From d419cab3c4515e5d03c397d2d0ca42d9819ff3e7 Mon Sep 17 00:00:00 2001 
From: Mario Fetka Date: Wed, 15 Nov 2017 15:03:25 +0100 Subject: [PATCH] Imported Upstream version 5.42 --- .travis.yml | 27 + AUTHORS | 2 +- COPYING | 2 +- CREDITS | 39 +- ChangeLog | 670 ++- INSTALL | 378 +- INSTALL.FIPS | 12 +- INSTALL.W32 | 79 +- Makefile.am | 43 +- Makefile.in | 465 +- PORTS | 13 +- TODO | 55 +- aclocal.m4 | 1451 ++++- auto/compile | 232 +- auto/config.guess | 358 +- auto/config.sub | 142 +- auto/depcomp | 580 +- auto/install-sh | 59 +- auto/ltmain.sh | 4036 ++++++++----- auto/missing | 458 +- build-android.sh | 24 +- configure | 6351 +++++++++++++++------ configure.ac | 492 +- doc/Makefile.am | 36 +- doc/Makefile.in | 216 +- doc/en/VNC_StunnelHOWTO.html | 20 +- doc/pl/tworzenie_certyfikatow.html | 4 +- doc/stunnel.8 | 993 ---- doc/stunnel.8.in | 1395 +++++ doc/stunnel.fr.8 | 574 -- doc/stunnel.fr.html | 670 --- doc/stunnel.fr.pod | 636 --- doc/stunnel.html | 1120 ---- doc/stunnel.html.in | 1625 ++++++ doc/{stunnel.pl.8 => stunnel.pl.8.in} | 1129 ++-- doc/stunnel.pl.html | 1158 ---- doc/stunnel.pl.html.in | 1626 ++++++ doc/{stunnel.pl.pod => stunnel.pl.pod.in} | 810 ++- doc/stunnel.pod | 1124 ---- doc/stunnel.pod.in | 1529 +++++ m4/libtool.m4 | 2290 +++++--- m4/ltoptions.m4 | 32 +- m4/ltversion.m4 | 12 +- m4/lt~obsolete.m4 | 12 +- src/Makefile.am | 111 +- src/Makefile.in | 818 +-- src/active.ico | Bin 0 -> 1150 bytes src/client.c | 1273 +++-- src/common.h | 231 +- src/config.h.in | 139 +- src/cron.c | 201 + src/ctx.c | 1181 ++-- src/dhparam.c | 57 + src/env.c | 10 +- src/error.ico | Bin 0 -> 1150 bytes src/evc.mak | 64 +- src/fd.c | 53 +- src/file.c | 139 +- src/idle.ico | Bin 0 -> 1150 bytes src/libwrap.c | 73 +- src/log.c | 235 +- src/make.bat | 4 +- src/makew32.bat | 36 +- src/mingw.mak | 59 +- src/mingw.mk | 54 + src/network.c | 554 +- src/nogui.c | 101 - src/options.c | 2611 ++++++--- src/os2.mak | 15 +- src/protocol.c | 982 +++- src/prototypes.h | 616 +- src/pty.c | 10 +- src/resolver.c | 337 +- src/resources.h | 10 +- src/resources.rc | 
75 +- src/ssl.c | 198 +- src/sthreads.c | 518 +- src/str.c | 554 +- src/stunnel.c | 828 +-- src/stunnel.ico | Bin 4710 -> 15086 bytes src/stunnel3.in | 6 +- src/tls.c | 195 + src/ui_unix.c | 268 + src/ui_win_cli.c | 138 + src/{gui.c => ui_win_gui.c} | 994 ++-- src/vc.mak | 66 +- src/verify.c | 836 ++- src/version.h | 183 +- tools/Makefile.am | 49 +- tools/Makefile.in | 203 +- tools/ca.pl | 2 +- tools/makecert.sh | 29 + tools/{stunnel.cnf => openssl.cnf} | 23 +- tools/stunnel.conf | 146 +- tools/stunnel.conf-sample.in | 161 +- tools/stunnel.init.in | 213 +- tools/stunnel.license | 2 +- tools/stunnel.logrotate | 9 + tools/stunnel.nsi | 767 ++- tools/stunnel.rh.init | 106 + tools/stunnel.service.in | 4 +- tools/stunnel.spec | 144 +- 102 files changed, 31695 insertions(+), 17975 deletions(-) create mode 100644 .travis.yml mode change 100644 => 100755 auto/config.guess mode change 100644 => 100755 auto/config.sub mode change 100755 => 100644 auto/ltmain.sh delete mode 100644 doc/stunnel.8 create mode 100644 doc/stunnel.8.in delete mode 100644 doc/stunnel.fr.8 delete mode 100644 doc/stunnel.fr.html delete mode 100644 doc/stunnel.fr.pod delete mode 100644 doc/stunnel.html create mode 100644 doc/stunnel.html.in rename doc/{stunnel.pl.8 => stunnel.pl.8.in} (50%) delete mode 100644 doc/stunnel.pl.html create mode 100644 doc/stunnel.pl.html.in rename doc/{stunnel.pl.pod => stunnel.pl.pod.in} (54%) delete mode 100644 doc/stunnel.pod create mode 100644 doc/stunnel.pod.in create mode 100644 src/active.ico create mode 100644 src/cron.c create mode 100644 src/dhparam.c create mode 100644 src/error.ico create mode 100644 src/idle.ico create mode 100644 src/mingw.mk delete mode 100644 src/nogui.c create mode 100644 src/tls.c create mode 100644 src/ui_unix.c create mode 100644 src/ui_win_cli.c rename src/{gui.c => ui_win_gui.c} (54%) create mode 100755 tools/makecert.sh rename tools/{stunnel.cnf => openssl.cnf} (74%) create mode 100644 tools/stunnel.logrotate create mode 100644 
tools/stunnel.rh.init diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 0000000..8ec6beb --- /dev/null +++ b/.travis.yml @@ -0,0 +1,27 @@ +sudo: false + +language: c + +os: + - linux + - osx + +compiler: + - gcc + - clang + +env: + - CONFIGURE_OPTIONS='--with-threads=pthread' + - CONFIGURE_OPTIONS='--with-threads=fork' + - CONFIGURE_OPTIONS='--with-threads=ucontext' + - CONFIGURE_OPTIONS='--disable-ipv6 --disable-fips --disable-systemd --disable-libwrap' + +addons: + apt: + packages: + - libssl-dev + - libwrap0-dev + +before_script: autoreconf -fvi && touch src/dhparam.c + +script: ./configure $CONFIGURE_OPTIONS && make && make test diff --git a/AUTHORS b/AUTHORS index 27993a2..1196721 100644 --- a/AUTHORS +++ b/AUTHORS @@ -1,4 +1,4 @@ stunnel authors -Michal Trojnara +Michal Trojnara diff --git a/COPYING b/COPYING index e139a18..ca8f9b4 100644 --- a/COPYING +++ b/COPYING @@ -1,6 +1,6 @@ stunnel license (see COPYRIGHT.GPL for detailed GPL conditions) -Copyright (C) 1998-2013 Michal Trojnara +Copyright (C) 1998-2017 Michal Trojnara This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software diff --git a/CREDITS b/CREDITS index 8ece5a7..c9ad66a 100644 --- a/CREDITS +++ b/CREDITS 
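Review bot: The `before_script` line of the new `.travis.yml` runs `touch src/dhparam.c` with no explanation, so the next maintainer cannot tell whether it is safe to remove. Presumably it refreshes the timestamp of the shipped file after `autoreconf -fvi` so that `make` does not try to regenerate the DH parameters on the CI host; if that is the intent, a comment above the line such as `# mark the distributed src/dhparam.c as current so the CI build does not regenerate DH parameters` would record it. The comment should also say that this is a CI-only shortcut, because the ChangeLog in this same patch states that unique initial DH parameters are distributed with each release, and a release build that copied this step would silently reuse the old ones.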
@@ -1,9 +1,40 @@ -Special thx to: +stunnel code contributions + +The code contributions are licensed as public domain unless stated otherwise. + +Several Win32 and WCE improvements and bugfixes: +* Pierre Delaage + +systemd socket activation in version 5.05: +Copyright (c) 2014 Mark Theunissen + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies +of the Software, and to permit persons to whom the Software is furnished to do +so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + +Several bugfixes and improvements mostly in versions 3.xx: +* Brian Hatch + +Initial PTY support in version 3.05: +* Dirk O. Siebnich + +Initial SSL support in versions 1.x: * Adam Hernik * Pawel Krawczyk -* Brian Hatch -* Dirk O. Siebnich for PTY support and many others... - diff --git a/ChangeLog b/ChangeLog index 93a3a67..154d2a8 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,5 +1,670 @@ stunnel change log +Version 5.42, 2017.07.16, urgency: HIGH +* New features + - "redirect" also supports "exec" and not only "connect". + - PKCS#11 engine DLL updated to version 0.4.7. +* Bugfixes + - Fixed premature cron thread initialization causing hangs. + - Fixed "verifyPeer = yes" on OpenSSL <= 1.0.1. + - Fixed pthreads support on OpenSolaris. + +Version 5.41, 2017.04.01, urgency: MEDIUM +* New features + - PKCS#11 engine DLL updated to version 0.4.5. + - Default engine UI set with ENGINE_CTRL_SET_USER_INTERFACE. + - Key file name added into the passphrase console prompt. + - Performance optimization in memory leak detection. +* Bugfixes + - Fixed crashes with the OpenSSL 1.1.0 branch. + - Fixed certificate verification with "verifyPeer = yes" + and "verifyChain = no" (the default), while the peer + only returns a single certificate. + +Version 5.40, 2017.01.28, urgency: HIGH +* Security bugfixes + - OpenSSL DLLs updated to version 1.0.2k. + https://www.openssl.org/news/secadv/20170126.txt +* New features + - DH ciphersuites are now disabled by default. + - The daily server DH parameter regeneration is only performed if + DH ciphersuites are enabled in the configuration file. + - "checkHost" and "checkEmail" were modified to require either + "verifyChain" or "verifyPeer" (thx to Małorzata Olszówka). +* Bugfixes + - Fixed setting default ciphers. + +Version 5.39, 2017.01.01, urgency: LOW +* New features + - PKCS#11 engine (pkcs11.dll) added to the Win32 build. + - Per-destination TLS session cache added for the client mode. + - The new "logId" parameter "process" added to log PID values. + - Added support for the new SSL_set_options() values. + - Updated the manual page. + - Obsolete references to "SSL" replaced with "TLS". +* Bugfixes + - Fixed "logId" parameter to also work in inetd mode. + - "delay = yes" properly enforces "failover = prio". + - Fixed fd_set allocation size on Win64. + - Fixed reloading invalid configuration file on Win32. 
+ - Fixed resolving addresses with unconfigured network interfaces.
+
+Version 5.38, 2016.11.26, urgency: MEDIUM
+* New features
+ - "sni=" can be used to prevent sending the SNI extension.
+ - The AI_ADDRCONFIG resolver flag is used when available.
+ - Merged Debian 06-lfs.patch (thx to Peter Pentchev).
+* Bugfixes
+ - Fixed a memory allocation bug causing crashes with OpenSSL 1.1.0.
+ - Fixed error handling for mixed IPv4/IPv6 destinations.
+ - Merged Debian 08-typos.patch (thx to Peter Pentchev).
+
+Version 5.37, 2016.11.06, urgency: MEDIUM
+* Bugfixes
+ - OpenSSL DLLs updated to version 1.0.2j (stops crashes).
+ - The default SNI target (not handled by any slave service)
+ is handled by the master service rather than rejected.
+ - Removed thread synchronization in the FORK threading model.
+
+Version 5.36, 2016.09.22, urgency: HIGH
+* Security bugfixes
+ - OpenSSL DLLs updated to version 1.0.2i.
+ https://www.openssl.org/news/secadv_20160922.txt
+* New features
+ - Added support for OpenSSL 1.1.0 built with "no-deprecated".
+ - Removed direct zlib dependency.
+
+Version 5.35, 2016.07.18, urgency: HIGH
+* Bugfixes
+ - Fixed incorrectly enforced client certificate requests.
+ - Only default to SO_EXCLUSIVEADDRUSE on Vista and later.
+ - Fixed thread safety of the configuration file reopening.
+
+Version 5.34, 2016.07.05, urgency: HIGH
+* Security bugfixes
+ - Fixed malfunctioning "verify = 4".
+* New features
+ - Bind sockets with SO_EXCLUSIVEADDRUSE on WIN32.
+ - Added three new service-level options: requireCert, verifyChain,
+ and verifyPeer for fine-grained certificate verification control.
+ - Improved compatibility with the current OpenSSL 1.1.0-dev tree.
+
+Version 5.33, 2016.06.23, urgency: HIGH
+* New features
+ - Improved memory leak detection performance and accuracy.
+ - Improved compatibility with the current OpenSSL 1.1.0-dev tree.
+ - SNI support also enabled on OpenSSL 0.9.8f and later (thx to
+ Guillermo Rodriguez Garcia).
+ - Added support for PKCS #12 (.p12/.pfx) certificates (thx to
+ Dmitry Bakshaev).
+* Bugfixes
+ - Fixed a TLS session caching memory leak (thx to Richard Kraemer).
+ Before stunnel 5.27 this leak only emerged with sessiond enabled.
+ - Yet another WinCE socket fix (thx to Richard Kraemer).
+ - Fixed passphrase/pin dialogs in tstunnel.exe.
+ - Fixed a FORK threading build regression bug.
+ - OPENSSL_NO_DH compilation fix (thx to Brian Lin).
+
+Version 5.32, 2016.05.03, urgency: HIGH
+* Security bugfixes
+ - OpenSSL DLLs updated to version 1.0.2h.
+ https://www.openssl.org/news/secadv_20160503.txt
+* New features
+ - New "socket = a:IPV6_V6ONLY=yes" option to only bind IPv6.
+ - Memory leak detection.
+ - Improved compatibility with the current OpenSSL 1.1.0-dev tree.
+ - Added/fixed Red Hat scripts (thx to Andrew Colin Kissa).
+* Bugfixes
+ - Workaround for a WinCE sockets quirk (thx to Richard Kraemer).
+ - Fixed data alignment on 64-bit MSVC (thx to Yuris W. Auzins).
+
+Version 5.31, 2016.03.01, urgency: HIGH
+* Security bugfixes
+ - OpenSSL DLLs updated to version 1.0.2g.
+ https://www.openssl.org/news/secadv_20160301.txt
+* New features
+ - Added logging the list of client CAs requested by the server.
+ - Improved compatibility with the current OpenSSL 1.1.0-dev tree.
+* Bugfixes
+ - Only reset the watchdog if some data was actually transferred.
+ - A workaround implemented for the unexpected exceptfds set by
+ select() on WinCE 6.0 (thx to Richard Kraemer).
+ - Fixed logging an incorrect value of the round-robin starting
+ point (thx to Jose Alf.).
+
+Version 5.30, 2016.01.28, urgency: HIGH
+* Security bugfixes
+ - OpenSSL DLLs updated to version 1.0.2f.
+ https://www.openssl.org/news/secadv_20160128.txt
+* New features
+ - Improved compatibility with the current OpenSSL 1.1.0-dev tree.
+ - Added OpenSSL autodetection for the recent versions of Xcode.
+* Bugfixes
+ - Fixed references to /etc removed from stunnel.init.in.
+ - Stopped even trying -fstack-protector on unsupported platforms
+ (thx to Rob Lockhart).
+
+Version 5.29, 2016.01.08, urgency: LOW
+* New features
+ - New WIN32 icons.
+ - Performance improvement: rwlocks used for locking with pthreads.
+* Bugfixes
+ - Compilation fix for *BSD.
+ - Fixed configuration file reload for relative stunnel.conf path
+ on Unix.
+ - Fixed ignoring CRLfile unless CAfile was also specified (thx
+ to Strukov Petr).
+
+Version 5.28, 2015.12.11, urgency: HIGH
+* New features
+ - Build matrix (.travis.yml) extended with ./configure options.
+ - mingw.mak updated to build tstunnel.exe (thx to Jose Alf.).
+* Bugfixes
+ - Fixed incomplete initialization.
+ - Fixed UCONTEXT threading on OSX.
+ - Fixed exit codes for information requests (as
+ in "stunnel -version" or "stunnel -help").
+
+Version 5.27, 2015.12.03, urgency: MEDIUM
+* Security bugfixes
+ - OpenSSL DLLs updated to version 1.0.2e.
+ https://www.openssl.org/news/secadv_20151203.txt
+* New features
+ - Automated build testing configured with .travis.yml.
+ - Added reading server certificates from hardware engines.
+ For example: cert = id_45
+ - Only attempt to use potentially harmful compiler or linker
+ options if gcc was detected.
+ - /opt/csw added to the OpenSSL directory lookup list.
+ - mingw.mak updates (thx to Jose Alf.).
+ - TODO list updated.
+
+Version 5.26, 2015.11.06, urgency: MEDIUM
+* Bugfixes
+ - Compilation fixes for OSX, *BSD and Solaris.
+
+Version 5.25, 2015.11.02, urgency: MEDIUM
+* New features
+ - SMTP client protocol negotiation support for
+ "protocolUsername", "protocolPassword", and
+ "protocolAuthentication" (thx to Douglas Harris).
+ - New service-level option "config" to specify configuration
+ commands introduced in OpenSSL 1.0.2 (thx to Stephen Wall).
+ - The global option "foreground" now also accepts "quiet"
+ parameter, which does not enable logging to stderr.
+ - Manual page updated.
+ - Obsolete OpenSSL engines removed from the Windows build:
+ 4758cca, aep, atalla, cswift, nuron, sureware.
+ - Improved compatibility with the current OpenSSL 1.1.0-dev tree:
+ gracefully handle symbols renamed from SSLeay* to OpenSSL*.
+* Bugfixes
+ - Fixed the "s_poll_wait returned 1, but no descriptor
+ is ready" internal error.
+ - Fixed "exec" hangs due to incorrect thread-local
+ storage handling (thx to Philip Craig).
+ - Fixed PRNG initialization (thx to Philip Craig).
+ - Setting socket options no longer performed on PTYs.
+ - Fixed 64-bit Windows build.
+
+Version 5.24, 2015.10.08, urgency: MEDIUM
+* New features
+ - Custom CRL verification was replaced with the internal
+ OpenSSL functionality.
+ - *BSD support for "transparent = destination" and
+ client-side "protocol = socks". This feature should
+ work at least on FreeBSD, OpenBSD and OS X.
+ - Added a new "protocolDomain" option for the NTLM
+ authentication (thx to Andreas Botsikas).
+ - Improved compatibility of the NTLM phase 1 message (thx
+ to Andreas Botsikas).
+ - "setuid" and "setgid" options are now also available
+ in service sections. They can be used to set owner
+ and group of the Unix socket specified with "accept".
+ - Added support for the new OpenSSL 1.0.2 SSL options.
+ - Added OPENSSL_NO_EGD support (thx to Bernard Spil).
+ - VC autodetection added to makew32.bat (thx to Andreas
+ Botsikas).
+* Bugfixes
+ - Fixed the RESOLVE [F0] TOR extension support in SOCKS5.
+ - Fixed the error code reported on the failed bind()
+ requests.
+ - Fixed the sequential log id with the FORK threading.
+ - Restored the missing Microsoft.VC90.CRT.manifest file.
+
+Version 5.23, 2015.09.02, urgency: LOW
+* New features
+ - Client-side support for the SOCKS protocol.
+ See https://www.stunnel.org/socksvpn.html for details.
+ - Reject SOCKS requests to connect loopback addresses.
+ - New service-level option "OCSPnonce".
+ The default value is "OCSPnonce = no".
+ - Win32 directory structure rearranged. The installer
+ script provides automatic migration for common setups.
+ - Added Win32 installer option to install stunnel for the
+ current user only. This feature does not deploy the NT
+ service, but it also does not require aministrative
+ privileges to install and configure stunnel.
+ - stunnel.cnf was renamed to openssl.cnf in order to
+ to prevent users from mixing it up with stunnel.conf.
+ - Win32 desktop is automatically refreshed when the icon
+ is created or removed.
+ - The ca-certs.pem file is now updated on stunnel upgrade.
+ - Inactive ports were removed from the PORTS file.
+ - Added IPv6 support to the transparent proxy code.
+* Bugfixes
+ - Compilation fix for OpenSSL version older than 1.0.0.
+ - Compilation fix for mingw.
+
+Version 5.22, 2015.07.30, urgency: HIGH
+* New features
+ - "OCSPaia = yes" added to the configuration file templates.
+ - Improved double free detection.
+* Bugfixes
+ - Fixed a number of OCSP bugs. The most severe of those
+ bugs caused stunnel to treat OCSP responses that failed
+ OCSP_basic_verify() checks as if they were successful.
+ - Fixed the passive IPv6 resolver (broken in stunnel 5.21).
+
+Version 5.21, 2015.07.27, urgency: MEDIUM
+* New features
+ - Signal names are displayed instead of numbers.
+ - First resolve IPv4 addresses on passive resolver requests.
+ This speeds up stunnel startup on Win32 with a slow/defunct
+ DNS service.
+ - The "make check" target was modified to only build Win32
+ executables when stunnel is built from a git repository (thx
+ to Peter Pentchev).
+ - More elaborate descriptions were added to the warning about
+ using "verify = 2" without "checkHost" or "checkIP".
+ - Performance optimization was performed on the debug code.
+* Bugfixes
+ - Fixed the FORK and UCONTEXT threading support.
+ - Fixed "failover=prio" (broken since stunnel 5.15).
+ - Added a retry when sleep(3) was interrupted by a signal
+ in the cron thread scheduler.
+
+Version 5.20, 2015.07.09, urgency: HIGH
+* Security bugfixes
+ - OpenSSL DLLs updated to version 1.0.2d.
+ https://www.openssl.org/news/secadv_20150709.txt
+* New features
+ - poll(2) re-enabled on MacOS X 10.5 and later.
+ - Xcode SDK is automatically used on MacOS X if no other
+ locally installed OpenSSL directory is found.
+ - The SSL library detection algorithm was made a bit smarter.
+ - Warnings about insecure authentication were modified to
+ include the name of the affected service section.
+ - A warning was added to stunnel.init if no pid file was
+ specified in the configuration file (thx to Peter Pentchev).
+ - Optional debugging symbols are included in the Win32 installer.
+ - Documentation updates (closes Debian bug #781669).
+* Bugfixes
+ - Signal pipe reinitialization added to prevent turning the
+ main accepting thread into a busy wait loop when an external
+ condition breaks the signal pipe. This bug was found to
+ surface on Win32, but other platforms may also be affected.
+ - Fixed removing the disabled taskbar icon.
+ - Generated temporary DH parameters are used for configuration
+ reload instead of the static defaults.
+ - LSB compatibility fixes added to the stunnel.init script (thx
+ to Peter Pentchev).
+ - Fixed the manual page headers (thx to Gleydson Soares).
+
+Version 5.19, 2015.06.16, urgency: MEDIUM:
+* New features
+ - OpenSSL DLLs updated to version 1.0.2c.
+ - Added a runtime check whether COMP_zlib() method is implemented
+ in order to improve compatibility with the Debian OpenSSL build.
+* Bugfixes
+ - Improved socket error handling.
+ - Cron thread priority on Win32 platform changed to
+ THREAD_PRIORITY_LOWEST to improve portability.
+ - Makefile bugfixes for stunnel 5.18 regressions.
+ - Fixed some typos in docs and scripts (thx to Peter Pentchev).
+ - Fixed a log level check condition (thx to Peter Pentchev).
+
+Version 5.18, 2015.06.12, urgency: MEDIUM:
+* New features
+ - OpenSSL DLLs updated to version 1.0.2b.
+ https://www.openssl.org/news/secadv_20150611.txt
+ - Added "include" configuration file option to include all
+ configuration file parts located in a specified directory.
+ - Log file is reopened every 24 hours. With "log = overwrite"
+ this feature can be used to prevent filling up disk space.
+ - Temporary DH parameters are refreshed every 24 hours, unless
+ static DH parameters were provided in the certificate file.
+ - Unique initial DH parameters are distributed with each release.
+ - Warnings are logged on potentially insecure authentication.
+ - Improved compatibility with the current OpenSSL 1.1.0-dev tree:
+ removed RLE compression support, etc.
+ - Updated stunnel.spec (thx to Bill Quayle).
+* Bugfixes
+ - Fixed handling of dynamic connect targets.
+ - Fixed handling of trailing whitespaces in the Content-Length
+ header of the NTLM authentication.
+ - Fixed --sysconfdir and --localstatedir handling (thx to
+ Dagobert Michelsen).
+
+Version 5.17, 2015.04.29, urgency: HIGH:
+* Bugfixes
+ - Fixed a NULL pointer dereference causing the service to crash.
+ This bug was introduced in stunnel 5.15.
+
+Version 5.16, 2015.04.19, urgency: MEDIUM:
+* Bugfixes
+ - Fixed compilation with old versions of gcc.
+
+Version 5.15, 2015.04.16, urgency: LOW:
+* New features
+ - Added new service-level options "checkHost", "checkEmail" and
+ "checkIP" for additional checks of the peer certificate subject.
+ These options require OpenSSL version 1.0.2 or higher.
+ - Win32 binary distribution now ships with the Mozilla root CA
+ bundle. This bundle is intended be used together with the new
+ "checkHost" option to validate server certs accepted by Mozilla.
+ - New commandline options "-reload" to reload the configuration
+ file and "-reopen" to reopen the log file of stunnel running
+ as a Windows service (thx to Marc McLaughlin).
+ - Added session persistence based on negotiated TLS sessions.
+ https://en.wikipedia.org/wiki/Load_balancing_%28computing%29#Persistence
+ The current implementation does not support external TLS
+ session caching with sessiond.
+ - MEDIUM ciphers (currently SEED and RC4) are removed from the
+ default cipher list.
+ - The "redirect" option was improved to not only redirect sessions
+ established with an untrusted certificate, but also sessions
+ established without a client certificate.
+ - OpenSSL version checking modified to distinguish FIPS and
+ non-FIPS builds.
+ - Improved compatibility with the current OpenSSL 1.1.0-dev tree.
+ - Removed support for OpenSSL versions older than 0.9.7.
+ The final update for the OpenSSL 0.9.6 branch was 17 Mar 2004.
+ - "sessiond" support improved to also work in OpenSSL 0.9.7.
+ - Randomize the initial value of the round-robin counter.
+ - New stunnel.conf templates are provided for Windows and Unix.
+* Bugfixes
+ - Fixed compilation against old versions of OpenSSL.
+ - Fixed memory leaks in certificate verification.
+
+Version 5.14, 2015.03.25, urgency: HIGH:
+* Security bugfixes
+ - The "redirect" option now also redirects clients on SSL session
+ reuse. In stunnel versions 5.00 to 5.13 reused sessions were
+ instead always connected hosts specified with the "connect"
+ option regardless of their certificate verification result.
+ This vulnerability was reported by Johan Olofsson.
+* New features
+ - Windows service is automatically restarted after upgrade.
+* Bugfixes
+ - Fixed a memory allocation error during Unix daemon shutdown.
+ - Fixed handling multiple connect/redirect destinations.
+ - OpenSSL FIPS builds are now correctly reported on startup.
+
+Version 5.13, 2015.03.20, urgency: MEDIUM:
+* New features
+ - The "service" option was modified to also control the syslog
+ service name.
+* Bugfixes
+ - Fixed Windows service crash.
+
+Version 5.12, 2015.03.19, urgency: HIGH:
+* Security bugfixes
+ - OpenSSL DLLs updated to version 1.0.2a.
+ https://www.openssl.org/news/secadv_20150319.txt
+* New features
+ - New service-level option "logId" to specify the
+ connection identifier type. Currently supported types:
+ "sequential" (default), "unique", and "thread".
+ - New service-level option "debug" to individually control
+ logging verbosity of defined services.
+* Bugfixes
+ - OCSP fixed on Windows platform (thx to Alec Kosky).
+
+Version 5.11, 2015.03.11, urgency: LOW:
+* New features
+ - OpenSSL DLLs updated to version 1.0.2.
+ - Removed dereferences of internal OpenSSL data structures.
+ - PSK key lookup algorithm performance improved from
+ O(N) (linear) to O(log N) (logarithmic).
+* Bugfixes
+ - Fixed peer certificate list in the main window on Win32
+ (thx to @fyer for reporting it).
+ - Fixed console logging in tstunnel.exe.
+ - _tputenv_s() replaced with more portable _tputenv() on Win32.
+
+Version 5.10, 2015.01.22, urgency: LOW:
+* New features
+ - OCSP AIA (Authority Information Access) support. This feature
+ can be enabled with the new service-level option "OCSPaia".
+ - Additional security features of the linker are enabled:
+ "-z relro", "-z now", "-z noexecstack".
+* Bugfixes
+ - OpenSSL DLLs updated to version 1.0.1l.
+ https://www.openssl.org/news/secadv_20150108.txt
+ - FIPS canister updated to version 2.0.9 in the Win32 binary
+ build.
+
+Version 5.09, 2015.01.02, urgency: LOW:
+* New features
+ - Added PSK authentication with two new service-level
+ configuration file options "PSKsecrets" and "PSKidentity".
+ - Added additional security checks to the OpenSSL memory
+ management functions.
+ - Added support for the OPENSSL_NO_OCSP and OPENSSL_NO_ENGINE
+ OpenSSL configuration flags.
+ - Added compatibility with the current OpenSSL 1.1.0-dev tree.
+* Bugfixes
+ - Removed defective s_poll_error() code occasionally causing
+ connections to be prematurely closed (truncated).
+ This bug was introduced in stunnel 4.34.
+ - Fixed ./configure systemd detection (thx to Kip Walraven).
+ - Fixed ./configure sysroot detection (thx to Kip Walraven).
+ - Fixed compilation against old versions of OpenSSL.
+ - Removed outdated French manual page.
+
+Version 5.08, 2014.12.09, urgency: MEDIUM:
+* New features
+ - Added SOCKS4/SOCKS4a protocol support.
+ - Added SOCKS5 protocol support.
+ - Added SOCKS RESOLVE [F0] TOR extension support.
+ - Updated automake to version 1.14.1.
+ - OpenSSL directory searching is now relative to the sysroot.
+* Bugfixes
+ - Fixed improper hangup condition handling.
+ - Fixed missing -pic linker option. This is required for
+ Android 5.0 and improves security.
+
+Version 5.07, 2014.11.01, urgency: MEDIUM:
+* New features
+ - Several SMTP server protocol negotiation improvements.
+ - Added UTF-8 byte order marks to stunnel.conf templates.
+ - DH parameters are no longer generated by "make cert".
+ The hardcoded DH parameters are sufficiently secure,
+ and modern TLS implementations will use ECDH anyway.
+ - Updated manual for the "options" configuration file option.
+ - Added support for systemd 209 or later.
+ - New --disable-systemd ./configure option.
+ - setuid/setgid commented out in stunnel.conf-sample.
+* Bugfixes
+ - Added support for UTF-8 byte order mark in stunnel.conf.
+ - Compilation fix for OpenSSL with disabled SSLv2 or SSLv3.
+ - Non-blocking mode set on inetd and systemd descriptors.
+ - shfolder.h replaced with shlobj.h for compatibility
+ with modern Microsoft compilers.
+
+Version 5.06, 2014.10.15, urgency: HIGH:
+* Security bugfixes
+ - OpenSSL DLLs updated to version 1.0.1j.
+ https://www.openssl.org/news/secadv_20141015.txt
+ - The insecure SSLv2 protocol is now disabled by default.
+ It can be enabled with "options = -NO_SSLv2".
+ - The insecure SSLv3 protocol is now disabled by default.
+ It can be enabled with "options = -NO_SSLv3".
+ - Default sslVersion changed to "all" (also in FIPS mode)
+ to autonegotiate the highest supported TLS version.
+* New features
+ - Added missing SSL options to match OpenSSL 1.0.1j.
+ - New "-options" commandline option to display the list
+ of supported SSL options.
+* Bugfixes
+ - Fixed FORK threading build regression bug.
+ - Fixed missing periodic Win32 GUI log updates.
+
+Version 5.05, 2014.10.10, urgency: MEDIUM:
+* New features
+ - Asynchronous communication with the GUI thread for faster
+ logging on Win32.
+ - systemd socket activation (thx to Mark Theunissen).
+ - The parameter of "options" can now be prefixed with "-"
+ to clear an SSL option, for example:
+ "options = -LEGACY_SERVER_CONNECT".
+ - Improved "transparent = destination" manual page (thx to
+ Vadim Penzin).
+* Bugfixes
+ - Fixed POLLIN|POLLHUP condition handling error resulting
+ in prematurely closed (truncated) connection.
+ - Fixed a null pointer dereference regression bug in the
+ "transparent = destination" functionality (thx to
+ Vadim Penzin). This bug was introduced in stunnel 5.00.
+ - Fixed startup thread synchronization with Win32 GUI.
+ - Fixed erroneously closed stdin/stdout/stderr if specified
+ as the -fd commandline option parameter.
+ - A number of minor Win32 GUI bugfixes and improvements.
+ - Merged most of the Windows CE patches (thx to Pierre Delaage).
+ - Fixed incorrect CreateService() error message on Win32.
+ - Implemented a workaround for defective Cygwin file
+ descriptor passing breaking the libwrap support:
+ http://wiki.osdev.org/Cygwin_Issues#Passing_file_descriptors
+
+Version 5.04, 2014.09.21, urgency: LOW:
+* New features
+ - Support for local mode ("exec" option) on Win32.
+ - Support for UTF-8 config file and log file.
+ - Win32 UTF-16 build (thx to Pierre Delaage for support).
+ - Support for Unicode file names on Win32.
+ - A more explicit service description provided for the
+ Windows SCM (thx to Pierre Delaage).
+ - TCP/IP dependency added for NT service in order to prevent
+ initialization failure at boot time.
+ - FIPS canister updated to version 2.0.8 in the Win32 binary
+ build.
+* Bugfixes
+ - load_icon_default() modified to return copies of default icons
+ instead of the original resources to prevent the resources
+ from being destroyed.
+ - Partially merged Windows CE patches (thx to Pierre Delaage).
+ - Fixed typos in stunnel.init.in and vc.mak.
+ - Fixed incorrect memory allocation statistics update in
+ str_realloc().
+ - Missing REMOTE_PORT environmental variable is provided to
+ processes spawned with "exec" on Unix platforms.
+ - Taskbar icon is no longer disabled for NT service.
+ - Fixed taskbar icon initialization when commandline options are
+ specified.
+ - Reportedly more compatible values used for the dwDesiredAccess
+ parameter of the CreateFile() function (thx to Pierre Delaage).
+ - A number of minor Win32 GUI bugfixes and improvements.
+
+Version 5.03, 2014.08.07, urgency: HIGH:
+* Security bugfixes
+ - OpenSSL DLLs updated to version 1.0.1i.
+ See https://www.openssl.org/news/secadv_20140806.txt
+* New features
+ - FIPS autoconfiguration cleanup.
+ - FIPS canister updated to version 2.0.6.
+ - Improved SNI diagnostic logging.
+* Bugfixes
+ - Compilation fixes for old versions of OpenSSL.
+ - Fixed whitespace handling in the stunnel.init script.
+
+Version 5.02, 2014.06.09, urgency: HIGH:
+* Security bugfixes
+ - OpenSSL DLLs updated to version 1.0.1h.
+ See https://www.openssl.org/news/secadv_20140605.txt
+* New features
+ - Major rewrite of the protocol.c interface: it is now possible to add
+ protocol negotiations at multiple connection phases, protocols can
+ individually decide whether the remote connection will be
+ established before or after SSL/TLS is negotiated.
+ - Heap memory blocks are wiped before release. This only works for
+ block allocated by stunnel, and not by OpenSSL or other libraries.
+ - The safe_memcmp() function implemented with execution time not
+ dependent on the compared data.
+ - Updated the stunnel.conf and stunnel.init templates.
+ - Added a client-mode example to the manual.
+* Bugfixes
+ - Fixed "failover = rr" broken since version 5.00.
+ - Fixed "taskbar = no" broken since version 5.00.
+ - Compilation fix for missing SSL_OP_MSIE_SSLV2_RSA_PADDING option.
+
+Version 5.01, 2014.04.08, urgency: HIGH:
+* Security bugfixes
+ - OpenSSL DLLs updated to version 1.0.1g.
+ This version mitigates TLS heartbeat read overrun (CVE-2014-0160).
+* New features
+ - X.509 extensions added to the created self-signed stunnel.pem.
+ - "FIPS = no" also allowed in non-FIPS builds of stunnel.
+ - Search all certificates with the same subject name for a matching
+ public key rather than only the first one (thx to Leon Winter).
+ - Create logs in the local application data folder if stunnel folder
+ is not writable on Win32.
+* Bugfixes
+ - close_notify not sent when SSL still has some data buffered.
+ - Protocol negotiation with server-side SNI fixed.
+ - A Mac OS X missing symbols fixed.
+ - Win32 configuration file reload crash fixed.
+ - Added s_pool_free() on exec+connect service retires.
+ - Line-buffering enforced on stderr output.
+
+stunnel 5.00 disables some features previously enabled by default.
+Users should review whether the new defaults are appropriate for their
+particular deployments. Packages maintainers may consider prepending
+the old defaults for "fips" (if supported by their OpenSSL library),
+"pid" and "libwrap" to stunnel.conf during automated updates.
+
+Version 5.00, 2014.03.06, urgency: HIGH:
+* Security bugfixes
+ - Added PRNG state update in fork threading (CVE-2014-0016).
+* New global configuration file defaults
+ - Default "fips" option value is now "no", as FIPS mode is only
+ helpful for compliance, and never for actual security.
+ - Default "pid" is now "", i.e. not to create a pid file at startup.
+* New service-level configuration file defaults
+ - Default "ciphers" updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2"
+ due to AlFBPPS attack and bad performance of DH ciphersuites.
+ - Default "libwrap" setting is now "no" to improve performance.
+* New features
+ - OpenSSL DLLs updated to version 1.0.1f.
+ - zlib DLL updated to version 1.2.8.
+ - autoconf scripts upgraded to version 2.69.
+ - TLS 1.1 and TLS 1.2 are now allowed in the FIPS mode.
+ - New service-level option "redirect" to redirect SSL client
+ connections on authentication failures instead of rejecting them.
+ - New global "engineDefault" configuration file option to control
+ which OpenSSL tasks are delegated to the current engine.
+ Available tasks: ALL, RSA, DSA, ECDH, ECDSA, DH, RAND, CIPHERS,
+ DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1.
+ - New service-level configuration file option "engineId" to select
+ the engine by identifier, e.g. "engineId = capi".
+ - New global configuration file option "log" to control whether to
+ append (the default), or to overwrite log file while (re)opening.
+ - Different taskbar icon colors to indicate the service state.
+ - New global configuration file options "iconIdle", "iconActive",
+ and "iconError" to select status icon on GUI taskbar.
+ - Removed the limit of 63 stunnel.conf sections on Win32 platform.
+ - Installation of a sample certificate was moved to a separate "cert"
+ target in order to allow unattended (e.g. scripted) installations.
+ - Reduced length of the logged thread identifier. It is still based
+ on the OS thread ID, and thus not unique over long periods of time.
+ - Improved readability of error messages printed when stunnel refuses
+ to start due to a critical error.
+* Bugfixes
+ - LD_PRELOAD Solaris compatibility bug fixed (thx to Norm Jacobs).
+ - CRYPTO_NUM_LOCKS replaced with CRYPTO_num_locks() to improve binary
+ compatibility with diverse builds of OpenSSL (thx to Norm Jacobs).
+ - Corrected round-robin failover behavior under heavy load. + - Numerous fixes in the engine support code. + - On Win32 platform .rnd file moved from c:\ to the stunnel folder. Version 4.57, 2015.04.01, urgency: HIGH: * Security bugfixes @@ -116,6 +781,7 @@ Version 4.51, 2012.01.09, urgency: MEDIUM: - New "compression = deflate" global option to enable RFC 2246 compresion. For compatibility with previous versions "compression = zlib" and "compression = rle" also enable the deflate (RFC 2246) compression. + - Compression is disabled by default. - Separate default ciphers and sslVersion for "fips = yes" and "fips = no". - UAC support for editing configuration file with Windows GUI. * Bugfixes @@ -518,7 +1184,7 @@ Version 4.19, 2006.11.11, urgency: LOW/EXPERIMENTAL: - There are a lot of new features in this version. I recommend to test it well before upgrading your mission-critical systems. * New features - - New service-level option to specify OCSP server flag: + - New service-level option to specify an OCSP responder flag: OCSPflag = - "protocolCredentials" option changed to "protocolUsername" and "protocolPassword" @@ -574,7 +1240,7 @@ Version 4.16, 2006.08.31, urgency: MEDIUM: - Default group is now detected by configure script. - Check for maximum number of defined services added. - OpenSSL_add_all_algorithms() added to SSL initialization. - - configure script sections reordered to detect pthread library funcions. + - configure script sections reordered to detect pthread library functions. - RFC 2487 autodetection improved. High resolution s_poll_wait() not currently supported by UCONTEXT threading. - More precise description of cert directory file names (thx to Muhammad diff --git a/INSTALL b/INSTALL index 9458fc7..2099840 100644 --- a/INSTALL +++ b/INSTALL 
@@ -1,40 +1,370 @@ -stunnel Unix install notes +Installation Instructions +************************* +Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation, +Inc. -1. If your machine supports POSIX threads make sure your SSL - library is compiled with -DTHREADS. + Copying and distribution of this file, with or without modification, +are permitted in any medium without royalty provided the copyright +notice and this notice are preserved. This file is offered as-is, +without warranty of any kind. -2. Compile the software: +Basic Installation +================== - ./configure - make - make install + Briefly, the shell command `./configure && make && make install' +should configure, build, and install this package. The following +more-detailed instructions are generic; see the `README' file for +instructions specific to this package. Some packages provide this +`INSTALL' file but do not implement all of the features documented +below. The lack of an optional feature in a given package is not +necessarily a bug. More recommendations for GNU packages can be found +in *note Makefile Conventions: (standards)Makefile Conventions. - (see potential options for 'configure' at the end of this file) + The `configure' shell script attempts to guess correct values for +various system-dependent variables used during compilation. It uses +those values to create a `Makefile' in each directory of the package. +It may also create one or more `.h' files containing system-dependent +definitions. Finally, it creates a shell script `config.status' that +you can run in the future to recreate the current configuration, and a +file `config.log' containing compiler output (useful mainly for +debugging `configure'). -3. Create stunnel configuration file (stunnel.conf). + It can also use an optional file (typically called `config.cache' +and enabled with `--cache-file=config.cache' or simply `-C') that saves +the results of its tests to speed up reconfiguring. 
Caching is +disabled by default to prevent problems with accidental use of stale +cache files. -4. Add stunnel invocation to your system's startup files. - For SysV-compatible init you can use stunnel.init script. + If you need to do unusual things to compile the package, please try +to figure out how `configure' could check whether to do them, and mail +diffs or instructions to the address given in the `README' so they can +be considered for the next release. If you are using the cache, and at +some point `config.cache' contains results you don't want to keep, you +may remove or edit it. - or + The file `configure.ac' (or `configure.in') is used to create +`configure' by a program called `autoconf'. You need `configure.ac' if +you want to change it or regenerate `configure' using a newer version +of `autoconf'. - Modify /etc/services and /etc/inetd.conf, restart inetd (inetd mode). + The simplest way to compile this package is: - See the manual for details. + 1. `cd' to the directory containing the package's source code and type + `./configure' to configure the package for your system. -5. There are a variety of compile-time options you may supply when - running configure. Most commonly used are: + Running `configure' might take a while. While running, it prints + some messages telling which features it is checking for. - --with-ssl=DIR - where your SSL libraries and include files are installed + 2. Type `make' to compile the package. - --with-random=FILE - read randomness from FILE for PRNG seeding + 3. Optionally, type `make check' to run any self-tests that come with + the package, generally using the just-built uninstalled binaries. - --with-egd-socket=FILE - location of Entropy Gathering Daemon socket, if running EGD - (for example on a machine that lacks a /dev/urandom device) + 4. Type `make install' to install the programs and any data files and + documentation. 
When installing into a prefix owned by root, it is + recommended that the package be configured and built as a regular + user, and only the `make install' phase executed with root + privileges. - Use `./configure --help' to see all the options. + 5. Optionally, type `make installcheck' to repeat any self-tests, but + this time using the binaries in their final installed location. + This target does not install anything. Running this target as a + regular user, particularly if the prior `make install' required + root privileges, verifies that the installation completed + correctly. + 6. You can remove the program binaries and object files from the + source code directory by typing `make clean'. To also remove the + files that `configure' created (so you can compile the package for + a different kind of computer), type `make distclean'. There is + also a `make maintainer-clean' target, but that is intended mainly + for the package's developers. If you use it, you may have to get + all sorts of other programs in order to regenerate files that came + with the distribution. + + 7. Often, you can also type `make uninstall' to remove the installed + files again. In practice, not all packages have tested that + uninstallation works correctly, even though it is required by the + GNU Coding Standards. + + 8. Some packages, particularly those that use Automake, provide `make + distcheck', which can by used by developers to test that all other + targets like `make install' and `make uninstall' work correctly. + This target is generally not run by end users. + +Compilers and Options +===================== + + Some systems require unusual options for compilation or linking that +the `configure' script does not know about. Run `./configure --help' +for details on some of the pertinent environment variables. + + You can give `configure' initial values for configuration parameters +by setting variables in the command line or in the environment. 
Here +is an example: + + ./configure CC=c99 CFLAGS=-g LIBS=-lposix + + *Note Defining Variables::, for more details. + +Compiling For Multiple Architectures +==================================== + + You can compile the package for more than one kind of computer at the +same time, by placing the object files for each architecture in their +own directory. To do this, you can use GNU `make'. `cd' to the +directory where you want the object files and executables to go and run +the `configure' script. `configure' automatically checks for the +source code in the directory that `configure' is in and in `..'. This +is known as a "VPATH" build. + + With a non-GNU `make', it is safer to compile the package for one +architecture at a time in the source code directory. After you have +installed the package for one architecture, use `make distclean' before +reconfiguring for another architecture. + + On MacOS X 10.5 and later systems, you can create libraries and +executables that work on multiple system types--known as "fat" or +"universal" binaries--by specifying multiple `-arch' options to the +compiler but only a single `-arch' option to the preprocessor. Like +this: + + ./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ + CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ + CPP="gcc -E" CXXCPP="g++ -E" + + This is not guaranteed to produce working output in all cases, you +may have to build one architecture at a time and combine the results +using the `lipo' tool if you have problems. + +Installation Names +================== + + By default, `make install' installs the package's commands under +`/usr/local/bin', include files under `/usr/local/include', etc. You +can specify an installation prefix other than `/usr/local' by giving +`configure' the option `--prefix=PREFIX', where PREFIX must be an +absolute file name. + + You can specify separate installation prefixes for +architecture-specific files and architecture-independent files. 
If you +pass the option `--exec-prefix=PREFIX' to `configure', the package uses +PREFIX as the prefix for installing programs and libraries. +Documentation and other data files still use the regular prefix. + + In addition, if you use an unusual directory layout you can give +options like `--bindir=DIR' to specify different values for particular +kinds of files. Run `configure --help' for a list of the directories +you can set and what kinds of files go in them. In general, the +default for these options is expressed in terms of `${prefix}', so that +specifying just `--prefix' will affect all of the other directory +specifications that were not explicitly provided. + + The most portable way to affect installation locations is to pass the +correct locations to `configure'; however, many packages provide one or +both of the following shortcuts of passing variable assignments to the +`make install' command line to change installation locations without +having to reconfigure or recompile. + + The first method involves providing an override variable for each +affected directory. For example, `make install +prefix=/alternate/directory' will choose an alternate location for all +directory configuration variables that were expressed in terms of +`${prefix}'. Any directories that were specified during `configure', +but not in terms of `${prefix}', must each be overridden at install +time for the entire installation to be relocated. The approach of +makefile variable overrides for each directory variable is required by +the GNU Coding Standards, and ideally causes no recompilation. +However, some platforms have known limitations with the semantics of +shared libraries that end up requiring recompilation when using this +method, particularly noticeable in packages that use GNU Libtool. + + The second method involves providing the `DESTDIR' variable. For +example, `make install DESTDIR=/alternate/directory' will prepend +`/alternate/directory' before all installation names. 
The approach of +`DESTDIR' overrides is not required by the GNU Coding Standards, and +does not work on platforms that have drive letters. On the other hand, +it does better at avoiding recompilation issues, and works well even +when some directory options were not specified in terms of `${prefix}' +at `configure' time. + +Optional Features +================= + + If the package supports it, you can cause programs to be installed +with an extra prefix or suffix on their names by giving `configure' the +option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. + + Some packages pay attention to `--enable-FEATURE' options to +`configure', where FEATURE indicates an optional part of the package. +They may also pay attention to `--with-PACKAGE' options, where PACKAGE +is something like `gnu-as' or `x' (for the X Window System). The +`README' should mention any `--enable-' and `--with-' options that the +package recognizes. + + For packages that use the X Window System, `configure' can usually +find the X include and library files automatically, but if it doesn't, +you can use the `configure' options `--x-includes=DIR' and +`--x-libraries=DIR' to specify their locations. + + Some packages offer the ability to configure how verbose the +execution of `make' will be. For these packages, running `./configure +--enable-silent-rules' sets the default to minimal output, which can be +overridden with `make V=1'; while running `./configure +--disable-silent-rules' sets the default to verbose, which can be +overridden with `make V=0'. + +Particular systems +================== + + On HP-UX, the default C compiler is not ANSI C compatible. If GNU +CC is not installed, it is recommended to use the following options in +order to use an ANSI C compiler: + + ./configure CC="cc -Ae -D_XOPEN_SOURCE=500" + +and if that doesn't work, install pre-built binaries of GCC for HP-UX. 
+ + HP-UX `make' updates targets which have the same time stamps as +their prerequisites, which makes it generally unusable when shipped +generated files such as `configure' are involved. Use GNU `make' +instead. + + On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot +parse its `' header file. The option `-nodtk' can be used as +a workaround. If GNU CC is not installed, it is therefore recommended +to try + + ./configure CC="cc" + +and if that doesn't work, try + + ./configure CC="cc -nodtk" + + On Solaris, don't put `/usr/ucb' early in your `PATH'. This +directory contains several dysfunctional programs; working variants of +these programs are available in `/usr/bin'. So, if you need `/usr/ucb' +in your `PATH', put it _after_ `/usr/bin'. + + On Haiku, software installed for all users goes in `/boot/common', +not `/usr/local'. It is recommended to use the following options: + + ./configure --prefix=/boot/common + +Specifying the System Type +========================== + + There may be some features `configure' cannot figure out +automatically, but needs to determine by the type of machine the package +will run on. Usually, assuming the package is built to be run on the +_same_ architectures, `configure' can figure that out, but if it prints +a message saying it cannot guess the machine type, give it the +`--build=TYPE' option. TYPE can either be a short name for the system +type, such as `sun4', or a canonical name which has the form: + + CPU-COMPANY-SYSTEM + +where SYSTEM can have one of these forms: + + OS + KERNEL-OS + + See the file `config.sub' for the possible values of each field. If +`config.sub' isn't included in this package, then this package doesn't +need to know the machine type. + + If you are _building_ compiler tools for cross-compiling, you should +use the option `--target=TYPE' to select the type of system they will +produce code for. 
+ + If you want to _use_ a cross compiler, that generates code for a +platform different from the build platform, you should specify the +"host" platform (i.e., that on which the generated programs will +eventually be run) with `--host=TYPE'. + +Sharing Defaults +================ + + If you want to set default values for `configure' scripts to share, +you can create a site shell script called `config.site' that gives +default values for variables like `CC', `cache_file', and `prefix'. +`configure' looks for `PREFIX/share/config.site' if it exists, then +`PREFIX/etc/config.site' if it exists. Or, you can set the +`CONFIG_SITE' environment variable to the location of the site script. +A warning: not all `configure' scripts look for a site script. + +Defining Variables +================== + + Variables not defined in a site shell script can be set in the +environment passed to `configure'. However, some packages may run +configure again during the build, and the customized values of these +variables may be lost. In order to avoid this problem, you should set +them in the `configure' command line, using `VAR=value'. For example: + + ./configure CC=/usr/local2/bin/gcc + +causes the specified `gcc' to be used as the C compiler (unless it is +overridden in the site shell script). + +Unfortunately, this technique does not work for `CONFIG_SHELL' due to +an Autoconf limitation. Until the limitation is lifted, you can use +this workaround: + + CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash + +`configure' Invocation +====================== + + `configure' recognizes the following options to control how it +operates. + +`--help' +`-h' + Print a summary of all of the options to `configure', and exit. + +`--help=short' +`--help=recursive' + Print a summary of the options unique to this package's + `configure', and exit. The `short' variant lists options used + only in the top level, while the `recursive' variant lists options + also present in any nested packages. 
+ +`--version' +`-V' + Print the version of Autoconf used to generate the `configure' + script, and exit. + +`--cache-file=FILE' + Enable the cache: use and save the results of the tests in FILE, + traditionally `config.cache'. FILE defaults to `/dev/null' to + disable caching. + +`--config-cache' +`-C' + Alias for `--cache-file=config.cache'. + +`--quiet' +`--silent' +`-q' + Do not print messages saying which checks are being made. To + suppress all normal output, redirect it to `/dev/null' (any error + messages will still be shown). + +`--srcdir=DIR' + Look for the package's source code in directory DIR. Usually + `configure' can determine that directory automatically. + +`--prefix=DIR' + Use DIR as the installation prefix. *note Installation Names:: + for more details, including other options available for fine-tuning + the installation locations. + +`--no-create' +`-n' + Run the configure checks, but stop before creating any output + files. + +`configure' also accepts some other, not widely useful, options. Run +`configure --help' for more details. diff --git a/INSTALL.FIPS b/INSTALL.FIPS index e438f9a..247e025 100644 --- a/INSTALL.FIPS +++ b/INSTALL.FIPS @@ -2,10 +2,12 @@ stunnel FIPS install notes Unix HOWTO: -FIPS mode is autodetected if possible. You can force it with: - ./configure --enable-fips -or disable with: - ./configure --disable-fips +* Only dynamic linking of the FIPS-enabled OpenSSL is currently supported, + i.e. FIPS-enabled OpenSSL has to be configured with "shared" parameter. +* FIPS mode is autodetected if possible. It can be forced with: + ./configure --enable-fips + or disable with: + ./configure --disable-fips WIN32 HOWTO: * On 32-bit Windows install one of the following compilers: 
@@ -15,7 +17,7 @@ WIN32 HOWTO: - MSVC 8.0 (VS 2005) Standard or Professional Edition - MSVC 9.0 (VS 2008) Standard or Professional Edition * Build FIPS-compliant OpenSSL DLLS according to: - http://www.openssl.org/docs/fips/UserGuide-1.2.pdf + https://www.openssl.org/docs/fips/UserGuide-2.0.pdf * Build stunnel normally with MSVC or Mingw. Mingw build requires DLL stubs. Stubs can be built with: dlltool --def ms/libeay32.def --output-lib libcrypto.a diff --git a/INSTALL.W32 b/INSTALL.W32 index fa6a85d..c5a4926 100644 --- a/INSTALL.W32 +++ b/INSTALL.W32 
@@ -1,51 +1,66 @@ stunnel Windows install notes -Building stunnel from source (optional): +Cross-compiling stunnel from source with MinGW (optional): - 1) Install mingw32 cross-compiler o a Unix/Linux machine. - In Debian all you need is: - apt-get install gcc-mingw32 - Native compilation on a Windows machine is possible, but not supported. + 1) Install the mingw32 cross-compiler on a Unix/Linux machine. + On Debian (and derivatives, including Ubuntu): + sudo apt-get install gcc-mingw-w64-i686 + On Arch Linux: + sudo pacman -S mingw-w64-gcc - 2) Download the recent zlib from http://www.zlib.net/ - Update the following definitions in win32/Makefile.gcc file: - SHARED_MODE=1 - PREFIX = i586-mingw32msvc- - then build zlib with: - make -f win32/Makefile.gcc - and install it in mingw32 tree: - sudo BINARY_PATH=~/ \ - INCLUDE_PATH=/usr/i586-mingw32msvc/include/ \ - LIBRARY_PATH=/usr/i586-mingw32msvc/lib/ \ - make -f win32/Makefile.gcc install - - 3) Download the recent OpenSSL in unpack it to /usr/src/ directory. - cd /usr/src + 2) Download the recent OpenSSL and unpack it: tar zvxf ~/openssl-(version).tar.gz - mv openssl-(version) openssl-(version)-i586 + mv openssl-(version) openssl-(version)-i686 + cd openssl-(version)-i686/ - 4) Build OpenSSL. - ./Configure --cross-compile-prefix=i586-mingw32msvc- mingw shared zlib-dynamic + 3) Build OpenSSL. + For 32-bit Windows: + ./Configure \ + --cross-compile-prefix=i686-w64-mingw32- \ + --openssldir=/opt/openssl-mingw mingw shared make + sudo make install + sudo cp ms/applink.c /opt/openssl-mingw/include/openssl/ + For 64-bit Windows: + ./Configure \ + --cross-compile-prefix=x86_64-w64-mingw32- \ + --openssldir=/opt/openssl-mingw64 mingw64 shared + make + sudo make install + sudo cp ms/applink.c /opt/openssl-mingw64/include/openssl/ - 5) Download and unpack stunnel-(version).tar.gz. + 4) Download and unpack stunnel-(version).tar.gz. - 6) Configure stunnel. 
+ 5) Configure stunnel: cd stunnel-(version) - ./configure --with-ssl=/path/to/openssl-(version) + ./configure - 7) Build windows executable. + 6) Build Windows 32-bit and/or 64-bit executables: cd src - make stunnel.exe + make mingw + make mingw64 + + +Building stunnel from source with MinGW (optional): + + Building on a Windows machine is possible, but not currently supported. + + +Building stunnel from source with Visual Studio (optional): + + TODO Installing stunnel: - 1) run installer to install precompiled binaries or copy stunnel.exe and - OpenSSL DLLs into a directory + 1) Run installer to install the precompiled binaries, or + copy the stunnel.exe or tstunnel.exe executable located in the + /stunnel-(version)/bin/mingw/ directory into the destination + directory on a Windows machine, and + copy OpenSSL DLLs: libeay32.dll, libssp-0.dll and ssleay32.dll + into the same directory, if necessary. - 2) read the manual (stunnel.html) - - 3) create/edit stunnel.conf configuration file + 2) Read the manual (stunnel.html). + 3) Create/edit the stunnel.conf configuration file. diff --git a/Makefile.am b/Makefile.am index cf9fea1..b7a2503 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,4 +1,5 @@ ## Process this file with automake to produce Makefile.in +# by Michal Trojnara 2015-2017 ACLOCAL_AMFLAGS = -I m4 @@ -10,7 +11,7 @@ libtool: $(LIBTOOL_DEPS) EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS EXTRA_DIST += INSTALL.W32 INSTALL.WCE INSTALL.FIPS -EXTRA_DIST += build-android.sh +EXTRA_DIST += build-android.sh .travis.yml docdir = $(datadir)/doc/stunnel doc_DATA = INSTALL README TODO COPYING AUTHORS ChangeLog 
@@ -21,19 +22,39 @@ distcleancheck_listfiles = find -type f -exec sh -c 'test -f $(srcdir)/{} || ech distclean-local: rm -rf autom4te.cache - rm -f $(distdir)-installer.exe +# rm -f $(distdir)-win32-installer.exe #dist-hook: -# makensis -NOCD -DVERSION=${VERSION} -DSRCDIR=$(srcdir) \ -# -DOPENSSL=/usr/src/openssl-0.9.8u-fips/out32dll \ -# -DZLIB=/usr/src/zlib-1.2.6-i586 \ +# makensis -NOCD -DVERSION=${VERSION} \ +# -DSTUNNEL_DIR=$(srcdir) \ +# -DROOT_DIR=/usr/src \ # $(srcdir)/tools/stunnel.nsi -# cp -f $(distdir)-installer.exe ../dist -# gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir)-installer.exe - sign: dist - cp -f $(distdir).tar.gz ../dist - gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir).tar.gz - sha256sum $(distdir).tar.gz | tee ../dist/$(distdir).tar.gz.sha256 + cp -f $(distdir).tar.gz $(distdir)-win32-installer.exe $(distdir)-android.zip ../dist + gpg-agent --daemon /bin/sh -c "cd ../dist; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir).tar.gz; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-win32-installer.exe; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-android.zip" + sha256sum $(distdir).tar.gz >../dist/$(distdir).tar.gz.sha256 + sha256sum $(distdir)-win32-installer.exe >../dist/$(distdir)-win32-installer.exe.sha256 + sha256sum $(distdir)-android.zip >../dist/$(distdir)-android.zip.sha256 + cat ../dist/$(distdir)*.sha256 | tac +cert: + $(MAKE) -C tools cert + +test: + $(abs_builddir)/src/stunnel -version + @echo "No tests are currently implemented" + +install-data-hook: + @echo "*********************************************************" + @echo "* Type 'make cert' to also install a sample certificate *" + @echo "*********************************************************" + +edit = sed \ + -e 's|@bindir[@]|$(bindir)|g' \ + -e 's|@sysconfdir[@]|$(sysconfdir)|g' + +stunnel.pod: Makefile + $(edit) '$(srcdir)/$@.in' >$@ + +stunnel.pod: $(srcdir)/stunnel.pod 
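Review bot: In the new `sign` recipe the `cd ../dist` and the three `gpg --detach-sign` calls are joined with `;` inside a single `/bin/sh -c` string, so the shell's exit status is that of the last gpg call only; a failed `cd` or a failed signature on the tarball or the Win32 installer would not stop the target, and the `sha256sum` lines would still run. Joining the commands with `&&` (`cd ../dist && gpg … $(distdir).tar.gz && gpg … $(distdir)-win32-installer.exe && gpg … $(distdir)-android.zip`) makes any signing failure abort `make sign`. The `.sha256` files are written unsigned and are computed from the build-directory files rather than the copies in `../dist` that were signed, so a comment such as `# checksums detect corruption only; authenticity comes from the detached .asc signatures` above them would state the intent. `--force-v3-sigs` is a legacy option that, as far as I know, GnuPG 2.1 and later accept but ignore, so it is worth confirming which signature format the release tooling actually produces.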
diff --git a/Makefile.in b/Makefile.in index 806d7bd..d893acb 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,9 +1,8 @@ -# Makefile.in generated by automake 1.11.1 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, -# Inc. +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
@@ -15,7 +14,54 @@ @SET_MAKE@ +# by Michal Trojnara 2015-2017 + VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ 
@@ -35,11 +81,14 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = . -DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \ - $(srcdir)/Makefile.in $(top_srcdir)/configure AUTHORS COPYING \ - ChangeLog INSTALL NEWS TODO auto/compile auto/config.guess \ - auto/config.sub auto/depcomp auto/install-sh auto/ltmain.sh \ - auto/missing +DIST_COMMON = INSTALL NEWS README AUTHORS ChangeLog \ + $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/configure $(am__configure_deps) COPYING TODO \ + auto/compile auto/config.guess auto/config.sub auto/depcomp \ + auto/install-sh auto/missing auto/ltmain.sh \ + $(top_srcdir)/auto/compile $(top_srcdir)/auto/config.guess \ + $(top_srcdir)/auto/config.sub $(top_srcdir)/auto/install-sh \ + $(top_srcdir)/auto/ltmain.sh $(top_srcdir)/auto/missing ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ 
@@ -53,15 +102,33 @@ mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = SOURCES = DIST_SOURCES = -RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \ - html-recursive info-recursive install-data-recursive \ - install-dvi-recursive install-exec-recursive \ - install-html-recursive install-info-recursive \ - install-pdf-recursive install-ps-recursive install-recursive \ - installcheck-recursive installdirs-recursive pdf-recursive \ - ps-recursive uninstall-recursive +RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \ + ctags-recursive dvi-recursive html-recursive info-recursive \ + install-data-recursive install-dvi-recursive \ + install-exec-recursive install-html-recursive \ + install-info-recursive install-pdf-recursive \ + install-ps-recursive install-recursive installcheck-recursive \ + installdirs-recursive pdf-recursive ps-recursive \ + tags-recursive uninstall-recursive +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ 
@@ -83,23 +150,53 @@ am__nobase_list = $(am__nobase_strip_setup); \ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } am__installdirs = "$(DESTDIR)$(docdir)" DATA = $(doc_DATA) RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive -AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ - $(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \ - distdir dist dist-all distcheck +am__recursive_targets = \ + $(RECURSIVE_TARGETS) \ + $(RECURSIVE_CLEAN_TARGETS) \ + $(am__extra_recursive_targets) +AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \ + cscope distdir dist dist-all distcheck +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +CSCOPE = cscope DIST_SUBDIRS = $(SUBDIRS) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) distdir = $(PACKAGE)-$(VERSION) top_distdir = $(distdir) am__remove_distdir = \ - { test ! 
-d "$(distdir)" \ - || { find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \ - && rm -fr "$(distdir)"; }; } + if test -d "$(distdir)"; then \ + find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \ + && rm -rf "$(distdir)" \ + || { sleep 5 && rm -rf "$(distdir)"; }; \ + else :; fi +am__post_remove_distdir = $(am__remove_distdir) am__relativize = \ dir0=`pwd`; \ sed_first='s,^\([^/]*\)/.*$$,\1,'; \ @@ -127,9 +224,13 @@ am__relativize = \ reldir="$$dir2" DIST_ARCHIVES = $(distdir).tar.gz GZIP_ENV = --best +DIST_TARGETS = dist-gzip distuninstallcheck_listfiles = find . -type f -print +am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \ + | sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$' ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ @@ -144,6 +245,7 @@ CYGPATH_W = @CYGPATH_W@ DEFAULT_GROUP = @DEFAULT_GROUP@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ +DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -168,6 +270,7 @@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ NM = @NM@ NMEDIT = @NMEDIT@ @@ -183,6 +286,9 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PTHREAD_CC = @PTHREAD_CC@ +PTHREAD_CFLAGS = @PTHREAD_CFLAGS@ +PTHREAD_LIBS = @PTHREAD_LIBS@ RANDOM_FILE = @RANDOM_FILE@ RANLIB = @RANLIB@ SED = @SED@ @@ -195,6 +301,7 @@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ 
@@ -202,6 +309,7 @@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +ax_pthread_config = @ax_pthread_config@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -227,7 +335,6 @@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ -lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -235,12 +342,10 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ -stunnel_CFLAGS = @stunnel_CFLAGS@ -stunnel_LDFLAGF = @stunnel_LDFLAGF@ -stunnel_LDFLAGS = @stunnel_LDFLAGS@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ @@ -249,14 +354,18 @@ top_srcdir = @top_srcdir@ ACLOCAL_AMFLAGS = -I m4 SUBDIRS = src doc tools EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE \ - INSTALL.FIPS build-android.sh + INSTALL.FIPS build-android.sh .travis.yml doc_DATA = INSTALL README TODO COPYING AUTHORS ChangeLog PORTS BUGS \ COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE INSTALL.FIPS distcleancheck_listfiles = find -type f -exec sh -c 'test -f $(srcdir)/{} || echo {}' ';' +edit = sed \ + -e 's|@bindir[@]|$(bindir)|g' \ + -e 's|@sysconfdir[@]|$(sysconfdir)|g' + all: all-recursive .SUFFIXES: -am--refresh: +am--refresh: Makefile @: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ 
@@ -301,8 +410,11 @@ distclean-libtool: -rm -f libtool config.lt install-docDATA: $(doc_DATA) @$(NORMAL_INSTALL) - test -z "$(docdir)" || $(MKDIR_P) "$(DESTDIR)$(docdir)" @list='$(doc_DATA)'; test -n "$(docdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \ + fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ 
@@ -316,27 +428,28 @@ uninstall-docDATA: @$(NORMAL_UNINSTALL) @list='$(doc_DATA)'; test -n "$(docdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ - test -n "$$files" || exit 0; \ - echo " ( cd '$(DESTDIR)$(docdir)' && rm -f" $$files ")"; \ - cd "$(DESTDIR)$(docdir)" && rm -f $$files + dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir) # This directory's subdirectories are mostly independent; you can cd -# into them and run `make' without going through this Makefile. -# To change the values of `make' variables: instead of editing Makefiles, -# (1) if the variable is set in `config.status', edit `config.status' -# (which will cause the Makefiles to be regenerated when you run `make'); -# (2) otherwise, pass the desired values on the `make' command line. -$(RECURSIVE_TARGETS): - @fail= failcom='exit 1'; \ - for f in x $$MAKEFLAGS; do \ - case $$f in \ - *=* | --[!k]*);; \ - *k*) failcom='fail=yes';; \ - esac; \ - done; \ +# into them and run 'make' without going through this Makefile. +# To change the values of 'make' variables: instead of editing Makefiles, +# (1) if the variable is set in 'config.status', edit 'config.status' +# (which will cause the Makefiles to be regenerated when you run 'make'); +# (2) otherwise, pass the desired values on the 'make' command line. +$(am__recursive_targets): + @fail=; \ + if $(am__make_keepgoing); then \ + failcom='fail=yes'; \ + else \ + failcom='exit 1'; \ + fi; \ dot_seen=no; \ target=`echo $@ | sed s/-recursive//`; \ - list='$(SUBDIRS)'; for subdir in $$list; do \ + case "$@" in \ + distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ + *) list='$(SUBDIRS)' ;; \ + esac; \ + for subdir in $$list; do \ echo "Making $$target in $$subdir"; \ if test "$$subdir" = "."; then \ dot_seen=yes; \ 
@@ -351,57 +464,12 @@ $(RECURSIVE_TARGETS): $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ fi; test -z "$$fail" -$(RECURSIVE_CLEAN_TARGETS): - @fail= failcom='exit 1'; \ - for f in x $$MAKEFLAGS; do \ - case $$f in \ - *=* | --[!k]*);; \ - *k*) failcom='fail=yes';; \ - esac; \ - done; \ - dot_seen=no; \ - case "$@" in \ - distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ - *) list='$(SUBDIRS)' ;; \ - esac; \ - rev=''; for subdir in $$list; do \ - if test "$$subdir" = "."; then :; else \ - rev="$$subdir $$rev"; \ - fi; \ - done; \ - rev="$$rev ."; \ - target=`echo $@ | sed s/-recursive//`; \ - for subdir in $$rev; do \ - echo "Making $$target in $$subdir"; \ - if test "$$subdir" = "."; then \ - local_target="$$target-am"; \ - else \ - local_target="$$target"; \ - fi; \ - ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ - || eval $$failcom; \ - done && test -z "$$fail" -tags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ - done -ctags-recursive: - list='$(SUBDIRS)'; for subdir in $$list; do \ - test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ - done +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-recursive +TAGS: tags -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ 
@@ -417,12 +485,7 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ fi; \ done; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ + $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ @@ -434,15 +497,11 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $$unique; \ fi; \ fi -ctags: CTAGS -CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ +ctags: ctags-recursive + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique 
@@ -451,9 +510,31 @@ GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" +cscope: cscope.files + test ! -s cscope.files \ + || $(CSCOPE) -b -q $(AM_CSCOPEFLAGS) $(CSCOPEFLAGS) -i cscope.files $(CSCOPE_ARGS) +clean-cscope: + -rm -f cscope.files +cscope.files: clean-cscope cscopelist +cscopelist: cscopelist-recursive + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + -rm -f cscope.out cscope.in.out cscope.po.out cscope.files distdir: $(DISTFILES) $(am__remove_distdir) @@ -489,13 +570,10 @@ distdir: $(DISTFILES) done @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ - test -d "$(distdir)/$$subdir" \ - || $(MKDIR_P) "$(distdir)/$$subdir" \ - || exit 1; \ - fi; \ - done - @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ - if test "$$subdir" = .; then :; else \ + $(am__make_dryrun) \ + || test -d "$(distdir)/$$subdir" \ + || $(MKDIR_P) "$(distdir)/$$subdir" \ + || exit 1; \ dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ $(am__relativize); \ new_distdir=$$reldir; \ 
@@ -524,36 +602,42 @@ distdir: $(DISTFILES) || chmod -R a+r "$(distdir)" dist-gzip: distdir tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz - $(am__remove_distdir) + $(am__post_remove_distdir) dist-bzip2: distdir - tardir=$(distdir) && $(am__tar) | bzip2 -9 -c >$(distdir).tar.bz2 - $(am__remove_distdir) + tardir=$(distdir) && $(am__tar) | BZIP2=$${BZIP2--9} bzip2 -c >$(distdir).tar.bz2 + $(am__post_remove_distdir) -dist-lzma: distdir - tardir=$(distdir) && $(am__tar) | lzma -9 -c >$(distdir).tar.lzma - $(am__remove_distdir) +dist-lzip: distdir + tardir=$(distdir) && $(am__tar) | lzip -c $${LZIP_OPT--9} >$(distdir).tar.lz + $(am__post_remove_distdir) dist-xz: distdir - tardir=$(distdir) && $(am__tar) | xz -c >$(distdir).tar.xz - $(am__remove_distdir) + tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz + $(am__post_remove_distdir) dist-tarZ: distdir + @echo WARNING: "Support for shar distribution archives is" \ + "deprecated." >&2 + @echo WARNING: "It will be removed altogether in Automake 2.0" >&2 tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z - $(am__remove_distdir) + $(am__post_remove_distdir) dist-shar: distdir + @echo WARNING: "Support for distribution archives compressed with" \ + "legacy program 'compress' is deprecated." >&2 + @echo WARNING: "It will be removed altogether in Automake 2.0" >&2 shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz - $(am__remove_distdir) + $(am__post_remove_distdir) dist-zip: distdir -rm -f $(distdir).zip zip -rq $(distdir).zip $(distdir) - $(am__remove_distdir) + $(am__post_remove_distdir) -dist dist-all: distdir - tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz - $(am__remove_distdir) +dist dist-all: + $(MAKE) $(AM_MAKEFLAGS) $(DIST_TARGETS) am__post_remove_distdir='@:' + $(am__post_remove_distdir) # This target untars the dist file and tries a VPATH configuration. 
Then # it guarantees that the distribution is self-contained by making another @@ -564,8 +648,8 @@ distcheck: dist GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\ *.tar.bz2*) \ bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\ - *.tar.lzma*) \ - lzma -dc $(distdir).tar.lzma | $(am__untar) ;;\ + *.tar.lz*) \ + lzip -dc $(distdir).tar.lz | $(am__untar) ;;\ *.tar.xz*) \ xz -dc $(distdir).tar.xz | $(am__untar) ;;\ *.tar.Z*) \ @@ -575,17 +659,19 @@ distcheck: dist *.zip*) \ unzip $(distdir).zip ;;\ esac - chmod -R a-w $(distdir); chmod u+w $(distdir) - mkdir $(distdir)/_build - mkdir $(distdir)/_inst + chmod -R a-w $(distdir) + chmod u+w $(distdir) + mkdir $(distdir)/_build $(distdir)/_inst chmod a-w $(distdir) test -d $(distdir)/_build || exit 0; \ dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \ && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \ && am__cwd=`pwd` \ && $(am__cd) $(distdir)/_build \ - && ../configure --srcdir=.. --prefix="$$dc_install_base" \ + && ../configure \ + $(AM_DISTCHECK_CONFIGURE_FLAGS) \ $(DISTCHECK_CONFIGURE_FLAGS) \ + --srcdir=.. --prefix="$$dc_install_base" \ && $(MAKE) $(AM_MAKEFLAGS) \ && $(MAKE) $(AM_MAKEFLAGS) dvi \ && $(MAKE) $(AM_MAKEFLAGS) check \ 
@@ -608,13 +694,21 @@ distcheck: dist && $(MAKE) $(AM_MAKEFLAGS) distcleancheck \ && cd "$$am__cwd" \ || exit 1 - $(am__remove_distdir) + $(am__post_remove_distdir) @(echo "$(distdir) archives ready for distribution: "; \ list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \ sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x' distuninstallcheck: - @$(am__cd) '$(distuninstallcheck_dir)' \ - && test `$(distuninstallcheck_listfiles) | wc -l` -le 1 \ + @test -n '$(distuninstallcheck_dir)' || { \ + echo 'ERROR: trying to run $@ with an empty' \ + '$$(distuninstallcheck_dir)' >&2; \ + exit 1; \ + }; \ + $(am__cd) '$(distuninstallcheck_dir)' || { \ + echo 'ERROR: cannot chdir into $(distuninstallcheck_dir)' >&2; \ + exit 1; \ + }; \ + test `$(am__distuninstallcheck_listfiles) | wc -l` -eq 0 \ || { echo "ERROR: files left after uninstall:" ; \ if test -n "$(DESTDIR)"; then \ echo " (check DESTDIR support)"; \ @@ -648,10 +742,15 @@ install-am: all-am installcheck: installcheck-recursive install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi mostlyclean-generic: clean-generic: @@ -686,7 +785,8 @@ info: info-recursive info-am: install-data-am: install-docDATA - + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) install-data-hook install-dvi: install-dvi-recursive install-dvi-am: 
@@ -733,46 +833,63 @@ ps-am: uninstall-am: uninstall-docDATA -.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \ - install-am install-strip tags-recursive +.MAKE: $(am__recursive_targets) install-am install-data-am \ + install-strip -.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \ - all all-am am--refresh check check-am clean clean-generic \ - clean-libtool ctags ctags-recursive dist dist-all dist-bzip2 \ - dist-gzip dist-lzma dist-shar dist-tarZ dist-xz dist-zip \ - distcheck distclean distclean-generic distclean-libtool \ - distclean-local distclean-tags distcleancheck distdir \ - distuninstallcheck dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am \ - install-docDATA install-dvi install-dvi-am install-exec \ - install-exec-am install-html install-html-am install-info \ - install-info-am install-man install-pdf install-pdf-am \ - install-ps install-ps-am install-strip installcheck \ - installcheck-am installdirs installdirs-am maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \ - uninstall uninstall-am uninstall-docDATA +.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \ + am--refresh check check-am clean clean-cscope clean-generic \ + clean-libtool cscope cscopelist-am ctags ctags-am dist \ + dist-all dist-bzip2 dist-gzip dist-lzip dist-shar dist-tarZ \ + dist-xz dist-zip distcheck distclean distclean-generic \ + distclean-libtool distclean-local distclean-tags \ + distcleancheck distdir distuninstallcheck dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-data-hook install-docDATA install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + 
installdirs-am maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ + ps ps-am tags tags-am uninstall uninstall-am uninstall-docDATA libtool: $(LIBTOOL_DEPS) $(SHELL) ./config.status libtool distclean-local: rm -rf autom4te.cache - rm -f $(distdir)-installer.exe +# rm -f $(distdir)-win32-installer.exe #dist-hook: -# makensis -NOCD -DVERSION=${VERSION} -DSRCDIR=$(srcdir) \ -# -DOPENSSL=/usr/src/openssl-0.9.8u-fips/out32dll \ -# -DZLIB=/usr/src/zlib-1.2.6-i586 \ +# makensis -NOCD -DVERSION=${VERSION} \ +# -DSTUNNEL_DIR=$(srcdir) \ +# -DROOT_DIR=/usr/src \ # $(srcdir)/tools/stunnel.nsi -# cp -f $(distdir)-installer.exe ../dist -# gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir)-installer.exe - sign: dist - cp -f $(distdir).tar.gz ../dist - gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir).tar.gz - sha256sum $(distdir).tar.gz | tee ../dist/$(distdir).tar.gz.sha256 + cp -f $(distdir).tar.gz $(distdir)-win32-installer.exe $(distdir)-android.zip ../dist + gpg-agent --daemon /bin/sh -c "cd ../dist; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir).tar.gz; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-win32-installer.exe; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-android.zip" + sha256sum $(distdir).tar.gz >../dist/$(distdir).tar.gz.sha256 + sha256sum $(distdir)-win32-installer.exe >../dist/$(distdir)-win32-installer.exe.sha256 + sha256sum $(distdir)-android.zip >../dist/$(distdir)-android.zip.sha256 + cat ../dist/$(distdir)*.sha256 | tac + +cert: + $(MAKE) -C tools cert + +test: + $(abs_builddir)/src/stunnel -version + @echo "No tests are currently implemented" + +install-data-hook: + @echo "*********************************************************" + @echo "* Type 'make cert' to also install a sample certificate *" + @echo "*********************************************************" + +stunnel.pod: Makefile + $(edit) '$(srcdir)/$@.in' >$@ + 
+stunnel.pod: $(srcdir)/stunnel.pod # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/PORTS b/PORTS index 7c0f6e5..acff98b 100644 --- a/PORTS +++ b/PORTS @@ -1,22 +1,17 @@ stunnel known port maintainers -* AmigaOS - - Diego Casorran * Cygwin - Andrew Schulman * Debian GNU/Linux - - Luis Rodrigo Gallardo Cruz + - Peter Pentchev * FreeBSD - Ryan Steinmetz * NetBSD - Martti Kuparinen * OpenBSD - - Jakob Schlyter -* OpenSolaris - - Mark Fenwick -* OS/2 - - Paul Smedley + - Gleydson Soares +* OpenCSW Solaris + - Dagobert Michelsen * RedHat Linux - Damien Miller - diff --git a/TODO b/TODO index 35d6f0a..50785c9 100644 --- a/TODO +++ b/TODO 
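Review bot: In the new `sign` recipe, the commands inside the `/bin/sh -c "..."` string are chained with `;`, so a failed `cd ../dist` or a failed first or second `gpg --detach-sign` does not stop the recipe. At best make sees the exit status of the last gpg call, so a release file can be left in ../dist without a valid detached signature while the target still appears to succeed. Chaining with `&&` makes any failure abort the target: `cd ../dist && gpg --yes --armor --detach-sign --force-v3-sigs $(distdir).tar.gz && gpg … $(distdir)-win32-installer.exe && gpg … $(distdir)-android.zip`. The target also depends only on `dist`, and nothing visible in this hunk builds the installer or Android archive it copies (the `dist-hook` is commented out), so a stale file from an earlier build could presumably be signed and checksummed. Makefile.in is generated, so the change belongs in Makefile.am.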
@@ -3,41 +3,48 @@ stunnel TODO High priority features. They will likely be supported some day. A sponsor could allocate my time to get them faster. -* Perform protocol negotiations after SSL negotiations if possible. -* Command-line server control interface on both Unix and Windows. -* Separate GUI process running as current user on Windows. +* Add client certificate autoselection based on the list of accepted issuers: + SSL_CTX_set_client_cert_cb(), SSL_get_client_CA_list(). +* Add an Apparmor profile. * Optional line-buffering of the log file. -* etc/stunnel/conf.d/* files automatically processed while reading - etc/stunnel/stunnel.conf -* Android GUI. -* Support for CryptoAPI certificates and private keys with OpenSSL CAPI - engine (this feature is incompatible with FIPS support). -* Indirect CRL support (RFC 3280, section 5). +* Log rotation on Windows. * Configuration file option to limit the number of concurrent connections. -* SOCKS 4 protocol support. - http://archive.socks.permeo.com/protocol/socks4.protocol -* Option to redirect instead of rejecting connections on failed authentication. - -Low priority features. They will unlikely ever be supported. +* Implement reference counting of the SERVICE_OPTIONS structure + - Add 'leastconn' failover strategy to order defined 'connect' targets + by the number of active connections. + - Add '-status' command line option reporting the number of clients + connected to each service. + - Deallocate SERVICE_OPTIONS structure when the configuration file + is reloaded *and* old connections are closed. +* Command-line server control interface on both Unix and Windows. +* Separate GUI process running as the current user on Windows. +* An Android GUI. +* OCSP stapling (tlsext_status). +* Extend session tickets and/or sessiond to also serialize application + data ("redirect" state and session persistence). +* Indirect CRL support (RFC 3280, section 5). * Provide 64-bit Windows builds (besides 32-bit builds). 
This requires either Microsoft Visual Studio Standard Edition or Microsoft Visual Studio Professional Edition in order to retain FIPS compliance. -* Service-level logging configuration (separate verbosity and destination). -* Key renegotiation (re-handshake) for long connections. +* MSI installer for Windows. +* Add user-defined headers to CONNECT proxy requests. + This can be used to impersonate other software (e.g. web browsers). + +Low priority features. They will unlikely ever be supported. +* Database and/or directory interface for retrieving PSK secrets. +* Support static FIPS-enabled build. +* Service-level logging destination. +* Enforce key renegotiation (re-handshake) for long connections. * Logging to NT EventLog on Windows. -* Log rotation on Windows. * Internationalization of logged messages (i18n). * Generic scripting engine instead or static protocol.c. Features I won't support, unless convinced otherwise by a wealthy sponsor. -* Protocol support *after* SSL is negotiated: - - Support for adding X-Forwarded-For to HTTP request headers. - This feature is less useful since PROXY protocol support is available. - - Support for adding X-Forwarded-For to SMTP email headers. - This feature is most likely to be implemented as a separate proxy. +* Support for adding X-Forwarded-For to HTTP request headers. + This feature is less useful since PROXY protocol support is available. +* Support for adding X-Forwarded-For to SMTP email headers. + This feature is most likely to be implemented as a separate proxy. * Additional certificate checks (including wildcard comparison) based on: - - CN (Common Name); - - SAN (Subject Alternative Name); - O (Organization), and - OU (Organizational Unit). * Set processes title that appear on the ps(1) and top(1) commands. diff --git a/aclocal.m4 b/aclocal.m4 index ce7d4c0..959a404 100644 --- a/aclocal.m4 +++ b/aclocal.m4 
@@ -1,7 +1,7 @@ -# generated automatically by aclocal 1.11.1 -*- Autoconf -*- +# generated automatically by aclocal 1.14.1 -*- Autoconf -*- + +# Copyright (C) 1996-2013 Free Software Foundation, Inc. -# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, -# 2005, 2006, 2007, 2008, 2009 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
@@ -11,15 +11,736 @@ # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. +m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], [])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])]) m4_ifndef([AC_AUTOCONF_VERSION], [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl -m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.67],, -[m4_warning([this file was generated for autoconf 2.67. +m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.69],, +[m4_warning([this file was generated for autoconf 2.69. You have another version of autoconf. It may work, but is not guaranteed to. If you have problems, you may need to regenerate the build system entirely. -To do so, use the procedure documented by the package, typically `autoreconf'.])]) +To do so, use the procedure documented by the package, typically 'autoreconf'.])]) -# Copyright (C) 2002, 2003, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +# =========================================================================== +# http://www.gnu.org/software/autoconf-archive/ax_append_compile_flags.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_APPEND_COMPILE_FLAGS([FLAG1 FLAG2 ...], [FLAGS-VARIABLE], [EXTRA-FLAGS]) +# +# DESCRIPTION +# +# For every FLAG1, FLAG2 it is checked whether the compiler works with the +# flag. If it does, the flag is added FLAGS-VARIABLE +# +# If FLAGS-VARIABLE is not specified, the current language's flags (e.g. +# CFLAGS) is used. During the check the flag is always added to the +# current language's flags. +# +# If EXTRA-FLAGS is defined, it is added to the current language's default +# flags (e.g. CFLAGS) when the check is done. The check is thus made with +# the flags: "CFLAGS EXTRA-FLAGS FLAG". This can for example be used to +# force the compiler to issue an error when a bad flag is given. +# +# NOTE: This macro depends on the AX_APPEND_FLAG and +# AX_CHECK_COMPILE_FLAG. 
Please keep this macro in sync with +# AX_APPEND_LINK_FLAGS. +# +# LICENSE +# +# Copyright (c) 2011 Maarten Bosmans +# +# This program is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General +# Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program. If not, see . +# +# As a special exception, the respective Autoconf Macro's copyright owner +# gives unlimited permission to copy, distribute and modify the configure +# scripts that are the output of Autoconf when processing the Macro. You +# need not follow the terms of the GNU General Public License when using +# or distributing such scripts, even though portions of the text of the +# Macro appear in them. The GNU General Public License (GPL) does govern +# all other use of the material that constitutes the Autoconf Macro. +# +# This special exception to the GPL applies to versions of the Autoconf +# Macro released by the Autoconf Archive. When you make and distribute a +# modified version of the Autoconf Macro, you may extend this special +# exception to the GPL to apply to your modified version as well. 
+ +#serial 4 + +AC_DEFUN([AX_APPEND_COMPILE_FLAGS], +[AX_REQUIRE_DEFINED([AX_CHECK_COMPILE_FLAG]) +AX_REQUIRE_DEFINED([AX_APPEND_FLAG]) +for flag in $1; do + AX_CHECK_COMPILE_FLAG([$flag], [AX_APPEND_FLAG([$flag], [$2])], [], [$3]) +done +])dnl AX_APPEND_COMPILE_FLAGS + +# =========================================================================== +# http://www.gnu.org/software/autoconf-archive/ax_append_flag.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_APPEND_FLAG(FLAG, [FLAGS-VARIABLE]) +# +# DESCRIPTION +# +# FLAG is appended to the FLAGS-VARIABLE shell variable, with a space +# added in between. +# +# If FLAGS-VARIABLE is not specified, the current language's flags (e.g. +# CFLAGS) is used. FLAGS-VARIABLE is not changed if it already contains +# FLAG. If FLAGS-VARIABLE is unset in the shell, it is set to exactly +# FLAG. +# +# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. +# +# LICENSE +# +# Copyright (c) 2008 Guido U. Draheim +# Copyright (c) 2011 Maarten Bosmans +# +# This program is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General +# Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program. If not, see . +# +# As a special exception, the respective Autoconf Macro's copyright owner +# gives unlimited permission to copy, distribute and modify the configure +# scripts that are the output of Autoconf when processing the Macro. 
You +# need not follow the terms of the GNU General Public License when using +# or distributing such scripts, even though portions of the text of the +# Macro appear in them. The GNU General Public License (GPL) does govern +# all other use of the material that constitutes the Autoconf Macro. +# +# This special exception to the GPL applies to versions of the Autoconf +# Macro released by the Autoconf Archive. When you make and distribute a +# modified version of the Autoconf Macro, you may extend this special +# exception to the GPL to apply to your modified version as well. + +#serial 2 + +AC_DEFUN([AX_APPEND_FLAG], +[AC_PREREQ(2.59)dnl for _AC_LANG_PREFIX +AS_VAR_PUSHDEF([FLAGS], [m4_default($2,_AC_LANG_PREFIX[FLAGS])])dnl +AS_VAR_SET_IF(FLAGS, + [case " AS_VAR_GET(FLAGS) " in + *" $1 "*) + AC_RUN_LOG([: FLAGS already contains $1]) + ;; + *) + AC_RUN_LOG([: FLAGS="$FLAGS $1"]) + AS_VAR_SET(FLAGS, ["AS_VAR_GET(FLAGS) $1"]) + ;; + esac], + [AS_VAR_SET(FLAGS,["$1"])]) +AS_VAR_POPDEF([FLAGS])dnl +])dnl AX_APPEND_FLAG + +# =========================================================================== +# http://www.gnu.org/software/autoconf-archive/ax_append_link_flags.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_APPEND_LINK_FLAGS([FLAG1 FLAG2 ...], [FLAGS-VARIABLE], [EXTRA-FLAGS]) +# +# DESCRIPTION +# +# For every FLAG1, FLAG2 it is checked whether the linker works with the +# flag. If it does, the flag is added FLAGS-VARIABLE +# +# If FLAGS-VARIABLE is not specified, the linker's flags (LDFLAGS) is +# used. During the check the flag is always added to the linker's flags. +# +# If EXTRA-FLAGS is defined, it is added to the linker's default flags +# when the check is done. The check is thus made with the flags: "LDFLAGS +# EXTRA-FLAGS FLAG". This can for example be used to force the linker to +# issue an error when a bad flag is given. 
+# +# NOTE: This macro depends on the AX_APPEND_FLAG and AX_CHECK_LINK_FLAG. +# Please keep this macro in sync with AX_APPEND_COMPILE_FLAGS. +# +# LICENSE +# +# Copyright (c) 2011 Maarten Bosmans +# +# This program is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General +# Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program. If not, see . +# +# As a special exception, the respective Autoconf Macro's copyright owner +# gives unlimited permission to copy, distribute and modify the configure +# scripts that are the output of Autoconf when processing the Macro. You +# need not follow the terms of the GNU General Public License when using +# or distributing such scripts, even though portions of the text of the +# Macro appear in them. The GNU General Public License (GPL) does govern +# all other use of the material that constitutes the Autoconf Macro. +# +# This special exception to the GPL applies to versions of the Autoconf +# Macro released by the Autoconf Archive. When you make and distribute a +# modified version of the Autoconf Macro, you may extend this special +# exception to the GPL to apply to your modified version as well. 
+ +#serial 4 + +AC_DEFUN([AX_APPEND_LINK_FLAGS], +[AX_REQUIRE_DEFINED([AX_CHECK_LINK_FLAG]) +AX_REQUIRE_DEFINED([AX_APPEND_FLAG]) +for flag in $1; do + AX_CHECK_LINK_FLAG([$flag], [AX_APPEND_FLAG([$flag], [m4_default([$2], [LDFLAGS])])], [], [$3]) +done +])dnl AX_APPEND_LINK_FLAGS + +# =========================================================================== +# http://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT]) +# +# DESCRIPTION +# +# Check whether the given FLAG works with the current language's compiler +# or gives an error. (Warnings, however, are ignored) +# +# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on +# success/failure. +# +# If EXTRA-FLAGS is defined, it is added to the current language's default +# flags (e.g. CFLAGS) when the check is done. The check is thus made with +# the flags: "CFLAGS EXTRA-FLAGS FLAG". This can for example be used to +# force the compiler to issue an error when a bad flag is given. +# +# INPUT gives an alternative input source to AC_COMPILE_IFELSE. +# +# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this +# macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG. +# +# LICENSE +# +# Copyright (c) 2008 Guido U. Draheim +# Copyright (c) 2011 Maarten Bosmans +# +# This program is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General +# Public License for more details. 
+# +# You should have received a copy of the GNU General Public License along +# with this program. If not, see . +# +# As a special exception, the respective Autoconf Macro's copyright owner +# gives unlimited permission to copy, distribute and modify the configure +# scripts that are the output of Autoconf when processing the Macro. You +# need not follow the terms of the GNU General Public License when using +# or distributing such scripts, even though portions of the text of the +# Macro appear in them. The GNU General Public License (GPL) does govern +# all other use of the material that constitutes the Autoconf Macro. +# +# This special exception to the GPL applies to versions of the Autoconf +# Macro released by the Autoconf Archive. When you make and distribute a +# modified version of the Autoconf Macro, you may extend this special +# exception to the GPL to apply to your modified version as well. + +#serial 3 + +AC_DEFUN([AX_CHECK_COMPILE_FLAG], +[AC_PREREQ(2.59)dnl for _AC_LANG_PREFIX +AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl +AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [ + ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS + _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1" + AC_COMPILE_IFELSE([m4_default([$5],[AC_LANG_PROGRAM()])], + [AS_VAR_SET(CACHEVAR,[yes])], + [AS_VAR_SET(CACHEVAR,[no])]) + _AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags]) +AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes], + [m4_default([$2], :)], + [m4_default([$3], :)]) +AS_VAR_POPDEF([CACHEVAR])dnl +])dnl AX_CHECK_COMPILE_FLAGS + +# =========================================================================== +# http://www.gnu.org/software/autoconf-archive/ax_check_link_flag.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_CHECK_LINK_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT]) +# +# DESCRIPTION +# +# Check whether the given FLAG works with the 
linker or gives an error. +# (Warnings, however, are ignored) +# +# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on +# success/failure. +# +# If EXTRA-FLAGS is defined, it is added to the linker's default flags +# when the check is done. The check is thus made with the flags: "LDFLAGS +# EXTRA-FLAGS FLAG". This can for example be used to force the linker to +# issue an error when a bad flag is given. +# +# INPUT gives an alternative input source to AC_LINK_IFELSE. +# +# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this +# macro in sync with AX_CHECK_{PREPROC,COMPILE}_FLAG. +# +# LICENSE +# +# Copyright (c) 2008 Guido U. Draheim +# Copyright (c) 2011 Maarten Bosmans +# +# This program is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General +# Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program. If not, see . +# +# As a special exception, the respective Autoconf Macro's copyright owner +# gives unlimited permission to copy, distribute and modify the configure +# scripts that are the output of Autoconf when processing the Macro. You +# need not follow the terms of the GNU General Public License when using +# or distributing such scripts, even though portions of the text of the +# Macro appear in them. The GNU General Public License (GPL) does govern +# all other use of the material that constitutes the Autoconf Macro. +# +# This special exception to the GPL applies to versions of the Autoconf +# Macro released by the Autoconf Archive. 
When you make and distribute a +# modified version of the Autoconf Macro, you may extend this special +# exception to the GPL to apply to your modified version as well. + +#serial 3 + +AC_DEFUN([AX_CHECK_LINK_FLAG], +[AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_ldflags_$4_$1])dnl +AC_CACHE_CHECK([whether the linker accepts $1], CACHEVAR, [ + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS $4 $1" + AC_LINK_IFELSE([m4_default([$5],[AC_LANG_PROGRAM()])], + [AS_VAR_SET(CACHEVAR,[yes])], + [AS_VAR_SET(CACHEVAR,[no])]) + LDFLAGS=$ax_check_save_flags]) +AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes], + [m4_default([$2], :)], + [m4_default([$3], :)]) +AS_VAR_POPDEF([CACHEVAR])dnl +])dnl AX_CHECK_LINK_FLAGS + +# =========================================================================== +# http://www.gnu.org/software/autoconf-archive/ax_pthread.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_PTHREAD([ACTION-IF-FOUND[, ACTION-IF-NOT-FOUND]]) +# +# DESCRIPTION +# +# This macro figures out how to build C programs using POSIX threads. It +# sets the PTHREAD_LIBS output variable to the threads library and linker +# flags, and the PTHREAD_CFLAGS output variable to any special C compiler +# flags that are needed. (The user can also force certain compiler +# flags/libs to be tested by setting these environment variables.) +# +# Also sets PTHREAD_CC to any special C compiler that is needed for +# multi-threaded programs (defaults to the value of CC otherwise). (This +# is necessary on AIX to use the special cc_r compiler alias.) +# +# NOTE: You are assumed to not only compile your program with these flags, +# but also link it with them as well. e.g. you should link with +# $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... 
$PTHREAD_LIBS $LIBS +# +# If you are only building threads programs, you may wish to use these +# variables in your default LIBS, CFLAGS, and CC: +# +# LIBS="$PTHREAD_LIBS $LIBS" +# CFLAGS="$CFLAGS $PTHREAD_CFLAGS" +# CC="$PTHREAD_CC" +# +# In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute constant +# has a nonstandard name, defines PTHREAD_CREATE_JOINABLE to that name +# (e.g. PTHREAD_CREATE_UNDETACHED on AIX). +# +# Also HAVE_PTHREAD_PRIO_INHERIT is defined if pthread is found and the +# PTHREAD_PRIO_INHERIT symbol is defined when compiling with +# PTHREAD_CFLAGS. +# +# ACTION-IF-FOUND is a list of shell commands to run if a threads library +# is found, and ACTION-IF-NOT-FOUND is a list of commands to run it if it +# is not found. If ACTION-IF-FOUND is not specified, the default action +# will define HAVE_PTHREAD. +# +# Please let the authors know if this macro fails on any platform, or if +# you have any other suggestions or comments. This macro was based on work +# by SGJ on autoconf scripts for FFTW (http://www.fftw.org/) (with help +# from M. Frigo), as well as ac_pthread and hb_pthread macros posted by +# Alejandro Forero Cuervo to the autoconf macro repository. We are also +# grateful for the helpful feedback of numerous users. +# +# Updated for Autoconf 2.68 by Daniel Richard G. +# +# LICENSE +# +# Copyright (c) 2008 Steven G. Johnson +# Copyright (c) 2011 Daniel Richard G. +# +# This program is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General +# Public License for more details. 
+# +# You should have received a copy of the GNU General Public License along +# with this program. If not, see . +# +# As a special exception, the respective Autoconf Macro's copyright owner +# gives unlimited permission to copy, distribute and modify the configure +# scripts that are the output of Autoconf when processing the Macro. You +# need not follow the terms of the GNU General Public License when using +# or distributing such scripts, even though portions of the text of the +# Macro appear in them. The GNU General Public License (GPL) does govern +# all other use of the material that constitutes the Autoconf Macro. +# +# This special exception to the GPL applies to versions of the Autoconf +# Macro released by the Autoconf Archive. When you make and distribute a +# modified version of the Autoconf Macro, you may extend this special +# exception to the GPL to apply to your modified version as well. + +#serial 21 + +AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD]) +AC_DEFUN([AX_PTHREAD], [ +AC_REQUIRE([AC_CANONICAL_HOST]) +AC_LANG_PUSH([C]) +ax_pthread_ok=no + +# We used to check for pthread.h first, but this fails if pthread.h +# requires special compiler flags (e.g. on True64 or Sequent). +# It gets checked for in the link test anyway. 
+ +# First of all, check if the user has set any of the PTHREAD_LIBS, +# etcetera environment variables, and if threads linking works using +# them: +if test x"$PTHREAD_LIBS$PTHREAD_CFLAGS" != x; then + save_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $PTHREAD_CFLAGS" + save_LIBS="$LIBS" + LIBS="$PTHREAD_LIBS $LIBS" + AC_MSG_CHECKING([for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS]) + AC_TRY_LINK_FUNC([pthread_join], [ax_pthread_ok=yes]) + AC_MSG_RESULT([$ax_pthread_ok]) + if test x"$ax_pthread_ok" = xno; then + PTHREAD_LIBS="" + PTHREAD_CFLAGS="" + fi + LIBS="$save_LIBS" + CFLAGS="$save_CFLAGS" +fi + +# We must check for the threads library under a number of different +# names; the ordering is very important because some systems +# (e.g. DEC) have both -lpthread and -lpthreads, where one of the +# libraries is broken (non-POSIX). + +# Create a list of thread flags to try. Items starting with a "-" are +# C compiler flags, and other items are library names, except for "none" +# which indicates that we try without any flags at all, and "pthread-config" +# which is a program returning the flags for the Pth emulation library. + +ax_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config" + +# The ordering *is* (sometimes) important. 
Some notes on the +# individual items follow: + +# pthreads: AIX (must check this before -lpthread) +# none: in case threads are in libc; should be tried before -Kthread and +# other compiler flags to prevent continual compiler warnings +# -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h) +# -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able) +# lthread: LinuxThreads port on FreeBSD (also preferred to -pthread) +# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads) +# -pthreads: Solaris/gcc +# -mthreads: Mingw32/gcc, Lynx/gcc +# -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it +# doesn't hurt to check since this sometimes defines pthreads too; +# also defines -D_REENTRANT) +# ... -mt is also the pthreads flag for HP/aCC +# pthread: Linux, etcetera +# --thread-safe: KAI C++ +# pthread-config: use pthread-config program (for GNU Pth library) + +case ${host_os} in + solaris*) + + # On Solaris (at least, for some versions), libc contains stubbed + # (non-functional) versions of the pthreads routines, so link-based + # tests will erroneously succeed. (We need to link with -pthreads/-mt/ + # -lpthread.) (The stubs are missing pthread_cleanup_push, or rather + # a function called by this macro, so we could check for that, but + # who knows whether they'll stub that too in a future libc.) So, + # we'll just look for -pthreads and -lpthread first: + + ax_pthread_flags="-pthreads pthread -mt -pthread $ax_pthread_flags" + ;; + + darwin*) + ax_pthread_flags="-pthread $ax_pthread_flags" + ;; +esac + +# Clang doesn't consider unrecognized options an error unless we specify +# -Werror. We throw in some extra Clang-specific options to ensure that +# this doesn't happen for GCC, which also accepts -Werror. 
+ +AC_MSG_CHECKING([if compiler needs -Werror to reject unknown flags]) +save_CFLAGS="$CFLAGS" +ax_pthread_extra_flags="-Werror" +CFLAGS="$CFLAGS $ax_pthread_extra_flags -Wunknown-warning-option -Wsizeof-array-argument" +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([int foo(void);],[foo()])], + [AC_MSG_RESULT([yes])], + [ax_pthread_extra_flags= + AC_MSG_RESULT([no])]) +CFLAGS="$save_CFLAGS" + +if test x"$ax_pthread_ok" = xno; then +for flag in $ax_pthread_flags; do + + case $flag in + none) + AC_MSG_CHECKING([whether pthreads work without any flags]) + ;; + + -*) + AC_MSG_CHECKING([whether pthreads work with $flag]) + PTHREAD_CFLAGS="$flag" + ;; + + pthread-config) + AC_CHECK_PROG([ax_pthread_config], [pthread-config], [yes], [no]) + if test x"$ax_pthread_config" = xno; then continue; fi + PTHREAD_CFLAGS="`pthread-config --cflags`" + PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`" + ;; + + *) + AC_MSG_CHECKING([for the pthreads library -l$flag]) + PTHREAD_LIBS="-l$flag" + ;; + esac + + save_LIBS="$LIBS" + save_CFLAGS="$CFLAGS" + LIBS="$PTHREAD_LIBS $LIBS" + CFLAGS="$CFLAGS $PTHREAD_CFLAGS $ax_pthread_extra_flags" + + # Check for various functions. We must include pthread.h, + # since some functions may be macros. (On the Sequent, we + # need a special flag -Kthread to make this header compile.) + # We check for pthread_join because it is in -lpthread on IRIX + # while pthread_create is in libc. We check for pthread_attr_init + # due to DEC craziness with -lpthreads. We check for + # pthread_cleanup_push because it is one of the few pthread + # functions on Solaris that doesn't have a non-functional libc stub. + # We try pthread_create on general principles. 
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([#include + static void routine(void *a) { a = 0; } + static void *start_routine(void *a) { return a; }], + [pthread_t th; pthread_attr_t attr; + pthread_create(&th, 0, start_routine, 0); + pthread_join(th, 0); + pthread_attr_init(&attr); + pthread_cleanup_push(routine, 0); + pthread_cleanup_pop(0) /* ; */])], + [ax_pthread_ok=yes], + []) + + LIBS="$save_LIBS" + CFLAGS="$save_CFLAGS" + + AC_MSG_RESULT([$ax_pthread_ok]) + if test "x$ax_pthread_ok" = xyes; then + break; + fi + + PTHREAD_LIBS="" + PTHREAD_CFLAGS="" +done +fi + +# Various other checks: +if test "x$ax_pthread_ok" = xyes; then + save_LIBS="$LIBS" + LIBS="$PTHREAD_LIBS $LIBS" + save_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $PTHREAD_CFLAGS" + + # Detect AIX lossage: JOINABLE attribute is called UNDETACHED. + AC_MSG_CHECKING([for joinable pthread attribute]) + attr_name=unknown + for attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do + AC_LINK_IFELSE([AC_LANG_PROGRAM([#include ], + [int attr = $attr; return attr /* ; */])], + [attr_name=$attr; break], + []) + done + AC_MSG_RESULT([$attr_name]) + if test "$attr_name" != PTHREAD_CREATE_JOINABLE; then + AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE], [$attr_name], + [Define to necessary symbol if this constant + uses a non-standard name on your system.]) + fi + + AC_MSG_CHECKING([if more special flags are required for pthreads]) + flag=no + case ${host_os} in + aix* | freebsd* | darwin*) flag="-D_THREAD_SAFE";; + osf* | hpux*) flag="-D_REENTRANT";; + solaris*) + if test "$GCC" = "yes"; then + flag="-D_REENTRANT" + else + # TODO: What about Clang on Solaris? 
+ flag="-mt -D_REENTRANT" + fi + ;; + esac + AC_MSG_RESULT([$flag]) + if test "x$flag" != xno; then + PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS" + fi + + AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT], + [ax_cv_PTHREAD_PRIO_INHERIT], [ + AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], + [[int i = PTHREAD_PRIO_INHERIT;]])], + [ax_cv_PTHREAD_PRIO_INHERIT=yes], + [ax_cv_PTHREAD_PRIO_INHERIT=no]) + ]) + AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes"], + [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.])]) + + LIBS="$save_LIBS" + CFLAGS="$save_CFLAGS" + + # More AIX lossage: compile with *_r variant + if test "x$GCC" != xyes; then + case $host_os in + aix*) + AS_CASE(["x/$CC"], + [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6], + [#handle absolute path differently from PATH based program lookup + AS_CASE(["x$CC"], + [x/*], + [AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"])], + [AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC])])]) + ;; + esac + fi +fi + +test -n "$PTHREAD_CC" || PTHREAD_CC="$CC" + +AC_SUBST([PTHREAD_LIBS]) +AC_SUBST([PTHREAD_CFLAGS]) +AC_SUBST([PTHREAD_CC]) + +# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND: +if test x"$ax_pthread_ok" = xyes; then + ifelse([$1],,[AC_DEFINE([HAVE_PTHREAD],[1],[Define if you have POSIX threads libraries and header files.])],[$1]) + : +else + ax_pthread_ok=no + $2 +fi +AC_LANG_POP +])dnl AX_PTHREAD + +# =========================================================================== +# http://www.gnu.org/software/autoconf-archive/ax_require_defined.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_REQUIRE_DEFINED(MACRO) +# +# DESCRIPTION +# +# AX_REQUIRE_DEFINED is a simple helper for making sure other macros have +# been defined and thus are available for use. This avoids random issues +# where a macro isn't expanded. 
Instead the configure script emits a +# non-fatal: +# +# ./configure: line 1673: AX_CFLAGS_WARN_ALL: command not found +# +# It's like AC_REQUIRE except it doesn't expand the required macro. +# +# Here's an example: +# +# AX_REQUIRE_DEFINED([AX_CHECK_LINK_FLAG]) +# +# LICENSE +# +# Copyright (c) 2014 Mike Frysinger +# +# Copying and distribution of this file, with or without modification, are +# permitted in any medium without royalty provided the copyright notice +# and this notice are preserved. This file is offered as-is, without any +# warranty. + +#serial 1 + +AC_DEFUN([AX_REQUIRE_DEFINED], [dnl + m4_ifndef([$1], [m4_fatal([macro ]$1[ is not defined; is a m4 file missing?])]) +])dnl AX_REQUIRE_DEFINED + +# Copyright (C) 2002-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -31,10 +752,10 @@ To do so, use the procedure documented by the package, typically `autoreconf'.]) # generated from the m4 files accompanying Automake X.Y. # (This private macro should not be called outside this file.) AC_DEFUN([AM_AUTOMAKE_VERSION], -[am__api_version='1.11' +[am__api_version='1.14' dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl require some minimum version. Point them to the right macro. -m4_if([$1], [1.11.1], [], +m4_if([$1], [1.14.1], [], [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl ]) 
@@ -50,22 +771,22 @@ m4_define([_AM_AUTOCONF_VERSION], []) # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # This function is AC_REQUIREd by AM_INIT_AUTOMAKE. AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], -[AM_AUTOMAKE_VERSION([1.11.1])dnl +[AM_AUTOMAKE_VERSION([1.14.1])dnl m4_ifndef([AC_AUTOCONF_VERSION], [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) # AM_AUX_DIR_EXPAND -*- Autoconf -*- -# Copyright (C) 2001, 2003, 2005 Free Software Foundation, Inc. +# Copyright (C) 2001-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # For projects using AC_CONFIG_AUX_DIR([foo]), Autoconf sets -# $ac_aux_dir to `$srcdir/foo'. In other projects, it is set to -# `$srcdir', `$srcdir/..', or `$srcdir/../..'. +# $ac_aux_dir to '$srcdir/foo'. In other projects, it is set to +# '$srcdir', '$srcdir/..', or '$srcdir/../..'. # # Of course, Automake must honor this variable whenever it calls a # tool from the auxiliary directory. The problem is that $srcdir (and @@ -84,7 +805,7 @@ _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) # # The reason of the latter failure is that $top_srcdir and $ac_aux_dir # are both prefixed by $srcdir. In an in-source build this is usually -# harmless because $srcdir is `.', but things will broke when you +# harmless because $srcdir is '.', but things will broke when you # start a VPATH build or use an absolute $srcdir. # # So we could use something similar to $top_srcdir/$ac_aux_dir/missing, 
@@ -102,30 +823,26 @@ _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) # configured tree to be moved without reconfiguration. AC_DEFUN([AM_AUX_DIR_EXPAND], -[dnl Rely on autoconf to set up CDPATH properly. -AC_PREREQ([2.50])dnl -# expand $ac_aux_dir to an absolute path -am_aux_dir=`cd $ac_aux_dir && pwd` +[AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl +# Expand $ac_aux_dir to an absolute path. +am_aux_dir=`cd "$ac_aux_dir" && pwd` ]) # AM_CONDITIONAL -*- Autoconf -*- -# Copyright (C) 1997, 2000, 2001, 2003, 2004, 2005, 2006, 2008 -# Free Software Foundation, Inc. +# Copyright (C) 1997-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 9 - # AM_CONDITIONAL(NAME, SHELL-CONDITION) # ------------------------------------- # Define a conditional. AC_DEFUN([AM_CONDITIONAL], -[AC_PREREQ(2.52)dnl - ifelse([$1], [TRUE], [AC_FATAL([$0: invalid condition: $1])], - [$1], [FALSE], [AC_FATAL([$0: invalid condition: $1])])dnl +[AC_PREREQ([2.52])dnl + m4_if([$1], [TRUE], [AC_FATAL([$0: invalid condition: $1])], + [$1], [FALSE], [AC_FATAL([$0: invalid condition: $1])])dnl AC_SUBST([$1_TRUE])dnl AC_SUBST([$1_FALSE])dnl _AM_SUBST_NOTMAKE([$1_TRUE])dnl 
@@ -144,16 +861,14 @@ AC_CONFIG_COMMANDS_PRE( Usually this means the macro was only invoked conditionally.]]) fi])]) -# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2009 -# Free Software Foundation, Inc. +# Copyright (C) 1999-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 10 -# There are a few dirty hacks below to avoid letting `AC_PROG_CC' be +# There are a few dirty hacks below to avoid letting 'AC_PROG_CC' be # written in clear, in which case automake, when reading aclocal.m4, # will think it sees a *use*, and therefore will trigger all it's # C support machinery. Also note that it means that autoscan, seeing @@ -163,7 +878,7 @@ fi])]) # _AM_DEPENDENCIES(NAME) # ---------------------- # See how the compiler implements dependency checking. -# NAME is "CC", "CXX", "GCJ", or "OBJC". +# NAME is "CC", "CXX", "OBJC", "OBJCXX", "UPC", or "GJC". # We try a few techniques and use that to set a single cache variable. # # We don't AC_REQUIRE the corresponding AC_PROG_CC since the latter was 
@@ -176,12 +891,13 @@ AC_REQUIRE([AM_OUTPUT_DEPENDENCY_COMMANDS])dnl AC_REQUIRE([AM_MAKE_INCLUDE])dnl AC_REQUIRE([AM_DEP_TRACK])dnl -ifelse([$1], CC, [depcc="$CC" am_compiler_list=], - [$1], CXX, [depcc="$CXX" am_compiler_list=], - [$1], OBJC, [depcc="$OBJC" am_compiler_list='gcc3 gcc'], - [$1], UPC, [depcc="$UPC" am_compiler_list=], - [$1], GCJ, [depcc="$GCJ" am_compiler_list='gcc3 gcc'], - [depcc="$$1" am_compiler_list=]) +m4_if([$1], [CC], [depcc="$CC" am_compiler_list=], + [$1], [CXX], [depcc="$CXX" am_compiler_list=], + [$1], [OBJC], [depcc="$OBJC" am_compiler_list='gcc3 gcc'], + [$1], [OBJCXX], [depcc="$OBJCXX" am_compiler_list='gcc3 gcc'], + [$1], [UPC], [depcc="$UPC" am_compiler_list=], + [$1], [GCJ], [depcc="$GCJ" am_compiler_list='gcc3 gcc'], + [depcc="$$1" am_compiler_list=]) AC_CACHE_CHECK([dependency style of $depcc], [am_cv_$1_dependencies_compiler_type], @@ -189,8 +905,9 @@ AC_CACHE_CHECK([dependency style of $depcc], # We make a subdir and do the tests there. Otherwise we can end up # making bogus files that we don't know about and never remove. For # instance it was reported that on HP-UX the gcc test will end up - # making a dummy file named `D' -- because `-MD' means `put the output - # in D'. + # making a dummy file named 'D' -- because '-MD' means "put the output + # in D". + rm -rf conftest.dir mkdir conftest.dir # Copy depcomp to subdir because otherwise we won't find it if we're # using a relative directory. 
@@ -229,16 +946,16 @@ AC_CACHE_CHECK([dependency style of $depcc], : > sub/conftest.c for i in 1 2 3 4 5 6; do echo '#include "conftst'$i'.h"' >> sub/conftest.c - # Using `: > sub/conftst$i.h' creates only sub/conftst1.h with - # Solaris 8's {/usr,}/bin/sh. - touch sub/conftst$i.h + # Using ": > sub/conftst$i.h" creates only sub/conftst1.h with + # Solaris 10 /bin/sh. + echo '/* dummy */' > sub/conftst$i.h done echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf - # We check with `-c' and `-o' for the sake of the "dashmstdout" + # We check with '-c' and '-o' for the sake of the "dashmstdout" # mode. It turns out that the SunPro C++ compiler does not properly - # handle `-M -o', and we need to detect this. Also, some Intel - # versions had trouble with output in subdirs + # handle '-M -o', and we need to detect this. Also, some Intel + # versions had trouble with output in subdirs. am__obj=sub/conftest.${OBJEXT-o} am__minus_obj="-o $am__obj" case $depmode in @@ -247,16 +964,16 @@ AC_CACHE_CHECK([dependency style of $depcc], test "$am__universal" = false || continue ;; nosideeffect) - # after this tag, mechanisms are not by side-effect, so they'll - # only be used when explicitly requested + # After this tag, mechanisms are not by side-effect, so they'll + # only be used when explicitly requested. if test "x$enable_dependency_tracking" = xyes; then continue else break fi ;; - msvisualcpp | msvcmsys) - # This compiler won't grok `-c -o', but also, the minuso test has + msvc7 | msvc7msys | msvisualcpp | msvcmsys) + # This compiler won't grok '-c -o', but also, the minuso test has # not run yet. These depmodes are late enough in the game, and # so weak that their functioning should not be impacted. am__obj=conftest.${OBJEXT-o} 
@@ -304,7 +1021,7 @@ AM_CONDITIONAL([am__fastdep$1], [ # AM_SET_DEPDIR # ------------- # Choose a directory name for dependency files. -# This macro is AC_REQUIREd in _AM_DEPENDENCIES +# This macro is AC_REQUIREd in _AM_DEPENDENCIES. AC_DEFUN([AM_SET_DEPDIR], [AC_REQUIRE([AM_SET_LEADING_DOT])dnl AC_SUBST([DEPDIR], ["${am__leading_dot}deps"])dnl @@ -314,34 +1031,39 @@ AC_SUBST([DEPDIR], ["${am__leading_dot}deps"])dnl # AM_DEP_TRACK # ------------ AC_DEFUN([AM_DEP_TRACK], -[AC_ARG_ENABLE(dependency-tracking, -[ --disable-dependency-tracking speeds up one-time build - --enable-dependency-tracking do not reject slow dependency extractors]) +[AC_ARG_ENABLE([dependency-tracking], [dnl +AS_HELP_STRING( + [--enable-dependency-tracking], + [do not reject slow dependency extractors]) +AS_HELP_STRING( + [--disable-dependency-tracking], + [speeds up one-time build])]) if test "x$enable_dependency_tracking" != xno; then am_depcomp="$ac_aux_dir/depcomp" AMDEPBACKSLASH='\' + am__nodep='_no' fi AM_CONDITIONAL([AMDEP], [test "x$enable_dependency_tracking" != xno]) AC_SUBST([AMDEPBACKSLASH])dnl _AM_SUBST_NOTMAKE([AMDEPBACKSLASH])dnl +AC_SUBST([am__nodep])dnl +_AM_SUBST_NOTMAKE([am__nodep])dnl ]) # Generate code to set up dependency tracking. -*- Autoconf -*- -# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2008 -# Free Software Foundation, Inc. +# Copyright (C) 1999-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -#serial 5 # _AM_OUTPUT_DEPENDENCY_COMMANDS # ------------------------------ AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS], [{ - # Autoconf 2.62 quotes --file arguments for eval, but not when files + # Older Autoconf quotes --file arguments for eval, but not when files # are listed without --file. Let's play safe and only enable the eval # if we detect the quoting. case $CONFIG_FILES in 
@@ -354,7 +1076,7 @@ AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS], # Strip MF so we end up with the name of the file. mf=`echo "$mf" | sed -e 's/:.*$//'` # Check whether this is an Automake generated Makefile or not. - # We used to match only the files named `Makefile.in', but + # We used to match only the files named 'Makefile.in', but # some people rename them; so instead we look at the file content. # Grep'ing the first line is not enough: some people post-process # each Makefile.in and add a new line on top of each file to say so. @@ -366,21 +1088,19 @@ AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS], continue fi # Extract the definition of DEPDIR, am__include, and am__quote - # from the Makefile without running `make'. + # from the Makefile without running 'make'. DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"` test -z "$DEPDIR" && continue am__include=`sed -n 's/^am__include = //p' < "$mf"` - test -z "am__include" && continue + test -z "$am__include" && continue am__quote=`sed -n 's/^am__quote = //p' < "$mf"` - # When using ansi2knr, U may be empty or an underscore; expand it - U=`sed -n 's/^U = //p' < "$mf"` # Find all dependency output files, they are included files with # $(DEPDIR) in their names. We invoke sed twice because it is the # simplest approach to changing $(DEPDIR) to its actual value in the # expansion. for file in `sed -n " s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \ - sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do + sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g'`; do # Make sure the directory exists. test -f "$dirpart/$file" && continue fdir=`AS_DIRNAME(["$file"])` 
@@ -398,7 +1118,7 @@ AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS], # This macro should only be invoked once -- use via AC_REQUIRE. # # This code is only required when automatic dependency tracking -# is enabled. FIXME. This creates each `.P' file that we will +# is enabled. FIXME. This creates each '.P' file that we will # need in order to bootstrap the dependency handling code. AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS], [AC_CONFIG_COMMANDS([depfiles], @@ -408,18 +1128,21 @@ AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS], # Do all the work for Automake. -*- Autoconf -*- -# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, -# 2005, 2006, 2008, 2009 Free Software Foundation, Inc. +# Copyright (C) 1996-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 16 - # This macro actually does too much. Some checks are only needed if # your package does certain things. But this isn't really a big deal. +dnl Redefine AC_PROG_CC to automatically invoke _AM_PROG_CC_C_O. +m4_define([AC_PROG_CC], +m4_defn([AC_PROG_CC]) +[_AM_PROG_CC_C_O +]) + # AM_INIT_AUTOMAKE(PACKAGE, VERSION, [NO-DEFINE]) # AM_INIT_AUTOMAKE([OPTIONS]) # ----------------------------------------------- @@ -432,7 +1155,7 @@ AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS], # arguments mandatory, and then we can depend on a new Autoconf # release and drop the old call support. AC_DEFUN([AM_INIT_AUTOMAKE], -[AC_PREREQ([2.62])dnl +[AC_PREREQ([2.65])dnl dnl Autoconf wants to disallow AM_ names. We explicitly allow dnl the ones we care about. m4_pattern_allow([^AM_[A-Z]+FLAGS$])dnl 
@@ -461,31 +1184,40 @@ AC_SUBST([CYGPATH_W]) # Define the identity of the package. dnl Distinguish between old-style and new-style calls. m4_ifval([$2], -[m4_ifval([$3], [_AM_SET_OPTION([no-define])])dnl +[AC_DIAGNOSE([obsolete], + [$0: two- and three-arguments forms are deprecated.]) +m4_ifval([$3], [_AM_SET_OPTION([no-define])])dnl AC_SUBST([PACKAGE], [$1])dnl AC_SUBST([VERSION], [$2])], [_AM_SET_OPTIONS([$1])dnl dnl Diagnose old-style AC_INIT with new-style AM_AUTOMAKE_INIT. -m4_if(m4_ifdef([AC_PACKAGE_NAME], 1)m4_ifdef([AC_PACKAGE_VERSION], 1), 11,, +m4_if( + m4_ifdef([AC_PACKAGE_NAME], [ok]):m4_ifdef([AC_PACKAGE_VERSION], [ok]), + [ok:ok],, [m4_fatal([AC_INIT should be called with package and version arguments])])dnl AC_SUBST([PACKAGE], ['AC_PACKAGE_TARNAME'])dnl AC_SUBST([VERSION], ['AC_PACKAGE_VERSION'])])dnl _AM_IF_OPTION([no-define],, -[AC_DEFINE_UNQUOTED(PACKAGE, "$PACKAGE", [Name of package]) - AC_DEFINE_UNQUOTED(VERSION, "$VERSION", [Version number of package])])dnl +[AC_DEFINE_UNQUOTED([PACKAGE], ["$PACKAGE"], [Name of package]) + AC_DEFINE_UNQUOTED([VERSION], ["$VERSION"], [Version number of package])])dnl # Some tools Automake needs. AC_REQUIRE([AM_SANITY_CHECK])dnl AC_REQUIRE([AC_ARG_PROGRAM])dnl -AM_MISSING_PROG(ACLOCAL, aclocal-${am__api_version}) -AM_MISSING_PROG(AUTOCONF, autoconf) -AM_MISSING_PROG(AUTOMAKE, automake-${am__api_version}) -AM_MISSING_PROG(AUTOHEADER, autoheader) -AM_MISSING_PROG(MAKEINFO, makeinfo) +AM_MISSING_PROG([ACLOCAL], [aclocal-${am__api_version}]) +AM_MISSING_PROG([AUTOCONF], [autoconf]) +AM_MISSING_PROG([AUTOMAKE], [automake-${am__api_version}]) +AM_MISSING_PROG([AUTOHEADER], [autoheader]) +AM_MISSING_PROG([MAKEINFO], [makeinfo]) AC_REQUIRE([AM_PROG_INSTALL_SH])dnl AC_REQUIRE([AM_PROG_INSTALL_STRIP])dnl -AC_REQUIRE([AM_PROG_MKDIR_P])dnl +AC_REQUIRE([AC_PROG_MKDIR_P])dnl +# For better backward compatibility. To be removed once Automake 1.9.x +# dies out for good. 
For more background, see: +# +# +AC_SUBST([mkdir_p], ['$(MKDIR_P)']) # We need awk for the "check" target. The system "awk" is bad on # some platforms. AC_REQUIRE([AC_PROG_AWK])dnl 
@@ -496,34 +1228,79 @@ _AM_IF_OPTION([tar-ustar], [_AM_PROG_TAR([ustar])], [_AM_PROG_TAR([v7])])]) _AM_IF_OPTION([no-dependencies],, [AC_PROVIDE_IFELSE([AC_PROG_CC], - [_AM_DEPENDENCIES(CC)], - [define([AC_PROG_CC], - defn([AC_PROG_CC])[_AM_DEPENDENCIES(CC)])])dnl + [_AM_DEPENDENCIES([CC])], + [m4_define([AC_PROG_CC], + m4_defn([AC_PROG_CC])[_AM_DEPENDENCIES([CC])])])dnl AC_PROVIDE_IFELSE([AC_PROG_CXX], - [_AM_DEPENDENCIES(CXX)], - [define([AC_PROG_CXX], - defn([AC_PROG_CXX])[_AM_DEPENDENCIES(CXX)])])dnl + [_AM_DEPENDENCIES([CXX])], + [m4_define([AC_PROG_CXX], + m4_defn([AC_PROG_CXX])[_AM_DEPENDENCIES([CXX])])])dnl AC_PROVIDE_IFELSE([AC_PROG_OBJC], - [_AM_DEPENDENCIES(OBJC)], - [define([AC_PROG_OBJC], - defn([AC_PROG_OBJC])[_AM_DEPENDENCIES(OBJC)])])dnl + [_AM_DEPENDENCIES([OBJC])], + [m4_define([AC_PROG_OBJC], + m4_defn([AC_PROG_OBJC])[_AM_DEPENDENCIES([OBJC])])])dnl +AC_PROVIDE_IFELSE([AC_PROG_OBJCXX], + [_AM_DEPENDENCIES([OBJCXX])], + [m4_define([AC_PROG_OBJCXX], + m4_defn([AC_PROG_OBJCXX])[_AM_DEPENDENCIES([OBJCXX])])])dnl ]) -_AM_IF_OPTION([silent-rules], [AC_REQUIRE([AM_SILENT_RULES])])dnl -dnl The `parallel-tests' driver may need to know about EXEEXT, so add the -dnl `am__EXEEXT' conditional if _AM_COMPILER_EXEEXT was seen. This macro -dnl is hooked onto _AC_COMPILER_EXEEXT early, see below. +AC_REQUIRE([AM_SILENT_RULES])dnl +dnl The testsuite driver may need to know about EXEEXT, so add the +dnl 'am__EXEEXT' conditional if _AM_COMPILER_EXEEXT was seen. This +dnl macro is hooked onto _AC_COMPILER_EXEEXT early, see below. AC_CONFIG_COMMANDS_PRE(dnl [m4_provide_if([_AM_COMPILER_EXEEXT], [AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"])])])dnl + +# POSIX will say in a future version that running "rm -f" with no argument +# is OK; and we want to be able to make that assumption in our Makefile +# recipes. So use an aggressive probe to check that the usage we want is +# actually supported "in the wild" to an acceptable degree. +# See automake bug#10828. 
+# To make any issue more visible, cause the running configure to be aborted +# by default if the 'rm' program in use doesn't match our expectations; the +# user can still override this though. +if rm -f && rm -fr && rm -rf; then : OK; else + cat >&2 <<'END' +Oops! + +Your 'rm' program seems unable to run without file operands specified +on the command line, even when the '-f' option is present. This is contrary +to the behaviour of most rm programs out there, and not conforming with +the upcoming POSIX standard: + +Please tell bug-automake@gnu.org about your system, including the value +of your $PATH and any error possibly output before this message. This +can help us improve future automake versions. + +END + if test x"$ACCEPT_INFERIOR_RM_PROGRAM" = x"yes"; then + echo 'Configuration will proceed anyway, since you have set the' >&2 + echo 'ACCEPT_INFERIOR_RM_PROGRAM variable to "yes"' >&2 + echo >&2 + else + cat >&2 <<'END' +Aborting the configuration process, to ensure you take notice of the issue. + +You can download and install GNU coreutils to get an 'rm' implementation +that behaves properly: . + +If you want to complete the configuration process using your problematic +'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM +to "yes", and re-run configure. + +END + AC_MSG_ERROR([Your 'rm' program is bad, sorry.]) + fi +fi ]) -dnl Hook into `_AC_COMPILER_EXEEXT' early to learn its expansion. Do not +dnl Hook into '_AC_COMPILER_EXEEXT' early to learn its expansion. Do not dnl add the conditional right here, as _AC_COMPILER_EXEEXT may be further dnl mangled by Autoconf and run in a shell conditional statement. m4_define([_AC_COMPILER_EXEEXT], m4_defn([_AC_COMPILER_EXEEXT])[m4_provide([_AM_COMPILER_EXEEXT])]) - # When config.status generates a header, we must update the stamp-h file. # This file resides in the same directory as the config header # that is generated. The stamp files are numbered to have different names. 
@@ -545,7 +1322,7 @@ for _am_header in $config_headers :; do done echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count]) -# Copyright (C) 2001, 2003, 2005, 2008 Free Software Foundation, Inc. +# Copyright (C) 2001-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -564,16 +1341,14 @@ if test x"${install_sh}" != xset; then install_sh="\${SHELL} $am_aux_dir/install-sh" esac fi -AC_SUBST(install_sh)]) +AC_SUBST([install_sh])]) -# Copyright (C) 2003, 2005 Free Software Foundation, Inc. +# Copyright (C) 2003-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 2 - # Check whether the underlying file-system supports filenames # with a leading dot. For instance MS-DOS doesn't. AC_DEFUN([AM_SET_LEADING_DOT], @@ -589,14 +1364,12 @@ AC_SUBST([am__leading_dot])]) # Check to see how 'make' treats includes. -*- Autoconf -*- -# Copyright (C) 2001, 2002, 2003, 2005, 2009 Free Software Foundation, Inc. +# Copyright (C) 2001-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 4 - # AM_MAKE_INCLUDE() # ----------------- # Check to see how make treats includes. @@ -614,7 +1387,7 @@ am__quote= _am_result=none # First try GNU make style include. echo "include confinc" > confmf -# Ignore all kinds of additional output from `make'. +# Ignore all kinds of additional output from 'make'. case `$am_make -s -f confmf 2> /dev/null` in #( *the\ am__doit\ target*) am__include=include 
@@ -639,52 +1412,14 @@ AC_MSG_RESULT([$_am_result]) rm -f confinc confmf ]) -# Copyright (C) 1999, 2000, 2001, 2003, 2004, 2005, 2008 -# Free Software Foundation, Inc. -# -# This file is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# serial 6 - -# AM_PROG_CC_C_O -# -------------- -# Like AC_PROG_CC_C_O, but changed for automake. -AC_DEFUN([AM_PROG_CC_C_O], -[AC_REQUIRE([AC_PROG_CC_C_O])dnl -AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl -AC_REQUIRE_AUX_FILE([compile])dnl -# FIXME: we rely on the cache variable name because -# there is no other way. -set dummy $CC -am_cc=`echo $[2] | sed ['s/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/']` -eval am_t=\$ac_cv_prog_cc_${am_cc}_c_o -if test "$am_t" != yes; then - # Losing compiler, so override with the script. - # FIXME: It is wrong to rewrite CC. - # But if we don't then we get into trouble of one sort or another. - # A longer-term fix would be to have automake use am__CC in this case, - # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)" - CC="$am_aux_dir/compile $CC" -fi -dnl Make sure AC_PROG_CC is never called again, or it will override our -dnl setting of CC. -m4_define([AC_PROG_CC], - [m4_fatal([AC_PROG_CC cannot be called after AM_PROG_CC_C_O])]) -]) - # Fake the existence of programs that GNU maintainers use. -*- Autoconf -*- -# Copyright (C) 1997, 1999, 2000, 2001, 2003, 2004, 2005, 2008 -# Free Software Foundation, Inc. +# Copyright (C) 1997-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 6 - # AM_MISSING_PROG(NAME, PROGRAM) # ------------------------------ AC_DEFUN([AM_MISSING_PROG], 
@@ -692,11 +1427,10 @@ AC_DEFUN([AM_MISSING_PROG], $1=${$1-"${am_missing_run}$2"} AC_SUBST($1)]) - # AM_MISSING_HAS_RUN # ------------------ -# Define MISSING if not defined so far and test if it supports --run. -# If it does, set am_missing_run to use it, otherwise, to nothing. +# Define MISSING if not defined so far and test if it is modern enough. +# If it is, set am_missing_run to use it, otherwise, to nothing. AC_DEFUN([AM_MISSING_HAS_RUN], [AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl AC_REQUIRE_AUX_FILE([missing])dnl 
@@ -709,63 +1443,35 @@ if test x"${MISSING+set}" != xset; then esac fi # Use eval to expand $SHELL -if eval "$MISSING --run true"; then - am_missing_run="$MISSING --run " +if eval "$MISSING --is-lightweight"; then + am_missing_run="$MISSING " else am_missing_run= - AC_MSG_WARN([`missing' script is too old or missing]) + AC_MSG_WARN(['missing' script is too old or missing]) fi ]) -# Copyright (C) 2003, 2004, 2005, 2006 Free Software Foundation, Inc. -# -# This file is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# AM_PROG_MKDIR_P -# --------------- -# Check for `mkdir -p'. -AC_DEFUN([AM_PROG_MKDIR_P], -[AC_PREREQ([2.60])dnl -AC_REQUIRE([AC_PROG_MKDIR_P])dnl -dnl Automake 1.8 to 1.9.6 used to define mkdir_p. We now use MKDIR_P, -dnl while keeping a definition of mkdir_p for backward compatibility. -dnl @MKDIR_P@ is magic: AC_OUTPUT adjusts its value for each Makefile. -dnl However we cannot define mkdir_p as $(MKDIR_P) for the sake of -dnl Makefile.ins that do not define MKDIR_P, so we do our own -dnl adjustment using top_builddir (which is defined more often than -dnl MKDIR_P). -AC_SUBST([mkdir_p], ["$MKDIR_P"])dnl -case $mkdir_p in - [[\\/$]]* | ?:[[\\/]]*) ;; - */*) mkdir_p="\$(top_builddir)/$mkdir_p" ;; -esac -]) - # Helper functions for option handling. -*- Autoconf -*- -# Copyright (C) 2001, 2002, 2003, 2005, 2008 Free Software Foundation, Inc. +# Copyright (C) 2001-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
-# serial 4 - # _AM_MANGLE_OPTION(NAME) # ----------------------- AC_DEFUN([_AM_MANGLE_OPTION], [[_AM_OPTION_]m4_bpatsubst($1, [[^a-zA-Z0-9_]], [_])]) # _AM_SET_OPTION(NAME) -# ------------------------------ +# -------------------- # Set option NAME. Presently that only means defining a flag for this option. AC_DEFUN([_AM_SET_OPTION], -[m4_define(_AM_MANGLE_OPTION([$1]), 1)]) +[m4_define(_AM_MANGLE_OPTION([$1]), [1])]) # _AM_SET_OPTIONS(OPTIONS) -# ---------------------------------- +# ------------------------ # OPTIONS is a space-separated list of Automake options. AC_DEFUN([_AM_SET_OPTIONS], [m4_foreach_w([_AM_Option], [$1], [_AM_SET_OPTION(_AM_Option)])]) 
@@ -776,24 +1482,82 @@ AC_DEFUN([_AM_SET_OPTIONS], AC_DEFUN([_AM_IF_OPTION], [m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])]) -# Check to make sure that the build environment is sane. -*- Autoconf -*- - -# Copyright (C) 1996, 1997, 2000, 2001, 2003, 2005, 2008 -# Free Software Foundation, Inc. +# Copyright (C) 1999-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 5 +# _AM_PROG_CC_C_O +# --------------- +# Like AC_PROG_CC_C_O, but changed for automake. We rewrite AC_PROG_CC +# to automatically call this. +AC_DEFUN([_AM_PROG_CC_C_O], +[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl +AC_REQUIRE_AUX_FILE([compile])dnl +AC_LANG_PUSH([C])dnl +AC_CACHE_CHECK( + [whether $CC understands -c and -o together], + [am_cv_prog_cc_c_o], + [AC_LANG_CONFTEST([AC_LANG_PROGRAM([])]) + # Make sure it works both with $CC and with simple cc. + # Following AC_PROG_CC_C_O, we do the test twice because some + # compilers refuse to overwrite an existing .o file with -o, + # though they will create one. + am_cv_prog_cc_c_o=yes + for am_i in 1 2; do + if AM_RUN_LOG([$CC -c conftest.$ac_ext -o conftest2.$ac_objext]) \ + && test -f conftest2.$ac_objext; then + : OK + else + am_cv_prog_cc_c_o=no + break + fi + done + rm -f core conftest* + unset am_i]) +if test "$am_cv_prog_cc_c_o" != yes; then + # Losing compiler, so override with the script. + # FIXME: It is wrong to rewrite CC. + # But if we don't then we get into trouble of one sort or another. + # A longer-term fix would be to have automake use am__CC in this case, + # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)" + CC="$am_aux_dir/compile $CC" +fi +AC_LANG_POP([C])]) + +# For backward compatibility. +AC_DEFUN_ONCE([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC])]) + +# Copyright (C) 2001-2013 Free Software Foundation, Inc. 
+# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# AM_RUN_LOG(COMMAND) +# ------------------- +# Run COMMAND, save the exit status in ac_status, and log it. +# (This has been adapted from Autoconf's _AC_RUN_LOG macro.) +AC_DEFUN([AM_RUN_LOG], +[{ echo "$as_me:$LINENO: $1" >&AS_MESSAGE_LOG_FD + ($1) >&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD + (exit $ac_status); }]) + +# Check to make sure that the build environment is sane. -*- Autoconf -*- + +# Copyright (C) 1996-2013 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. # AM_SANITY_CHECK # --------------- AC_DEFUN([AM_SANITY_CHECK], [AC_MSG_CHECKING([whether build environment is sane]) -# Just in case -sleep 1 -echo timestamp > conftest.file # Reject unsafe characters in $srcdir or the absolute working directory # name. Accept space and tab only in the latter. am_lf=' 
@@ -804,32 +1568,40 @@ case `pwd` in esac case $srcdir in *[[\\\"\#\$\&\'\`$am_lf\ \ ]]*) - AC_MSG_ERROR([unsafe srcdir value: `$srcdir']);; + AC_MSG_ERROR([unsafe srcdir value: '$srcdir']);; esac -# Do `set' in a subshell so we don't clobber the current shell's +# Do 'set' in a subshell so we don't clobber the current shell's # arguments. Must try -L first in case configure is actually a # symlink; some systems play weird games with the mod time of symlinks # (eg FreeBSD returns the mod time of the symlink's containing # directory). if ( - set X `ls -Lt "$srcdir/configure" conftest.file 2> /dev/null` - if test "$[*]" = "X"; then - # -L didn't work. - set X `ls -t "$srcdir/configure" conftest.file` - fi - rm -f conftest.file - if test "$[*]" != "X $srcdir/configure conftest.file" \ - && test "$[*]" != "X conftest.file $srcdir/configure"; then - - # If neither matched, then we have a broken ls. This can happen - # if, for instance, CONFIG_SHELL is bash and it inherits a - # broken ls alias from the environment. This has actually - # happened. Such a system could not be considered "sane". - AC_MSG_ERROR([ls -t appears to fail. Make sure there is not a broken -alias in your environment]) - fi + am_has_slept=no + for am_try in 1 2; do + echo "timestamp, slept: $am_has_slept" > conftest.file + set X `ls -Lt "$srcdir/configure" conftest.file 2> /dev/null` + if test "$[*]" = "X"; then + # -L didn't work. + set X `ls -t "$srcdir/configure" conftest.file` + fi + if test "$[*]" != "X $srcdir/configure conftest.file" \ + && test "$[*]" != "X conftest.file $srcdir/configure"; then + # If neither matched, then we have a broken ls. This can happen + # if, for instance, CONFIG_SHELL is bash and it inherits a + # broken ls alias from the environment. This has actually + # happened. Such a system could not be considered "sane". + AC_MSG_ERROR([ls -t appears to fail. 
Make sure there is not a broken + alias in your environment]) + fi + if test "$[2]" = conftest.file || test $am_try -eq 2; then + break + fi + # Just in case. + sleep 1 + am_has_slept=yes + done test "$[2]" = conftest.file ) then 
@@ -839,9 +1611,85 @@ else AC_MSG_ERROR([newly created file is older than distributed files! Check your system clock]) fi -AC_MSG_RESULT(yes)]) +AC_MSG_RESULT([yes]) +# If we didn't sleep, we still need to ensure time stamps of config.status and +# generated files are strictly newer. +am_sleep_pid= +if grep 'slept: no' conftest.file >/dev/null 2>&1; then + ( sleep 1 ) & + am_sleep_pid=$! +fi +AC_CONFIG_COMMANDS_PRE( + [AC_MSG_CHECKING([that generated files are newer than configure]) + if test -n "$am_sleep_pid"; then + # Hide warnings about reused PIDs. + wait $am_sleep_pid 2>/dev/null + fi + AC_MSG_RESULT([done])]) +rm -f conftest.file +]) -# Copyright (C) 2001, 2003, 2005 Free Software Foundation, Inc. +# Copyright (C) 2009-2013 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# AM_SILENT_RULES([DEFAULT]) +# -------------------------- +# Enable less verbose build rules; with the default set to DEFAULT +# ("yes" being less verbose, "no" or empty being verbose). +AC_DEFUN([AM_SILENT_RULES], +[AC_ARG_ENABLE([silent-rules], [dnl +AS_HELP_STRING( + [--enable-silent-rules], + [less verbose build output (undo: "make V=1")]) +AS_HELP_STRING( + [--disable-silent-rules], + [verbose build output (undo: "make V=0")])dnl +]) +case $enable_silent_rules in @%:@ ((( + yes) AM_DEFAULT_VERBOSITY=0;; + no) AM_DEFAULT_VERBOSITY=1;; + *) AM_DEFAULT_VERBOSITY=m4_if([$1], [yes], [0], [1]);; +esac +dnl +dnl A few 'make' implementations (e.g., NonStop OS and NextStep) +dnl do not support nested variable expansions. +dnl See automake bug#9928 and bug#10237. 
+am_make=${MAKE-make} +AC_CACHE_CHECK([whether $am_make supports nested variables], + [am_cv_make_support_nested_variables], + [if AS_ECHO([['TRUE=$(BAR$(V)) +BAR0=false +BAR1=true +V=1 +am__doit: + @$(TRUE) +.PHONY: am__doit']]) | $am_make -f - >/dev/null 2>&1; then + am_cv_make_support_nested_variables=yes +else + am_cv_make_support_nested_variables=no +fi]) +if test $am_cv_make_support_nested_variables = yes; then + dnl Using '$V' instead of '$(V)' breaks IRIX make. + AM_V='$(V)' + AM_DEFAULT_V='$(AM_DEFAULT_VERBOSITY)' +else + AM_V=$AM_DEFAULT_VERBOSITY + AM_DEFAULT_V=$AM_DEFAULT_VERBOSITY +fi +AC_SUBST([AM_V])dnl +AM_SUBST_NOTMAKE([AM_V])dnl +AC_SUBST([AM_DEFAULT_V])dnl +AM_SUBST_NOTMAKE([AM_DEFAULT_V])dnl +AC_SUBST([AM_DEFAULT_VERBOSITY])dnl +AM_BACKSLASH='\' +AC_SUBST([AM_BACKSLASH])dnl +_AM_SUBST_NOTMAKE([AM_BACKSLASH])dnl +]) + +# Copyright (C) 2001-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -849,34 +1697,32 @@ AC_MSG_RESULT(yes)]) # AM_PROG_INSTALL_STRIP # --------------------- -# One issue with vendor `install' (even GNU) is that you can't +# One issue with vendor 'install' (even GNU) is that you can't # specify the program used to strip binaries. This is especially # annoying in cross-compiling environments, where the build's strip # is unlikely to handle the host's binaries. # Fortunately install-sh will honor a STRIPPROG variable, so we -# always use install-sh in `make install-strip', and initialize +# always use install-sh in "make install-strip", and initialize # STRIPPROG with the value of the STRIP variable (set by the user). AC_DEFUN([AM_PROG_INSTALL_STRIP], [AC_REQUIRE([AM_PROG_INSTALL_SH])dnl -# Installed binaries are usually stripped using `strip' when the user -# run `make install-strip'. However `strip' might not be the right +# Installed binaries are usually stripped using 'strip' when the user +# run "make install-strip". However 'strip' might not be the right # tool to use in cross-compilation environments, therefore Automake -# will honor the `STRIP' environment variable to overrule this program. -dnl Don't test for $cross_compiling = yes, because it might be `maybe'. +# will honor the 'STRIP' environment variable to overrule this program. +dnl Don't test for $cross_compiling = yes, because it might be 'maybe'. if test "$cross_compiling" != no; then AC_CHECK_TOOL([STRIP], [strip], :) fi INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" AC_SUBST([INSTALL_STRIP_PROGRAM])]) -# Copyright (C) 2006, 2008 Free Software Foundation, Inc. +# Copyright (C) 2006-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 2 - # _AM_SUBST_NOTMAKE(VARIABLE) # --------------------------- # Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in. 
@@ -884,24 +1730,22 @@ AC_SUBST([INSTALL_STRIP_PROGRAM])]) AC_DEFUN([_AM_SUBST_NOTMAKE]) # AM_SUBST_NOTMAKE(VARIABLE) -# --------------------------- +# -------------------------- # Public sister of _AM_SUBST_NOTMAKE. AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)]) # Check how to create a tarball. -*- Autoconf -*- -# Copyright (C) 2004, 2005 Free Software Foundation, Inc. +# Copyright (C) 2004-2013 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 2 - # _AM_PROG_TAR(FORMAT) # -------------------- # Check how to create a tarball in format FORMAT. -# FORMAT should be one of `v7', `ustar', or `pax'. +# FORMAT should be one of 'v7', 'ustar', or 'pax'. # # Substitute a variable $(am__tar) that is a command # writing to stdout a FORMAT-tarball containing the directory 
@@ -911,75 +1755,114 @@ AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)]) # Substitute a variable $(am__untar) that extract such # a tarball read from stdin. # $(am__untar) < result.tar +# AC_DEFUN([_AM_PROG_TAR], -[# Always define AMTAR for backward compatibility. -AM_MISSING_PROG([AMTAR], [tar]) -m4_if([$1], [v7], - [am__tar='${AMTAR} chof - "$$tardir"'; am__untar='${AMTAR} xf -'], - [m4_case([$1], [ustar],, [pax],, - [m4_fatal([Unknown tar format])]) -AC_MSG_CHECKING([how to create a $1 tar archive]) -# Loop over all known methods to create a tar archive until one works. +[# Always define AMTAR for backward compatibility. Yes, it's still used +# in the wild :-( We should find a proper way to deprecate it ... +AC_SUBST([AMTAR], ['$${TAR-tar}']) + +# We'll loop over all known methods to create a tar archive until one works. _am_tools='gnutar m4_if([$1], [ustar], [plaintar]) pax cpio none' -_am_tools=${am_cv_prog_tar_$1-$_am_tools} -# Do not fold the above two line into one, because Tru64 sh and -# Solaris sh will not grok spaces in the rhs of `-'. -for _am_tool in $_am_tools -do - case $_am_tool in - gnutar) - for _am_tar in tar gnutar gtar; - do - AM_RUN_LOG([$_am_tar --version]) && break - done - am__tar="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$$tardir"' - am__tar_="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$tardir"' - am__untar="$_am_tar -xf -" - ;; - plaintar) - # Must skip GNU tar: if it does not support --format= it doesn't create - # ustar tarball either. 
- (tar --version) >/dev/null 2>&1 && continue - am__tar='tar chf - "$$tardir"' - am__tar_='tar chf - "$tardir"' - am__untar='tar xf -' - ;; - pax) - am__tar='pax -L -x $1 -w "$$tardir"' - am__tar_='pax -L -x $1 -w "$tardir"' - am__untar='pax -r' - ;; - cpio) - am__tar='find "$$tardir" -print | cpio -o -H $1 -L' - am__tar_='find "$tardir" -print | cpio -o -H $1 -L' - am__untar='cpio -i -H $1 -d' - ;; - none) - am__tar=false - am__tar_=false - am__untar=false - ;; - esac - # If the value was cached, stop now. We just wanted to have am__tar - # and am__untar set. - test -n "${am_cv_prog_tar_$1}" && break +m4_if([$1], [v7], + [am__tar='$${TAR-tar} chof - "$$tardir"' am__untar='$${TAR-tar} xf -'], - # tar/untar a dummy directory, and stop if the command works + [m4_case([$1], + [ustar], + [# The POSIX 1988 'ustar' format is defined with fixed-size fields. + # There is notably a 21 bits limit for the UID and the GID. In fact, + # the 'pax' utility can hang on bigger UID/GID (see automake bug#8343 + # and bug#13588). + am_max_uid=2097151 # 2^21 - 1 + am_max_gid=$am_max_uid + # The $UID and $GID variables are not portable, so we need to resort + # to the POSIX-mandated id(1) utility. Errors in the 'id' calls + # below are definitely unexpected, so allow the users to see them + # (that is, avoid stderr redirection). + am_uid=`id -u || echo unknown` + am_gid=`id -g || echo unknown` + AC_MSG_CHECKING([whether UID '$am_uid' is supported by ustar format]) + if test $am_uid -le $am_max_uid; then + AC_MSG_RESULT([yes]) + else + AC_MSG_RESULT([no]) + _am_tools=none + fi + AC_MSG_CHECKING([whether GID '$am_gid' is supported by ustar format]) + if test $am_gid -le $am_max_gid; then + AC_MSG_RESULT([yes]) + else + AC_MSG_RESULT([no]) + _am_tools=none + fi], + + [pax], + [], + + [m4_fatal([Unknown tar format])]) + + AC_MSG_CHECKING([how to create a $1 tar archive]) + + # Go ahead even if we have the value already cached. 
We do so because we + # need to set the values for the 'am__tar' and 'am__untar' variables. + _am_tools=${am_cv_prog_tar_$1-$_am_tools} + + for _am_tool in $_am_tools; do + case $_am_tool in + gnutar) + for _am_tar in tar gnutar gtar; do + AM_RUN_LOG([$_am_tar --version]) && break + done + am__tar="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$$tardir"' + am__tar_="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$tardir"' + am__untar="$_am_tar -xf -" + ;; + plaintar) + # Must skip GNU tar: if it does not support --format= it doesn't create + # ustar tarball either. + (tar --version) >/dev/null 2>&1 && continue + am__tar='tar chf - "$$tardir"' + am__tar_='tar chf - "$tardir"' + am__untar='tar xf -' + ;; + pax) + am__tar='pax -L -x $1 -w "$$tardir"' + am__tar_='pax -L -x $1 -w "$tardir"' + am__untar='pax -r' + ;; + cpio) + am__tar='find "$$tardir" -print | cpio -o -H $1 -L' + am__tar_='find "$tardir" -print | cpio -o -H $1 -L' + am__untar='cpio -i -H $1 -d' + ;; + none) + am__tar=false + am__tar_=false + am__untar=false + ;; + esac + + # If the value was cached, stop now. We just wanted to have am__tar + # and am__untar set. + test -n "${am_cv_prog_tar_$1}" && break + + # tar/untar a dummy directory, and stop if the command works. 
+ rm -rf conftest.dir + mkdir conftest.dir + echo GrepMe > conftest.dir/file + AM_RUN_LOG([tardir=conftest.dir && eval $am__tar_ >conftest.tar]) + rm -rf conftest.dir + if test -s conftest.tar; then + AM_RUN_LOG([$am__untar /dev/null 2>&1 && break + fi + done rm -rf conftest.dir - mkdir conftest.dir - echo GrepMe > conftest.dir/file - AM_RUN_LOG([tardir=conftest.dir && eval $am__tar_ >conftest.tar]) - rm -rf conftest.dir - if test -s conftest.tar; then - AM_RUN_LOG([$am__untar /dev/null 2>&1 && break - fi -done -rm -rf conftest.dir -AC_CACHE_VAL([am_cv_prog_tar_$1], [am_cv_prog_tar_$1=$_am_tool]) -AC_MSG_RESULT([$am_cv_prog_tar_$1])]) + AC_CACHE_VAL([am_cv_prog_tar_$1], [am_cv_prog_tar_$1=$_am_tool]) + AC_MSG_RESULT([$am_cv_prog_tar_$1])]) + AC_SUBST([am__tar]) AC_SUBST([am__untar]) ]) # _AM_PROG_TAR diff --git a/auto/compile b/auto/compile index c0096a7..531136b 100755 --- a/auto/compile +++ b/auto/compile @@ -1,10 +1,9 @@ #! /bin/sh -# Wrapper for compilers which do not understand `-c -o'. +# Wrapper for compilers which do not understand '-c -o'. -scriptversion=2009-10-06.20; # UTC +scriptversion=2012-10-14.11; # UTC -# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2009 Free Software -# Foundation, Inc. +# Copyright (C) 1999-2013 Free Software Foundation, Inc. # Written by Tom Tromey . # # This program is free software; you can redistribute it and/or modify 
@@ -29,21 +28,224 @@ scriptversion=2009-10-06.20; # UTC # bugs to or send patches to # . +nl=' +' + +# We need space, tab and new line, in precisely that order. Quoting is +# there to prevent tools from complaining about whitespace usage. +IFS=" "" $nl" + +file_conv= + +# func_file_conv build_file lazy +# Convert a $build file to $host form and store it in $file +# Currently only supports Windows hosts. If the determined conversion +# type is listed in (the comma separated) LAZY, no conversion will +# take place. +func_file_conv () +{ + file=$1 + case $file in + / | /[!/]*) # absolute file, and not a UNC file + if test -z "$file_conv"; then + # lazily determine how to convert abs files + case `uname -s` in + MINGW*) + file_conv=mingw + ;; + CYGWIN*) + file_conv=cygwin + ;; + *) + file_conv=wine + ;; + esac + fi + case $file_conv/,$2, in + *,$file_conv,*) + ;; + mingw/*) + file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'` + ;; + cygwin/*) + file=`cygpath -m "$file" || echo "$file"` + ;; + wine/*) + file=`winepath -w "$file" || echo "$file"` + ;; + esac + ;; + esac +} + +# func_cl_dashL linkdir +# Make cl look for libraries in LINKDIR +func_cl_dashL () +{ + func_file_conv "$1" + if test -z "$lib_path"; then + lib_path=$file + else + lib_path="$lib_path;$file" + fi + linker_opts="$linker_opts -LIBPATH:$file" +} + +# func_cl_dashl library +# Do a library search-path lookup for cl +func_cl_dashl () +{ + lib=$1 + found=no + save_IFS=$IFS + IFS=';' + for dir in $lib_path $LIB + do + IFS=$save_IFS + if $shared && test -f "$dir/$lib.dll.lib"; then + found=yes + lib=$dir/$lib.dll.lib + break + fi + if test -f "$dir/$lib.lib"; then + found=yes + lib=$dir/$lib.lib + break + fi + if test -f "$dir/lib$lib.a"; then + found=yes + lib=$dir/lib$lib.a + break + fi + done + IFS=$save_IFS + + if test "$found" != yes; then + lib=$lib.lib + fi +} + +# func_cl_wrapper cl arg... 
+# Adjust compile command to suit cl +func_cl_wrapper () +{ + # Assume a capable shell + lib_path= + shared=: + linker_opts= + for arg + do + if test -n "$eat"; then + eat= + else + case $1 in + -o) + # configure might choose to run compile as 'compile cc -o foo foo.c'. + eat=1 + case $2 in + *.o | *.[oO][bB][jJ]) + func_file_conv "$2" + set x "$@" -Fo"$file" + shift + ;; + *) + func_file_conv "$2" + set x "$@" -Fe"$file" + shift + ;; + esac + ;; + -I) + eat=1 + func_file_conv "$2" mingw + set x "$@" -I"$file" + shift + ;; + -I*) + func_file_conv "${1#-I}" mingw + set x "$@" -I"$file" + shift + ;; + -l) + eat=1 + func_cl_dashl "$2" + set x "$@" "$lib" + shift + ;; + -l*) + func_cl_dashl "${1#-l}" + set x "$@" "$lib" + shift + ;; + -L) + eat=1 + func_cl_dashL "$2" + ;; + -L*) + func_cl_dashL "${1#-L}" + ;; + -static) + shared=false + ;; + -Wl,*) + arg=${1#-Wl,} + save_ifs="$IFS"; IFS=',' + for flag in $arg; do + IFS="$save_ifs" + linker_opts="$linker_opts $flag" + done + IFS="$save_ifs" + ;; + -Xlinker) + eat=1 + linker_opts="$linker_opts $2" + ;; + -*) + set x "$@" "$1" + shift + ;; + *.cc | *.CC | *.cxx | *.CXX | *.[cC]++) + func_file_conv "$1" + set x "$@" -Tp"$file" + shift + ;; + *.c | *.cpp | *.CPP | *.lib | *.LIB | *.Lib | *.OBJ | *.obj | *.[oO]) + func_file_conv "$1" mingw + set x "$@" "$file" + shift + ;; + *) + set x "$@" "$1" + shift + ;; + esac + fi + shift + done + if test -n "$linker_opts"; then + linker_opts="-link$linker_opts" + fi + exec "$@" $linker_opts + exit 1 +} + +eat= + case $1 in '') - echo "$0: No command. Try \`$0 --help' for more information." 1>&2 + echo "$0: No command. Try '$0 --help' for more information." 1>&2 exit 1; ;; -h | --h*) cat <<\EOF Usage: compile [--help] [--version] PROGRAM [ARGS] -Wrapper for compilers which do not understand `-c -o'. -Remove `-o dest.o' from ARGS, run PROGRAM with the remaining +Wrapper for compilers which do not understand '-c -o'. 
+Remove '-o dest.o' from ARGS, run PROGRAM with the remaining arguments, and rename the output as expected. If you are trying to build a whole package this is not the -right script to run: please start by reading the file `INSTALL'. +right script to run: please start by reading the file 'INSTALL'. Report bugs to . EOF @@ -53,11 +255,13 @@ EOF echo "compile $scriptversion" exit $? ;; + cl | *[/\\]cl | cl.exe | *[/\\]cl.exe ) + func_cl_wrapper "$@" # Doesn't return... + ;; esac ofile= cfile= -eat= for arg do @@ -66,8 +270,8 @@ do else case $1 in -o) - # configure might choose to run compile as `compile cc -o foo foo.c'. - # So we strip `-o arg' only if arg is an object. + # configure might choose to run compile as 'compile cc -o foo foo.c'. + # So we strip '-o arg' only if arg is an object. eat=1 case $2 in *.o | *.obj) @@ -94,10 +298,10 @@ do done if test -z "$ofile" || test -z "$cfile"; then - # If no `-o' option was seen then we might have been invoked from a + # If no '-o' option was seen then we might have been invoked from a # pattern rule where we don't need one. That is ok -- this is a # normal compilation that the losing compiler can handle. If no - # `.c' file was seen then we are probably linking. That is also + # '.c' file was seen then we are probably linking. That is also # ok. exec "$@" fi @@ -106,7 +310,7 @@ fi cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'` # Create the lock directory. -# Note: use `[/\\:.-]' here to ensure that we don't use the same name +# Note: use '[/\\:.-]' here to ensure that we don't use the same name # that we are using for the .o file. Also, base the name on the expected # object file name, since that is what matters with a parallel build. lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d diff --git a/auto/config.guess b/auto/config.guess old mode 100644 new mode 100755 index 8152efd..1f5c50c --- a/auto/config.guess +++ b/auto/config.guess 
@@ -1,14 +1,12 @@ #! /bin/sh # Attempt to guess a canonical system name. -# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, -# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, -# 2011 Free Software Foundation, Inc. +# Copyright 1992-2014 Free Software Foundation, Inc. -timestamp='2011-11-11' +timestamp='2014-03-23' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or +# the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but 
@@ -17,26 +15,22 @@ timestamp='2011-11-11' # General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA -# 02110-1301, USA. +# along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. - - -# Originally written by Per Bothner. Please send patches (context -# diff format) to and include a ChangeLog -# entry. +# the same distribution terms that you use for the rest of that +# program. This Exception is an additional permission under section 7 +# of the GNU General Public License, version 3 ("GPLv3"). # -# This script attempts to guess a canonical system name similar to -# config.sub. If it succeeds, it prints the system name on stdout, and -# exits with 0. Otherwise, it exits with 1. +# Originally written by Per Bothner. # # You can get the latest version of this script from: # http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD +# +# Please send patches with a ChangeLog entry to config-patches@gnu.org. + me=`echo "$0" | sed -e 's,.*/,,'` @@ -56,9 +50,7 @@ version="\ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, -2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free -Software Foundation, Inc. +Copyright 1992-2014 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 
@@ -140,12 +132,33 @@ UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown +case "${UNAME_SYSTEM}" in +Linux|GNU|GNU/*) + # If the system lacks a compiler, then just pick glibc. + # We could probably try harder. + LIBC=gnu + + eval $set_cc_for_build + cat <<-EOF > $dummy.c + #include + #if defined(__UCLIBC__) + LIBC=uclibc + #elif defined(__dietlibc__) + LIBC=dietlibc + #else + LIBC=gnu + #endif + EOF + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'` + ;; +esac + # Note: order is significant - the case branches are not exclusive. case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in *:NetBSD:*:*) # NetBSD (nbsd) targets should (where applicable) match one or - # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*, + # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently # switched to ELF, *-*-netbsd* would select the old # object file format. This provides both forward @@ -202,6 +215,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. echo "${machine}-${os}${release}" exit ;; + *:Bitrig:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` + echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE} + exit ;; *:OpenBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} @@ -304,7 +321,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) echo arm-acorn-riscix${UNAME_RELEASE} exit ;; - arm:riscos:*:*|arm:RISCOS:*:*) + arm*:riscos:*:*|arm*:RISCOS:*:*) echo arm-unknown-riscos exit ;; SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) 
@@ -803,10 +820,13 @@ EOF i*:CYGWIN*:*) echo ${UNAME_MACHINE}-pc-cygwin exit ;; + *:MINGW64*:*) + echo ${UNAME_MACHINE}-pc-mingw64 + exit ;; *:MINGW*:*) echo ${UNAME_MACHINE}-pc-mingw32 exit ;; - i*:MSYS*:*) + *:MSYS*:*) echo ${UNAME_MACHINE}-pc-msys exit ;; i*:windows32*:*) @@ -854,15 +874,22 @@ EOF exit ;; *:GNU:*:*) # the GNU system - echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` + echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` exit ;; *:GNU/*:*:*) # other systems with GNU libc and userland - echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu + echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} exit ;; i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix exit ;; + aarch64:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + aarch64_be:Linux:*:*) + UNAME_MACHINE=aarch64_be + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; alpha:Linux:*:*) case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in EV5) UNAME_MACHINE=alphaev5 ;; 
@@ -874,59 +901,54 @@ EOF EV68*) UNAME_MACHINE=alphaev68 ;; esac objdump --private-headers /bin/sh | grep -q ld.so.1 - if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi - echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} + if test "$?" = 0 ; then LIBC="gnulibc1" ; fi + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + arc:Linux:*:* | arceb:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; arm*:Linux:*:*) eval $set_cc_for_build if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_EABI__ then - echo ${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} else if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_PCS_VFP then - echo ${UNAME_MACHINE}-unknown-linux-gnueabi + echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi else - echo ${UNAME_MACHINE}-unknown-linux-gnueabihf + echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf fi fi exit ;; avr32*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; cris:Linux:*:*) - echo cris-axis-linux-gnu + echo ${UNAME_MACHINE}-axis-linux-${LIBC} exit ;; crisv32:Linux:*:*) - echo crisv32-axis-linux-gnu + echo ${UNAME_MACHINE}-axis-linux-${LIBC} exit ;; frv:Linux:*:*) - echo frv-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; hexagon:Linux:*:*) - echo hexagon-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; i*86:Linux:*:*) - LIBC=gnu - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c - #ifdef __dietlibc__ - LIBC=dietlibc - #endif -EOF - eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'` - echo "${UNAME_MACHINE}-pc-linux-${LIBC}" + echo ${UNAME_MACHINE}-pc-linux-${LIBC} exit ;; ia64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; m32r*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; m68*:Linux:*:*) - echo 
${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; mips:Linux:*:* | mips64:Linux:*:*) eval $set_cc_for_build 
@@ -945,54 +967,63 @@ EOF #endif EOF eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` - test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } + test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } ;; - or32:Linux:*:*) - echo or32-unknown-linux-gnu + openrisc*:Linux:*:*) + echo or1k-unknown-linux-${LIBC} + exit ;; + or32:Linux:*:* | or1k*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; padre:Linux:*:*) - echo sparc-unknown-linux-gnu + echo sparc-unknown-linux-${LIBC} exit ;; parisc64:Linux:*:* | hppa64:Linux:*:*) - echo hppa64-unknown-linux-gnu + echo hppa64-unknown-linux-${LIBC} exit ;; parisc:Linux:*:* | hppa:Linux:*:*) # Look for CPU level case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in - PA7*) echo hppa1.1-unknown-linux-gnu ;; - PA8*) echo hppa2.0-unknown-linux-gnu ;; - *) echo hppa-unknown-linux-gnu ;; + PA7*) echo hppa1.1-unknown-linux-${LIBC} ;; + PA8*) echo hppa2.0-unknown-linux-${LIBC} ;; + *) echo hppa-unknown-linux-${LIBC} ;; esac exit ;; ppc64:Linux:*:*) - echo powerpc64-unknown-linux-gnu + echo powerpc64-unknown-linux-${LIBC} exit ;; ppc:Linux:*:*) - echo powerpc-unknown-linux-gnu + echo powerpc-unknown-linux-${LIBC} + exit ;; + ppc64le:Linux:*:*) + echo powerpc64le-unknown-linux-${LIBC} + exit ;; + ppcle:Linux:*:*) + echo powerpcle-unknown-linux-${LIBC} exit ;; s390:Linux:*:* | s390x:Linux:*:*) - echo ${UNAME_MACHINE}-ibm-linux + echo ${UNAME_MACHINE}-ibm-linux-${LIBC} exit ;; sh64*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; sh*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; sparc:Linux:*:* | sparc64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; tile*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; vax:Linux:*:*) - echo 
${UNAME_MACHINE}-dec-linux-gnu + echo ${UNAME_MACHINE}-dec-linux-${LIBC} exit ;; x86_64:Linux:*:*) - echo x86_64-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; xtensa*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; i*86:DYNIX/ptx:4*:*) # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. @@ -1196,6 +1227,9 @@ EOF BePC:Haiku:*:*) # Haiku running on Intel PC compatible. echo i586-pc-haiku exit ;; + x86_64:Haiku:*:*) + echo x86_64-unknown-haiku + exit ;; SX-4:SUPER-UX:*:*) echo sx4-nec-superux${UNAME_RELEASE} exit ;; 
@@ -1222,19 +1256,31 @@ EOF exit ;; *:Darwin:*:*) UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown - case $UNAME_PROCESSOR in - i386) - eval $set_cc_for_build - if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then - if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ - grep IS_64BIT_ARCH >/dev/null - then - UNAME_PROCESSOR="x86_64" - fi - fi ;; - unknown) UNAME_PROCESSOR=powerpc ;; - esac + eval $set_cc_for_build + if test "$UNAME_PROCESSOR" = unknown ; then + UNAME_PROCESSOR=powerpc + fi + if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then + if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ + (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_64BIT_ARCH >/dev/null + then + case $UNAME_PROCESSOR in + i386) UNAME_PROCESSOR=x86_64 ;; + powerpc) UNAME_PROCESSOR=powerpc64 ;; + esac + fi + fi + elif test "$UNAME_PROCESSOR" = i386 ; then + # Avoid executing cc on OS X 10.9, as it ships with a stub + # that puts up a graphical alert prompting to install + # developer tools. Any system running Mac OS X 10.7 or + # later (Darwin 11 and later) is required to have a 64-bit + # processor. This is not true of the ARM version of Darwin + # that Apple uses in portable devices. + UNAME_PROCESSOR=x86_64 + fi echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} exit ;; *:procnto*:*:* | *:QNX:[0123456789]*:*) @@ -1251,7 +1297,7 @@ EOF NEO-?:NONSTOP_KERNEL:*:*) echo neo-tandem-nsk${UNAME_RELEASE} exit ;; - NSE-?:NONSTOP_KERNEL:*:*) + NSE-*:NONSTOP_KERNEL:*:*) echo nse-tandem-nsk${UNAME_RELEASE} exit ;; NSR-?:NONSTOP_KERNEL:*:*) 
@@ -1320,159 +1366,11 @@ EOF i*86:AROS:*:*) echo ${UNAME_MACHINE}-pc-aros exit ;; + x86_64:VMkernel:*:*) + echo ${UNAME_MACHINE}-unknown-esx + exit ;; esac -#echo '(No uname command or uname output not recognized.)' 1>&2 -#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2 - -eval $set_cc_for_build -cat >$dummy.c < -# include -#endif -main () -{ -#if defined (sony) -#if defined (MIPSEB) - /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed, - I don't know.... */ - printf ("mips-sony-bsd\n"); exit (0); -#else -#include - printf ("m68k-sony-newsos%s\n", -#ifdef NEWSOS4 - "4" -#else - "" -#endif - ); exit (0); -#endif -#endif - -#if defined (__arm) && defined (__acorn) && defined (__unix) - printf ("arm-acorn-riscix\n"); exit (0); -#endif - -#if defined (hp300) && !defined (hpux) - printf ("m68k-hp-bsd\n"); exit (0); -#endif - -#if defined (NeXT) -#if !defined (__ARCHITECTURE__) -#define __ARCHITECTURE__ "m68k" -#endif - int version; - version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`; - if (version < 4) - printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version); - else - printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version); - exit (0); -#endif - -#if defined (MULTIMAX) || defined (n16) -#if defined (UMAXV) - printf ("ns32k-encore-sysv\n"); exit (0); -#else -#if defined (CMU) - printf ("ns32k-encore-mach\n"); exit (0); -#else - printf ("ns32k-encore-bsd\n"); exit (0); -#endif -#endif -#endif - -#if defined (__386BSD__) - printf ("i386-pc-bsd\n"); exit (0); -#endif - -#if defined (sequent) -#if defined (i386) - printf ("i386-sequent-dynix\n"); exit (0); -#endif -#if defined (ns32000) - printf ("ns32k-sequent-dynix\n"); exit (0); -#endif -#endif - -#if defined (_SEQUENT_) - struct utsname un; - - uname(&un); - - if (strncmp(un.version, "V2", 2) == 0) { - printf ("i386-sequent-ptx2\n"); exit (0); - } - if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? 
*/ - printf ("i386-sequent-ptx1\n"); exit (0); - } - printf ("i386-sequent-ptx\n"); exit (0); - -#endif - -#if defined (vax) -# if !defined (ultrix) -# include -# if defined (BSD) -# if BSD == 43 - printf ("vax-dec-bsd4.3\n"); exit (0); -# else -# if BSD == 199006 - printf ("vax-dec-bsd4.3reno\n"); exit (0); -# else - printf ("vax-dec-bsd\n"); exit (0); -# endif -# endif -# else - printf ("vax-dec-bsd\n"); exit (0); -# endif -# else - printf ("vax-dec-ultrix\n"); exit (0); -# endif -#endif - -#if defined (alliant) && defined (i860) - printf ("i860-alliant-bsd\n"); exit (0); -#endif - - exit (1); -} -EOF - -$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` && - { echo "$SYSTEM_NAME"; exit; } - -# Apollos put the system type in the environment. - -test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; } - -# Convex versions that predate uname can use getsysinfo(1) - -if [ -x /usr/convex/getsysinfo ] -then - case `getsysinfo -f cpu_type` in - c1*) - echo c1-convex-bsd - exit ;; - c2*) - if getsysinfo -f scalar_acc - then echo c32-convex-bsd - else echo c2-convex-bsd - fi - exit ;; - c34*) - echo c34-convex-bsd - exit ;; - c38*) - echo c38-convex-bsd - exit ;; - c4*) - echo c4-convex-bsd - exit ;; - esac -fi - cat >&2 <. # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. +# the same distribution terms that you use for the rest of that +# program. This Exception is an additional permission under section 7 +# of the GNU General Public License, version 3 ("GPLv3"). -# Please send patches to . Submit a context -# diff and a properly formatted GNU ChangeLog entry. +# Please send patches with a ChangeLog entry to config-patches@gnu.org. # # Configuration subroutine to validate and canonicalize a configuration type. 
# Supply the specified configuration type as an argument. @@ -75,9 +68,7 @@ Report bugs and patches to ." version="\ GNU config.sub ($timestamp) -Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, -2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free -Software Foundation, Inc. +Copyright 1992-2014 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -125,13 +116,17 @@ esac maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` case $maybe_os in nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ - linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ + linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ knetbsd*-gnu* | netbsd*-gnu* | \ kopensolaris*-gnu* | \ storm-chaos* | os2-emx* | rtmk-nova*) os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` ;; + android-linux) + os=-linux-android + basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown + ;; *) basic_machine=`echo $1 | sed 's/-[^-]*$//'` if [ $basic_machine != $1 ] @@ -154,7 +149,7 @@ case $os in -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ - -apple | -axis | -knuth | -cray | -microblaze) + -apple | -axis | -knuth | -cray | -microblaze*) os= basic_machine=$1 ;; @@ -223,6 +218,12 @@ case $os in -isc*) basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; + -lynx*178) + os=-lynxos178 + ;; + -lynx*5) + os=-lynxos5 + ;; -lynx*) os=-lynxos ;; 
@@ -247,13 +248,16 @@ case $basic_machine in # Some are omitted here because they have special meanings below. 1750a | 580 \ | a29k \ + | aarch64 | aarch64_be \ | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ | am33_2.0 \ - | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \ - | be32 | be64 \ + | arc | arceb \ + | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \ + | avr | avr32 \ + | be32 | be64 \ | bfin \ - | c4x | clipper \ + | c4x | c8051 | clipper \ | d10v | d30v | dlx | dsp16xx \ | epiphany \ | fido | fr30 | frv \ @@ -261,10 +265,11 @@ case $basic_machine in | hexagon \ | i370 | i860 | i960 | ia64 \ | ip2k | iq2000 \ + | k1om \ | le32 | le64 \ | lm32 \ | m32c | m32r | m32rle | m68000 | m68k | m88k \ - | maxq | mb | microblaze | mcore | mep | metag \ + | maxq | mb | microblaze | microblazeel | mcore | mep | metag \ | mips | mipsbe | mipseb | mipsel | mipsle \ | mips16 \ | mips64 | mips64el \ @@ -278,23 +283,26 @@ case $basic_machine in | mips64vr5900 | mips64vr5900el \ | mipsisa32 | mipsisa32el \ | mipsisa32r2 | mipsisa32r2el \ + | mipsisa32r6 | mipsisa32r6el \ | mipsisa64 | mipsisa64el \ | mipsisa64r2 | mipsisa64r2el \ + | mipsisa64r6 | mipsisa64r6el \ | mipsisa64sb1 | mipsisa64sb1el \ | mipsisa64sr71k | mipsisa64sr71kel \ + | mipsr5900 | mipsr5900el \ | mipstx39 | mipstx39el \ | mn10200 | mn10300 \ | moxie \ | mt \ | msp430 \ | nds32 | nds32le | nds32be \ - | nios | nios2 \ + | nios | nios2 | nios2eb | nios2el \ | ns16k | ns32k \ - | open8 \ - | or32 \ + | open8 | or1k | or1knd | or32 \ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle \ | pyramid \ + | riscv32 | riscv64 \ | rl78 | rx \ | score \ | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ 
@@ -319,8 +327,7 @@ case $basic_machine in c6x) basic_machine=tic6x-unknown ;; - m6811 | m68hc11 | m6812 | m68hc12 | picochip) - # Motorola 68HC11/12. + m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip) basic_machine=$basic_machine-unknown os=-none ;; @@ -333,7 +340,10 @@ case $basic_machine in strongarm | thumb | xscale) basic_machine=arm-unknown ;; - + xgate) + basic_machine=$basic_machine-unknown + os=-none + ;; xscaleeb) basic_machine=armeb-unknown ;; @@ -356,15 +366,16 @@ case $basic_machine in # Recognize the basic CPU types with company name. 580-* \ | a29k-* \ + | aarch64-* | aarch64_be-* \ | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ - | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \ + | alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ | avr-* | avr32-* \ | be32-* | be64-* \ | bfin-* | bs2000-* \ | c[123]* | c30-* | [cjt]90-* | c4x-* \ - | clipper-* | craynv-* | cydra-* \ + | c8051-* | clipper-* | craynv-* | cydra-* \ | d10v-* | d30v-* | dlx-* \ | elxsi-* \ | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ @@ -373,11 +384,13 @@ case $basic_machine in | hexagon-* \ | i*86-* | i860-* | i960-* | ia64-* \ | ip2k-* | iq2000-* \ + | k1om-* \ | le32-* | le64-* \ | lm32-* \ | m32c-* | m32r-* | m32rle-* \ | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ - | m88110-* | m88k-* | maxq-* | mcore-* | metag-* | microblaze-* \ + | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \ + | microblaze-* | microblazeel-* \ | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ | mips16-* \ | mips64-* | mips64el-* \ 
@@ -391,18 +404,22 @@ case $basic_machine in | mips64vr5900-* | mips64vr5900el-* \ | mipsisa32-* | mipsisa32el-* \ | mipsisa32r2-* | mipsisa32r2el-* \ + | mipsisa32r6-* | mipsisa32r6el-* \ | mipsisa64-* | mipsisa64el-* \ | mipsisa64r2-* | mipsisa64r2el-* \ + | mipsisa64r6-* | mipsisa64r6el-* \ | mipsisa64sb1-* | mipsisa64sb1el-* \ | mipsisa64sr71k-* | mipsisa64sr71kel-* \ + | mipsr5900-* | mipsr5900el-* \ | mipstx39-* | mipstx39el-* \ | mmix-* \ | mt-* \ | msp430-* \ | nds32-* | nds32le-* | nds32be-* \ - | nios-* | nios2-* \ + | nios-* | nios2-* | nios2eb-* | nios2el-* \ | none-* | np1-* | ns16k-* | ns32k-* \ | open8-* \ + | or1k*-* \ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ @@ -719,7 +736,6 @@ case $basic_machine in i370-ibm* | ibm*) basic_machine=i370-ibm ;; -# I'm not sure what "Sysv32" means. Should this be sysv3.2? i*86v32) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv32 @@ -777,11 +793,15 @@ case $basic_machine in basic_machine=ns32k-utek os=-sysv ;; - microblaze) + microblaze*) basic_machine=microblaze-xilinx ;; + mingw64) + basic_machine=x86_64-pc + os=-mingw64 + ;; mingw32) - basic_machine=i386-pc + basic_machine=i686-pc os=-mingw32 ;; mingw32ce) @@ -809,6 +829,10 @@ case $basic_machine in basic_machine=powerpc-unknown os=-morphos ;; + moxiebox) + basic_machine=moxie-unknown + os=-moxiebox + ;; msdos) basic_machine=i386-pc os=-msdos @@ -817,7 +841,7 @@ case $basic_machine in basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` ;; msys) - basic_machine=i386-pc + basic_machine=i686-pc os=-msys ;; mvs) @@ -1008,7 +1032,11 @@ case $basic_machine in basic_machine=i586-unknown os=-pw32 ;; - rdos) + rdos | rdos64) + basic_machine=x86_64-pc + os=-rdos + ;; + rdos32) basic_machine=i386-pc os=-rdos ;; 
@@ -1335,29 +1363,29 @@ case $os in -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\ | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \ - | -sym* | -kopensolaris* \ + | -sym* | -kopensolaris* | -plan9* \ | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ | -aos* | -aros* \ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ - | -openbsd* | -solidbsd* \ + | -bitrig* | -openbsd* | -solidbsd* \ | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ | -chorusos* | -chorusrdb* | -cegcc* \ | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ - | -mingw32* | -linux-gnu* | -linux-android* \ - | -linux-newlib* | -linux-uclibc* \ - | -uxpv* | -beos* | -mpeix* | -udk* \ + | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ + | -linux-newlib* | -linux-musl* | -linux-uclibc* \ + | -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ - | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*) + | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) @@ -1481,9 +1509,6 @@ case $os in -aros*) os=-aros ;; - -kaos*) - os=-kaos - ;; -zvmoe) os=-zvmoe ;; 
@@ -1532,6 +1557,12 @@ case $basic_machine in c4x-* | tic4x-*) os=-coff ;; + c8051-*) + os=-elf + ;; + hexagon-*) + os=-elf + ;; tic54x-*) os=-coff ;; @@ -1559,9 +1590,6 @@ case $basic_machine in ;; m68000-sun) os=-sunos3 - # This also exists in the configure program, but was not the - # default. - # os=-sunos4 ;; m68*-cisco) os=-aout diff --git a/auto/depcomp b/auto/depcomp index e5f9736..4ebd5b3 100755 --- a/auto/depcomp +++ b/auto/depcomp @@ -1,10 +1,9 @@ #! /bin/sh # depcomp - compile a program generating dependencies as side-effects -scriptversion=2007-03-29.01 +scriptversion=2013-05-30.07; # UTC -# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006, 2007 Free Software -# Foundation, Inc. +# Copyright (C) 1999-2013 Free Software Foundation, Inc. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -17,9 +16,7 @@ scriptversion=2007-03-29.01 # GNU General Public License for more details. # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA -# 02110-1301, USA. +# along with this program. If not, see . # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a @@ -30,9 +27,9 @@ scriptversion=2007-03-29.01 case $1 in '') - echo "$0: No command. Try \`$0 --help' for more information." 1>&2 - exit 1; - ;; + echo "$0: No command. Try '$0 --help' for more information." 1>&2 + exit 1; + ;; -h | --h*) cat <<\EOF Usage: depcomp [--help] [--version] PROGRAM [ARGS] 
@@ -42,11 +39,11 @@ as side-effects.
 Environment variables:
 depmode Dependency tracking mode.
- source Source file read by `PROGRAMS ARGS'.
- object Object file output by `PROGRAMS ARGS'.
+ source Source file read by 'PROGRAMS ARGS'.
+ object Object file output by 'PROGRAMS ARGS'.
 DEPDIR directory where to store dependencies.
 depfile Dependency file to output.
- tmpdepfile Temporary file to use when outputing dependencies.
+ tmpdepfile Temporary file to use when outputting dependencies.
 libtool Whether libtool is used (yes/no).
 Report bugs to .
@@ -59,6 +56,66 @@ EOF
 ;;
 esac
+# Get the directory component of the given path, and save it in the
+# global variables '$dir'. Note that this directory component will
+# be either empty or ending with a '/' character. This is deliberate.
+set_dir_from ()
+{
+ case $1 in
+ */*) dir=`echo "$1" | sed -e 's|/[^/]*$|/|'`;;
+ *) dir=;;
+ esac
+}
+
+# Get the suffix-stripped basename of the given path, and save it the
+# global variable '$base'.
+set_base_from ()
+{
+ base=`echo "$1" | sed -e 's|^.*/||' -e 's/\.[^.]*$//'`
+}
+
+# If no dependency file was actually created by the compiler invocation,
+# we still have to create a dummy depfile, to avoid errors with the
+# Makefile "include basename.Plo" scheme.
+make_dummy_depfile ()
+{
+ echo "#dummy" > "$depfile"
+}
+
+# Factor out some common post-processing of the generated depfile.
+# Requires the auxiliary global variable '$tmpdepfile' to be set.
+aix_post_process_depfile ()
+{
+ # If the compiler actually managed to produce a dependency file,
+ # post-process it.
+ if test -f "$tmpdepfile"; then
+ # Each line is of the form 'foo.o: dependency.h'.
+ # Do two passes, one to just change these to
+ # $object: dependency.h
+ # and one to simply output
+ # dependency.h:
+ # which is needed to avoid the deleted-header problem.
+ { sed -e "s,^.*\.[$lower]*:,$object:," < "$tmpdepfile"
+ sed -e "s,^.*\.[$lower]*:[$tab ]*,," -e 's,$,:,' < "$tmpdepfile"
+ } > "$depfile"
+ rm -f "$tmpdepfile"
+ else
+ make_dummy_depfile
+ fi
+}
+
+# A tabulation character.
+tab=' '
+# A newline character.
+nl='
+'
+# Character ranges might be problematic outside the C locale.
+# These definitions help.
+upper=ABCDEFGHIJKLMNOPQRSTUVWXYZ
+lower=abcdefghijklmnopqrstuvwxyz
+digits=0123456789
+alpha=${upper}${lower}
+
 if test -z "$depmode" || test -z "$source" || test -z "$object"; then
 echo "depcomp: Variables source, object and depmode must be set" 1>&2
 exit 1
@@ -71,6 +128,9 @@ tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}
 rm -f "$tmpdepfile"
+# Avoid interferences from the environment.
+gccflag= dashmflag=
+
 # Some modes work just like other modes, but use different flags. We
 # parameterize here, but still list the modes in the big case below,
 # to make depend.m4 easier to write. Note that we *cannot* use a case
@@ -82,9 +142,32 @@ if test "$depmode" = hp; then
 fi
 if test "$depmode" = dashXmstdout; then
- # This is just like dashmstdout with a different argument.
- dashmflag=-xM
- depmode=dashmstdout
+ # This is just like dashmstdout with a different argument.
+ dashmflag=-xM
+ depmode=dashmstdout
+fi
+
+cygpath_u="cygpath -u -f -"
+if test "$depmode" = msvcmsys; then
+ # This is just like msvisualcpp but w/o cygpath translation.
+ # Just convert the backslash-escaped backslashes to single forward
+ # slashes to satisfy depend.m4
+ cygpath_u='sed s,\\\\,/,g'
+ depmode=msvisualcpp
+fi
+
+if test "$depmode" = msvc7msys; then
+ # This is just like msvc7 but w/o cygpath translation.
+ # Just convert the backslash-escaped backslashes to single forward
+ # slashes to satisfy depend.m4
+ cygpath_u='sed s,\\\\,/,g'
+ depmode=msvc7
+fi
+
+if test "$depmode" = xlc; then
+ # IBM C/C++ Compilers xlc/xlC can output gcc-like dependency information.
+ gccflag=-qmakedep=gcc,-MF
+ depmode=gcc
 fi
 case "$depmode" in
@@ -107,8 +190,7 @@ gcc3)
 done
 "$@"
 stat=$?
- if test $stat -eq 0; then :
- else
+ if test $stat -ne 0; then
 rm -f "$tmpdepfile"
 exit $stat
 fi
@@ -116,13 +198,17 @@ gcc3)
 ;;
 gcc)
+## Note that this doesn't just cater to obsosete pre-3.x GCC compilers.
+## but also to in-use compilers like IMB xlc/xlC and the HP C compiler.
+## (see the conditional assignment to $gccflag above).
 ## There are various ways to get dependency output from gcc. Here's
 ## why we pick this rather obscure method:
 ## - Don't want to use -MD because we'd like the dependencies to end
 ## up in a subdir. Having to rename by hand is ugly.
 ## (We might end up doing this anyway to support other compilers.)
 ## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like
-## -MM, not -M (despite what the docs say).
+## -MM, not -M (despite what the docs say). Also, it might not be
+## supported by the other compilers which use the 'gcc' depmode.
 ## - Using -M directly means running the compiler twice (even worse
 ## than renaming).
 if test -z "$gccflag"; then
@@ -130,31 +216,31 @@ gcc)
 fi
 "$@" -Wp,"$gccflag$tmpdepfile"
 stat=$?
- if test $stat -eq 0; then :
- else
+ if test $stat -ne 0; then
 rm -f "$tmpdepfile"
 exit $stat
 fi
 rm -f "$depfile"
 echo "$object : \\" > "$depfile"
- alpha=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
-## The second -e expression handles DOS-style file names with drive letters.
+ # The second -e expression handles DOS-style file names with drive
+ # letters.
 sed -e 's/^[^:]*: / /' \
 -e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile"
-## This next piece of magic avoids the `deleted header file' problem.
+## This next piece of magic avoids the "deleted header file" problem.
 ## The problem is that when a header file which appears in a .P file
 ## is deleted, the dependency causes make to die (because there is
 ## typically no way to rebuild the header). We avoid this by adding
 ## dummy dependencies for each header file. Too bad gcc doesn't do
 ## this for us directly.
- tr ' ' '
-' < "$tmpdepfile" |
-## Some versions of gcc put a space before the `:'. On the theory
+## Some versions of gcc put a space before the ':'. On the theory
 ## that the space means something, we add a space to the output as
-## well.
+## well. hp depmode also adds that space, but also prefixes the VPATH
+## to the object. Take care to not repeat it in the output.
 ## Some versions of the HPUX 10.20 sed can't process this invocation
 ## correctly. Breaking it into two sed invocations is a workaround.
- sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
+ tr ' ' "$nl" < "$tmpdepfile" \
+ | sed -e 's/^\\$//' -e '/^$/d' -e "s|.*$object$||" -e '/:$/d' \
+ | sed -e 's/$/ :/' >> "$depfile"
 rm -f "$tmpdepfile"
 ;;
@@ -172,8 +258,7 @@ sgi)
 "$@" -MDupdate "$tmpdepfile"
 fi
 stat=$?
- if test $stat -eq 0; then :
- else
+ if test $stat -ne 0; then
 rm -f "$tmpdepfile"
 exit $stat
 fi
@@ -181,43 +266,41 @@ sgi)
 if test -f "$tmpdepfile"; then # yes, the sourcefile depend on other files
 echo "$object : \\" > "$depfile"
-
 # Clip off the initial element (the dependent). Don't try to be
 # clever and replace this with sed code, as IRIX sed won't handle
 # lines with more than a fixed number of characters (4096 in
 # IRIX 6.2 sed, 8192 in IRIX 6.5). We also remove comment lines;
- # the IRIX cc adds comments like `#:fec' to the end of the
+ # the IRIX cc adds comments like '#:fec' to the end of the
 # dependency line.
- tr ' ' '
-' < "$tmpdepfile" \
- | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \
- tr '
-' ' ' >> $depfile
- echo >> $depfile
-
+ tr ' ' "$nl" < "$tmpdepfile" \
+ | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' \
+ | tr "$nl" ' ' >> "$depfile"
+ echo >> "$depfile"
 # The second pass generates a dummy entry for each header file.
- tr ' ' '
-' < "$tmpdepfile" \
- | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
- >> $depfile
+ tr ' ' "$nl" < "$tmpdepfile" \
+ | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
+ >> "$depfile"
 else
- # The sourcefile does not contain any dependencies, so just
- # store a dummy comment line, to avoid errors with the Makefile
- # "include basename.Plo" scheme.
- echo "#dummy" > "$depfile"
+ make_dummy_depfile
 fi
 rm -f "$tmpdepfile"
 ;;
+xlc)
+ # This case exists only to let depend.m4 do its work. It works by
+ # looking at the text of this script. This case will never be run,
+ # since it is checked for above.
+ exit 1
+ ;;
+
 aix)
 # The C for AIX Compiler uses -M and outputs the dependencies
 # in a .u file. In older versions, this file always lives in the
- # current directory. Also, the AIX compiler puts `$object:' at the
+ # current directory. Also, the AIX compiler puts '$object:' at the
 # start of each line; $object doesn't have directory information.
 # Version 6 uses the directory in both cases.
- dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
- test "x$dir" = "x$object" && dir=
- base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
+ set_dir_from "$object"
+ set_base_from "$object"
 if test "$libtool" = yes; then
 tmpdepfile1=$dir$base.u
 tmpdepfile2=$base.u
@@ -230,9 +313,7 @@ aix)
 "$@" -M
 fi
 stat=$?
-
- if test $stat -eq 0; then :
- else
+ if test $stat -ne 0; then
 rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
 exit $stat
 fi
@@ -241,44 +322,100 @@ aix)
 do
 test -f "$tmpdepfile" && break
 done
- if test -f "$tmpdepfile"; then
- # Each line is of the form `foo.o: dependent.h'.
- # Do two passes, one to just change these to
- # `$object: dependent.h' and one to simply `dependent.h:'.
- sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
- # That's a tab and a space in the [].
- sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
- else
- # The sourcefile does not contain any dependencies, so just
- # store a dummy comment line, to avoid errors with the Makefile
- # "include basename.Plo" scheme.
- echo "#dummy" > "$depfile"
+ aix_post_process_depfile
+ ;;
+
+tcc)
+ # tcc (Tiny C Compiler) understand '-MD -MF file' since version 0.9.26
+ # FIXME: That version still under development at the moment of writing.
+ # Make that this statement remains true also for stable, released
+ # versions.
+ # It will wrap lines (doesn't matter whether long or short) with a
+ # trailing '\', as in:
+ #
+ # foo.o : \
+ # foo.c \
+ # foo.h \
+ #
+ # It will put a trailing '\' even on the last line, and will use leading
+ # spaces rather than leading tabs (at least since its commit 0394caf7
+ # "Emit spaces for -MD").
+ "$@" -MD -MF "$tmpdepfile"
+ stat=$?
+ if test $stat -ne 0; then
+ rm -f "$tmpdepfile"
+ exit $stat
 fi
+ rm -f "$depfile"
+ # Each non-empty line is of the form 'foo.o : \' or ' dep.h \'.
+ # We have to change lines of the first kind to '$object: \'.
+ sed -e "s|.*:|$object :|" < "$tmpdepfile" > "$depfile"
+ # And for each line of the second kind, we have to emit a 'dep.h:'
+ # dummy dependency, to avoid the deleted-header problem.
+ sed -n -e 's|^ *\(.*\) *\\$|\1:|p' < "$tmpdepfile" >> "$depfile"
 rm -f "$tmpdepfile"
 ;;
-icc)
- # Intel's C compiler understands `-MD -MF file'. However on
- # icc -MD -MF foo.d -c -o sub/foo.o sub/foo.c
- # ICC 7.0 will fill foo.d with something like
- # foo.o: sub/foo.c
- # foo.o: sub/foo.h
- # which is wrong. We want:
- # sub/foo.o: sub/foo.c
- # sub/foo.o: sub/foo.h
- # sub/foo.c:
- # sub/foo.h:
- # ICC 7.1 will output
+## The order of this option in the case statement is important, since the
+## shell code in configure will try each of these formats in the order
+## listed in this file. A plain '-MD' option would be understood by many
+## compilers, so we must ensure this comes after the gcc and icc options.
+pgcc)
+ # Portland's C compiler understands '-MD'.
+ # Will always output deps to 'file.d' where file is the root name of the
+ # source file under compilation, even if file resides in a subdirectory.
+ # The object file name does not affect the name of the '.d' file.
+ # pgcc 10.2 will output
 # foo.o: sub/foo.c sub/foo.h
- # and will wrap long lines using \ :
+ # and will wrap long lines using '\' :
 # foo.o: sub/foo.c ... \
 # sub/foo.h ... \
 # ...
+ set_dir_from "$object"
+ # Use the source, not the object, to determine the base name, since
+ # that's sadly what pgcc will do too.
+ set_base_from "$source"
+ tmpdepfile=$base.d
- "$@" -MD -MF "$tmpdepfile"
- stat=$?
- if test $stat -eq 0; then :
- else
+ # For projects that build the same source file twice into different object
+ # files, the pgcc approach of using the *source* file root name can cause
+ # problems in parallel builds. Use a locking strategy to avoid stomping on
+ # the same $tmpdepfile.
+ lockdir=$base.d-lock
+ trap "
+ echo '$0: caught signal, cleaning up...' >&2
+ rmdir '$lockdir'
+ exit 1
+ " 1 2 13 15
+ numtries=100
+ i=$numtries
+ while test $i -gt 0; do
+ # mkdir is a portable test-and-set.
+ if mkdir "$lockdir" 2>/dev/null; then
+ # This process acquired the lock.
+ "$@" -MD
+ stat=$?
+ # Release the lock.
+ rmdir "$lockdir"
+ break
+ else
+ # If the lock is being held by a different process, wait
+ # until the winning process is done or we timeout.
+ while test -d "$lockdir" && test $i -gt 0; do
+ sleep 1
+ i=`expr $i - 1`
+ done
+ fi
+ i=`expr $i - 1`
+ done
+ trap - 1 2 13 15
+ if test $i -le 0; then
+ echo "$0: failed to acquire lock after $numtries attempts" >&2
+ echo "$0: check lockdir '$lockdir'" >&2
+ exit 1
+ fi
+
+ if test $stat -ne 0; then
 rm -f "$tmpdepfile"
 exit $stat
 fi
@@ -290,8 +427,8 @@ icc)
 sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile"
 # Some versions of the HPUX 10.20 sed can't process this invocation
 # correctly. Breaking it into two sed invocations is a workaround.
- sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" |
- sed -e 's/$/ :/' >> "$depfile"
+ sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" \
+ | sed -e 's/$/ :/' >> "$depfile"
 rm -f "$tmpdepfile"
 ;;
@@ -302,9 +439,8 @@ hp2)
 # 'foo.d', which lands next to the object file, wherever that
 # happens to be.
 # Much of this is similar to the tru64 case; see comments there.
- dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
- test "x$dir" = "x$object" && dir=
- base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
+ set_dir_from "$object"
+ set_base_from "$object"
 if test "$libtool" = yes; then
 tmpdepfile1=$dir$base.d
 tmpdepfile2=$dir.libs/$base.d
@@ -315,8 +451,7 @@ hp2)
 "$@" +Maked
 fi
 stat=$?
- if test $stat -eq 0; then :
- else
+ if test $stat -ne 0; then
 rm -f "$tmpdepfile1" "$tmpdepfile2"
 exit $stat
 fi
@@ -326,72 +461,107 @@ hp2)
 test -f "$tmpdepfile" && break
 done
 if test -f "$tmpdepfile"; then
- sed -e "s,^.*\.[a-z]*:,$object:," "$tmpdepfile" > "$depfile"
- # Add `dependent.h:' lines.
- sed -ne '2,${; s/^ *//; s/ \\*$//; s/$/:/; p;}' "$tmpdepfile" >> "$depfile"
+ sed -e "s,^.*\.[$lower]*:,$object:," "$tmpdepfile" > "$depfile"
+ # Add 'dependent.h:' lines.
+ sed -ne '2,${
+ s/^ *//
+ s/ \\*$//
+ s/$/:/
+ p
+ }' "$tmpdepfile" >> "$depfile"
 else
- echo "#dummy" > "$depfile"
+ make_dummy_depfile
 fi
 rm -f "$tmpdepfile" "$tmpdepfile2"
 ;;
 tru64)
- # The Tru64 compiler uses -MD to generate dependencies as a side
- # effect. `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'.
- # At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
- # dependencies in `foo.d' instead, so we check for that too.
- # Subdirectories are respected.
- dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
- test "x$dir" = "x$object" && dir=
- base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
+ # The Tru64 compiler uses -MD to generate dependencies as a side
+ # effect. 'cc -MD -o foo.o ...' puts the dependencies into 'foo.o.d'.
+ # At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
+ # dependencies in 'foo.d' instead, so we check for that too.
+ # Subdirectories are respected.
+ set_dir_from "$object"
+ set_base_from "$object"
- if test "$libtool" = yes; then
- # With Tru64 cc, shared objects can also be used to make a
- # static library. This mechanism is used in libtool 1.4 series to
- # handle both shared and static libraries in a single compilation.
- # With libtool 1.4, dependencies were output in $dir.libs/$base.lo.d.
- #
- # With libtool 1.5 this exception was removed, and libtool now
- # generates 2 separate objects for the 2 libraries. These two
- # compilations output dependencies in $dir.libs/$base.o.d and
- # in $dir$base.o.d. We have to check for both files, because
- # one of the two compilations can be disabled. We should prefer
- # $dir$base.o.d over $dir.libs/$base.o.d because the latter is
- # automatically cleaned when .libs/ is deleted, while ignoring
- # the former would cause a distcleancheck panic.
- tmpdepfile1=$dir.libs/$base.lo.d # libtool 1.4
- tmpdepfile2=$dir$base.o.d # libtool 1.5
- tmpdepfile3=$dir.libs/$base.o.d # libtool 1.5
- tmpdepfile4=$dir.libs/$base.d # Compaq CCC V6.2-504
- "$@" -Wc,-MD
- else
- tmpdepfile1=$dir$base.o.d
- tmpdepfile2=$dir$base.d
- tmpdepfile3=$dir$base.d
- tmpdepfile4=$dir$base.d
- "$@" -MD
- fi
+ if test "$libtool" = yes; then
+ # Libtool generates 2 separate objects for the 2 libraries. These
+ # two compilations output dependencies in $dir.libs/$base.o.d and
+ # in $dir$base.o.d. We have to check for both files, because
+ # one of the two compilations can be disabled. We should prefer
+ # $dir$base.o.d over $dir.libs/$base.o.d because the latter is
+ # automatically cleaned when .libs/ is deleted, while ignoring
+ # the former would cause a distcleancheck panic.
+ tmpdepfile1=$dir$base.o.d # libtool 1.5
+ tmpdepfile2=$dir.libs/$base.o.d # Likewise.
+ tmpdepfile3=$dir.libs/$base.d # Compaq CCC V6.2-504
+ "$@" -Wc,-MD
+ else
+ tmpdepfile1=$dir$base.d
+ tmpdepfile2=$dir$base.d
+ tmpdepfile3=$dir$base.d
+ "$@" -MD
+ fi
- stat=$?
- if test $stat -eq 0; then :
- else
- rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
- exit $stat
- fi
+ stat=$?
+ if test $stat -ne 0; then
+ rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
+ exit $stat
+ fi
- for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
- do
- test -f "$tmpdepfile" && break
- done
- if test -f "$tmpdepfile"; then
- sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
- # That's a tab and a space in the [].
- sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
- else
- echo "#dummy" > "$depfile"
- fi
- rm -f "$tmpdepfile"
- ;;
+ for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
+ do
+ test -f "$tmpdepfile" && break
+ done
+ # Same post-processing that is required for AIX mode.
+ aix_post_process_depfile
+ ;;
+
+msvc7)
+ if test "$libtool" = yes; then
+ showIncludes=-Wc,-showIncludes
+ else
+ showIncludes=-showIncludes
+ fi
+ "$@" $showIncludes > "$tmpdepfile"
+ stat=$?
+ grep -v '^Note: including file: ' "$tmpdepfile"
+ if test $stat -ne 0; then
+ rm -f "$tmpdepfile"
+ exit $stat
+ fi
+ rm -f "$depfile"
+ echo "$object : \\" > "$depfile"
+ # The first sed program below extracts the file names and escapes
+ # backslashes for cygpath. The second sed program outputs the file
+ # name when reading, but also accumulates all include files in the
+ # hold buffer in order to output them again at the end. This only
+ # works with sed implementations that can handle large buffers.
+ sed < "$tmpdepfile" -n '
+/^Note: including file: *\(.*\)/ {
+ s//\1/
+ s/\\/\\\\/g
+ p
+}' | $cygpath_u | sort -u | sed -n '
+s/ /\\ /g
+s/\(.*\)/'"$tab"'\1 \\/p
+s/.\(.*\) \\/\1:/
+H
+$ {
+ s/.*/'"$tab"'/
+ G
+ p
+}' >> "$depfile"
+ echo >> "$depfile" # make sure the fragment doesn't end with a backslash
+ rm -f "$tmpdepfile"
+ ;;
+
+msvc7msys)
+ # This case exists only to let depend.m4 do its work. It works by
+ # looking at the text of this script. This case will never be run,
+ # since it is checked for above.
+ exit 1
+ ;;
 #nosideeffect)
 # This comment above is used by automake to tell side-effect
@@ -404,13 +574,13 @@ dashmstdout)
 # Remove the call to Libtool.
 if test "$libtool" = yes; then
- while test $1 != '--mode=compile'; do
+ while test "X$1" != 'X--mode=compile'; do
 shift
 done
 shift
 fi
- # Remove `-o $object'.
+ # Remove '-o $object'.
 IFS=" "
 for arg
 do
@@ -430,18 +600,18 @@ dashmstdout)
 done
 test -z "$dashmflag" && dashmflag=-M
- # Require at least two characters before searching for `:'
+ # Require at least two characters before searching for ':'
 # in the target name. This is to cope with DOS-style filenames:
- # a dependency such as `c:/foo/bar' could be seen as target `c' otherwise.
+ # a dependency such as 'c:/foo/bar' could be seen as target 'c' otherwise.
 "$@" $dashmflag |
- sed 's:^[ ]*[^: ][^:][^:]*\:[ ]*:'"$object"'\: :' > "$tmpdepfile"
+ sed "s|^[$tab ]*[^:$tab ][^:][^:]*:[$tab ]*|$object: |" > "$tmpdepfile"
 rm -f "$depfile"
 cat < "$tmpdepfile" > "$depfile"
- tr ' ' '
-' < "$tmpdepfile" | \
-## Some versions of the HPUX 10.20 sed can't process this invocation
-## correctly. Breaking it into two sed invocations is a workaround.
- sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
+ # Some versions of the HPUX 10.20 sed can't process this sed invocation
+ # correctly. Breaking it into two sed invocations is a workaround.
+ tr ' ' "$nl" < "$tmpdepfile" \
+ | sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \
+ | sed -e 's/$/ :/' >> "$depfile"
 rm -f "$tmpdepfile"
 ;;
@@ -455,41 +625,51 @@ makedepend)
 "$@" || exit $?
 # Remove any Libtool call
 if test "$libtool" = yes; then
- while test $1 != '--mode=compile'; do
+ while test "X$1" != 'X--mode=compile'; do
 shift
 done
 shift
 fi
 # X makedepend
 shift
- cleared=no
- for arg in "$@"; do
+ cleared=no eat=no
+ for arg
+ do
 case $cleared in
 no)
 set ""; shift
 cleared=yes ;;
 esac
+ if test $eat = yes; then
+ eat=no
+ continue
+ fi
 case "$arg" in
 -D*|-I*)
 set fnord "$@" "$arg"; shift ;;
 # Strip any option that makedepend may not understand. Remove
 # the object too, otherwise makedepend will parse it as a source file.
+ -arch)
+ eat=yes ;;
 -*|$object)
 ;;
 *)
 set fnord "$@" "$arg"; shift ;;
 esac
 done
- obj_suffix="`echo $object | sed 's/^.*\././'`"
+ obj_suffix=`echo "$object" | sed 's/^.*\././'`
 touch "$tmpdepfile"
 ${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
 rm -f "$depfile"
- cat < "$tmpdepfile" > "$depfile"
- sed '1,2d' "$tmpdepfile" | tr ' ' '
-' | \
-## Some versions of the HPUX 10.20 sed can't process this invocation
-## correctly. Breaking it into two sed invocations is a workaround.
- sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
+ # makedepend may prepend the VPATH from the source file name to the object.
+ # No need to regex-escape $object, excess matching of '.' is harmless.
+ sed "s|^.*\($object *:\)|\1|" "$tmpdepfile" > "$depfile"
+ # Some versions of the HPUX 10.20 sed can't process the last invocation
+ # correctly. Breaking it into two sed invocations is a workaround.
+ sed '1,2d' "$tmpdepfile" \
+ | tr ' ' "$nl" \
+ | sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \
+ | sed -e 's/$/ :/' >> "$depfile"
 rm -f "$tmpdepfile" "$tmpdepfile".bak
 ;;
@@ -500,13 +680,13 @@ cpp)
 # Remove the call to Libtool.
 if test "$libtool" = yes; then
- while test $1 != '--mode=compile'; do
+ while test "X$1" != 'X--mode=compile'; do
 shift
 done
 shift
 fi
- # Remove `-o $object'.
+ # Remove '-o $object'.
 IFS=" "
 for arg
 do
@@ -525,10 +705,10 @@ cpp)
 esac
 done
- "$@" -E |
- sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
- -e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' |
- sed '$ s: \\$::' > "$tmpdepfile"
+ "$@" -E \
+ | sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
+ -e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
+ | sed '$ s: \\$::' > "$tmpdepfile"
 rm -f "$depfile"
 echo "$object : \\" > "$depfile"
 cat < "$tmpdepfile" >> "$depfile"
@@ -538,35 +718,56 @@ cpp) msvisualcpp) # Important note: in order to support this mode, a compiler *must* - # always write the preprocessed file to stdout, regardless of -o, - # because we must use -o when running libtool. + # always write the preprocessed file to stdout. "$@" || exit $? + + # Remove the call to Libtool. + if test "$libtool" = yes; then + while test "X$1" != 'X--mode=compile'; do + shift + done + shift + fi + IFS=" " for arg do case "$arg" in + -o) + shift + ;; + $object) + shift + ;; "-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI") - set fnord "$@" - shift - shift - ;; + set fnord "$@" + shift + shift + ;; *) - set fnord "$@" "$arg" - shift - shift - ;; + set fnord "$@" "$arg" + shift + shift + ;; esac done - "$@" -E | - sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::echo "`cygpath -u \\"\1\\"`":p' | sort | uniq > "$tmpdepfile" + "$@" -E 2>/dev/null | + sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::\1:p' | $cygpath_u | sort -u > "$tmpdepfile" rm -f "$depfile" echo "$object : \\" > "$depfile" - . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s:: \1 \\:p' >> "$depfile" - echo " " >> "$depfile" - . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::\1\::p' >> "$depfile" + sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::'"$tab"'\1 \\:p' >> "$depfile" + echo "$tab" >> "$depfile" + sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::\1\::p' >> "$depfile" rm -f "$tmpdepfile" ;; +msvcmsys) + # This case exists only to let depend.m4 do its work. It works by + # looking at the text of this script. This case will never be run, + # since it is checked for above. + exit 1 + ;; + none) exec "$@" ;; @@ -585,5 +786,6 @@ exit 0 # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-end: "$" +# time-stamp-time-zone: "UTC" +# time-stamp-end: "; # UTC" # End: diff --git a/auto/install-sh b/auto/install-sh index a5897de..756420d 100755 --- a/auto/install-sh 
+++ b/auto/install-sh @@ -1,7 +1,7 @@ #!/bin/sh # install - install a program, script, or datafile -scriptversion=2006-12-25.00 +scriptversion=2011-11-20.07; # UTC # This originates from X11R5 (mit/util/scripts/install.sh), which was # later released in X11R6 (xc/config/util/install.sh) with the @@ -35,7 +35,7 @@ scriptversion=2006-12-25.00 # FSF changes to this file are in the public domain. # # Calling this script install-sh is preferred over install.sh, to prevent -# `make' implicit rules from creating a file called install from it +# 'make' implicit rules from creating a file called install from it # when there is no Makefile. # # This script is compatible with the BSD install script, but was written @@ -156,6 +156,10 @@ while test $# -ne 0; do -s) stripcmd=$stripprog;; -t) dst_arg=$2 + # Protect names problematic for 'test' and other utilities. + case $dst_arg in + -* | [=\(\)!]) dst_arg=./$dst_arg;; + esac shift;; -T) no_target_directory=true;; @@ -186,6 +190,10 @@ if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then fi shift # arg dst_arg=$arg + # Protect names problematic for 'test' and other utilities. + case $dst_arg in + -* | [=\(\)!]) dst_arg=./$dst_arg;; + esac done fi @@ -194,13 +202,17 @@ if test $# -eq 0; then echo "$0: no input file specified." >&2 exit 1 fi - # It's OK to call `install-sh -d' without argument. + # It's OK to call 'install-sh -d' without argument. # This can happen when creating conditional directories. exit 0 fi if test -z "$dir_arg"; then - trap '(exit $?); exit' 1 2 13 15 + do_exit='(exit $ret); exit $ret' + trap "ret=129; $do_exit" 1 + trap "ret=130; $do_exit" 2 + trap "ret=141; $do_exit" 13 + trap "ret=143; $do_exit" 15 # Set umask so as not to create temps with too-generous modes. # However, 'strip' requires both read and write access to temps. 
@@ -228,9 +240,9 @@ fi for src do - # Protect names starting with `-'. + # Protect names problematic for 'test' and other utilities. case $src in - -*) src=./$src;; + -* | [=\(\)!]) src=./$src;; esac if test -n "$dir_arg"; then @@ -252,12 +264,7 @@ do echo "$0: no destination specified." >&2 exit 1 fi - dst=$dst_arg - # Protect names starting with `-'. - case $dst in - -*) dst=./$dst;; - esac # If destination is a directory, append the input filename; won't work # if double slashes aren't ignored. 
@@ -338,34 +345,41 @@ do # is incompatible with FreeBSD 'install' when (umask & 300) != 0. ;; *) + # $RANDOM is not portable (e.g. dash); use it when possible to + # lower collision chance tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ - trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0 + trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0 + # As "mkdir -p" follows symlinks and we work in /tmp possibly; so + # create the $tmpdir first (and fail if unsuccessful) to make sure + # that nobody tries to guess the $tmpdir name. if (umask $mkdir_umask && - exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1 + $mkdirprog $mkdir_mode "$tmpdir" && + exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1 then if test -z "$dir_arg" || { # Check for POSIX incompatibilities with -m. # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or - # other-writeable bit of parent directory when it shouldn't. + # other-writable bit of parent directory when it shouldn't. # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. - ls_ld_tmpdir=`ls -ld "$tmpdir"` + test_tmpdir="$tmpdir/a" + ls_ld_tmpdir=`ls -ld "$test_tmpdir"` case $ls_ld_tmpdir in d????-?r-*) different_mode=700;; d????-?--*) different_mode=755;; *) false;; esac && - $mkdirprog -m$different_mode -p -- "$tmpdir" && { - ls_ld_tmpdir_1=`ls -ld "$tmpdir"` + $mkdirprog -m$different_mode -p -- "$test_tmpdir" && { + ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"` test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" } } then posix_mkdir=: fi - rmdir "$tmpdir/d" "$tmpdir" + rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" else # Remove any dirs left behind by ancient mkdir implementations. - rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null + rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null fi trap '' 0;; esac;; @@ -385,7 +399,7 @@ do case $dstdir in /*) prefix='/';; - -*) prefix='./';; + [-=\(\)!]*) prefix='./';; *) prefix='';; esac 
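Review bot: The new comment above the first `$mkdirprog $mkdir_mode "$tmpdir"` call says only that it stops others from guessing the name, but the protection comes from calling mkdir without `-p`, so that it fails when `$tmpdir` already exists. The name itself is predictable wherever `$RANDOM` expands to nothing (the dash case the preceding comment mentions), since it reduces to `ins-$$`. I would reword the comment to `# Create $tmpdir without -p so that mkdir fails if the name already exists (pre-created directory or symlink).` Separately, the `else` branch now runs `rmdir ... "$tmpdir"` even when that first mkdir failed because the path was already there, so it can act on a directory this script did not create. rmdir only removes empty directories, which limits the effect, but recording whether the creation succeeded and cleaning up only then would be cleaner. The enclosing `case` and loop begin and end outside this hunk, and auto/install-sh appears to be the automake-supplied helper, so any change is probably best raised upstream.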
@@ -403,7 +417,7 @@ do for d do - test -z "$d" && continue + test X"$d" = X && continue prefix=$prefix$d if test -d "$prefix"; then @@ -515,5 +529,6 @@ done # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-end: "$" +# time-stamp-time-zone: "UTC" +# time-stamp-end: "; # UTC" # End: diff --git a/auto/ltmain.sh b/auto/ltmain.sh old mode 100755 new mode 100644 index d88da2c..bffda54 --- a/auto/ltmain.sh +++ b/auto/ltmain.sh @@ -1,9 +1,9 @@ -# Generated from ltmain.m4sh. -# ltmain.sh (GNU libtool) 2.2.6b +# libtool (GNU libtool) 2.4.2 # Written by Gordon Matzigkeit , 1996 -# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006, 2007 2008 Free Software Foundation, Inc. +# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006, +# 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc. # This is free software; see the source for copying conditions. There is NO # warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
@@ -32,50 +32,57 @@ # # Provide generalized library-building support services. # -# --config show all configuration variables -# --debug enable verbose shell tracing -# -n, --dry-run display commands without modifying any files -# --features display basic configuration information and exit -# --mode=MODE use operation mode MODE -# --preserve-dup-deps don't remove duplicate dependency libraries -# --quiet, --silent don't print informational messages -# --tag=TAG use configuration variables from tag TAG -# -v, --verbose print informational messages (default) -# --version print version information -# -h, --help print short or long help message +# --config show all configuration variables +# --debug enable verbose shell tracing +# -n, --dry-run display commands without modifying any files +# --features display basic configuration information and exit +# --mode=MODE use operation mode MODE +# --preserve-dup-deps don't remove duplicate dependency libraries +# --quiet, --silent don't print informational messages +# --no-quiet, --no-silent +# print informational messages (default) +# --no-warn don't display warning messages +# --tag=TAG use configuration variables from tag TAG +# -v, --verbose print more informational messages than default +# --no-verbose don't print the extra informational messages +# --version print version information +# -h, --help, --help-all print short, long, or detailed help message # # MODE must be one of the following: # -# clean remove files from the build directory -# compile compile a source file into a libtool object -# execute automatically set library path, then run a program -# finish complete the installation of libtool libraries -# install install libraries or executables -# link create a library or an executable -# uninstall remove libraries from an installed directory +# clean remove files from the build directory +# compile compile a source file into a libtool object +# execute automatically set library path, then run a program +# 
finish complete the installation of libtool libraries +# install install libraries or executables +# link create a library or an executable +# uninstall remove libraries from an installed directory # -# MODE-ARGS vary depending on the MODE. +# MODE-ARGS vary depending on the MODE. When passed as first option, +# `--mode=MODE' may be abbreviated as `MODE' or a unique abbreviation of that. # Try `$progname --help --mode=MODE' for a more detailed description of MODE. # # When reporting a bug, please describe a test case to reproduce it and # include the following information: # -# host-triplet: $host -# shell: $SHELL -# compiler: $LTCC -# compiler flags: $LTCFLAGS -# linker: $LD (gnu? $with_gnu_ld) -# $progname: (GNU libtool) 2.2.6b Debian-2.2.6b-2 -# automake: $automake_version -# autoconf: $autoconf_version +# host-triplet: $host +# shell: $SHELL +# compiler: $LTCC +# compiler flags: $LTCFLAGS +# linker: $LD (gnu? $with_gnu_ld) +# $progname: (GNU libtool) 2.4.2 Debian-2.4.2-1.11 +# automake: $automake_version +# autoconf: $autoconf_version # # Report bugs to . +# GNU libtool home page: . +# General help using GNU software: . -PROGRAM=ltmain.sh +PROGRAM=libtool PACKAGE=libtool -VERSION="2.2.6b Debian-2.2.6b-2" +VERSION="2.4.2 Debian-2.4.2-1.11" TIMESTAMP="" -package_revision=1.3017 +package_revision=1.3337 # Be Bourne compatible if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then @@ -91,10 +98,15 @@ fi BIN_SH=xpg4; export BIN_SH # for Tru64 DUALCASE=1; export DUALCASE # for MKS sh +# A function that is used when there is no print builtin or printf. +func_fallback_echo () +{ + eval 'cat <<_LTECHO_EOF +$1 +_LTECHO_EOF' +} + # NLS nuisances: We save the old values to restore during execute mode. -# Only set LANG and LC_ALL to C if already set. -# These must not be set unconditionally because not all systems understand -# e.g. LANG=C (notably SCO). lt_user_locale= lt_safe_locale= for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES 
@@ -107,24 +119,28 @@ do lt_safe_locale=\"$lt_var=C; \$lt_safe_locale\" fi" done +LC_ALL=C +LANGUAGE=C +export LANGUAGE LC_ALL $lt_unset CDPATH +# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh +# is ksh but when the shell is invoked as "sh" and the current value of +# the _XPG environment variable is not equal to 1 (one), the special +# positional parameter $0, within a function call, is the name of the +# function. +progpath="$0" : ${CP="cp -f"} -: ${ECHO="echo"} -: ${EGREP="/bin/grep -E"} -: ${FGREP="/bin/grep -F"} -: ${GREP="/bin/grep"} -: ${LN_S="ln -s"} +test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'} : ${MAKE="make"} : ${MKDIR="mkdir"} : ${MV="mv -f"} : ${RM="rm -f"} -: ${SED="/bin/sed"} : ${SHELL="${CONFIG_SHELL-/bin/sh}"} : ${Xsed="$SED -e 1s/^X//"} @@ -144,6 +160,27 @@ IFS=" $lt_nl" dirname="s,/[^/]*$,," basename="s,^.*/,," +# func_dirname file append nondir_replacement +# Compute the dirname of FILE. If nonempty, add APPEND to the result, +# otherwise set result to NONDIR_REPLACEMENT. +func_dirname () +{ + func_dirname_result=`$ECHO "${1}" | $SED "$dirname"` + if test "X$func_dirname_result" = "X${1}"; then + func_dirname_result="${3}" + else + func_dirname_result="$func_dirname_result${2}" + fi +} # func_dirname may be replaced by extended shell implementation + + +# func_basename file +func_basename () +{ + func_basename_result=`$ECHO "${1}" | $SED "$basename"` +} # func_basename may be replaced by extended shell implementation + + # func_dirname_and_basename file append nondir_replacement # perform func_basename and func_dirname in a single function # call: 
@@ -158,33 +195,183 @@ basename="s,^.*/,," # those functions but instead duplicate the functionality here. func_dirname_and_basename () { - # Extract subdirectory from the argument. - func_dirname_result=`$ECHO "X${1}" | $Xsed -e "$dirname"` - if test "X$func_dirname_result" = "X${1}"; then - func_dirname_result="${3}" - else - func_dirname_result="$func_dirname_result${2}" - fi - func_basename_result=`$ECHO "X${1}" | $Xsed -e "$basename"` + # Extract subdirectory from the argument. + func_dirname_result=`$ECHO "${1}" | $SED -e "$dirname"` + if test "X$func_dirname_result" = "X${1}"; then + func_dirname_result="${3}" + else + func_dirname_result="$func_dirname_result${2}" + fi + func_basename_result=`$ECHO "${1}" | $SED -e "$basename"` +} # func_dirname_and_basename may be replaced by extended shell implementation + + +# func_stripname prefix suffix name +# strip PREFIX and SUFFIX off of NAME. +# PREFIX and SUFFIX must not contain globbing or regex special +# characters, hashes, percent signs, but SUFFIX may contain a leading +# dot (in which case that matches only a dot). +# func_strip_suffix prefix name +func_stripname () +{ + case ${2} in + .*) func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%\\\\${2}\$%%"`;; + *) func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%${2}\$%%"`;; + esac +} # func_stripname may be replaced by extended shell implementation + + +# These SED scripts presuppose an absolute path with a trailing slash. +pathcar='s,^/\([^/]*\).*$,\1,' +pathcdr='s,^/[^/]*,,' +removedotparts=':dotsl + s@/\./@/@g + t dotsl + s,/\.$,/,' +collapseslashes='s@/\{1,\}@/@g' +finalslash='s,/*$,/,' + +# func_normal_abspath PATH +# Remove doubled-up and trailing slashes, "." path components, +# and cancel out any ".." path components in PATH after making +# it an absolute path. +# value returned in "$func_normal_abspath_result" +func_normal_abspath () +{ + # Start from root dir and reassemble the path. 
+ func_normal_abspath_result= + func_normal_abspath_tpath=$1 + func_normal_abspath_altnamespace= + case $func_normal_abspath_tpath in + "") + # Empty path, that just means $cwd. + func_stripname '' '/' "`pwd`" + func_normal_abspath_result=$func_stripname_result + return + ;; + # The next three entries are used to spot a run of precisely + # two leading slashes without using negated character classes; + # we take advantage of case's first-match behaviour. + ///*) + # Unusual form of absolute path, do nothing. + ;; + //*) + # Not necessarily an ordinary path; POSIX reserves leading '//' + # and for example Cygwin uses it to access remote file shares + # over CIFS/SMB, so we conserve a leading double slash if found. + func_normal_abspath_altnamespace=/ + ;; + /*) + # Absolute path, do nothing. + ;; + *) + # Relative path, prepend $cwd. + func_normal_abspath_tpath=`pwd`/$func_normal_abspath_tpath + ;; + esac + # Cancel out all the simple stuff to save iterations. We also want + # the path to end with a slash for ease of parsing, so make sure + # there is one (and only one) here. + func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \ + -e "$removedotparts" -e "$collapseslashes" -e "$finalslash"` + while :; do + # Processed it all yet? + if test "$func_normal_abspath_tpath" = / ; then + # If we ascended to the root using ".." the result may be empty now. + if test -z "$func_normal_abspath_result" ; then + func_normal_abspath_result=/ + fi + break + fi + func_normal_abspath_tcomponent=`$ECHO "$func_normal_abspath_tpath" | $SED \ + -e "$pathcar"` + func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \ + -e "$pathcdr"` + # Figure out what to do with it + case $func_normal_abspath_tcomponent in + "") + # Trailing empty path component, ignore it. + ;; + ..) + # Parent dir; strip last assembled component from result. 
+ func_dirname "$func_normal_abspath_result" + func_normal_abspath_result=$func_dirname_result + ;; + *) + # Actual path component, append it. + func_normal_abspath_result=$func_normal_abspath_result/$func_normal_abspath_tcomponent + ;; + esac + done + # Restore leading double-slash if one was found on entry. + func_normal_abspath_result=$func_normal_abspath_altnamespace$func_normal_abspath_result } -# Generated shell functions inserted here. +# func_relative_path SRCDIR DSTDIR +# generates a relative path from SRCDIR to DSTDIR, with a trailing +# slash if non-empty, suitable for immediately appending a filename +# without needing to append a separator. +# value returned in "$func_relative_path_result" +func_relative_path () +{ + func_relative_path_result= + func_normal_abspath "$1" + func_relative_path_tlibdir=$func_normal_abspath_result + func_normal_abspath "$2" + func_relative_path_tbindir=$func_normal_abspath_result -# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh -# is ksh but when the shell is invoked as "sh" and the current value of -# the _XPG environment variable is not equal to 1 (one), the special -# positional parameter $0, within a function call, is the name of the -# function. -progpath="$0" + # Ascend the tree starting from libdir + while :; do + # check if we have found a prefix of bindir + case $func_relative_path_tbindir in + $func_relative_path_tlibdir) + # found an exact match + func_relative_path_tcancelled= + break + ;; + $func_relative_path_tlibdir*) + # found a matching prefix + func_stripname "$func_relative_path_tlibdir" '' "$func_relative_path_tbindir" + func_relative_path_tcancelled=$func_stripname_result + if test -z "$func_relative_path_result"; then + func_relative_path_result=. + fi + break + ;; + *) + func_dirname $func_relative_path_tlibdir + func_relative_path_tlibdir=${func_dirname_result} + if test "x$func_relative_path_tlibdir" = x ; then + # Have to descend all the way to the root! 
+ func_relative_path_result=../$func_relative_path_result + func_relative_path_tcancelled=$func_relative_path_tbindir + break + fi + func_relative_path_result=../$func_relative_path_result + ;; + esac + done + + # Now calculate path; take care to avoid doubling-up slashes. + func_stripname '' '/' "$func_relative_path_result" + func_relative_path_result=$func_stripname_result + func_stripname '/' '/' "$func_relative_path_tcancelled" + if test "x$func_stripname_result" != x ; then + func_relative_path_result=${func_relative_path_result}/${func_stripname_result} + fi + + # Normalisation. If bindir is libdir, return empty string, + # else relative path ending with a slash; either way, target + # file name can be directly appended. + if test ! -z "$func_relative_path_result"; then + func_stripname './' '' "$func_relative_path_result/" + func_relative_path_result=$func_stripname_result + fi +} # The name of this program: -# In the unlikely event $progname began with a '-', it would play havoc with -# func_echo (imagine progname=-n), so we prepend ./ in that case: func_dirname_and_basename "$progpath" progname=$func_basename_result -case $progname in - -*) progname=./$progname ;; -esac # Make sure we have an absolute path for reexecution: case $progpath in @@ -196,7 +383,7 @@ case $progpath in ;; *) save_IFS="$IFS" - IFS=: + IFS=${PATH_SEPARATOR-:} for progdir in $PATH; do IFS="$save_IFS" test -x "$progdir/$progname" && break 
@@ -215,6 +402,15 @@ sed_quote_subst='s/\([`"$\\]\)/\\\1/g' # Same as above, but do not quote variable references. double_quote_subst='s/\(["`\\]\)/\\\1/g' +# Sed substitution that turns a string into a regex matching for the +# string literally. +sed_make_literal_regex='s,[].[^$\\*\/],\\&,g' + +# Sed substitution that converts a w32 file name or path +# which contains forward slashes, into one that contains +# (escaped) backslashes. A very naive implementation. +lt_sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g' + # Re-`\' parameter expansions in output of double_quote_subst that were # `\'-ed in input to the same. If an odd number of `\' preceded a '$' # in input to double_quote_subst, that '$' was protected from expansion. @@ -243,7 +439,7 @@ opt_warning=: # name if it has been set yet. func_echo () { - $ECHO "$progname${mode+: }$mode: $*" + $ECHO "$progname: ${opt_mode+$opt_mode: }$*" } # func_verbose arg... @@ -258,18 +454,25 @@ func_verbose () : } +# func_echo_all arg... +# Invoke $ECHO with all args, space-separated. +func_echo_all () +{ + $ECHO "$*" +} + # func_error arg... # Echo program name prefixed message to standard error. func_error () { - $ECHO "$progname${mode+: }$mode: "${1+"$@"} 1>&2 + $ECHO "$progname: ${opt_mode+$opt_mode: }"${1+"$@"} 1>&2 } # func_warning arg... # Echo program name prefixed warning message to standard error. func_warning () { - $opt_warning && $ECHO "$progname${mode+: }$mode: warning: "${1+"$@"} 1>&2 + $opt_warning && $ECHO "$progname: ${opt_mode+$opt_mode: }warning: "${1+"$@"} 1>&2 # bash bug again: : 
@@ -326,9 +529,9 @@ func_mkdir_p () case $my_directory_path in */*) ;; *) break ;; esac # ...otherwise throw away the child directory and loop - my_directory_path=`$ECHO "X$my_directory_path" | $Xsed -e "$dirname"` + my_directory_path=`$ECHO "$my_directory_path" | $SED -e "$dirname"` done - my_dir_list=`$ECHO "X$my_dir_list" | $Xsed -e 's,:*$,,'` + my_dir_list=`$ECHO "$my_dir_list" | $SED 's,:*$,,'` save_mkdir_p_IFS="$IFS"; IFS=':' for my_dir in $my_dir_list; do @@ -378,7 +581,7 @@ func_mktempdir () func_fatal_error "cannot create temporary directory \`$my_tmpdir'" fi - $ECHO "X$my_tmpdir" | $Xsed + $ECHO "$my_tmpdir" } @@ -392,7 +595,7 @@ func_quote_for_eval () { case $1 in *[\\\`\"\$]*) - func_quote_for_eval_unquoted_result=`$ECHO "X$1" | $Xsed -e "$sed_quote_subst"` ;; + func_quote_for_eval_unquoted_result=`$ECHO "$1" | $SED "$sed_quote_subst"` ;; *) func_quote_for_eval_unquoted_result="$1" ;; esac @@ -419,7 +622,7 @@ func_quote_for_expand () { case $1 in *[\\\`\"]*) - my_arg=`$ECHO "X$1" | $Xsed \ + my_arg=`$ECHO "$1" | $SED \ -e "$double_quote_subst" -e "$sed_double_backslash"` ;; *) my_arg="$1" ;; @@ -488,15 +691,39 @@ func_show_eval_locale () fi } - - +# func_tr_sh +# Turn $1 into a string suitable for a shell variable name. +# Result is stored in $func_tr_sh_result. All characters +# not in the set a-zA-Z0-9_ are replaced with '_'. Further, +# if $1 begins with a digit, a '_' is prepended as well. +func_tr_sh () +{ + case $1 in + [0-9]* | *[!a-zA-Z0-9_]*) + func_tr_sh_result=`$ECHO "$1" | $SED 's/^\([0-9]\)/_\1/; s/[^a-zA-Z0-9_]/_/g'` + ;; + * ) + func_tr_sh_result=$1 + ;; + esac +} # func_version # Echo version message to standard output and exit. func_version () { - $SED -n '/^# '$PROGRAM' (GNU /,/# warranty; / { + $opt_debug + + $SED -n '/(C)/!b go + :more + /\./!{ + N + s/\n# / / + b more + } + :go + /^# '$PROGRAM' (GNU /,/# warranty; / { s/^# // s/^# *$// s/\((C)\)[ 0-9,-]*\( [1-9][0-9]*\)/\1\2/ 
@@ -509,22 +736,28 @@ func_version () # Echo short help message to standard output and exit. func_usage () { - $SED -n '/^# Usage:/,/# -h/ { + $opt_debug + + $SED -n '/^# Usage:/,/^# *.*--help/ { s/^# // s/^# *$// s/\$progname/'$progname'/ p }' < "$progpath" - $ECHO + echo $ECHO "run \`$progname --help | more' for full usage" exit $? } -# func_help -# Echo long help message to standard output and exit. +# func_help [NOEXIT] +# Echo long help message to standard output and exit, +# unless 'noexit' is passed as argument. func_help () { + $opt_debug + $SED -n '/^# Usage:/,/# Report bugs to/ { + :print s/^# // s/^# *$// s*\$progname*'$progname'* @@ -534,11 +767,18 @@ func_help () s*\$LTCFLAGS*'"$LTCFLAGS"'* s*\$LD*'"$LD"'* s/\$with_gnu_ld/'"$with_gnu_ld"'/ - s/\$automake_version/'"`(automake --version) 2>/dev/null |$SED 1q`"'/ - s/\$autoconf_version/'"`(autoconf --version) 2>/dev/null |$SED 1q`"'/ + s/\$automake_version/'"`(${AUTOMAKE-automake} --version) 2>/dev/null |$SED 1q`"'/ + s/\$autoconf_version/'"`(${AUTOCONF-autoconf} --version) 2>/dev/null |$SED 1q`"'/ p - }' < "$progpath" - exit $? + d + } + /^# .* home page:/b print + /^# General help using/b print + ' < "$progpath" + ret=$? + if test -z "$1"; then + exit $ret + fi } # func_missing_arg argname 
@@ -546,63 +786,106 @@ func_help () # exit_cmd. func_missing_arg () { - func_error "missing argument for $1" + $opt_debug + + func_error "missing argument for $1." exit_cmd=exit } + +# func_split_short_opt shortopt +# Set func_split_short_opt_name and func_split_short_opt_arg shell +# variables after splitting SHORTOPT after the 2nd character. +func_split_short_opt () +{ + my_sed_short_opt='1s/^\(..\).*$/\1/;q' + my_sed_short_rest='1s/^..\(.*\)$/\1/;q' + + func_split_short_opt_name=`$ECHO "$1" | $SED "$my_sed_short_opt"` + func_split_short_opt_arg=`$ECHO "$1" | $SED "$my_sed_short_rest"` +} # func_split_short_opt may be replaced by extended shell implementation + + +# func_split_long_opt longopt +# Set func_split_long_opt_name and func_split_long_opt_arg shell +# variables after splitting LONGOPT at the `=' sign. +func_split_long_opt () +{ + my_sed_long_opt='1s/^\(--[^=]*\)=.*/\1/;q' + my_sed_long_arg='1s/^--[^=]*=//' + + func_split_long_opt_name=`$ECHO "$1" | $SED "$my_sed_long_opt"` + func_split_long_opt_arg=`$ECHO "$1" | $SED "$my_sed_long_arg"` +} # func_split_long_opt may be replaced by extended shell implementation + exit_cmd=: -# Check that we have a working $ECHO. -if test "X$1" = X--no-reexec; then - # Discard the --no-reexec flag, and continue. - shift -elif test "X$1" = X--fallback-echo; then - # Avoid inline document here, it may be left over - : -elif test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t'; then - # Yippee, $ECHO works! - : -else - # Restart under the correct shell, and then maybe $ECHO will work. 
- exec $SHELL "$progpath" --no-reexec ${1+"$@"} -fi - -if test "X$1" = X--fallback-echo; then - # used as fallback echo - shift - cat </dev/null || echo $max_cmd_len` +} # func_len may be replaced by extended shell implementation + + +# func_lo2o object +func_lo2o () +{ + func_lo2o_result=`$ECHO "${1}" | $SED "$lo2o"` +} # func_lo2o may be replaced by extended shell implementation + + +# func_xform libobj-or-source +func_xform () +{ + func_xform_result=`$ECHO "${1}" | $SED 's/\.[^.]*$/.lo/'` +} # func_xform may be replaced by extended shell implementation + + # func_fatal_configuration arg... # Echo program name prefixed message to standard error, followed by # a configuration failure hint, and exit. @@ -636,16 +919,16 @@ func_config () # Display the features supported by this script. func_features () { - $ECHO "host: $host" + echo "host: $host" if test "$build_libtool_libs" = yes; then - $ECHO "enable shared libraries" + echo "enable shared libraries" else - $ECHO "disable shared libraries" + echo "disable shared libraries" fi if test "$build_old_libs" = yes; then - $ECHO "enable static libraries" + echo "enable static libraries" else - $ECHO "disable static libraries" + echo "disable static libraries" fi exit $? 
@@ -692,133 +975,6 @@ func_enable_tag () esac } -# Parse options once, thoroughly. This comes as soon as possible in -# the script to make things like `libtool --version' happen quickly. -{ - - # Shorthand for --mode=foo, only valid as the first argument - case $1 in - clean|clea|cle|cl) - shift; set dummy --mode clean ${1+"$@"}; shift - ;; - compile|compil|compi|comp|com|co|c) - shift; set dummy --mode compile ${1+"$@"}; shift - ;; - execute|execut|execu|exec|exe|ex|e) - shift; set dummy --mode execute ${1+"$@"}; shift - ;; - finish|finis|fini|fin|fi|f) - shift; set dummy --mode finish ${1+"$@"}; shift - ;; - install|instal|insta|inst|ins|in|i) - shift; set dummy --mode install ${1+"$@"}; shift - ;; - link|lin|li|l) - shift; set dummy --mode link ${1+"$@"}; shift - ;; - uninstall|uninstal|uninsta|uninst|unins|unin|uni|un|u) - shift; set dummy --mode uninstall ${1+"$@"}; shift - ;; - esac - - # Parse non-mode specific arguments: - while test "$#" -gt 0; do - opt="$1" - shift - - case $opt in - --config) func_config ;; - - --debug) preserve_args="$preserve_args $opt" - func_echo "enabling shell trace mode" - opt_debug='set -x' - $opt_debug - ;; - - -dlopen) test "$#" -eq 0 && func_missing_arg "$opt" && break - execute_dlfiles="$execute_dlfiles $1" - shift - ;; - - --dry-run | -n) opt_dry_run=: ;; - --features) func_features ;; - --finish) mode="finish" ;; - - --mode) test "$#" -eq 0 && func_missing_arg "$opt" && break - case $1 in - # Valid mode arguments: - clean) ;; - compile) ;; - execute) ;; - finish) ;; - install) ;; - link) ;; - relink) ;; - uninstall) ;; - - # Catch anything else as an error - *) func_error "invalid argument for $opt" - exit_cmd=exit - break - ;; - esac - - mode="$1" - shift - ;; - - --preserve-dup-deps) - opt_duplicate_deps=: ;; - - --quiet|--silent) preserve_args="$preserve_args $opt" - opt_silent=: - ;; - - --verbose| -v) preserve_args="$preserve_args $opt" - opt_silent=false - ;; - - --tag) test "$#" -eq 0 && func_missing_arg "$opt" && 
break - preserve_args="$preserve_args $opt $1" - func_enable_tag "$1" # tagname is set here - shift - ;; - - # Separate optargs to long options: - -dlopen=*|--mode=*|--tag=*) - func_opt_split "$opt" - set dummy "$func_opt_split_opt" "$func_opt_split_arg" ${1+"$@"} - shift - ;; - - -\?|-h) func_usage ;; - --help) opt_help=: ;; - --version) func_version ;; - - -*) func_fatal_help "unrecognized option \`$opt'" ;; - - *) nonopt="$opt" - break - ;; - esac - done - - - case $host in - *cygwin* | *mingw* | *pw32* | *cegcc*) - # don't eliminate duplications in $postdeps and $predeps - opt_duplicate_compiler_generated_deps=: - ;; - *) - opt_duplicate_compiler_generated_deps=$opt_duplicate_deps - ;; - esac - - # Having warned about all mis-specified options, bail out if - # anything was wrong. - $exit_cmd $EXIT_FAILURE -} - # func_check_version_match # Ensure that we are using m4 macros, and libtool script from the same # release of libtool. 
@@ -855,38 +1011,219 @@ _LT_EOF } +# Shorthand for --mode=foo, only valid as the first argument +case $1 in +clean|clea|cle|cl) + shift; set dummy --mode clean ${1+"$@"}; shift + ;; +compile|compil|compi|comp|com|co|c) + shift; set dummy --mode compile ${1+"$@"}; shift + ;; +execute|execut|execu|exec|exe|ex|e) + shift; set dummy --mode execute ${1+"$@"}; shift + ;; +finish|finis|fini|fin|fi|f) + shift; set dummy --mode finish ${1+"$@"}; shift + ;; +install|instal|insta|inst|ins|in|i) + shift; set dummy --mode install ${1+"$@"}; shift + ;; +link|lin|li|l) + shift; set dummy --mode link ${1+"$@"}; shift + ;; +uninstall|uninstal|uninsta|uninst|unins|unin|uni|un|u) + shift; set dummy --mode uninstall ${1+"$@"}; shift + ;; +esac + + + +# Option defaults: +opt_debug=: +opt_dry_run=false +opt_config=false +opt_preserve_dup_deps=false +opt_features=false +opt_finish=false +opt_help=false +opt_help_all=false +opt_silent=: +opt_warning=: +opt_verbose=: +opt_silent=false +opt_verbose=false + + +# Parse options once, thoroughly. This comes as soon as possible in the +# script to make things like `--version' happen as quickly as we can. 
+{ + # this just eases exit handling + while test $# -gt 0; do + opt="$1" + shift + case $opt in + --debug|-x) opt_debug='set -x' + func_echo "enabling shell trace mode" + $opt_debug + ;; + --dry-run|--dryrun|-n) + opt_dry_run=: + ;; + --config) + opt_config=: +func_config + ;; + --dlopen|-dlopen) + optarg="$1" + opt_dlopen="${opt_dlopen+$opt_dlopen +}$optarg" + shift + ;; + --preserve-dup-deps) + opt_preserve_dup_deps=: + ;; + --features) + opt_features=: +func_features + ;; + --finish) + opt_finish=: +set dummy --mode finish ${1+"$@"}; shift + ;; + --help) + opt_help=: + ;; + --help-all) + opt_help_all=: +opt_help=': help-all' + ;; + --mode) + test $# = 0 && func_missing_arg $opt && break + optarg="$1" + opt_mode="$optarg" +case $optarg in + # Valid mode arguments: + clean|compile|execute|finish|install|link|relink|uninstall) ;; + + # Catch anything else as an error + *) func_error "invalid argument for $opt" + exit_cmd=exit + break + ;; +esac + shift + ;; + --no-silent|--no-quiet) + opt_silent=false +func_append preserve_args " $opt" + ;; + --no-warning|--no-warn) + opt_warning=false +func_append preserve_args " $opt" + ;; + --no-verbose) + opt_verbose=false +func_append preserve_args " $opt" + ;; + --silent|--quiet) + opt_silent=: +func_append preserve_args " $opt" + opt_verbose=false + ;; + --verbose|-v) + opt_verbose=: +func_append preserve_args " $opt" +opt_silent=false + ;; + --tag) + test $# = 0 && func_missing_arg $opt && break + optarg="$1" + opt_tag="$optarg" +func_append preserve_args " $opt $optarg" +func_enable_tag "$optarg" + shift + ;; + + -\?|-h) func_usage ;; + --help) func_help ;; + --version) func_version ;; + + # Separate optargs to long options: + --*=*) + func_split_long_opt "$opt" + set dummy "$func_split_long_opt_name" "$func_split_long_opt_arg" ${1+"$@"} + shift + ;; + + # Separate non-argument short options: + -\?*|-h*|-n*|-v*) + func_split_short_opt "$opt" + set dummy "$func_split_short_opt_name" "-$func_split_short_opt_arg" ${1+"$@"} + 
shift + ;; + + --) break ;; + -*) func_fatal_help "unrecognized option \`$opt'" ;; + *) set dummy "$opt" ${1+"$@"}; shift; break ;; + esac + done + + # Validate options: + + # save first non-option argument + if test "$#" -gt 0; then + nonopt="$opt" + shift + fi + + # preserve --debug + test "$opt_debug" = : || func_append preserve_args " --debug" + + case $host in + *cygwin* | *mingw* | *pw32* | *cegcc*) + # don't eliminate duplications in $postdeps and $predeps + opt_duplicate_compiler_generated_deps=: + ;; + *) + opt_duplicate_compiler_generated_deps=$opt_preserve_dup_deps + ;; + esac + + $opt_help || { + # Sanity checks first: + func_check_version_match + + if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then + func_fatal_configuration "not configured to build any kind of library" + fi + + # Darwin sucks + eval std_shrext=\"$shrext_cmds\" + + # Only execute mode is allowed to have -dlopen flags. + if test -n "$opt_dlopen" && test "$opt_mode" != execute; then + func_error "unrecognized option \`-dlopen'" + $ECHO "$help" 1>&2 + exit $EXIT_FAILURE + fi + + # Change the help message to a mode-specific one. + generic_help="$help" + help="Try \`$progname --help --mode=$opt_mode' for more information." + } + + + # Bail if the options were screwed + $exit_cmd $EXIT_FAILURE +} + + + + ## ----------- ## ## Main. ## ## ----------- ## -$opt_help || { - # Sanity checks first: - func_check_version_match - - if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then - func_fatal_configuration "not configured to build any kind of library" - fi - - test -z "$mode" && func_fatal_error "error: you must specify a MODE." - - - # Darwin sucks - eval std_shrext=\"$shrext_cmds\" - - - # Only execute mode is allowed to have -dlopen flags. - if test -n "$execute_dlfiles" && test "$mode" != execute; then - func_error "unrecognized option \`-dlopen'" - $ECHO "$help" 1>&2 - exit $EXIT_FAILURE - fi - - # Change the help message to a mode-specific one. 
- generic_help="$help" - help="Try \`$progname --help --mode=$mode' for more information." -} - - # func_lalib_p file # True iff FILE is a libtool `.la' library or `.lo' object file. # This function is only a basic sanity check; it will hardly flush out @@ -950,12 +1287,9 @@ func_ltwrapper_executable_p () # temporary ltwrapper_script. func_ltwrapper_scriptname () { - func_ltwrapper_scriptname_result="" - if func_ltwrapper_executable_p "$1"; then - func_dirname_and_basename "$1" "" "." - func_stripname '' '.exe' "$func_basename_result" - func_ltwrapper_scriptname_result="$func_dirname_result/$objdir/${func_stripname_result}_ltshwrapper" - fi + func_dirname_and_basename "$1" "" "." + func_stripname '' '.exe' "$func_basename_result" + func_ltwrapper_scriptname_result="$func_dirname_result/$objdir/${func_stripname_result}_ltshwrapper" } # func_ltwrapper_p file @@ -1001,6 +1335,37 @@ func_source () } +# func_resolve_sysroot PATH +# Replace a leading = in PATH with a sysroot. Store the result into +# func_resolve_sysroot_result +func_resolve_sysroot () +{ + func_resolve_sysroot_result=$1 + case $func_resolve_sysroot_result in + =*) + func_stripname '=' '' "$func_resolve_sysroot_result" + func_resolve_sysroot_result=$lt_sysroot$func_stripname_result + ;; + esac +} + +# func_replace_sysroot PATH +# If PATH begins with the sysroot, replace it with = and +# store the result into func_replace_sysroot_result. +func_replace_sysroot () +{ + case "$lt_sysroot:$1" in + ?*:"$lt_sysroot"*) + func_stripname "$lt_sysroot" '' "$1" + func_replace_sysroot_result="=$func_stripname_result" + ;; + *) + # Including no sysroot. + func_replace_sysroot_result=$1 + ;; + esac +} + # func_infer_tag arg # Infer tagged configuration to use if any are available and # if one wasn't chosen via the "--tag" command line option. 
@@ -1013,13 +1378,15 @@ func_infer_tag () if test -n "$available_tags" && test -z "$tagname"; then CC_quoted= for arg in $CC; do - func_quote_for_eval "$arg" - CC_quoted="$CC_quoted $func_quote_for_eval_result" + func_append_quoted CC_quoted "$arg" done + CC_expanded=`func_echo_all $CC` + CC_quoted_expanded=`func_echo_all $CC_quoted` case $@ in # Blanks in the command may have been stripped by the calling shell, # but not from the CC environment variable when configure was run. - " $CC "* | "$CC "* | " `$ECHO $CC` "* | "`$ECHO $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$ECHO $CC_quoted` "* | "`$ECHO $CC_quoted` "*) ;; + " $CC "* | "$CC "* | " $CC_expanded "* | "$CC_expanded "* | \ + " $CC_quoted"* | "$CC_quoted "* | " $CC_quoted_expanded "* | "$CC_quoted_expanded "*) ;; # Blanks at the start of $base_compile will cause this to fail # if we don't check for them as well. *) @@ -1030,11 +1397,13 @@ func_infer_tag () CC_quoted= for arg in $CC; do # Double-quote args containing other shell metacharacters. - func_quote_for_eval "$arg" - CC_quoted="$CC_quoted $func_quote_for_eval_result" + func_append_quoted CC_quoted "$arg" done + CC_expanded=`func_echo_all $CC` + CC_quoted_expanded=`func_echo_all $CC_quoted` case "$@ " in - " $CC "* | "$CC "* | " `$ECHO $CC` "* | "`$ECHO $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$ECHO $CC_quoted` "* | "`$ECHO $CC_quoted` "*) + " $CC "* | "$CC "* | " $CC_expanded "* | "$CC_expanded "* | \ + " $CC_quoted"* | "$CC_quoted "* | " $CC_quoted_expanded "* | "$CC_quoted_expanded "*) # The compiler in the base compile command matches # the one in the tagged configuration. # Assume this is the tagged configuration we want. 
@@ -1097,6 +1466,486 @@ EOF } } + +################################################## +# FILE NAME AND PATH CONVERSION HELPER FUNCTIONS # +################################################## + +# func_convert_core_file_wine_to_w32 ARG +# Helper function used by file name conversion functions when $build is *nix, +# and $host is mingw, cygwin, or some other w32 environment. Relies on a +# correctly configured wine environment available, with the winepath program +# in $build's $PATH. +# +# ARG is the $build file name to be converted to w32 format. +# Result is available in $func_convert_core_file_wine_to_w32_result, and will +# be empty on error (or when ARG is empty) +func_convert_core_file_wine_to_w32 () +{ + $opt_debug + func_convert_core_file_wine_to_w32_result="$1" + if test -n "$1"; then + # Unfortunately, winepath does not exit with a non-zero error code, so we + # are forced to check the contents of stdout. On the other hand, if the + # command is not found, the shell will set an exit code of 127 and print + # *an error message* to stdout. So we must check for both error code of + # zero AND non-empty stdout, which explains the odd construction: + func_convert_core_file_wine_to_w32_tmp=`winepath -w "$1" 2>/dev/null` + if test "$?" -eq 0 && test -n "${func_convert_core_file_wine_to_w32_tmp}"; then + func_convert_core_file_wine_to_w32_result=`$ECHO "$func_convert_core_file_wine_to_w32_tmp" | + $SED -e "$lt_sed_naive_backslashify"` + else + func_convert_core_file_wine_to_w32_result= + fi + fi +} +# end: func_convert_core_file_wine_to_w32 + + +# func_convert_core_path_wine_to_w32 ARG +# Helper function used by path conversion functions when $build is *nix, and +# $host is mingw, cygwin, or some other w32 environment. Relies on a correctly +# configured wine environment available, with the winepath program in $build's +# $PATH. Assumes ARG has no leading or trailing path separator characters. +# +# ARG is path to be converted from $build format to win32. 
+# Result is available in $func_convert_core_path_wine_to_w32_result. +# Unconvertible file (directory) names in ARG are skipped; if no directory names +# are convertible, then the result may be empty. +func_convert_core_path_wine_to_w32 () +{ + $opt_debug + # unfortunately, winepath doesn't convert paths, only file names + func_convert_core_path_wine_to_w32_result="" + if test -n "$1"; then + oldIFS=$IFS + IFS=: + for func_convert_core_path_wine_to_w32_f in $1; do + IFS=$oldIFS + func_convert_core_file_wine_to_w32 "$func_convert_core_path_wine_to_w32_f" + if test -n "$func_convert_core_file_wine_to_w32_result" ; then + if test -z "$func_convert_core_path_wine_to_w32_result"; then + func_convert_core_path_wine_to_w32_result="$func_convert_core_file_wine_to_w32_result" + else + func_append func_convert_core_path_wine_to_w32_result ";$func_convert_core_file_wine_to_w32_result" + fi + fi + done + IFS=$oldIFS + fi +} +# end: func_convert_core_path_wine_to_w32 + + +# func_cygpath ARGS... +# Wrapper around calling the cygpath program via LT_CYGPATH. This is used when +# when (1) $build is *nix and Cygwin is hosted via a wine environment; or (2) +# $build is MSYS and $host is Cygwin, or (3) $build is Cygwin. In case (1) or +# (2), returns the Cygwin file name or path in func_cygpath_result (input +# file name or path is assumed to be in w32 format, as previously converted +# from $build's *nix or MSYS format). In case (3), returns the w32 file name +# or path in func_cygpath_result (input file name or path is assumed to be in +# Cygwin format). Returns an empty string on error. +# +# ARGS are passed to cygpath, with the last one being the file name or path to +# be converted. +# +# Specify the absolute *nix (or w32) name to cygpath in the LT_CYGPATH +# environment variable; do not put it in $PATH. +func_cygpath () +{ + $opt_debug + if test -n "$LT_CYGPATH" && test -f "$LT_CYGPATH"; then + func_cygpath_result=`$LT_CYGPATH "$@" 2>/dev/null` + if test "$?" 
-ne 0; then + # on failure, ensure result is empty + func_cygpath_result= + fi + else + func_cygpath_result= + func_error "LT_CYGPATH is empty or specifies non-existent file: \`$LT_CYGPATH'" + fi +} +#end: func_cygpath + + +# func_convert_core_msys_to_w32 ARG +# Convert file name or path ARG from MSYS format to w32 format. Return +# result in func_convert_core_msys_to_w32_result. +func_convert_core_msys_to_w32 () +{ + $opt_debug + # awkward: cmd appends spaces to result + func_convert_core_msys_to_w32_result=`( cmd //c echo "$1" ) 2>/dev/null | + $SED -e 's/[ ]*$//' -e "$lt_sed_naive_backslashify"` +} +#end: func_convert_core_msys_to_w32 + + +# func_convert_file_check ARG1 ARG2 +# Verify that ARG1 (a file name in $build format) was converted to $host +# format in ARG2. Otherwise, emit an error message, but continue (resetting +# func_to_host_file_result to ARG1). +func_convert_file_check () +{ + $opt_debug + if test -z "$2" && test -n "$1" ; then + func_error "Could not determine host file name corresponding to" + func_error " \`$1'" + func_error "Continuing, but uninstalled executables may not work." + # Fallback: + func_to_host_file_result="$1" + fi +} +# end func_convert_file_check + + +# func_convert_path_check FROM_PATHSEP TO_PATHSEP FROM_PATH TO_PATH +# Verify that FROM_PATH (a path in $build format) was converted to $host +# format in TO_PATH. Otherwise, emit an error message, but continue, resetting +# func_to_host_file_result to a simplistic fallback value (see below). +func_convert_path_check () +{ + $opt_debug + if test -z "$4" && test -n "$3"; then + func_error "Could not determine the host path corresponding to" + func_error " \`$3'" + func_error "Continuing, but uninstalled executables may not work." + # Fallback. This is a deliberately simplistic "conversion" and + # should not be "improved". See libtool.info. 
+ if test "x$1" != "x$2"; then + lt_replace_pathsep_chars="s|$1|$2|g" + func_to_host_path_result=`echo "$3" | + $SED -e "$lt_replace_pathsep_chars"` + else + func_to_host_path_result="$3" + fi + fi +} +# end func_convert_path_check + + +# func_convert_path_front_back_pathsep FRONTPAT BACKPAT REPL ORIG +# Modifies func_to_host_path_result by prepending REPL if ORIG matches FRONTPAT +# and appending REPL if ORIG matches BACKPAT. +func_convert_path_front_back_pathsep () +{ + $opt_debug + case $4 in + $1 ) func_to_host_path_result="$3$func_to_host_path_result" + ;; + esac + case $4 in + $2 ) func_append func_to_host_path_result "$3" + ;; + esac +} +# end func_convert_path_front_back_pathsep + + +################################################## +# $build to $host FILE NAME CONVERSION FUNCTIONS # +################################################## +# invoked via `$to_host_file_cmd ARG' +# +# In each case, ARG is the path to be converted from $build to $host format. +# Result will be available in $func_to_host_file_result. + + +# func_to_host_file ARG +# Converts the file name ARG from $build format to $host format. Return result +# in func_to_host_file_result. +func_to_host_file () +{ + $opt_debug + $to_host_file_cmd "$1" +} +# end func_to_host_file + + +# func_to_tool_file ARG LAZY +# converts the file name ARG from $build format to toolchain format. Return +# result in func_to_tool_file_result. If the conversion in use is listed +# in (the comma separated) LAZY, no conversion takes place. +func_to_tool_file () +{ + $opt_debug + case ,$2, in + *,"$to_tool_file_cmd",*) + func_to_tool_file_result=$1 + ;; + *) + $to_tool_file_cmd "$1" + func_to_tool_file_result=$func_to_host_file_result + ;; + esac +} +# end func_to_tool_file + + +# func_convert_file_noop ARG +# Copy ARG to func_to_host_file_result. 
+func_convert_file_noop () +{ + func_to_host_file_result="$1" +} +# end func_convert_file_noop + + +# func_convert_file_msys_to_w32 ARG +# Convert file name ARG from (mingw) MSYS to (mingw) w32 format; automatic +# conversion to w32 is not available inside the cwrapper. Returns result in +# func_to_host_file_result. +func_convert_file_msys_to_w32 () +{ + $opt_debug + func_to_host_file_result="$1" + if test -n "$1"; then + func_convert_core_msys_to_w32 "$1" + func_to_host_file_result="$func_convert_core_msys_to_w32_result" + fi + func_convert_file_check "$1" "$func_to_host_file_result" +} +# end func_convert_file_msys_to_w32 + + +# func_convert_file_cygwin_to_w32 ARG +# Convert file name ARG from Cygwin to w32 format. Returns result in +# func_to_host_file_result. +func_convert_file_cygwin_to_w32 () +{ + $opt_debug + func_to_host_file_result="$1" + if test -n "$1"; then + # because $build is cygwin, we call "the" cygpath in $PATH; no need to use + # LT_CYGPATH in this case. + func_to_host_file_result=`cygpath -m "$1"` + fi + func_convert_file_check "$1" "$func_to_host_file_result" +} +# end func_convert_file_cygwin_to_w32 + + +# func_convert_file_nix_to_w32 ARG +# Convert file name ARG from *nix to w32 format. Requires a wine environment +# and a working winepath. Returns result in func_to_host_file_result. +func_convert_file_nix_to_w32 () +{ + $opt_debug + func_to_host_file_result="$1" + if test -n "$1"; then + func_convert_core_file_wine_to_w32 "$1" + func_to_host_file_result="$func_convert_core_file_wine_to_w32_result" + fi + func_convert_file_check "$1" "$func_to_host_file_result" +} +# end func_convert_file_nix_to_w32 + + +# func_convert_file_msys_to_cygwin ARG +# Convert file name ARG from MSYS to Cygwin format. Requires LT_CYGPATH set. +# Returns result in func_to_host_file_result. 
+func_convert_file_msys_to_cygwin () +{ + $opt_debug + func_to_host_file_result="$1" + if test -n "$1"; then + func_convert_core_msys_to_w32 "$1" + func_cygpath -u "$func_convert_core_msys_to_w32_result" + func_to_host_file_result="$func_cygpath_result" + fi + func_convert_file_check "$1" "$func_to_host_file_result" +} +# end func_convert_file_msys_to_cygwin + + +# func_convert_file_nix_to_cygwin ARG +# Convert file name ARG from *nix to Cygwin format. Requires Cygwin installed +# in a wine environment, working winepath, and LT_CYGPATH set. Returns result +# in func_to_host_file_result. +func_convert_file_nix_to_cygwin () +{ + $opt_debug + func_to_host_file_result="$1" + if test -n "$1"; then + # convert from *nix to w32, then use cygpath to convert from w32 to cygwin. + func_convert_core_file_wine_to_w32 "$1" + func_cygpath -u "$func_convert_core_file_wine_to_w32_result" + func_to_host_file_result="$func_cygpath_result" + fi + func_convert_file_check "$1" "$func_to_host_file_result" +} +# end func_convert_file_nix_to_cygwin + + +############################################# +# $build to $host PATH CONVERSION FUNCTIONS # +############################################# +# invoked via `$to_host_path_cmd ARG' +# +# In each case, ARG is the path to be converted from $build to $host format. +# The result will be available in $func_to_host_path_result. +# +# Path separators are also converted from $build format to $host format. If +# ARG begins or ends with a path separator character, it is preserved (but +# converted to $host format) on output. +# +# All path conversion functions are named using the following convention: +# file name conversion function : func_convert_file_X_to_Y () +# path conversion function : func_convert_path_X_to_Y () +# where, for any given $build/$host combination the 'X_to_Y' value is the +# same. 
If conversion functions are added for new $build/$host combinations, +# the two new functions must follow this pattern, or func_init_to_host_path_cmd +# will break. + + +# func_init_to_host_path_cmd +# Ensures that function "pointer" variable $to_host_path_cmd is set to the +# appropriate value, based on the value of $to_host_file_cmd. +to_host_path_cmd= +func_init_to_host_path_cmd () +{ + $opt_debug + if test -z "$to_host_path_cmd"; then + func_stripname 'func_convert_file_' '' "$to_host_file_cmd" + to_host_path_cmd="func_convert_path_${func_stripname_result}" + fi +} + + +# func_to_host_path ARG +# Converts the path ARG from $build format to $host format. Return result +# in func_to_host_path_result. +func_to_host_path () +{ + $opt_debug + func_init_to_host_path_cmd + $to_host_path_cmd "$1" +} +# end func_to_host_path + + +# func_convert_path_noop ARG +# Copy ARG to func_to_host_path_result. +func_convert_path_noop () +{ + func_to_host_path_result="$1" +} +# end func_convert_path_noop + + +# func_convert_path_msys_to_w32 ARG +# Convert path ARG from (mingw) MSYS to (mingw) w32 format; automatic +# conversion to w32 is not available inside the cwrapper. Returns result in +# func_to_host_path_result. +func_convert_path_msys_to_w32 () +{ + $opt_debug + func_to_host_path_result="$1" + if test -n "$1"; then + # Remove leading and trailing path separator characters from ARG. MSYS + # behavior is inconsistent here; cygpath turns them into '.;' and ';.'; + # and winepath ignores them completely. + func_stripname : : "$1" + func_to_host_path_tmp1=$func_stripname_result + func_convert_core_msys_to_w32 "$func_to_host_path_tmp1" + func_to_host_path_result="$func_convert_core_msys_to_w32_result" + func_convert_path_check : ";" \ + "$func_to_host_path_tmp1" "$func_to_host_path_result" + func_convert_path_front_back_pathsep ":*" "*:" ";" "$1" + fi +} +# end func_convert_path_msys_to_w32 + + +# func_convert_path_cygwin_to_w32 ARG +# Convert path ARG from Cygwin to w32 format. 
Returns result in +# func_to_host_file_result. +func_convert_path_cygwin_to_w32 () +{ + $opt_debug + func_to_host_path_result="$1" + if test -n "$1"; then + # See func_convert_path_msys_to_w32: + func_stripname : : "$1" + func_to_host_path_tmp1=$func_stripname_result + func_to_host_path_result=`cygpath -m -p "$func_to_host_path_tmp1"` + func_convert_path_check : ";" \ + "$func_to_host_path_tmp1" "$func_to_host_path_result" + func_convert_path_front_back_pathsep ":*" "*:" ";" "$1" + fi +} +# end func_convert_path_cygwin_to_w32 + + +# func_convert_path_nix_to_w32 ARG +# Convert path ARG from *nix to w32 format. Requires a wine environment and +# a working winepath. Returns result in func_to_host_file_result. +func_convert_path_nix_to_w32 () +{ + $opt_debug + func_to_host_path_result="$1" + if test -n "$1"; then + # See func_convert_path_msys_to_w32: + func_stripname : : "$1" + func_to_host_path_tmp1=$func_stripname_result + func_convert_core_path_wine_to_w32 "$func_to_host_path_tmp1" + func_to_host_path_result="$func_convert_core_path_wine_to_w32_result" + func_convert_path_check : ";" \ + "$func_to_host_path_tmp1" "$func_to_host_path_result" + func_convert_path_front_back_pathsep ":*" "*:" ";" "$1" + fi +} +# end func_convert_path_nix_to_w32 + + +# func_convert_path_msys_to_cygwin ARG +# Convert path ARG from MSYS to Cygwin format. Requires LT_CYGPATH set. +# Returns result in func_to_host_file_result. 
+func_convert_path_msys_to_cygwin () +{ + $opt_debug + func_to_host_path_result="$1" + if test -n "$1"; then + # See func_convert_path_msys_to_w32: + func_stripname : : "$1" + func_to_host_path_tmp1=$func_stripname_result + func_convert_core_msys_to_w32 "$func_to_host_path_tmp1" + func_cygpath -u -p "$func_convert_core_msys_to_w32_result" + func_to_host_path_result="$func_cygpath_result" + func_convert_path_check : : \ + "$func_to_host_path_tmp1" "$func_to_host_path_result" + func_convert_path_front_back_pathsep ":*" "*:" : "$1" + fi +} +# end func_convert_path_msys_to_cygwin + + +# func_convert_path_nix_to_cygwin ARG +# Convert path ARG from *nix to Cygwin format. Requires Cygwin installed in a +# a wine environment, working winepath, and LT_CYGPATH set. Returns result in +# func_to_host_file_result. +func_convert_path_nix_to_cygwin () +{ + $opt_debug + func_to_host_path_result="$1" + if test -n "$1"; then + # Remove leading and trailing path separator characters from + # ARG. msys behavior is inconsistent here, cygpath turns them + # into '.;' and ';.', and winepath ignores them completely. + func_stripname : : "$1" + func_to_host_path_tmp1=$func_stripname_result + func_convert_core_path_wine_to_w32 "$func_to_host_path_tmp1" + func_cygpath -u -p "$func_convert_core_path_wine_to_w32_result" + func_to_host_path_result="$func_cygpath_result" + func_convert_path_check : : \ + "$func_to_host_path_tmp1" "$func_to_host_path_result" + func_convert_path_front_back_pathsep ":*" "*:" : "$1" + fi +} +# end func_convert_path_nix_to_cygwin + + # func_mode_compile arg... func_mode_compile () { @@ -1137,12 +1986,12 @@ func_mode_compile () ;; -pie | -fpie | -fPIE) - pie_flag="$pie_flag $arg" + func_append pie_flag " $arg" continue ;; -shared | -static | -prefer-pic | -prefer-non-pic) - later="$later $arg" + func_append later " $arg" continue ;; 
@@ -1163,15 +2012,14 @@ func_mode_compile () save_ifs="$IFS"; IFS=',' for arg in $args; do IFS="$save_ifs" - func_quote_for_eval "$arg" - lastarg="$lastarg $func_quote_for_eval_result" + func_append_quoted lastarg "$arg" done IFS="$save_ifs" func_stripname ' ' '' "$lastarg" lastarg=$func_stripname_result # Add the arguments to base_compile. - base_compile="$base_compile $lastarg" + func_append base_compile " $lastarg" continue ;; @@ -1187,8 +2035,7 @@ func_mode_compile () esac # case $arg_mode # Aesthetically quote the previous argument. - func_quote_for_eval "$lastarg" - base_compile="$base_compile $func_quote_for_eval_result" + func_append_quoted base_compile "$lastarg" done # for arg case $arg_mode in @@ -1213,7 +2060,7 @@ func_mode_compile () *.[cCFSifmso] | \ *.ada | *.adb | *.ads | *.asm | \ *.c++ | *.cc | *.ii | *.class | *.cpp | *.cxx | \ - *.[fF][09]? | *.for | *.java | *.obj | *.sx) + *.[fF][09]? | *.for | *.java | *.go | *.obj | *.sx | *.cu | *.cup) func_xform "$libobj" libobj=$func_xform_result ;; @@ -1288,7 +2135,7 @@ func_mode_compile () # Calculate the filename of the output object if compiler does # not support -o with -c if test "$compiler_c_o" = no; then - output_obj=`$ECHO "X$srcfile" | $Xsed -e 's%^.*/%%' -e 's%\.[^.]*$%%'`.${objext} + output_obj=`$ECHO "$srcfile" | $SED 's%^.*/%%; s%\.[^.]*$%%'`.${objext} lockfile="$output_obj.lock" else output_obj= 
@@ -1319,17 +2166,16 @@ compiler." $opt_dry_run || $RM $removelist exit $EXIT_FAILURE fi - removelist="$removelist $output_obj" + func_append removelist " $output_obj" $ECHO "$srcfile" > "$lockfile" fi $opt_dry_run || $RM $removelist - removelist="$removelist $lockfile" + func_append removelist " $lockfile" trap '$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE' 1 2 15 - if test -n "$fix_srcfile_path"; then - eval srcfile=\"$fix_srcfile_path\" - fi + func_to_tool_file "$srcfile" func_convert_file_msys_to_w32 + srcfile=$func_to_tool_file_result func_quote_for_eval "$srcfile" qsrcfile=$func_quote_for_eval_result @@ -1349,7 +2195,7 @@ compiler." if test -z "$output_obj"; then # Place PIC objects in $objdir - command="$command -o $lobj" + func_append command " -o $lobj" fi func_show_eval_locale "$command" \ @@ -1396,11 +2242,11 @@ compiler." command="$base_compile $qsrcfile $pic_flag" fi if test "$compiler_c_o" = yes; then - command="$command -o $obj" + func_append command " -o $obj" fi # Suppress compiler output if we already did a PIC compilation. - command="$command$suppress_output" + func_append command "$suppress_output" func_show_eval_locale "$command" \ '$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE' @@ -1445,13 +2291,13 @@ compiler." } $opt_help || { -test "$mode" = compile && func_mode_compile ${1+"$@"} + test "$opt_mode" = compile && func_mode_compile ${1+"$@"} } func_mode_help () { # We need to display help for each of the modes. - case $mode in + case $opt_mode in "") # Generic help is extracted from the usage comments # at the start of this file. 
@@ -1482,10 +2328,11 @@ This mode accepts the following additional options: -o OUTPUT-FILE set the output file name to OUTPUT-FILE -no-suppress do not suppress compiler output for multiple passes - -prefer-pic try to building PIC objects only - -prefer-non-pic try to building non-PIC objects only + -prefer-pic try to build PIC objects only + -prefer-non-pic try to build non-PIC objects only -shared do not build a \`.o' file suitable for static linking -static only build a \`.o' file suitable for static linking + -Wc,FLAG pass FLAG directly to the compiler COMPILE-COMMAND is a command to be used in creating a \`standard' object file from the given SOURCEFILE. @@ -1538,7 +2385,7 @@ either the \`install' or \`cp' program. The following components of INSTALL-COMMAND are treated specially: - -inst-prefix PREFIX-DIR Use PREFIX-DIR as a staging area for installation + -inst-prefix-dir PREFIX-DIR Use PREFIX-DIR as a staging area for installation The rest of the components are interpreted as arguments to that command (only BSD-compatible install options are recognized)." @@ -1558,6 +2405,8 @@ The following components of LINK-COMMAND are treated specially: -all-static do not do any dynamic linking at all -avoid-version do not add a version suffix if possible + -bindir BINDIR specify path to binaries directory (for systems where + libraries must be found in the PATH setting at runtime) -dlopen FILE \`-dlpreopen' FILE if it cannot be dlopened at runtime -dlpreopen FILE link in FILE and add its symbols to lt_preloaded_symbols -export-dynamic allow symbols from OUTPUT-FILE to be resolved with dlsym(3) 
@@ -1586,6 +2435,11 @@ The following components of LINK-COMMAND are treated specially: -version-info CURRENT[:REVISION[:AGE]] specify library version info [each variable defaults to 0] -weak LIBNAME declare that the target provides the LIBNAME interface + -Wc,FLAG + -Xcompiler FLAG pass linker-specific FLAG directly to the compiler + -Wl,FLAG + -Xlinker FLAG pass linker-specific FLAG directly to the linker + -XCClinker FLAG pass link-specific FLAG to the compiler driver (CC) All other options (arguments beginning with \`-') are ignored. @@ -1619,18 +2473,44 @@ Otherwise, only FILE itself is deleted using RM." ;; *) - func_fatal_help "invalid operation mode \`$mode'" + func_fatal_help "invalid operation mode \`$opt_mode'" ;; esac - $ECHO + echo $ECHO "Try \`$progname --help' for more information about other modes." - - exit $? } - # Now that we've collected a possible --mode arg, show help if necessary - $opt_help && func_mode_help +# Now that we've collected a possible --mode arg, show help if necessary +if $opt_help; then + if test "$opt_help" = :; then + func_mode_help + else + { + func_help noexit + for opt_mode in compile link execute install finish uninstall clean; do + func_mode_help + done + } | sed -n '1p; 2,$s/^Usage:/ or: /p' + { + func_help noexit + for opt_mode in compile link execute install finish uninstall clean; do + echo + func_mode_help + done + } | + sed '1d + /^When reporting/,/^Report/{ + H + d + } + $x + /information about other modes/d + /more detailed .*MODE/d + s/^Usage:.*--mode=\([^ ]*\) .*/Description of \1 mode:/' + fi + exit $? +fi # func_mode_execute arg... 
@@ -1643,13 +2523,16 @@ func_mode_execute () func_fatal_help "you must specify a COMMAND" # Handle -dlopen flags immediately. - for file in $execute_dlfiles; do + for file in $opt_dlopen; do test -f "$file" \ || func_fatal_help "\`$file' is not a file" dir= case $file in *.la) + func_resolve_sysroot "$file" + file=$func_resolve_sysroot_result + # Check to see that this really is a libtool archive. func_lalib_unsafe_p "$file" \ || func_fatal_help "\`$lib' is not a valid libtool archive" @@ -1671,7 +2554,7 @@ func_mode_execute () dir="$func_dirname_result" if test -f "$dir/$objdir/$dlname"; then - dir="$dir/$objdir" + func_append dir "/$objdir" else if test ! -f "$dir/$dlname"; then func_fatal_error "cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" @@ -1712,7 +2595,7 @@ func_mode_execute () for file do case $file in - -*) ;; + -* | *.la | *.lo ) ;; *) # Do a test to see if this is really a libtool program. if func_ltwrapper_script_p "$file"; then @@ -1728,8 +2611,7 @@ func_mode_execute () ;; esac # Quote arguments (to preserve shell metacharacters). - func_quote_for_eval "$file" - args="$args $func_quote_for_eval_result" + func_append_quoted args "$file" done if test "X$opt_dry_run" = Xfalse; then 
@@ -1754,29 +2636,66 @@ func_mode_execute () # Display what would be done. if test -n "$shlibpath_var"; then eval "\$ECHO \"\$shlibpath_var=\$$shlibpath_var\"" - $ECHO "export $shlibpath_var" + echo "export $shlibpath_var" fi $ECHO "$cmd$args" exit $EXIT_SUCCESS fi } -test "$mode" = execute && func_mode_execute ${1+"$@"} +test "$opt_mode" = execute && func_mode_execute ${1+"$@"} # func_mode_finish arg... func_mode_finish () { $opt_debug - libdirs="$nonopt" + libs= + libdirs= admincmds= - if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then - for dir - do - libdirs="$libdirs $dir" - done + for opt in "$nonopt" ${1+"$@"} + do + if test -d "$opt"; then + func_append libdirs " $opt" + elif test -f "$opt"; then + if func_lalib_unsafe_p "$opt"; then + func_append libs " $opt" + else + func_warning "\`$opt' is not a valid libtool archive" + fi + + else + func_fatal_error "invalid argument \`$opt'" + fi + done + + if test -n "$libs"; then + if test -n "$lt_sysroot"; then + sysroot_regex=`$ECHO "$lt_sysroot" | $SED "$sed_make_literal_regex"` + sysroot_cmd="s/\([ ']\)$sysroot_regex/\1/g;" + else + sysroot_cmd= + fi + + # Remove sysroot references + if $opt_dry_run; then + for lib in $libs; do + echo "removing references to $lt_sysroot and \`=' prefixes from $lib" + done + else + tmpdir=`func_mktempdir` + for lib in $libs; do + sed -e "${sysroot_cmd} s/\([ ']-[LR]\)=/\1/g; s/\([ ']\)=/\1/g" $lib \ + > $tmpdir/tmp-la + mv -f $tmpdir/tmp-la $lib + done + ${RM}r "$tmpdir" + fi + fi + + if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then for libdir in $libdirs; do if test -n "$finish_cmds"; then # Do each command in the finish commands. @@ -1786,7 +2705,7 @@ func_mode_finish () if test -n "$finish_eval"; then # Do the single finish_eval. eval cmds=\"$finish_eval\" - $opt_dry_run || eval "$cmds" || admincmds="$admincmds + $opt_dry_run || eval "$cmds" || func_append admincmds " $cmds" fi done 
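Review bot: The sysroot-stripping loop added to func_mode_finish moves the temporary file over the archive without checking that `sed` succeeded, so a failed rewrite (full disk, unreadable input) leaves `$lib` truncated or empty. Ending the `sed` command with `> "$tmpdir/tmp-la" || func_fatal_error "cannot rewrite $lib"` before the `mv` would stop on the first failure instead of replacing the file. The same lines expand `$lib` and `$tmpdir` unquoted and call bare `sed`, where the line above them uses `$SED`. func_mode_finish continues past the end of this hunk.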
@@ -1795,53 +2714,55 @@ func_mode_finish () # Exit here if they wanted silent mode. $opt_silent && exit $EXIT_SUCCESS - $ECHO "X----------------------------------------------------------------------" | $Xsed - $ECHO "Libraries have been installed in:" - for libdir in $libdirs; do - $ECHO " $libdir" - done - $ECHO - $ECHO "If you ever happen to want to link against installed libraries" - $ECHO "in a given directory, LIBDIR, you must either use libtool, and" - $ECHO "specify the full pathname of the library, or use the \`-LLIBDIR'" - $ECHO "flag during linking and do at least one of the following:" - if test -n "$shlibpath_var"; then - $ECHO " - add LIBDIR to the \`$shlibpath_var' environment variable" - $ECHO " during execution" - fi - if test -n "$runpath_var"; then - $ECHO " - add LIBDIR to the \`$runpath_var' environment variable" - $ECHO " during linking" - fi - if test -n "$hardcode_libdir_flag_spec"; then - libdir=LIBDIR - eval flag=\"$hardcode_libdir_flag_spec\" + if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then + echo "----------------------------------------------------------------------" + echo "Libraries have been installed in:" + for libdir in $libdirs; do + $ECHO " $libdir" + done + echo + echo "If you ever happen to want to link against installed libraries" + echo "in a given directory, LIBDIR, you must either use libtool, and" + echo "specify the full pathname of the library, or use the \`-LLIBDIR'" + echo "flag during linking and do at least one of the following:" + if test -n "$shlibpath_var"; then + echo " - add LIBDIR to the \`$shlibpath_var' environment variable" + echo " during execution" + fi + if test -n "$runpath_var"; then + echo " - add LIBDIR to the \`$runpath_var' environment variable" + echo " during linking" + fi + if test -n "$hardcode_libdir_flag_spec"; then + libdir=LIBDIR + eval flag=\"$hardcode_libdir_flag_spec\" - $ECHO " - use the \`$flag' linker flag" - fi - if test -n "$admincmds"; then - $ECHO " - have your 
system administrator run these commands:$admincmds" - fi - if test -f /etc/ld.so.conf; then - $ECHO " - have your system administrator add LIBDIR to \`/etc/ld.so.conf'" - fi - $ECHO + $ECHO " - use the \`$flag' linker flag" + fi + if test -n "$admincmds"; then + $ECHO " - have your system administrator run these commands:$admincmds" + fi + if test -f /etc/ld.so.conf; then + echo " - have your system administrator add LIBDIR to \`/etc/ld.so.conf'" + fi + echo - $ECHO "See any operating system documentation about shared libraries for" - case $host in - solaris2.[6789]|solaris2.1[0-9]) - $ECHO "more information, such as the ld(1), crle(1) and ld.so(8) manual" - $ECHO "pages." - ;; - *) - $ECHO "more information, such as the ld(1) and ld.so(8) manual pages." - ;; - esac - $ECHO "X----------------------------------------------------------------------" | $Xsed + echo "See any operating system documentation about shared libraries for" + case $host in + solaris2.[6789]|solaris2.1[0-9]) + echo "more information, such as the ld(1), crle(1) and ld.so(8) manual" + echo "pages." + ;; + *) + echo "more information, such as the ld(1) and ld.so(8) manual pages." + ;; + esac + echo "----------------------------------------------------------------------" + fi exit $EXIT_SUCCESS } -test "$mode" = finish && func_mode_finish ${1+"$@"} +test "$opt_mode" = finish && func_mode_finish ${1+"$@"} # func_mode_install arg... @@ -1852,7 +2773,7 @@ func_mode_install () # install_prog (especially on Windows NT). if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh || # Allow the use of GNU shtool's install command. - $ECHO "X$nonopt" | $GREP shtool >/dev/null; then + case $nonopt in *shtool*) :;; *) false;; esac; then # Aesthetically quote it. func_quote_for_eval "$nonopt" install_prog="$func_quote_for_eval_result " 
@@ -1866,7 +2787,12 @@ func_mode_install () # The real first argument should be the name of the installation program. # Aesthetically quote it. func_quote_for_eval "$arg" - install_prog="$install_prog$func_quote_for_eval_result" + func_append install_prog "$func_quote_for_eval_result" + install_shared_prog=$install_prog + case " $install_prog " in + *[\\\ /]cp\ *) install_cp=: ;; + *) install_cp=false ;; + esac # We need to accept at least all the BSD install flags. dest= @@ -1876,10 +2802,12 @@ func_mode_install () install_type= isdir=no stripme= + no_mode=: for arg do + arg2= if test -n "$dest"; then - files="$files $dest" + func_append files " $dest" dest=$arg continue fi @@ -1887,10 +2815,9 @@ func_mode_install () case $arg in -d) isdir=yes ;; -f) - case " $install_prog " in - *[\\\ /]cp\ *) ;; - *) prev=$arg ;; - esac + if $install_cp; then :; else + prev=$arg + fi ;; -g | -m | -o) prev=$arg @@ -1904,6 +2831,10 @@ func_mode_install () *) # If the previous option needed an argument, then skip it. if test -n "$prev"; then + if test "x$prev" = x-m && test -n "$install_override_mode"; then + arg2=$install_override_mode + no_mode=false + fi prev= else dest=$arg @@ -1914,7 +2845,11 @@ func_mode_install () # Aesthetically quote the argument. func_quote_for_eval "$arg" - install_prog="$install_prog $func_quote_for_eval_result" + func_append install_prog " $func_quote_for_eval_result" + if test -n "$arg2"; then + func_quote_for_eval "$arg2" + fi + func_append install_shared_prog " $func_quote_for_eval_result" done test -z "$install_prog" && \ 
@@ -1923,6 +2858,13 @@ func_mode_install () test -n "$prev" && \ func_fatal_help "the \`$prev' option requires an argument" + if test -n "$install_override_mode" && $no_mode; then + if $install_cp; then :; else + func_quote_for_eval "$install_override_mode" + func_append install_shared_prog " -m $func_quote_for_eval_result" + fi + fi + if test -z "$files"; then if test -z "$dest"; then func_fatal_help "no file or destination specified" @@ -1977,10 +2919,13 @@ func_mode_install () case $file in *.$libext) # Do the static libraries later. - staticlibs="$staticlibs $file" + func_append staticlibs " $file" ;; *.la) + func_resolve_sysroot "$file" + file=$func_resolve_sysroot_result + # Check to see that this really is a libtool archive. func_lalib_unsafe_p "$file" \ || func_fatal_help "\`$file' is not a valid libtool archive" @@ -1994,23 +2939,23 @@ func_mode_install () if test "X$destdir" = "X$libdir"; then case "$current_libdirs " in *" $libdir "*) ;; - *) current_libdirs="$current_libdirs $libdir" ;; + *) func_append current_libdirs " $libdir" ;; esac else # Note the libdir as a future libdir. case "$future_libdirs " in *" $libdir "*) ;; - *) future_libdirs="$future_libdirs $libdir" ;; + *) func_append future_libdirs " $libdir" ;; esac fi func_dirname "$file" "/" "" dir="$func_dirname_result" - dir="$dir$objdir" + func_append dir "$objdir" if test -n "$relink_command"; then # Determine the prefix the user has applied to our future dir. - inst_prefix_dir=`$ECHO "X$destdir" | $Xsed -e "s%$libdir\$%%"` + inst_prefix_dir=`$ECHO "$destdir" | $SED -e "s%$libdir\$%%"` # Don't allow the user to place us outside of our expected # location b/c this prevents finding dependent libraries that 
@@ -2023,9 +2968,9 @@ func_mode_install () if test -n "$inst_prefix_dir"; then # Stick the inst_prefix_dir data into the link command. - relink_command=`$ECHO "X$relink_command" | $Xsed -e "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%"` + relink_command=`$ECHO "$relink_command" | $SED "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%"` else - relink_command=`$ECHO "X$relink_command" | $Xsed -e "s%@inst_prefix_dir@%%"` + relink_command=`$ECHO "$relink_command" | $SED "s%@inst_prefix_dir@%%"` fi func_warning "relinking \`$file'" @@ -2043,7 +2988,7 @@ func_mode_install () test -n "$relink_command" && srcname="$realname"T # Install the shared library and build the symlinks. - func_show_eval "$install_prog $dir/$srcname $destdir/$realname" \ + func_show_eval "$install_shared_prog $dir/$srcname $destdir/$realname" \ 'exit $?' tstripme="$stripme" case $host_os in @@ -2083,7 +3028,7 @@ func_mode_install () func_show_eval "$install_prog $instname $destdir/$name" 'exit $?' # Maybe install the static library, too. - test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library" + test -n "$old_library" && func_append staticlibs " $dir/$old_library" ;; *.lo) @@ -2183,7 +3128,7 @@ func_mode_install () if test -f "$lib"; then func_source "$lib" fi - libfile="$libdir/"`$ECHO "X$lib" | $Xsed -e 's%^.*/%%g'` ### testsuite: skip nested quoting test + libfile="$libdir/"`$ECHO "$lib" | $SED 's%^.*/%%g'` ### testsuite: skip nested quoting test if test -n "$libdir" && test ! -f "$libfile"; then func_warning "\`$lib' has not been installed in \`$libdir'" finalize=no @@ -2202,7 +3147,7 @@ func_mode_install () file="$func_basename_result" outputname="$tmpdir/$file" # Replace the output file specification. - relink_command=`$ECHO "X$relink_command" | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g'` + relink_command=`$ECHO "$relink_command" | $SED 's%@OUTPUT@%'"$outputname"'%g'` $opt_silent || { func_quote_for_expand "$relink_command" 
@@ -2221,7 +3166,7 @@ func_mode_install () } else # Install the binary that we compiled earlier. - file=`$ECHO "X$file$stripped_ext" | $Xsed -e "s%\([^/]*\)$%$objdir/\1%"` + file=`$ECHO "$file$stripped_ext" | $SED "s%\([^/]*\)$%$objdir/\1%"` fi fi @@ -2257,11 +3202,13 @@ func_mode_install () # Set up the ranlib parameters. oldlib="$destdir/$name" + func_to_tool_file "$oldlib" func_convert_file_msys_to_w32 + tool_oldlib=$func_to_tool_file_result func_show_eval "$install_prog \$file \$oldlib" 'exit $?' if test -n "$stripme" && test -n "$old_striplib"; then - func_show_eval "$old_striplib $oldlib" 'exit $?' + func_show_eval "$old_striplib $tool_oldlib" 'exit $?' fi # Do each command in the postinstall commands. @@ -2280,7 +3227,7 @@ func_mode_install () fi } -test "$mode" = install && func_mode_install ${1+"$@"} +test "$opt_mode" = install && func_mode_install ${1+"$@"} # func_generate_dlsyms outputname originator pic_p @@ -2323,6 +3270,22 @@ func_generate_dlsyms () extern \"C\" { #endif +#if defined(__GNUC__) && (((__GNUC__ == 4) && (__GNUC_MINOR__ >= 4)) || (__GNUC__ > 4)) +#pragma GCC diagnostic ignored \"-Wstrict-prototypes\" +#endif + +/* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests. */ +#if defined(_WIN32) || defined(__CYGWIN__) || defined(_WIN32_WCE) +/* DATA imports from DLLs on WIN32 con't be const, because runtime + relocations are performed -- see ld's documentation on pseudo-relocs. */ +# define LT_DLSYM_CONST +#elif defined(__osf__) +/* This system does not cope well with relocations in const data. */ +# define LT_DLSYM_CONST +#else +# define LT_DLSYM_CONST const +#endif + /* External symbol declarations for the compiler. */\ " 
@@ -2332,10 +3295,11 @@ extern \"C\" { $opt_dry_run || echo ': @PROGRAM@ ' > "$nlist" # Add our own program objects to the symbol list. - progfiles=`$ECHO "X$objs$old_deplibs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP` + progfiles=`$ECHO "$objs$old_deplibs" | $SP2NL | $SED "$lo2o" | $NL2SP` for progfile in $progfiles; do - func_verbose "extracting global C symbols from \`$progfile'" - $opt_dry_run || eval "$NM $progfile | $global_symbol_pipe >> '$nlist'" + func_to_tool_file "$progfile" func_convert_file_msys_to_w32 + func_verbose "extracting global C symbols from \`$func_to_tool_file_result'" + $opt_dry_run || eval "$NM $func_to_tool_file_result | $global_symbol_pipe >> '$nlist'" done if test -n "$exclude_expsyms"; then @@ -2371,7 +3335,7 @@ extern \"C\" { eval '$GREP -f "$output_objdir/$outputname.exp" < "$nlist" > "$nlist"T' eval '$MV "$nlist"T "$nlist"' case $host in - *cygwin | *mingw* | *cegcc* ) + *cygwin* | *mingw* | *cegcc* ) eval "echo EXPORTS "'> "$output_objdir/$outputname.def"' eval 'cat "$nlist" >> "$output_objdir/$outputname.def"' ;; 
@@ -2384,10 +3348,52 @@ extern \"C\" { func_verbose "extracting global C symbols from \`$dlprefile'" func_basename "$dlprefile" name="$func_basename_result" - $opt_dry_run || { - eval '$ECHO ": $name " >> "$nlist"' - eval "$NM $dlprefile 2>/dev/null | $global_symbol_pipe >> '$nlist'" - } + case $host in + *cygwin* | *mingw* | *cegcc* ) + # if an import library, we need to obtain dlname + if func_win32_import_lib_p "$dlprefile"; then + func_tr_sh "$dlprefile" + eval "curr_lafile=\$libfile_$func_tr_sh_result" + dlprefile_dlbasename="" + if test -n "$curr_lafile" && func_lalib_p "$curr_lafile"; then + # Use subshell, to avoid clobbering current variable values + dlprefile_dlname=`source "$curr_lafile" && echo "$dlname"` + if test -n "$dlprefile_dlname" ; then + func_basename "$dlprefile_dlname" + dlprefile_dlbasename="$func_basename_result" + else + # no lafile. user explicitly requested -dlpreopen . + $sharedlib_from_linklib_cmd "$dlprefile" + dlprefile_dlbasename=$sharedlib_from_linklib_result + fi + fi + $opt_dry_run || { + if test -n "$dlprefile_dlbasename" ; then + eval '$ECHO ": $dlprefile_dlbasename" >> "$nlist"' + else + func_warning "Could not compute DLL name from $name" + eval '$ECHO ": $name " >> "$nlist"' + fi + func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32 + eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe | + $SED -e '/I __imp/d' -e 's/I __nm_/D /;s/_nm__//' >> '$nlist'" + } + else # not an import lib + $opt_dry_run || { + eval '$ECHO ": $name " >> "$nlist"' + func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32 + eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe >> '$nlist'" + } + fi + ;; + *) + $opt_dry_run || { + eval '$ECHO ": $name " >> "$nlist"' + func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32 + eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe >> '$nlist'" + } + ;; + esac done $opt_dry_run || { 
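Review bot: The added import-library branch reads the .la file with `source "$curr_lafile"`, which is not a POSIX `sh` builtin and runs the file's contents as shell code; elsewhere in this script .la files are loaded through `func_source` (for example `func_source "$lib"` in func_mode_install). Writing `func_source "$curr_lafile" && echo "$dlname"` inside the command substitution keeps the subshell isolation and matches the rest of the file. Separately, the comment `# no lafile` sits on the `else` of the `dlprefile_dlname` test, so the `$sharedlib_from_linklib_cmd` fallback appears not to run when `curr_lafile` is empty; that is worth confirming against the intent. func_generate_dlsyms starts and ends outside this hunk.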
@@ -2415,36 +3421,19 @@ extern \"C\" { if test -f "$nlist"S; then eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$my_dlsyms"' else - $ECHO '/* NONE */' >> "$output_objdir/$my_dlsyms" + echo '/* NONE */' >> "$output_objdir/$my_dlsyms" fi - $ECHO >> "$output_objdir/$my_dlsyms" "\ + echo >> "$output_objdir/$my_dlsyms" "\ /* The mapping between symbol names and symbols. */ typedef struct { const char *name; void *address; } lt_dlsymlist; -" - case $host in - *cygwin* | *mingw* | *cegcc* ) - $ECHO >> "$output_objdir/$my_dlsyms" "\ -/* DATA imports from DLLs on WIN32 con't be const, because - runtime relocations are performed -- see ld's documentation - on pseudo-relocs. */" - lt_dlsym_const= ;; - *osf5*) - echo >> "$output_objdir/$my_dlsyms" "\ -/* This system does not cope well with relocations in const data */" - lt_dlsym_const= ;; - *) - lt_dlsym_const=const ;; - esac - - $ECHO >> "$output_objdir/$my_dlsyms" "\ -extern $lt_dlsym_const lt_dlsymlist +extern LT_DLSYM_CONST lt_dlsymlist lt_${my_prefix}_LTX_preloaded_symbols[]; -$lt_dlsym_const lt_dlsymlist +LT_DLSYM_CONST lt_dlsymlist lt_${my_prefix}_LTX_preloaded_symbols[] = {\ { \"$my_originator\", (void *) 0 }," @@ -2457,7 +3446,7 @@ lt_${my_prefix}_LTX_preloaded_symbols[] = eval "$global_symbol_to_c_name_address_lib_prefix" < "$nlist" >> "$output_objdir/$my_dlsyms" ;; esac - $ECHO >> "$output_objdir/$my_dlsyms" "\ + echo >> "$output_objdir/$my_dlsyms" "\ {0, (void *) 0} }; @@ -2484,7 +3473,7 @@ static const void *lt_preloaded_setup() { # linked before any other PIC object. But we must not use # pic_flag when linking with -static. The problem exists in # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1. - *-*-freebsd2*|*-*-freebsd3.0*|*-*-freebsdelf3.0*) + *-*-freebsd2.*|*-*-freebsd3.0*|*-*-freebsdelf3.0*) pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND" ;; *-*-hpux*) pic_flag_for_symtable=" $pic_flag" ;; 
@@ -2500,7 +3489,7 @@ static const void *lt_preloaded_setup() { for arg in $LTCFLAGS; do case $arg in -pie | -fpie | -fPIE) ;; - *) symtab_cflags="$symtab_cflags $arg" ;; + *) func_append symtab_cflags " $arg" ;; esac done @@ -2515,16 +3504,16 @@ static const void *lt_preloaded_setup() { case $host in *cygwin* | *mingw* | *cegcc* ) if test -f "$output_objdir/$my_outputname.def"; then - compile_command=`$ECHO "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"` - finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"` + compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"` + finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"` else - compile_command=`$ECHO "X$compile_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"` - finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"` + compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$symfileobj%"` + finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$symfileobj%"` fi ;; *) - compile_command=`$ECHO "X$compile_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"` - finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$symfileobj%"` + compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$symfileobj%"` + finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$symfileobj%"` ;; esac ;; @@ -2538,8 +3527,8 @@ static const void *lt_preloaded_setup() { # really was required. # Nullify the symbol file. - compile_command=`$ECHO "X$compile_command" | $Xsed -e "s% @SYMFILE@%%"` - finalize_command=`$ECHO "X$finalize_command" | $Xsed -e "s% @SYMFILE@%%"` + compile_command=`$ECHO "$compile_command" | $SED "s% @SYMFILE@%%"` + finalize_command=`$ECHO "$finalize_command" | $SED "s% @SYMFILE@%%"` fi } 
@@ -2549,6 +3538,7 @@ static const void *lt_preloaded_setup() { # Need a lot of goo to handle *both* DLLs and import libs # Has to be a shell function in order to 'eat' the argument # that is supplied when $file_magic_command is called. +# Despite the name, also deal with 64 bit binaries. func_win32_libid () { $opt_debug @@ -2559,9 +3549,11 @@ func_win32_libid () win32_libid_type="x86 archive import" ;; *ar\ archive*) # could be an import, or static + # Keep the egrep pattern in sync with the one in _LT_CHECK_MAGIC_METHOD. if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null | - $EGREP 'file format pe-i386(.*architecture: i386)?' >/dev/null ; then - win32_nmres=`eval $NM -f posix -A $1 | + $EGREP 'file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)' >/dev/null; then + func_to_tool_file "$1" func_convert_file_msys_to_w32 + win32_nmres=`eval $NM -f posix -A \"$func_to_tool_file_result\" | $SED -n -e ' 1,100{ / I /{ 
@@ -2590,6 +3582,131 @@ func_win32_libid () $ECHO "$win32_libid_type" } +# func_cygming_dll_for_implib ARG +# +# Platform-specific function to extract the +# name of the DLL associated with the specified +# import library ARG. +# Invoked by eval'ing the libtool variable +# $sharedlib_from_linklib_cmd +# Result is available in the variable +# $sharedlib_from_linklib_result +func_cygming_dll_for_implib () +{ + $opt_debug + sharedlib_from_linklib_result=`$DLLTOOL --identify-strict --identify "$1"` +} + +# func_cygming_dll_for_implib_fallback_core SECTION_NAME LIBNAMEs +# +# The is the core of a fallback implementation of a +# platform-specific function to extract the name of the +# DLL associated with the specified import library LIBNAME. +# +# SECTION_NAME is either .idata$6 or .idata$7, depending +# on the platform and compiler that created the implib. +# +# Echos the name of the DLL associated with the +# specified import library. +func_cygming_dll_for_implib_fallback_core () +{ + $opt_debug + match_literal=`$ECHO "$1" | $SED "$sed_make_literal_regex"` + $OBJDUMP -s --section "$1" "$2" 2>/dev/null | + $SED '/^Contents of section '"$match_literal"':/{ + # Place marker at beginning of archive member dllname section + s/.*/====MARK====/ + p + d + } + # These lines can sometimes be longer than 43 characters, but + # are always uninteresting + /:[ ]*file format pe[i]\{,1\}-/d + /^In archive [^:]*:/d + # Ensure marker is printed + /^====MARK====/p + # Remove all lines with less than 43 characters + /^.\{43\}/!d + # From remaining lines, remove first 43 characters + s/^.\{43\}//' | + $SED -n ' + # Join marker and all lines until next marker into a single line + /^====MARK====/ b para + H + $ b para + b + :para + x + s/\n//g + # Remove the marker + s/^====MARK====// + # Remove trailing dots and whitespace + s/[\. 
\t]*$// + # Print + /./p' | + # we now have a list, one entry per line, of the stringified + # contents of the appropriate section of all members of the + # archive which possess that section. Heuristic: eliminate + # all those which have a first or second character that is + # a '.' (that is, objdump's representation of an unprintable + # character.) This should work for all archives with less than + # 0x302f exports -- but will fail for DLLs whose name actually + # begins with a literal '.' or a single character followed by + # a '.'. + # + # Of those that remain, print the first one. + $SED -e '/^\./d;/^.\./d;q' +} + +# func_cygming_gnu_implib_p ARG +# This predicate returns with zero status (TRUE) if +# ARG is a GNU/binutils-style import library. Returns +# with nonzero status (FALSE) otherwise. +func_cygming_gnu_implib_p () +{ + $opt_debug + func_to_tool_file "$1" func_convert_file_msys_to_w32 + func_cygming_gnu_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $EGREP ' (_head_[A-Za-z0-9_]+_[ad]l*|[A-Za-z0-9_]+_[ad]l*_iname)$'` + test -n "$func_cygming_gnu_implib_tmp" +} + +# func_cygming_ms_implib_p ARG +# This predicate returns with zero status (TRUE) if +# ARG is an MS-style import library. Returns +# with nonzero status (FALSE) otherwise. +func_cygming_ms_implib_p () +{ + $opt_debug + func_to_tool_file "$1" func_convert_file_msys_to_w32 + func_cygming_ms_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $GREP '_NULL_IMPORT_DESCRIPTOR'` + test -n "$func_cygming_ms_implib_tmp" +} + +# func_cygming_dll_for_implib_fallback ARG +# Platform-specific function to extract the +# name of the DLL associated with the specified +# import library ARG. +# +# This fallback implementation is for use when $DLLTOOL +# does not support the --identify-strict option. 
+# Invoked by eval'ing the libtool variable +# $sharedlib_from_linklib_cmd +# Result is available in the variable +# $sharedlib_from_linklib_result +func_cygming_dll_for_implib_fallback () +{ + $opt_debug + if func_cygming_gnu_implib_p "$1" ; then + # binutils import library + sharedlib_from_linklib_result=`func_cygming_dll_for_implib_fallback_core '.idata$7' "$1"` + elif func_cygming_ms_implib_p "$1" ; then + # ms-generated import library + sharedlib_from_linklib_result=`func_cygming_dll_for_implib_fallback_core '.idata$6' "$1"` + else + # unknown + sharedlib_from_linklib_result="" + fi +} # func_extract_an_archive dir oldlib @@ -2598,7 +3715,18 @@ func_extract_an_archive () $opt_debug f_ex_an_ar_dir="$1"; shift f_ex_an_ar_oldlib="$1" - func_show_eval "(cd \$f_ex_an_ar_dir && $AR x \"\$f_ex_an_ar_oldlib\")" 'exit $?' + if test "$lock_old_archive_extraction" = yes; then + lockfile=$f_ex_an_ar_oldlib.lock + until $opt_dry_run || ln "$progpath" "$lockfile" 2>/dev/null; do + func_echo "Waiting for $lockfile to be removed" + sleep 2 + done + fi + func_show_eval "(cd \$f_ex_an_ar_dir && $AR x \"\$f_ex_an_ar_oldlib\")" \ + 'stat=$?; rm -f "$lockfile"; exit $stat' + if test "$lock_old_archive_extraction" = yes; then + $opt_dry_run || rm -f "$lockfile" + fi if ($AR t "$f_ex_an_ar_oldlib" | sort | sort -uc >/dev/null 2>&1); then : else @@ -2669,7 +3797,7 @@ func_extract_archives () darwin_file= darwin_files= for darwin_file in $darwin_filelist; do - darwin_files=`find unfat-$$ -name $darwin_file -print | $NL2SP` + darwin_files=`find unfat-$$ -name $darwin_file -print | sort | $NL2SP` $LIPO -create -output "$darwin_file" $darwin_files done # $darwin_filelist $RM -rf unfat-$$ 
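Review bot: The lock loop added to func_extract_an_archive has no retry limit and discards the error output of `ln`, so a lock file left behind by an interrupted build, or an `ln` that can never succeed (for example a hard link across file systems or into a read-only directory), keeps the build printing "Waiting for ... to be removed" indefinitely. Bounding the retries and failing with a message that names the lock file turns that into a diagnosable error. The limit in the sketch below is a constructed value, not one taken from the project. The function body starts and ends outside this hunk.

```shell
    lockfile=$f_ex_an_ar_oldlib.lock
    lock_tries=0   # constructed retry budget: 150 tries x 2 s
    until $opt_dry_run || ln "$progpath" "$lockfile" 2>/dev/null; do
      lock_tries=`expr $lock_tries + 1`
      test "$lock_tries" -le 150 ||
        func_fatal_error "timed out waiting for $lockfile; remove it if no other libtool is running"
      func_echo "Waiting for $lockfile to be removed"
      sleep 2
    done
    # … unchanged: archive extraction and lock removal …
```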
@@ -2684,25 +3812,30 @@ func_extract_archives () func_extract_an_archive "$my_xdir" "$my_xabs" ;; esac - my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP` + my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | sort | $NL2SP` done func_extract_archives_result="$my_oldobjs" } - -# func_emit_wrapper_part1 [arg=no] +# func_emit_wrapper [arg=no] # -# Emit the first part of a libtool wrapper script on stdout. -# For more information, see the description associated with -# func_emit_wrapper(), below. -func_emit_wrapper_part1 () +# Emit a libtool wrapper script on stdout. +# Don't directly open a file because we may want to +# incorporate the script contents within a cygwin/mingw +# wrapper executable. Must ONLY be called from within +# func_mode_link because it depends on a number of variables +# set therein. +# +# ARG is the value that the WRAPPER_SCRIPT_BELONGS_IN_OBJDIR +# variable will take. If 'yes', then the emitted script +# will assume that the directory in which it is stored is +# the $objdir directory. This is a cygwin/mingw-specific +# behavior. +func_emit_wrapper () { - func_emit_wrapper_part1_arg1=no - if test -n "$1" ; then - func_emit_wrapper_part1_arg1=$1 - fi + func_emit_wrapper_arg1=${1-no} $ECHO "\ #! $SHELL @@ -2718,7 +3851,6 @@ func_emit_wrapper_part1 () # Sed substitution that helps us do robust quoting. It backslashifies # metacharacters that are still active within double-quoted strings. -Xsed='${SED} -e 1s/^X//' sed_quote_subst='$sed_quote_subst' # Be Bourne compatible 
@@ -2749,31 +3881,135 @@ if test \"\$libtool_install_magic\" = \"$magic\"; then else # When we are sourced in execute mode, \$file and \$ECHO are already set. if test \"\$libtool_execute_magic\" != \"$magic\"; then - ECHO=\"$qecho\" - file=\"\$0\" - # Make sure echo works. - if test \"X\$1\" = X--no-reexec; then - # Discard the --no-reexec flag, and continue. - shift - elif test \"X\`{ \$ECHO '\t'; } 2>/dev/null\`\" = 'X\t'; then - # Yippee, \$ECHO works! - : - else - # Restart under the correct shell, and then maybe \$ECHO will work. - exec $SHELL \"\$0\" --no-reexec \${1+\"\$@\"} - fi - fi\ + file=\"\$0\"" + + qECHO=`$ECHO "$ECHO" | $SED "$sed_quote_subst"` + $ECHO "\ + +# A function that is used when there is no print builtin or printf. +func_fallback_echo () +{ + eval 'cat <<_LTECHO_EOF +\$1 +_LTECHO_EOF' +} + ECHO=\"$qECHO\" + fi + +# Very basic option parsing. These options are (a) specific to +# the libtool wrapper, (b) are identical between the wrapper +# /script/ and the wrapper /executable/ which is used only on +# windows platforms, and (c) all begin with the string "--lt-" +# (application programs are unlikely to have options which match +# this pattern). +# +# There are only two supported options: --lt-debug and +# --lt-dump-script. There is, deliberately, no --lt-help. +# +# The first argument to this parsing function should be the +# script's $0 value, followed by "$@". +lt_option_debug= +func_parse_lt_options () +{ + lt_script_arg0=\$0 + shift + for lt_opt + do + case \"\$lt_opt\" in + --lt-debug) lt_option_debug=1 ;; + --lt-dump-script) + lt_dump_D=\`\$ECHO \"X\$lt_script_arg0\" | $SED -e 's/^X//' -e 's%/[^/]*$%%'\` + test \"X\$lt_dump_D\" = \"X\$lt_script_arg0\" && lt_dump_D=. 
+ lt_dump_F=\`\$ECHO \"X\$lt_script_arg0\" | $SED -e 's/^X//' -e 's%^.*/%%'\` + cat \"\$lt_dump_D/\$lt_dump_F\" + exit 0 + ;; + --lt-*) + \$ECHO \"Unrecognized --lt- option: '\$lt_opt'\" 1>&2 + exit 1 + ;; + esac + done + + # Print the debug banner immediately: + if test -n \"\$lt_option_debug\"; then + echo \"${outputname}:${output}:\${LINENO}: libtool wrapper (GNU $PACKAGE$TIMESTAMP) $VERSION\" 1>&2 + fi +} + +# Used when --lt-debug. Prints its arguments to stdout +# (redirection is the responsibility of the caller) +func_lt_dump_args () +{ + lt_dump_args_N=1; + for lt_arg + do + \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[\$lt_dump_args_N]: \$lt_arg\" + lt_dump_args_N=\`expr \$lt_dump_args_N + 1\` + done +} + +# Core function for launching the target application +func_exec_program_core () +{ " - $ECHO "\ + case $host in + # Backslashes separate directories on plain windows + *-*-mingw | *-*-os2* | *-cegcc*) + $ECHO "\ + if test -n \"\$lt_option_debug\"; then + \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[0]: \$progdir\\\\\$program\" 1>&2 + func_lt_dump_args \${1+\"\$@\"} 1>&2 + fi + exec \"\$progdir\\\\\$program\" \${1+\"\$@\"} +" + ;; + + *) + $ECHO "\ + if test -n \"\$lt_option_debug\"; then + \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[0]: \$progdir/\$program\" 1>&2 + func_lt_dump_args \${1+\"\$@\"} 1>&2 + fi + exec \"\$progdir/\$program\" \${1+\"\$@\"} +" + ;; + esac + $ECHO "\ + \$ECHO \"\$0: cannot exec \$program \$*\" 1>&2 + exit 1 +} + +# A function to encapsulate launching the target application +# Strips options in the --lt-* namespace from \$@ and +# launches target application with the remaining arguments. 
+func_exec_program () +{ + case \" \$* \" in + *\\ --lt-*) + for lt_wr_arg + do + case \$lt_wr_arg in + --lt-*) ;; + *) set x \"\$@\" \"\$lt_wr_arg\"; shift;; + esac + shift + done ;; + esac + func_exec_program_core \${1+\"\$@\"} +} + + # Parse options + func_parse_lt_options \"\$0\" \${1+\"\$@\"} # Find the directory that this script lives in. - thisdir=\`\$ECHO \"X\$file\" | \$Xsed -e 's%/[^/]*$%%'\` + thisdir=\`\$ECHO \"\$file\" | $SED 's%/[^/]*$%%'\` test \"x\$thisdir\" = \"x\$file\" && thisdir=. # Follow symbolic links until we get to the real thisdir. - file=\`ls -ld \"\$file\" | ${SED} -n 's/.*-> //p'\` + file=\`ls -ld \"\$file\" | $SED -n 's/.*-> //p'\` while test -n \"\$file\"; do - destdir=\`\$ECHO \"X\$file\" | \$Xsed -e 's%/[^/]*\$%%'\` + destdir=\`\$ECHO \"\$file\" | $SED 's%/[^/]*\$%%'\` # If there was a directory component, then change thisdir. if test \"x\$destdir\" != \"x\$file\"; then @@ -2783,30 +4019,13 @@ else esac fi - file=\`\$ECHO \"X\$file\" | \$Xsed -e 's%^.*/%%'\` - file=\`ls -ld \"\$thisdir/\$file\" | ${SED} -n 's/.*-> //p'\` + file=\`\$ECHO \"\$file\" | $SED 's%^.*/%%'\` + file=\`ls -ld \"\$thisdir/\$file\" | $SED -n 's/.*-> //p'\` done -" -} -# end: func_emit_wrapper_part1 - -# func_emit_wrapper_part2 [arg=no] -# -# Emit the second part of a libtool wrapper script on stdout. -# For more information, see the description associated with -# func_emit_wrapper(), below. -func_emit_wrapper_part2 () -{ - func_emit_wrapper_part2_arg1=no - if test -n "$1" ; then - func_emit_wrapper_part2_arg1=$1 - fi - - $ECHO "\ # Usually 'no', except on cygwin/mingw when embedded into # the cwrapper. - WRAPPER_SCRIPT_BELONGS_IN_OBJDIR=$func_emit_wrapper_part2_arg1 + WRAPPER_SCRIPT_BELONGS_IN_OBJDIR=$func_emit_wrapper_arg1 if test \"\$WRAPPER_SCRIPT_BELONGS_IN_OBJDIR\" = \"yes\"; then # special case for '.' if test \"\$thisdir\" = \".\"; then 
@@ -2814,7 +4033,7 @@ func_emit_wrapper_part2 () fi # remove .libs from thisdir case \"\$thisdir\" in - *[\\\\/]$objdir ) thisdir=\`\$ECHO \"X\$thisdir\" | \$Xsed -e 's%[\\\\/][^\\\\/]*$%%'\` ;; + *[\\\\/]$objdir ) thisdir=\`\$ECHO \"\$thisdir\" | $SED 's%[\\\\/][^\\\\/]*$%%'\` ;; $objdir ) thisdir=. ;; esac fi @@ -2869,6 +4088,18 @@ func_emit_wrapper_part2 () if test -f \"\$progdir/\$program\"; then" + # fixup the dll searchpath if we need to. + # + # Fix the DLL searchpath if we need to. Do this before prepending + # to shlibpath, because on Windows, both are PATH and uninstalled + # libraries must come first. + if test -n "$dllsearchpath"; then + $ECHO "\ + # Add the dll search path components to the executable PATH + PATH=$dllsearchpath:\$PATH +" + fi + # Export our shlibpath_var if we have one. if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then $ECHO "\ 
@@ -2877,254 +4108,29 @@ func_emit_wrapper_part2 () # Some systems cannot cope with colon-terminated $shlibpath_var # The second colon is a workaround for a bug in BeOS R4 sed - $shlibpath_var=\`\$ECHO \"X\$$shlibpath_var\" | \$Xsed -e 's/::*\$//'\` + $shlibpath_var=\`\$ECHO \"\$$shlibpath_var\" | $SED 's/::*\$//'\` export $shlibpath_var " fi - # fixup the dll searchpath if we need to. - if test -n "$dllsearchpath"; then - $ECHO "\ - # Add the dll search path components to the executable PATH - PATH=$dllsearchpath:\$PATH -" - fi - $ECHO "\ if test \"\$libtool_execute_magic\" != \"$magic\"; then # Run the actual program with our arguments. -" - case $host in - # Backslashes separate directories on plain windows - *-*-mingw | *-*-os2* | *-cegcc*) - $ECHO "\ - exec \"\$progdir\\\\\$program\" \${1+\"\$@\"} -" - ;; - - *) - $ECHO "\ - exec \"\$progdir/\$program\" \${1+\"\$@\"} -" - ;; - esac - $ECHO "\ - \$ECHO \"\$0: cannot exec \$program \$*\" 1>&2 - exit 1 + func_exec_program \${1+\"\$@\"} fi else # The program doesn't exist. \$ECHO \"\$0: error: \\\`\$progdir/\$program' does not exist\" 1>&2 \$ECHO \"This script is just a wrapper for \$program.\" 1>&2 - $ECHO \"See the $PACKAGE documentation for more information.\" 1>&2 + \$ECHO \"See the $PACKAGE documentation for more information.\" 1>&2 exit 1 fi fi\ " } -# end: func_emit_wrapper_part2 -# func_emit_wrapper [arg=no] -# -# Emit a libtool wrapper script on stdout. -# Don't directly open a file because we may want to -# incorporate the script contents within a cygwin/mingw -# wrapper executable. Must ONLY be called from within -# func_mode_link because it depends on a number of variables -# set therein. -# -# ARG is the value that the WRAPPER_SCRIPT_BELONGS_IN_OBJDIR -# variable will take. If 'yes', then the emitted script -# will assume that the directory in which it is stored is -# the $objdir directory. This is a cygwin/mingw-specific -# behavior. 
-func_emit_wrapper () -{ - func_emit_wrapper_arg1=no - if test -n "$1" ; then - func_emit_wrapper_arg1=$1 - fi - - # split this up so that func_emit_cwrapperexe_src - # can call each part independently. - func_emit_wrapper_part1 "${func_emit_wrapper_arg1}" - func_emit_wrapper_part2 "${func_emit_wrapper_arg1}" -} - - -# func_to_host_path arg -# -# Convert paths to host format when used with build tools. -# Intended for use with "native" mingw (where libtool itself -# is running under the msys shell), or in the following cross- -# build environments: -# $build $host -# mingw (msys) mingw [e.g. native] -# cygwin mingw -# *nix + wine mingw -# where wine is equipped with the `winepath' executable. -# In the native mingw case, the (msys) shell automatically -# converts paths for any non-msys applications it launches, -# but that facility isn't available from inside the cwrapper. -# Similar accommodations are necessary for $host mingw and -# $build cygwin. Calling this function does no harm for other -# $host/$build combinations not listed above. -# -# ARG is the path (on $build) that should be converted to -# the proper representation for $host. The result is stored -# in $func_to_host_path_result. 
-func_to_host_path () -{ - func_to_host_path_result="$1" - if test -n "$1" ; then - case $host in - *mingw* ) - lt_sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g' - case $build in - *mingw* ) # actually, msys - # awkward: cmd appends spaces to result - lt_sed_strip_trailing_spaces="s/[ ]*\$//" - func_to_host_path_tmp1=`( cmd //c echo "$1" |\ - $SED -e "$lt_sed_strip_trailing_spaces" ) 2>/dev/null || echo ""` - func_to_host_path_result=`echo "$func_to_host_path_tmp1" |\ - $SED -e "$lt_sed_naive_backslashify"` - ;; - *cygwin* ) - func_to_host_path_tmp1=`cygpath -w "$1"` - func_to_host_path_result=`echo "$func_to_host_path_tmp1" |\ - $SED -e "$lt_sed_naive_backslashify"` - ;; - * ) - # Unfortunately, winepath does not exit with a non-zero - # error code, so we are forced to check the contents of - # stdout. On the other hand, if the command is not - # found, the shell will set an exit code of 127 and print - # *an error message* to stdout. So we must check for both - # error code of zero AND non-empty stdout, which explains - # the odd construction: - func_to_host_path_tmp1=`winepath -w "$1" 2>/dev/null` - if test "$?" -eq 0 && test -n "${func_to_host_path_tmp1}"; then - func_to_host_path_result=`echo "$func_to_host_path_tmp1" |\ - $SED -e "$lt_sed_naive_backslashify"` - else - # Allow warning below. - func_to_host_path_result="" - fi - ;; - esac - if test -z "$func_to_host_path_result" ; then - func_error "Could not determine host path corresponding to" - func_error " '$1'" - func_error "Continuing, but uninstalled executables may not work." - # Fallback: - func_to_host_path_result="$1" - fi - ;; - esac - fi -} -# end: func_to_host_path - -# func_to_host_pathlist arg -# -# Convert pathlists to host format when used with build tools. -# See func_to_host_path(), above. This function supports the -# following $build/$host combinations (but does no harm for -# combinations not listed here): -# $build $host -# mingw (msys) mingw [e.g. 
native] -# cygwin mingw -# *nix + wine mingw -# -# Path separators are also converted from $build format to -# $host format. If ARG begins or ends with a path separator -# character, it is preserved (but converted to $host format) -# on output. -# -# ARG is a pathlist (on $build) that should be converted to -# the proper representation on $host. The result is stored -# in $func_to_host_pathlist_result. -func_to_host_pathlist () -{ - func_to_host_pathlist_result="$1" - if test -n "$1" ; then - case $host in - *mingw* ) - lt_sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g' - # Remove leading and trailing path separator characters from - # ARG. msys behavior is inconsistent here, cygpath turns them - # into '.;' and ';.', and winepath ignores them completely. - func_to_host_pathlist_tmp2="$1" - # Once set for this call, this variable should not be - # reassigned. It is used in tha fallback case. - func_to_host_pathlist_tmp1=`echo "$func_to_host_pathlist_tmp2" |\ - $SED -e 's|^:*||' -e 's|:*$||'` - case $build in - *mingw* ) # Actually, msys. - # Awkward: cmd appends spaces to result. 
- lt_sed_strip_trailing_spaces="s/[ ]*\$//" - func_to_host_pathlist_tmp2=`( cmd //c echo "$func_to_host_pathlist_tmp1" |\ - $SED -e "$lt_sed_strip_trailing_spaces" ) 2>/dev/null || echo ""` - func_to_host_pathlist_result=`echo "$func_to_host_pathlist_tmp2" |\ - $SED -e "$lt_sed_naive_backslashify"` - ;; - *cygwin* ) - func_to_host_pathlist_tmp2=`cygpath -w -p "$func_to_host_pathlist_tmp1"` - func_to_host_pathlist_result=`echo "$func_to_host_pathlist_tmp2" |\ - $SED -e "$lt_sed_naive_backslashify"` - ;; - * ) - # unfortunately, winepath doesn't convert pathlists - func_to_host_pathlist_result="" - func_to_host_pathlist_oldIFS=$IFS - IFS=: - for func_to_host_pathlist_f in $func_to_host_pathlist_tmp1 ; do - IFS=$func_to_host_pathlist_oldIFS - if test -n "$func_to_host_pathlist_f" ; then - func_to_host_path "$func_to_host_pathlist_f" - if test -n "$func_to_host_path_result" ; then - if test -z "$func_to_host_pathlist_result" ; then - func_to_host_pathlist_result="$func_to_host_path_result" - else - func_to_host_pathlist_result="$func_to_host_pathlist_result;$func_to_host_path_result" - fi - fi - fi - IFS=: - done - IFS=$func_to_host_pathlist_oldIFS - ;; - esac - if test -z "$func_to_host_pathlist_result" ; then - func_error "Could not determine the host path(s) corresponding to" - func_error " '$1'" - func_error "Continuing, but uninstalled executables may not work." - # Fallback. This may break if $1 contains DOS-style drive - # specifications. The fix is not to complicate the expression - # below, but for the user to provide a working wine installation - # with winepath so that path translation in the cross-to-mingw - # case works properly. 
- lt_replace_pathsep_nix_to_dos="s|:|;|g" - func_to_host_pathlist_result=`echo "$func_to_host_pathlist_tmp1" |\ - $SED -e "$lt_replace_pathsep_nix_to_dos"` - fi - # Now, add the leading and trailing path separators back - case "$1" in - :* ) func_to_host_pathlist_result=";$func_to_host_pathlist_result" - ;; - esac - case "$1" in - *: ) func_to_host_pathlist_result="$func_to_host_pathlist_result;" - ;; - esac - ;; - esac - fi -} -# end: func_to_host_pathlist - # func_emit_cwrapperexe_src # emit the source code for a wrapper executable on stdout # Must ONLY be called from within func_mode_link because @@ -3141,31 +4147,23 @@ func_emit_cwrapperexe_src () This wrapper executable should never be moved out of the build directory. If it is, it will not operate correctly. - - Currently, it simply execs the wrapper *script* "$SHELL $output", - but could eventually absorb all of the scripts functionality and - exec $objdir/$outputname directly. */ EOF cat <<"EOF" +#ifdef _MSC_VER +# define _CRT_SECURE_NO_DEPRECATE 1 +#endif #include #include #ifdef _MSC_VER # include # include # include -# define setmode _setmode #else # include # include # ifdef __CYGWIN__ # include -# define HAVE_SETENV -# ifdef __STRICT_ANSI__ -char *realpath (const char *, char *); -int putenv (char *); -int setenv (const char *, const char *, int); -# endif # endif #endif #include 
@@ -3177,6 +4175,44 @@ int setenv (const char *, const char *, int); #include #include +/* declarations of non-ANSI functions */ +#if defined(__MINGW32__) +# ifdef __STRICT_ANSI__ +int _putenv (const char *); +# endif +#elif defined(__CYGWIN__) +# ifdef __STRICT_ANSI__ +char *realpath (const char *, char *); +int putenv (char *); +int setenv (const char *, const char *, int); +# endif +/* #elif defined (other platforms) ... */ +#endif + +/* portability defines, excluding path handling macros */ +#if defined(_MSC_VER) +# define setmode _setmode +# define stat _stat +# define chmod _chmod +# define getcwd _getcwd +# define putenv _putenv +# define S_IXUSR _S_IEXEC +# ifndef _INTPTR_T_DEFINED +# define _INTPTR_T_DEFINED +# define intptr_t int +# endif +#elif defined(__MINGW32__) +# define setmode _setmode +# define stat _stat +# define chmod _chmod +# define getcwd _getcwd +# define putenv _putenv +#elif defined(__CYGWIN__) +# define HAVE_SETENV +# define FOPEN_WB "wb" +/* #elif defined (other platforms) ... */ +#endif + #if defined(PATH_MAX) # define LT_PATHMAX PATH_MAX #elif defined(MAXPATHLEN) @@ -3192,14 +4228,7 @@ int setenv (const char *, const char *, int); # define S_IXGRP 0 #endif -#ifdef _MSC_VER -# define S_IXUSR _S_IEXEC -# define stat _stat -# ifndef _INTPTR_T_DEFINED -# define intptr_t int -# endif -#endif - +/* path handling portability macros */ #ifndef DIR_SEPARATOR # define DIR_SEPARATOR '/' # define PATH_SEPARATOR ':' @@ -3230,10 +4259,6 @@ int setenv (const char *, const char *, int); # define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR_2) #endif /* PATH_SEPARATOR_2 */ -#ifdef __CYGWIN__ -# define FOPEN_WB "wb" -#endif - #ifndef FOPEN_WB # define FOPEN_WB "w" #endif 
@@ -3246,22 +4271,13 @@ int setenv (const char *, const char *, int); if (stale) { free ((void *) stale); stale = 0; } \ } while (0) -#undef LTWRAPPER_DEBUGPRINTF -#if defined DEBUGWRAPPER -# define LTWRAPPER_DEBUGPRINTF(args) ltwrapper_debugprintf args -static void -ltwrapper_debugprintf (const char *fmt, ...) -{ - va_list args; - va_start (args, fmt); - (void) vfprintf (stderr, fmt, args); - va_end (args); -} +#if defined(LT_DEBUGWRAPPER) +static int lt_debug = 1; #else -# define LTWRAPPER_DEBUGPRINTF(args) +static int lt_debug = 0; #endif -const char *program_name = NULL; +const char *program_name = "libtool-wrapper"; /* in case xstrdup fails */ void *xmalloc (size_t num); char *xstrdup (const char *string); 
@@ -3271,41 +4287,27 @@ char *chase_symlinks (const char *pathspec); int make_executable (const char *path); int check_executable (const char *path); char *strendzap (char *str, const char *pat); -void lt_fatal (const char *message, ...); +void lt_debugprintf (const char *file, int line, const char *fmt, ...); +void lt_fatal (const char *file, int line, const char *message, ...); +static const char *nonnull (const char *s); +static const char *nonempty (const char *s); void lt_setenv (const char *name, const char *value); char *lt_extend_str (const char *orig_value, const char *add, int to_end); -void lt_opt_process_env_set (const char *arg); -void lt_opt_process_env_prepend (const char *arg); -void lt_opt_process_env_append (const char *arg); -int lt_split_name_value (const char *arg, char** name, char** value); void lt_update_exe_path (const char *name, const char *value); void lt_update_lib_path (const char *name, const char *value); - -static const char *script_text_part1 = +char **prepare_spawn (char **argv); +void lt_dump_script (FILE *f); EOF - func_emit_wrapper_part1 yes | - $SED -e 's/\([\\"]\)/\\\1/g' \ - -e 's/^/ "/' -e 's/$/\\n"/' - echo ";" cat <"))); + lt_debugprintf (__FILE__, __LINE__, "(main) lt_argv_zero: %s\n", + nonnull (lt_argv_zero)); for (i = 0; i < newargc; i++) { - LTWRAPPER_DEBUGPRINTF (("(main) newargz[%d] : %s\n", i, (newargz[i] ? newargz[i] : ""))); + lt_debugprintf (__FILE__, __LINE__, "(main) newargz[%d]: %s\n", + i, nonnull (newargz[i])); } EOF 
@@ -3560,11 +4523,14 @@ EOF mingw*) cat <<"EOF" /* execv doesn't actually work on mingw as expected on unix */ + newargz = prepare_spawn (newargz); rval = _spawnv (_P_WAIT, lt_argv_zero, (const char * const *) newargz); if (rval == -1) { /* failed to start process */ - LTWRAPPER_DEBUGPRINTF (("(main) failed to launch target \"%s\": errno = %d\n", lt_argv_zero, errno)); + lt_debugprintf (__FILE__, __LINE__, + "(main) failed to launch target \"%s\": %s\n", + lt_argv_zero, nonnull (strerror (errno))); return 127; } return rval; @@ -3586,7 +4552,7 @@ xmalloc (size_t num) { void *p = (void *) malloc (num); if (!p) - lt_fatal ("Memory exhausted"); + lt_fatal (__FILE__, __LINE__, "memory exhausted"); return p; } @@ -3620,8 +4586,8 @@ check_executable (const char *path) { struct stat st; - LTWRAPPER_DEBUGPRINTF (("(check_executable) : %s\n", - path ? (*path ? path : "EMPTY!") : "NULL!")); + lt_debugprintf (__FILE__, __LINE__, "(check_executable): %s\n", + nonempty (path)); if ((!path) || (!*path)) return 0; @@ -3638,8 +4604,8 @@ make_executable (const char *path) int rval = 0; struct stat st; - LTWRAPPER_DEBUGPRINTF (("(make_executable) : %s\n", - path ? (*path ? path : "EMPTY!") : "NULL!")); + lt_debugprintf (__FILE__, __LINE__, "(make_executable): %s\n", + nonempty (path)); if ((!path) || (!*path)) return 0; @@ -3665,8 +4631,8 @@ find_executable (const char *wrapper) int tmp_len; char *concat_name; - LTWRAPPER_DEBUGPRINTF (("(find_executable) : %s\n", - wrapper ? (*wrapper ? wrapper : "EMPTY!") : "NULL!")); + lt_debugprintf (__FILE__, __LINE__, "(find_executable): %s\n", + nonempty (wrapper)); if ((wrapper == NULL) || (*wrapper == '\0')) return NULL; 
@@ -3719,7 +4685,8 @@ find_executable (const char *wrapper) { /* empty path: current directory */ if (getcwd (tmp, LT_PATHMAX) == NULL) - lt_fatal ("getcwd failed"); + lt_fatal (__FILE__, __LINE__, "getcwd failed: %s", + nonnull (strerror (errno))); tmp_len = strlen (tmp); concat_name = XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1); @@ -3744,7 +4711,8 @@ find_executable (const char *wrapper) } /* Relative path | not found in path: prepend cwd */ if (getcwd (tmp, LT_PATHMAX) == NULL) - lt_fatal ("getcwd failed"); + lt_fatal (__FILE__, __LINE__, "getcwd failed: %s", + nonnull (strerror (errno))); tmp_len = strlen (tmp); concat_name = XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1); memcpy (concat_name, tmp, tmp_len); @@ -3770,8 +4738,9 @@ chase_symlinks (const char *pathspec) int has_symlinks = 0; while (strlen (tmp_pathspec) && !has_symlinks) { - LTWRAPPER_DEBUGPRINTF (("checking path component for symlinks: %s\n", - tmp_pathspec)); + lt_debugprintf (__FILE__, __LINE__, + "checking path component for symlinks: %s\n", + tmp_pathspec); if (lstat (tmp_pathspec, &s) == 0) { if (S_ISLNK (s.st_mode) != 0) @@ -3793,8 +4762,9 @@ chase_symlinks (const char *pathspec) } else { - char *errstr = strerror (errno); - lt_fatal ("Error accessing file %s (%s)", tmp_pathspec, errstr); + lt_fatal (__FILE__, __LINE__, + "error accessing file \"%s\": %s", + tmp_pathspec, nonnull (strerror (errno))); } } XFREE (tmp_pathspec); @@ -3807,7 +4777,8 @@ chase_symlinks (const char *pathspec) tmp_pathspec = realpath (pathspec, buf); if (tmp_pathspec == 0) { - lt_fatal ("Could not follow symlinks for %s", pathspec); + lt_fatal (__FILE__, __LINE__, + "could not follow symlinks for %s", pathspec); } return xstrdup (tmp_pathspec); #endif 
@@ -3833,11 +4804,25 @@ strendzap (char *str, const char *pat) return str; } +void +lt_debugprintf (const char *file, int line, const char *fmt, ...) +{ + va_list args; + if (lt_debug) + { + (void) fprintf (stderr, "%s:%s:%d: ", program_name, file, line); + va_start (args, fmt); + (void) vfprintf (stderr, fmt, args); + va_end (args); + } +} + static void -lt_error_core (int exit_status, const char *mode, +lt_error_core (int exit_status, const char *file, + int line, const char *mode, const char *message, va_list ap) { - fprintf (stderr, "%s: %s: ", program_name, mode); + fprintf (stderr, "%s:%s:%d: %s: ", program_name, file, line, mode); vfprintf (stderr, message, ap); fprintf (stderr, ".\n"); @@ -3846,20 +4831,32 @@ lt_error_core (int exit_status, const char *mode, } void -lt_fatal (const char *message, ...) +lt_fatal (const char *file, int line, const char *message, ...) { va_list ap; va_start (ap, message); - lt_error_core (EXIT_FAILURE, "FATAL", message, ap); + lt_error_core (EXIT_FAILURE, file, line, "FATAL", message, ap); va_end (ap); } +static const char * +nonnull (const char *s) +{ + return s ? s : "(null)"; +} + +static const char * +nonempty (const char *s) +{ + return (s && !*s) ? "(empty)" : nonnull (s); +} + void lt_setenv (const char *name, const char *value) { - LTWRAPPER_DEBUGPRINTF (("(lt_setenv) setting '%s' to '%s'\n", - (name ? name : ""), - (value ? value : ""))); + lt_debugprintf (__FILE__, __LINE__, + "(lt_setenv) setting '%s' to '%s'\n", + nonnull (name), nonnull (value)); { #ifdef HAVE_SETENV /* always make a copy, for consistency with !HAVE_SETENV */ 
@@ -3904,95 +4901,12 @@ lt_extend_str (const char *orig_value, const char *add, int to_end) return new_value; } -int -lt_split_name_value (const char *arg, char** name, char** value) -{ - const char *p; - int len; - if (!arg || !*arg) - return 1; - - p = strchr (arg, (int)'='); - - if (!p) - return 1; - - *value = xstrdup (++p); - - len = strlen (arg) - strlen (*value); - *name = XMALLOC (char, len); - strncpy (*name, arg, len-1); - (*name)[len - 1] = '\0'; - - return 0; -} - -void -lt_opt_process_env_set (const char *arg) -{ - char *name = NULL; - char *value = NULL; - - if (lt_split_name_value (arg, &name, &value) != 0) - { - XFREE (name); - XFREE (value); - lt_fatal ("bad argument for %s: '%s'", env_set_opt, arg); - } - - lt_setenv (name, value); - XFREE (name); - XFREE (value); -} - -void -lt_opt_process_env_prepend (const char *arg) -{ - char *name = NULL; - char *value = NULL; - char *new_value = NULL; - - if (lt_split_name_value (arg, &name, &value) != 0) - { - XFREE (name); - XFREE (value); - lt_fatal ("bad argument for %s: '%s'", env_prepend_opt, arg); - } - - new_value = lt_extend_str (getenv (name), value, 0); - lt_setenv (name, new_value); - XFREE (new_value); - XFREE (name); - XFREE (value); -} - -void -lt_opt_process_env_append (const char *arg) -{ - char *name = NULL; - char *value = NULL; - char *new_value = NULL; - - if (lt_split_name_value (arg, &name, &value) != 0) - { - XFREE (name); - XFREE (value); - lt_fatal ("bad argument for %s: '%s'", env_append_opt, arg); - } - - new_value = lt_extend_str (getenv (name), value, 1); - lt_setenv (name, new_value); - XFREE (new_value); - XFREE (name); - XFREE (value); -} - void lt_update_exe_path (const char *name, const char *value) { - LTWRAPPER_DEBUGPRINTF (("(lt_update_exe_path) modifying '%s' by prepending '%s'\n", - (name ? name : ""), - (value ? 
value : ""))); + lt_debugprintf (__FILE__, __LINE__, + "(lt_update_exe_path) modifying '%s' by prepending '%s'\n", + nonnull (name), nonnull (value)); if (name && *name && value && *value) { @@ -4011,9 +4925,9 @@ lt_update_exe_path (const char *name, const char *value) void lt_update_lib_path (const char *name, const char *value) { - LTWRAPPER_DEBUGPRINTF (("(lt_update_lib_path) modifying '%s' by prepending '%s'\n", - (name ? name : ""), - (value ? value : ""))); + lt_debugprintf (__FILE__, __LINE__, + "(lt_update_lib_path) modifying '%s' by prepending '%s'\n", + nonnull (name), nonnull (value)); if (name && *name && value && *value) { 
@@ -4023,11 +4937,158 @@ lt_update_lib_path (const char *name, const char *value) } } +EOF + case $host_os in + mingw*) + cat <<"EOF" +/* Prepares an argument vector before calling spawn(). + Note that spawn() does not by itself call the command interpreter + (getenv ("COMSPEC") != NULL ? getenv ("COMSPEC") : + ({ OSVERSIONINFO v; v.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); + GetVersionEx(&v); + v.dwPlatformId == VER_PLATFORM_WIN32_NT; + }) ? "cmd.exe" : "command.com"). + Instead it simply concatenates the arguments, separated by ' ', and calls + CreateProcess(). We must quote the arguments since Win32 CreateProcess() + interprets characters like ' ', '\t', '\\', '"' (but not '<' and '>') in a + special way: + - Space and tab are interpreted as delimiters. They are not treated as + delimiters if they are surrounded by double quotes: "...". + - Unescaped double quotes are removed from the input. Their only effect is + that within double quotes, space and tab are treated like normal + characters. + - Backslashes not followed by double quotes are not special. + - But 2*n+1 backslashes followed by a double quote become + n backslashes followed by a double quote (n >= 0): + \" -> " + \\\" -> \" + \\\\\" -> \\" + */ +#define SHELL_SPECIAL_CHARS "\"\\ \001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037" +#define SHELL_SPACE_CHARS " \001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037" +char ** +prepare_spawn (char **argv) +{ + size_t argc; + char **new_argv; + size_t i; + + /* Count number of arguments. */ + for (argc = 0; argv[argc] != NULL; argc++) + ; + + /* Allocate new argument vector. */ + new_argv = XMALLOC (char *, argc + 1); + + /* Put quoted arguments into the new argument vector. 
*/ + for (i = 0; i < argc; i++) + { + const char *string = argv[i]; + + if (string[0] == '\0') + new_argv[i] = xstrdup ("\"\""); + else if (strpbrk (string, SHELL_SPECIAL_CHARS) != NULL) + { + int quote_around = (strpbrk (string, SHELL_SPACE_CHARS) != NULL); + size_t length; + unsigned int backslashes; + const char *s; + char *quoted_string; + char *p; + + length = 0; + backslashes = 0; + if (quote_around) + length++; + for (s = string; *s != '\0'; s++) + { + char c = *s; + if (c == '"') + length += backslashes + 1; + length++; + if (c == '\\') + backslashes++; + else + backslashes = 0; + } + if (quote_around) + length += backslashes + 1; + + quoted_string = XMALLOC (char, length + 1); + + p = quoted_string; + backslashes = 0; + if (quote_around) + *p++ = '"'; + for (s = string; *s != '\0'; s++) + { + char c = *s; + if (c == '"') + { + unsigned int j; + for (j = backslashes + 1; j > 0; j--) + *p++ = '\\'; + } + *p++ = c; + if (c == '\\') + backslashes++; + else + backslashes = 0; + } + if (quote_around) + { + unsigned int j; + for (j = backslashes; j > 0; j--) + *p++ = '\\'; + *p++ = '"'; + } + *p = '\0'; + + new_argv[i] = quoted_string; + } + else + new_argv[i] = (char *) string; + } + new_argv[argc] = NULL; + + return new_argv; +} +EOF + ;; + esac + + cat <<"EOF" +void lt_dump_script (FILE* f) +{ +EOF + func_emit_wrapper yes | + $SED -n -e ' +s/^\(.\{79\}\)\(..*\)/\1\ +\2/ +h +s/\([\\"]\)/\\\1/g +s/$/\\n/ +s/\([^\n]*\).*/ fputs ("\1", f);/p +g +D' + cat <<"EOF" +} EOF } # end: func_emit_cwrapperexe_src +# func_win32_import_lib_p ARG +# True if ARG is an import lib, as indicated by $file_magic_cmd +func_win32_import_lib_p () +{ + $opt_debug + case `eval $file_magic_cmd \"\$1\" 2>/dev/null | $SED -e 10q` in + *import*) : ;; + *) false ;; + esac +} + # func_mode_link arg... func_mode_link () { @@ -4072,6 +5133,7 @@ func_mode_link () new_inherited_linker_flags= avoid_version=no + bindir= dlfiles= dlprefiles= dlself=no 
@@ -4164,6 +5226,11 @@ func_mode_link () esac case $prev in + bindir) + bindir="$arg" + prev= + continue + ;; dlfiles|dlprefiles) if test "$preload" = no; then # Add the symbol object into the linking commands. @@ -4195,9 +5262,9 @@ func_mode_link () ;; *) if test "$prev" = dlfiles; then - dlfiles="$dlfiles $arg" + func_append dlfiles " $arg" else - dlprefiles="$dlprefiles $arg" + func_append dlprefiles " $arg" fi prev= continue @@ -4221,7 +5288,7 @@ func_mode_link () *-*-darwin*) case "$deplibs " in *" $qarg.ltframework "*) ;; - *) deplibs="$deplibs $qarg.ltframework" # this is fixed later + *) func_append deplibs " $qarg.ltframework" # this is fixed later ;; esac ;; @@ -4240,7 +5307,7 @@ func_mode_link () moreargs= for fil in `cat "$save_arg"` do -# moreargs="$moreargs $fil" +# func_append moreargs " $fil" arg=$fil # A libtool-controlled object. @@ -4269,7 +5336,7 @@ func_mode_link () if test "$prev" = dlfiles; then if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then - dlfiles="$dlfiles $pic_object" + func_append dlfiles " $pic_object" prev= continue else @@ -4281,7 +5348,7 @@ func_mode_link () # CHECK ME: I think I busted this. -Ossama if test "$prev" = dlprefiles; then # Preload the old-style object. - dlprefiles="$dlprefiles $pic_object" + func_append dlprefiles " $pic_object" prev= fi @@ -4351,12 +5418,12 @@ func_mode_link () if test "$prev" = rpath; then case "$rpath " in *" $arg "*) ;; - *) rpath="$rpath $arg" ;; + *) func_append rpath " $arg" ;; esac else case "$xrpath " in *" $arg "*) ;; - *) xrpath="$xrpath $arg" ;; + *) func_append xrpath " $arg" ;; esac fi prev= 
@@ -4368,28 +5435,28 @@ func_mode_link () continue ;; weak) - weak_libs="$weak_libs $arg" + func_append weak_libs " $arg" prev= continue ;; xcclinker) - linker_flags="$linker_flags $qarg" - compiler_flags="$compiler_flags $qarg" + func_append linker_flags " $qarg" + func_append compiler_flags " $qarg" prev= func_append compile_command " $qarg" func_append finalize_command " $qarg" continue ;; xcompiler) - compiler_flags="$compiler_flags $qarg" + func_append compiler_flags " $qarg" prev= func_append compile_command " $qarg" func_append finalize_command " $qarg" continue ;; xlinker) - linker_flags="$linker_flags $qarg" - compiler_flags="$compiler_flags $wl$qarg" + func_append linker_flags " $qarg" + func_append compiler_flags " $wl$qarg" prev= func_append compile_command " $wl$qarg" func_append finalize_command " $wl$qarg" @@ -4425,6 +5492,11 @@ func_mode_link () continue ;; + -bindir) + prev=bindir + continue + ;; + -dlopen) prev=dlfiles continue @@ -4475,15 +5547,16 @@ func_mode_link () ;; -L*) - func_stripname '-L' '' "$arg" - dir=$func_stripname_result - if test -z "$dir"; then + func_stripname "-L" '' "$arg" + if test -z "$func_stripname_result"; then if test "$#" -gt 0; then func_fatal_error "require no space between \`-L' and \`$1'" else func_fatal_error "need path for \`-L' option" fi fi + func_resolve_sysroot "$func_stripname_result" + dir=$func_resolve_sysroot_result # We need an absolute path. case $dir in [\\/]* | [A-Za-z]:[\\/]*) ;; 
@@ -4495,24 +5568,30 @@ func_mode_link () ;; esac case "$deplibs " in - *" -L$dir "*) ;; + *" -L$dir "* | *" $arg "*) + # Will only happen for absolute or sysroot arguments + ;; *) - deplibs="$deplibs -L$dir" - lib_search_path="$lib_search_path $dir" + # Preserve sysroot, but never include relative directories + case $dir in + [\\/]* | [A-Za-z]:[\\/]* | =*) func_append deplibs " $arg" ;; + *) func_append deplibs " -L$dir" ;; + esac + func_append lib_search_path " $dir" ;; esac case $host in *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*) - testbindir=`$ECHO "X$dir" | $Xsed -e 's*/lib$*/bin*'` + testbindir=`$ECHO "$dir" | $SED 's*/lib$*/bin*'` case :$dllsearchpath: in *":$dir:"*) ;; ::) dllsearchpath=$dir;; - *) dllsearchpath="$dllsearchpath:$dir";; + *) func_append dllsearchpath ":$dir";; esac case :$dllsearchpath: in *":$testbindir:"*) ;; ::) dllsearchpath=$testbindir;; - *) dllsearchpath="$dllsearchpath:$testbindir";; + *) func_append dllsearchpath ":$testbindir";; esac ;; esac @@ -4522,7 +5601,7 @@ func_mode_link () -l*) if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then case $host in - *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos* | *-cegcc*) + *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos* | *-cegcc* | *-*-haiku*) # These systems don't actually have a C or math library (as such) continue ;; @@ -4536,7 +5615,7 @@ func_mode_link () ;; *-*-rhapsody* | *-*-darwin1.[012]) # Rhapsody C and math libraries are in the System framework - deplibs="$deplibs System.ltframework" + func_append deplibs " System.ltframework" continue ;; *-*-sco3.2v5* | *-*-sco5v6*) @@ -4556,7 +5635,7 @@ func_mode_link () ;; esac fi - deplibs="$deplibs $arg" + func_append deplibs " $arg" continue ;; 
@@ -4568,21 +5647,22 @@ func_mode_link () # Tru64 UNIX uses -model [arg] to determine the layout of C++ # classes, name mangling, and exception handling. # Darwin uses the -arch flag to determine output architecture. - -model|-arch|-isysroot) - compiler_flags="$compiler_flags $arg" + -model|-arch|-isysroot|--sysroot) + func_append compiler_flags " $arg" func_append compile_command " $arg" func_append finalize_command " $arg" prev=xcompiler continue ;; - -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads) - compiler_flags="$compiler_flags $arg" + -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \ + |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*) + func_append compiler_flags " $arg" func_append compile_command " $arg" func_append finalize_command " $arg" case "$new_inherited_linker_flags " in *" $arg "*) ;; - * ) new_inherited_linker_flags="$new_inherited_linker_flags $arg" ;; + * ) func_append new_inherited_linker_flags " $arg" ;; esac continue ;; @@ -4649,13 +5729,17 @@ func_mode_link () # We need an absolute path. case $dir in [\\/]* | [A-Za-z]:[\\/]*) ;; + =*) + func_stripname '=' '' "$dir" + dir=$lt_sysroot$func_stripname_result + ;; *) func_fatal_error "only absolute run-paths are allowed" ;; esac case "$xrpath " in *" $dir "*) ;; - *) xrpath="$xrpath $dir" ;; + *) func_append xrpath " $dir" ;; esac continue ;; @@ -4708,8 +5792,8 @@ func_mode_link () for flag in $args; do IFS="$save_ifs" func_quote_for_eval "$flag" - arg="$arg $wl$func_quote_for_eval_result" - compiler_flags="$compiler_flags $func_quote_for_eval_result" + func_append arg " $func_quote_for_eval_result" + func_append compiler_flags " $func_quote_for_eval_result" done IFS="$save_ifs" func_stripname ' ' '' "$arg" 
@@ -4724,9 +5808,9 @@ func_mode_link () for flag in $args; do IFS="$save_ifs" func_quote_for_eval "$flag" - arg="$arg $wl$func_quote_for_eval_result" - compiler_flags="$compiler_flags $wl$func_quote_for_eval_result" - linker_flags="$linker_flags $func_quote_for_eval_result" + func_append arg " $wl$func_quote_for_eval_result" + func_append compiler_flags " $wl$func_quote_for_eval_result" + func_append linker_flags " $func_quote_for_eval_result" done IFS="$save_ifs" func_stripname ' ' '' "$arg" 
@@ -4754,23 +5838,27 @@ func_mode_link () arg="$func_quote_for_eval_result" ;; - # -64, -mips[0-9] enable 64-bit mode on the SGI compiler - # -r[0-9][0-9]* specifies the processor on the SGI compiler - # -xarch=*, -xtarget=* enable 64-bit mode on the Sun compiler - # +DA*, +DD* enable 64-bit mode on the HP compiler - # -q* pass through compiler args for the IBM compiler - # -m*, -t[45]*, -txscale* pass through architecture-specific - # compiler args for GCC - # -F/path gives path to uninstalled frameworks, gcc on darwin - # -p, -pg, --coverage, -fprofile-* pass through profiling flag for GCC - # @file GCC response files + # Flags to be passed through unchanged, with rationale: + # -64, -mips[0-9] enable 64-bit mode for the SGI compiler + # -r[0-9][0-9]* specify processor for the SGI compiler + # -xarch=*, -xtarget=* enable 64-bit mode for the Sun compiler + # +DA*, +DD* enable 64-bit mode for the HP compiler + # -q* compiler args for the IBM compiler + # -m*, -t[45]*, -txscale* architecture-specific flags for GCC + # -F/path path to uninstalled frameworks, gcc on darwin + # -p, -pg, --coverage, -fprofile-* profiling flags for GCC + # @file GCC response files + # -tp=* Portland pgcc target processor selection + # --sysroot=* for sysroot support + # -O*, -flto*, -fwhopr*, -fuse-linker-plugin GCC link-time optimization -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \ - -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*) + -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*|-tp=*|--sysroot=*| \ + -O*|-flto*|-fwhopr*|-fuse-linker-plugin) func_quote_for_eval "$arg" arg="$func_quote_for_eval_result" func_append compile_command " $arg" func_append finalize_command " $arg" - compiler_flags="$compiler_flags $arg" + func_append compiler_flags " $arg" continue ;; @@ -4782,7 +5870,7 @@ func_mode_link () *.$objext) # A standard object. - objs="$objs $arg" + func_append objs " $arg" ;; *.lo) 
@@ -4813,7 +5901,7 @@ func_mode_link () if test "$prev" = dlfiles; then if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then - dlfiles="$dlfiles $pic_object" + func_append dlfiles " $pic_object" prev= continue else @@ -4825,7 +5913,7 @@ func_mode_link () # CHECK ME: I think I busted this. -Ossama if test "$prev" = dlprefiles; then # Preload the old-style object. - dlprefiles="$dlprefiles $pic_object" + func_append dlprefiles " $pic_object" prev= fi @@ -4870,24 +5958,25 @@ func_mode_link () *.$libext) # An archive. - deplibs="$deplibs $arg" - old_deplibs="$old_deplibs $arg" + func_append deplibs " $arg" + func_append old_deplibs " $arg" continue ;; *.la) # A libtool-controlled library. + func_resolve_sysroot "$arg" if test "$prev" = dlfiles; then # This library was specified with -dlopen. - dlfiles="$dlfiles $arg" + func_append dlfiles " $func_resolve_sysroot_result" prev= elif test "$prev" = dlprefiles; then # The library was specified with -dlpreopen. - dlprefiles="$dlprefiles $arg" + func_append dlprefiles " $func_resolve_sysroot_result" prev= else - deplibs="$deplibs $arg" + func_append deplibs " $func_resolve_sysroot_result" fi continue ;; @@ -4925,7 +6014,7 @@ func_mode_link () if test -n "$shlibpath_var"; then # get the directories listed in $shlibpath_var - eval shlib_search_path=\`\$ECHO \"X\${$shlibpath_var}\" \| \$Xsed -e \'s/:/ /g\'\` + eval shlib_search_path=\`\$ECHO \"\${$shlibpath_var}\" \| \$SED \'s/:/ /g\'\` else shlib_search_path= fi @@ -4934,6 +6023,8 @@ func_mode_link () func_dirname "$output" "/" "" output_objdir="$func_dirname_result$objdir" + func_to_tool_file "$output_objdir/" + tool_output_objdir=$func_to_tool_file_result # Create the object directory. func_mkdir_p "$output_objdir" 
@@ -4954,12 +6045,12 @@ func_mode_link () # Find all interdependent deplibs by searching for libraries # that are linked more than once (e.g. -la -lb -la) for deplib in $deplibs; do - if $opt_duplicate_deps ; then + if $opt_preserve_dup_deps ; then case "$libs " in - *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; + *" $deplib "*) func_append specialdeplibs " $deplib" ;; esac fi - libs="$libs $deplib" + func_append libs " $deplib" done if test "$linkmode" = lib; then @@ -4972,9 +6063,9 @@ func_mode_link () if $opt_duplicate_compiler_generated_deps; then for pre_post_dep in $predeps $postdeps; do case "$pre_post_deps " in - *" $pre_post_dep "*) specialdeplibs="$specialdeplibs $pre_post_deps" ;; + *" $pre_post_dep "*) func_append specialdeplibs " $pre_post_deps" ;; esac - pre_post_deps="$pre_post_deps $pre_post_dep" + func_append pre_post_deps " $pre_post_dep" done fi pre_post_deps= @@ -5044,17 +6135,19 @@ func_mode_link () for lib in $dlprefiles; do # Ignore non-libtool-libs dependency_libs= + func_resolve_sysroot "$lib" case $lib in - *.la) func_source "$lib" ;; + *.la) func_source "$func_resolve_sysroot_result" ;; esac # Collect preopened libtool deplibs, except any this library # has declared as weak libs for deplib in $dependency_libs; do - deplib_base=`$ECHO "X$deplib" | $Xsed -e "$basename"` + func_basename "$deplib" + deplib_base=$func_basename_result case " $weak_libs " in *" $deplib_base "*) ;; - *) deplibs="$deplibs $deplib" ;; + *) func_append deplibs " $deplib" ;; esac done done 
@@ -5070,16 +6163,17 @@ func_mode_link () lib= found=no case $deplib in - -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads) + -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \ + |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*) if test "$linkmode,$pass" = "prog,link"; then compile_deplibs="$deplib $compile_deplibs" finalize_deplibs="$deplib $finalize_deplibs" else - compiler_flags="$compiler_flags $deplib" + func_append compiler_flags " $deplib" if test "$linkmode" = lib ; then case "$new_inherited_linker_flags " in *" $deplib "*) ;; - * ) new_inherited_linker_flags="$new_inherited_linker_flags $deplib" ;; + * ) func_append new_inherited_linker_flags " $deplib" ;; esac fi fi @@ -5164,7 +6258,7 @@ func_mode_link () if test "$linkmode" = lib ; then case "$new_inherited_linker_flags " in *" $deplib "*) ;; - * ) new_inherited_linker_flags="$new_inherited_linker_flags $deplib" ;; + * ) func_append new_inherited_linker_flags " $deplib" ;; esac fi fi @@ -5177,7 +6271,8 @@ func_mode_link () test "$pass" = conv && continue newdependency_libs="$deplib $newdependency_libs" func_stripname '-L' '' "$deplib" - newlib_search_path="$newlib_search_path $func_stripname_result" + func_resolve_sysroot "$func_stripname_result" + func_append newlib_search_path " $func_resolve_sysroot_result" ;; prog) if test "$pass" = conv; then @@ -5191,7 +6286,8 @@ func_mode_link () finalize_deplibs="$deplib $finalize_deplibs" fi func_stripname '-L' '' "$deplib" - newlib_search_path="$newlib_search_path $func_stripname_result" + func_resolve_sysroot "$func_stripname_result" + func_append newlib_search_path " $func_resolve_sysroot_result" ;; *) func_warning "\`-L' is ignored for archives/objects" 
@@ -5202,17 +6298,21 @@ func_mode_link () -R*) if test "$pass" = link; then func_stripname '-R' '' "$deplib" - dir=$func_stripname_result + func_resolve_sysroot "$func_stripname_result" + dir=$func_resolve_sysroot_result # Make sure the xrpath contains only unique directories. case "$xrpath " in *" $dir "*) ;; - *) xrpath="$xrpath $dir" ;; + *) func_append xrpath " $dir" ;; esac fi deplibs="$deplib $deplibs" continue ;; - *.la) lib="$deplib" ;; + *.la) + func_resolve_sysroot "$deplib" + lib=$func_resolve_sysroot_result + ;; *.$libext) if test "$pass" = conv; then deplibs="$deplib $deplibs" @@ -5230,7 +6330,7 @@ func_mode_link () match_pattern*) set dummy $deplibs_check_method; shift match_pattern_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"` - if eval "\$ECHO \"X$deplib\"" 2>/dev/null | $Xsed -e 10q \ + if eval "\$ECHO \"$deplib\"" 2>/dev/null | $SED 10q \ | $EGREP "$match_pattern_regex" > /dev/null; then valid_a_lib=yes fi 
@@ -5240,15 +6340,15 @@ func_mode_link () ;; esac if test "$valid_a_lib" != yes; then - $ECHO + echo $ECHO "*** Warning: Trying to link with static lib archive $deplib." - $ECHO "*** I have the capability to make that library automatically link in when" - $ECHO "*** you link to this library. But I can only do this if you have a" - $ECHO "*** shared version of the library, which you do not appear to have" - $ECHO "*** because the file extensions .$libext of this argument makes me believe" - $ECHO "*** that it is just a static archive that I should not use here." + echo "*** I have the capability to make that library automatically link in when" + echo "*** you link to this library. But I can only do this if you have a" + echo "*** shared version of the library, which you do not appear to have" + echo "*** because the file extensions .$libext of this argument makes me believe" + echo "*** that it is just a static archive that I should not use here." else - $ECHO + echo $ECHO "*** Warning: Linking the shared library $output against the" $ECHO "*** static library $deplib is not portable!" deplibs="$deplib $deplibs" @@ -5275,11 +6375,11 @@ func_mode_link () if test "$pass" = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then # If there is no dlopen support or we're linking statically, # we need to preload. - newdlprefiles="$newdlprefiles $deplib" + func_append newdlprefiles " $deplib" compile_deplibs="$deplib $compile_deplibs" finalize_deplibs="$deplib $finalize_deplibs" else - newdlfiles="$newdlfiles $deplib" + func_append newdlfiles " $deplib" fi fi continue 
@@ -5321,20 +6421,20 @@ func_mode_link () # Convert "-framework foo" to "foo.ltframework" if test -n "$inherited_linker_flags"; then - tmp_inherited_linker_flags=`$ECHO "X$inherited_linker_flags" | $Xsed -e 's/-framework \([^ $]*\)/\1.ltframework/g'` + tmp_inherited_linker_flags=`$ECHO "$inherited_linker_flags" | $SED 's/-framework \([^ $]*\)/\1.ltframework/g'` for tmp_inherited_linker_flag in $tmp_inherited_linker_flags; do case " $new_inherited_linker_flags " in *" $tmp_inherited_linker_flag "*) ;; - *) new_inherited_linker_flags="$new_inherited_linker_flags $tmp_inherited_linker_flag";; + *) func_append new_inherited_linker_flags " $tmp_inherited_linker_flag";; esac done fi - dependency_libs=`$ECHO "X $dependency_libs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'` + dependency_libs=`$ECHO " $dependency_libs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` if test "$linkmode,$pass" = "lib,link" || test "$linkmode,$pass" = "prog,scan" || { test "$linkmode" != prog && test "$linkmode" != lib; }; then - test -n "$dlopen" && dlfiles="$dlfiles $dlopen" - test -n "$dlpreopen" && dlprefiles="$dlprefiles $dlpreopen" + test -n "$dlopen" && func_append dlfiles " $dlopen" + test -n "$dlpreopen" && func_append dlprefiles " $dlpreopen" fi if test "$pass" = conv; then 
@@ -5345,17 +6445,17 @@ func_mode_link () func_fatal_error "cannot find name of link library for \`$lib'" fi # It is a libtool convenience library, so add in its objects. - convenience="$convenience $ladir/$objdir/$old_library" - old_convenience="$old_convenience $ladir/$objdir/$old_library" + func_append convenience " $ladir/$objdir/$old_library" + func_append old_convenience " $ladir/$objdir/$old_library" tmp_libs= for deplib in $dependency_libs; do deplibs="$deplib $deplibs" - if $opt_duplicate_deps ; then + if $opt_preserve_dup_deps ; then case "$tmp_libs " in - *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; + *" $deplib "*) func_append specialdeplibs " $deplib" ;; esac fi - tmp_libs="$tmp_libs $deplib" + func_append tmp_libs " $deplib" done elif test "$linkmode" != prog && test "$linkmode" != lib; then func_fatal_error "\`$lib' is not a convenience library" @@ -5366,9 +6466,15 @@ func_mode_link () # Get the name of the library we link against. linklib= - for l in $old_library $library_names; do - linklib="$l" - done + if test -n "$old_library" && + { test "$prefer_static_libs" = yes || + test "$prefer_static_libs,$installed" = "built,no"; }; then + linklib=$old_library + else + for l in $old_library $library_names; do + linklib="$l" + done + fi if test -z "$linklib"; then func_fatal_error "cannot find name of link library for \`$lib'" fi @@ -5385,9 +6491,9 @@ func_mode_link () # statically, we need to preload. We also need to preload any # dependent libraries so libltdl's deplib preloader doesn't # bomb out in the load deplibs phase. - dlprefiles="$dlprefiles $lib $dependency_libs" + func_append dlprefiles " $lib $dependency_libs" else - newdlfiles="$newdlfiles $lib" + func_append newdlfiles " $lib" fi continue fi # $pass = dlopen 
@@ -5409,14 +6515,14 @@ func_mode_link () # Find the relevant object directory and library name. if test "X$installed" = Xyes; then - if test ! -f "$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then + if test ! -f "$lt_sysroot$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then func_warning "library \`$lib' was moved." dir="$ladir" absdir="$abs_ladir" libdir="$abs_ladir" else - dir="$libdir" - absdir="$libdir" + dir="$lt_sysroot$libdir" + absdir="$lt_sysroot$libdir" fi test "X$hardcode_automatic" = Xyes && avoidtemprpath=yes else @@ -5424,12 +6530,12 @@ func_mode_link () dir="$ladir" absdir="$abs_ladir" # Remove this search path later - notinst_path="$notinst_path $abs_ladir" + func_append notinst_path " $abs_ladir" else dir="$ladir/$objdir" absdir="$abs_ladir/$objdir" # Remove this search path later - notinst_path="$notinst_path $abs_ladir" + func_append notinst_path " $abs_ladir" fi fi # $installed = yes func_stripname 'lib' '.la' "$laname" 
@@ -5440,20 +6546,46 @@ func_mode_link () if test -z "$libdir" && test "$linkmode" = prog; then func_fatal_error "only libraries may -dlpreopen a convenience library: \`$lib'" fi - # Prefer using a static library (so that no silly _DYNAMIC symbols - # are required to link). - if test -n "$old_library"; then - newdlprefiles="$newdlprefiles $dir/$old_library" - # Keep a list of preopened convenience libraries to check - # that they are being used correctly in the link pass. - test -z "$libdir" && \ - dlpreconveniencelibs="$dlpreconveniencelibs $dir/$old_library" - # Otherwise, use the dlname, so that lt_dlopen finds it. - elif test -n "$dlname"; then - newdlprefiles="$newdlprefiles $dir/$dlname" - else - newdlprefiles="$newdlprefiles $dir/$linklib" - fi + case "$host" in + # special handling for platforms with PE-DLLs. + *cygwin* | *mingw* | *cegcc* ) + # Linker will automatically link against shared library if both + # static and shared are present. Therefore, ensure we extract + # symbols from the import library if a shared library is present + # (otherwise, the dlopen module name will be incorrect). We do + # this by putting the import library name into $newdlprefiles. + # We recover the dlopen module name by 'saving' the la file + # name in a special purpose variable, and (later) extracting the + # dlname from the la file. + if test -n "$dlname"; then + func_tr_sh "$dir/$linklib" + eval "libfile_$func_tr_sh_result=\$abs_ladir/\$laname" + func_append newdlprefiles " $dir/$linklib" + else + func_append newdlprefiles " $dir/$old_library" + # Keep a list of preopened convenience libraries to check + # that they are being used correctly in the link pass. + test -z "$libdir" && \ + func_append dlpreconveniencelibs " $dir/$old_library" + fi + ;; + * ) + # Prefer using a static library (so that no silly _DYNAMIC symbols + # are required to link). 
+ if test -n "$old_library"; then + func_append newdlprefiles " $dir/$old_library" + # Keep a list of preopened convenience libraries to check + # that they are being used correctly in the link pass. + test -z "$libdir" && \ + func_append dlpreconveniencelibs " $dir/$old_library" + # Otherwise, use the dlname, so that lt_dlopen finds it. + elif test -n "$dlname"; then + func_append newdlprefiles " $dir/$dlname" + else + func_append newdlprefiles " $dir/$linklib" + fi + ;; + esac fi # $pass = dlpreopen if test -z "$libdir"; then @@ -5471,7 +6603,7 @@ func_mode_link () if test "$linkmode" = prog && test "$pass" != link; then - newlib_search_path="$newlib_search_path $ladir" + func_append newlib_search_path " $ladir" deplibs="$lib $deplibs" linkalldeplibs=no @@ -5484,7 +6616,8 @@ func_mode_link () for deplib in $dependency_libs; do case $deplib in -L*) func_stripname '-L' '' "$deplib" - newlib_search_path="$newlib_search_path $func_stripname_result" + func_resolve_sysroot "$func_stripname_result" + func_append newlib_search_path " $func_resolve_sysroot_result" ;; esac # Need to link against all dependency_libs? @@ -5495,12 +6628,12 @@ func_mode_link () # or/and link against static libraries newdependency_libs="$deplib $newdependency_libs" fi - if $opt_duplicate_deps ; then + if $opt_preserve_dup_deps ; then case "$tmp_libs " in - *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; + *" $deplib "*) func_append specialdeplibs " $deplib" ;; esac fi - tmp_libs="$tmp_libs $deplib" + func_append tmp_libs " $deplib" done # for deplib continue fi # $linkmode = prog... @@ -5515,7 +6648,7 @@ func_mode_link () # Make sure the rpath contains only unique directories. case "$temp_rpath:" in *"$absdir:"*) ;; - *) temp_rpath="$temp_rpath$absdir:" ;; + *) func_append temp_rpath "$absdir:" ;; esac fi 
@@ -5527,7 +6660,7 @@ func_mode_link () *) case "$compile_rpath " in *" $absdir "*) ;; - *) compile_rpath="$compile_rpath $absdir" + *) func_append compile_rpath " $absdir" ;; esac ;; esac @@ -5536,7 +6669,7 @@ func_mode_link () *) case "$finalize_rpath " in *" $libdir "*) ;; - *) finalize_rpath="$finalize_rpath $libdir" + *) func_append finalize_rpath " $libdir" ;; esac ;; esac @@ -5561,12 +6694,12 @@ func_mode_link () case $host in *cygwin* | *mingw* | *cegcc*) # No point in relinking DLLs because paths are not encoded - notinst_deplibs="$notinst_deplibs $lib" + func_append notinst_deplibs " $lib" need_relink=no ;; *) if test "$installed" = no; then - notinst_deplibs="$notinst_deplibs $lib" + func_append notinst_deplibs " $lib" need_relink=yes fi ;; @@ -5583,7 +6716,7 @@ func_mode_link () fi done if test -z "$dlopenmodule" && test "$shouldnotlink" = yes && test "$pass" = link; then - $ECHO + echo if test "$linkmode" = prog; then $ECHO "*** Warning: Linking the executable $output against the loadable module" else @@ -5601,7 +6734,7 @@ func_mode_link () *) case "$compile_rpath " in *" $absdir "*) ;; - *) compile_rpath="$compile_rpath $absdir" + *) func_append compile_rpath " $absdir" ;; esac ;; esac @@ -5610,7 +6743,7 @@ func_mode_link () *) case "$finalize_rpath " in *" $libdir "*) ;; - *) finalize_rpath="$finalize_rpath $libdir" + *) func_append finalize_rpath " $libdir" ;; esac ;; esac @@ -5664,7 +6797,7 @@ func_mode_link () linklib=$newlib fi # test -n "$old_archive_from_expsyms_cmds" - if test "$linkmode" = prog || test "$mode" != relink; then + if test "$linkmode" = prog || test "$opt_mode" != relink; then add_shlibpath= add_dir= add= 
@@ -5686,9 +6819,9 @@ func_mode_link () if test "X$dlopenmodule" != "X$lib"; then $ECHO "*** Warning: lib $linklib is a module, not a shared library" if test -z "$old_library" ; then - $ECHO - $ECHO "*** And there doesn't seem to be a static archive available" - $ECHO "*** The link will probably fail, sorry" + echo + echo "*** And there doesn't seem to be a static archive available" + echo "*** The link will probably fail, sorry" else add="$dir/$old_library" fi @@ -5715,12 +6848,12 @@ func_mode_link () test "$hardcode_direct_absolute" = no; then add="$dir/$linklib" elif test "$hardcode_minus_L" = yes; then - add_dir="-L$dir" + add_dir="-L$absdir" # Try looking first in the location we're being installed to. if test -n "$inst_prefix_dir"; then case $libdir in [\\/]*) - add_dir="$add_dir -L$inst_prefix_dir$libdir" + func_append add_dir " -L$inst_prefix_dir$libdir" ;; esac fi @@ -5742,7 +6875,7 @@ func_mode_link () if test -n "$add_shlibpath"; then case :$compile_shlibpath: in *":$add_shlibpath:"*) ;; - *) compile_shlibpath="$compile_shlibpath$add_shlibpath:" ;; + *) func_append compile_shlibpath "$add_shlibpath:" ;; esac fi if test "$linkmode" = prog; then @@ -5756,13 +6889,13 @@ func_mode_link () test "$hardcode_shlibpath_var" = yes; then case :$finalize_shlibpath: in *":$libdir:"*) ;; - *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;; + *) func_append finalize_shlibpath "$libdir:" ;; esac fi fi fi - if test "$linkmode" = prog || test "$mode" = relink; then + if test "$linkmode" = prog || test "$opt_mode" = relink; then add_shlibpath= add_dir= add= @@ -5776,7 +6909,7 @@ func_mode_link () elif test "$hardcode_shlibpath_var" = yes; then case :$finalize_shlibpath: in *":$libdir:"*) ;; - *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;; + *) func_append finalize_shlibpath "$libdir:" ;; esac add="-l$name" elif test "$hardcode_automatic" = yes; then 
@@ -5793,7 +6926,7 @@ func_mode_link () if test -n "$inst_prefix_dir"; then case $libdir in [\\/]*) - add_dir="$add_dir -L$inst_prefix_dir$libdir" + func_append add_dir " -L$inst_prefix_dir$libdir" ;; esac fi 
@@ -5828,21 +6961,21 @@ func_mode_link () # Just print a warning and add the library to dependency_libs so # that the program can be linked against the static library. - $ECHO + echo $ECHO "*** Warning: This system can not link to static lib archive $lib." - $ECHO "*** I have the capability to make that library automatically link in when" - $ECHO "*** you link to this library. But I can only do this if you have a" - $ECHO "*** shared version of the library, which you do not appear to have." + echo "*** I have the capability to make that library automatically link in when" + echo "*** you link to this library. But I can only do this if you have a" + echo "*** shared version of the library, which you do not appear to have." if test "$module" = yes; then - $ECHO "*** But as you try to build a module library, libtool will still create " - $ECHO "*** a static module, that should work as long as the dlopening application" - $ECHO "*** is linked with the -dlopen flag to resolve symbols at runtime." + echo "*** But as you try to build a module library, libtool will still create " + echo "*** a static module, that should work as long as the dlopening application" + echo "*** is linked with the -dlopen flag to resolve symbols at runtime." if test -z "$global_symbol_pipe"; then - $ECHO - $ECHO "*** However, this would only work if libtool was able to extract symbol" - $ECHO "*** lists from a program, using \`nm' or equivalent, but libtool could" - $ECHO "*** not find such a program. So, this module is probably useless." - $ECHO "*** \`nm' from GNU binutils and a full rebuild may help." + echo + echo "*** However, this would only work if libtool was able to extract symbol" + echo "*** lists from a program, using \`nm' or equivalent, but libtool could" + echo "*** not find such a program. So, this module is probably useless." + echo "*** \`nm' from GNU binutils and a full rebuild may help." fi if test "$build_old_libs" = no; then build_libtool_libs=module 
@@ -5870,27 +7003,33 @@ func_mode_link () temp_xrpath=$func_stripname_result case " $xrpath " in *" $temp_xrpath "*) ;; - *) xrpath="$xrpath $temp_xrpath";; + *) func_append xrpath " $temp_xrpath";; esac;; - *) temp_deplibs="$temp_deplibs $libdir";; + *) func_append temp_deplibs " $libdir";; esac done dependency_libs="$temp_deplibs" fi - newlib_search_path="$newlib_search_path $absdir" + func_append newlib_search_path " $absdir" # Link against this library test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs" # ... and its dependency_libs tmp_libs= for deplib in $dependency_libs; do newdependency_libs="$deplib $newdependency_libs" - if $opt_duplicate_deps ; then + case $deplib in + -L*) func_stripname '-L' '' "$deplib" + func_resolve_sysroot "$func_stripname_result";; + *) func_resolve_sysroot "$deplib" ;; + esac + if $opt_preserve_dup_deps ; then case "$tmp_libs " in - *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;; + *" $func_resolve_sysroot_result "*) + func_append specialdeplibs " $func_resolve_sysroot_result" ;; esac fi - tmp_libs="$tmp_libs $deplib" + func_append tmp_libs " $func_resolve_sysroot_result" done if test "$link_all_deplibs" != no; then @@ -5900,8 +7039,10 @@ func_mode_link () case $deplib in -L*) path="$deplib" ;; *.la) + func_resolve_sysroot "$deplib" + deplib=$func_resolve_sysroot_result func_dirname "$deplib" "" "." - dir="$func_dirname_result" + dir=$func_dirname_result # We need an absolute path. case $dir in [\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;; 
@@ -5928,8 +7069,8 @@ func_mode_link () if test -z "$darwin_install_name"; then darwin_install_name=`${OTOOL64} -L $depdepl | awk '{if (NR == 2) {print $1;exit}}'` fi - compiler_flags="$compiler_flags ${wl}-dylib_file ${wl}${darwin_install_name}:${depdepl}" - linker_flags="$linker_flags -dylib_file ${darwin_install_name}:${depdepl}" + func_append compiler_flags " ${wl}-dylib_file ${wl}${darwin_install_name}:${depdepl}" + func_append linker_flags " -dylib_file ${darwin_install_name}:${depdepl}" path= fi fi @@ -5962,7 +7103,7 @@ func_mode_link () compile_deplibs="$new_inherited_linker_flags $compile_deplibs" finalize_deplibs="$new_inherited_linker_flags $finalize_deplibs" else - compiler_flags="$compiler_flags "`$ECHO "X $new_inherited_linker_flags" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'` + compiler_flags="$compiler_flags "`$ECHO " $new_inherited_linker_flags" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` fi fi dependency_libs="$newdependency_libs" @@ -5979,7 +7120,7 @@ func_mode_link () for dir in $newlib_search_path; do case "$lib_search_path " in *" $dir "*) ;; - *) lib_search_path="$lib_search_path $dir" ;; + *) func_append lib_search_path " $dir" ;; esac done newlib_search_path= @@ -6037,10 +7178,10 @@ func_mode_link () -L*) case " $tmp_libs " in *" $deplib "*) ;; - *) tmp_libs="$tmp_libs $deplib" ;; + *) func_append tmp_libs " $deplib" ;; esac ;; - *) tmp_libs="$tmp_libs $deplib" ;; + *) func_append tmp_libs " $deplib" ;; esac done eval $var=\"$tmp_libs\" @@ -6056,7 +7197,7 @@ func_mode_link () ;; esac if test -n "$i" ; then - tmp_libs="$tmp_libs $i" + func_append tmp_libs " $i" fi done dependency_libs=$tmp_libs @@ -6097,7 +7238,7 @@ func_mode_link () # Now set the variables for building old libraries. build_libtool_libs=no oldlibs="$output" - objs="$objs$old_deplibs" + func_append objs "$old_deplibs" ;; lib) 
@@ -6130,10 +7271,10 @@ func_mode_link () if test "$deplibs_check_method" != pass_all; then func_fatal_error "cannot build libtool library \`$output' from non-libtool objects on this host:$objs" else - $ECHO + echo $ECHO "*** Warning: Linking the shared library $output against the non-libtool" $ECHO "*** objects $objs is not portable!" - libobjs="$libobjs $objs" + func_append libobjs " $objs" fi fi @@ -6192,13 +7333,14 @@ func_mode_link () # which has an extra 1 added just for fun # case $version_type in + # correct linux to gnu/linux during the next big refactor darwin|linux|osf|windows|none) func_arith $number_major + $number_minor current=$func_arith_result age="$number_minor" revision="$number_revision" ;; - freebsd-aout|freebsd-elf|sunos) + freebsd-aout|freebsd-elf|qnx|sunos) current="$number_major" revision="$number_minor" age="0" @@ -6311,7 +7453,7 @@ func_mode_link () versuffix="$major.$revision" ;; - linux) + linux) # correct to gnu/linux during the next big refactor func_arith $current - $age major=.$func_arith_result versuffix="$major.$age.$revision" @@ -6334,7 +7476,7 @@ func_mode_link () done # Make executables depend on our current version. - verstring="$verstring:${current}.0" + func_append verstring ":${current}.0" ;; qnx) @@ -6402,10 +7544,10 @@ func_mode_link () fi func_generate_dlsyms "$libname" "$libname" "yes" - libobjs="$libobjs $symfileobj" + func_append libobjs " $symfileobj" test "X$libobjs" = "X " && libobjs= - if test "$mode" != relink; then + if test "$opt_mode" != relink; then # Remove our outputs, but don't remove object files since they # may have been created when compiling PIC objects. removelist= @@ -6421,7 +7563,7 @@ func_mode_link () continue fi fi - removelist="$removelist $p" + func_append removelist " $p" ;; *) ;; esac 
@@ -6432,27 +7574,28 @@ func_mode_link () # Now set the variables for building old libraries. if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then - oldlibs="$oldlibs $output_objdir/$libname.$libext" + func_append oldlibs " $output_objdir/$libname.$libext" # Transform .lo files to .o files. - oldobjs="$objs "`$ECHO "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e "$lo2o" | $NL2SP` + oldobjs="$objs "`$ECHO "$libobjs" | $SP2NL | $SED "/\.${libext}$/d; $lo2o" | $NL2SP` fi # Eliminate all temporary directories. #for path in $notinst_path; do - # lib_search_path=`$ECHO "X$lib_search_path " | $Xsed -e "s% $path % %g"` - # deplibs=`$ECHO "X$deplibs " | $Xsed -e "s% -L$path % %g"` - # dependency_libs=`$ECHO "X$dependency_libs " | $Xsed -e "s% -L$path % %g"` + # lib_search_path=`$ECHO "$lib_search_path " | $SED "s% $path % %g"` + # deplibs=`$ECHO "$deplibs " | $SED "s% -L$path % %g"` + # dependency_libs=`$ECHO "$dependency_libs " | $SED "s% -L$path % %g"` #done if test -n "$xrpath"; then # If the user specified any rpath flags, then add them. temp_xrpath= for libdir in $xrpath; do - temp_xrpath="$temp_xrpath -R$libdir" + func_replace_sysroot "$libdir" + func_append temp_xrpath " -R$func_replace_sysroot_result" case "$finalize_rpath " in *" $libdir "*) ;; - *) finalize_rpath="$finalize_rpath $libdir" ;; + *) func_append finalize_rpath " $libdir" ;; esac done if test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes; then @@ -6466,7 +7609,7 @@ func_mode_link () for lib in $old_dlfiles; do case " $dlprefiles $dlfiles " in *" $lib "*) ;; - *) dlfiles="$dlfiles $lib" ;; + *) func_append dlfiles " $lib" ;; esac done 
@@ -6476,19 +7619,19 @@ func_mode_link () for lib in $old_dlprefiles; do case "$dlprefiles " in *" $lib "*) ;; - *) dlprefiles="$dlprefiles $lib" ;; + *) func_append dlprefiles " $lib" ;; esac done if test "$build_libtool_libs" = yes; then if test -n "$rpath"; then case $host in - *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos* | *-cegcc*) + *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos* | *-cegcc* | *-*-haiku*) # these systems don't actually have a c library (as such)! ;; *-*-rhapsody* | *-*-darwin1.[012]) # Rhapsody C library is in the System framework - deplibs="$deplibs System.ltframework" + func_append deplibs " System.ltframework" ;; *-*-netbsd*) # Don't link with libc until the a.out ld.so is fixed. @@ -6505,7 +7648,7 @@ func_mode_link () *) # Add libc to deplibs on all other systems if necessary. if test "$build_libtool_need_lc" = "yes"; then - deplibs="$deplibs -lc" + func_append deplibs " -lc" fi ;; esac @@ -6554,7 +7697,7 @@ EOF if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then case " $predeps $postdeps " in *" $i "*) - newdeplibs="$newdeplibs $i" + func_append newdeplibs " $i" i="" ;; esac 
@@ -6565,21 +7708,21 @@ EOF set dummy $deplib_matches; shift deplib_match=$1 if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then - newdeplibs="$newdeplibs $i" + func_append newdeplibs " $i" else droppeddeps=yes - $ECHO + echo $ECHO "*** Warning: dynamic linker does not accept needed library $i." - $ECHO "*** I have the capability to make that library automatically link in when" - $ECHO "*** you link to this library. But I can only do this if you have a" - $ECHO "*** shared version of the library, which I believe you do not have" - $ECHO "*** because a test_compile did reveal that the linker did not use it for" - $ECHO "*** its dynamic dependency list that programs get resolved with at runtime." + echo "*** I have the capability to make that library automatically link in when" + echo "*** you link to this library. But I can only do this if you have a" + echo "*** shared version of the library, which I believe you do not have" + echo "*** because a test_compile did reveal that the linker did not use it for" + echo "*** its dynamic dependency list that programs get resolved with at runtime." fi fi ;; *) - newdeplibs="$newdeplibs $i" + func_append newdeplibs " $i" ;; esac done @@ -6597,7 +7740,7 @@ EOF if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then case " $predeps $postdeps " in *" $i "*) - newdeplibs="$newdeplibs $i" + func_append newdeplibs " $i" i="" ;; esac 
@@ -6608,29 +7751,29 @@ EOF set dummy $deplib_matches; shift deplib_match=$1 if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then - newdeplibs="$newdeplibs $i" + func_append newdeplibs " $i" else droppeddeps=yes - $ECHO + echo $ECHO "*** Warning: dynamic linker does not accept needed library $i." - $ECHO "*** I have the capability to make that library automatically link in when" - $ECHO "*** you link to this library. But I can only do this if you have a" - $ECHO "*** shared version of the library, which you do not appear to have" - $ECHO "*** because a test_compile did reveal that the linker did not use this one" - $ECHO "*** as a dynamic dependency that programs can get resolved with at runtime." + echo "*** I have the capability to make that library automatically link in when" + echo "*** you link to this library. But I can only do this if you have a" + echo "*** shared version of the library, which you do not appear to have" + echo "*** because a test_compile did reveal that the linker did not use this one" + echo "*** as a dynamic dependency that programs can get resolved with at runtime." fi fi else droppeddeps=yes - $ECHO + echo $ECHO "*** Warning! Library $i is needed by this library but I was not able to" - $ECHO "*** make it link in! You will probably need to install it or some" - $ECHO "*** library that it depends on before this library will be fully" - $ECHO "*** functional. Installing it before continuing would be even better." + echo "*** make it link in! You will probably need to install it or some" + echo "*** library that it depends on before this library will be fully" + echo "*** functional. Installing it before continuing would be even better." fi ;; *) - newdeplibs="$newdeplibs $i" + func_append newdeplibs " $i" ;; esac done 
@@ -6647,15 +7790,27 @@ EOF if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then case " $predeps $postdeps " in *" $a_deplib "*) - newdeplibs="$newdeplibs $a_deplib" + func_append newdeplibs " $a_deplib" a_deplib="" ;; esac fi if test -n "$a_deplib" ; then libname=`eval "\\$ECHO \"$libname_spec\""` + if test -n "$file_magic_glob"; then + libnameglob=`func_echo_all "$libname" | $SED -e $file_magic_glob` + else + libnameglob=$libname + fi + test "$want_nocaseglob" = yes && nocaseglob=`shopt -p nocaseglob` for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do - potential_libs=`ls $i/$libname[.-]* 2>/dev/null` + if test "$want_nocaseglob" = yes; then + shopt -s nocaseglob + potential_libs=`ls $i/$libnameglob[.-]* 2>/dev/null` + $nocaseglob + else + potential_libs=`ls $i/$libnameglob[.-]* 2>/dev/null` + fi for potent_lib in $potential_libs; do # Follow soft links. if ls -lLd "$potent_lib" 2>/dev/null | @@ -6672,13 +7827,13 @@ EOF potliblink=`ls -ld $potlib | ${SED} 's/.* -> //'` case $potliblink in [\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";; - *) potlib=`$ECHO "X$potlib" | $Xsed -e 's,[^/]*$,,'`"$potliblink";; + *) potlib=`$ECHO "$potlib" | $SED 's,[^/]*$,,'`"$potliblink";; esac done if eval $file_magic_cmd \"\$potlib\" 2>/dev/null | $SED -e 10q | $EGREP "$file_magic_regex" > /dev/null; then - newdeplibs="$newdeplibs $a_deplib" + func_append newdeplibs " $a_deplib" a_deplib="" break 2 fi 
@@ -6687,12 +7842,12 @@ EOF fi if test -n "$a_deplib" ; then droppeddeps=yes - $ECHO + echo $ECHO "*** Warning: linker path does not have real file for library $a_deplib." - $ECHO "*** I have the capability to make that library automatically link in when" - $ECHO "*** you link to this library. But I can only do this if you have a" - $ECHO "*** shared version of the library, which you do not appear to have" - $ECHO "*** because I did check the linker path looking for a file starting" + echo "*** I have the capability to make that library automatically link in when" + echo "*** you link to this library. But I can only do this if you have a" + echo "*** shared version of the library, which you do not appear to have" + echo "*** because I did check the linker path looking for a file starting" if test -z "$potlib" ; then $ECHO "*** with $libname but no candidates were found. (...for file magic test)" else @@ -6703,7 +7858,7 @@ EOF ;; *) # Add a -L argument. - newdeplibs="$newdeplibs $a_deplib" + func_append newdeplibs " $a_deplib" ;; esac done # Gone through all deplibs. @@ -6719,7 +7874,7 @@ EOF if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then case " $predeps $postdeps " in *" $a_deplib "*) - newdeplibs="$newdeplibs $a_deplib" + func_append newdeplibs " $a_deplib" a_deplib="" ;; esac @@ -6730,9 +7885,9 @@ EOF potential_libs=`ls $i/$libname[.-]* 2>/dev/null` for potent_lib in $potential_libs; do potlib="$potent_lib" # see symlink-check above in file_magic test - if eval "\$ECHO \"X$potent_lib\"" 2>/dev/null | $Xsed -e 10q | \ + if eval "\$ECHO \"$potent_lib\"" 2>/dev/null | $SED 10q | \ $EGREP "$match_pattern_regex" > /dev/null; then - newdeplibs="$newdeplibs $a_deplib" + func_append newdeplibs " $a_deplib" a_deplib="" break 2 fi 
@@ -6741,12 +7896,12 @@ EOF fi if test -n "$a_deplib" ; then droppeddeps=yes - $ECHO + echo $ECHO "*** Warning: linker path does not have real file for library $a_deplib." - $ECHO "*** I have the capability to make that library automatically link in when" - $ECHO "*** you link to this library. But I can only do this if you have a" - $ECHO "*** shared version of the library, which you do not appear to have" - $ECHO "*** because I did check the linker path looking for a file starting" + echo "*** I have the capability to make that library automatically link in when" + echo "*** you link to this library. But I can only do this if you have a" + echo "*** shared version of the library, which you do not appear to have" + echo "*** because I did check the linker path looking for a file starting" if test -z "$potlib" ; then $ECHO "*** with $libname but no candidates were found. (...for regex pattern test)" else 
@@ -6757,32 +7912,32 @@ EOF ;; *) # Add a -L argument. - newdeplibs="$newdeplibs $a_deplib" + func_append newdeplibs " $a_deplib" ;; esac done # Gone through all deplibs. ;; none | unknown | *) newdeplibs="" - tmp_deplibs=`$ECHO "X $deplibs" | $Xsed \ - -e 's/ -lc$//' -e 's/ -[LR][^ ]*//g'` + tmp_deplibs=`$ECHO " $deplibs" | $SED 's/ -lc$//; s/ -[LR][^ ]*//g'` if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then for i in $predeps $postdeps ; do # can't use Xsed below, because $i might contain '/' - tmp_deplibs=`$ECHO "X $tmp_deplibs" | $Xsed -e "s,$i,,"` + tmp_deplibs=`$ECHO " $tmp_deplibs" | $SED "s,$i,,"` done fi - if $ECHO "X $tmp_deplibs" | $Xsed -e 's/[ ]//g' | - $GREP . >/dev/null; then - $ECHO + case $tmp_deplibs in + *[!\ \ ]*) + echo if test "X$deplibs_check_method" = "Xnone"; then - $ECHO "*** Warning: inter-library dependencies are not supported in this platform." + echo "*** Warning: inter-library dependencies are not supported in this platform." else - $ECHO "*** Warning: inter-library dependencies are not known to be supported." + echo "*** Warning: inter-library dependencies are not known to be supported." fi - $ECHO "*** All declared inter-library dependencies are being dropped." + echo "*** All declared inter-library dependencies are being dropped." droppeddeps=yes - fi + ;; + esac ;; esac versuffix=$versuffix_save 
@@ -6794,23 +7949,23 @@ EOF case $host in *-*-rhapsody* | *-*-darwin1.[012]) # On Rhapsody replace the C library with the System framework - newdeplibs=`$ECHO "X $newdeplibs" | $Xsed -e 's/ -lc / System.ltframework /'` + newdeplibs=`$ECHO " $newdeplibs" | $SED 's/ -lc / System.ltframework /'` ;; esac if test "$droppeddeps" = yes; then if test "$module" = yes; then - $ECHO - $ECHO "*** Warning: libtool could not satisfy all declared inter-library" + echo + echo "*** Warning: libtool could not satisfy all declared inter-library" $ECHO "*** dependencies of module $libname. Therefore, libtool will create" - $ECHO "*** a static module, that should work as long as the dlopening" - $ECHO "*** application is linked with the -dlopen flag." + echo "*** a static module, that should work as long as the dlopening" + echo "*** application is linked with the -dlopen flag." if test -z "$global_symbol_pipe"; then - $ECHO - $ECHO "*** However, this would only work if libtool was able to extract symbol" - $ECHO "*** lists from a program, using \`nm' or equivalent, but libtool could" - $ECHO "*** not find such a program. So, this module is probably useless." - $ECHO "*** \`nm' from GNU binutils and a full rebuild may help." + echo + echo "*** However, this would only work if libtool was able to extract symbol" + echo "*** lists from a program, using \`nm' or equivalent, but libtool could" + echo "*** not find such a program. So, this module is probably useless." + echo "*** \`nm' from GNU binutils and a full rebuild may help." fi if test "$build_old_libs" = no; then oldlibs="$output_objdir/$libname.$libext" 
@@ -6820,16 +7975,16 @@ EOF build_libtool_libs=no fi else - $ECHO "*** The inter-library dependencies that have been dropped here will be" - $ECHO "*** automatically added whenever a program is linked with this library" - $ECHO "*** or is declared to -dlopen it." + echo "*** The inter-library dependencies that have been dropped here will be" + echo "*** automatically added whenever a program is linked with this library" + echo "*** or is declared to -dlopen it." if test "$allow_undefined" = no; then - $ECHO - $ECHO "*** Since this library must not contain undefined symbols," - $ECHO "*** because either the platform does not support them or" - $ECHO "*** it was explicitly requested with -no-undefined," - $ECHO "*** libtool will only create a static version of it." + echo + echo "*** Since this library must not contain undefined symbols," + echo "*** because either the platform does not support them or" + echo "*** it was explicitly requested with -no-undefined," + echo "*** libtool will only create a static version of it." if test "$build_old_libs" = no; then oldlibs="$output_objdir/$libname.$libext" build_libtool_libs=module @@ -6846,9 +8001,9 @@ EOF # Time to change all our "foo.ltframework" stuff back to "-framework foo" case $host in *-*-darwin*) - newdeplibs=`$ECHO "X $newdeplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'` - new_inherited_linker_flags=`$ECHO "X $new_inherited_linker_flags" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'` - deplibs=`$ECHO "X $deplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'` + newdeplibs=`$ECHO " $newdeplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` + new_inherited_linker_flags=`$ECHO " $new_inherited_linker_flags" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` + deplibs=`$ECHO " $deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` ;; esac 
@@ -6861,7 +8016,7 @@ EOF *) case " $deplibs " in *" -L$path/$objdir "*) - new_libs="$new_libs -L$path/$objdir" ;; + func_append new_libs " -L$path/$objdir" ;; esac ;; esac @@ -6871,10 +8026,10 @@ EOF -L*) case " $new_libs " in *" $deplib "*) ;; - *) new_libs="$new_libs $deplib" ;; + *) func_append new_libs " $deplib" ;; esac ;; - *) new_libs="$new_libs $deplib" ;; + *) func_append new_libs " $deplib" ;; esac done deplibs="$new_libs" @@ -6886,15 +8041,22 @@ EOF # Test again, we may have decided not to build it any more if test "$build_libtool_libs" = yes; then + # Remove ${wl} instances when linking with ld. + # FIXME: should test the right _cmds variable. + case $archive_cmds in + *\$LD\ *) wl= ;; + esac if test "$hardcode_into_libs" = yes; then # Hardcode the library paths hardcode_libdirs= dep_rpath= rpath="$finalize_rpath" - test "$mode" != relink && rpath="$compile_rpath$rpath" + test "$opt_mode" != relink && rpath="$compile_rpath$rpath" for libdir in $rpath; do if test -n "$hardcode_libdir_flag_spec"; then if test -n "$hardcode_libdir_separator"; then + func_replace_sysroot "$libdir" + libdir=$func_replace_sysroot_result if test -z "$hardcode_libdirs"; then hardcode_libdirs="$libdir" else @@ -6903,18 +8065,18 @@ EOF *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) ;; *) - hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir" + func_append hardcode_libdirs "$hardcode_libdir_separator$libdir" ;; esac fi else eval flag=\"$hardcode_libdir_flag_spec\" - dep_rpath="$dep_rpath $flag" + func_append dep_rpath " $flag" fi elif test -n "$runpath_var"; then case "$perm_rpath " in *" $libdir "*) ;; - *) perm_rpath="$perm_rpath $libdir" ;; + *) func_append perm_rpath " $libdir" ;; esac fi done 
@@ -6922,17 +8084,13 @@ EOF if test -n "$hardcode_libdir_separator" && test -n "$hardcode_libdirs"; then libdir="$hardcode_libdirs" - if test -n "$hardcode_libdir_flag_spec_ld"; then - eval dep_rpath=\"$hardcode_libdir_flag_spec_ld\" - else - eval dep_rpath=\"$hardcode_libdir_flag_spec\" - fi + eval "dep_rpath=\"$hardcode_libdir_flag_spec\"" fi if test -n "$runpath_var" && test -n "$perm_rpath"; then # We should set the runpath_var. rpath= for dir in $perm_rpath; do - rpath="$rpath$dir:" + func_append rpath "$dir:" done eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var" fi @@ -6940,7 +8098,7 @@ EOF fi shlibpath="$finalize_shlibpath" - test "$mode" != relink && shlibpath="$compile_shlibpath$shlibpath" + test "$opt_mode" != relink && shlibpath="$compile_shlibpath$shlibpath" if test -n "$shlibpath"; then eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var" fi @@ -6966,18 +8124,18 @@ EOF linknames= for link do - linknames="$linknames $link" + func_append linknames " $link" done # Use standard objects if they are pic - test -z "$pic_flag" && libobjs=`$ECHO "X$libobjs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP` + test -z "$pic_flag" && libobjs=`$ECHO "$libobjs" | $SP2NL | $SED "$lo2o" | $NL2SP` test "X$libobjs" = "X " && libobjs= delfiles= if test -n "$export_symbols" && test -n "$include_expsyms"; then $opt_dry_run || cp "$export_symbols" "$output_objdir/$libname.uexp" export_symbols="$output_objdir/$libname.uexp" - delfiles="$delfiles $export_symbols" + func_append delfiles " $export_symbols" fi orig_export_symbols= 
@@ -7008,14 +8166,46 @@ EOF $opt_dry_run || $RM $export_symbols cmds=$export_symbols_cmds save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do + for cmd1 in $cmds; do IFS="$save_ifs" - eval cmd=\"$cmd\" - func_len " $cmd" - len=$func_len_result - if test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then + # Take the normal branch if the nm_file_list_spec branch + # doesn't work or if tool conversion is not needed. + case $nm_file_list_spec~$to_tool_file_cmd in + *~func_convert_file_noop | *~func_convert_file_msys_to_w32 | ~*) + try_normal_branch=yes + eval cmd=\"$cmd1\" + func_len " $cmd" + len=$func_len_result + ;; + *) + try_normal_branch=no + ;; + esac + if test "$try_normal_branch" = yes \ + && { test "$len" -lt "$max_cmd_len" \ + || test "$max_cmd_len" -le -1; } + then func_show_eval "$cmd" 'exit $?' skipped_export=false + elif test -n "$nm_file_list_spec"; then + func_basename "$output" + output_la=$func_basename_result + save_libobjs=$libobjs + save_output=$output + output=${output_objdir}/${output_la}.nm + func_to_tool_file "$output" + libobjs=$nm_file_list_spec$func_to_tool_file_result + func_append delfiles " $output" + func_verbose "creating $NM input file list: $output" + for obj in $save_libobjs; do + func_to_tool_file "$obj" + $ECHO "$func_to_tool_file_result" + done > "$output" + eval cmd=\"$cmd1\" + func_show_eval "$cmd" 'exit $?' + output=$save_output + libobjs=$save_libobjs + skipped_export=false else # The command line is too long to execute in one step. func_verbose "using reloadable object file for export list..." 
@@ -7036,7 +8226,7 @@ EOF if test -n "$export_symbols" && test -n "$include_expsyms"; then tmp_export_symbols="$export_symbols" test -n "$orig_export_symbols" && tmp_export_symbols="$orig_export_symbols" - $opt_dry_run || eval '$ECHO "X$include_expsyms" | $Xsed | $SP2NL >> "$tmp_export_symbols"' + $opt_dry_run || eval '$ECHO "$include_expsyms" | $SP2NL >> "$tmp_export_symbols"' fi if test "X$skipped_export" != "X:" && test -n "$orig_export_symbols"; then @@ -7048,7 +8238,7 @@ EOF # global variables. join(1) would be nice here, but unfortunately # isn't a blessed tool. $opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter - delfiles="$delfiles $export_symbols $output_objdir/$libname.filter" + func_append delfiles " $export_symbols $output_objdir/$libname.filter" export_symbols=$output_objdir/$libname.def $opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols fi @@ -7058,7 +8248,7 @@ EOF case " $convenience " in *" $test_deplib "*) ;; *) - tmp_deplibs="$tmp_deplibs $test_deplib" + func_append tmp_deplibs " $test_deplib" ;; esac done @@ -7078,21 +8268,21 @@ EOF test "X$libobjs" = "X " && libobjs= else gentop="$output_objdir/${outputname}x" - generated="$generated $gentop" + func_append generated " $gentop" func_extract_archives $gentop $convenience - libobjs="$libobjs $func_extract_archives_result" + func_append libobjs " $func_extract_archives_result" test "X$libobjs" = "X " && libobjs= fi fi if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then eval flag=\"$thread_safe_flag_spec\" - linker_flags="$linker_flags $flag" + func_append linker_flags " $flag" fi # Make a backup of the uninstalled library when relinking - if test "$mode" = relink; then + if test "$opt_mode" = relink; then $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}U && $MV $realname ${realname}U)' || exit $? fi 
@@ -7137,7 +8327,8 @@ EOF save_libobjs=$libobjs fi save_output=$output - output_la=`$ECHO "X$output" | $Xsed -e "$basename"` + func_basename "$output" + output_la=$func_basename_result # Clear the reloadable object creation command queue and # initialize k to one. @@ -7150,13 +8341,16 @@ EOF if test -n "$save_libobjs" && test "X$skipped_export" != "X:" && test "$with_gnu_ld" = yes; then output=${output_objdir}/${output_la}.lnkscript func_verbose "creating GNU ld script: $output" - $ECHO 'INPUT (' > $output + echo 'INPUT (' > $output for obj in $save_libobjs do - $ECHO "$obj" >> $output + func_to_tool_file "$obj" + $ECHO "$func_to_tool_file_result" >> $output done - $ECHO ')' >> $output - delfiles="$delfiles $output" + echo ')' >> $output + func_append delfiles " $output" + func_to_tool_file "$output" + output=$func_to_tool_file_result elif test -n "$save_libobjs" && test "X$skipped_export" != "X:" && test "X$file_list_spec" != X; then output=${output_objdir}/${output_la}.lnk func_verbose "creating linker input file list: $output" @@ -7170,10 +8364,12 @@ EOF fi for obj do - $ECHO "$obj" >> $output + func_to_tool_file "$obj" + $ECHO "$func_to_tool_file_result" >> $output done - delfiles="$delfiles $output" - output=$firstobj\"$file_list_spec$output\" + func_append delfiles " $output" + func_to_tool_file "$output" + output=$firstobj\"$file_list_spec$func_to_tool_file_result\" else if test -n "$save_libobjs"; then func_verbose "creating reloadable object files..." 
@@ -7197,17 +8393,19 @@ EOF # command to the queue. if test "$k" -eq 1 ; then # The first file doesn't have a previous command to add. - eval concat_cmds=\"$reload_cmds $objlist $last_robj\" + reload_objs=$objlist + eval concat_cmds=\"$reload_cmds\" else # All subsequent reloadable object files will link in # the last one created. - eval concat_cmds=\"\$concat_cmds~$reload_cmds $objlist $last_robj~\$RM $last_robj\" + reload_objs="$objlist $last_robj" + eval concat_cmds=\"\$concat_cmds~$reload_cmds~\$RM $last_robj\" fi last_robj=$output_objdir/$output_la-${k}.$objext func_arith $k + 1 k=$func_arith_result output=$output_objdir/$output_la-${k}.$objext - objlist=$obj + objlist=" $obj" func_len " $last_robj" func_arith $len0 + $func_len_result len=$func_arith_result @@ -7217,11 +8415,12 @@ EOF # reloadable object file. All subsequent reloadable object # files will link in the last one created. test -z "$concat_cmds" || concat_cmds=$concat_cmds~ - eval concat_cmds=\"\${concat_cmds}$reload_cmds $objlist $last_robj\" + reload_objs="$objlist $last_robj" + eval concat_cmds=\"\${concat_cmds}$reload_cmds\" if test -n "$last_robj"; then eval concat_cmds=\"\${concat_cmds}~\$RM $last_robj\" fi - delfiles="$delfiles $output" + func_append delfiles " $output" else output= @@ -7255,7 +8454,7 @@ EOF lt_exit=$? # Restore the uninstalled library and exit - if test "$mode" = relink; then + if test "$opt_mode" = relink; then ( cd "$output_objdir" && \ $RM "${realname}T" && \ $MV "${realname}U" "$realname" ) @@ -7276,7 +8475,7 @@ EOF if test -n "$export_symbols" && test -n "$include_expsyms"; then tmp_export_symbols="$export_symbols" test -n "$orig_export_symbols" && tmp_export_symbols="$orig_export_symbols" - $opt_dry_run || eval '$ECHO "X$include_expsyms" | $Xsed | $SP2NL >> "$tmp_export_symbols"' + $opt_dry_run || eval '$ECHO "$include_expsyms" | $SP2NL >> "$tmp_export_symbols"' fi if test -n "$orig_export_symbols"; then 
@@ -7288,7 +8487,7 @@ EOF # global variables. join(1) would be nice here, but unfortunately # isn't a blessed tool. $opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter - delfiles="$delfiles $export_symbols $output_objdir/$libname.filter" + func_append delfiles " $export_symbols $output_objdir/$libname.filter" export_symbols=$output_objdir/$libname.def $opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols fi @@ -7329,10 +8528,10 @@ EOF # Add any objects from preloaded convenience libraries if test -n "$dlprefiles"; then gentop="$output_objdir/${outputname}x" - generated="$generated $gentop" + func_append generated " $gentop" func_extract_archives $gentop $dlprefiles - libobjs="$libobjs $func_extract_archives_result" + func_append libobjs " $func_extract_archives_result" test "X$libobjs" = "X " && libobjs= fi @@ -7348,7 +8547,7 @@ EOF lt_exit=$? # Restore the uninstalled library and exit - if test "$mode" = relink; then + if test "$opt_mode" = relink; then ( cd "$output_objdir" && \ $RM "${realname}T" && \ $MV "${realname}U" "$realname" ) @@ -7360,7 +8559,7 @@ EOF IFS="$save_ifs" # Restore the uninstalled library and exit - if test "$mode" = relink; then + if test "$opt_mode" = relink; then $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}T && $MV $realname ${realname}T && $MV ${realname}U $realname)' || exit $? if test -n "$convenience"; then 
@@ -7441,18 +8640,21 @@ EOF if test -n "$convenience"; then if test -n "$whole_archive_flag_spec"; then eval tmp_whole_archive_flags=\"$whole_archive_flag_spec\" - reload_conv_objs=$reload_objs\ `$ECHO "X$tmp_whole_archive_flags" | $Xsed -e 's|,| |g'` + reload_conv_objs=$reload_objs\ `$ECHO "$tmp_whole_archive_flags" | $SED 's|,| |g'` else gentop="$output_objdir/${obj}x" - generated="$generated $gentop" + func_append generated " $gentop" func_extract_archives $gentop $convenience reload_conv_objs="$reload_objs $func_extract_archives_result" fi fi + # If we're not building shared, we need to use non_pic_objs + test "$build_libtool_libs" != yes && libobjs="$non_pic_objects" + # Create the old-style object. - reload_objs="$objs$old_deplibs "`$ECHO "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}$'/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test + reload_objs="$objs$old_deplibs "`$ECHO "$libobjs" | $SP2NL | $SED "/\.${libext}$/d; /\.lib$/d; $lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test output="$obj" func_execute_cmds "$reload_cmds" 'exit $?' @@ -7512,8 +8714,8 @@ EOF case $host in *-*-rhapsody* | *-*-darwin1.[012]) # On Rhapsody replace the C library is the System framework - compile_deplibs=`$ECHO "X $compile_deplibs" | $Xsed -e 's/ -lc / System.ltframework /'` - finalize_deplibs=`$ECHO "X $finalize_deplibs" | $Xsed -e 's/ -lc / System.ltframework /'` + compile_deplibs=`$ECHO " $compile_deplibs" | $SED 's/ -lc / System.ltframework /'` + finalize_deplibs=`$ECHO " $finalize_deplibs" | $SED 's/ -lc / System.ltframework /'` ;; esac 
@@ -7524,14 +8726,14 @@ EOF if test "$tagname" = CXX ; then case ${MACOSX_DEPLOYMENT_TARGET-10.0} in 10.[0123]) - compile_command="$compile_command ${wl}-bind_at_load" - finalize_command="$finalize_command ${wl}-bind_at_load" + func_append compile_command " ${wl}-bind_at_load" + func_append finalize_command " ${wl}-bind_at_load" ;; esac fi # Time to change all our "foo.ltframework" stuff back to "-framework foo" - compile_deplibs=`$ECHO "X $compile_deplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'` - finalize_deplibs=`$ECHO "X $finalize_deplibs" | $Xsed -e 's% \([^ $]*\).ltframework% -framework \1%g'` + compile_deplibs=`$ECHO " $compile_deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` + finalize_deplibs=`$ECHO " $finalize_deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` ;; esac @@ -7545,7 +8747,7 @@ EOF *) case " $compile_deplibs " in *" -L$path/$objdir "*) - new_libs="$new_libs -L$path/$objdir" ;; + func_append new_libs " -L$path/$objdir" ;; esac ;; esac @@ -7555,17 +8757,17 @@ EOF -L*) case " $new_libs " in *" $deplib "*) ;; - *) new_libs="$new_libs $deplib" ;; + *) func_append new_libs " $deplib" ;; esac ;; - *) new_libs="$new_libs $deplib" ;; + *) func_append new_libs " $deplib" ;; esac done compile_deplibs="$new_libs" - compile_command="$compile_command $compile_deplibs" - finalize_command="$finalize_command $finalize_deplibs" + func_append compile_command " $compile_deplibs" + func_append finalize_command " $finalize_deplibs" if test -n "$rpath$xrpath"; then # If the user specified any rpath flags, then add them. @@ -7573,7 +8775,7 @@ EOF # This is the magic to use -rpath. case "$finalize_rpath " in *" $libdir "*) ;; - *) finalize_rpath="$finalize_rpath $libdir" ;; + *) func_append finalize_rpath " $libdir" ;; esac done fi 
@@ -7592,18 +8794,18 @@ EOF *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) ;; *) - hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir" + func_append hardcode_libdirs "$hardcode_libdir_separator$libdir" ;; esac fi else eval flag=\"$hardcode_libdir_flag_spec\" - rpath="$rpath $flag" + func_append rpath " $flag" fi elif test -n "$runpath_var"; then case "$perm_rpath " in *" $libdir "*) ;; - *) perm_rpath="$perm_rpath $libdir" ;; + *) func_append perm_rpath " $libdir" ;; esac fi case $host in @@ -7612,12 +8814,12 @@ EOF case :$dllsearchpath: in *":$libdir:"*) ;; ::) dllsearchpath=$libdir;; - *) dllsearchpath="$dllsearchpath:$libdir";; + *) func_append dllsearchpath ":$libdir";; esac case :$dllsearchpath: in *":$testbindir:"*) ;; ::) dllsearchpath=$testbindir;; - *) dllsearchpath="$dllsearchpath:$testbindir";; + *) func_append dllsearchpath ":$testbindir";; esac ;; esac @@ -7643,18 +8845,18 @@ EOF *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) ;; *) - hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir" + func_append hardcode_libdirs "$hardcode_libdir_separator$libdir" ;; esac fi else eval flag=\"$hardcode_libdir_flag_spec\" - rpath="$rpath $flag" + func_append rpath " $flag" fi elif test -n "$runpath_var"; then case "$finalize_perm_rpath " in *" $libdir "*) ;; - *) finalize_perm_rpath="$finalize_perm_rpath $libdir" ;; + *) func_append finalize_perm_rpath " $libdir" ;; esac fi done @@ -7668,8 +8870,8 @@ EOF if test -n "$libobjs" && test "$build_old_libs" = yes; then # Transform all the library objects into standard objects. - compile_command=`$ECHO "X$compile_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP` - finalize_command=`$ECHO "X$finalize_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP` + compile_command=`$ECHO "$compile_command" | $SP2NL | $SED "$lo2o" | $NL2SP` + finalize_command=`$ECHO "$finalize_command" | $SP2NL | $SED "$lo2o" | $NL2SP` fi func_generate_dlsyms "$outputname" "@PROGRAM@" "no" 
@@ -7681,15 +8883,15 @@ EOF wrappers_required=yes case $host in + *cegcc* | *mingw32ce*) + # Disable wrappers for cegcc and mingw32ce hosts, we are cross compiling anyway. + wrappers_required=no + ;; *cygwin* | *mingw* ) if test "$build_libtool_libs" != yes; then wrappers_required=no fi ;; - *cegcc) - # Disable wrappers for cegcc, we are cross compiling anyway. - wrappers_required=no - ;; *) if test "$need_relink" = no || test "$build_libtool_libs" != yes; then wrappers_required=no @@ -7698,13 +8900,19 @@ EOF esac if test "$wrappers_required" = no; then # Replace the output file specification. - compile_command=`$ECHO "X$compile_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'` + compile_command=`$ECHO "$compile_command" | $SED 's%@OUTPUT@%'"$output"'%g'` link_command="$compile_command$compile_rpath" # We have no uninstalled library dependencies, so finalize right now. exit_status=0 func_show_eval "$link_command" 'exit_status=$?' + if test -n "$postlink_cmds"; then + func_to_tool_file "$output" + postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'` + func_execute_cmds "$postlink_cmds" 'exit $?' + fi + # Delete the generated files. if test -f "$output_objdir/${outputname}S.${objext}"; then func_show_eval '$RM "$output_objdir/${outputname}S.${objext}"' @@ -7727,7 +8935,7 @@ EOF # We should set the runpath_var. rpath= for dir in $perm_rpath; do - rpath="$rpath$dir:" + func_append rpath "$dir:" done compile_var="$runpath_var=\"$rpath\$$runpath_var\" " fi @@ -7735,7 +8943,7 @@ EOF # We should set the runpath_var. rpath= for dir in $finalize_perm_rpath; do - rpath="$rpath$dir:" + func_append rpath "$dir:" done finalize_var="$runpath_var=\"$rpath\$$runpath_var\" " fi 
@@ -7745,11 +8953,18 @@ EOF # We don't need to create a wrapper script. link_command="$compile_var$compile_command$compile_rpath" # Replace the output file specification. - link_command=`$ECHO "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'` + link_command=`$ECHO "$link_command" | $SED 's%@OUTPUT@%'"$output"'%g'` # Delete the old output file. $opt_dry_run || $RM $output # Link the executable and exit func_show_eval "$link_command" 'exit $?' + + if test -n "$postlink_cmds"; then + func_to_tool_file "$output" + postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'` + func_execute_cmds "$postlink_cmds" 'exit $?' + fi + exit $EXIT_SUCCESS fi @@ -7764,7 +8979,7 @@ EOF if test "$fast_install" != no; then link_command="$finalize_var$compile_command$finalize_rpath" if test "$fast_install" = yes; then - relink_command=`$ECHO "X$compile_var$compile_command$compile_rpath" | $Xsed -e 's%@OUTPUT@%\$progdir/\$file%g'` + relink_command=`$ECHO "$compile_var$compile_command$compile_rpath" | $SED 's%@OUTPUT@%\$progdir/\$file%g'` else # fast_install is set to needless relink_command= @@ -7776,13 +8991,19 @@ EOF fi # Replace the output file specification. - link_command=`$ECHO "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'` + link_command=`$ECHO "$link_command" | $SED 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'` # Delete the old output files. $opt_dry_run || $RM $output $output_objdir/$outputname $output_objdir/lt-$outputname func_show_eval "$link_command" 'exit $?' + if test -n "$postlink_cmds"; then + func_to_tool_file "$output_objdir/$outputname" + postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'` + func_execute_cmds "$postlink_cmds" 'exit $?' + fi + # Now create the wrapper script. func_verbose "creating $output" 
@@ -7800,18 +9021,7 @@ EOF fi done relink_command="(cd `pwd`; $relink_command)" - relink_command=`$ECHO "X$relink_command" | $Xsed -e "$sed_quote_subst"` - fi - - # Quote $ECHO for shipping. - if test "X$ECHO" = "X$SHELL $progpath --fallback-echo"; then - case $progpath in - [\\/]* | [A-Za-z]:[\\/]*) qecho="$SHELL $progpath --fallback-echo";; - *) qecho="$SHELL `pwd`/$progpath --fallback-echo";; - esac - qecho=`$ECHO "X$qecho" | $Xsed -e "$sed_quote_subst"` - else - qecho=`$ECHO "X$ECHO" | $Xsed -e "$sed_quote_subst"` + relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"` fi # Only actually do things if not in dry run mode. @@ -7891,7 +9101,7 @@ EOF else oldobjs="$old_deplibs $non_pic_objects" if test "$preload" = yes && test -f "$symfileobj"; then - oldobjs="$oldobjs $symfileobj" + func_append oldobjs " $symfileobj" fi fi addlibs="$old_convenience" @@ -7899,10 +9109,10 @@ EOF if test -n "$addlibs"; then gentop="$output_objdir/${outputname}x" - generated="$generated $gentop" + func_append generated " $gentop" func_extract_archives $gentop $addlibs - oldobjs="$oldobjs $func_extract_archives_result" + func_append oldobjs " $func_extract_archives_result" fi # Do each command in the archive commands. @@ -7913,10 +9123,10 @@ EOF # Add any objects from preloaded convenience libraries if test -n "$dlprefiles"; then gentop="$output_objdir/${outputname}x" - generated="$generated $gentop" + func_append generated " $gentop" func_extract_archives $gentop $dlprefiles - oldobjs="$oldobjs $func_extract_archives_result" + func_append oldobjs " $func_extract_archives_result" fi # POSIX demands no paths to be encoded in archives. We have 
@@ -7932,9 +9142,9 @@ EOF done | sort | sort -uc >/dev/null 2>&1); then : else - $ECHO "copying selected object files to avoid basename conflicts..." + echo "copying selected object files to avoid basename conflicts..." gentop="$output_objdir/${outputname}x" - generated="$generated $gentop" + func_append generated " $gentop" func_mkdir_p "$gentop" save_oldobjs=$oldobjs oldobjs= @@ -7958,18 +9168,30 @@ EOF esac done func_show_eval "ln $obj $gentop/$newobj || cp $obj $gentop/$newobj" - oldobjs="$oldobjs $gentop/$newobj" + func_append oldobjs " $gentop/$newobj" ;; - *) oldobjs="$oldobjs $obj" ;; + *) func_append oldobjs " $obj" ;; esac done fi + func_to_tool_file "$oldlib" func_convert_file_msys_to_w32 + tool_oldlib=$func_to_tool_file_result eval cmds=\"$old_archive_cmds\" func_len " $cmds" len=$func_len_result if test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then cmds=$old_archive_cmds + elif test -n "$archiver_list_spec"; then + func_verbose "using command file archive linking..." + for obj in $oldobjs + do + func_to_tool_file "$obj" + $ECHO "$func_to_tool_file_result" + done > $output_objdir/$libname.libcmd + func_to_tool_file "$output_objdir/$libname.libcmd" + oldobjs=" $archiver_list_spec$func_to_tool_file_result" + cmds=$old_archive_cmds else # the command line is too long to link in one step, link in parts func_verbose "using piecewise archive linking..." @@ -8043,7 +9265,7 @@ EOF done # Quote the link command for shipping. relink_command="(cd `pwd`; $SHELL $progpath $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)" - relink_command=`$ECHO "X$relink_command" | $Xsed -e "$sed_quote_subst"` + relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"` if test "$hardcode_automatic" = yes ; then relink_command= fi 
@@ -8063,12 +9285,23 @@ EOF *.la) func_basename "$deplib" name="$func_basename_result" - eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib` + func_resolve_sysroot "$deplib" + eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $func_resolve_sysroot_result` test -z "$libdir" && \ func_fatal_error "\`$deplib' is not a valid libtool archive" - newdependency_libs="$newdependency_libs $libdir/$name" + func_append newdependency_libs " ${lt_sysroot:+=}$libdir/$name" ;; - *) newdependency_libs="$newdependency_libs $deplib" ;; + -L*) + func_stripname -L '' "$deplib" + func_replace_sysroot "$func_stripname_result" + func_append newdependency_libs " -L$func_replace_sysroot_result" + ;; + -R*) + func_stripname -R '' "$deplib" + func_replace_sysroot "$func_stripname_result" + func_append newdependency_libs " -R$func_replace_sysroot_result" + ;; + *) func_append newdependency_libs " $deplib" ;; esac done dependency_libs="$newdependency_libs" @@ -8082,9 +9315,9 @@ EOF eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib` test -z "$libdir" && \ func_fatal_error "\`$lib' is not a valid libtool archive" - newdlfiles="$newdlfiles $libdir/$name" + func_append newdlfiles " ${lt_sysroot:+=}$libdir/$name" ;; - *) newdlfiles="$newdlfiles $lib" ;; + *) func_append newdlfiles " $lib" ;; esac done dlfiles="$newdlfiles" @@ -8101,7 +9334,7 @@ EOF eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib` test -z "$libdir" && \ func_fatal_error "\`$lib' is not a valid libtool archive" - newdlprefiles="$newdlprefiles $libdir/$name" + func_append newdlprefiles " ${lt_sysroot:+=}$libdir/$name" ;; esac done @@ -8113,7 +9346,7 @@ EOF [\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;; *) abs=`pwd`"/$lib" ;; esac - newdlfiles="$newdlfiles $abs" + func_append newdlfiles " $abs" done dlfiles="$newdlfiles" newdlprefiles= 
@@ -8122,15 +9355,33 @@ EOF [\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;; *) abs=`pwd`"/$lib" ;; esac - newdlprefiles="$newdlprefiles $abs" + func_append newdlprefiles " $abs" done dlprefiles="$newdlprefiles" fi $RM $output # place dlname in correct position for cygwin + # In fact, it would be nice if we could use this code for all target + # systems that can't hard-code library paths into their executables + # and that have no shared library path variable independent of PATH, + # but it turns out we can't easily determine that from inspecting + # libtool variables, so we have to hard-code the OSs to which it + # applies here; at the moment, that means platforms that use the PE + # object format with DLL files. See the long comment at the top of + # tests/bindir.at for full details. tdlname=$dlname case $host,$output,$installed,$module,$dlname in - *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll | *cegcc*,*lai,yes,no,*.dll) tdlname=../bin/$dlname ;; + *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll | *cegcc*,*lai,yes,no,*.dll) + # If a -bindir argument was supplied, place the dll there. + if test "x$bindir" != x ; + then + func_relative_path "$install_libdir" "$bindir" + tdlname=$func_relative_path_result$dlname + else + # Otherwise fall back on heuristic. + tdlname=../bin/$dlname + fi + ;; esac $ECHO > $output "\ # $outputname - a libtool library file @@ -8189,7 +9440,7 @@ relink_command=\"$relink_command\"" exit $EXIT_SUCCESS } -{ test "$mode" = link || test "$mode" = relink; } && +{ test "$opt_mode" = link || test "$opt_mode" = relink; } && func_mode_link ${1+"$@"} @@ -8209,9 +9460,9 @@ func_mode_uninstall () for arg do case $arg in - -f) RM="$RM $arg"; rmforce=yes ;; - -*) RM="$RM $arg" ;; - *) files="$files $arg" ;; + -f) func_append RM " $arg"; rmforce=yes ;; + -*) func_append RM " $arg" ;; + *) func_append files " $arg" ;; esac done 
@@ -8220,24 +9471,23 @@ func_mode_uninstall () rmdirs= - origobjdir="$objdir" for file in $files; do func_dirname "$file" "" "." dir="$func_dirname_result" if test "X$dir" = X.; then - objdir="$origobjdir" + odir="$objdir" else - objdir="$dir/$origobjdir" + odir="$dir/$objdir" fi func_basename "$file" name="$func_basename_result" - test "$mode" = uninstall && objdir="$dir" + test "$opt_mode" = uninstall && odir="$dir" - # Remember objdir for removal later, being careful to avoid duplicates - if test "$mode" = clean; then + # Remember odir for removal later, being careful to avoid duplicates + if test "$opt_mode" = clean; then case " $rmdirs " in - *" $objdir "*) ;; - *) rmdirs="$rmdirs $objdir" ;; + *" $odir "*) ;; + *) func_append rmdirs " $odir" ;; esac fi @@ -8263,18 +9513,17 @@ func_mode_uninstall () # Delete the libtool libraries and symlinks. for n in $library_names; do - rmfiles="$rmfiles $objdir/$n" + func_append rmfiles " $odir/$n" done - test -n "$old_library" && rmfiles="$rmfiles $objdir/$old_library" + test -n "$old_library" && func_append rmfiles " $odir/$old_library" - case "$mode" in + case "$opt_mode" in clean) - case " $library_names " in - # " " in the beginning catches empty $dlname + case " $library_names " in *" $dlname "*) ;; - *) rmfiles="$rmfiles $objdir/$dlname" ;; + *) test -n "$dlname" && func_append rmfiles " $odir/$dlname" ;; esac - test -n "$libdir" && rmfiles="$rmfiles $objdir/$name $objdir/${name}i" + test -n "$libdir" && func_append rmfiles " $odir/$name $odir/${name}i" ;; uninstall) if test -n "$library_names"; then 
@@ -8302,19 +9551,19 @@ func_mode_uninstall () # Add PIC object to the list of files to remove. if test -n "$pic_object" && test "$pic_object" != none; then - rmfiles="$rmfiles $dir/$pic_object" + func_append rmfiles " $dir/$pic_object" fi # Add non-PIC object to the list of files to remove. if test -n "$non_pic_object" && test "$non_pic_object" != none; then - rmfiles="$rmfiles $dir/$non_pic_object" + func_append rmfiles " $dir/$non_pic_object" fi fi ;; *) - if test "$mode" = clean ; then + if test "$opt_mode" = clean ; then noexename=$name case $file in *.exe) @@ -8324,7 +9573,7 @@ func_mode_uninstall () noexename=$func_stripname_result # $file with .exe has already been added to rmfiles, # add $file without .exe - rmfiles="$rmfiles $file" + func_append rmfiles " $file" ;; esac # Do a test to see if this is a libtool program. @@ -8333,7 +9582,7 @@ func_mode_uninstall () func_ltwrapper_scriptname "$file" relink_command= func_source $func_ltwrapper_scriptname_result - rmfiles="$rmfiles $func_ltwrapper_scriptname_result" + func_append rmfiles " $func_ltwrapper_scriptname_result" else relink_command= func_source $dir/$noexename @@ -8341,12 +9590,12 @@ func_mode_uninstall () # note $name still contains .exe if it was in $file originally # as does the version of $file that was added into $rmfiles - rmfiles="$rmfiles $objdir/$name $objdir/${name}S.${objext}" + func_append rmfiles " $odir/$name $odir/${name}S.${objext}" if test "$fast_install" = yes && test -n "$relink_command"; then - rmfiles="$rmfiles $objdir/lt-$name" + func_append rmfiles " $odir/lt-$name" fi if test "X$noexename" != "X$name" ; then - rmfiles="$rmfiles $objdir/lt-${noexename}.c" + func_append rmfiles " $odir/lt-${noexename}.c" fi fi fi @@ -8354,7 +9603,6 @@ func_mode_uninstall () esac func_show_eval "$RM $rmfiles" 'exit_status=1' done - objdir="$origobjdir" # Try to remove the ${objdir}s in the directories where we deleted files for dir in $rmdirs; do 
@@ -8366,16 +9614,16 @@ func_mode_uninstall () exit $exit_status } -{ test "$mode" = uninstall || test "$mode" = clean; } && +{ test "$opt_mode" = uninstall || test "$opt_mode" = clean; } && func_mode_uninstall ${1+"$@"} -test -z "$mode" && { +test -z "$opt_mode" && { help="$generic_help" func_fatal_help "you must specify a MODE" } test -z "$exec_cmd" && \ - func_fatal_help "invalid operation mode \`$mode'" + func_fatal_help "invalid operation mode \`$opt_mode'" if test -n "$exec_cmd"; then eval exec "$exec_cmd" diff --git a/auto/missing b/auto/missing index 1c8ff70..db98974 100755 --- a/auto/missing +++ b/auto/missing @@ -1,11 +1,10 @@ #! /bin/sh -# Common stub for a few missing GNU programs while installing. +# Common wrapper for a few potentially missing GNU programs. -scriptversion=2006-05-10.23 +scriptversion=2013-10-28.13; # UTC -# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006 -# Free Software Foundation, Inc. -# Originally by Fran,cois Pinard , 1996. +# Copyright (C) 1996-2013 Free Software Foundation, Inc. +# Originally written by Fran,cois Pinard , 1996. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -18,9 +17,7 @@ scriptversion=2006-05-10.23 # GNU General Public License for more details. # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA -# 02110-1301, USA. +# along with this program. If not, see . # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a 
@@ -28,66 +25,40 @@ scriptversion=2006-05-10.23 # the same distribution terms that you use for the rest of that program. if test $# -eq 0; then - echo 1>&2 "Try \`$0 --help' for more information" + echo 1>&2 "Try '$0 --help' for more information" exit 1 fi -run=: -sed_output='s/.* --output[ =]\([^ ]*\).*/\1/p' -sed_minuso='s/.* -o \([^ ]*\).*/\1/p' - -# In the cases where this matters, `missing' is being run in the -# srcdir already. -if test -f configure.ac; then - configure_ac=configure.ac -else - configure_ac=configure.in -fi - -msg="missing on your system" - case $1 in ---run) - # Try to run requested program, and just exit if it succeeds. - run= - shift - "$@" && exit 0 - # Exit code 63 means version mismatch. This often happens - # when the user try to use an ancient version of a tool on - # a file that requires a minimum version. In this case we - # we should proceed has if the program had been absent, or - # if --run hadn't been passed. - if test $? = 63; then - run=: - msg="probably too old" - fi - ;; + + --is-lightweight) + # Used by our autoconf macros to check whether the available missing + # script is modern enough. + exit 0 + ;; + + --run) + # Back-compat with the calling convention used by older automake. + shift + ;; -h|--h|--he|--hel|--help) echo "\ $0 [OPTION]... PROGRAM [ARGUMENT]... -Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an -error status if there is no known handling for PROGRAM. +Run 'PROGRAM [ARGUMENT]...', returning a proper advice when this fails due +to PROGRAM being missing or too old. 
Options: -h, --help display this help and exit -v, --version output version information and exit - --run try to run the given command, and emulate it if it fails Supported PROGRAM values: - aclocal touch file \`aclocal.m4' - autoconf touch file \`configure' - autoheader touch file \`config.h.in' - autom4te touch the output file, or create a stub one - automake touch all \`Makefile.in' files - bison create \`y.tab.[ch]', if possible, from existing .[ch] - flex create \`lex.yy.c', if possible, from existing .c - help2man touch the output file - lex create \`lex.yy.c', if possible, from existing .c - makeinfo touch the output file - tar try tar, gnutar, gtar, then tar without non-portable flags - yacc create \`y.tab.[ch]', if possible, from existing .[ch] + aclocal autoconf autoheader autom4te automake makeinfo + bison yacc flex lex help2man + +Version suffixes to PROGRAM as well as the prefixes 'gnu-', 'gnu', and +'g' are ignored when checking the name. Send bug reports to ." exit $? 
@@ -99,269 +70,146 @@ Send bug reports to ." ;; -*) - echo 1>&2 "$0: Unknown \`$1' option" - echo 1>&2 "Try \`$0 --help' for more information" + echo 1>&2 "$0: unknown '$1' option" + echo 1>&2 "Try '$0 --help' for more information" exit 1 ;; esac -# Now exit if we have it, but it failed. Also exit now if we -# don't have it and --version was passed (most likely to detect -# the program). -case $1 in - lex|yacc) - # Not GNU programs, they don't have --version. +# Run the given program, remember its exit status. +"$@"; st=$? + +# If it succeeded, we are done. +test $st -eq 0 && exit 0 + +# Also exit now if we it failed (or wasn't found), and '--version' was +# passed; such an option is passed most likely to detect whether the +# program is present and works. +case $2 in --version|--help) exit $st;; esac + +# Exit code 63 means version mismatch. This often happens when the user +# tries to use an ancient version of a tool on a file that requires a +# minimum version. +if test $st -eq 63; then + msg="probably too old" +elif test $st -eq 127; then + # Program was missing. + msg="missing on your system" +else + # Program was found and executed, but failed. Give up. + exit $st +fi + +perl_URL=http://www.perl.org/ +flex_URL=http://flex.sourceforge.net/ +gnu_software_URL=http://www.gnu.org/software + +program_details () +{ + case $1 in + aclocal|automake) + echo "The '$1' program is part of the GNU Automake package:" + echo "<$gnu_software_URL/automake>" + echo "It also requires GNU Autoconf, GNU m4 and Perl in order to run:" + echo "<$gnu_software_URL/autoconf>" + echo "<$gnu_software_URL/m4/>" + echo "<$perl_URL>" + ;; + autoconf|autom4te|autoheader) + echo "The '$1' program is part of the GNU Autoconf package:" + echo "<$gnu_software_URL/autoconf/>" + echo "It also requires GNU m4 and Perl in order to run:" + echo "<$gnu_software_URL/m4/>" + echo "<$perl_URL>" + ;; + esac +} + +give_advice () +{ + # Normalize program name to check for. 
+ normalized_program=`echo "$1" | sed ' + s/^gnu-//; t + s/^gnu//; t + s/^g//; t'` + + printf '%s\n' "'$1' is $msg." + + configure_deps="'configure.ac' or m4 files included by 'configure.ac'" + case $normalized_program in + autoconf*) + echo "You should only need it if you modified 'configure.ac'," + echo "or m4 files included by it." + program_details 'autoconf' + ;; + autoheader*) + echo "You should only need it if you modified 'acconfig.h' or" + echo "$configure_deps." + program_details 'autoheader' + ;; + automake*) + echo "You should only need it if you modified 'Makefile.am' or" + echo "$configure_deps." + program_details 'automake' + ;; + aclocal*) + echo "You should only need it if you modified 'acinclude.m4' or" + echo "$configure_deps." + program_details 'aclocal' + ;; + autom4te*) + echo "You might have modified some maintainer files that require" + echo "the 'autom4te' program to be rebuilt." + program_details 'autom4te' + ;; + bison*|yacc*) + echo "You should only need it if you modified a '.y' file." + echo "You may want to install the GNU Bison package:" + echo "<$gnu_software_URL/bison/>" + ;; + lex*|flex*) + echo "You should only need it if you modified a '.l' file." + echo "You may want to install the Fast Lexical Analyzer package:" + echo "<$flex_URL>" + ;; + help2man*) + echo "You should only need it if you modified a dependency" \ + "of a man page." + echo "You may want to install the GNU Help2man package:" + echo "<$gnu_software_URL/help2man/>" ;; + makeinfo*) + echo "You should only need it if you modified a '.texi' file, or" + echo "any other file indirectly affecting the aspect of the manual." 
+ echo "You might want to install the Texinfo package:" + echo "<$gnu_software_URL/texinfo/>" + echo "The spurious makeinfo call might also be the consequence of" + echo "using a buggy 'make' (AIX, DU, IRIX), in which case you might" + echo "want to install GNU make:" + echo "<$gnu_software_URL/make/>" + ;; + *) + echo "You might have modified some files without having the proper" + echo "tools for further handling them. Check the 'README' file, it" + echo "often tells you about the needed prerequisites for installing" + echo "this package. You may also peek at any GNU archive site, in" + echo "case some other package contains this missing '$1' program." + ;; + esac +} - tar) - if test -n "$run"; then - echo 1>&2 "ERROR: \`tar' requires --run" - exit 1 - elif test "x$2" = "x--version" || test "x$2" = "x--help"; then - exit 1 - fi - ;; +give_advice "$1" | sed -e '1s/^/WARNING: /' \ + -e '2,$s/^/ /' >&2 - *) - if test -z "$run" && ($1 --version) > /dev/null 2>&1; then - # We have it, but it failed. - exit 1 - elif test "x$2" = "x--version" || test "x$2" = "x--help"; then - # Could not run --version or --help. This is probably someone - # running `$TOOL --version' or `$TOOL --help' to check whether - # $TOOL exists and not knowing $TOOL uses missing. - exit 1 - fi - ;; -esac - -# If it does not exist, or fails to run (possibly an outdated version), -# try to emulate it. -case $1 in - aclocal*) - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified \`acinclude.m4' or \`${configure_ac}'. You might want - to install the \`Automake' and \`Perl' packages. Grab them from - any GNU archive site." - touch aclocal.m4 - ;; - - autoconf) - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified \`${configure_ac}'. You might want to install the - \`Autoconf' and \`GNU m4' packages. Grab them from any GNU - archive site." - touch configure - ;; - - autoheader) - echo 1>&2 "\ -WARNING: \`$1' is $msg. 
You should only need it if - you modified \`acconfig.h' or \`${configure_ac}'. You might want - to install the \`Autoconf' and \`GNU m4' packages. Grab them - from any GNU archive site." - files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' ${configure_ac}` - test -z "$files" && files="config.h" - touch_files= - for f in $files; do - case $f in - *:*) touch_files="$touch_files "`echo "$f" | - sed -e 's/^[^:]*://' -e 's/:.*//'`;; - *) touch_files="$touch_files $f.in";; - esac - done - touch $touch_files - ;; - - automake*) - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified \`Makefile.am', \`acinclude.m4' or \`${configure_ac}'. - You might want to install the \`Automake' and \`Perl' packages. - Grab them from any GNU archive site." - find . -type f -name Makefile.am -print | - sed 's/\.am$/.in/' | - while read f; do touch "$f"; done - ;; - - autom4te) - echo 1>&2 "\ -WARNING: \`$1' is needed, but is $msg. - You might have modified some files without having the - proper tools for further handling them. - You can get \`$1' as part of \`Autoconf' from any GNU - archive site." - - file=`echo "$*" | sed -n "$sed_output"` - test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"` - if test -f "$file"; then - touch $file - else - test -z "$file" || exec >$file - echo "#! /bin/sh" - echo "# Created by GNU Automake missing as a replacement of" - echo "# $ $@" - echo "exit 0" - chmod +x $file - exit 1 - fi - ;; - - bison|yacc) - echo 1>&2 "\ -WARNING: \`$1' $msg. You should only need it if - you modified a \`.y' file. You may need the \`Bison' package - in order for those modifications to take effect. You can get - \`Bison' from any GNU archive site." 
- rm -f y.tab.c y.tab.h - if test $# -ne 1; then - eval LASTARG="\${$#}" - case $LASTARG in - *.y) - SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'` - if test -f "$SRCFILE"; then - cp "$SRCFILE" y.tab.c - fi - SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'` - if test -f "$SRCFILE"; then - cp "$SRCFILE" y.tab.h - fi - ;; - esac - fi - if test ! -f y.tab.h; then - echo >y.tab.h - fi - if test ! -f y.tab.c; then - echo 'main() { return 0; }' >y.tab.c - fi - ;; - - lex|flex) - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified a \`.l' file. You may need the \`Flex' package - in order for those modifications to take effect. You can get - \`Flex' from any GNU archive site." - rm -f lex.yy.c - if test $# -ne 1; then - eval LASTARG="\${$#}" - case $LASTARG in - *.l) - SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'` - if test -f "$SRCFILE"; then - cp "$SRCFILE" lex.yy.c - fi - ;; - esac - fi - if test ! -f lex.yy.c; then - echo 'main() { return 0; }' >lex.yy.c - fi - ;; - - help2man) - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified a dependency of a manual page. You may need the - \`Help2man' package in order for those modifications to take - effect. You can get \`Help2man' from any GNU archive site." - - file=`echo "$*" | sed -n "$sed_output"` - test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"` - if test -f "$file"; then - touch $file - else - test -z "$file" || exec >$file - echo ".ab help2man is required to generate this page" - exit 1 - fi - ;; - - makeinfo) - echo 1>&2 "\ -WARNING: \`$1' is $msg. You should only need it if - you modified a \`.texi' or \`.texinfo' file, or any other file - indirectly affecting the aspect of the manual. The spurious - call might also be the consequence of using a buggy \`make' (AIX, - DU, IRIX). You might want to install the \`Texinfo' package or - the \`GNU make' package. Grab either from any GNU archive site." - # The file to touch is that specified with -o ... 
- file=`echo "$*" | sed -n "$sed_output"` - test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"` - if test -z "$file"; then - # ... or it is the one specified with @setfilename ... - infile=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'` - file=`sed -n ' - /^@setfilename/{ - s/.* \([^ ]*\) *$/\1/ - p - q - }' $infile` - # ... or it is derived from the source name (dir/f.texi becomes f.info) - test -z "$file" && file=`echo "$infile" | sed 's,.*/,,;s,.[^.]*$,,'`.info - fi - # If the file does not exist, the user really needs makeinfo; - # let's fail without touching anything. - test -f $file || exit 1 - touch $file - ;; - - tar) - shift - - # We have already tried tar in the generic part. - # Look for gnutar/gtar before invocation to avoid ugly error - # messages. - if (gnutar --version > /dev/null 2>&1); then - gnutar "$@" && exit 0 - fi - if (gtar --version > /dev/null 2>&1); then - gtar "$@" && exit 0 - fi - firstarg="$1" - if shift; then - case $firstarg in - *o*) - firstarg=`echo "$firstarg" | sed s/o//` - tar "$firstarg" "$@" && exit 0 - ;; - esac - case $firstarg in - *h*) - firstarg=`echo "$firstarg" | sed s/h//` - tar "$firstarg" "$@" && exit 0 - ;; - esac - fi - - echo 1>&2 "\ -WARNING: I can't seem to be able to run \`tar' with the given arguments. - You may want to install GNU tar or Free paxutils, or check the - command line arguments." - exit 1 - ;; - - *) - echo 1>&2 "\ -WARNING: \`$1' is needed, and is $msg. - You might have modified some files without having the - proper tools for further handling them. Check the \`README' file, - it often tells you about the needed prerequisites for installing - this package. You may also peek at any GNU archive site, in case - some other package would contain this missing \`$1' program." - exit 1 - ;; -esac - -exit 0 +# Propagate the correct exit status (expected to be 127 for a program +# not found, 63 for a program that failed due to version mismatch). 
+exit $st # Local variables: # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-end: "$" +# time-stamp-time-zone: "UTC" +# time-stamp-end: "; # UTC" # End: diff --git a/build-android.sh b/build-android.sh index d46771c..faeec09 100755 --- a/build-android.sh +++ b/build-android.sh @@ -1,31 +1,25 @@ #!/bin/sh set -ev -VERSION=4.57 +VERSION=5.42 DST=stunnel-$VERSION-android -# to build Zlib: -# export CHOST=arm-linux-androideabi -# ./configure --static --prefix=/opt/androideabi/sysroot -# make -# make install - # to build OpenSSL: -# export CC=arm-linux-androideabi-gcc -# ./Configure linux-armv4 threads no-shared zlib no-dso --openssldir=/opt/androideabi/sysroot -# make +# ./Configure threads no-shared no-dso --cross-compile-prefix=arm-linux-androideabi- --openssldir=/opt/androideabi/sysroot linux-armv4 # make install +test -f Makefile && make distclean mkdir -p bin/android cd bin/android -../../configure --build=i686-pc-linux-gnu --host=arm-linux-androideabi --prefix=/data/local --with-ssl=/opt/androideabi/sysroot +../../configure --with-sysroot --build=i686-pc-linux-gnu --host=arm-linux-androideabi --prefix=/data/local make clean make cd ../.. mkdir $DST -cp bin/android/src/stunnel /opt/androideabi/sysroot/bin/openssl $DST +cp bin/android/src/stunnel $DST # arm-linux-androideabi-strip $DST/stunnel $DST/openssl -arm-linux-androideabi-strip $DST/openssl +# cp /opt/androideabi/sysroot/bin/openssl $DST +# arm-linux-androideabi-strip $DST/openssl zip -r $DST.zip $DST rm -rf $DST -sha256sum $DST.zip -mv $DST.zip ../dist/ +# sha256sum $DST.zip +# mv $DST.zip ../dist/ diff --git a/configure b/configure index 61e6e15..91512c1 100755 --- a/configure +++ b/configure 
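Review bot: The release zip is now produced without any recorded digest, because the packaging tail of build-android.sh comments out `sha256sum $DST.zip` along with the `mv` to `../dist/`. Anyone verifying the artifact later has nothing from build time to compare against. I would keep the digest step even while the move stays disabled, for example `sha256sum $DST.zip > $DST.zip.sha256`. Separately, the configure line replaces `--with-ssl=/opt/androideabi/sysroot` with a bare `--with-sysroot`, which appears to leave the choice of the OpenSSL that gets linked (statically, going by the `no-shared` build comment) to toolchain and configure defaults. A one-line comment naming the expected OpenSSL build and location, such as `# links against the OpenSSL installed in the toolchain sysroot (version: <OPENSSL_VERSION>)`, would make the binary's crypto provenance auditable.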
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for stunnel 4.57. +# Generated by GNU Autoconf 2.69 for stunnel 5.42. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -196,6 +196,14 @@ test -x / || exit 1" as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1 + + test -n \"\${ZSH_VERSION+set}\${BASH_VERSION+set}\" || ( + ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' + ECHO=\$ECHO\$ECHO\$ECHO\$ECHO\$ECHO + ECHO=\$ECHO\$ECHO\$ECHO\$ECHO\$ECHO\$ECHO + PATH=/empty FPATH=/empty; export PATH FPATH + test \"X\`printf %s \$ECHO\`\" = \"X\$ECHO\" \\ + || test \"X\`print -r -- \$ECHO\`\" = \"X\$ECHO\" ) || exit 1 test \$(( 1 + 1 )) = 2 || exit 1" if (eval "$as_required") 2>/dev/null; then : as_have_required=yes 
@@ -553,155 +561,8 @@ as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" # Sed expression to map a string onto a valid variable name. as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" - - -# Check that we are running under the correct shell. SHELL=${CONFIG_SHELL-/bin/sh} -case X$lt_ECHO in -X*--fallback-echo) - # Remove one level of quotation (which was required for Make). - ECHO=`echo "$lt_ECHO" | sed 's,\\\\\$\\$0,'$0','` - ;; -esac - -ECHO=${lt_ECHO-echo} -if test "X$1" = X--no-reexec; then - # Discard the --no-reexec flag, and continue. - shift -elif test "X$1" = X--fallback-echo; then - # Avoid inline document here, it may be left over - : -elif test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' ; then - # Yippee, $ECHO works! - : -else - # Restart under the correct shell. - exec $SHELL "$0" --no-reexec ${1+"$@"} -fi - -if test "X$1" = X--fallback-echo; then - # used as fallback echo - shift - cat <<_LT_EOF -$* -_LT_EOF - exit 0 -fi - -# The HP-UX ksh and POSIX shell print the target directory to stdout -# if CDPATH is set. -(unset CDPATH) >/dev/null 2>&1 && unset CDPATH - -if test -z "$lt_ECHO"; then - if test "X${echo_test_string+set}" != Xset; then - # find a string as large as possible, as long as the shell can cope with it - for cmd in 'sed 50q "$0"' 'sed 20q "$0"' 'sed 10q "$0"' 'sed 2q "$0"' 'echo test'; do - # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ... - if { echo_test_string=`eval $cmd`; } 2>/dev/null && - { test "X$echo_test_string" = "X$echo_test_string"; } 2>/dev/null - then - break - fi - done - fi - - if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' && - echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - : - else - # The Solaris, AIX, and Digital Unix default echo programs unquote - # backslashes. 
This makes it impossible to quote backslashes using - # echo "$something" | sed 's/\\/\\\\/g' - # - # So, first we look for a working echo in the user's PATH. - - lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR - for dir in $PATH /usr/ucb; do - IFS="$lt_save_ifs" - if (test -f $dir/echo || test -f $dir/echo$ac_exeext) && - test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' && - echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - ECHO="$dir/echo" - break - fi - done - IFS="$lt_save_ifs" - - if test "X$ECHO" = Xecho; then - # We didn't find a better echo, so look for alternatives. - if test "X`{ print -r '\t'; } 2>/dev/null`" = 'X\t' && - echo_testing_string=`{ print -r "$echo_test_string"; } 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - # This shell has a builtin print -r that does the trick. - ECHO='print -r' - elif { test -f /bin/ksh || test -f /bin/ksh$ac_exeext; } && - test "X$CONFIG_SHELL" != X/bin/ksh; then - # If we have ksh, try running configure again with it. - ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh} - export ORIGINAL_CONFIG_SHELL - CONFIG_SHELL=/bin/ksh - export CONFIG_SHELL - exec $CONFIG_SHELL "$0" --no-reexec ${1+"$@"} - else - # Try using printf. 
- ECHO='printf %s\n' - if test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t' && - echo_testing_string=`{ $ECHO "$echo_test_string"; } 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - # Cool, printf works - : - elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` && - test "X$echo_testing_string" = 'X\t' && - echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL - export CONFIG_SHELL - SHELL="$CONFIG_SHELL" - export SHELL - ECHO="$CONFIG_SHELL $0 --fallback-echo" - elif echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` && - test "X$echo_testing_string" = 'X\t' && - echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` && - test "X$echo_testing_string" = "X$echo_test_string"; then - ECHO="$CONFIG_SHELL $0 --fallback-echo" - else - # maybe with a smaller string... - prev=: - - for cmd in 'echo test' 'sed 2q "$0"' 'sed 10q "$0"' 'sed 20q "$0"' 'sed 50q "$0"'; do - if { test "X$echo_test_string" = "X`eval $cmd`"; } 2>/dev/null - then - break - fi - prev="$cmd" - done - - if test "$prev" != 'sed 50q "$0"'; then - echo_test_string=`eval $prev` - export echo_test_string - exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "$0" ${1+"$@"} - else - # Oops. We lost completely, so just stick with echo. - ECHO=echo - fi - fi - fi - fi - fi -fi - -# Copy echo and quote the copy suitably for passing to libtool from -# the Makefile, instead of quoting the original, which is used later. -lt_ECHO=$ECHO -if test "X$lt_ECHO" = "X$CONFIG_SHELL $0 --fallback-echo"; then - lt_ECHO="$CONFIG_SHELL \\\$\$0 --fallback-echo" -fi - - - test -n "$DJDIR" || exec 7<&0 &1 
@@ -726,8 +587,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='stunnel' PACKAGE_TARNAME='stunnel' -PACKAGE_VERSION='4.57' -PACKAGE_STRING='stunnel 4.57' +PACKAGE_VERSION='5.42' +PACKAGE_STRING='stunnel 5.42' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -782,9 +643,11 @@ OTOOL LIPO NMEDIT DSYMUTIL -lt_ECHO +MANIFEST_TOOL RANLIB +ac_ct_AR AR +DLLTOOL OBJDUMP LN_S NM @@ -796,12 +659,14 @@ EGREP GREP SED LIBTOOL -stunnel_LDFLAGF -stunnel_CFLAGS -stunnel_LDFLAGS +PTHREAD_CFLAGS +PTHREAD_LIBS +PTHREAD_CC +ax_pthread_config am__fastdepCC_FALSE am__fastdepCC_TRUE CCDEPMODE +am__nodep AMDEPBACKSLASH AMDEP_FALSE AMDEP_TRUE @@ -823,6 +688,12 @@ build_os build_vendor build_cpu build +AUTHOR_TESTS_FALSE +AUTHOR_TESTS_TRUE +AM_BACKSLASH +AM_DEFAULT_VERBOSITY +AM_DEFAULT_V +AM_V am__untar am__tar AMTAR @@ -865,6 +736,7 @@ infodir docdir oldincludedir includedir +runstatedir localstatedir sharedstatedir sysconfdir @@ -887,19 +759,23 @@ SHELL' ac_subst_files='' ac_user_opts=' enable_option_checking +enable_silent_rules enable_dependency_tracking +with_threads enable_static enable_shared with_pic enable_fast_install with_gnu_ld +with_sysroot enable_libtool_lock with_egd_socket with_random -with_threads +enable_largefile enable_ipv6 -enable_libwrap enable_fips +enable_systemd +enable_libwrap with_ssl ' ac_precious_vars='build_alias @@ -949,6 +825,7 @@ datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' +runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' 
@@ -1201,6 +1078,15 @@ do | -silent | --silent | --silen | --sile | --sil) silent=yes ;; + -runstatedir | --runstatedir | --runstatedi | --runstated \ + | --runstate | --runstat | --runsta | --runst | --runs \ + | --run | --ru | --r) + ac_prev=runstatedir ;; + -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ + | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ + | --run=* | --ru=* | --r=*) + runstatedir=$ac_optarg ;; + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ @@ -1338,7 +1224,7 @@ fi for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir + libdir localedir mandir runstatedir do eval ac_val=\$$ac_var # Remove trailing slashes. @@ -1451,7 +1337,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures stunnel 4.57 to adapt to many kinds of systems. +\`configure' configures stunnel 5.42 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1491,6 +1377,7 @@ Fine tuning of the installation directories: --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] + --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] 
@@ -1521,7 +1408,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of stunnel 4.57:";; + short | recursive ) echo "Configuration of stunnel 5.42:";; esac cat <<\_ACEOF 
@@ -1529,27 +1416,35 @@ Optional Features: --disable-option-checking ignore unrecognized --enable/--with options --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] - --disable-dependency-tracking speeds up one-time build - --enable-dependency-tracking do not reject slow dependency extractors + --enable-silent-rules less verbose build output (undo: "make V=1") + --disable-silent-rules verbose build output (undo: "make V=0") + --enable-dependency-tracking + do not reject slow dependency extractors + --disable-dependency-tracking + speeds up one-time build --enable-static[=PKGS] build static libraries [default=no] --enable-shared[=PKGS] build shared libraries [default=yes] --enable-fast-install[=PKGS] optimize for fast installation [default=yes] --disable-libtool-lock avoid locking (might break parallel builds) - --enable-ipv6 Enable IPv6 support - --disable-libwrap Disable TCP wrappers library support - --enable-fips Enable OpenSSL FIPS mode + --disable-largefile omit support for large files + --disable-ipv6 disable IPv6 support + --disable-fips disable OpenSSL FIPS support + --disable-systemd disable systemd socket activation support + --disable-libwrap disable TCP wrappers support Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) - --with-pic try to use only PIC/non-PIC objects [default=use + --with-threads=model select threading model (ucontext/pthread/fork) + --with-pic[=PKGS] try to use only PIC/non-PIC objects [default=use both] --with-gnu-ld assume the C compiler uses GNU ld [default=no] + --with-sysroot=DIR Search for dependent libraries within DIR + (or the compiler's sysroot if not specified). 
--with-egd-socket=FILE Entropy Gathering Daemon socket path --with-random=FILE read randomness from file (default=/dev/urandom) - --with-threads=model select threading model (ucontext/pthread/fork) - --with-ssl=DIR location of installed SSL libraries/include files + --with-ssl=DIR location of installed TLS libraries/include files Some influential environment variables: CC C compiler command @@ -1627,7 +1522,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -stunnel configure 4.57 +stunnel configure 5.42 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -1902,23 +1797,31 @@ $as_echo "$ac_res" >&6; } } # ac_fn_c_check_func -# ac_fn_c_compute_int LINENO EXPR VAR INCLUDES -# -------------------------------------------- -# Tries to find the compile-time value of EXPR in a program that includes -# INCLUDES, setting VAR accordingly. Returns whether the value could be -# computed -ac_fn_c_compute_int () +# ac_fn_c_find_intX_t LINENO BITS VAR +# ----------------------------------- +# Finds a signed integer type with width BITS, setting cache variable VAR +# accordingly. +ac_fn_c_find_intX_t () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - if test "$cross_compiling" = yes; then - # Depending upon the size, compute the lo and hi bounds. -cat confdefs.h - <<_ACEOF >conftest.$ac_ext + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for int$2_t" >&5 +$as_echo_n "checking for int$2_t... " >&6; } +if eval \${$3+:} false; then : + $as_echo_n "(cached) " >&6 +else + eval "$3=no" + # Order is important - never check a type that is potentially smaller + # than half of the expected target width. + for ac_type in int$2_t 'int' 'long int' \ + 'long long int' 'short int' 'signed char'; do + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -$4 +$ac_includes_default + enum { N = $2 / 2 - 1 }; int main () { -static int test_array [1 - 2 * !(($2) >= 0)]; +static int test_array [1 - 2 * !(0 < ($ac_type) ((((($ac_type) 1 << N) << N) - 1) * 2 + 1))]; test_array [0] = 0; return test_array [0]; 
@@ -1927,42 +1830,15 @@ return test_array [0]; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : - ac_lo=0 ac_mid=0 - while :; do - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$4 -int -main () -{ -static int test_array [1 - 2 * !(($2) <= $ac_mid)]; -test_array [0] = 0; -return test_array [0]; - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_hi=$ac_mid; break -else - as_fn_arith $ac_mid + 1 && ac_lo=$as_val - if test $ac_lo -le $ac_mid; then - ac_lo= ac_hi= - break - fi - as_fn_arith 2 '*' $ac_mid + 1 && ac_mid=$as_val -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - done -else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -$4 +$ac_includes_default + enum { N = $2 / 2 - 1 }; int main () { -static int test_array [1 - 2 * !(($2) < 0)]; +static int test_array [1 - 2 * !(($ac_type) ((((($ac_type) 1 << N) << N) - 1) * 2 + 1) + < ($ac_type) ((((($ac_type) 1 << N) << N) - 1) * 2 + 2))]; test_array [0] = 0; return test_array [0]; 
@@ -1971,119 +1847,85 @@ return test_array [0]; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : - ac_hi=-1 ac_mid=-1 - while :; do - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$4 -int -main () -{ -static int test_array [1 - 2 * !(($2) >= $ac_mid)]; -test_array [0] = 0; -return test_array [0]; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_lo=$ac_mid; break else - as_fn_arith '(' $ac_mid ')' - 1 && ac_hi=$as_val - if test $ac_mid -le $ac_hi; then - ac_lo= ac_hi= - break - fi - as_fn_arith 2 '*' $ac_mid && ac_mid=$as_val -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - done -else - ac_lo= ac_hi= -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -# Binary search between lo and hi bounds. -while test "x$ac_lo" != "x$ac_hi"; do - as_fn_arith '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo && ac_mid=$as_val - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ -$4 -int -main () -{ -static int test_array [1 - 2 * !(($2) <= $ac_mid)]; -test_array [0] = 0; -return test_array [0]; - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_hi=$ac_mid -else - as_fn_arith '(' $ac_mid ')' + 1 && ac_lo=$as_val -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -done -case $ac_lo in #(( -?*) eval "$3=\$ac_lo"; ac_retval=0 ;; -'') ac_retval=1 ;; + case $ac_type in #( + int$2_t) : + eval "$3=yes" ;; #( + *) : + eval "$3=\$ac_type" ;; esac - else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + if eval test \"x\$"$3"\" = x"no"; then : + +else + break +fi + done +fi +eval ac_res=\$$3 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + +} # ac_fn_c_find_intX_t + +# ac_fn_c_find_uintX_t LINENO BITS VAR +# ------------------------------------ +# Finds an unsigned integer type with width BITS, setting cache variable VAR +# accordingly. +ac_fn_c_find_uintX_t () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for uint$2_t" >&5 +$as_echo_n "checking for uint$2_t... " >&6; } +if eval \${$3+:} false; then : + $as_echo_n "(cached) " >&6 +else + eval "$3=no" + # Order is important - never check a type that is potentially smaller + # than half of the expected target width. + for ac_type in uint$2_t 'unsigned int' 'unsigned long int' \ + 'unsigned long long int' 'unsigned short int' 'unsigned char'; do + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -$4 -static long int longval () { return $2; } -static unsigned long int ulongval () { return $2; } -#include -#include +$ac_includes_default int main () { - - FILE *f = fopen ("conftest.val", "w"); - if (! 
f) - return 1; - if (($2) < 0) - { - long int i = longval (); - if (i != ($2)) - return 1; - fprintf (f, "%ld", i); - } - else - { - unsigned long int i = ulongval (); - if (i != ($2)) - return 1; - fprintf (f, "%lu", i); - } - /* Do not output a trailing newline, as this causes \r\n confusion - on some platforms. */ - return ferror (f) || fclose (f) != 0; +static int test_array [1 - 2 * !((($ac_type) -1 >> ($2 / 2 - 1)) >> ($2 / 2 - 1) == 3)]; +test_array [0] = 0; +return test_array [0]; ; return 0; } _ACEOF -if ac_fn_c_try_run "$LINENO"; then : - echo >>conftest.val; read $3 &5 +$as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - as_fn_set_status $ac_retval -} # ac_fn_c_compute_int +} # ac_fn_c_find_uintX_t # ac_fn_c_check_type LINENO TYPE VAR INCLUDES # ------------------------------------------- @@ -2286,7 +2128,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by stunnel $as_me 4.57, which was +It was created by stunnel $as_me 5.42, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2666,7 +2508,10 @@ ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var. -am__api_version='1.11' +ac_config_headers="$ac_config_headers src/config.h" + + +am__api_version='1.14' # Find a good install program. We prefer a C program (faster), # so one script is as good as another. But avoid the broken or @@ -2763,9 +2608,6 @@ test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether build environment is sane" >&5 $as_echo_n "checking whether build environment is sane... " >&6; } -# Just in case -sleep 1 -echo timestamp > conftest.file # Reject unsafe characters in $srcdir or the absolute working directory # name. Accept space and tab only in the latter. am_lf=' 
@@ -2776,32 +2618,40 @@ case `pwd` in esac case $srcdir in *[\\\"\#\$\&\'\`$am_lf\ \ ]*) - as_fn_error $? "unsafe srcdir value: \`$srcdir'" "$LINENO" 5;; + as_fn_error $? "unsafe srcdir value: '$srcdir'" "$LINENO" 5;; esac -# Do `set' in a subshell so we don't clobber the current shell's +# Do 'set' in a subshell so we don't clobber the current shell's # arguments. Must try -L first in case configure is actually a # symlink; some systems play weird games with the mod time of symlinks # (eg FreeBSD returns the mod time of the symlink's containing # directory). if ( - set X `ls -Lt "$srcdir/configure" conftest.file 2> /dev/null` - if test "$*" = "X"; then - # -L didn't work. - set X `ls -t "$srcdir/configure" conftest.file` - fi - rm -f conftest.file - if test "$*" != "X $srcdir/configure conftest.file" \ - && test "$*" != "X conftest.file $srcdir/configure"; then - - # If neither matched, then we have a broken ls. This can happen - # if, for instance, CONFIG_SHELL is bash and it inherits a - # broken ls alias from the environment. This has actually - # happened. Such a system could not be considered "sane". - as_fn_error $? "ls -t appears to fail. Make sure there is not a broken -alias in your environment" "$LINENO" 5 - fi + am_has_slept=no + for am_try in 1 2; do + echo "timestamp, slept: $am_has_slept" > conftest.file + set X `ls -Lt "$srcdir/configure" conftest.file 2> /dev/null` + if test "$*" = "X"; then + # -L didn't work. + set X `ls -t "$srcdir/configure" conftest.file` + fi + if test "$*" != "X $srcdir/configure conftest.file" \ + && test "$*" != "X conftest.file $srcdir/configure"; then + # If neither matched, then we have a broken ls. This can happen + # if, for instance, CONFIG_SHELL is bash and it inherits a + # broken ls alias from the environment. This has actually + # happened. Such a system could not be considered "sane". + as_fn_error $? "ls -t appears to fail. 
Make sure there is not a broken + alias in your environment" "$LINENO" 5 + fi + if test "$2" = conftest.file || test $am_try -eq 2; then + break + fi + # Just in case. + sleep 1 + am_has_slept=yes + done test "$2" = conftest.file ) then @@ -2813,6 +2663,16 @@ Check your system clock" "$LINENO" 5 fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } +# If we didn't sleep, we still need to ensure time stamps of config.status and +# generated files are strictly newer. +am_sleep_pid= +if grep 'slept: no' conftest.file >/dev/null 2>&1; then + ( sleep 1 ) & + am_sleep_pid=$! +fi + +rm -f conftest.file + test "$program_prefix" != NONE && program_transform_name="s&^&$program_prefix&;$program_transform_name" # Use a double $ so make ignores it. @@ -2823,8 +2683,8 @@ test "$program_suffix" != NONE && ac_script='s/[\\$]/&&/g;s/;s,x,x,$//' program_transform_name=`$as_echo "$program_transform_name" | sed "$ac_script"` -# expand $ac_aux_dir to an absolute path -am_aux_dir=`cd $ac_aux_dir && pwd` +# Expand $ac_aux_dir to an absolute path. +am_aux_dir=`cd "$ac_aux_dir" && pwd` if test x"${MISSING+set}" != xset; then case $am_aux_dir in @@ -2835,12 +2695,12 @@ if test x"${MISSING+set}" != xset; then esac fi # Use eval to expand $SHELL -if eval "$MISSING --run true"; then - am_missing_run="$MISSING --run " +if eval "$MISSING --is-lightweight"; then + am_missing_run="$MISSING " else am_missing_run= - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: \`missing' script is too old or missing" >&5 -$as_echo "$as_me: WARNING: \`missing' script is too old or missing" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: 'missing' script is too old or missing" >&5 +$as_echo "$as_me: WARNING: 'missing' script is too old or missing" >&2;} fi if test x"${install_sh}" != xset; then 
@@ -2852,10 +2712,10 @@ if test x"${install_sh}" != xset; then esac fi -# Installed binaries are usually stripped using `strip' when the user -# run `make install-strip'. However `strip' might not be the right +# Installed binaries are usually stripped using 'strip' when the user +# run "make install-strip". However 'strip' might not be the right # tool to use in cross-compilation environments, therefore Automake -# will honor the `STRIP' environment variable to overrule this program. +# will honor the 'STRIP' environment variable to overrule this program. if test "$cross_compiling" != no; then if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args. @@ -2994,12 +2854,6 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MKDIR_P" >&5 $as_echo "$MKDIR_P" >&6; } -mkdir_p="$MKDIR_P" -case $mkdir_p in - [\\/$]* | ?:[\\/]*) ;; - */*) mkdir_p="\$(top_builddir)/$mkdir_p" ;; -esac - for ac_prog in gawk mawk nawk awk do # Extract the first word of "$ac_prog", so it can be a program name with args. 
@@ -3082,6 +2936,45 @@ else fi rmdir .tst 2>/dev/null +# Check whether --enable-silent-rules was given. +if test "${enable_silent_rules+set}" = set; then : + enableval=$enable_silent_rules; +fi + +case $enable_silent_rules in # ((( + yes) AM_DEFAULT_VERBOSITY=0;; + no) AM_DEFAULT_VERBOSITY=1;; + *) AM_DEFAULT_VERBOSITY=1;; +esac +am_make=${MAKE-make} +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $am_make supports nested variables" >&5 +$as_echo_n "checking whether $am_make supports nested variables... " >&6; } +if ${am_cv_make_support_nested_variables+:} false; then : + $as_echo_n "(cached) " >&6 +else + if $as_echo 'TRUE=$(BAR$(V)) +BAR0=false +BAR1=true +V=1 +am__doit: + @$(TRUE) +.PHONY: am__doit' | $am_make -f - >/dev/null 2>&1; then + am_cv_make_support_nested_variables=yes +else + am_cv_make_support_nested_variables=no +fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_make_support_nested_variables" >&5 +$as_echo "$am_cv_make_support_nested_variables" >&6; } +if test $am_cv_make_support_nested_variables = yes; then + AM_V='$(V)' + AM_DEFAULT_V='$(AM_DEFAULT_VERBOSITY)' +else + AM_V=$AM_DEFAULT_VERBOSITY + AM_DEFAULT_V=$AM_DEFAULT_VERBOSITY +fi +AM_BACKSLASH='\' + if test "`cd $srcdir && pwd`" != "`pwd`"; then # Use -I$(srcdir) only when $(srcdir) != ., so that make's output # is not polluted with repeated "-I." @@ -3103,8 +2996,8 @@ fi # Define the identity of the package. - PACKAGE=stunnel - VERSION=4.57 + PACKAGE='stunnel' + VERSION='5.42' cat >>confdefs.h <<_ACEOF 
@@ -3132,24 +3025,79 @@ AUTOHEADER=${AUTOHEADER-"${am_missing_run}autoheader"} MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"} +# For better backward compatibility. To be removed once Automake 1.9.x +# dies out for good. For more background, see: +# +# +mkdir_p='$(MKDIR_P)' + # We need awk for the "check" target. The system "awk" is bad on # some platforms. -# Always define AMTAR for backward compatibility. +# Always define AMTAR for backward compatibility. Yes, it's still used +# in the wild :-( We should find a proper way to deprecate it ... +AMTAR='$${TAR-tar}' -AMTAR=${AMTAR-"${am_missing_run}tar"} -am__tar='${AMTAR} chof - "$$tardir"'; am__untar='${AMTAR} xf -' +# We'll loop over all known methods to create a tar archive until one works. +_am_tools='gnutar pax cpio none' + +am__tar='$${TAR-tar} chof - "$$tardir"' am__untar='$${TAR-tar} xf -' -ac_config_headers="$ac_config_headers src/config.h" + +# POSIX will say in a future version that running "rm -f" with no argument +# is OK; and we want to be able to make that assumption in our Makefile +# recipes. So use an aggressive probe to check that the usage we want is +# actually supported "in the wild" to an acceptable degree. +# See automake bug#10828. +# To make any issue more visible, cause the running configure to be aborted +# by default if the 'rm' program in use doesn't match our expectations; the +# user can still override this though. +if rm -f && rm -fr && rm -rf; then : OK; else + cat >&2 <<'END' +Oops! + +Your 'rm' program seems unable to run without file operands specified +on the command line, even when the '-f' option is present. This is contrary +to the behaviour of most rm programs out there, and not conforming with +the upcoming POSIX standard: + +Please tell bug-automake@gnu.org about your system, including the value +of your $PATH and any error possibly output before this message. This +can help us improve future automake versions. 
+ +END + if test x"$ACCEPT_INFERIOR_RM_PROGRAM" = x"yes"; then + echo 'Configuration will proceed anyway, since you have set the' >&2 + echo 'ACCEPT_INFERIOR_RM_PROGRAM variable to "yes"' >&2 + echo >&2 + else + cat >&2 <<'END' +Aborting the configuration process, to ensure you take notice of the issue. + +You can download and install GNU coreutils to get an 'rm' implementation +that behaves properly: . + +If you want to complete the configuration process using your problematic +'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM +to "yes", and re-run configure. + +END + as_fn_error $? "Your 'rm' program is bad, sorry." "$LINENO" 5 + fi +fi - -$as_echo "#define _GNU_SOURCE 1" >>confdefs.h - + if test -d ".git"; then + AUTHOR_TESTS_TRUE= + AUTHOR_TESTS_FALSE='#' +else + AUTHOR_TESTS_TRUE='#' + AUTHOR_TESTS_FALSE= +fi # Make sure we can run config.sub. $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 || @@ -3242,6 +3190,24 @@ cat >>confdefs.h <<_ACEOF _ACEOF +case "$host_os" in +*darwin*) + # OSX does not declare ucontext without _XOPEN_SOURCE + +$as_echo "#define _XOPEN_SOURCE 500" >>confdefs.h + + # OSX does not declare chroot() without _DARWIN_C_SOURCE + +$as_echo "#define _DARWIN_C_SOURCE 1" >>confdefs.h + + ;; +*) + +$as_echo "#define _GNU_SOURCE 1" >>confdefs.h + + ;; +esac + ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' 
@@ -4030,6 +3996,65 @@ ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC understands -c and -o together" >&5 +$as_echo_n "checking whether $CC understands -c and -o together... " >&6; } +if ${am_cv_prog_cc_c_o+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF + # Make sure it works both with $CC and with simple cc. + # Following AC_PROG_CC_C_O, we do the test twice because some + # compilers refuse to overwrite an existing .o file with -o, + # though they will create one. + am_cv_prog_cc_c_o=yes + for am_i in 1 2; do + if { echo "$as_me:$LINENO: $CC -c conftest.$ac_ext -o conftest2.$ac_objext" >&5 + ($CC -c conftest.$ac_ext -o conftest2.$ac_objext) >&5 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } \ + && test -f conftest2.$ac_objext; then + : OK + else + am_cv_prog_cc_c_o=no + break + fi + done + rm -f core conftest* + unset am_i +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_prog_cc_c_o" >&5 +$as_echo "$am_cv_prog_cc_c_o" >&6; } +if test "$am_cv_prog_cc_c_o" != yes; then + # Losing compiler, so override with the script. + # FIXME: It is wrong to rewrite CC. + # But if we don't then we get into trouble of one sort or another. 
+ # A longer-term fix would be to have automake use am__CC in this case, + # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)" + CC="$am_aux_dir/compile $CC" +fi +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + DEPDIR="${am__leading_dot}deps" ac_config_commands="$ac_config_commands depfiles" @@ -4049,7 +4074,7 @@ am__quote= _am_result=none # First try GNU make style include. echo "include confinc" > confmf -# Ignore all kinds of additional output from `make'. +# Ignore all kinds of additional output from 'make'. case `$am_make -s -f confmf 2> /dev/null` in #( *the\ am__doit\ target*) am__include=include @@ -4082,6 +4107,7 @@ fi if test "x$enable_dependency_tracking" != xno; then am_depcomp="$ac_aux_dir/depcomp" AMDEPBACKSLASH='\' + am__nodep='_no' fi if test "x$enable_dependency_tracking" != xno; then AMDEP_TRUE= @@ -4104,8 +4130,9 @@ else # We make a subdir and do the tests there. Otherwise we can end up # making bogus files that we don't know about and never remove. For # instance it was reported that on HP-UX the gcc test will end up - # making a dummy file named `D' -- because `-MD' means `put the output - # in D'. + # making a dummy file named 'D' -- because '-MD' means "put the output + # in D". + rm -rf conftest.dir mkdir conftest.dir # Copy depcomp to subdir because otherwise we won't find it if we're # using a relative directory. 
@@ -4139,16 +4166,16 @@ else : > sub/conftest.c for i in 1 2 3 4 5 6; do echo '#include "conftst'$i'.h"' >> sub/conftest.c - # Using `: > sub/conftst$i.h' creates only sub/conftst1.h with - # Solaris 8's {/usr,}/bin/sh. - touch sub/conftst$i.h + # Using ": > sub/conftst$i.h" creates only sub/conftst1.h with + # Solaris 10 /bin/sh. + echo '/* dummy */' > sub/conftst$i.h done echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf - # We check with `-c' and `-o' for the sake of the "dashmstdout" + # We check with '-c' and '-o' for the sake of the "dashmstdout" # mode. It turns out that the SunPro C++ compiler does not properly - # handle `-M -o', and we need to detect this. Also, some Intel - # versions had trouble with output in subdirs + # handle '-M -o', and we need to detect this. Also, some Intel + # versions had trouble with output in subdirs. am__obj=sub/conftest.${OBJEXT-o} am__minus_obj="-o $am__obj" case $depmode in @@ -4157,16 +4184,16 @@ else test "$am__universal" = false || continue ;; nosideeffect) - # after this tag, mechanisms are not by side-effect, so they'll - # only be used when explicitly requested + # After this tag, mechanisms are not by side-effect, so they'll + # only be used when explicitly requested. if test "x$enable_dependency_tracking" = xyes; then continue else break fi ;; - msvisualcpp | msvcmsys) - # This compiler won't grok `-c -o', but also, the minuso test has + msvc7 | msvc7msys | msvisualcpp | msvcmsys) + # This compiler won't grok '-c -o', but also, the minuso test has # not run yet. These depmodes are late enough in the game, and # so weak that their functioning should not be impacted. am__obj=conftest.${OBJEXT-o} 
@@ -4220,131 +4247,6 @@ else fi -if test "x$CC" != xcc; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC and cc understand -c and -o together" >&5 -$as_echo_n "checking whether $CC and cc understand -c and -o together... " >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether cc understands -c and -o together" >&5 -$as_echo_n "checking whether cc understands -c and -o together... " >&6; } -fi -set dummy $CC; ac_cc=`$as_echo "$2" | - sed 's/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/'` -if eval \${ac_cv_prog_cc_${ac_cc}_c_o+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -# Make sure it works both with $CC and with simple cc. -# We do the test twice because some compilers refuse to overwrite an -# existing .o file with -o, though they will create one. -ac_try='$CC -c conftest.$ac_ext -o conftest2.$ac_objext >&5' -rm -f conftest2.* -if { { case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_try") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && - test -f conftest2.$ac_objext && { { case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_try") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; -then - eval ac_cv_prog_cc_${ac_cc}_c_o=yes - if test "x$CC" != xcc; then - # Test first that cc exists at all. 
- if { ac_try='cc -c conftest.$ac_ext >&5' - { { case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_try") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; }; then - ac_try='cc -c conftest.$ac_ext -o conftest2.$ac_objext >&5' - rm -f conftest2.* - if { { case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_try") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && - test -f conftest2.$ac_objext && { { case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_try") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; - then - # cc works too. - : - else - # cc exists but doesn't like -o. - eval ac_cv_prog_cc_${ac_cc}_c_o=no - fi - fi - fi -else - eval ac_cv_prog_cc_${ac_cc}_c_o=no -fi -rm -f core conftest* - -fi -if eval test \$ac_cv_prog_cc_${ac_cc}_c_o = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - -$as_echo "#define NO_MINUS_C_MINUS_O 1" >>confdefs.h - -fi - -# FIXME: we rely on the cache variable name because -# there is no other way. -set dummy $CC -am_cc=`echo $2 | sed 's/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/'` -eval am_t=\$ac_cv_prog_cc_${am_cc}_c_o -if test "$am_t" != yes; then - # Losing compiler, so override with the script. - # FIXME: It is wrong to rewrite CC. 
- # But if we don't then we get into trouble of one sort or another. - # A longer-term fix would be to have automake use am__CC in this case, - # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)" - CC="$am_aux_dir/compile $CC" -fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} sets \$(MAKE)" >&5 
@@ -4378,166 +4280,1914 @@ $as_echo "no" >&6; } SET_MAKE="MAKE=${MAKE-make}" fi +# silent build by default +# Check whether --enable-silent-rules was given. +if test "${enable_silent_rules+set}" = set; then : + enableval=$enable_silent_rules; +fi + +case $enable_silent_rules in # ((( + yes) AM_DEFAULT_VERBOSITY=0;; + no) AM_DEFAULT_VERBOSITY=1;; + *) AM_DEFAULT_VERBOSITY=0;; +esac +am_make=${MAKE-make} +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $am_make supports nested variables" >&5 +$as_echo_n "checking whether $am_make supports nested variables... " >&6; } +if ${am_cv_make_support_nested_variables+:} false; then : + $as_echo_n "(cached) " >&6 +else + if $as_echo 'TRUE=$(BAR$(V)) +BAR0=false +BAR1=true +V=1 +am__doit: + @$(TRUE) +.PHONY: am__doit' | $am_make -f - >/dev/null 2>&1; then + am_cv_make_support_nested_variables=yes +else + am_cv_make_support_nested_variables=no +fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_make_support_nested_variables" >&5 +$as_echo "$am_cv_make_support_nested_variables" >&6; } +if test $am_cv_make_support_nested_variables = yes; then + AM_V='$(V)' + AM_DEFAULT_V='$(AM_DEFAULT_VERBOSITY)' +else + AM_V=$AM_DEFAULT_VERBOSITY + AM_DEFAULT_V=$AM_DEFAULT_VERBOSITY +fi +AM_BACKSLASH='\' + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: **************************************** thread model" >&5 +$as_echo "$as_me: **************************************** thread model" >&6;} +# thread detection should be done first, as it may change the CC variable + + + +# Check whether --with-threads was given. 
+if test "${with_threads+set}" = set; then : + withval=$with_threads; + case "$withval" in + ucontext) + { $as_echo "$as_me:${as_lineno-$LINENO}: UCONTEXT mode selected" >&5 +$as_echo "$as_me: UCONTEXT mode selected" >&6;} + +$as_echo "#define USE_UCONTEXT 1" >>confdefs.h + + ;; + pthread) + { $as_echo "$as_me:${as_lineno-$LINENO}: PTHREAD mode selected" >&5 +$as_echo "$as_me: PTHREAD mode selected" >&6;} + + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + +ax_pthread_ok=no + +# We used to check for pthread.h first, but this fails if pthread.h +# requires special compiler flags (e.g. on True64 or Sequent). +# It gets checked for in the link test anyway. + +# First of all, check if the user has set any of the PTHREAD_LIBS, +# etcetera environment variables, and if threads linking works using +# them: +if test x"$PTHREAD_LIBS$PTHREAD_CFLAGS" != x; then + save_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $PTHREAD_CFLAGS" + save_LIBS="$LIBS" + LIBS="$PTHREAD_LIBS $LIBS" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS" >&5 +$as_echo_n "checking for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char pthread_join (); +int +main () +{ +return pthread_join (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ax_pthread_ok=yes +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_pthread_ok" >&5 +$as_echo "$ax_pthread_ok" >&6; } + if test x"$ax_pthread_ok" = xno; then + PTHREAD_LIBS="" + PTHREAD_CFLAGS="" + fi + LIBS="$save_LIBS" + CFLAGS="$save_CFLAGS" +fi + +# We must check for the threads library under a number of different +# names; the ordering is very important because some systems +# (e.g. DEC) have both -lpthread and -lpthreads, where one of the +# libraries is broken (non-POSIX). + +# Create a list of thread flags to try. Items starting with a "-" are +# C compiler flags, and other items are library names, except for "none" +# which indicates that we try without any flags at all, and "pthread-config" +# which is a program returning the flags for the Pth emulation library. + +ax_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config" + +# The ordering *is* (sometimes) important. Some notes on the +# individual items follow: + +# pthreads: AIX (must check this before -lpthread) +# none: in case threads are in libc; should be tried before -Kthread and +# other compiler flags to prevent continual compiler warnings +# -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h) +# -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able) +# lthread: LinuxThreads port on FreeBSD (also preferred to -pthread) +# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads) +# -pthreads: Solaris/gcc +# -mthreads: Mingw32/gcc, Lynx/gcc +# -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it +# doesn't hurt to check since this sometimes defines pthreads too; +# also defines -D_REENTRANT) +# ... 
-mt is also the pthreads flag for HP/aCC +# pthread: Linux, etcetera +# --thread-safe: KAI C++ +# pthread-config: use pthread-config program (for GNU Pth library) + +case ${host_os} in + solaris*) + + # On Solaris (at least, for some versions), libc contains stubbed + # (non-functional) versions of the pthreads routines, so link-based + # tests will erroneously succeed. (We need to link with -pthreads/-mt/ + # -lpthread.) (The stubs are missing pthread_cleanup_push, or rather + # a function called by this macro, so we could check for that, but + # who knows whether they'll stub that too in a future libc.) So, + # we'll just look for -pthreads and -lpthread first: + + ax_pthread_flags="-pthreads pthread -mt -pthread $ax_pthread_flags" + ;; + + darwin*) + ax_pthread_flags="-pthread $ax_pthread_flags" + ;; +esac + +# Clang doesn't consider unrecognized options an error unless we specify +# -Werror. We throw in some extra Clang-specific options to ensure that +# this doesn't happen for GCC, which also accepts -Werror. + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if compiler needs -Werror to reject unknown flags" >&5 +$as_echo_n "checking if compiler needs -Werror to reject unknown flags... " >&6; } +save_CFLAGS="$CFLAGS" +ax_pthread_extra_flags="-Werror" +CFLAGS="$CFLAGS $ax_pthread_extra_flags -Wunknown-warning-option -Wsizeof-array-argument" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +int foo(void); +int +main () +{ +foo() + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + ax_pthread_extra_flags= + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +CFLAGS="$save_CFLAGS" + +if test x"$ax_pthread_ok" = xno; then +for flag in $ax_pthread_flags; do + + case $flag in + none) + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether pthreads work without any flags" >&5 +$as_echo_n "checking whether pthreads work without any flags... " >&6; } + ;; + + -*) + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether pthreads work with $flag" >&5 +$as_echo_n "checking whether pthreads work with $flag... " >&6; } + PTHREAD_CFLAGS="$flag" + ;; + + pthread-config) + # Extract the first word of "pthread-config", so it can be a program name with args. +set dummy pthread-config; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ax_pthread_config+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ax_pthread_config"; then + ac_cv_prog_ax_pthread_config="$ax_pthread_config" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ax_pthread_config="yes" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + test -z "$ac_cv_prog_ax_pthread_config" && ac_cv_prog_ax_pthread_config="no" +fi +fi +ax_pthread_config=$ac_cv_prog_ax_pthread_config +if test -n "$ax_pthread_config"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_pthread_config" >&5 +$as_echo "$ax_pthread_config" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + if test x"$ax_pthread_config" = xno; then continue; fi + PTHREAD_CFLAGS="`pthread-config --cflags`" + PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`" + ;; + + *) + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for the pthreads library -l$flag" >&5 +$as_echo_n "checking for the pthreads library -l$flag... " >&6; } + PTHREAD_LIBS="-l$flag" + ;; + esac + + save_LIBS="$LIBS" + save_CFLAGS="$CFLAGS" + LIBS="$PTHREAD_LIBS $LIBS" + CFLAGS="$CFLAGS $PTHREAD_CFLAGS $ax_pthread_extra_flags" + + # Check for various functions. We must include pthread.h, + # since some functions may be macros. (On the Sequent, we + # need a special flag -Kthread to make this header compile.) + # We check for pthread_join because it is in -lpthread on IRIX + # while pthread_create is in libc. We check for pthread_attr_init + # due to DEC craziness with -lpthreads. We check for + # pthread_cleanup_push because it is one of the few pthread + # functions on Solaris that doesn't have a non-functional libc stub. + # We try pthread_create on general principles. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +#include + static void routine(void *a) { a = 0; } + static void *start_routine(void *a) { return a; } +int +main () +{ +pthread_t th; pthread_attr_t attr; + pthread_create(&th, 0, start_routine, 0); + pthread_join(th, 0); + pthread_attr_init(&attr); + pthread_cleanup_push(routine, 0); + pthread_cleanup_pop(0) /* ; */ + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ax_pthread_ok=yes +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + + LIBS="$save_LIBS" + CFLAGS="$save_CFLAGS" + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_pthread_ok" >&5 +$as_echo "$ax_pthread_ok" >&6; } + if test "x$ax_pthread_ok" = xyes; then + break; + fi + + PTHREAD_LIBS="" + PTHREAD_CFLAGS="" +done +fi + +# Various other checks: +if test "x$ax_pthread_ok" = xyes; then + save_LIBS="$LIBS" + LIBS="$PTHREAD_LIBS $LIBS" + save_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $PTHREAD_CFLAGS" + + # Detect AIX lossage: JOINABLE attribute is called UNDETACHED. + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for joinable pthread attribute" >&5 +$as_echo_n "checking for joinable pthread attribute... " >&6; } + attr_name=unknown + for attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +int attr = $attr; return attr /* ; */ + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + attr_name=$attr; break +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + done + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $attr_name" >&5 +$as_echo "$attr_name" >&6; } + if test "$attr_name" != PTHREAD_CREATE_JOINABLE; then + +cat >>confdefs.h <<_ACEOF +#define PTHREAD_CREATE_JOINABLE $attr_name +_ACEOF + + fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if more special flags are required for pthreads" >&5 +$as_echo_n "checking if more special flags are required for pthreads... 
" >&6; } + flag=no + case ${host_os} in + aix* | freebsd* | darwin*) flag="-D_THREAD_SAFE";; + osf* | hpux*) flag="-D_REENTRANT";; + solaris*) + if test "$GCC" = "yes"; then + flag="-D_REENTRANT" + else + # TODO: What about Clang on Solaris? + flag="-mt -D_REENTRANT" + fi + ;; + esac + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $flag" >&5 +$as_echo "$flag" >&6; } + if test "x$flag" != xno; then + PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS" + fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PTHREAD_PRIO_INHERIT" >&5 +$as_echo_n "checking for PTHREAD_PRIO_INHERIT... " >&6; } +if ${ax_cv_PTHREAD_PRIO_INHERIT+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +int i = PTHREAD_PRIO_INHERIT; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ax_cv_PTHREAD_PRIO_INHERIT=yes +else + ax_cv_PTHREAD_PRIO_INHERIT=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_PTHREAD_PRIO_INHERIT" >&5 +$as_echo "$ax_cv_PTHREAD_PRIO_INHERIT" >&6; } + if test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes"; then : + +$as_echo "#define HAVE_PTHREAD_PRIO_INHERIT 1" >>confdefs.h + +fi + + LIBS="$save_LIBS" + CFLAGS="$save_CFLAGS" + + # More AIX lossage: compile with *_r variant + if test "x$GCC" != xyes; then + case $host_os in + aix*) + case "x/$CC" in #( + x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6) : + #handle absolute path differently from PATH based program lookup + case "x$CC" in #( + x/*) : + if as_fn_executable_p ${CC}_r; then : + PTHREAD_CC="${CC}_r" +fi ;; #( + *) : + for ac_prog in ${CC}_r +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... 
" >&6; } +if ${ac_cv_prog_PTHREAD_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$PTHREAD_CC"; then + ac_cv_prog_PTHREAD_CC="$PTHREAD_CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_PTHREAD_CC="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +PTHREAD_CC=$ac_cv_prog_PTHREAD_CC +if test -n "$PTHREAD_CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PTHREAD_CC" >&5 +$as_echo "$PTHREAD_CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$PTHREAD_CC" && break +done +test -n "$PTHREAD_CC" || PTHREAD_CC="$CC" + ;; +esac ;; #( + *) : + ;; +esac + ;; + esac + fi +fi + +test -n "$PTHREAD_CC" || PTHREAD_CC="$CC" + + + + + +# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND: +if test x"$ax_pthread_ok" = xyes; then + +$as_echo "#define HAVE_PTHREAD 1" >>confdefs.h + + : +else + ax_pthread_ok=no + +fi +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + + LIBS="$PTHREAD_LIBS $LIBS" + CFLAGS="$CFLAGS $PTHREAD_CFLAGS" + CC="$PTHREAD_CC" + +$as_echo "#define USE_PTHREAD 1" >>confdefs.h + + ;; + fork) + { $as_echo "$as_me:${as_lineno-$LINENO}: FORK mode selected" >&5 +$as_echo "$as_me: FORK mode selected" >&6;} + +$as_echo "#define USE_FORK 1" >>confdefs.h + + ;; + *) + as_fn_error $? 
"Unknown thread model \"${withval}\"" "$LINENO" 5 + ;; + esac + +else + + # do not attempt to autodetect UCONTEXT threading + + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + +ax_pthread_ok=no + +# We used to check for pthread.h first, but this fails if pthread.h +# requires special compiler flags (e.g. on True64 or Sequent). +# It gets checked for in the link test anyway. + +# First of all, check if the user has set any of the PTHREAD_LIBS, +# etcetera environment variables, and if threads linking works using +# them: +if test x"$PTHREAD_LIBS$PTHREAD_CFLAGS" != x; then + save_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $PTHREAD_CFLAGS" + save_LIBS="$LIBS" + LIBS="$PTHREAD_LIBS $LIBS" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS" >&5 +$as_echo_n "checking for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char pthread_join (); +int +main () +{ +return pthread_join (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ax_pthread_ok=yes +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_pthread_ok" >&5 +$as_echo "$ax_pthread_ok" >&6; } + if test x"$ax_pthread_ok" = xno; then + PTHREAD_LIBS="" + PTHREAD_CFLAGS="" + fi + LIBS="$save_LIBS" + CFLAGS="$save_CFLAGS" +fi + +# We must check for the threads library under a number of different +# names; the ordering is very important because some systems +# (e.g. DEC) have both -lpthread and -lpthreads, where one of the +# libraries is broken (non-POSIX). + +# Create a list of thread flags to try. Items starting with a "-" are +# C compiler flags, and other items are library names, except for "none" +# which indicates that we try without any flags at all, and "pthread-config" +# which is a program returning the flags for the Pth emulation library. + +ax_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config" + +# The ordering *is* (sometimes) important. Some notes on the +# individual items follow: + +# pthreads: AIX (must check this before -lpthread) +# none: in case threads are in libc; should be tried before -Kthread and +# other compiler flags to prevent continual compiler warnings +# -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h) +# -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able) +# lthread: LinuxThreads port on FreeBSD (also preferred to -pthread) +# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads) +# -pthreads: Solaris/gcc +# -mthreads: Mingw32/gcc, Lynx/gcc +# -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it +# doesn't hurt to check since this sometimes defines pthreads too; +# also defines -D_REENTRANT) +# ... 
-mt is also the pthreads flag for HP/aCC +# pthread: Linux, etcetera +# --thread-safe: KAI C++ +# pthread-config: use pthread-config program (for GNU Pth library) + +case ${host_os} in + solaris*) + + # On Solaris (at least, for some versions), libc contains stubbed + # (non-functional) versions of the pthreads routines, so link-based + # tests will erroneously succeed. (We need to link with -pthreads/-mt/ + # -lpthread.) (The stubs are missing pthread_cleanup_push, or rather + # a function called by this macro, so we could check for that, but + # who knows whether they'll stub that too in a future libc.) So, + # we'll just look for -pthreads and -lpthread first: + + ax_pthread_flags="-pthreads pthread -mt -pthread $ax_pthread_flags" + ;; + + darwin*) + ax_pthread_flags="-pthread $ax_pthread_flags" + ;; +esac + +# Clang doesn't consider unrecognized options an error unless we specify +# -Werror. We throw in some extra Clang-specific options to ensure that +# this doesn't happen for GCC, which also accepts -Werror. + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if compiler needs -Werror to reject unknown flags" >&5 +$as_echo_n "checking if compiler needs -Werror to reject unknown flags... " >&6; } +save_CFLAGS="$CFLAGS" +ax_pthread_extra_flags="-Werror" +CFLAGS="$CFLAGS $ax_pthread_extra_flags -Wunknown-warning-option -Wsizeof-array-argument" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +int foo(void); +int +main () +{ +foo() + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + ax_pthread_extra_flags= + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +CFLAGS="$save_CFLAGS" + +if test x"$ax_pthread_ok" = xno; then +for flag in $ax_pthread_flags; do + + case $flag in + none) + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether pthreads work without any flags" >&5 +$as_echo_n "checking whether pthreads work without any flags... " >&6; } + ;; + + -*) + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether pthreads work with $flag" >&5 +$as_echo_n "checking whether pthreads work with $flag... " >&6; } + PTHREAD_CFLAGS="$flag" + ;; + + pthread-config) + # Extract the first word of "pthread-config", so it can be a program name with args. +set dummy pthread-config; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ax_pthread_config+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ax_pthread_config"; then + ac_cv_prog_ax_pthread_config="$ax_pthread_config" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ax_pthread_config="yes" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + test -z "$ac_cv_prog_ax_pthread_config" && ac_cv_prog_ax_pthread_config="no" +fi +fi +ax_pthread_config=$ac_cv_prog_ax_pthread_config +if test -n "$ax_pthread_config"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_pthread_config" >&5 +$as_echo "$ax_pthread_config" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + if test x"$ax_pthread_config" = xno; then continue; fi + PTHREAD_CFLAGS="`pthread-config --cflags`" + PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`" + ;; + + *) + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for the pthreads library -l$flag" >&5 +$as_echo_n "checking for the pthreads library -l$flag... " >&6; } + PTHREAD_LIBS="-l$flag" + ;; + esac + + save_LIBS="$LIBS" + save_CFLAGS="$CFLAGS" + LIBS="$PTHREAD_LIBS $LIBS" + CFLAGS="$CFLAGS $PTHREAD_CFLAGS $ax_pthread_extra_flags" + + # Check for various functions. We must include pthread.h, + # since some functions may be macros. (On the Sequent, we + # need a special flag -Kthread to make this header compile.) + # We check for pthread_join because it is in -lpthread on IRIX + # while pthread_create is in libc. We check for pthread_attr_init + # due to DEC craziness with -lpthreads. We check for + # pthread_cleanup_push because it is one of the few pthread + # functions on Solaris that doesn't have a non-functional libc stub. + # We try pthread_create on general principles. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +#include + static void routine(void *a) { a = 0; } + static void *start_routine(void *a) { return a; } +int +main () +{ +pthread_t th; pthread_attr_t attr; + pthread_create(&th, 0, start_routine, 0); + pthread_join(th, 0); + pthread_attr_init(&attr); + pthread_cleanup_push(routine, 0); + pthread_cleanup_pop(0) /* ; */ + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ax_pthread_ok=yes +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + + LIBS="$save_LIBS" + CFLAGS="$save_CFLAGS" + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_pthread_ok" >&5 +$as_echo "$ax_pthread_ok" >&6; } + if test "x$ax_pthread_ok" = xyes; then + break; + fi + + PTHREAD_LIBS="" + PTHREAD_CFLAGS="" +done +fi + +# Various other checks: +if test "x$ax_pthread_ok" = xyes; then + save_LIBS="$LIBS" + LIBS="$PTHREAD_LIBS $LIBS" + save_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $PTHREAD_CFLAGS" + + # Detect AIX lossage: JOINABLE attribute is called UNDETACHED. + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for joinable pthread attribute" >&5 +$as_echo_n "checking for joinable pthread attribute... " >&6; } + attr_name=unknown + for attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +int attr = $attr; return attr /* ; */ + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + attr_name=$attr; break +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + done + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $attr_name" >&5 +$as_echo "$attr_name" >&6; } + if test "$attr_name" != PTHREAD_CREATE_JOINABLE; then + +cat >>confdefs.h <<_ACEOF +#define PTHREAD_CREATE_JOINABLE $attr_name +_ACEOF + + fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if more special flags are required for pthreads" >&5 +$as_echo_n "checking if more special flags are required for pthreads... 
" >&6; } + flag=no + case ${host_os} in + aix* | freebsd* | darwin*) flag="-D_THREAD_SAFE";; + osf* | hpux*) flag="-D_REENTRANT";; + solaris*) + if test "$GCC" = "yes"; then + flag="-D_REENTRANT" + else + # TODO: What about Clang on Solaris? + flag="-mt -D_REENTRANT" + fi + ;; + esac + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $flag" >&5 +$as_echo "$flag" >&6; } + if test "x$flag" != xno; then + PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS" + fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PTHREAD_PRIO_INHERIT" >&5 +$as_echo_n "checking for PTHREAD_PRIO_INHERIT... " >&6; } +if ${ax_cv_PTHREAD_PRIO_INHERIT+:} false; then : + $as_echo_n "(cached) " >&6 +else + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +int i = PTHREAD_PRIO_INHERIT; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ax_cv_PTHREAD_PRIO_INHERIT=yes +else + ax_cv_PTHREAD_PRIO_INHERIT=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_PTHREAD_PRIO_INHERIT" >&5 +$as_echo "$ax_cv_PTHREAD_PRIO_INHERIT" >&6; } + if test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes"; then : + +$as_echo "#define HAVE_PTHREAD_PRIO_INHERIT 1" >>confdefs.h + +fi + + LIBS="$save_LIBS" + CFLAGS="$save_CFLAGS" + + # More AIX lossage: compile with *_r variant + if test "x$GCC" != xyes; then + case $host_os in + aix*) + case "x/$CC" in #( + x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6) : + #handle absolute path differently from PATH based program lookup + case "x$CC" in #( + x/*) : + if as_fn_executable_p ${CC}_r; then : + PTHREAD_CC="${CC}_r" +fi ;; #( + *) : + for ac_prog in ${CC}_r +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... 
" >&6; } +if ${ac_cv_prog_PTHREAD_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$PTHREAD_CC"; then + ac_cv_prog_PTHREAD_CC="$PTHREAD_CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_PTHREAD_CC="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +PTHREAD_CC=$ac_cv_prog_PTHREAD_CC +if test -n "$PTHREAD_CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PTHREAD_CC" >&5 +$as_echo "$PTHREAD_CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$PTHREAD_CC" && break +done +test -n "$PTHREAD_CC" || PTHREAD_CC="$CC" + ;; +esac ;; #( + *) : + ;; +esac + ;; + esac + fi +fi + +test -n "$PTHREAD_CC" || PTHREAD_CC="$CC" + + + + + +# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND: +if test x"$ax_pthread_ok" = xyes; then + + { $as_echo "$as_me:${as_lineno-$LINENO}: PTHREAD thread model detected" >&5 +$as_echo "$as_me: PTHREAD thread model detected" >&6;} + LIBS="$PTHREAD_LIBS $LIBS" + CFLAGS="$CFLAGS $PTHREAD_CFLAGS" + CC="$PTHREAD_CC" + +$as_echo "#define USE_PTHREAD 1" >>confdefs.h + + + : +else + ax_pthread_ok=no + + { $as_echo "$as_me:${as_lineno-$LINENO}: FORK thread model detected" >&5 +$as_echo "$as_me: FORK thread model detected" >&6;} + +$as_echo "#define USE_FORK 1" >>confdefs.h + + +fi +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + + +fi -# Checks for typedefs, structures, and compiler characteristics -# AC_C_CONST -# AC_TYPE_SIZE_T -# AC_TYPE_PID_T -# 
AC_HEADER_TIME { $as_echo "$as_me:${as_lineno-$LINENO}: **************************************** compiler/linker flags" >&5 $as_echo "$as_me: **************************************** compiler/linker flags" >&6;} +if test "$GCC" = yes; then -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -pthread" >&5 -$as_echo_n "checking whether $CC accepts -pthread... " >&6; } -valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -pthread" -valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -pthread" - -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -int main() {return 0;} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - stunnel_CFLAGS="$stunnel_CFLAGS -pthread" - - stunnel_LDFLAGF="$stunnel_LDFLAGF -pthread" +for flag in -Wall; do + as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$flag" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $flag" >&5 +$as_echo_n "checking whether C compiler accepts $flag... " >&6; } +if eval \${$as_CACHEVAR+:} false; then : + $as_echo_n "(cached) " >&6 else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS $flag" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$as_CACHEVAR=yes" +else + eval "$as_CACHEVAR=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +eval ac_res=\$$as_CACHEVAR + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then : + if ${CFLAGS+:} false; then : + case " $CFLAGS " in + *" $flag "*) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS already contains \$flag"; } >&5 + (: CFLAGS already contains $flag) 2>&5 + ac_status=$? 
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; + *) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS=\"\$CFLAGS \$flag\""; } >&5 + (: CFLAGS="$CFLAGS $flag") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + CFLAGS="$CFLAGS $flag" + ;; + esac +else + CFLAGS="$flag" +fi + +else + : +fi + +done + + + + + +for flag in -Wextra; do + as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$flag" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $flag" >&5 +$as_echo_n "checking whether C compiler accepts $flag... " >&6; } +if eval \${$as_CACHEVAR+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS $flag" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$as_CACHEVAR=yes" +else + eval "$as_CACHEVAR=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +eval ac_res=\$$as_CACHEVAR + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then : + if ${CFLAGS+:} false; then : + case " $CFLAGS " in + *" $flag "*) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS already contains \$flag"; } >&5 + (: CFLAGS already contains $flag) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; + *) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS=\"\$CFLAGS \$flag\""; } >&5 + (: CFLAGS="$CFLAGS $flag") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; } + CFLAGS="$CFLAGS $flag" + ;; + esac +else + CFLAGS="$flag" +fi + +else + : +fi + +done + + + + + +for flag in -Wpedantic; do + as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$flag" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $flag" >&5 +$as_echo_n "checking whether C compiler accepts $flag... " >&6; } +if eval \${$as_CACHEVAR+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS $flag" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$as_CACHEVAR=yes" +else + eval "$as_CACHEVAR=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +eval ac_res=\$$as_CACHEVAR + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then : + if ${CFLAGS+:} false; then : + case " $CFLAGS " in + *" $flag "*) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS already contains \$flag"; } >&5 + (: CFLAGS already contains $flag) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; + *) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS=\"\$CFLAGS \$flag\""; } >&5 + (: CFLAGS="$CFLAGS $flag") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + CFLAGS="$CFLAGS $flag" + ;; + esac +else + CFLAGS="$flag" +fi + +else + : +fi + +done + + + + + +for flag in -Wformat=2; do + as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$flag" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $flag" >&5 +$as_echo_n "checking whether C compiler accepts $flag... 
" >&6; } +if eval \${$as_CACHEVAR+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS $flag" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$as_CACHEVAR=yes" +else + eval "$as_CACHEVAR=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +eval ac_res=\$$as_CACHEVAR + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then : + if ${CFLAGS+:} false; then : + case " $CFLAGS " in + *" $flag "*) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS already contains \$flag"; } >&5 + (: CFLAGS already contains $flag) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; + *) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS=\"\$CFLAGS \$flag\""; } >&5 + (: CFLAGS="$CFLAGS $flag") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + CFLAGS="$CFLAGS $flag" + ;; + esac +else + CFLAGS="$flag" +fi + +else + : +fi + +done + + + + + +for flag in -Wconversion; do + as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$flag" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $flag" >&5 +$as_echo_n "checking whether C compiler accepts $flag... " >&6; } +if eval \${$as_CACHEVAR+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS $flag" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$as_CACHEVAR=yes" +else + eval "$as_CACHEVAR=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +eval ac_res=\$$as_CACHEVAR + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then : + if ${CFLAGS+:} false; then : + case " $CFLAGS " in + *" $flag "*) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS already contains \$flag"; } >&5 + (: CFLAGS already contains $flag) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; + *) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS=\"\$CFLAGS \$flag\""; } >&5 + (: CFLAGS="$CFLAGS $flag") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + CFLAGS="$CFLAGS $flag" + ;; + esac +else + CFLAGS="$flag" +fi + +else + : +fi + +done + + + + + +for flag in -Wno-long-long; do + as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$flag" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $flag" >&5 +$as_echo_n "checking whether C compiler accepts $flag... " >&6; } +if eval \${$as_CACHEVAR+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS $flag" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$as_CACHEVAR=yes" +else + eval "$as_CACHEVAR=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +eval ac_res=\$$as_CACHEVAR + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then : + if ${CFLAGS+:} false; then : + case " $CFLAGS " in + *" $flag "*) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS already contains \$flag"; } >&5 + (: CFLAGS already contains $flag) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; + *) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS=\"\$CFLAGS \$flag\""; } >&5 + (: CFLAGS="$CFLAGS $flag") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + CFLAGS="$CFLAGS $flag" + ;; + esac +else + CFLAGS="$flag" +fi + +else + : +fi + +done + + + + + +for flag in -Wno-deprecated-declarations; do + as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$flag" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $flag" >&5 +$as_echo_n "checking whether C compiler accepts $flag... " >&6; } +if eval \${$as_CACHEVAR+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS $flag" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$as_CACHEVAR=yes" +else + eval "$as_CACHEVAR=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +eval ac_res=\$$as_CACHEVAR + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then : + if ${CFLAGS+:} false; then : + case " $CFLAGS " in + *" $flag "*) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS already contains \$flag"; } >&5 + (: CFLAGS already contains $flag) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; + *) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS=\"\$CFLAGS \$flag\""; } >&5 + (: CFLAGS="$CFLAGS $flag") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + CFLAGS="$CFLAGS $flag" + ;; + esac +else + CFLAGS="$flag" +fi + +else + : +fi + +done + + + + + +for flag in -fPIE; do + as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$flag" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $flag" >&5 +$as_echo_n "checking whether C compiler accepts $flag... " >&6; } +if eval \${$as_CACHEVAR+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS $flag" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$as_CACHEVAR=yes" +else + eval "$as_CACHEVAR=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +eval ac_res=\$$as_CACHEVAR + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then : + if ${CFLAGS+:} false; then : + case " $CFLAGS " in + *" $flag "*) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS already contains \$flag"; } >&5 + (: CFLAGS already contains $flag) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; + *) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS=\"\$CFLAGS \$flag\""; } >&5 + (: CFLAGS="$CFLAGS $flag") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + CFLAGS="$CFLAGS $flag" + ;; + esac +else + CFLAGS="$flag" +fi + +else + : +fi + +done + + case "${host}" in + avr-*.* | powerpc-*-aix* | rl78-*.* | visium-*.*) + ;; + *) + + + + +for flag in -fstack-protector; do + as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$flag" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $flag" >&5 +$as_echo_n "checking whether C compiler accepts $flag... " >&6; } +if eval \${$as_CACHEVAR+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS $flag" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$as_CACHEVAR=yes" +else + eval "$as_CACHEVAR=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +eval ac_res=\$$as_CACHEVAR + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then : + if ${CFLAGS+:} false; then : + case " $CFLAGS " in + *" $flag "*) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS already contains \$flag"; } >&5 + (: CFLAGS already contains $flag) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; + *) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS=\"\$CFLAGS \$flag\""; } >&5 + (: CFLAGS="$CFLAGS $flag") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + CFLAGS="$CFLAGS $flag" + ;; + esac +else + CFLAGS="$flag" +fi + +else + : +fi + +done + + ;; + esac + + + + +for flag in -fPIE -pie; do + as_CACHEVAR=`$as_echo "ax_cv_check_ldflags__$flag" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts $flag" >&5 +$as_echo_n "checking whether the linker accepts $flag... " >&6; } +if eval \${$as_CACHEVAR+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS $flag" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + eval "$as_CACHEVAR=yes" +else + eval "$as_CACHEVAR=no" fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext -CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS" - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -fstack-protector" >&5 -$as_echo_n "checking whether $CC accepts -fstack-protector... 
" >&6; } -valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -fstack-protector" -valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -fstack-protector" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -int main() {return 0;} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - stunnel_CFLAGS="$stunnel_CFLAGS -fstack-protector" - - stunnel_LDFLAGF="$stunnel_LDFLAGF -fstack-protector" - + LDFLAGS=$ax_check_save_flags +fi +eval ac_res=\$$as_CACHEVAR + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then : + if ${LDFLAGS+:} false; then : + case " $LDFLAGS " in + *" $flag "*) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : LDFLAGS already contains \$flag"; } >&5 + (: LDFLAGS already contains $flag) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; + *) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS \$flag\""; } >&5 + (: LDFLAGS="$LDFLAGS $flag") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + LDFLAGS="$LDFLAGS $flag" + ;; + esac +else + LDFLAGS="$flag" +fi else + : +fi - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } +done + + + + +for flag in -Wl,-z,relro; do + as_CACHEVAR=`$as_echo "ax_cv_check_ldflags__$flag" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts $flag" >&5 +$as_echo_n "checking whether the linker accepts $flag... " >&6; } +if eval \${$as_CACHEVAR+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS $flag" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + eval "$as_CACHEVAR=yes" +else + eval "$as_CACHEVAR=no" fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext -CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS" - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -pie" >&5 -$as_echo_n "checking whether $CC accepts -pie... " >&6; } -valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -fPIE" -valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -pie -fPIE" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -int main() {return 0;} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - stunnel_CFLAGS="$stunnel_CFLAGS -fPIE" - - stunnel_LDFLAGF="$stunnel_LDFLAGF -pie -fPIE" - + LDFLAGS=$ax_check_save_flags +fi +eval ac_res=\$$as_CACHEVAR + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then : + if ${LDFLAGS+:} false; then : + case " $LDFLAGS " in + *" $flag "*) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : LDFLAGS already contains \$flag"; } >&5 + (: LDFLAGS already contains $flag) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; + *) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS \$flag\""; } >&5 + (: LDFLAGS="$LDFLAGS $flag") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; } + LDFLAGS="$LDFLAGS $flag" + ;; + esac +else + LDFLAGS="$flag" +fi else + : +fi - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } +done + + + + +for flag in -Wl,-z,now; do + as_CACHEVAR=`$as_echo "ax_cv_check_ldflags__$flag" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts $flag" >&5 +$as_echo_n "checking whether the linker accepts $flag... " >&6; } +if eval \${$as_CACHEVAR+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS $flag" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + eval "$as_CACHEVAR=yes" +else + eval "$as_CACHEVAR=no" fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext -CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS" + LDFLAGS=$ax_check_save_flags +fi +eval ac_res=\$$as_CACHEVAR + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then : + if ${LDFLAGS+:} false; then : + case " $LDFLAGS " in + *" $flag "*) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : LDFLAGS already contains \$flag"; } >&5 + (: LDFLAGS already contains $flag) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; + *) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS \$flag\""; } >&5 + (: LDFLAGS="$LDFLAGS $flag") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + LDFLAGS="$LDFLAGS $flag" + ;; + esac +else + LDFLAGS="$flag" +fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -Wall" >&5 -$as_echo_n "checking whether $CC accepts -Wall... 
" >&6; } -valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wall" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +else + : +fi + +done + + + + + +for flag in -Wl,-z,noexecstack; do + as_CACHEVAR=`$as_echo "ax_cv_check_ldflags__$flag" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts $flag" >&5 +$as_echo_n "checking whether the linker accepts $flag... " >&6; } +if eval \${$as_CACHEVAR+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS $flag" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -int main() {return 0;} + +int +main () +{ + + ; + return 0; +} _ACEOF if ac_fn_c_try_link "$LINENO"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } + eval "$as_CACHEVAR=yes" else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; }; CFLAGS="$valid_CFLAGS" + eval "$as_CACHEVAR=no" fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -Wextra" >&5 -$as_echo_n "checking whether $CC accepts -Wextra... " >&6; } -valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wextra" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -int main() {return 0;} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; }; CFLAGS="$valid_CFLAGS" + LDFLAGS=$ax_check_save_flags fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -Wno-long-long" >&5 -$as_echo_n "checking whether $CC accepts -Wno-long-long... " >&6; } -valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wno-long-long" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ -int main() {return 0;} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } +eval ac_res=\$$as_CACHEVAR + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then : + if ${LDFLAGS+:} false; then : + case " $LDFLAGS " in + *" $flag "*) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : LDFLAGS already contains \$flag"; } >&5 + (: LDFLAGS already contains $flag) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; + *) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS \$flag\""; } >&5 + (: LDFLAGS="$LDFLAGS $flag") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + LDFLAGS="$LDFLAGS $flag" + ;; + esac else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; }; CFLAGS="$valid_CFLAGS" + LDFLAGS="$flag" fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -pedantic" >&5 -$as_echo_n "checking whether $CC accepts -pedantic... " >&6; } -valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -pedantic" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ -int main() {return 0;} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; }; CFLAGS="$valid_CFLAGS" + : fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext + +done + +fi + + + + +for flag in -D_FORTIFY_SOURCE=2; do + as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$flag" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $flag" >&5 +$as_echo_n "checking whether C compiler accepts $flag... " >&6; } +if eval \${$as_CACHEVAR+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS $flag" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$as_CACHEVAR=yes" +else + eval "$as_CACHEVAR=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +eval ac_res=\$$as_CACHEVAR + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then : + if ${CFLAGS+:} false; then : + case " $CFLAGS " in + *" $flag "*) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS already contains \$flag"; } >&5 + (: CFLAGS already contains $flag) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; + *) + { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS=\"\$CFLAGS \$flag\""; } >&5 + (: CFLAGS="$CFLAGS $flag") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; } + CFLAGS="$CFLAGS $flag" + ;; + esac +else + CFLAGS="$flag" +fi + +else + : +fi + +done + { $as_echo "$as_me:${as_lineno-$LINENO}: **************************************** libtool" >&5 $as_echo "$as_me: **************************************** libtool" >&6;} @@ -4549,8 +6199,8 @@ esac -macro_version='2.2.6b' -macro_revision='1.3017' +macro_version='2.4.2' +macro_revision='1.3337' 
@@ -4566,6 +6216,75 @@ macro_revision='1.3017' ltmain="$ac_aux_dir/ltmain.sh" +# Backslashify metacharacters that are still active within +# double-quoted strings. +sed_quote_subst='s/\(["`$\\]\)/\\\1/g' + +# Same as above, but do not quote variable references. +double_quote_subst='s/\(["`\\]\)/\\\1/g' + +# Sed substitution to delay expansion of an escaped shell variable in a +# double_quote_subst'ed string. +delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g' + +# Sed substitution to delay expansion of an escaped single quote. +delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g' + +# Sed substitution to avoid accidental globbing in evaled expressions +no_glob_subst='s/\*/\\\*/g' + +ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' +ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO +ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO$ECHO + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to print strings" >&5 +$as_echo_n "checking how to print strings... " >&6; } +# Test print first, because it will be a builtin if present. +if test "X`( print -r -- -n ) 2>/dev/null`" = X-n && \ + test "X`print -r -- $ECHO 2>/dev/null`" = "X$ECHO"; then + ECHO='print -r --' +elif test "X`printf %s $ECHO 2>/dev/null`" = "X$ECHO"; then + ECHO='printf %s\n' +else + # Use this function as a fallback that always works. + func_fallback_echo () + { + eval 'cat <<_LTECHO_EOF +$1 +_LTECHO_EOF' + } + ECHO='func_fallback_echo' +fi + +# func_echo_all arg... +# Invoke $ECHO with all args, space-separated. 
+func_echo_all () +{ + $ECHO "" +} + +case "$ECHO" in + printf*) { $as_echo "$as_me:${as_lineno-$LINENO}: result: printf" >&5 +$as_echo "printf" >&6; } ;; + print*) { $as_echo "$as_me:${as_lineno-$LINENO}: result: print -r" >&5 +$as_echo "print -r" >&6; } ;; + *) { $as_echo "$as_me:${as_lineno-$LINENO}: result: cat" >&5 +$as_echo "cat" >&6; } ;; +esac + + + + + + + + + + + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a sed that does not truncate output" >&5 $as_echo_n "checking for a sed that does not truncate output... " >&6; } if ${ac_cv_path_SED+:} false; then : @@ -5031,8 +6750,11 @@ if test "$lt_cv_path_NM" != "no"; then NM="$lt_cv_path_NM" else # Didn't find any BSD compatible name lister, look for dumpbin. - if test -n "$ac_tool_prefix"; then - for ac_prog in "dumpbin -symbols" "link -dump -symbols" + if test -n "$DUMPBIN"; then : + # Let the user override the test. + else + if test -n "$ac_tool_prefix"; then + for ac_prog in dumpbin "link -dump" do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 @@ -5076,7 +6798,7 @@ fi fi if test -z "$DUMPBIN"; then ac_ct_DUMPBIN=$DUMPBIN - for ac_prog in "dumpbin -symbols" "link -dump -symbols" + for ac_prog in dumpbin "link -dump" do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 @@ -5131,6 +6853,15 @@ esac fi fi + case `$DUMPBIN -symbols /dev/null 2>&1 | sed '1q'` in + *COFF*) + DUMPBIN="$DUMPBIN -symbols" + ;; + *) + DUMPBIN=: + ;; + esac + fi if test "$DUMPBIN" != ":"; then NM="$DUMPBIN" 
@@ -5150,13 +6881,13 @@ if ${lt_cv_nm_interface+:} false; then : else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext - (eval echo "\"\$as_me:5153: $ac_compile\"" >&5) + (eval echo "\"\$as_me:$LINENO: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 - (eval echo "\"\$as_me:5156: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval echo "\"\$as_me:$LINENO: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 - (eval echo "\"\$as_me:5159: output\"" >&5) + (eval echo "\"\$as_me:$LINENO: output\"" >&5) cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" @@ -5213,6 +6944,11 @@ else lt_cv_sys_max_cmd_len=8192; ;; + mint*) + # On MiNT this can take a long time and run out of memory. + lt_cv_sys_max_cmd_len=8192; + ;; + amigaos*) # On AmigaOS with pdksh, this test takes hours, literally. # So we just punt and use a minimum line length of 8192. @@ -5238,6 +6974,11 @@ else lt_cv_sys_max_cmd_len=196608 ;; + os2*) + # The test takes a long time on OS/2. + lt_cv_sys_max_cmd_len=8192 + ;; + osf*) # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not @@ -5264,7 +7005,8 @@ else ;; *) lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null` - if test -n "$lt_cv_sys_max_cmd_len"; then + if test -n "$lt_cv_sys_max_cmd_len" && \ + test undefined != "$lt_cv_sys_max_cmd_len"; then lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` else 
@@ -5277,8 +7019,8 @@ else # If test is not a shell built-in, we'll probably end up computing a # maximum length that is only half of the actual maximum length, but # we can't tell. - while { test "X"`$SHELL $0 --fallback-echo "X$teststring$teststring" 2>/dev/null` \ - = "XX$teststring$teststring"; } >/dev/null 2>&1 && + while { test "X"`env echo "$teststring$teststring" 2>/dev/null` \ + = "X$teststring$teststring"; } >/dev/null 2>&1 && test $i != 17 # 1/2 MB should be enough do i=`expr $i + 1` @@ -5320,8 +7062,8 @@ $as_echo_n "checking whether the shell understands some XSI constructs... " >&6; # Try some XSI features xsi_shell=no ( _lt_dummy="a/b/c" - test "${_lt_dummy##*/},${_lt_dummy%/*},"${_lt_dummy%"$_lt_dummy"}, \ - = c,a/b,, \ + test "${_lt_dummy##*/},${_lt_dummy%/*},${_lt_dummy#??}"${_lt_dummy%"$_lt_dummy"}, \ + = c,a/b,b/c, \ && eval 'test $(( 1 + 1 )) -eq 2 \ && test "${#_lt_dummy}" -eq 5' ) >/dev/null 2>&1 \ && xsi_shell=yes 
@@ -5370,6 +7112,80 @@ esac +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to convert $build file names to $host format" >&5 +$as_echo_n "checking how to convert $build file names to $host format... " >&6; } +if ${lt_cv_to_host_file_cmd+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $host in + *-*-mingw* ) + case $build in + *-*-mingw* ) # actually msys + lt_cv_to_host_file_cmd=func_convert_file_msys_to_w32 + ;; + *-*-cygwin* ) + lt_cv_to_host_file_cmd=func_convert_file_cygwin_to_w32 + ;; + * ) # otherwise, assume *nix + lt_cv_to_host_file_cmd=func_convert_file_nix_to_w32 + ;; + esac + ;; + *-*-cygwin* ) + case $build in + *-*-mingw* ) # actually msys + lt_cv_to_host_file_cmd=func_convert_file_msys_to_cygwin + ;; + *-*-cygwin* ) + lt_cv_to_host_file_cmd=func_convert_file_noop + ;; + * ) # otherwise, assume *nix + lt_cv_to_host_file_cmd=func_convert_file_nix_to_cygwin + ;; + esac + ;; + * ) # unhandled hosts (and "normal" native builds) + lt_cv_to_host_file_cmd=func_convert_file_noop + ;; +esac + +fi + +to_host_file_cmd=$lt_cv_to_host_file_cmd +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_to_host_file_cmd" >&5 +$as_echo "$lt_cv_to_host_file_cmd" >&6; } + + + + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to convert $build file names to toolchain format" >&5 +$as_echo_n "checking how to convert $build file names to toolchain format... " >&6; } +if ${lt_cv_to_tool_file_cmd+:} false; then : + $as_echo_n "(cached) " >&6 +else + #assume ordinary cross tools, or native build. 
+lt_cv_to_tool_file_cmd=func_convert_file_noop +case $host in + *-*-mingw* ) + case $build in + *-*-mingw* ) # actually msys + lt_cv_to_tool_file_cmd=func_convert_file_msys_to_w32 + ;; + esac + ;; +esac + +fi + +to_tool_file_cmd=$lt_cv_to_tool_file_cmd +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_to_tool_file_cmd" >&5 +$as_echo "$lt_cv_to_tool_file_cmd" >&6; } + + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $LD option to reload object files" >&5 $as_echo_n "checking for $LD option to reload object files... " >&6; } if ${lt_cv_ld_reload_flag+:} false; then : @@ -5386,6 +7202,11 @@ case $reload_flag in esac reload_cmds='$LD$reload_flag -o $output$reload_objs' case $host_os in + cygwin* | mingw* | pw32* | cegcc*) + if test "$GCC" != yes; then + reload_cmds=false + fi + ;; darwin*) if test "$GCC" = yes; then reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs' @@ -5549,16 +7370,18 @@ mingw* | pw32*) # Base MSYS/MinGW do not provide the 'file' command needed by # func_win32_libid shell function, so use a weaker test based on 'objdump', # unless we find 'file', for example because we are cross-compiling. - if ( file / ) >/dev/null 2>&1; then + # func_win32_libid assumes BSD nm, so disallow it if using MS dumpbin. + if ( test "$lt_cv_nm_interface" = "BSD nm" && file / ) >/dev/null 2>&1; then lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL' lt_cv_file_magic_cmd='func_win32_libid' else - lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?' + # Keep this pattern in sync with the one in func_win32_libid. + lt_cv_deplibs_check_method='file_magic file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)' lt_cv_file_magic_cmd='$OBJDUMP -f' fi ;; -cegcc) +cegcc*) # use the weaker test based on 'objdump'. See mingw*. lt_cv_deplibs_check_method='file_magic file format pe-arm-.*little(.*architecture: arm)?' lt_cv_file_magic_cmd='$OBJDUMP -f' 
@@ -5584,7 +7407,7 @@ freebsd* | dragonfly*) fi ;; -gnu*) +haiku*) lt_cv_deplibs_check_method=pass_all ;; @@ -5596,11 +7419,11 @@ hpux10.20* | hpux11*) lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so ;; hppa*64*) - lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]' + lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF[ -][0-9][0-9])(-bit)?( [LM]SB)? shared object( file)?[, -]* PA-RISC [0-9]\.[0-9]' lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl ;; *) - lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|PA-RISC[0-9].[0-9]) shared library' + lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|PA-RISC[0-9]\.[0-9]) shared library' lt_cv_file_magic_test_file=/usr/lib/libc.sl ;; esac @@ -5621,8 +7444,8 @@ irix5* | irix6* | nonstopux*) lt_cv_deplibs_check_method=pass_all ;; -# This must be Linux ELF. -linux* | k*bsd*-gnu | kopensolaris*-gnu) +# This must be glibc/ELF. +linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) lt_cv_deplibs_check_method=pass_all ;; @@ -5703,6 +7526,21 @@ esac fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_deplibs_check_method" >&5 $as_echo "$lt_cv_deplibs_check_method" >&6; } + +file_magic_glob= +want_nocaseglob=no +if test "$build" = "$host"; then + case $host_os in + mingw* | pw32*) + if ( shopt | grep nocaseglob ) >/dev/null 2>&1; then + want_nocaseglob=yes + else + file_magic_glob=`echo aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ | $SED -e "s/\(..\)/s\/[\1]\/[\1]\/g;/g"` + fi + ;; + esac +fi + file_magic_cmd=$lt_cv_file_magic_cmd deplibs_check_method=$lt_cv_deplibs_check_method test -z "$deplibs_check_method" && deplibs_check_method=unknown 
@@ -5716,11 +7554,164 @@ test -z "$deplibs_check_method" && deplibs_check_method=unknown + + + + + + + + + + if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}ar", so it can be a program name with args. -set dummy ${ac_tool_prefix}ar; ac_word=$2 + # Extract the first word of "${ac_tool_prefix}dlltool", so it can be a program name with args. +set dummy ${ac_tool_prefix}dlltool; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_DLLTOOL+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$DLLTOOL"; then + ac_cv_prog_DLLTOOL="$DLLTOOL" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_DLLTOOL="${ac_tool_prefix}dlltool" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +DLLTOOL=$ac_cv_prog_DLLTOOL +if test -n "$DLLTOOL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DLLTOOL" >&5 +$as_echo "$DLLTOOL" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_DLLTOOL"; then + ac_ct_DLLTOOL=$DLLTOOL + # Extract the first word of "dlltool", so it can be a program name with args. +set dummy dlltool; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_DLLTOOL+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_DLLTOOL"; then + ac_cv_prog_ac_ct_DLLTOOL="$ac_ct_DLLTOOL" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_DLLTOOL="dlltool" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_DLLTOOL=$ac_cv_prog_ac_ct_DLLTOOL +if test -n "$ac_ct_DLLTOOL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_DLLTOOL" >&5 +$as_echo "$ac_ct_DLLTOOL" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_ct_DLLTOOL" = x; then + DLLTOOL="false" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + DLLTOOL=$ac_ct_DLLTOOL + fi +else + DLLTOOL="$ac_cv_prog_DLLTOOL" +fi + +test -z "$DLLTOOL" && DLLTOOL=dlltool + + + + + + + + + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to associate runtime and link libraries" >&5 +$as_echo_n "checking how to associate runtime and link libraries... 
" >&6; } +if ${lt_cv_sharedlib_from_linklib_cmd+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_sharedlib_from_linklib_cmd='unknown' + +case $host_os in +cygwin* | mingw* | pw32* | cegcc*) + # two different shell functions defined in ltmain.sh + # decide which to use based on capabilities of $DLLTOOL + case `$DLLTOOL --help 2>&1` in + *--identify-strict*) + lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib + ;; + *) + lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib_fallback + ;; + esac + ;; +*) + # fallback: assume linklib IS sharedlib + lt_cv_sharedlib_from_linklib_cmd="$ECHO" + ;; +esac + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_sharedlib_from_linklib_cmd" >&5 +$as_echo "$lt_cv_sharedlib_from_linklib_cmd" >&6; } +sharedlib_from_linklib_cmd=$lt_cv_sharedlib_from_linklib_cmd +test -z "$sharedlib_from_linklib_cmd" && sharedlib_from_linklib_cmd=$ECHO + + + + + + + +if test -n "$ac_tool_prefix"; then + for ac_prog in ar + do + # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. +set dummy $ac_tool_prefix$ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_AR+:} false; then : @@ -5736,7 +7727,7 @@ do test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_AR="${ac_tool_prefix}ar" + ac_cv_prog_AR="$ac_tool_prefix$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi 
@@ -5756,11 +7747,15 @@ $as_echo "no" >&6; } fi + test -n "$AR" && break + done fi -if test -z "$ac_cv_prog_AR"; then +if test -z "$AR"; then ac_ct_AR=$AR - # Extract the first word of "ar", so it can be a program name with args. -set dummy ar; ac_word=$2 + for ac_prog in ar +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_AR+:} false; then : @@ -5776,7 +7771,7 @@ do test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_ac_ct_AR="ar" + ac_cv_prog_ac_ct_AR="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi @@ -5795,6 +7790,10 @@ else $as_echo "no" >&6; } fi + + test -n "$ac_ct_AR" && break +done + if test "x$ac_ct_AR" = x; then AR="false" else @@ -5806,12 +7805,10 @@ ac_tool_warned=yes ;; esac AR=$ac_ct_AR fi -else - AR="$ac_cv_prog_AR" fi -test -z "$AR" && AR=ar -test -z "$AR_FLAGS" && AR_FLAGS=cru +: ${AR=ar} +: ${AR_FLAGS=cru} 
@@ -5823,6 +7820,64 @@ test -z "$AR_FLAGS" && AR_FLAGS=cru +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for archiver @FILE support" >&5 +$as_echo_n "checking for archiver @FILE support... " >&6; } +if ${lt_cv_ar_at_file+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_ar_at_file=no + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + echo conftest.$ac_objext > conftest.lst + lt_ar_try='$AR $AR_FLAGS libconftest.a @conftest.lst >&5' + { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$lt_ar_try\""; } >&5 + (eval $lt_ar_try) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + if test "$ac_status" -eq 0; then + # Ensure the archiver fails upon bogus file names. + rm -f conftest.$ac_objext libconftest.a + { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$lt_ar_try\""; } >&5 + (eval $lt_ar_try) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + if test "$ac_status" -ne 0; then + lt_cv_ar_at_file=@ + fi + fi + rm -f conftest.* libconftest.a + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ar_at_file" >&5 +$as_echo "$lt_cv_ar_at_file" >&6; } + +if test "x$lt_cv_ar_at_file" = xno; then + archiver_list_spec= +else + archiver_list_spec=$lt_cv_ar_at_file +fi + + + + + + + if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args. set dummy ${ac_tool_prefix}strip; ac_word=$2 
@@ -6029,15 +8084,27 @@ old_postuninstall_cmds= if test -n "$RANLIB"; then case $host_os in openbsd*) - old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib" + old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$tool_oldlib" ;; *) - old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib" + old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$tool_oldlib" ;; esac - old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib" + old_archive_cmds="$old_archive_cmds~\$RANLIB \$tool_oldlib" fi +case $host_os in + darwin*) + lock_old_archive_extraction=yes ;; + *) + lock_old_archive_extraction=no ;; +esac + + + + + + @@ -6145,8 +8212,8 @@ esac lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'" # Transform an extracted symbol line into symbol name and symbol address -lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/ {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/ {\"\2\", (void *) \&\2},/p'" -lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([^ ]*\) $/ {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([^ ]*\) \(lib[^ ]*\)$/ {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/ {\"lib\2\", (void *) \&\2},/p'" +lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\)[ ]*$/ {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/ {\"\2\", (void *) \&\2},/p'" +lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([^ ]*\)[ ]*$/ {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([^ ]*\) \(lib[^ ]*\)$/ {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/ {\"lib\2\", (void *) \&\2},/p'" # Handle CRLF in mingw tool chain opt_cr= 
@@ -6170,6 +8237,7 @@ for ac_symprfx in "" "_"; do # which start with @ or ?. lt_cv_sys_global_symbol_pipe="$AWK '"\ " {last_section=section; section=\$ 3};"\ +" /^COFF SYMBOL TABLE/{for(i in hide) delete hide[i]};"\ " /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\ " \$ 0!~/External *\|/{next};"\ " / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\ @@ -6182,6 +8250,7 @@ for ac_symprfx in "" "_"; do else lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[ ]\($symcode$symcode*\)[ ][ ]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'" fi + lt_cv_sys_global_symbol_pipe="$lt_cv_sys_global_symbol_pipe | sed '/ __gnu_lto/d'" # Check to see that the pipe works correctly. pipe_works=no @@ -6207,8 +8276,8 @@ _LT_EOF test $ac_status = 0; }; then # Now try to grab the symbols. nlist=conftest.nm - if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist\""; } >&5 - (eval $NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) 2>&5 + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist\""; } >&5 + (eval $NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && test -s "$nlist"; then 
@@ -6223,6 +8292,18 @@ _LT_EOF if $GREP ' nm_test_var$' "$nlist" >/dev/null; then if $GREP ' nm_test_func$' "$nlist" >/dev/null; then cat <<_LT_EOF > conftest.$ac_ext +/* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests. */ +#if defined(_WIN32) || defined(__CYGWIN__) || defined(_WIN32_WCE) +/* DATA imports from DLLs on WIN32 con't be const, because runtime + relocations are performed -- see ld's documentation on pseudo-relocs. */ +# define LT_DLSYM_CONST +#elif defined(__osf__) +/* This system does not cope well with relocations in const data. */ +# define LT_DLSYM_CONST +#else +# define LT_DLSYM_CONST const +#endif + #ifdef __cplusplus extern "C" { #endif @@ -6234,7 +8315,7 @@ _LT_EOF cat <<_LT_EOF >> conftest.$ac_ext /* The mapping between symbol names and symbols. */ -const struct { +LT_DLSYM_CONST struct { const char *name; void *address; } @@ -6260,8 +8341,8 @@ static const void *lt_preloaded_setup() { _LT_EOF # Now try linking the two files. mv conftest.$ac_objext conftstm.$ac_objext - lt_save_LIBS="$LIBS" - lt_save_CFLAGS="$CFLAGS" + lt_globsym_save_LIBS=$LIBS + lt_globsym_save_CFLAGS=$CFLAGS LIBS="conftstm.$ac_objext" CFLAGS="$CFLAGS$lt_prog_compiler_no_builtin_flag" if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_link\""; } >&5 @@ -6271,8 +8352,8 @@ _LT_EOF test $ac_status = 0; } && test -s conftest${ac_exeext}; then pipe_works=yes fi - LIBS="$lt_save_LIBS" - CFLAGS="$lt_save_CFLAGS" + LIBS=$lt_globsym_save_LIBS + CFLAGS=$lt_globsym_save_CFLAGS else echo "cannot find nm_test_func in $nlist" >&5 fi @@ -6309,6 +8390,12 @@ else $as_echo "ok" >&6; } fi +# Response file support. +if test "$lt_cv_nm_interface" = "MS dumpbin"; then + nm_file_list_spec='@' +elif $NM --help 2>/dev/null | grep '[@]FILE' >/dev/null; then + nm_file_list_spec='@' +fi 
@@ -6329,6 +8416,49 @@ fi + + + + + + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sysroot" >&5 +$as_echo_n "checking for sysroot... " >&6; } + +# Check whether --with-sysroot was given. +if test "${with_sysroot+set}" = set; then : + withval=$with_sysroot; +else + with_sysroot=no +fi + + +lt_sysroot= +case ${with_sysroot} in #( + yes) + if test "$GCC" = yes; then + lt_sysroot=`$CC --print-sysroot 2>/dev/null` + fi + ;; #( + /*) + lt_sysroot=`echo "$with_sysroot" | sed -e "$sed_quote_subst"` + ;; #( + no|'') + ;; #( + *) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${with_sysroot}" >&5 +$as_echo "${with_sysroot}" >&6; } + as_fn_error $? "The sysroot must be an absolute path." "$LINENO" 5 + ;; +esac + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${lt_sysroot:-no}" >&5 +$as_echo "${lt_sysroot:-no}" >&6; } + + + + # Check whether --enable-libtool-lock was given. if test "${enable_libtool_lock+set}" = set; then : @@ -6361,7 +8491,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 6364 "configure"' > conftest.$ac_ext + echo '#line '$LINENO' "configure"' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -6396,7 +8526,7 @@ ia64-*-hpux*) rm -rf conftest* ;; -x86_64-*kfreebsd*-gnu|x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*| \ +x86_64-*kfreebsd*-gnu|x86_64-*linux*|powerpc*-*linux*| \ s390*-*linux*|s390*-*tpf*|sparc*-*linux*) # Find out which ABI we are using. echo 'int i;' > conftest.$ac_ext @@ -6412,9 +8542,19 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*) LD="${LD-ld} -m elf_i386_fbsd" ;; x86_64-*linux*) - LD="${LD-ld} -m elf_i386" + case `/usr/bin/file conftest.o` in + *x86-64*) + LD="${LD-ld} -m elf32_x86_64" + ;; + *) + LD="${LD-ld} -m elf_i386" + ;; + esac ;; - ppc64-*linux*|powerpc64-*linux*) + powerpc64le-*) + LD="${LD-ld} -m elf32lppclinux" + ;; + powerpc64-*) LD="${LD-ld} -m elf32ppclinux" ;; s390x-*linux*) 
@@ -6433,7 +8573,10 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*) x86_64-*linux*) LD="${LD-ld} -m elf_x86_64" ;; - ppc*-*linux*|powerpc*-*linux*) + powerpcle-*) + LD="${LD-ld} -m elf64lppc" + ;; + powerpc-*) LD="${LD-ld} -m elf64ppc" ;; s390*-*linux*|s390*-*tpf*) @@ -6496,7 +8639,7 @@ $as_echo "$lt_cv_cc_needs_belf" >&6; } CFLAGS="$SAVE_CFLAGS" fi ;; -sparc*-*solaris*) +*-*solaris*) # Find out which ABI we are using. echo 'int i;' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 @@ -6507,7 +8650,20 @@ sparc*-*solaris*) case `/usr/bin/file conftest.o` in *64-bit*) case $lt_cv_prog_gnu_ld in - yes*) LD="${LD-ld} -m elf64_sparc" ;; + yes*) + case $host in + i?86-*-solaris*) + LD="${LD-ld} -m elf_x86_64" + ;; + sparc*-*-solaris*) + LD="${LD-ld} -m elf64_sparc" + ;; + esac + # GNU ld 2.21 introduced _sol2 emulations. Use them if available. + if ${LD-ld} -V | grep _sol2 >/dev/null 2>&1; then + LD="${LD-ld}_sol2" + fi + ;; *) if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then LD="${LD-ld} -64" 
@@ -6523,6 +8679,123 @@ esac need_locks="$enable_libtool_lock" +if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}mt", so it can be a program name with args. +set dummy ${ac_tool_prefix}mt; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_MANIFEST_TOOL+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$MANIFEST_TOOL"; then + ac_cv_prog_MANIFEST_TOOL="$MANIFEST_TOOL" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_MANIFEST_TOOL="${ac_tool_prefix}mt" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +MANIFEST_TOOL=$ac_cv_prog_MANIFEST_TOOL +if test -n "$MANIFEST_TOOL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MANIFEST_TOOL" >&5 +$as_echo "$MANIFEST_TOOL" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_MANIFEST_TOOL"; then + ac_ct_MANIFEST_TOOL=$MANIFEST_TOOL + # Extract the first word of "mt", so it can be a program name with args. +set dummy mt; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_MANIFEST_TOOL+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_MANIFEST_TOOL"; then + ac_cv_prog_ac_ct_MANIFEST_TOOL="$ac_ct_MANIFEST_TOOL" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_MANIFEST_TOOL="mt" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_MANIFEST_TOOL=$ac_cv_prog_ac_ct_MANIFEST_TOOL +if test -n "$ac_ct_MANIFEST_TOOL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_MANIFEST_TOOL" >&5 +$as_echo "$ac_ct_MANIFEST_TOOL" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_ct_MANIFEST_TOOL" = x; then + MANIFEST_TOOL=":" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + MANIFEST_TOOL=$ac_ct_MANIFEST_TOOL + fi +else + MANIFEST_TOOL="$ac_cv_prog_MANIFEST_TOOL" +fi + +test -z "$MANIFEST_TOOL" && MANIFEST_TOOL=mt +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $MANIFEST_TOOL is a manifest tool" >&5 +$as_echo_n "checking if $MANIFEST_TOOL is a manifest tool... " >&6; } +if ${lt_cv_path_mainfest_tool+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_path_mainfest_tool=no + echo "$as_me:$LINENO: $MANIFEST_TOOL '-?'" >&5 + $MANIFEST_TOOL '-?' 2>conftest.err > conftest.out + cat conftest.err >&5 + if $GREP 'Manifest Tool' conftest.out > /dev/null; then + lt_cv_path_mainfest_tool=yes + fi + rm -f conftest* +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_path_mainfest_tool" >&5 +$as_echo "$lt_cv_path_mainfest_tool" >&6; } +if test "x$lt_cv_path_mainfest_tool" != xyes; then + MANIFEST_TOOL=: +fi + + + + + case $host_os in rhapsody* | darwin*) 
@@ -7030,7 +9303,13 @@ else $LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \ -dynamiclib -Wl,-single_module conftest.c 2>conftest.err _lt_result=$? - if test -f libconftest.dylib && test ! -s conftest.err && test $_lt_result = 0; then + # If there is a non-empty error log, and "single_module" + # appears in it, assume the flag caused a linker warning + if test -s conftest.err && $GREP single_module conftest.err; then + cat conftest.err >&5 + # Otherwise, if the output was created with a 0 exit code from + # the compiler, it worked. + elif test -f libconftest.dylib && test $_lt_result -eq 0; then lt_cv_apple_cc_single_mod=yes else cat conftest.err >&5 @@ -7041,6 +9320,7 @@ else fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_apple_cc_single_mod" >&5 $as_echo "$lt_cv_apple_cc_single_mod" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -exported_symbols_list linker flag" >&5 $as_echo_n "checking for -exported_symbols_list linker flag... " >&6; } if ${lt_cv_ld_exported_symbols_list+:} false; then : 
@@ -7073,6 +9353,41 @@ rm -f core conftest.err conftest.$ac_objext \ fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_exported_symbols_list" >&5 $as_echo "$lt_cv_ld_exported_symbols_list" >&6; } + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -force_load linker flag" >&5 +$as_echo_n "checking for -force_load linker flag... " >&6; } +if ${lt_cv_ld_force_load+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_ld_force_load=no + cat > conftest.c << _LT_EOF +int forced_loaded() { return 2;} +_LT_EOF + echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&5 + $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&5 + echo "$AR cru libconftest.a conftest.o" >&5 + $AR cru libconftest.a conftest.o 2>&5 + echo "$RANLIB libconftest.a" >&5 + $RANLIB libconftest.a 2>&5 + cat > conftest.c << _LT_EOF +int main() { return 0;} +_LT_EOF + echo "$LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a" >&5 + $LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a 2>conftest.err + _lt_result=$? + if test -s conftest.err && $GREP force_load conftest.err; then + cat conftest.err >&5 + elif test -f conftest && test $_lt_result -eq 0 && $GREP forced_load conftest >/dev/null 2>&1 ; then + lt_cv_ld_force_load=yes + else + cat conftest.err >&5 + fi + rm -f conftest.err libconftest.a conftest conftest.c + rm -rf conftest.dSYM + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_force_load" >&5 +$as_echo "$lt_cv_ld_force_load" >&6; } case $host_os in rhapsody* | darwin1.[012]) _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;; @@ -7100,7 +9415,7 @@ $as_echo "$lt_cv_ld_exported_symbols_list" >&6; } else _lt_dar_export_syms='~$NMEDIT -s $output_objdir/${libname}-symbols.expsym ${lib}' fi - if test "$DSYMUTIL" != ":"; then + if test "$DSYMUTIL" != ":" && test "$lt_cv_ld_force_load" = "no"; then _lt_dsymutil='~$DSYMUTIL $lib || :' else _lt_dsymutil= 
@@ -7390,6 +9705,8 @@ done + + # Set options # Check whether --enable-static was given. if test "${enable_static+set}" = set; then : @@ -7464,7 +9781,22 @@ fi # Check whether --with-pic was given. if test "${with_pic+set}" = set; then : - withval=$with_pic; pic_mode="$withval" + withval=$with_pic; lt_p=${PACKAGE-default} + case $withval in + yes|no) pic_mode=$withval ;; + *) + pic_mode=default + # Look at the argument we got. We use all the common list separators. + lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," + for lt_pkg in $withval; do + IFS="$lt_save_ifs" + if test "X$lt_pkg" = "X$lt_p"; then + pic_mode=yes + fi + done + IFS="$lt_save_ifs" + ;; + esac else pic_mode=default fi @@ -7535,6 +9867,11 @@ LIBTOOL='$(SHELL) $(top_builddir)/libtool' + + + + + @@ -7590,19 +9927,6 @@ _ACEOF - - - - - - - - - - - - - case $host_os in aix3*) # AIX sometimes has problems with the GCC collect2 program. For some @@ -7615,23 +9939,6 @@ aix3*) ;; esac -# Sed substitution that helps us do robust quoting. It backslashifies -# metacharacters that are still active within double-quoted strings. -sed_quote_subst='s/\(["`$\\]\)/\\\1/g' - -# Same as above, but do not quote variable references. -double_quote_subst='s/\(["`\\]\)/\\\1/g' - -# Sed substitution to delay expansion of an escaped shell variable in a -# double_quote_subst'ed string. -delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g' - -# Sed substitution to delay expansion of an escaped single quote. -delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g' - -# Sed substitution to avoid accidental globbing in evaled expressions -no_glob_subst='s/\*/\\\*/g' - # Global variables: ofile=libtool can_build_shared=yes @@ -7660,7 +9967,7 @@ for cc_temp in $compiler""; do *) break;; esac done -cc_basename=`$ECHO "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"` +cc_basename=`$ECHO "$cc_temp" | $SED "s%.*/%%; s%^$host_alias-%%"` # Only perform the check for file, if the check method requires it 
@@ -7869,7 +10176,12 @@ if test -n "$compiler"; then lt_prog_compiler_no_builtin_flag= if test "$GCC" = yes; then - lt_prog_compiler_no_builtin_flag=' -fno-builtin' + case $cc_basename in + nvcc*) + lt_prog_compiler_no_builtin_flag=' -Xcompiler -fno-builtin' ;; + *) + lt_prog_compiler_no_builtin_flag=' -fno-builtin' ;; + esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -fno-rtti -fno-exceptions" >&5 $as_echo_n "checking if $compiler supports -fno-rtti -fno-exceptions... " >&6; } @@ -7889,15 +10201,15 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7892: $lt_compile\"" >&5) + (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:7896: \$? = $ac_status" >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. - $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp + $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' >conftest.exp $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then lt_cv_prog_compiler_rtti_exceptions=yes @@ -7926,8 +10238,6 @@ fi lt_prog_compiler_pic= lt_prog_compiler_static= -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $compiler option to produce PIC" >&5 -$as_echo_n "checking for $compiler option to produce PIC... " >&6; } if test "$GCC" = yes; then lt_prog_compiler_wl='-Wl,' 
@@ -7975,6 +10285,12 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; } lt_prog_compiler_pic='-fno-common' ;; + haiku*) + # PIC is the default for Haiku. + # The "-static" flag exists, but is broken. + lt_prog_compiler_static= + ;; + hpux*) # PIC is the default for 64-bit PA HP-UX, but not for 32-bit # PA HP-UX. On IA64 HP-UX, PIC is the default but the pic flag @@ -8017,6 +10333,15 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; } lt_prog_compiler_pic='-fPIC' ;; esac + + case $cc_basename in + nvcc*) # Cuda Compiler Driver 2.2 + lt_prog_compiler_wl='-Xlinker ' + if test -n "$lt_prog_compiler_pic"; then + lt_prog_compiler_pic="-Xcompiler $lt_prog_compiler_pic" + fi + ;; + esac else # PORTME Check for flag to pass linker flags through the system compiler. case $host_os in @@ -8058,7 +10383,7 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; } lt_prog_compiler_static='-non_shared' ;; - linux* | k*bsd*-gnu | kopensolaris*-gnu) + linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) case $cc_basename in # old Intel for x86_64 which still supported -KPIC. ecc*) @@ -8079,7 +10404,13 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; } lt_prog_compiler_pic='--shared' lt_prog_compiler_static='--static' ;; - pgcc* | pgf77* | pgf90* | pgf95*) + nagfor*) + # NAG Fortran compiler + lt_prog_compiler_wl='-Wl,-Wl,,' + lt_prog_compiler_pic='-PIC' + lt_prog_compiler_static='-Bstatic' + ;; + pgcc* | pgf77* | pgf90* | pgf95* | pgfortran*) # Portland Group compilers (*not* the Pentium gcc compiler, # which looks to be a dead project) lt_prog_compiler_wl='-Wl,' 
@@ -8091,25 +10422,40 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; } # All Alpha code is PIC. lt_prog_compiler_static='-non_shared' ;; - xl*) - # IBM XL C 8.0/Fortran 10.1 on PPC + xl* | bgxl* | bgf* | mpixl*) + # IBM XL C 8.0/Fortran 10.1, 11.1 on PPC and BlueGene lt_prog_compiler_wl='-Wl,' lt_prog_compiler_pic='-qpic' lt_prog_compiler_static='-qstaticlink' ;; *) case `$CC -V 2>&1 | sed 5q` in + *Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [1-7].* | *Sun*Fortran*\ 8.[0-3]*) + # Sun Fortran 8.3 passes all unrecognized flags to the linker + lt_prog_compiler_pic='-KPIC' + lt_prog_compiler_static='-Bstatic' + lt_prog_compiler_wl='' + ;; + *Sun\ F* | *Sun*Fortran*) + lt_prog_compiler_pic='-KPIC' + lt_prog_compiler_static='-Bstatic' + lt_prog_compiler_wl='-Qoption ld ' + ;; *Sun\ C*) # Sun C 5.9 lt_prog_compiler_pic='-KPIC' lt_prog_compiler_static='-Bstatic' lt_prog_compiler_wl='-Wl,' ;; - *Sun\ F*) - # Sun Fortran 8.3 passes all unrecognized flags to the linker - lt_prog_compiler_pic='-KPIC' + *Intel*\ [CF]*Compiler*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-fPIC' + lt_prog_compiler_static='-static' + ;; + *Portland\ Group*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-fpic' lt_prog_compiler_static='-Bstatic' - lt_prog_compiler_wl='' ;; esac ;; @@ -8141,7 +10487,7 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; } lt_prog_compiler_pic='-KPIC' lt_prog_compiler_static='-Bstatic' case $cc_basename in - f77* | f90* | f95*) + f77* | f90* | f95* | sunf77* | sunf90* | sunf95*) lt_prog_compiler_wl='-Qoption ld ';; *) lt_prog_compiler_wl='-Wl,';; 
@@ -8198,13 +10544,17 @@ case $host_os in lt_prog_compiler_pic="$lt_prog_compiler_pic -DPIC" ;; esac -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_prog_compiler_pic" >&5 -$as_echo "$lt_prog_compiler_pic" >&6; } - - - - +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $compiler option to produce PIC" >&5 +$as_echo_n "checking for $compiler option to produce PIC... " >&6; } +if ${lt_cv_prog_compiler_pic+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_prog_compiler_pic=$lt_prog_compiler_pic +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_pic" >&5 +$as_echo "$lt_cv_prog_compiler_pic" >&6; } +lt_prog_compiler_pic=$lt_cv_prog_compiler_pic # # Check to make sure the PIC flag actually works. @@ -8228,15 +10578,15 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8231: $lt_compile\"" >&5) + (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:8235: \$? = $ac_status" >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. - $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp + $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' >conftest.exp $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then lt_cv_prog_compiler_pic_works=yes @@ -8265,6 +10615,11 @@ fi + + + + + # # Check to make sure the static flag actually works. # 
@@ -8284,7 +10639,7 @@ else if test -s conftest.err; then # Append any errors to the config.log. cat conftest.err 1>&5 - $ECHO "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp + $ECHO "$_lt_linker_boilerplate" | $SED '/^$/d' > conftest.exp $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 if diff conftest.exp conftest.er2 >/dev/null; then lt_cv_prog_compiler_static_works=yes @@ -8333,16 +10688,16 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8336: $lt_compile\"" >&5) + (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:8340: \$? = $ac_status" >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings - $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp + $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' > out/conftest.exp $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2 if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then lt_cv_prog_compiler_c_o=yes 
@@ -8388,16 +10743,16 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8391: $lt_compile\"" >&5) + (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:8395: \$? = $ac_status" >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings - $ECHO "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp + $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' > out/conftest.exp $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2 if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then lt_cv_prog_compiler_c_o=yes @@ -8463,7 +10818,6 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie hardcode_direct=no hardcode_direct_absolute=no hardcode_libdir_flag_spec= - hardcode_libdir_flag_spec_ld= hardcode_libdir_separator= hardcode_minus_L=no hardcode_shlibpath_var=unsupported 
@@ -8507,13 +10861,39 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie openbsd*) with_gnu_ld=no ;; - linux* | k*bsd*-gnu) + linux* | k*bsd*-gnu | gnu*) link_all_deplibs=no ;; esac ld_shlibs=yes + + # On some targets, GNU ld is compatible enough with the native linker + # that we're better off using the native interface for both. + lt_use_gnu_ld_interface=no if test "$with_gnu_ld" = yes; then + case $host_os in + aix*) + # The AIX port of GNU ld has always aspired to compatibility + # with the native linker. However, as the warning in the GNU ld + # block says, versions before 2.19.5* couldn't really create working + # shared libraries, regardless of the interface used. + case `$LD -v 2>&1` in + *\ \(GNU\ Binutils\)\ 2.19.5*) ;; + *\ \(GNU\ Binutils\)\ 2.[2-9]*) ;; + *\ \(GNU\ Binutils\)\ [3-9]*) ;; + *) + lt_use_gnu_ld_interface=yes + ;; + esac + ;; + *) + lt_use_gnu_ld_interface=yes + ;; + esac + fi + + if test "$lt_use_gnu_ld_interface" = yes; then # If archive_cmds runs LD, not CC, wlarc should be empty wlarc='${wl}' @@ -8547,11 +10927,12 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie ld_shlibs=no cat <<_LT_EOF 1>&2 -*** Warning: the GNU linker, at least up to release 2.9.1, is reported +*** Warning: the GNU linker, at least up to release 2.19, is reported *** to be unable to reliably create shared libraries on AIX. *** Therefore, libtool is disabling shared libraries support. If you -*** really care for shared libraries, you may want to modify your PATH -*** so that a non-GNU linker is found, and then restart. +*** really care for shared libraries, you may want to install binutils +*** 2.20 or above, or modify your PATH so that a non-GNU linker is found. +*** You will then need to restart the configuration process. _LT_EOF fi 
@@ -8587,10 +10968,12 @@ _LT_EOF # _LT_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless, # as there is no search path for DLLs. hardcode_libdir_flag_spec='-L$libdir' + export_dynamic_flag_spec='${wl}--export-all-symbols' allow_undefined_flag=unsupported always_export_symbols=no enable_shared_with_static_runtimes=yes - export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols' + export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/;s/^.*[ ]__nm__\([^ ]*\)[ ][^ ]*/\1 DATA/;/^I[ ]/d;/^[AITW][ ]/s/.* //'\'' | sort | uniq > $export_symbols' + exclude_expsyms='[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname' if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' @@ -8608,6 +10991,11 @@ _LT_EOF fi ;; + haiku*) + archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + link_all_deplibs=yes + ;; + interix[3-9]*) hardcode_direct=no hardcode_shlibpath_var=no 
@@ -8633,15 +11021,16 @@ _LT_EOF if $LD --help 2>&1 | $EGREP ': supported targets:.* elf' > /dev/null \ && test "$tmp_diet" = no then - tmp_addflag= + tmp_addflag=' $pic_flag' tmp_sharedflag='-shared' case $cc_basename,$host_cpu in pgcc*) # Portland Group C compiler - whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive' + whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive' tmp_addflag=' $pic_flag' ;; - pgf77* | pgf90* | pgf95*) # Portland Group f77 and f90 compilers - whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive' + pgf77* | pgf90* | pgf95* | pgfortran*) + # Portland Group f77 and f90 compilers + whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive' tmp_addflag=' $pic_flag -Mnomain' ;; ecc*,ia64* | icc*,ia64*) # Intel C compiler on ia64 tmp_addflag=' -i_dynamic' ;; 
@@ -8652,13 +11041,17 @@ _LT_EOF lf95*) # Lahey Fortran 8.1 whole_archive_flag_spec= tmp_sharedflag='--shared' ;; - xl[cC]*) # IBM XL C 8.0 on PPC (deal with xlf below) + xl[cC]* | bgxl[cC]* | mpixl[cC]*) # IBM XL C 8.0 on PPC (deal with xlf below) tmp_sharedflag='-qmkshrobj' tmp_addflag= ;; + nvcc*) # Cuda Compiler Driver 2.2 + whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive' + compiler_needs_object=yes + ;; esac case `$CC -V 2>&1 | sed 5q` in *Sun\ C*) # Sun C 5.9 - whole_archive_flag_spec='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $ECHO \"$new_convenience\"` ${wl}--no-whole-archive' + whole_archive_flag_spec='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive' compiler_needs_object=yes tmp_sharedflag='-G' ;; *Sun\ F*) # Sun Fortran 8.3 
@@ -8674,17 +11067,16 @@ _LT_EOF fi case $cc_basename in - xlf*) + xlf* | bgf* | bgxlf* | mpixlf*) # IBM XL Fortran 10.1 on PPC cannot create shared libs itself whole_archive_flag_spec='--whole-archive$convenience --no-whole-archive' - hardcode_libdir_flag_spec= - hardcode_libdir_flag_spec_ld='-rpath $libdir' - archive_cmds='$LD -shared $libobjs $deplibs $compiler_flags -soname $soname -o $lib' + hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' + archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib' if test "x$supports_anon_versioning" = xyes; then archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~ cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ echo "local: *; };" >> $output_objdir/$libname.ver~ - $LD -shared $libobjs $deplibs $compiler_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib' + $LD -shared $libobjs $deplibs $linker_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib' fi ;; esac @@ -8698,8 +11090,8 @@ _LT_EOF archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' wlarc= else - archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' fi ;; 
@@ -8717,8 +11109,8 @@ _LT_EOF _LT_EOF elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then - archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' else ld_shlibs=no fi @@ -8764,8 +11156,8 @@ _LT_EOF *) if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then - archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' - archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' else ld_shlibs=no fi 
@@ -8805,8 +11197,10 @@ _LT_EOF else # If we're using GNU nm, then we don't want the "-C" option. # -C means demangle to AIX nm, but means don't demangle with GNU nm + # Also, AIX nm treats weak defined symbols like other global + # defined symbols, whereas GNU nm marks them as "W". if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then - export_symbols_cmds='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && (substr(\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols' + export_symbols_cmds='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && (substr(\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols' else export_symbols_cmds='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && (substr(\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols' fi @@ -8894,7 +11288,13 @@ _LT_EOF allow_undefined_flag='-berok' # Determine the default libpath from the value encoded in an # empty executable. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + if test "${lt_cv_aix_libpath+set}" = set; then + aix_libpath=$lt_cv_aix_libpath +else + if ${lt_cv_aix_libpath_+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int 
@@ -8907,25 +11307,32 @@ main () _ACEOF if ac_fn_c_try_link "$LINENO"; then : -lt_aix_libpath_sed=' - /Import File Strings/,/^$/ { - /^0/ { - s/^0 *\(.*\)$/\1/ - p - } - }' -aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` -# Check for a 64-bit object if we didn't find anything. -if test -z "$aix_libpath"; then - aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` -fi + lt_aix_libpath_sed=' + /Import File Strings/,/^$/ { + /^0/ { + s/^0 *\([^ ]*\) *$/\1/ + p + } + }' + lt_cv_aix_libpath_=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` + # Check for a 64-bit object if we didn't find anything. + if test -z "$lt_cv_aix_libpath_"; then + lt_cv_aix_libpath_=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` + fi fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext -if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi + if test -z "$lt_cv_aix_libpath_"; then + lt_cv_aix_libpath_="/usr/lib:/lib" + fi + +fi + + aix_libpath=$lt_cv_aix_libpath_ +fi hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath" - archive_expsym_cmds='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then $ECHO "X${wl}${allow_undefined_flag}" | $Xsed; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag" + archive_expsym_cmds='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then func_echo_all "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag" else if test "$host_cpu" = ia64; then hardcode_libdir_flag_spec='${wl}-R $libdir:/usr/lib:/lib' 
@@ -8934,7 +11341,13 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi else # Determine the default libpath from the value encoded in an # empty executable. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + if test "${lt_cv_aix_libpath+set}" = set; then + aix_libpath=$lt_cv_aix_libpath +else + if ${lt_cv_aix_libpath_+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int 
@@ -8947,30 +11360,42 @@ main () _ACEOF if ac_fn_c_try_link "$LINENO"; then : -lt_aix_libpath_sed=' - /Import File Strings/,/^$/ { - /^0/ { - s/^0 *\(.*\)$/\1/ - p - } - }' -aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` -# Check for a 64-bit object if we didn't find anything. -if test -z "$aix_libpath"; then - aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` -fi + lt_aix_libpath_sed=' + /Import File Strings/,/^$/ { + /^0/ { + s/^0 *\([^ ]*\) *$/\1/ + p + } + }' + lt_cv_aix_libpath_=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` + # Check for a 64-bit object if we didn't find anything. + if test -z "$lt_cv_aix_libpath_"; then + lt_cv_aix_libpath_=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` + fi fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext -if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi + if test -z "$lt_cv_aix_libpath_"; then + lt_cv_aix_libpath_="/usr/lib:/lib" + fi + +fi + + aix_libpath=$lt_cv_aix_libpath_ +fi hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath" # Warning - without using the other run time loading flags, # -berok will link without error, but may produce a broken library. no_undefined_flag=' ${wl}-bernotok' allow_undefined_flag=' ${wl}-berok' - # Exported symbols can be pulled into shared objects from archives - whole_archive_flag_spec='$convenience' + if test "$with_gnu_ld" = yes; then + # We only use this code for GNU lds that support --whole-archive. + whole_archive_flag_spec='${wl}--whole-archive$convenience ${wl}--no-whole-archive' + else + # Exported symbols can be pulled into shared objects from archives + whole_archive_flag_spec='$convenience' + fi archive_cmds_need_lc=yes # This is similar to how AIX traditionally builds its shared libraries. 
archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname' 
@@ -9002,20 +11427,64 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi # Microsoft Visual C++. # hardcode_libdir_flag_spec is actually meaningless, as there is # no search path for DLLs. - hardcode_libdir_flag_spec=' ' - allow_undefined_flag=unsupported - # Tell ltmain to make .lib files, not .a files. - libext=lib - # Tell ltmain to make .dll files, not .so files. - shrext_cmds=".dll" - # FIXME: Setting linknames here is a bad hack. - archive_cmds='$CC -o $lib $libobjs $compiler_flags `$ECHO "X$deplibs" | $Xsed -e '\''s/ -lc$//'\''` -link -dll~linknames=' - # The linker will automatically build a .lib file if we build a DLL. - old_archive_from_new_cmds='true' - # FIXME: Should let the user specify the lib program. - old_archive_cmds='lib -OUT:$oldlib$oldobjs$old_deplibs' - fix_srcfile_path='`cygpath -w "$srcfile"`' - enable_shared_with_static_runtimes=yes + case $cc_basename in + cl*) + # Native MSVC + hardcode_libdir_flag_spec=' ' + allow_undefined_flag=unsupported + always_export_symbols=yes + file_list_spec='@' + # Tell ltmain to make .lib files, not .a files. + libext=lib + # Tell ltmain to make .dll files, not .so files. + shrext_cmds=".dll" + # FIXME: Setting linknames here is a bad hack. + archive_cmds='$CC -o $output_objdir/$soname $libobjs $compiler_flags $deplibs -Wl,-dll~linknames=' + archive_expsym_cmds='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then + sed -n -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' -e '1\\\!p' < $export_symbols > $output_objdir/$soname.exp; + else + sed -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' < $export_symbols > $output_objdir/$soname.exp; + fi~ + $CC -o $tool_output_objdir$soname $libobjs $compiler_flags $deplibs "@$tool_output_objdir$soname.exp" -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~ + linknames=' + # The linker will not automatically build a static lib if we build a DLL. 
+ # _LT_TAGVAR(old_archive_from_new_cmds, )='true' + enable_shared_with_static_runtimes=yes + exclude_expsyms='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*' + export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1,DATA/'\'' | $SED -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols' + # Don't use ranlib + old_postinstall_cmds='chmod 644 $oldlib' + postlink_cmds='lt_outputfile="@OUTPUT@"~ + lt_tool_outputfile="@TOOL_OUTPUT@"~ + case $lt_outputfile in + *.exe|*.EXE) ;; + *) + lt_outputfile="$lt_outputfile.exe" + lt_tool_outputfile="$lt_tool_outputfile.exe" + ;; + esac~ + if test "$MANIFEST_TOOL" != ":" && test -f "$lt_outputfile.manifest"; then + $MANIFEST_TOOL -manifest "$lt_tool_outputfile.manifest" -outputresource:"$lt_tool_outputfile" || exit 1; + $RM "$lt_outputfile.manifest"; + fi' + ;; + *) + # Assume MSVC wrapper + hardcode_libdir_flag_spec=' ' + allow_undefined_flag=unsupported + # Tell ltmain to make .lib files, not .a files. + libext=lib + # Tell ltmain to make .dll files, not .so files. + shrext_cmds=".dll" + # FIXME: Setting linknames here is a bad hack. + archive_cmds='$CC -o $lib $libobjs $compiler_flags `func_echo_all "$deplibs" | $SED '\''s/ -lc$//'\''` -link -dll~linknames=' + # The linker will automatically build a .lib file if we build a DLL. + old_archive_from_new_cmds='true' + # FIXME: Should let the user specify the lib program. + old_archive_cmds='lib -OUT:$oldlib$oldobjs$old_deplibs' + enable_shared_with_static_runtimes=yes + ;; + esac ;; darwin* | rhapsody*) 
@@ -9025,7 +11494,12 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi hardcode_direct=no hardcode_automatic=yes hardcode_shlibpath_var=unsupported - whole_archive_flag_spec='' + if test "$lt_cv_ld_force_load" = "yes"; then + whole_archive_flag_spec='`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience ${wl}-force_load,$conv\"; done; func_echo_all \"$new_convenience\"`' + + else + whole_archive_flag_spec='' + fi link_all_deplibs=yes allow_undefined_flag="$_lt_dar_allow_undefined" case $cc_basename in @@ -9033,7 +11507,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi *) _lt_dar_can_shared=$GCC ;; esac if test "$_lt_dar_can_shared" = "yes"; then - output_verbose_link_cmd=echo + output_verbose_link_cmd=func_echo_all archive_cmds="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}" module_cmds="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}" archive_expsym_cmds="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}" @@ -9051,10 +11525,6 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi hardcode_shlibpath_var=no ;; - freebsd1*) - ld_shlibs=no - ;; - # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor # support. Future versions do this automatically, but an explicit c++rt0.o # does not break anything, and helps significantly (at the cost of a little 
@@ -9067,7 +11537,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi ;; # Unfortunately, older versions of FreeBSD 2 do not have this feature. - freebsd2*) + freebsd2.*) archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' hardcode_direct=yes hardcode_minus_L=yes @@ -9076,7 +11546,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi # FreeBSD 3 and greater uses gcc -shared to do shared libraries. freebsd* | dragonfly*) - archive_cmds='$CC -shared -o $lib $libobjs $deplibs $compiler_flags' + archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' hardcode_libdir_flag_spec='-R$libdir' hardcode_direct=yes hardcode_shlibpath_var=no @@ -9084,7 +11554,7 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi hpux9*) if test "$GCC" = yes; then - archive_cmds='$RM $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' + archive_cmds='$RM $output_objdir/$soname~$CC -shared $pic_flag ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' else archive_cmds='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' fi 
@@ -9099,14 +11569,13 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi ;; hpux10*) - if test "$GCC" = yes -a "$with_gnu_ld" = no; then - archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' + if test "$GCC" = yes && test "$with_gnu_ld" = no; then + archive_cmds='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' else archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' fi if test "$with_gnu_ld" = no; then hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir' - hardcode_libdir_flag_spec_ld='+b $libdir' hardcode_libdir_separator=: hardcode_direct=yes hardcode_direct_absolute=yes @@ -9118,16 +11587,16 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi ;; hpux11*) - if test "$GCC" = yes -a "$with_gnu_ld" = no; then + if test "$GCC" = yes && test "$with_gnu_ld" = no; then case $host_cpu in hppa*64*) archive_cmds='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' ;; ia64*) - archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' + archive_cmds='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' ;; *) - archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' + archive_cmds='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' ;; esac else 
@@ -9139,7 +11608,46 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' ;; *) - archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' + + # Older versions of the 11.00 compiler do not understand -b yet + # (HP92453-01 A.11.01.20 doesn't, HP92453-01 B.11.X.35175-35176.GP does) + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC understands -b" >&5 +$as_echo_n "checking if $CC understands -b... " >&6; } +if ${lt_cv_prog_compiler__b+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_prog_compiler__b=no + save_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS -b" + echo "$lt_simple_link_test_code" > conftest.$ac_ext + if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then + # The linker can only warn and ignore the option if not recognized + # So say no if there are warnings + if test -s conftest.err; then + # Append any errors to the config.log. + cat conftest.err 1>&5 + $ECHO "$_lt_linker_boilerplate" | $SED '/^$/d' > conftest.exp + $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 + if diff conftest.exp conftest.er2 >/dev/null; then + lt_cv_prog_compiler__b=yes + fi + else + lt_cv_prog_compiler__b=yes + fi + fi + $RM -r conftest* + LDFLAGS="$save_LDFLAGS" + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler__b" >&5 +$as_echo "$lt_cv_prog_compiler__b" >&6; } + +if test x"$lt_cv_prog_compiler__b" = xyes; then + archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' +else + archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' +fi + ;; esac fi 
@@ -9167,26 +11675,39 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi irix5* | irix6* | nonstopux*) if test "$GCC" = yes; then - archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' + archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' # Try to use the -exported_symbol ld option, if it does not # work, assume that -exports_file does not work either and # implicitly export all symbols. - save_LDFLAGS="$LDFLAGS" - LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + # This should be the same for all languages, so no per-tag cache variable. + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the $host_os linker accepts -exported_symbol" >&5 +$as_echo_n "checking whether the $host_os linker accepts -exported_symbol... " >&6; } +if ${lt_cv_irix_exported_symbol+:} false; then : + $as_echo_n "(cached) " >&6 +else + save_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ -int foo(void) {} +int foo (void) { return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : - archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib' - + lt_cv_irix_exported_symbol=yes +else + lt_cv_irix_exported_symbol=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext - LDFLAGS="$save_LDFLAGS" + LDFLAGS="$save_LDFLAGS" +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_irix_exported_symbol" >&5 +$as_echo "$lt_cv_irix_exported_symbol" >&6; } + if test "$lt_cv_irix_exported_symbol" = yes; then + archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib' + fi else - archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib' - archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib' + archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib' + archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib' fi archive_cmds_need_lc='no' 
hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' 
@@ -9248,17 +11769,17 @@ rm -f core conftest.err conftest.$ac_objext \ hardcode_libdir_flag_spec='-L$libdir' hardcode_minus_L=yes allow_undefined_flag=unsupported - archive_cmds='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$ECHO DATA >> $output_objdir/$libname.def~$ECHO " SINGLE NONSHARED" >> $output_objdir/$libname.def~$ECHO EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def' + archive_cmds='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~echo DATA >> $output_objdir/$libname.def~echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def' old_archive_from_new_cmds='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def' ;; osf3*) if test "$GCC" = yes; then allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*' - archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' + archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' else allow_undefined_flag=' -expect_unresolved \*' - archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib' + 
archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib' fi archive_cmds_need_lc='no' hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' 
@@ -9268,13 +11789,13 @@ rm -f core conftest.err conftest.$ac_objext \ osf4* | osf5*) # as osf3* with the addition of -msym flag if test "$GCC" = yes; then allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*' - archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && $ECHO "X${wl}-set_version ${wl}$verstring" | $Xsed` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' + archive_cmds='$CC -shared${allow_undefined_flag} $pic_flag $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' else allow_undefined_flag=' -expect_unresolved \*' - archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib' + archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib' archive_expsym_cmds='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; printf "%s\\n" "-hidden">> $lib.exp~ - $CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "X-set_version $verstring" | $Xsed` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp' + $CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp' # Both c and cxx compiler support -rpath 
directly hardcode_libdir_flag_spec='-rpath $libdir' @@ -9287,9 +11808,9 @@ rm -f core conftest.err conftest.$ac_objext \ no_undefined_flag=' -z defs' if test "$GCC" = yes; then wlarc='${wl}' - archive_cmds='$CC -shared ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' + archive_cmds='$CC -shared $pic_flag ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' archive_expsym_cmds='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ - $CC -shared ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp' + $CC -shared $pic_flag ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp' else case `$CC -V 2>&1` in *"Compilers 5.0"*) 
@@ -9477,44 +11998,50 @@ x|xyes) # to ld, don't add -lc before -lgcc. { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether -lc should be explicitly linked in" >&5 $as_echo_n "checking whether -lc should be explicitly linked in... " >&6; } - $RM conftest* - echo "$lt_simple_compile_test_code" > conftest.$ac_ext +if ${lt_cv_archive_cmds_need_lc+:} false; then : + $as_echo_n "(cached) " >&6 +else + $RM conftest* + echo "$lt_simple_compile_test_code" > conftest.$ac_ext - if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } 2>conftest.err; then - soname=conftest - lib=conftest - libobjs=conftest.$ac_objext - deplibs= - wl=$lt_prog_compiler_wl - pic_flag=$lt_prog_compiler_pic - compiler_flags=-v - linker_flags=-v - verstring= - output_objdir=. - libname=conftest - lt_save_allow_undefined_flag=$allow_undefined_flag - allow_undefined_flag= - if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1\""; } >&5 + soname=conftest + lib=conftest + libobjs=conftest.$ac_objext + deplibs= + wl=$lt_prog_compiler_wl + pic_flag=$lt_prog_compiler_pic + compiler_flags=-v + linker_flags=-v + verstring= + output_objdir=. + libname=conftest + lt_save_allow_undefined_flag=$allow_undefined_flag + allow_undefined_flag= + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1\""; } >&5 (eval $archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1) 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 test $ac_status = 0; } - then - archive_cmds_need_lc=no - else - archive_cmds_need_lc=yes - fi - allow_undefined_flag=$lt_save_allow_undefined_flag - else - cat conftest.err 1>&5 - fi - $RM conftest* - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $archive_cmds_need_lc" >&5 -$as_echo "$archive_cmds_need_lc" >&6; } + then + lt_cv_archive_cmds_need_lc=no + else + lt_cv_archive_cmds_need_lc=yes + fi + allow_undefined_flag=$lt_save_allow_undefined_flag + else + cat conftest.err 1>&5 + fi + $RM conftest* + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_archive_cmds_need_lc" >&5 +$as_echo "$lt_cv_archive_cmds_need_lc" >&6; } + archive_cmds_need_lc=$lt_cv_archive_cmds_need_lc ;; esac fi @@ -9666,11 +12193,6 @@ esac - - - - - 
@@ -9685,16 +12207,23 @@ if test "$GCC" = yes; then darwin*) lt_awk_arg="/^libraries:/,/LR/" ;; *) lt_awk_arg="/^libraries:/" ;; esac - lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e "s,=/,/,g"` - if $ECHO "$lt_search_path_spec" | $GREP ';' >/dev/null ; then + case $host_os in + mingw* | cegcc*) lt_sed_strip_eq="s,=\([A-Za-z]:\),\1,g" ;; + *) lt_sed_strip_eq="s,=/,/,g" ;; + esac + lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e $lt_sed_strip_eq` + case $lt_search_path_spec in + *\;*) # if the path contains ";" then we assume it to be the separator # otherwise default to the standard path separator (i.e. ":") - it is # assumed that no part of a normal pathname contains ";" but that should # okay in the real world where ";" in dirpaths is itself problematic. - lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED -e 's/;/ /g'` - else - lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` - fi + lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED 's/;/ /g'` + ;; + *) + lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED "s/$PATH_SEPARATOR/ /g"` + ;; + esac # Ok, now we have the path, separated by spaces, we can step through it # and add multilib dir if necessary. lt_tmp_lt_search_path_spec= @@ -9707,7 +12236,7 @@ if test "$GCC" = yes; then lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path" fi done - lt_search_path_spec=`$ECHO $lt_tmp_lt_search_path_spec | awk ' + lt_search_path_spec=`$ECHO "$lt_tmp_lt_search_path_spec" | awk ' BEGIN {RS=" "; FS="/|\n";} { lt_foo=""; lt_count=0; 
@@ -9727,7 +12256,13 @@ BEGIN {RS=" "; FS="/|\n";} { if (lt_foo != "") { lt_freq[lt_foo]++; } if (lt_freq[lt_foo] == 1) { print lt_foo; } }'` - sys_lib_search_path_spec=`$ECHO $lt_search_path_spec` + # AWK program above erroneously prepends '/' to C:/dos/paths + # for these hosts. + case $host_os in + mingw* | cegcc*) lt_search_path_spec=`$ECHO "$lt_search_path_spec" |\ + $SED 's,/\([A-Za-z]:\),\1,g'` ;; + esac + sys_lib_search_path_spec=`$ECHO "$lt_search_path_spec" | $lt_NL2SP` else sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" fi @@ -9753,7 +12288,7 @@ need_version=unknown case $host_os in aix3*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a' shlibpath_var=LIBPATH @@ -9762,7 +12297,7 @@ aix3*) ;; aix[4-9]*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no hardcode_into_libs=yes @@ -9815,7 +12350,7 @@ amigaos*) m68k) library_names_spec='$libname.ixlibrary $libname.a' # Create ${libname}_ixlibrary.a entries in /sys/libs. - finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$ECHO "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done' + finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`func_echo_all "$lib" | $SED '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done' ;; esac ;; 
@@ -9827,7 +12362,7 @@ beos*) ;; bsdi[45]*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' @@ -9846,8 +12381,9 @@ cygwin* | mingw* | pw32* | cegcc*) need_version=no need_lib_prefix=no - case $GCC,$host_os in - yes,cygwin* | yes,mingw* | yes,pw32* | yes,cegcc*) + case $GCC,$cc_basename in + yes,*) + # gcc library_names_spec='$libname.dll.a' # DLL is installed to $(libdir)/../bin by postinstall_cmds postinstall_cmds='base_file=`basename \${file}`~ 
@@ -9868,36 +12404,83 @@ cygwin* | mingw* | pw32* | cegcc*) cygwin*) # Cygwin DLLs use 'cyg' prefix rather than 'lib' soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}' - sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib" + + sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/lib/w32api" ;; mingw* | cegcc*) # MinGW DLLs use traditional 'lib' prefix soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}' - sys_lib_search_path_spec=`$CC -print-search-dirs | $GREP "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"` - if $ECHO "$sys_lib_search_path_spec" | $GREP ';[c-zC-Z]:/' >/dev/null; then - # It is most probably a Windows format PATH printed by - # mingw gcc, but we are running on Cygwin. Gcc prints its search - # path with ; separators, and with drive letters. We can handle the - # drive letters (cygwin fileutils understands them), so leave them, - # especially as we might pass files found there to a mingw objdump, - # which wouldn't understand a cygwinified path. Ahh. - sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` - else - sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` - fi ;; pw32*) # pw32 DLLs use 'pw' prefix rather than 'lib' library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}' ;; esac + dynamic_linker='Win32 ld.exe' + ;; + + *,cl*) + # Native MSVC + libname_spec='$name' + soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}' + library_names_spec='${libname}.dll.lib' + + case $build_os in + mingw*) + sys_lib_search_path_spec= + lt_save_ifs=$IFS + IFS=';' + for lt_path in $LIB + do + IFS=$lt_save_ifs + # Let DOS variable expansion print the short 8.3 style file name. 
+ lt_path=`cd "$lt_path" 2>/dev/null && cmd //C "for %i in (".") do @echo %~si"` + sys_lib_search_path_spec="$sys_lib_search_path_spec $lt_path" + done + IFS=$lt_save_ifs + # Convert to MSYS style. + sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | sed -e 's|\\\\|/|g' -e 's| \\([a-zA-Z]\\):| /\\1|g' -e 's|^ ||'` + ;; + cygwin*) + # Convert to unix form, then to dos form, then back to unix form + # but this time dos style (no spaces!) so that the unix form looks + # like /cygdrive/c/PROGRA~1:/cygdr... + sys_lib_search_path_spec=`cygpath --path --unix "$LIB"` + sys_lib_search_path_spec=`cygpath --path --dos "$sys_lib_search_path_spec" 2>/dev/null` + sys_lib_search_path_spec=`cygpath --path --unix "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` + ;; + *) + sys_lib_search_path_spec="$LIB" + if $ECHO "$sys_lib_search_path_spec" | $GREP ';[c-zC-Z]:/' >/dev/null; then + # It is most probably a Windows format PATH. + sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` + else + sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` + fi + # FIXME: find the short name or the path components, as spaces are + # common. (e.g. "Program Files" -> "PROGRA~1") + ;; + esac + + # DLL is installed to $(libdir)/../bin by postinstall_cmds + postinstall_cmds='base_file=`basename \${file}`~ + dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i; echo \$dlname'\''`~ + dldir=$destdir/`dirname \$dlpath`~ + test -d \$dldir || mkdir -p \$dldir~ + $install_prog $dir/$dlname \$dldir/$dlname' + postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. 
$file; echo \$dlname'\''`~ + dlpath=$dir/\$dldll~ + $RM \$dlpath' + shlibpath_overrides_runpath=yes + dynamic_linker='Win32 link.exe' ;; *) + # Assume MSVC wrapper library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib' + dynamic_linker='Win32 ld.exe' ;; esac - dynamic_linker='Win32 ld.exe' # FIXME: first we should search . and the directory the executable is in shlibpath_var=PATH ;; @@ -9918,7 +12501,7 @@ darwin* | rhapsody*) ;; dgux*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext' @@ -9926,10 +12509,6 @@ dgux*) shlibpath_var=LD_LIBRARY_PATH ;; -freebsd1*) - dynamic_linker=no - ;; - freebsd* | dragonfly*) # DragonFly does not have aout. When/if they implement a new # versioning mechanism, adjust this. @@ -9937,7 +12516,7 @@ freebsd* | dragonfly*) objformat=`/usr/bin/objformat` else case $host_os in - freebsd[123]*) objformat=aout ;; + freebsd[23].*) objformat=aout ;; *) objformat=elf ;; esac fi @@ -9955,7 +12534,7 @@ freebsd* | dragonfly*) esac shlibpath_var=LD_LIBRARY_PATH case $host_os in - freebsd2*) + freebsd2.*) shlibpath_overrides_runpath=yes ;; freebsd3.[01]* | freebsdelf3.[01]*) 
@@ -9974,13 +12553,16 @@ freebsd* | dragonfly*) esac ;; -gnu*) - version_type=linux +haiku*) + version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no + dynamic_linker="$host_os runtime_loader" library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' - shlibpath_var=LD_LIBRARY_PATH + shlibpath_var=LIBRARY_PATH + shlibpath_overrides_runpath=yes + sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' hardcode_into_libs=yes ;; @@ -10026,12 +12608,14 @@ hpux9* | hpux10* | hpux11*) soname_spec='${libname}${release}${shared_ext}$major' ;; esac - # HP-UX runs *really* slowly unless shared libraries are mode 555. + # HP-UX runs *really* slowly unless shared libraries are mode 555, ... postinstall_cmds='chmod 555 $lib' + # or fails outright, so override atomically: + install_override_mode=555 ;; interix[3-9]*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' @@ -10047,7 +12631,7 @@ irix5* | irix6* | nonstopux*) nonstopux*) version_type=nonstopux ;; *) if test "$lt_cv_prog_gnu_ld" = yes; then - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor else version_type=irix fi ;; 
@@ -10084,9 +12668,9 @@ linux*oldld* | linux*aout* | linux*coff*) dynamic_linker=no ;; -# This must be Linux ELF. -linux* | k*bsd*-gnu | kopensolaris*-gnu) - version_type=linux +# This must be glibc/ELF. +linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) + version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' @@ -10094,12 +12678,17 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu) finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no + # Some binutils ld are patched to set DT_RUNPATH - save_LDFLAGS=$LDFLAGS - save_libdir=$libdir - eval "libdir=/foo; wl=\"$lt_prog_compiler_wl\"; \ - LDFLAGS=\"\$LDFLAGS $hardcode_libdir_flag_spec\"" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + if ${lt_cv_shlibpath_overrides_runpath+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_shlibpath_overrides_runpath=no + save_LDFLAGS=$LDFLAGS + save_libdir=$libdir + eval "libdir=/foo; wl=\"$lt_prog_compiler_wl\"; \ + LDFLAGS=\"\$LDFLAGS $hardcode_libdir_flag_spec\"" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int @@ -10112,13 +12701,17 @@ main () _ACEOF if ac_fn_c_try_link "$LINENO"; then : if ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null; then : - shlibpath_overrides_runpath=yes + lt_cv_shlibpath_overrides_runpath=yes fi fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext - LDFLAGS=$save_LDFLAGS - libdir=$save_libdir + LDFLAGS=$save_LDFLAGS + libdir=$save_libdir + +fi + + shlibpath_overrides_runpath=$lt_cv_shlibpath_overrides_runpath # This implies no fast_install, which is unacceptable. # Some rework will be needed to allow for fast_install 
@@ -10127,7 +12720,7 @@ rm -f core conftest.err conftest.$ac_objext \ # Append ld.so.conf contents to the search path if test -f /etc/ld.so.conf; then - lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` + lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" fi @@ -10171,7 +12764,7 @@ netbsd*) ;; newsos6) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes @@ -10240,7 +12833,7 @@ rdos*) ;; solaris*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' @@ -10265,7 +12858,7 @@ sunos4*) ;; sysv4 | sysv4.3*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH 
@@ -10289,7 +12882,7 @@ sysv4 | sysv4.3*) sysv4*MP*) if test -d /usr/nec ;then - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}' soname_spec='$libname${shared_ext}.$major' shlibpath_var=LD_LIBRARY_PATH @@ -10320,7 +12913,7 @@ sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) tpf*) # TPF is a cross-target only. Preferred cross-host = GNU/Linux. - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' @@ -10330,7 +12923,7 @@ tpf*) ;; uts4*) - version_type=linux + version_type=linux # correct to gnu/linux during the next big refactor library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH @@ -10436,6 +13029,11 @@ fi + + + + + @@ -10772,7 +13370,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 10775 "configure" +#line $LINENO "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -10813,7 +13411,13 @@ else # endif #endif -void fnord() { int i=42;} +/* When -fvisbility=hidden is used, assume the code has been annotated + correspondingly for the symbols needed. */ +#if defined(__GNUC__) && (((__GNUC__ == 3) && (__GNUC_MINOR__ >= 3)) || (__GNUC__ > 3)) +int fnord () __attribute__((visibility("default"))); +#endif + +int fnord () { return 42; } int main () { void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW); 
@@ -10822,7 +13426,11 @@ int main () if (self) { if (dlsym (self,"fnord")) status = $lt_dlno_uscore; - else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; + else + { + if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; + else puts (dlerror ()); + } /* dlclose (self); */ } else @@ -10868,7 +13476,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 10871 "configure" +#line $LINENO "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -10909,7 +13517,13 @@ else # endif #endif -void fnord() { int i=42;} +/* When -fvisbility=hidden is used, assume the code has been annotated + correspondingly for the symbols needed. */ +#if defined(__GNUC__) && (((__GNUC__ == 3) && (__GNUC_MINOR__ >= 3)) || (__GNUC__ > 3)) +int fnord () __attribute__((visibility("default"))); +#endif + +int fnord () { return 42; } int main () { void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW); @@ -10918,7 +13532,11 @@ int main () if (self) { if (dlsym (self,"fnord")) status = $lt_dlno_uscore; - else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; + else + { + if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; + else puts (dlerror ()); + } /* dlclose (self); */ } else @@ -11087,6 +13705,8 @@ CC="$lt_save_CC" + + ac_config_commands="$ac_config_commands libtool" 
@@ -11099,138 +13719,155 @@ CC="$lt_save_CC" { $as_echo "$as_me:${as_lineno-$LINENO}: **************************************** types" >&5 $as_echo "$as_me: **************************************** types" >&6;} -# The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of unsigned char" >&5 -$as_echo_n "checking size of unsigned char... " >&6; } -if ${ac_cv_sizeof_unsigned_char+:} false; then : - $as_echo_n "(cached) " >&6 -else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (unsigned char))" "ac_cv_sizeof_unsigned_char" "$ac_includes_default"; then : +ac_fn_c_find_intX_t "$LINENO" "8" "ac_cv_c_int8_t" +case $ac_cv_c_int8_t in #( + no|yes) ;; #( + *) -else - if test "$ac_cv_type_unsigned_char" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (unsigned char) -See \`config.log' for more details" "$LINENO" 5; } - else - ac_cv_sizeof_unsigned_char=0 - fi -fi +cat >>confdefs.h <<_ACEOF +#define int8_t $ac_cv_c_int8_t +_ACEOF +;; +esac -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_unsigned_char" >&5 -$as_echo "$ac_cv_sizeof_unsigned_char" >&6; } +ac_fn_c_find_intX_t "$LINENO" "16" "ac_cv_c_int16_t" +case $ac_cv_c_int16_t in #( + no|yes) ;; #( + *) +cat >>confdefs.h <<_ACEOF +#define int16_t $ac_cv_c_int16_t +_ACEOF +;; +esac + +ac_fn_c_find_intX_t "$LINENO" "32" "ac_cv_c_int32_t" +case $ac_cv_c_int32_t in #( + no|yes) ;; #( + *) + +cat >>confdefs.h <<_ACEOF +#define int32_t $ac_cv_c_int32_t +_ACEOF +;; +esac + +ac_fn_c_find_intX_t "$LINENO" "64" "ac_cv_c_int64_t" +case $ac_cv_c_int64_t in #( + no|yes) ;; #( + *) + +cat >>confdefs.h <<_ACEOF +#define int64_t $ac_cv_c_int64_t +_ACEOF +;; +esac + 
+ac_fn_c_find_uintX_t "$LINENO" "8" "ac_cv_c_uint8_t" +case $ac_cv_c_uint8_t in #( + no|yes) ;; #( + *) + +$as_echo "#define _UINT8_T 1" >>confdefs.h cat >>confdefs.h <<_ACEOF -#define SIZEOF_UNSIGNED_CHAR $ac_cv_sizeof_unsigned_char +#define uint8_t $ac_cv_c_uint8_t _ACEOF +;; + esac - -# The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of unsigned short" >&5 -$as_echo_n "checking size of unsigned short... " >&6; } -if ${ac_cv_sizeof_unsigned_short+:} false; then : - $as_echo_n "(cached) " >&6 -else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (unsigned short))" "ac_cv_sizeof_unsigned_short" "$ac_includes_default"; then : - -else - if test "$ac_cv_type_unsigned_short" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (unsigned short) -See \`config.log' for more details" "$LINENO" 5; } - else - ac_cv_sizeof_unsigned_short=0 - fi -fi - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_unsigned_short" >&5 -$as_echo "$ac_cv_sizeof_unsigned_short" >&6; } - +ac_fn_c_find_uintX_t "$LINENO" "16" "ac_cv_c_uint16_t" +case $ac_cv_c_uint16_t in #( + no|yes) ;; #( + *) cat >>confdefs.h <<_ACEOF -#define SIZEOF_UNSIGNED_SHORT $ac_cv_sizeof_unsigned_short +#define uint16_t $ac_cv_c_uint16_t _ACEOF +;; + esac +ac_fn_c_find_uintX_t "$LINENO" "32" "ac_cv_c_uint32_t" +case $ac_cv_c_uint32_t in #( + no|yes) ;; #( + *) -# The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of unsigned int" >&5 -$as_echo_n "checking size of unsigned int... " >&6; } -if ${ac_cv_sizeof_unsigned_int+:} false; then : - $as_echo_n "(cached) " >&6 -else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (unsigned int))" "ac_cv_sizeof_unsigned_int" "$ac_includes_default"; then : - -else - if test "$ac_cv_type_unsigned_int" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (unsigned int) -See \`config.log' for more details" "$LINENO" 5; } - else - ac_cv_sizeof_unsigned_int=0 - fi -fi - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_unsigned_int" >&5 -$as_echo "$ac_cv_sizeof_unsigned_int" >&6; } - +$as_echo "#define _UINT32_T 1" >>confdefs.h cat >>confdefs.h <<_ACEOF -#define SIZEOF_UNSIGNED_INT $ac_cv_sizeof_unsigned_int +#define uint32_t $ac_cv_c_uint32_t _ACEOF +;; + esac +ac_fn_c_find_uintX_t "$LINENO" "64" "ac_cv_c_uint64_t" +case $ac_cv_c_uint64_t in #( + no|yes) ;; #( + *) -# The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of unsigned long" >&5 -$as_echo_n "checking size of unsigned long... 
" >&6; } -if ${ac_cv_sizeof_unsigned_long+:} false; then : - $as_echo_n "(cached) " >&6 -else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (unsigned long))" "ac_cv_sizeof_unsigned_long" "$ac_includes_default"; then : - -else - if test "$ac_cv_type_unsigned_long" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (unsigned long) -See \`config.log' for more details" "$LINENO" 5; } - else - ac_cv_sizeof_unsigned_long=0 - fi -fi - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_unsigned_long" >&5 -$as_echo "$ac_cv_sizeof_unsigned_long" >&6; } - +$as_echo "#define _UINT64_T 1" >>confdefs.h cat >>confdefs.h <<_ACEOF -#define SIZEOF_UNSIGNED_LONG $ac_cv_sizeof_unsigned_long +#define uint64_t $ac_cv_c_uint64_t +_ACEOF +;; + esac + +ac_fn_c_check_type "$LINENO" "size_t" "ac_cv_type_size_t" "$ac_includes_default" +if test "x$ac_cv_type_size_t" = xyes; then : + +else + +cat >>confdefs.h <<_ACEOF +#define size_t unsigned int _ACEOF +fi +ac_fn_c_check_type "$LINENO" "ssize_t" "ac_cv_type_ssize_t" "$ac_includes_default" +if test "x$ac_cv_type_ssize_t" = xyes; then : + +else + +cat >>confdefs.h <<_ACEOF +#define ssize_t int +_ACEOF + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for uid_t in sys/types.h" >&5 +$as_echo_n "checking for uid_t in sys/types.h... " >&6; } +if ${ac_cv_type_uid_t+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "uid_t" >/dev/null 2>&1; then : + ac_cv_type_uid_t=yes +else + ac_cv_type_uid_t=no +fi +rm -f conftest* + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_uid_t" >&5 +$as_echo "$ac_cv_type_uid_t" >&6; } +if test $ac_cv_type_uid_t = no; then + +$as_echo "#define uid_t int" >>confdefs.h + + +$as_echo "#define gid_t int" >>confdefs.h + +fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for socklen_t" >&5 $as_echo_n "checking for socklen_t... " >&6; } @@ -11252,7 +13889,6 @@ $as_echo "#define socklen_t int" >>confdefs.h fi rm -f conftest* - ac_fn_c_check_type "$LINENO" "struct sockaddr_un" "ac_cv_type_struct_sockaddr_un" "#include " if test "x$ac_cv_type_struct_sockaddr_un" = xyes; then : @@ -11278,7 +13914,7 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: **************************************** PTY device files" >&5 $as_echo "$as_me: **************************************** PTY device files" >&6;} -if test "$cross_compiling" = "no"; then +if test "x$cross_compiling" = "xno"; then as_ac_File=`$as_echo "ac_cv_file_"/dev/ptmx"" | $as_tr_sh` { $as_echo "$as_me:${as_lineno-$LINENO}: checking for \"/dev/ptmx\"" >&5 $as_echo_n "checking for \"/dev/ptmx\"... " >&6; } @@ -11333,7 +13969,7 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: **************************************** entropy sources" >&5 $as_echo "$as_me: **************************************** entropy sources" >&6;} -if test "$cross_compiling" = "no"; then +if test "x$cross_compiling" = "xno"; then # Check whether --with-egd-socket was given. if test "${with_egd_socket+set}" = set; then : 
@@ -11398,7 +14034,7 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: **************************************** default group" >&5 $as_echo "$as_me: **************************************** default group" >&6;} DEFAULT_GROUP=nobody -if test "$cross_compiling" = "no"; then +if test "x$cross_compiling" = "xno"; then grep '^nogroup:' /etc/group >/dev/null && DEFAULT_GROUP=nogroup else { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cross-compilation: assuming nogroup is not available" >&5 
@@ -11410,12 +14046,214 @@ $as_echo_n "checking for default group... " >&6; } $as_echo "$DEFAULT_GROUP" >&6; } +# Check whether --enable-largefile was given. +if test "${enable_largefile+set}" = set; then : + enableval=$enable_largefile; +fi + +if test "$enable_largefile" != no; then + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for special C compiler options needed for large files" >&5 +$as_echo_n "checking for special C compiler options needed for large files... " >&6; } +if ${ac_cv_sys_largefile_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_cv_sys_largefile_CC=no + if test "$GCC" != yes; then + ac_save_CC=$CC + while :; do + # IRIX 6.2 and later do not support large files by default, + # so use the C compiler's -n32 option if that helps. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + /* Check that off_t can represent 2**63 - 1 correctly. + We can't simply define LARGE_OFF_T to be 9223372036854775807, + since some C++ compilers masquerading as C compilers + incorrectly reject 9223372036854775807. */ +#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) + int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 + && LARGE_OFF_T % 2147483647 == 1) + ? 
1 : -1]; +int +main () +{ + + ; + return 0; +} +_ACEOF + if ac_fn_c_try_compile "$LINENO"; then : + break +fi +rm -f core conftest.err conftest.$ac_objext + CC="$CC -n32" + if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_sys_largefile_CC=' -n32'; break +fi +rm -f core conftest.err conftest.$ac_objext + break + done + CC=$ac_save_CC + rm -f conftest.$ac_ext + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sys_largefile_CC" >&5 +$as_echo "$ac_cv_sys_largefile_CC" >&6; } + if test "$ac_cv_sys_largefile_CC" != no; then + CC=$CC$ac_cv_sys_largefile_CC + fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for _FILE_OFFSET_BITS value needed for large files" >&5 +$as_echo_n "checking for _FILE_OFFSET_BITS value needed for large files... " >&6; } +if ${ac_cv_sys_file_offset_bits+:} false; then : + $as_echo_n "(cached) " >&6 +else + while :; do + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + /* Check that off_t can represent 2**63 - 1 correctly. + We can't simply define LARGE_OFF_T to be 9223372036854775807, + since some C++ compilers masquerading as C compilers + incorrectly reject 9223372036854775807. */ +#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) + int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 + && LARGE_OFF_T % 2147483647 == 1) + ? 1 : -1]; +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_sys_file_offset_bits=no; break +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#define _FILE_OFFSET_BITS 64 +#include + /* Check that off_t can represent 2**63 - 1 correctly. + We can't simply define LARGE_OFF_T to be 9223372036854775807, + since some C++ compilers masquerading as C compilers + incorrectly reject 9223372036854775807. 
*/ +#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) + int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 + && LARGE_OFF_T % 2147483647 == 1) + ? 1 : -1]; +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_sys_file_offset_bits=64; break +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + ac_cv_sys_file_offset_bits=unknown + break +done +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sys_file_offset_bits" >&5 +$as_echo "$ac_cv_sys_file_offset_bits" >&6; } +case $ac_cv_sys_file_offset_bits in #( + no | unknown) ;; + *) +cat >>confdefs.h <<_ACEOF +#define _FILE_OFFSET_BITS $ac_cv_sys_file_offset_bits +_ACEOF +;; +esac +rm -rf conftest* + if test $ac_cv_sys_file_offset_bits = unknown; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for _LARGE_FILES value needed for large files" >&5 +$as_echo_n "checking for _LARGE_FILES value needed for large files... " >&6; } +if ${ac_cv_sys_large_files+:} false; then : + $as_echo_n "(cached) " >&6 +else + while :; do + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + /* Check that off_t can represent 2**63 - 1 correctly. + We can't simply define LARGE_OFF_T to be 9223372036854775807, + since some C++ compilers masquerading as C compilers + incorrectly reject 9223372036854775807. */ +#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) + int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 + && LARGE_OFF_T % 2147483647 == 1) + ? 1 : -1]; +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_sys_large_files=no; break +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#define _LARGE_FILES 1 +#include + /* Check that off_t can represent 2**63 - 1 correctly. 
+ We can't simply define LARGE_OFF_T to be 9223372036854775807, + since some C++ compilers masquerading as C compilers + incorrectly reject 9223372036854775807. */ +#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31)) + int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 + && LARGE_OFF_T % 2147483647 == 1) + ? 1 : -1]; +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_sys_large_files=1; break +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + ac_cv_sys_large_files=unknown + break +done +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sys_large_files" >&5 +$as_echo "$ac_cv_sys_large_files" >&6; } +case $ac_cv_sys_large_files in #( + no | unknown) ;; + *) +cat >>confdefs.h <<_ACEOF +#define _LARGE_FILES $ac_cv_sys_large_files +_ACEOF +;; +esac +rm -rf conftest* + fi + + +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: **************************************** header files" >&5 $as_echo "$as_me: **************************************** header files" >&6;} # AC_HEADER_DIRENT # AC_HEADER_STDC # AC_HEADER_SYS_WAIT -for ac_header in malloc.h ucontext.h pthread.h poll.h tcpd.h stropts.h grp.h unistd.h util.h libutil.h pty.h +for ac_header in stdint.h inttypes.h malloc.h ucontext.h pthread.h poll.h \ + tcpd.h stropts.h grp.h unistd.h util.h libutil.h pty.h limits.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" @@ -11428,7 +14266,8 @@ fi done -for ac_header in sys/types.h sys/select.h sys/poll.h sys/socket.h sys/un.h sys/ioctl.h sys/filio.h sys/resource.h sys/uio.h +for ac_header in sys/types.h sys/select.h sys/poll.h sys/socket.h sys/un.h \ + sys/ioctl.h sys/filio.h sys/resource.h sys/uio.h sys/syscall.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" 
@@ -11441,6 +14280,18 @@ fi done +for ac_header in linux/sched.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "linux/sched.h" "ac_cv_header_linux_sched_h" "$ac_includes_default" +if test "x$ac_cv_header_linux_sched_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LINUX_SCHED_H 1 +_ACEOF + +fi + +done + ac_fn_c_check_member "$LINENO" "struct msghdr" "msg_control" "ac_cv_member_struct_msghdr_msg_control" " $ac_includes_default #include @@ -11703,7 +14554,7 @@ if test "$ac_res" != no; then : fi -# Checks for dynamic loader and zlib needed by OpenSSL +# Checks for dynamic loader needed by OpenSSL { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlopen" >&5 $as_echo_n "checking for library containing dlopen... " >&6; } if ${ac_cv_search_dlopen+:} false; then : 
@@ -11816,269 +14667,12 @@ if test "$ac_res" != no; then : fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing inflateEnd" >&5 -$as_echo_n "checking for library containing inflateEnd... " >&6; } -if ${ac_cv_search_inflateEnd+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_func_search_save_LIBS=$LIBS -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char inflateEnd (); -int -main () -{ -return inflateEnd (); - ; - return 0; -} -_ACEOF -for ac_lib in '' z; do - if test -z "$ac_lib"; then - ac_res="none required" - else - ac_res=-l$ac_lib - LIBS="-l$ac_lib $ac_func_search_save_LIBS" - fi - if ac_fn_c_try_link "$LINENO"; then : - ac_cv_search_inflateEnd=$ac_res -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext - if ${ac_cv_search_inflateEnd+:} false; then : - break -fi -done -if ${ac_cv_search_inflateEnd+:} false; then : - -else - ac_cv_search_inflateEnd=no -fi -rm conftest.$ac_ext -LIBS=$ac_func_search_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_inflateEnd" >&5 -$as_echo "$ac_cv_search_inflateEnd" >&6; } -ac_res=$ac_cv_search_inflateEnd -if test "$ac_res" != no; then : - test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" - -fi - # Add BeOS libraries -if test "$host_os" = "beos"; then +if test "x$host_os" = "xbeos"; then LIBS="$LIBS -lbe -lroot -lbind" fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: **************************************** thread model" >&5 -$as_echo "$as_me: **************************************** thread model" >&6;} - -checkpthreadlib() { : - # 1. 
BSD hack: attempt to use alternative libc implementation if available - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc_r" >&5 -$as_echo_n "checking for pthread_create in -lc_r... " >&6; } -if ${ac_cv_lib_c_r_pthread_create+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lc_r $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char pthread_create (); -int -main () -{ -return pthread_create (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_c_r_pthread_create=yes -else - ac_cv_lib_c_r_pthread_create=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_r_pthread_create" >&5 -$as_echo "$ac_cv_lib_c_r_pthread_create" >&6; } -if test "x$ac_cv_lib_c_r_pthread_create" = xyes; then : - - LIBS="$LIBS -pthread" - HAVE_LIBPTHREAD="yes" - -$as_echo "#define HAVE_LIBPTHREAD 1" >>confdefs.h - - - -fi - - - # 2. try to use from standard libc (required by Android and possibly other platforms) - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc" >&5 -$as_echo_n "checking for pthread_create in -lc... " >&6; } -if ${ac_cv_lib_c_pthread_create+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lc $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. 
*/ -#ifdef __cplusplus -extern "C" -#endif -char pthread_create (); -int -main () -{ -return pthread_create (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_c_pthread_create=yes -else - ac_cv_lib_c_pthread_create=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_pthread_create" >&5 -$as_echo "$ac_cv_lib_c_pthread_create" >&6; } -if test "x$ac_cv_lib_c_pthread_create" = xyes; then : - - HAVE_LIBPTHREAD="yes" - -$as_echo "#define HAVE_LIBPTHREAD 1" >>confdefs.h - - - -fi - - - # 3. try libpthread: OSF hack instead of simple AC_CHECK_LIB here - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5 -$as_echo_n "checking for pthread_create in -lpthread... " >&6; } - valid_LIBS="$LIBS" - LIBS="$valid_LIBS -lpthread" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -#include - -int -main () -{ - -pthread_create((void *)0, (void *)0, (void *)0, (void *)0) - - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - HAVE_LIBPTHREAD="yes" - -$as_echo "#define HAVE_LIBPTHREAD 1" >>confdefs.h - - -else - - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - LIBS="$valid_LIBS" - - -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -} - - -# Check whether --with-threads was given. 
-if test "${with_threads+set}" = set; then : - withval=$with_threads; - case "$withval" in - ucontext) - { $as_echo "$as_me:${as_lineno-$LINENO}: UCONTEXT mode selected" >&5 -$as_echo "$as_me: UCONTEXT mode selected" >&6;} - -$as_echo "#define USE_UCONTEXT 1" >>confdefs.h - - ;; - pthread) - checkpthreadlib - { $as_echo "$as_me:${as_lineno-$LINENO}: PTHREAD mode selected" >&5 -$as_echo "$as_me: PTHREAD mode selected" >&6;} - -$as_echo "#define USE_PTHREAD 1" >>confdefs.h - - ;; - fork) - { $as_echo "$as_me:${as_lineno-$LINENO}: FORK mode selected" >&5 -$as_echo "$as_me: FORK mode selected" >&6;} - -$as_echo "#define USE_FORK 1" >>confdefs.h - - ;; - *) - as_fn_error $? "Unknown thread model \"${withval}\"" "$LINENO" 5 - ;; - esac - -else - - checkpthreadlib - if test "$HAVE_LIBPTHREAD" = "yes" -a "$ac_cv_header_pthread_h" = "yes"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: PTHREAD thread model detected" >&5 -$as_echo "$as_me: PTHREAD thread model detected" >&6;} - -$as_echo "#define USE_PTHREAD 1" >>confdefs.h - - elif test "$ac_cv_func_getcontext" = "yes" -a "$ac_cv_header_ucontext_h" = "yes"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: UCONTEXT thread model detected" >&5 -$as_echo "$as_me: UCONTEXT thread model detected" >&6;} - -$as_echo "#define USE_UCONTEXT 1" >>confdefs.h - - else - { $as_echo "$as_me:${as_lineno-$LINENO}: FORK thread model detected" >&5 -$as_echo "$as_me: FORK thread model detected" >&6;} - -$as_echo "#define USE_FORK 1" >>confdefs.h - - fi - -fi - - { $as_echo "$as_me:${as_lineno-$LINENO}: **************************************** library functions" >&5 $as_echo "$as_me: **************************************** library functions" >&6;} # safe string operations 
@@ -12108,7 +14702,7 @@ fi done # Unix -for ac_func in daemon waitpid wait4 setsid setgroups chroot +for ac_func in daemon waitpid wait4 setsid setgroups chroot realpath do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @@ -12214,11 +14808,11 @@ rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext ;; esac -# poll() is not recommended on Mac OS X <=10.3 and broken on Mac OS X >=10.4 +# poll() is not recommended on Mac OS X <= 10.3 and broken on Mac OS X 10.4 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for broken poll() implementation" >&5 $as_echo_n "checking for broken poll() implementation... " >&6; } case "$host_os" in -darwin*) +darwin0-8.*) { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes (poll() disabled)" >&5 $as_echo "yes (poll() disabled)" >&6; } 
@@ -12269,30 +14863,238 @@ $as_echo "error" >&6; } esac else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; }; + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes (default)" >&5 +$as_echo "yes (default)" >&6; } + $as_echo "#define USE_IPv6 1" >>confdefs.h + +fi + + +# FIPS Mode +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable FIPS support" >&5 +$as_echo_n "checking whether to enable FIPS support... " >&6; } +# Check whether --enable-fips was given. +if test "${enable_fips+set}" = set; then : + enableval=$enable_fips; + case "$enableval" in + yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + use_fips="yes" + +$as_echo "#define USE_FIPS 1" >>confdefs.h + + ;; + no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + use_fips="no" + ;; + *) { $as_echo "$as_me:${as_lineno-$LINENO}: result: error" >&5 +$as_echo "error" >&6; } + as_fn_error $? "bad value \"${enableval}\"" "$LINENO" 5 + ;; + esac + +else + + use_fips="auto" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: autodetecting" >&5 +$as_echo "autodetecting" >&6; } + + +fi + + +# Disable systemd socket activation support +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable systemd socket activation support" >&5 +$as_echo_n "checking whether to enable systemd socket activation support... " >&6; } +# Check whether --enable-systemd was given. +if test "${enable_systemd+set}" = set; then : + enableval=$enable_systemd; + case "$enableval" in + yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing sd_listen_fds" >&5 +$as_echo_n "checking for library containing sd_listen_fds... " >&6; } +if ${ac_cv_search_sd_listen_fds+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char sd_listen_fds (); +int +main () +{ +return sd_listen_fds (); + ; + return 0; +} +_ACEOF +for ac_lib in '' systemd systemd-daemon; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_sd_listen_fds=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_sd_listen_fds+:} false; then : + break +fi +done +if ${ac_cv_search_sd_listen_fds+:} false; then : + +else + ac_cv_search_sd_listen_fds=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_sd_listen_fds" >&5 +$as_echo "$ac_cv_search_sd_listen_fds" >&6; } +ac_res=$ac_cv_search_sd_listen_fds +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +fi + + +$as_echo "#define USE_SYSTEMD 1" >>confdefs.h + + ;; + no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + ;; + *) { $as_echo "$as_me:${as_lineno-$LINENO}: result: error" >&5 +$as_echo "error" >&6; } + as_fn_error $? "Bad value \"${enableval}\"" "$LINENO" 5 + ;; + esac + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: autodetecting" >&5 +$as_echo "autodetecting" >&6; } + # the library name has changed to -lsystemd in systemd 209 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing sd_listen_fds" >&5 +$as_echo_n "checking for library containing sd_listen_fds... " >&6; } +if ${ac_cv_search_sd_listen_fds+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char sd_listen_fds (); +int +main () +{ +return sd_listen_fds (); + ; + return 0; +} +_ACEOF +for ac_lib in '' systemd systemd-daemon; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_sd_listen_fds=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_sd_listen_fds+:} false; then : + break +fi +done +if ${ac_cv_search_sd_listen_fds+:} false; then : + +else + ac_cv_search_sd_listen_fds=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_sd_listen_fds" >&5 +$as_echo "$ac_cv_search_sd_listen_fds" >&6; } +ac_res=$ac_cv_search_sd_listen_fds +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + for ac_header in systemd/sd-daemon.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "systemd/sd-daemon.h" "ac_cv_header_systemd_sd_daemon_h" "$ac_includes_default" +if test "x$ac_cv_header_systemd_sd_daemon_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_SYSTEMD_SD_DAEMON_H 1 +_ACEOF + + +$as_echo "#define USE_SYSTEMD 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: systemd support enabled" >&5 +$as_echo "$as_me: systemd support enabled" >&6;} + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: systemd header not found" >&5 +$as_echo "$as_me: systemd header not found" >&6;} + +fi + +done + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: systemd library not found" >&5 +$as_echo "$as_me: systemd library not found" >&6;} + +fi + + + fi # Disable use of libwrap (TCP wrappers) # it should be the last check! 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to disable TCP wrappers library support" >&5 -$as_echo_n "checking whether to disable TCP wrappers library support... " >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable TCP wrappers support" >&5 +$as_echo_n "checking whether to enable TCP wrappers support... " >&6; } # Check whether --enable-libwrap was given. if test "${enable_libwrap+set}" = set; then : enableval=$enable_libwrap; case "$enableval" in - yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } + yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } -$as_echo "#define HAVE_LIBWRAP 1" >>confdefs.h +$as_echo "#define USE_LIBWRAP 1" >>confdefs.h LIBS="$LIBS -lwrap" ;; - no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } + no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } ;; *) { $as_echo "$as_me:${as_lineno-$LINENO}: result: error" >&5 $as_echo "error" >&6; } 
@@ -12311,27 +15113,34 @@ $as_echo_n "checking for hosts_access in -lwrap... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -int hosts_access(); int allow_severity, deny_severity; - + int hosts_access(); int allow_severity, deny_severity; int main () { - hosts_access() - - ; return 0; } + _ACEOF if ac_fn_c_try_link "$LINENO"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; }; -$as_echo "#define HAVE_LIBWRAP 1" >>confdefs.h + +$as_echo "#define USE_LIBWRAP 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: libwrap support enabled" >&5 +$as_echo "$as_me: libwrap support enabled" >&6;} else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; }; LIBS="$valid_LIBS" + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + LIBS="$valid_LIBS" + { $as_echo "$as_me:${as_lineno-$LINENO}: libwrap library not found" >&5 +$as_echo "$as_me: libwrap library not found" >&6;} + fi rm -f core conftest.err conftest.$ac_objext \ 
@@ -12341,78 +15150,59 @@ rm -f core conftest.err conftest.$ac_objext \ fi -# FIPS Mode -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable FIPS mode support" >&5 -$as_echo_n "checking whether to enable FIPS mode support... " >&6; } -# Check whether --enable-fips was given. -if test "${enable_fips+set}" = set; then : - enableval=$enable_fips; - case "$enableval" in - yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - sub_dirs="/ssl/fips /ssl/fips-1.0 /" - fips="yes" - -$as_echo "#define USE_FIPS 1" >>confdefs.h - - ;; - no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - sub_dirs="/ssl /openssl /" - fips="no" - ;; - *) { $as_echo "$as_me:${as_lineno-$LINENO}: result: error" >&5 -$as_echo "error" >&6; } - as_fn_error $? "bad value \"${enableval}\"" "$LINENO" 5 - ;; - esac +{ $as_echo "$as_me:${as_lineno-$LINENO}: **************************************** TLS" >&5 +$as_echo "$as_me: **************************************** TLS" >&6;} +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for compiler sysroot" >&5 +$as_echo_n "checking for compiler sysroot... 
" >&6; } +if test "x$GCC" = "xyes"; then + sysroot=`$CC --print-sysroot 2>/dev/null` +fi +if test -z "$sysroot" -o "x$sysroot" = "x/"; then + sysroot="" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: /" >&5 +$as_echo "/" >&6; } else - - sub_dirs="/ssl/fips /ssl/fips-1.0 /ssl /openssl /" - fips="auto" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: autodetecting" >&5 -$as_echo "autodetecting" >&6; } - - + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sysroot" >&5 +$as_echo "$sysroot" >&6; } fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: **************************************** SSL" >&5 -$as_echo "$as_me: **************************************** SSL" >&6;} check_ssl_dir() { : - SSLDIR="$1" - if test -f "$1/include/openssl/ssl.h"; then - return 0 - fi - return 1 + test -n "$1" -a -f "$1/include/openssl/ssl.h" && SSLDIR="$1" } -# Check for SSL directory -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL directory" >&5 -$as_echo_n "checking for SSL directory... " >&6; } +find_ssl_dir() { : + stunnel_prefix="$prefix" + test "x$stunnel_prefix" = "xNONE" && stunnel_prefix=$ac_default_prefix + for main_dir in "$stunnel_prefix" "/usr/local" "/usr/lib" "/usr/pkg" "/opt/local" "/opt" "/opt/csw" "/usr" ""; do + for sub_dir in "/ssl" "/openssl" "/ossl" ""; do + check_ssl_dir "$sysroot$main_dir$sub_dir" && return + done + done + if test -x "/usr/bin/xcrun"; then + sdk_path=`/usr/bin/xcrun --sdk macosx --show-sdk-path` + check_ssl_dir "$sdk_path/usr" && return + fi + check_ssl_dir "/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-migrator/sdk/MacOSX.sdk/usr" +} + +SSLDIR="" +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for TLS directory" >&5 +$as_echo_n "checking for TLS directory... " >&6; } # Check whether --with-ssl was given. 
if test "${with_ssl+set}" = set; then : - withval=$with_ssl; - check_ssl_dir "$withval" - + withval=$with_ssl; check_ssl_dir "$withval" else - - for main_dir in /usr/local /usr/lib /usr/pkg /opt/local /opt /usr; do - for sub_dir in $sub_dirs; do - check_ssl_dir "$main_dir$sub_dir" && break 2 - done - done - + find_ssl_dir fi -if test ! -d "$SSLDIR"; then +if test -z "$SSLDIR"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5 $as_echo "not found" >&6; } as_fn_error $? " -Couldn't find your SSL library installation dir +Could not find your TLS library installation dir Use --with-ssl option to fix this problem " "$LINENO" 5 fi 
@@ -12428,46 +15218,7 @@ _ACEOF valid_CPPFLAGS="$CPPFLAGS"; CPPFLAGS="$CPPFLAGS -I$SSLDIR/include" valid_LIBS="$LIBS"; LIBS="$LIBS -L$SSLDIR/lib64 -L$SSLDIR/lib -lssl -lcrypto" -as_ac_Header=`$as_echo "ac_cv_header_$SSLDIR/include/openssl/engine.h" | $as_tr_sh` -ac_fn_c_check_header_mongrel "$LINENO" "$SSLDIR/include/openssl/engine.h" "$as_ac_Header" "$ac_includes_default" -if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : - -$as_echo "#define HAVE_OSSL_ENGINE_H 1" >>confdefs.h - -else - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: OpenSSL engine header not found" >&5 -$as_echo "$as_me: WARNING: OpenSSL engine header not found" >&2;} -fi - - - -as_ac_Header=`$as_echo "ac_cv_header_$SSLDIR/include/openssl/ocsp.h" | $as_tr_sh` -ac_fn_c_check_header_mongrel "$LINENO" "$SSLDIR/include/openssl/ocsp.h" "$as_ac_Header" "$ac_includes_default" -if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : - -$as_echo "#define HAVE_OSSL_OCSP_H 1" >>confdefs.h - -else - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: OpenSSL ocsp header not found" >&5 -$as_echo "$as_me: WARNING: OpenSSL ocsp header not found" >&2;} -fi - - - -as_ac_Header=`$as_echo "ac_cv_header_$SSLDIR/include/openssl/fips.h" | $as_tr_sh` -ac_fn_c_check_header_mongrel "$LINENO" "$SSLDIR/include/openssl/fips.h" "$as_ac_Header" "$ac_includes_default" -if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : - -$as_echo "#define HAVE_OSSL_FIPS_H 1" >>confdefs.h - -else - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: OpenSSL fips header not found" >&5 -$as_echo "$as_me: WARNING: OpenSSL fips header not found" >&2;} -fi - - - -if test "$fips" = "auto"; then +if test "x$use_fips" = "xauto"; then for ac_func in FIPS_mode_set do : ac_fn_c_check_func "$LINENO" "FIPS_mode_set" "ac_cv_func_FIPS_mode_set" 
@@ -12479,13 +15230,13 @@ _ACEOF $as_echo "#define USE_FIPS 1" >>confdefs.h - { $as_echo "$as_me:${as_lineno-$LINENO}: FIPS mode detected" >&5 -$as_echo "$as_me: FIPS mode detected" >&6;} + { $as_echo "$as_me:${as_lineno-$LINENO}: FIPS support enabled" >&5 +$as_echo "$as_me: FIPS support enabled" >&6;} else - { $as_echo "$as_me:${as_lineno-$LINENO}: FIPS mode not detected" >&5 -$as_echo "$as_me: FIPS mode not detected" >&6;} + { $as_echo "$as_me:${as_lineno-$LINENO}: FIPS support not found" >&5 +$as_echo "$as_me: FIPS support not found" >&6;} fi done @@ -12497,7 +15248,7 @@ LIBS="$valid_LIBS" { $as_echo "$as_me:${as_lineno-$LINENO}: **************************************** write the results" >&5 $as_echo "$as_me: **************************************** write the results" >&6;} -ac_config_files="$ac_config_files Makefile src/Makefile src/stunnel3 doc/Makefile tools/Makefile tools/stunnel.conf-sample tools/stunnel.init tools/stunnel.service" +ac_config_files="$ac_config_files Makefile src/Makefile doc/Makefile tools/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -12608,6 +15359,14 @@ LIBOBJS=$ac_libobjs LTLIBOBJS=$ac_ltlibobjs +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking that generated files are newer than configure" >&5 +$as_echo_n "checking that generated files are newer than configure... " >&6; } + if test -n "$am_sleep_pid"; then + # Hide warnings about reused PIDs. + wait $am_sleep_pid 2>/dev/null + fi + { $as_echo "$as_me:${as_lineno-$LINENO}: result: done" >&5 +$as_echo "done" >&6; } if test -n "$EXEEXT"; then am__EXEEXT_TRUE= am__EXEEXT_FALSE='#' 
@@ -12616,6 +15375,10 @@ else am__EXEEXT_FALSE= fi +if test -z "${AUTHOR_TESTS_TRUE}" && test -z "${AUTHOR_TESTS_FALSE}"; then + as_fn_error $? "conditional \"AUTHOR_TESTS\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then as_fn_error $? "conditional \"AMDEP\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -13021,7 +15784,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by stunnel $as_me 4.57, which was +This file was extended by stunnel $as_me 5.42, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -13087,7 +15850,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -stunnel config.status 4.57 +stunnel config.status 5.42 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" 
@@ -13216,131 +15979,154 @@ AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir" sed_quote_subst='$sed_quote_subst' double_quote_subst='$double_quote_subst' delay_variable_subst='$delay_variable_subst' -macro_version='`$ECHO "X$macro_version" | $Xsed -e "$delay_single_quote_subst"`' -macro_revision='`$ECHO "X$macro_revision" | $Xsed -e "$delay_single_quote_subst"`' -enable_static='`$ECHO "X$enable_static" | $Xsed -e "$delay_single_quote_subst"`' -enable_shared='`$ECHO "X$enable_shared" | $Xsed -e "$delay_single_quote_subst"`' -pic_mode='`$ECHO "X$pic_mode" | $Xsed -e "$delay_single_quote_subst"`' -enable_fast_install='`$ECHO "X$enable_fast_install" | $Xsed -e "$delay_single_quote_subst"`' -host_alias='`$ECHO "X$host_alias" | $Xsed -e "$delay_single_quote_subst"`' -host='`$ECHO "X$host" | $Xsed -e "$delay_single_quote_subst"`' -host_os='`$ECHO "X$host_os" | $Xsed -e "$delay_single_quote_subst"`' -build_alias='`$ECHO "X$build_alias" | $Xsed -e "$delay_single_quote_subst"`' -build='`$ECHO "X$build" | $Xsed -e "$delay_single_quote_subst"`' -build_os='`$ECHO "X$build_os" | $Xsed -e "$delay_single_quote_subst"`' -SED='`$ECHO "X$SED" | $Xsed -e "$delay_single_quote_subst"`' -Xsed='`$ECHO "X$Xsed" | $Xsed -e "$delay_single_quote_subst"`' -GREP='`$ECHO "X$GREP" | $Xsed -e "$delay_single_quote_subst"`' -EGREP='`$ECHO "X$EGREP" | $Xsed -e "$delay_single_quote_subst"`' -FGREP='`$ECHO "X$FGREP" | $Xsed -e "$delay_single_quote_subst"`' -LD='`$ECHO "X$LD" | $Xsed -e "$delay_single_quote_subst"`' -NM='`$ECHO "X$NM" | $Xsed -e "$delay_single_quote_subst"`' -LN_S='`$ECHO "X$LN_S" | $Xsed -e "$delay_single_quote_subst"`' -max_cmd_len='`$ECHO "X$max_cmd_len" | $Xsed -e "$delay_single_quote_subst"`' -ac_objext='`$ECHO "X$ac_objext" | $Xsed -e "$delay_single_quote_subst"`' -exeext='`$ECHO "X$exeext" | $Xsed -e "$delay_single_quote_subst"`' -lt_unset='`$ECHO "X$lt_unset" | $Xsed -e "$delay_single_quote_subst"`' -lt_SP2NL='`$ECHO "X$lt_SP2NL" | $Xsed -e "$delay_single_quote_subst"`' 
-lt_NL2SP='`$ECHO "X$lt_NL2SP" | $Xsed -e "$delay_single_quote_subst"`' -reload_flag='`$ECHO "X$reload_flag" | $Xsed -e "$delay_single_quote_subst"`' -reload_cmds='`$ECHO "X$reload_cmds" | $Xsed -e "$delay_single_quote_subst"`' -OBJDUMP='`$ECHO "X$OBJDUMP" | $Xsed -e "$delay_single_quote_subst"`' -deplibs_check_method='`$ECHO "X$deplibs_check_method" | $Xsed -e "$delay_single_quote_subst"`' -file_magic_cmd='`$ECHO "X$file_magic_cmd" | $Xsed -e "$delay_single_quote_subst"`' -AR='`$ECHO "X$AR" | $Xsed -e "$delay_single_quote_subst"`' -AR_FLAGS='`$ECHO "X$AR_FLAGS" | $Xsed -e "$delay_single_quote_subst"`' -STRIP='`$ECHO "X$STRIP" | $Xsed -e "$delay_single_quote_subst"`' -RANLIB='`$ECHO "X$RANLIB" | $Xsed -e "$delay_single_quote_subst"`' -old_postinstall_cmds='`$ECHO "X$old_postinstall_cmds" | $Xsed -e "$delay_single_quote_subst"`' -old_postuninstall_cmds='`$ECHO "X$old_postuninstall_cmds" | $Xsed -e "$delay_single_quote_subst"`' -old_archive_cmds='`$ECHO "X$old_archive_cmds" | $Xsed -e "$delay_single_quote_subst"`' -CC='`$ECHO "X$CC" | $Xsed -e "$delay_single_quote_subst"`' -CFLAGS='`$ECHO "X$CFLAGS" | $Xsed -e "$delay_single_quote_subst"`' -compiler='`$ECHO "X$compiler" | $Xsed -e "$delay_single_quote_subst"`' -GCC='`$ECHO "X$GCC" | $Xsed -e "$delay_single_quote_subst"`' -lt_cv_sys_global_symbol_pipe='`$ECHO "X$lt_cv_sys_global_symbol_pipe" | $Xsed -e "$delay_single_quote_subst"`' -lt_cv_sys_global_symbol_to_cdecl='`$ECHO "X$lt_cv_sys_global_symbol_to_cdecl" | $Xsed -e "$delay_single_quote_subst"`' -lt_cv_sys_global_symbol_to_c_name_address='`$ECHO "X$lt_cv_sys_global_symbol_to_c_name_address" | $Xsed -e "$delay_single_quote_subst"`' -lt_cv_sys_global_symbol_to_c_name_address_lib_prefix='`$ECHO "X$lt_cv_sys_global_symbol_to_c_name_address_lib_prefix" | $Xsed -e "$delay_single_quote_subst"`' -objdir='`$ECHO "X$objdir" | $Xsed -e "$delay_single_quote_subst"`' -SHELL='`$ECHO "X$SHELL" | $Xsed -e "$delay_single_quote_subst"`' -ECHO='`$ECHO "X$ECHO" | $Xsed -e 
"$delay_single_quote_subst"`' -MAGIC_CMD='`$ECHO "X$MAGIC_CMD" | $Xsed -e "$delay_single_quote_subst"`' -lt_prog_compiler_no_builtin_flag='`$ECHO "X$lt_prog_compiler_no_builtin_flag" | $Xsed -e "$delay_single_quote_subst"`' -lt_prog_compiler_wl='`$ECHO "X$lt_prog_compiler_wl" | $Xsed -e "$delay_single_quote_subst"`' -lt_prog_compiler_pic='`$ECHO "X$lt_prog_compiler_pic" | $Xsed -e "$delay_single_quote_subst"`' -lt_prog_compiler_static='`$ECHO "X$lt_prog_compiler_static" | $Xsed -e "$delay_single_quote_subst"`' -lt_cv_prog_compiler_c_o='`$ECHO "X$lt_cv_prog_compiler_c_o" | $Xsed -e "$delay_single_quote_subst"`' -need_locks='`$ECHO "X$need_locks" | $Xsed -e "$delay_single_quote_subst"`' -DSYMUTIL='`$ECHO "X$DSYMUTIL" | $Xsed -e "$delay_single_quote_subst"`' -NMEDIT='`$ECHO "X$NMEDIT" | $Xsed -e "$delay_single_quote_subst"`' -LIPO='`$ECHO "X$LIPO" | $Xsed -e "$delay_single_quote_subst"`' -OTOOL='`$ECHO "X$OTOOL" | $Xsed -e "$delay_single_quote_subst"`' -OTOOL64='`$ECHO "X$OTOOL64" | $Xsed -e "$delay_single_quote_subst"`' -libext='`$ECHO "X$libext" | $Xsed -e "$delay_single_quote_subst"`' -shrext_cmds='`$ECHO "X$shrext_cmds" | $Xsed -e "$delay_single_quote_subst"`' -extract_expsyms_cmds='`$ECHO "X$extract_expsyms_cmds" | $Xsed -e "$delay_single_quote_subst"`' -archive_cmds_need_lc='`$ECHO "X$archive_cmds_need_lc" | $Xsed -e "$delay_single_quote_subst"`' -enable_shared_with_static_runtimes='`$ECHO "X$enable_shared_with_static_runtimes" | $Xsed -e "$delay_single_quote_subst"`' -export_dynamic_flag_spec='`$ECHO "X$export_dynamic_flag_spec" | $Xsed -e "$delay_single_quote_subst"`' -whole_archive_flag_spec='`$ECHO "X$whole_archive_flag_spec" | $Xsed -e "$delay_single_quote_subst"`' -compiler_needs_object='`$ECHO "X$compiler_needs_object" | $Xsed -e "$delay_single_quote_subst"`' -old_archive_from_new_cmds='`$ECHO "X$old_archive_from_new_cmds" | $Xsed -e "$delay_single_quote_subst"`' -old_archive_from_expsyms_cmds='`$ECHO "X$old_archive_from_expsyms_cmds" | $Xsed -e 
"$delay_single_quote_subst"`' -archive_cmds='`$ECHO "X$archive_cmds" | $Xsed -e "$delay_single_quote_subst"`' -archive_expsym_cmds='`$ECHO "X$archive_expsym_cmds" | $Xsed -e "$delay_single_quote_subst"`' -module_cmds='`$ECHO "X$module_cmds" | $Xsed -e "$delay_single_quote_subst"`' -module_expsym_cmds='`$ECHO "X$module_expsym_cmds" | $Xsed -e "$delay_single_quote_subst"`' -with_gnu_ld='`$ECHO "X$with_gnu_ld" | $Xsed -e "$delay_single_quote_subst"`' -allow_undefined_flag='`$ECHO "X$allow_undefined_flag" | $Xsed -e "$delay_single_quote_subst"`' -no_undefined_flag='`$ECHO "X$no_undefined_flag" | $Xsed -e "$delay_single_quote_subst"`' -hardcode_libdir_flag_spec='`$ECHO "X$hardcode_libdir_flag_spec" | $Xsed -e "$delay_single_quote_subst"`' -hardcode_libdir_flag_spec_ld='`$ECHO "X$hardcode_libdir_flag_spec_ld" | $Xsed -e "$delay_single_quote_subst"`' -hardcode_libdir_separator='`$ECHO "X$hardcode_libdir_separator" | $Xsed -e "$delay_single_quote_subst"`' -hardcode_direct='`$ECHO "X$hardcode_direct" | $Xsed -e "$delay_single_quote_subst"`' -hardcode_direct_absolute='`$ECHO "X$hardcode_direct_absolute" | $Xsed -e "$delay_single_quote_subst"`' -hardcode_minus_L='`$ECHO "X$hardcode_minus_L" | $Xsed -e "$delay_single_quote_subst"`' -hardcode_shlibpath_var='`$ECHO "X$hardcode_shlibpath_var" | $Xsed -e "$delay_single_quote_subst"`' -hardcode_automatic='`$ECHO "X$hardcode_automatic" | $Xsed -e "$delay_single_quote_subst"`' -inherit_rpath='`$ECHO "X$inherit_rpath" | $Xsed -e "$delay_single_quote_subst"`' -link_all_deplibs='`$ECHO "X$link_all_deplibs" | $Xsed -e "$delay_single_quote_subst"`' -fix_srcfile_path='`$ECHO "X$fix_srcfile_path" | $Xsed -e "$delay_single_quote_subst"`' -always_export_symbols='`$ECHO "X$always_export_symbols" | $Xsed -e "$delay_single_quote_subst"`' -export_symbols_cmds='`$ECHO "X$export_symbols_cmds" | $Xsed -e "$delay_single_quote_subst"`' -exclude_expsyms='`$ECHO "X$exclude_expsyms" | $Xsed -e "$delay_single_quote_subst"`' -include_expsyms='`$ECHO 
"X$include_expsyms" | $Xsed -e "$delay_single_quote_subst"`' -prelink_cmds='`$ECHO "X$prelink_cmds" | $Xsed -e "$delay_single_quote_subst"`' -file_list_spec='`$ECHO "X$file_list_spec" | $Xsed -e "$delay_single_quote_subst"`' -variables_saved_for_relink='`$ECHO "X$variables_saved_for_relink" | $Xsed -e "$delay_single_quote_subst"`' -need_lib_prefix='`$ECHO "X$need_lib_prefix" | $Xsed -e "$delay_single_quote_subst"`' -need_version='`$ECHO "X$need_version" | $Xsed -e "$delay_single_quote_subst"`' -version_type='`$ECHO "X$version_type" | $Xsed -e "$delay_single_quote_subst"`' -runpath_var='`$ECHO "X$runpath_var" | $Xsed -e "$delay_single_quote_subst"`' -shlibpath_var='`$ECHO "X$shlibpath_var" | $Xsed -e "$delay_single_quote_subst"`' -shlibpath_overrides_runpath='`$ECHO "X$shlibpath_overrides_runpath" | $Xsed -e "$delay_single_quote_subst"`' -libname_spec='`$ECHO "X$libname_spec" | $Xsed -e "$delay_single_quote_subst"`' -library_names_spec='`$ECHO "X$library_names_spec" | $Xsed -e "$delay_single_quote_subst"`' -soname_spec='`$ECHO "X$soname_spec" | $Xsed -e "$delay_single_quote_subst"`' -postinstall_cmds='`$ECHO "X$postinstall_cmds" | $Xsed -e "$delay_single_quote_subst"`' -postuninstall_cmds='`$ECHO "X$postuninstall_cmds" | $Xsed -e "$delay_single_quote_subst"`' -finish_cmds='`$ECHO "X$finish_cmds" | $Xsed -e "$delay_single_quote_subst"`' -finish_eval='`$ECHO "X$finish_eval" | $Xsed -e "$delay_single_quote_subst"`' -hardcode_into_libs='`$ECHO "X$hardcode_into_libs" | $Xsed -e "$delay_single_quote_subst"`' -sys_lib_search_path_spec='`$ECHO "X$sys_lib_search_path_spec" | $Xsed -e "$delay_single_quote_subst"`' -sys_lib_dlsearch_path_spec='`$ECHO "X$sys_lib_dlsearch_path_spec" | $Xsed -e "$delay_single_quote_subst"`' -hardcode_action='`$ECHO "X$hardcode_action" | $Xsed -e "$delay_single_quote_subst"`' -enable_dlopen='`$ECHO "X$enable_dlopen" | $Xsed -e "$delay_single_quote_subst"`' -enable_dlopen_self='`$ECHO "X$enable_dlopen_self" | $Xsed -e "$delay_single_quote_subst"`' 
-enable_dlopen_self_static='`$ECHO "X$enable_dlopen_self_static" | $Xsed -e "$delay_single_quote_subst"`' -old_striplib='`$ECHO "X$old_striplib" | $Xsed -e "$delay_single_quote_subst"`' -striplib='`$ECHO "X$striplib" | $Xsed -e "$delay_single_quote_subst"`' +macro_version='`$ECHO "$macro_version" | $SED "$delay_single_quote_subst"`' +macro_revision='`$ECHO "$macro_revision" | $SED "$delay_single_quote_subst"`' +enable_static='`$ECHO "$enable_static" | $SED "$delay_single_quote_subst"`' +enable_shared='`$ECHO "$enable_shared" | $SED "$delay_single_quote_subst"`' +pic_mode='`$ECHO "$pic_mode" | $SED "$delay_single_quote_subst"`' +enable_fast_install='`$ECHO "$enable_fast_install" | $SED "$delay_single_quote_subst"`' +SHELL='`$ECHO "$SHELL" | $SED "$delay_single_quote_subst"`' +ECHO='`$ECHO "$ECHO" | $SED "$delay_single_quote_subst"`' +PATH_SEPARATOR='`$ECHO "$PATH_SEPARATOR" | $SED "$delay_single_quote_subst"`' +host_alias='`$ECHO "$host_alias" | $SED "$delay_single_quote_subst"`' +host='`$ECHO "$host" | $SED "$delay_single_quote_subst"`' +host_os='`$ECHO "$host_os" | $SED "$delay_single_quote_subst"`' +build_alias='`$ECHO "$build_alias" | $SED "$delay_single_quote_subst"`' +build='`$ECHO "$build" | $SED "$delay_single_quote_subst"`' +build_os='`$ECHO "$build_os" | $SED "$delay_single_quote_subst"`' +SED='`$ECHO "$SED" | $SED "$delay_single_quote_subst"`' +Xsed='`$ECHO "$Xsed" | $SED "$delay_single_quote_subst"`' +GREP='`$ECHO "$GREP" | $SED "$delay_single_quote_subst"`' +EGREP='`$ECHO "$EGREP" | $SED "$delay_single_quote_subst"`' +FGREP='`$ECHO "$FGREP" | $SED "$delay_single_quote_subst"`' +LD='`$ECHO "$LD" | $SED "$delay_single_quote_subst"`' +NM='`$ECHO "$NM" | $SED "$delay_single_quote_subst"`' +LN_S='`$ECHO "$LN_S" | $SED "$delay_single_quote_subst"`' +max_cmd_len='`$ECHO "$max_cmd_len" | $SED "$delay_single_quote_subst"`' +ac_objext='`$ECHO "$ac_objext" | $SED "$delay_single_quote_subst"`' +exeext='`$ECHO "$exeext" | $SED "$delay_single_quote_subst"`' 
+lt_unset='`$ECHO "$lt_unset" | $SED "$delay_single_quote_subst"`' +lt_SP2NL='`$ECHO "$lt_SP2NL" | $SED "$delay_single_quote_subst"`' +lt_NL2SP='`$ECHO "$lt_NL2SP" | $SED "$delay_single_quote_subst"`' +lt_cv_to_host_file_cmd='`$ECHO "$lt_cv_to_host_file_cmd" | $SED "$delay_single_quote_subst"`' +lt_cv_to_tool_file_cmd='`$ECHO "$lt_cv_to_tool_file_cmd" | $SED "$delay_single_quote_subst"`' +reload_flag='`$ECHO "$reload_flag" | $SED "$delay_single_quote_subst"`' +reload_cmds='`$ECHO "$reload_cmds" | $SED "$delay_single_quote_subst"`' +OBJDUMP='`$ECHO "$OBJDUMP" | $SED "$delay_single_quote_subst"`' +deplibs_check_method='`$ECHO "$deplibs_check_method" | $SED "$delay_single_quote_subst"`' +file_magic_cmd='`$ECHO "$file_magic_cmd" | $SED "$delay_single_quote_subst"`' +file_magic_glob='`$ECHO "$file_magic_glob" | $SED "$delay_single_quote_subst"`' +want_nocaseglob='`$ECHO "$want_nocaseglob" | $SED "$delay_single_quote_subst"`' +DLLTOOL='`$ECHO "$DLLTOOL" | $SED "$delay_single_quote_subst"`' +sharedlib_from_linklib_cmd='`$ECHO "$sharedlib_from_linklib_cmd" | $SED "$delay_single_quote_subst"`' +AR='`$ECHO "$AR" | $SED "$delay_single_quote_subst"`' +AR_FLAGS='`$ECHO "$AR_FLAGS" | $SED "$delay_single_quote_subst"`' +archiver_list_spec='`$ECHO "$archiver_list_spec" | $SED "$delay_single_quote_subst"`' +STRIP='`$ECHO "$STRIP" | $SED "$delay_single_quote_subst"`' +RANLIB='`$ECHO "$RANLIB" | $SED "$delay_single_quote_subst"`' +old_postinstall_cmds='`$ECHO "$old_postinstall_cmds" | $SED "$delay_single_quote_subst"`' +old_postuninstall_cmds='`$ECHO "$old_postuninstall_cmds" | $SED "$delay_single_quote_subst"`' +old_archive_cmds='`$ECHO "$old_archive_cmds" | $SED "$delay_single_quote_subst"`' +lock_old_archive_extraction='`$ECHO "$lock_old_archive_extraction" | $SED "$delay_single_quote_subst"`' +CC='`$ECHO "$CC" | $SED "$delay_single_quote_subst"`' +CFLAGS='`$ECHO "$CFLAGS" | $SED "$delay_single_quote_subst"`' +compiler='`$ECHO "$compiler" | $SED "$delay_single_quote_subst"`' 
+GCC='`$ECHO "$GCC" | $SED "$delay_single_quote_subst"`' +lt_cv_sys_global_symbol_pipe='`$ECHO "$lt_cv_sys_global_symbol_pipe" | $SED "$delay_single_quote_subst"`' +lt_cv_sys_global_symbol_to_cdecl='`$ECHO "$lt_cv_sys_global_symbol_to_cdecl" | $SED "$delay_single_quote_subst"`' +lt_cv_sys_global_symbol_to_c_name_address='`$ECHO "$lt_cv_sys_global_symbol_to_c_name_address" | $SED "$delay_single_quote_subst"`' +lt_cv_sys_global_symbol_to_c_name_address_lib_prefix='`$ECHO "$lt_cv_sys_global_symbol_to_c_name_address_lib_prefix" | $SED "$delay_single_quote_subst"`' +nm_file_list_spec='`$ECHO "$nm_file_list_spec" | $SED "$delay_single_quote_subst"`' +lt_sysroot='`$ECHO "$lt_sysroot" | $SED "$delay_single_quote_subst"`' +objdir='`$ECHO "$objdir" | $SED "$delay_single_quote_subst"`' +MAGIC_CMD='`$ECHO "$MAGIC_CMD" | $SED "$delay_single_quote_subst"`' +lt_prog_compiler_no_builtin_flag='`$ECHO "$lt_prog_compiler_no_builtin_flag" | $SED "$delay_single_quote_subst"`' +lt_prog_compiler_pic='`$ECHO "$lt_prog_compiler_pic" | $SED "$delay_single_quote_subst"`' +lt_prog_compiler_wl='`$ECHO "$lt_prog_compiler_wl" | $SED "$delay_single_quote_subst"`' +lt_prog_compiler_static='`$ECHO "$lt_prog_compiler_static" | $SED "$delay_single_quote_subst"`' +lt_cv_prog_compiler_c_o='`$ECHO "$lt_cv_prog_compiler_c_o" | $SED "$delay_single_quote_subst"`' +need_locks='`$ECHO "$need_locks" | $SED "$delay_single_quote_subst"`' +MANIFEST_TOOL='`$ECHO "$MANIFEST_TOOL" | $SED "$delay_single_quote_subst"`' +DSYMUTIL='`$ECHO "$DSYMUTIL" | $SED "$delay_single_quote_subst"`' +NMEDIT='`$ECHO "$NMEDIT" | $SED "$delay_single_quote_subst"`' +LIPO='`$ECHO "$LIPO" | $SED "$delay_single_quote_subst"`' +OTOOL='`$ECHO "$OTOOL" | $SED "$delay_single_quote_subst"`' +OTOOL64='`$ECHO "$OTOOL64" | $SED "$delay_single_quote_subst"`' +libext='`$ECHO "$libext" | $SED "$delay_single_quote_subst"`' +shrext_cmds='`$ECHO "$shrext_cmds" | $SED "$delay_single_quote_subst"`' +extract_expsyms_cmds='`$ECHO "$extract_expsyms_cmds" | 
$SED "$delay_single_quote_subst"`' +archive_cmds_need_lc='`$ECHO "$archive_cmds_need_lc" | $SED "$delay_single_quote_subst"`' +enable_shared_with_static_runtimes='`$ECHO "$enable_shared_with_static_runtimes" | $SED "$delay_single_quote_subst"`' +export_dynamic_flag_spec='`$ECHO "$export_dynamic_flag_spec" | $SED "$delay_single_quote_subst"`' +whole_archive_flag_spec='`$ECHO "$whole_archive_flag_spec" | $SED "$delay_single_quote_subst"`' +compiler_needs_object='`$ECHO "$compiler_needs_object" | $SED "$delay_single_quote_subst"`' +old_archive_from_new_cmds='`$ECHO "$old_archive_from_new_cmds" | $SED "$delay_single_quote_subst"`' +old_archive_from_expsyms_cmds='`$ECHO "$old_archive_from_expsyms_cmds" | $SED "$delay_single_quote_subst"`' +archive_cmds='`$ECHO "$archive_cmds" | $SED "$delay_single_quote_subst"`' +archive_expsym_cmds='`$ECHO "$archive_expsym_cmds" | $SED "$delay_single_quote_subst"`' +module_cmds='`$ECHO "$module_cmds" | $SED "$delay_single_quote_subst"`' +module_expsym_cmds='`$ECHO "$module_expsym_cmds" | $SED "$delay_single_quote_subst"`' +with_gnu_ld='`$ECHO "$with_gnu_ld" | $SED "$delay_single_quote_subst"`' +allow_undefined_flag='`$ECHO "$allow_undefined_flag" | $SED "$delay_single_quote_subst"`' +no_undefined_flag='`$ECHO "$no_undefined_flag" | $SED "$delay_single_quote_subst"`' +hardcode_libdir_flag_spec='`$ECHO "$hardcode_libdir_flag_spec" | $SED "$delay_single_quote_subst"`' +hardcode_libdir_separator='`$ECHO "$hardcode_libdir_separator" | $SED "$delay_single_quote_subst"`' +hardcode_direct='`$ECHO "$hardcode_direct" | $SED "$delay_single_quote_subst"`' +hardcode_direct_absolute='`$ECHO "$hardcode_direct_absolute" | $SED "$delay_single_quote_subst"`' +hardcode_minus_L='`$ECHO "$hardcode_minus_L" | $SED "$delay_single_quote_subst"`' +hardcode_shlibpath_var='`$ECHO "$hardcode_shlibpath_var" | $SED "$delay_single_quote_subst"`' +hardcode_automatic='`$ECHO "$hardcode_automatic" | $SED "$delay_single_quote_subst"`' +inherit_rpath='`$ECHO 
"$inherit_rpath" | $SED "$delay_single_quote_subst"`' +link_all_deplibs='`$ECHO "$link_all_deplibs" | $SED "$delay_single_quote_subst"`' +always_export_symbols='`$ECHO "$always_export_symbols" | $SED "$delay_single_quote_subst"`' +export_symbols_cmds='`$ECHO "$export_symbols_cmds" | $SED "$delay_single_quote_subst"`' +exclude_expsyms='`$ECHO "$exclude_expsyms" | $SED "$delay_single_quote_subst"`' +include_expsyms='`$ECHO "$include_expsyms" | $SED "$delay_single_quote_subst"`' +prelink_cmds='`$ECHO "$prelink_cmds" | $SED "$delay_single_quote_subst"`' +postlink_cmds='`$ECHO "$postlink_cmds" | $SED "$delay_single_quote_subst"`' +file_list_spec='`$ECHO "$file_list_spec" | $SED "$delay_single_quote_subst"`' +variables_saved_for_relink='`$ECHO "$variables_saved_for_relink" | $SED "$delay_single_quote_subst"`' +need_lib_prefix='`$ECHO "$need_lib_prefix" | $SED "$delay_single_quote_subst"`' +need_version='`$ECHO "$need_version" | $SED "$delay_single_quote_subst"`' +version_type='`$ECHO "$version_type" | $SED "$delay_single_quote_subst"`' +runpath_var='`$ECHO "$runpath_var" | $SED "$delay_single_quote_subst"`' +shlibpath_var='`$ECHO "$shlibpath_var" | $SED "$delay_single_quote_subst"`' +shlibpath_overrides_runpath='`$ECHO "$shlibpath_overrides_runpath" | $SED "$delay_single_quote_subst"`' +libname_spec='`$ECHO "$libname_spec" | $SED "$delay_single_quote_subst"`' +library_names_spec='`$ECHO "$library_names_spec" | $SED "$delay_single_quote_subst"`' +soname_spec='`$ECHO "$soname_spec" | $SED "$delay_single_quote_subst"`' +install_override_mode='`$ECHO "$install_override_mode" | $SED "$delay_single_quote_subst"`' +postinstall_cmds='`$ECHO "$postinstall_cmds" | $SED "$delay_single_quote_subst"`' +postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`' +finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`' +finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`' +hardcode_into_libs='`$ECHO "$hardcode_into_libs" | 
$SED "$delay_single_quote_subst"`' +sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`' +sys_lib_dlsearch_path_spec='`$ECHO "$sys_lib_dlsearch_path_spec" | $SED "$delay_single_quote_subst"`' +hardcode_action='`$ECHO "$hardcode_action" | $SED "$delay_single_quote_subst"`' +enable_dlopen='`$ECHO "$enable_dlopen" | $SED "$delay_single_quote_subst"`' +enable_dlopen_self='`$ECHO "$enable_dlopen_self" | $SED "$delay_single_quote_subst"`' +enable_dlopen_self_static='`$ECHO "$enable_dlopen_self_static" | $SED "$delay_single_quote_subst"`' +old_striplib='`$ECHO "$old_striplib" | $SED "$delay_single_quote_subst"`' +striplib='`$ECHO "$striplib" | $SED "$delay_single_quote_subst"`' LTCC='$LTCC' LTCFLAGS='$LTCFLAGS' compiler='$compiler_DEFAULT' +# A function that is used when there is no print builtin or printf. +func_fallback_echo () +{ + eval 'cat <<_LTECHO_EOF +\$1 +_LTECHO_EOF' +} + # Quote evaled strings. -for var in SED \ +for var in SHELL \ +ECHO \ +PATH_SEPARATOR \ +SED \ GREP \ EGREP \ FGREP \ @@ -13353,8 +16139,13 @@ reload_flag \ OBJDUMP \ deplibs_check_method \ file_magic_cmd \ +file_magic_glob \ +want_nocaseglob \ +DLLTOOL \ +sharedlib_from_linklib_cmd \ AR \ AR_FLAGS \ +archiver_list_spec \ STRIP \ RANLIB \ CC \ @@ -13364,14 +16155,14 @@ lt_cv_sys_global_symbol_pipe \ lt_cv_sys_global_symbol_to_cdecl \ lt_cv_sys_global_symbol_to_c_name_address \ lt_cv_sys_global_symbol_to_c_name_address_lib_prefix \ -SHELL \ -ECHO \ +nm_file_list_spec \ lt_prog_compiler_no_builtin_flag \ -lt_prog_compiler_wl \ lt_prog_compiler_pic \ +lt_prog_compiler_wl \ lt_prog_compiler_static \ lt_cv_prog_compiler_c_o \ need_locks \ +MANIFEST_TOOL \ DSYMUTIL \ NMEDIT \ LIPO \ @@ -13385,9 +16176,7 @@ with_gnu_ld \ allow_undefined_flag \ no_undefined_flag \ hardcode_libdir_flag_spec \ -hardcode_libdir_flag_spec_ld \ hardcode_libdir_separator \ -fix_srcfile_path \ exclude_expsyms \ include_expsyms \ file_list_spec \ 
@@ -13395,12 +16184,13 @@ variables_saved_for_relink \ libname_spec \ library_names_spec \ soname_spec \ +install_override_mode \ finish_eval \ old_striplib \ striplib; do - case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in + case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in *[\\\\\\\`\\"\\\$]*) - eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$sed_quote_subst\\"\\\`\\\\\\"" + eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED \\"\\\$sed_quote_subst\\"\\\`\\\\\\"" ;; *) eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\"" @@ -13422,14 +16212,15 @@ module_cmds \ module_expsym_cmds \ export_symbols_cmds \ prelink_cmds \ +postlink_cmds \ postinstall_cmds \ postuninstall_cmds \ finish_cmds \ sys_lib_search_path_spec \ sys_lib_dlsearch_path_spec; do - case \`eval \\\\\$ECHO "X\\\\\$\$var"\` in + case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in *[\\\\\\\`\\"\\\$]*) - eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"X\\\$\$var\\" | \\\$Xsed -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\"" + eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\"" ;; *) eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\"" @@ -13437,12 +16228,6 @@ sys_lib_dlsearch_path_spec; do esac done -# Fix-up fallback echo if it was mangled by the above quoting rules. -case \$lt_ECHO in -*'\\\$0 --fallback-echo"') lt_ECHO=\`\$ECHO "X\$lt_ECHO" | \$Xsed -e 's/\\\\\\\\\\\\\\\$0 --fallback-echo"\$/\$0 --fallback-echo"/'\` - ;; -esac - ac_aux_dir='$ac_aux_dir' xsi_shell='$xsi_shell' lt_shell_append='$lt_shell_append' 
@@ -13476,12 +16261,8 @@ do "libtool") CONFIG_COMMANDS="$CONFIG_COMMANDS libtool" ;; "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; "src/Makefile") CONFIG_FILES="$CONFIG_FILES src/Makefile" ;; - "src/stunnel3") CONFIG_FILES="$CONFIG_FILES src/stunnel3" ;; "doc/Makefile") CONFIG_FILES="$CONFIG_FILES doc/Makefile" ;; "tools/Makefile") CONFIG_FILES="$CONFIG_FILES tools/Makefile" ;; - "tools/stunnel.conf-sample") CONFIG_FILES="$CONFIG_FILES tools/stunnel.conf-sample" ;; - "tools/stunnel.init") CONFIG_FILES="$CONFIG_FILES tools/stunnel.init" ;; - "tools/stunnel.service") CONFIG_FILES="$CONFIG_FILES tools/stunnel.service" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac @@ -14078,7 +16859,7 @@ $as_echo "$as_me: executing $ac_file commands" >&6;} case $ac_file$ac_mode in "depfiles":C) test x"$AMDEP_TRUE" != x"" || { - # Autoconf 2.62 quotes --file arguments for eval, but not when files + # Older Autoconf quotes --file arguments for eval, but not when files # are listed without --file. Let's play safe and only enable the eval # if we detect the quoting. case $CONFIG_FILES in @@ -14091,7 +16872,7 @@ $as_echo "$as_me: executing $ac_file commands" >&6;} # Strip MF so we end up with the name of the file. mf=`echo "$mf" | sed -e 's/:.*$//'` # Check whether this is an Automake generated Makefile or not. - # We used to match only the files named `Makefile.in', but + # We used to match only the files named 'Makefile.in', but # some people rename them; so instead we look at the file content. # Grep'ing the first line is not enough: some people post-process # each Makefile.in and add a new line on top of each file to say so. 
@@ -14125,21 +16906,19 @@ $as_echo X"$mf" | continue fi # Extract the definition of DEPDIR, am__include, and am__quote - # from the Makefile without running `make'. + # from the Makefile without running 'make'. DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"` test -z "$DEPDIR" && continue am__include=`sed -n 's/^am__include = //p' < "$mf"` - test -z "am__include" && continue + test -z "$am__include" && continue am__quote=`sed -n 's/^am__quote = //p' < "$mf"` - # When using ansi2knr, U may be empty or an underscore; expand it - U=`sed -n 's/^U = //p' < "$mf"` # Find all dependency output files, they are included files with # $(DEPDIR) in their names. We invoke sed twice because it is the # simplest approach to changing $(DEPDIR) to its actual value in the # expansion. for file in `sed -n " s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \ - sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do + sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g'`; do # Make sure the directory exists. test -f "$dirpart/$file" && continue fdir=`$as_dirname -- "$file" || @@ -14193,7 +16972,8 @@ $as_echo X"$file" | # NOTE: Changes made to this file will be lost: look at ltmain.sh. # # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, -# 2006, 2007, 2008 Free Software Foundation, Inc. +# 2006, 2007, 2008, 2009, 2010, 2011 Free Software +# Foundation, Inc. # Written by Gordon Matzigkeit, 1996 # # This file is part of GNU Libtool. @@ -14241,6 +17021,15 @@ pic_mode=$pic_mode # Whether or not to optimize for fast installation. fast_install=$enable_fast_install +# Shell to use when invoking shell scripts. +SHELL=$lt_SHELL + +# An echo program that protects backslashes. +ECHO=$lt_ECHO + +# The PATH separator for the build system. +PATH_SEPARATOR=$lt_PATH_SEPARATOR + # The host system. host_alias=$host_alias host=$host 
@@ -14290,9 +17079,11 @@ SP2NL=$lt_lt_SP2NL # turn newlines into spaces. NL2SP=$lt_lt_NL2SP -# How to create reloadable object files. -reload_flag=$lt_reload_flag -reload_cmds=$lt_reload_cmds +# convert \$build file names to \$host format. +to_host_file_cmd=$lt_cv_to_host_file_cmd + +# convert \$build files to toolchain format. +to_tool_file_cmd=$lt_cv_to_tool_file_cmd # An object symbol dumper. OBJDUMP=$lt_OBJDUMP @@ -14300,13 +17091,30 @@ OBJDUMP=$lt_OBJDUMP # Method to check whether dependent libraries are shared objects. deplibs_check_method=$lt_deplibs_check_method -# Command to use when deplibs_check_method == "file_magic". +# Command to use when deplibs_check_method = "file_magic". file_magic_cmd=$lt_file_magic_cmd +# How to find potential files when deplibs_check_method = "file_magic". +file_magic_glob=$lt_file_magic_glob + +# Find potential files using nocaseglob when deplibs_check_method = "file_magic". +want_nocaseglob=$lt_want_nocaseglob + +# DLL creation program. +DLLTOOL=$lt_DLLTOOL + +# Command to associate shared and link libraries. +sharedlib_from_linklib_cmd=$lt_sharedlib_from_linklib_cmd + # The archiver. AR=$lt_AR + +# Flags to create an archive. AR_FLAGS=$lt_AR_FLAGS +# How to feed a file listing to the archiver. +archiver_list_spec=$lt_archiver_list_spec + # A symbol stripping program. STRIP=$lt_STRIP @@ -14315,6 +17123,9 @@ RANLIB=$lt_RANLIB old_postinstall_cmds=$lt_old_postinstall_cmds old_postuninstall_cmds=$lt_old_postuninstall_cmds +# Whether to use a lock for old archive extraction. +lock_old_archive_extraction=$lock_old_archive_extraction + # A C compiler. LTCC=$lt_CC 
@@ -14333,21 +17144,24 @@ global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address # Transform the output of nm in a C name address pair when lib prefix is needed. global_symbol_to_c_name_address_lib_prefix=$lt_lt_cv_sys_global_symbol_to_c_name_address_lib_prefix +# Specify filename containing input files for \$NM. +nm_file_list_spec=$lt_nm_file_list_spec + +# The root where to search for dependent libraries,and in which our libraries should be installed. +lt_sysroot=$lt_sysroot + # The name of the directory that contains temporary libtool files. objdir=$objdir -# Shell to use when invoking shell scripts. -SHELL=$lt_SHELL - -# An echo program that does not interpret backslashes. -ECHO=$lt_ECHO - # Used to examine libraries when file_magic_cmd begins with "file". MAGIC_CMD=$MAGIC_CMD # Must we lock files when doing compilation? need_locks=$lt_need_locks +# Manifest tool. +MANIFEST_TOOL=$lt_MANIFEST_TOOL + # Tool to manipulate archived DWARF debug symbol files on Mac OS X. DSYMUTIL=$lt_DSYMUTIL @@ -14404,6 +17218,9 @@ library_names_spec=$lt_library_names_spec # The coded name of the library, if different from the real name. soname_spec=$lt_soname_spec +# Permission mode override for installation of shared libraries. +install_override_mode=$lt_install_override_mode + # Command to use after installation of a shared archive. postinstall_cmds=$lt_postinstall_cmds @@ -14443,6 +17260,10 @@ striplib=$lt_striplib # The linker used to build libraries. LD=$lt_LD +# How to create reloadable object files. +reload_flag=$lt_reload_flag +reload_cmds=$lt_reload_cmds + # Commands used to build an old-style archive. old_archive_cmds=$lt_old_archive_cmds 
@@ -14455,12 +17276,12 @@ with_gcc=$GCC # Compiler flag to turn off builtin functions. no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag -# How to pass a linker flag through the compiler. -wl=$lt_lt_prog_compiler_wl - # Additional compiler flags for building library objects. pic_flag=$lt_lt_prog_compiler_pic +# How to pass a linker flag through the compiler. +wl=$lt_lt_prog_compiler_wl + # Compiler flag to prevent dynamic linking. link_static_flag=$lt_lt_prog_compiler_static @@ -14510,10 +17331,6 @@ no_undefined_flag=$lt_no_undefined_flag # This must work even if \$libdir does not exist hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec -# If ld is used when linking, flag to hardcode \$libdir into a binary -# during linking. This must work even if \$libdir does not exist. -hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld - # Whether we need a single "-rpath" flag with a separated argument. hardcode_libdir_separator=$lt_hardcode_libdir_separator @@ -14547,9 +17364,6 @@ inherit_rpath=$inherit_rpath # Whether libtool must link a program against all its dependency libraries. link_all_deplibs=$link_all_deplibs -# Fix the shell variable \$srcfile for the compiler. -fix_srcfile_path=$lt_fix_srcfile_path - # Set to "yes" if exported symbols are required. always_export_symbols=$always_export_symbols @@ -14565,6 +17379,9 @@ include_expsyms=$lt_include_expsyms # Commands necessary for linking programs (against libraries) with templates. prelink_cmds=$lt_prelink_cmds +# Commands necessary for finishing linking programs. +postlink_cmds=$lt_postlink_cmds + # Specify filename containing input files. file_list_spec=$lt_file_list_spec 
@@ -14597,212 +17414,169 @@ ltmain="$ac_aux_dir/ltmain.sh" # if finds mixed CR/LF and LF-only lines. Since sed operates in # text mode, it properly converts lines to CR/LF. This bash problem # is reportedly fixed, but why not run on old versions too? - sed '/^# Generated shell functions inserted here/q' "$ltmain" >> "$cfgfile" \ - || (rm -f "$cfgfile"; exit 1) + sed '$q' "$ltmain" >> "$cfgfile" \ + || (rm -f "$cfgfile"; exit 1) - case $xsi_shell in - yes) - cat << \_LT_EOF >> "$cfgfile" - -# func_dirname file append nondir_replacement -# Compute the dirname of FILE. If nonempty, add APPEND to the result, -# otherwise set result to NONDIR_REPLACEMENT. -func_dirname () -{ - case ${1} in - */*) func_dirname_result="${1%/*}${2}" ;; - * ) func_dirname_result="${3}" ;; - esac -} - -# func_basename file -func_basename () -{ - func_basename_result="${1##*/}" -} - -# func_dirname_and_basename file append nondir_replacement -# perform func_basename and func_dirname in a single function -# call: -# dirname: Compute the dirname of FILE. If nonempty, -# add APPEND to the result, otherwise set result -# to NONDIR_REPLACEMENT. -# value returned in "$func_dirname_result" -# basename: Compute filename of FILE. -# value retuned in "$func_basename_result" -# Implementation must be kept synchronized with func_dirname -# and func_basename. For efficiency, we do not delegate to -# those functions but instead duplicate the functionality here. -func_dirname_and_basename () -{ - case ${1} in - */*) func_dirname_result="${1%/*}${2}" ;; - * ) func_dirname_result="${3}" ;; - esac - func_basename_result="${1##*/}" -} - -# func_stripname prefix suffix name -# strip PREFIX and SUFFIX off of NAME. -# PREFIX and SUFFIX must not contain globbing or regex special -# characters, hashes, percent signs, but SUFFIX may contain a leading -# dot (in which case that matches only a dot). 
-func_stripname () -{ - # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are - # positional parameters, so assign one to ordinary parameter first. - func_stripname_result=${3} - func_stripname_result=${func_stripname_result#"${1}"} - func_stripname_result=${func_stripname_result%"${2}"} -} - -# func_opt_split -func_opt_split () -{ - func_opt_split_opt=${1%%=*} - func_opt_split_arg=${1#*=} -} - -# func_lo2o object -func_lo2o () -{ - case ${1} in - *.lo) func_lo2o_result=${1%.lo}.${objext} ;; - *) func_lo2o_result=${1} ;; - esac -} - -# func_xform libobj-or-source -func_xform () -{ - func_xform_result=${1%.*}.lo -} - -# func_arith arithmetic-term... -func_arith () -{ - func_arith_result=$(( $* )) -} - -# func_len string -# STRING may not start with a hyphen. -func_len () -{ - func_len_result=${#1} -} - -_LT_EOF - ;; - *) # Bourne compatible functions. - cat << \_LT_EOF >> "$cfgfile" - -# func_dirname file append nondir_replacement -# Compute the dirname of FILE. If nonempty, add APPEND to the result, -# otherwise set result to NONDIR_REPLACEMENT. -func_dirname () -{ - # Extract subdirectory from the argument. - func_dirname_result=`$ECHO "X${1}" | $Xsed -e "$dirname"` - if test "X$func_dirname_result" = "X${1}"; then - func_dirname_result="${3}" - else - func_dirname_result="$func_dirname_result${2}" - fi -} - -# func_basename file -func_basename () -{ - func_basename_result=`$ECHO "X${1}" | $Xsed -e "$basename"` -} + if test x"$xsi_shell" = xyes; then + sed -e '/^func_dirname ()$/,/^} # func_dirname /c\ +func_dirname ()\ +{\ +\ case ${1} in\ +\ */*) func_dirname_result="${1%/*}${2}" ;;\ +\ * ) func_dirname_result="${3}" ;;\ +\ esac\ +} # Extended-shell func_dirname implementation' "$cfgfile" > $cfgfile.tmp \ + && mv -f "$cfgfile.tmp" "$cfgfile" \ + || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") +test 0 -eq $? || _lt_function_replace_fail=: -# func_stripname prefix suffix name -# strip PREFIX and SUFFIX off of NAME. 
-# PREFIX and SUFFIX must not contain globbing or regex special -# characters, hashes, percent signs, but SUFFIX may contain a leading -# dot (in which case that matches only a dot). -# func_strip_suffix prefix name -func_stripname () -{ - case ${2} in - .*) func_stripname_result=`$ECHO "X${3}" \ - | $Xsed -e "s%^${1}%%" -e "s%\\\\${2}\$%%"`;; - *) func_stripname_result=`$ECHO "X${3}" \ - | $Xsed -e "s%^${1}%%" -e "s%${2}\$%%"`;; - esac -} - -# sed scripts: -my_sed_long_opt='1s/^\(-[^=]*\)=.*/\1/;q' -my_sed_long_arg='1s/^-[^=]*=//' - -# func_opt_split -func_opt_split () -{ - func_opt_split_opt=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_opt"` - func_opt_split_arg=`$ECHO "X${1}" | $Xsed -e "$my_sed_long_arg"` -} - -# func_lo2o object -func_lo2o () -{ - func_lo2o_result=`$ECHO "X${1}" | $Xsed -e "$lo2o"` -} - -# func_xform libobj-or-source -func_xform () -{ - func_xform_result=`$ECHO "X${1}" | $Xsed -e 's/\.[^.]*$/.lo/'` -} - -# func_arith arithmetic-term... -func_arith () -{ - func_arith_result=`expr "$@"` -} - -# func_len string -# STRING may not start with a hyphen. -func_len () -{ - func_len_result=`expr "$1" : ".*" 2>/dev/null || echo $max_cmd_len` -} - -_LT_EOF -esac - -case $lt_shell_append in - yes) - cat << \_LT_EOF >> "$cfgfile" - -# func_append var value -# Append VALUE to the end of shell variable VAR. -func_append () -{ - eval "$1+=\$2" -} -_LT_EOF - ;; - *) - cat << \_LT_EOF >> "$cfgfile" - -# func_append var value -# Append VALUE to the end of shell variable VAR. -func_append () -{ - eval "$1=\$$1\$2" -} - -_LT_EOF - ;; - esac + sed -e '/^func_basename ()$/,/^} # func_basename /c\ +func_basename ()\ +{\ +\ func_basename_result="${1##*/}"\ +} # Extended-shell func_basename implementation' "$cfgfile" > $cfgfile.tmp \ + && mv -f "$cfgfile.tmp" "$cfgfile" \ + || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") +test 0 -eq $? 
|| _lt_function_replace_fail=: - sed -n '/^# Generated shell functions inserted here/,$p' "$ltmain" >> "$cfgfile" \ - || (rm -f "$cfgfile"; exit 1) + sed -e '/^func_dirname_and_basename ()$/,/^} # func_dirname_and_basename /c\ +func_dirname_and_basename ()\ +{\ +\ case ${1} in\ +\ */*) func_dirname_result="${1%/*}${2}" ;;\ +\ * ) func_dirname_result="${3}" ;;\ +\ esac\ +\ func_basename_result="${1##*/}"\ +} # Extended-shell func_dirname_and_basename implementation' "$cfgfile" > $cfgfile.tmp \ + && mv -f "$cfgfile.tmp" "$cfgfile" \ + || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") +test 0 -eq $? || _lt_function_replace_fail=: - mv -f "$cfgfile" "$ofile" || + + sed -e '/^func_stripname ()$/,/^} # func_stripname /c\ +func_stripname ()\ +{\ +\ # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are\ +\ # positional parameters, so assign one to ordinary parameter first.\ +\ func_stripname_result=${3}\ +\ func_stripname_result=${func_stripname_result#"${1}"}\ +\ func_stripname_result=${func_stripname_result%"${2}"}\ +} # Extended-shell func_stripname implementation' "$cfgfile" > $cfgfile.tmp \ + && mv -f "$cfgfile.tmp" "$cfgfile" \ + || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") +test 0 -eq $? || _lt_function_replace_fail=: + + + sed -e '/^func_split_long_opt ()$/,/^} # func_split_long_opt /c\ +func_split_long_opt ()\ +{\ +\ func_split_long_opt_name=${1%%=*}\ +\ func_split_long_opt_arg=${1#*=}\ +} # Extended-shell func_split_long_opt implementation' "$cfgfile" > $cfgfile.tmp \ + && mv -f "$cfgfile.tmp" "$cfgfile" \ + || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") +test 0 -eq $? 
|| _lt_function_replace_fail=: + + + sed -e '/^func_split_short_opt ()$/,/^} # func_split_short_opt /c\ +func_split_short_opt ()\ +{\ +\ func_split_short_opt_arg=${1#??}\ +\ func_split_short_opt_name=${1%"$func_split_short_opt_arg"}\ +} # Extended-shell func_split_short_opt implementation' "$cfgfile" > $cfgfile.tmp \ + && mv -f "$cfgfile.tmp" "$cfgfile" \ + || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") +test 0 -eq $? || _lt_function_replace_fail=: + + + sed -e '/^func_lo2o ()$/,/^} # func_lo2o /c\ +func_lo2o ()\ +{\ +\ case ${1} in\ +\ *.lo) func_lo2o_result=${1%.lo}.${objext} ;;\ +\ *) func_lo2o_result=${1} ;;\ +\ esac\ +} # Extended-shell func_lo2o implementation' "$cfgfile" > $cfgfile.tmp \ + && mv -f "$cfgfile.tmp" "$cfgfile" \ + || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") +test 0 -eq $? || _lt_function_replace_fail=: + + + sed -e '/^func_xform ()$/,/^} # func_xform /c\ +func_xform ()\ +{\ + func_xform_result=${1%.*}.lo\ +} # Extended-shell func_xform implementation' "$cfgfile" > $cfgfile.tmp \ + && mv -f "$cfgfile.tmp" "$cfgfile" \ + || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") +test 0 -eq $? || _lt_function_replace_fail=: + + + sed -e '/^func_arith ()$/,/^} # func_arith /c\ +func_arith ()\ +{\ + func_arith_result=$(( $* ))\ +} # Extended-shell func_arith implementation' "$cfgfile" > $cfgfile.tmp \ + && mv -f "$cfgfile.tmp" "$cfgfile" \ + || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") +test 0 -eq $? || _lt_function_replace_fail=: + + + sed -e '/^func_len ()$/,/^} # func_len /c\ +func_len ()\ +{\ + func_len_result=${#1}\ +} # Extended-shell func_len implementation' "$cfgfile" > $cfgfile.tmp \ + && mv -f "$cfgfile.tmp" "$cfgfile" \ + || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") +test 0 -eq $? 
|| _lt_function_replace_fail=: + +fi + +if test x"$lt_shell_append" = xyes; then + sed -e '/^func_append ()$/,/^} # func_append /c\ +func_append ()\ +{\ + eval "${1}+=\\${2}"\ +} # Extended-shell func_append implementation' "$cfgfile" > $cfgfile.tmp \ + && mv -f "$cfgfile.tmp" "$cfgfile" \ + || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") +test 0 -eq $? || _lt_function_replace_fail=: + + + sed -e '/^func_append_quoted ()$/,/^} # func_append_quoted /c\ +func_append_quoted ()\ +{\ +\ func_quote_for_eval "${2}"\ +\ eval "${1}+=\\\\ \\$func_quote_for_eval_result"\ +} # Extended-shell func_append_quoted implementation' "$cfgfile" > $cfgfile.tmp \ + && mv -f "$cfgfile.tmp" "$cfgfile" \ + || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") +test 0 -eq $? || _lt_function_replace_fail=: + + + # Save a `func_append' function call where possible by direct use of '+=' + sed -e 's%func_append \([a-zA-Z_]\{1,\}\) "%\1+="%g' $cfgfile > $cfgfile.tmp \ + && mv -f "$cfgfile.tmp" "$cfgfile" \ + || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") + test 0 -eq $? || _lt_function_replace_fail=: +else + # Save a `func_append' function call even when '+=' is not available + sed -e 's%func_append \([a-zA-Z_]\{1,\}\) "%\1="$\1%g' $cfgfile > $cfgfile.tmp \ + && mv -f "$cfgfile.tmp" "$cfgfile" \ + || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") + test 0 -eq $? || _lt_function_replace_fail=: +fi + +if test x"$_lt_function_replace_fail" = x":"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Unable to substitute extended shell functions in $ofile" >&5 +$as_echo "$as_me: WARNING: Unable to substitute extended shell functions in $ofile" >&2;} +fi + + + mv -f "$cfgfile" "$ofile" || (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile") chmod +x "$ofile" 
@@ -14848,4 +17622,5 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: **************************************** success" >&5 $as_echo "$as_me: **************************************** success" >&6;} +# vim:ft=automake # End of configure.ac diff --git a/configure.ac b/configure.ac index 7f0087b..0cb4c13 100644 --- a/configure.ac +++ b/configure.ac @@ -1,14 +1,14 @@ # Process this file with autoconf to produce a configure script. -AC_INIT([stunnel],[4.57]) +AC_INIT([stunnel],[5.42]) AC_MSG_NOTICE([**************************************** initialization]) AC_CONFIG_AUX_DIR(auto) AC_CONFIG_MACRO_DIR([m4]) -AM_INIT_AUTOMAKE(stunnel, 4.57) AC_CONFIG_HEADERS([src/config.h]) AC_CONFIG_SRCDIR([src/stunnel.c]) -AC_DEFINE([_GNU_SOURCE], [1], [Use GNU source]) +AM_INIT_AUTOMAKE +AM_CONDITIONAL([AUTHOR_TESTS], [test -d ".git"]) AC_CANONICAL_HOST AC_SUBST([host]) AC_DEFINE_UNQUOTED([HOST], ["$host"], [Host description]) 
@@ -17,104 +17,116 @@ AC_DEFINE_UNQUOTED(esc(CPU_$host_cpu)) AC_DEFINE_UNQUOTED(esc(VENDOR_$host_vendor)) AC_DEFINE_UNQUOTED(esc(OS_$host_os)) +case "$host_os" in +*darwin*) + # OSX does not declare ucontext without _XOPEN_SOURCE + AC_DEFINE([_XOPEN_SOURCE], [500], [Use X/Open 5 with POSIX 1995]) + # OSX does not declare chroot() without _DARWIN_C_SOURCE + AC_DEFINE([_DARWIN_C_SOURCE], [1], [Use Darwin source]) + ;; +*) + AC_DEFINE([_GNU_SOURCE], [1], [Use GNU source]) + ;; +esac + AC_PROG_CC AM_PROG_CC_C_O AC_PROG_INSTALL AC_PROG_MAKE_SET +# silent build by default +ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) -# Checks for typedefs, structures, and compiler characteristics -# AC_C_CONST -# AC_TYPE_SIZE_T -# AC_TYPE_PID_T -# AC_HEADER_TIME +AC_MSG_NOTICE([**************************************** thread model]) +# thread detection should be done first, as it may change the CC variable + +AC_ARG_WITH(threads, +[ --with-threads=model select threading model (ucontext/pthread/fork)], +[ + case "$withval" in + ucontext) + AC_MSG_NOTICE([UCONTEXT mode selected]) + AC_DEFINE([USE_UCONTEXT], [1], [Define to 1 to select UCONTEXT mode]) + ;; + pthread) + AC_MSG_NOTICE([PTHREAD mode selected]) + AX_PTHREAD() + LIBS="$PTHREAD_LIBS $LIBS" + CFLAGS="$CFLAGS $PTHREAD_CFLAGS" + CC="$PTHREAD_CC" + AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode]) + ;; + fork) + AC_MSG_NOTICE([FORK mode selected]) + AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode]) + ;; + *) + AC_MSG_ERROR([Unknown thread model \"${withval}\"]) + ;; + esac +], [ + # do not attempt to autodetect UCONTEXT threading + AX_PTHREAD([ + AC_MSG_NOTICE([PTHREAD thread model detected]) + LIBS="$PTHREAD_LIBS $LIBS" + CFLAGS="$CFLAGS $PTHREAD_CFLAGS" + CC="$PTHREAD_CC" + AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode]) + ], [ + AC_MSG_NOTICE([FORK thread model detected]) + AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode]) + ]) +]) 
AC_MSG_NOTICE([**************************************** compiler/linker flags]) -AC_SUBST([stunnel_LDFLAGS]) - -AC_MSG_CHECKING([whether $CC accepts -pthread]) -valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -pthread" -valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -pthread" -AC_LINK_IFELSE([int main() {return 0;}], - [ - AC_MSG_RESULT([yes]) - AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -pthread"]) - AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -pthread"]) - ], [ - AC_MSG_RESULT([no]) - ]) -CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS" - -AC_MSG_CHECKING([whether $CC accepts -fstack-protector]) -valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -fstack-protector" -valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -fstack-protector" -AC_LINK_IFELSE([int main() {return 0;}], - [ - AC_MSG_RESULT([yes]) - AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -fstack-protector"]) - AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -fstack-protector"]) - ], [ - AC_MSG_RESULT([no]) - ]) -CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS" - -AC_MSG_CHECKING([whether $CC accepts -pie]) -valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -fPIE" -valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -pie -fPIE" -AC_LINK_IFELSE([int main() {return 0;}], - [ - AC_MSG_RESULT([yes]) - AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -fPIE"]) - AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -pie -fPIE"]) - ], [ - AC_MSG_RESULT([no]) - ]) -CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS" - -AC_MSG_CHECKING([whether $CC accepts -Wall]) -valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wall" -AC_LINK_IFELSE([int main() {return 0;}], - [AC_MSG_RESULT([yes])], - [AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"]) - -AC_MSG_CHECKING([whether $CC accepts -Wextra]) -valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wextra" -AC_LINK_IFELSE([int main() {return 0;}], - [AC_MSG_RESULT([yes])], - [AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"]) - -AC_MSG_CHECKING([whether $CC accepts -Wno-long-long]) -valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wno-long-long" 
-AC_LINK_IFELSE([int main() {return 0;}], - [AC_MSG_RESULT([yes])], - [AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"]) - -AC_MSG_CHECKING([whether $CC accepts -pedantic]) -valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -pedantic" -AC_LINK_IFELSE([int main() {return 0;}], - [AC_MSG_RESULT([yes])], - [AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"]) +if test "$GCC" = yes; then + AX_APPEND_COMPILE_FLAGS([-Wall]) + AX_APPEND_COMPILE_FLAGS([-Wextra]) + AX_APPEND_COMPILE_FLAGS([-Wpedantic]) + AX_APPEND_COMPILE_FLAGS([-Wformat=2]) + AX_APPEND_COMPILE_FLAGS([-Wconversion]) + AX_APPEND_COMPILE_FLAGS([-Wno-long-long]) + AX_APPEND_COMPILE_FLAGS([-Wno-deprecated-declarations]) + AX_APPEND_COMPILE_FLAGS([-fPIE]) + case "${host}" in + avr-*.* | powerpc-*-aix* | rl78-*.* | visium-*.*) + ;; + *) + AX_APPEND_COMPILE_FLAGS([-fstack-protector]) + ;; + esac + AX_APPEND_LINK_FLAGS([-fPIE -pie]) + AX_APPEND_LINK_FLAGS([-Wl,-z,relro]) + AX_APPEND_LINK_FLAGS([-Wl,-z,now]) + AX_APPEND_LINK_FLAGS([-Wl,-z,noexecstack]) +fi +AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2]) AC_MSG_NOTICE([**************************************** libtool]) LT_INIT([disable-static]) AC_SUBST([LIBTOOL_DEPS]) AC_MSG_NOTICE([**************************************** types]) -AC_CHECK_SIZEOF(unsigned char) -AC_CHECK_SIZEOF(unsigned short) -AC_CHECK_SIZEOF(unsigned int) -AC_CHECK_SIZEOF(unsigned long) - +AC_TYPE_INT8_T +AC_TYPE_INT16_T +AC_TYPE_INT32_T +AC_TYPE_INT64_T +AC_TYPE_UINT8_T +AC_TYPE_UINT16_T +AC_TYPE_UINT32_T +AC_TYPE_UINT64_T +AC_TYPE_SIZE_T +AC_TYPE_SSIZE_T +AC_TYPE_UID_T AC_MSG_CHECKING([for socklen_t]) AC_EGREP_HEADER(socklen_t, sys/socket.h, AC_MSG_RESULT([yes]), AC_MSG_RESULT([no (defined as int)]) AC_DEFINE([socklen_t], [int], [Type of socklen_t])) - AC_CHECK_TYPES([struct sockaddr_un], [], [], [#include ]) AC_CHECK_TYPES([struct addrinfo], [], [], [#include ]) AC_MSG_NOTICE([**************************************** PTY device files]) -if test "$cross_compiling" = "no"; then +if test "x$cross_compiling" = "xno"; 
then AC_CHECK_FILE("/dev/ptmx", AC_DEFINE([HAVE_DEV_PTMX], [1], [Define to 1 if you have '/dev/ptmx' device.])) AC_CHECK_FILE("/dev/ptc", AC_DEFINE([HAVE_DEV_PTS_AND_PTC], [1], @@ -125,13 +137,14 @@ fi AC_MSG_NOTICE([**************************************** entropy sources]) -if test "$cross_compiling" = "no"; then +if test "x$cross_compiling" = "xno"; then AC_ARG_WITH(egd-socket, [ --with-egd-socket=FILE Entropy Gathering Daemon socket path], [EGD_SOCKET="$withval"] ) if test -n "$EGD_SOCKET"; then - AC_DEFINE_UNQUOTED([EGD_SOCKET], ["$EGD_SOCKET"], [Entropy Gathering Daemon socket path]) + AC_DEFINE_UNQUOTED([EGD_SOCKET], ["$EGD_SOCKET"], + [Entropy Gathering Daemon socket path]) fi # Check for user-specified random device @@ -153,7 +166,7 @@ fi AC_MSG_NOTICE([**************************************** default group]) DEFAULT_GROUP=nobody -if test "$cross_compiling" = "no"; then +if test "x$cross_compiling" = "xno"; then grep '^nogroup:' /etc/group >/dev/null && DEFAULT_GROUP=nogroup else AC_MSG_WARN([cross-compilation: assuming nogroup is not available]) 
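Review bot: The stack-protector line in the new `if test "$GCC" = yes` block, `AX_APPEND_COMPILE_FLAGS([-fstack-protector])`, selects the weakest variant, which instruments only functions holding character arrays above the compiler's size threshold. Compilers that accept `-fstack-protector-strong` cover far more functions for little extra cost. Probing for it first keeps older toolchains working: `AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [AX_APPEND_FLAG([-fstack-protector-strong])], [AX_APPEND_COMPILE_FLAGS([-fstack-protector])])`. The host exclusions in the surrounding `case "${host}"` would stay as they are.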
@@ -162,12 +175,17 @@ AC_MSG_CHECKING([for default group]) AC_MSG_RESULT([$DEFAULT_GROUP]) AC_SUBST([DEFAULT_GROUP]) +AC_SYS_LARGEFILE + AC_MSG_NOTICE([**************************************** header files]) # AC_HEADER_DIRENT # AC_HEADER_STDC # AC_HEADER_SYS_WAIT -AC_CHECK_HEADERS([malloc.h ucontext.h pthread.h poll.h tcpd.h stropts.h grp.h unistd.h util.h libutil.h pty.h]) -AC_CHECK_HEADERS([sys/types.h sys/select.h sys/poll.h sys/socket.h sys/un.h sys/ioctl.h sys/filio.h sys/resource.h sys/uio.h]) +AC_CHECK_HEADERS([stdint.h inttypes.h malloc.h ucontext.h pthread.h poll.h \ + tcpd.h stropts.h grp.h unistd.h util.h libutil.h pty.h limits.h]) +AC_CHECK_HEADERS([sys/types.h sys/select.h sys/poll.h sys/socket.h sys/un.h \ + sys/ioctl.h sys/filio.h sys/resource.h sys/uio.h sys/syscall.h]) +AC_CHECK_HEADERS([linux/sched.h]) AC_CHECK_MEMBERS([struct msghdr.msg_control], [AC_DEFINE([HAVE_MSGHDR_MSG_CONTROL], [1], [Define to 1 if you have 'msghdr.msg_control' structure.])], [], [ 
@@ -188,102 +206,22 @@ AC_SEARCH_LIBS([gethostbyname], [nsl]) AC_SEARCH_LIBS([yp_get_default_domain], [nsl]) AC_SEARCH_LIBS([socket], [socket]) AC_SEARCH_LIBS([openpty], [util]) -# Checks for dynamic loader and zlib needed by OpenSSL +# Checks for dynamic loader needed by OpenSSL AC_SEARCH_LIBS([dlopen], [dl]) AC_SEARCH_LIBS([shl_load], [dld]) -AC_SEARCH_LIBS([inflateEnd], [z]) # Add BeOS libraries -if test "$host_os" = "beos"; then +if test "x$host_os" = "xbeos"; then LIBS="$LIBS -lbe -lroot -lbind" fi -AC_MSG_NOTICE([**************************************** thread model]) - -checkpthreadlib() { : - # 1. BSD hack: attempt to use alternative libc implementation if available - AC_CHECK_LIB([c_r], [pthread_create], - [ - LIBS="$LIBS -pthread" - HAVE_LIBPTHREAD="yes" - AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.]) - ] - ) - - # 2. try to use from standard libc (required by Android and possibly other platforms) - AC_CHECK_LIB([c], [pthread_create], - [ - HAVE_LIBPTHREAD="yes" - AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.]) - ] - ) - - # 3. 
try libpthread: OSF hack instead of simple AC_CHECK_LIB here - AC_MSG_CHECKING([for pthread_create in -lpthread]) - valid_LIBS="$LIBS" - LIBS="$valid_LIBS -lpthread" - AC_LINK_IFELSE( - [AC_LANG_PROGRAM( - [ -#include - ], - [ -pthread_create((void *)0, (void *)0, (void *)0, (void *)0) - ] - )], - [ - AC_MSG_RESULT([yes]) - HAVE_LIBPTHREAD="yes" - AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.]) - ], [ - AC_MSG_RESULT([no]) - LIBS="$valid_LIBS" - ] - ) -} - -AC_ARG_WITH(threads, -[ --with-threads=model select threading model (ucontext/pthread/fork)], -[ - case "$withval" in - ucontext) - AC_MSG_NOTICE([UCONTEXT mode selected]) - AC_DEFINE([USE_UCONTEXT], [1], [Define to 1 to select UCONTEXT mode]) - ;; - pthread) - checkpthreadlib - AC_MSG_NOTICE([PTHREAD mode selected]) - AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode]) - ;; - fork) - AC_MSG_NOTICE([FORK mode selected]) - AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode]) - ;; - *) - AC_MSG_ERROR([Unknown thread model \"${withval}\"]) - ;; - esac -], [ - checkpthreadlib - if test "$HAVE_LIBPTHREAD" = "yes" -a "$ac_cv_header_pthread_h" = "yes"; then - AC_MSG_NOTICE([PTHREAD thread model detected]) - AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode]) - elif test "$ac_cv_func_getcontext" = "yes" -a "$ac_cv_header_ucontext_h" = "yes"; then - AC_MSG_NOTICE([UCONTEXT thread model detected]) - AC_DEFINE([USE_UCONTEXT], [1], [Define to 1 to select UCONTEXT mode]) - else - AC_MSG_NOTICE([FORK thread model detected]) - AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode]) - fi -]) - AC_MSG_NOTICE([**************************************** library functions]) # safe string operations AC_CHECK_FUNCS(snprintf vsnprintf) # pseudoterminal AC_CHECK_FUNCS(openpty _getpty) # Unix -AC_CHECK_FUNCS(daemon waitpid wait4 setsid setgroups chroot) +AC_CHECK_FUNCS(daemon waitpid wait4 setsid setgroups chroot realpath) # limits AC_CHECK_FUNCS(sysconf 
getrlimit) # threads/reentrant functions @@ -316,10 +254,10 @@ getaddrinfo(NULL, NULL, NULL, NULL); [AC_MSG_RESULT([no])]) ;; esac -# poll() is not recommended on Mac OS X <=10.3 and broken on Mac OS X >=10.4 +# poll() is not recommended on Mac OS X <= 10.3 and broken on Mac OS X 10.4 AC_MSG_CHECKING([for broken poll() implementation]) case "$host_os" in -darwin*) +darwin[0-8].*) AC_MSG_RESULT([yes (poll() disabled)]) AC_DEFINE([BROKEN_POLL], [1], [Define to 1 if you have a broken 'poll' implementation.]) ;; @@ -334,11 +272,12 @@ AC_MSG_NOTICE([**************************************** optional features]) # Use IPv6? AC_MSG_CHECKING([whether to enable IPv6 support]) AC_ARG_ENABLE(ipv6, -[ --enable-ipv6 Enable IPv6 support], +[ --disable-ipv6 disable IPv6 support], [ case "$enableval" in yes) AC_MSG_RESULT([yes]) - AC_DEFINE([USE_IPv6], [1], [Define to 1 to enable IPv6 support]) + AC_DEFINE([USE_IPv6], [1], + [Define to 1 to enable IPv6 support]) ;; no) AC_MSG_RESULT([no]) ;; 
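Review bot: The new pattern `darwin[0-8].*)` uses bare square brackets, which are the m4 quote characters in configure.ac. Unless this `case` sits inside extra quoting not visible in the hunk, autoconf strips them and the generated configure tests the literal `darwin0-8.*`. That matches no real `$host_os`, so BROKEN_POLL would never be defined on the old Darwin releases the comment names. Write it as `darwin[[0-8]].*)` and confirm against the regenerated configure script. The `case` statement is closed outside the hunk.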
@@ -346,23 +285,86 @@ AC_ARG_ENABLE(ipv6, AC_MSG_ERROR([bad value \"${enableval}\"]) ;; esac + ], [ + AC_MSG_RESULT([yes (default)]) + AC_DEFINE([USE_IPv6], [1], [Define to 1 to enable IPv6 support]) + ], [ + AC_MSG_RESULT([no]) + ] +) + +# FIPS Mode +AC_MSG_CHECKING([whether to enable FIPS support]) +AC_ARG_ENABLE(fips, +[ --disable-fips disable OpenSSL FIPS support], + [ + case "$enableval" in + yes) AC_MSG_RESULT([no]) + use_fips="yes" + AC_DEFINE([USE_FIPS], [1], + [Define to 1 to enable OpenSSL FIPS support]) + ;; + no) AC_MSG_RESULT([no]) + use_fips="no" + ;; + *) AC_MSG_RESULT([error]) + AC_MSG_ERROR([bad value \"${enableval}\"]) + ;; + esac ], - [AC_MSG_RESULT([yes]); AC_DEFINE([USE_IPv6], [1], [Define to 1 to enable IPv6 support])], - [AC_MSG_RESULT([no])] + [ + use_fips="auto" + AC_MSG_RESULT([autodetecting]) + ] +) + +# Disable systemd socket activation support +AC_MSG_CHECKING([whether to enable systemd socket activation support]) +AC_ARG_ENABLE(systemd, +[ --disable-systemd disable systemd socket activation support], + [ + case "$enableval" in + yes) AC_MSG_RESULT([yes]) + AC_SEARCH_LIBS([sd_listen_fds], [systemd systemd-daemon]) + AC_DEFINE([USE_SYSTEMD], [1], + [Define to 1 to enable systemd socket activation]) + ;; + no) AC_MSG_RESULT([no]) + ;; + *) AC_MSG_RESULT([error]) + AC_MSG_ERROR([Bad value \"${enableval}\"]) + ;; + esac + ], + [ + AC_MSG_RESULT([autodetecting]) + # the library name has changed to -lsystemd in systemd 209 + AC_SEARCH_LIBS([sd_listen_fds], [systemd systemd-daemon], + [ AC_CHECK_HEADERS([systemd/sd-daemon.h], [ + AC_DEFINE([USE_SYSTEMD], [1], + [Define to 1 to enable systemd socket activation]) + AC_MSG_NOTICE([systemd support enabled]) + ], [ + AC_MSG_NOTICE([systemd header not found]) + ]) ], [ + AC_MSG_NOTICE([systemd library not found]) + ]) + ] ) # Disable use of libwrap (TCP wrappers) # it should be the last check! 
-AC_MSG_CHECKING([whether to disable TCP wrappers library support]) +AC_MSG_CHECKING([whether to enable TCP wrappers support]) AC_ARG_ENABLE(libwrap, -[ --disable-libwrap Disable TCP wrappers library support], +[ --disable-libwrap disable TCP wrappers support], [ case "$enableval" in - yes) AC_MSG_RESULT([no]) - AC_DEFINE([HAVE_LIBWRAP], [1], [Define to 1 if you have 'libwrap' library.]) + yes) AC_MSG_RESULT([yes]) + AC_DEFINE([USE_LIBWRAP], [1], + [Define to 1 to enable TCP wrappers support]) LIBS="$LIBS -lwrap" ;; - no) AC_MSG_RESULT([yes]) + no) AC_MSG_RESULT([no]) ;; *) AC_MSG_RESULT([error]) AC_MSG_ERROR([Bad value \"${enableval}\"]) 
@@ -375,106 +377,83 @@ AC_ARG_ENABLE(libwrap, valid_LIBS="$LIBS" LIBS="$valid_LIBS -lwrap" AC_LINK_IFELSE( - [AC_LANG_PROGRAM( - [ -int hosts_access(); int allow_severity, deny_severity; - ], - [ -hosts_access() - ] - )], - [AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_LIBWRAP], [1], [Define to 1 if you have 'libwrap' library.])], - [AC_MSG_RESULT([no]); LIBS="$valid_LIBS"] + [ + AC_LANG_PROGRAM( + [int hosts_access(); int allow_severity, deny_severity;], + [hosts_access()]) + ], [ + AC_MSG_RESULT([yes]); + AC_DEFINE([USE_LIBWRAP], [1], + [Define to 1 to enable TCP wrappers support]) + AC_MSG_NOTICE([libwrap support enabled]) + ], [ + AC_MSG_RESULT([no]) + LIBS="$valid_LIBS" + AC_MSG_NOTICE([libwrap library not found]) + ] ) ] ) -# FIPS Mode -AC_MSG_CHECKING([whether to enable FIPS mode support]) -AC_ARG_ENABLE(fips, -[ --enable-fips Enable OpenSSL FIPS mode], - [ - case "$enableval" in - yes) AC_MSG_RESULT([yes]) - sub_dirs="/ssl/fips /ssl/fips-1.0 /" - fips="yes" - AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS mode]) - ;; - no) AC_MSG_RESULT([no]) - sub_dirs="/ssl /openssl /" - fips="no" - ;; - *) AC_MSG_RESULT([error]) - AC_MSG_ERROR([bad value \"${enableval}\"]) - ;; - esac - ], - [ - sub_dirs="/ssl/fips /ssl/fips-1.0 /ssl /openssl /" - fips="auto" - AC_MSG_RESULT([autodetecting]) - ] -) +AC_MSG_NOTICE([**************************************** TLS]) + +AC_MSG_CHECKING([for compiler sysroot]) +if test "x$GCC" = "xyes"; then + sysroot=`$CC --print-sysroot 2>/dev/null` +fi +if test -z "$sysroot" -o "x$sysroot" = "x/"; then + sysroot="" + AC_MSG_RESULT([/]) +else + AC_MSG_RESULT([$sysroot]) +fi -AC_MSG_NOTICE([**************************************** SSL]) check_ssl_dir() { : - SSLDIR="$1" - if test -f "$1/include/openssl/ssl.h"; then - return 0 - fi - return 1 + test -n "$1" -a -f "$1/include/openssl/ssl.h" && SSLDIR="$1" } -# Check for SSL directory -AC_MSG_CHECKING([for SSL directory]) -AC_ARG_WITH(ssl, -[ --with-ssl=DIR location of installed SSL 
libraries/include files], - [ - check_ssl_dir "$withval" - ], - [ - for main_dir in /usr/local /usr/lib /usr/pkg /opt/local /opt /usr; do - for sub_dir in $sub_dirs; do - check_ssl_dir "$main_dir$sub_dir" && break 2 - done +find_ssl_dir() { : + stunnel_prefix="$prefix" + test "x$stunnel_prefix" = "xNONE" && stunnel_prefix=$ac_default_prefix + for main_dir in "$stunnel_prefix" "/usr/local" "/usr/lib" "/usr/pkg" "/opt/local" "/opt" "/opt/csw" "/usr" ""; do + for sub_dir in "/ssl" "/openssl" "/ossl" ""; do + check_ssl_dir "$sysroot$main_dir$sub_dir" && return done - ] + done + if test -x "/usr/bin/xcrun"; then + sdk_path=`/usr/bin/xcrun --sdk macosx --show-sdk-path` + check_ssl_dir "$sdk_path/usr" && return + fi + check_ssl_dir "/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-migrator/sdk/MacOSX.sdk/usr" +} + +SSLDIR="" +AC_MSG_CHECKING([for TLS directory]) +AC_ARG_WITH(ssl, +[ --with-ssl=DIR location of installed TLS libraries/include files], + [check_ssl_dir "$withval"], + [find_ssl_dir] ) -if test ! 
-d "$SSLDIR"; then +if test -z "$SSLDIR"; then AC_MSG_RESULT([not found]) AC_MSG_ERROR([ -Couldn't find your SSL library installation dir +Could not find your TLS library installation dir Use --with-ssl option to fix this problem ]) fi AC_MSG_RESULT([$SSLDIR]) AC_SUBST([SSLDIR]) -AC_DEFINE_UNQUOTED([SSLDIR], ["$SSLDIR"], [SSL directory]) +AC_DEFINE_UNQUOTED([SSLDIR], ["$SSLDIR"], [TLS directory]) valid_CPPFLAGS="$CPPFLAGS"; CPPFLAGS="$CPPFLAGS -I$SSLDIR/include" valid_LIBS="$LIBS"; LIBS="$LIBS -L$SSLDIR/lib64 -L$SSLDIR/lib -lssl -lcrypto" -AC_CHECK_HEADER([$SSLDIR/include/openssl/engine.h], - [AC_DEFINE([HAVE_OSSL_ENGINE_H], [1], - [Define to 1 if you have header file.])], - [AC_MSG_WARN([OpenSSL engine header not found])]) - -AC_CHECK_HEADER([$SSLDIR/include/openssl/ocsp.h], - [AC_DEFINE([HAVE_OSSL_OCSP_H], [1], - [Define to 1 if you have header file.])], - [AC_MSG_WARN([OpenSSL ocsp header not found])]) - -AC_CHECK_HEADER([$SSLDIR/include/openssl/fips.h], - [AC_DEFINE([HAVE_OSSL_FIPS_H], [1], - [Define to 1 if you have header file.])], - [AC_MSG_WARN([OpenSSL fips header not found])]) - -if test "$fips" = "auto"; then +if test "x$use_fips" = "xauto"; then AC_CHECK_FUNCS(FIPS_mode_set, [ - AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS mode.]) - AC_MSG_NOTICE([FIPS mode detected]) + AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS support]) + AC_MSG_NOTICE([FIPS support enabled]) ], [ - AC_MSG_NOTICE([FIPS mode not detected]) + AC_MSG_NOTICE([FIPS support not found]) ]) fi 
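Review bot: `sysroot` is assigned only inside `if test "x$GCC" = "xyes"`, so with a non-GCC compiler the following `test -z "$sysroot"` reads whatever value the variable already holds. Unless it is set earlier outside the hunk, that can be a value inherited from the caller's environment. `find_ssl_dir` then prefixes every candidate directory with it, so it influences which OpenSSL headers and libraries the build picks up. Initialise it explicitly with `sysroot=""` before the `if`, so the TLS search path depends only on the compiler, `$prefix` and `--with-ssl`.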
@@ -482,8 +461,9 @@ CPPFLAGS="$valid_CPPFLAGS" LIBS="$valid_LIBS" AC_MSG_NOTICE([**************************************** write the results]) -AC_CONFIG_FILES([Makefile src/Makefile src/stunnel3 doc/Makefile tools/Makefile tools/stunnel.conf-sample tools/stunnel.init tools/stunnel.service]) +AC_CONFIG_FILES([Makefile src/Makefile doc/Makefile tools/Makefile]) AC_OUTPUT AC_MSG_NOTICE([**************************************** success]) +# vim:ft=automake # End of configure.ac diff --git a/doc/Makefile.am b/doc/Makefile.am index f1f6938..8af6ca8 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am 
@@ -1,21 +1,35 @@ ## Process this file with automake to produce Makefile.in +# by Michal Trojnara 2015-2017 -EXTRA_DIST = stunnel.pod stunnel.pl.pod stunnel.fr.pod \ - stunnel.8 stunnel.pl.8 stunnel.fr.8 \ - stunnel.html stunnel.pl.html stunnel.fr.html en pl +EXTRA_DIST = stunnel.pod.in stunnel.8.in stunnel.html.in en +EXTRA_DIST += stunnel.pl.pod.in stunnel.pl.8.in stunnel.pl.html.in pl -man_MANS = stunnel.8 stunnel.pl.8 stunnel.fr.8 +man_MANS = stunnel.8 stunnel.pl.8 docdir = $(datadir)/doc/stunnel -doc_DATA = stunnel.html stunnel.pl.html stunnel.fr.html +doc_DATA = stunnel.html stunnel.pl.html -SUFFIXES = .pod .8 .html +CLEANFILES = $(man_MANS) $(doc_DATA) -.pod.8: - pod2man -u --section=8 --release=$(VERSION) --center=stunnel \ - --date=`date +%Y.%m.%d` $< $@ +SUFFIXES = .pod.in .8.in .html.in -.pod.html: - pod2html --noindex --title stunnel.8 --infile=$< --outfile=$@ +.pod.in.8.in: + pod2man -u -n stunnel -s 8 -r $(VERSION) \ + -c "stunnel TLS Proxy" -d `date +%Y.%m.%d` $< $@ + +.pod.in.html.in: + pod2html --index --backlink --header \ + --title "stunnel TLS Proxy" --infile=$< --outfile=$@ rm -f pod2htmd.tmp pod2htmi.tmp +edit = sed \ + -e 's|@bindir[@]|$(bindir)|g' \ + -e 's|@sysconfdir[@]|$(sysconfdir)|g' + +$(man_MANS) $(doc_DATA): Makefile + $(edit) '$(srcdir)/$@.in' >$@ + +stunnel.8: $(srcdir)/stunnel.8.in +stunnel.html: $(srcdir)/stunnel.html.in +stunnel.pl.8: $(srcdir)/stunnel.pl.8.in +stunnel.pl.html: $(srcdir)/stunnel.pl.html.in diff --git a/doc/Makefile.in b/doc/Makefile.in index 0b4687d..9af4501 100644 --- a/doc/Makefile.in +++ b/doc/Makefile.in 
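Review bot: The new `$(man_MANS) $(doc_DATA): Makefile` rule at the end of this hunk redirects sed straight into `$@`, so if sed fails (for example on a missing `.in` file) a truncated man page or HTML file is left behind with a fresh timestamp. The next `make` or `make install` would then treat it as up to date and ship it. Writing to a temporary name and renaming avoids that, as in the Autoconf manual's idiom for this pattern: `rm -f $@ $@.tmp`, then `$(edit) '$(srcdir)/$@.in' >$@.tmp`, then `mv $@.tmp $@`. The `edit` expressions also put `$(bindir)` and `$(sysconfdir)` unescaped into the sed replacement, so a comment above `edit` such as `# assumes install paths contain no '|' or '&'` would record that limit for packagers. The generated doc/Makefile.in carries a copy of the same rule and would pick up the fix when regenerated.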
@@ -1,9 +1,8 @@ -# Makefile.in generated by automake 1.11.1 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, -# Inc. +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
@@ -15,7 +14,54 @@ @SET_MAKE@ +# by Michal Trojnara 2015-2017 + VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ @@ -35,7 +81,7 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = doc -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ 
@@ -47,8 +93,25 @@ mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/src/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = SOURCES = DIST_SOURCES = +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ @@ -70,14 +133,22 @@ am__nobase_list = $(am__nobase_strip_setup); \ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } man8dir = $(mandir)/man8 am__installdirs = "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(docdir)" NROFF = nroff MANS = $(man_MANS) DATA = $(doc_DATA) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ @@ -92,6 +163,7 @@ CYGPATH_W = @CYGPATH_W@ DEFAULT_GROUP = @DEFAULT_GROUP@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ +DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -116,6 +188,7 @@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ NM = @NM@ NMEDIT = @NMEDIT@ 
@@ -131,6 +204,9 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PTHREAD_CC = @PTHREAD_CC@ +PTHREAD_CFLAGS = @PTHREAD_CFLAGS@ +PTHREAD_LIBS = @PTHREAD_LIBS@ RANDOM_FILE = @RANDOM_FILE@ RANLIB = @RANLIB@ SED = @SED@ @@ -143,6 +219,7 @@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ @@ -150,6 +227,7 @@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ +ax_pthread_config = @ax_pthread_config@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -175,7 +253,6 @@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ -lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ 
@@ -183,28 +260,29 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ -stunnel_CFLAGS = @stunnel_CFLAGS@ -stunnel_LDFLAGF = @stunnel_LDFLAGF@ -stunnel_LDFLAGS = @stunnel_LDFLAGS@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ -EXTRA_DIST = stunnel.pod stunnel.pl.pod stunnel.fr.pod \ - stunnel.8 stunnel.pl.8 stunnel.fr.8 \ - stunnel.html stunnel.pl.html stunnel.fr.html en pl +EXTRA_DIST = stunnel.pod.in stunnel.8.in stunnel.html.in en \ + stunnel.pl.pod.in stunnel.pl.8.in stunnel.pl.html.in pl +man_MANS = stunnel.8 stunnel.pl.8 +doc_DATA = stunnel.html stunnel.pl.html +CLEANFILES = $(man_MANS) $(doc_DATA) +SUFFIXES = .pod.in .8.in .html.in +edit = sed \ + -e 's|@bindir[@]|$(bindir)|g' \ + -e 's|@sysconfdir[@]|$(sysconfdir)|g' -man_MANS = stunnel.8 stunnel.pl.8 stunnel.fr.8 -doc_DATA = stunnel.html stunnel.pl.html stunnel.fr.html -SUFFIXES = .pod .8 .html all: all-am .SUFFIXES: -.SUFFIXES: .pod .8 .html +.SUFFIXES: .pod.in .8.in .html.in $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ 
@@ -243,11 +321,18 @@ clean-libtool: -rm -rf .libs _libs install-man8: $(man_MANS) @$(NORMAL_INSTALL) - test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" - @list=''; test -n "$(man8dir)" || exit 0; \ - { for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ - sed -n '/\.8[a-z]*$$/p'; \ + @list1=''; \ + list2='$(man_MANS)'; \ + test -n "$(man8dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.8[a-z]*$$/p'; \ + fi; \ } | while read p; do \ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; echo "$$p"; \ @@ -276,13 +361,14 @@ uninstall-man8: sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ - test -z "$$files" || { \ - echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \ - cd "$(DESTDIR)$(man8dir)" && rm -f $$files; } + dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) install-docDATA: $(doc_DATA) @$(NORMAL_INSTALL) - test -z "$(docdir)" || $(MKDIR_P) "$(DESTDIR)$(docdir)" @list='$(doc_DATA)'; test -n "$(docdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \ + fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ 
@@ -296,30 +382,15 @@ uninstall-docDATA: @$(NORMAL_UNINSTALL) @list='$(doc_DATA)'; test -n "$(docdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ - test -n "$$files" || exit 0; \ - echo " ( cd '$(DESTDIR)$(docdir)' && rm -f" $$files ")"; \ - cd "$(DESTDIR)$(docdir)" && rm -f $$files -tags: TAGS -TAGS: + dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir) +tags TAGS: -ctags: CTAGS -CTAGS: +ctags CTAGS: + +cscope cscopelist: distdir: $(DISTFILES) - @list='$(MANS)'; if test -n "$$list"; then \ - list=`for p in $$list; do \ - if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ - if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \ - if test -n "$$list" && \ - grep 'ab help2man is required to generate this page' $$list >/dev/null; then \ - echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \ - grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \ - echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \ - echo " typically \`make maintainer-clean' will remove them" >&2; \ - exit 1; \ - else :; fi; \ - else :; fi @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ 
@@ -366,13 +437,19 @@ install-am: all-am installcheck: installcheck-am install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi mostlyclean-generic: clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) 
@@ -452,27 +529,36 @@ uninstall-man: uninstall-man8 .MAKE: install-am install-strip .PHONY: all all-am check check-am clean clean-generic clean-libtool \ - distclean distclean-generic distclean-libtool distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-docDATA install-dvi \ - install-dvi-am install-exec install-exec-am install-html \ - install-html-am install-info install-info-am install-man \ - install-man8 install-pdf install-pdf-am install-ps \ - install-ps-am install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ - ps ps-am uninstall uninstall-am uninstall-docDATA \ - uninstall-man uninstall-man8 + cscopelist-am ctags-am distclean distclean-generic \ + distclean-libtool distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am \ + install-docDATA install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \ + uninstall-am uninstall-docDATA uninstall-man uninstall-man8 -.pod.8: - pod2man -u --section=8 --release=$(VERSION) --center=stunnel \ - --date=`date +%Y.%m.%d` $< $@ +.pod.in.8.in: + pod2man -u -n stunnel -s 8 -r $(VERSION) \ + -c "stunnel TLS Proxy" -d `date +%Y.%m.%d` $< $@ -.pod.html: - pod2html --noindex --title stunnel.8 --infile=$< --outfile=$@ +.pod.in.html.in: + pod2html --index --backlink --header \ + --title "stunnel TLS Proxy" --infile=$< --outfile=$@ rm -f pod2htmd.tmp pod2htmi.tmp +$(man_MANS) $(doc_DATA): Makefile + $(edit) '$(srcdir)/$@.in' >$@ + +stunnel.8: $(srcdir)/stunnel.8.in +stunnel.html: 
$(srcdir)/stunnel.html.in +stunnel.pl.8: $(srcdir)/stunnel.pl.8.in +stunnel.pl.html: $(srcdir)/stunnel.pl.html.in + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/doc/en/VNC_StunnelHOWTO.html b/doc/en/VNC_StunnelHOWTO.html index 0261c14..7116551 100644 --- a/doc/en/VNC_StunnelHOWTO.html +++ b/doc/en/VNC_StunnelHOWTO.html @@ -36,8 +36,8 @@ HOWTO and then we'll look at the theory behind all this.


    -
  1. Download and install openSSL, - SSLEay, and Stunnel on the Linux/Unix box. Download the modules.

    +
  2. Download and install OpenSSL, + SSLeay, and Stunnel on the Linux/Unix box. Download the modules.

a) [root@anthrax$]gunzip openssl-x.xx.tar.gz (repeat for all 3 the @@ -52,7 +52,7 @@ modules)

save the file as VNCRegEdit.REG on the Windows 2000 box

--cut here and copy -to VNCRegEdit.REG the double click file to +to VNCRegEdit.REG then double click the file to import--
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3]
AllowLoopback=dword:00000001

[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\Default]
AllowLoopback=dword:00000001
--stop here--

@@ -87,7 +87,7 @@ here--

execute the following command and let it run in its own terminal.

stunnel -d 5900 -r -unix.ip.adress:5900 -c

+unix.ip.address:5900 -c

.

  1. And on the Windows 2000 machine @@ -109,7 +109,7 @@ the window

    2000 command as follows:

    stunnel -d 5902 -r -unix.ip.adress:5902

    +unix.ip.address:5902

    and remember to start another vncserver on the Linux box for each VNC display


    @@ -165,11 +165,11 @@ desired "display" number.


    To connect from the client machine you -need to enter the client machines IP address and the "display" +need to enter the client machine's IP address and the "display" (from the port conversion). But VNC will think that you are trying to connect to the local machine and does not allow this. To override -this add the following to you registry.

    --cut here and copy to -anything.reg. the double click file to +this add the following to your registry.

    --cut here and copy to +anything.reg. then double click the file to import--
    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3]
    AllowLoopback=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\Default]
    AllowLoopback=dword:00000001
    --stop here--

    Now VNC will not complain. So you need to always run stunnel in client mode on the Windows machine and then connect with @@ -182,9 +182,9 @@ way, *NIX doesn't complain about this. There is no setting needed if


    Unfortunately this will not work well -with the build in web version. If you did not known about it, try +with the built-in web version. If you did not known about it, try http'ing into a machine running VNC server on it, to port 58XX (where XX is the display number), and the Java client will be loaded.

    - \ No newline at end of file + diff --git a/doc/pl/tworzenie_certyfikatow.html b/doc/pl/tworzenie_certyfikatow.html index f38a957..60ebf04 100644 --- a/doc/pl/tworzenie_certyfikatow.html +++ b/doc/pl/tworzenie_certyfikatow.html @@ -93,7 +93,7 @@ private key # private random number file
     
    x509_extensions = usr_cert              -# The extentions to add to the cert +# The extensions to add to the cert
    crl_extensions  = crl_ext               # Extensions to add to CRL
    default_days    = 365                   @@ -147,7 +147,7 @@ look
    distinguished_name      = req_distinguished_name
    attributes                      = req_attributes -
    x509_extensions = v3_ca # The extentions to add to the self signed +
    x509_extensions = v3_ca # The extensions to add to the self signed cert
     
    [ req_distinguished_name ] diff --git a/doc/stunnel.8 b/doc/stunnel.8 deleted file mode 100644 index 7624a27..0000000 --- a/doc/stunnel.8 +++ /dev/null 
@@ -1,993 +0,0 @@ -.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.ie \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. nr % 0 -. rr F -.\} -.el \{\ -. de IX -.. -.\} -.\" ======================================================================== -.\" -.IX Title "STUNNEL 8" -.TH STUNNEL 8 "2013.03.20" "4.56" "stunnel" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NAME" -stunnel \- universal SSL tunnel -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.IP "\fBUnix:\fR" 4 -.IX Item "Unix:" -\&\fBstunnel\fR [] | \-fd n | \-help | \-version | \-sockets -.IP "\fB\s-1WIN32:\s0\fR" 4 -.IX Item "WIN32:" -\&\fBstunnel\fR [ [\-install | \-uninstall | \-start | \-stop] | \-exit] - [\-quiet] [] ] | \-help | \-version | \-sockets -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBstunnel\fR program is designed to work as \fI\s-1SSL\s0\fR encryption wrapper -between remote clients and local (\fIinetd\fR\-startable) or remote -servers. The concept is that having non-SSL aware daemons running on -your system you can easily set them up to communicate with clients over -secure \s-1SSL\s0 channels. -.PP -\&\fBstunnel\fR can be used to add \s-1SSL\s0 functionality to commonly used \fIInetd\fR -daemons like \s-1POP\-2\s0, \s-1POP\-3\s0, and \s-1IMAP\s0 servers, to standalone daemons like -\&\s-1NNTP\s0, \s-1SMTP\s0 and \s-1HTTP\s0, and in tunneling \s-1PPP\s0 over network sockets without -changes to the source code. 
-.PP -This product includes cryptographic software written by -Eric Young (eay@cryptsoft.com) -.SH "OPTIONS" -.IX Header "OPTIONS" -.IP "<\fBfilename\fR>" 4 -.IX Item "" -Use specified configuration file -.IP "\fB\-fd n\fR (Unix only)" 4 -.IX Item "-fd n (Unix only)" -Read the config file from specified file descriptor -.IP "\fB\-help\fR" 4 -.IX Item "-help" -Print \fBstunnel\fR help menu -.IP "\fB\-version\fR" 4 -.IX Item "-version" -Print \fBstunnel\fR version and compile time defaults -.IP "\fB\-sockets\fR" 4 -.IX Item "-sockets" -Print default socket options -.IP "\fB\-install\fR (\s-1NT/2000/XP\s0 only)" 4 -.IX Item "-install (NT/2000/XP only)" -Install \s-1NT\s0 Service -.IP "\fB\-uninstall\fR (\s-1NT/2000/XP\s0 only)" 4 -.IX Item "-uninstall (NT/2000/XP only)" -Uninstall \s-1NT\s0 Service -.IP "\fB\-start\fR (\s-1NT/2000/XP\s0 only)" 4 -.IX Item "-start (NT/2000/XP only)" -Start \s-1NT\s0 Service -.IP "\fB\-stop\fR (\s-1NT/2000/XP\s0 only)" 4 -.IX Item "-stop (NT/2000/XP only)" -Stop \s-1NT\s0 Service -.IP "\fB\-exit\fR (Win32 only)" 4 -.IX Item "-exit (Win32 only)" -Exit an already started stunnel -.IP "\fB\-quiet\fR (\s-1NT/2000/XP\s0 only)" 4 -.IX Item "-quiet (NT/2000/XP only)" -Don't display any message boxes -.SH "CONFIGURATION FILE" -.IX Header "CONFIGURATION FILE" -Each line of the configuration file can be either: -.IP "\(bu" 4 -An empty line (ignored). -.IP "\(bu" 4 -A comment starting with ';' (ignored). -.IP "\(bu" 4 -An 'option_name = option_value' pair. -.IP "\(bu" 4 -\&'[service_name]' indicating a start of a service definition. -.PP -An address parameter of an option may be either: -.IP "\(bu" 4 -A port number. -.IP "\(bu" 4 -A colon-separated pair of \s-1IP\s0 address (either IPv4, IPv6, or domain name) and port number. -.IP "\(bu" 4 -A Unix socket path (Unix only). 
-.SS "\s-1GLOBAL\s0 \s-1OPTIONS\s0" -.IX Subsection "GLOBAL OPTIONS" -.IP "\fBchroot\fR = directory (Unix only)" 4 -.IX Item "chroot = directory (Unix only)" -directory to chroot \fBstunnel\fR process -.Sp -\&\fBchroot\fR keeps \fBstunnel\fR in chrooted jail. \fICApath\fR, \fICRLpath\fR, \fIpid\fR -and \fIexec\fR are located inside the jail and the patches have to be relative -to the directory specified with \fBchroot\fR. -.Sp -Several functions of the operating system also need their files to be located within chroot jail, e.g.: -.RS 4 -.IP "\(bu" 4 -Delayed resolver typically needs /etc/nsswitch.conf and /etc/resolv.conf. -.IP "\(bu" 4 -Local time in log files needs /etc/timezone. -.IP "\(bu" 4 -Some other functions may need devices, e.g. /dev/zero or /dev/null. -.RE -.RS 4 -.RE -.IP "\fBcompression\fR = deflate | zlib | rle" 4 -.IX Item "compression = deflate | zlib | rle" -select data compression algorithm -.Sp -default: no compression -.Sp -deflate is the standard compression method as described in \s-1RFC\s0 1951. -.Sp -zlib compression of \fBOpenSSL 0.9.8\fR or above is not backward compatible with -\&\fBOpenSSL 0.9.7\fR. -.Sp -rle compression is currently not implemented by the \fBOpenSSL\fR library. -.IP "\fBdebug\fR = [facility.]level" 4 -.IX Item "debug = [facility.]level" -debugging level -.Sp -Level is a one of the syslog level names or numbers -emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), -info (6), or debug (7). All logs for the specified level and -all levels numerically less than it will be shown. Use \fIdebug = debug\fR or -\&\fIdebug = 7\fR for greatest debugging output. The default is notice (5). -.Sp -The syslog facility 'daemon' will be used unless a facility name is supplied. -(Facilities are not supported on Win32.) -.Sp -Case is ignored for both facilities and levels. 
-.IP "\fB\s-1EGD\s0\fR = egd path (Unix only)" 4 -.IX Item "EGD = egd path (Unix only)" -path to Entropy Gathering Daemon socket -.Sp -Entropy Gathering Daemon socket to use to feed \fBOpenSSL\fR random number -generator. (Available only if compiled with \fBOpenSSL 0.9.5a\fR or higher) -.IP "\fBengine\fR = auto | " 4 -.IX Item "engine = auto | " -select hardware engine -.Sp -default: software-only cryptography -.Sp -Here is an example of advanced engine configuration to read private key from an -OpenSC engine -.Sp -.Vb 7 -\& engine=dynamic -\& engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so -\& engineCtrl=ID:pkcs11 -\& engineCtrl=LIST_ADD:1 -\& engineCtrl=LOAD -\& engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc\-pkcs11.so -\& engineCtrl=INIT -\& -\& [service] -\& engineNum=1 -\& key=id_45 -.Ve -.IP "\fBengineCtrl\fR = command[:parameter]" 4 -.IX Item "engineCtrl = command[:parameter]" -control hardware engine -.Sp -Special commands \*(L"\s-1LOAD\s0\*(R" and \*(L"\s-1INIT\s0\*(R" can be used to load and initialize the -engine cryptogaphic module. -.IP "\fBfips\fR = yes | no" 4 -.IX Item "fips = yes | no" -Enable or disable \s-1FIPS\s0 140\-2 mode. -.Sp -This option allows to disable entering \s-1FIPS\s0 mode if \fBstunnel\fR was compiled -with \s-1FIPS\s0 140\-2 support. -.Sp -default: yes -.IP "\fBforeground\fR = yes | no (Unix only)" 4 -.IX Item "foreground = yes | no (Unix only)" -foreground mode -.Sp -Stay in foreground (don't fork) and log to stderr -instead of via syslog (unless \fIoutput\fR is specified). -.Sp -default: background in daemon mode -.IP "\fBoutput\fR = file" 4 -.IX Item "output = file" -append log messages to a file -.Sp -/dev/stdout device can be used to send log messages to the standard -output (for example to log them with daemontools splogger). -.IP "\fBpid\fR = file (Unix only)" 4 -.IX Item "pid = file (Unix only)" -pid file location -.Sp -If the argument is empty, then no pid file will be created. 
-.Sp -\&\fIpid\fR path is relative to \fIchroot\fR directory if specified. -.IP "\fBRNDbytes\fR = bytes" 4 -.IX Item "RNDbytes = bytes" -bytes to read from random seed files -.Sp -Number of bytes of data read from random seed files. With \s-1SSL\s0 versions less -than \fB0.9.5a\fR, also determines how many bytes of data are considered -sufficient to seed the \s-1PRNG\s0. More recent \fBOpenSSL\fR versions have a builtin -function to determine when sufficient randomness is available. -.IP "\fBRNDfile\fR = file" 4 -.IX Item "RNDfile = file" -path to file with random seed data -.Sp -The \s-1SSL\s0 library will use data from this file first to seed the random -number generator. -.IP "\fBRNDoverwrite\fR = yes | no" 4 -.IX Item "RNDoverwrite = yes | no" -overwrite the random seed files with new random data -.Sp -default: yes -.IP "\fBservice\fR = servicename (Unix only)" 4 -.IX Item "service = servicename (Unix only)" -use specified string as \fIinetd\fR mode service name for \s-1TCP\s0 Wrapper library -.Sp -default: stunnel -.IP "\fBsetgid\fR = groupname (Unix only)" 4 -.IX Item "setgid = groupname (Unix only)" -\&\fIsetgid()\fR to groupname in daemon mode and clears all other groups -.IP "\fBsetuid\fR = username (Unix only)" 4 -.IX Item "setuid = username (Unix only)" -\&\fIsetuid()\fR to username in daemon mode -.IP "\fBsocket\fR = a|l|r:option=value[:value]" 4 -.IX Item "socket = a|l|r:option=value[:value]" -Set an option on accept/local/remote socket -.Sp -The values for linger option are l_onof:l_linger. -The values for time are tv_sec:tv_usec. 
-.Sp -Examples: -.Sp -.Vb 9 -\& socket = l:SO_LINGER=1:60 -\& set one minute timeout for closing local socket -\& socket = r:SO_OOBINLINE=yes -\& place out\-of\-band data directly into the -\& receive data stream for remote sockets -\& socket = a:SO_REUSEADDR=no -\& disable address reuse (enabled by default) -\& socket = a:SO_BINDTODEVICE=lo -\& only accept connections on loopback interface -.Ve -.IP "\fBsyslog\fR = yes | no (Unix only)" 4 -.IX Item "syslog = yes | no (Unix only)" -enable logging via syslog -.Sp -default: yes -.IP "\fBtaskbar\fR = yes | no (\s-1WIN32\s0 only)" 4 -.IX Item "taskbar = yes | no (WIN32 only)" -enable the taskbar icon -.Sp -default: yes -.SS "SERVICE-LEVEL \s-1OPTIONS\s0" -.IX Subsection "SERVICE-LEVEL OPTIONS" -Each configuration section begins with service name in square brackets. -The service name is used for libwrap (\s-1TCP\s0 Wrappers) access control and lets -you distinguish \fBstunnel\fR services in your log files. -.PP -Note that if you wish to run \fBstunnel\fR in \fIinetd\fR mode (where it -is provided a network socket by a server such as \fIinetd\fR, \fIxinetd\fR, -or \fItcpserver\fR) then you should read the section entitled \fI\s-1INETD\s0 \s-1MODE\s0\fR -below. -.IP "\fBaccept\fR = address" 4 -.IX Item "accept = address" -accept connections on specified address -.Sp -If no host specified, defaults to all IPv4 addresses for the local host. -.Sp -To listen on all IPv6 addresses use: -.Sp -.Vb 1 -\& connect = :::port -.Ve -.IP "\fBCApath\fR = directory" 4 -.IX Item "CApath = directory" -Certificate Authority directory -.Sp -This is the directory in which \fBstunnel\fR will look for certificates when using -the \fIverify\fR. Note that the certificates in this directory should be named -\&\s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1DER\s0 encoded subject of the -cert. -.Sp -The hash algorithm has been changed in \fBOpenSSL 1.0.0\fR. 
It is required to -c_rehash the directory on upgrade from \fBOpenSSL 0.x.x\fR to \fBOpenSSL 1.x.x\fR. -.Sp -\&\fICApath\fR path is relative to \fIchroot\fR directory if specified. -.IP "\fBCAfile\fR = certfile" 4 -.IX Item "CAfile = certfile" -Certificate Authority file -.Sp -This file contains multiple \s-1CA\s0 certificates, used with the \fIverify\fR. -.IP "\fBcert\fR = pemfile" 4 -.IX Item "cert = pemfile" -certificate chain \s-1PEM\s0 file name -.Sp -A \s-1PEM\s0 is always needed in server mode. -Specifying this flag in client mode will use this certificate chain -as a client side certificate chain. Using client side certs is optional. -The certificates must be in \s-1PEM\s0 format and must be sorted starting with the -certificate to the highest level (root \s-1CA\s0). -.IP "\fBciphers\fR = cipherlist" 4 -.IX Item "ciphers = cipherlist" -Select permitted \s-1SSL\s0 ciphers -.Sp -A colon delimited list of the ciphers to allow in the \s-1SSL\s0 connection. -For example \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0 -.IP "\fBclient\fR = yes | no" 4 -.IX Item "client = yes | no" -client mode (remote service uses \s-1SSL\s0) -.Sp -default: no (server mode) -.IP "\fBconnect\fR = address" 4 -.IX Item "connect = address" -connect to a remote address -.Sp -If no host is specified, the host defaults to localhost. -.Sp -Multiple \fBconnect\fR options are allowed in a single service section. -.Sp -If host resolves to multiple addresses and/or if multiple \fIconnect\fR -options are specified, then the remote address is chosen using a -round-robin algorithm. -.IP "\fBCRLpath\fR = directory" 4 -.IX Item "CRLpath = directory" -Certificate Revocation Lists directory -.Sp -This is the directory in which \fBstunnel\fR will look for CRLs when -using the \fIverify\fR. Note that the CRLs in this directory should -be named \s-1XXXXXXXX\s0.r0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1CRL\s0. -.Sp -The hash algorithm has been changed in \fBOpenSSL 1.0.0\fR. 
It is required to -c_rehash the directory on upgrade from \fBOpenSSL 0.x.x\fR to \fBOpenSSL 1.x.x\fR. -.Sp -\&\fICRLpath\fR path is relative to \fIchroot\fR directory if specified. -.IP "\fBCRLfile\fR = certfile" 4 -.IX Item "CRLfile = certfile" -Certificate Revocation Lists file -.Sp -This file contains multiple CRLs, used with the \fIverify\fR. -.IP "\fBcurve\fR = nid" 4 -.IX Item "curve = nid" -specify \s-1ECDH\s0 curve name -.Sp -To get a list of supported cuves use: -.Sp -.Vb 1 -\& openssl ecparam \-list_curves -.Ve -.Sp -default: prime256v1 -.IP "\fBdelay\fR = yes | no" 4 -.IX Item "delay = yes | no" -delay \s-1DNS\s0 lookup for 'connect' option -.Sp -This option is useful for dynamic \s-1DNS\s0, or when \s-1DNS\s0 is not available during -\&\fBstunnel\fR startup (road warrior \s-1VPN\s0, dial-up configurations). -.IP "\fBengineNum\fR = engine number" 4 -.IX Item "engineNum = engine number" -select engine number to read private key -.Sp -The engines are numbered starting from 1. -.IP "\fBexec\fR = executable_path" 4 -.IX Item "exec = executable_path" -execute local inetd-type program -.Sp -\&\fIexec\fR path is relative to \fIchroot\fR directory if specified. -.ie n .IP "\fBexecargs\fR = $0 $1 $2 ..." 4 -.el .IP "\fBexecargs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ..." 4 -.IX Item "execargs = $0 $1 $2 ..." -arguments for \fIexec\fR including program name ($0) -.Sp -Quoting is currently not supported. -Arguments are separated with arbitrary number of whitespaces. -.IP "\fBfailover\fR = rr | prio" 4 -.IX Item "failover = rr | prio" -Failover strategy for multiple \*(L"connect\*(R" targets. 
-.Sp -.Vb 2 -\& rr (round robin) \- fair load distribution -\& prio (priority) \- use the order specified in config file -.Ve -.Sp -default: rr -.IP "\fBident\fR = username" 4 -.IX Item "ident = username" -use \s-1IDENT\s0 (\s-1RFC\s0 1413) username checking -.IP "\fBkey\fR = keyfile" 4 -.IX Item "key = keyfile" -private key for certificate specified with \fIcert\fR option -.Sp -Private key is needed to authenticate certificate owner. -Since this file should be kept secret it should only be readable -to its owner. On Unix systems you can use the following command: -.Sp -.Vb 1 -\& chmod 600 keyfile -.Ve -.Sp -default: value of \fIcert\fR option -.IP "\fBlibwrap\fR = yes | no" 4 -.IX Item "libwrap = yes | no" -Enable or disable the use of /etc/hosts.allow and /etc/hosts.deny. -.Sp -default: yes -.IP "\fBlocal\fR = host" 4 -.IX Item "local = host" -\&\s-1IP\s0 of the outgoing interface is used as source for remote connections. -Use this option to bind a static local \s-1IP\s0 address, instead. -.IP "\fBsni\fR = service_name:server_name_pattern (server mode)" 4 -.IX Item "sni = service_name:server_name_pattern (server mode)" -Use the service as a slave service (a name-based virtual server) for Server -Name Indication \s-1TLS\s0 extension (\s-1RFC\s0 3546). -.Sp -\&\fIservice_name\fR specifies the master service that accepts client connections -with \fIaccept\fR option. \fIserver_name_pattern\fR specifies the host name to be -redirected. The pattern may start with '*' character, e.g. '*.example.com'. -Multiple slave services are normally specified for a single master service. -\&\fIsni\fR option can also be specified more than once within a single slave -service. -.Sp -This service, as well as the master service, may not be configured in client -mode. -.Sp -\&\fIconnect\fR option of the slave service is ignored when \fIprotocol\fR option is -specified, as \fIprotocol\fR connects remote host before \s-1TLS\s0 handshake. 
-.Sp -Libwrap checks (Unix only) are performed twice: with master service name after -\&\s-1TCP\s0 connection is accepted, and with slave service name during \s-1TLS\s0 handshake. -.Sp -Option \fIsni\fR is only available when compiled with \fBOpenSSL 1.0.0\fR and later. -.IP "\fBsni\fR = server_name (client mode)" 4 -.IX Item "sni = server_name (client mode)" -Use the parameter as the value of \s-1TLS\s0 Server Name Indication (\s-1RFC\s0 3546) -extension. -.Sp -Option \fIsni\fR is only available when compiled with \fBOpenSSL 1.0.0\fR and later. -.IP "\fB\s-1OCSP\s0\fR = url" 4 -.IX Item "OCSP = url" -select \s-1OCSP\s0 server for certificate verification -.IP "\fBOCSPflag\fR = flag" 4 -.IX Item "OCSPflag = flag" -specify \s-1OCSP\s0 server flag -.Sp -Several \fIOCSPflag\fR can be used to specify multiple flags. -.Sp -currently supported flags: \s-1NOCERTS\s0, \s-1NOINTERN\s0 \s-1NOSIGS\s0, \s-1NOCHAIN\s0, \s-1NOVERIFY\s0, -\&\s-1NOEXPLICIT\s0, \s-1NOCASIGN\s0, \s-1NODELEGATED\s0, \s-1NOCHECKS\s0, \s-1TRUSTOTHER\s0, \s-1RESPID_KEY\s0, \s-1NOTIME\s0 -.IP "\fBoptions\fR = SSL_options" 4 -.IX Item "options = SSL_options" -\&\fBOpenSSL\fR library options -.Sp -The parameter is the \fBOpenSSL\fR option name as described in the -\&\fI\fISSL_CTX_set_options\fI\|(3ssl)\fR manual, but without \fI\s-1SSL_OP_\s0\fR prefix. -Several \fIoptions\fR can be used to specify multiple options. -.Sp -For example for compatibility with erroneous Eudora \s-1SSL\s0 implementation -the following option can be used: -.Sp -.Vb 1 -\& options = DONT_INSERT_EMPTY_FRAGMENTS -.Ve -.IP "\fBprotocol\fR = proto" 4 -.IX Item "protocol = proto" -application protocol to negotiate \s-1SSL\s0 -.Sp -This option enables initial, protocol-specific negotiation of the \s-1SSL/TLS\s0 -encryption. -\&\fIprotocol\fR option should not be used with \s-1SSL\s0 encryption on a separate port. 
-.Sp -Currently supported protocols: -.RS 4 -.IP "\fIcifs\fR" 4 -.IX Item "cifs" -Proprietary (undocummented) extension of \s-1CIFS\s0 protocol implemented in Samba. -Support for this extension was dropped in Samba 3.0.0. -.IP "\fIconnect\fR" 4 -.IX Item "connect" -Based on \s-1RFC\s0 2817 \- \fIUpgrading to \s-1TLS\s0 Within \s-1HTTP/1\s0.1\fR, section 5.2 \- \fIRequesting a Tunnel with \s-1CONNECT\s0\fR -.Sp -This protocol is only supported in client mode. -.IP "\fIimap\fR" 4 -.IX Item "imap" -Based on \s-1RFC\s0 2595 \- \fIUsing \s-1TLS\s0 with \s-1IMAP\s0, \s-1POP3\s0 and \s-1ACAP\s0\fR -.IP "\fInntp\fR" 4 -.IX Item "nntp" -Based on \s-1RFC\s0 4642 \- \fIUsing Transport Layer Security (\s-1TLS\s0) with Network News Transfer Protocol (\s-1NNTP\s0)\fR -.Sp -This protocol is only supported in client mode. -.IP "\fIpgsql\fR" 4 -.IX Item "pgsql" -Based on http://www.postgresql.org/docs/8.3/static/protocol\-flow.html#AEN73982 -.IP "\fIpop3\fR" 4 -.IX Item "pop3" -Based on \s-1RFC\s0 2449 \- \fI\s-1POP3\s0 Extension Mechanism\fR -.IP "\fIproxy\fR" 4 -.IX Item "proxy" -Haproxy client \s-1IP\s0 address http://haproxy.1wt.eu/download/1.5/doc/proxy\-protocol.txt -.IP "\fIsmtp\fR" 4 -.IX Item "smtp" -Based on \s-1RFC\s0 2487 \- \fI\s-1SMTP\s0 Service Extension for Secure \s-1SMTP\s0 over \s-1TLS\s0\fR -.RE -.RS 4 -.RE -.IP "\fBprotocolAuthentication\fR = auth_type" 4 -.IX Item "protocolAuthentication = auth_type" -authentication type for protocol negotiations -.Sp -currently supported: basic, \s-1NTLM\s0 -.Sp -Currently authentication type only applies to the 'connect' protocol. -.Sp -default: basic -.IP "\fBprotocolHost\fR = host:port" 4 -.IX Item "protocolHost = host:port" -destination address for protocol negotiations -.Sp -\&\fIprotocolHost\fR specifies the final \s-1SSL\s0 server to be connected by the proxy, -and not the proxy server directly connected by \fBstunnel\fR. -The proxy server should be specified with the 'connect' option. 
-.Sp -Currently protocol destination address only applies to 'connect' protocol. -.IP "\fBprotocolPassword\fR = password" 4 -.IX Item "protocolPassword = password" -password for protocol negotiations -.IP "\fBprotocolUsername\fR = username" 4 -.IX Item "protocolUsername = username" -username for protocol negotiations -.IP "\fBpty\fR = yes | no (Unix only)" 4 -.IX Item "pty = yes | no (Unix only)" -allocate pseudo terminal for 'exec' option -.IP "\fBrenegotiation\fR = yes | no" 4 -.IX Item "renegotiation = yes | no" -support \s-1SSL\s0 renegotiation -.Sp -Applications of the \s-1SSL\s0 renegotiation include some authentication scenarios, -or re-keying long lasting connections. -.Sp -On the other hand this feature can facilitate a trivial CPU-exhaustion -DoS attack: -.Sp -http://vincent.bernat.im/en/blog/2011\-ssl\-dos\-mitigation.html -.Sp -Please note that disabling \s-1SSL\s0 renegotiation does not fully mitigate -this issue. -.Sp -default: yes (if supported by \fBOpenSSL\fR) -.IP "\fBreset\fR = yes | no" 4 -.IX Item "reset = yes | no" -attempt to use \s-1TCP\s0 \s-1RST\s0 flag to indicate an error -.Sp -This option is not supported on some platforms. -.Sp -default: yes -.IP "\fBretry\fR = yes | no" 4 -.IX Item "retry = yes | no" -reconnect a connect+exec section after it's disconnected -.Sp -default: no -.IP "\fBsessionCacheSize\fR = size" 4 -.IX Item "sessionCacheSize = size" -session cache size -.Sp -\&\fIsessionCacheSize\fR specifies the maximum number of the internal session cache -entries. -.Sp -The value of 0 can be used for unlimited size. It is not recommended -for production use due to the risk of memory exhaustion DoS attack. -.IP "\fBsessionCacheTimeout\fR = timeout" 4 -.IX Item "sessionCacheTimeout = timeout" -session cache timeout -.Sp -This is the number of seconds to keep cached \s-1SSL\s0 sessions. 
-.IP "\fBsessiond\fR = host:port" 4 -.IX Item "sessiond = host:port" -address of sessiond \s-1SSL\s0 cache server -.IP "\fBsslVersion\fR = version" 4 -.IX Item "sslVersion = version" -select version of \s-1SSL\s0 protocol -.Sp -Allowed options: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 -.IP "\fBstack\fR = bytes (except for \s-1FORK\s0 model)" 4 -.IX Item "stack = bytes (except for FORK model)" -thread stack size -.IP "\fBTIMEOUTbusy\fR = seconds" 4 -.IX Item "TIMEOUTbusy = seconds" -time to wait for expected data -.IP "\fBTIMEOUTclose\fR = seconds" 4 -.IX Item "TIMEOUTclose = seconds" -time to wait for close_notify (set to 0 for buggy \s-1MSIE\s0) -.IP "\fBTIMEOUTconnect\fR = seconds" 4 -.IX Item "TIMEOUTconnect = seconds" -time to wait to connect a remote host -.IP "\fBTIMEOUTidle\fR = seconds" 4 -.IX Item "TIMEOUTidle = seconds" -time to keep an idle connection -.IP "\fBtransparent\fR = none | source | destination | both (Unix only)" 4 -.IX Item "transparent = none | source | destination | both (Unix only)" -enable transparent proxy support on selected platforms -.Sp -Supported values: -.RS 4 -.IP "\fInone\fR" 4 -.IX Item "none" -Disable transparent proxy support. This is the default. -.IP "\fIsource\fR" 4 -.IX Item "source" -Re-write address to appear as if wrapped daemon is connecting -from the \s-1SSL\s0 client machine instead of the machine running \fBstunnel\fR. -.Sp -This option is currently available in: -.RS 4 -.IP "Remote mode (\fIconnect\fR option) on \fILinux >=2.6.28\fR" 4 -.IX Item "Remote mode (connect option) on Linux >=2.6.28" -This configuration requires \fBstunnel\fR to be executed as root and without -\&\fIsetuid\fR option. 
-.Sp -This configuration requires the following setup for iptables and routing -(possibly in /etc/rc.local or equivalent file): -.Sp -.Vb 7 -\& iptables \-t mangle \-N DIVERT -\& iptables \-t mangle \-A PREROUTING \-p tcp \-m socket \-j DIVERT -\& iptables \-t mangle \-A DIVERT \-j MARK \-\-set\-mark 1 -\& iptables \-t mangle \-A DIVERT \-j ACCEPT -\& ip rule add fwmark 1 lookup 100 -\& ip route add local 0.0.0.0/0 dev lo table 100 -\& echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter -.Ve -.Sp -\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option. -.IP "Remote mode (\fIconnect\fR option) on \fILinux 2.2.x\fR" 4 -.IX Item "Remote mode (connect option) on Linux 2.2.x" -This configuration requires kernel to be compiled with \fItransparent proxy\fR -option. -Connected service must be installed on a separate host. -Routing towards the clients has to go through the \fBstunnel\fR box. -.Sp -\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option. -.IP "Remote mode (\fIconnect\fR option) on \fIFreeBSD >=8.0\fR" 4 -.IX Item "Remote mode (connect option) on FreeBSD >=8.0" -This configuration requires additional firewall and routing setup. -\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option. -.IP "Local mode (\fIexec\fR option)" 4 -.IX Item "Local mode (exec option)" -This configuration works by pre-loading \fIlibstunnel.so\fR shared library. -_RLD_LIST environment variable is used on Tru64, and \s-1LD_PRELOAD\s0 variable on -other platforms. -.RE -.RS 4 -.RE -.IP "\fIdestination\fR" 4 -.IX Item "destination" -Original destination is used instead of \fIconnect\fR option. 
-.Sp -A service section for transparent destination may look like this: -.Sp -.Vb 4 -\& [transparent] -\& client=yes -\& accept= -\& transparent=destination -.Ve -.Sp -This configuration requires the following setup for iptables -(possibly in /etc/rc.local or equivalent file): -.Sp -.Vb 2 -\& /sbin/iptables \-I INPUT \-i eth0 \-p tcp \-\-dport \-j ACCEPT -\& /sbin/iptables \-t nat \-I PREROUTING \-i eth0 \-p tcp \-\-dport \-j DNAT \-\-to\-destination : -.Ve -.Sp -Transparent destination option is currently only supported on Linux. -.IP "\fIboth\fR" 4 -.IX Item "both" -Use both \fIsource\fR and \fIdestination\fR transparent proxy. -.RE -.RS 4 -.Sp -Two legacy options are also supported for backward compatibility: -.IP "\fIyes\fR" 4 -.IX Item "yes" -This options has been renamed to \fIsource\fR. -.IP "\fIno\fR" 4 -.IX Item "no" -This options has been renamed to \fInone\fR. -.RE -.RS 4 -.RE -.IP "\fBverify\fR = level" 4 -.IX Item "verify = level" -verify peer certificate -.RS 4 -.IP "level 0" 4 -.IX Item "level 0" -Request and ignore peer certificate. -.IP "level 1" 4 -.IX Item "level 1" -Verify peer certificate if present. -.IP "level 2" 4 -.IX Item "level 2" -Verify peer certificate. -.IP "level 3" 4 -.IX Item "level 3" -Verify peer with locally installed certificate. -.IP "level 4" 4 -.IX Item "level 4" -Ignore \s-1CA\s0 chain and only verify peer certificate. -.IP "default" 4 -.IX Item "default" -No verify. -.RE -.RS 4 -.Sp -It is important to understand, that this option was solely designed for access -control and not for authorization. Specifically for level 2 every non-revoked -certificate is accepted regardless of its Common Name. For this reason a -dedicated \s-1CA\s0 should be used with level 2, and not a generic \s-1CA\s0 commonly used -for webservers. Level 3 is preferred for point-to-point connections. -.RE -.SH "RETURN VALUE" -.IX Header "RETURN VALUE" -\&\fBstunnel\fR returns zero on success, non-zero on error. 
-.SH "SIGNALS" -.IX Header "SIGNALS" -The following signals can be used to control \fBstunnel\fR in Unix environment: -.IP "\s-1SIGHUP\s0" 4 -.IX Item "SIGHUP" -Force a reload of the configuration file. -.Sp -Some global options will not be reloaded: -.RS 4 -.IP "\(bu" 4 -chroot -.IP "\(bu" 4 -foreground -.IP "\(bu" 4 -pid -.IP "\(bu" 4 -setgid -.IP "\(bu" 4 -setuid -.RE -.RS 4 -.Sp -The use of 'setuid' option will also prevent \fBstunnel\fR from binding privileged -(<1024) ports during configuration reloading. -.Sp -When 'chroot' option is used, \fBstunnel\fR will look for all its files (including -configuration file, certificates, log file and pid file) within the chroot -jail. -.RE -.IP "\s-1SIGUSR1\s0" 4 -.IX Item "SIGUSR1" -Close and reopen \fBstunnel\fR log file. -This function can be used for log rotation. -.IP "\s-1SIGTERM\s0, \s-1SIGQUIT\s0, \s-1SIGINT\s0" 4 -.IX Item "SIGTERM, SIGQUIT, SIGINT" -Shut \fBstunnel\fR down. -.PP -The result of sending any other signals to the server is undefined. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -In order to provide \s-1SSL\s0 encapsulation to your local \fIimapd\fR service, use -.PP -.Vb 4 -\& [imapd] -\& accept = 993 -\& exec = /usr/sbin/imapd -\& execargs = imapd -.Ve -.PP -If you want to provide tunneling to your \fIpppd\fR daemon on port 2020, -use something like -.PP -.Vb 5 -\& [vpn] -\& accept = 2020 -\& exec = /usr/sbin/pppd -\& execargs = pppd local -\& pty = yes -.Ve -.PP -If you want to use \fBstunnel\fR in \fIinetd\fR mode to launch your imapd -process, you'd use this \fIstunnel.conf\fR. -Note there must be no \fI[service_name]\fR section. -.PP -.Vb 2 -\& exec = /usr/sbin/imapd -\& execargs = imapd -.Ve -.SH "NOTES" -.IX Header "NOTES" -.SS "\s-1RESTRICTIONS\s0" -.IX Subsection "RESTRICTIONS" -\&\fBstunnel\fR cannot be used for the \s-1FTP\s0 daemon because of the nature -of the \s-1FTP\s0 protocol which utilizes multiple ports for data transfers. 
-There are available \s-1SSL\s0 enabled versions of \s-1FTP\s0 and telnet daemons, however. -.SS "\s-1INETD\s0 \s-1MODE\s0" -.IX Subsection "INETD MODE" -The most common use of \fBstunnel\fR is to listen on a network -port and establish communication with either a new port -via the connect option, or a new program via the \fIexec\fR option. -However there is a special case when you wish to have -some other program accept incoming connections and -launch \fBstunnel\fR, for example with \fIinetd\fR, \fIxinetd\fR, -or \fItcpserver\fR. -.PP -For example, if you have the following line in \fIinetd.conf\fR: -.PP -.Vb 1 -\& imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf -.Ve -.PP -In these cases, the \fIinetd\fR\-style program is responsible -for binding a network socket (\fIimaps\fR above) and handing -it to \fBstunnel\fR when a connection is received. -Thus you do not want \fBstunnel\fR to have any \fIaccept\fR option. -All the \fIService Level Options\fR should be placed in the -global options section, and no \fI[service_name]\fR section -will be present. See the \fI\s-1EXAMPLES\s0\fR section for example -configurations. -.SS "\s-1CERTIFICATES\s0" -.IX Subsection "CERTIFICATES" -Each \s-1SSL\s0 enabled daemon needs to present a valid X.509 certificate -to the peer. It also needs a private key to decrypt the incoming -data. The easiest way to obtain a certificate and a key is to -generate them with the free \fBOpenSSL\fR package. You can find more -information on certificates generation on pages listed below. -.PP -The order of contents of the \fI.pem\fR file is important. It should contain the -unencrypted private key first, then a signed certificate (not certificate -request). There should be also empty lines after certificate and private key. -Plaintext certificate information appended on the top of generated certificate -should be discarded. 
So the file should look like this: -.PP -.Vb 8 -\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\- -\& [encoded key] -\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\- -\& [empty line] -\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\- -\& [encoded certificate] -\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\- -\& [empty line] -.Ve -.SS "\s-1RANDOMNESS\s0" -.IX Subsection "RANDOMNESS" -\&\fBstunnel\fR needs to seed the \s-1PRNG\s0 (pseudo random number generator) in -order for \s-1SSL\s0 to use good randomness. The following sources are loaded -in order until sufficient random data has been gathered: -.IP "\(bu" 4 -The file specified with the \fIRNDfile\fR flag. -.IP "\(bu" 4 -The file specified by the \s-1RANDFILE\s0 environment variable, if set. -.IP "\(bu" 4 -The file .rnd in your home directory, if \s-1RANDFILE\s0 not set. -.IP "\(bu" 4 -The file specified with '\-\-with\-random' at compile time. -.IP "\(bu" 4 -The contents of the screen if running on Windows. -.IP "\(bu" 4 -The egd socket specified with the \fI\s-1EGD\s0\fR flag. -.IP "\(bu" 4 -The egd socket specified with '\-\-with\-egd\-sock' at compile time. -.IP "\(bu" 4 -The /dev/urandom device. -.PP -With recent (\fBOpenSSL 0.9.5a\fR or later) version of \s-1SSL\s0 it will stop loading -random data automatically when sufficient entropy has been gathered. With -previous versions it will continue to gather from all the above sources since -no \s-1SSL\s0 function exists to tell when enough data is available. -.PP -Note that on Windows machines that do not have console user interaction -(mouse movements, creating windows, etc.) the screen contents are not -variable enough to be sufficient, and you should provide a random file -for use with the \fIRNDfile\fR flag. -.PP -Note that the file specified with the \fIRNDfile\fR flag should contain -random data \*(-- that means it should contain different information -each time \fBstunnel\fR is run. This is handled automatically -unless the \fIRNDoverwrite\fR flag is used. 
If you wish to update this file -manually, the \fIopenssl rand\fR command in recent versions of \fBOpenSSL\fR, -would be useful. -.PP -Important note: If /dev/urandom is available, \fBOpenSSL\fR often seeds the \s-1PRNG\s0 -with it while checking the random state. On systems with /dev/urandom -\&\fBOpenSSL\fR is likely to use it even though it is listed at the very bottom of -the list above. This is the behaviour of \fBOpenSSL\fR and not \fBstunnel\fR. -.SS "\s-1DH\s0 \s-1PARAMETERS\s0" -.IX Subsection "DH PARAMETERS" -Stunnel 4.40 and later contains hardcoded 2048\-bit \s-1DH\s0 parameters. -.PP -It is also possible to specify \s-1DH\s0 parameters in the certificate file: -.PP -.Vb 1 -\& openssl dhparam 2048 >> stunnel.pem -.Ve -.PP -\&\s-1DH\s0 parameter generation may take several minutes. -.SH "FILES" -.IX Header "FILES" -.IP "\fIstunnel.conf\fR" 4 -.IX Item "stunnel.conf" -\&\fBstunnel\fR configuration file -.SH "BUGS" -.IX Header "BUGS" -Option \fIexecargs\fR and Win32 command line does not support quoting. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -.IP "\fItcpd\fR\|(8)" 4 -.IX Item "tcpd" -access control facility for internet services -.IP "\fIinetd\fR\|(8)" 4 -.IX Item "inetd" -internet 'super\-server' -.IP "\fIhttp://www.stunnel.org/\fR" 4 -.IX Item "http://www.stunnel.org/" -\&\fBstunnel\fR homepage -.IP "\fIhttp://www.openssl.org/\fR" 4 -.IX Item "http://www.openssl.org/" -\&\fBOpenSSL\fR project website -.SH "AUTHOR" -.IX Header "AUTHOR" -.IP "Michał Trojnara" 4 -.IX Item "Michał Trojnara" -<\fIMichal.Trojnara@mirt.net\fR> diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in new file mode 100644 index 0000000..e5ac8e6 --- /dev/null +++ b/doc/stunnel.8.in 
@@ -0,0 +1,1395 @@ +.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{ +. if \nF \{ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{ +. nr % 0 +. nr F 2 +. \} +. 
\} +.\} +.rr rF +.\" ======================================================================== +.\" +.IX Title "stunnel 8" +.TH stunnel 8 "2017.04.01" "5.42" "stunnel TLS Proxy" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +stunnel \- TLS offloading and load\-balancing proxy +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.IP "\fBUnix:\fR" 4 +.IX Item "Unix:" +\&\fBstunnel\fR [\s-1FILE\s0] | \-fd N | \-help | \-version | \-sockets | \-options +.IP "\fB\s-1WIN32:\s0\fR" 4 +.IX Item "WIN32:" +\&\fBstunnel\fR [ [ \-install | \-uninstall | \-start | \-stop | + \-reload | \-reopen | \-exit ] [\-quiet] [\s-1FILE\s0] ] | + \-help | \-version | \-sockets | \-options +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBstunnel\fR program is designed to work as \fI\s-1TLS\s0\fR encryption wrapper +between remote clients and local (\fIinetd\fR\-startable) or remote +servers. The concept is that having non-TLS aware daemons running on +your system you can easily set them up to communicate with clients over +secure \fI\s-1TLS\s0\fR channels. +.PP +\&\fBstunnel\fR can be used to add \fI\s-1TLS\s0\fR functionality to commonly used \fIInetd\fR +daemons like \s-1POP\-2, POP\-3,\s0 and \s-1IMAP\s0 servers, to standalone daemons like +\&\s-1NNTP, SMTP\s0 and \s-1HTTP,\s0 and in tunneling \s-1PPP\s0 over network sockets without +changes to the source code. 
+.PP +This product includes cryptographic software written by +Eric Young (eay@cryptsoft.com) +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\s-1FILE\s0\fR" 4 +.IX Item "FILE" +Use specified configuration file +.IP "\fB\-fd N\fR (Unix only)" 4 +.IX Item "-fd N (Unix only)" +Read the config file from specified file descriptor +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print \fBstunnel\fR help menu +.IP "\fB\-version\fR" 4 +.IX Item "-version" +Print \fBstunnel\fR version and compile time defaults +.IP "\fB\-sockets\fR" 4 +.IX Item "-sockets" +Print default socket options +.IP "\fB\-options\fR" 4 +.IX Item "-options" +Print supported \s-1TLS\s0 options +.IP "\fB\-install\fR (Windows \s-1NT\s0 and later only)" 4 +.IX Item "-install (Windows NT and later only)" +Install \s-1NT\s0 Service +.IP "\fB\-uninstall\fR (Windows \s-1NT\s0 and later only)" 4 +.IX Item "-uninstall (Windows NT and later only)" +Uninstall \s-1NT\s0 Service +.IP "\fB\-start\fR (Windows \s-1NT\s0 and later only)" 4 +.IX Item "-start (Windows NT and later only)" +Start \s-1NT\s0 Service +.IP "\fB\-stop\fR (Windows \s-1NT\s0 and later only)" 4 +.IX Item "-stop (Windows NT and later only)" +Stop \s-1NT\s0 Service +.IP "\fB\-reload\fR (Windows \s-1NT\s0 and later only)" 4 +.IX Item "-reload (Windows NT and later only)" +Reload the configuration file of the running \s-1NT\s0 Service +.IP "\fB\-reopen\fR (Windows \s-1NT\s0 and later only)" 4 +.IX Item "-reopen (Windows NT and later only)" +Reopen the log file of the running \s-1NT\s0 Service +.IP "\fB\-exit\fR (Win32 only)" 4 +.IX Item "-exit (Win32 only)" +Exit an already started stunnel +.IP "\fB\-quiet\fR (Win32 only)" 4 +.IX Item "-quiet (Win32 only)" +Don't display any message boxes +.SH "CONFIGURATION FILE" +.IX Header "CONFIGURATION FILE" +Each line of the configuration file can be either: +.IP "\(bu" 4 +An empty line (ignored). +.IP "\(bu" 4 +A comment starting with ';' (ignored). +.IP "\(bu" 4 +An 'option_name = option_value' pair. 
+.IP "\(bu" 4 +\&'[service_name]' indicating a start of a service definition. +.PP +An address parameter of an option may be either: +.IP "\(bu" 4 +A port number. +.IP "\(bu" 4 +A colon-separated pair of \s-1IP\s0 address (either IPv4, IPv6, or domain name) and port number. +.IP "\(bu" 4 +A Unix socket path (Unix only). +.SS "\s-1GLOBAL OPTIONS\s0" +.IX Subsection "GLOBAL OPTIONS" +.IP "\fBchroot\fR = \s-1DIRECTORY \s0(Unix only)" 4 +.IX Item "chroot = DIRECTORY (Unix only)" +directory to chroot \fBstunnel\fR process +.Sp +\&\fBchroot\fR keeps \fBstunnel\fR in a chrooted jail. \fICApath\fR, \fICRLpath\fR, \fIpid\fR +and \fIexec\fR are located inside the jail and the patches have to be relative +to the directory specified with \fBchroot\fR. +.Sp +Several functions of the operating system also need their files to be located within the chroot jail, e.g.: +.RS 4 +.IP "\(bu" 4 +Delayed resolver typically needs /etc/nsswitch.conf and /etc/resolv.conf. +.IP "\(bu" 4 +Local time in log files needs /etc/timezone. +.IP "\(bu" 4 +Some other functions may need devices, e.g. /dev/zero or /dev/null. +.RE +.RS 4 +.RE +.IP "\fBcompression\fR = deflate | zlib" 4 +.IX Item "compression = deflate | zlib" +select data compression algorithm +.Sp +default: no compression +.Sp +Deflate is the standard compression method as described in \s-1RFC 1951.\s0 +.IP "\fBdebug\fR = [\s-1FACILITY.\s0]LEVEL" 4 +.IX Item "debug = [FACILITY.]LEVEL" +debugging level +.Sp +Level is one of the syslog level names or numbers +emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), +info (6), or debug (7). All logs for the specified level and +all levels numerically less than it will be shown. Use \fIdebug = debug\fR or +\&\fIdebug = 7\fR for greatest debugging output. The default is notice (5). +.Sp +The syslog facility 'daemon' will be used unless a facility name is supplied. +(Facilities are not supported on Win32.) +.Sp +Case is ignored for both facilities and levels. 
+.IP "\fB\s-1EGD\s0\fR = \s-1EGD_PATH \s0(Unix only)" 4 +.IX Item "EGD = EGD_PATH (Unix only)" +path to Entropy Gathering Daemon socket +.Sp +Entropy Gathering Daemon socket to use to feed the \fBOpenSSL\fR random number +generator. +.IP "\fBengine\fR = auto | \s-1ENGINE_ID\s0" 4 +.IX Item "engine = auto | ENGINE_ID" +select hardware or software cryptographic engine +.Sp +default: software-only cryptography +.Sp +See Examples section for an engine configuration to use the certificate and the corresponding private key from a cryptographic device. +.IP "\fBengineCtrl\fR = COMMAND[:PARAMETER]" 4 +.IX Item "engineCtrl = COMMAND[:PARAMETER]" +control hardware engine +.IP "\fBengineDefault\fR = \s-1TASK_LIST\s0" 4 +.IX Item "engineDefault = TASK_LIST" +set OpenSSL tasks delegated to the current engine +.Sp +The parameter specifies a comma-separated list of task to be delegated to the +current engine. +.Sp +The following tasks may be available, if supported by the engine: \s-1ALL, RSA, +DSA, ECDH, ECDSA, DH, RAND, CIPHERS, DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1.\s0 +.IP "\fBfips\fR = yes | no" 4 +.IX Item "fips = yes | no" +enable or disable \s-1FIPS 140\-2\s0 mode. +.Sp +This option allows you to disable entering \s-1FIPS\s0 mode if \fBstunnel\fR was compiled +with \s-1FIPS 140\-2\s0 support. +.Sp +default: no (since version 5.00) +.IP "\fBforeground\fR = yes | quiet | no (Unix only)" 4 +.IX Item "foreground = yes | quiet | no (Unix only)" +foreground mode +.Sp +Stay in foreground (don't fork). +.Sp +With the \fIyes\fR parameter it also logs to stderr in addition to +the destinations specified with \fIsyslog\fR and \fIoutput\fR. +.Sp +default: background in daemon mode +.IP "\fBiconActive\fR = \s-1ICON_FILE \s0(\s-1GUI\s0 only)" 4 +.IX Item "iconActive = ICON_FILE (GUI only)" +\&\s-1GUI\s0 icon to be displayed when there are established connections +.Sp +On Windows platform the parameter should be an .ico file containing a 16x16 +pixel image. 
+.IP "\fBiconError\fR = \s-1ICON_FILE \s0(\s-1GUI\s0 only)" 4 +.IX Item "iconError = ICON_FILE (GUI only)" +\&\s-1GUI\s0 icon to be displayed when no valid configuration is loaded +.Sp +On Windows platform the parameter should be an .ico file containing a 16x16 +pixel image. +.IP "\fBiconIdle\fR = \s-1ICON_FILE \s0(\s-1GUI\s0 only)" 4 +.IX Item "iconIdle = ICON_FILE (GUI only)" +\&\s-1GUI\s0 icon to be displayed when there are no established connections +.Sp +On Windows platform the parameter should be an .ico file containing a 16x16 +pixel image. +.IP "\fBlog\fR = append | overwrite" 4 +.IX Item "log = append | overwrite" +log file handling +.Sp +This option allows you to choose whether the log file (specified with the \fIoutput\fR +option) is appended or overwritten when opened or re-opened. +.Sp +default: append +.IP "\fBoutput\fR = \s-1FILE\s0" 4 +.IX Item "output = FILE" +append log messages to a file +.Sp +/dev/stdout device can be used to send log messages to the standard +output (for example to log them with daemontools splogger). +.IP "\fBpid\fR = \s-1FILE \s0(Unix only)" 4 +.IX Item "pid = FILE (Unix only)" +pid file location +.Sp +If the argument is empty, then no pid file will be created. +.Sp +\&\fIpid\fR path is relative to the \fIchroot\fR directory if specified. +.IP "\fBRNDbytes\fR = \s-1BYTES\s0" 4 +.IX Item "RNDbytes = BYTES" +bytes to read from random seed files +.IP "\fBRNDfile\fR = \s-1FILE\s0" 4 +.IX Item "RNDfile = FILE" +path to file with random seed data +.Sp +The OpenSSL library will use data from this file first to seed the random +number generator. +.IP "\fBRNDoverwrite\fR = yes | no" 4 +.IX Item "RNDoverwrite = yes | no" +overwrite the random seed files with new random data +.Sp +default: yes +.IP "\fBservice\fR = \s-1SERVICE \s0(Unix only)" 4 +.IX Item "service = SERVICE (Unix only)" +stunnel service name +.Sp +The specified service name is used for syslog and as the \fIinetd\fR mode service +name for \s-1TCP\s0 Wrappers. 
While this option can technically be specified in the +service sections, it is only useful in global options. +.Sp +default: stunnel +.IP "\fBsocket\fR = a|l|r:OPTION=VALUE[:VALUE]" 4 +.IX Item "socket = a|l|r:OPTION=VALUE[:VALUE]" +Set an option on the accept/local/remote socket +.Sp +The values for the linger option are l_onof:l_linger. +The values for the time are tv_sec:tv_usec. +.Sp +Examples: +.Sp +.Vb 9 +\& socket = l:SO_LINGER=1:60 +\& set one minute timeout for closing local socket +\& socket = r:SO_OOBINLINE=yes +\& place out\-of\-band data directly into the +\& receive data stream for remote sockets +\& socket = a:SO_REUSEADDR=no +\& disable address reuse (enabled by default) +\& socket = a:SO_BINDTODEVICE=lo +\& only accept connections on loopback interface +.Ve +.IP "\fBsyslog\fR = yes | no (Unix only)" 4 +.IX Item "syslog = yes | no (Unix only)" +enable logging via syslog +.Sp +default: yes +.IP "\fBtaskbar\fR = yes | no (\s-1WIN32\s0 only)" 4 +.IX Item "taskbar = yes | no (WIN32 only)" +enable the taskbar icon +.Sp +default: yes +.SS "SERVICE-LEVEL \s-1OPTIONS\s0" +.IX Subsection "SERVICE-LEVEL OPTIONS" +Each configuration section begins with a service name in square brackets. +The service name is used for libwrap (\s-1TCP\s0 Wrappers) access control and lets +you distinguish \fBstunnel\fR services in your log files. +.PP +Note that if you wish to run \fBstunnel\fR in \fIinetd\fR mode (where it +is provided a network socket by a server such as \fIinetd\fR, \fIxinetd\fR, +or \fItcpserver\fR) then you should read the section entitled \fI\s-1INETD MODE\s0\fR +below. +.IP "\fBaccept\fR = [\s-1HOST:\s0]PORT" 4 +.IX Item "accept = [HOST:]PORT" +accept connections on specified address +.Sp +If no host specified, defaults to all IPv4 addresses for the local host. 
+.Sp +To listen on all IPv6 addresses use: +.Sp +.Vb 1 +\& accept = :::PORT +.Ve +.IP "\fBCApath\fR = \s-1DIRECTORY\s0" 4 +.IX Item "CApath = DIRECTORY" +Certificate Authority directory +.Sp +This is the directory in which \fBstunnel\fR will look for certificates when using +the \fIverifyChain\fR or \fIverifyPeer\fR options. Note that the certificates in +this directory should be named \s-1XXXXXXXX.0\s0 where \s-1XXXXXXXX\s0 is the hash value of +the \s-1DER\s0 encoded subject of the cert. +.Sp +The hash algorithm has been changed in \fBOpenSSL 1.0.0\fR. It is required to +c_rehash the directory on upgrade from \fBOpenSSL 0.x.x\fR to \fBOpenSSL 1.x.x\fR. +.Sp +\&\fICApath\fR path is relative to the \fIchroot\fR directory if specified. +.IP "\fBCAfile\fR = \s-1CA_FILE\s0" 4 +.IX Item "CAfile = CA_FILE" +Certificate Authority file +.Sp +This file contains multiple \s-1CA\s0 certificates, to be used with the \fIverifyChain\fR +and \fIverifyPeer\fR options. +.IP "\fBcert\fR = \s-1CERT_FILE\s0" 4 +.IX Item "cert = CERT_FILE" +certificate chain file name +.Sp +The parameter specifies the file containing certificates used by \fBstunnel\fR +to authenticate itself against the remote client or server. +The file should contain the whole certificate chain starting from the actual +server/client certificate, and ending with the self-signed root \s-1CA\s0 certificate. +The file must be either in \s-1PEM\s0 or P12 format. +.Sp +A certificate chain is required in server mode, and optional in client mode. +.Sp +This parameter is also used as the certificate identifier when a hardware +engine is enabled. +.IP "\fBcheckEmail\fR = \s-1EMAIL\s0" 4 +.IX Item "checkEmail = EMAIL" +email address of the peer certificate subject +.Sp +Multiple \fIcheckEmail\fR options are allowed in a single service section. 
+Certificates are accepted if no \fIcheckEmail\fR option was specified, or the +email address of the peer certificate matches any of the email addresses +specified with \fIcheckEmail\fR. +.Sp +This option requires OpenSSL 1.0.2 or later. +.IP "\fBcheckHost\fR = \s-1HOST\s0" 4 +.IX Item "checkHost = HOST" +host of the peer certificate subject +.Sp +Multiple \fIcheckHost\fR options are allowed in a single service section. +Certificates are accepted if no \fIcheckHost\fR option was specified, or the host +name of the peer certificate matches any of the hosts specified with +\&\fIcheckHost\fR. +.Sp +This option requires OpenSSL 1.0.2 or later. +.IP "\fBcheckIP\fR = \s-1IP\s0" 4 +.IX Item "checkIP = IP" +\&\s-1IP\s0 address of the peer certificate subject +.Sp +Multiple \fIcheckIP\fR options are allowed in a single service section. +Certificates are accepted if no \fIcheckIP\fR option was specified, or the \s-1IP\s0 +address of the peer certificate matches any of the \s-1IP\s0 addresses specified with +\&\fIcheckIP\fR. +.Sp +This option requires OpenSSL 1.0.2 or later. +.IP "\fBciphers\fR = \s-1CIPHER_LIST\s0" 4 +.IX Item "ciphers = CIPHER_LIST" +Select permitted \s-1TLS\s0 ciphers +.Sp +A colon-delimited list of the ciphers to allow in the \s-1TLS\s0 connection, +for example \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5.\s0 +.IP "\fBclient\fR = yes | no" 4 +.IX Item "client = yes | no" +client mode (remote service uses \s-1TLS\s0) +.Sp +default: no (server mode) +.IP "\fBconfig\fR = COMMAND[:PARAMETER]" 4 +.IX Item "config = COMMAND[:PARAMETER]" +\&\fBOpenSSL\fR configuration command +.Sp +The \fBOpenSSL\fR configuration command is executed with the specified parameter. +This allows any configuration commands to be invoked from the stunnel +configuration file. Supported commands are described on the +\&\fI\fISSL_CONF_cmd\fI\|(3ssl)\fR manual page. +.Sp +Several \fIconfig\fR lines can be used to specify multiple configuration commands. 
+.Sp +This option requires OpenSSL 1.0.2 or later. +.IP "\fBconnect\fR = [\s-1HOST:\s0]PORT" 4 +.IX Item "connect = [HOST:]PORT" +connect to a remote address +.Sp +If no host is specified, the host defaults to localhost. +.Sp +Multiple \fIconnect\fR options are allowed in a single service section. +.Sp +If host resolves to multiple addresses and/or if multiple \fIconnect\fR +options are specified, then the remote address is chosen using a +round-robin algorithm. +.IP "\fBCRLpath\fR = \s-1DIRECTORY\s0" 4 +.IX Item "CRLpath = DIRECTORY" +Certificate Revocation Lists directory +.Sp +This is the directory in which \fBstunnel\fR will look for CRLs when using the +\&\fIverifyChain\fR and \fIverifyPeer\fR options. Note that the CRLs in this directory +should be named \s-1XXXXXXXX\s0.r0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1CRL.\s0 +.Sp +The hash algorithm has been changed in \fBOpenSSL 1.0.0\fR. It is required to +c_rehash the directory on upgrade from \fBOpenSSL 0.x.x\fR to \fBOpenSSL 1.x.x\fR. +.Sp +\&\fICRLpath\fR path is relative to the \fIchroot\fR directory if specified. +.IP "\fBCRLfile\fR = \s-1CRL_FILE\s0" 4 +.IX Item "CRLfile = CRL_FILE" +Certificate Revocation Lists file +.Sp +This file contains multiple CRLs, used with the \fIverifyChain\fR and +\&\fIverifyPeer\fR options. +.IP "\fBcurve\fR = \s-1NID\s0" 4 +.IX Item "curve = NID" +specify \s-1ECDH\s0 curve name +.Sp +To get a list of supported curves use: +.Sp +.Vb 1 +\& openssl ecparam \-list_curves +.Ve +.Sp +default: prime256v1 +.IP "\fBlogId\fR = \s-1TYPE\s0" 4 +.IX Item "logId = TYPE" +connection identifier type +.Sp +This identifier allows you to distinguish log entries generated for each of the +connections. +.Sp +Currently supported types: +.RS 4 +.IP "\fIsequential\fR" 4 +.IX Item "sequential" +The numeric sequential identifier is only unique within a single instance of +\&\fBstunnel\fR, but very compact. It is most useful for manual log analysis. 
+.IP "\fIunique\fR" 4 +.IX Item "unique" +This alphanumeric identifier is globally unique, but longer than the sequential +number. It is most useful for automated log analysis. +.IP "\fIthread\fR" 4 +.IX Item "thread" +The operating system thread identifier is neither unique (even within a single +instance of \fBstunnel\fR) nor short. It is most useful for debugging software +or configuration issues. +.IP "\fIprocess\fR" 4 +.IX Item "process" +The operating system process identifier (\s-1PID\s0) may be useful in the inetd mode. +.RE +.RS 4 +.Sp +default: sequential +.RE +.IP "\fBdebug\fR = \s-1LEVEL\s0" 4 +.IX Item "debug = LEVEL" +debugging level +.Sp +Level is a one of the syslog level names or numbers +emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), +info (6), or debug (7). All logs for the specified level and +all levels numerically less than it will be shown. Use \fIdebug = debug\fR or +\&\fIdebug = 7\fR for greatest debugging output. The default is notice (5). +.IP "\fBdelay\fR = yes | no" 4 +.IX Item "delay = yes | no" +delay \s-1DNS\s0 lookup for the \fIconnect\fR option +.Sp +This option is useful for dynamic \s-1DNS,\s0 or when \s-1DNS\s0 is not available during +\&\fBstunnel\fR startup (road warrior \s-1VPN,\s0 dial-up configurations). +.Sp +Delayed resolver mode is automatically engaged when stunnel fails to resolve on +startup any of the \fIconnect\fR targets for a service. +.Sp +Delayed resolver inflicts \fIfailover = prio\fR. +.Sp +default: no +.IP "\fBengineId\fR = \s-1ENGINE_ID\s0" 4 +.IX Item "engineId = ENGINE_ID" +select engine \s-1ID\s0 for the service +.IP "\fBengineNum\fR = \s-1ENGINE_NUMBER\s0" 4 +.IX Item "engineNum = ENGINE_NUMBER" +select engine number for the service +.Sp +The engines are numbered starting from 1. +.IP "\fBexec\fR = \s-1EXECUTABLE_PATH\s0" 4 +.IX Item "exec = EXECUTABLE_PATH" +execute a local inetd-type program +.Sp +\&\fIexec\fR path is relative to the \fIchroot\fR directory if specified. 
+.Sp +The following environmental variables are set on Unix platforms: +\&\s-1REMOTE_HOST, REMOTE_PORT, SSL_CLIENT_DN, SSL_CLIENT_I_DN.\s0 +.ie n .IP "\fBexecArgs\fR = $0 $1 $2 ..." 4 +.el .IP "\fBexecArgs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ..." 4 +.IX Item "execArgs = $0 $1 $2 ..." +arguments for \fIexec\fR including the program name ($0) +.Sp +Quoting is currently not supported. +Arguments are separated with an arbitrary amount of whitespace. +.IP "\fBfailover\fR = rr | prio" 4 +.IX Item "failover = rr | prio" +Failover strategy for multiple \*(L"connect\*(R" targets. +.RS 4 +.IP "\fIrr\fR" 4 +.IX Item "rr" +round robin \- fair load distribution +.IP "\fIprio\fR" 4 +.IX Item "prio" +priority \- use the order specified in config file +.RE +.RS 4 +.Sp +default: rr +.RE +.IP "\fBident\fR = \s-1USERNAME\s0" 4 +.IX Item "ident = USERNAME" +use \s-1IDENT \s0(\s-1RFC 1413\s0) username checking +.IP "\fBinclude\fR = \s-1DIRECTORY\s0" 4 +.IX Item "include = DIRECTORY" +include all configuration file parts located in \s-1DIRECTORY\s0 +.Sp +The files are included in the ascending alphabetical order of their names. +.IP "\fBkey\fR = \s-1KEY_FILE\s0" 4 +.IX Item "key = KEY_FILE" +private key for the certificate specified with \fIcert\fR option +.Sp +A private key is needed to authenticate the certificate owner. +Since this file should be kept secret it should only be readable +by its owner. On Unix systems you can use the following command: +.Sp +.Vb 1 +\& chmod 600 keyfile +.Ve +.Sp +This parameter is also used as the private key identifier when a hardware +engine is enabled. +.Sp +default: the value of the \fIcert\fR option +.IP "\fBlibwrap\fR = yes | no" 4 +.IX Item "libwrap = yes | no" +Enable or disable the use of /etc/hosts.allow and /etc/hosts.deny. +.Sp +default: no (since version 5.00) +.IP "\fBlocal\fR = \s-1HOST\s0" 4 +.IX Item "local = HOST" +By default, the \s-1IP\s0 address of the outgoing interface is used as the source for +remote connections. 
Use this option to bind a static local \s-1IP\s0 address instead. +.IP "\fB\s-1OCSP\s0\fR = \s-1URL\s0" 4 +.IX Item "OCSP = URL" +select \s-1OCSP\s0 responder for certificate verification +.IP "\fBOCSPaia\fR = yes | no" 4 +.IX Item "OCSPaia = yes | no" +validate certificates with their \s-1AIA OCSP\s0 responders +.Sp +This option enables \fIstunnel\fR to validate certificates with the list of +\&\s-1OCSP\s0 responder URLs retrieved from their \s-1AIA \s0(Authority Information Access) +extension. +.IP "\fBOCSPflag\fR = \s-1OCSP_FLAG\s0" 4 +.IX Item "OCSPflag = OCSP_FLAG" +specify \s-1OCSP\s0 responder flag +.Sp +Several \fIOCSPflag\fR can be used to specify multiple flags. +.Sp +currently supported flags: \s-1NOCERTS, NOINTERN, NOSIGS, NOCHAIN, NOVERIFY, +NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME\s0 +.IP "\fBOCSPnonce\fR = yes | no" 4 +.IX Item "OCSPnonce = yes | no" +send and verify the \s-1OCSP\s0 nonce extension +.Sp +This option protects the \s-1OCSP\s0 protocol against replay attacks. Due to its +computational overhead, the nonce extension is usually only supported on +internal (e.g. corporate) responders, and not on public \s-1OCSP\s0 responders. +.IP "\fBoptions\fR = \s-1SSL_OPTIONS\s0" 4 +.IX Item "options = SSL_OPTIONS" +\&\fBOpenSSL\fR library options +.Sp +The parameter is the \fBOpenSSL\fR option name as described in the +\&\fI\fISSL_CTX_set_options\fI\|(3ssl)\fR manual, but without \fI\s-1SSL_OP_\s0\fR prefix. +\&\fIstunnel \-options\fR lists the options found to be allowed in the +current combination of \fIstunnel\fR and the \fIOpenSSL\fR library used +to build it. +.Sp +Several \fIoption\fR lines can be used to specify multiple options. +An option name can be prepended with a dash (\*(L"\-\*(R") to disable the option. 
+.Sp +For example, for compatibility with the erroneous Eudora \s-1TLS\s0 +implementation, the following option can be used: +.Sp +.Vb 1 +\& options = DONT_INSERT_EMPTY_FRAGMENTS +.Ve +.Sp +default: +.Sp +.Vb 2 +\& options = NO_SSLv2 +\& options = NO_SSLv3 +.Ve +.IP "\fBprotocol\fR = \s-1PROTO\s0" 4 +.IX Item "protocol = PROTO" +application protocol to negotiate \s-1TLS\s0 +.Sp +This option enables initial, protocol-specific negotiation of the \s-1TLS\s0 +encryption. +The \fIprotocol\fR option should not be used with \s-1TLS\s0 encryption on a separate port. +.Sp +Currently supported protocols: +.RS 4 +.IP "\fIcifs\fR" 4 +.IX Item "cifs" +Proprietary (undocummented) extension of \s-1CIFS\s0 protocol implemented in Samba. +Support for this extension was dropped in Samba 3.0.0. +.IP "\fIconnect\fR" 4 +.IX Item "connect" +Based on \s-1RFC 2817 \- \s0\fIUpgrading to \s-1TLS\s0 Within \s-1HTTP/1.1\s0\fR, section 5.2 \- \fIRequesting a Tunnel with \s-1CONNECT\s0\fR +.Sp +This protocol is only supported in client mode. +.IP "\fIimap\fR" 4 +.IX Item "imap" +Based on \s-1RFC 2595 \- \s0\fIUsing \s-1TLS\s0 with \s-1IMAP, POP3\s0 and \s-1ACAP\s0\fR +.IP "\fInntp\fR" 4 +.IX Item "nntp" +Based on \s-1RFC 4642 \- \s0\fIUsing Transport Layer Security (\s-1TLS\s0) with Network News Transfer Protocol (\s-1NNTP\s0)\fR +.Sp +This protocol is only supported in client mode. +.IP "\fIpgsql\fR" 4 +.IX Item "pgsql" +Based on +\&\fIhttp://www.postgresql.org/docs/8.3/static/protocol\-flow.html#AEN73982\fR +.IP "\fIpop3\fR" 4 +.IX Item "pop3" +Based on \s-1RFC 2449 \- \s0\fI\s-1POP3\s0 Extension Mechanism\fR +.IP "\fIproxy\fR" 4 +.IX Item "proxy" +Haproxy client \s-1IP\s0 address +\&\fIhttp://haproxy.1wt.eu/download/1.5/doc/proxy\-protocol.txt\fR +.IP "\fIsmtp\fR" 4 +.IX Item "smtp" +Based on \s-1RFC 2487 \- \s0\fI\s-1SMTP\s0 Service Extension for Secure \s-1SMTP\s0 over \s-1TLS\s0\fR +.IP "\fIsocks\fR" 4 +.IX Item "socks" +\&\s-1SOCKS\s0 versions 4, 4a, and 5 are supported. 
The \s-1SOCKS\s0 protocol itself +is encapsulated within \s-1TLS\s0 encryption layer to protect the final +destination address. +.Sp +\&\fIhttp://www.openssh.com/txt/socks4.protocol\fR +.Sp +\&\fIhttp://www.openssh.com/txt/socks4a.protocol\fR +.Sp +The \s-1BIND\s0 command of the \s-1SOCKS\s0 protocol is not supported. +The \s-1USERID\s0 parameter is ignored. +.Sp +See Examples section for sample configuration files for \s-1VPN\s0 based on \s-1SOCKS\s0 +encryption. +.RE +.RS 4 +.RE +.IP "\fBprotocolAuthentication\fR = \s-1AUTHENTICATION\s0" 4 +.IX Item "protocolAuthentication = AUTHENTICATION" +authentication type for the protocol negotiations +.Sp +Currently, this option is only supported in the client-side 'connect' and +\&'smtp' protocols. +.Sp +Supported authentication types for the 'connect' protocol are 'basic' or +\&'ntlm'. The default 'connect' authentication type is 'basic'. +.Sp +Supported authentication types for the 'smtp' protocol are 'plain' or 'login'. +The default 'smtp' authentication type is 'plain'. +.IP "\fBprotocolDomain\fR = \s-1DOMAIN\s0" 4 +.IX Item "protocolDomain = DOMAIN" +domain for the protocol negotiations +.Sp +Currently, this option is only supported in the client-side 'connect' protocol. +.IP "\fBprotocolHost\fR = \s-1HOST:PORT\s0" 4 +.IX Item "protocolHost = HOST:PORT" +destination address for the protocol negotiations +.Sp +\&\fIprotocolHost\fR specifies the final \s-1TLS\s0 server to be connected to by the proxy, +and not the proxy server directly connected by \fBstunnel\fR. +The proxy server should be specified with the 'connect' option. +.Sp +Currently the protocol destination address only applies to the 'connect' +protocol. +.IP "\fBprotocolPassword\fR = \s-1PASSWORD\s0" 4 +.IX Item "protocolPassword = PASSWORD" +password for the protocol negotiations +.Sp +Currently, this option is only supported in the client-side 'connect' and +\&'smtp' protocols. 
+.IP "\fBprotocolUsername\fR = \s-1USERNAME\s0" 4 +.IX Item "protocolUsername = USERNAME" +username for the protocol negotiations +.Sp +Currently, this option is only supported in the client-side 'connect' and +\&'smtp' protocols. +.IP "\fBPSKidentity\fR = \s-1IDENTITY\s0" 4 +.IX Item "PSKidentity = IDENTITY" +\&\s-1PSK\s0 identity for the \s-1PSK\s0 client +.Sp +\&\fIPSKidentity\fR can be used on \fBstunnel\fR clients to select the \s-1PSK\s0 identity +used for authentication. This option is ignored in server sections. +.Sp +default: the first identity specified in the \fIPSKsecrets\fR file. +.IP "\fBPSKsecrets\fR = \s-1FILE\s0" 4 +.IX Item "PSKsecrets = FILE" +file with \s-1PSK\s0 identities and corresponding keys +.Sp +Each line of the file in the following format: +.Sp +.Vb 1 +\& IDENTITY:KEY +.Ve +.Sp +The key is required to be at least 20 characters long. +The file should not be world-readable nor world-writable. +.IP "\fBpty\fR = yes | no (Unix only)" 4 +.IX Item "pty = yes | no (Unix only)" +allocate a pseudoterminal for 'exec' option +.IP "\fBredirect\fR = [\s-1HOST:\s0]PORT" 4 +.IX Item "redirect = [HOST:]PORT" +redirect \s-1TLS\s0 client connections on certificate-based authentication failures +.Sp +This option only works in server mode. +Some protocol negotiations are also incompatible with the \fIredirect\fR option. +.IP "\fBrenegotiation\fR = yes | no" 4 +.IX Item "renegotiation = yes | no" +support \s-1TLS\s0 renegotiation +.Sp +Applications of the \s-1TLS\s0 renegotiation include some authentication scenarios, +or re-keying long lasting connections. +.Sp +On the other hand this feature can facilitate a trivial CPU-exhaustion +DoS attack: +.Sp +\&\fIhttp://vincent.bernat.im/en/blog/2011\-ssl\-dos\-mitigation.html\fR +.Sp +Please note that disabling \s-1TLS\s0 renegotiation does not fully mitigate +this issue. 
+.Sp +default: yes (if supported by \fBOpenSSL\fR) +.IP "\fBreset\fR = yes | no" 4 +.IX Item "reset = yes | no" +attempt to use the \s-1TCP RST\s0 flag to indicate an error +.Sp +This option is not supported on some platforms. +.Sp +default: yes +.IP "\fBretry\fR = yes | no" 4 +.IX Item "retry = yes | no" +reconnect a connect+exec section after it was disconnected +.Sp +default: no +.IP "\fBrequireCert\fR = yes | no" 4 +.IX Item "requireCert = yes | no" +require a client certificate for \fIverifyChain\fR or \fIverifyPeer\fR +.Sp +With \fIrequireCert\fR set to \fIno\fR, the \fBstunnel\fR server accepts client +connections that did not present a certificate. +.Sp +Both \fIverifyChain = yes\fR and \fIverifyPeer = yes\fR imply \fIrequireCert = yes\fR. +.Sp +default: no +.IP "\fBsetgid\fR = \s-1GROUP \s0(Unix only)" 4 +.IX Item "setgid = GROUP (Unix only)" +Unix group id +.Sp +As a global option: \fIsetgid()\fR to the specified group in daemon mode and clear all other groups. +.Sp +As a service-level option: set the group of the Unix socket specified with \*(L"accept\*(R". +.IP "\fBsetuid\fR = \s-1USER \s0(Unix only)" 4 +.IX Item "setuid = USER (Unix only)" +Unix user id +.Sp +As a global option: \fIsetuid()\fR to the specified user in daemon mode. +.Sp +As a service-level option: set the owner of the Unix socket specified with \*(L"accept\*(R". +.IP "\fBsessionCacheSize\fR = \s-1NUM_ENTRIES\s0" 4 +.IX Item "sessionCacheSize = NUM_ENTRIES" +session cache size +.Sp +\&\fIsessionCacheSize\fR specifies the maximum number of the internal session cache +entries. +.Sp +The value of 0 can be used for unlimited size. It is not recommended +for production use due to the risk of a memory exhaustion DoS attack. +.IP "\fBsessionCacheTimeout\fR = \s-1TIMEOUT\s0" 4 +.IX Item "sessionCacheTimeout = TIMEOUT" +session cache timeout +.Sp +This is the number of seconds to keep cached \s-1TLS\s0 sessions. 
+.IP "\fBsessiond\fR = \s-1HOST:PORT\s0" 4 +.IX Item "sessiond = HOST:PORT" +address of sessiond \s-1TLS\s0 cache server +.IP "\fBsni\fR = \s-1SERVICE_NAME:SERVER_NAME_PATTERN \s0(server mode)" 4 +.IX Item "sni = SERVICE_NAME:SERVER_NAME_PATTERN (server mode)" +Use the service as a slave service (a name-based virtual server) for Server +Name Indication \s-1TLS\s0 extension (\s-1RFC 3546\s0). +.Sp +\&\fI\s-1SERVICE_NAME\s0\fR specifies the master service that accepts client connections +with the \fIaccept\fR option. \fI\s-1SERVER_NAME_PATTERN\s0\fR specifies the host name to +be redirected. The pattern may start with the '*' character, e.g. +\&'*.example.com'. Multiple slave services are normally specified for a single +master service. The \fIsni\fR option can also be specified more than once within +a single slave service. +.Sp +This service, as well as the master service, may not be configured in client +mode. +.Sp +The \fIconnect\fR option of the slave service is ignored when the \fIprotocol\fR +option is specified, as \fIprotocol\fR connects to the remote host before \s-1TLS\s0 +handshake. +.Sp +Libwrap checks (Unix only) are performed twice: with the master service name +after \s-1TCP\s0 connection is accepted, and with the slave service name during the +\&\s-1TLS\s0 handshake. +.Sp +The \fIsni\fR option is only available when compiled with \fBOpenSSL 1.0.0\fR and +later. +.IP "\fBsni\fR = \s-1SERVER_NAME \s0(client mode)" 4 +.IX Item "sni = SERVER_NAME (client mode)" +Use the parameter as the value of \s-1TLS\s0 Server Name Indication (\s-1RFC 3546\s0) +extension. +.Sp +Empty \s-1SERVER_NAME\s0 disables sending the \s-1SNI\s0 extension. +.Sp +The \fIsni\fR option is only available when compiled with \fBOpenSSL 1.0.0\fR and +later. 
+.IP "\fBsslVersion\fR = \s-1SSL_VERSION\s0" 4 +.IX Item "sslVersion = SSL_VERSION" +select the \s-1TLS\s0 protocol version +.Sp +Supported values: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 +.Sp +Availability of specific protocols depends on the linked OpenSSL library. +Older versions of OpenSSL do not support TLSv1.1 and TLSv1.2. +Newer versions of OpenSSL do not support SSLv2. +.Sp +Obsolete SSLv2 and SSLv3 are currently disabled by default. +See the \fBoptions\fR option documentation for details. +.IP "\fBstack\fR = \s-1BYTES \s0(except for \s-1FORK\s0 model)" 4 +.IX Item "stack = BYTES (except for FORK model)" +thread stack size +.IP "\fBTIMEOUTbusy\fR = \s-1SECONDS\s0" 4 +.IX Item "TIMEOUTbusy = SECONDS" +time to wait for expected data +.IP "\fBTIMEOUTclose\fR = \s-1SECONDS\s0" 4 +.IX Item "TIMEOUTclose = SECONDS" +time to wait for close_notify (set to 0 for buggy \s-1MSIE\s0) +.IP "\fBTIMEOUTconnect\fR = \s-1SECONDS\s0" 4 +.IX Item "TIMEOUTconnect = SECONDS" +time to wait to connect to a remote host +.IP "\fBTIMEOUTidle\fR = \s-1SECONDS\s0" 4 +.IX Item "TIMEOUTidle = SECONDS" +time to keep an idle connection +.IP "\fBtransparent\fR = none | source | destination | both (Unix only)" 4 +.IX Item "transparent = none | source | destination | both (Unix only)" +enable transparent proxy support on selected platforms +.Sp +Supported values: +.RS 4 +.IP "\fInone\fR" 4 +.IX Item "none" +Disable transparent proxy support. This is the default. +.IP "\fIsource\fR" 4 +.IX Item "source" +Re-write the address to appear as if a wrapped daemon is connecting +from the \s-1TLS\s0 client machine instead of the machine running \fBstunnel\fR. +.Sp +This option is currently available in: +.RS 4 +.IP "Remote mode (\fIconnect\fR option) on \fILinux >=2.6.28\fR" 4 +.IX Item "Remote mode (connect option) on Linux >=2.6.28" +This configuration requires \fBstunnel\fR to be executed as root and without +the \fIsetuid\fR option. 
+.Sp +This configuration requires the following setup for iptables and routing +(possibly in /etc/rc.local or equivalent file): +.Sp +.Vb 7 +\& iptables \-t mangle \-N DIVERT +\& iptables \-t mangle \-A PREROUTING \-p tcp \-m socket \-j DIVERT +\& iptables \-t mangle \-A DIVERT \-j MARK \-\-set\-mark 1 +\& iptables \-t mangle \-A DIVERT \-j ACCEPT +\& ip rule add fwmark 1 lookup 100 +\& ip route add local 0.0.0.0/0 dev lo table 100 +\& echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter +.Ve +.Sp +\&\fBstunnel\fR must also to be executed as root and without the \fIsetuid\fR option. +.IP "Remote mode (\fIconnect\fR option) on \fILinux 2.2.x\fR" 4 +.IX Item "Remote mode (connect option) on Linux 2.2.x" +This configuration requires the kernel to be compiled with the \fItransparent proxy\fR +option. +Connected service must be installed on a separate host. +Routing towards the clients has to go through the \fBstunnel\fR box. +.Sp +\&\fBstunnel\fR must also to be executed as root and without the \fIsetuid\fR option. +.IP "Remote mode (\fIconnect\fR option) on \fIFreeBSD >=8.0\fR" 4 +.IX Item "Remote mode (connect option) on FreeBSD >=8.0" +This configuration requires additional firewall and routing setup. +\&\fBstunnel\fR must also to be executed as root and without the \fIsetuid\fR option. +.IP "Local mode (\fIexec\fR option)" 4 +.IX Item "Local mode (exec option)" +This configuration works by pre-loading the \fIlibstunnel.so\fR shared library. +_RLD_LIST environment variable is used on Tru64, and \s-1LD_PRELOAD\s0 variable on +other platforms. +.RE +.RS 4 +.RE +.IP "\fIdestination\fR" 4 +.IX Item "destination" +The original destination is used instead of the \fIconnect\fR option. +.Sp +A service section for transparent destination may look like this: +.Sp +.Vb 4 +\& [transparent] +\& client = yes +\& accept = +\& transparent = destination +.Ve +.Sp +This configuration requires iptables setup to work, +possibly in /etc/rc.local or equivalent file. 
+.Sp +For a connect target installed on the same host: +.Sp +.Vb 3 +\& /sbin/iptables \-t nat \-I OUTPUT \-p tcp \-\-dport \e +\& \-m ! \-\-uid\-owner \e +\& \-j DNAT \-\-to\-destination : +.Ve +.Sp +For a connect target installed on a remote host: +.Sp +.Vb 3 +\& /sbin/iptables \-I INPUT \-i eth0 \-p tcp \-\-dport \-j ACCEPT +\& /sbin/iptables \-t nat \-I PREROUTING \-p tcp \-\-dport \e +\& \-i eth0 \-j DNAT \-\-to\-destination : +.Ve +.Sp +The transparent destination option is currently only supported on Linux. +.IP "\fIboth\fR" 4 +.IX Item "both" +Use both \fIsource\fR and \fIdestination\fR transparent proxy. +.RE +.RS 4 +.Sp +Two legacy options are also supported for backward compatibility: +.IP "\fIyes\fR" 4 +.IX Item "yes" +This option has been renamed to \fIsource\fR. +.IP "\fIno\fR" 4 +.IX Item "no" +This option has been renamed to \fInone\fR. +.RE +.RS 4 +.RE +.IP "\fBverify\fR = \s-1LEVEL\s0" 4 +.IX Item "verify = LEVEL" +verify the peer certificate +.Sp +This option is obsolete and should be replaced with the \fIverifyChain\fR +and \fIverifyPeer\fR options. +.RS 4 +.IP "level 0" 4 +.IX Item "level 0" +Request and ignore the peer certificate. +.IP "level 1" 4 +.IX Item "level 1" +Verify the peer certificate if present. +.IP "level 2" 4 +.IX Item "level 2" +Verify the peer certificate. +.IP "level 3" 4 +.IX Item "level 3" +Verify the peer against a locally installed certificate. +.IP "level 4" 4 +.IX Item "level 4" +Ignore the chain and only verify the peer certificate. +.IP "default" 4 +.IX Item "default" +No verify. +.RE +.RS 4 +.RE +.IP "\fBverifyChain\fR = yes | no" 4 +.IX Item "verifyChain = yes | no" +verify the peer certificate chain starting from the root \s-1CA\s0 +.Sp +For server certificate verification it is essential to also require a specific +certificate with \fIcheckHost\fR or \fIcheckIP\fR. 
+.Sp +The self-signed root \s-1CA\s0 certificate needs to be stored either in the file +specified with \fICAfile\fR, or in the directory specified with \fICApath\fR. +.Sp +default: no +.IP "\fBverifyPeer\fR = yes | no" 4 +.IX Item "verifyPeer = yes | no" +verify the peer certificate +.Sp +The peer certificate needs to be stored either in the file +specified with \fICAfile\fR, or in the directory specified with \fICApath\fR. +.Sp +default: no +.SH "RETURN VALUE" +.IX Header "RETURN VALUE" +\&\fBstunnel\fR returns zero on success, non-zero on error. +.SH "SIGNALS" +.IX Header "SIGNALS" +The following signals can be used to control \fBstunnel\fR in Unix environment: +.IP "\s-1SIGHUP\s0" 4 +.IX Item "SIGHUP" +Force a reload of the configuration file. +.Sp +Some global options will not be reloaded: +.RS 4 +.IP "\(bu" 4 +chroot +.IP "\(bu" 4 +foreground +.IP "\(bu" 4 +pid +.IP "\(bu" 4 +setgid +.IP "\(bu" 4 +setuid +.RE +.RS 4 +.Sp +The use of the 'setuid' option will also prevent \fBstunnel\fR from binding to privileged +(<1024) ports during configuration reloading. +.Sp +When the 'chroot' option is used, \fBstunnel\fR will look for all its files (including +the configuration file, certificates, the log file and the pid file) within the chroot +jail. +.RE +.IP "\s-1SIGUSR1\s0" 4 +.IX Item "SIGUSR1" +Close and reopen the \fBstunnel\fR log file. +This function can be used for log rotation. +.IP "\s-1SIGTERM, SIGQUIT, SIGINT\s0" 4 +.IX Item "SIGTERM, SIGQUIT, SIGINT" +Shut \fBstunnel\fR down. +.PP +The result of sending any other signals to the server is undefined. 
+.SH "EXAMPLES" +.IX Header "EXAMPLES" +In order to provide \s-1TLS\s0 encapsulation to your local \fIimapd\fR service, use: +.PP +.Vb 4 +\& [imapd] +\& accept = 993 +\& exec = /usr/sbin/imapd +\& execArgs = imapd +.Ve +.PP +or in remote mode: +.PP +.Vb 3 +\& [imapd] +\& accept = 993 +\& connect = 143 +.Ve +.PP +In order to let your local e\-mail client connect to a TLS-enabled \fIimapd\fR +service on another server, configure the e\-mail client to connect to localhost +on port 119 and use: +.PP +.Vb 4 +\& [imap] +\& client = yes +\& accept = 143 +\& connect = servername:993 +.Ve +.PP +If you want to provide tunneling to your \fIpppd\fR daemon on port 2020, +use something like: +.PP +.Vb 5 +\& [vpn] +\& accept = 2020 +\& exec = /usr/sbin/pppd +\& execArgs = pppd local +\& pty = yes +.Ve +.PP +If you want to use \fBstunnel\fR in \fIinetd\fR mode to launch your imapd +process, you'd use this \fIstunnel.conf\fR. +Note there must be no \fI[service_name]\fR section. +.PP +.Vb 2 +\& exec = /usr/sbin/imapd +\& execArgs = imapd +.Ve +.PP +To setup \s-1SOCKS VPN\s0 configure the following client service: +.PP +.Vb 6 +\& [socks_client] +\& client = yes +\& accept = 127.0.0.1:1080 +\& connect = vpn_server:9080 +\& verifyPeer = yes +\& CAfile = stunnel.pem +.Ve +.PP +The corresponding configuration on the vpn_server host: +.PP +.Vb 5 +\& [socks_server] +\& protocol = socks +\& accept = 9080 +\& cert = stunnel.pem +\& key = stunnel.key +.Ve +.PP +Now test your configuration on the client machine with: +.PP +.Vb 1 +\& curl \-\-socks4a localhost http://www.example.com/ +.Ve +.PP +An example server mode \s-1SNI\s0 configuration: +.PP +.Vb 5 +\& [virtual] +\& ; master service +\& accept = 443 +\& cert = default.pem +\& connect = default.internal.mydomain.com:8080 +\& +\& [sni1] +\& ; slave service 1 +\& sni = virtual:server1.mydomain.com +\& cert = server1.pem +\& connect = server1.internal.mydomain.com:8081 +\& +\& [sni2] +\& ; slave service 2 +\& sni = 
virtual:server2.mydomain.com +\& cert = server2.pem +\& connect = server2.internal.mydomain.com:8082 +\& verifyPeer = yes +\& CAfile = server2\-allowed\-clients.pem +.Ve +.PP +An example of advanced engine configuration allows for authentication with private keys +stored in the Windows certificate store (Windows only). +With the \s-1CAPI\s0 engine you don't need to manually select the client key to use. +The client key is automatically selected based on the list of CAs trusted by the server. +.PP +.Vb 1 +\& engine = capi +\& +\& [service] +\& engineId = capi +\& client = yes +\& accept = 127.0.0.1:8080 +\& connect = example.com:8443 +.Ve +.PP +An example of advanced engine configuration to use the certificate and the corresponding private key from a pkcs11 engine: +.PP +.Vb 3 +\& engine = pkcs11 +\& engineCtrl = MODULE_PATH:opensc\-pkcs11.so +\& engineCtrl = PIN:123456 +\& +\& [service] +\& engineId = pkcs11 +\& client = yes +\& accept = 127.0.0.1:8080 +\& connect = example.com:843 +\& cert = pkcs11:token=MyToken;object=MyCert +\& key = pkcs11:token=MyToken;object=MyKey +.Ve +.PP +An example of advanced engine configuration to use the certificate and the corresponding private key from a SoftHSM token: +.PP +.Vb 3 +\& engine = pkcs11 +\& engineCtrl = MODULE_PATH:softhsm2.dll +\& engineCtrl = PIN:12345 +\& +\& [service] +\& engineId = pkcs11 +\& client = yes +\& accept = 127.0.0.1:8080 +\& connect = example.com:843 +\& cert = pkcs11:token=MyToken;object=KeyCert +.Ve +.SH "NOTES" +.IX Header "NOTES" +.SS "\s-1RESTRICTIONS\s0" +.IX Subsection "RESTRICTIONS" +\&\fBstunnel\fR cannot be used for the \s-1FTP\s0 daemon because of the nature +of the \s-1FTP\s0 protocol which utilizes multiple ports for data transfers. +There are available TLS-enabled versions of \s-1FTP\s0 and telnet daemons, however. 
+.SS "\s-1INETD MODE\s0" +.IX Subsection "INETD MODE" +The most common use of \fBstunnel\fR is to listen on a network +port and establish communication with either a new port +via the connect option, or a new program via the \fIexec\fR option. +However there is a special case when you wish to have +some other program accept incoming connections and +launch \fBstunnel\fR, for example with \fIinetd\fR, \fIxinetd\fR, +or \fItcpserver\fR. +.PP +For example, if you have the following line in \fIinetd.conf\fR: +.PP +.Vb 1 +\& imaps stream tcp nowait root @bindir@/stunnel stunnel @sysconfdir@/stunnel/imaps.conf +.Ve +.PP +In these cases, the \fIinetd\fR\-style program is responsible +for binding a network socket (\fIimaps\fR above) and handing +it to \fBstunnel\fR when a connection is received. +Thus you do not want \fBstunnel\fR to have any \fIaccept\fR option. +All the \fIService Level Options\fR should be placed in the +global options section, and no \fI[service_name]\fR section +will be present. See the \fI\s-1EXAMPLES\s0\fR section for example +configurations. +.SS "\s-1CERTIFICATES\s0" +.IX Subsection "CERTIFICATES" +Each TLS-enabled daemon needs to present a valid X.509 certificate +to the peer. It also needs a private key to decrypt the incoming +data. The easiest way to obtain a certificate and a key is to +generate them with the free \fBOpenSSL\fR package. You can find more +information on certificates generation on pages listed below. +.PP +The order of contents of the \fI.pem\fR file is important. It should contain the +unencrypted private key first, then a signed certificate (not certificate +request). There should also be empty lines after the certificate and the private key. +Any plaintext certificate information appended on the top of generated certificate +should be discarded. 
So the file should look like this: +.PP +.Vb 8 +\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\- +\& [encoded key] +\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\- +\& [empty line] +\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\- +\& [encoded certificate] +\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\- +\& [empty line] +.Ve +.SS "\s-1RANDOMNESS\s0" +.IX Subsection "RANDOMNESS" +\&\fBstunnel\fR needs to seed the \s-1PRNG \s0(pseudo-random number generator) in +order for \s-1TLS\s0 to use good randomness. The following sources are loaded +in order until sufficient random data has been gathered: +.IP "\(bu" 4 +The file specified with the \fIRNDfile\fR flag. +.IP "\(bu" 4 +The file specified by the \s-1RANDFILE\s0 environment variable, if set. +.IP "\(bu" 4 +The file .rnd in your home directory, if \s-1RANDFILE\s0 not set. +.IP "\(bu" 4 +The file specified with '\-\-with\-random' at compile time. +.IP "\(bu" 4 +The contents of the screen if running on Windows. +.IP "\(bu" 4 +The egd socket specified with the \fI\s-1EGD\s0\fR flag. +.IP "\(bu" 4 +The egd socket specified with '\-\-with\-egd\-sock' at compile time. +.IP "\(bu" 4 +The /dev/urandom device. +.PP +Note that on Windows machines that do not have console user interaction +(mouse movements, creating windows, etc.) the screen contents are not +variable enough to be sufficient, and you should provide a random file +for use with the \fIRNDfile\fR flag. +.PP +Note that the file specified with the \fIRNDfile\fR flag should contain +random data \*(-- that means it should contain different information +each time \fBstunnel\fR is run. This is handled automatically +unless the \fIRNDoverwrite\fR flag is used. If you wish to update this file +manually, the \fIopenssl rand\fR command in recent versions of \fBOpenSSL\fR, +would be useful. +.PP +Important note: If /dev/urandom is available, \fBOpenSSL\fR often seeds the \s-1PRNG\s0 +with it while checking the random state. 
On systems with /dev/urandom +\&\fBOpenSSL\fR is likely to use it even though it is listed at the very bottom of +the list above. This is the behaviour of \fBOpenSSL\fR and not \fBstunnel\fR. +.SS "\s-1DH PARAMETERS\s0" +.IX Subsection "DH PARAMETERS" +\&\fBstunnel\fR 4.40 and later contains hardcoded 2048\-bit \s-1DH\s0 parameters. Starting +with \fBstunnel\fR 5.18, these hardcoded \s-1DH\s0 parameters are replaced every 24 hours +with autogenerated temporary \s-1DH\s0 parameters. \s-1DH\s0 parameter generation may take +several minutes. +.PP +Alternatively, it is possible to specify static \s-1DH\s0 parameters in the +certificate file, which disables generating temporary \s-1DH\s0 parameters: +.PP +.Vb 1 +\& openssl dhparam 2048 >> stunnel.pem +.Ve +.SH "FILES" +.IX Header "FILES" +.ie n .IP "\fI\fI@sysconfdir\fI@/stunnel/stunnel.conf\fR" 4 +.el .IP "\fI\f(CI@sysconfdir\fI@/stunnel/stunnel.conf\fR" 4 +.IX Item "@sysconfdir@/stunnel/stunnel.conf" +\&\fBstunnel\fR configuration file +.SH "BUGS" +.IX Header "BUGS" +The \fIexecArgs\fR option and the Win32 command line do not support quoting. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +.IP "\fItcpd\fR\|(8)" 4 +.IX Item "tcpd" +access control facility for internet services +.IP "\fIinetd\fR\|(8)" 4 +.IX Item "inetd" +internet 'super\-server' +.IP "\fIhttp://www.stunnel.org/\fR" 4 +.IX Item "http://www.stunnel.org/" +\&\fBstunnel\fR homepage +.IP "\fIhttp://www.openssl.org/\fR" 4 +.IX Item "http://www.openssl.org/" +\&\fBOpenSSL\fR project website +.SH "AUTHOR" +.IX Header "AUTHOR" +.IP "Michał Trojnara" 4 +.IX Item "Michał Trojnara" +<\fIMichal.Trojnara@stunnel.org\fR> diff --git a/doc/stunnel.fr.8 b/doc/stunnel.fr.8 deleted file mode 100644 index 9ae901a..0000000 --- a/doc/stunnel.fr.8 +++ /dev/null 
@@ -1,574 +0,0 @@ -.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.ie \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. nr % 0 -. rr F -.\} -.el \{\ -. de IX -.. -.\} -.\" ======================================================================== -.\" -.IX Title "STUNNEL.FR 8" -.TH STUNNEL.FR 8 "2013.03.19" "4.56" "stunnel" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH "NOM" -.IX Header "NOM" -stunnel \- tunnel \s-1SSL\s0 universel -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.IP "\fBUnix:\fR" 4 -.IX Item "Unix:" -\&\fBstunnel\fR [fichier] | \-fd [n] | \-help | \-version | \-sockets -.IP "\fB\s-1WIN32:\s0\fR" 4 -.IX Item "WIN32:" -\&\fBstunnel\fR [fichier] | \-install | \-uninstall | \-help | \-version | \-sockets -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -Le programme \fBstunnel\fR est conçu pour fonctionner comme une couche -de chiffrement \fI\s-1SSL\s0\fR entre des clients distants et des serveurs locaux -(\fIinetd\fR\-démarrables) ou distants. Le concept est qu'à partir de daemons -non-SSL présents sur le système, on peut facilement les configurer pour -communiquer avec des clients sur des liens sécurisés \s-1SSL\s0. -.PP -\&\fBstunnel\fR peut être utilisé pour ajouter des fonctionnalités \s-1SSL\s0 à des -daemons classiques \fIInetd\fR tels que les serveurs \s-1POP\-2\s0, \s-1POP\-3\s0 et \s-1IMAP\s0, -à d'autres autonomes tels que \s-1NNTP\s0, \s-1SMTP\s0 et \s-1HTTP\s0, ainsi que pour tunneliser -\&\s-1PPP\s0 sur des sockets réseau sans modification du code source. -.PP -Ce produit inclut du code de chiffrement écrit par -Eric Young (eay@cryptsoft.com) -.SH "OPTIONS" -.IX Header "OPTIONS" -.IP "\fB[fichier]\fR" 4 -.IX Item "[fichier]" -Utilisation du fichier de configuration spécifié. -.IP "\fB\-fd [n]\fR (Unix seulement)" 4 -.IX Item "-fd [n] (Unix seulement)" -Lecture du fichier de configuration depuis le descripteur de -fichier indiqué. -.IP "\fB\-help\fR" 4 -.IX Item "-help" -Affiche le menu d'aide de \fBstunnel\fR. -.IP "\fB\-version\fR" 4 -.IX Item "-version" -Affiche la version de \fBstunnel\fR et les options de compilation. -.IP "\fB\-sockets\fR" 4 -.IX Item "-sockets" -Affiche les options socket par défaut. -.IP "\fB\-install\fR (\s-1NT/2000/XP\s0 seulement)" 4 -.IX Item "-install (NT/2000/XP seulement)" -Installe un service \s-1NT\s0. 
-.IP "\fB\-uninstall\fR (\s-1NT/2000/XP\s0 only)" 4 -.IX Item "-uninstall (NT/2000/XP only)" -Désinstalle un service \s-1NT\s0. -.SH "FICHIER DE CONFIGURATION" -.IX Header "FICHIER DE CONFIGURATION" -Chaque ligne du fichier de configuration peut être soit : -.IP "\(bu" 4 -une ligne vide (ignorée) ; -.IP "\(bu" 4 -un commentaire commençant par « # » (ignoré) ; -.IP "\(bu" 4 -une paire « option = valeur » ; -.IP "\(bu" 4 -« [service_name] » indiquant le début de la définition d'un service ; -.SS "\s-1OPTIONS\s0 \s-1GLOBALES\s0" -.IX Subsection "OPTIONS GLOBALES" -.IP "\fBCApath\fR = répertoire" 4 -.IX Item "CApath = répertoire" -Répertoire des autorités de certification (\s-1CA\s0) -.Sp -C'est le répertoire dans lequel \fBstunnel\fR cherche les certificats si -l'on utilise \fIverify\fR. Les certificats doivent être dénommés selon la -forme \s-1XXXXXXXX\s0.0, où \s-1XXXXXXXX\s0 est la valeur de hachage du certificat. -.Sp -Le cas échéant, le répertoire \fICApath\fR est relatif au répertoire \fIchroot\fR. -.IP "\fBCAfile\fR = fichier" 4 -.IX Item "CAfile = fichier" -Fichier d'autorités de certification -.Sp -Ce fichier, utilisé avec \fIverify\fR, contient plusieurs certificats de \s-1CA\s0. -.IP "\fBcert\fR = fichier" 4 -.IX Item "cert = fichier" -Fichier de chaîne de certificats \s-1PEM\s0 -.Sp -Une \s-1PEM\s0 est toujours nécessaire en mode serveur. -En mode client, cette option utilise cette \s-1PEM\s0 comme une chaîne côté client. -L'utilisation de certificats côté client est optionnelle. Les certificats -doivent être au format \s-1PEM\s0 et triés par ordre de niveau décroissant (\s-1CA\s0 racine -en premier). -.IP "\fBchroot\fR = répertoire (Unix seulement)" 4 -.IX Item "chroot = répertoire (Unix seulement)" -Répertoire de chroot du processus \fBstunnel\fR -.Sp -\&\fBchroot\fR enferme \fBstunnel\fR dans une cellule chroot. 
\fICApath\fR, \fICRLpath\fR, \fIpid\fR -et \fIexec\fR sont situés à l'intérieur de la cellule et les répertoires doivent être -relatifs au répertoire correspondant. -.Sp -Pour que le contrôle de libwrap (wrappeur \s-1TCP\s0) soit effectif dans un environnement -chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et -/etc/hosts.deny). -.IP "\fBciphers\fR = listes de chiffre" 4 -.IX Item "ciphers = listes de chiffre" -Sélection des chiffres \s-1SSL\s0 autorisés -.Sp -Liste délimitée par deux-points (« : ») des chiffres autorisés pour la connexion \s-1SSL\s0. -Exemple : \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0 -.IP "\fBclient\fR = yes | no" 4 -.IX Item "client = yes | no" -Mode client (Le service distant utilise \s-1SSL\s0) -.Sp -Par défaut : no (mode server) -.IP "\fBCRLpath\fR = répertoire" 4 -.IX Item "CRLpath = répertoire" -Répertoire des listes de révocation de certificats (\s-1CRL\s0) -.Sp -C'est le répertoire dans lequel \fBstunnel\fR recherche les \s-1CRL\s0 avec -l'option \fIverify\fR. Les \s-1CRL\s0 doivent être dénommés selon la -forme \s-1XXXXXXXX\s0.0 où \s-1XXXXXXXX\s0 est la valeur de hachage de la \s-1CRL\s0. -.Sp -Le cas échéant, le répertoire \fICRLpath\fR est relatif au répertoire \fIchroot\fR. -.IP "\fBCRLfile\fR = fichier" 4 -.IX Item "CRLfile = fichier" -Fichier de listes de révocation de certificats (\s-1CRL\s0) -.Sp -Ce fichier, utilisé avec \fIverify\fR, contient plusieurs \s-1CRL\s0. -.IP "\fBdebug\fR = [facilité.]niveau" 4 -.IX Item "debug = [facilité.]niveau" -niveau de déverminage -.Sp -Le niveau est un nom ou un numéro conforme à ceux de syslog : -emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), -info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux -numériquement inférieurs seront affichées. \fBdebug = debug\fR ou -\&\fBdebug = 7\fR donneront le maximum d'informations. La valeur par défaut -est notice (5). 
-.Sp -La facilité syslog « daemon » est utilisée, sauf si un autre nom est spécifié -(Win32 ne permet pas l'usage des facilités.) -.Sp -La casse est ignorée, aussi bien pour la facilité que pour le niveau. -.IP "\fB\s-1EGD\s0\fR = chemin (Unix seulement)" 4 -.IX Item "EGD = chemin (Unix seulement)" -Emplacement du socket du daemon de recueil d'entropie (\s-1EGD\s0 \- Entropy Gathering Daemon) -.Sp -Socket \s-1EGD\s0 à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible -seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur). -.IP "\fBforeground\fR = yes | no (Unix seulement)" 4 -.IX Item "foreground = yes | no (Unix seulement)" -Mode avant-plan -.Sp -Reste en avant-plan (sans fork) et dirige la trace sur stderr -au lieu de syslog (sauf si \fBoutput\fR est spécifié). -.Sp -Par défault : arrière\-plan en mode daemon. -.IP "\fBkey\fR = fichier" 4 -.IX Item "key = fichier" -Fichier de clef privée pour le certificat spécifié par \fIcert\fR -.Sp -La clef privée est nécessaire pour authentifier le titulaire du -certificat. -Puisque ce fichier doit rester secret, il ne doit être lisible que -par son propriétaire. Sur les systèmes Unix, on peut utiliser la -commande suivante : -.Sp -.Vb 1 -\& chmod 600 fichier -.Ve -.Sp -Par défault : Valeur de \fIcert\fR -.IP "\fBoptions\fR = Options_SSL" 4 -.IX Item "options = Options_SSL" -Options de la bibliothèque OpenSSL -.Sp -Le paramètre est l'option OpenSSL décrite dans la page de man -\&\fI\fISSL_CTX_set_options\fI\|(3ssl)\fR, débarassée du préfixe \fI\s-1SSL_OP_\s0\fR. -Plusieurs \fIoptions\fR peuvent être spécifiées. -.Sp -Par exemple, pour la compatibilité avec l'implantation \s-1SSL\s0 défaillante -d'Eudora, on peut utiliser : -.Sp -.Vb 1 -\& options = DONT_INSERT_EMPTY_FRAGMENTS -.Ve -.IP "\fBoutput\fR = fichier" 4 -.IX Item "output = fichier" -Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog. 
-.Sp -/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard -(par exemple pour les traiter avec les outils splogger). -.IP "\fBpid\fR = fichier (Unix seulement)" 4 -.IX Item "pid = fichier (Unix seulement)" -Emplacement du fichier pid -.Sp -Si l'argument est vide, aucun fichier ne sera créé. -.Sp -Le cas échéant, le chemin \fIpid\fR est relatif au répertoire \fIchroot\fR. -.IP "\fBRNDbytes\fR = nombre" 4 -.IX Item "RNDbytes = nombre" -Nombre d'octets à lire depuis les fichiers de « sel » aléatoire -.Sp -Avec les \s-1SSL\s0 de version inférieure à 0.9.5a, détermine aussi le nombre -d'octets considérés comme suffisants pour « saler » le \s-1PRNG\s0. Les versions plus -récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire -est suffisant. -.IP "\fBRNDfile\fR = fichier" 4 -.IX Item "RNDfile = fichier" -chemin du fichier de données de « sel » aléatoire -.Sp -La bibliothèque \s-1SSL\s0 utilise prioritairement les données de ce fichier pour -« saler » le générateur d'aléatoire. -.IP "\fBRNDoverwrite\fR = yes | no" 4 -.IX Item "RNDoverwrite = yes | no" -Recouvre les fichiers de « sel » avec de nouvelles données aléatoires. -.Sp -Par défaut : yes -.IP "\fBservice\fR = nom" 4 -.IX Item "service = nom" -Définit le nom de service à utiliser -.Sp -\&\fBSous Unix :\fR nom de service du mode \fIinetd\fR pour la bibliothèque \s-1TCP\s0 Wrapper. 
-.Sp -Par défaut : stunnel -.IP "\fBsession\fR = timeout" 4 -.IX Item "session = timeout" -Timeout du cache de session -.IP "\fBsetgid\fR = nom (Unix seulement)" 4 -.IX Item "setgid = nom (Unix seulement)" -Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés) -.IP "\fBsetuid\fR = nom (Unix seulement)" 4 -.IX Item "setuid = nom (Unix seulement)" -Nom d'utilisateur utilisé en mode daemon -.IP "\fBsocket\fR = a|l|r:option=valeur[:valeur]" 4 -.IX Item "socket = a|l|r:option=valeur[:valeur]" -Configure une option de socket accept (a), locale (l) ou distante (r) -.Sp -Les valeurs de l'option linger sont : l_onof:l_linger. -Les valeurs de l'option time sont : tv_sec:tv_usec. -.Sp -Exemples : -.Sp -.Vb 9 -\& socket = l:SO_LINGER=1:60 -\& définit un délai d\*(Aqune minute pour la clôture des sockets locaux -\& socket = r:SO_OOBINLINE=yes -\& Place directement les données hors\-bande dans le flux de réception -\& des sockets distants -\& socket = a:SO_REUSEADDR=no -\& désactive la réutilisation d\*(Aqadresses (activée par défaut) -\& socket = a:SO_BINDTODEVICE=lo -\& limite l\*(Aqacceptation des connexions sur la seule interface de bouclage -.Ve -.IP "\fBtaskbar\fR = yes | no (\s-1WIN32\s0 seulement)" 4 -.IX Item "taskbar = yes | no (WIN32 seulement)" -active l'icône de la barre de tâches -.Sp -Par défaut : yes -.IP "\fBverify\fR = niveau" 4 -.IX Item "verify = niveau" -Vérifie le certificat du correspondant -.Sp -.Vb 3 -\& niveau 1 \- vérifie le certificat s\*(Aqil est présent -\& niveau 2 \- vérifie le certificat -\& niveau 3 \- contrôle le correspondant avec le certificat local -.Ve -.Sp -Par défaut \- pas de vérification -.SS "\s-1OPTIONS\s0 \s-1DE\s0 \s-1SERVICE\s0" -.IX Subsection "OPTIONS DE SERVICE" -Chaque section de configuration commence par le nom du service entre crochets. 
-Celui-ci est utilisé par le contrôle d'accès de libwrap (\s-1TCP\s0 Wrappers) et sert -à distinguer les services \fBstunnel\fR dans les fichiers de traces. -.PP -Si l'on souhaite utiliser \fBstunnel\fR en mode \fIinetd\fR (lorsqu'un socket lui est -fourni par un serveur comme \fIinetd\fR, \fIxinetd\fR ou \fItcpserver\fR), il faut se -reporter à la section \fI\s-1MODE\s0 \s-1INETD\s0\fR plus bas. -.IP "\fBaccept\fR = [hôte:]port" 4 -.IX Item "accept = [hôte:]port" -Accepte des connexions sur le port spécifié -.Sp -Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses \s-1IP\s0 de -la machine locale. -.IP "\fBconnect\fR = [hôte:]port" 4 -.IX Item "connect = [hôte:]port" -Se connecte au port distant indiqué -.Sp -Par défaut, l'hôte est localhost. -.IP "\fBdelay\fR = yes | no" 4 -.IX Item "delay = yes | no" -Retarde la recherche \s-1DNS\s0 pour l'option « connect » -.IP "\fBexec\fR = chemin_exécutable (Unix seulement)" 4 -.IX Item "exec = chemin_exécutable (Unix seulement)" -Exécute un programme local de type inetd -.Sp -Le cas échéant, le chemin \fIexec\fR est relatif au répertoire \fIchroot\fR. -.ie n .IP "\fBexecargs\fR = $0 $1 $2 ... (Unix seulement)" 4 -.el .IP "\fBexecargs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ... (Unix seulement)" 4 -.IX Item "execargs = $0 $1 $2 ... (Unix seulement)" -Arguments pour \fIexec\fR, y compris le nom du programme ($0) -.Sp -Les quotes ne peuvent actuellement pas être utilisées. -Les arguments sont séparés par un nombre quelconque d'espaces. -.IP "\fBident\fR = nom" 4 -.IX Item "ident = nom" -Applique le contrôle d'identité d'utilisateur \s-1IDENT\s0 (\s-1RFC\s0 1413) -.IP "\fBlocal\fR = hôte" 4 -.IX Item "local = hôte" -Adresse \s-1IP\s0 de l'interface de sortie utilisée pour les connexions distantes. -Cette option permet de relier une adresse statique locale. 
-.IP "\fBprotocol\fR = protocole" 4 -.IX Item "protocol = protocole" -Négocie avec \s-1SSL\s0 selon le protocole indiqué -.Sp -Actuellement gérés : cifs, nntp, pop3, smtp -.IP "\fBpty\fR = yes | no (Unix seulement)" 4 -.IX Item "pty = yes | no (Unix seulement)" -Alloue un pseudo-terminal pour l'option « exec » -.IP "\fBTIMEOUTbusy\fR = secondes" 4 -.IX Item "TIMEOUTbusy = secondes" -Durée d'attente de données -.IP "\fBTIMEOUTclose\fR = secondes" 4 -.IX Item "TIMEOUTclose = secondes" -Durée d'attente du close_notify (mis à 0 pour \s-1MSIE\s0 qui est bogué) -.IP "\fBTIMEOUTidle\fR = secondes" 4 -.IX Item "TIMEOUTidle = secondes" -Durée d'attente sur une connexion inactive -.IP "\fBtransparent\fR = yes | no (Unix seulement)" 4 -.IX Item "transparent = yes | no (Unix seulement)" -Mode mandataire transparent -.Sp -Ré\-écrit les adresses pour qu'elles apparaissent provenir de la -machine client \s-1SSL\s0 plutôt que de celle qui exécute \fBstunnel\fR. -Cette option n'est disponible en mode local (option \fIexec\fR) qu'avec -la bibliothèque partagée LD_PRELOADing env.so shared library et en mode -distant (option \fIconnect\fR) sur les noyaux Linux 2.2 compilés avec -l'option \fItransparent proxy\fR et seulement en mode serveur. Cette -option ne se combine pas au mode mandataire (\fIconnect\fR) sauf si la -route par défaut du client vers la cible passe par l'hôte qui fait -tourner \fBstunnel\fR, qui ne peut être localhost. -.SH "VALEUR DE RETOUR" -.IX Header "VALEUR DE RETOUR" -\&\fBstunnel\fR renvoie zéro en cas de succès, une autre valeur en cas d'erreur. 
-.SH "EXEMPLES" -.IX Header "EXEMPLES" -Pour encapsuler votre service \fIimapd\fR local avec \s-1SSL\s0 : -.PP -.Vb 4 -\& [imapd] -\& accept = 993 -\& exec = /usr/sbin/imapd -\& execargs = imapd -.Ve -.PP -Pour tunneliser un daemon \fIpppd\fR sur le port 2020 : -.PP -.Vb 5 -\& [vpn] -\& accept = 2020 -\& exec = /usr/sbin/pppd -\& execargs = pppd local -\& pty = yes -.Ve -.PP -Configuration de \fIstunnel.conf\fR pour utiliser \fBstunnel\fR en mode \fIinetd\fR -qui lance imapd à son tour (il ne doit pas y avoir de section \fI[service_name]\fR) : -.PP -.Vb 2 -\& exec = /usr/sbin/imapd -\& execargs = imapd -.Ve -.SH "FICHIERS" -.IX Header "FICHIERS" -.IP "\fIstunnel.conf\fR" 4 -.IX Item "stunnel.conf" -Fichier de configuration de \fBstunnel\fR -.IP "\fIstunnel.pem\fR" 4 -.IX Item "stunnel.pem" -Certificat et clef privée de \fBstunnel\fR -.SH "BOGUES" -.IX Header "BOGUES" -L'option \fIexecargs\fR n'admet pas les quotes. -.SH "RESTRICTIONS" -.IX Header "RESTRICTIONS" -\&\fBstunnel\fR ne peut être utilisé pour le daemon \s-1FTP\s0 en raison de la nature -du protocole \s-1FTP\s0 qui utilise des ports multiples pour les transferts de données. -Il existe cependant des versions \s-1SSL\s0 de \s-1FTP\s0 et de telnet. -.SH "NOTES" -.IX Header "NOTES" -.SS "\s-1MODE\s0 \s-1INETD\s0" -.IX Subsection "MODE INETD" -L'utilisation la plus commune de \fBstunnel\fR consiste à écouter un port -réseau et à établir une communication, soit avec un nouveau port -avec l'option \fIconnect\fR, soit avec un programme avec l'option \fIexec\fR. -On peut parfois cependant souhaiter qu'un autre programme reçoive les -connexions entrantes et lance \fBstunnel\fR, par exemple avec \fIinetd\fR, -\&\fIxinetd\fR ou \fItcpserver\fR. 
-.PP -Si, par exemple, la ligne suivante se trouve dans \fIinetd.conf\fR : -.PP -.Vb 1 -\& imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf -.Ve -.PP -Dans ces cas, c'est le programme du genre \fIinetd\fR\-style qui est -responsable de l'établissement de la connexion (\fIimaps\fR ci-dessus) et de passer -celle-ci à \fBstunnel\fR. -Ainsi, \fBstunnel\fR ne doit alors avoir aucune option \fIaccept\fR. -Toutes les \fIoptions de niveau service\fR doivent être placées dans -la section des options globales et aucune section \fI[service_name]\fR ne doit -être présente. Voir la section \fI\s-1EXEMPLES\s0\fR pour des exemples de configurations. -.SS "\s-1CERTIFICATS\s0" -.IX Subsection "CERTIFICATS" -Chaque daemon à propriétés \s-1SSL\s0 doit présenter un certificat X.509 -valide à son interlocuteur. Il a aussi besoin d'une clef privé pour -déchiffrer les données entrantes. La méthode la plus simple pour -obtenir un certificat et une clef est d'engendrer celles-ci avec -le paquetage libre \fIOpenSSL\fR. Plus d'informations sur la génération de -certificats se trouvent dans les pages indiquées plus bas. -.PP -Deux choses importantes lors de la génération de paires certificat-clef -pour \fBstunnel\fR : -.IP "\(bu" 4 -la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen -d'obtenir le mot de passe de l'utilisateur ; pour produire une clef non chiffrée, -ajouter l'option \fI\-nodes\fR à la commande \fBreq\fR de \fIOpenSSL\fR ; -.IP "\(bu" 4 -l'ordre du contenu du fichier \fI.pem\fR est significatif : il doit contenir d'abord -une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat). -Il doit aussi y avoir des lignes vides après le certificat et après la clef privée. 
-L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que -le fichier ait l'allure suivante : -.Sp -.Vb 8 -\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\- -\& [clef encodée] -\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\- -\& [ligne vide] -\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\- -\& [certificat encodé] -\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\- -\& [ligne vide] -.Ve -.SS "\s-1ALEATOIRE\s0" -.IX Subsection "ALEATOIRE" -\&\fBstunnel\fR doit « saler » le générateur de pseudo\-aléatoires \s-1PRNG\s0 (pseudo random -number generator) afin que \s-1SSL\s0 utilise un aléatoire de qualité. Les sources suivantes -sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lue : -.IP "\(bu" 4 -le fichier spécifié par \fIRNDfile\fR ; -.IP "\(bu" 4 -le fichier spécifié par la variable d'environnement \s-1RANDFILE\s0, à défaut -le fichier .rnd du répertoire \f(CW$HOME\fR de l'utilisateur ; -.IP "\(bu" 4 -le fichier spécifié par « \-\-with\-random » lors de la compilation ; -.IP "\(bu" 4 -le contenu de l'écran (MS-Windows seulement) ; -.IP "\(bu" 4 -le socket \s-1EGD\s0 spécifié par \fI\s-1EGD\s0\fR ; -.IP "\(bu" 4 -le socket \s-1EGD\s0 spécifié par « \-\-with\-egd\-sock » lors de la compilation ; -.IP "\(bu" 4 -le périphérique /dev/urandom. -.PP -Avec un OpenSSL récent (>=OpenSSL 0.9.5a) le chargement de données s'arrête -automatiquement lorsqu'un niveau d'entropie suffisant est atteint. -Les versions précédentes continuent à lire toutes les sources puisqu'aucune -fonction \s-1SSL\s0 ne leur permet de savoir que suffisamment de données sont disponibles. -.PP -Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console, -(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est -pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire -par le biais de \fIRNDfile\fR. 
-.PP -Le fichier spécifié par \fIRNDfile\fR doit contenir des informations aléatoires \*(-- -c'est\-à\-dire des informations différentes à chaque lancement de \fBstunnel\fR. -Cela est géré automatiquement sauf si l'option \fIRNDoverwrite\fR est utilisée. -Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la -commande \fIopenssl rand\fR des versions récentes d'OpenSSL sera sans doute utile. -.PP -Note importante : si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser -celui-ci pour « saler » le \s-1PRNG\s0 même lorsqu'il contrôle l'état de l'aléatoire ; -ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable -qu'il soit utilisé s'il est présent. -Ce n'est pas le comportement de \fBstunnel\fR, c'est celui d'OpenSSL. -.SH "VOIR AUSSI" -.IX Header "VOIR AUSSI" -.IP "\fItcpd\fR\|(8)" 4 -.IX Item "tcpd" -Service de contrôle d'accès pour les services internet -.IP "\fIinetd\fR\|(8)" 4 -.IX Item "inetd" -« super-serveur » internet -.IP "\fIhttp://www.stunnel.org/\fR" 4 -.IX Item "http://www.stunnel.org/" -Page de référence de \fBstunnel\fR -.IP "\fIhttp://www.openssl.org/\fR" 4 -.IX Item "http://www.openssl.org/" -Site web du projet OpenSSL -.SH "AUTEUR" -.IX Header "AUTEUR" -.IP "Michał Trojnara" 4 -.IX Item "Michał Trojnara" -<\fIMichal.Trojnara@mirt.net\fR> -.SH "ADAPTATION FRANÇAISE" -.IX Header "ADAPTATION FRANÇAISE" -.IP "Bernard Choppy" 4 -.IX Item "Bernard Choppy" -<\fIchoppy \s-1AT\s0 free \s-1POINT\s0 fr\fR> diff --git a/doc/stunnel.fr.html b/doc/stunnel.fr.html deleted file mode 100644 index 1d29a49..0000000 --- a/doc/stunnel.fr.html +++ /dev/null @@ -1,670 +0,0 @@ - - - - -stunnel.8 - - - - - - - - -
    -

    - - - -
    - - -

    -

    -

    NOM

    -

    stunnel - tunnel SSL universel

    -

    -

    -
    -

    SYNOPSIS

    -
    -
    Unix:
    - -
    -

    stunnel [fichier] | -fd [n] | -help | -version | -sockets

    -
    -
    WIN32:
    - -
    -

    stunnel [fichier] | -install | -uninstall | -help | -version | -sockets

    -
    -
    -

    -

    -
    -

    DESCRIPTION

    -

    Le programme stunnel est conçu pour fonctionner comme une couche -de chiffrement SSL entre des clients distants et des serveurs locaux -(inetd-démarrables) ou distants. Le concept est qu'à partir de daemons -non-SSL présents sur le système, on peut facilement les configurer pour -communiquer avec des clients sur des liens sécurisés SSL.

    -

    stunnel peut être utilisé pour ajouter des fonctionnalités SSL à des -daemons classiques Inetd tels que les serveurs POP-2, POP-3 et IMAP, -à d'autres autonomes tels que NNTP, SMTP et HTTP, ainsi que pour tunneliser -PPP sur des sockets réseau sans modification du code source.

    -

    Ce produit inclut du code de chiffrement écrit par -Eric Young (eay@cryptsoft.com)

    -

    -

    -
    -

    OPTIONS

    -
    -
    [fichier]
    - -
    -

    Utilisation du fichier de configuration spécifié.

    -
    -
    -fd [n] (Unix seulement)
    - -
    -

    Lecture du fichier de configuration depuis le descripteur de -fichier indiqué.

    -
    -
    -help
    - -
    -

    Affiche le menu d'aide de stunnel.

    -
    -
    -version
    - -
    -

    Affiche la version de stunnel et les options de compilation.

    -
    -
    -sockets
    - -
    -

    Affiche les options socket par défaut.

    -
    -
    -install (NT/2000/XP seulement)
    - -
    -

    Installe un service NT.

    -
    -
    -uninstall (NT/2000/XP only)
    - -
    -

    Désinstalle un service NT.

    -
    -
    -

    -

    -
    -

    FICHIER DE CONFIGURATION

    -

    Chaque ligne du fichier de configuration peut être soit :

    -
      -
    • -

      une ligne vide (ignorée) ;

      -
    • -
    • -

      un commentaire commençant par « # » (ignoré) ;

      -
    • -
    • -

      une paire « option = valeur » ;

      -
    • -
    • -

      « [service_name] » indiquant le début de la définition d'un service ;

      -
    • -
    -

    -

    -

    OPTIONS GLOBALES

    -
    -
    CApath = répertoire
    - -
    -

    Répertoire des autorités de certification (CA)

    -

    C'est le répertoire dans lequel stunnel cherche les certificats si -l'on utilise verify. Les certificats doivent être dénommés selon la -forme XXXXXXXX.0, où XXXXXXXX est la valeur de hachage du certificat.

    -

    Le cas échéant, le répertoire CApath est relatif au répertoire chroot.

    -
    -
    CAfile = fichier
    - -
    -

    Fichier d'autorités de certification

    -

    Ce fichier, utilisé avec verify, contient plusieurs certificats de CA.

    -
    -
    cert = fichier
    - -
    -

    Fichier de chaîne de certificats PEM

    -

    Une PEM est toujours nécessaire en mode serveur. -En mode client, cette option utilise cette PEM comme une chaîne côté client. -L'utilisation de certificats côté client est optionnelle. Les certificats -doivent être au format PEM et triés par ordre de niveau décroissant (CA racine -en premier).

    -
    -
    chroot = répertoire (Unix seulement)
    - -
    -

    Répertoire de chroot du processus stunnel

    -

    chroot enferme stunnel dans une cellule chroot. CApath, CRLpath, pid -et exec sont situés à l'intérieur de la cellule et les répertoires doivent être -relatifs au répertoire correspondant.

    -

    Pour que le contrôle de libwrap (wrappeur TCP) soit effectif dans un environnement -chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et -/etc/hosts.deny).

    -
    -
    ciphers = listes de chiffre
    - -
    -

    Sélection des chiffres SSL autorisés

    -

    Liste délimitée par deux-points (« : ») des chiffres autorisés pour la connexion SSL. -Exemple : DES-CBC3-SHA:IDEA-CBC-MD5

    -
    -
    client = yes | no
    - -
    -

    Mode client (Le service distant utilise SSL)

    -

    Par défaut : no (mode server)

    -
    -
    CRLpath = répertoire
    - -
    -

    Répertoire des listes de révocation de certificats (CRL)

    -

    C'est le répertoire dans lequel stunnel recherche les CRL avec -l'option verify. Les CRL doivent être dénommés selon la -forme XXXXXXXX.0 où XXXXXXXX est la valeur de hachage de la CRL.

    -

    Le cas échéant, le répertoire CRLpath est relatif au répertoire chroot.

    -
    -
    CRLfile = fichier
    - -
    -

    Fichier de listes de révocation de certificats (CRL)

    -

    Ce fichier, utilisé avec verify, contient plusieurs CRL.

    -
    -
    debug = [facilité.]niveau
    - -
    -

    niveau de déverminage

    -

    Le niveau est un nom ou un numéro conforme à ceux de syslog : -emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), -info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux -numériquement inférieurs seront affichées. debug = debug ou -debug = 7 donneront le maximum d'informations. La valeur par défaut -est notice (5).

    -

    La facilité syslog « daemon » est utilisée, sauf si un autre nom est spécifié -(Win32 ne permet pas l'usage des facilités.)

    -

    La casse est ignorée, aussi bien pour la facilité que pour le niveau.

    -
    -
    EGD = chemin (Unix seulement)
    - -
    -

    Emplacement du socket du daemon de recueil d'entropie (EGD - Entropy Gathering Daemon)

    -

    Socket EGD à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible -seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur).

    -
    -
    foreground = yes | no (Unix seulement)
    - -
    -

    Mode avant-plan

    -

    Reste en avant-plan (sans fork) et dirige la trace sur stderr -au lieu de syslog (sauf si output est spécifié).

    -

    Par défault : arrière-plan en mode daemon.

    -
    -
    key = fichier
    - -
    -

    Fichier de clef privée pour le certificat spécifié par cert

    -

    La clef privée est nécessaire pour authentifier le titulaire du -certificat. -Puisque ce fichier doit rester secret, il ne doit être lisible que -par son propriétaire. Sur les systèmes Unix, on peut utiliser la -commande suivante :

    -
    -    chmod 600 fichier
    -

    Par défault : Valeur de cert

    -
    -
    options = Options_SSL
    - -
    -

    Options de la bibliothèque OpenSSL

    -

    Le paramètre est l'option OpenSSL décrite dans la page de man -SSL_CTX_set_options(3ssl), débarassée du préfixe SSL_OP_. -Plusieurs options peuvent être spécifiées.

    -

    Par exemple, pour la compatibilité avec l'implantation SSL défaillante -d'Eudora, on peut utiliser :

    -
    -    options = DONT_INSERT_EMPTY_FRAGMENTS
    -
    -
    output = fichier
    - -
    -

    Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.

    -

    /dev/stdout peut être utilisé pour afficher les traces sur la sortie standard -(par exemple pour les traiter avec les outils splogger).

    -
    -
    pid = fichier (Unix seulement)
    - -
    -

    Emplacement du fichier pid

    -

    Si l'argument est vide, aucun fichier ne sera créé.

    -

    Le cas échéant, le chemin pid est relatif au répertoire chroot.

    -
    -
    RNDbytes = nombre
    - -
    -

    Nombre d'octets à lire depuis les fichiers de « sel » aléatoire

    -

    Avec les SSL de version inférieure à 0.9.5a, détermine aussi le nombre -d'octets considérés comme suffisants pour « saler » le PRNG. Les versions plus -récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire -est suffisant.

    -
    -
    RNDfile = fichier
    - -
    -

    chemin du fichier de données de « sel » aléatoire

    -

    La bibliothèque SSL utilise prioritairement les données de ce fichier pour -« saler » le générateur d'aléatoire.

    -
    -
    RNDoverwrite = yes | no
    - -
    -

    Recouvre les fichiers de « sel » avec de nouvelles données aléatoires.

    -

    Par défaut : yes

    -
    -
    service = nom
    - -
    -

    Définit le nom de service à utiliser

    -

    Sous Unix : nom de service du mode inetd pour la bibliothèque TCP Wrapper.

    -

    Par défaut : stunnel

    -
    -
    session = timeout
    - -
    -

    Timeout du cache de session

    -
    -
    setgid = nom (Unix seulement)
    - -
    -

    Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)

    -
    -
    setuid = nom (Unix seulement)
    - -
    -

    Nom d'utilisateur utilisé en mode daemon

    -
    -
    socket = a|l|r:option=valeur[:valeur]
    - -
    -

    Configure une option de socket accept (a), locale (l) ou distante (r)

    -

    Les valeurs de l'option linger sont : l_onof:l_linger. -Les valeurs de l'option time sont : tv_sec:tv_usec.

    -

    Exemples :

    -
    -    socket = l:SO_LINGER=1:60
    -        définit un délai d'une minute pour la clôture des sockets locaux
    -    socket = r:SO_OOBINLINE=yes
    -        Place directement les données hors-bande dans le flux de réception
    -        des sockets distants
    -    socket = a:SO_REUSEADDR=no
    -        désactive la réutilisation d'adresses (activée par défaut)
    -    socket = a:SO_BINDTODEVICE=lo
    -        limite l'acceptation des connexions sur la seule interface de bouclage
    -
    -
    taskbar = yes | no (WIN32 seulement)
    - -
    -

    active l'icône de la barre de tâches

    -

    Par défaut : yes

    -
    -
    verify = niveau
    - -
    -

    Vérifie le certificat du correspondant

    -
    -    niveau 1 - vérifie le certificat s'il est présent
    -    niveau 2 - vérifie le certificat
    -    niveau 3 - contrôle le correspondant avec le certificat local
    -

    Par défaut - pas de vérification

    -
    -
    -

    -

    -

    OPTIONS DE SERVICE

    -

    Chaque section de configuration commence par le nom du service entre crochets. -Celui-ci est utilisé par le contrôle d'accès de libwrap (TCP Wrappers) et sert -à distinguer les services stunnel dans les fichiers de traces.

    -

    Si l'on souhaite utiliser stunnel en mode inetd (lorsqu'un socket lui est -fourni par un serveur comme inetd, xinetd ou tcpserver), il faut se -reporter à la section MODE INETD plus bas.

    -
    -
    accept = [hôte:]port
    - -
    -

    Accepte des connexions sur le port spécifié

    -

    Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses IP de -la machine locale.

    -
    -
    connect = [hôte:]port
    - -
    -

    Se connecte au port distant indiqué

    -

    Par défaut, l'hôte est localhost.

    -
    -
    delay = yes | no
    - -
    -

    Retarde la recherche DNS pour l'option « connect »

    -
    -
    exec = chemin_exécutable (Unix seulement)
    - -
    -

    Exécute un programme local de type inetd

    -

    Le cas échéant, le chemin exec est relatif au répertoire chroot.

    -
    -
    execargs = $0 $1 $2 ... (Unix seulement)
    - -
    -

    Arguments pour exec, y compris le nom du programme ($0)

    -

    Les quotes ne peuvent actuellement pas être utilisées. -Les arguments sont séparés par un nombre quelconque d'espaces.

    -
    -
    ident = nom
    - -
    -

    Applique le contrôle d'identité d'utilisateur IDENT (RFC 1413)

    -
    -
    local = hôte
    - -
    -

    Adresse IP de l'interface de sortie utilisée pour les connexions distantes. -Cette option permet de relier une adresse statique locale.

    -
    -
    protocol = protocole
    - -
    -

    Négocie avec SSL selon le protocole indiqué

    -

    Actuellement gérés : cifs, nntp, pop3, smtp

    -
    -
    pty = yes | no (Unix seulement)
    - -
    -

    Alloue un pseudo-terminal pour l'option « exec »

    -
    -
    TIMEOUTbusy = secondes
    - -
    -

    Durée d'attente de données

    -
    -
    TIMEOUTclose = secondes
    - -
    -

    Durée d'attente du close_notify (mis à 0 pour MSIE qui est bogué)

    -
    -
    TIMEOUTidle = secondes
    - -
    -

    Durée d'attente sur une connexion inactive

    -
    -
    transparent = yes | no (Unix seulement)
    - -
    -

    Mode mandataire transparent

    -

    Ré-écrit les adresses pour qu'elles apparaissent provenir de la -machine client SSL plutôt que de celle qui exécute stunnel. -Cette option n'est disponible en mode local (option exec) qu'avec -la bibliothèque partagée LD_PRELOADing env.so shared library et en mode -distant (option connect) sur les noyaux Linux 2.2 compilés avec -l'option transparent proxy et seulement en mode serveur. Cette -option ne se combine pas au mode mandataire (connect) sauf si la -route par défaut du client vers la cible passe par l'hôte qui fait -tourner stunnel, qui ne peut être localhost.

    -
    -
    -

    -

    -
    -

    VALEUR DE RETOUR

    -

    stunnel renvoie zéro en cas de succès, une autre valeur en cas d'erreur.

    -

    -

    -
    -

    EXEMPLES

    -

    Pour encapsuler votre service imapd local avec SSL :

    -
    -    [imapd]
    -    accept = 993
    -    exec = /usr/sbin/imapd
    -    execargs = imapd
    -

    Pour tunneliser un daemon pppd sur le port 2020 :

    -
    -    [vpn]
    -    accept = 2020
    -    exec = /usr/sbin/pppd
    -    execargs = pppd local
    -    pty = yes
    -

    Configuration de stunnel.conf pour utiliser stunnel en mode inetd -qui lance imapd à son tour (il ne doit pas y avoir de section [service_name]) :

    -
    -    exec = /usr/sbin/imapd
    -    execargs = imapd
    -

    -

    -
    -

    FICHIERS

    -
    -
    stunnel.conf
    - -
    -

    Fichier de configuration de stunnel

    -
    -
    stunnel.pem
    - -
    -

    Certificat et clef privée de stunnel

    -
    -
    -

    -

    -
    -

    BOGUES

    -

    L'option execargs n'admet pas les quotes.

    -

    -

    -
    -

    RESTRICTIONS

    -

    stunnel ne peut être utilisé pour le daemon FTP en raison de la nature -du protocole FTP qui utilise des ports multiples pour les transferts de données. -Il existe cependant des versions SSL de FTP et de telnet.

    -

    -

    -
    -

    NOTES

    -

    -

    -

    MODE INETD

    -

    L'utilisation la plus commune de stunnel consiste à écouter un port -réseau et à établir une communication, soit avec un nouveau port -avec l'option connect, soit avec un programme avec l'option exec. -On peut parfois cependant souhaiter qu'un autre programme reçoive les -connexions entrantes et lance stunnel, par exemple avec inetd, -xinetd ou tcpserver.

    -

    Si, par exemple, la ligne suivante se trouve dans inetd.conf :

    -
    -    imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
    -

    Dans ces cas, c'est le programme du genre inetd-style qui est -responsable de l'établissement de la connexion (imaps ci-dessus) et de passer -celle-ci à stunnel. -Ainsi, stunnel ne doit alors avoir aucune option accept. -Toutes les options de niveau service doivent être placées dans -la section des options globales et aucune section [service_name] ne doit -être présente. Voir la section EXEMPLES pour des exemples de configurations.

    -

    -

    -

    CERTIFICATS

    -

    Chaque daemon à propriétés SSL doit présenter un certificat X.509 -valide à son interlocuteur. Il a aussi besoin d'une clef privé pour -déchiffrer les données entrantes. La méthode la plus simple pour -obtenir un certificat et une clef est d'engendrer celles-ci avec -le paquetage libre OpenSSL. Plus d'informations sur la génération de -certificats se trouvent dans les pages indiquées plus bas.

    -

    Deux choses importantes lors de la génération de paires certificat-clef -pour stunnel :

    -
      -
    • -

      la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen -d'obtenir le mot de passe de l'utilisateur ; pour produire une clef non chiffrée, -ajouter l'option -nodes à la commande req de OpenSSL ;

      -
    • -
    • -

      l'ordre du contenu du fichier .pem est significatif : il doit contenir d'abord -une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat). -Il doit aussi y avoir des lignes vides après le certificat et après la clef privée. -L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que -le fichier ait l'allure suivante :

      -
      -    -----BEGIN RSA PRIVATE KEY-----
      -    [clef encodée]
      -    -----END RSA PRIVATE KEY-----
      -    [ligne vide]
      -    -----BEGIN CERTIFICATE-----
      -    [certificat encodé]
      -    -----END CERTIFICATE-----
      -    [ligne vide]
      -
    • -
    -

    -

    -

    ALEATOIRE

    -

    stunnel doit « saler » le générateur de pseudo-aléatoires PRNG (pseudo random -number generator) afin que SSL utilise un aléatoire de qualité. Les sources suivantes -sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lue :

    -
      -
    • -

      le fichier spécifié par RNDfile ;

      -
    • -
    • -

      le fichier spécifié par la variable d'environnement RANDFILE, à défaut -le fichier .rnd du répertoire $HOME de l'utilisateur ;

      -
    • -
    • -

      le fichier spécifié par « --with-random » lors de la compilation ;

      -
    • -
    • -

      le contenu de l'écran (MS-Windows seulement) ;

      -
    • -
    • -

      le socket EGD spécifié par EGD ;

      -
    • -
    • -

      le socket EGD spécifié par « --with-egd-sock » lors de la compilation ;

      -
    • -
    • -

      le périphérique /dev/urandom.

      -
    • -
    -

    Avec un OpenSSL récent (>=OpenSSL 0.9.5a) le chargement de données s'arrête -automatiquement lorsqu'un niveau d'entropie suffisant est atteint. -Les versions précédentes continuent à lire toutes les sources puisqu'aucune -fonction SSL ne leur permet de savoir que suffisamment de données sont disponibles.

    -

    Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console, -(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est -pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire -par le biais de RNDfile.

    -

    Le fichier spécifié par RNDfile doit contenir des informations aléatoires -- -c'est-à-dire des informations différentes à chaque lancement de stunnel. -Cela est géré automatiquement sauf si l'option RNDoverwrite est utilisée. -Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la -commande openssl rand des versions récentes d'OpenSSL sera sans doute utile.

    -

    Note importante : si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser -celui-ci pour « saler » le PRNG même lorsqu'il contrôle l'état de l'aléatoire ; -ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable -qu'il soit utilisé s'il est présent. -Ce n'est pas le comportement de stunnel, c'est celui d'OpenSSL.

    -

    -

    -
    -

    VOIR AUSSI

    -
    -
    tcpd(8)
    - -
    -

    Service de contrôle d'accès pour les services internet

    -
    -
    inetd(8)
    - -
    -

    « super-serveur » internet

    -
    -
    http://www.stunnel.org/
    - -
    -

    Page de référence de stunnel

    -
    -
    http://www.openssl.org/
    - -
    -

    Site web du projet OpenSSL

    -
    -
    -

    -

    -
    -

    AUTEUR

    -
    -
    Michał Trojnara
    - -
    -

    <Michal.Trojnara@mirt.net>

    -
    -
    -

    -

    -
    -

    ADAPTATION FRANÇAISE

    -
    -
    Bernard Choppy
    - -
    -

    <choppy AT free POINT fr>

    -
    -
    - - - -
diff --git a/doc/stunnel.fr.pod b/doc/stunnel.fr.pod
deleted file mode 100644
index 4a1362a..0000000
--- a/doc/stunnel.fr.pod
+++ /dev/null
@@ -1,636 +0,0 @@ -=head1 NOM - -=encoding utf8 - -stunnel - tunnel SSL universel - -=head1 SYNOPSIS - -=over 4 - -=item B - -B S<[fichier]> | S<-fd [n]> | S<-help> | S<-version> | S<-sockets> - -=item B - -B S<[fichier]> | S<-install> | S<-uninstall> | S<-help> | S<-version> | S<-sockets> - -=back - - -=head1 DESCRIPTION - -Le programme B est conçu pour fonctionner comme une couche -de chiffrement I entre des clients distants et des serveurs locaux -(I-démarrables) ou distants. Le concept est qu'à partir de daemons -non-SSL présents sur le système, on peut facilement les configurer pour -communiquer avec des clients sur des liens sécurisés SSL. - -B peut être utilisé pour ajouter des fonctionnalités SSL à des -daemons classiques I tels que les serveurs POP-2, POP-3 et IMAP, -à d'autres autonomes tels que NNTP, SMTP et HTTP, ainsi que pour tunneliser -PPP sur des sockets réseau sans modification du code source. - -Ce produit inclut du code de chiffrement écrit par -Eric Young (eay@cryptsoft.com) - - -=head1 OPTIONS - -=over 4 - -=item B<[fichier]> - -Utilisation du fichier de configuration spécifié. - -=item B<-fd [n]> (Unix seulement) - -Lecture du fichier de configuration depuis le descripteur de -fichier indiqué. - -=item B<-help> - -Affiche le menu d'aide de B. - -=item B<-version> - -Affiche la version de B et les options de compilation. - -=item B<-sockets> - -Affiche les options socket par défaut. - -=item B<-install> (NT/2000/XP seulement) - -Installe un service NT. - -=item B<-uninstall> (NT/2000/XP only) - -Désinstalle un service NT. 
- -=back - - -=head1 FICHIER DE CONFIGURATION - -Chaque ligne du fichier de configuration peut être soitE: - -=over 4 - -=item * - -une ligne vide (ignorée)E; - -=item * - -un commentaire commençant par «E#E» (ignoré)E; - -=item * - -une paire «Eoption = valeurE»E; - -=item * - -«E[service_name]E» indiquant le début de la définition d'un serviceE; - -=back - -=head2 OPTIONS GLOBALES - -=over 4 - -=item B = répertoire - -Répertoire des autorités de certification (CA) - -C'est le répertoire dans lequel B cherche les certificats si -l'on utilise I. Les certificats doivent être dénommés selon la -forme XXXXXXXX.0, où XXXXXXXX est la valeur de hachage du certificat. - -Le cas échéant, le répertoire I est relatif au répertoire I. - -=item B = fichier - -Fichier d'autorités de certification - -Ce fichier, utilisé avec I, contient plusieurs certificats de CA. - -=item B = fichier - -Fichier de chaîne de certificats PEM - -Une PEM est toujours nécessaire en mode serveur. -En mode client, cette option utilise cette PEM comme une chaîne côté client. -L'utilisation de certificats côté client est optionnelle. Les certificats -doivent être au format PEM et triés par ordre de niveau décroissant (CA racine -en premier). - -=item B = répertoire (Unix seulement) - -Répertoire de chroot du processus B - -B enferme B dans une cellule chroot. I, I, I -et I sont situés à l'intérieur de la cellule et les répertoires doivent être -relatifs au répertoire correspondant. - -Pour que le contrôle de libwrap (wrappeur TCP) soit effectif dans un environnement -chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et -/etc/hosts.deny). - -=item B = listes de chiffre - -Sélection des chiffres SSL autorisés - -Liste délimitée par deux-points («E:E») des chiffres autorisés pour la connexion SSL. 
-ExempleE: DES-CBC3-SHA:IDEA-CBC-MD5 - -=item B = yes | no - -Mode client (Le service distant utilise SSL) - -Par défautE: no (mode server) - -=item B = répertoire - -Répertoire des listes de révocation de certificats (CRL) - -C'est le répertoire dans lequel B recherche les CRL avec -l'option I. Les CRL doivent être dénommés selon la -forme XXXXXXXX.0 où XXXXXXXX est la valeur de hachage de la CRL. - -Le cas échéant, le répertoire I est relatif au répertoire I. - -=item B = fichier - -Fichier de listes de révocation de certificats (CRL) - -Ce fichier, utilisé avec I, contient plusieurs CRL. - -=item B = [facilité.]niveau - -niveau de déverminage - -Le niveau est un nom ou un numéro conforme à ceux de syslogE: -emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), -info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux -numériquement inférieurs seront affichées. B ou -B donneront le maximum d'informations. La valeur par défaut -est notice (5). - -La facilité syslog «EdaemonE» est utilisée, sauf si un autre nom est spécifié -(Win32 ne permet pas l'usage des facilités.) - -La casse est ignorée, aussi bien pour la facilité que pour le niveau. - -=item B = chemin (Unix seulement) - -Emplacement du socket du daemon de recueil d'entropie (EGD - Entropy Gathering Daemon) - -Socket EGD à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible -seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur). - -=item B = yes | no (Unix seulement) - -Mode avant-plan - -Reste en avant-plan (sans fork) et dirige la trace sur stderr -au lieu de syslog (sauf si B est spécifié). - -Par défaultE: arrière-plan en mode daemon. - -=item B = fichier - -Fichier de clef privée pour le certificat spécifié par I - -La clef privée est nécessaire pour authentifier le titulaire du -certificat. -Puisque ce fichier doit rester secret, il ne doit être lisible que -par son propriétaire. 
Sur les systèmes Unix, on peut utiliser la -commande suivanteE: - - chmod 600 fichier - -Par défaultE: Valeur de I - -=item B = Options_SSL - -Options de la bibliothèque OpenSSL - -Le paramètre est l'option OpenSSL décrite dans la page de man -I, débarassée du préfixe I. -Plusieurs I peuvent être spécifiées. - -Par exemple, pour la compatibilité avec l'implantation SSL défaillante -d'Eudora, on peut utiliserE: - - options = DONT_INSERT_EMPTY_FRAGMENTS - -=item B = fichier - -Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog. - -/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard -(par exemple pour les traiter avec les outils splogger). - -=item B = fichier (Unix seulement) - -Emplacement du fichier pid - -Si l'argument est vide, aucun fichier ne sera créé. - -Le cas échéant, le chemin I est relatif au répertoire I. - -=item B = nombre - -Nombre d'octets à lire depuis les fichiers de «EselE» aléatoire - -Avec les SSL de version inférieure à 0.9.5a, détermine aussi le nombre -d'octets considérés comme suffisants pour «EsalerE» le PRNG. Les versions plus -récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire -est suffisant. - -=item B = fichier - -chemin du fichier de données de «EselE» aléatoire - -La bibliothèque SSL utilise prioritairement les données de ce fichier pour -«EsalerE» le générateur d'aléatoire. - -=item B = yes | no - -Recouvre les fichiers de «EselE» avec de nouvelles données aléatoires. - -Par défautE: yes - -=item B = nom - -Définit le nom de service à utiliser - -B:> nom de service du mode I pour la bibliothèque TCP Wrapper. 
- -Par défautE: stunnel - -=item B = timeout - -Timeout du cache de session - -=item B = nom (Unix seulement) - -Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés) - -=item B = nom (Unix seulement) - -Nom d'utilisateur utilisé en mode daemon - -=item B = a|l|r:option=valeur[:valeur] - -Configure une option de socket accept (a), locale (l) ou distante (r) - -Les valeurs de l'option linger sontE: l_onof:l_linger. -Les valeurs de l'option time sontE: tv_sec:tv_usec. - -ExemplesE: - - socket = l:SO_LINGER=1:60 - définit un délai d'une minute pour la clôture des sockets locaux - socket = r:SO_OOBINLINE=yes - Place directement les données hors-bande dans le flux de réception - des sockets distants - socket = a:SO_REUSEADDR=no - désactive la réutilisation d'adresses (activée par défaut) - socket = a:SO_BINDTODEVICE=lo - limite l'acceptation des connexions sur la seule interface de bouclage - -=item B = yes | no (WIN32 seulement) - -active l'icône de la barre de tâches - -Par défautE: yes - -=item B = niveau - -Vérifie le certificat du correspondant - - niveau 1 - vérifie le certificat s'il est présent - niveau 2 - vérifie le certificat - niveau 3 - contrôle le correspondant avec le certificat local - -Par défaut - pas de vérification - -=back - - -=head2 OPTIONS DE SERVICE - -Chaque section de configuration commence par le nom du service entre crochets. -Celui-ci est utilisé par le contrôle d'accès de libwrap (TCP Wrappers) et sert -à distinguer les services B dans les fichiers de traces. - -Si l'on souhaite utiliser B en mode I (lorsqu'un socket lui est -fourni par un serveur comme I, I ou I), il faut se -reporter à la section I plus bas. - - -=over 4 - -=item B = [hôte:]port - -Accepte des connexions sur le port spécifié - -Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses IP de -la machine locale. - -=item B = [hôte:]port - -Se connecte au port distant indiqué - -Par défaut, l'hôte est localhost. 
- -=item B = yes | no - -Retarde la recherche DNS pour l'option «EconnectE» - -=item B = chemin_exécutable (Unix seulement) - -Exécute un programme local de type inetd - -Le cas échéant, le chemin I est relatif au répertoire I. - -=item B = $0 $1 $2 ... (Unix seulement) - -Arguments pour I, y compris le nom du programme ($0) - -Les quotes ne peuvent actuellement pas être utilisées. -Les arguments sont séparés par un nombre quelconque d'espaces. - -=item B = nom - -Applique le contrôle d'identité d'utilisateur IDENT (RFC 1413) - -=item B = hôte - -Adresse IP de l'interface de sortie utilisée pour les connexions distantes. -Cette option permet de relier une adresse statique locale. - -=item B = protocole - -Négocie avec SSL selon le protocole indiqué - -Actuellement gérésE: cifs, nntp, pop3, smtp - -=item B = yes | no (Unix seulement) - -Alloue un pseudo-terminal pour l'option «EexecE» - -=item B = secondes - -Durée d'attente de données - -=item B = secondes - -Durée d'attente du close_notify (mis à 0 pour MSIE qui est bogué) - -=item B = secondes - -Durée d'attente sur une connexion inactive - -=item B = yes | no (Unix seulement) - -Mode mandataire transparent - -Ré-écrit les adresses pour qu'elles apparaissent provenir de la -machine client SSL plutôt que de celle qui exécute B. -Cette option n'est disponible en mode local (option I) qu'avec -la bibliothèque partagée LD_PRELOADing env.so shared library et en mode -distant (option I) sur les noyaux Linux 2.2 compilés avec -l'option I et seulement en mode serveur. Cette -option ne se combine pas au mode mandataire (I) sauf si la -route par défaut du client vers la cible passe par l'hôte qui fait -tourner B, qui ne peut être localhost. - -=back - - -=head1 VALEUR DE RETOUR - -B renvoie zéro en cas de succès, une autre valeur en cas d'erreur. 
- - -=head1 EXEMPLES - -Pour encapsuler votre service I local avec SSLE: - - [imapd] - accept = 993 - exec = /usr/sbin/imapd - execargs = imapd - -Pour tunneliser un daemon I sur le port 2020E: - - [vpn] - accept = 2020 - exec = /usr/sbin/pppd - execargs = pppd local - pty = yes - -Configuration de I pour utiliser B en mode I -qui lance imapd à son tour (il ne doit pas y avoir de section I<[service_name]>)E: - - exec = /usr/sbin/imapd - execargs = imapd - - -=head1 FICHIERS - -=over 4 - -=item F - -Fichier de configuration de B - -=item F - -Certificat et clef privée de B - -=back - - -=head1 BOGUES - -L'option I n'admet pas les quotes. - - -=head1 RESTRICTIONS - -B ne peut être utilisé pour le daemon FTP en raison de la nature -du protocole FTP qui utilise des ports multiples pour les transferts de données. -Il existe cependant des versions SSL de FTP et de telnet. - - -=head1 NOTES - -=head2 MODE INETD - -L'utilisation la plus commune de B consiste à écouter un port -réseau et à établir une communication, soit avec un nouveau port -avec l'option I, soit avec un programme avec l'option I. -On peut parfois cependant souhaiter qu'un autre programme reçoive les -connexions entrantes et lance B, par exemple avec I, -I ou I. - -Si, par exemple, la ligne suivante se trouve dans IE: - - imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf - -Dans ces cas, c'est le programme du genre I-style qui est -responsable de l'établissement de la connexion (I ci-dessus) et de passer -celle-ci à B. -Ainsi, B ne doit alors avoir aucune option I. -Toutes les I doivent être placées dans -la section des options globales et aucune section I<[service_name]> ne doit -être présente. Voir la section I pour des exemples de configurations. - -=head2 CERTIFICATS - -Chaque daemon à propriétés SSL doit présenter un certificat X.509 -valide à son interlocuteur. Il a aussi besoin d'une clef privé pour -déchiffrer les données entrantes. 
La méthode la plus simple pour -obtenir un certificat et une clef est d'engendrer celles-ci avec -le paquetage libre I. Plus d'informations sur la génération de -certificats se trouvent dans les pages indiquées plus bas. - -Deux choses importantes lors de la génération de paires certificat-clef -pour BE: - -=over 4 - -=item * - -la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen -d'obtenir le mot de passe de l'utilisateurE; pour produire une clef non chiffrée, -ajouter l'option I<-nodes> à la commande B de IE; - -=item * - -l'ordre du contenu du fichier I<.pem> est significatifE: il doit contenir d'abord -une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat). -Il doit aussi y avoir des lignes vides après le certificat et après la clef privée. -L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que -le fichier ait l'allure suivanteE: - - -----BEGIN RSA PRIVATE KEY----- - [clef encodée] - -----END RSA PRIVATE KEY----- - [ligne vide] - -----BEGIN CERTIFICATE----- - [certificat encodé] - -----END CERTIFICATE----- - [ligne vide] - -=back - -=head2 ALEATOIRE - -B doit «EsalerE» le générateur de pseudo-aléatoires PRNG (pseudo random -number generator) afin que SSL utilise un aléatoire de qualité. Les sources suivantes -sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lueE: - -=over 4 - -=item * - -le fichier spécifié par IE; - -=item * - -le fichier spécifié par la variable d'environnement RANDFILE, à défaut -le fichier .rnd du répertoire $HOME de l'utilisateurE; - -=item * - -le fichier spécifié par «E--with-randomE» lors de la compilationE; - -=item * - -le contenu de l'écran (MS-Windows seulement)E; - -=item * - -le socket EGD spécifié par IE; - -=item * - -le socket EGD spécifié par «E--with-egd-sockE» lors de la compilationE; - -=item * - -le périphérique /dev/urandom. 
- -=back - -Avec un OpenSSL récent (>=OpenSSL 0.9.5a) le chargement de données s'arrête -automatiquement lorsqu'un niveau d'entropie suffisant est atteint. -Les versions précédentes continuent à lire toutes les sources puisqu'aucune -fonction SSL ne leur permet de savoir que suffisamment de données sont disponibles. - -Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console, -(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est -pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire -par le biais de I. - -Le fichier spécifié par I doit contenir des informations aléatoires -- -c'est-à-dire des informations différentes à chaque lancement de B. -Cela est géré automatiquement sauf si l'option I est utilisée. -Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la -commande I des versions récentes d'OpenSSL sera sans doute utile. - -Note importanteE: si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser -celui-ci pour «EsalerE» le PRNG même lorsqu'il contrôle l'état de l'aléatoireE; -ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable -qu'il soit utilisé s'il est présent. -Ce n'est pas le comportement de B, c'est celui d'OpenSSL. - - -=head1 VOIR AUSSI - -=over 4 - -=item L - -Service de contrôle d'accès pour les services internet - -=item L - -«Esuper-serveurE» internet - -=item F - -Page de référence de B - -=item F - -Site web du projet OpenSSL - -=back - - -=head1 AUTEUR - -=over 4 - -=item Michał Trojnara - -> - -=back - -=head1 ADAPTATION FRANÇAISE - -=over 4 - -=item Bernard Choppy - -> - -=back
diff --git a/doc/stunnel.html b/doc/stunnel.html
deleted file mode 100644
index 9eef2c0..0000000
--- a/doc/stunnel.html
+++ /dev/null
@@ -1,1120 +0,0 @@ - - - - -stunnel.8 - - - - - - - - -
    -

    - - - -
    - - -

    -

    -

    NAME

    -

    stunnel - universal SSL tunnel

    -

    -

    -
    -

    SYNOPSIS

    -
    -
    Unix:
    - -
    -

    stunnel [<filename>] | -fd n | -help | -version | -sockets

    -
    -
    WIN32:
    - -
    -

    stunnel [ [-install | -uninstall | -start | -stop] | -exit] - [-quiet] [<filename>] ] | -help | -version | -sockets

    -
    -
    -

    -

    -
    -

    DESCRIPTION

    -

    The stunnel program is designed to work as SSL encryption wrapper -between remote clients and local (inetd-startable) or remote -servers. The concept is that having non-SSL aware daemons running on -your system you can easily set them up to communicate with clients over -secure SSL channels.

    -

    stunnel can be used to add SSL functionality to commonly used Inetd -daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like -NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without -changes to the source code.

    -

    This product includes cryptographic software written by -Eric Young (eay@cryptsoft.com)

    -

    -

    -
    -

    OPTIONS

    -
    -
    <filename>
    - -
    -

    Use specified configuration file

    -
    -
    -fd n (Unix only)
    - -
    -

    Read the config file from specified file descriptor

    -
    -
    -help
    - -
    -

    Print stunnel help menu

    -
    -
    -version
    - -
    -

    Print stunnel version and compile time defaults

    -
    -
    -sockets
    - -
    -

    Print default socket options

    -
    -
    -install (NT/2000/XP only)
    - -
    -

    Install NT Service

    -
    -
    -uninstall (NT/2000/XP only)
    - -
    -

    Uninstall NT Service

    -
    -
    -start (NT/2000/XP only)
    - -
    -

    Start NT Service

    -
    -
    -stop (NT/2000/XP only)
    - -
    -

    Stop NT Service

    -
    -
    -exit (Win32 only)
    - -
    -

    Exit an already started stunnel

    -
    -
    -quiet (NT/2000/XP only)
    - -
    -

    Don't display any message boxes

    -
    -
    -

    -

    -
    -

    CONFIGURATION FILE

    -

    Each line of the configuration file can be either:

    -
      -
    • -

      An empty line (ignored).

      -
    • -
    • -

      A comment starting with ';' (ignored).

      -
    • -
    • -

      An 'option_name = option_value' pair.

      -
    • -
    • -

      '[service_name]' indicating a start of a service definition.

      -
    • -
    -

    An address parameter of an option may be either:

    -
      -
    • -

      A port number.

      -
    • -
    • -

      A colon-separated pair of IP address (either IPv4, IPv6, or domain name) and port number.

      -
    • -
    • -

      A Unix socket path (Unix only).

      -
    • -
    -

    -

    -

    GLOBAL OPTIONS

    -
    -
    chroot = directory (Unix only)
    - -
    -

    directory to chroot stunnel process

    -

    chroot keeps stunnel in chrooted jail. CApath, CRLpath, pid -and exec are located inside the jail and the patches have to be relative -to the directory specified with chroot.

    -

    Several functions of the operating system also need their files to be located within chroot jail, e.g.:

    -
      -
    • -

      Delayed resolver typically needs /etc/nsswitch.conf and /etc/resolv.conf.

      -
    • -
    • -

      Local time in log files needs /etc/timezone.

      -
    • -
    • -

      Some other functions may need devices, e.g. /dev/zero or /dev/null.

      -
    • -
    -
    -
    compression = deflate | zlib | rle
    - -
    -

    select data compression algorithm

    -

    default: no compression

    -

    deflate is the standard compression method as described in RFC 1951.

    -

    zlib compression of OpenSSL 0.9.8 or above is not backward compatible with -OpenSSL 0.9.7.

    -

    rle compression is currently not implemented by the OpenSSL library.

    -
    -
    debug = [facility.]level
    - -
    -

    debugging level

    -

    Level is a one of the syslog level names or numbers -emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), -info (6), or debug (7). All logs for the specified level and -all levels numerically less than it will be shown. Use debug = debug or -debug = 7 for greatest debugging output. The default is notice (5).

    -

    The syslog facility 'daemon' will be used unless a facility name is supplied. -(Facilities are not supported on Win32.)

    -

    Case is ignored for both facilities and levels.

    -
    -
    EGD = egd path (Unix only)
    - -
    -

    path to Entropy Gathering Daemon socket

    -

    Entropy Gathering Daemon socket to use to feed OpenSSL random number -generator. (Available only if compiled with OpenSSL 0.9.5a or higher)

    -
    -
    engine = auto | <engine id>
    - -
    -

    select hardware engine

    -

    default: software-only cryptography

    -

    Here is an example of advanced engine configuration to read private key from an -OpenSC engine

    -
    -    engine=dynamic
    -    engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so
    -    engineCtrl=ID:pkcs11
    -    engineCtrl=LIST_ADD:1
    -    engineCtrl=LOAD
    -    engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
    -    engineCtrl=INIT
    -
    -    [service]
    -    engineNum=1
    -    key=id_45
    -
    -
    engineCtrl = command[:parameter]
    - -
    -

    control hardware engine

    -

    Special commands "LOAD" and "INIT" can be used to load and initialize the -engine cryptogaphic module.

    -
    -
    fips = yes | no
    - -
    -

    Enable or disable FIPS 140-2 mode.

    -

    This option allows to disable entering FIPS mode if stunnel was compiled -with FIPS 140-2 support.

    -

    default: yes

    -
    -
    foreground = yes | no (Unix only)
    - -
    -

    foreground mode

    -

    Stay in foreground (don't fork) and log to stderr -instead of via syslog (unless output is specified).

    -

    default: background in daemon mode

    -
    -
    output = file
    - -
    -

    append log messages to a file

    -

    /dev/stdout device can be used to send log messages to the standard -output (for example to log them with daemontools splogger).

    -
    -
    pid = file (Unix only)
    - -
    -

    pid file location

    -

    If the argument is empty, then no pid file will be created.

    -

    pid path is relative to chroot directory if specified.

    -
    -
    RNDbytes = bytes
    - -
    -

    bytes to read from random seed files

    -

    Number of bytes of data read from random seed files. With SSL versions less -than 0.9.5a, also determines how many bytes of data are considered -sufficient to seed the PRNG. More recent OpenSSL versions have a builtin -function to determine when sufficient randomness is available.

    -
    -
    RNDfile = file
    - -
    -

    path to file with random seed data

    -

    The SSL library will use data from this file first to seed the random -number generator.

    -
    -
    RNDoverwrite = yes | no
    - -
    -

    overwrite the random seed files with new random data

    -

    default: yes

    -
    -
    service = servicename (Unix only)
    - -
    -

    use specified string as inetd mode service name for TCP Wrapper library

    -

    default: stunnel

    -
    -
    setgid = groupname (Unix only)
    - -
    -

    setgid() to groupname in daemon mode and clears all other groups

    -
    -
    setuid = username (Unix only)
    - -
    -

    setuid() to username in daemon mode

    -
    -
    socket = a|l|r:option=value[:value]
    - -
    -

    Set an option on accept/local/remote socket

    -

    The values for linger option are l_onof:l_linger. -The values for time are tv_sec:tv_usec.

    -

    Examples:

    -
    -    socket = l:SO_LINGER=1:60
    -        set one minute timeout for closing local socket
    -    socket = r:SO_OOBINLINE=yes
    -        place out-of-band data directly into the
    -        receive data stream for remote sockets
    -    socket = a:SO_REUSEADDR=no
    -        disable address reuse (enabled by default)
    -    socket = a:SO_BINDTODEVICE=lo
    -        only accept connections on loopback interface
    -
    -
    syslog = yes | no (Unix only)
    - -
    -

    enable logging via syslog

    -

    default: yes

    -
    -
    taskbar = yes | no (WIN32 only)
    - -
    -

    enable the taskbar icon

    -

    default: yes

    -
    -
    -

    -

    -

    SERVICE-LEVEL OPTIONS

    -

    Each configuration section begins with service name in square brackets. -The service name is used for libwrap (TCP Wrappers) access control and lets -you distinguish stunnel services in your log files.

    -

    Note that if you wish to run stunnel in inetd mode (where it -is provided a network socket by a server such as inetd, xinetd, -or tcpserver) then you should read the section entitled INETD MODE -below.

    -
    -
    accept = address
    - -
    -

    accept connections on specified address

    -

    If no host specified, defaults to all IPv4 addresses for the local host.

    -

    To listen on all IPv6 addresses use:

    -
    -    connect = :::port
    -
    -
    CApath = directory
    - -
    -

    Certificate Authority directory

    -

    This is the directory in which stunnel will look for certificates when using -the verify. Note that the certificates in this directory should be named -XXXXXXXX.0 where XXXXXXXX is the hash value of the DER encoded subject of the -cert.

    -

    The hash algorithm has been changed in OpenSSL 1.0.0. It is required to -c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x.

    -

    CApath path is relative to chroot directory if specified.

    -
    -
    CAfile = certfile
    - -
    -

    Certificate Authority file

    -

    This file contains multiple CA certificates, used with the verify.

    -
    -
    cert = pemfile
    - -
    -

    certificate chain PEM file name

    -

    A PEM is always needed in server mode. -Specifying this flag in client mode will use this certificate chain -as a client side certificate chain. Using client side certs is optional. -The certificates must be in PEM format and must be sorted starting with the -certificate to the highest level (root CA).

    -
    -
    ciphers = cipherlist
    - -
    -

    Select permitted SSL ciphers

    -

    A colon delimited list of the ciphers to allow in the SSL connection. -For example DES-CBC3-SHA:IDEA-CBC-MD5

    -
    -
    client = yes | no
    - -
    -

    client mode (remote service uses SSL)

    -

    default: no (server mode)

    -
    -
    connect = address
    - -
    -

    connect to a remote address

    -

    If no host is specified, the host defaults to localhost.

    -

    Multiple connect options are allowed in a single service section.

    -

    If host resolves to multiple addresses and/or if multiple connect -options are specified, then the remote address is chosen using a -round-robin algorithm.

    -
    -
    CRLpath = directory
    - -
    -

    Certificate Revocation Lists directory

    -

    This is the directory in which stunnel will look for CRLs when -using the verify. Note that the CRLs in this directory should -be named XXXXXXXX.r0 where XXXXXXXX is the hash value of the CRL.

    -

    The hash algorithm has been changed in OpenSSL 1.0.0. It is required to -c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x.

    -

    CRLpath path is relative to chroot directory if specified.

    -
    -
    CRLfile = certfile
    - -
    -

    Certificate Revocation Lists file

    -

    This file contains multiple CRLs, used with the verify.

    -
    -
    curve = nid
    - -
    -

    specify ECDH curve name

    -

    To get a list of supported cuves use:

    -
    -    openssl ecparam -list_curves
    -

    default: prime256v1

    -
    -
    delay = yes | no
    - -
    -

    delay DNS lookup for 'connect' option

    -

    This option is useful for dynamic DNS, or when DNS is not available during -stunnel startup (road warrior VPN, dial-up configurations).

    -
    -
    engineNum = engine number
    - -
    -

    select engine number to read private key

    -

    The engines are numbered starting from 1.

    -
    -
    exec = executable_path
    - -
    -

    execute local inetd-type program

    -

    exec path is relative to chroot directory if specified.

    -
    -
    execargs = $0 $1 $2 ...
    - -
    -

    arguments for exec including program name ($0)

    -

    Quoting is currently not supported. -Arguments are separated with arbitrary number of whitespaces.

    -
    -
    failover = rr | prio
    - -
    -

    Failover strategy for multiple "connect" targets.

    -
    -    rr (round robin) - fair load distribution
    -    prio (priority) - use the order specified in config file
    -

    default: rr

    -
    -
    ident = username
    - -
    -

    use IDENT (RFC 1413) username checking

    -
    -
    key = keyfile
    - -
    -

    private key for certificate specified with cert option

    -

    Private key is needed to authenticate certificate owner. -Since this file should be kept secret it should only be readable -to its owner. On Unix systems you can use the following command:

    -
    -    chmod 600 keyfile
    -

    default: value of cert option

    -
    -
    libwrap = yes | no
    - -
    -

    Enable or disable the use of /etc/hosts.allow and /etc/hosts.deny.

    -

    default: yes

    -
    -
    local = host
    - -
    -

    IP of the outgoing interface is used as source for remote connections. -Use this option to bind a static local IP address, instead.

    -
    -
    sni = service_name:server_name_pattern (server mode)
    - -
    -

    Use the service as a slave service (a name-based virtual server) for Server -Name Indication TLS extension (RFC 3546).

    -

    service_name specifies the master service that accepts client connections -with accept option. server_name_pattern specifies the host name to be -redirected. The pattern may start with '*' character, e.g. '*.example.com'. -Multiple slave services are normally specified for a single master service. -sni option can also be specified more than once within a single slave -service.

    -

    This service, as well as the master service, may not be configured in client -mode.

    -

    connect option of the slave service is ignored when protocol option is -specified, as protocol connects remote host before TLS handshake.

    -

    Libwrap checks (Unix only) are performed twice: with master service name after -TCP connection is accepted, and with slave service name during TLS handshake.

    -

    Option sni is only available when compiled with OpenSSL 1.0.0 and later.

    -
    -
    sni = server_name (client mode)
    - -
    -

    Use the parameter as the value of TLS Server Name Indication (RFC 3546) -extension.

    -

    Option sni is only available when compiled with OpenSSL 1.0.0 and later.

    -
    -
    OCSP = url
    - -
    -

    select OCSP server for certificate verification

    -
    -
    OCSPflag = flag
    - -
    -

    specify OCSP server flag

    -

    Several OCSPflag can be used to specify multiple flags.

    -

    currently supported flags: NOCERTS, NOINTERN NOSIGS, NOCHAIN, NOVERIFY, -NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME

    -
    -
    options = SSL_options
    - -
    -

    OpenSSL library options

    -

    The parameter is the OpenSSL option name as described in the -SSL_CTX_set_options(3ssl) manual, but without SSL_OP_ prefix. -Several options can be used to specify multiple options.

    -

    For example for compatibility with erroneous Eudora SSL implementation -the following option can be used:

    -
    -    options = DONT_INSERT_EMPTY_FRAGMENTS
    -
    -
    protocol = proto
    - -
    -

    application protocol to negotiate SSL

    -

    This option enables initial, protocol-specific negotiation of the SSL/TLS -encryption. -protocol option should not be used with SSL encryption on a separate port.

    -

    Currently supported protocols:

    -
    -
    cifs
    - -
    -

    Proprietary (undocummented) extension of CIFS protocol implemented in Samba. -Support for this extension was dropped in Samba 3.0.0.

    -
    -
    connect
    - -
    -

    Based on RFC 2817 - Upgrading to TLS Within HTTP/1.1, section 5.2 - Requesting a Tunnel with CONNECT

    -

    This protocol is only supported in client mode.

    -
    -
    imap
    - -
    -

    Based on RFC 2595 - Using TLS with IMAP, POP3 and ACAP

    -
    -
    nntp
    - -
    -

    Based on RFC 4642 - Using Transport Layer Security (TLS) with Network News Transfer Protocol (NNTP)

    -

    This protocol is only supported in client mode.

    -
    -
    pgsql
    - -
    -

    Based on http://www.postgresql.org/docs/8.3/static/protocol-flow.html#AEN73982

    -
    -
    pop3
    - -
    -

    Based on RFC 2449 - POP3 Extension Mechanism

    -
    -
    proxy
    - -
    -

    Haproxy client IP address http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt

    -
    -
    smtp
    - -
    -

    Based on RFC 2487 - SMTP Service Extension for Secure SMTP over TLS

    -
    -
    -
    -
    protocolAuthentication = auth_type
    - -
    -

    authentication type for protocol negotiations

    -

    currently supported: basic, NTLM

    -

    Currently authentication type only applies to the 'connect' protocol.

    -

    default: basic

    -
    -
    protocolHost = host:port
    - -
    -

    destination address for protocol negotiations

    -

    protocolHost specifies the final SSL server to be connected by the proxy, -and not the proxy server directly connected by stunnel. -The proxy server should be specified with the 'connect' option.

    -

    Currently protocol destination address only applies to 'connect' protocol.

    -
    -
    protocolPassword = password
    - -
    -

    password for protocol negotiations

    -
    -
    protocolUsername = username
    - -
    -

    username for protocol negotiations

    -
    -
    pty = yes | no (Unix only)
    - -
    -

    allocate pseudo terminal for 'exec' option

    -
    -
    renegotiation = yes | no
    - -
    -

    support SSL renegotiation

    -

    Applications of the SSL renegotiation include some authentication scenarios, -or re-keying long lasting connections.

    -

    On the other hand this feature can facilitate a trivial CPU-exhaustion -DoS attack:

    -

    http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html

    -

    Please note that disabling SSL renegotiation does not fully mitigate -this issue.

    -

    default: yes (if supported by OpenSSL)

    -
    -
    reset = yes | no
    - -
    -

    attempt to use TCP RST flag to indicate an error

    -

    This option is not supported on some platforms.

    -

    default: yes

    -
    -
    retry = yes | no
    - -
    -

    reconnect a connect+exec section after it's disconnected

    -

    default: no

    -
    -
    sessionCacheSize = size
    - -
    -

    session cache size

    -

    sessionCacheSize specifies the maximum number of the internal session cache -entries.

    -

    The value of 0 can be used for unlimited size. It is not recommended -for production use due to the risk of memory exhaustion DoS attack.

    -
    -
    sessionCacheTimeout = timeout
    - -
    -

    session cache timeout

    -

    This is the number of seconds to keep cached SSL sessions.

    -
    -
    sessiond = host:port
    - -
    -

    address of sessiond SSL cache server

    -
    -
    sslVersion = version
    - -
    -

    select version of SSL protocol

    -

    Allowed options: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2

    -
    -
    stack = bytes (except for FORK model)
    - -
    -

    thread stack size

    -
    -
    TIMEOUTbusy = seconds
    - -
    -

    time to wait for expected data

    -
    -
    TIMEOUTclose = seconds
    - -
    -

    time to wait for close_notify (set to 0 for buggy MSIE)

    -
    -
    TIMEOUTconnect = seconds
    - -
    -

    time to wait to connect a remote host

    -
    -
    TIMEOUTidle = seconds
    - -
    -

    time to keep an idle connection

    -
    -
    transparent = none | source | destination | both (Unix only)
    - -
    -

    enable transparent proxy support on selected platforms

    -

    Supported values:

    -
    -
    none
    - -
    -

    Disable transparent proxy support. This is the default.

    -
    -
    source
    - -
    -

    Re-write address to appear as if wrapped daemon is connecting -from the SSL client machine instead of the machine running stunnel.

    -

    This option is currently available in:

    -
    -
    Remote mode (connect option) on Linux >=2.6.28
    - -
    -

    This configuration requires stunnel to be executed as root and without -setuid option.

    -

    This configuration requires the following setup for iptables and routing -(possibly in /etc/rc.local or equivalent file):

    -
    -    iptables -t mangle -N DIVERT
    -    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    -    iptables -t mangle -A DIVERT -j MARK --set-mark 1
    -    iptables -t mangle -A DIVERT -j ACCEPT
    -    ip rule add fwmark 1 lookup 100
    -    ip route add local 0.0.0.0/0 dev lo table 100
    -    echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
    -

    stunnel must also to be executed as root and without setuid option.

    -
    -
    Remote mode (connect option) on Linux 2.2.x
    - -
    -

    This configuration requires kernel to be compiled with transparent proxy -option. -Connected service must be installed on a separate host. -Routing towards the clients has to go through the stunnel box.

    -

    stunnel must also to be executed as root and without setuid option.

    -
    -
    Remote mode (connect option) on FreeBSD >=8.0
    - -
    -

    This configuration requires additional firewall and routing setup. -stunnel must also to be executed as root and without setuid option.

    -
    -
    Local mode (exec option)
    - -
    -

    This configuration works by pre-loading libstunnel.so shared library. -_RLD_LIST environment variable is used on Tru64, and LD_PRELOAD variable on -other platforms.

    -
    -
    -
    -
    destination
    - -
    -

    Original destination is used instead of connect option.

    -

    A service section for transparent destination may look like this:

    -
    -    [transparent]
    -    client=yes
    -    accept=<stunnel_port>
    -    transparent=destination
    -

    This configuration requires the following setup for iptables -(possibly in /etc/rc.local or equivalent file):

    -
    -    /sbin/iptables -I INPUT -i eth0 -p tcp --dport <stunnel_port> -j ACCEPT
    -    /sbin/iptables -t nat -I PREROUTING -i eth0 -p tcp --dport <redirected_port> -j DNAT --to-destination <local_ip>:<stunnel_port>
    -

    Transparent destination option is currently only supported on Linux.

    -
    -
    both
    - -
    -

    Use both source and destination transparent proxy.

    -
    -
    -

    Two legacy options are also supported for backward compatibility:

    -
    -
    yes
    - -
    -

    This options has been renamed to source.

    -
    -
    no
    - -
    -

    This options has been renamed to none.

    -
    -
    -
    -
    verify = level
    - -
    -

    verify peer certificate

    -
    -
    level 0
    - -
    -

    Request and ignore peer certificate.

    -
    -
    level 1
    - -
    -

    Verify peer certificate if present.

    -
    -
    level 2
    - -
    -

    Verify peer certificate.

    -
    -
    level 3
    - -
    -

    Verify peer with locally installed certificate.

    -
    -
    level 4
    - -
    -

    Ignore CA chain and only verify peer certificate.

    -
    -
    default
    - -
    -

    No verify.

    -
    -
    -

    It is important to understand, that this option was solely designed for access -control and not for authorization. Specifically for level 2 every non-revoked -certificate is accepted regardless of its Common Name. For this reason a -dedicated CA should be used with level 2, and not a generic CA commonly used -for webservers. Level 3 is preferred for point-to-point connections.

    -
    -
    -

    -

    -
    -

    RETURN VALUE

    -

    stunnel returns zero on success, non-zero on error.

    -

    -

    -
    -

    SIGNALS

    -

    The following signals can be used to control stunnel in Unix environment:

    -
    -
    SIGHUP
    - -
    -

    Force a reload of the configuration file.

    -

    Some global options will not be reloaded:

    -
      -
    • -

      chroot

      -
    • -
    • -

      foreground

      -
    • -
    • -

      pid

      -
    • -
    • -

      setgid

      -
    • -
    • -

      setuid

      -
    • -
    -

    The use of 'setuid' option will also prevent stunnel from binding privileged -(<1024) ports during configuration reloading.

    -

    When 'chroot' option is used, stunnel will look for all its files (including -configuration file, certificates, log file and pid file) within the chroot -jail.

    -
    -
    SIGUSR1
    - -
    -

    Close and reopen stunnel log file. -This function can be used for log rotation.

    -
    -
    SIGTERM, SIGQUIT, SIGINT
    - -
    -

    Shut stunnel down.

    -
    -
    -

    The result of sending any other signals to the server is undefined.

    -

    -

    -
    -

    EXAMPLES

    -

    In order to provide SSL encapsulation to your local imapd service, use

    -
    -    [imapd]
    -    accept = 993
    -    exec = /usr/sbin/imapd
    -    execargs = imapd
    -

    If you want to provide tunneling to your pppd daemon on port 2020, -use something like

    -
    -    [vpn]
    -    accept = 2020
    -    exec = /usr/sbin/pppd
    -    execargs = pppd local
    -    pty = yes
    -

    If you want to use stunnel in inetd mode to launch your imapd -process, you'd use this stunnel.conf. -Note there must be no [service_name] section.

    -
    -    exec = /usr/sbin/imapd
    -    execargs = imapd
    -

    -

    -
    -

    NOTES

    -

    -

    -

    RESTRICTIONS

    -

    stunnel cannot be used for the FTP daemon because of the nature -of the FTP protocol which utilizes multiple ports for data transfers. -There are available SSL enabled versions of FTP and telnet daemons, however.

    -

    -

    -

    INETD MODE

    -

    The most common use of stunnel is to listen on a network -port and establish communication with either a new port -via the connect option, or a new program via the exec option. -However there is a special case when you wish to have -some other program accept incoming connections and -launch stunnel, for example with inetd, xinetd, -or tcpserver.

    -

    For example, if you have the following line in inetd.conf:

    -
    -    imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
    -

    In these cases, the inetd-style program is responsible -for binding a network socket (imaps above) and handing -it to stunnel when a connection is received. -Thus you do not want stunnel to have any accept option. -All the Service Level Options should be placed in the -global options section, and no [service_name] section -will be present. See the EXAMPLES section for example -configurations.

    -

    -

    -

    CERTIFICATES

    -

    Each SSL enabled daemon needs to present a valid X.509 certificate -to the peer. It also needs a private key to decrypt the incoming -data. The easiest way to obtain a certificate and a key is to -generate them with the free OpenSSL package. You can find more -information on certificates generation on pages listed below.

    -

    The order of contents of the .pem file is important. It should contain the -unencrypted private key first, then a signed certificate (not certificate -request). There should be also empty lines after certificate and private key. -Plaintext certificate information appended on the top of generated certificate -should be discarded. So the file should look like this:

    -
    -    -----BEGIN RSA PRIVATE KEY-----
    -    [encoded key]
    -    -----END RSA PRIVATE KEY-----
    -    [empty line]
    -    -----BEGIN CERTIFICATE-----
    -    [encoded certificate]
    -    -----END CERTIFICATE-----
    -    [empty line]
    -

    -

    -

    RANDOMNESS

    -

    stunnel needs to seed the PRNG (pseudo random number generator) in -order for SSL to use good randomness. The following sources are loaded -in order until sufficient random data has been gathered:

    -
      -
    • -

      The file specified with the RNDfile flag.

      -
    • -
    • -

      The file specified by the RANDFILE environment variable, if set.

      -
    • -
    • -

      The file .rnd in your home directory, if RANDFILE not set.

      -
    • -
    • -

      The file specified with '--with-random' at compile time.

      -
    • -
    • -

      The contents of the screen if running on Windows.

      -
    • -
    • -

      The egd socket specified with the EGD flag.

      -
    • -
    • -

      The egd socket specified with '--with-egd-sock' at compile time.

      -
    • -
    • -

      The /dev/urandom device.

      -
    • -
    -

    With recent (OpenSSL 0.9.5a or later) version of SSL it will stop loading -random data automatically when sufficient entropy has been gathered. With -previous versions it will continue to gather from all the above sources since -no SSL function exists to tell when enough data is available.

    -

    Note that on Windows machines that do not have console user interaction -(mouse movements, creating windows, etc.) the screen contents are not -variable enough to be sufficient, and you should provide a random file -for use with the RNDfile flag.

    -

    Note that the file specified with the RNDfile flag should contain -random data -- that means it should contain different information -each time stunnel is run. This is handled automatically -unless the RNDoverwrite flag is used. If you wish to update this file -manually, the openssl rand command in recent versions of OpenSSL, -would be useful.

    -

    Important note: If /dev/urandom is available, OpenSSL often seeds the PRNG -with it while checking the random state. On systems with /dev/urandom -OpenSSL is likely to use it even though it is listed at the very bottom of -the list above. This is the behaviour of OpenSSL and not stunnel.

    -

    -

    -

    DH PARAMETERS

    -

    Stunnel 4.40 and later contains hardcoded 2048-bit DH parameters.

    -

    It is also possible to specify DH parameters in the certificate file:

    -
    -    openssl dhparam 2048 >> stunnel.pem
    -

    DH parameter generation may take several minutes.

    -

    -

    -
    -

    FILES

    -
    -
    stunnel.conf
    - -
    -

    stunnel configuration file

    -
    -
    -

    -

    -
    -

    BUGS

    -

    Option execargs and Win32 command line does not support quoting.

    -

    -

    -
    -

    SEE ALSO

    -
    -
    tcpd(8)
    - -
    -

    access control facility for internet services

    -
    -
    inetd(8)
    - -
    -

    internet 'super-server'

    -
    -
    http://www.stunnel.org/
    - -
    -

    stunnel homepage

    -
    -
    http://www.openssl.org/
    - -
    -

    OpenSSL project website

    -
    -
    -

    -

    -
    -

    AUTHOR

    -
    -
    Michał Trojnara
    - -
    -

    <Michal.Trojnara@mirt.net>

    -
    -
    - - - -
    diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in
    new file mode 100644
    index 0000000..8aa7ca4
    --- /dev/null
    +++ b/doc/stunnel.html.in
    @@ -0,0 +1,1625 @@
    + + + + +stunnel TLS Proxy + + + + + + + +
    + stunnel TLS Proxy +
    + + + + + +

    NAME

    + +

    stunnel - TLS offloading and load-balancing proxy

    + +

    SYNOPSIS

    + +
    + +
    Unix:
    +
    + +

    stunnel [FILE] | -fd N | -help | -version | -sockets | -options

    + +
    +
    WIN32:
    +
    + +

    stunnel [ [ -install | -uninstall | -start | -stop | -reload | -reopen | -exit ] [-quiet] [FILE] ] | -help | -version | -sockets | -options

    + +
    +
    + +

    DESCRIPTION

    + +

    The stunnel program is designed to work as TLS encryption wrapper between remote clients and local (inetd-startable) or remote servers. The concept is that having non-TLS aware daemons running on your system you can easily set them up to communicate with clients over secure TLS channels.

    + +

    stunnel can be used to add TLS functionality to commonly used Inetd daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without changes to the source code.

    + +

    This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)

    + +

    OPTIONS

    + +
    + +
    FILE
    +
    + +

    Use specified configuration file

    + +
    +
    -fd N (Unix only)
    +
    + +

    Read the config file from specified file descriptor

    + +
    +
    -help
    +
    + +

    Print stunnel help menu

    + +
    +
    -version
    +
    + +

    Print stunnel version and compile time defaults

    + +
    +
    -sockets
    +
    + +

    Print default socket options

    + +
    +
    -options
    +
    + +

    Print supported TLS options

    + +
    +
    -install (Windows NT and later only)
    +
    + +

    Install NT Service

    + +
    +
    -uninstall (Windows NT and later only)
    +
    + +

    Uninstall NT Service

    + +
    +
    -start (Windows NT and later only)
    +
    + +

    Start NT Service

    + +
    +
    -stop (Windows NT and later only)
    +
    + +

    Stop NT Service

    + +
    +
    -reload (Windows NT and later only)
    +
    + +

    Reload the configuration file of the running NT Service

    + +
    +
    -reopen (Windows NT and later only)
    +
    + +

    Reopen the log file of the running NT Service

    + +
    +
    -exit (Win32 only)
    +
    + +

    Exit an already started stunnel

    + +
    +
    -quiet (Win32 only)
    +
    + +

    Don't display any message boxes

    + +
    +
    + +

    CONFIGURATION FILE

    + +

    Each line of the configuration file can be either:

    + +
      + +
    • An empty line (ignored).

      + +
    • +
    • A comment starting with ';' (ignored).

      + +
    • +
    • An 'option_name = option_value' pair.

      + +
    • +
    • '[service_name]' indicating a start of a service definition.

      + +
    • +
    + +

    An address parameter of an option may be either:

    + +
      + +
    • A port number.

      + +
    • +
    • A colon-separated pair of IP address (either IPv4, IPv6, or domain name) and port number.

      + +
    • +
    • A Unix socket path (Unix only).

      + +
    • +
    + +

    GLOBAL OPTIONS

    + +
    + +
    chroot = DIRECTORY (Unix only)
    +
    + +

    directory to chroot stunnel process

    + +

    chroot keeps stunnel in a chrooted jail. CApath, CRLpath, pid and exec are located inside the jail and the patches have to be relative to the directory specified with chroot.

    + +

    Several functions of the operating system also need their files to be located within the chroot jail, e.g.:

    + +
      + +
    • Delayed resolver typically needs /etc/nsswitch.conf and /etc/resolv.conf.

      + +
    • +
    • Local time in log files needs /etc/timezone.

      + +
    • +
    • Some other functions may need devices, e.g. /dev/zero or /dev/null.

      + +
    • +
    + +
    +
    compression = deflate | zlib
    +
    + +

    select data compression algorithm

    + +

    default: no compression

    + +

    Deflate is the standard compression method as described in RFC 1951.

    + +
    +
    debug = [FACILITY.]LEVEL
    +
    + +

    debugging level

    + +

    Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use debug = debug or debug = 7 for greatest debugging output. The default is notice (5).

    + +

    The syslog facility 'daemon' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)

    + +

    Case is ignored for both facilities and levels.

    + +
    +
    EGD = EGD_PATH (Unix only)
    +
    + +

    path to Entropy Gathering Daemon socket

    + +

    Entropy Gathering Daemon socket to use to feed the OpenSSL random number generator.

    + +
    +
    engine = auto | ENGINE_ID
    +
    + +

    select hardware or software cryptographic engine

    + +

    default: software-only cryptography

    + +

    See Examples section for an engine configuration to use the certificate and the corresponding private key from a cryptographic device.

    + +
    +
    engineCtrl = COMMAND[:PARAMETER]
    +
    + +

    control hardware engine

    + +
    +
    engineDefault = TASK_LIST
    +
    + +

    set OpenSSL tasks delegated to the current engine

    + +

    The parameter specifies a comma-separated list of task to be delegated to the current engine.

    + +

    The following tasks may be available, if supported by the engine: ALL, RSA, DSA, ECDH, ECDSA, DH, RAND, CIPHERS, DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1.

    + +
    +
    fips = yes | no
    +
    + +

    enable or disable FIPS 140-2 mode.

    + +

    This option allows you to disable entering FIPS mode if stunnel was compiled with FIPS 140-2 support.

    + +

    default: no (since version 5.00)

    + +
    +
    foreground = yes | quiet | no (Unix only)
    +
    + +

    foreground mode

    + +

    Stay in foreground (don't fork).

    + +

    With the yes parameter it also logs to stderr in addition to the destinations specified with syslog and output.

    + +

    default: background in daemon mode

    + +
    +
    iconActive = ICON_FILE (GUI only)
    +
    + +

    GUI icon to be displayed when there are established connections

    + +

    On Windows platform the parameter should be an .ico file containing a 16x16 pixel image.

    + +
    +
    iconError = ICON_FILE (GUI only)
    +
    + +

    GUI icon to be displayed when no valid configuration is loaded

    + +

    On Windows platform the parameter should be an .ico file containing a 16x16 pixel image.

    + +
    +
    iconIdle = ICON_FILE (GUI only)
    +
    + +

    GUI icon to be displayed when there are no established connections

    + +

    On Windows platform the parameter should be an .ico file containing a 16x16 pixel image.

    + +
    +
    log = append | overwrite
    +
    + +

    log file handling

    + +

    This option allows you to choose whether the log file (specified with the output option) is appended or overwritten when opened or re-opened.

    + +

    default: append

    + +
    +
    output = FILE
    +
    + +

    append log messages to a file

    + +

    /dev/stdout device can be used to send log messages to the standard output (for example to log them with daemontools splogger).

    + +
    +
    pid = FILE (Unix only)
    +
    + +

    pid file location

    + +

    If the argument is empty, then no pid file will be created.

    + +

    pid path is relative to the chroot directory if specified.

    + +
    +
    RNDbytes = BYTES
    +
    + +

    bytes to read from random seed files

    + +
    +
    RNDfile = FILE
    +
    + +

    path to file with random seed data

    + +

    The OpenSSL library will use data from this file first to seed the random number generator.

    + +
    +
    RNDoverwrite = yes | no
    +
    + +

    overwrite the random seed files with new random data

    + +

    default: yes

    + +
    +
    service = SERVICE (Unix only)
    +
    + +

    stunnel service name

    + +

    The specified service name is used for syslog and as the inetd mode service name for TCP Wrappers. While this option can technically be specified in the service sections, it is only useful in global options.

    + +

    default: stunnel

    + +
    +
    socket = a|l|r:OPTION=VALUE[:VALUE]
    +
    + +

    Set an option on the accept/local/remote socket

    + +

    The values for the linger option are l_onof:l_linger. The values for the time are tv_sec:tv_usec.

    + +

    Examples:

    + +
        socket = l:SO_LINGER=1:60
    +        set one minute timeout for closing local socket
    +    socket = r:SO_OOBINLINE=yes
    +        place out-of-band data directly into the
    +        receive data stream for remote sockets
    +    socket = a:SO_REUSEADDR=no
    +        disable address reuse (enabled by default)
    +    socket = a:SO_BINDTODEVICE=lo
    +        only accept connections on loopback interface
    + +
    +
    syslog = yes | no (Unix only)
    +
    + +

    enable logging via syslog

    + +

    default: yes

    + +
    +
    taskbar = yes | no (WIN32 only)
    +
    + +

    enable the taskbar icon

    + +

    default: yes

    + +
    +
    + +

    SERVICE-LEVEL OPTIONS

    + +

    Each configuration section begins with a service name in square brackets. The service name is used for libwrap (TCP Wrappers) access control and lets you distinguish stunnel services in your log files.

    + +

    Note that if you wish to run stunnel in inetd mode (where it is provided a network socket by a server such as inetd, xinetd, or tcpserver) then you should read the section entitled INETD MODE below.

    + +
    + +
    accept = [HOST:]PORT
    +
    + +

    accept connections on specified address

    + +

    If no host specified, defaults to all IPv4 addresses for the local host.

    + +

    To listen on all IPv6 addresses use:

    + +
        accept = :::PORT
    + +
    +
    CApath = DIRECTORY
    +
    + +

    Certificate Authority directory

    + +

    This is the directory in which stunnel will look for certificates when using the verifyChain or verifyPeer options. Note that the certificates in this directory should be named XXXXXXXX.0 where XXXXXXXX is the hash value of the DER encoded subject of the cert.

    + +

    The hash algorithm has been changed in OpenSSL 1.0.0. It is required to c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x.

    + +

    CApath path is relative to the chroot directory if specified.

    + +
    +
    CAfile = CA_FILE
    +
    + +

    Certificate Authority file

    + +

    This file contains multiple CA certificates, to be used with the verifyChain and verifyPeer options.

    + +
    +
    cert = CERT_FILE
    +
    + +

    certificate chain file name

    + +

    The parameter specifies the file containing certificates used by stunnel to authenticate itself against the remote client or server. The file should contain the whole certificate chain starting from the actual server/client certificate, and ending with the self-signed root CA certificate. The file must be either in PEM or P12 format.

    + +

    A certificate chain is required in server mode, and optional in client mode.

    + +

    This parameter is also used as the certificate identifier when a hardware engine is enabled.

    + +
    +
    checkEmail = EMAIL
    +
    + +

    email address of the peer certificate subject

    + +

    Multiple checkEmail options are allowed in a single service section. Certificates are accepted if no checkEmail option was specified, or the email address of the peer certificate matches any of the email addresses specified with checkEmail.

    + +

    This option requires OpenSSL 1.0.2 or later.

    + +
    +
    checkHost = HOST
    +
    + +

    host of the peer certificate subject

    + +

    Multiple checkHost options are allowed in a single service section. Certificates are accepted if no checkHost option was specified, or the host name of the peer certificate matches any of the hosts specified with checkHost.

    + +

    This option requires OpenSSL 1.0.2 or later.

    + +
    +
    checkIP = IP
    +
    + +

    IP address of the peer certificate subject

    + +

    Multiple checkIP options are allowed in a single service section. Certificates are accepted if no checkIP option was specified, or the IP address of the peer certificate matches any of the IP addresses specified with checkIP.

    + +

    This option requires OpenSSL 1.0.2 or later.

    + +
    +
    ciphers = CIPHER_LIST
    +
    + +

    Select permitted TLS ciphers

    + +

    A colon-delimited list of the ciphers to allow in the TLS connection, for example DES-CBC3-SHA:IDEA-CBC-MD5.

    + +
    +
    client = yes | no
    +
    + +

    client mode (remote service uses TLS)

    + +

    default: no (server mode)

    + +
    +
    config = COMMAND[:PARAMETER]
    +
    + +

    OpenSSL configuration command

    + +

    The OpenSSL configuration command is executed with the specified parameter. This allows any configuration commands to be invoked from the stunnel configuration file. Supported commands are described on the SSL_CONF_cmd(3ssl) manual page.

    + +

    Several config lines can be used to specify multiple configuration commands.

    + +

    This option requires OpenSSL 1.0.2 or later.

    + +
    +
    connect = [HOST:]PORT
    +
    + +

    connect to a remote address

    + +

    If no host is specified, the host defaults to localhost.

    + +

    Multiple connect options are allowed in a single service section.

    + +

    If host resolves to multiple addresses and/or if multiple connect options are specified, then the remote address is chosen using a round-robin algorithm.

    + +
    +
    CRLpath = DIRECTORY
    +
    + +

    Certificate Revocation Lists directory

    + +

    This is the directory in which stunnel will look for CRLs when using the verifyChain and verifyPeer options. Note that the CRLs in this directory should be named XXXXXXXX.r0 where XXXXXXXX is the hash value of the CRL.

    + +

    The hash algorithm has been changed in OpenSSL 1.0.0. It is required to c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x.

    + +

    CRLpath path is relative to the chroot directory if specified.

    + +
    +
    CRLfile = CRL_FILE
    +
    + +

    Certificate Revocation Lists file

    + +

    This file contains multiple CRLs, used with the verifyChain and verifyPeer options.

    + +
    +
    curve = NID
    +
    + +

    specify ECDH curve name

    + +

    To get a list of supported curves use:

    + +
        openssl ecparam -list_curves
    + +

    default: prime256v1

    + +
    +
    logId = TYPE
    +
    + +

    connection identifier type

    + +

    This identifier allows you to distinguish log entries generated for each of the connections.

    + +

    Currently supported types:

    + +
    + +
    sequential
    +
    + +

    The numeric sequential identifier is only unique within a single instance of stunnel, but very compact. It is most useful for manual log analysis.

    + +
    +
    unique
    +
    + +

    This alphanumeric identifier is globally unique, but longer than the sequential number. It is most useful for automated log analysis.

    + +
    +
    thread
    +
    + +

    The operating system thread identifier is neither unique (even within a single instance of stunnel) nor short. It is most useful for debugging software or configuration issues.

    + +
    +
    process
    +
    + +

    The operating system process identifier (PID) may be useful in the inetd mode.

    + +
    +
    + +

    default: sequential

    + +
    +
    debug = LEVEL
    +
    + +

    debugging level

    + +

    Level is a one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use debug = debug or debug = 7 for greatest debugging output. The default is notice (5).

    + +
    +
    delay = yes | no
    +
    + +

    delay DNS lookup for the connect option

    + +

    This option is useful for dynamic DNS, or when DNS is not available during stunnel startup (road warrior VPN, dial-up configurations).

    + +

    Delayed resolver mode is automatically engaged when stunnel fails to resolve on startup any of the connect targets for a service.

    + +

    Delayed resolver inflicts failover = prio.

    + +

    default: no

    + +
    +
    engineId = ENGINE_ID
    +
    + +

    select engine ID for the service

    + +
    +
    engineNum = ENGINE_NUMBER
    +
    + +

    select engine number for the service

    + +

    The engines are numbered starting from 1.

    + +
    +
    exec = EXECUTABLE_PATH
    +
    + +

    execute a local inetd-type program

    + +

    exec path is relative to the chroot directory if specified.

    + +

    The following environmental variables are set on Unix platforms: REMOTE_HOST, REMOTE_PORT, SSL_CLIENT_DN, SSL_CLIENT_I_DN.

    + +
    +
    execArgs = $0 $1 $2 ...
    +
    + +

    arguments for exec including the program name ($0)

    + +

    Quoting is currently not supported. Arguments are separated with an arbitrary amount of whitespace.

    + +
    +
    failover = rr | prio
    +
    + +

    Failover strategy for multiple "connect" targets.

    + +
    + +
    rr
    +
    + +

    round robin - fair load distribution

    + +
    +
    prio
    +
    + +

    priority - use the order specified in config file

    + +
    +
    + +

    default: rr

    + +
    +
    ident = USERNAME
    +
    + +

    use IDENT (RFC 1413) username checking

    + +
    +
    include = DIRECTORY
    +
    + +

    include all configuration file parts located in DIRECTORY

    + +

    The files are included in the ascending alphabetical order of their names.

    + +
    +
    key = KEY_FILE
    +
    + +

    private key for the certificate specified with cert option

    + +

    A private key is needed to authenticate the certificate owner. Since this file should be kept secret it should only be readable by its owner. On Unix systems you can use the following command:

    + +
        chmod 600 keyfile
    + +

    This parameter is also used as the private key identifier when a hardware engine is enabled.

    + +

    default: the value of the cert option

    + +
    +
    libwrap = yes | no
    +
    + +

    Enable or disable the use of /etc/hosts.allow and /etc/hosts.deny.

    + +

    default: no (since version 5.00)

    + +
    +
    local = HOST
    +
    + +

    By default, the IP address of the outgoing interface is used as the source for remote connections. Use this option to bind a static local IP address instead.

    + +
    +
    OCSP = URL
    +
    + +

    select OCSP responder for certificate verification

    + +
    +
    OCSPaia = yes | no
    +
    + +

    validate certificates with their AIA OCSP responders

    + +

    This option enables stunnel to validate certificates with the list of OCSP responder URLs retrieved from their AIA (Authority Information Access) extension.

    + +
    +
    OCSPflag = OCSP_FLAG
    +
    + +

    specify OCSP responder flag

    + +

    Several OCSPflag can be used to specify multiple flags.

    + +

    currently supported flags: NOCERTS, NOINTERN, NOSIGS, NOCHAIN, NOVERIFY, NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME

    + +
    +
    OCSPnonce = yes | no
    +
    + +

    send and verify the OCSP nonce extension

    + +

    This option protects the OCSP protocol against replay attacks. Due to its computational overhead, the nonce extension is usually only supported on internal (e.g. corporate) responders, and not on public OCSP responders.

    + +
    +
    options = SSL_OPTIONS
    +
    + +

    OpenSSL library options

    + +

    The parameter is the OpenSSL option name as described in the SSL_CTX_set_options(3ssl) manual, but without SSL_OP_ prefix. stunnel -options lists the options found to be allowed in the current combination of stunnel and the OpenSSL library used to build it.

    + +

    Several option lines can be used to specify multiple options. An option name can be prepended with a dash ("-") to disable the option.

    + +

    For example, for compatibility with the erroneous Eudora TLS implementation, the following option can be used:

    + +
        options = DONT_INSERT_EMPTY_FRAGMENTS
    + +

    default:

    + +
        options = NO_SSLv2
    +    options = NO_SSLv3
    + +
    +
    protocol = PROTO
    +
    + +

    application protocol to negotiate TLS

    + +

    This option enables initial, protocol-specific negotiation of the TLS encryption. The protocol option should not be used with TLS encryption on a separate port.

    + +

    Currently supported protocols:

    + +
    + +
    cifs
    +
    + +

    Proprietary (undocummented) extension of CIFS protocol implemented in Samba. Support for this extension was dropped in Samba 3.0.0.

    + +
    +
    connect
    +
    + +

    Based on RFC 2817 - Upgrading to TLS Within HTTP/1.1, section 5.2 - Requesting a Tunnel with CONNECT

    + +

    This protocol is only supported in client mode.

    + +
    +
    imap
    +
    + +

    Based on RFC 2595 - Using TLS with IMAP, POP3 and ACAP

    + +
    +
    nntp
    +
    + +

    Based on RFC 4642 - Using Transport Layer Security (TLS) with Network News Transfer Protocol (NNTP)

    + +

    This protocol is only supported in client mode.

    + +
    +
    pgsql
    +
    + +

    Based on http://www.postgresql.org/docs/8.3/static/protocol-flow.html#AEN73982

    + +
    +
    pop3
    +
    + +

    Based on RFC 2449 - POP3 Extension Mechanism

    + +
    +
    proxy
    +
    + +

    Haproxy client IP address http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt

    + +
    +
    smtp
    +
    + +

    Based on RFC 2487 - SMTP Service Extension for Secure SMTP over TLS

    + +
    +
    socks
    +
    + +

    SOCKS versions 4, 4a, and 5 are supported. The SOCKS protocol itself is encapsulated within TLS encryption layer to protect the final destination address.

    + +

    http://www.openssh.com/txt/socks4.protocol

    + +

    http://www.openssh.com/txt/socks4a.protocol

    + +

    The BIND command of the SOCKS protocol is not supported. The USERID parameter is ignored.

    + +

    See Examples section for sample configuration files for VPN based on SOCKS encryption.

    + +
    +
    + +
    +
    protocolAuthentication = AUTHENTICATION
    +
    + +

    authentication type for the protocol negotiations

    + +

    Currently, this option is only supported in the client-side 'connect' and 'smtp' protocols.

    + +

    Supported authentication types for the 'connect' protocol are 'basic' or 'ntlm'. The default 'connect' authentication type is 'basic'.

    + +

    Supported authentication types for the 'smtp' protocol are 'plain' or 'login'. The default 'smtp' authentication type is 'plain'.

    + +
    +
    protocolDomain = DOMAIN
    +
    + +

    domain for the protocol negotiations

    + +

    Currently, this option is only supported in the client-side 'connect' protocol.

    + +
    +
    protocolHost = HOST:PORT
    +
    + +

    destination address for the protocol negotiations

    + +

    protocolHost specifies the final TLS server to be connected to by the proxy, and not the proxy server directly connected by stunnel. The proxy server should be specified with the 'connect' option.

    + +

    Currently the protocol destination address only applies to the 'connect' protocol.

    + +
    +
    protocolPassword = PASSWORD
    +
    + +

    password for the protocol negotiations

    + +

    Currently, this option is only supported in the client-side 'connect' and 'smtp' protocols.

    + +
    +
    protocolUsername = USERNAME
    +
    + +

    username for the protocol negotiations

    + +

    Currently, this option is only supported in the client-side 'connect' and 'smtp' protocols.

    + +
    +
    PSKidentity = IDENTITY
    +
    + +

    PSK identity for the PSK client

    + +

    PSKidentity can be used on stunnel clients to select the PSK identity used for authentication. This option is ignored in server sections.

    + +

    default: the first identity specified in the PSKsecrets file.

    + +
    +
    PSKsecrets = FILE
    +
    + +

    file with PSK identities and corresponding keys

    + +

    Each line of the file in the following format:

    + +
        IDENTITY:KEY
    + +

    The key is required to be at least 20 characters long. The file should not be world-readable nor world-writable.

    + +
    +
    pty = yes | no (Unix only)
    +
    + +

    allocate a pseudoterminal for 'exec' option

    + +
    +
    redirect = [HOST:]PORT
    +
    + +

    redirect TLS client connections on certificate-based authentication failures

    + +

    This option only works in server mode. Some protocol negotiations are also incompatible with the redirect option.

    + +
    +
    renegotiation = yes | no
    +
    + +

    support TLS renegotiation

    + +

    Applications of the TLS renegotiation include some authentication scenarios, or re-keying long lasting connections.

    + +

    On the other hand this feature can facilitate a trivial CPU-exhaustion DoS attack:

    + +

    http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html

    + +

    Please note that disabling TLS renegotiation does not fully mitigate this issue.

    + +

    default: yes (if supported by OpenSSL)

    + +
    +
    reset = yes | no
    +
    + +

    attempt to use the TCP RST flag to indicate an error

    + +

    This option is not supported on some platforms.

    + +

    default: yes

    + +
    +
    retry = yes | no
    +
    + +

    reconnect a connect+exec section after it was disconnected

    + +

    default: no

    + +
    +
    requireCert = yes | no
    +
    + +

    require a client certificate for verifyChain or verifyPeer

    + +

    With requireCert set to no, the stunnel server accepts client connections that did not present a certificate.

    + +

    Both verifyChain = yes and verifyPeer = yes imply requireCert = yes.

    + +

    default: no

    + +
    +
    setgid = GROUP (Unix only)
    +
    + +

    Unix group id

    + +

    As a global option: setgid() to the specified group in daemon mode and clear all other groups.

    + +

    As a service-level option: set the group of the Unix socket specified with "accept".

    + +
    +
    setuid = USER (Unix only)
    +
    + +

    Unix user id

    + +

    As a global option: setuid() to the specified user in daemon mode.

    + +

    As a service-level option: set the owner of the Unix socket specified with "accept".

    + +
    +
    sessionCacheSize = NUM_ENTRIES
    +
    + +

    session cache size

    + +

    sessionCacheSize specifies the maximum number of the internal session cache entries.

    + +

    The value of 0 can be used for unlimited size. It is not recommended for production use due to the risk of a memory exhaustion DoS attack.

    + +
    +
    sessionCacheTimeout = TIMEOUT
    +
    + +

    session cache timeout

    + +

    This is the number of seconds to keep cached TLS sessions.

    + +
    +
    sessiond = HOST:PORT
    +
    + +

    address of sessiond TLS cache server

    + +
    +
    sni = SERVICE_NAME:SERVER_NAME_PATTERN (server mode)
    +
    + +

    Use the service as a slave service (a name-based virtual server) for Server Name Indication TLS extension (RFC 3546).

    + +

    SERVICE_NAME specifies the master service that accepts client connections with the accept option. SERVER_NAME_PATTERN specifies the host name to be redirected. The pattern may start with the '*' character, e.g. '*.example.com'. Multiple slave services are normally specified for a single master service. The sni option can also be specified more than once within a single slave service.

    + +

    This service, as well as the master service, may not be configured in client mode.

    + +

    The connect option of the slave service is ignored when the protocol option is specified, as protocol connects to the remote host before TLS handshake.

    + +

    Libwrap checks (Unix only) are performed twice: with the master service name after TCP connection is accepted, and with the slave service name during the TLS handshake.

    + +

    The sni option is only available when compiled with OpenSSL 1.0.0 and later.

    + +
    +
    sni = SERVER_NAME (client mode)
    +
    + +

    Use the parameter as the value of TLS Server Name Indication (RFC 3546) extension.

    + +

    Empty SERVER_NAME disables sending the SNI extension.

    + +

    The sni option is only available when compiled with OpenSSL 1.0.0 and later.

    + +
    +
    sslVersion = SSL_VERSION
    +
    + +

    select the TLS protocol version

    + +

    Supported values: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2

    + +

    Availability of specific protocols depends on the linked OpenSSL library. Older versions of OpenSSL do not support TLSv1.1 and TLSv1.2. Newer versions of OpenSSL do not support SSLv2.

    + +

    Obsolete SSLv2 and SSLv3 are currently disabled by default. See the options option documentation for details.

    + +
    +
    stack = BYTES (except for FORK model)
    +
    + +

    thread stack size

    + +
    +
    TIMEOUTbusy = SECONDS
    +
    + +

    time to wait for expected data

    + +
    +
    TIMEOUTclose = SECONDS
    +
    + +

    time to wait for close_notify (set to 0 for buggy MSIE)

    + +
    +
    TIMEOUTconnect = SECONDS
    +
    + +

    time to wait to connect to a remote host

    + +
    +
    TIMEOUTidle = SECONDS
    +
    + +

    time to keep an idle connection

    + +
    +
    transparent = none | source | destination | both (Unix only)
    +
    + +

    enable transparent proxy support on selected platforms

    + +

    Supported values:

    + +
    + +
    none
    +
    + +

    Disable transparent proxy support. This is the default.

    + +
    +
    source
    +
    + +

    Re-write the address to appear as if a wrapped daemon is connecting from the TLS client machine instead of the machine running stunnel.

    + +

    This option is currently available in:

    + +
    + +
    Remote mode (connect option) on Linux >=2.6.28
    +
    + +

    This configuration requires stunnel to be executed as root and without the setuid option.

    + +

    This configuration requires the following setup for iptables and routing (possibly in /etc/rc.local or equivalent file):

    + +
        iptables -t mangle -N DIVERT
    +    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    +    iptables -t mangle -A DIVERT -j MARK --set-mark 1
    +    iptables -t mangle -A DIVERT -j ACCEPT
    +    ip rule add fwmark 1 lookup 100
    +    ip route add local 0.0.0.0/0 dev lo table 100
    +    echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
    + +

    stunnel must also to be executed as root and without the setuid option.

    + +
    +
    Remote mode (connect option) on Linux 2.2.x
    +
    + +

    This configuration requires the kernel to be compiled with the transparent proxy option. Connected service must be installed on a separate host. Routing towards the clients has to go through the stunnel box.

    + +

    stunnel must also to be executed as root and without the setuid option.

    + +
    +
    Remote mode (connect option) on FreeBSD >=8.0
    +
    + +

    This configuration requires additional firewall and routing setup. stunnel must also to be executed as root and without the setuid option.

    + +
    +
    Local mode (exec option)
    +
    + +

    This configuration works by pre-loading the libstunnel.so shared library. _RLD_LIST environment variable is used on Tru64, and LD_PRELOAD variable on other platforms.

    + +
    +
    + +
    +
    destination
    +
    + +

    The original destination is used instead of the connect option.

    + +

    A service section for transparent destination may look like this:

    + +
        [transparent]
    +    client = yes
    +    accept = <stunnel_port>
    +    transparent = destination
    + +

    This configuration requires iptables setup to work, possibly in /etc/rc.local or equivalent file.

    + +

    For a connect target installed on the same host:

    + +
        /sbin/iptables -t nat -I OUTPUT -p tcp --dport <redirected_port> \
    +        -m ! --uid-owner <stunnel_user_id> \
    +        -j DNAT --to-destination <local_ip>:<stunnel_port>
    + +

    For a connect target installed on a remote host:

    + +
        /sbin/iptables -I INPUT -i eth0 -p tcp --dport <stunnel_port> -j ACCEPT
    +    /sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \
    +        -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port>
    + +

    The transparent destination option is currently only supported on Linux.

    + +
    +
    both
    +
    + +

    Use both source and destination transparent proxy.

    + +
    +
    + +

    Two legacy options are also supported for backward compatibility:

    + +
    + +
    yes
    +
    + +

    This option has been renamed to source.

    + +
    +
    no
    +
    + +

    This option has been renamed to none.

    + +
    +
    + +
    +
    verify = LEVEL
    +
    + +

    verify the peer certificate

    + +

    This option is obsolete and should be replaced with the verifyChain and verifyPeer options.

    + +
    + +
    level 0
    +
    + +

    Request and ignore the peer certificate.

    + +
    +
    level 1
    +
    + +

    Verify the peer certificate if present.

    + +
    +
    level 2
    +
    + +

    Verify the peer certificate.

    + +
    +
    level 3
    +
    + +

    Verify the peer against a locally installed certificate.

    + +
    +
    level 4
    +
    + +

    Ignore the chain and only verify the peer certificate.

    + +
    +
    default
    +
    + +

    No verify.

    + +
    +
    + +
    +
    verifyChain = yes | no
    +
    + +

    verify the peer certificate chain starting from the root CA

    + +

    For server certificate verification it is essential to also require a specific certificate with checkHost or checkIP.

    + +

    The self-signed root CA certificate needs to be stored either in the file specified with CAfile, or in the directory specified with CApath.

    + +

    default: no

    + +
    +
    verifyPeer = yes | no
    +
    + +

    verify the peer certificate

    + +

    The peer certificate needs to be stored either in the file specified with CAfile, or in the directory specified with CApath.

    + +

    default: no

    + +
    +
    + +

    RETURN VALUE

    + +

    stunnel returns zero on success, non-zero on error.

    + +

    SIGNALS

    + +

    The following signals can be used to control stunnel in Unix environment:

    + +
    + +
    SIGHUP
    +
    + +

    Force a reload of the configuration file.

    + +

    Some global options will not be reloaded:

    + +
      + +
    • chroot

      + +
    • +
    • foreground

      + +
    • +
    • pid

      + +
    • +
    • setgid

      + +
    • +
    • setuid

      + +
    • +
    + +

    The use of the 'setuid' option will also prevent stunnel from binding to privileged (<1024) ports during configuration reloading.

    + +

    When the 'chroot' option is used, stunnel will look for all its files (including the configuration file, certificates, the log file and the pid file) within the chroot jail.

    + +
    +
    SIGUSR1
    +
    + +

    Close and reopen the stunnel log file. This function can be used for log rotation.

    + +
    +
    SIGTERM, SIGQUIT, SIGINT
    +
    + +

    Shut stunnel down.

    + +
    +
    + +

    The result of sending any other signals to the server is undefined.

    + +

    EXAMPLES

    + +

    In order to provide TLS encapsulation to your local imapd service, use:

    + +
        [imapd]
    +    accept = 993
    +    exec = /usr/sbin/imapd
    +    execArgs = imapd
    + +

    or in remote mode:

    + +
        [imapd]
    +    accept = 993
    +    connect = 143
    + +

    In order to let your local e-mail client connect to a TLS-enabled imapd service on another server, configure the e-mail client to connect to localhost on port 119 and use:

    + +
        [imap]
    +    client = yes
    +    accept = 143
    +    connect = servername:993
    + +

    If you want to provide tunneling to your pppd daemon on port 2020, use something like:

    + +
        [vpn]
    +    accept = 2020
    +    exec = /usr/sbin/pppd
    +    execArgs = pppd local
    +    pty = yes
    + +

    If you want to use stunnel in inetd mode to launch your imapd process, you'd use this stunnel.conf. Note there must be no [service_name] section.

    + +
        exec = /usr/sbin/imapd
    +    execArgs = imapd
    + +

    To setup SOCKS VPN configure the following client service:

    + +
        [socks_client]
    +    client = yes
    +    accept = 127.0.0.1:1080
    +    connect = vpn_server:9080
    +    verifyPeer = yes
    +    CAfile = stunnel.pem
    + +

    The corresponding configuration on the vpn_server host:

    + +
        [socks_server]
    +    protocol = socks
    +    accept = 9080
    +    cert = stunnel.pem
    +    key = stunnel.key
    + +

    Now test your configuration on the client machine with:

    + +
        curl --socks4a localhost http://www.example.com/
    + +

    An example server mode SNI configuration:

    + +
        [virtual]
    +    ; master service
    +    accept = 443
    +    cert =  default.pem
    +    connect = default.internal.mydomain.com:8080
    +
    +    [sni1]
    +    ; slave service 1
    +    sni = virtual:server1.mydomain.com
    +    cert = server1.pem
    +    connect = server1.internal.mydomain.com:8081
    +
    +    [sni2]
    +    ; slave service 2
    +    sni = virtual:server2.mydomain.com
    +    cert = server2.pem
    +    connect = server2.internal.mydomain.com:8082
    +    verifyPeer = yes
    +    CAfile = server2-allowed-clients.pem
    + +

    An example of advanced engine configuration allows for authentication with private keys stored in the Windows certificate store (Windows only). With the CAPI engine you don't need to manually select the client key to use. The client key is automatically selected based on the list of CAs trusted by the server.

    + +
        engine = capi
    +
    +    [service]
    +    engineId = capi
    +    client = yes
    +    accept = 127.0.0.1:8080
    +    connect = example.com:8443
    + +

    An example of advanced engine configuration to use the certificate and the corresponding private key from a pkcs11 engine:

    + +
        engine = pkcs11
    +    engineCtrl = MODULE_PATH:opensc-pkcs11.so
    +    engineCtrl = PIN:123456
    +
    +    [service]
    +    engineId = pkcs11
    +    client = yes
    +    accept = 127.0.0.1:8080
    +    connect = example.com:843
    +    cert = pkcs11:token=MyToken;object=MyCert
    +    key = pkcs11:token=MyToken;object=MyKey
    + +

    An example of advanced engine configuration to use the certificate and the corresponding private key from a SoftHSM token:

    + +
        engine = pkcs11
    +    engineCtrl = MODULE_PATH:softhsm2.dll
    +    engineCtrl = PIN:12345
    +
    +    [service]
    +    engineId = pkcs11
    +    client = yes
    +    accept = 127.0.0.1:8080
    +    connect = example.com:843
    +    cert = pkcs11:token=MyToken;object=KeyCert
    + +

    NOTES

    + +

    RESTRICTIONS

    + +

    stunnel cannot be used for the FTP daemon because of the nature of the FTP protocol which utilizes multiple ports for data transfers. There are available TLS-enabled versions of FTP and telnet daemons, however.

    + +

    INETD MODE

    + +

    The most common use of stunnel is to listen on a network port and establish communication with either a new port via the connect option, or a new program via the exec option. However there is a special case when you wish to have some other program accept incoming connections and launch stunnel, for example with inetd, xinetd, or tcpserver.

    + +

    For example, if you have the following line in inetd.conf:

    + +
        imaps stream tcp nowait root @bindir@/stunnel stunnel @sysconfdir@/stunnel/imaps.conf
    + +

    In these cases, the inetd-style program is responsible for binding a network socket (imaps above) and handing it to stunnel when a connection is received. Thus you do not want stunnel to have any accept option. All the Service Level Options should be placed in the global options section, and no [service_name] section will be present. See the EXAMPLES section for example configurations.

    + +

    CERTIFICATES

    + +

    Each TLS-enabled daemon needs to present a valid X.509 certificate to the peer. It also needs a private key to decrypt the incoming data. The easiest way to obtain a certificate and a key is to generate them with the free OpenSSL package. You can find more information on certificates generation on pages listed below.

    + +

    The order of contents of the .pem file is important. It should contain the unencrypted private key first, then a signed certificate (not certificate request). There should also be empty lines after the certificate and the private key. Any plaintext certificate information appended on the top of generated certificate should be discarded. So the file should look like this:

    + +
        -----BEGIN RSA PRIVATE KEY-----
    +    [encoded key]
    +    -----END RSA PRIVATE KEY-----
    +    [empty line]
    +    -----BEGIN CERTIFICATE-----
    +    [encoded certificate]
    +    -----END CERTIFICATE-----
    +    [empty line]
    + +

    RANDOMNESS

    + +

    stunnel needs to seed the PRNG (pseudo-random number generator) in order for TLS to use good randomness. The following sources are loaded in order until sufficient random data has been gathered:

    + +
      + +
    • The file specified with the RNDfile flag.

      + +
    • +
    • The file specified by the RANDFILE environment variable, if set.

      + +
    • +
    • The file .rnd in your home directory, if RANDFILE not set.

      + +
    • +
    • The file specified with '--with-random' at compile time.

      + +
    • +
    • The contents of the screen if running on Windows.

      + +
    • +
    • The egd socket specified with the EGD flag.

      + +
    • +
    • The egd socket specified with '--with-egd-sock' at compile time.

      + +
    • +
    • The /dev/urandom device.

      + +
    • +
    + +

    Note that on Windows machines that do not have console user interaction (mouse movements, creating windows, etc.) the screen contents are not variable enough to be sufficient, and you should provide a random file for use with the RNDfile flag.

    + +

    Note that the file specified with the RNDfile flag should contain random data -- that means it should contain different information each time stunnel is run. This is handled automatically unless the RNDoverwrite flag is used. If you wish to update this file manually, the openssl rand command in recent versions of OpenSSL, would be useful.

    + +

    Important note: If /dev/urandom is available, OpenSSL often seeds the PRNG with it while checking the random state. On systems with /dev/urandom OpenSSL is likely to use it even though it is listed at the very bottom of the list above. This is the behaviour of OpenSSL and not stunnel.

    + +

    DH PARAMETERS

    + +

    stunnel 4.40 and later contains hardcoded 2048-bit DH parameters. Starting with stunnel 5.18, these hardcoded DH parameters are replaced every 24 hours with autogenerated temporary DH parameters. DH parameter generation may take several minutes.

    + +

    Alternatively, it is possible to specify static DH parameters in the certificate file, which disables generating temporary DH parameters:

    + +
        openssl dhparam 2048 >> stunnel.pem
    + +

    FILES

    + +
    + +
    @sysconfdir@/stunnel/stunnel.conf
    +
    + +

    stunnel configuration file

    + +
    +
    + +

    BUGS

    + +

    The execArgs option and the Win32 command line do not support quoting.

    + +

    SEE ALSO

    + +
    + +
    tcpd(8)
    +
    + +

    access control facility for internet services

    + +
    +
    inetd(8)
    +
    + +

    internet 'super-server'

    + +
    +
    http://www.stunnel.org/
    +
    + +

    stunnel homepage

    + +
    +
    http://www.openssl.org/
    +
    + +

    OpenSSL project website

    + +
    +
    + +

    AUTHOR

    + +
    + +
    Michał Trojnara
    +
    + +

    <Michal.Trojnara@stunnel.org>

    + +
    +
    + + + +
    + stunnel TLS Proxy +
    + + + + + + diff --git a/doc/stunnel.pl.8 b/doc/stunnel.pl.8.in similarity index 50% rename from doc/stunnel.pl.8 rename to doc/stunnel.pl.8.in index 0df17bc..71f7560 100644 --- a/doc/stunnel.pl.8 +++ b/doc/stunnel.pl.8.in @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07) +.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) .\" .\" Standard preamble: .\" ======================================================================== @@ -38,6 +38,8 @@ . ds PI \(*p . ds L" `` . ds R" '' +. ds C` +. ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. 
@@ -48,57 +50,65 @@ .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. -.ie \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX .. -. nr % 0 -. rr F -.\} -.el \{\ -. de IX +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{ +. if \nF \{ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" .. +. if !\nF==2 \{ +. nr % 0 +. nr F 2 +. \} +. \} .\} +.rr rF .\" ======================================================================== .\" -.IX Title "STUNNEL.PL 8" -.TH STUNNEL.PL 8 "2013.03.22" "4.56" "stunnel" +.IX Title "stunnel 8" +.TH stunnel 8 "2017.04.01" "5.42" "stunnel TLS Proxy" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAZWA" .IX Header "NAZWA" -stunnel \- uniwersalny tunel protokołu \s-1SSL\s0 +stunnel \- uniwersalny tunel protokołu \s-1TLS\s0 .SH "SKŁADNIA" .IX Header "SKŁADNIA" .IP "\fBUnix:\fR" 4 .IX Item "Unix:" -\&\fBstunnel\fR [] | \-fd n | \-help | \-version | \-sockets +\&\fBstunnel\fR [\s-1PLIK\s0] | \-fd N | \-help | \-version | \-sockets | \-options .IP "\fB\s-1WIN32:\s0\fR" 4 .IX Item "WIN32:" -\&\fBstunnel\fR [ [\-install | \-uninstall | \-start | \-stop ] | \-exit] - [\-quiet] [] ] | \-help | \-version | \-sockets +\&\fBstunnel\fR [ [ \-install | \-uninstall | \-start | \-stop | + \-reload | \-reopen | \-exit ] [\-quiet] [\s-1PLIK\s0] ] | + \-help | \-version | \-sockets | \-options .SH "OPIS" .IX Header "OPIS" -Program \fBstunnel\fR został zaprojektowany do opakowywania w protokół \fI\s-1SSL\s0\fR +Program \fBstunnel\fR został zaprojektowany do opakowywania w protokół \fI\s-1TLS\s0\fR połączeń pomiędzy zdalnymi klientami a lokalnymi lub zdalnymi serwerami. 
Przez serwer lokalny rozumiana jest aplikacja przeznaczona do uruchamiania przy pomocy \fIinetd\fR. Stunnel pozwala na proste zestawienie komunikacji serwerów nie posiadających -funkcjonalności \fI\s-1SSL\s0\fR poprzez bezpieczne kanały \fI\s-1SSL\s0\fR. +funkcjonalności \fI\s-1TLS\s0\fR poprzez bezpieczne kanały \fI\s-1TLS\s0\fR. .PP -\&\fBstunnel\fR pozwala dodać funkcjonalność \fI\s-1SSL\s0\fR do powszechnie stosowanych +\&\fBstunnel\fR pozwala dodać funkcjonalność \fI\s-1TLS\s0\fR do powszechnie stosowanych demonów \fIinetd\fR, np. \fIpop3\fR lub \fIimap\fR, do samodzielnych demonów, np. \fInntp\fR, \fIsmtp\fR lub \fIhttp\fR, a nawet tunelować ppp poprzez gniazda sieciowe bez zmian w kodzie źródłowym. .SH "OPCJE" .IX Header "OPCJE" -.IP "<\fBplik\fR>" 4 -.IX Item "" +.IP "\fB\s-1PLIK\s0\fR" 4 +.IX Item "PLIK" użyj podanego pliku konfiguracyjnego -.IP "\fB\-fd n\fR (tylko Unix)" 4 -.IX Item "-fd n (tylko Unix)" +.IP "\fB\-fd N\fR (tylko Unix)" 4 +.IX Item "-fd N (tylko Unix)" wczytaj konfigurację z podanego deskryptora pliku .IP "\fB\-help\fR" 4 .IX Item "-help" 
@@ -109,25 +119,33 @@ drukuj wersję programu i domyślne wartości parametrów .IP "\fB\-sockets\fR" 4 .IX Item "-sockets" drukuj domyślne opcje gniazd -.IP "\fB\-install\fR (tylko \s-1NT/2000/XP\s0)" 4 -.IX Item "-install (tylko NT/2000/XP)" +.IP "\fB\-options\fR" 4 +.IX Item "-options" +drukuj wspierane opcje \s-1TLS\s0 +.IP "\fB\-install\fR (tylko Windows \s-1NT\s0 lub nowszy)" 4 +.IX Item "-install (tylko Windows NT lub nowszy)" instaluj serwis \s-1NT\s0 -.IP "\fB\-uninstall\fR (tylko \s-1NT/2000/XP\s0)" 4 -.IX Item "-uninstall (tylko NT/2000/XP)" +.IP "\fB\-uninstall\fR (tylko Windows \s-1NT\s0 lub nowszy)" 4 +.IX Item "-uninstall (tylko Windows NT lub nowszy)" odinstaluj serwis \s-1NT\s0 -.IP "\fB\-start\fR (tylko \s-1NT/2000/XP\s0)" 4 -.IX Item "-start (tylko NT/2000/XP)" +.IP "\fB\-start\fR (tylko Windows \s-1NT\s0 lub nowszy)" 4 +.IX Item "-start (tylko Windows NT lub nowszy)" uruchom serwis \s-1NT\s0 -.IP "\fB\-stop\fR (tylko \s-1NT/2000/XP\s0)" 4 -.IX Item "-stop (tylko NT/2000/XP)" +.IP "\fB\-stop\fR (tylko Windows \s-1NT\s0 lub nowszy)" 4 +.IX Item "-stop (tylko Windows NT lub nowszy)" zatrzymaj serwis \s-1NT\s0 +.IP "\fB\-reload\fR (tylko Windows \s-1NT\s0 lub nowszy)" 4 +.IX Item "-reload (tylko Windows NT lub nowszy)" +przeładuj plik konfiguracyjny uruchomionego serwisu \s-1NT\s0 +.IP "\fB\-reopen\fR (tylko Windows \s-1NT\s0 lub nowszy)" 4 +.IX Item "-reopen (tylko Windows NT lub nowszy)" +otwórz ponownie log uruchomionego serwisu \s-1NT\s0 .IP "\fB\-exit\fR (tylko Win32)" 4 .IX Item "-exit (tylko Win32)" zatrzymaj uruchomiony program -.IP "\fB\-quiet\fR (tylko \s-1NT/2000/XP\s0)" 4 -.IX Item "-quiet (tylko NT/2000/XP)" -nie wyświetlaj okienka informującego o pomyślnym zainstalowaniu lub -odinstalowaniu +.IP "\fB\-quiet\fR (tylko Win32)" 4 +.IX Item "-quiet (tylko Win32)" +nie wyświetlaj okienek z komunikatami .SH "PLIK KONFIGURACYJNY" .IX Header "PLIK KONFIGURACYJNY" Linia w pliku konfiguracyjnym może być: 
@@ -147,10 +165,10 @@ numerem portu oddzieloną średnikiem parą adresu (IPv4, IPv6, lub nazwą domenową) i numeru portu .IP "\(bu" 4 ścieżką do gniazda Unix (tylko Unix) -.SS "\s-1OPCJE\s0 \s-1GLOBALNE\s0" +.SS "\s-1OPCJE GLOBALNE\s0" .IX Subsection "OPCJE GLOBALNE" -.IP "\fBchroot\fR = katalog (tylko Unix)" 4 -.IX Item "chroot = katalog (tylko Unix)" +.IP "\fBchroot\fR = \s-1KATALOG \s0(tylko Unix)" 4 +.IX Item "chroot = KATALOG (tylko Unix)" katalog roboczego korzenia systemu plików .Sp Opcja określa katalog, w którym uwięziony zostanie proces programu @@ -170,20 +188,15 @@ niektóre inne pliki mogą potrzebować plików urządzeń, np. /dev/zero lub /d .RE .RS 4 .RE -.IP "\fBcompression\fR = deflate | zlib | rle" 4 -.IX Item "compression = deflate | zlib | rle" +.IP "\fBcompression\fR = deflate | zlib" 4 +.IX Item "compression = deflate | zlib" wybór algorytmu kompresji przesyłanych danych .Sp domyślnie: bez kompresji .Sp -Algorytm deflate jest standardową metodą kompresji zgodnie z \s-1RFC\s0 1951. -.Sp -Kompresja zlib zaimplementowana w \fBOpenSSL 0.9.8\fR i nowszych nie jest -kompatybilna implementacją \fBOpenSSL 0.9.7\fR. -.Sp -Kompresja rle nie jest zaimplementowana w aktualnych wersjach \fBOpenSSL\fR. -.IP "\fBdebug\fR = poziom[.podsystem]" 4 -.IX Item "debug = poziom[.podsystem]" +Algorytm deflate jest standardową metodą kompresji zgodnie z \s-1RFC 1951.\s0 +.IP "\fBdebug\fR = [\s-1PODSYSTEM\s0].POZIOM" 4 +.IX Item "debug = [PODSYSTEM].POZIOM" szczegółowość logowania .Sp Poziom logowania można określić przy pomocy jednej z nazw lub liczb: 
@@ -197,83 +210,95 @@ O ile nie wyspecyfikowano podsystemu użyty będzie domyślny: daemon. Podsystemy nie są wspierane przez platformę Win32. .Sp Wielkość liter jest ignorowana zarówno dla poziomu jak podsystemu. -.IP "\fB\s-1EGD\s0\fR = ścieżka_do_EGD (tylko Unix)" 4 -.IX Item "EGD = ścieżka_do_EGD (tylko Unix)" +.IP "\fB\s-1EGD\s0\fR = ŚCIEŻKA_DO_EGD (tylko Unix)" 4 +.IX Item "EGD = ŚCIEŻKA_DO_EGD (tylko Unix)" ścieżka do gniazda programu Entropy Gathering Daemon .Sp Opcja pozwala określić ścieżkę do gniazda programu Entropy Gathering Daemon używanego do zainicjalizowania generatora ciągów pseudolosowych biblioteki -\&\fBOpenSSL\fR. Opcja jest dostępna z biblioteką \fBOpenSSL 0.9.5a\fR lub nowszą. -.IP "\fBengine\fR = auto | " 4 -.IX Item "engine = auto | " +\&\fBOpenSSL\fR. +.IP "\fBengine\fR = auto | IDENTYFIKATOR_URZĄDZENIA" 4 +.IX Item "engine = auto | IDENTYFIKATOR_URZĄDZENIA" wybór sprzętowego urządzenia kryptograficznego .Sp domyślnie: bez wykorzystania urządzeń kryptograficznych .Sp -Przykładowa konfiguracja umożliwiająca odczytanie klucza prywatnego z -urządzenia zgodnego z OpenSC: -.Sp -.Vb 7 -\& engine=dynamic -\& engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so -\& engineCtrl=ID:pkcs11 -\& engineCtrl=LIST_ADD:1 -\& engineCtrl=LOAD -\& engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc\-pkcs11.so -\& engineCtrl=INIT -\& -\& [service] -\& engineNum=1 -\& key=id_45 -.Ve -.IP "\fBengineCtrl\fR = [:]" 4 -.IX Item "engineCtrl = [:]" +Sekcja PRZYKŁADY zawiera przykładowe konfiguracje wykorzystujące +urządzenia kryptograficzne. +.IP "\fBengineCtrl\fR = KOMENDA[:PARAMETR]" 4 +.IX Item "engineCtrl = KOMENDA[:PARAMETR]" konfiguracja urządzenia kryptograficznego +.IP "\fBengineDefault\fR = LISTA_ZADAŃ" 4 +.IX Item "engineDefault = LISTA_ZADAŃ" +lista zadań OpenSSL oddelegowanych do bieżącego urządzenia .Sp -Specjalne komendy \*(L"\s-1LOAD\s0\*(R" i \*(L"\s-1INIT\s0\*(R" pozwalają na załadowanie i inicjalizację -modułu kryptograficznego urządzenia. 
+Parametrem jest lista oddzielonych przecinkami zadań OpenSSL, które mają +zostać oddelegowane do bieżącego urządzenia kryptograficznego. +.Sp +W zależności od konkretnego urządzenia dostępne mogą być następujące zadania: +\&\s-1ALL, RSA, DSA, ECDH, ECDSA, DH, RAND, CIPHERS, DIGESTS, PKEY, PKEY_CRYPTO, +PKEY_ASN1.\s0 .IP "\fBfips\fR = yes | no" 4 .IX Item "fips = yes | no" -Włącz lub wyłącz tryb \s-1FIPS\s0 140\-2. +tryb \s-1FIPS 140\-2\s0 .Sp -Opcja pozwala wyłączyć wejście w tryb \s-1FIPS\s0, jeśli \fBstunnel\fR został -skompilowany ze wsparciem dla \s-1FIPS\s0 140\-2. +Opcja pozwala wyłączyć wejście w tryb \s-1FIPS,\s0 jeśli \fBstunnel\fR został +skompilowany ze wsparciem dla \s-1FIPS 140\-2.\s0 .Sp -domyślnie: yes (pracuj w trybie \s-1FIPS\s0 140\-2) -.IP "\fBforeground\fR = yes | no (tylko Unix)" 4 -.IX Item "foreground = yes | no (tylko Unix)" +domyślnie: no (od wersji 5.00) +.IP "\fBforeground\fR = yes | quiet | no (tylko Unix)" 4 +.IX Item "foreground = yes | quiet | no (tylko Unix)" tryb pierwszoplanowy .Sp -Użycie tej opcji powoduje, że \fBstunnel\fR nie przechodzi w tło logując -swoje komunikaty na konsolę zamiast przez \fIsyslog\fR (o ile nie użyto -opcji \fIoutput\fR). -.IP "\fBoutput\fR = plik" 4 -.IX Item "output = plik" +Użycie tej opcji powoduje, że \fBstunnel\fR nie przechodzi w tło. +.Sp +Parametr \fIyes\fR powoduje dodatkowo, że komunikaty diagnostyczne logowane są na +standardowy strumień błędów (stderr) oprócz wyjść zdefiniowanych przy pomocy +opcji \fIsyslog\fR i \fIoutput\fR. +.IP "\fBiconActive\fR = PLIK_Z_IKONKĄ (tylko \s-1GUI\s0)" 4 +.IX Item "iconActive = PLIK_Z_IKONKĄ (tylko GUI)" +ikonka wyświetlana przy obecności aktywnych połączeń do usługi +.Sp +W systemie Windows ikonka to plik .ico zawierający obrazek 16x16 pikseli. 
+.IP "\fBiconError\fR = PLIK_Z_IKONKĄ (tylko \s-1GUI\s0)" 4 +.IX Item "iconError = PLIK_Z_IKONKĄ (tylko GUI)" +ikonka wyświetlana, jeżeli nie został załadowany poprawny plik konfiguracyjny +.Sp +W systemie Windows ikonka to plik .ico zawierający obrazek 16x16 pikseli. +.IP "\fBiconIdle\fR = PLIK_Z_IKONKĄ (tylko \s-1GUI\s0)" 4 +.IX Item "iconIdle = PLIK_Z_IKONKĄ (tylko GUI)" +ikonka wyświetlana przy braku aktywnych połączeń do usługi +.Sp +W systemie Windows ikonka to plik .ico zawierający obrazek 16x16 pikseli. +.IP "\fBlog\fR = append | overwrite" 4 +.IX Item "log = append | overwrite" +obsługa logów +.Sp +Ta opcja pozwala określić, czy nowe logi w pliku (określonym w opcji \fIoutput\fR) będą dodawane czy nadpisywane. +.Sp +domyślnie: append +.IP "\fBoutput\fR = \s-1PLIK\s0" 4 +.IX Item "output = PLIK" plik, do którego dopisane zostaną logi .Sp Użycie tej opcji powoduje dopisanie logów do podanego pliku. .Sp -Do kierowaniakomunikatów na standardowe wyjście (na przykład po to, żeby +Do kierowania komunikatów na standardowe wyjście (na przykład po to, żeby zalogować je programem splogger z pakietu daemontools) można podać jako parametr urządzenie /dev/stdout. -.IP "\fBpid\fR = plik (tylko Unix)" 4 -.IX Item "pid = plik (tylko Unix)" +.IP "\fBpid\fR = \s-1PLIK \s0(tylko Unix)" 4 +.IX Item "pid = PLIK (tylko Unix)" położenie pliku z numerem procesu .Sp -Jeżeli argument jest pusty plik nie zostanie stworzony. +Jeżeli argument jest pusty, plik nie zostanie stworzony. .Sp Jeżeli zdefiniowano katalog \fIchroot\fR, to ścieżka do \fIpid\fR jest określona względem tego katalogu. -.IP "\fBRNDbytes\fR = liczba_bajtów" 4 -.IX Item "RNDbytes = liczba_bajtów" +.IP "\fBRNDbytes\fR = LICZBA_BAJTÓW" 4 +.IX Item "RNDbytes = LICZBA_BAJTÓW" liczba bajtów do zainicjowania generatora pseudolosowego -.Sp -W wersjach biblioteki \fBOpenSSL\fR starszych niż \fB0.9.5a\fR opcja ta określa -również liczbę bajtów wystarczających do zainicjowania \s-1PRNG\s0. 
-Nowsze wersje biblioteki mają wbudowaną funkcję określającą, czy -dostarczona ilość losowości jest wystarczająca do zainicjowania generatora. -.IP "\fBRNDfile\fR = plik" 4 -.IX Item "RNDfile = plik" +.IP "\fBRNDfile\fR = \s-1PLIK\s0" 4 +.IX Item "RNDfile = PLIK" ścieżka do pliku zawierającego losowe dane .Sp Biblioteka \fBOpenSSL\fR użyje danych z tego pliku do zainicjowania @@ -283,19 +308,18 @@ generatora pseudolosowego. nadpisz plik nowymi wartościami pseudolosowymi .Sp domyślnie: yes (nadpisz) -.IP "\fBservice\fR = nazwa_serwisu (tylko Unix)" 4 -.IX Item "service = nazwa_serwisu (tylko Unix)" -użyj parametru jako nazwy serwisu dla biblioteki \s-1TCP\s0 Wrapper w trybie \fIinetd\fR +.IP "\fBservice\fR = \s-1SERWIS \s0(tylko Unix)" 4 +.IX Item "service = SERWIS (tylko Unix)" +nazwa usługi +.Sp +Podana nazwa usługi będzie używana jako nazwa usługi dla inicjalizacji sysloga, +oraz dla biblioteki \s-1TCP\s0 Wrapper w trybie \fIinetd\fR. Chociaż technicznie można +użyć tej opcji w trybie w sekcji usług, to jest ona użyteczna jedynie w opcjach +globalnych. .Sp domyślnie: stunnel -.IP "\fBsetgid\fR = identyfikator_grupy (tylko Unix)" 4 -.IX Item "setgid = identyfikator_grupy (tylko Unix)" -grupa z której prawami pracował będzie \fBstunnel\fR -.IP "\fBsetuid\fR = identyfikator_użytkownika (tylko Unix)" 4 -.IX Item "setuid = identyfikator_użytkownika (tylko Unix)" -użytkownik, z którego prawami pracował będzie \fBstunnel\fR -.IP "\fBsocket\fR = a|l|r:option=value[:value]" 4 -.IX Item "socket = a|l|r:option=value[:value]" +.IP "\fBsocket\fR = a|l|r:OPCJA=WARTOŚĆ[:WARTOŚĆ]" 4 +.IX Item "socket = a|l|r:OPCJA=WARTOŚĆ[:WARTOŚĆ]" ustaw opcję na akceptującym/lokalnym/zdalnym gnieździe .Sp Dla opcji linger wartości mają postać l_onof:l_linger. 
@@ -337,9 +361,9 @@ usługi w logach. .PP Jeżeli \fBstunnel\fR ma zostać użyty w trybie \fIinetd\fR, gdzie za odebranie połączenia odpowiada osobny program (zwykle \fIinetd\fR, \fIxinetd\fR -lub \fItcpserver\fR), należy przeczytać sekcję \fI\s-1TRYB\s0 \s-1INETD\s0\fR poniżej. -.IP "\fBaccept\fR = [adres:]port" 4 -.IX Item "accept = [adres:]port" +lub \fItcpserver\fR), należy przeczytać sekcję \fI\s-1TRYB INETD\s0\fR poniżej. +.IP "\fBaccept\fR = [\s-1HOST:\s0]PORT" 4 +.IX Item "accept = [HOST:]PORT" nasłuchuje na połączenia na podanym adresie i porcie .Sp Jeżeli nie został podany adres, \fBstunnel\fR domyślnie nasłuchuje @@ -350,13 +374,13 @@ Aby nasłuchiwać na wszystkich adresach IPv6 należy użyć: .Vb 1 \& accept = :::port .Ve -.IP "\fBCApath\fR = katalog_CA" 4 -.IX Item "CApath = katalog_CA" +.IP "\fBCApath\fR = \s-1KATALOG_CA\s0" 4 +.IX Item "CApath = KATALOG_CA" katalog Centrum Certyfikacji .Sp -Opcja określa katalog, w którym \fBstunnel\fR będzie szukał certyfikatów, -jeżeli użyta została opcja \fIverify\fR. Pliki z certyfikatami muszą -posiadać specjalne nazwy \s-1XXXXXXXX\s0.0, gdzie \s-1XXXXXXXX\s0 jest skrótem +Opcja określa katalog, w którym \fBstunnel\fR będzie szukał certyfikatów, jeżeli +użyta została opcja \fIverifyChain\fR lub \fIverifyPeer\fR. Pliki z certyfikatami +muszą posiadać specjalne nazwy \s-1XXXXXXXX.0,\s0 gdzie \s-1XXXXXXXX\s0 jest skrótem kryptograficznym reprezentacji \s-1DER\s0 nazwy podmiotu certyfikatu. .Sp Funkcja skrótu została zmieniona w \fBOpenSSL 1.0.0\fR. 
@@ -364,63 +388,112 @@ Należy wykonać c_rehash przy zmianie \fBOpenSSL 0.x.x\fR na \fB1.x.x\fR. .Sp Jeżeli zdefiniowano katalog \fIchroot\fR, to ścieżka do \fICApath\fR jest określona względem tego katalogu. -.IP "\fBCAfile\fR = plik_CA" 4 -.IX Item "CAfile = plik_CA" +.IP "\fBCAfile\fR = \s-1PLIK_CA\s0" 4 +.IX Item "CAfile = PLIK_CA" plik Centrum Certyfikacji .Sp Opcja pozwala określić położenie pliku zawierającego certyfikaty używane -przez opcję \fIverify\fR. -.IP "\fBcert\fR = plik_pem" 4 -.IX Item "cert = plik_pem" +przez opcję \fIverifyChain\fR lub \fIverifyPeer\fR. +.IP "\fBcert\fR = \s-1PLIK_CERT\s0" 4 +.IX Item "cert = PLIK_CERT" plik z łańcuchem certyfikatów .Sp Opcja określa położenie pliku zawierającego certyfikaty używane przez program \fBstunnel\fR do uwierzytelnienia się przed drugą stroną połączenia. +Plik powinien zawierać kompletny łańcuch certyfikatów począwszy od certyfikatu +klienta/serwera, a skończywszy na samopodpisanym certyfikacie głównego \s-1CA.\s0 +Obsługiwane są pliki w formacie \s-1PEM\s0 lub P12. +.Sp Certyfikat jest konieczny, aby używać programu w trybie serwera. W trybie klienta certyfikat jest opcjonalny. -.IP "\fBciphers\fR = lista_szyfrów" 4 -.IX Item "ciphers = lista_szyfrów" -lista dozwolonych szyfrów \s-1SSL\s0 +.Sp +Jeżeli używane jest sprzętowe urządzenie kryptograficzne, to opcja \fBcert\fR +pozwala wybrać identyfikator używanego certyfikatu. +.IP "\fBcheckEmail\fR = \s-1EMAIL\s0" 4 +.IX Item "checkEmail = EMAIL" +adres email przedstawionego certyfikatu +.Sp +Pojedyncza sekcja może zawierać wiele wystąpień opcji \fBcheckEmail\fR. +Certyfikaty są akceptowane, jeżeli sekcja nie zawiera opcji \fBcheckEmail\fR, +albo adres email przedstawionego certyfikatu pasuje do jednego z adresów +email określonych przy pomocy \fBcheckEmail\fR. +.Sp +Opcja ta wymaga biblioteki OpenSSL w wersji 1.0.2 lub nowszej. 
+.IP "\fBcheckHost\fR = \s-1NAZWA_SERWERA\s0" 4 +.IX Item "checkHost = NAZWA_SERWERA" +nazwa serwera przedstawionego certyfikatu +.Sp +Pojedyncza sekcja może zawierać wiele wystąpień opcji \fBcheckHost\fR. +Certyfikaty są akceptowane, jeżeli sekcja nie zawiera opcji \fBcheckHost\fR, albo +nazwa serwera przedstawionego certyfikatu pasuje do jednego nazw określonych +przy pomocy \fBcheckHost\fR. +.Sp +Opcja ta wymaga biblioteki OpenSSL w wersji 1.0.2 lub nowszej. +.IP "\fBcheckIP\fR = \s-1IP\s0" 4 +.IX Item "checkIP = IP" +adres \s-1IP\s0 przedstawionego certyfikatu +.Sp +Pojedyncza sekcja może zawierać wiele wystąpień opcji \fBcheckIP\fR. Certyfikaty +są akceptowane, jeżeli sekcja nie zawiera opcji \fBcheckIP\fR, albo adres \s-1IP\s0 +przedstawionego certyfikatu pasuje do jednego z adresów \s-1IP\s0 określonych przy +pomocy \fBcheckIP\fR. +.Sp +Opcja ta wymaga biblioteki OpenSSL w wersji 1.0.2 lub nowszej. +.IP "\fBciphers\fR = LISTA_SZYFRÓW" 4 +.IX Item "ciphers = LISTA_SZYFRÓW" +lista dozwolonych szyfrów \s-1TLS\s0 .Sp Parametrem tej opcji jest lista szyfrów, które będą użyte przy -otwieraniu nowych połączeń \s-1SSL\s0, np.: \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0 +otwieraniu nowych połączeń \s-1TLS,\s0 np.: \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0 .IP "\fBclient\fR = yes | no" 4 .IX Item "client = yes | no" -tryb kliencki (zdalna usługa używa \s-1SSL\s0) +tryb kliencki (zdalna usługa używa \s-1TLS\s0) .Sp domyślnie: no (tryb serwerowy) -.IP "\fBconnect\fR = [adres:]port" 4 -.IX Item "connect = [adres:]port" +.IP "\fBconfig\fR = KOMENDA[:PARAMETR]" 4 +.IX Item "config = KOMENDA[:PARAMETR]" +komenda konfiguracyjna \fBOpenSSL\fR +.Sp +Komenda konfiguracyjna \fBOpenSSL\fR zostaje wykonana z podanym parametrem. +Pozwala to na wydawanie komend konfiguracyjnych \fBOpenSSL\fR z pliku +konfiguracyjnego stunnela. Dostępne komendy opisane są w manualu +\&\fI\fISSL_CONF_cmd\fI\|(3ssl)\fR. 
+.Sp +Możliwe jest wyspecyfikowanie wielu opcji \fBOpenSSL\fR przez wielokrotne użycie +komendy \fBconfig\fR. +.Sp +Opcja ta wymaga biblioteki OpenSSL w wersji 1.0.2 lub nowszej. +.IP "\fBconnect\fR = [\s-1HOST:\s0]PORT" 4 +.IX Item "connect = [HOST:]PORT" połącz się ze zdalnym serwerem na podany port .Sp Jeżeli nie został podany adres, \fBstunnel\fR domyślnie łączy się z lokalnym serwerem. .Sp -Komenda może byc użyta wielokrotnie w pojedynczej sekcji +Komenda może być użyta wielokrotnie w pojedynczej sekcji celem zapewnienia wysokiej niezawodności lub rozłożenia ruchu pomiędzy wiele serwerów. -.IP "\fBCRLpath\fR = katalog_CRL" 4 -.IX Item "CRLpath = katalog_CRL" +.IP "\fBCRLpath\fR = \s-1KATALOG_CRL\s0" 4 +.IX Item "CRLpath = KATALOG_CRL" katalog List Odwołanych Certyfikatów (\s-1CRL\s0) .Sp -Opcja określa katalog, w którym \fBstunnel\fR będzie szukał list \s-1CRL\s0, -jeżeli użyta została opcja \fIverify\fR. Pliki z listami \s-1CRL\s0 muszą -posiadać specjalne nazwy \s-1XXXXXXXX\s0.r0, gdzie \s-1XXXXXXXX\s0 jest skrótem -listy \s-1CRL\s0. +Opcja określa katalog, w którym \fBstunnel\fR będzie szukał list \s-1CRL\s0 używanych +przez opcje \fIverifyChain\fR i \fIverifyPeer\fR. Pliki z listami \s-1CRL\s0 muszą posiadać +specjalne nazwy \s-1XXXXXXXX\s0.r0, gdzie \s-1XXXXXXXX\s0 jest skrótem listy \s-1CRL.\s0 .Sp Funkcja skrótu została zmieniona \fBOpenSSL 1.0.0\fR. Należy wykonać c_rehash przy zmianie \fBOpenSSL 0.x.x\fR na \fB1.x.x\fR. .Sp Jeżeli zdefiniowano katalog \fIchroot\fR, to ścieżka do \fICRLpath\fR jest określona względem tego katalogu. -.IP "\fBCRLfile\fR = plik_CRL" 4 -.IX Item "CRLfile = plik_CRL" +.IP "\fBCRLfile\fR = \s-1PLIK_CRL\s0" 4 +.IX Item "CRLfile = PLIK_CRL" plik List Odwołanych Certyfikatów (\s-1CRL\s0) .Sp Opcja pozwala określić położenie pliku zawierającego listy \s-1CRL\s0 używane -przez opcję \fIverify\fR. -.IP "\fBcurve\fR = nid" 4 -.IX Item "curve = nid" +przez opcje \fIverifyChain\fR i \fIverifyPeer\fR. 
+.IP "\fBcurve\fR = \s-1NID\s0" 4 +.IX Item "curve = NID" krzywa dla \s-1ECDH\s0 .Sp Listę dostępnych krzywych można uzyskać poleceniem: 
@@ -430,26 +503,82 @@ Listę dostępnych krzywych można uzyskać poleceniem: .Ve .Sp domyślnie: prime256v1 +.IP "\fBlogId\fR = \s-1TYP\s0" 4 +.IX Item "logId = TYP" +typ identyfikatora połączenia klienta +.Sp +Identyfikator ten pozwala rozróżnić wpisy w logu wygenerowane dla +poszczególnych połączeń. +.Sp +Aktualnie wspierane typy: +.RS 4 +.IP "\fIsequential\fR" 4 +.IX Item "sequential" +Kolejny numer połączenia jest unikalny jedynie w obrębie pojedynczej instancji +programu \fBstunnel\fR, ale bardzo krótki. Jest on szczególnie użyteczny przy +ręcznej analizie logów. +.IP "\fIunique\fR" 4 +.IX Item "unique" +Ten rodzaj identyfikatora jest globalnie unikalny, ale znacznie dłuższy, niż +kolejny numer połączenia. Jest on szczególnie użyteczny przy zautomatyzowanej +analizie logów. +.IP "\fIthread\fR" 4 +.IX Item "thread" +Identyfikator wątku systemu operacyjnego nie jest ani unikalny (nawet w obrębie +pojedynczej instancji programu \fBstunnel\fR), ani krótki. Jest on szczególnie +użyteczny przy diagnozowaniu problemów z oprogramowaniem lub konfiguracją. +.IP "\fIprocess\fR" 4 +.IX Item "process" +Identyfikator procesu (\s-1PID\s0) może być użyteczny w trybie inetd. +.RE +.RS 4 +.Sp +domyślnie: sequential +.RE +.IP "\fBdebug\fR = \s-1POZIOM\s0" 4 +.IX Item "debug = POZIOM" +szczegółowość logowania +.Sp +Poziom logowania można określić przy pomocy jednej z nazw lub liczb: +emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), +info (6) lub debug (7). +Zapisywane są komunikaty o poziomie niższym (numerycznie) lub równym podanemu. +Do uzyskania najwyższego poziomu szczegółowości można użyć opcji +\&\fIdebug = debug\fR lub \fIdebug = 7\fR. Domyślnym poziomem jest notice (5). 
.IP "\fBdelay\fR = yes | no" 4 .IX Item "delay = yes | no" opóźnij rozwinięcie adresu \s-1DNS\s0 podanego w opcji \fIconnect\fR .Sp -Opcja jest przydatna przy dynamicznym \s-1DNS\s0, albo gdy usługa \s-1DNS\s0 nie jest -dostępna przy starcie programu \fBstunnel\fR (klient \s-1VPN\s0, połączenie wdzwaniane). -.IP "\fBengineNum\fR = " 4 -.IX Item "engineNum = " -wybierz urządzenie do odczyta klucza prywatnego +Opcja jest przydatna przy dynamicznym \s-1DNS,\s0 albo gdy usługa \s-1DNS\s0 nie jest +dostępna przy starcie programu \fBstunnel\fR (klient \s-1VPN,\s0 połączenie wdzwaniane). +.Sp +Opóźnione rozwijanie adresu \s-1DNS\s0 jest włączane automatycznie, jeżeli nie +powiedzie się rozwinięcie któregokolwiek z adresów \fIconnect\fR dla danej +usługi. +.Sp +Opóźnione rozwijanie adresu automatycznie aktywuje \fIfailover = prio\fR. +.Sp +default: no +.IP "\fBengineId\fR = NUMER_URZĄDZENIA" 4 +.IX Item "engineId = NUMER_URZĄDZENIA" +wybierz urządzenie dla usługi +.IP "\fBengineNum\fR = NUMER_URZĄDZENIA" 4 +.IX Item "engineNum = NUMER_URZĄDZENIA" +wybierz urządzenie dla usługi .Sp Urządzenia są numerowane od 1 w górę. -.IP "\fBexec\fR = ścieżka_do_programu" 4 -.IX Item "exec = ścieżka_do_programu" +.IP "\fBexec\fR = ŚCIEŻKA_DO_PROGRAMU" 4 +.IX Item "exec = ŚCIEŻKA_DO_PROGRAMU" wykonaj lokalny program przystosowany do pracy z superdemonem inetd .Sp Jeżeli zdefiniowano katalog \fIchroot\fR, to ścieżka do \fIexec\fR jest określona względem tego katalogu. -.ie n .IP "\fBexecargs\fR = $0 $1 $2 ..." 4 -.el .IP "\fBexecargs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ..." 4 -.IX Item "execargs = $0 $1 $2 ..." +.Sp +Na platformach Unix ustawiane są następujące zmienne środowiskowe: +\&\s-1REMOTE_HOST, REMOTE_PORT, SSL_CLIENT_DN, SSL_CLIENT_I_DN.\s0 +.ie n .IP "\fBexecArgs\fR = $0 $1 $2 ..." 4 +.el .IP "\fBexecArgs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ..." 4 +.IX Item "execArgs = $0 $1 $2 ..." 
argumenty do opcji \fIexec\fR włącznie z nazwą programu ($0) .Sp Cytowanie nie jest wspierane w obecnej wersji programu. @@ -457,18 +586,28 @@ Argumenty są rozdzielone dowolną liczbą białych znaków. .IP "\fBfailover\fR = rr | prio" 4 .IX Item "failover = rr | prio" Strategia wybierania serwerów wyspecyfikowanych parametrami \*(L"connect\*(R". -.Sp -.Vb 2 -\& rr (round robin) \- sprawiedliwe rozłożenie obciążenia -\& prio (priority) \- użyj kolejności opcji w pliku konfiguracyjnym -.Ve +.RS 4 +.IP "\fIrr\fR" 4 +.IX Item "rr" +round robin \- sprawiedliwe rozłożenie obciążenia +.IP "\fIprio\fR" 4 +.IX Item "prio" +priority \- użyj kolejności opcji w pliku konfiguracyjnym +.RE +.RS 4 .Sp domyślnie: rr -.IP "\fBident\fR = nazwa_użytkownika" 4 -.IX Item "ident = nazwa_użytkownika" -weryfikuj nazwę zdalnego użytkownika korzystając z protokołu \s-1IDENT\s0 (\s-1RFC\s0 1413) -.IP "\fBkey\fR = plik_klucza" 4 -.IX Item "key = plik_klucza" +.RE +.IP "\fBident\fR = NAZWA_UŻYTKOWNIKA" 4 +.IX Item "ident = NAZWA_UŻYTKOWNIKA" +weryfikuj nazwę zdalnego użytkownika korzystając z protokołu \s-1IDENT \s0(\s-1RFC 1413\s0) +.IP "\fBinclude\fR = \s-1KATALOG\s0" 4 +.IX Item "include = KATALOG" +wczytaj fragmenty plików konfiguracyjnych z podanego katalogu +.Sp +Pliki są wczytywane w rosnącej kolejności alfabetycznej ich nazw. +.IP "\fBkey\fR = \s-1PLIK_KLUCZA\s0" 4 +.IX Item "key = PLIK_KLUCZA" klucz prywatny do certyfikatu podanego w opcji \fIcert\fR .Sp Klucz prywatny jest potrzebny do uwierzytelnienia właściciela certyfikatu. 
@@ -480,27 +619,274 @@ komendą: \& chmod 600 keyfile .Ve .Sp +Jeżeli używane jest sprzętowe urządzenie kryptograficzne, to opcja \fBkey\fR +pozwala wybrać identyfikator używanego klucza prywatnego. +.Sp domyślnie: wartość opcji \fIcert\fR .IP "\fBlibwrap\fR = yes | no" 4 .IX Item "libwrap = yes | no" włącz lub wyłącz korzystanie z /etc/hosts.allow i /etc/hosts.deny. .Sp -domyślnie: yes -.IP "\fBlocal\fR = serwer" 4 -.IX Item "local = serwer" +domyślnie: no (od wersji 5.00) +.IP "\fBlocal\fR = \s-1HOST\s0" 4 +.IX Item "local = HOST" \&\s-1IP\s0 źródła do nawiązywania zdalnych połączeń .Sp Domyślnie używane jest \s-1IP\s0 najbardziej zewnętrznego interfejsu w stronę serwera, do którego nawiązywane jest połączenie. -.IP "\fBsni\fR = nazwa_usługi:wzorzec_nazwy_serwera (tryb serwera)" 4 -.IX Item "sni = nazwa_usługi:wzorzec_nazwy_serwera (tryb serwera)" -Użyj usługi jako podrzędnej (virtualnego serwera) dla rozszerzenia \s-1TLS\s0 Server -Name Indication (\s-1RFC\s0 3546). +.IP "\fB\s-1OCSP\s0\fR = \s-1URL\s0" 4 +.IX Item "OCSP = URL" +responder \s-1OCSP\s0 do weryfikacji certyfikatów +.IP "\fBOCSPaia\fR = yes | no" 4 +.IX Item "OCSPaia = yes | no" +weryfikuj certyfikaty przy użyciu respondertów \s-1AIA\s0 .Sp -\&\fInazwa_usługi\fR wskazuje usługę nadrzędną, która odbiera połączenia od klientów -przy pomocy opcji \fIaccept\fR. \fIwzorzec_nazwy_serwera\fR wskazuje nazwę serwera -wirtualnego. Wzorzec może zaczynać się znakiem '*', np. '*.example.com". -Z pojedyńczą usługą nadrzędną powiązane jest zwykle wiele usług podrzędnych. +Opcja \fIOCSPaia\fR pozwala na weryfikowanie certyfikatów przy pomocy listy URLi +responderów \s-1OCSP\s0 przesłanych w rozszerzeniach \s-1AIA \s0(Authority Information Access). 
+.IP "\fBOCSPflag\fR = \s-1FLAGA_OCSP\s0" 4
+.IX Item "OCSPflag = FLAGA_OCSP"
+flaga respondera \s-1OCSP\s0
+.Sp
+Aktualnie wspierane flagi: \s-1NOCERTS, NOINTERN, NOSIGS, NOCHAIN, NOVERIFY,
+NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME\s0
+.Sp
+Aby wyspecyfikować kilka flag należy użyć \fIOCSPflag\fR wielokrotnie.
+.IP "\fBOCSPnonce\fR = yes | no" 4
+.IX Item "OCSPnonce = yes | no"
+wysyłaj i weryfikuj \s-1OCSP\s0 nonce
+.Sp
+Opcja \fBOCSPnonce\fR zabezpiecza protokół \s-1OCSP\s0 przed atakami powtórzeniowymi.
+Ze względu na złożoność obliczeniową rozszerzenie nonce jest zwykle wspierane
+jedynie przez wewnętrzne (np. korporacyjne), a nie przez publiczne respondery
+\&\s-1OCSP.\s0
+.IP "\fBoptions\fR = \s-1OPCJE_SSL\s0" 4
+.IX Item "options = OPCJE_SSL"
+opcje biblioteki \fBOpenSSL\fR
+.Sp
+Parametrem jest nazwa opcji zgodnie z opisem w \fI\fISSL_CTX_set_options\fI\|(3ssl)\fR,
+ale bez przedrostka \fI\s-1SSL_OP_\s0\fR.
+\&\fIstunnel \-options\fR wyświetla opcje dozwolone w aktualnej kombinacji
+programu \fIstunnel\fR i biblioteki \fIOpenSSL\fR.
+.Sp
+Aby wyspecyfikować kilka opcji należy użyć \fIoptions\fR wielokrotnie.
+Nazwa opcji może być poprzedzona myślnikiem (\*(L"\-\*(R") celem wyłączenia opcji.
+.Sp
+Na przykład, dla zachowania kompatybilności z błędami implementacji \s-1TLS\s0
+w programie Eudora, można użyć opcji:
+.Sp
+.Vb 1
+\& options = DONT_INSERT_EMPTY_FRAGMENTS
+.Ve
+.Sp
+domyślnie:
+.Sp
+.Vb 2
+\& options = NO_SSLv2
+\& options = NO_SSLv3
+.Ve
+.IP "\fBprotocol\fR = PROTOKÓŁ" 4
+.IX Item "protocol = PROTOKÓŁ"
+negocjuj \s-1TLS\s0 podanym protokołem aplikacyjnym
+.Sp
+Opcja ta włącza wstępną negocjację szyfrowania \s-1TLS\s0 dla wybranego protokołu
+aplikacyjnego.
+Opcji \fIprotocol\fR nie należy używać z szyfrowaniem \s-1TLS\s0 na osobnym porcie.
+.Sp
+Aktualnie wspierane protokoły:
+.RS 4
+.IP "\fIcifs\fR" 4
+.IX Item "cifs"
+Nieudokumentowane rozszerzenie protokołu \s-1CIFS\s0 wspierane przez serwer Samba.
+Wsparcie dla tego rozrzeczenia zostało zarzucone w wersji 3.0.0 serwera Samba.
+.IP "\fIconnect\fR" 4
+.IX Item "connect"
+Negocjacja \s-1RFC 2817 \- \s0\fIUpgrading to \s-1TLS\s0 Within \s-1HTTP/1.1\s0\fR, rozdział 5.2 \- \fIRequesting a Tunnel with \s-1CONNECT\s0\fR
+.Sp
+Ten protokół jest wspierany wyłącznie w trybie klienckim.
+.IP "\fIimap\fR" 4
+.IX Item "imap"
+Negocjacja \s-1RFC 2595 \- \s0\fIUsing \s-1TLS\s0 with \s-1IMAP, POP3\s0 and \s-1ACAP\s0\fR
+.IP "\fInntp\fR" 4
+.IX Item "nntp"
+Negocjacja \s-1RFC 4642 \- \s0\fIUsing Transport Layer Security (\s-1TLS\s0) with Network News Transfer Protocol (\s-1NNTP\s0)\fR
+.Sp
+Ten protokół jest wspierany wyłącznie w trybie klienckim.
+.IP "\fIpgsql\fR" 4
+.IX Item "pgsql"
+Negocjacja http://www.postgresql.org/docs/8.3/static/protocol\-flow.html#AEN73982
+.IP "\fIpop3\fR" 4
+.IX Item "pop3"
+Negocjacja \s-1RFC 2449 \- \s0\fI\s-1POP3\s0 Extension Mechanism\fR
+.IP "\fIproxy\fR" 4
+.IX Item "proxy"
+Przekazywanie adresu \s-1IP\s0 haproxy http://haproxy.1wt.eu/download/1.5/doc/proxy\-protocol.txt
+.IP "\fIsmtp\fR" 4
+.IX Item "smtp"
+Negocjacja \s-1RFC 2487 \- \s0\fI\s-1SMTP\s0 Service Extension for Secure \s-1SMTP\s0 over \s-1TLS\s0\fR
+.IP "\fIsocks\fR" 4
+.IX Item "socks"
+Wspierany jest protokół \s-1SOCKS\s0 w wersjach 4, 4a i 5.
+Protokół \s-1SOCKS\s0 enkapsulowany jest w protokole \s-1TLS,\s0 więc adres serwera
+docelowego nie jest widoczny dla napastnika przechwytującego ruch sieciowy.
+.Sp
+\&\fIhttp://www.openssh.com/txt/socks4.protocol\fR
+.Sp
+\&\fIhttp://www.openssh.com/txt/socks4a.protocol\fR
+.Sp
+Nie jest wspierana komenda \s-1BIND\s0 protokołu \s-1SOCKS.\s0
+Przesłana wartość parametru \s-1USERID\s0 jest ignorowana.
+.Sp
+Sekcja PRZYKŁADY zawiera przykładowe pliki konfiguracyjne VPNa zbudowanego
+w oparciu o szyfrowany protokół \s-1SOCKS.\s0
+.RE
+.RS 4
+.RE
+.IP "\fBprotocolAuthentication\fR = \s-1UWIERZYTELNIENIE\s0" 4
+.IX Item "protocolAuthentication = UWIERZYTELNIENIE"
+rodzaj uwierzytelnienia do negocjacji protokołu
+.Sp
+Opcja ta jest wpierana wyłącznie w klienckich protokołach 'connect' i 'smtp'.
+.Sp
+W protokole 'connect' wspierane jest uwierzytelnienie 'basic' oraz 'ntlm'.
+Domyślnym rodzajem uwierzytelnienia protokołu 'connect' jest 'basic'.
+.Sp
+W protokole 'smtp' wspierane jest uwierzytelnienie 'plain' oraz 'login'.
+Domyślnym rodzajem uwierzytelnienia protokołu 'smtp' jest 'plain'.
+.IP "\fBprotocolDomain\fR = \s-1DOMENA\s0" 4
+.IX Item "protocolDomain = DOMENA"
+domena do negocjacji protokołu
+.Sp
+W obecnej wersji wybrana domena ma zastosowanie wyłącznie w protokole 'connect'.
+.IP "\fBprotocolHost\fR = \s-1HOST:PORT\s0" 4
+.IX Item "protocolHost = HOST:PORT"
+adres docelowy do negocjacji protokołu
+.Sp
+\&\fIprotocolHost\fR określa docelowy serwer \s-1TLS,\s0 do którego połączyć ma się proxy.
+Nie jest to adres serwera proxy, do którego połączenie zestawia \fBstunnel\fR.
+Adres serwera proxy powinien być określony przy pomocy opcji 'connect'.
+.Sp
+W obecnej wersji adres docelowy protokołu ma zastosowanie wyłącznie w protokole
+\&'connect'.
+.IP "\fBprotocolPassword\fR = HASŁO" 4
+.IX Item "protocolPassword = HASŁO"
+hasło do negocjacji protokołu
+.Sp
+Opcja ta jest wspierana wyłącznie w klienckich protokołach 'connect' i 'smtp'.
+.IP "\fBprotocolUsername\fR = UŻYTKOWNIK" 4
+.IX Item "protocolUsername = UŻYTKOWNIK"
+nazwa użytkownika do negocjacji protokołu
+.Sp
+Opcja ta jest wspierana wyłącznie w klienckich protokołach 'connect' i 'smtp'.
+.IP "\fBPSKidentity\fR = TOŻSAMOŚĆ" 4
+.IX Item "PSKidentity = TOŻSAMOŚĆ"
+tożsamość klienta \s-1PSK\s0
+.Sp
+\&\fIPSKidentity\fR może zostać użyte w sekcjach klienckich do wybrania
+tożsamości użytej do uwierzytelnienia \s-1PSK.\s0
+Opcja jest ignorowana w sekcjach serwerowych.
+.Sp
+domyślnie: pierwsza tożsamość zdefiniowana w pliku \fIPSKsecrets\fR
+.IP "\fBPSKsecrets\fR = \s-1PLIK\s0" 4
+.IX Item "PSKsecrets = PLIK"
+plik z tożsamościami i kluczami \s-1PSK\s0
+.Sp
+Każda linia pliku jest w następującym formacie:
+.Sp
+.Vb 1
+\& TOŻSAMOŚĆ:KLUCZ
+.Ve
+.Sp
+Klucz musi być mieć przynajmniej 20 znaków.
+Należy ograniczyć dostęp do czytania lub pisania do tego pliku.
+.IP "\fBpty\fR = yes | no (tylko Unix)" 4
+.IX Item "pty = yes | no (tylko Unix)"
+alokuj pseudoterminal dla programu uruchamianego w opcji 'exec'
+.IP "\fBredirect\fR = [\s-1HOST:\s0]PORT" 4
+.IX Item "redirect = [HOST:]PORT"
+przekieruj klienta, któremu nie udało się poprawnie uwierzytelnić przy pomocy certyfikatu
+.Sp
+Opcja działa wyłącznie w trybie serwera.
+Część negocjacji protokołów jest niekompatybilna z opcją \fIredirect\fR.
+.IP "\fBrenegotiation\fR = yes | no" 4
+.IX Item "renegotiation = yes | no"
+pozwalaj na renegocjację \s-1TLS\s0
+.Sp
+Zastosowania renegocjacji \s-1TLS\s0 zawierają niektóre scenariusze uwierzytelniania oraz renegocjację kluczy dla długotrwałych połączeń.
+.Sp
+Z drugiej strony własność na może ułatwić trywialny atak DoS poprzez
+wygenerowanie obciążenia procesora:
+.Sp
+http://vincent.bernat.im/en/blog/2011\-ssl\-dos\-mitigation.html
+.Sp
+Warto zauważyć, że zablokowanie renegocjacji \s-1TLS\s0 nie zebezpiecza w pełni
+przed opisanym problemem.
+.Sp
+domyślnie: yes (o ile wspierane przez \fBOpenSSL\fR)
+.IP "\fBreset\fR = yes | no" 4
+.IX Item "reset = yes | no"
+sygnalizuj wystąpienie błędu przy pomocy flagi \s-1TCP RST\s0
+.Sp
+Opcja nie jest wspierana na niektórych platformach.
+.Sp
+domyślnie: yes
+.IP "\fBretry\fR = yes | no" 4
+.IX Item "retry = yes | no"
+połącz ponownie sekcję connect+exec po rozłączeniu
+.Sp
+domyślnie: no
+.IP "\fBrequireCert\fR = yes | no" 4
+.IX Item "requireCert = yes | no"
+wymagaj certyfikatu klienta dla \fIverifyChain\fR lub \fIverifyPeer\fR
+.Sp
+Przy opcji \fIrequireCert\fR ustawionej na \fIno\fR, \fBstunnel\fR akceptuje
+połączenia klientów, które nie wysłały certyfikatu.
+.Sp
+Zarówno \fIverifyChain = yes\fR jak i \fIverifyPeer = yes\fR
+automatycznie ustawiają \fIrequireCert\fR na \fIyes\fR.
+.Sp
+domyślnie: no
+.IP "\fBsetgid\fR = \s-1IDENTYFIKATOR_GRUPY \s0(tylko Unix)" 4
+.IX Item "setgid = IDENTYFIKATOR_GRUPY (tylko Unix)"
+identyfikator grupy Unix
+.Sp
+Jako opcja globalna: grupa, z której prawami pracował będzie \fBstunnel\fR.
+.Sp
+Jako opcja usługi: grupa gniazda Unix utworzonego przy pomocy opcji \*(L"accept\*(R".
+.IP "\fBsetuid\fR = IDENTYFIKATOR_UŻYTKOWNIKA (tylko Unix)" 4
+.IX Item "setuid = IDENTYFIKATOR_UŻYTKOWNIKA (tylko Unix)"
+identyfikator użytkownika Unix
+.Sp
+Jako opcja globalna: użytkownik, z którego prawami pracował będzie \fBstunnel\fR.
+.Sp
+Jako opcja usługi: właściciel gniazda Unix utworzonego przy pomocy opcji \*(L"accept\*(R".
+.IP "\fBsessionCacheSize\fR = \s-1LICZBA_POZYCJI_CACHE\s0" 4
+.IX Item "sessionCacheSize = LICZBA_POZYCJI_CACHE"
+rozmiar pamięci podręcznej sesji \s-1TLS\s0
+.Sp
+Parametr określa maksymalną liczbę pozycji wewnętrznej pamięci podręcznej
+sesji.
+.Sp
+Wartość 0 oznacza brak ograniczenia rozmiaru. Nie jest to zalecane dla
+systemów produkcyjnych z uwagi na ryzyko ataku DoS przez wyczerpanie pamięci
+\&\s-1RAM.\s0
+.IP "\fBsessionCacheTimeout\fR = \s-1LICZBA_SEKUND\s0" 4
+.IX Item "sessionCacheTimeout = LICZBA_SEKUND"
+przeterminowanie pamięci podręcznej sesji \s-1TLS\s0
+.Sp
+Parametr określa czas w sekundach, po którym sesja \s-1TLS\s0 zostanie usunięta z
+pamięci podręcznej.
+.IP "\fBsessiond\fR = \s-1HOST:PORT\s0" 4 +.IX Item "sessiond = HOST:PORT" +adres sessiond \- servera cache sesji \s-1TLS\s0 +.IP "\fBsni\fR = NAZWA_USŁUGI:WZORZEC_NAZWY_SERWERA (tryb serwera)" 4 +.IX Item "sni = NAZWA_USŁUGI:WZORZEC_NAZWY_SERWERA (tryb serwera)" +Użyj usługi jako podrzędnej (virtualnego serwera) dla rozszerzenia \s-1TLS\s0 Server +Name Indication (\s-1RFC 3546\s0). +.Sp +\&\fINAZWA_USŁUGI\fR wskazuje usługę nadrzędną, która odbiera połączenia od klientów +przy pomocy opcji \fIaccept\fR. \fI\s-1WZORZEC_NAZWY_SERWERA\s0\fR wskazuje nazwę serwera +wirtualnego. Wzorzec może zaczynać się znakiem '*', np. '*.example.com". Z +pojedyńczą usługą nadrzędną powiązane jest zwykle wiele usług podrzędnych. Opcja \fIsni\fR może być rownież użyta wielokrotnie w ramach jednej usługi podrzędnej. .Sp 
@@ -509,180 +895,47 @@ klienckim. .Sp Opcja \fIconnect\fR usługi podrzędnej jest ignorowana w połączeniu z opcją \&\fIprotocol\fR, gdyż połączenie do zdalnego serwera jest w tym wypadku nawiązywane -przed negocjacją \s-1TLS\s0. +przed negocjacją \s-1TLS.\s0 .Sp Uwierzytelnienie przy pomocy biblioteki libwrap jest realizowane dwukrotnie: -najpierw dla usługi nadrzędnej po odebraniu połączenia \s-1TCP\s0, a następnie dla -usługi podrzędnej podczas negocjacji \s-1TLS\s0. +najpierw dla usługi nadrzędnej po odebraniu połączenia \s-1TCP,\s0 a następnie dla +usługi podrzędnej podczas negocjacji \s-1TLS.\s0 .Sp Opcja \fIsni\fR jest dostępna począwszy od \fBOpenSSL 1.0.0\fR. -.IP "\fBsni\fR = nazwa_serwera (tryb klienta)" 4 -.IX Item "sni = nazwa_serwera (tryb klienta)" +.IP "\fBsni\fR = \s-1NAZWA_SERWERA \s0(tryb klienta)" 4 +.IX Item "sni = NAZWA_SERWERA (tryb klienta)" Użyj parametru jako wartości rozszerzenia \s-1TLS\s0 Server Name Indication -(\s-1RFC\s0 3546). +(\s-1RFC 3546\s0). +.Sp +Pusta wartość parametru \s-1NAZWA_SERWERA\s0 wyłącza wysyłanie rozszerzenia \s-1SNI.\s0 .Sp Opcja \fIsni\fR jest dostępna począwszy od \fBOpenSSL 1.0.0\fR. -.IP "\fB\s-1OCSP\s0\fR = \s-1URL\s0" 4 -.IX Item "OCSP = URL" -serwer \s-1OCSP\s0 do weryfikacji certyfikatów -.IP "\fBOCSPflag\fR = flaga" 4 -.IX Item "OCSPflag = flaga" -flaga serwera \s-1OCSP\s0 +.IP "\fBsslVersion\fR = \s-1WERSJA_SSL\s0" 4 +.IX Item "sslVersion = WERSJA_SSL" +wersja protokołu \s-1TLS\s0 .Sp -aktualnie wspierane flagi: \s-1NOCERTS\s0, \s-1NOINTERN\s0 \s-1NOSIGS\s0, \s-1NOCHAIN\s0, \s-1NOVERIFY\s0, -\&\s-1NOEXPLICIT\s0, \s-1NOCASIGN\s0, \s-1NODELEGATED\s0, \s-1NOCHECKS\s0, \s-1TRUSTOTHER\s0, \s-1RESPID_KEY\s0, \s-1NOTIME\s0 +Wspierane opcje: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 .Sp -Aby wyspecyfikować kilka flag należy użyć \fIOCSPflag\fR wielokrotnie. 
-.IP "\fBoptions\fR = opcje_SSL" 4 -.IX Item "options = opcje_SSL" -opcje biblioteki \fBOpenSSL\fR +Dostępność konkretnych protokołów zależy od użytej wersji OpenSSL. +Starsze wersje OpenSSL nie wspierają TLSv1.1 i TLSv1.2. +Nowsze wersje OpenSSL nie wspierają SSLv2. .Sp -Parametrem jest nazwa opcji zgodnie z opisem w \fI\fISSL_CTX_set_options\fI\|(3ssl)\fR, -ale bez przedrostka \fI\s-1SSL_OP_\s0\fR. -Aby wyspecyfikować kilka opcji należy użyć \fIoptions\fR wielokrotnie. -.Sp -Na przykład dla zachowania kompatybilności z błędami implementacji \s-1SSL\s0 -w programie Eudora można użyć opcji: -.Sp -.Vb 1 -\& options = DONT_INSERT_EMPTY_FRAGMENTS -.Ve -.IP "\fBprotocol\fR = protokół" 4 -.IX Item "protocol = protokół" -negocjuj \s-1SSL\s0 podanym protokołem aplikacyjnym -.Sp -Opcja ta włącza wstępną negocjację szyfrowania \s-1SSL\s0 dla wybranego protokołu -aplikacyjnego. -Opcji \fIprotocol\fR nie należy używać z szyfrowaniem \s-1SSL\s0 na osobnym porcie. -.Sp -Aktualnie wspierane protokoły: -.RS 4 -.IP "\fIcifs\fR" 4 -.IX Item "cifs" -Unieudokumentowane rozszerzenie protokołu \s-1CIFS\s0 wspierane przez serwer Samba. -Wsparcie dla tego rozrzeczenia zostało zarzucone w wersji 3.0.0 serwera Samba. -.IP "\fIconnect\fR" 4 -.IX Item "connect" -Negocjacja \s-1RFC\s0 2817 \- \fIUpgrading to \s-1TLS\s0 Within \s-1HTTP/1\s0.1\fR, rozdział 5.2 \- \fIRequesting a Tunnel with \s-1CONNECT\s0\fR -.Sp -Ten protokół jest wspierany wyłącznie w trybie klienckim. -.IP "\fIimap\fR" 4 -.IX Item "imap" -Negocjacja \s-1RFC\s0 2595 \- \fIUsing \s-1TLS\s0 with \s-1IMAP\s0, \s-1POP3\s0 and \s-1ACAP\s0\fR -.IP "\fInntp\fR" 4 -.IX Item "nntp" -Negocjacja \s-1RFC\s0 4642 \- \fIUsing Transport Layer Security (\s-1TLS\s0) with Network News Transfer Protocol (\s-1NNTP\s0)\fR -.Sp -Ten protokół jest wspierany wyłącznie w trybie klienckim. 
-.IP "\fIpgsql\fR" 4 -.IX Item "pgsql" -Negocjacja http://www.postgresql.org/docs/8.3/static/protocol\-flow.html#AEN73982 -.IP "\fIpop3\fR" 4 -.IX Item "pop3" -Negocjacja \s-1RFC\s0 2449 \- \fI\s-1POP3\s0 Extension Mechanism\fR -.IP "\fIproxy\fR" 4 -.IX Item "proxy" -Przekazywanie adresu \s-1IP\s0 haproxy http://haproxy.1wt.eu/download/1.5/doc/proxy\-protocol.txt -.IP "\fIsmtp\fR" 4 -.IX Item "smtp" -Negocjacja \s-1RFC\s0 2487 \- \fI\s-1SMTP\s0 Service Extension for Secure \s-1SMTP\s0 over \s-1TLS\s0\fR -.RE -.RS 4 -.RE -.IP "\fBprotocolAuthentication\fR = uwierzytelnienie" 4 -.IX Item "protocolAuthentication = uwierzytelnienie" -rodzaj uwierzytelnienia do negocjacji protokołu -.Sp -aktualnie wspierane: basic, \s-1NTLM\s0 -.Sp -Obecnie typ uwierzytelnienia ma zastosowanie wyłącznie w protokole 'connect'. -.Sp -domyślnie: basic -.IP "\fBprotocolHost\fR = adres:port" 4 -.IX Item "protocolHost = adres:port" -adres docelowy do negocjacji protokołu -.Sp -\&\fIprotocolHost\fR określa docelowy serwer \s-1SSL\s0, do którego połączyć ma się proxy. -Nie jest to adres serwera proxy, do którego połączenie zestawia \fBstunnel\fR. -Adres serwera proxy powinien być określony przy pomocy opcji 'connect'. -.Sp -W obecnej wersji adres docelowy protokołu ma zastosowanie wyłącznie w protokole -\&'connect'. -.IP "\fBprotocolPassword\fR = hasło" 4 -.IX Item "protocolPassword = hasło" -hasło do negocjacji protokołu -.IP "\fBprotocolUsername\fR = użytkownik" 4 -.IX Item "protocolUsername = użytkownik" -nazwa użytkownika do negocjacji protokołu -.IP "\fBpty\fR = yes | no (tylko Unix)" 4 -.IX Item "pty = yes | no (tylko Unix)" -alokuj pseudoterminal dla programu uruchamianego w opcji 'exec' -.IP "\fBrenegotiation\fR = yes | no" 4 -.IX Item "renegotiation = yes | no" -pozwalaj na renegocjację \s-1SSL\s0 -.Sp -Wśród zastosowań renegocjacji \s-1SSL\s0 są niektóre scenariusze uwierzytelnienia, -oraz renegocjacja kluczy dla długotrwałych połączeń. 
-.Sp -Z drugiej strony własność na może ułatwić trywialny atak DoS poprzez -wygenerowanie obciążenia procesora: -.Sp -http://vincent.bernat.im/en/blog/2011\-ssl\-dos\-mitigation.html -.Sp -Warto zauważyć, że zablokowanie renegocjacji \s-1SSL\s0 nie zebezpiecza w pełni -przed opisanym problemem. -.Sp -domyślnie: yes (o ile wspierane przez \fBOpenSSL\fR) -.IP "\fBreset\fR = yes | no" 4 -.IX Item "reset = yes | no" -sygnalizuj wystąpienie błędu przy pomocy flagi \s-1TCP\s0 \s-1RST\s0 -.Sp -Ta opcja nie jest wspierana na niektórych platformach. -.Sp -domyślnie: yes -.IP "\fBretry\fR = yes | no" 4 -.IX Item "retry = yes | no" -połącz ponownie sekcję connect+exec po rozłączeniu -.Sp -domyślnie: no -.IP "\fBsessionCacheSize\fR = rozmiar" 4 -.IX Item "sessionCacheSize = rozmiar" -rozmiar pamięci podręcznej sesji \s-1SSL\s0 -.Sp -Parametr określa maksymalną liczbę pozycji wewnętrznej pamięci podręcznej -sesji. -.Sp -Wartość 0 oznacza brak ograniczenia rozmiaru. Nie jest to zalecane dla -systemów produkcyjnych z uwagi na ryzyko ataku DoS przez wyczerpanie pamięci -\&\s-1RAM\s0. -.IP "\fBsessionCacheTimeout\fR = czas" 4 -.IX Item "sessionCacheTimeout = czas" -przeterminowanie pamięci podręcznej sesji \s-1SSL\s0 -.Sp -Parametr określa czas w sekundach, po którym sesja \s-1SSL\s0 zostanie usunięta z -pamięci podręcznej. -.IP "\fBsessiond\fR = adres:port" 4 -.IX Item "sessiond = adres:port" -adres sessiond \- servera cache sesji \s-1SSL\s0 -.IP "\fBsslVersion\fR = wersja" 4 -.IX Item "sslVersion = wersja" -wersja protokołu \s-1SSL\s0 -.Sp -Dozwolone opcje: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 -.IP "\fBstack\fR = liczba_bajtów (z wyjątkiem modelu \s-1FORK\s0)" 4 -.IX Item "stack = liczba_bajtów (z wyjątkiem modelu FORK)" +Przestarzałe protokoły SSLv2 i SSLv3 są domyślnie wyłączone. +Szczegółowe informacje dostępne są w opisie opcji \fBoptions\fR. 
+.IP "\fBstack\fR = LICZBA_BAJTÓW (z wyjątkiem modelu \s-1FORK\s0)" 4 +.IX Item "stack = LICZBA_BAJTÓW (z wyjątkiem modelu FORK)" rozmiar stosu procesora wątku -.IP "\fBTIMEOUTbusy\fR = liczba_sekund" 4 -.IX Item "TIMEOUTbusy = liczba_sekund" +.IP "\fBTIMEOUTbusy\fR = \s-1LICZBA_SEKUND\s0" 4 +.IX Item "TIMEOUTbusy = LICZBA_SEKUND" czas oczekiwania na spodziewane dane -.IP "\fBTIMEOUTclose\fR = liczba_sekund" 4 -.IX Item "TIMEOUTclose = liczba_sekund" +.IP "\fBTIMEOUTclose\fR = \s-1LICZBA_SEKUND\s0" 4 +.IX Item "TIMEOUTclose = LICZBA_SEKUND" czas oczekiwania na close_notify (ustaw na 0, jeżeli klientem jest \s-1MSIE\s0) -.IP "\fBTIMEOUTconnect\fR = liczba_sekund" 4 -.IX Item "TIMEOUTconnect = liczba_sekund" +.IP "\fBTIMEOUTconnect\fR = \s-1LICZBA_SEKUND\s0" 4 +.IX Item "TIMEOUTconnect = LICZBA_SEKUND" czas oczekiwania na nawiązanie połączenia -.IP "\fBTIMEOUTidle\fR = liczba_sekund" 4 -.IX Item "TIMEOUTidle = liczba_sekund" +.IP "\fBTIMEOUTidle\fR = \s-1LICZBA_SEKUND\s0" 4 +.IX Item "TIMEOUTidle = LICZBA_SEKUND" maksymalny czas utrzymywania bezczynnego połączenia .IP "\fBtransparent\fR = none | source | destination | both (tylko Unix)" 4 .IX Item "transparent = none | source | destination | both (tylko Unix)" 
@@ -743,17 +996,28 @@ Przykładowana konfiguracja przezroczystego adresu docelowego: .Sp .Vb 4 \& [transparent] -\& client=yes -\& accept= -\& transparent=destination +\& client = yes +\& accept = +\& transparent = destination .Ve .Sp -Konfiguracja wymaga następujących ustawień iptables -(na przykład w pliku /etc/rc.local lub analogicznym): +Konfiguracja wymaga ustawień iptables, na przykład w pliku +/etc/rc.local lub analogicznym. .Sp -.Vb 2 +W przypadku docelowej usługi umieszczonej na tej samej maszynie: +.Sp +.Vb 3 +\& /sbin/iptables \-t nat \-I OUTPUT \-p tcp \-\-dport \e +\& \-m ! \-\-uid\-owner \e +\& \-j DNAT \-\-to\-destination : +.Ve +.Sp +W przypadku docelowej usługi umieszczonej na zdalnej maszynie: +.Sp +.Vb 3 \& /sbin/iptables \-I INPUT \-i eth0 \-p tcp \-\-dport \-j ACCEPT -\& /sbin/iptables \-t nat \-I PREROUTING \-i eth0 \-p tcp \-\-dport \-j DNAT \-\-to\-destination : +\& /sbin/iptables \-t nat \-I PREROUTING \-p tcp \-\-dport \e +\& \-i eth0 \-j DNAT \-\-to\-destination : .Ve .Sp Przezroczysty adres docelowy jest aktualnie wspierany wyłącznie w systemie Linux. @@ -774,9 +1038,12 @@ Opcja została przemianowana na \fInone\fR. .RE .RS 4 .RE -.IP "\fBverify\fR = poziom" 4 -.IX Item "verify = poziom" +.IP "\fBverify\fR = \s-1POZIOM\s0" 4 +.IX Item "verify = POZIOM" weryfikuj certyfikat drugiej strony połączenia +.Sp +Opcja ta jest przestarzała i należy ją zastąpić przez opcje +\&\fIverifyChain\fR i \fIverifyPeer\fR. .RS 4 .IP "\fIpoziom 0\fR" 4 .IX Item "poziom 0" 
@@ -799,6 +1066,25 @@ nie weryfikuj .RE .RS 4 .RE +.IP "\fBverifyChain\fR = yes | no" 4 +.IX Item "verifyChain = yes | no" +weryfikuj łańcuch certyfikatów drugiej strony +.Sp +Do weryfikacji certyfikatu serwera kluczowe jest, aby wymagać również +konkretnego certyfikatu przy pomocy \fIcheckHost\fR lub \fIcheckIP\fR. +.Sp +Samopodpisany certyfikat głównego \s-1CA\s0 należy umieścić albo w pliku +podanym w opcji \fICAfile\fR, albo w katalogu podanym w opcji \fICApath\fR. +.Sp +domyślnie: no +.IP "\fBverifyPeer\fR = yes | no" 4 +.IX Item "verifyPeer = yes | no" +weryfikuj certyfikat drugiej strony +.Sp +Certyfikat drugiej strony należy umieścić albo w pliku podanym w opcji +\&\fICAfile\fR, albo w katalogu podanym w opcji \fICApath\fR. +.Sp +domyślnie: no .SH "ZWRACANA WARTOŚĆ" .IX Header "ZWRACANA WARTOŚĆ" \&\fBstunnel\fR zwraca zero w przypadku sukcesu, lub wartość niezerową @@ -836,7 +1122,7 @@ plikiem pid) wewnątrz katalogu wskazanego przez 'chroot'. .IX Item "SIGUSR1" Zamknij i otwórz ponownie log. Funkcja ta może zostać użyta w skrypcie rotującym log programu \fBstunnel\fR. -.IP "\s-1SIGTERM\s0, \s-1SIGQUIT\s0, \s-1SIGINT\s0" 4 +.IP "\s-1SIGTERM, SIGQUIT, SIGINT\s0" 4 .IX Item "SIGTERM, SIGQUIT, SIGINT" Zakończ działanie programu. .PP @@ -849,7 +1135,7 @@ Szyfrowanie połączeń do lokalnego serwera \fIimapd\fR można użyć: \& [imapd] \& accept = 993 \& exec = /usr/sbin/imapd -\& execargs = imapd +\& execArgs = imapd .Ve .PP albo w trybie zdalnym: 
@@ -860,7 +1146,18 @@ albo w trybie zdalnym: \& connect = 143 .Ve .PP -W połączeniu z programem \fIpppd\fR \fBstunnel\fR pozwala zestawić prosty \s-1VPN\s0. +Aby umożliwić lokalnemu klientowi poczty elektronicznej korzystanie z serwera +\&\fIimapd\fR przez \s-1TLS\s0 należy skonfigurować pobieranie poczty z adresu localhost i +portu 119, oraz użyć następującej konfiguracji: +.PP +.Vb 4 +\& [imap] +\& client = yes +\& accept = 143 +\& connect = serwer:993 +.Ve +.PP +W połączeniu z programem \fIpppd\fR \fBstunnel\fR pozwala zestawić prosty \s-1VPN.\s0 Po stronie serwera nasłuchującego na porcie 2020 jego konfiguracja może wyglądać następująco: .PP @@ -868,7 +1165,7 @@ może wyglądać następująco: \& [vpn] \& accept = 2020 \& exec = /usr/sbin/pppd -\& execargs = pppd local +\& execArgs = pppd local \& pty = yes .Ve .PP 
@@ -878,7 +1175,107 @@ konfiguracyjnym nie ma sekcji \fI[nazwa_usługi]\fR. .PP .Vb 2 \& exec = /usr/sbin/imapd -\& execargs = imapd +\& execArgs = imapd +.Ve +.PP +Aby skonfigurować \s-1VPN\s0 można użyć następującej konfiguracji klienta: +.PP +.Vb 6 +\& [socks_client] +\& client = yes +\& accept = 127.0.0.1:1080 +\& connect = vpn_server:9080 +\& verifyPeer = yes +\& CAfile = stunnel.pem +.Ve +.PP +Odpowiadająca jej konfiguracja serwera vpn_server: +.PP +.Vb 5 +\& [socks_server] +\& protocol = socks +\& accept = 9080 +\& cert = stunnel.pem +\& key = stunnel.key +.Ve +.PP +Do przetestowania konfiguracji można wydać na maszynie klienckiej komendę: +.PP +.Vb 1 +\& curl \-\-socks4a localhost http://www.example.com/ +.Ve +.PP +Przykładowa konfiguracja serwera \s-1SNI:\s0 +.PP +.Vb 5 +\& [virtual] +\& ; usługa nadrzędna +\& accept = 443 +\& cert = default.pem +\& connect = default.internal.mydomain.com:8080 +\& +\& [sni1] +\& ; usługa podrzędna 1 +\& sni = virtual:server1.mydomain.com +\& cert = server1.pem +\& connect = server1.internal.mydomain.com:8081 +\& +\& [sni2] +\& ; usługa podrzędna 2 +\& sni = virtual:server2.mydomain.com +\& cert = server2.pem +\& connect = server2.internal.mydomain.com:8082 +\& verifyPeer = yes +\& CAfile = server2\-allowed\-clients.pem +.Ve +.PP +Przykładowa konfiguracja umożliwiająca uwierzytelnienie z użyciem klucza prywatnego +przechowywanego w Windows Certificate Store (tylko Windows). +W przypadku użycia silnika \s-1CAPI,\s0 nie należy ustawiać opcji cert, gdyż klucz klienta +zostanie automatycznie pobrany z Certificate Store na podstawie zaufanych certyfikatów +\&\s-1CA\s0 przedstawionych przez serwer. 
+.PP +.Vb 1 +\& engine = capi +\& +\& [service] +\& engineId = capi +\& client = yes +\& accept = 127.0.0.1:8080 +\& connect = example.com:8443 +.Ve +.PP +Przykładowa konfiguracja umożliwiająca użycie certyfikatu i klucza prywatnego z +urządzenia zgodnego z pkcs11: +.PP +.Vb 3 +\& engine = pkcs11 +\& engineCtrl = MODULE_PATH:opensc\-pkcs11.so +\& engineCtrl = PIN:123456 +\& +\& [service] +\& engineId = pkcs11 +\& client = yes +\& accept = 127.0.0.1:8080 +\& connect = example.com:843 +\& cert = pkcs11:token=MyToken;object=MyCert +\& key = pkcs11:token=MyToken;object=MyKey +.Ve +.PP +Przykładowa konfiguracja umożliwiająca użycie certyfikatu i klucza prywatnego +umieszczonego na tokenie SoftHSM +.PP +.Vb 3 +\& engine = pkcs11 +\& engineCtrl = MODULE_PATH:softhsm2.dll +\& engineCtrl = PIN:12345 +\& +\& [service] +\& engineId = pkcs11 +\& client = yes +\& accept = 127.0.0.1:8080 +\& connect = example.com:843 +\& cert = pkcs11:token=MyToken;object=KeyCert .Ve .SH "NOTKI" .IX Header "NOTKI" @@ -888,8 +1285,8 @@ konfiguracyjnym nie ma sekcji \fI[nazwa_usługi]\fR. ponieważ do przesyłania poszczególnych plików używa on dodatkowych połączeń otwieranych na portach o dynamicznie przydzielanych numerach. Istnieją jednak specjalne wersje klientów i serwerów \s-1FTP\s0 pozwalające -na szyfrowanie przesyłanych danych przy pomocy protokołu \fI\s-1SSL\s0\fR. -.SS "\s-1TRYB\s0 \s-1INETD\s0 (tylko Unix)" +na szyfrowanie przesyłanych danych przy pomocy protokołu \fI\s-1TLS\s0\fR. +.SS "\s-1TRYB INETD \s0(tylko Unix)" .IX Subsection "TRYB INETD (tylko Unix)" W większości zastosowań \fBstunnel\fR samodzielnie nasłuchuje na porcie podanym w pliku konfiguracyjnym i tworzy połączenie z innym portem 
@@ -901,8 +1298,8 @@ programów są inetd, xinetd i tcpserver. Przykładowa linia pliku /etc/inetd.conf może wyglądać tak: .PP .Vb 2 -\& imaps stream tcp nowait root /usr/bin/stunnel -\& stunnel /etc/stunnel/imaps.conf +\& imaps stream tcp nowait root @bindir@/stunnel +\& stunnel @sysconfdir@/stunnel/imaps.conf .Ve .PP Ponieważ w takich przypadkach połączenie na zdefiniowanym porcie @@ -915,7 +1312,7 @@ globalnymi. Przykład takiej konfiguracji znajduje się w sekcji \&\fIPRZYKŁADY\fR. .SS "\s-1CERTYFIKATY\s0" .IX Subsection "CERTYFIKATY" -Protokół \s-1SSL\s0 wymaga, aby każdy serwer przedstawiał się nawiązującemu +Protokół \s-1TLS\s0 wymaga, aby każdy serwer przedstawiał się nawiązującemu połączenie klientowi prawidłowym certyfikatem X.509. Potwierdzenie tożsamości serwera polega na wykazaniu, że posiada on odpowiadający certyfikatowi klucz prywatny. @@ -943,15 +1340,15 @@ następującą postać: .Ve .SS "LOSOWOŚĆ" .IX Subsection "LOSOWOŚĆ" -\&\fBstunnel\fR potrzebuje zainicjować \s-1PRNG\s0 (generator liczb pseudolosowych), -gdyż protokół \s-1SSL\s0 wymaga do bezpieczeństwa kryptograficznego źródła +\&\fBstunnel\fR potrzebuje zainicjować \s-1PRNG \s0(generator liczb pseudolosowych), +gdyż protokół \s-1TLS\s0 wymaga do bezpieczeństwa kryptograficznego źródła dobrej losowości. Następujące źródła są kolejno odczytywane aż do uzyskania wystarczającej ilości entropii: .IP "\(bu" 4 Zawartość pliku podanego w opcji \fIRNDfile\fR. .IP "\(bu" 4 Zawartość pliku o nazwie określonej przez zmienną środowiskową -\&\s-1RANDFILE\s0, o ile jest ona ustawiona. +\&\s-1RANDFILE,\s0 o ile jest ona ustawiona. .IP "\(bu" 4 Plik .rnd umieszczony w katalogu domowym użytkownika, jeżeli zmienna \s-1RANDFILE\s0 nie jest ustawiona. 
@@ -967,15 +1364,9 @@ programu. .IP "\(bu" 4 Urządzenie /dev/urandom. .PP -Współczesne (\fB0.9.5a\fR lub nowsze) wersje biblioteki \fBOpenSSL\fR automatycznie -zaprzestają ładowania kolejnych danych w momencie uzyskania wystarczającej -ilości entropii. Wcześniejsze wersje biblioteki wykorzystają wszystkie -powyższe źródła, gdyż nie istnieje tam funkcja pozwalająca określić, czy -uzyskano już wystarczająco dużo danych. -.PP Warto zwrócić uwagę, że na maszynach z systemem Windows, na których konsoli nie pracuje użytkownik, zawartość ekranu nie jest wystarczająco -zmienna, aby zainicjować \s-1PRNG\s0. W takim przypadku do zainicjowania +zmienna, aby zainicjować \s-1PRNG. W\s0 takim przypadku do zainicjowania generatora należy użyć opcji \fIRNDfile\fR. .PP Plik \fIRNDfile\fR powinien zawierać dane losowe \*(-- również w tym sensie, 
@@ -991,26 +1382,28 @@ sprawdzania stanu generatora. W systemach z \fI/dev/urandom\fR urządzenie to będzie najprawdopodobniej użyte, pomimo że znajduje się na samym końcu powyższej listy. Jest to właściwość biblioteki \fBOpenSSL\fR, a nie programu \&\fBstunnel\fR. -.SS "\s-1PARAMETRY\s0 \s-1DH\s0" +.SS "\s-1PARAMETRY DH\s0" .IX Subsection "PARAMETRY DH" Począwszy od wersji 4.40 \fBstunnel\fR zawiera w kodzie programu 2048\-bitowe -parametry \s-1DH\s0. +parametry \s-1DH. \s0 Od wersji 5.18 te początkowe wartości parametrów \s-1DH\s0 są +wymieniane na autogenerowane parametry tymczasowe. +Wygenerowanie parametrów \s-1DH\s0 może zająć nawet wiele minut. .PP -Alternatywnie parametry \s-1DH\s0 można umieścić w pliku razem z certyfikatem: +Alternatywnie parametry \s-1DH\s0 można umieścić w pliku razem z certyfikatem, +co wyłącza generowanie parametrów tymczasowych: .PP .Vb 1 \& openssl dhparam 2048 >> stunnel.pem .Ve -.PP -Wygenerowanie parametrów \s-1DH\s0 może zająć nawet wiele minut. .SH "PLIKI" .IX Header "PLIKI" -.IP "\fIstunnel.conf\fR" 4 -.IX Item "stunnel.conf" +.ie n .IP "\fI\fI@sysconfdir\fI@/stunnel/stunnel.conf\fR" 4 +.el .IP "\fI\f(CI@sysconfdir\fI@/stunnel/stunnel.conf\fR" 4 +.IX Item "@sysconfdir@/stunnel/stunnel.conf" plik konfiguracyjny programu .SH "BŁĘDY" .IX Header "BŁĘDY" -Opcja \fIexecargs\fR oraz linia komend Win32 nie obsługuje cytowania. +Opcja \fIexecArgs\fR oraz linia komend Win32 nie obsługuje cytowania. .SH "ZOBACZ RÓWNIEŻ" .IX Header "ZOBACZ RÓWNIEŻ" .IP "\fItcpd\fR\|(8)" 4 @@ -1029,4 +1422,4 @@ strona projektu \fBOpenSSL\fR .IX Header "AUTOR" .IP "Michał Trojnara" 4 .IX Item "Michał Trojnara" -<\fIMichal.Trojnara@mirt.net\fR> +<\fIMichal.Trojnara@stunnel.org\fR> diff --git a/doc/stunnel.pl.html b/doc/stunnel.pl.html deleted file mode 100644 index e9b2433..0000000 --- a/doc/stunnel.pl.html +++ /dev/null @@ -1,1158 +0,0 @@ - - - - -stunnel.8 - - - - - - - - -
    -

    - - - -
    - - -

    -

    -

    NAZWA

    -

    stunnel - uniwersalny tunel protokołu SSL

    -

    -

    -
    -

    SKŁADNIA

    -
    -
    Unix:
    - -
    -

    stunnel [<plik>] | -fd n | -help | -version | -sockets

    -
    -
    WIN32:
    - -
    -

    stunnel [ [-install | -uninstall | -start | -stop ] | -exit] - [-quiet] [<plik>] ] | -help | -version | -sockets

    -
    -
    -

    -

    -
    -

    OPIS

    -

    Program stunnel został zaprojektowany do opakowywania w protokół SSL -połączeń pomiędzy zdalnymi klientami a lokalnymi lub zdalnymi serwerami. -Przez serwer lokalny rozumiana jest aplikacja przeznaczona do uruchamiania -przy pomocy inetd. -Stunnel pozwala na proste zestawienie komunikacji serwerów nie posiadających -funkcjonalności SSL poprzez bezpieczne kanały SSL.

    -

    stunnel pozwala dodać funkcjonalność SSL do powszechnie stosowanych -demonów inetd, np. pop3 lub imap, do samodzielnych demonów, -np. nntp, smtp lub http, a nawet tunelować ppp poprzez gniazda sieciowe -bez zmian w kodzie źródłowym.

    -

    -

    -
    -

    OPCJE

    -
    -
    <plik>
    - -
    -

    użyj podanego pliku konfiguracyjnego

    -
    -
    -fd n (tylko Unix)
    - -
    -

    wczytaj konfigurację z podanego deskryptora pliku

    -
    -
    -help
    - -
    -

    drukuj listę wspieranych opcji

    -
    -
    -version
    - -
    -

    drukuj wersję programu i domyślne wartości parametrów

    -
    -
    -sockets
    - -
    -

    drukuj domyślne opcje gniazd

    -
    -
    -install (tylko NT/2000/XP)
    - -
    -

    instaluj serwis NT

    -
    -
    -uninstall (tylko NT/2000/XP)
    - -
    -

    odinstaluj serwis NT

    -
    -
    -start (tylko NT/2000/XP)
    - -
    -

    uruchom serwis NT

    -
    -
    -stop (tylko NT/2000/XP)
    - -
    -

    zatrzymaj serwis NT

    -
    -
    -exit (tylko Win32)
    - -
    -

    zatrzymaj uruchomiony program

    -
    -
    -quiet (tylko NT/2000/XP)
    - -
    -

    nie wyświetlaj okienka informującego o pomyślnym zainstalowaniu lub -odinstalowaniu

    -
    -
    -

    -

    -
    -

    PLIK KONFIGURACYJNY

    -

    Linia w pliku konfiguracyjnym może być:

    -
      -
    • -

      pusta (ignorowana)

      -
    • -
    • -

      komentarzem rozpoczynającym się znakiem ';' (ignorowana)

      -
    • -
    • -

      parą 'nazwa_opcji = wartość_opcji'

      -
    • -
    • -

      tekstem '[nazwa_usługi]' wskazującym początek definicji usługi

      -
    • -
    -

    Parametr adres może być:

    -
      -
    • -

      numerem portu

      -
    • -
    • -

      oddzieloną średnikiem parą adresu (IPv4, IPv6, lub nazwą domenową) i numeru portu

      -
    • -
    • -

      ścieżką do gniazda Unix (tylko Unix)

      -
    • -
    -

    -

    -

    OPCJE GLOBALNE

    -
    -
    chroot = katalog (tylko Unix)
    - -
    -

    katalog roboczego korzenia systemu plików

    -

    Opcja określa katalog, w którym uwięziony zostanie proces programu -stunnel tuż po jego inicjalizacji, a przed rozpoczęciem odbierania -połączeń. Ścieżki podane w opcjach CApath, CRLpath, pid -oraz exec muszą być umieszczone wewnątrz katalogu podanego w opcji -chroot i określone względem tego katalogu.

    -

    Niektóre funkcje systemu operacyjnego mogą wymagać dodatkowych plików umieszczonych w katalogu podanego w parametrze chroot:

    -
      -
    • -

      opóźnione rozwinięcie adresów DNS typowo wymaga /etc/nsswitch.conf i /etc/resolv.conf

      -
    • -
    • -

      lokalizacja strefy czasowej w logach wymaga pliku /etc/timezone

      -
    • -
    • -

      niektóre inne pliki mogą potrzebować plików urządzeń, np. /dev/zero lub /dev/null

      -
    • -
    -
    -
    compression = deflate | zlib | rle
    - -
    -

    wybór algorytmu kompresji przesyłanych danych

    -

    domyślnie: bez kompresji

    -

    Algorytm deflate jest standardową metodą kompresji zgodnie z RFC 1951.

    -

    Kompresja zlib zaimplementowana w OpenSSL 0.9.8 i nowszych nie jest -kompatybilna implementacją OpenSSL 0.9.7.

    -

    Kompresja rle nie jest zaimplementowana w aktualnych wersjach OpenSSL.

    -
    -
    debug = poziom[.podsystem]
    - -
    -

    szczegółowość logowania

    -

    Poziom logowania można określić przy pomocy jednej z nazw lub liczb: -emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), -info (6) lub debug (7). -Zapisywane są komunikaty o poziomie niższym (numerycznie) lub równym podanemu. -Do uzyskania najwyższego poziomu szczegółowości można użyć opcji -debug = debug lub debug = 7. Domyślnym poziomem jest notice (5).

    -

    O ile nie wyspecyfikowano podsystemu użyty będzie domyślny: daemon. -Podsystemy nie są wspierane przez platformę Win32.

    -

    Wielkość liter jest ignorowana zarówno dla poziomu jak podsystemu.

    -
    -
    EGD = ścieżka_do_EGD (tylko Unix)
    - -
    -

    ścieżka do gniazda programu Entropy Gathering Daemon

    -

    Opcja pozwala określić ścieżkę do gniazda programu Entropy Gathering Daemon -używanego do zainicjalizowania generatora ciągów pseudolosowych biblioteki -OpenSSL. Opcja jest dostępna z biblioteką OpenSSL 0.9.5a lub nowszą.

    -
    -
    engine = auto | <identyfikator urządzenia>
    - -
    -

    wybór sprzętowego urządzenia kryptograficznego

    -

    domyślnie: bez wykorzystania urządzeń kryptograficznych

    -

    Przykładowa konfiguracja umożliwiająca odczytanie klucza prywatnego z -urządzenia zgodnego z OpenSC:

    -
    -    engine=dynamic
    -    engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so
    -    engineCtrl=ID:pkcs11
    -    engineCtrl=LIST_ADD:1
    -    engineCtrl=LOAD
    -    engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
    -    engineCtrl=INIT
    -
    -    [service]
    -    engineNum=1
    -    key=id_45
    -
    -
    engineCtrl = <command>[:<parameter>]
    - -
    -

    konfiguracja urządzenia kryptograficznego

    -

    Specjalne komendy "LOAD" i "INIT" pozwalają na załadowanie i inicjalizację -modułu kryptograficznego urządzenia.

    -
    -
    fips = yes | no
    - -
    -

    Włącz lub wyłącz tryb FIPS 140-2.

    -

    Opcja pozwala wyłączyć wejście w tryb FIPS, jeśli stunnel został -skompilowany ze wsparciem dla FIPS 140-2.

    -

    domyślnie: yes (pracuj w trybie FIPS 140-2)

    -
    -
    foreground = yes | no (tylko Unix)
    - -
    -

    tryb pierwszoplanowy

    -

    Użycie tej opcji powoduje, że stunnel nie przechodzi w tło logując -swoje komunikaty na konsolę zamiast przez syslog (o ile nie użyto -opcji output).

    -
    -
    output = plik
    - -
    -

    plik, do którego dopisane zostaną logi

    -

    Użycie tej opcji powoduje dopisanie logów do podanego pliku.

    -

    Do kierowaniakomunikatów na standardowe wyjście (na przykład po to, żeby -zalogować je programem splogger z pakietu daemontools) można podać jako -parametr urządzenie /dev/stdout.

    -
    -
    pid = plik (tylko Unix)
    - -
    -

    położenie pliku z numerem procesu

    -

    Jeżeli argument jest pusty plik nie zostanie stworzony.

    -

    Jeżeli zdefiniowano katalog chroot, to ścieżka do pid jest określona -względem tego katalogu.

    -
    -
    RNDbytes = liczba_bajtów
    - -
    -

    liczba bajtów do zainicjowania generatora pseudolosowego

    -

    W wersjach biblioteki OpenSSL starszych niż 0.9.5a opcja ta określa -również liczbę bajtów wystarczających do zainicjowania PRNG. -Nowsze wersje biblioteki mają wbudowaną funkcję określającą, czy -dostarczona ilość losowości jest wystarczająca do zainicjowania generatora.

    -
    -
    RNDfile = plik
    - -
    -

    ścieżka do pliku zawierającego losowe dane

    -

    Biblioteka OpenSSL użyje danych z tego pliku do zainicjowania -generatora pseudolosowego.

    -
    -
    RNDoverwrite = yes | no
    - -
    -

    nadpisz plik nowymi wartościami pseudolosowymi

    -

    domyślnie: yes (nadpisz)

    -
    -
    service = nazwa_serwisu (tylko Unix)
    - -
    -

    użyj parametru jako nazwy serwisu dla biblioteki TCP Wrapper w trybie inetd

    -

    domyślnie: stunnel

    -
    -
    setgid = identyfikator_grupy (tylko Unix)
    - -
    -

    grupa z której prawami pracował będzie stunnel

    -
    -
    setuid = identyfikator_użytkownika (tylko Unix)
    - -
    -

    użytkownik, z którego prawami pracował będzie stunnel

    -
    -
    socket = a|l|r:option=value[:value]
    - -
    -

    ustaw opcję na akceptującym/lokalnym/zdalnym gnieździe

    -

    Dla opcji linger wartości mają postać l_onof:l_linger. -Dla opcji time wartości mają postać tv_sec:tv_usec.

    -

    Przykłady:

    -
    -    socket = l:SO_LINGER=1:60
    -        ustaw jednominutowe przeterminowanie
    -        przy zamykaniu lokalnego gniazda
    -    socket = r:SO_OOBINLINE=yes
    -        umieść dane pozapasmowe (out-of-band)
    -        bezpośrednio w strumieniu danych
    -        wejściowych dla zdalnych gniazd
    -    socket = a:SO_REUSEADDR=no
    -        zablokuj ponowne używanie portu
    -        (domyślnie włączone)
    -    socket = a:SO_BINDTODEVICE=lo
    -        przyjmuj połączenia wyłącznie na
    -        interfejsie zwrotnym (ang. loopback)
    -
    -
    syslog = yes | no (tylko Unix)
    - -
    -

    włącz logowanie poprzez mechanizm syslog

    -

    domyślnie: yes (włącz)

    -
    -
    taskbar = yes | no (tylko WIN32)
    - -
    -

    włącz ikonkę w prawym dolnym rogu ekranu

    -

    domyślnie: yes (włącz)

    -
    -
    -

    -

    -

    OPCJE USŁUG

    -

    Każda sekcja konfiguracji usługi zaczyna się jej nazwą ujętą w nawias -kwadratowy. Nazwa usługi używana jest do kontroli dostępu przez -bibliotekę libwrap (TCP wrappers) oraz pozwala rozróżnić poszczególne -usługi w logach.

    -

    Jeżeli stunnel ma zostać użyty w trybie inetd, gdzie za odebranie -połączenia odpowiada osobny program (zwykle inetd, xinetd -lub tcpserver), należy przeczytać sekcję TRYB INETD poniżej.

    -
    -
    accept = [adres:]port
    - -
    -

    nasłuchuje na połączenia na podanym adresie i porcie

    -

    Jeżeli nie został podany adres, stunnel domyślnie nasłuchuje -na wszystkich adresach IPv4 lokalnych interfejsów.

    -

    Aby nasłuchiwać na wszystkich adresach IPv6 należy użyć:

    -
    -    accept = :::port
    -
    -
    CApath = katalog_CA
    - -
    -

    katalog Centrum Certyfikacji

    -

    Opcja określa katalog, w którym stunnel będzie szukał certyfikatów, -jeżeli użyta została opcja verify. Pliki z certyfikatami muszą -posiadać specjalne nazwy XXXXXXXX.0, gdzie XXXXXXXX jest skrótem -kryptograficznym reprezentacji DER nazwy podmiotu certyfikatu.

    -

    Funkcja skrótu została zmieniona w OpenSSL 1.0.0. -Należy wykonać c_rehash przy zmianie OpenSSL 0.x.x na 1.x.x.

    -

    Jeżeli zdefiniowano katalog chroot, to ścieżka do CApath jest określona -względem tego katalogu.

    -
    -
    CAfile = plik_CA
    - -
    -

    plik Centrum Certyfikacji

    -

    Opcja pozwala określić położenie pliku zawierającego certyfikaty używane -przez opcję verify.

    -
    -
    cert = plik_pem
    - -
    -

    plik z łańcuchem certyfikatów

    -

    Opcja określa położenie pliku zawierającego certyfikaty używane przez -program stunnel do uwierzytelnienia się przed drugą stroną połączenia. -Certyfikat jest konieczny, aby używać programu w trybie serwera. -W trybie klienta certyfikat jest opcjonalny.

    -
    -
    ciphers = lista_szyfrów
    - -
    -

    lista dozwolonych szyfrów SSL

    -

    Parametrem tej opcji jest lista szyfrów, które będą użyte przy -otwieraniu nowych połączeń SSL, np.: DES-CBC3-SHA:IDEA-CBC-MD5

    -
    -
    client = yes | no
    - -
    -

    tryb kliencki (zdalna usługa używa SSL)

    -

    domyślnie: no (tryb serwerowy)

    -
    -
    connect = [adres:]port
    - -
    -

    połącz się ze zdalnym serwerem na podany port

    -

    Jeżeli nie został podany adres, stunnel domyślnie łączy się -z lokalnym serwerem.

    -

    Komenda może byc użyta wielokrotnie w pojedynczej sekcji -celem zapewnienia wysokiej niezawodności lub rozłożenia -ruchu pomiędzy wiele serwerów.

    -
    -
    CRLpath = katalog_CRL
    - -
    -

    katalog List Odwołanych Certyfikatów (CRL)

    -

    Opcja określa katalog, w którym stunnel będzie szukał list CRL, -jeżeli użyta została opcja verify. Pliki z listami CRL muszą -posiadać specjalne nazwy XXXXXXXX.r0, gdzie XXXXXXXX jest skrótem -listy CRL.

    -

    Funkcja skrótu została zmieniona OpenSSL 1.0.0. -Należy wykonać c_rehash przy zmianie OpenSSL 0.x.x na 1.x.x.

    -

    Jeżeli zdefiniowano katalog chroot, to ścieżka do CRLpath jest określona -względem tego katalogu.

    -
    -
    CRLfile = plik_CRL
    - -
    -

    plik List Odwołanych Certyfikatów (CRL)

    -

    Opcja pozwala określić położenie pliku zawierającego listy CRL używane -przez opcję verify.

    -
    -
    curve = nid
    - -
    -

    krzywa dla ECDH

    -

    Listę dostępnych krzywych można uzyskać poleceniem:

    -
    -    openssl ecparam -list_curves
    -

    domyślnie: prime256v1

    -
    -
    delay = yes | no
    - -
    -

    opóźnij rozwinięcie adresu DNS podanego w opcji connect

    -

    Opcja jest przydatna przy dynamicznym DNS, albo gdy usługa DNS nie jest -dostępna przy starcie programu stunnel (klient VPN, połączenie wdzwaniane).

    -
    -
    engineNum = <numer urządzenia>
    - -
    -

    wybierz urządzenie do odczyta klucza prywatnego

    -

    Urządzenia są numerowane od 1 w górę.

    -
    -
    exec = ścieżka_do_programu
    - -
    -

    wykonaj lokalny program przystosowany do pracy z superdemonem inetd

    -

    Jeżeli zdefiniowano katalog chroot, to ścieżka do exec jest określona -względem tego katalogu.

    -
    -
    execargs = $0 $1 $2 ...
    - -
    -

    argumenty do opcji exec włącznie z nazwą programu ($0)

    -

    Cytowanie nie jest wspierane w obecnej wersji programu. -Argumenty są rozdzielone dowolną liczbą białych znaków.

    -
    -
    failover = rr | prio
    - -
    -

    Strategia wybierania serwerów wyspecyfikowanych parametrami "connect".

    -
    -    rr (round robin) - sprawiedliwe rozłożenie obciążenia
    -    prio (priority) - użyj kolejności opcji w pliku konfiguracyjnym
    -

    domyślnie: rr

    -
    -
    ident = nazwa_użytkownika
    - -
    -

    weryfikuj nazwę zdalnego użytkownika korzystając z protokołu IDENT (RFC 1413)

    -
    -
    key = plik_klucza
    - -
    -

    klucz prywatny do certyfikatu podanego w opcji cert

    -

    Klucz prywatny jest potrzebny do uwierzytelnienia właściciela certyfikatu. -Ponieważ powinien on być zachowany w tajemnicy, prawa do jego odczytu -powinien mieć wyłącznie właściciel pliku. W systemie Unix można to osiągnąć -komendą:

    -
    -    chmod 600 keyfile
    -

    domyślnie: wartość opcji cert

    -
    -
    libwrap = yes | no
    - -
    -

    włącz lub wyłącz korzystanie z /etc/hosts.allow i /etc/hosts.deny.

    -

    domyślnie: yes

    -
    -
    local = serwer
    - -
    -

    IP źródła do nawiązywania zdalnych połączeń

    -

    Domyślnie używane jest IP najbardziej zewnętrznego interfejsu w stronę -serwera, do którego nawiązywane jest połączenie.

    -
    -
    sni = nazwa_usługi:wzorzec_nazwy_serwera (tryb serwera)
    - -
    -

    Użyj usługi jako podrzędnej (virtualnego serwera) dla rozszerzenia TLS Server -Name Indication (RFC 3546).

    -

    nazwa_usługi wskazuje usługę nadrzędną, która odbiera połączenia od klientów -przy pomocy opcji accept. wzorzec_nazwy_serwera wskazuje nazwę serwera -wirtualnego. Wzorzec może zaczynać się znakiem '*', np. '*.example.com". -Z pojedyńczą usługą nadrzędną powiązane jest zwykle wiele usług podrzędnych. -Opcja sni może być rownież użyta wielokrotnie w ramach jednej usługi -podrzędnej.

    -

    Zarówno usługa nadrzędna jak i podrzędna nie może być skonfigurowana w trybie -klienckim.

    -

    Opcja connect usługi podrzędnej jest ignorowana w połączeniu z opcją -protocol, gdyż połączenie do zdalnego serwera jest w tym wypadku nawiązywane -przed negocjacją TLS.

    -

    Uwierzytelnienie przy pomocy biblioteki libwrap jest realizowane dwukrotnie: -najpierw dla usługi nadrzędnej po odebraniu połączenia TCP, a następnie dla -usługi podrzędnej podczas negocjacji TLS.

    -

    Opcja sni jest dostępna począwszy od OpenSSL 1.0.0.

    -
    -
    sni = nazwa_serwera (tryb klienta)
    - -
    -

    Użyj parametru jako wartości rozszerzenia TLS Server Name Indication -(RFC 3546).

    -

    Opcja sni jest dostępna począwszy od OpenSSL 1.0.0.

    -
    -
    OCSP = URL
    - -
    -

    serwer OCSP do weryfikacji certyfikatów

    -
    -
    OCSPflag = flaga
    - -
    -

    flaga serwera OCSP

    -

    aktualnie wspierane flagi: NOCERTS, NOINTERN NOSIGS, NOCHAIN, NOVERIFY, -NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME

    -

    Aby wyspecyfikować kilka flag należy użyć OCSPflag wielokrotnie.

    -
    -
    options = opcje_SSL
    - -
    -

    opcje biblioteki OpenSSL

    -

    Parametrem jest nazwa opcji zgodnie z opisem w SSL_CTX_set_options(3ssl), -ale bez przedrostka SSL_OP_. -Aby wyspecyfikować kilka opcji należy użyć options wielokrotnie.

    -

    Na przykład dla zachowania kompatybilności z błędami implementacji SSL -w programie Eudora można użyć opcji:

    -
    -    options = DONT_INSERT_EMPTY_FRAGMENTS
    -
    -
    protocol = protokół
    - -
    -

    negocjuj SSL podanym protokołem aplikacyjnym

    -

    Opcja ta włącza wstępną negocjację szyfrowania SSL dla wybranego protokołu -aplikacyjnego. -Opcji protocol nie należy używać z szyfrowaniem SSL na osobnym porcie.

    -

    Aktualnie wspierane protokoły:

    -
    -
    cifs
    - -
    -

    Unieudokumentowane rozszerzenie protokołu CIFS wspierane przez serwer Samba. -Wsparcie dla tego rozrzeczenia zostało zarzucone w wersji 3.0.0 serwera Samba.

    -
    -
    connect
    - -
    -

    Negocjacja RFC 2817 - Upgrading to TLS Within HTTP/1.1, rozdział 5.2 - Requesting a Tunnel with CONNECT

    -

    Ten protokół jest wspierany wyłącznie w trybie klienckim.

    -
    -
    imap
    - -
    -

    Negocjacja RFC 2595 - Using TLS with IMAP, POP3 and ACAP

    -
    -
    nntp
    - -
    -

    Negocjacja RFC 4642 - Using Transport Layer Security (TLS) with Network News Transfer Protocol (NNTP)

    -

    Ten protokół jest wspierany wyłącznie w trybie klienckim.

    -
    -
    pgsql
    - -
    -

    Negocjacja http://www.postgresql.org/docs/8.3/static/protocol-flow.html#AEN73982

    -
    -
    pop3
    - -
    -

    Negocjacja RFC 2449 - POP3 Extension Mechanism

    -
    -
    proxy
    - -
    -

    Przekazywanie adresu IP haproxy http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt

    -
    -
    smtp
    - -
    -

    Negocjacja RFC 2487 - SMTP Service Extension for Secure SMTP over TLS

    -
    -
    -
    -
    protocolAuthentication = uwierzytelnienie
    - -
    -

    rodzaj uwierzytelnienia do negocjacji protokołu

    -

    aktualnie wspierane: basic, NTLM

    -

    Obecnie typ uwierzytelnienia ma zastosowanie wyłącznie w protokole 'connect'.

    -

    domyślnie: basic

    -
    -
    protocolHost = adres:port
    - -
    -

    adres docelowy do negocjacji protokołu

    -

    protocolHost określa docelowy serwer SSL, do którego połączyć ma się proxy. -Nie jest to adres serwera proxy, do którego połączenie zestawia stunnel. -Adres serwera proxy powinien być określony przy pomocy opcji 'connect'.

    -

    W obecnej wersji adres docelowy protokołu ma zastosowanie wyłącznie w protokole -'connect'.

    -
    -
    protocolPassword = hasło
    - -
    -

    hasło do negocjacji protokołu

    -
    -
    protocolUsername = użytkownik
    - -
    -

    nazwa użytkownika do negocjacji protokołu

    -
    -
    pty = yes | no (tylko Unix)
    - -
    -

    alokuj pseudoterminal dla programu uruchamianego w opcji 'exec'

    -
    -
    renegotiation = yes | no
    - -
    -

    pozwalaj na renegocjację SSL

    -

    Wśród zastosowań renegocjacji SSL są niektóre scenariusze uwierzytelnienia, -oraz renegocjacja kluczy dla długotrwałych połączeń.

    -

    Z drugiej strony własność na może ułatwić trywialny atak DoS poprzez -wygenerowanie obciążenia procesora:

    -

    http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html

    -

    Warto zauważyć, że zablokowanie renegocjacji SSL nie zebezpiecza w pełni -przed opisanym problemem.

    -

    domyślnie: yes (o ile wspierane przez OpenSSL)

    -
    -
    reset = yes | no
    - -
    -

    sygnalizuj wystąpienie błędu przy pomocy flagi TCP RST

    -

    Ta opcja nie jest wspierana na niektórych platformach.

    -

    domyślnie: yes

    -
    -
    retry = yes | no
    - -
    -

    połącz ponownie sekcję connect+exec po rozłączeniu

    -

    domyślnie: no

    -
    -
    sessionCacheSize = rozmiar
    - -
    -

    rozmiar pamięci podręcznej sesji SSL

    -

    Parametr określa maksymalną liczbę pozycji wewnętrznej pamięci podręcznej -sesji.

    -

    Wartość 0 oznacza brak ograniczenia rozmiaru. Nie jest to zalecane dla -systemów produkcyjnych z uwagi na ryzyko ataku DoS przez wyczerpanie pamięci -RAM.

    -
    -
    sessionCacheTimeout = czas
    - -
    -

    przeterminowanie pamięci podręcznej sesji SSL

    -

    Parametr określa czas w sekundach, po którym sesja SSL zostanie usunięta z -pamięci podręcznej.

    -
    -
    sessiond = adres:port
    - -
    -

    adres sessiond - servera cache sesji SSL

    -
    -
    sslVersion = wersja
    - -
    -

    wersja protokołu SSL

    -

    Dozwolone opcje: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2

    -
    -
    stack = liczba_bajtów (z wyjątkiem modelu FORK)
    - -
    -

    rozmiar stosu procesora wątku

    -
    -
    TIMEOUTbusy = liczba_sekund
    - -
    -

    czas oczekiwania na spodziewane dane

    -
    -
    TIMEOUTclose = liczba_sekund
    - -
    -

    czas oczekiwania na close_notify (ustaw na 0, jeżeli klientem jest MSIE)

    -
    -
    TIMEOUTconnect = liczba_sekund
    - -
    -

    czas oczekiwania na nawiązanie połączenia

    -
    -
    TIMEOUTidle = liczba_sekund
    - -
    -

    maksymalny czas utrzymywania bezczynnego połączenia

    -
    -
    transparent = none | source | destination | both (tylko Unix)
    - -
    -

    tryb przezroczystego proxy na wspieranych platformach

    -

    Wspierane opcje:

    -
    -
    none
    - -
    -

    Zablokuj wsparcie dla przezroczystago proxy. Jest to wartość domyślna.

    -
    -
    source
    - -
    -

    Przepisz adres, aby nawiązywane połączenie wydawało się pochodzić -bezpośrednio od klienta, a nie od programu stunnel.

    -

    Opcja jest aktualnie obsługiwana w:

    -
    -
    Trybie zdalnym (opcja connect) w systemie Linux >=2.6.28
    - -
    -

    Konfiguracja wymaga następujących ustawień iptables oraz routingu -(na przykład w pliku /etc/rc.local lub analogicznym):

    -
    -    iptables -t mangle -N DIVERT
    -    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    -    iptables -t mangle -A DIVERT -j MARK --set-mark 1
    -    iptables -t mangle -A DIVERT -j ACCEPT
    -    ip rule add fwmark 1 lookup 100
    -    ip route add local 0.0.0.0/0 dev lo table 100
    -    echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
    -

    Konfiguracja ta wymaga, aby stunnel był wykonywany jako root i bez opcji setuid.

    -
    -
    Trybie zdalnym (opcja connect) w systemie Linux 2.2.x
    - -
    -

    Konfiguracja ta wymaga skompilowania jądra z opcją transparent proxy. -Docelowa usługa musi być umieszczona na osobnej maszynie, do której routing -kierowany jest poprzez serwer stunnela.

    -

    Dodatkowo stunnel powinien być wykonywany jako root i bez opcji setuid.

    -
    -
    Trybie zdalnym (opcja connect) w systemie FreeBSD >=8.0
    - -
    -

    Konfiguracja ta wymaga skonfigurowania firewalla i routingu. -stunnel musi być wykonywany jako root i bez opcji setuid.

    -
    -
    Trybie lokalnym (opcja exec)
    - -
    -

    Konfiguracja ta jest realizowana przy pomocy biblioteki libstunnel.so. -Do załadowania biblioteki wykorzystywana jest zmienna środowiskowa _RLD_LIST na -platformie Tru64 lub LD_PRELOAD na innych platformach.

    -
    -
    -
    -
    destination
    - -
    -

    Oryginalny adres docelowy jest używany zamiast opcji connect.

    -

    Przykładowana konfiguracja przezroczystego adresu docelowego:

    -
    -    [transparent]
    -    client=yes
    -    accept=<port_stunnela>
    -    transparent=destination
    -

    Konfiguracja wymaga następujących ustawień iptables -(na przykład w pliku /etc/rc.local lub analogicznym):

    -
    -    /sbin/iptables -I INPUT -i eth0 -p tcp --dport <port_stunnela> -j ACCEPT
    -    /sbin/iptables -t nat -I PREROUTING -i eth0 -p tcp --dport <port_przekierowany> -j DNAT --to-destination <lokalne_ip>:<port_stunnela>
    -

    Przezroczysty adres docelowy jest aktualnie wspierany wyłącznie w systemie Linux.

    -
    -
    both
    - -
    -

    Użyj przezroczystego proxy zarówno dla adresu źródłowego jak i docelowego.

    -
    -
    -

    Dla zapewnienia kompatybilności z wcześniejszymim wersjami wspierane są dwie -dodatkowe opcje:

    -
    -
    yes
    - -
    -

    Opcja została przemianowana na source.

    -
    -
    no
    - -
    -

    Opcja została przemianowana na none.

    -
    -
    -
    -
    verify = poziom
    - -
    -

    weryfikuj certyfikat drugiej strony połączenia

    -
    -
    poziom 0
    - -
    -

    zarządaj certyfikatu i zignoruj go

    -
    -
    poziom 1
    - -
    -

    weryfikuj, jeżeli został przedstawiony

    -
    -
    poziom 2
    - -
    -

    weryfikuj z zainstalowanym certyfikatem Centrum Certyfikacji

    -
    -
    poziom 3
    - -
    -

    weryfikuj z lokalnie zainstalowanym certyfikatem drugiej strony

    -
    -
    poziom 4
    - -
    -

    weryfikuj z certyfikatem drugiej strony ignorując łańcuch CA

    -
    -
    domyślnie
    - -
    -

    nie weryfikuj

    -
    -
    -
    -
    -

    -

    -
    -

    ZWRACANA WARTOŚĆ

    -

    stunnel zwraca zero w przypadku sukcesu, lub wartość niezerową -w przypadku błędu.

    -

    -

    -
    -

    SIGNAŁY

    -

    Następujące sygnały mogą być użyte do sterowania programem w systemie Unix:

    -
    -
    SIGHUP
    - -
    -

    Załaduj ponownie plik konfiguracyjny.

    -

    Niektóre globalne opcje nie będą przeładowane:

    -
      -
    • -

      chroot

      -
    • -
    • -

      foreground

      -
    • -
    • -

      pid

      -
    • -
    • -

      setgid

      -
    • -
    • -

      setuid

      -
    • -
    -

    Jeżeli wykorzystywana jest opcja 'setuid' stunnel nie będzie mógł załadować -ponownie konfiguracji wykorzystującej uprzywilejowane (<1024) porty.

    -

    Jeżeli wykorzystywana jest opcja 'chroot' stunnel będzie szukał wszystkich -potrzebnych plików (łącznie z plikiem konfiguracyjnym, certyfikatami, logiem i -plikiem pid) wewnątrz katalogu wskazanego przez 'chroot'.

    -
    -
    SIGUSR1
    - -
    -

    Zamknij i otwórz ponownie log. -Funkcja ta może zostać użyta w skrypcie rotującym log programu stunnel.

    -
    -
    SIGTERM, SIGQUIT, SIGINT
    - -
    -

    Zakończ działanie programu.

    -
    -
    -

    Skutek wysłania innych sygnałów jest niezdefiniowany.

    -

    -

    -
    -

    PRZYKŁADY

    -

    Szyfrowanie połączeń do lokalnego serwera imapd można użyć:

    -
    -    [imapd]
    -    accept = 993
    -    exec = /usr/sbin/imapd
    -    execargs = imapd
    -

    albo w trybie zdalnym:

    -
    -    [imapd]
    -    accept = 993
    -    connect = 143
    -

    W połączeniu z programem pppd stunnel pozwala zestawić prosty VPN. -Po stronie serwera nasłuchującego na porcie 2020 jego konfiguracja -może wyglądać następująco:

    -
    -    [vpn]
    -    accept = 2020
    -    exec = /usr/sbin/pppd
    -    execargs = pppd local
    -    pty = yes
    -

    Poniższy plik konfiguracyjny może być wykorzystany do uruchomienia -programu stunnel w trybie inetd. Warto zauważyć, że w pliku -konfiguracyjnym nie ma sekcji [nazwa_usługi].

    -
    -    exec = /usr/sbin/imapd
    -    execargs = imapd
    -

    -

    -
    -

    NOTKI

    -

    -

    -

    OGRANICZENIA

    -

    stunnel nie może być używany do szyfrowania protokołu FTP, -ponieważ do przesyłania poszczególnych plików używa on dodatkowych -połączeń otwieranych na portach o dynamicznie przydzielanych numerach. -Istnieją jednak specjalne wersje klientów i serwerów FTP pozwalające -na szyfrowanie przesyłanych danych przy pomocy protokołu SSL.

    -

    -

    -

    TRYB INETD (tylko Unix)

    -

    W większości zastosowań stunnel samodzielnie nasłuchuje na porcie -podanym w pliku konfiguracyjnym i tworzy połączenie z innym portem -podanym w opcji connect lub nowym programem podanym w opcji exec. -Niektórzy wolą jednak wykorzystywać oddzielny program, który odbiera -połączenia, po czym uruchamia program stunnel. Przykładami takich -programów są inetd, xinetd i tcpserver.

    -

    Przykładowa linia pliku /etc/inetd.conf może wyglądać tak:

    -
    -    imaps stream tcp nowait root /usr/bin/stunnel
    -        stunnel /etc/stunnel/imaps.conf
    -

    Ponieważ w takich przypadkach połączenie na zdefiniowanym porcie -(tutaj imaps) nawiązuje osobny program (tutaj inetd), stunnel -nie może używać opcji accept. W pliku konfiguracyjnym nie może -być również zdefiniowana żadna usługa ([nazwa_usługi]), ponieważ -konfiguracja taka pozwala na nawiązanie tylko jednego połączenia. -Wszystkie OPCJE USŁUG powinny być umieszczone razem z opcjami -globalnymi. Przykład takiej konfiguracji znajduje się w sekcji -PRZYKŁADY.

    -

    -

    -

    CERTYFIKATY

    -

    Protokół SSL wymaga, aby każdy serwer przedstawiał się nawiązującemu -połączenie klientowi prawidłowym certyfikatem X.509. -Potwierdzenie tożsamości serwera polega na wykazaniu, że posiada on -odpowiadający certyfikatowi klucz prywatny. -Najprostszą metodą uzyskania certyfikatu jest wygenerowanie go przy pomocy -wolnego pakietu OpenSSL. Więcej informacji na temat generowania -certyfikatów można znaleźć na umieszczonych poniżej stronach.

    -

    Istotną kwestią jest kolejność zawartości pliku .pem. -W pierwszej kolejności powinien on zawierać klucz prywatny, -a dopiero za nim podpisany certyfikat (nie żądanie certyfikatu). -Po certyfikacie i kluczu prywatnym powinny znajdować się puste linie. -Jeżeli przed certyfikatem znajdują się dodatkowe informacje tekstowe, -to powinny one zostać usunięte. Otrzymany plik powinien mieć -następującą postać:

    -
    -    -----BEGIN RSA PRIVATE KEY-----
    -    [zakodowany klucz]
    -    -----END RSA PRIVATE KEY-----
    -    [pusta linia]
    -    -----BEGIN CERTIFICATE-----
    -    [zakodowany certyfikat]
    -    -----END CERTIFICATE-----
    -    [pusta linia]
    -

    -

    -

    LOSOWOŚĆ

    -

    stunnel potrzebuje zainicjować PRNG (generator liczb pseudolosowych), -gdyż protokół SSL wymaga do bezpieczeństwa kryptograficznego źródła -dobrej losowości. Następujące źródła są kolejno odczytywane aż do -uzyskania wystarczającej ilości entropii:

    -
      -
    • -

      Zawartość pliku podanego w opcji RNDfile.

      -
    • -
    • -

      Zawartość pliku o nazwie określonej przez zmienną środowiskową -RANDFILE, o ile jest ona ustawiona.

      -
    • -
    • -

      Plik .rnd umieszczony w katalogu domowym użytkownika, -jeżeli zmienna RANDFILE nie jest ustawiona.

      -
    • -
    • -

      Plik podany w opcji '--with-random' w czasie konfiguracji programu.

      -
    • -
    • -

      Zawartość ekranu w systemie Windows.

      -
    • -
    • -

      Gniazdo egd, jeżeli użyta została opcja EGD.

      -
    • -
    • -

      Gniazdo egd podane w opcji '--with-egd-socket' w czasie konfiguracji -programu.

      -
    • -
    • -

      Urządzenie /dev/urandom.

      -
    • -
    -

    Współczesne (0.9.5a lub nowsze) wersje biblioteki OpenSSL automatycznie -zaprzestają ładowania kolejnych danych w momencie uzyskania wystarczającej -ilości entropii. Wcześniejsze wersje biblioteki wykorzystają wszystkie -powyższe źródła, gdyż nie istnieje tam funkcja pozwalająca określić, czy -uzyskano już wystarczająco dużo danych.

    -

    Warto zwrócić uwagę, że na maszynach z systemem Windows, na których -konsoli nie pracuje użytkownik, zawartość ekranu nie jest wystarczająco -zmienna, aby zainicjować PRNG. W takim przypadku do zainicjowania -generatora należy użyć opcji RNDfile.

    -

    Plik RNDfile powinien zawierać dane losowe -- również w tym sensie, -że powinny być one inne przy każdym uruchomieniu programu stunnel. -O ile nie użyta została opcja RNDoverwrite jest to robione -automatycznie. Do ręcznego uzyskania takiego pliku użyteczna -może być komenda openssl rand dostarczana ze współczesnymi -wersjami pakietu OpenSSL.

    -

    Jeszcze jedna istotna informacja -- jeżeli dostępne jest urządzenie -/dev/urandom biblioteka OpenSSL ma zwyczaj zasilania nim PRNG w trakcie -sprawdzania stanu generatora. W systemach z /dev/urandom urządzenie -to będzie najprawdopodobniej użyte, pomimo że znajduje się na samym końcu -powyższej listy. Jest to właściwość biblioteki OpenSSL, a nie programu -stunnel.

    -

    -

    -

    PARAMETRY DH

    -

    Począwszy od wersji 4.40 stunnel zawiera w kodzie programu 2048-bitowe -parametry DH.

    -

    Alternatywnie parametry DH można umieścić w pliku razem z certyfikatem:

    -
    -    openssl dhparam 2048 >> stunnel.pem
    -

    Wygenerowanie parametrów DH może zająć nawet wiele minut.

    -

    -

    -
    -

    PLIKI

    -
    -
    stunnel.conf
    - -
    -

    plik konfiguracyjny programu

    -
    -
    -

    -

    -
    -

    BŁĘDY

    -

    Opcja execargs oraz linia komend Win32 nie obsługuje cytowania.

    -

    -

    -
    -

    ZOBACZ RÓWNIEŻ

    -
    -
    tcpd(8)
    - -
    -

    biblioteka kontroli dostępu do usług internetowych

    -
    -
    inetd(8)
    - -
    -

    'super-serwer' internetowy

    -
    -
    http://www.stunnel.org/
    - -
    -

    strona domowa programu stunnel

    -
    -
    http://www.openssl.org/
    - -
    -

    strona projektu OpenSSL

    -
    -
    -

    -

    -
    -

    AUTOR

    -
    -
    Michał Trojnara
    - -
    -

    <Michal.Trojnara@mirt.net>

    -
    -
    - - - -
    diff --git a/doc/stunnel.pl.html.in b/doc/stunnel.pl.html.in
    new file mode 100644
    index 0000000..48fc9cf
    --- /dev/null
    +++ b/doc/stunnel.pl.html.in
    @@ -0,0 +1,1626 @@
    + + + + +stunnel TLS Proxy + + + + + + + +
    + stunnel TLS Proxy +
    + + + + + +

    NAZWA

    + +

    stunnel - uniwersalny tunel protokołu TLS

    + +

    SKŁADNIA

    + +
    + +
    Unix:
    +
    + +

    stunnel [PLIK] | -fd N | -help | -version | -sockets | -options

    + +
    +
    WIN32:
    +
    + +

    stunnel [ [ -install | -uninstall | -start | -stop | -reload | -reopen | -exit ] [-quiet] [PLIK] ] | -help | -version | -sockets | -options

    + +
    +
    + +

    OPIS

    + +

    Program stunnel został zaprojektowany do opakowywania w protokół TLS połączeń pomiędzy zdalnymi klientami a lokalnymi lub zdalnymi serwerami. Przez serwer lokalny rozumiana jest aplikacja przeznaczona do uruchamiania przy pomocy inetd. Stunnel pozwala na proste zestawienie komunikacji serwerów nie posiadających funkcjonalności TLS poprzez bezpieczne kanały TLS.

    + +

    stunnel pozwala dodać funkcjonalność TLS do powszechnie stosowanych demonów inetd, np. pop3 lub imap, do samodzielnych demonów, np. nntp, smtp lub http, a nawet tunelować ppp poprzez gniazda sieciowe bez zmian w kodzie źródłowym.

    + +

    OPCJE

    + +
    + +
    PLIK
    +
    + +

    użyj podanego pliku konfiguracyjnego

    + +
    +
    -fd N (tylko Unix)
    +
    + +

    wczytaj konfigurację z podanego deskryptora pliku

    + +
    +
    -help
    +
    + +

    drukuj listę wspieranych opcji

    + +
    +
    -version
    +
    + +

    drukuj wersję programu i domyślne wartości parametrów

    + +
    +
    -sockets
    +
    + +

    drukuj domyślne opcje gniazd

    + +
    +
    -options
    +
    + +

    drukuj wspierane opcje TLS

    + +
    +
    -install (tylko Windows NT lub nowszy)
    +
    + +

    instaluj serwis NT

    + +
    +
    -uninstall (tylko Windows NT lub nowszy)
    +
    + +

    odinstaluj serwis NT

    + +
    +
    -start (tylko Windows NT lub nowszy)
    +
    + +

    uruchom serwis NT

    + +
    +
    -stop (tylko Windows NT lub nowszy)
    +
    + +

    zatrzymaj serwis NT

    + +
    +
    -reload (tylko Windows NT lub nowszy)
    +
    + +

    przeładuj plik konfiguracyjny uruchomionego serwisu NT

    + +
    +
    -reopen (tylko Windows NT lub nowszy)
    +
    + +

    otwórz ponownie log uruchomionego serwisu NT

    + +
    +
    -exit (tylko Win32)
    +
    + +

    zatrzymaj uruchomiony program

    + +
    +
    -quiet (tylko Win32)
    +
    + +

    nie wyświetlaj okienek z komunikatami

    + +
    +
    + +

    PLIK KONFIGURACYJNY

    + +

    Linia w pliku konfiguracyjnym może być:

    + +
      + +
    • pusta (ignorowana)

      + +
    • +
    • komentarzem rozpoczynającym się znakiem ';' (ignorowana)

      + +
    • +
    • parą 'nazwa_opcji = wartość_opcji'

      + +
    • +
    • tekstem '[nazwa_usługi]' wskazującym początek definicji usługi

      + +
    • +
    + +

    Parametr adres może być:

    + +
      + +
    • numerem portu

      + +
    • +
    • oddzieloną średnikiem parą adresu (IPv4, IPv6, lub nazwą domenową) i numeru portu

      + +
    • +
    • ścieżką do gniazda Unix (tylko Unix)

      + +
    • +
    + +

    OPCJE GLOBALNE

    + +
    + +
    chroot = KATALOG (tylko Unix)
    +
    + +

    katalog roboczego korzenia systemu plików

    + +

    Opcja określa katalog, w którym uwięziony zostanie proces programu stunnel tuż po jego inicjalizacji, a przed rozpoczęciem odbierania połączeń. Ścieżki podane w opcjach CApath, CRLpath, pid oraz exec muszą być umieszczone wewnątrz katalogu podanego w opcji chroot i określone względem tego katalogu.

    + +

    Niektóre funkcje systemu operacyjnego mogą wymagać dodatkowych plików umieszczonych w katalogu podanego w parametrze chroot:

    + +
      + +
    • opóźnione rozwinięcie adresów DNS typowo wymaga /etc/nsswitch.conf i /etc/resolv.conf

      + +
    • +
    • lokalizacja strefy czasowej w logach wymaga pliku /etc/timezone

      + +
    • +
    • niektóre inne pliki mogą potrzebować plików urządzeń, np. /dev/zero lub /dev/null

      + +
    • +
    + +
    +
    compression = deflate | zlib
    +
    + +

    wybór algorytmu kompresji przesyłanych danych

    + +

    domyślnie: bez kompresji

    + +

    Algorytm deflate jest standardową metodą kompresji zgodnie z RFC 1951.

    + +
    +
    debug = [PODSYSTEM].POZIOM
    +
    + +

    szczegółowość logowania

    + +

    Poziom logowania można określić przy pomocy jednej z nazw lub liczb: emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6) lub debug (7). Zapisywane są komunikaty o poziomie niższym (numerycznie) lub równym podanemu. Do uzyskania najwyższego poziomu szczegółowości można użyć opcji debug = debug lub debug = 7. Domyślnym poziomem jest notice (5).

    + +

    O ile nie wyspecyfikowano podsystemu użyty będzie domyślny: daemon. Podsystemy nie są wspierane przez platformę Win32.

    + +

    Wielkość liter jest ignorowana zarówno dla poziomu jak podsystemu.

    + +
    +
    EGD = ŚCIEŻKA_DO_EGD (tylko Unix)
    +
    + +

    ścieżka do gniazda programu Entropy Gathering Daemon

    + +

    Opcja pozwala określić ścieżkę do gniazda programu Entropy Gathering Daemon używanego do zainicjalizowania generatora ciągów pseudolosowych biblioteki OpenSSL.

    + +
    +
    engine = auto | IDENTYFIKATOR_URZĄDZENIA
    +
    + +

    wybór sprzętowego urządzenia kryptograficznego

    + +

    domyślnie: bez wykorzystania urządzeń kryptograficznych

    + +

    Sekcja PRZYKŁADY zawiera przykładowe konfiguracje wykorzystujące urządzenia kryptograficzne.

    + +
    +
    engineCtrl = KOMENDA[:PARAMETR]
    +
    + +

    konfiguracja urządzenia kryptograficznego

    + +
    +
    engineDefault = LISTA_ZADAŃ
    +
    + +

    lista zadań OpenSSL oddelegowanych do bieżącego urządzenia

    + +

    Parametrem jest lista oddzielonych przecinkami zadań OpenSSL, które mają zostać oddelegowane do bieżącego urządzenia kryptograficznego.

    + +

    W zależności od konkretnego urządzenia dostępne mogą być następujące zadania: ALL, RSA, DSA, ECDH, ECDSA, DH, RAND, CIPHERS, DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1.

    + +
    +
    fips = yes | no
    +
    + +

    tryb FIPS 140-2

    + +

    Opcja pozwala wyłączyć wejście w tryb FIPS, jeśli stunnel został skompilowany ze wsparciem dla FIPS 140-2.

    + +

    domyślnie: no (od wersji 5.00)

    + +
    +
    foreground = yes | quiet | no (tylko Unix)
    +
    + +

    tryb pierwszoplanowy

    + +

    Użycie tej opcji powoduje, że stunnel nie przechodzi w tło.

    + +

    Parametr yes powoduje dodatkowo, że komunikaty diagnostyczne logowane są na standardowy strumień błędów (stderr) oprócz wyjść zdefiniowanych przy pomocy opcji syslog i output.

    + +
    +
    iconActive = PLIK_Z_IKONKĄ (tylko GUI)
    +
    + +

    ikonka wyświetlana przy obecności aktywnych połączeń do usługi

    + +

    W systemie Windows ikonka to plik .ico zawierający obrazek 16x16 pikseli.

    + +
    +
    iconError = PLIK_Z_IKONKĄ (tylko GUI)
    +
    + +

    ikonka wyświetlana, jeżeli nie został załadowany poprawny plik konfiguracyjny

    + +

    W systemie Windows ikonka to plik .ico zawierający obrazek 16x16 pikseli.

    + +
    +
    iconIdle = PLIK_Z_IKONKĄ (tylko GUI)
    +
    + +

    ikonka wyświetlana przy braku aktywnych połączeń do usługi

    + +

    W systemie Windows ikonka to plik .ico zawierający obrazek 16x16 pikseli.

    + +
    +
    log = append | overwrite
    +
    + +

    obsługa logów

    + +

    Ta opcja pozwala określić, czy nowe logi w pliku (określonym w opcji output) będą dodawane czy nadpisywane.

    + +

    domyślnie: append

    + +
    +
    output = PLIK
    +
    + +

    plik, do którego dopisane zostaną logi

    + +

    Użycie tej opcji powoduje dopisanie logów do podanego pliku.

    + +

    Do kierowania komunikatów na standardowe wyjście (na przykład po to, żeby zalogować je programem splogger z pakietu daemontools) można podać jako parametr urządzenie /dev/stdout.

    + +
    +
    pid = PLIK (tylko Unix)
    +
    + +

    położenie pliku z numerem procesu

    + +

    Jeżeli argument jest pusty, plik nie zostanie stworzony.

    + +

    Jeżeli zdefiniowano katalog chroot, to ścieżka do pid jest określona względem tego katalogu.

    + +
    +
    RNDbytes = LICZBA_BAJTÓW
    +
    + +

    liczba bajtów do zainicjowania generatora pseudolosowego

    + +
    +
    RNDfile = PLIK
    +
    + +

    ścieżka do pliku zawierającego losowe dane

    + +

    Biblioteka OpenSSL użyje danych z tego pliku do zainicjowania generatora pseudolosowego.

    + +
    +
    RNDoverwrite = yes | no
    +
    + +

    nadpisz plik nowymi wartościami pseudolosowymi

    + +

    domyślnie: yes (nadpisz)

    + +
    +
    service = SERWIS (tylko Unix)
    +
    + +

    nazwa usługi

    + +

    Podana nazwa usługi będzie używana jako nazwa usługi dla inicjalizacji sysloga, oraz dla biblioteki TCP Wrapper w trybie inetd. Chociaż technicznie można użyć tej opcji w trybie w sekcji usług, to jest ona użyteczna jedynie w opcjach globalnych.

    + +

    domyślnie: stunnel

    + +
    +
    socket = a|l|r:OPCJA=WARTOŚĆ[:WARTOŚĆ]
    +
    + +

    ustaw opcję na akceptującym/lokalnym/zdalnym gnieździe

    + +

    Dla opcji linger wartości mają postać l_onof:l_linger. Dla opcji time wartości mają postać tv_sec:tv_usec.

    + +

    Przykłady:

    + +
        socket = l:SO_LINGER=1:60
    +        ustaw jednominutowe przeterminowanie
    +        przy zamykaniu lokalnego gniazda
    +    socket = r:SO_OOBINLINE=yes
    +        umieść dane pozapasmowe (out-of-band)
    +        bezpośrednio w strumieniu danych
    +        wejściowych dla zdalnych gniazd
    +    socket = a:SO_REUSEADDR=no
    +        zablokuj ponowne używanie portu
    +        (domyślnie włączone)
    +    socket = a:SO_BINDTODEVICE=lo
    +        przyjmuj połączenia wyłącznie na
    +        interfejsie zwrotnym (ang. loopback)
    + +
    +
    syslog = yes | no (tylko Unix)
    +
    + +

    włącz logowanie poprzez mechanizm syslog

    + +

    domyślnie: yes (włącz)

    + +
    +
    taskbar = yes | no (tylko WIN32)
    +
    + +

    włącz ikonkę w prawym dolnym rogu ekranu

    + +

    domyślnie: yes (włącz)

    + +
    +
    + +

    OPCJE USŁUG

    + +

    Każda sekcja konfiguracji usługi zaczyna się jej nazwą ujętą w nawias kwadratowy. Nazwa usługi używana jest do kontroli dostępu przez bibliotekę libwrap (TCP wrappers) oraz pozwala rozróżnić poszczególne usługi w logach.

    + +

    Jeżeli stunnel ma zostać użyty w trybie inetd, gdzie za odebranie połączenia odpowiada osobny program (zwykle inetd, xinetd lub tcpserver), należy przeczytać sekcję TRYB INETD poniżej.

    + +
    + +
    accept = [HOST:]PORT
    +
    + +

    nasłuchuje na połączenia na podanym adresie i porcie

    + +

    Jeżeli nie został podany adres, stunnel domyślnie nasłuchuje na wszystkich adresach IPv4 lokalnych interfejsów.

    + +

    Aby nasłuchiwać na wszystkich adresach IPv6 należy użyć:

    + +
        accept = :::port
    + +
    +
    CApath = KATALOG_CA
    +
    + +

    katalog Centrum Certyfikacji

    + +

    Opcja określa katalog, w którym stunnel będzie szukał certyfikatów, jeżeli użyta została opcja verifyChain lub verifyPeer. Pliki z certyfikatami muszą posiadać specjalne nazwy XXXXXXXX.0, gdzie XXXXXXXX jest skrótem kryptograficznym reprezentacji DER nazwy podmiotu certyfikatu.

    + +

    Funkcja skrótu została zmieniona w OpenSSL 1.0.0. Należy wykonać c_rehash przy zmianie OpenSSL 0.x.x na 1.x.x.

    + +

    Jeżeli zdefiniowano katalog chroot, to ścieżka do CApath jest określona względem tego katalogu.

    + +
    +
    CAfile = PLIK_CA
    +
    + +

    plik Centrum Certyfikacji

    + +

    Opcja pozwala określić położenie pliku zawierającego certyfikaty używane przez opcję verifyChain lub verifyPeer.

    + +
    +
    cert = PLIK_CERT
    +
    + +

    plik z łańcuchem certyfikatów

    + +

    Opcja określa położenie pliku zawierającego certyfikaty używane przez program stunnel do uwierzytelnienia się przed drugą stroną połączenia. Plik powinien zawierać kompletny łańcuch certyfikatów począwszy od certyfikatu klienta/serwera, a skończywszy na samopodpisanym certyfikacie głównego CA. Obsługiwane są pliki w formacie PEM lub P12.

    + +

    Certyfikat jest konieczny, aby używać programu w trybie serwera. W trybie klienta certyfikat jest opcjonalny.

    + +

    Jeżeli używane jest sprzętowe urządzenie kryptograficzne, to opcja cert pozwala wybrać identyfikator używanego certyfikatu.

    + +
    +
    checkEmail = EMAIL
    +
    + +

    adres email przedstawionego certyfikatu

    + +

    Pojedyncza sekcja może zawierać wiele wystąpień opcji checkEmail. Certyfikaty są akceptowane, jeżeli sekcja nie zawiera opcji checkEmail, albo adres email przedstawionego certyfikatu pasuje do jednego z adresów email określonych przy pomocy checkEmail.

    + +

    Opcja ta wymaga biblioteki OpenSSL w wersji 1.0.2 lub nowszej.

    + +
    +
    checkHost = NAZWA_SERWERA
    +
    + +

    nazwa serwera przedstawionego certyfikatu

    + +

    Pojedyncza sekcja może zawierać wiele wystąpień opcji checkHost. Certyfikaty są akceptowane, jeżeli sekcja nie zawiera opcji checkHost, albo nazwa serwera przedstawionego certyfikatu pasuje do jednego nazw określonych przy pomocy checkHost.

    + +

    Opcja ta wymaga biblioteki OpenSSL w wersji 1.0.2 lub nowszej.

    + +
    +
    checkIP = IP
    +
    + +

    adres IP przedstawionego certyfikatu

    + +

    Pojedyncza sekcja może zawierać wiele wystąpień opcji checkIP. Certyfikaty są akceptowane, jeżeli sekcja nie zawiera opcji checkIP, albo adres IP przedstawionego certyfikatu pasuje do jednego z adresów IP określonych przy pomocy checkIP.

    + +

    Opcja ta wymaga biblioteki OpenSSL w wersji 1.0.2 lub nowszej.

    + +
    +
    ciphers = LISTA_SZYFRÓW
    +
    + +

    lista dozwolonych szyfrów TLS

    + +

    Parametrem tej opcji jest lista szyfrów, które będą użyte przy otwieraniu nowych połączeń TLS, np.: DES-CBC3-SHA:IDEA-CBC-MD5

    + +
    +
    client = yes | no
    +
    + +

    tryb kliencki (zdalna usługa używa TLS)

    + +

    domyślnie: no (tryb serwerowy)

    + +
    +
    config = KOMENDA[:PARAMETR]
    +
    + +

    komenda konfiguracyjna OpenSSL

    + +

    Komenda konfiguracyjna OpenSSL zostaje wykonana z podanym parametrem. Pozwala to na wydawanie komend konfiguracyjnych OpenSSL z pliku konfiguracyjnego stunnela. Dostępne komendy opisane są w manualu SSL_CONF_cmd(3ssl).

    + +

    Możliwe jest wyspecyfikowanie wielu opcji OpenSSL przez wielokrotne użycie komendy config.

    + +

    Opcja ta wymaga biblioteki OpenSSL w wersji 1.0.2 lub nowszej.

    + +
    +
    connect = [HOST:]PORT
    +
    + +

    połącz się ze zdalnym serwerem na podany port

    + +

    Jeżeli nie został podany adres, stunnel domyślnie łączy się z lokalnym serwerem.

    + +

    Komenda może być użyta wielokrotnie w pojedynczej sekcji celem zapewnienia wysokiej niezawodności lub rozłożenia ruchu pomiędzy wiele serwerów.

    + +
    +
    CRLpath = KATALOG_CRL
    +
    + +

    katalog List Odwołanych Certyfikatów (CRL)

    + +

    Opcja określa katalog, w którym stunnel będzie szukał list CRL używanych przez opcje verifyChain i verifyPeer. Pliki z listami CRL muszą posiadać specjalne nazwy XXXXXXXX.r0, gdzie XXXXXXXX jest skrótem listy CRL.

    + +

    Funkcja skrótu została zmieniona OpenSSL 1.0.0. Należy wykonać c_rehash przy zmianie OpenSSL 0.x.x na 1.x.x.

    + +

    Jeżeli zdefiniowano katalog chroot, to ścieżka do CRLpath jest określona względem tego katalogu.

    + +
    +
    CRLfile = PLIK_CRL
    +
    + +

    plik List Odwołanych Certyfikatów (CRL)

    + +

    Opcja pozwala określić położenie pliku zawierającego listy CRL używane przez opcje verifyChain i verifyPeer.

    + +
    +
    curve = NID
    +
    + +

    krzywa dla ECDH

    + +

    Listę dostępnych krzywych można uzyskać poleceniem:

    + +
        openssl ecparam -list_curves
    + +

    domyślnie: prime256v1

    + +
    +
    logId = TYP
    +
    + +

    typ identyfikatora połączenia klienta

    + +

    Identyfikator ten pozwala rozróżnić wpisy w logu wygenerowane dla poszczególnych połączeń.

    + +

    Aktualnie wspierane typy:

    + +
    + +
    sequential
    +
    + +

    Kolejny numer połączenia jest unikalny jedynie w obrębie pojedynczej instancji programu stunnel, ale bardzo krótki. Jest on szczególnie użyteczny przy ręcznej analizie logów.

    + +
    +
    unique
    +
    + +

    Ten rodzaj identyfikatora jest globalnie unikalny, ale znacznie dłuższy, niż kolejny numer połączenia. Jest on szczególnie użyteczny przy zautomatyzowanej analizie logów.

    + +
    +
    thread
    +
    + +

    Identyfikator wątku systemu operacyjnego nie jest ani unikalny (nawet w obrębie pojedynczej instancji programu stunnel), ani krótki. Jest on szczególnie użyteczny przy diagnozowaniu problemów z oprogramowaniem lub konfiguracją.

    + +
    +
    process
    +
    + +

    Identyfikator procesu (PID) może być użyteczny w trybie inetd.

    + +
    +
    + +

    domyślnie: sequential

    + +
    +
    debug = POZIOM
    +
    + +

    szczegółowość logowania

    + +

    Poziom logowania można określić przy pomocy jednej z nazw lub liczb: emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6) lub debug (7). Zapisywane są komunikaty o poziomie niższym (numerycznie) lub równym podanemu. Do uzyskania najwyższego poziomu szczegółowości można użyć opcji debug = debug lub debug = 7. Domyślnym poziomem jest notice (5).

    + +
    +
    delay = yes | no
    +
    + +

    opóźnij rozwinięcie adresu DNS podanego w opcji connect

    + +

    Opcja jest przydatna przy dynamicznym DNS, albo gdy usługa DNS nie jest dostępna przy starcie programu stunnel (klient VPN, połączenie wdzwaniane).

    + +

    Opóźnione rozwijanie adresu DNS jest włączane automatycznie, jeżeli nie powiedzie się rozwinięcie któregokolwiek z adresów connect dla danej usługi.

    + +

    Opóźnione rozwijanie adresu automatycznie aktywuje failover = prio.

    + +

    default: no

    + +
    +
    engineId = NUMER_URZĄDZENIA
    +
    + +

    wybierz urządzenie dla usługi

    + +
    +
    engineNum = NUMER_URZĄDZENIA
    +
    + +

    wybierz urządzenie dla usługi

    + +

    Urządzenia są numerowane od 1 w górę.

    + +
    +
    exec = ŚCIEŻKA_DO_PROGRAMU
    +
    + +

    wykonaj lokalny program przystosowany do pracy z superdemonem inetd

    + +

    Jeżeli zdefiniowano katalog chroot, to ścieżka do exec jest określona względem tego katalogu.

    + +

    Na platformach Unix ustawiane są następujące zmienne środowiskowe: REMOTE_HOST, REMOTE_PORT, SSL_CLIENT_DN, SSL_CLIENT_I_DN.

    + +
    +
    execArgs = $0 $1 $2 ...
    +
    + +

    argumenty do opcji exec włącznie z nazwą programu ($0)

    + +

    Cytowanie nie jest wspierane w obecnej wersji programu. Argumenty są rozdzielone dowolną liczbą białych znaków.

    + +
    +
    failover = rr | prio
    +
    + +

    Strategia wybierania serwerów wyspecyfikowanych parametrami "connect".

    + +
    + +
    rr
    +
    + +

    round robin - sprawiedliwe rozłożenie obciążenia

    + +
    +
    prio
    +
    + +

    priority - użyj kolejności opcji w pliku konfiguracyjnym

    + +
    +
    + +

    domyślnie: rr

    + +
    +
    ident = NAZWA_UŻYTKOWNIKA
    +
    + +

    weryfikuj nazwę zdalnego użytkownika korzystając z protokołu IDENT (RFC 1413)

    + +
    +
    include = KATALOG
    +
    + +

    wczytaj fragmenty plików konfiguracyjnych z podanego katalogu

    + +

    Pliki są wczytywane w rosnącej kolejności alfabetycznej ich nazw.

    + +
    +
    key = PLIK_KLUCZA
    +
    + +

    klucz prywatny do certyfikatu podanego w opcji cert

    + +

    Klucz prywatny jest potrzebny do uwierzytelnienia właściciela certyfikatu. Ponieważ powinien on być zachowany w tajemnicy, prawa do jego odczytu powinien mieć wyłącznie właściciel pliku. W systemie Unix można to osiągnąć komendą:

    + +
        chmod 600 keyfile
    + +

    Jeżeli używane jest sprzętowe urządzenie kryptograficzne, to opcja key pozwala wybrać identyfikator używanego klucza prywatnego.

    + +

    domyślnie: wartość opcji cert

    + +
    +
    libwrap = yes | no
    +
    + +

    włącz lub wyłącz korzystanie z /etc/hosts.allow i /etc/hosts.deny.

    + +

    domyślnie: no (od wersji 5.00)

    + +
    +
    local = HOST
    +
    + +

    IP źródła do nawiązywania zdalnych połączeń

    + +

    Domyślnie używane jest IP najbardziej zewnętrznego interfejsu w stronę serwera, do którego nawiązywane jest połączenie.

    + +
    +
    OCSP = URL
    +
    + +

    responder OCSP do weryfikacji certyfikatów

    + +
    +
    OCSPaia = yes | no
    +
    + +

    weryfikuj certyfikaty przy użyciu respondertów AIA

    + +

    Opcja OCSPaia pozwala na weryfikowanie certyfikatów przy pomocy listy URLi responderów OCSP przesłanych w rozszerzeniach AIA (Authority Information Access).

    + +
    +
    OCSPflag = FLAGA_OCSP
    +
    + +

    flaga respondera OCSP

    + +

    Aktualnie wspierane flagi: NOCERTS, NOINTERN, NOSIGS, NOCHAIN, NOVERIFY, NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME

    + +

    Aby wyspecyfikować kilka flag należy użyć OCSPflag wielokrotnie.

    + +
    +
    OCSPnonce = yes | no
    +
    + +

    wysyłaj i weryfikuj OCSP nonce

    + +

    Opcja OCSPnonce zabezpiecza protokół OCSP przed atakami powtórzeniowymi. Ze względu na złożoność obliczeniową rozszerzenie nonce jest zwykle wspierane jedynie przez wewnętrzne (np. korporacyjne), a nie przez publiczne respondery OCSP.

    + +
    +
    options = OPCJE_SSL
    +
    + +

    opcje biblioteki OpenSSL

    + +

    Parametrem jest nazwa opcji zgodnie z opisem w SSL_CTX_set_options(3ssl), ale bez przedrostka SSL_OP_. stunnel -options wyświetla opcje dozwolone w aktualnej kombinacji programu stunnel i biblioteki OpenSSL.

    + +

    Aby wyspecyfikować kilka opcji należy użyć options wielokrotnie. Nazwa opcji może być poprzedzona myślnikiem ("-") celem wyłączenia opcji.

    + +

    Na przykład, dla zachowania kompatybilności z błędami implementacji TLS w programie Eudora, można użyć opcji:

    + +
        options = DONT_INSERT_EMPTY_FRAGMENTS
    + +

    domyślnie:

    + +
        options = NO_SSLv2
    +    options = NO_SSLv3
    + +
    +
    protocol = PROTOKÓŁ
    +
    + +

    negocjuj TLS podanym protokołem aplikacyjnym

    + +

    Opcja ta włącza wstępną negocjację szyfrowania TLS dla wybranego protokołu aplikacyjnego. Opcji protocol nie należy używać z szyfrowaniem TLS na osobnym porcie.

    + +

    Aktualnie wspierane protokoły:

    + +
    + +
    cifs
    +
    + +

    Nieudokumentowane rozszerzenie protokołu CIFS wspierane przez serwer Samba. Wsparcie dla tego rozrzeczenia zostało zarzucone w wersji 3.0.0 serwera Samba.

    + +
    +
    connect
    +
    + +

    Negocjacja RFC 2817 - Upgrading to TLS Within HTTP/1.1, rozdział 5.2 - Requesting a Tunnel with CONNECT

    + +

    Ten protokół jest wspierany wyłącznie w trybie klienckim.

    + +
    +
    imap
    +
    + +

    Negocjacja RFC 2595 - Using TLS with IMAP, POP3 and ACAP

    + +
    +
    nntp
    +
    + +

    Negocjacja RFC 4642 - Using Transport Layer Security (TLS) with Network News Transfer Protocol (NNTP)

    + +

    Ten protokół jest wspierany wyłącznie w trybie klienckim.

    + +
    +
    pgsql
    +
    + +

    Negocjacja http://www.postgresql.org/docs/8.3/static/protocol-flow.html#AEN73982

    + +
    +
    pop3
    +
    + +

    Negocjacja RFC 2449 - POP3 Extension Mechanism

    + +
    +
    proxy
    +
    + +

    Przekazywanie adresu IP haproxy http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt

    + +
    +
    smtp
    +
    + +

    Negocjacja RFC 2487 - SMTP Service Extension for Secure SMTP over TLS

    + +
    +
    socks
    +
    + +

    Wspierany jest protokół SOCKS w wersjach 4, 4a i 5. Protokół SOCKS enkapsulowany jest w protokole TLS, więc adres serwera docelowego nie jest widoczny dla napastnika przechwytującego ruch sieciowy.

    + +

    http://www.openssh.com/txt/socks4.protocol

    + +

    http://www.openssh.com/txt/socks4a.protocol

    + +

    Nie jest wspierana komenda BIND protokołu SOCKS. Przesłana wartość parametru USERID jest ignorowana.

    + +

    Sekcja PRZYKŁADY zawiera przykładowe pliki konfiguracyjne VPNa zbudowanego w oparciu o szyfrowany protokół SOCKS.

    + +
    +
    + +
    +
    protocolAuthentication = UWIERZYTELNIENIE
    +
    + +

    rodzaj uwierzytelnienia do negocjacji protokołu

    + +

    Opcja ta jest wpierana wyłącznie w klienckich protokołach 'connect' i 'smtp'.

    + +

    W protokole 'connect' wspierane jest uwierzytelnienie 'basic' oraz 'ntlm'. Domyślnym rodzajem uwierzytelnienia protokołu 'connect' jest 'basic'.

    + +

    W protokole 'smtp' wspierane jest uwierzytelnienie 'plain' oraz 'login'. Domyślnym rodzajem uwierzytelnienia protokołu 'smtp' jest 'plain'.

    + +
    +
    protocolDomain = DOMENA
    +
    + +

    domena do negocjacji protokołu

    + +

    W obecnej wersji wybrana domena ma zastosowanie wyłącznie w protokole 'connect'.

    + +
    +
    protocolHost = HOST:PORT
    +
    + +

    adres docelowy do negocjacji protokołu

    + +

    protocolHost określa docelowy serwer TLS, do którego połączyć ma się proxy. Nie jest to adres serwera proxy, do którego połączenie zestawia stunnel. Adres serwera proxy powinien być określony przy pomocy opcji 'connect'.

    + +

    W obecnej wersji adres docelowy protokołu ma zastosowanie wyłącznie w protokole 'connect'.

    + +
    +
    protocolPassword = HASŁO
    +
    + +

    hasło do negocjacji protokołu

    + +

    Opcja ta jest wspierana wyłącznie w klienckich protokołach 'connect' i 'smtp'.

    + +
    +
    protocolUsername = UŻYTKOWNIK
    +
    + +

    nazwa użytkownika do negocjacji protokołu

    + +

    Opcja ta jest wspierana wyłącznie w klienckich protokołach 'connect' i 'smtp'.

    + +
    +
    PSKidentity = TOŻSAMOŚĆ
    +
    + +

    tożsamość klienta PSK

    + +

    PSKidentity może zostać użyte w sekcjach klienckich do wybrania tożsamości użytej do uwierzytelnienia PSK. Opcja jest ignorowana w sekcjach serwerowych.

    + +

    domyślnie: pierwsza tożsamość zdefiniowana w pliku PSKsecrets

    + +
    +
    PSKsecrets = PLIK
    +
    + +

    plik z tożsamościami i kluczami PSK

    + +

    Każda linia pliku jest w następującym formacie:

    + +
        TOŻSAMOŚĆ:KLUCZ
    + +

    Klucz musi być mieć przynajmniej 20 znaków. Należy ograniczyć dostęp do czytania lub pisania do tego pliku.

    + +
    +
    pty = yes | no (tylko Unix)
    +
    + +

    alokuj pseudoterminal dla programu uruchamianego w opcji 'exec'

    + +
    +
    redirect = [HOST:]PORT
    +
    + +

    przekieruj klienta, któremu nie udało się poprawnie uwierzytelnić przy pomocy certyfikatu

    + +

    Opcja działa wyłącznie w trybie serwera. Część negocjacji protokołów jest niekompatybilna z opcją redirect.

    + +
    +
    renegotiation = yes | no
    +
    + +

    pozwalaj na renegocjację TLS

    + +

    Zastosowania renegocjacji TLS zawierają niektóre scenariusze uwierzytelniania oraz renegocjację kluczy dla długotrwałych połączeń.

    + +

    Z drugiej strony własność na może ułatwić trywialny atak DoS poprzez wygenerowanie obciążenia procesora:

    + +

    http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html

    + +

    Warto zauważyć, że zablokowanie renegocjacji TLS nie zebezpiecza w pełni przed opisanym problemem.

    + +

    domyślnie: yes (o ile wspierane przez OpenSSL)

    + +
    +
    reset = yes | no
    +
    + +

    sygnalizuj wystąpienie błędu przy pomocy flagi TCP RST

    + +

    Opcja nie jest wspierana na niektórych platformach.

    + +

    domyślnie: yes

    + +
    +
    retry = yes | no
    +
    + +

    połącz ponownie sekcję connect+exec po rozłączeniu

    + +

    domyślnie: no

    + +
    +
    requireCert = yes | no
    +
    + +

    wymagaj certyfikatu klienta dla verifyChain lub verifyPeer

    + +

    Przy opcji requireCert ustawionej na no, stunnel akceptuje połączenia klientów, które nie wysłały certyfikatu.

    + +

    Zarówno verifyChain = yes jak i verifyPeer = yes automatycznie ustawiają requireCert na yes.

    + +

    domyślnie: no

    + +
    +
    setgid = IDENTYFIKATOR_GRUPY (tylko Unix)
    +
    + +

    identyfikator grupy Unix

    + +

    Jako opcja globalna: grupa, z której prawami pracował będzie stunnel.

    + +

    Jako opcja usługi: grupa gniazda Unix utworzonego przy pomocy opcji "accept".

    + +
    +
    setuid = IDENTYFIKATOR_UŻYTKOWNIKA (tylko Unix)
    +
    + +

    identyfikator użytkownika Unix

    + +

    Jako opcja globalna: użytkownik, z którego prawami pracował będzie stunnel.

    + +

    Jako opcja usługi: właściciel gniazda Unix utworzonego przy pomocy opcji "accept".

    + +
    +
    sessionCacheSize = LICZBA_POZYCJI_CACHE
    +
    + +

    rozmiar pamięci podręcznej sesji TLS

    + +

    Parametr określa maksymalną liczbę pozycji wewnętrznej pamięci podręcznej sesji.

    + +

    Wartość 0 oznacza brak ograniczenia rozmiaru. Nie jest to zalecane dla systemów produkcyjnych z uwagi na ryzyko ataku DoS przez wyczerpanie pamięci RAM.

    + +
    +
    sessionCacheTimeout = LICZBA_SEKUND
    +
    + +

    przeterminowanie pamięci podręcznej sesji TLS

    + +

    Parametr określa czas w sekundach, po którym sesja TLS zostanie usunięta z pamięci podręcznej.

    + +
    +
    sessiond = HOST:PORT
    +
    + +

    adres sessiond - servera cache sesji TLS

    + +
    +
    sni = NAZWA_USŁUGI:WZORZEC_NAZWY_SERWERA (tryb serwera)
    +
    + +

    Użyj usługi jako podrzędnej (virtualnego serwera) dla rozszerzenia TLS Server Name Indication (RFC 3546).

    + +

    NAZWA_USŁUGI wskazuje usługę nadrzędną, która odbiera połączenia od klientów przy pomocy opcji accept. WZORZEC_NAZWY_SERWERA wskazuje nazwę serwera wirtualnego. Wzorzec może zaczynać się znakiem '*', np. '*.example.com". Z pojedyńczą usługą nadrzędną powiązane jest zwykle wiele usług podrzędnych. Opcja sni może być rownież użyta wielokrotnie w ramach jednej usługi podrzędnej.

    + +

    Zarówno usługa nadrzędna jak i podrzędna nie może być skonfigurowana w trybie klienckim.

    + +

    Opcja connect usługi podrzędnej jest ignorowana w połączeniu z opcją protocol, gdyż połączenie do zdalnego serwera jest w tym wypadku nawiązywane przed negocjacją TLS.

    + +

    Uwierzytelnienie przy pomocy biblioteki libwrap jest realizowane dwukrotnie: najpierw dla usługi nadrzędnej po odebraniu połączenia TCP, a następnie dla usługi podrzędnej podczas negocjacji TLS.

    + +

    Opcja sni jest dostępna począwszy od OpenSSL 1.0.0.

    + +
    +
    sni = NAZWA_SERWERA (tryb klienta)
    +
    + +

    Użyj parametru jako wartości rozszerzenia TLS Server Name Indication (RFC 3546).

    + +

    Pusta wartość parametru NAZWA_SERWERA wyłącza wysyłanie rozszerzenia SNI.

    + +

    Opcja sni jest dostępna począwszy od OpenSSL 1.0.0.

    + +
    +
    sslVersion = WERSJA_SSL
    +
    + +

    wersja protokołu TLS

    + +

    Wspierane opcje: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2

    + +

    Dostępność konkretnych protokołów zależy od użytej wersji OpenSSL. Starsze wersje OpenSSL nie wspierają TLSv1.1 i TLSv1.2. Nowsze wersje OpenSSL nie wspierają SSLv2.

    + +

    Przestarzałe protokoły SSLv2 i SSLv3 są domyślnie wyłączone. Szczegółowe informacje dostępne są w opisie opcji options.

    + +
    +
    stack = LICZBA_BAJTÓW (z wyjątkiem modelu FORK)
    +
    + +

    rozmiar stosu procesora wątku

    + +
    +
    TIMEOUTbusy = LICZBA_SEKUND
    +
    + +

    czas oczekiwania na spodziewane dane

    + +
    +
    TIMEOUTclose = LICZBA_SEKUND
    +
    + +

    czas oczekiwania na close_notify (ustaw na 0, jeżeli klientem jest MSIE)

    + +
    +
    TIMEOUTconnect = LICZBA_SEKUND
    +
    + +

    czas oczekiwania na nawiązanie połączenia

    + +
    +
    TIMEOUTidle = LICZBA_SEKUND
    +
    + +

    maksymalny czas utrzymywania bezczynnego połączenia

    + +
    +
    transparent = none | source | destination | both (tylko Unix)
    +
    + +

    tryb przezroczystego proxy na wspieranych platformach

    + +

    Wspierane opcje:

    + +
    + +
    none
    +
    + +

    Zablokuj wsparcie dla przezroczystago proxy. Jest to wartość domyślna.

    + +
    +
    source
    +
    + +

    Przepisz adres, aby nawiązywane połączenie wydawało się pochodzić bezpośrednio od klienta, a nie od programu stunnel.

    + +

    Opcja jest aktualnie obsługiwana w:

    + +
    + +
    Trybie zdalnym (opcja connect) w systemie Linux >=2.6.28
    +
    + +

    Konfiguracja wymaga następujących ustawień iptables oraz routingu (na przykład w pliku /etc/rc.local lub analogicznym):

    + +
        iptables -t mangle -N DIVERT
    +    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    +    iptables -t mangle -A DIVERT -j MARK --set-mark 1
    +    iptables -t mangle -A DIVERT -j ACCEPT
    +    ip rule add fwmark 1 lookup 100
    +    ip route add local 0.0.0.0/0 dev lo table 100
    +    echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
    + +

    Konfiguracja ta wymaga, aby stunnel był wykonywany jako root i bez opcji setuid.

    + +
    +
    Trybie zdalnym (opcja connect) w systemie Linux 2.2.x
    +
    + +

    Konfiguracja ta wymaga skompilowania jądra z opcją transparent proxy. Docelowa usługa musi być umieszczona na osobnej maszynie, do której routing kierowany jest poprzez serwer stunnela.

    + +

    Dodatkowo stunnel powinien być wykonywany jako root i bez opcji setuid.

    + +
    +
    Trybie zdalnym (opcja connect) w systemie FreeBSD >=8.0
    +
    + +

    Konfiguracja ta wymaga skonfigurowania firewalla i routingu. stunnel musi być wykonywany jako root i bez opcji setuid.

    + +
    +
    Trybie lokalnym (opcja exec)
    +
    + +

    Konfiguracja ta jest realizowana przy pomocy biblioteki libstunnel.so. Do załadowania biblioteki wykorzystywana jest zmienna środowiskowa _RLD_LIST na platformie Tru64 lub LD_PRELOAD na innych platformach.

    + +
    +
    + +
    +
    destination
    +
    + +

    Oryginalny adres docelowy jest używany zamiast opcji connect.

    + +

    Przykładowana konfiguracja przezroczystego adresu docelowego:

    + +
        [transparent]
    +    client = yes
    +    accept = <port_stunnela>
    +    transparent = destination
    + +

    Konfiguracja wymaga ustawień iptables, na przykład w pliku /etc/rc.local lub analogicznym.

    + +

    W przypadku docelowej usługi umieszczonej na tej samej maszynie:

    + +
        /sbin/iptables -t nat -I OUTPUT -p tcp --dport <port_przekierowany> \
    +        -m ! --uid-owner <identyfikator_użytkownika_stunnela> \
    +        -j DNAT --to-destination <lokalne_ip>:<lokalny_port>
    + +

    W przypadku docelowej usługi umieszczonej na zdalnej maszynie:

    + +
        /sbin/iptables -I INPUT -i eth0 -p tcp --dport <port_stunnela> -j ACCEPT
    +    /sbin/iptables -t nat -I PREROUTING -p tcp --dport <port_przekierowany> \
    +        -i eth0 -j DNAT --to-destination <lokalne_ip>:<port_stunnela>
    + +

    Przezroczysty adres docelowy jest aktualnie wspierany wyłącznie w systemie Linux.

    + +
    +
    both
    +
    + +

    Użyj przezroczystego proxy zarówno dla adresu źródłowego jak i docelowego.

    + +
    +
    + +

    Dla zapewnienia kompatybilności z wcześniejszymim wersjami wspierane są dwie dodatkowe opcje:

    + +
    + +
    yes
    +
    + +

    Opcja została przemianowana na source.

    + +
    +
    no
    +
    + +

    Opcja została przemianowana na none.

    + +
    +
    + +
    +
    verify = POZIOM
    +
    + +

    weryfikuj certyfikat drugiej strony połączenia

    + +

    Opcja ta jest przestarzała i należy ją zastąpić przez opcje verifyChain i verifyPeer.

    + +
    + +
    poziom 0
    +
    + +

    zarządaj certyfikatu i zignoruj go

    + +
    +
    poziom 1
    +
    + +

    weryfikuj, jeżeli został przedstawiony

    + +
    +
    poziom 2
    +
    + +

    weryfikuj z zainstalowanym certyfikatem Centrum Certyfikacji

    + +
    +
    poziom 3
    +
    + +

    weryfikuj z lokalnie zainstalowanym certyfikatem drugiej strony

    + +
    +
    poziom 4
    +
    + +

    weryfikuj z certyfikatem drugiej strony ignorując łańcuch CA

    + +
    +
    domyślnie
    +
    + +

    nie weryfikuj

    + +
    +
    + +
    +
    verifyChain = yes | no
    +
    + +

    weryfikuj łańcuch certyfikatów drugiej strony

    + +

    Do weryfikacji certyfikatu serwera kluczowe jest, aby wymagać również konkretnego certyfikatu przy pomocy checkHost lub checkIP.

    + +

    Samopodpisany certyfikat głównego CA należy umieścić albo w pliku podanym w opcji CAfile, albo w katalogu podanym w opcji CApath.

    + +

    domyślnie: no

    + +
    +
    verifyPeer = yes | no
    +
    + +

    weryfikuj certyfikat drugiej strony

    + +

    Certyfikat drugiej strony należy umieścić albo w pliku podanym w opcji CAfile, albo w katalogu podanym w opcji CApath.

    + +

    domyślnie: no

    + +
    +
    + +

    ZWRACANA WARTOŚĆ

    + +

    stunnel zwraca zero w przypadku sukcesu, lub wartość niezerową w przypadku błędu.

    + +

    SIGNAŁY

    + +

    Następujące sygnały mogą być użyte do sterowania programem w systemie Unix:

    + +
    + +
    SIGHUP
    +
    + +

    Załaduj ponownie plik konfiguracyjny.

    + +

    Niektóre globalne opcje nie będą przeładowane:

    + +
      + +
    • chroot

      + +
    • +
    • foreground

      + +
    • +
    • pid

      + +
    • +
    • setgid

      + +
    • +
    • setuid

      + +
    • +
    + +

    Jeżeli wykorzystywana jest opcja 'setuid' stunnel nie będzie mógł załadować ponownie konfiguracji wykorzystującej uprzywilejowane (<1024) porty.

    + +

    Jeżeli wykorzystywana jest opcja 'chroot' stunnel będzie szukał wszystkich potrzebnych plików (łącznie z plikiem konfiguracyjnym, certyfikatami, logiem i plikiem pid) wewnątrz katalogu wskazanego przez 'chroot'.

    + +
    +
    SIGUSR1
    +
    + +

    Zamknij i otwórz ponownie log. Funkcja ta może zostać użyta w skrypcie rotującym log programu stunnel.

    + +
    +
    SIGTERM, SIGQUIT, SIGINT
    +
    + +

    Zakończ działanie programu.

    + +
    +
    + +

    Skutek wysłania innych sygnałów jest niezdefiniowany.

    + +

    PRZYKŁADY

    + +

    Szyfrowanie połączeń do lokalnego serwera imapd można użyć:

    + +
        [imapd]
    +    accept = 993
    +    exec = /usr/sbin/imapd
    +    execArgs = imapd
    + +

    albo w trybie zdalnym:

    + +
        [imapd]
    +    accept = 993
    +    connect = 143
    + +

    Aby umożliwić lokalnemu klientowi poczty elektronicznej korzystanie z serwera imapd przez TLS należy skonfigurować pobieranie poczty z adresu localhost i portu 119, oraz użyć następującej konfiguracji:

    + +
        [imap]
    +    client = yes
    +    accept = 143
    +    connect = serwer:993
    + +

    W połączeniu z programem pppd stunnel pozwala zestawić prosty VPN. Po stronie serwera nasłuchującego na porcie 2020 jego konfiguracja może wyglądać następująco:

    + +
        [vpn]
    +    accept = 2020
    +    exec = /usr/sbin/pppd
    +    execArgs = pppd local
    +    pty = yes
    + +

    Poniższy plik konfiguracyjny może być wykorzystany do uruchomienia programu stunnel w trybie inetd. Warto zauważyć, że w pliku konfiguracyjnym nie ma sekcji [nazwa_usługi].

    + +
        exec = /usr/sbin/imapd
    +    execArgs = imapd
    + +

    Aby skonfigurować VPN można użyć następującej konfiguracji klienta:

    + +
        [socks_client]
    +    client = yes
    +    accept = 127.0.0.1:1080
    +    connect = vpn_server:9080
    +    verifyPeer = yes
    +    CAfile = stunnel.pem
    + +

    Odpowiadająca jej konfiguracja serwera vpn_server:

    + +
        [socks_server]
    +    protocol = socks
    +    accept = 9080
    +    cert = stunnel.pem
    +    key = stunnel.key
    + +

    Do przetestowania konfiguracji można wydać na maszynie klienckiej komendę:

    + +
        curl --socks4a localhost http://www.example.com/
    + +

    Przykładowa konfiguracja serwera SNI:

    + +
        [virtual]
    +    ; usługa nadrzędna
    +    accept = 443
    +    cert =  default.pem
    +    connect = default.internal.mydomain.com:8080
    +
    +    [sni1]
    +    ; usługa podrzędna 1
    +    sni = virtual:server1.mydomain.com
    +    cert = server1.pem
    +    connect = server1.internal.mydomain.com:8081
    +
    +    [sni2]
    +    ; usługa podrzędna 2
    +    sni = virtual:server2.mydomain.com
    +    cert = server2.pem
    +    connect = server2.internal.mydomain.com:8082
    +    verifyPeer = yes
    +    CAfile = server2-allowed-clients.pem
    + +

    Przykładowa konfiguracja umożliwiająca uwierzytelnienie z użyciem klucza prywatnego przechowywanego w Windows Certificate Store (tylko Windows). W przypadku użycia silnika CAPI, nie należy ustawiać opcji cert, gdyż klucz klienta zostanie automatycznie pobrany z Certificate Store na podstawie zaufanych certyfikatów CA przedstawionych przez serwer.

    + +
        engine = capi
    +
    +    [service]
    +    engineId = capi
    +    client = yes
    +    accept = 127.0.0.1:8080
    +    connect = example.com:8443
    + +

    Przykładowa konfiguracja umożliwiająca użycie certyfikatu i klucza prywatnego z urządzenia zgodnego z pkcs11:

    + +
        engine = pkcs11
    +    engineCtrl = MODULE_PATH:opensc-pkcs11.so
    +    engineCtrl = PIN:123456
    +
    +    [service]
    +    engineId = pkcs11
    +    client = yes
    +    accept = 127.0.0.1:8080
    +    connect = example.com:843
    +    cert = pkcs11:token=MyToken;object=MyCert
    +    key = pkcs11:token=MyToken;object=MyKey
    + +

    Przykładowa konfiguracja umożliwiająca użycie certyfikatu i klucza prywatnego umieszczonego na tokenie SoftHSM

    + +
        engine = pkcs11
    +    engineCtrl = MODULE_PATH:softhsm2.dll
    +    engineCtrl = PIN:12345
    +
    +    [service]
    +    engineId = pkcs11
    +    client = yes
    +    accept = 127.0.0.1:8080
    +    connect = example.com:843
    +    cert = pkcs11:token=MyToken;object=KeyCert
    + +

    NOTKI

    + +

    OGRANICZENIA

    + +

    stunnel nie może być używany do szyfrowania protokołu FTP, ponieważ do przesyłania poszczególnych plików używa on dodatkowych połączeń otwieranych na portach o dynamicznie przydzielanych numerach. Istnieją jednak specjalne wersje klientów i serwerów FTP pozwalające na szyfrowanie przesyłanych danych przy pomocy protokołu TLS.

    + +

    TRYB INETD (tylko Unix)

    + +

    W większości zastosowań stunnel samodzielnie nasłuchuje na porcie podanym w pliku konfiguracyjnym i tworzy połączenie z innym portem podanym w opcji connect lub nowym programem podanym w opcji exec. Niektórzy wolą jednak wykorzystywać oddzielny program, który odbiera połączenia, po czym uruchamia program stunnel. Przykładami takich programów są inetd, xinetd i tcpserver.

    + +

    Przykładowa linia pliku /etc/inetd.conf może wyglądać tak:

    + +
        imaps stream tcp nowait root @bindir@/stunnel
    +        stunnel @sysconfdir@/stunnel/imaps.conf
    + +

    Ponieważ w takich przypadkach połączenie na zdefiniowanym porcie (tutaj imaps) nawiązuje osobny program (tutaj inetd), stunnel nie może używać opcji accept. W pliku konfiguracyjnym nie może być również zdefiniowana żadna usługa ([nazwa_usługi]), ponieważ konfiguracja taka pozwala na nawiązanie tylko jednego połączenia. Wszystkie OPCJE USŁUG powinny być umieszczone razem z opcjami globalnymi. Przykład takiej konfiguracji znajduje się w sekcji PRZYKŁADY.

    + +

    CERTYFIKATY

    + +

    Protokół TLS wymaga, aby każdy serwer przedstawiał się nawiązującemu połączenie klientowi prawidłowym certyfikatem X.509. Potwierdzenie tożsamości serwera polega na wykazaniu, że posiada on odpowiadający certyfikatowi klucz prywatny. Najprostszą metodą uzyskania certyfikatu jest wygenerowanie go przy pomocy wolnego pakietu OpenSSL. Więcej informacji na temat generowania certyfikatów można znaleźć na umieszczonych poniżej stronach.

    + +

    Istotną kwestią jest kolejność zawartości pliku .pem. W pierwszej kolejności powinien on zawierać klucz prywatny, a dopiero za nim podpisany certyfikat (nie żądanie certyfikatu). Po certyfikacie i kluczu prywatnym powinny znajdować się puste linie. Jeżeli przed certyfikatem znajdują się dodatkowe informacje tekstowe, to powinny one zostać usunięte. Otrzymany plik powinien mieć następującą postać:

    + +
        -----BEGIN RSA PRIVATE KEY-----
    +    [zakodowany klucz]
    +    -----END RSA PRIVATE KEY-----
    +    [pusta linia]
    +    -----BEGIN CERTIFICATE-----
    +    [zakodowany certyfikat]
    +    -----END CERTIFICATE-----
    +    [pusta linia]
    + +

    LOSOWOŚĆ

    + +

    stunnel potrzebuje zainicjować PRNG (generator liczb pseudolosowych), gdyż protokół TLS wymaga do bezpieczeństwa kryptograficznego źródła dobrej losowości. Następujące źródła są kolejno odczytywane aż do uzyskania wystarczającej ilości entropii:

    + +
      + +
    • Zawartość pliku podanego w opcji RNDfile.

      + +
    • +
    • Zawartość pliku o nazwie określonej przez zmienną środowiskową RANDFILE, o ile jest ona ustawiona.

      + +
    • +
    • Plik .rnd umieszczony w katalogu domowym użytkownika, jeżeli zmienna RANDFILE nie jest ustawiona.

      + +
    • +
    • Plik podany w opcji '--with-random' w czasie konfiguracji programu.

      + +
    • +
    • Zawartość ekranu w systemie Windows.

      + +
    • +
    • Gniazdo egd, jeżeli użyta została opcja EGD.

      + +
    • +
    • Gniazdo egd podane w opcji '--with-egd-socket' w czasie konfiguracji programu.

      + +
    • +
    • Urządzenie /dev/urandom.

      + +
    • +
    + +

    Warto zwrócić uwagę, że na maszynach z systemem Windows, na których konsoli nie pracuje użytkownik, zawartość ekranu nie jest wystarczająco zmienna, aby zainicjować PRNG. W takim przypadku do zainicjowania generatora należy użyć opcji RNDfile.

    + +

    Plik RNDfile powinien zawierać dane losowe -- również w tym sensie, że powinny być one inne przy każdym uruchomieniu programu stunnel. O ile nie użyta została opcja RNDoverwrite jest to robione automatycznie. Do ręcznego uzyskania takiego pliku użyteczna może być komenda openssl rand dostarczana ze współczesnymi wersjami pakietu OpenSSL.

    + +

    Jeszcze jedna istotna informacja -- jeżeli dostępne jest urządzenie /dev/urandom biblioteka OpenSSL ma zwyczaj zasilania nim PRNG w trakcie sprawdzania stanu generatora. W systemach z /dev/urandom urządzenie to będzie najprawdopodobniej użyte, pomimo że znajduje się na samym końcu powyższej listy. Jest to właściwość biblioteki OpenSSL, a nie programu stunnel.

    + +

    PARAMETRY DH

    + +

    Począwszy od wersji 4.40 stunnel zawiera w kodzie programu 2048-bitowe parametry DH. Od wersji 5.18 te początkowe wartości parametrów DH są wymieniane na autogenerowane parametry tymczasowe. Wygenerowanie parametrów DH może zająć nawet wiele minut.

    + +

    Alternatywnie parametry DH można umieścić w pliku razem z certyfikatem, co wyłącza generowanie parametrów tymczasowych:

    + +
        openssl dhparam 2048 >> stunnel.pem
    + +

    PLIKI

    + +
    + +
    @sysconfdir@/stunnel/stunnel.conf
    +
    + +

    plik konfiguracyjny programu

    + +
    +
    + +

    BŁĘDY

    + +

    Opcja execArgs oraz linia komend Win32 nie obsługuje cytowania.

    + +

    ZOBACZ RÓWNIEŻ

    + +
    + +
    tcpd(8)
    +
    + +

    biblioteka kontroli dostępu do usług internetowych

    + +
    +
    inetd(8)
    +
    + +

    'super-serwer' internetowy

    + +
    +
    http://www.stunnel.org/
    +
    + +

    strona domowa programu stunnel

    + +
    +
    http://www.openssl.org/
    +
    + +

    strona projektu OpenSSL

    + +
    +
    + +

    AUTOR

    + +
    + +
    Michał Trojnara
    +
    + +

    <Michal.Trojnara@stunnel.org>

    + +
    +
    + + + +
    + stunnel TLS Proxy +
    + + + + + +
diff --git a/doc/stunnel.pl.pod b/doc/stunnel.pl.pod.in
similarity index 54%
rename from doc/stunnel.pl.pod
rename to doc/stunnel.pl.pod.in
index f203312..9661ebe 100644
--- a/doc/stunnel.pl.pod
+++ b/doc/stunnel.pl.pod.in
@@ -2,7 +2,7 @@ =encoding utf8 -stunnel - uniwersalny tunel protokołu SSL +stunnel - uniwersalny tunel protokołu TLS =head1 SKŁADNIA
@@ -11,26 +11,27 @@ stunnel - uniwersalny tunel protokołu SSL =item B -B [>] | S<-fd n> | S<-help> | S<-version> | S<-sockets> +B [S] | S<-fd N> | S<-help> | S<-version> | S<-sockets> | S<-options> =item B -B [ [S<-install> | S<-uninstall> | S<-start> | S<-stop> ] | S<-exit>] - [S<-quiet>] [>] ] | S<-help> | S<-version> | S<-sockets> +B [ [ S<-install> | S<-uninstall> | S<-start> | S<-stop> | + S<-reload> | S<-reopen> | S<-exit> ] [S<-quiet>] [S] ] | + S<-help> | S<-version> | S<-sockets> | S<-options> =back =head1 OPIS -Program B został zaprojektowany do opakowywania w protokół I +Program B został zaprojektowany do opakowywania w protokół I połączeń pomiędzy zdalnymi klientami a lokalnymi lub zdalnymi serwerami. Przez serwer lokalny rozumiana jest aplikacja przeznaczona do uruchamiania przy pomocy I. Stunnel pozwala na proste zestawienie komunikacji serwerów nie posiadających -funkcjonalności I poprzez bezpieczne kanały I. +funkcjonalności I poprzez bezpieczne kanały I. -B pozwala dodać funkcjonalność I do powszechnie stosowanych +B pozwala dodać funkcjonalność I do powszechnie stosowanych demonów I, np. I lub I, do samodzielnych demonów, np. I, I lub I, a nawet tunelować ppp poprzez gniazda sieciowe bez zmian w kodzie źródłowym.
@@ -40,11 +41,11 @@ bez zmian w kodzie źródłowym. =over 4 -=item > +=item B użyj podanego pliku konfiguracyjnego -=item B<-fd n> (tylko Unix) +=item B<-fd N> (tylko Unix) wczytaj konfigurację z podanego deskryptora pliku 
@@ -60,30 +61,41 @@ drukuj wersję programu i domyślne wartości parametrów drukuj domyślne opcje gniazd -=item B<-install> (tylko NT/2000/XP) +=item B<-options> + +drukuj wspierane opcje TLS + +=item B<-install> (tylko Windows NT lub nowszy) instaluj serwis NT -=item B<-uninstall> (tylko NT/2000/XP) +=item B<-uninstall> (tylko Windows NT lub nowszy) odinstaluj serwis NT -=item B<-start> (tylko NT/2000/XP) +=item B<-start> (tylko Windows NT lub nowszy) uruchom serwis NT -=item B<-stop> (tylko NT/2000/XP) +=item B<-stop> (tylko Windows NT lub nowszy) zatrzymaj serwis NT +=item B<-reload> (tylko Windows NT lub nowszy) + +przeładuj plik konfiguracyjny uruchomionego serwisu NT + +=item B<-reopen> (tylko Windows NT lub nowszy) + +otwórz ponownie log uruchomionego serwisu NT + =item B<-exit> (tylko Win32) zatrzymaj uruchomiony program -=item B<-quiet> (tylko NT/2000/XP) +=item B<-quiet> (tylko Win32) -nie wyświetlaj okienka informującego o pomyślnym zainstalowaniu lub -odinstalowaniu +nie wyświetlaj okienek z komunikatami =back
@@ -134,7 +146,7 @@ oddzieloną średnikiem parą adresu (IPv4, IPv6, lub nazwą domenową) i numeru =over 4 -=item B = katalog (tylko Unix) +=item B = KATALOG (tylko Unix) katalog roboczego korzenia systemu plików
@@ -162,7 +174,7 @@ niektóre inne pliki mogą potrzebować plików urządzeń, np. /dev/zero lub /d =back -=item B = deflate | zlib | rle +=item B = deflate | zlib wybór algorytmu kompresji przesyłanych danych
@@ -170,12 +182,7 @@ domyślnie: bez kompresji Algorytm deflate jest standardową metodą kompresji zgodnie z RFC 1951. -Kompresja zlib zaimplementowana w B i nowszych nie jest -kompatybilna implementacją B. - -Kompresja rle nie jest zaimplementowana w aktualnych wersjach B. - -=item B = poziom[.podsystem] +=item B = [PODSYSTEM].POZIOM szczegółowość logowania 
@@ -191,88 +198,107 @@ Podsystemy nie są wspierane przez platformę Win32. Wielkość liter jest ignorowana zarówno dla poziomu jak podsystemu. -=item B = ścieżka_do_EGD (tylko Unix) +=item B = ŚCIEŻKA_DO_EGD (tylko Unix) ścieżka do gniazda programu Entropy Gathering Daemon Opcja pozwala określić ścieżkę do gniazda programu Entropy Gathering Daemon używanego do zainicjalizowania generatora ciągów pseudolosowych biblioteki -B. Opcja jest dostępna z biblioteką B lub nowszą. +B. -=item B = auto | +=item B = auto | IDENTYFIKATOR_URZĄDZENIA wybór sprzętowego urządzenia kryptograficznego domyślnie: bez wykorzystania urządzeń kryptograficznych -Przykładowa konfiguracja umożliwiająca odczytanie klucza prywatnego z -urządzenia zgodnego z OpenSC: +Sekcja PRZYKŁADY zawiera przykładowe konfiguracje wykorzystujące +urządzenia kryptograficzne. - engine=dynamic - engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so - engineCtrl=ID:pkcs11 - engineCtrl=LIST_ADD:1 - engineCtrl=LOAD - engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so - engineCtrl=INIT - - [service] - engineNum=1 - key=id_45 - -=item B = [:] +=item B = KOMENDA[:PARAMETR] konfiguracja urządzenia kryptograficznego -Specjalne komendy "LOAD" i "INIT" pozwalają na załadowanie i inicjalizację -modułu kryptograficznego urządzenia. +=item B = LISTA_ZADAŃ + +lista zadań OpenSSL oddelegowanych do bieżącego urządzenia + +Parametrem jest lista oddzielonych przecinkami zadań OpenSSL, które mają +zostać oddelegowane do bieżącego urządzenia kryptograficznego. + +W zależności od konkretnego urządzenia dostępne mogą być następujące zadania: +ALL, RSA, DSA, ECDH, ECDSA, DH, RAND, CIPHERS, DIGESTS, PKEY, PKEY_CRYPTO, +PKEY_ASN1. =item B = yes | no -Włącz lub wyłącz tryb FIPS 140-2. +tryb FIPS 140-2 Opcja pozwala wyłączyć wejście w tryb FIPS, jeśli B został skompilowany ze wsparciem dla FIPS 140-2. 
-domyślnie: yes (pracuj w trybie FIPS 140-2) +domyślnie: no (od wersji 5.00) -=item B = yes | no (tylko Unix) +=item B = yes | quiet | no (tylko Unix) tryb pierwszoplanowy -Użycie tej opcji powoduje, że B nie przechodzi w tło logując -swoje komunikaty na konsolę zamiast przez I (o ile nie użyto -opcji I). +Użycie tej opcji powoduje, że B nie przechodzi w tło. -=item B = plik +Parametr I powoduje dodatkowo, że komunikaty diagnostyczne logowane są na +standardowy strumień błędów (stderr) oprócz wyjść zdefiniowanych przy pomocy +opcji I i I. + +=item B = PLIK_Z_IKONKĄ (tylko GUI) + +ikonka wyświetlana przy obecności aktywnych połączeń do usługi + +W systemie Windows ikonka to plik .ico zawierający obrazek 16x16 pikseli. + +=item B = PLIK_Z_IKONKĄ (tylko GUI) + +ikonka wyświetlana, jeżeli nie został załadowany poprawny plik konfiguracyjny + +W systemie Windows ikonka to plik .ico zawierający obrazek 16x16 pikseli. + +=item B = PLIK_Z_IKONKĄ (tylko GUI) + +ikonka wyświetlana przy braku aktywnych połączeń do usługi + +W systemie Windows ikonka to plik .ico zawierający obrazek 16x16 pikseli. + +=item B = append | overwrite + +obsługa logów + +Ta opcja pozwala określić, czy nowe logi w pliku (określonym w opcji I) będą dodawane czy nadpisywane. + +domyślnie: append + +=item B = PLIK plik, do którego dopisane zostaną logi Użycie tej opcji powoduje dopisanie logów do podanego pliku. -Do kierowaniakomunikatów na standardowe wyjście (na przykład po to, żeby +Do kierowania komunikatów na standardowe wyjście (na przykład po to, żeby zalogować je programem splogger z pakietu daemontools) można podać jako parametr urządzenie /dev/stdout. -=item B = plik (tylko Unix) +=item B = PLIK (tylko Unix) położenie pliku z numerem procesu -Jeżeli argument jest pusty plik nie zostanie stworzony. +Jeżeli argument jest pusty, plik nie zostanie stworzony. Jeżeli zdefiniowano katalog I, to ścieżka do I jest określona względem tego katalogu. 
-=item B = liczba_bajtów +=item B = LICZBA_BAJTÓW liczba bajtów do zainicjowania generatora pseudolosowego -W wersjach biblioteki B starszych niż B<0.9.5a> opcja ta określa -również liczbę bajtów wystarczających do zainicjowania PRNG. -Nowsze wersje biblioteki mają wbudowaną funkcję określającą, czy -dostarczona ilość losowości jest wystarczająca do zainicjowania generatora. - -=item B = plik +=item B = PLIK ścieżka do pliku zawierającego losowe dane
@@ -285,21 +311,18 @@ nadpisz plik nowymi wartościami pseudolosowymi domyślnie: yes (nadpisz) -=item B = nazwa_serwisu (tylko Unix) +=item B = SERWIS (tylko Unix) -użyj parametru jako nazwy serwisu dla biblioteki TCP Wrapper w trybie I +nazwa usługi + +Podana nazwa usługi będzie używana jako nazwa usługi dla inicjalizacji sysloga, +oraz dla biblioteki TCP Wrapper w trybie I. Chociaż technicznie można +użyć tej opcji w trybie w sekcji usług, to jest ona użyteczna jedynie w opcjach +globalnych. domyślnie: stunnel -=item B = identyfikator_grupy (tylko Unix) - -grupa z której prawami pracował będzie B - -=item B = identyfikator_użytkownika (tylko Unix) - -użytkownik, z którego prawami pracował będzie B - -=item B = a|l|r:option=value[:value] +=item B = a|l|r:OPCJA=WARTOŚĆ[:WARTOŚĆ] ustaw opcję na akceptującym/lokalnym/zdalnym gnieździe
@@ -350,7 +373,7 @@ lub I), należy przeczytać sekcję I poniżej. =over 4 -=item B = [adres:]port +=item B = [HOST:]PORT nasłuchuje na połączenia na podanym adresie i porcie 
@@ -361,13 +384,13 @@ Aby nasłuchiwać na wszystkich adresach IPv6 należy użyć: accept = :::port -=item B = katalog_CA +=item B = KATALOG_CA katalog Centrum Certyfikacji -Opcja określa katalog, w którym B będzie szukał certyfikatów, -jeżeli użyta została opcja I. Pliki z certyfikatami muszą -posiadać specjalne nazwy XXXXXXXX.0, gdzie XXXXXXXX jest skrótem +Opcja określa katalog, w którym B będzie szukał certyfikatów, jeżeli +użyta została opcja I lub I. Pliki z certyfikatami +muszą posiadać specjalne nazwy XXXXXXXX.0, gdzie XXXXXXXX jest skrótem kryptograficznym reprezentacji DER nazwy podmiotu certyfikatu. Funkcja skrótu została zmieniona w B. 
@@ -376,54 +399,107 @@ Należy wykonać c_rehash przy zmianie B na B<1.x.x>. Jeżeli zdefiniowano katalog I, to ścieżka do I jest określona względem tego katalogu. -=item B = plik_CA +=item B = PLIK_CA plik Centrum Certyfikacji Opcja pozwala określić położenie pliku zawierającego certyfikaty używane -przez opcję I. +przez opcję I lub I. -=item B = plik_pem +=item B = PLIK_CERT plik z łańcuchem certyfikatów Opcja określa położenie pliku zawierającego certyfikaty używane przez program B do uwierzytelnienia się przed drugą stroną połączenia. +Plik powinien zawierać kompletny łańcuch certyfikatów począwszy od certyfikatu +klienta/serwera, a skończywszy na samopodpisanym certyfikacie głównego CA. +Obsługiwane są pliki w formacie PEM lub P12. + Certyfikat jest konieczny, aby używać programu w trybie serwera. W trybie klienta certyfikat jest opcjonalny. -=item B = lista_szyfrów +Jeżeli używane jest sprzętowe urządzenie kryptograficzne, to opcja B +pozwala wybrać identyfikator używanego certyfikatu. -lista dozwolonych szyfrów SSL +=item B = EMAIL + +adres email przedstawionego certyfikatu + +Pojedyncza sekcja może zawierać wiele wystąpień opcji B. +Certyfikaty są akceptowane, jeżeli sekcja nie zawiera opcji B, +albo adres email przedstawionego certyfikatu pasuje do jednego z adresów +email określonych przy pomocy B. + +Opcja ta wymaga biblioteki OpenSSL w wersji 1.0.2 lub nowszej. + +=item B = NAZWA_SERWERA + +nazwa serwera przedstawionego certyfikatu + +Pojedyncza sekcja może zawierać wiele wystąpień opcji B. +Certyfikaty są akceptowane, jeżeli sekcja nie zawiera opcji B, albo +nazwa serwera przedstawionego certyfikatu pasuje do jednego nazw określonych +przy pomocy B. + +Opcja ta wymaga biblioteki OpenSSL w wersji 1.0.2 lub nowszej. + +=item B = IP + +adres IP przedstawionego certyfikatu + +Pojedyncza sekcja może zawierać wiele wystąpień opcji B. 
Certyfikaty +są akceptowane, jeżeli sekcja nie zawiera opcji B, albo adres IP +przedstawionego certyfikatu pasuje do jednego z adresów IP określonych przy +pomocy B. + +Opcja ta wymaga biblioteki OpenSSL w wersji 1.0.2 lub nowszej. + +=item B = LISTA_SZYFRÓW + +lista dozwolonych szyfrów TLS Parametrem tej opcji jest lista szyfrów, które będą użyte przy -otwieraniu nowych połączeń SSL, np.: DES-CBC3-SHA:IDEA-CBC-MD5 +otwieraniu nowych połączeń TLS, np.: DES-CBC3-SHA:IDEA-CBC-MD5 =item B = yes | no -tryb kliencki (zdalna usługa używa SSL) +tryb kliencki (zdalna usługa używa TLS) domyślnie: no (tryb serwerowy) -=item B = [adres:]port +=item B = KOMENDA[:PARAMETR] + +komenda konfiguracyjna B + +Komenda konfiguracyjna B zostaje wykonana z podanym parametrem. +Pozwala to na wydawanie komend konfiguracyjnych B z pliku +konfiguracyjnego stunnela. Dostępne komendy opisane są w manualu +I. + +Możliwe jest wyspecyfikowanie wielu opcji B przez wielokrotne użycie +komendy B. + +Opcja ta wymaga biblioteki OpenSSL w wersji 1.0.2 lub nowszej. + +=item B = [HOST:]PORT połącz się ze zdalnym serwerem na podany port Jeżeli nie został podany adres, B domyślnie łączy się z lokalnym serwerem. -Komenda może byc użyta wielokrotnie w pojedynczej sekcji +Komenda może być użyta wielokrotnie w pojedynczej sekcji celem zapewnienia wysokiej niezawodności lub rozłożenia ruchu pomiędzy wiele serwerów. -=item B = katalog_CRL +=item B = KATALOG_CRL katalog List Odwołanych Certyfikatów (CRL) -Opcja określa katalog, w którym B będzie szukał list CRL, -jeżeli użyta została opcja I. Pliki z listami CRL muszą -posiadać specjalne nazwy XXXXXXXX.r0, gdzie XXXXXXXX jest skrótem -listy CRL. +Opcja określa katalog, w którym B będzie szukał list CRL używanych +przez opcje I i I. Pliki z listami CRL muszą posiadać +specjalne nazwy XXXXXXXX.r0, gdzie XXXXXXXX jest skrótem listy CRL. Funkcja skrótu została zmieniona B. Należy wykonać c_rehash przy zmianie B na B<1.x.x>. 
@@ -431,14 +507,14 @@ Należy wykonać c_rehash przy zmianie B na B<1.x.x>. Jeżeli zdefiniowano katalog I, to ścieżka do I jest określona względem tego katalogu. -=item B = plik_CRL +=item B = PLIK_CRL plik List Odwołanych Certyfikatów (CRL) Opcja pozwala określić położenie pliku zawierającego listy CRL używane -przez opcję I. +przez opcje I i I. -=item B = nid +=item B = NID krzywa dla ECDH @@ -448,6 +524,54 @@ Listę dostępnych krzywych można uzyskać poleceniem: domyślnie: prime256v1 +=item B = TYP + +typ identyfikatora połączenia klienta + +Identyfikator ten pozwala rozróżnić wpisy w logu wygenerowane dla +poszczególnych połączeń. + +Aktualnie wspierane typy: + +=over 4 + +=item I + +Kolejny numer połączenia jest unikalny jedynie w obrębie pojedynczej instancji +programu B, ale bardzo krótki. Jest on szczególnie użyteczny przy +ręcznej analizie logów. + +=item I + +Ten rodzaj identyfikatora jest globalnie unikalny, ale znacznie dłuższy, niż +kolejny numer połączenia. Jest on szczególnie użyteczny przy zautomatyzowanej +analizie logów. + +=item I + +Identyfikator wątku systemu operacyjnego nie jest ani unikalny (nawet w obrębie +pojedynczej instancji programu B), ani krótki. Jest on szczególnie +użyteczny przy diagnozowaniu problemów z oprogramowaniem lub konfiguracją. + +=item I + +Identyfikator procesu (PID) może być użyteczny w trybie inetd. + +=back + +domyślnie: sequential + +=item B = POZIOM + +szczegółowość logowania + +Poziom logowania można określić przy pomocy jednej z nazw lub liczb: +emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), +info (6) lub debug (7). +Zapisywane są komunikaty o poziomie niższym (numerycznie) lub równym podanemu. +Do uzyskania najwyższego poziomu szczegółowości można użyć opcji +I lub I. Domyślnym poziomem jest notice (5). + =item B = yes | no opóźnij rozwinięcie adresu DNS podanego w opcji I 
@@ -455,20 +579,35 @@ opóźnij rozwinięcie adresu DNS podanego w opcji I Opcja jest przydatna przy dynamicznym DNS, albo gdy usługa DNS nie jest dostępna przy starcie programu B (klient VPN, połączenie wdzwaniane). -=item B = +Opóźnione rozwijanie adresu DNS jest włączane automatycznie, jeżeli nie +powiedzie się rozwinięcie któregokolwiek z adresów I dla danej +usługi. -wybierz urządzenie do odczyta klucza prywatnego +Opóźnione rozwijanie adresu automatycznie aktywuje I. + +default: no + +=item B = NUMER_URZĄDZENIA + +wybierz urządzenie dla usługi + +=item B = NUMER_URZĄDZENIA + +wybierz urządzenie dla usługi Urządzenia są numerowane od 1 w górę. -=item B = ścieżka_do_programu +=item B = ŚCIEŻKA_DO_PROGRAMU wykonaj lokalny program przystosowany do pracy z superdemonem inetd Jeżeli zdefiniowano katalog I, to ścieżka do I jest określona względem tego katalogu. -=item B = $0 $1 $2 ... +Na platformach Unix ustawiane są następujące zmienne środowiskowe: +REMOTE_HOST, REMOTE_PORT, SSL_CLIENT_DN, SSL_CLIENT_I_DN. + +=item B = $0 $1 $2 ... argumenty do opcji I włącznie z nazwą programu ($0) @@ -479,16 +618,31 @@ Argumenty są rozdzielone dowolną liczbą białych znaków. Strategia wybierania serwerów wyspecyfikowanych parametrami "connect". - rr (round robin) - sprawiedliwe rozłożenie obciążenia - prio (priority) - użyj kolejności opcji w pliku konfiguracyjnym +=over 4 + +=item I + +round robin - sprawiedliwe rozłożenie obciążenia + +=item I + +priority - użyj kolejności opcji w pliku konfiguracyjnym + +=back domyślnie: rr -=item B = nazwa_użytkownika +=item B = NAZWA_UŻYTKOWNIKA weryfikuj nazwę zdalnego użytkownika korzystając z protokołu IDENT (RFC 1413) -=item B = plik_klucza +=item B = KATALOG + +wczytaj fragmenty plików konfiguracyjnych z podanego katalogu + +Pliki są wczytywane w rosnącej kolejności alfabetycznej ich nazw. + +=item B = PLIK_KLUCZA klucz prywatny do certyfikatu podanego w opcji I 
@@ -499,86 +653,82 @@ komendą: chmod 600 keyfile +Jeżeli używane jest sprzętowe urządzenie kryptograficzne, to opcja B +pozwala wybrać identyfikator używanego klucza prywatnego. + domyślnie: wartość opcji I =item B = yes | no włącz lub wyłącz korzystanie z /etc/hosts.allow i /etc/hosts.deny. -domyślnie: yes +domyślnie: no (od wersji 5.00) -=item B = serwer +=item B = HOST IP źródła do nawiązywania zdalnych połączeń Domyślnie używane jest IP najbardziej zewnętrznego interfejsu w stronę serwera, do którego nawiązywane jest połączenie. -=item B = nazwa_usługi:wzorzec_nazwy_serwera (tryb serwera) - -Użyj usługi jako podrzędnej (virtualnego serwera) dla rozszerzenia TLS Server -Name Indication (RFC 3546). - -I wskazuje usługę nadrzędną, która odbiera połączenia od klientów -przy pomocy opcji I. I wskazuje nazwę serwera -wirtualnego. Wzorzec może zaczynać się znakiem '*', np. '*.example.com". -Z pojedyńczą usługą nadrzędną powiązane jest zwykle wiele usług podrzędnych. -Opcja I może być rownież użyta wielokrotnie w ramach jednej usługi -podrzędnej. - -Zarówno usługa nadrzędna jak i podrzędna nie może być skonfigurowana w trybie -klienckim. - -Opcja I usługi podrzędnej jest ignorowana w połączeniu z opcją -I, gdyż połączenie do zdalnego serwera jest w tym wypadku nawiązywane -przed negocjacją TLS. - -Uwierzytelnienie przy pomocy biblioteki libwrap jest realizowane dwukrotnie: -najpierw dla usługi nadrzędnej po odebraniu połączenia TCP, a następnie dla -usługi podrzędnej podczas negocjacji TLS. - -Opcja I jest dostępna począwszy od B. - -=item B = nazwa_serwera (tryb klienta) - -Użyj parametru jako wartości rozszerzenia TLS Server Name Indication -(RFC 3546). - -Opcja I jest dostępna począwszy od B. 
- =item B = URL -serwer OCSP do weryfikacji certyfikatów +responder OCSP do weryfikacji certyfikatów -=item B = flaga +=item B = yes | no -flaga serwera OCSP +weryfikuj certyfikaty przy użyciu respondertów AIA -aktualnie wspierane flagi: NOCERTS, NOINTERN NOSIGS, NOCHAIN, NOVERIFY, +Opcja I pozwala na weryfikowanie certyfikatów przy pomocy listy URLi +responderów OCSP przesłanych w rozszerzeniach AIA (Authority Information Access). + +=item B = FLAGA_OCSP + +flaga respondera OCSP + +Aktualnie wspierane flagi: NOCERTS, NOINTERN, NOSIGS, NOCHAIN, NOVERIFY, NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME Aby wyspecyfikować kilka flag należy użyć I wielokrotnie. -=item B = opcje_SSL +=item B = yes | no + +wysyłaj i weryfikuj OCSP nonce + +Opcja B zabezpiecza protokół OCSP przed atakami powtórzeniowymi. +Ze względu na złożoność obliczeniową rozszerzenie nonce jest zwykle wspierane +jedynie przez wewnętrzne (np. korporacyjne), a nie przez publiczne respondery +OCSP. + +=item B = OPCJE_SSL opcje biblioteki B Parametrem jest nazwa opcji zgodnie z opisem w I, ale bez przedrostka I. -Aby wyspecyfikować kilka opcji należy użyć I wielokrotnie. +I wyświetla opcje dozwolone w aktualnej kombinacji +programu I i biblioteki I. -Na przykład dla zachowania kompatybilności z błędami implementacji SSL -w programie Eudora można użyć opcji: +Aby wyspecyfikować kilka opcji należy użyć I wielokrotnie. +Nazwa opcji może być poprzedzona myślnikiem ("-") celem wyłączenia opcji. 
+ +Na przykład, dla zachowania kompatybilności z błędami implementacji TLS +w programie Eudora, można użyć opcji: options = DONT_INSERT_EMPTY_FRAGMENTS -=item B = protokół +domyślnie: -negocjuj SSL podanym protokołem aplikacyjnym + options = NO_SSLv2 + options = NO_SSLv3 -Opcja ta włącza wstępną negocjację szyfrowania SSL dla wybranego protokołu +=item B = PROTOKÓŁ + +negocjuj TLS podanym protokołem aplikacyjnym + +Opcja ta włącza wstępną negocjację szyfrowania TLS dla wybranego protokołu aplikacyjnego. -Opcji I nie należy używać z szyfrowaniem SSL na osobnym porcie. +Opcji I nie należy używać z szyfrowaniem TLS na osobnym porcie. Aktualnie wspierane protokoły: @@ -586,7 +736,7 @@ Aktualnie wspierane protokoły: =item I -Unieudokumentowane rozszerzenie protokołu CIFS wspierane przez serwer Samba. +Nieudokumentowane rozszerzenie protokołu CIFS wspierane przez serwer Samba. Wsparcie dla tego rozrzeczenia zostało zarzucone w wersji 3.0.0 serwera Samba. =item I 
@@ -621,54 +771,109 @@ Przekazywanie adresu IP haproxy http://haproxy.1wt.eu/download/1.5/doc/proxy-pro Negocjacja RFC 2487 - I +=item I + +Wspierany jest protokół SOCKS w wersjach 4, 4a i 5. +Protokół SOCKS enkapsulowany jest w protokole TLS, więc adres serwera +docelowego nie jest widoczny dla napastnika przechwytującego ruch sieciowy. + +F + +F + +Nie jest wspierana komenda BIND protokołu SOCKS. +Przesłana wartość parametru USERID jest ignorowana. + +Sekcja PRZYKŁADY zawiera przykładowe pliki konfiguracyjne VPNa zbudowanego +w oparciu o szyfrowany protokół SOCKS. + =back -=item B = uwierzytelnienie +=item B = UWIERZYTELNIENIE rodzaj uwierzytelnienia do negocjacji protokołu -aktualnie wspierane: basic, NTLM +Opcja ta jest wpierana wyłącznie w klienckich protokołach 'connect' i 'smtp'. -Obecnie typ uwierzytelnienia ma zastosowanie wyłącznie w protokole 'connect'. +W protokole 'connect' wspierane jest uwierzytelnienie 'basic' oraz 'ntlm'. +Domyślnym rodzajem uwierzytelnienia protokołu 'connect' jest 'basic'. -domyślnie: basic +W protokole 'smtp' wspierane jest uwierzytelnienie 'plain' oraz 'login'. +Domyślnym rodzajem uwierzytelnienia protokołu 'smtp' jest 'plain'. -=item B = adres:port +=item B = DOMENA + +domena do negocjacji protokołu + +W obecnej wersji wybrana domena ma zastosowanie wyłącznie w protokole 'connect'. + +=item B = HOST:PORT adres docelowy do negocjacji protokołu -I określa docelowy serwer SSL, do którego połączyć ma się proxy. +I określa docelowy serwer TLS, do którego połączyć ma się proxy. Nie jest to adres serwera proxy, do którego połączenie zestawia B. Adres serwera proxy powinien być określony przy pomocy opcji 'connect'. W obecnej wersji adres docelowy protokołu ma zastosowanie wyłącznie w protokole 'connect'. -=item B = hasło +=item B = HASŁO hasło do negocjacji protokołu -=item B = użytkownik +Opcja ta jest wspierana wyłącznie w klienckich protokołach 'connect' i 'smtp'. 
+ +=item B = UŻYTKOWNIK nazwa użytkownika do negocjacji protokołu +Opcja ta jest wspierana wyłącznie w klienckich protokołach 'connect' i 'smtp'. + +=item B = TOŻSAMOŚĆ + +tożsamość klienta PSK + +I może zostać użyte w sekcjach klienckich do wybrania +tożsamości użytej do uwierzytelnienia PSK. +Opcja jest ignorowana w sekcjach serwerowych. + +domyślnie: pierwsza tożsamość zdefiniowana w pliku I + +=item B = PLIK + +plik z tożsamościami i kluczami PSK + +Każda linia pliku jest w następującym formacie: + + TOŻSAMOŚĆ:KLUCZ + +Klucz musi być mieć przynajmniej 20 znaków. +Należy ograniczyć dostęp do czytania lub pisania do tego pliku. + =item B = yes | no (tylko Unix) alokuj pseudoterminal dla programu uruchamianego w opcji 'exec' +=item B = [HOST:]PORT + +przekieruj klienta, któremu nie udało się poprawnie uwierzytelnić przy pomocy certyfikatu + +Opcja działa wyłącznie w trybie serwera. +Część negocjacji protokołów jest niekompatybilna z opcją I. + =item B = yes | no -pozwalaj na renegocjację SSL +pozwalaj na renegocjację TLS -Wśród zastosowań renegocjacji SSL są niektóre scenariusze uwierzytelnienia, -oraz renegocjacja kluczy dla długotrwałych połączeń. +Zastosowania renegocjacji TLS zawierają niektóre scenariusze uwierzytelniania oraz renegocjację kluczy dla długotrwałych połączeń. Z drugiej strony własność na może ułatwić trywialny atak DoS poprzez wygenerowanie obciążenia procesora: http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html -Warto zauważyć, że zablokowanie renegocjacji SSL nie zebezpiecza w pełni +Warto zauważyć, że zablokowanie renegocjacji TLS nie zebezpiecza w pełni przed opisanym problemem. domyślnie: yes (o ile wspierane przez B) @@ -677,7 +882,7 @@ domyślnie: yes (o ile wspierane przez B) sygnalizuj wystąpienie błędu przy pomocy flagi TCP RST -Ta opcja nie jest wspierana na niektórych platformach. +Opcja nie jest wspierana na niektórych platformach. domyślnie: yes 
@@ -687,9 +892,37 @@ połącz ponownie sekcję connect+exec po rozłączeniu domyślnie: no -=item B = rozmiar +=item B = yes | no -rozmiar pamięci podręcznej sesji SSL +wymagaj certyfikatu klienta dla I lub I + +Przy opcji I ustawionej na I, B akceptuje +połączenia klientów, które nie wysłały certyfikatu. + +Zarówno I jak i I +automatycznie ustawiają I na I. + +domyślnie: no + +=item B = IDENTYFIKATOR_GRUPY (tylko Unix) + +identyfikator grupy Unix + +Jako opcja globalna: grupa, z której prawami pracował będzie B. + +Jako opcja usługi: grupa gniazda Unix utworzonego przy pomocy opcji "accept". + +=item B = IDENTYFIKATOR_UŻYTKOWNIKA (tylko Unix) + +identyfikator użytkownika Unix + +Jako opcja globalna: użytkownik, z którego prawami pracował będzie B. + +Jako opcja usługi: właściciel gniazda Unix utworzonego przy pomocy opcji "accept". + +=item B = LICZBA_POZYCJI_CACHE + +rozmiar pamięci podręcznej sesji TLS Parametr określa maksymalną liczbę pozycji wewnętrznej pamięci podręcznej sesji. 
@@ -698,40 +931,81 @@ Wartość 0 oznacza brak ograniczenia rozmiaru. Nie jest to zalecane dla systemów produkcyjnych z uwagi na ryzyko ataku DoS przez wyczerpanie pamięci RAM. -=item B = czas +=item B = LICZBA_SEKUND -przeterminowanie pamięci podręcznej sesji SSL +przeterminowanie pamięci podręcznej sesji TLS -Parametr określa czas w sekundach, po którym sesja SSL zostanie usunięta z +Parametr określa czas w sekundach, po którym sesja TLS zostanie usunięta z pamięci podręcznej. -=item B = adres:port +=item B = HOST:PORT -adres sessiond - servera cache sesji SSL +adres sessiond - servera cache sesji TLS -=item B = wersja +=item B = NAZWA_USŁUGI:WZORZEC_NAZWY_SERWERA (tryb serwera) -wersja protokołu SSL +Użyj usługi jako podrzędnej (virtualnego serwera) dla rozszerzenia TLS Server +Name Indication (RFC 3546). -Dozwolone opcje: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 +I wskazuje usługę nadrzędną, która odbiera połączenia od klientów +przy pomocy opcji I. I wskazuje nazwę serwera +wirtualnego. Wzorzec może zaczynać się znakiem '*', np. '*.example.com". Z +pojedyńczą usługą nadrzędną powiązane jest zwykle wiele usług podrzędnych. +Opcja I może być rownież użyta wielokrotnie w ramach jednej usługi +podrzędnej. -=item B = liczba_bajtów (z wyjątkiem modelu FORK) +Zarówno usługa nadrzędna jak i podrzędna nie może być skonfigurowana w trybie +klienckim. -rozmiar stosu procesora wątku +Opcja I usługi podrzędnej jest ignorowana w połączeniu z opcją +I, gdyż połączenie do zdalnego serwera jest w tym wypadku nawiązywane +przed negocjacją TLS. -=item B = liczba_sekund +Uwierzytelnienie przy pomocy biblioteki libwrap jest realizowane dwukrotnie: +najpierw dla usługi nadrzędnej po odebraniu połączenia TCP, a następnie dla +usługi podrzędnej podczas negocjacji TLS. + +Opcja I jest dostępna począwszy od B. + +=item B = NAZWA_SERWERA (tryb klienta) + +Użyj parametru jako wartości rozszerzenia TLS Server Name Indication +(RFC 3546). 
+ +Pusta wartość parametru NAZWA_SERWERA wyłącza wysyłanie rozszerzenia SNI. + +Opcja I jest dostępna począwszy od B. + +=item B = WERSJA_SSL + +wersja protokołu TLS + +Wspierane opcje: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 + +Dostępność konkretnych protokołów zależy od użytej wersji OpenSSL. +Starsze wersje OpenSSL nie wspierają TLSv1.1 i TLSv1.2. +Nowsze wersje OpenSSL nie wspierają SSLv2. + +Przestarzałe protokoły SSLv2 i SSLv3 są domyślnie wyłączone. +Szczegółowe informacje dostępne są w opisie opcji B. + +=item B = LICZBA_BAJTÓW (z wyjątkiem modelu FORK) + +rozmiar stosu procesora wątku + +=item B = LICZBA_SEKUND czas oczekiwania na spodziewane dane -=item B = liczba_sekund +=item B = LICZBA_SEKUND czas oczekiwania na close_notify (ustaw na 0, jeżeli klientem jest MSIE) -=item B = liczba_sekund +=item B = LICZBA_SEKUND czas oczekiwania na nawiązanie połączenia -=item B = liczba_sekund +=item B = LICZBA_SEKUND maksymalny czas utrzymywania bezczynnego połączenia @@ -799,15 +1073,24 @@ Oryginalny adres docelowy jest używany zamiast opcji I. Przykładowana konfiguracja przezroczystego adresu docelowego: [transparent] - client=yes - accept= - transparent=destination + client = yes + accept = + transparent = destination -Konfiguracja wymaga następujących ustawień iptables -(na przykład w pliku /etc/rc.local lub analogicznym): +Konfiguracja wymaga ustawień iptables, na przykład w pliku +/etc/rc.local lub analogicznym. + +W przypadku docelowej usługi umieszczonej na tej samej maszynie: + + /sbin/iptables -t nat -I OUTPUT -p tcp --dport \ + -m ! --uid-owner \ + -j DNAT --to-destination : + +W przypadku docelowej usługi umieszczonej na zdalnej maszynie: /sbin/iptables -I INPUT -i eth0 -p tcp --dport -j ACCEPT - /sbin/iptables -t nat -I PREROUTING -i eth0 -p tcp --dport -j DNAT --to-destination : + /sbin/iptables -t nat -I PREROUTING -p tcp --dport \ + -i eth0 -j DNAT --to-destination : Przezroczysty adres docelowy jest aktualnie wspierany wyłącznie w systemie Linux. 
@@ -832,10 +1115,13 @@ Opcja została przemianowana na I. =back -=item B = poziom +=item B = POZIOM weryfikuj certyfikat drugiej strony połączenia +Opcja ta jest przestarzała i należy ją zastąpić przez opcje +I i I. + =over 4 =item I @@ -864,6 +1150,27 @@ nie weryfikuj =back +=item B = yes | no + +weryfikuj łańcuch certyfikatów drugiej strony + +Do weryfikacji certyfikatu serwera kluczowe jest, aby wymagać również +konkretnego certyfikatu przy pomocy I lub I. + +Samopodpisany certyfikat głównego CA należy umieścić albo w pliku +podanym w opcji I, albo w katalogu podanym w opcji I. + +domyślnie: no + +=item B = yes | no + +weryfikuj certyfikat drugiej strony + +Certyfikat drugiej strony należy umieścić albo w pliku podanym w opcji +I, albo w katalogu podanym w opcji I. + +domyślnie: no + =back @@ -937,7 +1244,7 @@ Szyfrowanie połączeń do lokalnego serwera I można użyć: [imapd] accept = 993 exec = /usr/sbin/imapd - execargs = imapd + execArgs = imapd albo w trybie zdalnym: @@ -945,6 +1252,15 @@ albo w trybie zdalnym: accept = 993 connect = 143 +Aby umożliwić lokalnemu klientowi poczty elektronicznej korzystanie z serwera +I przez TLS należy skonfigurować pobieranie poczty z adresu localhost i +portu 119, oraz użyć następującej konfiguracji: + + [imap] + client = yes + accept = 143 + connect = serwer:993 + W połączeniu z programem I B pozwala zestawić prosty VPN. Po stronie serwera nasłuchującego na porcie 2020 jego konfiguracja może wyglądać następująco: @@ -952,7 +1268,7 @@ może wyglądać następująco: [vpn] accept = 2020 exec = /usr/sbin/pppd - execargs = pppd local + execArgs = pppd local pty = yes Poniższy plik konfiguracyjny może być wykorzystany do uruchomienia 
@@ -960,8 +1276,93 @@ programu B w trybie I. Warto zauważyć, że w pliku konfiguracyjnym nie ma sekcji I<[nazwa_usługi]>. exec = /usr/sbin/imapd - execargs = imapd + execArgs = imapd +Aby skonfigurować VPN można użyć następującej konfiguracji klienta: + + [socks_client] + client = yes + accept = 127.0.0.1:1080 + connect = vpn_server:9080 + verifyPeer = yes + CAfile = stunnel.pem + +Odpowiadająca jej konfiguracja serwera vpn_server: + + [socks_server] + protocol = socks + accept = 9080 + cert = stunnel.pem + key = stunnel.key + +Do przetestowania konfiguracji można wydać na maszynie klienckiej komendę: + + curl --socks4a localhost http://www.example.com/ + +Przykładowa konfiguracja serwera SNI: + + [virtual] + ; usługa nadrzędna + accept = 443 + cert = default.pem + connect = default.internal.mydomain.com:8080 + + [sni1] + ; usługa podrzędna 1 + sni = virtual:server1.mydomain.com + cert = server1.pem + connect = server1.internal.mydomain.com:8081 + + [sni2] + ; usługa podrzędna 2 + sni = virtual:server2.mydomain.com + cert = server2.pem + connect = server2.internal.mydomain.com:8082 + verifyPeer = yes + CAfile = server2-allowed-clients.pem + +Przykładowa konfiguracja umożliwiająca uwierzytelnienie z użyciem klucza prywatnego +przechowywanego w Windows Certificate Store (tylko Windows). +W przypadku użycia silnika CAPI, nie należy ustawiać opcji cert, gdyż klucz klienta +zostanie automatycznie pobrany z Certificate Store na podstawie zaufanych certyfikatów +CA przedstawionych przez serwer. 
+ + engine = capi + + [service] + engineId = capi + client = yes + accept = 127.0.0.1:8080 + connect = example.com:8443 + +Przykładowa konfiguracja umożliwiająca użycie certyfikatu i klucza prywatnego z +urządzenia zgodnego z pkcs11: + + engine = pkcs11 + engineCtrl = MODULE_PATH:opensc-pkcs11.so + engineCtrl = PIN:123456 + + [service] + engineId = pkcs11 + client = yes + accept = 127.0.0.1:8080 + connect = example.com:843 + cert = pkcs11:token=MyToken;object=MyCert + key = pkcs11:token=MyToken;object=MyKey + +Przykładowa konfiguracja umożliwiająca użycie certyfikatu i klucza prywatnego +umieszczonego na tokenie SoftHSM + + engine = pkcs11 + engineCtrl = MODULE_PATH:softhsm2.dll + engineCtrl = PIN:12345 + + [service] + engineId = pkcs11 + client = yes + accept = 127.0.0.1:8080 + connect = example.com:843 + cert = pkcs11:token=MyToken;object=KeyCert =head1 NOTKI @@ -971,7 +1372,7 @@ B nie może być używany do szyfrowania protokołu I, ponieważ do przesyłania poszczególnych plików używa on dodatkowych połączeń otwieranych na portach o dynamicznie przydzielanych numerach. Istnieją jednak specjalne wersje klientów i serwerów FTP pozwalające -na szyfrowanie przesyłanych danych przy pomocy protokołu I. +na szyfrowanie przesyłanych danych przy pomocy protokołu I. =head2 TRYB INETD (tylko Unix) @@ -984,8 +1385,8 @@ programów są inetd, xinetd i tcpserver. Przykładowa linia pliku /etc/inetd.conf może wyglądać tak: - imaps stream tcp nowait root /usr/bin/stunnel - stunnel /etc/stunnel/imaps.conf + imaps stream tcp nowait root @bindir@/stunnel + stunnel @sysconfdir@/stunnel/imaps.conf Ponieważ w takich przypadkach połączenie na zdefiniowanym porcie (tutaj I) nawiązuje osobny program (tutaj I), B 
@@ -998,7 +1399,7 @@ I. =head2 CERTYFIKATY -Protokół SSL wymaga, aby każdy serwer przedstawiał się nawiązującemu +Protokół TLS wymaga, aby każdy serwer przedstawiał się nawiązującemu połączenie klientowi prawidłowym certyfikatem X.509. Potwierdzenie tożsamości serwera polega na wykazaniu, że posiada on odpowiadający certyfikatowi klucz prywatny. @@ -1026,7 +1427,7 @@ następującą postać: =head2 LOSOWOŚĆ B potrzebuje zainicjować PRNG (generator liczb pseudolosowych), -gdyż protokół SSL wymaga do bezpieczeństwa kryptograficznego źródła +gdyż protokół TLS wymaga do bezpieczeństwa kryptograficznego źródła dobrej losowości. Następujące źródła są kolejno odczytywane aż do uzyskania wystarczającej ilości entropii: @@ -1069,12 +1470,6 @@ Urządzenie /dev/urandom. =back -Współczesne (B<0.9.5a> lub nowsze) wersje biblioteki B automatycznie -zaprzestają ładowania kolejnych danych w momencie uzyskania wystarczającej -ilości entropii. Wcześniejsze wersje biblioteki wykorzystają wszystkie -powyższe źródła, gdyż nie istnieje tam funkcja pozwalająca określić, czy -uzyskano już wystarczająco dużo danych. - Warto zwrócić uwagę, że na maszynach z systemem Windows, na których konsoli nie pracuje użytkownik, zawartość ekranu nie jest wystarczająco zmienna, aby zainicjować PRNG. W takim przypadku do zainicjowania 
@@ -1097,20 +1492,21 @@ B. =head2 PARAMETRY DH Począwszy od wersji 4.40 B zawiera w kodzie programu 2048-bitowe -parametry DH. +parametry DH. Od wersji 5.18 te początkowe wartości parametrów DH są +wymieniane na autogenerowane parametry tymczasowe. +Wygenerowanie parametrów DH może zająć nawet wiele minut. -Alternatywnie parametry DH można umieścić w pliku razem z certyfikatem: +Alternatywnie parametry DH można umieścić w pliku razem z certyfikatem, +co wyłącza generowanie parametrów tymczasowych: openssl dhparam 2048 >> stunnel.pem -Wygenerowanie parametrów DH może zająć nawet wiele minut. - =head1 PLIKI =over 4 -=item F +=item F<@sysconfdir@/stunnel/stunnel.conf> plik konfiguracyjny programu @@ -1119,7 +1515,7 @@ plik konfiguracyjny programu =head1 BŁĘDY -Opcja I oraz linia komend Win32 nie obsługuje cytowania. +Opcja I oraz linia komend Win32 nie obsługuje cytowania. =head1 ZOBACZ RÓWNIEŻ @@ -1151,7 +1547,9 @@ strona projektu B =item Michał Trojnara -> +> =back +=for comment +vim:spelllang=pl:spell diff --git a/doc/stunnel.pod b/doc/stunnel.pod deleted file mode 100644 index 4d21676..0000000 --- a/doc/stunnel.pod +++ /dev/null 
@@ -1,1124 +0,0 @@ -=head1 NAME - -=encoding utf8 - -stunnel - universal SSL tunnel - - -=head1 SYNOPSIS - -=over 4 - -=item B - -B [>] | S<-fd n> | S<-help> | S<-version> | S<-sockets> - -=item B - -B [ [S<-install> | S<-uninstall> | S<-start> | S<-stop>] | S<-exit>] - [S<-quiet>] [>] ] | S<-help> | S<-version> | S<-sockets> - -=back - - -=head1 DESCRIPTION - -The B program is designed to work as I encryption wrapper -between remote clients and local (I-startable) or remote -servers. The concept is that having non-SSL aware daemons running on -your system you can easily set them up to communicate with clients over -secure SSL channels. - -B can be used to add SSL functionality to commonly used I -daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like -NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without -changes to the source code. - -This product includes cryptographic software written by -Eric Young (eay@cryptsoft.com) - - -=head1 OPTIONS - -=over 4 - -=item > - -Use specified configuration file - -=item B<-fd n> (Unix only) - -Read the config file from specified file descriptor - -=item B<-help> - -Print B help menu - -=item B<-version> - -Print B version and compile time defaults - -=item B<-sockets> - -Print default socket options - -=item B<-install> (NT/2000/XP only) - -Install NT Service - -=item B<-uninstall> (NT/2000/XP only) - -Uninstall NT Service - -=item B<-start> (NT/2000/XP only) - -Start NT Service - -=item B<-stop> (NT/2000/XP only) - -Stop NT Service - -=item B<-exit> (Win32 only) - -Exit an already started stunnel - -=item B<-quiet> (NT/2000/XP only) - -Don't display any message boxes - -=back - - -=head1 CONFIGURATION FILE - -Each line of the configuration file can be either: - -=over 4 - -=item * - -An empty line (ignored). - -=item * - -A comment starting with ';' (ignored). - -=item * - -An 'option_name = option_value' pair. - -=item * - -'[service_name]' indicating a start of a service definition. 
- -=back - -An address parameter of an option may be either: - -=over 4 - -=item * - -A port number. - -=item * - -A colon-separated pair of IP address (either IPv4, IPv6, or domain name) and port number. - -=item * - -A Unix socket path (Unix only). - -=back - -=head2 GLOBAL OPTIONS - -=over 4 - -=item B = directory (Unix only) - -directory to chroot B process - -B keeps B in chrooted jail. I, I, I -and I are located inside the jail and the patches have to be relative -to the directory specified with B. - -Several functions of the operating system also need their files to be located within chroot jail, e.g.: - -=over 4 - -=item * - -Delayed resolver typically needs /etc/nsswitch.conf and /etc/resolv.conf. - -=item * - -Local time in log files needs /etc/timezone. - -=item * - -Some other functions may need devices, e.g. /dev/zero or /dev/null. - -=back - -=item B = deflate | zlib | rle - -select data compression algorithm - -default: no compression - -deflate is the standard compression method as described in RFC 1951. - -zlib compression of B or above is not backward compatible with -B. - -rle compression is currently not implemented by the B library. - -=item B = [facility.]level - -debugging level - -Level is a one of the syslog level names or numbers -emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), -info (6), or debug (7). All logs for the specified level and -all levels numerically less than it will be shown. Use I or -I for greatest debugging output. The default is notice (5). - -The syslog facility 'daemon' will be used unless a facility name is supplied. -(Facilities are not supported on Win32.) - -Case is ignored for both facilities and levels. - -=item B = egd path (Unix only) - -path to Entropy Gathering Daemon socket - -Entropy Gathering Daemon socket to use to feed B random number -generator. 
(Available only if compiled with B or higher) - -=item B = auto | - -select hardware engine - -default: software-only cryptography - -Here is an example of advanced engine configuration to read private key from an -OpenSC engine - - engine=dynamic - engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so - engineCtrl=ID:pkcs11 - engineCtrl=LIST_ADD:1 - engineCtrl=LOAD - engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so - engineCtrl=INIT - - [service] - engineNum=1 - key=id_45 - -=item B = command[:parameter] - -control hardware engine - -Special commands "LOAD" and "INIT" can be used to load and initialize the -engine cryptogaphic module. - -=item B = yes | no - -Enable or disable FIPS 140-2 mode. - -This option allows to disable entering FIPS mode if B was compiled -with FIPS 140-2 support. - -default: yes - -=item B = yes | no (Unix only) - -foreground mode - -Stay in foreground (don't fork) and log to stderr -instead of via syslog (unless I is specified). - -default: background in daemon mode - -=item B = file - -append log messages to a file - -/dev/stdout device can be used to send log messages to the standard -output (for example to log them with daemontools splogger). - -=item B = file (Unix only) - -pid file location - -If the argument is empty, then no pid file will be created. - -I path is relative to I directory if specified. - -=item B = bytes - -bytes to read from random seed files - -Number of bytes of data read from random seed files. With SSL versions less -than B<0.9.5a>, also determines how many bytes of data are considered -sufficient to seed the PRNG. More recent B versions have a builtin -function to determine when sufficient randomness is available. - -=item B = file - -path to file with random seed data - -The SSL library will use data from this file first to seed the random -number generator. 
- -=item B = yes | no - -overwrite the random seed files with new random data - -default: yes - -=item B = servicename (Unix only) - -use specified string as I mode service name for TCP Wrapper library - -default: stunnel - -=item B = groupname (Unix only) - -setgid() to groupname in daemon mode and clears all other groups - -=item B = username (Unix only) - -setuid() to username in daemon mode - -=item B = a|l|r:option=value[:value] - -Set an option on accept/local/remote socket - -The values for linger option are l_onof:l_linger. -The values for time are tv_sec:tv_usec. - -Examples: - - socket = l:SO_LINGER=1:60 - set one minute timeout for closing local socket - socket = r:SO_OOBINLINE=yes - place out-of-band data directly into the - receive data stream for remote sockets - socket = a:SO_REUSEADDR=no - disable address reuse (enabled by default) - socket = a:SO_BINDTODEVICE=lo - only accept connections on loopback interface - -=item B = yes | no (Unix only) - -enable logging via syslog - -default: yes - -=item B = yes | no (WIN32 only) - -enable the taskbar icon - -default: yes - -=back - - -=head2 SERVICE-LEVEL OPTIONS - -Each configuration section begins with service name in square brackets. -The service name is used for libwrap (TCP Wrappers) access control and lets -you distinguish B services in your log files. - -Note that if you wish to run B in I mode (where it -is provided a network socket by a server such as I, I, -or I) then you should read the section entitled I -below. - - -=over 4 - -=item B = address - -accept connections on specified address - -If no host specified, defaults to all IPv4 addresses for the local host. - -To listen on all IPv6 addresses use: - - connect = :::port - -=item B = directory - -Certificate Authority directory - -This is the directory in which B will look for certificates when using -the I. 
Note that the certificates in this directory should be named -XXXXXXXX.0 where XXXXXXXX is the hash value of the DER encoded subject of the -cert. - -The hash algorithm has been changed in B. It is required to -c_rehash the directory on upgrade from B to B. - -I path is relative to I directory if specified. - -=item B = certfile - -Certificate Authority file - -This file contains multiple CA certificates, used with the I. - -=item B = pemfile - -certificate chain PEM file name - -A PEM is always needed in server mode. -Specifying this flag in client mode will use this certificate chain -as a client side certificate chain. Using client side certs is optional. -The certificates must be in PEM format and must be sorted starting with the -certificate to the highest level (root CA). - -=item B = cipherlist - -Select permitted SSL ciphers - -A colon delimited list of the ciphers to allow in the SSL connection. -For example DES-CBC3-SHA:IDEA-CBC-MD5 - -=item B = yes | no - -client mode (remote service uses SSL) - -default: no (server mode) - -=item B = address - -connect to a remote address - -If no host is specified, the host defaults to localhost. - -Multiple B options are allowed in a single service section. - -If host resolves to multiple addresses and/or if multiple I -options are specified, then the remote address is chosen using a -round-robin algorithm. - -=item B = directory - -Certificate Revocation Lists directory - -This is the directory in which B will look for CRLs when -using the I. Note that the CRLs in this directory should -be named XXXXXXXX.r0 where XXXXXXXX is the hash value of the CRL. - -The hash algorithm has been changed in B. It is required to -c_rehash the directory on upgrade from B to B. - -I path is relative to I directory if specified. - -=item B = certfile - -Certificate Revocation Lists file - -This file contains multiple CRLs, used with the I. 
- -=item B = nid - -specify ECDH curve name - -To get a list of supported cuves use: - - openssl ecparam -list_curves - -default: prime256v1 - -=item B = yes | no - -delay DNS lookup for 'connect' option - -This option is useful for dynamic DNS, or when DNS is not available during -B startup (road warrior VPN, dial-up configurations). - -=item B = engine number - -select engine number to read private key - -The engines are numbered starting from 1. - -=item B = executable_path - -execute local inetd-type program - -I path is relative to I directory if specified. - -=item B = $0 $1 $2 ... - -arguments for I including program name ($0) - -Quoting is currently not supported. -Arguments are separated with arbitrary number of whitespaces. - -=item B = rr | prio - -Failover strategy for multiple "connect" targets. - - rr (round robin) - fair load distribution - prio (priority) - use the order specified in config file - -default: rr - -=item B = username - -use IDENT (RFC 1413) username checking - -=item B = keyfile - -private key for certificate specified with I option - -Private key is needed to authenticate certificate owner. -Since this file should be kept secret it should only be readable -to its owner. On Unix systems you can use the following command: - - chmod 600 keyfile - -default: value of I option - -=item B = yes | no - -Enable or disable the use of /etc/hosts.allow and /etc/hosts.deny. - -default: yes - -=item B = host - -IP of the outgoing interface is used as source for remote connections. -Use this option to bind a static local IP address, instead. - -=item B = service_name:server_name_pattern (server mode) - -Use the service as a slave service (a name-based virtual server) for Server -Name Indication TLS extension (RFC 3546). - -I specifies the master service that accepts client connections -with I option. I specifies the host name to be -redirected. The pattern may start with '*' character, e.g. '*.example.com'. 
-Multiple slave services are normally specified for a single master service. -I option can also be specified more than once within a single slave -service. - -This service, as well as the master service, may not be configured in client -mode. - -I option of the slave service is ignored when I option is -specified, as I connects remote host before TLS handshake. - -Libwrap checks (Unix only) are performed twice: with master service name after -TCP connection is accepted, and with slave service name during TLS handshake. - -Option I is only available when compiled with B and later. - -=item B = server_name (client mode) - -Use the parameter as the value of TLS Server Name Indication (RFC 3546) -extension. - -Option I is only available when compiled with B and later. - -=item B = url - -select OCSP server for certificate verification - -=item B = flag - -specify OCSP server flag - -Several I can be used to specify multiple flags. - -currently supported flags: NOCERTS, NOINTERN NOSIGS, NOCHAIN, NOVERIFY, -NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME - -=item B = SSL_options - -B library options - -The parameter is the B option name as described in the -I manual, but without I prefix. -Several I can be used to specify multiple options. - -For example for compatibility with erroneous Eudora SSL implementation -the following option can be used: - - options = DONT_INSERT_EMPTY_FRAGMENTS - -=item B = proto - -application protocol to negotiate SSL - -This option enables initial, protocol-specific negotiation of the SSL/TLS -encryption. -I option should not be used with SSL encryption on a separate port. - -Currently supported protocols: - -=over 4 - -=item I - -Proprietary (undocummented) extension of CIFS protocol implemented in Samba. -Support for this extension was dropped in Samba 3.0.0. - -=item I - -Based on RFC 2817 - I, section 5.2 - I - -This protocol is only supported in client mode. 
- -=item I - -Based on RFC 2595 - I - -=item I - -Based on RFC 4642 - I - -This protocol is only supported in client mode. - -=item I - -Based on http://www.postgresql.org/docs/8.3/static/protocol-flow.html#AEN73982 - -=item I - -Based on RFC 2449 - I - -=item I - -Haproxy client IP address http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt - -=item I - -Based on RFC 2487 - I - -=back - -=item B = auth_type - -authentication type for protocol negotiations - -currently supported: basic, NTLM - -Currently authentication type only applies to the 'connect' protocol. - -default: basic - -=item B = host:port - -destination address for protocol negotiations - -I specifies the final SSL server to be connected by the proxy, -and not the proxy server directly connected by B. -The proxy server should be specified with the 'connect' option. - -Currently protocol destination address only applies to 'connect' protocol. - -=item B = password - -password for protocol negotiations - -=item B = username - -username for protocol negotiations - -=item B = yes | no (Unix only) - -allocate pseudo terminal for 'exec' option - -=item B = yes | no - -support SSL renegotiation - -Applications of the SSL renegotiation include some authentication scenarios, -or re-keying long lasting connections. - -On the other hand this feature can facilitate a trivial CPU-exhaustion -DoS attack: - -http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html - -Please note that disabling SSL renegotiation does not fully mitigate -this issue. - -default: yes (if supported by B) - -=item B = yes | no - -attempt to use TCP RST flag to indicate an error - -This option is not supported on some platforms. - -default: yes - -=item B = yes | no - -reconnect a connect+exec section after it's disconnected - -default: no - -=item B = size - -session cache size - -I specifies the maximum number of the internal session cache -entries. - -The value of 0 can be used for unlimited size. 
It is not recommended -for production use due to the risk of memory exhaustion DoS attack. - -=item B = timeout - -session cache timeout - -This is the number of seconds to keep cached SSL sessions. - -=item B = host:port - -address of sessiond SSL cache server - -=item B = version - -select version of SSL protocol - -Allowed options: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 - -=item B = bytes (except for FORK model) - -thread stack size - -=item B = seconds - -time to wait for expected data - -=item B = seconds - -time to wait for close_notify (set to 0 for buggy MSIE) - -=item B = seconds - -time to wait to connect a remote host - -=item B = seconds - -time to keep an idle connection - -=item B = none | source | destination | both (Unix only) - -enable transparent proxy support on selected platforms - -Supported values: - -=over 4 - -=item I - -Disable transparent proxy support. This is the default. - -=item I - -Re-write address to appear as if wrapped daemon is connecting -from the SSL client machine instead of the machine running B. - -This option is currently available in: - -=over 4 - -=item Remote mode (I option) on I=2.6.28> - -This configuration requires B to be executed as root and without -I option. - -This configuration requires the following setup for iptables and routing -(possibly in /etc/rc.local or equivalent file): - - iptables -t mangle -N DIVERT - iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT - iptables -t mangle -A DIVERT -j MARK --set-mark 1 - iptables -t mangle -A DIVERT -j ACCEPT - ip rule add fwmark 1 lookup 100 - ip route add local 0.0.0.0/0 dev lo table 100 - echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter - -B must also to be executed as root and without I option. - -=item Remote mode (I option) on I - -This configuration requires kernel to be compiled with I -option. -Connected service must be installed on a separate host. -Routing towards the clients has to go through the B box. 
- -B must also to be executed as root and without I option. - -=item Remote mode (I option) on I=8.0> - -This configuration requires additional firewall and routing setup. -B must also to be executed as root and without I option. - -=item Local mode (I option) - -This configuration works by pre-loading I shared library. -_RLD_LIST environment variable is used on Tru64, and LD_PRELOAD variable on -other platforms. - -=back - -=item I - -Original destination is used instead of I option. - -A service section for transparent destination may look like this: - - [transparent] - client=yes - accept= - transparent=destination - -This configuration requires the following setup for iptables -(possibly in /etc/rc.local or equivalent file): - - /sbin/iptables -I INPUT -i eth0 -p tcp --dport -j ACCEPT - /sbin/iptables -t nat -I PREROUTING -i eth0 -p tcp --dport -j DNAT --to-destination : - -Transparent destination option is currently only supported on Linux. - -=item I - -Use both I and I transparent proxy. - -=back - -Two legacy options are also supported for backward compatibility: - -=over 4 - -=item I - -This options has been renamed to I. - -=item I - -This options has been renamed to I. - -=back - - -=item B = level - -verify peer certificate - -=over 4 - -=item level 0 - -Request and ignore peer certificate. - -=item level 1 - -Verify peer certificate if present. - -=item level 2 - -Verify peer certificate. - -=item level 3 - -Verify peer with locally installed certificate. - -=item level 4 - -Ignore CA chain and only verify peer certificate. - -=item default - -No verify. - -=back - -It is important to understand, that this option was solely designed for access -control and not for authorization. Specifically for level 2 every non-revoked -certificate is accepted regardless of its Common Name. For this reason a -dedicated CA should be used with level 2, and not a generic CA commonly used -for webservers. Level 3 is preferred for point-to-point connections. 
- -=back - - -=head1 RETURN VALUE - -B returns zero on success, non-zero on error. - - -=head1 SIGNALS - -The following signals can be used to control B in Unix environment: - -=over 4 - -=item SIGHUP - -Force a reload of the configuration file. - -Some global options will not be reloaded: - -=over 4 - -=item * - -chroot - -=item * - -foreground - -=item * - -pid - -=item * - -setgid - -=item * - -setuid - -=back - -The use of 'setuid' option will also prevent B from binding privileged -(<1024) ports during configuration reloading. - -When 'chroot' option is used, B will look for all its files (including -configuration file, certificates, log file and pid file) within the chroot -jail. - -=item SIGUSR1 - -Close and reopen B log file. -This function can be used for log rotation. - -=item SIGTERM, SIGQUIT, SIGINT - -Shut B down. - -=back - -The result of sending any other signals to the server is undefined. - - -=head1 EXAMPLES - -In order to provide SSL encapsulation to your local I service, use - - [imapd] - accept = 993 - exec = /usr/sbin/imapd - execargs = imapd - -If you want to provide tunneling to your I daemon on port 2020, -use something like - - [vpn] - accept = 2020 - exec = /usr/sbin/pppd - execargs = pppd local - pty = yes - -If you want to use B in I mode to launch your imapd -process, you'd use this I. -Note there must be no I<[service_name]> section. - - exec = /usr/sbin/imapd - execargs = imapd - - -=head1 NOTES - -=head2 RESTRICTIONS - -B cannot be used for the FTP daemon because of the nature -of the FTP protocol which utilizes multiple ports for data transfers. -There are available SSL enabled versions of FTP and telnet daemons, however. - - -=head2 INETD MODE - -The most common use of B is to listen on a network -port and establish communication with either a new port -via the connect option, or a new program via the I option. 
-However there is a special case when you wish to have -some other program accept incoming connections and -launch B, for example with I, I, -or I. - -For example, if you have the following line in I: - - imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf - -In these cases, the I-style program is responsible -for binding a network socket (I above) and handing -it to B when a connection is received. -Thus you do not want B to have any I option. -All the I should be placed in the -global options section, and no I<[service_name]> section -will be present. See the I section for example -configurations. - -=head2 CERTIFICATES - -Each SSL enabled daemon needs to present a valid X.509 certificate -to the peer. It also needs a private key to decrypt the incoming -data. The easiest way to obtain a certificate and a key is to -generate them with the free B package. You can find more -information on certificates generation on pages listed below. - -The order of contents of the I<.pem> file is important. It should contain the -unencrypted private key first, then a signed certificate (not certificate -request). There should be also empty lines after certificate and private key. -Plaintext certificate information appended on the top of generated certificate -should be discarded. So the file should look like this: - - -----BEGIN RSA PRIVATE KEY----- - [encoded key] - -----END RSA PRIVATE KEY----- - [empty line] - -----BEGIN CERTIFICATE----- - [encoded certificate] - -----END CERTIFICATE----- - [empty line] - -=head2 RANDOMNESS - -B needs to seed the PRNG (pseudo random number generator) in -order for SSL to use good randomness. The following sources are loaded -in order until sufficient random data has been gathered: - -=over 4 - -=item * - -The file specified with the I flag. - -=item * - -The file specified by the RANDFILE environment variable, if set. - -=item * - -The file .rnd in your home directory, if RANDFILE not set. 
- -=item * - -The file specified with '--with-random' at compile time. - -=item * - -The contents of the screen if running on Windows. - -=item * - -The egd socket specified with the I flag. - -=item * - -The egd socket specified with '--with-egd-sock' at compile time. - -=item * - -The /dev/urandom device. - -=back - -With recent (B or later) version of SSL it will stop loading -random data automatically when sufficient entropy has been gathered. With -previous versions it will continue to gather from all the above sources since -no SSL function exists to tell when enough data is available. - -Note that on Windows machines that do not have console user interaction -(mouse movements, creating windows, etc.) the screen contents are not -variable enough to be sufficient, and you should provide a random file -for use with the I flag. - -Note that the file specified with the I flag should contain -random data -- that means it should contain different information -each time B is run. This is handled automatically -unless the I flag is used. If you wish to update this file -manually, the I command in recent versions of B, -would be useful. - -Important note: If /dev/urandom is available, B often seeds the PRNG -with it while checking the random state. On systems with /dev/urandom -B is likely to use it even though it is listed at the very bottom of -the list above. This is the behaviour of B and not B. - -=head2 DH PARAMETERS - -Stunnel 4.40 and later contains hardcoded 2048-bit DH parameters. - -It is also possible to specify DH parameters in the certificate file: - - openssl dhparam 2048 >> stunnel.pem - -DH parameter generation may take several minutes. - - -=head1 FILES - -=over 4 - -=item F - -B configuration file - -=back - - -=head1 BUGS - -Option I and Win32 command line does not support quoting. 
- - -=head1 SEE ALSO - -=over 4 - -=item L - -access control facility for internet services - -=item L - -internet 'super-server' - -=item F - -B homepage - -=item F - -B project website - -=back - - -=head1 AUTHOR - -=over 4 - -=item Michał Trojnara - -> - -=back - diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in new file mode 100644 index 0000000..6118d12 --- /dev/null +++ b/doc/stunnel.pod.in 
@@ -0,0 +1,1529 @@
+=head1 NAME
+
+=encoding utf8
+
+stunnel - TLS offloading and load-balancing proxy
+
+
+=head1 SYNOPSIS
+
+=over 4
+
+=item B
+
+B [S] | S<-fd N> | S<-help> | S<-version> | S<-sockets> | S<-options>
+
+=item B
+
+B [ [ S<-install> | S<-uninstall> | S<-start> | S<-stop> |
+ S<-reload> | S<-reopen> | S<-exit> ] [S<-quiet>] [S] ] |
+ S<-help> | S<-version> | S<-sockets> | S<-options>
+
+=back
+
+
+=head1 DESCRIPTION
+
+The B program is designed to work as I encryption wrapper
+between remote clients and local (I-startable) or remote
+servers. The concept is that having non-TLS aware daemons running on
+your system you can easily set them up to communicate with clients over
+secure I channels.
+
+B can be used to add I functionality to commonly used I
+daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like
+NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without
+changes to the source code.
+
+This product includes cryptographic software written by
+Eric Young (eay@cryptsoft.com)
+
+
+=head1 OPTIONS
+
+=over 4
+
+=item B
+
+Use specified configuration file
+
+=item B<-fd N> (Unix only)
+
+Read the config file from specified file descriptor
+
+=item B<-help>
+
+Print B help menu
+
+=item B<-version>
+
+Print B version and compile time defaults
+
+=item B<-sockets>
+
+Print default socket options
+
+=item B<-options>
+
+Print supported TLS options
+
+=item B<-install> (Windows NT and later only)
+
+Install NT Service
+
+=item B<-uninstall> (Windows NT and later only)
+
+Uninstall NT Service
+
+=item B<-start> (Windows NT and later only)
+
+Start NT Service
+
+=item B<-stop> (Windows NT and later only)
+
+Stop NT Service
+
+=item B<-reload> (Windows NT and later only)
+
+Reload the configuration file of the running NT Service
+
+=item B<-reopen> (Windows NT and later only)
+
+Reopen the log file of the running NT Service
+
+=item B<-exit> (Win32 only)
+
+Exit an already started stunnel
+
+=item B<-quiet> (Win32 only)
+
+Don't display any message boxes
+
+=back
+
+
+=head1 CONFIGURATION FILE
+
+Each line of the configuration file can be either:
+
+=over 4
+
+=item *
+
+An empty line (ignored).
+
+=item *
+
+A comment starting with ';' (ignored).
+
+=item *
+
+An 'option_name = option_value' pair.
+
+=item *
+
+'[service_name]' indicating a start of a service definition.
+
+=back
+
+An address parameter of an option may be either:
+
+=over 4
+
+=item *
+
+A port number.
+
+=item *
+
+A colon-separated pair of IP address (either IPv4, IPv6, or domain name) and port number.
+
+=item *
+
+A Unix socket path (Unix only).
+
+=back
+
+=head2 GLOBAL OPTIONS
+
+=over 4
+
+=item B = DIRECTORY (Unix only)
+
+directory to chroot B process
+
+B keeps B in a chrooted jail. I, I, I
+and I are located inside the jail and the patches have to be relative
+to the directory specified with B.
+
+Several functions of the operating system also need their files to be located within the chroot jail, e.g.:
+
+=over 4
+
+=item *
+
+Delayed resolver typically needs /etc/nsswitch.conf and /etc/resolv.conf.
+
+=item *
+
+Local time in log files needs /etc/timezone.
+
+=item *
+
+Some other functions may need devices, e.g. /dev/zero or /dev/null.
+
+=back
+
+=item B = deflate | zlib
+
+select data compression algorithm
+
+default: no compression
+
+Deflate is the standard compression method as described in RFC 1951.
+
+=item B = [FACILITY.]LEVEL
+
+debugging level
+
+Level is one of the syslog level names or numbers
+emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
+info (6), or debug (7). All logs for the specified level and
+all levels numerically less than it will be shown. Use I or
+I for greatest debugging output. The default is notice (5).
+
+The syslog facility 'daemon' will be used unless a facility name is supplied.
+(Facilities are not supported on Win32.)
+
+Case is ignored for both facilities and levels.
+
+=item B = EGD_PATH (Unix only)
+
+path to Entropy Gathering Daemon socket
+
+Entropy Gathering Daemon socket to use to feed the B random number
+generator.
+
+=item B = auto | ENGINE_ID
+
+select hardware or software cryptographic engine
+
+default: software-only cryptography
+
+See Examples section for an engine configuration to use the certificate and the corresponding private key from a cryptographic device.
+
+=item B = COMMAND[:PARAMETER]
+
+control hardware engine
+
+=item B = TASK_LIST
+
+set OpenSSL tasks delegated to the current engine
+
+The parameter specifies a comma-separated list of task to be delegated to the
+current engine.
+
+The following tasks may be available, if supported by the engine: ALL, RSA,
+DSA, ECDH, ECDSA, DH, RAND, CIPHERS, DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1.
+
+=item B = yes | no
+
+enable or disable FIPS 140-2 mode.
+
+This option allows you to disable entering FIPS mode if B was compiled
+with FIPS 140-2 support.
+
+default: no (since version 5.00)
+
+=item B = yes | quiet | no (Unix only)
+
+foreground mode
+
+Stay in foreground (don't fork).
+
+With the I parameter it also logs to stderr in addition to
+the destinations specified with I and I.
+
+default: background in daemon mode
+
+=item B = ICON_FILE (GUI only)
+
+GUI icon to be displayed when there are established connections
+
+On Windows platform the parameter should be an .ico file containing a 16x16
+pixel image.
+
+=item B = ICON_FILE (GUI only)
+
+GUI icon to be displayed when no valid configuration is loaded
+
+On Windows platform the parameter should be an .ico file containing a 16x16
+pixel image.
+
+=item B = ICON_FILE (GUI only)
+
+GUI icon to be displayed when there are no established connections
+
+On Windows platform the parameter should be an .ico file containing a 16x16
+pixel image.
+
+=item B = append | overwrite
+
+log file handling
+
+This option allows you to choose whether the log file (specified with the I
+option) is appended or overwritten when opened or re-opened.
+
+default: append
+
+=item B = FILE
+
+append log messages to a file
+
+/dev/stdout device can be used to send log messages to the standard
+output (for example to log them with daemontools splogger).
+
+=item B = FILE (Unix only)
+
+pid file location
+
+If the argument is empty, then no pid file will be created.
+
+I path is relative to the I directory if specified.
+
+=item B = BYTES
+
+bytes to read from random seed files
+
+=item B = FILE
+
+path to file with random seed data
+
+The OpenSSL library will use data from this file first to seed the random
+number generator.
+
+=item B = yes | no
+
+overwrite the random seed files with new random data
+
+default: yes
+
+=item B = SERVICE (Unix only)
+
+stunnel service name
+
+The specified service name is used for syslog and as the I mode service
+name for TCP Wrappers. While this option can technically be specified in the
+service sections, it is only useful in global options.
+
+default: stunnel
+
+=item B = a|l|r:OPTION=VALUE[:VALUE]
+
+Set an option on the accept/local/remote socket
+
+The values for the linger option are l_onof:l_linger.
+The values for the time are tv_sec:tv_usec.
+
+Examples:
+
+ socket = l:SO_LINGER=1:60
+ set one minute timeout for closing local socket
+ socket = r:SO_OOBINLINE=yes
+ place out-of-band data directly into the
+ receive data stream for remote sockets
+ socket = a:SO_REUSEADDR=no
+ disable address reuse (enabled by default)
+ socket = a:SO_BINDTODEVICE=lo
+ only accept connections on loopback interface
+
+=item B = yes | no (Unix only)
+
+enable logging via syslog
+
+default: yes
+
+=item B = yes | no (WIN32 only)
+
+enable the taskbar icon
+
+default: yes
+
+=back
+
+
+=head2 SERVICE-LEVEL OPTIONS
+
+Each configuration section begins with a service name in square brackets.
+The service name is used for libwrap (TCP Wrappers) access control and lets
+you distinguish B services in your log files.
+
+Note that if you wish to run B in I mode (where it
+is provided a network socket by a server such as I, I,
+or I) then you should read the section entitled I
+below.
+
+
+=over 4
+
+=item B = [HOST:]PORT
+
+accept connections on specified address
+
+If no host specified, defaults to all IPv4 addresses for the local host.
+
+To listen on all IPv6 addresses use:
+
+ accept = :::PORT
+
+=item B = DIRECTORY
+
+Certificate Authority directory
+
+This is the directory in which B will look for certificates when using
+the I or I options. Note that the certificates in
+this directory should be named XXXXXXXX.0 where XXXXXXXX is the hash value of
+the DER encoded subject of the cert.
+
+The hash algorithm has been changed in B. It is required to
+c_rehash the directory on upgrade from B to B.
+
+I path is relative to the I directory if specified.
+
+=item B = CA_FILE
+
+Certificate Authority file
+
+This file contains multiple CA certificates, to be used with the I
+and I options.
+
+=item B = CERT_FILE
+
+certificate chain file name
+
+The parameter specifies the file containing certificates used by B
+to authenticate itself against the remote client or server.
+The file should contain the whole certificate chain starting from the actual
+server/client certificate, and ending with the self-signed root CA certificate.
+The file must be either in PEM or P12 format.
+
+A certificate chain is required in server mode, and optional in client mode.
+
+This parameter is also used as the certificate identifier when a hardware
+engine is enabled.
+
+=item B = EMAIL
+
+email address of the peer certificate subject
+
+Multiple I options are allowed in a single service section.
+Certificates are accepted if no I option was specified, or the
+email address of the peer certificate matches any of the email addresses
+specified with I.
+
+This option requires OpenSSL 1.0.2 or later.
+
+=item B = HOST
+
+host of the peer certificate subject
+
+Multiple I options are allowed in a single service section.
+Certificates are accepted if no I option was specified, or the host
+name of the peer certificate matches any of the hosts specified with
+I.
+
+This option requires OpenSSL 1.0.2 or later.
+
+=item B = IP
+
+IP address of the peer certificate subject
+
+Multiple I options are allowed in a single service section.
+Certificates are accepted if no I option was specified, or the IP
+address of the peer certificate matches any of the IP addresses specified with
+I.
+
+This option requires OpenSSL 1.0.2 or later.
+
+=item B = CIPHER_LIST
+
+Select permitted TLS ciphers
+
+A colon-delimited list of the ciphers to allow in the TLS connection,
+for example DES-CBC3-SHA:IDEA-CBC-MD5.
+
+=item B = yes | no
+
+client mode (remote service uses TLS)
+
+default: no (server mode)
+
+=item B = COMMAND[:PARAMETER]
+
+B configuration command
+
+The B configuration command is executed with the specified parameter.
+This allows any configuration commands to be invoked from the stunnel
+configuration file. Supported commands are described on the
+I manual page.
+
+Several I lines can be used to specify multiple configuration commands.
+
+This option requires OpenSSL 1.0.2 or later.
+
+=item B = [HOST:]PORT
+
+connect to a remote address
+
+If no host is specified, the host defaults to localhost.
+
+Multiple I options are allowed in a single service section.
+
+If host resolves to multiple addresses and/or if multiple I
+options are specified, then the remote address is chosen using a
+round-robin algorithm.
+
+=item B = DIRECTORY
+
+Certificate Revocation Lists directory
+
+This is the directory in which B will look for CRLs when using the
+I and I options. Note that the CRLs in this directory
+should be named XXXXXXXX.r0 where XXXXXXXX is the hash value of the CRL.
+
+The hash algorithm has been changed in B.
It is required to
+c_rehash the directory on upgrade from B to B.
+
+I path is relative to the I directory if specified.
+
+=item B = CRL_FILE
+
+Certificate Revocation Lists file
+
+This file contains multiple CRLs, used with the I and
+I options.
+
+=item B = NID
+
+specify ECDH curve name
+
+To get a list of supported curves use:
+
+ openssl ecparam -list_curves
+
+default: prime256v1
+
+=item B = TYPE
+
+connection identifier type
+
+This identifier allows you to distinguish log entries generated for each of the
+connections.
+
+Currently supported types:
+
+=over 4
+
+=item I
+
+The numeric sequential identifier is only unique within a single instance of
+B, but very compact. It is most useful for manual log analysis.
+
+=item I
+
+This alphanumeric identifier is globally unique, but longer than the sequential
+number. It is most useful for automated log analysis.
+
+=item I
+
+The operating system thread identifier is neither unique (even within a single
+instance of B) nor short. It is most useful for debugging software
+or configuration issues.
+
+=item I
+
+The operating system process identifier (PID) may be useful in the inetd mode.
+
+=back
+
+default: sequential
+
+=item B = LEVEL
+
+debugging level
+
+Level is a one of the syslog level names or numbers
+emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
+info (6), or debug (7). All logs for the specified level and
+all levels numerically less than it will be shown. Use I or
+I for greatest debugging output. The default is notice (5).
+
+=item B = yes | no
+
+delay DNS lookup for the I option
+
+This option is useful for dynamic DNS, or when DNS is not available during
+B startup (road warrior VPN, dial-up configurations).
+
+Delayed resolver mode is automatically engaged when stunnel fails to resolve on
+startup any of the I targets for a service.
+
+Delayed resolver inflicts I.
+
+default: no
+
+=item B = ENGINE_ID
+
+select engine ID for the service
+
+=item B = ENGINE_NUMBER
+
+select engine number for the service
+
+The engines are numbered starting from 1.
+
+=item B = EXECUTABLE_PATH
+
+execute a local inetd-type program
+
+I path is relative to the I directory if specified.
+
+The following environmental variables are set on Unix platforms:
+REMOTE_HOST, REMOTE_PORT, SSL_CLIENT_DN, SSL_CLIENT_I_DN.
+
+=item B = $0 $1 $2 ...
+
+arguments for I including the program name ($0)
+
+Quoting is currently not supported.
+Arguments are separated with an arbitrary amount of whitespace.
+
+=item B = rr | prio
+
+Failover strategy for multiple "connect" targets.
+
+=over 4
+
+=item I
+
+round robin - fair load distribution
+
+=item I
+
+priority - use the order specified in config file
+
+=back
+
+default: rr
+
+=item B = USERNAME
+
+use IDENT (RFC 1413) username checking
+
+=item B = DIRECTORY
+
+include all configuration file parts located in DIRECTORY
+
+The files are included in the ascending alphabetical order of their names.
+
+=item B = KEY_FILE
+
+private key for the certificate specified with I option
+
+A private key is needed to authenticate the certificate owner.
+Since this file should be kept secret it should only be readable
+by its owner. On Unix systems you can use the following command:
+
+ chmod 600 keyfile
+
+This parameter is also used as the private key identifier when a hardware
+engine is enabled.
+
+default: the value of the I option
+
+=item B = yes | no
+
+Enable or disable the use of /etc/hosts.allow and /etc/hosts.deny.
+
+default: no (since version 5.00)
+
+=item B = HOST
+
+By default, the IP address of the outgoing interface is used as the source for
+remote connections. Use this option to bind a static local IP address instead.
+
+=item B = URL
+
+select OCSP responder for certificate verification
+
+=item B = yes | no
+
+validate certificates with their AIA OCSP responders
+
+This option enables I to validate certificates with the list of
+OCSP responder URLs retrieved from their AIA (Authority Information Access)
+extension.
+
+=item B = OCSP_FLAG
+
+specify OCSP responder flag
+
+Several I can be used to specify multiple flags.
+
+currently supported flags: NOCERTS, NOINTERN, NOSIGS, NOCHAIN, NOVERIFY,
+NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME
+
+=item B = yes | no
+
+send and verify the OCSP nonce extension
+
+This option protects the OCSP protocol against replay attacks. Due to its
+computational overhead, the nonce extension is usually only supported on
+internal (e.g. corporate) responders, and not on public OCSP responders.
+
+=item B = SSL_OPTIONS
+
+B library options
+
+The parameter is the B option name as described in the
+I manual, but without I prefix.
+I lists the options found to be allowed in the
+current combination of I and the I library used
+to build it.
+
+Several I