for protocol negotiations
.Sp
\&\fIprotocolHost\fR specifies the final \s-1SSL\s0 server to be connected by the proxy,
and not the proxy server directly connected by \fBstunnel\fR.
The proxy server should be specified with the 'connect' option.
.Sp
Currently protocol destination address only applies to 'connect' protocol.
.IP "\fBprotocolPassword\fR = password" 4
.IX Item "protocolPassword = password"
password for protocol negotiations
.IP "\fBprotocolUsername\fR = username" 4
.IX Item "protocolUsername = username"
username for protocol negotiations
.IP "\fBpty\fR = yes | no (Unix only)" 4
.IX Item "pty = yes | no (Unix only)"
allocate pseudo terminal for 'exec' option
.IP "\fBrenegotiation\fR = yes | no" 4
.IX Item "renegotiation = yes | no"
support \s-1SSL\s0 renegotiation
.Sp
Applications of the \s-1SSL\s0 renegotiation include some authentication scenarios,
or re-keying long lasting connections.
.Sp
On the other hand this feature can facilitate a trivial CPU-exhaustion
DoS attack:
.Sp
http://vincent.bernat.im/en/blog/2011\-ssl\-dos\-mitigation.html
.Sp
Please note that disabling \s-1SSL\s0 renegotiation does not fully mitigate
this issue.
.Sp
default: yes (if supported by \fBOpenSSL\fR)
.IP "\fBreset\fR = yes | no" 4
.IX Item "reset = yes | no"
attempt to use \s-1TCP\s0 \s-1RST\s0 flag to indicate an error
.Sp
This option is not supported on some platforms.
.Sp
default: yes
.IP "\fBretry\fR = yes | no" 4
.IX Item "retry = yes | no"
reconnect a connect+exec section after it's disconnected
.Sp
default: no
.IP "\fBsessionCacheSize\fR = size" 4
.IX Item "sessionCacheSize = size"
session cache size
.Sp
\&\fIsessionCacheSize\fR specifies the maximum number of the internal session cache
entries.
.Sp
The value of 0 can be used for unlimited size. It is not recommended
for production use due to the risk of memory exhaustion DoS attack.
.IP "\fBsessionCacheTimeout\fR = timeout" 4
.IX Item "sessionCacheTimeout = timeout"
session cache timeout
.Sp
This is the number of seconds to keep cached \s-1SSL\s0 sessions.
.IP "\fBsessiond\fR = host:port" 4
.IX Item "sessiond = host:port"
address of sessiond \s-1SSL\s0 cache server
.IP "\fBsslVersion\fR = version" 4
.IX Item "sslVersion = version"
select version of \s-1SSL\s0 protocol
.Sp
Allowed options: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2
.IP "\fBstack\fR = bytes (except for \s-1FORK\s0 model)" 4
.IX Item "stack = bytes (except for FORK model)"
thread stack size
.IP "\fBTIMEOUTbusy\fR = seconds" 4
.IX Item "TIMEOUTbusy = seconds"
time to wait for expected data
.IP "\fBTIMEOUTclose\fR = seconds" 4
.IX Item "TIMEOUTclose = seconds"
time to wait for close_notify (set to 0 for buggy \s-1MSIE\s0)
.IP "\fBTIMEOUTconnect\fR = seconds" 4
.IX Item "TIMEOUTconnect = seconds"
time to wait to connect a remote host
.IP "\fBTIMEOUTidle\fR = seconds" 4
.IX Item "TIMEOUTidle = seconds"
time to keep an idle connection
.IP "\fBtransparent\fR = none | source | destination | both (Unix only)" 4
.IX Item "transparent = none | source | destination | both (Unix only)"
enable transparent proxy support on selected platforms
.Sp
Supported values:
.RS 4
.IP "\fInone\fR" 4
.IX Item "none"
Disable transparent proxy support. This is the default.
.IP "\fIsource\fR" 4
.IX Item "source"
Re-write address to appear as if wrapped daemon is connecting
from the \s-1SSL\s0 client machine instead of the machine running \fBstunnel\fR.
.Sp
This option is currently available in:
.RS 4
.IP "Remote mode (\fIconnect\fR option) on \fILinux >=2.6.28\fR" 4
.IX Item "Remote mode (connect option) on Linux >=2.6.28"
This configuration requires \fBstunnel\fR to be executed as root and without
\&\fIsetuid\fR option.
.Sp
This configuration requires the following setup for iptables and routing
(possibly in /etc/rc.local or equivalent file):
.Sp
.Vb 7
\& iptables \-t mangle \-N DIVERT
\& iptables \-t mangle \-A PREROUTING \-p tcp \-m socket \-j DIVERT
\& iptables \-t mangle \-A DIVERT \-j MARK \-\-set\-mark 1
\& iptables \-t mangle \-A DIVERT \-j ACCEPT
\& ip rule add fwmark 1 lookup 100
\& ip route add local 0.0.0.0/0 dev lo table 100
\& echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
.Ve
.Sp
\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option.
.IP "Remote mode (\fIconnect\fR option) on \fILinux 2.2.x\fR" 4
.IX Item "Remote mode (connect option) on Linux 2.2.x"
This configuration requires kernel to be compiled with \fItransparent proxy\fR
option.
Connected service must be installed on a separate host.
Routing towards the clients has to go through the \fBstunnel\fR box.
.Sp
\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option.
.IP "Remote mode (\fIconnect\fR option) on \fIFreeBSD >=8.0\fR" 4
.IX Item "Remote mode (connect option) on FreeBSD >=8.0"
This configuration requires additional firewall and routing setup.
\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option.
.IP "Local mode (\fIexec\fR option)" 4
.IX Item "Local mode (exec option)"
This configuration works by pre-loading \fIlibstunnel.so\fR shared library.
_RLD_LIST environment variable is used on Tru64, and \s-1LD_PRELOAD\s0 variable on
other platforms.
.RE
.RS 4
.RE
.IP "\fIdestination\fR" 4
.IX Item "destination"
Original destination is used instead of \fIconnect\fR option.
.Sp
A service section for transparent destination may look like this:
.Sp
.Vb 4
\& [transparent]
\& client=yes
\& accept=<stunnel_port>
\& transparent=destination
.Ve
.Sp
This configuration requires the following setup for iptables
(possibly in /etc/rc.local or equivalent file):
.Sp
.Vb 2
\& /sbin/iptables \-I INPUT \-i eth0 \-p tcp \-\-dport <stunnel_port> \-j ACCEPT
\& /sbin/iptables \-t nat \-I PREROUTING \-i eth0 \-p tcp \-\-dport <redirected_port> \-j DNAT \-\-to\-destination <local_ip>:<stunnel_port>
.Ve
.Sp
Transparent destination option is currently only supported on Linux.
.IP "\fIboth\fR" 4
.IX Item "both"
Use both \fIsource\fR and \fIdestination\fR transparent proxy.
.RE
.RS 4
.Sp
Two legacy options are also supported for backward compatibility:
.IP "\fIyes\fR" 4
.IX Item "yes"
This options has been renamed to \fIsource\fR.
.IP "\fIno\fR" 4
.IX Item "no"
This options has been renamed to \fInone\fR.
.RE
.RS 4
.RE
.IP "\fBverify\fR = level" 4
.IX Item "verify = level"
verify peer certificate
.RS 4
.IP "level 0" 4
.IX Item "level 0"
Request and ignore peer certificate.
.IP "level 1" 4
.IX Item "level 1"
Verify peer certificate if present.
.IP "level 2" 4
.IX Item "level 2"
Verify peer certificate.
.IP "level 3" 4
.IX Item "level 3"
Verify peer with locally installed certificate.
.IP "level 4" 4
.IX Item "level 4"
Ignore \s-1CA\s0 chain and only verify peer certificate.
.IP "default" 4
.IX Item "default"
No verify.
.RE
.RS 4
.Sp
It is important to understand, that this option was solely designed for access
control and not for authorization. Specifically for level 2 every non-revoked
certificate is accepted regardless of its Common Name. For this reason a
dedicated \s-1CA\s0 should be used with level 2, and not a generic \s-1CA\s0 commonly used
for webservers. Level 3 is preferred for point-to-point connections.
.RE
.SH "RETURN VALUE"
.IX Header "RETURN VALUE"
\&\fBstunnel\fR returns zero on success, non-zero on error.
.SH "SIGNALS"
.IX Header "SIGNALS"
The following signals can be used to control \fBstunnel\fR in Unix environment:
.IP "\s-1SIGHUP\s0" 4
.IX Item "SIGHUP"
Force a reload of the configuration file.
.Sp
Some global options will not be reloaded:
.RS 4
.IP "\(bu" 4
chroot
.IP "\(bu" 4
foreground
.IP "\(bu" 4
pid
.IP "\(bu" 4
setgid
.IP "\(bu" 4
setuid
.RE
.RS 4
.Sp
The use of 'setuid' option will also prevent \fBstunnel\fR from binding privileged
(<1024) ports during configuration reloading.
.Sp
When 'chroot' option is used, \fBstunnel\fR will look for all its files (including
configuration file, certificates, log file and pid file) within the chroot
jail.
.RE
.IP "\s-1SIGUSR1\s0" 4
.IX Item "SIGUSR1"
Close and reopen \fBstunnel\fR log file.
This function can be used for log rotation.
.IP "\s-1SIGTERM\s0, \s-1SIGQUIT\s0, \s-1SIGINT\s0" 4
.IX Item "SIGTERM, SIGQUIT, SIGINT"
Shut \fBstunnel\fR down.
.PP
The result of sending any other signals to the server is undefined.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
In order to provide \s-1SSL\s0 encapsulation to your local \fIimapd\fR service, use
.PP
.Vb 4
\& [imapd]
\& accept = 993
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.PP
If you want to provide tunneling to your \fIpppd\fR daemon on port 2020,
use something like
.PP
.Vb 5
\& [vpn]
\& accept = 2020
\& exec = /usr/sbin/pppd
\& execargs = pppd local
\& pty = yes
.Ve
.PP
If you want to use \fBstunnel\fR in \fIinetd\fR mode to launch your imapd
process, you'd use this \fIstunnel.conf\fR.
Note there must be no \fI[service_name]\fR section.
.PP
.Vb 2
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.SH "NOTES"
.IX Header "NOTES"
.SS "\s-1RESTRICTIONS\s0"
.IX Subsection "RESTRICTIONS"
\&\fBstunnel\fR cannot be used for the \s-1FTP\s0 daemon because of the nature
of the \s-1FTP\s0 protocol which utilizes multiple ports for data transfers.
There are available \s-1SSL\s0 enabled versions of \s-1FTP\s0 and telnet daemons, however.
.SS "\s-1INETD\s0 \s-1MODE\s0"
.IX Subsection "INETD MODE"
The most common use of \fBstunnel\fR is to listen on a network
port and establish communication with either a new port
via the connect option, or a new program via the \fIexec\fR option.
However there is a special case when you wish to have
some other program accept incoming connections and
launch \fBstunnel\fR, for example with \fIinetd\fR, \fIxinetd\fR,
or \fItcpserver\fR.
.PP
For example, if you have the following line in \fIinetd.conf\fR:
.PP
.Vb 1
\& imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
.Ve
.PP
In these cases, the \fIinetd\fR\-style program is responsible
for binding a network socket (\fIimaps\fR above) and handing
it to \fBstunnel\fR when a connection is received.
Thus you do not want \fBstunnel\fR to have any \fIaccept\fR option.
All the \fIService Level Options\fR should be placed in the
global options section, and no \fI[service_name]\fR section
will be present. See the \fI\s-1EXAMPLES\s0\fR section for example
configurations.
.SS "\s-1CERTIFICATES\s0"
.IX Subsection "CERTIFICATES"
Each \s-1SSL\s0 enabled daemon needs to present a valid X.509 certificate
to the peer. It also needs a private key to decrypt the incoming
data. The easiest way to obtain a certificate and a key is to
generate them with the free \fBOpenSSL\fR package. You can find more
information on certificates generation on pages listed below.
.PP
The order of contents of the \fI.pem\fR file is important. It should contain the
unencrypted private key first, then a signed certificate (not certificate
request). There should be also empty lines after certificate and private key.
Plaintext certificate information appended on the top of generated certificate
should be discarded. So the file should look like this:
.PP
.Vb 8
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
\& [encoded key]
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
\& [empty line]
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
\& [encoded certificate]
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
\& [empty line]
.Ve
.SS "\s-1RANDOMNESS\s0"
.IX Subsection "RANDOMNESS"
\&\fBstunnel\fR needs to seed the \s-1PRNG\s0 (pseudo random number generator) in
order for \s-1SSL\s0 to use good randomness. The following sources are loaded
in order until sufficient random data has been gathered:
.IP "\(bu" 4
The file specified with the \fIRNDfile\fR flag.
.IP "\(bu" 4
The file specified by the \s-1RANDFILE\s0 environment variable, if set.
.IP "\(bu" 4
The file .rnd in your home directory, if \s-1RANDFILE\s0 not set.
.IP "\(bu" 4
The file specified with '\-\-with\-random' at compile time.
.IP "\(bu" 4
The contents of the screen if running on Windows.
.IP "\(bu" 4
The egd socket specified with the \fI\s-1EGD\s0\fR flag.
.IP "\(bu" 4
The egd socket specified with '\-\-with\-egd\-sock' at compile time.
.IP "\(bu" 4
The /dev/urandom device.
.PP
With recent (\fBOpenSSL 0.9.5a\fR or later) version of \s-1SSL\s0 it will stop loading
random data automatically when sufficient entropy has been gathered. With
previous versions it will continue to gather from all the above sources since
no \s-1SSL\s0 function exists to tell when enough data is available.
.PP
Note that on Windows machines that do not have console user interaction
(mouse movements, creating windows, etc.) the screen contents are not
variable enough to be sufficient, and you should provide a random file
for use with the \fIRNDfile\fR flag.
.PP
Note that the file specified with the \fIRNDfile\fR flag should contain
random data \*(-- that means it should contain different information
each time \fBstunnel\fR is run. This is handled automatically
unless the \fIRNDoverwrite\fR flag is used. If you wish to update this file
manually, the \fIopenssl rand\fR command in recent versions of \fBOpenSSL\fR,
would be useful.
.PP
Important note: If /dev/urandom is available, \fBOpenSSL\fR often seeds the \s-1PRNG\s0
with it while checking the random state. On systems with /dev/urandom
\&\fBOpenSSL\fR is likely to use it even though it is listed at the very bottom of
the list above. This is the behaviour of \fBOpenSSL\fR and not \fBstunnel\fR.
.SS "\s-1DH\s0 \s-1PARAMETERS\s0"
.IX Subsection "DH PARAMETERS"
Stunnel 4.40 and later contains hardcoded 2048\-bit \s-1DH\s0 parameters.
.PP
It is also possible to specify \s-1DH\s0 parameters in the certificate file:
.PP
.Vb 1
\& openssl dhparam 2048 >> stunnel.pem
.Ve
.PP
\&\s-1DH\s0 parameter generation may take several minutes.
.SH "FILES"
.IX Header "FILES"
.IP "\fIstunnel.conf\fR" 4
.IX Item "stunnel.conf"
\&\fBstunnel\fR configuration file
.SH "BUGS"
.IX Header "BUGS"
Option \fIexecargs\fR and Win32 command line does not support quoting.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
.IP "\fItcpd\fR\|(8)" 4
.IX Item "tcpd"
access control facility for internet services
.IP "\fIinetd\fR\|(8)" 4
.IX Item "inetd"
internet 'super\-server'
.IP "\fIhttp://www.stunnel.org/\fR" 4
.IX Item "http://www.stunnel.org/"
\&\fBstunnel\fR homepage
.IP "\fIhttp://www.openssl.org/\fR" 4
.IX Item "http://www.openssl.org/"
\&\fBOpenSSL\fR project website
.SH "AUTHOR"
.IX Header "AUTHOR"
.IP "Michał Trojnara" 4
.IX Item "Michał Trojnara"
<\fIMichal.Trojnara@mirt.net\fR>

1395
doc/stunnel.8.in Normal file
View File

File diff suppressed because it is too large Load Diff

574
doc/stunnel.fr.8
View File

@ -1,574 +0,0 @@
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\" ========================================================================
.\"
.IX Title "STUNNEL.FR 8"
.TH STUNNEL.FR 8 "2013.03.19" "4.56" "stunnel"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NOM"
.IX Header "NOM"
stunnel \- tunnel \s-1SSL\s0 universel
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.IP "\fBUnix:\fR" 4
.IX Item "Unix:"
\&\fBstunnel\fR [fichier] | \-fd [n] | \-help | \-version | \-sockets
.IP "\fB\s-1WIN32:\s0\fR" 4
.IX Item "WIN32:"
\&\fBstunnel\fR [fichier] | \-install | \-uninstall | \-help | \-version | \-sockets
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Le programme \fBstunnel\fR est conçu pour fonctionner comme une couche
de chiffrement \fI\s-1SSL\s0\fR entre des clients distants et des serveurs locaux
(\fIinetd\fR\-démarrables) ou distants. Le concept est qu'à partir de daemons
non-SSL présents sur le système, on peut facilement les configurer pour
communiquer avec des clients sur des liens sécurisés \s-1SSL\s0.
.PP
\&\fBstunnel\fR peut être utilisé pour ajouter des fonctionnalités \s-1SSL\s0 à des
daemons classiques \fIInetd\fR tels que les serveurs \s-1POP\-2\s0, \s-1POP\-3\s0 et \s-1IMAP\s0,
à d'autres autonomes tels que \s-1NNTP\s0, \s-1SMTP\s0 et \s-1HTTP\s0, ainsi que pour tunneliser
\&\s-1PPP\s0 sur des sockets réseau sans modification du code source.
.PP
Ce produit inclut du code de chiffrement écrit par
Eric Young (eay@cryptsoft.com)
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB[fichier]\fR" 4
.IX Item "[fichier]"
Utilisation du fichier de configuration spécifié.
.IP "\fB\-fd [n]\fR (Unix seulement)" 4
.IX Item "-fd [n] (Unix seulement)"
Lecture du fichier de configuration depuis le descripteur de
fichier indiqué.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Affiche le menu d'aide de \fBstunnel\fR.
.IP "\fB\-version\fR" 4
.IX Item "-version"
Affiche la version de \fBstunnel\fR et les options de compilation.
.IP "\fB\-sockets\fR" 4
.IX Item "-sockets"
Affiche les options socket par défaut.
.IP "\fB\-install\fR (\s-1NT/2000/XP\s0 seulement)" 4
.IX Item "-install (NT/2000/XP seulement)"
Installe un service \s-1NT\s0.
.IP "\fB\-uninstall\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-uninstall (NT/2000/XP only)"
Désinstalle un service \s-1NT\s0.
.SH "FICHIER DE CONFIGURATION"
.IX Header "FICHIER DE CONFIGURATION"
Chaque ligne du fichier de configuration peut être soit :
.IP "\(bu" 4
une ligne vide (ignorée) ;
.IP "\(bu" 4
un commentaire commençant par « # » (ignoré) ;
.IP "\(bu" 4
une paire « option = valeur » ;
.IP "\(bu" 4
« [service_name] » indiquant le début de la définition d'un service ;
.SS "\s-1OPTIONS\s0 \s-1GLOBALES\s0"
.IX Subsection "OPTIONS GLOBALES"
.IP "\fBCApath\fR = répertoire" 4
.IX Item "CApath = répertoire"
Répertoire des autorités de certification (\s-1CA\s0)
.Sp
C'est le répertoire dans lequel \fBstunnel\fR cherche les certificats si
l'on utilise \fIverify\fR. Les certificats doivent être dénommés selon la
forme \s-1XXXXXXXX\s0.0, où \s-1XXXXXXXX\s0 est la valeur de hachage du certificat.
.Sp
Le cas échéant, le répertoire \fICApath\fR est relatif au répertoire \fIchroot\fR.
.IP "\fBCAfile\fR = fichier" 4
.IX Item "CAfile = fichier"
Fichier d'autorités de certification
.Sp
Ce fichier, utilisé avec \fIverify\fR, contient plusieurs certificats de \s-1CA\s0.
.IP "\fBcert\fR = fichier" 4
.IX Item "cert = fichier"
Fichier de chaîne de certificats \s-1PEM\s0
.Sp
Une \s-1PEM\s0 est toujours nécessaire en mode serveur.
En mode client, cette option utilise cette \s-1PEM\s0 comme une chaîne côté client.
L'utilisation de certificats côté client est optionnelle. Les certificats
doivent être au format \s-1PEM\s0 et triés par ordre de niveau décroissant (\s-1CA\s0 racine
en premier).
.IP "\fBchroot\fR = répertoire (Unix seulement)" 4
.IX Item "chroot = répertoire (Unix seulement)"
Répertoire de chroot du processus \fBstunnel\fR
.Sp
\&\fBchroot\fR enferme \fBstunnel\fR dans une cellule chroot. \fICApath\fR, \fICRLpath\fR, \fIpid\fR
et \fIexec\fR sont situés à l'intérieur de la cellule et les répertoires doivent être
relatifs au répertoire correspondant.
.Sp
Pour que le contrôle de libwrap (wrappeur \s-1TCP\s0) soit effectif dans un environnement
chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et
/etc/hosts.deny).
.IP "\fBciphers\fR = listes de chiffre" 4
.IX Item "ciphers = listes de chiffre"
Sélection des chiffres \s-1SSL\s0 autorisés
.Sp
Liste délimitée par deux-points (« : ») des chiffres autorisés pour la connexion \s-1SSL\s0.
Exemple : \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
.IP "\fBclient\fR = yes | no" 4
.IX Item "client = yes | no"
Mode client (Le service distant utilise \s-1SSL\s0)
.Sp
Par défaut : no (mode server)
.IP "\fBCRLpath\fR = répertoire" 4
.IX Item "CRLpath = répertoire"
Répertoire des listes de révocation de certificats (\s-1CRL\s0)
.Sp
C'est le répertoire dans lequel \fBstunnel\fR recherche les \s-1CRL\s0 avec
l'option \fIverify\fR. Les \s-1CRL\s0 doivent être dénommés selon la
forme \s-1XXXXXXXX\s0.0 où \s-1XXXXXXXX\s0 est la valeur de hachage de la \s-1CRL\s0.
.Sp
Le cas échéant, le répertoire \fICRLpath\fR est relatif au répertoire \fIchroot\fR.
.IP "\fBCRLfile\fR = fichier" 4
.IX Item "CRLfile = fichier"
Fichier de listes de révocation de certificats (\s-1CRL\s0)
.Sp
Ce fichier, utilisé avec \fIverify\fR, contient plusieurs \s-1CRL\s0.
.IP "\fBdebug\fR = [facilité.]niveau" 4
.IX Item "debug = [facilité.]niveau"
niveau de déverminage
.Sp
Le niveau est un nom ou un numéro conforme à ceux de syslog :
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux
numériquement inférieurs seront affichées. \fBdebug = debug\fR ou
\&\fBdebug = 7\fR donneront le maximum d'informations. La valeur par défaut
est notice (5).
.Sp
La facilité syslog « daemon » est utilisée, sauf si un autre nom est spécifié
(Win32 ne permet pas l'usage des facilités.)
.Sp
La casse est ignorée, aussi bien pour la facilité que pour le niveau.
.IP "\fB\s-1EGD\s0\fR = chemin (Unix seulement)" 4
.IX Item "EGD = chemin (Unix seulement)"
Emplacement du socket du daemon de recueil d'entropie (\s-1EGD\s0 \- Entropy Gathering Daemon)
.Sp
Socket \s-1EGD\s0 à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible
seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur).
.IP "\fBforeground\fR = yes | no (Unix seulement)" 4
.IX Item "foreground = yes | no (Unix seulement)"
Mode avant-plan
.Sp
Reste en avant-plan (sans fork) et dirige la trace sur stderr
au lieu de syslog (sauf si \fBoutput\fR est spécifié).
.Sp
Par défault : arrière\-plan en mode daemon.
.IP "\fBkey\fR = fichier" 4
.IX Item "key = fichier"
Fichier de clef privée pour le certificat spécifié par \fIcert\fR
.Sp
La clef privée est nécessaire pour authentifier le titulaire du
certificat.
Puisque ce fichier doit rester secret, il ne doit être lisible que
par son propriétaire. Sur les systèmes Unix, on peut utiliser la
commande suivante :
.Sp
.Vb 1
\& chmod 600 fichier
.Ve
.Sp
Par défault : Valeur de \fIcert\fR
.IP "\fBoptions\fR = Options_SSL" 4
.IX Item "options = Options_SSL"
Options de la bibliothèque OpenSSL
.Sp
Le paramètre est l'option OpenSSL décrite dans la page de man
\&\fI\fISSL_CTX_set_options\fI\|(3ssl)\fR, débarassée du préfixe \fI\s-1SSL_OP_\s0\fR.
Plusieurs \fIoptions\fR peuvent être spécifiées.
.Sp
Par exemple, pour la compatibilité avec l'implantation \s-1SSL\s0 défaillante
d'Eudora, on peut utiliser :
.Sp
.Vb 1
\& options = DONT_INSERT_EMPTY_FRAGMENTS
.Ve
.IP "\fBoutput\fR = fichier" 4
.IX Item "output = fichier"
Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.
.Sp
/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard
(par exemple pour les traiter avec les outils splogger).
.IP "\fBpid\fR = fichier (Unix seulement)" 4
.IX Item "pid = fichier (Unix seulement)"
Emplacement du fichier pid
.Sp
Si l'argument est vide, aucun fichier ne sera créé.
.Sp
Le cas échéant, le chemin \fIpid\fR est relatif au répertoire \fIchroot\fR.
.IP "\fBRNDbytes\fR = nombre" 4
.IX Item "RNDbytes = nombre"
Nombre d'octets à lire depuis les fichiers de « sel » aléatoire
.Sp
Avec les \s-1SSL\s0 de version inférieure à 0.9.5a, détermine aussi le nombre
d'octets considérés comme suffisants pour « saler » le \s-1PRNG\s0. Les versions plus
récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire
est suffisant.
.IP "\fBRNDfile\fR = fichier" 4
.IX Item "RNDfile = fichier"
chemin du fichier de données de « sel » aléatoire
.Sp
La bibliothèque \s-1SSL\s0 utilise prioritairement les données de ce fichier pour
« saler » le générateur d'aléatoire.
.IP "\fBRNDoverwrite\fR = yes | no" 4
.IX Item "RNDoverwrite = yes | no"
Recouvre les fichiers de « sel » avec de nouvelles données aléatoires.
.Sp
Par défaut : yes
.IP "\fBservice\fR = nom" 4
.IX Item "service = nom"
Définit le nom de service à utiliser
.Sp
\&\fBSous Unix :\fR nom de service du mode \fIinetd\fR pour la bibliothèque \s-1TCP\s0 Wrapper.
.Sp
Par défaut : stunnel
.IP "\fBsession\fR = timeout" 4
.IX Item "session = timeout"
Timeout du cache de session
.IP "\fBsetgid\fR = nom (Unix seulement)" 4
.IX Item "setgid = nom (Unix seulement)"
Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)
.IP "\fBsetuid\fR = nom (Unix seulement)" 4
.IX Item "setuid = nom (Unix seulement)"
Nom d'utilisateur utilisé en mode daemon
.IP "\fBsocket\fR = a|l|r:option=valeur[:valeur]" 4
.IX Item "socket = a|l|r:option=valeur[:valeur]"
Configure une option de socket accept (a), locale (l) ou distante (r)
.Sp
Les valeurs de l'option linger sont : l_onof:l_linger.
Les valeurs de l'option time sont : tv_sec:tv_usec.
.Sp
Exemples :
.Sp
.Vb 9
\& socket = l:SO_LINGER=1:60
\& définit un délai d\*(Aqune minute pour la clôture des sockets locaux
\& socket = r:SO_OOBINLINE=yes
\& Place directement les données hors\-bande dans le flux de réception
\& des sockets distants
\& socket = a:SO_REUSEADDR=no
\& désactive la réutilisation d\*(Aqadresses (activée par défaut)
\& socket = a:SO_BINDTODEVICE=lo
\& limite l\*(Aqacceptation des connexions sur la seule interface de bouclage
.Ve
.IP "\fBtaskbar\fR = yes | no (\s-1WIN32\s0 seulement)" 4
.IX Item "taskbar = yes | no (WIN32 seulement)"
active l'icône de la barre de tâches
.Sp
Par défaut : yes
.IP "\fBverify\fR = niveau" 4
.IX Item "verify = niveau"
Vérifie le certificat du correspondant
.Sp
.Vb 3
\& niveau 1 \- vérifie le certificat s\*(Aqil est présent
\& niveau 2 \- vérifie le certificat
\& niveau 3 \- contrôle le correspondant avec le certificat local
.Ve
.Sp
Par défaut \- pas de vérification
.SS "\s-1OPTIONS\s0 \s-1DE\s0 \s-1SERVICE\s0"
.IX Subsection "OPTIONS DE SERVICE"
Chaque section de configuration commence par le nom du service entre crochets.
Celui-ci est utilisé par le contrôle d'accès de libwrap (\s-1TCP\s0 Wrappers) et sert
à distinguer les services \fBstunnel\fR dans les fichiers de traces.
.PP
Si l'on souhaite utiliser \fBstunnel\fR en mode \fIinetd\fR (lorsqu'un socket lui est
fourni par un serveur comme \fIinetd\fR, \fIxinetd\fR ou \fItcpserver\fR), il faut se
reporter à la section \fI\s-1MODE\s0 \s-1INETD\s0\fR plus bas.
.IP "\fBaccept\fR = [hôte:]port" 4
.IX Item "accept = [hôte:]port"
Accepte des connexions sur le port spécifié
.Sp
Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses \s-1IP\s0 de
la machine locale.
.IP "\fBconnect\fR = [hôte:]port" 4
.IX Item "connect = [hôte:]port"
Se connecte au port distant indiqué
.Sp
Par défaut, l'hôte est localhost.
.IP "\fBdelay\fR = yes | no" 4
.IX Item "delay = yes | no"
Retarde la recherche \s-1DNS\s0 pour l'option « connect »
.IP "\fBexec\fR = chemin_exécutable (Unix seulement)" 4
.IX Item "exec = chemin_exécutable (Unix seulement)"
Exécute un programme local de type inetd
.Sp
Le cas échéant, le chemin \fIexec\fR est relatif au répertoire \fIchroot\fR.
.ie n .IP "\fBexecargs\fR = $0 $1 $2 ... (Unix seulement)" 4
.el .IP "\fBexecargs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ... (Unix seulement)" 4
.IX Item "execargs = $0 $1 $2 ... (Unix seulement)"
Arguments pour \fIexec\fR, y compris le nom du programme ($0)
.Sp
Les quotes ne peuvent actuellement pas être utilisées.
Les arguments sont séparés par un nombre quelconque d'espaces.
.IP "\fBident\fR = nom" 4
.IX Item "ident = nom"
Applique le contrôle d'identité d'utilisateur \s-1IDENT\s0 (\s-1RFC\s0 1413)
.IP "\fBlocal\fR = hôte" 4
.IX Item "local = hôte"
Adresse \s-1IP\s0 de l'interface de sortie utilisée pour les connexions distantes.
Cette option permet de relier une adresse statique locale.
.IP "\fBprotocol\fR = protocole" 4
.IX Item "protocol = protocole"
Négocie avec \s-1SSL\s0 selon le protocole indiqué
.Sp
Actuellement gérés : cifs, nntp, pop3, smtp
.IP "\fBpty\fR = yes | no (Unix seulement)" 4
.IX Item "pty = yes | no (Unix seulement)"
Alloue un pseudo-terminal pour l'option « exec »
.IP "\fBTIMEOUTbusy\fR = secondes" 4
.IX Item "TIMEOUTbusy = secondes"
Durée d'attente de données
.IP "\fBTIMEOUTclose\fR = secondes" 4
.IX Item "TIMEOUTclose = secondes"
Durée d'attente du close_notify (mis à 0 pour \s-1MSIE\s0 qui est bogué)
.IP "\fBTIMEOUTidle\fR = secondes" 4
.IX Item "TIMEOUTidle = secondes"
Durée d'attente sur une connexion inactive
.IP "\fBtransparent\fR = yes | no (Unix seulement)" 4
.IX Item "transparent = yes | no (Unix seulement)"
Mode mandataire transparent
.Sp
\-écrit les adresses pour qu'elles apparaissent provenir de la
machine client \s-1SSL\s0 plutôt que de celle qui exécute \fBstunnel\fR.
Cette option n'est disponible en mode local (option \fIexec\fR) qu'avec
la bibliothèque partagée LD_PRELOADing env.so shared library et en mode
distant (option \fIconnect\fR) sur les noyaux Linux 2.2 compilés avec
l'option \fItransparent proxy\fR et seulement en mode serveur. Cette
option ne se combine pas au mode mandataire (\fIconnect\fR) sauf si la
route par défaut du client vers la cible passe par l'hôte qui fait
tourner \fBstunnel\fR, qui ne peut être localhost.
.SH "VALEUR DE RETOUR"
.IX Header "VALEUR DE RETOUR"
\&\fBstunnel\fR renvoie zéro en cas de succès, une autre valeur en cas d'erreur.
.SH "EXEMPLES"
.IX Header "EXEMPLES"
Pour encapsuler votre service \fIimapd\fR local avec \s-1SSL\s0 :
.PP
.Vb 4
\& [imapd]
\& accept = 993
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.PP
Pour tunneliser un daemon \fIpppd\fR sur le port 2020 :
.PP
.Vb 5
\& [vpn]
\& accept = 2020
\& exec = /usr/sbin/pppd
\& execargs = pppd local
\& pty = yes
.Ve
.PP
Configuration de \fIstunnel.conf\fR pour utiliser \fBstunnel\fR en mode \fIinetd\fR
qui lance imapd à son tour (il ne doit pas y avoir de section \fI[service_name]\fR) :
.PP
.Vb 2
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.SH "FICHIERS"
.IX Header "FICHIERS"
.IP "\fIstunnel.conf\fR" 4
.IX Item "stunnel.conf"
Fichier de configuration de \fBstunnel\fR
.IP "\fIstunnel.pem\fR" 4
.IX Item "stunnel.pem"
Certificat et clef privée de \fBstunnel\fR
.SH "BOGUES"
.IX Header "BOGUES"
L'option \fIexecargs\fR n'admet pas les quotes.
.SH "RESTRICTIONS"
.IX Header "RESTRICTIONS"
\&\fBstunnel\fR ne peut être utilisé pour le daemon \s-1FTP\s0 en raison de la nature
du protocole \s-1FTP\s0 qui utilise des ports multiples pour les transferts de données.
Il existe cependant des versions \s-1SSL\s0 de \s-1FTP\s0 et de telnet.
.SH "NOTES"
.IX Header "NOTES"
.SS "\s-1MODE\s0 \s-1INETD\s0"
.IX Subsection "MODE INETD"
L'utilisation la plus commune de \fBstunnel\fR consiste à écouter un port
réseau et à établir une communication, soit avec un nouveau port
avec l'option \fIconnect\fR, soit avec un programme avec l'option \fIexec\fR.
On peut parfois cependant souhaiter qu'un autre programme reçoive les
connexions entrantes et lance \fBstunnel\fR, par exemple avec \fIinetd\fR,
\&\fIxinetd\fR ou \fItcpserver\fR.
.PP
Si, par exemple, la ligne suivante se trouve dans \fIinetd.conf\fR :
.PP
.Vb 1
\& imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
.Ve
.PP
Dans ces cas, c'est le programme du genre \fIinetd\fR\-style qui est
responsable de l'établissement de la connexion (\fIimaps\fR ci-dessus) et de passer
celle-ci à \fBstunnel\fR.
Ainsi, \fBstunnel\fR ne doit alors avoir aucune option \fIaccept\fR.
Toutes les \fIoptions de niveau service\fR doivent être placées dans
la section des options globales et aucune section \fI[service_name]\fR ne doit
être présente. Voir la section \fI\s-1EXEMPLES\s0\fR pour des exemples de configurations.
.SS "\s-1CERTIFICATS\s0"
.IX Subsection "CERTIFICATS"
Chaque daemon à propriétés \s-1SSL\s0 doit présenter un certificat X.509
valide à son interlocuteur. Il a aussi besoin d'une clef privé pour
déchiffrer les données entrantes. La méthode la plus simple pour
obtenir un certificat et une clef est d'engendrer celles-ci avec
le paquetage libre \fIOpenSSL\fR. Plus d'informations sur la génération de
certificats se trouvent dans les pages indiquées plus bas.
.PP
Deux choses importantes lors de la génération de paires certificat-clef
pour \fBstunnel\fR :
.IP "\(bu" 4
la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen
d'obtenir le mot de passe de l'utilisateur ; pour produire une clef non chiffrée,
ajouter l'option \fI\-nodes\fR à la commande \fBreq\fR de \fIOpenSSL\fR ;
.IP "\(bu" 4
l'ordre du contenu du fichier \fI.pem\fR est significatif : il doit contenir d'abord
une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat).
Il doit aussi y avoir des lignes vides après le certificat et après la clef privée.
L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que
le fichier ait l'allure suivante :
.Sp
.Vb 8
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
\& [clef encodée]
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
\& [ligne vide]
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
\& [certificat encodé]
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
\& [ligne vide]
.Ve
.SS "\s-1ALEATOIRE\s0"
.IX Subsection "ALEATOIRE"
\&\fBstunnel\fR doit « saler » le générateur de pseudo\-aléatoires \s-1PRNG\s0 (pseudo random
number generator) afin que \s-1SSL\s0 utilise un aléatoire de qualité. Les sources suivantes
sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lue :
.IP "\(bu" 4
le fichier spécifié par \fIRNDfile\fR ;
.IP "\(bu" 4
le fichier spécifié par la variable d'environnement \s-1RANDFILE\s0, à défaut
le fichier .rnd du répertoire \f(CW$HOME\fR de l'utilisateur ;
.IP "\(bu" 4
le fichier spécifié par « \-\-with\-random » lors de la compilation ;
.IP "\(bu" 4
le contenu de l'écran (MS-Windows seulement) ;
.IP "\(bu" 4
le socket \s-1EGD\s0 spécifié par \fI\s-1EGD\s0\fR ;
.IP "\(bu" 4
le socket \s-1EGD\s0 spécifié par « \-\-with\-egd\-sock » lors de la compilation ;
.IP "\(bu" 4
le périphérique /dev/urandom.
.PP
Avec un OpenSSL récent (>=OpenSSL 0.9.5a) le chargement de données s'arrête
automatiquement lorsqu'un niveau d'entropie suffisant est atteint.
Les versions précédentes continuent à lire toutes les sources puisqu'aucune
fonction \s-1SSL\s0 ne leur permet de savoir que suffisamment de données sont disponibles.
.PP
Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console,
(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est
pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire
par le biais de \fIRNDfile\fR.
.PP
Le fichier spécifié par \fIRNDfile\fR doit contenir des informations aléatoires \*(--
c'est\-à\-dire des informations différentes à chaque lancement de \fBstunnel\fR.
Cela est géré automatiquement sauf si l'option \fIRNDoverwrite\fR est utilisée.
Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la
commande \fIopenssl rand\fR des versions récentes d'OpenSSL sera sans doute utile.
.PP
Note importante : si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser
celui-ci pour « saler » le \s-1PRNG\s0 même lorsqu'il contrôle l'état de l'aléatoire ;
ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable
qu'il soit utilisé s'il est présent.
Ce n'est pas le comportement de \fBstunnel\fR, c'est celui d'OpenSSL.
.SH "VOIR AUSSI"
.IX Header "VOIR AUSSI"
.IP "\fItcpd\fR\|(8)" 4
.IX Item "tcpd"
Service de contrôle d'accès pour les services internet
.IP "\fIinetd\fR\|(8)" 4
.IX Item "inetd"
« super-serveur » internet
.IP "\fIhttp://www.stunnel.org/\fR" 4
.IX Item "http://www.stunnel.org/"
Page de référence de \fBstunnel\fR
.IP "\fIhttp://www.openssl.org/\fR" 4
.IX Item "http://www.openssl.org/"
Site web du projet OpenSSL
.SH "AUTEUR"
.IX Header "AUTEUR"
.IP "Michał Trojnara" 4
.IX Item "Michał Trojnara"
<\fIMichal.Trojnara@mirt.net\fR>
.SH "ADAPTATION FRANÇAISE"
.IX Header "ADAPTATION FRANÇAISE"
.IP "Bernard Choppy" 4
.IX Item "Bernard Choppy"
<\fIchoppy \s-1AT\s0 free \s-1POINT\s0 fr\fR>

670
doc/stunnel.fr.html
View File

@ -1,670 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>stunnel.8</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:root@localhost" />
</head>
<body style="background-color: white">
<!-- INDEX BEGIN -->
<div name="index">
<p><a name="__index__"></a></p>
<!--
<ul>
<li><a href="#nom">NOM</a></li>
<li><a href="#synopsis">SYNOPSIS</a></li>
<li><a href="#description">DESCRIPTION</a></li>
<li><a href="#options">OPTIONS</a></li>
<li><a href="#fichier_de_configuration">FICHIER DE CONFIGURATION</a></li>
<ul>
<li><a href="#options_globales">OPTIONS GLOBALES</a></li>
<li><a href="#options_de_service">OPTIONS DE SERVICE</a></li>
</ul>
<li><a href="#valeur_de_retour">VALEUR DE RETOUR</a></li>
<li><a href="#exemples">EXEMPLES</a></li>
<li><a href="#fichiers">FICHIERS</a></li>
<li><a href="#bogues">BOGUES</a></li>
<li><a href="#restrictions">RESTRICTIONS</a></li>
<li><a href="#notes">NOTES</a></li>
<ul>
<li><a href="#mode_inetd">MODE INETD</a></li>
<li><a href="#certificats">CERTIFICATS</a></li>
<li><a href="#aleatoire">ALEATOIRE</a></li>
</ul>
<li><a href="#voir_aussi">VOIR AUSSI</a></li>
<li><a href="#auteur">AUTEUR</a></li>
<li><a href="#adaptation_fran__aise">ADAPTATION FRANÇAISE</a></li>
</ul>
-->
</div>
<!-- INDEX END -->
<p>
</p>
<h1><a name="nom">NOM</a></h1>
<p>stunnel - tunnel SSL universel</p>
<p>
</p>
<hr />
<h1><a name="synopsis">SYNOPSIS</a></h1>
<dl>
<dt><strong><a name="unix" class="item"><strong>Unix:</strong></a></strong></dt>
<dd>
<p><strong>stunnel</strong> [fichier] | -fd&nbsp;[n] | -help | -version | -sockets</p>
</dd>
<dt><strong><a name="win32" class="item"><strong>WIN32:</strong></a></strong></dt>
<dd>
<p><strong>stunnel</strong> [fichier] | -install | -uninstall | -help | -version | -sockets</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="description">DESCRIPTION</a></h1>
<p>Le programme <strong>stunnel</strong> est conçu pour fonctionner comme une couche
de chiffrement <em>SSL</em> entre des clients distants et des serveurs locaux
(<em>inetd</em>-démarrables) ou distants. Le concept est qu'à partir de daemons
non-SSL présents sur le système, on peut facilement les configurer pour
communiquer avec des clients sur des liens sécurisés SSL.</p>
<p><strong>stunnel</strong> peut être utilisé pour ajouter des fonctionnalités SSL à des
daemons classiques <em>Inetd</em> tels que les serveurs POP-2, POP-3 et IMAP,
à d'autres autonomes tels que NNTP, SMTP et HTTP, ainsi que pour tunneliser
PPP sur des sockets réseau sans modification du code source.</p>
<p>Ce produit inclut du code de chiffrement écrit par
Eric Young (<a href="mailto:eay@cryptsoft.com">eay@cryptsoft.com</a>)</p>
<p>
</p>
<hr />
<h1><a name="options">OPTIONS</a></h1>
<dl>
<dt><strong><a name="fichier" class="item"><strong>[fichier]</strong></a></strong></dt>
<dd>
<p>Utilisation du fichier de configuration spécifié.</p>
</dd>
<dt><strong><a name="fd_n_unix_seulement" class="item"><strong>-fd [n]</strong> (Unix seulement)</a></strong></dt>
<dd>
<p>Lecture du fichier de configuration depuis le descripteur de
fichier indiqué.</p>
</dd>
<dt><strong><a name="help" class="item"><strong>-help</strong></a></strong></dt>
<dd>
<p>Affiche le menu d'aide de <strong>stunnel</strong>.</p>
</dd>
<dt><strong><a name="version" class="item"><strong>-version</strong></a></strong></dt>
<dd>
<p>Affiche la version de <strong>stunnel</strong> et les options de compilation.</p>
</dd>
<dt><strong><a name="sockets" class="item"><strong>-sockets</strong></a></strong></dt>
<dd>
<p>Affiche les options socket par défaut.</p>
</dd>
<dt><strong><a name="install" class="item"><strong>-install</strong> (NT/2000/XP seulement)</a></strong></dt>
<dd>
<p>Installe un service NT.</p>
</dd>
<dt><strong><a name="uninstall" class="item"><strong>-uninstall</strong> (NT/2000/XP only)</a></strong></dt>
<dd>
<p>Désinstalle un service NT.</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="fichier_de_configuration">FICHIER DE CONFIGURATION</a></h1>
<p>Chaque ligne du fichier de configuration peut être soit&nbsp;:</p>
<ul>
<li>
<p>une ligne vide (ignorée)&nbsp;;</p>
</li>
<li>
<p>un commentaire commençant par «&nbsp;#&nbsp;» (ignoré)&nbsp;;</p>
</li>
<li>
<p>une paire «&nbsp;option = valeur&nbsp;»&nbsp;;</p>
</li>
<li>
<p>«&nbsp;[service_name]&nbsp;» indiquant le début de la définition d'un service&nbsp;;</p>
</li>
</ul>
<p>
</p>
<h2><a name="options_globales">OPTIONS GLOBALES</a></h2>
<dl>
<dt><strong><a name="capath_r_pertoire" class="item"><strong>CApath</strong> = répertoire</a></strong></dt>
<dd>
<p>Répertoire des autorités de certification (CA)</p>
<p>C'est le répertoire dans lequel <strong>stunnel</strong> cherche les certificats si
l'on utilise <em>verify</em>. Les certificats doivent être dénommés selon la
forme XXXXXXXX.0, où XXXXXXXX est la valeur de hachage du certificat.</p>
<p>Le cas échéant, le répertoire <em>CApath</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<dt><strong><a name="cafile_fichier" class="item"><strong>CAfile</strong> = fichier</a></strong></dt>
<dd>
<p>Fichier d'autorités de certification</p>
<p>Ce fichier, utilisé avec <em>verify</em>, contient plusieurs certificats de CA.</p>
</dd>
<dt><strong><a name="cert_fichier" class="item"><strong>cert</strong> = fichier</a></strong></dt>
<dd>
<p>Fichier de chaîne de certificats PEM</p>
<p>Une PEM est toujours nécessaire en mode serveur.
En mode client, cette option utilise cette PEM comme une chaîne côté client.
L'utilisation de certificats côté client est optionnelle. Les certificats
doivent être au format PEM et triés par ordre de niveau décroissant (CA racine
en premier).</p>
</dd>
<dt><strong><a name="pertoire" class="item"><strong>chroot</strong> = répertoire (Unix seulement)</a></strong></dt>
<dd>
<p>Répertoire de chroot du processus <strong>stunnel</strong></p>
<p><strong>chroot</strong> enferme <strong>stunnel</strong> dans une cellule chroot. <em>CApath</em>, <em>CRLpath</em>, <em>pid</em>
et <em>exec</em> sont situés à l'intérieur de la cellule et les répertoires doivent être
relatifs au répertoire correspondant.</p>
<p>Pour que le contrôle de libwrap (wrappeur TCP) soit effectif dans un environnement
chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et
/etc/hosts.deny).</p>
</dd>
<dt><strong><a name="ciphers_listes_de_chiffre" class="item"><strong>ciphers</strong> = listes de chiffre</a></strong></dt>
<dd>
<p>Sélection des chiffres SSL autorisés</p>
<p>Liste délimitée par deux-points («&nbsp;:&nbsp;») des chiffres autorisés pour la connexion SSL.
Exemple&nbsp;: DES-CBC3-SHA:IDEA-CBC-MD5</p>
</dd>
<dt><strong><a name="client_yes_no" class="item"><strong>client</strong> = yes | no</a></strong></dt>
<dd>
<p>Mode client (Le service distant utilise SSL)</p>
<p>Par défaut&nbsp;: no (mode server)</p>
</dd>
<dt><strong><a name="crlpath_r_pertoire" class="item"><strong>CRLpath</strong> = répertoire</a></strong></dt>
<dd>
<p>Répertoire des listes de révocation de certificats (CRL)</p>
<p>C'est le répertoire dans lequel <strong>stunnel</strong> recherche les CRL avec
l'option <em>verify</em>. Les CRL doivent être dénommés selon la
forme XXXXXXXX.0 où XXXXXXXX est la valeur de hachage de la CRL.</p>
<p>Le cas échéant, le répertoire <em>CRLpath</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<dt><strong><a name="crlfile_fichier" class="item"><strong>CRLfile</strong> = fichier</a></strong></dt>
<dd>
<p>Fichier de listes de révocation de certificats (CRL)</p>
<p>Ce fichier, utilisé avec <em>verify</em>, contient plusieurs CRL.</p>
</dd>
<dt><strong><a name="debug_facilit_niveau" class="item"><strong>debug</strong> = [facilité.]niveau</a></strong></dt>
<dd>
<p>niveau de déverminage</p>
<p>Le niveau est un nom ou un numéro conforme à ceux de syslog&nbsp;:
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux
numériquement inférieurs seront affichées. <strong>debug = debug</strong> ou
<strong>debug = 7</strong> donneront le maximum d'informations. La valeur par défaut
est notice (5).</p>
<p>La facilité syslog «&nbsp;daemon&nbsp;» est utilisée, sauf si un autre nom est spécifié
(Win32 ne permet pas l'usage des facilités.)</p>
<p>La casse est ignorée, aussi bien pour la facilité que pour le niveau.</p>
</dd>
<dt><strong><a name="chemin" class="item"><strong>EGD</strong> = chemin (Unix seulement)</a></strong></dt>
<dd>
<p>Emplacement du socket du daemon de recueil d'entropie (EGD - Entropy Gathering Daemon)</p>
<p>Socket EGD à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible
seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur).</p>
</dd>
<dt><strong><a name="no" class="item"><strong>foreground</strong> = yes | no (Unix seulement)</a></strong></dt>
<dd>
<p>Mode avant-plan</p>
<p>Reste en avant-plan (sans fork) et dirige la trace sur stderr
au lieu de syslog (sauf si <strong>output</strong> est spécifié).</p>
<p>Par défault&nbsp;: arrière-plan en mode daemon.</p>
</dd>
<dt><strong><a name="key_fichier" class="item"><strong>key</strong> = fichier</a></strong></dt>
<dd>
<p>Fichier de clef privée pour le certificat spécifié par <em>cert</em></p>
<p>La clef privée est nécessaire pour authentifier le titulaire du
certificat.
Puisque ce fichier doit rester secret, il ne doit être lisible que
par son propriétaire. Sur les systèmes Unix, on peut utiliser la
commande suivante&nbsp;:</p>
<pre>
chmod 600 fichier</pre>
<p>Par défault&nbsp;: Valeur de <em>cert</em></p>
</dd>
<dt><strong><a name="options_options_ssl" class="item"><strong>options</strong> = Options_SSL</a></strong></dt>
<dd>
<p>Options de la bibliothèque OpenSSL</p>
<p>Le paramètre est l'option OpenSSL décrite dans la page de man
<em>SSL_CTX_set_options(3ssl)</em>, débarassée du préfixe <em>SSL_OP_</em>.
Plusieurs <em>options</em> peuvent être spécifiées.</p>
<p>Par exemple, pour la compatibilité avec l'implantation SSL défaillante
d'Eudora, on peut utiliser&nbsp;:</p>
<pre>
options = DONT_INSERT_EMPTY_FRAGMENTS</pre>
</dd>
<dt><strong><a name="output_fichier" class="item"><strong>output</strong> = fichier</a></strong></dt>
<dd>
<p>Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.</p>
<p>/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard
(par exemple pour les traiter avec les outils splogger).</p>
</dd>
<dt><strong><strong>pid</strong> = fichier (Unix seulement)</strong></dt>
<dd>
<p>Emplacement du fichier pid</p>
<p>Si l'argument est vide, aucun fichier ne sera créé.</p>
<p>Le cas échéant, le chemin <em>pid</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<dt><strong><a name="rndbytes_nombre" class="item"><strong>RNDbytes</strong> = nombre</a></strong></dt>
<dd>
<p>Nombre d'octets à lire depuis les fichiers de «&nbsp;sel&nbsp;» aléatoire</p>
<p>Avec les SSL de version inférieure à 0.9.5a, détermine aussi le nombre
d'octets considérés comme suffisants pour «&nbsp;saler&nbsp;» le PRNG. Les versions plus
récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire
est suffisant.</p>
</dd>
<dt><strong><a name="rndfile_fichier" class="item"><strong>RNDfile</strong> = fichier</a></strong></dt>
<dd>
<p>chemin du fichier de données de «&nbsp;sel&nbsp;» aléatoire</p>
<p>La bibliothèque SSL utilise prioritairement les données de ce fichier pour
«&nbsp;saler&nbsp;» le générateur d'aléatoire.</p>
</dd>
<dt><strong><a name="rndoverwrite_yes_no" class="item"><strong>RNDoverwrite</strong> = yes | no</a></strong></dt>
<dd>
<p>Recouvre les fichiers de «&nbsp;sel&nbsp;» avec de nouvelles données aléatoires.</p>
<p>Par défaut&nbsp;: yes</p>
</dd>
<dt><strong><a name="service_nom" class="item"><strong>service</strong> = nom</a></strong></dt>
<dd>
<p>Définit le nom de service à utiliser</p>
<p><strong>Sous Unix&nbsp;:</strong> nom de service du mode <em>inetd</em> pour la bibliothèque TCP Wrapper.</p>
<p>Par défaut&nbsp;: stunnel</p>
</dd>
<dt><strong><a name="session_timeout" class="item"><strong>session</strong> = timeout</a></strong></dt>
<dd>
<p>Timeout du cache de session</p>
</dd>
<dt><strong><a name="nom" class="item"><strong>setgid</strong> = nom (Unix seulement)</a></strong></dt>
<dd>
<p>Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)</p>
</dd>
<dt><strong><strong>setuid</strong> = nom (Unix seulement)</strong></dt>
<dd>
<p>Nom d'utilisateur utilisé en mode daemon</p>
</dd>
<dt><strong><a name="socket_a_l_r_option_valeur_valeur" class="item"><strong>socket</strong> = a|l|r:option=valeur[:valeur]</a></strong></dt>
<dd>
<p>Configure une option de socket accept (a), locale (l) ou distante (r)</p>
<p>Les valeurs de l'option linger sont&nbsp;: l_onof:l_linger.
Les valeurs de l'option time sont&nbsp;: tv_sec:tv_usec.</p>
<p>Exemples&nbsp;:</p>
<pre>
socket = l:SO_LINGER=1:60
définit un délai d'une minute pour la clôture des sockets locaux
socket = r:SO_OOBINLINE=yes
Place directement les données hors-bande dans le flux de réception
des sockets distants
socket = a:SO_REUSEADDR=no
désactive la réutilisation d'adresses (activée par défaut)
socket = a:SO_BINDTODEVICE=lo
limite l'acceptation des connexions sur la seule interface de bouclage</pre>
</dd>
<dt><strong><strong>taskbar</strong> = yes | no (WIN32 seulement)</strong></dt>
<dd>
<p>active l'icône de la barre de tâches</p>
<p>Par défaut&nbsp;: yes</p>
</dd>
<dt><strong><a name="verify_niveau" class="item"><strong>verify</strong> = niveau</a></strong></dt>
<dd>
<p>Vérifie le certificat du correspondant</p>
<pre>
niveau 1 - vérifie le certificat s'il est présent
niveau 2 - vérifie le certificat
niveau 3 - contrôle le correspondant avec le certificat local</pre>
<p>Par défaut - pas de vérification</p>
</dd>
</dl>
<p>
</p>
<h2><a name="options_de_service">OPTIONS DE SERVICE</a></h2>
<p>Chaque section de configuration commence par le nom du service entre crochets.
Celui-ci est utilisé par le contrôle d'accès de libwrap (TCP Wrappers) et sert
à distinguer les services <strong>stunnel</strong> dans les fichiers de traces.</p>
<p>Si l'on souhaite utiliser <strong>stunnel</strong> en mode <em>inetd</em> (lorsqu'un socket lui est
fourni par un serveur comme <em>inetd</em>, <em>xinetd</em> ou <em>tcpserver</em>), il faut se
reporter à la section <em>MODE INETD</em> plus bas.</p>
<dl>
<dt><strong><a name="accept_h_te_port" class="item"><strong>accept</strong> = [hôte:]port</a></strong></dt>
<dd>
<p>Accepte des connexions sur le port spécifié</p>
<p>Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses IP de
la machine locale.</p>
</dd>
<dt><strong><a name="connect_h_te_port" class="item"><strong>connect</strong> = [hôte:]port</a></strong></dt>
<dd>
<p>Se connecte au port distant indiqué</p>
<p>Par défaut, l'hôte est localhost.</p>
</dd>
<dt><strong><a name="delay_yes_no" class="item"><strong>delay</strong> = yes | no</a></strong></dt>
<dd>
<p>Retarde la recherche DNS pour l'option «&nbsp;connect&nbsp;»</p>
</dd>
<dt><strong><a name="cutable" class="item"><strong>exec</strong> = chemin_exécutable (Unix seulement)</a></strong></dt>
<dd>
<p>Exécute un programme local de type inetd</p>
<p>Le cas échéant, le chemin <em>exec</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<dt><strong><a name="execargs_0_1_2_unix_seulement" class="item"><strong>execargs</strong> = $0 $1 $2 ... (Unix seulement)</a></strong></dt>
<dd>
<p>Arguments pour <em>exec</em>, y compris le nom du programme ($0)</p>
<p>Les quotes ne peuvent actuellement pas être utilisées.
Les arguments sont séparés par un nombre quelconque d'espaces.</p>
</dd>
<dt><strong><a name="ident_nom" class="item"><strong>ident</strong> = nom</a></strong></dt>
<dd>
<p>Applique le contrôle d'identité d'utilisateur IDENT (<a href="http://www.ietf.org/rfc/rfc1413.txt" class="rfc">RFC 1413</a>)</p>
</dd>
<dt><strong><a name="local_h_te" class="item"><strong>local</strong> = hôte</a></strong></dt>
<dd>
<p>Adresse IP de l'interface de sortie utilisée pour les connexions distantes.
Cette option permet de relier une adresse statique locale.</p>
</dd>
<dt><strong><a name="protocol_protocole" class="item"><strong>protocol</strong> = protocole</a></strong></dt>
<dd>
<p>Négocie avec SSL selon le protocole indiqué</p>
<p>Actuellement gérés&nbsp;: cifs, nntp, pop3, smtp</p>
</dd>
<dt><strong><strong>pty</strong> = yes | no (Unix seulement)</strong></dt>
<dd>
<p>Alloue un pseudo-terminal pour l'option «&nbsp;exec&nbsp;»</p>
</dd>
<dt><strong><a name="timeoutbusy_secondes" class="item"><strong>TIMEOUTbusy</strong> = secondes</a></strong></dt>
<dd>
<p>Durée d'attente de données</p>
</dd>
<dt><strong><a name="timeoutclose_secondes" class="item"><strong>TIMEOUTclose</strong> = secondes</a></strong></dt>
<dd>
<p>Durée d'attente du close_notify (mis à 0 pour MSIE qui est bogué)</p>
</dd>
<dt><strong><a name="timeoutidle_secondes" class="item"><strong>TIMEOUTidle</strong> = secondes</a></strong></dt>
<dd>
<p>Durée d'attente sur une connexion inactive</p>
</dd>
<dt><strong><strong>transparent</strong> = yes | no (Unix seulement)</strong></dt>
<dd>
<p>Mode mandataire transparent</p>
<p>Ré-écrit les adresses pour qu'elles apparaissent provenir de la
machine client SSL plutôt que de celle qui exécute <strong>stunnel</strong>.
Cette option n'est disponible en mode local (option <em>exec</em>) qu'avec
la bibliothèque partagée LD_PRELOADing env.so shared library et en mode
distant (option <em>connect</em>) sur les noyaux Linux 2.2 compilés avec
l'option <em>transparent proxy</em> et seulement en mode serveur. Cette
option ne se combine pas au mode mandataire (<em>connect</em>) sauf si la
route par défaut du client vers la cible passe par l'hôte qui fait
tourner <strong>stunnel</strong>, qui ne peut être localhost.</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="valeur_de_retour">VALEUR DE RETOUR</a></h1>
<p><strong>stunnel</strong> renvoie zéro en cas de succès, une autre valeur en cas d'erreur.</p>
<p>
</p>
<hr />
<h1><a name="exemples">EXEMPLES</a></h1>
<p>Pour encapsuler votre service <em>imapd</em> local avec SSL&nbsp;:</p>
<pre>
[imapd]
accept = 993
exec = /usr/sbin/imapd
execargs = imapd</pre>
<p>Pour tunneliser un daemon <em>pppd</em> sur le port 2020&nbsp;:</p>
<pre>
[vpn]
accept = 2020
exec = /usr/sbin/pppd
execargs = pppd local
pty = yes</pre>
<p>Configuration de <em>stunnel.conf</em> pour utiliser <strong>stunnel</strong> en mode <em>inetd</em>
qui lance imapd à son tour (il ne doit pas y avoir de section <em>[service_name]</em>)&nbsp;:</p>
<pre>
exec = /usr/sbin/imapd
execargs = imapd</pre>
<p>
</p>
<hr />
<h1><a name="fichiers">FICHIERS</a></h1>
<dl>
<dt><strong><a name="stunnel_conf" class="item"><em class="file">stunnel.conf</em></a></strong></dt>
<dd>
<p>Fichier de configuration de <strong>stunnel</strong></p>
</dd>
<dt><strong><a name="stunnel_pem" class="item"><em class="file">stunnel.pem</em></a></strong></dt>
<dd>
<p>Certificat et clef privée de <strong>stunnel</strong></p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="bogues">BOGUES</a></h1>
<p>L'option <em>execargs</em> n'admet pas les quotes.</p>
<p>
</p>
<hr />
<h1><a name="restrictions">RESTRICTIONS</a></h1>
<p><strong>stunnel</strong> ne peut être utilisé pour le daemon FTP en raison de la nature
du protocole FTP qui utilise des ports multiples pour les transferts de données.
Il existe cependant des versions SSL de FTP et de telnet.</p>
<p>
</p>
<hr />
<h1><a name="notes">NOTES</a></h1>
<p>
</p>
<h2><a name="mode_inetd">MODE INETD</a></h2>
<p>L'utilisation la plus commune de <strong>stunnel</strong> consiste à écouter un port
réseau et à établir une communication, soit avec un nouveau port
avec l'option <em>connect</em>, soit avec un programme avec l'option <em>exec</em>.
On peut parfois cependant souhaiter qu'un autre programme reçoive les
connexions entrantes et lance <strong>stunnel</strong>, par exemple avec <em>inetd</em>,
<em>xinetd</em> ou <em>tcpserver</em>.</p>
<p>Si, par exemple, la ligne suivante se trouve dans <em>inetd.conf</em>&nbsp;:</p>
<pre>
imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf</pre>
<p>Dans ces cas, c'est le programme du genre <em>inetd</em>-style qui est
responsable de l'établissement de la connexion (<em>imaps</em> ci-dessus) et de passer
celle-ci à <strong>stunnel</strong>.
Ainsi, <strong>stunnel</strong> ne doit alors avoir aucune option <em>accept</em>.
Toutes les <em>options de niveau service</em> doivent être placées dans
la section des options globales et aucune section <em>[service_name]</em> ne doit
être présente. Voir la section <em>EXEMPLES</em> pour des exemples de configurations.</p>
<p>
</p>
<h2><a name="certificats">CERTIFICATS</a></h2>
<p>Chaque daemon à propriétés SSL doit présenter un certificat X.509
valide à son interlocuteur. Il a aussi besoin d'une clef privé pour
déchiffrer les données entrantes. La méthode la plus simple pour
obtenir un certificat et une clef est d'engendrer celles-ci avec
le paquetage libre <em>OpenSSL</em>. Plus d'informations sur la génération de
certificats se trouvent dans les pages indiquées plus bas.</p>
<p>Deux choses importantes lors de la génération de paires certificat-clef
pour <strong>stunnel</strong>&nbsp;:</p>
<ul>
<li>
<p>la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen
d'obtenir le mot de passe de l'utilisateur&nbsp;; pour produire une clef non chiffrée,
ajouter l'option <em>-nodes</em> à la commande <strong>req</strong> de <em>OpenSSL</em>&nbsp;;</p>
</li>
<li>
<p>l'ordre du contenu du fichier <em>.pem</em> est significatif&nbsp;: il doit contenir d'abord
une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat).
Il doit aussi y avoir des lignes vides après le certificat et après la clef privée.
L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que
le fichier ait l'allure suivante&nbsp;:</p>
<pre>
-----BEGIN RSA PRIVATE KEY-----
[clef encodée]
-----END RSA PRIVATE KEY-----
[ligne vide]
-----BEGIN CERTIFICATE-----
[certificat encodé]
-----END CERTIFICATE-----
[ligne vide]</pre>
</li>
</ul>
<p>
</p>
<h2><a name="aleatoire">ALEATOIRE</a></h2>
<p><strong>stunnel</strong> doit «&nbsp;saler&nbsp;» le générateur de pseudo-aléatoires PRNG (pseudo random
number generator) afin que SSL utilise un aléatoire de qualité. Les sources suivantes
sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lue&nbsp;:</p>
<ul>
<li>
<p>le fichier spécifié par <em>RNDfile</em>&nbsp;;</p>
</li>
<li>
<p>le fichier spécifié par la variable d'environnement RANDFILE, à défaut
le fichier .rnd du répertoire $HOME de l'utilisateur&nbsp;;</p>
</li>
<li>
<p>le fichier spécifié par «&nbsp;--with-random&nbsp;» lors de la compilation&nbsp;;</p>
</li>
<li>
<p>le contenu de l'écran (MS-Windows seulement)&nbsp;;</p>
</li>
<li>
<p>le socket EGD spécifié par <em>EGD</em>&nbsp;;</p>
</li>
<li>
<p>le socket EGD spécifié par «&nbsp;--with-egd-sock&nbsp;» lors de la compilation&nbsp;;</p>
</li>
<li>
<p>le périphérique /dev/urandom.</p>
</li>
</ul>
<p>Avec un OpenSSL récent (&gt;=OpenSSL 0.9.5a) le chargement de données s'arrête
automatiquement lorsqu'un niveau d'entropie suffisant est atteint.
Les versions précédentes continuent à lire toutes les sources puisqu'aucune
fonction SSL ne leur permet de savoir que suffisamment de données sont disponibles.</p>
<p>Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console,
(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est
pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire
par le biais de <em>RNDfile</em>.</p>
<p>Le fichier spécifié par <em>RNDfile</em> doit contenir des informations aléatoires --
c'est-à-dire des informations différentes à chaque lancement de <strong>stunnel</strong>.
Cela est géré automatiquement sauf si l'option <em>RNDoverwrite</em> est utilisée.
Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la
commande <em>openssl rand</em> des versions récentes d'OpenSSL sera sans doute utile.</p>
<p>Note importante&nbsp;: si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser
celui-ci pour «&nbsp;saler&nbsp;» le PRNG même lorsqu'il contrôle l'état de l'aléatoire&nbsp;;
ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable
qu'il soit utilisé s'il est présent.
Ce n'est pas le comportement de <strong>stunnel</strong>, c'est celui d'OpenSSL.</p>
<p>
</p>
<hr />
<h1><a name="voir_aussi">VOIR AUSSI</a></h1>
<dl>
<dt><strong><a name="tcpd" class="item"><a href="#tcpd">tcpd(8)</a></a></strong></dt>
<dd>
<p>Service de contrôle d'accès pour les services internet</p>
</dd>
<dt><strong><a name="inetd" class="item"><a href="#inetd">inetd(8)</a></a></strong></dt>
<dd>
<p>«&nbsp;super-serveur&nbsp;» internet</p>
</dd>
<dt><strong><a name="http_www_stunnel_org" class="item"><em class="file"><a href="http://www.stunnel.org/">http://www.stunnel.org/</a></em></a></strong></dt>
<dd>
<p>Page de référence de <strong>stunnel</strong></p>
</dd>
<dt><strong><a name="http_www_openssl_org" class="item"><em class="file"><a href="http://www.openssl.org/">http://www.openssl.org/</a></em></a></strong></dt>
<dd>
<p>Site web du projet OpenSSL</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="auteur">AUTEUR</a></h1>
<dl>
<dt><strong><a name="micha_trojnara" class="item">Michał Trojnara</a></strong></dt>
<dd>
<p>&lt;<em class="file"><a href="mailto:Michal.Trojnara@mirt.net">Michal.Trojnara@mirt.net</a></em>&gt;</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="adaptation_fran__aise">ADAPTATION FRANÇAISE</a></h1>
<dl>
<dt><strong><a name="bernard_choppy" class="item">Bernard Choppy</a></strong></dt>
<dd>
<p>&lt;<em class="file">choppy AT free POINT fr</em>&gt;</p>
</dd>
</dl>
</body>
</html>

636
doc/stunnel.fr.pod
View File

@ -1,636 +0,0 @@
=head1 NOM
=encoding utf8
stunnel - tunnel SSL universel
=head1 SYNOPSIS
=over 4
=item B<Unix:>
B<stunnel> S<[fichier]> | S<-fd [n]> | S<-help> | S<-version> | S<-sockets>
=item B<WIN32:>
B<stunnel> S<[fichier]> | S<-install> | S<-uninstall> | S<-help> | S<-version> | S<-sockets>
=back
=head1 DESCRIPTION
Le programme B<stunnel> est conçu pour fonctionner comme une couche
de chiffrement I<SSL> entre des clients distants et des serveurs locaux
(I<inetd>-démarrables) ou distants. Le concept est qu'à partir de daemons
non-SSL présents sur le système, on peut facilement les configurer pour
communiquer avec des clients sur des liens sécurisés SSL.
B<stunnel> peut être utilisé pour ajouter des fonctionnalités SSL à des
daemons classiques I<Inetd> tels que les serveurs POP-2, POP-3 et IMAP,
à d'autres autonomes tels que NNTP, SMTP et HTTP, ainsi que pour tunneliser
PPP sur des sockets réseau sans modification du code source.
Ce produit inclut du code de chiffrement écrit par
Eric Young (eay@cryptsoft.com)
=head1 OPTIONS
=over 4
=item B<[fichier]>
Utilisation du fichier de configuration spécifié.
=item B<-fd [n]> (Unix seulement)
Lecture du fichier de configuration depuis le descripteur de
fichier indiqué.
=item B<-help>
Affiche le menu d'aide de B<stunnel>.
=item B<-version>
Affiche la version de B<stunnel> et les options de compilation.
=item B<-sockets>
Affiche les options socket par défaut.
=item B<-install> (NT/2000/XP seulement)
Installe un service NT.
=item B<-uninstall> (NT/2000/XP only)
Désinstalle un service NT.
=back
=head1 FICHIER DE CONFIGURATION
Chaque ligne du fichier de configuration peut être soitE<nbsp>:
=over 4
=item *
une ligne vide (ignorée)E<nbsp>;
=item *
un commentaire commençant par «E<nbsp>#E<nbsp>» (ignoré)E<nbsp>;
=item *
une paire «E<nbsp>option = valeurE<nbsp>»E<nbsp>;
=item *
«E<nbsp>[service_name]E<nbsp>» indiquant le début de la définition d'un serviceE<nbsp>;
=back
=head2 OPTIONS GLOBALES
=over 4
=item B<CApath> = répertoire
Répertoire des autorités de certification (CA)
C'est le répertoire dans lequel B<stunnel> cherche les certificats si
l'on utilise I<verify>. Les certificats doivent être dénommés selon la
forme XXXXXXXX.0, où XXXXXXXX est la valeur de hachage du certificat.
Le cas échéant, le répertoire I<CApath> est relatif au répertoire I<chroot>.
=item B<CAfile> = fichier
Fichier d'autorités de certification
Ce fichier, utilisé avec I<verify>, contient plusieurs certificats de CA.
=item B<cert> = fichier
Fichier de chaîne de certificats PEM
Une PEM est toujours nécessaire en mode serveur.
En mode client, cette option utilise cette PEM comme une chaîne côté client.
L'utilisation de certificats côté client est optionnelle. Les certificats
doivent être au format PEM et triés par ordre de niveau décroissant (CA racine
en premier).
=item B<chroot> = répertoire (Unix seulement)
Répertoire de chroot du processus B<stunnel>
B<chroot> enferme B<stunnel> dans une cellule chroot. I<CApath>, I<CRLpath>, I<pid>
et I<exec> sont situés à l'intérieur de la cellule et les répertoires doivent être
relatifs au répertoire correspondant.
Pour que le contrôle de libwrap (wrappeur TCP) soit effectif dans un environnement
chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et
/etc/hosts.deny).
=item B<ciphers> = listes de chiffre
Sélection des chiffres SSL autorisés
Liste délimitée par deux-points («E<nbsp>:E<nbsp>») des chiffres autorisés pour la connexion SSL.
ExempleE<nbsp>: DES-CBC3-SHA:IDEA-CBC-MD5
=item B<client> = yes | no
Mode client (Le service distant utilise SSL)
Par défautE<nbsp>: no (mode server)
=item B<CRLpath> = répertoire
Répertoire des listes de révocation de certificats (CRL)
C'est le répertoire dans lequel B<stunnel> recherche les CRL avec
l'option I<verify>. Les CRL doivent être dénommés selon la
forme XXXXXXXX.0 où XXXXXXXX est la valeur de hachage de la CRL.
Le cas échéant, le répertoire I<CRLpath> est relatif au répertoire I<chroot>.
=item B<CRLfile> = fichier
Fichier de listes de révocation de certificats (CRL)
Ce fichier, utilisé avec I<verify>, contient plusieurs CRL.
=item B<debug> = [facilité.]niveau
niveau de déverminage
Le niveau est un nom ou un numéro conforme à ceux de syslogE<nbsp>:
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux
numériquement inférieurs seront affichées. B<debug = debug> ou
B<debug = 7> donneront le maximum d'informations. La valeur par défaut
est notice (5).
La facilité syslog «E<nbsp>daemonE<nbsp>» est utilisée, sauf si un autre nom est spécifié
(Win32 ne permet pas l'usage des facilités.)
La casse est ignorée, aussi bien pour la facilité que pour le niveau.
=item B<EGD> = chemin (Unix seulement)
Emplacement du socket du daemon de recueil d'entropie (EGD - Entropy Gathering Daemon)
Socket EGD à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible
seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur).
=item B<foreground> = yes | no (Unix seulement)
Mode avant-plan
Reste en avant-plan (sans fork) et dirige la trace sur stderr
au lieu de syslog (sauf si B<output> est spécifié).
Par défaultE<nbsp>: arrière-plan en mode daemon.
=item B<key> = fichier
Fichier de clef privée pour le certificat spécifié par I<cert>
La clef privée est nécessaire pour authentifier le titulaire du
certificat.
Puisque ce fichier doit rester secret, il ne doit être lisible que
par son propriétaire. Sur les systèmes Unix, on peut utiliser la
commande suivanteE<nbsp>:
chmod 600 fichier
Par défaultE<nbsp>: Valeur de I<cert>
=item B<options> = Options_SSL
Options de la bibliothèque OpenSSL
Le paramètre est l'option OpenSSL décrite dans la page de man
I<SSL_CTX_set_options(3ssl)>, débarassée du préfixe I<SSL_OP_>.
Plusieurs I<options> peuvent être spécifiées.
Par exemple, pour la compatibilité avec l'implantation SSL défaillante
d'Eudora, on peut utiliserE<nbsp>:
options = DONT_INSERT_EMPTY_FRAGMENTS
=item B<output> = fichier
Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.
/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard
(par exemple pour les traiter avec les outils splogger).
=item B<pid> = fichier (Unix seulement)
Emplacement du fichier pid
Si l'argument est vide, aucun fichier ne sera créé.
Le cas échéant, le chemin I<pid> est relatif au répertoire I<chroot>.
=item B<RNDbytes> = nombre
Nombre d'octets à lire depuis les fichiers de «E<nbsp>selE<nbsp>» aléatoire
Avec les SSL de version inférieure à 0.9.5a, détermine aussi le nombre
d'octets considérés comme suffisants pour «E<nbsp>salerE<nbsp>» le PRNG. Les versions plus
récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire
est suffisant.
=item B<RNDfile> = fichier
chemin du fichier de données de «E<nbsp>selE<nbsp>» aléatoire
La bibliothèque SSL utilise prioritairement les données de ce fichier pour
«E<nbsp>salerE<nbsp>» le générateur d'aléatoire.
=item B<RNDoverwrite> = yes | no
Recouvre les fichiers de «E<nbsp>selE<nbsp>» avec de nouvelles données aléatoires.
Par défautE<nbsp>: yes
=item B<service> = nom
Définit le nom de service à utiliser
B<Sous UnixE<nbsp>:> nom de service du mode I<inetd> pour la bibliothèque TCP Wrapper.
Par défautE<nbsp>: stunnel
=item B<session> = timeout
Timeout du cache de session
=item B<setgid> = nom (Unix seulement)
Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)
=item B<setuid> = nom (Unix seulement)
Nom d'utilisateur utilisé en mode daemon
=item B<socket> = a|l|r:option=valeur[:valeur]
Configure une option de socket accept (a), locale (l) ou distante (r)
Les valeurs de l'option linger sontE<nbsp>: l_onof:l_linger.
Les valeurs de l'option time sontE<nbsp>: tv_sec:tv_usec.
ExemplesE<nbsp>:
socket = l:SO_LINGER=1:60
définit un délai d'une minute pour la clôture des sockets locaux
socket = r:SO_OOBINLINE=yes
Place directement les données hors-bande dans le flux de réception
des sockets distants
socket = a:SO_REUSEADDR=no
désactive la réutilisation d'adresses (activée par défaut)
socket = a:SO_BINDTODEVICE=lo
limite l'acceptation des connexions sur la seule interface de bouclage
=item B<taskbar> = yes | no (WIN32 seulement)
active l'icône de la barre de tâches
Par défautE<nbsp>: yes
=item B<verify> = niveau
Vérifie le certificat du correspondant
niveau 1 - vérifie le certificat s'il est présent
niveau 2 - vérifie le certificat
niveau 3 - contrôle le correspondant avec le certificat local
Par défaut - pas de vérification
=back
=head2 OPTIONS DE SERVICE
Chaque section de configuration commence par le nom du service entre crochets.
Celui-ci est utilisé par le contrôle d'accès de libwrap (TCP Wrappers) et sert
à distinguer les services B<stunnel> dans les fichiers de traces.
Si l'on souhaite utiliser B<stunnel> en mode I<inetd> (lorsqu'un socket lui est
fourni par un serveur comme I<inetd>, I<xinetd> ou I<tcpserver>), il faut se
reporter à la section I<MODE INETD> plus bas.
=over 4
=item B<accept> = [hôte:]port
Accepte des connexions sur le port spécifié
Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses IP de
la machine locale.
=item B<connect> = [hôte:]port
Se connecte au port distant indiqué
Par défaut, l'hôte est localhost.
=item B<delay> = yes | no
Retarde la recherche DNS pour l'option «E<nbsp>connectE<nbsp>»
=item B<exec> = chemin_exécutable (Unix seulement)
Exécute un programme local de type inetd
Le cas échéant, le chemin I<exec> est relatif au répertoire I<chroot>.
=item B<execargs> = $0 $1 $2 ... (Unix seulement)
Arguments pour I<exec>, y compris le nom du programme ($0)
Les quotes ne peuvent actuellement pas être utilisées.
Les arguments sont séparés par un nombre quelconque d'espaces.
=item B<ident> = nom
Applique le contrôle d'identité d'utilisateur IDENT (RFC 1413)
=item B<local> = hôte
Adresse IP de l'interface de sortie utilisée pour les connexions distantes.
Cette option permet de relier une adresse statique locale.
=item B<protocol> = protocole
Négocie avec SSL selon le protocole indiqué
Actuellement gérésE<nbsp>: cifs, nntp, pop3, smtp
=item B<pty> = yes | no (Unix seulement)
Alloue un pseudo-terminal pour l'option «E<nbsp>execE<nbsp>»
=item B<TIMEOUTbusy> = secondes
Durée d'attente de données
=item B<TIMEOUTclose> = secondes
Durée d'attente du close_notify (mis à 0 pour MSIE qui est bogué)
=item B<TIMEOUTidle> = secondes
Durée d'attente sur une connexion inactive
=item B<transparent> = yes | no (Unix seulement)
Mode mandataire transparent
Ré-écrit les adresses pour qu'elles apparaissent provenir de la
machine client SSL plutôt que de celle qui exécute B<stunnel>.
Cette option n'est disponible en mode local (option I<exec>) qu'avec
la bibliothèque partagée LD_PRELOADing env.so shared library et en mode
distant (option I<connect>) sur les noyaux Linux 2.2 compilés avec
l'option I<transparent proxy> et seulement en mode serveur. Cette
option ne se combine pas au mode mandataire (I<connect>) sauf si la
route par défaut du client vers la cible passe par l'hôte qui fait
tourner B<stunnel>, qui ne peut être localhost.
=back
=head1 VALEUR DE RETOUR
B<stunnel> renvoie zéro en cas de succès, une autre valeur en cas d'erreur.
=head1 EXEMPLES
Pour encapsuler votre service I<imapd> local avec SSLE<nbsp>:
[imapd]
accept = 993
exec = /usr/sbin/imapd
execargs = imapd
Pour tunneliser un daemon I<pppd> sur le port 2020E<nbsp>:
[vpn]
accept = 2020
exec = /usr/sbin/pppd
execargs = pppd local
pty = yes
Configuration de I<stunnel.conf> pour utiliser B<stunnel> en mode I<inetd>
qui lance imapd à son tour (il ne doit pas y avoir de section I<[service_name]>)E<nbsp>:
exec = /usr/sbin/imapd
execargs = imapd
=head1 FICHIERS
=over 4
=item F<stunnel.conf>
Fichier de configuration de B<stunnel>
=item F<stunnel.pem>
Certificat et clef privée de B<stunnel>
=back
=head1 BOGUES
L'option I<execargs> n'admet pas les quotes.
=head1 RESTRICTIONS
B<stunnel> ne peut être utilisé pour le daemon FTP en raison de la nature
du protocole FTP qui utilise des ports multiples pour les transferts de données.
Il existe cependant des versions SSL de FTP et de telnet.
=head1 NOTES
=head2 MODE INETD
L'utilisation la plus commune de B<stunnel> consiste à écouter un port
réseau et à établir une communication, soit avec un nouveau port
avec l'option I<connect>, soit avec un programme avec l'option I<exec>.
On peut parfois cependant souhaiter qu'un autre programme reçoive les
connexions entrantes et lance B<stunnel>, par exemple avec I<inetd>,
I<xinetd> ou I<tcpserver>.
Si, par exemple, la ligne suivante se trouve dans I<inetd.conf>E<nbsp>:
imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
Dans ces cas, c'est le programme du genre I<inetd>-style qui est
responsable de l'établissement de la connexion (I<imaps> ci-dessus) et de passer
celle-ci à B<stunnel>.
Ainsi, B<stunnel> ne doit alors avoir aucune option I<accept>.
Toutes les I<options de niveau service> doivent être placées dans
la section des options globales et aucune section I<[service_name]> ne doit
être présente. Voir la section I<EXEMPLES> pour des exemples de configurations.
=head2 CERTIFICATS
Chaque daemon à propriétés SSL doit présenter un certificat X.509
valide à son interlocuteur. Il a aussi besoin d'une clef privé pour
déchiffrer les données entrantes. La méthode la plus simple pour
obtenir un certificat et une clef est d'engendrer celles-ci avec
le paquetage libre I<OpenSSL>. Plus d'informations sur la génération de
certificats se trouvent dans les pages indiquées plus bas.
Deux choses importantes lors de la génération de paires certificat-clef
pour B<stunnel>E<nbsp>:
=over 4
=item *
la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen
d'obtenir le mot de passe de l'utilisateurE<nbsp>; pour produire une clef non chiffrée,
ajouter l'option I<-nodes> à la commande B<req> de I<OpenSSL>E<nbsp>;
=item *
l'ordre du contenu du fichier I<.pem> est significatifE<nbsp>: il doit contenir d'abord
une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat).
Il doit aussi y avoir des lignes vides après le certificat et après la clef privée.
L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que
le fichier ait l'allure suivanteE<nbsp>:
-----BEGIN RSA PRIVATE KEY-----
[clef encodée]
-----END RSA PRIVATE KEY-----
[ligne vide]
-----BEGIN CERTIFICATE-----
[certificat encodé]
-----END CERTIFICATE-----
[ligne vide]
=back
=head2 ALEATOIRE
B<stunnel> doit «E<nbsp>salerE<nbsp>» le générateur de pseudo-aléatoires PRNG (pseudo random
number generator) afin que SSL utilise un aléatoire de qualité. Les sources suivantes
sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lueE<nbsp>:
=over 4
=item *
le fichier spécifié par I<RNDfile>E<nbsp>;
=item *
le fichier spécifié par la variable d'environnement RANDFILE, à défaut
le fichier .rnd du répertoire $HOME de l'utilisateurE<nbsp>;
=item *
le fichier spécifié par «E<nbsp>--with-randomE<nbsp>» lors de la compilationE<nbsp>;
=item *
le contenu de l'écran (MS-Windows seulement)E<nbsp>;
=item *
le socket EGD spécifié par I<EGD>E<nbsp>;
=item *
le socket EGD spécifié par «E<nbsp>--with-egd-sockE<nbsp>» lors de la compilationE<nbsp>;
=item *
le périphérique /dev/urandom.
=back
Avec un OpenSSL récent (>=OpenSSL 0.9.5a) le chargement de données s'arrête
automatiquement lorsqu'un niveau d'entropie suffisant est atteint.
Les versions précédentes continuent à lire toutes les sources puisqu'aucune
fonction SSL ne leur permet de savoir que suffisamment de données sont disponibles.
Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console,
(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est
pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire
par le biais de I<RNDfile>.
Le fichier spécifié par I<RNDfile> doit contenir des informations aléatoires --
c'est-à-dire des informations différentes à chaque lancement de B<stunnel>.
Cela est géré automatiquement sauf si l'option I<RNDoverwrite> est utilisée.
Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la
commande I<openssl rand> des versions récentes d'OpenSSL sera sans doute utile.
Note importanteE<nbsp>: si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser
celui-ci pour «E<nbsp>salerE<nbsp>» le PRNG même lorsqu'il contrôle l'état de l'aléatoireE<nbsp>;
ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable
qu'il soit utilisé s'il est présent.
Ce n'est pas le comportement de B<stunnel>, c'est celui d'OpenSSL.
=head1 VOIR AUSSI
=over 4
=item L<tcpd(8)>
Service de contrôle d'accès pour les services internet
=item L<inetd(8)>
«E<nbsp>super-serveurE<nbsp>» internet
=item F<http://www.stunnel.org/>
Page de référence de B<stunnel>
=item F<http://www.openssl.org/>
Site web du projet OpenSSL
=back
=head1 AUTEUR
=over 4
=item Michał Trojnara
<F<Michal.Trojnara@mirt.net>>
=back
=head1 ADAPTATION FRANÇAISE
=over 4
=item Bernard Choppy
<F<choppy AT free POINT fr>>
=back

1120
doc/stunnel.html
View File

File diff suppressed because it is too large Load Diff

1625
doc/stunnel.html.in Normal file
View File

File diff suppressed because it is too large Load Diff

1129
doc/stunnel.pl.8 → doc/stunnel.pl.8.in
View File

File diff suppressed because it is too large Load Diff

1158
doc/stunnel.pl.html
View File

File diff suppressed because it is too large Load Diff

1626
doc/stunnel.pl.html.in Normal file
View File

File diff suppressed because it is too large Load Diff

810
doc/stunnel.pl.pod → doc/stunnel.pl.pod.in
View File

File diff suppressed because it is too large Load Diff

1124
doc/stunnel.pod
View File

File diff suppressed because it is too large Load Diff

1529
doc/stunnel.pod.in Normal file
View File

File diff suppressed because it is too large Load Diff

2290
m4/libtool.m4 vendored
View File

File diff suppressed because it is too large Load Diff

32
m4/ltoptions.m4 vendored
View File

@ -1,13 +1,14 @@
# Helper functions for option handling. -*- Autoconf -*-
#
# Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc.
# Copyright (C) 2004, 2005, 2007, 2008, 2009 Free Software Foundation,
# Inc.
# Written by Gary V. Vaughan, 2004
#
# This file is free software; the Free Software Foundation gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
# serial 6 ltoptions.m4
# serial 7 ltoptions.m4
# This is to help aclocal find these macros, as it can't see m4_define.
AC_DEFUN([LTOPTIONS_VERSION], [m4_if([1])])
@ -125,7 +126,7 @@ LT_OPTION_DEFINE([LT_INIT], [win32-dll],
[enable_win32_dll=yes
case $host in
*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-cegcc*)
*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-cegcc*)
AC_CHECK_TOOL(AS, as, false)
AC_CHECK_TOOL(DLLTOOL, dlltool, false)
AC_CHECK_TOOL(OBJDUMP, objdump, false)
@ -133,13 +134,13 @@ case $host in
esac
test -z "$AS" && AS=as
_LT_DECL([], [AS], [0], [Assembler program])dnl
_LT_DECL([], [AS], [1], [Assembler program])dnl
test -z "$DLLTOOL" && DLLTOOL=dlltool
_LT_DECL([], [DLLTOOL], [0], [DLL creation program])dnl
_LT_DECL([], [DLLTOOL], [1], [DLL creation program])dnl
test -z "$OBJDUMP" && OBJDUMP=objdump
_LT_DECL([], [OBJDUMP], [0], [Object dumper program])dnl
_LT_DECL([], [OBJDUMP], [1], [Object dumper program])dnl
])# win32-dll
AU_DEFUN([AC_LIBTOOL_WIN32_DLL],
@ -325,9 +326,24 @@ dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], [])
# MODE is either `yes' or `no'. If omitted, it defaults to `both'.
m4_define([_LT_WITH_PIC],
[AC_ARG_WITH([pic],
[AS_HELP_STRING([--with-pic],
[AS_HELP_STRING([--with-pic@<:@=PKGS@:>@],
[try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
[pic_mode="$withval"],
[lt_p=${PACKAGE-default}
case $withval in
yes|no) pic_mode=$withval ;;
*)
pic_mode=default
# Look at the argument we got. We use all the common list separators.
lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
for lt_pkg in $withval; do
IFS="$lt_save_ifs"
if test "X$lt_pkg" = "X$lt_p"; then
pic_mode=yes
fi
done
IFS="$lt_save_ifs"
;;
esac],
[pic_mode=default])
test -z "$pic_mode" && pic_mode=m4_default([$1], [default])

12
m4/ltversion.m4 vendored
View File

@ -7,17 +7,17 @@
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
# Generated from ltversion.in.
# @configure_input@
# serial 3017 ltversion.m4
# serial 3337 ltversion.m4
# This file is part of GNU Libtool
m4_define([LT_PACKAGE_VERSION], [2.2.6b])
m4_define([LT_PACKAGE_REVISION], [1.3017])
m4_define([LT_PACKAGE_VERSION], [2.4.2])
m4_define([LT_PACKAGE_REVISION], [1.3337])
AC_DEFUN([LTVERSION_VERSION],
[macro_version='2.2.6b'
macro_revision='1.3017'
[macro_version='2.4.2'
macro_revision='1.3337'
_LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?])
_LT_DECL(, macro_revision, 0)
])

12
m4/lt~obsolete.m4 vendored
View File

@ -1,13 +1,13 @@
# lt~obsolete.m4 -- aclocal satisfying obsolete definitions. -*-Autoconf-*-
#
# Copyright (C) 2004, 2005, 2007 Free Software Foundation, Inc.
# Copyright (C) 2004, 2005, 2007, 2009 Free Software Foundation, Inc.
# Written by Scott James Remnant, 2004.
#
# This file is free software; the Free Software Foundation gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
# serial 4 lt~obsolete.m4
# serial 5 lt~obsolete.m4
# These exist entirely to fool aclocal when bootstrapping libtool.
#
@ -77,7 +77,6 @@ m4_ifndef([AC_DISABLE_FAST_INSTALL], [AC_DEFUN([AC_DISABLE_FAST_INSTALL])])
m4_ifndef([_LT_AC_LANG_CXX], [AC_DEFUN([_LT_AC_LANG_CXX])])
m4_ifndef([_LT_AC_LANG_F77], [AC_DEFUN([_LT_AC_LANG_F77])])
m4_ifndef([_LT_AC_LANG_GCJ], [AC_DEFUN([_LT_AC_LANG_GCJ])])
m4_ifndef([AC_LIBTOOL_RC], [AC_DEFUN([AC_LIBTOOL_RC])])
m4_ifndef([AC_LIBTOOL_LANG_C_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG])])
m4_ifndef([_LT_AC_LANG_C_CONFIG], [AC_DEFUN([_LT_AC_LANG_C_CONFIG])])
m4_ifndef([AC_LIBTOOL_LANG_CXX_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG])])
@ -90,3 +89,10 @@ m4_ifndef([AC_LIBTOOL_LANG_RC_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG])])
m4_ifndef([_LT_AC_LANG_RC_CONFIG], [AC_DEFUN([_LT_AC_LANG_RC_CONFIG])])
m4_ifndef([AC_LIBTOOL_CONFIG], [AC_DEFUN([AC_LIBTOOL_CONFIG])])
m4_ifndef([_LT_AC_FILE_LTDLL_C], [AC_DEFUN([_LT_AC_FILE_LTDLL_C])])
m4_ifndef([_LT_REQUIRED_DARWIN_CHECKS], [AC_DEFUN([_LT_REQUIRED_DARWIN_CHECKS])])
m4_ifndef([_LT_AC_PROG_CXXCPP], [AC_DEFUN([_LT_AC_PROG_CXXCPP])])
m4_ifndef([_LT_PREPARE_SED_QUOTE_VARS], [AC_DEFUN([_LT_PREPARE_SED_QUOTE_VARS])])
m4_ifndef([_LT_PROG_ECHO_BACKSLASH], [AC_DEFUN([_LT_PROG_ECHO_BACKSLASH])])
m4_ifndef([_LT_PROG_F77], [AC_DEFUN([_LT_PROG_F77])])
m4_ifndef([_LT_PROG_FC], [AC_DEFUN([_LT_PROG_FC])])
m4_ifndef([_LT_PROG_CXX], [AC_DEFUN([_LT_PROG_CXX])])

111
src/Makefile.am
View File

@ -1,22 +1,41 @@
## Process this file with automake to produce Makefile.in
# by Michal Trojnara 2015-2017
###############################################################################
# File lists #
###############################################################################
# File lists
common_headers = common.h prototypes.h version.h
common_sources = str.c file.c client.c log.c options.c protocol.c network.c
common_sources += resolver.c ssl.c ctx.c verify.c sthreads.c fd.c stunnel.c
unix_sources = pty.c libwrap.c
common_sources = tls.c str.c file.c client.c log.c options.c protocol.c
common_sources += network.c resolver.c ssl.c ctx.c verify.c sthreads.c
common_sources += fd.c dhparam.c cron.c stunnel.c
unix_sources = pty.c libwrap.c ui_unix.c
shared_sources = env.c
win32_sources = gui.c resources.h resources.rc stunnel.ico
win32_gui_sources = ui_win_gui.c resources.h resources.rc
win32_gui_sources += stunnel.ico active.ico error.ico idle.ico
win32_cli_sources = ui_win_cli.c
###############################################################################
# Generate a new set of DH parameters for each version #
###############################################################################
dhparam.c: version.h
echo '#include "common.h"' >dhparam.c
echo '#ifndef OPENSSL_NO_DH' >>dhparam.c
echo '#define DN_new DH_new' >>dhparam.c
openssl dhparam -noout -C 2048 >>dhparam.c
echo '#endif /* OPENSSL_NO_DH */' >>dhparam.c
###############################################################################
# Unix executables and shared library #
###############################################################################
# Unix executables
bin_PROGRAMS = stunnel
stunnel_SOURCES = $(common_headers) $(common_sources) $(unix_sources)
bin_SCRIPTS = stunnel3
# Unix shared library
pkglib_LTLIBRARIES = libstunnel.la
libstunnel_la_SOURCES = $(shared_sources)
libstunnel_la_LDFLAGS = -avoid-version
EXTRA_DIST = stunnel3.in
CLEANFILES = stunnel3
# Red Hat "by design" bug #82369
stunnel_CPPFLAGS = -I/usr/kerberos/include
@ -25,55 +44,41 @@ stunnel_CPPFLAGS = -I/usr/kerberos/include
stunnel_CPPFLAGS += -I$(SSLDIR)/include
stunnel_CPPFLAGS += -DLIBDIR='"$(pkglibdir)"'
stunnel_CPPFLAGS += -DCONFDIR='"$(sysconfdir)/stunnel"'
stunnel_CPPFLAGS += -DPIDFILE='"$(localstatedir)/run/stunnel/stunnel.pid"'
# SSL library
# TLS library
stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto
# Win32 executable
EXTRA_DIST = make.bat makece.bat makew32.bat
EXTRA_DIST += mingw.mak evc.mak vc.mak os2.mak
EXTRA_PROGRAMS = stunnel.exe tstunnel.exe
stunnel_exe_SOURCES = $(common_headers) $(common_sources) $(win32_sources)
tstunnel_exe_SOURCES = $(common_headers) $(common_sources) nogui.c
# stunnel3 script
edit = sed \
-e 's|@bindir[@]|$(bindir)|g'
stunnel3: Makefile
$(edit) '$(srcdir)/$@.in' >$@
stunnel3: $(srcdir)/stunnel3.in
# OPENSSLDIR = /usr/src/openssl-0.9.8u-fips
# WINCPPFLAGS = -I$(OPENSSLDIR)/inc32
OPENSSLDIR = /usr/src/openssl-1.0.2a-i686
WINCPPFLAGS = -I$(OPENSSLDIR)/include
WINCFLAGS = -mthreads -fstack-protector -O2 -Wall -Wextra -Wno-long-long -pedantic
WINLDFLAGS = -mthreads -fstack-protector -s
WINLIBS = -L$(OPENSSLDIR) -lcrypto -lssl -lpsapi -lws2_32 -lgdi32
# WINLIBS = -L$(OPENSSLDIR) -lzdll -lcrypto.dll -lssl.dll -lpsapi -lws2_32 -lgdi32
# WINLIBS = -L$(OPENSSLDIR) -lzdll -lcrypto -lssl -lpsapi -lws2_32 -lgdi32
WINOBJ = str.obj file.obj client.obj log.obj options.obj protocol.obj
WINOBJ += network.obj resolver.obj ssl.obj ctx.obj verify.obj sthreads.obj
WINOBJ += fd.obj stunnel.obj
WINGUIOBJ = $(WINOBJ) gui.obj resources.obj
WINNOGUIOBJ = $(WINOBJ) nogui.obj
WINPREFIX = i686-w64-mingw32-
WINGCC = $(WINPREFIX)gcc
WINDRES = $(WINPREFIX)windres
# Unix shared library
pkglib_LTLIBRARIES = libstunnel.la
libstunnel_la_SOURCES = $(shared_sources)
libstunnel_la_LDFLAGS = -avoid-version
dist-hook: stunnel.exe tstunnel.exe
###############################################################################
# Win32 executables #
###############################################################################
distclean-local:
rm -f stunnel.exe tstunnel.exe
if AUTHOR_TESTS
# Just check if the programs can be built, don't perform any actual tests
check-local: mingw mingw64
endif
# SUFFIXES = .c .rc .obj
mingw:
$(MAKE) -f $(srcdir)/mingw.mk srcdir=$(srcdir) win32_targetcpu=i686 win32_mingw=mingw
mingw64:
$(MAKE) -f $(srcdir)/mingw.mk srcdir=$(srcdir) win32_targetcpu=x86_64 win32_mingw=mingw64
.PHONY: mingw mingw64
stunnel.exe: $(WINGUIOBJ)
$(WINGCC) -mwindows $(WINLDFLAGS) -o stunnel.exe $(WINGUIOBJ) $(WINLIBS)
tstunnel.exe: $(WINNOGUIOBJ)
$(WINGCC) $(WINLDFLAGS) -o tstunnel.exe $(WINNOGUIOBJ) $(WINLIBS)
%.obj: %.c $(common_headers)
$(WINGCC) -c $(WINCPPFLAGS) $(WINCFLAGS) -o $@ $<
resources.obj: resources.rc resources.h version.h
$(WINDRES) --include-dir $(srcdir) $< $@
mostlyclean-local:
-rm -f *.obj
clean-local:
rm -rf ../obj ../bin
# Remaining files to be included
EXTRA_DIST += $(win32_gui_sources) $(win32_cli_sources)
EXTRA_DIST += make.bat makece.bat makew32.bat
EXTRA_DIST += mingw.mk mingw.mak evc.mak vc.mak os2.mak

818
src/Makefile.in
View File

File diff suppressed because it is too large Load Diff

BIN
src/active.ico Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.1 KiB

1273
src/client.c
View File

File diff suppressed because it is too large Load Diff

231
src/common.h
View File

@ -1,24 +1,24 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
@ -26,7 +26,7 @@
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
@ -40,7 +40,6 @@
#include "version.h"
/**************************************** common constants */
#define LIBWRAP_CLIENTS 5
@ -49,7 +48,7 @@
#define DEFAULT_STACK_SIZE 65536
/* #define DEBUG_STACK_SIZE */
/* I/O buffer size - 18432 is the maximum size of SSL record payload */
/* I/O buffer size: 18432 (0x4800) is the maximum size of TLS record payload */
#define BUFFSIZE 18432
/* how many bytes of random input to read from files for PRNG */
@ -62,6 +61,12 @@
/* additional diagnostic messages */
/* #define DEBUG_FD_ALLOC */
#ifdef DEBUG_INFO
#define NOEXPORT
#else
#define NOEXPORT static
#endif
/**************************************** platform */
#ifdef _WIN32
@ -70,20 +75,32 @@
#ifdef _WIN32_WCE
#define USE_WIN32
typedef int socklen_t;
typedef int socklen_t;
#endif
#ifdef USE_WIN32
typedef signed char int8_t;
typedef signed short int16_t;
typedef signed int int32_t;
typedef signed long long int64_t;
typedef unsigned char uint8_t;
typedef unsigned short uint16_t;
typedef unsigned int uint32_t;
typedef unsigned long long uint64_t;
#ifndef __MINGW32__
#ifdef _WIN64
typedef __int64 ssize_t;
#else /* _WIN64 */
typedef int ssize_t;
#endif /* _WIN64 */
#endif /* !__MINGW32__ */
#define PATH_MAX MAX_PATH
#define USE_IPv6
#define _CRT_SECURE_NO_DEPRECATE
#define _CRT_NONSTDC_NO_DEPRECATE
#define HAVE_OSSL_ENGINE_H
#define HAVE_OSSL_OCSP_H
/* prevent including wincrypt.h, as it defines it's own OCSP_RESPONSE */
#define _CRT_NON_CONFORMING_SWPRINTFS
/* prevent including wincrypt.h, as it defines its own OCSP_RESPONSE */
#define __WINCRYPT_H__
#endif
#ifdef USE_WIN32
#define S_EADDRINUSE WSAEADDRINUSE
/* winsock does not define WSAEAGAIN */
/* in most (but not all!) BSD implementations EAGAIN==EWOULDBLOCK */
@ -158,9 +175,17 @@ typedef int socklen_t;
#include <pthread.h>
#endif
/* TCP wrapper */
#if defined HAVE_TCPD_H && defined HAVE_LIBWRAP
#define USE_LIBWRAP 1
/* systemd */
#ifdef USE_SYSTEMD
#include <systemd/sd-daemon.h>
#endif
#ifdef HAVE_STDINT_H
#include <stdint.h>
#endif
#ifdef HAVE_INTTYPES_H
#include <inttypes.h>
#endif
/* must be included before sys/stat.h for Ultrix */
@ -185,10 +210,6 @@ typedef int socklen_t;
#ifdef USE_WIN32
typedef unsigned char u8;
typedef unsigned short u16;
typedef unsigned long u32;
#define HAVE_STRUCT_ADDRINFO
#define HAVE_SNPRINTF
#define snprintf _snprintf
@ -202,10 +223,9 @@ typedef unsigned long u32;
#define set_last_socket_error(e) WSASetLastError(e)
#define get_last_error() GetLastError()
#define set_last_error(e) SetLastError(e)
#define readsocket(s,b,n) recv((s),(b),(n),0)
#define writesocket(s,b,n) send((s),(b),(n),0)
#define readsocket(s,b,n) recv((s),(b),(int)(n),0)
#define writesocket(s,b,n) send((s),(b),(int)(n),0)
/* #define FD_SETSIZE 4096 */
/* #define Win32_Winsock */
#define __USE_W32_SOCKETS
@ -216,6 +236,7 @@ typedef unsigned long u32;
#include <windows.h>
#include <process.h> /* _beginthread */
#include <shlobj.h> /* SHGetFolderPath */
#include <tchar.h>
#include "resources.h"
@ -224,22 +245,6 @@ typedef unsigned long u32;
#else /* USE_WIN32 */
#if SIZEOF_UNSIGNED_CHAR == 1
typedef unsigned char u8;
#endif
#if SIZEOF_UNSIGNED_SHORT == 2
typedef unsigned short u16;
#else
typedef unsigned int u16;
#endif
#if SIZEOF_UNSIGNED_INT == 4
typedef unsigned int u32;
#else
typedef unsigned long u32;
#endif
#ifdef __INNOTEK_LIBC__
#define socklen_t __socklen_t
#define strcasecmp stricmp
@ -265,10 +270,12 @@ typedef unsigned long u32;
#define ioctlsocket(a,b,c) ioctl((a),(b),(c))
#endif
typedef int SOCKET;
#define INVALID_SOCKET (-1)
/* OpenVMS compatibility */
#ifdef __vms
#define LIBDIR "__NA__"
#define PIDFILE "SYS$LOGIN:STUNNEL.PID"
#ifdef __alpha
#define HOST "alpha-openvms"
#else
@ -283,6 +290,9 @@ typedef unsigned long u32;
/* Unix-specific headers */
#include <signal.h> /* signal */
#include <sys/wait.h> /* wait */
#ifdef HAVE_LIMITS_H
#include <limits.h> /* INT_MAX */
#endif
#ifdef HAVE_SYS_RESOURCE_H
#include <sys/resource.h> /* getrlimit */
#endif
@ -298,6 +308,7 @@ typedef unsigned long u32;
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h> /* for aix */
#endif
#include <dirent.h>
#if defined(HAVE_POLL) && !defined(BROKEN_POLL)
#ifdef HAVE_POLL_H
@ -326,6 +337,7 @@ typedef unsigned long u32;
#include <sys/uio.h> /* struct iovec */
#endif /* HAVE_SYS_UIO_H */
/* BSD sockets */
#include <netinet/in.h> /* struct sockaddr_in */
#include <sys/socket.h> /* getpeername */
#include <arpa/inet.h> /* inet_ntoa */
@ -383,83 +395,108 @@ extern char *sys_errlist[];
#include <linux/netfilter_ipv4.h>
#endif /* HAVE_LINUX_NETFILTER_IPV4_H */
#endif /* __linux__ */
#ifdef HAVE_SYS_SYSCALL_H
#include <sys/syscall.h> /* SYS_gettid */
#endif
#ifdef HAVE_LINUX_SCHED_H
#include <linux/sched.h> /* SCHED_BATCH */
#endif
#endif /* USE_WIN32 */
#ifndef S_ISREG
#define S_ISREG(m) (((m)&S_IFMT)==S_IFREG)
#endif
/**************************************** OpenSSL headers */
#define OPENSSL_THREAD_DEFINES
#include <openssl/opensslconf.h>
#if defined(USE_PTHREAD) && !(defined(OPENSSL_THREADS) || \
(OPENSSL_VERSION_NUMBER<0x0090700fL && defined(THREADS)))
/* opensslv.h requires prior opensslconf.h to include -fips in version string */
#include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER<0x0090700fL
#error OpenSSL 0.9.7 or later is required
#endif /* OpenSSL older than 0.9.7 */
#if defined(USE_PTHREAD) && !defined(OPENSSL_THREADS)
#error OpenSSL library compiled without thread support
#endif /* !OPENSSL_THREADS && USE_PTHREAD */
#if defined (USE_WIN32) && defined(OPENSSL_FIPS)
#define USE_FIPS
#endif
/* OpenSSL 0.9.6 comp.h needs ZLIB macro to declare COMP_zlib() */
#define ZLIB
#include <openssl/lhash.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/crypto.h> /* for CRYPTO_* and SSLeay_version */
#include <openssl/rand.h>
#ifndef OPENSSL_NO_MD4
#include <openssl/md4.h>
#endif
#include <openssl/des.h>
#ifdef HAVE_OSSL_ENGINE_H
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#else
#undef HAVE_OSSL_ENGINE_H
#endif
#endif /* HAVE_OSSL_ENGINE_H */
#if OPENSSL_VERSION_NUMBER<0x0090800fL
#define OPENSSL_NO_ECDH
#define OPENSSL_NO_COMP
#endif /* OpenSSL older than 0.9.8 */
/* non-blocking OCSP API is not available before OpenSSL 0.9.8h */
#if OPENSSL_VERSION_NUMBER<0x00908080L
#ifdef HAVE_OSSL_OCSP_H
#undef HAVE_OSSL_OCSP_H
#endif /* HAVE_OSSL_OCSP_H */
#ifndef OPENSSL_NO_OCSP
#define OPENSSL_NO_OCSP
#endif /* !defined(OPENSSL_NO_OCSP) */
#endif /* OpenSSL older than 0.9.8h */
#ifdef HAVE_OSSL_OCSP_H
#include <openssl/ocsp.h>
#endif /* HAVE_OSSL_OCSP_H */
#ifdef HAVE_OSSL_FIPS_H
#include <openssl/fips.h>
#include <openssl/fips_rand.h>
#endif /* HAVE_OSSL_FIPS_H */
#if OPENSSL_VERSION_NUMBER<0x0090800fL
#define OPENSSL_NO_ECDH
#endif /* OpenSSL version < 0.8.0 */
#if OPENSSL_VERSION_NUMBER<0x00908060L
#define OPENSSL_NO_TLSEXT
#endif /* OpenSSL older than 0.9.8f */
#if OPENSSL_VERSION_NUMBER<0x10000000L
#define OPENSSL_NO_TLSEXT
#endif /* OpenSSL version < 1.0.0 */
#define OPENSSL_NO_PSK
#endif /* OpenSSL older than 1.0.0 */
#if OPENSSL_VERSION_NUMBER<0x10001000L || defined(OPENSSL_NO_TLS1)
#define OPENSSL_NO_TLS1_1
#define OPENSSL_NO_TLS1_2
#endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */
#if OPENSSL_VERSION_NUMBER>=0x10100000L
#ifndef OPENSSL_NO_SSL2
#define OPENSSL_NO_SSL2
#endif /* !defined(OPENSSL_NO_SSL2) */
#else /* OpenSSL older than 1.1.0 */
#define X509_STORE_CTX_get0_chain(x) X509_STORE_CTX_get_chain(x)
#endif /* OpenSSL 1.1.0 or newer */
#if defined(USE_WIN32) && defined(OPENSSL_FIPS)
#define USE_FIPS
#endif
#include <openssl/lhash.h>
#include <openssl/ssl.h>
#include <openssl/ui.h>
#include <openssl/err.h>
#include <openssl/crypto.h> /* for CRYPTO_* and SSLeay_version */
#include <openssl/rand.h>
#include <openssl/bn.h>
#include <openssl/pkcs12.h>
#ifndef OPENSSL_NO_MD4
#include <openssl/md4.h>
#endif /* !defined(OPENSSL_NO_MD4) */
#include <openssl/des.h>
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#if OPENSSL_VERSION_NUMBER<0x10100000L
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
#endif /* OpenSSL older than 1.1.0 */
#endif /* !defined(OPENSSL_NO_DH) */
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif /* !defined(OPENSSL_NO_ENGINE) */
#ifndef OPENSSL_NO_OCSP
#include <openssl/ocsp.h>
#endif /* !defined(OPENSSL_NO_OCSP) */
#ifndef OPENSSL_NO_COMP
/* not defined in public headers before OpenSSL 0.9.8 */
STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
#endif /* OPENSSL_NO_COMP */
#endif /* !defined(OPENSSL_NO_COMP) */
#ifndef OPENSSL_VERSION
#define OPENSSL_VERSION SSLEAY_VERSION
#define OpenSSL_version_num() SSLeay()
#define OpenSSL_version(x) SSLeay_version(x)
#endif
/**************************************** other defines */
/* change all non-printable characters to '.' */
#define safestring(s) \
do {unsigned char *p; for(p=(unsigned char *)(s); *p; p++) \
if(!isprint((int)*p)) *p='.';} while(0)
/* change all unsafe characters to '.' */
#define safename(s) \
do {unsigned char *p; for(p=(s); *p; p++) \
if(!isalnum((int)*p)) *p='.';} while(0)
/* always use IPv4 defaults! */
#define DEFAULT_LOOPBACK "127.0.0.1"
#define DEFAULT_ANY "0.0.0.0"
@ -480,7 +517,7 @@ STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
#endif /* defined (USE_WIN32) || defined (__vms) */
#ifndef offsetof
#define offsetof(T, F) ((unsigned int)((char *)&((T *)0L)->F - (char *)0L))
#define offsetof(T, F) ((unsigned)((char *)&((T *)0L)->F - (char *)0L))
#endif
#endif /* defined COMMON_H */

139
src/config.h.in
View File

@ -51,18 +51,18 @@
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
/* Define to 1 if you have 'libpthread' library. */
#undef HAVE_LIBPTHREAD
/* Define to 1 if you have the <libutil.h> header file. */
#undef HAVE_LIBUTIL_H
/* Define to 1 if you have 'libwrap' library. */
#undef HAVE_LIBWRAP
/* Define to 1 if you have the <limits.h> header file. */
#undef HAVE_LIMITS_H
/* Define to 1 if you have the <linux/netfilter_ipv4.h> header file. */
#undef HAVE_LINUX_NETFILTER_IPV4_H
/* Define to 1 if you have the <linux/sched.h> header file. */
#undef HAVE_LINUX_SCHED_H
/* Define to 1 if you have the `localtime_r' function. */
#undef HAVE_LOCALTIME_R
@ -78,15 +78,6 @@
/* Define to 1 if you have the `openpty' function. */
#undef HAVE_OPENPTY
/* Define to 1 if you have <engine.h> header file. */
#undef HAVE_OSSL_ENGINE_H
/* Define to 1 if you have <fips.h> header file. */
#undef HAVE_OSSL_FIPS_H
/* Define to 1 if you have <ocsp.h> header file. */
#undef HAVE_OSSL_OCSP_H
/* Define to 1 if you have the `pipe2' function. */
#undef HAVE_PIPE2
@ -96,15 +87,24 @@
/* Define to 1 if you have the <poll.h> header file. */
#undef HAVE_POLL_H
/* Define if you have POSIX threads libraries and header files. */
#undef HAVE_PTHREAD
/* Define to 1 if you have the <pthread.h> header file. */
#undef HAVE_PTHREAD_H
/* Have PTHREAD_PRIO_INHERIT. */
#undef HAVE_PTHREAD_PRIO_INHERIT
/* Define to 1 if you have the `pthread_sigmask' function. */
#undef HAVE_PTHREAD_SIGMASK
/* Define to 1 if you have the <pty.h> header file. */
#undef HAVE_PTY_H
/* Define to 1 if you have the `realpath' function. */
#undef HAVE_REALPATH
/* Define to 1 if you have the `setgroups' function. */
#undef HAVE_SETGROUPS
@ -141,6 +141,9 @@
/* Define to 1 if you have the `sysconf' function. */
#undef HAVE_SYSCONF
/* Define to 1 if you have the <systemd/sd-daemon.h> header file. */
#undef HAVE_SYSTEMD_SD_DAEMON_H
/* Define to 1 if you have the <sys/filio.h> header file. */
#undef HAVE_SYS_FILIO_H
@ -162,6 +165,9 @@
/* Define to 1 if you have the <sys/stat.h> header file. */
#undef HAVE_SYS_STAT_H
/* Define to 1 if you have the <sys/syscall.h> header file. */
#undef HAVE_SYS_SYSCALL_H
/* Define to 1 if you have the <sys/types.h> header file. */
#undef HAVE_SYS_TYPES_H
@ -205,9 +211,6 @@
*/
#undef LT_OBJDIR
/* Define to 1 if your C compiler doesn't accept -c and -o together. */
#undef NO_MINUS_C_MINUS_O
/* Name of package */
#undef PACKAGE
@ -229,28 +232,20 @@
/* Define to the version of this package. */
#undef PACKAGE_VERSION
/* Define to necessary symbol if this constant uses a non-standard name on
your system. */
#undef PTHREAD_CREATE_JOINABLE
/* Random file path */
#undef RANDOM_FILE
/* The size of `unsigned char', as computed by sizeof. */
#undef SIZEOF_UNSIGNED_CHAR
/* The size of `unsigned int', as computed by sizeof. */
#undef SIZEOF_UNSIGNED_INT
/* The size of `unsigned long', as computed by sizeof. */
#undef SIZEOF_UNSIGNED_LONG
/* The size of `unsigned short', as computed by sizeof. */
#undef SIZEOF_UNSIGNED_SHORT
/* SSL directory */
/* TLS directory */
#undef SSLDIR
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
/* Define to 1 to enable OpenSSL FIPS mode. */
/* Define to 1 to enable OpenSSL FIPS support */
#undef USE_FIPS
/* Define to 1 to select FORK mode */
@ -259,17 +254,99 @@
/* Define to 1 to enable IPv6 support */
#undef USE_IPv6
/* Define to 1 to enable TCP wrappers support */
#undef USE_LIBWRAP
/* Define to 1 to select PTHREAD mode */
#undef USE_PTHREAD
/* Define to 1 to enable systemd socket activation */
#undef USE_SYSTEMD
/* Define to 1 to select UCONTEXT mode */
#undef USE_UCONTEXT
/* Version number of package */
#undef VERSION
/* Use Darwin source */
#undef _DARWIN_C_SOURCE
/* Enable large inode numbers on Mac OS X 10.5. */
#ifndef _DARWIN_USE_64_BIT_INODE
# define _DARWIN_USE_64_BIT_INODE 1
#endif
/* Number of bits in a file offset, on hosts where this is settable. */
#undef _FILE_OFFSET_BITS
/* Use GNU source */
#undef _GNU_SOURCE
/* Define for large files, on AIX-style hosts. */
#undef _LARGE_FILES
/* Define for Solaris 2.5.1 so the uint32_t typedef from <sys/synch.h>,
<pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
#define below would cause a syntax error. */
#undef _UINT32_T
/* Define for Solaris 2.5.1 so the uint64_t typedef from <sys/synch.h>,
<pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
#define below would cause a syntax error. */
#undef _UINT64_T
/* Define for Solaris 2.5.1 so the uint8_t typedef from <sys/synch.h>,
<pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
#define below would cause a syntax error. */
#undef _UINT8_T
/* Use X/Open 5 with POSIX 1995 */
#undef _XOPEN_SOURCE
/* Define to `int' if <sys/types.h> doesn't define. */
#undef gid_t
/* Define to the type of a signed integer type of width exactly 16 bits if
such a type exists and the standard includes do not define it. */
#undef int16_t
/* Define to the type of a signed integer type of width exactly 32 bits if
such a type exists and the standard includes do not define it. */
#undef int32_t
/* Define to the type of a signed integer type of width exactly 64 bits if
such a type exists and the standard includes do not define it. */
#undef int64_t
/* Define to the type of a signed integer type of width exactly 8 bits if such
a type exists and the standard includes do not define it. */
#undef int8_t
/* Define to `unsigned int' if <sys/types.h> does not define. */
#undef size_t
/* Type of socklen_t */
#undef socklen_t
/* Define to `int' if <sys/types.h> does not define. */
#undef ssize_t
/* Define to `int' if <sys/types.h> doesn't define. */
#undef uid_t
/* Define to the type of an unsigned integer type of width exactly 16 bits if
such a type exists and the standard includes do not define it. */
#undef uint16_t
/* Define to the type of an unsigned integer type of width exactly 32 bits if
such a type exists and the standard includes do not define it. */
#undef uint32_t
/* Define to the type of an unsigned integer type of width exactly 64 bits if
such a type exists and the standard includes do not define it. */
#undef uint64_t
/* Define to the type of an unsigned integer type of width exactly 8 bits if
such a type exists and the standard includes do not define it. */
#undef uint8_t

201
src/cron.c Normal file
View File

@ -0,0 +1,201 @@
/*
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
#ifdef USE_PTHREAD
NOEXPORT void *cron_thread(void *arg);
#endif
#ifdef USE_WIN32
NOEXPORT void cron_thread(void *arg);
#endif
#if defined(USE_PTHREAD) || defined(USE_WIN32)
NOEXPORT void cron_worker(void);
NOEXPORT void cron_dh_param(void);
#endif
#if defined(USE_PTHREAD)
int cron_init() {
pthread_t thread;
pthread_attr_t pth_attr;
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
sigset_t new_set, old_set;
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
sigfillset(&new_set);
pthread_sigmask(SIG_SETMASK, &new_set, &old_set); /* block signals */
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
pthread_attr_init(&pth_attr);
pthread_attr_setdetachstate(&pth_attr, PTHREAD_CREATE_DETACHED);
if(pthread_create(&thread, &pth_attr, cron_thread, NULL))
ioerror("pthread_create");
pthread_attr_destroy(&pth_attr);
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
pthread_sigmask(SIG_SETMASK, &old_set, NULL); /* unblock signals */
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
return 0;
}
NOEXPORT void *cron_thread(void *arg) {
#ifdef SCHED_BATCH
struct sched_param param;
#endif
(void)arg; /* squash the unused parameter warning */
tls_alloc(NULL, NULL, "cron");
#ifdef SCHED_BATCH
param.sched_priority=0;
if(pthread_setschedparam(pthread_self(), SCHED_BATCH, &param))
ioerror("pthread_getschedparam");
#endif
cron_worker();
return NULL; /* it should never be executed */
}
#elif defined(USE_WIN32)
int cron_init() {
if((long)_beginthread(cron_thread, 0, NULL)==-1)
ioerror("_beginthread");
return 0;
}
NOEXPORT void cron_thread(void *arg) {
(void)arg; /* squash the unused parameter warning */
tls_alloc(NULL, NULL, "cron");
if(!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_LOWEST))
ioerror("SetThreadPriority");
cron_worker();
_endthread(); /* it should never be executed */
}
#else /* !defined(USE_PTHREAD) && !defined(USE_WIN32) */
int cron_init() {
/* not implemented for now */
return 0;
}
#endif
/* run the cron job every 24 hours */
#define CRON_PERIOD (24*60*60)
#if defined(USE_PTHREAD) || defined(USE_WIN32)
NOEXPORT void cron_worker(void) {
time_t now, then;
int delay;
s_log(LOG_DEBUG, "Cron thread initialized");
sleep(60); /* allow the other services to start with idle CPU */
time(&then);
for(;;) {
s_log(LOG_INFO, "Executing cron jobs");
#ifndef OPENSSL_NO_DH
cron_dh_param();
#endif /* OPENSSL_NO_DH */
time(&now);
s_log(LOG_INFO, "Cron jobs completed in %d seconds", (int)(now-then));
then+=CRON_PERIOD;
if(then>now) {
delay=(int)(then-now);
} else {
s_log(LOG_NOTICE, "Cron backlog cleared (possible hibernation)");
delay=CRON_PERIOD-(int)(now-then)%CRON_PERIOD;
then=now+delay;
}
s_log(LOG_DEBUG, "Waiting %d seconds", delay);
do { /* retry sleep() if it was interrupted by a signal */
sleep((unsigned)delay);
time(&now);
delay=(int)(then-now);
} while(delay>0);
s_log(LOG_INFO, "Reopening log file");
signal_post(SIGNAL_REOPEN_LOG);
}
}
#ifndef OPENSSL_NO_DH
NOEXPORT void cron_dh_param(void) {
SERVICE_OPTIONS *opt;
DH *dh;
if(!dh_needed)
return;
s_log(LOG_NOTICE, "Updating DH parameters");
#if OPENSSL_VERSION_NUMBER>=0x0090800fL
/* generate 2048-bit DH parameters */
dh=DH_new();
if(!dh) {
sslerror("DH_new");
return;
}
if(!DH_generate_parameters_ex(dh, 2048, 2, NULL)) {
DH_free(dh);
sslerror("DH_generate_parameters_ex");
return;
}
#else /* OpenSSL older than 0.9.8 */
dh=DH_generate_parameters(2048, 2, NULL, NULL);
if(!dh) {
sslerror("DH_generate_parameters");
return;
}
#endif
/* update global dh_params for future configuration reloads */
stunnel_write_lock(&stunnel_locks[LOCK_DH]);
DH_free(dh_params);
dh_params=dh;
stunnel_write_unlock(&stunnel_locks[LOCK_DH]);
/* set for all sections that require it */
for(opt=service_options.next; opt; opt=opt->next)
if(opt->option.dh_needed)
SSL_CTX_set_tmp_dh(opt->ctx, dh);
s_log(LOG_NOTICE, "DH parameters updated");
}
#endif /* OPENSSL_NO_DH */
#endif /* USE_PTHREAD || USE_WIN32 */
/* end of cron.c */

1181
src/ctx.c
View File

File diff suppressed because it is too large Load Diff

57
src/dhparam.c Normal file
View File

@ -0,0 +1,57 @@
#include "common.h"
#ifndef OPENSSL_NO_DH
#define DN_new DH_new
#ifndef HEADER_DH_H
# include <openssl/dh.h>
#endif
DH *get_dh2048()
{
static unsigned char dhp_2048[] = {
0xE5, 0x09, 0xEB, 0x6B, 0x7E, 0xFF, 0x06, 0x2E, 0xE9, 0x8E,
0xEB, 0xB8, 0x15, 0x2E, 0x83, 0xE9, 0x77, 0x6B, 0x98, 0x80,
0xC2, 0x5B, 0xC7, 0x99, 0xEF, 0xD2, 0x3B, 0x75, 0x23, 0xD1,
0xEF, 0x4D, 0x2C, 0xE6, 0xE5, 0xD3, 0x6A, 0x5E, 0x38, 0x4A,
0x05, 0x15, 0x57, 0xFF, 0x46, 0x22, 0x0F, 0xDC, 0xC9, 0xF0,
0xA0, 0x4C, 0x2B, 0x70, 0x91, 0x30, 0x32, 0x3A, 0x20, 0x38,
0xB6, 0x62, 0xAE, 0x8C, 0x9E, 0x9B, 0x7A, 0x04, 0xCF, 0x9C,
0x20, 0x0C, 0x9D, 0x34, 0xFC, 0xB5, 0x46, 0x9E, 0xB6, 0x56,
0x94, 0x7A, 0x8E, 0x7B, 0xEA, 0x77, 0x3D, 0x1F, 0x57, 0xAD,
0xB0, 0xB7, 0xD6, 0x2E, 0x95, 0x5B, 0xA7, 0x1E, 0xF1, 0x84,
0x04, 0x7C, 0x77, 0x9B, 0x10, 0x8D, 0x5F, 0xA5, 0x2B, 0x0D,
0xCB, 0xFB, 0xB9, 0x0A, 0xCB, 0xDD, 0x70, 0x9F, 0x85, 0xBA,
0xE3, 0x6A, 0xD1, 0xE4, 0x83, 0x7B, 0x89, 0x66, 0xAC, 0x58,
0x12, 0x43, 0x5B, 0xA8, 0x02, 0xC0, 0x5C, 0x27, 0x61, 0x97,
0x5D, 0xEC, 0x94, 0x71, 0xB2, 0x13, 0x13, 0xAB, 0x30, 0x0C,
0x54, 0x54, 0x8C, 0xE2, 0x9D, 0x07, 0xDE, 0xE7, 0x62, 0x70,
0xDE, 0x6C, 0x48, 0xD7, 0x69, 0xDA, 0xBC, 0xDA, 0xB1, 0x82,
0xE4, 0xD7, 0xE4, 0xFB, 0x6D, 0x36, 0x46, 0x55, 0x30, 0x63,
0x18, 0x42, 0x82, 0x60, 0xE2, 0x76, 0x23, 0x56, 0x34, 0x25,
0xA9, 0x6A, 0xF1, 0x06, 0xB1, 0x68, 0xAD, 0x7F, 0xCE, 0x06,
0xEE, 0x85, 0xA5, 0x83, 0x85, 0x08, 0x45, 0x45, 0x09, 0xA7,
0x3D, 0xC9, 0xAC, 0xE6, 0x3A, 0x98, 0x93, 0xBF, 0x98, 0x2E,
0x4D, 0x00, 0x3B, 0x74, 0x62, 0x7B, 0x8D, 0xBD, 0x18, 0x6C,
0xAC, 0x4B, 0xEF, 0xF5, 0xAD, 0x0E, 0x2E, 0x85, 0x60, 0xE6,
0xF4, 0x3F, 0x25, 0xFE, 0xAE, 0xC3, 0x18, 0x9B, 0x04, 0x7B,
0xC7, 0x48, 0xE8, 0xC1, 0x3C, 0x13
};
static unsigned char dhg_2048[] = {
0x02
};
DH *dh = DH_new();
BIGNUM *dhp_bn, *dhg_bn;
if (dh == NULL)
return NULL;
dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
if (dhp_bn == NULL || dhg_bn == NULL
|| !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
DH_free(dh);
BN_free(dhp_bn);
BN_free(dhg_bn);
return NULL;
}
return dh;
}
#endif /* OPENSSL_NO_DH */

10
src/env.c
View File

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@ -53,15 +53,15 @@
int getpeername(int s, struct sockaddr_in *name, int *len) {
char *value;
(void)s; /* skip warning about unused parameter */
(void)len; /* skip warning about unused parameter */
(void)s; /* squash the unused parameter warning */
(void)len; /* squash the unused parameter warning */
name->sin_family=AF_INET;
if((value=getenv("REMOTE_HOST")))
name->sin_addr.s_addr=inet_addr(value);
else
name->sin_addr.s_addr=htonl(INADDR_ANY);
if((value=getenv("REMOTE_PORT")))
name->sin_port=htons(atoi(value));
name->sin_port=htons((uint16_t)atoi(value));
else
name->sin_port=htons(0); /* dynamic port allocation */
return 0;

BIN
src/error.ico Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.1 KiB

64
src/evc.mak
View File

@ -1,8 +1,24 @@
# wce.mak for stunnel.exe by Michal Trojnara 2006-2012
# with help of Pierre Delaage <delaage.pierre@free.fr>
# pdelaage 20140610 : added UNICODE optional FLAG, always ACTIVE on WCE because of poor ANSI support
# pdelaage 20140610 : added _WIN32_WCE flag for RC compilation, to preprocess out "HELP" unsupported menu flag on WCE
# pdelaage 20140610 : ws2 lib is required to get WSAGetLastError routine (absent from winsock lib)
# pdelaage 20140610 : /Dx86 flag required for X86/Emulator targets, to get proper definition for InterlockedExchange
# pdelaage 20140610 : /MT flag is NON-SENSE for X86-WCE platforms, it is only meaningful for X86-W32-Desktop.
# for X86-WCE targets, although compiler "cl.exe" is REALLY the same as desktop W32 VS6 C++ compiler,
# the MT flags relating to LIBCMT is useless BECAUSE LIBCMT does NOT exist on WCE. No msvcrt on WCE either...
# pdelaage 20140610 : Note on /MC flag
# For other targets than X86/Emulator, /MC flag is redundant with "/nodefaultlib coredll.lib corelibc.lib" LD lib list.
# For << X86 / Emulator >> target, as the cl.exe compiler IS the SAME as the standard VS6.0 C++ compiler for Desktop Pentium processor,
# /MC flag is in fact NOT existing, thus requiring an explicit linking with core libs by using :
# /NODEFAULTLIB coredll.lib corelibc.lib,
# something that is correct for any WCE target, X86 and other, and leading /MC flag to be useless ALSO for other target than X86.
#
# DEFAULTLIB management: only 2 are necessary
# defaultlibS as given for CLxxx in the MS doc ARE WRONG
# defaultlibS, as given for CLxxx in the MS doc, ARE WRONG
# !!!!!!!!!!!!!!
# CUSTOMIZE THIS according to your wcecompat and openssl directories
@ -10,10 +26,10 @@
# Modify this to point to your actual openssl compile directory
# (You did already compile openssl, didn't you???)
SSLDIR=C:\Users\standard\Documents\Dvts\Contrib\openssl\v1.0.0a\patched3
SSLDIR=C:\Users\pdelaage\Dvts\Contrib\openssl
# Note that we currently use a multi-target customized version of legacy Essemer/wcecompat lib
COMPATDIR=C:\Users\standard\Documents\Dvts\Contrib\wcecompat\v12\patchedX86
COMPATDIR=C:\Users\pdelaage\Dvts\Contrib\wcecompat\v12\patched3emu
WCEVER=420
@ -24,7 +40,8 @@ WCEVER=420
!IF "$(TARGETCPU)"=="X86"
WCETARGETCPU=_X86_
LDTARGETCPU=X86
MORECFLAGS=/MT
#pdelaage 20140621 /Dx86 for inline defs of InterlockedExchange inline in winbase.h; no more /MT
MORECFLAGS=/Dx86
# TODO: continue list for other targets : see wcecompat/wcedefs.mak for a good ref.
# see also openssl/util/pl/vc-32.pl, also link /?
@ -34,17 +51,20 @@ MORECFLAGS=/MT
!ELSEIF "$(TARGETCPU)"=="emulator"
WCETARGETCPU=_X86_
LDTARGETCPU=X86
MORECFLAGS=/MT
#pdelaage 20140621 /Dx86 for inline defs of InterlockedExchange inline in winbase.h; no more /MT
MORECFLAGS=/Dx86
!ELSEIF "$(TARGETCPU)"=="MIPS16" || "$(TARGETCPU)"=="MIPSII" || "$(TARGETCPU)"=="MIPSII_FP" || "$(TARGETCPU)"=="MIPSIV" || "$(TARGETCPU)"=="MIPSIV_FP"
WCETARGETCPU=_MIPS_
LDTARGETCPU=MIPS
MORECFLAGS=/DMIPS /MC
#pdelaage 20140621 no more /MC required
MORECFLAGS=/DMIPS
!ELSEIF "$(TARGETCPU)"=="SH3" || "$(TARGETCPU)"=="SH4"
WCETARGETCPU=SHx
LDTARGETCPU=$(TARGETCPU)
MORECFLAGS=/MC
#pdelaage 20140621 no more /MC required
MORECFLAGS=
!ELSE
# default is ARM !
@ -52,8 +72,8 @@ MORECFLAGS=/MC
# the following flag is required by (eg) winnt.h, and is different from targetcpu (armV4)
WCETARGETCPU=ARM
LDTARGETCPU=ARM
MORECFLAGS=/MC
#pdelaage 20140621 no more /MC required
MORECFLAGS=
!ENDIF
# ceutilsdir probably useless (nb : were tools from essemer; but ms delivers a cecopy anyway, see ms dld site)
@ -65,12 +85,17 @@ SDKDIR=$(SDKROOT)\$(OSVERSION)\$(PLATFORM)
INCLUDES=-I$(SSLDIR)\inc32 -I$(COMPATDIR)\include -I"$(SDKDIR)\include\$(TARGETCPU)"
# for X86 and other it appears that /MC or /ML flags are absurd,
# we always have to override runtime lib list to coredll and corelibc
LIBS=/NODEFAULTLIB winsock.lib wcecompatex.lib libeay32.lib ssleay32.lib coredll.lib corelibc.lib
#LIBS=/NODEFAULTLIB winsock.lib wcecompatex.lib libeay32.lib ssleay32.lib coredll.lib corelibc.lib
LIBS=/NODEFAULTLIB ws2.lib wcecompatex.lib libeay32.lib ssleay32.lib coredll.lib corelibc.lib
DEFINES=/DHOST=\"$(TARGETCPU)-WCE-eVC-$(WCEVER)\"
# pdelaage 20140610 added unicode flag : ALWAYS ACTIVE on WCE, because of poor ANSI support by the MS SDK
UNICODEFLAGS=/DUNICODE -D_UNICODE
# /O1 /Oi more correct vs MS doc
CFLAGS=/nologo $(MORECFLAGS) /O1 /Oi /W3 /WX /GF /Gy $(DEFINES) /D$(WCETARGETCPU) /D$(TARGETCPU) /DUNDER_CE=$(WCEVER) /D_WIN32_WCE=$(WCEVER) /DUNICODE -D_UNICODE $(INCLUDES)
RFLAGS=$(DEFINES) $(INCLUDES)
CFLAGS=/nologo $(MORECFLAGS) /O1 /Oi /W3 /WX /GF /Gy $(DEFINES) /D$(WCETARGETCPU) /D$(TARGETCPU) /DUNDER_CE=$(WCEVER) /D_WIN32_WCE=$(WCEVER) $(UNICODEFLAGS) $(INCLUDES)
# pdelaage 20140610 : RC compilation requires D_WIN32_WCE flag to comment out unsupported "HELP" flag in menu definition, in resources.rc file
RFLAGS=$(DEFINES) /D_WIN32_WCE=$(WCEVER) $(INCLUDES)
# LDFLAGS: since openssl >> 098a (eg 098h) out32dll is out32dll_targetCPU for WCE
# delaage added $(TARGETCPU) in legacy Essemer/wcecompat libpath
# to ease multitarget compilation without recompiling everything
@ -89,11 +114,12 @@ BIN=$(BINROOT)\$(TARGETCPU)
OBJS=$(OBJ)\stunnel.obj $(OBJ)\ssl.obj $(OBJ)\ctx.obj $(OBJ)\verify.obj \
$(OBJ)\file.obj $(OBJ)\client.obj $(OBJ)\protocol.obj $(OBJ)\sthreads.obj \
$(OBJ)\log.obj $(OBJ)\options.obj $(OBJ)\network.obj \
$(OBJ)\resolver.obj $(OBJ)\str.obj $(OBJ)\fd.obj
$(OBJ)\log.obj $(OBJ)\options.obj $(OBJ)\network.obj $(OBJ)\resolver.obj \
$(OBJ)\str.obj $(OBJ)\tls.obj $(OBJ)\fd.obj $(OBJ)\dhparam.obj \
$(OBJ)\cron.obj
GUIOBJS=$(OBJ)\gui.obj $(OBJ)\resources.res
NOGUIOBJS=$(OBJ)\nogui.obj
GUIOBJS=$(OBJ)\ui_win_gui.obj $(OBJ)\resources.res
CLIOBJS=$(OBJ)\ui_win_cli.obj
{$(SRC)\}.c{$(OBJ)\}.obj:
$(CC) $(CFLAGS) -Fo$@ -c $<
@ -115,11 +141,11 @@ makedirs:
$(BIN)\stunnel.exe:$(OBJS) $(GUIOBJS)
link $(LDFLAGS) /out:$(BIN)\stunnel.exe $(LIBS) commctrl.lib $**
$(BIN)\tstunnel.exe:$(OBJS) $(NOGUIOBJS)
$(BIN)\tstunnel.exe:$(OBJS) $(CLIOBJS)
link $(LDFLAGS) /out:$(BIN)\tstunnel.exe $(LIBS) $**
$(OBJ)\resources.res: $(SRC)\resources.rc $(SRC)\resources.h $(SRC)\version.h
$(OBJ)\gui.obj: $(SRC)\gui.c $(SRC)\version.h
$(OBJ)\ui_win_gui.obj: $(SRC)\ui_win_gui.c $(SRC)\version.h
$(OBJ)\stunnel.obj: $(SRC)\stunnel.c $(SRC)\version.h
# now list of openssl dll has more files,
@ -136,6 +162,6 @@ install: stunnel.exe tstunnel.exe
$(CEUTILSDIR)\cecopy $(SSLDIR)\out32dll_$(TARGETCPU)\ssleay32.dll $(DSTDIR)
clean:
-@ IF NOT "$(TARGETCPU)"=="" del $(OBJS) $(GUIOBJS) $(NOGUIOBJS) $(BIN)\stunnel.exe $(BIN)\tstunnel.exe >NUL 2>&1
-@ IF NOT "$(TARGETCPU)"=="" del $(OBJS) $(GUIOBJS) $(CLIOBJS) $(BIN)\stunnel.exe $(BIN)\tstunnel.exe >NUL 2>&1
-@ IF NOT "$(TARGETCPU)"=="" rmdir $(OBJ) >NUL 2>&1
-@ IF NOT "$(TARGETCPU)"=="" rmdir $(BIN) >NUL 2>&1

53
src/fd.c
View File

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@ -49,19 +49,19 @@
/**************************************** prototypes */
static int setup_fd(int, int, char *);
NOEXPORT SOCKET setup_fd(SOCKET, int, char *);
/**************************************** internal limit of file descriptors */
#ifndef USE_FORK
static int max_fds;
static SOCKET max_fds;
void get_limits(void) { /* set max_fds and max_clients */
/* start with current ulimit */
#if defined(HAVE_SYSCONF)
errno=0;
max_fds=sysconf(_SC_OPEN_MAX);
max_fds=(SOCKET)sysconf(_SC_OPEN_MAX);
if(errno)
ioerror("sysconf");
if(max_fds<0)
@ -84,13 +84,13 @@ void get_limits(void) { /* set max_fds and max_clients */
max_fds=FD_SETSIZE; /* start with select() limit */
#endif /* select() on Unix */
/* stunnel needs at least 16 file desriptors */
/* stunnel needs at least 16 file descriptors */
if(max_fds && max_fds<16)
max_fds=16;
if(max_fds) {
max_clients=max_fds>=256 ? max_fds*125/256 : (max_fds-6)/2;
s_log(LOG_DEBUG, "Clients allowed=%d", max_clients);
max_clients=(long)(max_fds>=256 ? max_fds*125/256 : (max_fds-6)/2);
s_log(LOG_DEBUG, "Clients allowed=%ld", max_clients);
} else {
max_clients=0;
s_log(LOG_DEBUG, "No limit detected for the number of clients");
@ -101,18 +101,27 @@ void get_limits(void) { /* set max_fds and max_clients */
/**************************************** file descriptor validation */
int s_socket(int domain, int type, int protocol, int nonblock, char *msg) {
SOCKET s_socket(int domain, int type, int protocol, int nonblock, char *msg) {
SOCKET fd;
#ifdef USE_NEW_LINUX_API
if(nonblock)
type|=SOCK_NONBLOCK;
type|=SOCK_CLOEXEC;
#endif
return setup_fd(socket(domain, type, protocol), nonblock, msg);
#ifdef USE_WIN32
/* http://stackoverflow.com/questions/4993119 */
/* CreateProcess() needs a non-overlapped handle */
fd=WSASocket(domain, type, protocol, NULL, 0, 0);
#else /* USE_WIN32 */
fd=socket(domain, type, protocol);
#endif /* USE_WIN32 */
return setup_fd(fd, nonblock, msg);
}
int s_accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen,
SOCKET s_accept(SOCKET sockfd, struct sockaddr *addr, socklen_t *addrlen,
int nonblock, char *msg) {
int fd;
SOCKET fd;
#ifdef USE_NEW_LINUX_API
if(nonblock)
@ -127,7 +136,7 @@ int s_accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen,
#ifndef USE_WIN32
int s_socketpair(int domain, int type, int protocol, int sv[2],
int s_socketpair(int domain, int type, int protocol, SOCKET sv[2],
int nonblock, char *msg) {
#ifdef USE_NEW_LINUX_API
if(nonblock)
@ -177,28 +186,28 @@ int s_pipe(int pipefd[2], int nonblock, char *msg) {
#endif /* USE_WIN32 */
static int setup_fd(int fd, int nonblock, char *msg) {
NOEXPORT SOCKET setup_fd(SOCKET fd, int nonblock, char *msg) {
#if !defined USE_NEW_LINUX_API && defined FD_CLOEXEC
int err;
#endif
if(fd<0) {
if(fd==INVALID_SOCKET) {
sockerror(msg);
return -1;
return INVALID_SOCKET;
}
#ifndef USE_FORK
if(max_fds && fd>=max_fds) {
s_log(LOG_ERR, "%s: FD=%d out of range (max %d)",
msg, fd, max_fds);
msg, (int)fd, (int)max_fds);
closesocket(fd);
return -1;
return INVALID_SOCKET;
}
#endif
#ifdef USE_NEW_LINUX_API
(void)nonblock; /* skip warning about unused parameter */
(void)nonblock; /* squash the unused parameter warning */
#else /* set O_NONBLOCK and F_SETFD */
set_nonblock(fd, nonblock);
set_nonblock(fd, (unsigned long)nonblock);
#ifdef FD_CLOEXEC
do {
err=fcntl(fd, F_SETFD, FD_CLOEXEC);
@ -216,7 +225,7 @@ static int setup_fd(int fd, int nonblock, char *msg) {
return fd;
}
void set_nonblock(int fd, unsigned long nonblock) {
void set_nonblock(SOCKET fd, unsigned long nonblock) {
#if defined F_GETFL && defined F_SETFL && defined O_NONBLOCK && !defined __INNOTEK_LIBC__
int err, flags;
@ -237,7 +246,7 @@ void set_nonblock(int fd, unsigned long nonblock) {
if(err<0)
sockerror("fcntl SETFL"); /* non-critical */
#else /* WIN32 or similar */
if(ioctlsocket(fd, FIONBIO, &nonblock)<0)
if(ioctlsocket(fd, (long)FIONBIO, &nonblock)<0)
sockerror("ioctlsocket"); /* non-critical */
#if 0
else

139
src/file.c
View File

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@ -40,20 +40,37 @@
#ifdef USE_WIN32
DISK_FILE *file_open(char *name, int wr) {
DISK_FILE *file_open(char *name, FILE_MODE mode) {
DISK_FILE *df;
LPTSTR tstr;
LPTSTR tname;
HANDLE fh;
DWORD desired_access, creation_disposition;
/* open file */
tstr=str2tstr(name);
fh=CreateFile(tstr, wr ? GENERIC_WRITE : GENERIC_READ,
FILE_SHARE_READ, NULL, wr ? OPEN_ALWAYS : OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL, (HANDLE)NULL);
str_free(tstr); /* str_free() overwrites GetLastError() value */
switch(mode) {
case FILE_MODE_READ:
desired_access=GENERIC_READ;
creation_disposition=OPEN_EXISTING;
break;
case FILE_MODE_APPEND:
/* reportedly more compatible than FILE_APPEND_DATA */
desired_access=GENERIC_WRITE;
creation_disposition=OPEN_ALWAYS; /* keep the data */
break;
case FILE_MODE_OVERWRITE:
desired_access=GENERIC_WRITE;
creation_disposition=CREATE_ALWAYS; /* remove the data */
break;
default: /* invalid mode */
return NULL;
}
tname=str2tstr(name);
fh=CreateFile(tname, desired_access, FILE_SHARE_READ, NULL,
creation_disposition, FILE_ATTRIBUTE_NORMAL, (HANDLE)NULL);
str_free(tname); /* str_free() overwrites GetLastError() value */
if(fh==INVALID_HANDLE_VALUE)
return NULL;
if(wr) /* append */
if(mode==FILE_MODE_APPEND) /* workaround for FILE_APPEND_DATA */
SetFilePointer(fh, 0, NULL, FILE_END);
/* setup df structure */
@ -72,15 +89,24 @@ DISK_FILE *file_fdopen(int fd) {
return df;
}
DISK_FILE *file_open(char *name, int wr) {
DISK_FILE *file_open(char *name, FILE_MODE mode) {
DISK_FILE *df;
int fd, flags;
/* open file */
if(wr)
flags=O_CREAT|O_WRONLY|O_APPEND;
else
switch(mode) {
case FILE_MODE_READ:
flags=O_RDONLY;
break;
case FILE_MODE_APPEND:
flags=O_CREAT|O_WRONLY|O_APPEND;
break;
case FILE_MODE_OVERWRITE:
flags=O_CREAT|O_WRONLY|O_TRUNC;
break;
default: /* invalid mode */
return NULL;
}
#ifdef O_NONBLOCK
flags|=O_NONBLOCK;
#elif defined O_NDELAY
@ -90,7 +116,7 @@ DISK_FILE *file_open(char *name, int wr) {
flags|=O_CLOEXEC;
#endif /* O_CLOEXEC */
fd=open(name, flags, 0640);
if(fd<0)
if(fd==INVALID_SOCKET)
return NULL;
/* setup df structure */
@ -107,19 +133,20 @@ void file_close(DISK_FILE *df) {
#ifdef USE_WIN32
CloseHandle(df->fh);
#else /* USE_WIN32 */
close(df->fd);
if(df->fd>2) /* never close stdin/stdout/stder */
close(df->fd);
#endif /* USE_WIN32 */
str_free(df);
}
int file_getline(DISK_FILE *df, char *line, int len) {
ssize_t file_getline(DISK_FILE *df, char *line, int len) {
/* this version is really slow, but performance is not important here */
/* (no buffering is implemented) */
int i;
ssize_t i;
#ifdef USE_WIN32
DWORD num;
#else /* USE_WIN32 */
int num;
ssize_t num;
#endif /* USE_WIN32 */
if(!df) /* not opened */
@ -146,13 +173,13 @@ int file_getline(DISK_FILE *df, char *line, int len) {
return i;
}
int file_putline(DISK_FILE *df, char *line) {
int len;
ssize_t file_putline(DISK_FILE *df, char *line) {
char *buff;
size_t len;
#ifdef USE_WIN32
DWORD num;
#else /* USE_WIN32 */
int num;
ssize_t num;
#endif /* USE_WIN32 */
len=strlen(line);
@ -163,53 +190,73 @@ int file_putline(DISK_FILE *df, char *line) {
#endif /* USE_WIN32 */
buff[len++]='\n'; /* LF */
#ifdef USE_WIN32
WriteFile(df->fh, buff, len, &num, NULL);
WriteFile(df->fh, buff, (DWORD)len, &num, NULL);
#else /* USE_WIN32 */
/* no file -> write to stderr */
num=write(df ? df->fd : 2, buff, len);
#endif /* USE_WIN32 */
str_free(buff);
return num;
return (ssize_t)num;
}
int file_permissions(const char *file_name) {
#if !defined(USE_WIN32) && !defined(USE_OS2)
struct stat sb; /* buffer for stat */
/* check permissions of the private key file */
if(stat(file_name, &sb)) {
ioerror(file_name);
return 1; /* FAILED */
}
if(sb.st_mode & 7)
s_log(LOG_WARNING,
"Insecure file permissions on %s", file_name);
#else
(void)file_name; /* squash the unused parameter warning */
#endif
return 0;
}
#ifdef USE_WIN32
LPTSTR str2tstr(const LPSTR in) {
LPTSTR str2tstr(LPCSTR in) {
LPTSTR out;
#ifdef UNICODE
int len;
#ifdef UNICODE
len=MultiByteToWideChar(CP_ACP, 0, in, -1, NULL, 0);
len=MultiByteToWideChar(CP_UTF8, 0, in, -1, NULL, 0);
if(!len)
return NULL;
out=str_alloc((len+1)*sizeof(WCHAR));
len=MultiByteToWideChar(CP_ACP, 0, in, -1, out, len);
if(!len)
return NULL;
return str_tprintf(TEXT("MultiByteToWideChar() failed"));
out=str_alloc(((size_t)len+1)*sizeof(WCHAR));
len=MultiByteToWideChar(CP_UTF8, 0, in, -1, out, len);
if(!len) {
str_free(out);
return str_tprintf(TEXT("MultiByteToWideChar() failed"));
}
#else
len=strlen(in);
out=str_alloc(len+1);
strcpy(out, in);
/* FIXME: convert UTF-8 to native codepage */
out=str_dup(in);
#endif
return out;
}
LPSTR tstr2str(const LPTSTR in) {
LPSTR tstr2str(LPCTSTR in) {
LPSTR out;
#ifdef UNICODE
int len;
#ifdef UNICODE
len=WideCharToMultiByte(CP_ACP, 0, in, -1, NULL, 0, NULL, NULL);
len=WideCharToMultiByte(CP_UTF8, 0, in, -1, NULL, 0, NULL, NULL);
if(!len)
return NULL;
out=str_alloc(len+1);
len=WideCharToMultiByte(CP_ACP, 0, in, -1, out, len, NULL, NULL);
if(!len)
return NULL;
return str_printf("WideCharToMultiByte() failed");
out=str_alloc((size_t)len+1);
len=WideCharToMultiByte(CP_UTF8, 0, in, -1, out, len, NULL, NULL);
if(!len) {
str_free(out);
return str_printf("WideCharToMultiByte() failed");
}
#else
len=strlen(in);
out=str_alloc(len+1);
strcpy(out, in);
/* FIXME: convert native codepage to UTF-8 */
out=str_dup(in);
#endif
return out;
}

BIN
src/idle.ico Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.1 KiB

73
src/libwrap.c
View File

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@ -42,23 +42,33 @@
#include <tcpd.h>
static int check(char *, int);
#if defined(USE_PTHREAD) && !defined(__CYGWIN__)
/* http://wiki.osdev.org/Cygwin_Issues#Passing_file_descriptors */
#define USE_LIBWRAP_POOL
#endif /* USE_PTHREAD && !__CYGWIN__ */
NOEXPORT int check(char *, int);
int allow_severity=LOG_NOTICE, deny_severity=LOG_WARNING;
#ifdef USE_PTHREAD
#ifdef USE_LIBWRAP_POOL
#define SERVNAME_LEN 256
static ssize_t read_fd(int, void *, size_t, int *);
static ssize_t write_fd(int, void *, size_t, int);
NOEXPORT ssize_t read_fd(int, void *, size_t, int *);
NOEXPORT ssize_t write_fd(int, void *, size_t, int);
int num_processes=0;
unsigned num_processes=0;
static int *ipc_socket, *busy;
#endif /* USE_PTHREAD */
#endif /* USE_LIBWRAP_POOL */
#ifdef __GNUC__
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wunused-result"
#endif /* __GNUC__ */
int libwrap_init() {
#ifdef USE_PTHREAD
int i, j, rfd, result;
#ifdef USE_LIBWRAP_POOL
unsigned i, j;
int rfd, result;
char servname[SERVNAME_LEN];
static int initialized=0;
SERVICE_OPTIONS *opt;
@ -82,10 +92,11 @@ int libwrap_init() {
ioerror("fork");
return 1;
case 0: /* child */
tls_alloc(NULL, ui_tls, "libwrap");
drop_privileges(0); /* libwrap processes are not chrooted */
close(0); /* stdin */
close(1); /* stdout */
if(!global_options.option.foreground) /* for logging in read_fd */
if(!global_options.option.log_stderr) /* for logging in read_fd */
close(2); /* stderr */
for(j=0; j<=i; ++j) /* close parent-side sockets created so far */
close(ipc_socket[2*j]);
@ -93,7 +104,7 @@ int libwrap_init() {
if(read_fd(ipc_socket[2*i+1], servname, SERVNAME_LEN, &rfd)<=0)
_exit(0);
result=check(servname, rfd);
write(ipc_socket[2*i+1], (u8 *)&result, sizeof result);
write(ipc_socket[2*i+1], (uint8_t *)&result, sizeof result);
if(rfd>=0)
close(rfd);
}
@ -102,18 +113,22 @@ int libwrap_init() {
}
}
initialized=1;
#endif /* USE_PTHREAD */
#endif /* USE_LIBWRAP_POOL */
return 0;
}
#ifdef __GNUC__
#pragma GCC diagnostic pop
#endif /* __GNUC__ */
void libwrap_auth(CLI *c, char *accepted_address) {
int result=0; /* deny by default */
#ifdef USE_PTHREAD
static volatile int num_busy=0, roundrobin=0;
int retval, my_process;
#ifdef USE_LIBWRAP_POOL
static volatile unsigned num_busy=0, roundrobin=0;
unsigned my_process;
int retval;
static pthread_mutex_t mutex=PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t cond=PTHREAD_COND_INITIALIZER;
#endif /* USE_PTHREAD */
#endif /* USE_LIBWRAP_POOL */
if(!c->opt->option.libwrap) /* libwrap is disabled for this service */
return; /* allow connection */
@ -123,7 +138,7 @@ void libwrap_auth(CLI *c, char *accepted_address) {
return;
}
#endif
#ifdef USE_PTHREAD
#ifdef USE_LIBWRAP_POOL
if(num_processes) {
s_log(LOG_DEBUG, "Waiting for a libwrap process");
@ -156,8 +171,8 @@ void libwrap_auth(CLI *c, char *accepted_address) {
s_log(LOG_DEBUG, "Acquired libwrap process #%d", my_process);
write_fd(ipc_socket[2*my_process], c->opt->servname,
strlen(c->opt->servname)+1, c->local_rfd.fd);
read_blocking(c, ipc_socket[2*my_process],
(u8 *)&result, sizeof result);
s_read(c, ipc_socket[2*my_process],
(uint8_t *)&result, sizeof result);
s_log(LOG_DEBUG, "Releasing libwrap process #%d", my_process);
retval=pthread_mutex_lock(&mutex);
@ -183,11 +198,11 @@ void libwrap_auth(CLI *c, char *accepted_address) {
s_log(LOG_DEBUG, "Released libwrap process #%d", my_process);
} else
#endif /* USE_PTHREAD */
#endif /* USE_LIBWRAP_POOL */
{ /* use original, synchronous libwrap calls */
enter_critical_section(CRIT_LIBWRAP);
stunnel_write_lock(&stunnel_locks[LOCK_LIBWRAP]);
result=check(c->opt->servname, c->local_rfd.fd);
leave_critical_section(CRIT_LIBWRAP);
stunnel_write_unlock(&stunnel_locks[LOCK_LIBWRAP]);
}
if(!result) {
s_log(LOG_WARNING, "Service [%s] REFUSED by libwrap from %s",
@ -199,7 +214,7 @@ void libwrap_auth(CLI *c, char *accepted_address) {
c->opt->servname, accepted_address);
}
static int check(char *name, int fd) {
NOEXPORT int check(char *name, int fd) {
struct request_info request;
request_init(&request, RQ_DAEMON, name, RQ_FILE, fd, 0);
@ -207,9 +222,9 @@ static int check(char *name, int fd) {
return hosts_access(&request);
}
#ifdef USE_PTHREAD
#ifdef USE_LIBWRAP_POOL
static ssize_t read_fd(int fd, void *ptr, size_t nbytes, int *recvfd) {
NOEXPORT ssize_t read_fd(SOCKET fd, void *ptr, size_t nbytes, SOCKET *recvfd) {
struct msghdr msg;
struct iovec iov[1];
ssize_t n;
@ -238,7 +253,7 @@ static ssize_t read_fd(int fd, void *ptr, size_t nbytes, int *recvfd) {
msg.msg_iov=iov;
msg.msg_iovlen=1;
*recvfd=-1; /* descriptor was not passed */
*recvfd=INVALID_SOCKET; /* descriptor was not passed */
n=recvmsg(fd, &msg, 0);
if(n<=0)
return n;
@ -264,7 +279,7 @@ static ssize_t read_fd(int fd, void *ptr, size_t nbytes, int *recvfd) {
return n;
}
static ssize_t write_fd(int fd, void *ptr, size_t nbytes, int sendfd) {
NOEXPORT ssize_t write_fd(int fd, void *ptr, size_t nbytes, int sendfd) {
struct msghdr msg;
struct iovec iov[1];
@ -299,7 +314,7 @@ static ssize_t write_fd(int fd, void *ptr, size_t nbytes, int sendfd) {
return sendmsg(fd, &msg, 0);
}
#endif /* USE_PTHREAD */
#endif /* USE_LIBWRAP_POOL */
#endif /* USE_LIBWRAP */

235
src/log.c
View File

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@ -38,15 +38,18 @@
#include "common.h"
#include "prototypes.h"
static void log_raw(const int, const char *, const char *, const char *);
NOEXPORT void log_raw(const SERVICE_OPTIONS *, const int,
const char *, const char *, const char *);
NOEXPORT void safestring(char *);
static DISK_FILE *outfile=NULL;
static struct LIST { /* single-linked list of log lines */
struct LIST *next;
SERVICE_OPTIONS *opt;
int level;
char *stamp, *id, *text;
} *head=NULL, *tail=NULL;
static LOG_MODE mode=LOG_MODE_NONE;
static LOG_MODE log_mode=LOG_MODE_BUFFER;
#if !defined(USE_WIN32) && !defined(__vms)
@ -54,18 +57,19 @@ static int syslog_opened=0;
void syslog_open(void) {
syslog_close();
if(global_options.option.syslog)
if(global_options.option.log_syslog)
#ifdef __ultrix__
openlog("stunnel", 0);
openlog(service_options.servname, 0);
#else
openlog("stunnel", LOG_CONS|LOG_NDELAY, global_options.facility);
openlog(service_options.servname,
LOG_CONS|LOG_NDELAY, global_options.log_facility);
#endif /* __ultrix__ */
syslog_opened=1;
}
void syslog_close(void) {
if(syslog_opened) {
if(global_options.option.syslog)
if(global_options.option.log_syslog)
closelog();
syslog_opened=0;
}
@ -75,11 +79,25 @@ void syslog_close(void) {
int log_open(void) {
if(global_options.output_file) { /* 'output' option specified */
outfile=file_open(global_options.output_file, 1);
outfile=file_open(global_options.output_file,
global_options.log_file_mode);
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
if(!outfile) {
char appdata[MAX_PATH], *path;
if(SHGetFolderPathA(NULL, CSIDL_LOCAL_APPDATA|CSIDL_FLAG_CREATE,
NULL, 0, appdata)==S_OK) {
path=str_printf("%s\\%s", appdata, global_options.output_file);
outfile=file_open(path, global_options.log_file_mode);
if(outfile)
s_log(LOG_NOTICE, "Logging to %s", path);
str_free(path);
}
}
#endif
if(!outfile) {
s_log(LOG_ERR, "Cannot open log file: %s",
global_options.output_file);
return 1;
return 1;
}
}
log_flush(LOG_MODE_CONFIGURED);
@ -87,24 +105,28 @@ int log_open(void) {
}
void log_close(void) {
mode=LOG_MODE_NONE;
/* prevent changing the mode while logging */
stunnel_write_lock(&stunnel_locks[LOCK_LOG_MODE]);
log_mode=LOG_MODE_BUFFER;
if(outfile) {
file_close(outfile);
outfile=NULL;
}
stunnel_write_unlock(&stunnel_locks[LOCK_LOG_MODE]);
}
void log_flush(LOG_MODE new_mode) {
struct LIST *tmp;
stunnel_write_lock(&stunnel_locks[LOCK_LOG_MODE]);
/* prevent changing LOG_MODE_CONFIGURED to LOG_MODE_ERROR
* once stderr file descriptor is closed */
if(mode!=LOG_MODE_CONFIGURED)
mode=new_mode;
enter_critical_section(CRIT_LOG);
if(log_mode!=LOG_MODE_CONFIGURED)
log_mode=new_mode;
/* log_raw() will use the new value of log_mode */
stunnel_write_lock(&stunnel_locks[LOCK_LOG_BUFFER]);
while(head) {
log_raw(head->level, head->stamp, head->id, head->text);
log_raw(head->opt, head->level, head->stamp, head->id, head->text);
str_free(head->stamp);
str_free(head->id);
str_free(head->text);
@ -112,28 +134,43 @@ void log_flush(LOG_MODE new_mode) {
head=head->next;
str_free(tmp);
}
leave_critical_section(CRIT_LOG);
head=tail=NULL;
stunnel_write_unlock(&stunnel_locks[LOCK_LOG_BUFFER]);
stunnel_write_unlock(&stunnel_locks[LOCK_LOG_MODE]);
}
void s_log(int level, const char *format, ...) {
va_list ap;
char *text, *stamp, *id;
struct LIST *tmp;
int libc_error, socket_error;
#ifdef USE_WIN32
DWORD libc_error;
#else
int libc_error;
#endif
int socket_error;
time_t gmt;
struct tm *timeptr;
#if defined(HAVE_LOCALTIME_R) && defined(_REENTRANT)
struct tm timestruct;
#endif
TLS_DATA *tls_data;
tls_data=tls_get();
if(!tls_data) {
tls_data=tls_alloc(NULL, NULL, "log");
s_log(LOG_ERR, "INTERNAL ERROR: Uninitialized TLS at %s, line %d",
__FILE__, __LINE__);
}
/* performance optimization: skip the trivial case early */
if(mode==LOG_MODE_CONFIGURED && level>global_options.debug_level)
if(log_mode==LOG_MODE_CONFIGURED && level>tls_data->opt->log_level)
return;
libc_error=get_last_error();
socket_error=get_last_socket_error();
/* format the id to be logged */
time(&gmt);
#if defined(HAVE_LOCALTIME_R) && defined(_REENTRANT)
timeptr=localtime_r(&gmt, &timestruct);
@ -143,17 +180,20 @@ void s_log(int level, const char *format, ...) {
stamp=str_printf("%04d.%02d.%02d %02d:%02d:%02d",
timeptr->tm_year+1900, timeptr->tm_mon+1, timeptr->tm_mday,
timeptr->tm_hour, timeptr->tm_min, timeptr->tm_sec);
id=str_printf("LOG%d[%lu:%lu]",
level, stunnel_process_id(), stunnel_thread_id());
id=str_printf("LOG%d[%s]", level, tls_data->id);
/* format the text to be logged */
va_start(ap, format);
text=str_vprintf(format, ap);
va_end(ap);
safestring(text);
if(mode==LOG_MODE_NONE) { /* save the text to log it later */
enter_critical_section(CRIT_LOG);
tmp=str_alloc(sizeof(struct LIST));
str_detach(tmp);
stunnel_read_lock(&stunnel_locks[LOCK_LOG_MODE]);
if(log_mode==LOG_MODE_BUFFER) { /* save the text to log it later */
stunnel_write_lock(&stunnel_locks[LOCK_LOG_BUFFER]);
tmp=str_alloc_detached(sizeof(struct LIST));
tmp->next=NULL;
tmp->opt=tls_data->opt;
tmp->level=level;
tmp->stamp=stamp;
str_detach(tmp->stamp);
@ -166,94 +206,164 @@ void s_log(int level, const char *format, ...) {
else
head=tmp;
tail=tmp;
leave_critical_section(CRIT_LOG);
stunnel_write_unlock(&stunnel_locks[LOCK_LOG_BUFFER]);
} else { /* ready log the text directly */
log_raw(level, stamp, id, text);
log_raw(tls_data->opt, level, stamp, id, text);
str_free(stamp);
str_free(id);
str_free(text);
}
stunnel_read_unlock(&stunnel_locks[LOCK_LOG_MODE]);
set_last_error(libc_error);
set_last_socket_error(socket_error);
}
static void log_raw(const int level, const char *stamp,
NOEXPORT void log_raw(const SERVICE_OPTIONS *opt,
const int level, const char *stamp,
const char *id, const char *text) {
char *line;
/* build the line and log it to syslog/file */
if(mode==LOG_MODE_CONFIGURED) { /* configured */
if(log_mode==LOG_MODE_CONFIGURED) { /* configured */
line=str_printf("%s %s: %s", stamp, id, text);
if(level<=global_options.debug_level) {
if(level<=opt->log_level) {
#if !defined(USE_WIN32) && !defined(__vms)
if(global_options.option.syslog)
if(global_options.option.log_syslog)
syslog(level, "%s: %s", id, text);
#endif /* USE_WIN32, __vms */
if(outfile)
file_putline(outfile, line); /* send log to file */
}
} else /* LOG_MODE_ERROR or LOG_MODE_INFO */
} else if(log_mode==LOG_MODE_ERROR) {
if(level>=0 && level<=7) /* just in case */
line=str_printf("[%c] %s", "***!:. "[level], text);
else
line=str_printf("[?] %s", text);
} else /* LOG_MODE_INFO */
line=str_dup(text); /* don't log the time stamp in error mode */
/* log the line to GUI/stderr */
#ifdef USE_WIN32
if(mode==LOG_MODE_ERROR || /* always log to the GUI window */
(mode==LOG_MODE_INFO && level<LOG_DEBUG) ||
level<=global_options.debug_level)
win_new_log(line);
#else /* Unix */
if(mode==LOG_MODE_ERROR || /* always log LOG_MODE_ERROR to stderr */
(mode==LOG_MODE_INFO && level<LOG_DEBUG) ||
(level<=global_options.debug_level &&
global_options.option.foreground))
fprintf(stderr, "%s\n", line); /* send log to stderr */
/* log the line to the UI (GUI, stderr, etc.) */
if(log_mode==LOG_MODE_ERROR ||
(log_mode==LOG_MODE_INFO && level<LOG_DEBUG) ||
#if defined(USE_WIN32) || defined(USE_JNI)
level<=opt->log_level
#else
(level<=opt->log_level &&
global_options.option.log_stderr)
#endif
)
ui_new_log(line);
str_free(line);
}
/* critical problem - str.c functions are not safe to use */
void fatal_debug(char *error, char *file, int line) {
char text[80];
#ifdef __GNUC__
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat"
#pragma GCC diagnostic ignored "-Wformat-extra-args"
#endif /* __GNUC__ */
char *log_id(CLI *c) {
const char table[62]=
"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
unsigned char rnd[22];
char *uniq;
size_t i;
unsigned long tid;
switch(c->opt->log_id) {
case LOG_ID_SEQUENTIAL:
return str_printf("%llu", c->seq);
case LOG_ID_UNIQUE:
if(RAND_bytes(rnd, sizeof rnd)<=0) /* log2(62^22)=130.99 */
return str_dup("error");
for(i=0; i<sizeof rnd; ++i) {
rnd[i]&=63;
while(rnd[i]>=62) {
if(RAND_bytes(rnd+i, 1)<=0)
return str_dup("error");
rnd[i]&=63;
}
}
uniq=str_alloc(sizeof rnd+1);
for(i=0; i<sizeof rnd; ++i)
uniq[i]=table[rnd[i]];
uniq[sizeof rnd]='\0';
return uniq;
case LOG_ID_THREAD:
tid=stunnel_thread_id();
if(!tid) /* currently USE_FORK */
tid=stunnel_process_id();
return str_printf("%lu", tid);
case LOG_ID_PROCESS:
return str_printf("%lu", stunnel_process_id());
}
return str_dup("error");
}
#ifdef __GNUC__
#pragma GCC diagnostic pop
#endif /* __GNUC__ */
/* critical problem handling */
/* str.c functions are not safe to use here */
#ifdef __GNUC__
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wunused-result"
#endif /* __GNUC__ */
void fatal_debug(char *txt, const char *file, int line) {
char msg[80];
#ifdef USE_WIN32
DWORD num;
#ifdef UNICODE
TCHAR tmsg[80];
#endif
#endif /* USE_WIN32 */
snprintf(text, sizeof text, /* with newline */
"INTERNAL ERROR: %s at %s, line %d\n", error, file, line);
snprintf(msg, sizeof msg, /* with newline */
"INTERNAL ERROR: %s at %s, line %d\n", txt, file, line);
if(outfile) {
#ifdef USE_WIN32
WriteFile(outfile->fh, text, strlen(text), &num, NULL);
WriteFile(outfile->fh, msg, (DWORD)strlen(msg), &num, NULL);
#else /* USE_WIN32 */
/* no file -> write to stderr */
write(outfile ? outfile->fd : 2, text, strlen(text));
/* no meaningful way here to handle the result */
write(outfile ? outfile->fd : 2, msg, strlen(msg));
#endif /* USE_WIN32 */
}
#ifndef USE_WIN32
if(mode!=LOG_MODE_CONFIGURED || global_options.option.foreground)
fputs(text, stderr);
if(log_mode!=LOG_MODE_CONFIGURED || global_options.option.log_stderr) {
fputs(msg, stderr);
fflush(stderr);
}
#endif /* !USE_WIN32 */
snprintf(text, sizeof text, /* without newline */
"INTERNAL ERROR: %s at %s, line %d", error, file, line);
snprintf(msg, sizeof msg, /* without newline */
"INTERNAL ERROR: %s at %s, line %d", txt, file, line);
#if !defined(USE_WIN32) && !defined(__vms)
if(global_options.option.syslog)
syslog(LOG_CRIT, "%s", text);
if(global_options.option.log_syslog)
syslog(LOG_CRIT, "%s", msg);
#endif /* USE_WIN32, __vms */
#ifdef USE_WIN32
message_box(text, MB_ICONERROR);
#ifdef UNICODE
if(MultiByteToWideChar(CP_UTF8, 0, msg, -1, tmsg, 80))
message_box(tmsg, MB_ICONERROR);
#else
message_box(msg, MB_ICONERROR);
#endif
#endif /* USE_WIN32 */
abort();
}
#ifdef __GNUC__
#pragma GCC diagnostic pop
#endif /* __GNUC__ */
void ioerror(const char *txt) { /* input/output error */
log_error(LOG_ERR, get_last_error(), txt);
log_error(LOG_ERR, (int)get_last_error(), txt);
}
void sockerror(const char *txt) { /* socket error */
@ -377,4 +487,11 @@ char *s_strerror(int errnum) {
}
}
/* replace non-UTF-8 and non-printable control characters with '.' */
NOEXPORT void safestring(char *c) {
for(; *c; ++c)
if(!(*c&0x80 || isprint((int)*c)))
*c='.';
}
/* end of log.c */

4
src/make.bat
View File

@ -1,8 +1,8 @@
@echo off
:: pdelaage commented : make.exe -f mingw.mak %1 %2 %3 %4 %5 %6 %7 %8 %9
:: on Windows, make is Borland make, but mingw.mak is NOW only compatible
:: with gnu make (due to various improvments I made, for compatibility between
:: linux and Windows host environments.
:: with gnu make (due to various improvements I made, for compatibility between
:: linux and Windows host environments).
:: and echo OFF is the sign we are HERE on Windows, isn't it?...
mingw32-make.exe -f mingw.mak %1 %2 %3 %4 %5 %6 %7 %8 %9

36
src/makew32.bat
View File

@ -1,18 +1,30 @@
@echo off
TITLE W32 STUNNEL
::pdelaage 20101026: for use with MS VCexpress 2008 (v9)
::some trick to avoid re-pollution of env vars as much as possible
:: In multitarget compilation environment, it is better to open a new cmd.exe window
:: to avoid pollution of PATH from, eg, some previous WCE compilation attempts.
:: In a multi-target compilation environment, it is better to open
:: a new cmd.exe window in order to avoid PATH pollution
:: (for example with some previous WCE compilation attempts)
set NEWTGTCPU=W32
rem Adjust MS VC env vars
rem Adjust the MS VC environment variables
rem ---------------------
rem Check MSenv vars against our ref values
rem Detect the latest Visual Studio
rem Visual Studio 2008
if DEFINED VS90COMNTOOLS if exist "%VS90COMNTOOLS%..\..\vc\vcvarsall.bat" set vsTools=%VS90COMNTOOLS%
rem Visual Studio 2010
if DEFINED VS100COMNTOOLS if exist "%VS100COMNTOOLS%..\..\vc\vcvarsall.bat" set vsTools=%VS100COMNTOOLS%
rem Visual Studio 2012
if DEFINED VS110COMNTOOLS if exist "%VS110COMNTOOLS%..\..\vc\vcvarsall.bat" set vsTools=%VS110COMNTOOLS%
rem Visual Studio 2013
if DEFINED VS120COMNTOOLS if exist "%VS120COMNTOOLS%..\..\vc\vcvarsall.bat" set vsTools=%VS120COMNTOOLS%
rem Visual Studio 2015
if DEFINED VS140COMNTOOLS if exist "%VS140COMNTOOLS%..\..\vc\vcvarsall.bat" set vsTools=%VS140COMNTOOLS%
::rem Initialize the Visual Studio tools
::call "%vsTools%..\..\vc\vcvarsall.bat"
rem Check the MSenv variables against our reference values
set isenvok=0
if NOT DEFINED TARGETCPU set TARGETCPU=XXXXX
if "%NEWTGTCPU%"=="%TARGETCPU%" set /A "isenvok+=1"
@ -20,26 +32,26 @@ if "%NEWTGTCPU%"=="%TARGETCPU%" set /A "isenvok+=1"
if %isenvok%==1 echo W32 ENVIRONMENT OK
if %isenvok%==1 goto envisok
:: useless since separated tgt folders
:: Useless with separated target folders
::echo W32 TARGET CPU changed, destroying every obj files
::del .\*.obj
:: if env is NOT ok, adjust MS VC env vars to be used by MS VC
:: if env is NOT ok, adjust the MS VC environment variables
:: (this is to avoid repetitive pollution of PATH)
echo W32 ENVIRONMENT ADJUSTED
:: reset of INCLUDE needed because of accumulation of includes in vcvars32
:: Reset of INCLUDE is needed because of accumulation of includes in vcvars32
set INCLUDE=
call "C:\Program Files\Microsoft Visual Studio 9.0\VC\bin\vcvars32.bat"
call "%vsTools%..\..\vc\bin\vcvars32.bat"
set TARGETCPU=%NEWTGTCPU%
:envisok
rem make everything
rem Make everything
rem ---------------
nmake.exe -f vc.mak %1 %2 %3 %4 %5 %6 %7 %8 %9

59
src/mingw.mak
View File

@ -1,4 +1,4 @@
# Simple Makefile.w32 for stunnel.exe by Michal Trojnara 1998-2007
# Simple Makefile.w32 for stunnel.exe by Michal Trojnara 1998-2017
#
# Modified by Brian Hatch (bri@stunnel.org)
# 20101030 pdelaage:
@ -22,8 +22,21 @@
# Modify this to point to your actual openssl compile directory
# (You did already compile openssl, didn't you???)
SSLDIR=../openssl-1.0.0f
#SSLDIR=C:/Users/standard/Documents/Dvts/Contrib/openssl/v1.0.0c/patched3
#SSLDIR=../../openssl-0.9.8zh
#SSLDIR=../../openssl-1.0.0t
SSLDIR=../../openssl-1.0.1q
# For 0.9.8 mingw compiled openssl
#SSLINC=$(SSLDIR)/outinc
#SSLLIBS=-L$(SSLDIR)/out -leay32 -lssl32
# for 1.0.0/1.0.1 mingw (msys2) compiled
SSLINC=$(SSLDIR)/include
SSLLIBS=-L$(SSLDIR) -lcrypto.dll -lssl.dll
# For MSVC compiled openssl
#SSLINC=$(SSLDIR)/inc32
#SSLLIBS=-L$(SSLDIR)/out32dll -lssleay32 -llibeay32
# c:\, backslash is not correctly recognized by mingw32-make, produces some
# "missing separator" issue.
@ -34,17 +47,19 @@ SSLDIR=../openssl-1.0.0f
# $(info is !MESSAGE in MS nmake or Borland make.
ifdef windir
$(info host machine is a Windows machine )
$(info host machine is a Windows machine )
NULLDEV=NUL
MKDIR="C:\Program Files\GnuWin32\bin\mkdir.exe"
DELFILES="C:\Program Files\GnuWin32\bin\rm.exe" -f
DELDIR="C:\Program Files\GnuWin32\bin\rm.exe" -rf
COPYFILES="C:\Program Files\GnuWin32\bin\cp.exe" -f
else
$(info host machine is a linux machine )
$(info host machine is a linux machine )
NULLDEV=/dev/null
MKDIR=mkdir
DELFILES=rm -f
DELDIR=rm -rf
COPYFILES=cp -f
endif
TARGETCPU=MGW32
@ -57,7 +72,14 @@ BIN=$(BINROOT)/$(TARGETCPU)
OBJS=$(OBJ)/stunnel.o $(OBJ)/ssl.o $(OBJ)/ctx.o $(OBJ)/verify.o \
$(OBJ)/file.o $(OBJ)/client.o $(OBJ)/protocol.o $(OBJ)/sthreads.o \
$(OBJ)/log.o $(OBJ)/options.o $(OBJ)/network.o $(OBJ)/resolver.o \
$(OBJ)/gui.o $(OBJ)/resources.o $(OBJ)/str.o $(OBJ)/fd.o
$(OBJ)/ui_win_gui.o $(OBJ)/resources.o $(OBJ)/str.o $(OBJ)/tls.o \
$(OBJ)/fd.o $(OBJ)/dhparam.o $(OBJ)/cron.o
TOBJS=$(OBJ)/stunnel.o $(OBJ)/ssl.o $(OBJ)/ctx.o $(OBJ)/verify.o \
$(OBJ)/file.o $(OBJ)/client.o $(OBJ)/protocol.o $(OBJ)/sthreads.o \
$(OBJ)/log.o $(OBJ)/options.o $(OBJ)/network.o $(OBJ)/resolver.o \
$(OBJ)/ui_win_cli.o $(OBJ)/str.o $(OBJ)/tls.o \
$(OBJ)/fd.o $(OBJ)/dhparam.o $(OBJ)/cron.o
CC=gcc
RC=windres
@ -70,9 +92,7 @@ DEFINES=-D_WIN32_WINNT=0x0501
# some preprocessing debug : $(info DEFINES is $(DEFINES) )
#CFLAGS=-g -O2 -Wall $(DEFINES) -I$(SSLDIR)/outinc
#pdelaage : outinc not correct, it is inc32!
CFLAGS=-g -O2 -Wall $(DEFINES) -I$(SSLDIR)/inc32
CFLAGS=-g -O2 -Wall $(DEFINES) -I$(SSLINC)
# RFLAGS, note of pdelaage: windres accepts -fo for compatibility with ms tools
# default options : -J rc -O coff, input rc file, output coff file.
@ -82,10 +102,8 @@ RFLAGS=-v --use-temp-file $(DEFINES)
RFLAGS2=-v $(DEFINES)
LDFLAGS=-s
# LIBS=-L$(SSLDIR)/out -lssl -lcrypto -lwsock32 -lgdi32 -lcrypt32
#20101030 pdelaage fix winsock2 and BAD sslpath ! LIBS=-L$(SSLDIR)/out -lzdll -leay32 -lssl32 -lwsock32 -lgdi32 -lcrypt32
# added libeay instead of eay, ssleay instead of ssl32, suppressed zdll useless.
LIBS=-L$(SSLDIR)/out32dll -lssleay32 -llibeay32 -lws2_32 -lpsapi -lgdi32 -lcrypt32
LIBS=$(SSLLIBS) -lws2_32 -lpsapi -lgdi32 -lcrypt32 -lkernel32
TLIBS=$(SSLLIBS) -lws2_32 -lpsapi -lcrypt32 -lkernel32
# IMPORTANT pdelaage : restore this if you need (but I do not see why) -lzdll
$(OBJ)/%.o: $(SRC)/%.c
@ -113,12 +131,16 @@ $(OBJ)/%.o: $(OBJ)/%.rcp
# in the system...
# for debug of the preprocessed rcp file, because it is automatically deleted by gnu-make: cp $< $<.2
all: testenv makedirs $(BIN)/stunnel.exe
all: testenv makedirs $(BIN)/stunnel.exe $(BIN)/tstunnel.exe
testopenssl:
@if not exist $(SSLDIR) echo You mush have a compiled OpenSSL tree
@if not exist $(SSLINC)/openssl/applink.c $(COPYFILES) $(SSLDIR)/ms/applink.c $(SSLINC)/openssl
#pdelaage : testenv purpose is to detect, on windows, whether Gnu-win32 has been properly installed...
# a first call to "true" is made to detect availability, a second is made to stop the make process.
ifdef windir
testenv:
testenv: testopenssl
-@ echo OFF
-@ true >$(NULLDEV) 2>&1 || echo You MUST install Gnu-Win32 coreutils \
from http://gnuwin32.sourceforge.net/downlinks/coreutils.php \
@ -133,8 +155,8 @@ endif
clean:
-@ $(DELFILES) $(OBJ)/*.o
-@ $(DELFILES) $(BIN)/stunnel.exe >$(NULLDEV) 2>&1
-@ $(DELDIR) $(OBJ) >$(NULLDEV) 2>&1
-@ $(DELDIR) $(BIN) >$(NULLDEV) 2>&1
-@ $(DELDIR) $(OBJ) >$(NULLDEV) 2>&1
-@ $(DELDIR) $(BIN) >$(NULLDEV) 2>&1
makedirs:
-@ $(MKDIR) $(OBJROOT) >$(NULLDEV) 2>&1
@ -152,6 +174,9 @@ $(OBJS): *.h mingw.mak
$(BIN)/stunnel.exe: $(OBJS)
$(CC) $(LDFLAGS) -o $(BIN)/stunnel.exe $(OBJS) $(LIBS) -mwindows
$(BIN)/tstunnel.exe: $(TOBJS)
$(CC) $(LDFLAGS) -o $(BIN)/tstunnel.exe $(TOBJS) $(TLIBS)
# "missing separator" issue with mingw32-make: tabs MUST BE TABS in your text
# editor, and not set of spaces even if your development host is windows.
# Some \ are badly tolerated by mingw32-make "!" directives, eg as !IF,

54
src/mingw.mk Normal file
View File

@ -0,0 +1,54 @@
## mingw/mingw64 Makefile
# by Michal Trojnara 2015-2017
# 32-bit Windows
#win32_targetcpu=i686
#win32_mingw=mingw
# 64-bit Windows
#win32_targetcpu=x86_64
#win32_mingw=mingw64
bindir = ../bin/$(win32_mingw)
objdir = ../obj/$(win32_mingw)
win32_ssl_dir = /opt/openssl-$(win32_mingw)
win32_cppflags = -I$(win32_ssl_dir)/include
win32_cflags = -mthreads -fstack-protector -O2
win32_cflags += -Wall -Wextra -Wpedantic -Wformat=2 -Wconversion -Wno-long-long
win32_cflags += -D_FORTIFY_SOURCE=2 -DUNICODE -D_UNICODE
win32_ldflags = -mthreads -fstack-protector -s
win32_common_libs = -lws2_32 -lkernel32
win32_ssl_libs = -L$(win32_ssl_dir)/lib -lcrypto -lssl
win32_gui_libs = $(win32_common_libs) -lgdi32 -lpsapi $(win32_ssl_libs)
win32_cli_libs = $(win32_common_libs) $(win32_ssl_libs)
win32_common = tls str file client log options protocol network resolver
win32_common += ssl ctx verify sthreads fd dhparam cron stunnel
win32_gui = ui_win_gui resources
win32_cli = ui_win_cli
win32_common_objs = $(addsuffix .o, $(addprefix $(objdir)/, $(win32_common)))
win32_gui_objs = $(addsuffix .o, $(addprefix $(objdir)/, $(win32_gui)))
win32_cli_objs = $(addsuffix .o, $(addprefix $(objdir)/, $(win32_cli)))
win32_prefix = $(win32_targetcpu)-w64-mingw32-
win32_cc = $(win32_prefix)gcc
win32_windres = $(win32_prefix)windres
all: mkdirs $(bindir)/stunnel.exe $(bindir)/tstunnel.exe
mkdirs:
mkdir -p $(bindir) $(objdir)
$(bindir)/stunnel.exe: $(win32_common_objs) $(win32_gui_objs)
$(win32_cc) -mwindows $(win32_ldflags) -o $(bindir)/stunnel.exe $(win32_common_objs) $(win32_gui_objs) $(win32_gui_libs)
$(bindir)/tstunnel.exe: $(win32_common_objs) $(win32_cli_objs)
$(win32_cc) $(win32_ldflags) -o $(bindir)/tstunnel.exe $(win32_common_objs) $(win32_cli_objs) $(win32_cli_libs)
$(objdir)/%.o: $(srcdir)/%.c $(common_headers)
$(win32_cc) -c $(win32_cppflags) $(win32_cflags) -o $@ $<
$(objdir)/resources.o: $(srcdir)/resources.rc $(srcdir)/resources.h $(srcdir)/version.h
$(win32_windres) --include-dir $(srcdir) $< $@

554
src/network.c
View File

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@ -35,12 +35,17 @@
* forward this exception.
*/
#if defined(_WIN32) || defined(_WIN32_WCE)
/* bypass automatic index bound checks in the FD_SET() macro */
#define FD_SETSIZE 1000000
#endif
#include "common.h"
#include "prototypes.h"
/* #define DEBUG_UCONTEXT */
static int get_socket_error(const int);
NOEXPORT void s_poll_realloc(s_poll_set *);
/**************************************** s_poll functions */
@ -53,96 +58,138 @@ s_poll_set *s_poll_alloc() {
void s_poll_free(s_poll_set *fds) {
if(fds) {
if(fds->ufds)
str_free(fds->ufds);
str_free(fds->ufds);
str_free(fds);
}
}
void s_poll_init(s_poll_set *fds) {
fds->nfds=0;
fds->allocated=4; /* prealloc 4 file desciptors */
fds->ufds=str_realloc(fds->ufds, fds->allocated*sizeof(struct pollfd));
fds->allocated=4; /* prealloc 4 file descriptors */
s_poll_realloc(fds);
}
void s_poll_add(s_poll_set *fds, int fd, int rd, int wr) {
unsigned int i;
void s_poll_add(s_poll_set *fds, SOCKET fd, int rd, int wr) {
unsigned i;
for(i=0; i<fds->nfds && fds->ufds[i].fd!=fd; i++)
;
if(i==fds->nfds) {
if(i==fds->nfds) { /* not found */
if(i==fds->allocated) {
fds->allocated=i+1;
fds->ufds=str_realloc(fds->ufds, fds->allocated*sizeof(struct pollfd));
s_poll_realloc(fds);
}
fds->ufds[i].fd=fd;
fds->ufds[i].events=0;
fds->nfds++;
}
if(rd)
if(rd) {
fds->ufds[i].events|=POLLIN;
#ifdef POLLRDHUP
fds->ufds[i].events|=POLLRDHUP;
#endif
}
if(wr)
fds->ufds[i].events|=POLLOUT;
}
int s_poll_canread(s_poll_set *fds, int fd) {
unsigned int i;
void s_poll_remove(s_poll_set *fds, SOCKET fd) {
unsigned i;
for(i=0; i<fds->nfds && fds->ufds[i].fd!=fd; i++)
;
if(i<fds->nfds) { /* found */
memmove(fds->ufds+i, fds->ufds+i+1,
(fds->nfds-i-1)*sizeof(struct pollfd));
fds->nfds--;
}
}
int s_poll_canread(s_poll_set *fds, SOCKET fd) {
unsigned i;
for(i=0; i<fds->nfds; i++)
if(fds->ufds[i].fd==fd)
return fds->ufds[i].revents&POLLIN;
return fds->ufds[i].revents&(POLLIN|POLLERR);
return 0; /* not listed in fds */
}
int s_poll_canwrite(s_poll_set *fds, int fd) {
unsigned int i;
int s_poll_canwrite(s_poll_set *fds, SOCKET fd) {
unsigned i;
for(i=0; i<fds->nfds; i++)
if(fds->ufds[i].fd==fd)
return fds->ufds[i].revents&POLLOUT;
return fds->ufds[i].revents&(POLLOUT|POLLERR);
return 0; /* not listed in fds */
}
int s_poll_hup(s_poll_set *fds, int fd) {
unsigned int i;
/* best doc: http://lxr.free-electrons.com/source/net/ipv4/tcp.c#L456 */
int s_poll_hup(s_poll_set *fds, SOCKET fd) {
unsigned i;
for(i=0; i<fds->nfds; i++)
if(fds->ufds[i].fd==fd)
return fds->ufds[i].revents&POLLHUP;
return fds->ufds[i].revents&POLLHUP; /* read and write closed */
return 0; /* not listed in fds */
}
int s_poll_error(s_poll_set *fds, int fd) {
unsigned int i;
int s_poll_rdhup(s_poll_set *fds, SOCKET fd) {
unsigned i;
for(i=0; i<fds->nfds; i++)
if(fds->ufds[i].fd==fd)
return fds->ufds[i].revents&(POLLERR|POLLNVAL) ?
get_socket_error(fd) : 0;
#ifdef POLLRDHUP
return fds->ufds[i].revents&POLLRDHUP; /* read closed */
#else
return fds->ufds[i].revents&POLLHUP; /* read and write closed */
#endif
return 0; /* not listed in fds */
}
int s_poll_err(s_poll_set *fds, SOCKET fd) {
unsigned i;
for(i=0; i<fds->nfds; i++)
if(fds->ufds[i].fd==fd)
return fds->ufds[i].revents&POLLERR;
return 0; /* not listed in fds */
}
NOEXPORT void s_poll_realloc(s_poll_set *fds) {
fds->ufds=str_realloc(fds->ufds, fds->allocated*sizeof(struct pollfd));
}
void s_poll_dump(s_poll_set *fds, int level) {
unsigned i;
for(i=0; i<fds->nfds; i++)
s_log(level, "FD=%ld events=0x%X revents=0x%X",
(long)fds->ufds[i].fd, fds->ufds[i].events, fds->ufds[i].revents);
}
#ifdef USE_UCONTEXT
/* move ready contexts from waiting queue to ready queue */
static void scan_waiting_queue(void) {
NOEXPORT void scan_waiting_queue(void) {
int retval;
CONTEXT *context, *prev;
int min_timeout;
unsigned int nfds, i;
unsigned nfds, i;
time_t now;
static unsigned int max_nfds=0;
static unsigned max_nfds=0;
static struct pollfd *ufds=NULL;
time(&now);
/* count file descriptors */
min_timeout=-1;
min_timeout=-1; /* infinity */
nfds=0;
for(context=waiting_head; context; context=context->next) {
nfds+=context->fds->nfds;
if(context->finish>=0) /* finite time */
if(min_timeout<0 || min_timeout>context->finish-now)
min_timeout=context->finish-now<0 ? 0 : context->finish-now;
min_timeout=
(int)(context->finish-now<0 ? 0 : context->finish-now);
}
/* setup ufds structure */
if(nfds>max_nfds) { /* need to allocate more memory */
@ -177,13 +224,13 @@ static void scan_waiting_queue(void) {
#ifdef DEBUG_UCONTEXT
s_log(LOG_DEBUG, "CONTEXT %ld, FD=%d,%s%s ->%s%s%s%s%s",
context->id, ufds[nfds].fd,
ufds[nfds].events & POLLIN ? " IN" : "",
ufds[nfds].events & POLLOUT ? " OUT" : "",
ufds[nfds].revents & POLLIN ? " IN" : "",
ufds[nfds].revents & POLLOUT ? " OUT" : "",
ufds[nfds].revents & POLLERR ? " ERR" : "",
ufds[nfds].revents & POLLHUP ? " HUP" : "",
ufds[nfds].revents & POLLNVAL ? " NVAL" : "");
(ufds[nfds].events & POLLIN) ? " IN" : "",
(ufds[nfds].events & POLLOUT) ? " OUT" : "",
(ufds[nfds].revents & POLLIN) ? " IN" : "",
(ufds[nfds].revents & POLLOUT) ? " OUT" : "",
(ufds[nfds].revents & POLLERR) ? " ERR" : "",
(ufds[nfds].revents & POLLHUP) ? " HUP" : "",
(ufds[nfds].revents & POLLNVAL) ? " NVAL" : "");
#endif
if(ufds[nfds].revents)
context->ready++;
@ -217,16 +264,16 @@ int s_poll_wait(s_poll_set *fds, int sec, int msec) {
static CONTEXT *to_free=NULL; /* delayed memory deallocation */
/* FIXME: msec parameter is currently ignored with UCONTEXT threads */
(void)msec; /* skip warning about unused parameter */
(void)msec; /* squash the unused parameter warning */
/* remove the current context from ready queue */
context=ready_head;
ready_head=ready_head->next;
if(!ready_head) /* the queue is empty */
ready_tail=NULL;
/* it it safe to s_log() after new ready_head is set */
/* it is safe to s_log() after new ready_head is set */
/* it's illegal to deallocate the stack of the current context */
/* it is illegal to deallocate the stack of the current context */
if(to_free) { /* a delayed deallocation is scheduled */
#ifdef DEBUG_UCONTEXT
s_log(LOG_DEBUG, "Releasing context %ld", to_free->id);
@ -300,58 +347,98 @@ s_poll_set *s_poll_alloc() {
}
void s_poll_free(s_poll_set *fds) {
if(fds)
if(fds) {
str_free(fds->irfds);
str_free(fds->iwfds);
str_free(fds->ixfds);
str_free(fds->orfds);
str_free(fds->owfds);
str_free(fds->oxfds);
str_free(fds);
}
}
void s_poll_init(s_poll_set *fds) {
FD_ZERO(&fds->irfds);
FD_ZERO(&fds->iwfds);
FD_ZERO(&fds->ixfds);
#ifdef USE_WIN32
fds->allocated=4; /* prealloc 4 file descriptors */
#endif
s_poll_realloc(fds);
FD_ZERO(fds->irfds);
FD_ZERO(fds->iwfds);
FD_ZERO(fds->ixfds);
fds->max=0; /* no file descriptors */
}
void s_poll_add(s_poll_set *fds, int fd, int rd, int wr) {
void s_poll_add(s_poll_set *fds, SOCKET fd, int rd, int wr) {
#ifdef USE_WIN32
/* fds->ixfds contains union of fds->irfds and fds->iwfds */
if(fds->ixfds->fd_count>=fds->allocated) {
fds->allocated=fds->ixfds->fd_count+1;
s_poll_realloc(fds);
}
#endif
if(rd)
FD_SET((unsigned int)fd, &fds->irfds);
FD_SET(fd, fds->irfds);
if(wr)
FD_SET((unsigned int)fd, &fds->iwfds);
FD_SET(fd, fds->iwfds);
/* always expect errors (and the Spanish Inquisition) */
FD_SET((unsigned int)fd, &fds->ixfds);
FD_SET(fd, fds->ixfds);
if(fd>fds->max)
fds->max=fd;
}
int s_poll_canread(s_poll_set *fds, int fd) {
return FD_ISSET(fd, &fds->orfds);
void s_poll_remove(s_poll_set *fds, SOCKET fd) {
FD_CLR(fd, fds->irfds);
FD_CLR(fd, fds->iwfds);
FD_CLR(fd, fds->ixfds);
}
int s_poll_canwrite(s_poll_set *fds, int fd) {
return FD_ISSET(fd, &fds->owfds);
int s_poll_canread(s_poll_set *fds, SOCKET fd) {
/* ignore exception if there is no error (WinCE 6.0 anomaly) */
return FD_ISSET(fd, fds->orfds) ||
(FD_ISSET(fd, fds->oxfds) && get_socket_error(fd));
}
int s_poll_hup(s_poll_set *fds, int fd) {
(void)fds; /* skip warning about unused parameter */
(void)fd; /* skip warning about unused parameter */
return 0; /* FIXME: how to detect HUP condition with select()? */
int s_poll_canwrite(s_poll_set *fds, SOCKET fd) {
/* ignore exception if there is no error (WinCE 6.0 anomaly) */
return FD_ISSET(fd, fds->owfds) ||
(FD_ISSET(fd, fds->oxfds) && get_socket_error(fd));
}
int s_poll_error(s_poll_set *fds, int fd) {
/* error conditions are signaled as read, but apparently *not* in Winsock:
* http://msdn.microsoft.com/en-us/library/windows/desktop/ms737625%28v=vs.85%29.aspx */
if(!FD_ISSET(fd, &fds->orfds) && !FD_ISSET(fd, &fds->oxfds))
return 0;
return get_socket_error(fd); /* check if it's really an error */
int s_poll_hup(s_poll_set *fds, SOCKET fd) {
(void)fds; /* squash the unused parameter warning */
(void)fd; /* squash the unused parameter warning */
return 0; /* FIXME: how to detect the HUP condition with select()? */
}
int s_poll_rdhup(s_poll_set *fds, SOCKET fd) {
(void)fds; /* squash the unused parameter warning */
(void)fd; /* squash the unused parameter warning */
return 0; /* FIXME: how to detect the RDHUP condition with select()? */
}
int s_poll_err(s_poll_set *fds, SOCKET fd) {
return FD_ISSET(fd, fds->oxfds);
}
#ifdef USE_WIN32
#define FD_SIZE(fds) (8+(fds)->allocated*sizeof(SOCKET))
#else
#define FD_SIZE(fds) (sizeof(fd_set))
#endif
int s_poll_wait(s_poll_set *fds, int sec, int msec) {
int retval;
struct timeval tv, *tv_ptr;
do { /* skip "Interrupted system call" errors */
memcpy(&fds->orfds, &fds->irfds, sizeof(fd_set));
memcpy(&fds->owfds, &fds->iwfds, sizeof(fd_set));
memcpy(&fds->oxfds, &fds->ixfds, sizeof(fd_set));
memcpy(fds->orfds, fds->irfds, FD_SIZE(fds));
memcpy(fds->owfds, fds->iwfds, FD_SIZE(fds));
#ifndef _WIN32_WCE
memcpy(fds->oxfds, fds->ixfds, FD_SIZE(fds));
#else /* WinCE reports unexpected permanent exceptions */
FD_ZERO(fds->oxfds);
#endif
if(sec<0) { /* infinite timeout */
tv_ptr=NULL;
} else {
@ -359,20 +446,48 @@ int s_poll_wait(s_poll_set *fds, int sec, int msec) {
tv.tv_usec=1000*msec;
tv_ptr=&tv;
}
retval=select(fds->max+1, &fds->orfds, &fds->owfds, &fds->oxfds, tv_ptr);
retval=select((int)fds->max+1,
fds->orfds, fds->owfds, fds->oxfds, tv_ptr);
} while(retval<0 && get_last_socket_error()==S_EINTR);
return retval;
}
NOEXPORT void s_poll_realloc(s_poll_set *fds) {
fds->irfds=str_realloc(fds->irfds, FD_SIZE(fds));
fds->iwfds=str_realloc(fds->iwfds, FD_SIZE(fds));
fds->ixfds=str_realloc(fds->ixfds, FD_SIZE(fds));
fds->orfds=str_realloc(fds->orfds, FD_SIZE(fds));
fds->owfds=str_realloc(fds->owfds, FD_SIZE(fds));
fds->oxfds=str_realloc(fds->oxfds, FD_SIZE(fds));
}
void s_poll_dump(s_poll_set *fds, int level) {
SOCKET fd;
int ir, iw, ix, or, ow, ox;
for(fd=0; fd<fds->max; fd++) {
ir=FD_ISSET(fd, fds->irfds);
iw=FD_ISSET(fd, fds->iwfds);
ix=FD_ISSET(fd, fds->ixfds);
or=FD_ISSET(fd, fds->orfds);
ow=FD_ISSET(fd, fds->owfds);
ox=FD_ISSET(fd, fds->oxfds);
if(ir || iw || ix || or || ow || ox)
s_log(level, "FD=%ld ifds=%c%c%c ofds=%c%c%c", (long)fd,
ir?'r':'-', iw?'w':'-', ix?'x':'-',
or?'r':'-', ow?'w':'-', ox?'x':'-');
}
}
#endif /* USE_POLL */
/**************************************** fd management */
int set_socket_options(int s, int type) {
int set_socket_options(SOCKET s, int type) {
SOCK_OPT *ptr;
extern SOCK_OPT sock_opts[];
extern SOCK_OPT *sock_opts;
static char *type_str[3]={"accept", "local", "remote"};
int opt_size;
socklen_t opt_size;
int retval=0; /* no error found */
for(ptr=sock_opts; ptr->opt_str; ptr++) {
@ -386,7 +501,7 @@ int set_socket_options(int s, int type) {
opt_size=sizeof(struct timeval);
break;
case TYPE_STRING:
opt_size=strlen(ptr->opt_val[type]->c_val)+1;
opt_size=(socklen_t)strlen(ptr->opt_val[type]->c_val)+1;
break;
default:
opt_size=sizeof(int);
@ -403,17 +518,15 @@ int set_socket_options(int s, int type) {
retval=-1; /* failed to set this option */
}
}
#ifdef DEBUG_FD_ALLOC
else {
s_log(LOG_DEBUG, "Option %s set on %s socket",
ptr->opt_str, type_str[type]);
}
#endif /* DEBUG_FD_ALLOC */
}
return retval; /* returns 0 when all options succeeded */
}
static int get_socket_error(const int fd) {
int get_socket_error(const SOCKET fd) {
int err;
socklen_t optlen=sizeof err;
@ -424,56 +537,56 @@ static int get_socket_error(const int fd) {
/**************************************** simulate blocking I/O */
int connect_blocking(CLI *c, SOCKADDR_UNION *addr, socklen_t addrlen) {
int s_connect(CLI *c, SOCKADDR_UNION *addr, socklen_t addrlen) {
int error;
char *dst;
dst=s_ntop(addr, addrlen);
s_log(LOG_INFO, "connect_blocking: connecting %s", dst);
s_log(LOG_INFO, "s_connect: connecting %s", dst);
if(!connect(c->fd, &addr->sa, addrlen)) {
s_log(LOG_NOTICE, "connect_blocking: connected %s", dst);
s_log(LOG_INFO, "s_connect: connected %s", dst);
str_free(dst);
return 0; /* no error -> success (on some OSes over the loopback) */
}
error=get_last_socket_error();
if(error!=S_EINPROGRESS && error!=S_EWOULDBLOCK) {
s_log(LOG_ERR, "connect_blocking: connect %s: %s (%d)",
s_log(LOG_ERR, "s_connect: connect %s: %s (%d)",
dst, s_strerror(error), error);
str_free(dst);
return -1;
}
s_log(LOG_DEBUG, "connect_blocking: s_poll_wait %s: waiting %d seconds",
s_log(LOG_DEBUG, "s_connect: s_poll_wait %s: waiting %d seconds",
dst, c->opt->timeout_connect);
s_poll_init(c->fds);
s_poll_add(c->fds, c->fd, 1, 1);
switch(s_poll_wait(c->fds, c->opt->timeout_connect, 0)) {
case -1:
error=get_last_socket_error();
s_log(LOG_ERR, "connect_blocking: s_poll_wait %s: %s (%d)",
s_log(LOG_ERR, "s_connect: s_poll_wait %s: %s (%d)",
dst, s_strerror(error), error);
str_free(dst);
return -1;
case 0:
s_log(LOG_ERR, "connect_blocking: s_poll_wait %s:"
s_log(LOG_ERR, "s_connect: s_poll_wait %s:"
" TIMEOUTconnect exceeded", dst);
str_free(dst);
return -1;
default:
error=get_socket_error(c->fd);
if(error) {
s_log(LOG_ERR, "connect_blocking: connect %s: %s (%d)",
s_log(LOG_ERR, "s_connect: connect %s: %s (%d)",
dst, s_strerror(error), error);
str_free(dst);
return -1;
}
if(s_poll_canwrite(c->fds, c->fd)) {
s_log(LOG_NOTICE, "connect_blocking: connected %s", dst);
s_log(LOG_NOTICE, "s_connect: connected %s", dst);
str_free(dst);
return 0; /* success */
}
s_log(LOG_ERR, "connect_blocking: s_poll_wait %s: internal error",
s_log(LOG_ERR, "s_connect: s_poll_wait %s: internal error",
dst);
str_free(dst);
return -1;
@ -481,147 +594,115 @@ int connect_blocking(CLI *c, SOCKADDR_UNION *addr, socklen_t addrlen) {
return -1; /* should not be possible */
}
void write_blocking(CLI *c, int fd, void *ptr, int len) {
void s_write(CLI *c, SOCKET fd, const void *buf, size_t len) {
/* simulate a blocking write */
int num;
uint8_t *ptr=(uint8_t *)buf;
ssize_t num;
while(len>0) {
s_poll_init(c->fds);
s_poll_add(c->fds, fd, 0, 1); /* write */
switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
case -1:
sockerror("write_blocking: s_poll_wait");
sockerror("s_write: s_poll_wait");
longjmp(c->err, 1); /* error */
case 0:
s_log(LOG_INFO, "write_blocking: s_poll_wait:"
s_log(LOG_INFO, "s_write: s_poll_wait:"
" TIMEOUTbusy exceeded: sending reset");
longjmp(c->err, 1); /* timeout */
case 1:
break; /* OK */
default:
s_log(LOG_ERR, "write_blocking: s_poll_wait: unknown result");
s_log(LOG_ERR, "s_write: s_poll_wait: unknown result");
longjmp(c->err, 1); /* error */
}
num=writesocket(fd, ptr, len);
switch(num) {
case -1: /* error */
sockerror("writesocket (write_blocking)");
num=writesocket(fd, (void *)ptr, len);
if(num==-1) { /* error */
sockerror("writesocket (s_write)");
longjmp(c->err, 1);
}
ptr=(u8 *)ptr+num;
len-=num;
ptr+=(size_t)num;
len-=(size_t)num;
}
}
void read_blocking(CLI *c, int fd, void *ptr, int len) {
void s_read(CLI *c, SOCKET fd, void *ptr, size_t len) {
/* simulate a blocking read */
int num;
ssize_t num;
while(len>0) {
s_poll_init(c->fds);
s_poll_add(c->fds, fd, 1, 0); /* read */
switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
case -1:
sockerror("read_blocking: s_poll_wait");
sockerror("s_read: s_poll_wait");
longjmp(c->err, 1); /* error */
case 0:
s_log(LOG_INFO, "read_blocking: s_poll_wait:"
s_log(LOG_INFO, "s_read: s_poll_wait:"
" TIMEOUTbusy exceeded: sending reset");
longjmp(c->err, 1); /* timeout */
case 1:
break; /* OK */
default:
s_log(LOG_ERR, "read_blocking: s_poll_wait: unknown result");
s_log(LOG_ERR, "s_read: s_poll_wait: unknown result");
longjmp(c->err, 1); /* error */
}
num=readsocket(fd, ptr, len);
switch(num) {
case -1: /* error */
sockerror("readsocket (read_blocking)");
sockerror("readsocket (s_read)");
longjmp(c->err, 1);
case 0: /* EOF */
s_log(LOG_ERR, "Unexpected socket close (read_blocking)");
s_log(LOG_ERR, "Unexpected socket close (s_read)");
longjmp(c->err, 1);
}
ptr=(u8 *)ptr+num;
len-=num;
ptr=(uint8_t *)ptr+num;
len-=(size_t)num;
}
}
void fd_putline(CLI *c, int fd, const char *line) {
void fd_putline(CLI *c, SOCKET fd, const char *line) {
char *tmpline;
const char crlf[]="\r\n";
int len;
size_t len;
tmpline=str_printf("%s%s", line, crlf);
len=strlen(tmpline);
write_blocking(c, fd, tmpline, len);
tmpline[len-2]='\0'; /* remove CRLF */
safestring(tmpline);
s_log(LOG_DEBUG, " -> %s", tmpline);
s_write(c, fd, tmpline, len);
str_free(tmpline);
s_log(LOG_DEBUG, " -> %s", line);
}
char *fd_getline(CLI *c, int fd) {
char *line, *tmpline;
int ptr=0, allocated=32;
char *fd_getline(CLI *c, SOCKET fd) {
char *line;
size_t ptr=0, allocated=32;
line=str_alloc(allocated);
for(;;) {
s_poll_init(c->fds);
s_poll_add(c->fds, fd, 1, 0); /* read */
switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
case -1:
sockerror("fd_getline: s_poll_wait");
if(ptr>65536) { /* >64KB --> DoS protection */
s_log(LOG_ERR, "fd_getline: Line too long");
str_free(line);
longjmp(c->err, 1); /* error */
case 0:
s_log(LOG_INFO, "fd_getline: s_poll_wait:"
" TIMEOUTbusy exceeded: sending reset");
str_free(line);
longjmp(c->err, 1); /* timeout */
case 1:
break; /* OK */
default:
s_log(LOG_ERR, "fd_getline: s_poll_wait: Unknown result");
str_free(line);
longjmp(c->err, 1); /* error */
longjmp(c->err, 1);
}
if(allocated<ptr+1) {
allocated*=2;
line=str_realloc(line, allocated);
}
switch(readsocket(fd, line+ptr, 1)) {
case -1: /* error */
sockerror("fd_getline: readsocket");
str_free(line);
longjmp(c->err, 1);
case 0: /* EOF */
s_log(LOG_ERR, "fd_getline: Unexpected socket close");
str_free(line);
longjmp(c->err, 1);
}
s_read(c, fd, line+ptr, 1);
if(line[ptr]=='\r')
continue;
if(line[ptr]=='\n')
break;
if(line[ptr]=='\0')
break;
if(++ptr>65536) { /* >64KB --> DoS protection */
s_log(LOG_ERR, "fd_getline: Line too long");
str_free(line);
longjmp(c->err, 1);
}
++ptr;
}
line[ptr]='\0';
tmpline=str_dup(line);
safestring(tmpline);
s_log(LOG_DEBUG, " <- %s", tmpline);
str_free(tmpline);
s_log(LOG_DEBUG, " <- %s", line);
return line;
}
void fd_printf(CLI *c, int fd, const char *format, ...) {
void fd_printf(CLI *c, SOCKET fd, const char *format, ...) {
va_list ap;
char *line;
@ -636,27 +717,166 @@ void fd_printf(CLI *c, int fd, const char *format, ...) {
str_free(line);
}
void s_ssl_write(CLI *c, const void *buf, int len) {
/* simulate a blocking SSL_write */
uint8_t *ptr=(uint8_t *)buf;
int num;
while(len>0) {
s_poll_init(c->fds);
s_poll_add(c->fds, c->ssl_wfd->fd, 0, 1); /* write */
switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
case -1:
sockerror("s_write: s_poll_wait");
longjmp(c->err, 1); /* error */
case 0:
s_log(LOG_INFO, "s_write: s_poll_wait:"
" TIMEOUTbusy exceeded: sending reset");
longjmp(c->err, 1); /* timeout */
case 1:
break; /* OK */
default:
s_log(LOG_ERR, "s_write: s_poll_wait: unknown result");
longjmp(c->err, 1); /* error */
}
num=SSL_write(c->ssl, (void *)ptr, len);
if(num==-1) { /* error */
sockerror("SSL_write (s_ssl_write)");
longjmp(c->err, 1);
}
ptr+=num;
len-=num;
}
}
void s_ssl_read(CLI *c, void *ptr, int len) {
/* simulate a blocking SSL_read */
int num;
while(len>0) {
if(!SSL_pending(c->ssl)) {
s_poll_init(c->fds);
s_poll_add(c->fds, c->ssl_rfd->fd, 1, 0); /* read */
switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
case -1:
sockerror("s_read: s_poll_wait");
longjmp(c->err, 1); /* error */
case 0:
s_log(LOG_INFO, "s_read: s_poll_wait:"
" TIMEOUTbusy exceeded: sending reset");
longjmp(c->err, 1); /* timeout */
case 1:
break; /* OK */
default:
s_log(LOG_ERR, "s_read: s_poll_wait: unknown result");
longjmp(c->err, 1); /* error */
}
}
num=SSL_read(c->ssl, ptr, len);
switch(num) {
case -1: /* error */
sockerror("SSL_read (s_ssl_read)");
longjmp(c->err, 1);
case 0: /* EOF */
s_log(LOG_ERR, "Unexpected socket close (s_ssl_read)");
longjmp(c->err, 1);
}
ptr=(uint8_t *)ptr+num;
len-=num;
}
}
char *ssl_getstring(CLI *c) { /* get null-terminated string */
char *line;
size_t ptr=0, allocated=32;
line=str_alloc(allocated);
for(;;) {
if(ptr>65536) { /* >64KB --> DoS protection */
s_log(LOG_ERR, "ssl_getstring: Line too long");
str_free(line);
longjmp(c->err, 1);
}
if(allocated<ptr+1) {
allocated*=2;
line=str_realloc(line, allocated);
}
s_ssl_read(c, line+ptr, 1);
if(line[ptr]=='\0')
break;
++ptr;
}
return line;
}
char *ssl_getline(CLI *c) { /* get newline-terminated string */
char *line;
size_t ptr=0, allocated=32;
line=str_alloc(allocated);
for(;;) {
if(ptr>65536) { /* >64KB --> DoS protection */
s_log(LOG_ERR, "ssl_getline: Line too long");
str_free(line);
longjmp(c->err, 1);
}
if(allocated<ptr+1) {
allocated*=2;
line=str_realloc(line, allocated);
}
s_ssl_read(c, line+ptr, 1);
if(line[ptr]=='\r')
continue;
if(line[ptr]=='\n')
break;
if(line[ptr]=='\0')
break;
++ptr;
}
line[ptr]='\0';
s_log(LOG_DEBUG, " <- %s", line);
return line;
}
void ssl_putline(CLI *c, const char *line) { /* put newline-terminated string */
char *tmpline;
const char crlf[]="\r\n";
size_t len;
tmpline=str_printf("%s%s", line, crlf);
len=strlen(tmpline);
if(len>INT_MAX) { /* paranoia */
s_log(LOG_ERR, "ssl_putline: Line too long");
str_free(tmpline);
longjmp(c->err, 1);
}
s_ssl_write(c, tmpline, (int)len);
str_free(tmpline);
s_log(LOG_DEBUG, " -> %s", line);
}
/**************************************** network helpers */
#define INET_SOCKET_PAIR
int make_sockets(int fd[2]) { /* make a pair of connected ipv4 sockets */
int make_sockets(SOCKET fd[2]) { /* make a pair of connected ipv4 sockets */
#ifdef INET_SOCKET_PAIR
struct sockaddr_in addr;
socklen_t addrlen;
int s; /* temporary socket awaiting for connection */
SOCKET s; /* temporary socket awaiting for connection */
/* create two *blocking* sockets first */
s=s_socket(AF_INET, SOCK_STREAM, 0, 0, "make_sockets: s_socket#1");
if(s<0) {
if(s==INVALID_SOCKET)
return 1;
}
fd[1]=s_socket(AF_INET, SOCK_STREAM, 0, 0, "make_sockets: s_socket#2");
if(fd[1]<0) {
if(fd[1]==INVALID_SOCKET) {
closesocket(s);
return 1;
}
addrlen=sizeof addr;
memset(&addr, 0, addrlen);
memset(&addr, 0, sizeof addr);
addr.sin_family=AF_INET;
addr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);
addr.sin_port=htons(0); /* dynamic port allocation */
@ -685,7 +905,7 @@ int make_sockets(int fd[2]) { /* make a pair of connected ipv4 sockets */
}
fd[0]=s_accept(s, (struct sockaddr *)&addr, &addrlen, 1,
"make_sockets: s_accept");
if(fd[0]<0) {
if(fd[0]==INVALID_SOCKET) {
closesocket(s);
closesocket(fd[1]);
return 1;
@ -700,4 +920,26 @@ int make_sockets(int fd[2]) { /* make a pair of connected ipv4 sockets */
return 0;
}
/* returns 0 on success, and -1 on error */
int original_dst(const SOCKET fd, SOCKADDR_UNION *addr) {
socklen_t addrlen;
memset(addr, 0, sizeof(SOCKADDR_UNION));
addrlen=sizeof(SOCKADDR_UNION);
#ifdef SO_ORIGINAL_DST
#ifdef USE_IPv6
if(!getsockopt(fd, SOL_IPV6, SO_ORIGINAL_DST, &addr->sa, &addrlen))
return 0; /* succeeded */
#endif /* USE_IPv6 */
if(!getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, &addr->sa, &addrlen))
return 0; /* succeeded */
sockerror("getsockopt SO_ORIGINAL_DST");
#else /* SO_ORIGINAL_DST */
if(!getsockname(fd, &addr->sa, &addrlen))
return 0; /* succeeded */
sockerror("getsockname");
#endif /* SO_ORIGINAL_DST */
return -1; /* failed */
}
/* end of network.c */

101
src/nogui.c
View File

@ -1,101 +0,0 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
int main(int argc, char *argv[]) {
static struct WSAData wsa_state;
str_init(); /* initialize per-thread string management */
if(WSAStartup(MAKEWORD(1, 1), &wsa_state))
return 1;
resolver_init();
main_initialize();
if(!main_configure(argc>1 ? argv[1] : NULL, argc>2 ? argv[2] : NULL))
daemon_loop();
unbind_ports();
log_flush(LOG_MODE_ERROR);
return 0;
}
void message_box(const LPSTR text, const UINT type) {
LPTSTR tstr;
tstr=str2tstr(text);
MessageBox(NULL, tstr, TEXT("stunnel"), type);
str_free(tstr);
}
void win_new_chain(int section_number) {
(void)section_number; /* skip warning about unused parameter */
}
void win_new_log(char *line) {
#ifdef _WIN32_WCE
/* log to Windows CE debug output stream */
LPTSTR tstr;
tstr=str2tstr(line);
RETAILMSG(TRUE, (TEXT("%s\r\n"), tstr));
str_free(tstr);
#else
printf("%s\n", line);
#endif
}
void win_new_config(void) {
/* no action */
}
int passwd_cb(char *buf, int size, int rwflag, void *userdata) {
(void)buf; /* skip warning about unused parameter */
(void)size; /* skip warning about unused parameter */
(void)rwflag; /* skip warning about unused parameter */
(void)userdata; /* skip warning about unused parameter */
return 0; /* not implemented */
}
#ifdef HAVE_OSSL_ENGINE_H
int pin_cb(UI *ui, UI_STRING *uis) {
(void)ui; /* skip warning about unused parameter */
(void)uis; /* skip warning about unused parameter */
return 0; /* not implemented */
}
#endif
/* end of nogui.c */

2611
src/options.c
View File

File diff suppressed because it is too large Load Diff

15
src/os2.mak
View File

@ -1,11 +1,11 @@
prefix=.
DEFS = -DPACKAGE_NAME=\"stunnel\" \
-DPACKAGE_TARNAME=\"stunnel\" \
-DPACKAGE_VERSION=\"4.57\" \
-DPACKAGE_STRING=\"stunnel\ 4.57\" \
-DPACKAGE_VERSION=\"5.42\" \
-DPACKAGE_STRING=\"stunnel\ 5.42\" \
-DPACKAGE_BUGREPORT=\"\" \
-DPACKAGE=\"stunnel\" \
-DVERSION=\"4.57\" \
-DVERSION=\"5.42\" \
-DSTDC_HEADERS=1 \
-DHAVE_SYS_TYPES_H=1 \
-DHAVE_SYS_STAT_H=1 \
@ -14,7 +14,6 @@ DEFS = -DPACKAGE_NAME=\"stunnel\" \
-DHAVE_MEMORY_H=1 \
-DHAVE_STRINGS_H=1 \
-DHAVE_UNISTD_H=1 \
-DHAVE_OSSL_ENGINE_H=1 \
-DSSLDIR=\"/usr\" \
-DHOST=\"i386-pc-os2-emx\" \
-DHAVE_LIBSOCKET=1 \
@ -34,8 +33,7 @@ DEFS = -DPACKAGE_NAME=\"stunnel\" \
-DSIZEOF_UNSIGNED_INT=4 \
-DSIZEOF_UNSIGNED_LONG=4 \
-DLIBDIR=\"$(prefix)/lib\" \
-DCONFDIR=\"$(prefix)/etc\" \
-DPIDFILE=\"$(prefix)/stunnel.pid\"
-DCONFDIR=\"$(prefix)/etc\"
CC = gcc
.SUFFIXES = .c .o
@ -43,7 +41,7 @@ OPENSSLDIR = u:/extras
#SYSLOGDIR = /unixos2/workdir/syslog
INCLUDES = -I$(OPENSSLDIR)/outinc
LIBS = -lsocket -L$(OPENSSLDIR)/out -lssl -lcrypto -lz -lsyslog
OBJS = file.o client.o log.o options.o protocol.o network.o ssl.o ctx.o verify.o sthreads.o stunnel.o pty.o resolver.o str.o fd.o
OBJS = file.o client.o log.o options.o protocol.o network.o ssl.o ctx.o verify.o sthreads.o stunnel.o pty.o resolver.o str.o tls.o fd.o dhparam.o cron.o
LIBDIR = .
CFLAGS = -O2 -Wall -Wshadow -Wcast-align -Wpointer-arith
@ -70,7 +68,10 @@ sthreads.o: sthreads.c common.h prototypes.h
stunnel.o: stunnel.c common.h prototypes.h
resolver.o: resolver.c common.h prototypes.h
str.o: str.c common.h prototypes.h
tls.o: tls.c common.h prototypes.h
fd.o: fd.c common.h prototypes.h
dhparam.o: dhparam.c common.h prototypes.h
cron.o: cron.c common.h prototypes.h
clean:
rm -f *.o *.exe

982
src/protocol.c
View File

File diff suppressed because it is too large Load Diff

616
src/prototypes.h
View File

@ -1,24 +1,24 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
@ -26,7 +26,7 @@
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
@ -40,15 +40,45 @@
#include "common.h"
/**************************************** forward declarations */
typedef struct tls_data_struct TLS_DATA;
/**************************************** data structures */
#if defined (USE_WIN32)
#define ICON_IMAGE HICON
#elif defined(__APPLE__)
#define ICON_IMAGE void *
#endif
typedef enum {
LOG_MODE_NONE,
ICON_ERROR,
ICON_IDLE,
ICON_ACTIVE,
ICON_NONE /* it has to be the last one */
} ICON_TYPE;
typedef enum {
LOG_MODE_BUFFER,
LOG_MODE_ERROR,
LOG_MODE_INFO,
LOG_MODE_CONFIGURED
} LOG_MODE;
typedef enum {
LOG_ID_SEQUENTIAL,
LOG_ID_UNIQUE,
LOG_ID_THREAD,
LOG_ID_PROCESS
} LOG_ID;
typedef enum {
FILE_MODE_READ,
FILE_MODE_APPEND,
FILE_MODE_OVERWRITE
} FILE_MODE;
typedef union sockaddr_union {
struct sockaddr sa;
struct sockaddr_in in;
@ -66,25 +96,29 @@ typedef struct name_list_struct {
} NAME_LIST;
typedef struct sockaddr_list { /* list of addresses */
SOCKADDR_UNION *addr; /* the list of addresses */
u16 cur; /* current address for round-robin */
u16 num; /* how many addresses are used */
struct sockaddr_list *parent; /* used by copies to locate their parent */
SOCKADDR_UNION *addr; /* array of resolved addresses */
SSL_SESSION **session; /* array of cached client sessions */
unsigned rr; /* current address for round-robin */
unsigned num; /* how many addresses are used */
int passive; /* listening socket */
NAME_LIST *names; /* a list of unresolved names */
} SOCKADDR_LIST;
#ifndef OPENSSL_NO_COMP
typedef enum {
COMP_NONE, COMP_DEFLATE, COMP_ZLIB, COMP_RLE
COMP_NONE, COMP_DEFLATE, COMP_ZLIB
} COMP_TYPE;
#endif /* OPENSSL_NO_COMP */
#endif /* !defined(OPENSSL_NO_COMP) */
typedef struct {
/* some data for SSL initialization in ssl.c */
/* some data for TLS initialization in ssl.c */
#ifndef OPENSSL_NO_COMP
COMP_TYPE compression; /* compression type */
#endif /* OPENSSL_NO_COMP */
#endif /* !defined(OPENSSL_NO_COMP) */
char *egd_sock; /* entropy gathering daemon socket */
char *rand_file; /* file with random data */
int random_bytes; /* how many random bytes to read */
long random_bytes; /* how many random bytes to read */
/* some global data for stunnel.c */
#ifndef USE_WIN32
@ -93,27 +127,32 @@ typedef struct {
#endif
unsigned long dpid;
char *pidfile;
int uid, gid;
#endif
/* logging-support data for log.c */
int debug_level; /* debug level for logging */
#ifndef USE_WIN32
int facility; /* debug facility for syslog */
int log_facility; /* debug facility for syslog */
#endif
char *output_file;
FILE_MODE log_file_mode;
/* user interface configuration */
#ifdef ICON_IMAGE
ICON_IMAGE icon[ICON_NONE]; /* user-specified GUI icons */
#endif
/* on/off switches */
struct {
unsigned int rand_write:1; /* overwrite rand_file */
unsigned rand_write:1; /* overwrite rand_file */
#ifdef USE_WIN32
unsigned int taskbar:1; /* enable the taskbar icon */
unsigned taskbar:1; /* enable the taskbar icon */
#else /* !USE_WIN32 */
unsigned int foreground:1;
unsigned int syslog:1;
unsigned foreground:1;
unsigned log_stderr:1;
unsigned log_syslog:1;
#endif
#ifdef USE_FIPS
unsigned int fips:1; /* enable FIPS 140-2 mode */
unsigned fips:1; /* enable FIPS 140-2 mode */
#endif
} option;
} GLOBAL_OPTIONS;
@ -122,16 +161,39 @@ extern GLOBAL_OPTIONS global_options;
#ifndef OPENSSL_NO_TLSEXT
typedef struct servername_list_struct SERVERNAME_LIST;/* forward declaration */
#endif
#endif /* !defined(OPENSSL_NO_TLSEXT) */
#ifndef OPENSSL_NO_PSK
typedef struct psk_keys_struct {
char *identity;
unsigned char *key_val;
size_t key_len;
struct psk_keys_struct *next;
} PSK_KEYS;
typedef struct psk_table_struct {
PSK_KEYS **val;
size_t num;
} PSK_TABLE;
#endif /* !defined(OPENSSL_NO_PSK) */
typedef struct service_options_struct {
struct service_options_struct *next; /* next node in the services list */
SSL_CTX *ctx; /* SSL context */
SSL_CTX *ctx; /* TLS context */
char *servname; /* service name for logging & permission checking */
/* service-specific data for stunnel.c */
#ifndef USE_WIN32
uid_t uid;
gid_t gid;
#endif
/* service-specific data for log.c */
int log_level; /* debug level for logging */
LOG_ID log_id; /* logging session id type */
/* service-specific data for sthreads.c */
#ifndef USE_FORK
int stack_size; /* stack size for this thread */
size_t stack_size; /* stack size for this thread */
#endif
/* service-specific data for verify.c */
@ -139,92 +201,109 @@ typedef struct service_options_struct {
char *ca_file; /* file containing bunches of certs */
char *crl_dir; /* directory for hashed CRLs */
char *crl_file; /* file containing bunches of CRLs */
int verify_level;
X509_STORE *revocation_store; /* cert store for CRL checking */
#ifdef HAVE_OSSL_OCSP_H
SOCKADDR_UNION ocsp_addr;
char *ocsp_path;
#ifndef OPENSSL_NO_OCSP
char *ocsp_url;
unsigned long ocsp_flags;
#endif
#endif /* !defined(OPENSSL_NO_OCSP) */
#if OPENSSL_VERSION_NUMBER>=0x10002000L
NAME_LIST *check_host, *check_email, *check_ip; /* cert subject checks */
NAME_LIST *config; /* OpenSSL CONF options */
#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
/* service-specific data for ctx.c */
char *cipher_list;
char *cert; /* cert filename */
char *key; /* pem (priv key/cert) filename */
long session_size, session_timeout;
long ssl_options;
long unsigned ssl_options_set;
#if OPENSSL_VERSION_NUMBER>=0x009080dfL
long unsigned ssl_options_clear;
#endif /* OpenSSL 0.9.8m or later */
SSL_METHOD *client_method, *server_method;
SOCKADDR_UNION sessiond_addr;
#ifndef OPENSSL_NO_TLSEXT
char *sni;
SERVERNAME_LIST *servername_list_head, *servername_list_tail;
#endif
#endif /* !defined(OPENSSL_NO_TLSEXT) */
#ifndef OPENSSL_NO_PSK
char *psk_identity;
PSK_KEYS *psk_keys, *psk_selected;
PSK_TABLE psk_sorted;
#endif /* !defined(OPENSSL_NO_PSK) */
#ifndef OPENSSL_NO_ECDH
int curve;
#endif
#ifdef HAVE_OSSL_ENGINE_H
#endif /* !defined(OPENSSL_NO_ECDH) */
#ifndef OPENSSL_NO_ENGINE
ENGINE *engine; /* engine to read the private key */
#endif
#endif /* !defined(OPENSSL_NO_ENGINE) */
/* service-specific data for client.c */
int fd; /* file descriptor accepting connections for this service */
SOCKET fd; /* file descriptor accepting connections for this service */
SSL_SESSION *session; /* recently used session */
char *execname; /* program name for local mode */
char *exec_name; /* program name for local mode */
#ifdef USE_WIN32
char *execargs; /* program arguments for local mode */
char *exec_args; /* program arguments for local mode */
#else
char **execargs; /* program arguments for local mode */
char **exec_args; /* program arguments for local mode */
#endif
SOCKADDR_UNION local_addr, source_addr;
SOCKADDR_LIST connect_addr;
char *username;
NAME_LIST *connect_list;
SOCKADDR_LIST connect_addr, redirect_addr;
int timeout_busy; /* maximum waiting for data time */
int timeout_close; /* maximum close_notify time */
int timeout_connect; /* maximum connect() time */
int timeout_idle; /* maximum idle connection time */
enum {FAILOVER_RR, FAILOVER_PRIO} failover; /* failover strategy */
char *username;
/* service-specific data for protocol.c */
int protocol;
char * protocol;
char *protocol_host;
char *protocol_domain;
char *protocol_username;
char *protocol_password;
char *protocol_authentication;
/* service-specific data for gui.c */
/* service-specific data for ui_*.c */
#ifdef USE_WIN32
int section_number;
LPTSTR file;
char *help, *chain;
LPTSTR file, help;
#endif
unsigned section_number;
char *chain;
/* on/off switches */
struct {
unsigned int accept:1; /* endpoint: accept */
unsigned int client:1;
unsigned int delayed_lookup:1;
unsigned request_cert:1; /* request a peer certificate */
unsigned require_cert:1; /* require a client certificate */
unsigned verify_chain:1; /* verify certificate chain */
unsigned verify_peer:1; /* verify peer certificate */
unsigned accept:1; /* endpoint: accept */
unsigned client:1;
unsigned delayed_lookup:1;
#ifdef USE_LIBWRAP
unsigned int libwrap:1;
unsigned libwrap:1;
#endif
unsigned int local:1; /* outgoing interface specified */
unsigned int remote:1; /* endpoint: connect */
unsigned int retry:1; /* loop remote+program */
unsigned int sessiond:1;
unsigned int program:1; /* endpoint: exec */
unsigned local:1; /* outgoing interface specified */
unsigned retry:1; /* loop remote+program */
unsigned sessiond:1;
#ifndef OPENSSL_NO_TLSEXT
unsigned int sni:1; /* endpoint: sni */
#endif
unsigned sni:1; /* endpoint: sni */
#endif /* !defined(OPENSSL_NO_TLSEXT) */
#ifndef USE_WIN32
unsigned int pty:1;
unsigned int transparent_src:1;
unsigned int transparent_dst:1; /* endpoint: transparent destination */
unsigned pty:1;
unsigned transparent_src:1;
#endif
#ifdef HAVE_OSSL_OCSP_H
unsigned int ocsp:1;
#endif
unsigned int reset:1; /* reset sockets on error */
unsigned int renegotiation:1;
unsigned transparent_dst:1; /* endpoint: transparent destination */
unsigned protocol_endpoint:1; /* dynamic target from the protocol */
unsigned reset:1; /* reset sockets on error */
unsigned renegotiation:1;
unsigned connect_before_ssl:1;
#ifndef OPENSSL_NO_OCSP
unsigned aia:1; /* Authority Information Access */
unsigned nonce:1; /* send and verify OCSP nonce */
#endif /* !defined(OPENSSL_NO_OCSP) */
#ifndef OPENSSL_NO_DH
unsigned dh_needed:1;
#endif /* OPENSSL_NO_DH */
} option;
} SERVICE_OPTIONS;
@ -236,7 +315,7 @@ struct servername_list_struct {
SERVICE_OPTIONS *opt;
struct servername_list_struct *next;
};
#endif
#endif /* !defined(OPENSSL_NO_TLSEXT) */
typedef enum {
TYPE_NONE, TYPE_FLAG, TYPE_INT, TYPE_LINGER, TYPE_TIMEVAL, TYPE_STRING
@ -267,11 +346,14 @@ typedef enum {
typedef struct {
#ifdef USE_POLL
struct pollfd *ufds;
unsigned int nfds;
unsigned int allocated;
unsigned nfds;
unsigned allocated;
#else /* select */
fd_set irfds, iwfds, ixfds, orfds, owfds, oxfds;
int max;
fd_set *irfds, *iwfds, *ixfds, *orfds, *owfds, *oxfds;
SOCKET max;
#ifdef USE_WIN32
unsigned allocated;
#endif
#endif
} s_poll_set;
@ -281,47 +363,91 @@ typedef struct disk_file {
#else
int fd;
#endif
/* the inteface is prepared to easily implement buffering if needed */
/* the interface is prepared to easily implement buffering if needed */
} DISK_FILE;
/* FD definition for client.c */
/* definitions for client.c */
typedef struct {
int fd; /* file descriptor */
SOCKET fd; /* file descriptor */
int is_socket; /* file descriptor is a socket */
} FD;
typedef enum {
RENEG_INIT, /* initial state */
RENEG_ESTABLISHED, /* initial handshake completed */
RENEG_DETECTED /* renegotiation detected */
} RENEG_STATE;
typedef struct {
jmp_buf err; /* 64-bit platforms require jmp_buf to be 16-byte aligned */
SSL *ssl; /* TLS connection */
SERVICE_OPTIONS *opt;
TLS_DATA *tls;
SOCKADDR_UNION peer_addr; /* peer address */
socklen_t peer_addr_len;
SOCKADDR_UNION *bind_addr; /* address to bind() the socket */
SOCKADDR_LIST connect_addr; /* either copied or resolved dynamically */
unsigned idx; /* actually connected address in connect_addr */
FD local_rfd, local_wfd; /* read and write local descriptors */
FD remote_fd; /* remote file descriptor */
/* IP for explicit local bind or transparent proxy */
unsigned long pid; /* PID of the local process */
SOCKET fd; /* temporary file descriptor */
RENEG_STATE reneg_state; /* used to track renegotiation attempts */
unsigned long long seq; /* sequential thread number for logging */
/* data for transfer() function */
char sock_buff[BUFFSIZE]; /* socket read buffer */
char ssl_buff[BUFFSIZE]; /* TLS read buffer */
size_t sock_ptr, ssl_ptr; /* index of the first unused byte */
FD *sock_rfd, *sock_wfd; /* read and write socket descriptors */
FD *ssl_rfd, *ssl_wfd; /* read and write TLS descriptors */
uint64_t sock_bytes, ssl_bytes; /* bytes written to socket and TLS */
s_poll_set *fds; /* file descriptors */
} CLI;
/**************************************** prototypes for stunnel.c */
#ifndef USE_FORK
extern int max_clients;
extern volatile int num_clients;
extern long max_clients;
extern volatile long num_clients;
#endif
void main_initialize(void);
void main_init(void);
int main_configure(char *, char *);
void main_cleanup(void);
int drop_privileges(int);
void daemon_loop(void);
void unbind_ports(void);
int bind_ports(void);
#if !defined (USE_WIN32) && !defined (__vms) && !defined(USE_OS2)
int drop_privileges(int);
#endif
void signal_post(int);
#if !defined(USE_WIN32) && !defined(USE_OS2)
void child_status(void); /* dead libwrap or 'exec' process detected */
#endif
void stunnel_info(int);
/**************************************** prototypes for options.c */
extern char configuration_file[PATH_MAX];
extern unsigned number_of_sections;
int options_cmdline(char *, char *);
int options_parse(CONF_TYPE);
void options_defaults(void);
void options_apply(void);
/**************************************** prototypes for fd.c */
#ifndef USE_FORK
void get_limits(void); /* setup global max_clients and max_fds */
#endif
int s_socket(int, int, int, int, char *);
int s_pipe(int [2], int, char *);
int s_socketpair(int, int, int, int [2], int, char *);
int s_accept(int, struct sockaddr *, socklen_t *, int, char *);
void set_nonblock(int, unsigned long);
SOCKET s_socket(int, int, int, int, char *);
int s_pipe(int[2], int, char *);
int s_socketpair(int, int, int, SOCKET[2], int, char *);
SOCKET s_accept(SOCKET, struct sockaddr *, socklen_t *, int, char *);
void set_nonblock(SOCKET, unsigned long);
/**************************************** prototypes for log.c */
@ -338,7 +464,8 @@ void s_log(int, const char *, ...)
#else
;
#endif
void fatal_debug(char *, char *, int);
char *log_id(CLI *);
void fatal_debug(char *, const char *, int);
#define fatal(a) fatal_debug((a), __FILE__, __LINE__)
void ioerror(const char *);
void sockerror(const char *);
@ -349,44 +476,58 @@ char *s_strerror(int);
int pty_allocate(int *, int *, char *);
/**************************************** prototypes for dhparam.c */
DH *get_dh2048(void);
/**************************************** prototypes for cron.c */
int cron_init(void);
/**************************************** prototypes for ssl.c */
extern int cli_index, opt_index;
extern int index_ssl_cli, index_ssl_ctx_opt;
extern int index_session_authenticated, index_session_connect_address;
int ssl_init(void);
int ssl_configure(GLOBAL_OPTIONS *);
/**************************************** prototypes for options.c */
int parse_commandline(char *, char *);
int parse_conf(char *, CONF_TYPE);
void apply_conf(void);
/**************************************** prototypes for ctx.c */
typedef struct {
SERVICE_OPTIONS *section;
char pass[PEM_BUFSIZE];
} UI_DATA;
extern SERVICE_OPTIONS *current_section;
#ifndef OPENSSL_NO_DH
extern DH *dh_params;
extern int dh_needed;
#endif /* OPENSSL_NO_DH */
int context_init(SERVICE_OPTIONS *);
#ifndef OPENSSL_NO_PSK
void psk_sort(PSK_TABLE *, PSK_KEYS *);
PSK_KEYS *psk_find(const PSK_TABLE *, const char *);
#endif /* !defined(OPENSSL_NO_PSK) */
void sslerror(char *);
/**************************************** prototypes for verify.c */
int verify_init(SERVICE_OPTIONS *);
void print_client_CA_list(const STACK_OF(X509_NAME) *);
char *X509_NAME2text(X509_NAME *);
/**************************************** prototypes for network.c */
s_poll_set *s_poll_alloc(void);
void s_poll_free(s_poll_set *);
void s_poll_init(s_poll_set *);
void s_poll_add(s_poll_set *, int, int, int);
int s_poll_canread(s_poll_set *, int);
int s_poll_canwrite(s_poll_set *, int);
int s_poll_hup(s_poll_set *, int);
int s_poll_error(s_poll_set *, int);
void s_poll_add(s_poll_set *, SOCKET, int, int);
void s_poll_remove(s_poll_set *, SOCKET);
int s_poll_canread(s_poll_set *, SOCKET);
int s_poll_canwrite(s_poll_set *, SOCKET);
int s_poll_hup(s_poll_set *, SOCKET);
int s_poll_rdhup(s_poll_set *, SOCKET);
int s_poll_err(s_poll_set *, SOCKET);
int s_poll_wait(s_poll_set *, int, int);
void s_poll_dump(s_poll_set *, int);
#ifdef USE_WIN32
#define SIGNAL_RELOAD_CONFIG 1
@ -398,80 +539,62 @@ int s_poll_wait(s_poll_set *, int, int);
#define SIGNAL_TERMINATE SIGTERM
#endif
int set_socket_options(int, int);
int make_sockets(int [2]);
int set_socket_options(SOCKET, int);
int make_sockets(SOCKET[2]);
int original_dst(const SOCKET, SOCKADDR_UNION *);
/**************************************** prototypes for client.c */
typedef enum {
RENEG_INIT, /* initial state */
RENEG_ESTABLISHED, /* initial handshake completed */
RENEG_DETECTED /* renegotiation detected */
} RENEG_STATE;
typedef struct {
jmp_buf err; /* exception handler needs to be 16-byte aligned on Itanium */
SSL *ssl; /* SSL connnection */
SERVICE_OPTIONS *opt;
SOCKADDR_UNION peer_addr; /* peer address */
socklen_t peer_addr_len;
SOCKADDR_UNION *bind_addr; /* address to bind() the socket */
SOCKADDR_LIST connect_addr; /* for dynamically assigned addresses */
FD local_rfd, local_wfd; /* read and write local descriptors */
FD remote_fd; /* remote file descriptor */
/* IP for explicit local bind or transparent proxy */
unsigned long pid; /* PID of the local process */
int fd; /* temporary file descriptor */
RENEG_STATE reneg_state; /* used to track renegotiation attempts */
/* data for transfer() function */
char sock_buff[BUFFSIZE]; /* socket read buffer */
char ssl_buff[BUFFSIZE]; /* SSL read buffer */
int sock_ptr, ssl_ptr; /* index of first unused byte in buffer */
FD *sock_rfd, *sock_wfd; /* read and write socket descriptors */
FD *ssl_rfd, *ssl_wfd; /* read and write SSL descriptors */
int sock_bytes, ssl_bytes; /* bytes written to socket and SSL */
s_poll_set *fds; /* file descriptors */
} CLI;
CLI *alloc_client_session(SERVICE_OPTIONS *, int, int);
CLI *alloc_client_session(SERVICE_OPTIONS *, SOCKET, SOCKET);
void *client_thread(void *);
void client_main(CLI *);
/**************************************** prototypes for network.c */
int connect_blocking(CLI *, SOCKADDR_UNION *, socklen_t);
void write_blocking(CLI *, int fd, void *, int);
void read_blocking(CLI *, int fd, void *, int);
void fd_putline(CLI *, int, const char *);
char *fd_getline(CLI *, int);
int get_socket_error(const SOCKET);
int s_connect(CLI *, SOCKADDR_UNION *, socklen_t);
void s_write(CLI *, SOCKET fd, const void *, size_t);
void s_read(CLI *, SOCKET fd, void *, size_t);
void fd_putline(CLI *, SOCKET, const char *);
char *fd_getline(CLI *, SOCKET);
/* descriptor versions of fprintf/fscanf */
void fd_printf(CLI *, int, const char *, ...)
void fd_printf(CLI *, SOCKET, const char *, ...)
#ifdef __GNUC__
__attribute__((format(printf, 3, 4)));
#else
;
#endif
void s_ssl_write(CLI *, const void *, int);
void s_ssl_read(CLI *, void *, int);
char *ssl_getstring(CLI *c);
char *ssl_getline(CLI *c);
void ssl_putline(CLI *c, const char *);
/**************************************** prototype for protocol.c */
typedef enum {
PROTOCOL_NONE,
PROTOCOL_PRE_CONNECT,
PROTOCOL_PRE_SSL,
PROTOCOL_POST_SSL
} PROTOCOL_PHASE;
PROTOCOL_CHECK,
PROTOCOL_EARLY,
PROTOCOL_MIDDLE,
PROTOCOL_LATE
} PHASE;
int find_protocol_id(const char *);
void protocol(CLI *, const PROTOCOL_PHASE);
char *protocol(CLI *, SERVICE_OPTIONS *opt, const PHASE);
/**************************************** prototypes for resolver.c */
void resolver_init();
int name2addr(SOCKADDR_UNION *, char *, char *);
int hostport2addr(SOCKADDR_UNION *, char *, char *);
int namelist2addrlist(SOCKADDR_LIST *, NAME_LIST *, char *);
unsigned name2addr(SOCKADDR_UNION *, char *, int);
unsigned hostport2addr(SOCKADDR_UNION *, char *, char *, int);
unsigned name2addrlist(SOCKADDR_LIST *, char *);
unsigned hostport2addrlist(SOCKADDR_LIST *, char *, char *);
void addrlist_clear(SOCKADDR_LIST *, int);
unsigned addrlist_dup(SOCKADDR_LIST *, const SOCKADDR_LIST *);
unsigned addrlist_resolve(SOCKADDR_LIST *);
char *s_ntop(SOCKADDR_UNION *, socklen_t);
socklen_t addr_len(const SOCKADDR_UNION *);
const char *s_gai_strerror(int);
@ -503,28 +626,78 @@ extern GETNAMEINFO s_getnameinfo;
#endif /* USE_WIN32 */
int getnameinfo(const struct sockaddr *, int, char *, int, char *, int, int);
int getnameinfo(const struct sockaddr *, socklen_t,
char *, size_t, char *, size_t, int);
#endif /* !defined HAVE_GETNAMEINFO */
/**************************************** prototypes for sthreads.c */
typedef enum {
CRIT_CLIENTS, CRIT_SESSION, CRIT_SSL, /* client.c */
CRIT_INET, /* resolver.c */
#ifndef USE_WIN32
CRIT_LIBWRAP, /* libwrap.c */
#endif
CRIT_LOG, /* log.c */
CRIT_SECTIONS /* number of critical sections */
} SECTION_CODE;
#if defined(USE_PTHREAD) || defined(USE_WIN32)
struct CRYPTO_dynlock_value {
#ifdef USE_PTHREAD
pthread_rwlock_t rwlock;
#endif
#ifdef USE_WIN32
CRITICAL_SECTION critical_section;
#endif
const char *init_file, *read_lock_file, *write_lock_file,
*read_unlock_file, *write_unlock_file, *destroy_file;
int init_line, read_lock_line, write_lock_line,
read_unlock_line, write_unlock_line, destroy_line;
};
typedef enum {
LOCK_SESSION, LOCK_ADDR,
LOCK_CLIENTS, LOCK_SSL, /* client.c */
LOCK_INET, /* resolver.c */
#ifndef USE_WIN32
LOCK_LIBWRAP, /* libwrap.c */
#endif
LOCK_LOG_BUFFER, LOCK_LOG_MODE, /* log.c */
LOCK_LEAK_HASH, LOCK_LEAK_RESULTS, /* str.c */
#ifndef OPENSSL_NO_DH
LOCK_DH, /* ctx.c */
#endif /* OPENSSL_NO_DH */
STUNNEL_LOCKS /* number of locks */
} LOCK_TYPE;
extern struct CRYPTO_dynlock_value stunnel_locks[STUNNEL_LOCKS];
void stunnel_rwlock_init_debug(struct CRYPTO_dynlock_value *, const char *, int);
void stunnel_read_lock_debug(struct CRYPTO_dynlock_value *, const char *, int);
void stunnel_write_lock_debug(struct CRYPTO_dynlock_value *, const char *, int);
void stunnel_read_unlock_debug(struct CRYPTO_dynlock_value *, const char *, int);
void stunnel_write_unlock_debug(struct CRYPTO_dynlock_value *, const char *, int);
void stunnel_rwlock_destroy_debug(struct CRYPTO_dynlock_value *, const char *, int);
#define stunnel_rwlock_init(x) stunnel_rwlock_init_debug((x),__FILE__,__LINE__)
#define stunnel_read_lock(x) stunnel_read_lock_debug((x),__FILE__,__LINE__)
#define stunnel_write_lock(x) stunnel_write_lock_debug((x),__FILE__,__LINE__)
#define stunnel_read_unlock(x) stunnel_read_unlock_debug((x),__FILE__,__LINE__)
#define stunnel_write_unlock(x) stunnel_write_unlock_debug((x),__FILE__,__LINE__)
#define stunnel_rwlock_destroy(x) stunnel_rwlock_destroy_debug((x),__FILE__,__LINE__)
#if OPENSSL_VERSION_NUMBER<0x10100004L
#define CRYPTO_atomic_add(addr,amount,result,type) \
*result = type ? CRYPTO_add(addr,amount,type) : (*addr+=amount)
#endif
#else /* defined(USE_PTHREAD) || defined(USE_WIN32) */
#define stunnel_rwlock_init(x) {}
#define stunnel_read_lock(x) {}
#define stunnel_write_lock(x) {}
#define stunnel_read_unlock(x) {}
#define stunnel_write_unlock(x) {}
#define stunnel_rwlock_destroy(x) {}
#endif /* defined(USE_PTHREAD) || defined(USE_WIN32) */
void enter_critical_section(SECTION_CODE);
void leave_critical_section(SECTION_CODE);
int sthreads_init(void);
unsigned long stunnel_process_id(void);
unsigned long stunnel_thread_id(void);
int create_client(int, int, CLI *, void *(*)(void *));
int create_client(SOCKET, SOCKET, CLI *, void *(*)(void *));
#ifdef USE_UCONTEXT
typedef struct CONTEXT_STRUCTURE {
char *stack; /* CPU stack for this thread */
@ -534,7 +707,7 @@ typedef struct CONTEXT_STRUCTURE {
int ready; /* number of ready file descriptors */
time_t finish; /* when to finish poll() for this context */
struct CONTEXT_STRUCTURE *next; /* next context on a list */
void *tls; /* thread local storage for str.c */
void *tls; /* thread local storage for tls.c */
} CONTEXT;
extern CONTEXT *ready_head, *ready_tail;
extern CONTEXT *waiting_head, *waiting_tail;
@ -547,32 +720,20 @@ void _endthread(void);
void stack_info(int);
#endif
/**************************************** prototypes for gui.c */
#ifdef USE_WIN32
void message_box(const LPSTR, const UINT);
void win_new_chain(int);
void win_new_log(char *);
void win_new_config(void);
int passwd_cb(char *, int, int, void *);
#ifdef HAVE_OSSL_ENGINE_H
int pin_cb(UI *, UI_STRING *);
#endif
#endif /* USE_WIN32 */
/**************************************** prototypes for file.c */
#ifndef USE_WIN32
DISK_FILE *file_fdopen(int);
#endif
DISK_FILE *file_open(char *, int);
DISK_FILE *file_open(char *, FILE_MODE mode);
void file_close(DISK_FILE *);
int file_getline(DISK_FILE *, char *, int);
int file_putline(DISK_FILE *, char *);
ssize_t file_getline(DISK_FILE *, char *, int);
ssize_t file_putline(DISK_FILE *, char *);
int file_permissions(const char *);
#ifdef USE_WIN32
LPTSTR str2tstr(const LPSTR);
LPSTR tstr2str(const LPTSTR);
LPTSTR str2tstr(LPCSTR);
LPSTR tstr2str(LPCTSTR);
#endif
/**************************************** prototypes for libwrap.c */
@ -580,21 +741,33 @@ LPSTR tstr2str(const LPTSTR);
int libwrap_init();
void libwrap_auth(CLI *, char *);
/**************************************** prototypes for tls.c */
extern volatile int tls_initialized;
void tls_init();
TLS_DATA *tls_alloc(CLI *, TLS_DATA *, char *);
void tls_cleanup();
void tls_set(TLS_DATA *);
TLS_DATA *tls_get();
/**************************************** prototypes for str.c */
void str_init();
void str_canary_init();
void str_cleanup();
void str_stats();
void *str_alloc_debug(size_t, char *, int);
#define str_alloc(a) str_alloc_debug((a), __FILE__, __LINE__)
void *str_realloc_debug(void *, size_t, char *, int);
#define str_realloc(a, b) str_realloc_debug((a), (b), __FILE__, __LINE__)
void str_detach_debug(void *, char *, int);
#define str_detach(a) str_detach_debug((a), __FILE__, __LINE__)
void str_free_debug(void *, char *, int);
#define str_free(a) str_free_debug((a), __FILE__, __LINE__), (a)=NULL
char *str_dup(const char *);
extern TLS_DATA *ui_tls;
typedef struct alloc_list_struct ALLOC_LIST;
struct tls_data_struct {
ALLOC_LIST *alloc_head;
size_t alloc_bytes, alloc_blocks;
CLI *c;
SERVICE_OPTIONS *opt;
char *id;
};
void str_init(TLS_DATA *);
void str_cleanup(TLS_DATA *);
char *str_dup_debug(const char *, const char *, int);
#define str_dup(a) str_dup_debug((a), __FILE__, __LINE__)
char *str_vprintf(const char *, va_list);
char *str_printf(const char *, ...)
#ifdef __GNUC__
@ -602,6 +775,47 @@ char *str_printf(const char *, ...)
#else
;
#endif
#ifdef USE_WIN32
LPTSTR str_tprintf(LPCTSTR, ...);
#endif
void str_canary_init();
void str_stats();
void *str_alloc_debug(size_t, const char *, int);
#define str_alloc(a) str_alloc_debug((a), __FILE__, __LINE__)
void *str_alloc_detached_debug(size_t, const char *, int);
#define str_alloc_detached(a) str_alloc_detached_debug((a), __FILE__, __LINE__)
void *str_realloc_detached_debug(void *, size_t, const char *, int);
void *str_realloc_debug(void *, size_t, const char *, int);
#define str_realloc(a, b) str_realloc_debug((a), (b), __FILE__, __LINE__)
void str_detach_debug(void *, const char *, int);
#define str_detach(a) str_detach_debug((a), __FILE__, __LINE__)
void str_free_debug(void *, const char *, int);
#define str_free(a) str_free_debug((a), __FILE__, __LINE__), (a)=NULL
#define str_free_expression(a) str_free_debug((a), __FILE__, __LINE__)
int safe_memcmp(const void *, const void *, size_t);
/**************************************** prototypes for ui_*.c */
void ui_config_reloaded(void);
void ui_new_chain(const unsigned);
void ui_clients(const long);
void ui_new_log(const char *);
#ifdef USE_WIN32
void message_box(LPCTSTR, const UINT);
#endif /* USE_WIN32 */
int ui_passwd_cb(char *, int, int, void *);
#ifndef OPENSSL_NO_ENGINE
UI_METHOD *UI_stunnel(void);
#endif /* !defined(OPENSSL_NO_ENGINE) */
#ifdef ICON_IMAGE
ICON_IMAGE load_icon_default(ICON_TYPE);
ICON_IMAGE load_icon_file(const char *);
#endif
#endif /* defined PROTOTYPES_H */

10
src/pty.c
View File

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@ -177,11 +177,11 @@ int pty_allocate(int *ptyfd, int *ttyfd, char *namebuf) {
#else /* HAVE_DEV_PTS_AND_PTC */
/* BSD-style pty code. */
char buf[64];
int i;
size_t i;
const char *ptymajors="pqrstuvwxyzabcdefghijklmnoABCDEFGHIJKLMNOPQRSTUVWXYZ";
const char *ptyminors="0123456789abcdef";
int num_minors=strlen(ptyminors);
int num_ptys=strlen(ptymajors)*num_minors;
size_t num_minors=strlen(ptyminors);
size_t num_ptys=strlen(ptymajors)*num_minors;
for(i=0; i<num_ptys; i++) {
#ifdef HAVE_SNPRINTF

337
src/resolver.c
View File

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@ -40,8 +40,11 @@
/**************************************** prototypes */
static int name2addrlist(SOCKADDR_LIST *, char *, char *);
static int hostport2addrlist(SOCKADDR_LIST *, char *, char *);
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
NOEXPORT int get_ipv6(LPTSTR);
#endif
NOEXPORT void addrlist2addr(SOCKADDR_UNION *, SOCKADDR_LIST *);
NOEXPORT void addrlist_reset(SOCKADDR_LIST *);
#ifndef HAVE_GETADDRINFO
@ -72,11 +75,15 @@ struct addrinfo {
};
#endif
static int getaddrinfo(const char *, const char *,
#ifndef AI_PASSIVE
#define AI_PASSIVE 1
#endif
NOEXPORT int getaddrinfo(const char *, const char *,
const struct addrinfo *, struct addrinfo **);
static int alloc_addresses(struct hostent *, const struct addrinfo *,
NOEXPORT int alloc_addresses(struct hostent *, const struct addrinfo *,
u_short port, struct addrinfo **, struct addrinfo **);
static void freeaddrinfo(struct addrinfo *);
NOEXPORT void freeaddrinfo(struct addrinfo *);
#endif /* !defined HAVE_GETADDRINFO */
@ -90,75 +97,92 @@ GETNAMEINFO s_getnameinfo;
void resolver_init() {
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
HINSTANCE handle;
handle=LoadLibrary("ws2_32.dll"); /* IPv6 in Windows XP or higher */
if(handle) {
s_getaddrinfo=(GETADDRINFO)GetProcAddress(handle, "getaddrinfo");
s_freeaddrinfo=(FREEADDRINFO)GetProcAddress(handle, "freeaddrinfo");
s_getnameinfo=(GETNAMEINFO)GetProcAddress(handle, "getnameinfo");
if(s_getaddrinfo && s_freeaddrinfo && s_getnameinfo)
return; /* IPv6 detected -> OK */
FreeLibrary(handle);
}
handle=LoadLibrary("wship6.dll"); /* experimental IPv6 for Windows 2000 */
if(handle) {
s_getaddrinfo=(GETADDRINFO)GetProcAddress(handle, "getaddrinfo");
s_freeaddrinfo=(FREEADDRINFO)GetProcAddress(handle, "freeaddrinfo");
s_getnameinfo=(GETNAMEINFO)GetProcAddress(handle, "getnameinfo");
if(s_getaddrinfo && s_freeaddrinfo && s_getnameinfo)
return; /* IPv6 detected -> OK */
FreeLibrary(handle);
}
s_getaddrinfo=NULL;
s_freeaddrinfo=NULL;
s_getnameinfo=NULL;
if(get_ipv6(TEXT("ws2_32.dll"))) /* IPv6 in Windows XP or higher */
return;
if(get_ipv6(TEXT("wship6.dll"))) /* experimental IPv6 for Windows 2000 */
return;
/* fall back to the built-in emulation */
#endif
}
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
NOEXPORT int get_ipv6(LPTSTR file) {
HINSTANCE handle;
handle=LoadLibrary(file);
if(!handle)
return 0;
s_getaddrinfo=(GETADDRINFO)GetProcAddress(handle, "getaddrinfo");
s_freeaddrinfo=(FREEADDRINFO)GetProcAddress(handle, "freeaddrinfo");
s_getnameinfo=(GETNAMEINFO)GetProcAddress(handle, "getnameinfo");
if(!s_getaddrinfo || !s_freeaddrinfo || !s_getnameinfo) {
s_getaddrinfo=NULL;
s_freeaddrinfo=NULL;
s_getnameinfo=NULL;
FreeLibrary(handle);
return 0;
}
return 1; /* IPv6 detected -> OK */
}
#endif
/**************************************** stunnel resolver API */
int name2addr(SOCKADDR_UNION *addr, char *name, char *default_host) {
SOCKADDR_LIST addr_list;
int retval;
unsigned name2addr(SOCKADDR_UNION *addr, char *name, int passive) {
SOCKADDR_LIST *addr_list;
unsigned retval;
addr_list.num=0;
addr_list.addr=NULL;
retval=name2addrlist(&addr_list, name, default_host);
if(retval>0)
memcpy(addr, &addr_list.addr[0], sizeof *addr);
if(addr_list.addr)
str_free(addr_list.addr);
addr_list=str_alloc(sizeof(SOCKADDR_LIST));
addrlist_clear(addr_list, passive);
retval=name2addrlist(addr_list, name);
if(retval)
addrlist2addr(addr, addr_list);
str_free(addr_list->addr);
str_free(addr_list->session);
str_free(addr_list);
return retval;
}
int hostport2addr(SOCKADDR_UNION *addr, char *hostname, char *portname) {
SOCKADDR_LIST addr_list;
int retval;
unsigned hostport2addr(SOCKADDR_UNION *addr,
char *host_name, char *port_name, int passive) {
SOCKADDR_LIST *addr_list;
unsigned num;
addr_list.num=0;
addr_list.addr=NULL;
retval=hostport2addrlist(&addr_list, hostname, portname);
if(retval>0)
memcpy(addr, &addr_list.addr[0], sizeof *addr);
if(addr_list.addr)
str_free(addr_list.addr);
return retval;
addr_list=str_alloc(sizeof(SOCKADDR_LIST));
addrlist_clear(addr_list, passive);
num=hostport2addrlist(addr_list, host_name, port_name);
if(num)
addrlist2addr(addr, addr_list);
str_free(addr_list->addr);
str_free(addr_list->session);
str_free(addr_list);
return num;
}
int namelist2addrlist(SOCKADDR_LIST *addr_list, NAME_LIST *name_list, char *default_host) {
/* recursive implementation to reverse the list */
if(!name_list)
return 0;
return namelist2addrlist(addr_list, name_list->next, default_host) +
name2addrlist(addr_list, name_list->name, default_host);
NOEXPORT void addrlist2addr(SOCKADDR_UNION *addr, SOCKADDR_LIST *addr_list) {
unsigned i;
for(i=0; i<addr_list->num; ++i) { /* find the first IPv4 address */
if(addr_list->addr[i].in.sin_family==AF_INET) {
memcpy(addr, &addr_list->addr[i], sizeof(SOCKADDR_UNION));
return;
}
}
#ifdef USE_IPv6
for(i=0; i<addr_list->num; ++i) { /* find the first IPv6 address */
if(addr_list->addr[i].in.sin_family==AF_INET6) {
memcpy(addr, &addr_list->addr[i], sizeof(SOCKADDR_UNION));
return;
}
}
#endif
/* copy the first address resolved (currently AF_UNIX) */
memcpy(addr, &addr_list->addr[0], sizeof(SOCKADDR_UNION));
}
static int name2addrlist(SOCKADDR_LIST *addr_list, char *name, char *default_host) {
char *tmp, *hostname, *portname;
int retval;
addr_list->cur=0; /* reset round-robin counter */
unsigned name2addrlist(SOCKADDR_LIST *addr_list, char *name) {
char *tmp, *host_name, *port_name;
unsigned num;
/* first check if this is a UNIX socket */
#ifdef HAVE_STRUCT_SOCKADDR_UN
@ -172,58 +196,87 @@ static int name2addrlist(SOCKADDR_LIST *addr_list, char *name, char *default_hos
(addr_list->num+1)*sizeof(SOCKADDR_UNION));
addr_list->addr[addr_list->num].un.sun_family=AF_UNIX;
strcpy(addr_list->addr[addr_list->num].un.sun_path, name);
return ++(addr_list->num); /* ok - return the number of addresses */
addr_list->session=str_realloc(addr_list->session,
(addr_list->num+1)*sizeof(SSL_SESSION *));
addr_list->session[addr_list->num]=NULL;
++(addr_list->num);
return 1; /* ok - return the number of new addresses */
}
#endif
/* set hostname and portname */
/* setup host_name and port_name */
tmp=str_dup(name);
portname=strrchr(tmp, ':');
if(portname) {
hostname=tmp;
*portname++='\0';
port_name=strrchr(tmp, ':');
if(port_name) {
host_name=tmp;
*port_name++='\0';
} else { /* no ':' - use default host IP */
hostname=default_host;
portname=tmp;
host_name=NULL;
port_name=tmp;
}
/* fill addr_list structure */
retval=hostport2addrlist(addr_list, hostname, portname);
num=hostport2addrlist(addr_list, host_name, port_name);
str_free(tmp);
return retval;
return num; /* ok - return the number of new addresses */
}
static int hostport2addrlist(SOCKADDR_LIST *addr_list,
char *hostname, char *portname) {
unsigned hostport2addrlist(SOCKADDR_LIST *addr_list,
char *host_name, char *port_name) {
struct addrinfo hints, *res=NULL, *cur;
int err, retries=0;
int err, retry=0;
unsigned num=0;
memset(&hints, 0, sizeof hints);
#if defined(USE_IPv6) || defined(USE_WIN32)
hints.ai_family=PF_UNSPEC;
hints.ai_family=AF_UNSPEC;
#else
hints.ai_family=PF_INET;
hints.ai_family=AF_INET;
#endif
hints.ai_socktype=SOCK_STREAM;
hints.ai_protocol=IPPROTO_TCP;
for(;;) {
err=getaddrinfo(hostname, portname, &hints, &res);
if(err && res)
freeaddrinfo(res);
if(err!=EAI_AGAIN || ++retries>=3)
break;
s_log(LOG_DEBUG, "getaddrinfo: EAI_AGAIN received: retrying");
sleep(1);
hints.ai_flags=0;
if(addr_list->passive) {
hints.ai_family=AF_INET; /* first try IPv4 for passive requests */
hints.ai_flags|=AI_PASSIVE;
}
switch(err) {
case 0:
break; /* success */
case EAI_SERVICE:
s_log(LOG_ERR, "Unknown TCP service '%s'", portname);
#ifdef AI_ADDRCONFIG
hints.ai_flags|=AI_ADDRCONFIG;
#endif
for(;;) {
err=getaddrinfo(host_name, port_name, &hints, &res);
if(!err)
break;
if(res)
freeaddrinfo(res);
if(err==EAI_AGAIN && ++retry<=3) {
s_log(LOG_DEBUG, "getaddrinfo: EAI_AGAIN received: retrying");
sleep(1);
continue;
}
#ifdef AI_ADDRCONFIG
if(hints.ai_flags&AI_ADDRCONFIG) {
hints.ai_flags&=~AI_ADDRCONFIG;
continue; /* retry for unconfigured network interfaces */
}
#endif
#if defined(USE_IPv6) || defined(USE_WIN32)
if(hints.ai_family==AF_INET) {
hints.ai_family=AF_UNSPEC;
continue; /* retry for non-IPv4 addresses */
}
#endif
break;
}
if(err==EAI_SERVICE) {
s_log(LOG_ERR, "Unknown TCP service \"%s\"", port_name);
return 0; /* error */
default:
s_log(LOG_ERR, "Error resolving '%s': %s",
hostname, s_gai_strerror(err));
}
if(err) {
s_log(LOG_ERR, "Error resolving \"%s\": %s",
host_name ? host_name :
(addr_list->passive ? DEFAULT_ANY : DEFAULT_LOOPBACK),
s_gai_strerror(err));
return 0; /* error */
}
@ -236,11 +289,65 @@ static int hostport2addrlist(SOCKADDR_LIST *addr_list,
}
addr_list->addr=str_realloc(addr_list->addr,
(addr_list->num+1)*sizeof(SOCKADDR_UNION));
memcpy(&addr_list->addr[addr_list->num], cur->ai_addr, cur->ai_addrlen);
memcpy(&addr_list->addr[addr_list->num], cur->ai_addr,
(size_t)cur->ai_addrlen);
addr_list->session=str_realloc(addr_list->session,
(addr_list->num+1)*sizeof(SSL_SESSION *));
addr_list->session[addr_list->num]=NULL;
++(addr_list->num);
++num;
}
freeaddrinfo(res);
return addr_list->num; /* ok - return the number of addresses */
return num; /* ok - return the number of new addresses */
}
/* initialize the structure */
void addrlist_clear(SOCKADDR_LIST *addr_list, int passive) {
addrlist_reset(addr_list);
addr_list->names=NULL;
addr_list->passive=passive;
}
/* prepare the structure to resolve new hosts */
NOEXPORT void addrlist_reset(SOCKADDR_LIST *addr_list) {
addr_list->num=0;
addr_list->addr=NULL;
addr_list->session=NULL;
addr_list->rr=0; /* reset the round-robin counter */
addr_list->parent=addr_list; /* allow a copy to locate its parent */
}
unsigned addrlist_dup(SOCKADDR_LIST *dst, const SOCKADDR_LIST *src) {
memcpy(dst, src, sizeof(SOCKADDR_LIST));
if(src->num) { /* already resolved */
dst->addr=str_alloc(src->num*sizeof(SOCKADDR_UNION));
memcpy(dst->addr, src->addr, src->num*sizeof(SOCKADDR_UNION));
} else { /* delayed resolver */
addrlist_resolve(dst);
}
/* we currently don't make a local copy of src->session */
return dst->num;
}
unsigned addrlist_resolve(SOCKADDR_LIST *addr_list) {
unsigned num=0, rnd;
NAME_LIST *host;
addrlist_reset(addr_list);
for(host=addr_list->names; host; host=host->next)
num+=name2addrlist(addr_list, host->name);
switch(num) {
case 0:
case 1:
addr_list->rr=0;
break;
default:
/* randomize the initial value of round-robin counter */
/* ignore the error value and the distribution bias */
RAND_bytes((unsigned char *)&rnd, sizeof rnd);
addr_list->rr=rnd%num;
}
return num;
}
char *s_ntop(SOCKADDR_UNION *addr, socklen_t addrlen) {
@ -283,7 +390,7 @@ socklen_t addr_len(const SOCKADDR_UNION *addr) {
/* implementation is limited to functionality needed by stunnel */
#ifndef HAVE_GETADDRINFO
static int getaddrinfo(const char *node, const char *service,
NOEXPORT int getaddrinfo(const char *node, const char *service,
const struct addrinfo *hints, struct addrinfo **res) {
struct hostent *h;
#ifndef _WIN32_WCE
@ -294,6 +401,8 @@ static int getaddrinfo(const char *node, const char *service,
int retval;
char *tmpstr;
if(!node)
node=(hints->ai_flags & AI_PASSIVE) ? DEFAULT_ANY : DEFAULT_LOOPBACK;
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
if(s_getaddrinfo)
return s_getaddrinfo(node, service, hints, res);
@ -307,7 +416,7 @@ static int getaddrinfo(const char *node, const char *service,
p=getservbyname(service, "tcp");
if(!p)
return EAI_NONAME;
port=p->s_port;
port=(u_short)p->s_port;
#endif /* defined(_WIN32_WCE) */
}
@ -320,7 +429,7 @@ static int getaddrinfo(const char *node, const char *service,
#if defined(USE_IPv6) && !defined(USE_WIN32)
ai->ai_family=AF_INET6;
ai->ai_addrlen=sizeof(struct sockaddr_in6);
ai->ai_addr=str_alloc(ai->ai_addrlen);
ai->ai_addr=str_alloc((size_t)ai->ai_addrlen);
ai->ai_addr->sa_family=AF_INET6;
if(inet_pton(AF_INET6, node,
&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr)>0) {
@ -343,7 +452,7 @@ static int getaddrinfo(const char *node, const char *service,
/* not numerical: need to call resolver library */
*res=NULL;
ai=NULL;
enter_critical_section(CRIT_INET);
stunnel_write_lock(&stunnel_locks[LOCK_INET]);
#ifdef HAVE_GETHOSTBYNAME2
h=gethostbyname2(node, AF_INET6);
if(h) /* some IPv6 addresses found */
@ -361,7 +470,7 @@ static int getaddrinfo(const char *node, const char *service,
#ifdef HAVE_ENDHOSTENT
endhostent();
#endif
leave_critical_section(CRIT_INET);
stunnel_write_unlock(&stunnel_locks[LOCK_INET]);
if(retval) { /* error: free allocated memory */
freeaddrinfo(*res);
*res=NULL;
@ -369,7 +478,7 @@ static int getaddrinfo(const char *node, const char *service,
return retval;
}
static int alloc_addresses(struct hostent *h, const struct addrinfo *hints,
NOEXPORT int alloc_addresses(struct hostent *h, const struct addrinfo *hints,
u_short port, struct addrinfo **head, struct addrinfo **tail) {
int i;
struct addrinfo *ai;
@ -391,25 +500,25 @@ static int alloc_addresses(struct hostent *h, const struct addrinfo *hints,
#if defined(USE_IPv6)
if(h->h_addrtype==AF_INET6) {
ai->ai_addrlen=sizeof(struct sockaddr_in6);
ai->ai_addr=str_alloc(ai->ai_addrlen);
ai->ai_addr=str_alloc((size_t)ai->ai_addrlen);
memcpy(&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr,
h->h_addr_list[i], h->h_length);
h->h_addr_list[i], (size_t)h->h_length);
} else
#endif
{
ai->ai_addrlen=sizeof(struct sockaddr_in);
ai->ai_addr=str_alloc(ai->ai_addrlen);
ai->ai_addr=str_alloc((size_t)ai->ai_addrlen);
memcpy(&((struct sockaddr_in *)ai->ai_addr)->sin_addr,
h->h_addr_list[i], h->h_length);
h->h_addr_list[i], (size_t)h->h_length);
}
ai->ai_addr->sa_family=h->h_addrtype;
ai->ai_addr->sa_family=(u_short)h->h_addrtype;
/* offsets of sin_port and sin6_port should be the same */
((struct sockaddr_in *)ai->ai_addr)->sin_port=port;
}
return 0; /* success */
}
static void freeaddrinfo(struct addrinfo *current) {
NOEXPORT void freeaddrinfo(struct addrinfo *current) {
struct addrinfo *next;
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
@ -419,10 +528,8 @@ static void freeaddrinfo(struct addrinfo *current) {
}
#endif
while(current) {
if(current->ai_addr)
str_free(current->ai_addr);
if(current->ai_canonname)
str_free(current->ai_canonname);
str_free(current->ai_addr);
str_free(current->ai_canonname);
next=current->ai_next;
str_free(current);
current=next;
@ -484,8 +591,8 @@ const char *s_gai_strerror(int err) {
/* implementation is limited to functionality needed by stunnel */
#ifndef HAVE_GETNAMEINFO
int getnameinfo(const struct sockaddr *sa, int salen,
char *host, int hostlen, char *serv, int servlen, int flags) {
int getnameinfo(const struct sockaddr *sa, socklen_t salen,
char *host, size_t hostlen, char *serv, size_t servlen, int flags) {
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
if(s_getnameinfo)
@ -498,10 +605,10 @@ int getnameinfo(const struct sockaddr *sa, int salen,
(void *)&((struct sockaddr_in *)sa)->sin_addr,
host, hostlen);
#else /* USE_IPv6 */
enter_critical_section(CRIT_INET); /* inet_ntoa is not mt-safe */
stunnel_write_lock(&stunnel_locks[LOCK_INET]); /* inet_ntoa is not mt-safe */
strncpy(host, inet_ntoa(((struct sockaddr_in *)sa)->sin_addr),
hostlen);
leave_critical_section(CRIT_INET);
stunnel_write_unlock(&stunnel_locks[LOCK_INET]);
host[hostlen-1]='\0';
#endif /* USE_IPv6 */
}

10
src/resources.h
View File

@ -1,10 +1,15 @@
#define WM_SYSTRAY (WM_USER+0)
#define WM_VALID_CONFIG (WM_APP+0)
#define WM_INVALID_CONFIG (WM_APP+1)
#define WM_LOG (WM_APP+2)
#define WM_NEW_CHAIN (WM_APP+3)
#define WM_CLIENTS (WM_APP+4)
#define IDI_MYICON 10
#define IDI_STUNNEL_MAIN 10
#define IDI_STUNNEL_ACTIVE 11
#define IDI_STUNNEL_ERROR 12
#define IDI_STUNNEL_IDLE 13
#define IDE_EDIT 20
#define IDE_PASSEDIT 21
@ -26,3 +31,6 @@
#define IDM_HOMEPAGE 52
#define IDM_PEER_MENU 60
#define IDS_SERVICE_DESC 70

75
src/resources.rc
View File

@ -4,7 +4,7 @@
VS_VERSION_INFO VERSIONINFO
FILEVERSION STUNNEL_VERSION_FIELDS
PRODUCTVERSION STUNNEL_VERSION_FIELDS
PRODUCTVERSION STUNNEL_VERSION_FIELDS
FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
FILEFLAGS 0
FILEOS VOS__WINDOWS32
@ -16,10 +16,10 @@ BEGIN
BLOCK "040904E4"
BEGIN
VALUE "CompanyName", "Michal Trojnara"
VALUE "FileDescription", "stunnel - multiplatform SSL tunneling proxy"
VALUE "FileDescription", "stunnel - TLS offloading and load-balancing proxy"
VALUE "FileVersion", STUNNEL_VERSION
VALUE "InternalName", "stunnel"
VALUE "LegalCopyright", "© by Michal Trojnara, 1998-2013"
VALUE "LegalCopyright", "© by Michal Trojnara, 1998-2017"
VALUE "OriginalFilename", "stunnel.exe"
VALUE "ProductName", STUNNEL_PRODUCTNAME
VALUE "ProductVersion", STUNNEL_VERSION
@ -31,7 +31,10 @@ BEGIN
END
END
IDI_MYICON ICON "stunnel.ico"
IDI_STUNNEL_MAIN ICON "stunnel.ico"
IDI_STUNNEL_ACTIVE ICON "active.ico"
IDI_STUNNEL_ERROR ICON "error.ico"
IDI_STUNNEL_IDLE ICON "idle.ico"
IDM_MAINMENU MENU
BEGIN
@ -40,18 +43,28 @@ BEGIN
MENUITEM "&Save Log As", IDM_SAVE_LOG
MENUITEM "Reopen &Log File", IDM_REOPEN_LOG, GRAYED
MENUITEM SEPARATOR
MENUITEM "E&xit", IDM_EXIT
MENUITEM SEPARATOR
MENUITEM "&Close", IDM_CLOSE
END
#ifdef _WIN32_WCE
POPUP "&Config"
#else
POPUP "&Configuration"
#endif
BEGIN
MENUITEM "&Edit stunnel.conf", IDM_EDIT_CONFIG
MENUITEM "&Reload stunnel.conf", IDM_RELOAD_CONFIG
MENUITEM "&Edit Configuration", IDM_EDIT_CONFIG
MENUITEM "&Reload Configuration", IDM_RELOAD_CONFIG
END
POPUP "&Save peer certificate"
#ifdef _WIN32_WCE
POPUP "&Save Peer Certs"
#else
POPUP "&Save Peer Certificate"
#endif
BEGIN
MENUITEM "dummy", 0, GRAYED
END
POPUP "&Help", HELP
POPUP "&Help"
BEGIN
MENUITEM "&About", IDM_ABOUT
MENUITEM SEPARATOR
@ -66,13 +79,13 @@ BEGIN
BEGIN
MENUITEM "Show Log &Window", IDM_SHOW_LOG
MENUITEM SEPARATOR
POPUP "&Save peer certificate"
POPUP "&Save Peer Certificate"
BEGIN
MENUITEM "dummy", 0, GRAYED
END
MENUITEM SEPARATOR
MENUITEM "&Edit stunnel.conf", IDM_EDIT_CONFIG
MENUITEM "&Reload stunnel.conf", IDM_RELOAD_CONFIG
MENUITEM "&Edit Configuration", IDM_EDIT_CONFIG
MENUITEM "&Reload Configuration", IDM_RELOAD_CONFIG
MENUITEM "Reopen &Log File", IDM_REOPEN_LOG, GRAYED
MENUITEM SEPARATOR
MENUITEM "&Homepage", IDM_HOMEPAGE
@ -86,36 +99,44 @@ END
ABOUTBOX DIALOG DISCARDABLE 0, 0, 140, 68
STYLE DS_MODALFRAME|DS_CENTER|WS_POPUP|WS_CAPTION|WS_SYSMENU
CAPTION "About stunnel"
FONT 8, "MS Sans Serif"
BEGIN
ICON IDI_MYICON, -1, 9, 8, 18, 20
LTEXT "stunnel version", -1, 30, 4, 52, 8
LTEXT STUNNEL_VERSION, -1, 82, 4, 54, 8
LTEXT "© by Michal Trojnara, 1998-2013", -1, 30, 12, 106, 8
ICON IDI_STUNNEL_MAIN, -1, 6, 6, 20, 20
LTEXT "stunnel version", -1, 30, 4, 49, 8
LTEXT STUNNEL_VERSION, -1, 79, 4, 57, 8
LTEXT "© by Michal Trojnara, 1998-2017", -1, 30, 12, 106, 8
LTEXT "All Rights Reserved", -1, 30, 20, 106, 8
LTEXT "Licensed under the GNU GPL version 2", -1, 4, 28, 132, 8
LTEXT "with a special exception for OpenSSL", -1, 4, 36, 132, 8
DEFPUSHBUTTON "OK",IDOK, 54, 48, 32, 14, WS_GROUP
END
PASSBOX DIALOG DISCARDABLE 0, 0, 158, 51
PASSBOX DIALOG DISCARDABLE 0, 0, 156, 51
STYLE DS_MODALFRAME|DS_CENTER|WS_POPUP|WS_CAPTION|WS_SYSMENU
CAPTION ""
FONT 8, "MS Sans Serif"
BEGIN
ICON IDI_MYICON, -1, 8, 6, 18, 20
LTEXT "Pass phrase:", -1, 33, 9, 50, 8
EDITTEXT IDE_PASSEDIT, 86, 7, 65, 12, ES_PASSWORD|ES_AUTOHSCROLL
DEFPUSHBUTTON "OK",IDOK, 7, 30, 50, 14
PUSHBUTTON "Cancel",IDCANCEL, 101, 30, 50, 14
ICON IDI_STUNNEL_MAIN, -1, 6, 6, 20, 20
LTEXT "Key passphrase:", -1, 30, 13, 56, 8
EDITTEXT IDE_PASSEDIT, 86, 11, 64, 12, ES_PASSWORD|ES_AUTOHSCROLL
DEFPUSHBUTTON "OK",IDOK, 6, 30, 50, 14
PUSHBUTTON "Cancel",IDCANCEL, 100, 30, 50, 14
END
PINBOX DIALOG DISCARDABLE 0, 0, 158, 51
PINBOX DIALOG DISCARDABLE 0, 0, 156, 51
STYLE DS_MODALFRAME|DS_CENTER|WS_POPUP|WS_CAPTION|WS_SYSMENU
CAPTION ""
FONT 8, "MS Sans Serif"
BEGIN
ICON IDI_MYICON, -1, 8, 6, 18, 20
LTEXT "SmartCard PIN:", -1, 33, 9, 50, 8
EDITTEXT IDE_PINEDIT, 86, 7, 65, 12, ES_PASSWORD|ES_AUTOHSCROLL
DEFPUSHBUTTON "OK",IDOK, 7, 30, 50, 14
PUSHBUTTON "Cancel",IDCANCEL, 101, 30, 50, 14
ICON IDI_STUNNEL_MAIN, -1, 6, 6, 20, 20
LTEXT "SmartCard PIN:", -1, 30, 13, 56, 8
EDITTEXT IDE_PINEDIT, 86, 11, 64, 12, ES_PASSWORD|ES_AUTOHSCROLL
DEFPUSHBUTTON "OK",IDOK, 6, 30, 50, 14
PUSHBUTTON "Cancel",IDCANCEL, 100, 30, 50, 14
END
STRINGTABLE
BEGIN
IDS_SERVICE_DESC "TLS offloading and load-balancing proxy"
END

198
src/ssl.c
View File

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@ -38,54 +38,117 @@
#include "common.h"
#include "prototypes.h"
/* global OpenSSL initalization: compression, engine, entropy */
static int init_compression(GLOBAL_OPTIONS *);
static int init_prng(GLOBAL_OPTIONS *);
static int add_rand_file(GLOBAL_OPTIONS *, const char *);
/* global OpenSSL initialization: compression, engine, entropy */
NOEXPORT void cb_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
int idx, long argl, void *argp);
#ifndef OPENSSL_NO_COMP
NOEXPORT int compression_init(GLOBAL_OPTIONS *);
#endif
NOEXPORT int prng_init(GLOBAL_OPTIONS *);
NOEXPORT int add_rand_file(GLOBAL_OPTIONS *, const char *);
int cli_index, opt_index; /* to keep structure for callbacks */
int index_ssl_cli, index_ssl_ctx_opt;
int index_session_authenticated, index_session_connect_address;
int ssl_init(void) { /* init SSL before parsing configuration file */
int ssl_init(void) { /* init TLS before parsing configuration file */
#if OPENSSL_VERSION_NUMBER>=0x10100000L
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS |
OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
#else
SSL_load_error_strings();
SSL_library_init();
cli_index=SSL_get_ex_new_index(0, "cli index", NULL, NULL, NULL);
opt_index=SSL_CTX_get_ex_new_index(0, "opt index", NULL, NULL, NULL);
if(cli_index<0 || opt_index<0)
#endif
index_ssl_cli=SSL_get_ex_new_index(0,
"CLI pointer", NULL, NULL, NULL);
index_ssl_ctx_opt=SSL_CTX_get_ex_new_index(0,
"SERVICE_OPTIONS pointer", NULL, NULL, NULL);
index_session_authenticated=SSL_SESSION_get_ex_new_index(0,
"session authenticated", NULL, NULL, NULL);
index_session_connect_address=SSL_SESSION_get_ex_new_index(0,
"session connect address", NULL, NULL, cb_free);
if(index_ssl_cli<0 || index_ssl_ctx_opt<0 ||
index_session_authenticated<0 ||
index_session_connect_address<0) {
s_log(LOG_ERR, "Application specific data initialization failed");
return 1;
#ifdef HAVE_OSSL_ENGINE_H
}
#ifndef OPENSSL_NO_ENGINE
ENGINE_load_builtin_engines();
#endif
#ifndef OPENSSL_NO_DH
dh_params=get_dh2048();
if(!dh_params) {
s_log(LOG_ERR, "Failed to get default DH parameters");
return 1;
}
#endif /* OPENSSL_NO_DH */
return 0;
}
int ssl_configure(GLOBAL_OPTIONS *global) { /* configure global SSL settings */
#ifndef OPENSSL_NO_DH
#if OPENSSL_VERSION_NUMBER<0x10100000L
/* this is needed for dhparam.c generated with OpenSSL >= 1.1.0
* to be linked against the older versions */
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
if(!p || !g) /* q is optional */
return 0;
BN_free(dh->p);
BN_free(dh->q);
BN_free(dh->g);
dh->p = p;
dh->q = q;
dh->g = g;
if(q)
dh->length = BN_num_bits(q);
return 1;
}
#endif
#endif
NOEXPORT void cb_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
int idx, long argl, void *argp) {
(void)parent; /* squash the unused parameter warning */
(void)ad; /* squash the unused parameter warning */
(void)idx; /* squash the unused parameter warning */
(void)argl; /* squash the unused parameter warning */
s_log(LOG_DEBUG, "Deallocating application specific data for %s",
(char *)argp);
str_free(ptr);
}
int ssl_configure(GLOBAL_OPTIONS *global) { /* configure global TLS settings */
#ifdef USE_FIPS
if(FIPS_mode()!=global->option.fips) {
RAND_set_rand_method(NULL); /* reset RAND methods */
if(!FIPS_mode_set(global->option.fips)) {
#if OPENSSL_VERSION_NUMBER>=0x10100000L
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
#else
ERR_load_crypto_strings();
#endif
sslerror("FIPS_mode_set");
return 1;
}
}
s_log(LOG_NOTICE, "FIPS mode is %s",
s_log(LOG_NOTICE, "FIPS mode %s",
global->option.fips ? "enabled" : "disabled");
#endif /* USE_FIPS */
if(init_compression(global))
#ifndef OPENSSL_NO_COMP
if(compression_init(global))
return 1;
if(init_prng(global))
#endif /* OPENSSL_NO_COMP */
if(prng_init(global))
return 1;
s_log(LOG_DEBUG, "PRNG seeded successfully");
return 0; /* SUCCESS */
}
static int init_compression(GLOBAL_OPTIONS *global) {
#ifndef OPENSSL_NO_COMP
SSL_COMP *comp;
STACK_OF(SSL_COMP) *ssl_comp_methods;
NOEXPORT int compression_init(GLOBAL_OPTIONS *global) {
STACK_OF(SSL_COMP) *methods;
ssl_comp_methods=SSL_COMP_get_compression_methods();
if(!ssl_comp_methods) {
methods=SSL_COMP_get_compression_methods();
if(!methods) {
if(global->compression==COMP_NONE) {
s_log(LOG_NOTICE, "Failed to get compression methods");
return 0; /* ignore */
@ -95,73 +158,47 @@ static int init_compression(GLOBAL_OPTIONS *global) {
}
}
/* delete OpenSSL defaults (empty the SSL_COMP stack) */
/* cannot use sk_SSL_COMP_pop_free, as it also destroys the stack itself */
while(sk_SSL_COMP_num(ssl_comp_methods))
OPENSSL_free(sk_SSL_COMP_pop(ssl_comp_methods));
if(global->compression==COMP_NONE ||
OpenSSL_version_num()<0x00908051L /* 0.9.8e-beta1 */) {
/* delete OpenSSL defaults (empty the SSL_COMP stack) */
/* cannot use sk_SSL_COMP_pop_free,
* as it also destroys the stack itself */
/* only leave the standard RFC 1951 (DEFLATE) algorithm,
* if any of the private algorithms is enabled */
/* only allow DEFLATE with OpenSSL 0.9.8 or later
* with OpenSSL #1468 zlib memory leak fixed */
while(sk_SSL_COMP_num(methods))
OPENSSL_free(sk_SSL_COMP_pop(methods));
}
if(global->compression==COMP_NONE) {
s_log(LOG_DEBUG, "Compression not enabled");
s_log(LOG_DEBUG, "Compression disabled");
return 0; /* success */
}
/* insert RFC 1951 (DEFLATE) algoritm */
if(SSLeay()>=0x00908051L) { /* 0.9.8e-beta1 */
/* only allow DEFLATE with OpenSSL 0.9.8 or later
with openssl #1468 zlib memory leak fixed */
comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
if(!comp) {
s_log(LOG_ERR, "OPENSSL_malloc filed");
return 1;
}
comp->id=1; /* RFC 1951 */
comp->method=COMP_zlib();
if(!comp->method || comp->method->type==NID_undef) {
OPENSSL_free(comp);
s_log(LOG_ERR, "Failed to initialize compression method");
return 1;
}
comp->name=comp->method->name;
sk_SSL_COMP_push(ssl_comp_methods, comp);
}
/* also insert one of obsolete (ZLIB/RLE) algoritms */
comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
if(!comp) {
s_log(LOG_ERR, "OPENSSL_malloc filed");
return 1;
}
/* also insert the obsolete ZLIB algorithm */
if(global->compression==COMP_ZLIB) {
comp->id=0xe0; /* 224 - within private range (193 to 255) */
comp->method=COMP_zlib();
} else if(global->compression==COMP_RLE) {
comp->id=0xe1; /* 225 - within private range (193 to 255) */
comp->method=COMP_rle();
} else {
s_log(LOG_INFO, "Compression enabled: %d algorithm(s)",
sk_SSL_COMP_num(ssl_comp_methods));
OPENSSL_free(comp);
return 0;
/* 224 - within the private range (193 to 255) */
COMP_METHOD *meth=COMP_zlib();
#if OPENSSL_VERSION_NUMBER>=0x10100000L
if(!meth || COMP_get_type(meth)==NID_undef) {
#else
if(!meth || meth->type==NID_undef) {
#endif
s_log(LOG_ERR, "ZLIB compression is not supported");
return 1;
}
SSL_COMP_add_compression_method(0xe0, meth);
}
if(!comp->method || comp->method->type==NID_undef) {
OPENSSL_free(comp);
s_log(LOG_ERR, "Failed to initialize compression method");
return 1;
}
comp->name=comp->method->name;
sk_SSL_COMP_push(ssl_comp_methods, comp);
s_log(LOG_INFO, "Compression enabled: %d algorithm(s)",
sk_SSL_COMP_num(ssl_comp_methods));
#endif /* OPENSSL_NO_COMP */
s_log(LOG_INFO, "Compression enabled: %d method(s)",
sk_SSL_COMP_num(methods));
return 0; /* success */
}
#endif /* OPENSSL_NO_COMP */
static int init_prng(GLOBAL_OPTIONS *global) {
NOEXPORT int prng_init(GLOBAL_OPTIONS *global) {
int totbytes=0;
char filename[256];
int bytes;
bytes=0; /* avoid warning if #ifdef'd out for windows */
filename[0]='\0';
@ -195,8 +232,10 @@ static int init_prng(GLOBAL_OPTIONS *global) {
}
s_log(LOG_DEBUG, "RAND_screen failed to sufficiently seed PRNG");
#else
#ifndef OPENSSL_NO_EGD
if(global->egd_sock) {
if((bytes=RAND_egd(global->egd_sock))==-1) {
int bytes=RAND_egd(global->egd_sock);
if(bytes==-1) {
s_log(LOG_WARNING, "EGD Socket %s failed", global->egd_sock);
bytes=0;
} else {
@ -207,6 +246,7 @@ static int init_prng(GLOBAL_OPTIONS *global) {
so no need to check if seeded sufficiently */
}
}
#endif
/* try the good-old default /dev/urandom, if available */
totbytes+=add_rand_file(global, "/dev/urandom");
if(RAND_status())
@ -219,7 +259,7 @@ static int init_prng(GLOBAL_OPTIONS *global) {
return 1; /* FAILED */
}
static int add_rand_file(GLOBAL_OPTIONS *global, const char *filename) {
NOEXPORT int add_rand_file(GLOBAL_OPTIONS *global, const char *filename) {
int readbytes;
int writebytes;
struct stat sb;
@ -233,7 +273,7 @@ static int add_rand_file(GLOBAL_OPTIONS *global, const char *filename) {
s_log(LOG_INFO, "Cannot retrieve any random data from %s",
filename);
/* write new random data for future seeding if it's a regular file */
if(global->option.rand_write && (sb.st_mode & S_IFREG)) {
if(global->option.rand_write && S_ISREG(sb.st_mode)) {
writebytes=RAND_write_file(filename);
if(writebytes==-1)
s_log(LOG_WARNING, "Failed to write strong random data to %s - "

518
src/sthreads.c
View File

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@ -43,19 +43,256 @@
#include "common.h"
#include "prototypes.h"
/**************************************** thread ID callbacks */
#ifdef USE_UCONTEXT
unsigned long stunnel_process_id(void) {
return (unsigned long)getpid();
}
unsigned long stunnel_thread_id(void) {
return ready_head ? ready_head->id : 0;
}
#endif /* USE_UCONTEXT */
#ifdef USE_FORK
unsigned long stunnel_process_id(void) {
return (unsigned long)getpid();
}
unsigned long stunnel_thread_id(void) {
return 0L;
}
#endif /* USE_FORK */
#ifdef USE_PTHREAD
unsigned long stunnel_process_id(void) {
return (unsigned long)getpid();
}
unsigned long stunnel_thread_id(void) {
#if defined(SYS_gettid) && defined(__linux__)
return (unsigned long)syscall(SYS_gettid);
#else
return (unsigned long)pthread_self();
#endif
}
#endif /* USE_PTHREAD */
#ifdef USE_WIN32
unsigned long stunnel_process_id(void) {
return GetCurrentProcessId() & 0x00ffffff;
}
unsigned long stunnel_thread_id(void) {
return GetCurrentThreadId() & 0x00ffffff;
}
#endif /* USE_WIN32 */
#if OPENSSL_VERSION_NUMBER>=0x10000000L && OPENSSL_VERSION_NUMBER<0x10100004L
NOEXPORT void threadid_func(CRYPTO_THREADID *tid) {
CRYPTO_THREADID_set_numeric(tid, stunnel_thread_id());
}
#endif
void thread_id_init(void) {
#if OPENSSL_VERSION_NUMBER>=0x10000000L && OPENSSL_VERSION_NUMBER<0x10100000L
CRYPTO_THREADID_set_callback(threadid_func);
#endif
#if OPENSSL_VERSION_NUMBER<0x10000000L || !defined(OPENSSL_NO_DEPRECATED)
CRYPTO_set_id_callback(stunnel_thread_id);
#endif
}
/**************************************** locking */
#ifdef USE_PTHREAD
void stunnel_rwlock_init_debug(struct CRYPTO_dynlock_value *lock,
const char *file, int line) {
pthread_rwlock_init(&lock->rwlock, NULL);
lock->init_file=file;
lock->init_line=line;
}
void stunnel_read_lock_debug(struct CRYPTO_dynlock_value *lock,
const char *file, int line) {
pthread_rwlock_rdlock(&lock->rwlock);
lock->read_lock_file=file;
lock->read_lock_line=line;
}
void stunnel_write_lock_debug(struct CRYPTO_dynlock_value *lock,
const char *file, int line) {
pthread_rwlock_wrlock(&lock->rwlock);
lock->write_lock_file=file;
lock->write_lock_line=line;
}
void stunnel_read_unlock_debug(struct CRYPTO_dynlock_value *lock,
const char *file, int line) {
pthread_rwlock_unlock(&lock->rwlock);
lock->read_unlock_file=file;
lock->read_unlock_line=line;
}
void stunnel_write_unlock_debug(struct CRYPTO_dynlock_value *lock,
const char *file, int line) {
pthread_rwlock_unlock(&lock->rwlock);
lock->write_unlock_file=file;
lock->write_unlock_line=line;
}
void stunnel_rwlock_destroy_debug(struct CRYPTO_dynlock_value *lock,
const char *file, int line) {
pthread_rwlock_destroy(&lock->rwlock);
lock->destroy_file=file;
lock->destroy_line=line;
str_free(lock);
}
#endif /* USE_PTHREAD */
#ifdef USE_WIN32
/* Slim Reader/Writer (SRW) Lock would be better than CRITICAL_SECTION,
* but it is unsupported on Windows XP (and earlier versions of Windows):
* https://msdn.microsoft.com/en-us/library/windows/desktop/aa904937%28v=vs.85%29.aspx */
void stunnel_rwlock_init_debug(struct CRYPTO_dynlock_value *lock,
const char *file, int line) {
InitializeCriticalSection(&lock->critical_section);
lock->init_file=file;
lock->init_line=line;
}
void stunnel_read_lock_debug(struct CRYPTO_dynlock_value *lock,
const char *file, int line) {
EnterCriticalSection(&lock->critical_section);
lock->read_lock_file=file;
lock->read_lock_line=line;
}
void stunnel_write_lock_debug(struct CRYPTO_dynlock_value *lock,
const char *file, int line) {
EnterCriticalSection(&lock->critical_section);
lock->write_lock_file=file;
lock->write_lock_line=line;
}
void stunnel_read_unlock_debug(struct CRYPTO_dynlock_value *lock,
const char *file, int line) {
LeaveCriticalSection(&lock->critical_section);
lock->read_unlock_file=file;
lock->read_unlock_line=line;
}
void stunnel_write_unlock_debug(struct CRYPTO_dynlock_value *lock,
const char *file, int line) {
LeaveCriticalSection(&lock->critical_section);
lock->write_unlock_file=file;
lock->write_unlock_line=line;
}
void stunnel_rwlock_destroy_debug(struct CRYPTO_dynlock_value *lock,
const char *file, int line) {
DeleteCriticalSection(&lock->critical_section);
lock->destroy_file=file;
lock->destroy_line=line;
str_free(lock);
}
#endif /* USE_WIN32 */
#if defined(USE_PTHREAD) || defined(USE_WIN32)
struct CRYPTO_dynlock_value stunnel_locks[STUNNEL_LOCKS];
#if OPENSSL_VERSION_NUMBER<0x10100004L
#define CRYPTO_THREAD_lock_new() CRYPTO_get_new_dynlockid()
#endif
#if OPENSSL_VERSION_NUMBER<0x10100004L
static struct CRYPTO_dynlock_value *lock_cs;
NOEXPORT struct CRYPTO_dynlock_value *dyn_create_function(const char *file,
int line) {
struct CRYPTO_dynlock_value *lock;
lock=str_alloc_detached(sizeof(struct CRYPTO_dynlock_value));
stunnel_rwlock_init_debug(lock, file, line);
return lock;
}
NOEXPORT void dyn_lock_function(int mode, struct CRYPTO_dynlock_value *lock,
const char *file, int line) {
if(mode&CRYPTO_LOCK) {
/* either CRYPTO_READ or CRYPTO_WRITE (but not both) are needed */
if(!(mode&CRYPTO_READ)==!(mode&CRYPTO_WRITE))
fatal("Invalid locking mode");
if(mode&CRYPTO_WRITE)
stunnel_write_lock_debug(lock, file, line);
else
stunnel_read_lock_debug(lock, file, line);
} else
stunnel_write_unlock_debug(lock, file, line);
}
NOEXPORT void dyn_destroy_function(struct CRYPTO_dynlock_value *lock,
const char *file, int line) {
stunnel_rwlock_destroy_debug(lock, file, line);
str_free(lock);
}
NOEXPORT void locking_callback(int mode, int type, const char *file, int line) {
dyn_lock_function(mode, lock_cs+type, file, line);
}
#endif /* OPENSSL_VERSION_NUMBER<0x10100004L */
void locking_init(void) {
size_t i;
#if OPENSSL_VERSION_NUMBER<0x10100004L
size_t num;
#endif
/* initialize stunnel critical sections */
for(i=0; i<STUNNEL_LOCKS; i++) /* all the mutexes */
stunnel_rwlock_init(&stunnel_locks[i]);
#if OPENSSL_VERSION_NUMBER<0x10100004L
/* initialize the OpenSSL static locking */
num=(size_t)CRYPTO_num_locks();
lock_cs=str_alloc_detached(num*sizeof(struct CRYPTO_dynlock_value));
for(i=0; i<num; i++)
stunnel_rwlock_init(&lock_cs[i]);
/* initialize the OpenSSL static locking callbacks */
CRYPTO_set_locking_callback(locking_callback);
/* initialize the OpenSSL dynamic locking callbacks */
CRYPTO_set_dynlock_create_callback(dyn_create_function);
CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function);
#endif
}
#endif /* defined(USE_PTHREAD) || defined(USE_WIN32) */
/**************************************** creating a client */
#if defined(USE_UCONTEXT) || defined(USE_FORK)
/* no need for critical sections */
void enter_critical_section(SECTION_CODE i) {
(void)i; /* skip warning about unused parameter */
/* empty */
}
void leave_critical_section(SECTION_CODE i) {
(void)i; /* skip warning about unused parameter */
/* empty */
}
#endif /* USE_UCONTEXT || USE_FORK */
#ifdef USE_UCONTEXT
@ -79,21 +316,12 @@ void leave_critical_section(SECTION_CODE i) {
CONTEXT *ready_head=NULL, *ready_tail=NULL; /* ready to execute */
CONTEXT *waiting_head=NULL, *waiting_tail=NULL; /* waiting on poll() */
unsigned long stunnel_process_id(void) {
return (unsigned long)getpid();
}
unsigned long stunnel_thread_id(void) {
return ready_head ? ready_head->id : 0;
}
static CONTEXT *new_context(void) {
static int next_id=1;
NOEXPORT CONTEXT *new_context(void) {
static unsigned long next_id=1;
CONTEXT *context;
/* allocate and fill the CONTEXT structure */
context=str_alloc(sizeof(CONTEXT));
str_detach(context);
context=str_alloc_detached(sizeof(CONTEXT));
context->id=next_id++;
context->fds=NULL;
context->ready=0;
@ -110,17 +338,20 @@ static CONTEXT *new_context(void) {
}
int sthreads_init(void) {
thread_id_init();
/* create the first (listening) context and put it in the running queue */
if(!new_context()) {
s_log(LOG_ERR, "Cannot create the listening context");
return 1;
}
/* update tls for newly allocated ready_head */
ui_tls=tls_alloc(NULL, ui_tls, "ui");
/* no need to initialize ucontext_t structure here
it will be initialied with swapcontext() call */
return 0;
}
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
int create_client(SOCKET ls, SOCKET s, CLI *arg, void *(*cli)(void *)) {
CONTEXT *context;
(void)ls; /* this parameter is only used with USE_FORK */
@ -128,8 +359,7 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
s_log(LOG_DEBUG, "Creating a new context");
context=new_context();
if(!context) {
if(arg)
str_free(arg);
str_free(arg);
if(s>=0)
closesocket(s);
return -1;
@ -138,8 +368,7 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
/* initialize context_t structure */
if(getcontext(&context->context)<0) {
str_free(context);
if(arg)
str_free(arg);
str_free(arg);
if(s>=0)
closesocket(s);
ioerror("getcontext");
@ -148,8 +377,7 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
context->context.uc_link=NULL; /* stunnel does not use uc_link */
/* create stack */
context->stack=str_alloc(arg->opt->stack_size);
str_detach(context->stack);
context->stack=str_alloc_detached(arg->opt->stack_size);
#if defined(__sgi) || ARGC==2 /* obsolete ss_sp semantics */
context->context.uc_stack.ss_sp=context->stack+arg->opt->stack_size-8;
#else
@ -168,27 +396,19 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
#ifdef USE_FORK
int sthreads_init(void) {
thread_id_init();
return 0;
}
unsigned long stunnel_process_id(void) {
return (unsigned long)getpid();
}
unsigned long stunnel_thread_id(void) {
return 0L;
}
static void null_handler(int sig) {
(void)sig; /* skip warning about unused parameter */
NOEXPORT void null_handler(int sig) {
(void)sig; /* squash the unused parameter warning */
signal(SIGCHLD, null_handler);
}
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
int create_client(SOCKET ls, SOCKET s, CLI *arg, void *(*cli)(void *)) {
switch(fork()) {
case -1: /* error */
if(arg)
str_free(arg);
str_free(arg);
if(s>=0)
closesocket(s);
return -1;
@ -199,8 +419,7 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
cli(arg);
_exit(0);
default: /* parent */
if(arg)
str_free(arg);
str_free(arg);
if(s>=0)
closesocket(s);
}
@ -211,95 +430,18 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
#ifdef USE_PTHREAD
static pthread_mutex_t stunnel_cs[CRIT_SECTIONS];
static pthread_mutex_t lock_cs[CRYPTO_NUM_LOCKS];
void enter_critical_section(SECTION_CODE i) {
pthread_mutex_lock(stunnel_cs+i);
}
void leave_critical_section(SECTION_CODE i) {
pthread_mutex_unlock(stunnel_cs+i);
}
static void locking_callback(int mode, int type, const char *file, int line) {
(void)file; /* skip warning about unused parameter */
(void)line; /* skip warning about unused parameter */
if(mode&CRYPTO_LOCK)
pthread_mutex_lock(lock_cs+type);
else
pthread_mutex_unlock(lock_cs+type);
}
struct CRYPTO_dynlock_value {
pthread_mutex_t mutex;
};
static struct CRYPTO_dynlock_value *dyn_create_function(const char *file,
int line) {
struct CRYPTO_dynlock_value *value;
(void)file; /* skip warning about unused parameter */
(void)line; /* skip warning about unused parameter */
value=str_alloc(sizeof(struct CRYPTO_dynlock_value));
str_detach(value);
pthread_mutex_init(&value->mutex, NULL);
return value;
}
static void dyn_lock_function(int mode, struct CRYPTO_dynlock_value *value,
const char *file, int line) {
(void)file; /* skip warning about unused parameter */
(void)line; /* skip warning about unused parameter */
if(mode&CRYPTO_LOCK)
pthread_mutex_lock(&value->mutex);
else
pthread_mutex_unlock(&value->mutex);
}
static void dyn_destroy_function(struct CRYPTO_dynlock_value *value,
const char *file, int line) {
(void)file; /* skip warning about unused parameter */
(void)line; /* skip warning about unused parameter */
pthread_mutex_destroy(&value->mutex);
str_free(value);
}
unsigned long stunnel_process_id(void) {
return (unsigned long)getpid();
}
unsigned long stunnel_thread_id(void) {
return (unsigned long)pthread_self();
}
int sthreads_init(void) {
int i;
/* initialize stunnel critical sections */
for(i=0; i<CRIT_SECTIONS; i++)
pthread_mutex_init(stunnel_cs+i, NULL);
/* initialize OpenSSL locking callback */
for(i=0; i<CRYPTO_NUM_LOCKS; i++)
pthread_mutex_init(lock_cs+i, NULL);
CRYPTO_set_id_callback(stunnel_thread_id);
CRYPTO_set_locking_callback(locking_callback);
/* initialize OpenSSL dynamic locks callbacks */
CRYPTO_set_dynlock_create_callback(dyn_create_function);
CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function);
thread_id_init();
locking_init();
return 0;
}
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
int create_client(SOCKET ls, SOCKET s, CLI *arg, void *(*cli)(void *)) {
pthread_t thread;
pthread_attr_t pth_attr;
int error;
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
/* Disabled on OS X due to strange problems on Mac OS X 10.5
/* disabled on OS X due to strange problems on Mac OS X 10.5
it seems to restore signal mask somewhere (I couldn't find where)
effectively blocking signals after first accepted connection */
sigset_t new_set, old_set;
@ -325,8 +467,7 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
if(error) {
errno=error;
ioerror("pthread_create");
if(arg)
str_free(arg);
str_free(arg);
if(s>=0)
closesocket(s);
return -1;
@ -338,96 +479,20 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
#ifdef USE_WIN32
static CRITICAL_SECTION stunnel_cs[CRIT_SECTIONS];
static CRITICAL_SECTION lock_cs[CRYPTO_NUM_LOCKS];
void enter_critical_section(SECTION_CODE i) {
EnterCriticalSection(stunnel_cs+i);
}
void leave_critical_section(SECTION_CODE i) {
LeaveCriticalSection(stunnel_cs+i);
}
static void locking_callback(int mode, int type, const char *file, int line) {
(void)file; /* skip warning about unused parameter */
(void)line; /* skip warning about unused parameter */
if(mode&CRYPTO_LOCK)
EnterCriticalSection(lock_cs+type);
else
LeaveCriticalSection(lock_cs+type);
}
struct CRYPTO_dynlock_value {
CRITICAL_SECTION mutex;
};
static struct CRYPTO_dynlock_value *dyn_create_function(const char *file,
int line) {
struct CRYPTO_dynlock_value *value;
(void)file; /* skip warning about unused parameter */
(void)line; /* skip warning about unused parameter */
value=str_alloc(sizeof(struct CRYPTO_dynlock_value));
str_detach(value);
InitializeCriticalSection(&value->mutex);
return value;
}
static void dyn_lock_function(int mode, struct CRYPTO_dynlock_value *value,
const char *file, int line) {
(void)file; /* skip warning about unused parameter */
(void)line; /* skip warning about unused parameter */
if(mode&CRYPTO_LOCK)
EnterCriticalSection(&value->mutex);
else
LeaveCriticalSection(&value->mutex);
}
static void dyn_destroy_function(struct CRYPTO_dynlock_value *value,
const char *file, int line) {
(void)file; /* skip warning about unused parameter */
(void)line; /* skip warning about unused parameter */
DeleteCriticalSection(&value->mutex);
str_free(value);
}
unsigned long stunnel_process_id(void) {
return GetCurrentProcessId() & 0x00ffffff;
}
unsigned long stunnel_thread_id(void) {
return GetCurrentThreadId() & 0x00ffffff;
}
int sthreads_init(void) {
int i;
/* initialize stunnel critical sections */
for(i=0; i<CRIT_SECTIONS; i++)
InitializeCriticalSection(stunnel_cs+i);
/* initialize OpenSSL locking callback */
for(i=0; i<CRYPTO_NUM_LOCKS; i++)
InitializeCriticalSection(lock_cs+i);
CRYPTO_set_locking_callback(locking_callback);
/* initialize OpenSSL dynamic locks callbacks */
CRYPTO_set_dynlock_create_callback(dyn_create_function);
CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function);
thread_id_init();
locking_init();
return 0;
}
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
int create_client(SOCKET ls, SOCKET s, CLI *arg, void *(*cli)(void *)) {
(void)ls; /* this parameter is only used with USE_FORK */
s_log(LOG_DEBUG, "Creating a new thread");
if((long)_beginthread((void(*)(void *))cli, arg->opt->stack_size, arg)==-1) {
if((long)_beginthread((void(*)(void *))cli,
(unsigned)arg->opt->stack_size, arg)==-1) {
ioerror("_beginthread");
if(arg)
str_free(arg);
if(s>=0)
str_free(arg);
if(s!=INVALID_SOCKET)
closesocket(s);
return -1;
}
@ -439,14 +504,6 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
#ifdef USE_OS2
void enter_critical_section(SECTION_CODE i) {
DosEnterCritSec();
}
void leave_critical_section(SECTION_CODE i) {
DosExitCritSec();
}
int sthreads_init(void) {
return 0;
}
@ -463,13 +520,12 @@ unsigned long stunnel_thread_id(void) {
return (unsigned long)ppib->pib_ulpid;
}
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
int create_client(SOCKET ls, SOCKET s, CLI *arg, void *(*cli)(void *)) {
(void)ls; /* this parameter is only used with USE_FORK */
s_log(LOG_DEBUG, "Creating a new thread");
if((long)_beginthread((void(*)(void *))cli, NULL, arg->opt->stack_size, arg)==-1L) {
ioerror("_beginthread");
if(arg)
str_free(arg);
str_free(arg);
if(s>=0)
closesocket(s);
return -1;
@ -505,12 +561,12 @@ void _endthread(void) {
#ifdef DEBUG_STACK_SIZE
#define STACK_RESERVE (STACK_SIZE/8)
#define VERIFY_AREA ((STACK_SIZE-STACK_RESERVE)/sizeof(u32))
#define VERIFY_AREA ((STACK_SIZE-STACK_RESERVE)/sizeof(uint32_t))
#define TEST_VALUE 0xdeadbeef
/* some heuristic to determine the usage of client stack size */
void stack_info(int init) { /* 1-initialize, 0-display */
u32 table[VERIFY_AREA];
uint32_t table[VERIFY_AREA];
int i, num;
static int min_num=VERIFY_AREA;
@ -518,12 +574,12 @@ void stack_info(int init) { /* 1-initialize, 0-display */
for(i=0; i<VERIFY_AREA; i++)
table[i]=TEST_VALUE;
} else {
/* the stack is growing down */
/* the stack grows down */
for(i=0; i<VERIFY_AREA; i++)
if(table[i]!=TEST_VALUE)
break;
num=i;
/* the stack is growing up */
/* the stack grows up */
for(i=0; i<VERIFY_AREA; i++)
if(table[VERIFY_AREA-i-1]!=TEST_VALUE)
break;
@ -538,10 +594,10 @@ void stack_info(int init) { /* 1-initialize, 0-display */
s_log(LOG_NOTICE,
"stack_info: size=%d, current=%d (%d%%), maximum=%d (%d%%)",
STACK_SIZE,
(int)((VERIFY_AREA-num)*sizeof(u32)),
(int)((VERIFY_AREA-num)*sizeof(u32)*100/STACK_SIZE),
(int)((VERIFY_AREA-min_num)*sizeof(u32)),
(int)((VERIFY_AREA-min_num)*sizeof(u32)*100/STACK_SIZE));
(int)((VERIFY_AREA-num)*sizeof(uint32_t)),
(int)((VERIFY_AREA-num)*sizeof(uint32_t)*100/STACK_SIZE),
(int)((VERIFY_AREA-min_num)*sizeof(uint32_t)),
(int)((VERIFY_AREA-min_num)*sizeof(uint32_t)*100/STACK_SIZE));
}
}

554
src/str.c
View File

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@ -38,6 +38,73 @@
#include "common.h"
#include "prototypes.h"
/* reportedly, malloc does not always return 16-byte aligned addresses
* for 64-bit targets as specified by
* https://msdn.microsoft.com/en-us/library/6ewkz86d.aspx */
#ifdef USE_WIN32
#define system_malloc(n) _aligned_malloc((n),16)
#define system_realloc(p,n) _aligned_realloc((p),(n),16)
#define system_free(p) _aligned_free(p)
#else
#define system_malloc(n) malloc(n)
#define system_realloc(p,n) realloc((p),(n))
#define system_free(p) free(p)
#endif
#define CANARY_INITIALIZED 0x0000c0ded0000000LL
#define CANARY_UNINTIALIZED 0x0000abadbabe0000LL
#define MAGIC_ALLOCATED 0x0000a110c8ed0000LL
#define MAGIC_DEALLOCATED 0x0000defec8ed0000LL
/* most platforms require allocations to be aligned */
#ifdef _MSC_VER
__declspec(align(16))
#endif
struct alloc_list_struct {
ALLOC_LIST *prev, *next;
TLS_DATA *tls;
size_t size;
const char *alloc_file, *free_file;
int alloc_line, free_line;
uint64_t valid_canary, magic;
#ifdef __GNUC__
} __attribute__((aligned(16)));
#else
#ifndef MSC_VER
uint64_t :0; /* align the structure */
#endif
};
#endif
#define LEAK_TABLE_SIZE 997
typedef struct {
const char *alloc_file;
int alloc_line;
int num, max;
} LEAK_ENTRY;
NOEXPORT LEAK_ENTRY leak_hash_table[LEAK_TABLE_SIZE],
*leak_results[LEAK_TABLE_SIZE];
NOEXPORT volatile int leak_result_num=0;
#ifdef USE_WIN32
NOEXPORT LPTSTR str_vtprintf(LPCTSTR, va_list);
#endif /* USE_WIN32 */
NOEXPORT void *str_realloc_internal_debug(void *, size_t, const char *, int);
NOEXPORT ALLOC_LIST *get_alloc_list_ptr(void *, const char *, int);
NOEXPORT void str_leak_debug(const ALLOC_LIST *, int);
NOEXPORT LEAK_ENTRY *leak_search(const ALLOC_LIST *);
NOEXPORT void leak_report();
NOEXPORT long leak_threshold();
TLS_DATA *ui_tls;
NOEXPORT uint8_t canary[10]; /* 80-bit canary value */
NOEXPORT volatile uint64_t canary_initialized=CANARY_UNINTIALIZED;
/**************************************** string manipulation functions */
#ifndef va_copy
#ifdef __va_copy
#define va_copy(dst, src) __va_copy((dst), (src))
@ -46,38 +113,10 @@
#endif /* __va_copy */
#endif /* va_copy */
static u8 canary[10]; /* 80-bit canary value */
static volatile int canary_initialized=0;
typedef struct alloc_list_struct ALLOC_LIST;
typedef struct {
ALLOC_LIST *head;
size_t bytes, blocks;
} ALLOC_TLS;
struct alloc_list_struct {
ALLOC_LIST *prev, *next;
ALLOC_TLS *tls;
size_t size;
int valid_canary;
unsigned int magic;
/* at least on IA64 allocations need to be aligned */
#ifdef __GNUC__
} __attribute__((aligned(16)));
#else
int padding[2]; /* the number of integers is architecture-specific */
};
#endif
static void set_alloc_tls(ALLOC_TLS *);
static ALLOC_TLS *get_alloc_tls();
static ALLOC_LIST *get_alloc_list_ptr(void *, char *, int);
char *str_dup(const char *str) {
char *str_dup_debug(const char *str, const char *file, int line) {
char *retval;
retval=str_alloc(strlen(str)+1);
retval=str_alloc_debug(strlen(str)+1, file, line);
strcpy(retval, str);
return retval;
}
@ -92,203 +131,216 @@ char *str_printf(const char *format, ...) {
return txt;
}
#ifdef __GNUC__
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
#endif /* __GNUC__ */
char *str_vprintf(const char *format, va_list start_ap) {
int n, size=32;
char *p, *np;
int n;
size_t size=32;
char *p;
va_list ap;
p=str_alloc(size);
for(;;) {
va_copy(ap, start_ap);
n=vsnprintf(p, size, format, ap);
if(n>-1 && n<size)
if(n>-1 && n<(int)size)
return p;
if(n>-1) /* glibc 2.1 */
size=n+1; /* precisely what is needed */
else /* glibc 2.0, WIN32, etc. */
size*=2; /* twice the old size */
np=str_realloc(p, size);
p=np; /* LOL */
if(n>-1) /* glibc 2.1 */
size=(size_t)n+1; /* precisely what is needed */
else /* glibc 2.0, WIN32, etc. */
size*=2; /* twice the old size */
p=str_realloc(p, size);
}
}
#ifdef USE_UCONTEXT
static ALLOC_TLS *global_tls=NULL;
void str_init() {
}
static void set_alloc_tls(ALLOC_TLS *tls) {
if(ready_head)
ready_head->tls=tls;
else /* ucontext threads not initialized */
global_tls=tls;
}
static ALLOC_TLS *get_alloc_tls() {
if(ready_head)
return ready_head->tls;
else /* ucontext threads not initialized */
return global_tls;
}
#endif /* USE_UCONTEXT */
#ifdef USE_FORK
static ALLOC_TLS *global_tls=NULL;
void str_init() {
}
static void set_alloc_tls(ALLOC_TLS *tls) {
global_tls=tls;
}
static ALLOC_TLS *get_alloc_tls() {
return global_tls;
}
#endif /* USE_FORK */
#ifdef USE_PTHREAD
static pthread_key_t pthread_key;
void str_init() {
pthread_key_create(&pthread_key, NULL);
}
static void set_alloc_tls(ALLOC_TLS *tls) {
pthread_setspecific(pthread_key, tls);
}
static ALLOC_TLS *get_alloc_tls() {
return pthread_getspecific(pthread_key);
}
#endif /* USE_PTHREAD */
#ifdef __GNUC__
#pragma GCC diagnostic pop
#endif /* __GNUC__ */
#ifdef USE_WIN32
static DWORD tls_index;
LPTSTR str_tprintf(LPCTSTR format, ...) {
LPTSTR txt;
va_list arglist;
void str_init() {
tls_index=TlsAlloc();
va_start(arglist, format);
txt=str_vtprintf(format, arglist);
va_end(arglist);
return txt;
}
static void set_alloc_tls(ALLOC_TLS *alloc_tls) {
TlsSetValue(tls_index, alloc_tls);
NOEXPORT LPTSTR str_vtprintf(LPCTSTR format, va_list start_ap) {
int n;
size_t size=32;
LPTSTR p;
va_list ap;
p=str_alloc(size*sizeof(TCHAR));
for(;;) {
va_copy(ap, start_ap);
n=_vsntprintf(p, size, format, ap);
if(n>-1 && n<(int)size)
return p;
size*=2;
p=str_realloc(p, size*sizeof(TCHAR));
}
}
static ALLOC_TLS *get_alloc_tls() {
return TlsGetValue(tls_index);
#endif
/**************************************** memory allocation wrappers */
void str_init(TLS_DATA *tls_data) {
tls_data->alloc_head=NULL;
tls_data->alloc_bytes=tls_data->alloc_blocks=0;
}
#endif /* USE_WIN32 */
void str_cleanup(TLS_DATA *tls_data) {
/* free all attached allocations */
while(tls_data->alloc_head) /* str_free macro requires an lvalue */
str_free_expression(tls_data->alloc_head+1);
}
void str_canary_init() {
if(canary_initialized) /* prevent double initialization on config reload */
return;
RAND_bytes(canary, sizeof canary);
canary_initialized=1; /* after RAND_bytes */
}
void str_cleanup() {
ALLOC_TLS *alloc_tls;
alloc_tls=get_alloc_tls();
if(alloc_tls) {
while(alloc_tls->head) /* str_free macro requires lvalue parameter */
str_free_debug(alloc_tls->head+1, __FILE__, __LINE__);
set_alloc_tls(NULL);
free(alloc_tls);
}
if(canary_initialized!=CANARY_UNINTIALIZED)
return; /* prevent double initialization on config reload */
RAND_bytes(canary, (int)sizeof canary);
/* an error would reduce the effectiveness of canaries */
/* this is nothing critical, so the return value is ignored here */
canary_initialized=CANARY_INITIALIZED; /* after RAND_bytes */
}
void str_stats() {
ALLOC_TLS *alloc_tls;
TLS_DATA *tls_data;
ALLOC_LIST *alloc_list;
int i=0;
alloc_tls=get_alloc_tls();
if(!alloc_tls) {
s_log(LOG_DEBUG, "str_stats: alloc_tls not initialized");
return;
}
if(!alloc_tls->blocks && !alloc_tls->bytes)
if(!tls_initialized)
fatal("str not initialized");
leak_report();
tls_data=tls_get();
if(!tls_data || (!tls_data->alloc_blocks && !tls_data->alloc_bytes))
return; /* skip if no data is allocated */
s_log(LOG_DEBUG, "str_stats: %lu block(s), "
"%lu data byte(s), %lu control byte(s)",
(unsigned long int)alloc_tls->blocks,
(unsigned long int)alloc_tls->bytes,
(unsigned long int)(alloc_tls->blocks*
(unsigned long)tls_data->alloc_blocks,
(unsigned long)tls_data->alloc_bytes,
(unsigned long)(tls_data->alloc_blocks*
(sizeof(ALLOC_LIST)+sizeof canary)));
for(alloc_list=tls_data->alloc_head; alloc_list; alloc_list=alloc_list->next) {
if(++i>10) /* limit the number of results */
break;
s_log(LOG_DEBUG, "str_stats: %lu byte(s) at %s:%d",
(unsigned long)alloc_list->size,
alloc_list->alloc_file, alloc_list->alloc_line);
}
}
void *str_alloc_debug(size_t size, char *file, int line) {
ALLOC_TLS *alloc_tls;
void *str_alloc_debug(size_t size, const char *file, int line) {
TLS_DATA *tls_data;
ALLOC_LIST *alloc_list;
alloc_tls=get_alloc_tls();
if(!alloc_tls) { /* first allocation in this thread */
alloc_tls=calloc(1, sizeof(ALLOC_TLS));
if(!alloc_tls)
fatal_debug("Out of memory", file, line);
alloc_tls->head=NULL;
alloc_tls->bytes=alloc_tls->blocks=0;
set_alloc_tls(alloc_tls);
if(!tls_initialized)
fatal_debug("str not initialized", file, line);
tls_data=tls_get();
if(!tls_data) {
tls_data=tls_alloc(NULL, NULL, "alloc");
s_log(LOG_ERR, "INTERNAL ERROR: Uninitialized TLS at %s, line %d",
file, line);
}
alloc_list=calloc(1, sizeof(ALLOC_LIST)+size+sizeof canary);
if(!alloc_list)
fatal_debug("Out of memory", file, line);
alloc_list=(ALLOC_LIST *)str_alloc_detached_debug(size, file, line)-1;
alloc_list->prev=NULL;
alloc_list->next=alloc_tls->head;
alloc_list->tls=alloc_tls;
alloc_list->size=size;
alloc_list->valid_canary=canary_initialized; /* before memcpy */
memcpy((u8 *)(alloc_list+1)+size, canary, sizeof canary);
alloc_list->magic=0xdeadbeef;
if(alloc_tls->head)
alloc_tls->head->prev=alloc_list;
alloc_tls->head=alloc_list;
alloc_tls->bytes+=size;
alloc_tls->blocks++;
alloc_list->next=tls_data->alloc_head;
alloc_list->tls=tls_data;
if(tls_data->alloc_head)
tls_data->alloc_head->prev=alloc_list;
tls_data->alloc_head=alloc_list;
tls_data->alloc_bytes+=size;
tls_data->alloc_blocks++;
return alloc_list+1;
}
void *str_realloc_debug(void *ptr, size_t size, char *file, int line) {
ALLOC_LIST *previous_alloc_list, *alloc_list;
void *str_alloc_detached_debug(size_t size, const char *file, int line) {
ALLOC_LIST *alloc_list;
if(!ptr)
return str_alloc(size);
previous_alloc_list=get_alloc_list_ptr(ptr, file, line);
alloc_list=realloc(previous_alloc_list,
sizeof(ALLOC_LIST)+size+sizeof canary);
#if 0
printf("allocating %lu bytes at %s:%d\n", (unsigned long)size, file, line);
#endif
alloc_list=system_malloc(sizeof(ALLOC_LIST)+size+sizeof canary);
if(!alloc_list)
fatal_debug("Out of memory", file, line);
memset(alloc_list, 0, sizeof(ALLOC_LIST)+size+sizeof canary);
alloc_list->prev=NULL; /* for debugging */
alloc_list->next=NULL; /* for debugging */
alloc_list->tls=NULL;
alloc_list->size=size;
alloc_list->alloc_file=file;
alloc_list->alloc_line=line;
alloc_list->free_file="none";
alloc_list->free_line=0;
alloc_list->valid_canary=canary_initialized; /* before memcpy */
memcpy((uint8_t *)(alloc_list+1)+size, canary, sizeof canary);
alloc_list->magic=MAGIC_ALLOCATED;
str_leak_debug(alloc_list, 1);
return alloc_list+1;
}
void *str_realloc_debug(void *ptr, size_t size, const char *file, int line) {
if(ptr)
return str_realloc_internal_debug(ptr, size, file, line);
else
return str_alloc_debug(size, file, line);
}
void *str_realloc_detached_debug(void *ptr, size_t size, const char *file, int line) {
if(ptr)
return str_realloc_internal_debug(ptr, size, file, line);
else
return str_alloc_detached_debug(size, file, line);
}
NOEXPORT void *str_realloc_internal_debug(void *ptr, size_t size, const char *file, int line) {
ALLOC_LIST *prev_alloc_list, *alloc_list;
prev_alloc_list=get_alloc_list_ptr(ptr, file, line);
str_leak_debug(prev_alloc_list, -1);
if(prev_alloc_list->size>size) /* shrinking the allocation */
memset((uint8_t *)ptr+size, 0, prev_alloc_list->size-size); /* paranoia */
alloc_list=system_realloc(prev_alloc_list, sizeof(ALLOC_LIST)+size+sizeof canary);
if(!alloc_list)
fatal_debug("Out of memory", file, line);
ptr=alloc_list+1;
if(size>alloc_list->size) /* growing the allocation */
memset((uint8_t *)ptr+alloc_list->size, 0, size-alloc_list->size);
if(alloc_list->tls) { /* not detached */
/* refresh possibly invalidated linked list pointers */
if(alloc_list->tls->head==previous_alloc_list)
alloc_list->tls->head=alloc_list;
if(alloc_list->tls->alloc_head==prev_alloc_list)
alloc_list->tls->alloc_head=alloc_list;
if(alloc_list->next)
alloc_list->next->prev=alloc_list;
if(alloc_list->prev)
alloc_list->prev->next=alloc_list;
/* update statistics */
alloc_list->tls->bytes+=size-alloc_list->size;
/* update statistics while the old size is still available */
alloc_list->tls->alloc_bytes+=size-alloc_list->size;
}
alloc_list->size=size;
alloc_list->alloc_file=file;
alloc_list->alloc_line=line;
alloc_list->free_file="none";
alloc_list->free_line=0;
alloc_list->valid_canary=canary_initialized; /* before memcpy */
memcpy((u8 *)(alloc_list+1)+size, canary, sizeof canary);
return alloc_list+1;
memcpy((uint8_t *)ptr+size, canary, sizeof canary);
str_leak_debug(alloc_list, 1);
return ptr;
}
/* detach from thread automatic deallocation list */
/* it has no effect if the allocation is already detached */
void str_detach_debug(void *ptr, char *file, int line) {
void str_detach_debug(void *ptr, const char *file, int line) {
ALLOC_LIST *alloc_list;
if(!ptr) /* do not attempt to free null pointers */
@ -296,15 +348,15 @@ void str_detach_debug(void *ptr, char *file, int line) {
alloc_list=get_alloc_list_ptr(ptr, file, line);
if(alloc_list->tls) { /* not detached */
/* remove from linked list */
if(alloc_list->tls->head==alloc_list)
alloc_list->tls->head=alloc_list->next;
if(alloc_list->tls->alloc_head==alloc_list)
alloc_list->tls->alloc_head=alloc_list->next;
if(alloc_list->next)
alloc_list->next->prev=alloc_list->prev;
if(alloc_list->prev)
alloc_list->prev->next=alloc_list->next;
/* update statistics */
alloc_list->tls->bytes-=alloc_list->size;
alloc_list->tls->blocks--;
alloc_list->tls->alloc_bytes-=alloc_list->size;
alloc_list->tls->alloc_blocks--;
/* clear pointers */
alloc_list->next=NULL;
alloc_list->prev=NULL;
@ -312,33 +364,155 @@ void str_detach_debug(void *ptr, char *file, int line) {
}
}
void str_free_debug(void *ptr, char *file, int line) {
void str_free_debug(void *ptr, const char *file, int line) {
ALLOC_LIST *alloc_list;
if(!ptr) /* do not attempt to free null pointers */
return;
str_detach_debug(ptr, file, line);
alloc_list=(ALLOC_LIST *)ptr-1;
alloc_list->magic=0xdefec8ed; /* to detect double free attempts */
free(alloc_list);
if(alloc_list->magic==MAGIC_DEALLOCATED) { /* double free */
/* this may (unlikely) log garbage instead of file names */
s_log(LOG_CRIT,
"Double free attempt: ptr=%p alloc=%s:%d free#1=%s:%d free#2=%s:%d",
ptr,
alloc_list->alloc_file, alloc_list->alloc_line,
alloc_list->free_file, alloc_list->free_line,
file, line);
return;
}
str_detach_debug(ptr, file, line);
str_leak_debug(alloc_list, -1);
alloc_list->free_file=file;
alloc_list->free_line=line;
alloc_list->magic=MAGIC_DEALLOCATED; /* detect double free attempts */
memset(ptr, 0, alloc_list->size+sizeof canary); /* paranoia */
system_free(alloc_list);
}
static ALLOC_LIST *get_alloc_list_ptr(void *ptr, char *file, int line) {
NOEXPORT ALLOC_LIST *get_alloc_list_ptr(void *ptr, const char *file, int line) {
ALLOC_LIST *alloc_list;
if(!tls_initialized)
fatal_debug("str not initialized", file, line);
alloc_list=(ALLOC_LIST *)ptr-1;
if(alloc_list->magic!=0xdeadbeef) { /* not allocated by str_alloc() */
if(alloc_list->magic==0xdefec8ed)
fatal_debug("Double free attempt", file, line);
else
fatal_debug("Bad magic", file, line); /* LOL */
}
if(alloc_list->tls /* not detached */ && alloc_list->tls!=get_alloc_tls())
if(alloc_list->magic!=MAGIC_ALLOCATED) /* not allocated by str_alloc() */
fatal_debug("Bad magic", file, line); /* LOL */
if(alloc_list->tls /* not detached */ && alloc_list->tls!=tls_get())
fatal_debug("Memory allocated in a different thread", file, line);
if(alloc_list->valid_canary &&
memcmp((u8 *)ptr+alloc_list->size, canary, sizeof canary))
if(alloc_list->valid_canary!=CANARY_UNINTIALIZED &&
safe_memcmp((uint8_t *)ptr+alloc_list->size, canary, sizeof canary))
fatal_debug("Dead canary", file, line); /* LOL */
return alloc_list;
}
/**************************************** memory leak detection */
NOEXPORT void str_leak_debug(const ALLOC_LIST *alloc_list, int change) {
static size_t entries=0;
LEAK_ENTRY *entry;
int new_entry, allocations;
#if defined(USE_PTHREAD) || defined(USE_WIN32)
if(!&stunnel_locks[STUNNEL_LOCKS-1]) /* threads not initialized */
return;
#endif /* defined(USE_PTHREAD) || defined(USE_WIN32) */
if(!number_of_sections) /* configuration file not initialized */
return;
entry=leak_search(alloc_list);
/* the race condition may lead to false positives, which is handled later */
new_entry=entry->alloc_line!=alloc_list->alloc_line ||
entry->alloc_file!=alloc_list->alloc_file;
if(new_entry) { /* the file:line pair was encountered for the first time */
stunnel_write_lock(&stunnel_locks[LOCK_LEAK_HASH]);
entry=leak_search(alloc_list); /* the list may have changed */
if(entry->alloc_line==0) {
if(entries>LEAK_TABLE_SIZE-100) { /* this should never happen */
stunnel_write_unlock(&stunnel_locks[LOCK_LEAK_HASH]);
return;
}
entries++;
entry->alloc_line=alloc_list->alloc_line;
entry->alloc_file=alloc_list->alloc_file;
}
stunnel_write_unlock(&stunnel_locks[LOCK_LEAK_HASH]);
}
#ifdef PRECISE_LEAK_ALLOCATON_COUNTERS
/* this is *really* slow in OpenSSL < 1.1.0 */
CRYPTO_atomic_add(&entry->num, change, &allocations,
&stunnel_locks[LOCK_LEAK_HASH]);
#else
allocations=(entry->num+=change); /* we just need an estimate... */
#endif
if(allocations<=leak_threshold()) /* leak not detected */
return;
if(allocations<=entry->max) /* not the biggest leak for this entry */
return;
if(entry->max) { /* not the first time we found a leak for this entry */
entry->max=allocations; /* just update the value */
return;
}
/* we *may* need to allocate a new leak_results entry */
/* locking is slow, so we try to avoid it if possible */
stunnel_write_lock(&stunnel_locks[LOCK_LEAK_RESULTS]);
if(entry->max==0) { /* the table may have changed */
leak_results[leak_result_num]=entry;
entry->max=allocations;
++leak_result_num; /* at the end to avoid a lock in leak_report() */
} else { /* gracefully handle the race condition */
entry->max=allocations;
}
stunnel_write_unlock(&stunnel_locks[LOCK_LEAK_RESULTS]);
}
/* O(1) hash table lookup */
NOEXPORT LEAK_ENTRY *leak_search(const ALLOC_LIST *alloc_list) {
int i=alloc_list->alloc_line%LEAK_TABLE_SIZE;
while(!(leak_hash_table[i].alloc_line==0 ||
(leak_hash_table[i].alloc_line==alloc_list->alloc_line &&
leak_hash_table[i].alloc_file==alloc_list->alloc_file)))
i=(i+1)%LEAK_TABLE_SIZE;
return leak_hash_table+i;
}
/* report identified leaks */
NOEXPORT void leak_report() {
int i;
long limit;
limit=leak_threshold();
for(i=0; i<leak_result_num; ++i)
if(leak_results[i] /* an officious compiler could reorder code */ &&
leak_results[i]->max>limit /* the limit could have changed */)
s_log(LOG_WARNING, "Possible memory leak at %s:%d: %d allocations",
leak_results[i]->alloc_file, leak_results[i]->alloc_line,
leak_results[i]->max);
}
NOEXPORT long leak_threshold() {
long limit;
limit=10000*((int)number_of_sections+1);
#ifndef USE_FORK
limit+=100*num_clients;
#endif
return limit;
}
/**************************************** memcmp() replacement */
/* a version of memcmp() with execution time not dependent on data values */
/* it does *not* allow testing whether s1 is greater or lesser than s2 */
int safe_memcmp(const void *s1, const void *s2, size_t n) {
uint8_t *p1=(uint8_t *)s1, *p2=(uint8_t *)s2;
int r=0;
while(n--)
r|=(*p1++)^(*p2++);
return r;
}
/* end of str.c */

828
src/stunnel.c
View File

File diff suppressed because it is too large Load Diff

BIN
src/stunnel.ico
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 4.6 KiB

After

Width:  |  Height:  |  Size: 15 KiB

6
src/stunnel3.in
View File

@ -1,7 +1,7 @@
#!/usr/bin/perl
#
# stunnel3 Perl wrapper to use stunnel 3.x syntax in stunnel >=4.05
# Copyright (C) 2004-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
# Copyright (C) 2004-2012 Michal Trojnara <Michal.Trojnara@stunnel.org>
# Version: 2.03
# Date: 2011.10.22
#
@ -22,7 +22,7 @@ use POSIX;
use Getopt::Std;
# Configuration - path to stunnel (version >=4.05)
$stunnel_bin='@prefix@/bin/stunnel';
$stunnel_bin='@bindir@/stunnel';
# stunnel3 script body begins here
($read_fd, $write_fd)=POSIX::pipe();
@ -67,7 +67,7 @@ print("setgid = $opt_g\n") if defined $opt_g;
print("pid = $opt_P\n") if defined $opt_P;
print("connect = $opt_r\n") if defined $opt_r;
print("pty = yes\n"), $opt_l=$opt_L if defined $opt_L;
print("exec = $opt_l\nexecargs = " . join(' ', $opt_l, @ARGV) . "\n") if defined $opt_l;
print("exec = $opt_l\nexecArgs = " . join(' ', $opt_l, @ARGV) . "\n") if defined $opt_l;
print("[stunnel3]\n") if defined $opt_d;
close(STUNNEL);

195
src/tls.c Normal file
View File

@ -0,0 +1,195 @@
/*
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
volatile int tls_initialized=0;
NOEXPORT void tls_platform_init();
#if OPENSSL_VERSION_NUMBER<0x10100000L
NOEXPORT void free_function(void *);
#endif
/**************************************** thread local storage */
/* this has to be the first function called from ui_*.c */
void tls_init() {
tls_platform_init();
tls_initialized=1;
ui_tls=tls_alloc(NULL, NULL, "ui");
#if OPENSSL_VERSION_NUMBER>=0x10100000L
CRYPTO_set_mem_functions(str_alloc_detached_debug,
str_realloc_detached_debug, str_free_debug);
#else
CRYPTO_set_mem_ex_functions(str_alloc_detached_debug,
str_realloc_detached_debug, free_function);
#endif
}
/* this has to be the first function called by a new thread */
TLS_DATA *tls_alloc(CLI *c, TLS_DATA *inherited, char *txt) {
TLS_DATA *tls_data;
if(inherited) { /* reuse the thread-local storage after fork() */
tls_data=inherited;
str_free(tls_data->id);
} else {
tls_data=calloc(1, sizeof(TLS_DATA));
if(!tls_data)
fatal("Out of memory");
if(c)
c->tls=tls_data;
str_init(tls_data);
tls_data->c=c;
tls_data->opt=c?c->opt:&service_options;
}
tls_data->id="unconfigured";
tls_set(tls_data);
/* str.c functions can be used below this point */
if(txt) {
tls_data->id=str_dup(txt);
str_detach(tls_data->id); /* it is deallocated after str_stats() */
} else if(c) {
tls_data->id=log_id(c);
str_detach(tls_data->id); /* it is deallocated after str_stats() */
}
return tls_data;
}
/* per-thread thread-local storage cleanup */
void tls_cleanup() {
TLS_DATA *tls_data;
tls_data=tls_get();
if(!tls_data)
return;
str_cleanup(tls_data);
str_free(tls_data->id); /* detached allocation */
tls_set(NULL);
free(tls_data);
}
#ifdef USE_UCONTEXT
static TLS_DATA *global_tls=NULL;
NOEXPORT void tls_platform_init() {
}
void tls_set(TLS_DATA *tls_data) {
if(ready_head)
ready_head->tls=tls_data;
else /* ucontext threads not initialized */
global_tls=tls_data;
}
TLS_DATA *tls_get() {
if(ready_head)
return ready_head->tls;
else /* ucontext threads not initialized */
return global_tls;
}
#endif /* USE_UCONTEXT */
#ifdef USE_FORK
static TLS_DATA *global_tls=NULL;
NOEXPORT void tls_platform_init() {
}
void tls_set(TLS_DATA *tls_data) {
global_tls=tls_data;
}
TLS_DATA *tls_get() {
return global_tls;
}
#endif /* USE_FORK */
#ifdef USE_PTHREAD
static pthread_key_t pthread_key;
NOEXPORT void tls_platform_init() {
pthread_key_create(&pthread_key, NULL);
}
void tls_set(TLS_DATA *tls_data) {
pthread_setspecific(pthread_key, tls_data);
}
TLS_DATA *tls_get() {
return pthread_getspecific(pthread_key);
}
#endif /* USE_PTHREAD */
#ifdef USE_WIN32
static DWORD tls_index;
NOEXPORT void tls_platform_init() {
tls_index=TlsAlloc();
}
void tls_set(TLS_DATA *tls_data) {
TlsSetValue(tls_index, tls_data);
}
TLS_DATA *tls_get() {
return TlsGetValue(tls_index);
}
#endif /* USE_WIN32 */
/**************************************** OpenSSL allocator hook */
#if OPENSSL_VERSION_NUMBER<0x10100000L
NOEXPORT void free_function(void *ptr) {
/* CRYPTO_set_mem_ex_functions() needs a function rather than a macro */
/* unfortunately, OpenSSL provides no file:line information here */
str_free_debug(ptr, "OpenSSL", 0);
}
#endif
/* end of tls.c */

268
src/ui_unix.c Normal file
View File

@ -0,0 +1,268 @@
/*
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
NOEXPORT int main_unix(int, char*[]);
#if !defined(__vms) && !defined(USE_OS2)
NOEXPORT int daemonize(int);
NOEXPORT int create_pid(void);
NOEXPORT void delete_pid(void);
#endif
#ifndef USE_OS2
NOEXPORT void signal_handler(int);
#endif
int main(int argc, char* argv[]) { /* execution begins here 8-) */
int retval;
#ifdef M_MMAP_THRESHOLD
mallopt(M_MMAP_THRESHOLD, 4096);
#endif
tls_init(); /* initialize thread-local storage */
retval=main_unix(argc, argv);
main_cleanup();
return retval;
}
NOEXPORT int main_unix(int argc, char* argv[]) {
int configure_status;
#if !defined(__vms) && !defined(USE_OS2)
int fd;
fd=open("/dev/null", O_RDWR); /* open /dev/null before chroot */
if(fd==INVALID_SOCKET)
fatal("Could not open /dev/null");
#endif
main_init();
configure_status=main_configure(argc>1 ? argv[1] : NULL,
argc>2 ? argv[2] : NULL);
switch(configure_status) {
case 1: /* error -> exit with 1 to indicate error */
close(fd);
return 1;
case 2: /* information printed -> exit with 0 to indicate success */
close(fd);
return 0;
}
if(service_options.next) { /* there are service sections -> daemon mode */
#if !defined(__vms) && !defined(USE_OS2)
if(daemonize(fd)) {
close(fd);
return 1;
}
close(fd);
/* create_pid() must be called after drop_privileges()
* or it won't be possible to remove the file on exit */
/* create_pid() must be called after daemonize()
* since the final pid is not known beforehand */
if(create_pid())
return 1;
#endif
#ifndef USE_OS2
signal(SIGCHLD, signal_handler); /* handle dead children */
signal(SIGHUP, signal_handler); /* configuration reload */
signal(SIGUSR1, signal_handler); /* log reopen */
signal(SIGPIPE, SIG_IGN); /* ignore broken pipe */
if(signal(SIGTERM, SIG_IGN)!=SIG_IGN)
signal(SIGTERM, signal_handler); /* fatal */
if(signal(SIGQUIT, SIG_IGN)!=SIG_IGN)
signal(SIGQUIT, signal_handler); /* fatal */
if(signal(SIGINT, SIG_IGN)!=SIG_IGN)
signal(SIGINT, signal_handler); /* fatal */
#endif
daemon_loop();
} else { /* inetd mode */
CLI *c;
#if !defined(__vms) && !defined(USE_OS2)
close(fd);
#endif /* standard Unix */
#ifndef USE_OS2
signal(SIGCHLD, SIG_IGN); /* ignore dead children */
signal(SIGPIPE, SIG_IGN); /* ignore broken pipe */
#endif
set_nonblock(0, 1); /* stdin */
set_nonblock(1, 1); /* stdout */
c=alloc_client_session(&service_options, 0, 1);
tls_alloc(c, ui_tls, NULL);
client_main(c);
}
return 0;
}
#ifndef USE_OS2
NOEXPORT void signal_handler(int sig) {
int saved_errno;
saved_errno=errno;
signal_post(sig);
signal(sig, signal_handler);
errno=saved_errno;
}
#endif
#if !defined(__vms) && !defined(USE_OS2)
NOEXPORT int daemonize(int fd) { /* go to background */
if(global_options.option.foreground)
return 0;
dup2(fd, 0);
dup2(fd, 1);
dup2(fd, 2);
#if defined(HAVE_DAEMON) && !defined(__BEOS__)
/* set noclose option when calling daemon() function,
* so it does not require /dev/null device in the chrooted directory */
if(daemon(0, 1)==-1) {
ioerror("daemon");
return 1;
}
#else
chdir("/");
switch(fork()) {
case -1: /* fork failed */
ioerror("fork");
return 1;
case 0: /* child */
break;
default: /* parent */
exit(0);
}
#endif
tls_alloc(NULL, ui_tls, "main"); /* reuse thread-local storage */
#ifdef HAVE_SETSID
setsid(); /* ignore the error */
#endif
return 0;
}
NOEXPORT int create_pid(void) {
int pf;
char *pid;
if(!global_options.pidfile) {
s_log(LOG_DEBUG, "No pid file being created");
return 0;
}
if(global_options.pidfile[0]!='/') {
/* to prevent creating pid file relative to '/' after daemonize() */
s_log(LOG_ERR, "Pid file (%s) must be full path name", global_options.pidfile);
return 1;
}
global_options.dpid=(unsigned long)getpid();
/* silently remove old pid file */
unlink(global_options.pidfile);
pf=open(global_options.pidfile, O_WRONLY|O_CREAT|O_TRUNC|O_EXCL, 0644);
if(pf==-1) {
s_log(LOG_ERR, "Cannot create pid file %s", global_options.pidfile);
ioerror("create");
return 1;
}
pid=str_printf("%lu\n", global_options.dpid);
if(write(pf, pid, strlen(pid))<(int)strlen(pid)) {
s_log(LOG_ERR, "Cannot write pid file %s", global_options.pidfile);
ioerror("write");
return 1;
}
str_free(pid);
close(pf);
s_log(LOG_DEBUG, "Created pid file %s", global_options.pidfile);
atexit(delete_pid);
return 0;
}
NOEXPORT void delete_pid(void) {
if((unsigned long)getpid()!=global_options.dpid)
return; /* current process is not main daemon process */
s_log(LOG_DEBUG, "removing pid file %s", global_options.pidfile);
if(unlink(global_options.pidfile)<0)
ioerror(global_options.pidfile); /* not critical */
}
#endif /* standard Unix */
/**************************************** options callbacks */
void ui_config_reloaded(void) {
/* no action */
}
#ifdef ICON_IMAGE
ICON_IMAGE load_icon_default(ICON_TYPE icon) {
(void)icon; /* squash the unused parameter warning */
return (ICON_IMAGE)0;
}
ICON_IMAGE load_icon_file(const char *file) {
(void)file; /* squash the unused parameter warning */
return (ICON_IMAGE)0;
}
#endif
/**************************************** client callbacks */
void ui_new_chain(const unsigned section_number) {
(void)section_number; /* squash the unused parameter warning */
}
void ui_clients(const long num) {
(void)num; /* squash the unused parameter warning */
}
/**************************************** s_log callbacks */
void ui_new_log(const char *line) {
fprintf(stderr, "%s\n", line);
}
/**************************************** ctx callbacks */
int ui_passwd_cb(char *buf, int size, int rwflag, void *userdata) {
return PEM_def_callback(buf, size, rwflag, userdata);
}
#ifndef OPENSSL_NO_ENGINE
UI_METHOD *UI_stunnel() {
return UI_OpenSSL();
}
#endif
/* end of ui_unix.c */

138
src/ui_win_cli.c Normal file
View File

@ -0,0 +1,138 @@
/*
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
int main(int argc, char *argv[]) {
static struct WSAData wsa_state;
TCHAR *c, stunnel_exe_path[MAX_PATH];
tls_init(); /* initialize thread-local storage */
/* set current working directory and engine path */
GetModuleFileName(0, stunnel_exe_path, MAX_PATH);
c=_tcsrchr(stunnel_exe_path, TEXT('\\')); /* last backslash */
if(c) { /* found */
*c=TEXT('\0'); /* truncate the program name */
c=_tcsrchr(stunnel_exe_path, TEXT('\\')); /* previous backslash */
if(c && !_tcscmp(c+1, TEXT("bin")))
*c=TEXT('\0'); /* truncate "bin" */
}
#ifndef _WIN32_WCE
if(!SetCurrentDirectory(stunnel_exe_path)) {
/* log to stderr, as s_log() is not initialized */
_ftprintf(stderr, TEXT("Cannot set directory to %s"),
stunnel_exe_path);
return 1;
}
/* try to enter the "config" subdirectory, ignore the result */
SetCurrentDirectory(TEXT("config"));
#endif
_tputenv(str_tprintf(TEXT("OPENSSL_ENGINES=%s\\engines"),
stunnel_exe_path));
if(WSAStartup(MAKEWORD(1, 1), &wsa_state))
return 1;
resolver_init();
main_init();
if(!main_configure(argc>1 ? argv[1] : NULL, argc>2 ? argv[2] : NULL))
daemon_loop();
main_cleanup();
return 0;
}
/**************************************** options callbacks */
void ui_config_reloaded(void) {
/* no action */
}
ICON_IMAGE load_icon_default(ICON_TYPE type) {
(void)type; /* squash the unused parameter warning */
return NULL;
}
ICON_IMAGE load_icon_file(const char *name) {
(void)name; /* squash the unused parameter warning */
return NULL;
}
/**************************************** client callbacks */
void ui_new_chain(const unsigned section_number) {
(void)section_number; /* squash the unused parameter warning */
}
void ui_clients(const long num) {
(void)num; /* squash the unused parameter warning */
}
/**************************************** s_log callbacks */
void message_box(LPCTSTR text, const UINT type) {
MessageBox(NULL, text, TEXT("stunnel"), type);
}
void ui_new_log(const char *line) {
LPTSTR tstr;
tstr=str2tstr(line);
#ifdef _WIN32_WCE
/* log to Windows CE debug output stream */
RETAILMSG(TRUE, (TEXT("%s\r\n"), tstr));
#else
/* use UTF-16 or native codepage rather than UTF-8 */
_ftprintf(stderr, TEXT("%s\r\n"), tstr);
fflush(stderr);
#endif
str_free(tstr);
}
/**************************************** ctx callbacks */
int ui_passwd_cb(char *buf, int size, int rwflag, void *userdata) {
return PEM_def_callback(buf, size, rwflag, userdata);
}
#ifndef OPENSSL_NO_ENGINE
UI_METHOD *UI_stunnel() {
return UI_OpenSSL();
}
#endif
/* end of ui_win_cli.c */

994
src/gui.c → src/ui_win_gui.c
View File

File diff suppressed because it is too large Load Diff

66
src/vc.mak
View File

@ -1,4 +1,4 @@
# vc.mak by Michal Trojnara 1998-2013
# vc.mak by Michal Trojnara 1998-2017
# with help of David Gillingham <dgillingham@gmail.com>
# with help of Pierre Delaage <delaage.pierre@free.fr>
@ -8,49 +8,51 @@
# - Visual C++ 2005 Professional Edition
# - Visual C++ 2008 Express Edition
!IF [ml64.exe /help >NUL 2>&1]
TARGET=win32
!ELSE
TARGET=win64
!ENDIF
!MESSAGE Detected target: $(TARGET)
!MESSAGE
# modify this to point to your OpenSSL directory
# either install a precompiled version (*not* the "Light" one) from
# http://www.slproweb.com/products/Win32OpenSSL.html
#SSLDIR=C:\OpenSSL-Win32
#INCDIR=$(SSLDIR)\include
#FIPSDIR=$(SSLDIR)\include
#LIBDIR=$(SSLDIR)\lib
# or compile one yourself
#SSLDIR=..\..\openssl-1.0.1e
#INCDIR=$(SSLDIR)\inc32
#FIPSDIR=$(SSLDIR)\inc32
#LIBDIR=$(SSLDIR)\out32dll
SSLDIR=\devel\$(TARGET)\openssl
# or simply install with "nmake -f ms\ntdll.mak install"
SSLDIR=\usr\local\ssl
#SSLDIR=\usr\local\ssl
INCDIR=$(SSLDIR)\include
FIPSDIR=$(SSLDIR)\fips-2.0\include
LIBDIR=$(SSLDIR)\lib
TARGETCPU=W32
SRC=..\src
OBJROOT=..\obj
OBJ=$(OBJROOT)\$(TARGETCPU)
OBJ=$(OBJROOT)\$(TARGET)
BINROOT=..\bin
BIN=$(BINROOT)\$(TARGETCPU)
BIN=$(BINROOT)\$(TARGET)
SHAREDOBJS=$(OBJ)\stunnel.obj $(OBJ)\ssl.obj $(OBJ)\ctx.obj \
$(OBJ)\verify.obj $(OBJ)\file.obj $(OBJ)\client.obj \
$(OBJ)\protocol.obj $(OBJ)\sthreads.obj $(OBJ)\log.obj \
$(OBJ)\options.obj $(OBJ)\network.obj $(OBJ)\resolver.obj \
$(OBJ)\str.obj $(OBJ)/fd.obj
GUIOBJS=$(OBJ)\gui.obj $(OBJ)\resources.res
NOGUIOBJS=$(OBJ)\nogui.obj
$(OBJ)\str.obj $(OBJ)\tls.obj $(OBJ)\fd.obj $(OBJ)\dhparam.obj \
$(OBJ)\cron.obj
GUIOBJS=$(OBJ)\ui_win_gui.obj $(OBJ)\resources.res
CLIOBJS=$(OBJ)\ui_win_cli.obj
CC=cl
LINK=link
CFLAGS=/MD /W3 /O2 /nologo /I"$(INCDIR)" /I"$(FIPSDIR)"
LDFLAGS=/NOLOGO
UNICODEFLAGS=/DUNICODE /D_UNICODE
CFLAGS=/MD /W3 /O2 /nologo /I"$(INCDIR)" $(UNICODEFLAGS)
LDFLAGS=/NOLOGO /DEBUG
SHAREDLIBS=ws2_32.lib user32.lib
GUILIBS=advapi32.lib comdlg32.lib crypt32.lib gdi32.lib \
psapi.lib shell32.lib
NOGUILIBS=
SHAREDLIBS=ws2_32.lib user32.lib shell32.lib kernel32.lib
GUILIBS=advapi32.lib comdlg32.lib crypt32.lib gdi32.lib psapi.lib
CLILIBS=
SSLLIBS=/LIBPATH:"$(LIBDIR)" libeay32.lib ssleay32.lib
# static linking:
# /LIBPATH:"$(LIBDIR)\VC\static" libeay32MD.lib ssleay32MD.lib
@ -60,13 +62,15 @@ SSLLIBS=/LIBPATH:"$(LIBDIR)" libeay32.lib ssleay32.lib
{$(SRC)\}.rc{$(OBJ)\}.res:
$(RC) -fo$@ -r $<
all: makedirs $(BIN)\stunnel.exe $(BIN)\tstunnel.exe
all: build
build: makedirs $(BIN)\stunnel.exe $(BIN)\tstunnel.exe
clean:
-@ del $(SHAREDOBJS) >NUL 2>&1
-@ del $(GUIBJS) >NUL 2>&1
-@ del $(NOGUIBJS) >NUL 2>&1
-@ del $(GUIOBJS) >NUL 2>&1
-@ del $(CLIOBJS) >NUL 2>&1
# -@ del *.manifest >NUL 2>&1
-@ del $(BIN)\stunnel.exe >NUL 2>&1
-@ del $(BIN)\stunnel.exe.manifest >NUL 2>&1
@ -75,7 +79,7 @@ clean:
-@ rmdir $(OBJ) >NUL 2>&1
-@ rmdir $(BIN) >NUL 2>&1
makedirs:
makedirs:
-@ IF NOT EXIST $(OBJROOT) mkdir $(OBJROOT) >NUL 2>&1
-@ IF NOT EXIST $(OBJ) mkdir $(OBJ) >NUL 2>&1
-@ IF NOT EXIST $(BINROOT) mkdir $(BINROOT) >NUL 2>&1
@ -83,15 +87,15 @@ makedirs:
$(SHAREDOBJS): *.h vc.mak
$(GUIOBJS): *.h vc.mak
$(NOGUIOBJS): *.h vc.mak
$(CLIOBJS): *.h vc.mak
$(BIN)\stunnel.exe: $(SHAREDOBJS) $(GUIOBJS)
$(LINK) $(LDFLAGS) $(SHAREDLIBS) $(GUILIBS) $(SSLLIBS) /OUT:$@ $**
IF EXIST $@.manifest \
mt -nologo -manifest $@.manifest -outputresource:$@;1
$(BIN)\tstunnel.exe: $(SHAREDOBJS) $(NOGUIOBJS)
$(LINK) $(LDFLAGS) $(SHAREDLIBS) $(NOGUILIBS) $(SSLLIBS) /OUT:$@ $**
$(BIN)\tstunnel.exe: $(SHAREDOBJS) $(CLIOBJS)
$(LINK) $(LDFLAGS) $(SHAREDLIBS) $(CLILIBS) $(SSLLIBS) /OUT:$@ $**
IF EXIST $@.manifest \
mt -nologo -manifest $@.manifest -outputresource:$@;1

836
src/verify.c
View File

File diff suppressed because it is too large Load Diff

183
src/version.h
View File

@ -1,88 +1,95 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#ifndef VERSION_MAJOR
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif /* HAVE_CONFIG_H */
/* HOST may be undefined on Win32 platform */
#ifndef HOST
#ifdef __MINGW32__
#define HOST "x86-pc-mingw32-gnu"
#else /* __MINGW32__ */
#ifdef _MSC_VER
#define _QUOTEME(x) #x
#define QUOTEME(x) _QUOTEME(x)
#define HOST "x86-pc-msvc-" ## QUOTEME(_MSC_VER)
#else /* _MSC_VER */
#define HOST "x86-pc-unknown"
#endif /* _MSC_VER */
#endif /* __MINGW32__ */
#endif /* HOST */
/* START CUSTOMIZE */
#define VERSION_MAJOR 4
#define VERSION_MINOR 57
/* END CUSTOMIZE */
/* all the following macros are ABSOLUTELY NECESSARY to have proper string
* construction with VARIOUS C preprocessors (EVC, VC, BCC, GCC) */
#define STRINGIZE0(x) #x
#define STRINGIZE(x) STRINGIZE0(x)
#define STRZCONCAT30(a,b,c) a##b##c
#define STRZCONCAT3(a,b,c) STRZCONCAT30(a,b,c)
/* for resource.rc, stunnel.c, gui.c */
#define STUNNEL_VERSION0 STRZCONCAT3(VERSION_MAJOR, . , VERSION_MINOR)
#define STUNNEL_VERSION STRINGIZE(STUNNEL_VERSION0)
/* for resources.rc */
#define STUNNEL_VERSION_FIELDS VERSION_MAJOR,VERSION_MINOR,0,0
#define STUNNEL_PRODUCTNAME "stunnel " STUNNEL_VERSION " for " HOST
/* some useful tricks for preprocessing debugging */
#if 0
#pragma message ( "VERSION.H: STUNNEL_VERSION is " STUNNEL_VERSION )
#pragma message ( "VERSION.H: HOST is " HOST )
#pragma message ( "VERSION.H: STUNNEL_PRODUCTNAME is " STUNNEL_PRODUCTNAME )
#endif
#endif /* VERSION_MAJOR */
/* end of version.h */
/*
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#ifndef VERSION_MAJOR
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif /* HAVE_CONFIG_H */
/* HOST may be undefined on Win32 platform */
#ifndef HOST
#if defined(_WIN64)
#define PLATFORM "x64"
#elif defined(_WIN32)
#define PLATFORM "x86"
#else /* although MSDN claims that _WIN32 is always defined */
#define PLATFORM "unknown"
#endif
#ifdef __MINGW32__
#define HOST PLATFORM "-pc-mingw32-gnu"
#else /* __MINGW32__ */
#ifdef _MSC_VER
#define xstr(a) str(a)
#define str(a) #a
#define HOST PLATFORM "-pc-msvc-" xstr(_MSC_VER)
#else /* _MSC_VER */
#define HOST PLATFORM "-pc-unknown"
#endif /* _MSC_VER */
#endif /* __MINGW32__ */
#endif /* HOST */
/* START CUSTOMIZE */
#define VERSION_MAJOR 5
#define VERSION_MINOR 42
/* END CUSTOMIZE */
/* all the following macros are ABSOLUTELY NECESSARY to have proper string
* construction with VARIOUS C preprocessors (EVC, VC, BCC, GCC) */
#define STRINGIZE0(x) #x
#define STRINGIZE(x) STRINGIZE0(x)
#define STRZCONCAT30(a,b,c) a##b##c
#define STRZCONCAT3(a,b,c) STRZCONCAT30(a,b,c)
/* for resource.rc, stunnel.c, gui.c */
#define STUNNEL_VERSION0 STRZCONCAT3(VERSION_MAJOR, . , VERSION_MINOR)
#define STUNNEL_VERSION STRINGIZE(STUNNEL_VERSION0)
/* for resources.rc */
#define STUNNEL_VERSION_FIELDS VERSION_MAJOR,VERSION_MINOR,0,0
#define STUNNEL_PRODUCTNAME "stunnel " STUNNEL_VERSION " for " HOST
/* some useful tricks for preprocessing debugging */
#if 0
#pragma message ( "VERSION.H: STUNNEL_VERSION is " STUNNEL_VERSION )
#pragma message ( "VERSION.H: HOST is " HOST )
#pragma message ( "VERSION.H: STUNNEL_PRODUCTNAME is " STUNNEL_PRODUCTNAME )
#endif
#endif /* VERSION_MAJOR */
/* end of version.h */

49
tools/Makefile.am
View File

@ -1,36 +1,41 @@
## Process this file with automake to produce Makefile.in
# by Michal Trojnara 2015-2017
EXTRA_DIST = ca.html ca.pl importCA.html importCA.sh script.sh \
stunnel.spec stunnel.cnf stunnel.nsi stunnel.license stunnel.conf
EXTRA_DIST = ca.html ca.pl importCA.html importCA.sh script.sh makecert.sh
EXTRA_DIST += openssl.cnf stunnel.nsi stunnel.license stunnel.conf
EXTRA_DIST += stunnel.conf-sample.in stunnel.init.in stunnel.service.in
EXTRA_DIST += stunnel.logrotate stunnel.rh.init stunnel.spec
confdir = $(sysconfdir)/stunnel
conf_DATA = stunnel.conf-sample
docdir = $(datadir)/doc/stunnel
examplesdir = $(docdir)/examples
examples_DATA = ca.html ca.pl importCA.html importCA.sh script.sh \
stunnel.spec stunnel.init stunnel.service
examples_DATA = stunnel.init stunnel.service
examples_DATA += stunnel.logrotate stunnel.rh.init stunnel.spec
examples_DATA += ca.html ca.pl importCA.html importCA.sh script.sh
CLEANFILES = stunnel.conf-sample stunnel.init stunnel.service
OPENSSL=$(SSLDIR)/bin/openssl
install-data-local:
if test ! -r $(DESTDIR)$(confdir)/stunnel.pem; then \
if test -r "$(RANDOM_FILE)"; then \
dd if="$(RANDOM_FILE)" of=stunnel.rnd bs=256 count=1; \
RND="-rand stunnel.rnd"; \
else \
RND=""; \
fi; \
$(OPENSSL) req -new -x509 -days 365 $$RND \
-config $(srcdir)/stunnel.cnf \
-out stunnel.pem -keyout stunnel.pem; \
$(OPENSSL) gendh $$RND 1024 >> stunnel.pem; \
$(OPENSSL) x509 -subject -dates -fingerprint -noout -in stunnel.pem; \
${INSTALL} -m 600 stunnel.pem $(DESTDIR)$(confdir)/stunnel.pem; \
rm stunnel.pem; \
fi
${INSTALL} -d -m 1770 $(DESTDIR)$(localstatedir)/lib/stunnel
-chgrp $(DEFAULT_GROUP) $(DESTDIR)$(localstatedir)/lib/stunnel
clean-local:
-rm -f stunnel.rnd
cert:
$(srcdir)/makecert.sh $(srcdir) $(SSLDIR) $(RANDOM_FILE)
${INSTALL} -b -m 600 stunnel.pem $(DESTDIR)$(confdir)/stunnel.pem
rm -f stunnel.pem
edit = sed \
-e 's|@prefix[@]|$(prefix)|g' \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@localstatedir[@]|$(localstatedir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g' \
-e 's|@DEFAULT_GROUP[@]|$(DEFAULT_GROUP)|g'
stunnel.conf-sample stunnel.init stunnel.service: Makefile
$(edit) '$(srcdir)/$@.in' >$@
stunnel.conf-sample: $(srcdir)/stunnel.conf-sample.in
stunnel.init: $(srcdir)/stunnel.init.in
stunnel.service: $(srcdir)/stunnel.service.in

203
tools/Makefile.in
View File

@ -1,9 +1,8 @@
# Makefile.in generated by automake 1.11.1 from Makefile.am.
# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
# Inc.
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@ -15,7 +14,54 @@
@SET_MAKE@
# by Michal Trojnara 2015-2017
VPATH = @srcdir@
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@ -35,9 +81,7 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = tools
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
$(srcdir)/stunnel.conf-sample.in $(srcdir)/stunnel.init.in \
$(srcdir)/stunnel.service.in
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
@ -47,10 +91,27 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/src/config.h
CONFIG_CLEAN_FILES = stunnel.conf-sample stunnel.init stunnel.service
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
SOURCES =
DIST_SOURCES =
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@ -72,11 +133,19 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
am__installdirs = "$(DESTDIR)$(confdir)" "$(DESTDIR)$(examplesdir)"
DATA = $(conf_DATA) $(examples_DATA)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
@ -91,6 +160,7 @@ CYGPATH_W = @CYGPATH_W@
DEFAULT_GROUP = @DEFAULT_GROUP@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@ -115,6 +185,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
@ -130,6 +201,9 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PTHREAD_CC = @PTHREAD_CC@
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
PTHREAD_LIBS = @PTHREAD_LIBS@
RANDOM_FILE = @RANDOM_FILE@
RANLIB = @RANLIB@
SED = @SED@
@ -142,6 +216,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@ -149,6 +224,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
ax_pthread_config = @ax_pthread_config@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@ -174,7 +250,6 @@ libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
lt_ECHO = @lt_ECHO@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
@ -182,27 +257,34 @@ pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
stunnel_CFLAGS = @stunnel_CFLAGS@
stunnel_LDFLAGF = @stunnel_LDFLAGF@
stunnel_LDFLAGS = @stunnel_LDFLAGS@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
EXTRA_DIST = ca.html ca.pl importCA.html importCA.sh script.sh \
stunnel.spec stunnel.cnf stunnel.nsi stunnel.license stunnel.conf
makecert.sh openssl.cnf stunnel.nsi stunnel.license \
stunnel.conf stunnel.conf-sample.in stunnel.init.in \
stunnel.service.in stunnel.logrotate stunnel.rh.init \
stunnel.spec
confdir = $(sysconfdir)/stunnel
conf_DATA = stunnel.conf-sample
examplesdir = $(docdir)/examples
examples_DATA = ca.html ca.pl importCA.html importCA.sh script.sh \
stunnel.spec stunnel.init stunnel.service
examples_DATA = stunnel.init stunnel.service stunnel.logrotate \
stunnel.rh.init stunnel.spec ca.html ca.pl importCA.html \
importCA.sh script.sh
CLEANFILES = stunnel.conf-sample stunnel.init stunnel.service
edit = sed \
-e 's|@prefix[@]|$(prefix)|g' \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@localstatedir[@]|$(localstatedir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g' \
-e 's|@DEFAULT_GROUP[@]|$(DEFAULT_GROUP)|g'
OPENSSL = $(SSLDIR)/bin/openssl
all: all-am
.SUFFIXES:
@ -236,12 +318,6 @@ $(top_srcdir)/configure: $(am__configure_deps)
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
stunnel.conf-sample: $(top_builddir)/config.status $(srcdir)/stunnel.conf-sample.in
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
stunnel.init: $(top_builddir)/config.status $(srcdir)/stunnel.init.in
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
stunnel.service: $(top_builddir)/config.status $(srcdir)/stunnel.service.in
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
mostlyclean-libtool:
-rm -f *.lo
@ -250,8 +326,11 @@ clean-libtool:
-rm -rf .libs _libs
install-confDATA: $(conf_DATA)
@$(NORMAL_INSTALL)
test -z "$(confdir)" || $(MKDIR_P) "$(DESTDIR)$(confdir)"
@list='$(conf_DATA)'; test -n "$(confdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(confdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(confdir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
@ -265,13 +344,14 @@ uninstall-confDATA:
@$(NORMAL_UNINSTALL)
@list='$(conf_DATA)'; test -n "$(confdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
test -n "$$files" || exit 0; \
echo " ( cd '$(DESTDIR)$(confdir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(confdir)" && rm -f $$files
dir='$(DESTDIR)$(confdir)'; $(am__uninstall_files_from_dir)
install-examplesDATA: $(examples_DATA)
@$(NORMAL_INSTALL)
test -z "$(examplesdir)" || $(MKDIR_P) "$(DESTDIR)$(examplesdir)"
@list='$(examples_DATA)'; test -n "$(examplesdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(examplesdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(examplesdir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
@ -285,14 +365,12 @@ uninstall-examplesDATA:
@$(NORMAL_UNINSTALL)
@list='$(examples_DATA)'; test -n "$(examplesdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
test -n "$$files" || exit 0; \
echo " ( cd '$(DESTDIR)$(examplesdir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(examplesdir)" && rm -f $$files
tags: TAGS
TAGS:
dir='$(DESTDIR)$(examplesdir)'; $(am__uninstall_files_from_dir)
tags TAGS:
ctags: CTAGS
CTAGS:
ctags CTAGS:
cscope cscopelist:
distdir: $(DISTFILES)
@ -342,13 +420,19 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
`test -z '$(STRIP)' || \
echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
@ -359,7 +443,7 @@ maintainer-clean-generic:
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am
clean-am: clean-generic clean-libtool clean-local mostlyclean-am
clean-am: clean-generic clean-libtool mostlyclean-am
distclean: distclean-am
-rm -f Makefile
@ -427,40 +511,35 @@ uninstall-am: uninstall-confDATA uninstall-examplesDATA
.MAKE: install-am install-strip
.PHONY: all all-am check check-am clean clean-generic clean-libtool \
clean-local distclean distclean-generic distclean-libtool \
distdir dvi dvi-am html html-am info info-am install \
install-am install-confDATA install-data install-data-am \
install-data-local install-dvi install-dvi-am \
cscopelist-am ctags-am distclean distclean-generic \
distclean-libtool distdir dvi dvi-am html html-am info info-am \
install install-am install-confDATA install-data \
install-data-am install-data-local install-dvi install-dvi-am \
install-examplesDATA install-exec install-exec-am install-html \
install-html-am install-info install-info-am install-man \
install-pdf install-pdf-am install-ps install-ps-am \
install-strip installcheck installcheck-am installdirs \
maintainer-clean maintainer-clean-generic mostlyclean \
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
uninstall uninstall-am uninstall-confDATA \
tags-am uninstall uninstall-am uninstall-confDATA \
uninstall-examplesDATA
install-data-local:
if test ! -r $(DESTDIR)$(confdir)/stunnel.pem; then \
if test -r "$(RANDOM_FILE)"; then \
dd if="$(RANDOM_FILE)" of=stunnel.rnd bs=256 count=1; \
RND="-rand stunnel.rnd"; \
else \
RND=""; \
fi; \
$(OPENSSL) req -new -x509 -days 365 $$RND \
-config $(srcdir)/stunnel.cnf \
-out stunnel.pem -keyout stunnel.pem; \
$(OPENSSL) gendh $$RND 1024 >> stunnel.pem; \
$(OPENSSL) x509 -subject -dates -fingerprint -noout -in stunnel.pem; \
${INSTALL} -m 600 stunnel.pem $(DESTDIR)$(confdir)/stunnel.pem; \
rm stunnel.pem; \
fi
${INSTALL} -d -m 1770 $(DESTDIR)$(localstatedir)/lib/stunnel
-chgrp $(DEFAULT_GROUP) $(DESTDIR)$(localstatedir)/lib/stunnel
clean-local:
-rm -f stunnel.rnd
cert:
$(srcdir)/makecert.sh $(srcdir) $(SSLDIR) $(RANDOM_FILE)
${INSTALL} -b -m 600 stunnel.pem $(DESTDIR)$(confdir)/stunnel.pem
rm -f stunnel.pem
stunnel.conf-sample stunnel.init stunnel.service: Makefile
$(edit) '$(srcdir)/$@.in' >$@
stunnel.conf-sample: $(srcdir)/stunnel.conf-sample.in
stunnel.init: $(srcdir)/stunnel.init.in
stunnel.service: $(srcdir)/stunnel.service.in
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.

2
tools/ca.pl
View File

@ -61,5 +61,5 @@ sub ReadForm {
sub Error {
print "Content-type: text/html\n\n";
print "<P><P><center><H1>Cant open file</H1></center>\n";
print "<P><P><center><H1>Can't open file</H1></center>\n";
}

29
tools/makecert.sh Executable file
View File

@ -0,0 +1,29 @@
#!/bin/sh
if test -n "$1"; then
CONF="$1/openssl.cnf"
else
CONF="openssl.cnf"
fi
if test -n "$2"; then
OPENSSL="$2/bin/openssl"
else
OPENSSL=openssl
fi
if test -n "$3"; then
RAND="$3"
else
RAND="/dev/urandom"
fi
dd if="$RAND" of=stunnel.rnd bs=256 count=1
$OPENSSL req -new -x509 -days 1461 -rand stunnel.rnd -config $CONF \
-out stunnel.pem -keyout stunnel.pem
rm -f stunnel.rnd
echo
echo "Certificate details:"
$OPENSSL x509 -subject -dates -fingerprint -noout -in stunnel.pem
echo

23
tools/stunnel.cnf → tools/openssl.cnf
View File

@ -1,15 +1,23 @@
# OpenSSL configuration file to create a server certificate
# by Michal Trojnara 1998-2013
# by Michal Trojnara 1998-2017
[ req ]
# the default key length is secure and quite fast - do not change it
default_bits = 2048
# comment out the next line to protect the private key with a passphrase
encrypt_key = no
distinguished_name = req_dn
x509_extensions = cert_type
# the default key length is secure and quite fast - do not change it
default_bits = 2048
default_md = sha1
x509_extensions = stunnel_extensions
distinguished_name = stunnel_dn
[ req_dn ]
[ stunnel_extensions ]
nsCertType = server
basicConstraints = CA:TRUE,pathlen:0
keyUsage = keyCertSign
extendedKeyUsage = serverAuth
nsComment = "stunnel self-signed certificate"
[ stunnel_dn ]
countryName = Country Name (2 letter code)
countryName_default = PL
countryName_min = 2
@ -37,6 +45,3 @@ organizationalUnitName_default = Provisional CA
# See http://home.netscape.com/eng/security/ssl_2.0_certificate.html
# to see how Netscape understands commonName.
[ cert_type ]
nsCertType = server

146
tools/stunnel.conf
View File

@ -1,4 +1,4 @@
; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2012
; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2017
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options
@ -7,85 +7,129 @@
; * Global options *
; **************************************************************************
; Debugging stuff (may useful for troubleshooting)
;debug = 7
; Debugging stuff (may be useful for troubleshooting)
;debug = info
;output = stunnel.log
; Disable FIPS mode to allow non-approved protocols and algorithms
;fips = no
; Enable FIPS 140-2 mode if needed for compliance
;fips = yes
; Microsoft CryptoAPI engine allows for authentication with private keys
; stored in the Windows certificate store
; Each section using this feature also needs the "engineId = capi" option
;engine = capi
; The pkcs11 engine allows for authentication with cryptographic
; keys isolated in a hardware or software token
; MODULE_PATH specifies the path to the pkcs11 module shared library,
; e.g. softhsm2.dll or opensc-pkcs11.so
; Each section using this feature also needs the "engineId = pkcs11" option
;engine = pkcs11
;engineCtrl = MODULE_PATH:softhsm2.dll
;engineCtrl = PIN:1234
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Certificate/key is needed in server mode and optional in client mode
cert = stunnel.pem
;key = stunnel.pem
; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively CRLfile can be used
;CRLfile = crls.pem
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
; **************************************************************************
; * Include all configuration file fragments from the specified folder *
; **************************************************************************
;include = conf.d
; **************************************************************************
; * Service definitions (at least one service has to be defined) *
; **************************************************************************
; Example SSL server mode services
; ***************************************** Example TLS client mode services
[pop3s]
accept = 995
connect = 110
[gmail-pop3]
client = yes
accept = 127.0.0.1:110
connect = pop.gmail.com:995
verifyChain = yes
CAfile = ca-certs.pem
checkHost = pop.gmail.com
OCSPaia = yes
[imaps]
accept = 993
connect = 143
[gmail-imap]
client = yes
accept = 127.0.0.1:143
connect = imap.gmail.com:993
verifyChain = yes
CAfile = ca-certs.pem
checkHost = imap.gmail.com
OCSPaia = yes
[ssmtp]
accept = 465
connect = 25
[gmail-smtp]
client = yes
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
verifyChain = yes
CAfile = ca-certs.pem
checkHost = smtp.gmail.com
OCSPaia = yes
; Example SSL client mode services
;[gmail-pop3]
; Encrypted HTTP proxy authenticated with a client certificate
; located in the Windows certificate store
;[example-proxy]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995
;accept = 127.0.0.1:8080
;connect = example.com:8443
;engineId = capi
;[gmail-imap]
; Encrypted HTTP proxy authenticated with a client certificate
; located in a cryptographic token
;[example-pkcs11]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993
;accept = 127.0.0.1:8080
;connect = example.com:8443
;engineId = pkcs11
;cert = pkcs11:token=MyToken;object=MyCert
;key = pkcs11:token=MyToken;object=MyKey
;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465
; ***************************************** Example TLS server mode services
; Example SSL front-end to a web server
;[pop3s]
;accept = 995
;connect = 110
;cert = stunnel.pem
;[imaps]
;accept = 993
;connect = 143
;cert = stunnel.pem
;[ssmtp]
;accept = 465
;connect = 25
;cert = stunnel.pem
; TLS front-end to a web server
;[https]
;accept = 443
;connect = 80
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;cert = stunnel.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
;TIMEOUTclose = 0
; Remote cmd.exe protected with PSK-authenticated TLS
; Create "secrets.txt" containing IDENTITY:KEY pairs
;[cmd]
;accept = 1337
;exec = c:\windows\system32\cmd.exe
;execArgs = cmd.exe
;ciphers = PSK
;PSKsecrets = secrets.txt
; vim:ft=dosini

161
tools/stunnel.conf-sample.in
View File

@ -1,4 +1,4 @@
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2013
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2017
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options
@ -7,94 +7,135 @@
; * Global options *
; **************************************************************************
; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
chroot = @prefix@/var/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
setuid = nobody
setgid = @DEFAULT_GROUP@
; It is recommended to drop root privileges if stunnel is started by root
;setuid = nobody
;setgid = @DEFAULT_GROUP@
; PID is created inside the chroot jail
pid = /stunnel.pid
; PID file is created inside the chroot jail (if enabled)
;pid = @localstatedir@/run/stunnel.pid
; Debugging stuff (may useful for troubleshooting)
;debug = 7
;output = stunnel.log
; Debugging stuff (may be useful for troubleshooting)
;foreground = yes
;debug = info
;output = @localstatedir@/log/stunnel.log
; Enable FIPS 140-2 mode if needed for compliance
;fips = yes
; The pkcs11 engine allows for authentication with cryptographic
; keys isolated in a hardware or software token
; MODULE_PATH specifies the path to the pkcs11 module shared library,
; e.g. softhsm2.dll or opensc-pkcs11.so
; Each section using this feature also needs the "engineId = pkcs11" option
;engine = pkcs11
;engineCtrl = MODULE_PATH:/usr/lib/softhsm/libsofthsm2.so
;engineCtrl = PIN:1234
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Certificate/key is needed in server mode and optional in client mode
cert = @prefix@/etc/stunnel/mail.pem
;key = @prefix@/etc/stunnel/mail.pem
; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = @prefix@/etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively CRLfile can be used
;CRLfile = @prefix@/etc/stunnel/crls.pem
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
; **************************************************************************
; * Include all configuration file fragments from the specified folder *
; **************************************************************************
;include = @sysconfdir@/stunnel/conf.d
; **************************************************************************
; * Service definitions (remove all services for inetd mode) *
; **************************************************************************
; Example SSL server mode services
; ***************************************** Example TLS client mode services
[pop3s]
accept = 995
connect = 110
; The following examples use /etc/ssl/certs, which is the common location
; of a hashed directory containing trusted CA certificates. This is not
; a hardcoded path of the stunnel package, as it is not related to the
; stunnel configuration in @sysconfdir@/stunnel/.
[imaps]
accept = 993
connect = 143
[gmail-pop3]
client = yes
accept = 127.0.0.1:110
connect = pop.gmail.com:995
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = pop.gmail.com
OCSPaia = yes
[ssmtp]
accept = 465
connect = 25
[gmail-imap]
client = yes
accept = 127.0.0.1:143
connect = imap.gmail.com:993
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = imap.gmail.com
OCSPaia = yes
; Example SSL client mode services
[gmail-smtp]
client = yes
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = smtp.gmail.com
OCSPaia = yes
;[gmail-pop3]
; Encrypted HTTP proxy authenticated with a client certificate
; located in a cryptographic token
;[example-pkcs11]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995
;accept = 127.0.0.1:8080
;connect = example.com:8443
;engineId = pkcs11
;cert = pkcs11:token=MyToken;object=MyCert
;key = pkcs11:token=MyToken;object=MyKey
;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993
; ***************************************** Example TLS server mode services
;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465
;[pop3s]
;accept = 995
;connect = 110
;cert = @sysconfdir@/stunnel/stunnel.pem
; Example SSL front-end to a web server
;[imaps]
;accept = 993
;connect = 143
;cert = @sysconfdir@/stunnel/stunnel.pem
;[ssmtp]
;accept = 465
;connect = 25
;cert = @sysconfdir@/stunnel/stunnel.pem
; TLS front-end to a web server
;[https]
;accept = 443
;connect = 80
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;cert = @sysconfdir@/stunnel/stunnel.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
;TIMEOUTclose = 0
; Remote shell protected with PSK-authenticated TLS
; Create "@sysconfdir@/stunnel/secrets.txt" containing IDENTITY:KEY pairs
;[shell]
;accept = 1337
;exec = /bin/sh
;execArgs = sh -i
;ciphers = PSK
;PSKsecrets = @sysconfdir@/stunnel/secrets.txt
; Non-standard MySQL-over-TLS encapsulation connecting the Unix socket
;[mysql]
;cert = @sysconfdir@/stunnel/stunnel.pem
;accept = 3307
;connect = /run/mysqld/mysqld.sock
; vim:ft=dosini

213
tools/stunnel.init.in
View File

@ -7,112 +7,203 @@
# Should-Stop: $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start or stop stunnel 4.x (SSL tunnel for network daemons)
# Short-Description: Start or stop stunnel 4.x (TLS tunnel for network daemons)
# Description: Starts or stops all configured TLS network tunnels. Each *.conf file in
# @sysconfdir@/stunnel/ will spawn a separate stunnel process. The list of files
# can be overridden in @sysconfdir@/default/stunnel, and that same file can be used
# to completely disable *all* tunnels.
### END INIT INFO
# Author / upstream maintainer note:
# With the planned introduction of a control interface (conceptually similar to
# apache2ctl), running separate processes for each *.conf will become obsolete.
# Please add "include = @sysconfdir@/stunnel/conf.d" to stunnel.conf instead.
. /lib/lsb/init-functions
DEFAULTPIDFILE="/var/run/stunnel.pid"
DAEMON=@prefix@/bin/stunnel
DAEMON=@bindir@/stunnel
NAME=stunnel
DESC="SSL tunnels"
FILES="/etc/stunnel/*.conf"
DESC="TLS tunnels"
OPTIONS=""
ENABLED=0
get_pids() {
local file=$1
if test -f $file; then
CHROOT=`grep "^chroot" $file|sed "s;.*= *;;"`
PIDFILE=`grep "^pid" $file|sed "s;.*= *;;"`
if [ "$PIDFILE" = "" ]; then
PIDFILE=$DEFAULTPIDFILE
fi
if test -f $CHROOT/$PIDFILE; then
cat $CHROOT/$PIDFILE
fi
fi
get_opt() {
sed -e "s;^[[:space:]]*;;" -e "s;[[:space:]]*$;;" \
-e "s;[[:space:]]*=[[:space:]]*;=;" "$1" |
grep -i "^$2=" | sed -e "s;^[^=]*=;;"
}
get_pidfile() {
local file=$1
if [ -f $file ]; then
CHROOT=`get_opt $file chroot`
PIDFILE=`get_opt $file pid`
if [ "$PIDFILE" = "" ]; then
PIDFILE=$DEFAULTPIDFILE
fi
echo "$CHROOT/$PIDFILE"
fi
}
startdaemons() {
local res file args pidfile warn status
if ! [ -d /var/run/stunnel ]; then
rm -rf /var/run/stunnel
install -d -o stunnel -g stunnel /var/run/stunnel
fi
if [ -n "$RLIMITS" ]; then
ulimit $RLIMITS
fi
res=0
for file in $FILES; do
if test -f $file; then
ARGS="$file $OPTIONS"
PROCLIST=`get_pids $file`
if [ "$PROCLIST" ] && kill -s 0 $PROCLIST 2>/dev/null; then
echo -n "[Already running: $file] "
elif $DAEMON $ARGS; then
echo -n "[Started: $file] "
if [ -f $file ]; then
echo -n " $file: "
args="$file $OPTIONS"
pidfile=`get_pidfile $file`
if egrep -qe '^pid[[:space:]]*=' "$file"; then
warn=''
else
echo "[Failed: $file]"
echo "You should check that you have specified the pid= in you configuration file"
exit 1
warn=' (no pid=pidfile specified!)'
fi
status=0
start_daemon -p "$pidfile" "$DAEMON" $args || status=$?
if [ "$status" -eq 0 ]; then
echo -n "started$warn"
else
echo "failed$warn"
echo "You should check that you have specified the pid= in you configuration file"
res=1
fi
fi
done;
echo ''
return "$res"
}
killdaemons()
{
SIGNAL=${1:-TERM}
local sig file pidfile status
sig=${1:-TERM}
res=0
for file in $FILES; do
PROCLIST=`get_pids $file`
if [ "$PROCLIST" ] && kill -s 0 $PROCLIST 2>/dev/null; then
kill -s $SIGNAL $PROCLIST
echo -n "[stopped: $file] "
echo -n " $file: "
pidfile=`get_pidfile $file`
if [ ! -e "$pidfile" ]; then
echo -n "no pid file"
else
status=0
killproc -p "$pidfile" "$DAEMON" "$sig" || status=$?
if [ "$status" -eq 0 ]; then
echo -n 'stopped'
else
echo -n 'failed'
res=1
fi
fi
done
echo ''
return "$res"
}
querydaemons()
{
local res file pidfile status
res=0
for file in $FILES; do
echo -n " $file: "
pidfile=`get_pidfile "$file"`
if [ ! -e "$pidfile" ]; then
echo -n 'no pid file'
res=1
else
status=0
pidofproc -p "$pidfile" "$DAEMON" >/dev/null || status="$?"
if [ "$status" = 0 ]; then
echo -n 'running'
elif [ "$status" = 4 ]; then
echo "cannot access the pid file $pidfile"
res=1
else
echo -n 'stopped'
res=1
fi
fi
done
echo ''
exit "$res"
}
if [ "x$OPTIONS" != "x" ]; then
OPTIONS="-- $OPTIONS"
fi
test -f /etc/default/stunnel && . /etc/default/stunnel
[ -f @sysconfdir@/default/stunnel ] && . @sysconfdir@/default/stunnel
if [ "$ENABLED" = "0" ] ; then
echo "$DESC disabled, see /etc/default/stunnel"
echo "$DESC disabled, see @sysconfdir@/default/stunnel"
exit 0
fi
test -x $DAEMON || exit 0
# If the user want to manage a single tunnel, the conf file's name
# is in $2. Otherwise, respect @sysconfdir@/default/stunnel4 setting.
# If no setting there, use @sysconfdir@/stunnel/*.conf.
if [ -n "${2:-}" ]; then
if [ -e "@sysconfdir@/stunnel/$2.conf" ]; then
FILES="@sysconfdir@/stunnel/$2.conf"
else
echo >&2 "@sysconfdir@/stunnel/$2.conf does not exist."
exit 1
fi
else
if [ -z "$FILES" ]; then
FILES="@sysconfdir@/stunnel/*.conf"
fi
fi
[ -x $DAEMON ] || exit 0
set -e
res=0
case "$1" in
start)
echo -n "Starting $DESC: "
startdaemons
echo "$NAME."
;;
echo -n "Starting $DESC:"
startdaemons
res=$?
;;
stop)
echo -n "Stopping $DESC: "
killdaemons
echo "$NAME."
;;
echo -n "Stopping $DESC:"
killdaemons
res=$?
;;
reopen-logs)
echo -n "Reopening log files $DESC: "
killdaemons USR1
echo "$NAME."
;;
echo -n "Reopening log files $DESC:"
killdaemons USR1
res=$?
;;
force-reload|reload)
echo -n "Reloading configuration $DESC: "
killdaemons HUP
echo "$NAME."
;;
echo -n "Reloading configuration $DESC:"
killdaemons HUP
res=$?
;;
restart)
echo -n "Restarting $DESC: "
killdaemons
sleep 5
startdaemons
echo "$NAME."
;;
echo -n "Restarting $DESC:"
killdaemons && startdaemons
res=$?
;;
status)
echo -n "$DESC status:"
querydaemons
res=$?
;;
*)
N=/etc/init.d/$NAME
echo "Usage: $N {start|stop|reload|reopen-logs|restart}" >&2
exit 1
;;
N=@sysconfdir@/init.d/$NAME
echo "Usage: $N {start|stop|status|reload|reopen-logs|restart} [<stunnel instance>]" >&2
res=1
;;
esac
exit 0
exit "$res"

2
tools/stunnel.license
View File

@ -1,4 +1,4 @@
Copyright (C) 1998-2013 Michal Trojnara
Copyright (C) 1998-2017 Michal Trojnara
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

9
tools/stunnel.logrotate Normal file
View File

@ -0,0 +1,9 @@
/var/log/stunnel/*.log {
weekly
rotate 10
copytruncate
delaycompress
compress
notifempty
missingok
}

767
tools/stunnel.nsi
View File

@ -1,289 +1,556 @@
# NSIS stunnel installer by Michal Trojnara 1998-2013
# NSIS stunnel installer by Michal Trojnara 1998-2017
!define /ifndef VERSION testing
!define /ifndef ARCH win32
!define REGKEY_INSTALL "Software\NSIS_stunnel"
!define REGKEY_UNINST \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel"
!define SHORTCUTS "stunnel $MultiUser.InstallMode"
SetCompressor /SOLID LZMA
Name "stunnel ${VERSION}"
OutFile "stunnel-${VERSION}-${ARCH}-installer.exe"
BrandingText "Author: Michal Trojnara"
# MultiUser
!define MULTIUSER_EXECUTIONLEVEL Highest
!define MULTIUSER_MUI
!define MULTIUSER_INSTALLMODE_COMMANDLINE
!define MULTIUSER_INSTALLMODE_INSTDIR "stunnel"
!define MULTIUSER_INSTALLMODE_INSTDIR_REGISTRY_KEY "${REGKEY_INSTALL}"
!define MULTIUSER_INSTALLMODE_INSTDIR_REGISTRY_VALUENAME "Install_Dir"
!define MULTIUSER_INSTALLMODE_DEFAULT_REGISTRY_KEY "${REGKEY_INSTALL}"
!define MULTIUSER_INSTALLMODE_DEFAULT_REGISTRY_VALUENAME "Install_Mode"
!include MultiUser.nsh
# Modern UI
!define MUI_FINISHPAGE_RUN "$INSTDIR\bin\stunnel.exe"
!define MUI_FINISHPAGE_RUN_TEXT "Start stunnel after installation"
!define MUI_FINISHPAGE_RUN_NOTCHECKED
!include "MUI2.nsh"
# define SF_SELECTED
!include "Sections.nsh"
!ifndef VERSION
!define VERSION 4.57
!endif
!ifndef ZLIBDIR
!define ZLIBDIR zlib-1.2.7
!endif
!ifndef OPENSSLDIR
!define OPENSSLDIR openssl-1.0.1e
!endif
# additional plugins
!addplugindir "plugins/SimpleFC"
!addplugindir "plugins/ShellLink/Plugins"
Name "stunnel ${VERSION}"
OutFile "stunnel-${VERSION}-installer.exe"
InstallDir "$PROGRAMFILES\stunnel"
BrandingText "Author: Michal Trojnara"
LicenseData "stunnel.license"
SetCompressor /SOLID LZMA
InstallDirRegKey HKLM "Software\NSIS_stunnel" "Install_Dir"
!define /ifndef ROOT_DIR \devel
RequestExecutionLevel admin
!define /ifndef STUNNEL_DIR ${ROOT_DIR}\src\stunnel
!define /ifndef STUNNEL_BIN_DIR ${STUNNEL_DIR}\bin\${ARCH}
!define /ifndef STUNNEL_TOOLS_DIR ${STUNNEL_DIR}\tools
!define /ifndef STUNNEL_DOC_DIR ${STUNNEL_DIR}\doc
!define /ifndef STUNNEL_SRC_DIR ${STUNNEL_DIR}\src
Page license
Page components
Page directory
Page instfiles
!define /ifndef BIN_DIR ${ROOT_DIR}\${ARCH}
!define /ifndef OPENSSL_DIR ${BIN_DIR}\openssl
!define /ifndef OPENSSL_BIN_DIR ${OPENSSL_DIR}\bin
!define /ifndef OPENSSL_ENGINES_DIR ${OPENSSL_DIR}\lib\engines
!define /ifndef ZLIB_DIR ${BIN_DIR}\zlib
!define /ifndef REDIST_DIR ${BIN_DIR}\redist
UninstPage uninstConfirm
UninstPage instfiles
!define /ifndef LIBP11_DIR ${ROOT_DIR}\src\libp11-0.4.7\src
Section "Stunnel Core Files (required)"
SectionIn RO
SetOutPath "$INSTDIR"
!define MUI_ICON ${STUNNEL_SRC_DIR}\stunnel.ico
# stop the service, exit stunnel
ReadRegStr $R0 HKLM \
"Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion
IfErrors skip_service_stop
ExecWait '"$INSTDIR\stunnel.exe" -stop -quiet'
skip_service_stop:
ExecWait '"$INSTDIR\stunnel.exe" -exit -quiet'
!insertmacro MUI_PAGE_LICENSE "stunnel.license"
!insertmacro MULTIUSER_PAGE_INSTALLMODE
!insertmacro MUI_PAGE_COMPONENTS
!insertmacro MUI_PAGE_DIRECTORY
!insertmacro MUI_PAGE_INSTFILES
!insertmacro MUI_PAGE_FINISH
# write files
SetOverwrite off
File "stunnel.conf"
SetOverwrite on
!cd ".."
!cd "doc"
File "stunnel.html"
!cd ".."
!cd "bin"
!cd "W32"
File "stunnel.exe"
File "stunnel.exe.manifest"
!cd ".."
!cd ".."
!cd ".."
!cd "${ZLIBDIR}"
File "zlib1.dll"
File "zlib1.dll.manifest"
!cd ".."
!cd "${OPENSSLDIR}"
!cd "out32dll"
File "*.dll"
File "*.dll.manifest"
!cd ".."
!cd ".."
!cd "redist"
File "msvcr90.dll"
File "Microsoft.VC90.CRT.manifest"
!cd ".."
!cd "stunnel"
!cd "tools"
!insertmacro MUI_UNPAGE_CONFIRM
!insertmacro MUI_UNPAGE_INSTFILES
# add firewall rule
SimpleFC::AddApplication "stunnel (GUI Version)" \
"$INSTDIR\stunnel.exe" 0 2 "" 1
Pop $0 # returns error(1)/success(0)
DetailPrint "SimpleFC::AddApplication: $0"
!insertmacro MUI_LANGUAGE "English"
# write uninstaller and its registry entries
WriteUninstaller "uninstall.exe"
WriteRegStr HKLM "Software\NSIS_stunnel" "Install_Dir" "$INSTDIR"
WriteRegStr HKLM \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \
"DisplayName" "stunnel"
WriteRegStr HKLM \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \
"UninstallString" '"$INSTDIR\uninstall.exe"'
WriteRegDWORD HKLM \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \
"NoModify" 1
WriteRegDWORD HKLM \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \
"NoRepair" 1
SectionEnd
!macro MoveFiles src dst pattern
FindFirst $0 $1 "${src}\${pattern}"
!define MoveFilesId ${__LINE__}
loop_${MoveFilesId}:
StrCmp $1 "" done_${MoveFilesId}
Rename "${src}\$1" "${dst}\$1"
FindNext $0 $1
Goto loop_${MoveFilesId}
done_${MoveFilesId}:
FindClose $0
!undef MoveFilesId
!macroend
Section "Self-signed Certificate Tools" sectionCA
SetOutPath "$INSTDIR"
!cd ".."
!cd ".."
!cd "${OPENSSLDIR}"
!cd "out32dll"
File "openssl.exe"
File "openssl.exe.manifest"
!cd ".."
!cd ".."
!cd "stunnel"
!cd "tools"
File "stunnel.cnf"
IfSilent lbl_skip_new_pem
IfFileExists "$INSTDIR\stunnel.pem" lbl_skip_new_pem
ExecWait '"$INSTDIR\openssl.exe" req -new -x509 -days 365 -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem'
lbl_skip_new_pem:
SectionEnd
!macro DetailError message
# pop the error and log the failure
!define DetailErrorId ${__LINE__}
Pop $0 # returns error(-1)/success(0)
IntCmp $0 0 done_${DetailErrorId}
DetailPrint "${message}"
done_${DetailErrorId}:
!undef DetailErrorId
!macroend
Section "Terminal Version of stunnel" sectionTERM
SetOutPath "$INSTDIR"
!cd ".."
!cd "bin"
!cd "W32"
File "tstunnel.exe"
File "tstunnel.exe.manifest"
!cd ".."
!cd ".."
!cd "tools"
# add firewall rule
SimpleFC::AddApplication "stunnel (Terminal Version)" \
"$INSTDIR\tstunnel.exe" 0 2 "" 1
Pop $0 # returns error(1)/success(0)
DetailPrint "SimpleFC::AddApplication: $0"
SectionEnd
!macro SetRunAsAdmin path
# run the link as administrator if InstallMode is AllUsers
!define SetRunAsAdminId ${__LINE__}
StrCmp $MultiUser.InstallMode "CurrentUser" done_${SetRunAsAdminId}
ShellLink::SetRunAsAdministrator "$SMPROGRAMS\${SHORTCUTS}\${path}.lnk"
!insertmacro DetailError "ShellLink::SetRunAsAdministrator failed for ${path}"
done_${SetRunAsAdminId}:
!undef SetRunAsAdminId
!macroend
Section "Start Menu Shortcuts"
SetShellVarContext all
CreateDirectory "$SMPROGRAMS\stunnel"
Var /GLOBAL gui_restart
Var /GLOBAL service_restart
Var /GLOBAL service_reinstall
Var /GLOBAL exe
# remove old links
Delete "$SMPROGRAMS\stunnel\*.lnk"
Delete "$SMPROGRAMS\stunnel\*.url"
# main link
CreateShortCut "$SMPROGRAMS\stunnel\stunnel GUI Start.lnk" \
"$INSTDIR\stunnel.exe" "" "$INSTDIR\stunnel.exe" 0
CreateShortCut "$SMPROGRAMS\stunnel\stunnel GUI Stop.lnk" \
"$INSTDIR\stunnel.exe" "-exit" "$INSTDIR\stunnel.exe" 0
# tstunnel
SectionGetFlags ${sectionTERM} $0
IntOp $0 $0 & ${SF_SELECTED}
IntCmp $0 0 lbl_noTERM
CreateShortCut "$SMPROGRAMS\stunnel\stunnel Terminal Start.lnk" \
"$INSTDIR\tstunnel.exe" "" "$INSTDIR\tstunnel.exe" 0
lbl_noTERM:
# NT service
!macro TerminateStunnel
# initialize with nonzero values: do not restart/reinstall
StrCpy $service_restart 1
StrCpy $service_reinstall 1
# find the old stunnel executable
StrCpy $exe "$INSTDIR\bin\stunnel.exe"
IfFileExists "$exe" found
StrCpy $exe "$INSTDIR\stunnel.exe"
IfFileExists "$exe" found done
found:
# exit the stunnel GUI
ExecWait '"$exe" -exit -quiet' $gui_restart
# stop and uninstall the stunnel service
# setup $service_restart and $service_reinstall
StrCmp $MultiUser.InstallMode "CurrentUser" done
ClearErrors
ReadRegStr $R0 HKLM \
"Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion
IfErrors skip_service_links
IfErrors done
ExecWait '"$exe" -stop -quiet' $service_restart
IntCmp $service_restart 0 0 not_stopped not_stopped
DetailPrint "Service stopped"
not_stopped:
StrCmp "$exe" "$INSTDIR\bin\stunnel.exe" done # no need to uninstall
ExecWait '"$exe" -uninstall -quiet' $service_reinstall
IntCmp $service_reinstall 0 0 done done
DetailPrint "Service uninstalled"
done:
!macroend
CreateShortCut "$SMPROGRAMS\stunnel\stunnel Service Install.lnk" \
"$INSTDIR\stunnel.exe" "-install" "$INSTDIR\stunnel.exe" 0
ShellLink::SetRunAsAdministrator \
"$SMPROGRAMS\stunnel\stunnel Service Install.lnk"
Pop $0 # returns error(-1)/success(0)
DetailPrint "ShellLink::SetRunAsAdministrator: $0"
!macro RestartStunnel
# install the service if $service_reinstall is 0
IntCmp $service_reinstall 0 0 no_service_reinstall no_service_reinstall
ExecWait '"$INSTDIR\bin\stunnel.exe" -install -quiet' $service_reinstall
IntCmp $service_reinstall 0 0 no_service_reinstall no_service_reinstall
DetailPrint "Service installed"
no_service_reinstall:
# start the service if $service_restart is 0
IntCmp $service_restart 0 0 no_service_restart no_service_restart
ExecWait '"$INSTDIR\bin\stunnel.exe" -start -quiet' $service_restart
IntCmp $service_restart 0 0 no_service_restart no_service_restart
DetailPrint "Service started"
no_service_restart:
# start the gui if $gui_restart is 0
# it does not work against stunnel older than 5.23 due to a bug
# IntCmp $gui_restart 0 0 no_gui_restart no_gui_restart
# Exec '"$INSTDIR\bin\stunnel.exe"'
# no_gui_restart:
!macroend
CreateShortCut "$SMPROGRAMS\stunnel\stunnel Service Uninstall.lnk" \
"$INSTDIR\stunnel.exe" "-uninstall" "$INSTDIR\stunnel.exe" 0
ShellLink::SetRunAsAdministrator \
"$SMPROGRAMS\stunnel\stunnel Service Uninstall.lnk"
Pop $0 # returns error(-1)/success(0)
DetailPrint "ShellLink::SetRunAsAdministrator: $0"
!macro CleanupStunnelFiles
# current versions
Delete "$INSTDIR\config\openssl.cnf"
CreateShortCut "$SMPROGRAMS\stunnel\stunnel Service Start.lnk" \
"$INSTDIR\stunnel.exe" "-start" "$INSTDIR\stunnel.exe" 0
ShellLink::SetRunAsAdministrator \
"$SMPROGRAMS\stunnel\stunnel Service Start.lnk"
Pop $0 # returns error(-1)/success(0)
DetailPrint "ShellLink::SetRunAsAdministrator: $0"
Delete "$INSTDIR\bin\stunnel.exe"
Delete "$INSTDIR\bin\stunnel.pdb"
Delete "$INSTDIR\bin\tstunnel.exe"
Delete "$INSTDIR\bin\tstunnel.pdb"
Delete "$INSTDIR\bin\openssl.exe"
Delete "$INSTDIR\bin\openssl.pdb"
Delete "$INSTDIR\bin\libeay32.dll"
Delete "$INSTDIR\bin\libeay32.pdb"
Delete "$INSTDIR\bin\ssleay32.dll"
Delete "$INSTDIR\bin\ssleay32.pdb"
Delete "$INSTDIR\bin\zlib1.dll"
Delete "$INSTDIR\bin\zlib1.pdb"
Delete "$INSTDIR\bin\msvcr90.dll"
Delete "$INSTDIR\bin\Microsoft.VC90.CRT.Manifest"
RMDir "$INSTDIR\bin"
CreateShortCut "$SMPROGRAMS\stunnel\stunnel Service Stop.lnk" \
"$INSTDIR\stunnel.exe" "-stop" "$INSTDIR\stunnel.exe" 0
ShellLink::SetRunAsAdministrator \
"$SMPROGRAMS\stunnel\stunnel Service Stop.lnk"
Pop $0 # returns error(-1)/success(0)
DetailPrint "ShellLink::SetRunAsAdministrator: $0"
skip_service_links:
Delete "$INSTDIR\engines\capi.dll"
Delete "$INSTDIR\engines\capi.pdb"
Delete "$INSTDIR\engines\chil.dll"
Delete "$INSTDIR\engines\chil.pdb"
Delete "$INSTDIR\engines\gmp.dll"
Delete "$INSTDIR\engines\gmp.pdb"
Delete "$INSTDIR\engines\gost.dll"
Delete "$INSTDIR\engines\gost.pdb"
Delete "$INSTDIR\engines\padlock.dll"
Delete "$INSTDIR\engines\padlock.pdb"
Delete "$INSTDIR\engines\ubsec.dll"
Delete "$INSTDIR\engines\ubsec.pdb"
Delete "$INSTDIR\engines\pkcs11.dll"
Delete "$INSTDIR\engines\pkcs11.pdb"
RMDir "$INSTDIR\engines"
# edit config file
CreateShortCut "$SMPROGRAMS\stunnel\Edit stunnel.conf.lnk" \
"notepad.exe" "$INSTDIR\stunnel.conf" "notepad.exe" 0
ShellLink::SetRunAsAdministrator \
"$SMPROGRAMS\stunnel\Edit stunnel.conf.lnk"
Pop $0 # returns error(-1)/success(0)
DetailPrint "ShellLink::SetRunAsAdministrator: $0"
Delete "$INSTDIR\doc\*.html"
RMDir "$INSTDIR\doc"
SectionGetFlags ${sectionCA} $0
IntOp $0 $0 & ${SF_SELECTED}
IntCmp $0 0 lbl_noCA
# menu and desktop shortcuts
Delete "$SMPROGRAMS\${SHORTCUTS}\*.lnk"
Delete "$SMPROGRAMS\${SHORTCUTS}\*.url"
RMDir "$SMPROGRAMS\${SHORTCUTS}"
Delete "$DESKTOP\${SHORTCUTS}.lnk"
# OpenSSL shell
CreateShortCut "$SMPROGRAMS\stunnel\OpenSSL Shell.lnk" \
"$INSTDIR\openssl.exe" "" "$INSTDIR\openssl.exe" 0
# make stunnel.pem
CreateShortCut "$SMPROGRAMS\stunnel\Build Self-signed stunnel.pem.lnk" \
"$INSTDIR\openssl.exe" \
"req -new -x509 -days 365 -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem"
ShellLink::SetRunAsAdministrator \
"$SMPROGRAMS\stunnel\\Build Self-signed stunnel.pem.lnk"
Pop $0 # returns error(-1)/success(0)
DetailPrint "ShellLink::SetRunAsAdministrator: $0"
lbl_noCA:
# help/uninstall
WriteINIStr "$SMPROGRAMS\stunnel\Manual.url" "InternetShortcut" \
"URL" "file://$INSTDIR/stunnel.html"
CreateShortCut "$SMPROGRAMS\stunnel\Uninstall stunnel.lnk" \
"$INSTDIR\uninstall.exe" "" "$INSTDIR\uninstall.exe" 0
SectionEnd
Section "Desktop Shortcut"
SetShellVarContext all
Delete "$DESKTOP\stunnel.lnk"
CreateShortCut "$DESKTOP\stunnel.lnk" \
"$INSTDIR\stunnel.exe" "" "$INSTDIR\stunnel.exe" 0
SectionEnd
Section "Uninstall"
ClearErrors
# stop and remove the service, exit stunnel
ReadRegStr $R0 HKLM \
"Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion
IfErrors skip_service_uninstall
ExecWait '"$INSTDIR\stunnel.exe" -stop -quiet'
ExecWait '"$INSTDIR\stunnel.exe" -uninstall -quiet'
skip_service_uninstall:
ExecWait '"$INSTDIR\stunnel.exe" -exit -quiet'
# remove stunnel folder
Delete "$INSTDIR\stunnel.conf"
Delete "$INSTDIR\stunnel.pem"
# obsolete versions
Delete "$INSTDIR\stunnel.exe"
Delete "$INSTDIR\stunnel.exe.manifest"
Delete "$INSTDIR\stunnel.pdb"
Delete "$INSTDIR\tstunnel.exe"
Delete "$INSTDIR\tstunnel.exe.manifest"
Delete "$INSTDIR\stunnel.cnf"
Delete "$INSTDIR\tstunnel.pdb"
Delete "$INSTDIR\openssl.exe"
Delete "$INSTDIR\openssl.exe.manifest"
Delete "$INSTDIR\*.dll"
Delete "$INSTDIR\*.dll.manifest"
Delete "$INSTDIR\Microsoft.VC90.CRT.manifest"
Delete "$INSTDIR\stunnel.html"
Delete "$INSTDIR\uninstall.exe"
RMDir "$INSTDIR"
Delete "$INSTDIR\openssl.pdb"
Delete "$INSTDIR\libeay32.dll"
Delete "$INSTDIR\libeay32.pdb"
Delete "$INSTDIR\ssleay32.dll"
Delete "$INSTDIR\ssleay32.pdb"
Delete "$INSTDIR\zlib1.dll"
Delete "$INSTDIR\zlib1.pdb"
Delete "$INSTDIR\msvcr90.dll"
# remove menu shortcuts
SetShellVarContext all
Delete "$DESKTOP\stunnel.lnk"
Delete "$INSTDIR\openssl.cnf"
Delete "$INSTDIR\stunnel.html"
Delete "$INSTDIR\stunnel.cnf"
Delete "$INSTDIR\stunnel.exe.manifest"
Delete "$INSTDIR\tstunnel.exe.manifest"
Delete "$INSTDIR\openssl.exe.manifest"
Delete "$INSTDIR\libeay32.dll.manifest"
Delete "$INSTDIR\ssleay32.dll.manifest"
Delete "$INSTDIR\zlib1.dll.manifest"
Delete "$INSTDIR\Microsoft.VC90.CRT.Manifest"
Delete "$INSTDIR\4758cca.dll"
Delete "$INSTDIR\4758cca.dll.manifest"
Delete "$INSTDIR\4758cca.pdb"
Delete "$INSTDIR\aep.dll"
Delete "$INSTDIR\aep.dll.manifest"
Delete "$INSTDIR\aep.pdb"
Delete "$INSTDIR\atalla.dll"
Delete "$INSTDIR\atalla.dll.manifest"
Delete "$INSTDIR\atalla.pdb"
Delete "$INSTDIR\capi.dll"
Delete "$INSTDIR\capi.dll.manifest"
Delete "$INSTDIR\capi.pdb"
Delete "$INSTDIR\chil.dll"
Delete "$INSTDIR\chil.dll.manifest"
Delete "$INSTDIR\chil.pdb"
Delete "$INSTDIR\cswift.dll"
Delete "$INSTDIR\cswift.dll.manifest"
Delete "$INSTDIR\cswift.pdb"
Delete "$INSTDIR\gmp.dll"
Delete "$INSTDIR\gmp.dll.manifest"
Delete "$INSTDIR\gmp.pdb"
Delete "$INSTDIR\gost.dll"
Delete "$INSTDIR\gost.dll.manifest"
Delete "$INSTDIR\gost.pdb"
Delete "$INSTDIR\nuron.dll"
Delete "$INSTDIR\nuron.dll.manifest"
Delete "$INSTDIR\nuron.pdb"
Delete "$INSTDIR\padlock.dll"
Delete "$INSTDIR\padlock.dll.manifest"
Delete "$INSTDIR\padlock.pdb"
Delete "$INSTDIR\sureware.dll"
Delete "$INSTDIR\sureware.dll.manifest"
Delete "$INSTDIR\sureware.pdb"
Delete "$INSTDIR\ubsec.dll"
Delete "$INSTDIR\ubsec.dll.manifest"
Delete "$INSTDIR\ubsec.pdb"
# obsolete menu and desktop shortcuts
Delete "$SMPROGRAMS\stunnel\*.lnk"
Delete "$SMPROGRAMS\stunnel\*.url"
RMDir "$SMPROGRAMS\stunnel"
Delete "$DESKTOP\stunnel.lnk"
# remove firewall rules
SimpleFC::RemoveApplication "$INSTDIR\stunnel.exe"
Pop $0 # returns error(1)/success(0)
DetailPrint "SimpleFC::RemoveApplication: $0"
SimpleFC::RemoveApplication "$INSTDIR\tstunnel.exe"
Pop $0 # returns error(1)/success(0)
DetailPrint "SimpleFC::RemoveApplication: $0"
# refresh the screen
System::Call 'Shell32::SHChangeNotify(i 0x8000000, i 0, i 0, i 0)'
!macroend
# remove uninstaller registry entires
DeleteRegKey HKLM \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel"
DeleteRegKey HKLM "Software\NSIS_stunnel"
Function .onInit
!insertmacro MULTIUSER_INIT
FunctionEnd
Function un.onInit
!insertmacro MULTIUSER_UNINIT
FunctionEnd
Section "Core Files" sectionCORE
SectionIn RO
# save the installer configuration
WriteRegStr SHCTX "${REGKEY_INSTALL}" "Install_Dir" "$INSTDIR"
WriteRegStr SHCTX "${REGKEY_INSTALL}" "Install_Mode" "$MultiUser.InstallMode"
!insertmacro TerminateStunnel
!insertmacro CleanupStunnelFiles
# update the configuration (migrate the old one if available)
SetOutPath "$INSTDIR\config" # this also creates the directory
!insertmacro MoveFiles "$INSTDIR" "$INSTDIR\config" "*.conf"
!insertmacro MoveFiles "$INSTDIR" "$INSTDIR\config" "*.pem"
!insertmacro MoveFiles "$INSTDIR" "$INSTDIR\config" "*.crt"
!insertmacro MoveFiles "$INSTDIR" "$INSTDIR\config" "*.key"
SetOverwrite off
File "${STUNNEL_TOOLS_DIR}\stunnel.conf"
SetOverwrite on
File "${STUNNEL_TOOLS_DIR}\ca-certs.pem"
# write new executables/libraries files
SetOutPath "$INSTDIR\bin"
File "${STUNNEL_BIN_DIR}\stunnel.exe"
File "${OPENSSL_BIN_DIR}\libeay32.dll"
File "${OPENSSL_BIN_DIR}\ssleay32.dll"
!if ${ARCH} == win32
File "${ZLIB_DIR}\zlib1.dll"
File "${REDIST_DIR}\msvcr90.dll"
File "${REDIST_DIR}\Microsoft.VC90.CRT.Manifest"
# MINGW builds requires libssp-0.dll instead of msvcr90.dll
!else
File "${REDIST_DIR}\vcruntime140.dll"
!endif
# write new engine libraries
SetOutPath "$INSTDIR\engines"
File "${OPENSSL_ENGINES_DIR}\capi.dll"
File "${OPENSSL_ENGINES_DIR}\chil.dll"
File "${OPENSSL_ENGINES_DIR}\gmp.dll"
File "${OPENSSL_ENGINES_DIR}\gost.dll"
File "${OPENSSL_ENGINES_DIR}\padlock.dll"
File "${OPENSSL_ENGINES_DIR}\ubsec.dll"
File "${LIBP11_DIR}\pkcs11.dll"
# write new documentation
SetOutPath "$INSTDIR\doc"
File "${STUNNEL_DOC_DIR}\stunnel.html"
# add firewall rule
SimpleFC::AddApplication "stunnel (GUI Version)" \
"$INSTDIR\bin\stunnel.exe" 0 2 "" 1
!insertmacro DetailError "SimpleFC::AddApplication failed for stunnel.exe"
# write uninstaller and its registry entries
WriteUninstaller "uninstall.exe"
WriteRegStr SHCTX "${REGKEY_UNINST}" "DisplayName" \
"stunnel installed for $MultiUser.InstallMode"
WriteRegStr SHCTX "${REGKEY_UNINST}" "DisplayVersion" "${VERSION}"
WriteRegStr SHCTX "${REGKEY_UNINST}" "DisplayIcon" "$INSTDIR\bin\stunnel.exe"
WriteRegStr SHCTX "${REGKEY_UNINST}" "Publisher" "Michal Trojnara"
WriteRegStr SHCTX "${REGKEY_UNINST}" \
"UninstallString" '"$INSTDIR\uninstall.exe" /$MultiUser.InstallMode'
WriteRegDWORD SHCTX "${REGKEY_UNINST}" "NoModify" 1
WriteRegDWORD SHCTX "${REGKEY_UNINST}" "NoRepair" 1
SectionEnd
SectionGroup "Tools" groupTOOLS
Section "openssl.exe" sectionOPENSSL
SetOutPath "$INSTDIR\bin"
File "${OPENSSL_BIN_DIR}\openssl.exe"
SetOutPath "$INSTDIR\config"
File "${STUNNEL_TOOLS_DIR}\openssl.cnf"
# create stunnel.pem
IfSilent no_new_pem
IfFileExists "$INSTDIR\config\stunnel.pem" no_new_pem
# set HOME for the .rnd file
ReadEnvStr $0 "HOME"
StrCmp $0 "" home_defined
System::Call 'Kernel32::SetEnvironmentVariable(t, t) i("HOME", "$INSTDIR\config").r0'
home_defined:
ExecWait '"$INSTDIR\bin\openssl.exe" req -new -x509 -days 365 -config "$INSTDIR\config\openssl.cnf" -out "$INSTDIR\config\stunnel.pem" -keyout "$INSTDIR\config\stunnel.pem"'
no_new_pem:
SectionEnd
Section "tstunnel.exe" sectionTSTUNNEL
SetOutPath "$INSTDIR\bin"
File "${STUNNEL_BIN_DIR}\tstunnel.exe"
# add firewall rule
SimpleFC::AddApplication "stunnel (Terminal Version)" \
"$INSTDIR\bin\tstunnel.exe" 0 2 "" 1
!insertmacro DetailError "SimpleFC::AddApplication failed for tstunnel.exe"
SectionEnd
SectionGroupEnd
SectionGroup "Shortcuts" groupSHORTCUTS
Section "Start Menu" sectionMENU
CreateDirectory "$SMPROGRAMS\${SHORTCUTS}"
# the core links
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel GUI Start.lnk" \
"$INSTDIR\bin\stunnel.exe" "" "$INSTDIR\bin\stunnel.exe"
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel GUI Stop.lnk" \
"$INSTDIR\bin\stunnel.exe" "-exit" "$INSTDIR\bin\stunnel.exe"
# tstunnel
SectionGetFlags ${sectionTSTUNNEL} $0
IntOp $0 $0 & ${SF_SELECTED}
IntCmp $0 0 no_tstunnel_shortcut
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel Terminal Start.lnk" \
"$INSTDIR\bin\tstunnel.exe" "" "$INSTDIR\bin\tstunnel.exe"
no_tstunnel_shortcut:
# NT service management
ClearErrors
ReadRegStr $R0 HKLM \
"Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion
IfErrors no_service_shortcuts
StrCmp $MultiUser.InstallMode "CurrentUser" no_service_shortcuts
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel Service Install.lnk" \
"$INSTDIR\bin\stunnel.exe" "-install" "$INSTDIR\bin\stunnel.exe"
!insertmacro SetRunAsAdmin "stunnel Service Install"
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel Service Uninstall.lnk" \
"$INSTDIR\bin\stunnel.exe" "-uninstall" "$INSTDIR\bin\stunnel.exe"
!insertmacro SetRunAsAdmin "stunnel Service Uninstall"
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel Service Start.lnk" \
"$INSTDIR\bin\stunnel.exe" "-start" "$INSTDIR\bin\stunnel.exe"
!insertmacro SetRunAsAdmin "stunnel Service Start"
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel Service Stop.lnk" \
"$INSTDIR\bin\stunnel.exe" "-stop" "$INSTDIR\bin\stunnel.exe"
!insertmacro SetRunAsAdmin "stunnel Service Stop"
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel Service Configuration File Reload.lnk" \
"$INSTDIR\bin\stunnel.exe" "-reload" "$INSTDIR\bin\stunnel.exe"
!insertmacro SetRunAsAdmin "stunnel Service Configuration File Reload"
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel Service Log File Reopen.lnk" \
"$INSTDIR\bin\stunnel.exe" "-reopen" "$INSTDIR\bin\stunnel.exe"
!insertmacro SetRunAsAdmin "stunnel Service Log File Reopen"
no_service_shortcuts:
# edit config file
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\Edit stunnel.conf.lnk" \
"notepad.exe" "$INSTDIR\config\stunnel.conf" "notepad.exe"
!insertmacro SetRunAsAdmin "Edit stunnel.conf"
SectionGetFlags ${sectionOPENSSL} $0
IntOp $0 $0 & ${SF_SELECTED}
IntCmp $0 0 no_openssl_shortcuts
# OpenSSL shell
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\OpenSSL Shell.lnk" \
"$INSTDIR\bin\openssl.exe" "" "$INSTDIR\bin\openssl.exe"
# make stunnel.pem
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\Build a Self-signed stunnel.pem.lnk" \
"$INSTDIR\bin\openssl.exe" \
'req -new -x509 -days 365 -config "$INSTDIR\config\openssl.cnf" -out "$INSTDIR\config\stunnel.pem" -keyout "$INSTDIR\config\stunnel.pem"'
!insertmacro SetRunAsAdmin "Build a Self-signed stunnel.pem"
no_openssl_shortcuts:
# the fine manual
WriteINIStr "$SMPROGRAMS\${SHORTCUTS}\stunnel Manual Page.url" \
"InternetShortcut" "URL" "file://$INSTDIR\doc\stunnel.html"
# uninstall
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\Uninstall stunnel.lnk" \
"$INSTDIR\uninstall.exe" "/$MultiUser.InstallMode" \
"$INSTDIR\uninstall.exe"
SectionEnd
Section "Desktop" sectionDESKTOP
# create the link
CreateShortCut "$DESKTOP\${SHORTCUTS}.lnk" \
"$INSTDIR\bin\stunnel.exe" "" "$INSTDIR\bin\stunnel.exe"
# refresh the screen
System::Call 'Shell32::SHChangeNotify(i 0x8000000, i 0, i 0, i 0)'
SectionEnd
SectionGroupEnd
Section /o "Debugging Symbols" sectionDEBUG
SetOutPath "$INSTDIR\bin"
# core components
File "${STUNNEL_BIN_DIR}\stunnel.pdb"
File "${OPENSSL_BIN_DIR}\libeay32.pdb"
File "${OPENSSL_BIN_DIR}\ssleay32.pdb"
!if ${ARCH} == win32
File "${ZLIB_DIR}\zlib1.pdb"
!endif
# optional tstunnel.exe
SectionGetFlags ${sectionTSTUNNEL} $0
IntOp $0 $0 & ${SF_SELECTED}
IntCmp $0 0 no_tstunnel_pdb
File "${STUNNEL_BIN_DIR}\tstunnel.pdb"
no_tstunnel_pdb:
# optional openssl.exe
SectionGetFlags ${sectionOPENSSL} $0
IntOp $0 $0 & ${SF_SELECTED}
IntCmp $0 0 no_openssl_pdb
File "${OPENSSL_BIN_DIR}\openssl.pdb"
no_openssl_pdb:
# engines
SetOutPath "$INSTDIR\engines"
File "${OPENSSL_ENGINES_DIR}\capi.pdb"
File "${OPENSSL_ENGINES_DIR}\chil.pdb"
File "${OPENSSL_ENGINES_DIR}\gmp.pdb"
File "${OPENSSL_ENGINES_DIR}\gost.pdb"
File "${OPENSSL_ENGINES_DIR}\padlock.pdb"
File "${OPENSSL_ENGINES_DIR}\ubsec.pdb"
# File "${LIBP11_DIR}\pkcs11.pdb"
SetOutPath "$INSTDIR"
SectionEnd
Section
!insertmacro RestartStunnel
SectionEnd
Section "Uninstall"
!insertmacro TerminateStunnel
!insertmacro CleanupStunnelFiles
# remove the stunnel directory
Delete "$INSTDIR\config\stunnel.pem"
Delete "$INSTDIR\config\stunnel.conf"
RMDir "$INSTDIR\config"
Delete "$INSTDIR\uninstall.exe"
RMDir "$INSTDIR"
# remove firewall rules
SimpleFC::RemoveApplication "$INSTDIR\bin\stunnel.exe"
!insertmacro DetailError "SimpleFC::RemoveApplication failed for stunnel.exe"
SimpleFC::RemoveApplication "$INSTDIR\bin\tstunnel.exe"
!insertmacro DetailError "SimpleFC::RemoveApplication failed for tstunnel.exe"
# remove the installer and uninstaller registry entires
DeleteRegKey SHCTX "${REGKEY_INSTALL}"
DeleteRegKey SHCTX "${REGKEY_UNINST}"
SectionEnd
LangString DESC_sectionCORE ${LANG_ENGLISH} \
"Installs the stunnel executable and the required libraries.$\r$\nThis component also creates a sample stunnel.conf if no such file exists."
LangString DESC_sectionOPENSSL ${LANG_ENGLISH} \
"Installs openssl.exe, the OpenSSL command-line tool.$\r$\nThis component also builds a self-signed stunnel.pem file if no such file exists."
LangString DESC_sectionTSTUNNEL ${LANG_ENGLISH} \
"Installs tstunnel.exe, the command-line version of stunnel.$\r$\ntstunnel.exe is often used for scripting."
LangString DESC_sectionMENU ${LANG_ENGLISH} \
"Installs the Start Menu shortcuts for managing stunnel."
LangString DESC_sectionDESKTOP ${LANG_ENGLISH} \
"Installs the Desktop shortcut for stunnel."
LangString DESC_sectionDEBUG ${LANG_ENGLISH} \
"Installs the .PDB (program database) files for the executables and libraries."
LangString DESC_groupTOOLS ${LANG_ENGLISH} \
"Installs optional (but useful) tools."
LangString DESC_groupSHORTCUTS ${LANG_ENGLISH} \
"Installs menu and desktop shortcuts."
!insertmacro MUI_FUNCTION_DESCRIPTION_BEGIN
!insertmacro MUI_DESCRIPTION_TEXT ${sectionCORE} $(DESC_sectionCORE)
!insertmacro MUI_DESCRIPTION_TEXT ${sectionOPENSSL} $(DESC_sectionOPENSSL)
!insertmacro MUI_DESCRIPTION_TEXT ${sectionTSTUNNEL} $(DESC_sectionTSTUNNEL)
!insertmacro MUI_DESCRIPTION_TEXT ${sectionMENU} $(DESC_sectionMENU)
!insertmacro MUI_DESCRIPTION_TEXT ${sectionDESKTOP} $(DESC_sectionDESKTOP)
!insertmacro MUI_DESCRIPTION_TEXT ${sectionDEBUG} $(DESC_sectionDEBUG)
!insertmacro MUI_DESCRIPTION_TEXT ${groupTOOLS} $(DESC_groupTOOLS)
!insertmacro MUI_DESCRIPTION_TEXT ${groupSHORTCUTS} $(DESC_groupSHORTCUTS)
!insertmacro MUI_FUNCTION_DESCRIPTION_END
# end of stunnel.nsi

106
tools/stunnel.rh.init Normal file
View File

@ -0,0 +1,106 @@
#!/bin/sh
#
# stunnel Starts or stops Stunnel daemon
#
# chkconfig: - 48 52
# description: Starts or stops Stunnel daemon
#
### BEGIN INIT INFO
# Provides: stunnel
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Should-Start: $syslog
# Should-Stop: $syslog
# Default-Start:
# Default-Stop: 0 1 2 3 4 5 6
# Short-Description: Start or stop stunnel 4.x (TLS tunnel for network daemons)
# Description: Starts or stops all configured TLS network tunnels. Each *.conf file in
# /etc/stunnel/ will spawn a separate stunnel process. The list of files
# can be overridden in /etc/sysconfig/stunnel, and that same file can be used
# to completely disable *all* tunnels.
### END INIT INFO
# Source function library.
. /etc/rc.d/init.d/functions
exec="/usr/bin/stunnel"
prog="stunnel"
config="/etc/stunnel/stunnel.conf"
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
lockfile=/var/lock/subsys/$prog
start() {
[ -x $exec ] || exit 5
[ -f $config ] || exit 6
echo -n $"Starting $prog: "
daemon ${exec} ${config}
retval=$?
echo
[ $retval -eq 0 ] && touch $lockfile
return $retval
}
stop() {
echo -n $"Stopping $prog: "
killproc ${prog}
retval=$?
echo
[ $retval -eq 0 ] && rm -f $lockfile
return $retval
}
restart() {
stop
start
}
reload() {
restart
}
force_reload() {
restart
}
rh_status() {
status $prog
}
rh_status_q() {
rh_status >/dev/null 2>&1
}
case "$1" in
start)
rh_status_q && exit 0
$1
;;
stop)
rh_status_q || exit 0
$1
;;
restart)
$1
;;
reload)
rh_status_q || exit 7
$1
;;
force-reload)
force_reload
;;
status)
rh_status
;;
condrestart|try-restart)
rh_status_q || exit 0
restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
exit 2
esac
exit $?

Some files were not shown because too many files have changed in this diff Show More