Compare commits

...

15 Commits

Author SHA1 Message Date
Mario Fetka 3f780093b7 Bump 2019-08-02 16:02:55 +02:00
Peter Pentchev a4672526d7 Imported Debian patch 3:5.44-1 2018-03-29 12:42:36 +02:00
Mario Fetka 814d2ec685 Imported Upstream version 5.44 2018-03-29 12:42:35 +02:00
Mario Fetka 814d9ca18b Bump 2017-11-15 15:06:40 +01:00
Mario Fetka d419cab3c4 Imported Upstream version 5.42 2017-11-15 15:03:25 +01:00
Peter Pentchev 10de5e9e32 Imported Debian patch 3:5.42-1 2017-11-15 15:03:25 +01:00
Mario Fetka 98b4ec0cd9 Bump 2017-11-15 15:03:17 +01:00
Mario Fetka 8e9bdf3481 Bump 2017-03-28 10:47:03 +02:00
Mario Fetka 18f12ad1bc Bump 2017-03-28 10:42:58 +02:00
Mario Fetka 83fe2cf45c Bump 2017-03-28 10:30:49 +02:00
Mario Fetka 595593c0e7 Bump 2017-03-28 10:29:18 +02:00
Mario Fetka 4e8986c5ef Bump 2017-03-28 10:20:27 +02:00
Mario Fetka b8998ae382 Merge tag 'upstream/4.57' (Upstream version 4.57) 2017-03-28 10:18:04 +02:00
Mario Fetka 74a62c14eb Imported Upstream version 4.57 2017-03-28 10:18:03 +02:00
Salvatore Bonaccorso 8e474e5321 Imported Debian patch 3:4.53-1.1 2017-03-28 09:58:14 +02:00
190 changed files with 49441 additions and 24799 deletions

.travis.yml (new file, 34 lines)

@ -0,0 +1,34 @@
sudo: false
language: c
os:
- linux
- osx
compiler:
- gcc
- clang
env:
- CONFIGURE_OPTIONS='--with-threads=pthread'
- CONFIGURE_OPTIONS='--with-threads=fork'
- CONFIGURE_OPTIONS='--with-threads=ucontext'
- CONFIGURE_OPTIONS='--disable-ipv6 --disable-fips --disable-systemd --disable-libwrap'
addons:
apt:
packages:
- autoconf-archive
- libssl-dev
- libwrap0-dev
- nmap
before_script:
- if [ "$TRAVIS_OS_NAME" == "osx" ]; then brew update; brew install autoconf-archive nmap; fi; true
- autoreconf -fvi && touch src/dhparam.c
script:
- ./configure $CONFIGURE_OPTIONS
- make
- make test || ( for FILE in tests/logs/*.log; do echo "*** $FILE ***"; cat "$FILE"; done; false )
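Review bot: in "before_script", the osx branch ends with "fi; true", so a failed "brew update" or "brew install autoconf-archive nmap" never fails the step and the build only dies later at "autoreconf" or "make test" with a much less obvious error; drop the trailing "; true" (or put "set -e" in front) so a missing dependency fails fast at the line that caused it. The "touch src/dhparam.c" after "autoreconf -fvi" also deserves a one-line comment saying why the timestamp is bumped (presumably to keep the build from regenerating the DH parameter source), because a reader of the matrix cannot tell whether it is a workaround or part of the test fixture. Minor: the fourth CONFIGURE_OPTIONS entry turns off ipv6, fips, systemd and libwrap in one job, so a failure there cannot be attributed to a single option; splitting it costs a few more matrix jobs but makes breakage attributable.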


@ -1,4 +1,4 @@
stunnel authors
Michal Trojnara <Michal.Trojnara@mirt.net>
Michal Trojnara <Michal.Trojnara@stunnel.org>


@ -1,6 +1,6 @@
stunnel license (see COPYRIGHT.GPL for detailed GPL conditions)
Copyright (C) 1998-2012 Michal Trojnara
Copyright (C) 1998-2017 Michal Trojnara
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software

CREDITS (39 lines changed)

@ -1,9 +1,40 @@
Special thx to:
stunnel code contributions
The code contributions are licensed as public domain unless stated otherwise.
Several Win32 and WCE improvements and bugfixes:
* Pierre Delaage <delaage.pierre@free.fr>
systemd socket activation in version 5.05:
Copyright (c) 2014 Mark Theunissen
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Several bugfixes and improvements mostly in versions 3.xx:
* Brian Hatch <bri@stunnel.org>
Initial PTY support in version 3.05:
* Dirk O. Siebnich <dok@vossnet.de>
Initial SSL support in versions 1.x:
* Adam Hernik <adas@infocentrum.com>
* Pawel Krawczyk <kravietz@ceti.com.pl>
* Brian Hatch <bri@stunnel.org>
* Dirk O. Siebnich <dok@vossnet.de> for PTY support
and many others...
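Review bot: the new MIT notice for the systemd socket activation code ("Copyright (c) 2014 Mark Theunissen" through "SOFTWARE.") requires the notice to be reproduced in all copies, so for a packaging import this file now carries a second licence that the package's copyright metadata has to list separately instead of treating the whole tree as GPL; the blanket "licensed as public domain unless stated otherwise" line above it explicitly does not cover that block. Worth checking in the same import rather than at the next lintian run.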

ChangeLog (777 lines changed)

@ -1,5 +1,767 @@
stunnel change log
Version 5.44, 2017.11.26, urgency: MEDIUM
* New features
- Signed Win32 executables, libraries, and installer.
* Bugfixes
- Default accept address restored to INADDR_ANY.
- Fixed a race condition in "make check".
- Fixed removing the pid file after configuration reload.
Version 5.43, 2017.11.05, urgency: LOW
* New features
- OpenSSL DLLs updated to version 1.0.2m.
- Android build updated to OpenSSL 1.1.0g.
- Allow for multiple "accept" ports per section.
- Self-test framework (make check).
- Added config load before OpenSSL init (thx to Dmitrii Pichulin).
- OpenSSL 1.1.0 support for Travis CI.
- OpenSSL 1.1.1-dev compilation fixes.
* Bugfixes
- Fixed a memory fault on Solaris.
- Fixed round-robin failover in the FORK threading model.
- Fixed handling SSL_ERROR_ZERO_RETURN in SSL_shutdown().
- Minor fixes of the logging subsystem.
Version 5.42, 2017.07.16, urgency: HIGH
* New features
- "redirect" also supports "exec" and not only "connect".
- PKCS#11 engine DLL updated to version 0.4.7.
* Bugfixes
- Fixed premature cron thread initialization causing hangs.
- Fixed "verifyPeer = yes" on OpenSSL <= 1.0.1.
- Fixed pthreads support on OpenSolaris.
Version 5.41, 2017.04.01, urgency: MEDIUM
* New features
- PKCS#11 engine DLL updated to version 0.4.5.
- Default engine UI set with ENGINE_CTRL_SET_USER_INTERFACE.
- Key file name added into the passphrase console prompt.
- Performance optimization in memory leak detection.
* Bugfixes
- Fixed crashes with the OpenSSL 1.1.0 branch.
- Fixed certificate verification with "verifyPeer = yes"
and "verifyChain = no" (the default), while the peer
only returns a single certificate.
Version 5.40, 2017.01.28, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2k.
https://www.openssl.org/news/secadv/20170126.txt
* New features
- DH ciphersuites are now disabled by default.
- The daily server DH parameter regeneration is only performed if
DH ciphersuites are enabled in the configuration file.
- "checkHost" and "checkEmail" were modified to require either
"verifyChain" or "verifyPeer" (thx to Małorzata Olszówka).
* Bugfixes
- Fixed setting default ciphers.
Version 5.39, 2017.01.01, urgency: LOW
* New features
- PKCS#11 engine (pkcs11.dll) added to the Win32 build.
- Per-destination TLS session cache added for the client mode.
- The new "logId" parameter "process" added to log PID values.
- Added support for the new SSL_set_options() values.
- Updated the manual page.
- Obsolete references to "SSL" replaced with "TLS".
* Bugfixes
- Fixed "logId" parameter to also work in inetd mode.
- "delay = yes" properly enforces "failover = prio".
- Fixed fd_set allocation size on Win64.
- Fixed reloading invalid configuration file on Win32.
- Fixed resolving addresses with unconfigured network interfaces.
Version 5.38, 2016.11.26, urgency: MEDIUM
* New features
- "sni=" can be used to prevent sending the SNI extension.
- The AI_ADDRCONFIG resolver flag is used when available.
- Merged Debian 06-lfs.patch (thx to Peter Pentchev).
* Bugfixes
- Fixed a memory allocation bug causing crashes with OpenSSL 1.1.0.
- Fixed error handling for mixed IPv4/IPv6 destinations.
- Merged Debian 08-typos.patch (thx to Peter Pentchev).
Version 5.37, 2016.11.06, urgency: MEDIUM
* Bugfixes
- OpenSSL DLLs updated to version 1.0.2j (stops crashes).
- The default SNI target (not handled by any slave service)
is handled by the master service rather than rejected.
- Removed thread synchronization in the FORK threading model.
Version 5.36, 2016.09.22, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2i.
https://www.openssl.org/news/secadv_20160922.txt
* New features
- Added support for OpenSSL 1.1.0 built with "no-deprecated".
- Removed direct zlib dependency.
Version 5.35, 2016.07.18, urgency: HIGH
* Bugfixes
- Fixed incorrectly enforced client certificate requests.
- Only default to SO_EXCLUSIVEADDRUSE on Vista and later.
- Fixed thread safety of the configuration file reopening.
Version 5.34, 2016.07.05, urgency: HIGH
* Security bugfixes
- Fixed malfunctioning "verify = 4".
* New features
- Bind sockets with SO_EXCLUSIVEADDRUSE on WIN32.
- Added three new service-level options: requireCert, verifyChain,
and verifyPeer for fine-grained certificate verification control.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
Version 5.33, 2016.06.23, urgency: HIGH
* New features
- Improved memory leak detection performance and accuracy.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
- SNI support also enabled on OpenSSL 0.9.8f and later (thx to
Guillermo Rodriguez Garcia).
- Added support for PKCS #12 (.p12/.pfx) certificates (thx to
Dmitry Bakshaev).
* Bugfixes
- Fixed a TLS session caching memory leak (thx to Richard Kraemer).
Before stunnel 5.27 this leak only emerged with sessiond enabled.
- Yet another WinCE socket fix (thx to Richard Kraemer).
- Fixed passphrase/pin dialogs in tstunnel.exe.
- Fixed a FORK threading build regression bug.
- OPENSSL_NO_DH compilation fix (thx to Brian Lin).
Version 5.32, 2016.05.03, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2h.
https://www.openssl.org/news/secadv_20160503.txt
* New features
- New "socket = a:IPV6_V6ONLY=yes" option to only bind IPv6.
- Memory leak detection.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
- Added/fixed Red Hat scripts (thx to Andrew Colin Kissa).
* Bugfixes
- Workaround for a WinCE sockets quirk (thx to Richard Kraemer).
- Fixed data alignment on 64-bit MSVC (thx to Yuris W. Auzins).
Version 5.31, 2016.03.01, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2g.
https://www.openssl.org/news/secadv_20160301.txt
* New features
- Added logging the list of client CAs requested by the server.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
* Bugfixes
- Only reset the watchdog if some data was actually transferred.
- A workaround implemented for the unexpected exceptfds set by
select() on WinCE 6.0 (thx to Richard Kraemer).
- Fixed logging an incorrect value of the round-robin starting
point (thx to Jose Alf.).
Version 5.30, 2016.01.28, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2f.
https://www.openssl.org/news/secadv_20160128.txt
* New features
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
- Added OpenSSL autodetection for the recent versions of Xcode.
* Bugfixes
- Fixed references to /etc removed from stunnel.init.in.
- Stopped even trying -fstack-protector on unsupported platforms
(thx to Rob Lockhart).
Version 5.29, 2016.01.08, urgency: LOW
* New features
- New WIN32 icons.
- Performance improvement: rwlocks used for locking with pthreads.
* Bugfixes
- Compilation fix for *BSD.
- Fixed configuration file reload for relative stunnel.conf path
on Unix.
- Fixed ignoring CRLfile unless CAfile was also specified (thx
to Strukov Petr).
Version 5.28, 2015.12.11, urgency: HIGH
* New features
- Build matrix (.travis.yml) extended with ./configure options.
- mingw.mak updated to build tstunnel.exe (thx to Jose Alf.).
* Bugfixes
- Fixed incomplete initialization.
- Fixed UCONTEXT threading on OSX.
- Fixed exit codes for information requests (as
in "stunnel -version" or "stunnel -help").
Version 5.27, 2015.12.03, urgency: MEDIUM
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2e.
https://www.openssl.org/news/secadv_20151203.txt
* New features
- Automated build testing configured with .travis.yml.
- Added reading server certificates from hardware engines.
For example: cert = id_45
- Only attempt to use potentially harmful compiler or linker
options if gcc was detected.
- /opt/csw added to the OpenSSL directory lookup list.
- mingw.mak updates (thx to Jose Alf.).
- TODO list updated.
Version 5.26, 2015.11.06, urgency: MEDIUM
* Bugfixes
- Compilation fixes for OSX, *BSD and Solaris.
Version 5.25, 2015.11.02, urgency: MEDIUM
* New features
- SMTP client protocol negotiation support for
"protocolUsername", "protocolPassword", and
"protocolAuthentication" (thx to Douglas Harris).
- New service-level option "config" to specify configuration
commands introduced in OpenSSL 1.0.2 (thx to Stephen Wall).
- The global option "foreground" now also accepts "quiet"
parameter, which does not enable logging to stderr.
- Manual page updated.
- Obsolete OpenSSL engines removed from the Windows build:
4758cca, aep, atalla, cswift, nuron, sureware.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree:
gracefully handle symbols renamed from SSLeay* to OpenSSL*.
* Bugfixes
- Fixed the "s_poll_wait returned 1, but no descriptor
is ready" internal error.
- Fixed "exec" hangs due to incorrect thread-local
storage handling (thx to Philip Craig).
- Fixed PRNG initialization (thx to Philip Craig).
- Setting socket options no longer performed on PTYs.
- Fixed 64-bit Windows build.
Version 5.24, 2015.10.08, urgency: MEDIUM
* New features
- Custom CRL verification was replaced with the internal
OpenSSL functionality.
- *BSD support for "transparent = destination" and
client-side "protocol = socks". This feature should
work at least on FreeBSD, OpenBSD and OS X.
- Added a new "protocolDomain" option for the NTLM
authentication (thx to Andreas Botsikas).
- Improved compatibility of the NTLM phase 1 message (thx
to Andreas Botsikas).
- "setuid" and "setgid" options are now also available
in service sections. They can be used to set owner
and group of the Unix socket specified with "accept".
- Added support for the new OpenSSL 1.0.2 SSL options.
- Added OPENSSL_NO_EGD support (thx to Bernard Spil).
- VC autodetection added to makew32.bat (thx to Andreas
Botsikas).
* Bugfixes
- Fixed the RESOLVE [F0] TOR extension support in SOCKS5.
- Fixed the error code reported on the failed bind()
requests.
- Fixed the sequential log id with the FORK threading.
- Restored the missing Microsoft.VC90.CRT.manifest file.
Version 5.23, 2015.09.02, urgency: LOW
* New features
- Client-side support for the SOCKS protocol.
See https://www.stunnel.org/socksvpn.html for details.
- Reject SOCKS requests to connect loopback addresses.
- New service-level option "OCSPnonce".
The default value is "OCSPnonce = no".
- Win32 directory structure rearranged. The installer
script provides automatic migration for common setups.
- Added Win32 installer option to install stunnel for the
current user only. This feature does not deploy the NT
service, but it also does not require aministrative
privileges to install and configure stunnel.
- stunnel.cnf was renamed to openssl.cnf in order to
to prevent users from mixing it up with stunnel.conf.
- Win32 desktop is automatically refreshed when the icon
is created or removed.
- The ca-certs.pem file is now updated on stunnel upgrade.
- Inactive ports were removed from the PORTS file.
- Added IPv6 support to the transparent proxy code.
* Bugfixes
- Compilation fix for OpenSSL version older than 1.0.0.
- Compilation fix for mingw.
Version 5.22, 2015.07.30, urgency: HIGH
* New features
- "OCSPaia = yes" added to the configuration file templates.
- Improved double free detection.
* Bugfixes
- Fixed a number of OCSP bugs. The most severe of those
bugs caused stunnel to treat OCSP responses that failed
OCSP_basic_verify() checks as if they were successful.
- Fixed the passive IPv6 resolver (broken in stunnel 5.21).
Version 5.21, 2015.07.27, urgency: MEDIUM
* New features
- Signal names are displayed instead of numbers.
- First resolve IPv4 addresses on passive resolver requests.
This speeds up stunnel startup on Win32 with a slow/defunct
DNS service.
- The "make check" target was modified to only build Win32
executables when stunnel is built from a git repository (thx
to Peter Pentchev).
- More elaborate descriptions were added to the warning about
using "verify = 2" without "checkHost" or "checkIP".
- Performance optimization was performed on the debug code.
* Bugfixes
- Fixed the FORK and UCONTEXT threading support.
- Fixed "failover=prio" (broken since stunnel 5.15).
- Added a retry when sleep(3) was interrupted by a signal
in the cron thread scheduler.
Version 5.20, 2015.07.09, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2d.
https://www.openssl.org/news/secadv_20150709.txt
* New features
- poll(2) re-enabled on MacOS X 10.5 and later.
- Xcode SDK is automatically used on MacOS X if no other
locally installed OpenSSL directory is found.
- The SSL library detection algorithm was made a bit smarter.
- Warnings about insecure authentication were modified to
include the name of the affected service section.
- A warning was added to stunnel.init if no pid file was
specified in the configuration file (thx to Peter Pentchev).
- Optional debugging symbols are included in the Win32 installer.
- Documentation updates (closes Debian bug #781669).
* Bugfixes
- Signal pipe reinitialization added to prevent turning the
main accepting thread into a busy wait loop when an external
condition breaks the signal pipe. This bug was found to
surface on Win32, but other platforms may also be affected.
- Fixed removing the disabled taskbar icon.
- Generated temporary DH parameters are used for configuration
reload instead of the static defaults.
- LSB compatibility fixes added to the stunnel.init script (thx
to Peter Pentchev).
- Fixed the manual page headers (thx to Gleydson Soares).
Version 5.19, 2015.06.16, urgency: MEDIUM:
* New features
- OpenSSL DLLs updated to version 1.0.2c.
- Added a runtime check whether COMP_zlib() method is implemented
in order to improve compatibility with the Debian OpenSSL build.
* Bugfixes
- Improved socket error handling.
- Cron thread priority on Win32 platform changed to
THREAD_PRIORITY_LOWEST to improve portability.
- Makefile bugfixes for stunnel 5.18 regressions.
- Fixed some typos in docs and scripts (thx to Peter Pentchev).
- Fixed a log level check condition (thx to Peter Pentchev).
Version 5.18, 2015.06.12, urgency: MEDIUM:
* New features
- OpenSSL DLLs updated to version 1.0.2b.
https://www.openssl.org/news/secadv_20150611.txt
- Added "include" configuration file option to include all
configuration file parts located in a specified directory.
- Log file is reopened every 24 hours. With "log = overwrite"
this feature can be used to prevent filling up disk space.
- Temporary DH parameters are refreshed every 24 hours, unless
static DH parameters were provided in the certificate file.
- Unique initial DH parameters are distributed with each release.
- Warnings are logged on potentially insecure authentication.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree:
removed RLE compression support, etc.
- Updated stunnel.spec (thx to Bill Quayle).
* Bugfixes
- Fixed handling of dynamic connect targets.
- Fixed handling of trailing whitespaces in the Content-Length
header of the NTLM authentication.
- Fixed --sysconfdir and --localstatedir handling (thx to
Dagobert Michelsen).
Version 5.17, 2015.04.29, urgency: HIGH:
* Bugfixes
- Fixed a NULL pointer dereference causing the service to crash.
This bug was introduced in stunnel 5.15.
Version 5.16, 2015.04.19, urgency: MEDIUM:
* Bugfixes
- Fixed compilation with old versions of gcc.
Version 5.15, 2015.04.16, urgency: LOW:
* New features
- Added new service-level options "checkHost", "checkEmail" and
"checkIP" for additional checks of the peer certificate subject.
These options require OpenSSL version 1.0.2 or higher.
- Win32 binary distribution now ships with the Mozilla root CA
bundle. This bundle is intended be used together with the new
"checkHost" option to validate server certs accepted by Mozilla.
- New commandline options "-reload" to reload the configuration
file and "-reopen" to reopen the log file of stunnel running
as a Windows service (thx to Marc McLaughlin).
- Added session persistence based on negotiated TLS sessions.
https://en.wikipedia.org/wiki/Load_balancing_%28computing%29#Persistence
The current implementation does not support external TLS
session caching with sessiond.
- MEDIUM ciphers (currently SEED and RC4) are removed from the
default cipher list.
- The "redirect" option was improved to not only redirect sessions
established with an untrusted certificate, but also sessions
established without a client certificate.
- OpenSSL version checking modified to distinguish FIPS and
non-FIPS builds.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
- Removed support for OpenSSL versions older than 0.9.7.
The final update for the OpenSSL 0.9.6 branch was 17 Mar 2004.
- "sessiond" support improved to also work in OpenSSL 0.9.7.
- Randomize the initial value of the round-robin counter.
- New stunnel.conf templates are provided for Windows and Unix.
* Bugfixes
- Fixed compilation against old versions of OpenSSL.
- Fixed memory leaks in certificate verification.
Version 5.14, 2015.03.25, urgency: HIGH:
* Security bugfixes
- The "redirect" option now also redirects clients on SSL session
reuse. In stunnel versions 5.00 to 5.13 reused sessions were
instead always connected hosts specified with the "connect"
option regardless of their certificate verification result.
This vulnerability was reported by Johan Olofsson.
* New features
- Windows service is automatically restarted after upgrade.
* Bugfixes
- Fixed a memory allocation error during Unix daemon shutdown.
- Fixed handling multiple connect/redirect destinations.
- OpenSSL FIPS builds are now correctly reported on startup.
Version 5.13, 2015.03.20, urgency: MEDIUM:
* New features
- The "service" option was modified to also control the syslog
service name.
* Bugfixes
- Fixed Windows service crash.
Version 5.12, 2015.03.19, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2a.
https://www.openssl.org/news/secadv_20150319.txt
* New features
- New service-level option "logId" to specify the
connection identifier type. Currently supported types:
"sequential" (default), "unique", and "thread".
- New service-level option "debug" to individually control
logging verbosity of defined services.
* Bugfixes
- OCSP fixed on Windows platform (thx to Alec Kosky).
Version 5.11, 2015.03.11, urgency: LOW:
* New features
- OpenSSL DLLs updated to version 1.0.2.
- Removed dereferences of internal OpenSSL data structures.
- PSK key lookup algorithm performance improved from
O(N) (linear) to O(log N) (logarithmic).
* Bugfixes
- Fixed peer certificate list in the main window on Win32
(thx to @fyer for reporting it).
- Fixed console logging in tstunnel.exe.
- _tputenv_s() replaced with more portable _tputenv() on Win32.
Version 5.10, 2015.01.22, urgency: LOW:
* New features
- OCSP AIA (Authority Information Access) support. This feature
can be enabled with the new service-level option "OCSPaia".
- Additional security features of the linker are enabled:
"-z relro", "-z now", "-z noexecstack".
* Bugfixes
- OpenSSL DLLs updated to version 1.0.1l.
https://www.openssl.org/news/secadv_20150108.txt
- FIPS canister updated to version 2.0.9 in the Win32 binary
build.
Version 5.09, 2015.01.02, urgency: LOW:
* New features
- Added PSK authentication with two new service-level
configuration file options "PSKsecrets" and "PSKidentity".
- Added additional security checks to the OpenSSL memory
management functions.
- Added support for the OPENSSL_NO_OCSP and OPENSSL_NO_ENGINE
OpenSSL configuration flags.
- Added compatibility with the current OpenSSL 1.1.0-dev tree.
* Bugfixes
- Removed defective s_poll_error() code occasionally causing
connections to be prematurely closed (truncated).
This bug was introduced in stunnel 4.34.
- Fixed ./configure systemd detection (thx to Kip Walraven).
- Fixed ./configure sysroot detection (thx to Kip Walraven).
- Fixed compilation against old versions of OpenSSL.
- Removed outdated French manual page.
Version 5.08, 2014.12.09, urgency: MEDIUM:
* New features
- Added SOCKS4/SOCKS4a protocol support.
- Added SOCKS5 protocol support.
- Added SOCKS RESOLVE [F0] TOR extension support.
- Updated automake to version 1.14.1.
- OpenSSL directory searching is now relative to the sysroot.
* Bugfixes
- Fixed improper hangup condition handling.
- Fixed missing -pic linker option. This is required for
Android 5.0 and improves security.
Version 5.07, 2014.11.01, urgency: MEDIUM:
* New features
- Several SMTP server protocol negotiation improvements.
- Added UTF-8 byte order marks to stunnel.conf templates.
- DH parameters are no longer generated by "make cert".
The hardcoded DH parameters are sufficiently secure,
and modern TLS implementations will use ECDH anyway.
- Updated manual for the "options" configuration file option.
- Added support for systemd 209 or later.
- New --disable-systemd ./configure option.
- setuid/setgid commented out in stunnel.conf-sample.
* Bugfixes
- Added support for UTF-8 byte order mark in stunnel.conf.
- Compilation fix for OpenSSL with disabled SSLv2 or SSLv3.
- Non-blocking mode set on inetd and systemd descriptors.
- shfolder.h replaced with shlobj.h for compatibility
with modern Microsoft compilers.
Version 5.06, 2014.10.15, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1j.
https://www.openssl.org/news/secadv_20141015.txt
- The insecure SSLv2 protocol is now disabled by default.
It can be enabled with "options = -NO_SSLv2".
- The insecure SSLv3 protocol is now disabled by default.
It can be enabled with "options = -NO_SSLv3".
- Default sslVersion changed to "all" (also in FIPS mode)
to autonegotiate the highest supported TLS version.
* New features
- Added missing SSL options to match OpenSSL 1.0.1j.
- New "-options" commandline option to display the list
of supported SSL options.
* Bugfixes
- Fixed FORK threading build regression bug.
- Fixed missing periodic Win32 GUI log updates.
Version 5.05, 2014.10.10, urgency: MEDIUM:
* New features
- Asynchronous communication with the GUI thread for faster
logging on Win32.
- systemd socket activation (thx to Mark Theunissen).
- The parameter of "options" can now be prefixed with "-"
to clear an SSL option, for example:
"options = -LEGACY_SERVER_CONNECT".
- Improved "transparent = destination" manual page (thx to
Vadim Penzin).
* Bugfixes
- Fixed POLLIN|POLLHUP condition handling error resulting
in prematurely closed (truncated) connection.
- Fixed a null pointer dereference regression bug in the
"transparent = destination" functionality (thx to
Vadim Penzin). This bug was introduced in stunnel 5.00.
- Fixed startup thread synchronization with Win32 GUI.
- Fixed erroneously closed stdin/stdout/stderr if specified
as the -fd commandline option parameter.
- A number of minor Win32 GUI bugfixes and improvements.
- Merged most of the Windows CE patches (thx to Pierre Delaage).
- Fixed incorrect CreateService() error message on Win32.
- Implemented a workaround for defective Cygwin file
descriptor passing breaking the libwrap support:
http://wiki.osdev.org/Cygwin_Issues#Passing_file_descriptors
Version 5.04, 2014.09.21, urgency: LOW:
* New features
- Support for local mode ("exec" option) on Win32.
- Support for UTF-8 config file and log file.
- Win32 UTF-16 build (thx to Pierre Delaage for support).
- Support for Unicode file names on Win32.
- A more explicit service description provided for the
Windows SCM (thx to Pierre Delaage).
- TCP/IP dependency added for NT service in order to prevent
initialization failure at boot time.
- FIPS canister updated to version 2.0.8 in the Win32 binary
build.
* Bugfixes
- load_icon_default() modified to return copies of default icons
instead of the original resources to prevent the resources
from being destroyed.
- Partially merged Windows CE patches (thx to Pierre Delaage).
- Fixed typos in stunnel.init.in and vc.mak.
- Fixed incorrect memory allocation statistics update in
str_realloc().
- Missing REMOTE_PORT environmental variable is provided to
processes spawned with "exec" on Unix platforms.
- Taskbar icon is no longer disabled for NT service.
- Fixed taskbar icon initialization when commandline options are
specified.
- Reportedly more compatible values used for the dwDesiredAccess
parameter of the CreateFile() function (thx to Pierre Delaage).
- A number of minor Win32 GUI bugfixes and improvements.
Version 5.03, 2014.08.07, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1i.
See https://www.openssl.org/news/secadv_20140806.txt
* New features
- FIPS autoconfiguration cleanup.
- FIPS canister updated to version 2.0.6.
- Improved SNI diagnostic logging.
* Bugfixes
- Compilation fixes for old versions of OpenSSL.
- Fixed whitespace handling in the stunnel.init script.
Version 5.02, 2014.06.09, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1h.
See https://www.openssl.org/news/secadv_20140605.txt
* New features
- Major rewrite of the protocol.c interface: it is now possible to add
protocol negotiations at multiple connection phases, protocols can
individually decide whether the remote connection will be
established before or after SSL/TLS is negotiated.
- Heap memory blocks are wiped before release. This only works for
block allocated by stunnel, and not by OpenSSL or other libraries.
- The safe_memcmp() function implemented with execution time not
dependent on the compared data.
- Updated the stunnel.conf and stunnel.init templates.
- Added a client-mode example to the manual.
* Bugfixes
- Fixed "failover = rr" broken since version 5.00.
- Fixed "taskbar = no" broken since version 5.00.
- Compilation fix for missing SSL_OP_MSIE_SSLV2_RSA_PADDING option.
Version 5.01, 2014.04.08, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1g.
This version mitigates TLS heartbeat read overrun (CVE-2014-0160).
* New features
- X.509 extensions added to the created self-signed stunnel.pem.
- "FIPS = no" also allowed in non-FIPS builds of stunnel.
- Search all certificates with the same subject name for a matching
public key rather than only the first one (thx to Leon Winter).
- Create logs in the local application data folder if stunnel folder
is not writable on Win32.
* Bugfixes
- close_notify not sent when SSL still has some data buffered.
- Protocol negotiation with server-side SNI fixed.
- A Mac OS X missing symbols fixed.
- Win32 configuration file reload crash fixed.
- Added s_pool_free() on exec+connect service retires.
- Line-buffering enforced on stderr output.
stunnel 5.00 disables some features previously enabled by default.
Users should review whether the new defaults are appropriate for their
particular deployments. Packages maintainers may consider prepending
the old defaults for "fips" (if supported by their OpenSSL library),
"pid" and "libwrap" to stunnel.conf during automated updates.
Version 5.00, 2014.03.06, urgency: HIGH:
* Security bugfixes
- Added PRNG state update in fork threading (CVE-2014-0016).
* New global configuration file defaults
- Default "fips" option value is now "no", as FIPS mode is only
helpful for compliance, and never for actual security.
- Default "pid" is now "", i.e. not to create a pid file at startup.
* New service-level configuration file defaults
- Default "ciphers" updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2"
due to AlFBPPS attack and bad performance of DH ciphersuites.
- Default "libwrap" setting is now "no" to improve performance.
* New features
- OpenSSL DLLs updated to version 1.0.1f.
- zlib DLL updated to version 1.2.8.
- autoconf scripts upgraded to version 2.69.
- TLS 1.1 and TLS 1.2 are now allowed in the FIPS mode.
- New service-level option "redirect" to redirect SSL client
connections on authentication failures instead of rejecting them.
- New global "engineDefault" configuration file option to control
which OpenSSL tasks are delegated to the current engine.
Available tasks: ALL, RSA, DSA, ECDH, ECDSA, DH, RAND, CIPHERS,
DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1.
- New service-level configuration file option "engineId" to select
the engine by identifier, e.g. "engineId = capi".
- New global configuration file option "log" to control whether to
append (the default), or to overwrite log file while (re)opening.
- Different taskbar icon colors to indicate the service state.
- New global configuration file options "iconIdle", "iconActive",
and "iconError" to select status icon on GUI taskbar.
- Removed the limit of 63 stunnel.conf sections on Win32 platform.
- Installation of a sample certificate was moved to a separate "cert"
target in order to allow unattended (e.g. scripted) installations.
- Reduced length of the logged thread identifier. It is still based
on the OS thread ID, and thus not unique over long periods of time.
- Improved readability of error messages printed when stunnel refuses
to start due to a critical error.
* Bugfixes
- LD_PRELOAD Solaris compatibility bug fixed (thx to Norm Jacobs).
- CRYPTO_NUM_LOCKS replaced with CRYPTO_num_locks() to improve binary
compatibility with diverse builds of OpenSSL (thx to Norm Jacobs).
- Corrected round-robin failover behavior under heavy load.
- Numerous fixes in the engine support code.
- On Win32 platform .rnd file moved from c:\ to the stunnel folder.
Version 4.57, 2015.04.01, urgency: HIGH:
* Security bugfixes
- Added PRNG state update in fork threading (CVE-2014-0016).
Version 4.56, 2013.03.22, urgency: HIGH:
* New features
- Win32 installer automatically configures firewall exceptions.
- Win32 installer configures administrative shortcuts to invoke UAC.
- Improved Win32 GUI shutdown time.
* Bugfixes
- Fixed a regression bug introduced in version 4.55 causing random
crashes on several platforms, including Windows 7.
- Fixed startup crashes on some Win32 systems.
- Fixed incorrect "stunnel -exit" process synchronisation.
- Fixed FIPS detection with new versions of the OpenSSL library.
- Failure to open the log file at startup is no longer ignored.
Version 4.55, 2013.03.03, urgency: HIGH:
* Security bugfixes
- Buffer overflow vulnerability fixed in the NTLM authentication
of the CONNECT protocol negotiation.
See https://www.stunnel.org/CVE-2013-1762.html for details.
- OpenSSL updated to version 1.0.1e in Win32/Android builds.
* New features
- SNI wildcard matching in server mode.
- Terminal version of stunnel (tstunnel.exe) build for Win32.
* Bugfixes
- Fixed write half-close handling in the transfer() function (thx to
Dustin Lundquist).
- Fixed EAGAIN error handling in the transfer() function (thx to Jan Bee).
- Restored default signal handlers before execvp() (thx to Michael Weiser).
- Fixed memory leaks in protocol negotiation (thx to Arthur Mesh).
- Fixed a file descriptor leak during configuration file reload (thx to
Arthur Mesh).
- Closed SSL sockets were removed from the transfer() c->fds poll.
- Minor fix in handling exotic inetd-mode configurations.
- WCE compilation fixes.
- IPv6 compilation fix in protocol.c.
- Windows installer fixes.
Version 4.54, 2012.10.09, urgency: MEDIUM:
* New Win32 features
- FIPS module updated to version 2.0.
- OpenSSL DLLs updated to version 1.0.1c.
- zlib DLL updated to version 1.2.7.
- Engine DLLs added: 4758cca, aep, atalla, capi, chil, cswift, gmp, gost,
nuron, padlock, sureware, ubsec.
* Other new features
- "session" option renamed to more readable "sessionCacheTimeout".
The old name remains accepted for backward compatibility.
- New service-level "sessionCacheSize" option to control session cache size.
- New service-level option "reset" to control whether TCP RST flag is used
to indicate errors. The default value is "reset = yes".
- New service-level option "renegotiation" to disable SSL renegotiation.
This feature is based on a public-domain patch by Janusz Dziemidowicz.
- New FreeBSD socket options: IP_FREEBIND, IP_BINDANY, IPV6_BINDANY (thx
to Janusz Dziemidowicz).
- New parameters to configure TLS v1.1/v1.2 with OpenSSL version 1.0.1
or higher (thx to Henrik Riomar).
* Bugfixes
- Fixed "Application Failed to Initialize Properly (0xc0150002)" error.
- Fixed missing SSL state debug log entries.
- Fixed a race condition in libwrap code resulting in random stalls (thx
to Andrew Skalski).
- Session cache purged at configuration file reload to reduce memory leak.
Remaining leak of a few kilobytes per section is yet to be fixed.
- Fixed a regression bug in "transparent = destination" functionality (thx
to Stefan Lauterbach). This bug was introduced in stunnel 4.51.
- "transparent = destination" is now a valid endpoint in inetd mode.
- "delay = yes" fixed to work even if specified *after* "connect" option.
- Multiple "connect" targets fixed to also work with delayed resolver.
- The number of resolver retries of EAI_AGAIN error has been limited to 3
in order to prevent infinite loops.
Version 4.53, 2012.03.19, urgency: MEDIUM:
* New features
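Review bot: the Version 4.57 entry (dated 2015.04.01) sits below Version 5.00 (dated 2014.03.06) and repeats the 5.00 line "Added PRNG state update in fork threading (CVE-2014-0016)" verbatim; if 4.57 is a maintenance release that backports that fix to the 4.x line, say so in the entry so it does not read as a duplicate or a mis-ordered version. While here, the Bugfixes line "Added s_pool_free() on exec+connect service retires" should read "retries".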
@ -42,6 +804,7 @@ Version 4.51, 2012.01.09, urgency: MEDIUM:
- New "compression = deflate" global option to enable RFC 2246 compresion.
For compatibility with previous versions "compression = zlib" and
"compression = rle" also enable the deflate (RFC 2246) compression.
- Compression is disabled by default.
- Separate default ciphers and sslVersion for "fips = yes" and "fips = no".
- UAC support for editing configuration file with Windows GUI.
* Bugfixes
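Review bot: "RFC 2246 compresion" on the first line of this hunk is misspelled; since the compression entry is touched by this hunk anyway, correct it to "compression" in the same change.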
@ -94,14 +857,14 @@ Version 4.46, 2011.11.04, urgency: LOW:
- Added "verify = 4" mode to ignore CA chain and only verify peer certificate.
- Removed the limit of 16 IP addresses for a single 'connect' option.
- Removed the limit of 256 stunnel.conf sections in PTHREAD threading model.
It is still not possible have more than 63 sections on WIN32 platform.
It is still not possible have more than 63 sections on Win32 platform.
http://msdn.microsoft.com/en-us/library/windows/desktop/ms740141(v=vs.85).aspx
* Optimizations
- Reduced per-connection memory usage.
- Performed a major refactoring of internal data structures. Extensive
internal testing was performed, but some regression bugs are expected.
* Bugfixes
- Fixed WIN32 compilation with Mingw32.
- Fixed Win32 compilation with Mingw32.
- Fixed non-blocking API emulation layer in UCONTEXT threading model.
- Fixed signal handling in UCONTEXT threading model.
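Review bot: the replacement line "It is still not possible have more than 63 sections on Win32 platform" carries over the missing "to" from the line it replaces; since the line is rewritten for the WIN32 to Win32 spelling anyway, make it "It is still not possible to have more than 63 sections on the Win32 platform".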
@ -146,7 +909,7 @@ Version 4.43, 2011.09.07, urgency: MEDIUM:
- Major optimization of the logging subsystem.
Benchmarks indicate up to 15% stunnel performance improvement.
* Bugfixes
- Fixed WIN32 configuration file reload.
- Fixed Win32 configuration file reload.
- Fixed FORK and UCONTEXT threading models.
- Corrected INSTALL.W32 file.
@ -280,14 +1043,14 @@ Version 4.34, 2010.09.19, urgency: LOW:
* Bugfixes
- Implemented fixes in user interface to enter engine PIN.
- Fixed a transfer() loop issue on socket errors.
- Fixed missing WIN32 taskbar icon while displaying a global option error.
- Fixed missing Win32 taskbar icon while displaying a global option error.
Version 4.33, 2010.04.05, urgency: MEDIUM:
* New features
- Win32 DLLs for OpenSSL 1.0.0.
This library requires to c_rehash CApath/CRLpath directories on upgrade.
- Win32 DLLs for zlib 1.2.4.
- Experimental support for local mode on WIN32 platform.
- Experimental support for local mode on Win32 platform.
Try "exec = c:\windows\system32\cmd.exe".
* Bugfixes
- Inetd mode fixed.
@ -444,7 +1207,7 @@ Version 4.19, 2006.11.11, urgency: LOW/EXPERIMENTAL:
- There are a lot of new features in this version. I recommend
to test it well before upgrading your mission-critical systems.
* New features
- New service-level option to specify OCSP server flag:
- New service-level option to specify an OCSP responder flag:
OCSPflag = <flag>
- "protocolCredentials" option changed to "protocolUsername"
and "protocolPassword"
@ -500,7 +1263,7 @@ Version 4.16, 2006.08.31, urgency: MEDIUM:
- Default group is now detected by configure script.
- Check for maximum number of defined services added.
- OpenSSL_add_all_algorithms() added to SSL initialization.
- configure script sections reordered to detect pthread library funcions.
- configure script sections reordered to detect pthread library functions.
- RFC 2487 autodetection improved. High resolution s_poll_wait()
not currently supported by UCONTEXT threading.
- More precise description of cert directory file names (thx to Muhammad

INSTALL
@ -1,40 +1,370 @@
stunnel Unix install notes
Installation Instructions
*************************
Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation,
Inc.
1. If your machine supports POSIX threads make sure your SSL
library is compiled with -DTHREADS.
Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved. This file is offered as-is,
without warranty of any kind.
2. Compile the software:
Basic Installation
==================
./configure
make
make install
Briefly, the shell command `./configure && make && make install'
should configure, build, and install this package. The following
more-detailed instructions are generic; see the `README' file for
instructions specific to this package. Some packages provide this
`INSTALL' file but do not implement all of the features documented
below. The lack of an optional feature in a given package is not
necessarily a bug. More recommendations for GNU packages can be found
in *note Makefile Conventions: (standards)Makefile Conventions.
(see potential options for 'configure' at the end of this file)
The `configure' shell script attempts to guess correct values for
various system-dependent variables used during compilation. It uses
those values to create a `Makefile' in each directory of the package.
It may also create one or more `.h' files containing system-dependent
definitions. Finally, it creates a shell script `config.status' that
you can run in the future to recreate the current configuration, and a
file `config.log' containing compiler output (useful mainly for
debugging `configure').
3. Create stunnel configuration file (stunnel.conf).
It can also use an optional file (typically called `config.cache'
and enabled with `--cache-file=config.cache' or simply `-C') that saves
the results of its tests to speed up reconfiguring. Caching is
disabled by default to prevent problems with accidental use of stale
cache files.
4. Add stunnel invocation to your system's startup files.
For SysV-compatible init you can use stunnel.init script.
If you need to do unusual things to compile the package, please try
to figure out how `configure' could check whether to do them, and mail
diffs or instructions to the address given in the `README' so they can
be considered for the next release. If you are using the cache, and at
some point `config.cache' contains results you don't want to keep, you
may remove or edit it.
or
The file `configure.ac' (or `configure.in') is used to create
`configure' by a program called `autoconf'. You need `configure.ac' if
you want to change it or regenerate `configure' using a newer version
of `autoconf'.
Modify /etc/services and /etc/inetd.conf, restart inetd (inetd mode).
The simplest way to compile this package is:
See the manual for details.
1. `cd' to the directory containing the package's source code and type
`./configure' to configure the package for your system.
5. There are a variety of compile-time options you may supply when
running configure. Most commonly used are:
Running `configure' might take a while. While running, it prints
some messages telling which features it is checking for.
--with-ssl=DIR
where your SSL libraries and include files are installed
2. Type `make' to compile the package.
--with-random=FILE
read randomness from FILE for PRNG seeding
3. Optionally, type `make check' to run any self-tests that come with
the package, generally using the just-built uninstalled binaries.
--with-egd-socket=FILE
location of Entropy Gathering Daemon socket, if running EGD
(for example on a machine that lacks a /dev/urandom device)
4. Type `make install' to install the programs and any data files and
documentation. When installing into a prefix owned by root, it is
recommended that the package be configured and built as a regular
user, and only the `make install' phase executed with root
privileges.
Use `./configure --help' to see all the options.
5. Optionally, type `make installcheck' to repeat any self-tests, but
this time using the binaries in their final installed location.
This target does not install anything. Running this target as a
regular user, particularly if the prior `make install' required
root privileges, verifies that the installation completed
correctly.
6. You can remove the program binaries and object files from the
source code directory by typing `make clean'. To also remove the
files that `configure' created (so you can compile the package for
a different kind of computer), type `make distclean'. There is
also a `make maintainer-clean' target, but that is intended mainly
for the package's developers. If you use it, you may have to get
all sorts of other programs in order to regenerate files that came
with the distribution.
7. Often, you can also type `make uninstall' to remove the installed
files again. In practice, not all packages have tested that
uninstallation works correctly, even though it is required by the
GNU Coding Standards.
8. Some packages, particularly those that use Automake, provide `make
distcheck', which can by used by developers to test that all other
targets like `make install' and `make uninstall' work correctly.
This target is generally not run by end users.
Compilers and Options
=====================
Some systems require unusual options for compilation or linking that
the `configure' script does not know about. Run `./configure --help'
for details on some of the pertinent environment variables.
You can give `configure' initial values for configuration parameters
by setting variables in the command line or in the environment. Here
is an example:
./configure CC=c99 CFLAGS=-g LIBS=-lposix
*Note Defining Variables::, for more details.
Compiling For Multiple Architectures
====================================
You can compile the package for more than one kind of computer at the
same time, by placing the object files for each architecture in their
own directory. To do this, you can use GNU `make'. `cd' to the
directory where you want the object files and executables to go and run
the `configure' script. `configure' automatically checks for the
source code in the directory that `configure' is in and in `..'. This
is known as a "VPATH" build.
With a non-GNU `make', it is safer to compile the package for one
architecture at a time in the source code directory. After you have
installed the package for one architecture, use `make distclean' before
reconfiguring for another architecture.
On MacOS X 10.5 and later systems, you can create libraries and
executables that work on multiple system types--known as "fat" or
"universal" binaries--by specifying multiple `-arch' options to the
compiler but only a single `-arch' option to the preprocessor. Like
this:
./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
CPP="gcc -E" CXXCPP="g++ -E"
This is not guaranteed to produce working output in all cases, you
may have to build one architecture at a time and combine the results
using the `lipo' tool if you have problems.
Installation Names
==================
By default, `make install' installs the package's commands under
`/usr/local/bin', include files under `/usr/local/include', etc. You
can specify an installation prefix other than `/usr/local' by giving
`configure' the option `--prefix=PREFIX', where PREFIX must be an
absolute file name.
You can specify separate installation prefixes for
architecture-specific files and architecture-independent files. If you
pass the option `--exec-prefix=PREFIX' to `configure', the package uses
PREFIX as the prefix for installing programs and libraries.
Documentation and other data files still use the regular prefix.
In addition, if you use an unusual directory layout you can give
options like `--bindir=DIR' to specify different values for particular
kinds of files. Run `configure --help' for a list of the directories
you can set and what kinds of files go in them. In general, the
default for these options is expressed in terms of `${prefix}', so that
specifying just `--prefix' will affect all of the other directory
specifications that were not explicitly provided.
The most portable way to affect installation locations is to pass the
correct locations to `configure'; however, many packages provide one or
both of the following shortcuts of passing variable assignments to the
`make install' command line to change installation locations without
having to reconfigure or recompile.
The first method involves providing an override variable for each
affected directory. For example, `make install
prefix=/alternate/directory' will choose an alternate location for all
directory configuration variables that were expressed in terms of
`${prefix}'. Any directories that were specified during `configure',
but not in terms of `${prefix}', must each be overridden at install
time for the entire installation to be relocated. The approach of
makefile variable overrides for each directory variable is required by
the GNU Coding Standards, and ideally causes no recompilation.
However, some platforms have known limitations with the semantics of
shared libraries that end up requiring recompilation when using this
method, particularly noticeable in packages that use GNU Libtool.
The second method involves providing the `DESTDIR' variable. For
example, `make install DESTDIR=/alternate/directory' will prepend
`/alternate/directory' before all installation names. The approach of
`DESTDIR' overrides is not required by the GNU Coding Standards, and
does not work on platforms that have drive letters. On the other hand,
it does better at avoiding recompilation issues, and works well even
when some directory options were not specified in terms of `${prefix}'
at `configure' time.
Optional Features
=================
If the package supports it, you can cause programs to be installed
with an extra prefix or suffix on their names by giving `configure' the
option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
Some packages pay attention to `--enable-FEATURE' options to
`configure', where FEATURE indicates an optional part of the package.
They may also pay attention to `--with-PACKAGE' options, where PACKAGE
is something like `gnu-as' or `x' (for the X Window System). The
`README' should mention any `--enable-' and `--with-' options that the
package recognizes.
For packages that use the X Window System, `configure' can usually
find the X include and library files automatically, but if it doesn't,
you can use the `configure' options `--x-includes=DIR' and
`--x-libraries=DIR' to specify their locations.
Some packages offer the ability to configure how verbose the
execution of `make' will be. For these packages, running `./configure
--enable-silent-rules' sets the default to minimal output, which can be
overridden with `make V=1'; while running `./configure
--disable-silent-rules' sets the default to verbose, which can be
overridden with `make V=0'.
Particular systems
==================
On HP-UX, the default C compiler is not ANSI C compatible. If GNU
CC is not installed, it is recommended to use the following options in
order to use an ANSI C compiler:
./configure CC="cc -Ae -D_XOPEN_SOURCE=500"
and if that doesn't work, install pre-built binaries of GCC for HP-UX.
HP-UX `make' updates targets which have the same time stamps as
their prerequisites, which makes it generally unusable when shipped
generated files such as `configure' are involved. Use GNU `make'
instead.
On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot
parse its `<wchar.h>' header file. The option `-nodtk' can be used as
a workaround. If GNU CC is not installed, it is therefore recommended
to try
./configure CC="cc"
and if that doesn't work, try
./configure CC="cc -nodtk"
On Solaris, don't put `/usr/ucb' early in your `PATH'. This
directory contains several dysfunctional programs; working variants of
these programs are available in `/usr/bin'. So, if you need `/usr/ucb'
in your `PATH', put it _after_ `/usr/bin'.
On Haiku, software installed for all users goes in `/boot/common',
not `/usr/local'. It is recommended to use the following options:
./configure --prefix=/boot/common
Specifying the System Type
==========================
There may be some features `configure' cannot figure out
automatically, but needs to determine by the type of machine the package
will run on. Usually, assuming the package is built to be run on the
_same_ architectures, `configure' can figure that out, but if it prints
a message saying it cannot guess the machine type, give it the
`--build=TYPE' option. TYPE can either be a short name for the system
type, such as `sun4', or a canonical name which has the form:
CPU-COMPANY-SYSTEM
where SYSTEM can have one of these forms:
OS
KERNEL-OS
See the file `config.sub' for the possible values of each field. If
`config.sub' isn't included in this package, then this package doesn't
need to know the machine type.
If you are _building_ compiler tools for cross-compiling, you should
use the option `--target=TYPE' to select the type of system they will
produce code for.
If you want to _use_ a cross compiler, that generates code for a
platform different from the build platform, you should specify the
"host" platform (i.e., that on which the generated programs will
eventually be run) with `--host=TYPE'.
Sharing Defaults
================
If you want to set default values for `configure' scripts to share,
you can create a site shell script called `config.site' that gives
default values for variables like `CC', `cache_file', and `prefix'.
`configure' looks for `PREFIX/share/config.site' if it exists, then
`PREFIX/etc/config.site' if it exists. Or, you can set the
`CONFIG_SITE' environment variable to the location of the site script.
A warning: not all `configure' scripts look for a site script.
Defining Variables
==================
Variables not defined in a site shell script can be set in the
environment passed to `configure'. However, some packages may run
configure again during the build, and the customized values of these
variables may be lost. In order to avoid this problem, you should set
them in the `configure' command line, using `VAR=value'. For example:
./configure CC=/usr/local2/bin/gcc
causes the specified `gcc' to be used as the C compiler (unless it is
overridden in the site shell script).
Unfortunately, this technique does not work for `CONFIG_SHELL' due to
an Autoconf limitation. Until the limitation is lifted, you can use
this workaround:
CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash
`configure' Invocation
======================
`configure' recognizes the following options to control how it
operates.
`--help'
`-h'
Print a summary of all of the options to `configure', and exit.
`--help=short'
`--help=recursive'
Print a summary of the options unique to this package's
`configure', and exit. The `short' variant lists options used
only in the top level, while the `recursive' variant lists options
also present in any nested packages.
`--version'
`-V'
Print the version of Autoconf used to generate the `configure'
script, and exit.
`--cache-file=FILE'
Enable the cache: use and save the results of the tests in FILE,
traditionally `config.cache'. FILE defaults to `/dev/null' to
disable caching.
`--config-cache'
`-C'
Alias for `--cache-file=config.cache'.
`--quiet'
`--silent'
`-q'
Do not print messages saying which checks are being made. To
suppress all normal output, redirect it to `/dev/null' (any error
messages will still be shown).
`--srcdir=DIR'
Look for the package's source code in directory DIR. Usually
`configure' can determine that directory automatically.
`--prefix=DIR'
Use DIR as the installation prefix. *note Installation Names::
for more details, including other options available for fine-tuning
the installation locations.
`--no-create'
`-n'
Run the configure checks, but stop before creating any output
files.
`configure' also accepts some other, not widely useful, options. Run
`configure --help' for more details.
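Review bot: the stunnel-specific instructions this hunk removes (the note that the SSL library must be compiled with -DTHREADS for POSIX threads, the --with-ssl=DIR, --with-random=FILE and --with-egd-socket=FILE configure options, creating stunnel.conf, and the stunnel.init / inetd startup steps) have no counterpart in the generic GNU INSTALL text that replaces them. The PRNG seeding options in particular are the ones an operator needs to find here; keep a short stunnel section ahead of the generic text, or state at the top that the package-specific options are listed in README and in `./configure --help'.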


@ -2,10 +2,12 @@ stunnel FIPS install notes
Unix HOWTO:
FIPS mode is autodetected if possible. You can force it with:
./configure --enable-fips
or disable with:
./configure --disable-fips
* Only dynamic linking of the FIPS-enabled OpenSSL is currently supported,
i.e. FIPS-enabled OpenSSL has to be configured with "shared" parameter.
* FIPS mode is autodetected if possible. It can be forced with:
./configure --enable-fips
or disable with:
./configure --disable-fips
WIN32 HOWTO:
* On 32-bit Windows install one of the following compilers:
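Review bot: the new bullet reads "It can be forced with: ./configure --enable-fips or disable with: ./configure --disable-fips", mixing the passive and active forms; make it "or disabled with:" so both halves of the sentence agree.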
@ -15,7 +17,7 @@ WIN32 HOWTO:
- MSVC 8.0 (VS 2005) Standard or Professional Edition
- MSVC 9.0 (VS 2008) Standard or Professional Edition
* Build FIPS-compliant OpenSSL DLLS according to:
http://www.openssl.org/docs/fips/UserGuide-1.2.pdf
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
* Build stunnel normally with MSVC or Mingw.
Mingw build requires DLL stubs. Stubs can be built with:
dlltool --def ms/libeay32.def --output-lib libcrypto.a


@ -1,51 +1,66 @@
stunnel Windows install notes
Building stunnel from source (optional):
Cross-compiling stunnel from source with MinGW (optional):
1) Install mingw32 cross-compiler o a Unix/Linux machine.
In Debian all you need is:
apt-get install gcc-mingw32
Native compilation on a Windows machine is possible, but not supported.
1) Install the mingw32 cross-compiler on a Unix/Linux machine.
On Debian (and derivatives, including Ubuntu):
sudo apt-get install gcc-mingw-w64-i686
On Arch Linux:
sudo pacman -S mingw-w64-gcc
2) Download the recent zlib from http://www.zlib.net/
Update the following definitions in win32/Makefile.gcc file:
SHARED_MODE=1
PREFIX = i586-mingw32msvc-
then build zlib with:
make -f win32/Makefile.gcc
and install it in mingw32 tree:
sudo BINARY_PATH=~/ \
INCLUDE_PATH=/usr/i586-mingw32msvc/include/ \
LIBRARY_PATH=/usr/i586-mingw32msvc/lib/ \
make -f win32/Makefile.gcc install
3) Download the recent OpenSSL in unpack it to /usr/src/ directory.
cd /usr/src
2) Download the recent OpenSSL and unpack it:
tar zvxf ~/openssl-(version).tar.gz
mv openssl-(version) openssl-(version)-i586
mv openssl-(version) openssl-(version)-i686
cd openssl-(version)-i686/
4) Build OpenSSL.
./Configure --cross-compile-prefix=i586-mingw32msvc- mingw shared zlib-dynamic
3) Build OpenSSL.
For 32-bit Windows:
./Configure \
--cross-compile-prefix=i686-w64-mingw32- \
--openssldir=/opt/openssl-mingw mingw shared
make
sudo make install
sudo cp ms/applink.c /opt/openssl-mingw/include/openssl/
For 64-bit Windows:
./Configure \
--cross-compile-prefix=x86_64-w64-mingw32- \
--openssldir=/opt/openssl-mingw64 mingw64 shared
make
sudo make install
sudo cp ms/applink.c /opt/openssl-mingw64/include/openssl/
5) Download and unpack stunnel-(version).tar.gz.
4) Download and unpack stunnel-(version).tar.gz.
6) Configure stunnel.
5) Configure stunnel:
cd stunnel-(version)
./configure --with-ssl=/path/to/openssl-(version)
./configure
7) Build windows executable.
6) Build Windows 32-bit and/or 64-bit executables:
cd src
make stunnel.exe
make mingw
make mingw64
Building stunnel from source with MinGW (optional):
Building on a Windows machine is possible, but not currently supported.
Building stunnel from source with Visual Studio (optional):
TODO
Installing stunnel:
1) run installer to install precompiled binaries or copy stunnel.exe and
OpenSSL DLLs into a directory
1) Run installer to install the precompiled binaries, or
copy the stunnel.exe or tstunnel.exe executable located in the
/stunnel-(version)/bin/mingw/ directory into the destination
directory on a Windows machine, and
copy OpenSSL DLLs: libeay32.dll, libssp-0.dll and ssleay32.dll
into the same directory, if necessary.
2) read the manual (stunnel.html)
3) create/edit stunnel.conf configuration file
2) Read the manual (stunnel.html).
3) Create/edit the stunnel.conf configuration file.
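Review bot: step 1 installs only gcc-mingw-w64-i686 on Debian, but the 64-bit OpenSSL build in step 3 and "make mingw64" in step 6 use the x86_64-w64-mingw32- prefix, which that package does not provide; add the x86-64 cross compiler package (gcc-mingw-w64-x86-64 on Debian) to step 1, or say that the line installs the 32-bit toolchain only. Step 3 also runs the 32-bit and the 64-bit ./Configure in the single tree that step 2 renamed to openssl-(version)-i686; a second Configure on top of the 32-bit objects needs a "make clean" first (or a second unpacked copy, as the old -i586 rename implied), and the -i686 suffix no longer describes a tree used for both builds. The "sudo cp ms/applink.c ..." lines would also benefit from one sentence on why applink.c is needed for the MinGW build.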


@ -1,8 +1,9 @@
## Process this file with automake to produce Makefile.in
# by Michal Trojnara 2015-2017
ACLOCAL_AMFLAGS = -I m4
SUBDIRS = src doc tools
SUBDIRS = src doc tools tests
LIBTOOL_DEPS = @LIBTOOL_DEPS@
libtool: $(LIBTOOL_DEPS)
@ -10,7 +11,7 @@ libtool: $(LIBTOOL_DEPS)
EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS
EXTRA_DIST += INSTALL.W32 INSTALL.WCE INSTALL.FIPS
EXTRA_DIST += build-android.sh
EXTRA_DIST += build-android.sh .travis.yml
docdir = $(datadir)/doc/stunnel
doc_DATA = INSTALL README TODO COPYING AUTHORS ChangeLog
@ -21,17 +22,37 @@ distcleancheck_listfiles = find -type f -exec sh -c 'test -f $(srcdir)/{} || ech
distclean-local:
rm -rf autom4te.cache
rm -f $(distdir)-installer.exe
# rm -f $(distdir)-win32-installer.exe
dist-hook:
makensis -NOCD -DVERSION=${VERSION} -DSRCDIR=$(srcdir) \
-DDLLS=/usr/src/openssl-0.9.8s-fips/out32dll \
$(srcdir)/tools/stunnel.nsi
#dist-hook:
# makensis -NOCD -DVERSION=${VERSION} \
# -DSTUNNEL_DIR=$(srcdir) \
# -DROOT_DIR=/usr/src \
# $(srcdir)/tools/stunnel.nsi
sign: dist
cp -f $(distdir).tar.gz ../dist
cp -f $(distdir)-installer.exe ../dist
gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir).tar.gz
gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir)-installer.exe
sha256sum $(distdir).tar.gz | tee ../dist/$(distdir).tar.gz.sha256
cp -f $(distdir).tar.gz $(distdir)-win32-installer.exe $(distdir)-android.zip ../dist
gpg-agent --daemon /bin/sh -c "cd ../dist; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir).tar.gz; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-win32-installer.exe; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-android.zip"
sha256sum $(distdir).tar.gz >../dist/$(distdir).tar.gz.sha256
sha256sum $(distdir)-win32-installer.exe >../dist/$(distdir)-win32-installer.exe.sha256
sha256sum $(distdir)-android.zip >../dist/$(distdir)-android.zip.sha256
cat ../dist/$(distdir)*.sha256 | tac
cert:
$(MAKE) -C tools cert
test: check
install-data-hook:
@echo "*********************************************************"
@echo "* Type 'make cert' to also install a sample certificate *"
@echo "*********************************************************"
edit = sed \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g'
stunnel.pod: Makefile
$(edit) '$(srcdir)/$@.in' >$@
stunnel.pod: $(srcdir)/stunnel.pod
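Review bot: "sign: dist" copies and signs $(distdir)-win32-installer.exe and $(distdir)-android.zip, but with dist-hook commented out nothing in this Makefile builds the installer any more (the distclean-local rm for it is commented out as well), so "make sign" fails unless the installer was produced elsewhere; either document that prerequisite at the target or keep the makensis hook. The gpg invocations also keep "--force-v3-sigs", which GnuPG 2.1 and later treat as an obsolete no-op, and the single-line gpg-agent --daemon /bin/sh -c "..." command is hard to read; split it with backslashes like the commented dist-hook above it. The trailing "stunnel.pod: $(srcdir)/stunnel.pod" rule makes the target depend on a file of the same name in srcdir, which looks like a leftover from the "edit" rule just above it and deserves a second look.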


@ -1,9 +1,8 @@
# Makefile.in generated by automake 1.11.1 from Makefile.am.
# Makefile.in generated by automake 1.15 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
# Inc.
# Copyright (C) 1994-2014 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
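Review bot: Makefile.in is automake output (the header now reads automake 1.15) and the whole file is regenerated by the "autoreconf -fvi" step the build already runs; reviewing the generated text by hand is not worthwhile, so bring this file in as its own "regenerate build system" commit, or drop it from the tree if autoreconf runs at build time anyway.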
@ -15,7 +14,64 @@
@SET_MAKE@
# by Michal Trojnara 2015-2017
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@ -35,11 +91,6 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = .
DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \
$(srcdir)/Makefile.in $(top_srcdir)/configure AUTHORS COPYING \
ChangeLog INSTALL NEWS TODO auto/compile auto/config.guess \
auto/config.sub auto/depcomp auto/install-sh auto/ltmain.sh \
auto/missing
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
@ -47,21 +98,41 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(top_srcdir)/configure \
$(am__configure_deps) $(am__DIST_COMMON)
am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
configure.lineno config.status.lineno
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/src/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
SOURCES =
DIST_SOURCES =
RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
html-recursive info-recursive install-data-recursive \
install-dvi-recursive install-exec-recursive \
install-html-recursive install-info-recursive \
install-pdf-recursive install-ps-recursive install-recursive \
installcheck-recursive installdirs-recursive pdf-recursive \
ps-recursive uninstall-recursive
RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
ctags-recursive dvi-recursive html-recursive info-recursive \
install-data-recursive install-dvi-recursive \
install-exec-recursive install-html-recursive \
install-info-recursive install-pdf-recursive \
install-ps-recursive install-recursive installcheck-recursive \
installdirs-recursive pdf-recursive ps-recursive \
tags-recursive uninstall-recursive
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@ -83,23 +154,60 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
am__installdirs = "$(DESTDIR)$(docdir)"
DATA = $(doc_DATA)
RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
distclean-recursive maintainer-clean-recursive
AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
$(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \
distdir dist dist-all distcheck
am__recursive_targets = \
$(RECURSIVE_TARGETS) \
$(RECURSIVE_CLEAN_TARGETS) \
$(am__extra_recursive_targets)
AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
cscope distdir dist dist-all distcheck
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates. Input order is
# *not* preserved.
am__uniquify_input = $(AWK) '\
BEGIN { nonempty = 0; } \
{ items[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in items) print i; }; } \
'
# Make sure the list of sources is unique. This is necessary because,
# e.g., the same source file might be shared among _SOURCES variables
# for different programs/libraries.
am__define_uniq_tagged_files = \
list='$(am__tagged_files)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
CSCOPE = cscope
DIST_SUBDIRS = $(SUBDIRS)
am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/auto/compile \
$(top_srcdir)/auto/config.guess $(top_srcdir)/auto/config.sub \
$(top_srcdir)/auto/install-sh $(top_srcdir)/auto/ltmain.sh \
$(top_srcdir)/auto/missing AUTHORS COPYING ChangeLog INSTALL \
NEWS README TODO auto/compile auto/config.guess \
auto/config.sub auto/depcomp auto/install-sh auto/ltmain.sh \
auto/missing
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
distdir = $(PACKAGE)-$(VERSION)
top_distdir = $(distdir)
am__remove_distdir = \
{ test ! -d "$(distdir)" \
|| { find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
&& rm -fr "$(distdir)"; }; }
if test -d "$(distdir)"; then \
find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
&& rm -rf "$(distdir)" \
|| { sleep 5 && rm -rf "$(distdir)"; }; \
else :; fi
am__post_remove_distdir = $(am__remove_distdir)
am__relativize = \
dir0=`pwd`; \
sed_first='s,^\([^/]*\)/.*$$,\1,'; \
@ -127,9 +235,13 @@ am__relativize = \
reldir="$$dir2"
DIST_ARCHIVES = $(distdir).tar.gz
GZIP_ENV = --best
DIST_TARGETS = dist-gzip
distuninstallcheck_listfiles = find . -type f -print
am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \
| sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$'
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
@ -144,6 +256,7 @@ CYGPATH_W = @CYGPATH_W@
DEFAULT_GROUP = @DEFAULT_GROUP@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@ -167,7 +280,9 @@ LIBTOOL_DEPS = @LIBTOOL_DEPS@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
@ -183,6 +298,9 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PTHREAD_CC = @PTHREAD_CC@
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
PTHREAD_LIBS = @PTHREAD_LIBS@
RANDOM_FILE = @RANDOM_FILE@
RANLIB = @RANLIB@
SED = @SED@
@ -195,6 +313,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@ -202,6 +321,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
ax_pthread_config = @ax_pthread_config@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@ -227,7 +347,6 @@ libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
lt_ECHO = @lt_ECHO@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
@ -235,28 +354,30 @@ pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
stunnel_CFLAGS = @stunnel_CFLAGS@
stunnel_LDFLAGF = @stunnel_LDFLAGF@
stunnel_LDFLAGS = @stunnel_LDFLAGS@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
ACLOCAL_AMFLAGS = -I m4
SUBDIRS = src doc tools
SUBDIRS = src doc tools tests
EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE \
INSTALL.FIPS build-android.sh
INSTALL.FIPS build-android.sh .travis.yml
doc_DATA = INSTALL README TODO COPYING AUTHORS ChangeLog PORTS BUGS \
COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE INSTALL.FIPS
distcleancheck_listfiles = find -type f -exec sh -c 'test -f $(srcdir)/{} || echo {}' ';'
edit = sed \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g'
all: all-recursive
.SUFFIXES:
am--refresh:
am--refresh: Makefile
@:
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
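Review bot: the unchanged `distcleancheck_listfiles` line in this hunk embeds find's `{}` inside a `sh -c` command string, so with GNU find any path in the distcheck tree that contains shell metacharacters is substituted into the script and interpreted by the shell instead of being treated as data; pass the path as a positional argument instead, e.g. `find -type f -exec sh -c 'test -f "$$1/$$2" || echo "$$2"' sh '$(srcdir)' {} ';'`. Separately, `stunnel_LDFLAGF = @stunnel_LDFLAGF@` directly above `stunnel_LDFLAGS` reads like a typo carried over from configure.ac; confirm the AC_SUBST name or remove the unused variable.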
@ -271,7 +392,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --gnu Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
@ -301,8 +421,11 @@ distclean-libtool:
-rm -f libtool config.lt
install-docDATA: $(doc_DATA)
@$(NORMAL_INSTALL)
test -z "$(docdir)" || $(MKDIR_P) "$(DESTDIR)$(docdir)"
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
@ -316,27 +439,28 @@ uninstall-docDATA:
@$(NORMAL_UNINSTALL)
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
test -n "$$files" || exit 0; \
echo " ( cd '$(DESTDIR)$(docdir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(docdir)" && rm -f $$files
dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir)
# This directory's subdirectories are mostly independent; you can cd
# into them and run `make' without going through this Makefile.
# To change the values of `make' variables: instead of editing Makefiles,
# (1) if the variable is set in `config.status', edit `config.status'
# (which will cause the Makefiles to be regenerated when you run `make');
# (2) otherwise, pass the desired values on the `make' command line.
$(RECURSIVE_TARGETS):
@fail= failcom='exit 1'; \
for f in x $$MAKEFLAGS; do \
case $$f in \
*=* | --[!k]*);; \
*k*) failcom='fail=yes';; \
esac; \
done; \
# into them and run 'make' without going through this Makefile.
# To change the values of 'make' variables: instead of editing Makefiles,
# (1) if the variable is set in 'config.status', edit 'config.status'
# (which will cause the Makefiles to be regenerated when you run 'make');
# (2) otherwise, pass the desired values on the 'make' command line.
$(am__recursive_targets):
@fail=; \
if $(am__make_keepgoing); then \
failcom='fail=yes'; \
else \
failcom='exit 1'; \
fi; \
dot_seen=no; \
target=`echo $@ | sed s/-recursive//`; \
list='$(SUBDIRS)'; for subdir in $$list; do \
case "$@" in \
distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
*) list='$(SUBDIRS)' ;; \
esac; \
for subdir in $$list; do \
echo "Making $$target in $$subdir"; \
if test "$$subdir" = "."; then \
dot_seen=yes; \
@ -351,57 +475,12 @@ $(RECURSIVE_TARGETS):
$(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
fi; test -z "$$fail"
$(RECURSIVE_CLEAN_TARGETS):
@fail= failcom='exit 1'; \
for f in x $$MAKEFLAGS; do \
case $$f in \
*=* | --[!k]*);; \
*k*) failcom='fail=yes';; \
esac; \
done; \
dot_seen=no; \
case "$@" in \
distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
*) list='$(SUBDIRS)' ;; \
esac; \
rev=''; for subdir in $$list; do \
if test "$$subdir" = "."; then :; else \
rev="$$subdir $$rev"; \
fi; \
done; \
rev="$$rev ."; \
target=`echo $@ | sed s/-recursive//`; \
for subdir in $$rev; do \
echo "Making $$target in $$subdir"; \
if test "$$subdir" = "."; then \
local_target="$$target-am"; \
else \
local_target="$$target"; \
fi; \
($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
|| eval $$failcom; \
done && test -z "$$fail"
tags-recursive:
list='$(SUBDIRS)'; for subdir in $$list; do \
test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
done
ctags-recursive:
list='$(SUBDIRS)'; for subdir in $$list; do \
test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
done
ID: $(am__tagged_files)
$(am__define_uniq_tagged_files); mkid -fID $$unique
tags: tags-recursive
TAGS: tags
ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
set x; \
here=`pwd`; \
if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
@ -417,12 +496,7 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
fi; \
done; \
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
$(am__define_uniq_tagged_files); \
shift; \
if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
@ -434,15 +508,11 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$$unique; \
fi; \
fi
ctags: CTAGS
CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
ctags: ctags-recursive
CTAGS: ctags
ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
$(am__define_uniq_tagged_files); \
test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
$$unique
@ -451,9 +521,31 @@ GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
&& $(am__cd) $(top_srcdir) \
&& gtags -i $(GTAGS_ARGS) "$$here"
cscope: cscope.files
test ! -s cscope.files \
|| $(CSCOPE) -b -q $(AM_CSCOPEFLAGS) $(CSCOPEFLAGS) -i cscope.files $(CSCOPE_ARGS)
clean-cscope:
-rm -f cscope.files
cscope.files: clean-cscope cscopelist
cscopelist: cscopelist-recursive
cscopelist-am: $(am__tagged_files)
list='$(am__tagged_files)'; \
case "$(srcdir)" in \
[\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
*) sdir=$(subdir)/$(srcdir) ;; \
esac; \
for i in $$list; do \
if test -f "$$i"; then \
echo "$(subdir)/$$i"; \
else \
echo "$$sdir/$$i"; \
fi; \
done >> $(top_builddir)/cscope.files
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-rm -f cscope.out cscope.in.out cscope.po.out cscope.files
distdir: $(DISTFILES)
$(am__remove_distdir)
@ -489,13 +581,10 @@ distdir: $(DISTFILES)
done
@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
if test "$$subdir" = .; then :; else \
test -d "$(distdir)/$$subdir" \
|| $(MKDIR_P) "$(distdir)/$$subdir" \
|| exit 1; \
fi; \
done
@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
if test "$$subdir" = .; then :; else \
$(am__make_dryrun) \
|| test -d "$(distdir)/$$subdir" \
|| $(MKDIR_P) "$(distdir)/$$subdir" \
|| exit 1; \
dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
$(am__relativize); \
new_distdir=$$reldir; \
@ -515,9 +604,6 @@ distdir: $(DISTFILES)
|| exit 1; \
fi; \
done
$(MAKE) $(AM_MAKEFLAGS) \
top_distdir="$(top_distdir)" distdir="$(distdir)" \
dist-hook
-test -n "$(am__skip_mode_fix)" \
|| find "$(distdir)" -type d ! -perm -755 \
-exec chmod u+rwx,go+rx {} \; -o \
@ -527,36 +613,42 @@ distdir: $(DISTFILES)
|| chmod -R a+r "$(distdir)"
dist-gzip: distdir
tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
$(am__remove_distdir)
$(am__post_remove_distdir)
dist-bzip2: distdir
tardir=$(distdir) && $(am__tar) | bzip2 -9 -c >$(distdir).tar.bz2
$(am__remove_distdir)
tardir=$(distdir) && $(am__tar) | BZIP2=$${BZIP2--9} bzip2 -c >$(distdir).tar.bz2
$(am__post_remove_distdir)
dist-lzma: distdir
tardir=$(distdir) && $(am__tar) | lzma -9 -c >$(distdir).tar.lzma
$(am__remove_distdir)
dist-lzip: distdir
tardir=$(distdir) && $(am__tar) | lzip -c $${LZIP_OPT--9} >$(distdir).tar.lz
$(am__post_remove_distdir)
dist-xz: distdir
tardir=$(distdir) && $(am__tar) | xz -c >$(distdir).tar.xz
$(am__remove_distdir)
tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz
$(am__post_remove_distdir)
dist-tarZ: distdir
@echo WARNING: "Support for distribution archives compressed with" \
"legacy program 'compress' is deprecated." >&2
@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z
$(am__remove_distdir)
$(am__post_remove_distdir)
dist-shar: distdir
@echo WARNING: "Support for shar distribution archives is" \
"deprecated." >&2
@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz
$(am__remove_distdir)
$(am__post_remove_distdir)
dist-zip: distdir
-rm -f $(distdir).zip
zip -rq $(distdir).zip $(distdir)
$(am__remove_distdir)
$(am__post_remove_distdir)
dist dist-all: distdir
tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
$(am__remove_distdir)
dist dist-all:
$(MAKE) $(AM_MAKEFLAGS) $(DIST_TARGETS) am__post_remove_distdir='@:'
$(am__post_remove_distdir)
# This target untars the dist file and tries a VPATH configuration. Then
# it guarantees that the distribution is self-contained by making another
@ -567,8 +659,8 @@ distcheck: dist
GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\
*.tar.bz2*) \
bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\
*.tar.lzma*) \
lzma -dc $(distdir).tar.lzma | $(am__untar) ;;\
*.tar.lz*) \
lzip -dc $(distdir).tar.lz | $(am__untar) ;;\
*.tar.xz*) \
xz -dc $(distdir).tar.xz | $(am__untar) ;;\
*.tar.Z*) \
@ -578,17 +670,19 @@ distcheck: dist
*.zip*) \
unzip $(distdir).zip ;;\
esac
chmod -R a-w $(distdir); chmod a+w $(distdir)
mkdir $(distdir)/_build
mkdir $(distdir)/_inst
chmod -R a-w $(distdir)
chmod u+w $(distdir)
mkdir $(distdir)/_build $(distdir)/_build/sub $(distdir)/_inst
chmod a-w $(distdir)
test -d $(distdir)/_build || exit 0; \
dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \
&& dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
&& am__cwd=`pwd` \
&& $(am__cd) $(distdir)/_build \
&& ../configure --srcdir=.. --prefix="$$dc_install_base" \
&& $(am__cd) $(distdir)/_build/sub \
&& ../../configure \
$(AM_DISTCHECK_CONFIGURE_FLAGS) \
$(DISTCHECK_CONFIGURE_FLAGS) \
--srcdir=../.. --prefix="$$dc_install_base" \
&& $(MAKE) $(AM_MAKEFLAGS) \
&& $(MAKE) $(AM_MAKEFLAGS) dvi \
&& $(MAKE) $(AM_MAKEFLAGS) check \
@ -611,13 +705,21 @@ distcheck: dist
&& $(MAKE) $(AM_MAKEFLAGS) distcleancheck \
&& cd "$$am__cwd" \
|| exit 1
$(am__remove_distdir)
$(am__post_remove_distdir)
@(echo "$(distdir) archives ready for distribution: "; \
list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \
sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x'
distuninstallcheck:
@$(am__cd) '$(distuninstallcheck_dir)' \
&& test `$(distuninstallcheck_listfiles) | wc -l` -le 1 \
@test -n '$(distuninstallcheck_dir)' || { \
echo 'ERROR: trying to run $@ with an empty' \
'$$(distuninstallcheck_dir)' >&2; \
exit 1; \
}; \
$(am__cd) '$(distuninstallcheck_dir)' || { \
echo 'ERROR: cannot chdir into $(distuninstallcheck_dir)' >&2; \
exit 1; \
}; \
test `$(am__distuninstallcheck_listfiles) | wc -l` -eq 0 \
|| { echo "ERROR: files left after uninstall:" ; \
if test -n "$(DESTDIR)"; then \
echo " (check DESTDIR support)"; \
@ -651,10 +753,15 @@ install-am: all-am
installcheck: installcheck-recursive
install-strip:
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
`test -z '$(STRIP)' || \
echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
@ -689,7 +796,8 @@ info: info-recursive
info-am:
install-data-am: install-docDATA
@$(NORMAL_INSTALL)
$(MAKE) $(AM_MAKEFLAGS) install-data-hook
install-dvi: install-dvi-recursive
install-dvi-am:
@ -736,44 +844,63 @@ ps-am:
uninstall-am: uninstall-docDATA
.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \
install-am install-strip tags-recursive
.MAKE: $(am__recursive_targets) install-am install-data-am \
install-strip
.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
all all-am am--refresh check check-am clean clean-generic \
clean-libtool ctags ctags-recursive dist dist-all dist-bzip2 \
dist-gzip dist-hook dist-lzma dist-shar dist-tarZ dist-xz \
dist-zip distcheck distclean distclean-generic \
.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \
am--refresh check check-am clean clean-cscope clean-generic \
clean-libtool cscope cscopelist-am ctags ctags-am dist \
dist-all dist-bzip2 dist-gzip dist-lzip dist-shar dist-tarZ \
dist-xz dist-zip distcheck distclean distclean-generic \
distclean-libtool distclean-local distclean-tags \
distcleancheck distdir distuninstallcheck dvi dvi-am html \
html-am info info-am install install-am install-data \
install-data-am install-docDATA install-dvi install-dvi-am \
install-exec install-exec-am install-html install-html-am \
install-info install-info-am install-man install-pdf \
install-pdf-am install-ps install-ps-am install-strip \
installcheck installcheck-am installdirs installdirs-am \
maintainer-clean maintainer-clean-generic mostlyclean \
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
tags tags-recursive uninstall uninstall-am uninstall-docDATA
install-data-am install-data-hook install-docDATA install-dvi \
install-dvi-am install-exec install-exec-am install-html \
install-html-am install-info install-info-am install-man \
install-pdf install-pdf-am install-ps install-ps-am \
install-strip installcheck installcheck-am installdirs \
installdirs-am maintainer-clean maintainer-clean-generic \
mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
ps ps-am tags tags-am uninstall uninstall-am uninstall-docDATA
.PRECIOUS: Makefile
libtool: $(LIBTOOL_DEPS)
$(SHELL) ./config.status libtool
distclean-local:
rm -rf autom4te.cache
rm -f $(distdir)-installer.exe
# rm -f $(distdir)-win32-installer.exe
dist-hook:
makensis -NOCD -DVERSION=${VERSION} -DSRCDIR=$(srcdir) \
-DDLLS=/usr/src/openssl-0.9.8s-fips/out32dll \
$(srcdir)/tools/stunnel.nsi
#dist-hook:
# makensis -NOCD -DVERSION=${VERSION} \
# -DSTUNNEL_DIR=$(srcdir) \
# -DROOT_DIR=/usr/src \
# $(srcdir)/tools/stunnel.nsi
sign: dist
cp -f $(distdir).tar.gz ../dist
cp -f $(distdir)-installer.exe ../dist
gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir).tar.gz
gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir)-installer.exe
sha256sum $(distdir).tar.gz | tee ../dist/$(distdir).tar.gz.sha256
cp -f $(distdir).tar.gz $(distdir)-win32-installer.exe $(distdir)-android.zip ../dist
gpg-agent --daemon /bin/sh -c "cd ../dist; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir).tar.gz; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-win32-installer.exe; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-android.zip"
sha256sum $(distdir).tar.gz >../dist/$(distdir).tar.gz.sha256
sha256sum $(distdir)-win32-installer.exe >../dist/$(distdir)-win32-installer.exe.sha256
sha256sum $(distdir)-android.zip >../dist/$(distdir)-android.zip.sha256
cat ../dist/$(distdir)*.sha256 | tac
cert:
$(MAKE) -C tools cert
test: check
install-data-hook:
@echo "*********************************************************"
@echo "* Type 'make cert' to also install a sample certificate *"
@echo "*********************************************************"
stunnel.pod: Makefile
$(edit) '$(srcdir)/$@.in' >$@
stunnel.pod: $(srcdir)/stunnel.pod
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
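Review bot: `distclean-local` now leaves `$(distdir)-win32-installer.exe` in place (its `rm -f` is commented out), while `sign` still copies that installer and `$(distdir)-android.zip` into `../dist` and signs them; with `dist-hook` (the makensis build against the OpenSSL 0.9.8s FIPS DLLs) also commented out and its invocation dropped from `distdir` in an earlier hunk, both artifacts are now produced out of band, so a stale installer from a previous build survives `make distclean` and would be copied and signed as the new release. Either restore the `rm -f` in `distclean-local` or have `sign` check the artifacts' provenance (at least their modification time against the tarball) before signing. The `--force-v3-sigs` flag on the gpg calls is obsolete and ignored by GnuPG 2.1+; the same applies to the Makefile.am source of this target.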

13
PORTS

@ -1,22 +1,17 @@
stunnel known port maintainers
* AmigaOS
- Diego Casorran <dcr8520@amiga.org>
* Cygwin
- Andrew Schulman <andrex@alumni.utexas.net>
* Debian GNU/Linux
- Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com>
- Peter Pentchev <roam@ringlet.net>
* FreeBSD
- Ryan Steinmetz <zi@FreeBSD.org>
* NetBSD
- Martti Kuparinen <martti.kuparinen@iki.fi>
* OpenBSD
- Jakob Schlyter <jakob@openbsd.org>
* OpenSolaris
- Mark Fenwick <Mark.Fenwick@sun.com>
* OS/2
- Paul Smedley <paul@smedley.info>
- Gleydson Soares <gsoares@openbsd.org>
* OpenCSW Solaris
- Dagobert Michelsen <dam@opencsw.org>
* RedHat Linux
- Damien Miller <dmiller@ilogic.com.au>

55
TODO

@ -3,37 +3,50 @@ stunnel TODO
High priority features. They will likely be supported some day.
A sponsor could allocate my time to get them faster.
* Command-line server control interface on both Unix and Windows.
* Separate GUI process running as current user on Windows.
* Add client certificate autoselection based on the list of accepted issuers:
SSL_CTX_set_client_cert_cb(), SSL_get_client_CA_list().
* Add an Apparmor profile.
* Optional line-buffering of the log file.
* etc/stunnel/conf.d/* files automatically processed while reading
etc/stunnel/stunnel.conf
* Android GUI.
* Support for CryptoAPI certificates and private keys with OpenSSL CAPI
engine (this feature is incompatible with FIPS support).
* Indirect CRL support (RFC 3280, section 5).
* Log rotation on Windows.
* Configuration file option to limit the number of concurrent connections.
* SOCKS 4 protocol support.
http://archive.socks.permeo.com/protocol/socks4.protocol
Low priority features. They will unlikely ever be supported.
* Implement reference counting of the SERVICE_OPTIONS structure
- Add 'leastconn' failover strategy to order defined 'connect' targets
by the number of active connections.
- Add '-status' command line option reporting the number of clients
connected to each service.
- Deallocate SERVICE_OPTIONS structure when the configuration file
is reloaded *and* old connections are closed.
* Command-line server control interface on both Unix and Windows.
* Separate GUI process running as the current user on Windows.
* An Android GUI.
* OCSP stapling (tlsext_status).
* Extend session tickets and/or sessiond to also serialize application
data ("redirect" state and session persistence).
* Indirect CRL support (RFC 3280, section 5).
* Provide 64-bit Windows builds (besides 32-bit builds).
This requires either Microsoft Visual Studio Standard Edition or Microsoft
Visual Studio Professional Edition in order to retain FIPS compliance.
* Service-level logging configuration (separate verbosity and destination).
* Key renegotiation (re-handshake) for long connections.
* MSI installer for Windows.
* Add user-defined headers to CONNECT proxy requests.
This can be used to impersonate other software (e.g. web browsers).
Low priority features. They will unlikely ever be supported.
* Database and/or directory interface for retrieving PSK secrets.
* Support static FIPS-enabled build.
* Service-level logging destination.
* Enforce key renegotiation (re-handshake) for long connections.
* Logging to NT EventLog on Windows.
* Internationalization of logged messages (i18n).
* Generic scripting engine instead or static protocol.c.
Features I won't support, unless convinced otherwise by a wealthy sponsor.
* Protocol support *after* SSL is negotiated:
- Support for adding X-Forwarded-For to HTTP request headers.
This feature is less useful since PROXY protocol support is available.
- Support for adding X-Forwarded-For to SMTP email headers.
This feature is most likely to be implemented as a separate proxy.
* Additional certificate checks (including wildcard comparison) based on CN
and X509v3 Subject Alternative Name.
* Support for adding X-Forwarded-For to HTTP request headers.
This feature is less useful since PROXY protocol support is available.
* Support for adding X-Forwarded-For to SMTP email headers.
This feature is most likely to be implemented as a separate proxy.
* Additional certificate checks (including wildcard comparison) based on:
- O (Organization), and
- OU (Organizational Unit).
* Set processes title that appear on the ps(1) and top(1) commands.
I could not find a portable *and* non-copyleft library for it.
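Review bot: two typos in the TODO text of this hunk: "Generic scripting engine instead or static protocol.c" should read "instead of", and "Set processes title that appear on the ps(1) and top(1) commands" should read "Set the process title that appears in ps(1) and top(1)".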

1620
aclocal.m4 vendored

File diff suppressed because it is too large


@ -1,10 +1,9 @@
#! /bin/sh
# Wrapper for compilers which do not understand `-c -o'.
# Wrapper for compilers which do not understand '-c -o'.
scriptversion=2009-10-06.20; # UTC
scriptversion=2012-10-14.11; # UTC
# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2009 Free Software
# Foundation, Inc.
# Copyright (C) 1999-2014 Free Software Foundation, Inc.
# Written by Tom Tromey <tromey@cygnus.com>.
#
# This program is free software; you can redistribute it and/or modify
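Review bot: `auto/compile` is a vendored helper shipped by automake, and this hunk bumps `scriptversion` to 2012-10-14.11 under a 1999-2014 FSF copyright; rather than reviewing the shell by hand, verify that the file is byte-identical to the copy in the automake release that regenerated Makefile.in (1.15 per the Makefile.in header earlier in this change), since vendored build scripts are a classic supply-chain vector and any local modification should be explicit in the commit.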
@ -29,21 +28,224 @@ scriptversion=2009-10-06.20; # UTC
# bugs to <bug-automake@gnu.org> or send patches to
# <automake-patches@gnu.org>.
nl='
'
# We need space, tab and new line, in precisely that order. Quoting is
# there to prevent tools from complaining about whitespace usage.
IFS=" "" $nl"
file_conv=
# func_file_conv build_file lazy
# Convert a $build file to $host form and store it in $file
# Currently only supports Windows hosts. If the determined conversion
# type is listed in (the comma separated) LAZY, no conversion will
# take place.
func_file_conv ()
{
file=$1
case $file in
/ | /[!/]*) # absolute file, and not a UNC file
if test -z "$file_conv"; then
# lazily determine how to convert abs files
case `uname -s` in
MINGW*)
file_conv=mingw
;;
CYGWIN*)
file_conv=cygwin
;;
*)
file_conv=wine
;;
esac
fi
case $file_conv/,$2, in
*,$file_conv,*)
;;
mingw/*)
file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'`
;;
cygwin/*)
file=`cygpath -m "$file" || echo "$file"`
;;
wine/*)
file=`winepath -w "$file" || echo "$file"`
;;
esac
;;
esac
}
# func_cl_dashL linkdir
# Make cl look for libraries in LINKDIR
func_cl_dashL ()
{
func_file_conv "$1"
if test -z "$lib_path"; then
lib_path=$file
else
lib_path="$lib_path;$file"
fi
linker_opts="$linker_opts -LIBPATH:$file"
}
# func_cl_dashl library
# Do a library search-path lookup for cl
func_cl_dashl ()
{
lib=$1
found=no
save_IFS=$IFS
IFS=';'
for dir in $lib_path $LIB
do
IFS=$save_IFS
if $shared && test -f "$dir/$lib.dll.lib"; then
found=yes
lib=$dir/$lib.dll.lib
break
fi
if test -f "$dir/$lib.lib"; then
found=yes
lib=$dir/$lib.lib
break
fi
if test -f "$dir/lib$lib.a"; then
found=yes
lib=$dir/lib$lib.a
break
fi
done
IFS=$save_IFS
if test "$found" != yes; then
lib=$lib.lib
fi
}
# func_cl_wrapper cl arg...
# Adjust compile command to suit cl
func_cl_wrapper ()
{
# Assume a capable shell
lib_path=
shared=:
linker_opts=
for arg
do
if test -n "$eat"; then
eat=
else
case $1 in
-o)
# configure might choose to run compile as 'compile cc -o foo foo.c'.
eat=1
case $2 in
*.o | *.[oO][bB][jJ])
func_file_conv "$2"
set x "$@" -Fo"$file"
shift
;;
*)
func_file_conv "$2"
set x "$@" -Fe"$file"
shift
;;
esac
;;
-I)
eat=1
func_file_conv "$2" mingw
set x "$@" -I"$file"
shift
;;
-I*)
func_file_conv "${1#-I}" mingw
set x "$@" -I"$file"
shift
;;
-l)
eat=1
func_cl_dashl "$2"
set x "$@" "$lib"
shift
;;
-l*)
func_cl_dashl "${1#-l}"
set x "$@" "$lib"
shift
;;
-L)
eat=1
func_cl_dashL "$2"
;;
-L*)
func_cl_dashL "${1#-L}"
;;
-static)
shared=false
;;
-Wl,*)
arg=${1#-Wl,}
save_ifs="$IFS"; IFS=','
for flag in $arg; do
IFS="$save_ifs"
linker_opts="$linker_opts $flag"
done
IFS="$save_ifs"
;;
-Xlinker)
eat=1
linker_opts="$linker_opts $2"
;;
-*)
set x "$@" "$1"
shift
;;
*.cc | *.CC | *.cxx | *.CXX | *.[cC]++)
func_file_conv "$1"
set x "$@" -Tp"$file"
shift
;;
*.c | *.cpp | *.CPP | *.lib | *.LIB | *.Lib | *.OBJ | *.obj | *.[oO])
func_file_conv "$1" mingw
set x "$@" "$file"
shift
;;
*)
set x "$@" "$1"
shift
;;
esac
fi
shift
done
if test -n "$linker_opts"; then
linker_opts="-link$linker_opts"
fi
exec "$@" $linker_opts
exit 1
}
eat=
case $1 in
'')
echo "$0: No command. Try \`$0 --help' for more information." 1>&2
echo "$0: No command. Try '$0 --help' for more information." 1>&2
exit 1;
;;
-h | --h*)
cat <<\EOF
Usage: compile [--help] [--version] PROGRAM [ARGS]
Wrapper for compilers which do not understand `-c -o'.
Remove `-o dest.o' from ARGS, run PROGRAM with the remaining
Wrapper for compilers which do not understand '-c -o'.
Remove '-o dest.o' from ARGS, run PROGRAM with the remaining
arguments, and rename the output as expected.
If you are trying to build a whole package this is not the
right script to run: please start by reading the file `INSTALL'.
right script to run: please start by reading the file 'INSTALL'.
Report bugs to <bug-automake@gnu.org>.
EOF
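Review bot: In func_cl_wrapper, `linker_opts` is accumulated as a single string (`-LIBPATH:$file` from func_cl_dashL, `$2` from the `-Xlinker` case, each comma-separated `-Wl,` flag) and then expanded unquoted in `exec "$@" $linker_opts`, so any library directory or linker argument containing a space is split into several words before it reaches cl. Since func_file_conv can return Windows paths from `cygpath -m` or `winepath -w`, directories such as `C:/Program Files/...` would break here; collecting linker options in the positional parameters (`set x "$@" ...`, as the compiler arguments already are) would avoid the word splitting. Separately, func_cl_dashl silently falls back to `lib=$lib.lib` when the library is found in neither `$lib_path` nor `$LIB`; a short diagnostic on stderr at that point would make link failures easier to trace.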
@ -53,11 +255,13 @@ EOF
echo "compile $scriptversion"
exit $?
;;
cl | *[/\\]cl | cl.exe | *[/\\]cl.exe )
func_cl_wrapper "$@" # Doesn't return...
;;
esac
ofile=
cfile=
eat=
for arg
do
@ -66,8 +270,8 @@ do
else
case $1 in
-o)
# configure might choose to run compile as `compile cc -o foo foo.c'.
# So we strip `-o arg' only if arg is an object.
# configure might choose to run compile as 'compile cc -o foo foo.c'.
# So we strip '-o arg' only if arg is an object.
eat=1
case $2 in
*.o | *.obj)
@ -94,10 +298,10 @@ do
done
if test -z "$ofile" || test -z "$cfile"; then
# If no `-o' option was seen then we might have been invoked from a
# If no '-o' option was seen then we might have been invoked from a
# pattern rule where we don't need one. That is ok -- this is a
# normal compilation that the losing compiler can handle. If no
# `.c' file was seen then we are probably linking. That is also
# '.c' file was seen then we are probably linking. That is also
# ok.
exec "$@"
fi
@ -106,7 +310,7 @@ fi
cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'`
# Create the lock directory.
# Note: use `[/\\:.-]' here to ensure that we don't use the same name
# Note: use '[/\\:.-]' here to ensure that we don't use the same name
# that we are using for the .o file. Also, base the name on the expected
# object file name, since that is what matters with a parallel build.
lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d

auto/config.guess vendored Normal file → Executable file

@ -1,14 +1,12 @@
#! /bin/sh
# Attempt to guess a canonical system name.
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
# 2011 Free Software Foundation, Inc.
# Copyright 1992-2016 Free Software Foundation, Inc.
timestamp='2011-11-11'
timestamp='2016-10-02'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
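Review bot: The licence header of this vendored file changes from GPL "either version 2 of the License, or (at your option) any later version" to "either version 3", and the same relicensing appears in auto/config.sub further down in this change set. Because both scripts ship in the source package, the packaging's copyright file should be checked so that the licence it states for auto/config.guess and auto/config.sub matches the new text; the Autoconf special exception is retained (now worded as an additional permission under section 7 of GPLv3), so distributing configure-generated packages under the project's own terms is unaffected. The file mode also changes from Normal to Executable in this update.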
@ -17,26 +15,22 @@ timestamp='2011-11-11'
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
# 02110-1301, USA.
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# Originally written by Per Bothner. Please send patches (context
# diff format) to <config-patches@gnu.org> and include a ChangeLog
# entry.
# the same distribution terms that you use for the rest of that
# program. This Exception is an additional permission under section 7
# of the GNU General Public License, version 3 ("GPLv3").
#
# This script attempts to guess a canonical system name similar to
# config.sub. If it succeeds, it prints the system name on stdout, and
# exits with 0. Otherwise, it exits with 1.
# Originally written by Per Bothner; maintained since 2000 by Ben Elliston.
#
# You can get the latest version of this script from:
# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
#
# Please send patches to <config-patches@gnu.org>.
me=`echo "$0" | sed -e 's,.*/,,'`
@ -56,9 +50,7 @@ version="\
GNU config.guess ($timestamp)
Originally written by Per Bothner.
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free
Software Foundation, Inc.
Copyright 1992-2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -140,12 +132,33 @@ UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown
UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
case "${UNAME_SYSTEM}" in
Linux|GNU|GNU/*)
# If the system lacks a compiler, then just pick glibc.
# We could probably try harder.
LIBC=gnu
eval $set_cc_for_build
cat <<-EOF > $dummy.c
#include <features.h>
#if defined(__UCLIBC__)
LIBC=uclibc
#elif defined(__dietlibc__)
LIBC=dietlibc
#else
LIBC=gnu
#endif
EOF
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'`
;;
esac
# Note: order is significant - the case branches are not exclusive.
case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
*:NetBSD:*:*)
# NetBSD (nbsd) targets should (where applicable) match one or
# more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
# more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*,
# *-*-netbsdecoff* and *-*-netbsd*. For targets that recently
# switched to ELF, *-*-netbsd* would select the old
# object file format. This provides both forward
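Review bot: The new libc detection at the top (`case "${UNAME_SYSTEM}" in Linux|GNU|GNU/*)`) runs `eval` on preprocessor output filtered only by `grep '^LIBC'` and `sed 's, ,,g'`, so any line beginning with `LIBC` that `$CC_FOR_BUILD -E` emits, including from headers pulled in through `<features.h>`, is executed by the shell. Tightening the filter to the expected shape, e.g. `grep '^LIBC=[a-z]*$'`, would limit what can reach `eval`. Also note that the heredoc only distinguishes `__UCLIBC__` and `__dietlibc__` and defaults to `gnu` (the comment says so for the no-compiler case, but it also applies when preprocessing fails, since stderr is discarded), so hosts with any other C library are reported as `linux-gnu`.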
@ -155,19 +168,29 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
# Note: NetBSD doesn't particularly care about the vendor
# portion of the name. We always set it to "unknown".
sysctl="sysctl -n hw.machine_arch"
UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \
/usr/sbin/$sysctl 2>/dev/null || echo unknown)`
UNAME_MACHINE_ARCH=`(uname -p 2>/dev/null || \
/sbin/$sysctl 2>/dev/null || \
/usr/sbin/$sysctl 2>/dev/null || \
echo unknown)`
case "${UNAME_MACHINE_ARCH}" in
armeb) machine=armeb-unknown ;;
arm*) machine=arm-unknown ;;
sh3el) machine=shl-unknown ;;
sh3eb) machine=sh-unknown ;;
sh5el) machine=sh5le-unknown ;;
earmv*)
arch=`echo ${UNAME_MACHINE_ARCH} | sed -e 's,^e\(armv[0-9]\).*$,\1,'`
endian=`echo ${UNAME_MACHINE_ARCH} | sed -ne 's,^.*\(eb\)$,\1,p'`
machine=${arch}${endian}-unknown
;;
*) machine=${UNAME_MACHINE_ARCH}-unknown ;;
esac
# The Operating System including object format, if it has switched
# to ELF recently, or will in the future.
# to ELF recently (or will in the future) and ABI.
case "${UNAME_MACHINE_ARCH}" in
earm*)
os=netbsdelf
;;
arm*|i386|m68k|ns32k|sh3*|sparc|vax)
eval $set_cc_for_build
if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
@ -184,6 +207,13 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
os=netbsd
;;
esac
# Determine ABI tags.
case "${UNAME_MACHINE_ARCH}" in
earm*)
expr='s/^earmv[0-9]/-eabi/;s/eb$//'
abi=`echo ${UNAME_MACHINE_ARCH} | sed -e "$expr"`
;;
esac
# The OS release
# Debian GNU/NetBSD machines have a different userland, and
# thus, need a distinct triplet. However, they do not need
@ -194,18 +224,26 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
release='-gnu'
;;
*)
release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
release=`echo ${UNAME_RELEASE} | sed -e 's/[-_].*//' | cut -d. -f1,2`
;;
esac
# Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
# contains redundant information, the shorter form:
# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
echo "${machine}-${os}${release}"
echo "${machine}-${os}${release}${abi}"
exit ;;
*:Bitrig:*:*)
UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'`
echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE}
exit ;;
*:OpenBSD:*:*)
UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
exit ;;
*:LibertyBSD:*:*)
UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'`
echo ${UNAME_MACHINE_ARCH}-unknown-libertybsd${UNAME_RELEASE}
exit ;;
*:ekkoBSD:*:*)
echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
exit ;;
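Review bot: The NetBSD release computation changes behaviour, not just style: the old `sed -e 's/[-_].*/\./'` replaced the suffix starting at `-` or `_` with a trailing dot (so `6.1_STABLE` became `6.1.`), while the new `sed -e 's/[-_].*//' | cut -d. -f1,2` drops the suffix and truncates the release to two components, with no trailing dot. Anything that matches on the emitted `netbsd*` triplet should be checked against the new form. The printed name also gains the `${abi}` suffix, which is only set for `earm*` in the preceding hunk and is empty otherwise, and the hunk adds `Bitrig` and `LibertyBSD` cases alongside the existing `OpenBSD` one.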
@ -218,6 +256,9 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
*:MirBSD:*:*)
echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
exit ;;
*:Sortix:*:*)
echo ${UNAME_MACHINE}-unknown-sortix
exit ;;
alpha:OSF1:*:*)
case $UNAME_RELEASE in
*4.0)
@ -234,42 +275,42 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1`
case "$ALPHA_CPU_TYPE" in
"EV4 (21064)")
UNAME_MACHINE="alpha" ;;
UNAME_MACHINE=alpha ;;
"EV4.5 (21064)")
UNAME_MACHINE="alpha" ;;
UNAME_MACHINE=alpha ;;
"LCA4 (21066/21068)")
UNAME_MACHINE="alpha" ;;
UNAME_MACHINE=alpha ;;
"EV5 (21164)")
UNAME_MACHINE="alphaev5" ;;
UNAME_MACHINE=alphaev5 ;;
"EV5.6 (21164A)")
UNAME_MACHINE="alphaev56" ;;
UNAME_MACHINE=alphaev56 ;;
"EV5.6 (21164PC)")
UNAME_MACHINE="alphapca56" ;;
UNAME_MACHINE=alphapca56 ;;
"EV5.7 (21164PC)")
UNAME_MACHINE="alphapca57" ;;
UNAME_MACHINE=alphapca57 ;;
"EV6 (21264)")
UNAME_MACHINE="alphaev6" ;;
UNAME_MACHINE=alphaev6 ;;
"EV6.7 (21264A)")
UNAME_MACHINE="alphaev67" ;;
UNAME_MACHINE=alphaev67 ;;
"EV6.8CB (21264C)")
UNAME_MACHINE="alphaev68" ;;
UNAME_MACHINE=alphaev68 ;;
"EV6.8AL (21264B)")
UNAME_MACHINE="alphaev68" ;;
UNAME_MACHINE=alphaev68 ;;
"EV6.8CX (21264D)")
UNAME_MACHINE="alphaev68" ;;
UNAME_MACHINE=alphaev68 ;;
"EV6.9A (21264/EV69A)")
UNAME_MACHINE="alphaev69" ;;
UNAME_MACHINE=alphaev69 ;;
"EV7 (21364)")
UNAME_MACHINE="alphaev7" ;;
UNAME_MACHINE=alphaev7 ;;
"EV7.9 (21364A)")
UNAME_MACHINE="alphaev79" ;;
UNAME_MACHINE=alphaev79 ;;
esac
# A Pn.n version is a patched version.
# A Vn.n version is a released version.
# A Tn.n version is a released field test version.
# A Xn.n version is an unreleased experimental baselevel.
# 1.2 uses "1.2" for uname -r.
echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`
# Reset EXIT trap before exiting to avoid spurious non-zero exit code.
exitcode=$?
trap '' 0
@ -304,7 +345,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
echo arm-acorn-riscix${UNAME_RELEASE}
exit ;;
arm:riscos:*:*|arm:RISCOS:*:*)
arm*:riscos:*:*|arm*:RISCOS:*:*)
echo arm-unknown-riscos
exit ;;
SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
@ -342,16 +383,16 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
exit ;;
i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*)
eval $set_cc_for_build
SUN_ARCH="i386"
SUN_ARCH=i386
# If there is a compiler, see if it is configured for 64-bit objects.
# Note that the Sun cc does not turn __LP64__ into 1 like gcc does.
# This test works for both compilers.
if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \
(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
(CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null
then
SUN_ARCH="x86_64"
SUN_ARCH=x86_64
fi
fi
echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
@ -376,7 +417,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
exit ;;
sun*:*:4.2BSD:*)
UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
test "x${UNAME_RELEASE}" = x && UNAME_RELEASE=3
case "`/bin/arch`" in
sun3)
echo m68k-sun-sunos${UNAME_RELEASE}
@ -562,8 +603,9 @@ EOF
else
IBM_ARCH=powerpc
fi
if [ -x /usr/bin/oslevel ] ; then
IBM_REV=`/usr/bin/oslevel`
if [ -x /usr/bin/lslpp ] ; then
IBM_REV=`/usr/bin/lslpp -Lqc bos.rte.libc |
awk -F: '{ print $3 }' | sed s/[0-9]*$/0/`
else
IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
fi
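Review bot: In the new AIX revision lookup the sed expression `sed s/[0-9]*$/0/` is unquoted, so `[0-9]*$/0/` is a glob pattern to the shell and is subject to pathname expansion against the current directory before sed ever sees it. Quote it as `sed 's/[0-9]*$/0/'`, matching the quoting used elsewhere in this file (for example `sed -e 's/\.[^.]*$/.X/'` in the Cray branch). The fallback to `IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}` applies only when `/usr/bin/lslpp` is not executable, so an lslpp run that exits non-zero or prints nothing leaves `IBM_REV` empty; a `test -n "$IBM_REV" ||` guard after the command would keep the old default in that case.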
@ -600,13 +642,13 @@ EOF
sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
case "${sc_cpu_version}" in
523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0
528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1
532) # CPU_PA_RISC2_0
case "${sc_kernel_bits}" in
32) HP_ARCH="hppa2.0n" ;;
64) HP_ARCH="hppa2.0w" ;;
'') HP_ARCH="hppa2.0" ;; # HP-UX 10.20
32) HP_ARCH=hppa2.0n ;;
64) HP_ARCH=hppa2.0w ;;
'') HP_ARCH=hppa2.0 ;; # HP-UX 10.20
esac ;;
esac
fi
@ -645,11 +687,11 @@ EOF
exit (0);
}
EOF
(CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
(CCOPTS="" $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
test -z "$HP_ARCH" && HP_ARCH=hppa
fi ;;
esac
if [ ${HP_ARCH} = "hppa2.0w" ]
if [ ${HP_ARCH} = hppa2.0w ]
then
eval $set_cc_for_build
@ -662,12 +704,12 @@ EOF
# $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess
# => hppa64-hp-hpux11.23
if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) |
if echo __LP64__ | (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) |
grep -q __LP64__
then
HP_ARCH="hppa2.0w"
HP_ARCH=hppa2.0w
else
HP_ARCH="hppa64"
HP_ARCH=hppa64
fi
fi
echo ${HP_ARCH}-hp-hpux${HPUX_REV}
@ -772,14 +814,14 @@ EOF
echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
exit ;;
F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`
FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'`
FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
exit ;;
5000:UNIX_System_V:4.*:*)
FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'`
FUJITSU_REL=`echo ${UNAME_RELEASE} | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'`
echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
exit ;;
i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
@ -803,10 +845,13 @@ EOF
i*:CYGWIN*:*)
echo ${UNAME_MACHINE}-pc-cygwin
exit ;;
*:MINGW64*:*)
echo ${UNAME_MACHINE}-pc-mingw64
exit ;;
*:MINGW*:*)
echo ${UNAME_MACHINE}-pc-mingw32
exit ;;
i*:MSYS*:*)
*:MSYS*:*)
echo ${UNAME_MACHINE}-pc-msys
exit ;;
i*:windows32*:*)
@ -854,15 +899,22 @@ EOF
exit ;;
*:GNU:*:*)
# the GNU system
echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
exit ;;
*:GNU/*:*:*)
# other systems with GNU libc and userland
echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu
echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC}
exit ;;
i*86:Minix:*:*)
echo ${UNAME_MACHINE}-pc-minix
exit ;;
aarch64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
aarch64_be:Linux:*:*)
UNAME_MACHINE=aarch64_be
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
alpha:Linux:*:*)
case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
EV5) UNAME_MACHINE=alphaev5 ;;
@ -874,59 +926,60 @@ EOF
EV68*) UNAME_MACHINE=alphaev68 ;;
esac
objdump --private-headers /bin/sh | grep -q ld.so.1
if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
if test "$?" = 0 ; then LIBC=gnulibc1 ; fi
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
arc:Linux:*:* | arceb:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
arm*:Linux:*:*)
eval $set_cc_for_build
if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \
| grep -q __ARM_EABI__
then
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
else
if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \
| grep -q __ARM_PCS_VFP
then
echo ${UNAME_MACHINE}-unknown-linux-gnueabi
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi
else
echo ${UNAME_MACHINE}-unknown-linux-gnueabihf
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf
fi
fi
exit ;;
avr32*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
cris:Linux:*:*)
echo cris-axis-linux-gnu
echo ${UNAME_MACHINE}-axis-linux-${LIBC}
exit ;;
crisv32:Linux:*:*)
echo crisv32-axis-linux-gnu
echo ${UNAME_MACHINE}-axis-linux-${LIBC}
exit ;;
e2k:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
frv:Linux:*:*)
echo frv-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
hexagon:Linux:*:*)
echo hexagon-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
i*86:Linux:*:*)
LIBC=gnu
eval $set_cc_for_build
sed 's/^ //' << EOF >$dummy.c
#ifdef __dietlibc__
LIBC=dietlibc
#endif
EOF
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'`
echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
echo ${UNAME_MACHINE}-pc-linux-${LIBC}
exit ;;
ia64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
k1om:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
m32r*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
m68*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
mips:Linux:*:* | mips64:Linux:*:*)
eval $set_cc_for_build
@ -945,54 +998,69 @@ EOF
#endif
EOF
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; }
;;
or32:Linux:*:*)
echo or32-unknown-linux-gnu
mips64el:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
openrisc*:Linux:*:*)
echo or1k-unknown-linux-${LIBC}
exit ;;
or32:Linux:*:* | or1k*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
padre:Linux:*:*)
echo sparc-unknown-linux-gnu
echo sparc-unknown-linux-${LIBC}
exit ;;
parisc64:Linux:*:* | hppa64:Linux:*:*)
echo hppa64-unknown-linux-gnu
echo hppa64-unknown-linux-${LIBC}
exit ;;
parisc:Linux:*:* | hppa:Linux:*:*)
# Look for CPU level
case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
PA7*) echo hppa1.1-unknown-linux-gnu ;;
PA8*) echo hppa2.0-unknown-linux-gnu ;;
*) echo hppa-unknown-linux-gnu ;;
PA7*) echo hppa1.1-unknown-linux-${LIBC} ;;
PA8*) echo hppa2.0-unknown-linux-${LIBC} ;;
*) echo hppa-unknown-linux-${LIBC} ;;
esac
exit ;;
ppc64:Linux:*:*)
echo powerpc64-unknown-linux-gnu
echo powerpc64-unknown-linux-${LIBC}
exit ;;
ppc:Linux:*:*)
echo powerpc-unknown-linux-gnu
echo powerpc-unknown-linux-${LIBC}
exit ;;
ppc64le:Linux:*:*)
echo powerpc64le-unknown-linux-${LIBC}
exit ;;
ppcle:Linux:*:*)
echo powerpcle-unknown-linux-${LIBC}
exit ;;
riscv32:Linux:*:* | riscv64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
s390:Linux:*:* | s390x:Linux:*:*)
echo ${UNAME_MACHINE}-ibm-linux
echo ${UNAME_MACHINE}-ibm-linux-${LIBC}
exit ;;
sh64*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
sh*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
sparc:Linux:*:* | sparc64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
tile*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
vax:Linux:*:*)
echo ${UNAME_MACHINE}-dec-linux-gnu
echo ${UNAME_MACHINE}-dec-linux-${LIBC}
exit ;;
x86_64:Linux:*:*)
echo x86_64-unknown-linux-gnu
echo ${UNAME_MACHINE}-pc-linux-${LIBC}
exit ;;
xtensa*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
i*86:DYNIX/ptx:4*:*)
# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
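Review bot: The `x86_64:Linux:*:*` case changes the emitted vendor field from `unknown` to `pc` (`x86_64-unknown-linux-gnu` becomes `x86_64-pc-linux-${LIBC}`), which is the one line in this hunk that alters output on a common host rather than merely substituting `${LIBC}` for a hard-coded `gnu`. Any configure check or packaging rule that matches on the full host triplet should be checked against the new value. The s390/s390x line likewise gains a `-${LIBC}` suffix, so `s390x-ibm-linux` now prints as `s390x-ibm-linux-gnu`. The remaining changes are new architecture cases (`mips64el`, `openrisc*`, `or1k*`, `ppc64le`, `ppcle`, `riscv32`/`riscv64`) that follow the existing pattern.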
@ -1068,7 +1136,7 @@ EOF
# uname -m prints for DJGPP always 'pc', but it prints nothing about
# the processor, so we play safe by assuming i586.
# Note: whatever this is, it MUST be the same as what config.sub
# prints for the "djgpp" host, or else GDB configury will decide that
# prints for the "djgpp" host, or else GDB configure will decide that
# this is a cross-build.
echo i586-pc-msdosdjgpp
exit ;;
@ -1196,6 +1264,9 @@ EOF
BePC:Haiku:*:*) # Haiku running on Intel PC compatible.
echo i586-pc-haiku
exit ;;
x86_64:Haiku:*:*)
echo x86_64-unknown-haiku
exit ;;
SX-4:SUPER-UX:*:*)
echo sx4-nec-superux${UNAME_RELEASE}
exit ;;
@ -1214,6 +1285,9 @@ EOF
SX-8R:SUPER-UX:*:*)
echo sx8r-nec-superux${UNAME_RELEASE}
exit ;;
SX-ACE:SUPER-UX:*:*)
echo sxace-nec-superux${UNAME_RELEASE}
exit ;;
Power*:Rhapsody:*:*)
echo powerpc-apple-rhapsody${UNAME_RELEASE}
exit ;;
@ -1222,24 +1296,36 @@ EOF
exit ;;
*:Darwin:*:*)
UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
case $UNAME_PROCESSOR in
i386)
eval $set_cc_for_build
if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null
then
UNAME_PROCESSOR="x86_64"
fi
fi ;;
unknown) UNAME_PROCESSOR=powerpc ;;
esac
eval $set_cc_for_build
if test "$UNAME_PROCESSOR" = unknown ; then
UNAME_PROCESSOR=powerpc
fi
if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then
if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
(CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null
then
case $UNAME_PROCESSOR in
i386) UNAME_PROCESSOR=x86_64 ;;
powerpc) UNAME_PROCESSOR=powerpc64 ;;
esac
fi
fi
elif test "$UNAME_PROCESSOR" = i386 ; then
# Avoid executing cc on OS X 10.9, as it ships with a stub
# that puts up a graphical alert prompting to install
# developer tools. Any system running Mac OS X 10.7 or
# later (Darwin 11 and later) is required to have a 64-bit
# processor. This is not true of the ARM version of Darwin
# that Apple uses in portable devices.
UNAME_PROCESSOR=x86_64
fi
echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
exit ;;
*:procnto*:*:* | *:QNX:[0123456789]*:*)
UNAME_PROCESSOR=`uname -p`
if test "$UNAME_PROCESSOR" = "x86"; then
if test "$UNAME_PROCESSOR" = x86; then
UNAME_PROCESSOR=i386
UNAME_MACHINE=pc
fi
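Review bot: The new Darwin branch decides whether to run the compiler with `test \`echo "$UNAME_RELEASE" | sed -e 's/\..*//'\` -le 10`; when `uname -r` fails, `UNAME_RELEASE` is the literal string `unknown` (set near the top of the script), so `test` prints an integer-expression error to stderr and falls through to the `elif`, which turns an `i386` result into `x86_64`. A `case` on the leading digits before the numeric comparison would keep that noise off stderr. The comment explaining why cc is not executed on OS X 10.9 (the developer-tools stub that raises a graphical prompt) documents a real constraint and should stay; it also makes explicit that the `i386` to `x86_64` mapping assumes a non-ARM Darwin.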
@ -1251,7 +1337,7 @@ EOF
NEO-?:NONSTOP_KERNEL:*:*)
echo neo-tandem-nsk${UNAME_RELEASE}
exit ;;
NSE-?:NONSTOP_KERNEL:*:*)
NSE-*:NONSTOP_KERNEL:*:*)
echo nse-tandem-nsk${UNAME_RELEASE}
exit ;;
NSR-?:NONSTOP_KERNEL:*:*)
@ -1270,7 +1356,7 @@ EOF
# "uname -m" is not consistent, so use $cputype instead. 386
# is converted to i386 for consistency with other x86
# operating systems.
if test "$cputype" = "386"; then
if test "$cputype" = 386; then
UNAME_MACHINE=i386
else
UNAME_MACHINE="$cputype"
@ -1312,7 +1398,7 @@ EOF
echo i386-pc-xenix
exit ;;
i*86:skyos:*:*)
echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//'
echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE} | sed -e 's/ .*$//'`
exit ;;
i*86:rdos:*:*)
echo ${UNAME_MACHINE}-pc-rdos
@ -1320,174 +1406,28 @@ EOF
i*86:AROS:*:*)
echo ${UNAME_MACHINE}-pc-aros
exit ;;
x86_64:VMkernel:*:*)
echo ${UNAME_MACHINE}-unknown-esx
exit ;;
amd64:Isilon\ OneFS:*:*)
echo x86_64-unknown-onefs
exit ;;
esac
#echo '(No uname command or uname output not recognized.)' 1>&2
#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
eval $set_cc_for_build
cat >$dummy.c <<EOF
#ifdef _SEQUENT_
# include <sys/types.h>
# include <sys/utsname.h>
#endif
main ()
{
#if defined (sony)
#if defined (MIPSEB)
/* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed,
I don't know.... */
printf ("mips-sony-bsd\n"); exit (0);
#else
#include <sys/param.h>
printf ("m68k-sony-newsos%s\n",
#ifdef NEWSOS4
"4"
#else
""
#endif
); exit (0);
#endif
#endif
#if defined (__arm) && defined (__acorn) && defined (__unix)
printf ("arm-acorn-riscix\n"); exit (0);
#endif
#if defined (hp300) && !defined (hpux)
printf ("m68k-hp-bsd\n"); exit (0);
#endif
#if defined (NeXT)
#if !defined (__ARCHITECTURE__)
#define __ARCHITECTURE__ "m68k"
#endif
int version;
version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
if (version < 4)
printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
else
printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
exit (0);
#endif
#if defined (MULTIMAX) || defined (n16)
#if defined (UMAXV)
printf ("ns32k-encore-sysv\n"); exit (0);
#else
#if defined (CMU)
printf ("ns32k-encore-mach\n"); exit (0);
#else
printf ("ns32k-encore-bsd\n"); exit (0);
#endif
#endif
#endif
#if defined (__386BSD__)
printf ("i386-pc-bsd\n"); exit (0);
#endif
#if defined (sequent)
#if defined (i386)
printf ("i386-sequent-dynix\n"); exit (0);
#endif
#if defined (ns32000)
printf ("ns32k-sequent-dynix\n"); exit (0);
#endif
#endif
#if defined (_SEQUENT_)
struct utsname un;
uname(&un);
if (strncmp(un.version, "V2", 2) == 0) {
printf ("i386-sequent-ptx2\n"); exit (0);
}
if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
printf ("i386-sequent-ptx1\n"); exit (0);
}
printf ("i386-sequent-ptx\n"); exit (0);
#endif
#if defined (vax)
# if !defined (ultrix)
# include <sys/param.h>
# if defined (BSD)
# if BSD == 43
printf ("vax-dec-bsd4.3\n"); exit (0);
# else
# if BSD == 199006
printf ("vax-dec-bsd4.3reno\n"); exit (0);
# else
printf ("vax-dec-bsd\n"); exit (0);
# endif
# endif
# else
printf ("vax-dec-bsd\n"); exit (0);
# endif
# else
printf ("vax-dec-ultrix\n"); exit (0);
# endif
#endif
#if defined (alliant) && defined (i860)
printf ("i860-alliant-bsd\n"); exit (0);
#endif
exit (1);
}
EOF
$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` &&
{ echo "$SYSTEM_NAME"; exit; }
# Apollos put the system type in the environment.
test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; }
# Convex versions that predate uname can use getsysinfo(1)
if [ -x /usr/convex/getsysinfo ]
then
case `getsysinfo -f cpu_type` in
c1*)
echo c1-convex-bsd
exit ;;
c2*)
if getsysinfo -f scalar_acc
then echo c32-convex-bsd
else echo c2-convex-bsd
fi
exit ;;
c34*)
echo c34-convex-bsd
exit ;;
c38*)
echo c38-convex-bsd
exit ;;
c4*)
echo c4-convex-bsd
exit ;;
esac
fi
cat >&2 <<EOF
$0: unable to guess system type
This script, last modified $timestamp, has failed to recognize
the operating system you are using. It is advised that you
download the most up to date version of the config scripts from
This script (version $timestamp), has failed to recognize the
operating system you are using. If your script is old, overwrite
config.guess and config.sub with the latest versions from:
http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
and
http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD
http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
If the version you run ($0) is already up to date, please
send the following data and any information you think might be
pertinent to <config-patches@gnu.org> in order to provide the needed
information to handle your system.
If $0 has already been updated, send the following data and any
information you think might be pertinent to config-patches@gnu.org to
provide the necessary information to handle your system.
config.guess timestamp = $timestamp
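Review bot: This hunk removes the compile-and-run fallback (the `$dummy.c` program probing sony, NeXT, Sequent, vax and friends), the Apollo `/usr/apollo` check and the Convex `getsysinfo` branch, so a host not matched by the big `case` above now goes straight to the "unable to guess system type" message instead of building and executing a probe binary at configure time. Not compiling generated C on unrecognised hosts is a reasonable simplification, but it is a behaviour change for any remaining legacy platform that relied on the probe. The only additions are the `x86_64:VMkernel` (`-unknown-esx`) and `amd64:Isilon OneFS` (`x86_64-unknown-onefs`) cases, and the rewritten failure message drops the `;hb=HEAD` suffix from the download URLs, consistent with the header change earlier in the file.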

auto/config.sub vendored Normal file → Executable file

@ -1,38 +1,31 @@
#! /bin/sh
# Configuration validation subroutine script.
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
# 2011 Free Software Foundation, Inc.
# Copyright 1992-2016 Free Software Foundation, Inc.
timestamp='2011-11-11'
timestamp='2016-11-04'
# This file is (in principle) common to ALL GNU software.
# The presence of a machine in this file suggests that SOME GNU software
# can handle that machine. It does not imply ALL GNU software can.
#
# This file is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
# 02110-1301, USA.
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# the same distribution terms that you use for the rest of that
# program. This Exception is an additional permission under section 7
# of the GNU General Public License, version 3 ("GPLv3").
# Please send patches to <config-patches@gnu.org>. Submit a context
# diff and a properly formatted GNU ChangeLog entry.
# Please send patches to <config-patches@gnu.org>.
#
# Configuration subroutine to validate and canonicalize a configuration type.
# Supply the specified configuration type as an argument.
@ -40,7 +33,7 @@ timestamp='2011-11-11'
# Otherwise, we print the canonical config type on stdout and succeed.
# You can get the latest version of this script from:
# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD
# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
# This file is supposed to be the same for all GNU packages
# and recognize all the CPU types, system types and aliases
@ -60,8 +53,7 @@ timestamp='2011-11-11'
me=`echo "$0" | sed -e 's,.*/,,'`
usage="\
Usage: $0 [OPTION] CPU-MFR-OPSYS
$0 [OPTION] ALIAS
Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIAS
Canonicalize a configuration name.
@ -75,9 +67,7 @@ Report bugs and patches to <config-patches@gnu.org>."
version="\
GNU config.sub ($timestamp)
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free
Software Foundation, Inc.
Copyright 1992-2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -125,13 +115,17 @@ esac
maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
case $maybe_os in
nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
knetbsd*-gnu* | netbsd*-gnu* | \
kopensolaris*-gnu* | \
linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
knetbsd*-gnu* | netbsd*-gnu* | netbsd*-eabi* | \
kopensolaris*-gnu* | cloudabi*-eabi* | \
storm-chaos* | os2-emx* | rtmk-nova*)
os=-$maybe_os
basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
;;
android-linux)
os=-linux-android
basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown
;;
*)
basic_machine=`echo $1 | sed 's/-[^-]*$//'`
if [ $basic_machine != $1 ]
@ -154,7 +148,7 @@ case $os in
-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
-apple | -axis | -knuth | -cray | -microblaze)
-apple | -axis | -knuth | -cray | -microblaze*)
os=
basic_machine=$1
;;
@ -223,6 +217,12 @@ case $os in
-isc*)
basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
;;
-lynx*178)
os=-lynxos178
;;
-lynx*5)
os=-lynxos5
;;
-lynx*)
os=-lynxos
;;
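Review bot: the new `-lynx*178)` and `-lynx*5)` cases only work because they are placed ahead of the pre-existing catch-all `-lynx*)`; the ordering is load-bearing but undocumented, so a one-line comment ("must precede -lynx*") would stop a later reorder from silently routing everything to `-lynxos`. Note also that `-lynx*5` matches any `-lynx…` string ending in `5`, not just `-lynxos5`.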
@ -247,24 +247,29 @@ case $basic_machine in
# Some are omitted here because they have special meanings below.
1750a | 580 \
| a29k \
| aarch64 | aarch64_be \
| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
| am33_2.0 \
| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \
| be32 | be64 \
| arc | arceb \
| arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \
| avr | avr32 \
| ba \
| be32 | be64 \
| bfin \
| c4x | clipper \
| c4x | c8051 | clipper \
| d10v | d30v | dlx | dsp16xx \
| epiphany \
| fido | fr30 | frv \
| e2k | epiphany \
| fido | fr30 | frv | ft32 \
| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
| hexagon \
| i370 | i860 | i960 | ia64 \
| ip2k | iq2000 \
| k1om \
| le32 | le64 \
| lm32 \
| m32c | m32r | m32rle | m68000 | m68k | m88k \
| maxq | mb | microblaze | mcore | mep | metag \
| maxq | mb | microblaze | microblazeel | mcore | mep | metag \
| mips | mipsbe | mipseb | mipsel | mipsle \
| mips16 \
| mips64 | mips64el \
@ -278,26 +283,30 @@ case $basic_machine in
| mips64vr5900 | mips64vr5900el \
| mipsisa32 | mipsisa32el \
| mipsisa32r2 | mipsisa32r2el \
| mipsisa32r6 | mipsisa32r6el \
| mipsisa64 | mipsisa64el \
| mipsisa64r2 | mipsisa64r2el \
| mipsisa64r6 | mipsisa64r6el \
| mipsisa64sb1 | mipsisa64sb1el \
| mipsisa64sr71k | mipsisa64sr71kel \
| mipsr5900 | mipsr5900el \
| mipstx39 | mipstx39el \
| mn10200 | mn10300 \
| moxie \
| mt \
| msp430 \
| nds32 | nds32le | nds32be \
| nios | nios2 \
| nios | nios2 | nios2eb | nios2el \
| ns16k | ns32k \
| open8 \
| or32 \
| open8 | or1k | or1knd | or32 \
| pdp10 | pdp11 | pj | pjl \
| powerpc | powerpc64 | powerpc64le | powerpcle \
| pru \
| pyramid \
| riscv32 | riscv64 \
| rl78 | rx \
| score \
| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[234]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
| sh64 | sh64le \
| sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
| sparcv8 | sparcv9 | sparcv9b | sparcv9v \
@ -305,6 +314,7 @@ case $basic_machine in
| tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \
| ubicom32 \
| v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \
| visium \
| we32k \
| x86 | xc16x | xstormy16 | xtensa \
| z8k | z80)
@ -319,8 +329,10 @@ case $basic_machine in
c6x)
basic_machine=tic6x-unknown
;;
m6811 | m68hc11 | m6812 | m68hc12 | picochip)
# Motorola 68HC11/12.
leon|leon[3-9])
basic_machine=sparc-$basic_machine
;;
m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip)
basic_machine=$basic_machine-unknown
os=-none
;;
@ -333,7 +345,10 @@ case $basic_machine in
strongarm | thumb | xscale)
basic_machine=arm-unknown
;;
xgate)
basic_machine=$basic_machine-unknown
os=-none
;;
xscaleeb)
basic_machine=armeb-unknown
;;
@ -356,28 +371,32 @@ case $basic_machine in
# Recognize the basic CPU types with company name.
580-* \
| a29k-* \
| aarch64-* | aarch64_be-* \
| alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
| alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \
| arm-* | armbe-* | armle-* | armeb-* | armv*-* \
| avr-* | avr32-* \
| ba-* \
| be32-* | be64-* \
| bfin-* | bs2000-* \
| c[123]* | c30-* | [cjt]90-* | c4x-* \
| clipper-* | craynv-* | cydra-* \
| c8051-* | clipper-* | craynv-* | cydra-* \
| d10v-* | d30v-* | dlx-* \
| elxsi-* \
| e2k-* | elxsi-* \
| f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
| h8300-* | h8500-* \
| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
| hexagon-* \
| i*86-* | i860-* | i960-* | ia64-* \
| ip2k-* | iq2000-* \
| k1om-* \
| le32-* | le64-* \
| lm32-* \
| m32c-* | m32r-* | m32rle-* \
| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
| m88110-* | m88k-* | maxq-* | mcore-* | metag-* | microblaze-* \
| m88110-* | m88k-* | maxq-* | mcore-* | metag-* \
| microblaze-* | microblazeel-* \
| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
| mips16-* \
| mips64-* | mips64el-* \
@ -391,28 +410,34 @@ case $basic_machine in
| mips64vr5900-* | mips64vr5900el-* \
| mipsisa32-* | mipsisa32el-* \
| mipsisa32r2-* | mipsisa32r2el-* \
| mipsisa32r6-* | mipsisa32r6el-* \
| mipsisa64-* | mipsisa64el-* \
| mipsisa64r2-* | mipsisa64r2el-* \
| mipsisa64r6-* | mipsisa64r6el-* \
| mipsisa64sb1-* | mipsisa64sb1el-* \
| mipsisa64sr71k-* | mipsisa64sr71kel-* \
| mipsr5900-* | mipsr5900el-* \
| mipstx39-* | mipstx39el-* \
| mmix-* \
| mt-* \
| msp430-* \
| nds32-* | nds32le-* | nds32be-* \
| nios-* | nios2-* \
| nios-* | nios2-* | nios2eb-* | nios2el-* \
| none-* | np1-* | ns16k-* | ns32k-* \
| open8-* \
| or1k*-* \
| orion-* \
| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
| pru-* \
| pyramid-* \
| riscv32-* | riscv64-* \
| rl78-* | romp-* | rs6000-* | rx-* \
| sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
| sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
| sparclite-* \
| sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \
| sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx*-* \
| tahoe-* \
| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
| tile*-* \
@ -420,6 +445,7 @@ case $basic_machine in
| ubicom32-* \
| v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \
| vax-* \
| visium-* \
| we32k-* \
| x86-* | x86_64-* | xc16x-* | xps100-* \
| xstormy16-* | xtensa*-* \
@ -496,6 +522,9 @@ case $basic_machine in
basic_machine=i386-pc
os=-aros
;;
asmjs)
basic_machine=asmjs-unknown
;;
aux)
basic_machine=m68k-apple
os=-aux
@ -616,6 +645,14 @@ case $basic_machine in
basic_machine=m68k-bull
os=-sysv3
;;
e500v[12])
basic_machine=powerpc-unknown
os=$os"spe"
;;
e500v[12]-*)
basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
os=$os"spe"
;;
ebmon29k)
basic_machine=a29k-amd
os=-ebmon
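Review bot: `os=$os"spe"` in both new `e500v[12]` cases appends to whatever `$os` already holds, so for a bare `e500v1` (no OS part, `$os` empty) the result is `spe` without the leading dash that every other `os=` assignment in this file uses, and that value will not match any of the `-…*` alternatives in the OS case further down. If an OS part is required for these aliases, guarding with a test for an empty `$os` (or documenting that `e500v1` alone is unsupported) would make the failure explicit.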
@ -719,7 +756,6 @@ case $basic_machine in
i370-ibm* | ibm*)
basic_machine=i370-ibm
;;
# I'm not sure what "Sysv32" means. Should this be sysv3.2?
i*86v32)
basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
os=-sysv32
@ -758,6 +794,9 @@ case $basic_machine in
basic_machine=m68k-isi
os=-sysv
;;
leon-*|leon[3-9]-*)
basic_machine=sparc-`echo $basic_machine | sed 's/-.*//'`
;;
m68knommu)
basic_machine=m68k-unknown
os=-linux
@ -777,11 +816,15 @@ case $basic_machine in
basic_machine=ns32k-utek
os=-sysv
;;
microblaze)
microblaze*)
basic_machine=microblaze-xilinx
;;
mingw64)
basic_machine=x86_64-pc
os=-mingw64
;;
mingw32)
basic_machine=i386-pc
basic_machine=i686-pc
os=-mingw32
;;
mingw32ce)
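Review bot: the bare `mingw32` alias now canonicalizes to `i686-pc-mingw32` instead of `i386-pc-mingw32`; the same change is made to `msys` in the hunk below. Any build rule or packaging logic that matches the old `i386-pc-…` triplet will stop matching, so this behaviour change deserves a changelog line rather than being buried in a "bump" of the auxiliary scripts.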
@ -809,6 +852,10 @@ case $basic_machine in
basic_machine=powerpc-unknown
os=-morphos
;;
moxiebox)
basic_machine=moxie-unknown
os=-moxiebox
;;
msdos)
basic_machine=i386-pc
os=-msdos
@ -817,7 +864,7 @@ case $basic_machine in
basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'`
;;
msys)
basic_machine=i386-pc
basic_machine=i686-pc
os=-msys
;;
mvs)
@ -985,7 +1032,7 @@ case $basic_machine in
ppc-* | ppcbe-*)
basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
ppcle | powerpclittle | ppc-le | powerpc-little)
ppcle | powerpclittle)
basic_machine=powerpcle-unknown
;;
ppcle-* | powerpclittle-*)
@ -995,7 +1042,7 @@ case $basic_machine in
;;
ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
ppc64le | powerpc64little | ppc64-le | powerpc64-little)
ppc64le | powerpc64little)
basic_machine=powerpc64le-unknown
;;
ppc64le-* | powerpc64little-*)
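Review bot: this hunk and the one just above drop the `ppc-le`, `powerpc-little`, `ppc64-le` and `powerpc64-little` spellings, so those inputs no longer canonicalize to `powerpcle-unknown` / `powerpc64le-unknown` (the `ppcle-*` and `ppc64le-*` forms are kept). Unlike the rest of this import, which only adds names, this removes accepted input and should be called out in the changelog.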
@ -1008,7 +1055,11 @@ case $basic_machine in
basic_machine=i586-unknown
os=-pw32
;;
rdos)
rdos | rdos64)
basic_machine=x86_64-pc
os=-rdos
;;
rdos32)
basic_machine=i386-pc
os=-rdos
;;
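Review bot: bare `rdos` changes meaning here: it previously mapped to `i386-pc` and, now grouped with `rdos64`, maps to `x86_64-pc`, with the old 32-bit result only reachable through the new `rdos32` alias. A silent architecture flip for an existing alias is worth an explicit changelog entry.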
@ -1335,29 +1386,30 @@ case $os in
-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
| -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\
| -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \
| -sym* | -kopensolaris* \
| -sym* | -kopensolaris* | -plan9* \
| -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
| -aos* | -aros* \
| -aos* | -aros* | -cloudabi* | -sortix* \
| -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
| -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
| -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
| -openbsd* | -solidbsd* \
| -bitrig* | -openbsd* | -solidbsd* | -libertybsd* \
| -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
| -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
| -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
| -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
| -chorusos* | -chorusrdb* | -cegcc* \
| -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
| -mingw32* | -linux-gnu* | -linux-android* \
| -linux-newlib* | -linux-uclibc* \
| -uxpv* | -beos* | -mpeix* | -udk* \
| -midipix* | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
| -linux-newlib* | -linux-musl* | -linux-uclibc* \
| -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \
| -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
| -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
| -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
| -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
| -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
| -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*)
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \
| -onefs* | -tirtos* | -phoenix* | -fuchsia*)
# Remember, each alternative MUST END IN *, to match a version number.
;;
-qnx*)
@ -1481,9 +1533,6 @@ case $os in
-aros*)
os=-aros
;;
-kaos*)
os=-kaos
;;
-zvmoe)
os=-zvmoe
;;
@ -1492,6 +1541,8 @@ case $os in
;;
-nacl*)
;;
-ios)
;;
-none)
;;
*)
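Review bot: `-ios)` has no trailing `*`, unlike the neighbouring `-nacl*)` and unlike the rule stated in the comment on the main OS list ("each alternative MUST END IN *, to match a version number"), so a version-suffixed name such as `-ios9` would fall through to the final `*)` case instead. If that is intended, a comment saying so would prevent a later "fix"; otherwise `-ios*)` is the consistent form.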
@ -1532,6 +1583,12 @@ case $basic_machine in
c4x-* | tic4x-*)
os=-coff
;;
c8051-*)
os=-elf
;;
hexagon-*)
os=-elf
;;
tic54x-*)
os=-coff
;;
@ -1559,9 +1616,6 @@ case $basic_machine in
;;
m68000-sun)
os=-sunos3
# This also exists in the configure program, but was not the
# default.
# os=-sunos4
;;
m68*-cisco)
os=-aout



@ -1,10 +1,9 @@
#! /bin/sh
# depcomp - compile a program generating dependencies as side-effects
scriptversion=2007-03-29.01
scriptversion=2013-05-30.07; # UTC
# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006, 2007 Free Software
# Foundation, Inc.
# Copyright (C) 1999-2014 Free Software Foundation, Inc.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@ -17,9 +16,7 @@ scriptversion=2007-03-29.01
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
@ -30,9 +27,9 @@ scriptversion=2007-03-29.01
case $1 in
'')
echo "$0: No command. Try \`$0 --help' for more information." 1>&2
exit 1;
;;
echo "$0: No command. Try '$0 --help' for more information." 1>&2
exit 1;
;;
-h | --h*)
cat <<\EOF
Usage: depcomp [--help] [--version] PROGRAM [ARGS]
@ -42,11 +39,11 @@ as side-effects.
Environment variables:
depmode Dependency tracking mode.
source Source file read by `PROGRAMS ARGS'.
object Object file output by `PROGRAMS ARGS'.
source Source file read by 'PROGRAMS ARGS'.
object Object file output by 'PROGRAMS ARGS'.
DEPDIR directory where to store dependencies.
depfile Dependency file to output.
tmpdepfile Temporary file to use when outputing dependencies.
tmpdepfile Temporary file to use when outputting dependencies.
libtool Whether libtool is used (yes/no).
Report bugs to <bug-automake@gnu.org>.
@ -59,6 +56,66 @@ EOF
;;
esac
# Get the directory component of the given path, and save it in the
# global variables '$dir'. Note that this directory component will
# be either empty or ending with a '/' character. This is deliberate.
set_dir_from ()
{
case $1 in
*/*) dir=`echo "$1" | sed -e 's|/[^/]*$|/|'`;;
*) dir=;;
esac
}
# Get the suffix-stripped basename of the given path, and save it the
# global variable '$base'.
set_base_from ()
{
base=`echo "$1" | sed -e 's|^.*/||' -e 's/\.[^.]*$//'`
}
# If no dependency file was actually created by the compiler invocation,
# we still have to create a dummy depfile, to avoid errors with the
# Makefile "include basename.Plo" scheme.
make_dummy_depfile ()
{
echo "#dummy" > "$depfile"
}
# Factor out some common post-processing of the generated depfile.
# Requires the auxiliary global variable '$tmpdepfile' to be set.
aix_post_process_depfile ()
{
# If the compiler actually managed to produce a dependency file,
# post-process it.
if test -f "$tmpdepfile"; then
# Each line is of the form 'foo.o: dependency.h'.
# Do two passes, one to just change these to
# $object: dependency.h
# and one to simply output
# dependency.h:
# which is needed to avoid the deleted-header problem.
{ sed -e "s,^.*\.[$lower]*:,$object:," < "$tmpdepfile"
sed -e "s,^.*\.[$lower]*:[$tab ]*,," -e 's,$,:,' < "$tmpdepfile"
} > "$depfile"
rm -f "$tmpdepfile"
else
make_dummy_depfile
fi
}
# A tabulation character.
tab=' '
# A newline character.
nl='
'
# Character ranges might be problematic outside the C locale.
# These definitions help.
upper=ABCDEFGHIJKLMNOPQRSTUVWXYZ
lower=abcdefghijklmnopqrstuvwxyz
digits=0123456789
alpha=${upper}${lower}
if test -z "$depmode" || test -z "$source" || test -z "$object"; then
echo "depcomp: Variables source, object and depmode must be set" 1>&2
exit 1
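Review bot: `tab=' '` must contain a literal tab character, which is indistinguishable from a space in this view; the `[$tab ]` bracket expressions in `aix_post_process_depfile` (and in the `dashmstdout` sed further down) silently stop matching tab-separated dependency lines if an editor or a whitespace-normalizing commit hook turns it into a space. Please double-check the committed byte (e.g. `grep -P '^tab=.\t' depcomp`) and consider a comment on that line saying the tab is deliberate.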
@ -71,6 +128,9 @@ tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}
rm -f "$tmpdepfile"
# Avoid interferences from the environment.
gccflag= dashmflag=
# Some modes work just like other modes, but use different flags. We
# parameterize here, but still list the modes in the big case below,
# to make depend.m4 easier to write. Note that we *cannot* use a case
@ -82,9 +142,32 @@ if test "$depmode" = hp; then
fi
if test "$depmode" = dashXmstdout; then
# This is just like dashmstdout with a different argument.
dashmflag=-xM
depmode=dashmstdout
# This is just like dashmstdout with a different argument.
dashmflag=-xM
depmode=dashmstdout
fi
cygpath_u="cygpath -u -f -"
if test "$depmode" = msvcmsys; then
# This is just like msvisualcpp but w/o cygpath translation.
# Just convert the backslash-escaped backslashes to single forward
# slashes to satisfy depend.m4
cygpath_u='sed s,\\\\,/,g'
depmode=msvisualcpp
fi
if test "$depmode" = msvc7msys; then
# This is just like msvc7 but w/o cygpath translation.
# Just convert the backslash-escaped backslashes to single forward
# slashes to satisfy depend.m4
cygpath_u='sed s,\\\\,/,g'
depmode=msvc7
fi
if test "$depmode" = xlc; then
# IBM C/C++ Compilers xlc/xlC can output gcc-like dependency information.
gccflag=-qmakedep=gcc,-MF
depmode=gcc
fi
case "$depmode" in
@ -107,8 +190,7 @@ gcc3)
done
"$@"
stat=$?
if test $stat -eq 0; then :
else
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
@ -116,13 +198,17 @@ gcc3)
;;
gcc)
## Note that this doesn't just cater to obsosete pre-3.x GCC compilers.
## but also to in-use compilers like IMB xlc/xlC and the HP C compiler.
## (see the conditional assignment to $gccflag above).
## There are various ways to get dependency output from gcc. Here's
## why we pick this rather obscure method:
## - Don't want to use -MD because we'd like the dependencies to end
## up in a subdir. Having to rename by hand is ugly.
## (We might end up doing this anyway to support other compilers.)
## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like
## -MM, not -M (despite what the docs say).
## -MM, not -M (despite what the docs say). Also, it might not be
## supported by the other compilers which use the 'gcc' depmode.
## - Using -M directly means running the compiler twice (even worse
## than renaming).
if test -z "$gccflag"; then
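Review bot: typos in the new comment lines: "obsosete" should be "obsolete" and "IMB xlc/xlC" should be "IBM xlc/xlC".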
@ -130,31 +216,31 @@ gcc)
fi
"$@" -Wp,"$gccflag$tmpdepfile"
stat=$?
if test $stat -eq 0; then :
else
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
echo "$object : \\" > "$depfile"
alpha=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
## The second -e expression handles DOS-style file names with drive letters.
# The second -e expression handles DOS-style file names with drive
# letters.
sed -e 's/^[^:]*: / /' \
-e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile"
## This next piece of magic avoids the `deleted header file' problem.
## This next piece of magic avoids the "deleted header file" problem.
## The problem is that when a header file which appears in a .P file
## is deleted, the dependency causes make to die (because there is
## typically no way to rebuild the header). We avoid this by adding
## dummy dependencies for each header file. Too bad gcc doesn't do
## this for us directly.
tr ' ' '
' < "$tmpdepfile" |
## Some versions of gcc put a space before the `:'. On the theory
## Some versions of gcc put a space before the ':'. On the theory
## that the space means something, we add a space to the output as
## well.
## well. hp depmode also adds that space, but also prefixes the VPATH
## to the object. Take care to not repeat it in the output.
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^\\$//' -e '/^$/d' -e "s|.*$object$||" -e '/:$/d' \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
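Review bot: the new `-e "s|.*$object$||"` expression interpolates `$object` unescaped into a `|`-delimited sed regular expression; a `.` in the object name merely matches any character, but a `|`, `[`, `*` or `\` in the path would alter or break the expression. `$object` comes from the Makefile so this is unlikely to bite, but either escaping the metacharacters before use or documenting the assumption would be safer. Also note the local `alpha=…` assignment is removed here, so the `['$alpha']` pattern now depends on the global definition added near the top of the script.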
@ -172,8 +258,7 @@ sgi)
"$@" -MDupdate "$tmpdepfile"
fi
stat=$?
if test $stat -eq 0; then :
else
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
@ -181,43 +266,41 @@ sgi)
if test -f "$tmpdepfile"; then # yes, the sourcefile depend on other files
echo "$object : \\" > "$depfile"
# Clip off the initial element (the dependent). Don't try to be
# clever and replace this with sed code, as IRIX sed won't handle
# lines with more than a fixed number of characters (4096 in
# IRIX 6.2 sed, 8192 in IRIX 6.5). We also remove comment lines;
# the IRIX cc adds comments like `#:fec' to the end of the
# the IRIX cc adds comments like '#:fec' to the end of the
# dependency line.
tr ' ' '
' < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \
tr '
' ' ' >> $depfile
echo >> $depfile
tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' \
| tr "$nl" ' ' >> "$depfile"
echo >> "$depfile"
# The second pass generates a dummy entry for each header file.
tr ' ' '
' < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
>> $depfile
tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
>> "$depfile"
else
# The sourcefile does not contain any dependencies, so just
# store a dummy comment line, to avoid errors with the Makefile
# "include basename.Plo" scheme.
echo "#dummy" > "$depfile"
make_dummy_depfile
fi
rm -f "$tmpdepfile"
;;
xlc)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;
aix)
# The C for AIX Compiler uses -M and outputs the dependencies
# in a .u file. In older versions, this file always lives in the
# current directory. Also, the AIX compiler puts `$object:' at the
# current directory. Also, the AIX compiler puts '$object:' at the
# start of each line; $object doesn't have directory information.
# Version 6 uses the directory in both cases.
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
test "x$dir" = "x$object" && dir=
base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
set_dir_from "$object"
set_base_from "$object"
if test "$libtool" = yes; then
tmpdepfile1=$dir$base.u
tmpdepfile2=$base.u
@ -230,9 +313,7 @@ aix)
"$@" -M
fi
stat=$?
if test $stat -eq 0; then :
else
if test $stat -ne 0; then
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
exit $stat
fi
@ -241,44 +322,100 @@ aix)
do
test -f "$tmpdepfile" && break
done
if test -f "$tmpdepfile"; then
# Each line is of the form `foo.o: dependent.h'.
# Do two passes, one to just change these to
# `$object: dependent.h' and one to simply `dependent.h:'.
sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
# That's a tab and a space in the [].
sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
else
# The sourcefile does not contain any dependencies, so just
# store a dummy comment line, to avoid errors with the Makefile
# "include basename.Plo" scheme.
echo "#dummy" > "$depfile"
aix_post_process_depfile
;;
tcc)
# tcc (Tiny C Compiler) understand '-MD -MF file' since version 0.9.26
# FIXME: That version still under development at the moment of writing.
# Make that this statement remains true also for stable, released
# versions.
# It will wrap lines (doesn't matter whether long or short) with a
# trailing '\', as in:
#
# foo.o : \
# foo.c \
# foo.h \
#
# It will put a trailing '\' even on the last line, and will use leading
# spaces rather than leading tabs (at least since its commit 0394caf7
# "Emit spaces for -MD").
"$@" -MD -MF "$tmpdepfile"
stat=$?
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
# Each non-empty line is of the form 'foo.o : \' or ' dep.h \'.
# We have to change lines of the first kind to '$object: \'.
sed -e "s|.*:|$object :|" < "$tmpdepfile" > "$depfile"
# And for each line of the second kind, we have to emit a 'dep.h:'
# dummy dependency, to avoid the deleted-header problem.
sed -n -e 's|^ *\(.*\) *\\$|\1:|p' < "$tmpdepfile" >> "$depfile"
rm -f "$tmpdepfile"
;;
icc)
# Intel's C compiler understands `-MD -MF file'. However on
# icc -MD -MF foo.d -c -o sub/foo.o sub/foo.c
# ICC 7.0 will fill foo.d with something like
# foo.o: sub/foo.c
# foo.o: sub/foo.h
# which is wrong. We want:
# sub/foo.o: sub/foo.c
# sub/foo.o: sub/foo.h
# sub/foo.c:
# sub/foo.h:
# ICC 7.1 will output
## The order of this option in the case statement is important, since the
## shell code in configure will try each of these formats in the order
## listed in this file. A plain '-MD' option would be understood by many
## compilers, so we must ensure this comes after the gcc and icc options.
pgcc)
# Portland's C compiler understands '-MD'.
# Will always output deps to 'file.d' where file is the root name of the
# source file under compilation, even if file resides in a subdirectory.
# The object file name does not affect the name of the '.d' file.
# pgcc 10.2 will output
# foo.o: sub/foo.c sub/foo.h
# and will wrap long lines using \ :
# and will wrap long lines using '\' :
# foo.o: sub/foo.c ... \
# sub/foo.h ... \
# ...
set_dir_from "$object"
# Use the source, not the object, to determine the base name, since
# that's sadly what pgcc will do too.
set_base_from "$source"
tmpdepfile=$base.d
"$@" -MD -MF "$tmpdepfile"
stat=$?
if test $stat -eq 0; then :
else
# For projects that build the same source file twice into different object
# files, the pgcc approach of using the *source* file root name can cause
# problems in parallel builds. Use a locking strategy to avoid stomping on
# the same $tmpdepfile.
lockdir=$base.d-lock
trap "
echo '$0: caught signal, cleaning up...' >&2
rmdir '$lockdir'
exit 1
" 1 2 13 15
numtries=100
i=$numtries
while test $i -gt 0; do
# mkdir is a portable test-and-set.
if mkdir "$lockdir" 2>/dev/null; then
# This process acquired the lock.
"$@" -MD
stat=$?
# Release the lock.
rmdir "$lockdir"
break
else
# If the lock is being held by a different process, wait
# until the winning process is done or we timeout.
while test -d "$lockdir" && test $i -gt 0; do
sleep 1
i=`expr $i - 1`
done
fi
i=`expr $i - 1`
done
trap - 1 2 13 15
if test $i -le 0; then
echo "$0: failed to acquire lock after $numtries attempts" >&2
echo "$0: check lockdir '$lockdir'" >&2
exit 1
fi
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
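Review bot: the `trap` handler in the new `pgcc` branch runs `rmdir '$lockdir'` unconditionally, but it is armed before this process knows whether it holds the lock; a waiter interrupted while another process owns `$lockdir` removes that process's lock, and a third process can then start a second concurrent `-MD` run on the same `$tmpdepfile`, which is exactly what the lock exists to prevent. Arm the trap only after `mkdir "$lockdir"` succeeds, or have the handler check a "lock held" flag. Separately, `$stat` is assigned only on the acquired-lock path, so the `test $stat -ne 0` check below relies on the preceding `test $i -le 0` exit having fired in every other case; that holds today but is fragile, and initializing `stat=1` before the loop would make it robust.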
@ -290,8 +427,8 @@ icc)
sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile"
# Some versions of the HPUX 10.20 sed can't process this invocation
# correctly. Breaking it into two sed invocations is a workaround.
sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" |
sed -e 's/$/ :/' >> "$depfile"
sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
@ -302,9 +439,8 @@ hp2)
# 'foo.d', which lands next to the object file, wherever that
# happens to be.
# Much of this is similar to the tru64 case; see comments there.
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
test "x$dir" = "x$object" && dir=
base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
set_dir_from "$object"
set_base_from "$object"
if test "$libtool" = yes; then
tmpdepfile1=$dir$base.d
tmpdepfile2=$dir.libs/$base.d
@ -315,8 +451,7 @@ hp2)
"$@" +Maked
fi
stat=$?
if test $stat -eq 0; then :
else
if test $stat -ne 0; then
rm -f "$tmpdepfile1" "$tmpdepfile2"
exit $stat
fi
@ -326,72 +461,107 @@ hp2)
test -f "$tmpdepfile" && break
done
if test -f "$tmpdepfile"; then
sed -e "s,^.*\.[a-z]*:,$object:," "$tmpdepfile" > "$depfile"
# Add `dependent.h:' lines.
sed -ne '2,${; s/^ *//; s/ \\*$//; s/$/:/; p;}' "$tmpdepfile" >> "$depfile"
sed -e "s,^.*\.[$lower]*:,$object:," "$tmpdepfile" > "$depfile"
# Add 'dependent.h:' lines.
sed -ne '2,${
s/^ *//
s/ \\*$//
s/$/:/
p
}' "$tmpdepfile" >> "$depfile"
else
echo "#dummy" > "$depfile"
make_dummy_depfile
fi
rm -f "$tmpdepfile" "$tmpdepfile2"
;;
tru64)
# The Tru64 compiler uses -MD to generate dependencies as a side
# effect. `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'.
# At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
# dependencies in `foo.d' instead, so we check for that too.
# Subdirectories are respected.
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
test "x$dir" = "x$object" && dir=
base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
# The Tru64 compiler uses -MD to generate dependencies as a side
# effect. 'cc -MD -o foo.o ...' puts the dependencies into 'foo.o.d'.
# At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
# dependencies in 'foo.d' instead, so we check for that too.
# Subdirectories are respected.
set_dir_from "$object"
set_base_from "$object"
if test "$libtool" = yes; then
# With Tru64 cc, shared objects can also be used to make a
# static library. This mechanism is used in libtool 1.4 series to
# handle both shared and static libraries in a single compilation.
# With libtool 1.4, dependencies were output in $dir.libs/$base.lo.d.
#
# With libtool 1.5 this exception was removed, and libtool now
# generates 2 separate objects for the 2 libraries. These two
# compilations output dependencies in $dir.libs/$base.o.d and
# in $dir$base.o.d. We have to check for both files, because
# one of the two compilations can be disabled. We should prefer
# $dir$base.o.d over $dir.libs/$base.o.d because the latter is
# automatically cleaned when .libs/ is deleted, while ignoring
# the former would cause a distcleancheck panic.
tmpdepfile1=$dir.libs/$base.lo.d # libtool 1.4
tmpdepfile2=$dir$base.o.d # libtool 1.5
tmpdepfile3=$dir.libs/$base.o.d # libtool 1.5
tmpdepfile4=$dir.libs/$base.d # Compaq CCC V6.2-504
"$@" -Wc,-MD
else
tmpdepfile1=$dir$base.o.d
tmpdepfile2=$dir$base.d
tmpdepfile3=$dir$base.d
tmpdepfile4=$dir$base.d
"$@" -MD
fi
if test "$libtool" = yes; then
# Libtool generates 2 separate objects for the 2 libraries. These
# two compilations output dependencies in $dir.libs/$base.o.d and
# in $dir$base.o.d. We have to check for both files, because
# one of the two compilations can be disabled. We should prefer
# $dir$base.o.d over $dir.libs/$base.o.d because the latter is
# automatically cleaned when .libs/ is deleted, while ignoring
# the former would cause a distcleancheck panic.
tmpdepfile1=$dir$base.o.d # libtool 1.5
tmpdepfile2=$dir.libs/$base.o.d # Likewise.
tmpdepfile3=$dir.libs/$base.d # Compaq CCC V6.2-504
"$@" -Wc,-MD
else
tmpdepfile1=$dir$base.d
tmpdepfile2=$dir$base.d
tmpdepfile3=$dir$base.d
"$@" -MD
fi
stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
exit $stat
fi
stat=$?
if test $stat -ne 0; then
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
exit $stat
fi
for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
do
test -f "$tmpdepfile" && break
done
if test -f "$tmpdepfile"; then
sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
# That's a tab and a space in the [].
sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
else
echo "#dummy" > "$depfile"
fi
rm -f "$tmpdepfile"
;;
for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
do
test -f "$tmpdepfile" && break
done
# Same post-processing that is required for AIX mode.
aix_post_process_depfile
;;
msvc7)
if test "$libtool" = yes; then
showIncludes=-Wc,-showIncludes
else
showIncludes=-showIncludes
fi
"$@" $showIncludes > "$tmpdepfile"
stat=$?
grep -v '^Note: including file: ' "$tmpdepfile"
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
echo "$object : \\" > "$depfile"
# The first sed program below extracts the file names and escapes
# backslashes for cygpath. The second sed program outputs the file
# name when reading, but also accumulates all include files in the
# hold buffer in order to output them again at the end. This only
# works with sed implementations that can handle large buffers.
sed < "$tmpdepfile" -n '
/^Note: including file: *\(.*\)/ {
s//\1/
s/\\/\\\\/g
p
}' | $cygpath_u | sort -u | sed -n '
s/ /\\ /g
s/\(.*\)/'"$tab"'\1 \\/p
s/.\(.*\) \\/\1:/
H
$ {
s/.*/'"$tab"'/
G
p
}' >> "$depfile"
echo >> "$depfile" # make sure the fragment doesn't end with a backslash
rm -f "$tmpdepfile"
;;
msvc7msys)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;
#nosideeffect)
# This comment above is used by automake to tell side-effect
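Review bot: The tru64 case loses its explicit fallback for a missing dependency file. The older lines follow the `for tmpdepfile in "$tmpdepfile1" ... "$tmpdepfile4"` loop with `if test -f "$tmpdepfile"; then ... else echo "#dummy" > "$depfile"; fi`; the replacement loops over three candidates and goes straight to `aix_post_process_depfile`, so that helper (defined outside this hunk) must itself handle the case where none of the candidates exists, otherwise the next `make` run sees no `$depfile` at all. Separately, the new msvc7 case admits that its second sed keeps every include path in the hold buffer and 'only works with sed implementations that can handle large buffers'; a sed that truncates the hold space would silently drop dependencies rather than fail, so either the limitation belongs in the depend.m4 probe or the script should compare the number of `Note: including file:` lines with the number of entries it wrote.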
@ -404,13 +574,13 @@ dashmstdout)
# Remove the call to Libtool.
if test "$libtool" = yes; then
while test $1 != '--mode=compile'; do
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi
# Remove `-o $object'.
# Remove '-o $object'.
IFS=" "
for arg
do
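Review bot: `while test "X$1" != 'X--mode=compile'; do shift; done` fixes `test` choking on an empty `$1` or one that starts with `-`, but the loop still has no terminating guard. If `--mode=compile` is absent from the libtool invocation, `shift` is eventually run with no positional parameters: in bash that returns non-zero without exiting, the condition stays true and the loop spins forever; in dash the shell aborts with its own `shift: can't shift that many` instead of a message from this script. A `test $# -gt 0 || exit 1` inside the loop turns both into a diagnosable failure.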
@ -430,18 +600,18 @@ dashmstdout)
done
test -z "$dashmflag" && dashmflag=-M
# Require at least two characters before searching for `:'
# Require at least two characters before searching for ':'
# in the target name. This is to cope with DOS-style filenames:
# a dependency such as `c:/foo/bar' could be seen as target `c' otherwise.
# a dependency such as 'c:/foo/bar' could be seen as target 'c' otherwise.
"$@" $dashmflag |
sed 's:^[ ]*[^: ][^:][^:]*\:[ ]*:'"$object"'\: :' > "$tmpdepfile"
sed "s|^[$tab ]*[^:$tab ][^:][^:]*:[$tab ]*|$object: |" > "$tmpdepfile"
rm -f "$depfile"
cat < "$tmpdepfile" > "$depfile"
tr ' ' '
' < "$tmpdepfile" | \
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
# Some versions of the HPUX 10.20 sed can't process this sed invocation
# correctly. Breaking it into two sed invocations is a workaround.
tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
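Review bot: `$object` is interpolated unescaped into the replacement half of `sed "s|^[$tab ]*[^:$tab ][^:][^:]*:[$tab ]*|$object: |"`, so an object path containing `|`, `&` or a backslash would terminate or alter the substitution and corrupt `$depfile`. Switching the delimiter from the old `:` to `|` is an improvement (a `c:/foo/bar.o` object no longer breaks the expression, which is the very case the comment above describes), but it moves the hazard rather than removing it; escaping those three characters in `$object` once, where it is computed, and using the escaped copy in every sed expression here and in the makedepend case below would close it for good.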
@ -455,41 +625,51 @@ makedepend)
"$@" || exit $?
# Remove any Libtool call
if test "$libtool" = yes; then
while test $1 != '--mode=compile'; do
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi
# X makedepend
shift
cleared=no
for arg in "$@"; do
cleared=no eat=no
for arg
do
case $cleared in
no)
set ""; shift
cleared=yes ;;
esac
if test $eat = yes; then
eat=no
continue
fi
case "$arg" in
-D*|-I*)
set fnord "$@" "$arg"; shift ;;
# Strip any option that makedepend may not understand. Remove
# the object too, otherwise makedepend will parse it as a source file.
-arch)
eat=yes ;;
-*|$object)
;;
*)
set fnord "$@" "$arg"; shift ;;
esac
done
obj_suffix="`echo $object | sed 's/^.*\././'`"
obj_suffix=`echo "$object" | sed 's/^.*\././'`
touch "$tmpdepfile"
${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
rm -f "$depfile"
cat < "$tmpdepfile" > "$depfile"
sed '1,2d' "$tmpdepfile" | tr ' ' '
' | \
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
# makedepend may prepend the VPATH from the source file name to the object.
# No need to regex-escape $object, excess matching of '.' is harmless.
sed "s|^.*\($object *:\)|\1|" "$tmpdepfile" > "$depfile"
# Some versions of the HPUX 10.20 sed can't process the last invocation
# correctly. Breaking it into two sed invocations is a workaround.
sed '1,2d' "$tmpdepfile" \
| tr ' ' "$nl" \
| sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile" "$tmpdepfile".bak
;;
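Review bot: The `-arch` handling (`eat=yes`, then `continue` on the next argument) swallows exactly one following word, which is right for `-arch x86_64`, but the comment 'Strip any option that makedepend may not understand' promises more than the loop does: any other option that takes a separate argument keeps its option dropped by the `-*|$object)` arm while the argument survives as a bare word and is then handed to makedepend as if it were a source file. Either extend the `eat` list or reword the comment to say that only `-D*`, `-I*` and `-arch X` are handled specially. Also, the note on `sed "s|^.*\($object *:\)|\1|"` that 'excess matching of '.' is harmless' is true for `.` but not for `|`, `\` or `*` in `$object`; the same one-time escaping suggested for the dashmstdout case would cover it.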
@ -500,13 +680,13 @@ cpp)
# Remove the call to Libtool.
if test "$libtool" = yes; then
while test $1 != '--mode=compile'; do
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi
# Remove `-o $object'.
# Remove '-o $object'.
IFS=" "
for arg
do
@ -525,10 +705,10 @@ cpp)
esac
done
"$@" -E |
sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
-e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' |
sed '$ s: \\$::' > "$tmpdepfile"
"$@" -E \
| sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
-e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
| sed '$ s: \\$::' > "$tmpdepfile"
rm -f "$depfile"
echo "$object : \\" > "$depfile"
cat < "$tmpdepfile" >> "$depfile"
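Review bot: In `"$@" -E | sed -n ... | sed '$ s: \\$::' > "$tmpdepfile"` only the last sed's exit status is observable, so a preprocessor failure yields an empty or partial `$tmpdepfile`, which the lines below still turn into a valid-looking `$depfile` headed by `echo "$object : \\"`. The makedepend and msvisualcpp cases in this same diff guard against that by running `"$@" || exit $?` before the pipeline; if the cpp case relies on the same pattern above this hunk, a one-line comment saying so would help, otherwise the `-E` run needs its own status check (for example by writing the `-E` output to a file first and testing `$?`).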
@ -538,35 +718,56 @@ cpp)
msvisualcpp)
# Important note: in order to support this mode, a compiler *must*
# always write the preprocessed file to stdout, regardless of -o,
# because we must use -o when running libtool.
# always write the preprocessed file to stdout.
"$@" || exit $?
# Remove the call to Libtool.
if test "$libtool" = yes; then
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi
IFS=" "
for arg
do
case "$arg" in
-o)
shift
;;
$object)
shift
;;
"-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI")
set fnord "$@"
shift
shift
;;
set fnord "$@"
shift
shift
;;
*)
set fnord "$@" "$arg"
shift
shift
;;
set fnord "$@" "$arg"
shift
shift
;;
esac
done
"$@" -E |
sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::echo "`cygpath -u \\"\1\\"`":p' | sort | uniq > "$tmpdepfile"
"$@" -E 2>/dev/null |
sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::\1:p' | $cygpath_u | sort -u > "$tmpdepfile"
rm -f "$depfile"
echo "$object : \\" > "$depfile"
. "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s:: \1 \\:p' >> "$depfile"
echo " " >> "$depfile"
. "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::\1\::p' >> "$depfile"
sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::'"$tab"'\1 \\:p' >> "$depfile"
echo "$tab" >> "$depfile"
sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::\1\::p' >> "$depfile"
rm -f "$tmpdepfile"
;;
msvcmsys)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;
none)
exec "$@"
;;
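Review bot: The removal of `. "$tmpdepfile"` is the important change in this hunk and deserves a sentence in the commit message. The old lines rewrote every `#line` filename into an `echo "`cygpath -u \"...\"`"` command and then sourced the temp file as shell code, so a header path containing a backquote, `$(` or a double quote would have been executed by the build with the privileges of whoever ran `make`. The new lines keep the names as data (`sed -n '... s::\1:p' | $cygpath_u | sort -u`) and only ever read the file back with `sed < "$tmpdepfile"`. Two side effects to check: `"$@" -E 2>/dev/null` now hides preprocessor diagnostics that the old `"$@" -E |` form let through, and as in the cpp case the pipeline masks the preprocessor's exit status; the `"$@" || exit $?` at the top of the case keeps a broken object from being produced, but a silently empty dependency list is still possible.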
@ -585,5 +786,6 @@ exit 0
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:



@ -1,7 +1,7 @@
#!/bin/sh
# install - install a program, script, or datafile
scriptversion=2006-12-25.00
scriptversion=2014-09-12.12; # UTC
# This originates from X11R5 (mit/util/scripts/install.sh), which was
# later released in X11R6 (xc/config/util/install.sh) with the
@ -35,25 +35,21 @@ scriptversion=2006-12-25.00
# FSF changes to this file are in the public domain.
#
# Calling this script install-sh is preferred over install.sh, to prevent
# `make' implicit rules from creating a file called install from it
# 'make' implicit rules from creating a file called install from it
# when there is no Makefile.
#
# This script is compatible with the BSD install script, but was written
# from scratch.
tab=' '
nl='
'
IFS=" "" $nl"
IFS=" $tab$nl"
# set DOITPROG to echo to test this script
# Set DOITPROG to "echo" to test this script.
# Don't use :- since 4.3BSD and earlier shells don't like it.
doit=${DOITPROG-}
if test -z "$doit"; then
doit_exec=exec
else
doit_exec=$doit
fi
doit_exec=${doit:-exec}
# Put in absolute file names if you don't have them in your path;
# or use environment vars.
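Review bot: `tab='	'` and `IFS=" $tab$nl"` only work if the character between the quotes is a literal tab; the diff view renders it as a space, which is indistinguishable from the typo that would set `IFS` to two spaces and a newline and make the `-m` validation pattern `*"$tab"*` further down, and every `$tab` use in the depcomp sed expressions earlier in this diff, silently stop matching tabs. Worth confirming the committed bytes with `grep '^tab=' install-sh | od -c` (expect `\t` between the quotes) rather than trusting the rendering. `doit_exec=${doit:-exec}` replacing the four-line `if` is fine now that the 'Don't use :-' comment about 4.3BSD shells has been dropped along with the code that honoured it.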
@ -68,17 +64,6 @@ mvprog=${MVPROG-mv}
rmprog=${RMPROG-rm}
stripprog=${STRIPPROG-strip}
posix_glob='?'
initialize_posix_glob='
test "$posix_glob" != "?" || {
if (set -f) 2>/dev/null; then
posix_glob=
else
posix_glob=:
fi
}
'
posix_mkdir=
# Desired mode of installed file.
@ -97,7 +82,7 @@ dir_arg=
dst_arg=
copy_on_change=false
no_target_directory=
is_target_a_directory=possibly
usage="\
Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
@ -137,42 +122,57 @@ while test $# -ne 0; do
-d) dir_arg=true;;
-g) chgrpcmd="$chgrpprog $2"
shift;;
shift;;
--help) echo "$usage"; exit $?;;
-m) mode=$2
case $mode in
*' '* | *' '* | *'
'* | *'*'* | *'?'* | *'['*)
echo "$0: invalid mode: $mode" >&2
exit 1;;
esac
shift;;
case $mode in
*' '* | *"$tab"* | *"$nl"* | *'*'* | *'?'* | *'['*)
echo "$0: invalid mode: $mode" >&2
exit 1;;
esac
shift;;
-o) chowncmd="$chownprog $2"
shift;;
shift;;
-s) stripcmd=$stripprog;;
-t) dst_arg=$2
shift;;
-t)
is_target_a_directory=always
dst_arg=$2
# Protect names problematic for 'test' and other utilities.
case $dst_arg in
-* | [=\(\)!]) dst_arg=./$dst_arg;;
esac
shift;;
-T) no_target_directory=true;;
-T) is_target_a_directory=never;;
--version) echo "$0 $scriptversion"; exit $?;;
--) shift
break;;
--) shift
break;;
-*) echo "$0: invalid option: $1" >&2
exit 1;;
-*) echo "$0: invalid option: $1" >&2
exit 1;;
*) break;;
esac
shift
done
# We allow the use of options -d and -T together, by making -d
# take the precedence; this is for compatibility with GNU install.
if test -n "$dir_arg"; then
if test -n "$dst_arg"; then
echo "$0: target directory not allowed when installing a directory." >&2
exit 1
fi
fi
if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
# When -d is used, all remaining arguments are directories to create.
# When -t is used, the destination is already specified.
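Review bot: The `-m` validation now rejects space, tab, newline, `*`, `?` and `[`, but a value beginning with `-` still passes. In the mkdir probe below `$mode` is concatenated as `-m$mode`, so that use is safe; anywhere `$mode` is passed as its own word (a `chmod $mode file` style call) it would be parsed as an option instead of a mode, so adding `-*` to the rejected patterns is cheap insurance. The new `-d` with `-t` conflict check and the `./` prefix for `-t` arguments that look like options or `test` operators (`-* | [=\(\)!]`) are both good; the `-g` and `-o` values get no such protection, which is fine only as long as they are never handed to `test`.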
@ -186,6 +186,10 @@ if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
fi
shift # arg
dst_arg=$arg
# Protect names problematic for 'test' and other utilities.
case $dst_arg in
-* | [=\(\)!]) dst_arg=./$dst_arg;;
esac
done
fi
@ -194,13 +198,26 @@ if test $# -eq 0; then
echo "$0: no input file specified." >&2
exit 1
fi
# It's OK to call `install-sh -d' without argument.
# It's OK to call 'install-sh -d' without argument.
# This can happen when creating conditional directories.
exit 0
fi
if test -z "$dir_arg"; then
trap '(exit $?); exit' 1 2 13 15
if test $# -gt 1 || test "$is_target_a_directory" = always; then
if test ! -d "$dst_arg"; then
echo "$0: $dst_arg: Is not a directory." >&2
exit 1
fi
fi
fi
if test -z "$dir_arg"; then
do_exit='(exit $ret); exit $ret'
trap "ret=129; $do_exit" 1
trap "ret=130; $do_exit" 2
trap "ret=141; $do_exit" 13
trap "ret=143; $do_exit" 15
# Set umask so as not to create temps with too-generous modes.
# However, 'strip' requires both read and write access to temps.
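Review bot: The four traps now exit with 129/130/141/143 (128 plus the signal number) through `do_exit='(exit $ret); exit $ret'` instead of the old `trap '(exit $?); exit' 1 2 13 15`, which re-used whatever `$?` happened to hold at the time. That gives `make` a deterministic failure status, but it converts a signal death into a normal exit, so a parent that waits on the process sees 'exited 130' rather than 'killed by SIGINT'; if that distinction matters to callers, the usual idiom is to clean up, then `trap - $sig; kill -s $sig $$`. The added check (`test $# -gt 1 || test "$is_target_a_directory" = always`, then `test ! -d "$dst_arg"`) correctly refuses a non-directory target before any file is touched and should be mentioned in the message as a behaviour change for `-t`.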
@ -211,16 +228,16 @@ if test -z "$dir_arg"; then
*[0-7])
if test -z "$stripcmd"; then
u_plus_rw=
u_plus_rw=
else
u_plus_rw='% 200'
u_plus_rw='% 200'
fi
cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;;
*)
if test -z "$stripcmd"; then
u_plus_rw=
u_plus_rw=
else
u_plus_rw=,u+rw
u_plus_rw=,u+rw
fi
cp_umask=$mode$u_plus_rw;;
esac
@ -228,9 +245,9 @@ fi
for src
do
# Protect names starting with `-'.
# Protect names problematic for 'test' and other utilities.
case $src in
-*) src=./$src;;
-* | [=\(\)!]) src=./$src;;
esac
if test -n "$dir_arg"; then
@ -252,51 +269,20 @@ do
echo "$0: no destination specified." >&2
exit 1
fi
dst=$dst_arg
# Protect names starting with `-'.
case $dst in
-*) dst=./$dst;;
esac
# If destination is a directory, append the input filename; won't work
# if double slashes aren't ignored.
if test -d "$dst"; then
if test -n "$no_target_directory"; then
echo "$0: $dst_arg: Is a directory" >&2
exit 1
if test "$is_target_a_directory" = never; then
echo "$0: $dst_arg: Is a directory" >&2
exit 1
fi
dstdir=$dst
dst=$dstdir/`basename "$src"`
dstdir_status=0
else
# Prefer dirname, but fall back on a substitute if dirname fails.
dstdir=`
(dirname "$dst") 2>/dev/null ||
expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
X"$dst" : 'X\(//\)[^/]' \| \
X"$dst" : 'X\(//\)$' \| \
X"$dst" : 'X\(/\)' \| . 2>/dev/null ||
echo X"$dst" |
sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
s//\1/
q
}
/^X\(\/\/\)[^/].*/{
s//\1/
q
}
/^X\(\/\/\)$/{
s//\1/
q
}
/^X\(\/\).*/{
s//\1/
q
}
s/.*/./; q'
`
dstdir=`dirname "$dst"`
test -d "$dstdir"
dstdir_status=$?
fi
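Review bot: Dropping the local `-*) dst=./$dst` protection along with the long `expr`/`sed` fallback for `dirname` is only safe because `dst_arg` is now prefixed with `./` at option-parsing time, in both the `-t` branch and the positional-argument loop earlier in this diff; if a third way of setting `dst_arg` is added later, `test -d "$dst"` here would again see a name that looks like an option or a `test` operator. A one-line comment at `dst=$dst_arg` pointing at that earlier protection would make the dependency explicit. Relying on plain `dirname` is reasonable since it is required by POSIX, but the commit message should say the fallback was dropped deliberately.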
@ -307,74 +293,81 @@ do
if test $dstdir_status != 0; then
case $posix_mkdir in
'')
# Create intermediate dirs using mode 755 as modified by the umask.
# This is like FreeBSD 'install' as of 1997-10-28.
umask=`umask`
case $stripcmd.$umask in
# Optimize common cases.
*[2367][2367]) mkdir_umask=$umask;;
.*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;
# Create intermediate dirs using mode 755 as modified by the umask.
# This is like FreeBSD 'install' as of 1997-10-28.
umask=`umask`
case $stripcmd.$umask in
# Optimize common cases.
*[2367][2367]) mkdir_umask=$umask;;
.*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;
*[0-7])
mkdir_umask=`expr $umask + 22 \
- $umask % 100 % 40 + $umask % 20 \
- $umask % 10 % 4 + $umask % 2
`;;
*) mkdir_umask=$umask,go-w;;
esac
*[0-7])
mkdir_umask=`expr $umask + 22 \
- $umask % 100 % 40 + $umask % 20 \
- $umask % 10 % 4 + $umask % 2
`;;
*) mkdir_umask=$umask,go-w;;
esac
# With -d, create the new directory with the user-specified mode.
# Otherwise, rely on $mkdir_umask.
if test -n "$dir_arg"; then
mkdir_mode=-m$mode
else
mkdir_mode=
fi
# With -d, create the new directory with the user-specified mode.
# Otherwise, rely on $mkdir_umask.
if test -n "$dir_arg"; then
mkdir_mode=-m$mode
else
mkdir_mode=
fi
posix_mkdir=false
case $umask in
*[123567][0-7][0-7])
# POSIX mkdir -p sets u+wx bits regardless of umask, which
# is incompatible with FreeBSD 'install' when (umask & 300) != 0.
;;
*)
tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
posix_mkdir=false
case $umask in
*[123567][0-7][0-7])
# POSIX mkdir -p sets u+wx bits regardless of umask, which
# is incompatible with FreeBSD 'install' when (umask & 300) != 0.
;;
*)
# $RANDOM is not portable (e.g. dash); use it when possible to
# lower collision chance
tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0
if (umask $mkdir_umask &&
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
then
if test -z "$dir_arg" || {
# Check for POSIX incompatibilities with -m.
# HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
# other-writeable bit of parent directory when it shouldn't.
# FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
ls_ld_tmpdir=`ls -ld "$tmpdir"`
case $ls_ld_tmpdir in
d????-?r-*) different_mode=700;;
d????-?--*) different_mode=755;;
*) false;;
esac &&
$mkdirprog -m$different_mode -p -- "$tmpdir" && {
ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
}
}
then posix_mkdir=:
fi
rmdir "$tmpdir/d" "$tmpdir"
else
# Remove any dirs left behind by ancient mkdir implementations.
rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
fi
trap '' 0;;
esac;;
# As "mkdir -p" follows symlinks and we work in /tmp possibly; so
# create the $tmpdir first (and fail if unsuccessful) to make sure
# that nobody tries to guess the $tmpdir name.
if (umask $mkdir_umask &&
$mkdirprog $mkdir_mode "$tmpdir" &&
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
then
if test -z "$dir_arg" || {
# Check for POSIX incompatibilities with -m.
# HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
# other-writable bit of parent directory when it shouldn't.
# FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
test_tmpdir="$tmpdir/a"
ls_ld_tmpdir=`ls -ld "$test_tmpdir"`
case $ls_ld_tmpdir in
d????-?r-*) different_mode=700;;
d????-?--*) different_mode=755;;
*) false;;
esac &&
$mkdirprog -m$different_mode -p -- "$test_tmpdir" && {
ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"`
test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
}
}
then posix_mkdir=:
fi
rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir"
else
# Remove any dirs left behind by ancient mkdir implementations.
rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null
fi
trap '' 0;;
esac;;
esac
if
$posix_mkdir && (
umask $mkdir_umask &&
$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir"
umask $mkdir_umask &&
$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir"
)
then :
else
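Review bot: Creating `$tmpdir` with a plain `$mkdirprog $mkdir_mode "$tmpdir"` before the `-p` probe is the right fix for the symlink problem the new comment describes: `mkdir -p` happily descends into an existing `$tmpdir`, which under `/tmp` can be a symlink planted by another local user because `ins$RANDOM-$$` is guessable (and `$RANDOM` expands to nothing in dash, as the other new comment admits), whereas a non-`-p` mkdir fails if the name already exists, so the probe now only ever runs inside a directory this script itself created. Two follow-ups: the comment should say that the mkdir failure is the defence and `$RANDOM` merely reduces accidental collisions, and on that failure path the else branch runs `rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null`, which attempts to remove a directory the script did not create (harmless, since `rmdir` refuses non-empty directories and errors are discarded, but cleaner to skip `"$tmpdir"` when the first mkdir failed). Either way a squatted name only degrades to the slow path below; it never results in a write to an attacker-chosen location.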
@ -384,53 +377,51 @@ do
# directory the slow way, step by step, checking for races as we go.
case $dstdir in
/*) prefix='/';;
-*) prefix='./';;
*) prefix='';;
/*) prefix='/';;
[-=\(\)!]*) prefix='./';;
*) prefix='';;
esac
eval "$initialize_posix_glob"
oIFS=$IFS
IFS=/
$posix_glob set -f
set -f
set fnord $dstdir
shift
$posix_glob set +f
set +f
IFS=$oIFS
prefixes=
for d
do
test -z "$d" && continue
test X"$d" = X && continue
prefix=$prefix$d
if test -d "$prefix"; then
prefixes=
else
if $posix_mkdir; then
(umask=$mkdir_umask &&
$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
# Don't fail if two instances are running concurrently.
test -d "$prefix" || exit 1
else
case $prefix in
*\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;;
*) qprefix=$prefix;;
esac
prefixes="$prefixes '$qprefix'"
fi
fi
prefix=$prefix/
prefix=$prefix$d
if test -d "$prefix"; then
prefixes=
else
if $posix_mkdir; then
(umask=$mkdir_umask &&
$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
# Don't fail if two instances are running concurrently.
test -d "$prefix" || exit 1
else
case $prefix in
*\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;;
*) qprefix=$prefix;;
esac
prefixes="$prefixes '$qprefix'"
fi
fi
prefix=$prefix/
done
if test -n "$prefixes"; then
# Don't fail if two instances are running concurrently.
(umask $mkdir_umask &&
eval "\$doit_exec \$mkdirprog $prefixes") ||
test -d "$dstdir" || exit 1
obsolete_mkdir_used=true
# Don't fail if two instances are running concurrently.
(umask $mkdir_umask &&
eval "\$doit_exec \$mkdirprog $prefixes") ||
test -d "$dstdir" || exit 1
obsolete_mkdir_used=true
fi
fi
fi
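Review bot: `(umask=$mkdir_umask && $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break` assigns a shell variable named `umask`; it does not invoke the `umask` builtin, so this branch of the slow path creates `$dstdir` under the caller's inherited umask rather than `$mkdir_umask`. The old lines carried the same typo and the final fallback a few lines down uses the correct `umask $mkdir_umask &&`, so this is a pre-existing bug that the re-indent preserved; it should read `umask $mkdir_umask &&`. The practical effect is that intermediate directories created here can come out more permissive than the 'mode 755 as modified by the umask' promised in the earlier comment whenever the caller's umask is lax.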
@ -465,15 +456,12 @@ do
# If -C, don't bother to copy if it wouldn't change the file.
if $copy_on_change &&
old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` &&
new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` &&
eval "$initialize_posix_glob" &&
$posix_glob set -f &&
old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` &&
new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` &&
set -f &&
set X $old && old=:$2:$4:$5:$6 &&
set X $new && new=:$2:$4:$5:$6 &&
$posix_glob set +f &&
set +f &&
test "$old" = "$new" &&
$cmpprog "$dst" "$dsttmp" >/dev/null 2>&1
then
@ -486,24 +474,24 @@ do
# to itself, or perhaps because mv is so ancient that it does not
# support -f.
{
# Now remove or move aside any old file at destination location.
# We try this two ways since rm can't unlink itself on some
# systems and the destination file might be busy for other
# reasons. In this case, the final cleanup might fail but the new
# file should still install successfully.
{
test ! -f "$dst" ||
$doit $rmcmd -f "$dst" 2>/dev/null ||
{ $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
{ $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }
} ||
{ echo "$0: cannot unlink or rename $dst" >&2
(exit 1); exit 1
}
} &&
# Now remove or move aside any old file at destination location.
# We try this two ways since rm can't unlink itself on some
# systems and the destination file might be busy for other
# reasons. In this case, the final cleanup might fail but the new
# file should still install successfully.
{
test ! -f "$dst" ||
$doit $rmcmd -f "$dst" 2>/dev/null ||
{ $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
{ $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }
} ||
{ echo "$0: cannot unlink or rename $dst" >&2
(exit 1); exit 1
}
} &&
# Now rename the file to the real destination.
$doit $mvcmd "$dsttmp" "$dst"
# Now rename the file to the real destination.
$doit $mvcmd "$dsttmp" "$dst"
}
fi || exit 1
@ -515,5 +503,6 @@ done
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:

8067
auto/ltmain.sh Executable file → Normal file

File diff suppressed because it is too large
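Review bot: auto/ltmain.sh changes from an executable to a normal file and the content diff is suppressed, so the mode change is the only thing visible for review. Losing the execute bit is harmless if, as with the libtool releases I know, ltmain.sh is never run directly but embedded into the configure-generated `libtool` script; still, both the mode change and the libtool version the new content corresponds to should be stated in the commit message, and the file should be checked against the pristine copy from that libtool release (`cmp` or a checksum) since an 8000-line change in a shipped build helper cannot be eyeballed here.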


@ -1,11 +1,10 @@
#! /bin/sh
# Common stub for a few missing GNU programs while installing.
# Common wrapper for a few potentially missing GNU programs.
scriptversion=2006-05-10.23
scriptversion=2013-10-28.13; # UTC
# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006
# Free Software Foundation, Inc.
# Originally by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
# Copyright (C) 1996-2014 Free Software Foundation, Inc.
# Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@ -18,9 +17,7 @@ scriptversion=2006-05-10.23
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
@ -28,66 +25,40 @@ scriptversion=2006-05-10.23
# the same distribution terms that you use for the rest of that program.
if test $# -eq 0; then
echo 1>&2 "Try \`$0 --help' for more information"
echo 1>&2 "Try '$0 --help' for more information"
exit 1
fi
run=:
sed_output='s/.* --output[ =]\([^ ]*\).*/\1/p'
sed_minuso='s/.* -o \([^ ]*\).*/\1/p'
# In the cases where this matters, `missing' is being run in the
# srcdir already.
if test -f configure.ac; then
configure_ac=configure.ac
else
configure_ac=configure.in
fi
msg="missing on your system"
case $1 in
--run)
# Try to run requested program, and just exit if it succeeds.
run=
shift
"$@" && exit 0
# Exit code 63 means version mismatch. This often happens
# when the user try to use an ancient version of a tool on
# a file that requires a minimum version. In this case we
# we should proceed has if the program had been absent, or
# if --run hadn't been passed.
if test $? = 63; then
run=:
msg="probably too old"
fi
;;
--is-lightweight)
# Used by our autoconf macros to check whether the available missing
# script is modern enough.
exit 0
;;
--run)
# Back-compat with the calling convention used by older automake.
shift
;;
-h|--h|--he|--hel|--help)
echo "\
$0 [OPTION]... PROGRAM [ARGUMENT]...
Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an
error status if there is no known handling for PROGRAM.
Run 'PROGRAM [ARGUMENT]...', returning a proper advice when this fails due
to PROGRAM being missing or too old.
Options:
-h, --help display this help and exit
-v, --version output version information and exit
--run try to run the given command, and emulate it if it fails
Supported PROGRAM values:
aclocal touch file \`aclocal.m4'
autoconf touch file \`configure'
autoheader touch file \`config.h.in'
autom4te touch the output file, or create a stub one
automake touch all \`Makefile.in' files
bison create \`y.tab.[ch]', if possible, from existing .[ch]
flex create \`lex.yy.c', if possible, from existing .c
help2man touch the output file
lex create \`lex.yy.c', if possible, from existing .c
makeinfo touch the output file
tar try tar, gnutar, gtar, then tar without non-portable flags
yacc create \`y.tab.[ch]', if possible, from existing .[ch]
aclocal autoconf autoheader autom4te automake makeinfo
bison yacc flex lex help2man
Version suffixes to PROGRAM as well as the prefixes 'gnu-', 'gnu', and
'g' are ignored when checking the name.
Send bug reports to <bug-automake@gnu.org>."
exit $?
@ -99,269 +70,146 @@ Send bug reports to <bug-automake@gnu.org>."
;;
-*)
echo 1>&2 "$0: Unknown \`$1' option"
echo 1>&2 "Try \`$0 --help' for more information"
echo 1>&2 "$0: unknown '$1' option"
echo 1>&2 "Try '$0 --help' for more information"
exit 1
;;
esac
# Now exit if we have it, but it failed. Also exit now if we
# don't have it and --version was passed (most likely to detect
# the program).
case $1 in
lex|yacc)
# Not GNU programs, they don't have --version.
# Run the given program, remember its exit status.
"$@"; st=$?
# If it succeeded, we are done.
test $st -eq 0 && exit 0
# Also exit now if we it failed (or wasn't found), and '--version' was
# passed; such an option is passed most likely to detect whether the
# program is present and works.
case $2 in --version|--help) exit $st;; esac
# Exit code 63 means version mismatch. This often happens when the user
# tries to use an ancient version of a tool on a file that requires a
# minimum version.
if test $st -eq 63; then
msg="probably too old"
elif test $st -eq 127; then
# Program was missing.
msg="missing on your system"
else
# Program was found and executed, but failed. Give up.
exit $st
fi
perl_URL=http://www.perl.org/
flex_URL=http://flex.sourceforge.net/
gnu_software_URL=http://www.gnu.org/software
program_details ()
{
case $1 in
aclocal|automake)
echo "The '$1' program is part of the GNU Automake package:"
echo "<$gnu_software_URL/automake>"
echo "It also requires GNU Autoconf, GNU m4 and Perl in order to run:"
echo "<$gnu_software_URL/autoconf>"
echo "<$gnu_software_URL/m4/>"
echo "<$perl_URL>"
;;
autoconf|autom4te|autoheader)
echo "The '$1' program is part of the GNU Autoconf package:"
echo "<$gnu_software_URL/autoconf/>"
echo "It also requires GNU m4 and Perl in order to run:"
echo "<$gnu_software_URL/m4/>"
echo "<$perl_URL>"
;;
esac
}
give_advice ()
{
# Normalize program name to check for.
normalized_program=`echo "$1" | sed '
s/^gnu-//; t
s/^gnu//; t
s/^g//; t'`
printf '%s\n' "'$1' is $msg."
configure_deps="'configure.ac' or m4 files included by 'configure.ac'"
case $normalized_program in
autoconf*)
echo "You should only need it if you modified 'configure.ac',"
echo "or m4 files included by it."
program_details 'autoconf'
;;
autoheader*)
echo "You should only need it if you modified 'acconfig.h' or"
echo "$configure_deps."
program_details 'autoheader'
;;
automake*)
echo "You should only need it if you modified 'Makefile.am' or"
echo "$configure_deps."
program_details 'automake'
;;
aclocal*)
echo "You should only need it if you modified 'acinclude.m4' or"
echo "$configure_deps."
program_details 'aclocal'
;;
autom4te*)
echo "You might have modified some maintainer files that require"
echo "the 'autom4te' program to be rebuilt."
program_details 'autom4te'
;;
bison*|yacc*)
echo "You should only need it if you modified a '.y' file."
echo "You may want to install the GNU Bison package:"
echo "<$gnu_software_URL/bison/>"
;;
lex*|flex*)
echo "You should only need it if you modified a '.l' file."
echo "You may want to install the Fast Lexical Analyzer package:"
echo "<$flex_URL>"
;;
help2man*)
echo "You should only need it if you modified a dependency" \
"of a man page."
echo "You may want to install the GNU Help2man package:"
echo "<$gnu_software_URL/help2man/>"
;;
makeinfo*)
echo "You should only need it if you modified a '.texi' file, or"
echo "any other file indirectly affecting the aspect of the manual."
echo "You might want to install the Texinfo package:"
echo "<$gnu_software_URL/texinfo/>"
echo "The spurious makeinfo call might also be the consequence of"
echo "using a buggy 'make' (AIX, DU, IRIX), in which case you might"
echo "want to install GNU make:"
echo "<$gnu_software_URL/make/>"
;;
*)
echo "You might have modified some files without having the proper"
echo "tools for further handling them. Check the 'README' file, it"
echo "often tells you about the needed prerequisites for installing"
echo "this package. You may also peek at any GNU archive site, in"
echo "case some other package contains this missing '$1' program."
;;
esac
}
tar)
if test -n "$run"; then
echo 1>&2 "ERROR: \`tar' requires --run"
exit 1
elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
exit 1
fi
;;
give_advice "$1" | sed -e '1s/^/WARNING: /' \
-e '2,$s/^/ /' >&2
*)
if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
# We have it, but it failed.
exit 1
elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
# Could not run --version or --help. This is probably someone
# running `$TOOL --version' or `$TOOL --help' to check whether
# $TOOL exists and not knowing $TOOL uses missing.
exit 1
fi
;;
esac
# If it does not exist, or fails to run (possibly an outdated version),
# try to emulate it.
case $1 in
aclocal*)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified \`acinclude.m4' or \`${configure_ac}'. You might want
to install the \`Automake' and \`Perl' packages. Grab them from
any GNU archive site."
touch aclocal.m4
;;
autoconf)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified \`${configure_ac}'. You might want to install the
\`Autoconf' and \`GNU m4' packages. Grab them from any GNU
archive site."
touch configure
;;
autoheader)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified \`acconfig.h' or \`${configure_ac}'. You might want
to install the \`Autoconf' and \`GNU m4' packages. Grab them
from any GNU archive site."
files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' ${configure_ac}`
test -z "$files" && files="config.h"
touch_files=
for f in $files; do
case $f in
*:*) touch_files="$touch_files "`echo "$f" |
sed -e 's/^[^:]*://' -e 's/:.*//'`;;
*) touch_files="$touch_files $f.in";;
esac
done
touch $touch_files
;;
automake*)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified \`Makefile.am', \`acinclude.m4' or \`${configure_ac}'.
You might want to install the \`Automake' and \`Perl' packages.
Grab them from any GNU archive site."
find . -type f -name Makefile.am -print |
sed 's/\.am$/.in/' |
while read f; do touch "$f"; done
;;
autom4te)
echo 1>&2 "\
WARNING: \`$1' is needed, but is $msg.
You might have modified some files without having the
proper tools for further handling them.
You can get \`$1' as part of \`Autoconf' from any GNU
archive site."
file=`echo "$*" | sed -n "$sed_output"`
test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
if test -f "$file"; then
touch $file
else
test -z "$file" || exec >$file
echo "#! /bin/sh"
echo "# Created by GNU Automake missing as a replacement of"
echo "# $ $@"
echo "exit 0"
chmod +x $file
exit 1
fi
;;
bison|yacc)
echo 1>&2 "\
WARNING: \`$1' $msg. You should only need it if
you modified a \`.y' file. You may need the \`Bison' package
in order for those modifications to take effect. You can get
\`Bison' from any GNU archive site."
rm -f y.tab.c y.tab.h
if test $# -ne 1; then
eval LASTARG="\${$#}"
case $LASTARG in
*.y)
SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'`
if test -f "$SRCFILE"; then
cp "$SRCFILE" y.tab.c
fi
SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'`
if test -f "$SRCFILE"; then
cp "$SRCFILE" y.tab.h
fi
;;
esac
fi
if test ! -f y.tab.h; then
echo >y.tab.h
fi
if test ! -f y.tab.c; then
echo 'main() { return 0; }' >y.tab.c
fi
;;
lex|flex)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified a \`.l' file. You may need the \`Flex' package
in order for those modifications to take effect. You can get
\`Flex' from any GNU archive site."
rm -f lex.yy.c
if test $# -ne 1; then
eval LASTARG="\${$#}"
case $LASTARG in
*.l)
SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'`
if test -f "$SRCFILE"; then
cp "$SRCFILE" lex.yy.c
fi
;;
esac
fi
if test ! -f lex.yy.c; then
echo 'main() { return 0; }' >lex.yy.c
fi
;;
help2man)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified a dependency of a manual page. You may need the
\`Help2man' package in order for those modifications to take
effect. You can get \`Help2man' from any GNU archive site."
file=`echo "$*" | sed -n "$sed_output"`
test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
if test -f "$file"; then
touch $file
else
test -z "$file" || exec >$file
echo ".ab help2man is required to generate this page"
exit 1
fi
;;
makeinfo)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified a \`.texi' or \`.texinfo' file, or any other file
indirectly affecting the aspect of the manual. The spurious
call might also be the consequence of using a buggy \`make' (AIX,
DU, IRIX). You might want to install the \`Texinfo' package or
the \`GNU make' package. Grab either from any GNU archive site."
# The file to touch is that specified with -o ...
file=`echo "$*" | sed -n "$sed_output"`
test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
if test -z "$file"; then
# ... or it is the one specified with @setfilename ...
infile=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'`
file=`sed -n '
/^@setfilename/{
s/.* \([^ ]*\) *$/\1/
p
q
}' $infile`
# ... or it is derived from the source name (dir/f.texi becomes f.info)
test -z "$file" && file=`echo "$infile" | sed 's,.*/,,;s,.[^.]*$,,'`.info
fi
# If the file does not exist, the user really needs makeinfo;
# let's fail without touching anything.
test -f $file || exit 1
touch $file
;;
tar)
shift
# We have already tried tar in the generic part.
# Look for gnutar/gtar before invocation to avoid ugly error
# messages.
if (gnutar --version > /dev/null 2>&1); then
gnutar "$@" && exit 0
fi
if (gtar --version > /dev/null 2>&1); then
gtar "$@" && exit 0
fi
firstarg="$1"
if shift; then
case $firstarg in
*o*)
firstarg=`echo "$firstarg" | sed s/o//`
tar "$firstarg" "$@" && exit 0
;;
esac
case $firstarg in
*h*)
firstarg=`echo "$firstarg" | sed s/h//`
tar "$firstarg" "$@" && exit 0
;;
esac
fi
echo 1>&2 "\
WARNING: I can't seem to be able to run \`tar' with the given arguments.
You may want to install GNU tar or Free paxutils, or check the
command line arguments."
exit 1
;;
*)
echo 1>&2 "\
WARNING: \`$1' is needed, and is $msg.
You might have modified some files without having the
proper tools for further handling them. Check the \`README' file,
it often tells you about the needed prerequisites for installing
this package. You may also peek at any GNU archive site, in case
some other package would contain this missing \`$1' program."
exit 1
;;
esac
exit 0
# Propagate the correct exit status (expected to be 127 for a program
# not found, 63 for a program that failed due to version mismatch).
exit $st
# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:
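Review bot: the unconditional `exit 0` after the `esac` and the later `exit $st` cannot both be live, and the one that should survive is `exit $st`: the `bison|yacc` and `lex|flex` branches fabricate a stub `main() { return 0; }` into `y.tab.c` / `lex.yy.c` when the generator is absent, so an unconditional success status turns a missing tool into a silently broken build, whereas propagating 127 (not found) or 63 (version mismatch) lets make fail loudly. This helper is generated by automake; regenerate it with autoreconf rather than hand-merging the two versions.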

@ -1,28 +1,25 @@
#!/bin/sh
set -ev
VERSION=4.53
VERSION=5.44
DST=stunnel-$VERSION-android
# to build Zlib:
# export CHOST=arm-linux-androideabi
# ./configure --static --prefix=/opt/androideabi/sysroot
# make
# make install
# to build OpenSSL:
# export CC=arm-linux-androideabi-gcc
# ./Configure linux-armv4 threads no-shared zlib no-dso --openssldir=/opt/androideabi/sysroot
# make
# ./Configure threads no-shared no-dso --cross-compile-prefix=arm-linux-androideabi- --prefix=/opt/androideabi/sysroot linux-armv4
# make install
./configure --build=i686-pc-linux-gnu --host=arm-linux-androideabi --prefix=/data/local --with-ssl=/opt/androideabi/sysroot
test -f Makefile && make distclean
mkdir -p bin/android
cd bin/android
../../configure --with-sysroot --build=i686-pc-linux-gnu --host=arm-linux-androideabi --prefix=/data/local
make clean
make
cd ../..
mkdir $DST
cp src/stunnel /opt/androideabi/sysroot/bin/openssl $DST
cp bin/android/src/stunnel $DST
# arm-linux-androideabi-strip $DST/stunnel $DST/openssl
arm-linux-androideabi-strip $DST/openssl
# cp /opt/androideabi/sysroot/bin/openssl $DST
# arm-linux-androideabi-strip $DST/openssl
zip -r $DST.zip $DST
rm -rf $DST
sha256sum $DST.zip
mv $DST.zip ../dist/
# sha256sum $DST.zip
# mv $DST.zip ../dist/
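Review bot: `sha256sum $DST.zip` and `mv $DST.zip ../dist/` are now commented out, so the release step no longer emits the archive digest or moves the zip into dist; if the zip is still published, the digest (ideally signed) has to be produced by whatever replaced this step. `arm-linux-androideabi-strip $DST/stunnel` is commented out as well, so the shipped binary keeps its symbols, which is fine for debugging but should be a deliberate choice. The OpenSSL `./Configure` comment now builds without `zlib`, matching the `-lz` search dropped from configure.ac in this same change, and `VERSION=5.44` duplicates the version in `AC_INIT`, so a bump must touch both files.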

configure vendored (13749 changes): file diff suppressed because it is too large

@ -1,14 +1,14 @@
# Process this file with autoconf to produce a configure script.
AC_INIT([stunnel],[4.53])
AC_INIT([stunnel],[5.44])
AC_MSG_NOTICE([**************************************** initialization])
AC_CONFIG_AUX_DIR(auto)
AC_CONFIG_MACRO_DIR([m4])
AM_INIT_AUTOMAKE(stunnel, 4.53)
AC_CONFIG_HEADERS([src/config.h])
AC_CONFIG_SRCDIR([src/stunnel.c])
AC_DEFINE([_GNU_SOURCE], [1], [Use GNU source])
AM_INIT_AUTOMAKE
AM_CONDITIONAL([AUTHOR_TESTS], [test -d ".git"])
AC_CANONICAL_HOST
AC_SUBST([host])
AC_DEFINE_UNQUOTED([HOST], ["$host"], [Host description])
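Review bot: `AM_CONDITIONAL([AUTHOR_TESTS], [test -d ".git"])` enables the author tests only from a git checkout, so a release-tarball build silently skips them; a one-line comment saying so would save the next packager a puzzled hour. `AM_INIT_AUTOMAKE` without arguments now takes the version from `AC_INIT([stunnel],[5.44])`, the same string the android build script hard-codes as `VERSION=5.44`, so a release bump has two places to touch.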
@ -17,104 +17,116 @@ AC_DEFINE_UNQUOTED(esc(CPU_$host_cpu))
AC_DEFINE_UNQUOTED(esc(VENDOR_$host_vendor))
AC_DEFINE_UNQUOTED(esc(OS_$host_os))
case "$host_os" in
*darwin*)
# OSX does not declare ucontext without _XOPEN_SOURCE
AC_DEFINE([_XOPEN_SOURCE], [500], [Use X/Open 5 with POSIX 1995])
# OSX does not declare chroot() without _DARWIN_C_SOURCE
AC_DEFINE([_DARWIN_C_SOURCE], [1], [Use Darwin source])
;;
*)
AC_DEFINE([_GNU_SOURCE], [1], [Use GNU source])
;;
esac
AC_PROG_CC
AM_PROG_CC_C_O
AC_PROG_INSTALL
AC_PROG_MAKE_SET
# silent build by default
ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
# Checks for typedefs, structures, and compiler characteristics
# AC_C_CONST
# AC_TYPE_SIZE_T
# AC_TYPE_PID_T
# AC_HEADER_TIME
AC_MSG_NOTICE([**************************************** thread model])
# thread detection should be done first, as it may change the CC variable
AC_ARG_WITH(threads,
[ --with-threads=model select threading model (ucontext/pthread/fork)],
[
case "$withval" in
ucontext)
AC_MSG_NOTICE([UCONTEXT mode selected])
AC_DEFINE([USE_UCONTEXT], [1], [Define to 1 to select UCONTEXT mode])
;;
pthread)
AC_MSG_NOTICE([PTHREAD mode selected])
AX_PTHREAD()
LIBS="$PTHREAD_LIBS $LIBS"
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
CC="$PTHREAD_CC"
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
;;
fork)
AC_MSG_NOTICE([FORK mode selected])
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
;;
*)
AC_MSG_ERROR([Unknown thread model \"${withval}\"])
;;
esac
], [
# do not attempt to autodetect UCONTEXT threading
AX_PTHREAD([
AC_MSG_NOTICE([PTHREAD thread model detected])
LIBS="$PTHREAD_LIBS $LIBS"
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
CC="$PTHREAD_CC"
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
], [
AC_MSG_NOTICE([FORK thread model detected])
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
])
])
AC_MSG_NOTICE([**************************************** compiler/linker flags])
AC_SUBST([stunnel_LDFLAGS])
AC_MSG_CHECKING([whether $CC accepts -pthread])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -pthread"
valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -pthread"
AC_LINK_IFELSE([int main() {return 0;}],
[
AC_MSG_RESULT([yes])
AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -pthread"])
AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -pthread"])
], [
AC_MSG_RESULT([no])
])
CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS"
AC_MSG_CHECKING([whether $CC accepts -fstack-protector])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -fstack-protector"
valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -fstack-protector"
AC_LINK_IFELSE([int main() {return 0;}],
[
AC_MSG_RESULT([yes])
AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -fstack-protector"])
AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -fstack-protector"])
], [
AC_MSG_RESULT([no])
])
CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS"
AC_MSG_CHECKING([whether $CC accepts -pie])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -fPIE"
valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -pie -fPIE"
AC_LINK_IFELSE([int main() {return 0;}],
[
AC_MSG_RESULT([yes])
AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -fPIE"])
AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -pie -fPIE"])
], [
AC_MSG_RESULT([no])
])
CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS"
AC_MSG_CHECKING([whether $CC accepts -Wall])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wall"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
AC_MSG_CHECKING([whether $CC accepts -Wextra])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wextra"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
AC_MSG_CHECKING([whether $CC accepts -Wno-long-long])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wno-long-long"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
AC_MSG_CHECKING([whether $CC accepts -pedantic])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -pedantic"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
if test "$GCC" = yes; then
AX_APPEND_COMPILE_FLAGS([-Wall])
AX_APPEND_COMPILE_FLAGS([-Wextra])
AX_APPEND_COMPILE_FLAGS([-Wpedantic])
AX_APPEND_COMPILE_FLAGS([-Wformat=2])
AX_APPEND_COMPILE_FLAGS([-Wconversion])
AX_APPEND_COMPILE_FLAGS([-Wno-long-long])
AX_APPEND_COMPILE_FLAGS([-Wno-deprecated-declarations])
AX_APPEND_COMPILE_FLAGS([-fPIE])
case "${host}" in
avr-*.* | powerpc-*-aix* | rl78-*.* | visium-*.*)
;;
*)
AX_APPEND_COMPILE_FLAGS([-fstack-protector])
;;
esac
AX_APPEND_LINK_FLAGS([-fPIE -pie])
AX_APPEND_LINK_FLAGS([-Wl,-z,relro])
AX_APPEND_LINK_FLAGS([-Wl,-z,now])
AX_APPEND_LINK_FLAGS([-Wl,-z,noexecstack])
fi
AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2])
AC_MSG_NOTICE([**************************************** libtool])
LT_INIT([disable-static])
AC_SUBST([LIBTOOL_DEPS])
AC_MSG_NOTICE([**************************************** types])
AC_CHECK_SIZEOF(unsigned char)
AC_CHECK_SIZEOF(unsigned short)
AC_CHECK_SIZEOF(unsigned int)
AC_CHECK_SIZEOF(unsigned long)
AC_TYPE_INT8_T
AC_TYPE_INT16_T
AC_TYPE_INT32_T
AC_TYPE_INT64_T
AC_TYPE_UINT8_T
AC_TYPE_UINT16_T
AC_TYPE_UINT32_T
AC_TYPE_UINT64_T
AC_TYPE_SIZE_T
AC_TYPE_SSIZE_T
AC_TYPE_UID_T
AC_MSG_CHECKING([for socklen_t])
AC_EGREP_HEADER(socklen_t, sys/socket.h,
AC_MSG_RESULT([yes]),
AC_MSG_RESULT([no (defined as int)])
AC_DEFINE([socklen_t], [int], [Type of socklen_t]))
AC_CHECK_TYPES([struct sockaddr_un], [], [], [#include <sys/un.h>])
AC_CHECK_TYPES([struct addrinfo], [], [], [#include <netdb.h>])
AC_MSG_NOTICE([**************************************** PTY device files])
if test "$cross_compiling" = "no"; then
if test "x$cross_compiling" = "xno"; then
AC_CHECK_FILE("/dev/ptmx", AC_DEFINE([HAVE_DEV_PTMX], [1],
[Define to 1 if you have '/dev/ptmx' device.]))
AC_CHECK_FILE("/dev/ptc", AC_DEFINE([HAVE_DEV_PTS_AND_PTC], [1],
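Review bot: the removed block spells the substitution `stunnel_LDFLAGF` in all three `AC_SUBST([stunnel_LDFLAGF], ...)` lines, so `-pie` and `-fstack-protector` were never reaching the link line; the new `AX_APPEND_LINK_FLAGS([-fPIE -pie])`, `-Wl,-z,relro`, `-Wl,-z,now` and `-Wl,-z,noexecstack` are the right fix and should be mentioned in the changelog as a hardening change. Two caveats: `AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2])` sits outside the `if test "$GCC" = yes` block and only checks that the compiler accepts the define, but fortification has no effect below -O1, so a `CFLAGS=-O0` build gets no fortify checks (and glibc warns about it); and `-fstack-protector` could be tried as `-fstack-protector-strong` first, falling back to the plain flag on compilers that lack it.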
@ -125,13 +137,14 @@ fi
AC_MSG_NOTICE([**************************************** entropy sources])
if test "$cross_compiling" = "no"; then
if test "x$cross_compiling" = "xno"; then
AC_ARG_WITH(egd-socket,
[ --with-egd-socket=FILE Entropy Gathering Daemon socket path],
[EGD_SOCKET="$withval"]
)
if test -n "$EGD_SOCKET"; then
AC_DEFINE_UNQUOTED([EGD_SOCKET], ["$EGD_SOCKET"], [Entropy Gathering Daemon socket path])
AC_DEFINE_UNQUOTED([EGD_SOCKET], ["$EGD_SOCKET"],
[Entropy Gathering Daemon socket path])
fi
# Check for user-specified random device
@ -153,7 +166,7 @@ fi
AC_MSG_NOTICE([**************************************** default group])
DEFAULT_GROUP=nobody
if test "$cross_compiling" = "no"; then
if test "x$cross_compiling" = "xno"; then
grep '^nogroup:' /etc/group >/dev/null && DEFAULT_GROUP=nogroup
else
AC_MSG_WARN([cross-compilation: assuming nogroup is not available])
@ -162,12 +175,17 @@ AC_MSG_CHECKING([for default group])
AC_MSG_RESULT([$DEFAULT_GROUP])
AC_SUBST([DEFAULT_GROUP])
AC_SYS_LARGEFILE
AC_MSG_NOTICE([**************************************** header files])
# AC_HEADER_DIRENT
# AC_HEADER_STDC
# AC_HEADER_SYS_WAIT
AC_CHECK_HEADERS([malloc.h ucontext.h pthread.h poll.h tcpd.h stropts.h grp.h unistd.h util.h libutil.h pty.h])
AC_CHECK_HEADERS([sys/types.h sys/select.h sys/poll.h sys/socket.h sys/un.h sys/ioctl.h sys/filio.h sys/resource.h sys/uio.h])
AC_CHECK_HEADERS([stdint.h inttypes.h malloc.h ucontext.h pthread.h poll.h \
tcpd.h stropts.h grp.h unistd.h util.h libutil.h pty.h limits.h])
AC_CHECK_HEADERS([sys/types.h sys/select.h sys/poll.h sys/socket.h sys/un.h \
sys/ioctl.h sys/filio.h sys/resource.h sys/uio.h sys/syscall.h])
AC_CHECK_HEADERS([linux/sched.h])
AC_CHECK_MEMBERS([struct msghdr.msg_control],
[AC_DEFINE([HAVE_MSGHDR_MSG_CONTROL], [1],
[Define to 1 if you have 'msghdr.msg_control' structure.])], [], [
@ -188,102 +206,22 @@ AC_SEARCH_LIBS([gethostbyname], [nsl])
AC_SEARCH_LIBS([yp_get_default_domain], [nsl])
AC_SEARCH_LIBS([socket], [socket])
AC_SEARCH_LIBS([openpty], [util])
# Checks for dynamic loader and zlib needed by OpenSSL
# Checks for dynamic loader needed by OpenSSL
AC_SEARCH_LIBS([dlopen], [dl])
AC_SEARCH_LIBS([shl_load], [dld])
AC_SEARCH_LIBS([inflateEnd], [z])
# Add BeOS libraries
if test "$host_os" = "beos"; then
if test "x$host_os" = "xbeos"; then
LIBS="$LIBS -lbe -lroot -lbind"
fi
AC_MSG_NOTICE([**************************************** thread model])
checkpthreadlib() { :
# 1. BSD hack: attempt to use alternative libc implementation if available
AC_CHECK_LIB([c_r], [pthread_create],
[
LIBS="$LIBS -pthread"
HAVE_LIBPTHREAD="yes"
AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.])
]
)
# 2. try to use from standard libc (required by Android and possibly other platforms)
AC_CHECK_LIB([c], [pthread_create],
[
HAVE_LIBPTHREAD="yes"
AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.])
]
)
# 3. try libpthread: OSF hack instead of simple AC_CHECK_LIB here
AC_MSG_CHECKING([for pthread_create in -lpthread])
valid_LIBS="$LIBS"
LIBS="$valid_LIBS -lpthread"
AC_LINK_IFELSE(
[AC_LANG_PROGRAM(
[
#include <pthread.h>
],
[
pthread_create((void *)0, (void *)0, (void *)0, (void *)0)
]
)],
[
AC_MSG_RESULT([yes])
HAVE_LIBPTHREAD="yes"
AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.])
], [
AC_MSG_RESULT([no])
LIBS="$valid_LIBS"
]
)
}
AC_ARG_WITH(threads,
[ --with-threads=model select threading model (ucontext/pthread/fork)],
[
case "$withval" in
ucontext)
AC_MSG_NOTICE([UCONTEXT mode selected])
AC_DEFINE([USE_UCONTEXT], [1], [Define to 1 to select UCONTEXT mode])
;;
pthread)
checkpthreadlib
AC_MSG_NOTICE([PTHREAD mode selected])
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
;;
fork)
AC_MSG_NOTICE([FORK mode selected])
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
;;
*)
AC_MSG_ERROR([Unknown thread model \"${withval}\"])
;;
esac
], [
checkpthreadlib
if test "$HAVE_LIBPTHREAD" = "yes" -a "$ac_cv_header_pthread_h" = "yes"; then
AC_MSG_NOTICE([PTHREAD thread model detected])
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
elif test "$ac_cv_func_getcontext" = "yes" -a "$ac_cv_header_ucontext_h" = "yes"; then
AC_MSG_NOTICE([UCONTEXT thread model detected])
AC_DEFINE([USE_UCONTEXT], [1], [Define to 1 to select UCONTEXT mode])
else
AC_MSG_NOTICE([FORK thread model detected])
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
fi
])
AC_MSG_NOTICE([**************************************** library functions])
# safe string operations
AC_CHECK_FUNCS(snprintf vsnprintf)
# pseudoterminal
AC_CHECK_FUNCS(openpty _getpty)
# Unix
AC_CHECK_FUNCS(daemon waitpid wait4 setsid setgroups chroot)
AC_CHECK_FUNCS(daemon waitpid wait4 setsid setgroups chroot realpath)
# limits
AC_CHECK_FUNCS(sysconf getrlimit)
# threads/reentrant functions
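Review bot: dropping `AC_SEARCH_LIBS([inflateEnd], [z])` means an OpenSSL built with zlib and linked statically will now fail at link time with unresolved inflate symbols; that is consistent with this change's android script removing `zlib` from OpenSSL's `./Configure`, but the rewritten comment ("Checks for dynamic loader needed by OpenSSL") should state that zlib is no longer expected. The removed `checkpthreadlib` helper and the second `AC_ARG_WITH(threads, ...)` are superseded by the AX_PTHREAD-based thread-model section earlier in the file; make sure only one `--with-threads` definition remains, since a duplicate `AC_ARG_WITH` would silently let the later one win.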
@ -316,10 +254,10 @@ getaddrinfo(NULL, NULL, NULL, NULL);
[AC_MSG_RESULT([no])])
;;
esac
# poll() is not recommended on Mac OS X <=10.3 and broken on Mac OS X >=10.4
# poll() is not recommended on Mac OS X <= 10.3 and broken on Mac OS X 10.4
AC_MSG_CHECKING([for broken poll() implementation])
case "$host_os" in
darwin*)
darwin[0-8].*)
AC_MSG_RESULT([yes (poll() disabled)])
AC_DEFINE([BROKEN_POLL], [1], [Define to 1 if you have a broken 'poll' implementation.])
;;
@ -334,11 +272,12 @@ AC_MSG_NOTICE([**************************************** optional features])
# Use IPv6?
AC_MSG_CHECKING([whether to enable IPv6 support])
AC_ARG_ENABLE(ipv6,
[ --enable-ipv6 Enable IPv6 support],
[ --disable-ipv6 disable IPv6 support],
[
case "$enableval" in
yes) AC_MSG_RESULT([yes])
AC_DEFINE([USE_IPv6], [1], [Define to 1 to enable IPv6 support])
AC_DEFINE([USE_IPv6], [1],
[Define to 1 to enable IPv6 support])
;;
no) AC_MSG_RESULT([no])
;;
@ -346,23 +285,86 @@ AC_ARG_ENABLE(ipv6,
AC_MSG_ERROR([bad value \"${enableval}\"])
;;
esac
], [
AC_MSG_RESULT([yes (default)])
AC_DEFINE([USE_IPv6], [1], [Define to 1 to enable IPv6 support])
], [
AC_MSG_RESULT([no])
]
)
# FIPS Mode
AC_MSG_CHECKING([whether to enable FIPS support])
AC_ARG_ENABLE(fips,
[ --disable-fips disable OpenSSL FIPS support],
[
case "$enableval" in
yes) AC_MSG_RESULT([no])
use_fips="yes"
AC_DEFINE([USE_FIPS], [1],
[Define to 1 to enable OpenSSL FIPS support])
;;
no) AC_MSG_RESULT([no])
use_fips="no"
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([bad value \"${enableval}\"])
;;
esac
],
[AC_MSG_RESULT([yes]); AC_DEFINE([USE_IPv6], [1], [Define to 1 to enable IPv6 support])],
[AC_MSG_RESULT([no])]
[
use_fips="auto"
AC_MSG_RESULT([autodetecting])
]
)
# Disable systemd socket activation support
AC_MSG_CHECKING([whether to enable systemd socket activation support])
AC_ARG_ENABLE(systemd,
[ --disable-systemd disable systemd socket activation support],
[
case "$enableval" in
yes) AC_MSG_RESULT([yes])
AC_SEARCH_LIBS([sd_listen_fds], [systemd systemd-daemon])
AC_DEFINE([USE_SYSTEMD], [1],
[Define to 1 to enable systemd socket activation])
;;
no) AC_MSG_RESULT([no])
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([Bad value \"${enableval}\"])
;;
esac
],
[
AC_MSG_RESULT([autodetecting])
# the library name has changed to -lsystemd in systemd 209
AC_SEARCH_LIBS([sd_listen_fds], [systemd systemd-daemon],
[ AC_CHECK_HEADERS([systemd/sd-daemon.h], [
AC_DEFINE([USE_SYSTEMD], [1],
[Define to 1 to enable systemd socket activation])
AC_MSG_NOTICE([systemd support enabled])
], [
AC_MSG_NOTICE([systemd header not found])
]) ], [
AC_MSG_NOTICE([systemd library not found])
])
]
)
# Disable use of libwrap (TCP wrappers)
# it should be the last check!
AC_MSG_CHECKING([whether to disable TCP wrappers library support])
AC_MSG_CHECKING([whether to enable TCP wrappers support])
AC_ARG_ENABLE(libwrap,
[ --disable-libwrap Disable TCP wrappers library support],
[ --disable-libwrap disable TCP wrappers support],
[
case "$enableval" in
yes) AC_MSG_RESULT([no])
AC_DEFINE([HAVE_LIBWRAP], [1], [Define to 1 if you have 'libwrap' library.])
yes) AC_MSG_RESULT([yes])
AC_DEFINE([USE_LIBWRAP], [1],
[Define to 1 to enable TCP wrappers support])
LIBS="$LIBS -lwrap"
;;
no) AC_MSG_RESULT([yes])
no) AC_MSG_RESULT([no])
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([Bad value \"${enableval}\"])
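Review bot: in the `--enable-fips` case, `yes) AC_MSG_RESULT([no])` prints "no" while setting `use_fips="yes"` and defining USE_FIPS; it should be `AC_MSG_RESULT([yes])`. The explicit `--enable-systemd` and `--enable-libwrap` branches define USE_SYSTEMD / USE_LIBWRAP and add the library unconditionally, with no not-found action on `AC_SEARCH_LIBS([sd_listen_fds], [systemd systemd-daemon])` and no link test before `LIBS="$LIBS -lwrap"`, so a missing library only surfaces at link time; give each an `AC_MSG_ERROR` in the not-found branch, as the autodetect paths already report with `AC_MSG_NOTICE`. The IPv6 default flip (on unless `--disable-ipv6`) is sensible but is a user-visible change and belongs in the changelog.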
@ -375,120 +377,93 @@ AC_ARG_ENABLE(libwrap,
valid_LIBS="$LIBS"
LIBS="$valid_LIBS -lwrap"
AC_LINK_IFELSE(
[AC_LANG_PROGRAM(
[
int hosts_access(); int allow_severity, deny_severity;
],
[
hosts_access()
]
)],
[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_LIBWRAP], [1], [Define to 1 if you have 'libwrap' library.])],
[AC_MSG_RESULT([no]); LIBS="$valid_LIBS"]
[
AC_LANG_PROGRAM(
[int hosts_access(); int allow_severity, deny_severity;],
[hosts_access()])
], [
AC_MSG_RESULT([yes]);
AC_DEFINE([USE_LIBWRAP], [1],
[Define to 1 to enable TCP wrappers support])
AC_MSG_NOTICE([libwrap support enabled])
], [
AC_MSG_RESULT([no])
LIBS="$valid_LIBS"
AC_MSG_NOTICE([libwrap library not found])
]
)
]
)
# FIPS Mode
AC_MSG_CHECKING([whether to enable FIPS mode support])
AC_ARG_ENABLE(fips,
[ --enable-fips Enable OpenSSL FIPS mode],
[
case "$enableval" in
yes) AC_MSG_RESULT([yes])
sub_dirs="/ssl/fips /ssl/fips-1.0 /"
fips="yes"
AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS mode])
;;
no) AC_MSG_RESULT([no])
sub_dirs="/ssl /openssl /"
fips="no"
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([bad value \"${enableval}\"])
;;
esac
],
[
sub_dirs="/ssl/fips /ssl/fips-1.0 /ssl /openssl /"
fips="auto"
AC_MSG_RESULT([autodetecting])
]
)
AC_MSG_NOTICE([**************************************** TLS])
AC_MSG_CHECKING([for compiler sysroot])
if test "x$GCC" = "xyes"; then
sysroot=`$CC --print-sysroot 2>/dev/null`
fi
if test -z "$sysroot" -o "x$sysroot" = "x/"; then
sysroot=""
AC_MSG_RESULT([/])
else
AC_MSG_RESULT([$sysroot])
fi
AC_MSG_NOTICE([**************************************** SSL])
check_ssl_dir() { :
SSLDIR="$1"
if test -f "$1/include/openssl/ssl.h"; then
return 0
fi
return 1
test -n "$1" -a -f "$1/include/openssl/ssl.h" && SSLDIR="$1"
}
# Check for SSL directory
AC_MSG_CHECKING([for SSL directory])
AC_ARG_WITH(ssl,
[ --with-ssl=DIR location of installed SSL libraries/include files],
[
check_ssl_dir "$withval"
],
[
for main_dir in /usr/local /usr/lib /usr/pkg /opt/local /opt /usr; do
for sub_dir in $sub_dirs; do
check_ssl_dir "$main_dir$sub_dir" && break 2
done
find_ssl_dir() { :
stunnel_prefix="$prefix"
test "x$stunnel_prefix" = "xNONE" && stunnel_prefix=$ac_default_prefix
for main_dir in "$stunnel_prefix" "/usr/local" "/usr/lib" "/usr/pkg" "/opt/local" "/opt" "/opt/csw" "/usr" ""; do
for sub_dir in "/ssl" "/openssl" "/ossl" ""; do
check_ssl_dir "$sysroot$main_dir$sub_dir" && return
done
]
done
if test -x "/usr/bin/xcrun"; then
sdk_path=`/usr/bin/xcrun --sdk macosx --show-sdk-path`
check_ssl_dir "$sdk_path/usr" && return
fi
check_ssl_dir "/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-migrator/sdk/MacOSX.sdk/usr"
}
SSLDIR=""
AC_MSG_CHECKING([for TLS directory])
AC_ARG_WITH(ssl,
[ --with-ssl=DIR location of installed TLS libraries/include files],
[check_ssl_dir "$withval"],
[find_ssl_dir]
)
if test ! -d "$SSLDIR"; then
if test -z "$SSLDIR"; then
AC_MSG_RESULT([not found])
AC_MSG_ERROR([
Couldn't find your SSL library installation dir
Could not find your TLS library installation dir
Use --with-ssl option to fix this problem
])
fi
AC_MSG_RESULT([$SSLDIR])
AC_SUBST([SSLDIR])
AC_DEFINE_UNQUOTED([SSLDIR], ["$SSLDIR"], [SSL directory])
AC_DEFINE_UNQUOTED([SSLDIR], ["$SSLDIR"], [TLS directory])
valid_CPPFLAGS="$CPPFLAGS"; CPPFLAGS="$CPPFLAGS -I$SSLDIR/include"
valid_LIBS="$LIBS"; LIBS="$LIBS -L$SSLDIR/lib64 -L$SSLDIR/lib -lssl -lcrypto"
AC_CHECK_HEADER([$SSLDIR/include/openssl/engine.h],
[AC_DEFINE([HAVE_OSSL_ENGINE_H], [1], [Define to 1 if you have <engine.h> header file.])],
[AC_MSG_WARN([OpenSSL engine header not found])])
AC_CHECK_HEADER([$SSLDIR/include/openssl/ocsp.h],
[AC_DEFINE([HAVE_OSSL_OCSP_H], [1], [Define to 1 if you have <ocsp.h> header file.])],
[AC_MSG_WARN([OpenSSL ocsp header not found])])
AC_MSG_CHECKING([for FIPS_mode_set])
if test "$fips" = "auto"; then
AC_LINK_IFELSE(
[AC_LANG_PROGRAM(
[
#include <openssl/fips.h>
],
[
FIPS_mode_set(1);
],
)],
[AC_MSG_RESULT([yes])
AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS mode.])
], [
AC_MSG_RESULT([no])
]
)
else
AC_MSG_RESULT([test skipped])
if test "x$use_fips" = "xauto"; then
AC_CHECK_FUNCS(FIPS_mode_set, [
AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS support])
AC_MSG_NOTICE([FIPS support enabled])
], [
AC_MSG_NOTICE([FIPS support not found])
])
fi
CPPFLAGS="$valid_CPPFLAGS"
LIBS="$valid_LIBS"
AC_MSG_NOTICE([**************************************** write the results])
AC_CONFIG_FILES([Makefile src/Makefile src/stunnel3 doc/Makefile tools/Makefile tools/stunnel.conf-sample tools/stunnel.init tools/stunnel.service])
AC_CONFIG_FILES([Makefile src/Makefile doc/Makefile tools/Makefile tests/Makefile])
AC_OUTPUT
AC_MSG_NOTICE([**************************************** success])
# vim:ft=automake
# End of configure.ac
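Review bot: the `AC_CHECK_HEADER` probes for `openssl/engine.h` and `openssl/ocsp.h` that defined `HAVE_OSSL_ENGINE_H` / `HAVE_OSSL_OCSP_H` are removed; if any `#ifdef` on either macro remains in src/, engine or OCSP support is now compiled out silently instead of with the old warning, so grep for both before merging. The `-I$SSLDIR/include` and `-L$SSLDIR/lib64 -L$SSLDIR/lib` added for the `FIPS_mode_set` probe are restored to `valid_CPPFLAGS` / `valid_LIBS` right afterwards, so only the substituted `SSLDIR` reaches the Makefiles and they must add those paths themselves. The hard-coded `swift-migrator/sdk/MacOSX.sdk/usr` fallback is tied to one Xcode layout and will rot; the `xcrun --sdk macosx --show-sdk-path` branch just above it is the portable one.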

debian/README.Debian vendored Normal file (84 lines)

@ -0,0 +1,84 @@
This is the Stunnel 4.x package for Debian.
* Upgrading from stunnel to stunnel4
Stunnel 3 has been deprecated from Debian. The new stunnel4 has a
different command line syntax and configuration. You will need to
update your scripts.
The wrapper script /usr/bin/stunnel3 understands stunnel3 command line
syntax and calls stunnel4 with appropriate options. It appears to
support every stunnel3 option *except* -S (which controls the defaults
used for certificate sources).
* Basic configuration
After installation, you should :
- edit /etc/stunnel/stunnel.conf
- edit /etc/default/stunnel and set ENABLE=1, if you want your
configured tunnels to start automatically on boot.
- generate a certificate for use with stunnel if you want to use server mode
Sergio Rua <srua@debian.org> made a perl front-end for the stunnel
configuration. It is very simple and only includes a couple of configuration
options. This script is located in
/usr/share/doc/stunnel4/contrib/StunnelConf-0.1.pl
It requires libgnome2-perl and libgtk2-perl.
* How to create SSL keys for stunnel
The certificates default directory is /etc/ssl/certs, so cd into that dir
and issue the command:
openssl req -new -x509 -nodes -days 365 -out stunnel.pem -keyout stunnel.pem
Fill in the info requested.
Change 'stunnel.pem' to the name of the certificate you need to
create. stunnel.pem will be used by default by stunnel, but you want
to create different certificates for different services you run with
stunnel. Make sure only root can read the file (or only the user that
needs to read it, if stunnel is run as that user):
chmod 600 stunnel.pem
Now you need to append the DH parameters to the certificate.
First you need to generate some amount of random data:
dd if=/dev/urandom of=temp_file count=2
Use /dev/random if you want a more secure source of data, but make
sure you have enough entropy on you system (the output file should be
at least 512 bytes long).
And now make openssl generate the DH parameters and append them to the
certificate file:
openssl dhparam -rand temp_file 512 >> stunnel.pem
You also want to link the certificate to its hash name so that openssl
can find it also by that means:
ln -sf stunnel.pem `openssl x509 -noout -hash < stunnel.pem`.0
Read the manual page for openssl for more info on the various options.
* FIPS
Since version 4.21 stunnel includes support for OpenSSL's FIPS mode. However,
using it requires stunnel to be compiled statically against OpenSSL and all
supporting libraries. Thus, this option is disabled in the Debian package.
See the OpenSSL FIPS User Guide at
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
and the OpenSSL notes about FIPS 140-2 at
https://www.openssl.org/docs/fips/fipsnotes.html
- Julien LEMOINE <speedblue@debian.org>, Sun, 19 Feb 2006 17:31:24 +0100
-- Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com>, Sat, 30 Oct 2007 14:50:54 z
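Review bot: `openssl dhparam -rand temp_file 512 >> stunnel.pem` tells users to generate 512-bit DH parameters, which is export-grade strength and is rejected by current TLS implementations; the instruction should read `openssl dhparam 2048 >> stunnel.pem` at minimum, and the `dd ... count=2` seeding step can go (its own text says the file should be "at least 512 bytes" while `count=2` writes 1024 bytes at the default block size). The opening "This is the Stunnel 4.x package" is stale for a 5.44 upload. Since `openssl req ... -keyout stunnel.pem` writes the private key into the file before the `chmod 600` step, suggest `umask 077` before running it so the key is never briefly readable by others.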

debian/StunnelConf-0.1.pl vendored Normal file (477 lines)

@ -0,0 +1,477 @@
#!/usr/bin/perl
# Copyright (C) 2004 Sergio Rua <srua@debian.org>
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
# 02111-1307, USA.
#
# On Debian GNU/Linux systems, the complete text of the GNU General
# Public License can be found in `/usr/share/common-licenses/GPL'.
use strict;
use Gtk2;
use Gnome2;
use Gtk2::SimpleList;
use constant TRUE => 1;
use constant FALSE => 0;
# Please configure if necessary!
my $cfgfile = "/etc/stunnel/stunnel.conf";
my $backup_cfg = 1;
my $base_cfg_dir = $cfgfile;$base_cfg_dir=~s/\/stunnel\.conf//g;
# global variables
my $ekey;
my $ecert;
my $verify;
my $app;
my $elog;
my $clientmode;
my $debuglevel;
my $capath;
my $list;
sub mydie
{
my ($msg)=@_;
print "$msg\n";
Gtk2->main_quit;
exit (-1);
}
sub sel_file
{
my ($title,$entry,$isfile)=@_;
my $fsel=Gtk2::FileSelection->new($title);
$fsel->ok_button->signal_connect("clicked",sub {
print "OK: ". $fsel->get_filename."\n";
$entry->set_text($fsel->get_filename);
$fsel->destroy;
});
$fsel->cancel_button->signal_connect("clicked",sub { $fsel->destroy; });
$fsel->show;
}
sub add_connection
{
my $win = new Gtk2::Window("toplevel");
$win->set_position("center");
my $vbox = new Gtk2::VBox( 0, 2 );
$win->add($vbox);
$vbox->show;
my $druid = new Gnome2::Druid;
$druid->signal_connect("cancel", sub { $win->destroy; } );
$vbox->pack_start($druid,0,0,0);
my $druid_start = new Gnome2::DruidPageEdge("GNOME_EDGE_START");
$druid_start->set_title("Connections setup");
$druid_start->set_text("Please follow this configuration wizard to ".
"configure your connections\n");
# $druid_start->set_watermark($logo);
$druid_start->show;
$druid->append_page($druid_start);
# Second Step: accepting connections
my $druid_name = new Gnome2::DruidPageStandard();
$druid_name->set_title("Connection name");
my $dvbox=new Gtk2::VBox(2,2);
my $dtable=new Gtk2::Table(2,2,FALSE);
$dvbox->pack_start($dtable,FALSE,FALSE,0);
my $label=new Gtk2::Label("Enter this connection name");
$dtable->attach($label,0,1,0,1,["fill"],["fill"],0,0);
my $ename=new Gtk2::Entry();
$dtable->attach($ename,1,2,0,1,["fill"],["fill"],0,0);
$druid_name->append_item("",$dvbox,"");
$druid_name->show_all;
# add page to the druid
$druid->append_page($druid_name);
# Second Step: accepting connections
my $druid_accept = new Gnome2::DruidPageStandard();
$druid_accept->set_title("Accepting connections");
my $dvbox=new Gtk2::VBox(2,2);
my $dtable=new Gtk2::Table(2,2,FALSE);
$dvbox->pack_start($dtable,FALSE,FALSE,0);
my $accept_error=new Gtk2::Label("");
$dtable->attach($accept_error,0,1,0,1,["fill"],["fill"],0,0);
my $label=new Gtk2::Label("IP or hostname");
$dtable->attach($label,0,1,1,2,["fill"],["fill"],0,0);
my $eip=new Gtk2::Entry();
$dtable->attach($eip,1,2,1,2,["fill"],["fill"],0,0);
my $label=new Gtk2::Label("Port number");
$dtable->attach($label,0,1,2,3,["fill"],["fill"],0,0);
my $eport=new Gtk2::Entry();
$dtable->attach($eport,1,2,2,3,["fill"],["fill"],0,0);
$druid_accept->append_item("",$dvbox,"");
$druid_accept->show_all;
# add page to the druid
$druid->append_page($druid_accept);
# Third Step: connecting to...
my $druid_connect = new Gnome2::DruidPageStandard();
$druid_connect->set_title("Connection To...");
my $dvbox=new Gtk2::VBox(2,2);
my $dtable=new Gtk2::Table(2,2,FALSE);
$dvbox->pack_start($dtable,FALSE,FALSE,0);
my $label=new Gtk2::Label("IP or hostname");
$dtable->attach($label,0,1,0,1,["fill"],["fill"],0,0);
my $etoip=new Gtk2::Entry();
$dtable->attach($etoip,1,2,0,1,["fill"],["fill"],0,0);
my $label=new Gtk2::Label("Port number");
$dtable->attach($label,0,1,1,2,["fill"],["fill"],0,0);
my $etoport=new Gtk2::Entry();
$dtable->attach($etoport,1,2,1,2,["fill"],["fill"],0,0);
$druid_connect->append_item("",$dvbox,"");
$druid_connect->show_all;
# add page to the druid
$druid->append_page($druid_connect);
# Finishing and adding connection
my $druid_finish = new Gnome2::DruidPageEdge("GNOME_EDGE_FINISH");
$druid_finish->set_title("Configuration Finished.");
$druid_finish->set_text("The configuration has been finished. Click to either save or cancel");
# $druid_finish->set_logo($logo2);
$druid_finish->signal_connect("finish", sub {
my $acip=$eip->get_text();
my $acport=$eport->get_text();
my $coip=$etoip->get_text();
my $coport=$etoport->get_text();
my $dslist = $list->{data};
push @$dslist, [ $ename->get_text(), $acip.":".$acport, $coip.":".$coport ];
$win->destroy;
});
$druid_finish->show;
$druid->append_page($druid_finish);
$druid->show;
$win->show;
}
sub load_config_file
{
my $con=$list->{data};
my $name="";
my $accept="";
my $connect="";
if (! -s $cfgfile) {
print "Config file not found. Starting from scratch!\n";
return (0);
}
open F, "<$cfgfile" or die "$cfgfile: $!\n";
while (<F>) {
$_=~s/\n//g;
if ($_=~/^cert.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$ecert->set_text($value);
} elsif ($_=~/^key.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$ekey->set_text($value);
} elsif ($_=~/^verify.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
if ($value==1) {
$verify->entry->set_text("verify peer certificate if present");
} elsif ($value==2) {
$verify->entry->set_text("verify peer certificate");
} elsif ($value==3) {
$verify->entry->set_text("verify peer with locally installed certificate");
} else {
$verify->entry->set_text("no verify");
}
} elsif ($_=~/^client.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$clientmode->entry->set_text($value);
} elsif ($_=~/^(capath|CApath).*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$capath->set_text($value);
} elsif ($_=~/^debug.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$debuglevel->entry->set_text($value);
} elsif ($_=~/^output.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$elog->set_text($value);
} elsif ($_=~/^\[.*/) {
$_=~s/\[//g;
$_=~s/\]//g;
$name=$_;
} elsif ($_=~/^accept.*=.*/) {
(undef,$accept) = split "=",$_;
$accept=~s/(\ |\t)//g;
} elsif ($_=~/^connect.*=.*/) {
(undef,$connect) = split "=",$_;
$connect=~s/(\ |\t)//g;
}
# load connection
if (($accept) && ($name) && ($connect)) {
push @$con, [ $name, $accept, $connect ];
$name=$connect=$accept="";
}
}
close F;
}
sub save_config_file
{
if ($backup_cfg) {
chdir ($base_cfg_dir);
rename($cfgfile,$cfgfile.".$$") or
print "Error at \n$cfgfile: $!\nNo backup made!\n";
}
open O, ">$cfgfile" or
mydie "Cannot open config file: $!\n";
print "Saving $cfgfile\n\n\n";
print O "# Configuration file created by \"stunnelconf\" by ".
"Sergio Rua <srua\@debian.org>\n\n";
if ($ekey->get_text()) {
print O "key = ".$ekey->get_text()."\n";
}
if ($ecert->get_text()) {
print O "cert = ".$ecert->get_text()."\n";
}
print O "verify = ".$verify->entry->get_text()."\n";
print O "output = ".$elog->get_text()."\n";
print O "client = ".$clientmode->entry->get_text()."\n";
print O "debug = ".$debuglevel->entry->get_text()."\n";
print O "CApath = ".$capath->get_text()."\n";
print O "\n\n"; # just some spaces
my @rowref = @{$list->{data}};
my $i=0;
for $i (0 .. $#rowref) {
print O "[".$rowref[$i][0] . "]\n";
# if no hostname, ugly ":" to be removed
$rowref[$i][1]=~s/^://g;
$rowref[$i][2]=~s/^://g;
print O "accept = ".$rowref[$i][1] . "\n";
print O "connect = ".$rowref[$i][2] . "\n";
print O "\n"; # just some spaces
}
close O;
Gtk2->main_quit;
return 0;
}
sub create_main_win
{
$app = Gnome2::App->new ("stunnel-conf");
$app->set_default_size(470,410);
$app->signal_connect( 'destroy' => sub { Gtk2->main_quit; } );
$app->set_title("Stunnel Configuration");
my $vbox=Gtk2::VBox->new(FALSE,0);
my $frame=Gtk2::Frame->new("Common options");
$vbox->pack_start($frame,TRUE, TRUE, 0);
my $table=Gtk2::Table->new(6, 2, FALSE);
$frame->add($table);
my $label0=Gtk2::Label->new("Private Key");
$table->attach($label0,0,1,0,1,["fill"],["fill"],0,0);
my $label1=Gtk2::Label->new("Certificate");
$table->attach($label1,0,1,1,2,["fill"],["fill"],0,0);
my $label2=Gtk2::Label->new("Verify level");
$table->attach($label2,0,1,2,3,["fill"],["fill"],0,0);
my $label3=Gtk2::Label->new("Log output");
$table->attach($label3,0,1,3,4,["fill"],["fill"],0,0);
my $label4=Gtk2::Label->new("Client mode");
$table->attach($label4,0,1,4,5,["fill"],["fill"],0,0);
my $label5=Gtk2::Label->new("Debug level");
$table->attach($label5,0,1,5,6,["fill"],["fill"],0,0);
my $label6=Gtk2::Label->new("Certificates path");
$table->attach($label6,0,1,6,7,["fill"],["fill"],0,0);
# Private Key
my $hbox0=Gtk2::HBox->new(FALSE,0);
$table->attach($hbox0,1,2,0,1,["fill"],["fill"],0,0);
$ekey=Gtk2::Entry->new();
$hbox0->pack_start($ekey,TRUE,TRUE,0);
my $bkey=Gtk2::Button->new_from_stock("gtk-open");
$bkey->signal_connect("clicked",sub {
sel_file("Select private key",$ekey);
});
$hbox0->pack_start($bkey,FALSE,FALSE,0);
# Certificate
my $hbox1=Gtk2::HBox->new(FALSE,0);
$table->attach($hbox1,1,2,1,2,["fill"],["fill"],0,0);
$ecert=Gtk2::Entry->new();
$hbox1->pack_start($ecert,TRUE,TRUE,0);
my $bcert=Gtk2::Button->new_from_stock("gtk-open");
$bcert->signal_connect("clicked",sub {
sel_file("Select certificate",$ecert);
});
$hbox1->pack_start($bcert,FALSE,FALSE,0);
# Auth level - verify
$verify = Gtk2::Combo->new();
$verify->entry->set_text("no verify");
$verify->set_popdown_strings(("no verify",
"verify peer certificate if present",
"verify peer certificate",
"verify peer with locally installed certificate"));
$table->attach($verify,1,2,2,3,["fill"],["fill"],0,0);
# Log output
my $hbox2=Gtk2::HBox->new(FALSE,0);
$table->attach($hbox2,1,2,3,4,["fill"],["fill"],0,0);
$elog=Gtk2::Entry->new();
$hbox2->pack_start($elog,TRUE,TRUE,0);
my $blog=Gtk2::Button->new_from_stock("gtk-open");
$blog->signal_connect("clicked",sub {
sel_file("Select log file",$elog);
});
$hbox2->pack_start($blog,FALSE,FALSE,0);
# Client mode
$clientmode = Gtk2::Combo->new();
$clientmode->entry->set_text("no verify");
$clientmode->set_popdown_strings(("yes","no"));
$table->attach($clientmode,1,2,4,5,["fill"],["fill"],0,0);
# Debug level
$debuglevel = Gtk2::Combo->new();
$debuglevel->entry->set_text("no verify");
$debuglevel->set_popdown_strings(("0","1","5","7"));
$table->attach($debuglevel,1,2,5,6,["fill"],["fill"],0,0);
# CA path
my $hbox3=Gtk2::HBox->new(FALSE,0);
$table->attach($hbox3,1,2,6,7,["fill"],["fill"],0,0);
$capath=Gtk2::Entry->new();
$hbox3->pack_start($capath,TRUE,TRUE,0);
# my $bcapath=Gtk2::Button->new_from_stock("gtk-open");
# $bcapath->signal_connect("clicked",sub {
# sel_file("Select Certificates Path",$capath);
# });
# $hbox3->pack_start($bcapath,FALSE,FALSE,0);
# connections section
my $frame2=Gtk2::Frame->new("Connections");
$vbox->pack_start($frame2,TRUE, TRUE, 0);
my $hbox4=Gtk2::HBox->new(FALSE,0);
$list=Gtk2::SimpleList->new (
'Name' => 'text',
'Accept' => 'text',
'Connect' => 'text',
);
# $list->get_selection->set_mode ('multiple');
my $scwin = Gtk2::ScrolledWindow->new;
$scwin->set_policy (qw/automatic automatic/);
$scwin->add($list);
$hbox4->pack_start($scwin,TRUE,TRUE,0);
# list buttons
my $vbbox=Gtk2::VButtonBox->new();
$vbbox->set_layout('spread');
my $badd = Gtk2::Button->new_from_stock('gtk-add');
$badd->signal_connect( 'clicked' => sub { add_connection; } );
$vbbox->add($badd);
# my $bedit = Gtk2::Button->new_from_stock('gtk-properties');
# $bedit->signal_connect( 'clicked' => sub {
# print "Edit\n";
# } );
# $vbbox->add($bedit);
my $brem = Gtk2::Button->new_from_stock('gtk-remove');
$brem->signal_connect( 'clicked' => sub {
my @sel = $list->get_selected_indices;
print @sel;
foreach my $i (@sel) {
delete $list->{data}[$i];
}
} );
$vbbox->add($brem);
$hbox4->pack_start($vbbox,FALSE,FALSE,0);
# main buttons!!!
my $bbox=Gtk2::HButtonBox->new();
$bbox->set_layout('spread');
my $bok = Gtk2::Button->new_from_stock('gtk-ok');
$bok->signal_connect( 'clicked' => sub { save_config_file; } );
$bbox->add($bok);
my $bcancel = Gtk2::Button->new_from_stock('gtk-cancel');
$bcancel->signal_connect( 'clicked' => sub { Gtk2->main_quit;} );
$bbox->add($bcancel);
$vbox->pack_start($bbox,FALSE,FALSE,0);
$frame2->add($hbox4);
# App contents and show them
$app->set_contents($vbox);
$app->show_all;
}
#
# MAIN MAIN MAIN
#
#
Gnome2::Program->init ("stunnelconf", "0.1");
$app=create_main_win;
load_config_file;
Gtk2->main;
exit 0;
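Review bot: the config round-trip between load_config_file and save_config_file does not agree. load_config_file maps a numeric `verify = 1/2/3` to a label string, but save_config_file writes that label back verbatim (`print O "verify = ".$verify->entry->get_text()."\n";`), so a saved file ends up with `verify = verify peer certificate` instead of the numeric level stunnel expects. Likewise the client-mode and debug-level combos are initialised with the placeholder `"no verify"` in create_main_win (`$clientmode->entry->set_text("no verify");`, `$debuglevel->entry->set_text("no verify");`), which is then written out as `client = no verify` and `debug = no verify` whenever the user does not touch them; a lookup table from label to numeric level, and defaults taken from the popdown lists (`no`, and one of the listed debug levels), would fix both. Two smaller points in the same file: the remove button uses `delete $list->{data}[$i]`, which leaves an undef hole in the array rather than dropping the row (use `splice`), and `print @sel;` looks like leftover debugging output.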

1324
debian/changelog vendored Normal file

File diff suppressed because it is too large

6
debian/clean vendored Normal file

@ -0,0 +1,6 @@
build-stamp
debian/stunnel4.init
doc/stunnel.8
doc/stunnel.html
doc/stunnel4.8
doc/stunnel4.pl.8

1
debian/compat vendored Normal file

@ -0,0 +1 @@
10

45
debian/control vendored Normal file

@ -0,0 +1,45 @@
Source: stunnel4
Section: net
Priority: optional
Build-Depends:
debhelper (>= 10),
autoconf-archive,
libssl-dev,
libsystemd-dev [linux-any],
libwrap0-dev,
netcat-traditional,
openssl,
net-tools,
procps
Maintainer: Peter Pentchev <roam@ringlet.net>
Uploaders: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Standards-Version: 4.1.1
Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/stunnel.git
Vcs-Git: https://anonscm.debian.org/git/collab-maint/stunnel.git
Homepage: https://www.stunnel.org/
Rules-Requires-Root: no
Package: stunnel4
Architecture: any
Provides: stunnel
Depends:
${shlibs:Depends},
${misc:Depends},
${perl:Depends},
lsb-base,
netbase,
openssl
Pre-Depends: adduser
Suggests: logcheck-database
Description: Universal SSL tunnel for network daemons
The stunnel program is designed to work as SSL encryption
wrapper between remote client and local (inetd-startable) or
remote server. The concept is that having non-SSL aware daemons
running on your system you can easily setup them to
communicate with clients over secure SSL channel.
.
stunnel can be used to add SSL functionality to commonly
used inetd daemons like POP-2, POP-3 and IMAP servers
without any changes in the programs' code.
.
This package contains a wrapper script for compatibility with stunnel 3.x

59
debian/copyright vendored Normal file

@ -0,0 +1,59 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: stunnel
Upstream-Contact: Michal Trojnara <Michal.Trojnara@stunnel.org>
Source: https://www.stunnel.org/downloads.html
License: GPL-2+-openssl
Files: *
Copyright:
(C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
(c) 2014 Mark Theunissen
License: GPL-2+-openssl
Files: src/stunnel3.in
Copyright: (C) 2004-2012 Michal Trojnara <Michal.Trojnara@stunnel.org>
License: GPL-2+
Files: debian/*
Copyright:
(C) 1998-2001 Paolo Molaro <lupus@debian.org>
(C) 2003-2007 Julien Lemoine <speedblue@debian.org>
(C) 2007-2012 Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
(C) 2013 Salvatore Bonaccorso <carnil@debian.org>
(C) 2014-2017 Peter Pentchev <roam@ringlet.net>
License: GPL-2+-openssl
License: GPL-2+-openssl
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
.
On Debian systems, the complete text of the GNU General Public License
can be found in file "/usr/share/common-licenses/GPL-2".
.
Linking stunnel statically or dynamically with other modules is making
a combined work based on stunnel. Thus, the terms and conditions of the
GNU General Public License cover the whole combination.
.
In addition, as a special exception, the copyright holder of stunnel gives you
permission to combine stunnel with free software programs or libraries that
are released under the GNU LGPL and with code included in the standard release
of OpenSSL under the OpenSSL License (or modified versions of such code, with
unchanged license). You may copy and distribute such a system following the
terms of the GNU GPL for stunnel and the licenses of the other code concerned.
.
Note that people who make modified versions of stunnel are not obligated to
grant this special exception for their modified versions; it is their choice
whether to do so. The GNU General Public License gives permission to release
a modified version without this exception; this exception also makes it
possible to release a modified version which carries forward this exception.
License: GPL-2+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
.
On Debian systems, the complete text of the GNU General Public License
can be found in file "/usr/share/common-licenses/GPL-2".

1
debian/dirs vendored Normal file

@ -0,0 +1 @@
etc/stunnel

10
debian/doc-base vendored Normal file

@ -0,0 +1,10 @@
Document: stunnel4
Title: Stunnel documentation
Author: Michal Trojnara
Abstract: This manual documents stunnel, a SSL-enhanced client and
server wrapper.
Section: System/Security
Format: HTML
Index: /usr/share/doc/stunnel4/stunnel.html
Files: /usr/share/doc/stunnel4/stunnel*.html

4
debian/docs vendored Normal file

@ -0,0 +1,4 @@
BUGS
NEWS
README
TODO

38
debian/patches/01-fix-paths.patch vendored Normal file

@ -0,0 +1,38 @@
Description: Update the installation directories.
Change @prefix@/... to @localstatedir@ or @sysconfdir@ as appropriate
to comply with the FHS
Forwarded: not-needed
Author: Paolo Molaro <lupus@debian.org>
Author: Julien Lemoine <speedblue@debian.org>
Author: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
Last-Update: 2016-07-06
--- a/tools/stunnel.conf-sample.in
+++ b/tools/stunnel.conf-sample.in
@@ -64,7 +64,7 @@
accept = 127.0.0.1:110
connect = pop.gmail.com:995
verifyChain = yes
-CApath = /etc/ssl/certs
+CApath = @sysconfdir/ssl/certs
checkHost = pop.gmail.com
OCSPaia = yes
@@ -73,7 +73,7 @@
accept = 127.0.0.1:143
connect = imap.gmail.com:993
verifyChain = yes
-CApath = /etc/ssl/certs
+CApath = @sysconfdir/ssl/certs
checkHost = imap.gmail.com
OCSPaia = yes
@@ -82,7 +82,7 @@
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
verifyChain = yes
-CApath = /etc/ssl/certs
+CApath = @sysconfdir/ssl/certs
checkHost = smtp.gmail.com
OCSPaia = yes
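Review bot: the three added lines `+CApath = @sysconfdir/ssl/certs` are missing the closing `@` of the autoconf substitution; every other substitution in this patch series is written `@sysconfdir@` (02-rename-binary.patch) or `@localstatedir@` (03-runas-user.patch). As written, configure leaves the literal text `@sysconfdir/ssl/certs` in the generated sample config, so the three example sections that set `verifyChain = yes` point at a CA directory that does not exist and cannot find any trusted certificates. Should read `+CApath = @sysconfdir@/ssl/certs` in all three hunks.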

103
debian/patches/02-rename-binary.patch vendored Normal file

@ -0,0 +1,103 @@
Description: Change references to the binary from stunnel to stunnel4
Forwarded: not-needed
Author: Julien Lemoine <speedblue@debian.org>
Author: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
Last-Update: 2017-09-23
--- a/src/stunnel3.in
+++ b/src/stunnel3.in
@@ -22,7 +22,7 @@
use Getopt::Std;
# Configuration - path to stunnel (version >=4.05)
-$stunnel_bin='@bindir@/stunnel';
+$stunnel_bin='@bindir@/stunnel4';
# stunnel3 script body begins here
($read_fd, $write_fd)=POSIX::pipe();
--- a/tools/stunnel.init.in
+++ b/tools/stunnel.init.in
@@ -1,6 +1,6 @@
#! /bin/sh -e
### BEGIN INIT INFO
-# Provides: stunnel
+# Provides: stunnel4
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Should-Start: $syslog
@@ -21,8 +21,8 @@
. /lib/lsb/init-functions
-DEFAULTPIDFILE="/var/run/stunnel.pid"
-DAEMON=@bindir@/stunnel
+DEFAULTPIDFILE="/var/run/stunnel4.pid"
+DAEMON=@bindir@/stunnel4
NAME=stunnel
DESC="TLS tunnels"
OPTIONS=""
@@ -49,9 +49,9 @@
startdaemons() {
local res file args pidfile warn status
- if ! [ -d /var/run/stunnel ]; then
- rm -rf /var/run/stunnel
- install -d -o stunnel -g stunnel /var/run/stunnel
+ if ! [ -d /var/run/stunnel4 ]; then
+ rm -rf /var/run/stunnel4
+ install -d -o stunnel4 -g stunnel4 /var/run/stunnel4
fi
if [ -n "$RLIMITS" ]; then
ulimit $RLIMITS
@@ -141,9 +141,9 @@
OPTIONS="-- $OPTIONS"
fi
-[ -f @sysconfdir@/default/stunnel ] && . @sysconfdir@/default/stunnel
+[ -f @sysconfdir@/default/stunnel4 ] && . @sysconfdir@/default/stunnel4
if [ "$ENABLED" = "0" ] ; then
- echo "$DESC disabled, see @sysconfdir@/default/stunnel"
+ echo "$DESC disabled, see @sysconfdir@/default/stunnel4"
exit 0
fi
--- a/tools/script.sh
+++ b/tools/script.sh
@@ -2,7 +2,7 @@
REMOTE_HOST="www.mirt.net:443"
echo "client script connecting $REMOTE_HOST"
-/usr/local/bin/stunnel -fd 10 \
+/usr/bin/stunnel4 -fd 10 \
11<&0 <<EOT 10<&0 0<&11 11<&-
client=yes
connect=$REMOTE_HOST
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -15,11 +15,11 @@
.pod.in.8.in:
pod2man -u -n stunnel -s 8 -r $(VERSION) \
- -c "stunnel TLS Proxy" -d `date +%Y.%m.%d` $< $@
+ -c "stunnel4 TLS Proxy" -d `date +%Y.%m.%d` $< $@
.pod.in.html.in:
pod2html --index --backlink --header \
- --title "stunnel TLS Proxy" --infile=$< --outfile=$@
+ --title "stunnel4 TLS Proxy" --infile=$< --outfile=$@
rm -f pod2htmd.tmp pod2htmi.tmp
edit = sed \
--- a/doc/stunnel.pl.8.in
+++ b/doc/stunnel.pl.8.in
@@ -70,8 +70,8 @@
.rr rF
.\" ========================================================================
.\"
-.IX Title "stunnel 8"
-.TH stunnel 8 "2017.04.01" "5.42" "stunnel TLS Proxy"
+.IX Title "stunnel4 8"
+.TH stunnel 8 "2017.04.01" "5.42" "stunnel4 TLS Proxy"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
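Review bot: in the doc/stunnel.pl.8.in hunk only the `.IX Title` and the footer string change to stunnel4, while the `.TH stunnel 8 ...` name argument stays `stunnel`, so the rendered page still reads STUNNEL(8) even though debian/rules links it as doc/stunnel4.pl.8; change the `.TH` name as well if the rename is meant to be visible there. Also note that this hunk patches a generated file with the version string `"5.42"` and the date `"2017.04.01"` baked in, so it will need refreshing on every upstream release; patching the .pod.in source the way the doc/Makefile.am hunk does would avoid that.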

19
debian/patches/03-runas-user.patch vendored Normal file

@ -0,0 +1,19 @@
Description: Change the default user the binary will run as to stunnel4
Forwarded: not-needed
Author: Julien Lemoine <speedblue@debian.org>
Author: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
Last-Update: 2015-06-13
--- a/tools/stunnel.conf-sample.in
+++ b/tools/stunnel.conf-sample.in
@@ -8,8 +8,8 @@
; **************************************************************************
; It is recommended to drop root privileges if stunnel is started by root
-;setuid = nobody
-;setgid = @DEFAULT_GROUP@
+;setuid = stunnel4
+;setgid = stunnel4
; PID file is created inside the chroot jail (if enabled)
;pid = @localstatedir@/run/stunnel.pid
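Review bot: the replacement lines `+;setuid = stunnel4` and `+;setgid = stunnel4` are still commented out, so the shipped sample config does not drop privileges even though debian/postinst creates the stunnel4 account for exactly that purpose; either uncomment them in the Debian sample, or state in the patch header that the default remains running as root. The unchanged context line `;pid = @localstatedir@/run/stunnel.pid` also no longer matches the `stunnel4.pid` default that 04-restore-pidfile-default.patch compiles in, so the commented example is now misleading.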


@ -0,0 +1,44 @@
Description: Temporarily restore the pid file creation by default.
The init script will not be able to monitor the automatically-started
instances of stunnel if there is no pid file. For the present for the
upgrade from 4.53 the "create the pid file by default" behavior is
restored and the init script warns about configuration files that have
no "pid" setting. The intention is that in a future version the init
script will refuse to start stunnel for these configurations.
Forwarded: not-needed
Author: Peter Pentchev <roam@ringlet.net>
Bug-Debian: https://bugs.debian.org/744851
Last-Update: 2017-07-03
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -44,6 +44,7 @@
stunnel_CPPFLAGS += -I$(SSLDIR)/include
stunnel_CPPFLAGS += -DLIBDIR='"$(pkglibdir)"'
stunnel_CPPFLAGS += -DCONFDIR='"$(sysconfdir)/stunnel"'
+stunnel_CPPFLAGS += -DPIDFILE='"$(localstatedir)/run/stunnel4.pid"'
# TLS library
stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto
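Review bot: `+stunnel_CPPFLAGS += -DPIDFILE='"$(localstatedir)/run/stunnel4.pid"'` duplicates the `DEFAULTPIDFILE="/var/run/stunnel4.pid"` that 02-rename-binary.patch hardcodes in tools/stunnel.init.in; the two only agree because localstatedir happens to be /var. Since the init script is already a configure template (it uses `@sysconfdir@/default/stunnel4`), deriving its default from `@localstatedir@` as well would keep the two from drifting apart.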
--- a/src/options.c
+++ b/src/options.c
@@ -917,7 +917,7 @@
#ifndef USE_WIN32
switch(cmd) {
case CMD_BEGIN:
- new_global_options.pidfile=NULL; /* do not create a pid file */
+ new_global_options.pidfile=PIDFILE;
break;
case CMD_EXEC:
if(strcasecmp(opt, "pid"))
@@ -932,9 +932,10 @@
case CMD_FREE:
break;
case CMD_DEFAULT:
+ s_log(LOG_NOTICE, "%-22s = %s", "pid", PIDFILE);
break;
case CMD_HELP:
- s_log(LOG_NOTICE, "%-22s = pid file", "pid");
+ s_log(LOG_NOTICE, "%-22s = pid file (empty to disable creating)", "pid");
break;
}
#endif
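Review bot: the CMD_HELP text now promises `pid file (empty to disable creating)`, but nothing in this hunk implements that: the visible CMD_EXEC branch only checks `strcasecmp(opt, "pid")` and the value handling lies outside the diff, so confirm that an empty `pid =` really sets `new_global_options.pidfile` back to NULL rather than to an empty path that stunnel would then try to create. Also, `PIDFILE` becomes a hard compile-time requirement of options.c but is only supplied by the src/Makefile.am hunk; an `#ifndef PIDFILE` fallback to NULL would keep the file building with other build setups.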

16
debian/patches/05-author-tests.patch vendored Normal file

@ -0,0 +1,16 @@
Description: Only build the Win32 executables if requested.
Author: Peter Pentchev <roam@ringlet.net>
Forwarded: not yet
Last-Update: 2015-11-11
--- a/configure.ac
+++ b/configure.ac
@@ -8,7 +8,7 @@
AC_CONFIG_SRCDIR([src/stunnel.c])
AM_INIT_AUTOMAKE
-AM_CONDITIONAL([AUTHOR_TESTS], [test -d ".git"])
+AM_CONDITIONAL([AUTHOR_TESTS], [test -n "$AUTHOR_TESTS"])
AC_CANONICAL_HOST
AC_SUBST([host])
AC_DEFINE_UNQUOTED([HOST], ["$host"], [Host description])

71
debian/patches/07-path-max.patch vendored Normal file

@ -0,0 +1,71 @@
Description: Allocate the config filename dynamically.
Avoid the use of PATH_MAX which may not be defined.
Forwarded: not-yet
Author: Peter Pentchev <roam@ringlet.net>
Last-Update: 2017-07-03
--- a/src/common.h
+++ b/src/common.h
@@ -94,7 +94,6 @@
typedef int ssize_t;
#endif /* _WIN64 */
#endif /* !__MINGW32__ */
-#define PATH_MAX MAX_PATH
#define USE_IPv6
#define _CRT_SECURE_NO_DEPRECATE
#define _CRT_NONSTDC_NO_DEPRECATE
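Review bot: dropping `-#define PATH_MAX MAX_PATH` from the MinGW section of common.h is only safe if options.c was the sole user of PATH_MAX on Windows; this patch touches options.c and prototypes.h only, so check the Win32 sources for other PATH_MAX uses before applying, or leave the define in place since it is harmless once options.c stops using it.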
--- a/src/options.c
+++ b/src/options.c
@@ -211,7 +211,7 @@
NOEXPORT char **argalloc(char *);
#endif
-char configuration_file[PATH_MAX];
+char *configuration_file;
GLOBAL_OPTIONS global_options;
SERVICE_OPTIONS service_options;
@@ -289,17 +289,27 @@
}
#ifdef HAVE_REALPATH
+ char *nconf;
if(type==CONF_FILE) {
- if(!realpath(name, configuration_file)) {
+ nconf = realpath(name, NULL);
+ if(nconf == NULL) {
s_log(LOG_ERR, "Invalid configuration file name \"%s\"", name);
ioerror("realpath");
return 1;
}
- return options_parse(type);
- }
+ free(configuration_file);
+ } else
#endif
- strncpy(configuration_file, name, PATH_MAX-1);
- configuration_file[PATH_MAX-1]='\0';
+ {
+ size_t sz = strlen(name) + 1;
+ nconf = realloc(configuration_file, sz);
+ if(nconf == NULL) {
+ s_log(LOG_ERR, "Could not allocate memory");
+ return 1;
+ }
+ snprintf(nconf, sz, "%s", name);
+ }
+ configuration_file = nconf;
return options_parse(type);
}
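Review bot: `+    char *nconf;` is declared inside the `#ifdef HAVE_REALPATH` region but used after the matching `#endif` (`nconf = realloc(configuration_file, sz);` and `configuration_file = nconf;`), so a build without HAVE_REALPATH no longer compiles; move the declaration above the `#ifdef`. Two further points: `realpath(name, NULL)` relies on the POSIX.1-2008 allocating form, which older libc implementations do not support, so the HAVE_REALPATH probe should test for that form specifically; and because `configuration_file` is now heap-owned, the patch header should say whether it is intentionally never freed at exit (harmless, but worth stating so it is not reported as a leak later).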
--- a/src/prototypes.h
+++ b/src/prototypes.h
@@ -430,7 +430,7 @@
/**************************************** prototypes for options.c */
-extern char configuration_file[PATH_MAX];
+extern char *configuration_file;
extern unsigned number_of_sections;
int options_cmdline(char *, char *);

76
debian/patches/09-try-restart.patch vendored Normal file

@ -0,0 +1,76 @@
Description: Implement try-restart in the SysV init script.
Forwarded: not-yet
Author: Peter Pentchev <roam@ringlet.net>
Last-Update: 2017-07-03
--- a/tools/stunnel.init.in
+++ b/tools/stunnel.init.in
@@ -137,6 +137,47 @@
exit "$res"
}
+restartrunningdaemons()
+{
+ local res file pidfile status args
+
+ res=0
+ for file in $FILES; do
+ echo -n " $file: "
+ pidfile=`get_pidfile "$file"`
+ if [ ! -e "$pidfile" ]; then
+ echo -n 'no pid file'
+ else
+ status=0
+ pidofproc -p "$pidfile" "$DAEMON" >/dev/null || status="$?"
+ if [ "$status" = 0 ]; then
+ echo -n 'stopping'
+ killproc -p "$pidfile" "$DAEMON" "$sig" || status="$?"
+ if [ "$status" -eq 0 ]; then
+ echo -n ' starting'
+ args="$file $OPTIONS"
+ start_daemon -p "$pidfile" "$DAEMON" $args || status="$?"
+ if [ "$status" -eq 0 ]; then
+ echo -n ' started'
+ else
+ echo ' failed'
+ res=1
+ fi
+ else
+ echo -n ' failed'
+ res=1
+ fi
+ elif [ "$status" = 4 ]; then
+ echo "cannot access the pid file $pidfile"
+ else
+ echo -n 'stopped'
+ fi
+ fi
+ done
+ echo ''
+ exit "$res"
+}
+
if [ "x$OPTIONS" != "x" ]; then
OPTIONS="-- $OPTIONS"
fi
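Review bot: in `restartrunningdaemons` the call `killproc -p "$pidfile" "$DAEMON" "$sig"` references `$sig`, which is neither in the function's `local` list nor assigned anywhere in it, so killproc receives an empty signal argument, which the LSB helper treats as the default TERM; if a specific signal is intended set it explicitly, otherwise drop the argument so the intent is clear. Minor: the status checks mix `[ "$status" = 0 ]` and `[ "$status" -eq 0 ]`; pick one form.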
@@ -194,6 +235,11 @@
killdaemons && startdaemons
res=$?
;;
+ try-restart)
+ echo -n "Restarting $DESC if running:"
+ restartrunningdaemons
+ res=$?
+ ;;
status)
echo -n "$DESC status:"
querydaemons
@@ -201,7 +247,7 @@
;;
*)
N=@sysconfdir@/init.d/$NAME
- echo "Usage: $N {start|stop|status|reload|reopen-logs|restart} [<stunnel instance>]" >&2
+ echo "Usage: $N {start|stop|status|reload|reopen-logs|restart|try-restart} [<stunnel instance>]" >&2
res=1
;;
esac

7
debian/patches/series vendored Normal file

@ -0,0 +1,7 @@
01-fix-paths.patch
02-rename-binary.patch
03-runas-user.patch
04-restore-pidfile-default.patch
05-author-tests.patch
07-path-max.patch
09-try-restart.patch

67
debian/postinst vendored Normal file

@ -0,0 +1,67 @@
#!/bin/sh
set -e
USER="stunnel4"
CHOWN="/bin/chown"
#USERDEL="/usr/sbin/userdel"
ADDUSER="/usr/sbin/adduser"
ID="/usr/bin/id"
GROUPMOD="/usr/sbin/groupmod"
#GROUPDEL="/usr/sbin/groupdel"
###
# 1. get current stunnel uid and gid if user exists.
set -e
if $ID $USER > /dev/null 2>&1; then
IUID=`$ID --user $USER`
IGID=`$ID --group $USER`
else
IUID="NONE"
IGID="NONE"
fi
###
# 2. Ensure that no standard account or group will remain before adding the
# new user
#if [ "$IUID" != "NONE" ]; then # remove existing user
# $USERDEL $USER
#fi
#if $GROUPMOD $USER > /dev/null 2>&1; then
# $GROUPDEL $USER;
#fi
if [ "$IUID" = "NONE" ]; then
$ADDUSER --system --disabled-password --disabled-login \
--home /var/run/stunnel4 \
--no-create-home --group $USER
fi
# /var/run/stunnel4 is not a directory, create it...
if ! test -d /var/run/stunnel4; then
rm -rf /var/run/stunnel4;
mkdir /var/run/stunnel4
fi
$CHOWN $USER:$USER /var/run/stunnel4 || true
# /var/log/stunnel4 is not a directory, create it...
if ! test -d /var/log/stunnel4; then
rm -rf /var/log/stunnel4;
mkdir /var/log/stunnel4
fi
$CHOWN -R $USER:$USER /var/log/stunnel4
# /var/lib/stunnel4 is not a directory, create it...
if ! test -d /var/lib/stunnel4; then
rm -rf /var/lib/stunnel4;
mkdir /var/lib/stunnel4
fi
$CHOWN -R $USER:$USER /var/lib/stunnel4
if ! test -f /var/log/stunnel4/stunnel.log; then
touch /var/log/stunnel4/stunnel.log
$CHOWN -R $USER:$USER /var/log/stunnel4/stunnel.log
fi
#DEBHELPER#
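Review bot: the `$CHOWN -R $USER:$USER /var/log/stunnel4` and `$CHOWN -R $USER:$USER /var/lib/stunnel4` calls recursively re-own trees that the unprivileged stunnel4 account already owns and writes to (/var/lib/stunnel4 is also the chroot directory according to debian/postrm). A recursive chown run as root over a tree controlled by the service account is a long-standing hardening concern in maintainer scripts and is unnecessary here: chown only the directory itself and the single log file, without `-R`. Smaller points: `set -e` appears twice, `IGID` and `GROUPMOD` are computed/defined but only used in commented-out code, and `$CHOWN $USER:$USER /var/run/stunnel4 || true` silently ignores a failure that the following lines do not tolerate.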

17
debian/postrm vendored Normal file

@ -0,0 +1,17 @@
#!/bin/sh
set -e
if [ x$1 = "xpurge" ]; then
echo You may want to delete the generated stunnel.pem file
echo in /etc/ssl/certs.
# Remove chroot dir if present. It may contain logfiles
rm -rf /var/lib/stunnel4 || true
# Log files must be removed on purge (Policy 10.8)
rm -f /var/log/stunnel4/stunnel.log* || true
rmdir /var/log/stunnel4 || true
fi
#DEBHELPER#

79
debian/rules vendored Executable file

@ -0,0 +1,79 @@
#!/usr/bin/make -f
# -*- makefile -*-
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
# debian/rules file for the Debian GNU/Linux stunnel package
# Copyright 2003 by Julien LEMOINE <speedblue@debian.org>
# Copyright 2014 by Peter Pentchev <roam@ringlet.net>
ifeq (,$(filter nodoc,$(DEB_BUILD_OPTIONS) $(DEB_BUILD_PROFILES)))
DEB_NODOC=0
else
DEB_NODOC=1
endif
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
export DEB_CFLAGS_MAINT_APPEND=-Wall
multiarch_path= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
override_dh_auto_configure:
dh_auto_configure -- \
--enable-ipv6 --with-threads=pthread
override_dh_auto_install:
dh_auto_install -- -C src
ifeq ($(DEB_NODOC),0)
dh_auto_install -- -C doc
endif
# .la file is useless
rm $(CURDIR)/debian/stunnel4/usr/lib/$(multiarch_path)/stunnel/libstunnel.la
# Rename binary
mv $(CURDIR)/debian/stunnel4/usr/bin/stunnel \
$(CURDIR)/debian/stunnel4/usr/bin/stunnel4
# Copy sample init script into place for dh_installinit
cp $(CURDIR)/tools/stunnel.init $(CURDIR)/debian/stunnel4.init
ifeq ($(DEB_NODOC),0)
ln doc/stunnel.8 doc/stunnel4.8
ln doc/stunnel.pl.8 doc/stunnel4.pl.8
# Manpages will be installed by dh_installman
rm -rf $(CURDIR)/debian/stunnel4/usr/share/man
# Move docs into proper dir
mv $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel \
$(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4
# Basic docs for the user on how to create an initial configuration
install -p -m 0644 $(CURDIR)/debian/stunnel4.conf.README \
$(CURDIR)/debian/stunnel4/etc/stunnel/README
endif
ifeq ($(DEB_NODOC),1)
override_dh_installdocs:
mkdir -p $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4
install -c -o root -g root -m 644 $(CURDIR)/debian/copyright $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4/
override_dh_installman:
override_dh_link:
dh_link
rm $(CURDIR)/debian/stunnel4/usr/share/man/man8/stunnel.8.gz
rmdir $(CURDIR)/debian/stunnel4/usr/share/man/man8
rmdir $(CURDIR)/debian/stunnel4/usr/share/man
endif
override_dh_installppp:
dh_installppp --name=0stunnel4
override_dh_compress:
dh_compress --exclude=StunnelConf-0.1.pl
%:
dh $@

1
debian/source/format vendored Normal file

@ -0,0 +1 @@
3.0 (quilt)

510
debian/stunnel3.8 vendored Normal file

@ -0,0 +1,510 @@
.\" Automatically generated by Pod::Man v1.34, Pod::Parser v1.13
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sh \" Subsection heading
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. | will give a
.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
.\" expand to `' in nroff, nothing in troff, for use with C<>.
.tr \(*W-|\(bv\*(Tr
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.\"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.hy 0
.if n .na
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "STUNNEL 1"
.TH STUNNEL 8 "2003-08-01" " " " "
.SH "NAME"
stunnel \- universal SSL tunnel
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBstunnel\fR [\-c\ |\ \-T] [\-D\ [facility.]level] [\-O\ a|l|r:option=value[:value]] [\-o\ file] [\-C\ cipherlist] [\-p\ pemfile] [\-v\ level] [\-A\ certfile] [\-S\ sources] [\-a\ directory] [\-t\ timeout] [\-u\ ident_username] [\-s\ setuid_user]
[\-g\ setgid_group] [\-n\ protocol] [\-P\ {\ filename\ |\ ''\ }\ ] [\-B\ bytes] [\-R\ randfile] [\-W] [\-E\ socket] [\-I\ host]
[\-d\ [host:]port\ [\-f]\ ] [\ \-r\ [host:]port\ |\ {\ \-l\ |\ \-L\ }\ program\ [\-\-\ progname\ args]\ ]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBstunnel\fR program is designed to work as \fI\s-1SSL\s0\fR encryption
wrapper between remote clients and local (\fIinetd\fR\-startable) or
remote servers. The concept is that having non-SSL aware daemons
running on your system you can easily set them up to communicate with
clients over secure \s-1SSL\s0 channels.
.PP
\&\fBstunnel\fR can be used to add \s-1SSL\s0 functionality to commonly used
\&\fIinetd\fR daemons like \s-1POP\-2\s0, \s-1POP\-3\s0, and \s-1IMAP\s0 servers, to standalone
daemons like \s-1NNTP\s0, \s-1SMTP\s0 and \s-1HTTP\s0, and in tunneling \s-1PPP\s0 over network
sockets without changes to the source code.
.PP
This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com)
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-h\fR" 4
.IX Item "-h"
Print stunnel help menu
.IP "\fB\-D\fR level" 4
.IX Item "-D level"
Debugging level
.Sp
Level is a one of the syslog level names or numbers emerg (0), alert
(1), crit (2), err (3), warning (4), notice (5), info (6), or debug
(7). All logs for the specified level and all levels numerically less
than it will be shown. Use \-D debug or \-D 7 for greatest debugging
output. The default is notice (5).
.Sp
The syslog facility 'daemon' will be used unless a facility name is
supplied. (Facilities are not supported on windows.)
.Sp
Case is ignored for both facilities and levels.
.IP "\fB\-O\fR a|l|r:option=value[:value]" 4
.IX Item "-O a|l|r:option=value[:value]"
Set an option on accept/local/remote socket
.Sp
The values for linger option are l_onof:l_linger. The values for time
are tv_sec:tv_usec.
.Sp
\&\fBExamples:\fR
.Sp
\&\fB\-O l:SO_LINGER=1:60\fR \- set one minute timeout for closing local
socket
.Sp
\&\fB\-O r:TCP_NODELAY=1\fR \- turn off the Nagle algorithm for remote
sockets
.Sp
\&\fB\-O r:SO_OOBINLINE=1\fR \- place out-of-band data directly into the
receive data stream for remote sockets
.Sp
\&\fB\-O a:SO_REUSEADDR=0\fR \- disable address reuse (enabled by default)
.Sp
\&\fB\-O a:SO_BINDTODEVICE=lo\fR \- only accept connections on loopback
interface
.Sp
The available options and their defaults are:
Option Accept Local Remote OS default
SO_DEBUG -- -- -- 0
SO_DONTROUTE -- -- -- 0
SO_KEEPALIVE -- -- -- 0
SO_LINGER -- -- -- 0:0
SO_OOBINLINE -- -- -- 0
SO_RCVBUF -- -- -- 87380
SO_SNDBUF -- -- -- 16384
SO_RCVLOWAT -- -- -- 1
SO_SNDLOWAT -- -- -- 1
SO_RCVTIMEO -- -- -- 0:0
SO_SNDTIMEO -- -- -- 0:0
SO_REUSEADDR 1 -- -- 0
SO_BINDTODEVICE -- -- -- --
IP_TOS -- -- -- 0
IP_TTL -- -- -- 64
TCP_NODELAY -- -- -- 0
.IP "\fB\-o\fR file" 4
.IX Item "-o file"
Append log messages to a file.
.IP "\fB\-C\fR cipherlist" 4
.IX Item "-C cipherlist"
Select permitted \s-1SSL\s0 ciphers
.Sp
A colon delimited list of the ciphers to allow in the \s-1SSL\s0 connection.
For example \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
.IP "\fB\-c\fR" 4
.IX Item "-c"
client mode (remote service uses \s-1SSL\s0)
.Sp
default: server mode
.IP "\fB\-T\fR" 4
.IX Item "-T"
transparent proxy mode
.Sp
Re-write address to appear as if wrapped daemon is connecting from the
\&\s-1SSL\s0 client machine instead of the machine running stunnel. Available
only on some operating systems (Linux only, we believe) and then only
in server mode. Note that this option will not combine with proxy mode
(\-r) unless the client's default route to the target machine lies
through the host running stunnel, which cannot be localhost.
.IP "\fB\-p\fR pemfile" 4
.IX Item "-p pemfile"
private key and certificate chain \s-1PEM\s0 file name
.Sp
A \s-1PEM\s0 is always needed in server mode (by default located in
\fI/etc/stunnel/stunnel.pem\fR). Specifying this flag in client mode
will use this key and certificate chain as a client side certificate
chain. Using client side certs is optional. The certificates must be
in \s-1PEM\s0 format and must be sorted starting with the certificate
to the highest level (root \s-1CA\s0).
.IP "\fB\-v\fR level" 4
.IX Item "-v level"
verify peer certificate
.RS 4
.IP "\(bu" 8
level 1 \- verify peer certificate if present
.IP "\(bu" 8
level 2 \- verify peer certificate
.IP "\(bu" 8
level 3 \- verify peer with locally installed certificate
.IP "\(bu" 8
default \- no verify
.RE
.RS 4
.RE
.IP "\fB\-a\fR directory" 4
.IX Item "-a directory"
client certificate directory
.Sp
This is the directory in which stunnel will look for certificates when
using the \fI\-v\fR options. Note that the certificates in this directory
should be named \s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the
cert.
.IP "\fB\-A\fR certfile" 4
.IX Item "-A certfile"
Certificate Authority file
.Sp
This file contains multiple \s-1CA\s0 certificates, used with the \fI\-v\fR
options.
.IP "\fB\-t\fR timeout" 4
.IX Item "-t timeout"
session cache timeout
.Sp
default: 300 seconds.
.IP "\fB\-N\fR servicename" 4
.IX Item "-N servicename"
Service name to use for tcpwrappers. If not specified then a
tcpwrapper service name will be generated automatically for you. This
will also be used when auto-generating pid filenames.
.IP "\fB\-u\fR ident_username" 4
.IX Item "-u ident_username"
Use \s-1IDENT\s0 (\s-1RFC\s0 1413) username checking
.IP "\fB\-n\fR proto" 4
.IX Item "-n proto"
Negotiate \s-1SSL\s0 with specified protocol
.Sp
currently supported: smtp, pop3, nntp
.IP "\fB\-E\fR socket" 4
.IX Item "-E socket"
Entropy Gathering Daemon socket to use to feed OpenSSL random number
generator. (Available only if compiled with OpenSSL 0.9.5a or higher)
.IP "\fB\-R\fR filename" 4
.IX Item "-R filename"
File containing random input. The \s-1SSL\s0 library will use data from this
file first to seed the random number generator.
.IP "\fB\-W\fR" 4
.IX Item "-W"
Do not overwrite the random seed files with new random data.
.IP "\fB\-B\fR bytes" 4
.IX Item "-B bytes"
Number of bytes of data read from random seed files. With \s-1SSL\s0
versions less than 0.9.5a, also determines how many bytes of data are
considered sufficient to seed the \s-1PRNG\s0. More recent OpenSSL versions
have a builtin function to determine when sufficient randomness is
available.
.IP "\fB\-I\fR host" 4
.IX Item "-I host"
\&\s-1IP\s0 of the outgoing interface is used as source for remote connections.
Use this option to bind a static local \s-1IP\s0 address, instead.
.IP "\fB\-d\fR [host:]port" 4
.IX Item "-d [host:]port"
daemon mode
.Sp
Listen for connections on [host:]port. If no host specified, defaults
to all \s-1IP\s0 addresses for the local host.
.Sp
default: inetd mode
.IP "\fB\-f\fR" 4
.IX Item "-f"
foreground mode
.Sp
Stay in foreground (don't fork) and log to stderr instead of via
syslog (unless \-o is specified).
.Sp
default: background in daemon mode
.IP "\fB\-l\fR program [\-\- programname [arg1 arg2 arg3...] ]" 4
.IX Item "-l program [-- programname [arg1 arg2 arg3...] ]"
execute local inetd-type program.
.IP "\fB\-L\fR program [\-\- programname [arg1 arg2 arg3...] ]" 4
.IX Item "-L program [-- programname [arg1 arg2 arg3...] ]"
open local pty and execute program.
.IP "\fB\-s\fR username" 4
.IX Item "-s username"
\&\fIsetuid()\fR to username in daemon mode
.IP "\fB\-g\fR groupname" 4
.IX Item "-g groupname"
\&\fIsetgid()\fR to groupname in daemon mode. Clears all other groups.
.IP "\fB\-P\fR { file | '' }" 4
.IX Item "-P { file | '' }"
Pid file location
.Sp
If the argument is a filename, then that filename will be used for the
pid. If the argument is empty ('', not missing), then no pid file will
be created.
.IP "\fB\-r\fR [host:]port" 4
.IX Item "-r [host:]port"
connect to remote service
.Sp
If no host specified, defaults to localhost.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
In order to provide \s-1SSL\s0 encapsulation to your local \fIimapd\fR service,
use
.PP
.Vb 1
\& stunnel \-d 993 \-l /usr/sbin/imapd \-\- imapd
.Ve
.PP
In order to let your local e-mail client connect to a \s-1SSL\s0-enabled
\fIimapd\fR service on another server, configure the e-mail client to connect to
localhost on port 119 and use:
.PP
.Vb 1
\& stunnel \-c \-d 143 \-r servername:993
.Ve
.PP
If you want to provide tunneling to your \fIpppd\fR daemon on port 2020,
use something like
.PP
.Vb 1
\& stunnel \-d 2020 \-L /usr/sbin/pppd \-\- pppd local
.Ve
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
If Stunnel is used to create local processes using the \fB\-l\fR or \fB\-L\fR
options, it will set the following environment variables
.IP "\s-1REMOTE_HOST\s0" 4
.IX Item "REMOTE_HOST"
The \s-1IP\s0 address of the remote end of the connection.
.IP "\s-1SSL_CLIENT_DN\s0" 4
.IX Item "SSL_CLIENT_DN"
The \s-1DN\s0 (Distinguished Name, aka subject name) of the peer certificate,
if a certificate was present and verified.
.IP "\s-1SSL_CLIENT_I_DN\s0" 4
.IX Item "SSL_CLIENT_I_DN"
The Issuer's \s-1DN\s0 of the peer's certificate, if a certificate was
present and verified.
.SH "CERTIFICATES"
.IX Header "CERTIFICATES"
.IP "\(bu" 4
Each \s-1SSL\s0 enabled daemon needs to present a valid X.509 certificate to
the peer. It also needs a private key to decrypt the incoming data.
The easiest way to obtain a certificate and a key is to generate them
with the free \fIopenssl\fR package. You can find more information on
certificates generation on pages listed below.
.Sp
Two things are important when generating certificate-key pairs for
\&\fBstunnel\fR. The private key cannot be encrypted, because the server
has no way to obtain the password from the user. To produce an
unencrypted key add the \fI\-nodes\fR option when running the \fBreq\fR
command from the \fIopenssl\fR kit.
.Sp
The order of contents of the \fI.pem\fR file is also important. It should
contain the unencrypted private key first, then a signed certificate
(not certificate request). There should be also empty lines after
certificate and private key. Plaintext certificate information
appended on the top of generated certificate should be discarded. So
the file should look like this:
.Sp
.Vb 8
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
\& [encoded key]
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
\& [empty line]
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
\& [encoded certificate]
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
\& [empty line]
.Ve
.SH "RANDOMNESS"
.IX Header "RANDOMNESS"
.IP "\(bu" 4
\&\fIstunnel\fR needs to seed the \s-1PRNG\s0 (pseudo random number generator) in
order for \s-1SSL\s0 to use good randomness. The following sources are
loaded in order until sufficient random data has been gathered:
.RS 4
.IP "\(bu" 8
The file specified with the \fI\-R\fR flag.
.IP "\(bu" 8
The file specified by the \s-1RANDFILE\s0 environment variable, if set.
.IP "\(bu" 8
The file .rnd in your home directory, if \s-1RANDFILE\s0 not set.
.IP "\(bu" 8
The file specified with '\-\-with\-random' at compile time.
.IP "\(bu" 8
The contents of the screen if running on Windows.
.IP "\(bu" 8
The egd socket specified with the \fI\-E\fR flag.
.IP "\(bu" 8
The egd socket specified with '\-\-with\-egd\-sock' at compile time.
.IP "\(bu" 8
The /dev/urandom device.
.RE
.RS 4
.Sp
With recent (>=OpenSSL 0.9.5a) version of \s-1SSL\s0 it will stop loading
random data automatically when sufficient entropy has been gathered.
With previous versions it will continue to gather from all the above
sources since no \s-1SSL\s0 function exists to tell when enough data is
available.
.Sp
Note that on Windows machines that do not have console user
interaction (mouse movements, creating windows, etc) the screen
contents are not variable enough to be sufficient, and you should
provide a random file for use with the \fI\-R\fR flag.
.Sp
Note that the file specified with the \fI\-R\fR flag should contain random
data \*(-- that means it should contain different information each time
\&\fIstunnel\fR is run. This is handled automatically unless the \fI\-W\fR
flag is used. If you wish to update this file manually, the \fIopenssl
rand\fR command in recent versions of OpenSSL, would be useful.
.Sp
One important note \*(-- if /dev/urandom is available, OpenSSL has a
habit of seeding the \s-1PRNG\s0 with it even when checking the random state,
so on systems with /dev/urandom you're likely to use it even though
it's listed at the very bottom of the list above. This isn't
stunnel's behaviour, it's OpenSSLs.
.RE
.SH "LIMITATIONS"
.IX Header "LIMITATIONS"
.IP "\(bu" 4
\&\fIstunnel\fR cannot be used for the \s-1FTP\s0 daemon because of the nature of
the \s-1FTP\s0 protocol which utilizes multiple ports for data transfers.
There are available \s-1SSL\s0 enabled versions of \s-1FTP\s0 and telnet daemons,
however.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
.RS 4
.IP "\fItcpd\fR\|(8)" 8
.IX Item "tcpd"
access control facility for internet services
.IP "\fIinetd\fR\|(8)" 8
.IX Item "inetd"
internet ``super\-server''
.IP "\fIhttps://www.stunnel.org/\fR" 8
.IX Item "https://www.stunnel.org/"
Stunnel homepage
.IP "\fIhttps://www.openssl.org/\fR" 8
.IX Item "https://www.openssl.org/"
OpenSSL project website
.RE
.RS 4
.RE
.SH "AUTHOR"
.IX Header "AUTHOR"
.RS 4
.IP "Michal Trojnara" 8
.IX Item "Michal Trojnara"
<\fIMichal.Trojnara@stunnel.org\fR>
.RE
.RS 4
.RE
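Review bot: the second EXAMPLES entry contradicts itself: the prose tells the reader to point the mail client at "localhost on port 119", but the command listens with `-d 143`; 119 is the NNTP port, so the sentence should say port 143. Two smaller documentation points in the same file: the `-C` example `DES-CBC3-SHA:IDEA-CBC-MD5` illustrates a permitted cipher list with 3DES and IDEA/MD5 suites and should use a current suite instead, and the `-v` entry should say plainly that the default ("no verify") means a client-mode tunnel (`-c -r`) accepts any server certificate; the client example would be better shown with verification on, e.g. `stunnel -c -v 2 -A cafile -d 143 -r servername:993`, using the `-A` certificate authority file the OPTIONS section already describes.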

9
debian/stunnel4.0stunnel4.ppp.ip-down vendored Normal file
View File

@ -0,0 +1,9 @@
#!/bin/sh
# if this script gets called, we assume that the machine has lost
# IPv4 connectivity -> restart stunnel (do not stop it, it is possible
# to have a eth connection)
test -f /etc/default/stunnel4 && . /etc/default/stunnel4
test "$PPP_RESTART" != "0" || exit 0
invoke-rc.d stunnel4 restart
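Review bot: the `PPP_RESTART` guard defaults the wrong way: when /etc/default/stunnel4 is missing, `$PPP_RESTART` is empty, `test "" != "0"` succeeds and the script restarts stunnel, although the defaults file documents the feature as off unless explicitly set to one. Use `test "${PPP_RESTART:-0}" != "0" || exit 0` so an absent or unset variable means "do not restart". The comment should also say that `restart` drops every established tunnel on each interface change, so administrators who enable this know what they are trading for the re-bind.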

7
debian/stunnel4.0stunnel4.ppp.ip-up vendored Normal file
View File

@ -0,0 +1,7 @@
#!/bin/sh
test -f /etc/default/stunnel4 && . /etc/default/stunnel4
test "$PPP_RESTART" != "0" || exit 0
invoke-rc.d stunnel4 restart
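Review bot: same guard problem as in the ip-down script: with no /etc/default/stunnel4 present, `test "$PPP_RESTART" != "0"` is true for an empty variable and stunnel is restarted on every ppp up event even though the feature is meant to be opt-in; use `test "${PPP_RESTART:-0}" != "0" || exit 0`. Unlike ip-down, this script carries no comment explaining why a restart is wanted when the link comes up; one line of rationale would help the next maintainer decide whether a full restart is still the right action.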

96
debian/stunnel4.NEWS vendored Normal file
View File

@ -0,0 +1,96 @@
stunnel4 (3:5.06-1) unstable; urgency=medium
There are two major changes in this version of stunnel.
First, the /usr/bin/stunnel symlink has been switched from stunnel3
to stunnel4. This should not affect any tools that invoke stunnel
using the stunnel4 name, and it should not affect any Debian packages
that use stunnel. However, any local tools that invoke stunnel with
3.x-style command-line options instead of a 4.x-style configuration
file should make sure that they use the stunnel3 executable name and
not simply stunnel any more, or they should be converted to use
a 4.x-style configuration file (there is no need to create an actual
file on the filesystem, the configuration may be passed to stunnel
on its standard input using the "-fd 0" command-line option).
Second, this version DISABLES support for the SSLv2 and SSLv3 protocols!
If needed, it may be re-enabled by editing the stunnel configuration
file and adding "-NO_SSLv2" or "-NO_SSLv3" respectively to
the "options" setting; see /etc/stunnel/README for an example.
-- Peter Pentchev <roam@ringlet.net> Thu, 16 Oct 2014 13:56:35 +0300
stunnel4 (3:5.01-3) unstable; urgency=medium
This version temporarily brings back the creation of a default pid
file, /var/run/stunnel4.pid, if there is no "pid" setting in
the configuration file. The reason for this is that the init script
cannot monitor the started stunnel processes if there is no pid file
at all.
The init script now warns about configuration files that have no
"pid" setting and will thus use the default pid file location.
In the future it will refuse to start with such configurations, so
it would be best to add the "pid" setting to all the *.conf files in
the /etc/stunnel/ directory.
-- Peter Pentchev <roam@ringlet.net> Fri, 18 Apr 2014 14:37:42 +0300
stunnel (3:5.01-2) unstable; urgency=medium
This version DISABLES the RLE compression method, too. This means
that stunnel currently has no compression methods available at all,
since the underlying OpenSSL library does not have any, either.
Tunnel configurations that explicitly set "compression" will NEED
to be modified.
-- Peter Pentchev <roam@ringlet.net> Mon, 14 Apr 2014 15:04:56 +0300
stunnel (3:5.01-1) unstable; urgency=medium
This version DISABLES the creation of the process ID file and
the use of TCP wrappers for access control by default!
Tunnel configurations that use PID files (e.g. for monitoring) or
TCP wrappers (/etc/hosts.allow, /etc/hosts.deny) will NEED to be
modified to explicitly specify the 'pidfile' global option or
the 'libwrap' service-level option respectively.
This version also DISABLES the "zlib" and "deflate" compression
algorithms because they are not supported in the Debian OpenSSL
package since version 1.0.1e-5. The only supported compression
algorithm is "rle". Tunnel configurations that explicitly set
"compression" to something other than "rle" will NEED to be modified.
-- Peter Pentchev <roam@ringlet.net> Tue, 25 Mar 2014 18:05:11 +0200
stunnel (3:4.33-1) experimental; urgency=low
This version introduces support for reloading the configuration file
and for closing/reopening log files. The init script has been
updated to provide these options, and the default logrotate
configuration has been updated to take advantage of them.
-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Thu, 04 Feb 2010 19:52:23 -0800
stunnel (3:4.28-1) unstable; urgency=low
The default behaviour of the logrotate configuration for stunnel4
has been changed. Instead of restarting stunnel after rotating the
log files we now use the 'copytruncate' keyword. This avoids the
problems associated with the restart, but introduces the possibility
of loosing small amounts of log data. Please see Debian bugs
#535915, #535924 and #323171 for more info.
-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Wed, 25 Nov 2009 17:12:42 -0800
stunnel (2:4.140-5) unstable; urgency=low
stunnel/stunnel4 binaries are located in /usr/bin instead of
/usr/sbin in order to be FHS compliant (they can be used by normal
user). You need to update your scripts to refer to this new location
-- Julien Lemoine <speedblue@debian.org> Sun, 19 Feb 2006 17:31:24 +0100
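Review bot: the 3:5.06-1 entry gives the recipe for re-enabling SSLv2 and SSLv3 (adding "-NO_SSLv2" or "-NO_SSLv3" to the "options" setting) without saying that the protocols were disabled because they are no longer safe and that re-enabling them should be a last resort; a one-sentence warning belongs next to the recipe. The recipe also reads backwards to anyone who does not know stunnel's option syntax, since a leading minus on an option name removes it rather than sets it, so spell that out ("the leading '-' clears the NO_SSLv3 option, which re-enables the protocol"). Minor: "loosing" in the 3:4.28-1 entry should be "losing".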

13
debian/stunnel4.conf.README vendored Normal file
View File

@ -0,0 +1,13 @@
Stunnel 4 configuration files.
Files found under the /etc/stunnel directory that end with .conf are
used by the stunnel4 service as configuration files, and each will be
used to start a daemon process setting up a tunnel with the given
configuration. Note that this directory is initially empty, as the
settings you may want for your tunnels are completely system dependent.
In order to have the tunnels start up automatically on system boot you
must *also* set ENABLED to 1 in /etc/default/stunnel4
A sample configuration file with defaults may be found at
/usr/share/doc/stunnel4/examples/stunnel.conf-sample
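Review bot: the README should tell users that every *.conf in /etc/stunnel needs its own `pid =` setting: the 3:5.01-3 NEWS entry says the init script cannot monitor instances that create no pid file, currently warns about configurations without the setting and falls back to /var/run/stunnel4.pid, and will eventually refuse to start them. Several .conf files all defaulting to that one pid file would also overwrite each other's entry. A line next to the ENABLED note, such as "each file must set pid = /var/run/stunnel4/<name>.pid" (path given only as an example), would prevent both problems.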

18
debian/stunnel4.default vendored Normal file
View File

@ -0,0 +1,18 @@
# /etc/default/stunnel
# Julien LEMOINE <speedblue@debian.org>
# September 2003
# Change to one to enable stunnel automatic startup
ENABLED=0
FILES="/etc/stunnel/*.conf"
OPTIONS=""
# Change to one to enable ppp restart scripts
PPP_RESTART=0
# Change to enable the setting of limits on the stunnel instances
# For example, to set a large limit on file descriptors (to enable
# more simultaneous client connections), set RLIMITS="-n 4096"
# More than one resource limit may be modified at the same time,
# e.g. RLIMITS="-n 4096 -d unlimited"
RLIMITS=""
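Review bot: the header comment `# /etc/default/stunnel` names the wrong path; the file is installed as /etc/default/stunnel4 (the conf.README and the ppp.ip-up/ip-down scripts source it under that name), so anyone copying the path from the comment will edit a file nothing reads. Also document what OPTIONS receives, presumably extra command-line arguments passed to each stunnel4 instance started from FILES; every other variable here has a comment and this one does not.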

6
debian/stunnel4.examples vendored Normal file
View File

@ -0,0 +1,6 @@
tools/ca.html
tools/ca.pl
tools/importCA.html
tools/importCA.sh
tools/openssl.cnf
tools/stunnel.conf-sample

1
debian/stunnel4.install vendored Normal file
View File

@ -0,0 +1 @@
debian/StunnelConf-0.1.pl usr/share/doc/stunnel4/contrib

2
debian/stunnel4.links vendored Normal file
View File

@ -0,0 +1,2 @@
/usr/bin/stunnel4 /usr/bin/stunnel
/usr/share/man/man8/stunnel4.8.gz /usr/share/man/man8/stunnel.8.gz

5
debian/stunnel4.lintian-overrides vendored Normal file
View File

@ -0,0 +1,5 @@
# No character arrays anywhere in this .so
stunnel4: hardening-no-stackprotector usr/lib/stunnel/libstunnel.so
# Not a typo at all.
stunnel4: spelling-error-in-manpage usr/share/man/man8/stunnel4.8.gz CAs Case
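Review bot: the `hardening-no-stackprotector` override rests on a claim about the current source ("No character arrays anywhere in this .so") that is silently invalidated by every upstream import; record in the comment which upstream version the claim was checked against, or drop the override and let lintian re-flag it so the check is repeated on each bump rather than suppressed for good.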

13
debian/stunnel4.logrotate vendored Normal file
View File

@ -0,0 +1,13 @@
/var/log/stunnel4/*.log {
daily
missingok
rotate 365
compress
delaycompress
notifempty
create 640 stunnel4 stunnel4
sharedscripts
postrotate
/etc/init.d/stunnel4 reopen-logs > /dev/null
endscript
}
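Review bot: the `postrotate` line calls `/etc/init.d/stunnel4 reopen-logs` directly, while the rest of the packaging (the ppp.ip-up/ip-down scripts) goes through `invoke-rc.d`; use `invoke-rc.d stunnel4 reopen-logs > /dev/null` so policy-rc.d and the init system are respected. If the init script exits non-zero when no instance is running (stopped service, ENABLED=0), logrotate will report the rotation as failed every day; append `|| true` or have the script treat "nothing running" as success. The `create 640 stunnel4 stunnel4` line is right: the rotated log stays unreadable to other local users.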

3
debian/stunnel4.manpages vendored Normal file
View File

@ -0,0 +1,3 @@
doc/stunnel4.8
doc/stunnel4.pl.8
debian/stunnel3.8

21
debian/tests/certs/certificate.pem vendored Normal file
View File

@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----
MIIDfDCCAmSgAwIBAgIJAPFcHvXjRYbZMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNV
BAYTAkJHMQ4wDAYDVQQIDAVTb2ZpYTEOMAwGA1UEBwwFU29maWExEDAOBgNVBAoM
B1JpbmdsZXQxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xNzA2MTIyMzAzMjdaFw0y
NzA2MTAyMzAzMjdaMFMxCzAJBgNVBAYTAkJHMQ4wDAYDVQQIDAVTb2ZpYTEOMAwG
A1UEBwwFU29maWExEDAOBgNVBAoMB1JpbmdsZXQxEjAQBgNVBAMMCWxvY2FsaG9z
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMp0QYS6IZ1To2h68NcZ
zmnAQfzodFcD7Lhp2CcDOBXRrKfPq1NUqUXMGvcHcPbmT84W2OGGfh11MKvksuof
4+juU4+1uujPJoOmREi7WjVzEVWUftvFUqeTigFz96EMsVui4UbTUxX6ACIsXXwg
v1b/rpyVZJvTucKsyP5ml5OXaPFe5mXUQtdaJsjpV4ikq4O9vcYdMt0Y8IVbxpCO
5CryW3KUHzBUS7uqO2nbLXZBOkJHCgxDawAlTeDRW/uJOl7nnSUgo0HiojG4qhY6
spYmQ9ijtj1vX5H2tsf97rZCbU5JMFqX8XcJgTWKTYHlxkBYbB6QkPyhiOXDo/M/
oJ8CAwEAAaNTMFEwHQYDVR0OBBYEFPwfXq4qd8stmvstPC3QdFL716XRMB8GA1Ud
IwQYMBaAFPwfXq4qd8stmvstPC3QdFL716XRMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
KoZIhvcNAQELBQADggEBADkuMAUB2Uyx23oN9ZxZsAWOdJoSUIWs4qxc5eQ/qjj7
64zm62ZaVc8F6AyMYxHZvOKxvN/Pg19dSZelvTpgSqXLbirstRgsBCIXO2q6UYo2
BUpZovZ4DOll+sAbmrZJRDiVO1XeCqqjr0v0I7NfJ5r31K1tfaZxGovUdC+M3xJ6
yRrFWfF+EdlvVRFQt97mZXtcTDFWk7+CT6fgfLnCxTuMcSNtzM60FCBS5wz0MPSA
BGje1qXUMzwN2T0aDyxWNRdvFGMHC8Z23EOa3roK+NybS2PVAu7MpxDTBZdHSGtG
5wqY6fq5kww8OI9AlPNYVtqXrFrF6Lj5m/jhUHcAIUU=
-----END CERTIFICATE-----
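Review bot: this fixture is a self-signed certificate with basicConstraints CA:TRUE whose notAfter field decodes to 2027-06-10T23:03:27Z, so `debian/tests/runtime` will start failing on that date if the client side verifies the chain, and the failure will look like a regression in stunnel rather than in the fixture. Generating the pair at test start (`openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out certificate.pem -subj /CN=localhost -days 1`) removes the expiry and the need to ship key.pem; if a fixed file is kept, add a comment or README in debian/tests/certs giving the generation command and the expiry date.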

28
debian/tests/certs/key.pem vendored Normal file
View File

@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDKdEGEuiGdU6No
evDXGc5pwEH86HRXA+y4adgnAzgV0aynz6tTVKlFzBr3B3D25k/OFtjhhn4ddTCr
5LLqH+Po7lOPtbrozyaDpkRIu1o1cxFVlH7bxVKnk4oBc/ehDLFbouFG01MV+gAi
LF18IL9W/66clWSb07nCrMj+ZpeTl2jxXuZl1ELXWibI6VeIpKuDvb3GHTLdGPCF
W8aQjuQq8ltylB8wVEu7qjtp2y12QTpCRwoMQ2sAJU3g0Vv7iTpe550lIKNB4qIx
uKoWOrKWJkPYo7Y9b1+R9rbH/e62Qm1OSTBal/F3CYE1ik2B5cZAWGwekJD8oYjl
w6PzP6CfAgMBAAECggEAf+TrUuamv5WLoEAyDyCdVg7/YL6UaDfxfhpXU2XkM1xu
vuAg8haEjLRAwJdx1HdwKNgkEGx/FSroIV7ra53Tw11zalC6j8H1KauKbYv1k9hq
Ne8GKN3Btl0tDHfvEk1LaYE+4Rg036g8F1qBgB3L4jDJZN+3W/1n10SCALxcuv4G
XMJOcrhW3KBlEJpIBhz+ROPeiZX8VwB2iK7jg0Bebh7XuNFCFOiFqq6UfFRNeGBi
Ca9rZdUP0YmxNPEXzGu1TEv1edX0Nf3jRKERQrZ3Sg6ogPcqQSQ1VP052Hc0Tqpl
akrRrVMfbbQQIMc9JrxJmXb7/OHeS1R50Ci5x7weoQKBgQDwYSGSypJl6lWpgrm6
5HuIem0AK9gmOAyiR0UdjMwVybeHhcldK8ABFcsdUt7v84+kCKkRhEX//QWjowMF
0OJ2i7Y1VbdyNd7exPW5zmYAiBX+oR3JKMekjPRCUamg5P2fSrVqDHvz7WU7hoQb
0jcIu8kwtPjw5uz13OWWbmEjTwKBgQDXnDZ0nQoXUO8VkNYaWQzukIcKdB71v2DZ
KiaJvPFjTGPUwwd/kEcU7/wMet4UKff4XjOaX+f2tFZm+vrYs6RfqnLlRFlkhKJZ
HColltm8KV6w+LnwkPUuY4HnDJepU6eBC2wtGPU1n1YXCwgDL+MTIpLFuveQ9w/N
wTRP3USZsQKBgDy9Tm55IWT/QYYDskq3UT+7L6/LZGLD5u1adOxyl18qCWYFOEyC
sZGUoC5YslyPfsxEI/R5J/b3SGWA21Ks5Yxu4Su47RG+6wH/YtgAf2XC/UvKCmy6
EThTJaVcXTB6rFuD1TNm1Cte4SWZZ+hfxeg/CydzkzPMJjQ6DQll+sWhAoGBAKJj
tV//JyqIeonznE4b4/GKSStGaksM6RSm+n+jHut7DXWhrnQVZnQOi/eaUsk9Etat
nJAYy8yz5p+JSIUOSC8FYaPr5qgefWhAHj5Rb4yYXAlOTD0z8HYP3Db49QFDUFWR
FNiig4zvhRe150L/PjebQpBKUUuNyQlfCtdb/98BAoGARMZNl+0FEzw714ataoWk
1IPoe7oIzaoYTqPcpQT0AGOdfYRS3ffJFe2Foa0K7MVyxNA/OjyheYVtD2IgmoTv
WkRr6xM4nphza595yB5q+psKwOdQvP5XsyiJOXDixzn+yFIqrdQlmBNZHT1z/jwr
oBRWtTVO2aX5pBUjvBu3eQ0=
-----END PRIVATE KEY-----
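Review bot: committing a private key is acceptable only as a throwaway test fixture, and nothing here marks it as one; add a README or a leading comment in debian/tests/certs stating that the pair is for the autopkgtest only and must never be installed or reused. It is correctly absent from stunnel4.install and stunnel4.examples, so it does not reach the package; generating the pair at test run time instead would avoid keeping it in the repository at all.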

6
debian/tests/control vendored Normal file
View File

@ -0,0 +1,6 @@
Test-Command: env TEST_STUNNEL=/usr/bin/stunnel4 debian/tests/runtime
Depends: @, perl, libanyevent-perl, libnet-ssleay-perl, libpath-tiny-perl
Restrictions: allow-stderr
Test-Command: debian/tests/upstream
Depends: @, netcat-traditional
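Review bot: `debian/tests/runtime` requires `Path::Tiny 0.097` (`use Path::Tiny 0.097;`), but the first test's Depends line lists `libpath-tiny-perl` with no version, so on a system with an older module the test dies at compile time with a version error that looks like a test bug; declare `libpath-tiny-perl (>= 0.097)`. The script also does `use threads`, which assumes a threaded perl; Debian's perl is built that way, but it is worth a comment in the script so the assumption is visible.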

647
debian/tests/runtime vendored Executable file
View File

@ -0,0 +1,647 @@
#!/usr/bin/perl
use v5.14;
use strict;
use warnings;
use AnyEvent;
use AnyEvent::Handle;
use AnyEvent::Socket qw(tcp_connect tcp_server);
use AnyEvent::Util qw(portable_socketpair);
use Fcntl qw(F_GETFD F_SETFD FD_CLOEXEC);
use IO::Handle;
use Path::Tiny 0.097;
use POSIX qw(WNOHANG);
use Socket;
# AnyEvent's TLS support seems to require this...
use threads;
my %children;
my $child_reaper_w;
my $greeting = 'Well hello there!';
sub reap_leftover_children();
sub child_reaper();
sub register_child_reaper()
{
$child_reaper_w = AnyEvent->signal(
signal => 'CHLD',
cb => \&child_reaper,
);
$SIG{__DIE__} = sub {
my ($msg) = @_;
warn "__DIE__ handler invoked: ".($msg =~ s/[\r\n]*$//sr)."\n";
reap_leftover_children;
};
}
sub unregister_child_reaper()
{
undef $child_reaper_w;
}
sub child_reaper()
{
while (1) {
my $pid = waitpid -1, WNOHANG;
my $status = $?;
if (!defined $pid) {
die "Could not waitpid() in a SIGCHLD handler: $!\n";
} elsif ($pid == 0 || $pid == -1) {
last;
} else {
$children{$pid}{cv} //= AnyEvent->condvar;
$children{$pid}{cv}->send($status);
}
}
}
sub register_child($ $)
{
my ($pid, $desc) = @_;
# Weird, but we want it to be at least reasonably atomic-like
$children{$pid}{cv} //= AnyEvent->condvar;
my $ch = $children{$pid};
$ch->{pid} = $pid;
$ch->{desc} = $desc;
}
sub dump_children()
{
join '', map {
my $ch = $children{$_};
"\t$ch->{pid}\t".
($ch->{cv}->ready
? $ch->{cv}->recv
: '(none)'
).
"\t$ch->{desc}\n"
} sort { $a <=> $b } keys %children
}
sub wait_for_child($)
{
my ($pid) = @_;
if (!defined $children{$pid}) {
die "Internal error: wait_for_child() invoked for ".
"unregistered pid $pid\n".dump_children;
}
my $status = $children{$pid}{cv}->recv;
delete $children{$pid};
return $status;
}
sub reap_leftover_children()
{
say 'Oof, let us see if there are any children left';
if (!%children) {
say 'Everyone has been accounted for; great!';
return;
}
for my $pid (keys %children) {
my $ch = $children{$pid};
if ($ch->{cv}->ready) {
my $status = wait_for_child $pid;
say "Hm, child $pid seems to have finished already, status $status";
}
}
if (!%children) {
say 'Everyone has actually been accounted for; great!';
return;
}
for my $pid (keys %children) {
say "Pffth, sending a SIGKILL to $pid";
kill 'KILL', $pid;
}
for my $pid (keys %children) {
my $ch = $children{$pid};
if ($ch->{cv}->ready) {
wait_for_child $pid;
say "OK, $pid done";
}
}
# Bah, figure out some way to let the loop run even if we're within the loop...
if (%children) {
say 'Some children remaining, laying low for a second...';
sleep 1;
for my $pid (keys %children) {
say "- waiting for $pid ($children{$pid}{desc})";
wait_for_child $pid;
say "- OK, $pid done";
}
}
if (%children) {
say 'Something really weird happened, why are there still children around?';
say dump_children;
}
}
sub close_on_exec($ $)
{
my ($fh, $close) = @_;
my $flags = fcntl $fh, F_GETFD, 0 or
die "Could not obtain a file descriptor's flags: $!\n";
my $nflags = $close
? ($flags | FD_CLOEXEC)
: ($flags & ~FD_CLOEXEC);
fcntl $fh, F_SETFD, $nflags or
die "Could not set a file descriptor's flags: $!\n";
}
sub anyevent_socketpair($)
{
my ($name) = @_;
my ($fh1, $fh2) = portable_socketpair;
if (!defined $fh1) {
die "Could not create the $name socketpair: $!\n";
}
$fh1->autoflush(1);
$fh2->autoflush(1);
return (AnyEvent::Handle->new(fh => $fh1), AnyEvent::Handle->new(fh => $fh2));
}
sub find_listening_port($ $ $ $ $)
{
my ($address, $port_start, $step, $count, $cb) = @_;
my $res;
my $port = $port_start;
for (1..$count) {
eval {
$res = tcp_server $address, $port, $cb;
};
last if $res;
say "Could not listen on $address:$port: $@";
$port += $step;
}
if (!defined $res) {
die "Could not find a listening port on $address\n";
}
return ($port, $res);
}
my %conns;
sub register_client_connection($)
{
my ($fh) = @_;
my $sockaddr = getsockname $fh;
if (!defined $sockaddr) {
die "Could not obtain the local address of the just-connected socket: $!\n";
}
my ($port, $addr_num) = sockaddr_in $sockaddr;
if (!defined $port || !defined $addr_num) {
die "Could not decode the address and port from a sockaddr_in structure: $!\n";
}
my $addr = inet_ntoa $addr_num;
if (!defined $addr) {
die "Could not decode a numeric address: $!\n";
}
my $id = "$addr:$port";
$conns{$id}{cv} //= AnyEvent->condvar;
$conns{$id}{fh} //= $fh;
return $id;
}
sub await_client_connection($ $; $)
{
my ($lis_main, $cv, $skip_register) = @_;
my $die = sub {
warn "@_";
$cv->send(undef);
};
$lis_main->rtimeout(10);
$lis_main->on_rtimeout(sub { $die->("The listener's accept message timed out\n") });
$lis_main->push_read(line => sub {
my ($handle, $line) = @_;
if ($line !~ m{^ accept \s+ (?<id> \S+ ) $}x) {
return $die->("The accept server did not send an 'accept' message: $line\n");
}
my ($id) = $+{id};
$conns{$id}{cv} //= AnyEvent->condvar unless $skip_register;
$lis_main->rtimeout(10);
$lis_main->on_rtimeout(sub { $die->("The listener's close message timed out\n") });
$lis_main->push_read(line => sub {
my ($handle, $line) = @_;
if ($line !~ m{^ close \s+ (?<id> \S+ ) $}x) {
return $die->("The accept server did not send an 'close' message: $line\n");
}
my ($cid) = $+{id};
if ($cid ne $id) {
return $die->("The accept server's 'close' message had id '$cid' instead of the accepted one '$id'\n");
}
$lis_main->rtimeout(0);
$cv->send($id);
});
});
}
sub adopt_client_connection($ $)
{
my ($id, $opts) = @_;
my $w;
my $do_close = sub {
my ($err) = @_;
$w->push_shutdown;
$w->destroy;
undef $w;
undef $conns{$id}{handle};
#close $conns{$id}{fh};
if (defined $err) {
warn "$err\n";
$conns{$id}{cv}->send(undef);
} else {
$conns{$id}{cv}->send(1);
}
};
$w = AnyEvent::Handle->new(
fh => $conns{$id}{fh},
%{$opts}, # TLS or something?
on_error => sub {
my ($handle, $fatal, $message) = @_;
if (!$fatal) {
warn "A non-fatal error occurred reading from the $id connection: $message\n";
} else {
$do_close->("A fatal error occurred reading from the $id connection: $message");
}
},
rtimeout => 10,
on_rtimeout => sub {
$do_close->("Reading from the $id connection timed out");
},
);
$w->push_read(line => sub {
my ($handle, $line) = @_;
$w->rtimeout(0);
if ($line ne $greeting) {
$do_close->("The $id connection sent us a line that was not the greeting: expected '$greeting', got '$line'");
} else {
$do_close->(undef);
}
});
$conns{$id}{handle} = $w;
}
sub client_connect($ $ $)
{
my ($address, $port, $cv) = @_;
return tcp_connect $address, $port, sub {
my ($fh) = @_;
if (!defined $fh) {
die "Could not connect to the cleartext listening socket on $address:$port: $!\n";
}
my $id = register_client_connection $fh;
say "Connected to $address:$port, local $id";
$cv->send($id);
adopt_client_connection($id, {});
};
}
MAIN:
{
my $stunnel = $ENV{TEST_STUNNEL} // 'stunnel4';
my $test_done = AnyEvent->condvar;
my ($certsdir, $certfile, $keyfile);
for my $name (qw(certs debian/tests/certs)) {
my $dir = path($name);
if (-d $dir) {
$certfile = $dir->child('certificate.pem');
$keyfile = $dir->child('key.pem');
if (-f $certfile && -f $keyfile) {
$certsdir = path($dir);
last;
}
}
}
die "Could not locate the test certificates directory\n" unless defined $certsdir;
say "Found the certificate at $certfile and the private key at $keyfile";
my $tempdir = Path::Tiny->tempdir;
say "Using the $tempdir temporary directory";
register_child_reaper;
{
say 'About to get the stunnel version information';
pipe my $s_in, my $s_out or die "Could not create an fd pair: $!\n";
close_on_exec $s_in, 0;
close_on_exec $s_out, 0;
my $pid = fork;
if (!defined $pid) {
die "Could not fork for stunnel: $!\n";
} elsif ($pid == 0) {
open STDERR, '>&', $s_out or
die "Could not reopen stderr in the child process: $!\n";
close STDIN or
die "Could not close stdin in the child process: $!\n";
close STDOUT or
die "Could not close stdout in the child process: $!\n";
close $s_in or
die "Could not close the reader fd in the child process: $!\n";
exec $stunnel, '-version';
die "Could not execute '$stunnel': $!\n";
}
register_child $pid, "$stunnel -version";
close $s_out or
die "Could not close the writer fd in the parent process: $!\n";
my ($got_version, $before_version) = (undef, '');
my $eof = AnyEvent->condvar;
my $f_out = AnyEvent->io(
fh => $s_in,
poll => 'r',
cb => sub {
my $line = <$s_in>;
if (!defined $line) {
$eof->send($got_version);
} elsif (!$got_version) {
if ($line =~ m{^
stunnel \s+
(?<version> \d+ \. \S+)
\s+ on \s+
}x) {
$got_version = $+{version};
} else {
$before_version .= $line;
}
}
});
$eof->recv;
if ($before_version ne '') {
warn "stunnel produced output before the version number:\n$before_version\n";
}
if (!defined $got_version) {
die "Could not get the stunnel version number\n";
}
say "Got stunnel version $got_version";
my $status = wait_for_child $pid;
if ($status != 0) {
die "stunnel -version did not exit successfully, status $status\n";
}
}
my ($lis_listener, $lis_main) = anyevent_socketpair 'listener';
my $listen_address = '127.0.0.1';
my %listen_clear_conns;
my ($listen_clear_port, $listen_clear) = find_listening_port $listen_address, 6502, 200, 100, sub {
my ($fh, $host, $port) = @_;
my $id = "$host:$port";
say "Accepted a connection from $id";
$lis_listener->push_write("accept $id\n");
my $w;
my $do_close = sub {
$w->destroy;
delete $listen_clear_conns{$id};
};
$w = AnyEvent::Handle->new(
fh => $fh,
on_error => sub {
my ($handle, $fatal, $message) = @_;
warn "A ".($fatal ? 'fatal' : 'non-fatal').
"error occurred writing to the $id connection: $message\n";
$do_close->();
},
timeout => 10,
on_timeout => sub {
my ($handle) = @_;
warn "Writing to the $id connection timed out\n";
$do_close->();
},
on_read => sub {
my ($handle) = @_;
warn "The $id connection sent data to the server?!\n";
$do_close->();
},
on_eof => sub {
my ($handle) = @_;
say "Got an eof from $id, all seems well";
$do_close->();
$lis_listener->push_write("close $id\n");
},
);
$w->push_write("$greeting\n");
$w->push_shutdown;
$listen_clear_conns{$id} = $w;
};
say "Listening for cleartext connections on $listen_address:$listen_clear_port";
{
my $listener_test_id_cv = AnyEvent->condvar;
my $check_listen_clear = client_connect $listen_address, $listen_clear_port, $listener_test_id_cv;
my $id = $listener_test_id_cv->recv;
if (!defined $id) {
die "Could not connect to the cleartext server\n";
}
say "Got a local connection id $id";
my $listener_test_done = AnyEvent->condvar;
await_client_connection $lis_main, $listener_test_done;
say 'Waiting for the server to acknowledge a completed client connection';
my $sid = $listener_test_done->recv;
if (!defined $sid) {
die "The listener did not acknowledge the connection\n";
} elsif ($sid ne $id) {
die "The listener did not acknowledge the same connection: expected '$id', got '$sid'\n";
}
say 'Waiting for the client connection itself to report completion';
my $res = $conns{$id}{cv}->recv;
if (!defined $res) {
die "The client connection did not complete the chat with the cleartext server\n";
}
say 'Looks like we are done with the test cleartext connection!';
}
my $st_server_port;
{
my $dummy;
($st_server_port, $dummy) = find_listening_port $listen_address, 8086, 200, 100, sub {
my ($fh) = @_;
say "Eh, we really didn't expect a connection here, did we now...";
$fh->close;
};
say "Got listening port $st_server_port for the stunnel server";
undef $dummy;
say 'Let us hope this was enough to get stunnel to listen there...';
}
my ($st_pid, $st_logfile);
{
my $st_config = $tempdir->child('stunnel.conf');
$st_logfile = $tempdir->child('stunnel.log');
my $st_pidfile = $tempdir->child('stunnel.pid');
$st_config->spew_utf8(<<"EOCONF") or die "Could not create the $st_config stunnel config file: $!\n";
pid = $st_pidfile
foreground = yes
output = $st_logfile
cert = $certfile
key = $keyfile
[test]
accept = $listen_address:$st_server_port
connect = $listen_address:$listen_clear_port
EOCONF
say "Created the stunnel config file $st_config:\n======\n".$st_config->slurp_utf8.'======';
$st_pid = fork;
if (!defined $st_pid) {
die "Could not fork for the stunnel server: $!\n";
} elsif ($st_pid == 0) {
my @cmd = ($stunnel, $st_config);
exec { $cmd[0] } @cmd;
die "Could not execute '@cmd': $!\n";
}
say "Started the stunnel server, pid $st_pid";
register_child $st_pid, "stunnel server ($listen_address:$st_server_port)";
}
{
for my $iter (1..10) {
say "Trying a connection through stunnel, iteration $iter";
my $st_conn_cv = AnyEvent->condvar;
my $st_conn;
{
my $st_conn_attempts = 10;
my $st_conn_timer;
$st_conn_timer = AnyEvent->timer(after => 0.1, interval => 1, cb => sub {
say "Trying to connect to the stunnel server at $listen_address:$st_server_port";
$st_conn = tcp_connect $listen_address, $st_server_port, sub {
my ($fh) = @_;
if (!defined $fh) {
# FIXME: Eh, well, reschedule, right?
say "Could not connect to $listen_address:$st_server_port: $!";
if ($children{$st_pid}{cv}->ready) {
say 'Err, the stunnel process seems to have terminated';
undef $st_conn_timer;
$st_conn_cv->send(undef);
return;
}
$st_conn_attempts--;
if ($st_conn_attempts == 0) {
say 'Time after time...';
undef $st_conn_timer;
$st_conn_cv->send(undef);
return;
}
say 'Will retry in a little while';
return;
}
say '...connected!';
$st_conn_timer = undef;
$st_conn_cv->send($fh);
};
});
}
my $st_conn_fh = $st_conn_cv->recv;
if (!defined $st_conn_fh) {
my $log_text = (-f $st_logfile)
? "$st_logfile contents:\n".$st_logfile->slurp_utf8
: "(no log information)";
$log_text .= "\n" unless $log_text =~ /\n\Z/ms;
die "Could not connect to the stunnel service:\n$log_text";
}
my $id = register_client_connection $st_conn_fh;
say "Registered a client connection as $id";
adopt_client_connection $id, { tls => 'connect', };
say 'Waiting for the cleartext listener to receive this connection';
my $stunnel_test_done = AnyEvent->condvar;
await_client_connection $lis_main, $stunnel_test_done, 1;
my $sid = $stunnel_test_done->recv;
if (!defined $sid) {
die "The listener did not acknowledge the connection\n";
} elsif ($sid eq $id) {
die "The listener reported the same connection ID '$id'?!\n";
}
say "The server reported a completed connection: $sid";
my $res = $conns{$id}{cv}->recv;
if (!defined $res) {
die "The connection to stunnel did not report a successful chat\n";
}
say "The stunnel connection seems to have gone through for iteration $iter";
}
}
{
say "Trying to stop stunnel at pid $st_pid";
kill 'TERM', $st_pid or
die "Could not send a terminate signal to the stunnel at pid $st_pid: $!\n";
my $status = wait_for_child $st_pid;
if ($status != 0) {
die "The stunnel process terminated with exit status $status\n";
} else {
say 'The stunnel process terminated successfully';
}
}
{
say 'Checking for leftover children';
if (%children) {
# Our 'die' handler will kill and reap them.
die "Child processes left over:\n".
dump_children;
} else {
say 'No child processes left over';
}
unregister_child_reaper;
};
{
say 'Making sure the AnyEvent loop is still sane';
if ($test_done->ready) {
die "The AnyEvent loop raised the flag prematurely\n";
}
$test_done->send(42);
my $res = $test_done->recv;
if ($res != 42) {
die "The AnyEvent loop does not seem to be quite alive and sane, got a result of '$res' instead of 42\n";
}
say 'Fine!';
};
}
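Review bot: the shutdown check `kill 'TERM', $st_pid` followed by `wait_for_child $st_pid` has no upper bound, so a stunnel that ignores or is slow to act on SIGTERM hangs the whole test run instead of failing it; wrap the wait in a timeout and fall back to SIGKILL before reporting. Two smaller things in the same file: the `# FIXME: Eh, well, reschedule, right?` left in the connect callback should be resolved or dropped, since the retry is already driven by the timer's `interval => 1`, and the `on_error` message concatenates `'non-fatal'` directly with `"error occurred writing to the $id connection"`, so it prints "non-fatalerror"; add the missing space.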

debian/tests/upstream vendored Executable file

@ -0,0 +1,15 @@
#!/bin/sh
set -e
ln -s /usr/bin/stunnel4 src/stunnel
cd tests
if ! ./make_test; then
printf '\n\n=== Some tests failed; here are all the logs...\n\n' 1>&2
for fname in logs/*.log; do
printf -- '\n\n=== %s\n\n' "$fname" 1>&2
cat -- "$fname" 1>&2
done
false
fi
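Review bot: `ln -s /usr/bin/stunnel4 src/stunnel` aborts the script under `set -e` whenever `src/stunnel` already exists (a rerun in an unclean tree, or a build that left a binary there), so the test reports failure for a reason unrelated to stunnel; use `ln -sf /usr/bin/stunnel4 src/stunnel` or guard it with `test -e src/stunnel ||`.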

debian/upstream/metadata vendored Normal file

@ -0,0 +1,5 @@
Name: stunnel
Bug-Submit: https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
Contact: https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
FAQ: https://www.stunnel.org/faq.html
Security-Contact: Michal Trojnara <Michal.Trojnara@stunnel.org>

debian/upstream/signing-key.asc vendored Normal file

@ -0,0 +1,111 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1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=muMw
-----END PGP PUBLIC KEY BLOCK-----

debian/watch vendored Normal file

@ -0,0 +1,8 @@
version=4
# Latest version is directly at /stunnel
opts=pgpsigurlmangle=s/$/.asc/ \
https://www.stunnel.org/downloads.html downloads/stunnel-([\d.]+)@ARCHIVE_EXT@ debian
opts=pgpsigurlmangle=s/$/.asc/,pasv \
ftp://ftp.stunnel.org/stunnel/archive/5.x/stunnel-([\d.]+)@ARCHIVE_EXT@
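Review bot: both entries carry `pgpsigurlmangle=s/$/.asc/`, so uscan fetches the detached `.asc` signature for each tarball and verifies it against the debian/upstream/signing-key.asc added in this same change; that signature check is what makes the plain `ftp://` fallback on the second line acceptable, so the key file has to be kept in step with upstream's signing key, otherwise every download fails closed rather than silently accepting an unverified archive.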


@ -1,21 +1,35 @@
## Process this file with automake to produce Makefile.in
# by Michal Trojnara 2015-2017
EXTRA_DIST = stunnel.pod stunnel.pl.pod stunnel.fr.pod \
stunnel.8 stunnel.pl.8 stunnel.fr.8 \
stunnel.html stunnel.pl.html stunnel.fr.html en pl
EXTRA_DIST = stunnel.pod.in stunnel.8.in stunnel.html.in en
EXTRA_DIST += stunnel.pl.pod.in stunnel.pl.8.in stunnel.pl.html.in pl
man_MANS = stunnel.8 stunnel.pl.8 stunnel.fr.8
man_MANS = stunnel.8 stunnel.pl.8
docdir = $(datadir)/doc/stunnel
doc_DATA = stunnel.html stunnel.pl.html stunnel.fr.html
doc_DATA = stunnel.html stunnel.pl.html
SUFFIXES = .pod .8 .html
CLEANFILES = $(man_MANS) $(doc_DATA)
.pod.8:
pod2man -u --section=8 --release=$(VERSION) --center=stunnel \
--date=`date +%Y.%m.%d` $< $@
SUFFIXES = .pod.in .8.in .html.in
.pod.html:
pod2html --noindex --title stunnel.8 --infile=$< --outfile=$@
.pod.in.8.in:
pod2man -u -n stunnel -s 8 -r $(VERSION) \
-c "stunnel TLS Proxy" -d `date +%Y.%m.%d` $< $@
.pod.in.html.in:
pod2html --index --backlink --header \
--title "stunnel TLS Proxy" --infile=$< --outfile=$@
rm -f pod2htmd.tmp pod2htmi.tmp
edit = sed \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g'
$(man_MANS) $(doc_DATA): Makefile
$(edit) '$(srcdir)/$@.in' >$@
stunnel.8: $(srcdir)/stunnel.8.in
stunnel.html: $(srcdir)/stunnel.html.in
stunnel.pl.8: $(srcdir)/stunnel.pl.8.in
stunnel.pl.html: $(srcdir)/stunnel.pl.html.in
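Review bot: the rule `$(edit) '$(srcdir)/$@.in' >$@` writes straight into the target, so if sed fails partway a truncated stunnel.8 or stunnel.html is left behind with a fresh timestamp and the next make run treats it as up to date; write to `$@.tmp` and `mv` it into place only on success. Also, `-d \`date +%Y.%m.%d\`` in the `.pod.in.8.in` rule embeds the current date in the shipped `.8.in`, so every maintainer regeneration produces a spurious diff; derive the date from the release instead if reproducible regeneration matters.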


@ -1,9 +1,8 @@
# Makefile.in generated by automake 1.11.1 from Makefile.am.
# Makefile.in generated by automake 1.15 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
# Inc.
# Copyright (C) 1994-2014 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
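Review bot: per the header line `# Makefile.in generated by automake 1.15 from Makefile.am.` this file is generated output, so the remaining hunks in it are the automake 1.11.1 to 1.15 regeneration rather than hand edits; review the doc/Makefile.am change instead and confirm that `autoreconf` reproduces this file exactly, rather than reviewing the generated lines one by one.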
@ -15,7 +14,64 @@
@SET_MAKE@
# by Michal Trojnara 2015-2017
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@ -35,7 +91,6 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = doc
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
@ -43,12 +98,30 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/src/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
SOURCES =
DIST_SOURCES =
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@ -70,14 +143,23 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
man8dir = $(mandir)/man8
am__installdirs = "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(docdir)"
NROFF = nroff
MANS = $(man_MANS)
DATA = $(doc_DATA)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
am__DIST_COMMON = $(srcdir)/Makefile.in
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
@ -92,6 +174,7 @@ CYGPATH_W = @CYGPATH_W@
DEFAULT_GROUP = @DEFAULT_GROUP@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@ -115,7 +198,9 @@ LIBTOOL_DEPS = @LIBTOOL_DEPS@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
@ -131,6 +216,9 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PTHREAD_CC = @PTHREAD_CC@
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
PTHREAD_LIBS = @PTHREAD_LIBS@
RANDOM_FILE = @RANDOM_FILE@
RANLIB = @RANLIB@
SED = @SED@
@ -143,6 +231,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@ -150,6 +239,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
ax_pthread_config = @ax_pthread_config@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@ -175,7 +265,6 @@ libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
lt_ECHO = @lt_ECHO@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
@ -183,28 +272,29 @@ pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
stunnel_CFLAGS = @stunnel_CFLAGS@
stunnel_LDFLAGF = @stunnel_LDFLAGF@
stunnel_LDFLAGS = @stunnel_LDFLAGS@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
EXTRA_DIST = stunnel.pod stunnel.pl.pod stunnel.fr.pod \
stunnel.8 stunnel.pl.8 stunnel.fr.8 \
stunnel.html stunnel.pl.html stunnel.fr.html en pl
EXTRA_DIST = stunnel.pod.in stunnel.8.in stunnel.html.in en \
stunnel.pl.pod.in stunnel.pl.8.in stunnel.pl.html.in pl
man_MANS = stunnel.8 stunnel.pl.8
doc_DATA = stunnel.html stunnel.pl.html
CLEANFILES = $(man_MANS) $(doc_DATA)
SUFFIXES = .pod.in .8.in .html.in
edit = sed \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g'
man_MANS = stunnel.8 stunnel.pl.8 stunnel.fr.8
doc_DATA = stunnel.html stunnel.pl.html stunnel.fr.html
SUFFIXES = .pod .8 .html
all: all-am
.SUFFIXES:
.SUFFIXES: .pod .8 .html
.SUFFIXES: .pod.in .8.in .html.in
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
@ -217,7 +307,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --gnu doc/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
@ -243,11 +332,18 @@ clean-libtool:
-rm -rf .libs _libs
install-man8: $(man_MANS)
@$(NORMAL_INSTALL)
test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
@list=''; test -n "$(man8dir)" || exit 0; \
{ for i in $$list; do echo "$$i"; done; \
l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
sed -n '/\.8[a-z]*$$/p'; \
@list1=''; \
list2='$(man_MANS)'; \
test -n "$(man8dir)" \
&& test -n "`echo $$list1$$list2`" \
|| exit 0; \
echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
{ for i in $$list1; do echo "$$i"; done; \
if test -n "$$list2"; then \
for i in $$list2; do echo "$$i"; done \
| sed -n '/\.8[a-z]*$$/p'; \
fi; \
} | while read p; do \
if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; echo "$$p"; \
@ -276,13 +372,14 @@ uninstall-man8:
sed -n '/\.8[a-z]*$$/p'; \
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
test -z "$$files" || { \
echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
install-docDATA: $(doc_DATA)
@$(NORMAL_INSTALL)
test -z "$(docdir)" || $(MKDIR_P) "$(DESTDIR)$(docdir)"
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
@ -296,30 +393,15 @@ uninstall-docDATA:
@$(NORMAL_UNINSTALL)
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
test -n "$$files" || exit 0; \
echo " ( cd '$(DESTDIR)$(docdir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(docdir)" && rm -f $$files
tags: TAGS
TAGS:
dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir)
tags TAGS:
ctags: CTAGS
CTAGS:
ctags CTAGS:
cscope cscopelist:
distdir: $(DISTFILES)
@list='$(MANS)'; if test -n "$$list"; then \
list=`for p in $$list; do \
if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
if test -n "$$list" && \
grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \
echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \
echo " typically \`make maintainer-clean' will remove them" >&2; \
exit 1; \
else :; fi; \
else :; fi
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
@ -366,13 +448,19 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
`test -z '$(STRIP)' || \
echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
@ -452,27 +540,38 @@ uninstall-man: uninstall-man8
.MAKE: install-am install-strip
.PHONY: all all-am check check-am clean clean-generic clean-libtool \
distclean distclean-generic distclean-libtool distdir dvi \
dvi-am html html-am info info-am install install-am \
install-data install-data-am install-docDATA install-dvi \
install-dvi-am install-exec install-exec-am install-html \
install-html-am install-info install-info-am install-man \
install-man8 install-pdf install-pdf-am install-ps \
install-ps-am install-strip installcheck installcheck-am \
installdirs maintainer-clean maintainer-clean-generic \
mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
ps ps-am uninstall uninstall-am uninstall-docDATA \
uninstall-man uninstall-man8
cscopelist-am ctags-am distclean distclean-generic \
distclean-libtool distdir dvi dvi-am html html-am info info-am \
install install-am install-data install-data-am \
install-docDATA install-dvi install-dvi-am install-exec \
install-exec-am install-html install-html-am install-info \
install-info-am install-man install-man8 install-pdf \
install-pdf-am install-ps install-ps-am install-strip \
installcheck installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-generic \
mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \
uninstall-am uninstall-docDATA uninstall-man uninstall-man8
.PRECIOUS: Makefile
.pod.8:
pod2man -u --section=8 --release=$(VERSION) --center=stunnel \
--date=`date +%Y.%m.%d` $< $@
.pod.in.8.in:
pod2man -u -n stunnel -s 8 -r $(VERSION) \
-c "stunnel TLS Proxy" -d `date +%Y.%m.%d` $< $@
.pod.html:
pod2html --noindex --title stunnel.8 --infile=$< --outfile=$@
.pod.in.html.in:
pod2html --index --backlink --header \
--title "stunnel TLS Proxy" --infile=$< --outfile=$@
rm -f pod2htmd.tmp pod2htmi.tmp
$(man_MANS) $(doc_DATA): Makefile
$(edit) '$(srcdir)/$@.in' >$@
stunnel.8: $(srcdir)/stunnel.8.in
stunnel.html: $(srcdir)/stunnel.html.in
stunnel.pl.8: $(srcdir)/stunnel.pl.8.in
stunnel.pl.html: $(srcdir)/stunnel.pl.html.in
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:


@ -36,8 +36,8 @@ HOWTO and then we'll look at the theory behind all this.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">Download and install openSSL,
SSLEay, and Stunnel on the Linux/Unix box. Download the modules.</P>
<LI><P STYLE="margin-bottom: 0cm">Download and install OpenSSL,
SSLeay, and Stunnel on the Linux/Unix box. Download the modules.</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">a)
[root@anthrax$]gunzip openssl-x.xx.tar.gz (repeat for all 3 the
@ -52,7 +52,7 @@ modules)</P>
save the file as VNCRegEdit.REG on the Windows 2000 box</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">--cut here and copy
to VNCRegEdit.REG the double click file to
to VNCRegEdit.REG then double click the file to
import--<BR>REGEDIT4<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3]<BR>AllowLoopback=dword:00000001<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\Default]<BR>AllowLoopback=dword:00000001<BR>--stop
here--<BR><BR>
</P>
@ -87,7 +87,7 @@ here--<BR><BR>
execute the following command and let it run in its own terminal.</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">stunnel -d 5900 -r
unix.ip.adress:5900 -c</P>
unix.ip.address:5900 -c</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">.</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">And on the Windows 2000 machine
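Review bot: the spelling fix keeps the command `stunnel -d 5900 -r unix.ip.address:5900 -c`, which is the stunnel 3.x command-line syntax; the man page SYNOPSIS elsewhere in this change reads `stunnel [<filename>] | -fd n | -help | -version | -sockets`, so a reader following this HOWTO against the packaged binary gets an error instead of a tunnel. Either rewrite the examples in the `[service]` / `accept =` / `connect =` configuration form used by the test config in this same change, or mark the HOWTO as describing a legacy version.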
@ -109,7 +109,7 @@ the window</P>
2000 command as follows:
</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">stunnel -d 5902 -r
unix.ip.adress:5902</P>
unix.ip.address:5902</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">and remember to
start another vncserver on the Linux box for each VNC display</P>
<P STYLE="margin-bottom: 0cm"><BR>
@ -165,11 +165,11 @@ desired &quot;display&quot; number.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">To connect from the client machine you
need to enter the client machines IP address and the &quot;display&quot;
need to enter the client machine's IP address and the &quot;display&quot;
(from the port conversion). But VNC will think that you are trying to
connect to the local machine and does not allow this. To override
this add the following to you registry.<BR><BR>--cut here and copy to
anything.reg. the double click file to
this add the following to your registry.<BR><BR>--cut here and copy to
anything.reg. then double click the file to
import--<BR>REGEDIT4<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3]<BR>AllowLoopback=dword:00000001<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\Default]<BR>AllowLoopback=dword:00000001<BR>--stop
here--<BR><BR>Now VNC will not complain. So you need to always run
stunnel in client mode on the Windows machine and then connect with
@ -182,9 +182,9 @@ way, *NIX doesn't complain about this. There is no setting needed if
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">Unfortunately this will not work well
with the build in web version. If you did not known about it, try
with the built-in web version. If you did not known about it, try
http'ing into a machine running VNC server on it, to port 58XX (where
XX is the display number), and the Java client will be loaded.<BR><BR>
</P>
</BODY>
</HTML>
</HTML>
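Review bot: the rewritten line `with the built-in web version. If you did not known about it, try` still carries "did not known"; while the line is being touched, change it to "did not know".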


@ -93,7 +93,7 @@ private key</I>
# private random number file</I>
<BR><I>&nbsp;</I>
<BR><I>x509_extensions = usr_cert&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# The extentions to add to the cert</I>
# The extensions to add to the cert</I>
<BR><I>crl_extensions&nbsp; = crl_ext&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# Extensions to add to CRL</I>
<BR><I>default_days&nbsp;&nbsp;&nbsp; = 365&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
@ -147,7 +147,7 @@ look</I>
<BR><I>distinguished_name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = req_distinguished_name</I>
<BR><I>attributes&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= req_attributes</I>
<BR><I>x509_extensions = v3_ca # The extentions to add to the self signed
<BR><I>x509_extensions = v3_ca # The extensions to add to the self signed
cert</I>
<BR><I>&nbsp;</I>
<BR><I>[ req_distinguished_name ]</I>


@ -1,930 +0,0 @@
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\" ========================================================================
.\"
.IX Title "STUNNEL 8"
.TH STUNNEL 8 "2012.01.14" "4.53" "stunnel"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
stunnel \- universal SSL tunnel
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.IP "\fBUnix:\fR" 4
.IX Item "Unix:"
\&\fBstunnel\fR [<filename>] | \-fd n | \-help | \-version | \-sockets
.IP "\fB\s-1WIN32:\s0\fR" 4
.IX Item "WIN32:"
\&\fBstunnel\fR [ [\-install | \-uninstall | \-start | \-stop] | \-exit]
[\-quiet] [<filename>] ] | \-help | \-version | \-sockets
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBstunnel\fR program is designed to work as \fI\s-1SSL\s0\fR encryption wrapper
between remote clients and local (\fIinetd\fR\-startable) or remote
servers. The concept is that having non-SSL aware daemons running on
your system you can easily set them up to communicate with clients over
secure \s-1SSL\s0 channels.
.PP
\&\fBstunnel\fR can be used to add \s-1SSL\s0 functionality to commonly used \fIInetd\fR
daemons like \s-1POP\-2\s0, \s-1POP\-3\s0, and \s-1IMAP\s0 servers, to standalone daemons like
\&\s-1NNTP\s0, \s-1SMTP\s0 and \s-1HTTP\s0, and in tunneling \s-1PPP\s0 over network sockets without
changes to the source code.
.PP
This product includes cryptographic software written by
Eric Young (eay@cryptsoft.com)
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "<\fBfilename\fR>" 4
.IX Item "<filename>"
Use specified configuration file
.IP "\fB\-fd n\fR (Unix only)" 4
.IX Item "-fd n (Unix only)"
Read the config file from specified file descriptor
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print \fBstunnel\fR help menu
.IP "\fB\-version\fR" 4
.IX Item "-version"
Print \fBstunnel\fR version and compile time defaults
.IP "\fB\-sockets\fR" 4
.IX Item "-sockets"
Print default socket options
.IP "\fB\-install\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-install (NT/2000/XP only)"
Install \s-1NT\s0 Service
.IP "\fB\-uninstall\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-uninstall (NT/2000/XP only)"
Uninstall \s-1NT\s0 Service
.IP "\fB\-start\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-start (NT/2000/XP only)"
Start \s-1NT\s0 Service
.IP "\fB\-stop\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-stop (NT/2000/XP only)"
Stop \s-1NT\s0 Service
.IP "\fB\-exit\fR (Win32 only)" 4
.IX Item "-exit (Win32 only)"
Exit an already started stunnel
.IP "\fB\-quiet\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-quiet (NT/2000/XP only)"
Don't display any message boxes
.SH "CONFIGURATION FILE"
.IX Header "CONFIGURATION FILE"
Each line of the configuration file can be either:
.IP "\(bu" 4
an empty line (ignored)
.IP "\(bu" 4
a comment starting with ';' (ignored)
.IP "\(bu" 4
an 'option_name = option_value' pair
.IP "\(bu" 4
\&'[service_name]' indicating a start of a service definition
.PP
An address parameter of an option may be either:
.IP "\(bu" 4
a port number
.IP "\(bu" 4
a colon-separated pair of \s-1IP\s0 address (either IPv4, IPv6, or domain name) and port number
.IP "\(bu" 4
a Unix socket path (Unix only)
.SS "\s-1GLOBAL\s0 \s-1OPTIONS\s0"
.IX Subsection "GLOBAL OPTIONS"
.IP "\fBchroot\fR = directory (Unix only)" 4
.IX Item "chroot = directory (Unix only)"
directory to chroot \fBstunnel\fR process
.Sp
\&\fBchroot\fR keeps \fBstunnel\fR in chrooted jail. \fICApath\fR, \fICRLpath\fR, \fIpid\fR
and \fIexec\fR are located inside the jail and the patches have to be relative
to the directory specified with \fBchroot\fR.
.IP "\fBcompression\fR = deflate | zlib | rle" 4
.IX Item "compression = deflate | zlib | rle"
select data compression algorithm
.Sp
default: no compression
.Sp
deflate is the standard compression method as described in \s-1RFC\s0 1951.
.Sp
zlib compression of OpenSSL 0.9.8 or above is not backward compatible with
OpenSSL 0.9.7.
.Sp
rle compression is currently not implemented by the OpenSSL library.
.IP "\fBdebug\fR = [facility.]level" 4
.IX Item "debug = [facility.]level"
debugging level
.Sp
Level is a one of the syslog level names or numbers
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6), or debug (7). All logs for the specified level and
all levels numerically less than it will be shown. Use \fIdebug = debug\fR or
\&\fIdebug = 7\fR for greatest debugging output. The default is notice (5).
.Sp
The syslog facility 'daemon' will be used unless a facility name is supplied.
(Facilities are not supported on Win32.)
.Sp
Case is ignored for both facilities and levels.
.IP "\fB\s-1EGD\s0\fR = egd path (Unix only)" 4
.IX Item "EGD = egd path (Unix only)"
path to Entropy Gathering Daemon socket
.Sp
Entropy Gathering Daemon socket to use to feed OpenSSL random number
generator. (Available only if compiled with OpenSSL 0.9.5a or higher)
.IP "\fBengine\fR = auto | <engine id>" 4
.IX Item "engine = auto | <engine id>"
select hardware engine
.Sp
default: software-only cryptography
.Sp
Here is an example of advanced engine configuration to read private key from an
OpenSC engine
.Sp
.Vb 7
\& engine=dynamic
\& engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so
\& engineCtrl=ID:pkcs11
\& engineCtrl=LIST_ADD:1
\& engineCtrl=LOAD
\& engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc\-pkcs11.so
\& engineCtrl=INIT
\&
\& [service]
\& engineNum=1
\& key=id_45
.Ve
.IP "\fBengineCtrl\fR = command[:parameter]" 4
.IX Item "engineCtrl = command[:parameter]"
control hardware engine
.Sp
Special commands \*(L"\s-1LOAD\s0\*(R" and \*(L"\s-1INIT\s0\*(R" can be used to load and initialize the
engine cryptogaphic module.
.IP "\fBfips\fR = yes | no" 4
.IX Item "fips = yes | no"
Enable or disable \s-1FIPS\s0 140\-2 mode.
.Sp
This option allows to disable entering \s-1FIPS\s0 mode if stunnel was compiled with
\&\s-1FIPS\s0 140\-2 support.
.Sp
default: yes
.IP "\fBforeground\fR = yes | no (Unix only)" 4
.IX Item "foreground = yes | no (Unix only)"
foreground mode
.Sp
Stay in foreground (don't fork) and log to stderr
instead of via syslog (unless \fIoutput\fR is specified).
.Sp
default: background in daemon mode
.IP "\fBoutput\fR = file" 4
.IX Item "output = file"
append log messages to a file
.Sp
/dev/stdout device can be used to send log messages to the standard
output (for example to log them with daemontools splogger).
.IP "\fBpid\fR = file (Unix only)" 4
.IX Item "pid = file (Unix only)"
pid file location
.Sp
If the argument is empty, then no pid file will be created.
.Sp
\&\fIpid\fR path is relative to \fIchroot\fR directory if specified.
.IP "\fBRNDbytes\fR = bytes" 4
.IX Item "RNDbytes = bytes"
bytes to read from random seed files
.Sp
Number of bytes of data read from random seed files. With \s-1SSL\s0 versions
less than 0.9.5a, also determines how many bytes of data are considered
sufficient to seed the \s-1PRNG\s0. More recent OpenSSL versions have a builtin
function to determine when sufficient randomness is available.
.IP "\fBRNDfile\fR = file" 4
.IX Item "RNDfile = file"
path to file with random seed data
.Sp
The \s-1SSL\s0 library will use data from this file first to seed the random
number generator.
.IP "\fBRNDoverwrite\fR = yes | no" 4
.IX Item "RNDoverwrite = yes | no"
overwrite the random seed files with new random data
.Sp
default: yes
.IP "\fBservice\fR = servicename (Unix only)" 4
.IX Item "service = servicename (Unix only)"
use specified string as \fIinetd\fR mode service name for \s-1TCP\s0 Wrapper library
.Sp
default: stunnel
.IP "\fBsetgid\fR = groupname (Unix only)" 4
.IX Item "setgid = groupname (Unix only)"
\&\fIsetgid()\fR to groupname in daemon mode and clears all other groups
.IP "\fBsetuid\fR = username (Unix only)" 4
.IX Item "setuid = username (Unix only)"
\&\fIsetuid()\fR to username in daemon mode
.IP "\fBsocket\fR = a|l|r:option=value[:value]" 4
.IX Item "socket = a|l|r:option=value[:value]"
Set an option on accept/local/remote socket
.Sp
The values for linger option are l_onof:l_linger.
The values for time are tv_sec:tv_usec.
.Sp
Examples:
.Sp
.Vb 9
\& socket = l:SO_LINGER=1:60
\& set one minute timeout for closing local socket
\& socket = r:SO_OOBINLINE=yes
\& place out\-of\-band data directly into the
\& receive data stream for remote sockets
\& socket = a:SO_REUSEADDR=no
\& disable address reuse (enabled by default)
\& socket = a:SO_BINDTODEVICE=lo
\& only accept connections on loopback interface
.Ve
.IP "\fBsyslog\fR = yes | no (Unix only)" 4
.IX Item "syslog = yes | no (Unix only)"
enable logging via syslog
.Sp
default: yes
.IP "\fBtaskbar\fR = yes | no (\s-1WIN32\s0 only)" 4
.IX Item "taskbar = yes | no (WIN32 only)"
enable the taskbar icon
.Sp
default: yes
.SS "SERVICE-LEVEL \s-1OPTIONS\s0"
.IX Subsection "SERVICE-LEVEL OPTIONS"
Each configuration section begins with service name in square brackets.
The service name is used for libwrap (\s-1TCP\s0 Wrappers) access control and lets
you distinguish \fBstunnel\fR services in your log files.
.PP
Note that if you wish to run \fBstunnel\fR in \fIinetd\fR mode (where it
is provided a network socket by a server such as \fIinetd\fR, \fIxinetd\fR,
or \fItcpserver\fR) then you should read the section entitled \fI\s-1INETD\s0 \s-1MODE\s0\fR
below.
.IP "\fBaccept\fR = address" 4
.IX Item "accept = address"
accept connections on specified address
.Sp
If no host specified, defaults to all IPv4 addresses for the local host.
.Sp
To listen on all IPv6 addresses use:
.Sp
.Vb 1
\& connect = :::port
.Ve
.IP "\fBCApath\fR = directory" 4
.IX Item "CApath = directory"
Certificate Authority directory
.Sp
This is the directory in which \fBstunnel\fR will look for certificates when using
the \fIverify\fR. Note that the certificates in this directory should be named
\&\s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1DER\s0 encoded subject of the
cert.
.Sp
The hash algorithm has been changed in OpenSSL 1.0.0. It is required to
c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x.
.Sp
\&\fICApath\fR path is relative to \fIchroot\fR directory if specified.
.IP "\fBCAfile\fR = certfile" 4
.IX Item "CAfile = certfile"
Certificate Authority file
.Sp
This file contains multiple \s-1CA\s0 certificates, used with the \fIverify\fR.
.IP "\fBcert\fR = pemfile" 4
.IX Item "cert = pemfile"
certificate chain \s-1PEM\s0 file name
.Sp
A \s-1PEM\s0 is always needed in server mode.
Specifying this flag in client mode will use this certificate chain
as a client side certificate chain. Using client side certs is optional.
The certificates must be in \s-1PEM\s0 format and must be sorted starting with the
certificate to the highest level (root \s-1CA\s0).
.IP "\fBciphers\fR = cipherlist" 4
.IX Item "ciphers = cipherlist"
Select permitted \s-1SSL\s0 ciphers
.Sp
A colon delimited list of the ciphers to allow in the \s-1SSL\s0 connection.
For example \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
.IP "\fBclient\fR = yes | no" 4
.IX Item "client = yes | no"
client mode (remote service uses \s-1SSL\s0)
.Sp
default: no (server mode)
.IP "\fBconnect\fR = address" 4
.IX Item "connect = address"
connect to a remote address
.Sp
If no host is specified, the host defaults to localhost.
.Sp
Multiple \fBconnect\fR options are allowed in a single service section.
.Sp
If host resolves to multiple addresses and/or if multiple \fIconnect\fR
options are specified, then the remote address is chosen using a
round-robin algorithm.
.IP "\fBCRLpath\fR = directory" 4
.IX Item "CRLpath = directory"
Certificate Revocation Lists directory
.Sp
This is the directory in which \fBstunnel\fR will look for CRLs when
using the \fIverify\fR. Note that the CRLs in this directory should
be named \s-1XXXXXXXX\s0.r0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1CRL\s0.
.Sp
The hash algorithm has been changed in OpenSSL 1.0.0. It is required to
c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x.
.Sp
\&\fICRLpath\fR path is relative to \fIchroot\fR directory if specified.
.IP "\fBCRLfile\fR = certfile" 4
.IX Item "CRLfile = certfile"
Certificate Revocation Lists file
.Sp
This file contains multiple CRLs, used with the \fIverify\fR.
.IP "\fBcurve\fR = nid" 4
.IX Item "curve = nid"
specify \s-1ECDH\s0 curve name
.Sp
To get a list of supported cuves use:
.Sp
.Vb 1
\& openssl ecparam \-list_curves
.Ve
.Sp
default: prime256v1
.IP "\fBdelay\fR = yes | no" 4
.IX Item "delay = yes | no"
delay \s-1DNS\s0 lookup for 'connect' option
.Sp
This option is useful for dynamic \s-1DNS\s0, or when \s-1DNS\s0 is not available during
stunnel startup (road warrior \s-1VPN\s0, dial-up configurations).
.IP "\fBengineNum\fR = engine number" 4
.IX Item "engineNum = engine number"
select engine number to read private key
.Sp
The engines are numbered starting from 1.
.IP "\fBexec\fR = executable_path" 4
.IX Item "exec = executable_path"
execute local inetd-type program
.Sp
\&\fIexec\fR path is relative to \fIchroot\fR directory if specified.
.ie n .IP "\fBexecargs\fR = $0 $1 $2 ..." 4
.el .IP "\fBexecargs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ..." 4
.IX Item "execargs = $0 $1 $2 ..."
arguments for \fIexec\fR including program name ($0)
.Sp
Quoting is currently not supported.
Arguments are separated with arbitrary number of whitespaces.
.IP "\fBfailover\fR = rr | prio" 4
.IX Item "failover = rr | prio"
Failover strategy for multiple \*(L"connect\*(R" targets.
.Sp
.Vb 2
\& rr (round robin) \- fair load distribution
\& prio (priority) \- use the order specified in config file
.Ve
.Sp
default: rr
.IP "\fBident\fR = username" 4
.IX Item "ident = username"
use \s-1IDENT\s0 (\s-1RFC\s0 1413) username checking
.IP "\fBkey\fR = keyfile" 4
.IX Item "key = keyfile"
private key for certificate specified with \fIcert\fR option
.Sp
Private key is needed to authenticate certificate owner.
Since this file should be kept secret it should only be readable
to its owner. On Unix systems you can use the following command:
.Sp
.Vb 1
\& chmod 600 keyfile
.Ve
.Sp
default: value of \fIcert\fR option
.IP "\fBlibwrap\fR = yes | no" 4
.IX Item "libwrap = yes | no"
Enable or disable the use of /etc/hosts.allow and /etc/hosts.deny.
.Sp
default: yes
.IP "\fBlocal\fR = host" 4
.IX Item "local = host"
\&\s-1IP\s0 of the outgoing interface is used as source for remote connections.
Use this option to bind a static local \s-1IP\s0 address, instead.
.IP "\fBsni\fR = service_name:server_name (server mode)" 4
.IX Item "sni = service_name:server_name (server mode)"
Use the service as a slave service (a name-based virtual server) for Server
Name Indication \s-1TLS\s0 extension (\s-1RFC\s0 3546).
.Sp
\&\fIservice_name\fR specifies the master service that accepts client connections
with \fIaccept\fR option. \fIserver_name\fR specifies the host name to be redirected.
Multiple slave services are normally specified for a single master service.
\&\fIsni\fR option can also be specified more than once within a single slave service.
.Sp
This service, as well as the master service, may not be configured in client mode.
\&\fIconnect\fR option of the slave service is ignored when \fIprotocol\fR option is
specified, as \fIprotocol\fR connects remote host before \s-1TLS\s0 handshake.
Libwrap checks (Unix only) are performed twice: with master service name after
\&\s-1TCP\s0 connection is accepted, and with slave service name during \s-1TLS\s0 handshake.
.Sp
Option \fIsni\fR is only available when compiled with OpenSSL 1.0.0 and later.
.IP "\fBsni\fR = server_name (client mode)" 4
.IX Item "sni = server_name (client mode)"
Use the parameter as the value of \s-1TLS\s0 Server Name Indication (\s-1RFC\s0 3546)
extension.
.Sp
Option \fIsni\fR is only available when compiled with OpenSSL 1.0.0 and later.
.IP "\fB\s-1OCSP\s0\fR = url" 4
.IX Item "OCSP = url"
select \s-1OCSP\s0 server for certificate verification
.IP "\fBOCSPflag\fR = flag" 4
.IX Item "OCSPflag = flag"
specify \s-1OCSP\s0 server flag
.Sp
Several \fIOCSPflag\fR can be used to specify multiple flags.
.Sp
currently supported flags: \s-1NOCERTS\s0, \s-1NOINTERN\s0 \s-1NOSIGS\s0, \s-1NOCHAIN\s0, \s-1NOVERIFY\s0,
\&\s-1NOEXPLICIT\s0, \s-1NOCASIGN\s0, \s-1NODELEGATED\s0, \s-1NOCHECKS\s0, \s-1TRUSTOTHER\s0, \s-1RESPID_KEY\s0, \s-1NOTIME\s0
.IP "\fBoptions\fR = SSL_options" 4
.IX Item "options = SSL_options"
OpenSSL library options
.Sp
The parameter is the OpenSSL option name as described in the
\&\fI\fISSL_CTX_set_options\fI\|(3ssl)\fR manual, but without \fI\s-1SSL_OP_\s0\fR prefix.
Several \fIoptions\fR can be used to specify multiple options.
.Sp
For example for compatibility with erroneous Eudora \s-1SSL\s0 implementation
the following option can be used:
.Sp
.Vb 1
\& options = DONT_INSERT_EMPTY_FRAGMENTS
.Ve
.IP "\fBprotocol\fR = proto" 4
.IX Item "protocol = proto"
application protocol to negotiate \s-1SSL\s0 (e.g. \fIstarttls\fR or \fIstls\fR)
.Sp
\&\fIprotocol\fR option should not be used with \s-1SSL\s0 encryption on a separate port.
.Sp
Currently supported protocols:
.RS 4
.IP "\fIcifs\fR" 4
.IX Item "cifs"
Proprietary (undocummented) extension of \s-1CIFS\s0 protocol implemented in Samba.
Support for this extension was dropped in Samba 3.0.0.
.IP "\fIconnect\fR" 4
.IX Item "connect"
Based on \s-1RFC\s0 2817 \- \fIUpgrading to \s-1TLS\s0 Within \s-1HTTP/1\s0.1\fR, section 5.2 \- \fIRequesting a Tunnel with \s-1CONNECT\s0\fR
.Sp
This protocol is only supported in client mode.
.IP "\fIimap\fR" 4
.IX Item "imap"
Based on \s-1RFC\s0 2595 \- \fIUsing \s-1TLS\s0 with \s-1IMAP\s0, \s-1POP3\s0 and \s-1ACAP\s0\fR
.IP "\fInntp\fR" 4
.IX Item "nntp"
Based on \s-1RFC\s0 4642 \- \fIUsing Transport Layer Security (\s-1TLS\s0) with Network News Transfer Protocol (\s-1NNTP\s0)\fR
.Sp
This protocol is only supported in client mode.
.IP "\fIpgsql\fR" 4
.IX Item "pgsql"
Based on http://www.postgresql.org/docs/8.3/static/protocol\-flow.html#AEN73982
.IP "\fIpop3\fR" 4
.IX Item "pop3"
Based on \s-1RFC\s0 2449 \- \fI\s-1POP3\s0 Extension Mechanism\fR
.IP "\fIproxy\fR" 4
.IX Item "proxy"
Haproxy client \s-1IP\s0 address http://haproxy.1wt.eu/download/1.5/doc/proxy\-protocol.txt
.IP "\fIsmtp\fR" 4
.IX Item "smtp"
Based on \s-1RFC\s0 2487 \- \fI\s-1SMTP\s0 Service Extension for Secure \s-1SMTP\s0 over \s-1TLS\s0\fR
.RE
.RS 4
.RE
.IP "\fBprotocolAuthentication\fR = auth_type" 4
.IX Item "protocolAuthentication = auth_type"
authentication type for protocol negotiations
.Sp
currently supported: basic, \s-1NTLM\s0
.Sp
Currently authentication type only applies to 'connect' protocol.
.Sp
default: basic
.IP "\fBprotocolHost\fR = host:port" 4
.IX Item "protocolHost = host:port"
destination address for protocol negotiations
.IP "\fBprotocolPassword\fR = password" 4
.IX Item "protocolPassword = password"
password for protocol negotiations
.IP "\fBprotocolUsername\fR = username" 4
.IX Item "protocolUsername = username"
username for protocol negotiations
.IP "\fBpty\fR = yes | no (Unix only)" 4
.IX Item "pty = yes | no (Unix only)"
allocate pseudo terminal for 'exec' option
.IP "\fBretry\fR = yes | no (Unix only)" 4
.IX Item "retry = yes | no (Unix only)"
reconnect a connect+exec section after it's disconnected
.Sp
default: no
.IP "\fBsession\fR = timeout" 4
.IX Item "session = timeout"
session cache timeout
.IP "\fBsessiond\fR = host:port" 4
.IX Item "sessiond = host:port"
address of sessiond \s-1SSL\s0 cache server
.IP "\fBsslVersion\fR = version" 4
.IX Item "sslVersion = version"
select version of \s-1SSL\s0 protocol
.Sp
Allowed options: all, SSLv2, SSLv3, TLSv1
.IP "\fBstack\fR = bytes (except for \s-1FORK\s0 model)" 4
.IX Item "stack = bytes (except for FORK model)"
thread stack size
.IP "\fBTIMEOUTbusy\fR = seconds" 4
.IX Item "TIMEOUTbusy = seconds"
time to wait for expected data
.IP "\fBTIMEOUTclose\fR = seconds" 4
.IX Item "TIMEOUTclose = seconds"
time to wait for close_notify (set to 0 for buggy \s-1MSIE\s0)
.IP "\fBTIMEOUTconnect\fR = seconds" 4
.IX Item "TIMEOUTconnect = seconds"
time to wait to connect a remote host
.IP "\fBTIMEOUTidle\fR = seconds" 4
.IX Item "TIMEOUTidle = seconds"
time to keep an idle connection
.IP "\fBtransparent\fR = none | source | destination | both (Unix only)" 4
.IX Item "transparent = none | source | destination | both (Unix only)"
enable transparent proxy support on selected platforms
.Sp
Supported values:
.RS 4
.IP "\fInone\fR" 4
.IX Item "none"
Disable transparent proxy support. This is the default.
.IP "\fIsource\fR" 4
.IX Item "source"
Re-write address to appear as if wrapped daemon is connecting
from the \s-1SSL\s0 client machine instead of the machine running \fBstunnel\fR.
.Sp
This option is currently available in:
.RS 4
.IP "Remote mode (\fIconnect\fR option) on \fILinux >=2.6.28\fR" 4
.IX Item "Remote mode (connect option) on Linux >=2.6.28"
This configuration requires stunnel to be executed as root and without
\&\fIsetuid\fR option.
.Sp
This configuration requires the following setup for iptables and routing
(possibly in /etc/rc.local or equivalent file):
.Sp
.Vb 7
\& iptables \-t mangle \-N DIVERT
\& iptables \-t mangle \-A PREROUTING \-p tcp \-m socket \-j DIVERT
\& iptables \-t mangle \-A DIVERT \-j MARK \-\-set\-mark 1
\& iptables \-t mangle \-A DIVERT \-j ACCEPT
\& ip rule add fwmark 1 lookup 100
\& ip route add local 0.0.0.0/0 dev lo table 100
\& echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
.Ve
.Sp
\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option.
.IP "Remote mode (\fIconnect\fR option) on \fILinux 2.2.x\fR" 4
.IX Item "Remote mode (connect option) on Linux 2.2.x"
This configuration requires kernel to be compiled with \fItransparent proxy\fR option.
Connected service must be installed on a separate host.
Routing towards the clients has to go through the stunnel box.
.Sp
\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option.
.IP "Remote mode (\fIconnect\fR option) on \fIFreeBSD >=8.0\fR" 4
.IX Item "Remote mode (connect option) on FreeBSD >=8.0"
This configuration requires additional firewall and routing setup.
\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option.
.IP "Local mode (\fIexec\fR option)" 4
.IX Item "Local mode (exec option)"
This configuration works by pre-loading \fIlibstunnel.so\fR shared library.
_RLD_LIST environment variable is used on Tru64, and \s-1LD_PRELOAD\s0 variable on
other platforms.
.RE
.RS 4
.RE
.IP "\fIdestination\fR" 4
.IX Item "destination"
Original destination is used instead of \fIconnect\fR option.
.Sp
A service section for transparent destination may look like this:
.Sp
.Vb 4
\& [transparent]
\& client=yes
\& accept=<stunnel_port>
\& transparent=destination
.Ve
.Sp
This configuration requires the following setup for iptables
(possibly in /etc/rc.local or equivalent file):
.Sp
.Vb 2
\& /sbin/iptables \-I INPUT \-i eth0 \-p tcp \-\-dport <stunnel_port> \-j ACCEPT
\& /sbin/iptables \-t nat \-I PREROUTING \-i eth0 \-p tcp \-\-dport <redirected_port> \-j DNAT \-\-to\-destination <local_ip>:<stunnel_port>
.Ve
.Sp
Transparent destination option is currently only supported on Linux.
.IP "\fIboth\fR" 4
.IX Item "both"
Use both \fIsource\fR and \fIdestination\fR transparent proxy.
.RE
.RS 4
.Sp
Two legacy options are also supported for backward compatibility:
.IP "\fIyes\fR" 4
.IX Item "yes"
This options has been renamed to \fIsource\fR.
.IP "\fIno\fR" 4
.IX Item "no"
This options has been renamed to \fInone\fR.
.RE
.RS 4
.RE
.IP "\fBverify\fR = level" 4
.IX Item "verify = level"
verify peer certificate
.RS 4
.IP "\fIlevel 0\fR \- request and ignore peer certificate" 4
.IX Item "level 0 - request and ignore peer certificate"
.PD 0
.IP "\fIlevel 1\fR \- verify peer certificate if present" 4
.IX Item "level 1 - verify peer certificate if present"
.IP "\fIlevel 2\fR \- verify peer certificate" 4
.IX Item "level 2 - verify peer certificate"
.IP "\fIlevel 3\fR \- verify peer with locally installed certificate" 4
.IX Item "level 3 - verify peer with locally installed certificate"
.IP "\fIlevel 4\fR \- ignore \s-1CA\s0 chain and only verify peer certificate" 4
.IX Item "level 4 - ignore CA chain and only verify peer certificate"
.IP "\fIdefault\fR \- no verify" 4
.IX Item "default - no verify"
.RE
.RS 4
.PD
.Sp
It is important to understand, that this option was solely designed for access
control and not for authorization. Specifically for level 2 every non-revoked
certificate is accepted regardless of its Common Name. For this reason a
dedicated \s-1CA\s0 should be used with level 2, and not a generic \s-1CA\s0 commonly used
for webservers. Level 3 is preferred for point-to-point connections.
.RE
.SH "RETURN VALUE"
.IX Header "RETURN VALUE"
\&\fBstunnel\fR returns zero on success, non-zero on error.
.SH "SIGNALS"
.IX Header "SIGNALS"
The following signals can be used to control stunnel in Unix environment:
.IP "\s-1SIGHUP\s0" 4
.IX Item "SIGHUP"
Force a reload of the configuration file.
.Sp
Some global options will not be reloaded:
.RS 4
.IP "\(bu" 4
chroot
.IP "\(bu" 4
foreground
.IP "\(bu" 4
pid
.IP "\(bu" 4
setgid
.IP "\(bu" 4
setuid
.RE
.RS 4
.Sp
The use of 'setuid' option will also prevent stunnel from binding privileged
(<1024) ports during configuration reloading.
.Sp
When 'chroot' option is used, stunnel will look for all its files (including
configuration file, certificates, log file and pid file) within the chroot
jail.
.RE
.IP "\s-1SIGUSR1\s0" 4
.IX Item "SIGUSR1"
Close and reopen stunnel log file.
This function can be used for log rotation.
.IP "\s-1SIGTERM\s0, \s-1SIGQUIT\s0, \s-1SIGINT\s0" 4
.IX Item "SIGTERM, SIGQUIT, SIGINT"
Shut stunnel down.
.PP
The result of sending any other signals to the server is undefined.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
In order to provide \s-1SSL\s0 encapsulation to your local \fIimapd\fR service, use
.PP
.Vb 4
\& [imapd]
\& accept = 993
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.PP
If you want to provide tunneling to your \fIpppd\fR daemon on port 2020,
use something like
.PP
.Vb 5
\& [vpn]
\& accept = 2020
\& exec = /usr/sbin/pppd
\& execargs = pppd local
\& pty = yes
.Ve
.PP
If you want to use \fBstunnel\fR in \fIinetd\fR mode to launch your imapd
process, you'd use this \fIstunnel.conf\fR.
Note there must be no \fI[service_name]\fR section.
.PP
.Vb 2
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.SH "NOTES"
.IX Header "NOTES"
.SS "\s-1RESTRICTIONS\s0"
.IX Subsection "RESTRICTIONS"
\&\fBstunnel\fR cannot be used for the \s-1FTP\s0 daemon because of the nature
of the \s-1FTP\s0 protocol which utilizes multiple ports for data transfers.
There are available \s-1SSL\s0 enabled versions of \s-1FTP\s0 and telnet daemons, however.
.SS "\s-1INETD\s0 \s-1MODE\s0"
.IX Subsection "INETD MODE"
The most common use of \fBstunnel\fR is to listen on a network
port and establish communication with either a new port
via the connect option, or a new program via the \fIexec\fR option.
However there is a special case when you wish to have
some other program accept incoming connections and
launch \fBstunnel\fR, for example with \fIinetd\fR, \fIxinetd\fR,
or \fItcpserver\fR.
.PP
For example, if you have the following line in \fIinetd.conf\fR:
.PP
.Vb 1
\& imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
.Ve
.PP
In these cases, the \fIinetd\fR\-style program is responsible
for binding a network socket (\fIimaps\fR above) and handing
it to \fBstunnel\fR when a connection is received.
Thus you do not want \fBstunnel\fR to have any \fIaccept\fR option.
All the \fIService Level Options\fR should be placed in the
global options section, and no \fI[service_name]\fR section
will be present. See the \fI\s-1EXAMPLES\s0\fR section for example
configurations.
.SS "\s-1CERTIFICATES\s0"
.IX Subsection "CERTIFICATES"
Each \s-1SSL\s0 enabled daemon needs to present a valid X.509 certificate
to the peer. It also needs a private key to decrypt the incoming
data. The easiest way to obtain a certificate and a key is to
generate them with the free \fIOpenSSL\fR package. You can find more
information on certificates generation on pages listed below.
.PP
The order of contents of the \fI.pem\fR file is important. It should contain the
unencrypted private key first, then a signed certificate (not certificate
request). There should be also empty lines after certificate and private key.
Plaintext certificate information appended on the top of generated certificate
should be discarded. So the file should look like this:
.PP
.Vb 8
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
\& [encoded key]
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
\& [empty line]
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
\& [encoded certificate]
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
\& [empty line]
.Ve
.SS "\s-1RANDOMNESS\s0"
.IX Subsection "RANDOMNESS"
\&\fBstunnel\fR needs to seed the \s-1PRNG\s0 (pseudo random number generator) in
order for \s-1SSL\s0 to use good randomness. The following sources are loaded
in order until sufficient random data has been gathered:
.IP "\(bu" 4
The file specified with the \fIRNDfile\fR flag.
.IP "\(bu" 4
The file specified by the \s-1RANDFILE\s0 environment variable, if set.
.IP "\(bu" 4
The file .rnd in your home directory, if \s-1RANDFILE\s0 not set.
.IP "\(bu" 4
The file specified with '\-\-with\-random' at compile time.
.IP "\(bu" 4
The contents of the screen if running on Windows.
.IP "\(bu" 4
The egd socket specified with the \fI\s-1EGD\s0\fR flag.
.IP "\(bu" 4
The egd socket specified with '\-\-with\-egd\-sock' at compile time.
.IP "\(bu" 4
The /dev/urandom device.
.PP
With recent (>=OpenSSL 0.9.5a) version of \s-1SSL\s0 it will stop loading
random data automatically when sufficient entropy has been gathered.
With previous versions it will continue to gather from all the above
sources since no \s-1SSL\s0 function exists to tell when enough data is available.
.PP
Note that on Windows machines that do not have console user interaction
(mouse movements, creating windows, etc.) the screen contents are not
variable enough to be sufficient, and you should provide a random file
for use with the \fIRNDfile\fR flag.
.PP
Note that the file specified with the \fIRNDfile\fR flag should contain
random data \*(-- that means it should contain different information
each time \fBstunnel\fR is run. This is handled automatically
unless the \fIRNDoverwrite\fR flag is used. If you wish to update this file
manually, the \fIopenssl rand\fR command in recent versions of OpenSSL,
would be useful.
.PP
One important note \*(-- if /dev/urandom is available, OpenSSL has a habit of
seeding the \s-1PRNG\s0 with it even when checking the random state, so on
systems with /dev/urandom you're likely to use it even though it's listed
at the very bottom of the list above. This isn't \fBstunnel's\fR behaviour, it's
OpenSSLs.
.SS "\s-1DH\s0 \s-1PARAMETERS\s0"
.IX Subsection "DH PARAMETERS"
Stunnel 4.40 and later contains hardcoded 2048\-bit \s-1DH\s0 parameters.
.PP
It is also possible to specify \s-1DH\s0 parameters in the certificate file:
.PP
.Vb 1
\& openssl dhparam 2048 >> stunnel.pem
.Ve
.PP
\&\s-1DH\s0 parameter generation may take several minutes.
.SH "FILES"
.IX Header "FILES"
.IP "\fIstunnel.conf\fR" 4
.IX Item "stunnel.conf"
\&\fBstunnel\fR configuration file
.SH "BUGS"
.IX Header "BUGS"
Option \fIexecargs\fR does not support quoting.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
.IP "\fItcpd\fR\|(8)" 4
.IX Item "tcpd"
access control facility for internet services
.IP "\fIinetd\fR\|(8)" 4
.IX Item "inetd"
internet 'super\-server'
.IP "\fIhttp://www.stunnel.org/\fR" 4
.IX Item "http://www.stunnel.org/"
\&\fBstunnel\fR homepage
.IP "\fIhttp://www.openssl.org/\fR" 4
.IX Item "http://www.openssl.org/"
OpenSSL project website
.SH "AUTHOR"
.IX Header "AUTHOR"
.IP "Michał Trojnara" 4
.IX Item "Michał Trojnara"
<\fIMichal.Trojnara@mirt.net\fR>
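Review bot: the verbatim example under the accept option is wrong: the text says "To listen on all IPv6 addresses use:" and then shows `connect = :::port`, which sets the wrong option (the listener would stay on the IPv4 default described two lines earlier, "defaults to all IPv4 addresses"). The block should read `\& accept = :::port`. Smaller wording defects in the same text worth fixing in the same pass: under chroot, "the patches have to be relative" should be "the paths have to be relative"; "engine cryptogaphic module" (engineCtrl) should be "cryptographic"; "a list of supported cuves" (curve) should be "curves"; "Proprietary (undocummented) extension" (protocol cifs) should be "undocumented"; the three "must also to be executed as root" sentences under transparent = source should drop "to", and the first of them duplicates the preceding "This configuration requires stunnel to be executed as root and without setuid option" in the Linux >=2.6.28 item; "This options has been renamed" appears twice under the legacy yes/no values and should be "This option has been renamed". Since this compare also adds doc/stunnel.8.in, the corrections belong there as well if this page is generated from that template.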

1395
doc/stunnel.8.in Normal file

File diff suppressed because it is too large

@ -1,574 +0,0 @@
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\" ========================================================================
.\"
.IX Title "STUNNEL.FR 8"
.TH STUNNEL.FR 8 "2012.01.12" "4.53" "stunnel"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NOM"
.IX Header "NOM"
stunnel \- tunnel \s-1SSL\s0 universel
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.IP "\fBUnix:\fR" 4
.IX Item "Unix:"
\&\fBstunnel\fR [fichier] | \-fd [n] | \-help | \-version | \-sockets
.IP "\fB\s-1WIN32:\s0\fR" 4
.IX Item "WIN32:"
\&\fBstunnel\fR [fichier] | \-install | \-uninstall | \-help | \-version | \-sockets
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Le programme \fBstunnel\fR est conçu pour fonctionner comme une couche
de chiffrement \fI\s-1SSL\s0\fR entre des clients distants et des serveurs locaux
(\fIinetd\fR\-démarrables) ou distants. Le concept est qu'à partir de daemons
non-SSL présents sur le système, on peut facilement les configurer pour
communiquer avec des clients sur des liens sécurisés \s-1SSL\s0.
.PP
\&\fBstunnel\fR peut être utilisé pour ajouter des fonctionnalités \s-1SSL\s0 à des
daemons classiques \fIInetd\fR tels que les serveurs \s-1POP\-2\s0, \s-1POP\-3\s0 et \s-1IMAP\s0,
à d'autres autonomes tels que \s-1NNTP\s0, \s-1SMTP\s0 et \s-1HTTP\s0, ainsi que pour tunneliser
\&\s-1PPP\s0 sur des sockets réseau sans modification du code source.
.PP
Ce produit inclut du code de chiffrement écrit par
Eric Young (eay@cryptsoft.com)
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB[fichier]\fR" 4
.IX Item "[fichier]"
Utilisation du fichier de configuration spécifié.
.IP "\fB\-fd [n]\fR (Unix seulement)" 4
.IX Item "-fd [n] (Unix seulement)"
Lecture du fichier de configuration depuis le descripteur de
fichier indiqué.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Affiche le menu d'aide de \fBstunnel\fR.
.IP "\fB\-version\fR" 4
.IX Item "-version"
Affiche la version de \fBstunnel\fR et les options de compilation.
.IP "\fB\-sockets\fR" 4
.IX Item "-sockets"
Affiche les options socket par défaut.
.IP "\fB\-install\fR (\s-1NT/2000/XP\s0 seulement)" 4
.IX Item "-install (NT/2000/XP seulement)"
Installe un service \s-1NT\s0.
.IP "\fB\-uninstall\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-uninstall (NT/2000/XP only)"
Désinstalle un service \s-1NT\s0.
.SH "FICHIER DE CONFIGURATION"
.IX Header "FICHIER DE CONFIGURATION"
Chaque ligne du fichier de configuration peut être soit :
.IP "\(bu" 4
une ligne vide (ignorée) ;
.IP "\(bu" 4
un commentaire commençant par « # » (ignoré) ;
.IP "\(bu" 4
une paire « option = valeur » ;
.IP "\(bu" 4
« [service_name] » indiquant le début de la définition d'un service ;
.SS "\s-1OPTIONS\s0 \s-1GLOBALES\s0"
.IX Subsection "OPTIONS GLOBALES"
.IP "\fBCApath\fR = répertoire" 4
.IX Item "CApath = répertoire"
Répertoire des autorités de certification (\s-1CA\s0)
.Sp
C'est le répertoire dans lequel \fBstunnel\fR cherche les certificats si
l'on utilise \fIverify\fR. Les certificats doivent être dénommés selon la
forme \s-1XXXXXXXX\s0.0, où \s-1XXXXXXXX\s0 est la valeur de hachage du certificat.
.Sp
Le cas échéant, le répertoire \fICApath\fR est relatif au répertoire \fIchroot\fR.
.IP "\fBCAfile\fR = fichier" 4
.IX Item "CAfile = fichier"
Fichier d'autorités de certification
.Sp
Ce fichier, utilisé avec \fIverify\fR, contient plusieurs certificats de \s-1CA\s0.
.IP "\fBcert\fR = fichier" 4
.IX Item "cert = fichier"
Fichier de chaîne de certificats \s-1PEM\s0
.Sp
Une \s-1PEM\s0 est toujours nécessaire en mode serveur.
En mode client, cette option utilise cette \s-1PEM\s0 comme une chaîne côté client.
L'utilisation de certificats côté client est optionnelle. Les certificats
doivent être au format \s-1PEM\s0 et triés par ordre de niveau décroissant (\s-1CA\s0 racine
en premier).
.IP "\fBchroot\fR = répertoire (Unix seulement)" 4
.IX Item "chroot = répertoire (Unix seulement)"
Répertoire de chroot du processus \fBstunnel\fR
.Sp
\&\fBchroot\fR enferme \fBstunnel\fR dans une cellule chroot. \fICApath\fR, \fICRLpath\fR, \fIpid\fR
et \fIexec\fR sont situés à l'intérieur de la cellule et les répertoires doivent être
relatifs au répertoire correspondant.
.Sp
Pour que le contrôle de libwrap (wrappeur \s-1TCP\s0) soit effectif dans un environnement
chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et
/etc/hosts.deny).
.IP "\fBciphers\fR = listes de chiffre" 4
.IX Item "ciphers = listes de chiffre"
Sélection des chiffres \s-1SSL\s0 autorisés
.Sp
Liste délimitée par deux-points (« : ») des chiffres autorisés pour la connexion \s-1SSL\s0.
Exemple : \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
.IP "\fBclient\fR = yes | no" 4
.IX Item "client = yes | no"
Mode client (Le service distant utilise \s-1SSL\s0)
.Sp
Par défaut : no (mode server)
.IP "\fBCRLpath\fR = répertoire" 4
.IX Item "CRLpath = répertoire"
Répertoire des listes de révocation de certificats (\s-1CRL\s0)
.Sp
C'est le répertoire dans lequel \fBstunnel\fR recherche les \s-1CRL\s0 avec
l'option \fIverify\fR. Les \s-1CRL\s0 doivent être dénommés selon la
forme \s-1XXXXXXXX\s0.0 où \s-1XXXXXXXX\s0 est la valeur de hachage de la \s-1CRL\s0.
.Sp
Le cas échéant, le répertoire \fICRLpath\fR est relatif au répertoire \fIchroot\fR.
.IP "\fBCRLfile\fR = fichier" 4
.IX Item "CRLfile = fichier"
Fichier de listes de révocation de certificats (\s-1CRL\s0)
.Sp
Ce fichier, utilisé avec \fIverify\fR, contient plusieurs \s-1CRL\s0.
.IP "\fBdebug\fR = [facilité.]niveau" 4
.IX Item "debug = [facilité.]niveau"
niveau de déverminage
.Sp
Le niveau est un nom ou un numéro conforme à ceux de syslog :
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux
numériquement inférieurs seront affichées. \fBdebug = debug\fR ou
\&\fBdebug = 7\fR donneront le maximum d'informations. La valeur par défaut
est notice (5).
.Sp
La facilité syslog « daemon » est utilisée, sauf si un autre nom est spécifié
(Win32 ne permet pas l'usage des facilités.)
.Sp
La casse est ignorée, aussi bien pour la facilité que pour le niveau.
.IP "\fB\s-1EGD\s0\fR = chemin (Unix seulement)" 4
.IX Item "EGD = chemin (Unix seulement)"
Emplacement du socket du daemon de recueil d'entropie (\s-1EGD\s0 \- Entropy Gathering Daemon)
.Sp
Socket \s-1EGD\s0 à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible
seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur).
.IP "\fBforeground\fR = yes | no (Unix seulement)" 4
.IX Item "foreground = yes | no (Unix seulement)"
Mode avant-plan
.Sp
Reste en avant-plan (sans fork) et dirige la trace sur stderr
au lieu de syslog (sauf si \fBoutput\fR est spécifié).
.Sp
Par défault : arrière\-plan en mode daemon.
.IP "\fBkey\fR = fichier" 4
.IX Item "key = fichier"
Fichier de clef privée pour le certificat spécifié par \fIcert\fR
.Sp
La clef privée est nécessaire pour authentifier le titulaire du
certificat.
Puisque ce fichier doit rester secret, il ne doit être lisible que
par son propriétaire. Sur les systèmes Unix, on peut utiliser la
commande suivante :
.Sp
.Vb 1
\& chmod 600 fichier
.Ve
.Sp
Par défault : Valeur de \fIcert\fR
.IP "\fBoptions\fR = Options_SSL" 4
.IX Item "options = Options_SSL"
Options de la bibliothèque OpenSSL
.Sp
Le paramètre est l'option OpenSSL décrite dans la page de man
\&\fI\fISSL_CTX_set_options\fI\|(3ssl)\fR, débarassée du préfixe \fI\s-1SSL_OP_\s0\fR.
Plusieurs \fIoptions\fR peuvent être spécifiées.
.Sp
Par exemple, pour la compatibilité avec l'implantation \s-1SSL\s0 défaillante
d'Eudora, on peut utiliser :
.Sp
.Vb 1
\& options = DONT_INSERT_EMPTY_FRAGMENTS
.Ve
.IP "\fBoutput\fR = fichier" 4
.IX Item "output = fichier"
Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.
.Sp
/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard
(par exemple pour les traiter avec les outils splogger).
.IP "\fBpid\fR = fichier (Unix seulement)" 4
.IX Item "pid = fichier (Unix seulement)"
Emplacement du fichier pid
.Sp
Si l'argument est vide, aucun fichier ne sera créé.
.Sp
Le cas échéant, le chemin \fIpid\fR est relatif au répertoire \fIchroot\fR.
.IP "\fBRNDbytes\fR = nombre" 4
.IX Item "RNDbytes = nombre"
Nombre d'octets à lire depuis les fichiers de « sel » aléatoire
.Sp
Avec les \s-1SSL\s0 de version inférieure à 0.9.5a, détermine aussi le nombre
d'octets considérés comme suffisants pour « saler » le \s-1PRNG\s0. Les versions plus
récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire
est suffisant.
.IP "\fBRNDfile\fR = fichier" 4
.IX Item "RNDfile = fichier"
chemin du fichier de données de « sel » aléatoire
.Sp
La bibliothèque \s-1SSL\s0 utilise prioritairement les données de ce fichier pour
« saler » le générateur d'aléatoire.
.IP "\fBRNDoverwrite\fR = yes | no" 4
.IX Item "RNDoverwrite = yes | no"
Recouvre les fichiers de « sel » avec de nouvelles données aléatoires.
.Sp
Par défaut : yes
.IP "\fBservice\fR = nom" 4
.IX Item "service = nom"
Définit le nom de service à utiliser
.Sp
\&\fBSous Unix :\fR nom de service du mode \fIinetd\fR pour la bibliothèque \s-1TCP\s0 Wrapper.
.Sp
Par défaut : stunnel
.IP "\fBsession\fR = timeout" 4
.IX Item "session = timeout"
Timeout du cache de session
.IP "\fBsetgid\fR = nom (Unix seulement)" 4
.IX Item "setgid = nom (Unix seulement)"
Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)
.IP "\fBsetuid\fR = nom (Unix seulement)" 4
.IX Item "setuid = nom (Unix seulement)"
Nom d'utilisateur utilisé en mode daemon
.IP "\fBsocket\fR = a|l|r:option=valeur[:valeur]" 4
.IX Item "socket = a|l|r:option=valeur[:valeur]"
Configure une option de socket accept (a), locale (l) ou distante (r)
.Sp
Les valeurs de l'option linger sont : l_onof:l_linger.
Les valeurs de l'option time sont : tv_sec:tv_usec.
.Sp
Exemples :
.Sp
.Vb 9
\& socket = l:SO_LINGER=1:60
\& définit un délai d\*(Aqune minute pour la clôture des sockets locaux
\& socket = r:SO_OOBINLINE=yes
\& Place directement les données hors\-bande dans le flux de réception
\& des sockets distants
\& socket = a:SO_REUSEADDR=no
\& désactive la réutilisation d\*(Aqadresses (activée par défaut)
\& socket = a:SO_BINDTODEVICE=lo
\& limite l\*(Aqacceptation des connexions sur la seule interface de bouclage
.Ve
.IP "\fBtaskbar\fR = yes | no (\s-1WIN32\s0 seulement)" 4
.IX Item "taskbar = yes | no (WIN32 seulement)"
active l'icône de la barre de tâches
.Sp
Par défaut : yes
.IP "\fBverify\fR = niveau" 4
.IX Item "verify = niveau"
Vérifie le certificat du correspondant
.Sp
.Vb 3
\& niveau 1 \- vérifie le certificat s\*(Aqil est présent
\& niveau 2 \- vérifie le certificat
\& niveau 3 \- contrôle le correspondant avec le certificat local
.Ve
.Sp
Par défaut \- pas de vérification
.SS "\s-1OPTIONS\s0 \s-1DE\s0 \s-1SERVICE\s0"
.IX Subsection "OPTIONS DE SERVICE"
Chaque section de configuration commence par le nom du service entre crochets.
Celui-ci est utilisé par le contrôle d'accès de libwrap (\s-1TCP\s0 Wrappers) et sert
à distinguer les services \fBstunnel\fR dans les fichiers de traces.
.PP
Si l'on souhaite utiliser \fBstunnel\fR en mode \fIinetd\fR (lorsqu'un socket lui est
fourni par un serveur comme \fIinetd\fR, \fIxinetd\fR ou \fItcpserver\fR), il faut se
reporter à la section \fI\s-1MODE\s0 \s-1INETD\s0\fR plus bas.
.IP "\fBaccept\fR = [hôte:]port" 4
.IX Item "accept = [hôte:]port"
Accepte des connexions sur le port spécifié
.Sp
Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses \s-1IP\s0 de
la machine locale.
.IP "\fBconnect\fR = [hôte:]port" 4
.IX Item "connect = [hôte:]port"
Se connecte au port distant indiqué
.Sp
Par défaut, l'hôte est localhost.
.IP "\fBdelay\fR = yes | no" 4
.IX Item "delay = yes | no"
Retarde la recherche \s-1DNS\s0 pour l'option « connect »
.IP "\fBexec\fR = chemin_exécutable (Unix seulement)" 4
.IX Item "exec = chemin_exécutable (Unix seulement)"
Exécute un programme local de type inetd
.Sp
Le cas échéant, le chemin \fIexec\fR est relatif au répertoire \fIchroot\fR.
.ie n .IP "\fBexecargs\fR = $0 $1 $2 ... (Unix seulement)" 4
.el .IP "\fBexecargs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ... (Unix seulement)" 4
.IX Item "execargs = $0 $1 $2 ... (Unix seulement)"
Arguments pour \fIexec\fR, y compris le nom du programme ($0)
.Sp
Les quotes ne peuvent actuellement pas être utilisées.
Les arguments sont séparés par un nombre quelconque d'espaces.
.IP "\fBident\fR = nom" 4
.IX Item "ident = nom"
Applique le contrôle d'identité d'utilisateur \s-1IDENT\s0 (\s-1RFC\s0 1413)
.IP "\fBlocal\fR = hôte" 4
.IX Item "local = hôte"
Adresse \s-1IP\s0 de l'interface de sortie utilisée pour les connexions distantes.
Cette option permet de relier une adresse statique locale.
.IP "\fBprotocol\fR = protocole" 4
.IX Item "protocol = protocole"
Négocie avec \s-1SSL\s0 selon le protocole indiqué
.Sp
Actuellement gérés : cifs, nntp, pop3, smtp
.IP "\fBpty\fR = yes | no (Unix seulement)" 4
.IX Item "pty = yes | no (Unix seulement)"
Alloue un pseudo-terminal pour l'option « exec »
.IP "\fBTIMEOUTbusy\fR = secondes" 4
.IX Item "TIMEOUTbusy = secondes"
Durée d'attente de données
.IP "\fBTIMEOUTclose\fR = secondes" 4
.IX Item "TIMEOUTclose = secondes"
Durée d'attente du close_notify (mis à 0 pour \s-1MSIE\s0 qui est bogué)
.IP "\fBTIMEOUTidle\fR = secondes" 4
.IX Item "TIMEOUTidle = secondes"
Durée d'attente sur une connexion inactive
.IP "\fBtransparent\fR = yes | no (Unix seulement)" 4
.IX Item "transparent = yes | no (Unix seulement)"
Mode mandataire transparent
.Sp
\-écrit les adresses pour qu'elles apparaissent provenir de la
machine client \s-1SSL\s0 plutôt que de celle qui exécute \fBstunnel\fR.
Cette option n'est disponible en mode local (option \fIexec\fR) qu'avec
la bibliothèque partagée LD_PRELOADing env.so shared library et en mode
distant (option \fIconnect\fR) sur les noyaux Linux 2.2 compilés avec
l'option \fItransparent proxy\fR et seulement en mode serveur. Cette
option ne se combine pas au mode mandataire (\fIconnect\fR) sauf si la
route par défaut du client vers la cible passe par l'hôte qui fait
tourner \fBstunnel\fR, qui ne peut être localhost.
.SH "VALEUR DE RETOUR"
.IX Header "VALEUR DE RETOUR"
\&\fBstunnel\fR renvoie zéro en cas de succès, une autre valeur en cas d'erreur.
.SH "EXEMPLES"
.IX Header "EXEMPLES"
Pour encapsuler votre service \fIimapd\fR local avec \s-1SSL\s0 :
.PP
.Vb 4
\& [imapd]
\& accept = 993
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.PP
Pour tunneliser un daemon \fIpppd\fR sur le port 2020 :
.PP
.Vb 5
\& [vpn]
\& accept = 2020
\& exec = /usr/sbin/pppd
\& execargs = pppd local
\& pty = yes
.Ve
.PP
Configuration de \fIstunnel.conf\fR pour utiliser \fBstunnel\fR en mode \fIinetd\fR
qui lance imapd à son tour (il ne doit pas y avoir de section \fI[service_name]\fR) :
.PP
.Vb 2
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.SH "FICHIERS"
.IX Header "FICHIERS"
.IP "\fIstunnel.conf\fR" 4
.IX Item "stunnel.conf"
Fichier de configuration de \fBstunnel\fR
.IP "\fIstunnel.pem\fR" 4
.IX Item "stunnel.pem"
Certificat et clef privée de \fBstunnel\fR
.SH "BOGUES"
.IX Header "BOGUES"
L'option \fIexecargs\fR n'admet pas les quotes.
.SH "RESTRICTIONS"
.IX Header "RESTRICTIONS"
\&\fBstunnel\fR ne peut être utilisé pour le daemon \s-1FTP\s0 en raison de la nature
du protocole \s-1FTP\s0 qui utilise des ports multiples pour les transferts de données.
Il existe cependant des versions \s-1SSL\s0 de \s-1FTP\s0 et de telnet.
.SH "NOTES"
.IX Header "NOTES"
.SS "\s-1MODE\s0 \s-1INETD\s0"
.IX Subsection "MODE INETD"
L'utilisation la plus commune de \fBstunnel\fR consiste à écouter un port
réseau et à établir une communication, soit avec un nouveau port
avec l'option \fIconnect\fR, soit avec un programme avec l'option \fIexec\fR.
On peut parfois cependant souhaiter qu'un autre programme reçoive les
connexions entrantes et lance \fBstunnel\fR, par exemple avec \fIinetd\fR,
\&\fIxinetd\fR ou \fItcpserver\fR.
.PP
Si, par exemple, la ligne suivante se trouve dans \fIinetd.conf\fR :
.PP
.Vb 1
\& imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
.Ve
.PP
Dans ces cas, c'est le programme du genre \fIinetd\fR\-style qui est
responsable de l'établissement de la connexion (\fIimaps\fR ci-dessus) et de passer
celle-ci à \fBstunnel\fR.
Ainsi, \fBstunnel\fR ne doit alors avoir aucune option \fIaccept\fR.
Toutes les \fIoptions de niveau service\fR doivent être placées dans
la section des options globales et aucune section \fI[service_name]\fR ne doit
être présente. Voir la section \fI\s-1EXEMPLES\s0\fR pour des exemples de configurations.
.SS "\s-1CERTIFICATS\s0"
.IX Subsection "CERTIFICATS"
Chaque daemon à propriétés \s-1SSL\s0 doit présenter un certificat X.509
valide à son interlocuteur. Il a aussi besoin d'une clef privé pour
déchiffrer les données entrantes. La méthode la plus simple pour
obtenir un certificat et une clef est d'engendrer celles-ci avec
le paquetage libre \fIOpenSSL\fR. Plus d'informations sur la génération de
certificats se trouvent dans les pages indiquées plus bas.
.PP
Deux choses importantes lors de la génération de paires certificat-clef
pour \fBstunnel\fR :
.IP "\(bu" 4
la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen
d'obtenir le mot de passe de l'utilisateur ; pour produire une clef non chiffrée,
ajouter l'option \fI\-nodes\fR à la commande \fBreq\fR de \fIOpenSSL\fR ;
.IP "\(bu" 4
l'ordre du contenu du fichier \fI.pem\fR est significatif : il doit contenir d'abord
une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat).
Il doit aussi y avoir des lignes vides après le certificat et après la clef privée.
L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que
le fichier ait l'allure suivante :
.Sp
.Vb 8
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
\& [clef encodée]
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
\& [ligne vide]
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
\& [certificat encodé]
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
\& [ligne vide]
.Ve
.SS "\s-1ALEATOIRE\s0"
.IX Subsection "ALEATOIRE"
\&\fBstunnel\fR doit « saler » le générateur de pseudo\-aléatoires \s-1PRNG\s0 (pseudo random
number generator) afin que \s-1SSL\s0 utilise un aléatoire de qualité. Les sources suivantes
sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lue :
.IP "\(bu" 4
le fichier spécifié par \fIRNDfile\fR ;
.IP "\(bu" 4
le fichier spécifié par la variable d'environnement \s-1RANDFILE\s0, à défaut
le fichier .rnd du répertoire \f(CW$HOME\fR de l'utilisateur ;
.IP "\(bu" 4
le fichier spécifié par « \-\-with\-random » lors de la compilation ;
.IP "\(bu" 4
le contenu de l'écran (MS-Windows seulement) ;
.IP "\(bu" 4
le socket \s-1EGD\s0 spécifié par \fI\s-1EGD\s0\fR ;
.IP "\(bu" 4
le socket \s-1EGD\s0 spécifié par « \-\-with\-egd\-sock » lors de la compilation ;
.IP "\(bu" 4
le périphérique /dev/urandom.
.PP
Avec un OpenSSL récent (>=OpenSSL 0.9.5a) le chargement de données s'arrête
automatiquement lorsqu'un niveau d'entropie suffisant est atteint.
Les versions précédentes continuent à lire toutes les sources puisqu'aucune
fonction \s-1SSL\s0 ne leur permet de savoir que suffisamment de données sont disponibles.
.PP
Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console,
(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est
pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire
par le biais de \fIRNDfile\fR.
.PP
Le fichier spécifié par \fIRNDfile\fR doit contenir des informations aléatoires \*(--
c'est\-à\-dire des informations différentes à chaque lancement de \fBstunnel\fR.
Cela est géré automatiquement sauf si l'option \fIRNDoverwrite\fR est utilisée.
Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la
commande \fIopenssl rand\fR des versions récentes d'OpenSSL sera sans doute utile.
.PP
Note importante : si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser
celui-ci pour « saler » le \s-1PRNG\s0 même lorsqu'il contrôle l'état de l'aléatoire ;
ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable
qu'il soit utilisé s'il est présent.
Ce n'est pas le comportement de \fBstunnel\fR, c'est celui d'OpenSSL.
.SH "VOIR AUSSI"
.IX Header "VOIR AUSSI"
.IP "\fItcpd\fR\|(8)" 4
.IX Item "tcpd"
Service de contrôle d'accès pour les services internet
.IP "\fIinetd\fR\|(8)" 4
.IX Item "inetd"
« super-serveur » internet
.IP "\fIhttp://www.stunnel.org/\fR" 4
.IX Item "http://www.stunnel.org/"
Page de référence de \fBstunnel\fR
.IP "\fIhttp://www.openssl.org/\fR" 4
.IX Item "http://www.openssl.org/"
Site web du projet OpenSSL
.SH "AUTEUR"
.IX Header "AUTEUR"
.IP "Michał Trojnara" 4
.IX Item "Michał Trojnara"
<\fIMichal.Trojnara@mirt.net\fR>
.SH "ADAPTATION FRANÇAISE"
.IX Header "ADAPTATION FRANÇAISE"
.IP "Bernard Choppy" 4
.IX Item "Bernard Choppy"
<\fIchoppy \s-1AT\s0 free \s-1POINT\s0 fr\fR>
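Review bot: In the socket item the linger value is documented as "l_onof:l_linger"; the struct linger field is spelled l_onoff, so this should read "l_onoff:l_linger" to match what readers will find in setsockopt(2). The transparent item also looks like an unfinished translation: its description starts with "\-écrit les adresses" (the leading "Ré" of "Réécrit" is missing), and "la bibliothèque partagée LD_PRELOADing env.so shared library" mixes the French and English wording; suggest "en préchargeant (LD_PRELOAD) la bibliothèque partagée env.so". Smaller spelling points in the same file: "Par défault" in the foreground and key items (elsewhere "Par défaut"), "débarassée" in the options item (should be "débarrassée"), "clef privé" in CERTIFICATS (should be "clef privée"), and the -uninstall heading keeps the English "(NT/2000/XP only)" while the -install heading uses "seulement".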

View File

@ -1,670 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>stunnel.8</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:root@localhost" />
</head>
<body style="background-color: white">
<!-- INDEX BEGIN -->
<div name="index">
<p><a name="__index__"></a></p>
<!--
<ul>
<li><a href="#nom">NOM</a></li>
<li><a href="#synopsis">SYNOPSIS</a></li>
<li><a href="#description">DESCRIPTION</a></li>
<li><a href="#options">OPTIONS</a></li>
<li><a href="#fichier_de_configuration">FICHIER DE CONFIGURATION</a></li>
<ul>
<li><a href="#options_globales">OPTIONS GLOBALES</a></li>
<li><a href="#options_de_service">OPTIONS DE SERVICE</a></li>
</ul>
<li><a href="#valeur_de_retour">VALEUR DE RETOUR</a></li>
<li><a href="#exemples">EXEMPLES</a></li>
<li><a href="#fichiers">FICHIERS</a></li>
<li><a href="#bogues">BOGUES</a></li>
<li><a href="#restrictions">RESTRICTIONS</a></li>
<li><a href="#notes">NOTES</a></li>
<ul>
<li><a href="#mode_inetd">MODE INETD</a></li>
<li><a href="#certificats">CERTIFICATS</a></li>
<li><a href="#aleatoire">ALEATOIRE</a></li>
</ul>
<li><a href="#voir_aussi">VOIR AUSSI</a></li>
<li><a href="#auteur">AUTEUR</a></li>
<li><a href="#adaptation_fran__aise">ADAPTATION FRANÇAISE</a></li>
</ul>
-->
</div>
<!-- INDEX END -->
<p>
</p>
<h1><a name="nom">NOM</a></h1>
<p>stunnel - tunnel SSL universel</p>
<p>
</p>
<hr />
<h1><a name="synopsis">SYNOPSIS</a></h1>
<dl>
<dt><strong><a name="unix" class="item"><strong>Unix:</strong></a></strong></dt>
<dd>
<p><strong>stunnel</strong> [fichier] | -fd&nbsp;[n] | -help | -version | -sockets</p>
</dd>
<dt><strong><a name="win32" class="item"><strong>WIN32:</strong></a></strong></dt>
<dd>
<p><strong>stunnel</strong> [fichier] | -install | -uninstall | -help | -version | -sockets</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="description">DESCRIPTION</a></h1>
<p>Le programme <strong>stunnel</strong> est conçu pour fonctionner comme une couche
de chiffrement <em>SSL</em> entre des clients distants et des serveurs locaux
(<em>inetd</em>-démarrables) ou distants. Le concept est qu'à partir de daemons
non-SSL présents sur le système, on peut facilement les configurer pour
communiquer avec des clients sur des liens sécurisés SSL.</p>
<p><strong>stunnel</strong> peut être utilisé pour ajouter des fonctionnalités SSL à des
daemons classiques <em>Inetd</em> tels que les serveurs POP-2, POP-3 et IMAP,
à d'autres autonomes tels que NNTP, SMTP et HTTP, ainsi que pour tunneliser
PPP sur des sockets réseau sans modification du code source.</p>
<p>Ce produit inclut du code de chiffrement écrit par
Eric Young (<a href="mailto:eay@cryptsoft.com">eay@cryptsoft.com</a>)</p>
<p>
</p>
<hr />
<h1><a name="options">OPTIONS</a></h1>
<dl>
<dt><strong><a name="fichier" class="item"><strong>[fichier]</strong></a></strong></dt>
<dd>
<p>Utilisation du fichier de configuration spécifié.</p>
</dd>
<dt><strong><a name="fd_n_unix_seulement" class="item"><strong>-fd [n]</strong> (Unix seulement)</a></strong></dt>
<dd>
<p>Lecture du fichier de configuration depuis le descripteur de
fichier indiqué.</p>
</dd>
<dt><strong><a name="help" class="item"><strong>-help</strong></a></strong></dt>
<dd>
<p>Affiche le menu d'aide de <strong>stunnel</strong>.</p>
</dd>
<dt><strong><a name="version" class="item"><strong>-version</strong></a></strong></dt>
<dd>
<p>Affiche la version de <strong>stunnel</strong> et les options de compilation.</p>
</dd>
<dt><strong><a name="sockets" class="item"><strong>-sockets</strong></a></strong></dt>
<dd>
<p>Affiche les options socket par défaut.</p>
</dd>
<dt><strong><a name="install" class="item"><strong>-install</strong> (NT/2000/XP seulement)</a></strong></dt>
<dd>
<p>Installe un service NT.</p>
</dd>
<dt><strong><a name="uninstall" class="item"><strong>-uninstall</strong> (NT/2000/XP only)</a></strong></dt>
<dd>
<p>Désinstalle un service NT.</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="fichier_de_configuration">FICHIER DE CONFIGURATION</a></h1>
<p>Chaque ligne du fichier de configuration peut être soit&nbsp;:</p>
<ul>
<li>
<p>une ligne vide (ignorée)&nbsp;;</p>
</li>
<li>
<p>un commentaire commençant par «&nbsp;#&nbsp;» (ignoré)&nbsp;;</p>
</li>
<li>
<p>une paire «&nbsp;option = valeur&nbsp;»&nbsp;;</p>
</li>
<li>
<p>«&nbsp;[service_name]&nbsp;» indiquant le début de la définition d'un service&nbsp;;</p>
</li>
</ul>
<p>
</p>
<h2><a name="options_globales">OPTIONS GLOBALES</a></h2>
<dl>
<dt><strong><a name="capath_r_pertoire" class="item"><strong>CApath</strong> = répertoire</a></strong></dt>
<dd>
<p>Répertoire des autorités de certification (CA)</p>
<p>C'est le répertoire dans lequel <strong>stunnel</strong> cherche les certificats si
l'on utilise <em>verify</em>. Les certificats doivent être dénommés selon la
forme XXXXXXXX.0, où XXXXXXXX est la valeur de hachage du certificat.</p>
<p>Le cas échéant, le répertoire <em>CApath</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<dt><strong><a name="cafile_fichier" class="item"><strong>CAfile</strong> = fichier</a></strong></dt>
<dd>
<p>Fichier d'autorités de certification</p>
<p>Ce fichier, utilisé avec <em>verify</em>, contient plusieurs certificats de CA.</p>
</dd>
<dt><strong><a name="cert_fichier" class="item"><strong>cert</strong> = fichier</a></strong></dt>
<dd>
<p>Fichier de chaîne de certificats PEM</p>
<p>Une PEM est toujours nécessaire en mode serveur.
En mode client, cette option utilise cette PEM comme une chaîne côté client.
L'utilisation de certificats côté client est optionnelle. Les certificats
doivent être au format PEM et triés par ordre de niveau décroissant (CA racine
en premier).</p>
</dd>
<dt><strong><a name="pertoire" class="item"><strong>chroot</strong> = répertoire (Unix seulement)</a></strong></dt>
<dd>
<p>Répertoire de chroot du processus <strong>stunnel</strong></p>
<p><strong>chroot</strong> enferme <strong>stunnel</strong> dans une cellule chroot. <em>CApath</em>, <em>CRLpath</em>, <em>pid</em>
et <em>exec</em> sont situés à l'intérieur de la cellule et les répertoires doivent être
relatifs au répertoire correspondant.</p>
<p>Pour que le contrôle de libwrap (wrappeur TCP) soit effectif dans un environnement
chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et
/etc/hosts.deny).</p>
</dd>
<dt><strong><a name="ciphers_listes_de_chiffre" class="item"><strong>ciphers</strong> = listes de chiffre</a></strong></dt>
<dd>
<p>Sélection des chiffres SSL autorisés</p>
<p>Liste délimitée par deux-points («&nbsp;:&nbsp;») des chiffres autorisés pour la connexion SSL.
Exemple&nbsp;: DES-CBC3-SHA:IDEA-CBC-MD5</p>
</dd>
<dt><strong><a name="client_yes_no" class="item"><strong>client</strong> = yes | no</a></strong></dt>
<dd>
<p>Mode client (Le service distant utilise SSL)</p>
<p>Par défaut&nbsp;: no (mode server)</p>
</dd>
<dt><strong><a name="crlpath_r_pertoire" class="item"><strong>CRLpath</strong> = répertoire</a></strong></dt>
<dd>
<p>Répertoire des listes de révocation de certificats (CRL)</p>
<p>C'est le répertoire dans lequel <strong>stunnel</strong> recherche les CRL avec
l'option <em>verify</em>. Les CRL doivent être dénommés selon la
forme XXXXXXXX.0 où XXXXXXXX est la valeur de hachage de la CRL.</p>
<p>Le cas échéant, le répertoire <em>CRLpath</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<dt><strong><a name="crlfile_fichier" class="item"><strong>CRLfile</strong> = fichier</a></strong></dt>
<dd>
<p>Fichier de listes de révocation de certificats (CRL)</p>
<p>Ce fichier, utilisé avec <em>verify</em>, contient plusieurs CRL.</p>
</dd>
<dt><strong><a name="debug_facilit_niveau" class="item"><strong>debug</strong> = [facilité.]niveau</a></strong></dt>
<dd>
<p>niveau de déverminage</p>
<p>Le niveau est un nom ou un numéro conforme à ceux de syslog&nbsp;:
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux
numériquement inférieurs seront affichées. <strong>debug = debug</strong> ou
<strong>debug = 7</strong> donneront le maximum d'informations. La valeur par défaut
est notice (5).</p>
<p>La facilité syslog «&nbsp;daemon&nbsp;» est utilisée, sauf si un autre nom est spécifié
(Win32 ne permet pas l'usage des facilités.)</p>
<p>La casse est ignorée, aussi bien pour la facilité que pour le niveau.</p>
</dd>
<dt><strong><a name="chemin" class="item"><strong>EGD</strong> = chemin (Unix seulement)</a></strong></dt>
<dd>
<p>Emplacement du socket du daemon de recueil d'entropie (EGD - Entropy Gathering Daemon)</p>
<p>Socket EGD à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible
seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur).</p>
</dd>
<dt><strong><a name="no" class="item"><strong>foreground</strong> = yes | no (Unix seulement)</a></strong></dt>
<dd>
<p>Mode avant-plan</p>
<p>Reste en avant-plan (sans fork) et dirige la trace sur stderr
au lieu de syslog (sauf si <strong>output</strong> est spécifié).</p>
<p>Par défault&nbsp;: arrière-plan en mode daemon.</p>
</dd>
<dt><strong><a name="key_fichier" class="item"><strong>key</strong> = fichier</a></strong></dt>
<dd>
<p>Fichier de clef privée pour le certificat spécifié par <em>cert</em></p>
<p>La clef privée est nécessaire pour authentifier le titulaire du
certificat.
Puisque ce fichier doit rester secret, il ne doit être lisible que
par son propriétaire. Sur les systèmes Unix, on peut utiliser la
commande suivante&nbsp;:</p>
<pre>
chmod 600 fichier</pre>
<p>Par défault&nbsp;: Valeur de <em>cert</em></p>
</dd>
<dt><strong><a name="options_options_ssl" class="item"><strong>options</strong> = Options_SSL</a></strong></dt>
<dd>
<p>Options de la bibliothèque OpenSSL</p>
<p>Le paramètre est l'option OpenSSL décrite dans la page de man
<em>SSL_CTX_set_options(3ssl)</em>, débarassée du préfixe <em>SSL_OP_</em>.
Plusieurs <em>options</em> peuvent être spécifiées.</p>
<p>Par exemple, pour la compatibilité avec l'implantation SSL défaillante
d'Eudora, on peut utiliser&nbsp;:</p>
<pre>
options = DONT_INSERT_EMPTY_FRAGMENTS</pre>
</dd>
<dt><strong><a name="output_fichier" class="item"><strong>output</strong> = fichier</a></strong></dt>
<dd>
<p>Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.</p>
<p>/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard
(par exemple pour les traiter avec les outils splogger).</p>
</dd>
<dt><strong><strong>pid</strong> = fichier (Unix seulement)</strong></dt>
<dd>
<p>Emplacement du fichier pid</p>
<p>Si l'argument est vide, aucun fichier ne sera créé.</p>
<p>Le cas échéant, le chemin <em>pid</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<dt><strong><a name="rndbytes_nombre" class="item"><strong>RNDbytes</strong> = nombre</a></strong></dt>
<dd>
<p>Nombre d'octets à lire depuis les fichiers de «&nbsp;sel&nbsp;» aléatoire</p>
<p>Avec les SSL de version inférieure à 0.9.5a, détermine aussi le nombre
d'octets considérés comme suffisants pour «&nbsp;saler&nbsp;» le PRNG. Les versions plus
récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire
est suffisant.</p>
</dd>
<dt><strong><a name="rndfile_fichier" class="item"><strong>RNDfile</strong> = fichier</a></strong></dt>
<dd>
<p>chemin du fichier de données de «&nbsp;sel&nbsp;» aléatoire</p>
<p>La bibliothèque SSL utilise prioritairement les données de ce fichier pour
«&nbsp;saler&nbsp;» le générateur d'aléatoire.</p>
</dd>
<dt><strong><a name="rndoverwrite_yes_no" class="item"><strong>RNDoverwrite</strong> = yes | no</a></strong></dt>
<dd>
<p>Recouvre les fichiers de «&nbsp;sel&nbsp;» avec de nouvelles données aléatoires.</p>
<p>Par défaut&nbsp;: yes</p>
</dd>
<dt><strong><a name="service_nom" class="item"><strong>service</strong> = nom</a></strong></dt>
<dd>
<p>Définit le nom de service à utiliser</p>
<p><strong>Sous Unix&nbsp;:</strong> nom de service du mode <em>inetd</em> pour la bibliothèque TCP Wrapper.</p>
<p>Par défaut&nbsp;: stunnel</p>
</dd>
<dt><strong><a name="session_timeout" class="item"><strong>session</strong> = timeout</a></strong></dt>
<dd>
<p>Timeout du cache de session</p>
</dd>
<dt><strong><a name="nom" class="item"><strong>setgid</strong> = nom (Unix seulement)</a></strong></dt>
<dd>
<p>Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)</p>
</dd>
<dt><strong><strong>setuid</strong> = nom (Unix seulement)</strong></dt>
<dd>
<p>Nom d'utilisateur utilisé en mode daemon</p>
</dd>
<dt><strong><a name="socket_a_l_r_option_valeur_valeur" class="item"><strong>socket</strong> = a|l|r:option=valeur[:valeur]</a></strong></dt>
<dd>
<p>Configure une option de socket accept (a), locale (l) ou distante (r)</p>
<p>Les valeurs de l'option linger sont&nbsp;: l_onof:l_linger.
Les valeurs de l'option time sont&nbsp;: tv_sec:tv_usec.</p>
<p>Exemples&nbsp;:</p>
<pre>
socket = l:SO_LINGER=1:60
définit un délai d'une minute pour la clôture des sockets locaux
socket = r:SO_OOBINLINE=yes
Place directement les données hors-bande dans le flux de réception
des sockets distants
socket = a:SO_REUSEADDR=no
désactive la réutilisation d'adresses (activée par défaut)
socket = a:SO_BINDTODEVICE=lo
limite l'acceptation des connexions sur la seule interface de bouclage</pre>
</dd>
<dt><strong><strong>taskbar</strong> = yes | no (WIN32 seulement)</strong></dt>
<dd>
<p>active l'icône de la barre de tâches</p>
<p>Par défaut&nbsp;: yes</p>
</dd>
<dt><strong><a name="verify_niveau" class="item"><strong>verify</strong> = niveau</a></strong></dt>
<dd>
<p>Vérifie le certificat du correspondant</p>
<pre>
niveau 1 - vérifie le certificat s'il est présent
niveau 2 - vérifie le certificat
niveau 3 - contrôle le correspondant avec le certificat local</pre>
<p>Par défaut - pas de vérification</p>
</dd>
</dl>
<p>
</p>
<h2><a name="options_de_service">OPTIONS DE SERVICE</a></h2>
<p>Chaque section de configuration commence par le nom du service entre crochets.
Celui-ci est utilisé par le contrôle d'accès de libwrap (TCP Wrappers) et sert
à distinguer les services <strong>stunnel</strong> dans les fichiers de traces.</p>
<p>Si l'on souhaite utiliser <strong>stunnel</strong> en mode <em>inetd</em> (lorsqu'un socket lui est
fourni par un serveur comme <em>inetd</em>, <em>xinetd</em> ou <em>tcpserver</em>), il faut se
reporter à la section <em>MODE INETD</em> plus bas.</p>
<dl>
<dt><strong><a name="accept_h_te_port" class="item"><strong>accept</strong> = [hôte:]port</a></strong></dt>
<dd>
<p>Accepte des connexions sur le port spécifié</p>
<p>Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses IP de
la machine locale.</p>
</dd>
<dt><strong><a name="connect_h_te_port" class="item"><strong>connect</strong> = [hôte:]port</a></strong></dt>
<dd>
<p>Se connecte au port distant indiqué</p>
<p>Par défaut, l'hôte est localhost.</p>
</dd>
<dt><strong><a name="delay_yes_no" class="item"><strong>delay</strong> = yes | no</a></strong></dt>
<dd>
<p>Retarde la recherche DNS pour l'option «&nbsp;connect&nbsp;»</p>
</dd>
<dt><strong><a name="cutable" class="item"><strong>exec</strong> = chemin_exécutable (Unix seulement)</a></strong></dt>
<dd>
<p>Exécute un programme local de type inetd</p>
<p>Le cas échéant, le chemin <em>exec</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<dt><strong><a name="execargs_0_1_2_unix_seulement" class="item"><strong>execargs</strong> = $0 $1 $2 ... (Unix seulement)</a></strong></dt>
<dd>
<p>Arguments pour <em>exec</em>, y compris le nom du programme ($0)</p>
<p>Les quotes ne peuvent actuellement pas être utilisées.
Les arguments sont séparés par un nombre quelconque d'espaces.</p>
</dd>
<dt><strong><a name="ident_nom" class="item"><strong>ident</strong> = nom</a></strong></dt>
<dd>
<p>Applique le contrôle d'identité d'utilisateur IDENT (<a href="http://www.ietf.org/rfc/rfc1413.txt" class="rfc">RFC 1413</a>)</p>
</dd>
<dt><strong><a name="local_h_te" class="item"><strong>local</strong> = hôte</a></strong></dt>
<dd>
<p>Adresse IP de l'interface de sortie utilisée pour les connexions distantes.
Cette option permet de relier une adresse statique locale.</p>
</dd>
<dt><strong><a name="protocol_protocole" class="item"><strong>protocol</strong> = protocole</a></strong></dt>
<dd>
<p>Négocie avec SSL selon le protocole indiqué</p>
<p>Actuellement gérés&nbsp;: cifs, nntp, pop3, smtp</p>
</dd>
<dt><strong><strong>pty</strong> = yes | no (Unix seulement)</strong></dt>
<dd>
<p>Alloue un pseudo-terminal pour l'option «&nbsp;exec&nbsp;»</p>
</dd>
<dt><strong><a name="timeoutbusy_secondes" class="item"><strong>TIMEOUTbusy</strong> = secondes</a></strong></dt>
<dd>
<p>Durée d'attente de données</p>
</dd>
<dt><strong><a name="timeoutclose_secondes" class="item"><strong>TIMEOUTclose</strong> = secondes</a></strong></dt>
<dd>
<p>Durée d'attente du close_notify (mis à 0 pour MSIE qui est bogué)</p>
</dd>
<dt><strong><a name="timeoutidle_secondes" class="item"><strong>TIMEOUTidle</strong> = secondes</a></strong></dt>
<dd>
<p>Durée d'attente sur une connexion inactive</p>
</dd>
<dt><strong><strong>transparent</strong> = yes | no (Unix seulement)</strong></dt>
<dd>
<p>Mode mandataire transparent</p>
<p>Ré-écrit les adresses pour qu'elles apparaissent provenir de la
machine client SSL plutôt que de celle qui exécute <strong>stunnel</strong>.
Cette option n'est disponible en mode local (option <em>exec</em>) qu'avec
la bibliothèque partagée LD_PRELOADing env.so shared library et en mode
distant (option <em>connect</em>) sur les noyaux Linux 2.2 compilés avec
l'option <em>transparent proxy</em> et seulement en mode serveur. Cette
option ne se combine pas au mode mandataire (<em>connect</em>) sauf si la
route par défaut du client vers la cible passe par l'hôte qui fait
tourner <strong>stunnel</strong>, qui ne peut être localhost.</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="valeur_de_retour">VALEUR DE RETOUR</a></h1>
<p><strong>stunnel</strong> renvoie zéro en cas de succès, une autre valeur en cas d'erreur.</p>
<p>
</p>
<hr />
<h1><a name="exemples">EXEMPLES</a></h1>
<p>Pour encapsuler votre service <em>imapd</em> local avec SSL&nbsp;:</p>
<pre>
[imapd]
accept = 993
exec = /usr/sbin/imapd
execargs = imapd</pre>
<p>Pour tunneliser un daemon <em>pppd</em> sur le port 2020&nbsp;:</p>
<pre>
[vpn]
accept = 2020
exec = /usr/sbin/pppd
execargs = pppd local
pty = yes</pre>
<p>Configuration de <em>stunnel.conf</em> pour utiliser <strong>stunnel</strong> en mode <em>inetd</em>
qui lance imapd à son tour (il ne doit pas y avoir de section <em>[service_name]</em>)&nbsp;:</p>
<pre>
exec = /usr/sbin/imapd
execargs = imapd</pre>
<p>
</p>
<hr />
<h1><a name="fichiers">FICHIERS</a></h1>
<dl>
<dt><strong><a name="stunnel_conf" class="item"><em class="file">stunnel.conf</em></a></strong></dt>
<dd>
<p>Fichier de configuration de <strong>stunnel</strong></p>
</dd>
<dt><strong><a name="stunnel_pem" class="item"><em class="file">stunnel.pem</em></a></strong></dt>
<dd>
<p>Certificat et clef privée de <strong>stunnel</strong></p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="bogues">BOGUES</a></h1>
<p>L'option <em>execargs</em> n'admet pas les quotes.</p>
<p>
</p>
<hr />
<h1><a name="restrictions">RESTRICTIONS</a></h1>
<p><strong>stunnel</strong> ne peut être utilisé pour le daemon FTP en raison de la nature
du protocole FTP qui utilise des ports multiples pour les transferts de données.
Il existe cependant des versions SSL de FTP et de telnet.</p>
<p>
</p>
<hr />
<h1><a name="notes">NOTES</a></h1>
<p>
</p>
<h2><a name="mode_inetd">MODE INETD</a></h2>
<p>L'utilisation la plus commune de <strong>stunnel</strong> consiste à écouter un port
réseau et à établir une communication, soit avec un nouveau port
avec l'option <em>connect</em>, soit avec un programme avec l'option <em>exec</em>.
On peut parfois cependant souhaiter qu'un autre programme reçoive les
connexions entrantes et lance <strong>stunnel</strong>, par exemple avec <em>inetd</em>,
<em>xinetd</em> ou <em>tcpserver</em>.</p>
<p>Si, par exemple, la ligne suivante se trouve dans <em>inetd.conf</em>&nbsp;:</p>
<pre>
imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf</pre>
<p>Dans ces cas, c'est le programme du genre <em>inetd</em>-style qui est
responsable de l'établissement de la connexion (<em>imaps</em> ci-dessus) et de passer
celle-ci à <strong>stunnel</strong>.
Ainsi, <strong>stunnel</strong> ne doit alors avoir aucune option <em>accept</em>.
Toutes les <em>options de niveau service</em> doivent être placées dans
la section des options globales et aucune section <em>[service_name]</em> ne doit
être présente. Voir la section <em>EXEMPLES</em> pour des exemples de configurations.</p>
<p>
</p>
<h2><a name="certificats">CERTIFICATS</a></h2>
<p>Chaque daemon à propriétés SSL doit présenter un certificat X.509
valide à son interlocuteur. Il a aussi besoin d'une clef privé pour
déchiffrer les données entrantes. La méthode la plus simple pour
obtenir un certificat et une clef est d'engendrer celles-ci avec
le paquetage libre <em>OpenSSL</em>. Plus d'informations sur la génération de
certificats se trouvent dans les pages indiquées plus bas.</p>
<p>Deux choses importantes lors de la génération de paires certificat-clef
pour <strong>stunnel</strong>&nbsp;:</p>
<ul>
<li>
<p>la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen
d'obtenir le mot de passe de l'utilisateur&nbsp;; pour produire une clef non chiffrée,
ajouter l'option <em>-nodes</em> à la commande <strong>req</strong> de <em>OpenSSL</em>&nbsp;;</p>
</li>
<li>
<p>l'ordre du contenu du fichier <em>.pem</em> est significatif&nbsp;: il doit contenir d'abord
une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat).
Il doit aussi y avoir des lignes vides après le certificat et après la clef privée.
L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que
le fichier ait l'allure suivante&nbsp;:</p>
<pre>
-----BEGIN RSA PRIVATE KEY-----
[clef encodée]
-----END RSA PRIVATE KEY-----
[ligne vide]
-----BEGIN CERTIFICATE-----
[certificat encodé]
-----END CERTIFICATE-----
[ligne vide]</pre>
</li>
</ul>
<p>
</p>
<h2><a name="aleatoire">ALEATOIRE</a></h2>
<p><strong>stunnel</strong> doit «&nbsp;saler&nbsp;» le générateur de pseudo-aléatoires PRNG (pseudo random
number generator) afin que SSL utilise un aléatoire de qualité. Les sources suivantes
sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lue&nbsp;:</p>
<ul>
<li>
<p>le fichier spécifié par <em>RNDfile</em>&nbsp;;</p>
</li>
<li>
<p>le fichier spécifié par la variable d'environnement RANDFILE, à défaut
le fichier .rnd du répertoire $HOME de l'utilisateur&nbsp;;</p>
</li>
<li>
<p>le fichier spécifié par «&nbsp;--with-random&nbsp;» lors de la compilation&nbsp;;</p>
</li>
<li>
<p>le contenu de l'écran (MS-Windows seulement)&nbsp;;</p>
</li>
<li>
<p>le socket EGD spécifié par <em>EGD</em>&nbsp;;</p>
</li>
<li>
<p>le socket EGD spécifié par «&nbsp;--with-egd-sock&nbsp;» lors de la compilation&nbsp;;</p>
</li>
<li>
<p>le périphérique /dev/urandom.</p>
</li>
</ul>
<p>Avec un OpenSSL récent (&gt;=OpenSSL 0.9.5a) le chargement de données s'arrête
automatiquement lorsqu'un niveau d'entropie suffisant est atteint.
Les versions précédentes continuent à lire toutes les sources puisqu'aucune
fonction SSL ne leur permet de savoir que suffisamment de données sont disponibles.</p>
<p>Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console,
(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est
pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire
par le biais de <em>RNDfile</em>.</p>
<p>Le fichier spécifié par <em>RNDfile</em> doit contenir des informations aléatoires --
c'est-à-dire des informations différentes à chaque lancement de <strong>stunnel</strong>.
Cela est géré automatiquement sauf si l'option <em>RNDoverwrite</em> est utilisée.
Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la
commande <em>openssl rand</em> des versions récentes d'OpenSSL sera sans doute utile.</p>
<p>Note importante&nbsp;: si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser
celui-ci pour «&nbsp;saler&nbsp;» le PRNG même lorsqu'il contrôle l'état de l'aléatoire&nbsp;;
ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable
qu'il soit utilisé s'il est présent.
Ce n'est pas le comportement de <strong>stunnel</strong>, c'est celui d'OpenSSL.</p>
<p>
</p>
<hr />
<h1><a name="voir_aussi">VOIR AUSSI</a></h1>
<dl>
<dt><strong><a name="tcpd" class="item"><a href="#tcpd">tcpd(8)</a></a></strong></dt>
<dd>
<p>Service de contrôle d'accès pour les services internet</p>
</dd>
<dt><strong><a name="inetd" class="item"><a href="#inetd">inetd(8)</a></a></strong></dt>
<dd>
<p>«&nbsp;super-serveur&nbsp;» internet</p>
</dd>
<dt><strong><a name="http_www_stunnel_org" class="item"><em class="file"><a href="http://www.stunnel.org/">http://www.stunnel.org/</a></em></a></strong></dt>
<dd>
<p>Page de référence de <strong>stunnel</strong></p>
</dd>
<dt><strong><a name="http_www_openssl_org" class="item"><em class="file"><a href="http://www.openssl.org/">http://www.openssl.org/</a></em></a></strong></dt>
<dd>
<p>Site web du projet OpenSSL</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="auteur">AUTEUR</a></h1>
<dl>
<dt><strong><a name="micha_trojnara" class="item">Michał Trojnara</a></strong></dt>
<dd>
<p>&lt;<em class="file"><a href="mailto:Michal.Trojnara@mirt.net">Michal.Trojnara@mirt.net</a></em>&gt;</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="adaptation_fran__aise">ADAPTATION FRANÇAISE</a></h1>
<dl>
<dt><strong><a name="bernard_choppy" class="item">Bernard Choppy</a></strong></dt>
<dd>
<p>&lt;<em class="file">choppy AT free POINT fr</em>&gt;</p>
</dd>
</dl>
</body>
</html>
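Review bot: this French HTML page is generated output (Pod::Html markup) and its POD source is deleted in the next hunk, so the two must stay in step; the HTML here still carries the author's old mirt.net address and the 4.53-era option set (verify levels 1-3 with no verification by default, transparent mode limited to Linux 2.2 kernels), which shows it was produced from an outdated source and should be regenerated rather than edited by hand if it is ever kept. Also check that the build and the packaging file lists no longer reference this page, since only doc/stunnel.html.in appears as a new documentation file in this diff.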


@ -1,636 +0,0 @@
=head1 NOM
=encoding utf8
stunnel - tunnel SSL universel
=head1 SYNOPSIS
=over 4
=item B<Unix:>
B<stunnel> S<[fichier]> | S<-fd [n]> | S<-help> | S<-version> | S<-sockets>
=item B<WIN32:>
B<stunnel> S<[fichier]> | S<-install> | S<-uninstall> | S<-help> | S<-version> | S<-sockets>
=back
=head1 DESCRIPTION
Le programme B<stunnel> est conçu pour fonctionner comme une couche
de chiffrement I<SSL> entre des clients distants et des serveurs locaux
(I<inetd>-démarrables) ou distants. Le concept est qu'à partir de daemons
non-SSL présents sur le système, on peut facilement les configurer pour
communiquer avec des clients sur des liens sécurisés SSL.
B<stunnel> peut être utilisé pour ajouter des fonctionnalités SSL à des
daemons classiques I<Inetd> tels que les serveurs POP-2, POP-3 et IMAP,
à d'autres autonomes tels que NNTP, SMTP et HTTP, ainsi que pour tunneliser
PPP sur des sockets réseau sans modification du code source.
Ce produit inclut du code de chiffrement écrit par
Eric Young (eay@cryptsoft.com)
=head1 OPTIONS
=over 4
=item B<[fichier]>
Utilisation du fichier de configuration spécifié.
=item B<-fd [n]> (Unix seulement)
Lecture du fichier de configuration depuis le descripteur de
fichier indiqué.
=item B<-help>
Affiche le menu d'aide de B<stunnel>.
=item B<-version>
Affiche la version de B<stunnel> et les options de compilation.
=item B<-sockets>
Affiche les options socket par défaut.
=item B<-install> (NT/2000/XP seulement)
Installe un service NT.
=item B<-uninstall> (NT/2000/XP only)
Désinstalle un service NT.
=back
=head1 FICHIER DE CONFIGURATION
Chaque ligne du fichier de configuration peut être soitE<nbsp>:
=over 4
=item *
une ligne vide (ignorée)E<nbsp>;
=item *
un commentaire commençant par «E<nbsp>#E<nbsp>» (ignoré)E<nbsp>;
=item *
une paire «E<nbsp>option = valeurE<nbsp>»E<nbsp>;
=item *
«E<nbsp>[service_name]E<nbsp>» indiquant le début de la définition d'un serviceE<nbsp>;
=back
=head2 OPTIONS GLOBALES
=over 4
=item B<CApath> = répertoire
Répertoire des autorités de certification (CA)
C'est le répertoire dans lequel B<stunnel> cherche les certificats si
l'on utilise I<verify>. Les certificats doivent être dénommés selon la
forme XXXXXXXX.0, où XXXXXXXX est la valeur de hachage du certificat.
Le cas échéant, le répertoire I<CApath> est relatif au répertoire I<chroot>.
=item B<CAfile> = fichier
Fichier d'autorités de certification
Ce fichier, utilisé avec I<verify>, contient plusieurs certificats de CA.
=item B<cert> = fichier
Fichier de chaîne de certificats PEM
Une PEM est toujours nécessaire en mode serveur.
En mode client, cette option utilise cette PEM comme une chaîne côté client.
L'utilisation de certificats côté client est optionnelle. Les certificats
doivent être au format PEM et triés par ordre de niveau décroissant (CA racine
en premier).
=item B<chroot> = répertoire (Unix seulement)
Répertoire de chroot du processus B<stunnel>
B<chroot> enferme B<stunnel> dans une cellule chroot. I<CApath>, I<CRLpath>, I<pid>
et I<exec> sont situés à l'intérieur de la cellule et les répertoires doivent être
relatifs au répertoire correspondant.
Pour que le contrôle de libwrap (wrappeur TCP) soit effectif dans un environnement
chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et
/etc/hosts.deny).
=item B<ciphers> = listes de chiffre
Sélection des chiffres SSL autorisés
Liste délimitée par deux-points («E<nbsp>:E<nbsp>») des chiffres autorisés pour la connexion SSL.
ExempleE<nbsp>: DES-CBC3-SHA:IDEA-CBC-MD5
=item B<client> = yes | no
Mode client (Le service distant utilise SSL)
Par défautE<nbsp>: no (mode server)
=item B<CRLpath> = répertoire
Répertoire des listes de révocation de certificats (CRL)
C'est le répertoire dans lequel B<stunnel> recherche les CRL avec
l'option I<verify>. Les CRL doivent être dénommés selon la
forme XXXXXXXX.0 où XXXXXXXX est la valeur de hachage de la CRL.
Le cas échéant, le répertoire I<CRLpath> est relatif au répertoire I<chroot>.
=item B<CRLfile> = fichier
Fichier de listes de révocation de certificats (CRL)
Ce fichier, utilisé avec I<verify>, contient plusieurs CRL.
=item B<debug> = [facilité.]niveau
niveau de déverminage
Le niveau est un nom ou un numéro conforme à ceux de syslogE<nbsp>:
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux
numériquement inférieurs seront affichées. B<debug = debug> ou
B<debug = 7> donneront le maximum d'informations. La valeur par défaut
est notice (5).
La facilité syslog «E<nbsp>daemonE<nbsp>» est utilisée, sauf si un autre nom est spécifié
(Win32 ne permet pas l'usage des facilités.)
La casse est ignorée, aussi bien pour la facilité que pour le niveau.
=item B<EGD> = chemin (Unix seulement)
Emplacement du socket du daemon de recueil d'entropie (EGD - Entropy Gathering Daemon)
Socket EGD à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible
seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur).
=item B<foreground> = yes | no (Unix seulement)
Mode avant-plan
Reste en avant-plan (sans fork) et dirige la trace sur stderr
au lieu de syslog (sauf si B<output> est spécifié).
Par défaultE<nbsp>: arrière-plan en mode daemon.
=item B<key> = fichier
Fichier de clef privée pour le certificat spécifié par I<cert>
La clef privée est nécessaire pour authentifier le titulaire du
certificat.
Puisque ce fichier doit rester secret, il ne doit être lisible que
par son propriétaire. Sur les systèmes Unix, on peut utiliser la
commande suivanteE<nbsp>:
chmod 600 fichier
Par défaultE<nbsp>: Valeur de I<cert>
=item B<options> = Options_SSL
Options de la bibliothèque OpenSSL
Le paramètre est l'option OpenSSL décrite dans la page de man
I<SSL_CTX_set_options(3ssl)>, débarassée du préfixe I<SSL_OP_>.
Plusieurs I<options> peuvent être spécifiées.
Par exemple, pour la compatibilité avec l'implantation SSL défaillante
d'Eudora, on peut utiliserE<nbsp>:
options = DONT_INSERT_EMPTY_FRAGMENTS
=item B<output> = fichier
Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.
/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard
(par exemple pour les traiter avec les outils splogger).
=item B<pid> = fichier (Unix seulement)
Emplacement du fichier pid
Si l'argument est vide, aucun fichier ne sera créé.
Le cas échéant, le chemin I<pid> est relatif au répertoire I<chroot>.
=item B<RNDbytes> = nombre
Nombre d'octets à lire depuis les fichiers de «E<nbsp>selE<nbsp>» aléatoire
Avec les SSL de version inférieure à 0.9.5a, détermine aussi le nombre
d'octets considérés comme suffisants pour «E<nbsp>salerE<nbsp>» le PRNG. Les versions plus
récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire
est suffisant.
=item B<RNDfile> = fichier
chemin du fichier de données de «E<nbsp>selE<nbsp>» aléatoire
La bibliothèque SSL utilise prioritairement les données de ce fichier pour
«E<nbsp>salerE<nbsp>» le générateur d'aléatoire.
=item B<RNDoverwrite> = yes | no
Recouvre les fichiers de «E<nbsp>selE<nbsp>» avec de nouvelles données aléatoires.
Par défautE<nbsp>: yes
=item B<service> = nom
Définit le nom de service à utiliser
B<Sous UnixE<nbsp>:> nom de service du mode I<inetd> pour la bibliothèque TCP Wrapper.
Par défautE<nbsp>: stunnel
=item B<session> = timeout
Timeout du cache de session
=item B<setgid> = nom (Unix seulement)
Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)
=item B<setuid> = nom (Unix seulement)
Nom d'utilisateur utilisé en mode daemon
=item B<socket> = a|l|r:option=valeur[:valeur]
Configure une option de socket accept (a), locale (l) ou distante (r)
Les valeurs de l'option linger sontE<nbsp>: l_onof:l_linger.
Les valeurs de l'option time sontE<nbsp>: tv_sec:tv_usec.
ExemplesE<nbsp>:
socket = l:SO_LINGER=1:60
définit un délai d'une minute pour la clôture des sockets locaux
socket = r:SO_OOBINLINE=yes
Place directement les données hors-bande dans le flux de réception
des sockets distants
socket = a:SO_REUSEADDR=no
désactive la réutilisation d'adresses (activée par défaut)
socket = a:SO_BINDTODEVICE=lo
limite l'acceptation des connexions sur la seule interface de bouclage
=item B<taskbar> = yes | no (WIN32 seulement)
active l'icône de la barre de tâches
Par défautE<nbsp>: yes
=item B<verify> = niveau
Vérifie le certificat du correspondant
niveau 1 - vérifie le certificat s'il est présent
niveau 2 - vérifie le certificat
niveau 3 - contrôle le correspondant avec le certificat local
Par défaut - pas de vérification
=back
=head2 OPTIONS DE SERVICE
Chaque section de configuration commence par le nom du service entre crochets.
Celui-ci est utilisé par le contrôle d'accès de libwrap (TCP Wrappers) et sert
à distinguer les services B<stunnel> dans les fichiers de traces.
Si l'on souhaite utiliser B<stunnel> en mode I<inetd> (lorsqu'un socket lui est
fourni par un serveur comme I<inetd>, I<xinetd> ou I<tcpserver>), il faut se
reporter à la section I<MODE INETD> plus bas.
=over 4
=item B<accept> = [hôte:]port
Accepte des connexions sur le port spécifié
Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses IP de
la machine locale.
=item B<connect> = [hôte:]port
Se connecte au port distant indiqué
Par défaut, l'hôte est localhost.
=item B<delay> = yes | no
Retarde la recherche DNS pour l'option «E<nbsp>connectE<nbsp>»
=item B<exec> = chemin_exécutable (Unix seulement)
Exécute un programme local de type inetd
Le cas échéant, le chemin I<exec> est relatif au répertoire I<chroot>.
=item B<execargs> = $0 $1 $2 ... (Unix seulement)
Arguments pour I<exec>, y compris le nom du programme ($0)
Les quotes ne peuvent actuellement pas être utilisées.
Les arguments sont séparés par un nombre quelconque d'espaces.
=item B<ident> = nom
Applique le contrôle d'identité d'utilisateur IDENT (RFC 1413)
=item B<local> = hôte
Adresse IP de l'interface de sortie utilisée pour les connexions distantes.
Cette option permet de relier une adresse statique locale.
=item B<protocol> = protocole
Négocie avec SSL selon le protocole indiqué
Actuellement gérésE<nbsp>: cifs, nntp, pop3, smtp
=item B<pty> = yes | no (Unix seulement)
Alloue un pseudo-terminal pour l'option «E<nbsp>execE<nbsp>»
=item B<TIMEOUTbusy> = secondes
Durée d'attente de données
=item B<TIMEOUTclose> = secondes
Durée d'attente du close_notify (mis à 0 pour MSIE qui est bogué)
=item B<TIMEOUTidle> = secondes
Durée d'attente sur une connexion inactive
=item B<transparent> = yes | no (Unix seulement)
Mode mandataire transparent
Ré-écrit les adresses pour qu'elles apparaissent provenir de la
machine client SSL plutôt que de celle qui exécute B<stunnel>.
Cette option n'est disponible en mode local (option I<exec>) qu'avec
la bibliothèque partagée LD_PRELOADing env.so shared library et en mode
distant (option I<connect>) sur les noyaux Linux 2.2 compilés avec
l'option I<transparent proxy> et seulement en mode serveur. Cette
option ne se combine pas au mode mandataire (I<connect>) sauf si la
route par défaut du client vers la cible passe par l'hôte qui fait
tourner B<stunnel>, qui ne peut être localhost.
=back
=head1 VALEUR DE RETOUR
B<stunnel> renvoie zéro en cas de succès, une autre valeur en cas d'erreur.
=head1 EXEMPLES
Pour encapsuler votre service I<imapd> local avec SSLE<nbsp>:
[imapd]
accept = 993
exec = /usr/sbin/imapd
execargs = imapd
Pour tunneliser un daemon I<pppd> sur le port 2020E<nbsp>:
[vpn]
accept = 2020
exec = /usr/sbin/pppd
execargs = pppd local
pty = yes
Configuration de I<stunnel.conf> pour utiliser B<stunnel> en mode I<inetd>
qui lance imapd à son tour (il ne doit pas y avoir de section I<[service_name]>)E<nbsp>:
exec = /usr/sbin/imapd
execargs = imapd
=head1 FICHIERS
=over 4
=item F<stunnel.conf>
Fichier de configuration de B<stunnel>
=item F<stunnel.pem>
Certificat et clef privée de B<stunnel>
=back
=head1 BOGUES
L'option I<execargs> n'admet pas les quotes.
=head1 RESTRICTIONS
B<stunnel> ne peut être utilisé pour le daemon FTP en raison de la nature
du protocole FTP qui utilise des ports multiples pour les transferts de données.
Il existe cependant des versions SSL de FTP et de telnet.
=head1 NOTES
=head2 MODE INETD
L'utilisation la plus commune de B<stunnel> consiste à écouter un port
réseau et à établir une communication, soit avec un nouveau port
avec l'option I<connect>, soit avec un programme avec l'option I<exec>.
On peut parfois cependant souhaiter qu'un autre programme reçoive les
connexions entrantes et lance B<stunnel>, par exemple avec I<inetd>,
I<xinetd> ou I<tcpserver>.
Si, par exemple, la ligne suivante se trouve dans I<inetd.conf>E<nbsp>:
imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
Dans ces cas, c'est le programme du genre I<inetd>-style qui est
responsable de l'établissement de la connexion (I<imaps> ci-dessus) et de passer
celle-ci à B<stunnel>.
Ainsi, B<stunnel> ne doit alors avoir aucune option I<accept>.
Toutes les I<options de niveau service> doivent être placées dans
la section des options globales et aucune section I<[service_name]> ne doit
être présente. Voir la section I<EXEMPLES> pour des exemples de configurations.
=head2 CERTIFICATS
Chaque daemon à propriétés SSL doit présenter un certificat X.509
valide à son interlocuteur. Il a aussi besoin d'une clef privé pour
déchiffrer les données entrantes. La méthode la plus simple pour
obtenir un certificat et une clef est d'engendrer celles-ci avec
le paquetage libre I<OpenSSL>. Plus d'informations sur la génération de
certificats se trouvent dans les pages indiquées plus bas.
Deux choses importantes lors de la génération de paires certificat-clef
pour B<stunnel>E<nbsp>:
=over 4
=item *
la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen
d'obtenir le mot de passe de l'utilisateurE<nbsp>; pour produire une clef non chiffrée,
ajouter l'option I<-nodes> à la commande B<req> de I<OpenSSL>E<nbsp>;
=item *
l'ordre du contenu du fichier I<.pem> est significatifE<nbsp>: il doit contenir d'abord
une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat).
Il doit aussi y avoir des lignes vides après le certificat et après la clef privée.
L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que
le fichier ait l'allure suivanteE<nbsp>:
-----BEGIN RSA PRIVATE KEY-----
[clef encodée]
-----END RSA PRIVATE KEY-----
[ligne vide]
-----BEGIN CERTIFICATE-----
[certificat encodé]
-----END CERTIFICATE-----
[ligne vide]
=back
=head2 ALEATOIRE
B<stunnel> doit «E<nbsp>salerE<nbsp>» le générateur de pseudo-aléatoires PRNG (pseudo random
number generator) afin que SSL utilise un aléatoire de qualité. Les sources suivantes
sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lueE<nbsp>:
=over 4
=item *
le fichier spécifié par I<RNDfile>E<nbsp>;
=item *
le fichier spécifié par la variable d'environnement RANDFILE, à défaut
le fichier .rnd du répertoire $HOME de l'utilisateurE<nbsp>;
=item *
le fichier spécifié par «E<nbsp>--with-randomE<nbsp>» lors de la compilationE<nbsp>;
=item *
le contenu de l'écran (MS-Windows seulement)E<nbsp>;
=item *
le socket EGD spécifié par I<EGD>E<nbsp>;
=item *
le socket EGD spécifié par «E<nbsp>--with-egd-sockE<nbsp>» lors de la compilationE<nbsp>;
=item *
le périphérique /dev/urandom.
=back
Avec un OpenSSL récent (>=OpenSSL 0.9.5a) le chargement de données s'arrête
automatiquement lorsqu'un niveau d'entropie suffisant est atteint.
Les versions précédentes continuent à lire toutes les sources puisqu'aucune
fonction SSL ne leur permet de savoir que suffisamment de données sont disponibles.
Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console,
(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est
pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire
par le biais de I<RNDfile>.
Le fichier spécifié par I<RNDfile> doit contenir des informations aléatoires --
c'est-à-dire des informations différentes à chaque lancement de B<stunnel>.
Cela est géré automatiquement sauf si l'option I<RNDoverwrite> est utilisée.
Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la
commande I<openssl rand> des versions récentes d'OpenSSL sera sans doute utile.
Note importanteE<nbsp>: si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser
celui-ci pour «E<nbsp>salerE<nbsp>» le PRNG même lorsqu'il contrôle l'état de l'aléatoireE<nbsp>;
ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable
qu'il soit utilisé s'il est présent.
Ce n'est pas le comportement de B<stunnel>, c'est celui d'OpenSSL.
=head1 VOIR AUSSI
=over 4
=item L<tcpd(8)>
Service de contrôle d'accès pour les services internet
=item L<inetd(8)>
«E<nbsp>super-serveurE<nbsp>» internet
=item F<http://www.stunnel.org/>
Page de référence de B<stunnel>
=item F<http://www.openssl.org/>
Site web du projet OpenSSL
=back
=head1 AUTEUR
=over 4
=item Michał Trojnara
<F<Michal.Trojnara@mirt.net>>
=back
=head1 ADAPTATION FRANÇAISE
=over 4
=item Bernard Choppy
<F<choppy AT free POINT fr>>
=back
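Review bot: the French POD is deleted without a replacement translation anywhere in this diff (the only added documentation file is doc/stunnel.html.in, whose contents are suppressed), so confirm that the documentation build and the packaging lists no longer reference stunnel.fr.pod or the man page generated from it, otherwise the build fails on the missing source. Worth noting for whoever maintains a translation: the removed text carried guidance with security weight that a French-only reader now loses, namely that the private key must be stored unencrypted (`-nodes`) and readable only by its owner (`chmod 600 fichier`), that verify is off by default, and that OpenSSL uses /dev/urandom when present regardless of its position in the RNDfile/EGD source list.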

File diff suppressed because it is too large

1625
doc/stunnel.html.in Normal file

File diff suppressed because it is too large


@ -1,967 +0,0 @@
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\" ========================================================================
.\"
.IX Title "STUNNEL.PL 8"
.TH STUNNEL.PL 8 "2012.01.14" "4.53" "stunnel"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
.IX Header "NAME"
stunnel \- universal \s-1SSL\s0 tunnel
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.IP "\fBUnix:\fR" 4
.IX Item "Unix:"
\&\fBstunnel\fR [<file>] | \-fd n | \-help | \-version | \-sockets
.IP "\fB\s-1WIN32:\s0\fR" 4
.IX Item "WIN32:"
\&\fBstunnel\fR [ [\-install | \-uninstall | \-start | \-stop ] | \-exit]
[\-quiet] [<file>] ] | \-help | \-version | \-sockets
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBstunnel\fR program is designed to wrap connections between remote
clients and local or remote servers in the \fI\s-1SSL\s0\fR protocol.
A local server here means an application designed to be started
by \fIinetd\fR.
Stunnel makes it simple to let servers that have no \fI\s-1SSL\s0\fR
functionality of their own communicate over secure \fI\s-1SSL\s0\fR channels.
.PP
\&\fBstunnel\fR can add \fI\s-1SSL\s0\fR functionality to commonly used
\&\fIinetd\fR daemons such as \fIpop3\fR or \fIimap\fR, to standalone daemons
such as \fInntp\fR, \fIsmtp\fR or \fIhttp\fR, and can even tunnel ppp over network
sockets, all without changes to the source code.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "<\fBfile\fR>" 4
.IX Item "<file>"
use the specified configuration file
.IP "\fB\-fd n\fR (Unix only)" 4
.IX Item "-fd n (Unix only)"
read the configuration from the specified file descriptor
.IP "\fB\-help\fR" 4
.IX Item "-help"
print the list of supported options
.IP "\fB\-version\fR" 4
.IX Item "-version"
print the program version and the default parameter values
.IP "\fB\-sockets\fR" 4
.IX Item "-sockets"
print the default socket options
.IP "\fB\-install\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-install (NT/2000/XP only)"
install the \s-1NT\s0 service
.IP "\fB\-uninstall\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-uninstall (NT/2000/XP only)"
uninstall the \s-1NT\s0 service
.IP "\fB\-start\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-start (NT/2000/XP only)"
start the \s-1NT\s0 service
.IP "\fB\-stop\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-stop (NT/2000/XP only)"
stop the \s-1NT\s0 service
.IP "\fB\-exit\fR (Win32 only)" 4
.IX Item "-exit (Win32 only)"
stop the running program
.IP "\fB\-quiet\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-quiet (NT/2000/XP only)"
do not display the message box reporting a successful installation or
uninstallation
.SH "CONFIGURATION FILE"
.IX Header "CONFIGURATION FILE"
A line in the configuration file may be:
.IP "\(bu" 4
empty (ignored)
.IP "\(bu" 4
a comment starting with the ';' character (ignored)
.IP "\(bu" 4
an 'option_name = option_value' pair
.IP "\(bu" 4
the text '[service_name]' marking the start of a service definition
.PP
An address parameter may be:
.IP "\(bu" 4
a port number
.IP "\(bu" 4
a colon-separated pair of an address (IPv4, IPv6 or a domain name) and a port number
.IP "\(bu" 4
a path to a Unix socket (Unix only)
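.PP
The line grammar and the address forms above, as an added example in Python
(this is not stunnel's own parser): it classifies the four line kinds, keeps
repeated options such as \fIconnect\fR as lists, decodes the three address
forms, and cross-checks the 'sni = master_service:server_name' link between
services. The SAMPLE_CONF text is constructed for this example.

```python
"""Parse the stunnel.conf line grammar and address forms (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Service:
    name: str
    options: Dict[str, List[str]] = field(default_factory=dict)


@dataclass
class Config:
    globals: Dict[str, List[str]] = field(default_factory=dict)
    services: Dict[str, Service] = field(default_factory=dict)


@dataclass(frozen=True)
class Address:
    kind: str                    # "port", "inet" or "unix"
    host: Optional[str] = None   # None: all local IPv4 addresses / local server
    port: Optional[int] = None
    path: Optional[str] = None


def parse_config(text: str) -> Config:
    cfg = Config()
    current = cfg.globals        # options before the first [section] are global
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue             # empty line or comment: ignored
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            if not name or name in cfg.services:
                raise ValueError(f"line {lineno}: bad or duplicate section {line!r}")
            cfg.services[name] = Service(name)
            current = cfg.services[name].options
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'name = value': {raw!r}")
        # connect, engineCtrl, sni, OCSPflag ... may be repeated, so every
        # option is stored as a list in file order.
        current.setdefault(key.strip(), []).append(value.strip())
    return cfg


def parse_address(spec: str) -> Address:
    spec = spec.strip()
    if spec.isdigit():
        return Address("port", port=int(spec))
    if spec.startswith("/"):
        return Address("unix", path=spec)      # Unix socket path (Unix only)
    # address:port; the port follows the LAST colon so that an IPv6 literal
    # such as ':::993' (all IPv6 addresses, port 993) keeps its colons.
    host, sep, port = spec.rpartition(":")
    if not sep or not port.isdigit():
        # Service names from /etc/services are not resolved in this example.
        raise ValueError(f"not an address: {spec!r}")
    return Address("inet", host=host or None, port=int(port))


def check_sni(cfg: Config) -> List[str]:
    """Problems with 'sni = master:server_name' links (server-mode form only)."""
    problems = []
    for svc in cfg.services.values():
        for value in svc.options.get("sni", []):
            if ":" not in value:
                continue         # client-mode form 'sni = server_name'
            master_name = value.partition(":")[0]
            master = cfg.services.get(master_name)
            if master is None:
                problems.append(f"[{svc.name}]: sni refers to unknown service {master_name!r}")
                continue
            if "accept" not in master.options:
                problems.append(f"[{master.name}]: sni master has no accept option")
            for s in (master, svc):
                if s.options.get("client", ["no"])[-1].lower() == "yes":
                    problems.append(f"[{s.name}]: client = yes is not allowed with sni")
    return problems


# Constructed sample configuration (not a real deployment).
SAMPLE_CONF = """\
; global options
debug = notice
output = /var/log/stunnel.log

[imaps]
accept = 993
connect = 143

[www]
accept = 443
connect = 127.0.0.1:8080
connect = 127.0.0.1:8081

[vhost]
sni = www:one.example.com
connect = 127.0.0.1:8082

[broken]
sni = nosuch:two.example.com
connect = 8083
"""
```

Run \fBcheck_sni(parse_config(SAMPLE_CONF))\fR to see the dangling master reference in the constructed \fI[broken]\fR section reported; the \fI[vhost]\fR section passes because its master \fI[www]\fR has an \fIaccept\fR option and neither side is in client mode.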
.SS "\s-1GLOBAL\s0 \s-1OPTIONS\s0"
.IX Subsection "GLOBAL OPTIONS"
.IP "\fBchroot\fR = directory (Unix only)" 4
.IX Item "chroot = directory (Unix only)"
directory to chroot the \fBstunnel\fR process into
.Sp
The option specifies the directory the \fBstunnel\fR process is confined to
immediately after its initialization and before it starts accepting
connections. The paths given in the \fICApath\fR, \fICRLpath\fR, \fIpid\fR
and \fIexec\fR options must be located inside the directory given in the
\&\fIchroot\fR option and specified relative to that directory.
.IP "\fBcompression\fR = deflate | zlib | rle" 4
.IX Item "compression = deflate | zlib | rle"
selects the compression algorithm for the transferred data
.Sp
default: no compression
.Sp
The deflate algorithm is the standard compression method according to \s-1RFC\s0 1951.
.Sp
The zlib compression implemented in OpenSSL 0.9.8 and later is not
compatible with the OpenSSL 0.9.7 implementation.
.Sp
The rle compression is not implemented in current versions of OpenSSL.
.IP "\fBdebug\fR = level[.facility]" 4
.IX Item "debug = level[.facility]"
logging verbosity
.Sp
The logging level can be given as one of the names or numbers:
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6) or debug (7).
Messages with a level numerically lower than or equal to the specified one are logged.
Use \fIdebug = debug\fR or \fIdebug = 7\fR for the greatest verbosity.
The default level is notice (5).
.Sp
Unless a facility is specified, the default facility daemon is used.
Facilities are not supported on the Win32 platform.
.Sp
Case is ignored for both the level and the facility.
.IP "\fB\s-1EGD\s0\fR = EGD_path (Unix only)" 4
.IX Item "EGD = EGD_path (Unix only)"
path to the Entropy Gathering Daemon socket
.Sp
The option specifies the path to the Entropy Gathering Daemon socket used
to seed the OpenSSL pseudo-random number generator. The option is available
with OpenSSL 0.9.5a or later.
.IP "\fBengine\fR = auto | <engine id>" 4
.IX Item "engine = auto | <engine id>"
selects a hardware cryptographic engine
.Sp
default: no cryptographic engine is used
.Sp
An example configuration that reads the private key from an
OpenSC-compatible device:
.Sp
.Vb 7
\& engine=dynamic
\& engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so
\& engineCtrl=ID:pkcs11
\& engineCtrl=LIST_ADD:1
\& engineCtrl=LOAD
\& engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc\-pkcs11.so
\& engineCtrl=INIT
\&
\& [service]
\& engineNum=1
\& key=id_45
.Ve
.IP "\fBengineCtrl\fR = <command>[:<parameter>]" 4
.IX Item "engineCtrl = <command>[:<parameter>]"
configures the cryptographic engine
.Sp
The special commands \*(L"\s-1LOAD\s0\*(R" and \*(L"\s-1INIT\s0\*(R" load and initialize
the engine's cryptographic module.
.IP "\fBfips\fR = yes | no" 4
.IX Item "fips = yes | no"
Enable or disable \s-1FIPS\s0 140\-2 mode.
.Sp
The option allows entering \s-1FIPS\s0 mode to be disabled if stunnel was compiled
with \s-1FIPS\s0 140\-2 support.
.Sp
default: yes (run in \s-1FIPS\s0 140\-2 mode)
.IP "\fBforeground\fR = yes | no (Unix only)" 4
.IX Item "foreground = yes | no (Unix only)"
foreground mode
.Sp
With this option \fIstunnel\fR stays in the foreground and logs its messages
to the console instead of \fIsyslog\fR (unless the \fIoutput\fR option
is used).
.IP "\fBoutput\fR = file" 4
.IX Item "output = file"
file to append the log messages to
.Sp
This option appends the log messages to the specified file.
.Sp
To send the messages to standard output (for example to have them logged
by the splogger program from the daemontools package) the device /dev/stdout
can be given as the parameter.
.IP "\fBpid\fR = file (Unix only)" 4
.IX Item "pid = file (Unix only)"
location of the process id file
.Sp
If the argument is empty, no file is created.
.Sp
If a \fIchroot\fR directory is defined, the \fIpid\fR path is relative
to that directory.
.IP "\fBRNDbytes\fR = number_of_bytes" 4
.IX Item "RNDbytes = number_of_bytes"
number of bytes used to seed the pseudo-random number generator
.Sp
With OpenSSL versions older than 0.9.5a this option also specifies
the number of bytes considered sufficient to seed the \s-1PRNG\s0.
Newer versions of the library have a built-in function to determine whether
the supplied amount of randomness is sufficient to seed the generator.
.IP "\fBRNDfile\fR = file" 4
.IX Item "RNDfile = file"
path to a file containing random data
.Sp
The OpenSSL library uses the data from this file to seed the
pseudo-random number generator.
.IP "\fBRNDoverwrite\fR = yes | no" 4
.IX Item "RNDoverwrite = yes | no"
overwrite the file with new pseudo-random values
.Sp
default: yes (overwrite)
.IP "\fBservice\fR = service_name (Unix only)" 4
.IX Item "service = service_name (Unix only)"
use the parameter as the service name for the \s-1TCP\s0 Wrapper library in \fIinetd\fR mode
.Sp
default: stunnel
.IP "\fBsetgid\fR = group_id (Unix only)" 4
.IX Item "setgid = group_id (Unix only)"
group whose privileges \fIstunnel\fR runs with
.IP "\fBsetuid\fR = user_id (Unix only)" 4
.IX Item "setuid = user_id (Unix only)"
user whose privileges \fIstunnel\fR runs with
.IP "\fBsocket\fR = a|l|r:option=value[:value]" 4
.IX Item "socket = a|l|r:option=value[:value]"
set an option on the accepting/local/remote socket
.Sp
For the linger option the values have the form l_onoff:l_linger.
For the time options the values have the form tv_sec:tv_usec.
.Sp
Examples:
.Sp
.Vb 10
\& socket = l:SO_LINGER=1:60
\& set a one\-minute timeout
\& when closing the local socket
\& socket = r:SO_OOBINLINE=yes
\& place out\-of\-band data
\& directly into the input data
\& stream of remote sockets
\& socket = a:SO_REUSEADDR=no
\& disable reuse of the port
\& (enabled by default)
\& socket = a:SO_BINDTODEVICE=lo
\& accept connections only on
\& the loopback interface
.Ve
.IP "\fBsyslog\fR = yes | no (Unix only)" 4
.IX Item "syslog = yes | no (Unix only)"
enable logging through the syslog mechanism
.Sp
default: yes (enable)
.IP "\fBtaskbar\fR = yes | no (\s-1WIN32\s0 only)" 4
.IX Item "taskbar = yes | no (WIN32 only)"
enable the icon in the bottom right corner of the screen
.Sp
default: yes (enable)
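.PP
The \fIsocket\fR option syntax above, as an added Python example (not
stunnel's own code): it turns an 'a|l|r:OPTION=value[:value]' string into the
target socket, the option name and the bytes a setsockopt() call expects
(l_onoff:l_linger packed as struct linger, tv_sec:tv_usec as struct timeval,
yes/no as a C int, an interface name as a NUL-terminated string), then applies
the result to a throw-away, unconnected TCP socket and reads it back with
getsockopt() to verify the packing. The struct layouts assume Linux (or another
platform where struct linger is two ints and struct timeval two longs); the
option strings are constructed.

```python
"""Translate 'socket = a|l|r:OPTION=value[:value]' into setsockopt() arguments."""
import socket
import struct
from typing import Tuple, Union

TARGETS = {"a": "accept", "l": "local", "r": "remote"}
LINGER_OPTS = {"SO_LINGER"}                   # struct linger { int l_onoff; int l_linger; }
TIME_OPTS = {"SO_RCVTIMEO", "SO_SNDTIMEO"}    # struct timeval { long tv_sec; long tv_usec; }
BOOL = {"yes": 1, "no": 0}

Value = Union[Tuple[int, ...], str]


def parse_socket_option(spec: str) -> Tuple[str, str, bytes]:
    """Return (target, option name, packed setsockopt value) for one 'socket =' value."""
    target, sep, rest = spec.partition(":")
    if not sep or target not in TARGETS:
        raise ValueError(f"socket option must start with a:, l: or r: : {spec!r}")
    name, sep, raw = rest.partition("=")
    if not sep:
        raise ValueError(f"missing '=' in socket option {spec!r}")
    name = name.strip().upper()
    parts = [p.strip() for p in raw.split(":")]
    if name in LINGER_OPTS:
        if len(parts) != 2:
            raise ValueError("SO_LINGER takes l_onoff:l_linger")
        packed = struct.pack("ii", int(parts[0]), int(parts[1]))
    elif name in TIME_OPTS:
        if len(parts) != 2:
            raise ValueError(f"{name} takes tv_sec:tv_usec")
        packed = struct.pack("ll", int(parts[0]), int(parts[1]))
    elif name == "SO_BINDTODEVICE":
        packed = parts[0].encode() + b"\0"     # NUL-terminated interface name
    else:
        if len(parts) != 1:
            raise ValueError(f"{name} takes a single value")
        v = parts[0].lower()
        packed = struct.pack("i", BOOL[v] if v in BOOL else int(v))
    return TARGETS[target], name, packed


def unpack_value(name: str, data: bytes) -> Value:
    """Inverse of the packing above, used to decode getsockopt() results."""
    if name in LINGER_OPTS:
        return struct.unpack("ii", data)
    if name in TIME_OPTS:
        return struct.unpack("ll", data)
    if name == "SO_BINDTODEVICE":
        return data.rstrip(b"\0").decode()
    return struct.unpack("i", data[:4])


def roundtrip(spec: str) -> Value:
    """Apply the option to a fresh TCP socket and read it back (no network I/O)."""
    _target, name, packed = parse_socket_option(spec)
    optnum = getattr(socket, name)            # e.g. socket.SO_LINGER
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, optnum, packed)
        return unpack_value(name, s.getsockopt(socket.SOL_SOCKET, optnum, len(packed)))
```

Only options that need no privileges are applied in the round trip; SO_BINDTODEVICE is parsed but not set, because binding a socket to an interface requires root on Linux, which is also why the manual pairs it with an \fIaccept\fR-side socket owned by the daemon.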
.SS "\s-1SERVICE\s0 OPTIONS"
.IX Subsection "SERVICE OPTIONS"
Each service configuration section starts with its name enclosed in square
brackets. The service name is used for access control by the libwrap
library (\s-1TCP\s0 wrappers) and lets you tell the individual services
apart in the logs.
.PP
If \fBstunnel\fR is to be used in \fIinetd\fR mode, where a separate program
(usually \fIinetd\fR, \fIxinetd\fR or \fItcpserver\fR) accepts the connection,
read the \fI\s-1INETD\s0 \s-1MODE\s0\fR section below.
.IP "\fBaccept\fR = [address:]port" 4
.IX Item "accept = [address:]port"
listen for connections on the specified address and port
.Sp
If no address is specified, \fIstunnel\fR by default listens
on all IPv4 addresses of the local interfaces.
.Sp
To listen on all IPv6 addresses use:
.Sp
.Vb 1
\& accept = :::port
.Ve
.IP "\fBCApath\fR = CA_directory" 4
.IX Item "CApath = CA_directory"
Certificate Authority directory
.Sp
The option specifies the directory in which \fBstunnel\fR looks for
certificates when the \fIverify\fR option is used. The certificate files must
have the special names \s-1XXXXXXXX\s0.0, where \s-1XXXXXXXX\s0 is the
cryptographic hash of the \s-1DER\s0 representation of the certificate's subject name.
.Sp
The hash function was changed in version 1.0.0 of the OpenSSL library.
Run c_rehash when switching from OpenSSL 0.x.x to 1.x.x.
.Sp
If a \fIchroot\fR directory is defined, the \fICApath\fR path is relative
to that directory.
.IP "\fBCAfile\fR = CA_file" 4
.IX Item "CAfile = CA_file"
Certificate Authority file
.Sp
The option specifies the location of the file containing the certificates
used by the \fIverify\fR option.
.IP "\fBcert\fR = pem_file" 4
.IX Item "cert = pem_file"
certificate chain file
.Sp
The option specifies the location of the file containing the certificates
\&\fBstunnel\fR uses to authenticate itself to the other side of the connection.
A certificate is required to use the program in server mode.
In client mode the certificate is optional.
.IP "\fBciphers\fR = cipher_list" 4
.IX Item "ciphers = cipher_list"
list of permitted \s-1SSL\s0 ciphers
.Sp
The parameter of this option is the list of ciphers used when
opening new \s-1SSL\s0 connections, e.g.: \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
.IP "\fBclient\fR = yes | no" 4
.IX Item "client = yes | no"
client mode (the remote service uses \s-1SSL\s0)
.Sp
default: no (server mode)
.IP "\fBconnect\fR = [address:]port" 4
.IX Item "connect = [address:]port"
connect to the remote server on the specified port
.Sp
If no address is specified, \fIstunnel\fR by default connects
to the local server.
.Sp
The command may be used multiple times in a single section
to provide high availability or to spread the load
across multiple servers.
.IP "\fBCRLpath\fR = CRL_directory" 4
.IX Item "CRLpath = CRL_directory"
Certificate Revocation List (\s-1CRL\s0) directory
.Sp
The option specifies the directory in which \fBstunnel\fR looks for \s-1CRL\s0 lists
when the \fIverify\fR option is used. The \s-1CRL\s0 files must have the
special names \s-1XXXXXXXX\s0.r0, where \s-1XXXXXXXX\s0 is the hash
of the \s-1CRL\s0.
.Sp
The hash function was changed in version 1.0.0 of the OpenSSL library.
Run c_rehash when switching from OpenSSL 0.x.x to 1.x.x.
.Sp
If a \fIchroot\fR directory is defined, the \fICRLpath\fR path is relative
to that directory.
.IP "\fBCRLfile\fR = CRL_file" 4
.IX Item "CRLfile = CRL_file"
Certificate Revocation List (\s-1CRL\s0) file
.Sp
The option specifies the location of the file containing the \s-1CRL\s0 lists
used by the \fIverify\fR option.
.IP "\fBcurve\fR = nid" 4
.IX Item "curve = nid"
curve for \s-1ECDH\s0
.Sp
The list of available curves can be obtained with the command:
.Sp
.Vb 1
\& openssl ecparam \-list_curves
.Ve
.Sp
default: prime256v1
.IP "\fBdelay\fR = yes | no" 4
.IX Item "delay = yes | no"
delay the \s-1DNS\s0 lookup of the address given in the \fIconnect\fR option
.Sp
The option is useful with dynamic \s-1DNS\s0, or when the \s-1DNS\s0 service is not
available when stunnel starts (\s-1VPN\s0 client, dial\-up connection).
.IP "\fBengineNum\fR = <engine number>" 4
.IX Item "engineNum = <engine number>"
select the engine the private key is read from
.Sp
Engines are numbered starting from 1.
.IP "\fBexec\fR = program_path" 4
.IX Item "exec = program_path"
execute a local program designed to work with the inetd superdaemon
.Sp
If a \fIchroot\fR directory is defined, the \fIexec\fR path is relative
to that directory.
.ie n .IP "\fBexecargs\fR = $0 $1 $2 ..." 4
.el .IP "\fBexecargs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ..." 4
.IX Item "execargs = $0 $1 $2 ..."
arguments for the \fIexec\fR option, including the program name ($0)
.Sp
Quoting is not supported in the current version of the program.
Arguments are separated by any number of whitespace characters.
.IP "\fBfailover\fR = rr | prio" 4
.IX Item "failover = rr | prio"
Strategy for choosing among the servers specified with the \*(L"connect\*(R" parameters.
.Sp
.Vb 2
\& rr (round robin) \- fair load distribution
\& prio (priority) \- use the order of the options in the configuration file
.Ve
.Sp
default: rr
.IP "\fBident\fR = username" 4
.IX Item "ident = username"
verify the remote username with the \s-1IDENT\s0 protocol (\s-1RFC\s0 1413)
.IP "\fBkey\fR = key_file" 4
.IX Item "key = key_file"
private key for the certificate specified in the \fIcert\fR option
.Sp
The private key is needed to authenticate the certificate owner.
Since it should be kept secret, only the file owner should have
read access to it. On Unix this can be achieved with the command:
.Sp
.Vb 1
\& chmod 600 keyfile
.Ve
.Sp
default: the value of the \fIcert\fR option
.IP "\fBlibwrap\fR = yes | no" 4
.IX Item "libwrap = yes | no"
enable or disable the use of /etc/hosts.allow and /etc/hosts.deny.
.Sp
default: yes
.IP "\fBlocal\fR = server" 4
.IX Item "local = server"
source \s-1IP\s0 for establishing remote connections
.Sp
By default the \s-1IP\s0 of the outermost interface toward the server
being connected to is used.
.IP "\fBsni\fR = service_name:server_name (server mode)" 4
.IX Item "sni = service_name:server_name (server mode)"
Use the service as a slave (virtual server) for the \s-1TLS\s0 Server
Name Indication extension (\s-1RFC\s0 3546).
.Sp
\&\fIservice_name\fR specifies the master service that accepts client
connections with the \fIaccept\fR option. \fIserver_name\fR specifies the name
of the virtual server. Usually several slave services are bound to a single
master service. The \fIsni\fR option may also be used multiple times within
a single slave service.
.Sp
Neither the master nor the slave service may be configured in client mode.
The \fIconnect\fR option of the slave service is ignored in combination with
the \fIprotocol\fR option, since in that case the connection to the remote
server is established before the \s-1TLS\s0 negotiation. Authentication with
the libwrap library is performed twice: first for the master service after
the \s-1TCP\s0 connection is accepted, and then for the slave service during
the \s-1TLS\s0 negotiation.
.Sp
The \fIsni\fR option is available starting with version 1.0.0 of the OpenSSL library.
.IP "\fBsni\fR = server_name (client mode)" 4
.IX Item "sni = server_name (client mode)"
Use the parameter as the value of the \s-1TLS\s0 Server Name Indication
extension (\s-1RFC\s0 3546).
.Sp
The \fIsni\fR option is available starting with version 1.0.0 of the OpenSSL library.
.IP "\fB\s-1OCSP\s0\fR = \s-1URL\s0" 4
.IX Item "OCSP = URL"
\&\s-1OCSP\s0 server for certificate verification
.IP "\fBOCSPflag\fR = flag" 4
.IX Item "OCSPflag = flag"
\&\s-1OCSP\s0 server flag
.Sp
currently supported flags: \s-1NOCERTS\s0, \s-1NOINTERN\s0, \s-1NOSIGS\s0, \s-1NOCHAIN\s0, \s-1NOVERIFY\s0,
\&\s-1NOEXPLICIT\s0, \s-1NOCASIGN\s0, \s-1NODELEGATED\s0, \s-1NOCHECKS\s0, \s-1TRUSTOTHER\s0, \s-1RESPID_KEY\s0, \s-1NOTIME\s0
.Sp
To specify several flags use \fIOCSPflag\fR multiple times.
.IP "\fBoptions\fR = SSL_options" 4
.IX Item "options = SSL_options"
OpenSSL library options
.Sp
The parameter is an option name as described in \fI\fISSL_CTX_set_options\fI\|(3ssl)\fR,
but without the \fI\s-1SSL_OP_\s0\fR prefix.
To specify several options use \fIoptions\fR multiple times.
.Sp
For example, to remain compatible with the \s-1SSL\s0 implementation bugs
in the Eudora program, the following option can be used:
.Sp
.Vb 1
\& options = DONT_INSERT_EMPTY_FRAGMENTS
.Ve
.IP "\fBprotocol\fR = protocol" 4
.IX Item "protocol = protocol"
negotiate \s-1SSL\s0 with the specified application protocol (e.g. \fIstarttls\fR or \fIstls\fR)
.Sp
The \fIprotocol\fR option should not be used with \s-1SSL\s0 encryption on a separate port.
.Sp
Currently supported protocols:
.RS 4
.IP "\fIcifs\fR" 4
.IX Item "cifs"
Undocumented extension of the \s-1CIFS\s0 protocol supported by the Samba server.
Support for this extension was dropped in version 3.0.0 of the Samba server.
.IP "\fIconnect\fR" 4
.IX Item "connect"
\&\s-1RFC\s0 2817 negotiation \- \fIUpgrading to \s-1TLS\s0 Within \s-1HTTP/1\s0.1\fR, section 5.2 \- \fIRequesting a Tunnel with \s-1CONNECT\s0\fR
.Sp
This protocol is supported in client mode only.
.IP "\fIimap\fR" 4
.IX Item "imap"
\&\s-1RFC\s0 2595 negotiation \- \fIUsing \s-1TLS\s0 with \s-1IMAP\s0, \s-1POP3\s0 and \s-1ACAP\s0\fR
.IP "\fInntp\fR" 4
.IX Item "nntp"
\&\s-1RFC\s0 4642 negotiation \- \fIUsing Transport Layer Security (\s-1TLS\s0) with Network News Transfer Protocol (\s-1NNTP\s0)\fR
.Sp
This protocol is supported in client mode only.
.IP "\fIpgsql\fR" 4
.IX Item "pgsql"
Negotiation as described at http://www.postgresql.org/docs/8.3/static/protocol\-flow.html#AEN73982
.IP "\fIpop3\fR" 4
.IX Item "pop3"
\&\s-1RFC\s0 2449 negotiation \- \fI\s-1POP3\s0 Extension Mechanism\fR
.IP "\fIproxy\fR" 4
.IX Item "proxy"
haproxy client \s-1IP\s0 address forwarding, see http://haproxy.1wt.eu/download/1.5/doc/proxy\-protocol.txt
.IP "\fIsmtp\fR" 4
.IX Item "smtp"
\&\s-1RFC\s0 2487 negotiation \- \fI\s-1SMTP\s0 Service Extension for Secure \s-1SMTP\s0 over \s-1TLS\s0\fR
.RE
.RS 4
.RE
.IP "\fBprotocolAuthentication\fR = authentication" 4
.IX Item "protocolAuthentication = authentication"
authentication type for the protocol negotiation
.Sp
currently supported: basic, \s-1NTLM\s0
.Sp
Currently the authentication type applies only to the 'connect' protocol.
.Sp
default: basic
.IP "\fBprotocolHost\fR = address:port" 4
.IX Item "protocolHost = address:port"
destination address for the protocol negotiation
.IP "\fBprotocolPassword\fR = password" 4
.IX Item "protocolPassword = password"
password for the protocol negotiation
.IP "\fBprotocolUsername\fR = username" 4
.IX Item "protocolUsername = username"
username for the protocol negotiation
.IP "\fBpty\fR = yes | no (Unix only)" 4
.IX Item "pty = yes | no (Unix only)"
allocate a pseudoterminal for the program started with the 'exec' option
.IP "\fBretry\fR = yes | no (Unix only)" 4
.IX Item "retry = yes | no (Unix only)"
reconnect a connect+exec section after it has been disconnected
.Sp
default: no
.IP "\fBsession\fR = session_cache_timeout" 4
.IX Item "session = session_cache_timeout"
time in seconds after which an \s-1SSL\s0 session is removed from the cache
.IP "\fBsessiond\fR = address:port" 4
.IX Item "sessiond = address:port"
address of sessiond \- the \s-1SSL\s0 session cache server
.IP "\fBsslVersion\fR = version" 4
.IX Item "sslVersion = version"
\&\s-1SSL\s0 protocol version
.Sp
Allowed options: all, SSLv2, SSLv3, TLSv1
.IP "\fBstack\fR = number_of_bytes (except for the \s-1FORK\s0 model)" 4
.IX Item "stack = number_of_bytes (except for the FORK model)"
thread stack size
.IP "\fBTIMEOUTbusy\fR = seconds" 4
.IX Item "TIMEOUTbusy = seconds"
time to wait for expected data
.IP "\fBTIMEOUTclose\fR = seconds" 4
.IX Item "TIMEOUTclose = seconds"
time to wait for close_notify (set to 0 if the client is \s-1MSIE\s0)
.IP "\fBTIMEOUTconnect\fR = seconds" 4
.IX Item "TIMEOUTconnect = seconds"
time to wait for a connection to be established
.IP "\fBTIMEOUTidle\fR = seconds" 4
.IX Item "TIMEOUTidle = seconds"
maximum time to keep an idle connection
.IP "\fBtransparent\fR = none | source | destination | both (Unix only)" 4
.IX Item "transparent = none | source | destination | both (Unix only)"
transparent proxy mode on supported platforms
.Sp
Supported values:
.RS 4
.IP "\fBnone\fR" 4
.IX Item "none"
Disable transparent proxy support. This is the default value.
.IP "\fBsource\fR" 4
.IX Item "source"
Rewrite the address so that the outgoing connection appears to come
directly from the client rather than from \fIstunnel\fR.
.Sp
The option is currently supported in:
.RS 4
.IP "Remote mode (\fIconnect\fR option) on \fILinux >=2.6.28\fR" 4
.IX Item "Remote mode (connect option) on Linux >=2.6.28"
The configuration requires the following iptables and routing settings
(for example in /etc/rc.local or an equivalent file):
.Sp
.Vb 7
\& iptables \-t mangle \-N DIVERT
\& iptables \-t mangle \-A PREROUTING \-p tcp \-m socket \-j DIVERT
\& iptables \-t mangle \-A DIVERT \-j MARK \-\-set\-mark 1
\& iptables \-t mangle \-A DIVERT \-j ACCEPT
\& ip rule add fwmark 1 lookup 100
\& ip route add local 0.0.0.0/0 dev lo table 100
\& echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
.Ve
.Sp
This configuration requires \fBstunnel\fR to run as root and without the \fIsetuid\fR option.
.IP "Remote mode (\fIconnect\fR option) on \fILinux 2.2.x\fR" 4
.IX Item "Remote mode (connect option) on Linux 2.2.x"
This configuration requires the kernel to be compiled with the \fItransparent proxy\fR option.
The destination service must be located on a separate machine whose route
passes through the stunnel server.
.Sp
In addition \fBstunnel\fR should run as root and without the \fIsetuid\fR option.
.IP "Remote mode (\fIconnect\fR option) on \fIFreeBSD >=8.0\fR" 4
.IX Item "Remote mode (connect option) on FreeBSD >=8.0"
This configuration requires the firewall and routing to be configured.
\&\fBstunnel\fR must run as root and without the \fIsetuid\fR option.
.IP "Local mode (\fIexec\fR option)" 4
.IX Item "Local mode (exec option)"
This configuration is implemented with the \fIlibstunnel.so\fR library.
The library is loaded using the _RLD_LIST environment variable on the
Tru64 platform or \s-1LD_PRELOAD\s0 on other platforms.
.RE
.RS 4
.RE
.IP "\fIdestination\fR" 4
.IX Item "destination"
The original destination address is used instead of the \fIconnect\fR option.
.Sp
An example configuration with a transparent destination address:
.Sp
.Vb 4
\& [transparent]
\& client=yes
\& accept=<stunnel_port>
\& transparent=destination
.Ve
.Sp
The configuration requires the following iptables settings
(for example in /etc/rc.local or an equivalent file):
.Sp
.Vb 2
\& /sbin/iptables \-I INPUT \-i eth0 \-p tcp \-\-dport <stunnel_port> \-j ACCEPT
\& /sbin/iptables \-t nat \-I PREROUTING \-i eth0 \-p tcp \-\-dport <redirected_port> \-j DNAT \-\-to\-destination <local_ip>:<stunnel_port>
.Ve
.Sp
The transparent destination address is currently supported on Linux only.
.IP "\fIboth\fR" 4
.IX Item "both"
Use the transparent proxy for both the source and the destination address.
.RE
.RS 4
.Sp
For compatibility with earlier versions two additional options are
supported:
.IP "\fIyes\fR" 4
.IX Item "yes"
The option has been renamed to \fIsource\fR.
.IP "\fIno\fR" 4
.IX Item "no"
The option has been renamed to \fInone\fR.
.RE
.RS 4
.RE
.IP "\fBverify\fR = level" 4
.IX Item "verify = level"
verify the certificate of the other side of the connection
.RS 4
.IP "\fIlevel 0\fR \- request the certificate and ignore it" 4
.IX Item "level 0 - request the certificate and ignore it"
.PD 0
.IP "\fIlevel 1\fR \- verify the certificate if one is presented" 4
.IX Item "level 1 - verify the certificate if one is presented"
.IP "\fIlevel 2\fR \- verify against the installed Certificate Authority certificate" 4
.IX Item "level 2 - verify against the installed Certificate Authority certificate"
.IP "\fIlevel 3\fR \- verify against a locally installed certificate of the other side" 4
.IX Item "level 3 - verify against a locally installed certificate of the other side"
.IP "\fIlevel 4\fR \- verify against the certificate of the other side, ignoring the \s-1CA\s0 chain" 4
.IX Item "level 4 - verify against the certificate of the other side, ignoring the CA chain"
.IP "\fIdefault\fR \- no verification" 4
.IX Item "default - no verification"
.RE
.RS 4
.RE
.PD
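.PP
The \fICApath\fR and \fICRLpath\fR entries above are named after a hash of the
\s-1DER\s0 subject name, and the hash function changed in OpenSSL 1.0.0. The
following added Python example (not stunnel's or OpenSSL's code) builds a
minimal \s-1DER\s0 X.501 Name with one attribute per \s-1RDN\s0 and computes both
file-name hashes as OpenSSL's X509_NAME_hash does: the pre-1.0.0 scheme takes
the first four bytes of MD5 over the raw \s-1DER\s0 name, read little-endian; the
1.0.0 scheme takes the first four bytes of SHA-1 over the canonical encoding,
in which string values are converted to UTF8String, lower-cased and
whitespace-normalised, and the outer SEQUENCE header is dropped. Both
subject names below are constructed.

```python
"""Old (0.9.x) and new (1.0.0+) OpenSSL subject-name hashes for CApath entries."""
import hashlib
from typing import List, Tuple

OID_CN = bytes.fromhex("550403")    # id-at-commonName (2.5.4.3)
OID_O = bytes.fromhex("55040a")     # id-at-organizationName (2.5.4.10)
PRINTABLE_STRING, UTF8_STRING = 0x13, 0x0C
RDNs = List[Tuple[bytes, str]]      # [(attribute OID, value), ...]


def der(tag: int, body: bytes) -> bytes:
    """DER TLV with a definite length (short or long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def rdn(oid: bytes, value: bytes, string_tag: int) -> bytes:
    """One RelativeDistinguishedName: SET { SEQUENCE { OID, value } }."""
    return der(0x31, der(0x30, der(0x06, oid) + der(string_tag, value)))


def name_der(rdns: RDNs) -> bytes:
    """Full DER Name as found in a certificate (PrintableString values)."""
    return der(0x30, b"".join(rdn(oid, v.encode("ascii"), PRINTABLE_STRING)
                              for oid, v in rdns))


def canon_value(v: str) -> str:
    """Mirror asn1_string_canon(): trim, lower-case, collapse inner blanks."""
    return " ".join(v.split()).lower()


def name_canon(rdns: RDNs) -> bytes:
    """Canonical encoding: the RDN SETs concatenated, no outer SEQUENCE."""
    return b"".join(rdn(oid, canon_value(v).encode("utf-8"), UTF8_STRING)
                    for oid, v in rdns)


def _first_word_le(digest: bytes) -> str:
    return "%08x" % int.from_bytes(digest[:4], "little")


def subject_hash_old(rdns: RDNs) -> str:
    """OpenSSL 0.9.x scheme (openssl x509 -subject_hash_old in newer releases)."""
    return _first_word_le(hashlib.md5(name_der(rdns)).digest())


def subject_hash(rdns: RDNs) -> str:
    """OpenSSL 1.0.0+ scheme (openssl x509 -subject_hash)."""
    return _first_word_le(hashlib.sha1(name_canon(rdns)).digest())


def capath_entry(rdns: RDNs, crl: bool = False, index: int = 0) -> str:
    """File name expected in CApath (XXXXXXXX.0) or CRLpath (XXXXXXXX.r0)."""
    return f"{subject_hash(rdns)}.{'r' if crl else ''}{index}"


# Constructed subjects: the same name typed with different case and spacing.
CA_SUBJECT = [(OID_O, "Example Corp"), (OID_CN, "Test CA")]
CA_SUBJECT_MESSY = [(OID_O, " example  CORP"), (OID_CN, "test ca ")]
```

The two schemes give different file names for the same certificate, which is why a \fIC\s-1A\s0path\fR directory populated under OpenSSL 0.9.x stops matching after the upgrade until c_rehash recreates the links. The canonical form also makes the new hash insensitive to case and spacing in the subject, as the CA_SUBJECT and CA_SUBJECT_MESSY pair shows, while the old hash still distinguishes them.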
.SH "RETURN VALUE"
.IX Header "RETURN VALUE"
\&\fBstunnel\fR returns zero on success, or a non-zero value
on error.
.SH "SIGNALS"
.IX Header "SIGNALS"
The following signals can be used to control the program on Unix:
.IP "\s-1SIGHUP\s0" 4
.IX Item "SIGHUP"
Reload the configuration file.
.Sp
Some global options are not reloaded:
.RS 4
.IP "\(bu" 4
chroot
.IP "\(bu" 4
foreground
.IP "\(bu" 4
pid
.IP "\(bu" 4
setgid
.IP "\(bu" 4
setuid
.RE
.RS 4
.Sp
If the 'setuid' option is used, stunnel will not be able to reload
a configuration that uses privileged (<1024) ports.
.Sp
If the 'chroot' option is used, stunnel looks for all the files it
needs (including the configuration file, the certificates, the log and
the pid file) inside the directory specified by 'chroot'.
.RE
.IP "\s-1SIGUSR1\s0" 4
.IX Item "SIGUSR1"
Close and reopen the log.
This function can be used in a script that rotates the stunnel log.
.IP "\s-1SIGTERM\s0, \s-1SIGQUIT\s0, \s-1SIGINT\s0" 4
.IX Item "SIGTERM, SIGQUIT, SIGINT"
Terminate the program.
.PP
The effect of sending other signals is undefined.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
To encrypt connections to a local \fIimapd\fR server use:
.PP
.Vb 4
\& [imapd]
\& accept = 993
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.PP
or in remote mode:
.PP
.Vb 3
\& [imapd]
\& accept = 993
\& connect = 143
.Ve
.PP
Combined with the \fIpppd\fR program, \fBstunnel\fR can set up a simple \s-1VPN\s0.
On the server side, listening on port 2020, its configuration
may look as follows:
.PP
.Vb 5
\& [vpn]
\& accept = 2020
\& exec = /usr/sbin/pppd
\& execargs = pppd local
\& pty = yes
.Ve
.PP
The following configuration file can be used to run
\&\fBstunnel\fR in \fIinetd\fR mode. Note that the configuration file
has no \fI[service_name]\fR section.
.PP
.Vb 2
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.SH "NOTES"
.IX Header "NOTES"
.SS "\s-1RESTRICTIONS\s0"
.IX Subsection "RESTRICTIONS"
\&\fIstunnel\fR cannot be used to encrypt the \fI\s-1FTP\s0\fR protocol,
because it transfers individual files over additional connections
opened on dynamically assigned ports.
There are, however, special versions of \s-1FTP\s0 clients and servers
that encrypt the transferred data with the \fI\s-1SSL\s0\fR protocol.
.SS "\s-1INETD\s0 \s-1MODE\s0 (Unix only)"
.IX Subsection "INETD MODE (Unix only)"
In most applications \fBstunnel\fR itself listens on the port specified
in the configuration file and creates a connection to another port
specified in the \fIconnect\fR option or to a new program specified in the
\&\fIexec\fR option.
Some people, however, prefer to use a separate program that accepts
connections and then starts the \fBstunnel\fR program. Examples of such
programs are inetd, xinetd and tcpserver.
.PP
An example line in /etc/inetd.conf may look like this:
.PP
.Vb 2
\& imaps stream tcp nowait root /usr/bin/stunnel
\& stunnel /etc/stunnel/imaps.conf
.Ve
.PP
Since in such cases the connection on the defined port
(here \fIimaps\fR) is accepted by a separate program (here \fIinetd\fR),
\&\fBstunnel\fR must not use the \fIaccept\fR option. Nor may any service
(\fI[service_name]\fR) be defined in the configuration file, because
such a configuration allows only a single connection to be established.
All the \fI\s-1SERVICE\s0 OPTIONS\fR should be placed together with the global
options. An example of such a configuration can be found in the
\&\fIEXAMPLES\fR section.
.SS "\s-1CERTIFICATES\s0"
.IX Subsection "CERTIFICATES"
The \s-1SSL\s0 protocol requires every server to present a valid X.509
certificate to the connecting client.
The server proves its identity by demonstrating that it holds
the private key corresponding to the certificate.
The simplest way to obtain a certificate is to generate one
with the free \fIOpenSSL\fR package. More information on
generating certificates can be found on the pages listed below.
.PP
The order of the contents of the \fI.pem\fR file is important.
It should contain the private key first,
followed by the signed certificate (not the certificate request).
There should be empty lines after the certificate and the private key.
Any additional text information preceding the certificate
should be removed. The resulting file should have the
following form:
.PP
.Vb 8
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
\& [encoded key]
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
\& [empty line]
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
\& [encoded certificate]
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
\& [empty line]
.Ve
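.PP
The \fI.pem\fR layout rules above, as an added Python example (not stunnel's
or OpenSSL's code): it splits a \s-1PEM\s0 file into its BEGIN/END blocks,
ignoring free text outside them (such as a textual certificate dump), reports
a certificate request where a signed certificate is required, reports a key
placed after the certificate, and rewrites the file with the private key
first, then the certificate(s), each followed by an empty line. SAMPLE_PEM is
constructed; its base64 bodies are placeholders, not real key material, and
the key is not checked against the certificate.

```python
"""Check and normalise the block order of a stunnel .pem file."""
import re
from typing import List, Tuple

_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",
              "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
ORDER_PROBLEM = "private key must come before the certificate"


def pem_blocks(text: str) -> List[Tuple[str, str]]:
    """(label, body) pairs in file order; anything outside the markers is ignored."""
    return [(m.group(1), m.group(2)) for m in _BLOCK.finditer(text)]


def pem_problems(text: str) -> List[str]:
    """Layout problems in the order the text above lists the requirements."""
    labels = [label for label, _ in pem_blocks(text)]
    problems = []
    if "CERTIFICATE REQUEST" in labels:
        problems.append("certificate request present; a signed certificate is required")
    keys = [label for label in labels if label in KEY_LABELS]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    if "CERTIFICATE" not in labels:
        problems.append("no certificate block found")
    elif keys and labels.index(keys[0]) > labels.index("CERTIFICATE"):
        problems.append(ORDER_PROBLEM)
    return problems


def normalize_pem(text: str) -> str:
    """Rewrite the file in the required order; only the ordering problem is repaired."""
    fatal = [p for p in pem_problems(text) if p != ORDER_PROBLEM]
    if fatal:
        raise ValueError("; ".join(fatal))
    blocks = pem_blocks(text)
    ordered = ([b for b in blocks if b[0] in KEY_LABELS]
               + [b for b in blocks if b[0] == "CERTIFICATE"])
    # The body captured by the regex already ends with a newline, so the END
    # marker lands on its own line; the extra "\n" gives the required empty line.
    return "".join(f"-----BEGIN {label}-----\n{body}-----END {label}-----\n\n"
                   for label, body in ordered)


# Constructed sample: wrong order, plus a text dump in front of the certificate.
SAMPLE_PEM = """\
Certificate:
    Data:
        Version: 3 (0x2)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0VSVElGSUNBVEUgQk9EWQ==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQgS0VZIEJPRFk=
-----END RSA PRIVATE KEY-----
"""
```

Intermediate \s-1CA\s0 certificates, which belong in the same file after the server certificate, keep their file order under this rewrite because the certificate blocks are copied in sequence.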
.SS "LOSOWOŚĆ"
.IX Subsection "LOSOWOŚĆ"
\&\fBstunnel\fR potrzebuje zainicjować \s-1PRNG\s0 (generator liczb pseudolosowych),
gdyż protokół \s-1SSL\s0 wymaga do bezpieczeństwa kryptograficznego źródła
dobrej losowości. Następujące źródła są kolejno odczytywane aż do
uzyskania wystarczającej ilości entropii:
.IP "\(bu" 4
Zawartość pliku podanego w opcji \fIRNDfile\fR.
.IP "\(bu" 4
Zawartość pliku o nazwie określonej przez zmienną środowiskową
\&\s-1RANDFILE\s0, o ile jest ona ustawiona.
.IP "\(bu" 4
Plik .rnd umieszczony w katalogu domowym użytkownika,
jeżeli zmienna \s-1RANDFILE\s0 nie jest ustawiona.
.IP "\(bu" 4
Plik podany w opcji '\-\-with\-random' w czasie konfiguracji programu.
.IP "\(bu" 4
Zawartość ekranu w systemie Windows.
.IP "\(bu" 4
Gniazdo egd, jeżeli użyta została opcja \fI\s-1EGD\s0\fR.
.IP "\(bu" 4
Gniazdo egd podane w opcji '\-\-with\-egd\-socket' w czasie konfiguracji
programu.
.IP "\(bu" 4
Urządzenie /dev/urandom.
.PP
Współczesne (>=0.9.5a) wersje biblioteki \fIOpenSSL\fR automatycznie
zaprzestają ładowania kolejnych danych w momencie uzyskania wystarczającej
ilości entropii. Wcześniejsze wersje biblioteki wykorzystają wszystkie
powyższe źródła, gdyż nie istnieje tam funkcja pozwalająca określić,
czy uzyskano już wystarczająco dużo danych.
.PP
Warto zwrócić uwagę, że na maszynach z systemem Windows, na których
konsoli nie pracuje użytkownik, zawartość ekranu nie jest wystarczająco
zmienna, aby zainicjować \s-1PRNG\s0. W takim przypadku do zainicjowania
generatora należy użyć opcji \fIRNDfile\fR.
.PP
Plik \fIRNDfile\fR powinien zawierać dane losowe \*(-- również w tym sensie,
że powinny być one inne przy każdym uruchomieniu programu \fBstunnel\fR.
O ile nie użyta została opcja \fIRNDoverwrite\fR jest to robione
automatycznie. Do ręcznego uzyskania takiego pliku użyteczna
może być komenda \fIopenssl rand\fR dostarczana ze współczesnymi
wersjami pakietu \fIOpenSSL\fR.
.PP
Jeszcze jedna istotna informacja \*(-- jeżeli dostępne jest urządzenie
\&\fI/dev/urandom\fR biblioteka \fIOpenSSL\fR ma zwyczaj zasilania nim \s-1PRNG\s0 w trakcie
sprawdzania stanu generatora. W systemach z \fI/dev/urandom\fR urządzenie
to będzie najprawdopodobniej użyte, pomimo że znajduje się na samym końcu
powyższej listy. Jest to właściwość biblioteki \fIOpenSSL\fR, a nie programu
\&\fIstunnel\fR.
.SS "\s-1DH\s0 \s-1PARAMETERS\s0"
.IX Subsection "DH PARAMETERS"
Starting with version 4.40, stunnel includes 2048\-bit \s-1DH\s0 parameters
in the program code.
.PP
Alternatively, \s-1DH\s0 parameters can be placed in a file together with the certificate:
.PP
.Vb 1
\& openssl dhparam 2048 >> stunnel.pem
.Ve
.PP
Generating \s-1DH\s0 parameters may take as long as many minutes.
.SH "FILES"
.IX Header "FILES"
.IP "\fIstunnel.conf\fR" 4
.IX Item "stunnel.conf"
program configuration file
.SH "BUGS"
.IX Header "BUGS"
The \fIexecargs\fR option does not support quoting.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
.IP "\fItcpd\fR\|(8)" 4
.IX Item "tcpd"
access control library for internet services
.IP "\fIinetd\fR\|(8)" 4
.IX Item "inetd"
\&internet 'super\-server'
.IP "\fIhttp://www.stunnel.org/\fR" 4
.IX Item "http://www.stunnel.org/"
\fIstunnel\fR home page
.IP "\fIhttp://www.openssl.org/\fR" 4
.IX Item "http://www.openssl.org/"
\fIOpenSSL\fR project page
.SH "AUTHOR"
.IX Header "AUTHOR"
.IP "Michał Trojnara" 4
.IX Item "Michał Trojnara"
<\fIMichal.Trojnara@mirt.net\fR>
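To verify what a combined stunnel.pem actually holds after `openssl dhparam 2048 >> stunnel.pem`, here is an added example (not stunnel's or OpenSSL's code) that parses the PEM container, DER-decodes a DH PARAMETERS block far enough to report the prime size, and counts BEGIN lines left without their END, as an interrupted append would leave. The function names and SAMPLE_BUNDLE are this example's own; the sample uses a placeholder certificate body and a toy 127-bit group so it stays short, and the decoder handles the long-form DER lengths a real 2048-bit group needs.

```python
"""Inspect a combined PEM bundle such as stunnel.pem.

Added example; not stunnel's or OpenSSL's code.  It parses the PEM
container, DER-decodes any DH PARAMETERS block far enough to report the
prime size, and flags an interrupted append that left a BEGIN line without
its END.  All function names and the sample bundle are this example's own.
"""
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def parse_pem_bundle(text):
    """Return [(label, der_bytes), ...] for every complete PEM block in `text`."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        body = "".join(m.group("body").split())  # drop line breaks
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError("invalid base64 in %s block" % label) from exc
        blocks.append((label, der))
    return blocks


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(der):
    """Bit length of p in DHParameter ::= SEQUENCE { p INTEGER, g INTEGER }."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH PARAMETERS is not a SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("first element of DH PARAMETERS is not an INTEGER")
    return int.from_bytes(p_bytes, "big").bit_length()


def check_bundle(text):
    """Summarise what a bundle contains and whether any block is truncated."""
    blocks = parse_pem_bundle(text)
    labels = [label for label, _ in blocks]
    return {
        "labels": labels,
        "has_certificate": "CERTIFICATE" in labels,
        "has_private_key": any(l.endswith("PRIVATE KEY") for l in labels),
        "dh_bits": [dh_prime_bits(der) for label, der in blocks
                    if label == "DH PARAMETERS"],
        # a BEGIN marker with no matching END, e.g. an interrupted append
        "truncated_blocks": text.count("-----BEGIN ") - len(labels),
    }


# --- constructed sample input -------------------------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # keep the INTEGER positive
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params_pem(p, g):
    """Encode (p, g) as a PEM DH PARAMETERS block in the PKCS#3 layout."""
    inner = _der_integer(p) + _der_integer(g)
    der = b"\x30" + _der_len(len(inner)) + inner
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


# The certificate body is a placeholder, not a real certificate, and the DH
# group is a toy 127-bit one (p = 2**127 - 1, g = 2) so the sample stays short;
# real deployments use the 2048-bit parameters the text describes.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"placeholder, not a real certificate").decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
    + encode_dh_params_pem(2**127 - 1, 2)
)

if __name__ == "__main__":
    print(check_bundle(SAMPLE_BUNDLE))
```

Running it on a real bundle reports the labels in file order, the size of every DH group present, and a non-zero `truncated_blocks` count when the append was cut short; a bundle that reports no DH PARAMETERS block simply means stunnel falls back to its built-in 2048-bit parameters.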

1425
doc/stunnel.pl.8.in Normal file

1626
doc/stunnel.pl.html.in Normal file

1555
doc/stunnel.pl.pod.in Normal file

1529
doc/stunnel.pod.in Normal file

4190
m4/libtool.m4 vendored

147
m4/ltoptions.m4 vendored

@ -1,13 +1,14 @@
# Helper functions for option handling. -*- Autoconf -*-
#
# Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc.
# Copyright (C) 2004-2005, 2007-2009, 2011-2015 Free Software
# Foundation, Inc.
# Written by Gary V. Vaughan, 2004
#
# This file is free software; the Free Software Foundation gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
# serial 6 ltoptions.m4
# serial 8 ltoptions.m4
# This is to help aclocal find these macros, as it can't see m4_define.
AC_DEFUN([LTOPTIONS_VERSION], [m4_if([1])])
@ -28,7 +29,7 @@ m4_define([_LT_SET_OPTION],
[m4_define(_LT_MANGLE_OPTION([$1], [$2]))dnl
m4_ifdef(_LT_MANGLE_DEFUN([$1], [$2]),
_LT_MANGLE_DEFUN([$1], [$2]),
[m4_warning([Unknown $1 option `$2'])])[]dnl
[m4_warning([Unknown $1 option '$2'])])[]dnl
])
@ -74,13 +75,15 @@ m4_if([$1],[LT_INIT],[
dnl
dnl If no reference was made to various pairs of opposing options, then
dnl we run the default mode handler for the pair. For example, if neither
dnl `shared' nor `disable-shared' was passed, we enable building of shared
dnl 'shared' nor 'disable-shared' was passed, we enable building of shared
dnl archives by default:
_LT_UNLESS_OPTIONS([LT_INIT], [shared disable-shared], [_LT_ENABLE_SHARED])
_LT_UNLESS_OPTIONS([LT_INIT], [static disable-static], [_LT_ENABLE_STATIC])
_LT_UNLESS_OPTIONS([LT_INIT], [pic-only no-pic], [_LT_WITH_PIC])
_LT_UNLESS_OPTIONS([LT_INIT], [fast-install disable-fast-install],
[_LT_ENABLE_FAST_INSTALL])
[_LT_ENABLE_FAST_INSTALL])
_LT_UNLESS_OPTIONS([LT_INIT], [aix-soname=aix aix-soname=both aix-soname=svr4],
[_LT_WITH_AIX_SONAME([aix])])
])
])# _LT_SET_OPTIONS
@ -111,7 +114,7 @@ AU_DEFUN([AC_LIBTOOL_DLOPEN],
[_LT_SET_OPTION([LT_INIT], [dlopen])
AC_DIAGNOSE([obsolete],
[$0: Remove this warning and the call to _LT_SET_OPTION when you
put the `dlopen' option into LT_INIT's first parameter.])
put the 'dlopen' option into LT_INIT's first parameter.])
])
dnl aclocal-1.4 backwards compatibility:
@ -125,7 +128,7 @@ LT_OPTION_DEFINE([LT_INIT], [win32-dll],
[enable_win32_dll=yes
case $host in
*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-cegcc*)
*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-cegcc*)
AC_CHECK_TOOL(AS, as, false)
AC_CHECK_TOOL(DLLTOOL, dlltool, false)
AC_CHECK_TOOL(OBJDUMP, objdump, false)
@ -133,13 +136,13 @@ case $host in
esac
test -z "$AS" && AS=as
_LT_DECL([], [AS], [0], [Assembler program])dnl
_LT_DECL([], [AS], [1], [Assembler program])dnl
test -z "$DLLTOOL" && DLLTOOL=dlltool
_LT_DECL([], [DLLTOOL], [0], [DLL creation program])dnl
_LT_DECL([], [DLLTOOL], [1], [DLL creation program])dnl
test -z "$OBJDUMP" && OBJDUMP=objdump
_LT_DECL([], [OBJDUMP], [0], [Object dumper program])dnl
_LT_DECL([], [OBJDUMP], [1], [Object dumper program])dnl
])# win32-dll
AU_DEFUN([AC_LIBTOOL_WIN32_DLL],
@ -147,7 +150,7 @@ AU_DEFUN([AC_LIBTOOL_WIN32_DLL],
_LT_SET_OPTION([LT_INIT], [win32-dll])
AC_DIAGNOSE([obsolete],
[$0: Remove this warning and the call to _LT_SET_OPTION when you
put the `win32-dll' option into LT_INIT's first parameter.])
put the 'win32-dll' option into LT_INIT's first parameter.])
])
dnl aclocal-1.4 backwards compatibility:
@ -156,9 +159,9 @@ dnl AC_DEFUN([AC_LIBTOOL_WIN32_DLL], [])
# _LT_ENABLE_SHARED([DEFAULT])
# ----------------------------
# implement the --enable-shared flag, and supports the `shared' and
# `disable-shared' LT_INIT options.
# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'.
# implement the --enable-shared flag, and supports the 'shared' and
# 'disable-shared' LT_INIT options.
# DEFAULT is either 'yes' or 'no'. If omitted, it defaults to 'yes'.
m4_define([_LT_ENABLE_SHARED],
[m4_define([_LT_ENABLE_SHARED_DEFAULT], [m4_if($1, no, no, yes)])dnl
AC_ARG_ENABLE([shared],
@ -171,14 +174,14 @@ AC_ARG_ENABLE([shared],
*)
enable_shared=no
# Look at the argument we got. We use all the common list separators.
lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR,
for pkg in $enableval; do
IFS="$lt_save_ifs"
IFS=$lt_save_ifs
if test "X$pkg" = "X$p"; then
enable_shared=yes
fi
done
IFS="$lt_save_ifs"
IFS=$lt_save_ifs
;;
esac],
[enable_shared=]_LT_ENABLE_SHARED_DEFAULT)
@ -210,9 +213,9 @@ dnl AC_DEFUN([AM_DISABLE_SHARED], [])
# _LT_ENABLE_STATIC([DEFAULT])
# ----------------------------
# implement the --enable-static flag, and support the `static' and
# `disable-static' LT_INIT options.
# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'.
# implement the --enable-static flag, and support the 'static' and
# 'disable-static' LT_INIT options.
# DEFAULT is either 'yes' or 'no'. If omitted, it defaults to 'yes'.
m4_define([_LT_ENABLE_STATIC],
[m4_define([_LT_ENABLE_STATIC_DEFAULT], [m4_if($1, no, no, yes)])dnl
AC_ARG_ENABLE([static],
@ -225,14 +228,14 @@ AC_ARG_ENABLE([static],
*)
enable_static=no
# Look at the argument we got. We use all the common list separators.
lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR,
for pkg in $enableval; do
IFS="$lt_save_ifs"
IFS=$lt_save_ifs
if test "X$pkg" = "X$p"; then
enable_static=yes
fi
done
IFS="$lt_save_ifs"
IFS=$lt_save_ifs
;;
esac],
[enable_static=]_LT_ENABLE_STATIC_DEFAULT)
@ -264,9 +267,9 @@ dnl AC_DEFUN([AM_DISABLE_STATIC], [])
# _LT_ENABLE_FAST_INSTALL([DEFAULT])
# ----------------------------------
# implement the --enable-fast-install flag, and support the `fast-install'
# and `disable-fast-install' LT_INIT options.
# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'.
# implement the --enable-fast-install flag, and support the 'fast-install'
# and 'disable-fast-install' LT_INIT options.
# DEFAULT is either 'yes' or 'no'. If omitted, it defaults to 'yes'.
m4_define([_LT_ENABLE_FAST_INSTALL],
[m4_define([_LT_ENABLE_FAST_INSTALL_DEFAULT], [m4_if($1, no, no, yes)])dnl
AC_ARG_ENABLE([fast-install],
@ -279,14 +282,14 @@ AC_ARG_ENABLE([fast-install],
*)
enable_fast_install=no
# Look at the argument we got. We use all the common list separators.
lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR,
for pkg in $enableval; do
IFS="$lt_save_ifs"
IFS=$lt_save_ifs
if test "X$pkg" = "X$p"; then
enable_fast_install=yes
fi
done
IFS="$lt_save_ifs"
IFS=$lt_save_ifs
;;
esac],
[enable_fast_install=]_LT_ENABLE_FAST_INSTALL_DEFAULT)
@ -303,14 +306,14 @@ AU_DEFUN([AC_ENABLE_FAST_INSTALL],
[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[fast-install])
AC_DIAGNOSE([obsolete],
[$0: Remove this warning and the call to _LT_SET_OPTION when you put
the `fast-install' option into LT_INIT's first parameter.])
the 'fast-install' option into LT_INIT's first parameter.])
])
AU_DEFUN([AC_DISABLE_FAST_INSTALL],
[_LT_SET_OPTION([LT_INIT], [disable-fast-install])
AC_DIAGNOSE([obsolete],
[$0: Remove this warning and the call to _LT_SET_OPTION when you put
the `disable-fast-install' option into LT_INIT's first parameter.])
the 'disable-fast-install' option into LT_INIT's first parameter.])
])
dnl aclocal-1.4 backwards compatibility:
@ -318,19 +321,85 @@ dnl AC_DEFUN([AC_ENABLE_FAST_INSTALL], [])
dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], [])
# _LT_WITH_AIX_SONAME([DEFAULT])
# ----------------------------------
# implement the --with-aix-soname flag, and support the `aix-soname=aix'
# and `aix-soname=both' and `aix-soname=svr4' LT_INIT options. DEFAULT
# is either `aix', `both' or `svr4'. If omitted, it defaults to `aix'.
m4_define([_LT_WITH_AIX_SONAME],
[m4_define([_LT_WITH_AIX_SONAME_DEFAULT], [m4_if($1, svr4, svr4, m4_if($1, both, both, aix))])dnl
shared_archive_member_spec=
case $host,$enable_shared in
power*-*-aix[[5-9]]*,yes)
AC_MSG_CHECKING([which variant of shared library versioning to provide])
AC_ARG_WITH([aix-soname],
[AS_HELP_STRING([--with-aix-soname=aix|svr4|both],
[shared library versioning (aka "SONAME") variant to provide on AIX, @<:@default=]_LT_WITH_AIX_SONAME_DEFAULT[@:>@.])],
[case $withval in
aix|svr4|both)
;;
*)
AC_MSG_ERROR([Unknown argument to --with-aix-soname])
;;
esac
lt_cv_with_aix_soname=$with_aix_soname],
[AC_CACHE_VAL([lt_cv_with_aix_soname],
[lt_cv_with_aix_soname=]_LT_WITH_AIX_SONAME_DEFAULT)
with_aix_soname=$lt_cv_with_aix_soname])
AC_MSG_RESULT([$with_aix_soname])
if test aix != "$with_aix_soname"; then
# For the AIX way of multilib, we name the shared archive member
# based on the bitwidth used, traditionally 'shr.o' or 'shr_64.o',
# and 'shr.imp' or 'shr_64.imp', respectively, for the Import File.
# Even when GNU compilers ignore OBJECT_MODE but need '-maix64' flag,
# the AIX toolchain works better with OBJECT_MODE set (default 32).
if test 64 = "${OBJECT_MODE-32}"; then
shared_archive_member_spec=shr_64
else
shared_archive_member_spec=shr
fi
fi
;;
*)
with_aix_soname=aix
;;
esac
_LT_DECL([], [shared_archive_member_spec], [0],
[Shared archive member basename, for filename based shared library versioning on AIX])dnl
])# _LT_WITH_AIX_SONAME
LT_OPTION_DEFINE([LT_INIT], [aix-soname=aix], [_LT_WITH_AIX_SONAME([aix])])
LT_OPTION_DEFINE([LT_INIT], [aix-soname=both], [_LT_WITH_AIX_SONAME([both])])
LT_OPTION_DEFINE([LT_INIT], [aix-soname=svr4], [_LT_WITH_AIX_SONAME([svr4])])
# _LT_WITH_PIC([MODE])
# --------------------
# implement the --with-pic flag, and support the `pic-only' and `no-pic'
# implement the --with-pic flag, and support the 'pic-only' and 'no-pic'
# LT_INIT options.
# MODE is either `yes' or `no'. If omitted, it defaults to `both'.
# MODE is either 'yes' or 'no'. If omitted, it defaults to 'both'.
m4_define([_LT_WITH_PIC],
[AC_ARG_WITH([pic],
[AS_HELP_STRING([--with-pic],
[AS_HELP_STRING([--with-pic@<:@=PKGS@:>@],
[try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
[pic_mode="$withval"],
[pic_mode=default])
test -z "$pic_mode" && pic_mode=m4_default([$1], [default])
[lt_p=${PACKAGE-default}
case $withval in
yes|no) pic_mode=$withval ;;
*)
pic_mode=default
# Look at the argument we got. We use all the common list separators.
lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR,
for lt_pkg in $withval; do
IFS=$lt_save_ifs
if test "X$lt_pkg" = "X$lt_p"; then
pic_mode=yes
fi
done
IFS=$lt_save_ifs
;;
esac],
[pic_mode=m4_default([$1], [default])])
_LT_DECL([], [pic_mode], [0], [What type of objects to build])dnl
])# _LT_WITH_PIC
@ -343,7 +412,7 @@ AU_DEFUN([AC_LIBTOOL_PICMODE],
[_LT_SET_OPTION([LT_INIT], [pic-only])
AC_DIAGNOSE([obsolete],
[$0: Remove this warning and the call to _LT_SET_OPTION when you
put the `pic-only' option into LT_INIT's first parameter.])
put the 'pic-only' option into LT_INIT's first parameter.])
])
dnl aclocal-1.4 backwards compatibility:

7
m4/ltsugar.m4 vendored

@ -1,6 +1,7 @@
# ltsugar.m4 -- libtool m4 base layer. -*-Autoconf-*-
#
# Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc.
# Copyright (C) 2004-2005, 2007-2008, 2011-2015 Free Software
# Foundation, Inc.
# Written by Gary V. Vaughan, 2004
#
# This file is free software; the Free Software Foundation gives
@ -33,7 +34,7 @@ m4_define([_lt_join],
# ------------
# Manipulate m4 lists.
# These macros are necessary as long as will still need to support
# Autoconf-2.59 which quotes differently.
# Autoconf-2.59, which quotes differently.
m4_define([lt_car], [[$1]])
m4_define([lt_cdr],
[m4_if([$#], 0, [m4_fatal([$0: cannot be called without arguments])],
@ -44,7 +45,7 @@ m4_define([lt_unquote], $1)
# lt_append(MACRO-NAME, STRING, [SEPARATOR])
# ------------------------------------------
# Redefine MACRO-NAME to hold its former content plus `SEPARATOR'`STRING'.
# Redefine MACRO-NAME to hold its former content plus 'SEPARATOR''STRING'.
# Note that neither SEPARATOR nor STRING are expanded; they are appended
# to MACRO-NAME as is (leaving the expansion for when MACRO-NAME is invoked).
# No SEPARATOR is output if MACRO-NAME was previously undefined (different

14
m4/ltversion.m4 vendored

@ -1,23 +1,23 @@
# ltversion.m4 -- version numbers -*- Autoconf -*-
#
# Copyright (C) 2004 Free Software Foundation, Inc.
# Copyright (C) 2004, 2011-2015 Free Software Foundation, Inc.
# Written by Scott James Remnant, 2004
#
# This file is free software; the Free Software Foundation gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
# Generated from ltversion.in.
# @configure_input@
# serial 3017 ltversion.m4
# serial 4179 ltversion.m4
# This file is part of GNU Libtool
m4_define([LT_PACKAGE_VERSION], [2.2.6b])
m4_define([LT_PACKAGE_REVISION], [1.3017])
m4_define([LT_PACKAGE_VERSION], [2.4.6])
m4_define([LT_PACKAGE_REVISION], [2.4.6])
AC_DEFUN([LTVERSION_VERSION],
[macro_version='2.2.6b'
macro_revision='1.3017'
[macro_version='2.4.6'
macro_revision='2.4.6'
_LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?])
_LT_DECL(, macro_revision, 0)
])
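Review bot: this bump of the vendored libtool macros from 2.2.6b to 2.4.6 should be checked as the output of one consistent libtoolize run rather than a hand edit: the header in this hunk says `# Generated from ltversion.in.` and `# @configure_input@`, so the file is meant to be regenerated, and the serial lines of the sibling files on this page (`# serial 8 ltoptions.m4`, `# serial 5 lt~obsolete.m4`) need to come from the same release as `# serial 4179 ltversion.m4`; a mixed set can surface as macro mismatch errors at autoreconf time.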

17
m4/lt~obsolete.m4 vendored

@ -1,17 +1,18 @@
# lt~obsolete.m4 -- aclocal satisfying obsolete definitions. -*-Autoconf-*-
#
# Copyright (C) 2004, 2005, 2007 Free Software Foundation, Inc.
# Copyright (C) 2004-2005, 2007, 2009, 2011-2015 Free Software
# Foundation, Inc.
# Written by Scott James Remnant, 2004.
#
# This file is free software; the Free Software Foundation gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
# serial 4 lt~obsolete.m4
# serial 5 lt~obsolete.m4
# These exist entirely to fool aclocal when bootstrapping libtool.
#
# In the past libtool.m4 has provided macros via AC_DEFUN (or AU_DEFUN)
# In the past libtool.m4 has provided macros via AC_DEFUN (or AU_DEFUN),
# which have later been changed to m4_define as they aren't part of the
# exported API, or moved to Autoconf or Automake where they belong.
#
@ -25,7 +26,7 @@
# included after everything else. This provides aclocal with the
# AC_DEFUNs it wants, but when m4 processes it, it doesn't do anything
# because those macros already exist, or will be overwritten later.
# We use AC_DEFUN over AU_DEFUN for compatibility with aclocal-1.6.
# We use AC_DEFUN over AU_DEFUN for compatibility with aclocal-1.6.
#
# Anytime we withdraw an AC_DEFUN or AU_DEFUN, remember to add it here.
# Yes, that means every name once taken will need to remain here until
@ -77,7 +78,6 @@ m4_ifndef([AC_DISABLE_FAST_INSTALL], [AC_DEFUN([AC_DISABLE_FAST_INSTALL])])
m4_ifndef([_LT_AC_LANG_CXX], [AC_DEFUN([_LT_AC_LANG_CXX])])
m4_ifndef([_LT_AC_LANG_F77], [AC_DEFUN([_LT_AC_LANG_F77])])
m4_ifndef([_LT_AC_LANG_GCJ], [AC_DEFUN([_LT_AC_LANG_GCJ])])
m4_ifndef([AC_LIBTOOL_RC], [AC_DEFUN([AC_LIBTOOL_RC])])
m4_ifndef([AC_LIBTOOL_LANG_C_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG])])
m4_ifndef([_LT_AC_LANG_C_CONFIG], [AC_DEFUN([_LT_AC_LANG_C_CONFIG])])
m4_ifndef([AC_LIBTOOL_LANG_CXX_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG])])
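Review bot: the single-line removal in this hunk drops the `m4_ifndef([AC_LIBTOOL_RC], [AC_DEFUN([AC_LIBTOOL_RC])])` placeholder, which is at odds with the rule stated a few lines earlier in the same file ("every name once taken will need to remain here"). Confirm that the 2.4.6 libtool.m4 (whose diff is suppressed on this page) now defines AC_LIBTOOL_RC itself; if it does, nothing further is needed, otherwise the placeholder has to stay for any configure.ac that still calls it.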
@ -90,3 +90,10 @@ m4_ifndef([AC_LIBTOOL_LANG_RC_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG])])
m4_ifndef([_LT_AC_LANG_RC_CONFIG], [AC_DEFUN([_LT_AC_LANG_RC_CONFIG])])
m4_ifndef([AC_LIBTOOL_CONFIG], [AC_DEFUN([AC_LIBTOOL_CONFIG])])
m4_ifndef([_LT_AC_FILE_LTDLL_C], [AC_DEFUN([_LT_AC_FILE_LTDLL_C])])
m4_ifndef([_LT_REQUIRED_DARWIN_CHECKS], [AC_DEFUN([_LT_REQUIRED_DARWIN_CHECKS])])
m4_ifndef([_LT_AC_PROG_CXXCPP], [AC_DEFUN([_LT_AC_PROG_CXXCPP])])
m4_ifndef([_LT_PREPARE_SED_QUOTE_VARS], [AC_DEFUN([_LT_PREPARE_SED_QUOTE_VARS])])
m4_ifndef([_LT_PROG_ECHO_BACKSLASH], [AC_DEFUN([_LT_PROG_ECHO_BACKSLASH])])
m4_ifndef([_LT_PROG_F77], [AC_DEFUN([_LT_PROG_F77])])
m4_ifndef([_LT_PROG_FC], [AC_DEFUN([_LT_PROG_FC])])
m4_ifndef([_LT_PROG_CXX], [AC_DEFUN([_LT_PROG_CXX])])

@ -1,22 +1,41 @@
## Process this file with automake to produce Makefile.in
# by Michal Trojnara 2015-2017
###############################################################################
# File lists #
###############################################################################
# File lists
common_headers = common.h prototypes.h version.h
common_sources = str.c file.c client.c log.c options.c protocol.c network.c
common_sources += resolver.c ssl.c ctx.c verify.c sthreads.c fd.c stunnel.c
unix_sources = pty.c libwrap.c
common_sources = tls.c str.c file.c client.c log.c options.c protocol.c
common_sources += network.c resolver.c ssl.c ctx.c verify.c sthreads.c
common_sources += fd.c dhparam.c cron.c stunnel.c
unix_sources = pty.c libwrap.c ui_unix.c
shared_sources = env.c
win32_sources = gui.c resources.h resources.rc stunnel.ico
win32_gui_sources = ui_win_gui.c resources.h resources.rc
win32_gui_sources += stunnel.ico active.ico error.ico idle.ico
win32_cli_sources = ui_win_cli.c
###############################################################################
# Generate a new set of DH parameters for each version #
###############################################################################
dhparam.c: version.h
echo '#include "common.h"' >dhparam.c
echo '#ifndef OPENSSL_NO_DH' >>dhparam.c
echo '#define DN_new DH_new' >>dhparam.c
openssl dhparam -noout -C 2048 >>dhparam.c
echo '#endif /* OPENSSL_NO_DH */' >>dhparam.c
###############################################################################
# Unix executables and shared library #
###############################################################################
# Unix executables
bin_PROGRAMS = stunnel
stunnel_SOURCES = $(common_headers) $(common_sources) $(unix_sources)
bin_SCRIPTS = stunnel3
# Unix shared library
pkglib_LTLIBRARIES = libstunnel.la
libstunnel_la_SOURCES = $(shared_sources)
libstunnel_la_LDFLAGS = -avoid-version
EXTRA_DIST = stunnel3.in
CLEANFILES = stunnel3
# Red Hat "by design" bug #82369
stunnel_CPPFLAGS = -I/usr/kerberos/include
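Review bot: the `dhparam.c: version.h` rule writes straight into dhparam.c with `>` and `>>`, so if `openssl dhparam -noout -C 2048 >>dhparam.c` fails (openssl missing from PATH, or the build interrupted during the multi-minute generation) a truncated dhparam.c with a fresh timestamp is left behind and the next `make` treats it as up to date, giving a confusing compile error instead of a regeneration. Generate into a temporary file and `mv` it into place only on success, or declare `.DELETE_ON_ERROR:`. The `echo '#define DN_new DH_new' >>dhparam.c` line also needs a comment explaining why it is there, since nothing in the file says what it compensates for.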
@ -25,49 +44,41 @@ stunnel_CPPFLAGS = -I/usr/kerberos/include
stunnel_CPPFLAGS += -I$(SSLDIR)/include
stunnel_CPPFLAGS += -DLIBDIR='"$(pkglibdir)"'
stunnel_CPPFLAGS += -DCONFDIR='"$(sysconfdir)/stunnel"'
stunnel_CPPFLAGS += -DPIDFILE='"$(localstatedir)/run/stunnel/stunnel.pid"'
# SSL library
# TLS library
stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto
# Win32 executable
EXTRA_DIST = nogui.c make.bat makece.bat makew32.bat
EXTRA_DIST += mingw.mak evc.mak vc.mak os2.mak
EXTRA_PROGRAMS = stunnel.exe
stunnel_exe_SOURCES = $(common_headers) $(common_sources) $(win32_sources)
# stunnel3 script
edit = sed \
-e 's|@bindir[@]|$(bindir)|g'
stunnel3: Makefile
$(edit) '$(srcdir)/$@.in' >$@
stunnel3: $(srcdir)/stunnel3.in
OPENSSLDIR = /usr/src/openssl-0.9.8s-fips
WINCPPFLAGS = -I$(OPENSSLDIR)/inc32
# OPENSSLDIR = /usr/src/openssl-1.0.0f-i586
# WINCPPFLAGS = -I$(OPENSSLDIR)/include
WINCFLAGS = -mthreads -fstack-protector -O2 -Wall -Wextra -Wno-long-long -pedantic
WINLDFLAGS = -mthreads -fstack-protector -mwindows -s
WINLIBS = -L$(OPENSSLDIR) -lcrypto -lssl -lpsapi -lws2_32 -lgdi32
# WINLIBS = -L$(OPENSSLDIR) -lzdll -lcrypto.dll -lssl.dll -lpsapi -lws2_32 -lgdi32
# WINLIBS = -L$(OPENSSLDIR) -lzdll -lcrypto -lssl -lpsapi -lws2_32 -lgdi32
WINOBJ = str.obj file.obj client.obj log.obj options.obj protocol.obj
WINOBJ += network.obj resolver.obj ssl.obj ctx.obj verify.obj sthreads.obj
WINOBJ += fd.obj stunnel.obj gui.obj resources.obj
WINPREFIX = i586-mingw32msvc-
WINGCC = $(WINPREFIX)gcc
WINDRES = $(WINPREFIX)windres
# Unix shared library
pkglib_LTLIBRARIES = libstunnel.la
libstunnel_la_SOURCES = $(shared_sources)
libstunnel_la_LDFLAGS = -avoid-version
dist-hook: stunnel.exe
###############################################################################
# Win32 executables #
###############################################################################
distclean-local:
rm -f stunnel.exe
if AUTHOR_TESTS
# Just check if the programs can be built, don't perform any actual tests
#check-local: mingw mingw64
endif
# SUFFIXES = .c .rc .obj
mingw:
$(MAKE) -f $(srcdir)/mingw.mk srcdir=$(srcdir) win32_targetcpu=i686 win32_mingw=mingw
mingw64:
$(MAKE) -f $(srcdir)/mingw.mk srcdir=$(srcdir) win32_targetcpu=x86_64 win32_mingw=mingw64
.PHONY: mingw mingw64
stunnel.exe: $(WINOBJ)
$(WINGCC) $(WINLDFLAGS) -o stunnel.exe $(WINOBJ) $(WINLIBS)
%.obj: %.c $(common_headers)
$(WINGCC) -c $(WINCPPFLAGS) $(WINCFLAGS) -o $@ $<
resources.obj: resources.rc resources.h version.h
$(WINDRES) --include-dir $(srcdir) $< $@
mostlyclean-local:
-rm -f *.obj
clean-local:
rm -rf ../obj ../bin
# Remaining files to be included
EXTRA_DIST += $(win32_gui_sources) $(win32_cli_sources)
EXTRA_DIST += make.bat makece.bat makew32.bat
EXTRA_DIST += mingw.mk mingw.mak evc.mak vc.mak os2.mak
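Review bot: the new `-DPIDFILE='"$(localstatedir)/run/stunnel/stunnel.pid"'` bakes in a directory that nothing in this Makefile creates, so a fresh `make install` produces a binary whose default pid file cannot be written until packaging or the administrator creates `$(localstatedir)/run/stunnel`; add an install hook for the directory or document the requirement next to the define. Separately, `clean-local:` running `rm -rf ../obj ../bin` deletes whole trees by a bare relative path that is tied to no variable in this file; expressing them via `$(top_builddir)` makes it explicit which directories the mingw targets populate and which `clean` is allowed to remove.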

BIN
src/active.ico Normal file

@ -1,24 +1,24 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
@ -26,7 +26,7 @@
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
@ -40,7 +40,6 @@
#include "version.h"
/**************************************** common constants */
#define LIBWRAP_CLIENTS 5
@ -49,7 +48,7 @@
#define DEFAULT_STACK_SIZE 65536
/* #define DEBUG_STACK_SIZE */
/* I/O buffer size - 18432 is the maximum size of SSL record payload */
/* I/O buffer size: 18432 (0x4800) is the maximum size of TLS record payload */
#define BUFFSIZE 18432
/* how many bytes of random input to read from files for PRNG */
@ -62,6 +61,12 @@
/* additional diagnostic messages */
/* #define DEBUG_FD_ALLOC */
#ifdef DEBUG_INFO
#define NOEXPORT
#else
#define NOEXPORT static
#endif
/**************************************** platform */
#ifdef _WIN32
@ -70,20 +75,32 @@
#ifdef _WIN32_WCE
#define USE_WIN32
typedef int socklen_t;
typedef int socklen_t;
#endif
#ifdef USE_WIN32
typedef signed char int8_t;
typedef signed short int16_t;
typedef signed int int32_t;
typedef signed long long int64_t;
typedef unsigned char uint8_t;
typedef unsigned short uint16_t;
typedef unsigned int uint32_t;
typedef unsigned long long uint64_t;
#ifndef __MINGW32__
#ifdef _WIN64
typedef __int64 ssize_t;
#else /* _WIN64 */
typedef int ssize_t;
#endif /* _WIN64 */
#endif /* !__MINGW32__ */
#define PATH_MAX MAX_PATH
#define USE_IPv6
#define _CRT_SECURE_NO_DEPRECATE
#define _CRT_NONSTDC_NO_DEPRECATE
#define HAVE_OSSL_ENGINE_H
#define HAVE_OSSL_OCSP_H
/* prevent including wincrypt.h, as it defines it's own OCSP_RESPONSE */
#define _CRT_NON_CONFORMING_SWPRINTFS
/* prevent including wincrypt.h, as it defines its own OCSP_RESPONSE */
#define __WINCRYPT_H__
#endif
#ifdef USE_WIN32
#define S_EADDRINUSE WSAEADDRINUSE
/* winsock does not define WSAEAGAIN */
/* in most (but not all!) BSD implementations EAGAIN==EWOULDBLOCK */
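Review bot: the block of `typedef signed char int8_t;` through `typedef unsigned long long uint64_t;` under `#ifdef USE_WIN32` is unconditional, whereas only the `ssize_t` typedef is guarded by `#ifndef __MINGW32__`; on a Windows toolchain whose `<stdint.h>` is also pulled in (this same diff adds `#include <stdint.h>` under HAVE_STDINT_H) these become duplicate typedefs, which older C99 compilers reject and newer ones only tolerate when the definitions are identical. Guard the fixed-width typedefs with the same `__MINGW32__`/HAVE_STDINT_H condition, or drop them in favour of the header where it exists.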
@ -158,9 +175,17 @@ typedef int socklen_t;
#include <pthread.h>
#endif
/* TCP wrapper */
#if defined HAVE_TCPD_H && defined HAVE_LIBWRAP
#define USE_LIBWRAP 1
/* systemd */
#ifdef USE_SYSTEMD
#include <systemd/sd-daemon.h>
#endif
#ifdef HAVE_STDINT_H
#include <stdint.h>
#endif
#ifdef HAVE_INTTYPES_H
#include <inttypes.h>
#endif
/* must be included before sys/stat.h for Ultrix */
@ -185,10 +210,6 @@ typedef int socklen_t;
#ifdef USE_WIN32
typedef unsigned char u8;
typedef unsigned short u16;
typedef unsigned long u32;
#define HAVE_STRUCT_ADDRINFO
#define HAVE_SNPRINTF
#define snprintf _snprintf
@ -202,10 +223,9 @@ typedef unsigned long u32;
#define set_last_socket_error(e) WSASetLastError(e)
#define get_last_error() GetLastError()
#define set_last_error(e) SetLastError(e)
#define readsocket(s,b,n) recv((s),(b),(n),0)
#define writesocket(s,b,n) send((s),(b),(n),0)
#define readsocket(s,b,n) recv((s),(b),(int)(n),0)
#define writesocket(s,b,n) send((s),(b),(int)(n),0)
/* #define FD_SETSIZE 4096 */
/* #define Win32_Winsock */
#define __USE_W32_SOCKETS
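Review bot: `readsocket(s,b,n)` and `writesocket(s,b,n)` now cast the length with `(int)(n)`, which silences the size_t-to-int warning but silently wraps any length above INT_MAX into a negative count handed to recv()/send(). With BUFFSIZE fixed at 18432 that cannot happen today; state the invariant in a comment at the macros (or assert it at the call sites) so a future larger buffer does not reintroduce the problem unnoticed.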
@ -216,6 +236,7 @@ typedef unsigned long u32;
#include <windows.h>
#include <process.h> /* _beginthread */
#include <shlobj.h> /* SHGetFolderPath */
#include <tchar.h>
#include "resources.h"
@ -224,22 +245,6 @@ typedef unsigned long u32;
#else /* USE_WIN32 */
#if SIZEOF_UNSIGNED_CHAR == 1
typedef unsigned char u8;
#endif
#if SIZEOF_UNSIGNED_SHORT == 2
typedef unsigned short u16;
#else
typedef unsigned int u16;
#endif
#if SIZEOF_UNSIGNED_INT == 4
typedef unsigned int u32;
#else
typedef unsigned long u32;
#endif
#ifdef __INNOTEK_LIBC__
#define socklen_t __socklen_t
#define strcasecmp stricmp
@ -265,10 +270,12 @@ typedef unsigned long u32;
#define ioctlsocket(a,b,c) ioctl((a),(b),(c))
#endif
typedef int SOCKET;
#define INVALID_SOCKET (-1)
/* OpenVMS compatibility */
#ifdef __vms
#define LIBDIR "__NA__"
#define PIDFILE "SYS$LOGIN:STUNNEL.PID"
#ifdef __alpha
#define HOST "alpha-openvms"
#else
@ -283,6 +290,9 @@ typedef unsigned long u32;
/* Unix-specific headers */
#include <signal.h> /* signal */
#include <sys/wait.h> /* wait */
#ifdef HAVE_LIMITS_H
#include <limits.h> /* INT_MAX */
#endif
#ifdef HAVE_SYS_RESOURCE_H
#include <sys/resource.h> /* getrlimit */
#endif
@ -298,6 +308,7 @@ typedef unsigned long u32;
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h> /* for aix */
#endif
#include <dirent.h>
#if defined(HAVE_POLL) && !defined(BROKEN_POLL)
#ifdef HAVE_POLL_H
@ -326,6 +337,7 @@ typedef unsigned long u32;
#include <sys/uio.h> /* struct iovec */
#endif /* HAVE_SYS_UIO_H */
/* BSD sockets */
#include <netinet/in.h> /* struct sockaddr_in */
#include <sys/socket.h> /* getpeername */
#include <arpa/inet.h> /* inet_ntoa */
@ -383,83 +395,108 @@ extern char *sys_errlist[];
#include <linux/netfilter_ipv4.h>
#endif /* HAVE_LINUX_NETFILTER_IPV4_H */
#endif /* __linux__ */
#ifdef HAVE_SYS_SYSCALL_H
#include <sys/syscall.h> /* SYS_gettid */
#endif
#ifdef HAVE_LINUX_SCHED_H
#include <linux/sched.h> /* SCHED_BATCH */
#endif
#endif /* USE_WIN32 */
#ifndef S_ISREG
#define S_ISREG(m) (((m)&S_IFMT)==S_IFREG)
#endif
/**************************************** OpenSSL headers */
#define OPENSSL_THREAD_DEFINES
#include <openssl/opensslconf.h>
#if defined(USE_PTHREAD) && !(defined(OPENSSL_THREADS) || \
(OPENSSL_VERSION_NUMBER<0x0090700fL && defined(THREADS)))
/* opensslv.h requires prior opensslconf.h to include -fips in version string */
#include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER<0x0090700fL
#error OpenSSL 0.9.7 or later is required
#endif /* OpenSSL older than 0.9.7 */
#if defined(USE_PTHREAD) && !defined(OPENSSL_THREADS)
#error OpenSSL library compiled without thread support
#endif /* !OPENSSL_THREADS && USE_PTHREAD */
#if defined (USE_WIN32) && defined(OPENSSL_FIPS)
#define USE_FIPS
#endif
/* OpenSSL 0.9.6 comp.h needs ZLIB macro to declare COMP_zlib() */
#define ZLIB
#include <openssl/lhash.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/crypto.h> /* for CRYPTO_* and SSLeay_version */
#include <openssl/rand.h>
#ifndef OPENSSL_NO_MD4
#include <openssl/md4.h>
#endif
#include <openssl/des.h>
#ifdef HAVE_OSSL_ENGINE_H
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#else
#undef HAVE_OSSL_ENGINE_H
#endif
#endif /* HAVE_OSSL_ENGINE_H */
#if OPENSSL_VERSION_NUMBER<0x0090800fL
#define OPENSSL_NO_ECDH
#define OPENSSL_NO_COMP
#endif /* OpenSSL older than 0.9.8 */
/* non-blocking OCSP API is not available before OpenSSL 0.9.8h */
#if OPENSSL_VERSION_NUMBER<0x00908080L
#ifdef HAVE_OSSL_OCSP_H
#undef HAVE_OSSL_OCSP_H
#endif /* HAVE_OSSL_OCSP_H */
#ifndef OPENSSL_NO_OCSP
#define OPENSSL_NO_OCSP
#endif /* !defined(OPENSSL_NO_OCSP) */
#endif /* OpenSSL older than 0.9.8h */
#ifdef HAVE_OSSL_OCSP_H
#include <openssl/ocsp.h>
#endif /* HAVE_OSSL_OCSP_H */
#ifdef USE_FIPS
#include <openssl/fips.h>
#include <openssl/fips_rand.h>
#endif /* USE_FIPS */
#if OPENSSL_VERSION_NUMBER<0x0090800fL
#define OPENSSL_NO_ECDH
#endif /* OpenSSL version < 0.8.0 */
#if OPENSSL_VERSION_NUMBER<0x00908060L
#define OPENSSL_NO_TLSEXT
#endif /* OpenSSL older than 0.9.8f */
#if OPENSSL_VERSION_NUMBER<0x10000000L
#define OPENSSL_NO_TLSEXT
#endif /* OpenSSL version < 1.0.0 */
#define OPENSSL_NO_PSK
#endif /* OpenSSL older than 1.0.0 */
#if OPENSSL_VERSION_NUMBER<0x10001000L || defined(OPENSSL_NO_TLS1)
#define OPENSSL_NO_TLS1_1
#define OPENSSL_NO_TLS1_2
#endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */
#if OPENSSL_VERSION_NUMBER>=0x10100000L
#ifndef OPENSSL_NO_SSL2
#define OPENSSL_NO_SSL2
#endif /* !defined(OPENSSL_NO_SSL2) */
#else /* OpenSSL older than 1.1.0 */
#define X509_STORE_CTX_get0_chain(x) X509_STORE_CTX_get_chain(x)
#endif /* OpenSSL 1.1.0 or newer */
#if defined(USE_WIN32) && defined(OPENSSL_FIPS)
#define USE_FIPS
#endif
#include <openssl/lhash.h>
#include <openssl/ssl.h>
#include <openssl/ui.h>
#include <openssl/err.h>
#include <openssl/crypto.h> /* for CRYPTO_* and SSLeay_version */
#include <openssl/rand.h>
#include <openssl/bn.h>
#include <openssl/pkcs12.h>
#ifndef OPENSSL_NO_MD4
#include <openssl/md4.h>
#endif /* !defined(OPENSSL_NO_MD4) */
#include <openssl/des.h>
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#if OPENSSL_VERSION_NUMBER<0x10100000L
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
#endif /* OpenSSL older than 1.1.0 */
#endif /* !defined(OPENSSL_NO_DH) */
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif /* !defined(OPENSSL_NO_ENGINE) */
#ifndef OPENSSL_NO_OCSP
#include <openssl/ocsp.h>
#endif /* !defined(OPENSSL_NO_OCSP) */
#ifndef OPENSSL_NO_COMP
/* not defined in public headers before OpenSSL 0.9.8 */
STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
#endif /* OPENSSL_NO_COMP */
#endif /* !defined(OPENSSL_NO_COMP) */
#ifndef OPENSSL_VERSION
#define OPENSSL_VERSION SSLEAY_VERSION
#define OpenSSL_version_num() SSLeay()
#define OpenSSL_version(x) SSLeay_version(x)
#endif
/**************************************** other defines */
/* change all non-printable characters to '.' */
#define safestring(s) \
do {unsigned char *p; for(p=(unsigned char *)(s); *p; p++) \
if(!isprint((int)*p)) *p='.';} while(0)
/* change all unsafe characters to '.' */
#define safename(s) \
do {unsigned char *p; for(p=(s); *p; p++) \
if(!isalnum((int)*p)) *p='.';} while(0)
/* always use IPv4 defaults! */
#define DEFAULT_LOOPBACK "127.0.0.1"
#define DEFAULT_ANY "0.0.0.0"
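Review bot: `safename` assigns its argument to `unsigned char *p` with a bare `for(p=(s); *p; p++)`, while `safestring` right above it casts with `(unsigned char *)(s)`; a `char *` argument therefore draws an incompatible-pointer-types diagnostic from `safename` only (the value path is fine, since `*p` is already unsigned), so add the same cast. Two smaller points in the same hunk: the `#endif` after `#if OPENSSL_VERSION_NUMBER<0x0090800fL` is commented `/* OpenSSL version < 0.8.0 */` although the constant is 0.9.8, and `<openssl/ocsp.h>` is now included both under `HAVE_OSSL_OCSP_H` and under `!OPENSSL_NO_OCSP`; since config.h.in drops `HAVE_OSSL_OCSP_H` in this same change, the older guarded block (including the `#undef HAVE_OSSL_OCSP_H` step) is dead and can go.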
@ -480,7 +517,7 @@ STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
#endif /* defined (USE_WIN32) || defined (__vms) */
#ifndef offsetof
#define offsetof(T, F) ((unsigned int)((char *)&((T *)0L)->F - (char *)0L))
#define offsetof(T, F) ((unsigned)((char *)&((T *)0L)->F - (char *)0L))
#endif
#endif /* defined COMMON_H */
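Review bot: the fallback `offsetof` under `#ifndef offsetof` still forms a member pointer from `(T *)0L` and subtracts `(char *)0L`, which is undefined behaviour that current compilers flag, and changing the cast from `unsigned int` to `unsigned` does nothing about that. `offsetof` has been in `<stddef.h>` since C89 on every platform this header targets; include that header and drop the fallback, or leave a comment naming the one platform that still needs it.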


@ -27,6 +27,9 @@
/* Define to 1 if you have the `endhostent' function. */
#undef HAVE_ENDHOSTENT
/* Define to 1 if you have the `FIPS_mode_set' function. */
#undef HAVE_FIPS_MODE_SET
/* Define to 1 if you have 'getaddrinfo' function. */
#undef HAVE_GETADDRINFO
@ -48,18 +51,18 @@
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
/* Define to 1 if you have 'libpthread' library. */
#undef HAVE_LIBPTHREAD
/* Define to 1 if you have the <libutil.h> header file. */
#undef HAVE_LIBUTIL_H
/* Define to 1 if you have 'libwrap' library. */
#undef HAVE_LIBWRAP
/* Define to 1 if you have the <limits.h> header file. */
#undef HAVE_LIMITS_H
/* Define to 1 if you have the <linux/netfilter_ipv4.h> header file. */
#undef HAVE_LINUX_NETFILTER_IPV4_H
/* Define to 1 if you have the <linux/sched.h> header file. */
#undef HAVE_LINUX_SCHED_H
/* Define to 1 if you have the `localtime_r' function. */
#undef HAVE_LOCALTIME_R
@ -75,12 +78,6 @@
/* Define to 1 if you have the `openpty' function. */
#undef HAVE_OPENPTY
/* Define to 1 if you have <engine.h> header file. */
#undef HAVE_OSSL_ENGINE_H
/* Define to 1 if you have <ocsp.h> header file. */
#undef HAVE_OSSL_OCSP_H
/* Define to 1 if you have the `pipe2' function. */
#undef HAVE_PIPE2
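Review bot: with `HAVE_OSSL_ENGINE_H` and `HAVE_OSSL_OCSP_H` removed from the template, the `#ifdef HAVE_OSSL_OCSP_H` / `#undef HAVE_OSSL_OCSP_H` block that src/common.h still carries in this same change can never trigger, and the engine header is now included under `OPENSSL_NO_ENGINE` instead; remove the stale guards from common.h so both files agree that the OpenSSL `OPENSSL_NO_*` macros, not configure probes, decide OCSP and ENGINE support.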
@ -90,15 +87,24 @@
/* Define to 1 if you have the <poll.h> header file. */
#undef HAVE_POLL_H
/* Define if you have POSIX threads libraries and header files. */
#undef HAVE_PTHREAD
/* Define to 1 if you have the <pthread.h> header file. */
#undef HAVE_PTHREAD_H
/* Have PTHREAD_PRIO_INHERIT. */
#undef HAVE_PTHREAD_PRIO_INHERIT
/* Define to 1 if you have the `pthread_sigmask' function. */
#undef HAVE_PTHREAD_SIGMASK
/* Define to 1 if you have the <pty.h> header file. */
#undef HAVE_PTY_H
/* Define to 1 if you have the `realpath' function. */
#undef HAVE_REALPATH
/* Define to 1 if you have the `setgroups' function. */
#undef HAVE_SETGROUPS
@ -135,6 +141,9 @@
/* Define to 1 if you have the `sysconf' function. */
#undef HAVE_SYSCONF
/* Define to 1 if you have the <systemd/sd-daemon.h> header file. */
#undef HAVE_SYSTEMD_SD_DAEMON_H
/* Define to 1 if you have the <sys/filio.h> header file. */
#undef HAVE_SYS_FILIO_H
@ -156,6 +165,9 @@
/* Define to 1 if you have the <sys/stat.h> header file. */
#undef HAVE_SYS_STAT_H
/* Define to 1 if you have the <sys/syscall.h> header file. */
#undef HAVE_SYS_SYSCALL_H
/* Define to 1 if you have the <sys/types.h> header file. */
#undef HAVE_SYS_TYPES_H
@ -195,13 +207,9 @@
/* Host description */
#undef HOST
/* Define to the sub-directory in which libtool stores uninstalled libraries.
*/
/* Define to the sub-directory where libtool stores uninstalled libraries. */
#undef LT_OBJDIR
/* Define to 1 if your C compiler doesn't accept -c and -o together. */
#undef NO_MINUS_C_MINUS_O
/* Name of package */
#undef PACKAGE
@ -223,28 +231,20 @@
/* Define to the version of this package. */
#undef PACKAGE_VERSION
/* Define to necessary symbol if this constant uses a non-standard name on
your system. */
#undef PTHREAD_CREATE_JOINABLE
/* Random file path */
#undef RANDOM_FILE
/* The size of `unsigned char', as computed by sizeof. */
#undef SIZEOF_UNSIGNED_CHAR
/* The size of `unsigned int', as computed by sizeof. */
#undef SIZEOF_UNSIGNED_INT
/* The size of `unsigned long', as computed by sizeof. */
#undef SIZEOF_UNSIGNED_LONG
/* The size of `unsigned short', as computed by sizeof. */
#undef SIZEOF_UNSIGNED_SHORT
/* SSL directory */
/* TLS directory */
#undef SSLDIR
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
/* Define to 1 to enable OpenSSL FIPS mode. */
/* Define to 1 to enable OpenSSL FIPS support */
#undef USE_FIPS
/* Define to 1 to select FORK mode */
@ -253,17 +253,99 @@
/* Define to 1 to enable IPv6 support */
#undef USE_IPv6
/* Define to 1 to enable TCP wrappers support */
#undef USE_LIBWRAP
/* Define to 1 to select PTHREAD mode */
#undef USE_PTHREAD
/* Define to 1 to enable systemd socket activation */
#undef USE_SYSTEMD
/* Define to 1 to select UCONTEXT mode */
#undef USE_UCONTEXT
/* Version number of package */
#undef VERSION
/* Use Darwin source */
#undef _DARWIN_C_SOURCE
/* Enable large inode numbers on Mac OS X 10.5. */
#ifndef _DARWIN_USE_64_BIT_INODE
# define _DARWIN_USE_64_BIT_INODE 1
#endif
/* Number of bits in a file offset, on hosts where this is settable. */
#undef _FILE_OFFSET_BITS
/* Use GNU source */
#undef _GNU_SOURCE
/* Define for large files, on AIX-style hosts. */
#undef _LARGE_FILES
/* Define for Solaris 2.5.1 so the uint32_t typedef from <sys/synch.h>,
<pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
#define below would cause a syntax error. */
#undef _UINT32_T
/* Define for Solaris 2.5.1 so the uint64_t typedef from <sys/synch.h>,
<pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
#define below would cause a syntax error. */
#undef _UINT64_T
/* Define for Solaris 2.5.1 so the uint8_t typedef from <sys/synch.h>,
<pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
#define below would cause a syntax error. */
#undef _UINT8_T
/* Use X/Open 5 with POSIX 1995 */
#undef _XOPEN_SOURCE
/* Define to `int' if <sys/types.h> doesn't define. */
#undef gid_t
/* Define to the type of a signed integer type of width exactly 16 bits if
such a type exists and the standard includes do not define it. */
#undef int16_t
/* Define to the type of a signed integer type of width exactly 32 bits if
such a type exists and the standard includes do not define it. */
#undef int32_t
/* Define to the type of a signed integer type of width exactly 64 bits if
such a type exists and the standard includes do not define it. */
#undef int64_t
/* Define to the type of a signed integer type of width exactly 8 bits if such
a type exists and the standard includes do not define it. */
#undef int8_t
/* Define to `unsigned int' if <sys/types.h> does not define. */
#undef size_t
/* Type of socklen_t */
#undef socklen_t
/* Define to `int' if <sys/types.h> does not define. */
#undef ssize_t
/* Define to `int' if <sys/types.h> doesn't define. */
#undef uid_t
/* Define to the type of an unsigned integer type of width exactly 16 bits if
such a type exists and the standard includes do not define it. */
#undef uint16_t
/* Define to the type of an unsigned integer type of width exactly 32 bits if
such a type exists and the standard includes do not define it. */
#undef uint32_t
/* Define to the type of an unsigned integer type of width exactly 64 bits if
such a type exists and the standard includes do not define it. */
#undef uint64_t
/* Define to the type of an unsigned integer type of width exactly 8 bits if
such a type exists and the standard includes do not define it. */
#undef uint8_t

src/cron.c (new file, 201 lines)

@ -0,0 +1,201 @@
/*
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
#ifdef USE_PTHREAD
NOEXPORT void *cron_thread(void *arg);
#endif
#ifdef USE_WIN32
NOEXPORT void cron_thread(void *arg);
#endif
#if defined(USE_PTHREAD) || defined(USE_WIN32)
NOEXPORT void cron_worker(void);
NOEXPORT void cron_dh_param(void);
#endif
#if defined(USE_PTHREAD)
int cron_init() {
pthread_t thread;
pthread_attr_t pth_attr;
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
sigset_t new_set, old_set;
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
sigfillset(&new_set);
pthread_sigmask(SIG_SETMASK, &new_set, &old_set); /* block signals */
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
pthread_attr_init(&pth_attr);
pthread_attr_setdetachstate(&pth_attr, PTHREAD_CREATE_DETACHED);
if(pthread_create(&thread, &pth_attr, cron_thread, NULL))
ioerror("pthread_create");
pthread_attr_destroy(&pth_attr);
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
pthread_sigmask(SIG_SETMASK, &old_set, NULL); /* unblock signals */
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
return 0;
}
NOEXPORT void *cron_thread(void *arg) {
#ifdef SCHED_BATCH
struct sched_param param;
#endif
(void)arg; /* squash the unused parameter warning */
tls_alloc(NULL, NULL, "cron");
#ifdef SCHED_BATCH
param.sched_priority=0;
if(pthread_setschedparam(pthread_self(), SCHED_BATCH, &param))
ioerror("pthread_getschedparam");
#endif
cron_worker();
return NULL; /* it should never be executed */
}
#elif defined(USE_WIN32)
int cron_init() {
if((long)_beginthread(cron_thread, 0, NULL)==-1)
ioerror("_beginthread");
return 0;
}
NOEXPORT void cron_thread(void *arg) {
(void)arg; /* squash the unused parameter warning */
tls_alloc(NULL, NULL, "cron");
if(!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_LOWEST))
ioerror("SetThreadPriority");
cron_worker();
_endthread(); /* it should never be executed */
}
#else /* !defined(USE_PTHREAD) && !defined(USE_WIN32) */
int cron_init() {
/* not implemented for now */
return 0;
}
#endif
/* run the cron job every 24 hours */
#define CRON_PERIOD (24*60*60)
#if defined(USE_PTHREAD) || defined(USE_WIN32)
NOEXPORT void cron_worker(void) {
time_t now, then;
int delay;
s_log(LOG_DEBUG, "Cron thread initialized");
sleep(60); /* allow the other services to start with idle CPU */
time(&then);
for(;;) {
s_log(LOG_INFO, "Executing cron jobs");
#ifndef OPENSSL_NO_DH
cron_dh_param();
#endif /* OPENSSL_NO_DH */
time(&now);
s_log(LOG_INFO, "Cron jobs completed in %d seconds", (int)(now-then));
then+=CRON_PERIOD;
if(then>now) {
delay=(int)(then-now);
} else {
s_log(LOG_NOTICE, "Cron backlog cleared (possible hibernation)");
delay=CRON_PERIOD-(int)(now-then)%CRON_PERIOD;
then=now+delay;
}
s_log(LOG_DEBUG, "Waiting %d seconds", delay);
do { /* retry sleep() if it was interrupted by a signal */
sleep((unsigned)delay);
time(&now);
delay=(int)(then-now);
} while(delay>0);
s_log(LOG_INFO, "Reopening log file");
signal_post(SIGNAL_REOPEN_LOG);
}
}
#ifndef OPENSSL_NO_DH
NOEXPORT void cron_dh_param(void) {
SERVICE_OPTIONS *opt;
DH *dh;
if(!dh_needed)
return;
s_log(LOG_NOTICE, "Updating DH parameters");
#if OPENSSL_VERSION_NUMBER>=0x0090800fL
/* generate 2048-bit DH parameters */
dh=DH_new();
if(!dh) {
sslerror("DH_new");
return;
}
if(!DH_generate_parameters_ex(dh, 2048, 2, NULL)) {
DH_free(dh);
sslerror("DH_generate_parameters_ex");
return;
}
#else /* OpenSSL older than 0.9.8 */
dh=DH_generate_parameters(2048, 2, NULL, NULL);
if(!dh) {
sslerror("DH_generate_parameters");
return;
}
#endif
/* update global dh_params for future configuration reloads */
stunnel_write_lock(&stunnel_locks[LOCK_DH]);
DH_free(dh_params);
dh_params=dh;
stunnel_write_unlock(&stunnel_locks[LOCK_DH]);
/* set for all sections that require it */
for(opt=service_options.next; opt; opt=opt->next)
if(opt->option.dh_needed)
SSL_CTX_set_tmp_dh(opt->ctx, dh);
s_log(LOG_NOTICE, "DH parameters updated");
}
#endif /* OPENSSL_NO_DH */
#endif /* USE_PTHREAD || USE_WIN32 */
/* end of cron.c */
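Review bot: in `cron_thread()` a failing `pthread_setschedparam()` is reported as `ioerror("pthread_getschedparam")`, so the log names a call that was never made; change the string to `"pthread_setschedparam"`. Two further points: the `#else` branch of `cron_init()` (fork and ucontext builds) is a no-op, so `cron_dh_param()` never runs there and the static DH group stays in use for the life of the process; that limitation should be documented or logged at startup rather than left silent. And the loop `for(opt=service_options.next; opt; opt=opt->next)` calls `SSL_CTX_set_tmp_dh()` on every section while holding only `LOCK_DH`, which guards `dh_params`, not the `service_options` list; if a configuration reload can replace that list concurrently, the walk needs the same lock the reload path takes.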

src/ctx.c (1207 lines changed; diff not shown because it is too large)

src/dhparam.c (new file, 57 lines)

@ -0,0 +1,57 @@
#include "common.h"
#ifndef OPENSSL_NO_DH
#define DN_new DH_new
#ifndef HEADER_DH_H
# include <openssl/dh.h>
#endif
DH *get_dh2048()
{
static unsigned char dhp_2048[] = {
0xEF, 0xED, 0x5C, 0xA2, 0x8E, 0x37, 0xD8, 0xF4, 0xD1, 0xE9,
0x85, 0x06, 0x79, 0x0E, 0xC0, 0xBC, 0xD2, 0xF3, 0xBC, 0x26,
0xAE, 0x63, 0xB9, 0x06, 0xDF, 0x16, 0xDB, 0xE5, 0x76, 0x76,
0xD5, 0xBC, 0x4F, 0xC1, 0x55, 0x28, 0xC9, 0x7A, 0xC8, 0xD6,
0x1E, 0xB0, 0x5D, 0x85, 0x12, 0x39, 0x62, 0x06, 0x9D, 0x99,
0x4D, 0xCF, 0x79, 0x27, 0x94, 0xB6, 0xE1, 0xC2, 0x92, 0x06,
0xA3, 0xCF, 0x10, 0x25, 0xC4, 0x3D, 0x01, 0xD2, 0x34, 0x0C,
0x1F, 0xB2, 0xA3, 0x0D, 0xA8, 0xDC, 0xB6, 0x5F, 0xDB, 0x8C,
0xF6, 0x73, 0xC2, 0x07, 0x70, 0x4D, 0x01, 0x85, 0xE8, 0x49,
0xBC, 0xC1, 0x80, 0x6C, 0x77, 0x71, 0xFF, 0x5D, 0x25, 0x2F,
0x64, 0x5F, 0x0D, 0x33, 0xB3, 0x43, 0x24, 0xC0, 0xFC, 0xB3,
0x94, 0xEA, 0xF2, 0xB7, 0x24, 0x08, 0x12, 0x74, 0x9D, 0xEA,
0x20, 0x31, 0xD7, 0x0C, 0x0A, 0x84, 0x37, 0xCF, 0x34, 0x56,
0x85, 0xFB, 0xF4, 0x7C, 0xF4, 0x4E, 0x67, 0x0E, 0x63, 0xB2,
0x49, 0xAF, 0xA6, 0x43, 0xD3, 0x6E, 0x60, 0xA9, 0x96, 0xD6,
0xE8, 0x63, 0x7E, 0x23, 0x39, 0x91, 0xE1, 0xF6, 0xC3, 0x8B,
0x60, 0x92, 0x73, 0xB9, 0x5A, 0x69, 0xDF, 0x8A, 0xD4, 0x0E,
0x1C, 0x95, 0x82, 0x59, 0xE4, 0x3B, 0xA8, 0xAC, 0x46, 0x47,
0xE2, 0xFE, 0x98, 0xD7, 0xC2, 0xD4, 0xC6, 0x0A, 0xC5, 0x23,
0x98, 0xCA, 0x0C, 0x5A, 0x82, 0xE1, 0x17, 0xC8, 0xA4, 0x5C,
0x43, 0x2A, 0xE5, 0x5B, 0x20, 0x7C, 0x36, 0x90, 0x71, 0xB6,
0x02, 0x55, 0xF5, 0x26, 0x13, 0xCF, 0xB3, 0x4C, 0xB7, 0x89,
0x57, 0xC8, 0x27, 0x28, 0x72, 0x04, 0xF1, 0x78, 0x4B, 0xFF,
0xB3, 0x78, 0x60, 0x79, 0xEF, 0xDD, 0xDE, 0x34, 0x88, 0xE2,
0x00, 0x13, 0xED, 0x4B, 0x9F, 0xE7, 0x71, 0xBA, 0x68, 0xF6,
0xD2, 0x9E, 0xF3, 0x3B, 0x2D, 0x2B
};
static unsigned char dhg_2048[] = {
0x02
};
DH *dh = DH_new();
BIGNUM *dhp_bn, *dhg_bn;
if (dh == NULL)
return NULL;
dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
if (dhp_bn == NULL || dhg_bn == NULL
|| !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
DH_free(dh);
BN_free(dhp_bn);
BN_free(dhg_bn);
return NULL;
}
return dh;
}
#endif /* OPENSSL_NO_DH */
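Review bot: `#define DN_new DH_new` near the top is never used and reads like a typo for `DH_new`; drop it rather than leave a misleading alias in the tree. The `#ifndef HEADER_DH_H` include is redundant too, since common.h already includes `<openssl/dh.h>` under the same `OPENSSL_NO_DH` condition. The body has the shape of `openssl dhparam -C` output; if that is how the file is produced, a header comment saying so (and how to regenerate it) would stop the next reviewer from hand-editing a generated file.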


@ -1,24 +1,24 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
@ -26,7 +26,7 @@
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
@ -53,15 +53,15 @@
int getpeername(int s, struct sockaddr_in *name, int *len) {
char *value;
(void)s; /* skip warning about unused parameter */
(void)len; /* skip warning about unused parameter */
(void)s; /* squash the unused parameter warning */
(void)len; /* squash the unused parameter warning */
name->sin_family=AF_INET;
if((value=getenv("REMOTE_HOST")))
name->sin_addr.s_addr=inet_addr(value);
else
name->sin_addr.s_addr=htonl(INADDR_ANY);
if((value=getenv("REMOTE_PORT")))
name->sin_port=htons(atoi(value));
name->sin_port=htons((uint16_t)atoi(value));
else
name->sin_port=htons(0); /* dynamic port allocation */
return 0;
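Review bot: the `(uint16_t)atoi(value)` cast on the `REMOTE_PORT` line silences the conversion warning but keeps the underlying problem: `atoi()` accepts junk and out-of-range input, so `REMOTE_PORT=70000` silently becomes port 4464 and `REMOTE_PORT=abc` becomes 0. Parse with `strtol()` and reject anything outside 0..65535 (0 being the dynamic-port marker the comment already describes). The same applies to `inet_addr(value)` on `REMOTE_HOST`, which returns `INADDR_NONE` for malformed input and that value is then stored as the peer address; check for it, or switch to `inet_aton()`/`inet_pton()`.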

src/error.ico (new binary file, 1.1 KiB; not shown)

Some files were not shown because too many files have changed in this diff.