Imported Debian patch 3:5.42-1

Peter Pentchev 2017-09-23 16:25:21 +03:00 committed by Mario Fetka
commit 10de5e9e32
142 changed files with 33490 additions and 18590 deletions

27
.travis.yml Normal file

@ -0,0 +1,27 @@
sudo: false
language: c
os:
- linux
- osx
compiler:
- gcc
- clang
env:
- CONFIGURE_OPTIONS='--with-threads=pthread'
- CONFIGURE_OPTIONS='--with-threads=fork'
- CONFIGURE_OPTIONS='--with-threads=ucontext'
- CONFIGURE_OPTIONS='--disable-ipv6 --disable-fips --disable-systemd --disable-libwrap'
addons:
apt:
packages:
- libssl-dev
- libwrap0-dev
before_script: autoreconf -fvi && touch src/dhparam.c
script: ./configure $CONFIGURE_OPTIONS && make && make test
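Review bot: the `touch src/dhparam.c` in `before_script` needs a comment saying why it is there; assuming the intent is to stop `make` from regenerating the shipped DH parameters on every CI run (a slow step) rather than to exercise the generator, one line above it would spare the next reader the guess. Separately, the `addons: apt:` packages (`libssl-dev`, `libwrap0-dev`) are installed only on the `linux` entries of the `os` matrix, so the `osx` jobs build against whatever OpenSSL the system or Xcode provides and have no libwrap; if that is intended, say so in the file, otherwise add a `matrix:` exclusion or an equivalent install step for osx.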


@ -1,4 +1,4 @@
stunnel authors
Michal Trojnara <Michal.Trojnara@mirt.net>
Michal Trojnara <Michal.Trojnara@stunnel.org>


@ -1,6 +1,6 @@
stunnel license (see COPYRIGHT.GPL for detailed GPL conditions)
Copyright (C) 1998-2013 Michal Trojnara
Copyright (C) 1998-2017 Michal Trojnara
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software

39
CREDITS

@ -1,9 +1,40 @@
Special thx to:
stunnel code contributions
The code contributions are licensed as public domain unless stated otherwise.
Several Win32 and WCE improvements and bugfixes:
* Pierre Delaage <delaage.pierre@free.fr>
systemd socket activation in version 5.05:
Copyright (c) 2014 Mark Theunissen
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Several bugfixes and improvements mostly in versions 3.xx:
* Brian Hatch <bri@stunnel.org>
Initial PTY support in version 3.05:
* Dirk O. Siebnich <dok@vossnet.de>
Initial SSL support in versions 1.x:
* Adam Hernik <adas@infocentrum.com>
* Pawel Krawczyk <kravietz@ceti.com.pl>
* Brian Hatch <bri@stunnel.org>
* Dirk O. Siebnich <dok@vossnet.de> for PTY support
and many others...

670
ChangeLog

@ -1,5 +1,670 @@
stunnel change log
Version 5.42, 2017.07.16, urgency: HIGH
* New features
- "redirect" also supports "exec" and not only "connect".
- PKCS#11 engine DLL updated to version 0.4.7.
* Bugfixes
- Fixed premature cron thread initialization causing hangs.
- Fixed "verifyPeer = yes" on OpenSSL <= 1.0.1.
- Fixed pthreads support on OpenSolaris.
Version 5.41, 2017.04.01, urgency: MEDIUM
* New features
- PKCS#11 engine DLL updated to version 0.4.5.
- Default engine UI set with ENGINE_CTRL_SET_USER_INTERFACE.
- Key file name added into the passphrase console prompt.
- Performance optimization in memory leak detection.
* Bugfixes
- Fixed crashes with the OpenSSL 1.1.0 branch.
- Fixed certificate verification with "verifyPeer = yes"
and "verifyChain = no" (the default), while the peer
only returns a single certificate.
Version 5.40, 2017.01.28, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2k.
https://www.openssl.org/news/secadv/20170126.txt
* New features
- DH ciphersuites are now disabled by default.
- The daily server DH parameter regeneration is only performed if
DH ciphersuites are enabled in the configuration file.
- "checkHost" and "checkEmail" were modified to require either
"verifyChain" or "verifyPeer" (thx to Małorzata Olszówka).
* Bugfixes
- Fixed setting default ciphers.
Version 5.39, 2017.01.01, urgency: LOW
* New features
- PKCS#11 engine (pkcs11.dll) added to the Win32 build.
- Per-destination TLS session cache added for the client mode.
- The new "logId" parameter "process" added to log PID values.
- Added support for the new SSL_set_options() values.
- Updated the manual page.
- Obsolete references to "SSL" replaced with "TLS".
* Bugfixes
- Fixed "logId" parameter to also work in inetd mode.
- "delay = yes" properly enforces "failover = prio".
- Fixed fd_set allocation size on Win64.
- Fixed reloading invalid configuration file on Win32.
- Fixed resolving addresses with unconfigured network interfaces.
Version 5.38, 2016.11.26, urgency: MEDIUM
* New features
- "sni=" can be used to prevent sending the SNI extension.
- The AI_ADDRCONFIG resolver flag is used when available.
- Merged Debian 06-lfs.patch (thx to Peter Pentchev).
* Bugfixes
- Fixed a memory allocation bug causing crashes with OpenSSL 1.1.0.
- Fixed error handling for mixed IPv4/IPv6 destinations.
- Merged Debian 08-typos.patch (thx to Peter Pentchev).
Version 5.37, 2016.11.06, urgency: MEDIUM
* Bugfixes
- OpenSSL DLLs updated to version 1.0.2j (stops crashes).
- The default SNI target (not handled by any slave service)
is handled by the master service rather than rejected.
- Removed thread synchronization in the FORK threading model.
Version 5.36, 2016.09.22, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2i.
https://www.openssl.org/news/secadv_20160922.txt
* New features
- Added support for OpenSSL 1.1.0 built with "no-deprecated".
- Removed direct zlib dependency.
Version 5.35, 2016.07.18, urgency: HIGH
* Bugfixes
- Fixed incorrectly enforced client certificate requests.
- Only default to SO_EXCLUSIVEADDRUSE on Vista and later.
- Fixed thread safety of the configuration file reopening.
Version 5.34, 2016.07.05, urgency: HIGH
* Security bugfixes
- Fixed malfunctioning "verify = 4".
* New features
- Bind sockets with SO_EXCLUSIVEADDRUSE on WIN32.
- Added three new service-level options: requireCert, verifyChain,
and verifyPeer for fine-grained certificate verification control.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
Version 5.33, 2016.06.23, urgency: HIGH
* New features
- Improved memory leak detection performance and accuracy.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
- SNI support also enabled on OpenSSL 0.9.8f and later (thx to
Guillermo Rodriguez Garcia).
- Added support for PKCS #12 (.p12/.pfx) certificates (thx to
Dmitry Bakshaev).
* Bugfixes
- Fixed a TLS session caching memory leak (thx to Richard Kraemer).
Before stunnel 5.27 this leak only emerged with sessiond enabled.
- Yet another WinCE socket fix (thx to Richard Kraemer).
- Fixed passphrase/pin dialogs in tstunnel.exe.
- Fixed a FORK threading build regression bug.
- OPENSSL_NO_DH compilation fix (thx to Brian Lin).
Version 5.32, 2016.05.03, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2h.
https://www.openssl.org/news/secadv_20160503.txt
* New features
- New "socket = a:IPV6_V6ONLY=yes" option to only bind IPv6.
- Memory leak detection.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
- Added/fixed Red Hat scripts (thx to Andrew Colin Kissa).
* Bugfixes
- Workaround for a WinCE sockets quirk (thx to Richard Kraemer).
- Fixed data alignment on 64-bit MSVC (thx to Yuris W. Auzins).
Version 5.31, 2016.03.01, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2g.
https://www.openssl.org/news/secadv_20160301.txt
* New features
- Added logging the list of client CAs requested by the server.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
* Bugfixes
- Only reset the watchdog if some data was actually transferred.
- A workaround implemented for the unexpected exceptfds set by
select() on WinCE 6.0 (thx to Richard Kraemer).
- Fixed logging an incorrect value of the round-robin starting
point (thx to Jose Alf.).
Version 5.30, 2016.01.28, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2f.
https://www.openssl.org/news/secadv_20160128.txt
* New features
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
- Added OpenSSL autodetection for the recent versions of Xcode.
* Bugfixes
- Fixed references to /etc removed from stunnel.init.in.
- Stopped even trying -fstack-protector on unsupported platforms
(thx to Rob Lockhart).
Version 5.29, 2016.01.08, urgency: LOW
* New features
- New WIN32 icons.
- Performance improvement: rwlocks used for locking with pthreads.
* Bugfixes
- Compilation fix for *BSD.
- Fixed configuration file reload for relative stunnel.conf path
on Unix.
- Fixed ignoring CRLfile unless CAfile was also specified (thx
to Strukov Petr).
Version 5.28, 2015.12.11, urgency: HIGH
* New features
- Build matrix (.travis.yml) extended with ./configure options.
- mingw.mak updated to build tstunnel.exe (thx to Jose Alf.).
* Bugfixes
- Fixed incomplete initialization.
- Fixed UCONTEXT threading on OSX.
- Fixed exit codes for information requests (as
in "stunnel -version" or "stunnel -help").
Version 5.27, 2015.12.03, urgency: MEDIUM
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2e.
https://www.openssl.org/news/secadv_20151203.txt
* New features
- Automated build testing configured with .travis.yml.
- Added reading server certificates from hardware engines.
For example: cert = id_45
- Only attempt to use potentially harmful compiler or linker
options if gcc was detected.
- /opt/csw added to the OpenSSL directory lookup list.
- mingw.mak updates (thx to Jose Alf.).
- TODO list updated.
Version 5.26, 2015.11.06, urgency: MEDIUM
* Bugfixes
- Compilation fixes for OSX, *BSD and Solaris.
Version 5.25, 2015.11.02, urgency: MEDIUM
* New features
- SMTP client protocol negotiation support for
"protocolUsername", "protocolPassword", and
"protocolAuthentication" (thx to Douglas Harris).
- New service-level option "config" to specify configuration
commands introduced in OpenSSL 1.0.2 (thx to Stephen Wall).
- The global option "foreground" now also accepts "quiet"
parameter, which does not enable logging to stderr.
- Manual page updated.
- Obsolete OpenSSL engines removed from the Windows build:
4758cca, aep, atalla, cswift, nuron, sureware.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree:
gracefully handle symbols renamed from SSLeay* to OpenSSL*.
* Bugfixes
- Fixed the "s_poll_wait returned 1, but no descriptor
is ready" internal error.
- Fixed "exec" hangs due to incorrect thread-local
storage handling (thx to Philip Craig).
- Fixed PRNG initialization (thx to Philip Craig).
- Setting socket options no longer performed on PTYs.
- Fixed 64-bit Windows build.
Version 5.24, 2015.10.08, urgency: MEDIUM
* New features
- Custom CRL verification was replaced with the internal
OpenSSL functionality.
- *BSD support for "transparent = destination" and
client-side "protocol = socks". This feature should
work at least on FreeBSD, OpenBSD and OS X.
- Added a new "protocolDomain" option for the NTLM
authentication (thx to Andreas Botsikas).
- Improved compatibility of the NTLM phase 1 message (thx
to Andreas Botsikas).
- "setuid" and "setgid" options are now also available
in service sections. They can be used to set owner
and group of the Unix socket specified with "accept".
- Added support for the new OpenSSL 1.0.2 SSL options.
- Added OPENSSL_NO_EGD support (thx to Bernard Spil).
- VC autodetection added to makew32.bat (thx to Andreas
Botsikas).
* Bugfixes
- Fixed the RESOLVE [F0] TOR extension support in SOCKS5.
- Fixed the error code reported on the failed bind()
requests.
- Fixed the sequential log id with the FORK threading.
- Restored the missing Microsoft.VC90.CRT.manifest file.
Version 5.23, 2015.09.02, urgency: LOW
* New features
- Client-side support for the SOCKS protocol.
See https://www.stunnel.org/socksvpn.html for details.
- Reject SOCKS requests to connect loopback addresses.
- New service-level option "OCSPnonce".
The default value is "OCSPnonce = no".
- Win32 directory structure rearranged. The installer
script provides automatic migration for common setups.
- Added Win32 installer option to install stunnel for the
current user only. This feature does not deploy the NT
service, but it also does not require aministrative
privileges to install and configure stunnel.
- stunnel.cnf was renamed to openssl.cnf in order to
to prevent users from mixing it up with stunnel.conf.
- Win32 desktop is automatically refreshed when the icon
is created or removed.
- The ca-certs.pem file is now updated on stunnel upgrade.
- Inactive ports were removed from the PORTS file.
- Added IPv6 support to the transparent proxy code.
* Bugfixes
- Compilation fix for OpenSSL version older than 1.0.0.
- Compilation fix for mingw.
Version 5.22, 2015.07.30, urgency: HIGH
* New features
- "OCSPaia = yes" added to the configuration file templates.
- Improved double free detection.
* Bugfixes
- Fixed a number of OCSP bugs. The most severe of those
bugs caused stunnel to treat OCSP responses that failed
OCSP_basic_verify() checks as if they were successful.
- Fixed the passive IPv6 resolver (broken in stunnel 5.21).
Version 5.21, 2015.07.27, urgency: MEDIUM
* New features
- Signal names are displayed instead of numbers.
- First resolve IPv4 addresses on passive resolver requests.
This speeds up stunnel startup on Win32 with a slow/defunct
DNS service.
- The "make check" target was modified to only build Win32
executables when stunnel is built from a git repository (thx
to Peter Pentchev).
- More elaborate descriptions were added to the warning about
using "verify = 2" without "checkHost" or "checkIP".
- Performance optimization was performed on the debug code.
* Bugfixes
- Fixed the FORK and UCONTEXT threading support.
- Fixed "failover=prio" (broken since stunnel 5.15).
- Added a retry when sleep(3) was interrupted by a signal
in the cron thread scheduler.
Version 5.20, 2015.07.09, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2d.
https://www.openssl.org/news/secadv_20150709.txt
* New features
- poll(2) re-enabled on MacOS X 10.5 and later.
- Xcode SDK is automatically used on MacOS X if no other
locally installed OpenSSL directory is found.
- The SSL library detection algorithm was made a bit smarter.
- Warnings about insecure authentication were modified to
include the name of the affected service section.
- A warning was added to stunnel.init if no pid file was
specified in the configuration file (thx to Peter Pentchev).
- Optional debugging symbols are included in the Win32 installer.
- Documentation updates (closes Debian bug #781669).
* Bugfixes
- Signal pipe reinitialization added to prevent turning the
main accepting thread into a busy wait loop when an external
condition breaks the signal pipe. This bug was found to
surface on Win32, but other platforms may also be affected.
- Fixed removing the disabled taskbar icon.
- Generated temporary DH parameters are used for configuration
reload instead of the static defaults.
- LSB compatibility fixes added to the stunnel.init script (thx
to Peter Pentchev).
- Fixed the manual page headers (thx to Gleydson Soares).
Version 5.19, 2015.06.16, urgency: MEDIUM:
* New features
- OpenSSL DLLs updated to version 1.0.2c.
- Added a runtime check whether COMP_zlib() method is implemented
in order to improve compatibility with the Debian OpenSSL build.
* Bugfixes
- Improved socket error handling.
- Cron thread priority on Win32 platform changed to
THREAD_PRIORITY_LOWEST to improve portability.
- Makefile bugfixes for stunnel 5.18 regressions.
- Fixed some typos in docs and scripts (thx to Peter Pentchev).
- Fixed a log level check condition (thx to Peter Pentchev).
Version 5.18, 2015.06.12, urgency: MEDIUM:
* New features
- OpenSSL DLLs updated to version 1.0.2b.
https://www.openssl.org/news/secadv_20150611.txt
- Added "include" configuration file option to include all
configuration file parts located in a specified directory.
- Log file is reopened every 24 hours. With "log = overwrite"
this feature can be used to prevent filling up disk space.
- Temporary DH parameters are refreshed every 24 hours, unless
static DH parameters were provided in the certificate file.
- Unique initial DH parameters are distributed with each release.
- Warnings are logged on potentially insecure authentication.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree:
removed RLE compression support, etc.
- Updated stunnel.spec (thx to Bill Quayle).
* Bugfixes
- Fixed handling of dynamic connect targets.
- Fixed handling of trailing whitespaces in the Content-Length
header of the NTLM authentication.
- Fixed --sysconfdir and --localstatedir handling (thx to
Dagobert Michelsen).
Version 5.17, 2015.04.29, urgency: HIGH:
* Bugfixes
- Fixed a NULL pointer dereference causing the service to crash.
This bug was introduced in stunnel 5.15.
Version 5.16, 2015.04.19, urgency: MEDIUM:
* Bugfixes
- Fixed compilation with old versions of gcc.
Version 5.15, 2015.04.16, urgency: LOW:
* New features
- Added new service-level options "checkHost", "checkEmail" and
"checkIP" for additional checks of the peer certificate subject.
These options require OpenSSL version 1.0.2 or higher.
- Win32 binary distribution now ships with the Mozilla root CA
bundle. This bundle is intended be used together with the new
"checkHost" option to validate server certs accepted by Mozilla.
- New commandline options "-reload" to reload the configuration
file and "-reopen" to reopen the log file of stunnel running
as a Windows service (thx to Marc McLaughlin).
- Added session persistence based on negotiated TLS sessions.
https://en.wikipedia.org/wiki/Load_balancing_%28computing%29#Persistence
The current implementation does not support external TLS
session caching with sessiond.
- MEDIUM ciphers (currently SEED and RC4) are removed from the
default cipher list.
- The "redirect" option was improved to not only redirect sessions
established with an untrusted certificate, but also sessions
established without a client certificate.
- OpenSSL version checking modified to distinguish FIPS and
non-FIPS builds.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
- Removed support for OpenSSL versions older than 0.9.7.
The final update for the OpenSSL 0.9.6 branch was 17 Mar 2004.
- "sessiond" support improved to also work in OpenSSL 0.9.7.
- Randomize the initial value of the round-robin counter.
- New stunnel.conf templates are provided for Windows and Unix.
* Bugfixes
- Fixed compilation against old versions of OpenSSL.
- Fixed memory leaks in certificate verification.
Version 5.14, 2015.03.25, urgency: HIGH:
* Security bugfixes
- The "redirect" option now also redirects clients on SSL session
reuse. In stunnel versions 5.00 to 5.13 reused sessions were
instead always connected hosts specified with the "connect"
option regardless of their certificate verification result.
This vulnerability was reported by Johan Olofsson.
* New features
- Windows service is automatically restarted after upgrade.
* Bugfixes
- Fixed a memory allocation error during Unix daemon shutdown.
- Fixed handling multiple connect/redirect destinations.
- OpenSSL FIPS builds are now correctly reported on startup.
Version 5.13, 2015.03.20, urgency: MEDIUM:
* New features
- The "service" option was modified to also control the syslog
service name.
* Bugfixes
- Fixed Windows service crash.
Version 5.12, 2015.03.19, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2a.
https://www.openssl.org/news/secadv_20150319.txt
* New features
- New service-level option "logId" to specify the
connection identifier type. Currently supported types:
"sequential" (default), "unique", and "thread".
- New service-level option "debug" to individually control
logging verbosity of defined services.
* Bugfixes
- OCSP fixed on Windows platform (thx to Alec Kosky).
Version 5.11, 2015.03.11, urgency: LOW:
* New features
- OpenSSL DLLs updated to version 1.0.2.
- Removed dereferences of internal OpenSSL data structures.
- PSK key lookup algorithm performance improved from
O(N) (linear) to O(log N) (logarithmic).
* Bugfixes
- Fixed peer certificate list in the main window on Win32
(thx to @fyer for reporting it).
- Fixed console logging in tstunnel.exe.
- _tputenv_s() replaced with more portable _tputenv() on Win32.
Version 5.10, 2015.01.22, urgency: LOW:
* New features
- OCSP AIA (Authority Information Access) support. This feature
can be enabled with the new service-level option "OCSPaia".
- Additional security features of the linker are enabled:
"-z relro", "-z now", "-z noexecstack".
* Bugfixes
- OpenSSL DLLs updated to version 1.0.1l.
https://www.openssl.org/news/secadv_20150108.txt
- FIPS canister updated to version 2.0.9 in the Win32 binary
build.
Version 5.09, 2015.01.02, urgency: LOW:
* New features
- Added PSK authentication with two new service-level
configuration file options "PSKsecrets" and "PSKidentity".
- Added additional security checks to the OpenSSL memory
management functions.
- Added support for the OPENSSL_NO_OCSP and OPENSSL_NO_ENGINE
OpenSSL configuration flags.
- Added compatibility with the current OpenSSL 1.1.0-dev tree.
* Bugfixes
- Removed defective s_poll_error() code occasionally causing
connections to be prematurely closed (truncated).
This bug was introduced in stunnel 4.34.
- Fixed ./configure systemd detection (thx to Kip Walraven).
- Fixed ./configure sysroot detection (thx to Kip Walraven).
- Fixed compilation against old versions of OpenSSL.
- Removed outdated French manual page.
Version 5.08, 2014.12.09, urgency: MEDIUM:
* New features
- Added SOCKS4/SOCKS4a protocol support.
- Added SOCKS5 protocol support.
- Added SOCKS RESOLVE [F0] TOR extension support.
- Updated automake to version 1.14.1.
- OpenSSL directory searching is now relative to the sysroot.
* Bugfixes
- Fixed improper hangup condition handling.
- Fixed missing -pic linker option. This is required for
Android 5.0 and improves security.
Version 5.07, 2014.11.01, urgency: MEDIUM:
* New features
- Several SMTP server protocol negotiation improvements.
- Added UTF-8 byte order marks to stunnel.conf templates.
- DH parameters are no longer generated by "make cert".
The hardcoded DH parameters are sufficiently secure,
and modern TLS implementations will use ECDH anyway.
- Updated manual for the "options" configuration file option.
- Added support for systemd 209 or later.
- New --disable-systemd ./configure option.
- setuid/setgid commented out in stunnel.conf-sample.
* Bugfixes
- Added support for UTF-8 byte order mark in stunnel.conf.
- Compilation fix for OpenSSL with disabled SSLv2 or SSLv3.
- Non-blocking mode set on inetd and systemd descriptors.
- shfolder.h replaced with shlobj.h for compatibility
with modern Microsoft compilers.
Version 5.06, 2014.10.15, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1j.
https://www.openssl.org/news/secadv_20141015.txt
- The insecure SSLv2 protocol is now disabled by default.
It can be enabled with "options = -NO_SSLv2".
- The insecure SSLv3 protocol is now disabled by default.
It can be enabled with "options = -NO_SSLv3".
- Default sslVersion changed to "all" (also in FIPS mode)
to autonegotiate the highest supported TLS version.
* New features
- Added missing SSL options to match OpenSSL 1.0.1j.
- New "-options" commandline option to display the list
of supported SSL options.
* Bugfixes
- Fixed FORK threading build regression bug.
- Fixed missing periodic Win32 GUI log updates.
Version 5.05, 2014.10.10, urgency: MEDIUM:
* New features
- Asynchronous communication with the GUI thread for faster
logging on Win32.
- systemd socket activation (thx to Mark Theunissen).
- The parameter of "options" can now be prefixed with "-"
to clear an SSL option, for example:
"options = -LEGACY_SERVER_CONNECT".
- Improved "transparent = destination" manual page (thx to
Vadim Penzin).
* Bugfixes
- Fixed POLLIN|POLLHUP condition handling error resulting
in prematurely closed (truncated) connection.
- Fixed a null pointer dereference regression bug in the
"transparent = destination" functionality (thx to
Vadim Penzin). This bug was introduced in stunnel 5.00.
- Fixed startup thread synchronization with Win32 GUI.
- Fixed erroneously closed stdin/stdout/stderr if specified
as the -fd commandline option parameter.
- A number of minor Win32 GUI bugfixes and improvements.
- Merged most of the Windows CE patches (thx to Pierre Delaage).
- Fixed incorrect CreateService() error message on Win32.
- Implemented a workaround for defective Cygwin file
descriptor passing breaking the libwrap support:
http://wiki.osdev.org/Cygwin_Issues#Passing_file_descriptors
Version 5.04, 2014.09.21, urgency: LOW:
* New features
- Support for local mode ("exec" option) on Win32.
- Support for UTF-8 config file and log file.
- Win32 UTF-16 build (thx to Pierre Delaage for support).
- Support for Unicode file names on Win32.
- A more explicit service description provided for the
Windows SCM (thx to Pierre Delaage).
- TCP/IP dependency added for NT service in order to prevent
initialization failure at boot time.
- FIPS canister updated to version 2.0.8 in the Win32 binary
build.
* Bugfixes
- load_icon_default() modified to return copies of default icons
instead of the original resources to prevent the resources
from being destroyed.
- Partially merged Windows CE patches (thx to Pierre Delaage).
- Fixed typos in stunnel.init.in and vc.mak.
- Fixed incorrect memory allocation statistics update in
str_realloc().
- Missing REMOTE_PORT environmental variable is provided to
processes spawned with "exec" on Unix platforms.
- Taskbar icon is no longer disabled for NT service.
- Fixed taskbar icon initialization when commandline options are
specified.
- Reportedly more compatible values used for the dwDesiredAccess
parameter of the CreateFile() function (thx to Pierre Delaage).
- A number of minor Win32 GUI bugfixes and improvements.
Version 5.03, 2014.08.07, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1i.
See https://www.openssl.org/news/secadv_20140806.txt
* New features
- FIPS autoconfiguration cleanup.
- FIPS canister updated to version 2.0.6.
- Improved SNI diagnostic logging.
* Bugfixes
- Compilation fixes for old versions of OpenSSL.
- Fixed whitespace handling in the stunnel.init script.
Version 5.02, 2014.06.09, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1h.
See https://www.openssl.org/news/secadv_20140605.txt
* New features
- Major rewrite of the protocol.c interface: it is now possible to add
protocol negotiations at multiple connection phases, protocols can
individually decide whether the remote connection will be
established before or after SSL/TLS is negotiated.
- Heap memory blocks are wiped before release. This only works for
block allocated by stunnel, and not by OpenSSL or other libraries.
- The safe_memcmp() function implemented with execution time not
dependent on the compared data.
- Updated the stunnel.conf and stunnel.init templates.
- Added a client-mode example to the manual.
* Bugfixes
- Fixed "failover = rr" broken since version 5.00.
- Fixed "taskbar = no" broken since version 5.00.
- Compilation fix for missing SSL_OP_MSIE_SSLV2_RSA_PADDING option.
Version 5.01, 2014.04.08, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1g.
This version mitigates TLS heartbeat read overrun (CVE-2014-0160).
* New features
- X.509 extensions added to the created self-signed stunnel.pem.
- "FIPS = no" also allowed in non-FIPS builds of stunnel.
- Search all certificates with the same subject name for a matching
public key rather than only the first one (thx to Leon Winter).
- Create logs in the local application data folder if stunnel folder
is not writable on Win32.
* Bugfixes
- close_notify not sent when SSL still has some data buffered.
- Protocol negotiation with server-side SNI fixed.
- A Mac OS X missing symbols fixed.
- Win32 configuration file reload crash fixed.
- Added s_pool_free() on exec+connect service retires.
- Line-buffering enforced on stderr output.
stunnel 5.00 disables some features previously enabled by default.
Users should review whether the new defaults are appropriate for their
particular deployments. Packages maintainers may consider prepending
the old defaults for "fips" (if supported by their OpenSSL library),
"pid" and "libwrap" to stunnel.conf during automated updates.
Version 5.00, 2014.03.06, urgency: HIGH:
* Security bugfixes
- Added PRNG state update in fork threading (CVE-2014-0016).
* New global configuration file defaults
- Default "fips" option value is now "no", as FIPS mode is only
helpful for compliance, and never for actual security.
- Default "pid" is now "", i.e. not to create a pid file at startup.
* New service-level configuration file defaults
- Default "ciphers" updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2"
due to AlFBPPS attack and bad performance of DH ciphersuites.
- Default "libwrap" setting is now "no" to improve performance.
* New features
- OpenSSL DLLs updated to version 1.0.1f.
- zlib DLL updated to version 1.2.8.
- autoconf scripts upgraded to version 2.69.
- TLS 1.1 and TLS 1.2 are now allowed in the FIPS mode.
- New service-level option "redirect" to redirect SSL client
connections on authentication failures instead of rejecting them.
- New global "engineDefault" configuration file option to control
which OpenSSL tasks are delegated to the current engine.
Available tasks: ALL, RSA, DSA, ECDH, ECDSA, DH, RAND, CIPHERS,
DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1.
- New service-level configuration file option "engineId" to select
the engine by identifier, e.g. "engineId = capi".
- New global configuration file option "log" to control whether to
append (the default), or to overwrite log file while (re)opening.
- Different taskbar icon colors to indicate the service state.
- New global configuration file options "iconIdle", "iconActive",
and "iconError" to select status icon on GUI taskbar.
- Removed the limit of 63 stunnel.conf sections on Win32 platform.
- Installation of a sample certificate was moved to a separate "cert"
target in order to allow unattended (e.g. scripted) installations.
- Reduced length of the logged thread identifier. It is still based
on the OS thread ID, and thus not unique over long periods of time.
- Improved readability of error messages printed when stunnel refuses
to start due to a critical error.
* Bugfixes
- LD_PRELOAD Solaris compatibility bug fixed (thx to Norm Jacobs).
- CRYPTO_NUM_LOCKS replaced with CRYPTO_num_locks() to improve binary
compatibility with diverse builds of OpenSSL (thx to Norm Jacobs).
- Corrected round-robin failover behavior under heavy load.
- Numerous fixes in the engine support code.
- On Win32 platform .rnd file moved from c:\ to the stunnel folder.
Version 4.57, 2015.04.01, urgency: HIGH:
* Security bugfixes
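Review bot: a few typos in the added entries are worth fixing before import: "aministrative privileges" (5.23) should read "administrative", "in order to to prevent" (5.23) doubles "to", and "exec+connect service retires" (5.01) presumably means "retries". The version header lines are also inconsistent: 5.42 down to 5.20 end after the urgency level, while 5.19 and earlier carry a trailing colon ("urgency: MEDIUM:"). On substance, the entries that change defaults deserve a look from the packaging side, which the 5.00 preamble itself asks for: 5.06 disables SSLv2 and SSLv3 by default, 5.15 drops the MEDIUM ciphers (SEED, RC4) from the default list, and 5.40 disables DH ciphersuites by default. Note also that the 5.22 OCSP fix (responses failing OCSP_basic_verify() were treated as successful) is filed under plain "Bugfixes" although it is a verification bypass, so it is easy to miss when scanning the "Security bugfixes" headings.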
@ -116,6 +781,7 @@ Version 4.51, 2012.01.09, urgency: MEDIUM:
- New "compression = deflate" global option to enable RFC 2246 compresion.
For compatibility with previous versions "compression = zlib" and
"compression = rle" also enable the deflate (RFC 2246) compression.
- Compression is disabled by default.
- Separate default ciphers and sslVersion for "fips = yes" and "fips = no".
- UAC support for editing configuration file with Windows GUI.
* Bugfixes
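Review bot: "RFC 2246 compresion" in the 4.51 entry is missing an "s" ("compression"); if that line is one this hunk touches, fix it here, otherwise it is a one-word follow-up.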
@ -518,7 +1184,7 @@ Version 4.19, 2006.11.11, urgency: LOW/EXPERIMENTAL:
- There are a lot of new features in this version. I recommend
to test it well before upgrading your mission-critical systems.
* New features
- New service-level option to specify OCSP server flag:
- New service-level option to specify an OCSP responder flag:
OCSPflag = <flag>
- "protocolCredentials" option changed to "protocolUsername"
and "protocolPassword"
@ -574,7 +1240,7 @@ Version 4.16, 2006.08.31, urgency: MEDIUM:
- Default group is now detected by configure script.
- Check for maximum number of defined services added.
- OpenSSL_add_all_algorithms() added to SSL initialization.
- configure script sections reordered to detect pthread library funcions.
- configure script sections reordered to detect pthread library functions.
- RFC 2487 autodetection improved. High resolution s_poll_wait()
not currently supported by UCONTEXT threading.
- More precise description of cert directory file names (thx to Muhammad

378
INSTALL

@ -1,40 +1,370 @@
stunnel Unix install notes
Installation Instructions
*************************
Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation,
Inc.
1. If your machine supports POSIX threads make sure your SSL
library is compiled with -DTHREADS.
Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved. This file is offered as-is,
without warranty of any kind.
2. Compile the software:
Basic Installation
==================
./configure
make
make install
Briefly, the shell command `./configure && make && make install'
should configure, build, and install this package. The following
more-detailed instructions are generic; see the `README' file for
instructions specific to this package. Some packages provide this
`INSTALL' file but do not implement all of the features documented
below. The lack of an optional feature in a given package is not
necessarily a bug. More recommendations for GNU packages can be found
in *note Makefile Conventions: (standards)Makefile Conventions.
(see potential options for 'configure' at the end of this file)
The `configure' shell script attempts to guess correct values for
various system-dependent variables used during compilation. It uses
those values to create a `Makefile' in each directory of the package.
It may also create one or more `.h' files containing system-dependent
definitions. Finally, it creates a shell script `config.status' that
you can run in the future to recreate the current configuration, and a
file `config.log' containing compiler output (useful mainly for
debugging `configure').
3. Create stunnel configuration file (stunnel.conf).
It can also use an optional file (typically called `config.cache'
and enabled with `--cache-file=config.cache' or simply `-C') that saves
the results of its tests to speed up reconfiguring. Caching is
disabled by default to prevent problems with accidental use of stale
cache files.
4. Add stunnel invocation to your system's startup files.
For SysV-compatible init you can use stunnel.init script.
If you need to do unusual things to compile the package, please try
to figure out how `configure' could check whether to do them, and mail
diffs or instructions to the address given in the `README' so they can
be considered for the next release. If you are using the cache, and at
some point `config.cache' contains results you don't want to keep, you
may remove or edit it.
or
The file `configure.ac' (or `configure.in') is used to create
`configure' by a program called `autoconf'. You need `configure.ac' if
you want to change it or regenerate `configure' using a newer version
of `autoconf'.
Modify /etc/services and /etc/inetd.conf, restart inetd (inetd mode).
The simplest way to compile this package is:
See the manual for details.
1. `cd' to the directory containing the package's source code and type
`./configure' to configure the package for your system.
5. There are a variety of compile-time options you may supply when
running configure. Most commonly used are:
Running `configure' might take a while. While running, it prints
some messages telling which features it is checking for.
--with-ssl=DIR
where your SSL libraries and include files are installed
2. Type `make' to compile the package.
--with-random=FILE
read randomness from FILE for PRNG seeding
3. Optionally, type `make check' to run any self-tests that come with
the package, generally using the just-built uninstalled binaries.
--with-egd-socket=FILE
location of Entropy Gathering Daemon socket, if running EGD
(for example on a machine that lacks a /dev/urandom device)
4. Type `make install' to install the programs and any data files and
documentation. When installing into a prefix owned by root, it is
recommended that the package be configured and built as a regular
user, and only the `make install' phase executed with root
privileges.
Use `./configure --help' to see all the options.
5. Optionally, type `make installcheck' to repeat any self-tests, but
this time using the binaries in their final installed location.
This target does not install anything. Running this target as a
regular user, particularly if the prior `make install' required
root privileges, verifies that the installation completed
correctly.
6. You can remove the program binaries and object files from the
source code directory by typing `make clean'. To also remove the
files that `configure' created (so you can compile the package for
a different kind of computer), type `make distclean'. There is
also a `make maintainer-clean' target, but that is intended mainly
for the package's developers. If you use it, you may have to get
all sorts of other programs in order to regenerate files that came
with the distribution.
7. Often, you can also type `make uninstall' to remove the installed
files again. In practice, not all packages have tested that
uninstallation works correctly, even though it is required by the
GNU Coding Standards.
8. Some packages, particularly those that use Automake, provide `make
distcheck', which can by used by developers to test that all other
targets like `make install' and `make uninstall' work correctly.
This target is generally not run by end users.
Compilers and Options
=====================
Some systems require unusual options for compilation or linking that
the `configure' script does not know about. Run `./configure --help'
for details on some of the pertinent environment variables.
You can give `configure' initial values for configuration parameters
by setting variables in the command line or in the environment. Here
is an example:
./configure CC=c99 CFLAGS=-g LIBS=-lposix
*Note Defining Variables::, for more details.
Compiling For Multiple Architectures
====================================
You can compile the package for more than one kind of computer at the
same time, by placing the object files for each architecture in their
own directory. To do this, you can use GNU `make'. `cd' to the
directory where you want the object files and executables to go and run
the `configure' script. `configure' automatically checks for the
source code in the directory that `configure' is in and in `..'. This
is known as a "VPATH" build.
With a non-GNU `make', it is safer to compile the package for one
architecture at a time in the source code directory. After you have
installed the package for one architecture, use `make distclean' before
reconfiguring for another architecture.
On MacOS X 10.5 and later systems, you can create libraries and
executables that work on multiple system types--known as "fat" or
"universal" binaries--by specifying multiple `-arch' options to the
compiler but only a single `-arch' option to the preprocessor. Like
this:
./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
CPP="gcc -E" CXXCPP="g++ -E"
This is not guaranteed to produce working output in all cases, you
may have to build one architecture at a time and combine the results
using the `lipo' tool if you have problems.
Installation Names
==================
By default, `make install' installs the package's commands under
`/usr/local/bin', include files under `/usr/local/include', etc. You
can specify an installation prefix other than `/usr/local' by giving
`configure' the option `--prefix=PREFIX', where PREFIX must be an
absolute file name.
You can specify separate installation prefixes for
architecture-specific files and architecture-independent files. If you
pass the option `--exec-prefix=PREFIX' to `configure', the package uses
PREFIX as the prefix for installing programs and libraries.
Documentation and other data files still use the regular prefix.
In addition, if you use an unusual directory layout you can give
options like `--bindir=DIR' to specify different values for particular
kinds of files. Run `configure --help' for a list of the directories
you can set and what kinds of files go in them. In general, the
default for these options is expressed in terms of `${prefix}', so that
specifying just `--prefix' will affect all of the other directory
specifications that were not explicitly provided.
The most portable way to affect installation locations is to pass the
correct locations to `configure'; however, many packages provide one or
both of the following shortcuts of passing variable assignments to the
`make install' command line to change installation locations without
having to reconfigure or recompile.
The first method involves providing an override variable for each
affected directory. For example, `make install
prefix=/alternate/directory' will choose an alternate location for all
directory configuration variables that were expressed in terms of
`${prefix}'. Any directories that were specified during `configure',
but not in terms of `${prefix}', must each be overridden at install
time for the entire installation to be relocated. The approach of
makefile variable overrides for each directory variable is required by
the GNU Coding Standards, and ideally causes no recompilation.
However, some platforms have known limitations with the semantics of
shared libraries that end up requiring recompilation when using this
method, particularly noticeable in packages that use GNU Libtool.
The second method involves providing the `DESTDIR' variable. For
example, `make install DESTDIR=/alternate/directory' will prepend
`/alternate/directory' before all installation names. The approach of
`DESTDIR' overrides is not required by the GNU Coding Standards, and
does not work on platforms that have drive letters. On the other hand,
it does better at avoiding recompilation issues, and works well even
when some directory options were not specified in terms of `${prefix}'
at `configure' time.
Optional Features
=================
If the package supports it, you can cause programs to be installed
with an extra prefix or suffix on their names by giving `configure' the
option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
Some packages pay attention to `--enable-FEATURE' options to
`configure', where FEATURE indicates an optional part of the package.
They may also pay attention to `--with-PACKAGE' options, where PACKAGE
is something like `gnu-as' or `x' (for the X Window System). The
`README' should mention any `--enable-' and `--with-' options that the
package recognizes.
For packages that use the X Window System, `configure' can usually
find the X include and library files automatically, but if it doesn't,
you can use the `configure' options `--x-includes=DIR' and
`--x-libraries=DIR' to specify their locations.
Some packages offer the ability to configure how verbose the
execution of `make' will be. For these packages, running `./configure
--enable-silent-rules' sets the default to minimal output, which can be
overridden with `make V=1'; while running `./configure
--disable-silent-rules' sets the default to verbose, which can be
overridden with `make V=0'.
Particular systems
==================
On HP-UX, the default C compiler is not ANSI C compatible. If GNU
CC is not installed, it is recommended to use the following options in
order to use an ANSI C compiler:
./configure CC="cc -Ae -D_XOPEN_SOURCE=500"
and if that doesn't work, install pre-built binaries of GCC for HP-UX.
HP-UX `make' updates targets which have the same time stamps as
their prerequisites, which makes it generally unusable when shipped
generated files such as `configure' are involved. Use GNU `make'
instead.
On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot
parse its `<wchar.h>' header file. The option `-nodtk' can be used as
a workaround. If GNU CC is not installed, it is therefore recommended
to try
./configure CC="cc"
and if that doesn't work, try
./configure CC="cc -nodtk"
On Solaris, don't put `/usr/ucb' early in your `PATH'. This
directory contains several dysfunctional programs; working variants of
these programs are available in `/usr/bin'. So, if you need `/usr/ucb'
in your `PATH', put it _after_ `/usr/bin'.
On Haiku, software installed for all users goes in `/boot/common',
not `/usr/local'. It is recommended to use the following options:
./configure --prefix=/boot/common
Specifying the System Type
==========================
There may be some features `configure' cannot figure out
automatically, but needs to determine by the type of machine the package
will run on. Usually, assuming the package is built to be run on the
_same_ architectures, `configure' can figure that out, but if it prints
a message saying it cannot guess the machine type, give it the
`--build=TYPE' option. TYPE can either be a short name for the system
type, such as `sun4', or a canonical name which has the form:
CPU-COMPANY-SYSTEM
where SYSTEM can have one of these forms:
OS
KERNEL-OS
See the file `config.sub' for the possible values of each field. If
`config.sub' isn't included in this package, then this package doesn't
need to know the machine type.
If you are _building_ compiler tools for cross-compiling, you should
use the option `--target=TYPE' to select the type of system they will
produce code for.
If you want to _use_ a cross compiler, that generates code for a
platform different from the build platform, you should specify the
"host" platform (i.e., that on which the generated programs will
eventually be run) with `--host=TYPE'.
Sharing Defaults
================
If you want to set default values for `configure' scripts to share,
you can create a site shell script called `config.site' that gives
default values for variables like `CC', `cache_file', and `prefix'.
`configure' looks for `PREFIX/share/config.site' if it exists, then
`PREFIX/etc/config.site' if it exists. Or, you can set the
`CONFIG_SITE' environment variable to the location of the site script.
A warning: not all `configure' scripts look for a site script.
Defining Variables
==================
Variables not defined in a site shell script can be set in the
environment passed to `configure'. However, some packages may run
configure again during the build, and the customized values of these
variables may be lost. In order to avoid this problem, you should set
them in the `configure' command line, using `VAR=value'. For example:
./configure CC=/usr/local2/bin/gcc
causes the specified `gcc' to be used as the C compiler (unless it is
overridden in the site shell script).
Unfortunately, this technique does not work for `CONFIG_SHELL' due to
an Autoconf limitation. Until the limitation is lifted, you can use
this workaround:
CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash
`configure' Invocation
======================
`configure' recognizes the following options to control how it
operates.
`--help'
`-h'
Print a summary of all of the options to `configure', and exit.
`--help=short'
`--help=recursive'
Print a summary of the options unique to this package's
`configure', and exit. The `short' variant lists options used
only in the top level, while the `recursive' variant lists options
also present in any nested packages.
`--version'
`-V'
Print the version of Autoconf used to generate the `configure'
script, and exit.
`--cache-file=FILE'
Enable the cache: use and save the results of the tests in FILE,
traditionally `config.cache'. FILE defaults to `/dev/null' to
disable caching.
`--config-cache'
`-C'
Alias for `--cache-file=config.cache'.
`--quiet'
`--silent'
`-q'
Do not print messages saying which checks are being made. To
suppress all normal output, redirect it to `/dev/null' (any error
messages will still be shown).
`--srcdir=DIR'
Look for the package's source code in directory DIR. Usually
`configure' can determine that directory automatically.
`--prefix=DIR'
Use DIR as the installation prefix. *note Installation Names::
for more details, including other options available for fine-tuning
the installation locations.
`--no-create'
`-n'
Run the configure checks, but stop before creating any output
files.
`configure' also accepts some other, not widely useful, options. Run
`configure --help' for more details.
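Review bot: the stunnel-specific instructions removed at the top of this hunk (the -DTHREADS requirement for the SSL library, the --with-ssl=DIR, --with-random=FILE and --with-egd-socket=FILE configure options, and the stunnel.conf and init-script steps) have no replacement in the new generic Autoconf text, which only says to "see the README file for instructions specific to this package". Either keep a short stunnel section ahead of the generic text or confirm in this change that README now documents those options; --with-random in particular decides how the PRNG is seeded on systems without /dev/urandom, so losing its documentation matters more than the rest.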


@ -2,10 +2,12 @@ stunnel FIPS install notes
Unix HOWTO:
FIPS mode is autodetected if possible. You can force it with:
./configure --enable-fips
or disable with:
./configure --disable-fips
* Only dynamic linking of the FIPS-enabled OpenSSL is currently supported,
i.e. FIPS-enabled OpenSSL has to be configured with "shared" parameter.
* FIPS mode is autodetected if possible. It can be forced with:
./configure --enable-fips
or disable with:
./configure --disable-fips
WIN32 HOWTO:
* On 32-bit Windows install one of the following compilers:
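Review bot: grammar on the new line "or disable with:", which follows "It can be forced with:" and should read "or disabled with:". The new bullet restricting support to dynamically linked FIPS-enabled OpenSSL is a useful addition; consider also stating what configure does when --enable-fips is given but no FIPS-capable OpenSSL is found (fail, or build without FIPS), since an operator who relies on FIPS mode needs the build to refuse rather than quietly degrade.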
@ -15,7 +17,7 @@ WIN32 HOWTO:
- MSVC 8.0 (VS 2005) Standard or Professional Edition
- MSVC 9.0 (VS 2008) Standard or Professional Edition
* Build FIPS-compliant OpenSSL DLLS according to:
http://www.openssl.org/docs/fips/UserGuide-1.2.pdf
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
* Build stunnel normally with MSVC or Mingw.
Mingw build requires DLL stubs. Stubs can be built with:
dlltool --def ms/libeay32.def --output-lib libcrypto.a
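Review bot: only the UserGuide link moves from 1.2 to 2.0 in this hunk, but the compiler list left unchanged above it (MSVC 8.0 and 9.0) was written for the 1.2 module; a FIPS validation is tied to the build environment listed in the guide, so the compiler list should be re-checked against the 2.0 guide in the same change instead of being left as-is. Switching the download link to https is the right call in a document that tells the reader which binaries to trust.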


@ -1,51 +1,66 @@
stunnel Windows install notes
Building stunnel from source (optional):
Cross-compiling stunnel from source with MinGW (optional):
1) Install mingw32 cross-compiler o a Unix/Linux machine.
In Debian all you need is:
apt-get install gcc-mingw32
Native compilation on a Windows machine is possible, but not supported.
1) Install the mingw32 cross-compiler on a Unix/Linux machine.
On Debian (and derivatives, including Ubuntu):
sudo apt-get install gcc-mingw-w64-i686
On Arch Linux:
sudo pacman -S mingw-w64-gcc
2) Download the recent zlib from http://www.zlib.net/
Update the following definitions in win32/Makefile.gcc file:
SHARED_MODE=1
PREFIX = i586-mingw32msvc-
then build zlib with:
make -f win32/Makefile.gcc
and install it in mingw32 tree:
sudo BINARY_PATH=~/ \
INCLUDE_PATH=/usr/i586-mingw32msvc/include/ \
LIBRARY_PATH=/usr/i586-mingw32msvc/lib/ \
make -f win32/Makefile.gcc install
3) Download the recent OpenSSL in unpack it to /usr/src/ directory.
cd /usr/src
2) Download the recent OpenSSL and unpack it:
tar zvxf ~/openssl-(version).tar.gz
mv openssl-(version) openssl-(version)-i586
mv openssl-(version) openssl-(version)-i686
cd openssl-(version)-i686/
4) Build OpenSSL.
./Configure --cross-compile-prefix=i586-mingw32msvc- mingw shared zlib-dynamic
3) Build OpenSSL.
For 32-bit Windows:
./Configure \
--cross-compile-prefix=i686-w64-mingw32- \
--openssldir=/opt/openssl-mingw mingw shared
make
sudo make install
sudo cp ms/applink.c /opt/openssl-mingw/include/openssl/
For 64-bit Windows:
./Configure \
--cross-compile-prefix=x86_64-w64-mingw32- \
--openssldir=/opt/openssl-mingw64 mingw64 shared
make
sudo make install
sudo cp ms/applink.c /opt/openssl-mingw64/include/openssl/
5) Download and unpack stunnel-(version).tar.gz.
4) Download and unpack stunnel-(version).tar.gz.
6) Configure stunnel.
5) Configure stunnel:
cd stunnel-(version)
./configure --with-ssl=/path/to/openssl-(version)
./configure
7) Build windows executable.
6) Build Windows 32-bit and/or 64-bit executables:
cd src
make stunnel.exe
make mingw
make mingw64
Building stunnel from source with MinGW (optional):
Building on a Windows machine is possible, but not currently supported.
Building stunnel from source with Visual Studio (optional):
TODO
Installing stunnel:
1) run installer to install precompiled binaries or copy stunnel.exe and
OpenSSL DLLs into a directory
1) Run installer to install the precompiled binaries, or
copy the stunnel.exe or tstunnel.exe executable located in the
/stunnel-(version)/bin/mingw/ directory into the destination
directory on a Windows machine, and
copy OpenSSL DLLs: libeay32.dll, libssp-0.dll and ssleay32.dll
into the same directory, if necessary.
2) read the manual (stunnel.html)
3) create/edit stunnel.conf configuration file
2) Read the manual (stunnel.html).
3) Create/edit the stunnel.conf configuration file.
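Review bot: step 5 in the new text drops "--with-ssl=/path/to/openssl-(version)" and runs a bare "./configure", yet step 3 installs OpenSSL under /opt/openssl-mingw and /opt/openssl-mingw64. State how the "make mingw" and "make mingw64" targets locate those trees (a path fixed in src/Makefile, an environment variable, or a configure option), otherwise a reader who installed OpenSSL elsewhere cannot adapt the instructions. Also, the DLL names listed in the install section (libeay32.dll, ssleay32.dll) are the OpenSSL 1.0.x names, so the step should say which OpenSSL version it assumes.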


@ -1,4 +1,5 @@
## Process this file with automake to produce Makefile.in
# by Michal Trojnara 2015-2017
ACLOCAL_AMFLAGS = -I m4
@ -10,7 +11,7 @@ libtool: $(LIBTOOL_DEPS)
EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS
EXTRA_DIST += INSTALL.W32 INSTALL.WCE INSTALL.FIPS
EXTRA_DIST += build-android.sh
EXTRA_DIST += build-android.sh .travis.yml
docdir = $(datadir)/doc/stunnel
doc_DATA = INSTALL README TODO COPYING AUTHORS ChangeLog
@ -21,19 +22,39 @@ distcleancheck_listfiles = find -type f -exec sh -c 'test -f $(srcdir)/{} || ech
distclean-local:
rm -rf autom4te.cache
rm -f $(distdir)-installer.exe
# rm -f $(distdir)-win32-installer.exe
#dist-hook:
# makensis -NOCD -DVERSION=${VERSION} -DSRCDIR=$(srcdir) \
# -DOPENSSL=/usr/src/openssl-0.9.8u-fips/out32dll \
# -DZLIB=/usr/src/zlib-1.2.6-i586 \
# makensis -NOCD -DVERSION=${VERSION} \
# -DSTUNNEL_DIR=$(srcdir) \
# -DROOT_DIR=/usr/src \
# $(srcdir)/tools/stunnel.nsi
# cp -f $(distdir)-installer.exe ../dist
# gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir)-installer.exe
sign: dist
cp -f $(distdir).tar.gz ../dist
gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir).tar.gz
sha256sum $(distdir).tar.gz | tee ../dist/$(distdir).tar.gz.sha256
cp -f $(distdir).tar.gz $(distdir)-win32-installer.exe $(distdir)-android.zip ../dist
gpg-agent --daemon /bin/sh -c "cd ../dist; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir).tar.gz; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-win32-installer.exe; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-android.zip"
sha256sum $(distdir).tar.gz >../dist/$(distdir).tar.gz.sha256
sha256sum $(distdir)-win32-installer.exe >../dist/$(distdir)-win32-installer.exe.sha256
sha256sum $(distdir)-android.zip >../dist/$(distdir)-android.zip.sha256
cat ../dist/$(distdir)*.sha256 | tac
cert:
$(MAKE) -C tools cert
test:
$(abs_builddir)/src/stunnel -version
@echo "No tests are currently implemented"
install-data-hook:
@echo "*********************************************************"
@echo "* Type 'make cert' to also install a sample certificate *"
@echo "*********************************************************"
edit = sed \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g'
stunnel.pod: Makefile
$(edit) '$(srcdir)/$@.in' >$@
stunnel.pod: $(srcdir)/stunnel.pod
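Review bot: the new "test" target only runs "stunnel -version" and then echoes that no tests are implemented, so anything that uses "make test" as a gate passes as long as the binary links and starts; even a loopback client/server connection here would make the target a real check. On the "sign" target: --force-v3-sigs is obsolete in GnuPG 2.1 and later (accepted but ignored), and running the three gpg commands through one "gpg-agent --daemon /bin/sh -c" string without "&&" means a failed signature on the second or third file does not stop the recipe, so the .sha256 files are still written; chain the three signing commands with "&&" so a failure aborts before the checksums are produced.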


@ -1,9 +1,8 @@
# Makefile.in generated by automake 1.11.1 from Makefile.am.
# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
# Inc.
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@ -15,7 +14,54 @@
@SET_MAKE@
# by Michal Trojnara 2015-2017
VPATH = @srcdir@
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@ -35,11 +81,14 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = .
DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \
$(srcdir)/Makefile.in $(top_srcdir)/configure AUTHORS COPYING \
ChangeLog INSTALL NEWS TODO auto/compile auto/config.guess \
auto/config.sub auto/depcomp auto/install-sh auto/ltmain.sh \
auto/missing
DIST_COMMON = INSTALL NEWS README AUTHORS ChangeLog \
$(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(top_srcdir)/configure $(am__configure_deps) COPYING TODO \
auto/compile auto/config.guess auto/config.sub auto/depcomp \
auto/install-sh auto/missing auto/ltmain.sh \
$(top_srcdir)/auto/compile $(top_srcdir)/auto/config.guess \
$(top_srcdir)/auto/config.sub $(top_srcdir)/auto/install-sh \
$(top_srcdir)/auto/ltmain.sh $(top_srcdir)/auto/missing
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
@ -53,15 +102,33 @@ mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/src/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
SOURCES =
DIST_SOURCES =
RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
html-recursive info-recursive install-data-recursive \
install-dvi-recursive install-exec-recursive \
install-html-recursive install-info-recursive \
install-pdf-recursive install-ps-recursive install-recursive \
installcheck-recursive installdirs-recursive pdf-recursive \
ps-recursive uninstall-recursive
RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
ctags-recursive dvi-recursive html-recursive info-recursive \
install-data-recursive install-dvi-recursive \
install-exec-recursive install-html-recursive \
install-info-recursive install-pdf-recursive \
install-ps-recursive install-recursive installcheck-recursive \
installdirs-recursive pdf-recursive ps-recursive \
tags-recursive uninstall-recursive
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@ -83,23 +150,53 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
am__installdirs = "$(DESTDIR)$(docdir)"
DATA = $(doc_DATA)
RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
distclean-recursive maintainer-clean-recursive
AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
$(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \
distdir dist dist-all distcheck
am__recursive_targets = \
$(RECURSIVE_TARGETS) \
$(RECURSIVE_CLEAN_TARGETS) \
$(am__extra_recursive_targets)
AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
cscope distdir dist dist-all distcheck
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates. Input order is
# *not* preserved.
am__uniquify_input = $(AWK) '\
BEGIN { nonempty = 0; } \
{ items[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in items) print i; }; } \
'
# Make sure the list of sources is unique. This is necessary because,
# e.g., the same source file might be shared among _SOURCES variables
# for different programs/libraries.
am__define_uniq_tagged_files = \
list='$(am__tagged_files)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
CSCOPE = cscope
DIST_SUBDIRS = $(SUBDIRS)
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
distdir = $(PACKAGE)-$(VERSION)
top_distdir = $(distdir)
am__remove_distdir = \
{ test ! -d "$(distdir)" \
|| { find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
&& rm -fr "$(distdir)"; }; }
if test -d "$(distdir)"; then \
find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
&& rm -rf "$(distdir)" \
|| { sleep 5 && rm -rf "$(distdir)"; }; \
else :; fi
am__post_remove_distdir = $(am__remove_distdir)
am__relativize = \
dir0=`pwd`; \
sed_first='s,^\([^/]*\)/.*$$,\1,'; \
@ -127,9 +224,13 @@ am__relativize = \
reldir="$$dir2"
DIST_ARCHIVES = $(distdir).tar.gz
GZIP_ENV = --best
DIST_TARGETS = dist-gzip
distuninstallcheck_listfiles = find . -type f -print
am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \
| sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$'
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
@ -144,6 +245,7 @@ CYGPATH_W = @CYGPATH_W@
DEFAULT_GROUP = @DEFAULT_GROUP@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@ -168,6 +270,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
@ -183,6 +286,9 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PTHREAD_CC = @PTHREAD_CC@
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
PTHREAD_LIBS = @PTHREAD_LIBS@
RANDOM_FILE = @RANDOM_FILE@
RANLIB = @RANLIB@
SED = @SED@
@ -195,6 +301,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@ -202,6 +309,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
ax_pthread_config = @ax_pthread_config@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@ -227,7 +335,6 @@ libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
lt_ECHO = @lt_ECHO@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
@ -235,12 +342,10 @@ pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
stunnel_CFLAGS = @stunnel_CFLAGS@
stunnel_LDFLAGF = @stunnel_LDFLAGF@
stunnel_LDFLAGS = @stunnel_LDFLAGS@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
@ -249,14 +354,18 @@ top_srcdir = @top_srcdir@
ACLOCAL_AMFLAGS = -I m4
SUBDIRS = src doc tools
EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE \
INSTALL.FIPS build-android.sh
INSTALL.FIPS build-android.sh .travis.yml
doc_DATA = INSTALL README TODO COPYING AUTHORS ChangeLog PORTS BUGS \
COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE INSTALL.FIPS
distcleancheck_listfiles = find -type f -exec sh -c 'test -f $(srcdir)/{} || echo {}' ';'
edit = sed \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g'
all: all-recursive
.SUFFIXES:
am--refresh:
am--refresh: Makefile
@:
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
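Review bot: The `distcleancheck_listfiles` definition in this hunk splices `{}` into the text of the `sh -c` script, so each file name that `find` yields becomes shell source; a name containing quotes, `$`, backticks or `;` is executed rather than tested. Pass the name as a positional parameter instead, e.g. `find . -type f -exec sh -c 'test -f "$(srcdir)/$$1" || echo "$$1"' sh {} ';'`. The same line also invokes `find` without a path operand, which POSIX requires and only GNU find tolerates, hence the explicit `.` above. Since the `$(srcdir)/Makefile.in: $(srcdir)/Makefile.am` rule in this hunk regenerates this file, the fix belongs in Makefile.am.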
@ -301,8 +410,11 @@ distclean-libtool:
-rm -f libtool config.lt
install-docDATA: $(doc_DATA)
@$(NORMAL_INSTALL)
test -z "$(docdir)" || $(MKDIR_P) "$(DESTDIR)$(docdir)"
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
@ -316,27 +428,28 @@ uninstall-docDATA:
@$(NORMAL_UNINSTALL)
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
test -n "$$files" || exit 0; \
echo " ( cd '$(DESTDIR)$(docdir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(docdir)" && rm -f $$files
dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir)
# This directory's subdirectories are mostly independent; you can cd
# into them and run `make' without going through this Makefile.
# To change the values of `make' variables: instead of editing Makefiles,
# (1) if the variable is set in `config.status', edit `config.status'
# (which will cause the Makefiles to be regenerated when you run `make');
# (2) otherwise, pass the desired values on the `make' command line.
$(RECURSIVE_TARGETS):
@fail= failcom='exit 1'; \
for f in x $$MAKEFLAGS; do \
case $$f in \
*=* | --[!k]*);; \
*k*) failcom='fail=yes';; \
esac; \
done; \
# into them and run 'make' without going through this Makefile.
# To change the values of 'make' variables: instead of editing Makefiles,
# (1) if the variable is set in 'config.status', edit 'config.status'
# (which will cause the Makefiles to be regenerated when you run 'make');
# (2) otherwise, pass the desired values on the 'make' command line.
$(am__recursive_targets):
@fail=; \
if $(am__make_keepgoing); then \
failcom='fail=yes'; \
else \
failcom='exit 1'; \
fi; \
dot_seen=no; \
target=`echo $@ | sed s/-recursive//`; \
list='$(SUBDIRS)'; for subdir in $$list; do \
case "$@" in \
distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
*) list='$(SUBDIRS)' ;; \
esac; \
for subdir in $$list; do \
echo "Making $$target in $$subdir"; \
if test "$$subdir" = "."; then \
dot_seen=yes; \
@ -351,57 +464,12 @@ $(RECURSIVE_TARGETS):
$(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
fi; test -z "$$fail"
$(RECURSIVE_CLEAN_TARGETS):
@fail= failcom='exit 1'; \
for f in x $$MAKEFLAGS; do \
case $$f in \
*=* | --[!k]*);; \
*k*) failcom='fail=yes';; \
esac; \
done; \
dot_seen=no; \
case "$@" in \
distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
*) list='$(SUBDIRS)' ;; \
esac; \
rev=''; for subdir in $$list; do \
if test "$$subdir" = "."; then :; else \
rev="$$subdir $$rev"; \
fi; \
done; \
rev="$$rev ."; \
target=`echo $@ | sed s/-recursive//`; \
for subdir in $$rev; do \
echo "Making $$target in $$subdir"; \
if test "$$subdir" = "."; then \
local_target="$$target-am"; \
else \
local_target="$$target"; \
fi; \
($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
|| eval $$failcom; \
done && test -z "$$fail"
tags-recursive:
list='$(SUBDIRS)'; for subdir in $$list; do \
test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
done
ctags-recursive:
list='$(SUBDIRS)'; for subdir in $$list; do \
test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
done
ID: $(am__tagged_files)
$(am__define_uniq_tagged_files); mkid -fID $$unique
tags: tags-recursive
TAGS: tags
ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
set x; \
here=`pwd`; \
if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
@ -417,12 +485,7 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
fi; \
done; \
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
$(am__define_uniq_tagged_files); \
shift; \
if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
@ -434,15 +497,11 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$$unique; \
fi; \
fi
ctags: CTAGS
CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
ctags: ctags-recursive
CTAGS: ctags
ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
$(am__define_uniq_tagged_files); \
test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
$$unique
@ -451,9 +510,31 @@ GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
&& $(am__cd) $(top_srcdir) \
&& gtags -i $(GTAGS_ARGS) "$$here"
cscope: cscope.files
test ! -s cscope.files \
|| $(CSCOPE) -b -q $(AM_CSCOPEFLAGS) $(CSCOPEFLAGS) -i cscope.files $(CSCOPE_ARGS)
clean-cscope:
-rm -f cscope.files
cscope.files: clean-cscope cscopelist
cscopelist: cscopelist-recursive
cscopelist-am: $(am__tagged_files)
list='$(am__tagged_files)'; \
case "$(srcdir)" in \
[\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
*) sdir=$(subdir)/$(srcdir) ;; \
esac; \
for i in $$list; do \
if test -f "$$i"; then \
echo "$(subdir)/$$i"; \
else \
echo "$$sdir/$$i"; \
fi; \
done >> $(top_builddir)/cscope.files
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-rm -f cscope.out cscope.in.out cscope.po.out cscope.files
distdir: $(DISTFILES)
$(am__remove_distdir)
@ -489,13 +570,10 @@ distdir: $(DISTFILES)
done
@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
if test "$$subdir" = .; then :; else \
test -d "$(distdir)/$$subdir" \
|| $(MKDIR_P) "$(distdir)/$$subdir" \
|| exit 1; \
fi; \
done
@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
if test "$$subdir" = .; then :; else \
$(am__make_dryrun) \
|| test -d "$(distdir)/$$subdir" \
|| $(MKDIR_P) "$(distdir)/$$subdir" \
|| exit 1; \
dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
$(am__relativize); \
new_distdir=$$reldir; \
@ -524,36 +602,42 @@ distdir: $(DISTFILES)
|| chmod -R a+r "$(distdir)"
dist-gzip: distdir
tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
$(am__remove_distdir)
$(am__post_remove_distdir)
dist-bzip2: distdir
tardir=$(distdir) && $(am__tar) | bzip2 -9 -c >$(distdir).tar.bz2
$(am__remove_distdir)
tardir=$(distdir) && $(am__tar) | BZIP2=$${BZIP2--9} bzip2 -c >$(distdir).tar.bz2
$(am__post_remove_distdir)
dist-lzma: distdir
tardir=$(distdir) && $(am__tar) | lzma -9 -c >$(distdir).tar.lzma
$(am__remove_distdir)
dist-lzip: distdir
tardir=$(distdir) && $(am__tar) | lzip -c $${LZIP_OPT--9} >$(distdir).tar.lz
$(am__post_remove_distdir)
dist-xz: distdir
tardir=$(distdir) && $(am__tar) | xz -c >$(distdir).tar.xz
$(am__remove_distdir)
tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz
$(am__post_remove_distdir)
dist-tarZ: distdir
@echo WARNING: "Support for shar distribution archives is" \
"deprecated." >&2
@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z
$(am__remove_distdir)
$(am__post_remove_distdir)
dist-shar: distdir
@echo WARNING: "Support for distribution archives compressed with" \
"legacy program 'compress' is deprecated." >&2
@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz
$(am__remove_distdir)
$(am__post_remove_distdir)
dist-zip: distdir
-rm -f $(distdir).zip
zip -rq $(distdir).zip $(distdir)
$(am__remove_distdir)
$(am__post_remove_distdir)
dist dist-all: distdir
tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
$(am__remove_distdir)
dist dist-all:
$(MAKE) $(AM_MAKEFLAGS) $(DIST_TARGETS) am__post_remove_distdir='@:'
$(am__post_remove_distdir)
# This target untars the dist file and tries a VPATH configuration. Then
# it guarantees that the distribution is self-contained by making another
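Review bot: The deprecation warnings under `dist-tarZ` and `dist-shar` are swapped: the `compress`-based `dist-tarZ` target warns that "Support for shar distribution archives is deprecated", while `dist-shar` warns about "legacy program 'compress'". These lines are emitted by the automake release used to regenerate Makefile.in, so they should be corrected by regenerating with automake rather than hand-editing the generated file.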
@ -564,8 +648,8 @@ distcheck: dist
GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\
*.tar.bz2*) \
bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\
*.tar.lzma*) \
lzma -dc $(distdir).tar.lzma | $(am__untar) ;;\
*.tar.lz*) \
lzip -dc $(distdir).tar.lz | $(am__untar) ;;\
*.tar.xz*) \
xz -dc $(distdir).tar.xz | $(am__untar) ;;\
*.tar.Z*) \
@ -575,17 +659,19 @@ distcheck: dist
*.zip*) \
unzip $(distdir).zip ;;\
esac
chmod -R a-w $(distdir); chmod u+w $(distdir)
mkdir $(distdir)/_build
mkdir $(distdir)/_inst
chmod -R a-w $(distdir)
chmod u+w $(distdir)
mkdir $(distdir)/_build $(distdir)/_inst
chmod a-w $(distdir)
test -d $(distdir)/_build || exit 0; \
dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \
&& dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
&& am__cwd=`pwd` \
&& $(am__cd) $(distdir)/_build \
&& ../configure --srcdir=.. --prefix="$$dc_install_base" \
&& ../configure \
$(AM_DISTCHECK_CONFIGURE_FLAGS) \
$(DISTCHECK_CONFIGURE_FLAGS) \
--srcdir=.. --prefix="$$dc_install_base" \
&& $(MAKE) $(AM_MAKEFLAGS) \
&& $(MAKE) $(AM_MAKEFLAGS) dvi \
&& $(MAKE) $(AM_MAKEFLAGS) check \
@ -608,13 +694,21 @@ distcheck: dist
&& $(MAKE) $(AM_MAKEFLAGS) distcleancheck \
&& cd "$$am__cwd" \
|| exit 1
$(am__remove_distdir)
$(am__post_remove_distdir)
@(echo "$(distdir) archives ready for distribution: "; \
list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \
sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x'
distuninstallcheck:
@$(am__cd) '$(distuninstallcheck_dir)' \
&& test `$(distuninstallcheck_listfiles) | wc -l` -le 1 \
@test -n '$(distuninstallcheck_dir)' || { \
echo 'ERROR: trying to run $@ with an empty' \
'$$(distuninstallcheck_dir)' >&2; \
exit 1; \
}; \
$(am__cd) '$(distuninstallcheck_dir)' || { \
echo 'ERROR: cannot chdir into $(distuninstallcheck_dir)' >&2; \
exit 1; \
}; \
test `$(am__distuninstallcheck_listfiles) | wc -l` -eq 0 \
|| { echo "ERROR: files left after uninstall:" ; \
if test -n "$(DESTDIR)"; then \
echo " (check DESTDIR support)"; \
@ -648,10 +742,15 @@ install-am: all-am
installcheck: installcheck-recursive
install-strip:
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
`test -z '$(STRIP)' || \
echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
@ -686,7 +785,8 @@ info: info-recursive
info-am:
install-data-am: install-docDATA
@$(NORMAL_INSTALL)
$(MAKE) $(AM_MAKEFLAGS) install-data-hook
install-dvi: install-dvi-recursive
install-dvi-am:
@ -733,46 +833,63 @@ ps-am:
uninstall-am: uninstall-docDATA
.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \
install-am install-strip tags-recursive
.MAKE: $(am__recursive_targets) install-am install-data-am \
install-strip
.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
all all-am am--refresh check check-am clean clean-generic \
clean-libtool ctags ctags-recursive dist dist-all dist-bzip2 \
dist-gzip dist-lzma dist-shar dist-tarZ dist-xz dist-zip \
distcheck distclean distclean-generic distclean-libtool \
distclean-local distclean-tags distcleancheck distdir \
distuninstallcheck dvi dvi-am html html-am info info-am \
install install-am install-data install-data-am \
install-docDATA install-dvi install-dvi-am install-exec \
install-exec-am install-html install-html-am install-info \
install-info-am install-man install-pdf install-pdf-am \
install-ps install-ps-am install-strip installcheck \
installcheck-am installdirs installdirs-am maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-generic \
mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \
uninstall uninstall-am uninstall-docDATA
.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \
am--refresh check check-am clean clean-cscope clean-generic \
clean-libtool cscope cscopelist-am ctags ctags-am dist \
dist-all dist-bzip2 dist-gzip dist-lzip dist-shar dist-tarZ \
dist-xz dist-zip distcheck distclean distclean-generic \
distclean-libtool distclean-local distclean-tags \
distcleancheck distdir distuninstallcheck dvi dvi-am html \
html-am info info-am install install-am install-data \
install-data-am install-data-hook install-docDATA install-dvi \
install-dvi-am install-exec install-exec-am install-html \
install-html-am install-info install-info-am install-man \
install-pdf install-pdf-am install-ps install-ps-am \
install-strip installcheck installcheck-am installdirs \
installdirs-am maintainer-clean maintainer-clean-generic \
mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
ps ps-am tags tags-am uninstall uninstall-am uninstall-docDATA
libtool: $(LIBTOOL_DEPS)
$(SHELL) ./config.status libtool
distclean-local:
rm -rf autom4te.cache
rm -f $(distdir)-installer.exe
# rm -f $(distdir)-win32-installer.exe
#dist-hook:
# makensis -NOCD -DVERSION=${VERSION} -DSRCDIR=$(srcdir) \
# -DOPENSSL=/usr/src/openssl-0.9.8u-fips/out32dll \
# -DZLIB=/usr/src/zlib-1.2.6-i586 \
# makensis -NOCD -DVERSION=${VERSION} \
# -DSTUNNEL_DIR=$(srcdir) \
# -DROOT_DIR=/usr/src \
# $(srcdir)/tools/stunnel.nsi
# cp -f $(distdir)-installer.exe ../dist
# gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir)-installer.exe
sign: dist
cp -f $(distdir).tar.gz ../dist
gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir).tar.gz
sha256sum $(distdir).tar.gz | tee ../dist/$(distdir).tar.gz.sha256
cp -f $(distdir).tar.gz $(distdir)-win32-installer.exe $(distdir)-android.zip ../dist
gpg-agent --daemon /bin/sh -c "cd ../dist; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir).tar.gz; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-win32-installer.exe; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-android.zip"
sha256sum $(distdir).tar.gz >../dist/$(distdir).tar.gz.sha256
sha256sum $(distdir)-win32-installer.exe >../dist/$(distdir)-win32-installer.exe.sha256
sha256sum $(distdir)-android.zip >../dist/$(distdir)-android.zip.sha256
cat ../dist/$(distdir)*.sha256 | tac
cert:
$(MAKE) -C tools cert
test:
$(abs_builddir)/src/stunnel -version
@echo "No tests are currently implemented"
install-data-hook:
@echo "*********************************************************"
@echo "* Type 'make cert' to also install a sample certificate *"
@echo "*********************************************************"
stunnel.pod: Makefile
$(edit) '$(srcdir)/$@.in' >$@
stunnel.pod: $(srcdir)/stunnel.pod
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
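Review bot: The `sign` target passes `--force-v3-sigs` to all three `gpg --detach-sign` invocations; on GnuPG 1.4/2.0 this forces the deprecated OpenPGP v3 signature format (no signature subpackets), and on GnuPG 2.1 and later the option is an ignored no-op, so it weakens the release signatures where it takes effect and buys nothing where it does not. Drop it and let gpg emit v4 signatures. In the same hunk, the `test` target only runs `$(abs_builddir)/src/stunnel -version` and then echoes "No tests are currently implemented", so a successful `make test` exercises nothing beyond binary start-up; anything gating on it should not read a pass as test coverage.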

13
PORTS

@ -1,22 +1,17 @@
stunnel known port maintainers
* AmigaOS
- Diego Casorran <dcr8520@amiga.org>
* Cygwin
- Andrew Schulman <andrex@alumni.utexas.net>
* Debian GNU/Linux
- Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com>
- Peter Pentchev <roam@ringlet.net>
* FreeBSD
- Ryan Steinmetz <zi@FreeBSD.org>
* NetBSD
- Martti Kuparinen <martti.kuparinen@iki.fi>
* OpenBSD
- Jakob Schlyter <jakob@openbsd.org>
* OpenSolaris
- Mark Fenwick <Mark.Fenwick@sun.com>
* OS/2
- Paul Smedley <paul@smedley.info>
- Gleydson Soares <gsoares@openbsd.org>
* OpenCSW Solaris
- Dagobert Michelsen <dam@opencsw.org>
* RedHat Linux
- Damien Miller <dmiller@ilogic.com.au>

55
TODO

@ -3,41 +3,48 @@ stunnel TODO
High priority features. They will likely be supported some day.
A sponsor could allocate my time to get them faster.
* Perform protocol negotiations after SSL negotiations if possible.
* Command-line server control interface on both Unix and Windows.
* Separate GUI process running as current user on Windows.
* Add client certificate autoselection based on the list of accepted issuers:
SSL_CTX_set_client_cert_cb(), SSL_get_client_CA_list().
* Add an Apparmor profile.
* Optional line-buffering of the log file.
* etc/stunnel/conf.d/* files automatically processed while reading
etc/stunnel/stunnel.conf
* Android GUI.
* Support for CryptoAPI certificates and private keys with OpenSSL CAPI
engine (this feature is incompatible with FIPS support).
* Indirect CRL support (RFC 3280, section 5).
* Log rotation on Windows.
* Configuration file option to limit the number of concurrent connections.
* SOCKS 4 protocol support.
http://archive.socks.permeo.com/protocol/socks4.protocol
* Option to redirect instead of rejecting connections on failed authentication.
Low priority features. They will unlikely ever be supported.
* Implement reference counting of the SERVICE_OPTIONS structure
- Add 'leastconn' failover strategy to order defined 'connect' targets
by the number of active connections.
- Add '-status' command line option reporting the number of clients
connected to each service.
- Deallocate SERVICE_OPTIONS structure when the configuration file
is reloaded *and* old connections are closed.
* Command-line server control interface on both Unix and Windows.
* Separate GUI process running as the current user on Windows.
* An Android GUI.
* OCSP stapling (tlsext_status).
* Extend session tickets and/or sessiond to also serialize application
data ("redirect" state and session persistence).
* Indirect CRL support (RFC 3280, section 5).
* Provide 64-bit Windows builds (besides 32-bit builds).
This requires either Microsoft Visual Studio Standard Edition or Microsoft
Visual Studio Professional Edition in order to retain FIPS compliance.
* Service-level logging configuration (separate verbosity and destination).
* Key renegotiation (re-handshake) for long connections.
* MSI installer for Windows.
* Add user-defined headers to CONNECT proxy requests.
This can be used to impersonate other software (e.g. web browsers).
Low priority features. They will unlikely ever be supported.
* Database and/or directory interface for retrieving PSK secrets.
* Support static FIPS-enabled build.
* Service-level logging destination.
* Enforce key renegotiation (re-handshake) for long connections.
* Logging to NT EventLog on Windows.
* Log rotation on Windows.
* Internationalization of logged messages (i18n).
* Generic scripting engine instead or static protocol.c.
Features I won't support, unless convinced otherwise by a wealthy sponsor.
* Protocol support *after* SSL is negotiated:
- Support for adding X-Forwarded-For to HTTP request headers.
This feature is less useful since PROXY protocol support is available.
- Support for adding X-Forwarded-For to SMTP email headers.
This feature is most likely to be implemented as a separate proxy.
* Support for adding X-Forwarded-For to HTTP request headers.
This feature is less useful since PROXY protocol support is available.
* Support for adding X-Forwarded-For to SMTP email headers.
This feature is most likely to be implemented as a separate proxy.
* Additional certificate checks (including wildcard comparison) based on:
- CN (Common Name);
- SAN (Subject Alternative Name);
- O (Organization), and
- OU (Organizational Unit).
* Set processes title that appear on the ps(1) and top(1) commands.

1451
aclocal.m4 vendored

File diff suppressed because it is too large


@ -1,10 +1,9 @@
#! /bin/sh
# Wrapper for compilers which do not understand `-c -o'.
# Wrapper for compilers which do not understand '-c -o'.
scriptversion=2009-10-06.20; # UTC
scriptversion=2012-10-14.11; # UTC
# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2009 Free Software
# Foundation, Inc.
# Copyright (C) 1999-2013 Free Software Foundation, Inc.
# Written by Tom Tromey <tromey@cygnus.com>.
#
# This program is free software; you can redistribute it and/or modify
@ -29,21 +28,224 @@ scriptversion=2009-10-06.20; # UTC
# bugs to <bug-automake@gnu.org> or send patches to
# <automake-patches@gnu.org>.
nl='
'
# We need space, tab and new line, in precisely that order. Quoting is
# there to prevent tools from complaining about whitespace usage.
IFS=" "" $nl"
file_conv=
# func_file_conv build_file lazy
# Convert a $build file to $host form and store it in $file
# Currently only supports Windows hosts. If the determined conversion
# type is listed in (the comma separated) LAZY, no conversion will
# take place.
func_file_conv ()
{
file=$1
case $file in
/ | /[!/]*) # absolute file, and not a UNC file
if test -z "$file_conv"; then
# lazily determine how to convert abs files
case `uname -s` in
MINGW*)
file_conv=mingw
;;
CYGWIN*)
file_conv=cygwin
;;
*)
file_conv=wine
;;
esac
fi
case $file_conv/,$2, in
*,$file_conv,*)
;;
mingw/*)
file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'`
;;
cygwin/*)
file=`cygpath -m "$file" || echo "$file"`
;;
wine/*)
file=`winepath -w "$file" || echo "$file"`
;;
esac
;;
esac
}
# func_cl_dashL linkdir
# Make cl look for libraries in LINKDIR
func_cl_dashL ()
{
func_file_conv "$1"
if test -z "$lib_path"; then
lib_path=$file
else
lib_path="$lib_path;$file"
fi
linker_opts="$linker_opts -LIBPATH:$file"
}
# func_cl_dashl library
# Do a library search-path lookup for cl
func_cl_dashl ()
{
lib=$1
found=no
save_IFS=$IFS
IFS=';'
for dir in $lib_path $LIB
do
IFS=$save_IFS
if $shared && test -f "$dir/$lib.dll.lib"; then
found=yes
lib=$dir/$lib.dll.lib
break
fi
if test -f "$dir/$lib.lib"; then
found=yes
lib=$dir/$lib.lib
break
fi
if test -f "$dir/lib$lib.a"; then
found=yes
lib=$dir/lib$lib.a
break
fi
done
IFS=$save_IFS
if test "$found" != yes; then
lib=$lib.lib
fi
}
# func_cl_wrapper cl arg...
# Adjust compile command to suit cl
func_cl_wrapper ()
{
# Assume a capable shell
lib_path=
shared=:
linker_opts=
for arg
do
if test -n "$eat"; then
eat=
else
case $1 in
-o)
# configure might choose to run compile as 'compile cc -o foo foo.c'.
eat=1
case $2 in
*.o | *.[oO][bB][jJ])
func_file_conv "$2"
set x "$@" -Fo"$file"
shift
;;
*)
func_file_conv "$2"
set x "$@" -Fe"$file"
shift
;;
esac
;;
-I)
eat=1
func_file_conv "$2" mingw
set x "$@" -I"$file"
shift
;;
-I*)
func_file_conv "${1#-I}" mingw
set x "$@" -I"$file"
shift
;;
-l)
eat=1
func_cl_dashl "$2"
set x "$@" "$lib"
shift
;;
-l*)
func_cl_dashl "${1#-l}"
set x "$@" "$lib"
shift
;;
-L)
eat=1
func_cl_dashL "$2"
;;
-L*)
func_cl_dashL "${1#-L}"
;;
-static)
shared=false
;;
-Wl,*)
arg=${1#-Wl,}
save_ifs="$IFS"; IFS=','
for flag in $arg; do
IFS="$save_ifs"
linker_opts="$linker_opts $flag"
done
IFS="$save_ifs"
;;
-Xlinker)
eat=1
linker_opts="$linker_opts $2"
;;
-*)
set x "$@" "$1"
shift
;;
*.cc | *.CC | *.cxx | *.CXX | *.[cC]++)
func_file_conv "$1"
set x "$@" -Tp"$file"
shift
;;
*.c | *.cpp | *.CPP | *.lib | *.LIB | *.Lib | *.OBJ | *.obj | *.[oO])
func_file_conv "$1" mingw
set x "$@" "$file"
shift
;;
*)
set x "$@" "$1"
shift
;;
esac
fi
shift
done
if test -n "$linker_opts"; then
linker_opts="-link$linker_opts"
fi
exec "$@" $linker_opts
exit 1
}
eat=
case $1 in
'')
echo "$0: No command. Try \`$0 --help' for more information." 1>&2
echo "$0: No command. Try '$0 --help' for more information." 1>&2
exit 1;
;;
-h | --h*)
cat <<\EOF
Usage: compile [--help] [--version] PROGRAM [ARGS]
Wrapper for compilers which do not understand `-c -o'.
Remove `-o dest.o' from ARGS, run PROGRAM with the remaining
Wrapper for compilers which do not understand '-c -o'.
Remove '-o dest.o' from ARGS, run PROGRAM with the remaining
arguments, and rename the output as expected.
If you are trying to build a whole package this is not the
right script to run: please start by reading the file `INSTALL'.
right script to run: please start by reading the file 'INSTALL'.
Report bugs to <bug-automake@gnu.org>.
EOF
@ -53,11 +255,13 @@ EOF
echo "compile $scriptversion"
exit $?
;;
cl | *[/\\]cl | cl.exe | *[/\\]cl.exe )
func_cl_wrapper "$@" # Doesn't return...
;;
esac
ofile=
cfile=
eat=
for arg
do
@ -66,8 +270,8 @@ do
else
case $1 in
-o)
# configure might choose to run compile as `compile cc -o foo foo.c'.
# So we strip `-o arg' only if arg is an object.
# configure might choose to run compile as 'compile cc -o foo foo.c'.
# So we strip '-o arg' only if arg is an object.
eat=1
case $2 in
*.o | *.obj)
@ -94,10 +298,10 @@ do
done
if test -z "$ofile" || test -z "$cfile"; then
# If no `-o' option was seen then we might have been invoked from a
# If no '-o' option was seen then we might have been invoked from a
# pattern rule where we don't need one. That is ok -- this is a
# normal compilation that the losing compiler can handle. If no
# `.c' file was seen then we are probably linking. That is also
# '.c' file was seen then we are probably linking. That is also
# ok.
exec "$@"
fi
@ -106,7 +310,7 @@ fi
cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'`
# Create the lock directory.
# Note: use `[/\\:.-]' here to ensure that we don't use the same name
# Note: use '[/\\:.-]' here to ensure that we don't use the same name
# that we are using for the .o file. Also, base the name on the expected
# object file name, since that is what matters with a parallel build.
lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d

358
auto/config.guess vendored Normal file → Executable file

@ -1,14 +1,12 @@
#! /bin/sh
# Attempt to guess a canonical system name.
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
# 2011 Free Software Foundation, Inc.
# Copyright 1992-2014 Free Software Foundation, Inc.
timestamp='2011-11-11'
timestamp='2014-03-23'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
@ -17,26 +15,22 @@ timestamp='2011-11-11'
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
# 02110-1301, USA.
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# Originally written by Per Bothner. Please send patches (context
# diff format) to <config-patches@gnu.org> and include a ChangeLog
# entry.
# the same distribution terms that you use for the rest of that
# program. This Exception is an additional permission under section 7
# of the GNU General Public License, version 3 ("GPLv3").
#
# This script attempts to guess a canonical system name similar to
# config.sub. If it succeeds, it prints the system name on stdout, and
# exits with 0. Otherwise, it exits with 1.
# Originally written by Per Bothner.
#
# You can get the latest version of this script from:
# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
#
# Please send patches with a ChangeLog entry to config-patches@gnu.org.
me=`echo "$0" | sed -e 's,.*/,,'`
@ -56,9 +50,7 @@ version="\
GNU config.guess ($timestamp)
Originally written by Per Bothner.
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free
Software Foundation, Inc.
Copyright 1992-2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -140,12 +132,33 @@ UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown
UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
case "${UNAME_SYSTEM}" in
Linux|GNU|GNU/*)
# If the system lacks a compiler, then just pick glibc.
# We could probably try harder.
LIBC=gnu
eval $set_cc_for_build
cat <<-EOF > $dummy.c
#include <features.h>
#if defined(__UCLIBC__)
LIBC=uclibc
#elif defined(__dietlibc__)
LIBC=dietlibc
#else
LIBC=gnu
#endif
EOF
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'`
;;
esac
# Note: order is significant - the case branches are not exclusive.
case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
*:NetBSD:*:*)
# NetBSD (nbsd) targets should (where applicable) match one or
# more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
# more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*,
# *-*-netbsdecoff* and *-*-netbsd*. For targets that recently
# switched to ELF, *-*-netbsd* would select the old
# object file format. This provides both forward
@ -202,6 +215,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
echo "${machine}-${os}${release}"
exit ;;
*:Bitrig:*:*)
UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'`
echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE}
exit ;;
*:OpenBSD:*:*)
UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
@ -304,7 +321,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
echo arm-acorn-riscix${UNAME_RELEASE}
exit ;;
arm:riscos:*:*|arm:RISCOS:*:*)
arm*:riscos:*:*|arm*:RISCOS:*:*)
echo arm-unknown-riscos
exit ;;
SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
@ -803,10 +820,13 @@ EOF
i*:CYGWIN*:*)
echo ${UNAME_MACHINE}-pc-cygwin
exit ;;
*:MINGW64*:*)
echo ${UNAME_MACHINE}-pc-mingw64
exit ;;
*:MINGW*:*)
echo ${UNAME_MACHINE}-pc-mingw32
exit ;;
i*:MSYS*:*)
*:MSYS*:*)
echo ${UNAME_MACHINE}-pc-msys
exit ;;
i*:windows32*:*)
@ -854,15 +874,22 @@ EOF
exit ;;
*:GNU:*:*)
# the GNU system
echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
exit ;;
*:GNU/*:*:*)
# other systems with GNU libc and userland
echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu
echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC}
exit ;;
i*86:Minix:*:*)
echo ${UNAME_MACHINE}-pc-minix
exit ;;
aarch64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
aarch64_be:Linux:*:*)
UNAME_MACHINE=aarch64_be
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
alpha:Linux:*:*)
case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
EV5) UNAME_MACHINE=alphaev5 ;;
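Review bot: every branch touched here now depends on `${LIBC}` being set before this case statement, and that initialisation is outside the hunk. If it is empty, the Linux lines degrade to `aarch64-unknown-linux-` with a trailing dash and the GNU line runs `-unknown-` straight into the release number, so confirm the vendored file carries the matching LIBC detection block. The `aarch64_be:Linux:*:*)` arm re-assigns `UNAME_MACHINE=aarch64_be`, which is already what the pattern matched; harmless, but it can be dropped.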
@ -874,59 +901,54 @@ EOF
EV68*) UNAME_MACHINE=alphaev68 ;;
esac
objdump --private-headers /bin/sh | grep -q ld.so.1
if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
if test "$?" = 0 ; then LIBC="gnulibc1" ; fi
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
arc:Linux:*:* | arceb:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
arm*:Linux:*:*)
eval $set_cc_for_build
if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \
| grep -q __ARM_EABI__
then
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
else
if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \
| grep -q __ARM_PCS_VFP
then
echo ${UNAME_MACHINE}-unknown-linux-gnueabi
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi
else
echo ${UNAME_MACHINE}-unknown-linux-gnueabihf
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf
fi
fi
exit ;;
avr32*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
cris:Linux:*:*)
echo cris-axis-linux-gnu
echo ${UNAME_MACHINE}-axis-linux-${LIBC}
exit ;;
crisv32:Linux:*:*)
echo crisv32-axis-linux-gnu
echo ${UNAME_MACHINE}-axis-linux-${LIBC}
exit ;;
frv:Linux:*:*)
echo frv-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
hexagon:Linux:*:*)
echo hexagon-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
i*86:Linux:*:*)
LIBC=gnu
eval $set_cc_for_build
sed 's/^ //' << EOF >$dummy.c
#ifdef __dietlibc__
LIBC=dietlibc
#endif
EOF
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'`
echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
echo ${UNAME_MACHINE}-pc-linux-${LIBC}
exit ;;
ia64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
m32r*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
m68*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
mips:Linux:*:* | mips64:Linux:*:*)
eval $set_cc_for_build
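Review bot: two behaviour changes to call out. In the `alpha:Linux` arm the old `else LIBC=""` is gone, so when `objdump --private-headers /bin/sh | grep -q ld.so.1` fails the branch now keeps whatever the global `$LIBC` holds instead of emitting `-linux-gnu` with nothing appended; that is the intended generalisation but it is a different string. In the `i*86:Linux` arm the per-branch dietlibc probe (`LIBC=gnu`, the `#ifdef __dietlibc__` heredoc and the `eval`) is removed entirely, so dietlibc detection for i*86 must now come from the global LIBC logic; the echo also loses its double quotes, which is harmless here but inconsistent with the still-quoted `echo "${CPU}-unknown-linux-${LIBC}"` in the next hunk.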
@ -945,54 +967,63 @@ EOF
#endif
EOF
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; }
;;
or32:Linux:*:*)
echo or32-unknown-linux-gnu
openrisc*:Linux:*:*)
echo or1k-unknown-linux-${LIBC}
exit ;;
or32:Linux:*:* | or1k*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
padre:Linux:*:*)
echo sparc-unknown-linux-gnu
echo sparc-unknown-linux-${LIBC}
exit ;;
parisc64:Linux:*:* | hppa64:Linux:*:*)
echo hppa64-unknown-linux-gnu
echo hppa64-unknown-linux-${LIBC}
exit ;;
parisc:Linux:*:* | hppa:Linux:*:*)
# Look for CPU level
case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
PA7*) echo hppa1.1-unknown-linux-gnu ;;
PA8*) echo hppa2.0-unknown-linux-gnu ;;
*) echo hppa-unknown-linux-gnu ;;
PA7*) echo hppa1.1-unknown-linux-${LIBC} ;;
PA8*) echo hppa2.0-unknown-linux-${LIBC} ;;
*) echo hppa-unknown-linux-${LIBC} ;;
esac
exit ;;
ppc64:Linux:*:*)
echo powerpc64-unknown-linux-gnu
echo powerpc64-unknown-linux-${LIBC}
exit ;;
ppc:Linux:*:*)
echo powerpc-unknown-linux-gnu
echo powerpc-unknown-linux-${LIBC}
exit ;;
ppc64le:Linux:*:*)
echo powerpc64le-unknown-linux-${LIBC}
exit ;;
ppcle:Linux:*:*)
echo powerpcle-unknown-linux-${LIBC}
exit ;;
s390:Linux:*:* | s390x:Linux:*:*)
echo ${UNAME_MACHINE}-ibm-linux
echo ${UNAME_MACHINE}-ibm-linux-${LIBC}
exit ;;
sh64*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
sh*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
sparc:Linux:*:* | sparc64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
tile*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
vax:Linux:*:*)
echo ${UNAME_MACHINE}-dec-linux-gnu
echo ${UNAME_MACHINE}-dec-linux-${LIBC}
exit ;;
x86_64:Linux:*:*)
echo x86_64-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
xtensa*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-gnu
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
i*86:DYNIX/ptx:4*:*)
# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
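Review bot: the `s390:Linux:*:* | s390x:Linux:*:*)` arm changes the emitted triplet from `${UNAME_MACHINE}-ibm-linux` to `${UNAME_MACHINE}-ibm-linux-${LIBC}`, i.e. `s390x-ibm-linux` becomes `s390x-ibm-linux-gnu`. Anything in configure.ac, libtool tests or the Debian packaging that matches the old form exactly needs a corresponding update. Note also the asymmetry between the new `openrisc*:Linux:*:*)` arm, which normalises to `or1k-unknown-linux-${LIBC}`, and `or32:Linux:*:* | or1k*:Linux:*:*)`, which echoes `${UNAME_MACHINE}` verbatim.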
@ -1196,6 +1227,9 @@ EOF
BePC:Haiku:*:*) # Haiku running on Intel PC compatible.
echo i586-pc-haiku
exit ;;
x86_64:Haiku:*:*)
echo x86_64-unknown-haiku
exit ;;
SX-4:SUPER-UX:*:*)
echo sx4-nec-superux${UNAME_RELEASE}
exit ;;
@ -1222,19 +1256,31 @@ EOF
exit ;;
*:Darwin:*:*)
UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
case $UNAME_PROCESSOR in
i386)
eval $set_cc_for_build
if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null
then
UNAME_PROCESSOR="x86_64"
fi
fi ;;
unknown) UNAME_PROCESSOR=powerpc ;;
esac
eval $set_cc_for_build
if test "$UNAME_PROCESSOR" = unknown ; then
UNAME_PROCESSOR=powerpc
fi
if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then
if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null
then
case $UNAME_PROCESSOR in
i386) UNAME_PROCESSOR=x86_64 ;;
powerpc) UNAME_PROCESSOR=powerpc64 ;;
esac
fi
fi
elif test "$UNAME_PROCESSOR" = i386 ; then
# Avoid executing cc on OS X 10.9, as it ships with a stub
# that puts up a graphical alert prompting to install
# developer tools. Any system running Mac OS X 10.7 or
# later (Darwin 11 and later) is required to have a 64-bit
# processor. This is not true of the ARM version of Darwin
# that Apple uses in portable devices.
UNAME_PROCESSOR=x86_64
fi
echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
exit ;;
*:procnto*:*:* | *:QNX:[0123456789]*:*)
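Review bot: `eval $set_cc_for_build` now runs unconditionally at the top of the Darwin arm, whereas the old code evaluated it only inside the `i386)` case. If that snippet locates a compiler by trying to run one, the new comment about avoiding `cc` on OS X 10.9 is only partly honoured; moving the eval inside the `-le 10` branch would match the comment. Separately, `test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10` makes `test` report an error on a non-numeric release string, after which the `elif` path is taken; acceptable for Darwin, but worth knowing when stray stderr output shows up in a configure log.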
@ -1251,7 +1297,7 @@ EOF
NEO-?:NONSTOP_KERNEL:*:*)
echo neo-tandem-nsk${UNAME_RELEASE}
exit ;;
NSE-?:NONSTOP_KERNEL:*:*)
NSE-*:NONSTOP_KERNEL:*:*)
echo nse-tandem-nsk${UNAME_RELEASE}
exit ;;
NSR-?:NONSTOP_KERNEL:*:*)
@ -1320,159 +1366,11 @@ EOF
i*86:AROS:*:*)
echo ${UNAME_MACHINE}-pc-aros
exit ;;
x86_64:VMkernel:*:*)
echo ${UNAME_MACHINE}-unknown-esx
exit ;;
esac
#echo '(No uname command or uname output not recognized.)' 1>&2
#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
eval $set_cc_for_build
cat >$dummy.c <<EOF
#ifdef _SEQUENT_
# include <sys/types.h>
# include <sys/utsname.h>
#endif
main ()
{
#if defined (sony)
#if defined (MIPSEB)
/* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed,
I don't know.... */
printf ("mips-sony-bsd\n"); exit (0);
#else
#include <sys/param.h>
printf ("m68k-sony-newsos%s\n",
#ifdef NEWSOS4
"4"
#else
""
#endif
); exit (0);
#endif
#endif
#if defined (__arm) && defined (__acorn) && defined (__unix)
printf ("arm-acorn-riscix\n"); exit (0);
#endif
#if defined (hp300) && !defined (hpux)
printf ("m68k-hp-bsd\n"); exit (0);
#endif
#if defined (NeXT)
#if !defined (__ARCHITECTURE__)
#define __ARCHITECTURE__ "m68k"
#endif
int version;
version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
if (version < 4)
printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
else
printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
exit (0);
#endif
#if defined (MULTIMAX) || defined (n16)
#if defined (UMAXV)
printf ("ns32k-encore-sysv\n"); exit (0);
#else
#if defined (CMU)
printf ("ns32k-encore-mach\n"); exit (0);
#else
printf ("ns32k-encore-bsd\n"); exit (0);
#endif
#endif
#endif
#if defined (__386BSD__)
printf ("i386-pc-bsd\n"); exit (0);
#endif
#if defined (sequent)
#if defined (i386)
printf ("i386-sequent-dynix\n"); exit (0);
#endif
#if defined (ns32000)
printf ("ns32k-sequent-dynix\n"); exit (0);
#endif
#endif
#if defined (_SEQUENT_)
struct utsname un;
uname(&un);
if (strncmp(un.version, "V2", 2) == 0) {
printf ("i386-sequent-ptx2\n"); exit (0);
}
if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
printf ("i386-sequent-ptx1\n"); exit (0);
}
printf ("i386-sequent-ptx\n"); exit (0);
#endif
#if defined (vax)
# if !defined (ultrix)
# include <sys/param.h>
# if defined (BSD)
# if BSD == 43
printf ("vax-dec-bsd4.3\n"); exit (0);
# else
# if BSD == 199006
printf ("vax-dec-bsd4.3reno\n"); exit (0);
# else
printf ("vax-dec-bsd\n"); exit (0);
# endif
# endif
# else
printf ("vax-dec-bsd\n"); exit (0);
# endif
# else
printf ("vax-dec-ultrix\n"); exit (0);
# endif
#endif
#if defined (alliant) && defined (i860)
printf ("i860-alliant-bsd\n"); exit (0);
#endif
exit (1);
}
EOF
$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` &&
{ echo "$SYSTEM_NAME"; exit; }
# Apollos put the system type in the environment.
test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; }
# Convex versions that predate uname can use getsysinfo(1)
if [ -x /usr/convex/getsysinfo ]
then
case `getsysinfo -f cpu_type` in
c1*)
echo c1-convex-bsd
exit ;;
c2*)
if getsysinfo -f scalar_acc
then echo c32-convex-bsd
else echo c2-convex-bsd
fi
exit ;;
c34*)
echo c34-convex-bsd
exit ;;
c38*)
echo c38-convex-bsd
exit ;;
c4*)
echo c4-convex-bsd
exit ;;
esac
fi
cat >&2 <<EOF
$0: unable to guess system type
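Review bot: this hunk deletes the compile-and-run fallback outright, which is a welcome reduction in what config.guess does on an unrecognised host. The removed block wrote C source through an unquoted heredoc (`cat >$dummy.c <<EOF`), so the backtick expression in `version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;` was executed by the shell while generating the source, the result was then compiled and run (`$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy``), and the Apollo line printed `${ISP}-apollo-${SYSTYPE}` straight from the environment. Hosts that were only identified by that path now reach `$0: unable to guess system type`; that is a behaviour change worth a line in the package changelog. The new `x86_64:VMkernel:*:*)` arm is straightforward.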

auto/config.sub vendored Normal file → Executable file

@ -1,38 +1,31 @@
#! /bin/sh
# Configuration validation subroutine script.
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
# 2011 Free Software Foundation, Inc.
# Copyright 1992-2014 Free Software Foundation, Inc.
timestamp='2011-11-11'
timestamp='2014-09-11'
# This file is (in principle) common to ALL GNU software.
# The presence of a machine in this file suggests that SOME GNU software
# can handle that machine. It does not imply ALL GNU software can.
#
# This file is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
# 02110-1301, USA.
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# the same distribution terms that you use for the rest of that
# program. This Exception is an additional permission under section 7
# of the GNU General Public License, version 3 ("GPLv3").
# Please send patches to <config-patches@gnu.org>. Submit a context
# diff and a properly formatted GNU ChangeLog entry.
# Please send patches with a ChangeLog entry to config-patches@gnu.org.
#
# Configuration subroutine to validate and canonicalize a configuration type.
# Supply the specified configuration type as an argument.
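Review bot: the licence on this vendored file moves from GPL-2+ to GPL-3+ with the Autoconf exception (`either version 3 of the License, or` plus the `additional permission under section 7` paragraph), so debian/copyright must reflect the new terms for config.sub rather than the GPL-2 wording it presumably carries today. The file header also flips the mode from `Normal file` to `Executable file`, which is consistent with the `#! /bin/sh` line and with how configure invokes it.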
@ -75,9 +68,7 @@ Report bugs and patches to <config-patches@gnu.org>."
version="\
GNU config.sub ($timestamp)
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free
Software Foundation, Inc.
Copyright 1992-2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -125,13 +116,17 @@ esac
maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
case $maybe_os in
nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
knetbsd*-gnu* | netbsd*-gnu* | \
kopensolaris*-gnu* | \
storm-chaos* | os2-emx* | rtmk-nova*)
os=-$maybe_os
basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
;;
android-linux)
os=-linux-android
basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown
;;
*)
basic_machine=`echo $1 | sed 's/-[^-]*$//'`
if [ $basic_machine != $1 ]
@ -154,7 +149,7 @@ case $os in
-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
-apple | -axis | -knuth | -cray | -microblaze)
-apple | -axis | -knuth | -cray | -microblaze*)
os=
basic_machine=$1
;;
@ -223,6 +218,12 @@ case $os in
-isc*)
basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
;;
-lynx*178)
os=-lynxos178
;;
-lynx*5)
os=-lynxos5
;;
-lynx*)
os=-lynxos
;;
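Review bot: the two new arms `-lynx*178)` and `-lynx*5)` are correctly placed before the catch-all `-lynx*)`, which would otherwise swallow them and map everything to `-lynxos`; keep that order if further LynxOS variants are added, since `case` takes the first matching pattern.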
@ -247,13 +248,16 @@ case $basic_machine in
# Some are omitted here because they have special meanings below.
1750a | 580 \
| a29k \
| aarch64 | aarch64_be \
| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
| am33_2.0 \
| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \
| be32 | be64 \
| arc | arceb \
| arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \
| avr | avr32 \
| be32 | be64 \
| bfin \
| c4x | clipper \
| c4x | c8051 | clipper \
| d10v | d30v | dlx | dsp16xx \
| epiphany \
| fido | fr30 | frv \
@ -261,10 +265,11 @@ case $basic_machine in
| hexagon \
| i370 | i860 | i960 | ia64 \
| ip2k | iq2000 \
| k1om \
| le32 | le64 \
| lm32 \
| m32c | m32r | m32rle | m68000 | m68k | m88k \
| maxq | mb | microblaze | mcore | mep | metag \
| maxq | mb | microblaze | microblazeel | mcore | mep | metag \
| mips | mipsbe | mipseb | mipsel | mipsle \
| mips16 \
| mips64 | mips64el \
@ -278,23 +283,26 @@ case $basic_machine in
| mips64vr5900 | mips64vr5900el \
| mipsisa32 | mipsisa32el \
| mipsisa32r2 | mipsisa32r2el \
| mipsisa32r6 | mipsisa32r6el \
| mipsisa64 | mipsisa64el \
| mipsisa64r2 | mipsisa64r2el \
| mipsisa64r6 | mipsisa64r6el \
| mipsisa64sb1 | mipsisa64sb1el \
| mipsisa64sr71k | mipsisa64sr71kel \
| mipsr5900 | mipsr5900el \
| mipstx39 | mipstx39el \
| mn10200 | mn10300 \
| moxie \
| mt \
| msp430 \
| nds32 | nds32le | nds32be \
| nios | nios2 \
| nios | nios2 | nios2eb | nios2el \
| ns16k | ns32k \
| open8 \
| or32 \
| open8 | or1k | or1knd | or32 \
| pdp10 | pdp11 | pj | pjl \
| powerpc | powerpc64 | powerpc64le | powerpcle \
| pyramid \
| riscv32 | riscv64 \
| rl78 | rx \
| score \
| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
@ -319,8 +327,7 @@ case $basic_machine in
c6x)
basic_machine=tic6x-unknown
;;
m6811 | m68hc11 | m6812 | m68hc12 | picochip)
# Motorola 68HC11/12.
m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip)
basic_machine=$basic_machine-unknown
os=-none
;;
@ -333,7 +340,10 @@ case $basic_machine in
strongarm | thumb | xscale)
basic_machine=arm-unknown
;;
xgate)
basic_machine=$basic_machine-unknown
os=-none
;;
xscaleeb)
basic_machine=armeb-unknown
;;
@ -356,15 +366,16 @@ case $basic_machine in
# Recognize the basic CPU types with company name.
580-* \
| a29k-* \
| aarch64-* | aarch64_be-* \
| alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
| alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \
| arm-* | armbe-* | armle-* | armeb-* | armv*-* \
| avr-* | avr32-* \
| be32-* | be64-* \
| bfin-* | bs2000-* \
| c[123]* | c30-* | [cjt]90-* | c4x-* \
| clipper-* | craynv-* | cydra-* \
| c8051-* | clipper-* | craynv-* | cydra-* \
| d10v-* | d30v-* | dlx-* \
| elxsi-* \
| f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
@ -373,11 +384,13 @@ case $basic_machine in
| hexagon-* \
| i*86-* | i860-* | i960-* | ia64-* \
| ip2k-* | iq2000-* \
| k1om-* \
| le32-* | le64-* \
| lm32-* \
| m32c-* | m32r-* | m32rle-* \
| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
| m88110-* | m88k-* | maxq-* | mcore-* | metag-* | microblaze-* \
| m88110-* | m88k-* | maxq-* | mcore-* | metag-* \
| microblaze-* | microblazeel-* \
| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
| mips16-* \
| mips64-* | mips64el-* \
@ -391,18 +404,22 @@ case $basic_machine in
| mips64vr5900-* | mips64vr5900el-* \
| mipsisa32-* | mipsisa32el-* \
| mipsisa32r2-* | mipsisa32r2el-* \
| mipsisa32r6-* | mipsisa32r6el-* \
| mipsisa64-* | mipsisa64el-* \
| mipsisa64r2-* | mipsisa64r2el-* \
| mipsisa64r6-* | mipsisa64r6el-* \
| mipsisa64sb1-* | mipsisa64sb1el-* \
| mipsisa64sr71k-* | mipsisa64sr71kel-* \
| mipsr5900-* | mipsr5900el-* \
| mipstx39-* | mipstx39el-* \
| mmix-* \
| mt-* \
| msp430-* \
| nds32-* | nds32le-* | nds32be-* \
| nios-* | nios2-* \
| nios-* | nios2-* | nios2eb-* | nios2el-* \
| none-* | np1-* | ns16k-* | ns32k-* \
| open8-* \
| or1k*-* \
| orion-* \
| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
@ -719,7 +736,6 @@ case $basic_machine in
i370-ibm* | ibm*)
basic_machine=i370-ibm
;;
# I'm not sure what "Sysv32" means. Should this be sysv3.2?
i*86v32)
basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
os=-sysv32
@ -777,11 +793,15 @@ case $basic_machine in
basic_machine=ns32k-utek
os=-sysv
;;
microblaze)
microblaze*)
basic_machine=microblaze-xilinx
;;
mingw64)
basic_machine=x86_64-pc
os=-mingw64
;;
mingw32)
basic_machine=i386-pc
basic_machine=i686-pc
os=-mingw32
;;
mingw32ce)
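Review bot: `mingw32)` now canonicalises to `basic_machine=i686-pc` instead of `i386-pc`, so a bare `mingw32` argument yields `i686-pc-mingw32`. Any build script, cross toolchain name or packaging rule keyed on the literal `i386-pc-mingw32` stops matching; the `msys)` arm in a following hunk makes the same `i386-pc` to `i686-pc` change. The new `mingw64)` arm pairs with the `-mingw64*` entry added to the OS list further down, so both sides of the lookup are covered.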
@ -809,6 +829,10 @@ case $basic_machine in
basic_machine=powerpc-unknown
os=-morphos
;;
moxiebox)
basic_machine=moxie-unknown
os=-moxiebox
;;
msdos)
basic_machine=i386-pc
os=-msdos
@ -817,7 +841,7 @@ case $basic_machine in
basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'`
;;
msys)
basic_machine=i386-pc
basic_machine=i686-pc
os=-msys
;;
mvs)
@ -1008,7 +1032,11 @@ case $basic_machine in
basic_machine=i586-unknown
os=-pw32
;;
rdos)
rdos | rdos64)
basic_machine=x86_64-pc
os=-rdos
;;
rdos32)
basic_machine=i386-pc
os=-rdos
;;
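Review bot: a bare `rdos` now resolves to `x86_64-pc-rdos`, since it shares the `rdos | rdos64)` arm, while the old 32-bit result is only reachable through the new `rdos32)` arm. Callers that pass `rdos` and expect `i386-pc-rdos` get a different host triplet after this update; worth a changelog mention if anything downstream builds for that target.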
@ -1335,29 +1363,29 @@ case $os in
-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
| -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\
| -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \
| -sym* | -kopensolaris* \
| -sym* | -kopensolaris* | -plan9* \
| -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
| -aos* | -aros* \
| -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
| -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
| -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
| -openbsd* | -solidbsd* \
| -bitrig* | -openbsd* | -solidbsd* \
| -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
| -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
| -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
| -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
| -chorusos* | -chorusrdb* | -cegcc* \
| -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
| -mingw32* | -linux-gnu* | -linux-android* \
| -linux-newlib* | -linux-uclibc* \
| -uxpv* | -beos* | -mpeix* | -udk* \
| -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
| -linux-newlib* | -linux-musl* | -linux-uclibc* \
| -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \
| -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
| -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
| -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
| -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
| -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
| -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*)
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*)
# Remember, each alternative MUST END IN *, to match a version number.
;;
-qnx*)
@ -1481,9 +1509,6 @@ case $os in
-aros*)
os=-aros
;;
-kaos*)
os=-kaos
;;
-zvmoe)
os=-zvmoe
;;
@ -1532,6 +1557,12 @@ case $basic_machine in
c4x-* | tic4x-*)
os=-coff
;;
c8051-*)
os=-elf
;;
hexagon-*)
os=-elf
;;
tic54x-*)
os=-coff
;;
@ -1559,9 +1590,6 @@ case $basic_machine in
;;
m68000-sun)
os=-sunos3
# This also exists in the configure program, but was not the
# default.
# os=-sunos4
;;
m68*-cisco)
os=-aout


@ -1,10 +1,9 @@
#! /bin/sh
# depcomp - compile a program generating dependencies as side-effects
scriptversion=2007-03-29.01
scriptversion=2013-05-30.07; # UTC
# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006, 2007 Free Software
# Foundation, Inc.
# Copyright (C) 1999-2013 Free Software Foundation, Inc.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@ -17,9 +16,7 @@ scriptversion=2007-03-29.01
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
@ -30,9 +27,9 @@ scriptversion=2007-03-29.01
case $1 in
'')
echo "$0: No command. Try \`$0 --help' for more information." 1>&2
exit 1;
;;
echo "$0: No command. Try '$0 --help' for more information." 1>&2
exit 1;
;;
-h | --h*)
cat <<\EOF
Usage: depcomp [--help] [--version] PROGRAM [ARGS]
@ -42,11 +39,11 @@ as side-effects.
Environment variables:
depmode Dependency tracking mode.
source Source file read by `PROGRAMS ARGS'.
object Object file output by `PROGRAMS ARGS'.
source Source file read by 'PROGRAMS ARGS'.
object Object file output by 'PROGRAMS ARGS'.
DEPDIR directory where to store dependencies.
depfile Dependency file to output.
tmpdepfile Temporary file to use when outputing dependencies.
tmpdepfile Temporary file to use when outputting dependencies.
libtool Whether libtool is used (yes/no).
Report bugs to <bug-automake@gnu.org>.
@ -59,6 +56,66 @@ EOF
;;
esac
# Get the directory component of the given path, and save it in the
# global variables '$dir'. Note that this directory component will
# be either empty or ending with a '/' character. This is deliberate.
set_dir_from ()
{
case $1 in
*/*) dir=`echo "$1" | sed -e 's|/[^/]*$|/|'`;;
*) dir=;;
esac
}
# Get the suffix-stripped basename of the given path, and save it the
# global variable '$base'.
set_base_from ()
{
base=`echo "$1" | sed -e 's|^.*/||' -e 's/\.[^.]*$//'`
}
# If no dependency file was actually created by the compiler invocation,
# we still have to create a dummy depfile, to avoid errors with the
# Makefile "include basename.Plo" scheme.
make_dummy_depfile ()
{
echo "#dummy" > "$depfile"
}
# Factor out some common post-processing of the generated depfile.
# Requires the auxiliary global variable '$tmpdepfile' to be set.
aix_post_process_depfile ()
{
# If the compiler actually managed to produce a dependency file,
# post-process it.
if test -f "$tmpdepfile"; then
# Each line is of the form 'foo.o: dependency.h'.
# Do two passes, one to just change these to
# $object: dependency.h
# and one to simply output
# dependency.h:
# which is needed to avoid the deleted-header problem.
{ sed -e "s,^.*\.[$lower]*:,$object:," < "$tmpdepfile"
sed -e "s,^.*\.[$lower]*:[$tab ]*,," -e 's,$,:,' < "$tmpdepfile"
} > "$depfile"
rm -f "$tmpdepfile"
else
make_dummy_depfile
fi
}
# A tabulation character.
tab=' '
# A newline character.
nl='
'
# Character ranges might be problematic outside the C locale.
# These definitions help.
upper=ABCDEFGHIJKLMNOPQRSTUVWXYZ
lower=abcdefghijklmnopqrstuvwxyz
digits=0123456789
alpha=${upper}${lower}
if test -z "$depmode" || test -z "$source" || test -z "$object"; then
echo "depcomp: Variables source, object and depmode must be set" 1>&2
exit 1
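Review bot: `tab=' '` must contain a literal TAB character, but the rendered diff shows it as ordinary whitespace; `aix_post_process_depfile` relies on it in `sed -e "s,^.*\.[$lower]*:[$tab ]*,," -e 's,$,:,'` to strip the separator after the target. Confirm with `cat -A` that the vendored copy kept the TAB, because a copy through any tool that normalises whitespace would silently leave the dependency names prefixed with a tab in the generated depfile. The helper also references `$lower`, which is only assigned after the function body; that is fine, since a shell function expands variables when it is called, not when it is defined.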
@ -71,6 +128,9 @@ tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}
rm -f "$tmpdepfile"
# Avoid interferences from the environment.
gccflag= dashmflag=
# Some modes work just like other modes, but use different flags. We
# parameterize here, but still list the modes in the big case below,
# to make depend.m4 easier to write. Note that we *cannot* use a case
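Review bot: `gccflag= dashmflag=` is a sensible guard rather than noise: both variables are later spliced straight into the compiler command line (`"$@" -Wp,"$gccflag$tmpdepfile"`), so a stray value inherited from the caller's environment would otherwise change what gets compiled. `cygpath_u` is covered the same way by being assigned unconditionally in the next hunk.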
@ -82,9 +142,32 @@ if test "$depmode" = hp; then
fi
if test "$depmode" = dashXmstdout; then
# This is just like dashmstdout with a different argument.
dashmflag=-xM
depmode=dashmstdout
# This is just like dashmstdout with a different argument.
dashmflag=-xM
depmode=dashmstdout
fi
cygpath_u="cygpath -u -f -"
if test "$depmode" = msvcmsys; then
# This is just like msvisualcpp but w/o cygpath translation.
# Just convert the backslash-escaped backslashes to single forward
# slashes to satisfy depend.m4
cygpath_u='sed s,\\\\,/,g'
depmode=msvisualcpp
fi
if test "$depmode" = msvc7msys; then
# This is just like msvc7 but w/o cygpath translation.
# Just convert the backslash-escaped backslashes to single forward
# slashes to satisfy depend.m4
cygpath_u='sed s,\\\\,/,g'
depmode=msvc7
fi
if test "$depmode" = xlc; then
# IBM C/C++ Compilers xlc/xlC can output gcc-like dependency information.
gccflag=-qmakedep=gcc,-MF
depmode=gcc
fi
case "$depmode" in
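Review bot: the `xlc` alias works only because the `gcc)` branch concatenates `$tmpdepfile` directly onto `$gccflag` in `"$@" -Wp,"$gccflag$tmpdepfile"`, so `gccflag=-qmakedep=gcc,-MF` must keep its trailing `,-MF` with no space; a one-line comment at the assignment saying so would save the next editor a debugging round. For `msvcmsys` and `msvc7msys`, `cygpath_u='sed s,\\\\,/,g'` is single-quoted, so sed receives `\\\\`, a match for two literal backslashes, which agrees with the comment about converting backslash-escaped backslashes.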
@ -107,8 +190,7 @@ gcc3)
done
"$@"
stat=$?
if test $stat -eq 0; then :
else
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
@ -116,13 +198,17 @@ gcc3)
;;
gcc)
## Note that this doesn't just cater to obsosete pre-3.x GCC compilers.
## but also to in-use compilers like IMB xlc/xlC and the HP C compiler.
## (see the conditional assignment to $gccflag above).
## There are various ways to get dependency output from gcc. Here's
## why we pick this rather obscure method:
## - Don't want to use -MD because we'd like the dependencies to end
## up in a subdir. Having to rename by hand is ugly.
## (We might end up doing this anyway to support other compilers.)
## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like
## -MM, not -M (despite what the docs say).
## -MM, not -M (despite what the docs say). Also, it might not be
## supported by the other compilers which use the 'gcc' depmode.
## - Using -M directly means running the compiler twice (even worse
## than renaming).
if test -z "$gccflag"; then
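Review bot: two typos in the added comment lines: `obsosete` should read `obsolete`, and `IMB xlc/xlC` should read `IBM xlc/xlC`.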
@ -130,31 +216,31 @@ gcc)
fi
"$@" -Wp,"$gccflag$tmpdepfile"
stat=$?
if test $stat -eq 0; then :
else
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
echo "$object : \\" > "$depfile"
alpha=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
## The second -e expression handles DOS-style file names with drive letters.
# The second -e expression handles DOS-style file names with drive
# letters.
sed -e 's/^[^:]*: / /' \
-e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile"
## This next piece of magic avoids the `deleted header file' problem.
## This next piece of magic avoids the "deleted header file" problem.
## The problem is that when a header file which appears in a .P file
## is deleted, the dependency causes make to die (because there is
## typically no way to rebuild the header). We avoid this by adding
## dummy dependencies for each header file. Too bad gcc doesn't do
## this for us directly.
tr ' ' '
' < "$tmpdepfile" |
## Some versions of gcc put a space before the `:'. On the theory
## Some versions of gcc put a space before the ':'. On the theory
## that the space means something, we add a space to the output as
## well.
## well. hp depmode also adds that space, but also prefixes the VPATH
## to the object. Take care to not repeat it in the output.
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^\\$//' -e '/^$/d' -e "s|.*$object$||" -e '/:$/d' \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
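Review bot: `-e "s|.*$object$||"` splices `$object` unescaped into a sed regular expression that uses `|` as its delimiter. An object path containing `|` breaks the expression, `\` changes its meaning, and `.` or `*` act as regex operators; automake-generated paths are normally plain, but escaping `$object` (or picking a delimiter that cannot occur in a path) would make this robust against odd build directories. The local `alpha=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz` is dropped in favour of the global `alpha=${upper}${lower}` from the prologue hunk, and `tr ' ' "$nl"` is clearer than the embedded literal newline it replaces.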
@ -172,8 +258,7 @@ sgi)
"$@" -MDupdate "$tmpdepfile"
fi
stat=$?
if test $stat -eq 0; then :
else
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
@ -181,43 +266,41 @@ sgi)
if test -f "$tmpdepfile"; then # yes, the sourcefile depend on other files
echo "$object : \\" > "$depfile"
# Clip off the initial element (the dependent). Don't try to be
# clever and replace this with sed code, as IRIX sed won't handle
# lines with more than a fixed number of characters (4096 in
# IRIX 6.2 sed, 8192 in IRIX 6.5). We also remove comment lines;
# the IRIX cc adds comments like `#:fec' to the end of the
# the IRIX cc adds comments like '#:fec' to the end of the
# dependency line.
tr ' ' '
' < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \
tr '
' ' ' >> $depfile
echo >> $depfile
tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' \
| tr "$nl" ' ' >> "$depfile"
echo >> "$depfile"
# The second pass generates a dummy entry for each header file.
tr ' ' '
' < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
>> $depfile
tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
>> "$depfile"
else
# The sourcefile does not contain any dependencies, so just
# store a dummy comment line, to avoid errors with the Makefile
# "include basename.Plo" scheme.
echo "#dummy" > "$depfile"
make_dummy_depfile
fi
rm -f "$tmpdepfile"
;;
xlc)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;
aix)
# The C for AIX Compiler uses -M and outputs the dependencies
# in a .u file. In older versions, this file always lives in the
# current directory. Also, the AIX compiler puts `$object:' at the
# current directory. Also, the AIX compiler puts '$object:' at the
# start of each line; $object doesn't have directory information.
# Version 6 uses the directory in both cases.
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
test "x$dir" = "x$object" && dir=
base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
set_dir_from "$object"
set_base_from "$object"
if test "$libtool" = yes; then
tmpdepfile1=$dir$base.u
tmpdepfile2=$base.u
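Review bot: switching the `aix)` arm to `set_base_from "$object"` changes suffix handling: the old `sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'` stripped only `.o` and `.lo`, whereas the helper strips whatever the last extension is (`foo.obj` now becomes `foo`, where it previously stayed `foo.obj`). That matches how the compiler names its `.u` file, so it is an improvement, but it is a behaviour change for unusual object names. The `xlc)` arm that just does `exit 1` is correctly documented as unreachable, since `depmode=xlc` is rewritten to `gcc` before the case statement.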
@ -230,9 +313,7 @@ aix)
"$@" -M
fi
stat=$?
if test $stat -eq 0; then :
else
if test $stat -ne 0; then
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
exit $stat
fi
@ -241,44 +322,100 @@ aix)
do
test -f "$tmpdepfile" && break
done
if test -f "$tmpdepfile"; then
# Each line is of the form `foo.o: dependent.h'.
# Do two passes, one to just change these to
# `$object: dependent.h' and one to simply `dependent.h:'.
sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
# That's a tab and a space in the [].
sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
else
# The sourcefile does not contain any dependencies, so just
# store a dummy comment line, to avoid errors with the Makefile
# "include basename.Plo" scheme.
echo "#dummy" > "$depfile"
aix_post_process_depfile
;;
tcc)
# tcc (Tiny C Compiler) understand '-MD -MF file' since version 0.9.26
# FIXME: That version still under development at the moment of writing.
# Make that this statement remains true also for stable, released
# versions.
# It will wrap lines (doesn't matter whether long or short) with a
# trailing '\', as in:
#
# foo.o : \
# foo.c \
# foo.h \
#
# It will put a trailing '\' even on the last line, and will use leading
# spaces rather than leading tabs (at least since its commit 0394caf7
# "Emit spaces for -MD").
"$@" -MD -MF "$tmpdepfile"
stat=$?
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
# Each non-empty line is of the form 'foo.o : \' or ' dep.h \'.
# We have to change lines of the first kind to '$object: \'.
sed -e "s|.*:|$object :|" < "$tmpdepfile" > "$depfile"
# And for each line of the second kind, we have to emit a 'dep.h:'
# dummy dependency, to avoid the deleted-header problem.
sed -n -e 's|^ *\(.*\) *\\$|\1:|p' < "$tmpdepfile" >> "$depfile"
rm -f "$tmpdepfile"
;;
icc)
# Intel's C compiler understands `-MD -MF file'. However on
# icc -MD -MF foo.d -c -o sub/foo.o sub/foo.c
# ICC 7.0 will fill foo.d with something like
# foo.o: sub/foo.c
# foo.o: sub/foo.h
# which is wrong. We want:
# sub/foo.o: sub/foo.c
# sub/foo.o: sub/foo.h
# sub/foo.c:
# sub/foo.h:
# ICC 7.1 will output
## The order of this option in the case statement is important, since the
## shell code in configure will try each of these formats in the order
## listed in this file. A plain '-MD' option would be understood by many
## compilers, so we must ensure this comes after the gcc and icc options.
pgcc)
# Portland's C compiler understands '-MD'.
# Will always output deps to 'file.d' where file is the root name of the
# source file under compilation, even if file resides in a subdirectory.
# The object file name does not affect the name of the '.d' file.
# pgcc 10.2 will output
# foo.o: sub/foo.c sub/foo.h
# and will wrap long lines using \ :
# and will wrap long lines using '\' :
# foo.o: sub/foo.c ... \
# sub/foo.h ... \
# ...
set_dir_from "$object"
# Use the source, not the object, to determine the base name, since
# that's sadly what pgcc will do too.
set_base_from "$source"
tmpdepfile=$base.d
"$@" -MD -MF "$tmpdepfile"
stat=$?
if test $stat -eq 0; then :
else
# For projects that build the same source file twice into different object
# files, the pgcc approach of using the *source* file root name can cause
# problems in parallel builds. Use a locking strategy to avoid stomping on
# the same $tmpdepfile.
lockdir=$base.d-lock
trap "
echo '$0: caught signal, cleaning up...' >&2
rmdir '$lockdir'
exit 1
" 1 2 13 15
numtries=100
i=$numtries
while test $i -gt 0; do
# mkdir is a portable test-and-set.
if mkdir "$lockdir" 2>/dev/null; then
# This process acquired the lock.
"$@" -MD
stat=$?
# Release the lock.
rmdir "$lockdir"
break
else
# If the lock is being held by a different process, wait
# until the winning process is done or we timeout.
while test -d "$lockdir" && test $i -gt 0; do
sleep 1
i=`expr $i - 1`
done
fi
i=`expr $i - 1`
done
trap - 1 2 13 15
if test $i -le 0; then
echo "$0: failed to acquire lock after $numtries attempts" >&2
echo "$0: check lockdir '$lockdir'" >&2
exit 1
fi
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
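Review bot: the signal trap installed for the pgcc lock (`trap "... rmdir '$lockdir' ..." 1 2 13 15`) removes the lock directory whether or not this process owns it, so a SIGINT delivered while this process is still in the `sleep 1` wait loop deletes a lock held by another compiler invocation and lets a third one start writing the same `$base.d`. Guard the `rmdir` in the trap with a flag that is set only in the `if mkdir "$lockdir"` success branch (or install the trap there), and keep the `trap - 1 2 13 15` reset after release. Minor: when the loop exits without acquiring the lock, `$stat` is never assigned; the `test $i -le 0` exit before `test $stat -ne 0` covers that path, but a comment saying so would save the next reader the check.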
@ -290,8 +427,8 @@ icc)
sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile"
# Some versions of the HPUX 10.20 sed can't process this invocation
# correctly. Breaking it into two sed invocations is a workaround.
sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" |
sed -e 's/$/ :/' >> "$depfile"
sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
@ -302,9 +439,8 @@ hp2)
# 'foo.d', which lands next to the object file, wherever that
# happens to be.
# Much of this is similar to the tru64 case; see comments there.
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
test "x$dir" = "x$object" && dir=
base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
set_dir_from "$object"
set_base_from "$object"
if test "$libtool" = yes; then
tmpdepfile1=$dir$base.d
tmpdepfile2=$dir.libs/$base.d
@ -315,8 +451,7 @@ hp2)
"$@" +Maked
fi
stat=$?
if test $stat -eq 0; then :
else
if test $stat -ne 0; then
rm -f "$tmpdepfile1" "$tmpdepfile2"
exit $stat
fi
@ -326,72 +461,107 @@ hp2)
test -f "$tmpdepfile" && break
done
if test -f "$tmpdepfile"; then
sed -e "s,^.*\.[a-z]*:,$object:," "$tmpdepfile" > "$depfile"
# Add `dependent.h:' lines.
sed -ne '2,${; s/^ *//; s/ \\*$//; s/$/:/; p;}' "$tmpdepfile" >> "$depfile"
sed -e "s,^.*\.[$lower]*:,$object:," "$tmpdepfile" > "$depfile"
# Add 'dependent.h:' lines.
sed -ne '2,${
s/^ *//
s/ \\*$//
s/$/:/
p
}' "$tmpdepfile" >> "$depfile"
else
echo "#dummy" > "$depfile"
make_dummy_depfile
fi
rm -f "$tmpdepfile" "$tmpdepfile2"
;;
tru64)
# The Tru64 compiler uses -MD to generate dependencies as a side
# effect. `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'.
# At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
# dependencies in `foo.d' instead, so we check for that too.
# Subdirectories are respected.
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
test "x$dir" = "x$object" && dir=
base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
# The Tru64 compiler uses -MD to generate dependencies as a side
# effect. 'cc -MD -o foo.o ...' puts the dependencies into 'foo.o.d'.
# At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
# dependencies in 'foo.d' instead, so we check for that too.
# Subdirectories are respected.
set_dir_from "$object"
set_base_from "$object"
if test "$libtool" = yes; then
# With Tru64 cc, shared objects can also be used to make a
# static library. This mechanism is used in libtool 1.4 series to
# handle both shared and static libraries in a single compilation.
# With libtool 1.4, dependencies were output in $dir.libs/$base.lo.d.
#
# With libtool 1.5 this exception was removed, and libtool now
# generates 2 separate objects for the 2 libraries. These two
# compilations output dependencies in $dir.libs/$base.o.d and
# in $dir$base.o.d. We have to check for both files, because
# one of the two compilations can be disabled. We should prefer
# $dir$base.o.d over $dir.libs/$base.o.d because the latter is
# automatically cleaned when .libs/ is deleted, while ignoring
# the former would cause a distcleancheck panic.
tmpdepfile1=$dir.libs/$base.lo.d # libtool 1.4
tmpdepfile2=$dir$base.o.d # libtool 1.5
tmpdepfile3=$dir.libs/$base.o.d # libtool 1.5
tmpdepfile4=$dir.libs/$base.d # Compaq CCC V6.2-504
"$@" -Wc,-MD
else
tmpdepfile1=$dir$base.o.d
tmpdepfile2=$dir$base.d
tmpdepfile3=$dir$base.d
tmpdepfile4=$dir$base.d
"$@" -MD
fi
if test "$libtool" = yes; then
# Libtool generates 2 separate objects for the 2 libraries. These
# two compilations output dependencies in $dir.libs/$base.o.d and
# in $dir$base.o.d. We have to check for both files, because
# one of the two compilations can be disabled. We should prefer
# $dir$base.o.d over $dir.libs/$base.o.d because the latter is
# automatically cleaned when .libs/ is deleted, while ignoring
# the former would cause a distcleancheck panic.
tmpdepfile1=$dir$base.o.d # libtool 1.5
tmpdepfile2=$dir.libs/$base.o.d # Likewise.
tmpdepfile3=$dir.libs/$base.d # Compaq CCC V6.2-504
"$@" -Wc,-MD
else
tmpdepfile1=$dir$base.d
tmpdepfile2=$dir$base.d
tmpdepfile3=$dir$base.d
"$@" -MD
fi
stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
exit $stat
fi
stat=$?
if test $stat -ne 0; then
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
exit $stat
fi
for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
do
test -f "$tmpdepfile" && break
done
if test -f "$tmpdepfile"; then
sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
# That's a tab and a space in the [].
sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
else
echo "#dummy" > "$depfile"
fi
rm -f "$tmpdepfile"
;;
for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
do
test -f "$tmpdepfile" && break
done
# Same post-processing that is required for AIX mode.
aix_post_process_depfile
;;
msvc7)
if test "$libtool" = yes; then
showIncludes=-Wc,-showIncludes
else
showIncludes=-showIncludes
fi
"$@" $showIncludes > "$tmpdepfile"
stat=$?
grep -v '^Note: including file: ' "$tmpdepfile"
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
echo "$object : \\" > "$depfile"
# The first sed program below extracts the file names and escapes
# backslashes for cygpath. The second sed program outputs the file
# name when reading, but also accumulates all include files in the
# hold buffer in order to output them again at the end. This only
# works with sed implementations that can handle large buffers.
sed < "$tmpdepfile" -n '
/^Note: including file: *\(.*\)/ {
s//\1/
s/\\/\\\\/g
p
}' | $cygpath_u | sort -u | sed -n '
s/ /\\ /g
s/\(.*\)/'"$tab"'\1 \\/p
s/.\(.*\) \\/\1:/
H
$ {
s/.*/'"$tab"'/
G
p
}' >> "$depfile"
echo >> "$depfile" # make sure the fragment doesn't end with a backslash
rm -f "$tmpdepfile"
;;
msvc7msys)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;
#nosideeffect)
# This comment above is used by automake to tell side-effect
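Review bot: in the tru64 branch the libtool 1.4 candidate `$dir.libs/$base.lo.d` is dropped (four candidates become three), so dependency output from a libtool 1.4 `ltmain.sh` is no longer found; that is acceptable only because this commit also replaces `auto/ltmain.sh`, and the commit message should say so. Two smaller points in the same hunk: the hp2 sed now matches the object suffix with `[$lower]` instead of `[a-z]`, which removes the locale dependence of bracket ranges (a correctness fix, not a cosmetic one), and the new msvc7 branch relies on `$cygpath_u` and `$tab` from the prelude, again outside this hunk.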
@ -404,13 +574,13 @@ dashmstdout)
# Remove the call to Libtool.
if test "$libtool" = yes; then
while test $1 != '--mode=compile'; do
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi
# Remove `-o $object'.
# Remove '-o $object'.
IFS=" "
for arg
do
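Review bot: `while test "X$1" != 'X--mode=compile'` fixes a real robustness bug in the libtool-stripping loop: with the old unquoted `test $1 != ...`, an empty `$1` (argument list exhausted without meeting `--mode=compile`) is a `test` syntax error, and a `$1` that looks like a test operator such as `!` or `=` is misparsed. The `X` prefix is the portable idiom for this; the makedepend and cpp branches receive the same change, so all three loops stay consistent.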
@ -430,18 +600,18 @@ dashmstdout)
done
test -z "$dashmflag" && dashmflag=-M
# Require at least two characters before searching for `:'
# Require at least two characters before searching for ':'
# in the target name. This is to cope with DOS-style filenames:
# a dependency such as `c:/foo/bar' could be seen as target `c' otherwise.
# a dependency such as 'c:/foo/bar' could be seen as target 'c' otherwise.
"$@" $dashmflag |
sed 's:^[ ]*[^: ][^:][^:]*\:[ ]*:'"$object"'\: :' > "$tmpdepfile"
sed "s|^[$tab ]*[^:$tab ][^:][^:]*:[$tab ]*|$object: |" > "$tmpdepfile"
rm -f "$depfile"
cat < "$tmpdepfile" > "$depfile"
tr ' ' '
' < "$tmpdepfile" | \
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
# Some versions of the HPUX 10.20 sed can't process this sed invocation
# correctly. Breaking it into two sed invocations is a workaround.
tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
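Review bot: the new target regex `s|^[$tab ]*[^:$tab ][^:][^:]*:[$tab ]*|$object: |` replaces a literal tab inside `[ ]` with `$tab`; the old form is fragile because the tab is invisible and is often turned into spaces by editors or patch tooling (the rendered old line here already shows only `[ ]`). A comment that `$tab` must hold a real tab character would help, and it is worth noting that the `[^:][^:]*` part is what enforces the two-character minimum the preceding comment describes for DOS drive letters.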
@ -455,41 +625,51 @@ makedepend)
"$@" || exit $?
# Remove any Libtool call
if test "$libtool" = yes; then
while test $1 != '--mode=compile'; do
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi
# X makedepend
shift
cleared=no
for arg in "$@"; do
cleared=no eat=no
for arg
do
case $cleared in
no)
set ""; shift
cleared=yes ;;
esac
if test $eat = yes; then
eat=no
continue
fi
case "$arg" in
-D*|-I*)
set fnord "$@" "$arg"; shift ;;
# Strip any option that makedepend may not understand. Remove
# the object too, otherwise makedepend will parse it as a source file.
-arch)
eat=yes ;;
-*|$object)
;;
*)
set fnord "$@" "$arg"; shift ;;
esac
done
obj_suffix="`echo $object | sed 's/^.*\././'`"
obj_suffix=`echo "$object" | sed 's/^.*\././'`
touch "$tmpdepfile"
${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
rm -f "$depfile"
cat < "$tmpdepfile" > "$depfile"
sed '1,2d' "$tmpdepfile" | tr ' ' '
' | \
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
# makedepend may prepend the VPATH from the source file name to the object.
# No need to regex-escape $object, excess matching of '.' is harmless.
sed "s|^.*\($object *:\)|\1|" "$tmpdepfile" > "$depfile"
# Some versions of the HPUX 10.20 sed can't process the last invocation
# correctly. Breaking it into two sed invocations is a workaround.
sed '1,2d' "$tmpdepfile" \
| tr ' ' "$nl" \
| sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile" "$tmpdepfile".bak
;;
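Review bot: with the added `-arch) eat=yes ;;` and `-*|$object) ;;` cases, every option other than `-D*`/`-I*` is now dropped before makedepend runs, which is the intent (otherwise makedepend parses `$object` as a source file), but `$object` is unquoted as a `case` pattern, so an object path containing `*`, `?` or `[` is treated as a glob; quoting it (`"$object"`) keeps the match literal. The VPATH-stripping `sed "s|^.*\($object *:\)|\1|"` has the companion issue that an object path containing `|` breaks the delimiter; the comment is right that excess matching of `.` is harmless.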
@ -500,13 +680,13 @@ cpp)
# Remove the call to Libtool.
if test "$libtool" = yes; then
while test $1 != '--mode=compile'; do
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi
# Remove `-o $object'.
# Remove '-o $object'.
IFS=" "
for arg
do
@ -525,10 +705,10 @@ cpp)
esac
done
"$@" -E |
sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
-e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' |
sed '$ s: \\$::' > "$tmpdepfile"
"$@" -E \
| sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
-e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
| sed '$ s: \\$::' > "$tmpdepfile"
rm -f "$depfile"
echo "$object : \\" > "$depfile"
cat < "$tmpdepfile" >> "$depfile"
@ -538,35 +718,56 @@ cpp)
msvisualcpp)
# Important note: in order to support this mode, a compiler *must*
# always write the preprocessed file to stdout, regardless of -o,
# because we must use -o when running libtool.
# always write the preprocessed file to stdout.
"$@" || exit $?
# Remove the call to Libtool.
if test "$libtool" = yes; then
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi
IFS=" "
for arg
do
case "$arg" in
-o)
shift
;;
$object)
shift
;;
"-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI")
set fnord "$@"
shift
shift
;;
set fnord "$@"
shift
shift
;;
*)
set fnord "$@" "$arg"
shift
shift
;;
set fnord "$@" "$arg"
shift
shift
;;
esac
done
"$@" -E |
sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::echo "`cygpath -u \\"\1\\"`":p' | sort | uniq > "$tmpdepfile"
"$@" -E 2>/dev/null |
sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::\1:p' | $cygpath_u | sort -u > "$tmpdepfile"
rm -f "$depfile"
echo "$object : \\" > "$depfile"
. "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s:: \1 \\:p' >> "$depfile"
echo " " >> "$depfile"
. "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::\1\::p' >> "$depfile"
sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::'"$tab"'\1 \\:p' >> "$depfile"
echo "$tab" >> "$depfile"
sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::\1\::p' >> "$depfile"
rm -f "$tmpdepfile"
;;
msvcmsys)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;
none)
exec "$@"
;;
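Review bot: the change to the `"$@" -E` pipeline and the two post-processing lines that follow removes a shell-execution hazard in the old msvisualcpp branch: the old sed rewrote every `#line` file name into `echo "\`cygpath -u ...\`"` and the result was then executed with `. "$tmpdepfile"`, so any header path containing shell metacharacters (a backquote, `$(`, `;`) emitted by the preprocessor would have run as shell inside the build. The new version keeps the temp file as data, converts names through `$cygpath_u`, and rewrites them with sed only. One caveat: `2>/dev/null` on the `-E` call hides preprocessor diagnostics; that is tolerable because `"$@" || exit $?` has already compiled the file once and would have surfaced real errors.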
@ -585,5 +786,6 @@ exit 0
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:


@ -1,7 +1,7 @@
#!/bin/sh
# install - install a program, script, or datafile
scriptversion=2006-12-25.00
scriptversion=2011-11-20.07; # UTC
# This originates from X11R5 (mit/util/scripts/install.sh), which was
# later released in X11R6 (xc/config/util/install.sh) with the
@ -35,7 +35,7 @@ scriptversion=2006-12-25.00
# FSF changes to this file are in the public domain.
#
# Calling this script install-sh is preferred over install.sh, to prevent
# `make' implicit rules from creating a file called install from it
# 'make' implicit rules from creating a file called install from it
# when there is no Makefile.
#
# This script is compatible with the BSD install script, but was written
@ -156,6 +156,10 @@ while test $# -ne 0; do
-s) stripcmd=$stripprog;;
-t) dst_arg=$2
# Protect names problematic for 'test' and other utilities.
case $dst_arg in
-* | [=\(\)!]) dst_arg=./$dst_arg;;
esac
shift;;
-T) no_target_directory=true;;
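Review bot: the added `case $dst_arg in -* | [=\(\)!]) dst_arg=./$dst_arg;; esac` after `-t) dst_arg=$2` extends the old leading-dash check to names that are exactly `=`, `(`, `)` or `!`, which `test` and some utilities otherwise read as operators; prefixing `./` keeps them plain operands. The same normalisation is repeated for the positional destination and for `$src`, which is what allows the later per-`dst` check to be removed in this commit.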
@ -186,6 +190,10 @@ if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
fi
shift # arg
dst_arg=$arg
# Protect names problematic for 'test' and other utilities.
case $dst_arg in
-* | [=\(\)!]) dst_arg=./$dst_arg;;
esac
done
fi
@ -194,13 +202,17 @@ if test $# -eq 0; then
echo "$0: no input file specified." >&2
exit 1
fi
# It's OK to call `install-sh -d' without argument.
# It's OK to call 'install-sh -d' without argument.
# This can happen when creating conditional directories.
exit 0
fi
if test -z "$dir_arg"; then
trap '(exit $?); exit' 1 2 13 15
do_exit='(exit $ret); exit $ret'
trap "ret=129; $do_exit" 1
trap "ret=130; $do_exit" 2
trap "ret=141; $do_exit" 13
trap "ret=143; $do_exit" 15
# Set umask so as not to create temps with too-generous modes.
# However, 'strip' requires both read and write access to temps.
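Review bot: replacing `trap '(exit $?); exit' 1 2 13 15` with one trap per signal that sets `ret` to 129, 130, 141 or 143 makes install-sh exit with the conventional 128+signal status; inside the old handler `$?` was simply the status of whatever command was interrupted, not the signal, so the caller could not tell an interrupted install from a failed one. The `do_exit='(exit $ret); exit $ret'` indirection is deliberate: single quotes defer `$ret` to trap time while the double-quoted per-signal string bakes in the assignment.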
@ -228,9 +240,9 @@ fi
for src
do
# Protect names starting with `-'.
# Protect names problematic for 'test' and other utilities.
case $src in
-*) src=./$src;;
-* | [=\(\)!]) src=./$src;;
esac
if test -n "$dir_arg"; then
@ -252,12 +264,7 @@ do
echo "$0: no destination specified." >&2
exit 1
fi
dst=$dst_arg
# Protect names starting with `-'.
case $dst in
-*) dst=./$dst;;
esac
# If destination is a directory, append the input filename; won't work
# if double slashes aren't ignored.
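Review bot: deleting the `case $dst in -*) dst=./$dst;; esac` block here is only safe because `dst_arg` is now normalised at argument-parsing time (in the `-t` branch and in the positional loop above); any future path that assigns `dst_arg` without going through those two places reintroduces the problem, so a one-line comment at `dst=$dst_arg` saying the value is already protected would be worthwhile.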
@ -338,34 +345,41 @@ do
# is incompatible with FreeBSD 'install' when (umask & 300) != 0.
;;
*)
# $RANDOM is not portable (e.g. dash); use it when possible to
# lower collision chance
tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0
# As "mkdir -p" follows symlinks and we work in /tmp possibly; so
# create the $tmpdir first (and fail if unsuccessful) to make sure
# that nobody tries to guess the $tmpdir name.
if (umask $mkdir_umask &&
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
$mkdirprog $mkdir_mode "$tmpdir" &&
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
then
if test -z "$dir_arg" || {
# Check for POSIX incompatibilities with -m.
# HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
# other-writeable bit of parent directory when it shouldn't.
# other-writable bit of parent directory when it shouldn't.
# FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
ls_ld_tmpdir=`ls -ld "$tmpdir"`
test_tmpdir="$tmpdir/a"
ls_ld_tmpdir=`ls -ld "$test_tmpdir"`
case $ls_ld_tmpdir in
d????-?r-*) different_mode=700;;
d????-?--*) different_mode=755;;
*) false;;
esac &&
$mkdirprog -m$different_mode -p -- "$tmpdir" && {
ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
$mkdirprog -m$different_mode -p -- "$test_tmpdir" && {
ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"`
test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
}
}
then posix_mkdir=:
fi
rmdir "$tmpdir/d" "$tmpdir"
rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir"
else
# Remove any dirs left behind by ancient mkdir implementations.
rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null
fi
trap '' 0;;
esac;;
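Review bot: `$mkdirprog $mkdir_mode "$tmpdir" && exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b"` is the security-relevant part of this hunk: `mkdir -p` follows an existing symlink at `$tmpdir`, so a symlink pre-planted in the shared `/tmp` at a predictable name (`ins-$$` when `$RANDOM` is unavailable, as the comment notes for dash, since it then expands empty) would have let the probe create directories wherever the link pointed. Creating `$tmpdir` first without `-p` fails if anything already exists at that path, closing the race. The else branch now also removes `"$tmpdir"` so a probe that failed at the second mkdir leaves nothing behind, and the `trap ... 0` cleanup covers the new `a/b` and `a` levels.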
@ -385,7 +399,7 @@ do
case $dstdir in
/*) prefix='/';;
-*) prefix='./';;
[-=\(\)!]*) prefix='./';;
*) prefix='';;
esac
@ -403,7 +417,7 @@ do
for d
do
test -z "$d" && continue
test X"$d" = X && continue
prefix=$prefix$d
if test -d "$prefix"; then
@ -515,5 +529,6 @@ done
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:

auto/ltmain.sh Executable file → Normal file

File diff suppressed because it is too large


@ -1,11 +1,10 @@
#! /bin/sh
# Common stub for a few missing GNU programs while installing.
# Common wrapper for a few potentially missing GNU programs.
scriptversion=2006-05-10.23
scriptversion=2013-10-28.13; # UTC
# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006
# Free Software Foundation, Inc.
# Originally by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
# Copyright (C) 1996-2013 Free Software Foundation, Inc.
# Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@ -18,9 +17,7 @@ scriptversion=2006-05-10.23
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
@ -28,66 +25,40 @@ scriptversion=2006-05-10.23
# the same distribution terms that you use for the rest of that program.
if test $# -eq 0; then
echo 1>&2 "Try \`$0 --help' for more information"
echo 1>&2 "Try '$0 --help' for more information"
exit 1
fi
run=:
sed_output='s/.* --output[ =]\([^ ]*\).*/\1/p'
sed_minuso='s/.* -o \([^ ]*\).*/\1/p'
# In the cases where this matters, `missing' is being run in the
# srcdir already.
if test -f configure.ac; then
configure_ac=configure.ac
else
configure_ac=configure.in
fi
msg="missing on your system"
case $1 in
--run)
# Try to run requested program, and just exit if it succeeds.
run=
shift
"$@" && exit 0
# Exit code 63 means version mismatch. This often happens
# when the user try to use an ancient version of a tool on
# a file that requires a minimum version. In this case we
# we should proceed has if the program had been absent, or
# if --run hadn't been passed.
if test $? = 63; then
run=:
msg="probably too old"
fi
;;
--is-lightweight)
# Used by our autoconf macros to check whether the available missing
# script is modern enough.
exit 0
;;
--run)
# Back-compat with the calling convention used by older automake.
shift
;;
-h|--h|--he|--hel|--help)
echo "\
$0 [OPTION]... PROGRAM [ARGUMENT]...
Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an
error status if there is no known handling for PROGRAM.
Run 'PROGRAM [ARGUMENT]...', returning a proper advice when this fails due
to PROGRAM being missing or too old.
Options:
-h, --help display this help and exit
-v, --version output version information and exit
--run try to run the given command, and emulate it if it fails
Supported PROGRAM values:
aclocal touch file \`aclocal.m4'
autoconf touch file \`configure'
autoheader touch file \`config.h.in'
autom4te touch the output file, or create a stub one
automake touch all \`Makefile.in' files
bison create \`y.tab.[ch]', if possible, from existing .[ch]
flex create \`lex.yy.c', if possible, from existing .c
help2man touch the output file
lex create \`lex.yy.c', if possible, from existing .c
makeinfo touch the output file
tar try tar, gnutar, gtar, then tar without non-portable flags
yacc create \`y.tab.[ch]', if possible, from existing .[ch]
aclocal autoconf autoheader autom4te automake makeinfo
bison yacc flex lex help2man
Version suffixes to PROGRAM as well as the prefixes 'gnu-', 'gnu', and
'g' are ignored when checking the name.
Send bug reports to <bug-automake@gnu.org>."
exit $?
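Review bot: `--run` is kept only as a back-compat no-op (`shift`) and `--is-lightweight` is added so the autoconf macros can detect this newer script; the `run=:` emulation switch and the `configure_ac` probing are gone. Callers of an older automake that passed `--run` and relied on the script emulating an absent tool now get the real tool's exit status instead, which is intentional but changes how a stale tree fails to build and deserves a sentence in the commit message. The help text is trimmed accordingly and now documents the `gnu-`, `gnu` and `g` prefix stripping that `give_advice` performs.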
@ -99,269 +70,146 @@ Send bug reports to <bug-automake@gnu.org>."
;;
-*)
echo 1>&2 "$0: Unknown \`$1' option"
echo 1>&2 "Try \`$0 --help' for more information"
echo 1>&2 "$0: unknown '$1' option"
echo 1>&2 "Try '$0 --help' for more information"
exit 1
;;
esac
# Now exit if we have it, but it failed. Also exit now if we
# don't have it and --version was passed (most likely to detect
# the program).
case $1 in
lex|yacc)
# Not GNU programs, they don't have --version.
# Run the given program, remember its exit status.
"$@"; st=$?
# If it succeeded, we are done.
test $st -eq 0 && exit 0
# Also exit now if we it failed (or wasn't found), and '--version' was
# passed; such an option is passed most likely to detect whether the
# program is present and works.
case $2 in --version|--help) exit $st;; esac
# Exit code 63 means version mismatch. This often happens when the user
# tries to use an ancient version of a tool on a file that requires a
# minimum version.
if test $st -eq 63; then
msg="probably too old"
elif test $st -eq 127; then
# Program was missing.
msg="missing on your system"
else
# Program was found and executed, but failed. Give up.
exit $st
fi
perl_URL=http://www.perl.org/
flex_URL=http://flex.sourceforge.net/
gnu_software_URL=http://www.gnu.org/software
program_details ()
{
case $1 in
aclocal|automake)
echo "The '$1' program is part of the GNU Automake package:"
echo "<$gnu_software_URL/automake>"
echo "It also requires GNU Autoconf, GNU m4 and Perl in order to run:"
echo "<$gnu_software_URL/autoconf>"
echo "<$gnu_software_URL/m4/>"
echo "<$perl_URL>"
;;
autoconf|autom4te|autoheader)
echo "The '$1' program is part of the GNU Autoconf package:"
echo "<$gnu_software_URL/autoconf/>"
echo "It also requires GNU m4 and Perl in order to run:"
echo "<$gnu_software_URL/m4/>"
echo "<$perl_URL>"
;;
esac
}
give_advice ()
{
# Normalize program name to check for.
normalized_program=`echo "$1" | sed '
s/^gnu-//; t
s/^gnu//; t
s/^g//; t'`
printf '%s\n' "'$1' is $msg."
configure_deps="'configure.ac' or m4 files included by 'configure.ac'"
case $normalized_program in
autoconf*)
echo "You should only need it if you modified 'configure.ac',"
echo "or m4 files included by it."
program_details 'autoconf'
;;
autoheader*)
echo "You should only need it if you modified 'acconfig.h' or"
echo "$configure_deps."
program_details 'autoheader'
;;
automake*)
echo "You should only need it if you modified 'Makefile.am' or"
echo "$configure_deps."
program_details 'automake'
;;
aclocal*)
echo "You should only need it if you modified 'acinclude.m4' or"
echo "$configure_deps."
program_details 'aclocal'
;;
autom4te*)
echo "You might have modified some maintainer files that require"
echo "the 'autom4te' program to be rebuilt."
program_details 'autom4te'
;;
bison*|yacc*)
echo "You should only need it if you modified a '.y' file."
echo "You may want to install the GNU Bison package:"
echo "<$gnu_software_URL/bison/>"
;;
lex*|flex*)
echo "You should only need it if you modified a '.l' file."
echo "You may want to install the Fast Lexical Analyzer package:"
echo "<$flex_URL>"
;;
help2man*)
echo "You should only need it if you modified a dependency" \
"of a man page."
echo "You may want to install the GNU Help2man package:"
echo "<$gnu_software_URL/help2man/>"
;;
makeinfo*)
echo "You should only need it if you modified a '.texi' file, or"
echo "any other file indirectly affecting the aspect of the manual."
echo "You might want to install the Texinfo package:"
echo "<$gnu_software_URL/texinfo/>"
echo "The spurious makeinfo call might also be the consequence of"
echo "using a buggy 'make' (AIX, DU, IRIX), in which case you might"
echo "want to install GNU make:"
echo "<$gnu_software_URL/make/>"
;;
*)
echo "You might have modified some files without having the proper"
echo "tools for further handling them. Check the 'README' file, it"
echo "often tells you about the needed prerequisites for installing"
echo "this package. You may also peek at any GNU archive site, in"
echo "case some other package contains this missing '$1' program."
;;
esac
}
tar)
if test -n "$run"; then
echo 1>&2 "ERROR: \`tar' requires --run"
exit 1
elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
exit 1
fi
;;
give_advice "$1" | sed -e '1s/^/WARNING: /' \
-e '2,$s/^/ /' >&2
*)
if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
# We have it, but it failed.
exit 1
elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
# Could not run --version or --help. This is probably someone
# running `$TOOL --version' or `$TOOL --help' to check whether
# $TOOL exists and not knowing $TOOL uses missing.
exit 1
fi
;;
esac
# If it does not exist, or fails to run (possibly an outdated version),
# try to emulate it.
case $1 in
aclocal*)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified \`acinclude.m4' or \`${configure_ac}'. You might want
to install the \`Automake' and \`Perl' packages. Grab them from
any GNU archive site."
touch aclocal.m4
;;
autoconf)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified \`${configure_ac}'. You might want to install the
\`Autoconf' and \`GNU m4' packages. Grab them from any GNU
archive site."
touch configure
;;
autoheader)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified \`acconfig.h' or \`${configure_ac}'. You might want
to install the \`Autoconf' and \`GNU m4' packages. Grab them
from any GNU archive site."
files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' ${configure_ac}`
test -z "$files" && files="config.h"
touch_files=
for f in $files; do
case $f in
*:*) touch_files="$touch_files "`echo "$f" |
sed -e 's/^[^:]*://' -e 's/:.*//'`;;
*) touch_files="$touch_files $f.in";;
esac
done
touch $touch_files
;;
automake*)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified \`Makefile.am', \`acinclude.m4' or \`${configure_ac}'.
You might want to install the \`Automake' and \`Perl' packages.
Grab them from any GNU archive site."
find . -type f -name Makefile.am -print |
sed 's/\.am$/.in/' |
while read f; do touch "$f"; done
;;
autom4te)
echo 1>&2 "\
WARNING: \`$1' is needed, but is $msg.
You might have modified some files without having the
proper tools for further handling them.
You can get \`$1' as part of \`Autoconf' from any GNU
archive site."
file=`echo "$*" | sed -n "$sed_output"`
test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
if test -f "$file"; then
touch $file
else
test -z "$file" || exec >$file
echo "#! /bin/sh"
echo "# Created by GNU Automake missing as a replacement of"
echo "# $ $@"
echo "exit 0"
chmod +x $file
exit 1
fi
;;
bison|yacc)
echo 1>&2 "\
WARNING: \`$1' $msg. You should only need it if
you modified a \`.y' file. You may need the \`Bison' package
in order for those modifications to take effect. You can get
\`Bison' from any GNU archive site."
rm -f y.tab.c y.tab.h
if test $# -ne 1; then
eval LASTARG="\${$#}"
case $LASTARG in
*.y)
SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'`
if test -f "$SRCFILE"; then
cp "$SRCFILE" y.tab.c
fi
SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'`
if test -f "$SRCFILE"; then
cp "$SRCFILE" y.tab.h
fi
;;
esac
fi
if test ! -f y.tab.h; then
echo >y.tab.h
fi
if test ! -f y.tab.c; then
echo 'main() { return 0; }' >y.tab.c
fi
;;
lex|flex)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified a \`.l' file. You may need the \`Flex' package
in order for those modifications to take effect. You can get
\`Flex' from any GNU archive site."
rm -f lex.yy.c
if test $# -ne 1; then
eval LASTARG="\${$#}"
case $LASTARG in
*.l)
SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'`
if test -f "$SRCFILE"; then
cp "$SRCFILE" lex.yy.c
fi
;;
esac
fi
if test ! -f lex.yy.c; then
echo 'main() { return 0; }' >lex.yy.c
fi
;;
help2man)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified a dependency of a manual page. You may need the
\`Help2man' package in order for those modifications to take
effect. You can get \`Help2man' from any GNU archive site."
file=`echo "$*" | sed -n "$sed_output"`
test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
if test -f "$file"; then
touch $file
else
test -z "$file" || exec >$file
echo ".ab help2man is required to generate this page"
exit 1
fi
;;
makeinfo)
echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
you modified a \`.texi' or \`.texinfo' file, or any other file
indirectly affecting the aspect of the manual. The spurious
call might also be the consequence of using a buggy \`make' (AIX,
DU, IRIX). You might want to install the \`Texinfo' package or
the \`GNU make' package. Grab either from any GNU archive site."
# The file to touch is that specified with -o ...
file=`echo "$*" | sed -n "$sed_output"`
test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
if test -z "$file"; then
# ... or it is the one specified with @setfilename ...
infile=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'`
file=`sed -n '
/^@setfilename/{
s/.* \([^ ]*\) *$/\1/
p
q
}' $infile`
# ... or it is derived from the source name (dir/f.texi becomes f.info)
test -z "$file" && file=`echo "$infile" | sed 's,.*/,,;s,.[^.]*$,,'`.info
fi
# If the file does not exist, the user really needs makeinfo;
# let's fail without touching anything.
test -f $file || exit 1
touch $file
;;
tar)
shift
# We have already tried tar in the generic part.
# Look for gnutar/gtar before invocation to avoid ugly error
# messages.
if (gnutar --version > /dev/null 2>&1); then
gnutar "$@" && exit 0
fi
if (gtar --version > /dev/null 2>&1); then
gtar "$@" && exit 0
fi
firstarg="$1"
if shift; then
case $firstarg in
*o*)
firstarg=`echo "$firstarg" | sed s/o//`
tar "$firstarg" "$@" && exit 0
;;
esac
case $firstarg in
*h*)
firstarg=`echo "$firstarg" | sed s/h//`
tar "$firstarg" "$@" && exit 0
;;
esac
fi
echo 1>&2 "\
WARNING: I can't seem to be able to run \`tar' with the given arguments.
You may want to install GNU tar or Free paxutils, or check the
command line arguments."
exit 1
;;
*)
echo 1>&2 "\
WARNING: \`$1' is needed, and is $msg.
You might have modified some files without having the
proper tools for further handling them. Check the \`README' file,
it often tells you about the needed prerequisites for installing
this package. You may also peek at any GNU archive site, in case
some other package would contain this missing \`$1' program."
exit 1
;;
esac
exit 0
# Propagate the correct exit status (expected to be 127 for a program
# not found, 63 for a program that failed due to version mismatch).
exit $st
# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:
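Review bot: the `bison|yacc` and `lex|flex` fallbacks write stub sources when the real tool is absent (`echo 'main() { return 0; }' >y.tab.c`, the same for `lex.yy.c`, and an empty `y.tab.h` via `echo >y.tab.h`) and then fall through the `esac` to `exit 0`, so a build can succeed with a parser or scanner silently replaced by an empty `main()`. The other ending visible in this hunk, `exit $st` with its comment about propagating 127 for a missing program and 63 for a version mismatch, is the safer one: whichever version of the script this commit keeps, a missing tool should surface as a failed build, so these branches are better off ending in `exit 1` than in fabricated outputs.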



@ -1,31 +1,25 @@
#!/bin/sh
set -ev
VERSION=4.57
VERSION=5.42
DST=stunnel-$VERSION-android
# to build Zlib:
# export CHOST=arm-linux-androideabi
# ./configure --static --prefix=/opt/androideabi/sysroot
# make
# make install
# to build OpenSSL:
# export CC=arm-linux-androideabi-gcc
# ./Configure linux-armv4 threads no-shared zlib no-dso --openssldir=/opt/androideabi/sysroot
# make
# ./Configure threads no-shared no-dso --cross-compile-prefix=arm-linux-androideabi- --openssldir=/opt/androideabi/sysroot linux-armv4
# make install
test -f Makefile && make distclean
mkdir -p bin/android
cd bin/android
../../configure --build=i686-pc-linux-gnu --host=arm-linux-androideabi --prefix=/data/local --with-ssl=/opt/androideabi/sysroot
../../configure --with-sysroot --build=i686-pc-linux-gnu --host=arm-linux-androideabi --prefix=/data/local
make clean
make
cd ../..
mkdir $DST
cp bin/android/src/stunnel /opt/androideabi/sysroot/bin/openssl $DST
cp bin/android/src/stunnel $DST
# arm-linux-androideabi-strip $DST/stunnel $DST/openssl
arm-linux-androideabi-strip $DST/openssl
# cp /opt/androideabi/sysroot/bin/openssl $DST
# arm-linux-androideabi-strip $DST/openssl
zip -r $DST.zip $DST
rm -rf $DST
sha256sum $DST.zip
mv $DST.zip ../dist/
# sha256sum $DST.zip
# mv $DST.zip ../dist/
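Review bot: with `# sha256sum $DST.zip` and `# mv $DST.zip ../dist/` commented out, the archive built by `zip -r $DST.zip $DST` is left in the tree with no recorded digest; if this zip is a published artifact, keep the checksum step so its integrity can be checked downstream. As rendered here, `arm-linux-androideabi-strip $DST/openssl` is also still live while both `# cp /opt/androideabi/sysroot/bin/openssl $DST` and the other `# arm-linux-androideabi-strip $DST/openssl` are commented out and `cp bin/android/src/stunnel $DST` copies only stunnel, so under `set -ev` that strip would abort the script on a missing file; the copy and the strip of `openssl` should be enabled or disabled together.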

6351
configure vendored

File diff suppressed because it is too large


@ -1,14 +1,14 @@
# Process this file with autoconf to produce a configure script.
AC_INIT([stunnel],[4.57])
AC_INIT([stunnel],[5.42])
AC_MSG_NOTICE([**************************************** initialization])
AC_CONFIG_AUX_DIR(auto)
AC_CONFIG_MACRO_DIR([m4])
AM_INIT_AUTOMAKE(stunnel, 4.57)
AC_CONFIG_HEADERS([src/config.h])
AC_CONFIG_SRCDIR([src/stunnel.c])
AC_DEFINE([_GNU_SOURCE], [1], [Use GNU source])
AM_INIT_AUTOMAKE
AM_CONDITIONAL([AUTHOR_TESTS], [test -d ".git"])
AC_CANONICAL_HOST
AC_SUBST([host])
AC_DEFINE_UNQUOTED([HOST], ["$host"], [Host description])
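Review bot: `AM_CONDITIONAL([AUTHOR_TESTS], [test -d ".git"])` makes the build depend on whether the tree is a git checkout rather than a release tarball, so packagers building from a git import like this one get a different build than upstream's tarball users; the Debian changelog further down in this commit records a 21-author-tests patch that replaced the `.git` probe with an environment variable for exactly that reason. An explicit configure option or environment check would be preferable to probing for `.git`.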
@ -17,104 +17,116 @@ AC_DEFINE_UNQUOTED(esc(CPU_$host_cpu))
AC_DEFINE_UNQUOTED(esc(VENDOR_$host_vendor))
AC_DEFINE_UNQUOTED(esc(OS_$host_os))
case "$host_os" in
*darwin*)
# OSX does not declare ucontext without _XOPEN_SOURCE
AC_DEFINE([_XOPEN_SOURCE], [500], [Use X/Open 5 with POSIX 1995])
# OSX does not declare chroot() without _DARWIN_C_SOURCE
AC_DEFINE([_DARWIN_C_SOURCE], [1], [Use Darwin source])
;;
*)
AC_DEFINE([_GNU_SOURCE], [1], [Use GNU source])
;;
esac
AC_PROG_CC
AM_PROG_CC_C_O
AC_PROG_INSTALL
AC_PROG_MAKE_SET
# silent build by default
ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
# Checks for typedefs, structures, and compiler characteristics
# AC_C_CONST
# AC_TYPE_SIZE_T
# AC_TYPE_PID_T
# AC_HEADER_TIME
AC_MSG_NOTICE([**************************************** thread model])
# thread detection should be done first, as it may change the CC variable
AC_ARG_WITH(threads,
[ --with-threads=model select threading model (ucontext/pthread/fork)],
[
case "$withval" in
ucontext)
AC_MSG_NOTICE([UCONTEXT mode selected])
AC_DEFINE([USE_UCONTEXT], [1], [Define to 1 to select UCONTEXT mode])
;;
pthread)
AC_MSG_NOTICE([PTHREAD mode selected])
AX_PTHREAD()
LIBS="$PTHREAD_LIBS $LIBS"
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
CC="$PTHREAD_CC"
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
;;
fork)
AC_MSG_NOTICE([FORK mode selected])
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
;;
*)
AC_MSG_ERROR([Unknown thread model \"${withval}\"])
;;
esac
], [
# do not attempt to autodetect UCONTEXT threading
AX_PTHREAD([
AC_MSG_NOTICE([PTHREAD thread model detected])
LIBS="$PTHREAD_LIBS $LIBS"
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
CC="$PTHREAD_CC"
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
], [
AC_MSG_NOTICE([FORK thread model detected])
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
])
])
AC_MSG_NOTICE([**************************************** compiler/linker flags])
AC_SUBST([stunnel_LDFLAGS])
AC_MSG_CHECKING([whether $CC accepts -pthread])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -pthread"
valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -pthread"
AC_LINK_IFELSE([int main() {return 0;}],
[
AC_MSG_RESULT([yes])
AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -pthread"])
AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -pthread"])
], [
AC_MSG_RESULT([no])
])
CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS"
AC_MSG_CHECKING([whether $CC accepts -fstack-protector])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -fstack-protector"
valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -fstack-protector"
AC_LINK_IFELSE([int main() {return 0;}],
[
AC_MSG_RESULT([yes])
AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -fstack-protector"])
AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -fstack-protector"])
], [
AC_MSG_RESULT([no])
])
CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS"
AC_MSG_CHECKING([whether $CC accepts -pie])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -fPIE"
valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -pie -fPIE"
AC_LINK_IFELSE([int main() {return 0;}],
[
AC_MSG_RESULT([yes])
AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -fPIE"])
AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -pie -fPIE"])
], [
AC_MSG_RESULT([no])
])
CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS"
AC_MSG_CHECKING([whether $CC accepts -Wall])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wall"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
AC_MSG_CHECKING([whether $CC accepts -Wextra])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wextra"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
AC_MSG_CHECKING([whether $CC accepts -Wno-long-long])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wno-long-long"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
AC_MSG_CHECKING([whether $CC accepts -pedantic])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -pedantic"
AC_LINK_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
if test "$GCC" = yes; then
AX_APPEND_COMPILE_FLAGS([-Wall])
AX_APPEND_COMPILE_FLAGS([-Wextra])
AX_APPEND_COMPILE_FLAGS([-Wpedantic])
AX_APPEND_COMPILE_FLAGS([-Wformat=2])
AX_APPEND_COMPILE_FLAGS([-Wconversion])
AX_APPEND_COMPILE_FLAGS([-Wno-long-long])
AX_APPEND_COMPILE_FLAGS([-Wno-deprecated-declarations])
AX_APPEND_COMPILE_FLAGS([-fPIE])
case "${host}" in
avr-*.* | powerpc-*-aix* | rl78-*.* | visium-*.*)
;;
*)
AX_APPEND_COMPILE_FLAGS([-fstack-protector])
;;
esac
AX_APPEND_LINK_FLAGS([-fPIE -pie])
AX_APPEND_LINK_FLAGS([-Wl,-z,relro])
AX_APPEND_LINK_FLAGS([-Wl,-z,now])
AX_APPEND_LINK_FLAGS([-Wl,-z,noexecstack])
fi
AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2])
AC_MSG_NOTICE([**************************************** libtool])
LT_INIT([disable-static])
AC_SUBST([LIBTOOL_DEPS])
AC_MSG_NOTICE([**************************************** types])
AC_CHECK_SIZEOF(unsigned char)
AC_CHECK_SIZEOF(unsigned short)
AC_CHECK_SIZEOF(unsigned int)
AC_CHECK_SIZEOF(unsigned long)
AC_TYPE_INT8_T
AC_TYPE_INT16_T
AC_TYPE_INT32_T
AC_TYPE_INT64_T
AC_TYPE_UINT8_T
AC_TYPE_UINT16_T
AC_TYPE_UINT32_T
AC_TYPE_UINT64_T
AC_TYPE_SIZE_T
AC_TYPE_SSIZE_T
AC_TYPE_UID_T
AC_MSG_CHECKING([for socklen_t])
AC_EGREP_HEADER(socklen_t, sys/socket.h,
AC_MSG_RESULT([yes]),
AC_MSG_RESULT([no (defined as int)])
AC_DEFINE([socklen_t], [int], [Type of socklen_t]))
AC_CHECK_TYPES([struct sockaddr_un], [], [], [#include <sys/un.h>])
AC_CHECK_TYPES([struct addrinfo], [], [], [#include <netdb.h>])
AC_MSG_NOTICE([**************************************** PTY device files])
if test "$cross_compiling" = "no"; then
if test "x$cross_compiling" = "xno"; then
AC_CHECK_FILE("/dev/ptmx", AC_DEFINE([HAVE_DEV_PTMX], [1],
[Define to 1 if you have '/dev/ptmx' device.]))
AC_CHECK_FILE("/dev/ptc", AC_DEFINE([HAVE_DEV_PTS_AND_PTC], [1],
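Review bot: in the hand-rolled flag checks being replaced, all three substitutions target `stunnel_LDFLAGF` (for example `AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -pie -fPIE"])`) while the variable declared earlier is `stunnel_LDFLAGS`, so `-pthread`, `-fstack-protector` and `-pie` were never actually applied at link time; moving to `AX_APPEND_COMPILE_FLAGS`/`AX_APPEND_LINK_FLAGS` fixes that and adds `-Wl,-z,relro`, `-Wl,-z,now` and `-Wl,-z,noexecstack`, which is the right direction. Two follow-ups: `-D_FORTIFY_SOURCE=2` only has an effect when the compiler is also optimizing (at least `-O1`), so it is worth making sure `CFLAGS` carries an optimization level when that define is appended; and `-fstack-protector-strong` is a better default than `-fstack-protector` where the compiler accepts it, which `AX_APPEND_COMPILE_FLAGS` can test for in the same way.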
@ -125,13 +137,14 @@ fi
AC_MSG_NOTICE([**************************************** entropy sources])
if test "$cross_compiling" = "no"; then
if test "x$cross_compiling" = "xno"; then
AC_ARG_WITH(egd-socket,
[ --with-egd-socket=FILE Entropy Gathering Daemon socket path],
[EGD_SOCKET="$withval"]
)
if test -n "$EGD_SOCKET"; then
AC_DEFINE_UNQUOTED([EGD_SOCKET], ["$EGD_SOCKET"], [Entropy Gathering Daemon socket path])
AC_DEFINE_UNQUOTED([EGD_SOCKET], ["$EGD_SOCKET"],
[Entropy Gathering Daemon socket path])
fi
# Check for user-specified random device
@ -153,7 +166,7 @@ fi
AC_MSG_NOTICE([**************************************** default group])
DEFAULT_GROUP=nobody
if test "$cross_compiling" = "no"; then
if test "x$cross_compiling" = "xno"; then
grep '^nogroup:' /etc/group >/dev/null && DEFAULT_GROUP=nogroup
else
AC_MSG_WARN([cross-compilation: assuming nogroup is not available])
@ -162,12 +175,17 @@ AC_MSG_CHECKING([for default group])
AC_MSG_RESULT([$DEFAULT_GROUP])
AC_SUBST([DEFAULT_GROUP])
AC_SYS_LARGEFILE
AC_MSG_NOTICE([**************************************** header files])
# AC_HEADER_DIRENT
# AC_HEADER_STDC
# AC_HEADER_SYS_WAIT
AC_CHECK_HEADERS([malloc.h ucontext.h pthread.h poll.h tcpd.h stropts.h grp.h unistd.h util.h libutil.h pty.h])
AC_CHECK_HEADERS([sys/types.h sys/select.h sys/poll.h sys/socket.h sys/un.h sys/ioctl.h sys/filio.h sys/resource.h sys/uio.h])
AC_CHECK_HEADERS([stdint.h inttypes.h malloc.h ucontext.h pthread.h poll.h \
tcpd.h stropts.h grp.h unistd.h util.h libutil.h pty.h limits.h])
AC_CHECK_HEADERS([sys/types.h sys/select.h sys/poll.h sys/socket.h sys/un.h \
sys/ioctl.h sys/filio.h sys/resource.h sys/uio.h sys/syscall.h])
AC_CHECK_HEADERS([linux/sched.h])
AC_CHECK_MEMBERS([struct msghdr.msg_control],
[AC_DEFINE([HAVE_MSGHDR_MSG_CONTROL], [1],
[Define to 1 if you have 'msghdr.msg_control' structure.])], [], [
@ -188,102 +206,22 @@ AC_SEARCH_LIBS([gethostbyname], [nsl])
AC_SEARCH_LIBS([yp_get_default_domain], [nsl])
AC_SEARCH_LIBS([socket], [socket])
AC_SEARCH_LIBS([openpty], [util])
# Checks for dynamic loader and zlib needed by OpenSSL
# Checks for dynamic loader needed by OpenSSL
AC_SEARCH_LIBS([dlopen], [dl])
AC_SEARCH_LIBS([shl_load], [dld])
AC_SEARCH_LIBS([inflateEnd], [z])
# Add BeOS libraries
if test "$host_os" = "beos"; then
if test "x$host_os" = "xbeos"; then
LIBS="$LIBS -lbe -lroot -lbind"
fi
AC_MSG_NOTICE([**************************************** thread model])
checkpthreadlib() { :
# 1. BSD hack: attempt to use alternative libc implementation if available
AC_CHECK_LIB([c_r], [pthread_create],
[
LIBS="$LIBS -pthread"
HAVE_LIBPTHREAD="yes"
AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.])
]
)
# 2. try to use from standard libc (required by Android and possibly other platforms)
AC_CHECK_LIB([c], [pthread_create],
[
HAVE_LIBPTHREAD="yes"
AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.])
]
)
# 3. try libpthread: OSF hack instead of simple AC_CHECK_LIB here
AC_MSG_CHECKING([for pthread_create in -lpthread])
valid_LIBS="$LIBS"
LIBS="$valid_LIBS -lpthread"
AC_LINK_IFELSE(
[AC_LANG_PROGRAM(
[
#include <pthread.h>
],
[
pthread_create((void *)0, (void *)0, (void *)0, (void *)0)
]
)],
[
AC_MSG_RESULT([yes])
HAVE_LIBPTHREAD="yes"
AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.])
], [
AC_MSG_RESULT([no])
LIBS="$valid_LIBS"
]
)
}
AC_ARG_WITH(threads,
[ --with-threads=model select threading model (ucontext/pthread/fork)],
[
case "$withval" in
ucontext)
AC_MSG_NOTICE([UCONTEXT mode selected])
AC_DEFINE([USE_UCONTEXT], [1], [Define to 1 to select UCONTEXT mode])
;;
pthread)
checkpthreadlib
AC_MSG_NOTICE([PTHREAD mode selected])
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
;;
fork)
AC_MSG_NOTICE([FORK mode selected])
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
;;
*)
AC_MSG_ERROR([Unknown thread model \"${withval}\"])
;;
esac
], [
checkpthreadlib
if test "$HAVE_LIBPTHREAD" = "yes" -a "$ac_cv_header_pthread_h" = "yes"; then
AC_MSG_NOTICE([PTHREAD thread model detected])
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
elif test "$ac_cv_func_getcontext" = "yes" -a "$ac_cv_header_ucontext_h" = "yes"; then
AC_MSG_NOTICE([UCONTEXT thread model detected])
AC_DEFINE([USE_UCONTEXT], [1], [Define to 1 to select UCONTEXT mode])
else
AC_MSG_NOTICE([FORK thread model detected])
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
fi
])
AC_MSG_NOTICE([**************************************** library functions])
# safe string operations
AC_CHECK_FUNCS(snprintf vsnprintf)
# pseudoterminal
AC_CHECK_FUNCS(openpty _getpty)
# Unix
AC_CHECK_FUNCS(daemon waitpid wait4 setsid setgroups chroot)
AC_CHECK_FUNCS(daemon waitpid wait4 setsid setgroups chroot realpath)
# limits
AC_CHECK_FUNCS(sysconf getrlimit)
# threads/reentrant functions
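Review bot: dropping `AC_SEARCH_LIBS([inflateEnd], [z])` (and "and zlib" from the comment) means stunnel no longer pulls zlib in for OpenSSL; that matches the Debian changelog entry below about the 10-no-zlib-compression patch being integrated upstream, and is the desirable outcome, since TLS-level compression is what CRIME-style attacks exploit. The removed `checkpthreadlib` function with its `c_r`, `c` and `-lpthread` probes is superseded by `AX_PTHREAD` in the thread-model section earlier in this file, so the removal looks complete; the one thing left to verify is that nothing else still reads `HAVE_LIBPTHREAD`, `ac_cv_header_pthread_h` or `ac_cv_func_getcontext` now that the autodetection branch that set and tested them is gone.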
@ -316,10 +254,10 @@ getaddrinfo(NULL, NULL, NULL, NULL);
[AC_MSG_RESULT([no])])
;;
esac
# poll() is not recommended on Mac OS X <=10.3 and broken on Mac OS X >=10.4
# poll() is not recommended on Mac OS X <= 10.3 and broken on Mac OS X 10.4
AC_MSG_CHECKING([for broken poll() implementation])
case "$host_os" in
darwin*)
darwin[0-8].*)
AC_MSG_RESULT([yes (poll() disabled)])
AC_DEFINE([BROKEN_POLL], [1], [Define to 1 if you have a broken 'poll' implementation.])
;;
@ -334,11 +272,12 @@ AC_MSG_NOTICE([**************************************** optional features])
# Use IPv6?
AC_MSG_CHECKING([whether to enable IPv6 support])
AC_ARG_ENABLE(ipv6,
[ --enable-ipv6 Enable IPv6 support],
[ --disable-ipv6 disable IPv6 support],
[
case "$enableval" in
yes) AC_MSG_RESULT([yes])
AC_DEFINE([USE_IPv6], [1], [Define to 1 to enable IPv6 support])
AC_DEFINE([USE_IPv6], [1],
[Define to 1 to enable IPv6 support])
;;
no) AC_MSG_RESULT([no])
;;
@ -346,23 +285,86 @@ AC_ARG_ENABLE(ipv6,
AC_MSG_ERROR([bad value \"${enableval}\"])
;;
esac
], [
AC_MSG_RESULT([yes (default)])
AC_DEFINE([USE_IPv6], [1], [Define to 1 to enable IPv6 support])
], [
AC_MSG_RESULT([no])
]
)
# FIPS Mode
AC_MSG_CHECKING([whether to enable FIPS support])
AC_ARG_ENABLE(fips,
[ --disable-fips disable OpenSSL FIPS support],
[
case "$enableval" in
yes) AC_MSG_RESULT([no])
use_fips="yes"
AC_DEFINE([USE_FIPS], [1],
[Define to 1 to enable OpenSSL FIPS support])
;;
no) AC_MSG_RESULT([no])
use_fips="no"
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([bad value \"${enableval}\"])
;;
esac
],
[AC_MSG_RESULT([yes]); AC_DEFINE([USE_IPv6], [1], [Define to 1 to enable IPv6 support])],
[AC_MSG_RESULT([no])]
[
use_fips="auto"
AC_MSG_RESULT([autodetecting])
]
)
# Disable systemd socket activation support
AC_MSG_CHECKING([whether to enable systemd socket activation support])
AC_ARG_ENABLE(systemd,
[ --disable-systemd disable systemd socket activation support],
[
case "$enableval" in
yes) AC_MSG_RESULT([yes])
AC_SEARCH_LIBS([sd_listen_fds], [systemd systemd-daemon])
AC_DEFINE([USE_SYSTEMD], [1],
[Define to 1 to enable systemd socket activation])
;;
no) AC_MSG_RESULT([no])
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([Bad value \"${enableval}\"])
;;
esac
],
[
AC_MSG_RESULT([autodetecting])
# the library name has changed to -lsystemd in systemd 209
AC_SEARCH_LIBS([sd_listen_fds], [systemd systemd-daemon],
[ AC_CHECK_HEADERS([systemd/sd-daemon.h], [
AC_DEFINE([USE_SYSTEMD], [1],
[Define to 1 to enable systemd socket activation])
AC_MSG_NOTICE([systemd support enabled])
], [
AC_MSG_NOTICE([systemd header not found])
]) ], [
AC_MSG_NOTICE([systemd library not found])
])
]
)
# Disable use of libwrap (TCP wrappers)
# it should be the last check!
AC_MSG_CHECKING([whether to disable TCP wrappers library support])
AC_MSG_CHECKING([whether to enable TCP wrappers support])
AC_ARG_ENABLE(libwrap,
[ --disable-libwrap Disable TCP wrappers library support],
[ --disable-libwrap disable TCP wrappers support],
[
case "$enableval" in
yes) AC_MSG_RESULT([no])
AC_DEFINE([HAVE_LIBWRAP], [1], [Define to 1 if you have 'libwrap' library.])
yes) AC_MSG_RESULT([yes])
AC_DEFINE([USE_LIBWRAP], [1],
[Define to 1 to enable TCP wrappers support])
LIBS="$LIBS -lwrap"
;;
no) AC_MSG_RESULT([yes])
no) AC_MSG_RESULT([no])
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([Bad value \"${enableval}\"])
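Review bot: in the new `AC_ARG_ENABLE(fips, ...)` block the `yes)` branch prints `AC_MSG_RESULT([no])` before setting `use_fips="yes"` and defining `USE_FIPS`, so `--enable-fips` reports "no" while enabling the feature; it should read `AC_MSG_RESULT([yes])`, as the `yes)` branches of the systemd and libwrap options below it do. Separately, the systemd `yes)` branch calls `AC_SEARCH_LIBS([sd_listen_fds], [systemd systemd-daemon])` with no action-if-not-found and then defines `USE_SYSTEMD` unconditionally, so `--enable-systemd` on a host without the library defers the failure to link time; an `AC_MSG_ERROR` in the not-found action (the autodetect branch already distinguishes that case) would fail at configure time with a clear message. The libwrap `yes)` branch has the same shape, appending `-lwrap` to `LIBS` without any check.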
@ -375,106 +377,83 @@ AC_ARG_ENABLE(libwrap,
valid_LIBS="$LIBS"
LIBS="$valid_LIBS -lwrap"
AC_LINK_IFELSE(
[AC_LANG_PROGRAM(
[
int hosts_access(); int allow_severity, deny_severity;
],
[
hosts_access()
]
)],
[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_LIBWRAP], [1], [Define to 1 if you have 'libwrap' library.])],
[AC_MSG_RESULT([no]); LIBS="$valid_LIBS"]
[
AC_LANG_PROGRAM(
[int hosts_access(); int allow_severity, deny_severity;],
[hosts_access()])
], [
AC_MSG_RESULT([yes]);
AC_DEFINE([USE_LIBWRAP], [1],
[Define to 1 to enable TCP wrappers support])
AC_MSG_NOTICE([libwrap support enabled])
], [
AC_MSG_RESULT([no])
LIBS="$valid_LIBS"
AC_MSG_NOTICE([libwrap library not found])
]
)
]
)
# FIPS Mode
AC_MSG_CHECKING([whether to enable FIPS mode support])
AC_ARG_ENABLE(fips,
[ --enable-fips Enable OpenSSL FIPS mode],
[
case "$enableval" in
yes) AC_MSG_RESULT([yes])
sub_dirs="/ssl/fips /ssl/fips-1.0 /"
fips="yes"
AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS mode])
;;
no) AC_MSG_RESULT([no])
sub_dirs="/ssl /openssl /"
fips="no"
;;
*) AC_MSG_RESULT([error])
AC_MSG_ERROR([bad value \"${enableval}\"])
;;
esac
],
[
sub_dirs="/ssl/fips /ssl/fips-1.0 /ssl /openssl /"
fips="auto"
AC_MSG_RESULT([autodetecting])
]
)
AC_MSG_NOTICE([**************************************** TLS])
AC_MSG_CHECKING([for compiler sysroot])
if test "x$GCC" = "xyes"; then
sysroot=`$CC --print-sysroot 2>/dev/null`
fi
if test -z "$sysroot" -o "x$sysroot" = "x/"; then
sysroot=""
AC_MSG_RESULT([/])
else
AC_MSG_RESULT([$sysroot])
fi
AC_MSG_NOTICE([**************************************** SSL])
check_ssl_dir() { :
SSLDIR="$1"
if test -f "$1/include/openssl/ssl.h"; then
return 0
fi
return 1
test -n "$1" -a -f "$1/include/openssl/ssl.h" && SSLDIR="$1"
}
# Check for SSL directory
AC_MSG_CHECKING([for SSL directory])
AC_ARG_WITH(ssl,
[ --with-ssl=DIR location of installed SSL libraries/include files],
[
check_ssl_dir "$withval"
],
[
for main_dir in /usr/local /usr/lib /usr/pkg /opt/local /opt /usr; do
for sub_dir in $sub_dirs; do
check_ssl_dir "$main_dir$sub_dir" && break 2
done
find_ssl_dir() { :
stunnel_prefix="$prefix"
test "x$stunnel_prefix" = "xNONE" && stunnel_prefix=$ac_default_prefix
for main_dir in "$stunnel_prefix" "/usr/local" "/usr/lib" "/usr/pkg" "/opt/local" "/opt" "/opt/csw" "/usr" ""; do
for sub_dir in "/ssl" "/openssl" "/ossl" ""; do
check_ssl_dir "$sysroot$main_dir$sub_dir" && return
done
]
done
if test -x "/usr/bin/xcrun"; then
sdk_path=`/usr/bin/xcrun --sdk macosx --show-sdk-path`
check_ssl_dir "$sdk_path/usr" && return
fi
check_ssl_dir "/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-migrator/sdk/MacOSX.sdk/usr"
}
SSLDIR=""
AC_MSG_CHECKING([for TLS directory])
AC_ARG_WITH(ssl,
[ --with-ssl=DIR location of installed TLS libraries/include files],
[check_ssl_dir "$withval"],
[find_ssl_dir]
)
if test ! -d "$SSLDIR"; then
if test -z "$SSLDIR"; then
AC_MSG_RESULT([not found])
AC_MSG_ERROR([
Couldn't find your SSL library installation dir
Could not find your TLS library installation dir
Use --with-ssl option to fix this problem
])
fi
AC_MSG_RESULT([$SSLDIR])
AC_SUBST([SSLDIR])
AC_DEFINE_UNQUOTED([SSLDIR], ["$SSLDIR"], [SSL directory])
AC_DEFINE_UNQUOTED([SSLDIR], ["$SSLDIR"], [TLS directory])
valid_CPPFLAGS="$CPPFLAGS"; CPPFLAGS="$CPPFLAGS -I$SSLDIR/include"
valid_LIBS="$LIBS"; LIBS="$LIBS -L$SSLDIR/lib64 -L$SSLDIR/lib -lssl -lcrypto"
AC_CHECK_HEADER([$SSLDIR/include/openssl/engine.h],
[AC_DEFINE([HAVE_OSSL_ENGINE_H], [1],
[Define to 1 if you have <engine.h> header file.])],
[AC_MSG_WARN([OpenSSL engine header not found])])
AC_CHECK_HEADER([$SSLDIR/include/openssl/ocsp.h],
[AC_DEFINE([HAVE_OSSL_OCSP_H], [1],
[Define to 1 if you have <ocsp.h> header file.])],
[AC_MSG_WARN([OpenSSL ocsp header not found])])
AC_CHECK_HEADER([$SSLDIR/include/openssl/fips.h],
[AC_DEFINE([HAVE_OSSL_FIPS_H], [1],
[Define to 1 if you have <fips.h> header file.])],
[AC_MSG_WARN([OpenSSL fips header not found])])
if test "$fips" = "auto"; then
if test "x$use_fips" = "xauto"; then
AC_CHECK_FUNCS(FIPS_mode_set, [
AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS mode.])
AC_MSG_NOTICE([FIPS mode detected])
AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS support])
AC_MSG_NOTICE([FIPS support enabled])
], [
AC_MSG_NOTICE([FIPS mode not detected])
AC_MSG_NOTICE([FIPS support not found])
])
fi
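Review bot: `AC_CHECK_FUNCS(FIPS_mode_set, ...)` in the `use_fips="auto"` path only establishes that the symbol links; OpenSSL 1.0.x exports `FIPS_mode_set` from ordinary non-FIPS builds too (it simply fails at run time), so `USE_FIPS` can be defined and "FIPS support enabled" printed on a system with no validated module at all. If the autodetect result matters, either treat auto as off and require an explicit `--enable-fips`, or probe the module directly with an `AC_RUN_IFELSE` when not cross-compiling. Two smaller points in the same hunk: `find_ssl_dir` takes the first prefix containing `include/openssl/ssl.h`, and the link line then adds `-L$SSLDIR/lib64 -L$SSLDIR/lib -lssl -lcrypto`, so on a host with several OpenSSL installations the headers and the library the linker resolves can come from different versions; a `PKG_CHECK_MODULES([OPENSSL], [openssl])` attempt before the directory walk would pair them reliably. And `AC_MSG_RESULT([yes]);` in the libwrap autodetect branch carries a stray semicolon that is harmless but inconsistent with the surrounding lines.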
@ -482,8 +461,9 @@ CPPFLAGS="$valid_CPPFLAGS"
LIBS="$valid_LIBS"
AC_MSG_NOTICE([**************************************** write the results])
AC_CONFIG_FILES([Makefile src/Makefile src/stunnel3 doc/Makefile tools/Makefile tools/stunnel.conf-sample tools/stunnel.init tools/stunnel.service])
AC_CONFIG_FILES([Makefile src/Makefile doc/Makefile tools/Makefile])
AC_OUTPUT
AC_MSG_NOTICE([**************************************** success])
# vim:ft=automake
# End of configure.ac
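Review bot: `AC_CONFIG_FILES` no longer lists `src/stunnel3`, `tools/stunnel.conf-sample`, `tools/stunnel.init` and `tools/stunnel.service`, so configure stops substituting `@prefix@`-style variables into those files; confirm that `tools/Makefile` (still generated here) now produces them with the right paths, since an init script or unit file shipped with an unexpanded `@bindir@` would not start the daemon.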

23
debian/README.Debian vendored

@ -11,19 +11,6 @@ syntax and calls stunnel4 with appropriate options. It appears to
support every stunnel3 option *except* -S (which controls the defaults
used for certificate sources).
To simplify migration, /usr/bin/stunnel is a symlink to the wrapper
script. A future version will make the link point to stunnel4.
* Changes from previous versions
Upstream versions 4.20 and earlier used to ship binaries in /usr/sbin
by default. If you are upgrading from a hand compiled version or from an
ancient Debian package you will need to update your scripts to refer
to /usr/bin.
This change was made in order to be FHS compliant (stunnel can be used by
normal users, and not only by admins).
* Basic configuration
After installation, you should :
@ -83,12 +70,14 @@ Read the manual page for openssl for more info on the various options.
* FIPS
stunnel 4.21 includes support for OpenSSL's FIPS mode. However, using
it requieres stunnel to be compiled statically against OpenSSL and all
Since version 4.21 stunnel includes support for OpenSSL's FIPS mode. However,
using it requires stunnel to be compiled statically against OpenSSL and all
supporting libraries. Thus, this option is disabled in the Debian package.
See the OpenSSL FIPS FAQ at
http://oss-institute.org/fips-faq.html
See the OpenSSL FIPS User Guide at
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
and the OpenSSL notes about FIPS 140-2 at
https://www.openssl.org/docs/fips/fipsnotes.html
- Julien LEMOINE <speedblue@debian.org>, Sun, 19 Feb 2006 17:31:24 +0100

57
debian/README.source vendored

@ -1,57 +0,0 @@
This package uses quilt to manage all modifications to the upstream
source. Changes are stored in the source package as diffs in
debian/patches and applied during the build.
To configure quilt to use debian/patches instead of patches, you want
either to export QUILT_PATCHES=debian/patches in your environment
or use this snippet in your ~/.quiltrc:
for where in ./ ../ ../../ ../../../ ../../../../ ../../../../../; do
if [ -e ${where}debian/rules -a -d ${where}debian/patches ]; then
export QUILT_PATCHES=debian/patches
fi
done
To get the fully patched source after unpacking the source package, cd to
the root level of the source package and run:
quilt push -a
The last patch listed in debian/patches/series will become the current
patch.
To add a new set of changes, first run quilt push -a, and then run:
quilt new <patch>
where <patch> is a descriptive name for the patch, used as the filename in
debian/patches. Then, for every file that will be modified by this patch,
run:
quilt add <file>
before editing those files. You must tell quilt with quilt add what files
will be part of the patch before making changes or quilt will not work
properly. After editing the files, run:
quilt refresh
to save the results as a patch.
Alternately, if you already have an external patch and you just want to
add it to the build system, run quilt push -a and then:
quilt import -P <patch> /path/to/patch
quilt push -a
(add -p 0 to quilt import if needed). <patch> as above is the filename to
use in debian/patches. The last quilt push -a will apply the patch to
make sure it works properly.
To remove an existing patch from the list of patches that will be applied,
run:
quilt delete <patch>
You may need to run quilt pop -a to unapply patches first before running
this command.

371
debian/changelog vendored

@ -1,8 +1,373 @@
stunnel4 (3:4.57-4) UNRELEASED; urgency=medium
stunnel4 (3:5.42-1) unstable; urgency=medium
* Bump
* Add a simple autopkgtest suite.
* Declare compliance with Debian Policy 4.1.0:
- do not install documentation files if the "nodoc" build option is
set or the "nodoc" build profile is active.
- add the 09-try-restart patch to implement the "try-restart" action
in the SysV init script.
* New upstream version:
- drop the 08-session-free patch, fixed upstream in a better way
- refresh the 02-rename-binary, 04-restore-pidfile-default, and
07-path-max patches
- add a Lintian override because "CAs" is not a typo for this package
- add a build dependency on autoconf-archive
- bump the year in the upstream copyright notice
* Drop the sdf build dependency, it does not seem to be needed any more.
-- Mario Fetka <mario.fetka@gmail.com> Tue, 28 Mar 2017 10:19:14 +0200
-- Peter Pentchev <roam@ringlet.net> Sat, 23 Sep 2017 16:25:21 +0300
stunnel4 (3:5.39-2) unstable; urgency=medium
* Add the 08-session-free patch to avoid freeing the SSL session
twice, which will either be detected by the OpenSSL library and
crash the stunnel process, or cause use-after-free problems that
may lead to even worse results later. Closes: #850292
-- Peter Pentchev <roam@ringlet.net> Sun, 08 Jan 2017 17:30:12 +0200
stunnel4 (3:5.39-1) unstable; urgency=medium
* New upstream version:
- drop the 08-dh-openssl-1.1 patch, dhparam.c was regenerated with
OpenSSL 1.1 again
- refresh the rest of the patches
* Remove the cybermirror sites from the watch file; their stunnel
mirror has been "undergoing maintenance" for at least three months.
* Bump the year of my debian/* copyright notice.
-- Peter Pentchev <roam@ringlet.net> Tue, 03 Jan 2017 12:29:16 +0200
stunnel4 (3:5.38-1) unstable; urgency=medium
* New upstream release:
- drop the 06-lfs, 08-typos, and 09-realloc patches, included upstream
- add the 08-dh-openssl-1.1.patch to fix the build with OpenSSL 1.1
-- Peter Pentchev <roam@ringlet.net> Sun, 27 Nov 2016 03:31:13 +0200
stunnel4 (3:5.37-2) unstable; urgency=medium
* Add the 09-realloc patch to fix a reallocation / double-free bug.
Closes: #843988; thanks, Sebastian Andrzej Siewior and gregor
herrmann!
-- Peter Pentchev <roam@ringlet.net> Wed, 16 Nov 2016 20:50:08 +0200
stunnel4 (3:5.37-1) unstable; urgency=medium
* Reformat the build and runtime dependency lists in the control file.
* Add a runtime dependency on lsb-base for /lib/lsb/init-functions.
* Drop the dh_installinit override: --restart-after-upgrade is already
the default behavior in debhelper compatibility level 10.
* Update the watch file a bit:
- replace pgpmode=auto with pgpsigurlmangle - the former will not
fail on a missing upstream signature file
- make the version regular expression a bit more sane
- use v4's @ARCHIVE_EXT@ substitution variable
* Add another correction to the typos patch.
* New upstream release.
* Correct the download webpage's URL in the copyright file.
* Correct the project homepage's URL in the stunnel3 manual page.
* Use the HTTPS scheme for various upstream URLs.
-- Peter Pentchev <roam@ringlet.net> Thu, 10 Nov 2016 02:57:28 +0200
stunnel4 (3:5.36-1) unstable; urgency=medium
* Add the 24-typos patch to fix some typographical errors.
* New upstream version:
- drop the 10-no-zlib-compression patch, integrated upstream
* Bump the debhelper B-D to 10 and drop the Lintian override.
* Rename the patch files to "reindex" sequentially.
-- Peter Pentchev <roam@ringlet.net> Sun, 25 Sep 2016 12:43:20 +0300
stunnel4 (3:5.35-1) unstable; urgency=medium
* New upstream release:
- drop the 24-ssl23 patch, integrated upstream
- refresh the other patches
-- Peter Pentchev <roam@ringlet.net> Mon, 18 Jul 2016 10:45:04 +0300
stunnel4 (3:5.33-1) unstable; urgency=medium
* Switch the bugs.debian.org URL in a patch to HTTPS.
* Switch the copyright format URL to HTTPS.
* New upstream version:
- fix the build with OpenSSL-1.1; Closes: #828562
- refresh the 12-restore-pidfile-default and 23-path-max patches
* Add the 24-ssl23.h patch to further fix the OpenSSL 1.1 build -
the ssl23.h file was removed.
-- Peter Pentchev <roam@ringlet.net> Mon, 27 Jun 2016 13:51:43 +0300
stunnel4 (3:5.32-1) unstable; urgency=medium
* Declare compliance with Debian Policy 3.9.8 with no changes.
* Remove the Breaks/Replaces relations for the old "stunnel" package;
it is not even present in oldstable.
* Update the watch file:
- switch to the HTTPS scheme for the upstream downloads page
- re-enable the ftp://ftp.stunnel.org/stunnel/archive/5.x/ location
and use FTP passive mode to access it
- actually include upstream's signing subkey in the key file!
- update to the watch file format 4 and use pgpmode=auto
* Use Autoconf's AC_SYS_LARGEFILE for Large File Support.
* New upstream release:
- update the upstream author's e-mail address in the copyright file,
the upstream metadata file, and the stunnel3.8 manual page
- refresh the 02-rename-binary patch
* Bump the debhelper compatibility level to 10:
- override the Lintian debhelper warning as it itself suggests
- let debhelper handle the parallel building and autoreconf by itself
* Add the 23-path-max patch to allocate the configuration filename
dynamically and avoid the use of the possibly undefined PATH_MAX.
-- Peter Pentchev <roam@ringlet.net> Wed, 04 May 2016 14:54:45 +0300
stunnel4 (3:5.31-1) unstable; urgency=medium
* New upstream release.
* Declare compliance with Debian Policy 3.9.7 with no changes.
-- Peter Pentchev <roam@ringlet.net> Wed, 02 Mar 2016 11:29:06 +0200
stunnel4 (3:5.30-1) unstable; urgency=medium
* New upstream release:
- bump the upstream copyright years
- refresh the 02-rename-binary patch
- refresh the 10-no-zlib-compression patch (line numbers only)
* Bump the year on my debian/* copyright notice.
-- Peter Pentchev <roam@ringlet.net> Sun, 31 Jan 2016 15:40:22 +0200
stunnel4 (3:5.29-1) unstable; urgency=medium
* New upstream release, refresh the patches' line numbers.
-- Peter Pentchev <roam@ringlet.net> Fri, 08 Jan 2016 20:59:02 +0200
stunnel4 (3:5.28-1) unstable; urgency=high
* New upstream release:
- high urgency: fix a bug introduced in 3:5.27-1: if an OpenSSL
engine is used, the SSL library's initialization would not be
performed completely, skipping, for instance, the proper
initialization of the pseudo-random number generator
- refresh the patches
-- Peter Pentchev <roam@ringlet.net> Fri, 11 Dec 2015 23:24:40 +0200
stunnel4 (3:5.27-1) unstable; urgency=medium
* New upstream release:
- refresh the patches
- drop the 19-typos patch, applied upstream
-- Peter Pentchev <roam@ringlet.net> Fri, 04 Dec 2015 00:34:30 +0200
stunnel4 (3:5.26-1) unstable; urgency=medium
* New upstream version:
- drop the 14-lsb-init-functions, 18-lsb-startup, and 20-comparison
patches, applied upstream
- rework the 02-rename-binary and 10-no-zlib-compression patches
- update the 19-typos patch: the fixes within it were applied
upstream, but a couple of new typos were introduced
- refresh patches
- add the 21-author-tests patch to make the building of the Win32
binaries conditional on an environment variable and not on
the presence of the .git directory
- update the upstream copyright notice in debian/copyright
* Drop the perl-modules dependency - "perl", brought in by perl:Depends,
ought to be enough.
* Run the build in all of the source directories. Closes: #804292
* Use an https:// URL for Vcs-Git.
-- Peter Pentchev <roam@ringlet.net> Thu, 19 Nov 2015 20:44:33 +0200
stunnel4 (3:5.18-1) unstable; urgency=medium
* Add the 17-upstream-hangup patch to fix prematurely closed
connections when there is still data to be written.
Thanks to Joachim Falk for backporting the patch!
Closes: #771241
* Add the 18-lsb-startup patch to make the daemons' startup consistent
with the way things are done in Debian.
Among other things, Closes: #782030
* Rework the patches a bit:
- update the description of 01-fix-paths
- move the tools/script.sh chunk from 01-fix-paths to 02-rename-binary
- drop 08-client-example: it was actually applied upstream, no need
to add the same text twice
- drop 11-no-rle-compression: the OpenSSL bug has been fixed
somewhere in the 1.x release timeframe
* Add the 19-typos patch to fix some minor documentation typos and
rework the 02-rename-binary patch to make the change in the manual page
during the stunnel.pod -> stunnel.8 rebuild
* Add the 20-comparison patch to fix a minor logging bug.
* Remove ${misc:Pre-Depends} as explained in debhelper's #783898.
* Bump the year on my debian/* copyright notice.
* Add --parallel to the debhelper invocation.
* New upstream version:
- rework the 01-fix-paths and the 10-zlib-compression patches to
catch up with upstream updates
- refresh patches
- drop the 05-logrotate-warning-in-sample-conf patch, applied upstream
- drop the 15-upstream-systemd-libs, 16-upstream-sslv23-method, and
17-upstream-hangup patches since they were cherry-picked from
upstream to begin with
- remove handling for the dropped French manual page
-- Peter Pentchev <roam@ringlet.net> Sun, 14 Jun 2015 04:13:02 +0300
stunnel4 (3:5.06-2) unstable; urgency=medium
* Limit the systemd build dependency to Linux architectures only,
so that we actually give Stunnel a chance to build on kFreeBSD
or the Hurd.
* Add debian/upstream/metadata.
-- Peter Pentchev <roam@ringlet.net> Mon, 20 Oct 2014 11:49:05 +0300
stunnel4 (3:5.06-1) unstable; urgency=medium
* New upstream release:
- refresh patches
- drop 13-init-script-typo.patch, included upstream
* Update Standards-Version to 3.9.6.
[ Santiago Vila <sanvila@unex.es> ]
* Fix logrotate typo (closes: #762242).
[ Peter Pentchev ]
* Disable the autodetection of zlib in the configure script,
it will most probably not be used at all later.
* Fix the DEP-3 format of the 01-fix-paths, 02-rename-binary, and
03-runas-user patches - use multiple "Author" headers.
* Switch to the cgit frontend for Vcs-Browser.
* New upstream release:
- refresh the patches
- add a build dependency on libsystemd-dev for the systemd socket
activation support
- add the 15-upstream-systemd-libs patch to fix the build with
the systemd version in unstable/testing
- add a news blurb about the disabled SSLv2 and SSLv3 protocols
and the configuration options to enable them
- add the 16-upstream-sslv23-method patch to fix the build for
OpenSSL with disabled SSLv2 and SSLv3
- add Mark Theunissen's copyright notice for the systemd socket
activation code
* Drop an ancient README.Debian note about upgrading from 4.20 or
earlier, it has not even been in oldstable for quite some time now.
* Switch the /usr/bin/stunnel symlink from stunnel3 to stunnel4,
as README.Debian has threatened for ages. Add a news blurb.
* Add perl:Depends to the binary package.
-- Peter Pentchev <roam@ringlet.net> Fri, 17 Oct 2014 12:04:50 +0300
stunnel4 (3:5.03-1) unstable; urgency=medium
* New upstream version:
- refresh the 02-rename-binary, 10-no-zlib-compression, and
12-restore-pidfile-default patches
- drop the 09-init-script-ulimits patch, it was actually
included upstream in 5.02
- add the 13-init-script-typo patch to remove a stray quote
* Add the 14-lsb-init-functions patch to source /lib/lsb/init-functions,
although the init script does not use anything there yet.
-- Peter Pentchev <roam@ringlet.net> Sun, 10 Aug 2014 01:55:32 +0300
stunnel4 (3:5.02-1) unstable; urgency=medium
* New upstream version:
- drop the 04-selective-tunnel-restart, 06-init-script-description,
and 07-init-script-status patches, applied upstream
- refresh the 01-fix-paths, 02-rename-binary, 03-runas-user,
05-logrotate-warning-in-sample-conf, 08-client-example,
09-init-script-ulimits, and 12-restore-pidfile-default patches
- augment the 01-fix-paths patch to also move the pidfile to
/var/run/ and not /usr/var/run/.
-- Peter Pentchev <roam@ringlet.net> Tue, 10 Jun 2014 17:23:32 +0300
stunnel4 (3:5.01-3) unstable; urgency=medium
* Add the 12-restore-pidfile-default patch to restore stunnel's
"create the pid file by default" behavior, since the init script
has no way of monitoring the started stunnel4 processes otherwise.
The init script now warns about configurations with no "pid"
setting; in a future version it will refuse to start stunnel for
these configurations. Closes: #744851
-- Peter Pentchev <roam@ringlet.net> Fri, 18 Apr 2014 14:37:42 +0300
stunnel4 (3:5.01-2) unstable; urgency=medium
* Add the 11-no-rle-compression patch to disable RLE compression since
OpenSSL does not really implement it. Closes: #744350
* Modify the 10-no-zlib-compression patch to not even allow starting
a tunnel configured with "zlib" or "deflate" compression.
-- Peter Pentchev <roam@ringlet.net> Mon, 14 Apr 2014 15:24:25 +0300
stunnel4 (3:5.01-1) unstable; urgency=medium
* New maintainer. Closes: #738093
* A new upload should fix the build with newer OpenSSL.
Closes: #737517
* Add DEP-3 headers to the patch files.
* Switch to debhelper override rules.
* Use dh-autoreconf and retarget the rename-binary patch.
Closes: #727511
* Canonicalize the Vcs-Git and Vcs-Browser source control fields.
* Update the watch file a bit:
- watch a mirror in addition to the main site, at least temporarily
until the main FTP site is fixed
- watch for 5.x versions, too
- add Michal Trojnara's PGP key
* Convert the copyright file to the 1.0 format and add my notice.
* Remove the README.source file, unnecessary in the 3.0 (quilt) format.
* Bump Standards-Version to 3.9.5 with no further changes.
* Bump the debhelper compatibility level to 9 with multiarch:
- let debhelper set the build environment variables
- add misc:Pre-Depends to the binary package
- remove the libtool .la file in the multiarch lib directory
* Drop the versions from the libssl-dev and openssl build dependencies.
* Drop two automatically-created directories from debian/dirs
* New upstream release:
- Closes: #723781 (package new upstream version)
- a fix for CVE-2014-0016 was included. Closes: #740802
- refresh the rename-binary patch
- drop the CVE-2013-1762 patch, it was taken from stunnel-4.55
- add a stunnel4.NEWS item to note the newly disabled by default
pidfile and libwrap options
- update the copyright file
* Build with Large File Support - no problems there, since stunnel
never really uses the position or the size of any open files.
* Add the init_script_status patch to support the 'status' command.
Closes: #548974
* Rename the Debian patches following a number sequence.
* Modify the debian/stunnel3.8 and add the 08-client-example patch
to add a client configuration example to the English manual page.
Closes: #644398, although this one shall have to be referred to
upstream for inclusion in the rest of the documentation, too.
* Reword the note about FIPS support in README.Debian, fix a typo
and correct the URLs to the OpenSSL FIPS User Guide.
Closes: #642440
* Optionally set resource limits on startup. Closes: #599138
- add the RLIMITS variable to /etc/default/stunnel4
- add the 09-init-script-ulimits patch to honor it
* Add the 10-no-zlib-compression patch to disable the hardcoded
addition of zlib as a compression algorithm for OpenSSL 0.9.8 and
later; the Debian OpenSSL package is compiled without support for
zlib compression since version 1.0.1e-5.
-- Peter Pentchev <roam@ringlet.net> Tue, 08 Apr 2014 22:48:48 +0300
stunnel4 (3:4.53-1.1) unstable; urgency=high
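Review bot: the 3:5.18-1 entry justifies dropping 11-no-rle-compression with "the OpenSSL bug has been fixed somewhere in the 1.x release timeframe"; naming the OpenSSL version (or at least the Debian bug, as #744350 is cited where the patch was introduced in 3:5.01-2) would let a later maintainer verify that RLE compression really stays disabled instead of taking it on trust. Minor: the "Drop two automatically-created directories from debian/dirs" item in 3:5.01-1 is the only one without a terminating period.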

debian/clean (new file)

@ -0,0 +1,6 @@
build-stamp
debian/stunnel4.init
doc/stunnel.8
doc/stunnel.html
doc/stunnel4.8
doc/stunnel4.pl.8

debian/compat

@ -1 +1 @@
7
10

debian/control

@ -1,20 +1,30 @@
Source: stunnel4
Section: net
Priority: optional
Build-Depends: debhelper (>=7), libssl1.0-dev (>= 1.0.1) | libssl-dev (>= 0.9.8),
openssl (>= 0.9.8), libwrap0-dev, sdf, autotools-dev
Maintainer: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
Standards-Version: 3.9.3
Vcs-Browser: http://git.debian.org/?p=collab-maint/stunnel.git
Vcs-Git: git://git.debian.org/git/collab-maint/stunnel.git
Homepage: http://www.stunnel.org/
Build-Depends:
debhelper (>= 10),
autoconf-archive,
libssl-dev,
libsystemd-dev [linux-any],
libwrap0-dev,
openssl
Maintainer: Peter Pentchev <roam@ringlet.net>
Uploaders: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Standards-Version: 4.1.0
Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/stunnel.git
Vcs-Git: https://anonscm.debian.org/git/collab-maint/stunnel.git
Homepage: https://www.stunnel.org/
Package: stunnel4
Architecture: any
Breaks: stunnel (<< 3:4.20-3)
Provides: stunnel
Replaces: stunnel
Depends: ${shlibs:Depends}, ${misc:Depends}, openssl, netbase, perl-modules
Depends:
${shlibs:Depends},
${misc:Depends},
${perl:Depends},
lsb-base,
netbase,
openssl
Pre-Depends: adduser
Suggests: logcheck-database
Description: Universal SSL tunnel for network daemons
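Review bot: `Breaks: stunnel (<< 3:4.20-3)` and `Replaces: stunnel` should be on the removed side of this hunk: the 3:5.32-1 changelog entry above says those relations were dropped because the old package is not even in oldstable, leaving only `Provides: stunnel`. This rendering has lost the +/- markers, so please confirm. The new `lsb-base` dependency is justified by the init script sourcing /lib/lsb/init-functions and calling pidofproc, killproc and start_daemon (see the 02-rename-binary and 09-try-restart hunks), but the carried-over `Pre-Depends: adduser` has no comment explaining that the stunnel4 account must exist before the init script's `install -d -o stunnel4 -g stunnel4` runs; a one-line comment or changelog mention would help the next maintainer.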

debian/copyright

@ -1,47 +1,59 @@
This package was dowloaded from http://www.stunnel.org/download/source.html
and debianized by Paolo Molaro <lupus@debian.org>.
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: stunnel
Upstream-Contact: Michal Trojnara <Michal.Trojnara@stunnel.org>
Source: https://www.stunnel.org/downloads.html
License: GPL-2+-openssl
Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
Files: *
Copyright:
(C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
(c) 2014 Mark Theunissen
License: GPL-2+-openssl
src/pty.c is based on a Public Domain code by Tatu Ylonen <ylo@cs.hut.fi>
Files: src/stunnel3.in
Copyright: (C) 2004-2012 Michal Trojnara <Michal.Trojnara@stunnel.org>
License: GPL-2+
src/vc.mak contains modifications by David Gillingham <dgillingham@gmail.com>
Files: debian/*
Copyright:
(C) 1998-2001 Paolo Molaro <lupus@debian.org>
(C) 2003-2007 Julien Lemoine <speedblue@debian.org>
(C) 2007-2012 Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
(C) 2013 Salvatore Bonaccorso <carnil@debian.org>
(C) 2014-2017 Peter Pentchev <roam@ringlet.net>
License: GPL-2+-openssl
src/mingw.mak contains modifications by Brian Hatch <bri@stunnel.org>
French documentation translation by Bernard Choppy <choppy@free.fr>
StunnelConf-0.1.pl is copyright (C) 2004 Sergio Rua <srua@debian.org>
The Debian packaging itself is
Copyright (C) 1998-2001 Paolo Molaro <lupus@debian.org>
Copyright (C) 2003-2007 Julien Lemoine <speedblue@debian.org>
Copyright (C) 2007-2012 Rodrigo Gallardo <rodrigo@debian.org>
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, Michal Trojnara gives
* permission to link the code of this program with the OpenSSL
* library (or with modified versions of OpenSSL that use the same
* license as OpenSSL), and distribute linked combinations including
* the two. You must obey the GNU General Public License in all
* respects for all of the code used other than OpenSSL. If you modify
* this file, you may extend this exception to your version of the
* file, but you are not obligated to do so. If you do not wish to
* do so, delete this exception statement from your version.
On Debian systems, the complete text of the GNU General Public
License can be found in /usr/share/common-licenses/GPL file.
License: GPL-2+-openssl
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
.
On Debian systems, the complete text of the GNU General Public License
can be found in file "/usr/share/common-licenses/GPL-2".
.
Linking stunnel statically or dynamically with other modules is making
a combined work based on stunnel. Thus, the terms and conditions of the
GNU General Public License cover the whole combination.
.
In addition, as a special exception, the copyright holder of stunnel gives you
permission to combine stunnel with free software programs or libraries that
are released under the GNU LGPL and with code included in the standard release
of OpenSSL under the OpenSSL License (or modified versions of such code, with
unchanged license). You may copy and distribute such a system following the
terms of the GNU GPL for stunnel and the licenses of the other code concerned.
.
Note that people who make modified versions of stunnel are not obligated to
grant this special exception for their modified versions; it is their choice
whether to do so. The GNU General Public License gives permission to release
a modified version without this exception; this exception also makes it
possible to release a modified version which carries forward this exception.
License: GPL-2+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
.
On Debian systems, the complete text of the GNU General Public License
can be found in file "/usr/share/common-licenses/GPL-2".

debian/dirs

@ -1,3 +1 @@
usr/bin
etc/stunnel
usr/share/doc/

debian/patches/01-fix-paths.patch (new file)

@ -0,0 +1,38 @@
Description: Update the installation directories.
Change @prefix@/... to @localstatedir@ or @sysconfdir@ as appropriate
to comply with the FHS
Forwarded: not-needed
Author: Paolo Molaro <lupus@debian.org>
Author: Julien Lemoine <speedblue@debian.org>
Author: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
Last-Update: 2016-07-06
--- a/tools/stunnel.conf-sample.in
+++ b/tools/stunnel.conf-sample.in
@@ -64,7 +64,7 @@
accept = 127.0.0.1:110
connect = pop.gmail.com:995
verifyChain = yes
-CApath = /etc/ssl/certs
+CApath = @sysconfdir/ssl/certs
checkHost = pop.gmail.com
OCSPaia = yes
@@ -73,7 +73,7 @@
accept = 127.0.0.1:143
connect = imap.gmail.com:993
verifyChain = yes
-CApath = /etc/ssl/certs
+CApath = @sysconfdir/ssl/certs
checkHost = imap.gmail.com
OCSPaia = yes
@@ -82,7 +82,7 @@
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
verifyChain = yes
-CApath = /etc/ssl/certs
+CApath = @sysconfdir/ssl/certs
checkHost = smtp.gmail.com
OCSPaia = yes
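Review bot: all three `+CApath = @sysconfdir/ssl/certs` lines are missing the closing `@` of the `@sysconfdir@` substitution, so configure will leave the literal string `@sysconfdir/ssl/certs` in the installed stunnel.conf-sample, and the `verifyChain = yes` sections right above it would point at a CApath that does not exist; the other patches in this series spell it correctly (compare `@sysconfdir@/default/stunnel4` in 02-rename-binary). Change all three hunks to `+CApath = @sysconfdir@/ssl/certs`. Note also that with Debian's sysconfdir of /etc the substituted result equals upstream's `/etc/ssl/certs`, so this patch only changes anything for builds with a non-default --sysconfdir.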

debian/patches/02-rename-binary.patch (new file)

@ -0,0 +1,103 @@
Description: Change references to the binary from stunnel to stunnel4
Forwarded: not-needed
Author: Julien Lemoine <speedblue@debian.org>
Author: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
Last-Update: 2017-09-23
--- a/src/stunnel3.in
+++ b/src/stunnel3.in
@@ -22,7 +22,7 @@
use Getopt::Std;
# Configuration - path to stunnel (version >=4.05)
-$stunnel_bin='@bindir@/stunnel';
+$stunnel_bin='@bindir@/stunnel4';
# stunnel3 script body begins here
($read_fd, $write_fd)=POSIX::pipe();
--- a/tools/stunnel.init.in
+++ b/tools/stunnel.init.in
@@ -1,6 +1,6 @@
#! /bin/sh -e
### BEGIN INIT INFO
-# Provides: stunnel
+# Provides: stunnel4
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Should-Start: $syslog
@@ -21,8 +21,8 @@
. /lib/lsb/init-functions
-DEFAULTPIDFILE="/var/run/stunnel.pid"
-DAEMON=@bindir@/stunnel
+DEFAULTPIDFILE="/var/run/stunnel4.pid"
+DAEMON=@bindir@/stunnel4
NAME=stunnel
DESC="TLS tunnels"
OPTIONS=""
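Review bot: `NAME=stunnel` is left unchanged in this hunk while `DAEMON` and `DEFAULTPIDFILE` are renamed to stunnel4; the usage message in the 09-try-restart hunk builds `N=@sysconfdir@/init.d/$NAME`, so it will print `/etc/init.d/stunnel {start|stop|...}` although the script is installed as stunnel4 (debian/clean lists debian/stunnel4.init). Unless $NAME is used for something that must stay `stunnel`, change it to `NAME=stunnel4` here.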
@@ -49,9 +49,9 @@
startdaemons() {
local res file args pidfile warn status
- if ! [ -d /var/run/stunnel ]; then
- rm -rf /var/run/stunnel
- install -d -o stunnel -g stunnel /var/run/stunnel
+ if ! [ -d /var/run/stunnel4 ]; then
+ rm -rf /var/run/stunnel4
+ install -d -o stunnel4 -g stunnel4 /var/run/stunnel4
fi
if [ -n "$RLIMITS" ]; then
ulimit $RLIMITS
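Review bot: this hunk hard-codes `/var/run/stunnel4`, while the compiled-in pid-file default elsewhere in this series is built from `$(localstatedir)/run` (the `-DPIDFILE=` line in the restore-pidfile patch) and `DEFAULTPIDFILE` in the previous hunk is again a literal `/var/run/...`; pick one convention so a non-default --localstatedir does not end up with the pid file and the runtime directory in different places. Also, `[ -d /var/run/stunnel4 ]` follows symlinks, so a symlink at that path pointing at some other directory is accepted as-is rather than replaced by the `install -d -o stunnel4 -g stunnel4` directory; if the ownership of the pid-file directory matters, add `! [ -L /var/run/stunnel4 ]` to the test.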
@@ -141,9 +141,9 @@
OPTIONS="-- $OPTIONS"
fi
-[ -f @sysconfdir@/default/stunnel ] && . @sysconfdir@/default/stunnel
+[ -f @sysconfdir@/default/stunnel4 ] && . @sysconfdir@/default/stunnel4
if [ "$ENABLED" = "0" ] ; then
- echo "$DESC disabled, see @sysconfdir@/default/stunnel"
+ echo "$DESC disabled, see @sysconfdir@/default/stunnel4"
exit 0
fi
--- a/tools/script.sh
+++ b/tools/script.sh
@@ -2,7 +2,7 @@
REMOTE_HOST="www.mirt.net:443"
echo "client script connecting $REMOTE_HOST"
-/usr/local/bin/stunnel -fd 10 \
+/usr/bin/stunnel4 -fd 10 \
11<&0 <<EOT 10<&0 0<&11 11<&-
client=yes
connect=$REMOTE_HOST
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -15,11 +15,11 @@
.pod.in.8.in:
pod2man -u -n stunnel -s 8 -r $(VERSION) \
- -c "stunnel TLS Proxy" -d `date +%Y.%m.%d` $< $@
+ -c "stunnel4 TLS Proxy" -d `date +%Y.%m.%d` $< $@
.pod.in.html.in:
pod2html --index --backlink --header \
- --title "stunnel TLS Proxy" --infile=$< --outfile=$@
+ --title "stunnel4 TLS Proxy" --infile=$< --outfile=$@
rm -f pod2htmd.tmp pod2htmi.tmp
edit = sed \
--- a/doc/stunnel.pl.8.in
+++ b/doc/stunnel.pl.8.in
@@ -70,8 +70,8 @@
.rr rF
.\" ========================================================================
.\"
-.IX Title "stunnel 8"
-.TH stunnel 8 "2017.04.01" "5.42" "stunnel TLS Proxy"
+.IX Title "stunnel4 8"
+.TH stunnel 8 "2017.04.01" "5.42" "stunnel4 TLS Proxy"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
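Review bot: this hunk edits the generated Polish manual page by hand, and the `.TH` line it touches embeds the build date and version (`"2017.04.01" "5.42"`), which is why the changelog records refreshing 02-rename-binary on almost every upload. The English page is handled in the doc/Makefile.am hunk by passing `-c "stunnel4 TLS Proxy"` to pod2man; running the Polish page through the same pod2man rule, or applying a sed to the `.TH` footer at build time, would remove the per-release churn. Leaving the `.TH` name as `stunnel` while `.IX Title` becomes `stunnel4` matches the unchanged `pod2man -u -n stunnel` in Makefile.am, so that part is consistent.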

debian/patches/03-runas-user.patch (new file)

@ -0,0 +1,19 @@
Description: Change the default user the binary will run as to stunnel4
Forwarded: not-needed
Author: Julien Lemoine <speedblue@debian.org>
Author: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
Last-Update: 2015-06-13
--- a/tools/stunnel.conf-sample.in
+++ b/tools/stunnel.conf-sample.in
@@ -8,8 +8,8 @@
; **************************************************************************
; It is recommended to drop root privileges if stunnel is started by root
-;setuid = nobody
-;setgid = @DEFAULT_GROUP@
+;setuid = stunnel4
+;setgid = stunnel4
; PID file is created inside the chroot jail (if enabled)
;pid = @localstatedir@/run/stunnel.pid
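Review bot: `;setuid = stunnel4` and `;setgid = stunnel4` stay commented out, so a configuration copied from this sample keeps stunnel running as root when the init script starts it, even though the packaging creates the stunnel4 account and the 02-rename-binary hunk chowns /var/run/stunnel4 to it; the line right above (`It is recommended to drop root privileges if stunnel is started by root`) then reads as advice the sample itself does not follow. If leaving them commented is deliberate (certificate and chroot access from an unprivileged user needs extra setup), say so in the sample. The unchanged context line `;pid = @localstatedir@/run/stunnel.pid` also now disagrees with the compiled-in default `$(localstatedir)/run/stunnel4.pid` from the restore-pidfile patch and should be updated to match.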


@ -0,0 +1,44 @@
Description: Temporarily restore the pid file creation by default.
The init script will not be able to monitor the automatically-started
instances of stunnel if there is no pid file. For the present for the
upgrade from 4.53 the "create the pid file by default" behavior is
restored and the init script warns about configuration files that have
no "pid" setting. The intention is that in a future version the init
script will refuse to start stunnel for these configurations.
Forwarded: not-needed
Author: Peter Pentchev <roam@ringlet.net>
Bug-Debian: https://bugs.debian.org/744851
Last-Update: 2017-07-03
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -44,6 +44,7 @@
stunnel_CPPFLAGS += -I$(SSLDIR)/include
stunnel_CPPFLAGS += -DLIBDIR='"$(pkglibdir)"'
stunnel_CPPFLAGS += -DCONFDIR='"$(sysconfdir)/stunnel"'
+stunnel_CPPFLAGS += -DPIDFILE='"$(localstatedir)/run/stunnel4.pid"'
# TLS library
stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto
--- a/src/options.c
+++ b/src/options.c
@@ -917,7 +917,7 @@
#ifndef USE_WIN32
switch(cmd) {
case CMD_BEGIN:
- new_global_options.pidfile=NULL; /* do not create a pid file */
+ new_global_options.pidfile=PIDFILE;
break;
case CMD_EXEC:
if(strcasecmp(opt, "pid"))
@@ -932,9 +932,10 @@
case CMD_FREE:
break;
case CMD_DEFAULT:
+ s_log(LOG_NOTICE, "%-22s = %s", "pid", PIDFILE);
break;
case CMD_HELP:
- s_log(LOG_NOTICE, "%-22s = pid file", "pid");
+ s_log(LOG_NOTICE, "%-22s = pid file (empty to disable creating)", "pid");
break;
}
#endif
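Review bot: the new help text `pid file (empty to disable creating)` promises that `pid =` with an empty value turns the pid file off, but the CMD_EXEC branch that would have to map an empty string to `pidfile=NULL` lies outside this hunk; confirm it does, otherwise stunnel would try to create a file with an empty name instead of skipping it. Two smaller points: `new_global_options.pidfile=PIDFILE` stores a pointer to a string literal where a configured value is presumably heap-allocated, which is safe only as long as the CMD_FREE case remains the bare `break` shown here, so a comment there would guard against a future free of that pointer; and the `-DPIDFILE='"$(localstatedir)/run/stunnel4.pid"'` line in the Makefile.am hunk bakes the Debian binary rename into a patch whose stated purpose is only restoring the pid-file default, which belongs in 02-rename-binary. Since the sample config states that the pid file is created inside the chroot jail, the default path must also exist inside any chroot a user configures.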

debian/patches/05-author-tests.patch (new file)

@ -0,0 +1,16 @@
Description: Only build the Win32 executables if requested.
Author: Peter Pentchev <roam@ringlet.net>
Forwarded: not yet
Last-Update: 2015-11-11
--- a/configure.ac
+++ b/configure.ac
@@ -8,7 +8,7 @@
AC_CONFIG_SRCDIR([src/stunnel.c])
AM_INIT_AUTOMAKE
-AM_CONDITIONAL([AUTHOR_TESTS], [test -d ".git"])
+AM_CONDITIONAL([AUTHOR_TESTS], [test -n "$AUTHOR_TESTS"])
AC_CANONICAL_HOST
AC_SUBST([host])
AC_DEFINE_UNQUOTED([HOST], ["$host"], [Host description])
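Review bot: `Forwarded: not yet` does not mean what it says under DEP-3: any value other than `no` or `not-needed` is read as "has been forwarded upstream", so this header and the `Forwarded: not-yet` used by 07-path-max and 09-try-restart will all be reported as forwarded patches by tooling. Use `Forwarded: no` until the patch is actually sent, then replace it with the URL of the submission.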

debian/patches/07-path-max.patch (new file)

@ -0,0 +1,71 @@
Description: Allocate the config filename dynamically.
Avoid the use of PATH_MAX which may not be defined.
Forwarded: not-yet
Author: Peter Pentchev <roam@ringlet.net>
Last-Update: 2017-07-03
--- a/src/common.h
+++ b/src/common.h
@@ -94,7 +94,6 @@
typedef int ssize_t;
#endif /* _WIN64 */
#endif /* !__MINGW32__ */
-#define PATH_MAX MAX_PATH
#define USE_IPv6
#define _CRT_SECURE_NO_DEPRECATE
#define _CRT_NONSTDC_NO_DEPRECATE
--- a/src/options.c
+++ b/src/options.c
@@ -211,7 +211,7 @@
NOEXPORT char **argalloc(char *);
#endif
-char configuration_file[PATH_MAX];
+char *configuration_file;
GLOBAL_OPTIONS global_options;
SERVICE_OPTIONS service_options;
@@ -289,17 +289,27 @@
}
#ifdef HAVE_REALPATH
+ char *nconf;
if(type==CONF_FILE) {
- if(!realpath(name, configuration_file)) {
+ nconf = realpath(name, NULL);
+ if(nconf == NULL) {
s_log(LOG_ERR, "Invalid configuration file name \"%s\"", name);
ioerror("realpath");
return 1;
}
- return options_parse(type);
- }
+ free(configuration_file);
+ } else
#endif
- strncpy(configuration_file, name, PATH_MAX-1);
- configuration_file[PATH_MAX-1]='\0';
+ {
+ size_t sz = strlen(name) + 1;
+ nconf = realloc(configuration_file, sz);
+ if(nconf == NULL) {
+ s_log(LOG_ERR, "Could not allocate memory");
+ return 1;
+ }
+ snprintf(nconf, sz, "%s", name);
+ }
+ configuration_file = nconf;
return options_parse(type);
}
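Review bot: `char *nconf;` is declared inside `#ifdef HAVE_REALPATH` but used in the unconditional block after the `#endif` (`nconf = realloc(configuration_file, sz);` and `configuration_file = nconf;`), so a build without realpath fails to compile, and the common.h hunk above makes that exactly the Win32 configuration by removing its `PATH_MAX` fallback. Move the declaration above the `#ifdef`. The rest of the rewrite looks right: `realpath(name, NULL)` returns a malloc'd buffer (POSIX.1-2008 behaviour, supported by glibc), `free(configuration_file)` before the reassignment avoids leaking the previous name on a reload, and on realloc failure the old pointer is kept rather than lost.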
--- a/src/prototypes.h
+++ b/src/prototypes.h
@@ -430,7 +430,7 @@
/**************************************** prototypes for options.c */
-extern char configuration_file[PATH_MAX];
+extern char *configuration_file;
extern unsigned number_of_sections;
int options_cmdline(char *, char *);

debian/patches/09-try-restart.patch (new file)

@ -0,0 +1,76 @@
Description: Implement try-restart in the SysV init script.
Forwarded: not-yet
Author: Peter Pentchev <roam@ringlet.net>
Last-Update: 2017-07-03
--- a/tools/stunnel.init.in
+++ b/tools/stunnel.init.in
@@ -137,6 +137,47 @@
exit "$res"
}
+restartrunningdaemons()
+{
+ local res file pidfile status args
+
+ res=0
+ for file in $FILES; do
+ echo -n " $file: "
+ pidfile=`get_pidfile "$file"`
+ if [ ! -e "$pidfile" ]; then
+ echo -n 'no pid file'
+ else
+ status=0
+ pidofproc -p "$pidfile" "$DAEMON" >/dev/null || status="$?"
+ if [ "$status" = 0 ]; then
+ echo -n 'stopping'
+ killproc -p "$pidfile" "$DAEMON" "$sig" || status="$?"
+ if [ "$status" -eq 0 ]; then
+ echo -n ' starting'
+ args="$file $OPTIONS"
+ start_daemon -p "$pidfile" "$DAEMON" $args || status="$?"
+ if [ "$status" -eq 0 ]; then
+ echo -n ' started'
+ else
+ echo ' failed'
+ res=1
+ fi
+ else
+ echo -n ' failed'
+ res=1
+ fi
+ elif [ "$status" = 4 ]; then
+ echo "cannot access the pid file $pidfile"
+ else
+ echo -n 'stopped'
+ fi
+ fi
+ done
+ echo ''
+ exit "$res"
+}
+
if [ "x$OPTIONS" != "x" ]; then
OPTIONS="-- $OPTIONS"
fi
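Review bot: `killproc -p "$pidfile" "$DAEMON" "$sig"` uses `$sig`, which is neither in the function's `local res file pidfile status args` list nor assigned anywhere in this hunk, so unless a global `sig` is set elsewhere in the script killproc receives an empty signal argument. Either add `sig` to the locals and set it (TERM for a restart) or drop the argument so killproc uses its default. Minor: the same function compares `$status` once with `= 0` and once with `-eq 0`; pick one form.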
@@ -194,6 +235,11 @@
killdaemons && startdaemons
res=$?
;;
+ try-restart)
+ echo -n "Restarting $DESC if running:"
+ restartrunningdaemons
+ res=$?
+ ;;
status)
echo -n "$DESC status:"
querydaemons
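Review bot: `res=$?` after `restartrunningdaemons` never executes, because the function ends with `exit "$res"` (as `startdaemons` does in the earlier context); that matches the surrounding branches, but the dead assignment suggests the helpers were meant to `return "$res"` and let the `case` fall through to a single exit. Against LSB, `try-restart` on a service that is not running should exit 0, which this function does since `res` stays 0 on the 'no pid file' and 'stopped' paths.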
@@ -201,7 +247,7 @@
;;
*)
N=@sysconfdir@/init.d/$NAME
- echo "Usage: $N {start|stop|status|reload|reopen-logs|restart} [<stunnel instance>]" >&2
+ echo "Usage: $N {start|stop|status|reload|reopen-logs|restart|try-restart} [<stunnel instance>]" >&2
res=1
;;
esac


@ -1,56 +0,0 @@
Description: Fix CVE-2013-1762
buffer overflow in NTLM authentication of the CONNECT protocol
negotiation
Origin: vendor
Bug-Debian: http://bugs.debian.org/702267
Forwarded: no
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2013-04-22
--- a/src/protocol.c
+++ b/src/protocol.c
@@ -566,7 +566,7 @@
#define s_min(a, b) ((a)>(b)?(b):(a))
static void ntlm(CLI *c) {
- char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt;
+ char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt, *tmpstr;
long content_length=0; /* no HTTP content */
/* send Proxy-Authorization (phase 1) */
@@ -582,8 +582,8 @@
line=fd_getline(c, c->remote_fd.fd);
/* receive Proxy-Authenticate (phase 2) */
- if(line[9]!='4' || line[10]!='0' || line[11]!='7') { /* code 407 */
- s_log(LOG_ERR, "NTLM authorization request rejected");
+ if(!isprefix(line, "HTTP/1.0 407") && !isprefix(line, "HTTP/1.1 407")) {
+ s_log(LOG_ERR, "Proxy-Authenticate: NTLM authorization request rejected");
do { /* read all headers */
line=fd_getline(c, c->remote_fd.fd);
} while(*line);
@@ -594,8 +594,13 @@
line=fd_getline(c, c->remote_fd.fd);
if(isprefix(line, "Proxy-Authenticate: NTLM "))
ntlm2_txt=str_dup(line+25);
- else if(isprefix(line, "Content-Length: "))
- content_length=atol(line+16);
+ else if(isprefix(line, "Content-Length: ")) {
+ content_length=strtol(line+16, &tmpstr, 10);
+ if(tmpstr==line+16 || *tmpstr || content_length<0) {
+ s_log(LOG_ERR, "Proxy-Authenticate: Invalid Content-Length");
+ longjmp(c->err, 1);
+ }
+ }
} while(*line);
if(!ntlm2_txt) { /* no Proxy-Authenticate: NTLM header */
s_log(LOG_ERR, "Proxy-Authenticate: NTLM header not found");
@@ -603,7 +608,7 @@
}
/* read and ignore HTTP content (if any) */
- while(content_length) {
+ while(content_length>0) {
read_blocking(c, c->remote_fd.fd, buf, s_min(content_length, BUFSIZ));
content_length-=s_min(content_length, BUFSIZ);
}
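Review bot: removing the Debian backport of the CVE-2013-1762 fix is only safe if the upstream src/protocol.c being packaged carries the same guards: Content-Length parsed with strtol and rejected when non-numeric or negative, and the read loop bounded by `while(content_length>0)` with `s_min(content_length, BUFSIZ)`; the changelog says the patch was taken from stunnel-4.55, so a quick grep of the 5.42 source for `Invalid Content-Length` before merging would confirm the NTLM CONNECT path stays covered.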


@ -1,62 +0,0 @@
## Do several path fixups, removing unneeded @prefix@s and changing
## binaries install location from sbin to bin, to comply with the FHS
Index: stunnel4/tools/stunnel.conf-sample.in
===================================================================
--- stunnel4.orig/tools/stunnel.conf-sample.in
+++ stunnel4/tools/stunnel.conf-sample.in
@@ -9,7 +9,7 @@
; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
-chroot = @prefix@/var/lib/stunnel/
+chroot = @localstatedir@/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
setuid = nobody
setgid = @DEFAULT_GROUP@
@@ -19,15 +19,15 @@
; Debugging stuff (may useful for troubleshooting)
;debug = 7
-;output = stunnel.log
+;output = @localstatedir@/log/stunnel/stunnel.log
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Certificate/key is needed in server mode and optional in client mode
-cert = @prefix@/etc/stunnel/mail.pem
-;key = @prefix@/etc/stunnel/mail.pem
+cert = @sysconfdir@/stunnel/mail.pem
+;key = @sysconfdir@/stunnel/mail.pem
; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
@@ -36,12 +36,12 @@
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
-;CAfile = @prefix@/etc/stunnel/certs.pem
+;CAfile = @sysconfdir@/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively CRLfile can be used
-;CRLfile = @prefix@/etc/stunnel/crls.pem
+;CRLfile = @sysconfdir@/stunnel/crls.pem
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
Index: stunnel4/tools/script.sh
===================================================================
--- stunnel4.orig/tools/script.sh
+++ stunnel4/tools/script.sh
@@ -2,7 +2,7 @@
REMOTE_HOST="www.mirt.net:443"
echo "client script connecting $REMOTE_HOST"
-/usr/local/bin/stunnel -fd 10 \
+/usr/bin/stunnel -fd 10 \
11<&0 <<EOT 10<&0 0<&11 11<&-
client=yes
connect=$REMOTE_HOST
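Review bot: the replacement 01-fix-paths patch only rewrites `CApath` in three client sections, whereas this dropped patch also mapped `chroot`, `output`, `cert`, `key`, `CAfile` and `CRLfile` from `@prefix@/etc` and `@prefix@/var` to `@sysconfdir@` and `@localstatedir@`; please confirm the 5.42 sample already uses those variables for the remaining entries, otherwise the installed sample regresses to `@prefix@` paths for the certificate, CA and CRL files.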


@ -1,17 +0,0 @@
Add Description: LSB header to init script.
Index: stunnel4/tools/stunnel.init.in
===================================================================
--- stunnel4.orig/tools/stunnel.init.in
+++ stunnel4/tools/stunnel.init.in
@@ -8,6 +8,10 @@
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start or stop stunnel 4.x (SSL tunnel for network daemons)
+# Description: Starts or stops all configured SSL network tunnels. Each *.conf file in
+# /etc/stunnel/ will spawn a separate stunnel process. The list of files
+# can be overriden in /etc/default/stunnel, and that same file can be used
+# to completely disable *all* tunnels.
### END INIT INFO
DEFAULTPIDFILE="/var/run/stunnel4.pid"


@ -1,26 +0,0 @@
Disable chroot setting from default sample config. Using this requires more
tought from te user, including the logrotate configuration, and so it is
misleading to have it on as default.
This does not affect any current instalation, as this is only shipped as a
sample for users.
Index: stunnel4/tools/stunnel.conf-sample.in
===================================================================
--- stunnel4.orig/tools/stunnel.conf-sample.in
+++ stunnel4/tools/stunnel.conf-sample.in
@@ -9,10 +9,11 @@
; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
-chroot = @localstatedir@/lib/stunnel4/
+; Remember also to update the logrotate configuration.
+;chroot = @localstatedir@/lib/stunnel4/
; Chroot jail can be escaped if setuid option is not used
-setuid = stunnel4
-setgid = stunnel4
+;setuid = stunnel4
+;setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid
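Review bot: with this patch dropped and no logrotate_warning_in_sample_conf successor in the new series, the shipped stunnel.conf-sample may revert to an active `chroot = @localstatedir@/lib/stunnel4/` with uncommented `setuid = stunnel4` / `setgid = stunnel4` (the state the old runas-user patch further down leaves it in); state in the changelog which form the sample ends in, because an enabled chroot silently breaks the logrotate configuration the original comment warned about, and the `setuid`/`setgid` lines are the ones that make the jail escape-resistant, so they should not become active without the matching chroot directory being created.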

@ -1,149 +0,0 @@
diff -uNr stunnel-4.57.orig/doc/stunnel.8 stunnel-4.57/doc/stunnel.8
--- stunnel-4.57.orig/doc/stunnel.8 2013-03-20 07:51:10.000000000 +0100
+++ stunnel-4.57/doc/stunnel.8 2017-03-28 10:45:27.312000000 +0200
@@ -61,8 +61,8 @@
.\}
.\" ========================================================================
.\"
-.IX Title "STUNNEL 8"
-.TH STUNNEL 8 "2013.03.20" "4.56" "stunnel"
+.IX Title "STUNNEL4 8"
+.TH STUNNEL 8 "2013.03.20" "4.56" "stunnel4"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -uNr stunnel-4.57.orig/doc/stunnel.fr.8 stunnel-4.57/doc/stunnel.fr.8
--- stunnel-4.57.orig/doc/stunnel.fr.8 2013-03-19 13:35:53.000000000 +0100
+++ stunnel-4.57/doc/stunnel.fr.8 2017-03-28 10:45:27.316000000 +0200
@@ -61,8 +61,8 @@
.\}
.\" ========================================================================
.\"
-.IX Title "STUNNEL.FR 8"
-.TH STUNNEL.FR 8 "2013.03.19" "4.56" "stunnel"
+.IX Title "STUNNEL4.FR 8"
+.TH STUNNEL.FR 8 "2013.03.19" "4.56" "stunnel4"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -uNr stunnel-4.57.orig/doc/stunnel.pl.8 stunnel-4.57/doc/stunnel.pl.8
--- stunnel-4.57.orig/doc/stunnel.pl.8 2013-03-22 23:23:04.000000000 +0100
+++ stunnel-4.57/doc/stunnel.pl.8 2017-03-28 10:45:27.316000000 +0200
@@ -61,8 +61,8 @@
.\}
.\" ========================================================================
.\"
-.IX Title "STUNNEL.PL 8"
-.TH STUNNEL.PL 8 "2013.03.22" "4.56" "stunnel"
+.IX Title "STUNNEL4.PL 8"
+.TH STUNNEL.PL 8 "2013.03.22" "4.56" "stunnel4"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -uNr stunnel-4.57.orig/src/Makefile.am stunnel-4.57/src/Makefile.am
--- stunnel-4.57.orig/src/Makefile.am 2015-04-01 16:01:42.000000000 +0200
+++ stunnel-4.57/src/Makefile.am 2017-03-28 10:45:27.316000000 +0200
@@ -25,7 +25,7 @@
stunnel_CPPFLAGS += -I$(SSLDIR)/include
stunnel_CPPFLAGS += -DLIBDIR='"$(pkglibdir)"'
stunnel_CPPFLAGS += -DCONFDIR='"$(sysconfdir)/stunnel"'
-stunnel_CPPFLAGS += -DPIDFILE='"$(localstatedir)/run/stunnel/stunnel.pid"'
+stunnel_CPPFLAGS += -DPIDFILE='"$(localstatedir)/run/stunnel4.pid"'
# SSL library
stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto
diff -uNr stunnel-4.57.orig/src/Makefile.in stunnel-4.57/src/Makefile.in
--- stunnel-4.57.orig/src/Makefile.in 2015-04-01 16:01:42.000000000 +0200
+++ stunnel-4.57/src/Makefile.in 2017-03-28 10:45:27.316000000 +0200
@@ -277,7 +277,7 @@
# Additional preprocesor definitions
stunnel_CPPFLAGS = -I/usr/kerberos/include -I$(SSLDIR)/include \
-DLIBDIR='"$(pkglibdir)"' -DCONFDIR='"$(sysconfdir)/stunnel"' \
- -DPIDFILE='"$(localstatedir)/run/stunnel/stunnel.pid"'
+ -DPIDFILE='"$(localstatedir)/run/stunnel4.pid"'
# Win32 executable
EXTRA_DIST = make.bat makece.bat makew32.bat mingw.mak evc.mak vc.mak \
diff -uNr stunnel-4.57.orig/src/stunnel3.in stunnel-4.57/src/stunnel3.in
--- stunnel-4.57.orig/src/stunnel3.in 2012-01-01 22:46:06.000000000 +0100
+++ stunnel-4.57/src/stunnel3.in 2017-03-28 10:45:27.320000000 +0200
@@ -22,7 +22,7 @@
use Getopt::Std;
# Configuration - path to stunnel (version >=4.05)
-$stunnel_bin='@prefix@/bin/stunnel';
+$stunnel_bin='@prefix@/bin/stunnel4';
# stunnel3 script body begins here
($read_fd, $write_fd)=POSIX::pipe();
diff -uNr stunnel-4.57.orig/tools/stunnel.conf-sample.in stunnel-4.57/tools/stunnel.conf-sample.in
--- stunnel-4.57.orig/tools/stunnel.conf-sample.in 2017-03-28 10:45:15.200000000 +0200
+++ stunnel-4.57/tools/stunnel.conf-sample.in 2017-03-28 10:46:03.116000000 +0200
@@ -9,17 +9,17 @@
; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
-chroot = @localstatedir@/lib/stunnel/
+chroot = @localstatedir@/lib/stunnel4/
; Chroot jail can be escaped if setuid option is not used
setuid = nobody
setgid = @DEFAULT_GROUP@
; PID is created inside the chroot jail
-pid = /stunnel.pid
+pid = /stunnel4.pid
; Debugging stuff (may useful for troubleshooting)
;debug = 7
-;output = @localstatedir@/log/stunnel/stunnel.log
+;output = @localstatedir@/log/stunnel4/stunnel.log
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
diff -uNr stunnel-4.57.orig/tools/stunnel.init.in stunnel-4.57/tools/stunnel.init.in
--- stunnel-4.57.orig/tools/stunnel.init.in 2011-03-09 09:56:25.000000000 +0100
+++ stunnel-4.57/tools/stunnel.init.in 2017-03-28 10:45:27.320000000 +0200
@@ -1,6 +1,6 @@
#! /bin/sh -e
### BEGIN INIT INFO
-# Provides: stunnel
+# Provides: stunnel4
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Should-Start: $syslog
@@ -10,8 +10,8 @@
# Short-Description: Start or stop stunnel 4.x (SSL tunnel for network daemons)
### END INIT INFO
-DEFAULTPIDFILE="/var/run/stunnel.pid"
-DAEMON=@prefix@/bin/stunnel
+DEFAULTPIDFILE="/var/run/stunnel4.pid"
+DAEMON=@prefix@/bin/stunnel4
NAME=stunnel
DESC="SSL tunnels"
FILES="/etc/stunnel/*.conf"
@@ -33,9 +33,9 @@
}
startdaemons() {
- if ! [ -d /var/run/stunnel ]; then
- rm -rf /var/run/stunnel
- install -d -o stunnel -g stunnel /var/run/stunnel
+ if ! [ -d /var/run/stunnel4 ]; then
+ rm -rf /var/run/stunnel4
+ install -d -o stunnel4 -g stunnel4 /var/run/stunnel4
fi
for file in $FILES; do
if test -f $file; then
@@ -70,9 +70,9 @@
OPTIONS="-- $OPTIONS"
fi
-test -f /etc/default/stunnel && . /etc/default/stunnel
+test -f /etc/default/stunnel4 && . /etc/default/stunnel4
if [ "$ENABLED" = "0" ] ; then
- echo "$DESC disabled, see /etc/default/stunnel"
+ echo "$DESC disabled, see /etc/default/stunnel4"
exit 0
fi
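Review bot: this dropped patch carried two independent changes, the stunnel4 rename (man page `.TH`/`.IX` titles, stunnel3.in, the init script and the sample config) and the PIDFILE default in src/Makefile.am and src/Makefile.in; the new series names 02-rename-binary.patch and 04-restore-pidfile-default.patch, so check that both `-DPIDFILE='"$(localstatedir)/run/stunnel4.pid"'` and the `install -d -o stunnel4 -g stunnel4 /var/run/stunnel4` handling in startdaemons() survive in one of them, otherwise the daemon falls back to the upstream `/var/run/stunnel/` directory that the package does not create.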

@ -1,16 +0,0 @@
# Change the default user the binary will run as to stunnel4
Index: stunnel4/tools/stunnel.conf-sample.in
===================================================================
--- stunnel4.orig/tools/stunnel.conf-sample.in
+++ stunnel4/tools/stunnel.conf-sample.in
@@ -11,8 +11,8 @@
; Chroot conflicts with configuration file reload and many other features
chroot = @localstatedir@/lib/stunnel4/
; Chroot jail can be escaped if setuid option is not used
-setuid = nobody
-setgid = @DEFAULT_GROUP@
+setuid = stunnel4
+setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid

@ -1,48 +0,0 @@
Subject: Support restarting only selected stunnel instances.
Author: Peter Palfrader <weasel@debian.org>
Bug-Debian: http://bugs.debian.org/627765
Index: stunnel4/tools/stunnel.init.in
===================================================================
--- stunnel4.orig/tools/stunnel.init.in
+++ stunnel4/tools/stunnel.init.in
@@ -14,7 +14,6 @@
DAEMON=@prefix@/bin/stunnel4
NAME=stunnel
DESC="SSL tunnels"
-FILES="/etc/stunnel/*.conf"
OPTIONS=""
ENABLED=0
@@ -76,6 +75,22 @@
exit 0
fi
+# If the user want to manage a single tunnel, the conf file's name
+# is in $2. Otherwise, respect /etc/default/stunnel4 setting. If no
+# setting there, use /etc/stunnel/*.conf
+if [ -n "${2:-}" ]; then
+ if [ -e "/etc/stunnel/$2.conf" ]; then
+ FILES="/etc/stunnel/$2.conf"
+ else
+ echo >&2 "/etc/stunnel/$2.conf does not exist."
+ exit 1
+ fi
+else
+ if [ -z "$FILES" ]; then
+ FILES="/etc/stunnel/*.conf"
+ fi
+fi
+
test -x $DAEMON || exit 0
set -e
@@ -110,7 +125,7 @@
;;
*)
N=/etc/init.d/$NAME
- echo "Usage: $N {start|stop|reload|reopen-logs|restart}" >&2
+ echo "Usage: $N {start|stop|reload|reopen-logs|restart} [<stunnel instance>]" >&2
exit 1
;;
esac
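Review bot: this patch (Bug-Debian #627765, the optional `[<stunnel instance>]` argument) is removed and no entry in the new series is named for it; confirm the per-instance start/stop is preserved elsewhere, including the `-e "/etc/stunnel/$2.conf"` existence check that refuses an unknown instance name with exit 1 instead of silently falling back to `/etc/stunnel/*.conf` and restarting every tunnel.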

debian/patches/series
@ -1,6 +1,7 @@
fix-paths
rename-binary
runas-user
selective_tunnel_restart
logrotate_warning_in_sample_conf
init_script_description
01-fix-paths.patch
02-rename-binary.patch
03-runas-user.patch
04-restore-pidfile-default.patch
05-author-tests.patch
07-path-max.patch
09-try-restart.patch
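Review bot: the new list skips 06 and 08 (05-author-tests.patch is followed by 07-path-max.patch, then 09-try-restart.patch), so those two are either not yet added or were deliberately dropped; of the six old entries only fix-paths, rename-binary and runas-user have an obviously named successor, so the changelog should say where selective_tunnel_restart, logrotate_warning_in_sample_conf and init_script_description went.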

debian/rules
@ -1,113 +1,79 @@
#!/usr/bin/make -f
# -*- makefile -*-
# debian/rules file for the Debian/GNU Linux stunnel package
# Copyright 2003 by Julien LEMOINE <speedblue@debian.org>
# -*- makefile -*-
DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
SYSTEM = --build $(DEB_HOST_GNU_TYPE)
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
# debian/rules file for the Debian GNU/Linux stunnel package
# Copyright 2003 by Julien LEMOINE <speedblue@debian.org>
# Copyright 2014 by Peter Pentchev <roam@ringlet.net>
ifeq (,$(filter nodoc,$(DEB_BUILD_OPTIONS) $(DEB_BUILD_PROFILES)))
DEB_NODOC=0
else
SYSTEM = --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
DEB_NODOC=1
endif
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
export DEB_CFLAGS_MAINT_APPEND=-Wall
build: build-arch build-indep
multiarch_path= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
build-arch: build-stamp
build-indep: build-stamp
build-stamp:
dh_testdir
ifneq "$(wildcard /usr/share/misc/config.sub)" ""
cp -f /usr/share/misc/config.sub config.sub
endif
ifneq "$(wildcard /usr/share/misc/config.guess)" ""
cp -f /usr/share/misc/config.guess config.guess
endif
./configure --prefix=/usr $(SYSTEM) \
$(shell dpkg-buildflags --export=configure) \
--localstatedir=/var --sysconfdir=/etc \
override_dh_auto_configure:
dh_auto_configure -- \
--enable-ipv6 --with-threads=pthread
$(MAKE) -C src
$(MAKE) -C doc
touch build-stamp
clean:
dh_testdir
dh_testroot
dh_clean build-stamp debian/stunnel4.init doc/stunnel4.8 doc/stunnel4.fr.8 doc/stunnel4.pl.8
[ ! -f Makefile ] || $(MAKE) distclean
rm -f config.guess config.sub
install: build-stamp
dh_testdir
dh_testroot
dh_prep
dh_installdirs
$(MAKE) -C src install prefix=$(CURDIR)/debian/stunnel4/usr
$(MAKE) -C doc install prefix=$(CURDIR)/debian/stunnel4/usr
override_dh_auto_install:
dh_auto_install -- -C src
ifeq ($(DEB_NODOC),0)
dh_auto_install -- -C doc
endif
# .la file is useless
rm $(CURDIR)/debian/stunnel4/usr/lib/stunnel/libstunnel.la
ln doc/stunnel.8 doc/stunnel4.8
ln doc/stunnel.fr.8 doc/stunnel4.fr.8
ln doc/stunnel.pl.8 doc/stunnel4.pl.8
# Manpages will be installed by dh_installman
rm -rf $(CURDIR)/debian/stunnel4/usr/share/man
rm $(CURDIR)/debian/stunnel4/usr/lib/$(multiarch_path)/stunnel/libstunnel.la
# Rename binary
mv $(CURDIR)/debian/stunnel4/usr/bin/stunnel \
$(CURDIR)/debian/stunnel4/usr/bin/stunnel4
# Move docs into propper dir
mv $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel \
$(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4
# Copy sample init script into place for dh_installinit
cp $(CURDIR)/tools/stunnel.init $(CURDIR)/debian/stunnel4.init
ifeq ($(DEB_NODOC),0)
ln doc/stunnel.8 doc/stunnel4.8
ln doc/stunnel.pl.8 doc/stunnel4.pl.8
# Manpages will be installed by dh_installman
rm -rf $(CURDIR)/debian/stunnel4/usr/share/man
# Move docs into proper dir
mv $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel \
$(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4
# Basic docs for the user on how to create an initial configuration
install -p -m 0644 $(CURDIR)/debian/stunnel4.conf.README \
$(CURDIR)/debian/stunnel4/etc/stunnel/README
endif
[ ! -s debian/lintian.overrides ] || \
install -p -m 0644 -D $(CURDIR)/debian/lintian.overrides \
$(CURDIR)/debian/stunnel4/usr/share/lintian/overrides/stunnel4
ifeq ($(DEB_NODOC),1)
override_dh_installdocs:
mkdir -p $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4
install -c -o root -g root -m 644 $(CURDIR)/debian/copyright $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4/
binary-indep:
# There are no binary independent packages
override_dh_installman:
binary-arch: install
dh_testdir
dh_testroot
dh_installdocs -a
dh_installexamples -a
dh_installman -a
dh_installchangelogs -a ChangeLog
dh_installinit -a --restart-after-upgrade -- defaults
dh_installppp -a --name=0stunnel4
dh_installlogrotate -a
dh_install -a debian/StunnelConf-0.1.pl usr/share/doc/stunnel4/contrib
dh_link -a
dh_strip -a
dh_compress -a --exclude=StunnelConf-0.1.pl
dh_fixperms -a
dh_makeshlibs -a
dh_installdeb -a
dh_shlibdeps -a
dh_gencontrol -a
dh_md5sums -a
dh_builddeb -a
override_dh_link:
dh_link
rm $(CURDIR)/debian/stunnel4/usr/share/man/man8/stunnel.8.gz
rmdir $(CURDIR)/debian/stunnel4/usr/share/man/man8
rmdir $(CURDIR)/debian/stunnel4/usr/share/man
endif
binary: binary-indep binary-arch
.PHONY: build clean binary-indep binary-arch binary install
override_dh_installppp:
dh_installppp --name=0stunnel4
override_dh_compress:
dh_compress --exclude=StunnelConf-0.1.pl
%:
dh $@
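Review bot: the lintian overrides are hand-installed with `[ ! -s debian/lintian.overrides ] || install -p -m 0644 -D … usr/share/lintian/overrides/stunnel4`; the `dh $@` sequence already runs dh_lintian, so renaming the file to debian/stunnel4.lintian-overrides drops those three lines and keeps the override in the place lintian expects. `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` is the right default for a network-facing TLS daemon; please re-check which hardening overrides are still needed once the build runs with it.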

debian/stunnel3.8
@ -364,6 +364,14 @@ use
\& stunnel \-d 993 \-l /usr/sbin/imapd \-\- imapd
.Ve
.PP
In order to let your local e-mail client connect to a \s-1SSL\s0-enabled
\fIimapd\fR service on another server, configure the e-mail client to connect to
localhost on port 119 and use:
.PP
.Vb 1
\& stunnel \-c \-d 143 \-r servername:993
.Ve
.PP
If you want to provide tunneling to your \fIpppd\fR daemon on port 2020,
use something like
.PP
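Review bot: the new IMAP example is internally inconsistent: the prose tells the user to point the e-mail client at localhost port 119 (the NNTP port), while the command listens with `\-d 143`; change one of the two so the text and the command agree, 143 being the one that matches the imapd example just above.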
@ -482,14 +490,11 @@ access control facility for internet services
.IP "\fIinetd\fR\|(8)" 8
.IX Item "inetd"
internet ``super\-server''
.IP "\fIhttp://stunnel.mirt.net/\fR" 8
.IX Item "http://stunnel.mirt.net/"
.IP "\fIhttps://www.stunnel.org/\fR" 8
.IX Item "https://www.stunnel.org/"
Stunnel homepage
.IP "\fIhttp://www.stunnel.org/\fR" 8
.IX Item "http://www.stunnel.org/"
Stunnel Frequently Asked Questions
.IP "\fIhttp://www.openssl.org/\fR" 8
.IX Item "http://www.openssl.org/"
.IP "\fIhttps://www.openssl.org/\fR" 8
.IX Item "https://www.openssl.org/"
OpenSSL project website
.RE
.RS 4
@ -499,7 +504,7 @@ OpenSSL project website
.RS 4
.IP "Michal Trojnara" 8
.IX Item "Michal Trojnara"
<\fIMichal.Trojnara@mirt.net\fR>
<\fIMichal.Trojnara@stunnel.org\fR>
.RE
.RS 4
.RE

debian/stunnel4.NEWS
@ -1,3 +1,70 @@
stunnel4 (3:5.06-1) unstable; urgency=medium
There are two major changes in this version of stunnel.
First, the /usr/bin/stunnel symlink has been switched from stunnel3
to stunnel4. This should not affect any tools that invoke stunnel
using the stunnel4 name, and it should not affect any Debian packages
that use stunnel. However, any local tools that invoke stunnel with
3.x-style command-line options instead of a 4.x-style configuration
file should make sure that they use the stunnel3 executable name and
not simply stunnel any more, or they should be converted to use
a 4.x-style configuration file (there is no need to create an actual
file on the filesystem, the configuration may be passed to stunnel
on its standard input using the "-fd 0" command-line option).
Second, this version DISABLES support for the SSLv2 and SSLv3 protocols!
If needed, it may be re-enabled by editing the stunnel configuration
file and adding "-NO_SSLv2" or "-NO_SSLv3" respectively to
the "options" setting; see /etc/stunnel/README for an example.
-- Peter Pentchev <roam@ringlet.net> Thu, 16 Oct 2014 13:56:35 +0300
stunnel4 (3:5.01-3) unstable; urgency=medium
This version temporarily brings back the creation of a default pid
file, /var/run/stunnel4.pid, if there is no "pid" setting in
the configuration file. The reason for this is that the init script
cannot monitor the started stunnel processes if there is no pid file
at all.
The init script now warns about configuration files that have no
"pid" setting and will thus use the default pid file location.
In the future it will refuse to start with such configurations, so
it would be best to add the "pid" setting to all the *.conf files in
the /etc/stunnel/ directory.
-- Peter Pentchev <roam@ringlet.net> Fri, 18 Apr 2014 14:37:42 +0300
stunnel (3:5.01-2) unstable; urgency=medium
This version DISABLES the RLE compression method, too. This means
that stunnel currently has no compression methods available at all,
since the underlying OpenSSL library does not have any, either.
Tunnel configurations that explicitly set "compression" will NEED
to be modified.
-- Peter Pentchev <roam@ringlet.net> Mon, 14 Apr 2014 15:04:56 +0300
stunnel (3:5.01-1) unstable; urgency=medium
This version DISABLES the creation of the process ID file and
the use of TCP wrappers for access control by default!
Tunnel configurations that use PID files (e.g. for monitoring) or
TCP wrappers (/etc/hosts.allow, /etc/hosts.deny) will NEED to be
modified to explicitly specify the 'pidfile' global option or
the 'libwrap' service-level option respectively.
This version also DISABLES the "zlib" and "deflate" compression
algorithms because they are not supported in the Debian OpenSSL
package since version 1.0.1e-5. The only supported compression
algorithm is "rle". Tunnel configurations that explicitly set
"compression" to something other than "rle" will NEED to be modified.
-- Peter Pentchev <roam@ringlet.net> Tue, 25 Mar 2014 18:05:11 +0200
stunnel (3:4.33-1) experimental; urgency=low
This version introduces support for reloading the configuration file
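Review bot: the source package name in the entry headers is inconsistent, `stunnel4 (3:5.06-1)` and `stunnel4 (3:5.01-3)` versus `stunnel (3:5.01-2)` and `stunnel (3:5.01-1)`; NEWS uses changelog syntax, so the name should be stunnel4 throughout. In the 3:5.06-1 entry, the advice to add `-NO_SSLv2` / `-NO_SSLv3` to `options` would read better if it said plainly that this re-enables protocols disabled for security reasons and is meant only for a legacy peer that cannot be upgraded.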

@ -9,3 +9,10 @@ OPTIONS=""
# Change to one to enable ppp restart scripts
PPP_RESTART=0
# Change to enable the setting of limits on the stunnel instances
# For example, to set a large limit on file descriptors (to enable
# more simultaneous client connections), set RLIMITS="-n 4096"
# More than one resource limit may be modified at the same time,
# e.g. RLIMITS="-n 4096 -d unlimited"
RLIMITS=""
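Review bot: the comment promises that several limits can be combined in one string (`RLIMITS="-n 4096 -d unlimited"`), but the init script that consumes $RLIMITS is not in this hunk; it runs under `#! /bin/sh` (dash on Debian), whose `ulimit` accepts one resource per invocation, so the consumer must split the string into separate `ulimit -n 4096` and `ulimit -d unlimited` calls rather than passing it verbatim, and the comment should say so.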

@ -2,5 +2,5 @@ tools/ca.html
tools/ca.pl
tools/importCA.html
tools/importCA.sh
tools/stunnel.cnf
tools/openssl.cnf
tools/stunnel.conf-sample

debian/stunnel4.install (new file)
@ -0,0 +1 @@
debian/StunnelConf-0.1.pl usr/share/doc/stunnel4/contrib

@ -1,2 +1,2 @@
/usr/bin/stunnel3 /usr/bin/stunnel
/usr/share/man/man8/stunnel3.8.gz /usr/share/man/man8/stunnel.8.gz
/usr/bin/stunnel4 /usr/bin/stunnel
/usr/share/man/man8/stunnel4.8.gz /usr/share/man/man8/stunnel.8.gz

@ -1,2 +1,5 @@
# No character arrays anywhere in this .so
stunnel4: hardening-no-stackprotector usr/lib/stunnel/libstunnel.so
# Not a typo at all.
stunnel4: spelling-error-in-manpage usr/share/man/man8/stunnel4.8.gz CAs Case
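Review bot: the hardening-no-stackprotector override points at `usr/lib/stunnel/libstunnel.so`, but debian/rules now installs the library under the multiarch path (`usr/lib/$(multiarch_path)/stunnel/`), so this override will no longer match and lintian will either re-emit the tag or report the override as unused; update the path or, better, check whether the tag still fires at all now that the build uses `hardening=+all` and drop the override if it does not.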

@ -1,7 +1,7 @@
/var/log/stunnel4/*.log {
daily
missingok
rotate 356
rotate 365
compress
delaycompress
notifempty

@ -1,4 +1,3 @@
doc/stunnel4.8
doc/stunnel4.fr.8
doc/stunnel4.pl.8
debian/stunnel3.8
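Review bot: doc/stunnel4.fr.8 is dropped from the manpages list and debian/rules no longer hard-links doc/stunnel.fr.8, so the French man page silently disappears from the package; if upstream no longer ships stunnel.fr.8 that is fine but deserves a changelog line, otherwise both the link and this entry should stay.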

debian/tests/certs/certificate.pem (new file)
@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----
MIIDfDCCAmSgAwIBAgIJAPFcHvXjRYbZMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNV
BAYTAkJHMQ4wDAYDVQQIDAVTb2ZpYTEOMAwGA1UEBwwFU29maWExEDAOBgNVBAoM
B1JpbmdsZXQxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xNzA2MTIyMzAzMjdaFw0y
NzA2MTAyMzAzMjdaMFMxCzAJBgNVBAYTAkJHMQ4wDAYDVQQIDAVTb2ZpYTEOMAwG
A1UEBwwFU29maWExEDAOBgNVBAoMB1JpbmdsZXQxEjAQBgNVBAMMCWxvY2FsaG9z
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMp0QYS6IZ1To2h68NcZ
zmnAQfzodFcD7Lhp2CcDOBXRrKfPq1NUqUXMGvcHcPbmT84W2OGGfh11MKvksuof
4+juU4+1uujPJoOmREi7WjVzEVWUftvFUqeTigFz96EMsVui4UbTUxX6ACIsXXwg
v1b/rpyVZJvTucKsyP5ml5OXaPFe5mXUQtdaJsjpV4ikq4O9vcYdMt0Y8IVbxpCO
5CryW3KUHzBUS7uqO2nbLXZBOkJHCgxDawAlTeDRW/uJOl7nnSUgo0HiojG4qhY6
spYmQ9ijtj1vX5H2tsf97rZCbU5JMFqX8XcJgTWKTYHlxkBYbB6QkPyhiOXDo/M/
oJ8CAwEAAaNTMFEwHQYDVR0OBBYEFPwfXq4qd8stmvstPC3QdFL716XRMB8GA1Ud
IwQYMBaAFPwfXq4qd8stmvstPC3QdFL716XRMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
KoZIhvcNAQELBQADggEBADkuMAUB2Uyx23oN9ZxZsAWOdJoSUIWs4qxc5eQ/qjj7
64zm62ZaVc8F6AyMYxHZvOKxvN/Pg19dSZelvTpgSqXLbirstRgsBCIXO2q6UYo2
BUpZovZ4DOll+sAbmrZJRDiVO1XeCqqjr0v0I7NfJ5r31K1tfaZxGovUdC+M3xJ6
yRrFWfF+EdlvVRFQt97mZXtcTDFWk7+CT6fgfLnCxTuMcSNtzM60FCBS5wz0MPSA
BGje1qXUMzwN2T0aDyxWNRdvFGMHC8Z23EOa3roK+NybS2PVAu7MpxDTBZdHSGtG
5wqY6fq5kww8OI9AlPNYVtqXrFrF6Lj5m/jhUHcAIUU=
-----END CERTIFICATE-----
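Review bot: this is a self-signed test certificate with a fixed validity window, shipped together with its private key in key.pem beside it; once it expires the autopkgtest will start failing for reasons unrelated to stunnel, so consider generating the pair at test time from runtime.pl (openssl is available wherever stunnel is), or at least record the expiry date and the test-only purpose in debian/tests/ so nobody reuses the committed key for anything else.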

debian/tests/certs/key.pem (new file)
@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----

debian/tests/control (new file)
@ -0,0 +1,3 @@
Test-Command: env TEST_STUNNEL=/usr/bin/stunnel4 debian/tests/runtime.pl
Depends: @, perl, libanyevent-perl, libnet-ssleay-perl, libpath-tiny-perl
Restrictions: allow-stderr
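Review bot: runtime.pl declares `use Path::Tiny 0.097;` but Depends lists an unversioned libpath-tiny-perl; add `libpath-tiny-perl (>= 0.097)` so an older module fails the dependency check up front rather than dying inside `use` at run time. `Restrictions: allow-stderr` is needed, as the script writes its diagnostics with warn.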

debian/tests/runtime.pl (new executable file)
@ -0,0 +1,647 @@
#!/usr/bin/perl
use v5.14;
use strict;
use warnings;
use AnyEvent;
use AnyEvent::Handle;
use AnyEvent::Socket qw(tcp_connect tcp_server);
use AnyEvent::Util qw(portable_socketpair);
use Fcntl qw(F_GETFD F_SETFD FD_CLOEXEC);
use IO::Handle;
use Path::Tiny 0.097;
use POSIX qw(WNOHANG);
use Socket;
# AnyEvent's TLS support seems to require this...
use threads;
my %children;
my $child_reaper_w;
my $greeting = 'Well hello there!';
sub reap_leftover_children();
sub child_reaper();
sub register_child_reaper()
{
$child_reaper_w = AnyEvent->signal(
signal => 'CHLD',
cb => \&child_reaper,
);
$SIG{__DIE__} = sub {
my ($msg) = @_;
warn "__DIE__ handler invoked: ".($msg =~ s/[\r\n]*$//sr)."\n";
reap_leftover_children;
};
}
sub unregister_child_reaper()
{
undef $child_reaper_w;
}
sub child_reaper()
{
while (1) {
my $pid = waitpid -1, WNOHANG;
my $status = $?;
if (!defined $pid) {
die "Could not waitpid() in a SIGCHLD handler: $!\n";
} elsif ($pid == 0 || $pid == -1) {
last;
} else {
$children{$pid}{cv} //= AnyEvent->condvar;
$children{$pid}{cv}->send($status);
}
}
}
sub register_child($ $)
{
my ($pid, $desc) = @_;
# Weird, but we want it to be at least reasonably atomic-like
$children{$pid}{cv} //= AnyEvent->condvar;
my $ch = $children{$pid};
$ch->{pid} = $pid;
$ch->{desc} = $desc;
}
sub dump_children()
{
join '', map {
my $ch = $children{$_};
"\t$ch->{pid}\t".
($ch->{cv}->ready
? $ch->{cv}->recv
: '(none)'
).
"\t$ch->{desc}\n"
} sort { $a <=> $b } keys %children
}
sub wait_for_child($)
{
my ($pid) = @_;
if (!defined $children{$pid}) {
die "Internal error: wait_for_child() invoked for ".
"unregistered pid $pid\n".dump_children;
}
my $status = $children{$pid}{cv}->recv;
delete $children{$pid};
return $status;
}
sub reap_leftover_children()
{
say 'Oof, let us see if there are any children left';
if (!%children) {
say 'Everyone has been accounted for; great!';
return;
}
for my $pid (keys %children) {
my $ch = $children{$pid};
if ($ch->{cv}->ready) {
my $status = wait_for_child $pid;
say "Hm, child $pid seems to have finished already, status $status";
}
}
if (!%children) {
say 'Everyone has actually been accounted for; great!';
return;
}
for my $pid (keys %children) {
say "Pffth, sending a SIGKILL to $pid";
kill 'KILL', $pid;
}
for my $pid (keys %children) {
my $ch = $children{$pid};
if ($ch->{cv}->ready) {
wait_for_child $pid;
say "OK, $pid done";
}
}
# Bah, figure out some way to let the loop run even if we're within the loop...
if (%children) {
say 'Some children remaining, laying low for a second...';
sleep 1;
for my $pid (keys %children) {
say "- waiting for $pid ($children{$pid}{desc})";
wait_for_child $pid;
say "- OK, $pid done";
}
}
if (%children) {
say 'Something really weird happened, why are there still children around?';
say dump_children;
}
}
sub close_on_exec($ $)
{
my ($fh, $close) = @_;
my $flags = fcntl $fh, F_GETFD, 0 or
die "Could not obtain a file descriptor's flags: $!\n";
my $nflags = $close
? ($flags | FD_CLOEXEC)
: ($flags & ~FD_CLOEXEC);
fcntl $fh, F_SETFD, $nflags or
die "Could not set a file descriptor's flags: $!\n";
}
sub anyevent_socketpair($)
{
my ($name) = @_;
my ($fh1, $fh2) = portable_socketpair;
if (!defined $fh1) {
die "Could not create the $name socketpair: $!\n";
}
$fh1->autoflush(1);
$fh2->autoflush(1);
return (AnyEvent::Handle->new(fh => $fh1), AnyEvent::Handle->new(fh => $fh2));
}
sub find_listening_port($ $ $ $ $)
{
my ($address, $port_start, $step, $count, $cb) = @_;
my $res;
my $port = $port_start;
for (1..$count) {
eval {
$res = tcp_server $address, $port, $cb;
};
last if $res;
say "Could not listen on $address:$port: $@";
$port += $step;
}
if (!defined $res) {
die "Could not find a listening port on $address\n";
}
return ($port, $res);
}
my %conns;
sub register_client_connection($)
{
my ($fh) = @_;
my $sockaddr = getsockname $fh;
if (!defined $sockaddr) {
die "Could not obtain the local address of the just-connected socket: $!\n";
}
my ($port, $addr_num) = sockaddr_in $sockaddr;
if (!defined $port || !defined $addr_num) {
die "Could not decode the address and port from a sockaddr_in structure: $!\n";
}
my $addr = inet_ntoa $addr_num;
if (!defined $addr) {
die "Could not decode a numeric address: $!\n";
}
my $id = "$addr:$port";
$conns{$id}{cv} //= AnyEvent->condvar;
$conns{$id}{fh} //= $fh;
return $id;
}
sub await_client_connection($ $; $)
{
my ($lis_main, $cv, $skip_register) = @_;
my $die = sub {
warn "@_";
$cv->send(undef);
};
$lis_main->rtimeout(10);
$lis_main->on_rtimeout(sub { $die->("The listener's accept message timed out\n") });
$lis_main->push_read(line => sub {
my ($handle, $line) = @_;
if ($line !~ m{^ accept \s+ (?<id> \S+ ) $}x) {
return $die->("The accept server did not send an 'accept' message: $line\n");
}
my ($id) = $+{id};
$conns{$id}{cv} //= AnyEvent->condvar unless $skip_register;
$lis_main->rtimeout(10);
$lis_main->on_rtimeout(sub { $die->("The listener's close message timed out\n") });
$lis_main->push_read(line => sub {
my ($handle, $line) = @_;
if ($line !~ m{^ close \s+ (?<id> \S+ ) $}x) {
return $die->("The accept server did not send an 'close' message: $line\n");
}
my ($cid) = $+{id};
if ($cid ne $id) {
return $die->("The accept server's 'close' message had id '$cid' instead of the accepted one '$id'\n");
}
$lis_main->rtimeout(0);
$cv->send($id);
});
});
}
sub adopt_client_connection($ $)
{
my ($id, $opts) = @_;
my $w;
my $do_close = sub {
my ($err) = @_;
$w->push_shutdown;
$w->destroy;
undef $w;
undef $conns{$id}{handle};
#close $conns{$id}{fh};
if (defined $err) {
warn "$err\n";
$conns{$id}{cv}->send(undef);
} else {
$conns{$id}{cv}->send(1);
}
};
$w = AnyEvent::Handle->new(
fh => $conns{$id}{fh},
%{$opts}, # TLS or something?
on_error => sub {
my ($handle, $fatal, $message) = @_;
if (!$fatal) {
warn "A non-fatal error occurred reading from the $id connection: $message\n";
} else {
$do_close->("A fatal error occurred reading from the $id connection: $message");
}
},
rtimeout => 10,
on_rtimeout => sub {
$do_close->("Reading from the $id connection timed out");
},
);
$w->push_read(line => sub {
my ($handle, $line) = @_;
$w->rtimeout(0);
if ($line ne $greeting) {
$do_close->("The $id connection sent us a line that was not the greeting: expected '$greeting', got '$line'");
} else {
$do_close->(undef);
}
});
$conns{$id}{handle} = $w;
}
sub client_connect($ $ $)
{
my ($address, $port, $cv) = @_;
return tcp_connect $address, $port, sub {
my ($fh) = @_;
if (!defined $fh) {
die "Could not connect to the cleartext listening socket on $address:$port: $!\n";
}
my $id = register_client_connection $fh;
say "Connected to $address:$port, local $id";
$cv->send($id);
adopt_client_connection($id, {});
};
}
MAIN:
{
my $stunnel = $ENV{TEST_STUNNEL} // 'stunnel4';
my $test_done = AnyEvent->condvar;
my ($certsdir, $certfile, $keyfile);
for my $name (qw(certs debian/tests/certs)) {
my $dir = path($name);
if (-d $dir) {
$certfile = $dir->child('certificate.pem');
$keyfile = $dir->child('key.pem');
if (-f $certfile && -f $keyfile) {
$certsdir = path($dir);
last;
}
}
}
die "Could not locate the test certificates directory\n" unless defined $certsdir;
say "Found the certificate at $certfile and the private key at $keyfile";
my $tempdir = Path::Tiny->tempdir;
say "Using the $tempdir temporary directory";
register_child_reaper;
{
say 'About to get the stunnel version information';
pipe my $s_in, my $s_out or die "Could not create an fd pair: $!\n";
close_on_exec $s_in, 0;
close_on_exec $s_out, 0;
my $pid = fork;
if (!defined $pid) {
die "Could not fork for stunnel: $!\n";
} elsif ($pid == 0) {
open STDERR, '>&', $s_out or
die "Could not reopen stderr in the child process: $!\n";
close STDIN or
die "Could not close stdin in the child process: $!\n";
close STDOUT or
die "Could not close stdout in the child process: $!\n";
close $s_in or
die "Could not close the reader fd in the child process: $!\n";
exec $stunnel, '-version';
die "Could not execute '$stunnel': $!\n";
}
register_child $pid, "$stunnel -version";
close $s_out or
die "Could not close the writer fd in the parent process: $!\n";
my ($got_version, $before_version) = (undef, '');
my $eof = AnyEvent->condvar;
my $f_out = AnyEvent->io(
fh => $s_in,
poll => 'r',
cb => sub {
my $line = <$s_in>;
if (!defined $line) {
$eof->send($got_version);
} elsif (!$got_version) {
if ($line =~ m{^
stunnel \s+
(?<version> \d+ \. \S+)
\s+ on \s+
}x) {
$got_version = $+{version};
} else {
$before_version .= $line;
}
}
});
$eof->recv;
if ($before_version ne '') {
warn "stunnel produced output before the version number:\n$before_version\n";
}
if (!defined $got_version) {
die "Could not get the stunnel version number\n";
}
say "Got stunnel version $got_version";
my $status = wait_for_child $pid;
if ($status != 0) {
die "stunnel -version did not exit successfully, status $status\n";
}
}
my ($lis_listener, $lis_main) = anyevent_socketpair 'listener';
my $listen_address = '127.0.0.1';
my %listen_clear_conns;
my ($listen_clear_port, $listen_clear) = find_listening_port $listen_address, 6502, 200, 100, sub {
my ($fh, $host, $port) = @_;
my $id = "$host:$port";
say "Accepted a connection from $id";
$lis_listener->push_write("accept $id\n");
my $w;
my $do_close = sub {
$w->destroy;
delete $listen_clear_conns{$id};
};
$w = AnyEvent::Handle->new(
fh => $fh,
on_error => sub {
my ($handle, $fatal, $message) = @_;
warn "A ".($fatal ? 'fatal' : 'non-fatal').
"error occurred writing to the $id connection: $message\n";
$do_close->();
},
timeout => 10,
on_timeout => sub {
my ($handle) = @_;
warn "Writing to the $id connection timed out\n";
$do_close->();
},
on_read => sub {
my ($handle) = @_;
warn "The $id connection sent data to the server?!\n";
$do_close->();
},
on_eof => sub {
my ($handle) = @_;
say "Got an eof from $id, all seems well";
$do_close->();
$lis_listener->push_write("close $id\n");
},
);
$w->push_write("$greeting\n");
$w->push_shutdown;
$listen_clear_conns{$id} = $w;
};
say "Listening for cleartext connections on $listen_address:$listen_clear_port";
{
my $listener_test_id_cv = AnyEvent->condvar;
my $check_listen_clear = client_connect $listen_address, $listen_clear_port, $listener_test_id_cv;
my $id = $listener_test_id_cv->recv;
if (!defined $id) {
die "Could not connect to the cleartext server\n";
}
say "Got a local connection id $id";
my $listener_test_done = AnyEvent->condvar;
await_client_connection $lis_main, $listener_test_done;
say 'Waiting for the server to acknowledge a completed client connection';
my $sid = $listener_test_done->recv;
if (!defined $sid) {
die "The listener did not acknowledge the connection\n";
} elsif ($sid ne $id) {
die "The listener did not acknowledge the same connection: expected '$id', got '$sid'\n";
}
say 'Waiting for the client connection itself to report completion';
my $res = $conns{$id}{cv}->recv;
if (!defined $res) {
die "The client connection did not complete the chat with the cleartext server\n";
}
say 'Looks like we are done with the test cleartext connection!';
}
my $st_server_port;
{
my $dummy;
($st_server_port, $dummy) = find_listening_port $listen_address, 8086, 200, 100, sub {
my ($fh) = @_;
say "Eh, we really didn't expect a connection here, did we now...";
$fh->close;
};
say "Got listening port $st_server_port for the stunnel server";
undef $dummy;
say 'Let us hope this was enough to get stunnel to listen there...';
}
my ($st_pid, $st_logfile);
{
my $st_config = $tempdir->child('stunnel.conf');
$st_logfile = $tempdir->child('stunnel.log');
my $st_pidfile = $tempdir->child('stunnel.pid');
$st_config->spew_utf8(<<"EOCONF") or die "Could not create the $st_config stunnel config file: $!\n";
pid = $st_pidfile
foreground = yes
output = $st_logfile
cert = $certfile
key = $keyfile
[test]
accept = $listen_address:$st_server_port
connect = $listen_address:$listen_clear_port
EOCONF
say "Created the stunnel config file $st_config:\n======\n".$st_config->slurp_utf8.'======';
$st_pid = fork;
if (!defined $st_pid) {
die "Could not fork for the stunnel server: $!\n";
} elsif ($st_pid == 0) {
my @cmd = ($stunnel, $st_config);
exec { $cmd[0] } @cmd;
die "Could not execute '@cmd': $!\n";
}
say "Started the stunnel server, pid $st_pid";
register_child $st_pid, "stunnel server ($listen_address:$st_server_port)";
}
{
for my $iter (1..10) {
say "Trying a connection through stunnel, iteration $iter";
my $st_conn_cv = AnyEvent->condvar;
my $st_conn;
{
my $st_conn_attempts = 10;
my $st_conn_timer;
$st_conn_timer = AnyEvent->timer(after => 0.1, interval => 1, cb => sub {
say "Trying to connect to the stunnel server at $listen_address:$st_server_port";
$st_conn = tcp_connect $listen_address, $st_server_port, sub {
my ($fh) = @_;
if (!defined $fh) {
# FIXME: Eh, well, reschedule, right?
say "Could not connect to $listen_address:$st_server_port: $!";
if ($children{$st_pid}{cv}->ready) {
say 'Err, the stunnel process seems to have terminated';
undef $st_conn_timer;
$st_conn_cv->send(undef);
return;
}
$st_conn_attempts--;
if ($st_conn_attempts == 0) {
say 'Time after time...';
undef $st_conn_timer;
$st_conn_cv->send(undef);
return;
}
say 'Will retry in a little while';
return;
}
say '...connected!';
$st_conn_timer = undef;
$st_conn_cv->send($fh);
};
});
}
my $st_conn_fh = $st_conn_cv->recv;
if (!defined $st_conn_fh) {
my $log_text = (-f $st_logfile)
? "$st_logfile contents:\n".$st_logfile->slurp_utf8
: "(no log information)";
$log_text .= "\n" unless $log_text =~ /\n\Z/ms;
die "Could not connect to the stunnel service:\n$log_text";
}
my $id = register_client_connection $st_conn_fh;
say "Registered a client connection as $id";
adopt_client_connection $id, { tls => 'connect', };
say 'Waiting for the cleartext listener to receive this connection';
my $stunnel_test_done = AnyEvent->condvar;
await_client_connection $lis_main, $stunnel_test_done, 1;
my $sid = $stunnel_test_done->recv;
if (!defined $sid) {
die "The listener did not acknowledge the connection\n";
} elsif ($sid eq $id) {
die "The listener reported the same connection ID '$id'?!\n";
}
say "The server reported a completed connection: $sid";
my $res = $conns{$id}{cv}->recv;
if (!defined $res) {
die "The connection to stunnel did not report a successful chat\n";
}
say "The stunnel connection seems to have gone through for iteration $iter";
}
}
{
say "Trying to stop stunnel at pid $st_pid";
kill 'TERM', $st_pid or
die "Could not send a terminate signal to the stunnel at pid $st_pid: $!\n";
my $status = wait_for_child $st_pid;
if ($status != 0) {
die "The stunnel process terminated with exit status $status\n";
} else {
say 'The stunnel process terminated successfully';
}
}
{
say 'Checking for leftover children';
if (%children) {
# Our 'die' handler will kill and reap them.
die "Child processes left over:\n".
dump_children;
} else {
say 'No child processes left over';
}
unregister_child_reaper;
};
{
say 'Making sure the AnyEvent loop is still sane';
if ($test_done->ready) {
die "The AnyEvent loop raised the flag prematurely\n";
}
$test_done->send(42);
my $res = $test_done->recv;
if ($res != 42) {
die "The AnyEvent loop does not seem to be quite alive and sane, got a result of '$res' instead of 42\n";
}
say 'Fine!';
};
}
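Review bot: the reconnect loop in the `$st_conn_timer` callback has no overall deadline: `$st_conn_attempts` is decremented only in the `!defined $fh` branch, so an attempt that never completes (nothing answering and the SYN dropped) never counts, the one-second timer keeps issuing a fresh `tcp_connect`, and each tick overwrites `$st_conn`, destroying the guard of the attempt still in flight and so cancelling it. The `# FIXME: Eh, well, reschedule, right?` comment marks the same spot. Suggest decrementing the counter in the timer callback before calling `tcp_connect`, and returning a short timeout from `tcp_connect`'s prepare callback so a hung attempt lands in the existing failure branch. Minor: the `};` closing the 'leftover children' and 'AnyEvent loop' blocks are empty statements after bare blocks; the other blocks end with a plain `}`.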

5
debian/upstream/metadata vendored Normal file
View File

@ -0,0 +1,5 @@
Name: stunnel
Bug-Submit: https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
Contact: https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
FAQ: https://www.stunnel.org/faq.html
Security-Contact: Michal Trojnara <Michal.Trojnara@stunnel.org>

111
debian/upstream/signing-key.asc vendored Normal file
View File

@ -0,0 +1,111 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1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=muMw
-----END PGP PUBLIC KEY BLOCK-----
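Review bot: 111 lines of armoured key is more than a single public key with one self-signature usually needs; please confirm the key was exported with `--export-options export-minimal` so third-party certifications do not ship in the package (lintian checks upstream signing keys for this). Since debian/watch now trusts this key for every future upstream tarball, the changelog or debian/README.source should also record the fingerprint and how it was verified.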

10
debian/watch vendored
View File

@ -1,8 +1,8 @@
version=3
version=4
# Latest version is directly at /stunnel
ftp://ftp.stunnel.org/stunnel/stunnel-(4).([\d]+)+\.tar\.gz debian
# Any previous versions are at /stunnel/obsolete/4.x
ftp://ftp.stunnel.org/stunnel/archive/4.x/stunnel-(4).([\d]+)+\.tar\.gz debian
opts=pgpsigurlmangle=s/$/.asc/ \
https://www.stunnel.org/downloads.html downloads/stunnel-([\d.]+)@ARCHIVE_EXT@ debian
opts=pgpsigurlmangle=s/$/.asc/,pasv \
ftp://ftp.stunnel.org/stunnel/archive/5.x/stunnel-([\d.]+)@ARCHIVE_EXT@
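Review bot: the two entries are now undocumented, because the comments that explained the old ftp lines were dropped; the second entry hardcodes `archive/5.x`, so it only matches older 5.x releases and has to be bumped for a 6.x branch. A one-line comment saying the https entry is the primary source and the ftp line is a fallback for old versions would save the next maintainer a guess. Also, the ftp entry omits the trailing `debian` version field that the https entry carries; it defaults to the same value, but keeping both lines in the same form avoids relying on the default.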

View File

@ -1,21 +1,35 @@
## Process this file with automake to produce Makefile.in
# by Michal Trojnara 2015-2017
EXTRA_DIST = stunnel.pod stunnel.pl.pod stunnel.fr.pod \
stunnel.8 stunnel.pl.8 stunnel.fr.8 \
stunnel.html stunnel.pl.html stunnel.fr.html en pl
EXTRA_DIST = stunnel.pod.in stunnel.8.in stunnel.html.in en
EXTRA_DIST += stunnel.pl.pod.in stunnel.pl.8.in stunnel.pl.html.in pl
man_MANS = stunnel.8 stunnel.pl.8 stunnel.fr.8
man_MANS = stunnel.8 stunnel.pl.8
docdir = $(datadir)/doc/stunnel
doc_DATA = stunnel.html stunnel.pl.html stunnel.fr.html
doc_DATA = stunnel.html stunnel.pl.html
SUFFIXES = .pod .8 .html
CLEANFILES = $(man_MANS) $(doc_DATA)
.pod.8:
pod2man -u --section=8 --release=$(VERSION) --center=stunnel \
--date=`date +%Y.%m.%d` $< $@
SUFFIXES = .pod.in .8.in .html.in
.pod.html:
pod2html --noindex --title stunnel.8 --infile=$< --outfile=$@
.pod.in.8.in:
pod2man -u -n stunnel -s 8 -r $(VERSION) \
-c "stunnel TLS Proxy" -d `date +%Y.%m.%d` $< $@
.pod.in.html.in:
pod2html --index --backlink --header \
--title "stunnel TLS Proxy" --infile=$< --outfile=$@
rm -f pod2htmd.tmp pod2htmi.tmp
edit = sed \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g'
$(man_MANS) $(doc_DATA): Makefile
$(edit) '$(srcdir)/$@.in' >$@
stunnel.8: $(srcdir)/stunnel.8.in
stunnel.html: $(srcdir)/stunnel.html.in
stunnel.pl.8: $(srcdir)/stunnel.pl.8.in
stunnel.pl.html: $(srcdir)/stunnel.pl.html.in
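Review bot: the `$(man_MANS) $(doc_DATA): Makefile` rule redirects straight into `$@`; if sed fails part way, make is left with a truncated target that is newer than its `.in` file and is treated as up to date on the next run. Write to a temporary file and rename on success, e.g. `$(edit) '$(srcdir)/$@.in' >$@.tmp && mv $@.tmp $@`. Separately, `-d \`date +%Y.%m.%d\`` in the `.pod.in.8.in` rule stamps the build date into the man page; as the generated `.8.in` files are in EXTRA_DIST this only affects maintainer rebuilds, but taking the date from SOURCE_DATE_EPOCH when it is set keeps the page reproducible.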

View File

@ -1,9 +1,8 @@
# Makefile.in generated by automake 1.11.1 from Makefile.am.
# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
# Inc.
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
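Review bot: this file is automake output, and this hunk plus the ones below are the 1.11.1 to 1.14.1 regeneration together with the Makefile.am changes, so nothing here should be hand-edited. The check that matters is that debian/rules runs dh_autoreconf so the shipped Makefile.in is regenerated at build time rather than trusted as committed; if it does, the regenerated file could be left out of the patch to keep the diff reviewable.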
@ -15,7 +14,54 @@
@SET_MAKE@
# by Michal Trojnara 2015-2017
VPATH = @srcdir@
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@ -35,7 +81,7 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = doc
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
@ -47,8 +93,25 @@ mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/src/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
SOURCES =
DIST_SOURCES =
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@ -70,14 +133,22 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
man8dir = $(mandir)/man8
am__installdirs = "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(docdir)"
NROFF = nroff
MANS = $(man_MANS)
DATA = $(doc_DATA)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
@ -92,6 +163,7 @@ CYGPATH_W = @CYGPATH_W@
DEFAULT_GROUP = @DEFAULT_GROUP@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@ -116,6 +188,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
@ -131,6 +204,9 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PTHREAD_CC = @PTHREAD_CC@
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
PTHREAD_LIBS = @PTHREAD_LIBS@
RANDOM_FILE = @RANDOM_FILE@
RANLIB = @RANLIB@
SED = @SED@
@ -143,6 +219,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@ -150,6 +227,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
ax_pthread_config = @ax_pthread_config@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@ -175,7 +253,6 @@ libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
lt_ECHO = @lt_ECHO@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
@ -183,28 +260,29 @@ pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
stunnel_CFLAGS = @stunnel_CFLAGS@
stunnel_LDFLAGF = @stunnel_LDFLAGF@
stunnel_LDFLAGS = @stunnel_LDFLAGS@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
EXTRA_DIST = stunnel.pod stunnel.pl.pod stunnel.fr.pod \
stunnel.8 stunnel.pl.8 stunnel.fr.8 \
stunnel.html stunnel.pl.html stunnel.fr.html en pl
EXTRA_DIST = stunnel.pod.in stunnel.8.in stunnel.html.in en \
stunnel.pl.pod.in stunnel.pl.8.in stunnel.pl.html.in pl
man_MANS = stunnel.8 stunnel.pl.8
doc_DATA = stunnel.html stunnel.pl.html
CLEANFILES = $(man_MANS) $(doc_DATA)
SUFFIXES = .pod.in .8.in .html.in
edit = sed \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g'
man_MANS = stunnel.8 stunnel.pl.8 stunnel.fr.8
doc_DATA = stunnel.html stunnel.pl.html stunnel.fr.html
SUFFIXES = .pod .8 .html
all: all-am
.SUFFIXES:
.SUFFIXES: .pod .8 .html
.SUFFIXES: .pod.in .8.in .html.in
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
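Review bot: `stunnel_LDFLAGF = @stunnel_LDFLAGF@` directly above `stunnel_LDFLAGS` looks like a typo carried over from the AC_SUBST list in configure.ac; worth checking upstream whether anything assigns that variable, because otherwise it is substituted as empty and silently unused. Also note that the `.SUFFIXES: .pod.in .8.in .html.in` line and the `.pod.in.8.in` rule depend on make splitting a two-component suffix, which GNU make handles; if portability to other makes matters, explicit pattern or per-target rules are safer.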
@ -243,11 +321,18 @@ clean-libtool:
-rm -rf .libs _libs
install-man8: $(man_MANS)
@$(NORMAL_INSTALL)
test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
@list=''; test -n "$(man8dir)" || exit 0; \
{ for i in $$list; do echo "$$i"; done; \
l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
sed -n '/\.8[a-z]*$$/p'; \
@list1=''; \
list2='$(man_MANS)'; \
test -n "$(man8dir)" \
&& test -n "`echo $$list1$$list2`" \
|| exit 0; \
echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
{ for i in $$list1; do echo "$$i"; done; \
if test -n "$$list2"; then \
for i in $$list2; do echo "$$i"; done \
| sed -n '/\.8[a-z]*$$/p'; \
fi; \
} | while read p; do \
if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; echo "$$p"; \
@ -276,13 +361,14 @@ uninstall-man8:
sed -n '/\.8[a-z]*$$/p'; \
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
test -z "$$files" || { \
echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
install-docDATA: $(doc_DATA)
@$(NORMAL_INSTALL)
test -z "$(docdir)" || $(MKDIR_P) "$(DESTDIR)$(docdir)"
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
@ -296,30 +382,15 @@ uninstall-docDATA:
@$(NORMAL_UNINSTALL)
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
test -n "$$files" || exit 0; \
echo " ( cd '$(DESTDIR)$(docdir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(docdir)" && rm -f $$files
tags: TAGS
TAGS:
dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir)
tags TAGS:
ctags: CTAGS
CTAGS:
ctags CTAGS:
cscope cscopelist:
distdir: $(DISTFILES)
@list='$(MANS)'; if test -n "$$list"; then \
list=`for p in $$list; do \
if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
if test -n "$$list" && \
grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \
echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \
echo " typically \`make maintainer-clean' will remove them" >&2; \
exit 1; \
else :; fi; \
else :; fi
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
@ -366,13 +437,19 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
`test -z '$(STRIP)' || \
echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
@ -452,27 +529,36 @@ uninstall-man: uninstall-man8
.MAKE: install-am install-strip
.PHONY: all all-am check check-am clean clean-generic clean-libtool \
distclean distclean-generic distclean-libtool distdir dvi \
dvi-am html html-am info info-am install install-am \
install-data install-data-am install-docDATA install-dvi \
install-dvi-am install-exec install-exec-am install-html \
install-html-am install-info install-info-am install-man \
install-man8 install-pdf install-pdf-am install-ps \
install-ps-am install-strip installcheck installcheck-am \
installdirs maintainer-clean maintainer-clean-generic \
mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
ps ps-am uninstall uninstall-am uninstall-docDATA \
uninstall-man uninstall-man8
cscopelist-am ctags-am distclean distclean-generic \
distclean-libtool distdir dvi dvi-am html html-am info info-am \
install install-am install-data install-data-am \
install-docDATA install-dvi install-dvi-am install-exec \
install-exec-am install-html install-html-am install-info \
install-info-am install-man install-man8 install-pdf \
install-pdf-am install-ps install-ps-am install-strip \
installcheck installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-generic \
mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \
uninstall-am uninstall-docDATA uninstall-man uninstall-man8
.pod.8:
pod2man -u --section=8 --release=$(VERSION) --center=stunnel \
--date=`date +%Y.%m.%d` $< $@
.pod.in.8.in:
pod2man -u -n stunnel -s 8 -r $(VERSION) \
-c "stunnel TLS Proxy" -d `date +%Y.%m.%d` $< $@
.pod.html:
pod2html --noindex --title stunnel.8 --infile=$< --outfile=$@
.pod.in.html.in:
pod2html --index --backlink --header \
--title "stunnel TLS Proxy" --infile=$< --outfile=$@
rm -f pod2htmd.tmp pod2htmi.tmp
$(man_MANS) $(doc_DATA): Makefile
$(edit) '$(srcdir)/$@.in' >$@
stunnel.8: $(srcdir)/stunnel.8.in
stunnel.html: $(srcdir)/stunnel.html.in
stunnel.pl.8: $(srcdir)/stunnel.pl.8.in
stunnel.pl.html: $(srcdir)/stunnel.pl.html.in
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:

View File

@ -36,8 +36,8 @@ HOWTO and then we'll look at the theory behind all this.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<OL>
<LI><P STYLE="margin-bottom: 0cm">Download and install openSSL,
SSLEay, and Stunnel on the Linux/Unix box. Download the modules.</P>
<LI><P STYLE="margin-bottom: 0cm">Download and install OpenSSL,
SSLeay, and Stunnel on the Linux/Unix box. Download the modules.</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">a)
[root@anthrax$]gunzip openssl-x.xx.tar.gz (repeat for all 3 the
@ -52,7 +52,7 @@ modules)</P>
save the file as VNCRegEdit.REG on the Windows 2000 box</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">--cut here and copy
to VNCRegEdit.REG the double click file to
to VNCRegEdit.REG then double click the file to
import--<BR>REGEDIT4<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3]<BR>AllowLoopback=dword:00000001<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\Default]<BR>AllowLoopback=dword:00000001<BR>--stop
here--<BR><BR>
</P>
@ -87,7 +87,7 @@ here--<BR><BR>
execute the following command and let it run in its own terminal.</P>
</OL>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">stunnel -d 5900 -r
unix.ip.adress:5900 -c</P>
unix.ip.address:5900 -c</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">.</P>
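Review bot: the `stunnel -d 5900 -r unix.ip.address:5900 -c` form in this hunk is stunnel 3.x command-line syntax; the stunnel 5 binary this package ships only accepts a configuration file (compare the SYNOPSIS in the man page later in this diff), so after the spelling fix the HOWTO still documents a command that no longer runs. If the HOWTO is kept, the example should become a service section with `accept = 5900`, `connect = unix.ip.address:5900` and `client = yes`; otherwise the file is better dropped from the package than shipped with a corrected typo and a wrong command.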
<OL>
<LI><P STYLE="margin-bottom: 0cm">And on the Windows 2000 machine
@ -109,7 +109,7 @@ the window</P>
2000 command as follows:
</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">stunnel -d 5902 -r
unix.ip.adress:5902</P>
unix.ip.address:5902</P>
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">and remember to
start another vncserver on the Linux box for each VNC display</P>
<P STYLE="margin-bottom: 0cm"><BR>
@ -165,11 +165,11 @@ desired &quot;display&quot; number.</P>
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">To connect from the client machine you
need to enter the client machines IP address and the &quot;display&quot;
need to enter the client machine's IP address and the &quot;display&quot;
(from the port conversion). But VNC will think that you are trying to
connect to the local machine and does not allow this. To override
this add the following to you registry.<BR><BR>--cut here and copy to
anything.reg. the double click file to
this add the following to your registry.<BR><BR>--cut here and copy to
anything.reg. then double click the file to
import--<BR>REGEDIT4<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3]<BR>AllowLoopback=dword:00000001<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\Default]<BR>AllowLoopback=dword:00000001<BR>--stop
here--<BR><BR>Now VNC will not complain. So you need to always run
stunnel in client mode on the Windows machine and then connect with
@ -182,9 +182,9 @@ way, *NIX doesn't complain about this. There is no setting needed if
<P STYLE="margin-bottom: 0cm"><BR>
</P>
<P STYLE="margin-bottom: 0cm">Unfortunately this will not work well
with the build in web version. If you did not known about it, try
with the built-in web version. If you did not known about it, try
http'ing into a machine running VNC server on it, to port 58XX (where
XX is the display number), and the Java client will be loaded.<BR><BR>
</P>
</BODY>
</HTML>
</HTML>
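Review bot: `If you did not known about it` survives in the rewritten line; make it `did not know` while this sentence is being touched. The doubled `</HTML>` at the end is presumably only the missing trailing newline being added, which is fine, but a word in the changelog would stop it being mistaken for a stray duplicate.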

View File

@ -93,7 +93,7 @@ private key</I>
# private random number file</I>
<BR><I>&nbsp;</I>
<BR><I>x509_extensions = usr_cert&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# The extentions to add to the cert</I>
# The extensions to add to the cert</I>
<BR><I>crl_extensions&nbsp; = crl_ext&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# Extensions to add to CRL</I>
<BR><I>default_days&nbsp;&nbsp;&nbsp; = 365&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
@ -147,7 +147,7 @@ look</I>
<BR><I>distinguished_name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; = req_distinguished_name</I>
<BR><I>attributes&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
= req_attributes</I>
<BR><I>x509_extensions = v3_ca # The extentions to add to the self signed
<BR><I>x509_extensions = v3_ca # The extensions to add to the self signed
cert</I>
<BR><I>&nbsp;</I>
<BR><I>[ req_distinguished_name ]</I>

View File

@ -1,993 +0,0 @@
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\" ========================================================================
.\"
.IX Title "STUNNEL 8"
.TH STUNNEL 8 "2013.03.20" "4.56" "stunnel"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
stunnel \- universal SSL tunnel
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.IP "\fBUnix:\fR" 4
.IX Item "Unix:"
\&\fBstunnel\fR [<filename>] | \-fd n | \-help | \-version | \-sockets
.IP "\fB\s-1WIN32:\s0\fR" 4
.IX Item "WIN32:"
\&\fBstunnel\fR [ [\-install | \-uninstall | \-start | \-stop] | \-exit]
[\-quiet] [<filename>] ] | \-help | \-version | \-sockets
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBstunnel\fR program is designed to work as \fI\s-1SSL\s0\fR encryption wrapper
between remote clients and local (\fIinetd\fR\-startable) or remote
servers. The concept is that having non-SSL aware daemons running on
your system you can easily set them up to communicate with clients over
secure \s-1SSL\s0 channels.
.PP
\&\fBstunnel\fR can be used to add \s-1SSL\s0 functionality to commonly used \fIInetd\fR
daemons like \s-1POP\-2\s0, \s-1POP\-3\s0, and \s-1IMAP\s0 servers, to standalone daemons like
\&\s-1NNTP\s0, \s-1SMTP\s0 and \s-1HTTP\s0, and in tunneling \s-1PPP\s0 over network sockets without
changes to the source code.
.PP
This product includes cryptographic software written by
Eric Young (eay@cryptsoft.com)
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "<\fBfilename\fR>" 4
.IX Item "<filename>"
Use specified configuration file
.IP "\fB\-fd n\fR (Unix only)" 4
.IX Item "-fd n (Unix only)"
Read the config file from specified file descriptor
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print \fBstunnel\fR help menu
.IP "\fB\-version\fR" 4
.IX Item "-version"
Print \fBstunnel\fR version and compile time defaults
.IP "\fB\-sockets\fR" 4
.IX Item "-sockets"
Print default socket options
.IP "\fB\-install\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-install (NT/2000/XP only)"
Install \s-1NT\s0 Service
.IP "\fB\-uninstall\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-uninstall (NT/2000/XP only)"
Uninstall \s-1NT\s0 Service
.IP "\fB\-start\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-start (NT/2000/XP only)"
Start \s-1NT\s0 Service
.IP "\fB\-stop\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-stop (NT/2000/XP only)"
Stop \s-1NT\s0 Service
.IP "\fB\-exit\fR (Win32 only)" 4
.IX Item "-exit (Win32 only)"
Exit an already started stunnel
.IP "\fB\-quiet\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-quiet (NT/2000/XP only)"
Don't display any message boxes
.SH "CONFIGURATION FILE"
.IX Header "CONFIGURATION FILE"
Each line of the configuration file can be either:
.IP "\(bu" 4
An empty line (ignored).
.IP "\(bu" 4
A comment starting with ';' (ignored).
.IP "\(bu" 4
An 'option_name = option_value' pair.
.IP "\(bu" 4
\&'[service_name]' indicating a start of a service definition.
.PP
An address parameter of an option may be either:
.IP "\(bu" 4
A port number.
.IP "\(bu" 4
A colon-separated pair of \s-1IP\s0 address (either IPv4, IPv6, or domain name) and port number.
.IP "\(bu" 4
A Unix socket path (Unix only).
.SS "\s-1GLOBAL\s0 \s-1OPTIONS\s0"
.IX Subsection "GLOBAL OPTIONS"
.IP "\fBchroot\fR = directory (Unix only)" 4
.IX Item "chroot = directory (Unix only)"
directory to chroot \fBstunnel\fR process
.Sp
\&\fBchroot\fR keeps \fBstunnel\fR in chrooted jail. \fICApath\fR, \fICRLpath\fR, \fIpid\fR
and \fIexec\fR are located inside the jail and the patches have to be relative
to the directory specified with \fBchroot\fR.
.Sp
Several functions of the operating system also need their files to be located within chroot jail, e.g.:
.RS 4
.IP "\(bu" 4
Delayed resolver typically needs /etc/nsswitch.conf and /etc/resolv.conf.
.IP "\(bu" 4
Local time in log files needs /etc/timezone.
.IP "\(bu" 4
Some other functions may need devices, e.g. /dev/zero or /dev/null.
.RE
.RS 4
.RE
.IP "\fBcompression\fR = deflate | zlib | rle" 4
.IX Item "compression = deflate | zlib | rle"
select data compression algorithm
.Sp
default: no compression
.Sp
deflate is the standard compression method as described in \s-1RFC\s0 1951.
.Sp
zlib compression of \fBOpenSSL 0.9.8\fR or above is not backward compatible with
\&\fBOpenSSL 0.9.7\fR.
.Sp
rle compression is currently not implemented by the \fBOpenSSL\fR library.
.IP "\fBdebug\fR = [facility.]level" 4
.IX Item "debug = [facility.]level"
debugging level
.Sp
Level is a one of the syslog level names or numbers
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6), or debug (7). All logs for the specified level and
all levels numerically less than it will be shown. Use \fIdebug = debug\fR or
\&\fIdebug = 7\fR for greatest debugging output. The default is notice (5).
.Sp
The syslog facility 'daemon' will be used unless a facility name is supplied.
(Facilities are not supported on Win32.)
.Sp
Case is ignored for both facilities and levels.
.IP "\fB\s-1EGD\s0\fR = egd path (Unix only)" 4
.IX Item "EGD = egd path (Unix only)"
path to Entropy Gathering Daemon socket
.Sp
Entropy Gathering Daemon socket to use to feed \fBOpenSSL\fR random number
generator. (Available only if compiled with \fBOpenSSL 0.9.5a\fR or higher)
.IP "\fBengine\fR = auto | <engine id>" 4
.IX Item "engine = auto | <engine id>"
select hardware engine
.Sp
default: software-only cryptography
.Sp
Here is an example of advanced engine configuration to read private key from an
OpenSC engine
.Sp
.Vb 7
\& engine=dynamic
\& engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so
\& engineCtrl=ID:pkcs11
\& engineCtrl=LIST_ADD:1
\& engineCtrl=LOAD
\& engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc\-pkcs11.so
\& engineCtrl=INIT
\&
\& [service]
\& engineNum=1
\& key=id_45
.Ve
.IP "\fBengineCtrl\fR = command[:parameter]" 4
.IX Item "engineCtrl = command[:parameter]"
control hardware engine
.Sp
Special commands \*(L"\s-1LOAD\s0\*(R" and \*(L"\s-1INIT\s0\*(R" can be used to load and initialize the
engine cryptogaphic module.
.IP "\fBfips\fR = yes | no" 4
.IX Item "fips = yes | no"
Enable or disable \s-1FIPS\s0 140\-2 mode.
.Sp
This option allows to disable entering \s-1FIPS\s0 mode if \fBstunnel\fR was compiled
with \s-1FIPS\s0 140\-2 support.
.Sp
default: yes
.IP "\fBforeground\fR = yes | no (Unix only)" 4
.IX Item "foreground = yes | no (Unix only)"
foreground mode
.Sp
Stay in foreground (don't fork) and log to stderr
instead of via syslog (unless \fIoutput\fR is specified).
.Sp
default: background in daemon mode
.IP "\fBoutput\fR = file" 4
.IX Item "output = file"
append log messages to a file
.Sp
/dev/stdout device can be used to send log messages to the standard
output (for example to log them with daemontools splogger).
.IP "\fBpid\fR = file (Unix only)" 4
.IX Item "pid = file (Unix only)"
pid file location
.Sp
If the argument is empty, then no pid file will be created.
.Sp
\&\fIpid\fR path is relative to \fIchroot\fR directory if specified.
.IP "\fBRNDbytes\fR = bytes" 4
.IX Item "RNDbytes = bytes"
bytes to read from random seed files
.Sp
Number of bytes of data read from random seed files. With \s-1SSL\s0 versions less
than \fB0.9.5a\fR, also determines how many bytes of data are considered
sufficient to seed the \s-1PRNG\s0. More recent \fBOpenSSL\fR versions have a builtin
function to determine when sufficient randomness is available.
.IP "\fBRNDfile\fR = file" 4
.IX Item "RNDfile = file"
path to file with random seed data
.Sp
The \s-1SSL\s0 library will use data from this file first to seed the random
number generator.
.IP "\fBRNDoverwrite\fR = yes | no" 4
.IX Item "RNDoverwrite = yes | no"
overwrite the random seed files with new random data
.Sp
default: yes
.IP "\fBservice\fR = servicename (Unix only)" 4
.IX Item "service = servicename (Unix only)"
use specified string as \fIinetd\fR mode service name for \s-1TCP\s0 Wrapper library
.Sp
default: stunnel
.IP "\fBsetgid\fR = groupname (Unix only)" 4
.IX Item "setgid = groupname (Unix only)"
\&\fIsetgid()\fR to groupname in daemon mode and clears all other groups
.IP "\fBsetuid\fR = username (Unix only)" 4
.IX Item "setuid = username (Unix only)"
\&\fIsetuid()\fR to username in daemon mode
.IP "\fBsocket\fR = a|l|r:option=value[:value]" 4
.IX Item "socket = a|l|r:option=value[:value]"
Set an option on accept/local/remote socket
.Sp
The values for linger option are l_onof:l_linger.
The values for time are tv_sec:tv_usec.
.Sp
Examples:
.Sp
.Vb 9
\& socket = l:SO_LINGER=1:60
\& set one minute timeout for closing local socket
\& socket = r:SO_OOBINLINE=yes
\& place out\-of\-band data directly into the
\& receive data stream for remote sockets
\& socket = a:SO_REUSEADDR=no
\& disable address reuse (enabled by default)
\& socket = a:SO_BINDTODEVICE=lo
\& only accept connections on loopback interface
.Ve
.IP "\fBsyslog\fR = yes | no (Unix only)" 4
.IX Item "syslog = yes | no (Unix only)"
enable logging via syslog
.Sp
default: yes
.IP "\fBtaskbar\fR = yes | no (\s-1WIN32\s0 only)" 4
.IX Item "taskbar = yes | no (WIN32 only)"
enable the taskbar icon
.Sp
default: yes
.SS "SERVICE-LEVEL \s-1OPTIONS\s0"
.IX Subsection "SERVICE-LEVEL OPTIONS"
Each configuration section begins with service name in square brackets.
The service name is used for libwrap (\s-1TCP\s0 Wrappers) access control and lets
you distinguish \fBstunnel\fR services in your log files.
.PP
Note that if you wish to run \fBstunnel\fR in \fIinetd\fR mode (where it
is provided a network socket by a server such as \fIinetd\fR, \fIxinetd\fR,
or \fItcpserver\fR) then you should read the section entitled \fI\s-1INETD\s0 \s-1MODE\s0\fR
below.
.IP "\fBaccept\fR = address" 4
.IX Item "accept = address"
accept connections on specified address
.Sp
If no host specified, defaults to all IPv4 addresses for the local host.
.Sp
To listen on all IPv6 addresses use:
.Sp
.Vb 1
\& connect = :::port
.Ve
.IP "\fBCApath\fR = directory" 4
.IX Item "CApath = directory"
Certificate Authority directory
.Sp
This is the directory in which \fBstunnel\fR will look for certificates when using
the \fIverify\fR. Note that the certificates in this directory should be named
\&\s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1DER\s0 encoded subject of the
cert.
.Sp
The hash algorithm has been changed in \fBOpenSSL 1.0.0\fR. It is required to
c_rehash the directory on upgrade from \fBOpenSSL 0.x.x\fR to \fBOpenSSL 1.x.x\fR.
.Sp
\&\fICApath\fR path is relative to \fIchroot\fR directory if specified.
.IP "\fBCAfile\fR = certfile" 4
.IX Item "CAfile = certfile"
Certificate Authority file
.Sp
This file contains multiple \s-1CA\s0 certificates, used with the \fIverify\fR.
.IP "\fBcert\fR = pemfile" 4
.IX Item "cert = pemfile"
certificate chain \s-1PEM\s0 file name
.Sp
A \s-1PEM\s0 is always needed in server mode.
Specifying this flag in client mode will use this certificate chain
as a client side certificate chain. Using client side certs is optional.
The certificates must be in \s-1PEM\s0 format and must be sorted starting with the
certificate to the highest level (root \s-1CA\s0).
.IP "\fBciphers\fR = cipherlist" 4
.IX Item "ciphers = cipherlist"
Select permitted \s-1SSL\s0 ciphers
.Sp
A colon delimited list of the ciphers to allow in the \s-1SSL\s0 connection.
For example \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
.IP "\fBclient\fR = yes | no" 4
.IX Item "client = yes | no"
client mode (remote service uses \s-1SSL\s0)
.Sp
default: no (server mode)
.IP "\fBconnect\fR = address" 4
.IX Item "connect = address"
connect to a remote address
.Sp
If no host is specified, the host defaults to localhost.
.Sp
Multiple \fBconnect\fR options are allowed in a single service section.
.Sp
If host resolves to multiple addresses and/or if multiple \fIconnect\fR
options are specified, then the remote address is chosen using a
round-robin algorithm.
.IP "\fBCRLpath\fR = directory" 4
.IX Item "CRLpath = directory"
Certificate Revocation Lists directory
.Sp
This is the directory in which \fBstunnel\fR will look for CRLs when
using the \fIverify\fR. Note that the CRLs in this directory should
be named \s-1XXXXXXXX\s0.r0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1CRL\s0.
.Sp
The hash algorithm has been changed in \fBOpenSSL 1.0.0\fR. It is required to
c_rehash the directory on upgrade from \fBOpenSSL 0.x.x\fR to \fBOpenSSL 1.x.x\fR.
.Sp
\&\fICRLpath\fR path is relative to \fIchroot\fR directory if specified.
.IP "\fBCRLfile\fR = certfile" 4
.IX Item "CRLfile = certfile"
Certificate Revocation Lists file
.Sp
This file contains multiple CRLs, used with the \fIverify\fR.
.IP "\fBcurve\fR = nid" 4
.IX Item "curve = nid"
specify \s-1ECDH\s0 curve name
.Sp
To get a list of supported cuves use:
.Sp
.Vb 1
\& openssl ecparam \-list_curves
.Ve
.Sp
default: prime256v1
.IP "\fBdelay\fR = yes | no" 4
.IX Item "delay = yes | no"
delay \s-1DNS\s0 lookup for 'connect' option
.Sp
This option is useful for dynamic \s-1DNS\s0, or when \s-1DNS\s0 is not available during
\&\fBstunnel\fR startup (road warrior \s-1VPN\s0, dial-up configurations).
.IP "\fBengineNum\fR = engine number" 4
.IX Item "engineNum = engine number"
select engine number to read private key
.Sp
The engines are numbered starting from 1.
.IP "\fBexec\fR = executable_path" 4
.IX Item "exec = executable_path"
execute local inetd-type program
.Sp
\&\fIexec\fR path is relative to \fIchroot\fR directory if specified.
.ie n .IP "\fBexecargs\fR = $0 $1 $2 ..." 4
.el .IP "\fBexecargs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ..." 4
.IX Item "execargs = $0 $1 $2 ..."
arguments for \fIexec\fR including program name ($0)
.Sp
Quoting is currently not supported.
Arguments are separated with arbitrary number of whitespaces.
.IP "\fBfailover\fR = rr | prio" 4
.IX Item "failover = rr | prio"
Failover strategy for multiple \*(L"connect\*(R" targets.
.Sp
.Vb 2
\& rr (round robin) \- fair load distribution
\& prio (priority) \- use the order specified in config file
.Ve
.Sp
default: rr
.IP "\fBident\fR = username" 4
.IX Item "ident = username"
use \s-1IDENT\s0 (\s-1RFC\s0 1413) username checking
.IP "\fBkey\fR = keyfile" 4
.IX Item "key = keyfile"
private key for certificate specified with \fIcert\fR option
.Sp
Private key is needed to authenticate certificate owner.
Since this file should be kept secret it should only be readable
to its owner. On Unix systems you can use the following command:
.Sp
.Vb 1
\& chmod 600 keyfile
.Ve
.Sp
default: value of \fIcert\fR option
.IP "\fBlibwrap\fR = yes | no" 4
.IX Item "libwrap = yes | no"
Enable or disable the use of /etc/hosts.allow and /etc/hosts.deny.
.Sp
default: yes
.IP "\fBlocal\fR = host" 4
.IX Item "local = host"
\&\s-1IP\s0 of the outgoing interface is used as source for remote connections.
Use this option to bind a static local \s-1IP\s0 address, instead.
.IP "\fBsni\fR = service_name:server_name_pattern (server mode)" 4
.IX Item "sni = service_name:server_name_pattern (server mode)"
Use the service as a slave service (a name-based virtual server) for Server
Name Indication \s-1TLS\s0 extension (\s-1RFC\s0 3546).
.Sp
\&\fIservice_name\fR specifies the master service that accepts client connections
with \fIaccept\fR option. \fIserver_name_pattern\fR specifies the host name to be
redirected. The pattern may start with '*' character, e.g. '*.example.com'.
Multiple slave services are normally specified for a single master service.
\&\fIsni\fR option can also be specified more than once within a single slave
service.
.Sp
This service, as well as the master service, may not be configured in client
mode.
.Sp
\&\fIconnect\fR option of the slave service is ignored when \fIprotocol\fR option is
specified, as \fIprotocol\fR connects remote host before \s-1TLS\s0 handshake.
.Sp
Libwrap checks (Unix only) are performed twice: with master service name after
\&\s-1TCP\s0 connection is accepted, and with slave service name during \s-1TLS\s0 handshake.
.Sp
Option \fIsni\fR is only available when compiled with \fBOpenSSL 1.0.0\fR and later.
.IP "\fBsni\fR = server_name (client mode)" 4
.IX Item "sni = server_name (client mode)"
Use the parameter as the value of \s-1TLS\s0 Server Name Indication (\s-1RFC\s0 3546)
extension.
.Sp
Option \fIsni\fR is only available when compiled with \fBOpenSSL 1.0.0\fR and later.
.IP "\fB\s-1OCSP\s0\fR = url" 4
.IX Item "OCSP = url"
select \s-1OCSP\s0 server for certificate verification
.IP "\fBOCSPflag\fR = flag" 4
.IX Item "OCSPflag = flag"
specify \s-1OCSP\s0 server flag
.Sp
Several \fIOCSPflag\fR can be used to specify multiple flags.
.Sp
currently supported flags: \s-1NOCERTS\s0, \s-1NOINTERN\s0 \s-1NOSIGS\s0, \s-1NOCHAIN\s0, \s-1NOVERIFY\s0,
\&\s-1NOEXPLICIT\s0, \s-1NOCASIGN\s0, \s-1NODELEGATED\s0, \s-1NOCHECKS\s0, \s-1TRUSTOTHER\s0, \s-1RESPID_KEY\s0, \s-1NOTIME\s0
.IP "\fBoptions\fR = SSL_options" 4
.IX Item "options = SSL_options"
\&\fBOpenSSL\fR library options
.Sp
The parameter is the \fBOpenSSL\fR option name as described in the
\&\fI\fISSL_CTX_set_options\fI\|(3ssl)\fR manual, but without \fI\s-1SSL_OP_\s0\fR prefix.
Several \fIoptions\fR can be used to specify multiple options.
.Sp
For example for compatibility with erroneous Eudora \s-1SSL\s0 implementation
the following option can be used:
.Sp
.Vb 1
\& options = DONT_INSERT_EMPTY_FRAGMENTS
.Ve
.IP "\fBprotocol\fR = proto" 4
.IX Item "protocol = proto"
application protocol to negotiate \s-1SSL\s0
.Sp
This option enables initial, protocol-specific negotiation of the \s-1SSL/TLS\s0
encryption.
\&\fIprotocol\fR option should not be used with \s-1SSL\s0 encryption on a separate port.
.Sp
Currently supported protocols:
.RS 4
.IP "\fIcifs\fR" 4
.IX Item "cifs"
Proprietary (undocummented) extension of \s-1CIFS\s0 protocol implemented in Samba.
Support for this extension was dropped in Samba 3.0.0.
.IP "\fIconnect\fR" 4
.IX Item "connect"
Based on \s-1RFC\s0 2817 \- \fIUpgrading to \s-1TLS\s0 Within \s-1HTTP/1\s0.1\fR, section 5.2 \- \fIRequesting a Tunnel with \s-1CONNECT\s0\fR
.Sp
This protocol is only supported in client mode.
.IP "\fIimap\fR" 4
.IX Item "imap"
Based on \s-1RFC\s0 2595 \- \fIUsing \s-1TLS\s0 with \s-1IMAP\s0, \s-1POP3\s0 and \s-1ACAP\s0\fR
.IP "\fInntp\fR" 4
.IX Item "nntp"
Based on \s-1RFC\s0 4642 \- \fIUsing Transport Layer Security (\s-1TLS\s0) with Network News Transfer Protocol (\s-1NNTP\s0)\fR
.Sp
This protocol is only supported in client mode.
.IP "\fIpgsql\fR" 4
.IX Item "pgsql"
Based on http://www.postgresql.org/docs/8.3/static/protocol\-flow.html#AEN73982
.IP "\fIpop3\fR" 4
.IX Item "pop3"
Based on \s-1RFC\s0 2449 \- \fI\s-1POP3\s0 Extension Mechanism\fR
.IP "\fIproxy\fR" 4
.IX Item "proxy"
Haproxy client \s-1IP\s0 address http://haproxy.1wt.eu/download/1.5/doc/proxy\-protocol.txt
.IP "\fIsmtp\fR" 4
.IX Item "smtp"
Based on \s-1RFC\s0 2487 \- \fI\s-1SMTP\s0 Service Extension for Secure \s-1SMTP\s0 over \s-1TLS\s0\fR
.RE
.RS 4
.RE
.IP "\fBprotocolAuthentication\fR = auth_type" 4
.IX Item "protocolAuthentication = auth_type"
authentication type for protocol negotiations
.Sp
currently supported: basic, \s-1NTLM\s0
.Sp
Currently authentication type only applies to the 'connect' protocol.
.Sp
default: basic
.IP "\fBprotocolHost\fR = host:port" 4
.IX Item "protocolHost = host:port"
destination address for protocol negotiations
.Sp
\&\fIprotocolHost\fR specifies the final \s-1SSL\s0 server to be connected by the proxy,
and not the proxy server directly connected by \fBstunnel\fR.
The proxy server should be specified with the 'connect' option.
.Sp
Currently protocol destination address only applies to 'connect' protocol.
.IP "\fBprotocolPassword\fR = password" 4
.IX Item "protocolPassword = password"
password for protocol negotiations
.IP "\fBprotocolUsername\fR = username" 4
.IX Item "protocolUsername = username"
username for protocol negotiations
.IP "\fBpty\fR = yes | no (Unix only)" 4
.IX Item "pty = yes | no (Unix only)"
allocate pseudo terminal for 'exec' option
.IP "\fBrenegotiation\fR = yes | no" 4
.IX Item "renegotiation = yes | no"
support \s-1SSL\s0 renegotiation
.Sp
Applications of the \s-1SSL\s0 renegotiation include some authentication scenarios,
or re-keying long lasting connections.
.Sp
On the other hand this feature can facilitate a trivial CPU-exhaustion
DoS attack:
.Sp
http://vincent.bernat.im/en/blog/2011\-ssl\-dos\-mitigation.html
.Sp
Please note that disabling \s-1SSL\s0 renegotiation does not fully mitigate
this issue.
.Sp
default: yes (if supported by \fBOpenSSL\fR)
.IP "\fBreset\fR = yes | no" 4
.IX Item "reset = yes | no"
attempt to use \s-1TCP\s0 \s-1RST\s0 flag to indicate an error
.Sp
This option is not supported on some platforms.
.Sp
default: yes
.IP "\fBretry\fR = yes | no" 4
.IX Item "retry = yes | no"
reconnect a connect+exec section after it's disconnected
.Sp
default: no
.IP "\fBsessionCacheSize\fR = size" 4
.IX Item "sessionCacheSize = size"
session cache size
.Sp
\&\fIsessionCacheSize\fR specifies the maximum number of the internal session cache
entries.
.Sp
The value of 0 can be used for unlimited size. It is not recommended
for production use due to the risk of memory exhaustion DoS attack.
.IP "\fBsessionCacheTimeout\fR = timeout" 4
.IX Item "sessionCacheTimeout = timeout"
session cache timeout
.Sp
This is the number of seconds to keep cached \s-1SSL\s0 sessions.
.IP "\fBsessiond\fR = host:port" 4
.IX Item "sessiond = host:port"
address of sessiond \s-1SSL\s0 cache server
.IP "\fBsslVersion\fR = version" 4
.IX Item "sslVersion = version"
select version of \s-1SSL\s0 protocol
.Sp
Allowed options: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2
.IP "\fBstack\fR = bytes (except for \s-1FORK\s0 model)" 4
.IX Item "stack = bytes (except for FORK model)"
thread stack size
.IP "\fBTIMEOUTbusy\fR = seconds" 4
.IX Item "TIMEOUTbusy = seconds"
time to wait for expected data
.IP "\fBTIMEOUTclose\fR = seconds" 4
.IX Item "TIMEOUTclose = seconds"
time to wait for close_notify (set to 0 for buggy \s-1MSIE\s0)
.IP "\fBTIMEOUTconnect\fR = seconds" 4
.IX Item "TIMEOUTconnect = seconds"
time to wait to connect a remote host
.IP "\fBTIMEOUTidle\fR = seconds" 4
.IX Item "TIMEOUTidle = seconds"
time to keep an idle connection
.IP "\fBtransparent\fR = none | source | destination | both (Unix only)" 4
.IX Item "transparent = none | source | destination | both (Unix only)"
enable transparent proxy support on selected platforms
.Sp
Supported values:
.RS 4
.IP "\fInone\fR" 4
.IX Item "none"
Disable transparent proxy support. This is the default.
.IP "\fIsource\fR" 4
.IX Item "source"
Re-write address to appear as if wrapped daemon is connecting
from the \s-1SSL\s0 client machine instead of the machine running \fBstunnel\fR.
.Sp
This option is currently available in:
.RS 4
.IP "Remote mode (\fIconnect\fR option) on \fILinux >=2.6.28\fR" 4
.IX Item "Remote mode (connect option) on Linux >=2.6.28"
This configuration requires \fBstunnel\fR to be executed as root and without
\&\fIsetuid\fR option.
.Sp
This configuration requires the following setup for iptables and routing
(possibly in /etc/rc.local or equivalent file):
.Sp
.Vb 7
\& iptables \-t mangle \-N DIVERT
\& iptables \-t mangle \-A PREROUTING \-p tcp \-m socket \-j DIVERT
\& iptables \-t mangle \-A DIVERT \-j MARK \-\-set\-mark 1
\& iptables \-t mangle \-A DIVERT \-j ACCEPT
\& ip rule add fwmark 1 lookup 100
\& ip route add local 0.0.0.0/0 dev lo table 100
\& echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
.Ve
.Sp
\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option.
.IP "Remote mode (\fIconnect\fR option) on \fILinux 2.2.x\fR" 4
.IX Item "Remote mode (connect option) on Linux 2.2.x"
This configuration requires kernel to be compiled with \fItransparent proxy\fR
option.
Connected service must be installed on a separate host.
Routing towards the clients has to go through the \fBstunnel\fR box.
.Sp
\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option.
.IP "Remote mode (\fIconnect\fR option) on \fIFreeBSD >=8.0\fR" 4
.IX Item "Remote mode (connect option) on FreeBSD >=8.0"
This configuration requires additional firewall and routing setup.
\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option.
.IP "Local mode (\fIexec\fR option)" 4
.IX Item "Local mode (exec option)"
This configuration works by pre-loading \fIlibstunnel.so\fR shared library.
_RLD_LIST environment variable is used on Tru64, and \s-1LD_PRELOAD\s0 variable on
other platforms.
.RE
.RS 4
.RE
.IP "\fIdestination\fR" 4
.IX Item "destination"
Original destination is used instead of \fIconnect\fR option.
.Sp
A service section for transparent destination may look like this:
.Sp
.Vb 4
\& [transparent]
\& client=yes
\& accept=<stunnel_port>
\& transparent=destination
.Ve
.Sp
This configuration requires the following setup for iptables
(possibly in /etc/rc.local or equivalent file):
.Sp
.Vb 2
\& /sbin/iptables \-I INPUT \-i eth0 \-p tcp \-\-dport <stunnel_port> \-j ACCEPT
\& /sbin/iptables \-t nat \-I PREROUTING \-i eth0 \-p tcp \-\-dport <redirected_port> \-j DNAT \-\-to\-destination <local_ip>:<stunnel_port>
.Ve
.Sp
Transparent destination option is currently only supported on Linux.
.IP "\fIboth\fR" 4
.IX Item "both"
Use both \fIsource\fR and \fIdestination\fR transparent proxy.
.RE
.RS 4
.Sp
Two legacy options are also supported for backward compatibility:
.IP "\fIyes\fR" 4
.IX Item "yes"
This options has been renamed to \fIsource\fR.
.IP "\fIno\fR" 4
.IX Item "no"
This options has been renamed to \fInone\fR.
.RE
.RS 4
.RE
.IP "\fBverify\fR = level" 4
.IX Item "verify = level"
verify peer certificate
.RS 4
.IP "level 0" 4
.IX Item "level 0"
Request and ignore peer certificate.
.IP "level 1" 4
.IX Item "level 1"
Verify peer certificate if present.
.IP "level 2" 4
.IX Item "level 2"
Verify peer certificate.
.IP "level 3" 4
.IX Item "level 3"
Verify peer with locally installed certificate.
.IP "level 4" 4
.IX Item "level 4"
Ignore \s-1CA\s0 chain and only verify peer certificate.
.IP "default" 4
.IX Item "default"
No verify.
.RE
.RS 4
.Sp
It is important to understand, that this option was solely designed for access
control and not for authorization. Specifically for level 2 every non-revoked
certificate is accepted regardless of its Common Name. For this reason a
dedicated \s-1CA\s0 should be used with level 2, and not a generic \s-1CA\s0 commonly used
for webservers. Level 3 is preferred for point-to-point connections.
.RE
.SH "RETURN VALUE"
.IX Header "RETURN VALUE"
\&\fBstunnel\fR returns zero on success, non-zero on error.
.SH "SIGNALS"
.IX Header "SIGNALS"
The following signals can be used to control \fBstunnel\fR in Unix environment:
.IP "\s-1SIGHUP\s0" 4
.IX Item "SIGHUP"
Force a reload of the configuration file.
.Sp
Some global options will not be reloaded:
.RS 4
.IP "\(bu" 4
chroot
.IP "\(bu" 4
foreground
.IP "\(bu" 4
pid
.IP "\(bu" 4
setgid
.IP "\(bu" 4
setuid
.RE
.RS 4
.Sp
The use of 'setuid' option will also prevent \fBstunnel\fR from binding privileged
(<1024) ports during configuration reloading.
.Sp
When 'chroot' option is used, \fBstunnel\fR will look for all its files (including
configuration file, certificates, log file and pid file) within the chroot
jail.
.RE
.IP "\s-1SIGUSR1\s0" 4
.IX Item "SIGUSR1"
Close and reopen \fBstunnel\fR log file.
This function can be used for log rotation.
.IP "\s-1SIGTERM\s0, \s-1SIGQUIT\s0, \s-1SIGINT\s0" 4
.IX Item "SIGTERM, SIGQUIT, SIGINT"
Shut \fBstunnel\fR down.
.PP
The result of sending any other signals to the server is undefined.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
In order to provide \s-1SSL\s0 encapsulation to your local \fIimapd\fR service, use
.PP
.Vb 4
\& [imapd]
\& accept = 993
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.PP
If you want to provide tunneling to your \fIpppd\fR daemon on port 2020,
use something like
.PP
.Vb 5
\& [vpn]
\& accept = 2020
\& exec = /usr/sbin/pppd
\& execargs = pppd local
\& pty = yes
.Ve
.PP
If you want to use \fBstunnel\fR in \fIinetd\fR mode to launch your imapd
process, you'd use this \fIstunnel.conf\fR.
Note there must be no \fI[service_name]\fR section.
.PP
.Vb 2
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.SH "NOTES"
.IX Header "NOTES"
.SS "\s-1RESTRICTIONS\s0"
.IX Subsection "RESTRICTIONS"
\&\fBstunnel\fR cannot be used for the \s-1FTP\s0 daemon because of the nature
of the \s-1FTP\s0 protocol which utilizes multiple ports for data transfers.
There are available \s-1SSL\s0 enabled versions of \s-1FTP\s0 and telnet daemons, however.
.SS "\s-1INETD\s0 \s-1MODE\s0"
.IX Subsection "INETD MODE"
The most common use of \fBstunnel\fR is to listen on a network
port and establish communication with either a new port
via the connect option, or a new program via the \fIexec\fR option.
However there is a special case when you wish to have
some other program accept incoming connections and
launch \fBstunnel\fR, for example with \fIinetd\fR, \fIxinetd\fR,
or \fItcpserver\fR.
.PP
For example, if you have the following line in \fIinetd.conf\fR:
.PP
.Vb 1
\& imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
.Ve
.PP
In these cases, the \fIinetd\fR\-style program is responsible
for binding a network socket (\fIimaps\fR above) and handing
it to \fBstunnel\fR when a connection is received.
Thus you do not want \fBstunnel\fR to have any \fIaccept\fR option.
All the \fIService Level Options\fR should be placed in the
global options section, and no \fI[service_name]\fR section
will be present. See the \fI\s-1EXAMPLES\s0\fR section for example
configurations.
.SS "\s-1CERTIFICATES\s0"
.IX Subsection "CERTIFICATES"
Each \s-1SSL\s0 enabled daemon needs to present a valid X.509 certificate
to the peer. It also needs a private key to decrypt the incoming
data. The easiest way to obtain a certificate and a key is to
generate them with the free \fBOpenSSL\fR package. You can find more
information on certificates generation on pages listed below.
.PP
The order of contents of the \fI.pem\fR file is important. It should contain the
unencrypted private key first, then a signed certificate (not certificate
request). There should be also empty lines after certificate and private key.
Plaintext certificate information appended on the top of generated certificate
should be discarded. So the file should look like this:
.PP
.Vb 8
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
\& [encoded key]
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
\& [empty line]
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
\& [encoded certificate]
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
\& [empty line]
.Ve
.SS "\s-1RANDOMNESS\s0"
.IX Subsection "RANDOMNESS"
\&\fBstunnel\fR needs to seed the \s-1PRNG\s0 (pseudo random number generator) in
order for \s-1SSL\s0 to use good randomness. The following sources are loaded
in order until sufficient random data has been gathered:
.IP "\(bu" 4
The file specified with the \fIRNDfile\fR flag.
.IP "\(bu" 4
The file specified by the \s-1RANDFILE\s0 environment variable, if set.
.IP "\(bu" 4
The file .rnd in your home directory, if \s-1RANDFILE\s0 not set.
.IP "\(bu" 4
The file specified with '\-\-with\-random' at compile time.
.IP "\(bu" 4
The contents of the screen if running on Windows.
.IP "\(bu" 4
The egd socket specified with the \fI\s-1EGD\s0\fR flag.
.IP "\(bu" 4
The egd socket specified with '\-\-with\-egd\-sock' at compile time.
.IP "\(bu" 4
The /dev/urandom device.
.PP
With recent (\fBOpenSSL 0.9.5a\fR or later) version of \s-1SSL\s0 it will stop loading
random data automatically when sufficient entropy has been gathered. With
previous versions it will continue to gather from all the above sources since
no \s-1SSL\s0 function exists to tell when enough data is available.
.PP
Note that on Windows machines that do not have console user interaction
(mouse movements, creating windows, etc.) the screen contents are not
variable enough to be sufficient, and you should provide a random file
for use with the \fIRNDfile\fR flag.
.PP
Note that the file specified with the \fIRNDfile\fR flag should contain
random data \*(-- that means it should contain different information
each time \fBstunnel\fR is run. This is handled automatically
unless the \fIRNDoverwrite\fR flag is used. If you wish to update this file
manually, the \fIopenssl rand\fR command in recent versions of \fBOpenSSL\fR,
would be useful.
.PP
Important note: If /dev/urandom is available, \fBOpenSSL\fR often seeds the \s-1PRNG\s0
with it while checking the random state. On systems with /dev/urandom
\&\fBOpenSSL\fR is likely to use it even though it is listed at the very bottom of
the list above. This is the behaviour of \fBOpenSSL\fR and not \fBstunnel\fR.
.SS "\s-1DH\s0 \s-1PARAMETERS\s0"
.IX Subsection "DH PARAMETERS"
Stunnel 4.40 and later contains hardcoded 2048\-bit \s-1DH\s0 parameters.
.PP
It is also possible to specify \s-1DH\s0 parameters in the certificate file:
.PP
.Vb 1
\& openssl dhparam 2048 >> stunnel.pem
.Ve
.PP
\&\s-1DH\s0 parameter generation may take several minutes.
.SH "FILES"
.IX Header "FILES"
.IP "\fIstunnel.conf\fR" 4
.IX Item "stunnel.conf"
\&\fBstunnel\fR configuration file
.SH "BUGS"
.IX Header "BUGS"
Option \fIexecargs\fR and Win32 command line does not support quoting.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
.IP "\fItcpd\fR\|(8)" 4
.IX Item "tcpd"
access control facility for internet services
.IP "\fIinetd\fR\|(8)" 4
.IX Item "inetd"
internet 'super\-server'
.IP "\fIhttp://www.stunnel.org/\fR" 4
.IX Item "http://www.stunnel.org/"
\&\fBstunnel\fR homepage
.IP "\fIhttp://www.openssl.org/\fR" 4
.IX Item "http://www.openssl.org/"
\&\fBOpenSSL\fR project website
.SH "AUTHOR"
.IX Header "AUTHOR"
.IP "Michał Trojnara" 4
.IX Item "Michał Trojnara"
<\fIMichal.Trojnara@mirt.net\fR>
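Review bot: the old doc/stunnel.8 removed in this hunk carries documentation defects that should not survive into the generated doc/stunnel.8.in this commit adds in its place (that file's diff is suppressed in this view as too large, so it cannot be checked here): the `accept` entry illustrates listening on all IPv6 addresses with `connect = :::port` where `accept = :::port` is meant, the `sslVersion` entry still lists `SSLv2` and `SSLv3` among the allowed values, and the `engineCtrl`, `curve` and `cifs` texts carry the typos "cryptogaphic", "cuves" and "undocummented". Please confirm the regenerated page has these corrected before the old one is dropped.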

1395
doc/stunnel.8.in Normal file

File diff suppressed because it is too large

View File

@ -1,574 +0,0 @@
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\" ========================================================================
.\"
.IX Title "STUNNEL.FR 8"
.TH STUNNEL.FR 8 "2013.03.19" "4.56" "stunnel"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NOM"
.IX Header "NOM"
stunnel \- tunnel \s-1SSL\s0 universel
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.IP "\fBUnix:\fR" 4
.IX Item "Unix:"
\&\fBstunnel\fR [fichier] | \-fd [n] | \-help | \-version | \-sockets
.IP "\fB\s-1WIN32:\s0\fR" 4
.IX Item "WIN32:"
\&\fBstunnel\fR [fichier] | \-install | \-uninstall | \-help | \-version | \-sockets
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Le programme \fBstunnel\fR est conçu pour fonctionner comme une couche
de chiffrement \fI\s-1SSL\s0\fR entre des clients distants et des serveurs locaux
(\fIinetd\fR\-démarrables) ou distants. Le concept est qu'à partir de daemons
non-SSL présents sur le système, on peut facilement les configurer pour
communiquer avec des clients sur des liens sécurisés \s-1SSL\s0.
.PP
\&\fBstunnel\fR peut être utilisé pour ajouter des fonctionnalités \s-1SSL\s0 à des
daemons classiques \fIInetd\fR tels que les serveurs \s-1POP\-2\s0, \s-1POP\-3\s0 et \s-1IMAP\s0,
à d'autres autonomes tels que \s-1NNTP\s0, \s-1SMTP\s0 et \s-1HTTP\s0, ainsi que pour tunneliser
\&\s-1PPP\s0 sur des sockets réseau sans modification du code source.
.PP
Ce produit inclut du code de chiffrement écrit par
Eric Young (eay@cryptsoft.com)
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB[fichier]\fR" 4
.IX Item "[fichier]"
Utilisation du fichier de configuration spécifié.
.IP "\fB\-fd [n]\fR (Unix seulement)" 4
.IX Item "-fd [n] (Unix seulement)"
Lecture du fichier de configuration depuis le descripteur de
fichier indiqué.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Affiche le menu d'aide de \fBstunnel\fR.
.IP "\fB\-version\fR" 4
.IX Item "-version"
Affiche la version de \fBstunnel\fR et les options de compilation.
.IP "\fB\-sockets\fR" 4
.IX Item "-sockets"
Affiche les options socket par défaut.
.IP "\fB\-install\fR (\s-1NT/2000/XP\s0 seulement)" 4
.IX Item "-install (NT/2000/XP seulement)"
Installe un service \s-1NT\s0.
.IP "\fB\-uninstall\fR (\s-1NT/2000/XP\s0 only)" 4
.IX Item "-uninstall (NT/2000/XP only)"
Désinstalle un service \s-1NT\s0.
.SH "FICHIER DE CONFIGURATION"
.IX Header "FICHIER DE CONFIGURATION"
Chaque ligne du fichier de configuration peut être soit :
.IP "\(bu" 4
une ligne vide (ignorée) ;
.IP "\(bu" 4
un commentaire commençant par « # » (ignoré) ;
.IP "\(bu" 4
une paire « option = valeur » ;
.IP "\(bu" 4
« [service_name] » indiquant le début de la définition d'un service ;
.SS "\s-1OPTIONS\s0 \s-1GLOBALES\s0"
.IX Subsection "OPTIONS GLOBALES"
.IP "\fBCApath\fR = répertoire" 4
.IX Item "CApath = répertoire"
Répertoire des autorités de certification (\s-1CA\s0)
.Sp
C'est le répertoire dans lequel \fBstunnel\fR cherche les certificats si
l'on utilise \fIverify\fR. Les certificats doivent être dénommés selon la
forme \s-1XXXXXXXX\s0.0, où \s-1XXXXXXXX\s0 est la valeur de hachage du certificat.
.Sp
Le cas échéant, le répertoire \fICApath\fR est relatif au répertoire \fIchroot\fR.
.IP "\fBCAfile\fR = fichier" 4
.IX Item "CAfile = fichier"
Fichier d'autorités de certification
.Sp
Ce fichier, utilisé avec \fIverify\fR, contient plusieurs certificats de \s-1CA\s0.
.IP "\fBcert\fR = fichier" 4
.IX Item "cert = fichier"
Fichier de chaîne de certificats \s-1PEM\s0
.Sp
Une \s-1PEM\s0 est toujours nécessaire en mode serveur.
En mode client, cette option utilise cette \s-1PEM\s0 comme une chaîne côté client.
L'utilisation de certificats côté client est optionnelle. Les certificats
doivent être au format \s-1PEM\s0 et triés par ordre de niveau décroissant (\s-1CA\s0 racine
en premier).
.IP "\fBchroot\fR = répertoire (Unix seulement)" 4
.IX Item "chroot = répertoire (Unix seulement)"
Répertoire de chroot du processus \fBstunnel\fR
.Sp
\&\fBchroot\fR enferme \fBstunnel\fR dans une cellule chroot. \fICApath\fR, \fICRLpath\fR, \fIpid\fR
et \fIexec\fR sont situés à l'intérieur de la cellule et les répertoires doivent être
relatifs au répertoire correspondant.
.Sp
Pour que le contrôle de libwrap (wrappeur \s-1TCP\s0) soit effectif dans un environnement
chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et
/etc/hosts.deny).
.IP "\fBciphers\fR = listes de chiffre" 4
.IX Item "ciphers = listes de chiffre"
Sélection des chiffres \s-1SSL\s0 autorisés
.Sp
Liste délimitée par deux-points (« : ») des chiffres autorisés pour la connexion \s-1SSL\s0.
Exemple : \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
.IP "\fBclient\fR = yes | no" 4
.IX Item "client = yes | no"
Mode client (Le service distant utilise \s-1SSL\s0)
.Sp
Par défaut : no (mode server)
.IP "\fBCRLpath\fR = répertoire" 4
.IX Item "CRLpath = répertoire"
Répertoire des listes de révocation de certificats (\s-1CRL\s0)
.Sp
C'est le répertoire dans lequel \fBstunnel\fR recherche les \s-1CRL\s0 avec
l'option \fIverify\fR. Les \s-1CRL\s0 doivent être dénommés selon la
forme \s-1XXXXXXXX\s0.0 où \s-1XXXXXXXX\s0 est la valeur de hachage de la \s-1CRL\s0.
.Sp
Le cas échéant, le répertoire \fICRLpath\fR est relatif au répertoire \fIchroot\fR.
.IP "\fBCRLfile\fR = fichier" 4
.IX Item "CRLfile = fichier"
Fichier de listes de révocation de certificats (\s-1CRL\s0)
.Sp
Ce fichier, utilisé avec \fIverify\fR, contient plusieurs \s-1CRL\s0.
.IP "\fBdebug\fR = [facilité.]niveau" 4
.IX Item "debug = [facilité.]niveau"
niveau de déverminage
.Sp
Le niveau est un nom ou un numéro conforme à ceux de syslog :
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux
numériquement inférieurs seront affichées. \fBdebug = debug\fR ou
\&\fBdebug = 7\fR donneront le maximum d'informations. La valeur par défaut
est notice (5).
.Sp
La facilité syslog « daemon » est utilisée, sauf si un autre nom est spécifié
(Win32 ne permet pas l'usage des facilités.)
.Sp
La casse est ignorée, aussi bien pour la facilité que pour le niveau.
.IP "\fB\s-1EGD\s0\fR = chemin (Unix seulement)" 4
.IX Item "EGD = chemin (Unix seulement)"
Emplacement du socket du daemon de recueil d'entropie (\s-1EGD\s0 \- Entropy Gathering Daemon)
.Sp
Socket \s-1EGD\s0 à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible
seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur).
.IP "\fBforeground\fR = yes | no (Unix seulement)" 4
.IX Item "foreground = yes | no (Unix seulement)"
Mode avant-plan
.Sp
Reste en avant-plan (sans fork) et dirige la trace sur stderr
au lieu de syslog (sauf si \fBoutput\fR est spécifié).
.Sp
Par défault : arrière\-plan en mode daemon.
.IP "\fBkey\fR = fichier" 4
.IX Item "key = fichier"
Fichier de clef privée pour le certificat spécifié par \fIcert\fR
.Sp
La clef privée est nécessaire pour authentifier le titulaire du
certificat.
Puisque ce fichier doit rester secret, il ne doit être lisible que
par son propriétaire. Sur les systèmes Unix, on peut utiliser la
commande suivante :
.Sp
.Vb 1
\& chmod 600 fichier
.Ve
.Sp
Par défault : Valeur de \fIcert\fR
.IP "\fBoptions\fR = Options_SSL" 4
.IX Item "options = Options_SSL"
Options de la bibliothèque OpenSSL
.Sp
Le paramètre est l'option OpenSSL décrite dans la page de man
\&\fI\fISSL_CTX_set_options\fI\|(3ssl)\fR, débarassée du préfixe \fI\s-1SSL_OP_\s0\fR.
Plusieurs \fIoptions\fR peuvent être spécifiées.
.Sp
Par exemple, pour la compatibilité avec l'implantation \s-1SSL\s0 défaillante
d'Eudora, on peut utiliser :
.Sp
.Vb 1
\& options = DONT_INSERT_EMPTY_FRAGMENTS
.Ve
.IP "\fBoutput\fR = fichier" 4
.IX Item "output = fichier"
Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.
.Sp
/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard
(par exemple pour les traiter avec les outils splogger).
.IP "\fBpid\fR = fichier (Unix seulement)" 4
.IX Item "pid = fichier (Unix seulement)"
Emplacement du fichier pid
.Sp
Si l'argument est vide, aucun fichier ne sera créé.
.Sp
Le cas échéant, le chemin \fIpid\fR est relatif au répertoire \fIchroot\fR.
.IP "\fBRNDbytes\fR = nombre" 4
.IX Item "RNDbytes = nombre"
Nombre d'octets à lire depuis les fichiers de « sel » aléatoire
.Sp
Avec les \s-1SSL\s0 de version inférieure à 0.9.5a, détermine aussi le nombre
d'octets considérés comme suffisants pour « saler » le \s-1PRNG\s0. Les versions plus
récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire
est suffisant.
.IP "\fBRNDfile\fR = fichier" 4
.IX Item "RNDfile = fichier"
chemin du fichier de données de « sel » aléatoire
.Sp
La bibliothèque \s-1SSL\s0 utilise prioritairement les données de ce fichier pour
« saler » le générateur d'aléatoire.
.IP "\fBRNDoverwrite\fR = yes | no" 4
.IX Item "RNDoverwrite = yes | no"
Recouvre les fichiers de « sel » avec de nouvelles données aléatoires.
.Sp
Par défaut : yes
.IP "\fBservice\fR = nom" 4
.IX Item "service = nom"
Définit le nom de service à utiliser
.Sp
\&\fBSous Unix :\fR nom de service du mode \fIinetd\fR pour la bibliothèque \s-1TCP\s0 Wrapper.
.Sp
Par défaut : stunnel
.IP "\fBsession\fR = timeout" 4
.IX Item "session = timeout"
Timeout du cache de session
.IP "\fBsetgid\fR = nom (Unix seulement)" 4
.IX Item "setgid = nom (Unix seulement)"
Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)
.IP "\fBsetuid\fR = nom (Unix seulement)" 4
.IX Item "setuid = nom (Unix seulement)"
Nom d'utilisateur utilisé en mode daemon
.IP "\fBsocket\fR = a|l|r:option=valeur[:valeur]" 4
.IX Item "socket = a|l|r:option=valeur[:valeur]"
Configure une option de socket accept (a), locale (l) ou distante (r)
.Sp
Les valeurs de l'option linger sont : l_onof:l_linger.
Les valeurs de l'option time sont : tv_sec:tv_usec.
.Sp
Exemples :
.Sp
.Vb 9
\& socket = l:SO_LINGER=1:60
\& définit un délai d\*(Aqune minute pour la clôture des sockets locaux
\& socket = r:SO_OOBINLINE=yes
\& Place directement les données hors\-bande dans le flux de réception
\& des sockets distants
\& socket = a:SO_REUSEADDR=no
\& désactive la réutilisation d\*(Aqadresses (activée par défaut)
\& socket = a:SO_BINDTODEVICE=lo
\& limite l\*(Aqacceptation des connexions sur la seule interface de bouclage
.Ve
.IP "\fBtaskbar\fR = yes | no (\s-1WIN32\s0 seulement)" 4
.IX Item "taskbar = yes | no (WIN32 seulement)"
active l'icône de la barre de tâches
.Sp
Par défaut : yes
.IP "\fBverify\fR = niveau" 4
.IX Item "verify = niveau"
Vérifie le certificat du correspondant
.Sp
.Vb 3
\& niveau 1 \- vérifie le certificat s\*(Aqil est présent
\& niveau 2 \- vérifie le certificat
\& niveau 3 \- contrôle le correspondant avec le certificat local
.Ve
.Sp
Par défaut \- pas de vérification
.SS "\s-1OPTIONS\s0 \s-1DE\s0 \s-1SERVICE\s0"
.IX Subsection "OPTIONS DE SERVICE"
Chaque section de configuration commence par le nom du service entre crochets.
Celui-ci est utilisé par le contrôle d'accès de libwrap (\s-1TCP\s0 Wrappers) et sert
à distinguer les services \fBstunnel\fR dans les fichiers de traces.
.PP
Si l'on souhaite utiliser \fBstunnel\fR en mode \fIinetd\fR (lorsqu'un socket lui est
fourni par un serveur comme \fIinetd\fR, \fIxinetd\fR ou \fItcpserver\fR), il faut se
reporter à la section \fI\s-1MODE\s0 \s-1INETD\s0\fR plus bas.
.IP "\fBaccept\fR = [hôte:]port" 4
.IX Item "accept = [hôte:]port"
Accepte des connexions sur le port spécifié
.Sp
Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses \s-1IP\s0 de
la machine locale.
.IP "\fBconnect\fR = [hôte:]port" 4
.IX Item "connect = [hôte:]port"
Se connecte au port distant indiqué
.Sp
Par défaut, l'hôte est localhost.
.IP "\fBdelay\fR = yes | no" 4
.IX Item "delay = yes | no"
Retarde la recherche \s-1DNS\s0 pour l'option « connect »
.IP "\fBexec\fR = chemin_exécutable (Unix seulement)" 4
.IX Item "exec = chemin_exécutable (Unix seulement)"
Exécute un programme local de type inetd
.Sp
Le cas échéant, le chemin \fIexec\fR est relatif au répertoire \fIchroot\fR.
.ie n .IP "\fBexecargs\fR = $0 $1 $2 ... (Unix seulement)" 4
.el .IP "\fBexecargs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ... (Unix seulement)" 4
.IX Item "execargs = $0 $1 $2 ... (Unix seulement)"
Arguments pour \fIexec\fR, y compris le nom du programme ($0)
.Sp
Les quotes ne peuvent actuellement pas être utilisées.
Les arguments sont séparés par un nombre quelconque d'espaces.
.IP "\fBident\fR = nom" 4
.IX Item "ident = nom"
Applique le contrôle d'identité d'utilisateur \s-1IDENT\s0 (\s-1RFC\s0 1413)
.IP "\fBlocal\fR = hôte" 4
.IX Item "local = hôte"
Adresse \s-1IP\s0 de l'interface de sortie utilisée pour les connexions distantes.
Cette option permet de relier une adresse statique locale.
.IP "\fBprotocol\fR = protocole" 4
.IX Item "protocol = protocole"
Négocie avec \s-1SSL\s0 selon le protocole indiqué
.Sp
Actuellement gérés : cifs, nntp, pop3, smtp
.IP "\fBpty\fR = yes | no (Unix seulement)" 4
.IX Item "pty = yes | no (Unix seulement)"
Alloue un pseudo-terminal pour l'option « exec »
.IP "\fBTIMEOUTbusy\fR = secondes" 4
.IX Item "TIMEOUTbusy = secondes"
Durée d'attente de données
.IP "\fBTIMEOUTclose\fR = secondes" 4
.IX Item "TIMEOUTclose = secondes"
Durée d'attente du close_notify (mis à 0 pour \s-1MSIE\s0 qui est bogué)
.IP "\fBTIMEOUTidle\fR = secondes" 4
.IX Item "TIMEOUTidle = secondes"
Durée d'attente sur une connexion inactive
.IP "\fBtransparent\fR = yes | no (Unix seulement)" 4
.IX Item "transparent = yes | no (Unix seulement)"
Mode mandataire transparent
.Sp
\-écrit les adresses pour qu'elles apparaissent provenir de la
machine client \s-1SSL\s0 plutôt que de celle qui exécute \fBstunnel\fR.
Cette option n'est disponible en mode local (option \fIexec\fR) qu'avec
la bibliothèque partagée LD_PRELOADing env.so shared library et en mode
distant (option \fIconnect\fR) sur les noyaux Linux 2.2 compilés avec
l'option \fItransparent proxy\fR et seulement en mode serveur. Cette
option ne se combine pas au mode mandataire (\fIconnect\fR) sauf si la
route par défaut du client vers la cible passe par l'hôte qui fait
tourner \fBstunnel\fR, qui ne peut être localhost.
.SH "VALEUR DE RETOUR"
.IX Header "VALEUR DE RETOUR"
\&\fBstunnel\fR renvoie zéro en cas de succès, une autre valeur en cas d'erreur.
.SH "EXEMPLES"
.IX Header "EXEMPLES"
Pour encapsuler votre service \fIimapd\fR local avec \s-1SSL\s0 :
.PP
.Vb 4
\& [imapd]
\& accept = 993
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.PP
Pour tunneliser un daemon \fIpppd\fR sur le port 2020 :
.PP
.Vb 5
\& [vpn]
\& accept = 2020
\& exec = /usr/sbin/pppd
\& execargs = pppd local
\& pty = yes
.Ve
.PP
Configuration de \fIstunnel.conf\fR pour utiliser \fBstunnel\fR en mode \fIinetd\fR
qui lance imapd à son tour (il ne doit pas y avoir de section \fI[service_name]\fR) :
.PP
.Vb 2
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.SH "FICHIERS"
.IX Header "FICHIERS"
.IP "\fIstunnel.conf\fR" 4
.IX Item "stunnel.conf"
Fichier de configuration de \fBstunnel\fR
.IP "\fIstunnel.pem\fR" 4
.IX Item "stunnel.pem"
Certificat et clef privée de \fBstunnel\fR
.SH "BOGUES"
.IX Header "BOGUES"
L'option \fIexecargs\fR n'admet pas les quotes.
.SH "RESTRICTIONS"
.IX Header "RESTRICTIONS"
\&\fBstunnel\fR ne peut être utilisé pour le daemon \s-1FTP\s0 en raison de la nature
du protocole \s-1FTP\s0 qui utilise des ports multiples pour les transferts de données.
Il existe cependant des versions \s-1SSL\s0 de \s-1FTP\s0 et de telnet.
.SH "NOTES"
.IX Header "NOTES"
.SS "\s-1MODE\s0 \s-1INETD\s0"
.IX Subsection "MODE INETD"
L'utilisation la plus commune de \fBstunnel\fR consiste à écouter un port
réseau et à établir une communication, soit avec un nouveau port
avec l'option \fIconnect\fR, soit avec un programme avec l'option \fIexec\fR.
On peut parfois cependant souhaiter qu'un autre programme reçoive les
connexions entrantes et lance \fBstunnel\fR, par exemple avec \fIinetd\fR,
\&\fIxinetd\fR ou \fItcpserver\fR.
.PP
Si, par exemple, la ligne suivante se trouve dans \fIinetd.conf\fR :
.PP
.Vb 1
\& imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
.Ve
.PP
Dans ces cas, c'est le programme du genre \fIinetd\fR\-style qui est
responsable de l'établissement de la connexion (\fIimaps\fR ci-dessus) et de passer
celle-ci à \fBstunnel\fR.
Ainsi, \fBstunnel\fR ne doit alors avoir aucune option \fIaccept\fR.
Toutes les \fIoptions de niveau service\fR doivent être placées dans
la section des options globales et aucune section \fI[service_name]\fR ne doit
être présente. Voir la section \fI\s-1EXEMPLES\s0\fR pour des exemples de configurations.
.SS "\s-1CERTIFICATS\s0"
.IX Subsection "CERTIFICATS"
Chaque daemon à propriétés \s-1SSL\s0 doit présenter un certificat X.509
valide à son interlocuteur. Il a aussi besoin d'une clef privé pour
déchiffrer les données entrantes. La méthode la plus simple pour
obtenir un certificat et une clef est d'engendrer celles-ci avec
le paquetage libre \fIOpenSSL\fR. Plus d'informations sur la génération de
certificats se trouvent dans les pages indiquées plus bas.
.PP
Deux choses importantes lors de la génération de paires certificat-clef
pour \fBstunnel\fR :
.IP "\(bu" 4
la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen
d'obtenir le mot de passe de l'utilisateur ; pour produire une clef non chiffrée,
ajouter l'option \fI\-nodes\fR à la commande \fBreq\fR de \fIOpenSSL\fR ;
.IP "\(bu" 4
l'ordre du contenu du fichier \fI.pem\fR est significatif : il doit contenir d'abord
une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat).
Il doit aussi y avoir des lignes vides après le certificat et après la clef privée.
L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que
le fichier ait l'allure suivante :
.Sp
.Vb 8
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
\& [clef encodée]
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
\& [ligne vide]
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
\& [certificat encodé]
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
\& [ligne vide]
.Ve
.SS "\s-1ALEATOIRE\s0"
.IX Subsection "ALEATOIRE"
\&\fBstunnel\fR doit « saler » le générateur de pseudo\-aléatoires \s-1PRNG\s0 (pseudo random
number generator) afin que \s-1SSL\s0 utilise un aléatoire de qualité. Les sources suivantes
sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lue :
.IP "\(bu" 4
le fichier spécifié par \fIRNDfile\fR ;
.IP "\(bu" 4
le fichier spécifié par la variable d'environnement \s-1RANDFILE\s0, à défaut
le fichier .rnd du répertoire \f(CW$HOME\fR de l'utilisateur ;
.IP "\(bu" 4
le fichier spécifié par « \-\-with\-random » lors de la compilation ;
.IP "\(bu" 4
le contenu de l'écran (MS-Windows seulement) ;
.IP "\(bu" 4
le socket \s-1EGD\s0 spécifié par \fI\s-1EGD\s0\fR ;
.IP "\(bu" 4
le socket \s-1EGD\s0 spécifié par « \-\-with\-egd\-sock » lors de la compilation ;
.IP "\(bu" 4
le périphérique /dev/urandom.
.PP
Avec un OpenSSL récent (>=OpenSSL 0.9.5a) le chargement de données s'arrête
automatiquement lorsqu'un niveau d'entropie suffisant est atteint.
Les versions précédentes continuent à lire toutes les sources puisqu'aucune
fonction \s-1SSL\s0 ne leur permet de savoir que suffisamment de données sont disponibles.
.PP
Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console,
(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est
pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire
par le biais de \fIRNDfile\fR.
.PP
Le fichier spécifié par \fIRNDfile\fR doit contenir des informations aléatoires \*(--
c'est\-à\-dire des informations différentes à chaque lancement de \fBstunnel\fR.
Cela est géré automatiquement sauf si l'option \fIRNDoverwrite\fR est utilisée.
Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la
commande \fIopenssl rand\fR des versions récentes d'OpenSSL sera sans doute utile.
.PP
Note importante : si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser
celui-ci pour « saler » le \s-1PRNG\s0 même lorsqu'il contrôle l'état de l'aléatoire ;
ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable
qu'il soit utilisé s'il est présent.
Ce n'est pas le comportement de \fBstunnel\fR, c'est celui d'OpenSSL.
.SH "VOIR AUSSI"
.IX Header "VOIR AUSSI"
.IP "\fItcpd\fR\|(8)" 4
.IX Item "tcpd"
Service de contrôle d'accès pour les services internet
.IP "\fIinetd\fR\|(8)" 4
.IX Item "inetd"
« super-serveur » internet
.IP "\fIhttp://www.stunnel.org/\fR" 4
.IX Item "http://www.stunnel.org/"
Page de référence de \fBstunnel\fR
.IP "\fIhttp://www.openssl.org/\fR" 4
.IX Item "http://www.openssl.org/"
Site web du projet OpenSSL
.SH "AUTEUR"
.IX Header "AUTEUR"
.IP "Michał Trojnara" 4
.IX Item "Michał Trojnara"
<\fIMichal.Trojnara@mirt.net\fR>
.SH "ADAPTATION FRANÇAISE"
.IX Header "ADAPTATION FRANÇAISE"
.IP "Bernard Choppy" 4
.IX Item "Bernard Choppy"
<\fIchoppy \s-1AT\s0 free \s-1POINT\s0 fr\fR>
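Review bot: Removing this French stunnel.8 translation outright is preferable to carrying it, because the deleted text gives guidance that no longer matches the 5.42 code base this patch imports and that is weaker than what an operator should be told today: `options = DONT_INSERT_EMPTY_FRAGMENTS` offered as a compatibility recipe for Eudora (that option disables OpenSSL's CBC empty-fragment countermeasure), `verify` documented with only levels 1 to 3 and no peer verification by default, `TIMEOUTclose` set to 0 to accommodate MSIE, a `ciphers` example of `DES-CBC3-SHA:IDEA-CBC-MD5`, and the `transparent` and entropy sections written for Linux 2.2 kernels and OpenSSL 0.9.5a. Two things to check alongside the deletion: that the Debian packaging no longer lists the French page in its manpage install list (otherwise the build breaks on the missing file), and that the changelog records the translation as dropped because it was outdated, so readers of the French page know to switch to the English stunnel.8.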

View File

@ -1,670 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>stunnel.8</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:root@localhost" />
</head>
<body style="background-color: white">
<!-- INDEX BEGIN -->
<div name="index">
<p><a name="__index__"></a></p>
<!--
<ul>
<li><a href="#nom">NOM</a></li>
<li><a href="#synopsis">SYNOPSIS</a></li>
<li><a href="#description">DESCRIPTION</a></li>
<li><a href="#options">OPTIONS</a></li>
<li><a href="#fichier_de_configuration">FICHIER DE CONFIGURATION</a></li>
<ul>
<li><a href="#options_globales">OPTIONS GLOBALES</a></li>
<li><a href="#options_de_service">OPTIONS DE SERVICE</a></li>
</ul>
<li><a href="#valeur_de_retour">VALEUR DE RETOUR</a></li>
<li><a href="#exemples">EXEMPLES</a></li>
<li><a href="#fichiers">FICHIERS</a></li>
<li><a href="#bogues">BOGUES</a></li>
<li><a href="#restrictions">RESTRICTIONS</a></li>
<li><a href="#notes">NOTES</a></li>
<ul>
<li><a href="#mode_inetd">MODE INETD</a></li>
<li><a href="#certificats">CERTIFICATS</a></li>
<li><a href="#aleatoire">ALEATOIRE</a></li>
</ul>
<li><a href="#voir_aussi">VOIR AUSSI</a></li>
<li><a href="#auteur">AUTEUR</a></li>
<li><a href="#adaptation_fran__aise">ADAPTATION FRANÇAISE</a></li>
</ul>
-->
</div>
<!-- INDEX END -->
<p>
</p>
<h1><a name="nom">NOM</a></h1>
<p>stunnel - tunnel SSL universel</p>
<p>
</p>
<hr />
<h1><a name="synopsis">SYNOPSIS</a></h1>
<dl>
<dt><strong><a name="unix" class="item"><strong>Unix:</strong></a></strong></dt>
<dd>
<p><strong>stunnel</strong> [fichier] | -fd&nbsp;[n] | -help | -version | -sockets</p>
</dd>
<dt><strong><a name="win32" class="item"><strong>WIN32:</strong></a></strong></dt>
<dd>
<p><strong>stunnel</strong> [fichier] | -install | -uninstall | -help | -version | -sockets</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="description">DESCRIPTION</a></h1>
<p>Le programme <strong>stunnel</strong> est conçu pour fonctionner comme une couche
de chiffrement <em>SSL</em> entre des clients distants et des serveurs locaux
(<em>inetd</em>-démarrables) ou distants. Le concept est qu'à partir de daemons
non-SSL présents sur le système, on peut facilement les configurer pour
communiquer avec des clients sur des liens sécurisés SSL.</p>
<p><strong>stunnel</strong> peut être utilisé pour ajouter des fonctionnalités SSL à des
daemons classiques <em>Inetd</em> tels que les serveurs POP-2, POP-3 et IMAP,
à d'autres autonomes tels que NNTP, SMTP et HTTP, ainsi que pour tunneliser
PPP sur des sockets réseau sans modification du code source.</p>
<p>Ce produit inclut du code de chiffrement écrit par
Eric Young (<a href="mailto:eay@cryptsoft.com">eay@cryptsoft.com</a>)</p>
<p>
</p>
<hr />
<h1><a name="options">OPTIONS</a></h1>
<dl>
<dt><strong><a name="fichier" class="item"><strong>[fichier]</strong></a></strong></dt>
<dd>
<p>Utilisation du fichier de configuration spécifié.</p>
</dd>
<dt><strong><a name="fd_n_unix_seulement" class="item"><strong>-fd [n]</strong> (Unix seulement)</a></strong></dt>
<dd>
<p>Lecture du fichier de configuration depuis le descripteur de
fichier indiqué.</p>
</dd>
<dt><strong><a name="help" class="item"><strong>-help</strong></a></strong></dt>
<dd>
<p>Affiche le menu d'aide de <strong>stunnel</strong>.</p>
</dd>
<dt><strong><a name="version" class="item"><strong>-version</strong></a></strong></dt>
<dd>
<p>Affiche la version de <strong>stunnel</strong> et les options de compilation.</p>
</dd>
<dt><strong><a name="sockets" class="item"><strong>-sockets</strong></a></strong></dt>
<dd>
<p>Affiche les options socket par défaut.</p>
</dd>
<dt><strong><a name="install" class="item"><strong>-install</strong> (NT/2000/XP seulement)</a></strong></dt>
<dd>
<p>Installe un service NT.</p>
</dd>
<dt><strong><a name="uninstall" class="item"><strong>-uninstall</strong> (NT/2000/XP only)</a></strong></dt>
<dd>
<p>Désinstalle un service NT.</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="fichier_de_configuration">FICHIER DE CONFIGURATION</a></h1>
<p>Chaque ligne du fichier de configuration peut être soit&nbsp;:</p>
<ul>
<li>
<p>une ligne vide (ignorée)&nbsp;;</p>
</li>
<li>
<p>un commentaire commençant par «&nbsp;#&nbsp;» (ignoré)&nbsp;;</p>
</li>
<li>
<p>une paire «&nbsp;option = valeur&nbsp;»&nbsp;;</p>
</li>
<li>
<p>«&nbsp;[service_name]&nbsp;» indiquant le début de la définition d'un service&nbsp;;</p>
</li>
</ul>
<p>
</p>
<h2><a name="options_globales">OPTIONS GLOBALES</a></h2>
<dl>
<dt><strong><a name="capath_r_pertoire" class="item"><strong>CApath</strong> = répertoire</a></strong></dt>
<dd>
<p>Répertoire des autorités de certification (CA)</p>
<p>C'est le répertoire dans lequel <strong>stunnel</strong> cherche les certificats si
l'on utilise <em>verify</em>. Les certificats doivent être dénommés selon la
forme XXXXXXXX.0, où XXXXXXXX est la valeur de hachage du certificat.</p>
<p>Le cas échéant, le répertoire <em>CApath</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<dt><strong><a name="cafile_fichier" class="item"><strong>CAfile</strong> = fichier</a></strong></dt>
<dd>
<p>Fichier d'autorités de certification</p>
<p>Ce fichier, utilisé avec <em>verify</em>, contient plusieurs certificats de CA.</p>
</dd>
<dt><strong><a name="cert_fichier" class="item"><strong>cert</strong> = fichier</a></strong></dt>
<dd>
<p>Fichier de chaîne de certificats PEM</p>
<p>Une PEM est toujours nécessaire en mode serveur.
En mode client, cette option utilise cette PEM comme une chaîne côté client.
L'utilisation de certificats côté client est optionnelle. Les certificats
doivent être au format PEM et triés par ordre de niveau décroissant (CA racine
en premier).</p>
</dd>
<dt><strong><a name="pertoire" class="item"><strong>chroot</strong> = répertoire (Unix seulement)</a></strong></dt>
<dd>
<p>Répertoire de chroot du processus <strong>stunnel</strong></p>
<p><strong>chroot</strong> enferme <strong>stunnel</strong> dans une cellule chroot. <em>CApath</em>, <em>CRLpath</em>, <em>pid</em>
et <em>exec</em> sont situés à l'intérieur de la cellule et les répertoires doivent être
relatifs au répertoire correspondant.</p>
<p>Pour que le contrôle de libwrap (wrappeur TCP) soit effectif dans un environnement
chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et
/etc/hosts.deny).</p>
</dd>
<dt><strong><a name="ciphers_listes_de_chiffre" class="item"><strong>ciphers</strong> = listes de chiffre</a></strong></dt>
<dd>
<p>Sélection des chiffres SSL autorisés</p>
<p>Liste délimitée par deux-points («&nbsp;:&nbsp;») des chiffres autorisés pour la connexion SSL.
Exemple&nbsp;: DES-CBC3-SHA:IDEA-CBC-MD5</p>
</dd>
<dt><strong><a name="client_yes_no" class="item"><strong>client</strong> = yes | no</a></strong></dt>
<dd>
<p>Mode client (Le service distant utilise SSL)</p>
<p>Par défaut&nbsp;: no (mode server)</p>
</dd>
<dt><strong><a name="crlpath_r_pertoire" class="item"><strong>CRLpath</strong> = répertoire</a></strong></dt>
<dd>
<p>Répertoire des listes de révocation de certificats (CRL)</p>
<p>C'est le répertoire dans lequel <strong>stunnel</strong> recherche les CRL avec
l'option <em>verify</em>. Les CRL doivent être dénommés selon la
forme XXXXXXXX.0 où XXXXXXXX est la valeur de hachage de la CRL.</p>
<p>Le cas échéant, le répertoire <em>CRLpath</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<dt><strong><a name="crlfile_fichier" class="item"><strong>CRLfile</strong> = fichier</a></strong></dt>
<dd>
<p>Fichier de listes de révocation de certificats (CRL)</p>
<p>Ce fichier, utilisé avec <em>verify</em>, contient plusieurs CRL.</p>
</dd>
<dt><strong><a name="debug_facilit_niveau" class="item"><strong>debug</strong> = [facilité.]niveau</a></strong></dt>
<dd>
<p>niveau de déverminage</p>
<p>Le niveau est un nom ou un numéro conforme à ceux de syslog&nbsp;:
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux
numériquement inférieurs seront affichées. <strong>debug = debug</strong> ou
<strong>debug = 7</strong> donneront le maximum d'informations. La valeur par défaut
est notice (5).</p>
<p>La facilité syslog «&nbsp;daemon&nbsp;» est utilisée, sauf si un autre nom est spécifié
(Win32 ne permet pas l'usage des facilités.)</p>
<p>La casse est ignorée, aussi bien pour la facilité que pour le niveau.</p>
</dd>
<dt><strong><a name="chemin" class="item"><strong>EGD</strong> = chemin (Unix seulement)</a></strong></dt>
<dd>
<p>Emplacement du socket du daemon de recueil d'entropie (EGD - Entropy Gathering Daemon)</p>
<p>Socket EGD à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible
seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur).</p>
</dd>
<dt><strong><a name="no" class="item"><strong>foreground</strong> = yes | no (Unix seulement)</a></strong></dt>
<dd>
<p>Mode avant-plan</p>
<p>Reste en avant-plan (sans fork) et dirige la trace sur stderr
au lieu de syslog (sauf si <strong>output</strong> est spécifié).</p>
<p>Par défault&nbsp;: arrière-plan en mode daemon.</p>
</dd>
<dt><strong><a name="key_fichier" class="item"><strong>key</strong> = fichier</a></strong></dt>
<dd>
<p>Fichier de clef privée pour le certificat spécifié par <em>cert</em></p>
<p>La clef privée est nécessaire pour authentifier le titulaire du
certificat.
Puisque ce fichier doit rester secret, il ne doit être lisible que
par son propriétaire. Sur les systèmes Unix, on peut utiliser la
commande suivante&nbsp;:</p>
<pre>
chmod 600 fichier</pre>
<p>Par défault&nbsp;: Valeur de <em>cert</em></p>
</dd>
<dt><strong><a name="options_options_ssl" class="item"><strong>options</strong> = Options_SSL</a></strong></dt>
<dd>
<p>Options de la bibliothèque OpenSSL</p>
<p>Le paramètre est l'option OpenSSL décrite dans la page de man
<em>SSL_CTX_set_options(3ssl)</em>, débarassée du préfixe <em>SSL_OP_</em>.
Plusieurs <em>options</em> peuvent être spécifiées.</p>
<p>Par exemple, pour la compatibilité avec l'implantation SSL défaillante
d'Eudora, on peut utiliser&nbsp;:</p>
<pre>
options = DONT_INSERT_EMPTY_FRAGMENTS</pre>
</dd>
<dt><strong><a name="output_fichier" class="item"><strong>output</strong> = fichier</a></strong></dt>
<dd>
<p>Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.</p>
<p>/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard
(par exemple pour les traiter avec les outils splogger).</p>
</dd>
<dt><strong><strong>pid</strong> = fichier (Unix seulement)</strong></dt>
<dd>
<p>Emplacement du fichier pid</p>
<p>Si l'argument est vide, aucun fichier ne sera créé.</p>
<p>Le cas échéant, le chemin <em>pid</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<dt><strong><a name="rndbytes_nombre" class="item"><strong>RNDbytes</strong> = nombre</a></strong></dt>
<dd>
<p>Nombre d'octets à lire depuis les fichiers de «&nbsp;sel&nbsp;» aléatoire</p>
<p>Avec les SSL de version inférieure à 0.9.5a, détermine aussi le nombre
d'octets considérés comme suffisants pour «&nbsp;saler&nbsp;» le PRNG. Les versions plus
récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire
est suffisant.</p>
</dd>
<dt><strong><a name="rndfile_fichier" class="item"><strong>RNDfile</strong> = fichier</a></strong></dt>
<dd>
<p>chemin du fichier de données de «&nbsp;sel&nbsp;» aléatoire</p>
<p>La bibliothèque SSL utilise prioritairement les données de ce fichier pour
«&nbsp;saler&nbsp;» le générateur d'aléatoire.</p>
</dd>
<dt><strong><a name="rndoverwrite_yes_no" class="item"><strong>RNDoverwrite</strong> = yes | no</a></strong></dt>
<dd>
<p>Recouvre les fichiers de «&nbsp;sel&nbsp;» avec de nouvelles données aléatoires.</p>
<p>Par défaut&nbsp;: yes</p>
</dd>
<dt><strong><a name="service_nom" class="item"><strong>service</strong> = nom</a></strong></dt>
<dd>
<p>Définit le nom de service à utiliser</p>
<p><strong>Sous Unix&nbsp;:</strong> nom de service du mode <em>inetd</em> pour la bibliothèque TCP Wrapper.</p>
<p>Par défaut&nbsp;: stunnel</p>
</dd>
<dt><strong><a name="session_timeout" class="item"><strong>session</strong> = timeout</a></strong></dt>
<dd>
<p>Timeout du cache de session</p>
</dd>
<dt><strong><a name="nom" class="item"><strong>setgid</strong> = nom (Unix seulement)</a></strong></dt>
<dd>
<p>Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)</p>
</dd>
<dt><strong><strong>setuid</strong> = nom (Unix seulement)</strong></dt>
<dd>
<p>Nom d'utilisateur utilisé en mode daemon</p>
</dd>
<dt><strong><a name="socket_a_l_r_option_valeur_valeur" class="item"><strong>socket</strong> = a|l|r:option=valeur[:valeur]</a></strong></dt>
<dd>
<p>Configure une option de socket accept (a), locale (l) ou distante (r)</p>
<p>Les valeurs de l'option linger sont&nbsp;: l_onof:l_linger.
Les valeurs de l'option time sont&nbsp;: tv_sec:tv_usec.</p>
<p>Exemples&nbsp;:</p>
<pre>
socket = l:SO_LINGER=1:60
définit un délai d'une minute pour la clôture des sockets locaux
socket = r:SO_OOBINLINE=yes
Place directement les données hors-bande dans le flux de réception
des sockets distants
socket = a:SO_REUSEADDR=no
désactive la réutilisation d'adresses (activée par défaut)
socket = a:SO_BINDTODEVICE=lo
limite l'acceptation des connexions sur la seule interface de bouclage</pre>
</dd>
<dt><strong><strong>taskbar</strong> = yes | no (WIN32 seulement)</strong></dt>
<dd>
<p>active l'icône de la barre de tâches</p>
<p>Par défaut&nbsp;: yes</p>
</dd>
<dt><strong><a name="verify_niveau" class="item"><strong>verify</strong> = niveau</a></strong></dt>
<dd>
<p>Vérifie le certificat du correspondant</p>
<pre>
niveau 1 - vérifie le certificat s'il est présent
niveau 2 - vérifie le certificat
niveau 3 - contrôle le correspondant avec le certificat local</pre>
<p>Par défaut - pas de vérification</p>
</dd>
</dl>
<p>
</p>
<h2><a name="options_de_service">OPTIONS DE SERVICE</a></h2>
<p>Chaque section de configuration commence par le nom du service entre crochets.
Celui-ci est utilisé par le contrôle d'accès de libwrap (TCP Wrappers) et sert
à distinguer les services <strong>stunnel</strong> dans les fichiers de traces.</p>
<p>Si l'on souhaite utiliser <strong>stunnel</strong> en mode <em>inetd</em> (lorsqu'un socket lui est
fourni par un serveur comme <em>inetd</em>, <em>xinetd</em> ou <em>tcpserver</em>), il faut se
reporter à la section <em>MODE INETD</em> plus bas.</p>
<dl>
<dt><strong><a name="accept_h_te_port" class="item"><strong>accept</strong> = [hôte:]port</a></strong></dt>
<dd>
<p>Accepte des connexions sur le port spécifié</p>
<p>Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses IP de
la machine locale.</p>
</dd>
<dt><strong><a name="connect_h_te_port" class="item"><strong>connect</strong> = [hôte:]port</a></strong></dt>
<dd>
<p>Se connecte au port distant indiqué</p>
<p>Par défaut, l'hôte est localhost.</p>
</dd>
<dt><strong><a name="delay_yes_no" class="item"><strong>delay</strong> = yes | no</a></strong></dt>
<dd>
<p>Retarde la recherche DNS pour l'option «&nbsp;connect&nbsp;»</p>
</dd>
<dt><strong><a name="cutable" class="item"><strong>exec</strong> = chemin_exécutable (Unix seulement)</a></strong></dt>
<dd>
<p>Exécute un programme local de type inetd</p>
<p>Le cas échéant, le chemin <em>exec</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<dt><strong><a name="execargs_0_1_2_unix_seulement" class="item"><strong>execargs</strong> = $0 $1 $2 ... (Unix seulement)</a></strong></dt>
<dd>
<p>Arguments pour <em>exec</em>, y compris le nom du programme ($0)</p>
<p>Les quotes ne peuvent actuellement pas être utilisées.
Les arguments sont séparés par un nombre quelconque d'espaces.</p>
</dd>
<dt><strong><a name="ident_nom" class="item"><strong>ident</strong> = nom</a></strong></dt>
<dd>
<p>Applique le contrôle d'identité d'utilisateur IDENT (<a href="http://www.ietf.org/rfc/rfc1413.txt" class="rfc">RFC 1413</a>)</p>
</dd>
<dt><strong><a name="local_h_te" class="item"><strong>local</strong> = hôte</a></strong></dt>
<dd>
<p>Adresse IP de l'interface de sortie utilisée pour les connexions distantes.
Cette option permet de relier une adresse statique locale.</p>
</dd>
<dt><strong><a name="protocol_protocole" class="item"><strong>protocol</strong> = protocole</a></strong></dt>
<dd>
<p>Négocie avec SSL selon le protocole indiqué</p>
<p>Actuellement gérés&nbsp;: cifs, nntp, pop3, smtp</p>
</dd>
<dt><strong><strong>pty</strong> = yes | no (Unix seulement)</strong></dt>
<dd>
<p>Alloue un pseudo-terminal pour l'option «&nbsp;exec&nbsp;»</p>
</dd>
<dt><strong><a name="timeoutbusy_secondes" class="item"><strong>TIMEOUTbusy</strong> = secondes</a></strong></dt>
<dd>
<p>Durée d'attente de données</p>
</dd>
<dt><strong><a name="timeoutclose_secondes" class="item"><strong>TIMEOUTclose</strong> = secondes</a></strong></dt>
<dd>
<p>Durée d'attente du close_notify (mis à 0 pour MSIE qui est bogué)</p>
</dd>
<dt><strong><a name="timeoutidle_secondes" class="item"><strong>TIMEOUTidle</strong> = secondes</a></strong></dt>
<dd>
<p>Durée d'attente sur une connexion inactive</p>
</dd>
<dt><strong><strong>transparent</strong> = yes | no (Unix seulement)</strong></dt>
<dd>
<p>Mode mandataire transparent</p>
<p>Ré-écrit les adresses pour qu'elles apparaissent provenir de la
machine client SSL plutôt que de celle qui exécute <strong>stunnel</strong>.
Cette option n'est disponible en mode local (option <em>exec</em>) qu'avec
la bibliothèque partagée LD_PRELOADing env.so shared library et en mode
distant (option <em>connect</em>) sur les noyaux Linux 2.2 compilés avec
l'option <em>transparent proxy</em> et seulement en mode serveur. Cette
option ne se combine pas au mode mandataire (<em>connect</em>) sauf si la
route par défaut du client vers la cible passe par l'hôte qui fait
tourner <strong>stunnel</strong>, qui ne peut être localhost.</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="valeur_de_retour">VALEUR DE RETOUR</a></h1>
<p><strong>stunnel</strong> renvoie zéro en cas de succès, une autre valeur en cas d'erreur.</p>
<p>
</p>
<hr />
<h1><a name="exemples">EXEMPLES</a></h1>
<p>Pour encapsuler votre service <em>imapd</em> local avec SSL&nbsp;:</p>
<pre>
[imapd]
accept = 993
exec = /usr/sbin/imapd
execargs = imapd</pre>
<p>Pour tunneliser un daemon <em>pppd</em> sur le port 2020&nbsp;:</p>
<pre>
[vpn]
accept = 2020
exec = /usr/sbin/pppd
execargs = pppd local
pty = yes</pre>
<p>Configuration de <em>stunnel.conf</em> pour utiliser <strong>stunnel</strong> en mode <em>inetd</em>
qui lance imapd à son tour (il ne doit pas y avoir de section <em>[service_name]</em>)&nbsp;:</p>
<pre>
exec = /usr/sbin/imapd
execargs = imapd</pre>
<p>
</p>
<hr />
<h1><a name="fichiers">FICHIERS</a></h1>
<dl>
<dt><strong><a name="stunnel_conf" class="item"><em class="file">stunnel.conf</em></a></strong></dt>
<dd>
<p>Fichier de configuration de <strong>stunnel</strong></p>
</dd>
<dt><strong><a name="stunnel_pem" class="item"><em class="file">stunnel.pem</em></a></strong></dt>
<dd>
<p>Certificat et clef privée de <strong>stunnel</strong></p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="bogues">BOGUES</a></h1>
<p>L'option <em>execargs</em> n'admet pas les quotes.</p>
<p>
</p>
<hr />
<h1><a name="restrictions">RESTRICTIONS</a></h1>
<p><strong>stunnel</strong> ne peut être utilisé pour le daemon FTP en raison de la nature
du protocole FTP qui utilise des ports multiples pour les transferts de données.
Il existe cependant des versions SSL de FTP et de telnet.</p>
<p>
</p>
<hr />
<h1><a name="notes">NOTES</a></h1>
<p>
</p>
<h2><a name="mode_inetd">MODE INETD</a></h2>
<p>L'utilisation la plus commune de <strong>stunnel</strong> consiste à écouter un port
réseau et à établir une communication, soit avec un nouveau port
avec l'option <em>connect</em>, soit avec un programme avec l'option <em>exec</em>.
On peut parfois cependant souhaiter qu'un autre programme reçoive les
connexions entrantes et lance <strong>stunnel</strong>, par exemple avec <em>inetd</em>,
<em>xinetd</em> ou <em>tcpserver</em>.</p>
<p>Si, par exemple, la ligne suivante se trouve dans <em>inetd.conf</em>&nbsp;:</p>
<pre>
imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf</pre>
<p>Dans ces cas, c'est le programme du genre <em>inetd</em>-style qui est
responsable de l'établissement de la connexion (<em>imaps</em> ci-dessus) et de passer
celle-ci à <strong>stunnel</strong>.
Ainsi, <strong>stunnel</strong> ne doit alors avoir aucune option <em>accept</em>.
Toutes les <em>options de niveau service</em> doivent être placées dans
la section des options globales et aucune section <em>[service_name]</em> ne doit
être présente. Voir la section <em>EXEMPLES</em> pour des exemples de configurations.</p>
<p>
</p>
<h2><a name="certificats">CERTIFICATS</a></h2>
<p>Chaque daemon à propriétés SSL doit présenter un certificat X.509
valide à son interlocuteur. Il a aussi besoin d'une clef privé pour
déchiffrer les données entrantes. La méthode la plus simple pour
obtenir un certificat et une clef est d'engendrer celles-ci avec
le paquetage libre <em>OpenSSL</em>. Plus d'informations sur la génération de
certificats se trouvent dans les pages indiquées plus bas.</p>
<p>Deux choses importantes lors de la génération de paires certificat-clef
pour <strong>stunnel</strong>&nbsp;:</p>
<ul>
<li>
<p>la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen
d'obtenir le mot de passe de l'utilisateur&nbsp;; pour produire une clef non chiffrée,
ajouter l'option <em>-nodes</em> à la commande <strong>req</strong> de <em>OpenSSL</em>&nbsp;;</p>
</li>
<li>
<p>l'ordre du contenu du fichier <em>.pem</em> est significatif&nbsp;: il doit contenir d'abord
une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat).
Il doit aussi y avoir des lignes vides après le certificat et après la clef privée.
L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que
le fichier ait l'allure suivante&nbsp;:</p>
<pre>
-----BEGIN RSA PRIVATE KEY-----
[clef encodée]
-----END RSA PRIVATE KEY-----
[ligne vide]
-----BEGIN CERTIFICATE-----
[certificat encodé]
-----END CERTIFICATE-----
[ligne vide]</pre>
</li>
</ul>
<p>
</p>
<h2><a name="aleatoire">ALEATOIRE</a></h2>
<p><strong>stunnel</strong> doit «&nbsp;saler&nbsp;» le générateur de pseudo-aléatoires PRNG (pseudo random
number generator) afin que SSL utilise un aléatoire de qualité. Les sources suivantes
sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lue&nbsp;:</p>
<ul>
<li>
<p>le fichier spécifié par <em>RNDfile</em>&nbsp;;</p>
</li>
<li>
<p>le fichier spécifié par la variable d'environnement RANDFILE, à défaut
le fichier .rnd du répertoire $HOME de l'utilisateur&nbsp;;</p>
</li>
<li>
<p>le fichier spécifié par «&nbsp;--with-random&nbsp;» lors de la compilation&nbsp;;</p>
</li>
<li>
<p>le contenu de l'écran (MS-Windows seulement)&nbsp;;</p>
</li>
<li>
<p>le socket EGD spécifié par <em>EGD</em>&nbsp;;</p>
</li>
<li>
<p>le socket EGD spécifié par «&nbsp;--with-egd-sock&nbsp;» lors de la compilation&nbsp;;</p>
</li>
<li>
<p>le périphérique /dev/urandom.</p>
</li>
</ul>
<p>Avec un OpenSSL récent (&gt;=OpenSSL 0.9.5a) le chargement de données s'arrête
automatiquement lorsqu'un niveau d'entropie suffisant est atteint.
Les versions précédentes continuent à lire toutes les sources puisqu'aucune
fonction SSL ne leur permet de savoir que suffisamment de données sont disponibles.</p>
<p>Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console,
(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est
pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire
par le biais de <em>RNDfile</em>.</p>
<p>Le fichier spécifié par <em>RNDfile</em> doit contenir des informations aléatoires --
c'est-à-dire des informations différentes à chaque lancement de <strong>stunnel</strong>.
Cela est géré automatiquement sauf si l'option <em>RNDoverwrite</em> est utilisée.
Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la
commande <em>openssl rand</em> des versions récentes d'OpenSSL sera sans doute utile.</p>
<p>Note importante&nbsp;: si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser
celui-ci pour «&nbsp;saler&nbsp;» le PRNG même lorsqu'il contrôle l'état de l'aléatoire&nbsp;;
ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable
qu'il soit utilisé s'il est présent.
Ce n'est pas le comportement de <strong>stunnel</strong>, c'est celui d'OpenSSL.</p>
<p>
</p>
<hr />
<h1><a name="voir_aussi">VOIR AUSSI</a></h1>
<dl>
<dt><strong><a name="tcpd" class="item"><a href="#tcpd">tcpd(8)</a></a></strong></dt>
<dd>
<p>Service de contrôle d'accès pour les services internet</p>
</dd>
<dt><strong><a name="inetd" class="item"><a href="#inetd">inetd(8)</a></a></strong></dt>
<dd>
<p>«&nbsp;super-serveur&nbsp;» internet</p>
</dd>
<dt><strong><a name="http_www_stunnel_org" class="item"><em class="file"><a href="http://www.stunnel.org/">http://www.stunnel.org/</a></em></a></strong></dt>
<dd>
<p>Page de référence de <strong>stunnel</strong></p>
</dd>
<dt><strong><a name="http_www_openssl_org" class="item"><em class="file"><a href="http://www.openssl.org/">http://www.openssl.org/</a></em></a></strong></dt>
<dd>
<p>Site web du projet OpenSSL</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="auteur">AUTEUR</a></h1>
<dl>
<dt><strong><a name="micha_trojnara" class="item">Michał Trojnara</a></strong></dt>
<dd>
<p>&lt;<em class="file"><a href="mailto:Michal.Trojnara@mirt.net">Michal.Trojnara@mirt.net</a></em>&gt;</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="adaptation_fran__aise">ADAPTATION FRANÇAISE</a></h1>
<dl>
<dt><strong><a name="bernard_choppy" class="item">Bernard Choppy</a></strong></dt>
<dd>
<p>&lt;<em class="file">choppy AT free POINT fr</em>&gt;</p>
</dd>
</dl>
</body>
</html>
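Review bot: this hunk drops the French HTML man page outright rather than refreshing it, and the removed text is far older than the 5.42 code being imported (the three-level `verify` with no verification by default, the `transparent` note limited to Linux 2.2 kernels, an ALEATOIRE section built around EGD and OpenSSL 0.9.5a, a PEM layout that requires an unencrypted `RSA PRIVATE KEY`), so deletion is the right call for a page that would otherwise keep pointing users at obsolete settings; say so in the commit message or debian/changelog, and check that no doc Makefile rule or index page still references the removed file, since the tail shown here is the only trace of it left in the tree.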

View File

@ -1,636 +0,0 @@
=head1 NOM
=encoding utf8
stunnel - tunnel SSL universel
=head1 SYNOPSIS
=over 4
=item B<Unix:>
B<stunnel> S<[fichier]> | S<-fd [n]> | S<-help> | S<-version> | S<-sockets>
=item B<WIN32:>
B<stunnel> S<[fichier]> | S<-install> | S<-uninstall> | S<-help> | S<-version> | S<-sockets>
=back
=head1 DESCRIPTION
Le programme B<stunnel> est conçu pour fonctionner comme une couche
de chiffrement I<SSL> entre des clients distants et des serveurs locaux
(I<inetd>-démarrables) ou distants. Le concept est qu'à partir de daemons
non-SSL présents sur le système, on peut facilement les configurer pour
communiquer avec des clients sur des liens sécurisés SSL.
B<stunnel> peut être utilisé pour ajouter des fonctionnalités SSL à des
daemons classiques I<Inetd> tels que les serveurs POP-2, POP-3 et IMAP,
à d'autres autonomes tels que NNTP, SMTP et HTTP, ainsi que pour tunneliser
PPP sur des sockets réseau sans modification du code source.
Ce produit inclut du code de chiffrement écrit par
Eric Young (eay@cryptsoft.com)
=head1 OPTIONS
=over 4
=item B<[fichier]>
Utilisation du fichier de configuration spécifié.
=item B<-fd [n]> (Unix seulement)
Lecture du fichier de configuration depuis le descripteur de
fichier indiqué.
=item B<-help>
Affiche le menu d'aide de B<stunnel>.
=item B<-version>
Affiche la version de B<stunnel> et les options de compilation.
=item B<-sockets>
Affiche les options socket par défaut.
=item B<-install> (NT/2000/XP seulement)
Installe un service NT.
=item B<-uninstall> (NT/2000/XP only)
Désinstalle un service NT.
=back
=head1 FICHIER DE CONFIGURATION
Chaque ligne du fichier de configuration peut être soitE<nbsp>:
=over 4
=item *
une ligne vide (ignorée)E<nbsp>;
=item *
un commentaire commençant par «E<nbsp>#E<nbsp>» (ignoré)E<nbsp>;
=item *
une paire «E<nbsp>option = valeurE<nbsp>»E<nbsp>;
=item *
«E<nbsp>[service_name]E<nbsp>» indiquant le début de la définition d'un serviceE<nbsp>;
=back
=head2 OPTIONS GLOBALES
=over 4
=item B<CApath> = répertoire
Répertoire des autorités de certification (CA)
C'est le répertoire dans lequel B<stunnel> cherche les certificats si
l'on utilise I<verify>. Les certificats doivent être dénommés selon la
forme XXXXXXXX.0, où XXXXXXXX est la valeur de hachage du certificat.
Le cas échéant, le répertoire I<CApath> est relatif au répertoire I<chroot>.
=item B<CAfile> = fichier
Fichier d'autorités de certification
Ce fichier, utilisé avec I<verify>, contient plusieurs certificats de CA.
=item B<cert> = fichier
Fichier de chaîne de certificats PEM
Une PEM est toujours nécessaire en mode serveur.
En mode client, cette option utilise cette PEM comme une chaîne côté client.
L'utilisation de certificats côté client est optionnelle. Les certificats
doivent être au format PEM et triés par ordre de niveau décroissant (CA racine
en premier).
=item B<chroot> = répertoire (Unix seulement)
Répertoire de chroot du processus B<stunnel>
B<chroot> enferme B<stunnel> dans une cellule chroot. I<CApath>, I<CRLpath>, I<pid>
et I<exec> sont situés à l'intérieur de la cellule et les répertoires doivent être
relatifs au répertoire correspondant.
Pour que le contrôle de libwrap (wrappeur TCP) soit effectif dans un environnement
chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et
/etc/hosts.deny).
=item B<ciphers> = listes de chiffre
Sélection des chiffres SSL autorisés
Liste délimitée par deux-points («E<nbsp>:E<nbsp>») des chiffres autorisés pour la connexion SSL.
ExempleE<nbsp>: DES-CBC3-SHA:IDEA-CBC-MD5
=item B<client> = yes | no
Mode client (Le service distant utilise SSL)
Par défautE<nbsp>: no (mode server)
=item B<CRLpath> = répertoire
Répertoire des listes de révocation de certificats (CRL)
C'est le répertoire dans lequel B<stunnel> recherche les CRL avec
l'option I<verify>. Les CRL doivent être dénommés selon la
forme XXXXXXXX.0 où XXXXXXXX est la valeur de hachage de la CRL.
Le cas échéant, le répertoire I<CRLpath> est relatif au répertoire I<chroot>.
=item B<CRLfile> = fichier
Fichier de listes de révocation de certificats (CRL)
Ce fichier, utilisé avec I<verify>, contient plusieurs CRL.
=item B<debug> = [facilité.]niveau
niveau de déverminage
Le niveau est un nom ou un numéro conforme à ceux de syslogE<nbsp>:
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux
numériquement inférieurs seront affichées. B<debug = debug> ou
B<debug = 7> donneront le maximum d'informations. La valeur par défaut
est notice (5).
La facilité syslog «E<nbsp>daemonE<nbsp>» est utilisée, sauf si un autre nom est spécifié
(Win32 ne permet pas l'usage des facilités.)
La casse est ignorée, aussi bien pour la facilité que pour le niveau.
=item B<EGD> = chemin (Unix seulement)
Emplacement du socket du daemon de recueil d'entropie (EGD - Entropy Gathering Daemon)
Socket EGD à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible
seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur).
=item B<foreground> = yes | no (Unix seulement)
Mode avant-plan
Reste en avant-plan (sans fork) et dirige la trace sur stderr
au lieu de syslog (sauf si B<output> est spécifié).
Par défaultE<nbsp>: arrière-plan en mode daemon.
=item B<key> = fichier
Fichier de clef privée pour le certificat spécifié par I<cert>
La clef privée est nécessaire pour authentifier le titulaire du
certificat.
Puisque ce fichier doit rester secret, il ne doit être lisible que
par son propriétaire. Sur les systèmes Unix, on peut utiliser la
commande suivanteE<nbsp>:
chmod 600 fichier
Par défaultE<nbsp>: Valeur de I<cert>
=item B<options> = Options_SSL
Options de la bibliothèque OpenSSL
Le paramètre est l'option OpenSSL décrite dans la page de man
I<SSL_CTX_set_options(3ssl)>, débarassée du préfixe I<SSL_OP_>.
Plusieurs I<options> peuvent être spécifiées.
Par exemple, pour la compatibilité avec l'implantation SSL défaillante
d'Eudora, on peut utiliserE<nbsp>:
options = DONT_INSERT_EMPTY_FRAGMENTS
=item B<output> = fichier
Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.
/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard
(par exemple pour les traiter avec les outils splogger).
=item B<pid> = fichier (Unix seulement)
Emplacement du fichier pid
Si l'argument est vide, aucun fichier ne sera créé.
Le cas échéant, le chemin I<pid> est relatif au répertoire I<chroot>.
=item B<RNDbytes> = nombre
Nombre d'octets à lire depuis les fichiers de «E<nbsp>selE<nbsp>» aléatoire
Avec les SSL de version inférieure à 0.9.5a, détermine aussi le nombre
d'octets considérés comme suffisants pour «E<nbsp>salerE<nbsp>» le PRNG. Les versions plus
récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire
est suffisant.
=item B<RNDfile> = fichier
chemin du fichier de données de «E<nbsp>selE<nbsp>» aléatoire
La bibliothèque SSL utilise prioritairement les données de ce fichier pour
«E<nbsp>salerE<nbsp>» le générateur d'aléatoire.
=item B<RNDoverwrite> = yes | no
Recouvre les fichiers de «E<nbsp>selE<nbsp>» avec de nouvelles données aléatoires.
Par défautE<nbsp>: yes
=item B<service> = nom
Définit le nom de service à utiliser
B<Sous UnixE<nbsp>:> nom de service du mode I<inetd> pour la bibliothèque TCP Wrapper.
Par défautE<nbsp>: stunnel
=item B<session> = timeout
Timeout du cache de session
=item B<setgid> = nom (Unix seulement)
Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)
=item B<setuid> = nom (Unix seulement)
Nom d'utilisateur utilisé en mode daemon
=item B<socket> = a|l|r:option=valeur[:valeur]
Configure une option de socket accept (a), locale (l) ou distante (r)
Les valeurs de l'option linger sontE<nbsp>: l_onof:l_linger.
Les valeurs de l'option time sontE<nbsp>: tv_sec:tv_usec.
ExemplesE<nbsp>:
socket = l:SO_LINGER=1:60
définit un délai d'une minute pour la clôture des sockets locaux
socket = r:SO_OOBINLINE=yes
Place directement les données hors-bande dans le flux de réception
des sockets distants
socket = a:SO_REUSEADDR=no
désactive la réutilisation d'adresses (activée par défaut)
socket = a:SO_BINDTODEVICE=lo
limite l'acceptation des connexions sur la seule interface de bouclage
=item B<taskbar> = yes | no (WIN32 seulement)
active l'icône de la barre de tâches
Par défautE<nbsp>: yes
=item B<verify> = niveau
Vérifie le certificat du correspondant
niveau 1 - vérifie le certificat s'il est présent
niveau 2 - vérifie le certificat
niveau 3 - contrôle le correspondant avec le certificat local
Par défaut - pas de vérification
=back
=head2 OPTIONS DE SERVICE
Chaque section de configuration commence par le nom du service entre crochets.
Celui-ci est utilisé par le contrôle d'accès de libwrap (TCP Wrappers) et sert
à distinguer les services B<stunnel> dans les fichiers de traces.
Si l'on souhaite utiliser B<stunnel> en mode I<inetd> (lorsqu'un socket lui est
fourni par un serveur comme I<inetd>, I<xinetd> ou I<tcpserver>), il faut se
reporter à la section I<MODE INETD> plus bas.
=over 4
=item B<accept> = [hôte:]port
Accepte des connexions sur le port spécifié
Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses IP de
la machine locale.
=item B<connect> = [hôte:]port
Se connecte au port distant indiqué
Par défaut, l'hôte est localhost.
=item B<delay> = yes | no
Retarde la recherche DNS pour l'option «E<nbsp>connectE<nbsp>»
=item B<exec> = chemin_exécutable (Unix seulement)
Exécute un programme local de type inetd
Le cas échéant, le chemin I<exec> est relatif au répertoire I<chroot>.
=item B<execargs> = $0 $1 $2 ... (Unix seulement)
Arguments pour I<exec>, y compris le nom du programme ($0)
Les quotes ne peuvent actuellement pas être utilisées.
Les arguments sont séparés par un nombre quelconque d'espaces.
=item B<ident> = nom
Applique le contrôle d'identité d'utilisateur IDENT (RFC 1413)
=item B<local> = hôte
Adresse IP de l'interface de sortie utilisée pour les connexions distantes.
Cette option permet de relier une adresse statique locale.
=item B<protocol> = protocole
Négocie avec SSL selon le protocole indiqué
Actuellement gérésE<nbsp>: cifs, nntp, pop3, smtp
=item B<pty> = yes | no (Unix seulement)
Alloue un pseudo-terminal pour l'option «E<nbsp>execE<nbsp>»
=item B<TIMEOUTbusy> = secondes
Durée d'attente de données
=item B<TIMEOUTclose> = secondes
Durée d'attente du close_notify (mis à 0 pour MSIE qui est bogué)
=item B<TIMEOUTidle> = secondes
Durée d'attente sur une connexion inactive
=item B<transparent> = yes | no (Unix seulement)
Mode mandataire transparent
Ré-écrit les adresses pour qu'elles apparaissent provenir de la
machine client SSL plutôt que de celle qui exécute B<stunnel>.
Cette option n'est disponible en mode local (option I<exec>) qu'avec
la bibliothèque partagée LD_PRELOADing env.so shared library et en mode
distant (option I<connect>) sur les noyaux Linux 2.2 compilés avec
l'option I<transparent proxy> et seulement en mode serveur. Cette
option ne se combine pas au mode mandataire (I<connect>) sauf si la
route par défaut du client vers la cible passe par l'hôte qui fait
tourner B<stunnel>, qui ne peut être localhost.
=back
=head1 VALEUR DE RETOUR
B<stunnel> renvoie zéro en cas de succès, une autre valeur en cas d'erreur.
=head1 EXEMPLES
Pour encapsuler votre service I<imapd> local avec SSLE<nbsp>:
[imapd]
accept = 993
exec = /usr/sbin/imapd
execargs = imapd
Pour tunneliser un daemon I<pppd> sur le port 2020E<nbsp>:
[vpn]
accept = 2020
exec = /usr/sbin/pppd
execargs = pppd local
pty = yes
Configuration de I<stunnel.conf> pour utiliser B<stunnel> en mode I<inetd>
qui lance imapd à son tour (il ne doit pas y avoir de section I<[service_name]>)E<nbsp>:
exec = /usr/sbin/imapd
execargs = imapd
=head1 FICHIERS
=over 4
=item F<stunnel.conf>
Fichier de configuration de B<stunnel>
=item F<stunnel.pem>
Certificat et clef privée de B<stunnel>
=back
=head1 BOGUES
L'option I<execargs> n'admet pas les quotes.
=head1 RESTRICTIONS
B<stunnel> ne peut être utilisé pour le daemon FTP en raison de la nature
du protocole FTP qui utilise des ports multiples pour les transferts de données.
Il existe cependant des versions SSL de FTP et de telnet.
=head1 NOTES
=head2 MODE INETD
L'utilisation la plus commune de B<stunnel> consiste à écouter un port
réseau et à établir une communication, soit avec un nouveau port
avec l'option I<connect>, soit avec un programme avec l'option I<exec>.
On peut parfois cependant souhaiter qu'un autre programme reçoive les
connexions entrantes et lance B<stunnel>, par exemple avec I<inetd>,
I<xinetd> ou I<tcpserver>.
Si, par exemple, la ligne suivante se trouve dans I<inetd.conf>E<nbsp>:
imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
Dans ces cas, c'est le programme du genre I<inetd>-style qui est
responsable de l'établissement de la connexion (I<imaps> ci-dessus) et de passer
celle-ci à B<stunnel>.
Ainsi, B<stunnel> ne doit alors avoir aucune option I<accept>.
Toutes les I<options de niveau service> doivent être placées dans
la section des options globales et aucune section I<[service_name]> ne doit
être présente. Voir la section I<EXEMPLES> pour des exemples de configurations.
=head2 CERTIFICATS
Chaque daemon à propriétés SSL doit présenter un certificat X.509
valide à son interlocuteur. Il a aussi besoin d'une clef privé pour
déchiffrer les données entrantes. La méthode la plus simple pour
obtenir un certificat et une clef est d'engendrer celles-ci avec
le paquetage libre I<OpenSSL>. Plus d'informations sur la génération de
certificats se trouvent dans les pages indiquées plus bas.
Deux choses importantes lors de la génération de paires certificat-clef
pour B<stunnel>E<nbsp>:
=over 4
=item *
la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen
d'obtenir le mot de passe de l'utilisateurE<nbsp>; pour produire une clef non chiffrée,
ajouter l'option I<-nodes> à la commande B<req> de I<OpenSSL>E<nbsp>;
=item *
l'ordre du contenu du fichier I<.pem> est significatifE<nbsp>: il doit contenir d'abord
une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat).
Il doit aussi y avoir des lignes vides après le certificat et après la clef privée.
L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que
le fichier ait l'allure suivanteE<nbsp>:
-----BEGIN RSA PRIVATE KEY-----
[clef encodée]
-----END RSA PRIVATE KEY-----
[ligne vide]
-----BEGIN CERTIFICATE-----
[certificat encodé]
-----END CERTIFICATE-----
[ligne vide]
=back
=head2 ALEATOIRE
B<stunnel> doit «E<nbsp>salerE<nbsp>» le générateur de pseudo-aléatoires PRNG (pseudo random
number generator) afin que SSL utilise un aléatoire de qualité. Les sources suivantes
sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lueE<nbsp>:
=over 4
=item *
le fichier spécifié par I<RNDfile>E<nbsp>;
=item *
le fichier spécifié par la variable d'environnement RANDFILE, à défaut
le fichier .rnd du répertoire $HOME de l'utilisateurE<nbsp>;
=item *
le fichier spécifié par «E<nbsp>--with-randomE<nbsp>» lors de la compilationE<nbsp>;
=item *
le contenu de l'écran (MS-Windows seulement)E<nbsp>;
=item *
le socket EGD spécifié par I<EGD>E<nbsp>;
=item *
le socket EGD spécifié par «E<nbsp>--with-egd-sockE<nbsp>» lors de la compilationE<nbsp>;
=item *
le périphérique /dev/urandom.
=back
Avec un OpenSSL récent (>=OpenSSL 0.9.5a) le chargement de données s'arrête
automatiquement lorsqu'un niveau d'entropie suffisant est atteint.
Les versions précédentes continuent à lire toutes les sources puisqu'aucune
fonction SSL ne leur permet de savoir que suffisamment de données sont disponibles.
Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console,
(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est
pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire
par le biais de I<RNDfile>.
Le fichier spécifié par I<RNDfile> doit contenir des informations aléatoires --
c'est-à-dire des informations différentes à chaque lancement de B<stunnel>.
Cela est géré automatiquement sauf si l'option I<RNDoverwrite> est utilisée.
Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la
commande I<openssl rand> des versions récentes d'OpenSSL sera sans doute utile.
Note importanteE<nbsp>: si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser
celui-ci pour «E<nbsp>salerE<nbsp>» le PRNG même lorsqu'il contrôle l'état de l'aléatoireE<nbsp>;
ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable
qu'il soit utilisé s'il est présent.
Ce n'est pas le comportement de B<stunnel>, c'est celui d'OpenSSL.
=head1 VOIR AUSSI
=over 4
=item L<tcpd(8)>
Service de contrôle d'accès pour les services internet
=item L<inetd(8)>
«E<nbsp>super-serveurE<nbsp>» internet
=item F<http://www.stunnel.org/>
Page de référence de B<stunnel>
=item F<http://www.openssl.org/>
Site web du projet OpenSSL
=back
=head1 AUTEUR
=over 4
=item Michał Trojnara
<F<Michal.Trojnara@mirt.net>>
=back
=head1 ADAPTATION FRANÇAISE
=over 4
=item Bernard Choppy
<F<choppy AT free POINT fr>>
=back
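Review bot: the whole-file deletion `@ -1,636 +0,0 @@` removes the French POD source with it, and this copy was the only French text carrying the `key` advice (`chmod 600 fichier`) and the CERTIFICATS warning about unencrypted keys, so if a French page is ever regenerated it should be derived from the current English stunnel.pod.in added in this commit, not from this file: its `ciphers` example `DES-CBC3-SHA:IDEA-CBC-MD5`, the RNDbytes text keyed to OpenSSL below 0.9.5a and the `=encoding utf8` line placed after `=head1 NOM` all reflect a document that was never updated for stunnel 5.x.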

1625
doc/stunnel.html.in Normal file

File diff suppressed because it is too large Load Diff

1626
doc/stunnel.pl.html.in Normal file

File diff suppressed because it is too large Load Diff

1529
doc/stunnel.pod.in Normal file

File diff suppressed because it is too large Load Diff

2290
m4/libtool.m4 vendored

File diff suppressed because it is too large Load Diff

32
m4/ltoptions.m4 vendored
View File

@ -1,13 +1,14 @@
# Helper functions for option handling. -*- Autoconf -*-
#
# Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc.
# Copyright (C) 2004, 2005, 2007, 2008, 2009 Free Software Foundation,
# Inc.
# Written by Gary V. Vaughan, 2004
#
# This file is free software; the Free Software Foundation gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
# serial 6 ltoptions.m4
# serial 7 ltoptions.m4
# This is to help aclocal find these macros, as it can't see m4_define.
AC_DEFUN([LTOPTIONS_VERSION], [m4_if([1])])
@ -125,7 +126,7 @@ LT_OPTION_DEFINE([LT_INIT], [win32-dll],
[enable_win32_dll=yes
case $host in
*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-cegcc*)
*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-cegcc*)
AC_CHECK_TOOL(AS, as, false)
AC_CHECK_TOOL(DLLTOOL, dlltool, false)
AC_CHECK_TOOL(OBJDUMP, objdump, false)
@ -133,13 +134,13 @@ case $host in
esac
test -z "$AS" && AS=as
_LT_DECL([], [AS], [0], [Assembler program])dnl
_LT_DECL([], [AS], [1], [Assembler program])dnl
test -z "$DLLTOOL" && DLLTOOL=dlltool
_LT_DECL([], [DLLTOOL], [0], [DLL creation program])dnl
_LT_DECL([], [DLLTOOL], [1], [DLL creation program])dnl
test -z "$OBJDUMP" && OBJDUMP=objdump
_LT_DECL([], [OBJDUMP], [0], [Object dumper program])dnl
_LT_DECL([], [OBJDUMP], [1], [Object dumper program])dnl
])# win32-dll
AU_DEFUN([AC_LIBTOOL_WIN32_DLL],
@ -325,9 +326,24 @@ dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], [])
# MODE is either `yes' or `no'. If omitted, it defaults to `both'.
m4_define([_LT_WITH_PIC],
[AC_ARG_WITH([pic],
[AS_HELP_STRING([--with-pic],
[AS_HELP_STRING([--with-pic@<:@=PKGS@:>@],
[try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
[pic_mode="$withval"],
[lt_p=${PACKAGE-default}
case $withval in
yes|no) pic_mode=$withval ;;
*)
pic_mode=default
# Look at the argument we got. We use all the common list separators.
lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
for lt_pkg in $withval; do
IFS="$lt_save_ifs"
if test "X$lt_pkg" = "X$lt_p"; then
pic_mode=yes
fi
done
IFS="$lt_save_ifs"
;;
esac],
[pic_mode=default])
test -z "$pic_mode" && pic_mode=m4_default([$1], [default])
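Review bot: the new `--with-pic[=PKGS]` branch splits `$withval` on `IFS` extended with `$PATH_SEPARATOR` and `,` and compares each token against `${PACKAGE-default}`, but the `AS_HELP_STRING` right above it still only says `try to use only PIC/non-PIC objects`, so neither the accepted separators nor the per-package semantics are documented to the person running configure; since the `serial 6` -> `serial 7` bump at the top of the file shows this is regenerated libtool text rather than a local edit, the useful review action is not to patch the help string here but to verify m4/ltoptions.m4 byte-for-byte against the upstream libtool release it was taken from and record that provenance in the commit message.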

12
m4/ltversion.m4 vendored
View File

@ -7,17 +7,17 @@
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
# Generated from ltversion.in.
# @configure_input@
# serial 3017 ltversion.m4
# serial 3337 ltversion.m4
# This file is part of GNU Libtool
m4_define([LT_PACKAGE_VERSION], [2.2.6b])
m4_define([LT_PACKAGE_REVISION], [1.3017])
m4_define([LT_PACKAGE_VERSION], [2.4.2])
m4_define([LT_PACKAGE_REVISION], [1.3337])
AC_DEFUN([LTVERSION_VERSION],
[macro_version='2.2.6b'
macro_revision='1.3017'
[macro_version='2.4.2'
macro_revision='1.3337'
_LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?])
_LT_DECL(, macro_revision, 0)
])
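Review bot: `LT_PACKAGE_VERSION` moves from 2.2.6b to 2.4.2 (revision 1.3017 -> 1.3337) while the matching m4/libtool.m4 change (2290 lines) is collapsed in this view, so the one property worth checking is that every vendored macro file comes from that same libtool release: the serial bumps elsewhere in this commit (ltoptions.m4 6 -> 7, lt~obsolete.m4 4 -> 5) should all belong to the 2.4.2 set, because mixed serials make aclocal combine macros from different libtool versions at `autoreconf` time; the commit message should name the libtool version the files were regenerated from.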

12
m4/lt~obsolete.m4 vendored
View File

@ -1,13 +1,13 @@
# lt~obsolete.m4 -- aclocal satisfying obsolete definitions. -*-Autoconf-*-
#
# Copyright (C) 2004, 2005, 2007 Free Software Foundation, Inc.
# Copyright (C) 2004, 2005, 2007, 2009 Free Software Foundation, Inc.
# Written by Scott James Remnant, 2004.
#
# This file is free software; the Free Software Foundation gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
# serial 4 lt~obsolete.m4
# serial 5 lt~obsolete.m4
# These exist entirely to fool aclocal when bootstrapping libtool.
#
@ -77,7 +77,6 @@ m4_ifndef([AC_DISABLE_FAST_INSTALL], [AC_DEFUN([AC_DISABLE_FAST_INSTALL])])
m4_ifndef([_LT_AC_LANG_CXX], [AC_DEFUN([_LT_AC_LANG_CXX])])
m4_ifndef([_LT_AC_LANG_F77], [AC_DEFUN([_LT_AC_LANG_F77])])
m4_ifndef([_LT_AC_LANG_GCJ], [AC_DEFUN([_LT_AC_LANG_GCJ])])
m4_ifndef([AC_LIBTOOL_RC], [AC_DEFUN([AC_LIBTOOL_RC])])
m4_ifndef([AC_LIBTOOL_LANG_C_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG])])
m4_ifndef([_LT_AC_LANG_C_CONFIG], [AC_DEFUN([_LT_AC_LANG_C_CONFIG])])
m4_ifndef([AC_LIBTOOL_LANG_CXX_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG])])
@ -90,3 +89,10 @@ m4_ifndef([AC_LIBTOOL_LANG_RC_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG])])
m4_ifndef([_LT_AC_LANG_RC_CONFIG], [AC_DEFUN([_LT_AC_LANG_RC_CONFIG])])
m4_ifndef([AC_LIBTOOL_CONFIG], [AC_DEFUN([AC_LIBTOOL_CONFIG])])
m4_ifndef([_LT_AC_FILE_LTDLL_C], [AC_DEFUN([_LT_AC_FILE_LTDLL_C])])
m4_ifndef([_LT_REQUIRED_DARWIN_CHECKS], [AC_DEFUN([_LT_REQUIRED_DARWIN_CHECKS])])
m4_ifndef([_LT_AC_PROG_CXXCPP], [AC_DEFUN([_LT_AC_PROG_CXXCPP])])
m4_ifndef([_LT_PREPARE_SED_QUOTE_VARS], [AC_DEFUN([_LT_PREPARE_SED_QUOTE_VARS])])
m4_ifndef([_LT_PROG_ECHO_BACKSLASH], [AC_DEFUN([_LT_PROG_ECHO_BACKSLASH])])
m4_ifndef([_LT_PROG_F77], [AC_DEFUN([_LT_PROG_F77])])
m4_ifndef([_LT_PROG_FC], [AC_DEFUN([_LT_PROG_FC])])
m4_ifndef([_LT_PROG_CXX], [AC_DEFUN([_LT_PROG_CXX])])

@ -1,22 +1,41 @@
## Process this file with automake to produce Makefile.in
# by Michal Trojnara 2015-2017
###############################################################################
# File lists #
###############################################################################
# File lists
common_headers = common.h prototypes.h version.h
common_sources = str.c file.c client.c log.c options.c protocol.c network.c
common_sources += resolver.c ssl.c ctx.c verify.c sthreads.c fd.c stunnel.c
unix_sources = pty.c libwrap.c
common_sources = tls.c str.c file.c client.c log.c options.c protocol.c
common_sources += network.c resolver.c ssl.c ctx.c verify.c sthreads.c
common_sources += fd.c dhparam.c cron.c stunnel.c
unix_sources = pty.c libwrap.c ui_unix.c
shared_sources = env.c
win32_sources = gui.c resources.h resources.rc stunnel.ico
win32_gui_sources = ui_win_gui.c resources.h resources.rc
win32_gui_sources += stunnel.ico active.ico error.ico idle.ico
win32_cli_sources = ui_win_cli.c
###############################################################################
# Generate a new set of DH parameters for each version #
###############################################################################
dhparam.c: version.h
echo '#include "common.h"' >dhparam.c
echo '#ifndef OPENSSL_NO_DH' >>dhparam.c
echo '#define DN_new DH_new' >>dhparam.c
openssl dhparam -noout -C 2048 >>dhparam.c
echo '#endif /* OPENSSL_NO_DH */' >>dhparam.c
###############################################################################
# Unix executables and shared library #
###############################################################################
# Unix executables
bin_PROGRAMS = stunnel
stunnel_SOURCES = $(common_headers) $(common_sources) $(unix_sources)
bin_SCRIPTS = stunnel3
# Unix shared library
pkglib_LTLIBRARIES = libstunnel.la
libstunnel_la_SOURCES = $(shared_sources)
libstunnel_la_LDFLAGS = -avoid-version
EXTRA_DIST = stunnel3.in
CLEANFILES = stunnel3
# Red Hat "by design" bug #82369
stunnel_CPPFLAGS = -I/usr/kerberos/include
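Review bot: the `dhparam.c: version.h` rule leaves a truncated dhparam.c behind if `openssl dhparam -noout -C 2048 >>dhparam.c` fails (openssl missing from PATH, or an error after the first `echo` lines have already created the file); since the partial file is then newer than version.h, the next make treats it as up to date and the build breaks later in the compiler with an unclear error. Write into a temporary file and rename it on success, or declare `.DELETE_ON_ERROR`. The `echo '#define DN_new DH_new' >>dhparam.c` line also deserves a comment naming which `openssl dhparam -C` output it works around; the generated file in this commit calls DH_new() directly, so the define is a no-op there.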
@ -25,55 +44,41 @@ stunnel_CPPFLAGS = -I/usr/kerberos/include
stunnel_CPPFLAGS += -I$(SSLDIR)/include
stunnel_CPPFLAGS += -DLIBDIR='"$(pkglibdir)"'
stunnel_CPPFLAGS += -DCONFDIR='"$(sysconfdir)/stunnel"'
stunnel_CPPFLAGS += -DPIDFILE='"$(localstatedir)/run/stunnel/stunnel.pid"'
# SSL library
# TLS library
stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto
# Win32 executable
EXTRA_DIST = make.bat makece.bat makew32.bat
EXTRA_DIST += mingw.mak evc.mak vc.mak os2.mak
EXTRA_PROGRAMS = stunnel.exe tstunnel.exe
stunnel_exe_SOURCES = $(common_headers) $(common_sources) $(win32_sources)
tstunnel_exe_SOURCES = $(common_headers) $(common_sources) nogui.c
# stunnel3 script
edit = sed \
-e 's|@bindir[@]|$(bindir)|g'
stunnel3: Makefile
$(edit) '$(srcdir)/$@.in' >$@
stunnel3: $(srcdir)/stunnel3.in
# OPENSSLDIR = /usr/src/openssl-0.9.8u-fips
# WINCPPFLAGS = -I$(OPENSSLDIR)/inc32
OPENSSLDIR = /usr/src/openssl-1.0.2a-i686
WINCPPFLAGS = -I$(OPENSSLDIR)/include
WINCFLAGS = -mthreads -fstack-protector -O2 -Wall -Wextra -Wno-long-long -pedantic
WINLDFLAGS = -mthreads -fstack-protector -s
WINLIBS = -L$(OPENSSLDIR) -lcrypto -lssl -lpsapi -lws2_32 -lgdi32
# WINLIBS = -L$(OPENSSLDIR) -lzdll -lcrypto.dll -lssl.dll -lpsapi -lws2_32 -lgdi32
# WINLIBS = -L$(OPENSSLDIR) -lzdll -lcrypto -lssl -lpsapi -lws2_32 -lgdi32
WINOBJ = str.obj file.obj client.obj log.obj options.obj protocol.obj
WINOBJ += network.obj resolver.obj ssl.obj ctx.obj verify.obj sthreads.obj
WINOBJ += fd.obj stunnel.obj
WINGUIOBJ = $(WINOBJ) gui.obj resources.obj
WINNOGUIOBJ = $(WINOBJ) nogui.obj
WINPREFIX = i686-w64-mingw32-
WINGCC = $(WINPREFIX)gcc
WINDRES = $(WINPREFIX)windres
# Unix shared library
pkglib_LTLIBRARIES = libstunnel.la
libstunnel_la_SOURCES = $(shared_sources)
libstunnel_la_LDFLAGS = -avoid-version
dist-hook: stunnel.exe tstunnel.exe
###############################################################################
# Win32 executables #
###############################################################################
distclean-local:
rm -f stunnel.exe tstunnel.exe
if AUTHOR_TESTS
# Just check if the programs can be built, don't perform any actual tests
check-local: mingw mingw64
endif
# SUFFIXES = .c .rc .obj
mingw:
$(MAKE) -f $(srcdir)/mingw.mk srcdir=$(srcdir) win32_targetcpu=i686 win32_mingw=mingw
mingw64:
$(MAKE) -f $(srcdir)/mingw.mk srcdir=$(srcdir) win32_targetcpu=x86_64 win32_mingw=mingw64
.PHONY: mingw mingw64
stunnel.exe: $(WINGUIOBJ)
$(WINGCC) -mwindows $(WINLDFLAGS) -o stunnel.exe $(WINGUIOBJ) $(WINLIBS)
tstunnel.exe: $(WINNOGUIOBJ)
$(WINGCC) $(WINLDFLAGS) -o tstunnel.exe $(WINNOGUIOBJ) $(WINLIBS)
%.obj: %.c $(common_headers)
$(WINGCC) -c $(WINCPPFLAGS) $(WINCFLAGS) -o $@ $<
resources.obj: resources.rc resources.h version.h
$(WINDRES) --include-dir $(srcdir) $< $@
mostlyclean-local:
-rm -f *.obj
clean-local:
rm -rf ../obj ../bin
# Remaining files to be included
EXTRA_DIST += $(win32_gui_sources) $(win32_cli_sources)
EXTRA_DIST += make.bat makece.bat makew32.bat
EXTRA_DIST += mingw.mk mingw.mak evc.mak vc.mak os2.mak
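Review bot: `clean-local:` runs `rm -rf ../obj ../bin`, a hard-coded parent-relative path that reaches outside the src build directory; in an out-of-tree build this deletes whatever happens to sit beside the build's src directory. If these are the output directories mingw.mk creates for the `mingw` and `mingw64` targets, define the path once in a variable passed to mingw.mk (the way `srcdir=$(srcdir)` already is) and use that variable here, so the clean rule cannot drift from what the cross build actually produces.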

src/active.ico Normal file

@ -1,24 +1,24 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
@ -26,7 +26,7 @@
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
@ -40,7 +40,6 @@
#include "version.h"
/**************************************** common constants */
#define LIBWRAP_CLIENTS 5
@ -49,7 +48,7 @@
#define DEFAULT_STACK_SIZE 65536
/* #define DEBUG_STACK_SIZE */
/* I/O buffer size - 18432 is the maximum size of SSL record payload */
/* I/O buffer size: 18432 (0x4800) is the maximum size of TLS record payload */
#define BUFFSIZE 18432
/* how many bytes of random input to read from files for PRNG */
@ -62,6 +61,12 @@
/* additional diagnostic messages */
/* #define DEBUG_FD_ALLOC */
#ifdef DEBUG_INFO
#define NOEXPORT
#else
#define NOEXPORT static
#endif
/**************************************** platform */
#ifdef _WIN32
@ -70,20 +75,32 @@
#ifdef _WIN32_WCE
#define USE_WIN32
typedef int socklen_t;
typedef int socklen_t;
#endif
#ifdef USE_WIN32
typedef signed char int8_t;
typedef signed short int16_t;
typedef signed int int32_t;
typedef signed long long int64_t;
typedef unsigned char uint8_t;
typedef unsigned short uint16_t;
typedef unsigned int uint32_t;
typedef unsigned long long uint64_t;
#ifndef __MINGW32__
#ifdef _WIN64
typedef __int64 ssize_t;
#else /* _WIN64 */
typedef int ssize_t;
#endif /* _WIN64 */
#endif /* !__MINGW32__ */
#define PATH_MAX MAX_PATH
#define USE_IPv6
#define _CRT_SECURE_NO_DEPRECATE
#define _CRT_NONSTDC_NO_DEPRECATE
#define HAVE_OSSL_ENGINE_H
#define HAVE_OSSL_OCSP_H
/* prevent including wincrypt.h, as it defines it's own OCSP_RESPONSE */
#define _CRT_NON_CONFORMING_SWPRINTFS
/* prevent including wincrypt.h, as it defines its own OCSP_RESPONSE */
#define __WINCRYPT_H__
#endif
#ifdef USE_WIN32
#define S_EADDRINUSE WSAEADDRINUSE
/* winsock does not define WSAEAGAIN */
/* in most (but not all!) BSD implementations EAGAIN==EWOULDBLOCK */
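Review bot: `#define _CRT_NON_CONFORMING_SWPRINTFS` selects the legacy swprintf() form that takes no buffer-size argument, so every swprintf() call in the Windows code loses the bounds check the conforming `swprintf(buf, count, fmt, ...)` provides; prefer converting the callers to the conforming form (or _snwprintf) and dropping the define. The `#define __WINCRYPT_H__` trick that suppresses wincrypt.h for the whole translation unit should also say in its comment that any later Windows header needing wincrypt.h declarations will fail to compile, since the failure will show up far from this line.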
@ -158,9 +175,17 @@ typedef int socklen_t;
#include <pthread.h>
#endif
/* TCP wrapper */
#if defined HAVE_TCPD_H && defined HAVE_LIBWRAP
#define USE_LIBWRAP 1
/* systemd */
#ifdef USE_SYSTEMD
#include <systemd/sd-daemon.h>
#endif
#ifdef HAVE_STDINT_H
#include <stdint.h>
#endif
#ifdef HAVE_INTTYPES_H
#include <inttypes.h>
#endif
/* must be included before sys/stat.h for Ultrix */
@ -185,10 +210,6 @@ typedef int socklen_t;
#ifdef USE_WIN32
typedef unsigned char u8;
typedef unsigned short u16;
typedef unsigned long u32;
#define HAVE_STRUCT_ADDRINFO
#define HAVE_SNPRINTF
#define snprintf _snprintf
@ -202,10 +223,9 @@ typedef unsigned long u32;
#define set_last_socket_error(e) WSASetLastError(e)
#define get_last_error() GetLastError()
#define set_last_error(e) SetLastError(e)
#define readsocket(s,b,n) recv((s),(b),(n),0)
#define writesocket(s,b,n) send((s),(b),(n),0)
#define readsocket(s,b,n) recv((s),(b),(int)(n),0)
#define writesocket(s,b,n) send((s),(b),(int)(n),0)
/* #define FD_SETSIZE 4096 */
/* #define Win32_Winsock */
#define __USE_W32_SOCKETS
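Review bot: the new `(int)(n)` casts in `readsocket`/`writesocket` silence the size_t-to-int warning but silently truncate any length above INT_MAX into a negative or wrapped value passed to recv()/send(). This is safe while callers never pass more than BUFFSIZE (18432), but that bound is not visible here; add a comment stating it, or an assertion at the call sites, so a future larger-buffer change does not turn into a wrong length on Win64.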
@ -216,6 +236,7 @@ typedef unsigned long u32;
#include <windows.h>
#include <process.h> /* _beginthread */
#include <shlobj.h> /* SHGetFolderPath */
#include <tchar.h>
#include "resources.h"
@ -224,22 +245,6 @@ typedef unsigned long u32;
#else /* USE_WIN32 */
#if SIZEOF_UNSIGNED_CHAR == 1
typedef unsigned char u8;
#endif
#if SIZEOF_UNSIGNED_SHORT == 2
typedef unsigned short u16;
#else
typedef unsigned int u16;
#endif
#if SIZEOF_UNSIGNED_INT == 4
typedef unsigned int u32;
#else
typedef unsigned long u32;
#endif
#ifdef __INNOTEK_LIBC__
#define socklen_t __socklen_t
#define strcasecmp stricmp
@ -265,10 +270,12 @@ typedef unsigned long u32;
#define ioctlsocket(a,b,c) ioctl((a),(b),(c))
#endif
typedef int SOCKET;
#define INVALID_SOCKET (-1)
/* OpenVMS compatibility */
#ifdef __vms
#define LIBDIR "__NA__"
#define PIDFILE "SYS$LOGIN:STUNNEL.PID"
#ifdef __alpha
#define HOST "alpha-openvms"
#else
@ -283,6 +290,9 @@ typedef unsigned long u32;
/* Unix-specific headers */
#include <signal.h> /* signal */
#include <sys/wait.h> /* wait */
#ifdef HAVE_LIMITS_H
#include <limits.h> /* INT_MAX */
#endif
#ifdef HAVE_SYS_RESOURCE_H
#include <sys/resource.h> /* getrlimit */
#endif
@ -298,6 +308,7 @@ typedef unsigned long u32;
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h> /* for aix */
#endif
#include <dirent.h>
#if defined(HAVE_POLL) && !defined(BROKEN_POLL)
#ifdef HAVE_POLL_H
@ -326,6 +337,7 @@ typedef unsigned long u32;
#include <sys/uio.h> /* struct iovec */
#endif /* HAVE_SYS_UIO_H */
/* BSD sockets */
#include <netinet/in.h> /* struct sockaddr_in */
#include <sys/socket.h> /* getpeername */
#include <arpa/inet.h> /* inet_ntoa */
@ -383,83 +395,108 @@ extern char *sys_errlist[];
#include <linux/netfilter_ipv4.h>
#endif /* HAVE_LINUX_NETFILTER_IPV4_H */
#endif /* __linux__ */
#ifdef HAVE_SYS_SYSCALL_H
#include <sys/syscall.h> /* SYS_gettid */
#endif
#ifdef HAVE_LINUX_SCHED_H
#include <linux/sched.h> /* SCHED_BATCH */
#endif
#endif /* USE_WIN32 */
#ifndef S_ISREG
#define S_ISREG(m) (((m)&S_IFMT)==S_IFREG)
#endif
/**************************************** OpenSSL headers */
#define OPENSSL_THREAD_DEFINES
#include <openssl/opensslconf.h>
#if defined(USE_PTHREAD) && !(defined(OPENSSL_THREADS) || \
(OPENSSL_VERSION_NUMBER<0x0090700fL && defined(THREADS)))
/* opensslv.h requires prior opensslconf.h to include -fips in version string */
#include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER<0x0090700fL
#error OpenSSL 0.9.7 or later is required
#endif /* OpenSSL older than 0.9.7 */
#if defined(USE_PTHREAD) && !defined(OPENSSL_THREADS)
#error OpenSSL library compiled without thread support
#endif /* !OPENSSL_THREADS && USE_PTHREAD */
#if defined (USE_WIN32) && defined(OPENSSL_FIPS)
#define USE_FIPS
#endif
/* OpenSSL 0.9.6 comp.h needs ZLIB macro to declare COMP_zlib() */
#define ZLIB
#include <openssl/lhash.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/crypto.h> /* for CRYPTO_* and SSLeay_version */
#include <openssl/rand.h>
#ifndef OPENSSL_NO_MD4
#include <openssl/md4.h>
#endif
#include <openssl/des.h>
#ifdef HAVE_OSSL_ENGINE_H
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#else
#undef HAVE_OSSL_ENGINE_H
#endif
#endif /* HAVE_OSSL_ENGINE_H */
#if OPENSSL_VERSION_NUMBER<0x0090800fL
#define OPENSSL_NO_ECDH
#define OPENSSL_NO_COMP
#endif /* OpenSSL older than 0.9.8 */
/* non-blocking OCSP API is not available before OpenSSL 0.9.8h */
#if OPENSSL_VERSION_NUMBER<0x00908080L
#ifdef HAVE_OSSL_OCSP_H
#undef HAVE_OSSL_OCSP_H
#endif /* HAVE_OSSL_OCSP_H */
#ifndef OPENSSL_NO_OCSP
#define OPENSSL_NO_OCSP
#endif /* !defined(OPENSSL_NO_OCSP) */
#endif /* OpenSSL older than 0.9.8h */
#ifdef HAVE_OSSL_OCSP_H
#include <openssl/ocsp.h>
#endif /* HAVE_OSSL_OCSP_H */
#ifdef HAVE_OSSL_FIPS_H
#include <openssl/fips.h>
#include <openssl/fips_rand.h>
#endif /* HAVE_OSSL_FIPS_H */
#if OPENSSL_VERSION_NUMBER<0x0090800fL
#define OPENSSL_NO_ECDH
#endif /* OpenSSL version < 0.8.0 */
#if OPENSSL_VERSION_NUMBER<0x00908060L
#define OPENSSL_NO_TLSEXT
#endif /* OpenSSL older than 0.9.8f */
#if OPENSSL_VERSION_NUMBER<0x10000000L
#define OPENSSL_NO_TLSEXT
#endif /* OpenSSL version < 1.0.0 */
#define OPENSSL_NO_PSK
#endif /* OpenSSL older than 1.0.0 */
#if OPENSSL_VERSION_NUMBER<0x10001000L || defined(OPENSSL_NO_TLS1)
#define OPENSSL_NO_TLS1_1
#define OPENSSL_NO_TLS1_2
#endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */
#if OPENSSL_VERSION_NUMBER>=0x10100000L
#ifndef OPENSSL_NO_SSL2
#define OPENSSL_NO_SSL2
#endif /* !defined(OPENSSL_NO_SSL2) */
#else /* OpenSSL older than 1.1.0 */
#define X509_STORE_CTX_get0_chain(x) X509_STORE_CTX_get_chain(x)
#endif /* OpenSSL 1.1.0 or newer */
#if defined(USE_WIN32) && defined(OPENSSL_FIPS)
#define USE_FIPS
#endif
#include <openssl/lhash.h>
#include <openssl/ssl.h>
#include <openssl/ui.h>
#include <openssl/err.h>
#include <openssl/crypto.h> /* for CRYPTO_* and SSLeay_version */
#include <openssl/rand.h>
#include <openssl/bn.h>
#include <openssl/pkcs12.h>
#ifndef OPENSSL_NO_MD4
#include <openssl/md4.h>
#endif /* !defined(OPENSSL_NO_MD4) */
#include <openssl/des.h>
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#if OPENSSL_VERSION_NUMBER<0x10100000L
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
#endif /* OpenSSL older than 1.1.0 */
#endif /* !defined(OPENSSL_NO_DH) */
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif /* !defined(OPENSSL_NO_ENGINE) */
#ifndef OPENSSL_NO_OCSP
#include <openssl/ocsp.h>
#endif /* !defined(OPENSSL_NO_OCSP) */
#ifndef OPENSSL_NO_COMP
/* not defined in public headers before OpenSSL 0.9.8 */
STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
#endif /* OPENSSL_NO_COMP */
#endif /* !defined(OPENSSL_NO_COMP) */
#ifndef OPENSSL_VERSION
#define OPENSSL_VERSION SSLEAY_VERSION
#define OpenSSL_version_num() SSLeay()
#define OpenSSL_version(x) SSLeay_version(x)
#endif
/**************************************** other defines */
/* change all non-printable characters to '.' */
#define safestring(s) \
do {unsigned char *p; for(p=(unsigned char *)(s); *p; p++) \
if(!isprint((int)*p)) *p='.';} while(0)
/* change all unsafe characters to '.' */
#define safename(s) \
do {unsigned char *p; for(p=(s); *p; p++) \
if(!isalnum((int)*p)) *p='.';} while(0)
/* always use IPv4 defaults! */
#define DEFAULT_LOOPBACK "127.0.0.1"
#define DEFAULT_ANY "0.0.0.0"
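Review bot: `safename()` omits the cast that `safestring()` has: `for(p=(s); *p; p++)` assigns a `char *` argument to an `unsigned char *` and triggers a pointer-sign warning at every use; make it `p=(unsigned char *)(s)` to match the sibling macro. The compatibility prototype `int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);` for OpenSSL older than 1.1.0 should carry a comment naming the source file that provides the definition, because common.h is included everywhere and a missing implementation only surfaces at link time.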
@ -480,7 +517,7 @@ STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
#endif /* defined (USE_WIN32) || defined (__vms) */
#ifndef offsetof
#define offsetof(T, F) ((unsigned int)((char *)&((T *)0L)->F - (char *)0L))
#define offsetof(T, F) ((unsigned)((char *)&((T *)0L)->F - (char *)0L))
#endif
#endif /* defined COMMON_H */

@ -51,18 +51,18 @@
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
/* Define to 1 if you have 'libpthread' library. */
#undef HAVE_LIBPTHREAD
/* Define to 1 if you have the <libutil.h> header file. */
#undef HAVE_LIBUTIL_H
/* Define to 1 if you have 'libwrap' library. */
#undef HAVE_LIBWRAP
/* Define to 1 if you have the <limits.h> header file. */
#undef HAVE_LIMITS_H
/* Define to 1 if you have the <linux/netfilter_ipv4.h> header file. */
#undef HAVE_LINUX_NETFILTER_IPV4_H
/* Define to 1 if you have the <linux/sched.h> header file. */
#undef HAVE_LINUX_SCHED_H
/* Define to 1 if you have the `localtime_r' function. */
#undef HAVE_LOCALTIME_R
@ -78,15 +78,6 @@
/* Define to 1 if you have the `openpty' function. */
#undef HAVE_OPENPTY
/* Define to 1 if you have <engine.h> header file. */
#undef HAVE_OSSL_ENGINE_H
/* Define to 1 if you have <fips.h> header file. */
#undef HAVE_OSSL_FIPS_H
/* Define to 1 if you have <ocsp.h> header file. */
#undef HAVE_OSSL_OCSP_H
/* Define to 1 if you have the `pipe2' function. */
#undef HAVE_PIPE2
@ -96,15 +87,24 @@
/* Define to 1 if you have the <poll.h> header file. */
#undef HAVE_POLL_H
/* Define if you have POSIX threads libraries and header files. */
#undef HAVE_PTHREAD
/* Define to 1 if you have the <pthread.h> header file. */
#undef HAVE_PTHREAD_H
/* Have PTHREAD_PRIO_INHERIT. */
#undef HAVE_PTHREAD_PRIO_INHERIT
/* Define to 1 if you have the `pthread_sigmask' function. */
#undef HAVE_PTHREAD_SIGMASK
/* Define to 1 if you have the <pty.h> header file. */
#undef HAVE_PTY_H
/* Define to 1 if you have the `realpath' function. */
#undef HAVE_REALPATH
/* Define to 1 if you have the `setgroups' function. */
#undef HAVE_SETGROUPS
@ -141,6 +141,9 @@
/* Define to 1 if you have the `sysconf' function. */
#undef HAVE_SYSCONF
/* Define to 1 if you have the <systemd/sd-daemon.h> header file. */
#undef HAVE_SYSTEMD_SD_DAEMON_H
/* Define to 1 if you have the <sys/filio.h> header file. */
#undef HAVE_SYS_FILIO_H
@ -162,6 +165,9 @@
/* Define to 1 if you have the <sys/stat.h> header file. */
#undef HAVE_SYS_STAT_H
/* Define to 1 if you have the <sys/syscall.h> header file. */
#undef HAVE_SYS_SYSCALL_H
/* Define to 1 if you have the <sys/types.h> header file. */
#undef HAVE_SYS_TYPES_H
@ -205,9 +211,6 @@
*/
#undef LT_OBJDIR
/* Define to 1 if your C compiler doesn't accept -c and -o together. */
#undef NO_MINUS_C_MINUS_O
/* Name of package */
#undef PACKAGE
@ -229,28 +232,20 @@
/* Define to the version of this package. */
#undef PACKAGE_VERSION
/* Define to necessary symbol if this constant uses a non-standard name on
your system. */
#undef PTHREAD_CREATE_JOINABLE
/* Random file path */
#undef RANDOM_FILE
/* The size of `unsigned char', as computed by sizeof. */
#undef SIZEOF_UNSIGNED_CHAR
/* The size of `unsigned int', as computed by sizeof. */
#undef SIZEOF_UNSIGNED_INT
/* The size of `unsigned long', as computed by sizeof. */
#undef SIZEOF_UNSIGNED_LONG
/* The size of `unsigned short', as computed by sizeof. */
#undef SIZEOF_UNSIGNED_SHORT
/* SSL directory */
/* TLS directory */
#undef SSLDIR
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
/* Define to 1 to enable OpenSSL FIPS mode. */
/* Define to 1 to enable OpenSSL FIPS support */
#undef USE_FIPS
/* Define to 1 to select FORK mode */
@ -259,17 +254,99 @@
/* Define to 1 to enable IPv6 support */
#undef USE_IPv6
/* Define to 1 to enable TCP wrappers support */
#undef USE_LIBWRAP
/* Define to 1 to select PTHREAD mode */
#undef USE_PTHREAD
/* Define to 1 to enable systemd socket activation */
#undef USE_SYSTEMD
/* Define to 1 to select UCONTEXT mode */
#undef USE_UCONTEXT
/* Version number of package */
#undef VERSION
/* Use Darwin source */
#undef _DARWIN_C_SOURCE
/* Enable large inode numbers on Mac OS X 10.5. */
#ifndef _DARWIN_USE_64_BIT_INODE
# define _DARWIN_USE_64_BIT_INODE 1
#endif
/* Number of bits in a file offset, on hosts where this is settable. */
#undef _FILE_OFFSET_BITS
/* Use GNU source */
#undef _GNU_SOURCE
/* Define for large files, on AIX-style hosts. */
#undef _LARGE_FILES
/* Define for Solaris 2.5.1 so the uint32_t typedef from <sys/synch.h>,
<pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
#define below would cause a syntax error. */
#undef _UINT32_T
/* Define for Solaris 2.5.1 so the uint64_t typedef from <sys/synch.h>,
<pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
#define below would cause a syntax error. */
#undef _UINT64_T
/* Define for Solaris 2.5.1 so the uint8_t typedef from <sys/synch.h>,
<pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
#define below would cause a syntax error. */
#undef _UINT8_T
/* Use X/Open 5 with POSIX 1995 */
#undef _XOPEN_SOURCE
/* Define to `int' if <sys/types.h> doesn't define. */
#undef gid_t
/* Define to the type of a signed integer type of width exactly 16 bits if
such a type exists and the standard includes do not define it. */
#undef int16_t
/* Define to the type of a signed integer type of width exactly 32 bits if
such a type exists and the standard includes do not define it. */
#undef int32_t
/* Define to the type of a signed integer type of width exactly 64 bits if
such a type exists and the standard includes do not define it. */
#undef int64_t
/* Define to the type of a signed integer type of width exactly 8 bits if such
a type exists and the standard includes do not define it. */
#undef int8_t
/* Define to `unsigned int' if <sys/types.h> does not define. */
#undef size_t
/* Type of socklen_t */
#undef socklen_t
/* Define to `int' if <sys/types.h> does not define. */
#undef ssize_t
/* Define to `int' if <sys/types.h> doesn't define. */
#undef uid_t
/* Define to the type of an unsigned integer type of width exactly 16 bits if
such a type exists and the standard includes do not define it. */
#undef uint16_t
/* Define to the type of an unsigned integer type of width exactly 32 bits if
such a type exists and the standard includes do not define it. */
#undef uint32_t
/* Define to the type of an unsigned integer type of width exactly 64 bits if
such a type exists and the standard includes do not define it. */
#undef uint64_t
/* Define to the type of an unsigned integer type of width exactly 8 bits if
such a type exists and the standard includes do not define it. */
#undef uint8_t

src/cron.c Normal file

@ -0,0 +1,201 @@
/*
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, see <http://www.gnu.org/licenses>.
*
* Linking stunnel statically or dynamically with other modules is making
* a combined work based on stunnel. Thus, the terms and conditions of
* the GNU General Public License cover the whole combination.
*
* In addition, as a special exception, the copyright holder of stunnel
* gives you permission to combine stunnel with free software programs or
* libraries that are released under the GNU LGPL and with code included
* in the standard release of OpenSSL under the OpenSSL License (or
* modified versions of such code, with unchanged license). You may copy
* and distribute such a system following the terms of the GNU GPL for
* stunnel and the licenses of the other code concerned.
*
* Note that people who make modified versions of stunnel are not obligated
* to grant this special exception for their modified versions; it is their
* choice whether to do so. The GNU General Public License gives permission
* to release a modified version without this exception; this exception
* also makes it possible to release a modified version which carries
* forward this exception.
*/
#include "common.h"
#include "prototypes.h"
#ifdef USE_PTHREAD
NOEXPORT void *cron_thread(void *arg);
#endif
#ifdef USE_WIN32
NOEXPORT void cron_thread(void *arg);
#endif
#if defined(USE_PTHREAD) || defined(USE_WIN32)
NOEXPORT void cron_worker(void);
NOEXPORT void cron_dh_param(void);
#endif
#if defined(USE_PTHREAD)
int cron_init() {
pthread_t thread;
pthread_attr_t pth_attr;
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
sigset_t new_set, old_set;
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
sigfillset(&new_set);
pthread_sigmask(SIG_SETMASK, &new_set, &old_set); /* block signals */
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
pthread_attr_init(&pth_attr);
pthread_attr_setdetachstate(&pth_attr, PTHREAD_CREATE_DETACHED);
if(pthread_create(&thread, &pth_attr, cron_thread, NULL))
ioerror("pthread_create");
pthread_attr_destroy(&pth_attr);
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
pthread_sigmask(SIG_SETMASK, &old_set, NULL); /* unblock signals */
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
return 0;
}
NOEXPORT void *cron_thread(void *arg) {
#ifdef SCHED_BATCH
struct sched_param param;
#endif
(void)arg; /* squash the unused parameter warning */
tls_alloc(NULL, NULL, "cron");
#ifdef SCHED_BATCH
param.sched_priority=0;
if(pthread_setschedparam(pthread_self(), SCHED_BATCH, &param))
ioerror("pthread_getschedparam");
#endif
cron_worker();
return NULL; /* it should never be executed */
}
#elif defined(USE_WIN32)
int cron_init() {
if((long)_beginthread(cron_thread, 0, NULL)==-1)
ioerror("_beginthread");
return 0;
}
NOEXPORT void cron_thread(void *arg) {
(void)arg; /* squash the unused parameter warning */
tls_alloc(NULL, NULL, "cron");
if(!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_LOWEST))
ioerror("SetThreadPriority");
cron_worker();
_endthread(); /* it should never be executed */
}
#else /* !defined(USE_PTHREAD) && !defined(USE_WIN32) */
int cron_init() {
/* not implemented for now */
return 0;
}
#endif
/* run the cron job every 24 hours */
#define CRON_PERIOD (24*60*60)
#if defined(USE_PTHREAD) || defined(USE_WIN32)
NOEXPORT void cron_worker(void) {
time_t now, then;
int delay;
s_log(LOG_DEBUG, "Cron thread initialized");
sleep(60); /* allow the other services to start with idle CPU */
time(&then);
for(;;) {
s_log(LOG_INFO, "Executing cron jobs");
#ifndef OPENSSL_NO_DH
cron_dh_param();
#endif /* OPENSSL_NO_DH */
time(&now);
s_log(LOG_INFO, "Cron jobs completed in %d seconds", (int)(now-then));
then+=CRON_PERIOD;
if(then>now) {
delay=(int)(then-now);
} else {
s_log(LOG_NOTICE, "Cron backlog cleared (possible hibernation)");
delay=CRON_PERIOD-(int)(now-then)%CRON_PERIOD;
then=now+delay;
}
s_log(LOG_DEBUG, "Waiting %d seconds", delay);
do { /* retry sleep() if it was interrupted by a signal */
sleep((unsigned)delay);
time(&now);
delay=(int)(then-now);
} while(delay>0);
s_log(LOG_INFO, "Reopening log file");
signal_post(SIGNAL_REOPEN_LOG);
}
}
#ifndef OPENSSL_NO_DH
NOEXPORT void cron_dh_param(void) {
SERVICE_OPTIONS *opt;
DH *dh;
if(!dh_needed)
return;
s_log(LOG_NOTICE, "Updating DH parameters");
#if OPENSSL_VERSION_NUMBER>=0x0090800fL
/* generate 2048-bit DH parameters */
dh=DH_new();
if(!dh) {
sslerror("DH_new");
return;
}
if(!DH_generate_parameters_ex(dh, 2048, 2, NULL)) {
DH_free(dh);
sslerror("DH_generate_parameters_ex");
return;
}
#else /* OpenSSL older than 0.9.8 */
dh=DH_generate_parameters(2048, 2, NULL, NULL);
if(!dh) {
sslerror("DH_generate_parameters");
return;
}
#endif
/* update global dh_params for future configuration reloads */
stunnel_write_lock(&stunnel_locks[LOCK_DH]);
DH_free(dh_params);
dh_params=dh;
stunnel_write_unlock(&stunnel_locks[LOCK_DH]);
/* set for all sections that require it */
for(opt=service_options.next; opt; opt=opt->next)
if(opt->option.dh_needed)
SSL_CTX_set_tmp_dh(opt->ctx, dh);
s_log(LOG_NOTICE, "DH parameters updated");
}
#endif /* OPENSSL_NO_DH */
#endif /* USE_PTHREAD || USE_WIN32 */
/* end of cron.c */
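Review bot: the error label in cron_thread() does not match the call: `if(pthread_setschedparam(pthread_self(), SCHED_BATCH, &param))` is followed by `ioerror("pthread_getschedparam");`, which will mislead anyone reading the log. Two larger points in the same file: cron_init() returns 0 even after `ioerror("pthread_create")` or `ioerror("_beginthread")`, so the caller cannot tell that the cron thread never started and DH parameters will never be refreshed; and in the FORK and UCONTEXT builds cron_init() is a stub, so those builds keep the compiled-in dhparam.c group for the life of the process, which should be stated in the documentation of the daily DH rotation. Finally, cron_dh_param() walks `service_options.next` outside LOCK_DH after releasing the write lock; if a configuration reload can replace that list concurrently, the walk needs whichever lock protects it.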

src/ctx.c

src/dhparam.c Normal file

@ -0,0 +1,57 @@
#include "common.h"
#ifndef OPENSSL_NO_DH
#define DN_new DH_new
#ifndef HEADER_DH_H
# include <openssl/dh.h>
#endif
DH *get_dh2048()
{
static unsigned char dhp_2048[] = {
0xE5, 0x09, 0xEB, 0x6B, 0x7E, 0xFF, 0x06, 0x2E, 0xE9, 0x8E,
0xEB, 0xB8, 0x15, 0x2E, 0x83, 0xE9, 0x77, 0x6B, 0x98, 0x80,
0xC2, 0x5B, 0xC7, 0x99, 0xEF, 0xD2, 0x3B, 0x75, 0x23, 0xD1,
0xEF, 0x4D, 0x2C, 0xE6, 0xE5, 0xD3, 0x6A, 0x5E, 0x38, 0x4A,
0x05, 0x15, 0x57, 0xFF, 0x46, 0x22, 0x0F, 0xDC, 0xC9, 0xF0,
0xA0, 0x4C, 0x2B, 0x70, 0x91, 0x30, 0x32, 0x3A, 0x20, 0x38,
0xB6, 0x62, 0xAE, 0x8C, 0x9E, 0x9B, 0x7A, 0x04, 0xCF, 0x9C,
0x20, 0x0C, 0x9D, 0x34, 0xFC, 0xB5, 0x46, 0x9E, 0xB6, 0x56,
0x94, 0x7A, 0x8E, 0x7B, 0xEA, 0x77, 0x3D, 0x1F, 0x57, 0xAD,
0xB0, 0xB7, 0xD6, 0x2E, 0x95, 0x5B, 0xA7, 0x1E, 0xF1, 0x84,
0x04, 0x7C, 0x77, 0x9B, 0x10, 0x8D, 0x5F, 0xA5, 0x2B, 0x0D,
0xCB, 0xFB, 0xB9, 0x0A, 0xCB, 0xDD, 0x70, 0x9F, 0x85, 0xBA,
0xE3, 0x6A, 0xD1, 0xE4, 0x83, 0x7B, 0x89, 0x66, 0xAC, 0x58,
0x12, 0x43, 0x5B, 0xA8, 0x02, 0xC0, 0x5C, 0x27, 0x61, 0x97,
0x5D, 0xEC, 0x94, 0x71, 0xB2, 0x13, 0x13, 0xAB, 0x30, 0x0C,
0x54, 0x54, 0x8C, 0xE2, 0x9D, 0x07, 0xDE, 0xE7, 0x62, 0x70,
0xDE, 0x6C, 0x48, 0xD7, 0x69, 0xDA, 0xBC, 0xDA, 0xB1, 0x82,
0xE4, 0xD7, 0xE4, 0xFB, 0x6D, 0x36, 0x46, 0x55, 0x30, 0x63,
0x18, 0x42, 0x82, 0x60, 0xE2, 0x76, 0x23, 0x56, 0x34, 0x25,
0xA9, 0x6A, 0xF1, 0x06, 0xB1, 0x68, 0xAD, 0x7F, 0xCE, 0x06,
0xEE, 0x85, 0xA5, 0x83, 0x85, 0x08, 0x45, 0x45, 0x09, 0xA7,
0x3D, 0xC9, 0xAC, 0xE6, 0x3A, 0x98, 0x93, 0xBF, 0x98, 0x2E,
0x4D, 0x00, 0x3B, 0x74, 0x62, 0x7B, 0x8D, 0xBD, 0x18, 0x6C,
0xAC, 0x4B, 0xEF, 0xF5, 0xAD, 0x0E, 0x2E, 0x85, 0x60, 0xE6,
0xF4, 0x3F, 0x25, 0xFE, 0xAE, 0xC3, 0x18, 0x9B, 0x04, 0x7B,
0xC7, 0x48, 0xE8, 0xC1, 0x3C, 0x13
};
static unsigned char dhg_2048[] = {
0x02
};
DH *dh = DH_new();
BIGNUM *dhp_bn, *dhg_bn;
if (dh == NULL)
return NULL;
dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
if (dhp_bn == NULL || dhg_bn == NULL
|| !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
DH_free(dh);
BN_free(dhp_bn);
BN_free(dhg_bn);
return NULL;
}
return dh;
}
#endif /* OPENSSL_NO_DH */
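Review bot: `#define DN_new DH_new` is dead in this file, since the body below calls DH_new() directly; drop the macro or add a comment saying what it works around. Also declare the function as `DH *get_dh2048(void)` so the declaration is a prototype rather than an old-style empty parameter list, and the two parameter arrays can be `static const unsigned char`, since BN_bin2bn() only reads them. The failure path (DH_free() before the two BN_free() calls, as ownership is not transferred when DH_set0_pqg() fails) is correct.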


@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@ -53,15 +53,15 @@
int getpeername(int s, struct sockaddr_in *name, int *len) {
char *value;
(void)s; /* skip warning about unused parameter */
(void)len; /* skip warning about unused parameter */
(void)s; /* squash the unused parameter warning */
(void)len; /* squash the unused parameter warning */
name->sin_family=AF_INET;
if((value=getenv("REMOTE_HOST")))
name->sin_addr.s_addr=inet_addr(value);
else
name->sin_addr.s_addr=htonl(INADDR_ANY);
if((value=getenv("REMOTE_PORT")))
name->sin_port=htons(atoi(value));
name->sin_port=htons((uint16_t)atoi(value));
else
name->sin_port=htons(0); /* dynamic port allocation */
return 0;
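Review bot: the `(uint16_t)atoi(value)` cast on the REMOTE_PORT line silences the conversion warning but does not validate the input: a REMOTE_PORT outside 0..65535 or a non-numeric string is silently truncated to an unrelated port number instead of being rejected. Parse with strtol(), check the end pointer and the 0..65535 range, and fall back to the "dynamic port allocation" branch on failure. `*len` is also left untouched, whereas a getpeername() replacement is expected to store the address length there.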

BIN
src/error.ico Normal file

Binary file not shown.



@ -1,8 +1,24 @@
# wce.mak for stunnel.exe by Michal Trojnara 2006-2012
# with help of Pierre Delaage <delaage.pierre@free.fr>
# pdelaage 20140610 : added UNICODE optional FLAG, always ACTIVE on WCE because of poor ANSI support
# pdelaage 20140610 : added _WIN32_WCE flag for RC compilation, to preprocess out "HELP" unsupported menu flag on WCE
# pdelaage 20140610 : ws2 lib is required to get WSAGetLastError routine (absent from winsock lib)
# pdelaage 20140610 : /Dx86 flag required for X86/Emulator targets, to get proper definition for InterlockedExchange
# pdelaage 20140610 : /MT flag is NON-SENSE for X86-WCE platforms, it is only meaningful for X86-W32-Desktop.
# for X86-WCE targets, although compiler "cl.exe" is REALLY the same as desktop W32 VS6 C++ compiler,
# the MT flags relating to LIBCMT is useless BECAUSE LIBCMT does NOT exist on WCE. No msvcrt on WCE either...
# pdelaage 20140610 : Note on /MC flag
# For other targets than X86/Emulator, /MC flag is redundant with "/nodefaultlib coredll.lib corelibc.lib" LD lib list.
# For << X86 / Emulator >> target, as the cl.exe compiler IS the SAME as the standard VS6.0 C++ compiler for Desktop Pentium processor,
# /MC flag is in fact NOT existing, thus requiring an explicit linking with core libs by using :
# /NODEFAULTLIB coredll.lib corelibc.lib,
# something that is correct for any WCE target, X86 and other, and leading /MC flag to be useless ALSO for other target than X86.
#
# DEFAULTLIB management: only 2 are necessary
# defaultlibS as given for CLxxx in the MS doc ARE WRONG
# defaultlibS, as given for CLxxx in the MS doc, ARE WRONG
# !!!!!!!!!!!!!!
# CUSTOMIZE THIS according to your wcecompat and openssl directories
@ -10,10 +26,10 @@
# Modify this to point to your actual openssl compile directory
# (You did already compile openssl, didn't you???)
SSLDIR=C:\Users\standard\Documents\Dvts\Contrib\openssl\v1.0.0a\patched3
SSLDIR=C:\Users\pdelaage\Dvts\Contrib\openssl
# Note that we currently use a multi-target customized version of legacy Essemer/wcecompat lib
COMPATDIR=C:\Users\standard\Documents\Dvts\Contrib\wcecompat\v12\patchedX86
COMPATDIR=C:\Users\pdelaage\Dvts\Contrib\wcecompat\v12\patched3emu
WCEVER=420
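Review bot: SSLDIR and COMPATDIR are swapped for other developer-specific absolute paths under C:\Users\pdelaage; since the comment above already asks the user to customize them, consider taking them from the environment with a default (`!IFNDEF SSLDIR` ... `!ENDIF` in NMAKE syntax) so the makefile does not need editing on every machine.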
@ -24,7 +40,8 @@ WCEVER=420
!IF "$(TARGETCPU)"=="X86"
WCETARGETCPU=_X86_
LDTARGETCPU=X86
MORECFLAGS=/MT
#pdelaage 20140621 /Dx86 for inline defs of InterlockedExchange inline in winbase.h; no more /MT
MORECFLAGS=/Dx86
# TODO: continue list for other targets : see wcecompat/wcedefs.mak for a good ref.
# see also openssl/util/pl/vc-32.pl, also link /?
@ -34,17 +51,20 @@ MORECFLAGS=/MT
!ELSEIF "$(TARGETCPU)"=="emulator"
WCETARGETCPU=_X86_
LDTARGETCPU=X86
MORECFLAGS=/MT
#pdelaage 20140621 /Dx86 for inline defs of InterlockedExchange inline in winbase.h; no more /MT
MORECFLAGS=/Dx86
!ELSEIF "$(TARGETCPU)"=="MIPS16" || "$(TARGETCPU)"=="MIPSII" || "$(TARGETCPU)"=="MIPSII_FP" || "$(TARGETCPU)"=="MIPSIV" || "$(TARGETCPU)"=="MIPSIV_FP"
WCETARGETCPU=_MIPS_
LDTARGETCPU=MIPS
MORECFLAGS=/DMIPS /MC
#pdelaage 20140621 no more /MC required
MORECFLAGS=/DMIPS
!ELSEIF "$(TARGETCPU)"=="SH3" || "$(TARGETCPU)"=="SH4"
WCETARGETCPU=SHx
LDTARGETCPU=$(TARGETCPU)
MORECFLAGS=/MC
#pdelaage 20140621 no more /MC required
MORECFLAGS=
!ELSE
# default is ARM !
@ -52,8 +72,8 @@ MORECFLAGS=/MC
# the following flag is required by (eg) winnt.h, and is different from targetcpu (armV4)
WCETARGETCPU=ARM
LDTARGETCPU=ARM
MORECFLAGS=/MC
#pdelaage 20140621 no more /MC required
MORECFLAGS=
!ENDIF
# ceutilsdir probably useless (nb : were tools from essemer; but ms delivers a cecopy anyway, see ms dld site)
@ -65,12 +85,17 @@ SDKDIR=$(SDKROOT)\$(OSVERSION)\$(PLATFORM)
INCLUDES=-I$(SSLDIR)\inc32 -I$(COMPATDIR)\include -I"$(SDKDIR)\include\$(TARGETCPU)"
# for X86 and other it appears that /MC or /ML flags are absurd,
# we always have to override runtime lib list to coredll and corelibc
LIBS=/NODEFAULTLIB winsock.lib wcecompatex.lib libeay32.lib ssleay32.lib coredll.lib corelibc.lib
#LIBS=/NODEFAULTLIB winsock.lib wcecompatex.lib libeay32.lib ssleay32.lib coredll.lib corelibc.lib
LIBS=/NODEFAULTLIB ws2.lib wcecompatex.lib libeay32.lib ssleay32.lib coredll.lib corelibc.lib
DEFINES=/DHOST=\"$(TARGETCPU)-WCE-eVC-$(WCEVER)\"
# pdelaage 20140610 added unicode flag : ALWAYS ACTIVE on WCE, because of poor ANSI support by the MS SDK
UNICODEFLAGS=/DUNICODE -D_UNICODE
# /O1 /Oi more correct vs MS doc
CFLAGS=/nologo $(MORECFLAGS) /O1 /Oi /W3 /WX /GF /Gy $(DEFINES) /D$(WCETARGETCPU) /D$(TARGETCPU) /DUNDER_CE=$(WCEVER) /D_WIN32_WCE=$(WCEVER) /DUNICODE -D_UNICODE $(INCLUDES)
RFLAGS=$(DEFINES) $(INCLUDES)
CFLAGS=/nologo $(MORECFLAGS) /O1 /Oi /W3 /WX /GF /Gy $(DEFINES) /D$(WCETARGETCPU) /D$(TARGETCPU) /DUNDER_CE=$(WCEVER) /D_WIN32_WCE=$(WCEVER) $(UNICODEFLAGS) $(INCLUDES)
# pdelaage 20140610 : RC compilation requires D_WIN32_WCE flag to comment out unsupported "HELP" flag in menu definition, in resources.rc file
RFLAGS=$(DEFINES) /D_WIN32_WCE=$(WCEVER) $(INCLUDES)
# LDFLAGS: since openssl >> 098a (eg 098h) out32dll is out32dll_targetCPU for WCE
# delaage added $(TARGETCPU) in legacy Essemer/wcecompat libpath
# to ease multitarget compilation without recompiling everything
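Review bot: the old `LIBS=... winsock.lib ...` line is kept as a commented-out copy next to the new ws2.lib line; the comment block at the top of the file already explains the switch (WSAGetLastError is only in ws2), so the dead line should go. The new UNICODEFLAGS variable mixes `/DUNICODE` and `-D_UNICODE`; use one switch style for both defines.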
@ -89,11 +114,12 @@ BIN=$(BINROOT)\$(TARGETCPU)
OBJS=$(OBJ)\stunnel.obj $(OBJ)\ssl.obj $(OBJ)\ctx.obj $(OBJ)\verify.obj \
$(OBJ)\file.obj $(OBJ)\client.obj $(OBJ)\protocol.obj $(OBJ)\sthreads.obj \
$(OBJ)\log.obj $(OBJ)\options.obj $(OBJ)\network.obj \
$(OBJ)\resolver.obj $(OBJ)\str.obj $(OBJ)\fd.obj
$(OBJ)\log.obj $(OBJ)\options.obj $(OBJ)\network.obj $(OBJ)\resolver.obj \
$(OBJ)\str.obj $(OBJ)\tls.obj $(OBJ)\fd.obj $(OBJ)\dhparam.obj \
$(OBJ)\cron.obj
GUIOBJS=$(OBJ)\gui.obj $(OBJ)\resources.res
NOGUIOBJS=$(OBJ)\nogui.obj
GUIOBJS=$(OBJ)\ui_win_gui.obj $(OBJ)\resources.res
CLIOBJS=$(OBJ)\ui_win_cli.obj
{$(SRC)\}.c{$(OBJ)\}.obj:
$(CC) $(CFLAGS) -Fo$@ -c $<
@ -115,11 +141,11 @@ makedirs:
$(BIN)\stunnel.exe:$(OBJS) $(GUIOBJS)
link $(LDFLAGS) /out:$(BIN)\stunnel.exe $(LIBS) commctrl.lib $**
$(BIN)\tstunnel.exe:$(OBJS) $(NOGUIOBJS)
$(BIN)\tstunnel.exe:$(OBJS) $(CLIOBJS)
link $(LDFLAGS) /out:$(BIN)\tstunnel.exe $(LIBS) $**
$(OBJ)\resources.res: $(SRC)\resources.rc $(SRC)\resources.h $(SRC)\version.h
$(OBJ)\gui.obj: $(SRC)\gui.c $(SRC)\version.h
$(OBJ)\ui_win_gui.obj: $(SRC)\ui_win_gui.c $(SRC)\version.h
$(OBJ)\stunnel.obj: $(SRC)\stunnel.c $(SRC)\version.h
# now list of openssl dll has more files,
@ -136,6 +162,6 @@ install: stunnel.exe tstunnel.exe
$(CEUTILSDIR)\cecopy $(SSLDIR)\out32dll_$(TARGETCPU)\ssleay32.dll $(DSTDIR)
clean:
-@ IF NOT "$(TARGETCPU)"=="" del $(OBJS) $(GUIOBJS) $(NOGUIOBJS) $(BIN)\stunnel.exe $(BIN)\tstunnel.exe >NUL 2>&1
-@ IF NOT "$(TARGETCPU)"=="" del $(OBJS) $(GUIOBJS) $(CLIOBJS) $(BIN)\stunnel.exe $(BIN)\tstunnel.exe >NUL 2>&1
-@ IF NOT "$(TARGETCPU)"=="" rmdir $(OBJ) >NUL 2>&1
-@ IF NOT "$(TARGETCPU)"=="" rmdir $(BIN) >NUL 2>&1


@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@ -49,19 +49,19 @@
/**************************************** prototypes */
static int setup_fd(int, int, char *);
NOEXPORT SOCKET setup_fd(SOCKET, int, char *);
/**************************************** internal limit of file descriptors */
#ifndef USE_FORK
static int max_fds;
static SOCKET max_fds;
void get_limits(void) { /* set max_fds and max_clients */
/* start with current ulimit */
#if defined(HAVE_SYSCONF)
errno=0;
max_fds=sysconf(_SC_OPEN_MAX);
max_fds=(SOCKET)sysconf(_SC_OPEN_MAX);
if(errno)
ioerror("sysconf");
if(max_fds<0)
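Review bot: `max_fds=(SOCKET)sysconf(_SC_OPEN_MAX)` followed by `if(max_fds<0)` only detects the -1 error return while SOCKET is a signed type; if SOCKET is ever unsigned on a platform that takes this branch, the check becomes always false and the cast turns -1 into a huge limit. Keep the long result of sysconf() in a local, check it for <0 (together with errno) before casting, and only then assign it to max_fds.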
@ -84,13 +84,13 @@ void get_limits(void) { /* set max_fds and max_clients */
max_fds=FD_SETSIZE; /* start with select() limit */
#endif /* select() on Unix */
/* stunnel needs at least 16 file desriptors */
/* stunnel needs at least 16 file descriptors */
if(max_fds && max_fds<16)
max_fds=16;
if(max_fds) {
max_clients=max_fds>=256 ? max_fds*125/256 : (max_fds-6)/2;
s_log(LOG_DEBUG, "Clients allowed=%d", max_clients);
max_clients=(long)(max_fds>=256 ? max_fds*125/256 : (max_fds-6)/2);
s_log(LOG_DEBUG, "Clients allowed=%ld", max_clients);
} else {
max_clients=0;
s_log(LOG_DEBUG, "No limit detected for the number of clients");
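Review bot: the `(long)` cast on the max_clients assignment is applied after the arithmetic, so `max_fds*125` is still evaluated in the SOCKET type and can overflow for very large descriptor limits before the result is widened; cast before multiplying (`(long)max_fds*125/256`). The `%ld` format change matches the new type of max_clients.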
@ -101,18 +101,27 @@ void get_limits(void) { /* set max_fds and max_clients */
/**************************************** file descriptor validation */
int s_socket(int domain, int type, int protocol, int nonblock, char *msg) {
SOCKET s_socket(int domain, int type, int protocol, int nonblock, char *msg) {
SOCKET fd;
#ifdef USE_NEW_LINUX_API
if(nonblock)
type|=SOCK_NONBLOCK;
type|=SOCK_CLOEXEC;
#endif
return setup_fd(socket(domain, type, protocol), nonblock, msg);
#ifdef USE_WIN32
/* http://stackoverflow.com/questions/4993119 */
/* CreateProcess() needs a non-overlapped handle */
fd=WSASocket(domain, type, protocol, NULL, 0, 0);
#else /* USE_WIN32 */
fd=socket(domain, type, protocol);
#endif /* USE_WIN32 */
return setup_fd(fd, nonblock, msg);
}
int s_accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen,
SOCKET s_accept(SOCKET sockfd, struct sockaddr *addr, socklen_t *addrlen,
int nonblock, char *msg) {
int fd;
SOCKET fd;
#ifdef USE_NEW_LINUX_API
if(nonblock)
@ -127,7 +136,7 @@ int s_accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen,
#ifndef USE_WIN32
int s_socketpair(int domain, int type, int protocol, int sv[2],
int s_socketpair(int domain, int type, int protocol, SOCKET sv[2],
int nonblock, char *msg) {
#ifdef USE_NEW_LINUX_API
if(nonblock)
@ -177,28 +186,28 @@ int s_pipe(int pipefd[2], int nonblock, char *msg) {
#endif /* USE_WIN32 */
static int setup_fd(int fd, int nonblock, char *msg) {
NOEXPORT SOCKET setup_fd(SOCKET fd, int nonblock, char *msg) {
#if !defined USE_NEW_LINUX_API && defined FD_CLOEXEC
int err;
#endif
if(fd<0) {
if(fd==INVALID_SOCKET) {
sockerror(msg);
return -1;
return INVALID_SOCKET;
}
#ifndef USE_FORK
if(max_fds && fd>=max_fds) {
s_log(LOG_ERR, "%s: FD=%d out of range (max %d)",
msg, fd, max_fds);
msg, (int)fd, (int)max_fds);
closesocket(fd);
return -1;
return INVALID_SOCKET;
}
#endif
#ifdef USE_NEW_LINUX_API
(void)nonblock; /* skip warning about unused parameter */
(void)nonblock; /* squash the unused parameter warning */
#else /* set O_NONBLOCK and F_SETFD */
set_nonblock(fd, nonblock);
set_nonblock(fd, (unsigned long)nonblock);
#ifdef FD_CLOEXEC
do {
err=fcntl(fd, F_SETFD, FD_CLOEXEC);
@ -216,7 +225,7 @@ static int setup_fd(int fd, int nonblock, char *msg) {
return fd;
}
void set_nonblock(int fd, unsigned long nonblock) {
void set_nonblock(SOCKET fd, unsigned long nonblock) {
#if defined F_GETFL && defined F_SETFL && defined O_NONBLOCK && !defined __INNOTEK_LIBC__
int err, flags;
@ -237,7 +246,7 @@ void set_nonblock(int fd, unsigned long nonblock) {
if(err<0)
sockerror("fcntl SETFL"); /* non-critical */
#else /* WIN32 or similar */
if(ioctlsocket(fd, FIONBIO, &nonblock)<0)
if(ioctlsocket(fd, (long)FIONBIO, &nonblock)<0)
sockerror("ioctlsocket"); /* non-critical */
#if 0
else


@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@ -40,20 +40,37 @@
#ifdef USE_WIN32
DISK_FILE *file_open(char *name, int wr) {
DISK_FILE *file_open(char *name, FILE_MODE mode) {
DISK_FILE *df;
LPTSTR tstr;
LPTSTR tname;
HANDLE fh;
DWORD desired_access, creation_disposition;
/* open file */
tstr=str2tstr(name);
fh=CreateFile(tstr, wr ? GENERIC_WRITE : GENERIC_READ,
FILE_SHARE_READ, NULL, wr ? OPEN_ALWAYS : OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL, (HANDLE)NULL);
str_free(tstr); /* str_free() overwrites GetLastError() value */
switch(mode) {
case FILE_MODE_READ:
desired_access=GENERIC_READ;
creation_disposition=OPEN_EXISTING;
break;
case FILE_MODE_APPEND:
/* reportedly more compatible than FILE_APPEND_DATA */
desired_access=GENERIC_WRITE;
creation_disposition=OPEN_ALWAYS; /* keep the data */
break;
case FILE_MODE_OVERWRITE:
desired_access=GENERIC_WRITE;
creation_disposition=CREATE_ALWAYS; /* remove the data */
break;
default: /* invalid mode */
return NULL;
}
tname=str2tstr(name);
fh=CreateFile(tname, desired_access, FILE_SHARE_READ, NULL,
creation_disposition, FILE_ATTRIBUTE_NORMAL, (HANDLE)NULL);
str_free(tname); /* str_free() overwrites GetLastError() value */
if(fh==INVALID_HANDLE_VALUE)
return NULL;
if(wr) /* append */
if(mode==FILE_MODE_APPEND) /* workaround for FILE_APPEND_DATA */
SetFilePointer(fh, 0, NULL, FILE_END);
/* setup df structure */
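Review bot: in the FILE_MODE_APPEND case the append is emulated with OPEN_ALWAYS plus `SetFilePointer(fh, 0, NULL, FILE_END)`, and the SetFilePointer() return value is not checked; a seek-then-write append is also not atomic across processes, so two writers of the same log file can overwrite each other's records, unlike a FILE_APPEND_DATA open. If the compatibility concern in the comment still holds, at least check for INVALID_SET_FILE_POINTER and document the race in the comment.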
@ -72,15 +89,24 @@ DISK_FILE *file_fdopen(int fd) {
return df;
}
DISK_FILE *file_open(char *name, int wr) {
DISK_FILE *file_open(char *name, FILE_MODE mode) {
DISK_FILE *df;
int fd, flags;
/* open file */
if(wr)
flags=O_CREAT|O_WRONLY|O_APPEND;
else
switch(mode) {
case FILE_MODE_READ:
flags=O_RDONLY;
break;
case FILE_MODE_APPEND:
flags=O_CREAT|O_WRONLY|O_APPEND;
break;
case FILE_MODE_OVERWRITE:
flags=O_CREAT|O_WRONLY|O_TRUNC;
break;
default: /* invalid mode */
return NULL;
}
#ifdef O_NONBLOCK
flags|=O_NONBLOCK;
#elif defined O_NDELAY
@ -90,7 +116,7 @@ DISK_FILE *file_open(char *name, int wr) {
flags|=O_CLOEXEC;
#endif /* O_CLOEXEC */
fd=open(name, flags, 0640);
if(fd<0)
if(fd==INVALID_SOCKET)
return NULL;
/* setup df structure */
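Review bot: `if(fd==INVALID_SOCKET)` replaces `if(fd<0)` on the result of open(), which returns an int file descriptor, not a SOCKET; this is only correct while INVALID_SOCKET is defined as -1 in the non-Win32 build, and it reads as if a socket were involved. Keep `fd<0` here, or introduce a separate INVALID_FD constant for plain descriptors.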
@ -107,19 +133,20 @@ void file_close(DISK_FILE *df) {
#ifdef USE_WIN32
CloseHandle(df->fh);
#else /* USE_WIN32 */
close(df->fd);
if(df->fd>2) /* never close stdin/stdout/stder */
close(df->fd);
#endif /* USE_WIN32 */
str_free(df);
}
int file_getline(DISK_FILE *df, char *line, int len) {
ssize_t file_getline(DISK_FILE *df, char *line, int len) {
/* this version is really slow, but performance is not important here */
/* (no buffering is implemented) */
int i;
ssize_t i;
#ifdef USE_WIN32
DWORD num;
#else /* USE_WIN32 */
int num;
ssize_t num;
#endif /* USE_WIN32 */
if(!df) /* not opened */
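Review bot: the new guard `if(df->fd>2)` keeps file_close() from closing the standard descriptors, which matches file_putline() writing to descriptor 2 when df is NULL; the comment has a typo ("stder" for "stderr"). In file_getline() the return type and the `i`/`num` counters become ssize_t while the `len` parameter stays int, so the loop comparisons now mix types; change `len` along with them.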
@ -146,13 +173,13 @@ int file_getline(DISK_FILE *df, char *line, int len) {
return i;
}
int file_putline(DISK_FILE *df, char *line) {
int len;
ssize_t file_putline(DISK_FILE *df, char *line) {
char *buff;
size_t len;
#ifdef USE_WIN32
DWORD num;
#else /* USE_WIN32 */
int num;
ssize_t num;
#endif /* USE_WIN32 */
len=strlen(line);
@ -163,53 +190,73 @@ int file_putline(DISK_FILE *df, char *line) {
#endif /* USE_WIN32 */
buff[len++]='\n'; /* LF */
#ifdef USE_WIN32
WriteFile(df->fh, buff, len, &num, NULL);
WriteFile(df->fh, buff, (DWORD)len, &num, NULL);
#else /* USE_WIN32 */
/* no file -> write to stderr */
num=write(df ? df->fd : 2, buff, len);
#endif /* USE_WIN32 */
str_free(buff);
return num;
return (ssize_t)num;
}
int file_permissions(const char *file_name) {
#if !defined(USE_WIN32) && !defined(USE_OS2)
struct stat sb; /* buffer for stat */
/* check permissions of the private key file */
if(stat(file_name, &sb)) {
ioerror(file_name);
return 1; /* FAILED */
}
if(sb.st_mode & 7)
s_log(LOG_WARNING,
"Insecure file permissions on %s", file_name);
#else
(void)file_name; /* squash the unused parameter warning */
#endif
return 0;
}
#ifdef USE_WIN32
LPTSTR str2tstr(const LPSTR in) {
LPTSTR str2tstr(LPCSTR in) {
LPTSTR out;
#ifdef UNICODE
int len;
#ifdef UNICODE
len=MultiByteToWideChar(CP_ACP, 0, in, -1, NULL, 0);
len=MultiByteToWideChar(CP_UTF8, 0, in, -1, NULL, 0);
if(!len)
return NULL;
out=str_alloc((len+1)*sizeof(WCHAR));
len=MultiByteToWideChar(CP_ACP, 0, in, -1, out, len);
if(!len)
return NULL;
return str_tprintf(TEXT("MultiByteToWideChar() failed"));
out=str_alloc(((size_t)len+1)*sizeof(WCHAR));
len=MultiByteToWideChar(CP_UTF8, 0, in, -1, out, len);
if(!len) {
str_free(out);
return str_tprintf(TEXT("MultiByteToWideChar() failed"));
}
#else
len=strlen(in);
out=str_alloc(len+1);
strcpy(out, in);
/* FIXME: convert UTF-8 to native codepage */
out=str_dup(in);
#endif
return out;
}
LPSTR tstr2str(const LPTSTR in) {
LPSTR tstr2str(LPCTSTR in) {
LPSTR out;
#ifdef UNICODE
int len;
#ifdef UNICODE
len=WideCharToMultiByte(CP_ACP, 0, in, -1, NULL, 0, NULL, NULL);
len=WideCharToMultiByte(CP_UTF8, 0, in, -1, NULL, 0, NULL, NULL);
if(!len)
return NULL;
out=str_alloc(len+1);
len=WideCharToMultiByte(CP_ACP, 0, in, -1, out, len, NULL, NULL);
if(!len)
return NULL;
return str_printf("WideCharToMultiByte() failed");
out=str_alloc((size_t)len+1);
len=WideCharToMultiByte(CP_UTF8, 0, in, -1, out, len, NULL, NULL);
if(!len) {
str_free(out);
return str_printf("WideCharToMultiByte() failed");
}
#else
len=strlen(in);
out=str_alloc(len+1);
strcpy(out, in);
/* FIXME: convert native codepage to UTF-8 */
out=str_dup(in);
#endif
return out;
}
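Review bot: on conversion failure str2tstr() and tstr2str() now return the error message itself (`str_tprintf(TEXT("MultiByteToWideChar() failed"))`) instead of NULL, so a caller such as file_open(), which hands the result straight to CreateFile(), would try to open a file literally named after the error; log the error with s_log() and return NULL, and make the callers check for it. Two smaller points in the same hunk: the BOOL result of WriteFile() is ignored before `return (ssize_t)num`, so a failed write is indistinguishable from a zero-length one, and file_permissions() only warns on the world bits (`sb.st_mode & 7`) and always returns 0, so a group-readable private key passes without any message; consider testing `077` as well.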

BIN
src/idle.ico Normal file

Binary file not shown.



@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
* stunnel TLS offloading and load-balancing proxy
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@ -42,23 +42,33 @@
#include <tcpd.h>
static int check(char *, int);
#if defined(USE_PTHREAD) && !defined(__CYGWIN__)
/* http://wiki.osdev.org/Cygwin_Issues#Passing_file_descriptors */
#define USE_LIBWRAP_POOL
#endif /* USE_PTHREAD && !__CYGWIN__ */
NOEXPORT int check(char *, int);
int allow_severity=LOG_NOTICE, deny_severity=LOG_WARNING;
#ifdef USE_PTHREAD
#ifdef USE_LIBWRAP_POOL
#define SERVNAME_LEN 256
static ssize_t read_fd(int, void *, size_t, int *);
static ssize_t write_fd(int, void *, size_t, int);
NOEXPORT ssize_t read_fd(int, void *, size_t, int *);
NOEXPORT ssize_t write_fd(int, void *, size_t, int);
int num_processes=0;
unsigned num_processes=0;
static int *ipc_socket, *busy;
#endif /* USE_PTHREAD */
#endif /* USE_LIBWRAP_POOL */
#ifdef __GNUC__
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wunused-result"
#endif /* __GNUC__ */
int libwrap_init() {
#ifdef USE_PTHREAD
int i, j, rfd, result;
#ifdef USE_LIBWRAP_POOL
unsigned i, j;
int rfd, result;
char servname[SERVNAME_LEN];
static int initialized=0;
SERVICE_OPTIONS *opt;
@ -82,10 +92,11 @@ int libwrap_init() {
ioerror("fork");
return 1;
case 0: /* child */
tls_alloc(NULL, ui_tls, "libwrap");
drop_privileges(0); /* libwrap processes are not chrooted */
close(0); /* stdin */
close(1); /* stdout */
if(!global_options.option.foreground) /* for logging in read_fd */
if(!global_options.option.log_stderr) /* for logging in read_fd */
close(2); /* stderr */
for(j=0; j<=i; ++j) /* close parent-side sockets created so far */
close(ipc_socket[2*j]);
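Review bot: the child closes descriptors 0 and 1 (and 2 unless log_stderr is set) without reopening them on /dev/null, so the next descriptor the helper obtains, such as the rfd received through read_fd(), lands on 0, 1 or 2, and any library code that writes to stdout or stderr writes into a client socket. Open /dev/null with O_RDWR and dup2() it onto the three standard descriptors instead of closing them.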
@ -93,7 +104,7 @@ int libwrap_init() {
if(read_fd(ipc_socket[2*i+1], servname, SERVNAME_LEN, &rfd)<=0)
_exit(0);
result=check(servname, rfd);
write(ipc_socket[2*i+1], (u8 *)&result, sizeof result);
write(ipc_socket[2*i+1], (uint8_t *)&result, sizeof result);
if(rfd>=0)
close(rfd);
}
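Review bot: the result of `write(ipc_socket[2*i+1], (uint8_t *)&result, sizeof result)` is still unchecked, which is what the `#pragma GCC diagnostic ignored "-Wunused-result"` around libwrap_init() exists to hide; the parent reads exactly `sizeof result` bytes with s_read(), so a short write or an EINTR here leaves the parent waiting for the rest of the reply. Loop until all bytes are written (or _exit() on error) and drop the pragma.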
@ -102,18 +113,22 @@ int libwrap_init() {
}
}
initialized=1;
#endif /* USE_PTHREAD */
#endif /* USE_LIBWRAP_POOL */
return 0;
}
#ifdef __GNUC__
#pragma GCC diagnostic pop
#endif /* __GNUC__ */
void libwrap_auth(CLI *c, char *accepted_address) {
int result=0; /* deny by default */
#ifdef USE_PTHREAD
static volatile int num_busy=0, roundrobin=0;
int retval, my_process;
#ifdef USE_LIBWRAP_POOL
static volatile unsigned num_busy=0, roundrobin=0;
unsigned my_process;
int retval;
static pthread_mutex_t mutex=PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t cond=PTHREAD_COND_INITIALIZER;
#endif /* USE_PTHREAD */
#endif /* USE_LIBWRAP_POOL */
if(!c->opt->option.libwrap) /* libwrap is disabled for this service */
return; /* allow connection */
@ -123,7 +138,7 @@ void libwrap_auth(CLI *c, char *accepted_address) {
return;
}
#endif
#ifdef USE_PTHREAD
#ifdef USE_LIBWRAP_POOL
if(num_processes) {
s_log(LOG_DEBUG, "Waiting for a libwrap process");
@ -156,8 +171,8 @@ void libwrap_auth(CLI *c, char *accepted_address) {
s_log(LOG_DEBUG, "Acquired libwrap process #%d", my_process);
write_fd(ipc_socket[2*my_process], c->opt->servname,
strlen(c->opt->servname)+1, c->local_rfd.fd);
read_blocking(c, ipc_socket[2*my_process],
(u8 *)&result, sizeof result);
s_read(c, ipc_socket[2*my_process],
(uint8_t *)&result, sizeof result);
s_log(LOG_DEBUG, "Releasing libwrap process #%d", my_process);
retval=pthread_mutex_lock(&mutex);
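Review bot: my_process is now `unsigned` (see the declaration change in libwrap_auth() above) but the "libwrap process #%d" log lines in this hunk still use `%d`; switch them to `%u`. Also `c->opt->servname` is sent with `strlen(c->opt->servname)+1` bytes while the child reads at most SERVNAME_LEN (256) bytes into servname, so a longer service name arrives truncated without its terminating NUL; the child should NUL-terminate the buffer or the sender should bound the length.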
@ -183,11 +198,11 @@ void libwrap_auth(CLI *c, char *accepted_address) {
s_log(LOG_DEBUG, "Released libwrap process #%d", my_process);
} else
#endif /* USE_PTHREAD */
#endif /* USE_LIBWRAP_POOL */
{ /* use original, synchronous libwrap calls */
enter_critical_section(CRIT_LIBWRAP);
stunnel_write_lock(&stunnel_locks[LOCK_LIBWRAP]);
result=check(c->opt->servname, c->local_rfd.fd);
leave_critical_section(CRIT_LIBWRAP);
stunnel_write_unlock(&stunnel_locks[LOCK_LIBWRAP]);
}
if(!result) {
s_log(LOG_WARNING, "Service [%s] REFUSED by libwrap from %s",
@ -199,7 +214,7 @@ void libwrap_auth(CLI *c, char *accepted_address) {
c->opt->servname, accepted_address);
}
static int check(char *name, int fd) {
NOEXPORT int check(char *name, int fd) {
struct request_info request;
request_init(&request, RQ_DAEMON, name, RQ_FILE, fd, 0);
@ -207,9 +222,9 @@ static int check(char *name, int fd) {
return hosts_access(&request);
}
#ifdef USE_PTHREAD
#ifdef USE_LIBWRAP_POOL
static ssize_t read_fd(int fd, void *ptr, size_t nbytes, int *recvfd) {
NOEXPORT ssize_t read_fd(SOCKET fd, void *ptr, size_t nbytes, SOCKET *recvfd) {
struct msghdr msg;
struct iovec iov[1];
ssize_t n;
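Review bot: read_fd() is redefined with `SOCKET fd` and `SOCKET *recvfd`, but its forward declaration earlier in this file (`NOEXPORT ssize_t read_fd(int, void *, size_t, int *);`) and the libwrap_init() caller that passes `&rfd` with `int rfd` were not updated, nor was write_fd(), which still takes int; this only compiles because SOCKET is int on the platforms where the pool is built. Update the prototype and the callers together, or keep int here, since the libwrap pool is never built on Win32.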
@ -238,7 +253,7 @@ static ssize_t read_fd(int fd, void *ptr, size_t nbytes, int *recvfd) {
msg.msg_iov=iov;
msg.msg_iovlen=1;
*recvfd=-1; /* descriptor was not passed */
*recvfd=INVALID_SOCKET; /* descriptor was not passed */
n=recvmsg(fd, &msg, 0);
if(n<=0)
return n;
@ -264,7 +279,7 @@ static ssize_t read_fd(int fd, void *ptr, size_t nbytes, int *recvfd) {
return n;
}
static ssize_t write_fd(int fd, void *ptr, size_t nbytes, int sendfd) {
NOEXPORT ssize_t write_fd(int fd, void *ptr, size_t nbytes, int sendfd) {
struct msghdr msg;
struct iovec iov[1];
@ -299,7 +314,7 @@ static ssize_t write_fd(int fd, void *ptr, size_t nbytes, int sendfd) {
return sendmsg(fd, &msg, 0);
}
#endif /* USE_PTHREAD */
#endif /* USE_LIBWRAP_POOL */
#endif /* USE_LIBWRAP */

Some files were not shown because too many files have changed in this diff