debmon/stunnel4
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

merge into: debmon:pristine-tar
Branches Tags
debmon:master
debmon:pristine-tar
debmon:upstream
debmon:upstream/5.44
debmon:upstream/5.42
debmon:debian/4.57
debmon:upstream/4.57
debmon:debian/4.53-1.1
debmon:upstream/4.53
...
pull from: debmon:master
Branches Tags
debmon:master
debmon:pristine-tar
debmon:upstream
debmon:upstream/5.44
debmon:upstream/5.42
debmon:debian/4.57
debmon:upstream/4.57
debmon:debian/4.53-1.1
debmon:upstream/4.53

No commits in common. "pristine-tar" and "master" have entirely different histories.
pristine-t ... master

199 changed files with 90540 additions and 4 deletions
Show Stats Expand all files Collapse all files

34
.travis.yml Normal file
View File

@ -0,0 +1,34 @@
sudo: false
language: c
os:
- linux
- osx
compiler:
- gcc
- clang
env:
- CONFIGURE_OPTIONS='--with-threads=pthread'
- CONFIGURE_OPTIONS='--with-threads=fork'
- CONFIGURE_OPTIONS='--with-threads=ucontext'
- CONFIGURE_OPTIONS='--disable-ipv6 --disable-fips --disable-systemd --disable-libwrap'
addons:
apt:
packages:
- autoconf-archive
- libssl-dev
- libwrap0-dev
- nmap
before_script:
- if [ "$TRAVIS_OS_NAME" == "osx" ]; then brew update; brew install autoconf-archive nmap; fi; true
- autoreconf -fvi && touch src/dhparam.c
script:
- ./configure $CONFIGURE_OPTIONS
- make
- make test || ( for FILE in tests/logs/*.log; do echo "*** $FILE ***"; cat "$FILE"; done; false )

4
AUTHORS Normal file
View File

@ -0,0 +1,4 @@
stunnel authors
Michal Trojnara <Michal.Trojnara@stunnel.org>

5
BUGS Normal file
View File

@ -0,0 +1,5 @@
stunnel known bugs
- Shared library for transparent proxy does not support IPv6.

33
COPYING Normal file
View File

@ -0,0 +1,33 @@
stunnel license (see COPYRIGHT.GPL for detailed GPL conditions)
Copyright (C) 1998-2017 Michal Trojnara
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version.
This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with
this program; if not, see <http://www.gnu.org/licenses>.
Linking stunnel statically or dynamically with other modules is making
a combined work based on stunnel. Thus, the terms and conditions of the
GNU General Public License cover the whole combination.
In addition, as a special exception, the copyright holder of stunnel gives you
permission to combine stunnel with free software programs or libraries that
are released under the GNU LGPL and with code included in the standard release
of OpenSSL under the OpenSSL License (or modified versions of such code, with
unchanged license). You may copy and distribute such a system following the
terms of the GNU GPL for stunnel and the licenses of the other code concerned.
Note that people who make modified versions of stunnel are not obligated to
grant this special exception for their modified versions; it is their choice
whether to do so. The GNU General Public License gives permission to release
a modified version without this exception; this exception also makes it
possible to release a modified version which carries forward this exception.

339
COPYRIGHT.GPL Normal file
View File

@ -0,0 +1,339 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
Appendix: How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) 19yy <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.

40
CREDITS Normal file
View File

@ -0,0 +1,40 @@
stunnel code contributions
The code contributions are licensed as public domain unless stated otherwise.
Several Win32 and WCE improvements and bugfixes:
* Pierre Delaage <delaage.pierre@free.fr>
systemd socket activation in version 5.05:
Copyright (c) 2014 Mark Theunissen
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Several bugfixes and improvements mostly in versions 3.xx:
* Brian Hatch <bri@stunnel.org>
Initial PTY support in version 3.05:
* Dirk O. Siebnich <dok@vossnet.de>
Initial SSL support in versions 1.x:
* Adam Hernik <adas@infocentrum.com>
* Pawel Krawczyk <kravietz@ceti.com.pl>
and many others...

1921
ChangeLog Normal file
View File

File diff suppressed because it is too large Load Diff

370
INSTALL Normal file
View File

@ -0,0 +1,370 @@
Installation Instructions
*************************
Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation,
Inc.
Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved. This file is offered as-is,
without warranty of any kind.
Basic Installation
==================
Briefly, the shell command `./configure && make && make install'
should configure, build, and install this package. The following
more-detailed instructions are generic; see the `README' file for
instructions specific to this package. Some packages provide this
`INSTALL' file but do not implement all of the features documented
below. The lack of an optional feature in a given package is not
necessarily a bug. More recommendations for GNU packages can be found
in *note Makefile Conventions: (standards)Makefile Conventions.
The `configure' shell script attempts to guess correct values for
various system-dependent variables used during compilation. It uses
those values to create a `Makefile' in each directory of the package.
It may also create one or more `.h' files containing system-dependent
definitions. Finally, it creates a shell script `config.status' that
you can run in the future to recreate the current configuration, and a
file `config.log' containing compiler output (useful mainly for
debugging `configure').
It can also use an optional file (typically called `config.cache'
and enabled with `--cache-file=config.cache' or simply `-C') that saves
the results of its tests to speed up reconfiguring. Caching is
disabled by default to prevent problems with accidental use of stale
cache files.
If you need to do unusual things to compile the package, please try
to figure out how `configure' could check whether to do them, and mail
diffs or instructions to the address given in the `README' so they can
be considered for the next release. If you are using the cache, and at
some point `config.cache' contains results you don't want to keep, you
may remove or edit it.
The file `configure.ac' (or `configure.in') is used to create
`configure' by a program called `autoconf'. You need `configure.ac' if
you want to change it or regenerate `configure' using a newer version
of `autoconf'.
The simplest way to compile this package is:
1. `cd' to the directory containing the package's source code and type
`./configure' to configure the package for your system.
Running `configure' might take a while. While running, it prints
some messages telling which features it is checking for.
2. Type `make' to compile the package.
3. Optionally, type `make check' to run any self-tests that come with
the package, generally using the just-built uninstalled binaries.
4. Type `make install' to install the programs and any data files and
documentation. When installing into a prefix owned by root, it is
recommended that the package be configured and built as a regular
user, and only the `make install' phase executed with root
privileges.
5. Optionally, type `make installcheck' to repeat any self-tests, but
this time using the binaries in their final installed location.
This target does not install anything. Running this target as a
regular user, particularly if the prior `make install' required
root privileges, verifies that the installation completed
correctly.
6. You can remove the program binaries and object files from the
source code directory by typing `make clean'. To also remove the
files that `configure' created (so you can compile the package for
a different kind of computer), type `make distclean'. There is
also a `make maintainer-clean' target, but that is intended mainly
for the package's developers. If you use it, you may have to get
all sorts of other programs in order to regenerate files that came
with the distribution.
7. Often, you can also type `make uninstall' to remove the installed
files again. In practice, not all packages have tested that
uninstallation works correctly, even though it is required by the
GNU Coding Standards.
8. Some packages, particularly those that use Automake, provide `make
distcheck', which can by used by developers to test that all other
targets like `make install' and `make uninstall' work correctly.
This target is generally not run by end users.
Compilers and Options
=====================
Some systems require unusual options for compilation or linking that
the `configure' script does not know about. Run `./configure --help'
for details on some of the pertinent environment variables.
You can give `configure' initial values for configuration parameters
by setting variables in the command line or in the environment. Here
is an example:
./configure CC=c99 CFLAGS=-g LIBS=-lposix
*Note Defining Variables::, for more details.
Compiling For Multiple Architectures
====================================
You can compile the package for more than one kind of computer at the
same time, by placing the object files for each architecture in their
own directory. To do this, you can use GNU `make'. `cd' to the
directory where you want the object files and executables to go and run
the `configure' script. `configure' automatically checks for the
source code in the directory that `configure' is in and in `..'. This
is known as a "VPATH" build.
With a non-GNU `make', it is safer to compile the package for one
architecture at a time in the source code directory. After you have
installed the package for one architecture, use `make distclean' before
reconfiguring for another architecture.
On MacOS X 10.5 and later systems, you can create libraries and
executables that work on multiple system types--known as "fat" or
"universal" binaries--by specifying multiple `-arch' options to the
compiler but only a single `-arch' option to the preprocessor. Like
this:
./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
CPP="gcc -E" CXXCPP="g++ -E"
This is not guaranteed to produce working output in all cases, you
may have to build one architecture at a time and combine the results
using the `lipo' tool if you have problems.
Installation Names
==================
By default, `make install' installs the package's commands under
`/usr/local/bin', include files under `/usr/local/include', etc. You
can specify an installation prefix other than `/usr/local' by giving
`configure' the option `--prefix=PREFIX', where PREFIX must be an
absolute file name.
You can specify separate installation prefixes for
architecture-specific files and architecture-independent files. If you
pass the option `--exec-prefix=PREFIX' to `configure', the package uses
PREFIX as the prefix for installing programs and libraries.
Documentation and other data files still use the regular prefix.
In addition, if you use an unusual directory layout you can give
options like `--bindir=DIR' to specify different values for particular
kinds of files. Run `configure --help' for a list of the directories
you can set and what kinds of files go in them. In general, the
default for these options is expressed in terms of `${prefix}', so that
specifying just `--prefix' will affect all of the other directory
specifications that were not explicitly provided.
The most portable way to affect installation locations is to pass the
correct locations to `configure'; however, many packages provide one or
both of the following shortcuts of passing variable assignments to the
`make install' command line to change installation locations without
having to reconfigure or recompile.
The first method involves providing an override variable for each
affected directory. For example, `make install
prefix=/alternate/directory' will choose an alternate location for all
directory configuration variables that were expressed in terms of
`${prefix}'. Any directories that were specified during `configure',
but not in terms of `${prefix}', must each be overridden at install
time for the entire installation to be relocated. The approach of
makefile variable overrides for each directory variable is required by
the GNU Coding Standards, and ideally causes no recompilation.
However, some platforms have known limitations with the semantics of
shared libraries that end up requiring recompilation when using this
method, particularly noticeable in packages that use GNU Libtool.
The second method involves providing the `DESTDIR' variable. For
example, `make install DESTDIR=/alternate/directory' will prepend
`/alternate/directory' before all installation names. The approach of
`DESTDIR' overrides is not required by the GNU Coding Standards, and
does not work on platforms that have drive letters. On the other hand,
it does better at avoiding recompilation issues, and works well even
when some directory options were not specified in terms of `${prefix}'
at `configure' time.
Optional Features
=================
If the package supports it, you can cause programs to be installed
with an extra prefix or suffix on their names by giving `configure' the
option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
Some packages pay attention to `--enable-FEATURE' options to
`configure', where FEATURE indicates an optional part of the package.
They may also pay attention to `--with-PACKAGE' options, where PACKAGE
is something like `gnu-as' or `x' (for the X Window System). The
`README' should mention any `--enable-' and `--with-' options that the
package recognizes.
For packages that use the X Window System, `configure' can usually
find the X include and library files automatically, but if it doesn't,
you can use the `configure' options `--x-includes=DIR' and
`--x-libraries=DIR' to specify their locations.
Some packages offer the ability to configure how verbose the
execution of `make' will be. For these packages, running `./configure
--enable-silent-rules' sets the default to minimal output, which can be
overridden with `make V=1'; while running `./configure
--disable-silent-rules' sets the default to verbose, which can be
overridden with `make V=0'.
Particular systems
==================
On HP-UX, the default C compiler is not ANSI C compatible. If GNU
CC is not installed, it is recommended to use the following options in
order to use an ANSI C compiler:
./configure CC="cc -Ae -D_XOPEN_SOURCE=500"
and if that doesn't work, install pre-built binaries of GCC for HP-UX.
HP-UX `make' updates targets which have the same time stamps as
their prerequisites, which makes it generally unusable when shipped
generated files such as `configure' are involved. Use GNU `make'
instead.
On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot
parse its `<wchar.h>' header file. The option `-nodtk' can be used as
a workaround. If GNU CC is not installed, it is therefore recommended
to try
./configure CC="cc"
and if that doesn't work, try
./configure CC="cc -nodtk"
On Solaris, don't put `/usr/ucb' early in your `PATH'. This
directory contains several dysfunctional programs; working variants of
these programs are available in `/usr/bin'. So, if you need `/usr/ucb'
in your `PATH', put it _after_ `/usr/bin'.
On Haiku, software installed for all users goes in `/boot/common',
not `/usr/local'. It is recommended to use the following options:
./configure --prefix=/boot/common
Specifying the System Type
==========================
There may be some features `configure' cannot figure out
automatically, but needs to determine by the type of machine the package
will run on. Usually, assuming the package is built to be run on the
_same_ architectures, `configure' can figure that out, but if it prints
a message saying it cannot guess the machine type, give it the
`--build=TYPE' option. TYPE can either be a short name for the system
type, such as `sun4', or a canonical name which has the form:
CPU-COMPANY-SYSTEM
where SYSTEM can have one of these forms:
OS
KERNEL-OS
See the file `config.sub' for the possible values of each field. If
`config.sub' isn't included in this package, then this package doesn't
need to know the machine type.
If you are _building_ compiler tools for cross-compiling, you should
use the option `--target=TYPE' to select the type of system they will
produce code for.
If you want to _use_ a cross compiler, that generates code for a
platform different from the build platform, you should specify the
"host" platform (i.e., that on which the generated programs will
eventually be run) with `--host=TYPE'.
Sharing Defaults
================
If you want to set default values for `configure' scripts to share,
you can create a site shell script called `config.site' that gives
default values for variables like `CC', `cache_file', and `prefix'.
`configure' looks for `PREFIX/share/config.site' if it exists, then
`PREFIX/etc/config.site' if it exists. Or, you can set the
`CONFIG_SITE' environment variable to the location of the site script.
A warning: not all `configure' scripts look for a site script.
Defining Variables
==================
Variables not defined in a site shell script can be set in the
environment passed to `configure'. However, some packages may run
configure again during the build, and the customized values of these
variables may be lost. In order to avoid this problem, you should set
them in the `configure' command line, using `VAR=value'. For example:
./configure CC=/usr/local2/bin/gcc
causes the specified `gcc' to be used as the C compiler (unless it is
overridden in the site shell script).
Unfortunately, this technique does not work for `CONFIG_SHELL' due to
an Autoconf limitation. Until the limitation is lifted, you can use
this workaround:
CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash
`configure' Invocation
======================
`configure' recognizes the following options to control how it
operates.
`--help'
`-h'
Print a summary of all of the options to `configure', and exit.
`--help=short'
`--help=recursive'
Print a summary of the options unique to this package's
`configure', and exit. The `short' variant lists options used
only in the top level, while the `recursive' variant lists options
also present in any nested packages.
`--version'
`-V'
Print the version of Autoconf used to generate the `configure'
script, and exit.
`--cache-file=FILE'
Enable the cache: use and save the results of the tests in FILE,
traditionally `config.cache'. FILE defaults to `/dev/null' to
disable caching.
`--config-cache'
`-C'
Alias for `--cache-file=config.cache'.
`--quiet'
`--silent'
`-q'
Do not print messages saying which checks are being made. To
suppress all normal output, redirect it to `/dev/null' (any error
messages will still be shown).
`--srcdir=DIR'
Look for the package's source code in directory DIR. Usually
`configure' can determine that directory automatically.
`--prefix=DIR'
Use DIR as the installation prefix. *note Installation Names::
for more details, including other options available for fine-tuning
the installation locations.
`--no-create'
`-n'
Run the configure checks, but stop before creating any output
files.
`configure' also accepts some other, not widely useful, options. Run
`configure --help' for more details.

25
INSTALL.FIPS Normal file
View File

@ -0,0 +1,25 @@
stunnel FIPS install notes
Unix HOWTO:
* Only dynamic linking of the FIPS-enabled OpenSSL is currently supported,
i.e. FIPS-enabled OpenSSL has to be configured with "shared" parameter.
* FIPS mode is autodetected if possible. It can be forced with:
./configure --enable-fips
or disable with:
./configure --disable-fips
WIN32 HOWTO:
* On 32-bit Windows install one of the following compilers:
- MSVC 8.0 (VS 2005) Standard or Professional Edition
- MSVC 9.0 (VS 2008) any edition including Express Edition
* On 64-bit Windows install one of the following compilers:
- MSVC 8.0 (VS 2005) Standard or Professional Edition
- MSVC 9.0 (VS 2008) Standard or Professional Edition
* Build FIPS-compliant OpenSSL DLLS according to:
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
* Build stunnel normally with MSVC or Mingw.
Mingw build requires DLL stubs. Stubs can be built with:
dlltool --def ms/libeay32.def --output-lib libcrypto.a
dlltool --def ms/ssleay32.def --output-lib libssl.a

66
INSTALL.W32 Normal file
View File

@ -0,0 +1,66 @@
stunnel Windows install notes
Cross-compiling stunnel from source with MinGW (optional):
1) Install the mingw32 cross-compiler on a Unix/Linux machine.
On Debian (and derivatives, including Ubuntu):
sudo apt-get install gcc-mingw-w64-i686
On Arch Linux:
sudo pacman -S mingw-w64-gcc
2) Download the recent OpenSSL and unpack it:
tar zvxf ~/openssl-(version).tar.gz
mv openssl-(version) openssl-(version)-i686
cd openssl-(version)-i686/
3) Build OpenSSL.
For 32-bit Windows:
./Configure \
--cross-compile-prefix=i686-w64-mingw32- \
--openssldir=/opt/openssl-mingw mingw shared
make
sudo make install
sudo cp ms/applink.c /opt/openssl-mingw/include/openssl/
For 64-bit Windows:
./Configure \
--cross-compile-prefix=x86_64-w64-mingw32- \
--openssldir=/opt/openssl-mingw64 mingw64 shared
make
sudo make install
sudo cp ms/applink.c /opt/openssl-mingw64/include/openssl/
4) Download and unpack stunnel-(version).tar.gz.
5) Configure stunnel:
cd stunnel-(version)
./configure
6) Build Windows 32-bit and/or 64-bit executables:
cd src
make mingw
make mingw64
Building stunnel from source with MinGW (optional):
Building on a Windows machine is possible, but not currently supported.
Building stunnel from source with Visual Studio (optional):
TODO
Installing stunnel:
1) Run installer to install the precompiled binaries, or
copy the stunnel.exe or tstunnel.exe executable located in the
/stunnel-(version)/bin/mingw/ directory into the destination
directory on a Windows machine, and
copy OpenSSL DLLs: libeay32.dll, libssp-0.dll and ssleay32.dll
into the same directory, if necessary.
2) Read the manual (stunnel.html).
3) Create/edit the stunnel.conf configuration file.

45
INSTALL.WCE Normal file
View File

@ -0,0 +1,45 @@
stunnel Windows CE install notes
Two stunnel executables are available for Windows CE platform:
1) stunnel.exe - version with interactive GUI
2) tstunnel.exe - non-iteractive version for headless devices
Building stunnel from source (optional):
1) install the following tools:
evt2002web_min.exe from http://www.microsoft.com/
ActivePerl from http://www.activestate.com/Products/ActivePerl/
unzip.exe (file needs to be renamed) from
http://www.mirrorservice.org/sites/ftp.info-zip.org/pub/infozip/WIN32/
2) download the OpenSSL source files (the whole directory):
ftp://ftp.stunnel.org/stunnel/openssl/ce/
3) your directory should look like this:
build.bat
build.pl
unzip.exe
src\openssl-0.9.8a.zip
src\wcecompat-1.2.zip
4) type "build" to build OpenSSL
5) download and unpack stunnel-(version).tar.gz
4) enter "stunnel-(version)\src" subdirectory
5) type "makece" to build stunnel
Installing stunnel:
1) copy OpenSSL DLLs and stunnel.exe or tstunnel.exe into \stunnel directory
2) read the manual (stunnel.html)
3) create/edit stunnel.conf configuration file

58
Makefile.am Normal file
View File

@ -0,0 +1,58 @@
## Process this file with automake to produce Makefile.in
# by Michal Trojnara 2015-2017
ACLOCAL_AMFLAGS = -I m4
SUBDIRS = src doc tools tests
LIBTOOL_DEPS = @LIBTOOL_DEPS@
libtool: $(LIBTOOL_DEPS)
$(SHELL) ./config.status libtool
EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS
EXTRA_DIST += INSTALL.W32 INSTALL.WCE INSTALL.FIPS
EXTRA_DIST += build-android.sh .travis.yml
docdir = $(datadir)/doc/stunnel
doc_DATA = INSTALL README TODO COPYING AUTHORS ChangeLog
doc_DATA += PORTS BUGS COPYRIGHT.GPL CREDITS
doc_DATA += INSTALL.W32 INSTALL.WCE INSTALL.FIPS
distcleancheck_listfiles = find -type f -exec sh -c 'test -f $(srcdir)/{} || echo {}' ';'
distclean-local:
rm -rf autom4te.cache
# rm -f $(distdir)-win32-installer.exe
#dist-hook:
# makensis -NOCD -DVERSION=${VERSION} \
# -DSTUNNEL_DIR=$(srcdir) \
# -DROOT_DIR=/usr/src \
# $(srcdir)/tools/stunnel.nsi
sign: dist
cp -f $(distdir).tar.gz $(distdir)-win32-installer.exe $(distdir)-android.zip ../dist
gpg-agent --daemon /bin/sh -c "cd ../dist; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir).tar.gz; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-win32-installer.exe; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-android.zip"
sha256sum $(distdir).tar.gz >../dist/$(distdir).tar.gz.sha256
sha256sum $(distdir)-win32-installer.exe >../dist/$(distdir)-win32-installer.exe.sha256
sha256sum $(distdir)-android.zip >../dist/$(distdir)-android.zip.sha256
cat ../dist/$(distdir)*.sha256 | tac
cert:
$(MAKE) -C tools cert
test: check
install-data-hook:
@echo "*********************************************************"
@echo "* Type 'make cert' to also install a sample certificate *"
@echo "*********************************************************"
edit = sed \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g'
stunnel.pod: Makefile
$(edit) '$(srcdir)/$@.in' >$@
stunnel.pod: $(srcdir)/stunnel.pod

907
Makefile.in Normal file
View File

@ -0,0 +1,907 @@
# Makefile.in generated by automake 1.15 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2014 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
@SET_MAKE@
# by Michal Trojnara 2015-2017
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = .
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(top_srcdir)/configure \
$(am__configure_deps) $(am__DIST_COMMON)
am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
configure.lineno config.status.lineno
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/src/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
SOURCES =
DIST_SOURCES =
RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
ctags-recursive dvi-recursive html-recursive info-recursive \
install-data-recursive install-dvi-recursive \
install-exec-recursive install-html-recursive \
install-info-recursive install-pdf-recursive \
install-ps-recursive install-recursive installcheck-recursive \
installdirs-recursive pdf-recursive ps-recursive \
tags-recursive uninstall-recursive
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
*) f=$$p;; \
esac;
am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
am__install_max = 40
am__nobase_strip_setup = \
srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
am__nobase_strip = \
for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
am__nobase_list = $(am__nobase_strip_setup); \
for p in $$list; do echo "$$p $$p"; done | \
sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
$(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
if (++n[$$2] == $(am__install_max)) \
{ print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
END { for (dir in files) print dir, files[dir] }'
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
am__installdirs = "$(DESTDIR)$(docdir)"
DATA = $(doc_DATA)
RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
distclean-recursive maintainer-clean-recursive
am__recursive_targets = \
$(RECURSIVE_TARGETS) \
$(RECURSIVE_CLEAN_TARGETS) \
$(am__extra_recursive_targets)
AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
cscope distdir dist dist-all distcheck
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates. Input order is
# *not* preserved.
am__uniquify_input = $(AWK) '\
BEGIN { nonempty = 0; } \
{ items[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in items) print i; }; } \
'
# Make sure the list of sources is unique. This is necessary because,
# e.g., the same source file might be shared among _SOURCES variables
# for different programs/libraries.
am__define_uniq_tagged_files = \
list='$(am__tagged_files)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
CSCOPE = cscope
DIST_SUBDIRS = $(SUBDIRS)
am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/auto/compile \
$(top_srcdir)/auto/config.guess $(top_srcdir)/auto/config.sub \
$(top_srcdir)/auto/install-sh $(top_srcdir)/auto/ltmain.sh \
$(top_srcdir)/auto/missing AUTHORS COPYING ChangeLog INSTALL \
NEWS README TODO auto/compile auto/config.guess \
auto/config.sub auto/depcomp auto/install-sh auto/ltmain.sh \
auto/missing
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
distdir = $(PACKAGE)-$(VERSION)
top_distdir = $(distdir)
am__remove_distdir = \
if test -d "$(distdir)"; then \
find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
&& rm -rf "$(distdir)" \
|| { sleep 5 && rm -rf "$(distdir)"; }; \
else :; fi
am__post_remove_distdir = $(am__remove_distdir)
am__relativize = \
dir0=`pwd`; \
sed_first='s,^\([^/]*\)/.*$$,\1,'; \
sed_rest='s,^[^/]*/*,,'; \
sed_last='s,^.*/\([^/]*\)$$,\1,'; \
sed_butlast='s,/*[^/]*$$,,'; \
while test -n "$$dir1"; do \
first=`echo "$$dir1" | sed -e "$$sed_first"`; \
if test "$$first" != "."; then \
if test "$$first" = ".."; then \
dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
else \
first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
if test "$$first2" = "$$first"; then \
dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
else \
dir2="../$$dir2"; \
fi; \
dir0="$$dir0"/"$$first"; \
fi; \
fi; \
dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
done; \
reldir="$$dir2"
DIST_ARCHIVES = $(distdir).tar.gz
GZIP_ENV = --best
DIST_TARGETS = dist-gzip
distuninstallcheck_listfiles = find . -type f -print
am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \
| sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$'
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFAULT_GROUP = @DEFAULT_GROUP@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GREP = @GREP@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LD = @LD@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
LIBTOOL_DEPS = @LIBTOOL_DEPS@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PTHREAD_CC = @PTHREAD_CC@
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
PTHREAD_LIBS = @PTHREAD_LIBS@
RANDOM_FILE = @RANDOM_FILE@
RANLIB = @RANLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SSLDIR = @SSLDIR@
STRIP = @STRIP@
VERSION = @VERSION@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
ax_pthread_config = @ax_pthread_config@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = $(datadir)/doc/stunnel
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
ACLOCAL_AMFLAGS = -I m4
SUBDIRS = src doc tools tests
EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE \
INSTALL.FIPS build-android.sh .travis.yml
doc_DATA = INSTALL README TODO COPYING AUTHORS ChangeLog PORTS BUGS \
COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE INSTALL.FIPS
distcleancheck_listfiles = find -type f -exec sh -c 'test -f $(srcdir)/{} || echo {}' ';'
edit = sed \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g'
all: all-recursive
.SUFFIXES:
am--refresh: Makefile
@:
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
echo ' cd $(srcdir) && $(AUTOMAKE) --gnu'; \
$(am__cd) $(srcdir) && $(AUTOMAKE) --gnu \
&& exit 0; \
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --gnu Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
echo ' $(SHELL) ./config.status'; \
$(SHELL) ./config.status;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe)'; \
cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
$(SHELL) ./config.status --recheck
$(top_srcdir)/configure: $(am__configure_deps)
$(am__cd) $(srcdir) && $(AUTOCONF)
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
$(am__cd) $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS)
$(am__aclocal_m4_deps):
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
distclean-libtool:
-rm -f libtool config.lt
install-docDATA: $(doc_DATA)
@$(NORMAL_INSTALL)
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
done | $(am__base_list) | \
while read files; do \
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \
$(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \
done
uninstall-docDATA:
@$(NORMAL_UNINSTALL)
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir)
# This directory's subdirectories are mostly independent; you can cd
# into them and run 'make' without going through this Makefile.
# To change the values of 'make' variables: instead of editing Makefiles,
# (1) if the variable is set in 'config.status', edit 'config.status'
# (which will cause the Makefiles to be regenerated when you run 'make');
# (2) otherwise, pass the desired values on the 'make' command line.
$(am__recursive_targets):
@fail=; \
if $(am__make_keepgoing); then \
failcom='fail=yes'; \
else \
failcom='exit 1'; \
fi; \
dot_seen=no; \
target=`echo $@ | sed s/-recursive//`; \
case "$@" in \
distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
*) list='$(SUBDIRS)' ;; \
esac; \
for subdir in $$list; do \
echo "Making $$target in $$subdir"; \
if test "$$subdir" = "."; then \
dot_seen=yes; \
local_target="$$target-am"; \
else \
local_target="$$target"; \
fi; \
($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
|| eval $$failcom; \
done; \
if test "$$dot_seen" = "no"; then \
$(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
fi; test -z "$$fail"
ID: $(am__tagged_files)
$(am__define_uniq_tagged_files); mkid -fID $$unique
tags: tags-recursive
TAGS: tags
tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
set x; \
here=`pwd`; \
if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
include_option=--etags-include; \
empty_fix=.; \
else \
include_option=--include; \
empty_fix=; \
fi; \
list='$(SUBDIRS)'; for subdir in $$list; do \
if test "$$subdir" = .; then :; else \
test ! -f $$subdir/TAGS || \
set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
fi; \
done; \
$(am__define_uniq_tagged_files); \
shift; \
if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
if test $$# -gt 0; then \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
"$$@" $$unique; \
else \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
$$unique; \
fi; \
fi
ctags: ctags-recursive
CTAGS: ctags
ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
$(am__define_uniq_tagged_files); \
test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
$$unique
GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
&& $(am__cd) $(top_srcdir) \
&& gtags -i $(GTAGS_ARGS) "$$here"
cscope: cscope.files
test ! -s cscope.files \
|| $(CSCOPE) -b -q $(AM_CSCOPEFLAGS) $(CSCOPEFLAGS) -i cscope.files $(CSCOPE_ARGS)
clean-cscope:
-rm -f cscope.files
cscope.files: clean-cscope cscopelist
cscopelist: cscopelist-recursive
cscopelist-am: $(am__tagged_files)
list='$(am__tagged_files)'; \
case "$(srcdir)" in \
[\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
*) sdir=$(subdir)/$(srcdir) ;; \
esac; \
for i in $$list; do \
if test -f "$$i"; then \
echo "$(subdir)/$$i"; \
else \
echo "$$sdir/$$i"; \
fi; \
done >> $(top_builddir)/cscope.files
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-rm -f cscope.out cscope.in.out cscope.po.out cscope.files
distdir: $(DISTFILES)
$(am__remove_distdir)
test -d "$(distdir)" || mkdir "$(distdir)"
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
dist_files=`for file in $$list; do echo $$file; done | \
sed -e "s|^$$srcdirstrip/||;t" \
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
case $$dist_files in \
*/*) $(MKDIR_P) `echo "$$dist_files" | \
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
sort -u` ;; \
esac; \
for file in $$dist_files; do \
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
if test -d "$(distdir)/$$file"; then \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
test -f "$(distdir)/$$file" \
|| cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
if test "$$subdir" = .; then :; else \
$(am__make_dryrun) \
|| test -d "$(distdir)/$$subdir" \
|| $(MKDIR_P) "$(distdir)/$$subdir" \
|| exit 1; \
dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
$(am__relativize); \
new_distdir=$$reldir; \
dir1=$$subdir; dir2="$(top_distdir)"; \
$(am__relativize); \
new_top_distdir=$$reldir; \
echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
($(am__cd) $$subdir && \
$(MAKE) $(AM_MAKEFLAGS) \
top_distdir="$$new_top_distdir" \
distdir="$$new_distdir" \
am__remove_distdir=: \
am__skip_length_check=: \
am__skip_mode_fix=: \
distdir) \
|| exit 1; \
fi; \
done
-test -n "$(am__skip_mode_fix)" \
|| find "$(distdir)" -type d ! -perm -755 \
-exec chmod u+rwx,go+rx {} \; -o \
! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
! -type d ! -perm -400 -exec chmod a+r {} \; -o \
! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \
|| chmod -R a+r "$(distdir)"
dist-gzip: distdir
tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
$(am__post_remove_distdir)
dist-bzip2: distdir
tardir=$(distdir) && $(am__tar) | BZIP2=$${BZIP2--9} bzip2 -c >$(distdir).tar.bz2
$(am__post_remove_distdir)
dist-lzip: distdir
tardir=$(distdir) && $(am__tar) | lzip -c $${LZIP_OPT--9} >$(distdir).tar.lz
$(am__post_remove_distdir)
dist-xz: distdir
tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz
$(am__post_remove_distdir)
dist-tarZ: distdir
@echo WARNING: "Support for distribution archives compressed with" \
"legacy program 'compress' is deprecated." >&2
@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z
$(am__post_remove_distdir)
dist-shar: distdir
@echo WARNING: "Support for shar distribution archives is" \
"deprecated." >&2
@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz
$(am__post_remove_distdir)
dist-zip: distdir
-rm -f $(distdir).zip
zip -rq $(distdir).zip $(distdir)
$(am__post_remove_distdir)
dist dist-all:
$(MAKE) $(AM_MAKEFLAGS) $(DIST_TARGETS) am__post_remove_distdir='@:'
$(am__post_remove_distdir)
# This target untars the dist file and tries a VPATH configuration. Then
# it guarantees that the distribution is self-contained by making another
# tarfile.
distcheck: dist
case '$(DIST_ARCHIVES)' in \
*.tar.gz*) \
GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\
*.tar.bz2*) \
bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\
*.tar.lz*) \
lzip -dc $(distdir).tar.lz | $(am__untar) ;;\
*.tar.xz*) \
xz -dc $(distdir).tar.xz | $(am__untar) ;;\
*.tar.Z*) \
uncompress -c $(distdir).tar.Z | $(am__untar) ;;\
*.shar.gz*) \
GZIP=$(GZIP_ENV) gzip -dc $(distdir).shar.gz | unshar ;;\
*.zip*) \
unzip $(distdir).zip ;;\
esac
chmod -R a-w $(distdir)
chmod u+w $(distdir)
mkdir $(distdir)/_build $(distdir)/_build/sub $(distdir)/_inst
chmod a-w $(distdir)
test -d $(distdir)/_build || exit 0; \
dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \
&& dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
&& am__cwd=`pwd` \
&& $(am__cd) $(distdir)/_build/sub \
&& ../../configure \
$(AM_DISTCHECK_CONFIGURE_FLAGS) \
$(DISTCHECK_CONFIGURE_FLAGS) \
--srcdir=../.. --prefix="$$dc_install_base" \
&& $(MAKE) $(AM_MAKEFLAGS) \
&& $(MAKE) $(AM_MAKEFLAGS) dvi \
&& $(MAKE) $(AM_MAKEFLAGS) check \
&& $(MAKE) $(AM_MAKEFLAGS) install \
&& $(MAKE) $(AM_MAKEFLAGS) installcheck \
&& $(MAKE) $(AM_MAKEFLAGS) uninstall \
&& $(MAKE) $(AM_MAKEFLAGS) distuninstallcheck_dir="$$dc_install_base" \
distuninstallcheck \
&& chmod -R a-w "$$dc_install_base" \
&& ({ \
(cd ../.. && umask 077 && mkdir "$$dc_destdir") \
&& $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" install \
&& $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" uninstall \
&& $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" \
distuninstallcheck_dir="$$dc_destdir" distuninstallcheck; \
} || { rm -rf "$$dc_destdir"; exit 1; }) \
&& rm -rf "$$dc_destdir" \
&& $(MAKE) $(AM_MAKEFLAGS) dist \
&& rm -rf $(DIST_ARCHIVES) \
&& $(MAKE) $(AM_MAKEFLAGS) distcleancheck \
&& cd "$$am__cwd" \
|| exit 1
$(am__post_remove_distdir)
@(echo "$(distdir) archives ready for distribution: "; \
list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \
sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x'
distuninstallcheck:
@test -n '$(distuninstallcheck_dir)' || { \
echo 'ERROR: trying to run $@ with an empty' \
'$$(distuninstallcheck_dir)' >&2; \
exit 1; \
}; \
$(am__cd) '$(distuninstallcheck_dir)' || { \
echo 'ERROR: cannot chdir into $(distuninstallcheck_dir)' >&2; \
exit 1; \
}; \
test `$(am__distuninstallcheck_listfiles) | wc -l` -eq 0 \
|| { echo "ERROR: files left after uninstall:" ; \
if test -n "$(DESTDIR)"; then \
echo " (check DESTDIR support)"; \
fi ; \
$(distuninstallcheck_listfiles) ; \
exit 1; } >&2
distcleancheck: distclean
@if test '$(srcdir)' = . ; then \
echo "ERROR: distcleancheck can only run from a VPATH build" ; \
exit 1 ; \
fi
@test `$(distcleancheck_listfiles) | wc -l` -eq 0 \
|| { echo "ERROR: files left in build directory after distclean:" ; \
$(distcleancheck_listfiles) ; \
exit 1; } >&2
check-am: all-am
check: check-recursive
all-am: Makefile $(DATA)
installdirs: installdirs-recursive
installdirs-am:
for dir in "$(DESTDIR)$(docdir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-recursive
install-exec: install-exec-recursive
install-data: install-data-recursive
uninstall: uninstall-recursive
install-am: all-am
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
installcheck: installcheck-recursive
install-strip:
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
clean: clean-recursive
clean-am: clean-generic clean-libtool mostlyclean-am
distclean: distclean-recursive
-rm -f $(am__CONFIG_DISTCLEAN_FILES)
-rm -f Makefile
distclean-am: clean-am distclean-generic distclean-libtool \
distclean-local distclean-tags
dvi: dvi-recursive
dvi-am:
html: html-recursive
html-am:
info: info-recursive
info-am:
install-data-am: install-docDATA
@$(NORMAL_INSTALL)
$(MAKE) $(AM_MAKEFLAGS) install-data-hook
install-dvi: install-dvi-recursive
install-dvi-am:
install-exec-am:
install-html: install-html-recursive
install-html-am:
install-info: install-info-recursive
install-info-am:
install-man:
install-pdf: install-pdf-recursive
install-pdf-am:
install-ps: install-ps-recursive
install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-recursive
-rm -f $(am__CONFIG_DISTCLEAN_FILES)
-rm -rf $(top_srcdir)/autom4te.cache
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-recursive
mostlyclean-am: mostlyclean-generic mostlyclean-libtool
pdf: pdf-recursive
pdf-am:
ps: ps-recursive
ps-am:
uninstall-am: uninstall-docDATA
.MAKE: $(am__recursive_targets) install-am install-data-am \
install-strip
.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \
am--refresh check check-am clean clean-cscope clean-generic \
clean-libtool cscope cscopelist-am ctags ctags-am dist \
dist-all dist-bzip2 dist-gzip dist-lzip dist-shar dist-tarZ \
dist-xz dist-zip distcheck distclean distclean-generic \
distclean-libtool distclean-local distclean-tags \
distcleancheck distdir distuninstallcheck dvi dvi-am html \
html-am info info-am install install-am install-data \
install-data-am install-data-hook install-docDATA install-dvi \
install-dvi-am install-exec install-exec-am install-html \
install-html-am install-info install-info-am install-man \
install-pdf install-pdf-am install-ps install-ps-am \
install-strip installcheck installcheck-am installdirs \
installdirs-am maintainer-clean maintainer-clean-generic \
mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
ps ps-am tags tags-am uninstall uninstall-am uninstall-docDATA
.PRECIOUS: Makefile
libtool: $(LIBTOOL_DEPS)
$(SHELL) ./config.status libtool
distclean-local:
rm -rf autom4te.cache
# rm -f $(distdir)-win32-installer.exe
#dist-hook:
# makensis -NOCD -DVERSION=${VERSION} \
# -DSTUNNEL_DIR=$(srcdir) \
# -DROOT_DIR=/usr/src \
# $(srcdir)/tools/stunnel.nsi
sign: dist
cp -f $(distdir).tar.gz $(distdir)-win32-installer.exe $(distdir)-android.zip ../dist
gpg-agent --daemon /bin/sh -c "cd ../dist; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir).tar.gz; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-win32-installer.exe; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-android.zip"
sha256sum $(distdir).tar.gz >../dist/$(distdir).tar.gz.sha256
sha256sum $(distdir)-win32-installer.exe >../dist/$(distdir)-win32-installer.exe.sha256
sha256sum $(distdir)-android.zip >../dist/$(distdir)-android.zip.sha256
cat ../dist/$(distdir)*.sha256 | tac
cert:
$(MAKE) -C tools cert
test: check
install-data-hook:
@echo "*********************************************************"
@echo "* Type 'make cert' to also install a sample certificate *"
@echo "*********************************************************"
stunnel.pod: Makefile
$(edit) '$(srcdir)/$@.in' >$@
stunnel.pod: $(srcdir)/stunnel.pod
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:

1
NEWS Normal file
View File

@ -0,0 +1 @@
See the ChangeLog file for the latest news.

17
PORTS Normal file
View File

@ -0,0 +1,17 @@
stunnel known port maintainers
* Cygwin
- Andrew Schulman <andrex@alumni.utexas.net>
* Debian GNU/Linux
- Peter Pentchev <roam@ringlet.net>
* FreeBSD
- Ryan Steinmetz <zi@FreeBSD.org>
* NetBSD
- Martti Kuparinen <martti.kuparinen@iki.fi>
* OpenBSD
- Gleydson Soares <gsoares@openbsd.org>
* OpenCSW Solaris
- Dagobert Michelsen <dam@opencsw.org>
* RedHat Linux
- Damien Miller <dmiller@ilogic.com.au>

30
README Normal file
View File

@ -0,0 +1,30 @@
stunnel overview
Short description
The stunnel program is designed to work as an SSL encryption
wrapper between remote client and local (inetd-startable) or
remote servers. The goal is to facilitate SSL encryption and
authentication for non-SSL-aware programs.
stunnel can be used to add SSL functionality to commonly
used inetd daemons like POP-2, POP-3 and IMAP servers
without any changes in the programs' code.
Compile instructions
See INSTALL file.
License
See COPYING file.
Other files you should read
Changelog What I did
TODO What I'm going to do
Reporting problems and other contacts
See FAQ file.

52
TODO Normal file
View File

@ -0,0 +1,52 @@
stunnel TODO
High priority features. They will likely be supported some day.
A sponsor could allocate my time to get them faster.
* Add client certificate autoselection based on the list of accepted issuers:
SSL_CTX_set_client_cert_cb(), SSL_get_client_CA_list().
* Add an Apparmor profile.
* Optional line-buffering of the log file.
* Log rotation on Windows.
* Configuration file option to limit the number of concurrent connections.
* Implement reference counting of the SERVICE_OPTIONS structure
- Add 'leastconn' failover strategy to order defined 'connect' targets
by the number of active connections.
- Add '-status' command line option reporting the number of clients
connected to each service.
- Deallocate SERVICE_OPTIONS structure when the configuration file
is reloaded *and* old connections are closed.
* Command-line server control interface on both Unix and Windows.
* Separate GUI process running as the current user on Windows.
* An Android GUI.
* OCSP stapling (tlsext_status).
* Extend session tickets and/or sessiond to also serialize application
data ("redirect" state and session persistence).
* Indirect CRL support (RFC 3280, section 5).
* Provide 64-bit Windows builds (besides 32-bit builds).
This requires either Microsoft Visual Studio Standard Edition or Microsoft
Visual Studio Professional Edition in order to retain FIPS compliance.
* MSI installer for Windows.
* Add user-defined headers to CONNECT proxy requests.
This can be used to impersonate other software (e.g. web browsers).
Low priority features. They will unlikely ever be supported.
* Database and/or directory interface for retrieving PSK secrets.
* Support static FIPS-enabled build.
* Service-level logging destination.
* Enforce key renegotiation (re-handshake) for long connections.
* Logging to NT EventLog on Windows.
* Internationalization of logged messages (i18n).
* Generic scripting engine instead or static protocol.c.
Features I won't support, unless convinced otherwise by a wealthy sponsor.
* Support for adding X-Forwarded-For to HTTP request headers.
This feature is less useful since PROXY protocol support is available.
* Support for adding X-Forwarded-For to SMTP email headers.
This feature is most likely to be implemented as a separate proxy.
* Additional certificate checks (including wildcard comparison) based on:
- O (Organization), and
- OU (Organizational Unit).
* Set processes title that appear on the ps(1) and top(1) commands.
I could not find a portable *and* non-copyleft library for it.

2037
aclocal.m4 vendored Normal file
View File

File diff suppressed because it is too large Load Diff

347
auto/compile Executable file
View File

@ -0,0 +1,347 @@
#! /bin/sh
# Wrapper for compilers which do not understand '-c -o'.
scriptversion=2012-10-14.11; # UTC
# Copyright (C) 1999-2014 Free Software Foundation, Inc.
# Written by Tom Tromey <tromey@cygnus.com>.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# This file is maintained in Automake, please report
# bugs to <bug-automake@gnu.org> or send patches to
# <automake-patches@gnu.org>.
nl='
'
# We need space, tab and new line, in precisely that order. Quoting is
# there to prevent tools from complaining about whitespace usage.
IFS=" "" $nl"
file_conv=
# func_file_conv build_file lazy
# Convert a $build file to $host form and store it in $file
# Currently only supports Windows hosts. If the determined conversion
# type is listed in (the comma separated) LAZY, no conversion will
# take place.
func_file_conv ()
{
file=$1
case $file in
/ | /[!/]*) # absolute file, and not a UNC file
if test -z "$file_conv"; then
# lazily determine how to convert abs files
case `uname -s` in
MINGW*)
file_conv=mingw
;;
CYGWIN*)
file_conv=cygwin
;;
*)
file_conv=wine
;;
esac
fi
case $file_conv/,$2, in
*,$file_conv,*)
;;
mingw/*)
file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'`
;;
cygwin/*)
file=`cygpath -m "$file" || echo "$file"`
;;
wine/*)
file=`winepath -w "$file" || echo "$file"`
;;
esac
;;
esac
}
# func_cl_dashL linkdir
# Make cl look for libraries in LINKDIR
func_cl_dashL ()
{
func_file_conv "$1"
if test -z "$lib_path"; then
lib_path=$file
else
lib_path="$lib_path;$file"
fi
linker_opts="$linker_opts -LIBPATH:$file"
}
# func_cl_dashl library
# Do a library search-path lookup for cl
func_cl_dashl ()
{
lib=$1
found=no
save_IFS=$IFS
IFS=';'
for dir in $lib_path $LIB
do
IFS=$save_IFS
if $shared && test -f "$dir/$lib.dll.lib"; then
found=yes
lib=$dir/$lib.dll.lib
break
fi
if test -f "$dir/$lib.lib"; then
found=yes
lib=$dir/$lib.lib
break
fi
if test -f "$dir/lib$lib.a"; then
found=yes
lib=$dir/lib$lib.a
break
fi
done
IFS=$save_IFS
if test "$found" != yes; then
lib=$lib.lib
fi
}
# func_cl_wrapper cl arg...
# Adjust compile command to suit cl
func_cl_wrapper ()
{
# Assume a capable shell
lib_path=
shared=:
linker_opts=
for arg
do
if test -n "$eat"; then
eat=
else
case $1 in
-o)
# configure might choose to run compile as 'compile cc -o foo foo.c'.
eat=1
case $2 in
*.o | *.[oO][bB][jJ])
func_file_conv "$2"
set x "$@" -Fo"$file"
shift
;;
*)
func_file_conv "$2"
set x "$@" -Fe"$file"
shift
;;
esac
;;
-I)
eat=1
func_file_conv "$2" mingw
set x "$@" -I"$file"
shift
;;
-I*)
func_file_conv "${1#-I}" mingw
set x "$@" -I"$file"
shift
;;
-l)
eat=1
func_cl_dashl "$2"
set x "$@" "$lib"
shift
;;
-l*)
func_cl_dashl "${1#-l}"
set x "$@" "$lib"
shift
;;
-L)
eat=1
func_cl_dashL "$2"
;;
-L*)
func_cl_dashL "${1#-L}"
;;
-static)
shared=false
;;
-Wl,*)
arg=${1#-Wl,}
save_ifs="$IFS"; IFS=','
for flag in $arg; do
IFS="$save_ifs"
linker_opts="$linker_opts $flag"
done
IFS="$save_ifs"
;;
-Xlinker)
eat=1
linker_opts="$linker_opts $2"
;;
-*)
set x "$@" "$1"
shift
;;
*.cc | *.CC | *.cxx | *.CXX | *.[cC]++)
func_file_conv "$1"
set x "$@" -Tp"$file"
shift
;;
*.c | *.cpp | *.CPP | *.lib | *.LIB | *.Lib | *.OBJ | *.obj | *.[oO])
func_file_conv "$1" mingw
set x "$@" "$file"
shift
;;
*)
set x "$@" "$1"
shift
;;
esac
fi
shift
done
if test -n "$linker_opts"; then
linker_opts="-link$linker_opts"
fi
exec "$@" $linker_opts
exit 1
}
eat=
case $1 in
'')
echo "$0: No command. Try '$0 --help' for more information." 1>&2
exit 1;
;;
-h | --h*)
cat <<\EOF
Usage: compile [--help] [--version] PROGRAM [ARGS]
Wrapper for compilers which do not understand '-c -o'.
Remove '-o dest.o' from ARGS, run PROGRAM with the remaining
arguments, and rename the output as expected.
If you are trying to build a whole package this is not the
right script to run: please start by reading the file 'INSTALL'.
Report bugs to <bug-automake@gnu.org>.
EOF
exit $?
;;
-v | --v*)
echo "compile $scriptversion"
exit $?
;;
cl | *[/\\]cl | cl.exe | *[/\\]cl.exe )
func_cl_wrapper "$@" # Doesn't return...
;;
esac
ofile=
cfile=
for arg
do
if test -n "$eat"; then
eat=
else
case $1 in
-o)
# configure might choose to run compile as 'compile cc -o foo foo.c'.
# So we strip '-o arg' only if arg is an object.
eat=1
case $2 in
*.o | *.obj)
ofile=$2
;;
*)
set x "$@" -o "$2"
shift
;;
esac
;;
*.c)
cfile=$1
set x "$@" "$1"
shift
;;
*)
set x "$@" "$1"
shift
;;
esac
fi
shift
done
if test -z "$ofile" || test -z "$cfile"; then
# If no '-o' option was seen then we might have been invoked from a
# pattern rule where we don't need one. That is ok -- this is a
# normal compilation that the losing compiler can handle. If no
# '.c' file was seen then we are probably linking. That is also
# ok.
exec "$@"
fi
# Name of file we expect compiler to create.
cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'`
# Create the lock directory.
# Note: use '[/\\:.-]' here to ensure that we don't use the same name
# that we are using for the .o file. Also, base the name on the expected
# object file name, since that is what matters with a parallel build.
lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d
while true; do
if mkdir "$lockdir" >/dev/null 2>&1; then
break
fi
sleep 1
done
# FIXME: race condition here if user kills between mkdir and trap.
trap "rmdir '$lockdir'; exit 1" 1 2 15
# Run the compile.
"$@"
ret=$?
if test -f "$cofile"; then
test "$cofile" = "$ofile" || mv "$cofile" "$ofile"
elif test -f "${cofile}bj"; then
test "${cofile}bj" = "$ofile" || mv "${cofile}bj" "$ofile"
fi
rmdir "$lockdir"
exit $ret
# Local Variables:
# mode: shell-script
# sh-indentation: 2
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:

1462
auto/config.guess vendored Executable file
View File

File diff suppressed because it is too large Load Diff

1825
auto/config.sub vendored Executable file
View File

File diff suppressed because it is too large Load Diff

791
auto/depcomp Executable file
View File

@ -0,0 +1,791 @@
#! /bin/sh
# depcomp - compile a program generating dependencies as side-effects
scriptversion=2013-05-30.07; # UTC
# Copyright (C) 1999-2014 Free Software Foundation, Inc.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# Originally written by Alexandre Oliva <oliva@dcc.unicamp.br>.
case $1 in
'')
echo "$0: No command. Try '$0 --help' for more information." 1>&2
exit 1;
;;
-h | --h*)
cat <<\EOF
Usage: depcomp [--help] [--version] PROGRAM [ARGS]
Run PROGRAMS ARGS to compile a file, generating dependencies
as side-effects.
Environment variables:
depmode Dependency tracking mode.
source Source file read by 'PROGRAMS ARGS'.
object Object file output by 'PROGRAMS ARGS'.
DEPDIR directory where to store dependencies.
depfile Dependency file to output.
tmpdepfile Temporary file to use when outputting dependencies.
libtool Whether libtool is used (yes/no).
Report bugs to <bug-automake@gnu.org>.
EOF
exit $?
;;
-v | --v*)
echo "depcomp $scriptversion"
exit $?
;;
esac
# Get the directory component of the given path, and save it in the
# global variables '$dir'. Note that this directory component will
# be either empty or ending with a '/' character. This is deliberate.
set_dir_from ()
{
case $1 in
*/*) dir=`echo "$1" | sed -e 's|/[^/]*$|/|'`;;
*) dir=;;
esac
}
# Get the suffix-stripped basename of the given path, and save it the
# global variable '$base'.
set_base_from ()
{
base=`echo "$1" | sed -e 's|^.*/||' -e 's/\.[^.]*$//'`
}
# If no dependency file was actually created by the compiler invocation,
# we still have to create a dummy depfile, to avoid errors with the
# Makefile "include basename.Plo" scheme.
make_dummy_depfile ()
{
echo "#dummy" > "$depfile"
}
# Factor out some common post-processing of the generated depfile.
# Requires the auxiliary global variable '$tmpdepfile' to be set.
aix_post_process_depfile ()
{
# If the compiler actually managed to produce a dependency file,
# post-process it.
if test -f "$tmpdepfile"; then
# Each line is of the form 'foo.o: dependency.h'.
# Do two passes, one to just change these to
# $object: dependency.h
# and one to simply output
# dependency.h:
# which is needed to avoid the deleted-header problem.
{ sed -e "s,^.*\.[$lower]*:,$object:," < "$tmpdepfile"
sed -e "s,^.*\.[$lower]*:[$tab ]*,," -e 's,$,:,' < "$tmpdepfile"
} > "$depfile"
rm -f "$tmpdepfile"
else
make_dummy_depfile
fi
}
# A tabulation character.
tab=' '
# A newline character.
nl='
'
# Character ranges might be problematic outside the C locale.
# These definitions help.
upper=ABCDEFGHIJKLMNOPQRSTUVWXYZ
lower=abcdefghijklmnopqrstuvwxyz
digits=0123456789
alpha=${upper}${lower}
if test -z "$depmode" || test -z "$source" || test -z "$object"; then
echo "depcomp: Variables source, object and depmode must be set" 1>&2
exit 1
fi
# Dependencies for sub/bar.o or sub/bar.obj go into sub/.deps/bar.Po.
depfile=${depfile-`echo "$object" |
sed 's|[^\\/]*$|'${DEPDIR-.deps}'/&|;s|\.\([^.]*\)$|.P\1|;s|Pobj$|Po|'`}
tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}
rm -f "$tmpdepfile"
# Avoid interferences from the environment.
gccflag= dashmflag=
# Some modes work just like other modes, but use different flags. We
# parameterize here, but still list the modes in the big case below,
# to make depend.m4 easier to write. Note that we *cannot* use a case
# here, because this file can only contain one case statement.
if test "$depmode" = hp; then
# HP compiler uses -M and no extra arg.
gccflag=-M
depmode=gcc
fi
if test "$depmode" = dashXmstdout; then
# This is just like dashmstdout with a different argument.
dashmflag=-xM
depmode=dashmstdout
fi
cygpath_u="cygpath -u -f -"
if test "$depmode" = msvcmsys; then
# This is just like msvisualcpp but w/o cygpath translation.
# Just convert the backslash-escaped backslashes to single forward
# slashes to satisfy depend.m4
cygpath_u='sed s,\\\\,/,g'
depmode=msvisualcpp
fi
if test "$depmode" = msvc7msys; then
# This is just like msvc7 but w/o cygpath translation.
# Just convert the backslash-escaped backslashes to single forward
# slashes to satisfy depend.m4
cygpath_u='sed s,\\\\,/,g'
depmode=msvc7
fi
if test "$depmode" = xlc; then
# IBM C/C++ Compilers xlc/xlC can output gcc-like dependency information.
gccflag=-qmakedep=gcc,-MF
depmode=gcc
fi
case "$depmode" in
gcc3)
## gcc 3 implements dependency tracking that does exactly what
## we want. Yay! Note: for some reason libtool 1.4 doesn't like
## it if -MD -MP comes after the -MF stuff. Hmm.
## Unfortunately, FreeBSD c89 acceptance of flags depends upon
## the command line argument order; so add the flags where they
## appear in depend2.am. Note that the slowdown incurred here
## affects only configure: in makefiles, %FASTDEP% shortcuts this.
for arg
do
case $arg in
-c) set fnord "$@" -MT "$object" -MD -MP -MF "$tmpdepfile" "$arg" ;;
*) set fnord "$@" "$arg" ;;
esac
shift # fnord
shift # $arg
done
"$@"
stat=$?
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
mv "$tmpdepfile" "$depfile"
;;
gcc)
## Note that this doesn't just cater to obsosete pre-3.x GCC compilers.
## but also to in-use compilers like IMB xlc/xlC and the HP C compiler.
## (see the conditional assignment to $gccflag above).
## There are various ways to get dependency output from gcc. Here's
## why we pick this rather obscure method:
## - Don't want to use -MD because we'd like the dependencies to end
## up in a subdir. Having to rename by hand is ugly.
## (We might end up doing this anyway to support other compilers.)
## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like
## -MM, not -M (despite what the docs say). Also, it might not be
## supported by the other compilers which use the 'gcc' depmode.
## - Using -M directly means running the compiler twice (even worse
## than renaming).
if test -z "$gccflag"; then
gccflag=-MD,
fi
"$@" -Wp,"$gccflag$tmpdepfile"
stat=$?
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
echo "$object : \\" > "$depfile"
# The second -e expression handles DOS-style file names with drive
# letters.
sed -e 's/^[^:]*: / /' \
-e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile"
## This next piece of magic avoids the "deleted header file" problem.
## The problem is that when a header file which appears in a .P file
## is deleted, the dependency causes make to die (because there is
## typically no way to rebuild the header). We avoid this by adding
## dummy dependencies for each header file. Too bad gcc doesn't do
## this for us directly.
## Some versions of gcc put a space before the ':'. On the theory
## that the space means something, we add a space to the output as
## well. hp depmode also adds that space, but also prefixes the VPATH
## to the object. Take care to not repeat it in the output.
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^\\$//' -e '/^$/d' -e "s|.*$object$||" -e '/:$/d' \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
hp)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;
sgi)
if test "$libtool" = yes; then
"$@" "-Wp,-MDupdate,$tmpdepfile"
else
"$@" -MDupdate "$tmpdepfile"
fi
stat=$?
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
if test -f "$tmpdepfile"; then # yes, the sourcefile depend on other files
echo "$object : \\" > "$depfile"
# Clip off the initial element (the dependent). Don't try to be
# clever and replace this with sed code, as IRIX sed won't handle
# lines with more than a fixed number of characters (4096 in
# IRIX 6.2 sed, 8192 in IRIX 6.5). We also remove comment lines;
# the IRIX cc adds comments like '#:fec' to the end of the
# dependency line.
tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' \
| tr "$nl" ' ' >> "$depfile"
echo >> "$depfile"
# The second pass generates a dummy entry for each header file.
tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
>> "$depfile"
else
make_dummy_depfile
fi
rm -f "$tmpdepfile"
;;
xlc)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;
aix)
# The C for AIX Compiler uses -M and outputs the dependencies
# in a .u file. In older versions, this file always lives in the
# current directory. Also, the AIX compiler puts '$object:' at the
# start of each line; $object doesn't have directory information.
# Version 6 uses the directory in both cases.
set_dir_from "$object"
set_base_from "$object"
if test "$libtool" = yes; then
tmpdepfile1=$dir$base.u
tmpdepfile2=$base.u
tmpdepfile3=$dir.libs/$base.u
"$@" -Wc,-M
else
tmpdepfile1=$dir$base.u
tmpdepfile2=$dir$base.u
tmpdepfile3=$dir$base.u
"$@" -M
fi
stat=$?
if test $stat -ne 0; then
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
exit $stat
fi
for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
do
test -f "$tmpdepfile" && break
done
aix_post_process_depfile
;;
tcc)
# tcc (Tiny C Compiler) understand '-MD -MF file' since version 0.9.26
# FIXME: That version still under development at the moment of writing.
# Make that this statement remains true also for stable, released
# versions.
# It will wrap lines (doesn't matter whether long or short) with a
# trailing '\', as in:
#
# foo.o : \
# foo.c \
# foo.h \
#
# It will put a trailing '\' even on the last line, and will use leading
# spaces rather than leading tabs (at least since its commit 0394caf7
# "Emit spaces for -MD").
"$@" -MD -MF "$tmpdepfile"
stat=$?
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
# Each non-empty line is of the form 'foo.o : \' or ' dep.h \'.
# We have to change lines of the first kind to '$object: \'.
sed -e "s|.*:|$object :|" < "$tmpdepfile" > "$depfile"
# And for each line of the second kind, we have to emit a 'dep.h:'
# dummy dependency, to avoid the deleted-header problem.
sed -n -e 's|^ *\(.*\) *\\$|\1:|p' < "$tmpdepfile" >> "$depfile"
rm -f "$tmpdepfile"
;;
## The order of this option in the case statement is important, since the
## shell code in configure will try each of these formats in the order
## listed in this file. A plain '-MD' option would be understood by many
## compilers, so we must ensure this comes after the gcc and icc options.
pgcc)
# Portland's C compiler understands '-MD'.
# Will always output deps to 'file.d' where file is the root name of the
# source file under compilation, even if file resides in a subdirectory.
# The object file name does not affect the name of the '.d' file.
# pgcc 10.2 will output
# foo.o: sub/foo.c sub/foo.h
# and will wrap long lines using '\' :
# foo.o: sub/foo.c ... \
# sub/foo.h ... \
# ...
set_dir_from "$object"
# Use the source, not the object, to determine the base name, since
# that's sadly what pgcc will do too.
set_base_from "$source"
tmpdepfile=$base.d
# For projects that build the same source file twice into different object
# files, the pgcc approach of using the *source* file root name can cause
# problems in parallel builds. Use a locking strategy to avoid stomping on
# the same $tmpdepfile.
lockdir=$base.d-lock
trap "
echo '$0: caught signal, cleaning up...' >&2
rmdir '$lockdir'
exit 1
" 1 2 13 15
numtries=100
i=$numtries
while test $i -gt 0; do
# mkdir is a portable test-and-set.
if mkdir "$lockdir" 2>/dev/null; then
# This process acquired the lock.
"$@" -MD
stat=$?
# Release the lock.
rmdir "$lockdir"
break
else
# If the lock is being held by a different process, wait
# until the winning process is done or we timeout.
while test -d "$lockdir" && test $i -gt 0; do
sleep 1
i=`expr $i - 1`
done
fi
i=`expr $i - 1`
done
trap - 1 2 13 15
if test $i -le 0; then
echo "$0: failed to acquire lock after $numtries attempts" >&2
echo "$0: check lockdir '$lockdir'" >&2
exit 1
fi
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
# Each line is of the form `foo.o: dependent.h',
# or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'.
# Do two passes, one to just change these to
# `$object: dependent.h' and one to simply `dependent.h:'.
sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile"
# Some versions of the HPUX 10.20 sed can't process this invocation
# correctly. Breaking it into two sed invocations is a workaround.
sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
hp2)
# The "hp" stanza above does not work with aCC (C++) and HP's ia64
# compilers, which have integrated preprocessors. The correct option
# to use with these is +Maked; it writes dependencies to a file named
# 'foo.d', which lands next to the object file, wherever that
# happens to be.
# Much of this is similar to the tru64 case; see comments there.
set_dir_from "$object"
set_base_from "$object"
if test "$libtool" = yes; then
tmpdepfile1=$dir$base.d
tmpdepfile2=$dir.libs/$base.d
"$@" -Wc,+Maked
else
tmpdepfile1=$dir$base.d
tmpdepfile2=$dir$base.d
"$@" +Maked
fi
stat=$?
if test $stat -ne 0; then
rm -f "$tmpdepfile1" "$tmpdepfile2"
exit $stat
fi
for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2"
do
test -f "$tmpdepfile" && break
done
if test -f "$tmpdepfile"; then
sed -e "s,^.*\.[$lower]*:,$object:," "$tmpdepfile" > "$depfile"
# Add 'dependent.h:' lines.
sed -ne '2,${
s/^ *//
s/ \\*$//
s/$/:/
p
}' "$tmpdepfile" >> "$depfile"
else
make_dummy_depfile
fi
rm -f "$tmpdepfile" "$tmpdepfile2"
;;
tru64)
# The Tru64 compiler uses -MD to generate dependencies as a side
# effect. 'cc -MD -o foo.o ...' puts the dependencies into 'foo.o.d'.
# At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
# dependencies in 'foo.d' instead, so we check for that too.
# Subdirectories are respected.
set_dir_from "$object"
set_base_from "$object"
if test "$libtool" = yes; then
# Libtool generates 2 separate objects for the 2 libraries. These
# two compilations output dependencies in $dir.libs/$base.o.d and
# in $dir$base.o.d. We have to check for both files, because
# one of the two compilations can be disabled. We should prefer
# $dir$base.o.d over $dir.libs/$base.o.d because the latter is
# automatically cleaned when .libs/ is deleted, while ignoring
# the former would cause a distcleancheck panic.
tmpdepfile1=$dir$base.o.d # libtool 1.5
tmpdepfile2=$dir.libs/$base.o.d # Likewise.
tmpdepfile3=$dir.libs/$base.d # Compaq CCC V6.2-504
"$@" -Wc,-MD
else
tmpdepfile1=$dir$base.d
tmpdepfile2=$dir$base.d
tmpdepfile3=$dir$base.d
"$@" -MD
fi
stat=$?
if test $stat -ne 0; then
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
exit $stat
fi
for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
do
test -f "$tmpdepfile" && break
done
# Same post-processing that is required for AIX mode.
aix_post_process_depfile
;;
msvc7)
if test "$libtool" = yes; then
showIncludes=-Wc,-showIncludes
else
showIncludes=-showIncludes
fi
"$@" $showIncludes > "$tmpdepfile"
stat=$?
grep -v '^Note: including file: ' "$tmpdepfile"
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
echo "$object : \\" > "$depfile"
# The first sed program below extracts the file names and escapes
# backslashes for cygpath. The second sed program outputs the file
# name when reading, but also accumulates all include files in the
# hold buffer in order to output them again at the end. This only
# works with sed implementations that can handle large buffers.
sed < "$tmpdepfile" -n '
/^Note: including file: *\(.*\)/ {
s//\1/
s/\\/\\\\/g
p
}' | $cygpath_u | sort -u | sed -n '
s/ /\\ /g
s/\(.*\)/'"$tab"'\1 \\/p
s/.\(.*\) \\/\1:/
H
$ {
s/.*/'"$tab"'/
G
p
}' >> "$depfile"
echo >> "$depfile" # make sure the fragment doesn't end with a backslash
rm -f "$tmpdepfile"
;;
msvc7msys)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;
#nosideeffect)
# This comment above is used by automake to tell side-effect
# dependency tracking mechanisms from slower ones.
dashmstdout)
# Important note: in order to support this mode, a compiler *must*
# always write the preprocessed file to stdout, regardless of -o.
"$@" || exit $?
# Remove the call to Libtool.
if test "$libtool" = yes; then
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi
# Remove '-o $object'.
IFS=" "
for arg
do
case $arg in
-o)
shift
;;
$object)
shift
;;
*)
set fnord "$@" "$arg"
shift # fnord
shift # $arg
;;
esac
done
test -z "$dashmflag" && dashmflag=-M
# Require at least two characters before searching for ':'
# in the target name. This is to cope with DOS-style filenames:
# a dependency such as 'c:/foo/bar' could be seen as target 'c' otherwise.
"$@" $dashmflag |
sed "s|^[$tab ]*[^:$tab ][^:][^:]*:[$tab ]*|$object: |" > "$tmpdepfile"
rm -f "$depfile"
cat < "$tmpdepfile" > "$depfile"
# Some versions of the HPUX 10.20 sed can't process this sed invocation
# correctly. Breaking it into two sed invocations is a workaround.
tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
dashXmstdout)
# This case only exists to satisfy depend.m4. It is never actually
# run, as this mode is specially recognized in the preamble.
exit 1
;;
makedepend)
"$@" || exit $?
# Remove any Libtool call
if test "$libtool" = yes; then
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi
# X makedepend
shift
cleared=no eat=no
for arg
do
case $cleared in
no)
set ""; shift
cleared=yes ;;
esac
if test $eat = yes; then
eat=no
continue
fi
case "$arg" in
-D*|-I*)
set fnord "$@" "$arg"; shift ;;
# Strip any option that makedepend may not understand. Remove
# the object too, otherwise makedepend will parse it as a source file.
-arch)
eat=yes ;;
-*|$object)
;;
*)
set fnord "$@" "$arg"; shift ;;
esac
done
obj_suffix=`echo "$object" | sed 's/^.*\././'`
touch "$tmpdepfile"
${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
rm -f "$depfile"
# makedepend may prepend the VPATH from the source file name to the object.
# No need to regex-escape $object, excess matching of '.' is harmless.
sed "s|^.*\($object *:\)|\1|" "$tmpdepfile" > "$depfile"
# Some versions of the HPUX 10.20 sed can't process the last invocation
# correctly. Breaking it into two sed invocations is a workaround.
sed '1,2d' "$tmpdepfile" \
| tr ' ' "$nl" \
| sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile" "$tmpdepfile".bak
;;
cpp)
# Important note: in order to support this mode, a compiler *must*
# always write the preprocessed file to stdout.
"$@" || exit $?
# Remove the call to Libtool.
if test "$libtool" = yes; then
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi
# Remove '-o $object'.
IFS=" "
for arg
do
case $arg in
-o)
shift
;;
$object)
shift
;;
*)
set fnord "$@" "$arg"
shift # fnord
shift # $arg
;;
esac
done
"$@" -E \
| sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
-e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
| sed '$ s: \\$::' > "$tmpdepfile"
rm -f "$depfile"
echo "$object : \\" > "$depfile"
cat < "$tmpdepfile" >> "$depfile"
sed < "$tmpdepfile" '/^$/d;s/^ //;s/ \\$//;s/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
msvisualcpp)
# Important note: in order to support this mode, a compiler *must*
# always write the preprocessed file to stdout.
"$@" || exit $?
# Remove the call to Libtool.
if test "$libtool" = yes; then
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi
IFS=" "
for arg
do
case "$arg" in
-o)
shift
;;
$object)
shift
;;
"-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI")
set fnord "$@"
shift
shift
;;
*)
set fnord "$@" "$arg"
shift
shift
;;
esac
done
"$@" -E 2>/dev/null |
sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::\1:p' | $cygpath_u | sort -u > "$tmpdepfile"
rm -f "$depfile"
echo "$object : \\" > "$depfile"
sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::'"$tab"'\1 \\:p' >> "$depfile"
echo "$tab" >> "$depfile"
sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::\1\::p' >> "$depfile"
rm -f "$tmpdepfile"
;;
msvcmsys)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;
none)
exec "$@"
;;
*)
echo "Unknown depmode $depmode" 1>&2
exit 1
;;
esac
exit 0
# Local Variables:
# mode: shell-script
# sh-indentation: 2
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:

508
auto/install-sh Executable file
View File

@ -0,0 +1,508 @@
#!/bin/sh
# install - install a program, script, or datafile
scriptversion=2014-09-12.12; # UTC
# This originates from X11R5 (mit/util/scripts/install.sh), which was
# later released in X11R6 (xc/config/util/install.sh) with the
# following copyright and license.
#
# Copyright (C) 1994 X Consortium
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to
# deal in the Software without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
# sell copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC-
# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
# Except as contained in this notice, the name of the X Consortium shall not
# be used in advertising or otherwise to promote the sale, use or other deal-
# ings in this Software without prior written authorization from the X Consor-
# tium.
#
#
# FSF changes to this file are in the public domain.
#
# Calling this script install-sh is preferred over install.sh, to prevent
# 'make' implicit rules from creating a file called install from it
# when there is no Makefile.
#
# This script is compatible with the BSD install script, but was written
# from scratch.
tab=' '
nl='
'
IFS=" $tab$nl"
# Set DOITPROG to "echo" to test this script.
doit=${DOITPROG-}
doit_exec=${doit:-exec}
# Put in absolute file names if you don't have them in your path;
# or use environment vars.
chgrpprog=${CHGRPPROG-chgrp}
chmodprog=${CHMODPROG-chmod}
chownprog=${CHOWNPROG-chown}
cmpprog=${CMPPROG-cmp}
cpprog=${CPPROG-cp}
mkdirprog=${MKDIRPROG-mkdir}
mvprog=${MVPROG-mv}
rmprog=${RMPROG-rm}
stripprog=${STRIPPROG-strip}
posix_mkdir=
# Desired mode of installed file.
mode=0755
chgrpcmd=
chmodcmd=$chmodprog
chowncmd=
mvcmd=$mvprog
rmcmd="$rmprog -f"
stripcmd=
src=
dst=
dir_arg=
dst_arg=
copy_on_change=false
is_target_a_directory=possibly
usage="\
Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
or: $0 [OPTION]... SRCFILES... DIRECTORY
or: $0 [OPTION]... -t DIRECTORY SRCFILES...
or: $0 [OPTION]... -d DIRECTORIES...
In the 1st form, copy SRCFILE to DSTFILE.
In the 2nd and 3rd, copy all SRCFILES to DIRECTORY.
In the 4th, create DIRECTORIES.
Options:
--help display this help and exit.
--version display version info and exit.
-c (ignored)
-C install only if different (preserve the last data modification time)
-d create directories instead of installing files.
-g GROUP $chgrpprog installed files to GROUP.
-m MODE $chmodprog installed files to MODE.
-o USER $chownprog installed files to USER.
-s $stripprog installed files.
-t DIRECTORY install into DIRECTORY.
-T report an error if DSTFILE is a directory.
Environment variables override the default commands:
CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG
RMPROG STRIPPROG
"
while test $# -ne 0; do
case $1 in
-c) ;;
-C) copy_on_change=true;;
-d) dir_arg=true;;
-g) chgrpcmd="$chgrpprog $2"
shift;;
--help) echo "$usage"; exit $?;;
-m) mode=$2
case $mode in
*' '* | *"$tab"* | *"$nl"* | *'*'* | *'?'* | *'['*)
echo "$0: invalid mode: $mode" >&2
exit 1;;
esac
shift;;
-o) chowncmd="$chownprog $2"
shift;;
-s) stripcmd=$stripprog;;
-t)
is_target_a_directory=always
dst_arg=$2
# Protect names problematic for 'test' and other utilities.
case $dst_arg in
-* | [=\(\)!]) dst_arg=./$dst_arg;;
esac
shift;;
-T) is_target_a_directory=never;;
--version) echo "$0 $scriptversion"; exit $?;;
--) shift
break;;
-*) echo "$0: invalid option: $1" >&2
exit 1;;
*) break;;
esac
shift
done
# We allow the use of options -d and -T together, by making -d
# take the precedence; this is for compatibility with GNU install.
if test -n "$dir_arg"; then
if test -n "$dst_arg"; then
echo "$0: target directory not allowed when installing a directory." >&2
exit 1
fi
fi
if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
# When -d is used, all remaining arguments are directories to create.
# When -t is used, the destination is already specified.
# Otherwise, the last argument is the destination. Remove it from $@.
for arg
do
if test -n "$dst_arg"; then
# $@ is not empty: it contains at least $arg.
set fnord "$@" "$dst_arg"
shift # fnord
fi
shift # arg
dst_arg=$arg
# Protect names problematic for 'test' and other utilities.
case $dst_arg in
-* | [=\(\)!]) dst_arg=./$dst_arg;;
esac
done
fi
if test $# -eq 0; then
if test -z "$dir_arg"; then
echo "$0: no input file specified." >&2
exit 1
fi
# It's OK to call 'install-sh -d' without argument.
# This can happen when creating conditional directories.
exit 0
fi
if test -z "$dir_arg"; then
if test $# -gt 1 || test "$is_target_a_directory" = always; then
if test ! -d "$dst_arg"; then
echo "$0: $dst_arg: Is not a directory." >&2
exit 1
fi
fi
fi
if test -z "$dir_arg"; then
do_exit='(exit $ret); exit $ret'
trap "ret=129; $do_exit" 1
trap "ret=130; $do_exit" 2
trap "ret=141; $do_exit" 13
trap "ret=143; $do_exit" 15
# Set umask so as not to create temps with too-generous modes.
# However, 'strip' requires both read and write access to temps.
case $mode in
# Optimize common cases.
*644) cp_umask=133;;
*755) cp_umask=22;;
*[0-7])
if test -z "$stripcmd"; then
u_plus_rw=
else
u_plus_rw='% 200'
fi
cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;;
*)
if test -z "$stripcmd"; then
u_plus_rw=
else
u_plus_rw=,u+rw
fi
cp_umask=$mode$u_plus_rw;;
esac
fi
for src
do
# Protect names problematic for 'test' and other utilities.
case $src in
-* | [=\(\)!]) src=./$src;;
esac
if test -n "$dir_arg"; then
dst=$src
dstdir=$dst
test -d "$dstdir"
dstdir_status=$?
else
# Waiting for this to be detected by the "$cpprog $src $dsttmp" command
# might cause directories to be created, which would be especially bad
# if $src (and thus $dsttmp) contains '*'.
if test ! -f "$src" && test ! -d "$src"; then
echo "$0: $src does not exist." >&2
exit 1
fi
if test -z "$dst_arg"; then
echo "$0: no destination specified." >&2
exit 1
fi
dst=$dst_arg
# If destination is a directory, append the input filename; won't work
# if double slashes aren't ignored.
if test -d "$dst"; then
if test "$is_target_a_directory" = never; then
echo "$0: $dst_arg: Is a directory" >&2
exit 1
fi
dstdir=$dst
dst=$dstdir/`basename "$src"`
dstdir_status=0
else
dstdir=`dirname "$dst"`
test -d "$dstdir"
dstdir_status=$?
fi
fi
obsolete_mkdir_used=false
if test $dstdir_status != 0; then
case $posix_mkdir in
'')
# Create intermediate dirs using mode 755 as modified by the umask.
# This is like FreeBSD 'install' as of 1997-10-28.
umask=`umask`
case $stripcmd.$umask in
# Optimize common cases.
*[2367][2367]) mkdir_umask=$umask;;
.*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;
*[0-7])
mkdir_umask=`expr $umask + 22 \
- $umask % 100 % 40 + $umask % 20 \
- $umask % 10 % 4 + $umask % 2
`;;
*) mkdir_umask=$umask,go-w;;
esac
# With -d, create the new directory with the user-specified mode.
# Otherwise, rely on $mkdir_umask.
if test -n "$dir_arg"; then
mkdir_mode=-m$mode
else
mkdir_mode=
fi
posix_mkdir=false
case $umask in
*[123567][0-7][0-7])
# POSIX mkdir -p sets u+wx bits regardless of umask, which
# is incompatible with FreeBSD 'install' when (umask & 300) != 0.
;;
*)
# $RANDOM is not portable (e.g. dash); use it when possible to
# lower collision chance
tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0
# As "mkdir -p" follows symlinks and we work in /tmp possibly; so
# create the $tmpdir first (and fail if unsuccessful) to make sure
# that nobody tries to guess the $tmpdir name.
if (umask $mkdir_umask &&
$mkdirprog $mkdir_mode "$tmpdir" &&
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
then
if test -z "$dir_arg" || {
# Check for POSIX incompatibilities with -m.
# HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
# other-writable bit of parent directory when it shouldn't.
# FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
test_tmpdir="$tmpdir/a"
ls_ld_tmpdir=`ls -ld "$test_tmpdir"`
case $ls_ld_tmpdir in
d????-?r-*) different_mode=700;;
d????-?--*) different_mode=755;;
*) false;;
esac &&
$mkdirprog -m$different_mode -p -- "$test_tmpdir" && {
ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"`
test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
}
}
then posix_mkdir=:
fi
rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir"
else
# Remove any dirs left behind by ancient mkdir implementations.
rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null
fi
trap '' 0;;
esac;;
esac
if
$posix_mkdir && (
umask $mkdir_umask &&
$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir"
)
then :
else
# The umask is ridiculous, or mkdir does not conform to POSIX,
# or it failed possibly due to a race condition. Create the
# directory the slow way, step by step, checking for races as we go.
case $dstdir in
/*) prefix='/';;
[-=\(\)!]*) prefix='./';;
*) prefix='';;
esac
oIFS=$IFS
IFS=/
set -f
set fnord $dstdir
shift
set +f
IFS=$oIFS
prefixes=
for d
do
test X"$d" = X && continue
prefix=$prefix$d
if test -d "$prefix"; then
prefixes=
else
if $posix_mkdir; then
(umask=$mkdir_umask &&
$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
# Don't fail if two instances are running concurrently.
test -d "$prefix" || exit 1
else
case $prefix in
*\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;;
*) qprefix=$prefix;;
esac
prefixes="$prefixes '$qprefix'"
fi
fi
prefix=$prefix/
done
if test -n "$prefixes"; then
# Don't fail if two instances are running concurrently.
(umask $mkdir_umask &&
eval "\$doit_exec \$mkdirprog $prefixes") ||
test -d "$dstdir" || exit 1
obsolete_mkdir_used=true
fi
fi
fi
if test -n "$dir_arg"; then
{ test -z "$chowncmd" || $doit $chowncmd "$dst"; } &&
{ test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } &&
{ test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false ||
test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1
else
# Make a couple of temp file names in the proper directory.
dsttmp=$dstdir/_inst.$$_
rmtmp=$dstdir/_rm.$$_
# Trap to clean up those temp files at exit.
trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
# Copy the file name to the temp name.
(umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") &&
# and set any options; do chmod last to preserve setuid bits.
#
# If any of these fail, we abort the whole thing. If we want to
# ignore errors from any of these, just make sure not to ignore
# errors from the above "$doit $cpprog $src $dsttmp" command.
#
{ test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } &&
{ test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } &&
{ test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } &&
{ test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } &&
# If -C, don't bother to copy if it wouldn't change the file.
if $copy_on_change &&
old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` &&
new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` &&
set -f &&
set X $old && old=:$2:$4:$5:$6 &&
set X $new && new=:$2:$4:$5:$6 &&
set +f &&
test "$old" = "$new" &&
$cmpprog "$dst" "$dsttmp" >/dev/null 2>&1
then
rm -f "$dsttmp"
else
# Rename the file to the real destination.
$doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null ||
# The rename failed, perhaps because mv can't rename something else
# to itself, or perhaps because mv is so ancient that it does not
# support -f.
{
# Now remove or move aside any old file at destination location.
# We try this two ways since rm can't unlink itself on some
# systems and the destination file might be busy for other
# reasons. In this case, the final cleanup might fail but the new
# file should still install successfully.
{
test ! -f "$dst" ||
$doit $rmcmd -f "$dst" 2>/dev/null ||
{ $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
{ $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }
} ||
{ echo "$0: cannot unlink or rename $dst" >&2
(exit 1); exit 1
}
} &&
# Now rename the file to the real destination.
$doit $mvcmd "$dsttmp" "$dst"
}
fi || exit 1
trap '' 0
fi
done
# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:

11156
auto/ltmain.sh Normal file
View File

File diff suppressed because it is too large Load Diff

215
auto/missing Executable file
View File

@ -0,0 +1,215 @@
#! /bin/sh
# Common wrapper for a few potentially missing GNU programs.
scriptversion=2013-10-28.13; # UTC
# Copyright (C) 1996-2014 Free Software Foundation, Inc.
# Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
if test $# -eq 0; then
echo 1>&2 "Try '$0 --help' for more information"
exit 1
fi
case $1 in
--is-lightweight)
# Used by our autoconf macros to check whether the available missing
# script is modern enough.
exit 0
;;
--run)
# Back-compat with the calling convention used by older automake.
shift
;;
-h|--h|--he|--hel|--help)
echo "\
$0 [OPTION]... PROGRAM [ARGUMENT]...
Run 'PROGRAM [ARGUMENT]...', returning a proper advice when this fails due
to PROGRAM being missing or too old.
Options:
-h, --help display this help and exit
-v, --version output version information and exit
Supported PROGRAM values:
aclocal autoconf autoheader autom4te automake makeinfo
bison yacc flex lex help2man
Version suffixes to PROGRAM as well as the prefixes 'gnu-', 'gnu', and
'g' are ignored when checking the name.
Send bug reports to <bug-automake@gnu.org>."
exit $?
;;
-v|--v|--ve|--ver|--vers|--versi|--versio|--version)
echo "missing $scriptversion (GNU Automake)"
exit $?
;;
-*)
echo 1>&2 "$0: unknown '$1' option"
echo 1>&2 "Try '$0 --help' for more information"
exit 1
;;
esac
# Run the given program, remember its exit status.
"$@"; st=$?
# If it succeeded, we are done.
test $st -eq 0 && exit 0
# Also exit now if we it failed (or wasn't found), and '--version' was
# passed; such an option is passed most likely to detect whether the
# program is present and works.
case $2 in --version|--help) exit $st;; esac
# Exit code 63 means version mismatch. This often happens when the user
# tries to use an ancient version of a tool on a file that requires a
# minimum version.
if test $st -eq 63; then
msg="probably too old"
elif test $st -eq 127; then
# Program was missing.
msg="missing on your system"
else
# Program was found and executed, but failed. Give up.
exit $st
fi
perl_URL=http://www.perl.org/
flex_URL=http://flex.sourceforge.net/
gnu_software_URL=http://www.gnu.org/software
program_details ()
{
case $1 in
aclocal|automake)
echo "The '$1' program is part of the GNU Automake package:"
echo "<$gnu_software_URL/automake>"
echo "It also requires GNU Autoconf, GNU m4 and Perl in order to run:"
echo "<$gnu_software_URL/autoconf>"
echo "<$gnu_software_URL/m4/>"
echo "<$perl_URL>"
;;
autoconf|autom4te|autoheader)
echo "The '$1' program is part of the GNU Autoconf package:"
echo "<$gnu_software_URL/autoconf/>"
echo "It also requires GNU m4 and Perl in order to run:"
echo "<$gnu_software_URL/m4/>"
echo "<$perl_URL>"
;;
esac
}
give_advice ()
{
# Normalize program name to check for.
normalized_program=`echo "$1" | sed '
s/^gnu-//; t
s/^gnu//; t
s/^g//; t'`
printf '%s\n' "'$1' is $msg."
configure_deps="'configure.ac' or m4 files included by 'configure.ac'"
case $normalized_program in
autoconf*)
echo "You should only need it if you modified 'configure.ac',"
echo "or m4 files included by it."
program_details 'autoconf'
;;
autoheader*)
echo "You should only need it if you modified 'acconfig.h' or"
echo "$configure_deps."
program_details 'autoheader'
;;
automake*)
echo "You should only need it if you modified 'Makefile.am' or"
echo "$configure_deps."
program_details 'automake'
;;
aclocal*)
echo "You should only need it if you modified 'acinclude.m4' or"
echo "$configure_deps."
program_details 'aclocal'
;;
autom4te*)
echo "You might have modified some maintainer files that require"
echo "the 'autom4te' program to be rebuilt."
program_details 'autom4te'
;;
bison*|yacc*)
echo "You should only need it if you modified a '.y' file."
echo "You may want to install the GNU Bison package:"
echo "<$gnu_software_URL/bison/>"
;;
lex*|flex*)
echo "You should only need it if you modified a '.l' file."
echo "You may want to install the Fast Lexical Analyzer package:"
echo "<$flex_URL>"
;;
help2man*)
echo "You should only need it if you modified a dependency" \
"of a man page."
echo "You may want to install the GNU Help2man package:"
echo "<$gnu_software_URL/help2man/>"
;;
makeinfo*)
echo "You should only need it if you modified a '.texi' file, or"
echo "any other file indirectly affecting the aspect of the manual."
echo "You might want to install the Texinfo package:"
echo "<$gnu_software_URL/texinfo/>"
echo "The spurious makeinfo call might also be the consequence of"
echo "using a buggy 'make' (AIX, DU, IRIX), in which case you might"
echo "want to install GNU make:"
echo "<$gnu_software_URL/make/>"
;;
*)
echo "You might have modified some files without having the proper"
echo "tools for further handling them. Check the 'README' file, it"
echo "often tells you about the needed prerequisites for installing"
echo "this package. You may also peek at any GNU archive site, in"
echo "case some other package contains this missing '$1' program."
;;
esac
}
give_advice "$1" | sed -e '1s/^/WARNING: /' \
-e '2,$s/^/ /' >&2
# Propagate the correct exit status (expected to be 127 for a program
# not found, 63 for a program that failed due to version mismatch).
exit $st
# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:

25
build-android.sh Executable file
View File

@ -0,0 +1,25 @@
#!/bin/sh
set -ev
VERSION=5.44
DST=stunnel-$VERSION-android
# to build OpenSSL:
# ./Configure threads no-shared no-dso --cross-compile-prefix=arm-linux-androideabi- --prefix=/opt/androideabi/sysroot linux-armv4
# make install
test -f Makefile && make distclean
mkdir -p bin/android
cd bin/android
../../configure --with-sysroot --build=i686-pc-linux-gnu --host=arm-linux-androideabi --prefix=/data/local
make clean
make
cd ../..
mkdir $DST
cp bin/android/src/stunnel $DST
# arm-linux-androideabi-strip $DST/stunnel $DST/openssl
# cp /opt/androideabi/sysroot/bin/openssl $DST
# arm-linux-androideabi-strip $DST/openssl
zip -r $DST.zip $DST
rm -rf $DST
# sha256sum $DST.zip
# mv $DST.zip ../dist/

18648
configure vendored Executable file
View File

File diff suppressed because it is too large Load Diff

469
configure.ac Normal file
View File

@ -0,0 +1,469 @@
# Process this file with autoconf to produce a configure script.
AC_INIT([stunnel],[5.44])
AC_MSG_NOTICE([**************************************** initialization])
AC_CONFIG_AUX_DIR(auto)
AC_CONFIG_MACRO_DIR([m4])
AC_CONFIG_HEADERS([src/config.h])
AC_CONFIG_SRCDIR([src/stunnel.c])
AM_INIT_AUTOMAKE
AM_CONDITIONAL([AUTHOR_TESTS], [test -d ".git"])
AC_CANONICAL_HOST
AC_SUBST([host])
AC_DEFINE_UNQUOTED([HOST], ["$host"], [Host description])
define([esc], [`echo ]$1[ | tr abcdefghijklmnopqrstuvwxyz.- ABCDEFGHIJKLMNOPQRSTUVWXYZ__ | tr -dc ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_`])
AC_DEFINE_UNQUOTED(esc(CPU_$host_cpu))
AC_DEFINE_UNQUOTED(esc(VENDOR_$host_vendor))
AC_DEFINE_UNQUOTED(esc(OS_$host_os))
case "$host_os" in
*darwin*)
# OSX does not declare ucontext without _XOPEN_SOURCE
AC_DEFINE([_XOPEN_SOURCE], [500], [Use X/Open 5 with POSIX 1995])
# OSX does not declare chroot() without _DARWIN_C_SOURCE
AC_DEFINE([_DARWIN_C_SOURCE], [1], [Use Darwin source])
;;
*)
AC_DEFINE([_GNU_SOURCE], [1], [Use GNU source])
;;
esac
AC_PROG_CC
AM_PROG_CC_C_O
AC_PROG_INSTALL
AC_PROG_MAKE_SET
# silent build by default
ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
AC_MSG_NOTICE([**************************************** thread model])
# thread detection should be done first, as it may change the CC variable
AC_ARG_WITH(threads,
[ --with-threads=model select threading model (ucontext/pthread/fork)],
[
case "$withval" in
ucontext)
AC_MSG_NOTICE([UCONTEXT mode selected])
AC_DEFINE([USE_UCONTEXT], [1], [Define to 1 to select UCONTEXT mode])
;;
pthread)
AC_MSG_NOTICE([PTHREAD mode selected])
AX_PTHREAD()
LIBS="$PTHREAD_LIBS $LIBS"
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
CC="$PTHREAD_CC"
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
;;
fork)
AC_MSG_NOTICE([FORK mode selected])
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
;;
*)
AC_MSG_ERROR([Unknown thread model \"${withval}\"])
;;
esac
], [
# do not attempt to autodetect UCONTEXT threading
AX_PTHREAD([
AC_MSG_NOTICE([PTHREAD thread model detected])
LIBS="$PTHREAD_LIBS $LIBS"
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
CC="$PTHREAD_CC"
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
], [
AC_MSG_NOTICE([FORK thread model detected])
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
])
])
AC_MSG_NOTICE([**************************************** compiler/linker flags])
if test "$GCC" = yes; then
AX_APPEND_COMPILE_FLAGS([-Wall])
AX_APPEND_COMPILE_FLAGS([-Wextra])
AX_APPEND_COMPILE_FLAGS([-Wpedantic])
AX_APPEND_COMPILE_FLAGS([-Wformat=2])
AX_APPEND_COMPILE_FLAGS([-Wconversion])
AX_APPEND_COMPILE_FLAGS([-Wno-long-long])
AX_APPEND_COMPILE_FLAGS([-Wno-deprecated-declarations])
AX_APPEND_COMPILE_FLAGS([-fPIE])
case "${host}" in
avr-*.* | powerpc-*-aix* | rl78-*.* | visium-*.*)
;;
*)
AX_APPEND_COMPILE_FLAGS([-fstack-protector])
;;
esac
AX_APPEND_LINK_FLAGS([-fPIE -pie])
AX_APPEND_LINK_FLAGS([-Wl,-z,relro])
AX_APPEND_LINK_FLAGS([-Wl,-z,now])
AX_APPEND_LINK_FLAGS([-Wl,-z,noexecstack])
fi
AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2])
AC_MSG_NOTICE([**************************************** libtool])
LT_INIT([disable-static])
AC_SUBST([LIBTOOL_DEPS])
AC_MSG_NOTICE([**************************************** types])
AC_TYPE_INT8_T
AC_TYPE_INT16_T
AC_TYPE_INT32_T
AC_TYPE_INT64_T
AC_TYPE_UINT8_T
AC_TYPE_UINT16_T
AC_TYPE_UINT32_T
AC_TYPE_UINT64_T
AC_TYPE_SIZE_T
AC_TYPE_SSIZE_T
AC_TYPE_UID_T
AC_MSG_CHECKING([for socklen_t])
AC_EGREP_HEADER(socklen_t, sys/socket.h,
AC_MSG_RESULT([yes]),
AC_MSG_RESULT([no (defined as int)])
AC_DEFINE([socklen_t], [int], [Type of socklen_t]))
AC_CHECK_TYPES([struct sockaddr_un], [], [], [#include <sys/un.h>])
AC_CHECK_TYPES([struct addrinfo], [], [], [#include <netdb.h>])
AC_MSG_NOTICE([**************************************** PTY device files])
if test "x$cross_compiling" = "xno"; then
AC_CHECK_FILE("/dev/ptmx", AC_DEFINE([HAVE_DEV_PTMX], [1],
[Define to 1 if you have '/dev/ptmx' device.]))
AC_CHECK_FILE("/dev/ptc", AC_DEFINE([HAVE_DEV_PTS_AND_PTC], [1],
[Define to 1 if you have '/dev/ptc' device.]))
else
AC_MSG_WARN([cross-compilation: assuming /dev/ptmx and /dev/ptc are not available])
fi
AC_MSG_NOTICE([**************************************** entropy sources])
if test "x$cross_compiling" = "xno"; then
AC_ARG_WITH(egd-socket,
[ --with-egd-socket=FILE Entropy Gathering Daemon socket path],
[EGD_SOCKET="$withval"]
)
if test -n "$EGD_SOCKET"; then
AC_DEFINE_UNQUOTED([EGD_SOCKET], ["$EGD_SOCKET"],
[Entropy Gathering Daemon socket path])
fi
# Check for user-specified random device
AC_ARG_WITH(random,
[ --with-random=FILE read randomness from file (default=/dev/urandom)],
[RANDOM_FILE="$withval"],
[
# Check for random device
AC_CHECK_FILE("/dev/urandom", RANDOM_FILE="/dev/urandom")
]
)
if test -n "$RANDOM_FILE"; then
AC_SUBST([RANDOM_FILE])
AC_DEFINE_UNQUOTED([RANDOM_FILE], ["$RANDOM_FILE"], [Random file path])
fi
else
AC_MSG_WARN([cross-compilation: assuming entropy sources are not available])
fi
AC_MSG_NOTICE([**************************************** default group])
DEFAULT_GROUP=nobody
if test "x$cross_compiling" = "xno"; then
grep '^nogroup:' /etc/group >/dev/null && DEFAULT_GROUP=nogroup
else
AC_MSG_WARN([cross-compilation: assuming nogroup is not available])
fi
AC_MSG_CHECKING([for default group])
AC_MSG_RESULT([$DEFAULT_GROUP])
AC_SUBST([DEFAULT_GROUP])
AC_SYS_LARGEFILE
AC_MSG_NOTICE([**************************************** header files])
# AC_HEADER_DIRENT
# AC_HEADER_STDC
# AC_HEADER_SYS_WAIT
AC_CHECK_HEADERS([stdint.h inttypes.h malloc.h ucontext.h pthread.h poll.h \
tcpd.h stropts.h grp.h unistd.h util.h libutil.h pty.h limits.h])
AC_CHECK_HEADERS([sys/types.h sys/select.h sys/poll.h sys/socket.h sys/un.h \
sys/ioctl.h sys/filio.h sys/resource.h sys/uio.h sys/syscall.h])
AC_CHECK_HEADERS([linux/sched.h])
AC_CHECK_MEMBERS([struct msghdr.msg_control],
[AC_DEFINE([HAVE_MSGHDR_MSG_CONTROL], [1],
[Define to 1 if you have 'msghdr.msg_control' structure.])], [], [
AC_INCLUDES_DEFAULT
#include <sys/socket.h>
])
AC_CHECK_HEADERS([linux/netfilter_ipv4.h], , ,
[
#include <limits.h>
#include <linux/types.h>
#include <sys/socket.h>
#include <netdb.h>
])
AC_MSG_NOTICE([**************************************** libraries])
# Checks for standard libraries
AC_SEARCH_LIBS([gethostbyname], [nsl])
AC_SEARCH_LIBS([yp_get_default_domain], [nsl])
AC_SEARCH_LIBS([socket], [socket])
AC_SEARCH_LIBS([openpty], [util])
# Checks for dynamic loader needed by OpenSSL
AC_SEARCH_LIBS([dlopen], [dl])
AC_SEARCH_LIBS([shl_load], [dld])
# Add BeOS libraries
if test "x$host_os" = "xbeos"; then
LIBS="$LIBS -lbe -lroot -lbind"
fi
AC_MSG_NOTICE([**************************************** library functions])
# safe string operations
AC_CHECK_FUNCS(snprintf vsnprintf)
# pseudoterminal
AC_CHECK_FUNCS(openpty _getpty)
# Unix
AC_CHECK_FUNCS(daemon waitpid wait4 setsid setgroups chroot realpath)
# limits
AC_CHECK_FUNCS(sysconf getrlimit)
# threads/reentrant functions
AC_CHECK_FUNCS(pthread_sigmask localtime_r)
# threads
AC_CHECK_FUNCS(getcontext __makecontext_v2)
# sockets
AC_CHECK_FUNCS(poll gethostbyname2 endhostent getnameinfo)
AC_MSG_CHECKING([for getaddrinfo])
case "$host_os" in
*androideabi*)
# http://stackoverflow.com/questions/7818246/segmentation-fault-in-getaddrinfo
AC_MSG_RESULT([no (buggy Android implementation)])
;;
*)
# Tru64 UNIX has getaddrinfo() but has it renamed in libc as
# something else so we must include <netdb.h> to get the
# redefinition.
AC_LINK_IFELSE(
[AC_LANG_PROGRAM(
[
AC_INCLUDES_DEFAULT
#include <sys/socket.h>
#include <netdb.h>
],
[
getaddrinfo(NULL, NULL, NULL, NULL);
],)],
[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_GETADDRINFO], [1], [Define to 1 if you have 'getaddrinfo' function.])],
[AC_MSG_RESULT([no])])
;;
esac
# poll() is not recommended on Mac OS X <= 10.3 and broken on Mac OS X 10.4
AC_MSG_CHECKING([for broken poll() implementation])
case "$host_os" in
darwin[0-8].*)
AC_MSG_RESULT([yes (poll() disabled)])
AC_DEFINE([BROKEN_POLL], [1], [Define to 1 if you have a broken 'poll' implementation.])
;;
*)
AC_MSG_RESULT([no])
;;
esac
# GNU extensions
AC_CHECK_FUNCS(pipe2 accept4)
AC_MSG_NOTICE([**************************************** optional features])
# Use IPv6?
AC_MSG_CHECKING([whether to enable IPv6 support])
AC_ARG_ENABLE(ipv6,
[ --disable-ipv6 disable IPv6 support],
[
case "$enableval" in
yes) AC_MSG_RESULT([yes])
AC_DEFINE([USE_IPv6], [1],
[Define to 1 to enable IPv6 support])
;;
no) AC_MSG_RESULT([no])
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([bad value \"${enableval}\"])
;;
esac
], [
AC_MSG_RESULT([yes (default)])
AC_DEFINE([USE_IPv6], [1], [Define to 1 to enable IPv6 support])
], [
AC_MSG_RESULT([no])
]
)
# FIPS Mode
AC_MSG_CHECKING([whether to enable FIPS support])
AC_ARG_ENABLE(fips,
[ --disable-fips disable OpenSSL FIPS support],
[
case "$enableval" in
yes) AC_MSG_RESULT([no])
use_fips="yes"
AC_DEFINE([USE_FIPS], [1],
[Define to 1 to enable OpenSSL FIPS support])
;;
no) AC_MSG_RESULT([no])
use_fips="no"
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([bad value \"${enableval}\"])
;;
esac
],
[
use_fips="auto"
AC_MSG_RESULT([autodetecting])
]
)
# Disable systemd socket activation support
AC_MSG_CHECKING([whether to enable systemd socket activation support])
AC_ARG_ENABLE(systemd,
[ --disable-systemd disable systemd socket activation support],
[
case "$enableval" in
yes) AC_MSG_RESULT([yes])
AC_SEARCH_LIBS([sd_listen_fds], [systemd systemd-daemon])
AC_DEFINE([USE_SYSTEMD], [1],
[Define to 1 to enable systemd socket activation])
;;
no) AC_MSG_RESULT([no])
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([Bad value \"${enableval}\"])
;;
esac
],
[
AC_MSG_RESULT([autodetecting])
# the library name has changed to -lsystemd in systemd 209
AC_SEARCH_LIBS([sd_listen_fds], [systemd systemd-daemon],
[ AC_CHECK_HEADERS([systemd/sd-daemon.h], [
AC_DEFINE([USE_SYSTEMD], [1],
[Define to 1 to enable systemd socket activation])
AC_MSG_NOTICE([systemd support enabled])
], [
AC_MSG_NOTICE([systemd header not found])
]) ], [
AC_MSG_NOTICE([systemd library not found])
])
]
)
# Disable use of libwrap (TCP wrappers)
# it should be the last check!
AC_MSG_CHECKING([whether to enable TCP wrappers support])
AC_ARG_ENABLE(libwrap,
[ --disable-libwrap disable TCP wrappers support],
[
case "$enableval" in
yes) AC_MSG_RESULT([yes])
AC_DEFINE([USE_LIBWRAP], [1],
[Define to 1 to enable TCP wrappers support])
LIBS="$LIBS -lwrap"
;;
no) AC_MSG_RESULT([no])
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([Bad value \"${enableval}\"])
;;
esac
],
[
AC_MSG_RESULT([autodetecting])
AC_MSG_CHECKING([for hosts_access in -lwrap])
valid_LIBS="$LIBS"
LIBS="$valid_LIBS -lwrap"
AC_LINK_IFELSE(
[
AC_LANG_PROGRAM(
[int hosts_access(); int allow_severity, deny_severity;],
[hosts_access()])
], [
AC_MSG_RESULT([yes]);
AC_DEFINE([USE_LIBWRAP], [1],
[Define to 1 to enable TCP wrappers support])
AC_MSG_NOTICE([libwrap support enabled])
], [
AC_MSG_RESULT([no])
LIBS="$valid_LIBS"
AC_MSG_NOTICE([libwrap library not found])
]
)
]
)
AC_MSG_NOTICE([**************************************** TLS])
AC_MSG_CHECKING([for compiler sysroot])
if test "x$GCC" = "xyes"; then
sysroot=`$CC --print-sysroot 2>/dev/null`
fi
if test -z "$sysroot" -o "x$sysroot" = "x/"; then
sysroot=""
AC_MSG_RESULT([/])
else
AC_MSG_RESULT([$sysroot])
fi
check_ssl_dir() { :
test -n "$1" -a -f "$1/include/openssl/ssl.h" && SSLDIR="$1"
}
find_ssl_dir() { :
stunnel_prefix="$prefix"
test "x$stunnel_prefix" = "xNONE" && stunnel_prefix=$ac_default_prefix
for main_dir in "$stunnel_prefix" "/usr/local" "/usr/lib" "/usr/pkg" "/opt/local" "/opt" "/opt/csw" "/usr" ""; do
for sub_dir in "/ssl" "/openssl" "/ossl" ""; do
check_ssl_dir "$sysroot$main_dir$sub_dir" && return
done
done
if test -x "/usr/bin/xcrun"; then
sdk_path=`/usr/bin/xcrun --sdk macosx --show-sdk-path`
check_ssl_dir "$sdk_path/usr" && return
fi
check_ssl_dir "/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-migrator/sdk/MacOSX.sdk/usr"
}
SSLDIR=""
AC_MSG_CHECKING([for TLS directory])
AC_ARG_WITH(ssl,
[ --with-ssl=DIR location of installed TLS libraries/include files],
[check_ssl_dir "$withval"],
[find_ssl_dir]
)
if test -z "$SSLDIR"; then
AC_MSG_RESULT([not found])
AC_MSG_ERROR([
Could not find your TLS library installation dir
Use --with-ssl option to fix this problem
])
fi
AC_MSG_RESULT([$SSLDIR])
AC_SUBST([SSLDIR])
AC_DEFINE_UNQUOTED([SSLDIR], ["$SSLDIR"], [TLS directory])
valid_CPPFLAGS="$CPPFLAGS"; CPPFLAGS="$CPPFLAGS -I$SSLDIR/include"
valid_LIBS="$LIBS"; LIBS="$LIBS -L$SSLDIR/lib64 -L$SSLDIR/lib -lssl -lcrypto"
if test "x$use_fips" = "xauto"; then
AC_CHECK_FUNCS(FIPS_mode_set, [
AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS support])
AC_MSG_NOTICE([FIPS support enabled])
], [
AC_MSG_NOTICE([FIPS support not found])
])
fi
CPPFLAGS="$valid_CPPFLAGS"
LIBS="$valid_LIBS"
AC_MSG_NOTICE([**************************************** write the results])
AC_CONFIG_FILES([Makefile src/Makefile doc/Makefile tools/Makefile tests/Makefile])
AC_OUTPUT
AC_MSG_NOTICE([**************************************** success])
# vim:ft=automake
# End of configure.ac

84
debian/README.Debian vendored Normal file
View File

@ -0,0 +1,84 @@
This is the Stunnel 4.x package for Debian.
* Upgrading from stunnel to stunnel4
Stunnel 3 has been deprecated from Debian. The new stunnel4 has a
different command line syntax and configuration. You will need to
update your scripts.
The wrapper script /usr/bin/stunnel3 understands stunnel3 command line
syntax and calls stunnel4 with appropriate options. It appears to
support every stunnel3 option *except* -S (which controls the defaults
used for certificate sources).
* Basic configuration
After installation, you should :
- edit /etc/stunnel/stunnel.conf
- edit /etc/default/stunnel and set ENABLE=1, if you want your
configured tunnels to start automatically on boot.
- generate a certificate for use with stunnel if you want to use server mode
Sergio Rua <srua@debian.org> made a perl front-end for the stunnel
configuration. It is very simple and only includes a couple of configuration
options. This script is located in
/usr/share/doc/stunnel4/contrib/StunnelConf-0.1.pl
It requires libgnome2-perl and libgtk2-perl.
* How to create SSL keys for stunnel
The certificates default directory is /etc/ssl/certs, so cd into that dir
and issue the command:
openssl req -new -x509 -nodes -days 365 -out stunnel.pem -keyout stunnel.pem
Fill in the info requested.
Change 'stunnel.pem' to the name of the certificate you need to
create. stunnel.pem will be used by default by stunnel, but you want
to create different certificates for different services you run with
stunnel. Make sure only root can read the file (or only the user that
needs to read it, if stunnel is run as that user):
chmod 600 stunnel.pem
Now you need to append the DH parameters to the certificate.
First you need to generate some amount of random data:
dd if=/dev/urandom of=temp_file count=2
Use /dev/random if you want a more secure source of data, but make
sure you have enough entropy on you system (the output file should be
at least 512 bytes long).
And now make openssl generate the DH parameters and append them to the
certificate file:
openssl dhparam -rand temp_file 512 >> stunnel.pem
You also want to link the certificate to its hash name so that openssl
can find it also by that means:
ln -sf stunnel.pem `openssl x509 -noout -hash < stunnel.pem`.0
Read the manual page for openssl for more info on the various options.
* FIPS
Since version 4.21 stunnel includes support for OpenSSL's FIPS mode. However,
using it requires stunnel to be compiled statically against OpenSSL and all
supporting libraries. Thus, this option is disabled in the Debian package.
See the OpenSSL FIPS User Guide at
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
and the OpenSSL notes about FIPS 140-2 at
https://www.openssl.org/docs/fips/fipsnotes.html
- Julien LEMOINE <speedblue@debian.org>, Sun, 19 Feb 2006 17:31:24 +0100
-- Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com>, Sat, 30 Oct 2007 14:50:54 z

477
debian/StunnelConf-0.1.pl vendored Normal file
View File

@ -0,0 +1,477 @@
#!/usr/bin/perl
# Copyright (C) 2004 Sergio Rua <srua@debian.org>
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
# 02111-1307, USA.
#
# On Debian GNU/Linux systems, the complete text of the GNU General
# Public License can be found in `/usr/share/common-licenses/GPL'.
use strict;
use Gtk2;
use Gnome2;
use Gtk2::SimpleList;
use constant TRUE => 1;
use constant FALSE => 0;
# Please configure if necessary!
my $cfgfile = "/etc/stunnel/stunnel.conf";
my $backup_cfg = 1;
my $base_cfg_dir = $cfgfile;$base_cfg_dir=~s/\/stunnel\.conf//g;
# global variables
my $ekey;
my $ecert;
my $verify;
my $app;
my $elog;
my $clientmode;
my $debuglevel;
my $capath;
my $list;
sub mydie
{
my ($msg)=@_;
print "$msg\n";
Gtk2->main_quit;
exit (-1);
}
sub sel_file
{
my ($title,$entry,$isfile)=@_;
my $fsel=Gtk2::FileSelection->new($title);
$fsel->ok_button->signal_connect("clicked",sub {
print "OK: ". $fsel->get_filename."\n";
$entry->set_text($fsel->get_filename);
$fsel->destroy;
});
$fsel->cancel_button->signal_connect("clicked",sub { $fsel->destroy; });
$fsel->show;
}
sub add_connection
{
my $win = new Gtk2::Window("toplevel");
$win->set_position("center");
my $vbox = new Gtk2::VBox( 0, 2 );
$win->add($vbox);
$vbox->show;
my $druid = new Gnome2::Druid;
$druid->signal_connect("cancel", sub { $win->destroy; } );
$vbox->pack_start($druid,0,0,0);
my $druid_start = new Gnome2::DruidPageEdge("GNOME_EDGE_START");
$druid_start->set_title("Connections setup");
$druid_start->set_text("Please follow this configuration wizard to ".
"configure your connections\n");
# $druid_start->set_watermark($logo);
$druid_start->show;
$druid->append_page($druid_start);
# Second Step: accepting connections
my $druid_name = new Gnome2::DruidPageStandard();
$druid_name->set_title("Connection name");
my $dvbox=new Gtk2::VBox(2,2);
my $dtable=new Gtk2::Table(2,2,FALSE);
$dvbox->pack_start($dtable,FALSE,FALSE,0);
my $label=new Gtk2::Label("Enter this connection name");
$dtable->attach($label,0,1,0,1,["fill"],["fill"],0,0);
my $ename=new Gtk2::Entry();
$dtable->attach($ename,1,2,0,1,["fill"],["fill"],0,0);
$druid_name->append_item("",$dvbox,"");
$druid_name->show_all;
# add page to the druid
$druid->append_page($druid_name);
# Second Step: accepting connections
my $druid_accept = new Gnome2::DruidPageStandard();
$druid_accept->set_title("Accepting connections");
my $dvbox=new Gtk2::VBox(2,2);
my $dtable=new Gtk2::Table(2,2,FALSE);
$dvbox->pack_start($dtable,FALSE,FALSE,0);
my $accept_error=new Gtk2::Label("");
$dtable->attach($accept_error,0,1,0,1,["fill"],["fill"],0,0);
my $label=new Gtk2::Label("IP or hostname");
$dtable->attach($label,0,1,1,2,["fill"],["fill"],0,0);
my $eip=new Gtk2::Entry();
$dtable->attach($eip,1,2,1,2,["fill"],["fill"],0,0);
my $label=new Gtk2::Label("Port number");
$dtable->attach($label,0,1,2,3,["fill"],["fill"],0,0);
my $eport=new Gtk2::Entry();
$dtable->attach($eport,1,2,2,3,["fill"],["fill"],0,0);
$druid_accept->append_item("",$dvbox,"");
$druid_accept->show_all;
# add page to the druid
$druid->append_page($druid_accept);
# Third Step: connecting to...
my $druid_connect = new Gnome2::DruidPageStandard();
$druid_connect->set_title("Connection To...");
my $dvbox=new Gtk2::VBox(2,2);
my $dtable=new Gtk2::Table(2,2,FALSE);
$dvbox->pack_start($dtable,FALSE,FALSE,0);
my $label=new Gtk2::Label("IP or hostname");
$dtable->attach($label,0,1,0,1,["fill"],["fill"],0,0);
my $etoip=new Gtk2::Entry();
$dtable->attach($etoip,1,2,0,1,["fill"],["fill"],0,0);
my $label=new Gtk2::Label("Port number");
$dtable->attach($label,0,1,1,2,["fill"],["fill"],0,0);
my $etoport=new Gtk2::Entry();
$dtable->attach($etoport,1,2,1,2,["fill"],["fill"],0,0);
$druid_connect->append_item("",$dvbox,"");
$druid_connect->show_all;
# add page to the druid
$druid->append_page($druid_connect);
# Finishing and adding connection
my $druid_finish = new Gnome2::DruidPageEdge("GNOME_EDGE_FINISH");
$druid_finish->set_title("Configuration Finished.");
$druid_finish->set_text("The configuration has been finished. Click to either save or cancel");
# $druid_finish->set_logo($logo2);
$druid_finish->signal_connect("finish", sub {
my $acip=$eip->get_text();
my $acport=$eport->get_text();
my $coip=$etoip->get_text();
my $coport=$etoport->get_text();
my $dslist = $list->{data};
push @$dslist, [ $ename->get_text(), $acip.":".$acport, $coip.":".$coport ];
$win->destroy;
});
$druid_finish->show;
$druid->append_page($druid_finish);
$druid->show;
$win->show;
}
sub load_config_file
{
my $con=$list->{data};
my $name="";
my $accept="";
my $connect="";
if (! -s $cfgfile) {
print "Config file not found. Starting from scratch!\n";
return (0);
}
open F, "<$cfgfile" or die "$cfgfile: $!\n";
while (<F>) {
$_=~s/\n//g;
if ($_=~/^cert.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$ecert->set_text($value);
} elsif ($_=~/^key.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$ekey->set_text($value);
} elsif ($_=~/^verify.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
if ($value==1) {
$verify->entry->set_text("verify peer certificate if present");
} elsif ($value==2) {
$verify->entry->set_text("verify peer certificate");
} elsif ($value==3) {
$verify->entry->set_text("verify peer with locally installed certificate");
} else {
$verify->entry->set_text("no verify");
}
} elsif ($_=~/^client.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$clientmode->entry->set_text($value);
} elsif ($_=~/^(capath|CApath).*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$capath->set_text($value);
} elsif ($_=~/^debug.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$debuglevel->entry->set_text($value);
} elsif ($_=~/^output.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$elog->set_text($value);
} elsif ($_=~/^\[.*/) {
$_=~s/\[//g;
$_=~s/\]//g;
$name=$_;
} elsif ($_=~/^accept.*=.*/) {
(undef,$accept) = split "=",$_;
$accept=~s/(\ |\t)//g;
} elsif ($_=~/^connect.*=.*/) {
(undef,$connect) = split "=",$_;
$connect=~s/(\ |\t)//g;
}
# load connection
if (($accept) && ($name) && ($connect)) {
push @$con, [ $name, $accept, $connect ];
$name=$connect=$accept="";
}
}
close F;
}
sub save_config_file
{
if ($backup_cfg) {
chdir ($base_cfg_dir);
rename($cfgfile,$cfgfile.".$$") or
print "Error at \n$cfgfile: $!\nNo backup made!\n";
}
open O, ">$cfgfile" or
mydie "Cannot open config file: $!\n";
print "Saving $cfgfile\n\n\n";
print O "# Configuration file created by \"stunnelconf\" by ".
"Sergio Rua <srua\@debian.org>\n\n";
if ($ekey->get_text()) {
print O "key = ".$ekey->get_text()."\n";
}
if ($ecert->get_text()) {
print O "cert = ".$ecert->get_text()."\n";
}
print O "verify = ".$verify->entry->get_text()."\n";
print O "output = ".$elog->get_text()."\n";
print O "client = ".$clientmode->entry->get_text()."\n";
print O "debug = ".$debuglevel->entry->get_text()."\n";
print O "CApath = ".$capath->get_text()."\n";
print O "\n\n"; # just some spaces
my @rowref = @{$list->{data}};
my $i=0;
for $i (0 .. $#rowref) {
print O "[".$rowref[$i][0] . "]\n";
# if no hostname, ugly ":" to be removed
$rowref[$i][1]=~s/^://g;
$rowref[$i][2]=~s/^://g;
print O "accept = ".$rowref[$i][1] . "\n";
print O "connect = ".$rowref[$i][2] . "\n";
print O "\n"; # just some spaces
}
close O;
Gtk2->main_quit;
return 0;
}
sub create_main_win
{
$app = Gnome2::App->new ("stunnel-conf");
$app->set_default_size(470,410);
$app->signal_connect( 'destroy' => sub { Gtk2->main_quit; } );
$app->set_title("Stunnel Configuration");
my $vbox=Gtk2::VBox->new(FALSE,0);
my $frame=Gtk2::Frame->new("Common options");
$vbox->pack_start($frame,TRUE, TRUE, 0);
my $table=Gtk2::Table->new(6, 2, FALSE);
$frame->add($table);
my $label0=Gtk2::Label->new("Private Key");
$table->attach($label0,0,1,0,1,["fill"],["fill"],0,0);
my $label1=Gtk2::Label->new("Certificate");
$table->attach($label1,0,1,1,2,["fill"],["fill"],0,0);
my $label2=Gtk2::Label->new("Verify level");
$table->attach($label2,0,1,2,3,["fill"],["fill"],0,0);
my $label3=Gtk2::Label->new("Log output");
$table->attach($label3,0,1,3,4,["fill"],["fill"],0,0);
my $label4=Gtk2::Label->new("Client mode");
$table->attach($label4,0,1,4,5,["fill"],["fill"],0,0);
my $label5=Gtk2::Label->new("Debug level");
$table->attach($label5,0,1,5,6,["fill"],["fill"],0,0);
my $label6=Gtk2::Label->new("Certificates path");
$table->attach($label6,0,1,6,7,["fill"],["fill"],0,0);
# Private Key
my $hbox0=Gtk2::HBox->new(FALSE,0);
$table->attach($hbox0,1,2,0,1,["fill"],["fill"],0,0);
$ekey=Gtk2::Entry->new();
$hbox0->pack_start($ekey,TRUE,TRUE,0);
my $bkey=Gtk2::Button->new_from_stock("gtk-open");
$bkey->signal_connect("clicked",sub {
sel_file("Select private key",$ekey);
});
$hbox0->pack_start($bkey,FALSE,FALSE,0);
# Certificate
my $hbox1=Gtk2::HBox->new(FALSE,0);
$table->attach($hbox1,1,2,1,2,["fill"],["fill"],0,0);
$ecert=Gtk2::Entry->new();
$hbox1->pack_start($ecert,TRUE,TRUE,0);
my $bcert=Gtk2::Button->new_from_stock("gtk-open");
$bcert->signal_connect("clicked",sub {
sel_file("Select certificate",$ecert);
});
$hbox1->pack_start($bcert,FALSE,FALSE,0);
# Auth level - verify
$verify = Gtk2::Combo->new();
$verify->entry->set_text("no verify");
$verify->set_popdown_strings(("no verify",
"verify peer certificate if present",
"verify peer certificate",
"verify peer with locally installed certificate"));
$table->attach($verify,1,2,2,3,["fill"],["fill"],0,0);
# Log output
my $hbox2=Gtk2::HBox->new(FALSE,0);
$table->attach($hbox2,1,2,3,4,["fill"],["fill"],0,0);
$elog=Gtk2::Entry->new();
$hbox2->pack_start($elog,TRUE,TRUE,0);
my $blog=Gtk2::Button->new_from_stock("gtk-open");
$blog->signal_connect("clicked",sub {
sel_file("Select log file",$elog);
});
$hbox2->pack_start($blog,FALSE,FALSE,0);
# Client mode
$clientmode = Gtk2::Combo->new();
$clientmode->entry->set_text("no verify");
$clientmode->set_popdown_strings(("yes","no"));
$table->attach($clientmode,1,2,4,5,["fill"],["fill"],0,0);
# Debug level
$debuglevel = Gtk2::Combo->new();
$debuglevel->entry->set_text("no verify");
$debuglevel->set_popdown_strings(("0","1","5","7"));
$table->attach($debuglevel,1,2,5,6,["fill"],["fill"],0,0);
# CA path
my $hbox3=Gtk2::HBox->new(FALSE,0);
$table->attach($hbox3,1,2,6,7,["fill"],["fill"],0,0);
$capath=Gtk2::Entry->new();
$hbox3->pack_start($capath,TRUE,TRUE,0);
# my $bcapath=Gtk2::Button->new_from_stock("gtk-open");
# $bcapath->signal_connect("clicked",sub {
# sel_file("Select Certificates Path",$capath);
# });
# $hbox3->pack_start($bcapath,FALSE,FALSE,0);
# connections section
my $frame2=Gtk2::Frame->new("Connections");
$vbox->pack_start($frame2,TRUE, TRUE, 0);
my $hbox4=Gtk2::HBox->new(FALSE,0);
$list=Gtk2::SimpleList->new (
'Name' => 'text',
'Accept' => 'text',
'Connect' => 'text',
);
# $list->get_selection->set_mode ('multiple');
my $scwin = Gtk2::ScrolledWindow->new;
$scwin->set_policy (qw/automatic automatic/);
$scwin->add($list);
$hbox4->pack_start($scwin,TRUE,TRUE,0);
# list buttons
my $vbbox=Gtk2::VButtonBox->new();
$vbbox->set_layout('spread');
my $badd = Gtk2::Button->new_from_stock('gtk-add');
$badd->signal_connect( 'clicked' => sub { add_connection; } );
$vbbox->add($badd);
# my $bedit = Gtk2::Button->new_from_stock('gtk-properties');
# $bedit->signal_connect( 'clicked' => sub {
# print "Edit\n";
# } );
# $vbbox->add($bedit);
my $brem = Gtk2::Button->new_from_stock('gtk-remove');
$brem->signal_connect( 'clicked' => sub {
my @sel = $list->get_selected_indices;
print @sel;
foreach my $i (@sel) {
delete $list->{data}[$i];
}
} );
$vbbox->add($brem);
$hbox4->pack_start($vbbox,FALSE,FALSE,0);
# main buttons!!!
my $bbox=Gtk2::HButtonBox->new();
$bbox->set_layout('spread');
my $bok = Gtk2::Button->new_from_stock('gtk-ok');
$bok->signal_connect( 'clicked' => sub { save_config_file; } );
$bbox->add($bok);
my $bcancel = Gtk2::Button->new_from_stock('gtk-cancel');
$bcancel->signal_connect( 'clicked' => sub { Gtk2->main_quit;} );
$bbox->add($bcancel);
$vbox->pack_start($bbox,FALSE,FALSE,0);
$frame2->add($hbox4);
# App contents and show them
$app->set_contents($vbox);
$app->show_all;
}
#
# MAIN MAIN MAIN
#
#
Gnome2::Program->init ("stunnelconf", "0.1");
$app=create_main_win;
load_config_file;
Gtk2->main;
exit 0;

1324
debian/changelog vendored Normal file
View File

File diff suppressed because it is too large Load Diff

6
debian/clean vendored Normal file
View File

@ -0,0 +1,6 @@
build-stamp
debian/stunnel4.init
doc/stunnel.8
doc/stunnel.html
doc/stunnel4.8
doc/stunnel4.pl.8

1
debian/compat vendored Normal file
View File

@ -0,0 +1 @@
10

45
debian/control vendored Normal file
View File

@ -0,0 +1,45 @@
Source: stunnel4
Section: net
Priority: optional
Build-Depends:
debhelper (>= 10),
autoconf-archive,
libssl-dev,
libsystemd-dev [linux-any],
libwrap0-dev,
netcat-traditional,
openssl,
net-tools,
procps
Maintainer: Peter Pentchev <roam@ringlet.net>
Uploaders: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Standards-Version: 4.1.1
Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/stunnel.git
Vcs-Git: https://anonscm.debian.org/git/collab-maint/stunnel.git
Homepage: https://www.stunnel.org/
Rules-Requires-Root: no
Package: stunnel4
Architecture: any
Provides: stunnel
Depends:
${shlibs:Depends},
${misc:Depends},
${perl:Depends},
lsb-base,
netbase,
openssl
Pre-Depends: adduser
Suggests: logcheck-database
Description: Universal SSL tunnel for network daemons
The stunnel program is designed to work as SSL encryption
wrapper between remote client and local (inetd-startable) or
remote server. The concept is that having non-SSL aware daemons
running on your system you can easily setup them to
communicate with clients over secure SSL channel.
.
stunnel can be used to add SSL functionality to commonly
used inetd daemons like POP-2, POP-3 and IMAP servers
without any changes in the programs' code.
.
This package contains a wrapper script for compatibility with stunnel 3.x

59
debian/copyright vendored Normal file
View File

@ -0,0 +1,59 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: stunnel
Upstream-Contact: Michal Trojnara <Michal.Trojnara@stunnel.org>
Source: https://www.stunnel.org/downloads.html
License: GPL-2+-openssl
Files: *
Copyright:
(C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
(c) 2014 Mark Theunissen
License: GPL-2+-openssl
Files: src/stunnel3.in
Copyright: (C) 2004-2012 Michal Trojnara <Michal.Trojnara@stunnel.org>
License: GPL-2+
Files: debian/*
Copyright:
(C) 1998-2001 Paolo Molaro <lupus@debian.org>
(C) 2003-2007 Julien Lemoine <speedblue@debian.org>
(C) 2007-2012 Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
(C) 2013 Salvatore Bonaccorso <carnil@debian.org>
(C) 2014-2017 Peter Pentchev <roam@ringlet.net>
License: GPL-2+-openssl
License: GPL-2+-openssl
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
.
On Debian systems, the complete text of the GNU General Public License
can be found in file "/usr/share/common-licenses/GPL-2".
.
Linking stunnel statically or dynamically with other modules is making
a combined work based on stunnel. Thus, the terms and conditions of the
GNU General Public License cover the whole combination.
.
In addition, as a special exception, the copyright holder of stunnel gives you
permission to combine stunnel with free software programs or libraries that
are released under the GNU LGPL and with code included in the standard release
of OpenSSL under the OpenSSL License (or modified versions of such code, with
unchanged license). You may copy and distribute such a system following the
terms of the GNU GPL for stunnel and the licenses of the other code concerned.
.
Note that people who make modified versions of stunnel are not obligated to
grant this special exception for their modified versions; it is their choice
whether to do so. The GNU General Public License gives permission to release
a modified version without this exception; this exception also makes it
possible to release a modified version which carries forward this exception.
License: GPL-2+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
.
On Debian systems, the complete text of the GNU General Public License
can be found in file "/usr/share/common-licenses/GPL-2".

1
debian/dirs vendored Normal file
View File

@ -0,0 +1 @@
etc/stunnel

10
debian/doc-base vendored Normal file
View File

@ -0,0 +1,10 @@
Document: stunnel4
Title: Stunnel documentation
Author: Michal Trojnara
Abstract: This manual documents stunnel, a SSL-enhanced client and
server wrapper.
Section: System/Security
Format: HTML
Index: /usr/share/doc/stunnel4/stunnel.html
Files: /usr/share/doc/stunnel4/stunnel*.html

4
debian/docs vendored Normal file
View File

@ -0,0 +1,4 @@
BUGS
NEWS
README
TODO

38
debian/patches/01-fix-paths.patch vendored Normal file
View File

@ -0,0 +1,38 @@
Description: Update the installation directories.
Change @prefix@/... to @localstatedir@ or @sysconfdir@ as appropriate
to comply with the FHS
Forwarded: not-needed
Author: Paolo Molaro <lupus@debian.org>
Author: Julien Lemoine <speedblue@debian.org>
Author: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
Last-Update: 2016-07-06
--- a/tools/stunnel.conf-sample.in
+++ b/tools/stunnel.conf-sample.in
@@ -64,7 +64,7 @@
accept = 127.0.0.1:110
connect = pop.gmail.com:995
verifyChain = yes
-CApath = /etc/ssl/certs
+CApath = @sysconfdir/ssl/certs
checkHost = pop.gmail.com
OCSPaia = yes
@@ -73,7 +73,7 @@
accept = 127.0.0.1:143
connect = imap.gmail.com:993
verifyChain = yes
-CApath = /etc/ssl/certs
+CApath = @sysconfdir/ssl/certs
checkHost = imap.gmail.com
OCSPaia = yes
@@ -82,7 +82,7 @@
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
verifyChain = yes
-CApath = /etc/ssl/certs
+CApath = @sysconfdir/ssl/certs
checkHost = smtp.gmail.com
OCSPaia = yes

103
debian/patches/02-rename-binary.patch vendored Normal file
View File

@ -0,0 +1,103 @@
Description: Change references to the binary from stunnel to stunnel4
Forwarded: not-needed
Author: Julien Lemoine <speedblue@debian.org>
Author: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
Last-Update: 2017-09-23
--- a/src/stunnel3.in
+++ b/src/stunnel3.in
@@ -22,7 +22,7 @@
use Getopt::Std;
# Configuration - path to stunnel (version >=4.05)
-$stunnel_bin='@bindir@/stunnel';
+$stunnel_bin='@bindir@/stunnel4';
# stunnel3 script body begins here
($read_fd, $write_fd)=POSIX::pipe();
--- a/tools/stunnel.init.in
+++ b/tools/stunnel.init.in
@@ -1,6 +1,6 @@
#! /bin/sh -e
### BEGIN INIT INFO
-# Provides: stunnel
+# Provides: stunnel4
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Should-Start: $syslog
@@ -21,8 +21,8 @@
. /lib/lsb/init-functions
-DEFAULTPIDFILE="/var/run/stunnel.pid"
-DAEMON=@bindir@/stunnel
+DEFAULTPIDFILE="/var/run/stunnel4.pid"
+DAEMON=@bindir@/stunnel4
NAME=stunnel
DESC="TLS tunnels"
OPTIONS=""
@@ -49,9 +49,9 @@
startdaemons() {
local res file args pidfile warn status
- if ! [ -d /var/run/stunnel ]; then
- rm -rf /var/run/stunnel
- install -d -o stunnel -g stunnel /var/run/stunnel
+ if ! [ -d /var/run/stunnel4 ]; then
+ rm -rf /var/run/stunnel4
+ install -d -o stunnel4 -g stunnel4 /var/run/stunnel4
fi
if [ -n "$RLIMITS" ]; then
ulimit $RLIMITS
@@ -141,9 +141,9 @@
OPTIONS="-- $OPTIONS"
fi
-[ -f @sysconfdir@/default/stunnel ] && . @sysconfdir@/default/stunnel
+[ -f @sysconfdir@/default/stunnel4 ] && . @sysconfdir@/default/stunnel4
if [ "$ENABLED" = "0" ] ; then
- echo "$DESC disabled, see @sysconfdir@/default/stunnel"
+ echo "$DESC disabled, see @sysconfdir@/default/stunnel4"
exit 0
fi
--- a/tools/script.sh
+++ b/tools/script.sh
@@ -2,7 +2,7 @@
REMOTE_HOST="www.mirt.net:443"
echo "client script connecting $REMOTE_HOST"
-/usr/local/bin/stunnel -fd 10 \
+/usr/bin/stunnel4 -fd 10 \
11<&0 <<EOT 10<&0 0<&11 11<&-
client=yes
connect=$REMOTE_HOST
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -15,11 +15,11 @@
.pod.in.8.in:
pod2man -u -n stunnel -s 8 -r $(VERSION) \
- -c "stunnel TLS Proxy" -d `date +%Y.%m.%d` $< $@
+ -c "stunnel4 TLS Proxy" -d `date +%Y.%m.%d` $< $@
.pod.in.html.in:
pod2html --index --backlink --header \
- --title "stunnel TLS Proxy" --infile=$< --outfile=$@
+ --title "stunnel4 TLS Proxy" --infile=$< --outfile=$@
rm -f pod2htmd.tmp pod2htmi.tmp
edit = sed \
--- a/doc/stunnel.pl.8.in
+++ b/doc/stunnel.pl.8.in
@@ -70,8 +70,8 @@
.rr rF
.\" ========================================================================
.\"
-.IX Title "stunnel 8"
-.TH stunnel 8 "2017.04.01" "5.42" "stunnel TLS Proxy"
+.IX Title "stunnel4 8"
+.TH stunnel 8 "2017.04.01" "5.42" "stunnel4 TLS Proxy"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l

19
debian/patches/03-runas-user.patch vendored Normal file
View File

@ -0,0 +1,19 @@
Description: Change the default user the binary will run as to stunnel4
Forwarded: not-needed
Author: Julien Lemoine <speedblue@debian.org>
Author: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
Last-Update: 2015-06-13
--- a/tools/stunnel.conf-sample.in
+++ b/tools/stunnel.conf-sample.in
@@ -8,8 +8,8 @@
; **************************************************************************
; It is recommended to drop root privileges if stunnel is started by root
-;setuid = nobody
-;setgid = @DEFAULT_GROUP@
+;setuid = stunnel4
+;setgid = stunnel4
; PID file is created inside the chroot jail (if enabled)
;pid = @localstatedir@/run/stunnel.pid

44
debian/patches/04-restore-pidfile-default.patch vendored Normal file
View File

@ -0,0 +1,44 @@
Description: Temporarily restore the pid file creation by default.
The init script will not be able to monitor the automatically-started
instances of stunnel if there is no pid file. For the present for the
upgrade from 4.53 the "create the pid file by default" behavior is
restored and the init script warns about configuration files that have
no "pid" setting. The intention is that in a future version the init
script will refuse to start stunnel for these configurations.
Forwarded: not-needed
Author: Peter Pentchev <roam@ringlet.net>
Bug-Debian: https://bugs.debian.org/744851
Last-Update: 2017-07-03
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -44,6 +44,7 @@
stunnel_CPPFLAGS += -I$(SSLDIR)/include
stunnel_CPPFLAGS += -DLIBDIR='"$(pkglibdir)"'
stunnel_CPPFLAGS += -DCONFDIR='"$(sysconfdir)/stunnel"'
+stunnel_CPPFLAGS += -DPIDFILE='"$(localstatedir)/run/stunnel4.pid"'
# TLS library
stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto
--- a/src/options.c
+++ b/src/options.c
@@ -917,7 +917,7 @@
#ifndef USE_WIN32
switch(cmd) {
case CMD_BEGIN:
- new_global_options.pidfile=NULL; /* do not create a pid file */
+ new_global_options.pidfile=PIDFILE;
break;
case CMD_EXEC:
if(strcasecmp(opt, "pid"))
@@ -932,9 +932,10 @@
case CMD_FREE:
break;
case CMD_DEFAULT:
+ s_log(LOG_NOTICE, "%-22s = %s", "pid", PIDFILE);
break;
case CMD_HELP:
- s_log(LOG_NOTICE, "%-22s = pid file", "pid");
+ s_log(LOG_NOTICE, "%-22s = pid file (empty to disable creating)", "pid");
break;
}
#endif

16
debian/patches/05-author-tests.patch vendored Normal file
View File

@ -0,0 +1,16 @@
Description: Only build the Win32 executables if requested.
Author: Peter Pentchev <roam@ringlet.net>
Forwarded: not yet
Last-Update: 2015-11-11
--- a/configure.ac
+++ b/configure.ac
@@ -8,7 +8,7 @@
AC_CONFIG_SRCDIR([src/stunnel.c])
AM_INIT_AUTOMAKE
-AM_CONDITIONAL([AUTHOR_TESTS], [test -d ".git"])
+AM_CONDITIONAL([AUTHOR_TESTS], [test -n "$AUTHOR_TESTS"])
AC_CANONICAL_HOST
AC_SUBST([host])
AC_DEFINE_UNQUOTED([HOST], ["$host"], [Host description])

71
debian/patches/07-path-max.patch vendored Normal file
View File

@ -0,0 +1,71 @@
Description: Allocate the config filename dynamically.
Avoid the use of PATH_MAX which may not be defined.
Forwarded: not-yet
Author: Peter Pentchev <roam@ringlet.net>
Last-Update: 2017-07-03
--- a/src/common.h
+++ b/src/common.h
@@ -94,7 +94,6 @@
typedef int ssize_t;
#endif /* _WIN64 */
#endif /* !__MINGW32__ */
-#define PATH_MAX MAX_PATH
#define USE_IPv6
#define _CRT_SECURE_NO_DEPRECATE
#define _CRT_NONSTDC_NO_DEPRECATE
--- a/src/options.c
+++ b/src/options.c
@@ -211,7 +211,7 @@
NOEXPORT char **argalloc(char *);
#endif
-char configuration_file[PATH_MAX];
+char *configuration_file;
GLOBAL_OPTIONS global_options;
SERVICE_OPTIONS service_options;
@@ -289,17 +289,27 @@
}
#ifdef HAVE_REALPATH
+ char *nconf;
if(type==CONF_FILE) {
- if(!realpath(name, configuration_file)) {
+ nconf = realpath(name, NULL);
+ if(nconf == NULL) {
s_log(LOG_ERR, "Invalid configuration file name \"%s\"", name);
ioerror("realpath");
return 1;
}
- return options_parse(type);
- }
+ free(configuration_file);
+ } else
#endif
- strncpy(configuration_file, name, PATH_MAX-1);
- configuration_file[PATH_MAX-1]='\0';
+ {
+ size_t sz = strlen(name) + 1;
+ nconf = realloc(configuration_file, sz);
+ if(nconf == NULL) {
+ s_log(LOG_ERR, "Could not allocate memory");
+ return 1;
+ }
+ snprintf(nconf, sz, "%s", name);
+ }
+ configuration_file = nconf;
return options_parse(type);
}
--- a/src/prototypes.h
+++ b/src/prototypes.h
@@ -430,7 +430,7 @@
/**************************************** prototypes for options.c */
-extern char configuration_file[PATH_MAX];
+extern char *configuration_file;
extern unsigned number_of_sections;
int options_cmdline(char *, char *);

76
debian/patches/09-try-restart.patch vendored Normal file
View File

@ -0,0 +1,76 @@
Description: Implement try-restart in the SysV init script.
Forwarded: not-yet
Author: Peter Pentchev <roam@ringlet.net>
Last-Update: 2017-07-03
--- a/tools/stunnel.init.in
+++ b/tools/stunnel.init.in
@@ -137,6 +137,47 @@
exit "$res"
}
+restartrunningdaemons()
+{
+ local res file pidfile status args
+
+ res=0
+ for file in $FILES; do
+ echo -n " $file: "
+ pidfile=`get_pidfile "$file"`
+ if [ ! -e "$pidfile" ]; then
+ echo -n 'no pid file'
+ else
+ status=0
+ pidofproc -p "$pidfile" "$DAEMON" >/dev/null || status="$?"
+ if [ "$status" = 0 ]; then
+ echo -n 'stopping'
+ killproc -p "$pidfile" "$DAEMON" "$sig" || status="$?"
+ if [ "$status" -eq 0 ]; then
+ echo -n ' starting'
+ args="$file $OPTIONS"
+ start_daemon -p "$pidfile" "$DAEMON" $args || status="$?"
+ if [ "$status" -eq 0 ]; then
+ echo -n ' started'
+ else
+ echo ' failed'
+ res=1
+ fi
+ else
+ echo -n ' failed'
+ res=1
+ fi
+ elif [ "$status" = 4 ]; then
+ echo "cannot access the pid file $pidfile"
+ else
+ echo -n 'stopped'
+ fi
+ fi
+ done
+ echo ''
+ exit "$res"
+}
+
if [ "x$OPTIONS" != "x" ]; then
OPTIONS="-- $OPTIONS"
fi
@@ -194,6 +235,11 @@
killdaemons && startdaemons
res=$?
;;
+ try-restart)
+ echo -n "Restarting $DESC if running:"
+ restartrunningdaemons
+ res=$?
+ ;;
status)
echo -n "$DESC status:"
querydaemons
@@ -201,7 +247,7 @@
;;
*)
N=@sysconfdir@/init.d/$NAME
- echo "Usage: $N {start|stop|status|reload|reopen-logs|restart} [<stunnel instance>]" >&2
+ echo "Usage: $N {start|stop|status|reload|reopen-logs|restart|try-restart} [<stunnel instance>]" >&2
res=1
;;
esac

7
debian/patches/series vendored Normal file
View File

@ -0,0 +1,7 @@
01-fix-paths.patch
02-rename-binary.patch
03-runas-user.patch
04-restore-pidfile-default.patch
05-author-tests.patch
07-path-max.patch
09-try-restart.patch

67
debian/postinst vendored Normal file
View File

@ -0,0 +1,67 @@
#!/bin/sh
set -e
USER="stunnel4"
CHOWN="/bin/chown"
#USERDEL="/usr/sbin/userdel"
ADDUSER="/usr/sbin/adduser"
ID="/usr/bin/id"
GROUPMOD="/usr/sbin/groupmod"
#GROUPDEL="/usr/sbin/groupdel"
###
# 1. get current stunnel uid and gid if user exists.
set -e
if $ID $USER > /dev/null 2>&1; then
IUID=`$ID --user $USER`
IGID=`$ID --group $USER`
else
IUID="NONE"
IGID="NONE"
fi
###
# 2. Ensure that no standard account or group will remain before adding the
# new user
#if [ "$IUID" != "NONE" ]; then # remove existing user
# $USERDEL $USER
#fi
#if $GROUPMOD $USER > /dev/null 2>&1; then
# $GROUPDEL $USER;
#fi
if [ "$IUID" = "NONE" ]; then
$ADDUSER --system --disabled-password --disabled-login \
--home /var/run/stunnel4 \
--no-create-home --group $USER
fi
# /var/run/stunnel4 is not a directory, create it...
if ! test -d /var/run/stunnel4; then
rm -rf /var/run/stunnel4;
mkdir /var/run/stunnel4
fi
$CHOWN $USER:$USER /var/run/stunnel4 || true
# /var/log/stunnel4 is not a directory, create it...
if ! test -d /var/log/stunnel4; then
rm -rf /var/log/stunnel4;
mkdir /var/log/stunnel4
fi
$CHOWN -R $USER:$USER /var/log/stunnel4
# /var/lib/stunnel4 is not a directory, create it...
if ! test -d /var/lib/stunnel4; then
rm -rf /var/lib/stunnel4;
mkdir /var/lib/stunnel4
fi
$CHOWN -R $USER:$USER /var/lib/stunnel4
if ! test -f /var/log/stunnel4/stunnel.log; then
touch /var/log/stunnel4/stunnel.log
$CHOWN -R $USER:$USER /var/log/stunnel4/stunnel.log
fi
#DEBHELPER#

17
debian/postrm vendored Normal file
View File

@ -0,0 +1,17 @@
#!/bin/sh
set -e
if [ x$1 = "xpurge" ]; then
echo You may want to delete the generated stunnel.pem file
echo in /etc/ssl/certs.
# Remove chroot dir if present. It may contain logfiles
rm -rf /var/lib/stunnel4 || true
# Log files must be removed on purge (Policy 10.8)
rm -f /var/log/stunnel4/stunnel.log* || true
rmdir /var/log/stunnel4 || true
fi
#DEBHELPER#

79
debian/rules vendored Executable file
View File

@ -0,0 +1,79 @@
#!/usr/bin/make -f
# -*- makefile -*-
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
# debian/rules file for the Debian GNU/Linux stunnel package
# Copyright 2003 by Julien LEMOINE <speedblue@debian.org>
# Copyright 2014 by Peter Pentchev <roam@ringlet.net>
ifeq (,$(filter nodoc,$(DEB_BUILD_OPTIONS) $(DEB_BUILD_PROFILES)))
DEB_NODOC=0
else
DEB_NODOC=1
endif
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
export DEB_CFLAGS_MAINT_APPEND=-Wall
multiarch_path= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
override_dh_auto_configure:
dh_auto_configure -- \
--enable-ipv6 --with-threads=pthread
override_dh_auto_install:
dh_auto_install -- -C src
ifeq ($(DEB_NODOC),0)
dh_auto_install -- -C doc
endif
# .la file is useless
rm $(CURDIR)/debian/stunnel4/usr/lib/$(multiarch_path)/stunnel/libstunnel.la
# Rename binary
mv $(CURDIR)/debian/stunnel4/usr/bin/stunnel \
$(CURDIR)/debian/stunnel4/usr/bin/stunnel4
# Copy sample init script into place for dh_installinit
cp $(CURDIR)/tools/stunnel.init $(CURDIR)/debian/stunnel4.init
ifeq ($(DEB_NODOC),0)
ln doc/stunnel.8 doc/stunnel4.8
ln doc/stunnel.pl.8 doc/stunnel4.pl.8
# Manpages will be installed by dh_installman
rm -rf $(CURDIR)/debian/stunnel4/usr/share/man
# Move docs into proper dir
mv $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel \
$(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4
# Basic docs for the user on how to create an initial configuration
install -p -m 0644 $(CURDIR)/debian/stunnel4.conf.README \
$(CURDIR)/debian/stunnel4/etc/stunnel/README
endif
ifeq ($(DEB_NODOC),1)
override_dh_installdocs:
mkdir -p $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4
install -c -o root -g root -m 644 $(CURDIR)/debian/copyright $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4/
override_dh_installman:
override_dh_link:
dh_link
rm $(CURDIR)/debian/stunnel4/usr/share/man/man8/stunnel.8.gz
rmdir $(CURDIR)/debian/stunnel4/usr/share/man/man8
rmdir $(CURDIR)/debian/stunnel4/usr/share/man
endif
override_dh_installppp:
dh_installppp --name=0stunnel4
override_dh_compress:
dh_compress --exclude=StunnelConf-0.1.pl
%:
dh $@

1
debian/source/format vendored Normal file
View File

@ -0,0 +1 @@
3.0 (quilt)

510
debian/stunnel3.8 vendored Normal file
View File

@ -0,0 +1,510 @@
.\" Automatically generated by Pod::Man v1.34, Pod::Parser v1.13
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sh \" Subsection heading
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. | will give a
.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
.\" expand to `' in nroff, nothing in troff, for use with C<>.
.tr \(*W-|\(bv\*(Tr
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.\"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.hy 0
.if n .na
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "STUNNEL 1"
.TH STUNNEL 8 "2003-08-01" " " " "
.SH "NAME"
stunnel \- universal SSL tunnel
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBstunnel\fR [\-c\ |\ \-T] [\-D\ [facility.]level] [\-O\ a|l|r:option=value[:value]] [\-o\ file] [\-C\ cipherlist] [\-p\ pemfile] [\-v\ level] [\-A\ certfile] [\-S\ sources] [\-a\ directory] [\-t\ timeout] [\-u\ ident_username] [\-s\ setuid_user]
[\-g\ setgid_group] [\-n\ protocol] [\-P\ {\ filename\ |\ ''\ }\ ] [\-B\ bytes] [\-R\ randfile] [\-W] [\-E\ socket] [\-I\ host]
[\-d\ [host:]port\ [\-f]\ ] [\ \-r\ [host:]port\ |\ {\ \-l\ |\ \-L\ }\ program\ [\-\-\ progname\ args]\ ]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBstunnel\fR program is designed to work as \fI\s-1SSL\s0\fR encryption
wrapper between remote clients and local (\fIinetd\fR\-startable) or
remote servers. The concept is that having non-SSL aware daemons
running on your system you can easily set them up to communicate with
clients over secure \s-1SSL\s0 channels.
.PP
\&\fBstunnel\fR can be used to add \s-1SSL\s0 functionality to commonly used
\&\fIinetd\fR daemons like \s-1POP\-2\s0, \s-1POP\-3\s0, and \s-1IMAP\s0 servers, to standalone
daemons like \s-1NNTP\s0, \s-1SMTP\s0 and \s-1HTTP\s0, and in tunneling \s-1PPP\s0 over network
sockets without changes to the source code.
.PP
This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com)
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-h\fR" 4
.IX Item "-h"
Print stunnel help menu
.IP "\fB\-D\fR level" 4
.IX Item "-D level"
Debugging level
.Sp
Level is a one of the syslog level names or numbers emerg (0), alert
(1), crit (2), err (3), warning (4), notice (5), info (6), or debug
(7). All logs for the specified level and all levels numerically less
than it will be shown. Use \-D debug or \-D 7 for greatest debugging
output. The default is notice (5).
.Sp
The syslog facility 'daemon' will be used unless a facility name is
supplied. (Facilities are not supported on windows.)
.Sp
Case is ignored for both facilities and levels.
.IP "\fB\-O\fR a|l|r:option=value[:value]" 4
.IX Item "-O a|l|r:option=value[:value]"
Set an option on accept/local/remote socket
.Sp
The values for linger option are l_onof:l_linger. The values for time
are tv_sec:tv_usec.
.Sp
\&\fBExamples:\fR
.Sp
\&\fB\-O l:SO_LINGER=1:60\fR \- set one minute timeout for closing local
socket
.Sp
\&\fB\-O r:TCP_NODELAY=1\fR \- turn off the Nagle algorithm for remote
sockets
.Sp
\&\fB\-O r:SO_OOBINLINE=1\fR \- place out-of-band data directly into the
receive data stream for remote sockets
.Sp
\&\fB\-O a:SO_REUSEADDR=0\fR \- disable address reuse (enabled by default)
.Sp
\&\fB\-O a:SO_BINDTODEVICE=lo\fR \- only accept connections on loopback
interface
.Sp
The available options and their defaults are:
Option Accept Local Remote OS default
SO_DEBUG -- -- -- 0
SO_DONTROUTE -- -- -- 0
SO_KEEPALIVE -- -- -- 0
SO_LINGER -- -- -- 0:0
SO_OOBINLINE -- -- -- 0
SO_RCVBUF -- -- -- 87380
SO_SNDBUF -- -- -- 16384
SO_RCVLOWAT -- -- -- 1
SO_SNDLOWAT -- -- -- 1
SO_RCVTIMEO -- -- -- 0:0
SO_SNDTIMEO -- -- -- 0:0
SO_REUSEADDR 1 -- -- 0
SO_BINDTODEVICE -- -- -- --
IP_TOS -- -- -- 0
IP_TTL -- -- -- 64
TCP_NODELAY -- -- -- 0
.IP "\fB\-o\fR file" 4
.IX Item "-o file"
Append log messages to a file.
.IP "\fB\-C\fR cipherlist" 4
.IX Item "-C cipherlist"
Select permitted \s-1SSL\s0 ciphers
.Sp
A colon delimited list of the ciphers to allow in the \s-1SSL\s0 connection.
For example \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
.IP "\fB\-c\fR" 4
.IX Item "-c"
client mode (remote service uses \s-1SSL\s0)
.Sp
default: server mode
.IP "\fB\-T\fR" 4
.IX Item "-T"
transparent proxy mode
.Sp
Re-write address to appear as if wrapped daemon is connecting from the
\&\s-1SSL\s0 client machine instead of the machine running stunnel. Available
only on some operating systems (Linux only, we believe) and then only
in server mode. Note that this option will not combine with proxy mode
(\-r) unless the client's default route to the target machine lies
through the host running stunnel, which cannot be localhost.
.IP "\fB\-p\fR pemfile" 4
.IX Item "-p pemfile"
private key and certificate chain \s-1PEM\s0 file name
.Sp
A \s-1PEM\s0 is always needed in server mode (by default located in
\fI/etc/stunnel/stunnel.pem\fR). Specifying this flag in client mode
will use this key and certificate chain as a client side certificate
chain. Using client side certs is optional. The certificates must be
in \s-1PEM\s0 format and must be sorted starting with the certificate
to the highest level (root \s-1CA\s0).
.IP "\fB\-v\fR level" 4
.IX Item "-v level"
verify peer certificate
.RS 4
.IP "\(bu" 8
level 1 \- verify peer certificate if present
.IP "\(bu" 8
level 2 \- verify peer certificate
.IP "\(bu" 8
level 3 \- verify peer with locally installed certificate
.IP "\(bu" 8
default \- no verify
.RE
.RS 4
.RE
.IP "\fB\-a\fR directory" 4
.IX Item "-a directory"
client certificate directory
.Sp
This is the directory in which stunnel will look for certificates when
using the \fI\-v\fR options. Note that the certificates in this directory
should be named \s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the
cert.
.IP "\fB\-A\fR certfile" 4
.IX Item "-A certfile"
Certificate Authority file
.Sp
This file contains multiple \s-1CA\s0 certificates, used with the \fI\-v\fR
options.
.IP "\fB\-t\fR timeout" 4
.IX Item "-t timeout"
session cache timeout
.Sp
default: 300 seconds.
.IP "\fB\-N\fR servicename" 4
.IX Item "-N servicename"
Service name to use for tcpwrappers. If not specified then a
tcpwrapper service name will be generated automatically for you. This
will also be used when auto-generating pid filenames.
.IP "\fB\-u\fR ident_username" 4
.IX Item "-u ident_username"
Use \s-1IDENT\s0 (\s-1RFC\s0 1413) username checking
.IP "\fB\-n\fR proto" 4
.IX Item "-n proto"
Negotiate \s-1SSL\s0 with specified protocol
.Sp
currently supported: smtp, pop3, nntp
.IP "\fB\-E\fR socket" 4
.IX Item "-E socket"
Entropy Gathering Daemon socket to use to feed OpenSSL random number
generator. (Available only if compiled with OpenSSL 0.9.5a or higher)
.IP "\fB\-R\fR filename" 4
.IX Item "-R filename"
File containing random input. The \s-1SSL\s0 library will use data from this
file first to seed the random number generator.
.IP "\fB\-W\fR" 4
.IX Item "-W"
Do not overwrite the random seed files with new random data.
.IP "\fB\-B\fR bytes" 4
.IX Item "-B bytes"
Number of bytes of data read from random seed files. With \s-1SSL\s0
versions less than 0.9.5a, also determines how many bytes of data are
considered sufficient to seed the \s-1PRNG\s0. More recent OpenSSL versions
have a builtin function to determine when sufficient randomness is
available.
.IP "\fB\-I\fR host" 4
.IX Item "-I host"
\&\s-1IP\s0 of the outgoing interface is used as source for remote connections.
Use this option to bind a static local \s-1IP\s0 address, instead.
.IP "\fB\-d\fR [host:]port" 4
.IX Item "-d [host:]port"
daemon mode
.Sp
Listen for connections on [host:]port. If no host specified, defaults
to all \s-1IP\s0 addresses for the local host.
.Sp
default: inetd mode
.IP "\fB\-f\fR" 4
.IX Item "-f"
foreground mode
.Sp
Stay in foreground (don't fork) and log to stderr instead of via
syslog (unless \-o is specified).
.Sp
default: background in daemon mode
.IP "\fB\-l\fR program [\-\- programname [arg1 arg2 arg3...] ]" 4
.IX Item "-l program [-- programname [arg1 arg2 arg3...] ]"
execute local inetd-type program.
.IP "\fB\-L\fR program [\-\- programname [arg1 arg2 arg3...] ]" 4
.IX Item "-L program [-- programname [arg1 arg2 arg3...] ]"
open local pty and execute program.
.IP "\fB\-s\fR username" 4
.IX Item "-s username"
\&\fIsetuid()\fR to username in daemon mode
.IP "\fB\-g\fR groupname" 4
.IX Item "-g groupname"
\&\fIsetgid()\fR to groupname in daemon mode. Clears all other groups.
.IP "\fB\-P\fR { file | '' }" 4
.IX Item "-P { file | '' }"
Pid file location
.Sp
If the argument is a filename, then that filename will be used for the
pid. If the argument is empty ('', not missing), then no pid file will
be created.
.IP "\fB\-r\fR [host:]port" 4
.IX Item "-r [host:]port"
connect to remote service
.Sp
If no host specified, defaults to localhost.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
In order to provide \s-1SSL\s0 encapsulation to your local \fIimapd\fR service,
use
.PP
.Vb 1
\& stunnel \-d 993 \-l /usr/sbin/imapd \-\- imapd
.Ve
.PP
In order to let your local e-mail client connect to a \s-1SSL\s0-enabled
\fIimapd\fR service on another server, configure the e-mail client to connect to
localhost on port 119 and use:
.PP
.Vb 1
\& stunnel \-c \-d 143 \-r servername:993
.Ve
.PP
If you want to provide tunneling to your \fIpppd\fR daemon on port 2020,
use something like
.PP
.Vb 1
\& stunnel \-d 2020 \-L /usr/sbin/pppd \-\- pppd local
.Ve
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
If Stunnel is used to create local processes using the \fB\-l\fR or \fB\-L\fR
options, it will set the following environment variables
.IP "\s-1REMOTE_HOST\s0" 4
.IX Item "REMOTE_HOST"
The \s-1IP\s0 address of the remote end of the connection.
.IP "\s-1SSL_CLIENT_DN\s0" 4
.IX Item "SSL_CLIENT_DN"
The \s-1DN\s0 (Distinguished Name, aka subject name) of the peer certificate,
if a certificate was present and verified.
.IP "\s-1SSL_CLIENT_I_DN\s0" 4
.IX Item "SSL_CLIENT_I_DN"
The Issuer's \s-1DN\s0 of the peer's certificate, if a certificate was
present and verified.
.SH "CERTIFICATES"
.IX Header "CERTIFICATES"
.IP "\(bu" 4
Each \s-1SSL\s0 enabled daemon needs to present a valid X.509 certificate to
the peer. It also needs a private key to decrypt the incoming data.
The easiest way to obtain a certificate and a key is to generate them
with the free \fIopenssl\fR package. You can find more information on
certificates generation on pages listed below.
.Sp
Two things are important when generating certificate-key pairs for
\&\fBstunnel\fR. The private key cannot be encrypted, because the server
has no way to obtain the password from the user. To produce an
unencrypted key add the \fI\-nodes\fR option when running the \fBreq\fR
command from the \fIopenssl\fR kit.
.Sp
The order of contents of the \fI.pem\fR file is also important. It should
contain the unencrypted private key first, then a signed certificate
(not certificate request). There should be also empty lines after
certificate and private key. Plaintext certificate information
appended on the top of generated certificate should be discarded. So
the file should look like this:
.Sp
.Vb 8
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
\& [encoded key]
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
\& [empty line]
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
\& [encoded certificate]
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
\& [empty line]
.Ve
.SH "RANDOMNESS"
.IX Header "RANDOMNESS"
.IP "\(bu" 4
\&\fIstunnel\fR needs to seed the \s-1PRNG\s0 (pseudo random number generator) in
order for \s-1SSL\s0 to use good randomness. The following sources are
loaded in order until sufficient random data has been gathered:
.RS 4
.IP "\(bu" 8
The file specified with the \fI\-R\fR flag.
.IP "\(bu" 8
The file specified by the \s-1RANDFILE\s0 environment variable, if set.
.IP "\(bu" 8
The file .rnd in your home directory, if \s-1RANDFILE\s0 not set.
.IP "\(bu" 8
The file specified with '\-\-with\-random' at compile time.
.IP "\(bu" 8
The contents of the screen if running on Windows.
.IP "\(bu" 8
The egd socket specified with the \fI\-E\fR flag.
.IP "\(bu" 8
The egd socket specified with '\-\-with\-egd\-sock' at compile time.
.IP "\(bu" 8
The /dev/urandom device.
.RE
.RS 4
.Sp
With recent (>=OpenSSL 0.9.5a) version of \s-1SSL\s0 it will stop loading
random data automatically when sufficient entropy has been gathered.
With previous versions it will continue to gather from all the above
sources since no \s-1SSL\s0 function exists to tell when enough data is
available.
.Sp
Note that on Windows machines that do not have console user
interaction (mouse movements, creating windows, etc) the screen
contents are not variable enough to be sufficient, and you should
provide a random file for use with the \fI\-R\fR flag.
.Sp
Note that the file specified with the \fI\-R\fR flag should contain random
data \*(-- that means it should contain different information each time
\&\fIstunnel\fR is run. This is handled automatically unless the \fI\-W\fR
flag is used. If you wish to update this file manually, the \fIopenssl
rand\fR command in recent versions of OpenSSL, would be useful.
.Sp
One important note \*(-- if /dev/urandom is available, OpenSSL has a
habit of seeding the \s-1PRNG\s0 with it even when checking the random state,
so on systems with /dev/urandom you're likely to use it even though
it's listed at the very bottom of the list above. This isn't
stunnel's behaviour, it's OpenSSLs.
.RE
.SH "LIMITATIONS"
.IX Header "LIMITATIONS"
.IP "\(bu" 4
\&\fIstunnel\fR cannot be used for the \s-1FTP\s0 daemon because of the nature of
the \s-1FTP\s0 protocol which utilizes multiple ports for data transfers.
There are available \s-1SSL\s0 enabled versions of \s-1FTP\s0 and telnet daemons,
however.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
.RS 4
.IP "\fItcpd\fR\|(8)" 8
.IX Item "tcpd"
access control facility for internet services
.IP "\fIinetd\fR\|(8)" 8
.IX Item "inetd"
internet ``super\-server''
.IP "\fIhttps://www.stunnel.org/\fR" 8
.IX Item "https://www.stunnel.org/"
Stunnel homepage
.IP "\fIhttps://www.openssl.org/\fR" 8
.IX Item "https://www.openssl.org/"
OpenSSL project website
.RE
.RS 4
.RE
.SH "AUTHOR"
.IX Header "AUTHOR"
.RS 4
.IP "Michal Trojnara" 8
.IX Item "Michal Trojnara"
<\fIMichal.Trojnara@stunnel.org\fR>
.RE
.RS 4
.RE

9
debian/stunnel4.0stunnel4.ppp.ip-down vendored Normal file
View File

@ -0,0 +1,9 @@
#!/bin/sh
# if this script gets called, we assume that the machine has lost
# IPv4 connectivity -> restart stunnel (do not stop it, it is possible
# to have a eth connection)
test -f /etc/default/stunnel4 && . /etc/default/stunnel4
test "$PPP_RESTART" != "0" || exit 0
invoke-rc.d stunnel4 restart

7
debian/stunnel4.0stunnel4.ppp.ip-up vendored Normal file
View File

@ -0,0 +1,7 @@
#!/bin/sh
test -f /etc/default/stunnel4 && . /etc/default/stunnel4
test "$PPP_RESTART" != "0" || exit 0
invoke-rc.d stunnel4 restart

96
debian/stunnel4.NEWS vendored Normal file
View File

@ -0,0 +1,96 @@
stunnel4 (3:5.06-1) unstable; urgency=medium
There are two major changes in this version of stunnel.
First, the /usr/bin/stunnel symlink has been switched from stunnel3
to stunnel4. This should not affect any tools that invoke stunnel
using the stunnel4 name, and it should not affect any Debian packages
that use stunnel. However, any local tools that invoke stunnel with
3.x-style command-line options instead of a 4.x-style configuration
file should make sure that they use the stunnel3 executable name and
not simply stunnel any more, or they should be converted to use
a 4.x-style configuration file (there is no need to create an actual
file on the filesystem, the configuration may be passed to stunnel
on its standard input using the "-fd 0" command-line option).
Second, this version DISABLES support for the SSLv2 and SSLv3 protocols!
If needed, it may be re-enabled by editing the stunnel configuration
file and adding "-NO_SSLv2" or "-NO_SSLv3" respectively to
the "options" setting; see /etc/stunnel/README for an example.
-- Peter Pentchev <roam@ringlet.net> Thu, 16 Oct 2014 13:56:35 +0300
stunnel4 (3:5.01-3) unstable; urgency=medium
This version temporarily brings back the creation of a default pid
file, /var/run/stunnel4.pid, if there is no "pid" setting in
the configuration file. The reason for this is that the init script
cannot monitor the started stunnel processes if there is no pid file
at all.
The init script now warns about configuration files that have no
"pid" setting and will thus use the default pid file location.
In the future it will refuse to start with such configurations, so
it would be best to add the "pid" setting to all the *.conf files in
the /etc/stunnel/ directory.
-- Peter Pentchev <roam@ringlet.net> Fri, 18 Apr 2014 14:37:42 +0300
stunnel (3:5.01-2) unstable; urgency=medium
This version DISABLES the RLE compression method, too. This means
that stunnel currently has no compression methods available at all,
since the underlying OpenSSL library does not have any, either.
Tunnel configurations that explicitly set "compression" will NEED
to be modified.
-- Peter Pentchev <roam@ringlet.net> Mon, 14 Apr 2014 15:04:56 +0300
stunnel (3:5.01-1) unstable; urgency=medium
This version DISABLES the creation of the process ID file and
the use of TCP wrappers for access control by default!
Tunnel configurations that use PID files (e.g. for monitoring) or
TCP wrappers (/etc/hosts.allow, /etc/hosts.deny) will NEED to be
modified to explicitly specify the 'pidfile' global option or
the 'libwrap' service-level option respectively.
This version also DISABLES the "zlib" and "deflate" compression
algorithms because they are not supported in the Debian OpenSSL
package since version 1.0.1e-5. The only supported compression
algorithm is "rle". Tunnel configurations that explicitly set
"compression" to something other than "rle" will NEED to be modified.
-- Peter Pentchev <roam@ringlet.net> Tue, 25 Mar 2014 18:05:11 +0200
stunnel (3:4.33-1) experimental; urgency=low
This version introduces support for reloading the configuration file
and for closing/reopening log files. The init script has been
updated to provide these options, and the default logrotate
configuration has been updated to take advantage of them.
-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Thu, 04 Feb 2010 19:52:23 -0800
stunnel (3:4.28-1) unstable; urgency=low
The default behaviour of the logrotate configuration for stunnel4
has been changed. Instead of restarting stunnel after rotating the
log files we now use the 'copytruncate' keyword. This avoids the
problems associated with the restart, but introduces the possibility
of loosing small amounts of log data. Please see Debian bugs
#535915, #535924 and #323171 for more info.
-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Wed, 25 Nov 2009 17:12:42 -0800
stunnel (2:4.140-5) unstable; urgency=low
stunnel/stunnel4 binaries are located in /usr/bin instead of
/usr/sbin in order to be FHS compliant (they can be used by normal
user). You need to update your scripts to refer to this new location
-- Julien Lemoine <speedblue@debian.org> Sun, 19 Feb 2006 17:31:24 +0100

13
debian/stunnel4.conf.README vendored Normal file
View File

@ -0,0 +1,13 @@
Stunnel 4 configuration files.
Files found under the /etc/stunnel directory that end with .conf are
used by the stunnel4 service as configuration files, and each will be
used to start a daemon process setting up a tunnel with the given
configuration. Note that this directory is initially empty, as the
settings you may want for your tunnels are completely system dependent.
In order to have the tunnels start up automatically on system boot you
must *also* set ENABLED to 1 in /etc/default/stunnel4
A sample configuration file with defaults may be found at
/usr/share/doc/stunnel4/examples/stunnel.conf-sample

18
debian/stunnel4.default vendored Normal file
View File

@ -0,0 +1,18 @@
# /etc/default/stunnel
# Julien LEMOINE <speedblue@debian.org>
# September 2003
# Change to one to enable stunnel automatic startup
ENABLED=0
FILES="/etc/stunnel/*.conf"
OPTIONS=""
# Change to one to enable ppp restart scripts
PPP_RESTART=0
# Change to enable the setting of limits on the stunnel instances
# For example, to set a large limit on file descriptors (to enable
# more simultaneous client connections), set RLIMITS="-n 4096"
# More than one resource limit may be modified at the same time,
# e.g. RLIMITS="-n 4096 -d unlimited"
RLIMITS=""

6
debian/stunnel4.examples vendored Normal file
View File

@ -0,0 +1,6 @@
tools/ca.html
tools/ca.pl
tools/importCA.html
tools/importCA.sh
tools/openssl.cnf
tools/stunnel.conf-sample

1
debian/stunnel4.install vendored Normal file
View File

@ -0,0 +1 @@
debian/StunnelConf-0.1.pl usr/share/doc/stunnel4/contrib

2
debian/stunnel4.links vendored Normal file
View File

@ -0,0 +1,2 @@
/usr/bin/stunnel4 /usr/bin/stunnel
/usr/share/man/man8/stunnel4.8.gz /usr/share/man/man8/stunnel.8.gz

5
debian/stunnel4.lintian-overrides vendored Normal file
View File

@ -0,0 +1,5 @@
# No character arrays anywhere in this .so
stunnel4: hardening-no-stackprotector usr/lib/stunnel/libstunnel.so
# Not a typo at all.
stunnel4: spelling-error-in-manpage usr/share/man/man8/stunnel4.8.gz CAs Case

13
debian/stunnel4.logrotate vendored Normal file
View File

@ -0,0 +1,13 @@
/var/log/stunnel4/*.log {
daily
missingok
rotate 365
compress
delaycompress
notifempty
create 640 stunnel4 stunnel4
sharedscripts
postrotate
/etc/init.d/stunnel4 reopen-logs > /dev/null
endscript
}

3
debian/stunnel4.manpages vendored Normal file
View File

@ -0,0 +1,3 @@
doc/stunnel4.8
doc/stunnel4.pl.8
debian/stunnel3.8

21
debian/tests/certs/certificate.pem vendored Normal file
View File

@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----
MIIDfDCCAmSgAwIBAgIJAPFcHvXjRYbZMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNV
BAYTAkJHMQ4wDAYDVQQIDAVTb2ZpYTEOMAwGA1UEBwwFU29maWExEDAOBgNVBAoM
B1JpbmdsZXQxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xNzA2MTIyMzAzMjdaFw0y
NzA2MTAyMzAzMjdaMFMxCzAJBgNVBAYTAkJHMQ4wDAYDVQQIDAVTb2ZpYTEOMAwG
A1UEBwwFU29maWExEDAOBgNVBAoMB1JpbmdsZXQxEjAQBgNVBAMMCWxvY2FsaG9z
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMp0QYS6IZ1To2h68NcZ
zmnAQfzodFcD7Lhp2CcDOBXRrKfPq1NUqUXMGvcHcPbmT84W2OGGfh11MKvksuof
4+juU4+1uujPJoOmREi7WjVzEVWUftvFUqeTigFz96EMsVui4UbTUxX6ACIsXXwg
v1b/rpyVZJvTucKsyP5ml5OXaPFe5mXUQtdaJsjpV4ikq4O9vcYdMt0Y8IVbxpCO
5CryW3KUHzBUS7uqO2nbLXZBOkJHCgxDawAlTeDRW/uJOl7nnSUgo0HiojG4qhY6
spYmQ9ijtj1vX5H2tsf97rZCbU5JMFqX8XcJgTWKTYHlxkBYbB6QkPyhiOXDo/M/
oJ8CAwEAAaNTMFEwHQYDVR0OBBYEFPwfXq4qd8stmvstPC3QdFL716XRMB8GA1Ud
IwQYMBaAFPwfXq4qd8stmvstPC3QdFL716XRMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
KoZIhvcNAQELBQADggEBADkuMAUB2Uyx23oN9ZxZsAWOdJoSUIWs4qxc5eQ/qjj7
64zm62ZaVc8F6AyMYxHZvOKxvN/Pg19dSZelvTpgSqXLbirstRgsBCIXO2q6UYo2
BUpZovZ4DOll+sAbmrZJRDiVO1XeCqqjr0v0I7NfJ5r31K1tfaZxGovUdC+M3xJ6
yRrFWfF+EdlvVRFQt97mZXtcTDFWk7+CT6fgfLnCxTuMcSNtzM60FCBS5wz0MPSA
BGje1qXUMzwN2T0aDyxWNRdvFGMHC8Z23EOa3roK+NybS2PVAu7MpxDTBZdHSGtG
5wqY6fq5kww8OI9AlPNYVtqXrFrF6Lj5m/jhUHcAIUU=
-----END CERTIFICATE-----

28
debian/tests/certs/key.pem vendored Normal file
View File

@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDKdEGEuiGdU6No
evDXGc5pwEH86HRXA+y4adgnAzgV0aynz6tTVKlFzBr3B3D25k/OFtjhhn4ddTCr
5LLqH+Po7lOPtbrozyaDpkRIu1o1cxFVlH7bxVKnk4oBc/ehDLFbouFG01MV+gAi
LF18IL9W/66clWSb07nCrMj+ZpeTl2jxXuZl1ELXWibI6VeIpKuDvb3GHTLdGPCF
W8aQjuQq8ltylB8wVEu7qjtp2y12QTpCRwoMQ2sAJU3g0Vv7iTpe550lIKNB4qIx
uKoWOrKWJkPYo7Y9b1+R9rbH/e62Qm1OSTBal/F3CYE1ik2B5cZAWGwekJD8oYjl
w6PzP6CfAgMBAAECggEAf+TrUuamv5WLoEAyDyCdVg7/YL6UaDfxfhpXU2XkM1xu
vuAg8haEjLRAwJdx1HdwKNgkEGx/FSroIV7ra53Tw11zalC6j8H1KauKbYv1k9hq
Ne8GKN3Btl0tDHfvEk1LaYE+4Rg036g8F1qBgB3L4jDJZN+3W/1n10SCALxcuv4G
XMJOcrhW3KBlEJpIBhz+ROPeiZX8VwB2iK7jg0Bebh7XuNFCFOiFqq6UfFRNeGBi
Ca9rZdUP0YmxNPEXzGu1TEv1edX0Nf3jRKERQrZ3Sg6ogPcqQSQ1VP052Hc0Tqpl
akrRrVMfbbQQIMc9JrxJmXb7/OHeS1R50Ci5x7weoQKBgQDwYSGSypJl6lWpgrm6
5HuIem0AK9gmOAyiR0UdjMwVybeHhcldK8ABFcsdUt7v84+kCKkRhEX//QWjowMF
0OJ2i7Y1VbdyNd7exPW5zmYAiBX+oR3JKMekjPRCUamg5P2fSrVqDHvz7WU7hoQb
0jcIu8kwtPjw5uz13OWWbmEjTwKBgQDXnDZ0nQoXUO8VkNYaWQzukIcKdB71v2DZ
KiaJvPFjTGPUwwd/kEcU7/wMet4UKff4XjOaX+f2tFZm+vrYs6RfqnLlRFlkhKJZ
HColltm8KV6w+LnwkPUuY4HnDJepU6eBC2wtGPU1n1YXCwgDL+MTIpLFuveQ9w/N
wTRP3USZsQKBgDy9Tm55IWT/QYYDskq3UT+7L6/LZGLD5u1adOxyl18qCWYFOEyC
sZGUoC5YslyPfsxEI/R5J/b3SGWA21Ks5Yxu4Su47RG+6wH/YtgAf2XC/UvKCmy6
EThTJaVcXTB6rFuD1TNm1Cte4SWZZ+hfxeg/CydzkzPMJjQ6DQll+sWhAoGBAKJj
tV//JyqIeonznE4b4/GKSStGaksM6RSm+n+jHut7DXWhrnQVZnQOi/eaUsk9Etat
nJAYy8yz5p+JSIUOSC8FYaPr5qgefWhAHj5Rb4yYXAlOTD0z8HYP3Db49QFDUFWR
FNiig4zvhRe150L/PjebQpBKUUuNyQlfCtdb/98BAoGARMZNl+0FEzw714ataoWk
1IPoe7oIzaoYTqPcpQT0AGOdfYRS3ffJFe2Foa0K7MVyxNA/OjyheYVtD2IgmoTv
WkRr6xM4nphza595yB5q+psKwOdQvP5XsyiJOXDixzn+yFIqrdQlmBNZHT1z/jwr
oBRWtTVO2aX5pBUjvBu3eQ0=
-----END PRIVATE KEY-----

6
debian/tests/control vendored Normal file
View File

@ -0,0 +1,6 @@
Test-Command: env TEST_STUNNEL=/usr/bin/stunnel4 debian/tests/runtime
Depends: @, perl, libanyevent-perl, libnet-ssleay-perl, libpath-tiny-perl
Restrictions: allow-stderr
Test-Command: debian/tests/upstream
Depends: @, netcat-traditional

647
debian/tests/runtime vendored Executable file
View File

@ -0,0 +1,647 @@
#!/usr/bin/perl
use v5.14;
use strict;
use warnings;
use AnyEvent;
use AnyEvent::Handle;
use AnyEvent::Socket qw(tcp_connect tcp_server);
use AnyEvent::Util qw(portable_socketpair);
use Fcntl qw(F_GETFD F_SETFD FD_CLOEXEC);
use IO::Handle;
use Path::Tiny 0.097;
use POSIX qw(WNOHANG);
use Socket;
# AnyEvent's TLS support seems to require this...
use threads;
my %children;
my $child_reaper_w;
my $greeting = 'Well hello there!';
sub reap_leftover_children();
sub child_reaper();
sub register_child_reaper()
{
$child_reaper_w = AnyEvent->signal(
signal => 'CHLD',
cb => \&child_reaper,
);
$SIG{__DIE__} = sub {
my ($msg) = @_;
warn "__DIE__ handler invoked: ".($msg =~ s/[\r\n]*$//sr)."\n";
reap_leftover_children;
};
}
sub unregister_child_reaper()
{
undef $child_reaper_w;
}
sub child_reaper()
{
while (1) {
my $pid = waitpid -1, WNOHANG;
my $status = $?;
if (!defined $pid) {
die "Could not waitpid() in a SIGCHLD handler: $!\n";
} elsif ($pid == 0 || $pid == -1) {
last;
} else {
$children{$pid}{cv} //= AnyEvent->condvar;
$children{$pid}{cv}->send($status);
}
}
}
sub register_child($ $)
{
my ($pid, $desc) = @_;
# Weird, but we want it to be at least reasonably atomic-like
$children{$pid}{cv} //= AnyEvent->condvar;
my $ch = $children{$pid};
$ch->{pid} = $pid;
$ch->{desc} = $desc;
}
sub dump_children()
{
join '', map {
my $ch = $children{$_};
"\t$ch->{pid}\t".
($ch->{cv}->ready
? $ch->{cv}->recv
: '(none)'
).
"\t$ch->{desc}\n"
} sort { $a <=> $b } keys %children
}
sub wait_for_child($)
{
my ($pid) = @_;
if (!defined $children{$pid}) {
die "Internal error: wait_for_child() invoked for ".
"unregistered pid $pid\n".dump_children;
}
my $status = $children{$pid}{cv}->recv;
delete $children{$pid};
return $status;
}
sub reap_leftover_children()
{
say 'Oof, let us see if there are any children left';
if (!%children) {
say 'Everyone has been accounted for; great!';
return;
}
for my $pid (keys %children) {
my $ch = $children{$pid};
if ($ch->{cv}->ready) {
my $status = wait_for_child $pid;
say "Hm, child $pid seems to have finished already, status $status";
}
}
if (!%children) {
say 'Everyone has actually been accounted for; great!';
return;
}
for my $pid (keys %children) {
say "Pffth, sending a SIGKILL to $pid";
kill 'KILL', $pid;
}
for my $pid (keys %children) {
my $ch = $children{$pid};
if ($ch->{cv}->ready) {
wait_for_child $pid;
say "OK, $pid done";
}
}
# Bah, figure out some way to let the loop run even if we're within the loop...
if (%children) {
say 'Some children remaining, laying low for a second...';
sleep 1;
for my $pid (keys %children) {
say "- waiting for $pid ($children{$pid}{desc})";
wait_for_child $pid;
say "- OK, $pid done";
}
}
if (%children) {
say 'Something really weird happened, why are there still children around?';
say dump_children;
}
}
sub close_on_exec($ $)
{
my ($fh, $close) = @_;
my $flags = fcntl $fh, F_GETFD, 0 or
die "Could not obtain a file descriptor's flags: $!\n";
my $nflags = $close
? ($flags | FD_CLOEXEC)
: ($flags & ~FD_CLOEXEC);
fcntl $fh, F_SETFD, $nflags or
die "Could not set a file descriptor's flags: $!\n";
}
sub anyevent_socketpair($)
{
my ($name) = @_;
my ($fh1, $fh2) = portable_socketpair;
if (!defined $fh1) {
die "Could not create the $name socketpair: $!\n";
}
$fh1->autoflush(1);
$fh2->autoflush(1);
return (AnyEvent::Handle->new(fh => $fh1), AnyEvent::Handle->new(fh => $fh2));
}
sub find_listening_port($ $ $ $ $)
{
my ($address, $port_start, $step, $count, $cb) = @_;
my $res;
my $port = $port_start;
for (1..$count) {
eval {
$res = tcp_server $address, $port, $cb;
};
last if $res;
say "Could not listen on $address:$port: $@";
$port += $step;
}
if (!defined $res) {
die "Could not find a listening port on $address\n";
}
return ($port, $res);
}
my %conns;
sub register_client_connection($)
{
my ($fh) = @_;
my $sockaddr = getsockname $fh;
if (!defined $sockaddr) {
die "Could not obtain the local address of the just-connected socket: $!\n";
}
my ($port, $addr_num) = sockaddr_in $sockaddr;
if (!defined $port || !defined $addr_num) {
die "Could not decode the address and port from a sockaddr_in structure: $!\n";
}
my $addr = inet_ntoa $addr_num;
if (!defined $addr) {
die "Could not decode a numeric address: $!\n";
}
my $id = "$addr:$port";
$conns{$id}{cv} //= AnyEvent->condvar;
$conns{$id}{fh} //= $fh;
return $id;
}
sub await_client_connection($ $; $)
{
my ($lis_main, $cv, $skip_register) = @_;
my $die = sub {
warn "@_";
$cv->send(undef);
};
$lis_main->rtimeout(10);
$lis_main->on_rtimeout(sub { $die->("The listener's accept message timed out\n") });
$lis_main->push_read(line => sub {
my ($handle, $line) = @_;
if ($line !~ m{^ accept \s+ (?<id> \S+ ) $}x) {
return $die->("The accept server did not send an 'accept' message: $line\n");
}
my ($id) = $+{id};
$conns{$id}{cv} //= AnyEvent->condvar unless $skip_register;
$lis_main->rtimeout(10);
$lis_main->on_rtimeout(sub { $die->("The listener's close message timed out\n") });
$lis_main->push_read(line => sub {
my ($handle, $line) = @_;
if ($line !~ m{^ close \s+ (?<id> \S+ ) $}x) {
return $die->("The accept server did not send an 'close' message: $line\n");
}
my ($cid) = $+{id};
if ($cid ne $id) {
return $die->("The accept server's 'close' message had id '$cid' instead of the accepted one '$id'\n");
}
$lis_main->rtimeout(0);
$cv->send($id);
});
});
}
sub adopt_client_connection($ $)
{
my ($id, $opts) = @_;
my $w;
my $do_close = sub {
my ($err) = @_;
$w->push_shutdown;
$w->destroy;
undef $w;
undef $conns{$id}{handle};
#close $conns{$id}{fh};
if (defined $err) {
warn "$err\n";
$conns{$id}{cv}->send(undef);
} else {
$conns{$id}{cv}->send(1);
}
};
$w = AnyEvent::Handle->new(
fh => $conns{$id}{fh},
%{$opts}, # TLS or something?
on_error => sub {
my ($handle, $fatal, $message) = @_;
if (!$fatal) {
warn "A non-fatal error occurred reading from the $id connection: $message\n";
} else {
$do_close->("A fatal error occurred reading from the $id connection: $message");
}
},
rtimeout => 10,
on_rtimeout => sub {
$do_close->("Reading from the $id connection timed out");
},
);
$w->push_read(line => sub {
my ($handle, $line) = @_;
$w->rtimeout(0);
if ($line ne $greeting) {
$do_close->("The $id connection sent us a line that was not the greeting: expected '$greeting', got '$line'");
} else {
$do_close->(undef);
}
});
$conns{$id}{handle} = $w;
}
sub client_connect($ $ $)
{
my ($address, $port, $cv) = @_;
return tcp_connect $address, $port, sub {
my ($fh) = @_;
if (!defined $fh) {
die "Could not connect to the cleartext listening socket on $address:$port: $!\n";
}
my $id = register_client_connection $fh;
say "Connected to $address:$port, local $id";
$cv->send($id);
adopt_client_connection($id, {});
};
}
MAIN:
{
my $stunnel = $ENV{TEST_STUNNEL} // 'stunnel4';
my $test_done = AnyEvent->condvar;
my ($certsdir, $certfile, $keyfile);
for my $name (qw(certs debian/tests/certs)) {
my $dir = path($name);
if (-d $dir) {
$certfile = $dir->child('certificate.pem');
$keyfile = $dir->child('key.pem');
if (-f $certfile && -f $keyfile) {
$certsdir = path($dir);
last;
}
}
}
die "Could not locate the test certificates directory\n" unless defined $certsdir;
say "Found the certificate at $certfile and the private key at $keyfile";
my $tempdir = Path::Tiny->tempdir;
say "Using the $tempdir temporary directory";
register_child_reaper;
{
say 'About to get the stunnel version information';
pipe my $s_in, my $s_out or die "Could not create an fd pair: $!\n";
close_on_exec $s_in, 0;
close_on_exec $s_out, 0;
my $pid = fork;
if (!defined $pid) {
die "Could not fork for stunnel: $!\n";
} elsif ($pid == 0) {
open STDERR, '>&', $s_out or
die "Could not reopen stderr in the child process: $!\n";
close STDIN or
die "Could not close stdin in the child process: $!\n";
close STDOUT or
die "Could not close stdout in the child process: $!\n";
close $s_in or
die "Could not close the reader fd in the child process: $!\n";
exec $stunnel, '-version';
die "Could not execute '$stunnel': $!\n";
}
register_child $pid, "$stunnel -version";
close $s_out or
die "Could not close the writer fd in the parent process: $!\n";
my ($got_version, $before_version) = (undef, '');
my $eof = AnyEvent->condvar;
my $f_out = AnyEvent->io(
fh => $s_in,
poll => 'r',
cb => sub {
my $line = <$s_in>;
if (!defined $line) {
$eof->send($got_version);
} elsif (!$got_version) {
if ($line =~ m{^
stunnel \s+
(?<version> \d+ \. \S+)
\s+ on \s+
}x) {
$got_version = $+{version};
} else {
$before_version .= $line;
}
}
});
$eof->recv;
if ($before_version ne '') {
warn "stunnel produced output before the version number:\n$before_version\n";
}
if (!defined $got_version) {
die "Could not get the stunnel version number\n";
}
say "Got stunnel version $got_version";
my $status = wait_for_child $pid;
if ($status != 0) {
die "stunnel -version did not exit successfully, status $status\n";
}
}
my ($lis_listener, $lis_main) = anyevent_socketpair 'listener';
my $listen_address = '127.0.0.1';
my %listen_clear_conns;
my ($listen_clear_port, $listen_clear) = find_listening_port $listen_address, 6502, 200, 100, sub {
my ($fh, $host, $port) = @_;
my $id = "$host:$port";
say "Accepted a connection from $id";
$lis_listener->push_write("accept $id\n");
my $w;
my $do_close = sub {
$w->destroy;
delete $listen_clear_conns{$id};
};
$w = AnyEvent::Handle->new(
fh => $fh,
on_error => sub {
my ($handle, $fatal, $message) = @_;
warn "A ".($fatal ? 'fatal' : 'non-fatal').
"error occurred writing to the $id connection: $message\n";
$do_close->();
},
timeout => 10,
on_timeout => sub {
my ($handle) = @_;
warn "Writing to the $id connection timed out\n";
$do_close->();
},
on_read => sub {
my ($handle) = @_;
warn "The $id connection sent data to the server?!\n";
$do_close->();
},
on_eof => sub {
my ($handle) = @_;
say "Got an eof from $id, all seems well";
$do_close->();
$lis_listener->push_write("close $id\n");
},
);
$w->push_write("$greeting\n");
$w->push_shutdown;
$listen_clear_conns{$id} = $w;
};
say "Listening for cleartext connections on $listen_address:$listen_clear_port";
{
my $listener_test_id_cv = AnyEvent->condvar;
my $check_listen_clear = client_connect $listen_address, $listen_clear_port, $listener_test_id_cv;
my $id = $listener_test_id_cv->recv;
if (!defined $id) {
die "Could not connect to the cleartext server\n";
}
say "Got a local connection id $id";
my $listener_test_done = AnyEvent->condvar;
await_client_connection $lis_main, $listener_test_done;
say 'Waiting for the server to acknowledge a completed client connection';
my $sid = $listener_test_done->recv;
if (!defined $sid) {
die "The listener did not acknowledge the connection\n";
} elsif ($sid ne $id) {
die "The listener did not acknowledge the same connection: expected '$id', got '$sid'\n";
}
say 'Waiting for the client connection itself to report completion';
my $res = $conns{$id}{cv}->recv;
if (!defined $res) {
die "The client connection did not complete the chat with the cleartext server\n";
}
say 'Looks like we are done with the test cleartext connection!';
}
my $st_server_port;
{
my $dummy;
($st_server_port, $dummy) = find_listening_port $listen_address, 8086, 200, 100, sub {
my ($fh) = @_;
say "Eh, we really didn't expect a connection here, did we now...";
$fh->close;
};
say "Got listening port $st_server_port for the stunnel server";
undef $dummy;
say 'Let us hope this was enough to get stunnel to listen there...';
}
my ($st_pid, $st_logfile);
{
my $st_config = $tempdir->child('stunnel.conf');
$st_logfile = $tempdir->child('stunnel.log');
my $st_pidfile = $tempdir->child('stunnel.pid');
$st_config->spew_utf8(<<"EOCONF") or die "Could not create the $st_config stunnel config file: $!\n";
pid = $st_pidfile
foreground = yes
output = $st_logfile
cert = $certfile
key = $keyfile
[test]
accept = $listen_address:$st_server_port
connect = $listen_address:$listen_clear_port
EOCONF
say "Created the stunnel config file $st_config:\n======\n".$st_config->slurp_utf8.'======';
$st_pid = fork;
if (!defined $st_pid) {
die "Could not fork for the stunnel server: $!\n";
} elsif ($st_pid == 0) {
my @cmd = ($stunnel, $st_config);
exec { $cmd[0] } @cmd;
die "Could not execute '@cmd': $!\n";
}
say "Started the stunnel server, pid $st_pid";
register_child $st_pid, "stunnel server ($listen_address:$st_server_port)";
}
{
for my $iter (1..10) {
say "Trying a connection through stunnel, iteration $iter";
my $st_conn_cv = AnyEvent->condvar;
my $st_conn;
{
my $st_conn_attempts = 10;
my $st_conn_timer;
$st_conn_timer = AnyEvent->timer(after => 0.1, interval => 1, cb => sub {
say "Trying to connect to the stunnel server at $listen_address:$st_server_port";
$st_conn = tcp_connect $listen_address, $st_server_port, sub {
my ($fh) = @_;
if (!defined $fh) {
# FIXME: Eh, well, reschedule, right?
say "Could not connect to $listen_address:$st_server_port: $!";
if ($children{$st_pid}{cv}->ready) {
say 'Err, the stunnel process seems to have terminated';
undef $st_conn_timer;
$st_conn_cv->send(undef);
return;
}
$st_conn_attempts--;
if ($st_conn_attempts == 0) {
say 'Time after time...';
undef $st_conn_timer;
$st_conn_cv->send(undef);
return;
}
say 'Will retry in a little while';
return;
}
say '...connected!';
$st_conn_timer = undef;
$st_conn_cv->send($fh);
};
});
}
my $st_conn_fh = $st_conn_cv->recv;
if (!defined $st_conn_fh) {
my $log_text = (-f $st_logfile)
? "$st_logfile contents:\n".$st_logfile->slurp_utf8
: "(no log information)";
$log_text .= "\n" unless $log_text =~ /\n\Z/ms;
die "Could not connect to the stunnel service:\n$log_text";
}
my $id = register_client_connection $st_conn_fh;
say "Registered a client connection as $id";
adopt_client_connection $id, { tls => 'connect', };
say 'Waiting for the cleartext listener to receive this connection';
my $stunnel_test_done = AnyEvent->condvar;
await_client_connection $lis_main, $stunnel_test_done, 1;
my $sid = $stunnel_test_done->recv;
if (!defined $sid) {
die "The listener did not acknowledge the connection\n";
} elsif ($sid eq $id) {
die "The listener reported the same connection ID '$id'?!\n";
}
say "The server reported a completed connection: $sid";
my $res = $conns{$id}{cv}->recv;
if (!defined $res) {
die "The connection to stunnel did not report a successful chat\n";
}
say "The stunnel connection seems to have gone through for iteration $iter";
}
}
{
say "Trying to stop stunnel at pid $st_pid";
kill 'TERM', $st_pid or
die "Could not send a terminate signal to the stunnel at pid $st_pid: $!\n";
my $status = wait_for_child $st_pid;
if ($status != 0) {
die "The stunnel process terminated with exit status $status\n";
} else {
say 'The stunnel process terminated successfully';
}
}
{
say 'Checking for leftover children';
if (%children) {
# Our 'die' handler will kill and reap them.
die "Child processes left over:\n".
dump_children;
} else {
say 'No child processes left over';
}
unregister_child_reaper;
};
{
say 'Making sure the AnyEvent loop is still sane';
if ($test_done->ready) {
die "The AnyEvent loop raised the flag prematurely\n";
}
$test_done->send(42);
my $res = $test_done->recv;
if ($res != 42) {
die "The AnyEvent loop does not seem to be quite alive and sane, got a result of '$res' instead of 42\n";
}
say 'Fine!';
};
}

15
debian/tests/upstream vendored Executable file
View File

@ -0,0 +1,15 @@
#!/bin/sh
set -e
ln -s /usr/bin/stunnel4 src/stunnel
cd tests
if ! ./make_test; then
printf '\n\n=== Some tests failed; here are all the logs...\n\n' 1>&2
for fname in logs/*.log; do
printf -- '\n\n=== %s\n\n' "$fname" 1>&2
cat -- "$fname" 1>&2
done
false
fi

5
debian/upstream/metadata vendored Normal file
View File

@ -0,0 +1,5 @@
Name: stunnel
Bug-Submit: https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
Contact: https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
FAQ: https://www.stunnel.org/faq.html
Security-Contact: Michal Trojnara <Michal.Trojnara@stunnel.org>

111
debian/upstream/signing-key.asc vendored Normal file
View File

@ -0,0 +1,111 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
mQINBFTU6YwBEAC6PP7E4J6cRZQsJlFE+o3zdQYo7Mg2sVxDR6K9Cha52wn7P0t0
hHUd0CSmWyfjmYUy3/7jYjgKe4oiGzeSCVK8b3TiX3ylHi/nW3mixwpDPwFmr5Cf
ce55Ro3TdIeslRGigK8Hl+/l4n9c9z/AiTvcdAEQ34BJhERce4/KFx+/omiaxe7S
fzzU/+52zy+v4FfnclgRQrzrD8sxNag6CQOaQ8lTMczNkBkDlhQTOPYkfNf76PUY
kbWpcH7n9N50nddjEaLf7DPjOETc4OH/g5a99FSEJL7jyEgn+C8RX7RpbbAxCNlX
1231NZoresLmxSulB6fRWLmhJ8pES3sRxE1IfwUfPpUZuTPzwXEFJY6StY5OCVy8
rNFpkYlEePuVn74XkGbvv7dkkisq4Hp59zfIUaNVRod0Xk2rM8Rx8d5IK801Ywsn
RyzCE02zt3N2O4IdXI1qQ1gMJNyaE/k2Qk8buh8BsKJzZca34WGocHOxz2O5s7FN
Q1pLNpLmuHZIdyvYqcsenLz5EV8X2LztRmJ3Se4ag/XyXPYwS6lXX1YUGVxZpk0E
sQDRdJvYCsGcUy253w+W7Nm/BtjKi6/PJmjEEU7ieHppR9Yp+LI3lyzNBeZAIVqk
4Hco05l4GUKtEDFfOQ58sULDqJWmpH4T72DHeCpfRB0guaPa5TYY7B0umQARAQAB
tC5NaWNoYcWCIFRyb2puYXJhIDxNaWNoYWwuVHJvam5hcmFAc3R1bm5lbC5vcmc+
iQI4BBMBAgAiBQJU1Q1lAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCx
BIky3Tqqo71TEACWO31ZIOrknCsgmE90Q0yBPYD8CA8aM9OLO9qVYRR+SKQ6VAFn
/qWCoG/z3aMOUJJFDMmBDTSiGZ43jReQVc1PvoNUKFXkD13vrDNGg+IMr+jefjy/
RkFC5rdIAOzl6nMRFH5D/KDtvuXUGfjaN9NorCyv5acOa6GinTFANHYW79DSvt0d
aTG0RFimVTKtAh8oxxBGGUvZ/60SJT5I3pwKKX5t6t+LaUgUz/55p5j36dyhZTmk
X6jVyczkfjBwy9i2jD8kZ1w+EQOPGy1hHCHaaN5ku3Bh4hiZrlh8ncpipOMeOJ5Y
71Cze/JROyu3jkR/59LuPJLbUkwNPZXuMM+D4EY19NWKqWFgcsjaF5juS36xgblQ
odAOXBZcnzH14bxlRElWNLhMib+piIL0BaK2cpplwJ+bzQRkyWzqrl5xu/AeE/fQ
BdeRxL1jg4e9Ozei4Pkz0acoxIg2mdR6b36UpOWKvBQYZ8m4TbsWBRrDjcxKeul7
ObsodFoGTteRxqN9glhNd+n5bJAesGzUN86e3NmCoxCUQMaKlrMEVUMwaaSOVWYN
CfwXSe42dK2ZrV4psIYIwfktTkF60N3KeBbTs7/HhS/R229+lQCL90bcKRiv2Szc
vqR6v78xnbnANm0SX/b6M7xNBf8lWXwS9TlR9AzA4XC7FqNLYTMGV56TmLQrTWlj
aGHFgiBUcm9qbmFyYSA8TWljaGFsLlRyb2puYXJhQG1pcnQubmV0PokCOAQTAQIA
IgUCVNTpjAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQsQSJMt06qqOP
9Q/+MNv7sHcx1y4xH4iysPmjL+ABTonZeUIW/j1Mlgve8jxta7ApuDm0WIgMQd/p
WgjG88g/2hSs1DRmuo67pP+v3l+HgmhQaqQe9XoaQHyygfrDwGEKAjA5++6hg88X
F5GNuchUoY2wHCLByuxdaaT9wDSUGHzj+VlQYcaVqry/u8+wRhuxr89avh7nebj2
Dw1qkIuR6+wuaYAU19mazzmdnDLh/3rYHT7vVJt751JHyx4fnJtKI7eDWxpSGfhc
K63SWtHToJKg4jbdIZMORVVvOetpRbPvF8qoR32LZSfF/rPJtNhWgcsLUCpZn6Ey
G6jigx8mhY2WupRNHutSES+qKNffCMi7fbpQfl4wJqzlNxJJK1zGu2ox255l+fXJ
eQJh7fvvcNieuQApKhOL+mOz1fyRnUhx/GjGncOmCgZldTLEF8DeHuuluXgFlDXJ
cX6poh7vyt3uJ14SCyiV1cLnXmCoxXRmQNlb4zTGoAvfOw/DFH3EzQ44dK/Z1HOI
fJeYILxe+JP2E8TNXUvr/wck12yQ8kaqFzHSQBcV+0S49+pIpoK475LVrOs6S9Jj
hMt4WVfX4PY+IE8wGnZyJw1gvPXdk1P98lHR/Fv0WG/kWiemrDXPM1tjnIas6EGm
zxT/iywGF4tdsVHviETVgRGpKHgEtB/hwsCeGUTAmHDbXQS0L01pY2hhxYIgVHJv
am5hcmEgPE1pY2hhbC5Ucm9qbmFyYUBtb2JpLWNvbS5uZXQ+iQI4BBMBAgAiBQJU
1Q03AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCxBIky3TqqoyVkEACt
MHa7x5PQ0ZNJ8TrvVd/VrT5USuHwwFwnnsYUNzSc95gSwSEaPC3xwgs9cX3VRmOw
b3IiCQQ7R0EamH/ydmZnlesbCsnamLl6dEmzS284lnnMd5X0wep2qq3SlS1z+5wW
4ZnoodX98E7RyecjMYPLH+uAqGqg3nHG8eOpoSDMvIOJtOIvDc9Y6tbNsBbeKbOC
yB7A08TMzVqayQvXzm6QShHTicra69oqIzhmu2zII3ZWVwkfEGweuN0vdocoXiqr
entcyF3KLUX/LooDzdCAxuoJdovg41E69rXEWF//IP5XBT0LUDTzqwmBe7nOfoJF
2RAHn3ySogdL6WNSGaH5B5NK1jGflj/Hr/HBHIYYx820P4aEXSyxbLQW1F0HWlAA
Q9+EmjJssbv7cIq2DV2Ls3AOeY0GAWhTdvUVdVpOG+TuWRUi61XwjWPfvrJDH8ME
oLRb2MhNRffle8hSdF8TP4CO1TCxtSFs0NXT1I/HazvacHzvbXspFDJvbYJsy+pR
vOsf2QCcY5xb633duU60+IHJ9GMOV/ZqQR744wAxu+e/ZHpa2+mpI9VpTMuBTMFC
OQKbiLacsDJtFqsenZAyhcTU4DPFa0bkMO67Gwl0skuk2x8/0R3EgJ9JvNlsEz6v
BaHpWhEddU1m6FMKKZkfo0xnyFr/WPT6zti9iKTnIbkCDQRU1OvDARAA8gIC641d
K6ap9W1K3EkqRn0z6zizdVGr/jvf8xFXeUq+auxixZ0tEY6NM5CBSya5BCK9IGVW
mJNbazyWUa4llA6EvmUxcTeGE7ppQA4Kl1bzvUq5upo+8+0VuqvLC/bVz0DUnFSW
JYHAZrPZ+yO0yMq8vaGTo5kwKixQ4Ni+N+1EiALKZex1g6UW9d0HAcYEa/lTWhz3
J0V1yyY4Vov30gtoo67KkSC/SswZzIR00CQGrz3twlGuB73Sm1YfqDqbY8dQLJey
U0ovIeU95VI5cQF6D1H8YdaMWQm6MtVAfIX5WMoH+eq4Ank9hilReGANkIWNSqM2
1Drdu3crbGIYiZPEadKfGxwquwvRDTEgD4gjqMvEdxA2W6s4WR36SwMkeOtESj21
MiR2YDcbIzIbUh9p0P8DZGvQcVh45jCgdOcL5th9R076npXHn8FIe2IfAZnX1Onp
sKn/YqJ0wNFhGYWxV/yZA10NbFKFXhD1FGqrOz6lSqmqDz00tXofF432ae+7PzTP
9n4cij4k0SYG1l/LThnOYL3SNUCG3rCASeWoXmhxCYRGi0Xw3IJrcpVNmNQD+SLL
TjVB94AlDjSlx1q0V+9ymhGHi51wsBSajMwDexaSI/WM1y9lROwl7eeAD41fPArz
TleAqT89akWLevTBLWvj59mku9vZAW26/1UAEQEAAYkCHwQYAQIACQUCVNTrwwIb
DAAKCRCxBIky3Tqqo2NCEACHJ7e0l8NhS4slfzej1AAXOwL1wDexn6thpgexAyqZ
LIaibqhIybhSo1LOL1NY/55ytscbOQL7NliRAXVN6F9lcer+qzxL5JgxzUU6drya
pNZYs06u3wfr8ZtSbvIAON/w89tm9tHxoNUIYZZUZROFBW6fn8RkhboQs0hJFxWf
WghOxhS0TXJ8/MZ4YcfDy+Ew6LIAym3A1XY+++2VMEHqKcyhU95W5sqAsfO5MkRW
a0E9JTS2dWTteNTWPonywJGX/mSVVMZgOZF6o32Vb9LTnB676YQaPiMlu2qg+vRk
RM/zyGjvPx7hilf68CWxZcIHslfp5gJV6RvtlK+muEvIkSmNYyi8hQp1Y5C6uWb9
JWt/9ISJ+Xz+n+5nAHEUzW/LeEDyhjVlS9vOoAAy18r47mQybzJ2q2zOHo9zl3fK
OJ2S4SFBKGHuIhPOxG2CruhxN9U5+RwTDqKECeuCZROMYQLzlmIP2vM/NuFVhQm8
iNhbTvEenh4mWD4IuOHJkqvzKKzAXllosuUK4B0kblh4GaOVmEjaXGw8789rOlQz
D5566SgKPDNUtom5/eIcy6/UYBoFd7lLltIVSSCA1VUMU4MWJgjwa9gk6MxoNe8d
cJ197oQMfhZNjJ80S5C+a2al4wrR2vL/3hXhy2M2kG73RLSzxEiVoJsG+hbzNtfI
a7kCDQRU1O5ZARAA1pGrQ1V3YMXF3DzwvA/uWb912pwqUvMAAKvYCDiELIOP07c3
2+z04N/bOXjiZ2Jb8AuICj4v92tXAygtf18zxwoU8AOXiuScP3wy1ZprBw8k71dN
y0XmEXbiX7tkLoe0OzWlCaNTajSXTELT+nYHTOkBsrC4T+y7AwYueQJYUaRkJR/5
Tc68UnRSO295pgJd7EoWWAky3bdH+TKN0MsagCJwa+RrXFGtIKjU0XAKsddTxQKx
2SUGF0QVdNZ/14Duo73btoXtHgB0oxewnsiJp5XKWYm57RSNLv1LKr26iSUtUM1C
AIZALuGMAyQXVEo7OmzuZmN0yRYM7FSnpG4rIDnDxYhDTaa+xWb738V8uLQDZAVn
AuBEhq1RQEDrRM/XLbibvVBzpd+JI9WneNEp0ehq5sEC6FbKYz0HqVk2SH1Dpb0t
grtxz3c7rPs7vRdmFMxTuYctSzuqNHpKX+C6rgyAW2sxEKD0ys8OYEa3hvrQFSAz
nM/j3X8dge1DriHIQd/Dt4+LMdPcsQk3vty7pYxZIDRa9hl7ngaesQSZ/7PV/cj7
U7qieTr1ulO1Gc5GcyS2Hu4P9109HX1tBEQvGHpbqe9Lc2d0VKgHVjG9vDLrE1h/
qXKbmn0LF1YR4djaM+sYCfYOO+WzZKUACPdMq3Lid/3oQ71p6eNgu6lQcgEAEQEA
AYkEPgQYAQIACQUCVNTuWQIbAgIpCRCxBIky3Tqqo8FdIAQZAQIABgUCVNTuWQAK
CRAu/H/w1BbgFNx6EACR7CKB3Mv2lNaRRraVRwjNrumyODqsnX/oe3lad04iCBb9
JxGyNyTGF0s6teoaocXxIeZ50bF7GuYcnepMGpniMCkE2ymlM6ruFNNTUYC02Fsr
owKQboC7S5DN2l7lb4nlgyDX7nOlOMmhTc3D/QsduMyS9H5kjFFKtzLYOwREV/RH
I/wQUyTyze8qs/BxpT3/HsSJuGZybLSd/fmeM43xghcdfDgKTaGkFkhhW7UWgtOh
QtYxr0VD4HEw4C+nMyksqKAIFMBjJAqtsuWeSgavVrbU8KrzlcJFHSrovZ7Pi0mK
MYHGomPstZcZxwr15t3BhDvogMSRscU1mLUigLEGiWxPVxtQlmHTZfMns4Cy04S7
jK4Gix0PN4Xi/9rOcLFCb5zddcLVrqiuT+dt/O/TPKUKHTvLL1gF4Dlypbu8TQWt
O7xDSPy7wSdPWUN5GBjsxbZfVlWpvvVMmGUuygIl0LkrJLKGxk36AnNpEPqsQ9e9
Rsgu5dP9lGPz3igxE3p+UlhWo5eqJqZwAfEFb+0PQzKSQ6zIFQAf50eSI/pWf+Xp
9XOT47d4y8aWzHA7T/ja9tbyd+eg71ZOqOFtVP8zFWvmPnoosxrBR7qK/RBY5/PX
KhfG10yEYXSjTap4dmsy430l8Mcuqo55iixgT5vxZfTeyFjTjHmjuHD1rTTfpXk4
D/9GI9cIfrWczhrbWN8BoP66ImMXpVhZzDt6S5u9dHSNJdqivDzCkktb/psXILvv
u3qLmb1nJbsNzN9GJm6LoduzCJ4SqaodjhMkNi/Tc95dx0n2cCP2Rh/jvzo7zrqQ
O09c8at/pFEiF8LgUlc5QaB/GNhXBqJog2yOzUPGKq0OMy/wttW42TCe7V+J8fnn
16xfGhnVwmiWRQaqdCiFDY2IiOHhnRwfJVANrddfuU/AJ8vY8XXzrxI7YZL43V53
0Wich1VB00XLFU8aj08FsjdFvR77AAxFU+Cd6sH6yq6jsRXppQ0BOO15aR+wopEv
tKwDdRu3TaweC1XMLLQ4XuN9Ql0bMH0d626uMG2zUfZGO1jNTOS4sUhEqJsImbsL
/hgNDKYvfo0wSHPWmQo9njw7aG8Mey77I3fL1ELj/Tfa86njPpJ/tmFMLV9ntWAC
cW/c3tojdcP278rTw/4zk+Sr2Zv+3bP1yjJd0z4B3gYYz2BUYTU7dyiA41Kgk4Zf
V1n2NUAxQJYzvEIAZcMEWA3rOTb+AjcBVXX89Gk0BEykVmA9G808tbmI+4DUd2c/
+d1xeufb43TGOiwKqwY+Os9iey3FbsnoYuzKPsd5LByJFEudbMB152h95u/NysaM
0AjC+yPtlpSLUIaDUW75VAlQKPWj1Ag5uVpc2ScMEjevQQ==
=muMw
-----END PGP PUBLIC KEY BLOCK-----

8
debian/watch vendored Normal file
View File

@ -0,0 +1,8 @@
version=4
# Latest version is directly at /stunnel
opts=pgpsigurlmangle=s/$/.asc/ \
https://www.stunnel.org/downloads.html downloads/stunnel-([\d.]+)@ARCHIVE_EXT@ debian
opts=pgpsigurlmangle=s/$/.asc/,pasv \
ftp://ftp.stunnel.org/stunnel/archive/5.x/stunnel-([\d.]+)@ARCHIVE_EXT@

35
doc/Makefile.am Normal file
View File

@ -0,0 +1,35 @@
## Process this file with automake to produce Makefile.in
# by Michal Trojnara 2015-2017
EXTRA_DIST = stunnel.pod.in stunnel.8.in stunnel.html.in en
EXTRA_DIST += stunnel.pl.pod.in stunnel.pl.8.in stunnel.pl.html.in pl
man_MANS = stunnel.8 stunnel.pl.8
docdir = $(datadir)/doc/stunnel
doc_DATA = stunnel.html stunnel.pl.html
CLEANFILES = $(man_MANS) $(doc_DATA)
SUFFIXES = .pod.in .8.in .html.in
.pod.in.8.in:
pod2man -u -n stunnel -s 8 -r $(VERSION) \
-c "stunnel TLS Proxy" -d `date +%Y.%m.%d` $< $@
.pod.in.html.in:
pod2html --index --backlink --header \
--title "stunnel TLS Proxy" --infile=$< --outfile=$@
rm -f pod2htmd.tmp pod2htmi.tmp
edit = sed \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g'
$(man_MANS) $(doc_DATA): Makefile
$(edit) '$(srcdir)/$@.in' >$@
stunnel.8: $(srcdir)/stunnel.8.in
stunnel.html: $(srcdir)/stunnel.html.in
stunnel.pl.8: $(srcdir)/stunnel.pl.8.in
stunnel.pl.html: $(srcdir)/stunnel.pl.html.in

577
doc/Makefile.in Normal file
View File

@ -0,0 +1,577 @@
# Makefile.in generated by automake 1.15 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2014 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
@SET_MAKE@
# by Michal Trojnara 2015-2017
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = doc
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/src/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
SOURCES =
DIST_SOURCES =
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
*) f=$$p;; \
esac;
am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
am__install_max = 40
am__nobase_strip_setup = \
srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
am__nobase_strip = \
for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
am__nobase_list = $(am__nobase_strip_setup); \
for p in $$list; do echo "$$p $$p"; done | \
sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
$(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
if (++n[$$2] == $(am__install_max)) \
{ print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
END { for (dir in files) print dir, files[dir] }'
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
man8dir = $(mandir)/man8
am__installdirs = "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(docdir)"
NROFF = nroff
MANS = $(man_MANS)
DATA = $(doc_DATA)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
am__DIST_COMMON = $(srcdir)/Makefile.in
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFAULT_GROUP = @DEFAULT_GROUP@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GREP = @GREP@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LD = @LD@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
LIBTOOL_DEPS = @LIBTOOL_DEPS@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PTHREAD_CC = @PTHREAD_CC@
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
PTHREAD_LIBS = @PTHREAD_LIBS@
RANDOM_FILE = @RANDOM_FILE@
RANLIB = @RANLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SSLDIR = @SSLDIR@
STRIP = @STRIP@
VERSION = @VERSION@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
ax_pthread_config = @ax_pthread_config@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = $(datadir)/doc/stunnel
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
EXTRA_DIST = stunnel.pod.in stunnel.8.in stunnel.html.in en \
stunnel.pl.pod.in stunnel.pl.8.in stunnel.pl.html.in pl
man_MANS = stunnel.8 stunnel.pl.8
doc_DATA = stunnel.html stunnel.pl.html
CLEANFILES = $(man_MANS) $(doc_DATA)
SUFFIXES = .pod.in .8.in .html.in
edit = sed \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g'
all: all-am
.SUFFIXES:
.SUFFIXES: .pod.in .8.in .html.in
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
&& { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --gnu doc/Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(top_srcdir)/configure: $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
install-man8: $(man_MANS)
@$(NORMAL_INSTALL)
@list1=''; \
list2='$(man_MANS)'; \
test -n "$(man8dir)" \
&& test -n "`echo $$list1$$list2`" \
|| exit 0; \
echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
{ for i in $$list1; do echo "$$i"; done; \
if test -n "$$list2"; then \
for i in $$list2; do echo "$$i"; done \
| sed -n '/\.8[a-z]*$$/p'; \
fi; \
} | while read p; do \
if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; echo "$$p"; \
done | \
sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
sed 'N;N;s,\n, ,g' | { \
list=; while read file base inst; do \
if test "$$base" = "$$inst"; then list="$$list $$file"; else \
echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
$(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
fi; \
done; \
for i in $$list; do echo "$$i"; done | $(am__base_list) | \
while read files; do \
test -z "$$files" || { \
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
$(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
done; }
uninstall-man8:
@$(NORMAL_UNINSTALL)
@list=''; test -n "$(man8dir)" || exit 0; \
files=`{ for i in $$list; do echo "$$i"; done; \
l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
sed -n '/\.8[a-z]*$$/p'; \
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
install-docDATA: $(doc_DATA)
@$(NORMAL_INSTALL)
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
done | $(am__base_list) | \
while read files; do \
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \
$(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \
done
uninstall-docDATA:
@$(NORMAL_UNINSTALL)
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir)
tags TAGS:
ctags CTAGS:
cscope cscopelist:
distdir: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
dist_files=`for file in $$list; do echo $$file; done | \
sed -e "s|^$$srcdirstrip/||;t" \
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
case $$dist_files in \
*/*) $(MKDIR_P) `echo "$$dist_files" | \
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
sort -u` ;; \
esac; \
for file in $$dist_files; do \
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
if test -d "$(distdir)/$$file"; then \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
test -f "$(distdir)/$$file" \
|| cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
check-am: all-am
check: check-am
all-am: Makefile $(MANS) $(DATA)
installdirs:
for dir in "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(docdir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-am
install-exec: install-exec-am
install-data: install-data-am
uninstall: uninstall-am
install-am: all-am
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
installcheck: installcheck-am
install-strip:
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am
clean-am: clean-generic clean-libtool mostlyclean-am
distclean: distclean-am
-rm -f Makefile
distclean-am: clean-am distclean-generic
dvi: dvi-am
dvi-am:
html: html-am
html-am:
info: info-am
info-am:
install-data-am: install-docDATA install-man
install-dvi: install-dvi-am
install-dvi-am:
install-exec-am:
install-html: install-html-am
install-html-am:
install-info: install-info-am
install-info-am:
install-man: install-man8
install-pdf: install-pdf-am
install-pdf-am:
install-ps: install-ps-am
install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-am
mostlyclean-am: mostlyclean-generic mostlyclean-libtool
pdf: pdf-am
pdf-am:
ps: ps-am
ps-am:
uninstall-am: uninstall-docDATA uninstall-man
uninstall-man: uninstall-man8
.MAKE: install-am install-strip
.PHONY: all all-am check check-am clean clean-generic clean-libtool \
cscopelist-am ctags-am distclean distclean-generic \
distclean-libtool distdir dvi dvi-am html html-am info info-am \
install install-am install-data install-data-am \
install-docDATA install-dvi install-dvi-am install-exec \
install-exec-am install-html install-html-am install-info \
install-info-am install-man install-man8 install-pdf \
install-pdf-am install-ps install-ps-am install-strip \
installcheck installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-generic \
mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \
uninstall-am uninstall-docDATA uninstall-man uninstall-man8
.PRECIOUS: Makefile
.pod.in.8.in:
pod2man -u -n stunnel -s 8 -r $(VERSION) \
-c "stunnel TLS Proxy" -d `date +%Y.%m.%d` $< $@
.pod.in.html.in:
pod2html --index --backlink --header \
--title "stunnel TLS Proxy" --infile=$< --outfile=$@
rm -f pod2htmd.tmp pod2htmi.tmp
$(man_MANS) $(doc_DATA): Makefile
$(edit) '$(srcdir)/$@.in' >$@
stunnel.8: $(srcdir)/stunnel.8.in
stunnel.html: $(srcdir)/stunnel.html.in
stunnel.pl.8: $(srcdir)/stunnel.pl.8.in
stunnel.pl.html: $(srcdir)/stunnel.pl.html.in
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:

190
doc/en/VNC_StunnelHOWTO.html Normal file
View File

@ -0,0 +1,190 @@
<!-- saved from url=(0022)http://internet.e-mail -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=iso-8859-1">
<TITLE></TITLE>
<META NAME="GENERATOR" CONTENT="StarOffice/5.2 (Win32)">
<META NAME="CREATED" CONTENT="20010220;7501784">
<META NAME="CHANGED" CONTENT="16010101;0">
<STYLE>
<!--
@page { margin: 2cm }
-->
</STYLE>
</HEAD>
<BODY>
<P ALIGN=CENTER STYLE="margin-bottom: 0cm"><FONT SIZE=4 STYLE="font-size: 16pt"><U><B>VNC
over STUNNEL with a Linux server and Windows 2000 client HOWTO</B></U></FONT></P>
<P ALIGN=CENTER STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">19 February 2001</P>
<P STYLE="margin-bottom: 0cm">ver 1.0</P>
<P STYLE="margin-bottom: 0cm">by Craig Furter and Arno van der Walt</P>
<P STYLE="margin-bottom: 0cm">contact us at <A HREF="mailto:cfurter@vexen.co.za">cfurter@vexen.co.za</A>
and <A HREF="mailto:arnovdw@mycomax.com">arnovdw@mycomax.com</A></P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">We assume that you have already
downloaded VNCServer and VNCViewer.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">First of all there is a step by step
HOWTO and then we'll look at the theory behind all this.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">Download and install OpenSSL,
SSLeay, and Stunnel on the Linux/Unix box. Download the modules.</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">a)
[root@anthrax$]gunzip openssl-x.xx.tar.gz (repeat for all 3 the
modules)</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">b)
[root@anthrax$]tar &#150; xvf openssl-x.xx.tar (repeat for all 3 the
modules)</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">Copy the following to Notepad and
save the file as VNCRegEdit.REG on the Windows 2000 box</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">--cut here and copy
to VNCRegEdit.REG then double click the file to
import--<BR>REGEDIT4<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3]<BR>AllowLoopback=dword:00000001<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\Default]<BR>AllowLoopback=dword:00000001<BR>--stop
here--<BR><BR>
</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">Install Stunnel on the Windows
2000 machine by copying the following files to your \WINNT\SYSTEM32\
directory</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">a)libeay32.dll</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">b)libssl.dll</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">c)stunnel.pem</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">On the Linux box execute the
following command as root and let it run in its own terminal.</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">./stunnel -d 5900
-r 5901</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">Execute vncserver (it should run
as display:1 when you execute the ps aux |grep vnc command)</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">Now on the Windows 2000 machine
execute the following command and let it run in its own terminal.</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">stunnel -d 5900 -r
unix.ip.address:5900 -c</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">.</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">And on the Windows 2000 machine
open VNCviewer and connect to localhost specifying no display</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">ie. 10.10.1.53 in
the window</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">For each additional display repeat
steps 4 &#150; 6 and increment the specified ports with 2 ie. The
Linux command will look as follows:</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"> ./stunnel -d 5902
-r 5903
</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">and the Windows
2000 command as follows:
</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">stunnel -d 5902 -r
unix.ip.address:5902</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">and remember to
start another vncserver on the Linux box for each VNC display</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">The display number on the
vncviewer must also be incremented with two ie:</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">10.10.1.53:2 etc.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><FONT SIZE=4><U>The THEORY</U></FONT></P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><U>Tunneling:</U></P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">What this means is that software
(daemon) runs on the client and server machine. In this case, the
Windows 2000 machine is the client and the server is the *NIX
machine. Stunnel will then run as client on Windows 2000 and server
mode on the UNIX box.<BR><BR>eg:<BR>Windows:<BR>stunnel -d 5900 -r
unix.ip.address:5900 -c<BR><BR>UNIX<BR>stunnel -d 5900 -r 5901<BR><BR>This
means that connecting to VNC display 0 in the localhost will transfer
all the calls to the *NIX machine on display 1. So the VNC server on
the *NIX machine must be running on display 1. Not display 0. If you
run stunnel before VNC, VNC will automatically move to display 1
noticing that port 5900 (&quot;display&quot; 0) is already in
use).<BR><BR>What happens now is that when you connect to port 5900
on the Windows machine via an &quot;unsecured&quot; connection, a
secure &quot;tunnel&quot; is opened from Windows 2000 to the *NIX
machine on port 5900. The *NIX machine then opens a &quot;unsecured&quot;
connection to itself on port 5901. We now have a secure tunnel
available.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><U>A bit about VNC and displays</U></P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">The -d is the listening IPaddress:port
and the -r is the remote IPaddress:port. VNC uses port 5900 for
display 0. That means that display 1 will be 5901. If you want VNC
server to listen for a connection on port 80 then the display number
will be 80 - 5900 = -5820. If you want VNC server to<BR>listen on
port 14000 then the display number is 14000 - 5900 = 8100.<BR><BR>So
all you have to do is run stunnel on the UNIX machine and VNC on the
desired &quot;display&quot; number.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><U>VNC on the Windows 2000 machine</U></P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">To connect from the client machine you
need to enter the client machine's IP address and the &quot;display&quot;
(from the port conversion). But VNC will think that you are trying to
connect to the local machine and does not allow this. To override
this add the following to your registry.<BR><BR>--cut here and copy to
anything.reg. then double click the file to
import--<BR>REGEDIT4<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3]<BR>AllowLoopback=dword:00000001<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\Default]<BR>AllowLoopback=dword:00000001<BR>--stop
here--<BR><BR>Now VNC will not complain. So you need to always run
stunnel in client mode on the Windows machine and then connect with
VNCViewer to the localhost on the correct &quot;display&quot;. By the
way, *NIX doesn't complain about this. There is no setting needed if
*NIX to *NIX.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><U>VNC's Java client</U></P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">Unfortunately this will not work well
with the built-in web version. If you did not known about it, try
http'ing into a machine running VNC server on it, to port 58XX (where
XX is the display number), and the Java client will be loaded.<BR><BR>
</P>
</BODY>
</HTML>

143
doc/pl/faq.stunnel-2.html Normal file
View File

@ -0,0 +1,143 @@
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-2">
<TITLE>Gdy pojawiają się kłopoty</TITLE>
</HEAD>
<BODY TEXT="#000000" BGCOLOR="#FFFFFF" LINK="#0000EF" VLINK="#51188E" ALINK="#FF0000">
<B>Q: </B>Próbuje kompilować stunnel jednak dostaje
następujące komunikaty:
<BR>stunnel.c:69: ssl.h: No such file or directory
<BR>stunnel.c:71: bio.h: No such file or directory
<BR>stunnel.c:72: pem.h: No such file or directory
<BR>make: *** [stunnel.o] Error 1
<P><B>A:</B> Są dwie prawdopodobne przyczyny: nie masz zainstalowanego
w systemie pakietu SSLeay lub pakiet nie znajduje sie w miejscu domyślnym
czyli<B> /usr/local/ssl. </B>Należy zainstalować SSLeay lub też poprawić
Makefile tak by ścieżka była prawidłowa.
<BR>
<HR WIDTH="100%">
<BR><B>Q:</B>&nbsp; Próbuje uruchomić stunnel jako wrapper dla httpd. Po
wydaniu komendy: <B>stunnel 443 @localhost:80</B> demon się nie uruchamia
a w syslogu pojawia się komunikat "<B>stunnel[2481]: getpeername: Socket
operation on non-socket (88)"</B><B></B>
<P><B>A</B>: Jest to błąd charakterystyczny dla Linuxa. Należy w pliku
stunnel.c zmienić linię<B> #define INET_SOCKET_PAIR 1</B> na
<BR><B>#define INET_SOCKET_PAIR 0</B> i zrekompilować program ponownie.
<BR>
<HR WIDTH="100%">
<BR><B>Q:</B> Stunnel nadal się nie uruchamia a w syslogu pojawia się komunikat
"<B>stunnel[2525]: /usr/local/ssl/certs/localhost:80.pem: No such file
or directory (2)</B>"<B></B>
<P><B>A:</B> Nie posiadasz odpowiedniego certyfikatu dla demona. Stunnel
w celu poprawnego działania <B>MUSI</B> posiadać certyfikat. W celu wygenerowania
odpowiedniego certyfikatu należy wydać komende: <B>/usr/local/ssl/bin/ssleay
req -new -x509 -nodes -out server.pem -days 365 -keyout server.pem</B>&nbsp;
bądź też użyć <B>Makefile</B> dołączonego do programu stunnel i przy pomocy
komendy <B>make cert </B>stworzyć certyfikat. Tak utworzony certyfikat (server.pem)
należy umieścić w katalogu <B>/usr/local/ssl/certs</B> i utworzyć doń odpowiednie
linki lub zmieć nazwę certyfikatu na wymaganą przez stunnel.
<BR>
<HR WIDTH="100%">
<BR><B>Q:</B> Wygenerowałem odpowiedni certyfikat przy pomocy skryptu CA.sh,
a stunnel <B>przy starcie prosi o podanie hasła</B>. Jak można przekazać
hasło zabezpieczające certyfikat do programu ?<B></B>
<P><B>A:</B> W chwili obecnej jest to niemożliwe. Certyfikaty którymi posługuje
sie stunnel nie mogą być zabezpieczane hasłem. Przy tworzeniu certyfikatu
należy użyć opcji -nodes (lub utworzyć certyfikat przy pomocy makefile
odstarczonego z programem).
<BR>
<HR WIDTH="100%">
<BR><B>Q:</B> Po uruchomieniu programu stunnel w syslogu pojawia się komunikat:
"<B>stunnel[2805]: WARNING: Wrong permissions on /usr/local/ssl/certs/localhost:80.pem</B>".
Co jest nie tak ?<B></B>
<P><B>A:</B> To tylko ostrzeżenie ! Certyfikat nie powien dać się odczytać
przez innych użytkowników systemu. Prawidłowe prawa dostępu powinny być
następujące: <B>-rw------&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp; root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
1370 Nov 8 1997&nbsp; server.pem </B>(jeśli uruchamiającym stunnel jest
root).
<BR>
<HR WIDTH="100%">
<BR><B>Q:</B> Probowałem zrobić tunelowanie połączenia do demona <B>pop3</B>.
Pomimo zrobienia prawidłowego wpisu do inetd.conf
<BR>"spop3&nbsp; stream&nbsp; tcp&nbsp; nowait&nbsp; root&nbsp; /usr/sbin/stunnel&nbsp;
qpopper -s" stunnel nie działa a w syslogu pojawia się komunikat:
<BR><B>inetd[2949]: spop3/tcp: unknown service.</B><B></B>
<P><B>A: </B>Nie zrobiłeś dodatkowych wpisów do pliku <B>/etc/services.</B>
Zgodnie z rfc???? prawidłowymi portami na których działają demony posługujące
się SSL są:
<TABLE>
<TR>
<TD>https</TD>
<TD>443/tcp</TD>
<TD># HTTP over SSL&nbsp;</TD>
</TR>
<TR>
<TD>ssmtp</TD>
<TD>465/tcp</TD>
<TD># SMTP over SSL&nbsp;</TD>
</TR>
<TR>
<TD>snews</TD>
<TD>563/tcp</TD>
<TD># NNTP over SSL&nbsp;</TD>
</TR>
<TR>
<TD>ssl-ldap</TD>
<TD>636/tcp</TD>
<TD># LDAP over SSL&nbsp;</TD>
</TR>
<TR>
<TD>simap</TD>
<TD>993/tcp</TD>
<TD># IMAP over SSL&nbsp;</TD>
</TR>
<TR>
<TD>spop3</TD>
<TD>995/tcp</TD>
<TD># POP-3 over SSL&nbsp;</TD>
</TR>
</TABLE>
Jeśli nie chesz robić poprawek zamiast nazwy serwisu użyj numeru portu
na którym on działa.
<BR>
<HR WIDTH="100%">
<BR><B>Q:</B> Dobrze, zrobiłem wymagany wpis lecz w dalszym ciagu stunnel
nie działa, natomiast w syslogu pojawia sie wpis:
<BR>&nbsp;<B>stunnel[3015]: execvp: No such file or directory (2). </B>Co
jeszcze jest nie tak ?<B></B>
<P><B>A:</B>&nbsp; Prawdopodone są dwie przyczyny: pierwsza w twoim systemie
nie ma demona dla ktorego zrobiłeś wpis w inetd.conf,
<BR>(spop3&nbsp; stream&nbsp; tcp&nbsp; nowait&nbsp; root&nbsp; /usr/sbin/stunnel&nbsp;
qpopper -s) lub też dany program jest w systemie, jednak ścieżka dostępu
do niego nie jest wymieniona w zmiennej systemowej <B>$PATH</B>. Należy
więc poprawić zapis w inetd.conf uzupełniając o pełna ścieżke dostępu do
demona np.&nbsp; <B>spop3&nbsp; stream&nbsp; tcp&nbsp; nowait&nbsp; root&nbsp;
/usr/sbin/stunnel&nbsp; /usr/sbin/qpopper -s</B>
<BR>&nbsp;
<BR>&nbsp;
</BODY>
</HTML>

744
doc/pl/tworzenie_certyfikatow.html Normal file
View File

@ -0,0 +1,744 @@
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-2">
<META NAME="Author" CONTENT="Adam Hernik">
<TITLE>Wszystko co powiniene¶ wiedzieæ o tworzeniu certyfikatów ale nie chce Ci siê poszukaæ w dokumentacji</TITLE>
</HEAD>
<BODY TEXT="#000000" BGCOLOR="#CCCCCC" LINK="#0000EF" VLINK="#51188E" ALINK="#FF0000">
<CENTER>
<H1>
<FONT SIZE=+2>Wszystko co powiniene¶ wiedzieæ o tworzeniu certyfikatów
ale nie chce Ci siê</FONT></H1></CENTER>
<CENTER>
<H1>
<FONT SIZE=+2>poszukaæ w dokumentacji.</FONT></H1></CENTER>
&nbsp;
<P><B><FONT SIZE=+1>Co powinno znajdowaæ siê na Twoim dysku zamin zostaniesz
"Certificate Authorities".</FONT></B>
<P>Podstawowym oprogramowaniem jest oczywi¶cie <A HREF="http://www.openssl.org">openssl</A>.
W tym miejscu nale¿y zachowaæ czujno¶æ
<BR>bo openssl <B>MUSI</B> byæ co najmniej w wersji 0.9.2b dziêki czemu
ominie Ciê czê¶æ karko³omnych
<BR>operacji przy pomocy <A HREF="http://www.drh-consultancy.demon.co.uk">pcks12</A>
ktory tak¿e musisz posiadaæ w swoich zasobach dyskowych.
<BR>Je¶li masz ju¿ zainstalowane powy¿sze oprogramowanie mo¿esz zacz±æ
tworzyæ certyfikaty.
<P><B><FONT SIZE=+1>Konfiguracja openssl.</FONT></B>
<P>Zak³adam ze openssl jest zainstalowany standardowo czyli w <B>/usr/local/ssl</B>.
Pierwszym krokiem jest
<BR>przejrzenie i "dokonfigurowanie" <B>/usr/local/ssl/lib/openssl.cnf</B>.
Mój domowy konfig wygl±da nastêpuj±co
<BR>(kolorem czerwonym zaznaczylem opcje które raczej powiniene¶ zmieniæ)
:
<BR><FONT SIZE=-2><A HREF="#koniec openssl.cnf">je¶li nie chce Ci siê tego
czytaæ to skocz na koniec konfiga</A></FONT>
<P><I>#</I>
<BR><I># OpenSSL example configuration file.</I>
<BR><I># This is mostly being used for generation of certificate requests.</I>
<BR><I>#</I>
<BR><I>&nbsp;</I>
<BR><I>RANDFILE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= $ENV::HOME/.rnd</I>
<BR><I>oid_file&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= $ENV::HOME/.oid</I>
<BR><I>oid_section&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= new_oids</I>
<BR><I>&nbsp;</I>
<BR><I>[ new_oids ]</I>
<BR><I>&nbsp;</I>
<BR><I># We can add new OIDs in here for use by 'ca' and 'req'.</I>
<BR><I># Add a simple OID like this:</I>
<BR><I># testoid1=1.2.3.4</I>
<BR><I># Or use config file substitution like this:</I>
<BR><I># testoid2=${testoid1}.5.6</I>
<BR><I>&nbsp;</I>
<BR><I>####################################################################</I>
<BR><I>[ ca ]</I>
<BR><I>default_ca&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = CA_default&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# The default ca section</I>
<BR><I>&nbsp;</I>
<BR><I>####################################################################</I>
<BR><I>[ CA_default ]</I>
<BR><I>&nbsp;</I>
<BR><I>dir&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= ./demoCA&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# Where everything is kept</I>
<BR><I>certs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= $dir/certs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# Where the issued certs are kept</I>
<BR><I>crl_dir&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = $dir/crl&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# Where the issued crl are kept</I>
<BR><I>database&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = $dir/index.txt&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# database index file.</I>
<BR><I>new_certs_dir&nbsp;&nbsp; = $dir/newcerts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# default place for new certs.</I>
<BR><I>&nbsp;</I>
<BR><I>certificate&nbsp;&nbsp;&nbsp;&nbsp; = $dir/cacert.pem&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# The CA certificate</I>
<BR><I>serial&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = $dir/serial&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# The current serial number</I>
<BR><I>crl&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= $dir/crl.pem&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; #
The current CRL</I>
<BR><I>private_key&nbsp;&nbsp;&nbsp;&nbsp; = $dir/private/cakey.pem# The
private key</I>
<BR><I>RANDFILE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = $dir/private/.rand&nbsp;&nbsp;&nbsp;
# private random number file</I>
<BR><I>&nbsp;</I>
<BR><I>x509_extensions = usr_cert&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# The extensions to add to the cert</I>
<BR><I>crl_extensions&nbsp; = crl_ext&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# Extensions to add to CRL</I>
<BR><I>default_days&nbsp;&nbsp;&nbsp; = 365&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# how long to certify for</I>
<BR><I>default_crl_days= 30&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# how long before next CRL</I>
<BR><I>default_md&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = md5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# which md to use.</I>
<BR><I>preserve&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = no&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# keep passed DN ordering</I>
<BR><I>&nbsp;</I>
<BR><I># A few difference way of specifying how similar the request should
look</I>
<BR><I># For type CA, the listed attributes must be the same, and the optional</I>
<BR><I># and supplied fields are just that :-)</I>
<BR><I>policy&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = policy_match</I>
<BR><I># For the CA policy</I>
<BR><I>[ policy_match ]</I>
<BR><I>countryName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= match</I>
<BR><I>stateOrProvinceName&nbsp;&nbsp;&nbsp;&nbsp; = match</I>
<BR><I>organizationName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = match</I>
<BR><I>organizationalUnitName&nbsp; = optional</I>
<BR><I>commonName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= supplied</I>
<BR><I>emailAddress&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= optional</I>
<BR><I>&nbsp;</I>
<BR><I># For the 'anything' policy</I>
<BR><I># At this point in time, you must list all acceptable 'object'</I>
<BR><I># types.</I>
<BR><I>[ policy_anything ]</I>
<BR><I>countryName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= optional</I>
<BR><I>stateOrProvinceName&nbsp;&nbsp;&nbsp;&nbsp; = optional</I>
<BR><I>localityName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= optional</I>
<BR><I>organizationName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = optional</I>
<BR><I>organizationalUnitName&nbsp; = optional</I>
<BR><I>commonName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= supplied</I>
<BR><I>emailAddress&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= optional</I>
<BR><I>&nbsp;</I>
<BR><I>####################################################################</I>
<BR><A NAME="req"></A><I>[ req ]</I>
<BR><I>default_bits&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= <FONT COLOR="#FF0000">1024</FONT></I>
<BR><I>default_keyfile&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= privkey.pem</I>
<BR><I>distinguished_name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = req_distinguished_name</I>
<BR><I>attributes&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= req_attributes</I>
<BR><I>x509_extensions = v3_ca # The extensions to add to the self signed
cert</I>
<BR><I>&nbsp;</I>
<BR><I>[ req_distinguished_name ]</I>
<BR><I>countryName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= Country Name (2 letter code)</I>
<BR><I>countryName_default&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= <FONT COLOR="#FF0000">PL</FONT></I>
<BR><I>countryName_min&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= 2</I>
<BR><I>countryName_max&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= 2</I>
<BR><I>&nbsp;</I>
<BR><I>stateOrProvinceName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= State i Prowincja</I>
<BR><I>stateOrProvinceName_default&nbsp;&nbsp;&nbsp;&nbsp; = <FONT COLOR="#FF0000">State-Prowincja
domyslna</FONT></I>
<BR><I>localityName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= Locality Name (eg, city)</I>
<BR><I>localityName_default&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= <FONT COLOR="#FF0000">Lodz</FONT></I>
<BR><I>&nbsp;</I>
<BR><I>0.organizationName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= Organization Name (eg, company)</I>
<BR><I>0.organizationName_default&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = <FONT COLOR="#FF0000">Nawza
Organizacji</FONT></I>
<BR><I>&nbsp;</I>
<BR><I># we can do this but it is not needed normally :-)</I>
<BR><I>#1.organizationName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= Second Organization Name (eg, company)</I>
<BR><I>#1.organizationName_default&nbsp;&nbsp;&nbsp;&nbsp; = World Wide
Web Pty Ltd</I>
<BR><I>organizationalUnitName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= Organizational Unit Name (eg, section)</I>
<BR><I>organizationalUnitName_default&nbsp; = <FONT COLOR="#FF0000">Unit
name domyslny</FONT></I>
<BR><I>&nbsp;</I>
<BR><I>commonName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= Common Name (eg, YOUR name)</I>
<BR><I>commonName_max&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= 64</I>
<BR><I>&nbsp;</I>
<BR><I>emailAddress&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= Email Address</I>
<BR><I>emailAddress_max&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= 40</I>
<BR><I>&nbsp;</I>
<BR><I># SET-ex3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= SET extension number 3</I>
<BR><I>&nbsp;</I>
<BR><I>[ req_attributes ]</I>
<BR><I>challengePassword&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= A challenge password</I>
<BR><I>challengePassword_min&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = 4</I>
<BR><I>challengePassword_max&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = 20</I>
<BR><I>&nbsp;</I>
<BR><I>unstructuredName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= An optional company name</I>
<BR><I>&nbsp;</I>
<BR><A NAME="usr_cert"></A><I>[ usr_cert ]</I>
<BR><I>&nbsp;</I>
<BR><I># These extensions are added when 'ca' signs a request.</I>
<BR><I>&nbsp;</I>
<BR><I># This goes against PKIX guidelines but some CAs do it and some
software</I>
<BR><I># requires this to avoid interpreting an end user certificate as
a CA.</I>
<BR><I>&nbsp;</I>
<BR><I>basicConstraints=CA:FALSE</I>
<BR><I>&nbsp;</I>
<BR><I># Here are some examples of the usage of nsCertType. If it is omitted</I>
<BR><I># the certificate can be used for anything *except* object signing.</I>
<BR><I>&nbsp;</I>
<BR><A NAME="server"></A><I># This is OK for an SSL server.</I>
<BR><I><FONT COLOR="#006600">#nsCertType&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= server</FONT></I>
<BR><I>&nbsp;</I>
<BR><I># For an object signing certificate this would be used.</I>
<BR><I>#nsCertType = objsign</I>
<BR><I>&nbsp;</I>
<BR><A NAME="klient"></A><I># For normal client use this is typical</I>
<BR><I><FONT COLOR="#006600">nsCertType = client, email</FONT></I>
<BR><I>&nbsp;</I>
<BR><I># This is typical also</I>
<BR><I>&nbsp;</I>
<BR><I>keyUsage = nonRepudiation, digitalSignature, keyEncipherment</I>
<BR><I>&nbsp;</I>
<BR><I>nsComment&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= "<FONT COLOR="#FF0000">OpenSSL Generated Certificate</FONT>"</I>
<BR><I>&nbsp;</I>
<BR><I># PKIX recommendations</I>
<BR><I>subjectKeyIdentifier=hash</I>
<BR><I>authorityKeyIdentifier=keyid,issuer:always</I>
<BR><I># Import the email address.</I>
<BR><I>&nbsp;</I>
<BR><I>subjectAltName=email:copy</I>
<BR><I>&nbsp;</I>
<BR><I># Copy subject details</I>
<BR><I>&nbsp;</I>
<BR><I>issuerAltName=issuer:copy</I>
<BR><I>&nbsp;</I>
<BR><I>#nsCaRevocationUrl&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= http://www.domain.dom/ca-crl.pem</I>
<BR><I>#nsBaseUrl</I>
<BR><I>#nsRevocationUrl</I>
<BR><I>#nsRenewalUrl</I>
<BR><I>#nsCaPolicyUrl</I>
<BR><I>#nsSslServerName</I>
<BR><I>&nbsp;</I>
<BR><I>[ v3_ca]</I>
<BR><I>&nbsp;</I>
<BR><I># Extensions for a typical CA</I>
<BR><I>&nbsp;</I>
<BR><I># It's a CA certificate</I>
<BR><I>basicConstraints = CA:true</I>
<BR><I>&nbsp;</I>
<BR><I># PKIX recommendation.</I>
<BR><I>&nbsp;</I>
<BR><I>subjectKeyIdentifier=hash</I>
<BR><I>&nbsp;</I>
<BR><I>authorityKeyIdentifier=keyid:always,issuer:always</I>
<BR><I>&nbsp;</I>
<BR><I># This is what PKIX recommends but some broken software chokes on
critical</I>
<BR><I># extensions.</I>
<BR><I>#basicConstraints = critical,CA:true</I>
<BR><I>&nbsp;</I>
<BR><I># Key usage: again this should really be critical.</I>
<BR><I>keyUsage = cRLSign, keyCertSign</I>
<BR><I>&nbsp;</I>
<BR><I># Some might want this also</I>
<BR><I>nsCertType = sslCA, emailCA, objCA</I>
<BR><I>&nbsp;</I>
<BR><I># Include email address in subject alt name: another PKIX recommendation</I>
<BR><I>subjectAltName=email:copy</I>
<BR><I># Copy issuer details</I>
<BR><I>issuerAltName=issuer:copy</I>
<BR><I>&nbsp;</I>
<BR><I># RAW DER hex encoding of an extension: beware experts only!</I>
<BR><I># 1.2.3.5=RAW:02:03</I>
<BR><I># You can even override a supported extension:</I>
<BR><I># basicConstraints= critical, RAW:30:03:01:01:FF</I>
<BR><I>&nbsp;</I>
<BR><I>[ crl_ext ]</I>
<BR><I>&nbsp;</I>
<BR><I># CRL extensions.</I>
<BR><I># Only issuerAltName and authorityKeyIdentifier make any sense in
a CRL.</I>
<P><I>issuerAltName=issuer:copy</I>
<BR><I>authorityKeyIdentifier=keyid:always,issuer:always</I>
<BR>################################################################################
<BR>########## koniec pliku openssl.cnf
<P><A NAME="koniec openssl.cnf"></A>Jak widaæ zmiany s± praktycznie kosmetyczne.&nbsp;
Nale¿y zwrócic jedynie uwagê na opcjê <A HREF="#req">default_bits</A> w
sekcji req.
<BR>W momencie generowania certyfikatu CA powinna mieæ ona warto¶æ 1024
lub wiêcej, natomiast w trakcie tworzenia
<BR>certyfikatów klienckich winno mieæ siê na uwadze wredn± cechê produktów
M$ dostêpnych poza granicami USA.
<BR>Nie s± one w stanie zaimportowaæ kluczy maj±cych wiêcej ni¿ 512 bitów.
W takim przypadku default_bits nale¿y
<BR>zmniejszyæ do tej warto¶ci. Je¶li chodzi o Netscapa konieczno¶æ taka
nie wystêpuje, nawet gdy nie jest on
<BR>patchowany przy pomocy <A HREF="http://www.fortify.net/">Fortify</A>.
Jednak¿e klucz nie powinien byæ wiêkszy ni¿ 1024 bity.
<P><B><FONT SIZE=+1>Generowanie certyfikatu CA</FONT></B>
<P>Pierwszy± czynno¶ci± jak± nale¿y wykonaæ jest wygenerowanie certyfikatu
CA czyli czego¶ czym bêd±
<BR>podpiswane certyfikaty udostêpniane klientom. Uruchom rxvt lub co¶
innego i wykonaj polecenie:
<P><I>adas:~# <B>cd /usr/local/ssl/bin</B></I>
<BR><I>adas:/usr/local/ssl/bin# <B>./CA.pl -newca</B></I>
<P><I>CA certificate filename (or enter to create)</I>
<P><I>Making CA certificate ...</I>
<BR><I>Using configuration from /usr/local/ssl/lib/openssl.cnf</I>
<BR><I>Generating a 1024 bit RSA private key</I>
<BR><I>..+++++</I>
<BR><I>....+++++</I>
<BR><I>writing new private key to './demoCA/private/cakey.pem'</I>
<BR><A NAME="pem_pass"></A><I><FONT COLOR="#009900">Enter PEM pass phrase:</FONT></I>
<BR><I><FONT COLOR="#009900">Verifying password - Enter PEM pass phrase:</FONT></I>
<BR><I>-----</I>
<BR><I>You are about to be asked to enter information that will be incorporated</I>
<BR><I>into your certificate request.</I>
<BR><I>What you are about to enter is what is called a Distinguished Name
or a DN.</I>
<BR><I>There are quite a few fields but you can leave some blank</I>
<BR><I>For some fields there will be a default value,</I>
<BR><I>If you enter '.', the field will be left blank.</I>
<BR><I>-----</I>
<BR><I>Country Name (2 letter code) [PL]:</I>
<BR><I>State i Prowincja [Kraina Bezrobotnych Szwaczek]:</I>
<BR><I>Locality Name (eg, city) [Lodz]:</I>
<BR><I>Organization Name (eg, company) [Instytut Badan Czarow i Magii]:</I>
<BR><I>Organizational Unit Name (eg, section) [Komorka d/s Egzorcyzmow
i Opentan]:</I>
<BR><I>Common Name (eg, YOUR name) []:Adam Hernik</I>
<BR><I>Email Address []:adas@infocentrum.com</I>
<P><I>adas:/usr/local/ssl/bin#</I>
<P>Skrypt CA.pl uruchomiony poraz pierwszy tworzy w /usr/local/ssl/bin
katalog o nazwie demoCA w którym znajduje siê
<BR>wygenerowany przed chwil± certyfikat publiczny <B>cacert.pem</B> (do³±czany
pó¿niej do certyfikatów klienckich) oraz tajny
<BR>zabezpieczony <A HREF="#pem_pass">has³em</A> klucz <B>cakey.pem</B>
którym bêdziesz podpisywa³ certyfikaty wydawane u¿ytkownikom. Klucz i has³o
<BR>oczywi¶cie nale¿y dobrze chroniæ i najlepiej jest gdy znajduje siê
na serwerze tylko w momencie generowania certyfikatu.
<BR>Ponowne uruchomienie CA.pl z parametrem -newca niszczy to co pracowicie
stworzy³e¶ i generuje nowy klucz i certyfikat.
<BR>&nbsp;
<P><B><FONT SIZE=+1>Tworzenie certyfikatu dla stunnela i innych serwerów</FONT></B>
<BR>&nbsp;
<P>Zanim siê do tego zabierzesz powiniene¶ lekko zmodyfikowac skrypt <B>CA.pl</B>
oraz plik konfiguracyjny <B>openssl.cnf</B>.
<BR>Skopiuj je odpowiednio do plików <B>/usr/local/ssl/bin/CAserv.pl</B>
i <B>/usr/local/ssl/lib/openssl_serv.cnf</B>.<B></B>
<BR>Generowane certyfikaty domy¶lnie zabezpieczone s± has³em, w takim przypadku
w momencie startu stunnela zawsze
<BR>bêdziesz pytany o haslo zabezpieczaj±ce, co skutecznie uniemo¿liwi
automatyczne uruchamianie programu w czasie
<BR>bootowania&nbsp; serwera, czy te¿ przy próbie wystartowania go przez
inetd. Nale¿y poprawiæ <B>linie 40</B> i <B>41</B> skryptu
<BR><B>CAserv.pl</B> z
<P><FONT COLOR="#006600">linia 40:</FONT>
<BR><B>$REQ="openssl req <I>$SSLEAY_CONFIG</I>";</B>
<BR>na
<BR><B>$REQ="openssl req <FONT COLOR="#FF0000">-nodes -config /usr/local/ssl/lib/openssl_serv.cnf</FONT>";</B>
<P><FONT COLOR="#006600">linia 41:</FONT>
<BR><B>$CA="openssl ca <I>$SSLEAY_CONFIG</I>";</B>
<BR>na
<BR><B>$CA="openssl ca <FONT COLOR="#FF0000">-config /usr/local/ssl/lib/openssl_serv.cnf</FONT>";</B>
<BR>&nbsp;
<P>Natomiast w pliku <B>/usr/local/ssl/lib/openssl_serv.cnf </B>nalezy&nbsp;
w sekcji <A HREF="#usr_cert">usr_cert</A> "zahashowaæ" linijkê
<BR><A HREF="#klient">nsCertType = client, email</A>&nbsp; oraz "odhashowaæ"
linijkê <A HREF="#server">nsCertType&nbsp;&nbsp; = server</A> . Je¶li tego
nie zrobisz klient nie bêdzie
<BR>poprawnie rozpoznawa³ typu certyfikatu. A teraz kolej na wygenerowanie
"requestu" posy³anego zazwyczaj do CA.
<BR>Bêd±c w katalogu /usr/local/ssl/bin wykonaj:
<P><I>adas:/usr/local/ssl/bin# .<B>/CAserv.pl -newreq</B></I>
<BR><I>Using configuration from /usr/local/ssl/lib/openssl_serv.cnf</I>
<BR><I>Generating a 1024 bit RSA private key</I>
<BR><I>..............................+++++</I>
<BR><I>.........+++++</I>
<BR><I>writing new private key to 'newreq.pem'</I>
<BR><I>-----</I>
<BR><I>You are about to be asked to enter information that will be incorporated</I>
<BR><I>into your certificate request.</I>
<BR><I>What you are about to enter is what is called a Distinguished Name
or a DN.</I>
<BR><I>There are quite a few fields but you can leave some blank</I>
<BR><I>For some fields there will be a default value,</I>
<BR><I>If you enter '.', the field will be left blank.</I>
<BR><I>-----</I>
<BR><I>Country Name (2 letter code) [PL]:</I>
<BR><I>State i Prowincja [Kraina Bezrobotnych Szwaczek]:Kraina latajacych
scyzorykow</I>
<BR><I>Locality Name (eg, city) [Lodz]:Sielpia</I>
<BR><I>Organization Name (eg, company) [Instytut Badan Czarow i Magii]:Bar
Sloneczko</I>
<BR><I>Organizational Unit Name (eg, section) [Komorka d/s Egzorcyzmow
i Opentan]:Kuflownia</I>
<BR><I><FONT COLOR="#FF0000">Common Name (eg, YOUR name) []:adas.pl</FONT></I>
<BR><I>Email Address []:adas@adas.pl</I>
<P><I>Please enter the following 'extra' attributes</I>
<BR><I>to be sent with your certificate request</I>
<BR><I>A challenge password []:</I>
<BR><I>An optional company name []:</I>
<BR><I>Request (and private key) is in newreq.pem</I>
<BR><I>adas:/usr/local/ssl/bin#</I>
<P>Polem o którym warto wspomnieæ jest "Common Name" (zaznaczone na czerwono).
W trakcie generowania requestu
<BR>nale¿y w tym miejscu wpisaæ <B>FQDN serwera</B> na którym bêdzie on
u¿ywany. W przeciwnym wypadku w chwili
<BR>po³±czenia klient bêdzie twierdzi³, ¿e certyfikat jakim przedstawia
siê serwer nie nale¿y do niego. Unikniemy w ten
<BR>sposób niepotrzebnego klikania. Kolejn± czynno¶ci± jest podpisanie
wygenerowanego requestu. W katalogu
<BR>/usr/local/ssl/bin wykonaj polecenie:
<P><I>adas:/usr/local/ssl/bin# .<B>/CAserv.pl -sign</B></I>
<BR><I>Using configuration from /usr/local/ssl/lib/openssl.cnf</I>
<BR><I><FONT COLOR="#009900">Enter PEM pass phrase:</FONT></I>
<BR><I>Check that the request matches the signature</I>
<BR><I>Signature ok</I>
<BR><I>The Subjects Distinguished Name is as follows</I>
<BR><I>countryName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
:PRINTABLE:'PL'</I>
<BR><I>stateOrProvinceName&nbsp;&nbsp; :PRINTABLE:'Kraina latajacych scyzorykow'</I>
<BR><I>localityName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
:PRINTABLE:'Sielpia'</I>
<BR><I>organizationName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; :PRINTABLE:'Bar Sloneczko'</I>
<BR><I>organizationalUnitName:PRINTABLE:'Kuflownia'</I>
<BR><I>commonName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
:PRINTABLE:'adas.pl'</I>
<BR><I>emailAddress&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
:IA5STRING:'adas@adas.pl'</I>
<BR><I>Certificate is to be certified until Mar 26 21:06:13 2000 GMT (365
days)</I>
<BR><I>Sign the certificate? [y/n]:y</I>
<BR>&nbsp;
<P><I>1 out of 1 certificate requests certified, commit? [y/n]y</I>
<BR><I>Write out database with 1 new entries</I>
<BR><I>Data Base Updated</I>
<BR><I>Signed certificate is in newcert.pem</I>
<BR><I>adas:/usr/local/ssl/bin#</I>
<P>W trakcie podpisywania bêdziesz pytany o has³o zabezpieczaj±ce klucz
prywatny CA (zaznaczone na zielono).
<BR>Po tej operacji powiniene¶ w katalogu /usr/local/ssl/bin otrzymaæ 2
pliki: <B>newcert.pem</B> oraz <B>newreq.pem</B>.
<BR>Zanim zaczniesz ich u¿ywaæ musisz wykonaæ jeszcze jedn± operacje, a
mianowicie z³orzyæ wszystko do kupy.
<BR>Wykonujesz: <B>cat newcert.pem newreq.pem > httpds.pem</B> a nastêpnie
poddajesz tak powsta³y certyfikat edycji.
<BR>Nale¿y z pliku httpds.pem nale¿y usun±æ wszystkie niepotrzebne informacje
tak by pozosta³ jedynie certyfikat oraz
<BR>klucz prywatny. Po tej operacji plik httpds.pem powinien wygl±daæ mniej
wiêcej tak:
<P><I>issuer :/C=PL/ST=Kraina Bezrobotnych Szwaczek/L=Lodz/O=Instytut Badan
Czarow i Magii/OU=Komorka d/s Egzorcyzmow i opentan/CN=Adam Hernik/Email=adas@infocentrum.com</I>
<BR><I>subject:/C=PL/ST=Kraina latajacych scyzorykow/L=Sielpia/O=Bar Sloneczko/OU=Kuflownia/CN=adas.pl/</I>
<BR><I>Email=adas@adas.pl</I>
<BR><I>-----BEGIN CERTIFICATE-----</I>
<BR><I>&nbsp;Tu s± magiczne dane</I>
<BR><I>-----END CERTIFICATE-----</I>
<P><I>-----BEGIN RSA PRIVATE KEY-----</I>
<BR><I>&nbsp; I tu te¿ s± magiczne dane</I>
<BR><I>-----END RSA PRIVATE KEY-----</I>
<P>Spreparowany w ten sposób plik umieszczamy w katalogu /usr/local/ssl/certs
i zajmujemy siê generowaniem dwu
<BR>certyfikatów klienckich.
<BR>&nbsp;
<P><B><FONT SIZE=+1>Generowanie i importowanie certyfikatów klienckich
do Netscape Communikatora.</FONT></B>
<BR>&nbsp;
<BR>Generalnie s± dwie metody tworzenia i importowania certyfikatów klienckich
do Netscapa
<BR><B>Sposób pierwszy:</B>
<BR>Przy pomocy komendy <B>CA.pl -newreq</B> wygeneruj request a nastêpnie
przy pomocy <B>CA.pl -sign</B> podpisz go.
<BR>Pytanie o <I>challenge password</I> zignoruj. Kolejn± czynno¶ci± jest
scalenie i podczyszczenie certyfikatu.
<BR>W przypadku certyfikatu klienta wa¿ne jest podanie <B>prawid³owego
adresu email</B> <B>!</B> Bez tego nie bêdzie mo¿na
<BR>podpisywaæ i szyfrowaæ listów.&nbsp; Stwórz dwa certyfikaty. Bêd± one
potrzebne do wyja¶nienia dzia³ania opcji -v 3
<BR>programu stunnel. Zak³adam ¿e pierwszy certyfikat nale¿y do Jana Kowalskiego
jan@ibczim.pl zachowany w
<BR>pliku jan.pem a drugi do Genowefy Pigwy pigwa@scyzoryki.pl znajduj±cym
siê w pliku pigwa.pem.&nbsp; Przed
<BR>zaimportowaniem plików do Netscpea nale¿y przekonwertowaæ je z formatu
PEM do PCKS12. Wykonuje siê to
<BR>przy pomocy wspomnianego na pocz±tku programu <B>pcks12</B>. Aby przekonwertowaæ
certyfikat Jan Kowalskiego,
<BR>w katalogu w ktorym znajduje siê plik jan.pem wykonaj:
<BR>&nbsp;
<P><B>pkcs12 -export -name "Jan Kowalski jan@ibczim.pl" -in jan.pem -out
jan.p12 -certfile /usr/local/ssl/bin/demoCA/cacert.pem</B>
<P>(<FONT COLOR="#990000">jest to jedna linia !!!</FONT>)
<BR>w wyniku czego powstanie plik jan.p12 który mo¿na zaimportowaæ do Netscapea.
Bardzo wa¿n± opcj± jest
<BR><B><I>-certfile /usr/local/ssl/bin/demoCA/cacert.pem</I></B>. Bez niej
nie bêdzie mo¿na w prawid³owy sposób podpisywaæ listów.
<BR>Prze³±cznik -certfile powoduje do³±czenie publicznego certyfikatu CA
do certyfikatu klienta dziêki czemu Netscape
<BR>jest wstanie "wyekstrachowaæ" certyfikat CA i dodaæ go do wewnêtrznej
bazy CA. Wykonaj powy¿sz± operacjê tak¿e
<BR>dla pigwy. Samo zaimportowanie certyfikatu jest bardzo proste wykonuje
siê to klikaj±c w Netscape na
<P><B>Security-> Yours -> Import a Certificate</B>
<P>Po zaimportowaniu nale¿y w <B>Security -> Signers</B> zaznaczyæ nasz
CA certyfikat a nastêpnie klikn±æ na przycisku Edit
<BR>oraz "zaczekowaæ" opcje:
<P><I>Accept this Certificate Authority for Certifying network sites</I>
<BR><I>Accept this Certificate Authority for Certifying e-mail users</I>
<P>Od tej pory nasz certyfikat bêdzie traktowany na równi z innymi, komercyjnymi.
<P><B>Sposób drugi:</B>
<BR>Polega on na wygenerowaniu i imporcie certyfikatu poprzez strone www.
Wraz z stunnelem dostarczane s±
<BR>przk³adowe strony (dwie) i skrypty (dwa).&nbsp; Skrypty nale¿y raczej
traktowaæ jako wzorzec i ka¿dy powinien napisaæ
<BR>swoje, bardziej bezpieczne. Pierwszym krokiem jest import certyfikatu
CA. U¿ywa siê do tego strony <B>importCA.html</B>
<BR>oraz skryptu <B>importCA.sh</B>. Sam skrypt wygl±da tak:
<P><I>#!/bin/bash</I>
<P><I>echo "Content-type: application/x-x509-ca-cert"</I>
<BR><I>echo</I>
<BR><I>cat <FONT COLOR="#CC0000">/var/lib/httpds/cgi-bin/<B>cacert.pem</B></FONT></I>
<P>cacert.pem jest to oczywi¶cie certyfikat publiczny CA znajduj±cy siê
w katalogu /usr/local/ssl/bin/demoCA
<BR>który nale¿y przekopiowaæ do katalogu cgi-bin serwera httpd oraz nadaæ
mu odpowiednie prawa dostêpu.
<BR>Po zaimportowaniu certyfikatu CA nale¿y w Security->Signers zaznaczyæ
do jakich celów bêdziemy uznawli
<BR>go za wiarygodny. Do generowania certyfikatu klienta wykorzystamy pozosta³±
strone i skrypt. Zanim do tego dojdzie
<BR>nale¿y "dokonfigurowaæ" skrypt i stworzyæ potrzebne katalogi.&nbsp;
W /tmp (lub w innym miejscu) nalezy stworzyæ
<BR>katalog ssl a nastêpnie przekopiowaæ do niego katalog <B>/usr/local/bin/demoCA</B>
oraz plik <B>openssl.cnf</B>.
<BR>Jako ¿e skrypty domy¶lnie uruchamiane s± z prawami u¿ytkownika nobody
nale¿y uczyniæ go&nbsp; wla¶cicielem
<BR>katalogu /tmp/ssl i ca³ej jego zawarto¶ci. Kolejn± czynno¶ci± jest
wygenerowanie pliku <B>.rnd</B>. W Linuxie robimy to
<BR>tak:
<BR><B>cat /dev/random > /tmp/ssl/.rnd</B>
<BR>czekamy chwilkê tak by plik .rnd mia³ wielko¶æ oko³o 1024 B po czym
w³a¶cicielem pliku robimy u¿ytkownika nobody.
<BR>Teraz trzeba przekonfigurowaæ plik /tmp/ssl/openssl.cnf
<P><I>#</I>
<BR><I># OpenSSL example configuration file.</I>
<BR><I># This is mostly being used for generation of certificate requests.</I>
<BR><I>#</I>
<BR><I>&nbsp;</I>
<BR><I><FONT COLOR="#FF0000">RANDFILE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= /tmp/ssl/.rnd</FONT></I>
<BR><I>#oid_file&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= /tmp/ssl/.oid</I>
<BR><I>oid_section&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= new_oids</I>
<BR><I>&nbsp;</I>
<BR><I>[ new_oids ]</I>
<BR><I>&nbsp;</I>
<BR><I># We can add new OIDs in here for use by 'ca' and 'req'.</I>
<BR><I># Add a simple OID like this:</I>
<BR><I># testoid1=1.2.3.4</I>
<BR><I># Or use config file substitution like this:</I>
<BR><I># testoid2=${testoid1}.5.6</I><I></I>
<P><I>####################################################################</I>
<BR><I>[ ca ]</I>
<BR><I>default_ca&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = CA_default&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# The default ca section</I><I></I>
<P><I>####################################################################</I>
<BR><I>[ CA_default ]</I>
<BR><I>&nbsp;</I>
<BR><I><FONT COLOR="#FF0000">dir&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= /tmp/ssl/demoCA&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# Where everything is kept</FONT></I>
<BR><I>certs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= $dir/certs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# Where the issued certs are kept</I>
<BR><I>crl_dir&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = $dir/crl&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# Where the issued crl are kept</I>
<BR><I>database&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = $dir/index.txt&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# database index file.</I>
<BR><I>new_certs_dir&nbsp;&nbsp; = $dir/newcerts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# default place for new certs.</I>
<BR>&nbsp;
<BR>Nale¿y zmieniæ opcje zaznaczone na czerwono. Ostatni± czynno¶ci± jest
sprawdzenie i ewentualne poprawienie
<BR>strony ca.html i skryptu ca.pl. W pliku ca.html nalezy wpisaæ poprawn±
nazwê serwera na którym znajduje siê
<BR>skrypt ca.pl czyli linijkê <B>&lt;FORM ACTION="<FONT COLOR="#FF0000">http://localhost/cgi-bin/ca.pl</FONT>"
METHOD=POST></B>. W ca.pl
<BR>nale¿y skontrolowaæ poprawno¶æ podanych ¶cie¿ek oraz wpisaæ has³o jakim
zabezpieczony jest klucz prywatny CA
<BR>(zmienna $certpass zaznaczona na czerwono).
<BR>&nbsp;
<P><I>#!/usr/bin/perl</I>
<BR><I>#ca.pl</I><I></I>
<P><I>$config&nbsp;&nbsp; = "/tmp/ssl/openssl.cnf";</I>
<BR><I>$capath&nbsp;&nbsp; = "/usr/local/ssl/bin/openssl ca";</I>
<BR><I><FONT COLOR="#FF0000">$certpass = "tu_jest_haslo";</FONT></I>
<BR><I>$tempca&nbsp;&nbsp; = "/tmp/ssl/cli".rand 10000;</I>
<BR><I>$tempout&nbsp; = "/tmp/ssl/certtmp".rand 10000;</I>
<BR><I>$caout&nbsp;&nbsp;&nbsp; = "/tmp/ssl/certwynik.txt";</I>
<BR><I>$CAcert&nbsp;&nbsp; = "/tmp/ssl/demoCA/cacert.pem";</I>
<BR><I>...</I>
<BR>&nbsp;
<P>Po umieszczeniu tak przygotowanych stron i skryptów na serwerze bêdzie
mo¿na generowaæ certyfikaty dla klientów.
<P><B>Wady i zalety obydwu sposobów generowania i instalowania certyfikatów.</B>
<P><A NAME="usuwanie"></A>Jak wynika z powy¿szego opisu bezpieczniejszym
i polecanym przeze mnie jest sposób pierwszy. Jego powa¿n± wad±
<BR>jest&nbsp; fakt ¿e cz³owiek generuj±cy certyfikaty znajduje siê w posiadaniu
klucza prywatnego osoby wystêpuj±cej o
<BR>certyfikat.&nbsp; <FONT COLOR="#FF0000">Oczywi¶cie uczciwy CA powinien
skasowaæ go, zaraz po utworzeniu</FONT>. W takim wypadku metoda pierwsza
<BR>spe³nia&nbsp; wszelkie wymogi. Sposób drugi prócz samych wad ma jedn±
acz ogromn± zaletê. Mianowicie klucz prywatny
<BR>klienta&nbsp; nigdy nie opuszcza jego komputera. Do wad mo¿na zaliczyæ
fakt ¿e has³o zabezpieczaj±ce klucz prywatny CA
<BR>znajduje siê na serwerze i to w dodatku w ¿aden sposób nie chronione.&nbsp;
Kolejn± wad± jest generowanie kompletnych
<BR>certyfikatów przez strone www, co mo¿e groziæ wykradzeniem klucza prywatnego.
Rozwi±zaniem mo¿e byæ sk³adowanie
<BR>requestów w bazie danych a nastpnie rêczna ich obróbka przez administratora.
Reasumuj±c, sposób drugi nale¿y
<BR>potraktowaæ jako demonstracje metody któr± mo¿na przeæwiczyæ przed
napisaniem porz±dnych skryptów.
<BR>&nbsp;<B><FONT SIZE=+1></FONT></B>
<P><B><FONT SIZE=+1>Tajemniczy prze³±cznik -v 3 w stunnelu</FONT></B>
<P>Stunnel posiada trzy tryby weryfikacji klienta.
<BR>Pierwszy opcja <B><FONT SIZE=+1>-v 1</FONT></B> oznacza ¿e nale¿y spróbowaæ
zweryfikowaæ osobê nawi±zuj±c± po³±czenie czyli uzyskaæ jej
<BR>ceryfikat. Je¶li operacja ta siê nie powiedzie, mimo wszystko dostêp
do serwera bêdzie zapewniony.
<BR>Prze³±cznik <B><FONT SIZE=+1>-v 2</FONT></B> nakazuje stunnelowi zweryfikowaæ
klienta. Je¶li u¿ytkownik nie posiada certyfikatu lub certyfikat
<BR>jest niewa¿ny, niew³a¶ciwy czy te¿ nie posiadamy certyfikatu CA którym
podpisany jest certyfikat klienta
<BR><FONT SIZE=-2>(straszny jest ten jêzyk polski)</FONT> nawi±zanie po³±czenia
z serwerem bêdzie niemo¿liwe. I wreszcie opcja <B><FONT SIZE=+1>-v 3</FONT></B>
nakazuj±ca
<BR>stunnelowi zweryfikowaæ klienta a tak¿e poszukaæ jego certyfikatu w
naszej lokalnej bazie.
<BR>Dzieki opcji -v 3 mo¿emy stworzyæ bardzo selektywny dostêp do us³ug
oferowanych przez serwer, unikaj±c generowania du¿ych ilo¶ci certyfikatów.
<FONT COLOR="#FF0000">Uwaga ogólna: do poprawnej weryfikacji klienta KONIECZNE
jest posiadanie certyfikatu CA którym podpisany&nbsp; jest sprawdzany certyfikat</FONT>.
Bez tego stunnel nie jest wstanie przeprowadziæ poprawnej autoryzacji klienta.
Próba taka koñczy siê b³êdami "<B>VERIFY ERROR: self signed certificate
for .....</B>" oraz "<B>SSL_accept: error:140890B1:SSL routines:</B> <B>SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned</B>". A teraz przyk³ad praktyczny: chcemy aby do https
bêd±cym na <B>porcie 444</B> mia³y dostêp wszystkie osoby maj±ce certyfikaty
natomiast
<BR>do do https na <B>porcie 445</B> dostêp mia³ tylko Jan Kowalski. Pierwsz±
czynno¶ci± jak± nale¿y wykonaæ jest skopiowanie
<BR>certyfikatu CA do katalogu <B>/usr/local/ssl/certs</B> (default cert
area), nastêpnie w tym katalogu nale¿y utworzyæ
<BR>podkatalog o&nbsp; nazwie <B>mytrusted</B>, poczym skopiowaæ do niego
certyfikat klienta czyli jan.pem. <A HREF="#usuwanie"><B>Uwaga</B>: z pliku
jan.pem</A>
<BR><A HREF="#usuwanie"><B>MUSISZ</B> usun±æ klucz prywatny</A> !!! Czyli&nbsp;
to co siê znajduje miêdzy
<P>-----BEGIN RSA PRIVATE KEY-----
<BR>.......
<BR>-----END RSA PRIVATE KEY-----
<P>³±cznie z powy¿szymi liniami. Nastêpnie w katalogach <B>/usr/local/ssl/certs</B>
i <B>/usr/local/ssl/certs/mytrusted</B> nale¿y
<BR>wykonaæ polecenie
<BR><B>/usr/local/ssl/bin/c_rehash ./</B>
<BR>Teraz kolej na uruchomienie stunnela:
<BR><B>stunnel -d 444 -r 80 -v 2</B>
<BR>oraz
<BR><B>stunnel -d 445 -r 80 -v 3</B>
<BR>Netscapem nale¿y po³±czyæ sie z https://localhost:444/ a po pytaniu
o certyfikat przedstawiæ certyfikat nale¿±cy
<BR>do pigwy. Dostêp do serwera bêdzie zapewniony. Czynno¶c tê nale¿y powtórzyæ
przedstawiaj±c siê za drugim razem
<BR>certyfikatem Jana Kowalskiego. Po³±czenie tak¿e bêdzie zrealizowane.&nbsp;
W przypadku https://localhost:445/ wej¶cie
<BR>na serwer bêdzie zapewnione tylko po wylegitymowaniu siê certyfikatem
Jana Kowalskiego. Po kazdej zmianie w
<BR>katalogu /usr/local/ssl/certs/mytrusted nale¿y wykonaæ komendê c_rehash
./ i zrestartowaæ stunnela.
<BR>&nbsp;
</BODY>
</HTML>

1395
doc/stunnel.8.in Normal file
View File

File diff suppressed because it is too large Load Diff

1625
doc/stunnel.html.in Normal file
View File

File diff suppressed because it is too large Load Diff

1425
doc/stunnel.pl.8.in Normal file
View File

File diff suppressed because it is too large Load Diff

1626
doc/stunnel.pl.html.in Normal file
View File

File diff suppressed because it is too large Load Diff

1555
doc/stunnel.pl.pod.in Normal file
View File

File diff suppressed because it is too large Load Diff

1529
doc/stunnel.pod.in Normal file
View File

File diff suppressed because it is too large Load Diff

8387
m4/libtool.m4 vendored Normal file
View File

File diff suppressed because it is too large Load Diff

437
m4/ltoptions.m4 vendored Normal file
View File

@ -0,0 +1,437 @@
# Helper functions for option handling. -*- Autoconf -*-
#
# Copyright (C) 2004-2005, 2007-2009, 2011-2015 Free Software
# Foundation, Inc.
# Written by Gary V. Vaughan, 2004
#
# This file is free software; the Free Software Foundation gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
# serial 8 ltoptions.m4
# This is to help aclocal find these macros, as it can't see m4_define.
AC_DEFUN([LTOPTIONS_VERSION], [m4_if([1])])
# _LT_MANGLE_OPTION(MACRO-NAME, OPTION-NAME)
# ------------------------------------------
m4_define([_LT_MANGLE_OPTION],
[[_LT_OPTION_]m4_bpatsubst($1__$2, [[^a-zA-Z0-9_]], [_])])
# _LT_SET_OPTION(MACRO-NAME, OPTION-NAME)
# ---------------------------------------
# Set option OPTION-NAME for macro MACRO-NAME, and if there is a
# matching handler defined, dispatch to it. Other OPTION-NAMEs are
# saved as a flag.
m4_define([_LT_SET_OPTION],
[m4_define(_LT_MANGLE_OPTION([$1], [$2]))dnl
m4_ifdef(_LT_MANGLE_DEFUN([$1], [$2]),
_LT_MANGLE_DEFUN([$1], [$2]),
[m4_warning([Unknown $1 option '$2'])])[]dnl
])
# _LT_IF_OPTION(MACRO-NAME, OPTION-NAME, IF-SET, [IF-NOT-SET])
# ------------------------------------------------------------
# Execute IF-SET if OPTION is set, IF-NOT-SET otherwise.
m4_define([_LT_IF_OPTION],
[m4_ifdef(_LT_MANGLE_OPTION([$1], [$2]), [$3], [$4])])
# _LT_UNLESS_OPTIONS(MACRO-NAME, OPTION-LIST, IF-NOT-SET)
# -------------------------------------------------------
# Execute IF-NOT-SET unless all options in OPTION-LIST for MACRO-NAME
# are set.
m4_define([_LT_UNLESS_OPTIONS],
[m4_foreach([_LT_Option], m4_split(m4_normalize([$2])),
[m4_ifdef(_LT_MANGLE_OPTION([$1], _LT_Option),
[m4_define([$0_found])])])[]dnl
m4_ifdef([$0_found], [m4_undefine([$0_found])], [$3
])[]dnl
])
# _LT_SET_OPTIONS(MACRO-NAME, OPTION-LIST)
# ----------------------------------------
# OPTION-LIST is a space-separated list of Libtool options associated
# with MACRO-NAME. If any OPTION has a matching handler declared with
# LT_OPTION_DEFINE, dispatch to that macro; otherwise complain about
# the unknown option and exit.
m4_defun([_LT_SET_OPTIONS],
[# Set options
m4_foreach([_LT_Option], m4_split(m4_normalize([$2])),
[_LT_SET_OPTION([$1], _LT_Option)])
m4_if([$1],[LT_INIT],[
dnl
dnl Simply set some default values (i.e off) if boolean options were not
dnl specified:
_LT_UNLESS_OPTIONS([LT_INIT], [dlopen], [enable_dlopen=no
])
_LT_UNLESS_OPTIONS([LT_INIT], [win32-dll], [enable_win32_dll=no
])
dnl
dnl If no reference was made to various pairs of opposing options, then
dnl we run the default mode handler for the pair. For example, if neither
dnl 'shared' nor 'disable-shared' was passed, we enable building of shared
dnl archives by default:
_LT_UNLESS_OPTIONS([LT_INIT], [shared disable-shared], [_LT_ENABLE_SHARED])
_LT_UNLESS_OPTIONS([LT_INIT], [static disable-static], [_LT_ENABLE_STATIC])
_LT_UNLESS_OPTIONS([LT_INIT], [pic-only no-pic], [_LT_WITH_PIC])
_LT_UNLESS_OPTIONS([LT_INIT], [fast-install disable-fast-install],
[_LT_ENABLE_FAST_INSTALL])
_LT_UNLESS_OPTIONS([LT_INIT], [aix-soname=aix aix-soname=both aix-soname=svr4],
[_LT_WITH_AIX_SONAME([aix])])
])
])# _LT_SET_OPTIONS
## --------------------------------- ##
## Macros to handle LT_INIT options. ##
## --------------------------------- ##
# _LT_MANGLE_DEFUN(MACRO-NAME, OPTION-NAME)
# -----------------------------------------
m4_define([_LT_MANGLE_DEFUN],
[[_LT_OPTION_DEFUN_]m4_bpatsubst(m4_toupper([$1__$2]), [[^A-Z0-9_]], [_])])
# LT_OPTION_DEFINE(MACRO-NAME, OPTION-NAME, CODE)
# -----------------------------------------------
m4_define([LT_OPTION_DEFINE],
[m4_define(_LT_MANGLE_DEFUN([$1], [$2]), [$3])[]dnl
])# LT_OPTION_DEFINE
# dlopen
# ------
LT_OPTION_DEFINE([LT_INIT], [dlopen], [enable_dlopen=yes
])
AU_DEFUN([AC_LIBTOOL_DLOPEN],
[_LT_SET_OPTION([LT_INIT], [dlopen])
AC_DIAGNOSE([obsolete],
[$0: Remove this warning and the call to _LT_SET_OPTION when you
put the 'dlopen' option into LT_INIT's first parameter.])
])
dnl aclocal-1.4 backwards compatibility:
dnl AC_DEFUN([AC_LIBTOOL_DLOPEN], [])
# win32-dll
# ---------
# Declare package support for building win32 dll's.
LT_OPTION_DEFINE([LT_INIT], [win32-dll],
[enable_win32_dll=yes
case $host in
*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-cegcc*)
AC_CHECK_TOOL(AS, as, false)
AC_CHECK_TOOL(DLLTOOL, dlltool, false)
AC_CHECK_TOOL(OBJDUMP, objdump, false)
;;
esac
test -z "$AS" && AS=as
_LT_DECL([], [AS], [1], [Assembler program])dnl
test -z "$DLLTOOL" && DLLTOOL=dlltool
_LT_DECL([], [DLLTOOL], [1], [DLL creation program])dnl
test -z "$OBJDUMP" && OBJDUMP=objdump
_LT_DECL([], [OBJDUMP], [1], [Object dumper program])dnl
])# win32-dll
AU_DEFUN([AC_LIBTOOL_WIN32_DLL],
[AC_REQUIRE([AC_CANONICAL_HOST])dnl
_LT_SET_OPTION([LT_INIT], [win32-dll])
AC_DIAGNOSE([obsolete],
[$0: Remove this warning and the call to _LT_SET_OPTION when you
put the 'win32-dll' option into LT_INIT's first parameter.])
])
dnl aclocal-1.4 backwards compatibility:
dnl AC_DEFUN([AC_LIBTOOL_WIN32_DLL], [])
# _LT_ENABLE_SHARED([DEFAULT])
# ----------------------------
# implement the --enable-shared flag, and supports the 'shared' and
# 'disable-shared' LT_INIT options.
# DEFAULT is either 'yes' or 'no'. If omitted, it defaults to 'yes'.
m4_define([_LT_ENABLE_SHARED],
[m4_define([_LT_ENABLE_SHARED_DEFAULT], [m4_if($1, no, no, yes)])dnl
AC_ARG_ENABLE([shared],
[AS_HELP_STRING([--enable-shared@<:@=PKGS@:>@],
[build shared libraries @<:@default=]_LT_ENABLE_SHARED_DEFAULT[@:>@])],
[p=${PACKAGE-default}
case $enableval in
yes) enable_shared=yes ;;
no) enable_shared=no ;;
*)
enable_shared=no
# Look at the argument we got. We use all the common list separators.
lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR,
for pkg in $enableval; do
IFS=$lt_save_ifs
if test "X$pkg" = "X$p"; then
enable_shared=yes
fi
done
IFS=$lt_save_ifs
;;
esac],
[enable_shared=]_LT_ENABLE_SHARED_DEFAULT)
_LT_DECL([build_libtool_libs], [enable_shared], [0],
[Whether or not to build shared libraries])
])# _LT_ENABLE_SHARED
LT_OPTION_DEFINE([LT_INIT], [shared], [_LT_ENABLE_SHARED([yes])])
LT_OPTION_DEFINE([LT_INIT], [disable-shared], [_LT_ENABLE_SHARED([no])])
# Old names:
AC_DEFUN([AC_ENABLE_SHARED],
[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[shared])
])
AC_DEFUN([AC_DISABLE_SHARED],
[_LT_SET_OPTION([LT_INIT], [disable-shared])
])
AU_DEFUN([AM_ENABLE_SHARED], [AC_ENABLE_SHARED($@)])
AU_DEFUN([AM_DISABLE_SHARED], [AC_DISABLE_SHARED($@)])
dnl aclocal-1.4 backwards compatibility:
dnl AC_DEFUN([AM_ENABLE_SHARED], [])
dnl AC_DEFUN([AM_DISABLE_SHARED], [])
# _LT_ENABLE_STATIC([DEFAULT])
# ----------------------------
# implement the --enable-static flag, and support the 'static' and
# 'disable-static' LT_INIT options.
# DEFAULT is either 'yes' or 'no'. If omitted, it defaults to 'yes'.
m4_define([_LT_ENABLE_STATIC],
[m4_define([_LT_ENABLE_STATIC_DEFAULT], [m4_if($1, no, no, yes)])dnl
AC_ARG_ENABLE([static],
[AS_HELP_STRING([--enable-static@<:@=PKGS@:>@],
[build static libraries @<:@default=]_LT_ENABLE_STATIC_DEFAULT[@:>@])],
[p=${PACKAGE-default}
case $enableval in
yes) enable_static=yes ;;
no) enable_static=no ;;
*)
enable_static=no
# Look at the argument we got. We use all the common list separators.
lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR,
for pkg in $enableval; do
IFS=$lt_save_ifs
if test "X$pkg" = "X$p"; then
enable_static=yes
fi
done
IFS=$lt_save_ifs
;;
esac],
[enable_static=]_LT_ENABLE_STATIC_DEFAULT)
_LT_DECL([build_old_libs], [enable_static], [0],
[Whether or not to build static libraries])
])# _LT_ENABLE_STATIC
LT_OPTION_DEFINE([LT_INIT], [static], [_LT_ENABLE_STATIC([yes])])
LT_OPTION_DEFINE([LT_INIT], [disable-static], [_LT_ENABLE_STATIC([no])])
# Old names:
AC_DEFUN([AC_ENABLE_STATIC],
[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[static])
])
AC_DEFUN([AC_DISABLE_STATIC],
[_LT_SET_OPTION([LT_INIT], [disable-static])
])
AU_DEFUN([AM_ENABLE_STATIC], [AC_ENABLE_STATIC($@)])
AU_DEFUN([AM_DISABLE_STATIC], [AC_DISABLE_STATIC($@)])
dnl aclocal-1.4 backwards compatibility:
dnl AC_DEFUN([AM_ENABLE_STATIC], [])
dnl AC_DEFUN([AM_DISABLE_STATIC], [])
# _LT_ENABLE_FAST_INSTALL([DEFAULT])
# ----------------------------------
# implement the --enable-fast-install flag, and support the 'fast-install'
# and 'disable-fast-install' LT_INIT options.
# DEFAULT is either 'yes' or 'no'. If omitted, it defaults to 'yes'.
m4_define([_LT_ENABLE_FAST_INSTALL],
[m4_define([_LT_ENABLE_FAST_INSTALL_DEFAULT], [m4_if($1, no, no, yes)])dnl
AC_ARG_ENABLE([fast-install],
[AS_HELP_STRING([--enable-fast-install@<:@=PKGS@:>@],
[optimize for fast installation @<:@default=]_LT_ENABLE_FAST_INSTALL_DEFAULT[@:>@])],
[p=${PACKAGE-default}
case $enableval in
yes) enable_fast_install=yes ;;
no) enable_fast_install=no ;;
*)
enable_fast_install=no
# Look at the argument we got. We use all the common list separators.
lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR,
for pkg in $enableval; do
IFS=$lt_save_ifs
if test "X$pkg" = "X$p"; then
enable_fast_install=yes
fi
done
IFS=$lt_save_ifs
;;
esac],
[enable_fast_install=]_LT_ENABLE_FAST_INSTALL_DEFAULT)
_LT_DECL([fast_install], [enable_fast_install], [0],
[Whether or not to optimize for fast installation])dnl
])# _LT_ENABLE_FAST_INSTALL
LT_OPTION_DEFINE([LT_INIT], [fast-install], [_LT_ENABLE_FAST_INSTALL([yes])])
LT_OPTION_DEFINE([LT_INIT], [disable-fast-install], [_LT_ENABLE_FAST_INSTALL([no])])
# Old names:
AU_DEFUN([AC_ENABLE_FAST_INSTALL],
[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[fast-install])
AC_DIAGNOSE([obsolete],
[$0: Remove this warning and the call to _LT_SET_OPTION when you put
the 'fast-install' option into LT_INIT's first parameter.])
])
AU_DEFUN([AC_DISABLE_FAST_INSTALL],
[_LT_SET_OPTION([LT_INIT], [disable-fast-install])
AC_DIAGNOSE([obsolete],
[$0: Remove this warning and the call to _LT_SET_OPTION when you put
the 'disable-fast-install' option into LT_INIT's first parameter.])
])
dnl aclocal-1.4 backwards compatibility:
dnl AC_DEFUN([AC_ENABLE_FAST_INSTALL], [])
dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], [])
# _LT_WITH_AIX_SONAME([DEFAULT])
# ----------------------------------
# implement the --with-aix-soname flag, and support the `aix-soname=aix'
# and `aix-soname=both' and `aix-soname=svr4' LT_INIT options. DEFAULT
# is either `aix', `both' or `svr4'. If omitted, it defaults to `aix'.
m4_define([_LT_WITH_AIX_SONAME],
[m4_define([_LT_WITH_AIX_SONAME_DEFAULT], [m4_if($1, svr4, svr4, m4_if($1, both, both, aix))])dnl
shared_archive_member_spec=
case $host,$enable_shared in
power*-*-aix[[5-9]]*,yes)
AC_MSG_CHECKING([which variant of shared library versioning to provide])
AC_ARG_WITH([aix-soname],
[AS_HELP_STRING([--with-aix-soname=aix|svr4|both],
[shared library versioning (aka "SONAME") variant to provide on AIX, @<:@default=]_LT_WITH_AIX_SONAME_DEFAULT[@:>@.])],
[case $withval in
aix|svr4|both)
;;
*)
AC_MSG_ERROR([Unknown argument to --with-aix-soname])
;;
esac
lt_cv_with_aix_soname=$with_aix_soname],
[AC_CACHE_VAL([lt_cv_with_aix_soname],
[lt_cv_with_aix_soname=]_LT_WITH_AIX_SONAME_DEFAULT)
with_aix_soname=$lt_cv_with_aix_soname])
AC_MSG_RESULT([$with_aix_soname])
if test aix != "$with_aix_soname"; then
# For the AIX way of multilib, we name the shared archive member
# based on the bitwidth used, traditionally 'shr.o' or 'shr_64.o',
# and 'shr.imp' or 'shr_64.imp', respectively, for the Import File.
# Even when GNU compilers ignore OBJECT_MODE but need '-maix64' flag,
# the AIX toolchain works better with OBJECT_MODE set (default 32).
if test 64 = "${OBJECT_MODE-32}"; then
shared_archive_member_spec=shr_64
else
shared_archive_member_spec=shr
fi
fi
;;
*)
with_aix_soname=aix
;;
esac
_LT_DECL([], [shared_archive_member_spec], [0],
[Shared archive member basename, for filename based shared library versioning on AIX])dnl
])# _LT_WITH_AIX_SONAME
LT_OPTION_DEFINE([LT_INIT], [aix-soname=aix], [_LT_WITH_AIX_SONAME([aix])])
LT_OPTION_DEFINE([LT_INIT], [aix-soname=both], [_LT_WITH_AIX_SONAME([both])])
LT_OPTION_DEFINE([LT_INIT], [aix-soname=svr4], [_LT_WITH_AIX_SONAME([svr4])])
# _LT_WITH_PIC([MODE])
# --------------------
# implement the --with-pic flag, and support the 'pic-only' and 'no-pic'
# LT_INIT options.
# MODE is either 'yes' or 'no'. If omitted, it defaults to 'both'.
m4_define([_LT_WITH_PIC],
[AC_ARG_WITH([pic],
[AS_HELP_STRING([--with-pic@<:@=PKGS@:>@],
[try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
[lt_p=${PACKAGE-default}
case $withval in
yes|no) pic_mode=$withval ;;
*)
pic_mode=default
# Look at the argument we got. We use all the common list separators.
lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR,
for lt_pkg in $withval; do
IFS=$lt_save_ifs
if test "X$lt_pkg" = "X$lt_p"; then
pic_mode=yes
fi
done
IFS=$lt_save_ifs
;;
esac],
[pic_mode=m4_default([$1], [default])])
_LT_DECL([], [pic_mode], [0], [What type of objects to build])dnl
])# _LT_WITH_PIC
LT_OPTION_DEFINE([LT_INIT], [pic-only], [_LT_WITH_PIC([yes])])
LT_OPTION_DEFINE([LT_INIT], [no-pic], [_LT_WITH_PIC([no])])
# Old name:
AU_DEFUN([AC_LIBTOOL_PICMODE],
[_LT_SET_OPTION([LT_INIT], [pic-only])
AC_DIAGNOSE([obsolete],
[$0: Remove this warning and the call to _LT_SET_OPTION when you
put the 'pic-only' option into LT_INIT's first parameter.])
])
dnl aclocal-1.4 backwards compatibility:
dnl AC_DEFUN([AC_LIBTOOL_PICMODE], [])
## ----------------- ##
## LTDL_INIT Options ##
## ----------------- ##
m4_define([_LTDL_MODE], [])
LT_OPTION_DEFINE([LTDL_INIT], [nonrecursive],
[m4_define([_LTDL_MODE], [nonrecursive])])
LT_OPTION_DEFINE([LTDL_INIT], [recursive],
[m4_define([_LTDL_MODE], [recursive])])
LT_OPTION_DEFINE([LTDL_INIT], [subproject],
[m4_define([_LTDL_MODE], [subproject])])
m4_define([_LTDL_TYPE], [])
LT_OPTION_DEFINE([LTDL_INIT], [installable],
[m4_define([_LTDL_TYPE], [installable])])
LT_OPTION_DEFINE([LTDL_INIT], [convenience],
[m4_define([_LTDL_TYPE], [convenience])])

124
m4/ltsugar.m4 vendored Normal file
View File

@ -0,0 +1,124 @@
# ltsugar.m4 -- libtool m4 base layer. -*-Autoconf-*-
#
# Copyright (C) 2004-2005, 2007-2008, 2011-2015 Free Software
# Foundation, Inc.
# Written by Gary V. Vaughan, 2004
#
# This file is free software; the Free Software Foundation gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
# serial 6 ltsugar.m4
# This is to help aclocal find these macros, as it can't see m4_define.
AC_DEFUN([LTSUGAR_VERSION], [m4_if([0.1])])
# lt_join(SEP, ARG1, [ARG2...])
# -----------------------------
# Produce ARG1SEPARG2...SEPARGn, omitting [] arguments and their
# associated separator.
# Needed until we can rely on m4_join from Autoconf 2.62, since all earlier
# versions in m4sugar had bugs.
m4_define([lt_join],
[m4_if([$#], [1], [],
[$#], [2], [[$2]],
[m4_if([$2], [], [], [[$2]_])$0([$1], m4_shift(m4_shift($@)))])])
m4_define([_lt_join],
[m4_if([$#$2], [2], [],
[m4_if([$2], [], [], [[$1$2]])$0([$1], m4_shift(m4_shift($@)))])])
# lt_car(LIST)
# lt_cdr(LIST)
# ------------
# Manipulate m4 lists.
# These macros are necessary as long as will still need to support
# Autoconf-2.59, which quotes differently.
m4_define([lt_car], [[$1]])
m4_define([lt_cdr],
[m4_if([$#], 0, [m4_fatal([$0: cannot be called without arguments])],
[$#], 1, [],
[m4_dquote(m4_shift($@))])])
m4_define([lt_unquote], $1)
# lt_append(MACRO-NAME, STRING, [SEPARATOR])
# ------------------------------------------
# Redefine MACRO-NAME to hold its former content plus 'SEPARATOR''STRING'.
# Note that neither SEPARATOR nor STRING are expanded; they are appended
# to MACRO-NAME as is (leaving the expansion for when MACRO-NAME is invoked).
# No SEPARATOR is output if MACRO-NAME was previously undefined (different
# than defined and empty).
#
# This macro is needed until we can rely on Autoconf 2.62, since earlier
# versions of m4sugar mistakenly expanded SEPARATOR but not STRING.
m4_define([lt_append],
[m4_define([$1],
m4_ifdef([$1], [m4_defn([$1])[$3]])[$2])])
# lt_combine(SEP, PREFIX-LIST, INFIX, SUFFIX1, [SUFFIX2...])
# ----------------------------------------------------------
# Produce a SEP delimited list of all paired combinations of elements of
# PREFIX-LIST with SUFFIX1 through SUFFIXn. Each element of the list
# has the form PREFIXmINFIXSUFFIXn.
# Needed until we can rely on m4_combine added in Autoconf 2.62.
m4_define([lt_combine],
[m4_if(m4_eval([$# > 3]), [1],
[m4_pushdef([_Lt_sep], [m4_define([_Lt_sep], m4_defn([lt_car]))])]]dnl
[[m4_foreach([_Lt_prefix], [$2],
[m4_foreach([_Lt_suffix],
]m4_dquote(m4_dquote(m4_shift(m4_shift(m4_shift($@)))))[,
[_Lt_sep([$1])[]m4_defn([_Lt_prefix])[$3]m4_defn([_Lt_suffix])])])])])
# lt_if_append_uniq(MACRO-NAME, VARNAME, [SEPARATOR], [UNIQ], [NOT-UNIQ])
# -----------------------------------------------------------------------
# Iff MACRO-NAME does not yet contain VARNAME, then append it (delimited
# by SEPARATOR if supplied) and expand UNIQ, else NOT-UNIQ.
m4_define([lt_if_append_uniq],
[m4_ifdef([$1],
[m4_if(m4_index([$3]m4_defn([$1])[$3], [$3$2$3]), [-1],
[lt_append([$1], [$2], [$3])$4],
[$5])],
[lt_append([$1], [$2], [$3])$4])])
# lt_dict_add(DICT, KEY, VALUE)
# -----------------------------
m4_define([lt_dict_add],
[m4_define([$1($2)], [$3])])
# lt_dict_add_subkey(DICT, KEY, SUBKEY, VALUE)
# --------------------------------------------
m4_define([lt_dict_add_subkey],
[m4_define([$1($2:$3)], [$4])])
# lt_dict_fetch(DICT, KEY, [SUBKEY])
# ----------------------------------
m4_define([lt_dict_fetch],
[m4_ifval([$3],
m4_ifdef([$1($2:$3)], [m4_defn([$1($2:$3)])]),
m4_ifdef([$1($2)], [m4_defn([$1($2)])]))])
# lt_if_dict_fetch(DICT, KEY, [SUBKEY], VALUE, IF-TRUE, [IF-FALSE])
# -----------------------------------------------------------------
m4_define([lt_if_dict_fetch],
[m4_if(lt_dict_fetch([$1], [$2], [$3]), [$4],
[$5],
[$6])])
# lt_dict_filter(DICT, [SUBKEY], VALUE, [SEPARATOR], KEY, [...])
# --------------------------------------------------------------
m4_define([lt_dict_filter],
[m4_if([$5], [], [],
[lt_join(m4_quote(m4_default([$4], [[, ]])),
lt_unquote(m4_split(m4_normalize(m4_foreach(_Lt_key, lt_car([m4_shiftn(4, $@)]),
[lt_if_dict_fetch([$1], _Lt_key, [$2], [$3], [_Lt_key ])])))))])[]dnl
])

23
m4/ltversion.m4 vendored Normal file
View File

@ -0,0 +1,23 @@
# ltversion.m4 -- version numbers -*- Autoconf -*-
#
# Copyright (C) 2004, 2011-2015 Free Software Foundation, Inc.
# Written by Scott James Remnant, 2004
#
# This file is free software; the Free Software Foundation gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
# @configure_input@
# serial 4179 ltversion.m4
# This file is part of GNU Libtool
m4_define([LT_PACKAGE_VERSION], [2.4.6])
m4_define([LT_PACKAGE_REVISION], [2.4.6])
AC_DEFUN([LTVERSION_VERSION],
[macro_version='2.4.6'
macro_revision='2.4.6'
_LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?])
_LT_DECL(, macro_revision, 0)
])

99
m4/lt~obsolete.m4 vendored Normal file
View File

@ -0,0 +1,99 @@
# lt~obsolete.m4 -- aclocal satisfying obsolete definitions. -*-Autoconf-*-
#
# Copyright (C) 2004-2005, 2007, 2009, 2011-2015 Free Software
# Foundation, Inc.
# Written by Scott James Remnant, 2004.
#
# This file is free software; the Free Software Foundation gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
# serial 5 lt~obsolete.m4
# These exist entirely to fool aclocal when bootstrapping libtool.
#
# In the past libtool.m4 has provided macros via AC_DEFUN (or AU_DEFUN),
# which have later been changed to m4_define as they aren't part of the
# exported API, or moved to Autoconf or Automake where they belong.
#
# The trouble is, aclocal is a bit thick. It'll see the old AC_DEFUN
# in /usr/share/aclocal/libtool.m4 and remember it, then when it sees us
# using a macro with the same name in our local m4/libtool.m4 it'll
# pull the old libtool.m4 in (it doesn't see our shiny new m4_define
# and doesn't know about Autoconf macros at all.)
#
# So we provide this file, which has a silly filename so it's always
# included after everything else. This provides aclocal with the
# AC_DEFUNs it wants, but when m4 processes it, it doesn't do anything
# because those macros already exist, or will be overwritten later.
# We use AC_DEFUN over AU_DEFUN for compatibility with aclocal-1.6.
#
# Anytime we withdraw an AC_DEFUN or AU_DEFUN, remember to add it here.
# Yes, that means every name once taken will need to remain here until
# we give up compatibility with versions before 1.7, at which point
# we need to keep only those names which we still refer to.
# This is to help aclocal find these macros, as it can't see m4_define.
AC_DEFUN([LTOBSOLETE_VERSION], [m4_if([1])])
m4_ifndef([AC_LIBTOOL_LINKER_OPTION], [AC_DEFUN([AC_LIBTOOL_LINKER_OPTION])])
m4_ifndef([AC_PROG_EGREP], [AC_DEFUN([AC_PROG_EGREP])])
m4_ifndef([_LT_AC_PROG_ECHO_BACKSLASH], [AC_DEFUN([_LT_AC_PROG_ECHO_BACKSLASH])])
m4_ifndef([_LT_AC_SHELL_INIT], [AC_DEFUN([_LT_AC_SHELL_INIT])])
m4_ifndef([_LT_AC_SYS_LIBPATH_AIX], [AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX])])
m4_ifndef([_LT_PROG_LTMAIN], [AC_DEFUN([_LT_PROG_LTMAIN])])
m4_ifndef([_LT_AC_TAGVAR], [AC_DEFUN([_LT_AC_TAGVAR])])
m4_ifndef([AC_LTDL_ENABLE_INSTALL], [AC_DEFUN([AC_LTDL_ENABLE_INSTALL])])
m4_ifndef([AC_LTDL_PREOPEN], [AC_DEFUN([AC_LTDL_PREOPEN])])
m4_ifndef([_LT_AC_SYS_COMPILER], [AC_DEFUN([_LT_AC_SYS_COMPILER])])
m4_ifndef([_LT_AC_LOCK], [AC_DEFUN([_LT_AC_LOCK])])
m4_ifndef([AC_LIBTOOL_SYS_OLD_ARCHIVE], [AC_DEFUN([AC_LIBTOOL_SYS_OLD_ARCHIVE])])
m4_ifndef([_LT_AC_TRY_DLOPEN_SELF], [AC_DEFUN([_LT_AC_TRY_DLOPEN_SELF])])
m4_ifndef([AC_LIBTOOL_PROG_CC_C_O], [AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O])])
m4_ifndef([AC_LIBTOOL_SYS_HARD_LINK_LOCKS], [AC_DEFUN([AC_LIBTOOL_SYS_HARD_LINK_LOCKS])])
m4_ifndef([AC_LIBTOOL_OBJDIR], [AC_DEFUN([AC_LIBTOOL_OBJDIR])])
m4_ifndef([AC_LTDL_OBJDIR], [AC_DEFUN([AC_LTDL_OBJDIR])])
m4_ifndef([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH], [AC_DEFUN([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH])])
m4_ifndef([AC_LIBTOOL_SYS_LIB_STRIP], [AC_DEFUN([AC_LIBTOOL_SYS_LIB_STRIP])])
m4_ifndef([AC_PATH_MAGIC], [AC_DEFUN([AC_PATH_MAGIC])])
m4_ifndef([AC_PROG_LD_GNU], [AC_DEFUN([AC_PROG_LD_GNU])])
m4_ifndef([AC_PROG_LD_RELOAD_FLAG], [AC_DEFUN([AC_PROG_LD_RELOAD_FLAG])])
m4_ifndef([AC_DEPLIBS_CHECK_METHOD], [AC_DEFUN([AC_DEPLIBS_CHECK_METHOD])])
m4_ifndef([AC_LIBTOOL_PROG_COMPILER_NO_RTTI], [AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_NO_RTTI])])
m4_ifndef([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE], [AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE])])
m4_ifndef([AC_LIBTOOL_PROG_COMPILER_PIC], [AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_PIC])])
m4_ifndef([AC_LIBTOOL_PROG_LD_SHLIBS], [AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS])])
m4_ifndef([AC_LIBTOOL_POSTDEP_PREDEP], [AC_DEFUN([AC_LIBTOOL_POSTDEP_PREDEP])])
m4_ifndef([LT_AC_PROG_EGREP], [AC_DEFUN([LT_AC_PROG_EGREP])])
m4_ifndef([LT_AC_PROG_SED], [AC_DEFUN([LT_AC_PROG_SED])])
m4_ifndef([_LT_CC_BASENAME], [AC_DEFUN([_LT_CC_BASENAME])])
m4_ifndef([_LT_COMPILER_BOILERPLATE], [AC_DEFUN([_LT_COMPILER_BOILERPLATE])])
m4_ifndef([_LT_LINKER_BOILERPLATE], [AC_DEFUN([_LT_LINKER_BOILERPLATE])])
m4_ifndef([_AC_PROG_LIBTOOL], [AC_DEFUN([_AC_PROG_LIBTOOL])])
m4_ifndef([AC_LIBTOOL_SETUP], [AC_DEFUN([AC_LIBTOOL_SETUP])])
m4_ifndef([_LT_AC_CHECK_DLFCN], [AC_DEFUN([_LT_AC_CHECK_DLFCN])])
m4_ifndef([AC_LIBTOOL_SYS_DYNAMIC_LINKER], [AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER])])
m4_ifndef([_LT_AC_TAGCONFIG], [AC_DEFUN([_LT_AC_TAGCONFIG])])
m4_ifndef([AC_DISABLE_FAST_INSTALL], [AC_DEFUN([AC_DISABLE_FAST_INSTALL])])
m4_ifndef([_LT_AC_LANG_CXX], [AC_DEFUN([_LT_AC_LANG_CXX])])
m4_ifndef([_LT_AC_LANG_F77], [AC_DEFUN([_LT_AC_LANG_F77])])
m4_ifndef([_LT_AC_LANG_GCJ], [AC_DEFUN([_LT_AC_LANG_GCJ])])
m4_ifndef([AC_LIBTOOL_LANG_C_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG])])
m4_ifndef([_LT_AC_LANG_C_CONFIG], [AC_DEFUN([_LT_AC_LANG_C_CONFIG])])
m4_ifndef([AC_LIBTOOL_LANG_CXX_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG])])
m4_ifndef([_LT_AC_LANG_CXX_CONFIG], [AC_DEFUN([_LT_AC_LANG_CXX_CONFIG])])
m4_ifndef([AC_LIBTOOL_LANG_F77_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_F77_CONFIG])])
m4_ifndef([_LT_AC_LANG_F77_CONFIG], [AC_DEFUN([_LT_AC_LANG_F77_CONFIG])])
m4_ifndef([AC_LIBTOOL_LANG_GCJ_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_GCJ_CONFIG])])
m4_ifndef([_LT_AC_LANG_GCJ_CONFIG], [AC_DEFUN([_LT_AC_LANG_GCJ_CONFIG])])
m4_ifndef([AC_LIBTOOL_LANG_RC_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG])])
m4_ifndef([_LT_AC_LANG_RC_CONFIG], [AC_DEFUN([_LT_AC_LANG_RC_CONFIG])])
m4_ifndef([AC_LIBTOOL_CONFIG], [AC_DEFUN([AC_LIBTOOL_CONFIG])])
m4_ifndef([_LT_AC_FILE_LTDLL_C], [AC_DEFUN([_LT_AC_FILE_LTDLL_C])])
m4_ifndef([_LT_REQUIRED_DARWIN_CHECKS], [AC_DEFUN([_LT_REQUIRED_DARWIN_CHECKS])])
m4_ifndef([_LT_AC_PROG_CXXCPP], [AC_DEFUN([_LT_AC_PROG_CXXCPP])])
m4_ifndef([_LT_PREPARE_SED_QUOTE_VARS], [AC_DEFUN([_LT_PREPARE_SED_QUOTE_VARS])])
m4_ifndef([_LT_PROG_ECHO_BACKSLASH], [AC_DEFUN([_LT_PROG_ECHO_BACKSLASH])])
m4_ifndef([_LT_PROG_F77], [AC_DEFUN([_LT_PROG_F77])])
m4_ifndef([_LT_PROG_FC], [AC_DEFUN([_LT_PROG_FC])])
m4_ifndef([_LT_PROG_CXX], [AC_DEFUN([_LT_PROG_CXX])])

84
src/Makefile.am Normal file
View File

@ -0,0 +1,84 @@
## Process this file with automake to produce Makefile.in
# by Michal Trojnara 2015-2017
###############################################################################
# File lists #
###############################################################################
common_headers = common.h prototypes.h version.h
common_sources = tls.c str.c file.c client.c log.c options.c protocol.c
common_sources += network.c resolver.c ssl.c ctx.c verify.c sthreads.c
common_sources += fd.c dhparam.c cron.c stunnel.c
unix_sources = pty.c libwrap.c ui_unix.c
shared_sources = env.c
win32_gui_sources = ui_win_gui.c resources.h resources.rc
win32_gui_sources += stunnel.ico active.ico error.ico idle.ico
win32_cli_sources = ui_win_cli.c
###############################################################################
# Generate a new set of DH parameters for each version #
###############################################################################
dhparam.c: version.h
echo '#include "common.h"' >dhparam.c
echo '#ifndef OPENSSL_NO_DH' >>dhparam.c
echo '#define DN_new DH_new' >>dhparam.c
openssl dhparam -noout -C 2048 >>dhparam.c
echo '#endif /* OPENSSL_NO_DH */' >>dhparam.c
###############################################################################
# Unix executables and shared library #
###############################################################################
bin_PROGRAMS = stunnel
stunnel_SOURCES = $(common_headers) $(common_sources) $(unix_sources)
bin_SCRIPTS = stunnel3
EXTRA_DIST = stunnel3.in
CLEANFILES = stunnel3
# Red Hat "by design" bug #82369
stunnel_CPPFLAGS = -I/usr/kerberos/include
# Additional preprocesor definitions
stunnel_CPPFLAGS += -I$(SSLDIR)/include
stunnel_CPPFLAGS += -DLIBDIR='"$(pkglibdir)"'
stunnel_CPPFLAGS += -DCONFDIR='"$(sysconfdir)/stunnel"'
# TLS library
stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto
# stunnel3 script
edit = sed \
-e 's|@bindir[@]|$(bindir)|g'
stunnel3: Makefile
$(edit) '$(srcdir)/$@.in' >$@
stunnel3: $(srcdir)/stunnel3.in
# Unix shared library
pkglib_LTLIBRARIES = libstunnel.la
libstunnel_la_SOURCES = $(shared_sources)
libstunnel_la_LDFLAGS = -avoid-version
###############################################################################
# Win32 executables #
###############################################################################
if AUTHOR_TESTS
# Just check if the programs can be built, don't perform any actual tests
#check-local: mingw mingw64
endif
mingw:
$(MAKE) -f $(srcdir)/mingw.mk srcdir=$(srcdir) win32_targetcpu=i686 win32_mingw=mingw
mingw64:
$(MAKE) -f $(srcdir)/mingw.mk srcdir=$(srcdir) win32_targetcpu=x86_64 win32_mingw=mingw64
.PHONY: mingw mingw64
clean-local:
rm -rf ../obj ../bin
# Remaining files to be included
EXTRA_DIST += $(win32_gui_sources) $(win32_cli_sources)
EXTRA_DIST += make.bat makece.bat makew32.bat
EXTRA_DIST += mingw.mk mingw.mak evc.mak vc.mak os2.mak

1157
src/Makefile.in Normal file
View File

File diff suppressed because it is too large Load Diff

BIN
src/active.ico Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.1 KiB

1619
src/client.c Normal file
View File

File diff suppressed because it is too large Load Diff

525
src/common.h Normal file
View File

@ -0,0 +1,525 @@
/*
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#ifndef COMMON_H
#define COMMON_H
#include "version.h"
/**************************************** common constants */
#define LIBWRAP_CLIENTS 5
/* CPU stack size */
#define DEFAULT_STACK_SIZE 65536
/* #define DEBUG_STACK_SIZE */
/* I/O buffer size: 18432 (0x4800) is the maximum size of TLS record payload */
#define BUFFSIZE 18432
/* how many bytes of random input to read from files for PRNG */
/* OpenSSL likes at least 128 bits, so 64 bytes seems plenty. */
#define RANDOM_BYTES 64
/* for FormatGuard */
/* #define __NO_FORMATGUARD_ */
/* additional diagnostic messages */
/* #define DEBUG_FD_ALLOC */
#ifdef DEBUG_INFO
#define NOEXPORT
#else
#define NOEXPORT static
#endif
/**************************************** platform */
#ifdef _WIN32
#define USE_WIN32
#endif
#ifdef _WIN32_WCE
#define USE_WIN32
typedef int socklen_t;
#endif
#ifdef USE_WIN32
typedef signed char int8_t;
typedef signed short int16_t;
typedef signed int int32_t;
typedef signed long long int64_t;
typedef unsigned char uint8_t;
typedef unsigned short uint16_t;
typedef unsigned int uint32_t;
typedef unsigned long long uint64_t;
#ifndef __MINGW32__
#ifdef _WIN64
typedef __int64 ssize_t;
#else /* _WIN64 */
typedef int ssize_t;
#endif /* _WIN64 */
#endif /* !__MINGW32__ */
#define PATH_MAX MAX_PATH
#define USE_IPv6
#define _CRT_SECURE_NO_DEPRECATE
#define _CRT_NONSTDC_NO_DEPRECATE
#define _CRT_NON_CONFORMING_SWPRINTFS
/* prevent including wincrypt.h, as it defines its own OCSP_RESPONSE */
#define __WINCRYPT_H__
#define S_EADDRINUSE WSAEADDRINUSE
/* winsock does not define WSAEAGAIN */
/* in most (but not all!) BSD implementations EAGAIN==EWOULDBLOCK */
#define S_EAGAIN WSAEWOULDBLOCK
#define S_ECONNRESET WSAECONNRESET
#define S_EINPROGRESS WSAEINPROGRESS
#define S_EINTR WSAEINTR
#define S_EINVAL WSAEINVAL
#define S_EISCONN WSAEISCONN
#define S_EMFILE WSAEMFILE
/* winsock does not define WSAENFILE */
#define S_ENOBUFS WSAENOBUFS
/* winsock does not define WSAENOMEM */
#define S_ENOPROTOOPT WSAENOPROTOOPT
#define S_ENOTSOCK WSAENOTSOCK
#define S_EOPNOTSUPP WSAEOPNOTSUPP
#define S_EWOULDBLOCK WSAEWOULDBLOCK
#define S_ECONNABORTED WSAECONNABORTED
#else /* USE_WIN32 */
#define S_EADDRINUSE EADDRINUSE
#define S_EAGAIN EAGAIN
#define S_ECONNRESET ECONNRESET
#define S_EINPROGRESS EINPROGRESS
#define S_EINTR EINTR
#define S_EINVAL EINVAL
#define S_EISCONN EISCONN
#define S_EMFILE EMFILE
#ifdef ENFILE
#define S_ENFILE ENFILE
#endif
#ifdef ENOBUFS
#define S_ENOBUFS ENOBUFS
#endif
#ifdef ENOMEM
#define S_ENOMEM ENOMEM
#endif
#define S_ENOPROTOOPT ENOPROTOOPT
#define S_ENOTSOCK ENOTSOCK
#define S_EOPNOTSUPP EOPNOTSUPP
#define S_EWOULDBLOCK EWOULDBLOCK
#define S_ECONNABORTED ECONNABORTED
#endif /* USE_WIN32 */
/**************************************** generic headers */
#ifdef __vms
#include <starlet.h>
#endif /* __vms */
/* for nsr-tandem-nsk architecture */
#ifdef __TANDEM
#include <floss.h>
#endif
/* threads model */
#ifdef USE_UCONTEXT
#define __MAKECONTEXT_V2_SOURCE
#include <ucontext.h>
#endif
#ifdef USE_PTHREAD
#ifndef THREADS
#define THREADS
#endif
#ifndef _REENTRANT
/* _REENTRANT is required for thread-safe errno on Solaris */
#define _REENTRANT
#endif
#ifndef _THREAD_SAFE
#define _THREAD_SAFE
#endif
#include <pthread.h>
#endif
/* systemd */
#ifdef USE_SYSTEMD
#include <systemd/sd-daemon.h>
#endif
#ifdef HAVE_STDINT_H
#include <stdint.h>
#endif
#ifdef HAVE_INTTYPES_H
#include <inttypes.h>
#endif
/* must be included before sys/stat.h for Ultrix */
/* must be included before sys/socket.h for OpenBSD */
#include <sys/types.h> /* u_short, u_long */
/* general headers */
#include <stdio.h>
/* must be included before sys/stat.h for Ultrix */
#ifndef _WIN32_WCE
#include <errno.h>
#endif
#include <stdlib.h>
#include <stdarg.h> /* va_ */
#include <string.h>
#include <ctype.h> /* isalnum */
#include <time.h>
#include <sys/stat.h> /* stat */
#include <setjmp.h>
#include <fcntl.h>
/**************************************** WIN32 headers */
#ifdef USE_WIN32
#define HAVE_STRUCT_ADDRINFO
#define HAVE_SNPRINTF
#define snprintf _snprintf
#define HAVE_VSNPRINTF
#define vsnprintf _vsnprintf
#define strcasecmp _stricmp
#define strncasecmp _strnicmp
#define sleep(c) Sleep(1000*(c))
#define get_last_socket_error() WSAGetLastError()
#define set_last_socket_error(e) WSASetLastError(e)
#define get_last_error() GetLastError()
#define set_last_error(e) SetLastError(e)
#define readsocket(s,b,n) recv((s),(b),(int)(n),0)
#define writesocket(s,b,n) send((s),(b),(int)(n),0)
/* #define Win32_Winsock */
#define __USE_W32_SOCKETS
/* Winsock2 header for IPv6 definitions */
#include <winsock2.h>
#include <ws2tcpip.h>
#include <windows.h>
#include <process.h> /* _beginthread */
#include <shlobj.h> /* SHGetFolderPath */
#include <tchar.h>
#include "resources.h"
/**************************************** non-WIN32 headers */
#else /* USE_WIN32 */
#ifdef __INNOTEK_LIBC__
#define socklen_t __socklen_t
#define strcasecmp stricmp
#define strncasecmp strnicmp
#define NI_NUMERICHOST 1
#define NI_NUMERICSERV 2
#define get_last_socket_error() sock_errno()
#define set_last_socket_error(e) ()
#define get_last_error() errno
#define set_last_error(e) (errno=(e))
#define readsocket(s,b,n) recv((s),(b),(n),0)
#define writesocket(s,b,n) send((s),(b),(n),0)
#define closesocket(s) close(s)
#define ioctlsocket(a,b,c) so_ioctl((a),(b),(c))
#else
#define get_last_socket_error() errno
#define set_last_socket_error(e) (errno=(e))
#define get_last_error() errno
#define set_last_error(e) (errno=(e))
#define readsocket(s,b,n) read((s),(b),(n))
#define writesocket(s,b,n) write((s),(b),(n))
#define closesocket(s) close(s)
#define ioctlsocket(a,b,c) ioctl((a),(b),(c))
#endif
typedef int SOCKET;
#define INVALID_SOCKET (-1)
/* OpenVMS compatibility */
#ifdef __vms
#define LIBDIR "__NA__"
#ifdef __alpha
#define HOST "alpha-openvms"
#else
#define HOST "vax-openvms"
#endif
#include <inet.h>
#include <unistd.h>
#else /* __vms */
#include <syslog.h>
#endif /* __vms */
/* Unix-specific headers */
#include <signal.h> /* signal */
#include <sys/wait.h> /* wait */
#ifdef HAVE_LIMITS_H
#include <limits.h> /* INT_MAX */
#endif
#ifdef HAVE_SYS_RESOURCE_H
#include <sys/resource.h> /* getrlimit */
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h> /* getpid, fork, execvp, exit */
#endif
#ifdef HAVE_STROPTS_H
#include <stropts.h>
#endif
#ifdef HAVE_MALLOC_H
#include <malloc.h> /* mallopt */
#endif
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h> /* for aix */
#endif
#include <dirent.h>
#if defined(HAVE_POLL) && !defined(BROKEN_POLL)
#ifdef HAVE_POLL_H
#include <poll.h>
#define USE_POLL
#else /* HAVE_POLL_H */
#ifdef HAVE_SYS_POLL_H
#include <sys/poll.h>
#define USE_POLL
#endif /* HAVE_SYS_POLL_H */
#endif /* HAVE_POLL_H */
#endif /* HAVE_POLL && !BROKEN_POLL */
#ifdef HAVE_SYS_FILIO_H
#include <sys/filio.h> /* for FIONBIO */
#endif
#include <pwd.h>
#ifdef HAVE_GRP_H
#include <grp.h>
#endif
#ifdef __BEOS__
#include <posix/grp.h>
#endif
#ifdef HAVE_SYS_UIO_H
#include <sys/uio.h> /* struct iovec */
#endif /* HAVE_SYS_UIO_H */
/* BSD sockets */
#include <netinet/in.h> /* struct sockaddr_in */
#include <sys/socket.h> /* getpeername */
#include <arpa/inet.h> /* inet_ntoa */
#include <sys/time.h> /* select */
#include <sys/ioctl.h> /* ioctl */
#ifdef HAVE_SYS_UN_H
#include <sys/un.h>
#endif
#include <netinet/tcp.h>
#include <netdb.h>
#ifndef INADDR_ANY
#define INADDR_ANY (u32)0x00000000
#endif
#ifndef INADDR_LOOPBACK
#define INADDR_LOOPBACK (u32)0x7F000001
#endif
#if defined(HAVE_WAITPID)
/* for SYSV systems */
#define wait_for_pid(a, b, c) waitpid((a), (b), (c))
#define HAVE_WAIT_FOR_PID 1
#elif defined(HAVE_WAIT4)
/* for BSD systems */
#define wait_for_pid(a, b, c) wait4((a), (b), (c), NULL)
#define HAVE_WAIT_FOR_PID 1
#endif
/* SunOS 4 */
#if defined(sun) && !defined(__svr4__) && !defined(__SVR4)
#define atexit(a) on_exit((a), NULL)
extern int sys_nerr;
extern char *sys_errlist[];
#define strerror(num) ((num)==0 ? "No error" : \
((num)>=sys_nerr ? "Unknown error" : sys_errlist[num]))
#endif /* SunOS 4 */
/* AIX does not have SOL_TCP defined */
#ifndef SOL_TCP
#define SOL_TCP SOL_SOCKET
#endif /* SOL_TCP */
/* Linux */
#ifdef __linux__
#ifndef IP_FREEBIND
/* kernel headers without IP_FREEBIND definition */
#define IP_FREEBIND 15
#endif /* IP_FREEBIND */
#ifndef IP_TRANSPARENT
/* kernel headers without IP_TRANSPARENT definition */
#define IP_TRANSPARENT 19
#endif /* IP_TRANSPARENT */
#ifdef HAVE_LINUX_NETFILTER_IPV4_H
#include <limits.h>
#include <linux/types.h>
#include <linux/netfilter_ipv4.h>
#endif /* HAVE_LINUX_NETFILTER_IPV4_H */
#endif /* __linux__ */
#ifdef HAVE_SYS_SYSCALL_H
#include <sys/syscall.h> /* SYS_gettid */
#endif
#ifdef HAVE_LINUX_SCHED_H
#include <linux/sched.h> /* SCHED_BATCH */
#endif
#endif /* USE_WIN32 */
#ifndef S_ISREG
#define S_ISREG(m) (((m)&S_IFMT)==S_IFREG)
#endif
/**************************************** OpenSSL headers */
#define OPENSSL_THREAD_DEFINES
#include <openssl/opensslconf.h>
/* opensslv.h requires prior opensslconf.h to include -fips in version string */
#include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER<0x0090700fL
#error OpenSSL 0.9.7 or later is required
#endif /* OpenSSL older than 0.9.7 */
#if defined(USE_PTHREAD) && !defined(OPENSSL_THREADS)
#error OpenSSL library compiled without thread support
#endif /* !OPENSSL_THREADS && USE_PTHREAD */
#if OPENSSL_VERSION_NUMBER<0x0090800fL
#define OPENSSL_NO_ECDH
#define OPENSSL_NO_COMP
#endif /* OpenSSL older than 0.9.8 */
/* non-blocking OCSP API is not available before OpenSSL 0.9.8h */
#if OPENSSL_VERSION_NUMBER<0x00908080L
#ifndef OPENSSL_NO_OCSP
#define OPENSSL_NO_OCSP
#endif /* !defined(OPENSSL_NO_OCSP) */
#endif /* OpenSSL older than 0.9.8h */
#if OPENSSL_VERSION_NUMBER<0x00908060L
#define OPENSSL_NO_TLSEXT
#endif /* OpenSSL older than 0.9.8f */
#if OPENSSL_VERSION_NUMBER<0x10000000L
#define OPENSSL_NO_PSK
#endif /* OpenSSL older than 1.0.0 */
#if OPENSSL_VERSION_NUMBER<0x10001000L || defined(OPENSSL_NO_TLS1)
#define OPENSSL_NO_TLS1_1
#define OPENSSL_NO_TLS1_2
#endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */
#if OPENSSL_VERSION_NUMBER>=0x10100000L
#ifndef OPENSSL_NO_SSL2
#define OPENSSL_NO_SSL2
#endif /* !defined(OPENSSL_NO_SSL2) */
#else /* OpenSSL older than 1.1.0 */
#define X509_STORE_CTX_get0_chain(x) X509_STORE_CTX_get_chain(x)
#endif /* OpenSSL 1.1.0 or newer */
#if defined(USE_WIN32) && defined(OPENSSL_FIPS)
#define USE_FIPS
#endif
#include <openssl/lhash.h>
#include <openssl/ssl.h>
#include <openssl/ui.h>
#include <openssl/err.h>
#include <openssl/crypto.h> /* for CRYPTO_* and SSLeay_version */
#include <openssl/rand.h>
#include <openssl/bn.h>
#include <openssl/pkcs12.h>
#ifndef OPENSSL_NO_MD4
#include <openssl/md4.h>
#endif /* !defined(OPENSSL_NO_MD4) */
#include <openssl/des.h>
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#if OPENSSL_VERSION_NUMBER<0x10100000L
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
#endif /* OpenSSL older than 1.1.0 */
#endif /* !defined(OPENSSL_NO_DH) */
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif /* !defined(OPENSSL_NO_ENGINE) */
#ifndef OPENSSL_NO_OCSP
#include <openssl/ocsp.h>
#endif /* !defined(OPENSSL_NO_OCSP) */
#ifndef OPENSSL_NO_COMP
/* not defined in public headers before OpenSSL 0.9.8 */
STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
#endif /* !defined(OPENSSL_NO_COMP) */
#ifndef OPENSSL_VERSION
#define OPENSSL_VERSION SSLEAY_VERSION
#define OpenSSL_version_num() SSLeay()
#define OpenSSL_version(x) SSLeay_version(x)
#endif
/**************************************** other defines */
/* always use IPv4 defaults! */
#define DEFAULT_LOOPBACK "127.0.0.1"
#define DEFAULT_ANY "0.0.0.0"
#if 0
#define DEFAULT_LOOPBACK "::1"
#define DEFAULT_ANY "::"
#endif
#if defined (USE_WIN32) || defined (__vms)
#define LOG_EMERG 0
#define LOG_ALERT 1
#define LOG_CRIT 2
#define LOG_ERR 3
#define LOG_WARNING 4
#define LOG_NOTICE 5
#define LOG_INFO 6
#define LOG_DEBUG 7
#endif /* defined (USE_WIN32) || defined (__vms) */
#ifndef offsetof
#define offsetof(T, F) ((unsigned)((char *)&((T *)0L)->F - (char *)0L))
#endif
#endif /* defined COMMON_H */
/* end of common.h */

351
src/config.h.in Normal file
View File

@ -0,0 +1,351 @@
/* src/config.h.in. Generated from configure.ac by autoheader. */
/* Define to 1 if you have a broken 'poll' implementation. */
#undef BROKEN_POLL
/* Entropy Gathering Daemon socket path */
#undef EGD_SOCKET
/* Define to 1 if you have the `accept4' function. */
#undef HAVE_ACCEPT4
/* Define to 1 if you have the `chroot' function. */
#undef HAVE_CHROOT
/* Define to 1 if you have the `daemon' function. */
#undef HAVE_DAEMON
/* Define to 1 if you have '/dev/ptmx' device. */
#undef HAVE_DEV_PTMX
/* Define to 1 if you have '/dev/ptc' device. */
#undef HAVE_DEV_PTS_AND_PTC
/* Define to 1 if you have the <dlfcn.h> header file. */
#undef HAVE_DLFCN_H
/* Define to 1 if you have the `endhostent' function. */
#undef HAVE_ENDHOSTENT
/* Define to 1 if you have the `FIPS_mode_set' function. */
#undef HAVE_FIPS_MODE_SET
/* Define to 1 if you have 'getaddrinfo' function. */
#undef HAVE_GETADDRINFO
/* Define to 1 if you have the `getcontext' function. */
#undef HAVE_GETCONTEXT
/* Define to 1 if you have the `gethostbyname2' function. */
#undef HAVE_GETHOSTBYNAME2
/* Define to 1 if you have the `getnameinfo' function. */
#undef HAVE_GETNAMEINFO
/* Define to 1 if you have the `getrlimit' function. */
#undef HAVE_GETRLIMIT
/* Define to 1 if you have the <grp.h> header file. */
#undef HAVE_GRP_H
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
/* Define to 1 if you have the <libutil.h> header file. */
#undef HAVE_LIBUTIL_H
/* Define to 1 if you have the <limits.h> header file. */
#undef HAVE_LIMITS_H
/* Define to 1 if you have the <linux/netfilter_ipv4.h> header file. */
#undef HAVE_LINUX_NETFILTER_IPV4_H
/* Define to 1 if you have the <linux/sched.h> header file. */
#undef HAVE_LINUX_SCHED_H
/* Define to 1 if you have the `localtime_r' function. */
#undef HAVE_LOCALTIME_R
/* Define to 1 if you have the <malloc.h> header file. */
#undef HAVE_MALLOC_H
/* Define to 1 if you have the <memory.h> header file. */
#undef HAVE_MEMORY_H
/* Define to 1 if you have 'msghdr.msg_control' structure. */
#undef HAVE_MSGHDR_MSG_CONTROL
/* Define to 1 if you have the `openpty' function. */
#undef HAVE_OPENPTY
/* Define to 1 if you have the `pipe2' function. */
#undef HAVE_PIPE2
/* Define to 1 if you have the `poll' function. */
#undef HAVE_POLL
/* Define to 1 if you have the <poll.h> header file. */
#undef HAVE_POLL_H
/* Define if you have POSIX threads libraries and header files. */
#undef HAVE_PTHREAD
/* Define to 1 if you have the <pthread.h> header file. */
#undef HAVE_PTHREAD_H
/* Have PTHREAD_PRIO_INHERIT. */
#undef HAVE_PTHREAD_PRIO_INHERIT
/* Define to 1 if you have the `pthread_sigmask' function. */
#undef HAVE_PTHREAD_SIGMASK
/* Define to 1 if you have the <pty.h> header file. */
#undef HAVE_PTY_H
/* Define to 1 if you have the `realpath' function. */
#undef HAVE_REALPATH
/* Define to 1 if you have the `setgroups' function. */
#undef HAVE_SETGROUPS
/* Define to 1 if you have the `setsid' function. */
#undef HAVE_SETSID
/* Define to 1 if you have the `snprintf' function. */
#undef HAVE_SNPRINTF
/* Define to 1 if you have the <stdint.h> header file. */
#undef HAVE_STDINT_H
/* Define to 1 if you have the <stdlib.h> header file. */
#undef HAVE_STDLIB_H
/* Define to 1 if you have the <strings.h> header file. */
#undef HAVE_STRINGS_H
/* Define to 1 if you have the <string.h> header file. */
#undef HAVE_STRING_H
/* Define to 1 if you have the <stropts.h> header file. */
#undef HAVE_STROPTS_H
/* Define to 1 if the system has the type `struct addrinfo'. */
#undef HAVE_STRUCT_ADDRINFO
/* Define to 1 if `msg_control' is a member of `struct msghdr'. */
#undef HAVE_STRUCT_MSGHDR_MSG_CONTROL
/* Define to 1 if the system has the type `struct sockaddr_un'. */
#undef HAVE_STRUCT_SOCKADDR_UN
/* Define to 1 if you have the `sysconf' function. */
#undef HAVE_SYSCONF
/* Define to 1 if you have the <systemd/sd-daemon.h> header file. */
#undef HAVE_SYSTEMD_SD_DAEMON_H
/* Define to 1 if you have the <sys/filio.h> header file. */
#undef HAVE_SYS_FILIO_H
/* Define to 1 if you have the <sys/ioctl.h> header file. */
#undef HAVE_SYS_IOCTL_H
/* Define to 1 if you have the <sys/poll.h> header file. */
#undef HAVE_SYS_POLL_H
/* Define to 1 if you have the <sys/resource.h> header file. */
#undef HAVE_SYS_RESOURCE_H
/* Define to 1 if you have the <sys/select.h> header file. */
#undef HAVE_SYS_SELECT_H
/* Define to 1 if you have the <sys/socket.h> header file. */
#undef HAVE_SYS_SOCKET_H
/* Define to 1 if you have the <sys/stat.h> header file. */
#undef HAVE_SYS_STAT_H
/* Define to 1 if you have the <sys/syscall.h> header file. */
#undef HAVE_SYS_SYSCALL_H
/* Define to 1 if you have the <sys/types.h> header file. */
#undef HAVE_SYS_TYPES_H
/* Define to 1 if you have the <sys/uio.h> header file. */
#undef HAVE_SYS_UIO_H
/* Define to 1 if you have the <sys/un.h> header file. */
#undef HAVE_SYS_UN_H
/* Define to 1 if you have the <tcpd.h> header file. */
#undef HAVE_TCPD_H
/* Define to 1 if you have the <ucontext.h> header file. */
#undef HAVE_UCONTEXT_H
/* Define to 1 if you have the <unistd.h> header file. */
#undef HAVE_UNISTD_H
/* Define to 1 if you have the <util.h> header file. */
#undef HAVE_UTIL_H
/* Define to 1 if you have the `vsnprintf' function. */
#undef HAVE_VSNPRINTF
/* Define to 1 if you have the `wait4' function. */
#undef HAVE_WAIT4
/* Define to 1 if you have the `waitpid' function. */
#undef HAVE_WAITPID
/* Define to 1 if you have the `_getpty' function. */
#undef HAVE__GETPTY
/* Define to 1 if you have the `__makecontext_v2' function. */
#undef HAVE___MAKECONTEXT_V2
/* Host description */
#undef HOST
/* Define to the sub-directory where libtool stores uninstalled libraries. */
#undef LT_OBJDIR
/* Name of package */
#undef PACKAGE
/* Define to the address where bug reports for this package should be sent. */
#undef PACKAGE_BUGREPORT
/* Define to the full name of this package. */
#undef PACKAGE_NAME
/* Define to the full name and version of this package. */
#undef PACKAGE_STRING
/* Define to the one symbol short name of this package. */
#undef PACKAGE_TARNAME
/* Define to the home page for this package. */
#undef PACKAGE_URL
/* Define to the version of this package. */
#undef PACKAGE_VERSION
/* Define to necessary symbol if this constant uses a non-standard name on
your system. */
#undef PTHREAD_CREATE_JOINABLE
/* Random file path */
#undef RANDOM_FILE
/* TLS directory */
#undef SSLDIR
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
/* Define to 1 to enable OpenSSL FIPS support */
#undef USE_FIPS
/* Define to 1 to select FORK mode */
#undef USE_FORK
/* Define to 1 to enable IPv6 support */
#undef USE_IPv6
/* Define to 1 to enable TCP wrappers support */
#undef USE_LIBWRAP
/* Define to 1 to select PTHREAD mode */
#undef USE_PTHREAD
/* Define to 1 to enable systemd socket activation */
#undef USE_SYSTEMD
/* Define to 1 to select UCONTEXT mode */
#undef USE_UCONTEXT
/* Version number of package */
#undef VERSION
/* Use Darwin source */
#undef _DARWIN_C_SOURCE
/* Enable large inode numbers on Mac OS X 10.5. */
#ifndef _DARWIN_USE_64_BIT_INODE
# define _DARWIN_USE_64_BIT_INODE 1
#endif
/* Number of bits in a file offset, on hosts where this is settable. */
#undef _FILE_OFFSET_BITS
/* Use GNU source */
#undef _GNU_SOURCE
/* Define for large files, on AIX-style hosts. */
#undef _LARGE_FILES
/* Define for Solaris 2.5.1 so the uint32_t typedef from <sys/synch.h>,
<pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
#define below would cause a syntax error. */
#undef _UINT32_T
/* Define for Solaris 2.5.1 so the uint64_t typedef from <sys/synch.h>,
<pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
#define below would cause a syntax error. */
#undef _UINT64_T
/* Define for Solaris 2.5.1 so the uint8_t typedef from <sys/synch.h>,
<pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
#define below would cause a syntax error. */
#undef _UINT8_T
/* Use X/Open 5 with POSIX 1995 */
#undef _XOPEN_SOURCE
/* Define to `int' if <sys/types.h> doesn't define. */
#undef gid_t
/* Define to the type of a signed integer type of width exactly 16 bits if
such a type exists and the standard includes do not define it. */
#undef int16_t
/* Define to the type of a signed integer type of width exactly 32 bits if
such a type exists and the standard includes do not define it. */
#undef int32_t
/* Define to the type of a signed integer type of width exactly 64 bits if
such a type exists and the standard includes do not define it. */
#undef int64_t
/* Define to the type of a signed integer type of width exactly 8 bits if such
a type exists and the standard includes do not define it. */
#undef int8_t
/* Define to `unsigned int' if <sys/types.h> does not define. */
#undef size_t
/* Type of socklen_t */
#undef socklen_t
/* Define to `int' if <sys/types.h> does not define. */
#undef ssize_t
/* Define to `int' if <sys/types.h> doesn't define. */
#undef uid_t
/* Define to the type of an unsigned integer type of width exactly 16 bits if
such a type exists and the standard includes do not define it. */
#undef uint16_t
/* Define to the type of an unsigned integer type of width exactly 32 bits if
such a type exists and the standard includes do not define it. */
#undef uint32_t
/* Define to the type of an unsigned integer type of width exactly 64 bits if
such a type exists and the standard includes do not define it. */
#undef uint64_t
/* Define to the type of an unsigned integer type of width exactly 8 bits if
such a type exists and the standard includes do not define it. */
#undef uint8_t

201
src/cron.c Normal file
View File

@ -0,0 +1,201 @@
/*
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
#ifdef USE_PTHREAD
NOEXPORT void *cron_thread(void *arg);
#endif
#ifdef USE_WIN32
NOEXPORT void cron_thread(void *arg);
#endif
#if defined(USE_PTHREAD) || defined(USE_WIN32)
NOEXPORT void cron_worker(void);
NOEXPORT void cron_dh_param(void);
#endif
#if defined(USE_PTHREAD)
int cron_init() {
pthread_t thread;
pthread_attr_t pth_attr;
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
sigset_t new_set, old_set;
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
sigfillset(&new_set);
pthread_sigmask(SIG_SETMASK, &new_set, &old_set); /* block signals */
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
pthread_attr_init(&pth_attr);
pthread_attr_setdetachstate(&pth_attr, PTHREAD_CREATE_DETACHED);
if(pthread_create(&thread, &pth_attr, cron_thread, NULL))
ioerror("pthread_create");
pthread_attr_destroy(&pth_attr);
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
pthread_sigmask(SIG_SETMASK, &old_set, NULL); /* unblock signals */
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
return 0;
}
NOEXPORT void *cron_thread(void *arg) {
#ifdef SCHED_BATCH
struct sched_param param;
#endif
(void)arg; /* squash the unused parameter warning */
tls_alloc(NULL, NULL, "cron");
#ifdef SCHED_BATCH
param.sched_priority=0;
if(pthread_setschedparam(pthread_self(), SCHED_BATCH, &param))
ioerror("pthread_getschedparam");
#endif
cron_worker();
return NULL; /* it should never be executed */
}
#elif defined(USE_WIN32)
int cron_init() {
if((long)_beginthread(cron_thread, 0, NULL)==-1)
ioerror("_beginthread");
return 0;
}
NOEXPORT void cron_thread(void *arg) {
(void)arg; /* squash the unused parameter warning */
tls_alloc(NULL, NULL, "cron");
if(!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_LOWEST))
ioerror("SetThreadPriority");
cron_worker();
_endthread(); /* it should never be executed */
}
#else /* !defined(USE_PTHREAD) && !defined(USE_WIN32) */
int cron_init() {
/* not implemented for now */
return 0;
}
#endif
/* run the cron job every 24 hours */
#define CRON_PERIOD (24*60*60)
#if defined(USE_PTHREAD) || defined(USE_WIN32)
NOEXPORT void cron_worker(void) {
time_t now, then;
int delay;
s_log(LOG_DEBUG, "Cron thread initialized");
sleep(60); /* allow the other services to start with idle CPU */
time(&then);
for(;;) {
s_log(LOG_INFO, "Executing cron jobs");
#ifndef OPENSSL_NO_DH
cron_dh_param();
#endif /* OPENSSL_NO_DH */
time(&now);
s_log(LOG_INFO, "Cron jobs completed in %d seconds", (int)(now-then));
then+=CRON_PERIOD;
if(then>now) {
delay=(int)(then-now);
} else {
s_log(LOG_NOTICE, "Cron backlog cleared (possible hibernation)");
delay=CRON_PERIOD-(int)(now-then)%CRON_PERIOD;
then=now+delay;
}
s_log(LOG_DEBUG, "Waiting %d seconds", delay);
do { /* retry sleep() if it was interrupted by a signal */
sleep((unsigned)delay);
time(&now);
delay=(int)(then-now);
} while(delay>0);
s_log(LOG_INFO, "Reopening log file");
signal_post(SIGNAL_REOPEN_LOG);
}
}
#ifndef OPENSSL_NO_DH
NOEXPORT void cron_dh_param(void) {
SERVICE_OPTIONS *opt;
DH *dh;
if(!dh_needed)
return;
s_log(LOG_NOTICE, "Updating DH parameters");
#if OPENSSL_VERSION_NUMBER>=0x0090800fL
/* generate 2048-bit DH parameters */
dh=DH_new();
if(!dh) {
sslerror("DH_new");
return;
}
if(!DH_generate_parameters_ex(dh, 2048, 2, NULL)) {
DH_free(dh);
sslerror("DH_generate_parameters_ex");
return;
}
#else /* OpenSSL older than 0.9.8 */
dh=DH_generate_parameters(2048, 2, NULL, NULL);
if(!dh) {
sslerror("DH_generate_parameters");
return;
}
#endif
/* update global dh_params for future configuration reloads */
stunnel_write_lock(&stunnel_locks[LOCK_DH]);
DH_free(dh_params);
dh_params=dh;
stunnel_write_unlock(&stunnel_locks[LOCK_DH]);
/* set for all sections that require it */
for(opt=service_options.next; opt; opt=opt->next)
if(opt->option.dh_needed)
SSL_CTX_set_tmp_dh(opt->ctx, dh);
s_log(LOG_NOTICE, "DH parameters updated");
}
#endif /* OPENSSL_NO_DH */
#endif /* USE_PTHREAD || USE_WIN32 */
/* end of cron.c */

1260
src/ctx.c Normal file
View File

File diff suppressed because it is too large Load Diff

57
src/dhparam.c Normal file
View File

@ -0,0 +1,57 @@
#include "common.h"
#ifndef OPENSSL_NO_DH
#define DN_new DH_new
#ifndef HEADER_DH_H
# include <openssl/dh.h>
#endif
DH *get_dh2048()
{
static unsigned char dhp_2048[] = {
0xEF, 0xED, 0x5C, 0xA2, 0x8E, 0x37, 0xD8, 0xF4, 0xD1, 0xE9,
0x85, 0x06, 0x79, 0x0E, 0xC0, 0xBC, 0xD2, 0xF3, 0xBC, 0x26,
0xAE, 0x63, 0xB9, 0x06, 0xDF, 0x16, 0xDB, 0xE5, 0x76, 0x76,
0xD5, 0xBC, 0x4F, 0xC1, 0x55, 0x28, 0xC9, 0x7A, 0xC8, 0xD6,
0x1E, 0xB0, 0x5D, 0x85, 0x12, 0x39, 0x62, 0x06, 0x9D, 0x99,
0x4D, 0xCF, 0x79, 0x27, 0x94, 0xB6, 0xE1, 0xC2, 0x92, 0x06,
0xA3, 0xCF, 0x10, 0x25, 0xC4, 0x3D, 0x01, 0xD2, 0x34, 0x0C,
0x1F, 0xB2, 0xA3, 0x0D, 0xA8, 0xDC, 0xB6, 0x5F, 0xDB, 0x8C,
0xF6, 0x73, 0xC2, 0x07, 0x70, 0x4D, 0x01, 0x85, 0xE8, 0x49,
0xBC, 0xC1, 0x80, 0x6C, 0x77, 0x71, 0xFF, 0x5D, 0x25, 0x2F,
0x64, 0x5F, 0x0D, 0x33, 0xB3, 0x43, 0x24, 0xC0, 0xFC, 0xB3,
0x94, 0xEA, 0xF2, 0xB7, 0x24, 0x08, 0x12, 0x74, 0x9D, 0xEA,
0x20, 0x31, 0xD7, 0x0C, 0x0A, 0x84, 0x37, 0xCF, 0x34, 0x56,
0x85, 0xFB, 0xF4, 0x7C, 0xF4, 0x4E, 0x67, 0x0E, 0x63, 0xB2,
0x49, 0xAF, 0xA6, 0x43, 0xD3, 0x6E, 0x60, 0xA9, 0x96, 0xD6,
0xE8, 0x63, 0x7E, 0x23, 0x39, 0x91, 0xE1, 0xF6, 0xC3, 0x8B,
0x60, 0x92, 0x73, 0xB9, 0x5A, 0x69, 0xDF, 0x8A, 0xD4, 0x0E,
0x1C, 0x95, 0x82, 0x59, 0xE4, 0x3B, 0xA8, 0xAC, 0x46, 0x47,
0xE2, 0xFE, 0x98, 0xD7, 0xC2, 0xD4, 0xC6, 0x0A, 0xC5, 0x23,
0x98, 0xCA, 0x0C, 0x5A, 0x82, 0xE1, 0x17, 0xC8, 0xA4, 0x5C,
0x43, 0x2A, 0xE5, 0x5B, 0x20, 0x7C, 0x36, 0x90, 0x71, 0xB6,
0x02, 0x55, 0xF5, 0x26, 0x13, 0xCF, 0xB3, 0x4C, 0xB7, 0x89,
0x57, 0xC8, 0x27, 0x28, 0x72, 0x04, 0xF1, 0x78, 0x4B, 0xFF,
0xB3, 0x78, 0x60, 0x79, 0xEF, 0xDD, 0xDE, 0x34, 0x88, 0xE2,
0x00, 0x13, 0xED, 0x4B, 0x9F, 0xE7, 0x71, 0xBA, 0x68, 0xF6,
0xD2, 0x9E, 0xF3, 0x3B, 0x2D, 0x2B
};
static unsigned char dhg_2048[] = {
0x02
};
DH *dh = DH_new();
BIGNUM *dhp_bn, *dhg_bn;
if (dh == NULL)
return NULL;
dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
if (dhp_bn == NULL || dhg_bn == NULL
|| !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
DH_free(dh);
BN_free(dhp_bn);
BN_free(dhg_bn);
return NULL;
}
return dh;
}
#endif /* OPENSSL_NO_DH */

70
src/env.c Normal file
View File

@ -0,0 +1,70 @@
/*
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
/* getpeername() can't be declared in the following includes */
#define getpeername no_getpeername
#include <sys/types.h>
#include <sys/socket.h> /* for AF_INET */
#include <netinet/in.h>
#include <arpa/inet.h> /* for inet_addr() */
#include <stdlib.h> /* for getenv() */
#ifdef __BEOS__
#include <be/bone/arpa/inet.h> /* for AF_INET */
#include <be/bone/sys/socket.h> /* for AF_INET */
#else
#include <sys/socket.h> /* for AF_INET */
#endif
#undef getpeername
int getpeername(int s, struct sockaddr_in *name, int *len) {
char *value;
(void)s; /* squash the unused parameter warning */
(void)len; /* squash the unused parameter warning */
name->sin_family=AF_INET;
if((value=getenv("REMOTE_HOST")))
name->sin_addr.s_addr=inet_addr(value);
else
name->sin_addr.s_addr=htonl(INADDR_ANY);
if((value=getenv("REMOTE_PORT")))
name->sin_port=htons((uint16_t)atoi(value));
else
name->sin_port=htons(0); /* dynamic port allocation */
return 0;
}
/* end of env.c */

BIN
src/error.ico Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.1 KiB

167
src/evc.mak Normal file
View File

@ -0,0 +1,167 @@
# wce.mak for stunnel.exe by Michal Trojnara 2006-2012
# with help of Pierre Delaage <delaage.pierre@free.fr>
# pdelaage 20140610 : added UNICODE optional FLAG, always ACTIVE on WCE because of poor ANSI support
# pdelaage 20140610 : added _WIN32_WCE flag for RC compilation, to preprocess out "HELP" unsupported menu flag on WCE
# pdelaage 20140610 : ws2 lib is required to get WSAGetLastError routine (absent from winsock lib)
# pdelaage 20140610 : /Dx86 flag required for X86/Emulator targets, to get proper definition for InterlockedExchange
# pdelaage 20140610 : /MT flag is NON-SENSE for X86-WCE platforms, it is only meaningful for X86-W32-Desktop.
# for X86-WCE targets, although compiler "cl.exe" is REALLY the same as desktop W32 VS6 C++ compiler,
# the MT flags relating to LIBCMT is useless BECAUSE LIBCMT does NOT exist on WCE. No msvcrt on WCE either...
# pdelaage 20140610 : Note on /MC flag
# For other targets than X86/Emulator, /MC flag is redundant with "/nodefaultlib coredll.lib corelibc.lib" LD lib list.
# For << X86 / Emulator >> target, as the cl.exe compiler IS the SAME as the standard VS6.0 C++ compiler for Desktop Pentium processor,
# /MC flag is in fact NOT existing, thus requiring an explicit linking with core libs by using :
# /NODEFAULTLIB coredll.lib corelibc.lib,
# something that is correct for any WCE target, X86 and other, and leading /MC flag to be useless ALSO for other target than X86.
#
# DEFAULTLIB management: only 2 are necessary
# defaultlibS, as given for CLxxx in the MS doc, ARE WRONG
# !!!!!!!!!!!!!!
# CUSTOMIZE THIS according to your wcecompat and openssl directories
# !!!!!!!!!!!!!!
# Modify this to point to your actual openssl compile directory
# (You did already compile openssl, didn't you???)
SSLDIR=C:\Users\pdelaage\Dvts\Contrib\openssl
# Note that we currently use a multi-target customized version of legacy Essemer/wcecompat lib
COMPATDIR=C:\Users\pdelaage\Dvts\Contrib\wcecompat\v12\patched3emu
WCEVER=420
# !!!!!!!!!!!!!!!!!!
# END CUSTOMIZATION
# !!!!!!!!!!!!!!!!!!
!IF "$(TARGETCPU)"=="X86"
WCETARGETCPU=_X86_
LDTARGETCPU=X86
#pdelaage 20140621 /Dx86 for inline defs of InterlockedExchange inline in winbase.h; no more /MT
MORECFLAGS=/Dx86
# TODO: continue list for other targets : see wcecompat/wcedefs.mak for a good ref.
# see also openssl/util/pl/vc-32.pl, also link /?
# for LDTARGETCPU: /MACHINE:{AM33|ARM|IA64|M32R|MIPS|MIPS16|MIPSFPU|MIPSFPU16|MIPSR41XX|SH3|SH3DSP|SH4|SH5|THUMB|X86}
# see wce/include/winnt.h for other "target architecture" flag
!ELSEIF "$(TARGETCPU)"=="emulator"
WCETARGETCPU=_X86_
LDTARGETCPU=X86
#pdelaage 20140621 /Dx86 for inline defs of InterlockedExchange inline in winbase.h; no more /MT
MORECFLAGS=/Dx86
!ELSEIF "$(TARGETCPU)"=="MIPS16" || "$(TARGETCPU)"=="MIPSII" || "$(TARGETCPU)"=="MIPSII_FP" || "$(TARGETCPU)"=="MIPSIV" || "$(TARGETCPU)"=="MIPSIV_FP"
WCETARGETCPU=_MIPS_
LDTARGETCPU=MIPS
#pdelaage 20140621 no more /MC required
MORECFLAGS=/DMIPS
!ELSEIF "$(TARGETCPU)"=="SH3" || "$(TARGETCPU)"=="SH4"
WCETARGETCPU=SHx
LDTARGETCPU=$(TARGETCPU)
#pdelaage 20140621 no more /MC required
MORECFLAGS=
!ELSE
# default is ARM !
# !IF "$(TARGETCPU)"=="ARMV4" || "$(TARGETCPU)"=="ARMV4I" || "$(TARGETCPU)"=="ARMV4T"
# the following flag is required by (eg) winnt.h, and is different from targetcpu (armV4)
WCETARGETCPU=ARM
LDTARGETCPU=ARM
#pdelaage 20140621 no more /MC required
MORECFLAGS=
!ENDIF
# ceutilsdir probably useless (nb : were tools from essemer; but ms delivers a cecopy anyway, see ms dld site)
CEUTILSDIR=..\..\ceutils
# "ce:" is not a correct location , but we never "make install"
DSTDIR=ce:\stunnel
# use MS env vars, as in wcecompat and openssl makefiles
SDKDIR=$(SDKROOT)\$(OSVERSION)\$(PLATFORM)
INCLUDES=-I$(SSLDIR)\inc32 -I$(COMPATDIR)\include -I"$(SDKDIR)\include\$(TARGETCPU)"
# for X86 and other it appears that /MC or /ML flags are absurd,
# we always have to override runtime lib list to coredll and corelibc
#LIBS=/NODEFAULTLIB winsock.lib wcecompatex.lib libeay32.lib ssleay32.lib coredll.lib corelibc.lib
LIBS=/NODEFAULTLIB ws2.lib wcecompatex.lib libeay32.lib ssleay32.lib coredll.lib corelibc.lib
DEFINES=/DHOST=\"$(TARGETCPU)-WCE-eVC-$(WCEVER)\"
# pdelaage 20140610 added unicode flag : ALWAYS ACTIVE on WCE, because of poor ANSI support by the MS SDK
UNICODEFLAGS=/DUNICODE -D_UNICODE
# /O1 /Oi more correct vs MS doc
CFLAGS=/nologo $(MORECFLAGS) /O1 /Oi /W3 /WX /GF /Gy $(DEFINES) /D$(WCETARGETCPU) /D$(TARGETCPU) /DUNDER_CE=$(WCEVER) /D_WIN32_WCE=$(WCEVER) $(UNICODEFLAGS) $(INCLUDES)
# pdelaage 20140610 : RC compilation requires D_WIN32_WCE flag to comment out unsupported "HELP" flag in menu definition, in resources.rc file
RFLAGS=$(DEFINES) /D_WIN32_WCE=$(WCEVER) $(INCLUDES)
# LDFLAGS: since openssl >> 098a (eg 098h) out32dll is out32dll_targetCPU for WCE
# delaage added $(TARGETCPU) in legacy Essemer/wcecompat libpath
# to ease multitarget compilation without recompiling everything
# this customized version is available on:
# http://delaage.pierre.free.fr/contrib/wcecompat/wcecompat12_patched.zip
LDFLAGS=/nologo /subsystem:windowsce,3.00 /machine:$(LDTARGETCPU) /libpath:"$(SDKDIR)\lib\$(TARGETCPU)" /libpath:"$(COMPATDIR)\lib\$(TARGETCPU)" /libpath:"$(SSLDIR)\out32dll_$(TARGETCPU)"
# Multi-target support for stunnel
SRC=..\src
OBJROOT=..\obj
OBJ=$(OBJROOT)\$(TARGETCPU)
BINROOT=..\bin
BIN=$(BINROOT)\$(TARGETCPU)
OBJS=$(OBJ)\stunnel.obj $(OBJ)\ssl.obj $(OBJ)\ctx.obj $(OBJ)\verify.obj \
$(OBJ)\file.obj $(OBJ)\client.obj $(OBJ)\protocol.obj $(OBJ)\sthreads.obj \
$(OBJ)\log.obj $(OBJ)\options.obj $(OBJ)\network.obj $(OBJ)\resolver.obj \
$(OBJ)\str.obj $(OBJ)\tls.obj $(OBJ)\fd.obj $(OBJ)\dhparam.obj \
$(OBJ)\cron.obj
GUIOBJS=$(OBJ)\ui_win_gui.obj $(OBJ)\resources.res
CLIOBJS=$(OBJ)\ui_win_cli.obj
{$(SRC)\}.c{$(OBJ)\}.obj:
$(CC) $(CFLAGS) -Fo$@ -c $<
{$(SRC)\}.cpp{$(OBJ)\}.obj:
$(CC) $(CFLAGS) -Fo$@ -c $<
{$(SRC)\}.rc{$(OBJ)\}.res:
$(RC) $(RFLAGS) -fo$@ -r $<
all: makedirs $(BIN)\stunnel.exe $(BIN)\tstunnel.exe
makedirs:
-@ IF NOT EXIST $(OBJROOT) mkdir $(OBJROOT) >NUL 2>&1
-@ IF NOT EXIST $(OBJ) mkdir $(OBJ) >NUL 2>&1
-@ IF NOT EXIST $(BINROOT) mkdir $(BINROOT) >NUL 2>&1
-@ IF NOT EXIST $(BIN) mkdir $(BIN) >NUL 2>&1
$(BIN)\stunnel.exe:$(OBJS) $(GUIOBJS)
link $(LDFLAGS) /out:$(BIN)\stunnel.exe $(LIBS) commctrl.lib $**
$(BIN)\tstunnel.exe:$(OBJS) $(CLIOBJS)
link $(LDFLAGS) /out:$(BIN)\tstunnel.exe $(LIBS) $**
$(OBJ)\resources.res: $(SRC)\resources.rc $(SRC)\resources.h $(SRC)\version.h
$(OBJ)\ui_win_gui.obj: $(SRC)\ui_win_gui.c $(SRC)\version.h
$(OBJ)\stunnel.obj: $(SRC)\stunnel.c $(SRC)\version.h
# now list of openssl dll has more files,
# but we do not use "make install" for stunnel
# ceutils come from essemer/wcecompat website
# some tools can be found at MS website
# TODO: update all this ceutils stuff, or suppress it
install: stunnel.exe tstunnel.exe
$(CEUTILSDIR)\cemkdir $(DSTDIR) || echo Directory exists?
$(CEUTILSDIR)\cecopy stunnel.exe $(DSTDIR)
$(CEUTILSDIR)\cecopy tstunnel.exe $(DSTDIR)
$(CEUTILSDIR)\cecopy $(SSLDIR)\out32dll_$(TARGETCPU)\libeay32.dll $(DSTDIR)
$(CEUTILSDIR)\cecopy $(SSLDIR)\out32dll_$(TARGETCPU)\ssleay32.dll $(DSTDIR)
clean:
-@ IF NOT "$(TARGETCPU)"=="" del $(OBJS) $(GUIOBJS) $(CLIOBJS) $(BIN)\stunnel.exe $(BIN)\tstunnel.exe >NUL 2>&1
-@ IF NOT "$(TARGETCPU)"=="" rmdir $(OBJ) >NUL 2>&1
-@ IF NOT "$(TARGETCPU)"=="" rmdir $(BIN) >NUL 2>&1

259
src/fd.c Normal file
View File

@ -0,0 +1,259 @@
/*
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
#if defined HAVE_PIPE2 && defined HAVE_ACCEPT4
#define USE_NEW_LINUX_API 1
#endif
/* try to use non-POSIX O_NDELAY on obsolete BSD systems */
#if !defined O_NONBLOCK && defined O_NDELAY
#define O_NONBLOCK O_NDELAY
#endif
/**************************************** prototypes */
NOEXPORT SOCKET setup_fd(SOCKET, int, char *);
/**************************************** internal limit of file descriptors */
#ifndef USE_FORK
static SOCKET max_fds;
void get_limits(void) { /* set max_fds and max_clients */
/* start with current ulimit */
#if defined(HAVE_SYSCONF)
errno=0;
max_fds=(SOCKET)sysconf(_SC_OPEN_MAX);
if(errno)
ioerror("sysconf");
if(max_fds<0)
max_fds=0; /* unlimited */
#elif defined(HAVE_GETRLIMIT)
struct rlimit rlim;
if(getrlimit(RLIMIT_NOFILE, &rlim)<0) {
ioerror("getrlimit");
max_fds=0; /* unlimited */
} else
max_fds=rlim.rlim_cur!=RLIM_INFINITY ? rlim.rlim_cur : 0;
#else
max_fds=0; /* unlimited */
#endif /* HAVE_SYSCONF || HAVE_GETRLIMIT */
#if !defined(USE_WIN32) && !defined(USE_POLL) && !defined(__INNOTEK_LIBC__)
/* apply FD_SETSIZE if select() is used on Unix */
if(!max_fds || max_fds>FD_SETSIZE)
max_fds=FD_SETSIZE; /* start with select() limit */
#endif /* select() on Unix */
/* stunnel needs at least 16 file descriptors */
if(max_fds && max_fds<16)
max_fds=16;
if(max_fds) {
max_clients=(long)(max_fds>=256 ? max_fds*125/256 : (max_fds-6)/2);
s_log(LOG_DEBUG, "Clients allowed=%ld", max_clients);
} else {
max_clients=0;
s_log(LOG_DEBUG, "No limit detected for the number of clients");
}
}
#endif
/**************************************** file descriptor validation */
SOCKET s_socket(int domain, int type, int protocol, int nonblock, char *msg) {
SOCKET fd;
#ifdef USE_NEW_LINUX_API
if(nonblock)
type|=SOCK_NONBLOCK;
type|=SOCK_CLOEXEC;
#endif
#ifdef USE_WIN32
/* http://stackoverflow.com/questions/4993119 */
/* CreateProcess() needs a non-overlapped handle */
fd=WSASocket(domain, type, protocol, NULL, 0, 0);
#else /* USE_WIN32 */
fd=socket(domain, type, protocol);
#endif /* USE_WIN32 */
return setup_fd(fd, nonblock, msg);
}
SOCKET s_accept(SOCKET sockfd, struct sockaddr *addr, socklen_t *addrlen,
int nonblock, char *msg) {
SOCKET fd;
#ifdef USE_NEW_LINUX_API
if(nonblock)
fd=accept4(sockfd, addr, addrlen, SOCK_NONBLOCK|SOCK_CLOEXEC);
else
fd=accept4(sockfd, addr, addrlen, SOCK_CLOEXEC);
#else
fd=accept(sockfd, addr, addrlen);
#endif
return setup_fd(fd, nonblock, msg);
}
#ifndef USE_WIN32
int s_socketpair(int domain, int type, int protocol, SOCKET sv[2],
int nonblock, char *msg) {
#ifdef USE_NEW_LINUX_API
if(nonblock)
type|=SOCK_NONBLOCK;
type|=SOCK_CLOEXEC;
#endif
if(socketpair(domain, type, protocol, sv)<0) {
ioerror(msg);
return -1;
}
if(setup_fd(sv[0], nonblock, msg)<0) {
closesocket(sv[1]);
return -1;
}
if(setup_fd(sv[1], nonblock, msg)<0) {
closesocket(sv[0]);
return -1;
}
return 0;
}
int s_pipe(int pipefd[2], int nonblock, char *msg) {
int retval;
#ifdef USE_NEW_LINUX_API
if(nonblock)
retval=pipe2(pipefd, O_NONBLOCK|O_CLOEXEC);
else
retval=pipe2(pipefd, O_CLOEXEC);
#else
retval=pipe(pipefd);
#endif
if(retval<0) {
ioerror(msg);
return -1;
}
if(setup_fd(pipefd[0], nonblock, msg)<0) {
close(pipefd[1]);
return -1;
}
if(setup_fd(pipefd[1], nonblock, msg)<0) {
close(pipefd[0]);
return -1;
}
return 0;
}
#endif /* USE_WIN32 */
NOEXPORT SOCKET setup_fd(SOCKET fd, int nonblock, char *msg) {
#if !defined USE_NEW_LINUX_API && defined FD_CLOEXEC
int err;
#endif
if(fd==INVALID_SOCKET) {
sockerror(msg);
return INVALID_SOCKET;
}
#ifndef USE_FORK
if(max_fds && fd>=max_fds) {
s_log(LOG_ERR, "%s: FD=%d out of range (max %d)",
msg, (int)fd, (int)max_fds);
closesocket(fd);
return INVALID_SOCKET;
}
#endif
#ifdef USE_NEW_LINUX_API
(void)nonblock; /* squash the unused parameter warning */
#else /* set O_NONBLOCK and F_SETFD */
set_nonblock(fd, (unsigned long)nonblock);
#ifdef FD_CLOEXEC
do {
err=fcntl(fd, F_SETFD, FD_CLOEXEC);
} while(err<0 && get_last_socket_error()==S_EINTR);
if(err<0)
sockerror("fcntl SETFD"); /* non-critical */
#endif /* FD_CLOEXEC */
#endif /* USE_NEW_LINUX_API */
#ifdef DEBUG_FD_ALLOC
s_log(LOG_DEBUG, "%s: FD=%d allocated (%sblocking mode)",
msg, fd, nonblock?"non-":"");
#endif /* DEBUG_FD_ALLOC */
return fd;
}
void set_nonblock(SOCKET fd, unsigned long nonblock) {
#if defined F_GETFL && defined F_SETFL && defined O_NONBLOCK && !defined __INNOTEK_LIBC__
int err, flags;
do {
flags=fcntl(fd, F_GETFL, 0);
} while(flags<0 && get_last_socket_error()==S_EINTR);
if(flags<0) {
sockerror("fcntl GETFL"); /* non-critical */
return;
}
if(nonblock)
flags|=O_NONBLOCK;
else
flags&=~O_NONBLOCK;
do {
err=fcntl(fd, F_SETFL, flags);
} while(err<0 && get_last_socket_error()==S_EINTR);
if(err<0)
sockerror("fcntl SETFL"); /* non-critical */
#else /* WIN32 or similar */
if(ioctlsocket(fd, (long)FIONBIO, &nonblock)<0)
sockerror("ioctlsocket"); /* non-critical */
#if 0
else
s_log(LOG_DEBUG, "Socket %d set to %s mode",
fd, nonblock ? "non-blocking" : "blocking");
#endif
#endif
}
/* end of fd.c */

266
src/file.c Normal file
View File

@ -0,0 +1,266 @@
/*
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
#ifdef USE_WIN32
DISK_FILE *file_open(char *name, FILE_MODE mode) {
DISK_FILE *df;
LPTSTR tname;
HANDLE fh;
DWORD desired_access, creation_disposition;
/* open file */
switch(mode) {
case FILE_MODE_READ:
desired_access=GENERIC_READ;
creation_disposition=OPEN_EXISTING;
break;
case FILE_MODE_APPEND:
/* reportedly more compatible than FILE_APPEND_DATA */
desired_access=GENERIC_WRITE;
creation_disposition=OPEN_ALWAYS; /* keep the data */
break;
case FILE_MODE_OVERWRITE:
desired_access=GENERIC_WRITE;
creation_disposition=CREATE_ALWAYS; /* remove the data */
break;
default: /* invalid mode */
return NULL;
}
tname=str2tstr(name);
fh=CreateFile(tname, desired_access, FILE_SHARE_READ, NULL,
creation_disposition, FILE_ATTRIBUTE_NORMAL, (HANDLE)NULL);
str_free(tname); /* str_free() overwrites GetLastError() value */
if(fh==INVALID_HANDLE_VALUE)
return NULL;
if(mode==FILE_MODE_APPEND) /* workaround for FILE_APPEND_DATA */
SetFilePointer(fh, 0, NULL, FILE_END);
/* setup df structure */
df=str_alloc(sizeof df);
df->fh=fh;
return df;
}
#else /* USE_WIN32 */
DISK_FILE *file_fdopen(int fd) {
DISK_FILE *df;
df=str_alloc(sizeof(DISK_FILE));
df->fd=fd;
return df;
}
DISK_FILE *file_open(char *name, FILE_MODE mode) {
DISK_FILE *df;
int fd, flags;
/* open file */
switch(mode) {
case FILE_MODE_READ:
flags=O_RDONLY;
break;
case FILE_MODE_APPEND:
flags=O_CREAT|O_WRONLY|O_APPEND;
break;
case FILE_MODE_OVERWRITE:
flags=O_CREAT|O_WRONLY|O_TRUNC;
break;
default: /* invalid mode */
return NULL;
}
#ifdef O_NONBLOCK
flags|=O_NONBLOCK;
#elif defined O_NDELAY
flags|=O_NDELAY;
#endif
#ifdef O_CLOEXEC
flags|=O_CLOEXEC;
#endif /* O_CLOEXEC */
fd=open(name, flags, 0640);
if(fd==INVALID_SOCKET)
return NULL;
/* setup df structure */
df=str_alloc(sizeof df);
df->fd=fd;
return df;
}
#endif /* USE_WIN32 */
void file_close(DISK_FILE *df) {
if(!df) /* nothing to do */
return;
#ifdef USE_WIN32
CloseHandle(df->fh);
#else /* USE_WIN32 */
if(df->fd>2) /* never close stdin/stdout/stder */
close(df->fd);
#endif /* USE_WIN32 */
str_free(df);
}
ssize_t file_getline(DISK_FILE *df, char *line, int len) {
/* this version is really slow, but performance is not important here */
/* (no buffering is implemented) */
ssize_t i;
#ifdef USE_WIN32
DWORD num;
#else /* USE_WIN32 */
ssize_t num;
#endif /* USE_WIN32 */
if(!df) /* not opened */
return -1;
for(i=0; i<len-1; i++) {
#ifdef USE_WIN32
ReadFile(df->fh, line+i, 1, &num, NULL);
#else /* USE_WIN32 */
num=read(df->fd, line+i, 1);
#endif /* USE_WIN32 */
if(num!=1) { /* EOF */
if(i) /* any previously retrieved data */
break;
else
return -1;
}
if(line[i]=='\n') /* LF */
break;
if(line[i]=='\r') /* CR */
--i; /* ignore - it must be the last check */
}
line[i]='\0';
return i;
}
ssize_t file_putline(DISK_FILE *df, char *line) {
char *buff;
size_t len;
#ifdef USE_WIN32
DWORD num;
#else /* USE_WIN32 */
ssize_t num;
#endif /* USE_WIN32 */
len=strlen(line);
buff=str_alloc(len+2); /* +2 for CR+LF */
strcpy(buff, line);
#ifdef USE_WIN32
buff[len++]='\r'; /* CR */
#endif /* USE_WIN32 */
buff[len++]='\n'; /* LF */
#ifdef USE_WIN32
WriteFile(df->fh, buff, (DWORD)len, &num, NULL);
#else /* USE_WIN32 */
/* no file -> write to stderr */
num=write(df ? df->fd : 2, buff, len);
#endif /* USE_WIN32 */
str_free(buff);
return (ssize_t)num;
}
int file_permissions(const char *file_name) {
#if !defined(USE_WIN32) && !defined(USE_OS2)
struct stat sb; /* buffer for stat */
/* check permissions of the private key file */
if(stat(file_name, &sb)) {
ioerror(file_name);
return 1; /* FAILED */
}
if(sb.st_mode & 7)
s_log(LOG_WARNING,
"Insecure file permissions on %s", file_name);
#else
(void)file_name; /* squash the unused parameter warning */
#endif
return 0;
}
#ifdef USE_WIN32
LPTSTR str2tstr(LPCSTR in) {
LPTSTR out;
#ifdef UNICODE
int len;
len=MultiByteToWideChar(CP_UTF8, 0, in, -1, NULL, 0);
if(!len)
return str_tprintf(TEXT("MultiByteToWideChar() failed"));
out=str_alloc(((size_t)len+1)*sizeof(WCHAR));
len=MultiByteToWideChar(CP_UTF8, 0, in, -1, out, len);
if(!len) {
str_free(out);
return str_tprintf(TEXT("MultiByteToWideChar() failed"));
}
#else
/* FIXME: convert UTF-8 to native codepage */
out=str_dup(in);
#endif
return out;
}
LPSTR tstr2str(LPCTSTR in) {
LPSTR out;
#ifdef UNICODE
int len;
len=WideCharToMultiByte(CP_UTF8, 0, in, -1, NULL, 0, NULL, NULL);
if(!len)
return str_printf("WideCharToMultiByte() failed");
out=str_alloc((size_t)len+1);
len=WideCharToMultiByte(CP_UTF8, 0, in, -1, out, len, NULL, NULL);
if(!len) {
str_free(out);
return str_printf("WideCharToMultiByte() failed");
}
#else
/* FIXME: convert native codepage to UTF-8 */
out=str_dup(in);
#endif
return out;
}
#endif /* USE_WIN32 */
/* end of file.c */

Some files were not shown because too many files have changed in this diff Show More