debmon
/
stunnel4
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Upstream version 4.53

This commit is contained in:
Mario Fetka 2017-03-28 09:58:13 +02:00
commit ce7eba2efe
97 changed files with 65898 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
AUTHORS Normal file
View File

@ -0,0 +1,4 @@
stunnel authors
Michal Trojnara <Michal.Trojnara@mirt.net>

5
BUGS Normal file
View File

@ -0,0 +1,5 @@
stunnel known bugs
- Shared library for transparent proxy does not support IPv6.

33
COPYING Normal file
View File

@ -0,0 +1,33 @@
stunnel license (see COPYRIGHT.GPL for detailed GPL conditions)
Copyright (C) 1998-2012 Michal Trojnara
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version.
This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with
this program; if not, see <http://www.gnu.org/licenses>.
Linking stunnel statically or dynamically with other modules is making
a combined work based on stunnel. Thus, the terms and conditions of the
GNU General Public License cover the whole combination.
In addition, as a special exception, the copyright holder of stunnel gives you
permission to combine stunnel with free software programs or libraries that
are released under the GNU LGPL and with code included in the standard release
of OpenSSL under the OpenSSL License (or modified versions of such code, with
unchanged license). You may copy and distribute such a system following the
terms of the GNU GPL for stunnel and the licenses of the other code concerned.
Note that people who make modified versions of stunnel are not obligated to
grant this special exception for their modified versions; it is their choice
whether to do so. The GNU General Public License gives permission to release
a modified version without this exception; this exception also makes it
possible to release a modified version which carries forward this exception.

339
COPYRIGHT.GPL Normal file
View File

@ -0,0 +1,339 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
Appendix: How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) 19yy <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.

9
CREDITS Normal file
View File

@ -0,0 +1,9 @@
Special thx to:
* Adam Hernik <adas@infocentrum.com>
* Pawel Krawczyk <kravietz@ceti.com.pl>
* Brian Hatch <bri@stunnel.org>
* Dirk O. Siebnich <dok@vossnet.de> for PTY support
and many others...

1158
ChangeLog Normal file
View File

File diff suppressed because it is too large Load Diff

40
INSTALL Normal file
View File

@ -0,0 +1,40 @@
stunnel Unix install notes
1. If your machine supports POSIX threads make sure your SSL
library is compiled with -DTHREADS.
2. Compile the software:
./configure
make
make install
(see potential options for 'configure' at the end of this file)
3. Create stunnel configuration file (stunnel.conf).
4. Add stunnel invocation to your system's startup files.
For SysV-compatible init you can use stunnel.init script.
or
Modify /etc/services and /etc/inetd.conf, restart inetd (inetd mode).
See the manual for details.
5. There are a variety of compile-time options you may supply when
running configure. Most commonly used are:
--with-ssl=DIR
where your SSL libraries and include files are installed
--with-random=FILE
read randomness from FILE for PRNG seeding
--with-egd-socket=FILE
location of Entropy Gathering Daemon socket, if running EGD
(for example on a machine that lacks a /dev/urandom device)
Use `./configure --help' to see all the options.

23
INSTALL.FIPS Normal file
View File

@ -0,0 +1,23 @@
stunnel FIPS install notes
Unix HOWTO:
FIPS mode is autodetected if possible. You can force it with:
./configure --enable-fips
or disable with:
./configure --disable-fips
WIN32 HOWTO:
* On 32-bit Windows install one of the following compilers:
- MSVC 8.0 (VS 2005) Standard or Professional Edition
- MSVC 9.0 (VS 2008) any edition including Express Edition
* On 64-bit Windows install one of the following compilers:
- MSVC 8.0 (VS 2005) Standard or Professional Edition
- MSVC 9.0 (VS 2008) Standard or Professional Edition
* Build FIPS-compliant OpenSSL DLLS according to:
http://www.openssl.org/docs/fips/UserGuide-1.2.pdf
* Build stunnel normally with MSVC or Mingw.
Mingw build requires DLL stubs. Stubs can be built with:
dlltool --def ms/libeay32.def --output-lib libcrypto.a
dlltool --def ms/ssleay32.def --output-lib libssl.a

51
INSTALL.W32 Normal file
View File

@ -0,0 +1,51 @@
stunnel Windows install notes
Building stunnel from source (optional):
1) Install mingw32 cross-compiler o a Unix/Linux machine.
In Debian all you need is:
apt-get install gcc-mingw32
Native compilation on a Windows machine is possible, but not supported.
2) Download the recent zlib from http://www.zlib.net/
Update the following definitions in win32/Makefile.gcc file:
SHARED_MODE=1
PREFIX = i586-mingw32msvc-
then build zlib with:
make -f win32/Makefile.gcc
and install it in mingw32 tree:
sudo BINARY_PATH=~/ \
INCLUDE_PATH=/usr/i586-mingw32msvc/include/ \
LIBRARY_PATH=/usr/i586-mingw32msvc/lib/ \
make -f win32/Makefile.gcc install
3) Download the recent OpenSSL in unpack it to /usr/src/ directory.
cd /usr/src
tar zvxf ~/openssl-(version).tar.gz
mv openssl-(version) openssl-(version)-i586
4) Build OpenSSL.
./Configure --cross-compile-prefix=i586-mingw32msvc- mingw shared zlib-dynamic
make
5) Download and unpack stunnel-(version).tar.gz.
6) Configure stunnel.
cd stunnel-(version)
./configure --with-ssl=/path/to/openssl-(version)
7) Build windows executable.
cd src
make stunnel.exe
Installing stunnel:
1) run installer to install precompiled binaries or copy stunnel.exe and
OpenSSL DLLs into a directory
2) read the manual (stunnel.html)
3) create/edit stunnel.conf configuration file

45
INSTALL.WCE Normal file
View File

@ -0,0 +1,45 @@
stunnel Windows CE install notes
Two stunnel executables are available for Windows CE platform:
1) stunnel.exe - version with interactive GUI
2) tstunnel.exe - non-iteractive version for headless devices
Building stunnel from source (optional):
1) install the following tools:
evt2002web_min.exe from http://www.microsoft.com/
ActivePerl from http://www.activestate.com/Products/ActivePerl/
unzip.exe (file needs to be renamed) from
http://www.mirrorservice.org/sites/ftp.info-zip.org/pub/infozip/WIN32/
2) download the OpenSSL source files (the whole directory):
ftp://ftp.stunnel.org/stunnel/openssl/ce/
3) your directory should look like this:
build.bat
build.pl
unzip.exe
src\openssl-0.9.8a.zip
src\wcecompat-1.2.zip
4) type "build" to build OpenSSL
5) download and unpack stunnel-(version).tar.gz
4) enter "stunnel-(version)\src" subdirectory
5) type "makece" to build stunnel
Installing stunnel:
1) copy OpenSSL DLLs and stunnel.exe or tstunnel.exe into \stunnel directory
2) read the manual (stunnel.html)
3) create/edit stunnel.conf configuration file

37
Makefile.am Normal file
View File

@ -0,0 +1,37 @@
## Process this file with automake to produce Makefile.in
ACLOCAL_AMFLAGS = -I m4
SUBDIRS = src doc tools
LIBTOOL_DEPS = @LIBTOOL_DEPS@
libtool: $(LIBTOOL_DEPS)
$(SHELL) ./config.status libtool
EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS
EXTRA_DIST += INSTALL.W32 INSTALL.WCE INSTALL.FIPS
EXTRA_DIST += build-android.sh
docdir = $(datadir)/doc/stunnel
doc_DATA = INSTALL README TODO COPYING AUTHORS ChangeLog
doc_DATA += PORTS BUGS COPYRIGHT.GPL CREDITS
doc_DATA += INSTALL.W32 INSTALL.WCE INSTALL.FIPS
distcleancheck_listfiles = find -type f -exec sh -c 'test -f $(srcdir)/{} || echo {}' ';'
distclean-local:
rm -rf autom4te.cache
rm -f $(distdir)-installer.exe
dist-hook:
makensis -NOCD -DVERSION=${VERSION} -DSRCDIR=$(srcdir) \
-DDLLS=/usr/src/openssl-0.9.8s-fips/out32dll \
$(srcdir)/tools/stunnel.nsi
sign: dist
cp -f $(distdir).tar.gz ../dist
cp -f $(distdir)-installer.exe ../dist
gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir).tar.gz
gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir)-installer.exe
sha256sum $(distdir).tar.gz | tee ../dist/$(distdir).tar.gz.sha256

780
Makefile.in Normal file
View File

@ -0,0 +1,780 @@
# Makefile.in generated by automake 1.11.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
# Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
@SET_MAKE@
VPATH = @srcdir@
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = .
DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \
$(srcdir)/Makefile.in $(top_srcdir)/configure AUTHORS COPYING \
ChangeLog INSTALL NEWS TODO auto/compile auto/config.guess \
auto/config.sub auto/depcomp auto/install-sh auto/ltmain.sh \
auto/missing
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
configure.lineno config.status.lineno
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/src/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
SOURCES =
DIST_SOURCES =
RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
html-recursive info-recursive install-data-recursive \
install-dvi-recursive install-exec-recursive \
install-html-recursive install-info-recursive \
install-pdf-recursive install-ps-recursive install-recursive \
installcheck-recursive installdirs-recursive pdf-recursive \
ps-recursive uninstall-recursive
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
*) f=$$p;; \
esac;
am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
am__install_max = 40
am__nobase_strip_setup = \
srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
am__nobase_strip = \
for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
am__nobase_list = $(am__nobase_strip_setup); \
for p in $$list; do echo "$$p $$p"; done | \
sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
$(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
if (++n[$$2] == $(am__install_max)) \
{ print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
END { for (dir in files) print dir, files[dir] }'
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__installdirs = "$(DESTDIR)$(docdir)"
DATA = $(doc_DATA)
RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
distclean-recursive maintainer-clean-recursive
AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
$(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \
distdir dist dist-all distcheck
ETAGS = etags
CTAGS = ctags
DIST_SUBDIRS = $(SUBDIRS)
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
distdir = $(PACKAGE)-$(VERSION)
top_distdir = $(distdir)
am__remove_distdir = \
{ test ! -d "$(distdir)" \
|| { find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
&& rm -fr "$(distdir)"; }; }
am__relativize = \
dir0=`pwd`; \
sed_first='s,^\([^/]*\)/.*$$,\1,'; \
sed_rest='s,^[^/]*/*,,'; \
sed_last='s,^.*/\([^/]*\)$$,\1,'; \
sed_butlast='s,/*[^/]*$$,,'; \
while test -n "$$dir1"; do \
first=`echo "$$dir1" | sed -e "$$sed_first"`; \
if test "$$first" != "."; then \
if test "$$first" = ".."; then \
dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
else \
first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
if test "$$first2" = "$$first"; then \
dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
else \
dir2="../$$dir2"; \
fi; \
dir0="$$dir0"/"$$first"; \
fi; \
fi; \
dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
done; \
reldir="$$dir2"
DIST_ARCHIVES = $(distdir).tar.gz
GZIP_ENV = --best
distuninstallcheck_listfiles = find . -type f -print
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFAULT_GROUP = @DEFAULT_GROUP@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GREP = @GREP@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LD = @LD@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
LIBTOOL_DEPS = @LIBTOOL_DEPS@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
RANDOM_FILE = @RANDOM_FILE@
RANLIB = @RANLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SSLDIR = @SSLDIR@
STRIP = @STRIP@
VERSION = @VERSION@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = $(datadir)/doc/stunnel
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
lt_ECHO = @lt_ECHO@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
stunnel_CFLAGS = @stunnel_CFLAGS@
stunnel_LDFLAGF = @stunnel_LDFLAGF@
stunnel_LDFLAGS = @stunnel_LDFLAGS@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
ACLOCAL_AMFLAGS = -I m4
SUBDIRS = src doc tools
EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE \
INSTALL.FIPS build-android.sh
doc_DATA = INSTALL README TODO COPYING AUTHORS ChangeLog PORTS BUGS \
COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE INSTALL.FIPS
distcleancheck_listfiles = find -type f -exec sh -c 'test -f $(srcdir)/{} || echo {}' ';'
all: all-recursive
.SUFFIXES:
am--refresh:
@:
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
echo ' cd $(srcdir) && $(AUTOMAKE) --gnu'; \
$(am__cd) $(srcdir) && $(AUTOMAKE) --gnu \
&& exit 0; \
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --gnu Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
echo ' $(SHELL) ./config.status'; \
$(SHELL) ./config.status;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe)'; \
cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
$(SHELL) ./config.status --recheck
$(top_srcdir)/configure: $(am__configure_deps)
$(am__cd) $(srcdir) && $(AUTOCONF)
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
$(am__cd) $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS)
$(am__aclocal_m4_deps):
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
distclean-libtool:
-rm -f libtool config.lt
install-docDATA: $(doc_DATA)
@$(NORMAL_INSTALL)
test -z "$(docdir)" || $(MKDIR_P) "$(DESTDIR)$(docdir)"
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
done | $(am__base_list) | \
while read files; do \
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \
$(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \
done
uninstall-docDATA:
@$(NORMAL_UNINSTALL)
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
test -n "$$files" || exit 0; \
echo " ( cd '$(DESTDIR)$(docdir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(docdir)" && rm -f $$files
# This directory's subdirectories are mostly independent; you can cd
# into them and run `make' without going through this Makefile.
# To change the values of `make' variables: instead of editing Makefiles,
# (1) if the variable is set in `config.status', edit `config.status'
# (which will cause the Makefiles to be regenerated when you run `make');
# (2) otherwise, pass the desired values on the `make' command line.
$(RECURSIVE_TARGETS):
@fail= failcom='exit 1'; \
for f in x $$MAKEFLAGS; do \
case $$f in \
*=* | --[!k]*);; \
*k*) failcom='fail=yes';; \
esac; \
done; \
dot_seen=no; \
target=`echo $@ | sed s/-recursive//`; \
list='$(SUBDIRS)'; for subdir in $$list; do \
echo "Making $$target in $$subdir"; \
if test "$$subdir" = "."; then \
dot_seen=yes; \
local_target="$$target-am"; \
else \
local_target="$$target"; \
fi; \
($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
|| eval $$failcom; \
done; \
if test "$$dot_seen" = "no"; then \
$(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
fi; test -z "$$fail"
$(RECURSIVE_CLEAN_TARGETS):
@fail= failcom='exit 1'; \
for f in x $$MAKEFLAGS; do \
case $$f in \
*=* | --[!k]*);; \
*k*) failcom='fail=yes';; \
esac; \
done; \
dot_seen=no; \
case "$@" in \
distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
*) list='$(SUBDIRS)' ;; \
esac; \
rev=''; for subdir in $$list; do \
if test "$$subdir" = "."; then :; else \
rev="$$subdir $$rev"; \
fi; \
done; \
rev="$$rev ."; \
target=`echo $@ | sed s/-recursive//`; \
for subdir in $$rev; do \
echo "Making $$target in $$subdir"; \
if test "$$subdir" = "."; then \
local_target="$$target-am"; \
else \
local_target="$$target"; \
fi; \
($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
|| eval $$failcom; \
done && test -z "$$fail"
tags-recursive:
list='$(SUBDIRS)'; for subdir in $$list; do \
test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
done
ctags-recursive:
list='$(SUBDIRS)'; for subdir in $$list; do \
test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
done
ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
set x; \
here=`pwd`; \
if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
include_option=--etags-include; \
empty_fix=.; \
else \
include_option=--include; \
empty_fix=; \
fi; \
list='$(SUBDIRS)'; for subdir in $$list; do \
if test "$$subdir" = .; then :; else \
test ! -f $$subdir/TAGS || \
set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
fi; \
done; \
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
shift; \
if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
if test $$# -gt 0; then \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
"$$@" $$unique; \
else \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
$$unique; \
fi; \
fi
ctags: CTAGS
CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
$$unique
GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
&& $(am__cd) $(top_srcdir) \
&& gtags -i $(GTAGS_ARGS) "$$here"
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
distdir: $(DISTFILES)
$(am__remove_distdir)
test -d "$(distdir)" || mkdir "$(distdir)"
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
dist_files=`for file in $$list; do echo $$file; done | \
sed -e "s|^$$srcdirstrip/||;t" \
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
case $$dist_files in \
*/*) $(MKDIR_P) `echo "$$dist_files" | \
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
sort -u` ;; \
esac; \
for file in $$dist_files; do \
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
if test -d "$(distdir)/$$file"; then \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
test -f "$(distdir)/$$file" \
|| cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
if test "$$subdir" = .; then :; else \
test -d "$(distdir)/$$subdir" \
|| $(MKDIR_P) "$(distdir)/$$subdir" \
|| exit 1; \
fi; \
done
@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
if test "$$subdir" = .; then :; else \
dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
$(am__relativize); \
new_distdir=$$reldir; \
dir1=$$subdir; dir2="$(top_distdir)"; \
$(am__relativize); \
new_top_distdir=$$reldir; \
echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
($(am__cd) $$subdir && \
$(MAKE) $(AM_MAKEFLAGS) \
top_distdir="$$new_top_distdir" \
distdir="$$new_distdir" \
am__remove_distdir=: \
am__skip_length_check=: \
am__skip_mode_fix=: \
distdir) \
|| exit 1; \
fi; \
done
$(MAKE) $(AM_MAKEFLAGS) \
top_distdir="$(top_distdir)" distdir="$(distdir)" \
dist-hook
-test -n "$(am__skip_mode_fix)" \
|| find "$(distdir)" -type d ! -perm -755 \
-exec chmod u+rwx,go+rx {} \; -o \
! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
! -type d ! -perm -400 -exec chmod a+r {} \; -o \
! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \
|| chmod -R a+r "$(distdir)"
dist-gzip: distdir
tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
$(am__remove_distdir)
dist-bzip2: distdir
tardir=$(distdir) && $(am__tar) | bzip2 -9 -c >$(distdir).tar.bz2
$(am__remove_distdir)
dist-lzma: distdir
tardir=$(distdir) && $(am__tar) | lzma -9 -c >$(distdir).tar.lzma
$(am__remove_distdir)
dist-xz: distdir
tardir=$(distdir) && $(am__tar) | xz -c >$(distdir).tar.xz
$(am__remove_distdir)
dist-tarZ: distdir
tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z
$(am__remove_distdir)
dist-shar: distdir
shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz
$(am__remove_distdir)
dist-zip: distdir
-rm -f $(distdir).zip
zip -rq $(distdir).zip $(distdir)
$(am__remove_distdir)
dist dist-all: distdir
tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
$(am__remove_distdir)
# This target untars the dist file and tries a VPATH configuration. Then
# it guarantees that the distribution is self-contained by making another
# tarfile.
distcheck: dist
case '$(DIST_ARCHIVES)' in \
*.tar.gz*) \
GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\
*.tar.bz2*) \
bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\
*.tar.lzma*) \
lzma -dc $(distdir).tar.lzma | $(am__untar) ;;\
*.tar.xz*) \
xz -dc $(distdir).tar.xz | $(am__untar) ;;\
*.tar.Z*) \
uncompress -c $(distdir).tar.Z | $(am__untar) ;;\
*.shar.gz*) \
GZIP=$(GZIP_ENV) gzip -dc $(distdir).shar.gz | unshar ;;\
*.zip*) \
unzip $(distdir).zip ;;\
esac
chmod -R a-w $(distdir); chmod a+w $(distdir)
mkdir $(distdir)/_build
mkdir $(distdir)/_inst
chmod a-w $(distdir)
test -d $(distdir)/_build || exit 0; \
dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \
&& dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
&& am__cwd=`pwd` \
&& $(am__cd) $(distdir)/_build \
&& ../configure --srcdir=.. --prefix="$$dc_install_base" \
$(DISTCHECK_CONFIGURE_FLAGS) \
&& $(MAKE) $(AM_MAKEFLAGS) \
&& $(MAKE) $(AM_MAKEFLAGS) dvi \
&& $(MAKE) $(AM_MAKEFLAGS) check \
&& $(MAKE) $(AM_MAKEFLAGS) install \
&& $(MAKE) $(AM_MAKEFLAGS) installcheck \
&& $(MAKE) $(AM_MAKEFLAGS) uninstall \
&& $(MAKE) $(AM_MAKEFLAGS) distuninstallcheck_dir="$$dc_install_base" \
distuninstallcheck \
&& chmod -R a-w "$$dc_install_base" \
&& ({ \
(cd ../.. && umask 077 && mkdir "$$dc_destdir") \
&& $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" install \
&& $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" uninstall \
&& $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" \
distuninstallcheck_dir="$$dc_destdir" distuninstallcheck; \
} || { rm -rf "$$dc_destdir"; exit 1; }) \
&& rm -rf "$$dc_destdir" \
&& $(MAKE) $(AM_MAKEFLAGS) dist \
&& rm -rf $(DIST_ARCHIVES) \
&& $(MAKE) $(AM_MAKEFLAGS) distcleancheck \
&& cd "$$am__cwd" \
|| exit 1
$(am__remove_distdir)
@(echo "$(distdir) archives ready for distribution: "; \
list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \
sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x'
distuninstallcheck:
@$(am__cd) '$(distuninstallcheck_dir)' \
&& test `$(distuninstallcheck_listfiles) | wc -l` -le 1 \
|| { echo "ERROR: files left after uninstall:" ; \
if test -n "$(DESTDIR)"; then \
echo " (check DESTDIR support)"; \
fi ; \
$(distuninstallcheck_listfiles) ; \
exit 1; } >&2
distcleancheck: distclean
@if test '$(srcdir)' = . ; then \
echo "ERROR: distcleancheck can only run from a VPATH build" ; \
exit 1 ; \
fi
@test `$(distcleancheck_listfiles) | wc -l` -eq 0 \
|| { echo "ERROR: files left in build directory after distclean:" ; \
$(distcleancheck_listfiles) ; \
exit 1; } >&2
check-am: all-am
check: check-recursive
all-am: Makefile $(DATA)
installdirs: installdirs-recursive
installdirs-am:
for dir in "$(DESTDIR)$(docdir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-recursive
install-exec: install-exec-recursive
install-data: install-data-recursive
uninstall: uninstall-recursive
install-am: all-am
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
installcheck: installcheck-recursive
install-strip:
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
`test -z '$(STRIP)' || \
echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
clean: clean-recursive
clean-am: clean-generic clean-libtool mostlyclean-am
distclean: distclean-recursive
-rm -f $(am__CONFIG_DISTCLEAN_FILES)
-rm -f Makefile
distclean-am: clean-am distclean-generic distclean-libtool \
distclean-local distclean-tags
dvi: dvi-recursive
dvi-am:
html: html-recursive
html-am:
info: info-recursive
info-am:
install-data-am: install-docDATA
install-dvi: install-dvi-recursive
install-dvi-am:
install-exec-am:
install-html: install-html-recursive
install-html-am:
install-info: install-info-recursive
install-info-am:
install-man:
install-pdf: install-pdf-recursive
install-pdf-am:
install-ps: install-ps-recursive
install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-recursive
-rm -f $(am__CONFIG_DISTCLEAN_FILES)
-rm -rf $(top_srcdir)/autom4te.cache
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-recursive
mostlyclean-am: mostlyclean-generic mostlyclean-libtool
pdf: pdf-recursive
pdf-am:
ps: ps-recursive
ps-am:
uninstall-am: uninstall-docDATA
.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \
install-am install-strip tags-recursive
.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
all all-am am--refresh check check-am clean clean-generic \
clean-libtool ctags ctags-recursive dist dist-all dist-bzip2 \
dist-gzip dist-hook dist-lzma dist-shar dist-tarZ dist-xz \
dist-zip distcheck distclean distclean-generic \
distclean-libtool distclean-local distclean-tags \
distcleancheck distdir distuninstallcheck dvi dvi-am html \
html-am info info-am install install-am install-data \
install-data-am install-docDATA install-dvi install-dvi-am \
install-exec install-exec-am install-html install-html-am \
install-info install-info-am install-man install-pdf \
install-pdf-am install-ps install-ps-am install-strip \
installcheck installcheck-am installdirs installdirs-am \
maintainer-clean maintainer-clean-generic mostlyclean \
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
tags tags-recursive uninstall uninstall-am uninstall-docDATA
libtool: $(LIBTOOL_DEPS)
$(SHELL) ./config.status libtool
distclean-local:
rm -rf autom4te.cache
rm -f $(distdir)-installer.exe
dist-hook:
makensis -NOCD -DVERSION=${VERSION} -DSRCDIR=$(srcdir) \
-DDLLS=/usr/src/openssl-0.9.8s-fips/out32dll \
$(srcdir)/tools/stunnel.nsi
sign: dist
cp -f $(distdir).tar.gz ../dist
cp -f $(distdir)-installer.exe ../dist
gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir).tar.gz
gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir)-installer.exe
sha256sum $(distdir).tar.gz | tee ../dist/$(distdir).tar.gz.sha256
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:

1
NEWS Normal file
View File

@ -0,0 +1 @@
See the ChangeLog file for the latest news.

22
PORTS Normal file
View File

@ -0,0 +1,22 @@
stunnel known port maintainers
* AmigaOS
- Diego Casorran <dcr8520@amiga.org>
* Cygwin
- Andrew Schulman <andrex@alumni.utexas.net>
* Debian GNU/Linux
- Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com>
* FreeBSD
- Ryan Steinmetz <zi@FreeBSD.org>
* NetBSD
- Martti Kuparinen <martti.kuparinen@iki.fi>
* OpenBSD
- Jakob Schlyter <jakob@openbsd.org>
* OpenSolaris
- Mark Fenwick <Mark.Fenwick@sun.com>
* OS/2
- Paul Smedley <paul@smedley.info>
* RedHat Linux
- Damien Miller <dmiller@ilogic.com.au>

30
README Normal file
View File

@ -0,0 +1,30 @@
stunnel overview
Short description
The stunnel program is designed to work as an SSL encryption
wrapper between remote client and local (inetd-startable) or
remote servers. The goal is to facilitate SSL encryption and
authentication for non-SSL-aware programs.
stunnel can be used to add SSL functionality to commonly
used inetd daemons like POP-2, POP-3 and IMAP servers
without any changes in the programs' code.
Compile instructions
See INSTALL file.
License
See COPYING file.
Other files you should read
Changelog What I did
TODO What I'm going to do
Reporting problems and other contacts
See FAQ file.

39
TODO Normal file
View File

@ -0,0 +1,39 @@
stunnel TODO
High priority features. They will likely be supported some day.
A sponsor could allocate my time to get them faster.
* Command-line server control interface on both Unix and Windows.
* Separate GUI process running as current user on Windows.
* Optional line-buffering of the log file.
* etc/stunnel/conf.d/* files automatically processed while reading
etc/stunnel/stunnel.conf
* Android GUI.
* Support for CryptoAPI certificates and private keys with OpenSSL CAPI
engine (this feature is incompatible with FIPS support).
* Indirect CRL support (RFC 3280, section 5).
* Configuration file option to limit the number of concurrent connections.
* SOCKS 4 protocol support.
http://archive.socks.permeo.com/protocol/socks4.protocol
Low priority features. They will unlikely ever be supported.
* Provide 64-bit Windows builds (besides 32-bit builds).
This requires either Microsoft Visual Studio Standard Edition or Microsoft
Visual Studio Professional Edition in order to retain FIPS compliance.
* Service-level logging configuration (separate verbosity and destination).
* Key renegotiation (re-handshake) for long connections.
* Logging to NT EventLog on Windows.
* Internationalization of logged messages (i18n).
* Generic scripting engine instead or static protocol.c.
Features I won't support, unless convinced otherwise by a wealthy sponsor.
* Protocol support *after* SSL is negotiated:
- Support for adding X-Forwarded-For to HTTP request headers.
This feature is less useful since PROXY protocol support is available.
- Support for adding X-Forwarded-For to SMTP email headers.
This feature is most likely to be implemented as a separate proxy.
* Additional certificate checks (including wildcard comparison) based on CN
and X509v3 Subject Alternative Name.
* Set processes title that appear on the ps(1) and top(1) commands.
I could not find a portable *and* non-copyleft library for it.

991
aclocal.m4 vendored Normal file
View File

@ -0,0 +1,991 @@
# generated automatically by aclocal 1.11.1 -*- Autoconf -*-
# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
# 2005, 2006, 2007, 2008, 2009 Free Software Foundation, Inc.
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
m4_ifndef([AC_AUTOCONF_VERSION],
[m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.67],,
[m4_warning([this file was generated for autoconf 2.67.
You have another version of autoconf. It may work, but is not guaranteed to.
If you have problems, you may need to regenerate the build system entirely.
To do so, use the procedure documented by the package, typically `autoreconf'.])])
# Copyright (C) 2002, 2003, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# AM_AUTOMAKE_VERSION(VERSION)
# ----------------------------
# Automake X.Y traces this macro to ensure aclocal.m4 has been
# generated from the m4 files accompanying Automake X.Y.
# (This private macro should not be called outside this file.)
AC_DEFUN([AM_AUTOMAKE_VERSION],
[am__api_version='1.11'
dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
dnl require some minimum version. Point them to the right macro.
m4_if([$1], [1.11.1], [],
[AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
])
# _AM_AUTOCONF_VERSION(VERSION)
# -----------------------------
# aclocal traces this macro to find the Autoconf version.
# This is a private macro too. Using m4_define simplifies
# the logic in aclocal, which can simply ignore this definition.
m4_define([_AM_AUTOCONF_VERSION], [])
# AM_SET_CURRENT_AUTOMAKE_VERSION
# -------------------------------
# Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
# This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
[AM_AUTOMAKE_VERSION([1.11.1])dnl
m4_ifndef([AC_AUTOCONF_VERSION],
[m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
_AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
# AM_AUX_DIR_EXPAND -*- Autoconf -*-
# Copyright (C) 2001, 2003, 2005 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# For projects using AC_CONFIG_AUX_DIR([foo]), Autoconf sets
# $ac_aux_dir to `$srcdir/foo'. In other projects, it is set to
# `$srcdir', `$srcdir/..', or `$srcdir/../..'.
#
# Of course, Automake must honor this variable whenever it calls a
# tool from the auxiliary directory. The problem is that $srcdir (and
# therefore $ac_aux_dir as well) can be either absolute or relative,
# depending on how configure is run. This is pretty annoying, since
# it makes $ac_aux_dir quite unusable in subdirectories: in the top
# source directory, any form will work fine, but in subdirectories a
# relative path needs to be adjusted first.
#
# $ac_aux_dir/missing
# fails when called from a subdirectory if $ac_aux_dir is relative
# $top_srcdir/$ac_aux_dir/missing
# fails if $ac_aux_dir is absolute,
# fails when called from a subdirectory in a VPATH build with
# a relative $ac_aux_dir
#
# The reason of the latter failure is that $top_srcdir and $ac_aux_dir
# are both prefixed by $srcdir. In an in-source build this is usually
# harmless because $srcdir is `.', but things will broke when you
# start a VPATH build or use an absolute $srcdir.
#
# So we could use something similar to $top_srcdir/$ac_aux_dir/missing,
# iff we strip the leading $srcdir from $ac_aux_dir. That would be:
# am_aux_dir='\$(top_srcdir)/'`expr "$ac_aux_dir" : "$srcdir//*\(.*\)"`
# and then we would define $MISSING as
# MISSING="\${SHELL} $am_aux_dir/missing"
# This will work as long as MISSING is not called from configure, because
# unfortunately $(top_srcdir) has no meaning in configure.
# However there are other variables, like CC, which are often used in
# configure, and could therefore not use this "fixed" $ac_aux_dir.
#
# Another solution, used here, is to always expand $ac_aux_dir to an
# absolute PATH. The drawback is that using absolute paths prevent a
# configured tree to be moved without reconfiguration.
AC_DEFUN([AM_AUX_DIR_EXPAND],
[dnl Rely on autoconf to set up CDPATH properly.
AC_PREREQ([2.50])dnl
# expand $ac_aux_dir to an absolute path
am_aux_dir=`cd $ac_aux_dir && pwd`
])
# AM_CONDITIONAL -*- Autoconf -*-
# Copyright (C) 1997, 2000, 2001, 2003, 2004, 2005, 2006, 2008
# Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# serial 9
# AM_CONDITIONAL(NAME, SHELL-CONDITION)
# -------------------------------------
# Define a conditional.
AC_DEFUN([AM_CONDITIONAL],
[AC_PREREQ(2.52)dnl
ifelse([$1], [TRUE], [AC_FATAL([$0: invalid condition: $1])],
[$1], [FALSE], [AC_FATAL([$0: invalid condition: $1])])dnl
AC_SUBST([$1_TRUE])dnl
AC_SUBST([$1_FALSE])dnl
_AM_SUBST_NOTMAKE([$1_TRUE])dnl
_AM_SUBST_NOTMAKE([$1_FALSE])dnl
m4_define([_AM_COND_VALUE_$1], [$2])dnl
if $2; then
$1_TRUE=
$1_FALSE='#'
else
$1_TRUE='#'
$1_FALSE=
fi
AC_CONFIG_COMMANDS_PRE(
[if test -z "${$1_TRUE}" && test -z "${$1_FALSE}"; then
AC_MSG_ERROR([[conditional "$1" was never defined.
Usually this means the macro was only invoked conditionally.]])
fi])])
# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2009
# Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# serial 10
# There are a few dirty hacks below to avoid letting `AC_PROG_CC' be
# written in clear, in which case automake, when reading aclocal.m4,
# will think it sees a *use*, and therefore will trigger all it's
# C support machinery. Also note that it means that autoscan, seeing
# CC etc. in the Makefile, will ask for an AC_PROG_CC use...
# _AM_DEPENDENCIES(NAME)
# ----------------------
# See how the compiler implements dependency checking.
# NAME is "CC", "CXX", "GCJ", or "OBJC".
# We try a few techniques and use that to set a single cache variable.
#
# We don't AC_REQUIRE the corresponding AC_PROG_CC since the latter was
# modified to invoke _AM_DEPENDENCIES(CC); we would have a circular
# dependency, and given that the user is not expected to run this macro,
# just rely on AC_PROG_CC.
AC_DEFUN([_AM_DEPENDENCIES],
[AC_REQUIRE([AM_SET_DEPDIR])dnl
AC_REQUIRE([AM_OUTPUT_DEPENDENCY_COMMANDS])dnl
AC_REQUIRE([AM_MAKE_INCLUDE])dnl
AC_REQUIRE([AM_DEP_TRACK])dnl
ifelse([$1], CC, [depcc="$CC" am_compiler_list=],
[$1], CXX, [depcc="$CXX" am_compiler_list=],
[$1], OBJC, [depcc="$OBJC" am_compiler_list='gcc3 gcc'],
[$1], UPC, [depcc="$UPC" am_compiler_list=],
[$1], GCJ, [depcc="$GCJ" am_compiler_list='gcc3 gcc'],
[depcc="$$1" am_compiler_list=])
AC_CACHE_CHECK([dependency style of $depcc],
[am_cv_$1_dependencies_compiler_type],
[if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then
# We make a subdir and do the tests there. Otherwise we can end up
# making bogus files that we don't know about and never remove. For
# instance it was reported that on HP-UX the gcc test will end up
# making a dummy file named `D' -- because `-MD' means `put the output
# in D'.
mkdir conftest.dir
# Copy depcomp to subdir because otherwise we won't find it if we're
# using a relative directory.
cp "$am_depcomp" conftest.dir
cd conftest.dir
# We will build objects and dependencies in a subdirectory because
# it helps to detect inapplicable dependency modes. For instance
# both Tru64's cc and ICC support -MD to output dependencies as a
# side effect of compilation, but ICC will put the dependencies in
# the current directory while Tru64 will put them in the object
# directory.
mkdir sub
am_cv_$1_dependencies_compiler_type=none
if test "$am_compiler_list" = ""; then
am_compiler_list=`sed -n ['s/^#*\([a-zA-Z0-9]*\))$/\1/p'] < ./depcomp`
fi
am__universal=false
m4_case([$1], [CC],
[case " $depcc " in #(
*\ -arch\ *\ -arch\ *) am__universal=true ;;
esac],
[CXX],
[case " $depcc " in #(
*\ -arch\ *\ -arch\ *) am__universal=true ;;
esac])
for depmode in $am_compiler_list; do
# Setup a source with many dependencies, because some compilers
# like to wrap large dependency lists on column 80 (with \), and
# we should not choose a depcomp mode which is confused by this.
#
# We need to recreate these files for each test, as the compiler may
# overwrite some of them when testing with obscure command lines.
# This happens at least with the AIX C compiler.
: > sub/conftest.c
for i in 1 2 3 4 5 6; do
echo '#include "conftst'$i'.h"' >> sub/conftest.c
# Using `: > sub/conftst$i.h' creates only sub/conftst1.h with
# Solaris 8's {/usr,}/bin/sh.
touch sub/conftst$i.h
done
echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf
# We check with `-c' and `-o' for the sake of the "dashmstdout"
# mode. It turns out that the SunPro C++ compiler does not properly
# handle `-M -o', and we need to detect this. Also, some Intel
# versions had trouble with output in subdirs
am__obj=sub/conftest.${OBJEXT-o}
am__minus_obj="-o $am__obj"
case $depmode in
gcc)
# This depmode causes a compiler race in universal mode.
test "$am__universal" = false || continue
;;
nosideeffect)
# after this tag, mechanisms are not by side-effect, so they'll
# only be used when explicitly requested
if test "x$enable_dependency_tracking" = xyes; then
continue
else
break
fi
;;
msvisualcpp | msvcmsys)
# This compiler won't grok `-c -o', but also, the minuso test has
# not run yet. These depmodes are late enough in the game, and
# so weak that their functioning should not be impacted.
am__obj=conftest.${OBJEXT-o}
am__minus_obj=
;;
none) break ;;
esac
if depmode=$depmode \
source=sub/conftest.c object=$am__obj \
depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \
$SHELL ./depcomp $depcc -c $am__minus_obj sub/conftest.c \
>/dev/null 2>conftest.err &&
grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 &&
grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 &&
grep $am__obj sub/conftest.Po > /dev/null 2>&1 &&
${MAKE-make} -s -f confmf > /dev/null 2>&1; then
# icc doesn't choke on unknown options, it will just issue warnings
# or remarks (even with -Werror). So we grep stderr for any message
# that says an option was ignored or not supported.
# When given -MP, icc 7.0 and 7.1 complain thusly:
# icc: Command line warning: ignoring option '-M'; no argument required
# The diagnosis changed in icc 8.0:
# icc: Command line remark: option '-MP' not supported
if (grep 'ignoring option' conftest.err ||
grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else
am_cv_$1_dependencies_compiler_type=$depmode
break
fi
fi
done
cd ..
rm -rf conftest.dir
else
am_cv_$1_dependencies_compiler_type=none
fi
])
AC_SUBST([$1DEPMODE], [depmode=$am_cv_$1_dependencies_compiler_type])
AM_CONDITIONAL([am__fastdep$1], [
test "x$enable_dependency_tracking" != xno \
&& test "$am_cv_$1_dependencies_compiler_type" = gcc3])
])
# AM_SET_DEPDIR
# -------------
# Choose a directory name for dependency files.
# This macro is AC_REQUIREd in _AM_DEPENDENCIES
AC_DEFUN([AM_SET_DEPDIR],
[AC_REQUIRE([AM_SET_LEADING_DOT])dnl
AC_SUBST([DEPDIR], ["${am__leading_dot}deps"])dnl
])
# AM_DEP_TRACK
# ------------
AC_DEFUN([AM_DEP_TRACK],
[AC_ARG_ENABLE(dependency-tracking,
[ --disable-dependency-tracking speeds up one-time build
--enable-dependency-tracking do not reject slow dependency extractors])
if test "x$enable_dependency_tracking" != xno; then
am_depcomp="$ac_aux_dir/depcomp"
AMDEPBACKSLASH='\'
fi
AM_CONDITIONAL([AMDEP], [test "x$enable_dependency_tracking" != xno])
AC_SUBST([AMDEPBACKSLASH])dnl
_AM_SUBST_NOTMAKE([AMDEPBACKSLASH])dnl
])
# Generate code to set up dependency tracking. -*- Autoconf -*-
# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2008
# Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
#serial 5
# _AM_OUTPUT_DEPENDENCY_COMMANDS
# ------------------------------
AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS],
[{
# Autoconf 2.62 quotes --file arguments for eval, but not when files
# are listed without --file. Let's play safe and only enable the eval
# if we detect the quoting.
case $CONFIG_FILES in
*\'*) eval set x "$CONFIG_FILES" ;;
*) set x $CONFIG_FILES ;;
esac
shift
for mf
do
# Strip MF so we end up with the name of the file.
mf=`echo "$mf" | sed -e 's/:.*$//'`
# Check whether this is an Automake generated Makefile or not.
# We used to match only the files named `Makefile.in', but
# some people rename them; so instead we look at the file content.
# Grep'ing the first line is not enough: some people post-process
# each Makefile.in and add a new line on top of each file to say so.
# Grep'ing the whole file is not good either: AIX grep has a line
# limit of 2048, but all sed's we know have understand at least 4000.
if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then
dirpart=`AS_DIRNAME("$mf")`
else
continue
fi
# Extract the definition of DEPDIR, am__include, and am__quote
# from the Makefile without running `make'.
DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"`
test -z "$DEPDIR" && continue
am__include=`sed -n 's/^am__include = //p' < "$mf"`
test -z "am__include" && continue
am__quote=`sed -n 's/^am__quote = //p' < "$mf"`
# When using ansi2knr, U may be empty or an underscore; expand it
U=`sed -n 's/^U = //p' < "$mf"`
# Find all dependency output files, they are included files with
# $(DEPDIR) in their names. We invoke sed twice because it is the
# simplest approach to changing $(DEPDIR) to its actual value in the
# expansion.
for file in `sed -n "
s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \
sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do
# Make sure the directory exists.
test -f "$dirpart/$file" && continue
fdir=`AS_DIRNAME(["$file"])`
AS_MKDIR_P([$dirpart/$fdir])
# echo "creating $dirpart/$file"
echo '# dummy' > "$dirpart/$file"
done
done
}
])# _AM_OUTPUT_DEPENDENCY_COMMANDS
# AM_OUTPUT_DEPENDENCY_COMMANDS
# -----------------------------
# This macro should only be invoked once -- use via AC_REQUIRE.
#
# This code is only required when automatic dependency tracking
# is enabled. FIXME. This creates each `.P' file that we will
# need in order to bootstrap the dependency handling code.
AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS],
[AC_CONFIG_COMMANDS([depfiles],
[test x"$AMDEP_TRUE" != x"" || _AM_OUTPUT_DEPENDENCY_COMMANDS],
[AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"])
])
# Do all the work for Automake. -*- Autoconf -*-
# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
# 2005, 2006, 2008, 2009 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# serial 16
# This macro actually does too much. Some checks are only needed if
# your package does certain things. But this isn't really a big deal.
# AM_INIT_AUTOMAKE(PACKAGE, VERSION, [NO-DEFINE])
# AM_INIT_AUTOMAKE([OPTIONS])
# -----------------------------------------------
# The call with PACKAGE and VERSION arguments is the old style
# call (pre autoconf-2.50), which is being phased out. PACKAGE
# and VERSION should now be passed to AC_INIT and removed from
# the call to AM_INIT_AUTOMAKE.
# We support both call styles for the transition. After
# the next Automake release, Autoconf can make the AC_INIT
# arguments mandatory, and then we can depend on a new Autoconf
# release and drop the old call support.
AC_DEFUN([AM_INIT_AUTOMAKE],
[AC_PREREQ([2.62])dnl
dnl Autoconf wants to disallow AM_ names. We explicitly allow
dnl the ones we care about.
m4_pattern_allow([^AM_[A-Z]+FLAGS$])dnl
AC_REQUIRE([AM_SET_CURRENT_AUTOMAKE_VERSION])dnl
AC_REQUIRE([AC_PROG_INSTALL])dnl
if test "`cd $srcdir && pwd`" != "`pwd`"; then
# Use -I$(srcdir) only when $(srcdir) != ., so that make's output
# is not polluted with repeated "-I."
AC_SUBST([am__isrc], [' -I$(srcdir)'])_AM_SUBST_NOTMAKE([am__isrc])dnl
# test to see if srcdir already configured
if test -f $srcdir/config.status; then
AC_MSG_ERROR([source directory already configured; run "make distclean" there first])
fi
fi
# test whether we have cygpath
if test -z "$CYGPATH_W"; then
if (cygpath --version) >/dev/null 2>/dev/null; then
CYGPATH_W='cygpath -w'
else
CYGPATH_W=echo
fi
fi
AC_SUBST([CYGPATH_W])
# Define the identity of the package.
dnl Distinguish between old-style and new-style calls.
m4_ifval([$2],
[m4_ifval([$3], [_AM_SET_OPTION([no-define])])dnl
AC_SUBST([PACKAGE], [$1])dnl
AC_SUBST([VERSION], [$2])],
[_AM_SET_OPTIONS([$1])dnl
dnl Diagnose old-style AC_INIT with new-style AM_AUTOMAKE_INIT.
m4_if(m4_ifdef([AC_PACKAGE_NAME], 1)m4_ifdef([AC_PACKAGE_VERSION], 1), 11,,
[m4_fatal([AC_INIT should be called with package and version arguments])])dnl
AC_SUBST([PACKAGE], ['AC_PACKAGE_TARNAME'])dnl
AC_SUBST([VERSION], ['AC_PACKAGE_VERSION'])])dnl
_AM_IF_OPTION([no-define],,
[AC_DEFINE_UNQUOTED(PACKAGE, "$PACKAGE", [Name of package])
AC_DEFINE_UNQUOTED(VERSION, "$VERSION", [Version number of package])])dnl
# Some tools Automake needs.
AC_REQUIRE([AM_SANITY_CHECK])dnl
AC_REQUIRE([AC_ARG_PROGRAM])dnl
AM_MISSING_PROG(ACLOCAL, aclocal-${am__api_version})
AM_MISSING_PROG(AUTOCONF, autoconf)
AM_MISSING_PROG(AUTOMAKE, automake-${am__api_version})
AM_MISSING_PROG(AUTOHEADER, autoheader)
AM_MISSING_PROG(MAKEINFO, makeinfo)
AC_REQUIRE([AM_PROG_INSTALL_SH])dnl
AC_REQUIRE([AM_PROG_INSTALL_STRIP])dnl
AC_REQUIRE([AM_PROG_MKDIR_P])dnl
# We need awk for the "check" target. The system "awk" is bad on
# some platforms.
AC_REQUIRE([AC_PROG_AWK])dnl
AC_REQUIRE([AC_PROG_MAKE_SET])dnl
AC_REQUIRE([AM_SET_LEADING_DOT])dnl
_AM_IF_OPTION([tar-ustar], [_AM_PROG_TAR([ustar])],
[_AM_IF_OPTION([tar-pax], [_AM_PROG_TAR([pax])],
[_AM_PROG_TAR([v7])])])
_AM_IF_OPTION([no-dependencies],,
[AC_PROVIDE_IFELSE([AC_PROG_CC],
[_AM_DEPENDENCIES(CC)],
[define([AC_PROG_CC],
defn([AC_PROG_CC])[_AM_DEPENDENCIES(CC)])])dnl
AC_PROVIDE_IFELSE([AC_PROG_CXX],
[_AM_DEPENDENCIES(CXX)],
[define([AC_PROG_CXX],
defn([AC_PROG_CXX])[_AM_DEPENDENCIES(CXX)])])dnl
AC_PROVIDE_IFELSE([AC_PROG_OBJC],
[_AM_DEPENDENCIES(OBJC)],
[define([AC_PROG_OBJC],
defn([AC_PROG_OBJC])[_AM_DEPENDENCIES(OBJC)])])dnl
])
_AM_IF_OPTION([silent-rules], [AC_REQUIRE([AM_SILENT_RULES])])dnl
dnl The `parallel-tests' driver may need to know about EXEEXT, so add the
dnl `am__EXEEXT' conditional if _AM_COMPILER_EXEEXT was seen. This macro
dnl is hooked onto _AC_COMPILER_EXEEXT early, see below.
AC_CONFIG_COMMANDS_PRE(dnl
[m4_provide_if([_AM_COMPILER_EXEEXT],
[AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"])])])dnl
])
dnl Hook into `_AC_COMPILER_EXEEXT' early to learn its expansion. Do not
dnl add the conditional right here, as _AC_COMPILER_EXEEXT may be further
dnl mangled by Autoconf and run in a shell conditional statement.
m4_define([_AC_COMPILER_EXEEXT],
m4_defn([_AC_COMPILER_EXEEXT])[m4_provide([_AM_COMPILER_EXEEXT])])
# When config.status generates a header, we must update the stamp-h file.
# This file resides in the same directory as the config header
# that is generated. The stamp files are numbered to have different names.
# Autoconf calls _AC_AM_CONFIG_HEADER_HOOK (when defined) in the
# loop where config.status creates the headers, so we can generate
# our stamp files there.
AC_DEFUN([_AC_AM_CONFIG_HEADER_HOOK],
[# Compute $1's index in $config_headers.
_am_arg=$1
_am_stamp_count=1
for _am_header in $config_headers :; do
case $_am_header in
$_am_arg | $_am_arg:* )
break ;;
* )
_am_stamp_count=`expr $_am_stamp_count + 1` ;;
esac
done
echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count])
# Copyright (C) 2001, 2003, 2005, 2008 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# AM_PROG_INSTALL_SH
# ------------------
# Define $install_sh.
AC_DEFUN([AM_PROG_INSTALL_SH],
[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
if test x"${install_sh}" != xset; then
case $am_aux_dir in
*\ * | *\ *)
install_sh="\${SHELL} '$am_aux_dir/install-sh'" ;;
*)
install_sh="\${SHELL} $am_aux_dir/install-sh"
esac
fi
AC_SUBST(install_sh)])
# Copyright (C) 2003, 2005 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# serial 2
# Check whether the underlying file-system supports filenames
# with a leading dot. For instance MS-DOS doesn't.
AC_DEFUN([AM_SET_LEADING_DOT],
[rm -rf .tst 2>/dev/null
mkdir .tst 2>/dev/null
if test -d .tst; then
am__leading_dot=.
else
am__leading_dot=_
fi
rmdir .tst 2>/dev/null
AC_SUBST([am__leading_dot])])
# Check to see how 'make' treats includes. -*- Autoconf -*-
# Copyright (C) 2001, 2002, 2003, 2005, 2009 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# serial 4
# AM_MAKE_INCLUDE()
# -----------------
# Check to see how make treats includes.
AC_DEFUN([AM_MAKE_INCLUDE],
[am_make=${MAKE-make}
cat > confinc << 'END'
am__doit:
@echo this is the am__doit target
.PHONY: am__doit
END
# If we don't find an include directive, just comment out the code.
AC_MSG_CHECKING([for style of include used by $am_make])
am__include="#"
am__quote=
_am_result=none
# First try GNU make style include.
echo "include confinc" > confmf
# Ignore all kinds of additional output from `make'.
case `$am_make -s -f confmf 2> /dev/null` in #(
*the\ am__doit\ target*)
am__include=include
am__quote=
_am_result=GNU
;;
esac
# Now try BSD make style include.
if test "$am__include" = "#"; then
echo '.include "confinc"' > confmf
case `$am_make -s -f confmf 2> /dev/null` in #(
*the\ am__doit\ target*)
am__include=.include
am__quote="\""
_am_result=BSD
;;
esac
fi
AC_SUBST([am__include])
AC_SUBST([am__quote])
AC_MSG_RESULT([$_am_result])
rm -f confinc confmf
])
# Copyright (C) 1999, 2000, 2001, 2003, 2004, 2005, 2008
# Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# serial 6
# AM_PROG_CC_C_O
# --------------
# Like AC_PROG_CC_C_O, but changed for automake.
AC_DEFUN([AM_PROG_CC_C_O],
[AC_REQUIRE([AC_PROG_CC_C_O])dnl
AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
AC_REQUIRE_AUX_FILE([compile])dnl
# FIXME: we rely on the cache variable name because
# there is no other way.
set dummy $CC
am_cc=`echo $[2] | sed ['s/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/']`
eval am_t=\$ac_cv_prog_cc_${am_cc}_c_o
if test "$am_t" != yes; then
# Losing compiler, so override with the script.
# FIXME: It is wrong to rewrite CC.
# But if we don't then we get into trouble of one sort or another.
# A longer-term fix would be to have automake use am__CC in this case,
# and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
CC="$am_aux_dir/compile $CC"
fi
dnl Make sure AC_PROG_CC is never called again, or it will override our
dnl setting of CC.
m4_define([AC_PROG_CC],
[m4_fatal([AC_PROG_CC cannot be called after AM_PROG_CC_C_O])])
])
# Fake the existence of programs that GNU maintainers use. -*- Autoconf -*-
# Copyright (C) 1997, 1999, 2000, 2001, 2003, 2004, 2005, 2008
# Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# serial 6
# AM_MISSING_PROG(NAME, PROGRAM)
# ------------------------------
AC_DEFUN([AM_MISSING_PROG],
[AC_REQUIRE([AM_MISSING_HAS_RUN])
$1=${$1-"${am_missing_run}$2"}
AC_SUBST($1)])
# AM_MISSING_HAS_RUN
# ------------------
# Define MISSING if not defined so far and test if it supports --run.
# If it does, set am_missing_run to use it, otherwise, to nothing.
AC_DEFUN([AM_MISSING_HAS_RUN],
[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
AC_REQUIRE_AUX_FILE([missing])dnl
if test x"${MISSING+set}" != xset; then
case $am_aux_dir in
*\ * | *\ *)
MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;;
*)
MISSING="\${SHELL} $am_aux_dir/missing" ;;
esac
fi
# Use eval to expand $SHELL
if eval "$MISSING --run true"; then
am_missing_run="$MISSING --run "
else
am_missing_run=
AC_MSG_WARN([`missing' script is too old or missing])
fi
])
# Copyright (C) 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# AM_PROG_MKDIR_P
# ---------------
# Check for `mkdir -p'.
AC_DEFUN([AM_PROG_MKDIR_P],
[AC_PREREQ([2.60])dnl
AC_REQUIRE([AC_PROG_MKDIR_P])dnl
dnl Automake 1.8 to 1.9.6 used to define mkdir_p. We now use MKDIR_P,
dnl while keeping a definition of mkdir_p for backward compatibility.
dnl @MKDIR_P@ is magic: AC_OUTPUT adjusts its value for each Makefile.
dnl However we cannot define mkdir_p as $(MKDIR_P) for the sake of
dnl Makefile.ins that do not define MKDIR_P, so we do our own
dnl adjustment using top_builddir (which is defined more often than
dnl MKDIR_P).
AC_SUBST([mkdir_p], ["$MKDIR_P"])dnl
case $mkdir_p in
[[\\/$]]* | ?:[[\\/]]*) ;;
*/*) mkdir_p="\$(top_builddir)/$mkdir_p" ;;
esac
])
# Helper functions for option handling. -*- Autoconf -*-
# Copyright (C) 2001, 2002, 2003, 2005, 2008 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# serial 4
# _AM_MANGLE_OPTION(NAME)
# -----------------------
AC_DEFUN([_AM_MANGLE_OPTION],
[[_AM_OPTION_]m4_bpatsubst($1, [[^a-zA-Z0-9_]], [_])])
# _AM_SET_OPTION(NAME)
# ------------------------------
# Set option NAME. Presently that only means defining a flag for this option.
AC_DEFUN([_AM_SET_OPTION],
[m4_define(_AM_MANGLE_OPTION([$1]), 1)])
# _AM_SET_OPTIONS(OPTIONS)
# ----------------------------------
# OPTIONS is a space-separated list of Automake options.
AC_DEFUN([_AM_SET_OPTIONS],
[m4_foreach_w([_AM_Option], [$1], [_AM_SET_OPTION(_AM_Option)])])
# _AM_IF_OPTION(OPTION, IF-SET, [IF-NOT-SET])
# -------------------------------------------
# Execute IF-SET if OPTION is set, IF-NOT-SET otherwise.
AC_DEFUN([_AM_IF_OPTION],
[m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])])
# Check to make sure that the build environment is sane. -*- Autoconf -*-
# Copyright (C) 1996, 1997, 2000, 2001, 2003, 2005, 2008
# Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# serial 5
# AM_SANITY_CHECK
# ---------------
AC_DEFUN([AM_SANITY_CHECK],
[AC_MSG_CHECKING([whether build environment is sane])
# Just in case
sleep 1
echo timestamp > conftest.file
# Reject unsafe characters in $srcdir or the absolute working directory
# name. Accept space and tab only in the latter.
am_lf='
'
case `pwd` in
*[[\\\"\#\$\&\'\`$am_lf]]*)
AC_MSG_ERROR([unsafe absolute working directory name]);;
esac
case $srcdir in
*[[\\\"\#\$\&\'\`$am_lf\ \ ]]*)
AC_MSG_ERROR([unsafe srcdir value: `$srcdir']);;
esac
# Do `set' in a subshell so we don't clobber the current shell's
# arguments. Must try -L first in case configure is actually a
# symlink; some systems play weird games with the mod time of symlinks
# (eg FreeBSD returns the mod time of the symlink's containing
# directory).
if (
set X `ls -Lt "$srcdir/configure" conftest.file 2> /dev/null`
if test "$[*]" = "X"; then
# -L didn't work.
set X `ls -t "$srcdir/configure" conftest.file`
fi
rm -f conftest.file
if test "$[*]" != "X $srcdir/configure conftest.file" \
&& test "$[*]" != "X conftest.file $srcdir/configure"; then
# If neither matched, then we have a broken ls. This can happen
# if, for instance, CONFIG_SHELL is bash and it inherits a
# broken ls alias from the environment. This has actually
# happened. Such a system could not be considered "sane".
AC_MSG_ERROR([ls -t appears to fail. Make sure there is not a broken
alias in your environment])
fi
test "$[2]" = conftest.file
)
then
# Ok.
:
else
AC_MSG_ERROR([newly created file is older than distributed files!
Check your system clock])
fi
AC_MSG_RESULT(yes)])
# Copyright (C) 2001, 2003, 2005 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# AM_PROG_INSTALL_STRIP
# ---------------------
# One issue with vendor `install' (even GNU) is that you can't
# specify the program used to strip binaries. This is especially
# annoying in cross-compiling environments, where the build's strip
# is unlikely to handle the host's binaries.
# Fortunately install-sh will honor a STRIPPROG variable, so we
# always use install-sh in `make install-strip', and initialize
# STRIPPROG with the value of the STRIP variable (set by the user).
AC_DEFUN([AM_PROG_INSTALL_STRIP],
[AC_REQUIRE([AM_PROG_INSTALL_SH])dnl
# Installed binaries are usually stripped using `strip' when the user
# run `make install-strip'. However `strip' might not be the right
# tool to use in cross-compilation environments, therefore Automake
# will honor the `STRIP' environment variable to overrule this program.
dnl Don't test for $cross_compiling = yes, because it might be `maybe'.
if test "$cross_compiling" != no; then
AC_CHECK_TOOL([STRIP], [strip], :)
fi
INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
AC_SUBST([INSTALL_STRIP_PROGRAM])])
# Copyright (C) 2006, 2008 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# serial 2
# _AM_SUBST_NOTMAKE(VARIABLE)
# ---------------------------
# Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in.
# This macro is traced by Automake.
AC_DEFUN([_AM_SUBST_NOTMAKE])
# AM_SUBST_NOTMAKE(VARIABLE)
# ---------------------------
# Public sister of _AM_SUBST_NOTMAKE.
AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])
# Check how to create a tarball. -*- Autoconf -*-
# Copyright (C) 2004, 2005 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# serial 2
# _AM_PROG_TAR(FORMAT)
# --------------------
# Check how to create a tarball in format FORMAT.
# FORMAT should be one of `v7', `ustar', or `pax'.
#
# Substitute a variable $(am__tar) that is a command
# writing to stdout a FORMAT-tarball containing the directory
# $tardir.
# tardir=directory && $(am__tar) > result.tar
#
# Substitute a variable $(am__untar) that extract such
# a tarball read from stdin.
# $(am__untar) < result.tar
AC_DEFUN([_AM_PROG_TAR],
[# Always define AMTAR for backward compatibility.
AM_MISSING_PROG([AMTAR], [tar])
m4_if([$1], [v7],
[am__tar='${AMTAR} chof - "$$tardir"'; am__untar='${AMTAR} xf -'],
[m4_case([$1], [ustar],, [pax],,
[m4_fatal([Unknown tar format])])
AC_MSG_CHECKING([how to create a $1 tar archive])
# Loop over all known methods to create a tar archive until one works.
_am_tools='gnutar m4_if([$1], [ustar], [plaintar]) pax cpio none'
_am_tools=${am_cv_prog_tar_$1-$_am_tools}
# Do not fold the above two line into one, because Tru64 sh and
# Solaris sh will not grok spaces in the rhs of `-'.
for _am_tool in $_am_tools
do
case $_am_tool in
gnutar)
for _am_tar in tar gnutar gtar;
do
AM_RUN_LOG([$_am_tar --version]) && break
done
am__tar="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$$tardir"'
am__tar_="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$tardir"'
am__untar="$_am_tar -xf -"
;;
plaintar)
# Must skip GNU tar: if it does not support --format= it doesn't create
# ustar tarball either.
(tar --version) >/dev/null 2>&1 && continue
am__tar='tar chf - "$$tardir"'
am__tar_='tar chf - "$tardir"'
am__untar='tar xf -'
;;
pax)
am__tar='pax -L -x $1 -w "$$tardir"'
am__tar_='pax -L -x $1 -w "$tardir"'
am__untar='pax -r'
;;
cpio)
am__tar='find "$$tardir" -print | cpio -o -H $1 -L'
am__tar_='find "$tardir" -print | cpio -o -H $1 -L'
am__untar='cpio -i -H $1 -d'
;;
none)
am__tar=false
am__tar_=false
am__untar=false
;;
esac
# If the value was cached, stop now. We just wanted to have am__tar
# and am__untar set.
test -n "${am_cv_prog_tar_$1}" && break
# tar/untar a dummy directory, and stop if the command works
rm -rf conftest.dir
mkdir conftest.dir
echo GrepMe > conftest.dir/file
AM_RUN_LOG([tardir=conftest.dir && eval $am__tar_ >conftest.tar])
rm -rf conftest.dir
if test -s conftest.tar; then
AM_RUN_LOG([$am__untar <conftest.tar])
grep GrepMe conftest.dir/file >/dev/null 2>&1 && break
fi
done
rm -rf conftest.dir
AC_CACHE_VAL([am_cv_prog_tar_$1], [am_cv_prog_tar_$1=$_am_tool])
AC_MSG_RESULT([$am_cv_prog_tar_$1])])
AC_SUBST([am__tar])
AC_SUBST([am__untar])
]) # _AM_PROG_TAR
m4_include([m4/libtool.m4])
m4_include([m4/ltoptions.m4])
m4_include([m4/ltsugar.m4])
m4_include([m4/ltversion.m4])
m4_include([m4/lt~obsolete.m4])

143
auto/compile Executable file
View File

@ -0,0 +1,143 @@
#! /bin/sh
# Wrapper for compilers which do not understand `-c -o'.
scriptversion=2009-10-06.20; # UTC
# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2009 Free Software
# Foundation, Inc.
# Written by Tom Tromey <tromey@cygnus.com>.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# This file is maintained in Automake, please report
# bugs to <bug-automake@gnu.org> or send patches to
# <automake-patches@gnu.org>.
case $1 in
'')
echo "$0: No command. Try \`$0 --help' for more information." 1>&2
exit 1;
;;
-h | --h*)
cat <<\EOF
Usage: compile [--help] [--version] PROGRAM [ARGS]
Wrapper for compilers which do not understand `-c -o'.
Remove `-o dest.o' from ARGS, run PROGRAM with the remaining
arguments, and rename the output as expected.
If you are trying to build a whole package this is not the
right script to run: please start by reading the file `INSTALL'.
Report bugs to <bug-automake@gnu.org>.
EOF
exit $?
;;
-v | --v*)
echo "compile $scriptversion"
exit $?
;;
esac
ofile=
cfile=
eat=
for arg
do
if test -n "$eat"; then
eat=
else
case $1 in
-o)
# configure might choose to run compile as `compile cc -o foo foo.c'.
# So we strip `-o arg' only if arg is an object.
eat=1
case $2 in
*.o | *.obj)
ofile=$2
;;
*)
set x "$@" -o "$2"
shift
;;
esac
;;
*.c)
cfile=$1
set x "$@" "$1"
shift
;;
*)
set x "$@" "$1"
shift
;;
esac
fi
shift
done
if test -z "$ofile" || test -z "$cfile"; then
# If no `-o' option was seen then we might have been invoked from a
# pattern rule where we don't need one. That is ok -- this is a
# normal compilation that the losing compiler can handle. If no
# `.c' file was seen then we are probably linking. That is also
# ok.
exec "$@"
fi
# Name of file we expect compiler to create.
cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'`
# Create the lock directory.
# Note: use `[/\\:.-]' here to ensure that we don't use the same name
# that we are using for the .o file. Also, base the name on the expected
# object file name, since that is what matters with a parallel build.
lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d
while true; do
if mkdir "$lockdir" >/dev/null 2>&1; then
break
fi
sleep 1
done
# FIXME: race condition here if user kills between mkdir and trap.
trap "rmdir '$lockdir'; exit 1" 1 2 15
# Run the compile.
"$@"
ret=$?
if test -f "$cofile"; then
test "$cofile" = "$ofile" || mv "$cofile" "$ofile"
elif test -f "${cofile}bj"; then
test "${cofile}bj" = "$ofile" || mv "${cofile}bj" "$ofile"
fi
rmdir "$lockdir"
exit $ret
# Local Variables:
# mode: shell-script
# sh-indentation: 2
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:

1522
auto/config.guess vendored Normal file
View File

File diff suppressed because it is too large Load Diff

1771
auto/config.sub vendored Normal file
View File

File diff suppressed because it is too large Load Diff

589
auto/depcomp Executable file
View File

@ -0,0 +1,589 @@
#! /bin/sh
# depcomp - compile a program generating dependencies as side-effects
scriptversion=2007-03-29.01
# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006, 2007 Free Software
# Foundation, Inc.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# Originally written by Alexandre Oliva <oliva@dcc.unicamp.br>.
case $1 in
'')
echo "$0: No command. Try \`$0 --help' for more information." 1>&2
exit 1;
;;
-h | --h*)
cat <<\EOF
Usage: depcomp [--help] [--version] PROGRAM [ARGS]
Run PROGRAMS ARGS to compile a file, generating dependencies
as side-effects.
Environment variables:
depmode Dependency tracking mode.
source Source file read by `PROGRAMS ARGS'.
object Object file output by `PROGRAMS ARGS'.
DEPDIR directory where to store dependencies.
depfile Dependency file to output.
tmpdepfile Temporary file to use when outputing dependencies.
libtool Whether libtool is used (yes/no).
Report bugs to <bug-automake@gnu.org>.
EOF
exit $?
;;
-v | --v*)
echo "depcomp $scriptversion"
exit $?
;;
esac
if test -z "$depmode" || test -z "$source" || test -z "$object"; then
echo "depcomp: Variables source, object and depmode must be set" 1>&2
exit 1
fi
# Dependencies for sub/bar.o or sub/bar.obj go into sub/.deps/bar.Po.
depfile=${depfile-`echo "$object" |
sed 's|[^\\/]*$|'${DEPDIR-.deps}'/&|;s|\.\([^.]*\)$|.P\1|;s|Pobj$|Po|'`}
tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}
rm -f "$tmpdepfile"
# Some modes work just like other modes, but use different flags. We
# parameterize here, but still list the modes in the big case below,
# to make depend.m4 easier to write. Note that we *cannot* use a case
# here, because this file can only contain one case statement.
if test "$depmode" = hp; then
# HP compiler uses -M and no extra arg.
gccflag=-M
depmode=gcc
fi
if test "$depmode" = dashXmstdout; then
# This is just like dashmstdout with a different argument.
dashmflag=-xM
depmode=dashmstdout
fi
case "$depmode" in
gcc3)
## gcc 3 implements dependency tracking that does exactly what
## we want. Yay! Note: for some reason libtool 1.4 doesn't like
## it if -MD -MP comes after the -MF stuff. Hmm.
## Unfortunately, FreeBSD c89 acceptance of flags depends upon
## the command line argument order; so add the flags where they
## appear in depend2.am. Note that the slowdown incurred here
## affects only configure: in makefiles, %FASTDEP% shortcuts this.
for arg
do
case $arg in
-c) set fnord "$@" -MT "$object" -MD -MP -MF "$tmpdepfile" "$arg" ;;
*) set fnord "$@" "$arg" ;;
esac
shift # fnord
shift # $arg
done
"$@"
stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile"
exit $stat
fi
mv "$tmpdepfile" "$depfile"
;;
gcc)
## There are various ways to get dependency output from gcc. Here's
## why we pick this rather obscure method:
## - Don't want to use -MD because we'd like the dependencies to end
## up in a subdir. Having to rename by hand is ugly.
## (We might end up doing this anyway to support other compilers.)
## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like
## -MM, not -M (despite what the docs say).
## - Using -M directly means running the compiler twice (even worse
## than renaming).
if test -z "$gccflag"; then
gccflag=-MD,
fi
"$@" -Wp,"$gccflag$tmpdepfile"
stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
echo "$object : \\" > "$depfile"
alpha=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
## The second -e expression handles DOS-style file names with drive letters.
sed -e 's/^[^:]*: / /' \
-e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile"
## This next piece of magic avoids the `deleted header file' problem.
## The problem is that when a header file which appears in a .P file
## is deleted, the dependency causes make to die (because there is
## typically no way to rebuild the header). We avoid this by adding
## dummy dependencies for each header file. Too bad gcc doesn't do
## this for us directly.
tr ' ' '
' < "$tmpdepfile" |
## Some versions of gcc put a space before the `:'. On the theory
## that the space means something, we add a space to the output as
## well.
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
hp)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;
sgi)
if test "$libtool" = yes; then
"$@" "-Wp,-MDupdate,$tmpdepfile"
else
"$@" -MDupdate "$tmpdepfile"
fi
stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
if test -f "$tmpdepfile"; then # yes, the sourcefile depend on other files
echo "$object : \\" > "$depfile"
# Clip off the initial element (the dependent). Don't try to be
# clever and replace this with sed code, as IRIX sed won't handle
# lines with more than a fixed number of characters (4096 in
# IRIX 6.2 sed, 8192 in IRIX 6.5). We also remove comment lines;
# the IRIX cc adds comments like `#:fec' to the end of the
# dependency line.
tr ' ' '
' < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \
tr '
' ' ' >> $depfile
echo >> $depfile
# The second pass generates a dummy entry for each header file.
tr ' ' '
' < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
>> $depfile
else
# The sourcefile does not contain any dependencies, so just
# store a dummy comment line, to avoid errors with the Makefile
# "include basename.Plo" scheme.
echo "#dummy" > "$depfile"
fi
rm -f "$tmpdepfile"
;;
aix)
# The C for AIX Compiler uses -M and outputs the dependencies
# in a .u file. In older versions, this file always lives in the
# current directory. Also, the AIX compiler puts `$object:' at the
# start of each line; $object doesn't have directory information.
# Version 6 uses the directory in both cases.
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
test "x$dir" = "x$object" && dir=
base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
if test "$libtool" = yes; then
tmpdepfile1=$dir$base.u
tmpdepfile2=$base.u
tmpdepfile3=$dir.libs/$base.u
"$@" -Wc,-M
else
tmpdepfile1=$dir$base.u
tmpdepfile2=$dir$base.u
tmpdepfile3=$dir$base.u
"$@" -M
fi
stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
exit $stat
fi
for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
do
test -f "$tmpdepfile" && break
done
if test -f "$tmpdepfile"; then
# Each line is of the form `foo.o: dependent.h'.
# Do two passes, one to just change these to
# `$object: dependent.h' and one to simply `dependent.h:'.
sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
# That's a tab and a space in the [].
sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
else
# The sourcefile does not contain any dependencies, so just
# store a dummy comment line, to avoid errors with the Makefile
# "include basename.Plo" scheme.
echo "#dummy" > "$depfile"
fi
rm -f "$tmpdepfile"
;;
icc)
# Intel's C compiler understands `-MD -MF file'. However on
# icc -MD -MF foo.d -c -o sub/foo.o sub/foo.c
# ICC 7.0 will fill foo.d with something like
# foo.o: sub/foo.c
# foo.o: sub/foo.h
# which is wrong. We want:
# sub/foo.o: sub/foo.c
# sub/foo.o: sub/foo.h
# sub/foo.c:
# sub/foo.h:
# ICC 7.1 will output
# foo.o: sub/foo.c sub/foo.h
# and will wrap long lines using \ :
# foo.o: sub/foo.c ... \
# sub/foo.h ... \
# ...
"$@" -MD -MF "$tmpdepfile"
stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
# Each line is of the form `foo.o: dependent.h',
# or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'.
# Do two passes, one to just change these to
# `$object: dependent.h' and one to simply `dependent.h:'.
sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile"
# Some versions of the HPUX 10.20 sed can't process this invocation
# correctly. Breaking it into two sed invocations is a workaround.
sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" |
sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
hp2)
# The "hp" stanza above does not work with aCC (C++) and HP's ia64
# compilers, which have integrated preprocessors. The correct option
# to use with these is +Maked; it writes dependencies to a file named
# 'foo.d', which lands next to the object file, wherever that
# happens to be.
# Much of this is similar to the tru64 case; see comments there.
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
test "x$dir" = "x$object" && dir=
base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
if test "$libtool" = yes; then
tmpdepfile1=$dir$base.d
tmpdepfile2=$dir.libs/$base.d
"$@" -Wc,+Maked
else
tmpdepfile1=$dir$base.d
tmpdepfile2=$dir$base.d
"$@" +Maked
fi
stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile1" "$tmpdepfile2"
exit $stat
fi
for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2"
do
test -f "$tmpdepfile" && break
done
if test -f "$tmpdepfile"; then
sed -e "s,^.*\.[a-z]*:,$object:," "$tmpdepfile" > "$depfile"
# Add `dependent.h:' lines.
sed -ne '2,${; s/^ *//; s/ \\*$//; s/$/:/; p;}' "$tmpdepfile" >> "$depfile"
else
echo "#dummy" > "$depfile"
fi
rm -f "$tmpdepfile" "$tmpdepfile2"
;;
tru64)
# The Tru64 compiler uses -MD to generate dependencies as a side
# effect. `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'.
# At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
# dependencies in `foo.d' instead, so we check for that too.
# Subdirectories are respected.
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
test "x$dir" = "x$object" && dir=
base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
if test "$libtool" = yes; then
# With Tru64 cc, shared objects can also be used to make a
# static library. This mechanism is used in libtool 1.4 series to
# handle both shared and static libraries in a single compilation.
# With libtool 1.4, dependencies were output in $dir.libs/$base.lo.d.
#
# With libtool 1.5 this exception was removed, and libtool now
# generates 2 separate objects for the 2 libraries. These two
# compilations output dependencies in $dir.libs/$base.o.d and
# in $dir$base.o.d. We have to check for both files, because
# one of the two compilations can be disabled. We should prefer
# $dir$base.o.d over $dir.libs/$base.o.d because the latter is
# automatically cleaned when .libs/ is deleted, while ignoring
# the former would cause a distcleancheck panic.
tmpdepfile1=$dir.libs/$base.lo.d # libtool 1.4
tmpdepfile2=$dir$base.o.d # libtool 1.5
tmpdepfile3=$dir.libs/$base.o.d # libtool 1.5
tmpdepfile4=$dir.libs/$base.d # Compaq CCC V6.2-504
"$@" -Wc,-MD
else
tmpdepfile1=$dir$base.o.d
tmpdepfile2=$dir$base.d
tmpdepfile3=$dir$base.d
tmpdepfile4=$dir$base.d
"$@" -MD
fi
stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
exit $stat
fi
for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
do
test -f "$tmpdepfile" && break
done
if test -f "$tmpdepfile"; then
sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
# That's a tab and a space in the [].
sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
else
echo "#dummy" > "$depfile"
fi
rm -f "$tmpdepfile"
;;
#nosideeffect)
# This comment above is used by automake to tell side-effect
# dependency tracking mechanisms from slower ones.
dashmstdout)
# Important note: in order to support this mode, a compiler *must*
# always write the preprocessed file to stdout, regardless of -o.
"$@" || exit $?
# Remove the call to Libtool.
if test "$libtool" = yes; then
while test $1 != '--mode=compile'; do
shift
done
shift
fi
# Remove `-o $object'.
IFS=" "
for arg
do
case $arg in
-o)
shift
;;
$object)
shift
;;
*)
set fnord "$@" "$arg"
shift # fnord
shift # $arg
;;
esac
done
test -z "$dashmflag" && dashmflag=-M
# Require at least two characters before searching for `:'
# in the target name. This is to cope with DOS-style filenames:
# a dependency such as `c:/foo/bar' could be seen as target `c' otherwise.
"$@" $dashmflag |
sed 's:^[ ]*[^: ][^:][^:]*\:[ ]*:'"$object"'\: :' > "$tmpdepfile"
rm -f "$depfile"
cat < "$tmpdepfile" > "$depfile"
tr ' ' '
' < "$tmpdepfile" | \
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
dashXmstdout)
# This case only exists to satisfy depend.m4. It is never actually
# run, as this mode is specially recognized in the preamble.
exit 1
;;
makedepend)
"$@" || exit $?
# Remove any Libtool call
if test "$libtool" = yes; then
while test $1 != '--mode=compile'; do
shift
done
shift
fi
# X makedepend
shift
cleared=no
for arg in "$@"; do
case $cleared in
no)
set ""; shift
cleared=yes ;;
esac
case "$arg" in
-D*|-I*)
set fnord "$@" "$arg"; shift ;;
# Strip any option that makedepend may not understand. Remove
# the object too, otherwise makedepend will parse it as a source file.
-*|$object)
;;
*)
set fnord "$@" "$arg"; shift ;;
esac
done
obj_suffix="`echo $object | sed 's/^.*\././'`"
touch "$tmpdepfile"
${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
rm -f "$depfile"
cat < "$tmpdepfile" > "$depfile"
sed '1,2d' "$tmpdepfile" | tr ' ' '
' | \
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile" "$tmpdepfile".bak
;;
cpp)
# Important note: in order to support this mode, a compiler *must*
# always write the preprocessed file to stdout.
"$@" || exit $?
# Remove the call to Libtool.
if test "$libtool" = yes; then
while test $1 != '--mode=compile'; do
shift
done
shift
fi
# Remove `-o $object'.
IFS=" "
for arg
do
case $arg in
-o)
shift
;;
$object)
shift
;;
*)
set fnord "$@" "$arg"
shift # fnord
shift # $arg
;;
esac
done
"$@" -E |
sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
-e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' |
sed '$ s: \\$::' > "$tmpdepfile"
rm -f "$depfile"
echo "$object : \\" > "$depfile"
cat < "$tmpdepfile" >> "$depfile"
sed < "$tmpdepfile" '/^$/d;s/^ //;s/ \\$//;s/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
msvisualcpp)
# Important note: in order to support this mode, a compiler *must*
# always write the preprocessed file to stdout, regardless of -o,
# because we must use -o when running libtool.
"$@" || exit $?
IFS=" "
for arg
do
case "$arg" in
"-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI")
set fnord "$@"
shift
shift
;;
*)
set fnord "$@" "$arg"
shift
shift
;;
esac
done
"$@" -E |
sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::echo "`cygpath -u \\"\1\\"`":p' | sort | uniq > "$tmpdepfile"
rm -f "$depfile"
echo "$object : \\" > "$depfile"
. "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s:: \1 \\:p' >> "$depfile"
echo " " >> "$depfile"
. "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::\1\::p' >> "$depfile"
rm -f "$tmpdepfile"
;;
none)
exec "$@"
;;
*)
echo "Unknown depmode $depmode" 1>&2
exit 1
;;
esac
exit 0
# Local Variables:
# mode: shell-script
# sh-indentation: 2
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# End:

519
auto/install-sh Executable file
View File

@ -0,0 +1,519 @@
#!/bin/sh
# install - install a program, script, or datafile
scriptversion=2006-12-25.00
# This originates from X11R5 (mit/util/scripts/install.sh), which was
# later released in X11R6 (xc/config/util/install.sh) with the
# following copyright and license.
#
# Copyright (C) 1994 X Consortium
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to
# deal in the Software without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
# sell copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC-
# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
# Except as contained in this notice, the name of the X Consortium shall not
# be used in advertising or otherwise to promote the sale, use or other deal-
# ings in this Software without prior written authorization from the X Consor-
# tium.
#
#
# FSF changes to this file are in the public domain.
#
# Calling this script install-sh is preferred over install.sh, to prevent
# `make' implicit rules from creating a file called install from it
# when there is no Makefile.
#
# This script is compatible with the BSD install script, but was written
# from scratch.
nl='
'
IFS=" "" $nl"
# set DOITPROG to echo to test this script
# Don't use :- since 4.3BSD and earlier shells don't like it.
doit=${DOITPROG-}
if test -z "$doit"; then
doit_exec=exec
else
doit_exec=$doit
fi
# Put in absolute file names if you don't have them in your path;
# or use environment vars.
chgrpprog=${CHGRPPROG-chgrp}
chmodprog=${CHMODPROG-chmod}
chownprog=${CHOWNPROG-chown}
cmpprog=${CMPPROG-cmp}
cpprog=${CPPROG-cp}
mkdirprog=${MKDIRPROG-mkdir}
mvprog=${MVPROG-mv}
rmprog=${RMPROG-rm}
stripprog=${STRIPPROG-strip}
posix_glob='?'
initialize_posix_glob='
test "$posix_glob" != "?" || {
if (set -f) 2>/dev/null; then
posix_glob=
else
posix_glob=:
fi
}
'
posix_mkdir=
# Desired mode of installed file.
mode=0755
chgrpcmd=
chmodcmd=$chmodprog
chowncmd=
mvcmd=$mvprog
rmcmd="$rmprog -f"
stripcmd=
src=
dst=
dir_arg=
dst_arg=
copy_on_change=false
no_target_directory=
usage="\
Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
or: $0 [OPTION]... SRCFILES... DIRECTORY
or: $0 [OPTION]... -t DIRECTORY SRCFILES...
or: $0 [OPTION]... -d DIRECTORIES...
In the 1st form, copy SRCFILE to DSTFILE.
In the 2nd and 3rd, copy all SRCFILES to DIRECTORY.
In the 4th, create DIRECTORIES.
Options:
--help display this help and exit.
--version display version info and exit.
-c (ignored)
-C install only if different (preserve the last data modification time)
-d create directories instead of installing files.
-g GROUP $chgrpprog installed files to GROUP.
-m MODE $chmodprog installed files to MODE.
-o USER $chownprog installed files to USER.
-s $stripprog installed files.
-t DIRECTORY install into DIRECTORY.
-T report an error if DSTFILE is a directory.
Environment variables override the default commands:
CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG
RMPROG STRIPPROG
"
while test $# -ne 0; do
case $1 in
-c) ;;
-C) copy_on_change=true;;
-d) dir_arg=true;;
-g) chgrpcmd="$chgrpprog $2"
shift;;
--help) echo "$usage"; exit $?;;
-m) mode=$2
case $mode in
*' '* | *' '* | *'
'* | *'*'* | *'?'* | *'['*)
echo "$0: invalid mode: $mode" >&2
exit 1;;
esac
shift;;
-o) chowncmd="$chownprog $2"
shift;;
-s) stripcmd=$stripprog;;
-t) dst_arg=$2
shift;;
-T) no_target_directory=true;;
--version) echo "$0 $scriptversion"; exit $?;;
--) shift
break;;
-*) echo "$0: invalid option: $1" >&2
exit 1;;
*) break;;
esac
shift
done
if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
# When -d is used, all remaining arguments are directories to create.
# When -t is used, the destination is already specified.
# Otherwise, the last argument is the destination. Remove it from $@.
for arg
do
if test -n "$dst_arg"; then
# $@ is not empty: it contains at least $arg.
set fnord "$@" "$dst_arg"
shift # fnord
fi
shift # arg
dst_arg=$arg
done
fi
if test $# -eq 0; then
if test -z "$dir_arg"; then
echo "$0: no input file specified." >&2
exit 1
fi
# It's OK to call `install-sh -d' without argument.
# This can happen when creating conditional directories.
exit 0
fi
if test -z "$dir_arg"; then
trap '(exit $?); exit' 1 2 13 15
# Set umask so as not to create temps with too-generous modes.
# However, 'strip' requires both read and write access to temps.
case $mode in
# Optimize common cases.
*644) cp_umask=133;;
*755) cp_umask=22;;
*[0-7])
if test -z "$stripcmd"; then
u_plus_rw=
else
u_plus_rw='% 200'
fi
cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;;
*)
if test -z "$stripcmd"; then
u_plus_rw=
else
u_plus_rw=,u+rw
fi
cp_umask=$mode$u_plus_rw;;
esac
fi
for src
do
# Protect names starting with `-'.
case $src in
-*) src=./$src;;
esac
if test -n "$dir_arg"; then
dst=$src
dstdir=$dst
test -d "$dstdir"
dstdir_status=$?
else
# Waiting for this to be detected by the "$cpprog $src $dsttmp" command
# might cause directories to be created, which would be especially bad
# if $src (and thus $dsttmp) contains '*'.
if test ! -f "$src" && test ! -d "$src"; then
echo "$0: $src does not exist." >&2
exit 1
fi
if test -z "$dst_arg"; then
echo "$0: no destination specified." >&2
exit 1
fi
dst=$dst_arg
# Protect names starting with `-'.
case $dst in
-*) dst=./$dst;;
esac
# If destination is a directory, append the input filename; won't work
# if double slashes aren't ignored.
if test -d "$dst"; then
if test -n "$no_target_directory"; then
echo "$0: $dst_arg: Is a directory" >&2
exit 1
fi
dstdir=$dst
dst=$dstdir/`basename "$src"`
dstdir_status=0
else
# Prefer dirname, but fall back on a substitute if dirname fails.
dstdir=`
(dirname "$dst") 2>/dev/null ||
expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
X"$dst" : 'X\(//\)[^/]' \| \
X"$dst" : 'X\(//\)$' \| \
X"$dst" : 'X\(/\)' \| . 2>/dev/null ||
echo X"$dst" |
sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
s//\1/
q
}
/^X\(\/\/\)[^/].*/{
s//\1/
q
}
/^X\(\/\/\)$/{
s//\1/
q
}
/^X\(\/\).*/{
s//\1/
q
}
s/.*/./; q'
`
test -d "$dstdir"
dstdir_status=$?
fi
fi
obsolete_mkdir_used=false
if test $dstdir_status != 0; then
case $posix_mkdir in
'')
# Create intermediate dirs using mode 755 as modified by the umask.
# This is like FreeBSD 'install' as of 1997-10-28.
umask=`umask`
case $stripcmd.$umask in
# Optimize common cases.
*[2367][2367]) mkdir_umask=$umask;;
.*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;
*[0-7])
mkdir_umask=`expr $umask + 22 \
- $umask % 100 % 40 + $umask % 20 \
- $umask % 10 % 4 + $umask % 2
`;;
*) mkdir_umask=$umask,go-w;;
esac
# With -d, create the new directory with the user-specified mode.
# Otherwise, rely on $mkdir_umask.
if test -n "$dir_arg"; then
mkdir_mode=-m$mode
else
mkdir_mode=
fi
posix_mkdir=false
case $umask in
*[123567][0-7][0-7])
# POSIX mkdir -p sets u+wx bits regardless of umask, which
# is incompatible with FreeBSD 'install' when (umask & 300) != 0.
;;
*)
tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
if (umask $mkdir_umask &&
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
then
if test -z "$dir_arg" || {
# Check for POSIX incompatibilities with -m.
# HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
# other-writeable bit of parent directory when it shouldn't.
# FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
ls_ld_tmpdir=`ls -ld "$tmpdir"`
case $ls_ld_tmpdir in
d????-?r-*) different_mode=700;;
d????-?--*) different_mode=755;;
*) false;;
esac &&
$mkdirprog -m$different_mode -p -- "$tmpdir" && {
ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
}
}
then posix_mkdir=:
fi
rmdir "$tmpdir/d" "$tmpdir"
else
# Remove any dirs left behind by ancient mkdir implementations.
rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
fi
trap '' 0;;
esac;;
esac
if
$posix_mkdir && (
umask $mkdir_umask &&
$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir"
)
then :
else
# The umask is ridiculous, or mkdir does not conform to POSIX,
# or it failed possibly due to a race condition. Create the
# directory the slow way, step by step, checking for races as we go.
case $dstdir in
/*) prefix='/';;
-*) prefix='./';;
*) prefix='';;
esac
eval "$initialize_posix_glob"
oIFS=$IFS
IFS=/
$posix_glob set -f
set fnord $dstdir
shift
$posix_glob set +f
IFS=$oIFS
prefixes=
for d
do
test -z "$d" && continue
prefix=$prefix$d
if test -d "$prefix"; then
prefixes=
else
if $posix_mkdir; then
(umask=$mkdir_umask &&
$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
# Don't fail if two instances are running concurrently.
test -d "$prefix" || exit 1
else
case $prefix in
*\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;;
*) qprefix=$prefix;;
esac
prefixes="$prefixes '$qprefix'"
fi
fi
prefix=$prefix/
done
if test -n "$prefixes"; then
# Don't fail if two instances are running concurrently.
(umask $mkdir_umask &&
eval "\$doit_exec \$mkdirprog $prefixes") ||
test -d "$dstdir" || exit 1
obsolete_mkdir_used=true
fi
fi
fi
if test -n "$dir_arg"; then
{ test -z "$chowncmd" || $doit $chowncmd "$dst"; } &&
{ test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } &&
{ test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false ||
test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1
else
# Make a couple of temp file names in the proper directory.
dsttmp=$dstdir/_inst.$$_
rmtmp=$dstdir/_rm.$$_
# Trap to clean up those temp files at exit.
trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
# Copy the file name to the temp name.
(umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") &&
# and set any options; do chmod last to preserve setuid bits.
#
# If any of these fail, we abort the whole thing. If we want to
# ignore errors from any of these, just make sure not to ignore
# errors from the above "$doit $cpprog $src $dsttmp" command.
#
{ test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } &&
{ test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } &&
{ test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } &&
{ test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } &&
# If -C, don't bother to copy if it wouldn't change the file.
if $copy_on_change &&
old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` &&
new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` &&
eval "$initialize_posix_glob" &&
$posix_glob set -f &&
set X $old && old=:$2:$4:$5:$6 &&
set X $new && new=:$2:$4:$5:$6 &&
$posix_glob set +f &&
test "$old" = "$new" &&
$cmpprog "$dst" "$dsttmp" >/dev/null 2>&1
then
rm -f "$dsttmp"
else
# Rename the file to the real destination.
$doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null ||
# The rename failed, perhaps because mv can't rename something else
# to itself, or perhaps because mv is so ancient that it does not
# support -f.
{
# Now remove or move aside any old file at destination location.
# We try this two ways since rm can't unlink itself on some
# systems and the destination file might be busy for other
# reasons. In this case, the final cleanup might fail but the new
# file should still install successfully.
{
test ! -f "$dst" ||
$doit $rmcmd -f "$dst" 2>/dev/null ||
{ $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
{ $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }
} ||
{ echo "$0: cannot unlink or rename $dst" >&2
(exit 1); exit 1
}
} &&
# Now rename the file to the real destination.
$doit $mvcmd "$dsttmp" "$dst"
}
fi || exit 1
trap '' 0
fi
done
# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# End:

8413
auto/ltmain.sh Executable file
View File

File diff suppressed because it is too large Load Diff

367
auto/missing Executable file
View File

@ -0,0 +1,367 @@
#! /bin/sh
# Common stub for a few missing GNU programs while installing.
scriptversion=2006-05-10.23
# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006
# Free Software Foundation, Inc.
# Originally by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
if test $# -eq 0; then
echo 1>&2 "Try \`$0 --help' for more information"
exit 1
fi
run=:
sed_output='s/.* --output[ =]\([^ ]*\).*/\1/p'
sed_minuso='s/.* -o \([^ ]*\).*/\1/p'
# In the cases where this matters, `missing' is being run in the
# srcdir already.
if test -f configure.ac; then
configure_ac=configure.ac
else
configure_ac=configure.in
fi
msg="missing on your system"
case $1 in
--run)
# Try to run requested program, and just exit if it succeeds.
run=
shift
"$@" && exit 0
# Exit code 63 means version mismatch. This often happens
# when the user try to use an ancient version of a tool on
# a file that requires a minimum version. In this case we
# we should proceed has if the program had been absent, or
# if --run hadn't been passed.
if test $? = 63; then
run=:
msg="probably too old"
fi
;;
-h|--h|--he|--hel|--help)
echo "\
$0 [OPTION]... PROGRAM [ARGUMENT]...
Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an
error status if there is no known handling for PROGRAM.
Options:
-h, --help display this help and exit
-v, --version output version information and exit
--run try to run the given command, and emulate it if it fails
Supported PROGRAM values:
aclocal touch file \`aclocal.m4'
autoconf touch file \`configure'
autoheader touch file \`config.h.in'
autom4te touch the output file, or create a stub one
automake touch all \`Makefile.in' files
bison create \`y.tab.[ch]', if possible, from existing .[ch]
flex create \`lex.yy.c', if possible, from existing .c
help2man touch the output file
lex create \`lex.yy.c', if possible, from existing .c
makeinfo touch the output file
tar try tar, gnutar, gtar, then tar without non-portable flags
yacc create \`y.tab.[ch]', if possible, from existing .[ch]
Send bug reports to <bug-automake@gnu.org>."
exit $?
;;
-v|--v|--ve|--ver|--vers|--versi|--versio|--version)
echo "missing $scriptversion (GNU Automake)"
exit $?
;;
-*)
echo 1>&2 "$0: Unknown \`$1' option"
echo 1>&2 "Try \`$0 --help' for more information"
exit 1
;;
esac
# Now exit if we have it, but it failed. Also exit now if we
# don't have it and --version was passed (most likely to detect
# the program).
case $1 in
lex|yacc)
# Not GNU programs, they don't have --version.
;;
tar)
if test -n "$run"; then
echo 1>&2 "ERROR: \`tar' requires --run"
exit 1
elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
exit 1
fi
;;
*)
if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
# We have it, but it failed.
exit 1
elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
# Could not run --version or --help. This is probably someone
# running `$TOOL --version' or `$TOOL --help' to check whether
# $TOOL exists and not knowing $TOOL uses missing.
exit 1
fi
;;
esac
# If it does not exist, or fails to run (possibly an outdated version),
# try to emulate it.
case $1 in
aclocal*)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified \`acinclude.m4' or \`${configure_ac}'. You might want
to install the \`Automake' and \`Perl' packages. Grab them from
any GNU archive site."
touch aclocal.m4
;;
autoconf)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified \`${configure_ac}'. You might want to install the
\`Autoconf' and \`GNU m4' packages. Grab them from any GNU
archive site."
touch configure
;;
autoheader)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified \`acconfig.h' or \`${configure_ac}'. You might want
to install the \`Autoconf' and \`GNU m4' packages. Grab them
from any GNU archive site."
files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' ${configure_ac}`
test -z "$files" && files="config.h"
touch_files=
for f in $files; do
case $f in
*:*) touch_files="$touch_files "`echo "$f" |
sed -e 's/^[^:]*://' -e 's/:.*//'`;;
*) touch_files="$touch_files $f.in";;
esac
done
touch $touch_files
;;
automake*)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified \`Makefile.am', \`acinclude.m4' or \`${configure_ac}'.
You might want to install the \`Automake' and \`Perl' packages.
Grab them from any GNU archive site."
find . -type f -name Makefile.am -print |
sed 's/\.am$/.in/' |
while read f; do touch "$f"; done
;;
autom4te)
echo 1>&2 "\
WARNING: \`$1' is needed, but is $msg.
You might have modified some files without having the
proper tools for further handling them.
You can get \`$1' as part of \`Autoconf' from any GNU
archive site."
file=`echo "$*" | sed -n "$sed_output"`
test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
if test -f "$file"; then
touch $file
else
test -z "$file" || exec >$file
echo "#! /bin/sh"
echo "# Created by GNU Automake missing as a replacement of"
echo "# $ $@"
echo "exit 0"
chmod +x $file
exit 1
fi
;;
bison|yacc)
echo 1>&2 "\
WARNING: \`$1' $msg. You should only need it if
you modified a \`.y' file. You may need the \`Bison' package
in order for those modifications to take effect. You can get
\`Bison' from any GNU archive site."
rm -f y.tab.c y.tab.h
if test $# -ne 1; then
eval LASTARG="\${$#}"
case $LASTARG in
*.y)
SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'`
if test -f "$SRCFILE"; then
cp "$SRCFILE" y.tab.c
fi
SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'`
if test -f "$SRCFILE"; then
cp "$SRCFILE" y.tab.h
fi
;;
esac
fi
if test ! -f y.tab.h; then
echo >y.tab.h
fi
if test ! -f y.tab.c; then
echo 'main() { return 0; }' >y.tab.c
fi
;;
lex|flex)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified a \`.l' file. You may need the \`Flex' package
in order for those modifications to take effect. You can get
\`Flex' from any GNU archive site."
rm -f lex.yy.c
if test $# -ne 1; then
eval LASTARG="\${$#}"
case $LASTARG in
*.l)
SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'`
if test -f "$SRCFILE"; then
cp "$SRCFILE" lex.yy.c
fi
;;
esac
fi
if test ! -f lex.yy.c; then
echo 'main() { return 0; }' >lex.yy.c
fi
;;
help2man)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified a dependency of a manual page. You may need the
\`Help2man' package in order for those modifications to take
effect. You can get \`Help2man' from any GNU archive site."
file=`echo "$*" | sed -n "$sed_output"`
test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
if test -f "$file"; then
touch $file
else
test -z "$file" || exec >$file
echo ".ab help2man is required to generate this page"
exit 1
fi
;;
makeinfo)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified a \`.texi' or \`.texinfo' file, or any other file
indirectly affecting the aspect of the manual. The spurious
call might also be the consequence of using a buggy \`make' (AIX,
DU, IRIX). You might want to install the \`Texinfo' package or
the \`GNU make' package. Grab either from any GNU archive site."
# The file to touch is that specified with -o ...
file=`echo "$*" | sed -n "$sed_output"`
test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
if test -z "$file"; then
# ... or it is the one specified with @setfilename ...
infile=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'`
file=`sed -n '
/^@setfilename/{
s/.* \([^ ]*\) *$/\1/
p
q
}' $infile`
# ... or it is derived from the source name (dir/f.texi becomes f.info)
test -z "$file" && file=`echo "$infile" | sed 's,.*/,,;s,.[^.]*$,,'`.info
fi
# If the file does not exist, the user really needs makeinfo;
# let's fail without touching anything.
test -f $file || exit 1
touch $file
;;
tar)
shift
# We have already tried tar in the generic part.
# Look for gnutar/gtar before invocation to avoid ugly error
# messages.
if (gnutar --version > /dev/null 2>&1); then
gnutar "$@" && exit 0
fi
if (gtar --version > /dev/null 2>&1); then
gtar "$@" && exit 0
fi
firstarg="$1"
if shift; then
case $firstarg in
*o*)
firstarg=`echo "$firstarg" | sed s/o//`
tar "$firstarg" "$@" && exit 0
;;
esac
case $firstarg in
*h*)
firstarg=`echo "$firstarg" | sed s/h//`
tar "$firstarg" "$@" && exit 0
;;
esac
fi
echo 1>&2 "\
WARNING: I can't seem to be able to run \`tar' with the given arguments.
You may want to install GNU tar or Free paxutils, or check the
command line arguments."
exit 1
;;
*)
echo 1>&2 "\
WARNING: \`$1' is needed, and is $msg.
You might have modified some files without having the
proper tools for further handling them. Check the \`README' file,
it often tells you about the needed prerequisites for installing
this package. You may also peek at any GNU archive site, in case
some other package would contain this missing \`$1' program."
exit 1
;;
esac
exit 0
# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# End:

28
build-android.sh Executable file
View File

@ -0,0 +1,28 @@
#!/bin/sh
set -ev
VERSION=4.53
DST=stunnel-$VERSION-android
# to build Zlib:
# export CHOST=arm-linux-androideabi
# ./configure --static --prefix=/opt/androideabi/sysroot
# make
# make install
# to build OpenSSL:
# export CC=arm-linux-androideabi-gcc
# ./Configure linux-armv4 threads no-shared zlib no-dso --openssldir=/opt/androideabi/sysroot
# make
# make install
./configure --build=i686-pc-linux-gnu --host=arm-linux-androideabi --prefix=/data/local --with-ssl=/opt/androideabi/sysroot
make clean
make
mkdir $DST
cp src/stunnel /opt/androideabi/sysroot/bin/openssl $DST
# arm-linux-androideabi-strip $DST/stunnel $DST/openssl
arm-linux-androideabi-strip $DST/openssl
zip -r $DST.zip $DST
rm -rf $DST
sha256sum $DST.zip
mv $DST.zip ../dist/

14819
configure vendored Executable file
View File

File diff suppressed because it is too large Load Diff

494
configure.ac Normal file
View File

@ -0,0 +1,494 @@
# Process this file with autoconf to produce a configure script.
AC_INIT([stunnel],[4.53])
AC_MSG_NOTICE([**************************************** initialization])
AC_CONFIG_AUX_DIR(auto)
AC_CONFIG_MACRO_DIR([m4])
AM_INIT_AUTOMAKE(stunnel, 4.53)
AC_CONFIG_HEADERS([src/config.h])
AC_CONFIG_SRCDIR([src/stunnel.c])
AC_DEFINE([_GNU_SOURCE], [1], [Use GNU source])
AC_CANONICAL_HOST
AC_SUBST([host])
AC_DEFINE_UNQUOTED([HOST], ["$host"], [Host description])
define([esc], [`echo ]$1[ | tr abcdefghijklmnopqrstuvwxyz.- ABCDEFGHIJKLMNOPQRSTUVWXYZ__ | tr -dc ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_`])
AC_DEFINE_UNQUOTED(esc(CPU_$host_cpu))
AC_DEFINE_UNQUOTED(esc(VENDOR_$host_vendor))
AC_DEFINE_UNQUOTED(esc(OS_$host_os))
AC_PROG_CC
AM_PROG_CC_C_O
AC_PROG_INSTALL
AC_PROG_MAKE_SET
# Checks for typedefs, structures, and compiler characteristics
# AC_C_CONST
# AC_TYPE_SIZE_T
# AC_TYPE_PID_T
# AC_HEADER_TIME
AC_MSG_NOTICE([**************************************** compiler/linker flags])
AC_SUBST([stunnel_LDFLAGS])
AC_MSG_CHECKING([whether $CC accepts -pthread])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -pthread"
valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -pthread"
AC_LINK_IFELSE([int main() {return 0;}],
[
AC_MSG_RESULT([yes])
AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -pthread"])
AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -pthread"])
], [
AC_MSG_RESULT([no])
])
CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS"
AC_MSG_CHECKING([whether $CC accepts -fstack-protector])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -fstack-protector"
valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -fstack-protector"
AC_LINK_IFELSE([int main() {return 0;}],
[
AC_MSG_RESULT([yes])
AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -fstack-protector"])
AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -fstack-protector"])
], [
AC_MSG_RESULT([no])
])
CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS"
AC_MSG_CHECKING([whether $CC accepts -pie])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -fPIE"
valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -pie -fPIE"
AC_LINK_IFELSE([int main() {return 0;}],
[
AC_MSG_RESULT([yes])
AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -fPIE"])
AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -pie -fPIE"])
], [
AC_MSG_RESULT([no])
])
CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS"
AC_MSG_CHECKING([whether $CC accepts -Wall])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wall"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
AC_MSG_CHECKING([whether $CC accepts -Wextra])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wextra"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
AC_MSG_CHECKING([whether $CC accepts -Wno-long-long])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wno-long-long"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
AC_MSG_CHECKING([whether $CC accepts -pedantic])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -pedantic"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
AC_MSG_NOTICE([**************************************** libtool])
LT_INIT([disable-static])
AC_SUBST([LIBTOOL_DEPS])
AC_MSG_NOTICE([**************************************** types])
AC_CHECK_SIZEOF(unsigned char)
AC_CHECK_SIZEOF(unsigned short)
AC_CHECK_SIZEOF(unsigned int)
AC_CHECK_SIZEOF(unsigned long)
AC_MSG_CHECKING([for socklen_t])
AC_EGREP_HEADER(socklen_t, sys/socket.h,
AC_MSG_RESULT([yes]),
AC_MSG_RESULT([no (defined as int)])
AC_DEFINE([socklen_t], [int], [Type of socklen_t]))
AC_CHECK_TYPES([struct sockaddr_un], [], [], [#include <sys/un.h>])
AC_CHECK_TYPES([struct addrinfo], [], [], [#include <netdb.h>])
AC_MSG_NOTICE([**************************************** PTY device files])
if test "$cross_compiling" = "no"; then
AC_CHECK_FILE("/dev/ptmx", AC_DEFINE([HAVE_DEV_PTMX], [1],
[Define to 1 if you have '/dev/ptmx' device.]))
AC_CHECK_FILE("/dev/ptc", AC_DEFINE([HAVE_DEV_PTS_AND_PTC], [1],
[Define to 1 if you have '/dev/ptc' device.]))
else
AC_MSG_WARN([cross-compilation: assuming /dev/ptmx and /dev/ptc are not available])
fi
AC_MSG_NOTICE([**************************************** entropy sources])
if test "$cross_compiling" = "no"; then
AC_ARG_WITH(egd-socket,
[ --with-egd-socket=FILE Entropy Gathering Daemon socket path],
[EGD_SOCKET="$withval"]
)
if test -n "$EGD_SOCKET"; then
AC_DEFINE_UNQUOTED([EGD_SOCKET], ["$EGD_SOCKET"], [Entropy Gathering Daemon socket path])
fi
# Check for user-specified random device
AC_ARG_WITH(random,
[ --with-random=FILE read randomness from file (default=/dev/urandom)],
[RANDOM_FILE="$withval"],
[
# Check for random device
AC_CHECK_FILE("/dev/urandom", RANDOM_FILE="/dev/urandom")
]
)
if test -n "$RANDOM_FILE"; then
AC_SUBST([RANDOM_FILE])
AC_DEFINE_UNQUOTED([RANDOM_FILE], ["$RANDOM_FILE"], [Random file path])
fi
else
AC_MSG_WARN([cross-compilation: assuming entropy sources are not available])
fi
AC_MSG_NOTICE([**************************************** default group])
DEFAULT_GROUP=nobody
if test "$cross_compiling" = "no"; then
grep '^nogroup:' /etc/group >/dev/null && DEFAULT_GROUP=nogroup
else
AC_MSG_WARN([cross-compilation: assuming nogroup is not available])
fi
AC_MSG_CHECKING([for default group])
AC_MSG_RESULT([$DEFAULT_GROUP])
AC_SUBST([DEFAULT_GROUP])
AC_MSG_NOTICE([**************************************** header files])
# AC_HEADER_DIRENT
# AC_HEADER_STDC
# AC_HEADER_SYS_WAIT
AC_CHECK_HEADERS([malloc.h ucontext.h pthread.h poll.h tcpd.h stropts.h grp.h unistd.h util.h libutil.h pty.h])
AC_CHECK_HEADERS([sys/types.h sys/select.h sys/poll.h sys/socket.h sys/un.h sys/ioctl.h sys/filio.h sys/resource.h sys/uio.h])
AC_CHECK_MEMBERS([struct msghdr.msg_control],
[AC_DEFINE([HAVE_MSGHDR_MSG_CONTROL], [1],
[Define to 1 if you have 'msghdr.msg_control' structure.])], [], [
AC_INCLUDES_DEFAULT
#include <sys/socket.h>
])
AC_CHECK_HEADERS([linux/netfilter_ipv4.h], , ,
[
#include <limits.h>
#include <linux/types.h>
#include <sys/socket.h>
#include <netdb.h>
])
AC_MSG_NOTICE([**************************************** libraries])
# Checks for standard libraries
AC_SEARCH_LIBS([gethostbyname], [nsl])
AC_SEARCH_LIBS([yp_get_default_domain], [nsl])
AC_SEARCH_LIBS([socket], [socket])
AC_SEARCH_LIBS([openpty], [util])
# Checks for dynamic loader and zlib needed by OpenSSL
AC_SEARCH_LIBS([dlopen], [dl])
AC_SEARCH_LIBS([shl_load], [dld])
AC_SEARCH_LIBS([inflateEnd], [z])
# Add BeOS libraries
if test "$host_os" = "beos"; then
LIBS="$LIBS -lbe -lroot -lbind"
fi
AC_MSG_NOTICE([**************************************** thread model])
checkpthreadlib() { :
# 1. BSD hack: attempt to use alternative libc implementation if available
AC_CHECK_LIB([c_r], [pthread_create],
[
LIBS="$LIBS -pthread"
HAVE_LIBPTHREAD="yes"
AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.])
]
)
# 2. try to use from standard libc (required by Android and possibly other platforms)
AC_CHECK_LIB([c], [pthread_create],
[
HAVE_LIBPTHREAD="yes"
AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.])
]
)
# 3. try libpthread: OSF hack instead of simple AC_CHECK_LIB here
AC_MSG_CHECKING([for pthread_create in -lpthread])
valid_LIBS="$LIBS"
LIBS="$valid_LIBS -lpthread"
AC_LINK_IFELSE(
[AC_LANG_PROGRAM(
[
#include <pthread.h>
],
[
pthread_create((void *)0, (void *)0, (void *)0, (void *)0)
]
)],
[
AC_MSG_RESULT([yes])
HAVE_LIBPTHREAD="yes"
AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.])
], [
AC_MSG_RESULT([no])
LIBS="$valid_LIBS"
]
)
}
AC_ARG_WITH(threads,
[ --with-threads=model select threading model (ucontext/pthread/fork)],
[
case "$withval" in
ucontext)
AC_MSG_NOTICE([UCONTEXT mode selected])
AC_DEFINE([USE_UCONTEXT], [1], [Define to 1 to select UCONTEXT mode])
;;
pthread)
checkpthreadlib
AC_MSG_NOTICE([PTHREAD mode selected])
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
;;
fork)
AC_MSG_NOTICE([FORK mode selected])
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
;;
*)
AC_MSG_ERROR([Unknown thread model \"${withval}\"])
;;
esac
], [
checkpthreadlib
if test "$HAVE_LIBPTHREAD" = "yes" -a "$ac_cv_header_pthread_h" = "yes"; then
AC_MSG_NOTICE([PTHREAD thread model detected])
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
elif test "$ac_cv_func_getcontext" = "yes" -a "$ac_cv_header_ucontext_h" = "yes"; then
AC_MSG_NOTICE([UCONTEXT thread model detected])
AC_DEFINE([USE_UCONTEXT], [1], [Define to 1 to select UCONTEXT mode])
else
AC_MSG_NOTICE([FORK thread model detected])
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
fi
])
AC_MSG_NOTICE([**************************************** library functions])
# safe string operations
AC_CHECK_FUNCS(snprintf vsnprintf)
# pseudoterminal
AC_CHECK_FUNCS(openpty _getpty)
# Unix
AC_CHECK_FUNCS(daemon waitpid wait4 setsid setgroups chroot)
# limits
AC_CHECK_FUNCS(sysconf getrlimit)
# threads/reentrant functions
AC_CHECK_FUNCS(pthread_sigmask localtime_r)
# threads
AC_CHECK_FUNCS(getcontext __makecontext_v2)
# sockets
AC_CHECK_FUNCS(poll gethostbyname2 endhostent getnameinfo)
AC_MSG_CHECKING([for getaddrinfo])
case "$host_os" in
*androideabi*)
# http://stackoverflow.com/questions/7818246/segmentation-fault-in-getaddrinfo
AC_MSG_RESULT([no (buggy Android implementation)])
;;
*)
# Tru64 UNIX has getaddrinfo() but has it renamed in libc as
# something else so we must include <netdb.h> to get the
# redefinition.
AC_LINK_IFELSE(
[AC_LANG_PROGRAM(
[
AC_INCLUDES_DEFAULT
#include <sys/socket.h>
#include <netdb.h>
],
[
getaddrinfo(NULL, NULL, NULL, NULL);
],)],
[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_GETADDRINFO], [1], [Define to 1 if you have 'getaddrinfo' function.])],
[AC_MSG_RESULT([no])])
;;
esac
# poll() is not recommended on Mac OS X <=10.3 and broken on Mac OS X >=10.4
AC_MSG_CHECKING([for broken poll() implementation])
case "$host_os" in
darwin*)
AC_MSG_RESULT([yes (poll() disabled)])
AC_DEFINE([BROKEN_POLL], [1], [Define to 1 if you have a broken 'poll' implementation.])
;;
*)
AC_MSG_RESULT([no])
;;
esac
# GNU extensions
AC_CHECK_FUNCS(pipe2 accept4)
AC_MSG_NOTICE([**************************************** optional features])
# Use IPv6?
AC_MSG_CHECKING([whether to enable IPv6 support])
AC_ARG_ENABLE(ipv6,
[ --enable-ipv6 Enable IPv6 support],
[
case "$enableval" in
yes) AC_MSG_RESULT([yes])
AC_DEFINE([USE_IPv6], [1], [Define to 1 to enable IPv6 support])
;;
no) AC_MSG_RESULT([no])
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([bad value \"${enableval}\"])
;;
esac
],
[AC_MSG_RESULT([yes]); AC_DEFINE([USE_IPv6], [1], [Define to 1 to enable IPv6 support])],
[AC_MSG_RESULT([no])]
)
# Disable use of libwrap (TCP wrappers)
# it should be the last check!
AC_MSG_CHECKING([whether to disable TCP wrappers library support])
AC_ARG_ENABLE(libwrap,
[ --disable-libwrap Disable TCP wrappers library support],
[
case "$enableval" in
yes) AC_MSG_RESULT([no])
AC_DEFINE([HAVE_LIBWRAP], [1], [Define to 1 if you have 'libwrap' library.])
LIBS="$LIBS -lwrap"
;;
no) AC_MSG_RESULT([yes])
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([Bad value \"${enableval}\"])
;;
esac
],
[
AC_MSG_RESULT([autodetecting])
AC_MSG_CHECKING([for hosts_access in -lwrap])
valid_LIBS="$LIBS"
LIBS="$valid_LIBS -lwrap"
AC_LINK_IFELSE(
[AC_LANG_PROGRAM(
[
int hosts_access(); int allow_severity, deny_severity;
],
[
hosts_access()
]
)],
[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_LIBWRAP], [1], [Define to 1 if you have 'libwrap' library.])],
[AC_MSG_RESULT([no]); LIBS="$valid_LIBS"]
)
]
)
# FIPS Mode
AC_MSG_CHECKING([whether to enable FIPS mode support])
AC_ARG_ENABLE(fips,
[ --enable-fips Enable OpenSSL FIPS mode],
[
case "$enableval" in
yes) AC_MSG_RESULT([yes])
sub_dirs="/ssl/fips /ssl/fips-1.0 /"
fips="yes"
AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS mode])
;;
no) AC_MSG_RESULT([no])
sub_dirs="/ssl /openssl /"
fips="no"
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([bad value \"${enableval}\"])
;;
esac
],
[
sub_dirs="/ssl/fips /ssl/fips-1.0 /ssl /openssl /"
fips="auto"
AC_MSG_RESULT([autodetecting])
]
)
AC_MSG_NOTICE([**************************************** SSL])
check_ssl_dir() { :
SSLDIR="$1"
if test -f "$1/include/openssl/ssl.h"; then
return 0
fi
return 1
}
# Check for SSL directory
AC_MSG_CHECKING([for SSL directory])
AC_ARG_WITH(ssl,
[ --with-ssl=DIR location of installed SSL libraries/include files],
[
check_ssl_dir "$withval"
],
[
for main_dir in /usr/local /usr/lib /usr/pkg /opt/local /opt /usr; do
for sub_dir in $sub_dirs; do
check_ssl_dir "$main_dir$sub_dir" && break 2
done
done
]
)
if test ! -d "$SSLDIR"; then
AC_MSG_RESULT([not found])
AC_MSG_ERROR([
Couldn't find your SSL library installation dir
Use --with-ssl option to fix this problem
])
fi
AC_MSG_RESULT([$SSLDIR])
AC_SUBST([SSLDIR])
AC_DEFINE_UNQUOTED([SSLDIR], ["$SSLDIR"], [SSL directory])
valid_CPPFLAGS="$CPPFLAGS"; CPPFLAGS="$CPPFLAGS -I$SSLDIR/include"
valid_LIBS="$LIBS"; LIBS="$LIBS -L$SSLDIR/lib64 -L$SSLDIR/lib -lssl -lcrypto"
AC_CHECK_HEADER([$SSLDIR/include/openssl/engine.h],
[AC_DEFINE([HAVE_OSSL_ENGINE_H], [1], [Define to 1 if you have <engine.h> header file.])],
[AC_MSG_WARN([OpenSSL engine header not found])])
AC_CHECK_HEADER([$SSLDIR/include/openssl/ocsp.h],
[AC_DEFINE([HAVE_OSSL_OCSP_H], [1], [Define to 1 if you have <ocsp.h> header file.])],
[AC_MSG_WARN([OpenSSL ocsp header not found])])
AC_MSG_CHECKING([for FIPS_mode_set])
if test "$fips" = "auto"; then
AC_LINK_IFELSE(
[AC_LANG_PROGRAM(
[
#include <openssl/fips.h>
],
[
FIPS_mode_set(1);
],
)],
[AC_MSG_RESULT([yes])
AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS mode.])
], [
AC_MSG_RESULT([no])
]
)
else
AC_MSG_RESULT([test skipped])
fi
CPPFLAGS="$valid_CPPFLAGS"
LIBS="$valid_LIBS"
AC_MSG_NOTICE([**************************************** write the results])
AC_CONFIG_FILES([Makefile src/Makefile src/stunnel3 doc/Makefile tools/Makefile tools/stunnel.conf-sample tools/stunnel.init tools/stunnel.service])
AC_OUTPUT
AC_MSG_NOTICE([**************************************** success])
# End of configure.ac

21
doc/Makefile.am Normal file
View File

@ -0,0 +1,21 @@
## Process this file with automake to produce Makefile.in
EXTRA_DIST = stunnel.pod stunnel.pl.pod stunnel.fr.pod \
stunnel.8 stunnel.pl.8 stunnel.fr.8 \
stunnel.html stunnel.pl.html stunnel.fr.html en pl
man_MANS = stunnel.8 stunnel.pl.8 stunnel.fr.8
docdir = $(datadir)/doc/stunnel
doc_DATA = stunnel.html stunnel.pl.html stunnel.fr.html
SUFFIXES = .pod .8 .html
.pod.8:
pod2man -u --section=8 --release=$(VERSION) --center=stunnel \
--date=`date +%Y.%m.%d` $< $@
.pod.html:
pod2html --noindex --title stunnel.8 --infile=$< --outfile=$@
rm -f pod2htmd.tmp pod2htmi.tmp

478
doc/Makefile.in Normal file
View File

@ -0,0 +1,478 @@
# Makefile.in generated by automake 1.11.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
# Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
@SET_MAKE@
VPATH = @srcdir@
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = doc
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/src/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
SOURCES =
DIST_SOURCES =
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
*) f=$$p;; \
esac;
am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
am__install_max = 40
am__nobase_strip_setup = \
srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
am__nobase_strip = \
for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
am__nobase_list = $(am__nobase_strip_setup); \
for p in $$list; do echo "$$p $$p"; done | \
sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
$(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
if (++n[$$2] == $(am__install_max)) \
{ print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
END { for (dir in files) print dir, files[dir] }'
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
man8dir = $(mandir)/man8
am__installdirs = "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(docdir)"
NROFF = nroff
MANS = $(man_MANS)
DATA = $(doc_DATA)
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFAULT_GROUP = @DEFAULT_GROUP@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GREP = @GREP@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LD = @LD@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
LIBTOOL_DEPS = @LIBTOOL_DEPS@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
RANDOM_FILE = @RANDOM_FILE@
RANLIB = @RANLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SSLDIR = @SSLDIR@
STRIP = @STRIP@
VERSION = @VERSION@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = $(datadir)/doc/stunnel
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
lt_ECHO = @lt_ECHO@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
stunnel_CFLAGS = @stunnel_CFLAGS@
stunnel_LDFLAGF = @stunnel_LDFLAGF@
stunnel_LDFLAGS = @stunnel_LDFLAGS@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
EXTRA_DIST = stunnel.pod stunnel.pl.pod stunnel.fr.pod \
stunnel.8 stunnel.pl.8 stunnel.fr.8 \
stunnel.html stunnel.pl.html stunnel.fr.html en pl
man_MANS = stunnel.8 stunnel.pl.8 stunnel.fr.8
doc_DATA = stunnel.html stunnel.pl.html stunnel.fr.html
SUFFIXES = .pod .8 .html
all: all-am
.SUFFIXES:
.SUFFIXES: .pod .8 .html
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
&& { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --gnu doc/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(top_srcdir)/configure: $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
install-man8: $(man_MANS)
@$(NORMAL_INSTALL)
test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
@list=''; test -n "$(man8dir)" || exit 0; \
{ for i in $$list; do echo "$$i"; done; \
l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
sed -n '/\.8[a-z]*$$/p'; \
} | while read p; do \
if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; echo "$$p"; \
done | \
sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
sed 'N;N;s,\n, ,g' | { \
list=; while read file base inst; do \
if test "$$base" = "$$inst"; then list="$$list $$file"; else \
echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
$(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
fi; \
done; \
for i in $$list; do echo "$$i"; done | $(am__base_list) | \
while read files; do \
test -z "$$files" || { \
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
$(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
done; }
uninstall-man8:
@$(NORMAL_UNINSTALL)
@list=''; test -n "$(man8dir)" || exit 0; \
files=`{ for i in $$list; do echo "$$i"; done; \
l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
sed -n '/\.8[a-z]*$$/p'; \
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
test -z "$$files" || { \
echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
install-docDATA: $(doc_DATA)
@$(NORMAL_INSTALL)
test -z "$(docdir)" || $(MKDIR_P) "$(DESTDIR)$(docdir)"
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
done | $(am__base_list) | \
while read files; do \
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \
$(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \
done
uninstall-docDATA:
@$(NORMAL_UNINSTALL)
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
test -n "$$files" || exit 0; \
echo " ( cd '$(DESTDIR)$(docdir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(docdir)" && rm -f $$files
tags: TAGS
TAGS:
ctags: CTAGS
CTAGS:
distdir: $(DISTFILES)
@list='$(MANS)'; if test -n "$$list"; then \
list=`for p in $$list; do \
if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
if test -n "$$list" && \
grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \
echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \
echo " typically \`make maintainer-clean' will remove them" >&2; \
exit 1; \
else :; fi; \
else :; fi
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
dist_files=`for file in $$list; do echo $$file; done | \
sed -e "s|^$$srcdirstrip/||;t" \
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
case $$dist_files in \
*/*) $(MKDIR_P) `echo "$$dist_files" | \
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
sort -u` ;; \
esac; \
for file in $$dist_files; do \
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
if test -d "$(distdir)/$$file"; then \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
test -f "$(distdir)/$$file" \
|| cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
check-am: all-am
check: check-am
all-am: Makefile $(MANS) $(DATA)
installdirs:
for dir in "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(docdir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-am
install-exec: install-exec-am
install-data: install-data-am
uninstall: uninstall-am
install-am: all-am
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
installcheck: installcheck-am
install-strip:
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
`test -z '$(STRIP)' || \
echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am
clean-am: clean-generic clean-libtool mostlyclean-am
distclean: distclean-am
-rm -f Makefile
distclean-am: clean-am distclean-generic
dvi: dvi-am
dvi-am:
html: html-am
html-am:
info: info-am
info-am:
install-data-am: install-docDATA install-man
install-dvi: install-dvi-am
install-dvi-am:
install-exec-am:
install-html: install-html-am
install-html-am:
install-info: install-info-am
install-info-am:
install-man: install-man8
install-pdf: install-pdf-am
install-pdf-am:
install-ps: install-ps-am
install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-am
mostlyclean-am: mostlyclean-generic mostlyclean-libtool
pdf: pdf-am
pdf-am:
ps: ps-am
ps-am:
uninstall-am: uninstall-docDATA uninstall-man
uninstall-man: uninstall-man8
.MAKE: install-am install-strip
.PHONY: all all-am check check-am clean clean-generic clean-libtool \
distclean distclean-generic distclean-libtool distdir dvi \
dvi-am html html-am info info-am install install-am \
install-data install-data-am install-docDATA install-dvi \
install-dvi-am install-exec install-exec-am install-html \
install-html-am install-info install-info-am install-man \
install-man8 install-pdf install-pdf-am install-ps \
install-ps-am install-strip installcheck installcheck-am \
installdirs maintainer-clean maintainer-clean-generic \
mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
ps ps-am uninstall uninstall-am uninstall-docDATA \
uninstall-man uninstall-man8
.pod.8:
pod2man -u --section=8 --release=$(VERSION) --center=stunnel \
--date=`date +%Y.%m.%d` $< $@
.pod.html:
pod2html --noindex --title stunnel.8 --infile=$< --outfile=$@
rm -f pod2htmd.tmp pod2htmi.tmp
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:

190
doc/en/VNC_StunnelHOWTO.html Normal file
View File

@ -0,0 +1,190 @@
<!-- saved from url=(0022)http://internet.e-mail -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=iso-8859-1">
<TITLE></TITLE>
<META NAME="GENERATOR" CONTENT="StarOffice/5.2 (Win32)">
<META NAME="CREATED" CONTENT="20010220;7501784">
<META NAME="CHANGED" CONTENT="16010101;0">
<STYLE>
<!--
@page { margin: 2cm }
-->
</STYLE>
</HEAD>
<BODY>
<P ALIGN=CENTER STYLE="margin-bottom: 0cm"><FONT SIZE=4 STYLE="font-size: 16pt"><U><B>VNC
over STUNNEL with a Linux server and Windows 2000 client HOWTO</B></U></FONT></P>
<P ALIGN=CENTER STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">19 February 2001</P>
<P STYLE="margin-bottom: 0cm">ver 1.0</P>
<P STYLE="margin-bottom: 0cm">by Craig Furter and Arno van der Walt</P>
<P STYLE="margin-bottom: 0cm">contact us at <A HREF="mailto:cfurter@vexen.co.za">cfurter@vexen.co.za</A>
and <A HREF="mailto:arnovdw@mycomax.com">arnovdw@mycomax.com</A></P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">We assume that you have already
downloaded VNCServer and VNCViewer.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">First of all there is a step by step
HOWTO and then we'll look at the theory behind all this.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">Download and install openSSL,
SSLEay, and Stunnel on the Linux/Unix box. Download the modules.</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">a)
[root@anthrax$]gunzip openssl-x.xx.tar.gz (repeat for all 3 the
modules)</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">b)
[root@anthrax$]tar &#150; xvf openssl-x.xx.tar (repeat for all 3 the
modules)</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">Copy the following to Notepad and
save the file as VNCRegEdit.REG on the Windows 2000 box</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">--cut here and copy
to VNCRegEdit.REG the double click file to
import--<BR>REGEDIT4<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3]<BR>AllowLoopback=dword:00000001<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\Default]<BR>AllowLoopback=dword:00000001<BR>--stop
here--<BR><BR>
</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">Install Stunnel on the Windows
2000 machine by copying the following files to your \WINNT\SYSTEM32\
directory</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">a)libeay32.dll</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">b)libssl.dll</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">c)stunnel.pem</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">On the Linux box execute the
following command as root and let it run in its own terminal.</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">./stunnel -d 5900
-r 5901</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">Execute vncserver (it should run
as display:1 when you execute the ps aux |grep vnc command)</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">Now on the Windows 2000 machine
execute the following command and let it run in its own terminal.</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">stunnel -d 5900 -r
unix.ip.adress:5900 -c</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">.</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">And on the Windows 2000 machine
open VNCviewer and connect to localhost specifying no display</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">ie. 10.10.1.53 in
the window</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">For each additional display repeat
steps 4 &#150; 6 and increment the specified ports with 2 ie. The
Linux command will look as follows:</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"> ./stunnel -d 5902
-r 5903
</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">and the Windows
2000 command as follows:
</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">stunnel -d 5902 -r
unix.ip.adress:5902</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">and remember to
start another vncserver on the Linux box for each VNC display</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">The display number on the
vncviewer must also be incremented with two ie:</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">10.10.1.53:2 etc.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><FONT SIZE=4><U>The THEORY</U></FONT></P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><U>Tunneling:</U></P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">What this means is that software
(daemon) runs on the client and server machine. In this case, the
Windows 2000 machine is the client and the server is the *NIX
machine. Stunnel will then run as client on Windows 2000 and server
mode on the UNIX box.<BR><BR>eg:<BR>Windows:<BR>stunnel -d 5900 -r
unix.ip.address:5900 -c<BR><BR>UNIX<BR>stunnel -d 5900 -r 5901<BR><BR>This
means that connecting to VNC display 0 in the localhost will transfer
all the calls to the *NIX machine on display 1. So the VNC server on
the *NIX machine must be running on display 1. Not display 0. If you
run stunnel before VNC, VNC will automatically move to display 1
noticing that port 5900 (&quot;display&quot; 0) is already in
use).<BR><BR>What happens now is that when you connect to port 5900
on the Windows machine via an &quot;unsecured&quot; connection, a
secure &quot;tunnel&quot; is opened from Windows 2000 to the *NIX
machine on port 5900. The *NIX machine then opens a &quot;unsecured&quot;
connection to itself on port 5901. We now have a secure tunnel
available.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><U>A bit about VNC and displays</U></P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">The -d is the listening IPaddress:port
and the -r is the remote IPaddress:port. VNC uses port 5900 for
display 0. That means that display 1 will be 5901. If you want VNC
server to listen for a connection on port 80 then the display number
will be 80 - 5900 = -5820. If you want VNC server to<BR>listen on
port 14000 then the display number is 14000 - 5900 = 8100.<BR><BR>So
all you have to do is run stunnel on the UNIX machine and VNC on the
desired &quot;display&quot; number.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><U>VNC on the Windows 2000 machine</U></P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">To connect from the client machine you
need to enter the client machines IP address and the &quot;display&quot;
(from the port conversion). But VNC will think that you are trying to
connect to the local machine and does not allow this. To override
this add the following to you registry.<BR><BR>--cut here and copy to
anything.reg. the double click file to
import--<BR>REGEDIT4<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3]<BR>AllowLoopback=dword:00000001<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\Default]<BR>AllowLoopback=dword:00000001<BR>--stop
here--<BR><BR>Now VNC will not complain. So you need to always run
stunnel in client mode on the Windows machine and then connect with
VNCViewer to the localhost on the correct &quot;display&quot;. By the
way, *NIX doesn't complain about this. There is no setting needed if
*NIX to *NIX.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm"><U>VNC's Java client</U></P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">Unfortunately this will not work well
with the build in web version. If you did not known about it, try
http'ing into a machine running VNC server on it, to port 58XX (where
XX is the display number), and the Java client will be loaded.<BR><BR>
</P>
</BODY>
</HTML>

143
doc/pl/faq.stunnel-2.html Normal file
View File

@ -0,0 +1,143 @@
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-2">
<TITLE>Gdy pojawiają się kłopoty</TITLE>
</HEAD>
<BODY TEXT="#000000" BGCOLOR="#FFFFFF" LINK="#0000EF" VLINK="#51188E" ALINK="#FF0000">
<B>Q: </B>Próbuje kompilować stunnel jednak dostaje
następujące komunikaty:
<BR>stunnel.c:69: ssl.h: No such file or directory
<BR>stunnel.c:71: bio.h: No such file or directory
<BR>stunnel.c:72: pem.h: No such file or directory
<BR>make: *** [stunnel.o] Error 1
<P><B>A:</B> Są dwie prawdopodobne przyczyny: nie masz zainstalowanego
w systemie pakietu SSLeay lub pakiet nie znajduje sie w miejscu domyślnym
czyli<B> /usr/local/ssl. </B>Należy zainstalować SSLeay lub też poprawić
Makefile tak by ścieżka była prawidłowa.
<BR>
<HR WIDTH="100%">
<BR><B>Q:</B>&nbsp; Próbuje uruchomić stunnel jako wrapper dla httpd. Po
wydaniu komendy: <B>stunnel 443 @localhost:80</B> demon się nie uruchamia
a w syslogu pojawia się komunikat "<B>stunnel[2481]: getpeername: Socket
operation on non-socket (88)"</B><B></B>
<P><B>A</B>: Jest to błąd charakterystyczny dla Linuxa. Należy w pliku
stunnel.c zmienić linię<B> #define INET_SOCKET_PAIR 1</B> na
<BR><B>#define INET_SOCKET_PAIR 0</B> i zrekompilować program ponownie.
<BR>
<HR WIDTH="100%">
<BR><B>Q:</B> Stunnel nadal się nie uruchamia a w syslogu pojawia się komunikat
"<B>stunnel[2525]: /usr/local/ssl/certs/localhost:80.pem: No such file
or directory (2)</B>"<B></B>
<P><B>A:</B> Nie posiadasz odpowiedniego certyfikatu dla demona. Stunnel
w celu poprawnego działania <B>MUSI</B> posiadać certyfikat. W celu wygenerowania
odpowiedniego certyfikatu należy wydać komende: <B>/usr/local/ssl/bin/ssleay
req -new -x509 -nodes -out server.pem -days 365 -keyout server.pem</B>&nbsp;
bądź też użyć <B>Makefile</B> dołączonego do programu stunnel i przy pomocy
komendy <B>make cert </B>stworzyć certyfikat. Tak utworzony certyfikat (server.pem)
należy umieścić w katalogu <B>/usr/local/ssl/certs</B> i utworzyć doń odpowiednie
linki lub zmieć nazwę certyfikatu na wymaganą przez stunnel.
<BR>
<HR WIDTH="100%">
<BR><B>Q:</B> Wygenerowałem odpowiedni certyfikat przy pomocy skryptu CA.sh,
a stunnel <B>przy starcie prosi o podanie hasła</B>. Jak można przekazać
hasło zabezpieczające certyfikat do programu ?<B></B>
<P><B>A:</B> W chwili obecnej jest to niemożliwe. Certyfikaty którymi posługuje
sie stunnel nie mogą być zabezpieczane hasłem. Przy tworzeniu certyfikatu
należy użyć opcji -nodes (lub utworzyć certyfikat przy pomocy makefile
odstarczonego z programem).
<BR>
<HR WIDTH="100%">
<BR><B>Q:</B> Po uruchomieniu programu stunnel w syslogu pojawia się komunikat:
"<B>stunnel[2805]: WARNING: Wrong permissions on /usr/local/ssl/certs/localhost:80.pem</B>".
Co jest nie tak ?<B></B>
<P><B>A:</B> To tylko ostrzeżenie ! Certyfikat nie powien dać się odczytać
przez innych użytkowników systemu. Prawidłowe prawa dostępu powinny być
następujące: <B>-rw------&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp; root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
1370 Nov 8 1997&nbsp; server.pem </B>(jeśli uruchamiającym stunnel jest
root).
<BR>
<HR WIDTH="100%">
<BR><B>Q:</B> Probowałem zrobić tunelowanie połączenia do demona <B>pop3</B>.
Pomimo zrobienia prawidłowego wpisu do inetd.conf
<BR>"spop3&nbsp; stream&nbsp; tcp&nbsp; nowait&nbsp; root&nbsp; /usr/sbin/stunnel&nbsp;
qpopper -s" stunnel nie działa a w syslogu pojawia się komunikat:
<BR><B>inetd[2949]: spop3/tcp: unknown service.</B><B></B>
<P><B>A: </B>Nie zrobiłeś dodatkowych wpisów do pliku <B>/etc/services.</B>
Zgodnie z rfc???? prawidłowymi portami na których działają demony posługujące
się SSL są:
<TABLE>
<TR>
<TD>https</TD>
<TD>443/tcp</TD>
<TD># HTTP over SSL&nbsp;</TD>
</TR>
<TR>
<TD>ssmtp</TD>
<TD>465/tcp</TD>
<TD># SMTP over SSL&nbsp;</TD>
</TR>
<TR>
<TD>snews</TD>
<TD>563/tcp</TD>
<TD># NNTP over SSL&nbsp;</TD>
</TR>
<TR>
<TD>ssl-ldap</TD>
<TD>636/tcp</TD>
<TD># LDAP over SSL&nbsp;</TD>
</TR>
<TR>
<TD>simap</TD>
<TD>993/tcp</TD>
<TD># IMAP over SSL&nbsp;</TD>
</TR>
<TR>
<TD>spop3</TD>
<TD>995/tcp</TD>
<TD># POP-3 over SSL&nbsp;</TD>
</TR>
</TABLE>
Jeśli nie chesz robić poprawek zamiast nazwy serwisu użyj numeru portu
na którym on działa.
<BR>
<HR WIDTH="100%">
<BR><B>Q:</B> Dobrze, zrobiłem wymagany wpis lecz w dalszym ciagu stunnel
nie działa, natomiast w syslogu pojawia sie wpis:
<BR>&nbsp;<B>stunnel[3015]: execvp: No such file or directory (2). </B>Co
jeszcze jest nie tak ?<B></B>
<P><B>A:</B>&nbsp; Prawdopodone są dwie przyczyny: pierwsza w twoim systemie
nie ma demona dla ktorego zrobiłeś wpis w inetd.conf,
<BR>(spop3&nbsp; stream&nbsp; tcp&nbsp; nowait&nbsp; root&nbsp; /usr/sbin/stunnel&nbsp;
qpopper -s) lub też dany program jest w systemie, jednak ścieżka dostępu
do niego nie jest wymieniona w zmiennej systemowej <B>$PATH</B>. Należy
więc poprawić zapis w inetd.conf uzupełniając o pełna ścieżke dostępu do
demona np.&nbsp; <B>spop3&nbsp; stream&nbsp; tcp&nbsp; nowait&nbsp; root&nbsp;
/usr/sbin/stunnel&nbsp; /usr/sbin/qpopper -s</B>
<BR>&nbsp;
<BR>&nbsp;
</BODY>
</HTML>

744
doc/pl/tworzenie_certyfikatow.html Normal file
View File

@ -0,0 +1,744 @@
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-2">
<META NAME="Author" CONTENT="Adam Hernik">
<TITLE>Wszystko co powiniene¶ wiedzieæ o tworzeniu certyfikatów ale nie chce Ci siê poszukaæ w dokumentacji</TITLE>
</HEAD>
<BODY TEXT="#000000" BGCOLOR="#CCCCCC" LINK="#0000EF" VLINK="#51188E" ALINK="#FF0000">
<CENTER>
<H1>
<FONT SIZE=+2>Wszystko co powiniene¶ wiedzieæ o tworzeniu certyfikatów
ale nie chce Ci siê</FONT></H1></CENTER>
<CENTER>
<H1>
<FONT SIZE=+2>poszukaæ w dokumentacji.</FONT></H1></CENTER>
&nbsp;
<P><B><FONT SIZE=+1>Co powinno znajdowaæ siê na Twoim dysku zamin zostaniesz
"Certificate Authorities".</FONT></B>
<P>Podstawowym oprogramowaniem jest oczywi¶cie <A HREF="http://www.openssl.org">openssl</A>.
W tym miejscu nale¿y zachowaæ czujno¶æ
<BR>bo openssl <B>MUSI</B> byæ co najmniej w wersji 0.9.2b dziêki czemu
ominie Ciê czê¶æ karko³omnych
<BR>operacji przy pomocy <A HREF="http://www.drh-consultancy.demon.co.uk">pcks12</A>
ktory tak¿e musisz posiadaæ w swoich zasobach dyskowych.
<BR>Je¶li masz ju¿ zainstalowane powy¿sze oprogramowanie mo¿esz zacz±æ
tworzyæ certyfikaty.
<P><B><FONT SIZE=+1>Konfiguracja openssl.</FONT></B>
<P>Zak³adam ze openssl jest zainstalowany standardowo czyli w <B>/usr/local/ssl</B>.
Pierwszym krokiem jest
<BR>przejrzenie i "dokonfigurowanie" <B>/usr/local/ssl/lib/openssl.cnf</B>.
Mój domowy konfig wygl±da nastêpuj±co
<BR>(kolorem czerwonym zaznaczylem opcje które raczej powiniene¶ zmieniæ)
:
<BR><FONT SIZE=-2><A HREF="#koniec openssl.cnf">je¶li nie chce Ci siê tego
czytaæ to skocz na koniec konfiga</A></FONT>
<P><I>#</I>
<BR><I># OpenSSL example configuration file.</I>
<BR><I># This is mostly being used for generation of certificate requests.</I>
<BR><I>#</I>
<BR><I>&nbsp;</I>
<BR><I>RANDFILE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= $ENV::HOME/.rnd</I>
<BR><I>oid_file&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= $ENV::HOME/.oid</I>
<BR><I>oid_section&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= new_oids</I>
<BR><I>&nbsp;</I>
<BR><I>[ new_oids ]</I>
<BR><I>&nbsp;</I>
<BR><I># We can add new OIDs in here for use by 'ca' and 'req'.</I>
<BR><I># Add a simple OID like this:</I>
<BR><I># testoid1=1.2.3.4</I>
<BR><I># Or use config file substitution like this:</I>
<BR><I># testoid2=${testoid1}.5.6</I>
<BR><I>&nbsp;</I>
<BR><I>####################################################################</I>
<BR><I>[ ca ]</I>
<BR><I>default_ca&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = CA_default&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# The default ca section</I>
<BR><I>&nbsp;</I>
<BR><I>####################################################################</I>
<BR><I>[ CA_default ]</I>
<BR><I>&nbsp;</I>
<BR><I>dir&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= ./demoCA&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# Where everything is kept</I>
<BR><I>certs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= $dir/certs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# Where the issued certs are kept</I>
<BR><I>crl_dir&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = $dir/crl&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# Where the issued crl are kept</I>
<BR><I>database&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = $dir/index.txt&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# database index file.</I>
<BR><I>new_certs_dir&nbsp;&nbsp; = $dir/newcerts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# default place for new certs.</I>
<BR><I>&nbsp;</I>
<BR><I>certificate&nbsp;&nbsp;&nbsp;&nbsp; = $dir/cacert.pem&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# The CA certificate</I>
<BR><I>serial&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = $dir/serial&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# The current serial number</I>
<BR><I>crl&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= $dir/crl.pem&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; #
The current CRL</I>
<BR><I>private_key&nbsp;&nbsp;&nbsp;&nbsp; = $dir/private/cakey.pem# The
private key</I>
<BR><I>RANDFILE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = $dir/private/.rand&nbsp;&nbsp;&nbsp;
# private random number file</I>
<BR><I>&nbsp;</I>
<BR><I>x509_extensions = usr_cert&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# The extentions to add to the cert</I>
<BR><I>crl_extensions&nbsp; = crl_ext&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# Extensions to add to CRL</I>
<BR><I>default_days&nbsp;&nbsp;&nbsp; = 365&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# how long to certify for</I>
<BR><I>default_crl_days= 30&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# how long before next CRL</I>
<BR><I>default_md&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = md5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# which md to use.</I>
<BR><I>preserve&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = no&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# keep passed DN ordering</I>
<BR><I>&nbsp;</I>
<BR><I># A few difference way of specifying how similar the request should
look</I>
<BR><I># For type CA, the listed attributes must be the same, and the optional</I>
<BR><I># and supplied fields are just that :-)</I>
<BR><I>policy&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = policy_match</I>
<BR><I># For the CA policy</I>
<BR><I>[ policy_match ]</I>
<BR><I>countryName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= match</I>
<BR><I>stateOrProvinceName&nbsp;&nbsp;&nbsp;&nbsp; = match</I>
<BR><I>organizationName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = match</I>
<BR><I>organizationalUnitName&nbsp; = optional</I>
<BR><I>commonName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= supplied</I>
<BR><I>emailAddress&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= optional</I>
<BR><I>&nbsp;</I>
<BR><I># For the 'anything' policy</I>
<BR><I># At this point in time, you must list all acceptable 'object'</I>
<BR><I># types.</I>
<BR><I>[ policy_anything ]</I>
<BR><I>countryName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= optional</I>
<BR><I>stateOrProvinceName&nbsp;&nbsp;&nbsp;&nbsp; = optional</I>
<BR><I>localityName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= optional</I>
<BR><I>organizationName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = optional</I>
<BR><I>organizationalUnitName&nbsp; = optional</I>
<BR><I>commonName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= supplied</I>
<BR><I>emailAddress&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= optional</I>
<BR><I>&nbsp;</I>
<BR><I>####################################################################</I>
<BR><A NAME="req"></A><I>[ req ]</I>
<BR><I>default_bits&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= <FONT COLOR="#FF0000">1024</FONT></I>
<BR><I>default_keyfile&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= privkey.pem</I>
<BR><I>distinguished_name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = req_distinguished_name</I>
<BR><I>attributes&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= req_attributes</I>
<BR><I>x509_extensions = v3_ca # The extentions to add to the self signed
cert</I>
<BR><I>&nbsp;</I>
<BR><I>[ req_distinguished_name ]</I>
<BR><I>countryName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= Country Name (2 letter code)</I>
<BR><I>countryName_default&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= <FONT COLOR="#FF0000">PL</FONT></I>
<BR><I>countryName_min&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= 2</I>
<BR><I>countryName_max&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= 2</I>
<BR><I>&nbsp;</I>
<BR><I>stateOrProvinceName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= State i Prowincja</I>
<BR><I>stateOrProvinceName_default&nbsp;&nbsp;&nbsp;&nbsp; = <FONT COLOR="#FF0000">State-Prowincja
domyslna</FONT></I>
<BR><I>localityName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= Locality Name (eg, city)</I>
<BR><I>localityName_default&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= <FONT COLOR="#FF0000">Lodz</FONT></I>
<BR><I>&nbsp;</I>
<BR><I>0.organizationName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= Organization Name (eg, company)</I>
<BR><I>0.organizationName_default&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = <FONT COLOR="#FF0000">Nawza
Organizacji</FONT></I>
<BR><I>&nbsp;</I>
<BR><I># we can do this but it is not needed normally :-)</I>
<BR><I>#1.organizationName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= Second Organization Name (eg, company)</I>
<BR><I>#1.organizationName_default&nbsp;&nbsp;&nbsp;&nbsp; = World Wide
Web Pty Ltd</I>
<BR><I>organizationalUnitName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= Organizational Unit Name (eg, section)</I>
<BR><I>organizationalUnitName_default&nbsp; = <FONT COLOR="#FF0000">Unit
name domyslny</FONT></I>
<BR><I>&nbsp;</I>
<BR><I>commonName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= Common Name (eg, YOUR name)</I>
<BR><I>commonName_max&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= 64</I>
<BR><I>&nbsp;</I>
<BR><I>emailAddress&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= Email Address</I>
<BR><I>emailAddress_max&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= 40</I>
<BR><I>&nbsp;</I>
<BR><I># SET-ex3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= SET extension number 3</I>
<BR><I>&nbsp;</I>
<BR><I>[ req_attributes ]</I>
<BR><I>challengePassword&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= A challenge password</I>
<BR><I>challengePassword_min&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = 4</I>
<BR><I>challengePassword_max&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = 20</I>
<BR><I>&nbsp;</I>
<BR><I>unstructuredName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= An optional company name</I>
<BR><I>&nbsp;</I>
<BR><A NAME="usr_cert"></A><I>[ usr_cert ]</I>
<BR><I>&nbsp;</I>
<BR><I># These extensions are added when 'ca' signs a request.</I>
<BR><I>&nbsp;</I>
<BR><I># This goes against PKIX guidelines but some CAs do it and some
software</I>
<BR><I># requires this to avoid interpreting an end user certificate as
a CA.</I>
<BR><I>&nbsp;</I>
<BR><I>basicConstraints=CA:FALSE</I>
<BR><I>&nbsp;</I>
<BR><I># Here are some examples of the usage of nsCertType. If it is omitted</I>
<BR><I># the certificate can be used for anything *except* object signing.</I>
<BR><I>&nbsp;</I>
<BR><A NAME="server"></A><I># This is OK for an SSL server.</I>
<BR><I><FONT COLOR="#006600">#nsCertType&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= server</FONT></I>
<BR><I>&nbsp;</I>
<BR><I># For an object signing certificate this would be used.</I>
<BR><I>#nsCertType = objsign</I>
<BR><I>&nbsp;</I>
<BR><A NAME="klient"></A><I># For normal client use this is typical</I>
<BR><I><FONT COLOR="#006600">nsCertType = client, email</FONT></I>
<BR><I>&nbsp;</I>
<BR><I># This is typical also</I>
<BR><I>&nbsp;</I>
<BR><I>keyUsage = nonRepudiation, digitalSignature, keyEncipherment</I>
<BR><I>&nbsp;</I>
<BR><I>nsComment&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= "<FONT COLOR="#FF0000">OpenSSL Generated Certificate</FONT>"</I>
<BR><I>&nbsp;</I>
<BR><I># PKIX recommendations</I>
<BR><I>subjectKeyIdentifier=hash</I>
<BR><I>authorityKeyIdentifier=keyid,issuer:always</I>
<BR><I># Import the email address.</I>
<BR><I>&nbsp;</I>
<BR><I>subjectAltName=email:copy</I>
<BR><I>&nbsp;</I>
<BR><I># Copy subject details</I>
<BR><I>&nbsp;</I>
<BR><I>issuerAltName=issuer:copy</I>
<BR><I>&nbsp;</I>
<BR><I>#nsCaRevocationUrl&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= http://www.domain.dom/ca-crl.pem</I>
<BR><I>#nsBaseUrl</I>
<BR><I>#nsRevocationUrl</I>
<BR><I>#nsRenewalUrl</I>
<BR><I>#nsCaPolicyUrl</I>
<BR><I>#nsSslServerName</I>
<BR><I>&nbsp;</I>
<BR><I>[ v3_ca]</I>
<BR><I>&nbsp;</I>
<BR><I># Extensions for a typical CA</I>
<BR><I>&nbsp;</I>
<BR><I># It's a CA certificate</I>
<BR><I>basicConstraints = CA:true</I>
<BR><I>&nbsp;</I>
<BR><I># PKIX recommendation.</I>
<BR><I>&nbsp;</I>
<BR><I>subjectKeyIdentifier=hash</I>
<BR><I>&nbsp;</I>
<BR><I>authorityKeyIdentifier=keyid:always,issuer:always</I>
<BR><I>&nbsp;</I>
<BR><I># This is what PKIX recommends but some broken software chokes on
critical</I>
<BR><I># extensions.</I>
<BR><I>#basicConstraints = critical,CA:true</I>
<BR><I>&nbsp;</I>
<BR><I># Key usage: again this should really be critical.</I>
<BR><I>keyUsage = cRLSign, keyCertSign</I>
<BR><I>&nbsp;</I>
<BR><I># Some might want this also</I>
<BR><I>nsCertType = sslCA, emailCA, objCA</I>
<BR><I>&nbsp;</I>
<BR><I># Include email address in subject alt name: another PKIX recommendation</I>
<BR><I>subjectAltName=email:copy</I>
<BR><I># Copy issuer details</I>
<BR><I>issuerAltName=issuer:copy</I>
<BR><I>&nbsp;</I>
<BR><I># RAW DER hex encoding of an extension: beware experts only!</I>
<BR><I># 1.2.3.5=RAW:02:03</I>
<BR><I># You can even override a supported extension:</I>
<BR><I># basicConstraints= critical, RAW:30:03:01:01:FF</I>
<BR><I>&nbsp;</I>
<BR><I>[ crl_ext ]</I>
<BR><I>&nbsp;</I>
<BR><I># CRL extensions.</I>
<BR><I># Only issuerAltName and authorityKeyIdentifier make any sense in
a CRL.</I>
<P><I>issuerAltName=issuer:copy</I>
<BR><I>authorityKeyIdentifier=keyid:always,issuer:always</I>
<BR>################################################################################
<BR>########## koniec pliku openssl.cnf
<P><A NAME="koniec openssl.cnf"></A>Jak widaæ zmiany s± praktycznie kosmetyczne.&nbsp;
Nale¿y zwrócic jedynie uwagê na opcjê <A HREF="#req">default_bits</A> w
sekcji req.
<BR>W momencie generowania certyfikatu CA powinna mieæ ona warto¶æ 1024
lub wiêcej, natomiast w trakcie tworzenia
<BR>certyfikatów klienckich winno mieæ siê na uwadze wredn± cechê produktów
M$ dostêpnych poza granicami USA.
<BR>Nie s± one w stanie zaimportowaæ kluczy maj±cych wiêcej ni¿ 512 bitów.
W takim przypadku default_bits nale¿y
<BR>zmniejszyæ do tej warto¶ci. Je¶li chodzi o Netscapa konieczno¶æ taka
nie wystêpuje, nawet gdy nie jest on
<BR>patchowany przy pomocy <A HREF="http://www.fortify.net/">Fortify</A>.
Jednak¿e klucz nie powinien byæ wiêkszy ni¿ 1024 bity.
<P><B><FONT SIZE=+1>Generowanie certyfikatu CA</FONT></B>
<P>Pierwszy± czynno¶ci± jak± nale¿y wykonaæ jest wygenerowanie certyfikatu
CA czyli czego¶ czym bêd±
<BR>podpiswane certyfikaty udostêpniane klientom. Uruchom rxvt lub co¶
innego i wykonaj polecenie:
<P><I>adas:~# <B>cd /usr/local/ssl/bin</B></I>
<BR><I>adas:/usr/local/ssl/bin# <B>./CA.pl -newca</B></I>
<P><I>CA certificate filename (or enter to create)</I>
<P><I>Making CA certificate ...</I>
<BR><I>Using configuration from /usr/local/ssl/lib/openssl.cnf</I>
<BR><I>Generating a 1024 bit RSA private key</I>
<BR><I>..+++++</I>
<BR><I>....+++++</I>
<BR><I>writing new private key to './demoCA/private/cakey.pem'</I>
<BR><A NAME="pem_pass"></A><I><FONT COLOR="#009900">Enter PEM pass phrase:</FONT></I>
<BR><I><FONT COLOR="#009900">Verifying password - Enter PEM pass phrase:</FONT></I>
<BR><I>-----</I>
<BR><I>You are about to be asked to enter information that will be incorporated</I>
<BR><I>into your certificate request.</I>
<BR><I>What you are about to enter is what is called a Distinguished Name
or a DN.</I>
<BR><I>There are quite a few fields but you can leave some blank</I>
<BR><I>For some fields there will be a default value,</I>
<BR><I>If you enter '.', the field will be left blank.</I>
<BR><I>-----</I>
<BR><I>Country Name (2 letter code) [PL]:</I>
<BR><I>State i Prowincja [Kraina Bezrobotnych Szwaczek]:</I>
<BR><I>Locality Name (eg, city) [Lodz]:</I>
<BR><I>Organization Name (eg, company) [Instytut Badan Czarow i Magii]:</I>
<BR><I>Organizational Unit Name (eg, section) [Komorka d/s Egzorcyzmow
i Opentan]:</I>
<BR><I>Common Name (eg, YOUR name) []:Adam Hernik</I>
<BR><I>Email Address []:adas@infocentrum.com</I>
<P><I>adas:/usr/local/ssl/bin#</I>
<P>Skrypt CA.pl uruchomiony poraz pierwszy tworzy w /usr/local/ssl/bin
katalog o nazwie demoCA w którym znajduje siê
<BR>wygenerowany przed chwil± certyfikat publiczny <B>cacert.pem</B> (do³±czany
pó¿niej do certyfikatów klienckich) oraz tajny
<BR>zabezpieczony <A HREF="#pem_pass">has³em</A> klucz <B>cakey.pem</B>
którym bêdziesz podpisywa³ certyfikaty wydawane u¿ytkownikom. Klucz i has³o
<BR>oczywi¶cie nale¿y dobrze chroniæ i najlepiej jest gdy znajduje siê
na serwerze tylko w momencie generowania certyfikatu.
<BR>Ponowne uruchomienie CA.pl z parametrem -newca niszczy to co pracowicie
stworzy³e¶ i generuje nowy klucz i certyfikat.
<BR>&nbsp;
<P><B><FONT SIZE=+1>Tworzenie certyfikatu dla stunnela i innych serwerów</FONT></B>
<BR>&nbsp;
<P>Zanim siê do tego zabierzesz powiniene¶ lekko zmodyfikowac skrypt <B>CA.pl</B>
oraz plik konfiguracyjny <B>openssl.cnf</B>.
<BR>Skopiuj je odpowiednio do plików <B>/usr/local/ssl/bin/CAserv.pl</B>
i <B>/usr/local/ssl/lib/openssl_serv.cnf</B>.<B></B>
<BR>Generowane certyfikaty domy¶lnie zabezpieczone s± has³em, w takim przypadku
w momencie startu stunnela zawsze
<BR>bêdziesz pytany o haslo zabezpieczaj±ce, co skutecznie uniemo¿liwi
automatyczne uruchamianie programu w czasie
<BR>bootowania&nbsp; serwera, czy te¿ przy próbie wystartowania go przez
inetd. Nale¿y poprawiæ <B>linie 40</B> i <B>41</B> skryptu
<BR><B>CAserv.pl</B> z
<P><FONT COLOR="#006600">linia 40:</FONT>
<BR><B>$REQ="openssl req <I>$SSLEAY_CONFIG</I>";</B>
<BR>na
<BR><B>$REQ="openssl req <FONT COLOR="#FF0000">-nodes -config /usr/local/ssl/lib/openssl_serv.cnf</FONT>";</B>
<P><FONT COLOR="#006600">linia 41:</FONT>
<BR><B>$CA="openssl ca <I>$SSLEAY_CONFIG</I>";</B>
<BR>na
<BR><B>$CA="openssl ca <FONT COLOR="#FF0000">-config /usr/local/ssl/lib/openssl_serv.cnf</FONT>";</B>
<BR>&nbsp;
<P>Natomiast w pliku <B>/usr/local/ssl/lib/openssl_serv.cnf </B>nalezy&nbsp;
w sekcji <A HREF="#usr_cert">usr_cert</A> "zahashowaæ" linijkê
<BR><A HREF="#klient">nsCertType = client, email</A>&nbsp; oraz "odhashowaæ"
linijkê <A HREF="#server">nsCertType&nbsp;&nbsp; = server</A> . Je¶li tego
nie zrobisz klient nie bêdzie
<BR>poprawnie rozpoznawa³ typu certyfikatu. A teraz kolej na wygenerowanie
"requestu" posy³anego zazwyczaj do CA.
<BR>Bêd±c w katalogu /usr/local/ssl/bin wykonaj:
<P><I>adas:/usr/local/ssl/bin# .<B>/CAserv.pl -newreq</B></I>
<BR><I>Using configuration from /usr/local/ssl/lib/openssl_serv.cnf</I>
<BR><I>Generating a 1024 bit RSA private key</I>
<BR><I>..............................+++++</I>
<BR><I>.........+++++</I>
<BR><I>writing new private key to 'newreq.pem'</I>
<BR><I>-----</I>
<BR><I>You are about to be asked to enter information that will be incorporated</I>
<BR><I>into your certificate request.</I>
<BR><I>What you are about to enter is what is called a Distinguished Name
or a DN.</I>
<BR><I>There are quite a few fields but you can leave some blank</I>
<BR><I>For some fields there will be a default value,</I>
<BR><I>If you enter '.', the field will be left blank.</I>
<BR><I>-----</I>
<BR><I>Country Name (2 letter code) [PL]:</I>
<BR><I>State i Prowincja [Kraina Bezrobotnych Szwaczek]:Kraina latajacych
scyzorykow</I>
<BR><I>Locality Name (eg, city) [Lodz]:Sielpia</I>
<BR><I>Organization Name (eg, company) [Instytut Badan Czarow i Magii]:Bar
Sloneczko</I>
<BR><I>Organizational Unit Name (eg, section) [Komorka d/s Egzorcyzmow
i Opentan]:Kuflownia</I>
<BR><I><FONT COLOR="#FF0000">Common Name (eg, YOUR name) []:adas.pl</FONT></I>
<BR><I>Email Address []:adas@adas.pl</I>
<P><I>Please enter the following 'extra' attributes</I>
<BR><I>to be sent with your certificate request</I>
<BR><I>A challenge password []:</I>
<BR><I>An optional company name []:</I>
<BR><I>Request (and private key) is in newreq.pem</I>
<BR><I>adas:/usr/local/ssl/bin#</I>
<P>Polem o którym warto wspomnieæ jest "Common Name" (zaznaczone na czerwono).
W trakcie generowania requestu
<BR>nale¿y w tym miejscu wpisaæ <B>FQDN serwera</B> na którym bêdzie on
u¿ywany. W przeciwnym wypadku w chwili
<BR>po³±czenia klient bêdzie twierdzi³, ¿e certyfikat jakim przedstawia
siê serwer nie nale¿y do niego. Unikniemy w ten
<BR>sposób niepotrzebnego klikania. Kolejn± czynno¶ci± jest podpisanie
wygenerowanego requestu. W katalogu
<BR>/usr/local/ssl/bin wykonaj polecenie:
<P><I>adas:/usr/local/ssl/bin# .<B>/CAserv.pl -sign</B></I>
<BR><I>Using configuration from /usr/local/ssl/lib/openssl.cnf</I>
<BR><I><FONT COLOR="#009900">Enter PEM pass phrase:</FONT></I>
<BR><I>Check that the request matches the signature</I>
<BR><I>Signature ok</I>
<BR><I>The Subjects Distinguished Name is as follows</I>
<BR><I>countryName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
:PRINTABLE:'PL'</I>
<BR><I>stateOrProvinceName&nbsp;&nbsp; :PRINTABLE:'Kraina latajacych scyzorykow'</I>
<BR><I>localityName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
:PRINTABLE:'Sielpia'</I>
<BR><I>organizationName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; :PRINTABLE:'Bar Sloneczko'</I>
<BR><I>organizationalUnitName:PRINTABLE:'Kuflownia'</I>
<BR><I>commonName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
:PRINTABLE:'adas.pl'</I>
<BR><I>emailAddress&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
:IA5STRING:'adas@adas.pl'</I>
<BR><I>Certificate is to be certified until Mar 26 21:06:13 2000 GMT (365
days)</I>
<BR><I>Sign the certificate? [y/n]:y</I>
<BR>&nbsp;
<P><I>1 out of 1 certificate requests certified, commit? [y/n]y</I>
<BR><I>Write out database with 1 new entries</I>
<BR><I>Data Base Updated</I>
<BR><I>Signed certificate is in newcert.pem</I>
<BR><I>adas:/usr/local/ssl/bin#</I>
<P>W trakcie podpisywania bêdziesz pytany o has³o zabezpieczaj±ce klucz
prywatny CA (zaznaczone na zielono).
<BR>Po tej operacji powiniene¶ w katalogu /usr/local/ssl/bin otrzymaæ 2
pliki: <B>newcert.pem</B> oraz <B>newreq.pem</B>.
<BR>Zanim zaczniesz ich u¿ywaæ musisz wykonaæ jeszcze jedn± operacje, a
mianowicie z³orzyæ wszystko do kupy.
<BR>Wykonujesz: <B>cat newcert.pem newreq.pem > httpds.pem</B> a nastêpnie
poddajesz tak powsta³y certyfikat edycji.
<BR>Nale¿y z pliku httpds.pem nale¿y usun±æ wszystkie niepotrzebne informacje
tak by pozosta³ jedynie certyfikat oraz
<BR>klucz prywatny. Po tej operacji plik httpds.pem powinien wygl±daæ mniej
wiêcej tak:
<P><I>issuer :/C=PL/ST=Kraina Bezrobotnych Szwaczek/L=Lodz/O=Instytut Badan
Czarow i Magii/OU=Komorka d/s Egzorcyzmow i opentan/CN=Adam Hernik/Email=adas@infocentrum.com</I>
<BR><I>subject:/C=PL/ST=Kraina latajacych scyzorykow/L=Sielpia/O=Bar Sloneczko/OU=Kuflownia/CN=adas.pl/</I>
<BR><I>Email=adas@adas.pl</I>
<BR><I>-----BEGIN CERTIFICATE-----</I>
<BR><I>&nbsp;Tu s± magiczne dane</I>
<BR><I>-----END CERTIFICATE-----</I>
<P><I>-----BEGIN RSA PRIVATE KEY-----</I>
<BR><I>&nbsp; I tu te¿ s± magiczne dane</I>
<BR><I>-----END RSA PRIVATE KEY-----</I>
<P>Spreparowany w ten sposób plik umieszczamy w katalogu /usr/local/ssl/certs
i zajmujemy siê generowaniem dwu
<BR>certyfikatów klienckich.
<BR>&nbsp;
<P><B><FONT SIZE=+1>Generowanie i importowanie certyfikatów klienckich
do Netscape Communikatora.</FONT></B>
<BR>&nbsp;
<BR>Generalnie s± dwie metody tworzenia i importowania certyfikatów klienckich
do Netscapa
<BR><B>Sposób pierwszy:</B>
<BR>Przy pomocy komendy <B>CA.pl -newreq</B> wygeneruj request a nastêpnie
przy pomocy <B>CA.pl -sign</B> podpisz go.
<BR>Pytanie o <I>challenge password</I> zignoruj. Kolejn± czynno¶ci± jest
scalenie i podczyszczenie certyfikatu.
<BR>W przypadku certyfikatu klienta wa¿ne jest podanie <B>prawid³owego
adresu email</B> <B>!</B> Bez tego nie bêdzie mo¿na
<BR>podpisywaæ i szyfrowaæ listów.&nbsp; Stwórz dwa certyfikaty. Bêd± one
potrzebne do wyja¶nienia dzia³ania opcji -v 3
<BR>programu stunnel. Zak³adam ¿e pierwszy certyfikat nale¿y do Jana Kowalskiego
jan@ibczim.pl zachowany w
<BR>pliku jan.pem a drugi do Genowefy Pigwy pigwa@scyzoryki.pl znajduj±cym
siê w pliku pigwa.pem.&nbsp; Przed
<BR>zaimportowaniem plików do Netscpea nale¿y przekonwertowaæ je z formatu
PEM do PCKS12. Wykonuje siê to
<BR>przy pomocy wspomnianego na pocz±tku programu <B>pcks12</B>. Aby przekonwertowaæ
certyfikat Jan Kowalskiego,
<BR>w katalogu w ktorym znajduje siê plik jan.pem wykonaj:
<BR>&nbsp;
<P><B>pkcs12 -export -name "Jan Kowalski jan@ibczim.pl" -in jan.pem -out
jan.p12 -certfile /usr/local/ssl/bin/demoCA/cacert.pem</B>
<P>(<FONT COLOR="#990000">jest to jedna linia !!!</FONT>)
<BR>w wyniku czego powstanie plik jan.p12 który mo¿na zaimportowaæ do Netscapea.
Bardzo wa¿n± opcj± jest
<BR><B><I>-certfile /usr/local/ssl/bin/demoCA/cacert.pem</I></B>. Bez niej
nie bêdzie mo¿na w prawid³owy sposób podpisywaæ listów.
<BR>Prze³±cznik -certfile powoduje do³±czenie publicznego certyfikatu CA
do certyfikatu klienta dziêki czemu Netscape
<BR>jest wstanie "wyekstrachowaæ" certyfikat CA i dodaæ go do wewnêtrznej
bazy CA. Wykonaj powy¿sz± operacjê tak¿e
<BR>dla pigwy. Samo zaimportowanie certyfikatu jest bardzo proste wykonuje
siê to klikaj±c w Netscape na
<P><B>Security-> Yours -> Import a Certificate</B>
<P>Po zaimportowaniu nale¿y w <B>Security -> Signers</B> zaznaczyæ nasz
CA certyfikat a nastêpnie klikn±æ na przycisku Edit
<BR>oraz "zaczekowaæ" opcje:
<P><I>Accept this Certificate Authority for Certifying network sites</I>
<BR><I>Accept this Certificate Authority for Certifying e-mail users</I>
<P>Od tej pory nasz certyfikat bêdzie traktowany na równi z innymi, komercyjnymi.
<P><B>Sposób drugi:</B>
<BR>Polega on na wygenerowaniu i imporcie certyfikatu poprzez strone www.
Wraz z stunnelem dostarczane s±
<BR>przk³adowe strony (dwie) i skrypty (dwa).&nbsp; Skrypty nale¿y raczej
traktowaæ jako wzorzec i ka¿dy powinien napisaæ
<BR>swoje, bardziej bezpieczne. Pierwszym krokiem jest import certyfikatu
CA. U¿ywa siê do tego strony <B>importCA.html</B>
<BR>oraz skryptu <B>importCA.sh</B>. Sam skrypt wygl±da tak:
<P><I>#!/bin/bash</I>
<P><I>echo "Content-type: application/x-x509-ca-cert"</I>
<BR><I>echo</I>
<BR><I>cat <FONT COLOR="#CC0000">/var/lib/httpds/cgi-bin/<B>cacert.pem</B></FONT></I>
<P>cacert.pem jest to oczywi¶cie certyfikat publiczny CA znajduj±cy siê
w katalogu /usr/local/ssl/bin/demoCA
<BR>który nale¿y przekopiowaæ do katalogu cgi-bin serwera httpd oraz nadaæ
mu odpowiednie prawa dostêpu.
<BR>Po zaimportowaniu certyfikatu CA nale¿y w Security->Signers zaznaczyæ
do jakich celów bêdziemy uznawli
<BR>go za wiarygodny. Do generowania certyfikatu klienta wykorzystamy pozosta³±
strone i skrypt. Zanim do tego dojdzie
<BR>nale¿y "dokonfigurowaæ" skrypt i stworzyæ potrzebne katalogi.&nbsp;
W /tmp (lub w innym miejscu) nalezy stworzyæ
<BR>katalog ssl a nastêpnie przekopiowaæ do niego katalog <B>/usr/local/bin/demoCA</B>
oraz plik <B>openssl.cnf</B>.
<BR>Jako ¿e skrypty domy¶lnie uruchamiane s± z prawami u¿ytkownika nobody
nale¿y uczyniæ go&nbsp; wla¶cicielem
<BR>katalogu /tmp/ssl i ca³ej jego zawarto¶ci. Kolejn± czynno¶ci± jest
wygenerowanie pliku <B>.rnd</B>. W Linuxie robimy to
<BR>tak:
<BR><B>cat /dev/random > /tmp/ssl/.rnd</B>
<BR>czekamy chwilkê tak by plik .rnd mia³ wielko¶æ oko³o 1024 B po czym
w³a¶cicielem pliku robimy u¿ytkownika nobody.
<BR>Teraz trzeba przekonfigurowaæ plik /tmp/ssl/openssl.cnf
<P><I>#</I>
<BR><I># OpenSSL example configuration file.</I>
<BR><I># This is mostly being used for generation of certificate requests.</I>
<BR><I>#</I>
<BR><I>&nbsp;</I>
<BR><I><FONT COLOR="#FF0000">RANDFILE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= /tmp/ssl/.rnd</FONT></I>
<BR><I>#oid_file&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= /tmp/ssl/.oid</I>
<BR><I>oid_section&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= new_oids</I>
<BR><I>&nbsp;</I>
<BR><I>[ new_oids ]</I>
<BR><I>&nbsp;</I>
<BR><I># We can add new OIDs in here for use by 'ca' and 'req'.</I>
<BR><I># Add a simple OID like this:</I>
<BR><I># testoid1=1.2.3.4</I>
<BR><I># Or use config file substitution like this:</I>
<BR><I># testoid2=${testoid1}.5.6</I><I></I>
<P><I>####################################################################</I>
<BR><I>[ ca ]</I>
<BR><I>default_ca&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = CA_default&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# The default ca section</I><I></I>
<P><I>####################################################################</I>
<BR><I>[ CA_default ]</I>
<BR><I>&nbsp;</I>
<BR><I><FONT COLOR="#FF0000">dir&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= /tmp/ssl/demoCA&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# Where everything is kept</FONT></I>
<BR><I>certs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= $dir/certs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# Where the issued certs are kept</I>
<BR><I>crl_dir&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = $dir/crl&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# Where the issued crl are kept</I>
<BR><I>database&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = $dir/index.txt&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# database index file.</I>
<BR><I>new_certs_dir&nbsp;&nbsp; = $dir/newcerts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# default place for new certs.</I>
<BR>&nbsp;
<BR>Nale¿y zmieniæ opcje zaznaczone na czerwono. Ostatni± czynno¶ci± jest
sprawdzenie i ewentualne poprawienie
<BR>strony ca.html i skryptu ca.pl. W pliku ca.html nalezy wpisaæ poprawn±
nazwê serwera na którym znajduje siê
<BR>skrypt ca.pl czyli linijkê <B>&lt;FORM ACTION="<FONT COLOR="#FF0000">http://localhost/cgi-bin/ca.pl</FONT>"
METHOD=POST></B>. W ca.pl
<BR>nale¿y skontrolowaæ poprawno¶æ podanych ¶cie¿ek oraz wpisaæ has³o jakim
zabezpieczony jest klucz prywatny CA
<BR>(zmienna $certpass zaznaczona na czerwono).
<BR>&nbsp;
<P><I>#!/usr/bin/perl</I>
<BR><I>#ca.pl</I><I></I>
<P><I>$config&nbsp;&nbsp; = "/tmp/ssl/openssl.cnf";</I>
<BR><I>$capath&nbsp;&nbsp; = "/usr/local/ssl/bin/openssl ca";</I>
<BR><I><FONT COLOR="#FF0000">$certpass = "tu_jest_haslo";</FONT></I>
<BR><I>$tempca&nbsp;&nbsp; = "/tmp/ssl/cli".rand 10000;</I>
<BR><I>$tempout&nbsp; = "/tmp/ssl/certtmp".rand 10000;</I>
<BR><I>$caout&nbsp;&nbsp;&nbsp; = "/tmp/ssl/certwynik.txt";</I>
<BR><I>$CAcert&nbsp;&nbsp; = "/tmp/ssl/demoCA/cacert.pem";</I>
<BR><I>...</I>
<BR>&nbsp;
<P>Po umieszczeniu tak przygotowanych stron i skryptów na serwerze bêdzie
mo¿na generowaæ certyfikaty dla klientów.
<P><B>Wady i zalety obydwu sposobów generowania i instalowania certyfikatów.</B>
<P><A NAME="usuwanie"></A>Jak wynika z powy¿szego opisu bezpieczniejszym
i polecanym przeze mnie jest sposób pierwszy. Jego powa¿n± wad±
<BR>jest&nbsp; fakt ¿e cz³owiek generuj±cy certyfikaty znajduje siê w posiadaniu
klucza prywatnego osoby wystêpuj±cej o
<BR>certyfikat.&nbsp; <FONT COLOR="#FF0000">Oczywi¶cie uczciwy CA powinien
skasowaæ go, zaraz po utworzeniu</FONT>. W takim wypadku metoda pierwsza
<BR>spe³nia&nbsp; wszelkie wymogi. Sposób drugi prócz samych wad ma jedn±
acz ogromn± zaletê. Mianowicie klucz prywatny
<BR>klienta&nbsp; nigdy nie opuszcza jego komputera. Do wad mo¿na zaliczyæ
fakt ¿e has³o zabezpieczaj±ce klucz prywatny CA
<BR>znajduje siê na serwerze i to w dodatku w ¿aden sposób nie chronione.&nbsp;
Kolejn± wad± jest generowanie kompletnych
<BR>certyfikatów przez strone www, co mo¿e groziæ wykradzeniem klucza prywatnego.
Rozwi±zaniem mo¿e byæ sk³adowanie
<BR>requestów w bazie danych a nastpnie rêczna ich obróbka przez administratora.
Reasumuj±c, sposób drugi nale¿y
<BR>potraktowaæ jako demonstracje metody któr± mo¿na przeæwiczyæ przed
napisaniem porz±dnych skryptów.
<BR>&nbsp;<B><FONT SIZE=+1></FONT></B>
<P><B><FONT SIZE=+1>Tajemniczy prze³±cznik -v 3 w stunnelu</FONT></B>
<P>Stunnel posiada trzy tryby weryfikacji klienta.
<BR>Pierwszy opcja <B><FONT SIZE=+1>-v 1</FONT></B> oznacza ¿e nale¿y spróbowaæ
zweryfikowaæ osobê nawi±zuj±c± po³±czenie czyli uzyskaæ jej
<BR>ceryfikat. Je¶li operacja ta siê nie powiedzie, mimo wszystko dostêp
do serwera bêdzie zapewniony.
<BR>Prze³±cznik <B><FONT SIZE=+1>-v 2</FONT></B> nakazuje stunnelowi zweryfikowaæ
klienta. Je¶li u¿ytkownik nie posiada certyfikatu lub certyfikat
<BR>jest niewa¿ny, niew³a¶ciwy czy te¿ nie posiadamy certyfikatu CA którym
podpisany jest certyfikat klienta
<BR><FONT SIZE=-2>(straszny jest ten jêzyk polski)</FONT> nawi±zanie po³±czenia
z serwerem bêdzie niemo¿liwe. I wreszcie opcja <B><FONT SIZE=+1>-v 3</FONT></B>
nakazuj±ca
<BR>stunnelowi zweryfikowaæ klienta a tak¿e poszukaæ jego certyfikatu w
naszej lokalnej bazie.
<BR>Dzieki opcji -v 3 mo¿emy stworzyæ bardzo selektywny dostêp do us³ug
oferowanych przez serwer, unikaj±c generowania du¿ych ilo¶ci certyfikatów.
<FONT COLOR="#FF0000">Uwaga ogólna: do poprawnej weryfikacji klienta KONIECZNE
jest posiadanie certyfikatu CA którym podpisany&nbsp; jest sprawdzany certyfikat</FONT>.
Bez tego stunnel nie jest wstanie przeprowadziæ poprawnej autoryzacji klienta.
Próba taka koñczy siê b³êdami "<B>VERIFY ERROR: self signed certificate
for .....</B>" oraz "<B>SSL_accept: error:140890B1:SSL routines:</B> <B>SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned</B>". A teraz przyk³ad praktyczny: chcemy aby do https
bêd±cym na <B>porcie 444</B> mia³y dostêp wszystkie osoby maj±ce certyfikaty
natomiast
<BR>do do https na <B>porcie 445</B> dostêp mia³ tylko Jan Kowalski. Pierwsz±
czynno¶ci± jak± nale¿y wykonaæ jest skopiowanie
<BR>certyfikatu CA do katalogu <B>/usr/local/ssl/certs</B> (default cert
area), nastêpnie w tym katalogu nale¿y utworzyæ
<BR>podkatalog o&nbsp; nazwie <B>mytrusted</B>, poczym skopiowaæ do niego
certyfikat klienta czyli jan.pem. <A HREF="#usuwanie"><B>Uwaga</B>: z pliku
jan.pem</A>
<BR><A HREF="#usuwanie"><B>MUSISZ</B> usun±æ klucz prywatny</A> !!! Czyli&nbsp;
to co siê znajduje miêdzy
<P>-----BEGIN RSA PRIVATE KEY-----
<BR>.......
<BR>-----END RSA PRIVATE KEY-----
<P>³±cznie z powy¿szymi liniami. Nastêpnie w katalogach <B>/usr/local/ssl/certs</B>
i <B>/usr/local/ssl/certs/mytrusted</B> nale¿y
<BR>wykonaæ polecenie
<BR><B>/usr/local/ssl/bin/c_rehash ./</B>
<BR>Teraz kolej na uruchomienie stunnela:
<BR><B>stunnel -d 444 -r 80 -v 2</B>
<BR>oraz
<BR><B>stunnel -d 445 -r 80 -v 3</B>
<BR>Netscapem nale¿y po³±czyæ sie z https://localhost:444/ a po pytaniu
o certyfikat przedstawiæ certyfikat nale¿±cy
<BR>do pigwy. Dostêp do serwera bêdzie zapewniony. Czynno¶c tê nale¿y powtórzyæ
przedstawiaj±c siê za drugim razem
<BR>certyfikatem Jana Kowalskiego. Po³±czenie tak¿e bêdzie zrealizowane.&nbsp;
W przypadku https://localhost:445/ wej¶cie
<BR>na serwer bêdzie zapewnione tylko po wylegitymowaniu siê certyfikatem
Jana Kowalskiego. Po kazdej zmianie w
<BR>katalogu /usr/local/ssl/certs/mytrusted nale¿y wykonaæ komendê c_rehash
./ i zrestartowaæ stunnela.
<BR>&nbsp;
</BODY>
</HTML>

930
doc/stunnel.8 Normal file
View File

@ -0,0 +1,930 @@
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\" ========================================================================
.\"
.IX Title "STUNNEL 8"
.TH STUNNEL 8 "2012.01.14" "4.53" "stunnel"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
stunnel \- universal SSL tunnel
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.IP "\fBUnix:\fR" 4
.IX Item "Unix:"
\&\fBstunnel\fR [<filename>] | \-fd n | \-help | \-version | \-sockets
.IP "\fB\s-1WIN32:\s0\fR" 4
.IX Item "WIN32:"
\&\fBstunnel\fR [ [\-install | \-uninstall | \-start | \-stop] | \-exit]
[\-quiet] [<filename>] ] | \-help | \-version | \-sockets
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBstunnel\fR program is designed to work as \fI\s-1SSL\s0\fR encryption wrapper
between remote clients and local (\fIinetd\fR\-startable) or remote
servers. The concept is that having non-SSL aware daemons running on
your system you can easily set them up to communicate with clients over
secure \s-1SSL\s0 channels.
.PP
\&\fBstunnel\fR can be used to add \s-1SSL\s0 functionality to commonly used \fIInetd\fR
daemons like \s-1POP\-2\s0, \s-1POP\-3\s0, and \s-1IMAP\s0 servers, to standalone daemons like
\&\s-1NNTP\s0, \s-1SMTP\s0 and \s-1HTTP\s0, and in tunneling \s-1PPP\s0 over network sockets without
changes to the source code.
.PP
This product includes cryptographic software written by
Eric Young (eay@cryptsoft.com)
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "<\fBfilename\fR>" 4
.IX Item "<filename>"
Use specified configuration file
.IP "\fB\-fd n\fR (Unix only)" 4
.IX Item "-fd n (Unix only)"
Read the config file from specified file descriptor
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print \fBstunnel\fR help menu
.IP "\fB\-version\fR" 4
.IX Item "-version"
Print \fBstunnel\fR version and compile time defaults
.IP "\fB\-sockets\fR" 4
.IX Item "-sockets"
Print default socket options
.IP "\fB\-install\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-install (NT/2000/XP only)"
Install \s-1NT\s0 Service
.IP "\fB\-uninstall\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-uninstall (NT/2000/XP only)"
Uninstall \s-1NT\s0 Service
.IP "\fB\-start\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-start (NT/2000/XP only)"
Start \s-1NT\s0 Service
.IP "\fB\-stop\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-stop (NT/2000/XP only)"
Stop \s-1NT\s0 Service
.IP "\fB\-exit\fR (Win32 only)" 4
.IX Item "-exit (Win32 only)"
Exit an already started stunnel
.IP "\fB\-quiet\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-quiet (NT/2000/XP only)"
Don't display any message boxes
.SH "CONFIGURATION FILE"
.IX Header "CONFIGURATION FILE"
Each line of the configuration file can be either:
.IP "\(bu" 4
an empty line (ignored)
.IP "\(bu" 4
a comment starting with ';' (ignored)
.IP "\(bu" 4
an 'option_name = option_value' pair
.IP "\(bu" 4
\&'[service_name]' indicating a start of a service definition
.PP
An address parameter of an option may be either:
.IP "\(bu" 4
a port number
.IP "\(bu" 4
a colon-separated pair of \s-1IP\s0 address (either IPv4, IPv6, or domain name) and port number
.IP "\(bu" 4
a Unix socket path (Unix only)
.SS "\s-1GLOBAL\s0 \s-1OPTIONS\s0"
.IX Subsection "GLOBAL OPTIONS"
.IP "\fBchroot\fR = directory (Unix only)" 4
.IX Item "chroot = directory (Unix only)"
directory to chroot \fBstunnel\fR process
.Sp
\&\fBchroot\fR keeps \fBstunnel\fR in chrooted jail. \fICApath\fR, \fICRLpath\fR, \fIpid\fR
and \fIexec\fR are located inside the jail and the patches have to be relative
to the directory specified with \fBchroot\fR.
.IP "\fBcompression\fR = deflate | zlib | rle" 4
.IX Item "compression = deflate | zlib | rle"
select data compression algorithm
.Sp
default: no compression
.Sp
deflate is the standard compression method as described in \s-1RFC\s0 1951.
.Sp
zlib compression of OpenSSL 0.9.8 or above is not backward compatible with
OpenSSL 0.9.7.
.Sp
rle compression is currently not implemented by the OpenSSL library.
.IP "\fBdebug\fR = [facility.]level" 4
.IX Item "debug = [facility.]level"
debugging level
.Sp
Level is a one of the syslog level names or numbers
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6), or debug (7). All logs for the specified level and
all levels numerically less than it will be shown. Use \fIdebug = debug\fR or
\&\fIdebug = 7\fR for greatest debugging output. The default is notice (5).
.Sp
The syslog facility 'daemon' will be used unless a facility name is supplied.
(Facilities are not supported on Win32.)
.Sp
Case is ignored for both facilities and levels.
.IP "\fB\s-1EGD\s0\fR = egd path (Unix only)" 4
.IX Item "EGD = egd path (Unix only)"
path to Entropy Gathering Daemon socket
.Sp
Entropy Gathering Daemon socket to use to feed OpenSSL random number
generator. (Available only if compiled with OpenSSL 0.9.5a or higher)
.IP "\fBengine\fR = auto | <engine id>" 4
.IX Item "engine = auto | <engine id>"
select hardware engine
.Sp
default: software-only cryptography
.Sp
Here is an example of advanced engine configuration to read private key from an
OpenSC engine
.Sp
.Vb 7
\& engine=dynamic
\& engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so
\& engineCtrl=ID:pkcs11
\& engineCtrl=LIST_ADD:1
\& engineCtrl=LOAD
\& engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc\-pkcs11.so
\& engineCtrl=INIT
\&
\& [service]
\& engineNum=1
\& key=id_45
.Ve
.IP "\fBengineCtrl\fR = command[:parameter]" 4
.IX Item "engineCtrl = command[:parameter]"
control hardware engine
.Sp
Special commands \*(L"\s-1LOAD\s0\*(R" and \*(L"\s-1INIT\s0\*(R" can be used to load and initialize the
engine cryptogaphic module.
.IP "\fBfips\fR = yes | no" 4
.IX Item "fips = yes | no"
Enable or disable \s-1FIPS\s0 140\-2 mode.
.Sp
This option allows to disable entering \s-1FIPS\s0 mode if stunnel was compiled with
\&\s-1FIPS\s0 140\-2 support.
.Sp
default: yes
.IP "\fBforeground\fR = yes | no (Unix only)" 4
.IX Item "foreground = yes | no (Unix only)"
foreground mode
.Sp
Stay in foreground (don't fork) and log to stderr
instead of via syslog (unless \fIoutput\fR is specified).
.Sp
default: background in daemon mode
.IP "\fBoutput\fR = file" 4
.IX Item "output = file"
append log messages to a file
.Sp
/dev/stdout device can be used to send log messages to the standard
output (for example to log them with daemontools splogger).
.IP "\fBpid\fR = file (Unix only)" 4
.IX Item "pid = file (Unix only)"
pid file location
.Sp
If the argument is empty, then no pid file will be created.
.Sp
\&\fIpid\fR path is relative to \fIchroot\fR directory if specified.
.IP "\fBRNDbytes\fR = bytes" 4
.IX Item "RNDbytes = bytes"
bytes to read from random seed files
.Sp
Number of bytes of data read from random seed files. With \s-1SSL\s0 versions
less than 0.9.5a, also determines how many bytes of data are considered
sufficient to seed the \s-1PRNG\s0. More recent OpenSSL versions have a builtin
function to determine when sufficient randomness is available.
.IP "\fBRNDfile\fR = file" 4
.IX Item "RNDfile = file"
path to file with random seed data
.Sp
The \s-1SSL\s0 library will use data from this file first to seed the random
number generator.
.IP "\fBRNDoverwrite\fR = yes | no" 4
.IX Item "RNDoverwrite = yes | no"
overwrite the random seed files with new random data
.Sp
default: yes
.IP "\fBservice\fR = servicename (Unix only)" 4
.IX Item "service = servicename (Unix only)"
use specified string as \fIinetd\fR mode service name for \s-1TCP\s0 Wrapper library
.Sp
default: stunnel
.IP "\fBsetgid\fR = groupname (Unix only)" 4
.IX Item "setgid = groupname (Unix only)"
\&\fIsetgid()\fR to groupname in daemon mode and clears all other groups
.IP "\fBsetuid\fR = username (Unix only)" 4
.IX Item "setuid = username (Unix only)"
\&\fIsetuid()\fR to username in daemon mode
.IP "\fBsocket\fR = a|l|r:option=value[:value]" 4
.IX Item "socket = a|l|r:option=value[:value]"
Set an option on accept/local/remote socket
.Sp
The values for linger option are l_onof:l_linger.
The values for time are tv_sec:tv_usec.
.Sp
Examples:
.Sp
.Vb 9
\& socket = l:SO_LINGER=1:60
\& set one minute timeout for closing local socket
\& socket = r:SO_OOBINLINE=yes
\& place out\-of\-band data directly into the
\& receive data stream for remote sockets
\& socket = a:SO_REUSEADDR=no
\& disable address reuse (enabled by default)
\& socket = a:SO_BINDTODEVICE=lo
\& only accept connections on loopback interface
.Ve
.IP "\fBsyslog\fR = yes | no (Unix only)" 4
.IX Item "syslog = yes | no (Unix only)"
enable logging via syslog
.Sp
default: yes
.IP "\fBtaskbar\fR = yes | no (\s-1WIN32\s0 only)" 4
.IX Item "taskbar = yes | no (WIN32 only)"
enable the taskbar icon
.Sp
default: yes
.SS "SERVICE-LEVEL \s-1OPTIONS\s0"
.IX Subsection "SERVICE-LEVEL OPTIONS"
Each configuration section begins with service name in square brackets.
The service name is used for libwrap (\s-1TCP\s0 Wrappers) access control and lets
you distinguish \fBstunnel\fR services in your log files.
.PP
Note that if you wish to run \fBstunnel\fR in \fIinetd\fR mode (where it
is provided a network socket by a server such as \fIinetd\fR, \fIxinetd\fR,
or \fItcpserver\fR) then you should read the section entitled \fI\s-1INETD\s0 \s-1MODE\s0\fR
below.
.IP "\fBaccept\fR = address" 4
.IX Item "accept = address"
accept connections on specified address
.Sp
If no host specified, defaults to all IPv4 addresses for the local host.
.Sp
To listen on all IPv6 addresses use:
.Sp
.Vb 1
\& connect = :::port
.Ve
.IP "\fBCApath\fR = directory" 4
.IX Item "CApath = directory"
Certificate Authority directory
.Sp
This is the directory in which \fBstunnel\fR will look for certificates when using
the \fIverify\fR. Note that the certificates in this directory should be named
\&\s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1DER\s0 encoded subject of the
cert.
.Sp
The hash algorithm has been changed in OpenSSL 1.0.0. It is required to
c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x.
.Sp
\&\fICApath\fR path is relative to \fIchroot\fR directory if specified.
.IP "\fBCAfile\fR = certfile" 4
.IX Item "CAfile = certfile"
Certificate Authority file
.Sp
This file contains multiple \s-1CA\s0 certificates, used with the \fIverify\fR.
.IP "\fBcert\fR = pemfile" 4
.IX Item "cert = pemfile"
certificate chain \s-1PEM\s0 file name
.Sp
A \s-1PEM\s0 is always needed in server mode.
Specifying this flag in client mode will use this certificate chain
as a client side certificate chain. Using client side certs is optional.
The certificates must be in \s-1PEM\s0 format and must be sorted starting with the
certificate to the highest level (root \s-1CA\s0).
.IP "\fBciphers\fR = cipherlist" 4
.IX Item "ciphers = cipherlist"
Select permitted \s-1SSL\s0 ciphers
.Sp
A colon delimited list of the ciphers to allow in the \s-1SSL\s0 connection.
For example \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
.IP "\fBclient\fR = yes | no" 4
.IX Item "client = yes | no"
client mode (remote service uses \s-1SSL\s0)
.Sp
default: no (server mode)
.IP "\fBconnect\fR = address" 4
.IX Item "connect = address"
connect to a remote address
.Sp
If no host is specified, the host defaults to localhost.
.Sp
Multiple \fBconnect\fR options are allowed in a single service section.
.Sp
If host resolves to multiple addresses and/or if multiple \fIconnect\fR
options are specified, then the remote address is chosen using a
round-robin algorithm.
.IP "\fBCRLpath\fR = directory" 4
.IX Item "CRLpath = directory"
Certificate Revocation Lists directory
.Sp
This is the directory in which \fBstunnel\fR will look for CRLs when
using the \fIverify\fR. Note that the CRLs in this directory should
be named \s-1XXXXXXXX\s0.r0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1CRL\s0.
.Sp
The hash algorithm has been changed in OpenSSL 1.0.0. It is required to
c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x.
.Sp
\&\fICRLpath\fR path is relative to \fIchroot\fR directory if specified.
.IP "\fBCRLfile\fR = certfile" 4
.IX Item "CRLfile = certfile"
Certificate Revocation Lists file
.Sp
This file contains multiple CRLs, used with the \fIverify\fR.
.IP "\fBcurve\fR = nid" 4
.IX Item "curve = nid"
specify \s-1ECDH\s0 curve name
.Sp
To get a list of supported cuves use:
.Sp
.Vb 1
\& openssl ecparam \-list_curves
.Ve
.Sp
default: prime256v1
.IP "\fBdelay\fR = yes | no" 4
.IX Item "delay = yes | no"
delay \s-1DNS\s0 lookup for 'connect' option
.Sp
This option is useful for dynamic \s-1DNS\s0, or when \s-1DNS\s0 is not available during
stunnel startup (road warrior \s-1VPN\s0, dial-up configurations).
.IP "\fBengineNum\fR = engine number" 4
.IX Item "engineNum = engine number"
select engine number to read private key
.Sp
The engines are numbered starting from 1.
.IP "\fBexec\fR = executable_path" 4
.IX Item "exec = executable_path"
execute local inetd-type program
.Sp
\&\fIexec\fR path is relative to \fIchroot\fR directory if specified.
.ie n .IP "\fBexecargs\fR = $0 $1 $2 ..." 4
.el .IP "\fBexecargs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ..." 4
.IX Item "execargs = $0 $1 $2 ..."
arguments for \fIexec\fR including program name ($0)
.Sp
Quoting is currently not supported.
Arguments are separated with arbitrary number of whitespaces.
.IP "\fBfailover\fR = rr | prio" 4
.IX Item "failover = rr | prio"
Failover strategy for multiple \*(L"connect\*(R" targets.
.Sp
.Vb 2
\& rr (round robin) \- fair load distribution
\& prio (priority) \- use the order specified in config file
.Ve
.Sp
default: rr
.IP "\fBident\fR = username" 4
.IX Item "ident = username"
use \s-1IDENT\s0 (\s-1RFC\s0 1413) username checking
.IP "\fBkey\fR = keyfile" 4
.IX Item "key = keyfile"
private key for certificate specified with \fIcert\fR option
.Sp
Private key is needed to authenticate certificate owner.
Since this file should be kept secret it should only be readable
to its owner. On Unix systems you can use the following command:
.Sp
.Vb 1
\& chmod 600 keyfile
.Ve
.Sp
default: value of \fIcert\fR option
.IP "\fBlibwrap\fR = yes | no" 4
.IX Item "libwrap = yes | no"
Enable or disable the use of /etc/hosts.allow and /etc/hosts.deny.
.Sp
default: yes
.IP "\fBlocal\fR = host" 4
.IX Item "local = host"
\&\s-1IP\s0 of the outgoing interface is used as source for remote connections.
Use this option to bind a static local \s-1IP\s0 address, instead.
.IP "\fBsni\fR = service_name:server_name (server mode)" 4
.IX Item "sni = service_name:server_name (server mode)"
Use the service as a slave service (a name-based virtual server) for Server
Name Indication \s-1TLS\s0 extension (\s-1RFC\s0 3546).
.Sp
\&\fIservice_name\fR specifies the master service that accepts client connections
with \fIaccept\fR option. \fIserver_name\fR specifies the host name to be redirected.
Multiple slave services are normally specified for a single master service.
\&\fIsni\fR option can also be specified more than once within a single slave service.
.Sp
This service, as well as the master service, may not be configured in client mode.
\&\fIconnect\fR option of the slave service is ignored when \fIprotocol\fR option is
specified, as \fIprotocol\fR connects remote host before \s-1TLS\s0 handshake.
Libwrap checks (Unix only) are performed twice: with master service name after
\&\s-1TCP\s0 connection is accepted, and with slave service name during \s-1TLS\s0 handshake.
.Sp
Option \fIsni\fR is only available when compiled with OpenSSL 1.0.0 and later.
.IP "\fBsni\fR = server_name (client mode)" 4
.IX Item "sni = server_name (client mode)"
Use the parameter as the value of \s-1TLS\s0 Server Name Indication (\s-1RFC\s0 3546)
extension.
.Sp
Option \fIsni\fR is only available when compiled with OpenSSL 1.0.0 and later.
.IP "\fB\s-1OCSP\s0\fR = url" 4
.IX Item "OCSP = url"
select \s-1OCSP\s0 server for certificate verification
.IP "\fBOCSPflag\fR = flag" 4
.IX Item "OCSPflag = flag"
specify \s-1OCSP\s0 server flag
.Sp
Several \fIOCSPflag\fR can be used to specify multiple flags.
.Sp
currently supported flags: \s-1NOCERTS\s0, \s-1NOINTERN\s0 \s-1NOSIGS\s0, \s-1NOCHAIN\s0, \s-1NOVERIFY\s0,
\&\s-1NOEXPLICIT\s0, \s-1NOCASIGN\s0, \s-1NODELEGATED\s0, \s-1NOCHECKS\s0, \s-1TRUSTOTHER\s0, \s-1RESPID_KEY\s0, \s-1NOTIME\s0
.IP "\fBoptions\fR = SSL_options" 4
.IX Item "options = SSL_options"
OpenSSL library options
.Sp
The parameter is the OpenSSL option name as described in the
\&\fI\fISSL_CTX_set_options\fI\|(3ssl)\fR manual, but without \fI\s-1SSL_OP_\s0\fR prefix.
Several \fIoptions\fR can be used to specify multiple options.
.Sp
For example for compatibility with erroneous Eudora \s-1SSL\s0 implementation
the following option can be used:
.Sp
.Vb 1
\& options = DONT_INSERT_EMPTY_FRAGMENTS
.Ve
.IP "\fBprotocol\fR = proto" 4
.IX Item "protocol = proto"
application protocol to negotiate \s-1SSL\s0 (e.g. \fIstarttls\fR or \fIstls\fR)
.Sp
\&\fIprotocol\fR option should not be used with \s-1SSL\s0 encryption on a separate port.
.Sp
Currently supported protocols:
.RS 4
.IP "\fIcifs\fR" 4
.IX Item "cifs"
Proprietary (undocummented) extension of \s-1CIFS\s0 protocol implemented in Samba.
Support for this extension was dropped in Samba 3.0.0.
.IP "\fIconnect\fR" 4
.IX Item "connect"
Based on \s-1RFC\s0 2817 \- \fIUpgrading to \s-1TLS\s0 Within \s-1HTTP/1\s0.1\fR, section 5.2 \- \fIRequesting a Tunnel with \s-1CONNECT\s0\fR
.Sp
This protocol is only supported in client mode.
.IP "\fIimap\fR" 4
.IX Item "imap"
Based on \s-1RFC\s0 2595 \- \fIUsing \s-1TLS\s0 with \s-1IMAP\s0, \s-1POP3\s0 and \s-1ACAP\s0\fR
.IP "\fInntp\fR" 4
.IX Item "nntp"
Based on \s-1RFC\s0 4642 \- \fIUsing Transport Layer Security (\s-1TLS\s0) with Network News Transfer Protocol (\s-1NNTP\s0)\fR
.Sp
This protocol is only supported in client mode.
.IP "\fIpgsql\fR" 4
.IX Item "pgsql"
Based on http://www.postgresql.org/docs/8.3/static/protocol\-flow.html#AEN73982
.IP "\fIpop3\fR" 4
.IX Item "pop3"
Based on \s-1RFC\s0 2449 \- \fI\s-1POP3\s0 Extension Mechanism\fR
.IP "\fIproxy\fR" 4
.IX Item "proxy"
Haproxy client \s-1IP\s0 address http://haproxy.1wt.eu/download/1.5/doc/proxy\-protocol.txt
.IP "\fIsmtp\fR" 4
.IX Item "smtp"
Based on \s-1RFC\s0 2487 \- \fI\s-1SMTP\s0 Service Extension for Secure \s-1SMTP\s0 over \s-1TLS\s0\fR
.RE
.RS 4
.RE
.IP "\fBprotocolAuthentication\fR = auth_type" 4
.IX Item "protocolAuthentication = auth_type"
authentication type for protocol negotiations
.Sp
currently supported: basic, \s-1NTLM\s0
.Sp
Currently authentication type only applies to 'connect' protocol.
.Sp
default: basic
.IP "\fBprotocolHost\fR = host:port" 4
.IX Item "protocolHost = host:port"
destination address for protocol negotiations
.IP "\fBprotocolPassword\fR = password" 4
.IX Item "protocolPassword = password"
password for protocol negotiations
.IP "\fBprotocolUsername\fR = username" 4
.IX Item "protocolUsername = username"
username for protocol negotiations
.IP "\fBpty\fR = yes | no (Unix only)" 4
.IX Item "pty = yes | no (Unix only)"
allocate pseudo terminal for 'exec' option
.IP "\fBretry\fR = yes | no (Unix only)" 4
.IX Item "retry = yes | no (Unix only)"
reconnect a connect+exec section after it's disconnected
.Sp
default: no
.IP "\fBsession\fR = timeout" 4
.IX Item "session = timeout"
session cache timeout
.IP "\fBsessiond\fR = host:port" 4
.IX Item "sessiond = host:port"
address of sessiond \s-1SSL\s0 cache server
.IP "\fBsslVersion\fR = version" 4
.IX Item "sslVersion = version"
select version of \s-1SSL\s0 protocol
.Sp
Allowed options: all, SSLv2, SSLv3, TLSv1
.IP "\fBstack\fR = bytes (except for \s-1FORK\s0 model)" 4
.IX Item "stack = bytes (except for FORK model)"
thread stack size
.IP "\fBTIMEOUTbusy\fR = seconds" 4
.IX Item "TIMEOUTbusy = seconds"
time to wait for expected data
.IP "\fBTIMEOUTclose\fR = seconds" 4
.IX Item "TIMEOUTclose = seconds"
time to wait for close_notify (set to 0 for buggy \s-1MSIE\s0)
.IP "\fBTIMEOUTconnect\fR = seconds" 4
.IX Item "TIMEOUTconnect = seconds"
time to wait to connect a remote host
.IP "\fBTIMEOUTidle\fR = seconds" 4
.IX Item "TIMEOUTidle = seconds"
time to keep an idle connection
.IP "\fBtransparent\fR = none | source | destination | both (Unix only)" 4
.IX Item "transparent = none | source | destination | both (Unix only)"
enable transparent proxy support on selected platforms
.Sp
Supported values:
.RS 4
.IP "\fInone\fR" 4
.IX Item "none"
Disable transparent proxy support. This is the default.
.IP "\fIsource\fR" 4
.IX Item "source"
Re-write address to appear as if wrapped daemon is connecting
from the \s-1SSL\s0 client machine instead of the machine running \fBstunnel\fR.
.Sp
This option is currently available in:
.RS 4
.IP "Remote mode (\fIconnect\fR option) on \fILinux >=2.6.28\fR" 4
.IX Item "Remote mode (connect option) on Linux >=2.6.28"
This configuration requires stunnel to be executed as root and without
\&\fIsetuid\fR option.
.Sp
This configuration requires the following setup for iptables and routing
(possibly in /etc/rc.local or equivalent file):
.Sp
.Vb 7
\& iptables \-t mangle \-N DIVERT
\& iptables \-t mangle \-A PREROUTING \-p tcp \-m socket \-j DIVERT
\& iptables \-t mangle \-A DIVERT \-j MARK \-\-set\-mark 1
\& iptables \-t mangle \-A DIVERT \-j ACCEPT
\& ip rule add fwmark 1 lookup 100
\& ip route add local 0.0.0.0/0 dev lo table 100
\& echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
.Ve
.Sp
\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option.
.IP "Remote mode (\fIconnect\fR option) on \fILinux 2.2.x\fR" 4
.IX Item "Remote mode (connect option) on Linux 2.2.x"
This configuration requires kernel to be compiled with \fItransparent proxy\fR option.
Connected service must be installed on a separate host.
Routing towards the clients has to go through the stunnel box.
.Sp
\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option.
.IP "Remote mode (\fIconnect\fR option) on \fIFreeBSD >=8.0\fR" 4
.IX Item "Remote mode (connect option) on FreeBSD >=8.0"
This configuration requires additional firewall and routing setup.
\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option.
.IP "Local mode (\fIexec\fR option)" 4
.IX Item "Local mode (exec option)"
This configuration works by pre-loading \fIlibstunnel.so\fR shared library.
_RLD_LIST environment variable is used on Tru64, and \s-1LD_PRELOAD\s0 variable on
other platforms.
.RE
.RS 4
.RE
.IP "\fIdestination\fR" 4
.IX Item "destination"
Original destination is used instead of \fIconnect\fR option.
.Sp
A service section for transparent destination may look like this:
.Sp
.Vb 4
\& [transparent]
\& client=yes
\& accept=<stunnel_port>
\& transparent=destination
.Ve
.Sp
This configuration requires the following setup for iptables
(possibly in /etc/rc.local or equivalent file):
.Sp
.Vb 2
\& /sbin/iptables \-I INPUT \-i eth0 \-p tcp \-\-dport <stunnel_port> \-j ACCEPT
\& /sbin/iptables \-t nat \-I PREROUTING \-i eth0 \-p tcp \-\-dport <redirected_port> \-j DNAT \-\-to\-destination <local_ip>:<stunnel_port>
.Ve
.Sp
Transparent destination option is currently only supported on Linux.
.IP "\fIboth\fR" 4
.IX Item "both"
Use both \fIsource\fR and \fIdestination\fR transparent proxy.
.RE
.RS 4
.Sp
Two legacy options are also supported for backward compatibility:
.IP "\fIyes\fR" 4
.IX Item "yes"
This options has been renamed to \fIsource\fR.
.IP "\fIno\fR" 4
.IX Item "no"
This options has been renamed to \fInone\fR.
.RE
.RS 4
.RE
.IP "\fBverify\fR = level" 4
.IX Item "verify = level"
verify peer certificate
.RS 4
.IP "\fIlevel 0\fR \- request and ignore peer certificate" 4
.IX Item "level 0 - request and ignore peer certificate"
.PD 0
.IP "\fIlevel 1\fR \- verify peer certificate if present" 4
.IX Item "level 1 - verify peer certificate if present"
.IP "\fIlevel 2\fR \- verify peer certificate" 4
.IX Item "level 2 - verify peer certificate"
.IP "\fIlevel 3\fR \- verify peer with locally installed certificate" 4
.IX Item "level 3 - verify peer with locally installed certificate"
.IP "\fIlevel 4\fR \- ignore \s-1CA\s0 chain and only verify peer certificate" 4
.IX Item "level 4 - ignore CA chain and only verify peer certificate"
.IP "\fIdefault\fR \- no verify" 4
.IX Item "default - no verify"
.RE
.RS 4
.PD
.Sp
It is important to understand, that this option was solely designed for access
control and not for authorization. Specifically for level 2 every non-revoked
certificate is accepted regardless of its Common Name. For this reason a
dedicated \s-1CA\s0 should be used with level 2, and not a generic \s-1CA\s0 commonly used
for webservers. Level 3 is preferred for point-to-point connections.
.RE
.SH "RETURN VALUE"
.IX Header "RETURN VALUE"
\&\fBstunnel\fR returns zero on success, non-zero on error.
.SH "SIGNALS"
.IX Header "SIGNALS"
The following signals can be used to control stunnel in Unix environment:
.IP "\s-1SIGHUP\s0" 4
.IX Item "SIGHUP"
Force a reload of the configuration file.
.Sp
Some global options will not be reloaded:
.RS 4
.IP "\(bu" 4
chroot
.IP "\(bu" 4
foreground
.IP "\(bu" 4
pid
.IP "\(bu" 4
setgid
.IP "\(bu" 4
setuid
.RE
.RS 4
.Sp
The use of 'setuid' option will also prevent stunnel from binding privileged
(<1024) ports during configuration reloading.
.Sp
When 'chroot' option is used, stunnel will look for all its files (including
configuration file, certificates, log file and pid file) within the chroot
jail.
.RE
.IP "\s-1SIGUSR1\s0" 4
.IX Item "SIGUSR1"
Close and reopen stunnel log file.
This function can be used for log rotation.
.IP "\s-1SIGTERM\s0, \s-1SIGQUIT\s0, \s-1SIGINT\s0" 4
.IX Item "SIGTERM, SIGQUIT, SIGINT"
Shut stunnel down.
.PP
The result of sending any other signals to the server is undefined.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
In order to provide \s-1SSL\s0 encapsulation to your local \fIimapd\fR service, use
.PP
.Vb 4
\& [imapd]
\& accept = 993
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.PP
If you want to provide tunneling to your \fIpppd\fR daemon on port 2020,
use something like
.PP
.Vb 5
\& [vpn]
\& accept = 2020
\& exec = /usr/sbin/pppd
\& execargs = pppd local
\& pty = yes
.Ve
.PP
If you want to use \fBstunnel\fR in \fIinetd\fR mode to launch your imapd
process, you'd use this \fIstunnel.conf\fR.
Note there must be no \fI[service_name]\fR section.
.PP
.Vb 2
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.SH "NOTES"
.IX Header "NOTES"
.SS "\s-1RESTRICTIONS\s0"
.IX Subsection "RESTRICTIONS"
\&\fBstunnel\fR cannot be used for the \s-1FTP\s0 daemon because of the nature
of the \s-1FTP\s0 protocol which utilizes multiple ports for data transfers.
There are available \s-1SSL\s0 enabled versions of \s-1FTP\s0 and telnet daemons, however.
.SS "\s-1INETD\s0 \s-1MODE\s0"
.IX Subsection "INETD MODE"
The most common use of \fBstunnel\fR is to listen on a network
port and establish communication with either a new port
via the connect option, or a new program via the \fIexec\fR option.
However there is a special case when you wish to have
some other program accept incoming connections and
launch \fBstunnel\fR, for example with \fIinetd\fR, \fIxinetd\fR,
or \fItcpserver\fR.
.PP
For example, if you have the following line in \fIinetd.conf\fR:
.PP
.Vb 1
\& imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
.Ve
.PP
In these cases, the \fIinetd\fR\-style program is responsible
for binding a network socket (\fIimaps\fR above) and handing
it to \fBstunnel\fR when a connection is received.
Thus you do not want \fBstunnel\fR to have any \fIaccept\fR option.
All the \fIService Level Options\fR should be placed in the
global options section, and no \fI[service_name]\fR section
will be present. See the \fI\s-1EXAMPLES\s0\fR section for example
configurations.
.SS "\s-1CERTIFICATES\s0"
.IX Subsection "CERTIFICATES"
Each \s-1SSL\s0 enabled daemon needs to present a valid X.509 certificate
to the peer. It also needs a private key to decrypt the incoming
data. The easiest way to obtain a certificate and a key is to
generate them with the free \fIOpenSSL\fR package. You can find more
information on certificates generation on pages listed below.
.PP
The order of contents of the \fI.pem\fR file is important. It should contain the
unencrypted private key first, then a signed certificate (not certificate
request). There should be also empty lines after certificate and private key.
Plaintext certificate information appended on the top of generated certificate
should be discarded. So the file should look like this:
.PP
.Vb 8
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
\& [encoded key]
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
\& [empty line]
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
\& [encoded certificate]
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
\& [empty line]
.Ve
.SS "\s-1RANDOMNESS\s0"
.IX Subsection "RANDOMNESS"
\&\fBstunnel\fR needs to seed the \s-1PRNG\s0 (pseudo random number generator) in
order for \s-1SSL\s0 to use good randomness. The following sources are loaded
in order until sufficient random data has been gathered:
.IP "\(bu" 4
The file specified with the \fIRNDfile\fR flag.
.IP "\(bu" 4
The file specified by the \s-1RANDFILE\s0 environment variable, if set.
.IP "\(bu" 4
The file .rnd in your home directory, if \s-1RANDFILE\s0 not set.
.IP "\(bu" 4
The file specified with '\-\-with\-random' at compile time.
.IP "\(bu" 4
The contents of the screen if running on Windows.
.IP "\(bu" 4
The egd socket specified with the \fI\s-1EGD\s0\fR flag.
.IP "\(bu" 4
The egd socket specified with '\-\-with\-egd\-sock' at compile time.
.IP "\(bu" 4
The /dev/urandom device.
.PP
With recent (>=OpenSSL 0.9.5a) version of \s-1SSL\s0 it will stop loading
random data automatically when sufficient entropy has been gathered.
With previous versions it will continue to gather from all the above
sources since no \s-1SSL\s0 function exists to tell when enough data is available.
.PP
Note that on Windows machines that do not have console user interaction
(mouse movements, creating windows, etc.) the screen contents are not
variable enough to be sufficient, and you should provide a random file
for use with the \fIRNDfile\fR flag.
.PP
Note that the file specified with the \fIRNDfile\fR flag should contain
random data \*(-- that means it should contain different information
each time \fBstunnel\fR is run. This is handled automatically
unless the \fIRNDoverwrite\fR flag is used. If you wish to update this file
manually, the \fIopenssl rand\fR command in recent versions of OpenSSL,
would be useful.
.PP
One important note \*(-- if /dev/urandom is available, OpenSSL has a habit of
seeding the \s-1PRNG\s0 with it even when checking the random state, so on
systems with /dev/urandom you're likely to use it even though it's listed
at the very bottom of the list above. This isn't \fBstunnel's\fR behaviour, it's
OpenSSLs.
.SS "\s-1DH\s0 \s-1PARAMETERS\s0"
.IX Subsection "DH PARAMETERS"
Stunnel 4.40 and later contains hardcoded 2048\-bit \s-1DH\s0 parameters.
.PP
It is also possible to specify \s-1DH\s0 parameters in the certificate file:
.PP
.Vb 1
\& openssl dhparam 2048 >> stunnel.pem
.Ve
.PP
\&\s-1DH\s0 parameter generation may take several minutes.
.SH "FILES"
.IX Header "FILES"
.IP "\fIstunnel.conf\fR" 4
.IX Item "stunnel.conf"
\&\fBstunnel\fR configuration file
.SH "BUGS"
.IX Header "BUGS"
Option \fIexecargs\fR does not support quoting.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
.IP "\fItcpd\fR\|(8)" 4
.IX Item "tcpd"
access control facility for internet services
.IP "\fIinetd\fR\|(8)" 4
.IX Item "inetd"
internet 'super\-server'
.IP "\fIhttp://www.stunnel.org/\fR" 4
.IX Item "http://www.stunnel.org/"
\&\fBstunnel\fR homepage
.IP "\fIhttp://www.openssl.org/\fR" 4
.IX Item "http://www.openssl.org/"
OpenSSL project website
.SH "AUTHOR"
.IX Header "AUTHOR"
.IP "Michał Trojnara" 4
.IX Item "Michał Trojnara"
<\fIMichal.Trojnara@mirt.net\fR>

574
doc/stunnel.fr.8 Normal file
View File

@ -0,0 +1,574 @@
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\" ========================================================================
.\"
.IX Title "STUNNEL.FR 8"
.TH STUNNEL.FR 8 "2012.01.12" "4.53" "stunnel"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NOM"
.IX Header "NOM"
stunnel \- tunnel \s-1SSL\s0 universel
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.IP "\fBUnix:\fR" 4
.IX Item "Unix:"
\&\fBstunnel\fR [fichier] | \-fd [n] | \-help | \-version | \-sockets
.IP "\fB\s-1WIN32:\s0\fR" 4
.IX Item "WIN32:"
\&\fBstunnel\fR [fichier] | \-install | \-uninstall | \-help | \-version | \-sockets
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Le programme \fBstunnel\fR est conçu pour fonctionner comme une couche
de chiffrement \fI\s-1SSL\s0\fR entre des clients distants et des serveurs locaux
(\fIinetd\fR\-démarrables) ou distants. Le concept est qu'à partir de daemons
non-SSL présents sur le système, on peut facilement les configurer pour
communiquer avec des clients sur des liens sécurisés \s-1SSL\s0.
.PP
\&\fBstunnel\fR peut être utilisé pour ajouter des fonctionnalités \s-1SSL\s0 à des
daemons classiques \fIInetd\fR tels que les serveurs \s-1POP\-2\s0, \s-1POP\-3\s0 et \s-1IMAP\s0,
à d'autres autonomes tels que \s-1NNTP\s0, \s-1SMTP\s0 et \s-1HTTP\s0, ainsi que pour tunneliser
\&\s-1PPP\s0 sur des sockets réseau sans modification du code source.
.PP
Ce produit inclut du code de chiffrement écrit par
Eric Young (eay@cryptsoft.com)
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB[fichier]\fR" 4
.IX Item "[fichier]"
Utilisation du fichier de configuration spécifié.
.IP "\fB\-fd [n]\fR (Unix seulement)" 4
.IX Item "-fd [n] (Unix seulement)"
Lecture du fichier de configuration depuis le descripteur de
fichier indiqué.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Affiche le menu d'aide de \fBstunnel\fR.
.IP "\fB\-version\fR" 4
.IX Item "-version"
Affiche la version de \fBstunnel\fR et les options de compilation.
.IP "\fB\-sockets\fR" 4
.IX Item "-sockets"
Affiche les options socket par défaut.
.IP "\fB\-install\fR (\s-1NT/2000/XP\s0 seulement)" 4
.IX Item "-install (NT/2000/XP seulement)"
Installe un service \s-1NT\s0.
.IP "\fB\-uninstall\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-uninstall (NT/2000/XP only)"
Désinstalle un service \s-1NT\s0.
.SH "FICHIER DE CONFIGURATION"
.IX Header "FICHIER DE CONFIGURATION"
Chaque ligne du fichier de configuration peut être soit :
.IP "\(bu" 4
une ligne vide (ignorée) ;
.IP "\(bu" 4
un commentaire commençant par « # » (ignoré) ;
.IP "\(bu" 4
une paire « option = valeur » ;
.IP "\(bu" 4
« [service_name] » indiquant le début de la définition d'un service ;
.SS "\s-1OPTIONS\s0 \s-1GLOBALES\s0"
.IX Subsection "OPTIONS GLOBALES"
.IP "\fBCApath\fR = répertoire" 4
.IX Item "CApath = répertoire"
Répertoire des autorités de certification (\s-1CA\s0)
.Sp
C'est le répertoire dans lequel \fBstunnel\fR cherche les certificats si
l'on utilise \fIverify\fR. Les certificats doivent être dénommés selon la
forme \s-1XXXXXXXX\s0.0, où \s-1XXXXXXXX\s0 est la valeur de hachage du certificat.
.Sp
Le cas échéant, le répertoire \fICApath\fR est relatif au répertoire \fIchroot\fR.
.IP "\fBCAfile\fR = fichier" 4
.IX Item "CAfile = fichier"
Fichier d'autorités de certification
.Sp
Ce fichier, utilisé avec \fIverify\fR, contient plusieurs certificats de \s-1CA\s0.
.IP "\fBcert\fR = fichier" 4
.IX Item "cert = fichier"
Fichier de chaîne de certificats \s-1PEM\s0
.Sp
Une \s-1PEM\s0 est toujours nécessaire en mode serveur.
En mode client, cette option utilise cette \s-1PEM\s0 comme une chaîne côté client.
L'utilisation de certificats côté client est optionnelle. Les certificats
doivent être au format \s-1PEM\s0 et triés par ordre de niveau décroissant (\s-1CA\s0 racine
en premier).
.IP "\fBchroot\fR = répertoire (Unix seulement)" 4
.IX Item "chroot = répertoire (Unix seulement)"
Répertoire de chroot du processus \fBstunnel\fR
.Sp
\&\fBchroot\fR enferme \fBstunnel\fR dans une cellule chroot. \fICApath\fR, \fICRLpath\fR, \fIpid\fR
et \fIexec\fR sont situés à l'intérieur de la cellule et les répertoires doivent être
relatifs au répertoire correspondant.
.Sp
Pour que le contrôle de libwrap (wrappeur \s-1TCP\s0) soit effectif dans un environnement
chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et
/etc/hosts.deny).
.IP "\fBciphers\fR = listes de chiffre" 4
.IX Item "ciphers = listes de chiffre"
Sélection des chiffres \s-1SSL\s0 autorisés
.Sp
Liste délimitée par deux-points (« : ») des chiffres autorisés pour la connexion \s-1SSL\s0.
Exemple : \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
.IP "\fBclient\fR = yes | no" 4
.IX Item "client = yes | no"
Mode client (Le service distant utilise \s-1SSL\s0)
.Sp
Par défaut : no (mode server)
.IP "\fBCRLpath\fR = répertoire" 4
.IX Item "CRLpath = répertoire"
Répertoire des listes de révocation de certificats (\s-1CRL\s0)
.Sp
C'est le répertoire dans lequel \fBstunnel\fR recherche les \s-1CRL\s0 avec
l'option \fIverify\fR. Les \s-1CRL\s0 doivent être dénommés selon la
forme \s-1XXXXXXXX\s0.0 où \s-1XXXXXXXX\s0 est la valeur de hachage de la \s-1CRL\s0.
.Sp
Le cas échéant, le répertoire \fICRLpath\fR est relatif au répertoire \fIchroot\fR.
.IP "\fBCRLfile\fR = fichier" 4
.IX Item "CRLfile = fichier"
Fichier de listes de révocation de certificats (\s-1CRL\s0)
.Sp
Ce fichier, utilisé avec \fIverify\fR, contient plusieurs \s-1CRL\s0.
.IP "\fBdebug\fR = [facilité.]niveau" 4
.IX Item "debug = [facilité.]niveau"
niveau de déverminage
.Sp
Le niveau est un nom ou un numéro conforme à ceux de syslog :
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux
numériquement inférieurs seront affichées. \fBdebug = debug\fR ou
\&\fBdebug = 7\fR donneront le maximum d'informations. La valeur par défaut
est notice (5).
.Sp
La facilité syslog « daemon » est utilisée, sauf si un autre nom est spécifié
(Win32 ne permet pas l'usage des facilités.)
.Sp
La casse est ignorée, aussi bien pour la facilité que pour le niveau.
.IP "\fB\s-1EGD\s0\fR = chemin (Unix seulement)" 4
.IX Item "EGD = chemin (Unix seulement)"
Emplacement du socket du daemon de recueil d'entropie (\s-1EGD\s0 \- Entropy Gathering Daemon)
.Sp
Socket \s-1EGD\s0 à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible
seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur).
.IP "\fBforeground\fR = yes | no (Unix seulement)" 4
.IX Item "foreground = yes | no (Unix seulement)"
Mode avant-plan
.Sp
Reste en avant-plan (sans fork) et dirige la trace sur stderr
au lieu de syslog (sauf si \fBoutput\fR est spécifié).
.Sp
Par défault : arrière\-plan en mode daemon.
.IP "\fBkey\fR = fichier" 4
.IX Item "key = fichier"
Fichier de clef privée pour le certificat spécifié par \fIcert\fR
.Sp
La clef privée est nécessaire pour authentifier le titulaire du
certificat.
Puisque ce fichier doit rester secret, il ne doit être lisible que
par son propriétaire. Sur les systèmes Unix, on peut utiliser la
commande suivante :
.Sp
.Vb 1
\& chmod 600 fichier
.Ve
.Sp
Par défault : Valeur de \fIcert\fR
.IP "\fBoptions\fR = Options_SSL" 4
.IX Item "options = Options_SSL"
Options de la bibliothèque OpenSSL
.Sp
Le paramètre est l'option OpenSSL décrite dans la page de man
\&\fI\fISSL_CTX_set_options\fI\|(3ssl)\fR, débarassée du préfixe \fI\s-1SSL_OP_\s0\fR.
Plusieurs \fIoptions\fR peuvent être spécifiées.
.Sp
Par exemple, pour la compatibilité avec l'implantation \s-1SSL\s0 défaillante
d'Eudora, on peut utiliser :
.Sp
.Vb 1
\& options = DONT_INSERT_EMPTY_FRAGMENTS
.Ve
.IP "\fBoutput\fR = fichier" 4
.IX Item "output = fichier"
Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.
.Sp
/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard
(par exemple pour les traiter avec les outils splogger).
.IP "\fBpid\fR = fichier (Unix seulement)" 4
.IX Item "pid = fichier (Unix seulement)"
Emplacement du fichier pid
.Sp
Si l'argument est vide, aucun fichier ne sera créé.
.Sp
Le cas échéant, le chemin \fIpid\fR est relatif au répertoire \fIchroot\fR.
.IP "\fBRNDbytes\fR = nombre" 4
.IX Item "RNDbytes = nombre"
Nombre d'octets à lire depuis les fichiers de « sel » aléatoire
.Sp
Avec les \s-1SSL\s0 de version inférieure à 0.9.5a, détermine aussi le nombre
d'octets considérés comme suffisants pour « saler » le \s-1PRNG\s0. Les versions plus
récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire
est suffisant.
.IP "\fBRNDfile\fR = fichier" 4
.IX Item "RNDfile = fichier"
chemin du fichier de données de « sel » aléatoire
.Sp
La bibliothèque \s-1SSL\s0 utilise prioritairement les données de ce fichier pour
« saler » le générateur d'aléatoire.
.IP "\fBRNDoverwrite\fR = yes | no" 4
.IX Item "RNDoverwrite = yes | no"
Recouvre les fichiers de « sel » avec de nouvelles données aléatoires.
.Sp
Par défaut : yes
.IP "\fBservice\fR = nom" 4
.IX Item "service = nom"
Définit le nom de service à utiliser
.Sp
\&\fBSous Unix :\fR nom de service du mode \fIinetd\fR pour la bibliothèque \s-1TCP\s0 Wrapper.
.Sp
Par défaut : stunnel
.IP "\fBsession\fR = timeout" 4
.IX Item "session = timeout"
Timeout du cache de session
.IP "\fBsetgid\fR = nom (Unix seulement)" 4
.IX Item "setgid = nom (Unix seulement)"
Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)
.IP "\fBsetuid\fR = nom (Unix seulement)" 4
.IX Item "setuid = nom (Unix seulement)"
Nom d'utilisateur utilisé en mode daemon
.IP "\fBsocket\fR = a|l|r:option=valeur[:valeur]" 4
.IX Item "socket = a|l|r:option=valeur[:valeur]"
Configure une option de socket accept (a), locale (l) ou distante (r)
.Sp
Les valeurs de l'option linger sont : l_onof:l_linger.
Les valeurs de l'option time sont : tv_sec:tv_usec.
.Sp
Exemples :
.Sp
.Vb 9
\& socket = l:SO_LINGER=1:60
\& définit un délai d\*(Aqune minute pour la clôture des sockets locaux
\& socket = r:SO_OOBINLINE=yes
\& Place directement les données hors\-bande dans le flux de réception
\& des sockets distants
\& socket = a:SO_REUSEADDR=no
\& désactive la réutilisation d\*(Aqadresses (activée par défaut)
\& socket = a:SO_BINDTODEVICE=lo
\& limite l\*(Aqacceptation des connexions sur la seule interface de bouclage
.Ve
.IP "\fBtaskbar\fR = yes | no (\s-1WIN32\s0 seulement)" 4
.IX Item "taskbar = yes | no (WIN32 seulement)"
active l'icône de la barre de tâches
.Sp
Par défaut : yes
.IP "\fBverify\fR = niveau" 4
.IX Item "verify = niveau"
Vérifie le certificat du correspondant
.Sp
.Vb 3
\& niveau 1 \- vérifie le certificat s\*(Aqil est présent
\& niveau 2 \- vérifie le certificat
\& niveau 3 \- contrôle le correspondant avec le certificat local
.Ve
.Sp
Par défaut \- pas de vérification
.SS "\s-1OPTIONS\s0 \s-1DE\s0 \s-1SERVICE\s0"
.IX Subsection "OPTIONS DE SERVICE"
Chaque section de configuration commence par le nom du service entre crochets.
Celui-ci est utilisé par le contrôle d'accès de libwrap (\s-1TCP\s0 Wrappers) et sert
à distinguer les services \fBstunnel\fR dans les fichiers de traces.
.PP
Si l'on souhaite utiliser \fBstunnel\fR en mode \fIinetd\fR (lorsqu'un socket lui est
fourni par un serveur comme \fIinetd\fR, \fIxinetd\fR ou \fItcpserver\fR), il faut se
reporter à la section \fI\s-1MODE\s0 \s-1INETD\s0\fR plus bas.
.IP "\fBaccept\fR = [hôte:]port" 4
.IX Item "accept = [hôte:]port"
Accepte des connexions sur le port spécifié
.Sp
Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses \s-1IP\s0 de
la machine locale.
.IP "\fBconnect\fR = [hôte:]port" 4
.IX Item "connect = [hôte:]port"
Se connecte au port distant indiqué
.Sp
Par défaut, l'hôte est localhost.
.IP "\fBdelay\fR = yes | no" 4
.IX Item "delay = yes | no"
Retarde la recherche \s-1DNS\s0 pour l'option « connect »
.IP "\fBexec\fR = chemin_exécutable (Unix seulement)" 4
.IX Item "exec = chemin_exécutable (Unix seulement)"
Exécute un programme local de type inetd
.Sp
Le cas échéant, le chemin \fIexec\fR est relatif au répertoire \fIchroot\fR.
.ie n .IP "\fBexecargs\fR = $0 $1 $2 ... (Unix seulement)" 4
.el .IP "\fBexecargs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ... (Unix seulement)" 4
.IX Item "execargs = $0 $1 $2 ... (Unix seulement)"
Arguments pour \fIexec\fR, y compris le nom du programme ($0)
.Sp
Les quotes ne peuvent actuellement pas être utilisées.
Les arguments sont séparés par un nombre quelconque d'espaces.
.IP "\fBident\fR = nom" 4
.IX Item "ident = nom"
Applique le contrôle d'identité d'utilisateur \s-1IDENT\s0 (\s-1RFC\s0 1413)
.IP "\fBlocal\fR = hôte" 4
.IX Item "local = hôte"
Adresse \s-1IP\s0 de l'interface de sortie utilisée pour les connexions distantes.
Cette option permet de relier une adresse statique locale.
.IP "\fBprotocol\fR = protocole" 4
.IX Item "protocol = protocole"
Négocie avec \s-1SSL\s0 selon le protocole indiqué
.Sp
Actuellement gérés : cifs, nntp, pop3, smtp
.IP "\fBpty\fR = yes | no (Unix seulement)" 4
.IX Item "pty = yes | no (Unix seulement)"
Alloue un pseudo-terminal pour l'option « exec »
.IP "\fBTIMEOUTbusy\fR = secondes" 4
.IX Item "TIMEOUTbusy = secondes"
Durée d'attente de données
.IP "\fBTIMEOUTclose\fR = secondes" 4
.IX Item "TIMEOUTclose = secondes"
Durée d'attente du close_notify (mis à 0 pour \s-1MSIE\s0 qui est bogué)
.IP "\fBTIMEOUTidle\fR = secondes" 4
.IX Item "TIMEOUTidle = secondes"
Durée d'attente sur une connexion inactive
.IP "\fBtransparent\fR = yes | no (Unix seulement)" 4
.IX Item "transparent = yes | no (Unix seulement)"
Mode mandataire transparent
.Sp
\-écrit les adresses pour qu'elles apparaissent provenir de la
machine client \s-1SSL\s0 plutôt que de celle qui exécute \fBstunnel\fR.
Cette option n'est disponible en mode local (option \fIexec\fR) qu'avec
la bibliothèque partagée LD_PRELOADing env.so shared library et en mode
distant (option \fIconnect\fR) sur les noyaux Linux 2.2 compilés avec
l'option \fItransparent proxy\fR et seulement en mode serveur. Cette
option ne se combine pas au mode mandataire (\fIconnect\fR) sauf si la
route par défaut du client vers la cible passe par l'hôte qui fait
tourner \fBstunnel\fR, qui ne peut être localhost.
.SH "VALEUR DE RETOUR"
.IX Header "VALEUR DE RETOUR"
\&\fBstunnel\fR renvoie zéro en cas de succès, une autre valeur en cas d'erreur.
.SH "EXEMPLES"
.IX Header "EXEMPLES"
Pour encapsuler votre service \fIimapd\fR local avec \s-1SSL\s0 :
.PP
.Vb 4
\& [imapd]
\& accept = 993
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.PP
Pour tunneliser un daemon \fIpppd\fR sur le port 2020 :
.PP
.Vb 5
\& [vpn]
\& accept = 2020
\& exec = /usr/sbin/pppd
\& execargs = pppd local
\& pty = yes
.Ve
.PP
Configuration de \fIstunnel.conf\fR pour utiliser \fBstunnel\fR en mode \fIinetd\fR
qui lance imapd à son tour (il ne doit pas y avoir de section \fI[service_name]\fR) :
.PP
.Vb 2
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.SH "FICHIERS"
.IX Header "FICHIERS"
.IP "\fIstunnel.conf\fR" 4
.IX Item "stunnel.conf"
Fichier de configuration de \fBstunnel\fR
.IP "\fIstunnel.pem\fR" 4
.IX Item "stunnel.pem"
Certificat et clef privée de \fBstunnel\fR
.SH "BOGUES"
.IX Header "BOGUES"
L'option \fIexecargs\fR n'admet pas les quotes.
.SH "RESTRICTIONS"
.IX Header "RESTRICTIONS"
\&\fBstunnel\fR ne peut être utilisé pour le daemon \s-1FTP\s0 en raison de la nature
du protocole \s-1FTP\s0 qui utilise des ports multiples pour les transferts de données.
Il existe cependant des versions \s-1SSL\s0 de \s-1FTP\s0 et de telnet.
.SH "NOTES"
.IX Header "NOTES"
.SS "\s-1MODE\s0 \s-1INETD\s0"
.IX Subsection "MODE INETD"
L'utilisation la plus commune de \fBstunnel\fR consiste à écouter un port
réseau et à établir une communication, soit avec un nouveau port
avec l'option \fIconnect\fR, soit avec un programme avec l'option \fIexec\fR.
On peut parfois cependant souhaiter qu'un autre programme reçoive les
connexions entrantes et lance \fBstunnel\fR, par exemple avec \fIinetd\fR,
\&\fIxinetd\fR ou \fItcpserver\fR.
.PP
Si, par exemple, la ligne suivante se trouve dans \fIinetd.conf\fR :
.PP
.Vb 1
\& imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
.Ve
.PP
Dans ces cas, c'est le programme du genre \fIinetd\fR\-style qui est
responsable de l'établissement de la connexion (\fIimaps\fR ci-dessus) et de passer
celle-ci à \fBstunnel\fR.
Ainsi, \fBstunnel\fR ne doit alors avoir aucune option \fIaccept\fR.
Toutes les \fIoptions de niveau service\fR doivent être placées dans
la section des options globales et aucune section \fI[service_name]\fR ne doit
être présente. Voir la section \fI\s-1EXEMPLES\s0\fR pour des exemples de configurations.
.SS "\s-1CERTIFICATS\s0"
.IX Subsection "CERTIFICATS"
Chaque daemon à propriétés \s-1SSL\s0 doit présenter un certificat X.509
valide à son interlocuteur. Il a aussi besoin d'une clef privé pour
déchiffrer les données entrantes. La méthode la plus simple pour
obtenir un certificat et une clef est d'engendrer celles-ci avec
le paquetage libre \fIOpenSSL\fR. Plus d'informations sur la génération de
certificats se trouvent dans les pages indiquées plus bas.
.PP
Deux choses importantes lors de la génération de paires certificat-clef
pour \fBstunnel\fR :
.IP "\(bu" 4
la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen
d'obtenir le mot de passe de l'utilisateur ; pour produire une clef non chiffrée,
ajouter l'option \fI\-nodes\fR à la commande \fBreq\fR de \fIOpenSSL\fR ;
.IP "\(bu" 4
l'ordre du contenu du fichier \fI.pem\fR est significatif : il doit contenir d'abord
une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat).
Il doit aussi y avoir des lignes vides après le certificat et après la clef privée.
L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que
le fichier ait l'allure suivante :
.Sp
.Vb 8
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
\& [clef encodée]
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
\& [ligne vide]
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
\& [certificat encodé]
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
\& [ligne vide]
.Ve
.SS "\s-1ALEATOIRE\s0"
.IX Subsection "ALEATOIRE"
\&\fBstunnel\fR doit « saler » le générateur de pseudo\-aléatoires \s-1PRNG\s0 (pseudo random
number generator) afin que \s-1SSL\s0 utilise un aléatoire de qualité. Les sources suivantes
sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lue :
.IP "\(bu" 4
le fichier spécifié par \fIRNDfile\fR ;
.IP "\(bu" 4
le fichier spécifié par la variable d'environnement \s-1RANDFILE\s0, à défaut
le fichier .rnd du répertoire \f(CW$HOME\fR de l'utilisateur ;
.IP "\(bu" 4
le fichier spécifié par « \-\-with\-random » lors de la compilation ;
.IP "\(bu" 4
le contenu de l'écran (MS-Windows seulement) ;
.IP "\(bu" 4
le socket \s-1EGD\s0 spécifié par \fI\s-1EGD\s0\fR ;
.IP "\(bu" 4
le socket \s-1EGD\s0 spécifié par « \-\-with\-egd\-sock » lors de la compilation ;
.IP "\(bu" 4
le périphérique /dev/urandom.
.PP
Avec un OpenSSL récent (>=OpenSSL 0.9.5a) le chargement de données s'arrête
automatiquement lorsqu'un niveau d'entropie suffisant est atteint.
Les versions précédentes continuent à lire toutes les sources puisqu'aucune
fonction \s-1SSL\s0 ne leur permet de savoir que suffisamment de données sont disponibles.
.PP
Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console,
(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est
pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire
par le biais de \fIRNDfile\fR.
.PP
Le fichier spécifié par \fIRNDfile\fR doit contenir des informations aléatoires \*(--
c'est\-à\-dire des informations différentes à chaque lancement de \fBstunnel\fR.
Cela est géré automatiquement sauf si l'option \fIRNDoverwrite\fR est utilisée.
Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la
commande \fIopenssl rand\fR des versions récentes d'OpenSSL sera sans doute utile.
.PP
Note importante : si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser
celui-ci pour « saler » le \s-1PRNG\s0 même lorsqu'il contrôle l'état de l'aléatoire ;
ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable
qu'il soit utilisé s'il est présent.
Ce n'est pas le comportement de \fBstunnel\fR, c'est celui d'OpenSSL.
.SH "VOIR AUSSI"
.IX Header "VOIR AUSSI"
.IP "\fItcpd\fR\|(8)" 4
.IX Item "tcpd"
Service de contrôle d'accès pour les services internet
.IP "\fIinetd\fR\|(8)" 4
.IX Item "inetd"
« super-serveur » internet
.IP "\fIhttp://www.stunnel.org/\fR" 4
.IX Item "http://www.stunnel.org/"
Page de référence de \fBstunnel\fR
.IP "\fIhttp://www.openssl.org/\fR" 4
.IX Item "http://www.openssl.org/"
Site web du projet OpenSSL
.SH "AUTEUR"
.IX Header "AUTEUR"
.IP "Michał Trojnara" 4
.IX Item "Michał Trojnara"
<\fIMichal.Trojnara@mirt.net\fR>
.SH "ADAPTATION FRANÇAISE"
.IX Header "ADAPTATION FRANÇAISE"
.IP "Bernard Choppy" 4
.IX Item "Bernard Choppy"
<\fIchoppy \s-1AT\s0 free \s-1POINT\s0 fr\fR>

670
doc/stunnel.fr.html Normal file
View File

@ -0,0 +1,670 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>stunnel.8</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:root@localhost" />
</head>
<body style="background-color: white">
<!-- INDEX BEGIN -->
<div name="index">
<p><a name="__index__"></a></p>
<!--
<ul>
<li><a href="#nom">NOM</a></li>
<li><a href="#synopsis">SYNOPSIS</a></li>
<li><a href="#description">DESCRIPTION</a></li>
<li><a href="#options">OPTIONS</a></li>
<li><a href="#fichier_de_configuration">FICHIER DE CONFIGURATION</a></li>
<ul>
<li><a href="#options_globales">OPTIONS GLOBALES</a></li>
<li><a href="#options_de_service">OPTIONS DE SERVICE</a></li>
</ul>
<li><a href="#valeur_de_retour">VALEUR DE RETOUR</a></li>
<li><a href="#exemples">EXEMPLES</a></li>
<li><a href="#fichiers">FICHIERS</a></li>
<li><a href="#bogues">BOGUES</a></li>
<li><a href="#restrictions">RESTRICTIONS</a></li>
<li><a href="#notes">NOTES</a></li>
<ul>
<li><a href="#mode_inetd">MODE INETD</a></li>
<li><a href="#certificats">CERTIFICATS</a></li>
<li><a href="#aleatoire">ALEATOIRE</a></li>
</ul>
<li><a href="#voir_aussi">VOIR AUSSI</a></li>
<li><a href="#auteur">AUTEUR</a></li>
<li><a href="#adaptation_fran__aise">ADAPTATION FRANÇAISE</a></li>
</ul>
-->
</div>
<!-- INDEX END -->
<p>
</p>
<h1><a name="nom">NOM</a></h1>
<p>stunnel - tunnel SSL universel</p>
<p>
</p>
<hr />
<h1><a name="synopsis">SYNOPSIS</a></h1>
<dl>
<dt><strong><a name="unix" class="item"><strong>Unix:</strong></a></strong></dt>
<dd>
<p><strong>stunnel</strong> [fichier] | -fd&nbsp;[n] | -help | -version | -sockets</p>
</dd>
<dt><strong><a name="win32" class="item"><strong>WIN32:</strong></a></strong></dt>
<dd>
<p><strong>stunnel</strong> [fichier] | -install | -uninstall | -help | -version | -sockets</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="description">DESCRIPTION</a></h1>
<p>Le programme <strong>stunnel</strong> est conçu pour fonctionner comme une couche
de chiffrement <em>SSL</em> entre des clients distants et des serveurs locaux
(<em>inetd</em>-démarrables) ou distants. Le concept est qu'à partir de daemons
non-SSL présents sur le système, on peut facilement les configurer pour
communiquer avec des clients sur des liens sécurisés SSL.</p>
<p><strong>stunnel</strong> peut être utilisé pour ajouter des fonctionnalités SSL à des
daemons classiques <em>Inetd</em> tels que les serveurs POP-2, POP-3 et IMAP,
à d'autres autonomes tels que NNTP, SMTP et HTTP, ainsi que pour tunneliser
PPP sur des sockets réseau sans modification du code source.</p>
<p>Ce produit inclut du code de chiffrement écrit par
Eric Young (<a href="mailto:eay@cryptsoft.com">eay@cryptsoft.com</a>)</p>
<p>
</p>
<hr />
<h1><a name="options">OPTIONS</a></h1>
<dl>
<dt><strong><a name="fichier" class="item"><strong>[fichier]</strong></a></strong></dt>
<dd>
<p>Utilisation du fichier de configuration spécifié.</p>
</dd>
<dt><strong><a name="fd_n_unix_seulement" class="item"><strong>-fd [n]</strong> (Unix seulement)</a></strong></dt>
<dd>
<p>Lecture du fichier de configuration depuis le descripteur de
fichier indiqué.</p>
</dd>
<dt><strong><a name="help" class="item"><strong>-help</strong></a></strong></dt>
<dd>
<p>Affiche le menu d'aide de <strong>stunnel</strong>.</p>
</dd>
<dt><strong><a name="version" class="item"><strong>-version</strong></a></strong></dt>
<dd>
<p>Affiche la version de <strong>stunnel</strong> et les options de compilation.</p>
</dd>
<dt><strong><a name="sockets" class="item"><strong>-sockets</strong></a></strong></dt>
<dd>
<p>Affiche les options socket par défaut.</p>
</dd>
<dt><strong><a name="install" class="item"><strong>-install</strong> (NT/2000/XP seulement)</a></strong></dt>
<dd>
<p>Installe un service NT.</p>
</dd>
<dt><strong><a name="uninstall" class="item"><strong>-uninstall</strong> (NT/2000/XP only)</a></strong></dt>
<dd>
<p>Désinstalle un service NT.</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="fichier_de_configuration">FICHIER DE CONFIGURATION</a></h1>
<p>Chaque ligne du fichier de configuration peut être soit&nbsp;:</p>
<ul>
<li>
<p>une ligne vide (ignorée)&nbsp;;</p>
</li>
<li>
<p>un commentaire commençant par «&nbsp;#&nbsp;» (ignoré)&nbsp;;</p>
</li>
<li>
<p>une paire «&nbsp;option = valeur&nbsp;»&nbsp;;</p>
</li>
<li>
<p>«&nbsp;[service_name]&nbsp;» indiquant le début de la définition d'un service&nbsp;;</p>
</li>
</ul>
<p>
</p>
<h2><a name="options_globales">OPTIONS GLOBALES</a></h2>
<dl>
<dt><strong><a name="capath_r_pertoire" class="item"><strong>CApath</strong> = répertoire</a></strong></dt>
<dd>
<p>Répertoire des autorités de certification (CA)</p>
<p>C'est le répertoire dans lequel <strong>stunnel</strong> cherche les certificats si
l'on utilise <em>verify</em>. Les certificats doivent être dénommés selon la
forme XXXXXXXX.0, où XXXXXXXX est la valeur de hachage du certificat.</p>
<p>Le cas échéant, le répertoire <em>CApath</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<dt><strong><a name="cafile_fichier" class="item"><strong>CAfile</strong> = fichier</a></strong></dt>
<dd>
<p>Fichier d'autorités de certification</p>
<p>Ce fichier, utilisé avec <em>verify</em>, contient plusieurs certificats de CA.</p>
</dd>
<dt><strong><a name="cert_fichier" class="item"><strong>cert</strong> = fichier</a></strong></dt>
<dd>
<p>Fichier de chaîne de certificats PEM</p>
<p>Une PEM est toujours nécessaire en mode serveur.
En mode client, cette option utilise cette PEM comme une chaîne côté client.
L'utilisation de certificats côté client est optionnelle. Les certificats
doivent être au format PEM et triés par ordre de niveau décroissant (CA racine
en premier).</p>
</dd>
<dt><strong><a name="pertoire" class="item"><strong>chroot</strong> = répertoire (Unix seulement)</a></strong></dt>
<dd>
<p>Répertoire de chroot du processus <strong>stunnel</strong></p>
<p><strong>chroot</strong> enferme <strong>stunnel</strong> dans une cellule chroot. <em>CApath</em>, <em>CRLpath</em>, <em>pid</em>
et <em>exec</em> sont situés à l'intérieur de la cellule et les répertoires doivent être
relatifs au répertoire correspondant.</p>
<p>Pour que le contrôle de libwrap (wrappeur TCP) soit effectif dans un environnement
chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et
/etc/hosts.deny).</p>
</dd>
<dt><strong><a name="ciphers_listes_de_chiffre" class="item"><strong>ciphers</strong> = listes de chiffre</a></strong></dt>
<dd>
<p>Sélection des chiffres SSL autorisés</p>
<p>Liste délimitée par deux-points («&nbsp;:&nbsp;») des chiffres autorisés pour la connexion SSL.
Exemple&nbsp;: DES-CBC3-SHA:IDEA-CBC-MD5</p>
</dd>
<dt><strong><a name="client_yes_no" class="item"><strong>client</strong> = yes | no</a></strong></dt>
<dd>
<p>Mode client (Le service distant utilise SSL)</p>
<p>Par défaut&nbsp;: no (mode server)</p>
</dd>
<dt><strong><a name="crlpath_r_pertoire" class="item"><strong>CRLpath</strong> = répertoire</a></strong></dt>
<dd>
<p>Répertoire des listes de révocation de certificats (CRL)</p>
<p>C'est le répertoire dans lequel <strong>stunnel</strong> recherche les CRL avec
l'option <em>verify</em>. Les CRL doivent être dénommés selon la
forme XXXXXXXX.0 où XXXXXXXX est la valeur de hachage de la CRL.</p>
<p>Le cas échéant, le répertoire <em>CRLpath</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<dt><strong><a name="crlfile_fichier" class="item"><strong>CRLfile</strong> = fichier</a></strong></dt>
<dd>
<p>Fichier de listes de révocation de certificats (CRL)</p>
<p>Ce fichier, utilisé avec <em>verify</em>, contient plusieurs CRL.</p>
</dd>
<dt><strong><a name="debug_facilit_niveau" class="item"><strong>debug</strong> = [facilité.]niveau</a></strong></dt>
<dd>
<p>niveau de déverminage</p>
<p>Le niveau est un nom ou un numéro conforme à ceux de syslog&nbsp;:
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux
numériquement inférieurs seront affichées. <strong>debug = debug</strong> ou
<strong>debug = 7</strong> donneront le maximum d'informations. La valeur par défaut
est notice (5).</p>
<p>La facilité syslog «&nbsp;daemon&nbsp;» est utilisée, sauf si un autre nom est spécifié
(Win32 ne permet pas l'usage des facilités.)</p>
<p>La casse est ignorée, aussi bien pour la facilité que pour le niveau.</p>
</dd>
<dt><strong><a name="chemin" class="item"><strong>EGD</strong> = chemin (Unix seulement)</a></strong></dt>
<dd>
<p>Emplacement du socket du daemon de recueil d'entropie (EGD - Entropy Gathering Daemon)</p>
<p>Socket EGD à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible
seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur).</p>
</dd>
<dt><strong><a name="no" class="item"><strong>foreground</strong> = yes | no (Unix seulement)</a></strong></dt>
<dd>
<p>Mode avant-plan</p>
<p>Reste en avant-plan (sans fork) et dirige la trace sur stderr
au lieu de syslog (sauf si <strong>output</strong> est spécifié).</p>
<p>Par défault&nbsp;: arrière-plan en mode daemon.</p>
</dd>
<dt><strong><a name="key_fichier" class="item"><strong>key</strong> = fichier</a></strong></dt>
<dd>
<p>Fichier de clef privée pour le certificat spécifié par <em>cert</em></p>
<p>La clef privée est nécessaire pour authentifier le titulaire du
certificat.
Puisque ce fichier doit rester secret, il ne doit être lisible que
par son propriétaire. Sur les systèmes Unix, on peut utiliser la
commande suivante&nbsp;:</p>
<pre>
chmod 600 fichier</pre>
<p>Par défault&nbsp;: Valeur de <em>cert</em></p>
</dd>
<dt><strong><a name="options_options_ssl" class="item"><strong>options</strong> = Options_SSL</a></strong></dt>
<dd>
<p>Options de la bibliothèque OpenSSL</p>
<p>Le paramètre est l'option OpenSSL décrite dans la page de man
<em>SSL_CTX_set_options(3ssl)</em>, débarassée du préfixe <em>SSL_OP_</em>.
Plusieurs <em>options</em> peuvent être spécifiées.</p>
<p>Par exemple, pour la compatibilité avec l'implantation SSL défaillante
d'Eudora, on peut utiliser&nbsp;:</p>
<pre>
options = DONT_INSERT_EMPTY_FRAGMENTS</pre>
</dd>
<dt><strong><a name="output_fichier" class="item"><strong>output</strong> = fichier</a></strong></dt>
<dd>
<p>Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.</p>
<p>/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard
(par exemple pour les traiter avec les outils splogger).</p>
</dd>
<dt><strong><strong>pid</strong> = fichier (Unix seulement)</strong></dt>
<dd>
<p>Emplacement du fichier pid</p>
<p>Si l'argument est vide, aucun fichier ne sera créé.</p>
<p>Le cas échéant, le chemin <em>pid</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<dt><strong><a name="rndbytes_nombre" class="item"><strong>RNDbytes</strong> = nombre</a></strong></dt>
<dd>
<p>Nombre d'octets à lire depuis les fichiers de «&nbsp;sel&nbsp;» aléatoire</p>
<p>Avec les SSL de version inférieure à 0.9.5a, détermine aussi le nombre
d'octets considérés comme suffisants pour «&nbsp;saler&nbsp;» le PRNG. Les versions plus
récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire
est suffisant.</p>
</dd>
<dt><strong><a name="rndfile_fichier" class="item"><strong>RNDfile</strong> = fichier</a></strong></dt>
<dd>
<p>chemin du fichier de données de «&nbsp;sel&nbsp;» aléatoire</p>
<p>La bibliothèque SSL utilise prioritairement les données de ce fichier pour
«&nbsp;saler&nbsp;» le générateur d'aléatoire.</p>
</dd>
<dt><strong><a name="rndoverwrite_yes_no" class="item"><strong>RNDoverwrite</strong> = yes | no</a></strong></dt>
<dd>
<p>Recouvre les fichiers de «&nbsp;sel&nbsp;» avec de nouvelles données aléatoires.</p>
<p>Par défaut&nbsp;: yes</p>
</dd>
<dt><strong><a name="service_nom" class="item"><strong>service</strong> = nom</a></strong></dt>
<dd>
<p>Définit le nom de service à utiliser</p>
<p><strong>Sous Unix&nbsp;:</strong> nom de service du mode <em>inetd</em> pour la bibliothèque TCP Wrapper.</p>
<p>Par défaut&nbsp;: stunnel</p>
</dd>
<dt><strong><a name="session_timeout" class="item"><strong>session</strong> = timeout</a></strong></dt>
<dd>
<p>Timeout du cache de session</p>
</dd>
<dt><strong><a name="nom" class="item"><strong>setgid</strong> = nom (Unix seulement)</a></strong></dt>
<dd>
<p>Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)</p>
</dd>
<dt><strong><strong>setuid</strong> = nom (Unix seulement)</strong></dt>
<dd>
<p>Nom d'utilisateur utilisé en mode daemon</p>
</dd>
<dt><strong><a name="socket_a_l_r_option_valeur_valeur" class="item"><strong>socket</strong> = a|l|r:option=valeur[:valeur]</a></strong></dt>
<dd>
<p>Configure une option de socket accept (a), locale (l) ou distante (r)</p>
<p>Les valeurs de l'option linger sont&nbsp;: l_onof:l_linger.
Les valeurs de l'option time sont&nbsp;: tv_sec:tv_usec.</p>
<p>Exemples&nbsp;:</p>
<pre>
socket = l:SO_LINGER=1:60
définit un délai d'une minute pour la clôture des sockets locaux
socket = r:SO_OOBINLINE=yes
Place directement les données hors-bande dans le flux de réception
des sockets distants
socket = a:SO_REUSEADDR=no
désactive la réutilisation d'adresses (activée par défaut)
socket = a:SO_BINDTODEVICE=lo
limite l'acceptation des connexions sur la seule interface de bouclage</pre>
</dd>
<dt><strong><strong>taskbar</strong> = yes | no (WIN32 seulement)</strong></dt>
<dd>
<p>active l'icône de la barre de tâches</p>
<p>Par défaut&nbsp;: yes</p>
</dd>
<dt><strong><a name="verify_niveau" class="item"><strong>verify</strong> = niveau</a></strong></dt>
<dd>
<p>Vérifie le certificat du correspondant</p>
<pre>
niveau 1 - vérifie le certificat s'il est présent
niveau 2 - vérifie le certificat
niveau 3 - contrôle le correspondant avec le certificat local</pre>
<p>Par défaut - pas de vérification</p>
</dd>
</dl>
<p>
</p>
<h2><a name="options_de_service">OPTIONS DE SERVICE</a></h2>
<p>Chaque section de configuration commence par le nom du service entre crochets.
Celui-ci est utilisé par le contrôle d'accès de libwrap (TCP Wrappers) et sert
à distinguer les services <strong>stunnel</strong> dans les fichiers de traces.</p>
<p>Si l'on souhaite utiliser <strong>stunnel</strong> en mode <em>inetd</em> (lorsqu'un socket lui est
fourni par un serveur comme <em>inetd</em>, <em>xinetd</em> ou <em>tcpserver</em>), il faut se
reporter à la section <em>MODE INETD</em> plus bas.</p>
<dl>
<dt><strong><a name="accept_h_te_port" class="item"><strong>accept</strong> = [hôte:]port</a></strong></dt>
<dd>
<p>Accepte des connexions sur le port spécifié</p>
<p>Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses IP de
la machine locale.</p>
</dd>
<dt><strong><a name="connect_h_te_port" class="item"><strong>connect</strong> = [hôte:]port</a></strong></dt>
<dd>
<p>Se connecte au port distant indiqué</p>
<p>Par défaut, l'hôte est localhost.</p>
</dd>
<dt><strong><a name="delay_yes_no" class="item"><strong>delay</strong> = yes | no</a></strong></dt>
<dd>
<p>Retarde la recherche DNS pour l'option «&nbsp;connect&nbsp;»</p>
</dd>
<dt><strong><a name="cutable" class="item"><strong>exec</strong> = chemin_exécutable (Unix seulement)</a></strong></dt>
<dd>
<p>Exécute un programme local de type inetd</p>
<p>Le cas échéant, le chemin <em>exec</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<dt><strong><a name="execargs_0_1_2_unix_seulement" class="item"><strong>execargs</strong> = $0 $1 $2 ... (Unix seulement)</a></strong></dt>
<dd>
<p>Arguments pour <em>exec</em>, y compris le nom du programme ($0)</p>
<p>Les quotes ne peuvent actuellement pas être utilisées.
Les arguments sont séparés par un nombre quelconque d'espaces.</p>
</dd>
<dt><strong><a name="ident_nom" class="item"><strong>ident</strong> = nom</a></strong></dt>
<dd>
<p>Applique le contrôle d'identité d'utilisateur IDENT (<a href="http://www.ietf.org/rfc/rfc1413.txt" class="rfc">RFC 1413</a>)</p>
</dd>
<dt><strong><a name="local_h_te" class="item"><strong>local</strong> = hôte</a></strong></dt>
<dd>
<p>Adresse IP de l'interface de sortie utilisée pour les connexions distantes.
Cette option permet de relier une adresse statique locale.</p>
</dd>
<dt><strong><a name="protocol_protocole" class="item"><strong>protocol</strong> = protocole</a></strong></dt>
<dd>
<p>Négocie avec SSL selon le protocole indiqué</p>
<p>Actuellement gérés&nbsp;: cifs, nntp, pop3, smtp</p>
</dd>
<dt><strong><strong>pty</strong> = yes | no (Unix seulement)</strong></dt>
<dd>
<p>Alloue un pseudo-terminal pour l'option «&nbsp;exec&nbsp;»</p>
</dd>
<dt><strong><a name="timeoutbusy_secondes" class="item"><strong>TIMEOUTbusy</strong> = secondes</a></strong></dt>
<dd>
<p>Durée d'attente de données</p>
</dd>
<dt><strong><a name="timeoutclose_secondes" class="item"><strong>TIMEOUTclose</strong> = secondes</a></strong></dt>
<dd>
<p>Durée d'attente du close_notify (mis à 0 pour MSIE qui est bogué)</p>
</dd>
<dt><strong><a name="timeoutidle_secondes" class="item"><strong>TIMEOUTidle</strong> = secondes</a></strong></dt>
<dd>
<p>Durée d'attente sur une connexion inactive</p>
</dd>
<dt><strong><strong>transparent</strong> = yes | no (Unix seulement)</strong></dt>
<dd>
<p>Mode mandataire transparent</p>
<p>Ré-écrit les adresses pour qu'elles apparaissent provenir de la
machine client SSL plutôt que de celle qui exécute <strong>stunnel</strong>.
Cette option n'est disponible en mode local (option <em>exec</em>) qu'avec
la bibliothèque partagée LD_PRELOADing env.so shared library et en mode
distant (option <em>connect</em>) sur les noyaux Linux 2.2 compilés avec
l'option <em>transparent proxy</em> et seulement en mode serveur. Cette
option ne se combine pas au mode mandataire (<em>connect</em>) sauf si la
route par défaut du client vers la cible passe par l'hôte qui fait
tourner <strong>stunnel</strong>, qui ne peut être localhost.</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="valeur_de_retour">VALEUR DE RETOUR</a></h1>
<p><strong>stunnel</strong> renvoie zéro en cas de succès, une autre valeur en cas d'erreur.</p>
<p>
</p>
<hr />
<h1><a name="exemples">EXEMPLES</a></h1>
<p>Pour encapsuler votre service <em>imapd</em> local avec SSL&nbsp;:</p>
<pre>
[imapd]
accept = 993
exec = /usr/sbin/imapd
execargs = imapd</pre>
<p>Pour tunneliser un daemon <em>pppd</em> sur le port 2020&nbsp;:</p>
<pre>
[vpn]
accept = 2020
exec = /usr/sbin/pppd
execargs = pppd local
pty = yes</pre>
<p>Configuration de <em>stunnel.conf</em> pour utiliser <strong>stunnel</strong> en mode <em>inetd</em>
qui lance imapd à son tour (il ne doit pas y avoir de section <em>[service_name]</em>)&nbsp;:</p>
<pre>
exec = /usr/sbin/imapd
execargs = imapd</pre>
<p>
</p>
<hr />
<h1><a name="fichiers">FICHIERS</a></h1>
<dl>
<dt><strong><a name="stunnel_conf" class="item"><em class="file">stunnel.conf</em></a></strong></dt>
<dd>
<p>Fichier de configuration de <strong>stunnel</strong></p>
</dd>
<dt><strong><a name="stunnel_pem" class="item"><em class="file">stunnel.pem</em></a></strong></dt>
<dd>
<p>Certificat et clef privée de <strong>stunnel</strong></p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="bogues">BOGUES</a></h1>
<p>L'option <em>execargs</em> n'admet pas les quotes.</p>
<p>
</p>
<hr />
<h1><a name="restrictions">RESTRICTIONS</a></h1>
<p><strong>stunnel</strong> ne peut être utilisé pour le daemon FTP en raison de la nature
du protocole FTP qui utilise des ports multiples pour les transferts de données.
Il existe cependant des versions SSL de FTP et de telnet.</p>
<p>
</p>
<hr />
<h1><a name="notes">NOTES</a></h1>
<p>
</p>
<h2><a name="mode_inetd">MODE INETD</a></h2>
<p>L'utilisation la plus commune de <strong>stunnel</strong> consiste à écouter un port
réseau et à établir une communication, soit avec un nouveau port
avec l'option <em>connect</em>, soit avec un programme avec l'option <em>exec</em>.
On peut parfois cependant souhaiter qu'un autre programme reçoive les
connexions entrantes et lance <strong>stunnel</strong>, par exemple avec <em>inetd</em>,
<em>xinetd</em> ou <em>tcpserver</em>.</p>
<p>Si, par exemple, la ligne suivante se trouve dans <em>inetd.conf</em>&nbsp;:</p>
<pre>
imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf</pre>
<p>Dans ces cas, c'est le programme du genre <em>inetd</em>-style qui est
responsable de l'établissement de la connexion (<em>imaps</em> ci-dessus) et de passer
celle-ci à <strong>stunnel</strong>.
Ainsi, <strong>stunnel</strong> ne doit alors avoir aucune option <em>accept</em>.
Toutes les <em>options de niveau service</em> doivent être placées dans
la section des options globales et aucune section <em>[service_name]</em> ne doit
être présente. Voir la section <em>EXEMPLES</em> pour des exemples de configurations.</p>
<p>
</p>
<h2><a name="certificats">CERTIFICATS</a></h2>
<p>Chaque daemon à propriétés SSL doit présenter un certificat X.509
valide à son interlocuteur. Il a aussi besoin d'une clef privé pour
déchiffrer les données entrantes. La méthode la plus simple pour
obtenir un certificat et une clef est d'engendrer celles-ci avec
le paquetage libre <em>OpenSSL</em>. Plus d'informations sur la génération de
certificats se trouvent dans les pages indiquées plus bas.</p>
<p>Deux choses importantes lors de la génération de paires certificat-clef
pour <strong>stunnel</strong>&nbsp;:</p>
<ul>
<li>
<p>la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen
d'obtenir le mot de passe de l'utilisateur&nbsp;; pour produire une clef non chiffrée,
ajouter l'option <em>-nodes</em> à la commande <strong>req</strong> de <em>OpenSSL</em>&nbsp;;</p>
</li>
<li>
<p>l'ordre du contenu du fichier <em>.pem</em> est significatif&nbsp;: il doit contenir d'abord
une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat).
Il doit aussi y avoir des lignes vides après le certificat et après la clef privée.
L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que
le fichier ait l'allure suivante&nbsp;:</p>
<pre>
-----BEGIN RSA PRIVATE KEY-----
[clef encodée]
-----END RSA PRIVATE KEY-----
[ligne vide]
-----BEGIN CERTIFICATE-----
[certificat encodé]
-----END CERTIFICATE-----
[ligne vide]</pre>
</li>
</ul>
<p>
</p>
<h2><a name="aleatoire">ALEATOIRE</a></h2>
<p><strong>stunnel</strong> doit «&nbsp;saler&nbsp;» le générateur de pseudo-aléatoires PRNG (pseudo random
number generator) afin que SSL utilise un aléatoire de qualité. Les sources suivantes
sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lue&nbsp;:</p>
<ul>
<li>
<p>le fichier spécifié par <em>RNDfile</em>&nbsp;;</p>
</li>
<li>
<p>le fichier spécifié par la variable d'environnement RANDFILE, à défaut
le fichier .rnd du répertoire $HOME de l'utilisateur&nbsp;;</p>
</li>
<li>
<p>le fichier spécifié par «&nbsp;--with-random&nbsp;» lors de la compilation&nbsp;;</p>
</li>
<li>
<p>le contenu de l'écran (MS-Windows seulement)&nbsp;;</p>
</li>
<li>
<p>le socket EGD spécifié par <em>EGD</em>&nbsp;;</p>
</li>
<li>
<p>le socket EGD spécifié par «&nbsp;--with-egd-sock&nbsp;» lors de la compilation&nbsp;;</p>
</li>
<li>
<p>le périphérique /dev/urandom.</p>
</li>
</ul>
<p>Avec un OpenSSL récent (&gt;=OpenSSL 0.9.5a) le chargement de données s'arrête
automatiquement lorsqu'un niveau d'entropie suffisant est atteint.
Les versions précédentes continuent à lire toutes les sources puisqu'aucune
fonction SSL ne leur permet de savoir que suffisamment de données sont disponibles.</p>
<p>Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console,
(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est
pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire
par le biais de <em>RNDfile</em>.</p>
<p>Le fichier spécifié par <em>RNDfile</em> doit contenir des informations aléatoires --
c'est-à-dire des informations différentes à chaque lancement de <strong>stunnel</strong>.
Cela est géré automatiquement sauf si l'option <em>RNDoverwrite</em> est utilisée.
Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la
commande <em>openssl rand</em> des versions récentes d'OpenSSL sera sans doute utile.</p>
<p>Note importante&nbsp;: si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser
celui-ci pour «&nbsp;saler&nbsp;» le PRNG même lorsqu'il contrôle l'état de l'aléatoire&nbsp;;
ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable
qu'il soit utilisé s'il est présent.
Ce n'est pas le comportement de <strong>stunnel</strong>, c'est celui d'OpenSSL.</p>
<p>
</p>
<hr />
<h1><a name="voir_aussi">VOIR AUSSI</a></h1>
<dl>
<dt><strong><a name="tcpd" class="item"><a href="#tcpd">tcpd(8)</a></a></strong></dt>
<dd>
<p>Service de contrôle d'accès pour les services internet</p>
</dd>
<dt><strong><a name="inetd" class="item"><a href="#inetd">inetd(8)</a></a></strong></dt>
<dd>
<p>«&nbsp;super-serveur&nbsp;» internet</p>
</dd>
<dt><strong><a name="http_www_stunnel_org" class="item"><em class="file"><a href="http://www.stunnel.org/">http://www.stunnel.org/</a></em></a></strong></dt>
<dd>
<p>Page de référence de <strong>stunnel</strong></p>
</dd>
<dt><strong><a name="http_www_openssl_org" class="item"><em class="file"><a href="http://www.openssl.org/">http://www.openssl.org/</a></em></a></strong></dt>
<dd>
<p>Site web du projet OpenSSL</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="auteur">AUTEUR</a></h1>
<dl>
<dt><strong><a name="micha_trojnara" class="item">Michał Trojnara</a></strong></dt>
<dd>
<p>&lt;<em class="file"><a href="mailto:Michal.Trojnara@mirt.net">Michal.Trojnara@mirt.net</a></em>&gt;</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="adaptation_fran__aise">ADAPTATION FRANÇAISE</a></h1>
<dl>
<dt><strong><a name="bernard_choppy" class="item">Bernard Choppy</a></strong></dt>
<dd>
<p>&lt;<em class="file">choppy AT free POINT fr</em>&gt;</p>
</dd>
</dl>
</body>
</html>

636
doc/stunnel.fr.pod Normal file
View File

@ -0,0 +1,636 @@
=head1 NOM
=encoding utf8
stunnel - tunnel SSL universel
=head1 SYNOPSIS
=over 4
=item B<Unix:>
B<stunnel> S<[fichier]> | S<-fd [n]> | S<-help> | S<-version> | S<-sockets>
=item B<WIN32:>
B<stunnel> S<[fichier]> | S<-install> | S<-uninstall> | S<-help> | S<-version> | S<-sockets>
=back
=head1 DESCRIPTION
Le programme B<stunnel> est conçu pour fonctionner comme une couche
de chiffrement I<SSL> entre des clients distants et des serveurs locaux
(I<inetd>-démarrables) ou distants. Le concept est qu'à partir de daemons
non-SSL présents sur le système, on peut facilement les configurer pour
communiquer avec des clients sur des liens sécurisés SSL.
B<stunnel> peut être utilisé pour ajouter des fonctionnalités SSL à des
daemons classiques I<Inetd> tels que les serveurs POP-2, POP-3 et IMAP,
à d'autres autonomes tels que NNTP, SMTP et HTTP, ainsi que pour tunneliser
PPP sur des sockets réseau sans modification du code source.
Ce produit inclut du code de chiffrement écrit par
Eric Young (eay@cryptsoft.com)
=head1 OPTIONS
=over 4
=item B<[fichier]>
Utilisation du fichier de configuration spécifié.
=item B<-fd [n]> (Unix seulement)
Lecture du fichier de configuration depuis le descripteur de
fichier indiqué.
=item B<-help>
Affiche le menu d'aide de B<stunnel>.
=item B<-version>
Affiche la version de B<stunnel> et les options de compilation.
=item B<-sockets>
Affiche les options socket par défaut.
=item B<-install> (NT/2000/XP seulement)
Installe un service NT.
=item B<-uninstall> (NT/2000/XP only)
Désinstalle un service NT.
=back
=head1 FICHIER DE CONFIGURATION
Chaque ligne du fichier de configuration peut être soitE<nbsp>:
=over 4
=item *
une ligne vide (ignorée)E<nbsp>;
=item *
un commentaire commençant par «E<nbsp>#E<nbsp>» (ignoré)E<nbsp>;
=item *
une paire «E<nbsp>option = valeurE<nbsp>»E<nbsp>;
=item *
«E<nbsp>[service_name]E<nbsp>» indiquant le début de la définition d'un serviceE<nbsp>;
=back
=head2 OPTIONS GLOBALES
=over 4
=item B<CApath> = répertoire
Répertoire des autorités de certification (CA)
C'est le répertoire dans lequel B<stunnel> cherche les certificats si
l'on utilise I<verify>. Les certificats doivent être dénommés selon la
forme XXXXXXXX.0, où XXXXXXXX est la valeur de hachage du certificat.
Le cas échéant, le répertoire I<CApath> est relatif au répertoire I<chroot>.
=item B<CAfile> = fichier
Fichier d'autorités de certification
Ce fichier, utilisé avec I<verify>, contient plusieurs certificats de CA.
=item B<cert> = fichier
Fichier de chaîne de certificats PEM
Une PEM est toujours nécessaire en mode serveur.
En mode client, cette option utilise cette PEM comme une chaîne côté client.
L'utilisation de certificats côté client est optionnelle. Les certificats
doivent être au format PEM et triés par ordre de niveau décroissant (CA racine
en premier).
=item B<chroot> = répertoire (Unix seulement)
Répertoire de chroot du processus B<stunnel>
B<chroot> enferme B<stunnel> dans une cellule chroot. I<CApath>, I<CRLpath>, I<pid>
et I<exec> sont situés à l'intérieur de la cellule et les répertoires doivent être
relatifs au répertoire correspondant.
Pour que le contrôle de libwrap (wrappeur TCP) soit effectif dans un environnement
chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et
/etc/hosts.deny).
=item B<ciphers> = listes de chiffre
Sélection des chiffres SSL autorisés
Liste délimitée par deux-points («E<nbsp>:E<nbsp>») des chiffres autorisés pour la connexion SSL.
ExempleE<nbsp>: DES-CBC3-SHA:IDEA-CBC-MD5
=item B<client> = yes | no
Mode client (Le service distant utilise SSL)
Par défautE<nbsp>: no (mode server)
=item B<CRLpath> = répertoire
Répertoire des listes de révocation de certificats (CRL)
C'est le répertoire dans lequel B<stunnel> recherche les CRL avec
l'option I<verify>. Les CRL doivent être dénommés selon la
forme XXXXXXXX.0 où XXXXXXXX est la valeur de hachage de la CRL.
Le cas échéant, le répertoire I<CRLpath> est relatif au répertoire I<chroot>.
=item B<CRLfile> = fichier
Fichier de listes de révocation de certificats (CRL)
Ce fichier, utilisé avec I<verify>, contient plusieurs CRL.
=item B<debug> = [facilité.]niveau
niveau de déverminage
Le niveau est un nom ou un numéro conforme à ceux de syslogE<nbsp>:
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux
numériquement inférieurs seront affichées. B<debug = debug> ou
B<debug = 7> donneront le maximum d'informations. La valeur par défaut
est notice (5).
La facilité syslog «E<nbsp>daemonE<nbsp>» est utilisée, sauf si un autre nom est spécifié
(Win32 ne permet pas l'usage des facilités.)
La casse est ignorée, aussi bien pour la facilité que pour le niveau.
=item B<EGD> = chemin (Unix seulement)
Emplacement du socket du daemon de recueil d'entropie (EGD - Entropy Gathering Daemon)
Socket EGD à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible
seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur).
=item B<foreground> = yes | no (Unix seulement)
Mode avant-plan
Reste en avant-plan (sans fork) et dirige la trace sur stderr
au lieu de syslog (sauf si B<output> est spécifié).
Par défaultE<nbsp>: arrière-plan en mode daemon.
=item B<key> = fichier
Fichier de clef privée pour le certificat spécifié par I<cert>
La clef privée est nécessaire pour authentifier le titulaire du
certificat.
Puisque ce fichier doit rester secret, il ne doit être lisible que
par son propriétaire. Sur les systèmes Unix, on peut utiliser la
commande suivanteE<nbsp>:
chmod 600 fichier
Par défaultE<nbsp>: Valeur de I<cert>
=item B<options> = Options_SSL
Options de la bibliothèque OpenSSL
Le paramètre est l'option OpenSSL décrite dans la page de man
I<SSL_CTX_set_options(3ssl)>, débarassée du préfixe I<SSL_OP_>.
Plusieurs I<options> peuvent être spécifiées.
Par exemple, pour la compatibilité avec l'implantation SSL défaillante
d'Eudora, on peut utiliserE<nbsp>:
options = DONT_INSERT_EMPTY_FRAGMENTS
=item B<output> = fichier
Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.
/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard
(par exemple pour les traiter avec les outils splogger).
=item B<pid> = fichier (Unix seulement)
Emplacement du fichier pid
Si l'argument est vide, aucun fichier ne sera créé.
Le cas échéant, le chemin I<pid> est relatif au répertoire I<chroot>.
=item B<RNDbytes> = nombre
Nombre d'octets à lire depuis les fichiers de «E<nbsp>selE<nbsp>» aléatoire
Avec les SSL de version inférieure à 0.9.5a, détermine aussi le nombre
d'octets considérés comme suffisants pour «E<nbsp>salerE<nbsp>» le PRNG. Les versions plus
récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire
est suffisant.
=item B<RNDfile> = fichier
chemin du fichier de données de «E<nbsp>selE<nbsp>» aléatoire
La bibliothèque SSL utilise prioritairement les données de ce fichier pour
«E<nbsp>salerE<nbsp>» le générateur d'aléatoire.
=item B<RNDoverwrite> = yes | no
Recouvre les fichiers de «E<nbsp>selE<nbsp>» avec de nouvelles données aléatoires.
Par défautE<nbsp>: yes
=item B<service> = nom
Définit le nom de service à utiliser
B<Sous UnixE<nbsp>:> nom de service du mode I<inetd> pour la bibliothèque TCP Wrapper.
Par défautE<nbsp>: stunnel
=item B<session> = timeout
Timeout du cache de session
=item B<setgid> = nom (Unix seulement)
Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)
=item B<setuid> = nom (Unix seulement)
Nom d'utilisateur utilisé en mode daemon
=item B<socket> = a|l|r:option=valeur[:valeur]
Configure une option de socket accept (a), locale (l) ou distante (r)
Les valeurs de l'option linger sontE<nbsp>: l_onof:l_linger.
Les valeurs de l'option time sontE<nbsp>: tv_sec:tv_usec.
ExemplesE<nbsp>:
socket = l:SO_LINGER=1:60
définit un délai d'une minute pour la clôture des sockets locaux
socket = r:SO_OOBINLINE=yes
Place directement les données hors-bande dans le flux de réception
des sockets distants
socket = a:SO_REUSEADDR=no
désactive la réutilisation d'adresses (activée par défaut)
socket = a:SO_BINDTODEVICE=lo
limite l'acceptation des connexions sur la seule interface de bouclage
=item B<taskbar> = yes | no (WIN32 seulement)
active l'icône de la barre de tâches
Par défautE<nbsp>: yes
=item B<verify> = niveau
Vérifie le certificat du correspondant
niveau 1 - vérifie le certificat s'il est présent
niveau 2 - vérifie le certificat
niveau 3 - contrôle le correspondant avec le certificat local
Par défaut - pas de vérification
=back
=head2 OPTIONS DE SERVICE
Chaque section de configuration commence par le nom du service entre crochets.
Celui-ci est utilisé par le contrôle d'accès de libwrap (TCP Wrappers) et sert
à distinguer les services B<stunnel> dans les fichiers de traces.
Si l'on souhaite utiliser B<stunnel> en mode I<inetd> (lorsqu'un socket lui est
fourni par un serveur comme I<inetd>, I<xinetd> ou I<tcpserver>), il faut se
reporter à la section I<MODE INETD> plus bas.
=over 4
=item B<accept> = [hôte:]port
Accepte des connexions sur le port spécifié
Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses IP de
la machine locale.
=item B<connect> = [hôte:]port
Se connecte au port distant indiqué
Par défaut, l'hôte est localhost.
=item B<delay> = yes | no
Retarde la recherche DNS pour l'option «E<nbsp>connectE<nbsp>»
=item B<exec> = chemin_exécutable (Unix seulement)
Exécute un programme local de type inetd
Le cas échéant, le chemin I<exec> est relatif au répertoire I<chroot>.
=item B<execargs> = $0 $1 $2 ... (Unix seulement)
Arguments pour I<exec>, y compris le nom du programme ($0)
Les quotes ne peuvent actuellement pas être utilisées.
Les arguments sont séparés par un nombre quelconque d'espaces.
=item B<ident> = nom
Applique le contrôle d'identité d'utilisateur IDENT (RFC 1413)
=item B<local> = hôte
Adresse IP de l'interface de sortie utilisée pour les connexions distantes.
Cette option permet de relier une adresse statique locale.
=item B<protocol> = protocole
Négocie avec SSL selon le protocole indiqué
Actuellement gérésE<nbsp>: cifs, nntp, pop3, smtp
=item B<pty> = yes | no (Unix seulement)
Alloue un pseudo-terminal pour l'option «E<nbsp>execE<nbsp>»
=item B<TIMEOUTbusy> = secondes
Durée d'attente de données
=item B<TIMEOUTclose> = secondes
Durée d'attente du close_notify (mis à 0 pour MSIE qui est bogué)
=item B<TIMEOUTidle> = secondes
Durée d'attente sur une connexion inactive
=item B<transparent> = yes | no (Unix seulement)
Mode mandataire transparent
Ré-écrit les adresses pour qu'elles apparaissent provenir de la
machine client SSL plutôt que de celle qui exécute B<stunnel>.
Cette option n'est disponible en mode local (option I<exec>) qu'avec
la bibliothèque partagée LD_PRELOADing env.so shared library et en mode
distant (option I<connect>) sur les noyaux Linux 2.2 compilés avec
l'option I<transparent proxy> et seulement en mode serveur. Cette
option ne se combine pas au mode mandataire (I<connect>) sauf si la
route par défaut du client vers la cible passe par l'hôte qui fait
tourner B<stunnel>, qui ne peut être localhost.
=back
=head1 VALEUR DE RETOUR
B<stunnel> renvoie zéro en cas de succès, une autre valeur en cas d'erreur.
=head1 EXEMPLES
Pour encapsuler votre service I<imapd> local avec SSLE<nbsp>:
[imapd]
accept = 993
exec = /usr/sbin/imapd
execargs = imapd
Pour tunneliser un daemon I<pppd> sur le port 2020E<nbsp>:
[vpn]
accept = 2020
exec = /usr/sbin/pppd
execargs = pppd local
pty = yes
Configuration de I<stunnel.conf> pour utiliser B<stunnel> en mode I<inetd>
qui lance imapd à son tour (il ne doit pas y avoir de section I<[service_name]>)E<nbsp>:
exec = /usr/sbin/imapd
execargs = imapd
=head1 FICHIERS
=over 4
=item F<stunnel.conf>
Fichier de configuration de B<stunnel>
=item F<stunnel.pem>
Certificat et clef privée de B<stunnel>
=back
=head1 BOGUES
L'option I<execargs> n'admet pas les quotes.
=head1 RESTRICTIONS
B<stunnel> ne peut être utilisé pour le daemon FTP en raison de la nature
du protocole FTP qui utilise des ports multiples pour les transferts de données.
Il existe cependant des versions SSL de FTP et de telnet.
=head1 NOTES
=head2 MODE INETD
L'utilisation la plus commune de B<stunnel> consiste à écouter un port
réseau et à établir une communication, soit avec un nouveau port
avec l'option I<connect>, soit avec un programme avec l'option I<exec>.
On peut parfois cependant souhaiter qu'un autre programme reçoive les
connexions entrantes et lance B<stunnel>, par exemple avec I<inetd>,
I<xinetd> ou I<tcpserver>.
Si, par exemple, la ligne suivante se trouve dans I<inetd.conf>E<nbsp>:
imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
Dans ces cas, c'est le programme du genre I<inetd>-style qui est
responsable de l'établissement de la connexion (I<imaps> ci-dessus) et de passer
celle-ci à B<stunnel>.
Ainsi, B<stunnel> ne doit alors avoir aucune option I<accept>.
Toutes les I<options de niveau service> doivent être placées dans
la section des options globales et aucune section I<[service_name]> ne doit
être présente. Voir la section I<EXEMPLES> pour des exemples de configurations.
=head2 CERTIFICATS
Chaque daemon à propriétés SSL doit présenter un certificat X.509
valide à son interlocuteur. Il a aussi besoin d'une clef privé pour
déchiffrer les données entrantes. La méthode la plus simple pour
obtenir un certificat et une clef est d'engendrer celles-ci avec
le paquetage libre I<OpenSSL>. Plus d'informations sur la génération de
certificats se trouvent dans les pages indiquées plus bas.
Deux choses importantes lors de la génération de paires certificat-clef
pour B<stunnel>E<nbsp>:
=over 4
=item *
la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen
d'obtenir le mot de passe de l'utilisateurE<nbsp>; pour produire une clef non chiffrée,
ajouter l'option I<-nodes> à la commande B<req> de I<OpenSSL>E<nbsp>;
=item *
l'ordre du contenu du fichier I<.pem> est significatifE<nbsp>: il doit contenir d'abord
une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat).
Il doit aussi y avoir des lignes vides après le certificat et après la clef privée.
L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que
le fichier ait l'allure suivanteE<nbsp>:
-----BEGIN RSA PRIVATE KEY-----
[clef encodée]
-----END RSA PRIVATE KEY-----
[ligne vide]
-----BEGIN CERTIFICATE-----
[certificat encodé]
-----END CERTIFICATE-----
[ligne vide]
=back
=head2 ALEATOIRE
B<stunnel> doit «E<nbsp>salerE<nbsp>» le générateur de pseudo-aléatoires PRNG (pseudo random
number generator) afin que SSL utilise un aléatoire de qualité. Les sources suivantes
sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lueE<nbsp>:
=over 4
=item *
le fichier spécifié par I<RNDfile>E<nbsp>;
=item *
le fichier spécifié par la variable d'environnement RANDFILE, à défaut
le fichier .rnd du répertoire $HOME de l'utilisateurE<nbsp>;
=item *
le fichier spécifié par «E<nbsp>--with-randomE<nbsp>» lors de la compilationE<nbsp>;
=item *
le contenu de l'écran (MS-Windows seulement)E<nbsp>;
=item *
le socket EGD spécifié par I<EGD>E<nbsp>;
=item *
le socket EGD spécifié par «E<nbsp>--with-egd-sockE<nbsp>» lors de la compilationE<nbsp>;
=item *
le périphérique /dev/urandom.
=back
Avec un OpenSSL récent (>=OpenSSL 0.9.5a) le chargement de données s'arrête
automatiquement lorsqu'un niveau d'entropie suffisant est atteint.
Les versions précédentes continuent à lire toutes les sources puisqu'aucune
fonction SSL ne leur permet de savoir que suffisamment de données sont disponibles.
Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console,
(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est
pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire
par le biais de I<RNDfile>.
Le fichier spécifié par I<RNDfile> doit contenir des informations aléatoires --
c'est-à-dire des informations différentes à chaque lancement de B<stunnel>.
Cela est géré automatiquement sauf si l'option I<RNDoverwrite> est utilisée.
Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la
commande I<openssl rand> des versions récentes d'OpenSSL sera sans doute utile.
Note importanteE<nbsp>: si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser
celui-ci pour «E<nbsp>salerE<nbsp>» le PRNG même lorsqu'il contrôle l'état de l'aléatoireE<nbsp>;
ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable
qu'il soit utilisé s'il est présent.
Ce n'est pas le comportement de B<stunnel>, c'est celui d'OpenSSL.
=head1 VOIR AUSSI
=over 4
=item L<tcpd(8)>
Service de contrôle d'accès pour les services internet
=item L<inetd(8)>
«E<nbsp>super-serveurE<nbsp>» internet
=item F<http://www.stunnel.org/>
Page de référence de B<stunnel>
=item F<http://www.openssl.org/>
Site web du projet OpenSSL
=back
=head1 AUTEUR
=over 4
=item Michał Trojnara
<F<Michal.Trojnara@mirt.net>>
=back
=head1 ADAPTATION FRANÇAISE
=over 4
=item Bernard Choppy
<F<choppy AT free POINT fr>>
=back

1051
doc/stunnel.html Normal file
View File

File diff suppressed because it is too large Load Diff

967
doc/stunnel.pl.8 Normal file
View File

@ -0,0 +1,967 @@
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\" ========================================================================
.\"
.IX Title "STUNNEL.PL 8"
.TH STUNNEL.PL 8 "2012.01.14" "4.53" "stunnel"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAZWA"
.IX Header "NAZWA"
stunnel \- uniwersalny tunel protokołu \s-1SSL\s0
.SH "SKŁADNIA"
.IX Header "SKŁADNIA"
.IP "\fBUnix:\fR" 4
.IX Item "Unix:"
\&\fBstunnel\fR [<plik>] | \-fd n | \-help | \-version | \-sockets
.IP "\fB\s-1WIN32:\s0\fR" 4
.IX Item "WIN32:"
\&\fBstunnel\fR [ [\-install | \-uninstall | \-start | \-stop ] | \-exit]
[\-quiet] [<plik>] ] | \-help | \-version | \-sockets
.SH "OPIS"
.IX Header "OPIS"
Program \fBstunnel\fR został zaprojektowany do opakowywania w protokół \fI\s-1SSL\s0\fR
połączeń pomiędzy zdalnymi klientami a lokalnymi lub zdalnymi serwerami.
Przez serwer lokalny rozumiana jest aplikacja przeznaczona do uruchamiania
przy pomocy \fIinetd\fR.
Stunnel pozwala na proste zestawienie komunikacji serwerów nie posiadających
funkcjonalności \fI\s-1SSL\s0\fR poprzez bezpieczne kanały \fI\s-1SSL\s0\fR.
.PP
\&\fBstunnel\fR pozwala dodać funkcjonalność \fI\s-1SSL\s0\fR do powszechnie stosowanych
demonów \fIinetd\fR, np. \fIpop3\fR lub \fIimap\fR, do samodzielnych demonów,
np. \fInntp\fR, \fIsmtp\fR lub \fIhttp\fR, a nawet tunelować ppp poprzez gniazda sieciowe
bez zmian w kodzie źródłowym.
.SH "OPCJE"
.IX Header "OPCJE"
.IP "<\fBplik\fR>" 4
.IX Item "<plik>"
użyj podanego pliku konfiguracyjnego
.IP "\fB\-fd n\fR (tylko Unix)" 4
.IX Item "-fd n (tylko Unix)"
wczytaj konfigurację z podanego deskryptora pliku
.IP "\fB\-help\fR" 4
.IX Item "-help"
drukuj listę wspieranych opcji
.IP "\fB\-version\fR" 4
.IX Item "-version"
drukuj wersję programu i domyślne wartości parametrów
.IP "\fB\-sockets\fR" 4
.IX Item "-sockets"
drukuj domyślne opcje gniazd
.IP "\fB\-install\fR (tylko \s-1NT/2000/XP\s0)" 4
.IX Item "-install (tylko NT/2000/XP)"
instaluj serwis \s-1NT\s0
.IP "\fB\-uninstall\fR (tylko \s-1NT/2000/XP\s0)" 4
.IX Item "-uninstall (tylko NT/2000/XP)"
odinstaluj serwis \s-1NT\s0
.IP "\fB\-start\fR (tylko \s-1NT/2000/XP\s0)" 4
.IX Item "-start (tylko NT/2000/XP)"
uruchom serwis \s-1NT\s0
.IP "\fB\-stop\fR (tylko \s-1NT/2000/XP\s0)" 4
.IX Item "-stop (tylko NT/2000/XP)"
zatrzymaj serwis \s-1NT\s0
.IP "\fB\-exit\fR (tylko Win32)" 4
.IX Item "-exit (tylko Win32)"
zatrzymaj uruchomiony program
.IP "\fB\-quiet\fR (tylko \s-1NT/2000/XP\s0)" 4
.IX Item "-quiet (tylko NT/2000/XP)"
nie wyświetlaj okienka informującego o pomyślnym zainstalowaniu lub
odinstalowaniu
.SH "PLIK KONFIGURACYJNY"
.IX Header "PLIK KONFIGURACYJNY"
Linia w pliku konfiguracyjnym może być:
.IP "\(bu" 4
pusta (ignorowana)
.IP "\(bu" 4
komentarzem rozpoczynającym się znakiem ';' (ignorowana)
.IP "\(bu" 4
parą 'nazwa_opcji = wartość_opcji'
.IP "\(bu" 4
tekstem '[nazwa_usługi]' wskazującym początek definicji usługi
.PP
Parametr adres może być:
.IP "\(bu" 4
numerem portu
.IP "\(bu" 4
oddzieloną średnikiem parą adresu (IPv4, IPv6, lub nazwą domenową) i numeru portu
.IP "\(bu" 4
ścieżką do gniazda Unix (tylko Unix)
.SS "\s-1OPCJE\s0 \s-1GLOBALNE\s0"
.IX Subsection "OPCJE GLOBALNE"
.IP "\fBchroot\fR = katalog (tylko Unix)" 4
.IX Item "chroot = katalog (tylko Unix)"
katalog roboczego korzenia systemu plików
.Sp
Opcja określa katalog, w którym uwięziony zostanie proces programu
\&\fBstunnel\fR tuż po jego inicjalizacji, a przed rozpoczęciem odbierania
połączeń. Ścieżki podane w opcjach \fICApath\fR, \fICRLpath\fR, \fIpid\fR
oraz \fIexec\fR muszą być umieszczone wewnątrz katalogu podanego w opcji
\&\fIchroot\fR i określone względem tego katalogu.
.IP "\fBcompression\fR = deflate | zlib | rle" 4
.IX Item "compression = deflate | zlib | rle"
wybór algorytmu kompresji przesyłanych danych
.Sp
domyślnie: bez kompresji
.Sp
Algorytm deflate jest standardową metodą kompresji zgodnie z \s-1RFC\s0 1951.
.Sp
Kompresja zlib zaimplementowana w OpenSSL 0.9.8 i nowszych nie jest
kompatybilna implementacją OpenSSL 0.9.7.
.Sp
Kompresja rle nie jest zaimplementowana w aktualnych wersjach OpenSSL.
.IP "\fBdebug\fR = poziom[.podsystem]" 4
.IX Item "debug = poziom[.podsystem]"
szczegółowość logowania
.Sp
Poziom logowania można określić przy pomocy jednej z nazw lub liczb:
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6) lub debug (7).
Zapisywane są komunikaty o poziomie niższym (numerycznie) lub równym podanemu.
Do uzyskania najwyższego poziomu szczegółowości można użyć opcji
\&\fIdebug = debug\fR lub \fIdebug = 7\fR. Domyślnym poziomem jest notice (5).
.Sp
O ile nie wyspecyfikowano podsystemu użyty będzie domyślny: daemon.
Podsystemy nie są wspierane przez platformę Win32.
.Sp
Wielkość liter jest ignorowana zarówno dla poziomu jak podsystemu.
.IP "\fB\s-1EGD\s0\fR = ścieżka_do_EGD (tylko Unix)" 4
.IX Item "EGD = ścieżka_do_EGD (tylko Unix)"
ścieżka do gniazda programu Entropy Gathering Daemon
.Sp
Opcja pozwala określić ścieżkę do gniazda programu Entropy Gathering Daemon
używanego do zainicjalizowania generatora ciągów pseudolosowych biblioteki
OpenSSL. Opcja jest dostępna z biblioteką OpenSSL 0.9.5a lub nowszą.
.IP "\fBengine\fR = auto | <identyfikator urządzenia>" 4
.IX Item "engine = auto | <identyfikator urządzenia>"
wybór sprzętowego urządzenia kryptograficznego
.Sp
domyślnie: bez wykorzystania urządzeń kryptograficznych
.Sp
Przykładowa konfiguracja umożliwiająca odczytanie klucza prywatnego z
urządzenia zgodnego z OpenSC:
.Sp
.Vb 7
\& engine=dynamic
\& engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so
\& engineCtrl=ID:pkcs11
\& engineCtrl=LIST_ADD:1
\& engineCtrl=LOAD
\& engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc\-pkcs11.so
\& engineCtrl=INIT
\&
\& [service]
\& engineNum=1
\& key=id_45
.Ve
.IP "\fBengineCtrl\fR = <command>[:<parameter>]" 4
.IX Item "engineCtrl = <command>[:<parameter>]"
konfiguracja urządzenia kryptograficznego
.Sp
Specjalne komendy \*(L"\s-1LOAD\s0\*(R" i \*(L"\s-1INIT\s0\*(R" pozwalają na załadowanie i inicjalizację
modułu kryptograficznego urządzenia.
.IP "\fBfips\fR = yes | no" 4
.IX Item "fips = yes | no"
Włącz lub wyłącz tryb \s-1FIPS\s0 140\-2.
.Sp
Opcja pozwala wyłączyć wejście w tryb \s-1FIPS\s0, jeśli stunnel został skompilowany
ze wsparciem dla \s-1FIPS\s0 140\-2.
.Sp
domyślnie: yes (pracuj w trybie \s-1FIPS\s0 140\-2)
.IP "\fBforeground\fR = yes | no (tylko Unix)" 4
.IX Item "foreground = yes | no (tylko Unix)"
tryb pierwszoplanowy
.Sp
Użycie tej opcji powoduje, że \fIstunnel\fR nie przechodzi w tło logując
swoje komunikaty na konsolę zamiast przez \fIsyslog\fR (o ile nie użyto
opcji \fIoutput\fR).
.IP "\fBoutput\fR = plik" 4
.IX Item "output = plik"
plik, do którego dopisane zostaną logi
.Sp
Użycie tej opcji powoduje dopisanie logów do podanego pliku.
.Sp
Do kierowaniakomunikatów na standardowe wyjście (na przykład po to, żeby
zalogować je programem splogger z pakietu daemontools) można podać jako
parametr urządzenie /dev/stdout.
.IP "\fBpid\fR = plik (tylko Unix)" 4
.IX Item "pid = plik (tylko Unix)"
położenie pliku z numerem procesu
.Sp
Jeżeli argument jest pusty plik nie zostanie stworzony.
.Sp
Jeżeli zdefiniowano katalog \fIchroot\fR, to ścieżka do \fIpid\fR jest określona
względem tego katalogu.
.IP "\fBRNDbytes\fR = liczba_bajtów" 4
.IX Item "RNDbytes = liczba_bajtów"
liczba bajtów do zainicjowania generatora pseudolosowego
.Sp
W wersjach biblioteki OpenSSL starszych niż 0.9.5a opcja ta określa
również liczbę bajtów wystarczających do zainicjowania \s-1PRNG\s0.
Nowsze wersje biblioteki mają wbudowaną funkcję określającą, czy
dostarczona ilość losowości jest wystarczająca do zainicjowania generatora.
.IP "\fBRNDfile\fR = plik" 4
.IX Item "RNDfile = plik"
ścieżka do pliku zawierającego losowe dane
.Sp
Biblioteka OpenSSL użyje danych z tego pliku do zainicjowania
generatora pseudolosowego.
.IP "\fBRNDoverwrite\fR = yes | no" 4
.IX Item "RNDoverwrite = yes | no"
nadpisz plik nowymi wartościami pseudolosowymi
.Sp
domyślnie: yes (nadpisz)
.IP "\fBservice\fR = nazwa_serwisu (tylko Unix)" 4
.IX Item "service = nazwa_serwisu (tylko Unix)"
użyj parametru jako nazwy serwisu dla biblioteki \s-1TCP\s0 Wrapper w trybie \fIinetd\fR
.Sp
domyślnie: stunnel
.IP "\fBsetgid\fR = identyfikator_grupy (tylko Unix)" 4
.IX Item "setgid = identyfikator_grupy (tylko Unix)"
grupa z której prawami pracował będzie \fIstunnel\fR
.IP "\fBsetuid\fR = identyfikator_użytkownika (tylko Unix)" 4
.IX Item "setuid = identyfikator_użytkownika (tylko Unix)"
użytkownik, z którego prawami pracował będzie \fIstunnel\fR
.IP "\fBsocket\fR = a|l|r:option=value[:value]" 4
.IX Item "socket = a|l|r:option=value[:value]"
ustaw opcję na akceptującym/lokalnym/zdalnym gnieździe
.Sp
Dla opcji linger wartości mają postać l_onof:l_linger.
Dla opcji time wartości mają postać tv_sec:tv_usec.
.Sp
Przykłady:
.Sp
.Vb 10
\& socket = l:SO_LINGER=1:60
\& ustaw jednominutowe przeterminowanie
\& przy zamykaniu lokalnego gniazda
\& socket = r:SO_OOBINLINE=yes
\& umieść dane pozapasmowe (out\-of\-band)
\& bezpośrednio w strumieniu danych
\& wejściowych dla zdalnych gniazd
\& socket = a:SO_REUSEADDR=no
\& zablokuj ponowne używanie portu
\& (domyślnie włączone)
\& socket = a:SO_BINDTODEVICE=lo
\& przyjmuj połączenia wyłącznie na
\& interfejsie zwrotnym (ang. loopback)
.Ve
.IP "\fBsyslog\fR = yes | no (tylko Unix)" 4
.IX Item "syslog = yes | no (tylko Unix)"
włącz logowanie poprzez mechanizm syslog
.Sp
domyślnie: yes (włącz)
.IP "\fBtaskbar\fR = yes | no (tylko \s-1WIN32\s0)" 4
.IX Item "taskbar = yes | no (tylko WIN32)"
włącz ikonkę w prawym dolnym rogu ekranu
.Sp
domyślnie: yes (włącz)
.SS "\s-1OPCJE\s0 USŁUG"
.IX Subsection "OPCJE USŁUG"
Każda sekcja konfiguracji usługi zaczyna się jej nazwą ujętą w nawias
kwadratowy. Nazwa usługi używana jest do kontroli dostępu przez
bibliotekę libwrap (\s-1TCP\s0 wrappers) oraz pozwala rozróżnić poszczególne
usługi w logach.
.PP
Jeżeli \fBstunnel\fR ma zostać użyty w trybie \fIinetd\fR, gdzie za odebranie
połączenia odpowiada osobny program (zwykle \fIinetd\fR, \fIxinetd\fR
lub \fItcpserver\fR), należy przeczytać sekcję \fI\s-1TRYB\s0 \s-1INETD\s0\fR poniżej.
.IP "\fBaccept\fR = [adres:]port" 4
.IX Item "accept = [adres:]port"
nasłuchuje na połączenia na podanym adresie i porcie
.Sp
Jeżeli nie został podany adres, \fIstunnel\fR domyślnie nasłuchuje
na wszystkich adresach IPv4 lokalnych interfejsów.
.Sp
Aby nasłuchiwać na wszystkich adresach IPv6 należy użyć:
.Sp
.Vb 1
\& accept = :::port
.Ve
.IP "\fBCApath\fR = katalog_CA" 4
.IX Item "CApath = katalog_CA"
katalog Centrum Certyfikacji
.Sp
Opcja określa katalog, w którym \fBstunnel\fR będzie szukał certyfikatów,
jeżeli użyta została opcja \fIverify\fR. Pliki z certyfikatami muszą
posiadać specjalne nazwy \s-1XXXXXXXX\s0.0, gdzie \s-1XXXXXXXX\s0 jest skrótem
kryptograficznym reprezentacji \s-1DER\s0 nazwy podmiotu certyfikatu.
.Sp
Funkcja skrótu została zmieniona w wersji 1.0.0 biblioteki OpenSSL.
Należy wykonać c_rehash przy zmianie OpenSSL 0.x.x na 1.x.x.
.Sp
Jeżeli zdefiniowano katalog \fIchroot\fR, to ścieżka do \fICApath\fR jest określona
względem tego katalogu.
.IP "\fBCAfile\fR = plik_CA" 4
.IX Item "CAfile = plik_CA"
plik Centrum Certyfikacji
.Sp
Opcja pozwala określić położenie pliku zawierającego certyfikaty używane
przez opcję \fIverify\fR.
.IP "\fBcert\fR = plik_pem" 4
.IX Item "cert = plik_pem"
plik z łańcuchem certyfikatów
.Sp
Opcja określa położenie pliku zawierającego certyfikaty używane przez
program \fBstunnel\fR do uwierzytelnienia się przed drugą stroną połączenia.
Certyfikat jest konieczny, aby używać programu w trybie serwera.
W trybie klienta certyfikat jest opcjonalny.
.IP "\fBciphers\fR = lista_szyfrów" 4
.IX Item "ciphers = lista_szyfrów"
lista dozwolonych szyfrów \s-1SSL\s0
.Sp
Parametrem tej opcji jest lista szyfrów, które będą użyte przy
otwieraniu nowych połączeń \s-1SSL\s0, np.: \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
.IP "\fBclient\fR = yes | no" 4
.IX Item "client = yes | no"
tryb kliencki (zdalna usługa używa \s-1SSL\s0)
.Sp
domyślnie: no (tryb serwerowy)
.IP "\fBconnect\fR = [adres:]port" 4
.IX Item "connect = [adres:]port"
połącz się ze zdalnym serwerem na podany port
.Sp
Jeżeli nie został podany adres, \fIstunnel\fR domyślnie łączy się
z lokalnym serwerem.
.Sp
Komenda może byc użyta wielokrotnie w pojedynczej sekcji
celem zapewnienia wysokiej niezawodności lub rozłożenia
ruchu pomiędzy wiele serwerów.
.IP "\fBCRLpath\fR = katalog_CRL" 4
.IX Item "CRLpath = katalog_CRL"
katalog List Odwołanych Certyfikatów (\s-1CRL\s0)
.Sp
Opcja określa katalog, w którym \fBstunnel\fR będzie szukał list \s-1CRL\s0,
jeżeli użyta została opcja \fIverify\fR. Pliki z listami \s-1CRL\s0 muszą
posiadać specjalne nazwy \s-1XXXXXXXX\s0.r0, gdzie \s-1XXXXXXXX\s0 jest skrótem
listy \s-1CRL\s0.
.Sp
Funkcja skrótu została zmieniona w wersji 1.0.0 biblioteki OpenSSL.
Należy wykonać c_rehash przy zmianie OpenSSL 0.x.x na 1.x.x.
.Sp
Jeżeli zdefiniowano katalog \fIchroot\fR, to ścieżka do \fICRLpath\fR jest określona
względem tego katalogu.
.IP "\fBCRLfile\fR = plik_CRL" 4
.IX Item "CRLfile = plik_CRL"
plik List Odwołanych Certyfikatów (\s-1CRL\s0)
.Sp
Opcja pozwala określić położenie pliku zawierającego listy \s-1CRL\s0 używane
przez opcję \fIverify\fR.
.IP "\fBcurve\fR = nid" 4
.IX Item "curve = nid"
krzywa dla \s-1ECDH\s0
.Sp
Listę dostępnych krzywych można uzyskać poleceniem:
.Sp
.Vb 1
\& openssl ecparam \-list_curves
.Ve
.Sp
domyślnie: prime256v1
.IP "\fBdelay\fR = yes | no" 4
.IX Item "delay = yes | no"
opóźnij rozwinięcie adresu \s-1DNS\s0 podanego w opcji \fIconnect\fR
.Sp
Opcja jest przydatna przy dynamicznym \s-1DNS\s0, albo gdy usługa \s-1DNS\s0 nie jest
dostępna przy starcie programu stunnel (klient \s-1VPN\s0, połączenie wdzwaniane).
.IP "\fBengineNum\fR = <numer urządzenia>" 4
.IX Item "engineNum = <numer urządzenia>"
wybierz urządzenie do odczyta klucza prywatnego
.Sp
Urządzenia są numerowane od 1 w górę.
.IP "\fBexec\fR = ścieżka_do_programu" 4
.IX Item "exec = ścieżka_do_programu"
wykonaj lokalny program przystosowany do pracy z superdemonem inetd
.Sp
Jeżeli zdefiniowano katalog \fIchroot\fR, to ścieżka do \fIexec\fR jest określona
względem tego katalogu.
.ie n .IP "\fBexecargs\fR = $0 $1 $2 ..." 4
.el .IP "\fBexecargs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ..." 4
.IX Item "execargs = $0 $1 $2 ..."
argumenty do opcji \fIexec\fR włącznie z nazwą programu ($0)
.Sp
Cytowanie nie jest wspierane w obecnej wersji programu.
Argumenty są rozdzielone dowolną liczbą białych znaków.
.IP "\fBfailover\fR = rr | prio" 4
.IX Item "failover = rr | prio"
Strategia wybierania serwerów wyspecyfikowanych parametrami \*(L"connect\*(R".
.Sp
.Vb 2
\& rr (round robin) \- sprawiedliwe rozłożenie obciążenia
\& prio (priority) \- użyj kolejności opcji w pliku konfiguracyjnym
.Ve
.Sp
domyślnie: rr
.IP "\fBident\fR = nazwa_użytkownika" 4
.IX Item "ident = nazwa_użytkownika"
weryfikuj nazwę zdalnego użytkownika korzystając z protokołu \s-1IDENT\s0 (\s-1RFC\s0 1413)
.IP "\fBkey\fR = plik_klucza" 4
.IX Item "key = plik_klucza"
klucz prywatny do certyfikatu podanego w opcji \fIcert\fR
.Sp
Klucz prywatny jest potrzebny do uwierzytelnienia właściciela certyfikatu.
Ponieważ powinien on być zachowany w tajemnicy, prawa do jego odczytu
powinien mieć wyłącznie właściciel pliku. W systemie Unix można to osiągnąć
komendą:
.Sp
.Vb 1
\& chmod 600 keyfile
.Ve
.Sp
domyślnie: wartość opcji \fIcert\fR
.IP "\fBlibwrap\fR = yes | no" 4
.IX Item "libwrap = yes | no"
włącz lub wyłącz korzystanie z /etc/hosts.allow i /etc/hosts.deny.
.Sp
domyślnie: yes
.IP "\fBlocal\fR = serwer" 4
.IX Item "local = serwer"
\&\s-1IP\s0 źródła do nawiązywania zdalnych połączeń
.Sp
Domyślnie używane jest \s-1IP\s0 najbardziej zewnętrznego interfejsu w stronę
serwera, do którego nawiązywane jest połączenie.
.IP "\fBsni\fR = nazwa_usługi:nazwa_serwera (tryb serwera)" 4
.IX Item "sni = nazwa_usługi:nazwa_serwera (tryb serwera)"
Użyj usługi jako podrzędnej (virtualnego serwera) dla rozszerzenia \s-1TLS\s0 Server
Name Indication (\s-1RFC\s0 3546).
.Sp
\&\fInazwa_usługi\fR wskazuje usługę nadrzędną, która odbiera połączenia od klientów
przy pomocy opcji \fIaccept\fR. \fInazwa_serwera\fR wskazuje nazwę serwera
wirtualnego. Z pojedyńczą usługą nadrzędną powiązane jest zwykle wiele usług
podrzędnych. Opcja \fIsni\fR może być rownież użyta wielokrotnie w ramach jednej
usługi podrzędnej.
.Sp
Zarówno usługa nadrzędna jak i podrzędna nie może być skonfigurowana w trybie
klienckim. Opcja \fIconnect\fR usługi podrzędnej jest ignorowana w połączeniu z
opcją \fIprotocol\fR, gdyż połączenie do zdalnego serwera jest w tym wypadku
nawiązywane przed negocjacją \s-1TLS\s0. Uwierzytelnienie przy pomocy biblioteki
libwrap jest realizowane dwukrotnie: najpierw dla usługi nadrzędnej po
odebraniu połączenia \s-1TCP\s0, a następnie dla usługi podrzędnej podczas negocjacji
\&\s-1TLS\s0.
.Sp
Opcja \fIsni\fR jest dostępna począwszy od wersji 1.0.0 biblioteki OpenSSL.
.IP "\fBsni\fR = nazwa_serwera (tryb klienta)" 4
.IX Item "sni = nazwa_serwera (tryb klienta)"
Użyj parametru jako wartości rozszerzenia \s-1TLS\s0 Server Name Indication
(\s-1RFC\s0 3546).
.Sp
Opcja \fIsni\fR jest dostępna począwszy od wersji 1.0.0 biblioteki OpenSSL.
.IP "\fB\s-1OCSP\s0\fR = \s-1URL\s0" 4
.IX Item "OCSP = URL"
serwer \s-1OCSP\s0 do weryfikacji certyfikatów
.IP "\fBOCSPflag\fR = flaga" 4
.IX Item "OCSPflag = flaga"
flaga serwera \s-1OCSP\s0
.Sp
aktualnie wspierane flagi: \s-1NOCERTS\s0, \s-1NOINTERN\s0 \s-1NOSIGS\s0, \s-1NOCHAIN\s0, \s-1NOVERIFY\s0,
\&\s-1NOEXPLICIT\s0, \s-1NOCASIGN\s0, \s-1NODELEGATED\s0, \s-1NOCHECKS\s0, \s-1TRUSTOTHER\s0, \s-1RESPID_KEY\s0, \s-1NOTIME\s0
.Sp
Aby wyspecyfikować kilka flag należy użyć \fIOCSPflag\fR wielokrotnie.
.IP "\fBoptions\fR = opcje_SSL" 4
.IX Item "options = opcje_SSL"
opcje biblioteki OpenSSL
.Sp
Parametrem jest nazwa opcji zgodnie z opisem w \fI\fISSL_CTX_set_options\fI\|(3ssl)\fR,
ale bez przedrostka \fI\s-1SSL_OP_\s0\fR.
Aby wyspecyfikować kilka opcji należy użyć \fIoptions\fR wielokrotnie.
.Sp
Na przykład dla zachowania kompatybilności z błędami implementacji \s-1SSL\s0
w programie Eudora można użyć opcji:
.Sp
.Vb 1
\& options = DONT_INSERT_EMPTY_FRAGMENTS
.Ve
.IP "\fBprotocol\fR = protokół" 4
.IX Item "protocol = protokół"
negocjuj \s-1SSL\s0 podanym protokołem aplikacyjnym (np. \fIstarttls\fR lub \fIstls\fR)
.Sp
Opcji \fIprotocol\fR nie należy używać z szyfrowaniem \s-1SSL\s0 na osobnym porcie.
.Sp
Aktualnie wspierane protokoły:
.RS 4
.IP "\fIcifs\fR" 4
.IX Item "cifs"
Unieudokumentowane rozszerzenie protokołu \s-1CIFS\s0 wspierane przez serwer Samba.
Wsparcie dla tego rozrzeczenia zostało zarzucone w wersji 3.0.0 serwera Samba.
.IP "\fIconnect\fR" 4
.IX Item "connect"
Negocjacja \s-1RFC\s0 2817 \- \fIUpgrading to \s-1TLS\s0 Within \s-1HTTP/1\s0.1\fR, rozdział 5.2 \- \fIRequesting a Tunnel with \s-1CONNECT\s0\fR
.Sp
Ten protokół jest wspierany wyłącznie w trybie klienckim.
.IP "\fIimap\fR" 4
.IX Item "imap"
Negocjacja \s-1RFC\s0 2595 \- \fIUsing \s-1TLS\s0 with \s-1IMAP\s0, \s-1POP3\s0 and \s-1ACAP\s0\fR
.IP "\fInntp\fR" 4
.IX Item "nntp"
Negocjacja \s-1RFC\s0 4642 \- \fIUsing Transport Layer Security (\s-1TLS\s0) with Network News Transfer Protocol (\s-1NNTP\s0)\fR
.Sp
Ten protokół jest wspierany wyłącznie w trybie klienckim.
.IP "\fIpgsql\fR" 4
.IX Item "pgsql"
Negocjacja http://www.postgresql.org/docs/8.3/static/protocol\-flow.html#AEN73982
.IP "\fIpop3\fR" 4
.IX Item "pop3"
Negocjacja \s-1RFC\s0 2449 \- \fI\s-1POP3\s0 Extension Mechanism\fR
.IP "\fIproxy\fR" 4
.IX Item "proxy"
Przekazywanie adresu \s-1IP\s0 haproxy http://haproxy.1wt.eu/download/1.5/doc/proxy\-protocol.txt
.IP "\fIsmtp\fR" 4
.IX Item "smtp"
Negocjacja \s-1RFC\s0 2487 \- \fI\s-1SMTP\s0 Service Extension for Secure \s-1SMTP\s0 over \s-1TLS\s0\fR
.RE
.RS 4
.RE
.IP "\fBprotocolAuthentication\fR = uwierzytelnienie" 4
.IX Item "protocolAuthentication = uwierzytelnienie"
rodzaj uwierzytelnienia do negocjacji protokołu
.Sp
aktualnie wspierane: basic, \s-1NTLM\s0
.Sp
Obecnie typ uwierzytelnienia ma zastosowanie wyłącznie w protokole 'connect'.
.Sp
domyślnie: basic
.IP "\fBprotocolHost\fR = adres:port" 4
.IX Item "protocolHost = adres:port"
adres docelowy do negocjacji protokołu
.IP "\fBprotocolPassword\fR = hasło" 4
.IX Item "protocolPassword = hasło"
hasło do negocjacji protokołu
.IP "\fBprotocolUsername\fR = użytkownik" 4
.IX Item "protocolUsername = użytkownik"
nazwa użytkownika do negocjacji protokołu
.IP "\fBpty\fR = yes | no (tylko Unix)" 4
.IX Item "pty = yes | no (tylko Unix)"
alokuj pseudoterminal dla programu uruchamianego w opcji 'exec'
.IP "\fBretry\fR = yes | no (tylko Unix)" 4
.IX Item "retry = yes | no (tylko Unix)"
połącz ponownie sekcję connect+exec po rozłączeniu
.Sp
domyślnie: no
.IP "\fBsession\fR = przeterminowanie_pamięci_podręcznej_sesji" 4
.IX Item "session = przeterminowanie_pamięci_podręcznej_sesji"
czas w sekundach, po którym sesja \s-1SSL\s0 zostanie usunięta z pamięci podręcznej
.IP "\fBsessiond\fR = adres:port" 4
.IX Item "sessiond = adres:port"
adres sessiond \- servera cache sesji \s-1SSL\s0
.IP "\fBsslVersion\fR = wersja" 4
.IX Item "sslVersion = wersja"
wersja protokołu \s-1SSL\s0
.Sp
Dozwolone opcje: all, SSLv2, SSLv3, TLSv1
.IP "\fBstack\fR = liczba_bajtów (z wyjątkiem modelu \s-1FORK\s0)" 4
.IX Item "stack = liczba_bajtów (z wyjątkiem modelu FORK)"
rozmiar stosu procesora wątku
.IP "\fBTIMEOUTbusy\fR = liczba_sekund" 4
.IX Item "TIMEOUTbusy = liczba_sekund"
czas oczekiwania na spodziewane dane
.IP "\fBTIMEOUTclose\fR = liczba_sekund" 4
.IX Item "TIMEOUTclose = liczba_sekund"
czas oczekiwania na close_notify (ustaw na 0, jeżeli klientem jest \s-1MSIE\s0)
.IP "\fBTIMEOUTconnect\fR = liczba_sekund" 4
.IX Item "TIMEOUTconnect = liczba_sekund"
czas oczekiwania na nawiązanie połączenia
.IP "\fBTIMEOUTidle\fR = liczba_sekund" 4
.IX Item "TIMEOUTidle = liczba_sekund"
maksymalny czas utrzymywania bezczynnego połączenia
.IP "\fBtransparent\fR = none | source | destination | both (tylko Unix)" 4
.IX Item "transparent = none | source | destination | both (tylko Unix)"
tryb przezroczystego proxy na wspieranych platformach
.Sp
Wspierane opcje:
.RS 4
.IP "\fBnone\fR" 4
.IX Item "none"
Zablokuj wsparcie dla przezroczystago proxy. Jest to wartość domyślna.
.IP "\fBsource\fR" 4
.IX Item "source"
Przepisz adres, aby nawiązywane połączenie wydawało się pochodzić
bezpośrednio od klienta, a nie od programu \fIstunnel\fR.
.Sp
Opcja jest aktualnie obsługiwana w:
.RS 4
.IP "Trybie zdalnym (opcja \fIconnect\fR) w systemie \fILinux >=2.6.28\fR" 4
.IX Item "Trybie zdalnym (opcja connect) w systemie Linux >=2.6.28"
Konfiguracja wymaga następujących ustawień iptables oraz routingu
(na przykład w pliku /etc/rc.local lub analogicznym):
.Sp
.Vb 7
\& iptables \-t mangle \-N DIVERT
\& iptables \-t mangle \-A PREROUTING \-p tcp \-m socket \-j DIVERT
\& iptables \-t mangle \-A DIVERT \-j MARK \-\-set\-mark 1
\& iptables \-t mangle \-A DIVERT \-j ACCEPT
\& ip rule add fwmark 1 lookup 100
\& ip route add local 0.0.0.0/0 dev lo table 100
\& echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
.Ve
.Sp
Konfiguracja ta wymaga, aby \fBstunnel\fR był wykonywany jako root i bez opcji \fIsetuid\fR.
.IP "Trybie zdalnym (opcja \fIconnect\fR) w systemie \fILinux 2.2.x\fR" 4
.IX Item "Trybie zdalnym (opcja connect) w systemie Linux 2.2.x"
Konfiguracja ta wymaga skompilowania jądra z opcją \fItransparent proxy\fR.
Docelowa usługa musi być umieszczona na osobnej maszynie, do której routing
kierowany jest poprzez serwer stunnela.
.Sp
Dodatkowo \fBstunnel\fR powinien być wykonywany jako root i bez opcji \fIsetuid\fR.
.IP "Trybie zdalnym (opcja \fIconnect\fR) w systemie \fIFreeBSD >=8.0\fR" 4
.IX Item "Trybie zdalnym (opcja connect) w systemie FreeBSD >=8.0"
Konfiguracja ta wymaga skonfigurowania firewalla i routingu.
\&\fBstunnel\fR musi być wykonywany jako root i bez opcji \fIsetuid\fR.
.IP "Trybie lokalnym (opcja \fIexec\fR)" 4
.IX Item "Trybie lokalnym (opcja exec)"
Konfiguracja ta jest realizowana przy pomocy biblioteki \fIlibstunnel.so\fR.
Do załadowania biblioteki wykorzystywana jest zmienna środowiskowa _RLD_LIST na
platformie Tru64 lub \s-1LD_PRELOAD\s0 na innych platformach.
.RE
.RS 4
.RE
.IP "\fIdestination\fR" 4
.IX Item "destination"
Oryginalny adres docelowy jest używany zamiast opcji \fIconnect\fR.
.Sp
Przykładowana konfiguracja przezroczystego adresu docelowego:
.Sp
.Vb 4
\& [transparent]
\& client=yes
\& accept=<port_stunnela>
\& transparent=destination
.Ve
.Sp
Konfiguracja wymaga następujących ustawień iptables
(na przykład w pliku /etc/rc.local lub analogicznym):
.Sp
.Vb 2
\& /sbin/iptables \-I INPUT \-i eth0 \-p tcp \-\-dport <port_stunnela> \-j ACCEPT
\& /sbin/iptables \-t nat \-I PREROUTING \-i eth0 \-p tcp \-\-dport <port_przekierowany> \-j DNAT \-\-to\-destination <lokalne_ip>:<port_stunnela>
.Ve
.Sp
Przezroczysty adres docelowy jest aktualnie wspierany wyłącznie w systemie Linux.
.IP "\fIboth\fR" 4
.IX Item "both"
Użyj przezroczystego proxy zarówno dla adresu źródłowego jak i docelowego.
.RE
.RS 4
.Sp
Dla zapewnienia kompatybilności z wcześniejszymim wersjami wspierane są dwie
dodatkowe opcje:
.IP "\fIyes\fR" 4
.IX Item "yes"
Opcja została przemianowana na \fIsource\fR.
.IP "\fIno\fR" 4
.IX Item "no"
Opcja została przemianowana na \fInone\fR.
.RE
.RS 4
.RE
.IP "\fBverify\fR = poziom" 4
.IX Item "verify = poziom"
weryfikuj certyfikat drugiej strony połączenia
.RS 4
.IP "\fIpoziom 0\fR \- zarządaj certyfikatu i zignoruj go" 4
.IX Item "poziom 0 - zarządaj certyfikatu i zignoruj go"
.PD 0
.IP "\fIpoziom 1\fR \- weryfikuj, jeżeli został przedstawiony" 4
.IX Item "poziom 1 - weryfikuj, jeżeli został przedstawiony"
.IP "\fIpoziom 2\fR \- weryfikuj z zainstalowanym certyfikatem Centrum Certyfikacji" 4
.IX Item "poziom 2 - weryfikuj z zainstalowanym certyfikatem Centrum Certyfikacji"
.IP "\fIpoziom 3\fR \- weryfikuj z lokalnie zainstalowanym certyfikatem drugiej strony" 4
.IX Item "poziom 3 - weryfikuj z lokalnie zainstalowanym certyfikatem drugiej strony"
.IP "\fIpoziom 4\fR \- weryfikuj z certyfikatem drugiej strony ignorując łańcuch \s-1CA\s0" 4
.IX Item "poziom 4 - weryfikuj z certyfikatem drugiej strony ignorując łańcuch CA"
.IP "\fIdomyślnie\fR \- nie weryfikuj" 4
.IX Item "domyślnie - nie weryfikuj"
.RE
.RS 4
.RE
.PD
.SH "ZWRACANA WARTOŚĆ"
.IX Header "ZWRACANA WARTOŚĆ"
\&\fBstunnel\fR zwraca zero w przypadku sukcesu, lub wartość niezerową
w przypadku błędu.
.SH "SIGNAŁY"
.IX Header "SIGNAŁY"
Następujące sygnały mogą być użyte do sterowania programem w systemie Unix:
.IP "\s-1SIGHUP\s0" 4
.IX Item "SIGHUP"
Załaduj ponownie plik konfiguracyjny.
.Sp
Niektóre globalne opcje nie będą przeładowane:
.RS 4
.IP "\(bu" 4
chroot
.IP "\(bu" 4
foreground
.IP "\(bu" 4
pid
.IP "\(bu" 4
setgid
.IP "\(bu" 4
setuid
.RE
.RS 4
.Sp
Jeżeli wykorzystywana jest opcja 'setuid' stunnel nie będzie mógł załadować
ponownie konfiguracji wykorzystującej uprzywilejowane (<1024) porty.
.Sp
Jeżeli wykorzystywana jest opcja 'chroot' stunnel będzie szukał wszystkich
potrzebnych plików (łącznie z plikiem konfiguracyjnym, certyfikatami, logiem i
plikiem pid) wewnątrz katalogu wskazanego przez 'chroot'.
.RE
.IP "\s-1SIGUSR1\s0" 4
.IX Item "SIGUSR1"
Zamknij i otwórz ponownie log.
Funkcja ta może zostać użyta w skrypcie rotującym log programu stunnel.
.IP "\s-1SIGTERM\s0, \s-1SIGQUIT\s0, \s-1SIGINT\s0" 4
.IX Item "SIGTERM, SIGQUIT, SIGINT"
Zakończ działanie programu.
.PP
Skutek wysłania innych sygnałów jest niezdefiniowany.
.SH "PRZYKŁADY"
.IX Header "PRZYKŁADY"
Szyfrowanie połączeń do lokalnego serwera \fIimapd\fR można użyć:
.PP
.Vb 4
\& [imapd]
\& accept = 993
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.PP
albo w trybie zdalnym:
.PP
.Vb 3
\& [imapd]
\& accept = 993
\& connect = 143
.Ve
.PP
W połączeniu z programem \fIpppd\fR \fBstunnel\fR pozwala zestawić prosty \s-1VPN\s0.
Po stronie serwera nasłuchującego na porcie 2020 jego konfiguracja
może wyglądać następująco:
.PP
.Vb 5
\& [vpn]
\& accept = 2020
\& exec = /usr/sbin/pppd
\& execargs = pppd local
\& pty = yes
.Ve
.PP
Poniższy plik konfiguracyjny może być wykorzystany do uruchomienia
programu \fBstunnel\fR w trybie \fIinetd\fR. Warto zauważyć, że w pliku
konfiguracyjnym nie ma sekcji \fI[nazwa_usługi]\fR.
.PP
.Vb 2
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.SH "NOTKI"
.IX Header "NOTKI"
.SS "\s-1OGRANICZENIA\s0"
.IX Subsection "OGRANICZENIA"
\&\fIstunnel\fR nie może być używany do szyfrowania protokołu \fI\s-1FTP\s0\fR,
ponieważ do przesyłania poszczególnych plików używa on dodatkowych
połączeń otwieranych na portach o dynamicznie przydzielanych numerach.
Istnieją jednak specjalne wersje klientów i serwerów \s-1FTP\s0 pozwalające
na szyfrowanie przesyłanych danych przy pomocy protokołu \fI\s-1SSL\s0\fR.
.SS "\s-1TRYB\s0 \s-1INETD\s0 (tylko Unix)"
.IX Subsection "TRYB INETD (tylko Unix)"
W większości zastosowań \fBstunnel\fR samodzielnie nasłuchuje na porcie
podanym w pliku konfiguracyjnym i tworzy połączenie z innym portem
podanym w opcji \fIconnect\fR lub nowym programem podanym w opcji \fIexec\fR.
Niektórzy wolą jednak wykorzystywać oddzielny program, który odbiera
połączenia, po czym uruchamia program \fBstunnel\fR. Przykładami takich
programów są inetd, xinetd i tcpserver.
.PP
Przykładowa linia pliku /etc/inetd.conf może wyglądać tak:
.PP
.Vb 2
\& imaps stream tcp nowait root /usr/bin/stunnel
\& stunnel /etc/stunnel/imaps.conf
.Ve
.PP
Ponieważ w takich przypadkach połączenie na zdefiniowanym porcie
(tutaj \fIimaps\fR) nawiązuje osobny program (tutaj \fIinetd\fR), \fBstunnel\fR
nie może używać opcji \fIaccept\fR. W pliku konfiguracyjnym nie może
być również zdefiniowana żadna usługa (\fI[nazwa_usługi]\fR), ponieważ
konfiguracja taka pozwala na nawiązanie tylko jednego połączenia.
Wszystkie \fI\s-1OPCJE\s0 USŁUG\fR powinny być umieszczone razem z opcjami
globalnymi. Przykład takiej konfiguracji znajduje się w sekcji
\&\fIPRZYKŁADY\fR.
.SS "\s-1CERTYFIKATY\s0"
.IX Subsection "CERTYFIKATY"
Protokół \s-1SSL\s0 wymaga, aby każdy serwer przedstawiał się nawiązującemu
połączenie klientowi prawidłowym certyfikatem X.509.
Potwierdzenie tożsamości serwera polega na wykazaniu, że posiada on
odpowiadający certyfikatowi klucz prywatny.
Najprostszą metodą uzyskania certyfikatu jest wygenerowanie
go przy pomocy wolnego pakietu \fIOpenSSL\fR. Więcej informacji na temat
generowania certyfikatów można znaleźć na umieszczonych poniżej stronach.
.PP
Istotną kwestią jest kolejność zawartości pliku \fI.pem\fR.
W pierwszej kolejności powinien on zawierać klucz prywatny,
a dopiero za nim podpisany certyfikat (nie żądanie certyfikatu).
Po certyfikacie i kluczu prywatnym powinny znajdować się puste linie.
Jeżeli przed certyfikatem znajdują się dodatkowe informacje tekstowe,
to powinny one zostać usunięte. Otrzymany plik powinien mieć
następującą postać:
.PP
.Vb 8
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
\& [zakodowany klucz]
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
\& [pusta linia]
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
\& [zakodowany certyfikat]
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
\& [pusta linia]
.Ve
.SS "LOSOWOŚĆ"
.IX Subsection "LOSOWOŚĆ"
\&\fBstunnel\fR potrzebuje zainicjować \s-1PRNG\s0 (generator liczb pseudolosowych),
gdyż protokół \s-1SSL\s0 wymaga do bezpieczeństwa kryptograficznego źródła
dobrej losowości. Następujące źródła są kolejno odczytywane aż do
uzyskania wystarczającej ilości entropii:
.IP "\(bu" 4
Zawartość pliku podanego w opcji \fIRNDfile\fR.
.IP "\(bu" 4
Zawartość pliku o nazwie określonej przez zmienną środowiskową
\&\s-1RANDFILE\s0, o ile jest ona ustawiona.
.IP "\(bu" 4
Plik .rnd umieszczony w katalogu domowym użytkownika,
jeżeli zmienna \s-1RANDFILE\s0 nie jest ustawiona.
.IP "\(bu" 4
Plik podany w opcji '\-\-with\-random' w czasie konfiguracji programu.
.IP "\(bu" 4
Zawartość ekranu w systemie Windows.
.IP "\(bu" 4
Gniazdo egd, jeżeli użyta została opcja \fI\s-1EGD\s0\fR.
.IP "\(bu" 4
Gniazdo egd podane w opcji '\-\-with\-egd\-socket' w czasie konfiguracji
programu.
.IP "\(bu" 4
Urządzenie /dev/urandom.
.PP
Współczesne (>=0.9.5a) wersje biblioteki \fIOpenSSL\fR automatycznie
zaprzestają ładowania kolejnych danych w momencie uzyskania wystarczającej
ilości entropii. Wcześniejsze wersje biblioteki wykorzystają wszystkie
powyższe źródła, gdyż nie istnieje tam funkcja pozwalająca określić,
czy uzyskano już wystarczająco dużo danych.
.PP
Warto zwrócić uwagę, że na maszynach z systemem Windows, na których
konsoli nie pracuje użytkownik, zawartość ekranu nie jest wystarczająco
zmienna, aby zainicjować \s-1PRNG\s0. W takim przypadku do zainicjowania
generatora należy użyć opcji \fIRNDfile\fR.
.PP
Plik \fIRNDfile\fR powinien zawierać dane losowe \*(-- również w tym sensie,
że powinny być one inne przy każdym uruchomieniu programu \fBstunnel\fR.
O ile nie użyta została opcja \fIRNDoverwrite\fR jest to robione
automatycznie. Do ręcznego uzyskania takiego pliku użyteczna
może być komenda \fIopenssl rand\fR dostarczana ze współczesnymi
wersjami pakietu \fIOpenSSL\fR.
.PP
Jeszcze jedna istotna informacja \*(-- jeżeli dostępne jest urządzenie
\&\fI/dev/urandom\fR biblioteka \fIOpenSSL\fR ma zwyczaj zasilania nim \s-1PRNG\s0 w trakcie
sprawdzania stanu generatora. W systemach z \fI/dev/urandom\fR urządzenie
to będzie najprawdopodobniej użyte, pomimo że znajduje się na samym końcu
powyższej listy. Jest to właściwość biblioteki \fIOpenSSL\fR, a nie programu
\&\fIstunnel\fR.
.SS "\s-1PARAMETRY\s0 \s-1DH\s0"
.IX Subsection "PARAMETRY DH"
Począwszy od wersji 4.40 stunnel zawiera w kodzie programu 2048\-bitowe
parametry \s-1DH\s0.
.PP
Alternatywnie parametry \s-1DH\s0 można umieścić w pliku razem z certyfikatem:
.PP
.Vb 1
\& openssl dhparam 2048 >> stunnel.pem
.Ve
.PP
Wygenerowanie parametrów \s-1DH\s0 może zająć nawet wiele minut.
.SH "PLIKI"
.IX Header "PLIKI"
.IP "\fIstunnel.conf\fR" 4
.IX Item "stunnel.conf"
plik konfiguracyjny programu
.SH "BŁĘDY"
.IX Header "BŁĘDY"
Opcja \fIexecargs\fR nie obsługuje cytowania.
.SH "ZOBACZ RÓWNIEŻ"
.IX Header "ZOBACZ RÓWNIEŻ"
.IP "\fItcpd\fR\|(8)" 4
.IX Item "tcpd"
biblioteka kontroli dostępu do usług internetowych
.IP "\fIinetd\fR\|(8)" 4
.IX Item "inetd"
\&'super\-serwer' internetowy
.IP "\fIhttp://www.stunnel.org/\fR" 4
.IX Item "http://www.stunnel.org/"
strona domowa programu \fIstunnel\fR
.IP "\fIhttp://www.openssl.org/\fR" 4
.IX Item "http://www.openssl.org/"
strona projektu \fIOpenSSL\fR
.SH "AUTOR"
.IX Header "AUTOR"
.IP "Michał Trojnara" 4
.IX Item "Michał Trojnara"
<\fIMichal.Trojnara@mirt.net\fR>

1087
doc/stunnel.pl.html Normal file
View File

File diff suppressed because it is too large Load Diff

1035
doc/stunnel.pl.pod Normal file
View File

File diff suppressed because it is too large Load Diff

1004
doc/stunnel.pod Normal file
View File

File diff suppressed because it is too large Load Diff

7377
m4/libtool.m4 vendored Normal file
View File

File diff suppressed because it is too large Load Diff

368
m4/ltoptions.m4 vendored Normal file
View File

@ -0,0 +1,368 @@
# Helper functions for option handling. -*- Autoconf -*-
#
# Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc.
# Written by Gary V. Vaughan, 2004
#
# This file is free software; the Free Software Foundation gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
# serial 6 ltoptions.m4
# This is to help aclocal find these macros, as it can't see m4_define.
AC_DEFUN([LTOPTIONS_VERSION], [m4_if([1])])
# _LT_MANGLE_OPTION(MACRO-NAME, OPTION-NAME)
# ------------------------------------------
m4_define([_LT_MANGLE_OPTION],
[[_LT_OPTION_]m4_bpatsubst($1__$2, [[^a-zA-Z0-9_]], [_])])
# _LT_SET_OPTION(MACRO-NAME, OPTION-NAME)
# ---------------------------------------
# Set option OPTION-NAME for macro MACRO-NAME, and if there is a
# matching handler defined, dispatch to it. Other OPTION-NAMEs are
# saved as a flag.
m4_define([_LT_SET_OPTION],
[m4_define(_LT_MANGLE_OPTION([$1], [$2]))dnl
m4_ifdef(_LT_MANGLE_DEFUN([$1], [$2]),
_LT_MANGLE_DEFUN([$1], [$2]),
[m4_warning([Unknown $1 option `$2'])])[]dnl
])
# _LT_IF_OPTION(MACRO-NAME, OPTION-NAME, IF-SET, [IF-NOT-SET])
# ------------------------------------------------------------
# Execute IF-SET if OPTION is set, IF-NOT-SET otherwise.
m4_define([_LT_IF_OPTION],
[m4_ifdef(_LT_MANGLE_OPTION([$1], [$2]), [$3], [$4])])
# _LT_UNLESS_OPTIONS(MACRO-NAME, OPTION-LIST, IF-NOT-SET)
# -------------------------------------------------------
# Execute IF-NOT-SET unless all options in OPTION-LIST for MACRO-NAME
# are set.
m4_define([_LT_UNLESS_OPTIONS],
[m4_foreach([_LT_Option], m4_split(m4_normalize([$2])),
[m4_ifdef(_LT_MANGLE_OPTION([$1], _LT_Option),
[m4_define([$0_found])])])[]dnl
m4_ifdef([$0_found], [m4_undefine([$0_found])], [$3
])[]dnl
])
# _LT_SET_OPTIONS(MACRO-NAME, OPTION-LIST)
# ----------------------------------------
# OPTION-LIST is a space-separated list of Libtool options associated
# with MACRO-NAME. If any OPTION has a matching handler declared with
# LT_OPTION_DEFINE, dispatch to that macro; otherwise complain about
# the unknown option and exit.
m4_defun([_LT_SET_OPTIONS],
[# Set options
m4_foreach([_LT_Option], m4_split(m4_normalize([$2])),
[_LT_SET_OPTION([$1], _LT_Option)])
m4_if([$1],[LT_INIT],[
dnl
dnl Simply set some default values (i.e off) if boolean options were not
dnl specified:
_LT_UNLESS_OPTIONS([LT_INIT], [dlopen], [enable_dlopen=no
])
_LT_UNLESS_OPTIONS([LT_INIT], [win32-dll], [enable_win32_dll=no
])
dnl
dnl If no reference was made to various pairs of opposing options, then
dnl we run the default mode handler for the pair. For example, if neither
dnl `shared' nor `disable-shared' was passed, we enable building of shared
dnl archives by default:
_LT_UNLESS_OPTIONS([LT_INIT], [shared disable-shared], [_LT_ENABLE_SHARED])
_LT_UNLESS_OPTIONS([LT_INIT], [static disable-static], [_LT_ENABLE_STATIC])
_LT_UNLESS_OPTIONS([LT_INIT], [pic-only no-pic], [_LT_WITH_PIC])
_LT_UNLESS_OPTIONS([LT_INIT], [fast-install disable-fast-install],
[_LT_ENABLE_FAST_INSTALL])
])
])# _LT_SET_OPTIONS
## --------------------------------- ##
## Macros to handle LT_INIT options. ##
## --------------------------------- ##
# _LT_MANGLE_DEFUN(MACRO-NAME, OPTION-NAME)
# -----------------------------------------
m4_define([_LT_MANGLE_DEFUN],
[[_LT_OPTION_DEFUN_]m4_bpatsubst(m4_toupper([$1__$2]), [[^A-Z0-9_]], [_])])
# LT_OPTION_DEFINE(MACRO-NAME, OPTION-NAME, CODE)
# -----------------------------------------------
m4_define([LT_OPTION_DEFINE],
[m4_define(_LT_MANGLE_DEFUN([$1], [$2]), [$3])[]dnl
])# LT_OPTION_DEFINE
# dlopen
# ------
LT_OPTION_DEFINE([LT_INIT], [dlopen], [enable_dlopen=yes
])
AU_DEFUN([AC_LIBTOOL_DLOPEN],
[_LT_SET_OPTION([LT_INIT], [dlopen])
AC_DIAGNOSE([obsolete],
[$0: Remove this warning and the call to _LT_SET_OPTION when you
put the `dlopen' option into LT_INIT's first parameter.])
])
dnl aclocal-1.4 backwards compatibility:
dnl AC_DEFUN([AC_LIBTOOL_DLOPEN], [])
# win32-dll
# ---------
# Declare package support for building win32 dll's.
LT_OPTION_DEFINE([LT_INIT], [win32-dll],
[enable_win32_dll=yes
case $host in
*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-cegcc*)
AC_CHECK_TOOL(AS, as, false)
AC_CHECK_TOOL(DLLTOOL, dlltool, false)
AC_CHECK_TOOL(OBJDUMP, objdump, false)
;;
esac
test -z "$AS" && AS=as
_LT_DECL([], [AS], [0], [Assembler program])dnl
test -z "$DLLTOOL" && DLLTOOL=dlltool
_LT_DECL([], [DLLTOOL], [0], [DLL creation program])dnl
test -z "$OBJDUMP" && OBJDUMP=objdump
_LT_DECL([], [OBJDUMP], [0], [Object dumper program])dnl
])# win32-dll
AU_DEFUN([AC_LIBTOOL_WIN32_DLL],
[AC_REQUIRE([AC_CANONICAL_HOST])dnl
_LT_SET_OPTION([LT_INIT], [win32-dll])
AC_DIAGNOSE([obsolete],
[$0: Remove this warning and the call to _LT_SET_OPTION when you
put the `win32-dll' option into LT_INIT's first parameter.])
])
dnl aclocal-1.4 backwards compatibility:
dnl AC_DEFUN([AC_LIBTOOL_WIN32_DLL], [])
# _LT_ENABLE_SHARED([DEFAULT])
# ----------------------------
# implement the --enable-shared flag, and supports the `shared' and
# `disable-shared' LT_INIT options.
# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'.
m4_define([_LT_ENABLE_SHARED],
[m4_define([_LT_ENABLE_SHARED_DEFAULT], [m4_if($1, no, no, yes)])dnl
AC_ARG_ENABLE([shared],
[AS_HELP_STRING([--enable-shared@<:@=PKGS@:>@],
[build shared libraries @<:@default=]_LT_ENABLE_SHARED_DEFAULT[@:>@])],
[p=${PACKAGE-default}
case $enableval in
yes) enable_shared=yes ;;
no) enable_shared=no ;;
*)
enable_shared=no
# Look at the argument we got. We use all the common list separators.
lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
for pkg in $enableval; do
IFS="$lt_save_ifs"
if test "X$pkg" = "X$p"; then
enable_shared=yes
fi
done
IFS="$lt_save_ifs"
;;
esac],
[enable_shared=]_LT_ENABLE_SHARED_DEFAULT)
_LT_DECL([build_libtool_libs], [enable_shared], [0],
[Whether or not to build shared libraries])
])# _LT_ENABLE_SHARED
LT_OPTION_DEFINE([LT_INIT], [shared], [_LT_ENABLE_SHARED([yes])])
LT_OPTION_DEFINE([LT_INIT], [disable-shared], [_LT_ENABLE_SHARED([no])])
# Old names:
AC_DEFUN([AC_ENABLE_SHARED],
[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[shared])
])
AC_DEFUN([AC_DISABLE_SHARED],
[_LT_SET_OPTION([LT_INIT], [disable-shared])
])
AU_DEFUN([AM_ENABLE_SHARED], [AC_ENABLE_SHARED($@)])
AU_DEFUN([AM_DISABLE_SHARED], [AC_DISABLE_SHARED($@)])
dnl aclocal-1.4 backwards compatibility:
dnl AC_DEFUN([AM_ENABLE_SHARED], [])
dnl AC_DEFUN([AM_DISABLE_SHARED], [])
# _LT_ENABLE_STATIC([DEFAULT])
# ----------------------------
# implement the --enable-static flag, and support the `static' and
# `disable-static' LT_INIT options.
# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'.
m4_define([_LT_ENABLE_STATIC],
[m4_define([_LT_ENABLE_STATIC_DEFAULT], [m4_if($1, no, no, yes)])dnl
AC_ARG_ENABLE([static],
[AS_HELP_STRING([--enable-static@<:@=PKGS@:>@],
[build static libraries @<:@default=]_LT_ENABLE_STATIC_DEFAULT[@:>@])],
[p=${PACKAGE-default}
case $enableval in
yes) enable_static=yes ;;
no) enable_static=no ;;
*)
enable_static=no
# Look at the argument we got. We use all the common list separators.
lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
for pkg in $enableval; do
IFS="$lt_save_ifs"
if test "X$pkg" = "X$p"; then
enable_static=yes
fi
done
IFS="$lt_save_ifs"
;;
esac],
[enable_static=]_LT_ENABLE_STATIC_DEFAULT)
_LT_DECL([build_old_libs], [enable_static], [0],
[Whether or not to build static libraries])
])# _LT_ENABLE_STATIC
LT_OPTION_DEFINE([LT_INIT], [static], [_LT_ENABLE_STATIC([yes])])
LT_OPTION_DEFINE([LT_INIT], [disable-static], [_LT_ENABLE_STATIC([no])])
# Old names:
AC_DEFUN([AC_ENABLE_STATIC],
[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[static])
])
AC_DEFUN([AC_DISABLE_STATIC],
[_LT_SET_OPTION([LT_INIT], [disable-static])
])
AU_DEFUN([AM_ENABLE_STATIC], [AC_ENABLE_STATIC($@)])
AU_DEFUN([AM_DISABLE_STATIC], [AC_DISABLE_STATIC($@)])
dnl aclocal-1.4 backwards compatibility:
dnl AC_DEFUN([AM_ENABLE_STATIC], [])
dnl AC_DEFUN([AM_DISABLE_STATIC], [])
# _LT_ENABLE_FAST_INSTALL([DEFAULT])
# ----------------------------------
# implement the --enable-fast-install flag, and support the `fast-install'
# and `disable-fast-install' LT_INIT options.
# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'.
m4_define([_LT_ENABLE_FAST_INSTALL],
[m4_define([_LT_ENABLE_FAST_INSTALL_DEFAULT], [m4_if($1, no, no, yes)])dnl
AC_ARG_ENABLE([fast-install],
[AS_HELP_STRING([--enable-fast-install@<:@=PKGS@:>@],
[optimize for fast installation @<:@default=]_LT_ENABLE_FAST_INSTALL_DEFAULT[@:>@])],
[p=${PACKAGE-default}
case $enableval in
yes) enable_fast_install=yes ;;
no) enable_fast_install=no ;;
*)
enable_fast_install=no
# Look at the argument we got. We use all the common list separators.
lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
for pkg in $enableval; do
IFS="$lt_save_ifs"
if test "X$pkg" = "X$p"; then
enable_fast_install=yes
fi
done
IFS="$lt_save_ifs"
;;
esac],
[enable_fast_install=]_LT_ENABLE_FAST_INSTALL_DEFAULT)
_LT_DECL([fast_install], [enable_fast_install], [0],
[Whether or not to optimize for fast installation])dnl
])# _LT_ENABLE_FAST_INSTALL
LT_OPTION_DEFINE([LT_INIT], [fast-install], [_LT_ENABLE_FAST_INSTALL([yes])])
LT_OPTION_DEFINE([LT_INIT], [disable-fast-install], [_LT_ENABLE_FAST_INSTALL([no])])
# Old names:
AU_DEFUN([AC_ENABLE_FAST_INSTALL],
[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[fast-install])
AC_DIAGNOSE([obsolete],
[$0: Remove this warning and the call to _LT_SET_OPTION when you put
the `fast-install' option into LT_INIT's first parameter.])
])
AU_DEFUN([AC_DISABLE_FAST_INSTALL],
[_LT_SET_OPTION([LT_INIT], [disable-fast-install])
AC_DIAGNOSE([obsolete],
[$0: Remove this warning and the call to _LT_SET_OPTION when you put
the `disable-fast-install' option into LT_INIT's first parameter.])
])
dnl aclocal-1.4 backwards compatibility:
dnl AC_DEFUN([AC_ENABLE_FAST_INSTALL], [])
dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], [])
# _LT_WITH_PIC([MODE])
# --------------------
# implement the --with-pic flag, and support the `pic-only' and `no-pic'
# LT_INIT options.
# MODE is either `yes' or `no'. If omitted, it defaults to `both'.
m4_define([_LT_WITH_PIC],
[AC_ARG_WITH([pic],
[AS_HELP_STRING([--with-pic],
[try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
[pic_mode="$withval"],
[pic_mode=default])
test -z "$pic_mode" && pic_mode=m4_default([$1], [default])
_LT_DECL([], [pic_mode], [0], [What type of objects to build])dnl
])# _LT_WITH_PIC
LT_OPTION_DEFINE([LT_INIT], [pic-only], [_LT_WITH_PIC([yes])])
LT_OPTION_DEFINE([LT_INIT], [no-pic], [_LT_WITH_PIC([no])])
# Old name:
AU_DEFUN([AC_LIBTOOL_PICMODE],
[_LT_SET_OPTION([LT_INIT], [pic-only])
AC_DIAGNOSE([obsolete],
[$0: Remove this warning and the call to _LT_SET_OPTION when you
put the `pic-only' option into LT_INIT's first parameter.])
])
dnl aclocal-1.4 backwards compatibility:
dnl AC_DEFUN([AC_LIBTOOL_PICMODE], [])
## ----------------- ##
## LTDL_INIT Options ##
## ----------------- ##
m4_define([_LTDL_MODE], [])
LT_OPTION_DEFINE([LTDL_INIT], [nonrecursive],
[m4_define([_LTDL_MODE], [nonrecursive])])
LT_OPTION_DEFINE([LTDL_INIT], [recursive],
[m4_define([_LTDL_MODE], [recursive])])
LT_OPTION_DEFINE([LTDL_INIT], [subproject],
[m4_define([_LTDL_MODE], [subproject])])
m4_define([_LTDL_TYPE], [])
LT_OPTION_DEFINE([LTDL_INIT], [installable],
[m4_define([_LTDL_TYPE], [installable])])
LT_OPTION_DEFINE([LTDL_INIT], [convenience],
[m4_define([_LTDL_TYPE], [convenience])])

123
m4/ltsugar.m4 vendored Normal file
View File

@ -0,0 +1,123 @@
# ltsugar.m4 -- libtool m4 base layer. -*-Autoconf-*-
#
# Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc.
# Written by Gary V. Vaughan, 2004
#
# This file is free software; the Free Software Foundation gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
# serial 6 ltsugar.m4
# This is to help aclocal find these macros, as it can't see m4_define.
AC_DEFUN([LTSUGAR_VERSION], [m4_if([0.1])])
# lt_join(SEP, ARG1, [ARG2...])
# -----------------------------
# Produce ARG1SEPARG2...SEPARGn, omitting [] arguments and their
# associated separator.
# Needed until we can rely on m4_join from Autoconf 2.62, since all earlier
# versions in m4sugar had bugs.
m4_define([lt_join],
[m4_if([$#], [1], [],
[$#], [2], [[$2]],
[m4_if([$2], [], [], [[$2]_])$0([$1], m4_shift(m4_shift($@)))])])
m4_define([_lt_join],
[m4_if([$#$2], [2], [],
[m4_if([$2], [], [], [[$1$2]])$0([$1], m4_shift(m4_shift($@)))])])
# lt_car(LIST)
# lt_cdr(LIST)
# ------------
# Manipulate m4 lists.
# These macros are necessary as long as will still need to support
# Autoconf-2.59 which quotes differently.
m4_define([lt_car], [[$1]])
m4_define([lt_cdr],
[m4_if([$#], 0, [m4_fatal([$0: cannot be called without arguments])],
[$#], 1, [],
[m4_dquote(m4_shift($@))])])
m4_define([lt_unquote], $1)
# lt_append(MACRO-NAME, STRING, [SEPARATOR])
# ------------------------------------------
# Redefine MACRO-NAME to hold its former content plus `SEPARATOR'`STRING'.
# Note that neither SEPARATOR nor STRING are expanded; they are appended
# to MACRO-NAME as is (leaving the expansion for when MACRO-NAME is invoked).
# No SEPARATOR is output if MACRO-NAME was previously undefined (different
# than defined and empty).
#
# This macro is needed until we can rely on Autoconf 2.62, since earlier
# versions of m4sugar mistakenly expanded SEPARATOR but not STRING.
m4_define([lt_append],
[m4_define([$1],
m4_ifdef([$1], [m4_defn([$1])[$3]])[$2])])
# lt_combine(SEP, PREFIX-LIST, INFIX, SUFFIX1, [SUFFIX2...])
# ----------------------------------------------------------
# Produce a SEP delimited list of all paired combinations of elements of
# PREFIX-LIST with SUFFIX1 through SUFFIXn. Each element of the list
# has the form PREFIXmINFIXSUFFIXn.
# Needed until we can rely on m4_combine added in Autoconf 2.62.
m4_define([lt_combine],
[m4_if(m4_eval([$# > 3]), [1],
[m4_pushdef([_Lt_sep], [m4_define([_Lt_sep], m4_defn([lt_car]))])]]dnl
[[m4_foreach([_Lt_prefix], [$2],
[m4_foreach([_Lt_suffix],
]m4_dquote(m4_dquote(m4_shift(m4_shift(m4_shift($@)))))[,
[_Lt_sep([$1])[]m4_defn([_Lt_prefix])[$3]m4_defn([_Lt_suffix])])])])])
# lt_if_append_uniq(MACRO-NAME, VARNAME, [SEPARATOR], [UNIQ], [NOT-UNIQ])
# -----------------------------------------------------------------------
# Iff MACRO-NAME does not yet contain VARNAME, then append it (delimited
# by SEPARATOR if supplied) and expand UNIQ, else NOT-UNIQ.
m4_define([lt_if_append_uniq],
[m4_ifdef([$1],
[m4_if(m4_index([$3]m4_defn([$1])[$3], [$3$2$3]), [-1],
[lt_append([$1], [$2], [$3])$4],
[$5])],
[lt_append([$1], [$2], [$3])$4])])
# lt_dict_add(DICT, KEY, VALUE)
# -----------------------------
m4_define([lt_dict_add],
[m4_define([$1($2)], [$3])])
# lt_dict_add_subkey(DICT, KEY, SUBKEY, VALUE)
# --------------------------------------------
m4_define([lt_dict_add_subkey],
[m4_define([$1($2:$3)], [$4])])
# lt_dict_fetch(DICT, KEY, [SUBKEY])
# ----------------------------------
m4_define([lt_dict_fetch],
[m4_ifval([$3],
m4_ifdef([$1($2:$3)], [m4_defn([$1($2:$3)])]),
m4_ifdef([$1($2)], [m4_defn([$1($2)])]))])
# lt_if_dict_fetch(DICT, KEY, [SUBKEY], VALUE, IF-TRUE, [IF-FALSE])
# -----------------------------------------------------------------
m4_define([lt_if_dict_fetch],
[m4_if(lt_dict_fetch([$1], [$2], [$3]), [$4],
[$5],
[$6])])
# lt_dict_filter(DICT, [SUBKEY], VALUE, [SEPARATOR], KEY, [...])
# --------------------------------------------------------------
m4_define([lt_dict_filter],
[m4_if([$5], [], [],
[lt_join(m4_quote(m4_default([$4], [[, ]])),
lt_unquote(m4_split(m4_normalize(m4_foreach(_Lt_key, lt_car([m4_shiftn(4, $@)]),
[lt_if_dict_fetch([$1], _Lt_key, [$2], [$3], [_Lt_key ])])))))])[]dnl
])

23
m4/ltversion.m4 vendored Normal file
View File

@ -0,0 +1,23 @@
# ltversion.m4 -- version numbers -*- Autoconf -*-
#
# Copyright (C) 2004 Free Software Foundation, Inc.
# Written by Scott James Remnant, 2004
#
# This file is free software; the Free Software Foundation gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
# Generated from ltversion.in.
# serial 3017 ltversion.m4
# This file is part of GNU Libtool
m4_define([LT_PACKAGE_VERSION], [2.2.6b])
m4_define([LT_PACKAGE_REVISION], [1.3017])
AC_DEFUN([LTVERSION_VERSION],
[macro_version='2.2.6b'
macro_revision='1.3017'
_LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?])
_LT_DECL(, macro_revision, 0)
])

92
m4/lt~obsolete.m4 vendored Normal file
View File

@ -0,0 +1,92 @@
# lt~obsolete.m4 -- aclocal satisfying obsolete definitions. -*-Autoconf-*-
#
# Copyright (C) 2004, 2005, 2007 Free Software Foundation, Inc.
# Written by Scott James Remnant, 2004.
#
# This file is free software; the Free Software Foundation gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
# serial 4 lt~obsolete.m4
# These exist entirely to fool aclocal when bootstrapping libtool.
#
# In the past libtool.m4 has provided macros via AC_DEFUN (or AU_DEFUN)
# which have later been changed to m4_define as they aren't part of the
# exported API, or moved to Autoconf or Automake where they belong.
#
# The trouble is, aclocal is a bit thick. It'll see the old AC_DEFUN
# in /usr/share/aclocal/libtool.m4 and remember it, then when it sees us
# using a macro with the same name in our local m4/libtool.m4 it'll
# pull the old libtool.m4 in (it doesn't see our shiny new m4_define
# and doesn't know about Autoconf macros at all.)
#
# So we provide this file, which has a silly filename so it's always
# included after everything else. This provides aclocal with the
# AC_DEFUNs it wants, but when m4 processes it, it doesn't do anything
# because those macros already exist, or will be overwritten later.
# We use AC_DEFUN over AU_DEFUN for compatibility with aclocal-1.6.
#
# Anytime we withdraw an AC_DEFUN or AU_DEFUN, remember to add it here.
# Yes, that means every name once taken will need to remain here until
# we give up compatibility with versions before 1.7, at which point
# we need to keep only those names which we still refer to.
# This is to help aclocal find these macros, as it can't see m4_define.
AC_DEFUN([LTOBSOLETE_VERSION], [m4_if([1])])
m4_ifndef([AC_LIBTOOL_LINKER_OPTION], [AC_DEFUN([AC_LIBTOOL_LINKER_OPTION])])
m4_ifndef([AC_PROG_EGREP], [AC_DEFUN([AC_PROG_EGREP])])
m4_ifndef([_LT_AC_PROG_ECHO_BACKSLASH], [AC_DEFUN([_LT_AC_PROG_ECHO_BACKSLASH])])
m4_ifndef([_LT_AC_SHELL_INIT], [AC_DEFUN([_LT_AC_SHELL_INIT])])
m4_ifndef([_LT_AC_SYS_LIBPATH_AIX], [AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX])])
m4_ifndef([_LT_PROG_LTMAIN], [AC_DEFUN([_LT_PROG_LTMAIN])])
m4_ifndef([_LT_AC_TAGVAR], [AC_DEFUN([_LT_AC_TAGVAR])])
m4_ifndef([AC_LTDL_ENABLE_INSTALL], [AC_DEFUN([AC_LTDL_ENABLE_INSTALL])])
m4_ifndef([AC_LTDL_PREOPEN], [AC_DEFUN([AC_LTDL_PREOPEN])])
m4_ifndef([_LT_AC_SYS_COMPILER], [AC_DEFUN([_LT_AC_SYS_COMPILER])])
m4_ifndef([_LT_AC_LOCK], [AC_DEFUN([_LT_AC_LOCK])])
m4_ifndef([AC_LIBTOOL_SYS_OLD_ARCHIVE], [AC_DEFUN([AC_LIBTOOL_SYS_OLD_ARCHIVE])])
m4_ifndef([_LT_AC_TRY_DLOPEN_SELF], [AC_DEFUN([_LT_AC_TRY_DLOPEN_SELF])])
m4_ifndef([AC_LIBTOOL_PROG_CC_C_O], [AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O])])
m4_ifndef([AC_LIBTOOL_SYS_HARD_LINK_LOCKS], [AC_DEFUN([AC_LIBTOOL_SYS_HARD_LINK_LOCKS])])
m4_ifndef([AC_LIBTOOL_OBJDIR], [AC_DEFUN([AC_LIBTOOL_OBJDIR])])
m4_ifndef([AC_LTDL_OBJDIR], [AC_DEFUN([AC_LTDL_OBJDIR])])
m4_ifndef([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH], [AC_DEFUN([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH])])
m4_ifndef([AC_LIBTOOL_SYS_LIB_STRIP], [AC_DEFUN([AC_LIBTOOL_SYS_LIB_STRIP])])
m4_ifndef([AC_PATH_MAGIC], [AC_DEFUN([AC_PATH_MAGIC])])
m4_ifndef([AC_PROG_LD_GNU], [AC_DEFUN([AC_PROG_LD_GNU])])
m4_ifndef([AC_PROG_LD_RELOAD_FLAG], [AC_DEFUN([AC_PROG_LD_RELOAD_FLAG])])
m4_ifndef([AC_DEPLIBS_CHECK_METHOD], [AC_DEFUN([AC_DEPLIBS_CHECK_METHOD])])
m4_ifndef([AC_LIBTOOL_PROG_COMPILER_NO_RTTI], [AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_NO_RTTI])])
m4_ifndef([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE], [AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE])])
m4_ifndef([AC_LIBTOOL_PROG_COMPILER_PIC], [AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_PIC])])
m4_ifndef([AC_LIBTOOL_PROG_LD_SHLIBS], [AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS])])
m4_ifndef([AC_LIBTOOL_POSTDEP_PREDEP], [AC_DEFUN([AC_LIBTOOL_POSTDEP_PREDEP])])
m4_ifndef([LT_AC_PROG_EGREP], [AC_DEFUN([LT_AC_PROG_EGREP])])
m4_ifndef([LT_AC_PROG_SED], [AC_DEFUN([LT_AC_PROG_SED])])
m4_ifndef([_LT_CC_BASENAME], [AC_DEFUN([_LT_CC_BASENAME])])
m4_ifndef([_LT_COMPILER_BOILERPLATE], [AC_DEFUN([_LT_COMPILER_BOILERPLATE])])
m4_ifndef([_LT_LINKER_BOILERPLATE], [AC_DEFUN([_LT_LINKER_BOILERPLATE])])
m4_ifndef([_AC_PROG_LIBTOOL], [AC_DEFUN([_AC_PROG_LIBTOOL])])
m4_ifndef([AC_LIBTOOL_SETUP], [AC_DEFUN([AC_LIBTOOL_SETUP])])
m4_ifndef([_LT_AC_CHECK_DLFCN], [AC_DEFUN([_LT_AC_CHECK_DLFCN])])
m4_ifndef([AC_LIBTOOL_SYS_DYNAMIC_LINKER], [AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER])])
m4_ifndef([_LT_AC_TAGCONFIG], [AC_DEFUN([_LT_AC_TAGCONFIG])])
m4_ifndef([AC_DISABLE_FAST_INSTALL], [AC_DEFUN([AC_DISABLE_FAST_INSTALL])])
m4_ifndef([_LT_AC_LANG_CXX], [AC_DEFUN([_LT_AC_LANG_CXX])])
m4_ifndef([_LT_AC_LANG_F77], [AC_DEFUN([_LT_AC_LANG_F77])])
m4_ifndef([_LT_AC_LANG_GCJ], [AC_DEFUN([_LT_AC_LANG_GCJ])])
m4_ifndef([AC_LIBTOOL_RC], [AC_DEFUN([AC_LIBTOOL_RC])])
m4_ifndef([AC_LIBTOOL_LANG_C_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG])])
m4_ifndef([_LT_AC_LANG_C_CONFIG], [AC_DEFUN([_LT_AC_LANG_C_CONFIG])])
m4_ifndef([AC_LIBTOOL_LANG_CXX_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG])])
m4_ifndef([_LT_AC_LANG_CXX_CONFIG], [AC_DEFUN([_LT_AC_LANG_CXX_CONFIG])])
m4_ifndef([AC_LIBTOOL_LANG_F77_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_F77_CONFIG])])
m4_ifndef([_LT_AC_LANG_F77_CONFIG], [AC_DEFUN([_LT_AC_LANG_F77_CONFIG])])
m4_ifndef([AC_LIBTOOL_LANG_GCJ_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_GCJ_CONFIG])])
m4_ifndef([_LT_AC_LANG_GCJ_CONFIG], [AC_DEFUN([_LT_AC_LANG_GCJ_CONFIG])])
m4_ifndef([AC_LIBTOOL_LANG_RC_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG])])
m4_ifndef([_LT_AC_LANG_RC_CONFIG], [AC_DEFUN([_LT_AC_LANG_RC_CONFIG])])
m4_ifndef([AC_LIBTOOL_CONFIG], [AC_DEFUN([AC_LIBTOOL_CONFIG])])
m4_ifndef([_LT_AC_FILE_LTDLL_C], [AC_DEFUN([_LT_AC_FILE_LTDLL_C])])

73
src/Makefile.am Normal file
View File

@ -0,0 +1,73 @@
## Process this file with automake to produce Makefile.in
# File lists
common_headers = common.h prototypes.h version.h
common_sources = str.c file.c client.c log.c options.c protocol.c network.c
common_sources += resolver.c ssl.c ctx.c verify.c sthreads.c fd.c stunnel.c
unix_sources = pty.c libwrap.c
shared_sources = env.c
win32_sources = gui.c resources.h resources.rc stunnel.ico
# Unix executables
bin_PROGRAMS = stunnel
stunnel_SOURCES = $(common_headers) $(common_sources) $(unix_sources)
bin_SCRIPTS = stunnel3
# Unix shared library
pkglib_LTLIBRARIES = libstunnel.la
libstunnel_la_SOURCES = $(shared_sources)
libstunnel_la_LDFLAGS = -avoid-version
# Red Hat "by design" bug #82369
stunnel_CPPFLAGS = -I/usr/kerberos/include
# Additional preprocesor definitions
stunnel_CPPFLAGS += -I$(SSLDIR)/include
stunnel_CPPFLAGS += -DLIBDIR='"$(pkglibdir)"'
stunnel_CPPFLAGS += -DCONFDIR='"$(sysconfdir)/stunnel"'
stunnel_CPPFLAGS += -DPIDFILE='"$(localstatedir)/run/stunnel/stunnel.pid"'
# SSL library
stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto
# Win32 executable
EXTRA_DIST = nogui.c make.bat makece.bat makew32.bat
EXTRA_DIST += mingw.mak evc.mak vc.mak os2.mak
EXTRA_PROGRAMS = stunnel.exe
stunnel_exe_SOURCES = $(common_headers) $(common_sources) $(win32_sources)
OPENSSLDIR = /usr/src/openssl-0.9.8s-fips
WINCPPFLAGS = -I$(OPENSSLDIR)/inc32
# OPENSSLDIR = /usr/src/openssl-1.0.0f-i586
# WINCPPFLAGS = -I$(OPENSSLDIR)/include
WINCFLAGS = -mthreads -fstack-protector -O2 -Wall -Wextra -Wno-long-long -pedantic
WINLDFLAGS = -mthreads -fstack-protector -mwindows -s
WINLIBS = -L$(OPENSSLDIR) -lcrypto -lssl -lpsapi -lws2_32 -lgdi32
# WINLIBS = -L$(OPENSSLDIR) -lzdll -lcrypto.dll -lssl.dll -lpsapi -lws2_32 -lgdi32
# WINLIBS = -L$(OPENSSLDIR) -lzdll -lcrypto -lssl -lpsapi -lws2_32 -lgdi32
WINOBJ = str.obj file.obj client.obj log.obj options.obj protocol.obj
WINOBJ += network.obj resolver.obj ssl.obj ctx.obj verify.obj sthreads.obj
WINOBJ += fd.obj stunnel.obj gui.obj resources.obj
WINPREFIX = i586-mingw32msvc-
WINGCC = $(WINPREFIX)gcc
WINDRES = $(WINPREFIX)windres
dist-hook: stunnel.exe
distclean-local:
rm -f stunnel.exe
# SUFFIXES = .c .rc .obj
stunnel.exe: $(WINOBJ)
$(WINGCC) $(WINLDFLAGS) -o stunnel.exe $(WINOBJ) $(WINLIBS)
%.obj: %.c $(common_headers)
$(WINGCC) -c $(WINCPPFLAGS) $(WINCFLAGS) -o $@ $<
resources.obj: resources.rc resources.h version.h
$(WINDRES) --include-dir $(srcdir) $< $@
mostlyclean-local:
-rm -f *.obj

986
src/Makefile.in Normal file
View File

@ -0,0 +1,986 @@
# Makefile.in generated by automake 1.11.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
# Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
@SET_MAKE@
VPATH = @srcdir@
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
bin_PROGRAMS = stunnel$(EXEEXT)
EXTRA_PROGRAMS = stunnel.exe$(EXEEXT)
subdir = src
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
$(srcdir)/config.h.in $(srcdir)/stunnel3.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = config.h
CONFIG_CLEAN_FILES = stunnel3
CONFIG_CLEAN_VPATH_FILES =
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
*) f=$$p;; \
esac;
am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
am__install_max = 40
am__nobase_strip_setup = \
srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
am__nobase_strip = \
for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
am__nobase_list = $(am__nobase_strip_setup); \
for p in $$list; do echo "$$p $$p"; done | \
sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
$(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
if (++n[$$2] == $(am__install_max)) \
{ print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
END { for (dir in files) print dir, files[dir] }'
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__installdirs = "$(DESTDIR)$(pkglibdir)" "$(DESTDIR)$(bindir)" \
"$(DESTDIR)$(bindir)"
LTLIBRARIES = $(pkglib_LTLIBRARIES)
libstunnel_la_LIBADD =
am__objects_1 = env.lo
am_libstunnel_la_OBJECTS = $(am__objects_1)
libstunnel_la_OBJECTS = $(am_libstunnel_la_OBJECTS)
libstunnel_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
$(libstunnel_la_LDFLAGS) $(LDFLAGS) -o $@
PROGRAMS = $(bin_PROGRAMS)
am__objects_2 =
am__objects_3 = stunnel-str.$(OBJEXT) stunnel-file.$(OBJEXT) \
stunnel-client.$(OBJEXT) stunnel-log.$(OBJEXT) \
stunnel-options.$(OBJEXT) stunnel-protocol.$(OBJEXT) \
stunnel-network.$(OBJEXT) stunnel-resolver.$(OBJEXT) \
stunnel-ssl.$(OBJEXT) stunnel-ctx.$(OBJEXT) \
stunnel-verify.$(OBJEXT) stunnel-sthreads.$(OBJEXT) \
stunnel-fd.$(OBJEXT) stunnel-stunnel.$(OBJEXT)
am__objects_4 = stunnel-pty.$(OBJEXT) stunnel-libwrap.$(OBJEXT)
am_stunnel_OBJECTS = $(am__objects_2) $(am__objects_3) \
$(am__objects_4)
stunnel_OBJECTS = $(am_stunnel_OBJECTS)
stunnel_LDADD = $(LDADD)
stunnel_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
--mode=link $(CCLD) $(stunnel_CFLAGS) $(CFLAGS) \
$(stunnel_LDFLAGS) $(LDFLAGS) -o $@
am__objects_5 = str.$(OBJEXT) file.$(OBJEXT) client.$(OBJEXT) \
log.$(OBJEXT) options.$(OBJEXT) protocol.$(OBJEXT) \
network.$(OBJEXT) resolver.$(OBJEXT) ssl.$(OBJEXT) \
ctx.$(OBJEXT) verify.$(OBJEXT) sthreads.$(OBJEXT) fd.$(OBJEXT) \
stunnel.$(OBJEXT)
am__objects_6 = gui.$(OBJEXT)
am_stunnel_exe_OBJECTS = $(am__objects_2) $(am__objects_5) \
$(am__objects_6)
stunnel_exe_OBJECTS = $(am_stunnel_exe_OBJECTS)
stunnel_exe_LDADD = $(LDADD)
SCRIPTS = $(bin_SCRIPTS)
DEFAULT_INCLUDES = -I.@am__isrc@
depcomp = $(SHELL) $(top_srcdir)/auto/depcomp
am__depfiles_maybe = depfiles
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
CCLD = $(CC)
LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
$(LDFLAGS) -o $@
SOURCES = $(libstunnel_la_SOURCES) $(stunnel_SOURCES) \
$(stunnel_exe_SOURCES)
DIST_SOURCES = $(libstunnel_la_SOURCES) $(stunnel_SOURCES) \
$(stunnel_exe_SOURCES)
ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFAULT_GROUP = @DEFAULT_GROUP@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GREP = @GREP@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LD = @LD@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
LIBTOOL_DEPS = @LIBTOOL_DEPS@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
RANDOM_FILE = @RANDOM_FILE@
RANLIB = @RANLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SSLDIR = @SSLDIR@
STRIP = @STRIP@
VERSION = @VERSION@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
lt_ECHO = @lt_ECHO@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
stunnel_CFLAGS = @stunnel_CFLAGS@
stunnel_LDFLAGF = @stunnel_LDFLAGF@
# SSL library
stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
# File lists
common_headers = common.h prototypes.h version.h
common_sources = str.c file.c client.c log.c options.c protocol.c \
network.c resolver.c ssl.c ctx.c verify.c sthreads.c fd.c \
stunnel.c
unix_sources = pty.c libwrap.c
shared_sources = env.c
win32_sources = gui.c resources.h resources.rc stunnel.ico
stunnel_SOURCES = $(common_headers) $(common_sources) $(unix_sources)
bin_SCRIPTS = stunnel3
# Unix shared library
pkglib_LTLIBRARIES = libstunnel.la
libstunnel_la_SOURCES = $(shared_sources)
libstunnel_la_LDFLAGS = -avoid-version
# Red Hat "by design" bug #82369
# Additional preprocesor definitions
stunnel_CPPFLAGS = -I/usr/kerberos/include -I$(SSLDIR)/include \
-DLIBDIR='"$(pkglibdir)"' -DCONFDIR='"$(sysconfdir)/stunnel"' \
-DPIDFILE='"$(localstatedir)/run/stunnel/stunnel.pid"'
# Win32 executable
EXTRA_DIST = nogui.c make.bat makece.bat makew32.bat mingw.mak evc.mak \
vc.mak os2.mak
stunnel_exe_SOURCES = $(common_headers) $(common_sources) $(win32_sources)
OPENSSLDIR = /usr/src/openssl-0.9.8s-fips
WINCPPFLAGS = -I$(OPENSSLDIR)/inc32
# OPENSSLDIR = /usr/src/openssl-1.0.0f-i586
# WINCPPFLAGS = -I$(OPENSSLDIR)/include
WINCFLAGS = -mthreads -fstack-protector -O2 -Wall -Wextra -Wno-long-long -pedantic
WINLDFLAGS = -mthreads -fstack-protector -mwindows -s
WINLIBS = -L$(OPENSSLDIR) -lcrypto -lssl -lpsapi -lws2_32 -lgdi32
# WINLIBS = -L$(OPENSSLDIR) -lzdll -lcrypto.dll -lssl.dll -lpsapi -lws2_32 -lgdi32
# WINLIBS = -L$(OPENSSLDIR) -lzdll -lcrypto -lssl -lpsapi -lws2_32 -lgdi32
WINOBJ = str.obj file.obj client.obj log.obj options.obj protocol.obj \
network.obj resolver.obj ssl.obj ctx.obj verify.obj \
sthreads.obj fd.obj stunnel.obj gui.obj resources.obj
WINPREFIX = i586-mingw32msvc-
WINGCC = $(WINPREFIX)gcc
WINDRES = $(WINPREFIX)windres
all: config.h
$(MAKE) $(AM_MAKEFLAGS) all-am
.SUFFIXES:
.SUFFIXES: .c .lo .o .obj
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
&& { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --gnu src/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(top_srcdir)/configure: $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
config.h: stamp-h1
@if test ! -f $@; then \
rm -f stamp-h1; \
$(MAKE) $(AM_MAKEFLAGS) stamp-h1; \
else :; fi
stamp-h1: $(srcdir)/config.h.in $(top_builddir)/config.status
@rm -f stamp-h1
cd $(top_builddir) && $(SHELL) ./config.status src/config.h
$(srcdir)/config.h.in: $(am__configure_deps)
($(am__cd) $(top_srcdir) && $(AUTOHEADER))
rm -f stamp-h1
touch $@
distclean-hdr:
-rm -f config.h stamp-h1
stunnel3: $(top_builddir)/config.status $(srcdir)/stunnel3.in
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
install-pkglibLTLIBRARIES: $(pkglib_LTLIBRARIES)
@$(NORMAL_INSTALL)
test -z "$(pkglibdir)" || $(MKDIR_P) "$(DESTDIR)$(pkglibdir)"
@list='$(pkglib_LTLIBRARIES)'; test -n "$(pkglibdir)" || list=; \
list2=; for p in $$list; do \
if test -f $$p; then \
list2="$$list2 $$p"; \
else :; fi; \
done; \
test -z "$$list2" || { \
echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(pkglibdir)'"; \
$(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(pkglibdir)"; \
}
uninstall-pkglibLTLIBRARIES:
@$(NORMAL_UNINSTALL)
@list='$(pkglib_LTLIBRARIES)'; test -n "$(pkglibdir)" || list=; \
for p in $$list; do \
$(am__strip_dir) \
echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(pkglibdir)/$$f'"; \
$(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(pkglibdir)/$$f"; \
done
clean-pkglibLTLIBRARIES:
-test -z "$(pkglib_LTLIBRARIES)" || rm -f $(pkglib_LTLIBRARIES)
@list='$(pkglib_LTLIBRARIES)'; for p in $$list; do \
dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
test "$$dir" != "$$p" || dir=.; \
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
libstunnel.la: $(libstunnel_la_OBJECTS) $(libstunnel_la_DEPENDENCIES)
$(libstunnel_la_LINK) -rpath $(pkglibdir) $(libstunnel_la_OBJECTS) $(libstunnel_la_LIBADD) $(LIBS)
install-binPROGRAMS: $(bin_PROGRAMS)
@$(NORMAL_INSTALL)
test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
for p in $$list; do echo "$$p $$p"; done | \
sed 's/$(EXEEXT)$$//' | \
while read p p1; do if test -f $$p || test -f $$p1; \
then echo "$$p"; echo "$$p"; else :; fi; \
done | \
sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
-e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
sed 'N;N;N;s,\n, ,g' | \
$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
{ d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
if ($$2 == $$4) files[d] = files[d] " " $$1; \
else { print "f", $$3 "/" $$4, $$1; } } \
END { for (d in files) print "f", d, files[d] }' | \
while read type dir files; do \
if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
test -z "$$files" || { \
echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \
$(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \
} \
; done
uninstall-binPROGRAMS:
@$(NORMAL_UNINSTALL)
@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
files=`for p in $$list; do echo "$$p"; done | \
sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
-e 's/$$/$(EXEEXT)/' `; \
test -n "$$list" || exit 0; \
echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(bindir)" && rm -f $$files
clean-binPROGRAMS:
@list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \
echo " rm -f" $$list; \
rm -f $$list || exit $$?; \
test -n "$(EXEEXT)" || exit 0; \
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
stunnel$(EXEEXT): $(stunnel_OBJECTS) $(stunnel_DEPENDENCIES)
@rm -f stunnel$(EXEEXT)
$(stunnel_LINK) $(stunnel_OBJECTS) $(stunnel_LDADD) $(LIBS)
install-binSCRIPTS: $(bin_SCRIPTS)
@$(NORMAL_INSTALL)
test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
@list='$(bin_SCRIPTS)'; test -n "$(bindir)" || list=; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
done | \
sed -e 'p;s,.*/,,;n' \
-e 'h;s|.*|.|' \
-e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \
$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \
{ d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
if ($$2 == $$4) { files[d] = files[d] " " $$1; \
if (++n[d] == $(am__install_max)) { \
print "f", d, files[d]; n[d] = 0; files[d] = "" } } \
else { print "f", d "/" $$4, $$1 } } \
END { for (d in files) print "f", d, files[d] }' | \
while read type dir files; do \
if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
test -z "$$files" || { \
echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(bindir)$$dir'"; \
$(INSTALL_SCRIPT) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \
} \
; done
uninstall-binSCRIPTS:
@$(NORMAL_UNINSTALL)
@list='$(bin_SCRIPTS)'; test -n "$(bindir)" || exit 0; \
files=`for p in $$list; do echo "$$p"; done | \
sed -e 's,.*/,,;$(transform)'`; \
test -n "$$list" || exit 0; \
echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(bindir)" && rm -f $$files
mostlyclean-compile:
-rm -f *.$(OBJEXT)
distclean-compile:
-rm -f *.tab.c
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/client.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ctx.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/env.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fd.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/file.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gui.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/network.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/options.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/protocol.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolver.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ssl.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sthreads.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/str.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-client.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-ctx.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-fd.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-file.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-libwrap.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-log.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-network.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-options.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-protocol.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-pty.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-resolver.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-ssl.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-sthreads.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-str.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-stunnel.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel-verify.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stunnel.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/verify.Po@am__quote@
.c.o:
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(COMPILE) -c $<
.c.obj:
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
.c.lo:
@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
stunnel-str.o: str.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-str.o -MD -MP -MF $(DEPDIR)/stunnel-str.Tpo -c -o stunnel-str.o `test -f 'str.c' || echo '$(srcdir)/'`str.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-str.Tpo $(DEPDIR)/stunnel-str.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='str.c' object='stunnel-str.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-str.o `test -f 'str.c' || echo '$(srcdir)/'`str.c
stunnel-str.obj: str.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-str.obj -MD -MP -MF $(DEPDIR)/stunnel-str.Tpo -c -o stunnel-str.obj `if test -f 'str.c'; then $(CYGPATH_W) 'str.c'; else $(CYGPATH_W) '$(srcdir)/str.c'; fi`
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-str.Tpo $(DEPDIR)/stunnel-str.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='str.c' object='stunnel-str.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-str.obj `if test -f 'str.c'; then $(CYGPATH_W) 'str.c'; else $(CYGPATH_W) '$(srcdir)/str.c'; fi`
stunnel-file.o: file.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-file.o -MD -MP -MF $(DEPDIR)/stunnel-file.Tpo -c -o stunnel-file.o `test -f 'file.c' || echo '$(srcdir)/'`file.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-file.Tpo $(DEPDIR)/stunnel-file.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='file.c' object='stunnel-file.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-file.o `test -f 'file.c' || echo '$(srcdir)/'`file.c
stunnel-file.obj: file.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-file.obj -MD -MP -MF $(DEPDIR)/stunnel-file.Tpo -c -o stunnel-file.obj `if test -f 'file.c'; then $(CYGPATH_W) 'file.c'; else $(CYGPATH_W) '$(srcdir)/file.c'; fi`
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-file.Tpo $(DEPDIR)/stunnel-file.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='file.c' object='stunnel-file.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-file.obj `if test -f 'file.c'; then $(CYGPATH_W) 'file.c'; else $(CYGPATH_W) '$(srcdir)/file.c'; fi`
stunnel-client.o: client.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-client.o -MD -MP -MF $(DEPDIR)/stunnel-client.Tpo -c -o stunnel-client.o `test -f 'client.c' || echo '$(srcdir)/'`client.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-client.Tpo $(DEPDIR)/stunnel-client.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='client.c' object='stunnel-client.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-client.o `test -f 'client.c' || echo '$(srcdir)/'`client.c
stunnel-client.obj: client.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-client.obj -MD -MP -MF $(DEPDIR)/stunnel-client.Tpo -c -o stunnel-client.obj `if test -f 'client.c'; then $(CYGPATH_W) 'client.c'; else $(CYGPATH_W) '$(srcdir)/client.c'; fi`
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-client.Tpo $(DEPDIR)/stunnel-client.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='client.c' object='stunnel-client.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-client.obj `if test -f 'client.c'; then $(CYGPATH_W) 'client.c'; else $(CYGPATH_W) '$(srcdir)/client.c'; fi`
stunnel-log.o: log.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-log.o -MD -MP -MF $(DEPDIR)/stunnel-log.Tpo -c -o stunnel-log.o `test -f 'log.c' || echo '$(srcdir)/'`log.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-log.Tpo $(DEPDIR)/stunnel-log.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='log.c' object='stunnel-log.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-log.o `test -f 'log.c' || echo '$(srcdir)/'`log.c
stunnel-log.obj: log.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-log.obj -MD -MP -MF $(DEPDIR)/stunnel-log.Tpo -c -o stunnel-log.obj `if test -f 'log.c'; then $(CYGPATH_W) 'log.c'; else $(CYGPATH_W) '$(srcdir)/log.c'; fi`
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-log.Tpo $(DEPDIR)/stunnel-log.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='log.c' object='stunnel-log.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-log.obj `if test -f 'log.c'; then $(CYGPATH_W) 'log.c'; else $(CYGPATH_W) '$(srcdir)/log.c'; fi`
stunnel-options.o: options.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-options.o -MD -MP -MF $(DEPDIR)/stunnel-options.Tpo -c -o stunnel-options.o `test -f 'options.c' || echo '$(srcdir)/'`options.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-options.Tpo $(DEPDIR)/stunnel-options.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='options.c' object='stunnel-options.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-options.o `test -f 'options.c' || echo '$(srcdir)/'`options.c
stunnel-options.obj: options.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-options.obj -MD -MP -MF $(DEPDIR)/stunnel-options.Tpo -c -o stunnel-options.obj `if test -f 'options.c'; then $(CYGPATH_W) 'options.c'; else $(CYGPATH_W) '$(srcdir)/options.c'; fi`
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-options.Tpo $(DEPDIR)/stunnel-options.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='options.c' object='stunnel-options.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-options.obj `if test -f 'options.c'; then $(CYGPATH_W) 'options.c'; else $(CYGPATH_W) '$(srcdir)/options.c'; fi`
stunnel-protocol.o: protocol.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-protocol.o -MD -MP -MF $(DEPDIR)/stunnel-protocol.Tpo -c -o stunnel-protocol.o `test -f 'protocol.c' || echo '$(srcdir)/'`protocol.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-protocol.Tpo $(DEPDIR)/stunnel-protocol.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='protocol.c' object='stunnel-protocol.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-protocol.o `test -f 'protocol.c' || echo '$(srcdir)/'`protocol.c
stunnel-protocol.obj: protocol.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-protocol.obj -MD -MP -MF $(DEPDIR)/stunnel-protocol.Tpo -c -o stunnel-protocol.obj `if test -f 'protocol.c'; then $(CYGPATH_W) 'protocol.c'; else $(CYGPATH_W) '$(srcdir)/protocol.c'; fi`
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-protocol.Tpo $(DEPDIR)/stunnel-protocol.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='protocol.c' object='stunnel-protocol.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-protocol.obj `if test -f 'protocol.c'; then $(CYGPATH_W) 'protocol.c'; else $(CYGPATH_W) '$(srcdir)/protocol.c'; fi`
stunnel-network.o: network.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-network.o -MD -MP -MF $(DEPDIR)/stunnel-network.Tpo -c -o stunnel-network.o `test -f 'network.c' || echo '$(srcdir)/'`network.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-network.Tpo $(DEPDIR)/stunnel-network.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network.c' object='stunnel-network.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-network.o `test -f 'network.c' || echo '$(srcdir)/'`network.c
stunnel-network.obj: network.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-network.obj -MD -MP -MF $(DEPDIR)/stunnel-network.Tpo -c -o stunnel-network.obj `if test -f 'network.c'; then $(CYGPATH_W) 'network.c'; else $(CYGPATH_W) '$(srcdir)/network.c'; fi`
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-network.Tpo $(DEPDIR)/stunnel-network.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network.c' object='stunnel-network.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-network.obj `if test -f 'network.c'; then $(CYGPATH_W) 'network.c'; else $(CYGPATH_W) '$(srcdir)/network.c'; fi`
stunnel-resolver.o: resolver.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-resolver.o -MD -MP -MF $(DEPDIR)/stunnel-resolver.Tpo -c -o stunnel-resolver.o `test -f 'resolver.c' || echo '$(srcdir)/'`resolver.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-resolver.Tpo $(DEPDIR)/stunnel-resolver.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='resolver.c' object='stunnel-resolver.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-resolver.o `test -f 'resolver.c' || echo '$(srcdir)/'`resolver.c
stunnel-resolver.obj: resolver.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-resolver.obj -MD -MP -MF $(DEPDIR)/stunnel-resolver.Tpo -c -o stunnel-resolver.obj `if test -f 'resolver.c'; then $(CYGPATH_W) 'resolver.c'; else $(CYGPATH_W) '$(srcdir)/resolver.c'; fi`
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-resolver.Tpo $(DEPDIR)/stunnel-resolver.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='resolver.c' object='stunnel-resolver.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-resolver.obj `if test -f 'resolver.c'; then $(CYGPATH_W) 'resolver.c'; else $(CYGPATH_W) '$(srcdir)/resolver.c'; fi`
stunnel-ssl.o: ssl.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-ssl.o -MD -MP -MF $(DEPDIR)/stunnel-ssl.Tpo -c -o stunnel-ssl.o `test -f 'ssl.c' || echo '$(srcdir)/'`ssl.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-ssl.Tpo $(DEPDIR)/stunnel-ssl.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ssl.c' object='stunnel-ssl.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-ssl.o `test -f 'ssl.c' || echo '$(srcdir)/'`ssl.c
stunnel-ssl.obj: ssl.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-ssl.obj -MD -MP -MF $(DEPDIR)/stunnel-ssl.Tpo -c -o stunnel-ssl.obj `if test -f 'ssl.c'; then $(CYGPATH_W) 'ssl.c'; else $(CYGPATH_W) '$(srcdir)/ssl.c'; fi`
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-ssl.Tpo $(DEPDIR)/stunnel-ssl.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ssl.c' object='stunnel-ssl.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-ssl.obj `if test -f 'ssl.c'; then $(CYGPATH_W) 'ssl.c'; else $(CYGPATH_W) '$(srcdir)/ssl.c'; fi`
stunnel-ctx.o: ctx.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-ctx.o -MD -MP -MF $(DEPDIR)/stunnel-ctx.Tpo -c -o stunnel-ctx.o `test -f 'ctx.c' || echo '$(srcdir)/'`ctx.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-ctx.Tpo $(DEPDIR)/stunnel-ctx.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ctx.c' object='stunnel-ctx.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-ctx.o `test -f 'ctx.c' || echo '$(srcdir)/'`ctx.c
stunnel-ctx.obj: ctx.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-ctx.obj -MD -MP -MF $(DEPDIR)/stunnel-ctx.Tpo -c -o stunnel-ctx.obj `if test -f 'ctx.c'; then $(CYGPATH_W) 'ctx.c'; else $(CYGPATH_W) '$(srcdir)/ctx.c'; fi`
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-ctx.Tpo $(DEPDIR)/stunnel-ctx.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ctx.c' object='stunnel-ctx.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-ctx.obj `if test -f 'ctx.c'; then $(CYGPATH_W) 'ctx.c'; else $(CYGPATH_W) '$(srcdir)/ctx.c'; fi`
stunnel-verify.o: verify.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-verify.o -MD -MP -MF $(DEPDIR)/stunnel-verify.Tpo -c -o stunnel-verify.o `test -f 'verify.c' || echo '$(srcdir)/'`verify.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-verify.Tpo $(DEPDIR)/stunnel-verify.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='verify.c' object='stunnel-verify.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-verify.o `test -f 'verify.c' || echo '$(srcdir)/'`verify.c
stunnel-verify.obj: verify.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-verify.obj -MD -MP -MF $(DEPDIR)/stunnel-verify.Tpo -c -o stunnel-verify.obj `if test -f 'verify.c'; then $(CYGPATH_W) 'verify.c'; else $(CYGPATH_W) '$(srcdir)/verify.c'; fi`
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-verify.Tpo $(DEPDIR)/stunnel-verify.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='verify.c' object='stunnel-verify.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-verify.obj `if test -f 'verify.c'; then $(CYGPATH_W) 'verify.c'; else $(CYGPATH_W) '$(srcdir)/verify.c'; fi`
stunnel-sthreads.o: sthreads.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-sthreads.o -MD -MP -MF $(DEPDIR)/stunnel-sthreads.Tpo -c -o stunnel-sthreads.o `test -f 'sthreads.c' || echo '$(srcdir)/'`sthreads.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-sthreads.Tpo $(DEPDIR)/stunnel-sthreads.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sthreads.c' object='stunnel-sthreads.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-sthreads.o `test -f 'sthreads.c' || echo '$(srcdir)/'`sthreads.c
stunnel-sthreads.obj: sthreads.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-sthreads.obj -MD -MP -MF $(DEPDIR)/stunnel-sthreads.Tpo -c -o stunnel-sthreads.obj `if test -f 'sthreads.c'; then $(CYGPATH_W) 'sthreads.c'; else $(CYGPATH_W) '$(srcdir)/sthreads.c'; fi`
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-sthreads.Tpo $(DEPDIR)/stunnel-sthreads.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sthreads.c' object='stunnel-sthreads.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-sthreads.obj `if test -f 'sthreads.c'; then $(CYGPATH_W) 'sthreads.c'; else $(CYGPATH_W) '$(srcdir)/sthreads.c'; fi`
stunnel-fd.o: fd.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-fd.o -MD -MP -MF $(DEPDIR)/stunnel-fd.Tpo -c -o stunnel-fd.o `test -f 'fd.c' || echo '$(srcdir)/'`fd.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-fd.Tpo $(DEPDIR)/stunnel-fd.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fd.c' object='stunnel-fd.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-fd.o `test -f 'fd.c' || echo '$(srcdir)/'`fd.c
stunnel-fd.obj: fd.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-fd.obj -MD -MP -MF $(DEPDIR)/stunnel-fd.Tpo -c -o stunnel-fd.obj `if test -f 'fd.c'; then $(CYGPATH_W) 'fd.c'; else $(CYGPATH_W) '$(srcdir)/fd.c'; fi`
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-fd.Tpo $(DEPDIR)/stunnel-fd.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fd.c' object='stunnel-fd.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-fd.obj `if test -f 'fd.c'; then $(CYGPATH_W) 'fd.c'; else $(CYGPATH_W) '$(srcdir)/fd.c'; fi`
stunnel-stunnel.o: stunnel.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-stunnel.o -MD -MP -MF $(DEPDIR)/stunnel-stunnel.Tpo -c -o stunnel-stunnel.o `test -f 'stunnel.c' || echo '$(srcdir)/'`stunnel.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-stunnel.Tpo $(DEPDIR)/stunnel-stunnel.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='stunnel.c' object='stunnel-stunnel.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-stunnel.o `test -f 'stunnel.c' || echo '$(srcdir)/'`stunnel.c
stunnel-stunnel.obj: stunnel.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-stunnel.obj -MD -MP -MF $(DEPDIR)/stunnel-stunnel.Tpo -c -o stunnel-stunnel.obj `if test -f 'stunnel.c'; then $(CYGPATH_W) 'stunnel.c'; else $(CYGPATH_W) '$(srcdir)/stunnel.c'; fi`
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-stunnel.Tpo $(DEPDIR)/stunnel-stunnel.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='stunnel.c' object='stunnel-stunnel.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-stunnel.obj `if test -f 'stunnel.c'; then $(CYGPATH_W) 'stunnel.c'; else $(CYGPATH_W) '$(srcdir)/stunnel.c'; fi`
stunnel-pty.o: pty.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-pty.o -MD -MP -MF $(DEPDIR)/stunnel-pty.Tpo -c -o stunnel-pty.o `test -f 'pty.c' || echo '$(srcdir)/'`pty.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-pty.Tpo $(DEPDIR)/stunnel-pty.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='pty.c' object='stunnel-pty.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-pty.o `test -f 'pty.c' || echo '$(srcdir)/'`pty.c
stunnel-pty.obj: pty.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-pty.obj -MD -MP -MF $(DEPDIR)/stunnel-pty.Tpo -c -o stunnel-pty.obj `if test -f 'pty.c'; then $(CYGPATH_W) 'pty.c'; else $(CYGPATH_W) '$(srcdir)/pty.c'; fi`
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-pty.Tpo $(DEPDIR)/stunnel-pty.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='pty.c' object='stunnel-pty.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-pty.obj `if test -f 'pty.c'; then $(CYGPATH_W) 'pty.c'; else $(CYGPATH_W) '$(srcdir)/pty.c'; fi`
stunnel-libwrap.o: libwrap.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-libwrap.o -MD -MP -MF $(DEPDIR)/stunnel-libwrap.Tpo -c -o stunnel-libwrap.o `test -f 'libwrap.c' || echo '$(srcdir)/'`libwrap.c
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-libwrap.Tpo $(DEPDIR)/stunnel-libwrap.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libwrap.c' object='stunnel-libwrap.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-libwrap.o `test -f 'libwrap.c' || echo '$(srcdir)/'`libwrap.c
stunnel-libwrap.obj: libwrap.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -MT stunnel-libwrap.obj -MD -MP -MF $(DEPDIR)/stunnel-libwrap.Tpo -c -o stunnel-libwrap.obj `if test -f 'libwrap.c'; then $(CYGPATH_W) 'libwrap.c'; else $(CYGPATH_W) '$(srcdir)/libwrap.c'; fi`
@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/stunnel-libwrap.Tpo $(DEPDIR)/stunnel-libwrap.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libwrap.c' object='stunnel-libwrap.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(stunnel_CPPFLAGS) $(CPPFLAGS) $(stunnel_CFLAGS) $(CFLAGS) -c -o stunnel-libwrap.obj `if test -f 'libwrap.c'; then $(CYGPATH_W) 'libwrap.c'; else $(CYGPATH_W) '$(srcdir)/libwrap.c'; fi`
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
TAGS: $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
set x; \
here=`pwd`; \
list='$(SOURCES) $(HEADERS) config.h.in $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
shift; \
if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
if test $$# -gt 0; then \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
"$$@" $$unique; \
else \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
$$unique; \
fi; \
fi
ctags: CTAGS
CTAGS: $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
list='$(SOURCES) $(HEADERS) config.h.in $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
$$unique
GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
&& $(am__cd) $(top_srcdir) \
&& gtags -i $(GTAGS_ARGS) "$$here"
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
distdir: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
dist_files=`for file in $$list; do echo $$file; done | \
sed -e "s|^$$srcdirstrip/||;t" \
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
case $$dist_files in \
*/*) $(MKDIR_P) `echo "$$dist_files" | \
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
sort -u` ;; \
esac; \
for file in $$dist_files; do \
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
if test -d "$(distdir)/$$file"; then \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
test -f "$(distdir)/$$file" \
|| cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
$(MAKE) $(AM_MAKEFLAGS) \
top_distdir="$(top_distdir)" distdir="$(distdir)" \
dist-hook
check-am: all-am
check: check-am
all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(SCRIPTS) config.h
installdirs:
for dir in "$(DESTDIR)$(pkglibdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(bindir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-am
install-exec: install-exec-am
install-data: install-data-am
uninstall: uninstall-am
install-am: all-am
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
installcheck: installcheck-am
install-strip:
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
`test -z '$(STRIP)' || \
echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am
clean-am: clean-binPROGRAMS clean-generic clean-libtool \
clean-pkglibLTLIBRARIES mostlyclean-am
distclean: distclean-am
-rm -rf ./$(DEPDIR)
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
distclean-hdr distclean-local distclean-tags
dvi: dvi-am
dvi-am:
html: html-am
html-am:
info: info-am
info-am:
install-data-am:
install-dvi: install-dvi-am
install-dvi-am:
install-exec-am: install-binPROGRAMS install-binSCRIPTS \
install-pkglibLTLIBRARIES
install-html: install-html-am
install-html-am:
install-info: install-info-am
install-info-am:
install-man:
install-pdf: install-pdf-am
install-pdf-am:
install-ps: install-ps-am
install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
-rm -rf ./$(DEPDIR)
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-am
mostlyclean-am: mostlyclean-compile mostlyclean-generic \
mostlyclean-libtool mostlyclean-local
pdf: pdf-am
pdf-am:
ps: ps-am
ps-am:
uninstall-am: uninstall-binPROGRAMS uninstall-binSCRIPTS \
uninstall-pkglibLTLIBRARIES
.MAKE: all install-am install-strip
.PHONY: CTAGS GTAGS all all-am check check-am clean clean-binPROGRAMS \
clean-generic clean-libtool clean-pkglibLTLIBRARIES ctags \
dist-hook distclean distclean-compile distclean-generic \
distclean-hdr distclean-libtool distclean-local distclean-tags \
distdir dvi dvi-am html html-am info info-am install \
install-am install-binPROGRAMS install-binSCRIPTS install-data \
install-data-am install-dvi install-dvi-am install-exec \
install-exec-am install-html install-html-am install-info \
install-info-am install-man install-pdf install-pdf-am \
install-pkglibLTLIBRARIES install-ps install-ps-am \
install-strip installcheck installcheck-am installdirs \
maintainer-clean maintainer-clean-generic mostlyclean \
mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
mostlyclean-local pdf pdf-am ps ps-am tags uninstall \
uninstall-am uninstall-binPROGRAMS uninstall-binSCRIPTS \
uninstall-pkglibLTLIBRARIES
dist-hook: stunnel.exe
distclean-local:
rm -f stunnel.exe
# SUFFIXES = .c .rc .obj
stunnel.exe: $(WINOBJ)
$(WINGCC) $(WINLDFLAGS) -o stunnel.exe $(WINOBJ) $(WINLIBS)
%.obj: %.c $(common_headers)
$(WINGCC) -c $(WINCPPFLAGS) $(WINCFLAGS) -o $@ $<
resources.obj: resources.rc resources.h version.h
$(WINDRES) --include-dir $(srcdir) $< $@
mostlyclean-local:
-rm -f *.obj
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:

1267
src/client.c Normal file
View File

File diff suppressed because it is too large Load Diff

488
src/common.h Normal file
View File

@ -0,0 +1,488 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#ifndef COMMON_H
#define COMMON_H
#include "version.h"
/**************************************** common constants */
#define LIBWRAP_CLIENTS 5
/* CPU stack size */
#define DEFAULT_STACK_SIZE 65536
/* #define DEBUG_STACK_SIZE */
/* I/O buffer size - 18432 is the maximum size of SSL record payload */
#define BUFFSIZE 18432
/* how many bytes of random input to read from files for PRNG */
/* OpenSSL likes at least 128 bits, so 64 bytes seems plenty. */
#define RANDOM_BYTES 64
/* for FormatGuard */
/* #define __NO_FORMATGUARD_ */
/* additional diagnostic messages */
/* #define DEBUG_FD_ALLOC */
/**************************************** platform */
#ifdef _WIN32
#define USE_WIN32
#endif
#ifdef _WIN32_WCE
#define USE_WIN32
typedef int socklen_t;
#endif
#ifdef USE_WIN32
#define USE_IPv6
#define _CRT_SECURE_NO_DEPRECATE
#define _CRT_NONSTDC_NO_DEPRECATE
#define HAVE_OSSL_ENGINE_H
#define HAVE_OSSL_OCSP_H
/* prevent including wincrypt.h, as it defines it's own OCSP_RESPONSE */
#define __WINCRYPT_H__
#endif
#ifdef USE_WIN32
#define S_EADDRINUSE WSAEADDRINUSE
/* winsock does not define WSAEAGAIN */
/* in most (but not all!) BSD implementations EAGAIN==EWOULDBLOCK */
#define S_EAGAIN WSAEWOULDBLOCK
#define S_ECONNRESET WSAECONNRESET
#define S_EINPROGRESS WSAEINPROGRESS
#define S_EINTR WSAEINTR
#define S_EINVAL WSAEINVAL
#define S_EISCONN WSAEISCONN
#define S_EMFILE WSAEMFILE
/* winsock does not define WSAENFILE */
#define S_ENOBUFS WSAENOBUFS
/* winsock does not define WSAENOMEM */
#define S_ENOPROTOOPT WSAENOPROTOOPT
#define S_ENOTSOCK WSAENOTSOCK
#define S_EOPNOTSUPP WSAEOPNOTSUPP
#define S_EWOULDBLOCK WSAEWOULDBLOCK
#define S_ECONNABORTED WSAECONNABORTED
#else /* USE_WIN32 */
#define S_EADDRINUSE EADDRINUSE
#define S_EAGAIN EAGAIN
#define S_ECONNRESET ECONNRESET
#define S_EINPROGRESS EINPROGRESS
#define S_EINTR EINTR
#define S_EINVAL EINVAL
#define S_EISCONN EISCONN
#define S_EMFILE EMFILE
#ifdef ENFILE
#define S_ENFILE ENFILE
#endif
#ifdef ENOBUFS
#define S_ENOBUFS ENOBUFS
#endif
#ifdef ENOMEM
#define S_ENOMEM ENOMEM
#endif
#define S_ENOPROTOOPT ENOPROTOOPT
#define S_ENOTSOCK ENOTSOCK
#define S_EOPNOTSUPP EOPNOTSUPP
#define S_EWOULDBLOCK EWOULDBLOCK
#define S_ECONNABORTED ECONNABORTED
#endif /* USE_WIN32 */
/**************************************** generic headers */
#ifdef __vms
#include <starlet.h>
#endif /* __vms */
/* for nsr-tandem-nsk architecture */
#ifdef __TANDEM
#include <floss.h>
#endif
/* threads model */
#ifdef USE_UCONTEXT
#define __MAKECONTEXT_V2_SOURCE
#include <ucontext.h>
#endif
#ifdef USE_PTHREAD
#ifndef THREADS
#define THREADS
#endif
#ifndef _REENTRANT
/* _REENTRANT is required for thread-safe errno on Solaris */
#define _REENTRANT
#endif
#ifndef _THREAD_SAFE
#define _THREAD_SAFE
#endif
#include <pthread.h>
#endif
/* TCP wrapper */
#if defined HAVE_TCPD_H && defined HAVE_LIBWRAP
#define USE_LIBWRAP 1
#endif
/* must be included before sys/stat.h for Ultrix */
/* must be included before sys/socket.h for OpenBSD */
#include <sys/types.h> /* u_short, u_long */
/* general headers */
#include <stdio.h>
/* must be included before sys/stat.h for Ultrix */
#ifndef _WIN32_WCE
#include <errno.h>
#endif
#include <stdlib.h>
#include <stdarg.h> /* va_ */
#include <string.h>
#include <ctype.h> /* isalnum */
#include <time.h>
#include <sys/stat.h> /* stat */
#include <setjmp.h>
#include <fcntl.h>
/**************************************** WIN32 headers */
#ifdef USE_WIN32
typedef unsigned char u8;
typedef unsigned short u16;
typedef unsigned long u32;
#define HAVE_STRUCT_ADDRINFO
#define HAVE_SNPRINTF
#define snprintf _snprintf
#define HAVE_VSNPRINTF
#define vsnprintf _vsnprintf
#define strcasecmp _stricmp
#define strncasecmp _strnicmp
#define sleep(c) Sleep(1000*(c))
#define get_last_socket_error() WSAGetLastError()
#define set_last_socket_error(e) WSASetLastError(e)
#define get_last_error() GetLastError()
#define set_last_error(e) SetLastError(e)
#define readsocket(s,b,n) recv((s),(b),(n),0)
#define writesocket(s,b,n) send((s),(b),(n),0)
/* #define FD_SETSIZE 4096 */
/* #define Win32_Winsock */
#define __USE_W32_SOCKETS
/* Winsock2 header for IPv6 definitions */
#include <winsock2.h>
#include <ws2tcpip.h>
#include <windows.h>
#include <process.h> /* _beginthread */
#include <tchar.h>
#include "resources.h"
/**************************************** non-WIN32 headers */
#else /* USE_WIN32 */
#if SIZEOF_UNSIGNED_CHAR == 1
typedef unsigned char u8;
#endif
#if SIZEOF_UNSIGNED_SHORT == 2
typedef unsigned short u16;
#else
typedef unsigned int u16;
#endif
#if SIZEOF_UNSIGNED_INT == 4
typedef unsigned int u32;
#else
typedef unsigned long u32;
#endif
#ifdef __INNOTEK_LIBC__
#define socklen_t __socklen_t
#define strcasecmp stricmp
#define strncasecmp strnicmp
#define NI_NUMERICHOST 1
#define NI_NUMERICSERV 2
#define get_last_socket_error() sock_errno()
#define set_last_socket_error(e) ()
#define get_last_error() errno
#define set_last_error(e) (errno=(e))
#define readsocket(s,b,n) recv((s),(b),(n),0)
#define writesocket(s,b,n) send((s),(b),(n),0)
#define closesocket(s) close(s)
#define ioctlsocket(a,b,c) so_ioctl((a),(b),(c))
#else
#define get_last_socket_error() errno
#define set_last_socket_error(e) (errno=(e))
#define get_last_error() errno
#define set_last_error(e) (errno=(e))
#define readsocket(s,b,n) read((s),(b),(n))
#define writesocket(s,b,n) write((s),(b),(n))
#define closesocket(s) close(s)
#define ioctlsocket(a,b,c) ioctl((a),(b),(c))
#endif
/* OpenVMS compatibility */
#ifdef __vms
#define LIBDIR "__NA__"
#define PIDFILE "SYS$LOGIN:STUNNEL.PID"
#ifdef __alpha
#define HOST "alpha-openvms"
#else
#define HOST "vax-openvms"
#endif
#include <inet.h>
#include <unistd.h>
#else /* __vms */
#include <syslog.h>
#endif /* __vms */
/* Unix-specific headers */
#include <signal.h> /* signal */
#include <sys/wait.h> /* wait */
#ifdef HAVE_SYS_RESOURCE_H
#include <sys/resource.h> /* getrlimit */
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h> /* getpid, fork, execvp, exit */
#endif
#ifdef HAVE_STROPTS_H
#include <stropts.h>
#endif
#ifdef HAVE_MALLOC_H
#include <malloc.h> /* mallopt */
#endif
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h> /* for aix */
#endif
#if defined(HAVE_POLL) && !defined(BROKEN_POLL)
#ifdef HAVE_POLL_H
#include <poll.h>
#define USE_POLL
#else /* HAVE_POLL_H */
#ifdef HAVE_SYS_POLL_H
#include <sys/poll.h>
#define USE_POLL
#endif /* HAVE_SYS_POLL_H */
#endif /* HAVE_POLL_H */
#endif /* HAVE_POLL && !BROKEN_POLL */
#ifdef HAVE_SYS_FILIO_H
#include <sys/filio.h> /* for FIONBIO */
#endif
#include <pwd.h>
#ifdef HAVE_GRP_H
#include <grp.h>
#endif
#ifdef __BEOS__
#include <posix/grp.h>
#endif
#ifdef HAVE_SYS_UIO_H
#include <sys/uio.h> /* struct iovec */
#endif /* HAVE_SYS_UIO_H */
#include <netinet/in.h> /* struct sockaddr_in */
#include <sys/socket.h> /* getpeername */
#include <arpa/inet.h> /* inet_ntoa */
#include <sys/time.h> /* select */
#include <sys/ioctl.h> /* ioctl */
#ifdef HAVE_SYS_UN_H
#include <sys/un.h>
#endif
#include <netinet/tcp.h>
#include <netdb.h>
#ifndef INADDR_ANY
#define INADDR_ANY (u32)0x00000000
#endif
#ifndef INADDR_LOOPBACK
#define INADDR_LOOPBACK (u32)0x7F000001
#endif
#if defined(HAVE_WAITPID)
/* for SYSV systems */
#define wait_for_pid(a, b, c) waitpid((a), (b), (c))
#define HAVE_WAIT_FOR_PID 1
#elif defined(HAVE_WAIT4)
/* for BSD systems */
#define wait_for_pid(a, b, c) wait4((a), (b), (c), NULL)
#define HAVE_WAIT_FOR_PID 1
#endif
/* SunOS 4 */
#if defined(sun) && !defined(__svr4__) && !defined(__SVR4)
#define atexit(a) on_exit((a), NULL)
extern int sys_nerr;
extern char *sys_errlist[];
#define strerror(num) ((num)==0 ? "No error" : \
((num)>=sys_nerr ? "Unknown error" : sys_errlist[num]))
#endif /* SunOS 4 */
/* AIX does not have SOL_TCP defined */
#ifndef SOL_TCP
#define SOL_TCP SOL_SOCKET
#endif /* SOL_TCP */
/* Linux */
#ifdef __linux__
#ifndef IP_FREEBIND
/* kernel headers without IP_FREEBIND definition */
#define IP_FREEBIND 15
#endif /* IP_FREEBIND */
#ifndef IP_TRANSPARENT
/* kernel headers without IP_TRANSPARENT definition */
#define IP_TRANSPARENT 19
#endif /* IP_TRANSPARENT */
#ifdef HAVE_LINUX_NETFILTER_IPV4_H
#include <limits.h>
#include <linux/types.h>
#include <linux/netfilter_ipv4.h>
#endif /* HAVE_LINUX_NETFILTER_IPV4_H */
#endif /* __linux__ */
#endif /* USE_WIN32 */
/**************************************** OpenSSL headers */
#define OPENSSL_THREAD_DEFINES
#include <openssl/opensslconf.h>
#if defined(USE_PTHREAD) && !(defined(OPENSSL_THREADS) || \
(OPENSSL_VERSION_NUMBER<0x0090700fL && defined(THREADS)))
#error OpenSSL library compiled without thread support
#endif /* !OPENSSL_THREADS && USE_PTHREAD */
#if defined (USE_WIN32) && defined(OPENSSL_FIPS)
#define USE_FIPS
#endif
/* OpenSSL 0.9.6 comp.h needs ZLIB macro to declare COMP_zlib() */
#define ZLIB
#include <openssl/lhash.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/crypto.h> /* for CRYPTO_* and SSLeay_version */
#include <openssl/rand.h>
#ifndef OPENSSL_NO_MD4
#include <openssl/md4.h>
#endif
#include <openssl/des.h>
#ifdef HAVE_OSSL_ENGINE_H
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#else
#undef HAVE_OSSL_ENGINE_H
#endif
#endif /* HAVE_OSSL_ENGINE_H */
/* non-blocking OCSP API is not available before OpenSSL 0.9.8h */
#if OPENSSL_VERSION_NUMBER<0x00908080L
#ifdef HAVE_OSSL_OCSP_H
#undef HAVE_OSSL_OCSP_H
#endif /* HAVE_OSSL_OCSP_H */
#endif /* OpenSSL older than 0.9.8h */
#ifdef HAVE_OSSL_OCSP_H
#include <openssl/ocsp.h>
#endif /* HAVE_OSSL_OCSP_H */
#ifdef USE_FIPS
#include <openssl/fips.h>
#include <openssl/fips_rand.h>
#endif /* USE_FIPS */
#if OPENSSL_VERSION_NUMBER<0x0090800fL
#define OPENSSL_NO_ECDH
#endif /* OpenSSL version < 0.8.0 */
#if OPENSSL_VERSION_NUMBER<0x10000000L
#define OPENSSL_NO_TLSEXT
#endif /* OpenSSL version < 1.0.0 */
#ifndef OPENSSL_NO_COMP
/* not defined in public headers before OpenSSL 0.9.8 */
STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
#endif /* OPENSSL_NO_COMP */
/**************************************** other defines */
/* change all non-printable characters to '.' */
#define safestring(s) \
do {unsigned char *p; for(p=(unsigned char *)(s); *p; p++) \
if(!isprint((int)*p)) *p='.';} while(0)
/* change all unsafe characters to '.' */
#define safename(s) \
do {unsigned char *p; for(p=(s); *p; p++) \
if(!isalnum((int)*p)) *p='.';} while(0)
/* always use IPv4 defaults! */
#define DEFAULT_LOOPBACK "127.0.0.1"
#define DEFAULT_ANY "0.0.0.0"
#if 0
#define DEFAULT_LOOPBACK "::1"
#define DEFAULT_ANY "::"
#endif
#if defined (USE_WIN32) || defined (__vms)
#define LOG_EMERG 0
#define LOG_ALERT 1
#define LOG_CRIT 2
#define LOG_ERR 3
#define LOG_WARNING 4
#define LOG_NOTICE 5
#define LOG_INFO 6
#define LOG_DEBUG 7
#endif /* defined (USE_WIN32) || defined (__vms) */
#ifndef offsetof
#define offsetof(T, F) ((unsigned int)((char *)&((T *)0L)->F - (char *)0L))
#endif
#endif /* defined COMMON_H */
/* end of common.h */

269
src/config.h.in Normal file
View File

@ -0,0 +1,269 @@
/* src/config.h.in. Generated from configure.ac by autoheader. */
/* Define to 1 if you have a broken 'poll' implementation. */
#undef BROKEN_POLL
/* Entropy Gathering Daemon socket path */
#undef EGD_SOCKET
/* Define to 1 if you have the `accept4' function. */
#undef HAVE_ACCEPT4
/* Define to 1 if you have the `chroot' function. */
#undef HAVE_CHROOT
/* Define to 1 if you have the `daemon' function. */
#undef HAVE_DAEMON
/* Define to 1 if you have '/dev/ptmx' device. */
#undef HAVE_DEV_PTMX
/* Define to 1 if you have '/dev/ptc' device. */
#undef HAVE_DEV_PTS_AND_PTC
/* Define to 1 if you have the <dlfcn.h> header file. */
#undef HAVE_DLFCN_H
/* Define to 1 if you have the `endhostent' function. */
#undef HAVE_ENDHOSTENT
/* Define to 1 if you have 'getaddrinfo' function. */
#undef HAVE_GETADDRINFO
/* Define to 1 if you have the `getcontext' function. */
#undef HAVE_GETCONTEXT
/* Define to 1 if you have the `gethostbyname2' function. */
#undef HAVE_GETHOSTBYNAME2
/* Define to 1 if you have the `getnameinfo' function. */
#undef HAVE_GETNAMEINFO
/* Define to 1 if you have the `getrlimit' function. */
#undef HAVE_GETRLIMIT
/* Define to 1 if you have the <grp.h> header file. */
#undef HAVE_GRP_H
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
/* Define to 1 if you have 'libpthread' library. */
#undef HAVE_LIBPTHREAD
/* Define to 1 if you have the <libutil.h> header file. */
#undef HAVE_LIBUTIL_H
/* Define to 1 if you have 'libwrap' library. */
#undef HAVE_LIBWRAP
/* Define to 1 if you have the <linux/netfilter_ipv4.h> header file. */
#undef HAVE_LINUX_NETFILTER_IPV4_H
/* Define to 1 if you have the `localtime_r' function. */
#undef HAVE_LOCALTIME_R
/* Define to 1 if you have the <malloc.h> header file. */
#undef HAVE_MALLOC_H
/* Define to 1 if you have the <memory.h> header file. */
#undef HAVE_MEMORY_H
/* Define to 1 if you have 'msghdr.msg_control' structure. */
#undef HAVE_MSGHDR_MSG_CONTROL
/* Define to 1 if you have the `openpty' function. */
#undef HAVE_OPENPTY
/* Define to 1 if you have <engine.h> header file. */
#undef HAVE_OSSL_ENGINE_H
/* Define to 1 if you have <ocsp.h> header file. */
#undef HAVE_OSSL_OCSP_H
/* Define to 1 if you have the `pipe2' function. */
#undef HAVE_PIPE2
/* Define to 1 if you have the `poll' function. */
#undef HAVE_POLL
/* Define to 1 if you have the <poll.h> header file. */
#undef HAVE_POLL_H
/* Define to 1 if you have the <pthread.h> header file. */
#undef HAVE_PTHREAD_H
/* Define to 1 if you have the `pthread_sigmask' function. */
#undef HAVE_PTHREAD_SIGMASK
/* Define to 1 if you have the <pty.h> header file. */
#undef HAVE_PTY_H
/* Define to 1 if you have the `setgroups' function. */
#undef HAVE_SETGROUPS
/* Define to 1 if you have the `setsid' function. */
#undef HAVE_SETSID
/* Define to 1 if you have the `snprintf' function. */
#undef HAVE_SNPRINTF
/* Define to 1 if you have the <stdint.h> header file. */
#undef HAVE_STDINT_H
/* Define to 1 if you have the <stdlib.h> header file. */
#undef HAVE_STDLIB_H
/* Define to 1 if you have the <strings.h> header file. */
#undef HAVE_STRINGS_H
/* Define to 1 if you have the <string.h> header file. */
#undef HAVE_STRING_H
/* Define to 1 if you have the <stropts.h> header file. */
#undef HAVE_STROPTS_H
/* Define to 1 if the system has the type `struct addrinfo'. */
#undef HAVE_STRUCT_ADDRINFO
/* Define to 1 if `msg_control' is a member of `struct msghdr'. */
#undef HAVE_STRUCT_MSGHDR_MSG_CONTROL
/* Define to 1 if the system has the type `struct sockaddr_un'. */
#undef HAVE_STRUCT_SOCKADDR_UN
/* Define to 1 if you have the `sysconf' function. */
#undef HAVE_SYSCONF
/* Define to 1 if you have the <sys/filio.h> header file. */
#undef HAVE_SYS_FILIO_H
/* Define to 1 if you have the <sys/ioctl.h> header file. */
#undef HAVE_SYS_IOCTL_H
/* Define to 1 if you have the <sys/poll.h> header file. */
#undef HAVE_SYS_POLL_H
/* Define to 1 if you have the <sys/resource.h> header file. */
#undef HAVE_SYS_RESOURCE_H
/* Define to 1 if you have the <sys/select.h> header file. */
#undef HAVE_SYS_SELECT_H
/* Define to 1 if you have the <sys/socket.h> header file. */
#undef HAVE_SYS_SOCKET_H
/* Define to 1 if you have the <sys/stat.h> header file. */
#undef HAVE_SYS_STAT_H
/* Define to 1 if you have the <sys/types.h> header file. */
#undef HAVE_SYS_TYPES_H
/* Define to 1 if you have the <sys/uio.h> header file. */
#undef HAVE_SYS_UIO_H
/* Define to 1 if you have the <sys/un.h> header file. */
#undef HAVE_SYS_UN_H
/* Define to 1 if you have the <tcpd.h> header file. */
#undef HAVE_TCPD_H
/* Define to 1 if you have the <ucontext.h> header file. */
#undef HAVE_UCONTEXT_H
/* Define to 1 if you have the <unistd.h> header file. */
#undef HAVE_UNISTD_H
/* Define to 1 if you have the <util.h> header file. */
#undef HAVE_UTIL_H
/* Define to 1 if you have the `vsnprintf' function. */
#undef HAVE_VSNPRINTF
/* Define to 1 if you have the `wait4' function. */
#undef HAVE_WAIT4
/* Define to 1 if you have the `waitpid' function. */
#undef HAVE_WAITPID
/* Define to 1 if you have the `_getpty' function. */
#undef HAVE__GETPTY
/* Define to 1 if you have the `__makecontext_v2' function. */
#undef HAVE___MAKECONTEXT_V2
/* Host description */
#undef HOST
/* Define to the sub-directory in which libtool stores uninstalled libraries.
*/
#undef LT_OBJDIR
/* Define to 1 if your C compiler doesn't accept -c and -o together. */
#undef NO_MINUS_C_MINUS_O
/* Name of package */
#undef PACKAGE
/* Define to the address where bug reports for this package should be sent. */
#undef PACKAGE_BUGREPORT
/* Define to the full name of this package. */
#undef PACKAGE_NAME
/* Define to the full name and version of this package. */
#undef PACKAGE_STRING
/* Define to the one symbol short name of this package. */
#undef PACKAGE_TARNAME
/* Define to the home page for this package. */
#undef PACKAGE_URL
/* Define to the version of this package. */
#undef PACKAGE_VERSION
/* Random file path */
#undef RANDOM_FILE
/* The size of `unsigned char', as computed by sizeof. */
#undef SIZEOF_UNSIGNED_CHAR
/* The size of `unsigned int', as computed by sizeof. */
#undef SIZEOF_UNSIGNED_INT
/* The size of `unsigned long', as computed by sizeof. */
#undef SIZEOF_UNSIGNED_LONG
/* The size of `unsigned short', as computed by sizeof. */
#undef SIZEOF_UNSIGNED_SHORT
/* SSL directory */
#undef SSLDIR
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
/* Define to 1 to enable OpenSSL FIPS mode. */
#undef USE_FIPS
/* Define to 1 to select FORK mode */
#undef USE_FORK
/* Define to 1 to enable IPv6 support */
#undef USE_IPv6
/* Define to 1 to select PTHREAD mode */
#undef USE_PTHREAD
/* Define to 1 to select UCONTEXT mode */
#undef USE_UCONTEXT
/* Version number of package */
#undef VERSION
/* Use GNU source */
#undef _GNU_SOURCE
/* Type of socklen_t */
#undef socklen_t

687
src/ctx.c Normal file
View File

@ -0,0 +1,687 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
/**************************************** prototypes */
/* SNI */
#ifndef OPENSSL_NO_TLSEXT
static int servername_cb(SSL *, int *, void *);
#endif
/* DH/ECDH initialization */
#ifndef OPENSSL_NO_DH
static int init_dh(SERVICE_OPTIONS *);
static DH *read_dh(char *);
static DH *get_dh2048(void);
#endif /* OPENSSL_NO_DH */
#ifndef OPENSSL_NO_ECDH
static int init_ecdh(SERVICE_OPTIONS *);
#endif /* USE_ECDH */
/* loading certificate */
static int load_certificate(SERVICE_OPTIONS *);
#if defined(USE_WIN32) || OPENSSL_VERSION_NUMBER>=0x0090700fL
static int password_cb(char *, int, int, void *);
#endif
/* session cache callbacks */
static int sess_new_cb(SSL *, SSL_SESSION *);
static SSL_SESSION *sess_get_cb(SSL *, unsigned char *, int, int *);
static void sess_remove_cb(SSL_CTX *, SSL_SESSION *);
static void cache_transfer(SSL_CTX *, const unsigned int, const unsigned,
const unsigned char *, const unsigned int,
const unsigned char *, const unsigned int,
unsigned char **, unsigned int *);
/* info callbacks */
static void info_callback(
#if OPENSSL_VERSION_NUMBER>=0x0090700fL
const
#endif
SSL *, int, int);
static void sslerror_queue(void);
static void sslerror_log(unsigned long, char *);
/**************************************** initialize section->ctx */
int context_init(SERVICE_OPTIONS *section) { /* init SSL context */
/* create SSL context */
if(section->option.client)
section->ctx=SSL_CTX_new(section->client_method);
else /* server mode */
section->ctx=SSL_CTX_new(section->server_method);
if(!section->ctx) {
sslerror("SSL_CTX_new");
return 1; /* FAILED */
}
SSL_CTX_set_ex_data(section->ctx, opt_index, section); /* for callbacks */
/* initialize certificate verification */
if(load_certificate(section))
return 1; /* FAILED */
if(verify_init(section))
return 1; /* FAILED */
/* initialize DH/ECDH server mode */
if(!section->option.client) {
#ifndef OPENSSL_NO_TLSEXT
SSL_CTX_set_tlsext_servername_arg(section->ctx, section);
SSL_CTX_set_tlsext_servername_callback(section->ctx, servername_cb);
#endif /* OPENSSL_NO_TLSEXT */
#ifndef OPENSSL_NO_DH
init_dh(section); /* ignore the result (errors are not critical) */
#endif /* OPENSSL_NO_DH */
#ifndef OPENSSL_NO_ECDH
init_ecdh(section); /* ignore the result (errors are not critical) */
#endif /* OPENSSL_NO_ECDH */
}
/* setup session cache */
if(!section->option.client) {
unsigned int servname_len=strlen(section->servname);
if(servname_len>SSL_MAX_SSL_SESSION_ID_LENGTH)
servname_len=SSL_MAX_SSL_SESSION_ID_LENGTH;
if(!SSL_CTX_set_session_id_context(section->ctx,
(unsigned char *)section->servname, servname_len)) {
sslerror("SSL_CTX_set_session_id_context");
return 1; /* FAILED */
}
}
SSL_CTX_set_session_cache_mode(section->ctx, SSL_SESS_CACHE_BOTH);
SSL_CTX_set_timeout(section->ctx, section->session_timeout);
if(section->option.sessiond) {
SSL_CTX_sess_set_new_cb(section->ctx, sess_new_cb);
SSL_CTX_sess_set_get_cb(section->ctx, sess_get_cb);
SSL_CTX_sess_set_remove_cb(section->ctx, sess_remove_cb);
}
/* set info callback */
if(global_options.debug_level==LOG_DEBUG) /* performance optimization */
SSL_CTX_set_info_callback(section->ctx, info_callback);
/* ciphers, options, mode */
if(section->cipher_list)
if(!SSL_CTX_set_cipher_list(section->ctx, section->cipher_list)) {
sslerror("SSL_CTX_set_cipher_list");
return 1; /* FAILED */
}
s_log(LOG_DEBUG, "SSL options set: 0x%08lX",
SSL_CTX_set_options(section->ctx, section->ssl_options));
#ifdef SSL_MODE_RELEASE_BUFFERS
SSL_CTX_set_mode(section->ctx,
SSL_MODE_ENABLE_PARTIAL_WRITE |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
SSL_MODE_RELEASE_BUFFERS);
#else
SSL_CTX_set_mode(section->ctx,
SSL_MODE_ENABLE_PARTIAL_WRITE |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
#endif
return 0; /* OK */
}
/**************************************** SNI callback */
#ifndef OPENSSL_NO_TLSEXT
static int servername_cb(SSL *ssl, int *ad, void *arg) {
SERVICE_OPTIONS *section=(SERVICE_OPTIONS *)arg;
const char *servername=SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
SERVERNAME_LIST *list;
CLI *c;
#ifdef USE_LIBWRAP
char *accepted_address;
#endif /* USE_LIBWRAP */
/* leave the alert type at SSL_AD_UNRECOGNIZED_NAME */
(void)ad; /* skip warning about unused parameter */
if(!section->servername_list_head) /* no virtual services defined */
return SSL_TLSEXT_ERR_OK;
if(!servername) /* no SNI extension received from the client */
return SSL_TLSEXT_ERR_NOACK;
for(list=section->servername_list_head; list; list=list->next)
if(!strcasecmp(servername, list->servername)) {
c=SSL_get_ex_data(ssl, cli_index);
c->opt=list->opt;
SSL_set_SSL_CTX(ssl, c->opt->ctx);
SSL_set_verify(ssl, SSL_CTX_get_verify_mode(c->opt->ctx),
SSL_CTX_get_verify_callback(c->opt->ctx));
s_log(LOG_NOTICE, "SNI: switched to section %s",
c->opt->servname);
#ifdef USE_LIBWRAP
accepted_address=s_ntop(&c->peer_addr, c->peer_addr_len);
libwrap_auth(c, accepted_address); /* retry on a service switch */
str_free(accepted_address);
#endif /* USE_LIBWRAP */
return SSL_TLSEXT_ERR_OK;
}
s_log(LOG_ERR, "SNI: no service defined for server %s", servername);
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
/* TLSEXT callback return codes:
* - SSL_TLSEXT_ERR_OK
* - SSL_TLSEXT_ERR_ALERT_WARNING
* - SSL_TLSEXT_ERR_ALERT_FATAL
* - SSL_TLSEXT_ERR_NOACK */
#endif /* OPENSSL_NO_TLSEXT */
/**************************************** DH initialization */
#ifndef OPENSSL_NO_DH
static int init_dh(SERVICE_OPTIONS *section) {
DH *dh;
dh=read_dh(section->cert);
if(!dh)
dh=get_dh2048();
if(!dh) {
s_log(LOG_NOTICE, "DH initialization failed");
return 1; /* FAILED */
}
SSL_CTX_set_tmp_dh(section->ctx, dh);
s_log(LOG_DEBUG, "DH initialized with %d-bit key", 8*DH_size(dh));
DH_free(dh);
return 0; /* OK */
}
static DH *read_dh(char *cert) {
DH *dh;
BIO *bio;
if(!cert) {
s_log(LOG_DEBUG, "No certificate available to load DH parameters");
return NULL; /* FAILED */
}
bio=BIO_new_file(cert, "r");
if(!bio) {
sslerror("BIO_new_file");
return NULL; /* FAILED */
}
dh=PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
BIO_free(bio);
if(!dh) {
while(ERR_get_error())
; /* OpenSSL error queue cleanup */
s_log(LOG_DEBUG, "Could not load DH parameters from %s", cert);
return NULL; /* FAILED */
}
s_log(LOG_DEBUG, "Using DH parameters from %s", cert);
return dh;
}
static DH *get_dh2048() {
static unsigned char dh2048_p[]={ /* OpenSSL DH parameters */
0xED,0x92,0x89,0x35,0x82,0x45,0x55,0xCB,0x3B,0xFB,0xA2,0x76,
0x5A,0x69,0x04,0x61,0xBF,0x21,0xF3,0xAB,0x53,0xD2,0xCD,0x21,
0xDA,0xFF,0x78,0x19,0x11,0x52,0xF1,0x0E,0xC1,0xE2,0x55,0xBD,
0x68,0x6F,0x68,0x00,0x53,0xB9,0x22,0x6A,0x2F,0xE4,0x9A,0x34,
0x1F,0x65,0xCC,0x59,0x32,0x8A,0xBD,0xB1,0xDB,0x49,0xED,0xDF,
0xA7,0x12,0x66,0xC3,0xFD,0x21,0x04,0x70,0x18,0xF0,0x7F,0xD6,
0xF7,0x58,0x51,0x19,0x72,0x82,0x7B,0x22,0xA9,0x34,0x18,0x1D,
0x2F,0xCB,0x21,0xCF,0x6D,0x92,0xAE,0x43,0xB6,0xA8,0x29,0xC7,
0x27,0xA3,0xCB,0x00,0xC5,0xF2,0xE5,0xFB,0x0A,0xA4,0x59,0x85,
0xA2,0xBD,0xAD,0x45,0xF0,0xB3,0xAD,0xF9,0xE0,0x81,0x35,0xEE,
0xD9,0x83,0xB3,0xCC,0xAE,0xEA,0xEB,0x66,0xE6,0xA9,0x57,0x66,
0xB9,0xF1,0x28,0xA5,0x3F,0x22,0x80,0xD7,0x0B,0xA6,0xF6,0x71,
0x93,0x9B,0x81,0x0E,0xF8,0x5A,0x90,0xE6,0xCC,0xCA,0x6F,0x66,
0x5F,0x7A,0xC0,0x10,0x1A,0x1E,0xF0,0xFC,0x2D,0xB6,0x08,0x0C,
0x62,0x28,0xB0,0xEC,0xDB,0x89,0x28,0xEE,0x0C,0xA8,0x3D,0x65,
0x94,0x69,0x16,0x69,0x53,0x3C,0x53,0x60,0x13,0xB0,0x2B,0xA7,
0xD4,0x82,0x87,0xAD,0x1C,0x72,0x9E,0x41,0x35,0xFC,0xC2,0x7C,
0xE9,0x51,0xDE,0x61,0x85,0xFC,0x19,0x9B,0x76,0x60,0x0F,0x33,
0xF8,0x6B,0xB3,0xCA,0x52,0x0E,0x29,0xC3,0x07,0xE8,0x90,0x16,
0xCC,0xCC,0x00,0x19,0xB6,0xAD,0xC3,0xA4,0x30,0x8B,0x33,0xA1,
0xAF,0xD8,0x8C,0x8D,0x9D,0x01,0xDB,0xA4,0xC4,0xDD,0x7F,0x0B,
0xBD,0x6F,0x38,0xC3,};
static unsigned char dh2048_g[]={0x02,};
DH *dh;
dh=DH_new();
if(!dh)
return NULL;
dh->p=BN_bin2bn(dh2048_p, sizeof dh2048_p, NULL);
dh->g=BN_bin2bn(dh2048_g, sizeof dh2048_g, NULL);
if(!dh->p || !dh->g) {
DH_free(dh);
return NULL;
}
s_log(LOG_DEBUG, "Using hardcoded DH parameters");
return dh;
}
#endif /* OPENSSL_NO_DH */
/**************************************** ECDH initialization */
#ifndef OPENSSL_NO_ECDH
static int init_ecdh(SERVICE_OPTIONS *section) {
EC_KEY *ecdh;
ecdh=EC_KEY_new_by_curve_name(section->curve);
if(!ecdh) {
s_log(LOG_ERR, "Unable to create curve %s",
OBJ_nid2ln(section->curve));
return 1; /* FAILED */
}
SSL_CTX_set_tmp_ecdh(section->ctx, ecdh);
EC_KEY_free(ecdh);
s_log(LOG_DEBUG, "ECDH initialized with curve %s",
OBJ_nid2ln(section->curve));
return 0; /* OK */
}
#endif /* OPENSSL_NO_ECDH */
/**************************************** loading certificate */
static int cache_initialized=0;
static int load_certificate(SERVICE_OPTIONS *section) {
int i, reason;
UI_DATA ui_data;
#ifdef HAVE_OSSL_ENGINE_H
EVP_PKEY *pkey;
UI_METHOD *ui_method;
#endif
struct stat st; /* buffer for stat */
/* check if certificate exists */
if(!section->key) /* key file not specified */
section->key=section->cert;
#ifdef HAVE_OSSL_ENGINE_H
if(!section->engine)
#endif
if(section->key) {
if(stat(section->key, &st)) {
ioerror(section->key);
return 1; /* FAILED */
}
#if !defined(USE_WIN32) && !defined(USE_OS2)
if(st.st_mode & 7)
s_log(LOG_WARNING, "Insecure file permissions on %s",
section->key);
#endif /* defined USE_WIN32 */
}
if(!section->cert) /* no certificate specified */
return 0; /* OK */
ui_data.section=section; /* setup current section for callbacks */
s_log(LOG_DEBUG, "Certificate: %s", section->cert);
if(!SSL_CTX_use_certificate_chain_file(section->ctx, section->cert)) {
s_log(LOG_ERR, "Error reading certificate file: %s", section->cert);
sslerror("SSL_CTX_use_certificate_chain_file");
return 1; /* FAILED */
}
s_log(LOG_DEBUG, "Certificate loaded");
s_log(LOG_DEBUG, "Key file: %s", section->key);
#if defined(USE_WIN32) || OPENSSL_VERSION_NUMBER>=0x0090700fL
SSL_CTX_set_default_passwd_cb(section->ctx, password_cb);
#endif
#ifdef HAVE_OSSL_ENGINE_H
#ifdef USE_WIN32
ui_method=UI_create_method("stunnel WIN32 UI");
UI_method_set_reader(ui_method, pin_cb);
#else /* USE_WIN32 */
ui_method=UI_OpenSSL();
#endif /* USE_WIN32 */
if(section->engine)
for(i=1; i<=3; i++) {
pkey=ENGINE_load_private_key(section->engine, section->key,
ui_method, &ui_data);
if(!pkey) {
reason=ERR_GET_REASON(ERR_peek_error());
if(i<=2 && (reason==7 || reason==160)) { /* wrong PIN */
sslerror_queue(); /* dump the error queue */
s_log(LOG_ERR, "Wrong PIN: retrying");
continue;
}
sslerror("ENGINE_load_private_key");
return 1; /* FAILED */
}
if(SSL_CTX_use_PrivateKey(section->ctx, pkey))
break; /* success */
sslerror("SSL_CTX_use_PrivateKey");
return 1; /* FAILED */
}
else
#endif /* HAVE_OSSL_ENGINE_H */
for(i=0; i<=3; i++) {
if(!i && !cache_initialized)
continue; /* there is no cached value */
SSL_CTX_set_default_passwd_cb_userdata(section->ctx,
i ? &ui_data : NULL); /* try the cached password first */
if(SSL_CTX_use_PrivateKey_file(section->ctx, section->key,
SSL_FILETYPE_PEM))
break;
reason=ERR_GET_REASON(ERR_peek_error());
if(i<=2 && reason==EVP_R_BAD_DECRYPT) {
sslerror_queue(); /* dump the error queue */
s_log(LOG_ERR, "Wrong pass phrase: retrying");
continue;
}
sslerror("SSL_CTX_use_PrivateKey_file");
return 1; /* FAILED */
}
if(!SSL_CTX_check_private_key(section->ctx)) {
sslerror("Private key does not match the certificate");
return 1; /* FAILED */
}
s_log(LOG_DEBUG, "Private key loaded");
return 0; /* OK */
}
#if defined(USE_WIN32) || OPENSSL_VERSION_NUMBER>=0x0090700fL
static int password_cb(char *buf, int size, int rwflag, void *userdata) {
static char cache[PEM_BUFSIZE];
int len;
if(size>PEM_BUFSIZE)
size=PEM_BUFSIZE;
if(userdata) { /* prompt the user */
#ifdef USE_WIN32
len=passwd_cb(buf, size, rwflag, userdata);
#else
/* PEM_def_callback is defined in OpenSSL 0.9.7 and later */
len=PEM_def_callback(buf, size, rwflag, NULL);
#endif
memcpy(cache, buf, size); /* save in cache */
cache_initialized=1;
} else { /* try the cached value */
strncpy(buf, cache, size);
buf[size-1]='\0';
len=strlen(buf);
}
return len;
}
#endif
/**************************************** session cache callbacks */
#define CACHE_CMD_NEW 0x00
#define CACHE_CMD_GET 0x01
#define CACHE_CMD_REMOVE 0x02
#define CACHE_RESP_ERR 0x80
#define CACHE_RESP_OK 0x81
static int sess_new_cb(SSL *ssl, SSL_SESSION *sess) {
unsigned char *val, *val_tmp;
int val_len;
val_len=i2d_SSL_SESSION(sess, NULL);
val_tmp=val=str_alloc(val_len);
i2d_SSL_SESSION(sess, &val_tmp);
cache_transfer(ssl->ctx, CACHE_CMD_NEW, SSL_SESSION_get_timeout(sess),
sess->session_id, sess->session_id_length, val, val_len, NULL, NULL);
str_free(val);
return 1; /* leave the session in local cache for reuse */
}
static SSL_SESSION *sess_get_cb(SSL *ssl,
unsigned char *key, int key_len, int *do_copy) {
unsigned char *val, *val_tmp=NULL;
unsigned int val_len=0;
SSL_SESSION *sess;
*do_copy = 0; /* allow the session to be freed autmatically */
cache_transfer(ssl->ctx, CACHE_CMD_GET, 0,
key, key_len, NULL, 0, &val, &val_len);
if(!val)
return NULL;
val_tmp=val;
sess=d2i_SSL_SESSION(NULL,
#if OPENSSL_VERSION_NUMBER>=0x0090800fL
(const unsigned char **)
#endif /* OpenSSL version >= 0.8.0 */
&val_tmp, val_len);
str_free(val);
return sess;
}
static void sess_remove_cb(SSL_CTX *ctx, SSL_SESSION *sess) {
cache_transfer(ctx, CACHE_CMD_REMOVE, 0,
sess->session_id, sess->session_id_length, NULL, 0, NULL, NULL);
}
#define MAX_VAL_LEN 512
typedef struct {
u_char version, type;
u_short timeout;
u_char key[SSL_MAX_SSL_SESSION_ID_LENGTH];
u_char val[MAX_VAL_LEN];
} CACHE_PACKET;
static void cache_transfer(SSL_CTX *ctx, const unsigned int type,
const unsigned int timeout,
const unsigned char *key, const unsigned int key_len,
const unsigned char *val, const unsigned int val_len,
unsigned char **ret, unsigned int *ret_len) {
char session_id_txt[2*SSL_MAX_SSL_SESSION_ID_LENGTH+1];
const char hex[16]="0123456789ABCDEF";
const char *type_description[]={"new", "get", "remove"};
unsigned int i;
int s, len;
struct timeval t;
CACHE_PACKET *packet;
SERVICE_OPTIONS *section;
if(ret) /* set error as the default result if required */
*ret=NULL;
/* log the request information */
for(i=0; i<key_len && i<SSL_MAX_SSL_SESSION_ID_LENGTH; ++i) {
session_id_txt[2*i]=hex[key[i]>>4];
session_id_txt[2*i+1]=hex[key[i]&0x0f];
}
session_id_txt[2*i]='\0';
s_log(LOG_INFO,
"cache_transfer: request=%s, timeout=%u, id=%s, length=%d",
type_description[type], timeout, session_id_txt, val_len);
/* allocate UDP packet buffer */
if(key_len>SSL_MAX_SSL_SESSION_ID_LENGTH) {
s_log(LOG_ERR, "cache_transfer: session id too big (%d bytes)",
key_len);
return;
}
if(val_len>MAX_VAL_LEN) {
s_log(LOG_ERR, "cache_transfer: encoded session too big (%d bytes)",
key_len);
return;
}
packet=str_alloc(sizeof(CACHE_PACKET));
/* setup packet */
packet->version=1;
packet->type=type;
packet->timeout=htons((u_short)(timeout<64800?timeout:64800));/* 18 hours */
memcpy(packet->key, key, key_len);
memcpy(packet->val, val, val_len);
/* create the socket */
s=s_socket(AF_INET, SOCK_DGRAM, 0, 0, "cache_transfer: socket");
if(s<0) {
str_free(packet);
return;
}
/* retrieve pointer to the section structure of this ctx */
section=SSL_CTX_get_ex_data(ctx, opt_index);
if(sendto(s, (void *)packet, sizeof(CACHE_PACKET)-MAX_VAL_LEN+val_len, 0,
&section->sessiond_addr.sa, addr_len(&section->sessiond_addr))<0) {
sockerror("cache_transfer: sendto");
closesocket(s);
str_free(packet);
return;
}
if(!ret || !ret_len) { /* no response is required */
closesocket(s);
str_free(packet);
return;
}
/* set recvfrom timeout to 200ms */
t.tv_sec=0;
t.tv_usec=200;
if(setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, (void *)&t, sizeof t)<0) {
sockerror("cache_transfer: setsockopt SO_RCVTIMEO");
closesocket(s);
str_free(packet);
return;
}
/* retrieve response */
len=recv(s, (void *)packet, sizeof(CACHE_PACKET), 0);
closesocket(s);
if(len<0) {
if(get_last_socket_error()==S_EWOULDBLOCK ||
get_last_socket_error()==S_EAGAIN)
s_log(LOG_INFO, "cache_transfer: recv timeout");
else
sockerror("cache_transfer: recv");
str_free(packet);
return;
}
/* parse results */
if(len<(int)sizeof(CACHE_PACKET)-MAX_VAL_LEN || /* too short */
packet->version!=1 || /* wrong version */
memcmp(packet->key, key, key_len)) { /* wrong session id */
s_log(LOG_DEBUG, "cache_transfer: malformed packet received");
str_free(packet);
return;
}
if(packet->type!=CACHE_RESP_OK) {
s_log(LOG_INFO, "cache_transfer: session not found");
str_free(packet);
return;
}
*ret_len=len-(sizeof(CACHE_PACKET)-MAX_VAL_LEN);
*ret=str_alloc(*ret_len);
s_log(LOG_INFO, "cache_transfer: session found");
memcpy(*ret, packet->val, *ret_len);
str_free(packet);
}
/**************************************** informational callback */
static void info_callback(
#if OPENSSL_VERSION_NUMBER>=0x0090700fL
const
#endif
SSL *ssl, int where, int ret) {
if(where & SSL_CB_LOOP) {
s_log(LOG_DEBUG, "SSL state (%s): %s",
where & SSL_ST_CONNECT ? "connect" :
where & SSL_ST_ACCEPT ? "accept" :
"undefined", SSL_state_string_long(ssl));
} else if(where & SSL_CB_ALERT) {
s_log(LOG_DEBUG, "SSL alert (%s): %s: %s",
where & SSL_CB_READ ? "read" : "write",
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
} else if(where==SSL_CB_HANDSHAKE_DONE) {
s_log(LOG_DEBUG, "%4ld items in the session cache",
SSL_CTX_sess_number(ssl->ctx));
s_log(LOG_DEBUG, "%4ld client connects (SSL_connect())",
SSL_CTX_sess_connect(ssl->ctx));
s_log(LOG_DEBUG, "%4ld client connects that finished",
SSL_CTX_sess_connect_good(ssl->ctx));
s_log(LOG_DEBUG, "%4ld client renegotiations requested",
SSL_CTX_sess_connect_renegotiate(ssl->ctx));
s_log(LOG_DEBUG, "%4ld server connects (SSL_accept())",
SSL_CTX_sess_accept(ssl->ctx));
s_log(LOG_DEBUG, "%4ld server connects that finished",
SSL_CTX_sess_accept_good(ssl->ctx));
s_log(LOG_DEBUG, "%4ld server renegotiations requested",
SSL_CTX_sess_accept_renegotiate(ssl->ctx));
s_log(LOG_DEBUG, "%4ld session cache hits",
SSL_CTX_sess_hits(ssl->ctx));
s_log(LOG_DEBUG, "%4ld external session cache hits",
SSL_CTX_sess_cb_hits(ssl->ctx));
s_log(LOG_DEBUG, "%4ld session cache misses",
SSL_CTX_sess_misses(ssl->ctx));
s_log(LOG_DEBUG, "%4ld session cache timeouts",
SSL_CTX_sess_timeouts(ssl->ctx));
}
}
/**************************************** SSL error reporting */
void sslerror(char *txt) { /* OpenSSL error handler */
unsigned long err;
err=ERR_get_error();
if(err) {
sslerror_queue();
sslerror_log(err, txt);
} else {
s_log(LOG_ERR, "%s: Peer suddenly disconnected", txt);
}
}
static void sslerror_queue(void) { /* recursive dump of the error queue */
unsigned long err;
err=ERR_get_error();
if(err) {
sslerror_queue();
sslerror_log(err, "error queue");
}
}
static void sslerror_log(unsigned long err, char *txt) {
char *error_string;
error_string=str_alloc(120);
ERR_error_string(err, error_string);
s_log(LOG_ERR, "%s: %lX: %s", txt, err, error_string);
str_free(error_string);
}
/* end of ctx.c */

70
src/env.c Normal file
View File

@ -0,0 +1,70 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
/* getpeername() can't be declared in the following includes */
#define getpeername no_getpeername
#include <sys/types.h>
#include <sys/socket.h> /* for AF_INET */
#include <netinet/in.h>
#include <arpa/inet.h> /* for inet_addr() */
#include <stdlib.h> /* for getenv() */
#ifdef __BEOS__
#include <be/bone/arpa/inet.h> /* for AF_INET */
#include <be/bone/sys/socket.h> /* for AF_INET */
#else
#include <sys/socket.h> /* for AF_INET */
#endif
#undef getpeername
int getpeername(int s, struct sockaddr_in *name, int *len) {
char *value;
(void)s; /* skip warning about unused parameter */
(void)len; /* skip warning about unused parameter */
name->sin_family=AF_INET;
if((value=getenv("REMOTE_HOST")))
name->sin_addr.s_addr=inet_addr(value);
else
name->sin_addr.s_addr=htonl(INADDR_ANY);
if((value=getenv("REMOTE_PORT")))
name->sin_port=htons(atoi(value));
else
name->sin_port=htons(0); /* dynamic port allocation */
return 0;
}
/* end of env.c */

141
src/evc.mak Normal file
View File

@ -0,0 +1,141 @@
# wce.mak for stunnel.exe by Michal Trojnara 2006-2012
# with help of Pierre Delaage <delaage.pierre@free.fr>
#
# DEFAULTLIB management: only 2 are necessary
# defaultlibS as given for CLxxx in the MS doc ARE WRONG
# !!!!!!!!!!!!!!
# CUSTOMIZE THIS according to your wcecompat and openssl directories
# !!!!!!!!!!!!!!
# Modify this to point to your actual openssl compile directory
# (You did already compile openssl, didn't you???)
SSLDIR=C:\Users\standard\Documents\Dvts\Contrib\openssl\v1.0.0a\patched3
# Note that we currently use a multi-target customized version of legacy Essemer/wcecompat lib
COMPATDIR=C:\Users\standard\Documents\Dvts\Contrib\wcecompat\v12\patchedX86
WCEVER=420
# !!!!!!!!!!!!!!!!!!
# END CUSTOMIZATION
# !!!!!!!!!!!!!!!!!!
!IF "$(TARGETCPU)"=="X86"
WCETARGETCPU=_X86_
LDTARGETCPU=X86
MORECFLAGS=/MT
# TODO: continue list for other targets : see wcecompat/wcedefs.mak for a good ref.
# see also openssl/util/pl/vc-32.pl, also link /?
# for LDTARGETCPU: /MACHINE:{AM33|ARM|IA64|M32R|MIPS|MIPS16|MIPSFPU|MIPSFPU16|MIPSR41XX|SH3|SH3DSP|SH4|SH5|THUMB|X86}
# see wce/include/winnt.h for other "target architecture" flag
!ELSEIF "$(TARGETCPU)"=="emulator"
WCETARGETCPU=_X86_
LDTARGETCPU=X86
MORECFLAGS=/MT
!ELSEIF "$(TARGETCPU)"=="MIPS16" || "$(TARGETCPU)"=="MIPSII" || "$(TARGETCPU)"=="MIPSII_FP" || "$(TARGETCPU)"=="MIPSIV" || "$(TARGETCPU)"=="MIPSIV_FP"
WCETARGETCPU=_MIPS_
LDTARGETCPU=MIPS
MORECFLAGS=/DMIPS /MC
!ELSEIF "$(TARGETCPU)"=="SH3" || "$(TARGETCPU)"=="SH4"
WCETARGETCPU=SHx
LDTARGETCPU=$(TARGETCPU)
MORECFLAGS=/MC
!ELSE
# default is ARM !
# !IF "$(TARGETCPU)"=="ARMV4" || "$(TARGETCPU)"=="ARMV4I" || "$(TARGETCPU)"=="ARMV4T"
# the following flag is required by (eg) winnt.h, and is different from targetcpu (armV4)
WCETARGETCPU=ARM
LDTARGETCPU=ARM
MORECFLAGS=/MC
!ENDIF
# ceutilsdir probably useless (nb : were tools from essemer; but ms delivers a cecopy anyway, see ms dld site)
CEUTILSDIR=..\..\ceutils
# "ce:" is not a correct location , but we never "make install"
DSTDIR=ce:\stunnel
# use MS env vars, as in wcecompat and openssl makefiles
SDKDIR=$(SDKROOT)\$(OSVERSION)\$(PLATFORM)
INCLUDES=-I$(SSLDIR)\inc32 -I$(COMPATDIR)\include -I"$(SDKDIR)\include\$(TARGETCPU)"
# for X86 and other it appears that /MC or /ML flags are absurd,
# we always have to override runtime lib list to coredll and corelibc
LIBS=/NODEFAULTLIB coredll.lib corelibc.lib winsock.lib wcecompatex.lib libeay32.lib ssleay32.lib
DEFINES=/DHOST=\"$(TARGETCPU)-WCE-eVC-$(WCEVER)\"
# /O1 /Oi more correct vs MS doc
CFLAGS=/nologo $(MORECFLAGS) /O1 /Oi /W3 /WX /GF /Gy $(DEFINES) /D$(WCETARGETCPU) /D$(TARGETCPU) /DUNDER_CE=$(WCEVER) /D_WIN32_WCE=$(WCEVER) /DUNICODE -D_UNICODE $(INCLUDES)
RFLAGS=$(DEFINES) $(INCLUDES)
# LDFLAGS: since openssl >> 098a (eg 098h) out32dll is out32dll_targetCPU for WCE
# delaage added $(TARGETCPU) in legacy Essemer/wcecompat libpath
# to ease multitarget compilation without recompiling everything
# this customized version is available on:
# http://delaage.pierre.free.fr/contrib/wcecompat/wcecompat12_patched.zip
LDFLAGS=/nologo /subsystem:windowsce,3.00 /machine:$(LDTARGETCPU) /libpath:"$(SDKDIR)\lib\$(TARGETCPU)" /libpath:"$(COMPATDIR)\lib\$(TARGETCPU)" /libpath:"$(SSLDIR)\out32dll_$(TARGETCPU)"
# Multi-target support for stunnel
SRC=..\src
OBJROOT=..\obj
OBJ=$(OBJROOT)\$(TARGETCPU)
BINROOT=..\bin
BIN=$(BINROOT)\$(TARGETCPU)
OBJS=$(OBJ)\stunnel.obj $(OBJ)\ssl.obj $(OBJ)\ctx.obj $(OBJ)\verify.obj \
$(OBJ)\file.obj $(OBJ)\client.obj $(OBJ)\protocol.obj $(OBJ)\sthreads.obj \
$(OBJ)\log.obj $(OBJ)\options.obj $(OBJ)\network.obj \
$(OBJ)\resolver.obj $(OBJ)\str.obj $(OBJ)\fd.obj
GUIOBJS=$(OBJ)\gui.obj $(OBJ)\resources.res
NOGUIOBJS=$(OBJ)\nogui.obj
{$(SRC)\}.c{$(OBJ)\}.obj:
$(CC) $(CFLAGS) -Fo$@ -c $<
{$(SRC)\}.cpp{$(OBJ)\}.obj:
$(CC) $(CFLAGS) -Fo$@ -c $<
{$(SRC)\}.rc{$(OBJ)\}.res:
$(RC) $(RFLAGS) -fo$@ -r $<
all: makedirs $(BIN)\stunnel.exe $(BIN)\tstunnel.exe
makedirs:
-@ IF NOT EXIST $(OBJROOT) mkdir $(OBJROOT) >NUL 2>&1
-@ IF NOT EXIST $(OBJ) mkdir $(OBJ) >NUL 2>&1
-@ IF NOT EXIST $(BINROOT) mkdir $(BINROOT) >NUL 2>&1
-@ IF NOT EXIST $(BIN) mkdir $(BIN) >NUL 2>&1
$(BIN)\stunnel.exe:$(OBJS) $(GUIOBJS)
link $(LDFLAGS) /out:$(BIN)\stunnel.exe $(LIBS) commctrl.lib $**
$(BIN)\tstunnel.exe:$(OBJS) $(NOGUIOBJS)
link $(LDFLAGS) /out:$(BIN)\tstunnel.exe $(LIBS) $**
$(OBJ)\resources.res: $(SRC)\resources.rc $(SRC)\resources.h $(SRC)\version.h
$(OBJ)\gui.obj: $(SRC)\gui.c $(SRC)\version.h
$(OBJ)\stunnel.obj: $(SRC)\stunnel.c $(SRC)\version.h
# now list of openssl dll has more files,
# but we do not use "make install" for stunnel
# ceutils come from essemer/wcecompat website
# some tools can be found at MS website
# TODO: update all this ceutils stuff, or suppress it
install: stunnel.exe tstunnel.exe
$(CEUTILSDIR)\cemkdir $(DSTDIR) || echo Directory exists?
$(CEUTILSDIR)\cecopy stunnel.exe $(DSTDIR)
$(CEUTILSDIR)\cecopy tstunnel.exe $(DSTDIR)
$(CEUTILSDIR)\cecopy $(SSLDIR)\out32dll_$(TARGETCPU)\libeay32.dll $(DSTDIR)
$(CEUTILSDIR)\cecopy $(SSLDIR)\out32dll_$(TARGETCPU)\ssleay32.dll $(DSTDIR)
clean:
-@ IF NOT "$(TARGETCPU)"=="" del $(OBJS) $(GUIOBJS) $(NOGUIOBJS) $(BIN)\stunnel.exe $(BIN)\tstunnel.exe >NUL 2>&1
-@ IF NOT "$(TARGETCPU)"=="" rmdir $(OBJ) >NUL 2>&1
-@ IF NOT "$(TARGETCPU)"=="" rmdir $(BIN) >NUL 2>&1

250
src/fd.c Normal file
View File

@ -0,0 +1,250 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
#if defined HAVE_PIPE2 && defined HAVE_ACCEPT4
#define USE_NEW_LINUX_API 1
#endif
/* try to use non-POSIX O_NDELAY on obsolete BSD systems */
#if !defined O_NONBLOCK && defined O_NDELAY
#define O_NONBLOCK O_NDELAY
#endif
/**************************************** prototypes */
static int setup_fd(int, int, char *);
/**************************************** internal limit of file descriptors */
#ifndef USE_FORK
static int max_fds;
void get_limits(void) { /* set max_fds and max_clients */
/* start with current ulimit */
#if defined(HAVE_SYSCONF)
errno=0;
max_fds=sysconf(_SC_OPEN_MAX);
if(errno)
ioerror("sysconf");
if(max_fds<0)
max_fds=0; /* unlimited */
#elif defined(HAVE_GETRLIMIT)
struct rlimit rlim;
if(getrlimit(RLIMIT_NOFILE, &rlim)<0) {
ioerror("getrlimit");
max_fds=0; /* unlimited */
} else
max_fds=rlim.rlim_cur!=RLIM_INFINITY ? rlim.rlim_cur : 0;
#else
max_fds=0; /* unlimited */
#endif /* HAVE_SYSCONF || HAVE_GETRLIMIT */
#if !defined(USE_WIN32) && !defined(USE_POLL) && !defined(__INNOTEK_LIBC__)
/* apply FD_SETSIZE if select() is used on Unix */
if(!max_fds || max_fds>FD_SETSIZE)
max_fds=FD_SETSIZE; /* start with select() limit */
#endif /* select() on Unix */
/* stunnel needs at least 16 file desriptors */
if(max_fds && max_fds<16)
max_fds=16;
if(max_fds) {
max_clients=max_fds>=256 ? max_fds*125/256 : (max_fds-6)/2;
s_log(LOG_DEBUG, "Clients allowed=%d", max_clients);
} else {
max_clients=0;
s_log(LOG_DEBUG, "No limit detected for the number of clients");
}
}
#endif
/**************************************** file descriptor validation */
int s_socket(int domain, int type, int protocol, int nonblock, char *msg) {
#ifdef USE_NEW_LINUX_API
if(nonblock)
type|=SOCK_NONBLOCK;
type|=SOCK_CLOEXEC;
#endif
return setup_fd(socket(domain, type, protocol), nonblock, msg);
}
int s_accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen,
int nonblock, char *msg) {
int fd;
#ifdef USE_NEW_LINUX_API
if(nonblock)
fd=accept4(sockfd, addr, addrlen, SOCK_NONBLOCK|SOCK_CLOEXEC);
else
fd=accept4(sockfd, addr, addrlen, SOCK_CLOEXEC);
#else
fd=accept(sockfd, addr, addrlen);
#endif
return setup_fd(fd, nonblock, msg);
}
#ifndef USE_WIN32
int s_socketpair(int domain, int type, int protocol, int sv[2],
int nonblock, char *msg) {
#ifdef USE_NEW_LINUX_API
if(nonblock)
type|=SOCK_NONBLOCK;
type|=SOCK_CLOEXEC;
#endif
if(socketpair(domain, type, protocol, sv)<0) {
ioerror(msg);
return -1;
}
if(setup_fd(sv[0], nonblock, msg)<0) {
closesocket(sv[1]);
return -1;
}
if(setup_fd(sv[1], nonblock, msg)<0) {
closesocket(sv[0]);
return -1;
}
return 0;
}
int s_pipe(int pipefd[2], int nonblock, char *msg) {
int retval;
#ifdef USE_NEW_LINUX_API
if(nonblock)
retval=pipe2(pipefd, O_NONBLOCK|O_CLOEXEC);
else
retval=pipe2(pipefd, O_CLOEXEC);
#else
retval=pipe(pipefd);
#endif
if(retval<0) {
ioerror(msg);
return -1;
}
if(setup_fd(pipefd[0], nonblock, msg)<0) {
close(pipefd[1]);
return -1;
}
if(setup_fd(pipefd[1], nonblock, msg)<0) {
close(pipefd[0]);
return -1;
}
return 0;
}
#endif /* USE_WIN32 */
static int setup_fd(int fd, int nonblock, char *msg) {
#if !defined USE_NEW_LINUX_API && defined FD_CLOEXEC
int err;
#endif
if(fd<0) {
sockerror(msg);
return -1;
}
#ifndef USE_FORK
if(max_fds && fd>=max_fds) {
s_log(LOG_ERR, "%s: FD=%d out of range (max %d)",
msg, fd, max_fds);
closesocket(fd);
return -1;
}
#endif
#ifdef USE_NEW_LINUX_API
(void)nonblock; /* skip warning about unused parameter */
#else /* set O_NONBLOCK and F_SETFD */
set_nonblock(fd, nonblock);
#ifdef FD_CLOEXEC
do {
err=fcntl(fd, F_SETFD, FD_CLOEXEC);
} while(err<0 && get_last_socket_error()==S_EINTR);
if(err<0)
sockerror("fcntl SETFD"); /* non-critical */
#endif /* FD_CLOEXEC */
#endif /* USE_NEW_LINUX_API */
#ifdef DEBUG_FD_ALLOC
s_log(LOG_DEBUG, "%s: FD=%d allocated (%sblocking mode)",
msg, fd, nonblock?"non-":"");
#endif /* DEBUG_FD_ALLOC */
return fd;
}
void set_nonblock(int fd, unsigned long nonblock) {
#if defined F_GETFL && defined F_SETFL && defined O_NONBLOCK && !defined __INNOTEK_LIBC__
int err, flags;
do {
flags=fcntl(fd, F_GETFL, 0);
} while(flags<0 && get_last_socket_error()==S_EINTR);
if(flags<0) {
sockerror("fcntl GETFL"); /* non-critical */
return;
}
if(nonblock)
flags|=O_NONBLOCK;
else
flags&=~O_NONBLOCK;
do {
err=fcntl(fd, F_SETFL, flags);
} while(err<0 && get_last_socket_error()==S_EINTR);
if(err<0)
sockerror("fcntl SETFL"); /* non-critical */
#else /* WIN32 or similar */
if(ioctlsocket(fd, FIONBIO, &nonblock)<0)
sockerror("ioctlsocket"); /* non-critical */
#if 0
else
s_log(LOG_DEBUG, "Socket %d set to %s mode",
fd, nonblock ? "non-blocking" : "blocking");
#endif
#endif
}
/* end of fd.c */

223
src/file.c Normal file
View File

@ -0,0 +1,223 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
#ifdef USE_WIN32
DISK_FILE *file_open(char *name, int wr) {
DISK_FILE *df;
LPTSTR tstr;
HANDLE fh;
/* open file */
tstr=str2tstr(name);
fh=CreateFile(tstr, wr ? GENERIC_WRITE : GENERIC_READ,
FILE_SHARE_READ, NULL, wr ? OPEN_ALWAYS : OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL, (HANDLE)NULL);
str_free(tstr);
if(fh==INVALID_HANDLE_VALUE) {
ioerror(name);
return NULL;
}
if(wr) /* append */
SetFilePointer(fh, 0, NULL, FILE_END);
/* setup df structure */
df=str_alloc(sizeof df);
df->fh=fh;
return df;
}
#else /* USE_WIN32 */
DISK_FILE *file_fdopen(int fd) {
DISK_FILE *df;
df=str_alloc(sizeof(DISK_FILE));
df->fd=fd;
return df;
}
DISK_FILE *file_open(char *name, int wr) {
DISK_FILE *df;
int fd, flags;
/* open file */
if(wr)
flags=O_CREAT|O_WRONLY|O_APPEND;
else
flags=O_RDONLY;
#ifdef O_NONBLOCK
flags|=O_NONBLOCK;
#elif defined O_NDELAY
flags|=O_NDELAY;
#endif
#ifdef O_CLOEXEC
flags|=O_CLOEXEC;
#endif /* O_CLOEXEC */
fd=open(name, flags, 0640);
if(fd<0) {
ioerror(name);
return NULL;
}
/* setup df structure */
df=str_alloc(sizeof df);
df->fd=fd;
return df;
}
#endif /* USE_WIN32 */
void file_close(DISK_FILE *df) {
if(!df) /* nothing to do */
return;
#ifdef USE_WIN32
CloseHandle(df->fh);
#else /* USE_WIN32 */
close(df->fd);
#endif /* USE_WIN32 */
str_free(df);
}
int file_getline(DISK_FILE *df, char *line, int len) {
/* this version is really slow, but performance is not important here */
/* (no buffering is implemented) */
int i;
#ifdef USE_WIN32
DWORD num;
#else /* USE_WIN32 */
int num;
#endif /* USE_WIN32 */
if(!df) /* not opened */
return -1;
for(i=0; i<len-1; i++) {
#ifdef USE_WIN32
ReadFile(df->fh, line+i, 1, &num, NULL);
#else /* USE_WIN32 */
num=read(df->fd, line+i, 1);
#endif /* USE_WIN32 */
if(num!=1) { /* EOF */
if(i) /* any previously retrieved data */
break;
else
return -1;
}
if(line[i]=='\n') /* LF */
break;
if(line[i]=='\r') /* CR */
--i; /* ignore - it must be the last check */
}
line[i]='\0';
return i;
}
int file_putline(DISK_FILE *df, char *line) {
int len;
char *buff;
#ifdef USE_WIN32
DWORD num;
#else /* USE_WIN32 */
int num;
#endif /* USE_WIN32 */
len=strlen(line);
buff=str_alloc(len+2); /* +2 for CR+LF */
strcpy(buff, line);
#ifdef USE_WIN32
buff[len++]='\r'; /* CR */
#endif /* USE_WIN32 */
buff[len++]='\n'; /* LF */
#ifdef USE_WIN32
WriteFile(df->fh, buff, len, &num, NULL);
#else /* USE_WIN32 */
/* no file -> write to stderr */
num=write(df ? df->fd : 2, buff, len);
#endif /* USE_WIN32 */
str_free(buff);
return num;
}
#ifdef USE_WIN32
LPTSTR str2tstr(const LPSTR in) {
LPTSTR out;
int len;
#ifdef UNICODE
len=MultiByteToWideChar(CP_ACP, 0, in, -1, NULL, 0);
if(!len)
return NULL;
out=str_alloc((len+1)*sizeof(WCHAR));
len=MultiByteToWideChar(CP_ACP, 0, in, -1, out, len);
if(!len)
return NULL;
#else
len=strlen(in);
out=str_alloc(len+1);
strcpy(out, in);
#endif
return out;
}
LPSTR tstr2str(const LPTSTR in) {
LPSTR out;
int len;
#ifdef UNICODE
len=WideCharToMultiByte(CP_ACP, 0, in, -1, NULL, 0, NULL, NULL);
if(!len)
return NULL;
out=str_alloc(len+1);
len=WideCharToMultiByte(CP_ACP, 0, in, -1, out, len, NULL, NULL);
if(!len)
return NULL;
#else
len=strlen(in);
out=str_alloc(len+1);
strcpy(out, in);
#endif
return out;
}
#endif /* USE_WIN32 */
/* end of file.c */

1311
src/gui.c Normal file
View File

File diff suppressed because it is too large Load Diff

308
src/libwrap.c Normal file
View File

@ -0,0 +1,308 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
#ifdef USE_LIBWRAP
#include <tcpd.h>
static int check(char *, int);
int allow_severity=LOG_NOTICE, deny_severity=LOG_WARNING;
#ifdef USE_PTHREAD
#define SERVNAME_LEN 256
static ssize_t read_fd(int, void *, size_t, int *);
static ssize_t write_fd(int, void *, size_t, int);
int num_processes=0;
static int *ipc_socket, *busy;
#endif /* USE_PTHREAD */
int libwrap_init() {
#ifdef USE_PTHREAD
int i, j, rfd, result;
char servname[SERVNAME_LEN];
static int initialized=0;
SERVICE_OPTIONS *opt;
if(initialized) /* during startup or previous configuration file reload */
return 0;
for(opt=service_options.next; opt; opt=opt->next)
if(opt->option.libwrap) /* libwrap is enabled for this service */
break;
if(!opt) /* disabled for all sections or inetd mode (no sections) */
return 0;
num_processes=LIBWRAP_CLIENTS;
ipc_socket=str_alloc(2*num_processes*sizeof(int));
busy=str_alloc(num_processes*sizeof(int));
for(i=0; i<num_processes; ++i) { /* spawn a child */
if(s_socketpair(AF_UNIX, SOCK_STREAM, 0, ipc_socket+2*i, 0, "libwrap_init"))
return 1;
switch(fork()) {
case -1: /* error */
ioerror("fork");
return 1;
case 0: /* child */
drop_privileges(0); /* libwrap processes are not chrooted */
close(0); /* stdin */
close(1); /* stdout */
if(!global_options.option.foreground) /* for logging in read_fd */
close(2); /* stderr */
for(j=0; j<=i; ++j) /* close parent-side sockets created so far */
close(ipc_socket[2*j]);
while(1) { /* main libwrap child loop */
if(read_fd(ipc_socket[2*i+1], servname, SERVNAME_LEN, &rfd)<=0)
_exit(0);
result=check(servname, rfd);
write(ipc_socket[2*i+1], (u8 *)&result, sizeof result);
if(rfd>=0)
close(rfd);
}
default: /* parent */
close(ipc_socket[2*i+1]); /* child-side socket */
}
}
initialized=1;
#endif /* USE_PTHREAD */
return 0;
}
void libwrap_auth(CLI *c, char *accepted_address) {
int result=0; /* deny by default */
#ifdef USE_PTHREAD
static volatile int num_busy=0, roundrobin=0;
int retval, my_process;
static pthread_mutex_t mutex=PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t cond=PTHREAD_COND_INITIALIZER;
#endif /* USE_PTHREAD */
if(!c->opt->option.libwrap) /* libwrap is disabled for this service */
return; /* allow connection */
#ifdef HAVE_STRUCT_SOCKADDR_UN
if(c->peer_addr.sa.sa_family==AF_UNIX) {
s_log(LOG_INFO, "Libwrap is not supported on Unix sockets");
return;
}
#endif
#ifdef USE_PTHREAD
if(num_processes) {
s_log(LOG_DEBUG, "Waiting for a libwrap process");
retval=pthread_mutex_lock(&mutex);
if(retval) {
errno=retval;
ioerror("pthread_mutex_lock");
longjmp(c->err, 1);
}
while(num_busy==num_processes) { /* all child processes are busy */
retval=pthread_cond_wait(&cond, &mutex);
if(retval) {
errno=retval;
ioerror("pthread_cond_wait");
longjmp(c->err, 1);
}
}
while(busy[roundrobin]) /* find a free child process */
roundrobin=(roundrobin+1)%num_processes;
my_process=roundrobin; /* the process allocated by this thread */
++num_busy; /* the child process has been allocated */
busy[my_process]=1; /* mark the child process as busy */
retval=pthread_mutex_unlock(&mutex);
if(retval) {
errno=retval;
ioerror("pthread_mutex_unlock");
longjmp(c->err, 1);
}
s_log(LOG_DEBUG, "Acquired libwrap process #%d", my_process);
write_fd(ipc_socket[2*my_process], c->opt->servname,
strlen(c->opt->servname)+1, c->local_rfd.fd);
read_blocking(c, ipc_socket[2*my_process],
(u8 *)&result, sizeof result);
s_log(LOG_DEBUG, "Releasing libwrap process #%d", my_process);
retval=pthread_mutex_lock(&mutex);
if(retval) {
errno=retval;
ioerror("pthread_mutex_lock");
longjmp(c->err, 1);
}
busy[my_process]=0; /* mark the child process as free */
--num_busy; /* the child process has been released */
if(num_busy==num_processes-1) { /* need to wake up a thread */
retval=pthread_cond_signal(&cond); /* signal waiting threads */
if(retval) {
errno=retval;
ioerror("pthread_cond_signal");
longjmp(c->err, 1);
}
}
retval=pthread_mutex_unlock(&mutex);
if(retval) {
errno=retval;
ioerror("pthread_mutex_unlock");
longjmp(c->err, 1);
}
s_log(LOG_DEBUG, "Released libwrap process #%d", my_process);
} else
#endif /* USE_PTHREAD */
{ /* use original, synchronous libwrap calls */
enter_critical_section(CRIT_LIBWRAP);
result=check(c->opt->servname, c->local_rfd.fd);
leave_critical_section(CRIT_LIBWRAP);
}
if(!result) {
s_log(LOG_WARNING, "Service [%s] REFUSED by libwrap from %s",
c->opt->servname, accepted_address);
s_log(LOG_DEBUG, "See hosts_access(5) manual for details");
longjmp(c->err, 1);
}
s_log(LOG_DEBUG, "Service [%s] permitted by libwrap from %s",
c->opt->servname, accepted_address);
}
static int check(char *name, int fd) {
struct request_info request;
request_init(&request, RQ_DAEMON, name, RQ_FILE, fd, 0);
fromhost(&request);
return hosts_access(&request);
}
#ifdef USE_PTHREAD
static ssize_t read_fd(int fd, void *ptr, size_t nbytes, int *recvfd) {
struct msghdr msg;
struct iovec iov[1];
ssize_t n;
#ifdef HAVE_MSGHDR_MSG_CONTROL
union {
struct cmsghdr cm;
char control[CMSG_SPACE(sizeof(int))];
} control_un;
struct cmsghdr *cmptr;
msg.msg_control=control_un.control;
msg.msg_controllen=sizeof control_un.control;
#else
int newfd;
msg.msg_accrights=(caddr_t)&newfd;
msg.msg_accrightslen=sizeof(int);
#endif
msg.msg_name=NULL;
msg.msg_namelen=0;
iov[0].iov_base=ptr;
iov[0].iov_len=nbytes;
msg.msg_iov=iov;
msg.msg_iovlen=1;
*recvfd=-1; /* descriptor was not passed */
n=recvmsg(fd, &msg, 0);
if(n<=0)
return n;
#ifdef HAVE_MSGHDR_MSG_CONTROL
cmptr=CMSG_FIRSTHDR(&msg);
if(!cmptr || cmptr->cmsg_len!=CMSG_LEN(sizeof(int)))
return n;
if(cmptr->cmsg_level!=SOL_SOCKET) {
s_log(LOG_ERR, "control level != SOL_SOCKET");
return -1;
}
if(cmptr->cmsg_type!=SCM_RIGHTS) {
s_log(LOG_ERR, "control type != SCM_RIGHTS");
return -1;
}
memcpy(recvfd, CMSG_DATA(cmptr), sizeof(int));
#else
if(msg.msg_accrightslen==sizeof(int))
*recvfd=newfd;
#endif
return n;
}
static ssize_t write_fd(int fd, void *ptr, size_t nbytes, int sendfd) {
struct msghdr msg;
struct iovec iov[1];
#ifdef HAVE_MSGHDR_MSG_CONTROL
union {
struct cmsghdr cm;
char control[CMSG_SPACE(sizeof(int))];
} control_un;
struct cmsghdr *cmptr;
msg.msg_control=control_un.control;
msg.msg_controllen=sizeof control_un.control;
cmptr=CMSG_FIRSTHDR(&msg);
cmptr->cmsg_len=CMSG_LEN(sizeof(int));
cmptr->cmsg_level=SOL_SOCKET;
cmptr->cmsg_type=SCM_RIGHTS;
memcpy(CMSG_DATA(cmptr), &sendfd, sizeof(int));
#else
msg.msg_accrights=(caddr_t)&sendfd;
msg.msg_accrightslen=sizeof(int);
#endif
msg.msg_name=NULL;
msg.msg_namelen=0;
iov[0].iov_base=ptr;
iov[0].iov_len=nbytes;
msg.msg_iov=iov;
msg.msg_iovlen=1;
return sendmsg(fd, &msg, 0);
}
#endif /* USE_PTHREAD */
#endif /* USE_LIBWRAP */
/* end of libwrap.c */

390
src/log.c Normal file
View File

@ -0,0 +1,390 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
static void log_raw(const int, const char *, const char *, const char *);
static DISK_FILE *outfile=NULL;
static struct LIST { /* single-linked list of log lines */
struct LIST *next;
int level;
char *stamp, *id, *text;
} *head=NULL, *tail=NULL;
static LOG_MODE mode=LOG_MODE_NONE;
#if !defined(USE_WIN32) && !defined(__vms)
static int syslog_opened=0;
void syslog_open(void) {
syslog_close();
if(global_options.option.syslog)
#ifdef __ultrix__
openlog("stunnel", 0);
#else
openlog("stunnel", LOG_CONS|LOG_NDELAY, global_options.facility);
#endif /* __ultrix__ */
syslog_opened=1;
}
void syslog_close(void) {
if(syslog_opened) {
if(global_options.option.syslog)
closelog();
syslog_opened=0;
}
}
#endif /* !defined(USE_WIN32) && !defined(__vms) */
void log_open(void) {
if(global_options.output_file) { /* 'output' option specified */
outfile=file_open(global_options.output_file, 1);
if(!outfile)
s_log(LOG_ERR, "Unable to open output file: %s",
global_options.output_file);
}
log_flush(LOG_MODE_CONFIGURED);
}
void log_close(void) {
mode=LOG_MODE_NONE;
if(outfile) {
file_close(outfile);
outfile=NULL;
}
}
void log_flush(LOG_MODE new_mode) {
struct LIST *tmp;
/* prevent changing LOG_MODE_CONFIGURED to LOG_MODE_ERROR
* once stderr file descriptor is closed */
if(mode!=LOG_MODE_CONFIGURED)
mode=new_mode;
enter_critical_section(CRIT_LOG);
while(head) {
log_raw(head->level, head->stamp, head->id, head->text);
str_free(head->stamp);
str_free(head->id);
str_free(head->text);
tmp=head;
head=head->next;
str_free(tmp);
}
leave_critical_section(CRIT_LOG);
head=tail=NULL;
}
void s_log(int level, const char *format, ...) {
va_list ap;
char *text, *stamp, *id;
struct LIST *tmp;
int libc_error, socket_error;
time_t gmt;
struct tm *timeptr;
#if defined(HAVE_LOCALTIME_R) && defined(_REENTRANT)
struct tm timestruct;
#endif
/* performance optimization: skip the trivial case early */
if(mode==LOG_MODE_CONFIGURED && level>global_options.debug_level)
return;
libc_error=get_last_error();
socket_error=get_last_socket_error();
time(&gmt);
#if defined(HAVE_LOCALTIME_R) && defined(_REENTRANT)
timeptr=localtime_r(&gmt, &timestruct);
#else
timeptr=localtime(&gmt);
#endif
stamp=str_printf("%04d.%02d.%02d %02d:%02d:%02d",
timeptr->tm_year+1900, timeptr->tm_mon+1, timeptr->tm_mday,
timeptr->tm_hour, timeptr->tm_min, timeptr->tm_sec);
id=str_printf("LOG%d[%lu:%lu]",
level, stunnel_process_id(), stunnel_thread_id());
va_start(ap, format);
text=str_vprintf(format, ap);
va_end(ap);
if(mode==LOG_MODE_NONE) { /* save the text to log it later */
enter_critical_section(CRIT_LOG);
tmp=str_alloc(sizeof(struct LIST));
str_detach(tmp);
tmp->next=NULL;
tmp->level=level;
tmp->stamp=stamp;
str_detach(tmp->stamp);
tmp->id=id;
str_detach(tmp->id);
tmp->text=text;
str_detach(tmp->text);
if(tail)
tail->next=tmp;
else
head=tmp;
tail=tmp;
leave_critical_section(CRIT_LOG);
} else { /* ready log the text directly */
log_raw(level, stamp, id, text);
str_free(stamp);
str_free(id);
str_free(text);
}
set_last_error(libc_error);
set_last_socket_error(socket_error);
}
static void log_raw(const int level, const char *stamp,
const char *id, const char *text) {
char *line;
/* build the line and log it to syslog/file */
if(mode==LOG_MODE_CONFIGURED) { /* configured */
line=str_printf("%s %s: %s", stamp, id, text);
if(level<=global_options.debug_level) {
#if !defined(USE_WIN32) && !defined(__vms)
if(global_options.option.syslog)
syslog(level, "%s: %s", id, text);
#endif /* USE_WIN32, __vms */
if(outfile)
file_putline(outfile, line); /* send log to file */
}
} else /* LOG_MODE_ERROR or LOG_MODE_INFO */
line=str_dup(text); /* don't log the time stamp in error mode */
/* log the line to GUI/stderr */
#ifdef USE_WIN32
if(mode==LOG_MODE_ERROR || /* always log to the GUI window */
(mode==LOG_MODE_INFO && level<LOG_DEBUG) ||
level<=global_options.debug_level)
SendMessage(hwnd, WM_LOG, (WPARAM)line, 0);
#if 0
/* logging to Windows console for nogui.c */
LPTSTR tstr;
tstr=str2tstr(line);
RETAILMSG(TRUE, (TEXT("%s\r\n"), tstr));
str_free(tstr);
#endif
#else /* Unix */
if(mode==LOG_MODE_ERROR || /* always log LOG_MODE_ERROR to stderr */
(mode==LOG_MODE_INFO && level<LOG_DEBUG) ||
(level<=global_options.debug_level &&
global_options.option.foreground))
fprintf(stderr, "%s\n", line); /* send log to stderr */
#endif
str_free(line);
}
/* critical problem - str.c functions are not safe to use */
void fatal_debug(char *error, char *file, int line) {
char text[80];
#ifdef USE_WIN32
DWORD num;
#endif /* USE_WIN32 */
snprintf(text, sizeof text, /* with newline */
"INTERNAL ERROR: %s at %s, line %d\n", error, file, line);
if(outfile) {
#ifdef USE_WIN32
WriteFile(outfile->fh, text, strlen(text), &num, NULL);
#else /* USE_WIN32 */
/* no file -> write to stderr */
write(outfile ? outfile->fd : 2, text, strlen(text));
#endif /* USE_WIN32 */
}
#ifndef USE_WIN32
if(mode!=LOG_MODE_CONFIGURED || global_options.option.foreground)
fputs(text, stderr);
#endif /* !USE_WIN32 */
snprintf(text, sizeof text, /* without newline */
"INTERNAL ERROR: %s at %s, line %d", error, file, line);
#if !defined(USE_WIN32) && !defined(__vms)
if(global_options.option.syslog)
syslog(LOG_CRIT, "%s", text);
#endif /* USE_WIN32, __vms */
#ifdef USE_WIN32
#ifdef _WIN32_WCE
MessageBox(hwnd, TEXT("INTERNAL ERROR"),
TEXT("stunnel"), MB_ICONERROR);
#else /* _WIN32_WCE */
MessageBox(hwnd, text, "stunnel", MB_ICONERROR);
#endif /* _WIN32_WCE */
#endif /* USE_WIN32 */
abort();
}
void ioerror(const char *txt) { /* input/output error */
log_error(LOG_ERR, get_last_error(), txt);
}
void sockerror(const char *txt) { /* socket error */
log_error(LOG_ERR, get_last_socket_error(), txt);
}
void log_error(int level, int error, const char *txt) { /* generic error */
s_log(level, "%s: %s (%d)", txt, s_strerror(error), error);
}
char *s_strerror(int errnum) {
switch(errnum) {
#ifdef USE_WIN32
case 10004:
return "Interrupted system call (WSAEINTR)";
case 10009:
return "Bad file number (WSAEBADF)";
case 10013:
return "Permission denied (WSAEACCES)";
case 10014:
return "Bad address (WSAEFAULT)";
case 10022:
return "Invalid argument (WSAEINVAL)";
case 10024:
return "Too many open files (WSAEMFILE)";
case 10035:
return "Operation would block (WSAEWOULDBLOCK)";
case 10036:
return "Operation now in progress (WSAEINPROGRESS)";
case 10037:
return "Operation already in progress (WSAEALREADY)";
case 10038:
return "Socket operation on non-socket (WSAENOTSOCK)";
case 10039:
return "Destination address required (WSAEDESTADDRREQ)";
case 10040:
return "Message too long (WSAEMSGSIZE)";
case 10041:
return "Protocol wrong type for socket (WSAEPROTOTYPE)";
case 10042:
return "Bad protocol option (WSAENOPROTOOPT)";
case 10043:
return "Protocol not supported (WSAEPROTONOSUPPORT)";
case 10044:
return "Socket type not supported (WSAESOCKTNOSUPPORT)";
case 10045:
return "Operation not supported on socket (WSAEOPNOTSUPP)";
case 10046:
return "Protocol family not supported (WSAEPFNOSUPPORT)";
case 10047:
return "Address family not supported by protocol family (WSAEAFNOSUPPORT)";
case 10048:
return "Address already in use (WSAEADDRINUSE)";
case 10049:
return "Can't assign requested address (WSAEADDRNOTAVAIL)";
case 10050:
return "Network is down (WSAENETDOWN)";
case 10051:
return "Network is unreachable (WSAENETUNREACH)";
case 10052:
return "Net dropped connection or reset (WSAENETRESET)";
case 10053:
return "Software caused connection abort (WSAECONNABORTED)";
case 10054:
return "Connection reset by peer (WSAECONNRESET)";
case 10055:
return "No buffer space available (WSAENOBUFS)";
case 10056:
return "Socket is already connected (WSAEISCONN)";
case 10057:
return "Socket is not connected (WSAENOTCONN)";
case 10058:
return "Can't send after socket shutdown (WSAESHUTDOWN)";
case 10059:
return "Too many references, can't splice (WSAETOOMANYREFS)";
case 10060:
return "Connection timed out (WSAETIMEDOUT)";
case 10061:
return "Connection refused (WSAECONNREFUSED)";
case 10062:
return "Too many levels of symbolic links (WSAELOOP)";
case 10063:
return "File name too long (WSAENAMETOOLONG)";
case 10064:
return "Host is down (WSAEHOSTDOWN)";
case 10065:
return "No Route to Host (WSAEHOSTUNREACH)";
case 10066:
return "Directory not empty (WSAENOTEMPTY)";
case 10067:
return "Too many processes (WSAEPROCLIM)";
case 10068:
return "Too many users (WSAEUSERS)";
case 10069:
return "Disc Quota Exceeded (WSAEDQUOT)";
case 10070:
return "Stale NFS file handle (WSAESTALE)";
case 10091:
return "Network SubSystem is unavailable (WSASYSNOTREADY)";
case 10092:
return "WINSOCK DLL Version out of range (WSAVERNOTSUPPORTED)";
case 10093:
return "Successful WSASTARTUP not yet performed (WSANOTINITIALISED)";
case 10071:
return "Too many levels of remote in path (WSAEREMOTE)";
case 11001:
return "Host not found (WSAHOST_NOT_FOUND)";
case 11002:
return "Non-Authoritative Host not found (WSATRY_AGAIN)";
case 11003:
return "Non-Recoverable errors: FORMERR, REFUSED, NOTIMP (WSANO_RECOVERY)";
case 11004:
return "Valid name, no data record of requested type (WSANO_DATA)";
#if 0
case 11004: /* typically, only WSANO_DATA is reported */
return "No address, look for MX record (WSANO_ADDRESS)";
#endif
#endif /* defined USE_WIN32 */
default:
return strerror(errnum);
}
}
/* end of log.c */

8
src/make.bat Normal file
View File

@ -0,0 +1,8 @@
@echo off
:: pdelaage commented : make.exe -f mingw.mak %1 %2 %3 %4 %5 %6 %7 %8 %9
:: on Windows, make is Borland make, but mingw.mak is NOW only compatible
:: with gnu make (due to various improvments I made, for compatibility between
:: linux and Windows host environments.
:: and echo OFF is the sign we are HERE on Windows, isn't it?...
mingw32-make.exe -f mingw.mak %1 %2 %3 %4 %5 %6 %7 %8 %9

73
src/makece.bat Normal file
View File

@ -0,0 +1,73 @@
@echo off
:: created by pdelaage on 20100928
:: usage : makece ARMV4|X86|... other cpus: see bat scripts in evc/bin
:: eg makece X86, makece X86 clean
:: makece <=> makece ARMV4 all
:: NEVER DO makece clean ! but makece TARGETCPU clean !
:: Note : adapt EVC/bin/WCE<target>.bat scripts
Title WCE STUNNEL
:: !!!!!!!!!!!!!!
:: CUSTOMIZE THIS according to your EVC INSTALLED ENVIRONMENT
:: !!!!!!!!!!!!!!
set OSVERSION=WCE420
set PLATFORM=STANDARDSDK
set WCEROOT=C:\Program Files\MSEVC4
set SDKROOT=C:\Program Files\Microsoft SDKs
:: !!!!!!!!!!!!!!!!!!
:: END CUSTOMIZATION
:: !!!!!!!!!!!!!!!!!!
:: Define TARGET CPU
:: -----------------
:: define "new" target (useful if one wants to compile for various WCE target CPUs)
if "%1"=="" echo "USAGE : makece TARGETCPU other_make_options..."
if "%1"=="" echo "TARGETCPU=(ARMV4|ARMV4I|ARMV4T|MIPS16|MIPSII|MIPSII_FP|MIPSIV|MIPSIV_FP|SH3|SH4|X86), other cpu: see bat scripts in evc/bin"
if "%1"=="" echo "!!! do not hesitate to adapt evc.mak for CPU and/or better compilation flags !!!"
if "%1"=="" exit /B
:: old code to default to ARMV4, but it is better that users are WARNED that the script now need an explicit target!
::if "%1"=="" set NEWTGTCPU=ARMV4
if NOT DEFINED TARGETCPU set TARGETCPU=XXXXX
if NOT "%1"=="" set NEWTGTCPU=%1
if NOT "%1"=="" shift
echo WCE TARGET CPU is %NEWTGTCPU%
rem Adjust MS EVC env vars
rem ----------------------
rem Check MSenv vars against our ref values
set isenvok=0
if "%NEWTGTCPU%"=="%TARGETCPU%" set /A "isenvok+=1"
if %isenvok%==1 echo WCE ENVIRONMENT OK
if %isenvok%==1 goto envisok
:: useless since separated tgt folders
::echo WCE TARGET CPU changed, destroying every obj files
::del .\*.obj
:: if env is NOT ok, adjust MS EVC env vars to be used by MS WCE<CPU>.BAT
:: (this is to avoid repetitive pollution of PATH)
echo WCE ENVIRONMENT ADJUSTED
:: call "%WCEROOT%\EVC\WCE420\BIN\WCE%NEWTGTCPU%.BAT"
call "%WCEROOT%\EVC\%OSVERSION%\bin\WCE%NEWTGTCPU%.BAT"
set TARGETCPU=%NEWTGTCPU%
:envisok
::exit /B
rem make everything
rem ---------------
nmake /NOLOGO -f evc.mak %1 %2 %3 %4 %5 %6 %7 %8 %9

45
src/makew32.bat Normal file
View File

@ -0,0 +1,45 @@
@echo off
TITLE W32 STUNNEL
::pdelaage 20101026: for use with MS VCexpress 2008 (v9)
::some trick to avoid re-pollution of env vars as much as possible
:: In multitarget compilation environment, it is better to open a new cmd.exe window
:: to avoid pollution of PATH from, eg, some previous WCE compilation attempts.
set NEWTGTCPU=W32
rem Adjust MS VC env vars
rem ---------------------
rem Check MSenv vars against our ref values
set isenvok=0
if NOT DEFINED TARGETCPU set TARGETCPU=XXXXX
if "%NEWTGTCPU%"=="%TARGETCPU%" set /A "isenvok+=1"
if %isenvok%==1 echo W32 ENVIRONMENT OK
if %isenvok%==1 goto envisok
:: useless since separated tgt folders
::echo W32 TARGET CPU changed, destroying every obj files
::del .\*.obj
:: if env is NOT ok, adjust MS VC env vars to be used by MS VC
:: (this is to avoid repetitive pollution of PATH)
echo W32 ENVIRONMENT ADJUSTED
:: reset of INCLUDE needed because of accumulation of includes in vcvars32
set INCLUDE=
call "C:\Program Files\Microsoft Visual Studio 9.0\VC\bin\vcvars32.bat"
set TARGETCPU=%NEWTGTCPU%
:envisok
rem make everything
rem ---------------
nmake.exe -f vc.mak %1 %2 %3 %4 %5 %6 %7 %8 %9

162
src/mingw.mak Normal file
View File

@ -0,0 +1,162 @@
# Simple Makefile.w32 for stunnel.exe by Michal Trojnara 1998-2007
#
# Modified by Brian Hatch (bri@stunnel.org)
# 20101030 pdelaage:
# + multi-HOST management (if used on Windows host or Linux Host)
# + lack of gnu-win32 (rm) detection
# note: rm is used INTERNALLY by gcc for deletion if intermediate files.
# This makefile is only tested on the mingw compiler. Mingw can successfully
# compile both openssl and stunnel. If you want to use another compiler, give
# it a shot, and tell us how it went.
# pdelaage : THIS makefile can be used with mingw-make on Windows or gnu make
# on Linux, to produce the Win32 version of stunnel (target is win32). It
# requires, on Windows, the use of gnu-win32 tools: rm, mkdir, rmdir that
# manages files and dirs BOTH on linux and Windows with / as path separator.
# Note: Native windows equivalent, del and mkdir/rmdir, badly manage / and \,
# so they cannot be used here.
# On Windows host, download:
# http://gnuwin32.sourceforge.net/downlinks/coreutils.php
# if you have forgotten this, this makefile will remind you...
# Modify this to point to your actual openssl compile directory
# (You did already compile openssl, didn't you???)
SSLDIR=../openssl-1.0.0f
#SSLDIR=C:/Users/standard/Documents/Dvts/Contrib/openssl/v1.0.0c/patched3
# c:\, backslash is not correctly recognized by mingw32-make, produces some
# "missing separator" issue.
# pdelaage: simple trick to detect if we are using mingw-gcc on a Windows host,
# or on a linux host. windir is a system environment variable on windows NT
# and above, and then redefine some macros.
# note: ifdef is !IFDEF in MS nmake or Borland make.
# $(info is !MESSAGE in MS nmake or Borland make.
ifdef windir
$(info host machine is a Windows machine )
NULLDEV=NUL
MKDIR="C:\Program Files\GnuWin32\bin\mkdir.exe"
DELFILES="C:\Program Files\GnuWin32\bin\rm.exe" -f
DELDIR="C:\Program Files\GnuWin32\bin\rm.exe" -rf
else
$(info host machine is a linux machine )
NULLDEV=/dev/null
MKDIR=mkdir
DELFILES=rm -f
DELDIR=rm -rf
endif
TARGETCPU=MGW32
SRC=../src
OBJROOT=../obj
OBJ=$(OBJROOT)/$(TARGETCPU)
BINROOT=../bin
BIN=$(BINROOT)/$(TARGETCPU)
OBJS=$(OBJ)/stunnel.o $(OBJ)/ssl.o $(OBJ)/ctx.o $(OBJ)/verify.o \
$(OBJ)/file.o $(OBJ)/client.o $(OBJ)/protocol.o $(OBJ)/sthreads.o \
$(OBJ)/log.o $(OBJ)/options.o $(OBJ)/network.o $(OBJ)/resolver.o \
$(OBJ)/gui.o $(OBJ)/resources.o $(OBJ)/str.o $(OBJ)/fd.o
CC=gcc
RC=windres
# pdelaage note: as a workaround for windres bug on resources.rc, equivalent to
# "use a temp file instead of popen" option between cpp and windres!
RCP=gcc -E -xc-header -DRC_INVOKED
DEFINES=-D_WIN32_WINNT=0x0501
# some preprocessing debug : $(info DEFINES is $(DEFINES) )
#CFLAGS=-g -O2 -Wall $(DEFINES) -I$(SSLDIR)/outinc
#pdelaage : outinc not correct, it is inc32!
CFLAGS=-g -O2 -Wall $(DEFINES) -I$(SSLDIR)/inc32
# RFLAGS, note of pdelaage: windres accepts -fo for compatibility with ms tools
# default options : -J rc -O coff, input rc file, output coff file.
RFLAGS=-v --use-temp-file $(DEFINES)
# following RFLAGS2 useful if one day use-temp-file does not exist anymore
RFLAGS2=-v $(DEFINES)
LDFLAGS=-s
# LIBS=-L$(SSLDIR)/out -lssl -lcrypto -lwsock32 -lgdi32 -lcrypt32
#20101030 pdelaage fix winsock2 and BAD sslpath ! LIBS=-L$(SSLDIR)/out -lzdll -leay32 -lssl32 -lwsock32 -lgdi32 -lcrypt32
# added libeay instead of eay, ssleay instead of ssl32, suppressed zdll useless.
LIBS=-L$(SSLDIR)/out32dll -lssleay32 -llibeay32 -lws2_32 -lpsapi -lgdi32 -lcrypt32
# IMPORTANT pdelaage : restore this if you need (but I do not see why) -lzdll
$(OBJ)/%.o: $(SRC)/%.c
$(CC) $(CFLAGS) -o$@ -c $<
$(OBJ)/%.o: $(SRC)/%.cpp
$(CC) $(CFLAGS) -o$@ -c $<
$(OBJ)/%.o: $(SRC)/%.rc
$(RC) $(RFLAGS) -o$@ $<
# pdelaage : trick for windres preprocessing popen bug on Windows, in case the windres option
# use_temp_file disappear one day...
# comment out the $(RC) rule above to activate the following
$(OBJ)/%.rcp: $(SRC)/%.rc
$(RCP) $(DEFINES) -o$@ $<
$(OBJ)/%.o: $(OBJ)/%.rcp
$(RC) $(RFLAGS2) -o$@ $<
# Note : gnu-make will automatically RM the intermediate "rcp" file
# BUT it will ABSOLUTELY NEED the "rm" command available : not a problem on linux
# but on a windows dev host machine, one will need to install gnu-win32/rm command
# in the system...
# for debug of the preprocessed rcp file, because it is automatically deleted by gnu-make: cp $< $<.2
all: testenv makedirs $(BIN)/stunnel.exe
#pdelaage : testenv purpose is to detect, on windows, whether Gnu-win32 has been properly installed...
# a first call to "true" is made to detect availability, a second is made to stop the make process.
ifdef windir
testenv:
-@ echo OFF
-@ true >$(NULLDEV) 2>&1 || echo You MUST install Gnu-Win32 coreutils \
from http://gnuwin32.sourceforge.net/downlinks/coreutils.php \
and set PATH to include C:\Program Files\GnuWin32\bin
@true >$(NULLDEV) 2>&1
else
testenv:
-@ true >$(NULLDEV) 2>&1 || echo Your system lacks Gnu coreutils tools !!!
@true >$(NULLDEV) 2>&1
endif
clean:
-@ $(DELFILES) $(OBJ)/*.o
-@ $(DELFILES) $(BIN)/stunnel.exe >$(NULLDEV) 2>&1
-@ $(DELDIR) $(OBJ) >$(NULLDEV) 2>&1
-@ $(DELDIR) $(BIN) >$(NULLDEV) 2>&1
makedirs:
-@ $(MKDIR) $(OBJROOT) >$(NULLDEV) 2>&1
-@ $(MKDIR) $(OBJ) >$(NULLDEV) 2>&1
-@ $(MKDIR) $(BINROOT) >$(NULLDEV) 2>&1
-@ $(MKDIR) $(BIN) >$(NULLDEV) 2>&1
# pseudo-target for RC-preprocessor debugging
# result appears OK, as a text file
faketest:
gcc -E -xc-header -DRC_INVOKED $(DEFINES) -o $(SRC)/resources.rcp $(SRC)/resources.rc
$(OBJS): *.h mingw.mak
$(BIN)/stunnel.exe: $(OBJS)
$(CC) $(LDFLAGS) -o $(BIN)/stunnel.exe $(OBJS) $(LIBS) -mwindows
# "missing separator" issue with mingw32-make: tabs MUST BE TABS in your text
# editor, and not set of spaces even if your development host is windows.
# Some \ are badly tolerated by mingw32-make "!" directives, eg as !IF,
# accepted in MS nmake and Borland make ARE NOT supported by gnu make but they
# all have their equivalents.
# Gnu-make is case sensitive, while ms nmake or borland make are not. Anyway,
# on reference to env vars nmake convert env vars to UPPERCASE macro names...

686
src/network.c Normal file
View File

@ -0,0 +1,686 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
/* #define DEBUG_UCONTEXT */
/**************************************** s_poll functions */
#ifdef USE_POLL
s_poll_set *s_poll_alloc() {
/* it needs to be filled with zeros */
return str_alloc(sizeof(s_poll_set));
}
void s_poll_free(s_poll_set *fds) {
if(fds) {
if(fds->ufds)
str_free(fds->ufds);
str_free(fds);
}
}
void s_poll_init(s_poll_set *fds) {
fds->nfds=0;
fds->allocated=4; /* prealloc 4 file desciptors */
fds->ufds=str_realloc(fds->ufds, fds->allocated*sizeof(struct pollfd));
}
void s_poll_add(s_poll_set *fds, int fd, int rd, int wr) {
unsigned int i;
for(i=0; i<fds->nfds && fds->ufds[i].fd!=fd; i++)
;
if(i==fds->nfds) {
if(i==fds->allocated) {
fds->allocated=i+1;
fds->ufds=str_realloc(fds->ufds, fds->allocated*sizeof(struct pollfd));
}
fds->ufds[i].fd=fd;
fds->ufds[i].events=0;
fds->nfds++;
}
if(rd)
fds->ufds[i].events|=POLLIN;
if(wr)
fds->ufds[i].events|=POLLOUT;
}
int s_poll_canread(s_poll_set *fds, int fd) {
unsigned int i;
for(i=0; i<fds->nfds; i++)
if(fds->ufds[i].fd==fd)
return fds->ufds[i].revents&(POLLIN|POLLHUP); /* read or closed */
return 0;
}
int s_poll_canwrite(s_poll_set *fds, int fd) {
unsigned int i;
for(i=0; i<fds->nfds; i++)
if(fds->ufds[i].fd==fd)
return fds->ufds[i].revents&POLLOUT; /* it is possible to write */
return 0;
}
int s_poll_error(s_poll_set *fds, FD *s) {
unsigned int i;
if(!s->is_socket)
return 0;
for(i=0; i<fds->nfds; i++)
if(fds->ufds[i].fd==s->fd)
return fds->ufds[i].revents&(POLLERR|POLLNVAL) ?
get_socket_error(s->fd) : 0;
return 0;
}
#ifdef USE_UCONTEXT
/* move ready contexts from waiting queue to ready queue */
static void scan_waiting_queue(void) {
int retval;
CONTEXT *context, *prev;
int min_timeout;
unsigned int nfds, i;
time_t now;
static unsigned int max_nfds=0;
static struct pollfd *ufds=NULL;
time(&now);
/* count file descriptors */
min_timeout=-1;
nfds=0;
for(context=waiting_head; context; context=context->next) {
nfds+=context->fds->nfds;
if(context->finish>=0) /* finite time */
if(min_timeout<0 || min_timeout>context->finish-now)
min_timeout=context->finish-now<0 ? 0 : context->finish-now;
}
/* setup ufds structure */
if(nfds>max_nfds) { /* need to allocate more memory */
ufds=str_realloc(ufds, nfds*sizeof(struct pollfd));
max_nfds=nfds;
}
nfds=0;
for(context=waiting_head; context; context=context->next)
for(i=0; i<context->fds->nfds; i++) {
ufds[nfds].fd=context->fds->ufds[i].fd;
ufds[nfds].events=context->fds->ufds[i].events;
nfds++;
}
#ifdef DEBUG_UCONTEXT
s_log(LOG_DEBUG, "Waiting %d second(s) for %d file descriptor(s)",
min_timeout, nfds);
#endif
do { /* skip "Interrupted system call" errors */
retval=poll(ufds, nfds, min_timeout<0 ? -1 : 1000*min_timeout);
} while(retval<0 && get_last_socket_error()==S_EINTR);
time(&now);
/* process the returned data */
nfds=0;
prev=NULL; /* previous element of the waiting queue */
context=waiting_head;
while(context) {
context->ready=0;
/* count ready file descriptors in each context */
for(i=0; i<context->fds->nfds; i++) {
context->fds->ufds[i].revents=ufds[nfds].revents;
#ifdef DEBUG_UCONTEXT
s_log(LOG_DEBUG, "CONTEXT %ld, FD=%d,%s%s ->%s%s%s%s%s",
context->id, ufds[nfds].fd,
ufds[nfds].events & POLLIN ? " IN" : "",
ufds[nfds].events & POLLOUT ? " OUT" : "",
ufds[nfds].revents & POLLIN ? " IN" : "",
ufds[nfds].revents & POLLOUT ? " OUT" : "",
ufds[nfds].revents & POLLERR ? " ERR" : "",
ufds[nfds].revents & POLLHUP ? " HUP" : "",
ufds[nfds].revents & POLLNVAL ? " NVAL" : "");
#endif
if(ufds[nfds].revents)
context->ready++;
nfds++;
}
if(context->ready || (context->finish>=0 && context->finish<=now)) {
/* remove context from the waiting queue */
if(prev)
prev->next=context->next;
else
waiting_head=context->next;
if(!context->next) /* same as context==waiting_tail */
waiting_tail=prev;
/* append context context to the ready queue */
context->next=NULL;
if(ready_tail)
ready_tail->next=context;
ready_tail=context;
if(!ready_head)
ready_head=context;
} else { /* leave the context context in the waiting queue */
prev=context;
}
context=prev ? prev->next : waiting_head;
}
}
int s_poll_wait(s_poll_set *fds, int sec, int msec) {
CONTEXT *context; /* current context */
static CONTEXT *to_free=NULL; /* delayed memory deallocation */
/* FIXME: msec parameter is currently ignored with UCONTEXT threads */
(void)msec; /* skip warning about unused parameter */
/* remove the current context from ready queue */
context=ready_head;
ready_head=ready_head->next;
if(!ready_head) /* the queue is empty */
ready_tail=NULL;
/* it it safe to s_log() after new ready_head is set */
/* it's illegal to deallocate the stack of the current context */
if(to_free) { /* a delayed deallocation is scheduled */
#ifdef DEBUG_UCONTEXT
s_log(LOG_DEBUG, "Releasing context %ld", to_free->id);
#endif
str_free(to_free->stack);
str_free(to_free);
to_free=NULL;
}
/* manage the current thread */
if(fds) { /* something to wait for -> swap the context */
context->fds=fds; /* set file descriptors to wait for */
context->finish=sec<0 ? -1 : time(NULL)+sec;
/* append the current context to the waiting queue */
context->next=NULL;
if(waiting_tail)
waiting_tail->next=context;
waiting_tail=context;
if(!waiting_head)
waiting_head=context;
} else { /* nothing to wait for -> drop the context */
to_free=context; /* schedule for delayed deallocation */
}
while(!ready_head) /* wait until there is a thread to switch to */
scan_waiting_queue();
/* switch threads */
if(fds) { /* swap the current context */
if(context->id!=ready_head->id) {
#ifdef DEBUG_UCONTEXT
s_log(LOG_DEBUG, "Context swap: %ld -> %ld",
context->id, ready_head->id);
#endif
swapcontext(&context->context, &ready_head->context);
#ifdef DEBUG_UCONTEXT
s_log(LOG_DEBUG, "Current context: %ld", ready_head->id);
#endif
}
return ready_head->ready;
} else { /* drop the current context */
#ifdef DEBUG_UCONTEXT
s_log(LOG_DEBUG, "Context set: %ld (dropped) -> %ld",
context->id, ready_head->id);
#endif
setcontext(&ready_head->context);
ioerror("setcontext"); /* should not ever happen */
return 0;
}
}
#else /* USE_UCONTEXT */
int s_poll_wait(s_poll_set *fds, int sec, int msec) {
int retval;
do { /* skip "Interrupted system call" errors */
retval=poll(fds->ufds, fds->nfds, sec<0 ? -1 : 1000*sec+msec);
} while(retval<0 && get_last_socket_error()==S_EINTR);
return retval;
}
#endif /* USE_UCONTEXT */
#else /* select */
s_poll_set *s_poll_alloc() {
/* it needs to be filled with zeros */
return str_alloc(sizeof(s_poll_set));
}
void s_poll_free(s_poll_set *fds) {
if(fds)
str_free(fds);
}
void s_poll_init(s_poll_set *fds) {
FD_ZERO(&fds->irfds);
FD_ZERO(&fds->iwfds);
FD_ZERO(&fds->ixfds);
fds->max=0; /* no file descriptors */
}
void s_poll_add(s_poll_set *fds, int fd, int rd, int wr) {
if(rd)
FD_SET((unsigned int)fd, &fds->irfds);
if(wr)
FD_SET((unsigned int)fd, &fds->iwfds);
/* always expect errors (and the Spanish Inquisition) */
FD_SET((unsigned int)fd, &fds->ixfds);
if(fd>fds->max)
fds->max=fd;
}
int s_poll_canread(s_poll_set *fds, int fd) {
return FD_ISSET(fd, &fds->orfds);
}
int s_poll_canwrite(s_poll_set *fds, int fd) {
return FD_ISSET(fd, &fds->owfds);
}
int s_poll_error(s_poll_set *fds, FD *s) {
if(!s->is_socket)
return 0; /* getsockopt is only available on sockets */
/* error conditions are signaled as read, but apparently *not* in Winsock:
* http://msdn.microsoft.com/en-us/library/windows/desktop/ms737625%28v=vs.85%29.aspx */
if(!(FD_ISSET(s->fd, &fds->orfds) || FD_ISSET(s->fd, &fds->oxfds)))
return 0;
return get_socket_error(s->fd); /* check if it's really an error */
}
int s_poll_wait(s_poll_set *fds, int sec, int msec) {
int retval;
struct timeval tv, *tv_ptr;
do { /* skip "Interrupted system call" errors */
memcpy(&fds->orfds, &fds->irfds, sizeof(fd_set));
memcpy(&fds->owfds, &fds->iwfds, sizeof(fd_set));
memcpy(&fds->oxfds, &fds->ixfds, sizeof(fd_set));
if(sec<0) { /* infinite timeout */
tv_ptr=NULL;
} else {
tv.tv_sec=sec;
tv.tv_usec=1000*msec;
tv_ptr=&tv;
}
retval=select(fds->max+1, &fds->orfds, &fds->owfds, &fds->oxfds, tv_ptr);
} while(retval<0 && get_last_socket_error()==S_EINTR);
return retval;
}
#endif /* USE_POLL */
/**************************************** fd management */
int set_socket_options(int s, int type) {
SOCK_OPT *ptr;
extern SOCK_OPT sock_opts[];
static char *type_str[3]={"accept", "local", "remote"};
int opt_size;
int retval=0; /* no error found */
for(ptr=sock_opts; ptr->opt_str; ptr++) {
if(!ptr->opt_val[type])
continue; /* default */
switch(ptr->opt_type) {
case TYPE_LINGER:
opt_size=sizeof(struct linger);
break;
case TYPE_TIMEVAL:
opt_size=sizeof(struct timeval);
break;
case TYPE_STRING:
opt_size=strlen(ptr->opt_val[type]->c_val)+1;
break;
default:
opt_size=sizeof(int);
}
if(setsockopt(s, ptr->opt_level, ptr->opt_name,
(void *)ptr->opt_val[type], opt_size)) {
if(get_last_socket_error()==S_EOPNOTSUPP) {
/* most likely stdin/stdout or AF_UNIX socket */
s_log(LOG_DEBUG,
"Option %s not supported on %s socket",
ptr->opt_str, type_str[type]);
} else {
sockerror(ptr->opt_str);
retval=-1; /* failed to set this option */
}
}
#ifdef DEBUG_FD_ALLOC
else {
s_log(LOG_DEBUG, "Option %s set on %s socket",
ptr->opt_str, type_str[type]);
}
#endif /* DEBUG_FD_ALLOC */
}
return retval; /* returns 0 when all options succeeded */
}
int get_socket_error(const int fd) {
int err;
socklen_t optlen=sizeof err;
if(getsockopt(fd, SOL_SOCKET, SO_ERROR, (void *)&err, &optlen))
err=get_last_socket_error(); /* failed -> ask why */
return err;
}
/**************************************** simulate blocking I/O */
int connect_blocking(CLI *c, SOCKADDR_UNION *addr, socklen_t addrlen) {
int error;
char *dst;
dst=s_ntop(addr, addrlen);
s_log(LOG_INFO, "connect_blocking: connecting %s", dst);
if(!connect(c->fd, &addr->sa, addrlen)) {
s_log(LOG_NOTICE, "connect_blocking: connected %s", dst);
str_free(dst);
return 0; /* no error -> success (on some OSes over the loopback) */
}
error=get_last_socket_error();
if(error!=S_EINPROGRESS && error!=S_EWOULDBLOCK) {
s_log(LOG_ERR, "connect_blocking: connect %s: %s (%d)",
dst, s_strerror(error), error);
str_free(dst);
return -1;
}
s_log(LOG_DEBUG, "connect_blocking: s_poll_wait %s: waiting %d seconds",
dst, c->opt->timeout_connect);
s_poll_init(c->fds);
s_poll_add(c->fds, c->fd, 1, 1);
switch(s_poll_wait(c->fds, c->opt->timeout_connect, 0)) {
case -1:
error=get_last_socket_error();
s_log(LOG_ERR, "connect_blocking: s_poll_wait %s: %s (%d)",
dst, s_strerror(error), error);
str_free(dst);
return -1;
case 0:
s_log(LOG_ERR, "connect_blocking: s_poll_wait %s:"
" TIMEOUTconnect exceeded", dst);
str_free(dst);
return -1;
default:
error=get_socket_error(c->fd);
if(error) {
s_log(LOG_ERR, "connect_blocking: connect %s: %s (%d)",
dst, s_strerror(error), error);
str_free(dst);
return -1;
}
if(s_poll_canwrite(c->fds, c->fd)) {
s_log(LOG_NOTICE, "connect_blocking: connected %s", dst);
str_free(dst);
return 0; /* success */
}
s_log(LOG_ERR, "connect_blocking: s_poll_wait %s: internal error",
dst);
str_free(dst);
return -1;
}
return -1; /* should not be possible */
}
void write_blocking(CLI *c, int fd, void *ptr, int len) {
/* simulate a blocking write */
int num;
while(len>0) {
s_poll_init(c->fds);
s_poll_add(c->fds, fd, 0, 1); /* write */
switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
case -1:
sockerror("write_blocking: s_poll_wait");
longjmp(c->err, 1); /* error */
case 0:
s_log(LOG_INFO, "write_blocking: s_poll_wait:"
" TIMEOUTbusy exceeded: sending reset");
longjmp(c->err, 1); /* timeout */
case 1:
break; /* OK */
default:
s_log(LOG_ERR, "write_blocking: s_poll_wait: unknown result");
longjmp(c->err, 1); /* error */
}
num=writesocket(fd, ptr, len);
switch(num) {
case -1: /* error */
sockerror("writesocket (write_blocking)");
longjmp(c->err, 1);
}
ptr=(u8 *)ptr+num;
len-=num;
}
}
void read_blocking(CLI *c, int fd, void *ptr, int len) {
/* simulate a blocking read */
int num;
while(len>0) {
s_poll_init(c->fds);
s_poll_add(c->fds, fd, 1, 0); /* read */
switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
case -1:
sockerror("read_blocking: s_poll_wait");
longjmp(c->err, 1); /* error */
case 0:
s_log(LOG_INFO, "read_blocking: s_poll_wait:"
" TIMEOUTbusy exceeded: sending reset");
longjmp(c->err, 1); /* timeout */
case 1:
break; /* OK */
default:
s_log(LOG_ERR, "read_blocking: s_poll_wait: unknown result");
longjmp(c->err, 1); /* error */
}
num=readsocket(fd, ptr, len);
switch(num) {
case -1: /* error */
sockerror("readsocket (read_blocking)");
longjmp(c->err, 1);
case 0: /* EOF */
s_log(LOG_ERR, "Unexpected socket close (read_blocking)");
longjmp(c->err, 1);
}
ptr=(u8 *)ptr+num;
len-=num;
}
}
void fd_putline(CLI *c, int fd, const char *line) {
char *tmpline;
const char crlf[]="\r\n";
int len;
tmpline=str_printf("%s%s", line, crlf);
len=strlen(tmpline);
write_blocking(c, fd, tmpline, len);
tmpline[len-2]='\0'; /* remove CRLF */
safestring(tmpline);
s_log(LOG_DEBUG, " -> %s", tmpline);
str_free(tmpline);
}
char *fd_getline(CLI *c, int fd) {
char *line=NULL, *tmpline;
int ptr=0;
for(;;) {
s_poll_init(c->fds);
s_poll_add(c->fds, fd, 1, 0); /* read */
switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
case -1:
sockerror("fd_getline: s_poll_wait");
str_free(line);
longjmp(c->err, 1); /* error */
case 0:
s_log(LOG_INFO, "fd_getline: s_poll_wait:"
" TIMEOUTbusy exceeded: sending reset");
str_free(line);
longjmp(c->err, 1); /* timeout */
case 1:
break; /* OK */
default:
s_log(LOG_ERR, "fd_getline: s_poll_wait: Unknown result");
str_free(line);
longjmp(c->err, 1); /* error */
}
line=str_realloc(line, ptr+1);
switch(readsocket(fd, line+ptr, 1)) {
case -1: /* error */
sockerror("fd_getline: readsocket");
str_free(line);
longjmp(c->err, 1);
case 0: /* EOF */
s_log(LOG_ERR, "fd_getline: Unexpected socket close");
str_free(line);
longjmp(c->err, 1);
}
if(line[ptr]=='\r')
continue;
if(line[ptr]=='\n')
break;
if(line[ptr]=='\0')
break;
if(++ptr>65536) { /* >64KB --> DoS protection */
s_log(LOG_ERR, "fd_getline: Line too long");
str_free(line);
longjmp(c->err, 1);
}
}
line[ptr]='\0';
tmpline=str_dup(line);
safestring(tmpline);
s_log(LOG_DEBUG, " <- %s", tmpline);
str_free(tmpline);
return line;
}
void fd_printf(CLI *c, int fd, const char *format, ...) {
va_list ap;
char *line;
va_start(ap, format);
line=str_vprintf(format, ap);
va_end(ap);
if(!line) {
s_log(LOG_ERR, "fd_printf: str_vprintf failed");
longjmp(c->err, 1);
}
fd_putline(c, fd, line);
str_free(line);
}
#define INET_SOCKET_PAIR
int make_sockets(int fd[2]) { /* make a pair of connected ipv4 sockets */
#ifdef INET_SOCKET_PAIR
struct sockaddr_in addr;
socklen_t addrlen;
int s; /* temporary socket awaiting for connection */
/* create two *blocking* sockets first */
s=s_socket(AF_INET, SOCK_STREAM, 0, 0, "make_sockets: s_socket#1");
if(s<0) {
return 1;
}
fd[1]=s_socket(AF_INET, SOCK_STREAM, 0, 0, "make_sockets: s_socket#2");
if(fd[1]<0) {
closesocket(s);
return 1;
}
addrlen=sizeof addr;
memset(&addr, 0, addrlen);
addr.sin_family=AF_INET;
addr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);
addr.sin_port=htons(0); /* dynamic port allocation */
if(bind(s, (struct sockaddr *)&addr, addrlen))
log_error(LOG_DEBUG, get_last_socket_error(), "make_sockets: bind#1");
if(bind(fd[1], (struct sockaddr *)&addr, addrlen))
log_error(LOG_DEBUG, get_last_socket_error(), "make_sockets: bind#2");
if(listen(s, 1)) {
sockerror("make_sockets: listen");
closesocket(s);
closesocket(fd[1]);
return 1;
}
if(getsockname(s, (struct sockaddr *)&addr, &addrlen)) {
sockerror("make_sockets: getsockname");
closesocket(s);
closesocket(fd[1]);
return 1;
}
if(connect(fd[1], (struct sockaddr *)&addr, addrlen)) {
sockerror("make_sockets: connect");
closesocket(s);
closesocket(fd[1]);
return 1;
}
fd[0]=s_accept(s, (struct sockaddr *)&addr, &addrlen, 1,
"make_sockets: s_accept");
if(fd[0]<0) {
closesocket(s);
closesocket(fd[1]);
return 1;
}
closesocket(s); /* don't care about the result */
set_nonblock(fd[0], 1);
set_nonblock(fd[1], 1);
#else
if(s_socketpair(AF_UNIX, SOCK_STREAM, 0, fd, 1, "make_sockets: socketpair"))
return 1;
#endif
return 0;
}
/* end of network.c */

63
src/nogui.c Normal file
View File

@ -0,0 +1,63 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
int main(int argc, char *argv[]) {
static struct WSAData wsa_state;
if(WSAStartup(MAKEWORD(1, 1), &wsa_state))
return 1;
main_initialize();
if(main_configure(argc>1 ? argv[1] : NULL, argc>2 ? argv[2] : NULL))
return 1;
main_execute();
return 0;
}
int passwd_cb(char *buf, int size, int rwflag, void *userdata) {
return 0; /* not implemented */
}
#ifdef HAVE_OSSL_ENGINE_H
int pin_cb(UI *ui, UI_STRING *uis) {
return 0; /* not implemented */
}
#endif
/* end of nogui.c */

2407
src/options.c Normal file
View File

File diff suppressed because it is too large Load Diff

76
src/os2.mak Normal file
View File

@ -0,0 +1,76 @@
prefix=.
DEFS = -DPACKAGE_NAME=\"stunnel\" \
-DPACKAGE_TARNAME=\"stunnel\" \
-DPACKAGE_VERSION=\"4.53\" \
-DPACKAGE_STRING=\"stunnel\ 4.53\" \
-DPACKAGE_BUGREPORT=\"\" \
-DPACKAGE=\"stunnel\" \
-DVERSION=\"4.53\" \
-DSTDC_HEADERS=1 \
-DHAVE_SYS_TYPES_H=1 \
-DHAVE_SYS_STAT_H=1 \
-DHAVE_STDLIB_H=1 \
-DHAVE_STRING_H=1 \
-DHAVE_MEMORY_H=1 \
-DHAVE_STRINGS_H=1 \
-DHAVE_UNISTD_H=1 \
-DHAVE_OSSL_ENGINE_H=1 \
-DSSLDIR=\"/usr\" \
-DHOST=\"i386-pc-os2-emx\" \
-DHAVE_LIBSOCKET=1 \
-DHAVE_GRP_H=1 \
-DHAVE_UNISTD_H=1 \
-DHAVE_SYS_SELECT_H=1 \
-DHAVE_SYS_IOCTL_H=1 \
-DHAVE_SYS_RESOURCE_H=1 \
-DHAVE_SNPRINTF=1 \
-DHAVE_VSNPRINTF=1 \
-DHAVE_WAITPID=1 \
-DHAVE_SYSCONF=1 \
-DHAVE_ENDHOSTENT=1 \
-DUSE_OS2=1 \
-DSIZEOF_UNSIGNED_CHAR=1 \
-DSIZEOF_UNSIGNED_SHORT=2 \
-DSIZEOF_UNSIGNED_INT=4 \
-DSIZEOF_UNSIGNED_LONG=4 \
-DLIBDIR=\"$(prefix)/lib\" \
-DCONFDIR=\"$(prefix)/etc\" \
-DPIDFILE=\"$(prefix)/stunnel.pid\"
CC = gcc
.SUFFIXES = .c .o
OPENSSLDIR = u:/extras
#SYSLOGDIR = /unixos2/workdir/syslog
INCLUDES = -I$(OPENSSLDIR)/outinc
LIBS = -lsocket -L$(OPENSSLDIR)/out -lssl -lcrypto -lz -lsyslog
OBJS = file.o client.o log.o options.o protocol.o network.o ssl.o ctx.o verify.o sthreads.o stunnel.o pty.o resolver.o str.o fd.o
LIBDIR = .
CFLAGS = -O2 -Wall -Wshadow -Wcast-align -Wpointer-arith
all: stunnel.exe
stunnel.exe: $(OBJS)
$(CC) -Zmap $(CFLAGS) -o $@ $(OBJS) $(LIBS)
.c.o:
$(CC) $(CFLAGS) $(DEFS) $(INCLUDES) -o $@ -c $<
client.o: client.c common.h prototypes.h
#env.o: env.c common.h prototypes.h
#gui.o: gui.c common.h prototypes.h
file.o: file.c common.h prototypes.h
network.o: network.c common.h prototypes.h
options.o: options.c common.h prototypes.h
protocol.o: protocol.c common.h prototypes.h
pty.o: pty.c common.h prototypes.h
ssl.o: ssl.c common.h prototypes.h
ctx.o: ctx.c common.h prototypes.h
verify.o: verify.c common.h prototypes.h
sthreads.o: sthreads.c common.h prototypes.h
stunnel.o: stunnel.c common.h prototypes.h
resolver.o: resolver.c common.h prototypes.h
str.o: str.c common.h prototypes.h
fd.o: fd.c common.h prototypes.h
clean:
rm -f *.o *.exe

747
src/protocol.c Normal file
View File

@ -0,0 +1,747 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
#define isprefix(a, b) (strncasecmp((a), (b), strlen(b))==0)
/* protocol-specific function prototypes */
static void proxy_server(CLI *c);
static void cifs_client(CLI *);
static void cifs_server(CLI *);
static void pgsql_client(CLI *);
static void pgsql_server(CLI *);
static void smtp_client(CLI *);
static void smtp_server(CLI *);
static void pop3_client(CLI *);
static void pop3_server(CLI *);
static void imap_client(CLI *);
static void imap_server(CLI *);
static void nntp_client(CLI *);
static void connect_server(CLI *);
static void connect_client(CLI *);
#if !defined(OPENSSL_NO_MD4) && OPENSSL_VERSION_NUMBER>=0x0090700fL
static void ntlm(CLI *);
static char *ntlm1();
static char *ntlm3(char *, char *, char *);
static void crypt_DES(DES_cblock, DES_cblock, DES_cblock);
#endif
static char *base64(int, char *, int);
/**************************************** framework */
typedef void (*FUNCTION)(CLI *);
static const struct {
char *name;
struct {
PROTOCOL_TYPE type;
FUNCTION func;
} handlers[2];
} protocols[]={
{"proxy", {{PROTOCOL_PRE_SSL, proxy_server}, {PROTOCOL_PRE_SSL, NULL}}},
{"cifs", {{PROTOCOL_PRE_CONNECT, cifs_server}, {PROTOCOL_PRE_SSL, cifs_client}}},
{"pgsql", {{PROTOCOL_PRE_CONNECT, pgsql_server}, {PROTOCOL_PRE_SSL, pgsql_client}}},
{"smtp", {{PROTOCOL_PRE_SSL, smtp_server}, {PROTOCOL_PRE_SSL, smtp_client}}},
{"pop3", {{PROTOCOL_PRE_SSL, pop3_server}, {PROTOCOL_PRE_SSL, pop3_client}}},
{"imap", {{PROTOCOL_PRE_SSL, imap_server}, {PROTOCOL_PRE_SSL, imap_client}}},
{"nntp", {{PROTOCOL_NONE, NULL}, {PROTOCOL_PRE_SSL, nntp_client}}},
{"connect", {{PROTOCOL_PRE_CONNECT, connect_server}, {PROTOCOL_PRE_SSL, connect_client}}},
{NULL, {{PROTOCOL_NONE, NULL}, {PROTOCOL_NONE, NULL}}}
};
int find_protocol_id(const char *name) {
int id;
for(id=0; protocols[id].name; ++id)
if(!strcmp(name, protocols[id].name))
return id;
return -1;
}
void protocol(CLI *c, const PROTOCOL_TYPE type) {
const int id=c->opt->protocol, mode=(unsigned int)c->opt->option.client;
if(id<0 || type!=protocols[id].handlers[mode].type ||
!protocols[id].handlers[mode].func)
return;
s_log(LOG_INFO, "%s-mode %s protocol negotiations started",
mode ? "Client" : "Server", protocols[id].name);
protocols[id].handlers[mode].func(c);
s_log(LOG_INFO, "%s-mode %s protocol negotiations succeeded",
mode ? "Client" : "Server", protocols[id].name);
}
/**************************************** proxy */
/*
* PROXY protocol: http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt
* this is a protocol client support for stunnel acting as an SSL server
* I don't think anything else is useful, but feel free to discuss on the
* stunnel-users mailing list if you disagree
*/
/* IP address textual representation length */
/* 1234:6789:1234:6789:1234:6789:1234:6789 -> 40 chars with '\0' */
#define IP_LEN 40
#define PORT_LEN 6
static void proxy_server(CLI *c) {
SOCKADDR_UNION addr;
socklen_t addrlen;
char src_host[IP_LEN], dst_host[IP_LEN];
char src_port[PORT_LEN], dst_port[PORT_LEN], *proto;
int err;
addrlen=sizeof addr;
if(getpeername(c->local_rfd.fd, &addr.sa, &addrlen)) {
sockerror("getpeername");
longjmp(c->err, 1);
}
err=getnameinfo(&addr.sa, addr_len(&addr), src_host, IP_LEN,
src_port, PORT_LEN, NI_NUMERICHOST|NI_NUMERICSERV);
if(err) {
s_log(LOG_ERR, "getnameinfo: %s", s_gai_strerror(err));
longjmp(c->err, 1);
}
addrlen=sizeof addr;
if(getsockname(c->local_rfd.fd, &addr.sa, &addrlen)) {
sockerror("getsockname");
longjmp(c->err, 1);
}
err=getnameinfo(&addr.sa, addr_len(&addr), dst_host, IP_LEN,
dst_port, PORT_LEN, NI_NUMERICHOST|NI_NUMERICSERV);
if(err) {
s_log(LOG_ERR, "getnameinfo: %s", s_gai_strerror(err));
longjmp(c->err, 1);
}
switch(addr.sa.sa_family) {
case AF_INET:
proto="TCP4";
break;
case AF_INET6:
proto="TCP6";
break;
default: /* AF_UNIX */
proto="UNKNOWN";
}
fd_printf(c, c->remote_fd.fd, "PROXY %s %s %s %s %s",
proto, src_host, dst_host, src_port, dst_port);
}
/**************************************** cifs */
static void cifs_client(CLI *c) {
u8 buffer[5];
u8 request_dummy[4] = {0x81, 0, 0, 0}; /* a zero-length request */
write_blocking(c, c->remote_fd.fd, request_dummy, 4);
read_blocking(c, c->remote_fd.fd, buffer, 5);
if(buffer[0]!=0x83) { /* NB_SSN_NEGRESP */
s_log(LOG_ERR, "Negative response expected");
longjmp(c->err, 1);
}
if(buffer[2]!=0 || buffer[3]!=1) { /* length != 1 */
s_log(LOG_ERR, "Unexpected NetBIOS response size");
longjmp(c->err, 1);
}
if(buffer[4]!=0x8e) { /* use SSL */
s_log(LOG_ERR, "Remote server does not require SSL");
longjmp(c->err, 1);
}
}
static void cifs_server(CLI *c) {
u8 buffer[128];
u8 response_access_denied[5] = {0x83, 0, 0, 1, 0x81};
u8 response_use_ssl[5] = {0x83, 0, 0, 1, 0x8e};
u16 len;
read_blocking(c, c->local_rfd.fd, buffer, 4) ;/* NetBIOS header */
len=buffer[3];
len|=(u16)(buffer[2]) << 8;
if(len>sizeof buffer-4) {
s_log(LOG_ERR, "Received block too long");
longjmp(c->err, 1);
}
read_blocking(c, c->local_rfd.fd, buffer+4, len);
if(buffer[0]!=0x81){ /* NB_SSN_REQUEST */
s_log(LOG_ERR, "Client did not send session setup");
write_blocking(c, c->local_wfd.fd, response_access_denied, 5);
longjmp(c->err, 1);
}
write_blocking(c, c->local_wfd.fd, response_use_ssl, 5);
}
/**************************************** pgsql */
/* http://www.postgresql.org/docs/8.3/static/protocol-flow.html#AEN73982 */
u8 ssl_request[8]={0, 0, 0, 8, 0x04, 0xd2, 0x16, 0x2f};
static void pgsql_client(CLI *c) {
u8 buffer[1];
write_blocking(c, c->remote_fd.fd, ssl_request, sizeof ssl_request);
read_blocking(c, c->remote_fd.fd, buffer, 1);
/* S - accepted, N - rejected, non-SSL preferred */
if(buffer[0]!='S') {
s_log(LOG_ERR, "PostgreSQL server rejected SSL");
longjmp(c->err, 1);
}
}
static void pgsql_server(CLI *c) {
u8 buffer[8], ssl_ok[1]={'S'};
memset(buffer, 0, sizeof buffer);
read_blocking(c, c->local_rfd.fd, buffer, sizeof buffer);
if(memcmp(buffer, ssl_request, sizeof ssl_request)) {
s_log(LOG_ERR, "PostgreSQL client did not request SSL, rejecting");
/* no way to send error on startup, so just drop the client */
longjmp(c->err, 1);
}
write_blocking(c, c->local_wfd.fd, ssl_ok, sizeof ssl_ok);
}
/**************************************** smtp */
static void smtp_client(CLI *c) {
char *line;
do { /* copy multiline greeting */
line=fd_getline(c, c->remote_fd.fd);
fd_putline(c, c->local_wfd.fd, line);
} while(isprefix(line, "220-"));
fd_putline(c, c->remote_fd.fd, "EHLO localhost");
do { /* skip multiline reply */
line=fd_getline(c, c->remote_fd.fd);
} while(isprefix(line, "250-"));
if(!isprefix(line, "250 ")) { /* error */
s_log(LOG_ERR, "Remote server is not RFC 1425 compliant");
longjmp(c->err, 1);
}
fd_putline(c, c->remote_fd.fd, "STARTTLS");
do { /* skip multiline reply */
line=fd_getline(c, c->remote_fd.fd);
} while(isprefix(line, "220-"));
if(!isprefix(line, "220 ")) { /* error */
s_log(LOG_ERR, "Remote server is not RFC 2487 compliant");
longjmp(c->err, 1);
}
}
static void smtp_server(CLI *c) {
char *line;
s_poll_init(c->fds);
s_poll_add(c->fds, c->local_rfd.fd, 1, 0);
switch(s_poll_wait(c->fds, 0, 200)) { /* wait up to 200ms */
case 0: /* fd not ready to read */
s_log(LOG_DEBUG, "RFC 2487 detected");
break;
case 1: /* fd ready to read */
s_log(LOG_DEBUG, "RFC 2487 not detected");
return; /* return if RFC 2487 is not used */
default: /* -1 */
sockerror("RFC2487 (s_poll_wait)");
longjmp(c->err, 1);
}
line=fd_getline(c, c->remote_fd.fd);
if(!isprefix(line, "220")) {
s_log(LOG_ERR, "Unknown server welcome");
longjmp(c->err, 1);
}
fd_printf(c, c->local_wfd.fd, "%s + stunnel", line);
line=fd_getline(c, c->local_rfd.fd);
if(!isprefix(line, "EHLO ")) {
s_log(LOG_ERR, "Unknown client EHLO");
longjmp(c->err, 1);
}
fd_printf(c, c->local_wfd.fd, "250-%s Welcome", line);
fd_putline(c, c->local_wfd.fd, "250 STARTTLS");
line=fd_getline(c, c->local_rfd.fd);
if(!isprefix(line, "STARTTLS")) {
s_log(LOG_ERR, "STARTTLS expected");
longjmp(c->err, 1);
}
fd_putline(c, c->local_wfd.fd, "220 Go ahead");
}
/**************************************** pop3 */
static void pop3_client(CLI *c) {
char *line;
line=fd_getline(c, c->remote_fd.fd);
if(!isprefix(line, "+OK ")) {
s_log(LOG_ERR, "Unknown server welcome");
longjmp(c->err, 1);
}
fd_putline(c, c->local_wfd.fd, line);
fd_putline(c, c->remote_fd.fd, "STLS");
line=fd_getline(c, c->remote_fd.fd);
if(!isprefix(line, "+OK ")) {
s_log(LOG_ERR, "Server does not support TLS");
longjmp(c->err, 1);
}
}
static void pop3_server(CLI *c) {
char *line;
line=fd_getline(c, c->remote_fd.fd);
fd_printf(c, c->local_wfd.fd, "%s + stunnel", line);
line=fd_getline(c, c->local_rfd.fd);
if(isprefix(line, "CAPA")) { /* client wants RFC 2449 extensions */
fd_putline(c, c->local_wfd.fd, "+OK Stunnel capability list follows");
fd_putline(c, c->local_wfd.fd, "STLS");
fd_putline(c, c->local_wfd.fd, ".");
line=fd_getline(c, c->local_rfd.fd);
}
if(!isprefix(line, "STLS")) {
s_log(LOG_ERR, "Client does not want TLS");
longjmp(c->err, 1);
}
fd_putline(c, c->local_wfd.fd, "+OK Stunnel starts TLS negotiation");
}
/**************************************** imap */
static void imap_client(CLI *c) {
char *line;
line=fd_getline(c, c->remote_fd.fd);
if(!isprefix(line, "* OK")) {
s_log(LOG_ERR, "Unknown server welcome");
longjmp(c->err, 1);
}
fd_putline(c, c->local_wfd.fd, line);
fd_putline(c, c->remote_fd.fd, "stunnel STARTTLS");
line=fd_getline(c, c->remote_fd.fd);
if(!isprefix(line, "stunnel OK")) {
fd_putline(c, c->local_wfd.fd,
"* BYE stunnel: Server does not support TLS");
s_log(LOG_ERR, "Server does not support TLS");
longjmp(c->err, 2); /* don't reset */
}
}
static void imap_server(CLI *c) {
char *line, *id, *tail, *capa;
s_poll_init(c->fds);
s_poll_add(c->fds, c->local_rfd.fd, 1, 0);
switch(s_poll_wait(c->fds, 0, 200)) {
case 0: /* fd not ready to read */
s_log(LOG_DEBUG, "RFC 2595 detected");
break;
case 1: /* fd ready to read */
s_log(LOG_DEBUG, "RFC 2595 not detected");
return; /* return if RFC 2595 is not used */
default: /* -1 */
sockerror("RFC2595 (s_poll_wait)");
longjmp(c->err, 1);
}
/* process server welcome and send it to client */
line=fd_getline(c, c->remote_fd.fd);
if(!isprefix(line, "* OK")) {
s_log(LOG_ERR, "Unknown server welcome");
longjmp(c->err, 1);
}
capa=strstr(line, "CAPABILITY");
if(!capa)
capa=strstr(line, "capability");
if(capa)
*capa='K'; /* disable CAPABILITY within greeting */
fd_printf(c, c->local_wfd.fd, "%s (stunnel)", line);
while(1) { /* process client commands */
line=fd_getline(c, c->local_rfd.fd);
/* split line into id and tail */
id=str_dup(line);
tail=strchr(id, ' ');
if(!tail)
break;
*tail++='\0';
if(isprefix(tail, "STARTTLS")) {
fd_printf(c, c->local_wfd.fd,
"%s OK Begin TLS negotiation now", id);
return; /* success */
} else if(isprefix(tail, "CAPABILITY")) {
fd_putline(c, c->remote_fd.fd, line); /* send it to server */
line=fd_getline(c, c->remote_fd.fd); /* get the capabilites */
if(*line=='*') {
/*
* append STARTTLS
* should also add LOGINDISABLED, but can't because
* of Mozilla bug #324138/#312009
* LOGIN would fail as "unexpected command", anyway
*/
fd_printf(c, c->local_wfd.fd, "%s STARTTLS", line);
line=fd_getline(c, c->remote_fd.fd); /* next line */
}
fd_putline(c, c->local_wfd.fd, line); /* forward to the client */
tail=strchr(line, ' ');
if(!tail || !isprefix(tail+1, "OK")) { /* not OK? */
fd_putline(c, c->local_wfd.fd,
"* BYE unexpected server response");
s_log(LOG_ERR, "Unexpected server response: %s", line);
break;
}
} else if(isprefix(tail, "LOGOUT")) {
fd_putline(c, c->local_wfd.fd, "* BYE server terminating");
fd_printf(c, c->local_wfd.fd, "%s OK LOGOUT completed", id);
break;
} else {
fd_putline(c, c->local_wfd.fd, "* BYE stunnel: unexpected command");
fd_printf(c, c->local_wfd.fd, "%s BAD %s unexpected", id, tail);
s_log(LOG_ERR, "Unexpected client command %s", tail);
break;
}
}
/* clean server shutdown */
fd_putline(c, c->remote_fd.fd, "stunnel LOGOUT");
line=fd_getline(c, c->remote_fd.fd);
if(*line=='*')
line=fd_getline(c, c->remote_fd.fd);
longjmp(c->err, 2); /* don't reset */
}
/**************************************** nntp */
static void nntp_client(CLI *c) {
char *line;
line=fd_getline(c, c->remote_fd.fd);
if(!isprefix(line, "200 ") && !isprefix(line, "201 ")) {
s_log(LOG_ERR, "Unknown server welcome");
longjmp(c->err, 1);
}
fd_putline(c, c->local_wfd.fd, line);
fd_putline(c, c->remote_fd.fd, "STARTTLS");
line=fd_getline(c, c->remote_fd.fd);
if(!isprefix(line, "382 ")) {
s_log(LOG_ERR, "Server does not support TLS");
longjmp(c->err, 1);
}
}
/**************************************** connect */
static void connect_server(CLI *c) {
char *request, *proto, *header;
int not_empty;
request=fd_getline(c, c->local_rfd.fd);
if(!isprefix(request, "CONNECT ")) {
fd_putline(c, c->local_wfd.fd, "HTTP/1.0 400 Bad Request Method");
fd_putline(c, c->local_wfd.fd, "Server: stunnel/" STUNNEL_VERSION);
fd_putline(c, c->local_wfd.fd, "");
longjmp(c->err, 1);
}
proto=strchr(request+8, ' ');
if(!proto || !isprefix(proto, " HTTP/")) {
fd_putline(c, c->local_wfd.fd, "HTTP/1.0 400 Bad Request Protocol");
fd_putline(c, c->local_wfd.fd, "Server: stunnel/" STUNNEL_VERSION);
fd_putline(c, c->local_wfd.fd, "");
longjmp(c->err, 1);
}
*proto='\0';
do { /* ignore any headers*/
header=fd_getline(c, c->local_rfd.fd);
not_empty=*header;
str_free(header);
} while(not_empty);
if(!name2addrlist(&c->connect_addr, request+8, DEFAULT_LOOPBACK)) {
fd_putline(c, c->local_wfd.fd, "HTTP/1.0 404 Not Found");
fd_putline(c, c->local_wfd.fd, "Server: stunnel/" STUNNEL_VERSION);
fd_putline(c, c->local_wfd.fd, "");
longjmp(c->err, 1);
}
str_free(request);
fd_putline(c, c->local_wfd.fd, "HTTP/1.0 200 OK");
fd_putline(c, c->local_wfd.fd, "Server: stunnel/" STUNNEL_VERSION);
fd_putline(c, c->local_wfd.fd, "");
}
static void connect_client(CLI *c) {
char *line, *encoded;
if(!c->opt->protocol_host) {
s_log(LOG_ERR, "protocolHost not specified");
longjmp(c->err, 1);
}
fd_printf(c, c->remote_fd.fd, "CONNECT %s HTTP/1.1",
c->opt->protocol_host);
fd_printf(c, c->remote_fd.fd, "Host: %s", c->opt->protocol_host);
if(c->opt->protocol_username && c->opt->protocol_password) {
if(!strcasecmp(c->opt->protocol_authentication, "NTLM")) {
#if !defined(OPENSSL_NO_MD4) && OPENSSL_VERSION_NUMBER>=0x0090700fL
ntlm(c);
#else
s_log(LOG_ERR, "NTLM authentication is not available");
longjmp(c->err, 1);
#endif
} else { /* basic authentication */
line=str_printf("%s:%s",
c->opt->protocol_username, c->opt->protocol_password);
encoded=base64(1, line, strlen(line));
str_free(line);
if(!encoded) {
s_log(LOG_ERR, "Base64 encoder failed");
longjmp(c->err, 1);
}
fd_printf(c, c->remote_fd.fd, "Proxy-Authorization: basic %s",
encoded);
str_free(encoded);
}
}
fd_putline(c, c->remote_fd.fd, ""); /* empty line */
line=fd_getline(c, c->remote_fd.fd);
if(strlen(line)<12 || line[9]!='2') {
/* not "HTTP/1.0 200 Connection established" */
s_log(LOG_ERR, "CONNECT request rejected");
do { /* read all headers */
line=fd_getline(c, c->remote_fd.fd);
} while(*line);
longjmp(c->err, 1);
}
s_log(LOG_INFO, "CONNECT request accepted");
do {
line=fd_getline(c, c->remote_fd.fd); /* read all headers */
} while(*line);
}
#if !defined(OPENSSL_NO_MD4) && OPENSSL_VERSION_NUMBER>=0x0090700fL
/*
* NTLM code is based on the following documentation:
* http://davenport.sourceforge.net/ntlm.html
* http://www.innovation.ch/personal/ronald/ntlm.html
*/
#define s_min(a, b) ((a)>(b)?(b):(a))
static void ntlm(CLI *c) {
char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt;
long content_length=0; /* no HTTP content */
/* send Proxy-Authorization (phase 1) */
fd_printf(c, c->remote_fd.fd, "Proxy-Connection: keep-alive");
ntlm1_txt=ntlm1();
if(!ntlm1_txt) {
s_log(LOG_ERR, "Proxy-Authenticate: Failed to build NTLM request");
longjmp(c->err, 1);
}
fd_printf(c, c->remote_fd.fd, "Proxy-Authorization: NTLM %s", ntlm1_txt);
str_free(ntlm1_txt);
fd_putline(c, c->remote_fd.fd, ""); /* empty line */
line=fd_getline(c, c->remote_fd.fd);
/* receive Proxy-Authenticate (phase 2) */
if(line[9]!='4' || line[10]!='0' || line[11]!='7') { /* code 407 */
s_log(LOG_ERR, "NTLM authorization request rejected");
do { /* read all headers */
line=fd_getline(c, c->remote_fd.fd);
} while(*line);
longjmp(c->err, 1);
}
ntlm2_txt=NULL;
do { /* read all headers */
line=fd_getline(c, c->remote_fd.fd);
if(isprefix(line, "Proxy-Authenticate: NTLM "))
ntlm2_txt=str_dup(line+25);
else if(isprefix(line, "Content-Length: "))
content_length=atol(line+16);
} while(*line);
if(!ntlm2_txt) { /* no Proxy-Authenticate: NTLM header */
s_log(LOG_ERR, "Proxy-Authenticate: NTLM header not found");
longjmp(c->err, 1);
}
/* read and ignore HTTP content (if any) */
while(content_length) {
read_blocking(c, c->remote_fd.fd, buf, s_min(content_length, BUFSIZ));
content_length-=s_min(content_length, BUFSIZ);
}
/* send Proxy-Authorization (phase 3) */
fd_printf(c, c->remote_fd.fd, "CONNECT %s HTTP/1.1", c->opt->protocol_host);
fd_printf(c, c->remote_fd.fd, "Host: %s", c->opt->protocol_host);
ntlm3_txt=ntlm3(c->opt->protocol_username, c->opt->protocol_password, ntlm2_txt);
str_free(ntlm2_txt);
if(!ntlm3_txt) {
s_log(LOG_ERR, "Proxy-Authenticate: Failed to build NTLM response");
longjmp(c->err, 1);
}
fd_printf(c, c->remote_fd.fd, "Proxy-Authorization: NTLM %s", ntlm3_txt);
str_free(ntlm3_txt);
}
static char *ntlm1() {
char phase1[16];
memset(phase1, 0, sizeof phase1);
strcpy(phase1, "NTLMSSP");
phase1[8]=1; /* type: 1 */
phase1[12]=2; /* flag: negotiate OEM */
phase1[13]=2; /* flag: negotiate NTLM */
return base64(1, phase1, sizeof phase1); /* encode */
}
static char *ntlm3(char *username, char *password, char *phase2) {
MD4_CTX md4;
char *decoded; /* decoded reply from proxy */
char phase3[146];
unsigned char md4_hash[21];
unsigned int userlen=strlen(username);
unsigned int phase3len=s_min(88+userlen, sizeof phase3);
/* setup phase3 structure */
memset(phase3, 0, sizeof phase3);
strcpy(phase3, "NTLMSSP");
phase3[8]=3; /* type: 3 */
phase3[16]=phase3len; /* LM-resp off */
phase3[20]=24; /* NT-resp len */
phase3[22]=24; /* NT-Resp len */
phase3[24]=64; /* NT-resp off */
phase3[32]=phase3len; /* domain offset */
phase3[36]=userlen; /* user length */
phase3[38]=userlen; /* user length */
phase3[40]=88; /* user offset */
phase3[48]=phase3len; /* host offset */
phase3[56]=phase3len; /* message len */
phase3[60]=2; /* flag: negotiate OEM */
phase3[61]=2; /* flag: negotiate NTLM */
/* calculate MD4 of UTF-16 encoded password */
MD4_Init(&md4);
while(*password) {
MD4_Update(&md4, password++, 1);
MD4_Update(&md4, "", 1); /* UTF-16 */
}
MD4_Final(md4_hash, &md4);
memset(md4_hash+16, 0, 5); /* pad to 21 bytes */
/* decode challenge and calculate response */
decoded=base64(0, phase2, strlen(phase2)); /* decode */
if(!decoded)
return NULL;
crypt_DES((unsigned char *)phase3+64,
(unsigned char *)decoded+24, md4_hash);
crypt_DES((unsigned char *)phase3+72,
(unsigned char *)decoded+24, md4_hash+7);
crypt_DES((unsigned char *)phase3+80,
(unsigned char *)decoded+24, md4_hash+14);
str_free(decoded);
strncpy(phase3+88, username, sizeof phase3-88);
return base64(1, phase3, phase3len); /* encode */
}
static void crypt_DES(DES_cblock dst, const_DES_cblock src, DES_cblock hash) {
DES_cblock key;
DES_key_schedule sched;
/* convert key from 56 to 64 bits */
key[0]=hash[0];
key[1]=((hash[0]&1)<<7)|(hash[1]>>1);
key[2]=((hash[1]&3)<<6)|(hash[2]>>2);
key[3]=((hash[2]&7)<<5)|(hash[3]>>3);
key[4]=((hash[3]&15)<<4)|(hash[4]>>4);
key[5]=((hash[4]&31)<<3)|(hash[5]>>5);
key[6]=((hash[5]&63)<<2)|(hash[6]>>6);
key[7]=((hash[6]&127)<<1);
DES_set_odd_parity(&key);
/* encrypt */
DES_set_key_unchecked(&key, &sched);
DES_ecb_encrypt((const_DES_cblock *)src,
(DES_cblock *)dst, &sched, DES_ENCRYPT);
}
#endif
static char *base64(int encode, char *in, int len) {
BIO *bio, *b64;
char *out;
int n;
b64=BIO_new(BIO_f_base64());
if(!b64)
return NULL;
BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
bio=BIO_new(BIO_s_mem());
if(!bio) {
str_free(b64);
return NULL;
}
if(encode)
bio=BIO_push(b64, bio);
BIO_write(bio, in, len);
(void)BIO_flush(bio); /* ignore the error if any */
if(encode) {
bio=BIO_pop(bio);
BIO_free(b64);
} else {
bio=BIO_push(b64, bio);
}
n=BIO_pending(bio);
/* 32 bytes as a safety precaution for passing decoded data to crypt_DES */
/* n+1 to get null-terminated string on encode */
out=str_alloc(n<32?32:n+1);
n=BIO_read(bio, out, n);
if(n<0) {
BIO_free_all(bio);
str_free(out);
return NULL;
}
BIO_free_all(bio);
return out;
}
/* end of protocol.c */

590
src/prototypes.h Normal file
View File

@ -0,0 +1,590 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#ifndef PROTOTYPES_H
#define PROTOTYPES_H
#include "common.h"
/**************************************** data structures */
typedef enum {
LOG_MODE_NONE,
LOG_MODE_ERROR,
LOG_MODE_INFO,
LOG_MODE_CONFIGURED
} LOG_MODE;
typedef union sockaddr_union {
struct sockaddr sa;
struct sockaddr_in in;
#ifdef USE_IPv6
struct sockaddr_in6 in6;
#endif
#ifdef HAVE_STRUCT_SOCKADDR_UN
struct sockaddr_un un;
#endif
} SOCKADDR_UNION;
typedef struct sockaddr_list { /* list of addresses */
SOCKADDR_UNION *addr; /* the list of addresses */
u16 cur; /* current address for round-robin */
u16 num; /* how many addresses are used */
} SOCKADDR_LIST;
#ifndef OPENSSL_NO_COMP
typedef enum {
COMP_NONE, COMP_DEFLATE, COMP_ZLIB, COMP_RLE
} COMP_TYPE;
#endif /* OPENSSL_NO_COMP */
typedef struct {
/* some data for SSL initialization in ssl.c */
#ifndef OPENSSL_NO_COMP
COMP_TYPE compression; /* compression type */
#endif /* OPENSSL_NO_COMP */
char *egd_sock; /* entropy gathering daemon socket */
char *rand_file; /* file with random data */
int random_bytes; /* how many random bytes to read */
/* some global data for stunnel.c */
#ifndef USE_WIN32
#ifdef HAVE_CHROOT
char *chroot_dir;
#endif
unsigned long dpid;
char *pidfile;
int uid, gid;
#endif
/* logging-support data for log.c */
int debug_level; /* debug level for logging */
#ifndef USE_WIN32
int facility; /* debug facility for syslog */
#endif
char *output_file;
/* on/off switches */
struct {
unsigned int rand_write:1; /* overwrite rand_file */
#ifdef USE_WIN32
unsigned int taskbar:1; /* enable the taskbar icon */
#else /* !USE_WIN32 */
unsigned int foreground:1;
unsigned int syslog:1;
#endif
#ifdef USE_FIPS
unsigned int fips:1; /* enable FIPS 140-2 mode */
#endif
} option;
} GLOBAL_OPTIONS;
extern GLOBAL_OPTIONS global_options;
#ifndef OPENSSL_NO_TLSEXT
typedef struct servername_list_struct SERVERNAME_LIST;/* forward declaration */
#endif
typedef struct service_options_struct {
struct service_options_struct *next; /* next node in the services list */
SSL_CTX *ctx; /* SSL context */
char *servname; /* service name for logging & permission checking */
/* service-specific data for sthreads.c */
#ifndef USE_FORK
int stack_size; /* stack size for this thread */
#endif
/* service-specific data for verify.c */
char *ca_dir; /* directory for hashed certs */
char *ca_file; /* file containing bunches of certs */
char *crl_dir; /* directory for hashed CRLs */
char *crl_file; /* file containing bunches of CRLs */
int verify_level;
X509_STORE *revocation_store; /* cert store for CRL checking */
#ifdef HAVE_OSSL_OCSP_H
SOCKADDR_UNION ocsp_addr;
char *ocsp_path;
unsigned long ocsp_flags;
#endif
/* service-specific data for ctx.c */
char *cipher_list;
char *cert; /* cert filename */
char *key; /* pem (priv key/cert) filename */
long session_timeout;
long ssl_options;
SSL_METHOD *client_method, *server_method;
SOCKADDR_UNION sessiond_addr;
#ifndef OPENSSL_NO_TLSEXT
char *sni;
SERVERNAME_LIST *servername_list_head, *servername_list_tail;
#endif
#ifndef OPENSSL_NO_ECDH
int curve;
#endif
#ifdef HAVE_OSSL_ENGINE_H
ENGINE *engine; /* engine to read the private key */
#endif
/* service-specific data for client.c */
int fd; /* file descriptor accepting connections for this service */
SSL_SESSION *session; /* recently used session */
char *execname; /* program name for local mode */
#ifdef USE_WIN32
char *execargs; /* program arguments for local mode */
#else
char **execargs; /* program arguments for local mode */
#endif
SOCKADDR_UNION local_addr, source_addr;
SOCKADDR_LIST connect_addr;
char *username;
char *connect_name;
int timeout_busy; /* maximum waiting for data time */
int timeout_close; /* maximum close_notify time */
int timeout_connect; /* maximum connect() time */
int timeout_idle; /* maximum idle connection time */
enum {FAILOVER_RR, FAILOVER_PRIO} failover; /* failover strategy */
/* service-specific data for protocol.c */
int protocol;
char *protocol_host;
char *protocol_username;
char *protocol_password;
char *protocol_authentication;
/* service-specific data for gui.c */
#ifdef USE_WIN32
int section_number;
LPTSTR file, help;
char *chain;
#endif
/* on/off switches */
struct {
unsigned int accept:1; /* endpoint: accept */
unsigned int client:1;
unsigned int delayed_lookup:1;
#ifdef USE_LIBWRAP
unsigned int libwrap:1;
#endif
unsigned int local:1; /* outgoing interface specified */
unsigned int remote:1; /* endpoint: connect */
unsigned int retry:1; /* loop remote+program */
unsigned int sessiond:1;
unsigned int program:1; /* endpoint: exec */
#ifndef OPENSSL_NO_TLSEXT
unsigned int sni:1; /* endpoint: sni */
#endif
#ifndef USE_WIN32
unsigned int pty:1;
unsigned int transparent_src:1;
unsigned int transparent_dst:1; /* endpoint: transparent destination */
#endif
#ifdef HAVE_OSSL_OCSP_H
unsigned int ocsp:1;
#endif
} option;
} SERVICE_OPTIONS;
extern SERVICE_OPTIONS service_options;
#ifndef OPENSSL_NO_TLSEXT
struct servername_list_struct {
char *servername;
SERVICE_OPTIONS *opt;
struct servername_list_struct *next;
};
#endif
typedef enum {
TYPE_NONE, TYPE_FLAG, TYPE_INT, TYPE_LINGER, TYPE_TIMEVAL, TYPE_STRING
} VAL_TYPE;
typedef union {
int i_val;
long l_val;
char c_val[16];
struct linger linger_val;
struct timeval timeval_val;
} OPT_UNION;
typedef struct {
char *opt_str;
int opt_level;
int opt_name;
VAL_TYPE opt_type;
OPT_UNION *opt_val[3];
} SOCK_OPT;
typedef enum {
CONF_RELOAD, CONF_FILE, CONF_FD
} CONF_TYPE;
/* s_poll_set definition for network.c */
typedef struct {
#ifdef USE_POLL
struct pollfd *ufds;
unsigned int nfds;
unsigned int allocated;
#else /* select */
fd_set irfds, iwfds, ixfds, orfds, owfds, oxfds;
int max;
#endif
} s_poll_set;
typedef struct disk_file {
#ifdef USE_WIN32
HANDLE fh;
#else
int fd;
#endif
/* the inteface is prepared to easily implement buffering if needed */
} DISK_FILE;
/* FD definition for client.c */
typedef struct {
int fd; /* file descriptor */
int is_socket; /* file descriptor is a socket */
} FD;
/**************************************** prototypes for stunnel.c */
#ifndef USE_FORK
extern int max_clients;
extern volatile int num_clients;
#endif
void main_initialize(void);
int main_configure(char *, char *);
void daemon_loop(void);
void unbind_ports(void);
int bind_ports(void);
#if !defined (USE_WIN32) && !defined (__vms) && !defined(USE_OS2)
int drop_privileges(int);
#endif
void signal_post(int);
#if !defined(USE_WIN32) && !defined(USE_OS2)
void child_status(void); /* dead libwrap or 'exec' process detected */
#endif
void stunnel_info(int);
/**************************************** prototypes for fd.c */
#ifndef USE_FORK
void get_limits(void); /* setup global max_clients and max_fds */
#endif
int s_socket(int, int, int, int, char *);
int s_pipe(int [2], int, char *);
int s_socketpair(int, int, int, int [2], int, char *);
int s_accept(int, struct sockaddr *, socklen_t *, int, char *);
void set_nonblock(int, unsigned long);
/**************************************** prototypes for log.c */
#if !defined(USE_WIN32) && !defined(__vms)
void syslog_open(void);
void syslog_close(void);
#endif
void log_open(void);
void log_close(void);
void log_flush(LOG_MODE);
void s_log(int, const char *, ...)
#ifdef __GNUC__
__attribute__((format(printf, 2, 3)));
#else
;
#endif
void fatal_debug(char *, char *, int);
#define fatal(a) fatal_debug((a), __FILE__, __LINE__)
void ioerror(const char *);
void sockerror(const char *);
void log_error(int, int, const char *);
char *s_strerror(int);
/**************************************** prototypes for pty.c */
int pty_allocate(int *, int *, char *);
/**************************************** prototypes for ssl.c */
extern int cli_index, opt_index;
int ssl_init(void);
int ssl_configure(GLOBAL_OPTIONS *);
/**************************************** prototypes for options.c */
int parse_commandline(char *, char *);
int parse_conf(char *, CONF_TYPE);
void apply_conf(void);
/**************************************** prototypes for ctx.c */
typedef struct {
SERVICE_OPTIONS *section;
char pass[PEM_BUFSIZE];
} UI_DATA;
int context_init(SERVICE_OPTIONS *);
void sslerror(char *);
/**************************************** prototypes for verify.c */
int verify_init(SERVICE_OPTIONS *);
/**************************************** prototypes for network.c */
s_poll_set *s_poll_alloc(void);
void s_poll_free(s_poll_set *);
void s_poll_init(s_poll_set *);
void s_poll_add(s_poll_set *, int, int, int);
int s_poll_canread(s_poll_set *, int);
int s_poll_canwrite(s_poll_set *, int);
int s_poll_error(s_poll_set *, FD *);
int s_poll_wait(s_poll_set *, int, int);
#ifdef USE_WIN32
#define SIGNAL_RELOAD_CONFIG 1
#define SIGNAL_REOPEN_LOG 2
#define SIGNAL_TERMINATE 3
#else
#define SIGNAL_RELOAD_CONFIG SIGHUP
#define SIGNAL_REOPEN_LOG SIGUSR1
#define SIGNAL_TERMINATE SIGTERM
#endif
int set_socket_options(int, int);
int get_socket_error(const int);
int make_sockets(int [2]);
/**************************************** prototypes for client.c */
typedef struct {
jmp_buf err; /* exception handler needs to be 16-byte aligned on Itanium */
SSL *ssl; /* SSL connnection */
SERVICE_OPTIONS *opt;
SOCKADDR_UNION peer_addr; /* peer address */
socklen_t peer_addr_len;
SOCKADDR_UNION *bind_addr; /* address to bind() the socket */
SOCKADDR_LIST connect_addr; /* for dynamically assigned addresses */
FD local_rfd, local_wfd; /* read and write local descriptors */
FD remote_fd; /* remote file descriptor */
/* IP for explicit local bind or transparent proxy */
unsigned long pid; /* PID of the local process */
int fd; /* temporary file descriptor */
/* data for transfer() function */
char sock_buff[BUFFSIZE]; /* socket read buffer */
char ssl_buff[BUFFSIZE]; /* SSL read buffer */
int sock_ptr, ssl_ptr; /* index of first unused byte in buffer */
FD *sock_rfd, *sock_wfd; /* read and write socket descriptors */
FD *ssl_rfd, *ssl_wfd; /* read and write SSL descriptors */
int sock_bytes, ssl_bytes; /* bytes written to socket and SSL */
s_poll_set *fds; /* file descriptors */
} CLI;
CLI *alloc_client_session(SERVICE_OPTIONS *, int, int);
void *client_thread(void *);
void client_main(CLI *);
/**************************************** prototypes for network.c */
int connect_blocking(CLI *, SOCKADDR_UNION *, socklen_t);
void write_blocking(CLI *, int fd, void *, int);
void read_blocking(CLI *, int fd, void *, int);
void fd_putline(CLI *, int, const char *);
char *fd_getline(CLI *, int);
/* descriptor versions of fprintf/fscanf */
void fd_printf(CLI *, int, const char *, ...)
#ifdef __GNUC__
__attribute__((format(printf, 3, 4)));
#else
;
#endif
/**************************************** prototype for protocol.c */
typedef enum {
PROTOCOL_NONE,
PROTOCOL_PRE_CONNECT,
PROTOCOL_PRE_SSL,
PROTOCOL_POST_SSL
} PROTOCOL_TYPE;
int find_protocol_id(const char *);
void protocol(CLI *, const PROTOCOL_TYPE);
/**************************************** prototypes for resolver.c */
int name2addr(SOCKADDR_UNION *, char *, char *);
int hostport2addr(SOCKADDR_UNION *, char *, char *);
int name2addrlist(SOCKADDR_LIST *, char *, char *);
int hostport2addrlist(SOCKADDR_LIST *, char *, char *);
char *s_ntop(SOCKADDR_UNION *, socklen_t);
socklen_t addr_len(const SOCKADDR_UNION *);
const char *s_gai_strerror(int);
#ifndef HAVE_GETNAMEINFO
#ifndef NI_NUMERICHOST
#define NI_NUMERICHOST 2
#endif
#ifndef NI_NUMERICSERV
#define NI_NUMERICSERV 8
#endif
#ifdef USE_WIN32
/* rename some locally shadowed declarations */
#define getnameinfo local_getnameinfo
#endif /* defined USE_WIN32 */
int getnameinfo(const struct sockaddr *, int, char *, int, char *, int, int);
#endif /* !defined HAVE_GETNAMEINFO */
/**************************************** prototypes for sthreads.c */
typedef enum {
CRIT_CLIENTS, CRIT_SESSION, CRIT_SSL, /* client.c */
CRIT_INET, /* resolver.c */
#ifndef USE_WIN32
CRIT_LIBWRAP, /* libwrap.c */
#endif
CRIT_LOG, /* log.c */
CRIT_SECTIONS /* number of critical sections */
} SECTION_CODE;
void enter_critical_section(SECTION_CODE);
void leave_critical_section(SECTION_CODE);
int sthreads_init(void);
unsigned long stunnel_process_id(void);
unsigned long stunnel_thread_id(void);
int create_client(int, int, CLI *, void *(*)(void *));
#ifdef USE_UCONTEXT
typedef struct CONTEXT_STRUCTURE {
char *stack; /* CPU stack for this thread */
unsigned long id;
ucontext_t context;
s_poll_set *fds;
int ready; /* number of ready file descriptors */
time_t finish; /* when to finish poll() for this context */
struct CONTEXT_STRUCTURE *next; /* next context on a list */
void *tls; /* thread local storage for str.c */
} CONTEXT;
extern CONTEXT *ready_head, *ready_tail;
extern CONTEXT *waiting_head, *waiting_tail;
#endif
#ifdef _WIN32_WCE
long _beginthread(void (*)(void *), int, void *);
void _endthread(void);
#endif
#ifdef DEBUG_STACK_SIZE
void stack_info(int);
#endif
/**************************************** prototypes for gui.c */
#ifdef USE_WIN32
extern HWND hwnd;
int passwd_cb(char *, int, int, void *);
#ifdef HAVE_OSSL_ENGINE_H
int pin_cb(UI *, UI_STRING *);
#endif
#ifndef _WIN32_WCE
typedef int (CALLBACK * GETADDRINFO) (const char *,
const char *, const struct addrinfo *, struct addrinfo **);
typedef void (CALLBACK * FREEADDRINFO) (struct addrinfo FAR *);
typedef int (CALLBACK * GETNAMEINFO) (const struct sockaddr *, socklen_t,
char *, size_t, char *, size_t, int);
extern GETADDRINFO s_getaddrinfo;
extern FREEADDRINFO s_freeaddrinfo;
extern GETNAMEINFO s_getnameinfo;
#endif /* ! _WIN32_WCE */
#endif /* USE_WIN32 */
/**************************************** prototypes for file.c */
#ifndef USE_WIN32
DISK_FILE *file_fdopen(int);
#endif
DISK_FILE *file_open(char *, int);
void file_close(DISK_FILE *);
int file_getline(DISK_FILE *, char *, int);
int file_putline(DISK_FILE *, char *);
#ifdef USE_WIN32
LPTSTR str2tstr(const LPSTR);
LPSTR tstr2str(const LPTSTR);
#endif
/**************************************** prototypes for libwrap.c */
int libwrap_init();
void libwrap_auth(CLI *, char *);
/**************************************** prototypes for str.c */
void str_init();
void str_canary_init();
void str_cleanup();
void str_stats();
void *str_alloc_debug(size_t, char *, int);
#define str_alloc(a) str_alloc_debug((a), __FILE__, __LINE__)
void *str_realloc_debug(void *, size_t, char *, int);
#define str_realloc(a, b) str_realloc_debug((a), (b), __FILE__, __LINE__)
void str_detach_debug(void *, char *, int);
#define str_detach(a) str_detach_debug((a), __FILE__, __LINE__)
void str_free_debug(void *, char *, int);
#define str_free(a) str_free_debug((a), __FILE__, __LINE__), (a)=NULL
char *str_dup(const char *);
char *str_vprintf(const char *, va_list);
char *str_printf(const char *, ...)
#ifdef __GNUC__
__attribute__((format(printf, 1, 2)));
#else
;
#endif
#endif /* defined PROTOTYPES_H */
/* end of prototypes.h */

221
src/pty.c Normal file
View File

@ -0,0 +1,221 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
#ifdef HAVE_UTIL_H
#include <util.h>
#endif /* HAVE_UTIL_H */
#ifdef HAVE_SYS_IOCTL_H
#include <sys/ioctl.h>
#endif /* HAVE_SYS_IOCTL_H */
/* pty allocated with _getpty gets broken if we do I_PUSH:es to it. */
#if defined(HAVE__GETPTY) || defined(HAVE_OPENPTY)
#undef HAVE_DEV_PTMX
#endif /* HAVE__GETPTY || HAVE_OPENPTY */
#ifdef HAVE_PTY_H
#include <pty.h>
#endif /* HAVE_PTY_H */
#ifdef HAVE_LIBUTIL_H
#include <libutil.h>
#endif /* HAVE_LIBUTIL_H */
#ifndef O_NOCTTY
#define O_NOCTTY 0
#endif /* O_NOCTTY */
/*
* allocates and opens a pty
* returns -1 if no pty could be allocated, or zero if a pty was successfully
* allocated
* on success, open file descriptors for the pty and tty sides and the name of
* the tty side are returned
* the buffer must be able to hold at least 64 characters
*/
int pty_allocate(int *ptyfd, int *ttyfd, char *namebuf) {
#if defined(HAVE_OPENPTY) || defined(BSD4_4) && !defined(__INNOTEK_LIBC__)
/* openpty(3) exists in OSF/1 and some other os'es */
char buf[64];
int i;
i=openpty(ptyfd, ttyfd, buf, NULL, NULL);
if(i<0) {
ioerror("openpty");
return -1;
}
strcpy(namebuf, buf); /* possible truncation */
return 0;
#else /* HAVE_OPENPTY */
#ifdef HAVE__GETPTY
/*
* _getpty(3) exists in SGI Irix 4.x, 5.x & 6.x -- it generates more
* pty's automagically when needed
*/
char *slave;
slave=_getpty(ptyfd, O_RDWR, 0622, 0);
if(slave==NULL) {
ioerror("_getpty");
return -1;
}
strcpy(namebuf, slave);
/* open the slave side */
*ttyfd=open(namebuf, O_RDWR|O_NOCTTY);
if(*ttyfd<0) {
ioerror(namebuf);
close(*ptyfd);
return -1;
}
return 0;
#else /* HAVE__GETPTY */
#if defined(HAVE_DEV_PTMX)
/*
* this code is used e.g. on Solaris 2.x
* note that Solaris 2.3 * also has bsd-style ptys, but they simply do not
* work
*/
int ptm; char *pts;
ptm=open("/dev/ptmx", O_RDWR|O_NOCTTY);
if(ptm<0) {
ioerror("/dev/ptmx");
return -1;
}
if(grantpt(ptm)<0) {
ioerror("grantpt");
/* return -1; */
/* can you tell me why it doesn't work? */
}
if(unlockpt(ptm)<0) {
ioerror("unlockpt");
return -1;
}
pts=ptsname(ptm);
if(pts==NULL)
s_log(LOG_ERR, "Slave pty side name could not be obtained");
strcpy(namebuf, pts);
*ptyfd=ptm;
/* open the slave side */
*ttyfd=open(namebuf, O_RDWR|O_NOCTTY);
if(*ttyfd<0) {
ioerror(namebuf);
close(*ptyfd);
return -1;
}
/* push the appropriate streams modules, as described in Solaris pts(7) */
if(ioctl(*ttyfd, I_PUSH, "ptem")<0)
ioerror("ioctl I_PUSH ptem");
if(ioctl(*ttyfd, I_PUSH, "ldterm")<0)
ioerror("ioctl I_PUSH ldterm");
if(ioctl(*ttyfd, I_PUSH, "ttcompat")<0)
ioerror("ioctl I_PUSH ttcompat");
return 0;
#else /* HAVE_DEV_PTMX */
#ifdef HAVE_DEV_PTS_AND_PTC
/* AIX-style pty code. */
const char *name;
*ptyfd=open("/dev/ptc", O_RDWR|O_NOCTTY);
if(*ptyfd<0) {
ioerror("open(/dev/ptc)");
return -1;
}
name=ttyname(*ptyfd);
if(!name) {
s_log(LOG_ERR, "Open of /dev/ptc returns device for which ttyname fails");
return -1;
}
strcpy(namebuf, name);
*ttyfd=open(name, O_RDWR|O_NOCTTY);
if(*ttyfd<0) {
ioerror(name);
close(*ptyfd);
return -1;
}
return 0;
#else /* HAVE_DEV_PTS_AND_PTC */
/* BSD-style pty code. */
char buf[64];
int i;
const char *ptymajors="pqrstuvwxyzabcdefghijklmnoABCDEFGHIJKLMNOPQRSTUVWXYZ";
const char *ptyminors="0123456789abcdef";
int num_minors=strlen(ptyminors);
int num_ptys=strlen(ptymajors)*num_minors;
for(i=0; i<num_ptys; i++) {
#ifdef HAVE_SNPRINTF
snprintf(buf, sizeof buf,
#else
sprintf(buf,
#endif
"/dev/pty%c%c", ptymajors[i/num_minors],
ptyminors[i%num_minors]);
*ptyfd=open(buf, O_RDWR|O_NOCTTY);
if(*ptyfd<0)
continue;
#ifdef HAVE_SNPRINTF
snprintf(namebuf, 64,
#else
sprintf(namebuf,
#endif
"/dev/tty%c%c",
ptymajors[i/num_minors], ptyminors[i%num_minors]);
/* open the slave side */
*ttyfd=open(namebuf, O_RDWR | O_NOCTTY);
if(*ttyfd<0) {
ioerror(namebuf);
close(*ptyfd);
return -1;
}
return 0;
}
return -1;
#endif /* HAVE_DEV_PTS_AND_PTC */
#endif /* HAVE_DEV_PTMX */
#endif /* HAVE__GETPTY */
#endif /* HAVE_OPENPTY */
}
/* end of pty.c */

469
src/resolver.c Normal file
View File

@ -0,0 +1,469 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
/**************************************** prototypes */
#ifndef HAVE_GETADDRINFO
#ifndef EAI_MEMORY
#define EAI_MEMORY 1
#endif
#ifndef EAI_NONAME
#define EAI_NONAME 2
#endif
#ifndef EAI_SERVICE
#define EAI_SERVICE 8
#endif
/* rename some potentially locally shadowed declarations */
#define getaddrinfo local_getaddrinfo
#define freeaddrinfo local_freeaddrinfo
#ifndef HAVE_STRUCT_ADDRINFO
struct addrinfo {
int ai_flags;
int ai_family;
int ai_socktype;
int ai_protocol;
int ai_addrlen;
struct sockaddr *ai_addr;
char *ai_canonname;
struct addrinfo *ai_next;
};
#endif
static int getaddrinfo(const char *, const char *,
const struct addrinfo *, struct addrinfo **);
static int alloc_addresses(struct hostent *, const struct addrinfo *,
u_short port, struct addrinfo **, struct addrinfo **);
static void freeaddrinfo(struct addrinfo *);
#endif /* !defined HAVE_GETADDRINFO */
/**************************************** stunnel resolver API */
int name2addr(SOCKADDR_UNION *addr, char *name, char *default_host) {
SOCKADDR_LIST addr_list;
int retval;
addr_list.num=0;
addr_list.addr=NULL;
retval=name2addrlist(&addr_list, name, default_host);
if(retval>0)
memcpy(addr, &addr_list.addr[0], sizeof *addr);
if(addr_list.addr)
str_free(addr_list.addr);
return retval;
}
int hostport2addr(SOCKADDR_UNION *addr, char *hostname, char *portname) {
SOCKADDR_LIST addr_list;
int retval;
addr_list.num=0;
addr_list.addr=NULL;
retval=hostport2addrlist(&addr_list, hostname, portname);
if(retval>0)
memcpy(addr, &addr_list.addr[0], sizeof *addr);
if(addr_list.addr)
str_free(addr_list.addr);
return retval;
}
int name2addrlist(SOCKADDR_LIST *addr_list, char *name, char *default_host) {
char *tmp, *hostname, *portname;
int retval;
addr_list->cur=0; /* reset round-robin counter */
/* first check if this is a UNIX socket */
#ifdef HAVE_STRUCT_SOCKADDR_UN
if(*name=='/') {
if(offsetof(struct sockaddr_un, sun_path)+strlen(name)+1
> sizeof(struct sockaddr_un)) {
s_log(LOG_ERR, "Unix socket path is too long");
return 0; /* no results */
}
addr_list->addr=str_realloc(addr_list->addr,
(addr_list->num+1)*sizeof(SOCKADDR_UNION));
addr_list->addr[addr_list->num].un.sun_family=AF_UNIX;
strcpy(addr_list->addr[addr_list->num].un.sun_path, name);
return ++(addr_list->num); /* ok - return the number of addresses */
}
#endif
/* set hostname and portname */
tmp=str_dup(name);
portname=strrchr(tmp, ':');
if(portname) {
hostname=tmp;
*portname++='\0';
} else { /* no ':' - use default host IP */
hostname=default_host;
portname=tmp;
}
/* fill addr_list structure */
retval=hostport2addrlist(addr_list, hostname, portname);
str_free(tmp);
return retval;
}
int hostport2addrlist(SOCKADDR_LIST *addr_list,
char *hostname, char *portname) {
struct addrinfo hints, *res=NULL, *cur;
int err;
memset(&hints, 0, sizeof hints);
#if defined(USE_IPv6) || defined(USE_WIN32)
hints.ai_family=PF_UNSPEC;
#else
hints.ai_family=PF_INET;
#endif
hints.ai_socktype=SOCK_STREAM;
hints.ai_protocol=IPPROTO_TCP;
do {
err=getaddrinfo(hostname, portname, &hints, &res);
if(err && res)
freeaddrinfo(res);
if(err==EAI_AGAIN) {
s_log(LOG_DEBUG, "getaddrinfo: EAI_AGAIN received: retrying");
sleep(1);
}
} while(err==EAI_AGAIN);
switch(err) {
case 0:
break; /* success */
case EAI_SERVICE:
s_log(LOG_ERR, "Unknown TCP service '%s'", portname);
return 0; /* error */
default:
s_log(LOG_ERR, "Error resolving '%s': %s",
hostname, s_gai_strerror(err));
return 0; /* error */
}
/* copy the list of addresses */
for(cur=res; cur; cur=cur->ai_next) {
if(cur->ai_addrlen>(int)sizeof(SOCKADDR_UNION)) {
s_log(LOG_ERR, "INTERNAL ERROR: ai_addrlen value too big");
freeaddrinfo(res);
return 0; /* no results */
}
addr_list->addr=str_realloc(addr_list->addr,
(addr_list->num+1)*sizeof(SOCKADDR_UNION));
memcpy(&addr_list->addr[addr_list->num], cur->ai_addr, cur->ai_addrlen);
++(addr_list->num);
}
freeaddrinfo(res);
return addr_list->num; /* ok - return the number of addresses */
}
char *s_ntop(SOCKADDR_UNION *addr, socklen_t addrlen) {
int err;
char *host, *port, *retval;
if(addrlen==sizeof(u_short)) /* see UNIX(7) manual for details */
return str_dup("unnamed socket");
host=str_alloc(256);
port=str_alloc(256); /* needs to be long enough for AF_UNIX path */
err=getnameinfo(&addr->sa, addrlen,
host, 256, port, 256, NI_NUMERICHOST|NI_NUMERICSERV);
if(err) {
s_log(LOG_ERR, "getnameinfo: %s", s_gai_strerror(err));
retval=str_dup("unresolvable address");
} else
retval=str_printf("%s:%s", host, port);
str_free(host);
str_free(port);
return retval;
}
socklen_t addr_len(const SOCKADDR_UNION *addr) {
if(addr->sa.sa_family==AF_INET)
return sizeof(struct sockaddr_in);
#ifdef USE_IPv6
if(addr->sa.sa_family==AF_INET6)
return sizeof(struct sockaddr_in6);
#endif
#ifdef HAVE_STRUCT_SOCKADDR_UN
if(addr->sa.sa_family==AF_UNIX)
return sizeof(struct sockaddr_un);
#endif
s_log(LOG_ERR, "INTERNAL ERROR: Unknown sa_family: %d",
addr->sa.sa_family);
return sizeof(SOCKADDR_UNION);
}
/**************************************** my getaddrinfo() */
/* implementation is limited to functionality needed by stunnel */
#ifndef HAVE_GETADDRINFO
static int getaddrinfo(const char *node, const char *service,
const struct addrinfo *hints, struct addrinfo **res) {
struct hostent *h;
#ifndef _WIN32_WCE
struct servent *p;
#endif
u_short port;
struct addrinfo *ai;
int retval;
char *tmpstr;
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
if(s_getaddrinfo)
return s_getaddrinfo(node, service, hints, res);
#endif
/* decode service name */
port=htons((u_short)strtol(service, &tmpstr, 10));
if(tmpstr==service || *tmpstr) { /* not a number */
#ifdef _WIN32_WCE
return EAI_NONAME;
#else /* defined(_WIN32_WCE) */
p=getservbyname(service, "tcp");
if(!p)
return EAI_NONAME;
port=p->s_port;
#endif /* defined(_WIN32_WCE) */
}
/* allocate addrlist structure */
ai=str_alloc(sizeof(struct addrinfo));
if(hints)
memcpy(ai, hints, sizeof(struct addrinfo));
/* try to decode numerical address */
#if defined(USE_IPv6) && !defined(USE_WIN32)
ai->ai_family=AF_INET6;
ai->ai_addrlen=sizeof(struct sockaddr_in6);
ai->ai_addr=str_alloc(ai->ai_addrlen);
ai->ai_addr->sa_family=AF_INET6;
if(inet_pton(AF_INET6, node,
&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr)>0) {
#else
ai->ai_family=AF_INET;
ai->ai_addrlen=sizeof(struct sockaddr_in);
ai->ai_addr=str_alloc(ai->ai_addrlen);
ai->ai_addr->sa_family=AF_INET;
((struct sockaddr_in *)ai->ai_addr)->sin_addr.s_addr=inet_addr(node);
if(((struct sockaddr_in *)ai->ai_addr)->sin_addr.s_addr+1) {
/* (signed)((struct sockaddr_in *)ai->ai_addr)->sin_addr.s_addr!=-1 */
#endif
((struct sockaddr_in *)ai->ai_addr)->sin_port=port;
*res=ai;
return 0; /* numerical address resolved */
}
str_free(ai->ai_addr);
str_free(ai);
/* not numerical: need to call resolver library */
*res=NULL;
ai=NULL;
enter_critical_section(CRIT_INET);
#ifdef HAVE_GETHOSTBYNAME2
h=gethostbyname2(node, AF_INET6);
if(h) /* some IPv6 addresses found */
alloc_addresses(h, hints, port, res, &ai); /* ignore the error */
#endif
h=gethostbyname(node); /* get list of addresses */
if(h)
retval=ai ?
alloc_addresses(h, hints, port, &ai->ai_next, &ai) :
alloc_addresses(h, hints, port, res, &ai);
else if(!*res)
retval=EAI_NONAME; /* no results */
else
retval=0;
#ifdef HAVE_ENDHOSTENT
endhostent();
#endif
leave_critical_section(CRIT_INET);
if(retval) { /* error: free allocated memory */
freeaddrinfo(*res);
*res=NULL;
}
return retval;
}
static int alloc_addresses(struct hostent *h, const struct addrinfo *hints,
u_short port, struct addrinfo **head, struct addrinfo **tail) {
int i;
struct addrinfo *ai;
/* copy addresses */
for(i=0; h->h_addr_list[i]; i++) {
ai=str_alloc(sizeof(struct addrinfo));
if(hints)
memcpy(ai, hints, sizeof(struct addrinfo));
ai->ai_next=NULL; /* just in case */
if(*tail) { /* list not empty: add a node */
(*tail)->ai_next=ai;
*tail=ai;
} else { /* list empty: create it */
*head=ai;
*tail=ai;
}
ai->ai_family=h->h_addrtype;
#if defined(USE_IPv6)
if(h->h_addrtype==AF_INET6) {
ai->ai_addrlen=sizeof(struct sockaddr_in6);
ai->ai_addr=str_alloc(ai->ai_addrlen);
memcpy(&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr,
h->h_addr_list[i], h->h_length);
} else
#endif
{
ai->ai_addrlen=sizeof(struct sockaddr_in);
ai->ai_addr=str_alloc(ai->ai_addrlen);
memcpy(&((struct sockaddr_in *)ai->ai_addr)->sin_addr,
h->h_addr_list[i], h->h_length);
}
ai->ai_addr->sa_family=h->h_addrtype;
/* offsets of sin_port and sin6_port should be the same */
((struct sockaddr_in *)ai->ai_addr)->sin_port=port;
}
return 0; /* success */
}
static void freeaddrinfo(struct addrinfo *current) {
struct addrinfo *next;
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
if(s_freeaddrinfo) {
s_freeaddrinfo(current);
return;
}
#endif
while(current) {
if(current->ai_addr)
str_free(current->ai_addr);
if(current->ai_canonname)
str_free(current->ai_canonname);
next=current->ai_next;
str_free(current);
current=next;
}
}
#endif /* !defined HAVE_GETADDRINFO */
/* due to a problem with Mingw32 I decided to define my own gai_strerror() */
const char *s_gai_strerror(int err) {
switch(err) {
#ifdef EAI_BADFLAGS
case EAI_BADFLAGS:
return "Invalid value for ai_flags (EAI_BADFLAGS)";
#endif
case EAI_NONAME:
return "Neither nodename nor servname known (EAI_NONAME)";
#ifdef EAI_AGAIN
case EAI_AGAIN:
return "Temporary failure in name resolution (EAI_AGAIN)";
#endif
#ifdef EAI_FAIL
case EAI_FAIL:
return "Non-recoverable failure in name resolution (EAI_FAIL)";
#endif
#ifdef EAI_NODATA
#if EAI_NODATA!=EAI_NONAME
case EAI_NODATA:
return "No address associated with nodename (EAI_NODATA)";
#endif /* EAI_NODATA!=EAI_NONAME */
#endif /* defined EAI_NODATA */
#ifdef EAI_FAMILY
case EAI_FAMILY:
return "ai_family not supported (EAI_FAMILY)";
#endif
#ifdef EAI_SOCKTYPE
case EAI_SOCKTYPE:
return "ai_socktype not supported (EAI_SOCKTYPE)";
#endif
#ifdef EAI_SERVICE
case EAI_SERVICE:
return "servname is not supported for ai_socktype (EAI_SERVICE)";
#endif
#ifdef EAI_ADDRFAMILY
case EAI_ADDRFAMILY:
return "Address family for nodename not supported (EAI_ADDRFAMILY)";
#endif /* EAI_ADDRFAMILY */
case EAI_MEMORY:
return "Memory allocation failure (EAI_MEMORY)";
#ifdef EAI_SYSTEM
case EAI_SYSTEM:
return "System error returned in errno (EAI_SYSTEM)";
#endif /* EAI_SYSTEM */
default:
return "Unknown error";
}
}
/**************************************** my getnameinfo() */
/* implementation is limited to functionality needed by stunnel */
#ifndef HAVE_GETNAMEINFO
int getnameinfo(const struct sockaddr *sa, int salen,
char *host, int hostlen, char *serv, int servlen, int flags) {
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
if(s_getnameinfo)
return s_getnameinfo(sa, salen, host, hostlen, serv, servlen, flags);
#endif
if(host && hostlen) {
#if defined(USE_IPv6) && !defined(USE_WIN32)
inet_ntop(sa->sa_family, sa->sa_family==AF_INET6 ?
(void *)&((struct sockaddr_in6 *)sa)->sin6_addr :
(void *)&((struct sockaddr_in *)sa)->sin_addr,
host, hostlen);
#else /* USE_IPv6 */
enter_critical_section(CRIT_INET); /* inet_ntoa is not mt-safe */
strncpy(host, inet_ntoa(((struct sockaddr_in *)sa)->sin_addr),
hostlen);
leave_critical_section(CRIT_INET);
host[hostlen-1]='\0';
#endif /* USE_IPv6 */
}
if(serv && servlen)
sprintf(serv, "%u", ntohs(((struct sockaddr_in *)sa)->sin_port));
/* sin_port is in the same place both in sockaddr_in and sockaddr_in6 */
/* ignore servlen since it's long enough in stunnel code */
return 0;
}
#endif
/* end of resolver.c */

28
src/resources.h Normal file
View File

@ -0,0 +1,28 @@
#define WM_SYSTRAY (WM_USER+0)
#define WM_VALID_CONFIG (WM_APP+0)
#define WM_INVALID_CONFIG (WM_APP+1)
#define WM_LOG (WM_APP+2)
#define WM_NEW_CHAIN (WM_APP+3)
#define IDI_MYICON 10
#define IDE_EDIT 20
#define IDE_PASSEDIT 21
#define IDE_PINEDIT 22
#define IDM_TRAYMENU 30
#define IDM_MAINMENU 31
#define IDM_CLOSE 32
#define IDM_EXIT 33
#define IDM_SHOW_LOG 34
#define IDM_SAVE_LOG 40
#define IDM_REOPEN_LOG 41
#define IDM_EDIT_CONFIG 42
#define IDM_RELOAD_CONFIG 43
#define IDM_ABOUT 50
#define IDM_MANPAGE 51
#define IDM_HOMEPAGE 52
#define IDM_PEER_MENU 60

121
src/resources.rc Normal file
View File

@ -0,0 +1,121 @@
#include <windows.h>
#include "resources.h"
#include "version.h"
VS_VERSION_INFO VERSIONINFO
FILEVERSION STUNNEL_VERSION_FIELDS
PRODUCTVERSION STUNNEL_VERSION_FIELDS
FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
FILEFLAGS 0
FILEOS VOS__WINDOWS32
FILETYPE VFT_APP
FILESUBTYPE VFT2_UNKNOWN
BEGIN
BLOCK "StringFileInfo"
BEGIN
BLOCK "040904E4"
BEGIN
VALUE "CompanyName", "Michal Trojnara"
VALUE "FileDescription", "stunnel - multiplatform SSL tunneling proxy"
VALUE "FileVersion", STUNNEL_VERSION
VALUE "InternalName", "stunnel"
VALUE "LegalCopyright", "© by Michal Trojnara, 1998-2012"
VALUE "OriginalFilename", "stunnel.exe"
VALUE "ProductName", STUNNEL_PRODUCTNAME
VALUE "ProductVersion", STUNNEL_VERSION
END
END
BLOCK "VarFileInfo"
BEGIN
VALUE "Translation", 0x409, 1252
END
END
IDI_MYICON ICON "stunnel.ico"
IDM_MAINMENU MENU
BEGIN
POPUP "&File"
BEGIN
MENUITEM "&Save Log As", IDM_SAVE_LOG
MENUITEM "Reopen &Log File", IDM_REOPEN_LOG, GRAYED
MENUITEM SEPARATOR
MENUITEM "&Close", IDM_CLOSE
END
POPUP "&Configuration"
BEGIN
MENUITEM "&Edit stunnel.conf", IDM_EDIT_CONFIG
MENUITEM "&Reload stunnel.conf", IDM_RELOAD_CONFIG
END
POPUP "&Save peer certificate"
BEGIN
MENUITEM "dummy", 0, GRAYED
END
POPUP "&Help", HELP
BEGIN
MENUITEM "&About", IDM_ABOUT
MENUITEM SEPARATOR
MENUITEM "&Manual", IDM_MANPAGE
MENUITEM "&Homepage", IDM_HOMEPAGE
END
END
IDM_TRAYMENU MENU
BEGIN
POPUP "Ooops?"
BEGIN
MENUITEM "Show Log &Window", IDM_SHOW_LOG
MENUITEM SEPARATOR
POPUP "&Save peer certificate"
BEGIN
MENUITEM "dummy", 0, GRAYED
END
MENUITEM SEPARATOR
MENUITEM "&Edit stunnel.conf", IDM_EDIT_CONFIG
MENUITEM "&Reload stunnel.conf", IDM_RELOAD_CONFIG
MENUITEM "Reopen &Log File", IDM_REOPEN_LOG, GRAYED
MENUITEM SEPARATOR
MENUITEM "&Homepage", IDM_HOMEPAGE
MENUITEM "&Manual", IDM_MANPAGE
MENUITEM "&About", IDM_ABOUT
MENUITEM SEPARATOR
MENUITEM "E&xit", IDM_EXIT
END
END
ABOUTBOX DIALOG DISCARDABLE 0, 0, 140, 68
STYLE DS_MODALFRAME|DS_CENTER|WS_POPUP|WS_CAPTION|WS_SYSMENU
CAPTION "About stunnel"
BEGIN
ICON IDI_MYICON, -1, 9, 8, 18, 20
LTEXT "stunnel version", -1, 30, 4, 52, 8
LTEXT STUNNEL_VERSION, -1, 82, 4, 54, 8
LTEXT "© by Michal Trojnara, 1998-2012", -1, 30, 12, 106, 8
LTEXT "All Rights Reserved", -1, 30, 20, 106, 8
LTEXT "Licensed under the GNU GPL version 2", -1, 4, 28, 132, 8
LTEXT "with a special exception for OpenSSL", -1, 4, 36, 132, 8
DEFPUSHBUTTON "OK",IDOK, 54, 48, 32, 14, WS_GROUP
END
PASSBOX DIALOG DISCARDABLE 0, 0, 158, 51
STYLE DS_MODALFRAME|DS_CENTER|WS_POPUP|WS_CAPTION|WS_SYSMENU
CAPTION ""
BEGIN
ICON IDI_MYICON, -1, 8, 6, 18, 20
LTEXT "Pass phrase:", -1, 33, 9, 50, 8
EDITTEXT IDE_PASSEDIT, 86, 7, 65, 12, ES_PASSWORD|ES_AUTOHSCROLL
DEFPUSHBUTTON "OK",IDOK, 7, 30, 50, 14
PUSHBUTTON "Cancel",IDCANCEL, 101, 30, 50, 14
END
PINBOX DIALOG DISCARDABLE 0, 0, 158, 51
STYLE DS_MODALFRAME|DS_CENTER|WS_POPUP|WS_CAPTION|WS_SYSMENU
CAPTION ""
BEGIN
ICON IDI_MYICON, -1, 8, 6, 18, 20
LTEXT "SmartCard PIN:", -1, 33, 9, 50, 8
EDITTEXT IDE_PINEDIT, 86, 7, 65, 12, ES_PASSWORD|ES_AUTOHSCROLL
DEFPUSHBUTTON "OK",IDOK, 7, 30, 50, 14
PUSHBUTTON "Cancel",IDCANCEL, 101, 30, 50, 14
END

248
src/ssl.c Normal file
View File

@ -0,0 +1,248 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
/* global OpenSSL initalization: compression, engine, entropy */
static int init_compression(GLOBAL_OPTIONS *);
static int init_prng(GLOBAL_OPTIONS *);
static int add_rand_file(GLOBAL_OPTIONS *, const char *);
int cli_index, opt_index; /* to keep structure for callbacks */
int ssl_init(void) { /* init SSL before parsing configuration file */
SSL_load_error_strings();
SSL_library_init();
cli_index=SSL_get_ex_new_index(0, "cli index", NULL, NULL, NULL);
opt_index=SSL_CTX_get_ex_new_index(0, "opt index", NULL, NULL, NULL);
if(cli_index<0 || opt_index<0)
return 1;
#ifdef HAVE_OSSL_ENGINE_H
ENGINE_load_builtin_engines();
#endif
return 0;
}
int ssl_configure(GLOBAL_OPTIONS *global) { /* configure global SSL settings */
#ifdef USE_FIPS
if(FIPS_mode()!=global->option.fips) {
RAND_set_rand_method(NULL); /* reset RAND methods */
if(!FIPS_mode_set(global->option.fips)) {
ERR_load_crypto_strings();
sslerror("FIPS_mode_set");
return 1;
}
}
s_log(LOG_NOTICE, "FIPS mode is %s",
global->option.fips ? "enabled" : "disabled");
#endif /* USE_FIPS */
if(init_compression(global))
return 1;
if(init_prng(global))
return 1;
s_log(LOG_DEBUG, "PRNG seeded successfully");
return 0; /* SUCCESS */
}
static int init_compression(GLOBAL_OPTIONS *global) {
#ifndef OPENSSL_NO_COMP
SSL_COMP *comp;
STACK_OF(SSL_COMP) *ssl_comp_methods;
ssl_comp_methods=SSL_COMP_get_compression_methods();
if(!ssl_comp_methods) {
if(global->compression==COMP_NONE) {
s_log(LOG_NOTICE, "Failed to get compression methods");
return 0; /* ignore */
} else {
s_log(LOG_ERR, "Failed to get compression methods");
return 1;
}
}
/* delete OpenSSL defaults (empty the SSL_COMP stack) */
/* cannot use sk_SSL_COMP_pop_free, as it also destroys the stack itself */
while(sk_SSL_COMP_num(ssl_comp_methods))
OPENSSL_free(sk_SSL_COMP_pop(ssl_comp_methods));
if(global->compression==COMP_NONE) {
s_log(LOG_DEBUG, "Compression not enabled");
return 0; /* success */
}
/* insert RFC 1951 (DEFLATE) algoritm */
if(SSLeay()>=0x00908051L) { /* 0.9.8e-beta1 */
/* only allow DEFLATE with OpenSSL 0.9.8 or later
with openssl #1468 zlib memory leak fixed */
comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
if(!comp) {
s_log(LOG_ERR, "OPENSSL_malloc filed");
return 1;
}
comp->id=1; /* RFC 1951 */
comp->method=COMP_zlib();
if(!comp->method || comp->method->type==NID_undef) {
OPENSSL_free(comp);
s_log(LOG_ERR, "Failed to initialize compression method");
return 1;
}
comp->name=comp->method->name;
sk_SSL_COMP_push(ssl_comp_methods, comp);
}
/* also insert one of obsolete (ZLIB/RLE) algoritms */
comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
if(!comp) {
s_log(LOG_ERR, "OPENSSL_malloc filed");
return 1;
}
if(global->compression==COMP_ZLIB) {
comp->id=0xe0; /* 224 - within private range (193 to 255) */
comp->method=COMP_zlib();
} else if(global->compression==COMP_RLE) {
comp->id=0xe1; /* 225 - within private range (193 to 255) */
comp->method=COMP_rle();
} else {
s_log(LOG_INFO, "Compression enabled: %d algorithm(s)",
sk_SSL_COMP_num(ssl_comp_methods));
OPENSSL_free(comp);
return 0;
}
if(!comp->method || comp->method->type==NID_undef) {
OPENSSL_free(comp);
s_log(LOG_ERR, "Failed to initialize compression method");
return 1;
}
comp->name=comp->method->name;
sk_SSL_COMP_push(ssl_comp_methods, comp);
s_log(LOG_INFO, "Compression enabled: %d algorithm(s)",
sk_SSL_COMP_num(ssl_comp_methods));
#endif /* OPENSSL_NO_COMP */
return 0; /* success */
}
static int init_prng(GLOBAL_OPTIONS *global) {
int totbytes=0;
char filename[256];
int bytes;
bytes=0; /* avoid warning if #ifdef'd out for windows */
filename[0]='\0';
/* if they specify a rand file on the command line we
assume that they really do want it, so try it first */
if(global->rand_file) {
totbytes+=add_rand_file(global, global->rand_file);
if(RAND_status())
return 0; /* success */
}
/* try the $RANDFILE or $HOME/.rnd files */
RAND_file_name(filename, 256);
if(filename[0]) {
totbytes+=add_rand_file(global, filename);
if(RAND_status())
return 0; /* success */
}
#ifdef RANDOM_FILE
totbytes+=add_rand_file(global, RANDOM_FILE);
if(RAND_status())
return 0; /* success */
#endif
#ifdef USE_WIN32
RAND_screen();
if(RAND_status()) {
s_log(LOG_DEBUG, "Seeded PRNG with RAND_screen");
return 0; /* success */
}
s_log(LOG_DEBUG, "RAND_screen failed to sufficiently seed PRNG");
#else
if(global->egd_sock) {
if((bytes=RAND_egd(global->egd_sock))==-1) {
s_log(LOG_WARNING, "EGD Socket %s failed", global->egd_sock);
bytes=0;
} else {
totbytes+=bytes;
s_log(LOG_DEBUG, "Snagged %d random bytes from EGD Socket %s",
bytes, global->egd_sock);
return 0; /* OpenSSL always gets what it needs or fails,
so no need to check if seeded sufficiently */
}
}
/* try the good-old default /dev/urandom, if available */
totbytes+=add_rand_file(global, "/dev/urandom");
if(RAND_status())
return 0; /* success */
#endif /* USE_WIN32 */
/* random file specified during configure */
s_log(LOG_ERR, "PRNG seeded with %d bytes total", totbytes);
s_log(LOG_ERR, "PRNG was not seeded with enough random bytes");
return 1; /* FAILED */
}
static int add_rand_file(GLOBAL_OPTIONS *global, const char *filename) {
int readbytes;
int writebytes;
struct stat sb;
if(stat(filename, &sb))
return 0; /* could not stat() file -> return 0 bytes */
if((readbytes=RAND_load_file(filename, global->random_bytes)))
s_log(LOG_DEBUG, "Snagged %d random bytes from %s",
readbytes, filename);
else
s_log(LOG_INFO, "Unable to retrieve any random data from %s",
filename);
/* write new random data for future seeding if it's a regular file */
if(global->option.rand_write && (sb.st_mode & S_IFREG)){
writebytes=RAND_write_file(filename);
if(writebytes==-1)
s_log(LOG_WARNING, "Failed to write strong random data to %s - "
"may be a permissions or seeding problem", filename);
else
s_log(LOG_DEBUG, "Wrote %d new random bytes to %s",
writebytes, filename);
}
return readbytes;
}
/* end of ssl.c */

550
src/sthreads.c Normal file
View File

@ -0,0 +1,550 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#ifdef USE_OS2
#define INCL_DOSPROCESS
#include <os2.h>
#endif
#include "common.h"
#include "prototypes.h"
#if defined(USE_UCONTEXT) || defined(USE_FORK)
/* no need for critical sections */
void enter_critical_section(SECTION_CODE i) {
(void)i; /* skip warning about unused parameter */
/* empty */
}
void leave_critical_section(SECTION_CODE i) {
(void)i; /* skip warning about unused parameter */
/* empty */
}
#endif /* USE_UCONTEXT || USE_FORK */
#ifdef USE_UCONTEXT
#if defined(CPU_SPARC) && ( \
defined(OS_SOLARIS2_0) || \
defined(OS_SOLARIS2_1) || \
defined(OS_SOLARIS2_2) || \
defined(OS_SOLARIS2_3) || \
defined(OS_SOLARIS2_4) || \
defined(OS_SOLARIS2_5) || \
defined(OS_SOLARIS2_6) || \
defined(OS_SOLARIS2_7) || \
defined(OS_SOLARIS2_8))
#define ARGC 2
#else
#define ARGC 1
#endif
/* first context on the ready list is the active context */
CONTEXT *ready_head=NULL, *ready_tail=NULL; /* ready to execute */
CONTEXT *waiting_head=NULL, *waiting_tail=NULL; /* waiting on poll() */
unsigned long stunnel_process_id(void) {
return (unsigned long)getpid();
}
unsigned long stunnel_thread_id(void) {
return ready_head ? ready_head->id : 0;
}
static CONTEXT *new_context(void) {
static int next_id=1;
CONTEXT *context;
/* allocate and fill the CONTEXT structure */
context=str_alloc(sizeof(CONTEXT));
str_detach(context);
context->id=next_id++;
context->fds=NULL;
context->ready=0;
/* append to the tail of the ready queue */
context->next=NULL;
if(ready_tail)
ready_tail->next=context;
ready_tail=context;
if(!ready_head)
ready_head=context;
return context;
}
int sthreads_init(void) {
/* create the first (listening) context and put it in the running queue */
if(!new_context()) {
s_log(LOG_ERR, "Unable create the listening context");
return 1;
}
/* no need to initialize ucontext_t structure here
it will be initialied with swapcontext() call */
return 0;
}
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
CONTEXT *context;
(void)ls; /* this parameter is only used with USE_FORK */
s_log(LOG_DEBUG, "Creating a new context");
context=new_context();
if(!context) {
if(arg)
str_free(arg);
if(s>=0)
closesocket(s);
return -1;
}
/* initialize context_t structure */
if(getcontext(&context->context)<0) {
str_free(context);
if(arg)
str_free(arg);
if(s>=0)
closesocket(s);
ioerror("getcontext");
return -1;
}
context->context.uc_link=NULL; /* stunnel does not use uc_link */
/* create stack */
context->stack=str_alloc(arg->opt->stack_size);
str_detach(context->stack);
#if defined(__sgi) || ARGC==2 /* obsolete ss_sp semantics */
context->context.uc_stack.ss_sp=context->stack+arg->opt->stack_size-8;
#else
context->context.uc_stack.ss_sp=context->stack;
#endif
context->context.uc_stack.ss_size=arg->opt->stack_size;
context->context.uc_stack.ss_flags=0;
makecontext(&context->context, (void(*)(void))cli, ARGC, arg);
s_log(LOG_DEBUG, "New context created");
return 0;
}
#endif /* USE_UCONTEXT */
#ifdef USE_FORK
int sthreads_init(void) {
return 0;
}
unsigned long stunnel_process_id(void) {
return (unsigned long)getpid();
}
unsigned long stunnel_thread_id(void) {
return 0L;
}
static void null_handler(int sig) {
(void)sig; /* skip warning about unused parameter */
signal(SIGCHLD, null_handler);
}
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
switch(fork()) {
case -1: /* error */
if(arg)
str_free(arg);
if(s>=0)
closesocket(s);
return -1;
case 0: /* child */
if(ls>=0)
closesocket(ls);
signal(SIGCHLD, null_handler);
cli(arg);
_exit(0);
default: /* parent */
if(arg)
str_free(arg);
if(s>=0)
closesocket(s);
}
return 0;
}
#endif /* USE_FORK */
#ifdef USE_PTHREAD
static pthread_mutex_t stunnel_cs[CRIT_SECTIONS];
static pthread_mutex_t lock_cs[CRYPTO_NUM_LOCKS];
void enter_critical_section(SECTION_CODE i) {
pthread_mutex_lock(stunnel_cs+i);
}
void leave_critical_section(SECTION_CODE i) {
pthread_mutex_unlock(stunnel_cs+i);
}
static void locking_callback(int mode, int type, const char *file, int line) {
(void)file; /* skip warning about unused parameter */
(void)line; /* skip warning about unused parameter */
if(mode&CRYPTO_LOCK)
pthread_mutex_lock(lock_cs+type);
else
pthread_mutex_unlock(lock_cs+type);
}
struct CRYPTO_dynlock_value {
pthread_mutex_t mutex;
};
static struct CRYPTO_dynlock_value *dyn_create_function(const char *file,
int line) {
struct CRYPTO_dynlock_value *value;
(void)file; /* skip warning about unused parameter */
(void)line; /* skip warning about unused parameter */
value=str_alloc(sizeof(struct CRYPTO_dynlock_value));
str_detach(value);
pthread_mutex_init(&value->mutex, NULL);
return value;
}
static void dyn_lock_function(int mode, struct CRYPTO_dynlock_value *value,
const char *file, int line) {
(void)file; /* skip warning about unused parameter */
(void)line; /* skip warning about unused parameter */
if(mode&CRYPTO_LOCK)
pthread_mutex_lock(&value->mutex);
else
pthread_mutex_unlock(&value->mutex);
}
static void dyn_destroy_function(struct CRYPTO_dynlock_value *value,
const char *file, int line) {
(void)file; /* skip warning about unused parameter */
(void)line; /* skip warning about unused parameter */
pthread_mutex_destroy(&value->mutex);
str_free(value);
}
unsigned long stunnel_process_id(void) {
return (unsigned long)getpid();
}
unsigned long stunnel_thread_id(void) {
return (unsigned long)pthread_self();
}
int sthreads_init(void) {
int i;
/* initialize stunnel critical sections */
for(i=0; i<CRIT_SECTIONS; i++)
pthread_mutex_init(stunnel_cs+i, NULL);
/* initialize OpenSSL locking callback */
for(i=0; i<CRYPTO_NUM_LOCKS; i++)
pthread_mutex_init(lock_cs+i, NULL);
CRYPTO_set_id_callback(stunnel_thread_id);
CRYPTO_set_locking_callback(locking_callback);
/* initialize OpenSSL dynamic locks callbacks */
CRYPTO_set_dynlock_create_callback(dyn_create_function);
CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function);
return 0;
}
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
pthread_t thread;
pthread_attr_t pth_attr;
int error;
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
/* Disabled on OS X due to strange problems on Mac OS X 10.5
it seems to restore signal mask somewhere (I couldn't find where)
effectively blocking signals after first accepted connection */
sigset_t new_set, old_set;
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
(void)ls; /* this parameter is only used with USE_FORK */
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
/* the idea is that only the main thread handles all the signals with
* posix threads; signals are blocked for any other thread */
sigfillset(&new_set);
pthread_sigmask(SIG_SETMASK, &new_set, &old_set); /* block signals */
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
pthread_attr_init(&pth_attr);
pthread_attr_setdetachstate(&pth_attr, PTHREAD_CREATE_DETACHED);
pthread_attr_setstacksize(&pth_attr, arg->opt->stack_size);
error=pthread_create(&thread, &pth_attr, cli, arg);
pthread_attr_destroy(&pth_attr);
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
pthread_sigmask(SIG_SETMASK, &old_set, NULL); /* unblock signals */
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
if(error) {
errno=error;
ioerror("pthread_create");
if(arg)
str_free(arg);
if(s>=0)
closesocket(s);
return -1;
}
return 0;
}
#endif /* USE_PTHREAD */
#ifdef USE_WIN32
static CRITICAL_SECTION stunnel_cs[CRIT_SECTIONS];
static CRITICAL_SECTION lock_cs[CRYPTO_NUM_LOCKS];
void enter_critical_section(SECTION_CODE i) {
EnterCriticalSection(stunnel_cs+i);
}
void leave_critical_section(SECTION_CODE i) {
LeaveCriticalSection(stunnel_cs+i);
}
static void locking_callback(int mode, int type, const char *file, int line) {
(void)file; /* skip warning about unused parameter */
(void)line; /* skip warning about unused parameter */
if(mode&CRYPTO_LOCK)
EnterCriticalSection(lock_cs+type);
else
LeaveCriticalSection(lock_cs+type);
}
struct CRYPTO_dynlock_value {
CRITICAL_SECTION mutex;
};
static struct CRYPTO_dynlock_value *dyn_create_function(const char *file,
int line) {
struct CRYPTO_dynlock_value *value;
(void)file; /* skip warning about unused parameter */
(void)line; /* skip warning about unused parameter */
value=str_alloc(sizeof(struct CRYPTO_dynlock_value));
str_detach(value);
InitializeCriticalSection(&value->mutex);
return value;
}
static void dyn_lock_function(int mode, struct CRYPTO_dynlock_value *value,
const char *file, int line) {
(void)file; /* skip warning about unused parameter */
(void)line; /* skip warning about unused parameter */
if(mode&CRYPTO_LOCK)
EnterCriticalSection(&value->mutex);
else
LeaveCriticalSection(&value->mutex);
}
static void dyn_destroy_function(struct CRYPTO_dynlock_value *value,
const char *file, int line) {
(void)file; /* skip warning about unused parameter */
(void)line; /* skip warning about unused parameter */
DeleteCriticalSection(&value->mutex);
str_free(value);
}
unsigned long stunnel_process_id(void) {
return GetCurrentProcessId() & 0x00ffffff;
}
unsigned long stunnel_thread_id(void) {
return GetCurrentThreadId() & 0x00ffffff;
}
int sthreads_init(void) {
int i;
/* initialize stunnel critical sections */
for(i=0; i<CRIT_SECTIONS; i++)
InitializeCriticalSection(stunnel_cs+i);
/* initialize OpenSSL locking callback */
for(i=0; i<CRYPTO_NUM_LOCKS; i++)
InitializeCriticalSection(lock_cs+i);
CRYPTO_set_locking_callback(locking_callback);
/* initialize OpenSSL dynamic locks callbacks */
CRYPTO_set_dynlock_create_callback(dyn_create_function);
CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function);
return 0;
}
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
(void)ls; /* this parameter is only used with USE_FORK */
s_log(LOG_DEBUG, "Creating a new thread");
if((long)_beginthread((void(*)(void *))cli, arg->opt->stack_size, arg)==-1) {
ioerror("_beginthread");
if(arg)
str_free(arg);
if(s>=0)
closesocket(s);
return -1;
}
s_log(LOG_DEBUG, "New thread created");
return 0;
}
#endif /* USE_WIN32 */
#ifdef USE_OS2
void enter_critical_section(SECTION_CODE i) {
DosEnterCritSec();
}
void leave_critical_section(SECTION_CODE i) {
DosExitCritSec();
}
int sthreads_init(void) {
return 0;
}
unsigned long stunnel_process_id(void) {
PTIB ptib=NULL;
DosGetInfoBlocks(&ptib, NULL);
return (unsigned long)ptib->tib_ordinal;
}
unsigned long stunnel_thread_id(void) {
PPIB ppib=NULL;
DosGetInfoBlocks(NULL, &ppib);
return (unsigned long)ppib->pib_ulpid;
}
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
(void)ls; /* this parameter is only used with USE_FORK */
s_log(LOG_DEBUG, "Creating a new thread");
if((long)_beginthread((void(*)(void *))cli, NULL, arg->opt->stack_size, arg)==-1L) {
ioerror("_beginthread");
if(arg)
str_free(arg);
if(s>=0)
closesocket(s);
return -1;
}
s_log(LOG_DEBUG, "New thread created");
return 0;
}
#endif /* USE_OS2 */
#ifdef _WIN32_WCE
long _beginthread(void (*start_address)(void *),
int stack_size, void *arglist) {
DWORD thread_id;
HANDLE handle;
handle=CreateThread(NULL, stack_size,
(LPTHREAD_START_ROUTINE)start_address, arglist,
STACK_SIZE_PARAM_IS_A_RESERVATION, &thread_id);
if(!handle)
return -1L;
CloseHandle(handle);
return 0;
}
void _endthread(void) {
ExitThread(0);
}
#endif /* _WIN32_WCE */
#ifdef DEBUG_STACK_SIZE
#define STACK_RESERVE (STACK_SIZE/8)
#define VERIFY_AREA ((STACK_SIZE-STACK_RESERVE)/sizeof(u32))
#define TEST_VALUE 0xdeadbeef
/* some heuristic to determine the usage of client stack size */
void stack_info(int init) { /* 1-initialize, 0-display */
u32 table[VERIFY_AREA];
int i, num;
static int min_num=VERIFY_AREA;
if(init) {
for(i=0; i<VERIFY_AREA; i++)
table[i]=TEST_VALUE;
} else {
/* the stack is growing down */
for(i=0; i<VERIFY_AREA; i++)
if(table[i]!=TEST_VALUE)
break;
num=i;
/* the stack is growing up */
for(i=0; i<VERIFY_AREA; i++)
if(table[VERIFY_AREA-i-1]!=TEST_VALUE)
break;
if(i>num) /* use the higher value */
num=i;
if(num<64) {
s_log(LOG_NOTICE, "STACK_RESERVE is too high");
return;
}
if(num<min_num)
min_num=num;
s_log(LOG_NOTICE,
"stack_info: size=%d, current=%d (%d%%), maximum=%d (%d%%)",
STACK_SIZE,
(int)((VERIFY_AREA-num)*sizeof(u32)),
(int)((VERIFY_AREA-num)*sizeof(u32)*100/STACK_SIZE),
(int)((VERIFY_AREA-min_num)*sizeof(u32)),
(int)((VERIFY_AREA-min_num)*sizeof(u32)*100/STACK_SIZE));
}
}
#endif /* DEBUG_STACK_SIZE */
/* end of sthreads.c */

344
src/str.c Normal file
View File

@ -0,0 +1,344 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
#ifndef va_copy
#ifdef __va_copy
#define va_copy(dst, src) __va_copy((dst), (src))
#else /* __va_copy */
#define va_copy(dst, src) memcpy(&(dst), &(src), sizeof(va_list))
#endif /* __va_copy */
#endif /* va_copy */
static u8 canary[10]; /* 80-bit canary value */
static volatile int canary_initialized=0;
typedef struct alloc_list_struct ALLOC_LIST;
typedef struct {
ALLOC_LIST *head;
size_t bytes, blocks;
} ALLOC_TLS;
struct alloc_list_struct {
ALLOC_LIST *prev, *next;
ALLOC_TLS *tls;
size_t size;
int valid_canary;
unsigned int magic;
/* at least on IA64 allocations need to be aligned */
#ifdef __GNUC__
} __attribute__((aligned(16)));
#else
int padding[2]; /* the number of integers is architecture-specific */
};
#endif
static void set_alloc_tls(ALLOC_TLS *);
static ALLOC_TLS *get_alloc_tls();
static ALLOC_LIST *get_alloc_list_ptr(void *, char *, int);
char *str_dup(const char *str) {
char *retval;
retval=str_alloc(strlen(str)+1);
strcpy(retval, str);
return retval;
}
char *str_printf(const char *format, ...) {
char *txt;
va_list arglist;
va_start(arglist, format);
txt=str_vprintf(format, arglist);
va_end(arglist);
return txt;
}
char *str_vprintf(const char *format, va_list start_ap) {
int n, size=32;
char *p, *np;
va_list ap;
p=str_alloc(size);
for(;;) {
va_copy(ap, start_ap);
n=vsnprintf(p, size, format, ap);
if(n>-1 && n<size)
return p;
if(n>-1) /* glibc 2.1 */
size=n+1; /* precisely what is needed */
else /* glibc 2.0, WIN32, etc. */
size*=2; /* twice the old size */
np=str_realloc(p, size);
p=np; /* LOL */
}
}
#ifdef USE_UCONTEXT
static ALLOC_TLS *global_tls=NULL;
void str_init() {
}
static void set_alloc_tls(ALLOC_TLS *tls) {
if(ready_head)
ready_head->tls=tls;
else /* ucontext threads not initialized */
global_tls=tls;
}
static ALLOC_TLS *get_alloc_tls() {
if(ready_head)
return ready_head->tls;
else /* ucontext threads not initialized */
return global_tls;
}
#endif /* USE_UCONTEXT */
#ifdef USE_FORK
static ALLOC_TLS *global_tls=NULL;
void str_init() {
}
static void set_alloc_tls(ALLOC_TLS *tls) {
global_tls=tls;
}
static ALLOC_TLS *get_alloc_tls() {
return global_tls;
}
#endif /* USE_FORK */
#ifdef USE_PTHREAD
static pthread_key_t pthread_key;
void str_init() {
pthread_key_create(&pthread_key, NULL);
}
static void set_alloc_tls(ALLOC_TLS *tls) {
pthread_setspecific(pthread_key, tls);
}
static ALLOC_TLS *get_alloc_tls() {
return pthread_getspecific(pthread_key);
}
#endif /* USE_PTHREAD */
#ifdef USE_WIN32
static DWORD tls_index;
void str_init() {
tls_index=TlsAlloc();
}
static void set_alloc_tls(ALLOC_TLS *alloc_tls) {
TlsSetValue(tls_index, alloc_tls);
}
static ALLOC_TLS *get_alloc_tls() {
return TlsGetValue(tls_index);
}
#endif /* USE_WIN32 */
void str_canary_init() {
if(canary_initialized) /* prevent double initialization on config reload */
return;
RAND_bytes(canary, sizeof canary);
canary_initialized=1; /* after RAND_bytes */
}
void str_cleanup() {
ALLOC_TLS *alloc_tls;
alloc_tls=get_alloc_tls();
if(alloc_tls) {
while(alloc_tls->head) /* str_free macro requires lvalue parameter */
str_free_debug(alloc_tls->head+1, __FILE__, __LINE__);
set_alloc_tls(NULL);
free(alloc_tls);
}
}
void str_stats() {
ALLOC_TLS *alloc_tls;
alloc_tls=get_alloc_tls();
if(!alloc_tls) {
s_log(LOG_DEBUG, "str_stats: alloc_tls not initialized");
return;
}
if(!alloc_tls->blocks && !alloc_tls->bytes)
return; /* skip if no data is allocated */
s_log(LOG_DEBUG, "str_stats: %lu block(s), "
"%lu data byte(s), %lu control byte(s)",
(unsigned long int)alloc_tls->blocks,
(unsigned long int)alloc_tls->bytes,
(unsigned long int)(alloc_tls->blocks*
(sizeof(ALLOC_LIST)+sizeof canary)));
}
void *str_alloc_debug(size_t size, char *file, int line) {
ALLOC_TLS *alloc_tls;
ALLOC_LIST *alloc_list;
alloc_tls=get_alloc_tls();
if(!alloc_tls) { /* first allocation in this thread */
alloc_tls=calloc(1, sizeof(ALLOC_TLS));
if(!alloc_tls)
fatal_debug("Out of memory", file, line);
alloc_tls->head=NULL;
alloc_tls->bytes=alloc_tls->blocks=0;
set_alloc_tls(alloc_tls);
}
alloc_list=calloc(1, sizeof(ALLOC_LIST)+size+sizeof canary);
if(!alloc_list)
fatal_debug("Out of memory", file, line);
alloc_list->prev=NULL;
alloc_list->next=alloc_tls->head;
alloc_list->tls=alloc_tls;
alloc_list->size=size;
alloc_list->valid_canary=canary_initialized; /* before memcpy */
memcpy((u8 *)(alloc_list+1)+size, canary, sizeof canary);
alloc_list->magic=0xdeadbeef;
if(alloc_tls->head)
alloc_tls->head->prev=alloc_list;
alloc_tls->head=alloc_list;
alloc_tls->bytes+=size;
alloc_tls->blocks++;
return alloc_list+1;
}
void *str_realloc_debug(void *ptr, size_t size, char *file, int line) {
ALLOC_LIST *previous_alloc_list, *alloc_list;
if(!ptr)
return str_alloc(size);
previous_alloc_list=get_alloc_list_ptr(ptr, file, line);
alloc_list=realloc(previous_alloc_list,
sizeof(ALLOC_LIST)+size+sizeof canary);
if(!alloc_list)
fatal_debug("Out of memory", file, line);
if(alloc_list->tls) { /* not detached */
/* refresh possibly invalidated linked list pointers */
if(alloc_list->tls->head==previous_alloc_list)
alloc_list->tls->head=alloc_list;
if(alloc_list->next)
alloc_list->next->prev=alloc_list;
if(alloc_list->prev)
alloc_list->prev->next=alloc_list;
/* update statistics */
alloc_list->tls->bytes+=size-alloc_list->size;
}
alloc_list->size=size;
alloc_list->valid_canary=canary_initialized; /* before memcpy */
memcpy((u8 *)(alloc_list+1)+size, canary, sizeof canary);
return alloc_list+1;
}
/* detach from thread automatic deallocation list */
/* it has no effect if the allocation is already detached */
void str_detach_debug(void *ptr, char *file, int line) {
ALLOC_LIST *alloc_list;
if(!ptr) /* do not attempt to free null pointers */
return;
alloc_list=get_alloc_list_ptr(ptr, file, line);
if(alloc_list->tls) { /* not detached */
/* remove from linked list */
if(alloc_list->tls->head==alloc_list)
alloc_list->tls->head=alloc_list->next;
if(alloc_list->next)
alloc_list->next->prev=alloc_list->prev;
if(alloc_list->prev)
alloc_list->prev->next=alloc_list->next;
/* update statistics */
alloc_list->tls->bytes-=alloc_list->size;
alloc_list->tls->blocks--;
/* clear pointers */
alloc_list->next=NULL;
alloc_list->prev=NULL;
alloc_list->tls=NULL;
}
}
void str_free_debug(void *ptr, char *file, int line) {
ALLOC_LIST *alloc_list;
if(!ptr) /* do not attempt to free null pointers */
return;
str_detach_debug(ptr, file, line);
alloc_list=(ALLOC_LIST *)ptr-1;
alloc_list->magic=0xdefec8ed; /* to detect double free attempts */
free(alloc_list);
}
static ALLOC_LIST *get_alloc_list_ptr(void *ptr, char *file, int line) {
ALLOC_LIST *alloc_list;
alloc_list=(ALLOC_LIST *)ptr-1;
if(alloc_list->magic!=0xdeadbeef) { /* not allocated by str_alloc() */
if(alloc_list->magic==0xdefec8ed)
fatal_debug("Double free attempt", file, line);
else
fatal_debug("Bad magic", file, line); /* LOL */
}
if(alloc_list->tls /* not detached */ && alloc_list->tls!=get_alloc_tls())
fatal_debug("Memory allocated in a different thread", file, line);
if(alloc_list->valid_canary &&
memcmp((u8 *)ptr+alloc_list->size, canary, sizeof canary))
fatal_debug("Dead canary", file, line); /* LOL */
return alloc_list;
}
/* end of str.c */

729
src/stunnel.c Normal file
View File

@ -0,0 +1,729 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
/* http://www.openssl.org/support/faq.html#PROG2 */
#ifdef USE_WIN32
#ifdef __GNUC__
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-pedantic"
#endif /* __GNUC__ */
#include <openssl/applink.c>
#ifdef __GNUC__
#pragma GCC diagnostic pop
#endif /* __GNUC__ */
#endif /* USE_WIN32 */
/**************************************** prototypes */
#ifdef __INNOTEK_LIBC__
struct sockaddr_un {
u_char sun_len; /* sockaddr len including null */
u_char sun_family; /* AF_OS2 or AF_UNIX */
char sun_path[108]; /* path name */
};
#endif
#ifndef USE_WIN32
static int main_unix(int, char*[]);
#endif
static int accept_connection(SERVICE_OPTIONS *);
#ifdef HAVE_CHROOT
static int change_root(void);
#endif
#if !defined(USE_WIN32) && !defined(__vms)
static int daemonize(int);
static int create_pid(void);
static void delete_pid(void);
#endif
#if !defined(USE_WIN32) && !defined(USE_OS2)
static void signal_handler(int);
#endif
static int signal_pipe_init(void);
static int signal_pipe_dispatch(void);
#ifdef USE_FORK
static void client_status(void); /* dead children detected */
#endif
/**************************************** global variables */
static int signal_pipe[2]={-1, -1};
#ifndef USE_FORK
int max_clients=0;
volatile int num_clients=0; /* current number of clients */
#endif
s_poll_set *fds; /* file descriptors of listening sockets */
/**************************************** startup */
#ifndef USE_WIN32
int main(int argc, char* argv[]) { /* execution begins here 8-) */
int retval;
#ifdef M_MMAP_THRESHOLD
mallopt(M_MMAP_THRESHOLD, 4096);
#endif
str_init(); /* initialize per-thread string management */
retval=main_unix(argc, argv);
unbind_ports();
s_poll_free(fds);
fds=NULL;
str_stats();
log_flush(LOG_MODE_ERROR);
return retval;
}
static int main_unix(int argc, char* argv[]) {
#if !defined(__vms) && !defined(USE_OS2)
int fd;
fd=open("/dev/null", O_RDWR); /* open /dev/null before chroot */
if(fd<0)
fatal("Could not open /dev/null");
#endif /* standard Unix */
main_initialize();
if(main_configure(argc>1 ? argv[1] : NULL, argc>2 ? argv[2] : NULL))
return 1;
if(service_options.next) { /* there are service sections -> daemon mode */
#if !defined(__vms) && !defined(USE_OS2)
if(daemonize(fd))
return 1;
close(fd);
/* create_pid() must be called after drop_privileges()
* or it won't be possible to remove the file on exit */
/* create_pid() must be called after daemonize()
* since the final pid is not known beforehand */
if(create_pid())
return 1;
#endif /* standard Unix */
signal(SIGCHLD, signal_handler); /* handle dead children */
signal(SIGHUP, signal_handler); /* configuration reload */
signal(SIGUSR1, signal_handler); /* log reopen */
signal(SIGPIPE, SIG_IGN); /* ignore broken pipe */
if(signal(SIGTERM, SIG_IGN)!=SIG_IGN)
signal(SIGTERM, signal_handler); /* fatal */
if(signal(SIGQUIT, SIG_IGN)!=SIG_IGN)
signal(SIGQUIT, signal_handler); /* fatal */
if(signal(SIGINT, SIG_IGN)!=SIG_IGN)
signal(SIGINT, signal_handler); /* fatal */
daemon_loop();
} else { /* inetd mode */
#if !defined(__vms) && !defined(USE_OS2)
close(fd);
#endif /* standard Unix */
signal(SIGCHLD, SIG_IGN); /* ignore dead children */
signal(SIGPIPE, SIG_IGN); /* ignore broken pipe */
client_main(alloc_client_session(&service_options, 0, 1));
}
return 0;
}
#endif
void main_initialize() { /* one-time initialization */
/* basic initialization contains essential functions required for logging
* subsystem to function properly, thus all errors here are fatal */
if(ssl_init()) /* initialize SSL library */
fatal("SSL initialization failed");
if(sthreads_init()) /* initialize critical sections & SSL callbacks */
fatal("Threads initialization failed");
#ifndef USE_FORK
get_limits(); /* required by setup_fd() */
#endif
fds=s_poll_alloc();
if(signal_pipe_init())
fatal("Signal pipe initialization failed: "
"check your personal firewall");
stunnel_info(LOG_NOTICE);
}
/* configuration-dependent initialization */
int main_configure(char *arg1, char *arg2) {
if(parse_commandline(arg1, arg2))
return 1;
str_canary_init(); /* needs prng initialization from parse_commandline */
#if !defined(USE_WIN32) && !defined(__vms)
/* syslog_open() must be called before change_root()
* to be able to access /dev/log socket */
syslog_open();
#endif /* !defined(USE_WIN32) && !defined(__vms) */
if(bind_ports())
return 1;
#ifdef HAVE_CHROOT
/* change_root() must be called before drop_privileges()
* since chroot() needs root privileges */
if(change_root())
return 1;
#endif /* HAVE_CHROOT */
#if !defined(USE_WIN32) && !defined(__vms) && !defined(USE_OS2)
if(drop_privileges(1))
return 1;
#endif /* standard Unix */
/* log_open() must be be called after drop_privileges()
* or logfile rotation won't be possible */
/* log_open() must be be called before daemonize()
* since daemonize() invalidates stderr */
log_open();
return 0;
}
/**************************************** main loop accepting connections */
void daemon_loop(void) {
SERVICE_OPTIONS *opt;
int temporary_lack_of_resources;
while(1) {
temporary_lack_of_resources=0;
if(s_poll_wait(fds, -1, -1)>=0) {
if(s_poll_canread(fds, signal_pipe[0]))
if(signal_pipe_dispatch()) /* received SIGNAL_TERMINATE */
break; /* terminate daemon_loop */
for(opt=service_options.next; opt; opt=opt->next)
if(opt->option.accept && s_poll_canread(fds, opt->fd))
if(accept_connection(opt))
temporary_lack_of_resources=1;
} else {
log_error(LOG_NOTICE, get_last_socket_error(),
"daemon_loop: s_poll_wait");
temporary_lack_of_resources=1;
}
if(temporary_lack_of_resources) {
s_log(LOG_NOTICE,
"Accepting new connections suspended for 1 second");
sleep(1); /* to avoid log trashing */
}
}
}
/* return 1 when a short delay is needed before another try */
static int accept_connection(SERVICE_OPTIONS *opt) {
SOCKADDR_UNION addr;
char *from_address;
int s;
socklen_t addrlen;
addrlen=sizeof addr;
for(;;) {
s=s_accept(opt->fd, &addr.sa, &addrlen, 1, "local socket");
if(s>=0) /* success! */
break;
switch(get_last_socket_error()) {
case S_EINTR: /* interrupted by a signal */
break; /* retry now */
case S_EMFILE:
#ifdef S_ENFILE
case S_ENFILE:
#endif
#ifdef S_ENOBUFS
case S_ENOBUFS:
#endif
#ifdef S_ENOMEM
case S_ENOMEM:
#endif
return 1; /* temporary lack of resources */
default:
return 0; /* any other error */
}
}
from_address=s_ntop(&addr, addrlen);
s_log(LOG_DEBUG, "Service [%s] accepted (FD=%d) from %s",
opt->servname, s, from_address);
str_free(from_address);
#ifndef USE_FORK
if(max_clients && num_clients>=max_clients) {
s_log(LOG_WARNING, "Connection rejected: too many clients (>=%d)",
max_clients);
closesocket(s);
return 0;
}
#endif
if(create_client(opt->fd, s,
alloc_client_session(opt, s, s), client_thread)) {
s_log(LOG_ERR, "Connection rejected: create_client failed");
closesocket(s);
return 0;
}
return 0;
}
/**************************************** initialization helpers */
/* clear fds, close old ports */
void unbind_ports(void) {
SERVICE_OPTIONS *opt;
#ifdef HAVE_STRUCT_SOCKADDR_UN
struct stat st; /* buffer for stat */
#endif
s_poll_init(fds);
s_poll_add(fds, signal_pipe[0], 1, 0);
for(opt=service_options.next; opt; opt=opt->next)
if(opt->option.accept && opt->fd>=0) {
closesocket(opt->fd);
s_log(LOG_DEBUG, "Service [%s] closed (FD=%d)",
opt->servname, opt->fd);
opt->fd=-1;
#ifdef HAVE_STRUCT_SOCKADDR_UN
if(opt->local_addr.sa.sa_family==AF_UNIX) {
if(lstat(opt->local_addr.un.sun_path, &st))
sockerror(opt->local_addr.un.sun_path);
else if(!S_ISSOCK(st.st_mode))
s_log(LOG_ERR, "Not a socket: %s",
opt->local_addr.un.sun_path);
else if(unlink(opt->local_addr.un.sun_path))
sockerror(opt->local_addr.un.sun_path);
else
s_log(LOG_DEBUG, "Socket removed: %s",
opt->local_addr.un.sun_path);
}
#endif
}
}
/* open new ports, update fds */
int bind_ports(void) {
SERVICE_OPTIONS *opt;
char *local_address;
#ifdef USE_LIBWRAP
/* execute after parse_commandline() to know service_options.next,
* but as early as possible to avoid leaking file descriptors */
/* retry on each bind_ports() in case stunnel.conf was reloaded
without "libwrap = no" */
libwrap_init();
#endif /* USE_LIBWRAP */
s_poll_init(fds);
s_poll_add(fds, signal_pipe[0], 1, 0);
/* allow clean unbind_ports() even though
bind_ports() was not fully performed */
for(opt=service_options.next; opt; opt=opt->next)
if(opt->option.accept)
opt->fd=-1;
for(opt=service_options.next; opt; opt=opt->next) {
if(opt->option.accept) {
opt->fd=s_socket(opt->local_addr.sa.sa_family,
SOCK_STREAM, 0, 1, "accept socket");
if(opt->fd<0)
return 1;
if(set_socket_options(opt->fd, 0)<0) {
closesocket(opt->fd);
return 1;
}
/* local socket can't be unnamed */
local_address=s_ntop(&opt->local_addr, addr_len(&opt->local_addr));
if(bind(opt->fd, &opt->local_addr.sa, addr_len(&opt->local_addr))) {
s_log(LOG_ERR, "Error binding service [%s] to %s",
opt->servname, local_address);
sockerror("bind");
closesocket(opt->fd);
str_free(local_address);
return 1;
}
if(listen(opt->fd, SOMAXCONN)) {
sockerror("listen");
closesocket(opt->fd);
str_free(local_address);
return 1;
}
s_poll_add(fds, opt->fd, 1, 0);
s_log(LOG_DEBUG, "Service [%s] (FD=%d) bound to %s",
opt->servname, opt->fd, local_address);
str_free(local_address);
} else if(opt->option.program && opt->option.remote) {
/* create exec+connect services */
create_client(-1, -1,
alloc_client_session(opt, -1, -1), client_thread);
}
}
return 0; /* OK */
}
#ifdef HAVE_CHROOT
static int change_root(void) {
if(!global_options.chroot_dir)
return 0;
if(chroot(global_options.chroot_dir)) {
sockerror("chroot");
return 1;
}
if(chdir("/")) {
sockerror("chdir");
return 1;
}
return 0;
}
#endif /* HAVE_CHROOT */
#if !defined(USE_WIN32) && !defined(__vms) && !defined(USE_OS2)
int drop_privileges(int critical) {
#ifdef HAVE_SETGROUPS
gid_t gr_list[1];
#endif
/* set uid and gid */
if(global_options.gid) {
if(setgid(global_options.gid) && critical) {
sockerror("setgid");
return 1;
}
#ifdef HAVE_SETGROUPS
gr_list[0]=global_options.gid;
if(setgroups(1, gr_list) && critical) {
sockerror("setgroups");
return 1;
}
#endif
}
if(global_options.uid) {
if(setuid(global_options.uid) && critical) {
sockerror("setuid");
return 1;
}
}
return 0;
}
static int daemonize(int fd) { /* go to background */
if(global_options.option.foreground)
return 0;
dup2(fd, 0);
dup2(fd, 1);
dup2(fd, 2);
#if defined(HAVE_DAEMON) && !defined(__BEOS__)
/* set noclose option when calling daemon() function,
* so it does not require /dev/null device in the chrooted directory */
if(daemon(0, 1)==-1) {
ioerror("daemon");
return 1;
}
#else
chdir("/");
switch(fork()) {
case -1: /* fork failed */
ioerror("fork");
return 1;
case 0: /* child */
break;
default: /* parent */
exit(0);
}
#endif
#ifdef HAVE_SETSID
setsid(); /* ignore the error */
#endif
return 0;
}
static int create_pid(void) {
int pf;
char *pid;
if(!global_options.pidfile) {
s_log(LOG_DEBUG, "No pid file being created");
return 0;
}
if(global_options.pidfile[0]!='/') {
/* to prevent creating pid file relative to '/' after daemonize() */
s_log(LOG_ERR, "Pid file (%s) must be full path name", global_options.pidfile);
return 1;
}
global_options.dpid=(unsigned long)getpid();
/* silently remove old pid file */
unlink(global_options.pidfile);
pf=open(global_options.pidfile, O_WRONLY|O_CREAT|O_TRUNC|O_EXCL, 0644);
if(pf==-1) {
s_log(LOG_ERR, "Cannot create pid file %s", global_options.pidfile);
ioerror("create");
return 1;
}
pid=str_printf("%lu\n", global_options.dpid);
write(pf, pid, strlen(pid));
str_free(pid);
close(pf);
s_log(LOG_DEBUG, "Created pid file %s", global_options.pidfile);
atexit(delete_pid);
return 0;
}
static void delete_pid(void) {
if((unsigned long)getpid()!=global_options.dpid)
return; /* current process is not main daemon process */
s_log(LOG_DEBUG, "removing pid file %s", global_options.pidfile);
if(unlink(global_options.pidfile)<0)
ioerror(global_options.pidfile); /* not critical */
}
#endif /* standard Unix */
/**************************************** signal pipe handling */
static int signal_pipe_init(void) {
#ifdef USE_WIN32
if(make_sockets(signal_pipe))
return 1;
#elif defined(__INNOTEK_LIBC__)
/* Innotek port of GCC can not use select on a pipe:
* use local socket instead */
struct sockaddr_un un;
fd_set set_pipe;
int pipe_in;
FD_ZERO(&set_pipe);
signal_pipe[0]=s_socket(PF_OS2, SOCK_STREAM, 0, 0, "socket#1");
signal_pipe[1]=s_socket(PF_OS2, SOCK_STREAM, 0, 0, "socket#2");
/* connect the two endpoints */
memset(&un, 0, sizeof un);
un.sun_len=sizeof un;
un.sun_family=AF_OS2;
sprintf(un.sun_path, "\\socket\\stunnel-%u", getpid());
/* make the first endpoint listen */
bind(signal_pipe[0], (struct sockaddr *)&un, sizeof un);
listen(signal_pipe[0], 1);
connect(signal_pipe[1], (struct sockaddr *)&un, sizeof un);
FD_SET(signal_pipe[0], &set_pipe);
if(select(signal_pipe[0]+1, &set_pipe, NULL, NULL, NULL)>0) {
pipe_in=signal_pipe[0];
signal_pipe[0]=s_accept(signal_pipe[0], NULL, 0, 0, "accept");
closesocket(pipe_in);
} else {
sockerror("select");
return 1;
}
#else /* Unix */
if(s_pipe(signal_pipe, 1, "signal_pipe"))
return 1;
#endif /* USE_WIN32 */
return 0;
}
void signal_post(int sig) {
writesocket(signal_pipe[1], (char *)&sig, sizeof sig);
}
static int signal_pipe_dispatch(void) {
int sig, err;
s_log(LOG_DEBUG, "Dispatching signals from the signal pipe");
while(readsocket(signal_pipe[0], (char *)&sig, sizeof sig)==sizeof sig) {
switch(sig) {
#ifndef USE_WIN32
case SIGCHLD:
s_log(LOG_DEBUG, "Processing SIGCHLD");
#ifdef USE_FORK
client_status(); /* report status of client process */
#else /* USE_UCONTEXT || USE_PTHREAD */
child_status(); /* report status of libwrap or 'exec' process */
#endif /* defined USE_FORK */
break;
#endif /* !defind USE_WIN32 */
case SIGNAL_RELOAD_CONFIG:
s_log(LOG_DEBUG, "Processing SIGNAL_RELOAD_CONFIG");
err=parse_conf(NULL, CONF_RELOAD);
if(err) {
s_log(LOG_ERR, "Failed to reload the configuration file");
} else {
unbind_ports();
log_close();
apply_conf();
log_open();
if(bind_ports()) {
/* FIXME: handle the error */
}
}
break;
case SIGNAL_REOPEN_LOG:
s_log(LOG_DEBUG, "Processing SIGNAL_REOPEN_LOG");
log_close();
log_open();
s_log(LOG_NOTICE, "Log file reopened");
break;
case SIGNAL_TERMINATE:
s_log(LOG_DEBUG, "Processing SIGNAL_TERMINATE");
s_log(LOG_NOTICE, "Terminated");
return 2;
default:
s_log(LOG_ERR, "Received signal %d; terminating", sig);
return 1;
}
}
s_log(LOG_DEBUG, "Signal pipe is empty");
return 0;
}
#ifdef USE_FORK
static void client_status(void) { /* dead children detected */
int pid, status;
#ifdef HAVE_WAIT_FOR_PID
while((pid=wait_for_pid(-1, &status, WNOHANG))>0) {
#else
if((pid=wait(&status))>0) {
#endif
#ifdef WIFSIGNALED
if(WIFSIGNALED(status)) {
s_log(LOG_DEBUG, "Process %d terminated on signal %d",
pid, WTERMSIG(status));
} else {
s_log(LOG_DEBUG, "Process %d finished with code %d",
pid, WEXITSTATUS(status));
}
}
#else
s_log(LOG_DEBUG, "Process %d finished with code %d",
pid, status);
}
#endif
}
#endif /* defined USE_FORK */
#if !defined(USE_WIN32) && !defined(USE_OS2)
void child_status(void) { /* dead libwrap or 'exec' process detected */
int pid, status;
#ifdef HAVE_WAIT_FOR_PID
while((pid=wait_for_pid(-1, &status, WNOHANG))>0) {
#else
if((pid=wait(&status))>0) {
#endif
#ifdef WIFSIGNALED
if(WIFSIGNALED(status)) {
s_log(LOG_INFO, "Child process %d terminated on signal %d",
pid, WTERMSIG(status));
} else {
s_log(LOG_INFO, "Child process %d finished with code %d",
pid, WEXITSTATUS(status));
}
#else
s_log(LOG_INFO, "Child process %d finished with status %d",
pid, status);
#endif
}
}
static void signal_handler(int sig) {
int saved_errno;
saved_errno=errno;
signal_post(sig);
signal(sig, signal_handler);
errno=saved_errno;
}
#endif /* !defined(USE_WIN32) && !defined(USE_OS2) */
/**************************************** log messages to identify build */
void stunnel_info(int level) {
s_log(level, "stunnel " STUNNEL_VERSION " on " HOST " platform");
if(SSLeay()==SSLEAY_VERSION_NUMBER) {
s_log(level, "Compiled/running with " OPENSSL_VERSION_TEXT);
} else {
s_log(level, "Compiled with " OPENSSL_VERSION_TEXT);
s_log(level, "Running with %s", SSLeay_version(SSLEAY_VERSION));
s_log(level, "Update OpenSSL shared libraries or rebuild stunnel");
}
s_log(level,
"Threading:"
#ifdef USE_UCONTEXT
"UCONTEXT"
#endif
#ifdef USE_PTHREAD
"PTHREAD"
#endif
#ifdef USE_WIN32
"WIN32"
#endif
#ifdef USE_FORK
"FORK"
#endif
" SSL:"
#if defined HAVE_OSSL_ENGINE_H || defined HAVE_OSSL_OCSP_H || defined USE_FIPS
#ifdef HAVE_OSSL_ENGINE_H
"+ENGINE"
#endif
#ifdef HAVE_OSSL_OCSP_H
"+OCSP"
#endif
#ifdef USE_FIPS
"+FIPS"
#endif
#else
"none"
#endif
" Auth:"
#ifdef USE_LIBWRAP
"LIBWRAP"
#else
"none"
#endif
" Sockets:"
#ifdef USE_POLL
"POLL"
#else /* defined(USE_POLL) */
"SELECT"
#endif /* defined(USE_POLL) */
"+IPv%c",
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
s_getaddrinfo ? '6' : '4'
#else /* defined(USE_WIN32) */
#if defined(USE_IPv6)
'6'
#else /* defined(USE_IPv6) */
'4'
#endif /* defined(USE_IPv6) */
#endif /* defined(USE_WIN32) */
);
}
/* end of stunnel.c */

BIN
src/stunnel.ico Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.6 KiB

75
src/stunnel3.in Executable file
View File

@ -0,0 +1,75 @@
#!/usr/bin/perl
#
# stunnel3 Perl wrapper to use stunnel 3.x syntax in stunnel >=4.05
# Copyright (C) 2004-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
# Version: 2.03
# Date: 2011.10.22
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, see <http://www.gnu.org/licenses>.
use POSIX;
use Getopt::Std;
# Configuration - path to stunnel (version >=4.05)
$stunnel_bin='@prefix@/bin/stunnel';
# stunnel3 script body begins here
($read_fd, $write_fd)=POSIX::pipe();
$pid=fork;
die "Can't fork" unless defined $pid;
if($pid) { # parent
POSIX::close($write_fd);
exec "$stunnel_bin -fd $read_fd";
die "$stunnel_bin exec failed";
}
# child
POSIX::close($read_fd);
open(STUNNEL, ">&$write_fd");
# comment out the next line to see the config file
select(STUNNEL);
getopts('cTWfD:O:o:C:p:v:a:A:t:N:u:n:E:R:B:I:d:s:g:P:r:L:l:');
print("client = yes\n") if defined $opt_c;
print("transparent = yes\n") if defined $opt_T;
print("RNDoverwrite = yes\n") if defined $opt_W;
print("foreground = yes\n") if defined $opt_f;
print("debug = $opt_D\n") if defined $opt_D;
print("socket = $opt_O\n") if defined $opt_O;
print("output = $opt_o\n") if defined $opt_o;
print("ciphers = $opt_C\n") if defined $opt_C;
print("cert = $opt_p\n") if defined $opt_p;
print("verify = $opt_v\n") if defined $opt_v;
print("CApath = $opt_a\n") if defined $opt_a;
print("CAfile = $opt_A\n") if defined $opt_A;
print("session = $opt_t\n") if defined $opt_t;
print("service = $opt_N\n") if defined $opt_N;
print("ident = $opt_u\n") if defined $opt_u;
print("protocol = $opt_n\n") if defined $opt_n;
print("EGD = $opt_E\n") if defined $opt_E;
print("RNDfile = $opt_R\n") if defined $opt_R;
print("RNDbytes = $opt_B\n") if defined $opt_B;
print("local = $opt_I\n") if defined $opt_I;
print("accept = $opt_d\n") if defined $opt_d;
print("setuid = $opt_s\n") if defined $opt_s;
print("setgid = $opt_g\n") if defined $opt_g;
print("pid = $opt_P\n") if defined $opt_P;
print("connect = $opt_r\n") if defined $opt_r;
print("pty = yes\n"), $opt_l=$opt_L if defined $opt_L;
print("exec = $opt_l\nexecargs = " . join(' ', $opt_l, @ARGV) . "\n") if defined $opt_l;
print("[stunnel3]\n") if defined $opt_d;
close(STUNNEL);
# stunnel3 script body ends here

76
src/vc.mak Normal file
View File

@ -0,0 +1,76 @@
# vc.mak by Michal Trojnara 1998-2012
# with help of David Gillingham <dgillingham@gmail.com>
# with help of Pierre Delaage <delaage.pierre@free.fr>
# the compilation requires:
# - Visual C++ 2005 Express Edition with Platform SDK
# http://social.msdn.microsoft.com/forums/en-US/Vsexpressvc/thread/c5c3afad-f4c6-4d27-b471-0291e099a742/
# - Visual C++ 2005 Professional Edition
# - Visual C++ 2008 Express Edition
# modify this to point to your OpenSSL directory
# either install a precompiled version (*not* the "Light" one) from
# http://www.slproweb.com/products/Win32OpenSSL.html
SSLDIR=C:\OpenSSL-Win32
INCDIR=$(SSLDIR)\include
LIBDIR=$(SSLDIR)\lib
# or compile one yourself
#SSLDIR=..\..\openssl-1.0.0f
#INCDIR=$(SSLDIR)\inc32
#LIBDIR=$(SSLDIR)\out32dll
TARGETCPU=W32
SRC=..\src
OBJROOT=..\obj
OBJ=$(OBJROOT)\$(TARGETCPU)
BINROOT=..\bin
BIN=$(BINROOT)\$(TARGETCPU)
OBJS=$(OBJ)\stunnel.obj $(OBJ)\ssl.obj $(OBJ)\ctx.obj \
$(OBJ)\verify.obj $(OBJ)\file.obj $(OBJ)\client.obj \
$(OBJ)\protocol.obj $(OBJ)\sthreads.obj $(OBJ)\log.obj \
$(OBJ)\options.obj $(OBJ)\network.obj $(OBJ)\resolver.obj \
$(OBJ)\gui.obj $(OBJ)\resources.res $(OBJ)\str.obj $(OBJ)/fd.obj
CC=cl
LINK=link
CFLAGS=/MD /W3 /O2 /nologo /I"$(INCDIR)"
LDFLAGS=/NOLOGO
LIBS=advapi32.lib comdlg32.lib crypt32.lib gdi32.lib \
psapi.lib shell32.lib user32.lib ws2_32.lib \
/LIBPATH:"$(LIBDIR)" libeay32.lib ssleay32.lib
# static linking:
# /LIBPATH:"$(LIBDIR)\VC\static" libeay32MD.lib ssleay32MD.lib
{$(SRC)\}.c{$(OBJ)\}.obj:
$(CC) $(CFLAGS) -Fo$@ -c $<
{$(SRC)\}.rc{$(OBJ)\}.res:
$(RC) -fo$@ -r $<
all: makedirs $(BIN)\stunnel.exe
clean:
-@ del $(OBJS) >NUL 2>&1
# -@ del *.manifest >NUL 2>&1
-@ del $(BIN)\stunnel.exe >NUL 2>&1
-@ del $(BIN)\stunnel.exe.manifest >NUL 2>&1
-@ rmdir $(OBJ) >NUL 2>&1
-@ rmdir $(BIN) >NUL 2>&1
makedirs:
-@ IF NOT EXIST $(OBJROOT) mkdir $(OBJROOT) >NUL 2>&1
-@ IF NOT EXIST $(OBJ) mkdir $(OBJ) >NUL 2>&1
-@ IF NOT EXIST $(BINROOT) mkdir $(BINROOT) >NUL 2>&1
-@ IF NOT EXIST $(BIN) mkdir $(BIN) >NUL 2>&1
$(OBJS): *.h vc.mak
$(BIN)\stunnel.exe: $(OBJS)
$(LINK) $(LDFLAGS) $(LIBS) /OUT:$@ $**
IF EXIST $@.manifest \
mt -nologo -manifest $@.manifest -outputresource:$@;1
# end of vc.mak

541
src/verify.c Normal file
View File

@ -0,0 +1,541 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
/**************************************** prototypes */
/* verify initialization */
static int load_file_lookup(X509_STORE *, char *);
static int add_dir_lookup(X509_STORE *, char *);
/* verify callback */
static int verify_callback(int, X509_STORE_CTX *);
static int cert_check(CLI *c, X509_STORE_CTX *, int);
static int crl_check(CLI *c, X509_STORE_CTX *);
#ifdef HAVE_OSSL_OCSP_H
static int ocsp_check(CLI *c, X509_STORE_CTX *);
static OCSP_RESPONSE *ocsp_get_response(CLI *, OCSP_REQUEST *);
#endif
/* utility functions */
static void log_time(const int, const char *, ASN1_TIME *);
/**************************************** verify initialization */
int verify_init(SERVICE_OPTIONS *section) {
if(section->verify_level<0)
return 0; /* OK - no certificate verification */
if(section->verify_level>=2 && !section->ca_file && !section->ca_dir) {
s_log(LOG_ERR,
"Either CApath or CAfile has to be used for authentication");
return 1; /* FAILED */
}
section->revocation_store=X509_STORE_new();
if(!section->revocation_store) {
sslerror("X509_STORE_new");
return 1; /* FAILED */
}
if(section->ca_file) {
if(!SSL_CTX_load_verify_locations(section->ctx,
section->ca_file, NULL)) {
s_log(LOG_ERR, "Error loading verify certificates from %s",
section->ca_file);
sslerror("SSL_CTX_load_verify_locations");
return 1; /* FAILED */
}
/* list of trusted CAs for the client to choose the right cert */
SSL_CTX_set_client_CA_list(section->ctx,
SSL_load_client_CA_file(section->ca_file));
s_log(LOG_DEBUG, "Loaded verify certificates from %s",
section->ca_file);
if(load_file_lookup(section->revocation_store, section->ca_file))
return 1; /* FAILED */
}
if(section->ca_dir) {
if(!SSL_CTX_load_verify_locations(section->ctx,
NULL, section->ca_dir)) {
s_log(LOG_ERR, "Error setting verify directory to %s",
section->ca_dir);
sslerror("SSL_CTX_load_verify_locations");
return 1; /* FAILED */
}
s_log(LOG_DEBUG, "Verify directory set to %s", section->ca_dir);
add_dir_lookup(section->revocation_store, section->ca_dir);
}
if(section->crl_file)
if(load_file_lookup(section->revocation_store, section->crl_file))
return 1; /* FAILED */
if(section->crl_dir) {
section->revocation_store->cache=0; /* don't cache CRLs */
add_dir_lookup(section->revocation_store, section->crl_dir);
}
SSL_CTX_set_verify(section->ctx, SSL_VERIFY_PEER |
(section->verify_level>=2 ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
verify_callback);
if(section->ca_dir && section->verify_level>=3)
s_log(LOG_INFO, "Peer certificate location %s", section->ca_dir);
return 0; /* OK */
}
static int load_file_lookup(X509_STORE *store, char *name) {
X509_LOOKUP *lookup;
lookup=X509_STORE_add_lookup(store, X509_LOOKUP_file());
if(!lookup) {
sslerror("X509_STORE_add_lookup");
return 1; /* FAILED */
}
if(!X509_LOOKUP_load_file(lookup, name, X509_FILETYPE_PEM)) {
s_log(LOG_ERR, "Failed to load %s revocation lookup file", name);
sslerror("X509_LOOKUP_load_file");
return 1; /* FAILED */
}
s_log(LOG_DEBUG, "Loaded %s revocation lookup file", name);
return 0; /* OK */
}
static int add_dir_lookup(X509_STORE *store, char *name) {
X509_LOOKUP *lookup;
lookup=X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
if(!lookup) {
sslerror("X509_STORE_add_lookup");
return 1; /* FAILED */
}
if(!X509_LOOKUP_add_dir(lookup, name, X509_FILETYPE_PEM)) {
s_log(LOG_ERR, "Failed to add %s revocation lookup directory", name);
sslerror("X509_LOOKUP_add_dir");
return 1; /* FAILED */
}
s_log(LOG_DEBUG, "Added %s revocation lookup directory", name);
return 0; /* OK */
}
/**************************************** verify callback */
static int verify_callback(int preverify_ok, X509_STORE_CTX *callback_ctx) {
/* our verify callback function */
SSL *ssl;
CLI *c;
X509 *cert;
int depth;
char *subject_name;
/* retrieve application specific data */
ssl=X509_STORE_CTX_get_ex_data(callback_ctx,
SSL_get_ex_data_X509_STORE_CTX_idx());
c=SSL_get_ex_data(ssl, cli_index);
cert=X509_STORE_CTX_get_current_cert(callback_ctx);
depth=X509_STORE_CTX_get_error_depth(callback_ctx);
/* certificate name for logging */
subject_name=X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
s_log(LOG_DEBUG, "Starting certificate verification: depth=%d, %s",
depth, subject_name);
if(!cert_check(c, callback_ctx, preverify_ok)) {
s_log(LOG_WARNING, "Certificate check failed: depth=%d, %s",
depth, subject_name);
OPENSSL_free(subject_name);
return 0; /* reject connection */
}
if(!crl_check(c, callback_ctx)) {
s_log(LOG_WARNING, "CRL check failed: depth=%d, %s",
depth, subject_name);
OPENSSL_free(subject_name);
return 0; /* reject connection */
}
#ifdef HAVE_OSSL_OCSP_H
if(c->opt->option.ocsp && !ocsp_check(c, callback_ctx)) {
s_log(LOG_WARNING, "OCSP check failed: depth=%d, %s",
depth, subject_name);
OPENSSL_free(subject_name);
return 0; /* reject connection */
}
#endif /* HAVE_OSSL_OCSP_H */
/* errnum=X509_STORE_CTX_get_error(ctx); */
s_log(LOG_NOTICE, "Certificate accepted: depth=%d, %s",
depth, subject_name);
OPENSSL_free(subject_name);
return 1; /* accept connection */
}
/**************************************** certificate checking */
static int cert_check(CLI *c, X509_STORE_CTX *callback_ctx, int preverify_ok) {
X509_OBJECT obj;
#if OPENSSL_VERSION_NUMBER>=0x0090700fL
ASN1_BIT_STRING *local_key, *peer_key;
#endif
X509 *cert;
int depth;
if(c->opt->verify_level<1) {
s_log(LOG_INFO, "CERT: Verification not enabled");
return 1; /* accept connection */
}
cert=X509_STORE_CTX_get_current_cert(callback_ctx);
depth=X509_STORE_CTX_get_error_depth(callback_ctx);
if(!preverify_ok) {
/* remote site specified a certificate, but it's not correct */
if(c->opt->verify_level>=4 && depth>0) {
s_log(LOG_INFO, "CERT: Invalid CA certificate ignored");
return 1; /* accept connection */
} else {
s_log(LOG_WARNING, "CERT: Verification error: %s",
X509_verify_cert_error_string(
X509_STORE_CTX_get_error(callback_ctx)));
return 0; /* reject connection */
}
}
if(c->opt->verify_level>=3 && depth==0) {
if(X509_STORE_get_by_subject(callback_ctx, X509_LU_X509,
X509_get_subject_name(cert), &obj)!=1) {
s_log(LOG_WARNING,
"CERT: Certificate not found in local repository");
return 0; /* reject connection */
}
#if OPENSSL_VERSION_NUMBER>=0x0090700fL
peer_key=X509_get0_pubkey_bitstr(cert);
local_key=X509_get0_pubkey_bitstr(obj.data.x509);
if(!peer_key || !local_key || peer_key->length!=local_key->length ||
memcmp(peer_key->data, local_key->data, local_key->length)) {
s_log(LOG_WARNING, "CERT: Public keys do not match");
return 0; /* reject connection */
}
#endif
s_log(LOG_INFO, "CERT: Locally installed certificate matched");
}
return 1; /* accept connection */
}
/**************************************** CRL checking */
/* based on BSD-style licensed code of mod_ssl */
static int crl_check(CLI *c, X509_STORE_CTX *callback_ctx) {
X509_STORE_CTX store_ctx;
X509_OBJECT obj;
X509_NAME *subject;
X509_NAME *issuer;
X509 *cert;
X509_CRL *crl;
X509_REVOKED *revoked;
EVP_PKEY *pubkey;
long serial;
int i, n, rc;
char *cp;
ASN1_TIME *last_update=NULL, *next_update=NULL;
/* determine certificate ingredients in advance */
cert=X509_STORE_CTX_get_current_cert(callback_ctx);
subject=X509_get_subject_name(cert);
issuer=X509_get_issuer_name(cert);
/* try to retrieve a CRL corresponding to the _subject_ of
* the current certificate in order to verify it's integrity */
memset((char *)&obj, 0, sizeof obj);
X509_STORE_CTX_init(&store_ctx, c->opt->revocation_store, NULL, NULL);
rc=X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, subject, &obj);
X509_STORE_CTX_cleanup(&store_ctx);
crl=obj.data.crl;
if(rc>0 && crl) {
cp=X509_NAME_oneline(subject, NULL, 0);
s_log(LOG_INFO, "CRL: issuer: %s", cp);
OPENSSL_free(cp);
last_update=X509_CRL_get_lastUpdate(crl);
next_update=X509_CRL_get_nextUpdate(crl);
log_time(LOG_INFO, "CRL: last update", last_update);
log_time(LOG_INFO, "CRL: next update", next_update);
/* verify the signature on this CRL */
pubkey=X509_get_pubkey(cert);
if(X509_CRL_verify(crl, pubkey)<=0) {
s_log(LOG_WARNING, "CRL: Invalid signature");
X509_STORE_CTX_set_error(callback_ctx,
X509_V_ERR_CRL_SIGNATURE_FAILURE);
X509_OBJECT_free_contents(&obj);
if(pubkey)
EVP_PKEY_free(pubkey);
return 0; /* reject connection */
}
if(pubkey)
EVP_PKEY_free(pubkey);
/* check date of CRL to make sure it's not expired */
if(!next_update) {
s_log(LOG_WARNING, "CRL: Invalid nextUpdate field");
X509_STORE_CTX_set_error(callback_ctx,
X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
X509_OBJECT_free_contents(&obj);
return 0; /* reject connection */
}
if(X509_cmp_current_time(next_update)<0) {
s_log(LOG_WARNING, "CRL: CRL Expired - revoking all certificates");
X509_STORE_CTX_set_error(callback_ctx, X509_V_ERR_CRL_HAS_EXPIRED);
X509_OBJECT_free_contents(&obj);
return 0; /* reject connection */
}
X509_OBJECT_free_contents(&obj);
}
/* try to retrieve a CRL corresponding to the _issuer_ of
* the current certificate in order to check for revocation */
memset((char *)&obj, 0, sizeof obj);
X509_STORE_CTX_init(&store_ctx, c->opt->revocation_store, NULL, NULL);
rc=X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, issuer, &obj);
X509_STORE_CTX_cleanup(&store_ctx);
crl=obj.data.crl;
if(rc>0 && crl) {
/* check if the current certificate is revoked by this CRL */
n=sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
for(i=0; i<n; i++) {
revoked=sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
if(ASN1_INTEGER_cmp(revoked->serialNumber,
X509_get_serialNumber(cert)) == 0) {
serial=ASN1_INTEGER_get(revoked->serialNumber);
cp=X509_NAME_oneline(issuer, NULL, 0);
s_log(LOG_WARNING, "CRL: Certificate with serial %ld (0x%lX) "
"revoked per CRL from issuer %s", serial, serial, cp);
OPENSSL_free(cp);
X509_STORE_CTX_set_error(callback_ctx, X509_V_ERR_CERT_REVOKED);
X509_OBJECT_free_contents(&obj);
return 0; /* reject connection */
}
}
X509_OBJECT_free_contents(&obj);
}
return 1; /* accept connection */
}
#ifdef HAVE_OSSL_OCSP_H
/**************************************** OCSP checking */
/* TODO: check OCSP server specified in the certificate */
static int ocsp_check(CLI *c, X509_STORE_CTX *callback_ctx) {
int error, retval=0;
X509 *cert;
X509 *issuer=NULL;
OCSP_CERTID *certID;
OCSP_REQUEST *request=NULL;
OCSP_RESPONSE *response=NULL;
OCSP_BASICRESP *basicResponse=NULL;
ASN1_GENERALIZEDTIME *revoked_at=NULL,
*this_update=NULL, *next_update=NULL;
int status, reason;
/* get current certificate ID */
cert=X509_STORE_CTX_get_current_cert(callback_ctx); /* get current cert */
if(X509_STORE_CTX_get1_issuer(&issuer, callback_ctx, cert)!=1) {
sslerror("OCSP: X509_STORE_CTX_get1_issuer");
goto cleanup;
}
certID=OCSP_cert_to_id(0, cert, issuer);
if(!certID) {
sslerror("OCSP: OCSP_cert_to_id");
goto cleanup;
}
/* build request */
request=OCSP_REQUEST_new();
if(!request) {
sslerror("OCSP: OCSP_REQUEST_new");
goto cleanup;
}
if(!OCSP_request_add0_id(request, certID)) {
sslerror("OCSP: OCSP_request_add0_id");
goto cleanup;
}
OCSP_request_add1_nonce(request, 0, -1);
/* send the request and get a response */
response=ocsp_get_response(c, request);
if(!response)
goto cleanup;
error=OCSP_response_status(response);
if(error!=OCSP_RESPONSE_STATUS_SUCCESSFUL) {
s_log(LOG_WARNING, "OCSP: Responder error: %d: %s",
error, OCSP_response_status_str(error));
goto cleanup;
}
s_log(LOG_DEBUG, "OCSP: Response received");
/* verify the response */
basicResponse=OCSP_response_get1_basic(response);
if(!basicResponse) {
sslerror("OCSP: OCSP_response_get1_basic");
goto cleanup;
}
if(OCSP_check_nonce(request, basicResponse)<=0) {
sslerror("OCSP: OCSP_check_nonce");
goto cleanup;
}
if(OCSP_basic_verify(basicResponse, NULL,
c->opt->revocation_store, c->opt->ocsp_flags)<=0) {
sslerror("OCSP: OCSP_basic_verify");
goto cleanup;
}
if(!OCSP_resp_find_status(basicResponse, certID, &status, &reason,
&revoked_at, &this_update, &next_update)) {
sslerror("OCSP: OCSP_resp_find_status");
goto cleanup;
}
s_log(LOG_NOTICE, "OCSP: Status: %d: %s",
status, OCSP_cert_status_str(status));
log_time(LOG_INFO, "OCSP: This update", this_update);
log_time(LOG_INFO, "OCSP: Next update", next_update);
/* check if the response is valid for at least one minute */
if(!OCSP_check_validity(this_update, next_update, 60, -1)) {
sslerror("OCSP: OCSP_check_validity");
goto cleanup;
}
if(status==V_OCSP_CERTSTATUS_REVOKED) {
if(reason==-1)
s_log(LOG_WARNING, "OCSP: Certificate revoked");
else
s_log(LOG_WARNING, "OCSP: Certificate revoked: %d: %s",
reason, OCSP_crl_reason_str(reason));
log_time(LOG_NOTICE, "OCSP: Revoked at", revoked_at);
goto cleanup;
}
retval=1; /* accept connection */
cleanup:
if(issuer)
X509_free(issuer);
if(request)
OCSP_REQUEST_free(request);
if(response)
OCSP_RESPONSE_free(response);
if(basicResponse)
OCSP_BASICRESP_free(basicResponse);
return retval;
}
static OCSP_RESPONSE *ocsp_get_response(CLI *c, OCSP_REQUEST *req) {
BIO *bio=NULL;
OCSP_REQ_CTX *req_ctx=NULL;
OCSP_RESPONSE *resp=NULL;
int err;
/* connect specified OCSP server (responder) */
c->fd=s_socket(c->opt->ocsp_addr.sa.sa_family, SOCK_STREAM, 0,
1, "OCSP: socket (auth_user)");
if(c->fd<0)
goto cleanup;
if(connect_blocking(c, &c->opt->ocsp_addr, addr_len(&c->opt->ocsp_addr)))
goto cleanup;
bio=BIO_new_fd(c->fd, BIO_NOCLOSE);
if(!bio)
goto cleanup;
s_log(LOG_DEBUG, "OCSP: server connected");
/* OCSP protocol communication loop */
req_ctx=OCSP_sendreq_new(bio, c->opt->ocsp_path, req, -1);
if(!req_ctx) {
sslerror("OCSP: OCSP_sendreq_new");
goto cleanup;
}
while(OCSP_sendreq_nbio(&resp, req_ctx)==-1) {
s_poll_init(c->fds);
s_poll_add(c->fds, c->fd, BIO_should_read(bio), BIO_should_write(bio));
err=s_poll_wait(c->fds, c->opt->timeout_busy, 0);
if(err==-1)
sockerror("OCSP: s_poll_wait");
if(err==0)
s_log(LOG_INFO, "OCSP: s_poll_wait: TIMEOUTbusy exceeded");
if(err<=0)
goto cleanup;
}
/* s_log(LOG_DEBUG, "OCSP: context state: 0x%x", *(int *)req_ctx); */
/* http://www.mail-archive.com/openssl-users@openssl.org/msg61691.html */
if(!resp) {
if(ERR_peek_error())
sslerror("OCSP: OCSP_sendreq_nbio");
else /* OpenSSL error: OCSP_sendreq_nbio does not use OCSPerr */
s_log(LOG_ERR, "OCSP: OCSP_sendreq_nbio: OpenSSL internal error");
}
cleanup:
if(req_ctx)
OCSP_REQ_CTX_free(req_ctx);
if(bio)
BIO_free_all(bio);
if(c->fd>=0) {
closesocket(c->fd);
c->fd=-1; /* avoid double close on cleanup */
}
return resp;
}
#endif /* HAVE_OSSL_OCSP_H */
static void log_time(const int level, const char *txt, ASN1_TIME *t) {
char *cp;
BIO *bio;
int n;
if(!t)
return;
bio=BIO_new(BIO_s_mem());
if(!bio)
return;
ASN1_TIME_print(bio, t);
n=BIO_pending(bio);
cp=str_alloc(n+1);
n=BIO_read(bio, cp, n);
if(n<0) {
BIO_free(bio);
str_free(cp);
return;
}
cp[n]='\0';
BIO_free(bio);
s_log(level, "%s: %s", txt, cp);
str_free(cp);
}
/* end of verify.c */

88
src/version.h Normal file
View File

@ -0,0 +1,88 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#ifndef VERSION_MAJOR
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif /* HAVE_CONFIG_H */
/* HOST may be undefined on Win32 platform */
#ifndef HOST
#ifdef __MINGW32__
#define HOST "x86-pc-mingw32-gnu"
#else /* __MINGW32__ */
#ifdef _MSC_VER
#define _QUOTEME(x) #x
#define QUOTEME(x) _QUOTEME(x)
#define HOST "x86-pc-msvc-" ## QUOTEME(_MSC_VER)
#else /* _MSC_VER */
#define HOST "x86-pc-unknown"
#endif /* _MSC_VER */
#endif /* __MINGW32__ */
#endif /* HOST */
/* START CUSTOMIZE */
#define VERSION_MAJOR 4
#define VERSION_MINOR 53
/* END CUSTOMIZE */
/* all the following macros are ABSOLUTELY NECESSARY to have proper string
* construction with VARIOUS C preprocessors (EVC, VC, BCC, GCC) */
#define STRINGIZE0(x) #x
#define STRINGIZE(x) STRINGIZE0(x)
#define STRZCONCAT30(a,b,c) a##b##c
#define STRZCONCAT3(a,b,c) STRZCONCAT30(a,b,c)
/* for resource.rc, stunnel.c, gui.c */
#define STUNNEL_VERSION0 STRZCONCAT3(VERSION_MAJOR, . , VERSION_MINOR)
#define STUNNEL_VERSION STRINGIZE(STUNNEL_VERSION0)
/* for resources.rc */
#define STUNNEL_VERSION_FIELDS VERSION_MAJOR,VERSION_MINOR,0,0
#define STUNNEL_PRODUCTNAME "stunnel " STUNNEL_VERSION " for " HOST
/* some useful tricks for preprocessing debugging */
#if 0
#pragma message ( "VERSION.H: STUNNEL_VERSION is " STUNNEL_VERSION )
#pragma message ( "VERSION.H: HOST is " HOST )
#pragma message ( "VERSION.H: STUNNEL_PRODUCTNAME is " STUNNEL_PRODUCTNAME )
#endif
#endif /* VERSION_MAJOR */
/* end of version.h */

36
tools/Makefile.am Normal file
View File

@ -0,0 +1,36 @@
## Process this file with automake to produce Makefile.in
EXTRA_DIST = ca.html ca.pl importCA.html importCA.sh script.sh \
stunnel.spec stunnel.cnf stunnel.nsi stunnel.license stunnel.conf
confdir = $(sysconfdir)/stunnel
conf_DATA = stunnel.conf-sample
docdir = $(datadir)/doc/stunnel
examplesdir = $(docdir)/examples
examples_DATA = ca.html ca.pl importCA.html importCA.sh script.sh \
stunnel.spec stunnel.init stunnel.service
OPENSSL=$(SSLDIR)/bin/openssl
install-data-local:
if test ! -r $(DESTDIR)$(confdir)/stunnel.pem; then \
if test -r "$(RANDOM_FILE)"; then \
dd if="$(RANDOM_FILE)" of=stunnel.rnd bs=256 count=1; \
RND="-rand stunnel.rnd"; \
else \
RND=""; \
fi; \
$(OPENSSL) req -new -x509 -days 365 $$RND \
-config $(srcdir)/stunnel.cnf \
-out stunnel.pem -keyout stunnel.pem; \
$(OPENSSL) gendh $$RND 1024 >> stunnel.pem; \
$(OPENSSL) x509 -subject -dates -fingerprint -noout -in stunnel.pem; \
${INSTALL} -m 600 stunnel.pem $(DESTDIR)$(confdir)/stunnel.pem; \
rm stunnel.pem; \
fi
${INSTALL} -d -m 1770 $(DESTDIR)$(localstatedir)/lib/stunnel
-chgrp $(DEFAULT_GROUP) $(DESTDIR)$(localstatedir)/lib/stunnel
clean-local:
-rm -f stunnel.rnd

467
tools/Makefile.in Normal file
View File

@ -0,0 +1,467 @@
# Makefile.in generated by automake 1.11.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
# Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
@SET_MAKE@
VPATH = @srcdir@
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = tools
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
$(srcdir)/stunnel.conf-sample.in $(srcdir)/stunnel.init.in \
$(srcdir)/stunnel.service.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/src/config.h
CONFIG_CLEAN_FILES = stunnel.conf-sample stunnel.init stunnel.service
CONFIG_CLEAN_VPATH_FILES =
SOURCES =
DIST_SOURCES =
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
*) f=$$p;; \
esac;
am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
am__install_max = 40
am__nobase_strip_setup = \
srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
am__nobase_strip = \
for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
am__nobase_list = $(am__nobase_strip_setup); \
for p in $$list; do echo "$$p $$p"; done | \
sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
$(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
if (++n[$$2] == $(am__install_max)) \
{ print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
END { for (dir in files) print dir, files[dir] }'
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__installdirs = "$(DESTDIR)$(confdir)" "$(DESTDIR)$(examplesdir)"
DATA = $(conf_DATA) $(examples_DATA)
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFAULT_GROUP = @DEFAULT_GROUP@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GREP = @GREP@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LD = @LD@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
LIBTOOL_DEPS = @LIBTOOL_DEPS@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
RANDOM_FILE = @RANDOM_FILE@
RANLIB = @RANLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SSLDIR = @SSLDIR@
STRIP = @STRIP@
VERSION = @VERSION@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = $(datadir)/doc/stunnel
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
lt_ECHO = @lt_ECHO@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
stunnel_CFLAGS = @stunnel_CFLAGS@
stunnel_LDFLAGF = @stunnel_LDFLAGF@
stunnel_LDFLAGS = @stunnel_LDFLAGS@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
EXTRA_DIST = ca.html ca.pl importCA.html importCA.sh script.sh \
stunnel.spec stunnel.cnf stunnel.nsi stunnel.license stunnel.conf
confdir = $(sysconfdir)/stunnel
conf_DATA = stunnel.conf-sample
examplesdir = $(docdir)/examples
examples_DATA = ca.html ca.pl importCA.html importCA.sh script.sh \
stunnel.spec stunnel.init stunnel.service
OPENSSL = $(SSLDIR)/bin/openssl
all: all-am
.SUFFIXES:
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
&& { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu tools/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --gnu tools/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(top_srcdir)/configure: $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
stunnel.conf-sample: $(top_builddir)/config.status $(srcdir)/stunnel.conf-sample.in
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
stunnel.init: $(top_builddir)/config.status $(srcdir)/stunnel.init.in
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
stunnel.service: $(top_builddir)/config.status $(srcdir)/stunnel.service.in
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
install-confDATA: $(conf_DATA)
@$(NORMAL_INSTALL)
test -z "$(confdir)" || $(MKDIR_P) "$(DESTDIR)$(confdir)"
@list='$(conf_DATA)'; test -n "$(confdir)" || list=; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
done | $(am__base_list) | \
while read files; do \
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(confdir)'"; \
$(INSTALL_DATA) $$files "$(DESTDIR)$(confdir)" || exit $$?; \
done
uninstall-confDATA:
@$(NORMAL_UNINSTALL)
@list='$(conf_DATA)'; test -n "$(confdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
test -n "$$files" || exit 0; \
echo " ( cd '$(DESTDIR)$(confdir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(confdir)" && rm -f $$files
install-examplesDATA: $(examples_DATA)
@$(NORMAL_INSTALL)
test -z "$(examplesdir)" || $(MKDIR_P) "$(DESTDIR)$(examplesdir)"
@list='$(examples_DATA)'; test -n "$(examplesdir)" || list=; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
done | $(am__base_list) | \
while read files; do \
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(examplesdir)'"; \
$(INSTALL_DATA) $$files "$(DESTDIR)$(examplesdir)" || exit $$?; \
done
uninstall-examplesDATA:
@$(NORMAL_UNINSTALL)
@list='$(examples_DATA)'; test -n "$(examplesdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
test -n "$$files" || exit 0; \
echo " ( cd '$(DESTDIR)$(examplesdir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(examplesdir)" && rm -f $$files
tags: TAGS
TAGS:
ctags: CTAGS
CTAGS:
distdir: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
dist_files=`for file in $$list; do echo $$file; done | \
sed -e "s|^$$srcdirstrip/||;t" \
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
case $$dist_files in \
*/*) $(MKDIR_P) `echo "$$dist_files" | \
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
sort -u` ;; \
esac; \
for file in $$dist_files; do \
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
if test -d "$(distdir)/$$file"; then \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
test -f "$(distdir)/$$file" \
|| cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
check-am: all-am
check: check-am
all-am: Makefile $(DATA)
installdirs:
for dir in "$(DESTDIR)$(confdir)" "$(DESTDIR)$(examplesdir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-am
install-exec: install-exec-am
install-data: install-data-am
uninstall: uninstall-am
install-am: all-am
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
installcheck: installcheck-am
install-strip:
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
`test -z '$(STRIP)' || \
echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am
clean-am: clean-generic clean-libtool clean-local mostlyclean-am
distclean: distclean-am
-rm -f Makefile
distclean-am: clean-am distclean-generic
dvi: dvi-am
dvi-am:
html: html-am
html-am:
info: info-am
info-am:
install-data-am: install-confDATA install-data-local \
install-examplesDATA
install-dvi: install-dvi-am
install-dvi-am:
install-exec-am:
install-html: install-html-am
install-html-am:
install-info: install-info-am
install-info-am:
install-man:
install-pdf: install-pdf-am
install-pdf-am:
install-ps: install-ps-am
install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-am
mostlyclean-am: mostlyclean-generic mostlyclean-libtool
pdf: pdf-am
pdf-am:
ps: ps-am
ps-am:
uninstall-am: uninstall-confDATA uninstall-examplesDATA
.MAKE: install-am install-strip
.PHONY: all all-am check check-am clean clean-generic clean-libtool \
clean-local distclean distclean-generic distclean-libtool \
distdir dvi dvi-am html html-am info info-am install \
install-am install-confDATA install-data install-data-am \
install-data-local install-dvi install-dvi-am \
install-examplesDATA install-exec install-exec-am install-html \
install-html-am install-info install-info-am install-man \
install-pdf install-pdf-am install-ps install-ps-am \
install-strip installcheck installcheck-am installdirs \
maintainer-clean maintainer-clean-generic mostlyclean \
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
uninstall uninstall-am uninstall-confDATA \
uninstall-examplesDATA
install-data-local:
if test ! -r $(DESTDIR)$(confdir)/stunnel.pem; then \
if test -r "$(RANDOM_FILE)"; then \
dd if="$(RANDOM_FILE)" of=stunnel.rnd bs=256 count=1; \
RND="-rand stunnel.rnd"; \
else \
RND=""; \
fi; \
$(OPENSSL) req -new -x509 -days 365 $$RND \
-config $(srcdir)/stunnel.cnf \
-out stunnel.pem -keyout stunnel.pem; \
$(OPENSSL) gendh $$RND 1024 >> stunnel.pem; \
$(OPENSSL) x509 -subject -dates -fingerprint -noout -in stunnel.pem; \
${INSTALL} -m 600 stunnel.pem $(DESTDIR)$(confdir)/stunnel.pem; \
rm stunnel.pem; \
fi
${INSTALL} -d -m 1770 $(DESTDIR)$(localstatedir)/lib/stunnel
-chgrp $(DEFAULT_GROUP) $(DESTDIR)$(localstatedir)/lib/stunnel
clean-local:
-rm -f stunnel.rnd
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:

56
tools/ca.html Normal file
View File

@ -0,0 +1,56 @@
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>Make your own certificate</TITLE>
</HEAD>
<BODY TEXT="#000000" BGCOLOR="#FFFFCC" LINK="#0000EF" VLINK="#51188E" ALINK="#FF0000">
<FORM ACTION="http://localhost/cgi-bin/ca.pl" METHOD=POST>
<TABLE>
<TR>
<TD>Key bits:</TD>
<TD><KEYGEN NAME="SPKAC"></TD>
</TR>
<TR>
<TD>Your name:</TD>
<TD><INPUT NAME="who" SIZE="40" MAXLENGTH=60 ALIGN=middle></TD>
</TR>
<TR>
<TD>Your e-mail address:</TD>
<TD><INPUT NAME="email" SIZE="40" MAXLENGTH=40 ALIGN=middle></TD>
</TR>
<TR>
<TD>Country name:</TD>
<TD><INPUT NAME="country" SIZE="40" MAXLENGTH=150 ALIGN=middle></TD>
</TR>
<TR>
<TD>State or province name:</TD>
<TD><INPUT NAME="state" SIZE="40" MAXLENGTH=40 ALIGN=middle></TD>
</TR>
<TR>
<TD>Organization:</TD>
<TD><INPUT NAME="organization" SIZE="40" MAXLENGTH=60 ALIGN=middle></TD>
</TR>
<TR>
<TD>Comment:</TD>
<TD><INPUT NAME="comment" SIZE="40" MAXLENGTH=40 ALIGN=middle></TD>
</TR>
</TABLE>
<H3>
<INPUT TYPE=submit VALUE=" Submit ">&nbsp;<INPUT TYPE=reset VALUE=" Reset All "></H3>
</FORM>
</BODY>
</HTML>

65
tools/ca.pl Executable file
View File

@ -0,0 +1,65 @@
#!/usr/bin/perl
$config = "/var/openssl/openssl.cnf";
$capath = "/usr/bin/openssl ca";
$certpass = "mypassword";
$tempca = "/tmp/ssl/cli".rand 10000;
$tempout = "/tmp/ssl/certtmp".rand 10000;
$caout = "/tmp/ssl/certout.txt";
$CAcert = "/var/openssl/localCA/cacert.pem";
$spkac = "";
&ReadForm;
$spkac = $FIELDS{'SPKAC'};
$spkac =~ s/\n//g;
open(TEMPCE,">$tempca") || die &Error;
print TEMPCE "C = $FIELDS{'country'}\n";
print TEMPCE "ST = $FIELDS{'state'}\n";
print TEMPCE "O = $FIELDS{'organization'}\n";
print TEMPCE "Email = $FIELDS{'email'}\n";
print TEMPCE "CN = $FIELDS{'who'}\n";
print TEMPCE "SPKAC = $spkac\n";
close(TEMPCE);
system("$capath -batch -config $config -spkac $tempca -out $tempout -key $certpass -cert $CAcert>> $caout 2>&1");
open(CERT,"$tempout") || die &Error;
@certificate = <CERT>;
close(CERT);
#system("rm -f $tempca");
#system("rm -f $tempout");
print "Content-type: application/x-x509-user-cert\n\n";
print @certificate;
##############################################################
####
#### Procedures
####
sub ReadForm {
if ($ENV{'REQUEST_METHOD'} eq 'GET') {
@pairs = split(/&/, $ENV{'QUERY_STRING'});
}
elsif ($ENV{'REQUEST_METHOD'} eq 'POST') {
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
@pairs = split(/&/, $buffer);
}
foreach $pair (@pairs) {
($name, $value) = split(/=/, $pair);
$name =~ tr/+/ /;
$name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
$value =~ tr/+/ /;
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
$value =~ s/<!--(.|\n)*-->//g;
$FIELDS{$name} = $value;
}
}
sub Error {
print "Content-type: text/html\n\n";
print "<P><P><center><H1>Cant open file</H1></center>\n";
}

16
tools/importCA.html Normal file
View File

@ -0,0 +1,16 @@
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>Import CA root certificate</TITLE>
</HEAD>
<BODY TEXT="#000000" BGCOLOR="#FFFFCC" LINK="#0000EF" VLINK="#51188E" ALINK="#FF0000">
&nbsp;
<BR>&nbsp;
<BR>&nbsp;
<BR>&nbsp;
<BR>&nbsp;
<CENTER><FONT SIZE=+2><A HREF="http://localhost/cgi-bin/importCA.sh">Import
CA certificate</A></FONT></CENTER>
</BODY>
</HTML>

5
tools/importCA.sh Executable file
View File

@ -0,0 +1,5 @@
#!/bin/bash
echo "Content-type: application/x-x509-ca-cert"
echo
cat /var/lib/httpds/cgi-bin/cacert.pem

11
tools/script.sh Executable file
View File

@ -0,0 +1,11 @@
#!/bin/bash
REMOTE_HOST="www.mirt.net:443"
echo "client script connecting $REMOTE_HOST"
/usr/local/bin/stunnel -fd 10 \
11<&0 <<EOT 10<&0 0<&11 11<&-
client=yes
connect=$REMOTE_HOST
EOT
echo "client script finished"

42
tools/stunnel.cnf Normal file
View File

@ -0,0 +1,42 @@
# OpenSSL configuration file to create a server certificate
# by Michal Trojnara 1998-2012
[ req ]
# the default key length is secure and quite fast - do not change it
default_bits = 2048
# comment out the next line to protect the private key with a passphrase
encrypt_key = no
distinguished_name = req_dn
x509_extensions = cert_type
[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default = PL
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Mazovia Province
localityName = Locality Name (eg, city)
localityName_default = Warsaw
organizationName = Organization Name (eg, company)
organizationName_default = Stunnel Developers
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Provisional CA
0.commonName = Common Name (FQDN of your server)
0.commonName_default = localhost
# To create a certificate for more than one name uncomment:
# 1.commonName = DNS alias of your server
# 2.commonName = DNS alias of your server
# ...
# See http://home.netscape.com/eng/security/ssl_2.0_certificate.html
# to see how Netscape understands commonName.
[ cert_type ]
nsCertType = server

91
tools/stunnel.conf Normal file
View File

@ -0,0 +1,91 @@
; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2012
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options
; **************************************************************************
; * Global options *
; **************************************************************************
; Debugging stuff (may useful for troubleshooting)
;debug = 7
;output = stunnel.log
; Disable FIPS mode to allow non-approved protocols and algorithms
;fips = no
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Certificate/key is needed in server mode and optional in client mode
cert = stunnel.pem
;key = stunnel.pem
; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively CRLfile can be used
;CRLfile = crls.pem
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
; **************************************************************************
; * Service definitions (at least one service has to be defined) *
; **************************************************************************
; Example SSL server mode services
[pop3s]
accept = 995
connect = 110
[imaps]
accept = 993
connect = 143
[ssmtp]
accept = 465
connect = 25
; Example SSL client mode services
;[gmail-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995
;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993
;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465
; Example SSL front-end to a web server
;[https]
;accept = 443
;connect = 80
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;TIMEOUTclose = 0
; vim:ft=dosini

100
tools/stunnel.conf-sample.in Normal file
View File

@ -0,0 +1,100 @@
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2012
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options
; **************************************************************************
; * Global options *
; **************************************************************************
; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
chroot = @prefix@/var/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
setuid = nobody
setgid = @DEFAULT_GROUP@
; PID is created inside the chroot jail
pid = /stunnel.pid
; Debugging stuff (may useful for troubleshooting)
;debug = 7
;output = stunnel.log
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Certificate/key is needed in server mode and optional in client mode
cert = @prefix@/etc/stunnel/mail.pem
;key = @prefix@/etc/stunnel/mail.pem
; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = @prefix@/etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively CRLfile can be used
;CRLfile = @prefix@/etc/stunnel/crls.pem
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
; **************************************************************************
; * Service definitions (remove all services for inetd mode) *
; **************************************************************************
; Example SSL server mode services
[pop3s]
accept = 995
connect = 110
[imaps]
accept = 993
connect = 143
[ssmtp]
accept = 465
connect = 25
; Example SSL client mode services
;[gmail-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995
;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993
;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465
; Example SSL front-end to a web server
;[https]
;accept = 443
;connect = 80
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;TIMEOUTclose = 0
; vim:ft=dosini

118
tools/stunnel.init.in Normal file
View File

@ -0,0 +1,118 @@
#! /bin/sh -e
### BEGIN INIT INFO
# Provides: stunnel
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Should-Start: $syslog
# Should-Stop: $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start or stop stunnel 4.x (SSL tunnel for network daemons)
### END INIT INFO
DEFAULTPIDFILE="/var/run/stunnel.pid"
DAEMON=@prefix@/bin/stunnel
NAME=stunnel
DESC="SSL tunnels"
FILES="/etc/stunnel/*.conf"
OPTIONS=""
ENABLED=0
get_pids() {
local file=$1
if test -f $file; then
CHROOT=`grep "^chroot" $file|sed "s;.*= *;;"`
PIDFILE=`grep "^pid" $file|sed "s;.*= *;;"`
if [ "$PIDFILE" = "" ]; then
PIDFILE=$DEFAULTPIDFILE
fi
if test -f $CHROOT/$PIDFILE; then
cat $CHROOT/$PIDFILE
fi
fi
}
startdaemons() {
if ! [ -d /var/run/stunnel ]; then
rm -rf /var/run/stunnel
install -d -o stunnel -g stunnel /var/run/stunnel
fi
for file in $FILES; do
if test -f $file; then
ARGS="$file $OPTIONS"
PROCLIST=`get_pids $file`
if [ "$PROCLIST" ] && kill -s 0 $PROCLIST 2>/dev/null; then
echo -n "[Already running: $file] "
elif $DAEMON $ARGS; then
echo -n "[Started: $file] "
else
echo "[Failed: $file]"
echo "You should check that you have specified the pid= in you configuration file"
exit 1
fi
fi
done;
}
killdaemons()
{
SIGNAL=${1:-TERM}
for file in $FILES; do
PROCLIST=`get_pids $file`
if [ "$PROCLIST" ] && kill -s 0 $PROCLIST 2>/dev/null; then
kill -s $SIGNAL $PROCLIST
echo -n "[stopped: $file] "
fi
done
}
if [ "x$OPTIONS" != "x" ]; then
OPTIONS="-- $OPTIONS"
fi
test -f /etc/default/stunnel && . /etc/default/stunnel
if [ "$ENABLED" = "0" ] ; then
echo "$DESC disabled, see /etc/default/stunnel"
exit 0
fi
test -x $DAEMON || exit 0
set -e
case "$1" in
start)
echo -n "Starting $DESC: "
startdaemons
echo "$NAME."
;;
stop)
echo -n "Stopping $DESC: "
killdaemons
echo "$NAME."
;;
reopen-logs)
echo -n "Reopening log files $DESC: "
killdaemons USR1
echo "$NAME."
;;
force-reload|reload)
echo -n "Reloading configuration $DESC: "
killdaemons HUP
echo "$NAME."
;;
restart)
echo -n "Restarting $DESC: "
killdaemons
sleep 5
startdaemons
echo "$NAME."
;;
*)
N=/etc/init.d/$NAME
echo "Usage: $N {start|stop|reload|reopen-logs|restart}" >&2
exit 1
;;
esac
exit 0

13
tools/stunnel.license Normal file
View File

@ -0,0 +1,13 @@
Copyright (C) 1998-2012 Michal Trojnara
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, see <http://www.gnu.org/licenses>.
Linking stunnel statically or dynamically with other modules is making a combined work based on stunnel. Thus, the terms and conditions of the GNU General Public License cover the whole combination.
In addition, as a special exception, the copyright holder of stunnel gives you permission to combine stunnel with free software programs or libraries that are released under the GNU LGPL and with code included in the standard release of OpenSSL under the OpenSSL License (or modified versions of such code, with unchanged license). You may copy and distribute such a system following the terms of the GNU GPL for stunnel and the licenses of the other code concerned.
Note that people who make modified versions of stunnel are not obligated to grant this special exception for their modified versions; it is their choice whether to do so. The GNU General Public License gives permission to release a modified version without this exception; this exception also makes it possible to release a modified version which carries forward this exception.

182
tools/stunnel.nsi Normal file
View File

@ -0,0 +1,182 @@
# NSIS stunnel installer by Michal Trojnara 1998-2012
!include "Sections.nsh"
Name "stunnel ${VERSION}"
OutFile "stunnel-${VERSION}-installer.exe"
InstallDir "$PROGRAMFILES\stunnel"
BrandingText "Author: Michal Trojnara"
LicenseData "${SRCDIR}/tools/stunnel.license"
SetCompressor /SOLID LZMA
InstallDirRegKey HKLM "Software\NSIS_stunnel" "Install_Dir"
RequestExecutionLevel admin
Page license
Page components
Page directory
Page instfiles
UninstPage uninstConfirm
UninstPage instfiles
Section "Stunnel Core Files (required)"
SectionIn RO
SetOutPath "$INSTDIR"
# stop the service, exit stunnel
ReadRegStr $R0 HKLM \
"Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion
IfErrors skip_service_stop
ExecWait '"$INSTDIR\stunnel.exe" -stop -quiet'
skip_service_stop:
# skip if the previously installed stunnel version is older than 4.40
GetDLLVersion "$INSTDIR\stunnel.exe" $R0 $R1
IfErrors skip_process_exit
ExecWait '"$INSTDIR\stunnel.exe" -exit -quiet'
skip_process_exit:
# write files
SetOverwrite off
File "${SRCDIR}/tools/stunnel.conf"
SetOverwrite on
#File "${DLLS}/*eay32.dll"
File "${DLLS}/libeay32.dll"
File "${DLLS}/ssleay32.dll"
File "${DLLS}/zlib1.dll"
File "${DLLS}/msvcr90.dll"
File "${DLLS}/Microsoft.VC90.CRT.manifest"
File "src/stunnel.exe"
File "${SRCDIR}/doc/stunnel.html"
WriteUninstaller "uninstall.exe"
# add uninstaller registry entries
WriteRegStr HKLM "Software\NSIS_stunnel" "Install_Dir" "$INSTDIR"
WriteRegStr HKLM \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \
"DisplayName" "stunnel"
WriteRegStr HKLM \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \
"UninstallString" '"$INSTDIR\uninstall.exe"'
WriteRegDWORD HKLM \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \
"NoModify" 1
WriteRegDWORD HKLM \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \
"NoRepair" 1
SectionEnd
Section "Self-signed Certificate Tools" sectionCA
SetOutPath "$INSTDIR"
# write files
File "${DLLS}/openssl.exe"
File "${SRCDIR}/tools/stunnel.cnf"
IfSilent lbl_skip_new_pem
IfFileExists "$INSTDIR\stunnel.pem" lbl_skip_new_pem
ExecWait '"$INSTDIR\openssl.exe" req -new -x509 -days 365 -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem'
lbl_skip_new_pem:
SectionEnd
Section "Start Menu Shortcuts"
SetShellVarContext all
CreateDirectory "$SMPROGRAMS\stunnel"
# remove old links
Delete "$SMPROGRAMS\stunnel\*.lnk"
Delete "$SMPROGRAMS\stunnel\*.url"
# main link
CreateShortCut "$SMPROGRAMS\stunnel\Run stunnel.lnk" \
"$INSTDIR\stunnel.exe" "" "$INSTDIR\stunnel.exe" 0
CreateShortCut "$SMPROGRAMS\stunnel\Exit stunnel.lnk" \
"$INSTDIR\stunnel.exe" "-exit" "$INSTDIR\stunnel.exe" 0
# NT service
ClearErrors
ReadRegStr $R0 HKLM \
"Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion
IfErrors skip_service_links
CreateShortCut "$SMPROGRAMS\stunnel\Service install.lnk" \
"$INSTDIR\stunnel.exe" "-install" "$INSTDIR\stunnel.exe" 0
CreateShortCut "$SMPROGRAMS\stunnel\Service uninstall.lnk" \
"$INSTDIR\stunnel.exe" "-uninstall" "$INSTDIR\stunnel.exe" 0
CreateShortCut "$SMPROGRAMS\stunnel\Service start.lnk" \
"$INSTDIR\stunnel.exe" "-start" "$INSTDIR\stunnel.exe" 0
CreateShortCut "$SMPROGRAMS\stunnel\Service stop.lnk" \
"$INSTDIR\stunnel.exe" "-stop" "$INSTDIR\stunnel.exe" 0
skip_service_links:
# edit config file
CreateShortCut "$SMPROGRAMS\stunnel\Edit stunnel.conf.lnk" \
"notepad.exe" "stunnel.conf" "notepad.exe" 0
# OpenSSL shell
CreateShortCut "$SMPROGRAMS\stunnel\OpenSSL Shell.lnk" \
"$INSTDIR\openssl.exe" "" "$INSTDIR\openssl.exe" 0
# make stunnel.pem
SectionGetFlags sectionCA $0
IntOp $0 $0 & SF_SELECTED
IntCmp $0 0 lbl_noCA
CreateShortCut "$SMPROGRAMS\stunnel\Build Self-signed stunnel.pem.lnk" \
"$INSTDIR\openssl.exe" \
"req -new -x509 -days 365 -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem"
lbl_noCA:
# help/uninstall
WriteINIStr "$SMPROGRAMS\stunnel\Manual.url" "InternetShortcut" \
"URL" "file://$INSTDIR/stunnel.html"
CreateShortCut "$SMPROGRAMS\stunnel\Uninstall stunnel.lnk" \
"$INSTDIR\uninstall.exe" "" "$INSTDIR\uninstall.exe" 0
SectionEnd
Section "Desktop Shortcut"
SetShellVarContext all
Delete "$DESKTOP\stunnel.lnk"
CreateShortCut "$DESKTOP\stunnel.lnk" \
"$INSTDIR\stunnel.exe" "" "$INSTDIR\stunnel.exe" 0
SectionEnd
Section "Uninstall"
ClearErrors
# stop and remove the service, exit stunnel
ReadRegStr $R0 HKLM \
"Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion
IfErrors skip_service_uninstall
ExecWait '"$INSTDIR\stunnel.exe" -stop -quiet'
ExecWait '"$INSTDIR\stunnel.exe" -uninstall -quiet'
skip_service_uninstall:
ExecWait '"$INSTDIR\stunnel.exe" -exit -quiet'
# remove stunnel folder
Delete "$INSTDIR\stunnel.conf"
Delete "$INSTDIR\stunnel.pem"
Delete "$INSTDIR\stunnel.exe"
Delete "$INSTDIR\stunnel.cnf"
Delete "$INSTDIR\openssl.exe"
#Delete "$INSTDIR\*eay32.dll"
Delete "$INSTDIR\libeay32.dll"
Delete "$INSTDIR\ssleay32.dll"
Delete "$INSTDIR\zlib1.dll"
Delete "$INSTDIR\msvcr90.dll"
Delete "$INSTDIR\Microsoft.VC90.CRT.manifest"
Delete "$INSTDIR\stunnel.html"
Delete "$INSTDIR\uninstall.exe"
RMDir "$INSTDIR"
# remove menu shortcuts
SetShellVarContext all
Delete "$DESKTOP\stunnel.lnk"
Delete "$SMPROGRAMS\stunnel\*.lnk"
Delete "$SMPROGRAMS\stunnel\*.url"
RMDir "$SMPROGRAMS\stunnel"
# remove uninstaller registry entires
DeleteRegKey HKLM \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel"
DeleteRegKey HKLM "Software\NSIS_stunnel"
SectionEnd
# end of stunnel.nsi

10
tools/stunnel.service.in Normal file
View File

@ -0,0 +1,10 @@
[Unit]
Description=SSL tunnel for network daemons
After=syslog.target
[Service]
ExecStart=@prefix@/bin/stunnel
Type=forking
[Install]
WantedBy=multi-user.target

91
tools/stunnel.spec Normal file
View File

@ -0,0 +1,91 @@
%define _prefix /usr
%define _sysconfdir /etc
Summary: Program that wraps normal socket connections with SSL/TLS
Name: stunnel
Version: 4.53
Release: 1
Copyright: GPL
Group: Applications/Networking
Source: stunnel-%{version}.tar.gz
Packager: neeo <neeo@irc.pl>
Requires: openssl >= 0.9.6g
BuildRequires: openssl-devel >= 0.9.6g
Buildroot: /var/tmp/stunnel-%{version}-root
%description
The stunnel program is designed to work as SSL encryption wrapper
between remote clients and local (inetd-startable) or remote
servers. The concept is that having non-SSL aware daemons running on
your system you can easily set them up to communicate with clients over
secure SSL channels.
stunnel can be used to add SSL functionality to commonly used inetd
daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like
NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without
changes to the source code.
%prep
%setup -n stunnel-%{version}
%build
if [ ! -x ./configure ]; then
autoconf
autoheader
fi
CFLAGS="%{optflags}" ./configure --prefix=%{_prefix} --sysconfdir=%{_sysconfdir}
%{__make}
%install
%{__rm} -rf %{buildroot}
%{__mkdir} -p %{buildroot}%{_sysconfdir}/stunnel
%{__mkdir} -p %{buildroot}%{_sbindir}
%{__mkdir} -p %{buildroot}%{_libdir}
%{__mkdir} -p %{buildroot}%{_mandir}/man8
%{__mkdir} -p %{buildroot}%{_initrddir}
%{__install} -m755 -s src/stunnel %{buildroot}%{_sbindir}
%{__install} -m755 src/.libs/libstunnel.so %{buildroot}%{_libdir}
%{__install} -m755 src/.libs/libstunnel.la %{buildroot}%{_libdir}
%{__install} -m644 doc/stunnel.8 %{buildroot}%{_mandir}/man8/stunnel.8.gz
%{__install} -m644 tools/stunnel.conf-sample %{buildroot}%{_sysconfdir}/stunnel
%{__install} -m500 tools/stunnel.init %{buildroot}%{_initrddir}/stunnel
%clean
%{__rm} -rf %{buildroot}
%post
ldconfig
%postun
ldconfig
%files
%defattr(-,root,root)
%doc COPYING COPYRIGHT.GPL README ChangeLog doc/stunnel.html doc/en/transproxy.txt doc/en/VNC_StunnelHOWTO.html
%doc tools/ca.html tools/ca.pl tools/importCA.html tools/importCA.sh tools/stunnel.cnf
%dir %{_sysconfdir}/stunnel
%config %{_sysconfdir}/stunnel/*
%{_sbindir}/stunnel
%{_libdir}/libstunnel.so
%{_libdir}/libstunnel.la
%{_mandir}/man8/stunnel.8.gz
%{_initrddir}/stunnel
%changelog
* Fri Sep 09 2005 neeo <neeo@irc.pl>
- lots of changes and cleanups
* Wed Mar 17 2004 neeo <neeo@irc.pl>
- updated for 4.05
* Sun Jun 24 2000 Brian Hatch <bri@stunnel.org>
- updated for 3.8p3
* Wed Jul 14 1999 Dirk O. Siebnich <dok@vossnet.de>
- updated for 3.5.
* Mon Jun 07 1999 Dirk O. Siebnich <dok@vossnet.de>
- adapted from sslwrap RPM spec file