Imported Upstream version 5.42
parent 74a62c14eb
commit d419cab3c4
@ -0,0 +1,27 @@
sudo: false

language: c

os:
- linux
- osx

compiler:
- gcc
- clang

env:
- CONFIGURE_OPTIONS='--with-threads=pthread'
- CONFIGURE_OPTIONS='--with-threads=fork'
- CONFIGURE_OPTIONS='--with-threads=ucontext'
- CONFIGURE_OPTIONS='--disable-ipv6 --disable-fips --disable-systemd --disable-libwrap'

addons:
apt:
packages:
- libssl-dev
- libwrap0-dev

before_script: autoreconf -fvi && touch src/dhparam.c

script: ./configure $CONFIGURE_OPTIONS && make && make test
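Review bot: the `touch src/dhparam.c` step in before_script needs a comment saying why it is there. Its only effect is to bump the file's mtime so make treats src/dhparam.c as up to date, presumably to skip regenerating the DH parameters that the ChangeLog in this same commit says are shipped per release (5.18 entry) and regenerated daily at runtime (5.40 entry); without that explanation a later reader may drop the step or read it as papering over a real build problem. Second, the apt addon that installs libssl-dev and libwrap0-dev applies to the linux jobs only, so on the osx jobs every matrix entry except the one with --disable-libwrap links libwrap from whatever the image happens to provide; either exclude those combinations for osx or state that expectation next to the addon.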
AUTHORS
@ -1,4 +1,4 @@
stunnel authors

Michal Trojnara <Michal.Trojnara@mirt.net>
Michal Trojnara <Michal.Trojnara@stunnel.org>

COPYING
@ -1,6 +1,6 @@
stunnel license (see COPYRIGHT.GPL for detailed GPL conditions)

Copyright (C) 1998-2013 Michal Trojnara
Copyright (C) 1998-2017 Michal Trojnara

This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software

CREDITS
@ -1,9 +1,40 @@
Special thx to:
stunnel code contributions


The code contributions are licensed as public domain unless stated otherwise.

Several Win32 and WCE improvements and bugfixes:
* Pierre Delaage <delaage.pierre@free.fr>

systemd socket activation in version 5.05:
Copyright (c) 2014 Mark Theunissen

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

Several bugfixes and improvements mostly in versions 3.xx:
* Brian Hatch <bri@stunnel.org>

Initial PTY support in version 3.05:
* Dirk O. Siebnich <dok@vossnet.de>

Initial SSL support in versions 1.x:
* Adam Hernik <adas@infocentrum.com>
* Pawel Krawczyk <kravietz@ceti.com.pl>
* Brian Hatch <bri@stunnel.org>
* Dirk O. Siebnich <dok@vossnet.de> for PTY support

and many others...

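Review bot: the new top line "The code contributions are licensed as public domain unless stated otherwise." is separated from the one stated exception, the MIT text for Mark Theunissen's systemd socket activation, by the Pierre Delaage entry, so a packager skimming the file has to read the whole thing to learn which entries the exception covers; either move the sentence directly above the MIT block or list the exceptions explicitly after it. Also, this rendering shows no added/removed markers: if "* Dirk O. Siebnich <dok@vossnet.de> for PTY support" under "Initial SSL support in versions 1.x:" and the second "* Brian Hatch <bri@stunnel.org>" survive in the new file, they duplicate the dedicated "Initial PTY support in version 3.05:" and "Several bugfixes and improvements mostly in versions 3.xx:" entries above them and should be dropped so each contribution is listed once.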
670
ChangeLog
670
ChangeLog
|
@ -1,5 +1,670 @@
|
|||
stunnel change log
|
||||
|
||||
Version 5.42, 2017.07.16, urgency: HIGH
|
||||
* New features
|
||||
- "redirect" also supports "exec" and not only "connect".
|
||||
- PKCS#11 engine DLL updated to version 0.4.7.
|
||||
* Bugfixes
|
||||
- Fixed premature cron thread initialization causing hangs.
|
||||
- Fixed "verifyPeer = yes" on OpenSSL <= 1.0.1.
|
||||
- Fixed pthreads support on OpenSolaris.
|
||||
|
||||
Version 5.41, 2017.04.01, urgency: MEDIUM
|
||||
* New features
|
||||
- PKCS#11 engine DLL updated to version 0.4.5.
|
||||
- Default engine UI set with ENGINE_CTRL_SET_USER_INTERFACE.
|
||||
- Key file name added into the passphrase console prompt.
|
||||
- Performance optimization in memory leak detection.
|
||||
* Bugfixes
|
||||
- Fixed crashes with the OpenSSL 1.1.0 branch.
|
||||
- Fixed certificate verification with "verifyPeer = yes"
|
||||
and "verifyChain = no" (the default), while the peer
|
||||
only returns a single certificate.
|
||||
|
||||
Version 5.40, 2017.01.28, urgency: HIGH
|
||||
* Security bugfixes
|
||||
- OpenSSL DLLs updated to version 1.0.2k.
|
||||
https://www.openssl.org/news/secadv/20170126.txt
|
||||
* New features
|
||||
- DH ciphersuites are now disabled by default.
|
||||
- The daily server DH parameter regeneration is only performed if
|
||||
DH ciphersuites are enabled in the configuration file.
|
||||
- "checkHost" and "checkEmail" were modified to require either
|
||||
"verifyChain" or "verifyPeer" (thx to Małorzata Olszówka).
|
||||
* Bugfixes
|
||||
- Fixed setting default ciphers.
|
||||
|
||||
Version 5.39, 2017.01.01, urgency: LOW
|
||||
* New features
|
||||
- PKCS#11 engine (pkcs11.dll) added to the Win32 build.
|
||||
- Per-destination TLS session cache added for the client mode.
|
||||
- The new "logId" parameter "process" added to log PID values.
|
||||
- Added support for the new SSL_set_options() values.
|
||||
- Updated the manual page.
|
||||
- Obsolete references to "SSL" replaced with "TLS".
|
||||
* Bugfixes
|
||||
- Fixed "logId" parameter to also work in inetd mode.
|
||||
- "delay = yes" properly enforces "failover = prio".
|
||||
- Fixed fd_set allocation size on Win64.
|
||||
- Fixed reloading invalid configuration file on Win32.
|
||||
- Fixed resolving addresses with unconfigured network interfaces.
|
||||
|
||||
Version 5.38, 2016.11.26, urgency: MEDIUM
|
||||
* New features
|
||||
- "sni=" can be used to prevent sending the SNI extension.
|
||||
- The AI_ADDRCONFIG resolver flag is used when available.
|
||||
- Merged Debian 06-lfs.patch (thx to Peter Pentchev).
|
||||
* Bugfixes
|
||||
- Fixed a memory allocation bug causing crashes with OpenSSL 1.1.0.
|
||||
- Fixed error handling for mixed IPv4/IPv6 destinations.
|
||||
- Merged Debian 08-typos.patch (thx to Peter Pentchev).
|
||||
|
||||
Version 5.37, 2016.11.06, urgency: MEDIUM
|
||||
* Bugfixes
|
||||
- OpenSSL DLLs updated to version 1.0.2j (stops crashes).
|
||||
- The default SNI target (not handled by any slave service)
|
||||
is handled by the master service rather than rejected.
|
||||
- Removed thread synchronization in the FORK threading model.
|
||||
|
||||
Version 5.36, 2016.09.22, urgency: HIGH
|
||||
* Security bugfixes
|
||||
- OpenSSL DLLs updated to version 1.0.2i.
|
||||
https://www.openssl.org/news/secadv_20160922.txt
|
||||
* New features
|
||||
- Added support for OpenSSL 1.1.0 built with "no-deprecated".
|
||||
- Removed direct zlib dependency.
|
||||
|
||||
Version 5.35, 2016.07.18, urgency: HIGH
|
||||
* Bugfixes
|
||||
- Fixed incorrectly enforced client certificate requests.
|
||||
- Only default to SO_EXCLUSIVEADDRUSE on Vista and later.
|
||||
- Fixed thread safety of the configuration file reopening.
|
||||
|
||||
Version 5.34, 2016.07.05, urgency: HIGH
|
||||
* Security bugfixes
|
||||
- Fixed malfunctioning "verify = 4".
|
||||
* New features
|
||||
- Bind sockets with SO_EXCLUSIVEADDRUSE on WIN32.
|
||||
- Added three new service-level options: requireCert, verifyChain,
|
||||
and verifyPeer for fine-grained certificate verification control.
|
||||
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
|
||||
|
||||
Version 5.33, 2016.06.23, urgency: HIGH
|
||||
* New features
|
||||
- Improved memory leak detection performance and accuracy.
|
||||
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
|
||||
- SNI support also enabled on OpenSSL 0.9.8f and later (thx to
|
||||
Guillermo Rodriguez Garcia).
|
||||
- Added support for PKCS #12 (.p12/.pfx) certificates (thx to
|
||||
Dmitry Bakshaev).
|
||||
* Bugfixes
|
||||
- Fixed a TLS session caching memory leak (thx to Richard Kraemer).
|
||||
Before stunnel 5.27 this leak only emerged with sessiond enabled.
|
||||
- Yet another WinCE socket fix (thx to Richard Kraemer).
|
||||
- Fixed passphrase/pin dialogs in tstunnel.exe.
|
||||
- Fixed a FORK threading build regression bug.
|
||||
- OPENSSL_NO_DH compilation fix (thx to Brian Lin).
|
||||
|
||||
Version 5.32, 2016.05.03, urgency: HIGH
|
||||
* Security bugfixes
|
||||
- OpenSSL DLLs updated to version 1.0.2h.
|
||||
https://www.openssl.org/news/secadv_20160503.txt
|
||||
* New features
|
||||
- New "socket = a:IPV6_V6ONLY=yes" option to only bind IPv6.
|
||||
- Memory leak detection.
|
||||
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
|
||||
- Added/fixed Red Hat scripts (thx to Andrew Colin Kissa).
|
||||
* Bugfixes
|
||||
- Workaround for a WinCE sockets quirk (thx to Richard Kraemer).
|
||||
- Fixed data alignment on 64-bit MSVC (thx to Yuris W. Auzins).
|
||||
|
||||
Version 5.31, 2016.03.01, urgency: HIGH
|
||||
* Security bugfixes
|
||||
- OpenSSL DLLs updated to version 1.0.2g.
|
||||
https://www.openssl.org/news/secadv_20160301.txt
|
||||
* New features
|
||||
- Added logging the list of client CAs requested by the server.
|
||||
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
|
||||
* Bugfixes
|
||||
- Only reset the watchdog if some data was actually transferred.
|
||||
- A workaround implemented for the unexpected exceptfds set by
|
||||
select() on WinCE 6.0 (thx to Richard Kraemer).
|
||||
- Fixed logging an incorrect value of the round-robin starting
|
||||
point (thx to Jose Alf.).
|
||||
|
||||
Version 5.30, 2016.01.28, urgency: HIGH
|
||||
* Security bugfixes
|
||||
- OpenSSL DLLs updated to version 1.0.2f.
|
||||
https://www.openssl.org/news/secadv_20160128.txt
|
||||
* New features
|
||||
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
|
||||
- Added OpenSSL autodetection for the recent versions of Xcode.
|
||||
* Bugfixes
|
||||
- Fixed references to /etc removed from stunnel.init.in.
|
||||
- Stopped even trying -fstack-protector on unsupported platforms
|
||||
(thx to Rob Lockhart).
|
||||
|
||||
Version 5.29, 2016.01.08, urgency: LOW
|
||||
* New features
|
||||
- New WIN32 icons.
|
||||
- Performance improvement: rwlocks used for locking with pthreads.
|
||||
* Bugfixes
|
||||
- Compilation fix for *BSD.
|
||||
- Fixed configuration file reload for relative stunnel.conf path
|
||||
on Unix.
|
||||
- Fixed ignoring CRLfile unless CAfile was also specified (thx
|
||||
to Strukov Petr).
|
||||
|
||||
Version 5.28, 2015.12.11, urgency: HIGH
|
||||
* New features
|
||||
- Build matrix (.travis.yml) extended with ./configure options.
|
||||
- mingw.mak updated to build tstunnel.exe (thx to Jose Alf.).
|
||||
* Bugfixes
|
||||
- Fixed incomplete initialization.
|
||||
- Fixed UCONTEXT threading on OSX.
|
||||
- Fixed exit codes for information requests (as
|
||||
in "stunnel -version" or "stunnel -help").
|
||||
|
||||
Version 5.27, 2015.12.03, urgency: MEDIUM
|
||||
* Security bugfixes
|
||||
- OpenSSL DLLs updated to version 1.0.2e.
|
||||
https://www.openssl.org/news/secadv_20151203.txt
|
||||
* New features
|
||||
- Automated build testing configured with .travis.yml.
|
||||
- Added reading server certificates from hardware engines.
|
||||
For example: cert = id_45
|
||||
- Only attempt to use potentially harmful compiler or linker
|
||||
options if gcc was detected.
|
||||
- /opt/csw added to the OpenSSL directory lookup list.
|
||||
- mingw.mak updates (thx to Jose Alf.).
|
||||
- TODO list updated.
|
||||
|
||||
Version 5.26, 2015.11.06, urgency: MEDIUM
|
||||
* Bugfixes
|
||||
- Compilation fixes for OSX, *BSD and Solaris.
|
||||
|
||||
Version 5.25, 2015.11.02, urgency: MEDIUM
|
||||
* New features
|
||||
- SMTP client protocol negotiation support for
|
||||
"protocolUsername", "protocolPassword", and
|
||||
"protocolAuthentication" (thx to Douglas Harris).
|
||||
- New service-level option "config" to specify configuration
|
||||
commands introduced in OpenSSL 1.0.2 (thx to Stephen Wall).
|
||||
- The global option "foreground" now also accepts "quiet"
|
||||
parameter, which does not enable logging to stderr.
|
||||
- Manual page updated.
|
||||
- Obsolete OpenSSL engines removed from the Windows build:
|
||||
4758cca, aep, atalla, cswift, nuron, sureware.
|
||||
- Improved compatibility with the current OpenSSL 1.1.0-dev tree:
|
||||
gracefully handle symbols renamed from SSLeay* to OpenSSL*.
|
||||
* Bugfixes
|
||||
- Fixed the "s_poll_wait returned 1, but no descriptor
|
||||
is ready" internal error.
|
||||
- Fixed "exec" hangs due to incorrect thread-local
|
||||
storage handling (thx to Philip Craig).
|
||||
- Fixed PRNG initialization (thx to Philip Craig).
|
||||
- Setting socket options no longer performed on PTYs.
|
||||
- Fixed 64-bit Windows build.
|
||||
|
||||
Version 5.24, 2015.10.08, urgency: MEDIUM
|
||||
* New features
|
||||
- Custom CRL verification was replaced with the internal
|
||||
OpenSSL functionality.
|
||||
- *BSD support for "transparent = destination" and
|
||||
client-side "protocol = socks". This feature should
|
||||
work at least on FreeBSD, OpenBSD and OS X.
|
||||
- Added a new "protocolDomain" option for the NTLM
|
||||
authentication (thx to Andreas Botsikas).
|
||||
- Improved compatibility of the NTLM phase 1 message (thx
|
||||
to Andreas Botsikas).
|
||||
- "setuid" and "setgid" options are now also available
|
||||
in service sections. They can be used to set owner
|
||||
and group of the Unix socket specified with "accept".
|
||||
- Added support for the new OpenSSL 1.0.2 SSL options.
|
||||
- Added OPENSSL_NO_EGD support (thx to Bernard Spil).
|
||||
- VC autodetection added to makew32.bat (thx to Andreas
|
||||
Botsikas).
|
||||
* Bugfixes
|
||||
- Fixed the RESOLVE [F0] TOR extension support in SOCKS5.
|
||||
- Fixed the error code reported on the failed bind()
|
||||
requests.
|
||||
- Fixed the sequential log id with the FORK threading.
|
||||
- Restored the missing Microsoft.VC90.CRT.manifest file.
|
||||
|
||||
Version 5.23, 2015.09.02, urgency: LOW
|
||||
* New features
|
||||
- Client-side support for the SOCKS protocol.
|
||||
See https://www.stunnel.org/socksvpn.html for details.
|
||||
- Reject SOCKS requests to connect loopback addresses.
|
||||
- New service-level option "OCSPnonce".
|
||||
The default value is "OCSPnonce = no".
|
||||
- Win32 directory structure rearranged. The installer
|
||||
script provides automatic migration for common setups.
|
||||
- Added Win32 installer option to install stunnel for the
|
||||
current user only. This feature does not deploy the NT
|
||||
service, but it also does not require aministrative
|
||||
privileges to install and configure stunnel.
|
||||
- stunnel.cnf was renamed to openssl.cnf in order to
|
||||
to prevent users from mixing it up with stunnel.conf.
|
||||
- Win32 desktop is automatically refreshed when the icon
|
||||
is created or removed.
|
||||
- The ca-certs.pem file is now updated on stunnel upgrade.
|
||||
- Inactive ports were removed from the PORTS file.
|
||||
- Added IPv6 support to the transparent proxy code.
|
||||
* Bugfixes
|
||||
- Compilation fix for OpenSSL version older than 1.0.0.
|
||||
- Compilation fix for mingw.
|
||||
|
||||
Version 5.22, 2015.07.30, urgency: HIGH
|
||||
* New features
|
||||
- "OCSPaia = yes" added to the configuration file templates.
|
||||
- Improved double free detection.
|
||||
* Bugfixes
|
||||
- Fixed a number of OCSP bugs. The most severe of those
|
||||
bugs caused stunnel to treat OCSP responses that failed
|
||||
OCSP_basic_verify() checks as if they were successful.
|
||||
- Fixed the passive IPv6 resolver (broken in stunnel 5.21).
|
||||
|
||||
Version 5.21, 2015.07.27, urgency: MEDIUM
|
||||
* New features
|
||||
- Signal names are displayed instead of numbers.
|
||||
- First resolve IPv4 addresses on passive resolver requests.
|
||||
This speeds up stunnel startup on Win32 with a slow/defunct
|
||||
DNS service.
|
||||
- The "make check" target was modified to only build Win32
|
||||
executables when stunnel is built from a git repository (thx
|
||||
to Peter Pentchev).
|
||||
- More elaborate descriptions were added to the warning about
|
||||
using "verify = 2" without "checkHost" or "checkIP".
|
||||
- Performance optimization was performed on the debug code.
|
||||
* Bugfixes
|
||||
- Fixed the FORK and UCONTEXT threading support.
|
||||
- Fixed "failover=prio" (broken since stunnel 5.15).
|
||||
- Added a retry when sleep(3) was interrupted by a signal
|
||||
in the cron thread scheduler.
|
||||
|
||||
Version 5.20, 2015.07.09, urgency: HIGH
|
||||
* Security bugfixes
|
||||
- OpenSSL DLLs updated to version 1.0.2d.
|
||||
https://www.openssl.org/news/secadv_20150709.txt
|
||||
* New features
|
||||
- poll(2) re-enabled on MacOS X 10.5 and later.
|
||||
- Xcode SDK is automatically used on MacOS X if no other
|
||||
locally installed OpenSSL directory is found.
|
||||
- The SSL library detection algorithm was made a bit smarter.
|
||||
- Warnings about insecure authentication were modified to
|
||||
include the name of the affected service section.
|
||||
- A warning was added to stunnel.init if no pid file was
|
||||
specified in the configuration file (thx to Peter Pentchev).
|
||||
- Optional debugging symbols are included in the Win32 installer.
|
||||
- Documentation updates (closes Debian bug #781669).
|
||||
* Bugfixes
|
||||
- Signal pipe reinitialization added to prevent turning the
|
||||
main accepting thread into a busy wait loop when an external
|
||||
condition breaks the signal pipe. This bug was found to
|
||||
surface on Win32, but other platforms may also be affected.
|
||||
- Fixed removing the disabled taskbar icon.
|
||||
- Generated temporary DH parameters are used for configuration
|
||||
reload instead of the static defaults.
|
||||
- LSB compatibility fixes added to the stunnel.init script (thx
|
||||
to Peter Pentchev).
|
||||
- Fixed the manual page headers (thx to Gleydson Soares).
|
||||
|
||||
Version 5.19, 2015.06.16, urgency: MEDIUM:
|
||||
* New features
|
||||
- OpenSSL DLLs updated to version 1.0.2c.
|
||||
- Added a runtime check whether COMP_zlib() method is implemented
|
||||
in order to improve compatibility with the Debian OpenSSL build.
|
||||
* Bugfixes
|
||||
- Improved socket error handling.
|
||||
- Cron thread priority on Win32 platform changed to
|
||||
THREAD_PRIORITY_LOWEST to improve portability.
|
||||
- Makefile bugfixes for stunnel 5.18 regressions.
|
||||
- Fixed some typos in docs and scripts (thx to Peter Pentchev).
|
||||
- Fixed a log level check condition (thx to Peter Pentchev).
|
||||
|
||||
Version 5.18, 2015.06.12, urgency: MEDIUM:
|
||||
* New features
|
||||
- OpenSSL DLLs updated to version 1.0.2b.
|
||||
https://www.openssl.org/news/secadv_20150611.txt
|
||||
- Added "include" configuration file option to include all
|
||||
configuration file parts located in a specified directory.
|
||||
- Log file is reopened every 24 hours. With "log = overwrite"
|
||||
this feature can be used to prevent filling up disk space.
|
||||
- Temporary DH parameters are refreshed every 24 hours, unless
|
||||
static DH parameters were provided in the certificate file.
|
||||
- Unique initial DH parameters are distributed with each release.
|
||||
- Warnings are logged on potentially insecure authentication.
|
||||
- Improved compatibility with the current OpenSSL 1.1.0-dev tree:
|
||||
removed RLE compression support, etc.
|
||||
- Updated stunnel.spec (thx to Bill Quayle).
|
||||
* Bugfixes
|
||||
- Fixed handling of dynamic connect targets.
|
||||
- Fixed handling of trailing whitespaces in the Content-Length
|
||||
header of the NTLM authentication.
|
||||
- Fixed --sysconfdir and --localstatedir handling (thx to
|
||||
Dagobert Michelsen).
|
||||
|
||||
Version 5.17, 2015.04.29, urgency: HIGH:
|
||||
* Bugfixes
|
||||
- Fixed a NULL pointer dereference causing the service to crash.
|
||||
This bug was introduced in stunnel 5.15.
|
||||
|
||||
Version 5.16, 2015.04.19, urgency: MEDIUM:
|
||||
* Bugfixes
|
||||
- Fixed compilation with old versions of gcc.
|
||||
|
||||
Version 5.15, 2015.04.16, urgency: LOW:
|
||||
* New features
|
||||
- Added new service-level options "checkHost", "checkEmail" and
|
||||
"checkIP" for additional checks of the peer certificate subject.
|
||||
These options require OpenSSL version 1.0.2 or higher.
|
||||
- Win32 binary distribution now ships with the Mozilla root CA
|
||||
bundle. This bundle is intended be used together with the new
|
||||
"checkHost" option to validate server certs accepted by Mozilla.
|
||||
- New commandline options "-reload" to reload the configuration
|
||||
file and "-reopen" to reopen the log file of stunnel running
|
||||
as a Windows service (thx to Marc McLaughlin).
|
||||
- Added session persistence based on negotiated TLS sessions.
|
||||
https://en.wikipedia.org/wiki/Load_balancing_%28computing%29#Persistence
|
||||
The current implementation does not support external TLS
|
||||
session caching with sessiond.
|
||||
- MEDIUM ciphers (currently SEED and RC4) are removed from the
|
||||
default cipher list.
|
||||
- The "redirect" option was improved to not only redirect sessions
|
||||
established with an untrusted certificate, but also sessions
|
||||
established without a client certificate.
|
||||
- OpenSSL version checking modified to distinguish FIPS and
|
||||
non-FIPS builds.
|
||||
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
|
||||
- Removed support for OpenSSL versions older than 0.9.7.
|
||||
The final update for the OpenSSL 0.9.6 branch was 17 Mar 2004.
|
||||
- "sessiond" support improved to also work in OpenSSL 0.9.7.
|
||||
- Randomize the initial value of the round-robin counter.
|
||||
- New stunnel.conf templates are provided for Windows and Unix.
|
||||
* Bugfixes
|
||||
- Fixed compilation against old versions of OpenSSL.
|
||||
- Fixed memory leaks in certificate verification.
|
||||
|
||||
Version 5.14, 2015.03.25, urgency: HIGH:
|
||||
* Security bugfixes
|
||||
- The "redirect" option now also redirects clients on SSL session
|
||||
reuse. In stunnel versions 5.00 to 5.13 reused sessions were
|
||||
instead always connected hosts specified with the "connect"
|
||||
option regardless of their certificate verification result.
|
||||
This vulnerability was reported by Johan Olofsson.
|
||||
* New features
|
||||
- Windows service is automatically restarted after upgrade.
|
||||
* Bugfixes
|
||||
- Fixed a memory allocation error during Unix daemon shutdown.
|
||||
- Fixed handling multiple connect/redirect destinations.
|
||||
- OpenSSL FIPS builds are now correctly reported on startup.
|
||||
|
||||
Version 5.13, 2015.03.20, urgency: MEDIUM:
|
||||
* New features
|
||||
- The "service" option was modified to also control the syslog
|
||||
service name.
|
||||
* Bugfixes
|
||||
- Fixed Windows service crash.
|
||||
|
||||
Version 5.12, 2015.03.19, urgency: HIGH:
|
||||
* Security bugfixes
|
||||
- OpenSSL DLLs updated to version 1.0.2a.
|
||||
https://www.openssl.org/news/secadv_20150319.txt
|
||||
* New features
|
||||
- New service-level option "logId" to specify the
|
||||
connection identifier type. Currently supported types:
|
||||
"sequential" (default), "unique", and "thread".
|
||||
- New service-level option "debug" to individually control
|
||||
logging verbosity of defined services.
|
||||
* Bugfixes
|
||||
- OCSP fixed on Windows platform (thx to Alec Kosky).
|
||||
|
||||
Version 5.11, 2015.03.11, urgency: LOW:
|
||||
* New features
|
||||
- OpenSSL DLLs updated to version 1.0.2.
|
||||
- Removed dereferences of internal OpenSSL data structures.
|
||||
- PSK key lookup algorithm performance improved from
|
||||
O(N) (linear) to O(log N) (logarithmic).
|
||||
* Bugfixes
|
||||
- Fixed peer certificate list in the main window on Win32
|
||||
(thx to @fyer for reporting it).
|
||||
- Fixed console logging in tstunnel.exe.
|
||||
- _tputenv_s() replaced with more portable _tputenv() on Win32.
|
||||
|
||||
Version 5.10, 2015.01.22, urgency: LOW:
|
||||
* New features
|
||||
- OCSP AIA (Authority Information Access) support. This feature
|
||||
can be enabled with the new service-level option "OCSPaia".
|
||||
- Additional security features of the linker are enabled:
|
||||
"-z relro", "-z now", "-z noexecstack".
|
||||
* Bugfixes
|
||||
- OpenSSL DLLs updated to version 1.0.1l.
|
||||
https://www.openssl.org/news/secadv_20150108.txt
|
||||
- FIPS canister updated to version 2.0.9 in the Win32 binary
|
||||
build.
|
||||
|
||||
Version 5.09, 2015.01.02, urgency: LOW:
|
||||
* New features
|
||||
- Added PSK authentication with two new service-level
|
||||
configuration file options "PSKsecrets" and "PSKidentity".
|
||||
- Added additional security checks to the OpenSSL memory
|
||||
management functions.
|
||||
- Added support for the OPENSSL_NO_OCSP and OPENSSL_NO_ENGINE
|
||||
OpenSSL configuration flags.
|
||||
- Added compatibility with the current OpenSSL 1.1.0-dev tree.
|
||||
* Bugfixes
|
||||
- Removed defective s_poll_error() code occasionally causing
|
||||
connections to be prematurely closed (truncated).
|
||||
This bug was introduced in stunnel 4.34.
|
||||
- Fixed ./configure systemd detection (thx to Kip Walraven).
|
||||
- Fixed ./configure sysroot detection (thx to Kip Walraven).
|
||||
- Fixed compilation against old versions of OpenSSL.
|
||||
- Removed outdated French manual page.
|
||||
|
||||
Version 5.08, 2014.12.09, urgency: MEDIUM:
|
||||
* New features
|
||||
- Added SOCKS4/SOCKS4a protocol support.
|
||||
- Added SOCKS5 protocol support.
|
||||
- Added SOCKS RESOLVE [F0] TOR extension support.
|
||||
- Updated automake to version 1.14.1.
|
||||
- OpenSSL directory searching is now relative to the sysroot.
|
||||
* Bugfixes
|
||||
- Fixed improper hangup condition handling.
|
||||
- Fixed missing -pic linker option. This is required for
|
||||
Android 5.0 and improves security.
|
||||
|
||||
Version 5.07, 2014.11.01, urgency: MEDIUM:
|
||||
* New features
|
||||
- Several SMTP server protocol negotiation improvements.
|
||||
- Added UTF-8 byte order marks to stunnel.conf templates.
|
||||
- DH parameters are no longer generated by "make cert".
|
||||
The hardcoded DH parameters are sufficiently secure,
|
||||
and modern TLS implementations will use ECDH anyway.
|
||||
- Updated manual for the "options" configuration file option.
|
||||
- Added support for systemd 209 or later.
|
||||
- New --disable-systemd ./configure option.
|
||||
- setuid/setgid commented out in stunnel.conf-sample.
|
||||
* Bugfixes
|
||||
- Added support for UTF-8 byte order mark in stunnel.conf.
|
||||
- Compilation fix for OpenSSL with disabled SSLv2 or SSLv3.
|
||||
- Non-blocking mode set on inetd and systemd descriptors.
|
||||
- shfolder.h replaced with shlobj.h for compatibility
|
||||
with modern Microsoft compilers.
|
||||
|
||||
Version 5.06, 2014.10.15, urgency: HIGH:
|
||||
* Security bugfixes
|
||||
- OpenSSL DLLs updated to version 1.0.1j.
|
||||
https://www.openssl.org/news/secadv_20141015.txt
|
||||
- The insecure SSLv2 protocol is now disabled by default.
|
||||
It can be enabled with "options = -NO_SSLv2".
|
||||
- The insecure SSLv3 protocol is now disabled by default.
|
||||
It can be enabled with "options = -NO_SSLv3".
|
||||
- Default sslVersion changed to "all" (also in FIPS mode)
|
||||
to autonegotiate the highest supported TLS version.
|
||||
* New features
|
||||
- Added missing SSL options to match OpenSSL 1.0.1j.
|
||||
- New "-options" commandline option to display the list
|
||||
of supported SSL options.
|
||||
* Bugfixes
|
||||
- Fixed FORK threading build regression bug.
|
||||
- Fixed missing periodic Win32 GUI log updates.
|
||||
|
||||
Version 5.05, 2014.10.10, urgency: MEDIUM:
|
||||
* New features
|
||||
- Asynchronous communication with the GUI thread for faster
|
||||
logging on Win32.
|
||||
- systemd socket activation (thx to Mark Theunissen).
|
||||
- The parameter of "options" can now be prefixed with "-"
|
||||
to clear an SSL option, for example:
|
||||
"options = -LEGACY_SERVER_CONNECT".
|
||||
- Improved "transparent = destination" manual page (thx to
|
||||
Vadim Penzin).
|
||||
* Bugfixes
|
||||
- Fixed POLLIN|POLLHUP condition handling error resulting
|
||||
in prematurely closed (truncated) connection.
|
||||
- Fixed a null pointer dereference regression bug in the
|
||||
"transparent = destination" functionality (thx to
|
||||
Vadim Penzin). This bug was introduced in stunnel 5.00.
|
||||
- Fixed startup thread synchronization with Win32 GUI.
|
||||
- Fixed erroneously closed stdin/stdout/stderr if specified
|
||||
as the -fd commandline option parameter.
|
||||
- A number of minor Win32 GUI bugfixes and improvements.
|
||||
- Merged most of the Windows CE patches (thx to Pierre Delaage).
|
||||
- Fixed incorrect CreateService() error message on Win32.
|
||||
- Implemented a workaround for defective Cygwin file
|
||||
descriptor passing breaking the libwrap support:
|
||||
http://wiki.osdev.org/Cygwin_Issues#Passing_file_descriptors
|
||||
|
||||
Version 5.04, 2014.09.21, urgency: LOW:
|
||||
* New features
|
||||
- Support for local mode ("exec" option) on Win32.
|
||||
- Support for UTF-8 config file and log file.
|
||||
- Win32 UTF-16 build (thx to Pierre Delaage for support).
|
||||
- Support for Unicode file names on Win32.
|
||||
- A more explicit service description provided for the
|
||||
Windows SCM (thx to Pierre Delaage).
|
||||
- TCP/IP dependency added for NT service in order to prevent
|
||||
initialization failure at boot time.
|
||||
- FIPS canister updated to version 2.0.8 in the Win32 binary
|
||||
build.
|
||||
* Bugfixes
|
||||
- load_icon_default() modified to return copies of default icons
instead of the original resources to prevent the resources
from being destroyed.
- Partially merged Windows CE patches (thx to Pierre Delaage).
- Fixed typos in stunnel.init.in and vc.mak.
- Fixed incorrect memory allocation statistics update in
str_realloc().
- Missing REMOTE_PORT environmental variable is provided to
processes spawned with "exec" on Unix platforms.
- Taskbar icon is no longer disabled for NT service.
- Fixed taskbar icon initialization when commandline options are
specified.
- Reportedly more compatible values used for the dwDesiredAccess
parameter of the CreateFile() function (thx to Pierre Delaage).
- A number of minor Win32 GUI bugfixes and improvements.

Version 5.03, 2014.08.07, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1i.
See https://www.openssl.org/news/secadv_20140806.txt
* New features
- FIPS autoconfiguration cleanup.
- FIPS canister updated to version 2.0.6.
- Improved SNI diagnostic logging.
* Bugfixes
- Compilation fixes for old versions of OpenSSL.
- Fixed whitespace handling in the stunnel.init script.

Version 5.02, 2014.06.09, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1h.
See https://www.openssl.org/news/secadv_20140605.txt
* New features
- Major rewrite of the protocol.c interface: it is now possible to add
protocol negotiations at multiple connection phases, protocols can
individually decide whether the remote connection will be
established before or after SSL/TLS is negotiated.
- Heap memory blocks are wiped before release. This only works for
block allocated by stunnel, and not by OpenSSL or other libraries.
- The safe_memcmp() function implemented with execution time not
dependent on the compared data.
- Updated the stunnel.conf and stunnel.init templates.
- Added a client-mode example to the manual.
* Bugfixes
- Fixed "failover = rr" broken since version 5.00.
- Fixed "taskbar = no" broken since version 5.00.
- Compilation fix for missing SSL_OP_MSIE_SSLV2_RSA_PADDING option.

Version 5.01, 2014.04.08, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1g.
This version mitigates TLS heartbeat read overrun (CVE-2014-0160).
* New features
- X.509 extensions added to the created self-signed stunnel.pem.
- "FIPS = no" also allowed in non-FIPS builds of stunnel.
- Search all certificates with the same subject name for a matching
public key rather than only the first one (thx to Leon Winter).
- Create logs in the local application data folder if stunnel folder
is not writable on Win32.
* Bugfixes
- close_notify not sent when SSL still has some data buffered.
- Protocol negotiation with server-side SNI fixed.
- A Mac OS X missing symbols fixed.
- Win32 configuration file reload crash fixed.
- Added s_pool_free() on exec+connect service retires.
- Line-buffering enforced on stderr output.

stunnel 5.00 disables some features previously enabled by default.
Users should review whether the new defaults are appropriate for their
particular deployments. Packages maintainers may consider prepending
the old defaults for "fips" (if supported by their OpenSSL library),
"pid" and "libwrap" to stunnel.conf during automated updates.

Version 5.00, 2014.03.06, urgency: HIGH:
* Security bugfixes
- Added PRNG state update in fork threading (CVE-2014-0016).
* New global configuration file defaults
- Default "fips" option value is now "no", as FIPS mode is only
helpful for compliance, and never for actual security.
- Default "pid" is now "", i.e. not to create a pid file at startup.
* New service-level configuration file defaults
- Default "ciphers" updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2"
due to AlFBPPS attack and bad performance of DH ciphersuites.
- Default "libwrap" setting is now "no" to improve performance.
* New features
- OpenSSL DLLs updated to version 1.0.1f.
- zlib DLL updated to version 1.2.8.
- autoconf scripts upgraded to version 2.69.
- TLS 1.1 and TLS 1.2 are now allowed in the FIPS mode.
- New service-level option "redirect" to redirect SSL client
connections on authentication failures instead of rejecting them.
- New global "engineDefault" configuration file option to control
which OpenSSL tasks are delegated to the current engine.
Available tasks: ALL, RSA, DSA, ECDH, ECDSA, DH, RAND, CIPHERS,
DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1.
- New service-level configuration file option "engineId" to select
the engine by identifier, e.g. "engineId = capi".
- New global configuration file option "log" to control whether to
append (the default), or to overwrite log file while (re)opening.
- Different taskbar icon colors to indicate the service state.
- New global configuration file options "iconIdle", "iconActive",
and "iconError" to select status icon on GUI taskbar.
- Removed the limit of 63 stunnel.conf sections on Win32 platform.
- Installation of a sample certificate was moved to a separate "cert"
target in order to allow unattended (e.g. scripted) installations.
- Reduced length of the logged thread identifier. It is still based
on the OS thread ID, and thus not unique over long periods of time.
- Improved readability of error messages printed when stunnel refuses
to start due to a critical error.
* Bugfixes
- LD_PRELOAD Solaris compatibility bug fixed (thx to Norm Jacobs).
- CRYPTO_NUM_LOCKS replaced with CRYPTO_num_locks() to improve binary
compatibility with diverse builds of OpenSSL (thx to Norm Jacobs).
- Corrected round-robin failover behavior under heavy load.
- Numerous fixes in the engine support code.
- On Win32 platform .rnd file moved from c:\ to the stunnel folder.

Version 4.57, 2015.04.01, urgency: HIGH:
* Security bugfixes
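Review bot: the 5.00 entry for the default "ciphers" string (HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2) gives the AlFBPPS attack as the reason for the change, but the string only demotes 3DES and DH and excludes aNULL and SSLv2; it does not name the ciphersuite that result targets (AlFBPPS is the RC4-in-TLS attack), so a reader cannot tell from the entry what the new default protects against or that RC4 is merely ordered behind the HIGH suites rather than removed. Suggest the entry state which suites are demoted or excluded and why. Two smaller points in the same region: the 5.00 preamble reads "Packages maintainers" (should be "Package maintainers"), and the 5.02 entry claims safe_memcmp() runs in time independent of the compared data; a pointer to the implementation or to a test that exercises it would make that claim checkable from the ChangeLog.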
@ -116,6 +781,7 @@ Version 4.51, 2012.01.09, urgency: MEDIUM:
- New "compression = deflate" global option to enable RFC 2246 compresion.
For compatibility with previous versions "compression = zlib" and
"compression = rle" also enable the deflate (RFC 2246) compression.
- Compression is disabled by default.
- Separate default ciphers and sslVersion for "fips = yes" and "fips = no".
- UAC support for editing configuration file with Windows GUI.
* Bugfixes
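Review bot: typo in the ChangeLog context at the top of this hunk, "compresion" for "compression"; the line is unchanged on both sides of the hunk, so it is a candidate for a follow-up rather than this commit, but worth fixing since the same entry spells the word correctly two lines later.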
@ -518,7 +1184,7 @@ Version 4.19, 2006.11.11, urgency: LOW/EXPERIMENTAL:
- There are a lot of new features in this version. I recommend
to test it well before upgrading your mission-critical systems.
* New features
- New service-level option to specify OCSP server flag:
- New service-level option to specify an OCSP responder flag:
OCSPflag = <flag>
- "protocolCredentials" option changed to "protocolUsername"
and "protocolPassword"
@ -574,7 +1240,7 @@ Version 4.16, 2006.08.31, urgency: MEDIUM:
- Default group is now detected by configure script.
- Check for maximum number of defined services added.
- OpenSSL_add_all_algorithms() added to SSL initialization.
- configure script sections reordered to detect pthread library funcions.
- configure script sections reordered to detect pthread library functions.
- RFC 2487 autodetection improved. High resolution s_poll_wait()
not currently supported by UCONTEXT threading.
- More precise description of cert directory file names (thx to Muhammad

378
INSTALL
@ -1,40 +1,370 @@
stunnel Unix install notes
Installation Instructions
*************************

Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation,
Inc.

1. If your machine supports POSIX threads make sure your SSL
library is compiled with -DTHREADS.
Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved. This file is offered as-is,
without warranty of any kind.

2. Compile the software:
Basic Installation
==================

./configure
make
make install
Briefly, the shell command `./configure && make && make install'
should configure, build, and install this package. The following
more-detailed instructions are generic; see the `README' file for
instructions specific to this package. Some packages provide this
`INSTALL' file but do not implement all of the features documented
below. The lack of an optional feature in a given package is not
necessarily a bug. More recommendations for GNU packages can be found
in *note Makefile Conventions: (standards)Makefile Conventions.

(see potential options for 'configure' at the end of this file)
The `configure' shell script attempts to guess correct values for
various system-dependent variables used during compilation. It uses
those values to create a `Makefile' in each directory of the package.
It may also create one or more `.h' files containing system-dependent
definitions. Finally, it creates a shell script `config.status' that
you can run in the future to recreate the current configuration, and a
file `config.log' containing compiler output (useful mainly for
debugging `configure').

3. Create stunnel configuration file (stunnel.conf).
It can also use an optional file (typically called `config.cache'
and enabled with `--cache-file=config.cache' or simply `-C') that saves
the results of its tests to speed up reconfiguring. Caching is
disabled by default to prevent problems with accidental use of stale
cache files.

4. Add stunnel invocation to your system's startup files.
For SysV-compatible init you can use stunnel.init script.
If you need to do unusual things to compile the package, please try
to figure out how `configure' could check whether to do them, and mail
diffs or instructions to the address given in the `README' so they can
be considered for the next release. If you are using the cache, and at
some point `config.cache' contains results you don't want to keep, you
may remove or edit it.

or
The file `configure.ac' (or `configure.in') is used to create
`configure' by a program called `autoconf'. You need `configure.ac' if
you want to change it or regenerate `configure' using a newer version
of `autoconf'.

Modify /etc/services and /etc/inetd.conf, restart inetd (inetd mode).
The simplest way to compile this package is:

See the manual for details.
1. `cd' to the directory containing the package's source code and type
`./configure' to configure the package for your system.

5. There are a variety of compile-time options you may supply when
running configure. Most commonly used are:
Running `configure' might take a while. While running, it prints
some messages telling which features it is checking for.

--with-ssl=DIR
where your SSL libraries and include files are installed
2. Type `make' to compile the package.

--with-random=FILE
read randomness from FILE for PRNG seeding
3. Optionally, type `make check' to run any self-tests that come with
the package, generally using the just-built uninstalled binaries.

--with-egd-socket=FILE
location of Entropy Gathering Daemon socket, if running EGD
(for example on a machine that lacks a /dev/urandom device)
4. Type `make install' to install the programs and any data files and
documentation. When installing into a prefix owned by root, it is
recommended that the package be configured and built as a regular
user, and only the `make install' phase executed with root
privileges.

Use `./configure --help' to see all the options.
5. Optionally, type `make installcheck' to repeat any self-tests, but
this time using the binaries in their final installed location.
This target does not install anything. Running this target as a
regular user, particularly if the prior `make install' required
root privileges, verifies that the installation completed
correctly.

6. You can remove the program binaries and object files from the
source code directory by typing `make clean'. To also remove the
files that `configure' created (so you can compile the package for
a different kind of computer), type `make distclean'. There is
also a `make maintainer-clean' target, but that is intended mainly
for the package's developers. If you use it, you may have to get
all sorts of other programs in order to regenerate files that came
with the distribution.

7. Often, you can also type `make uninstall' to remove the installed
files again. In practice, not all packages have tested that
uninstallation works correctly, even though it is required by the
GNU Coding Standards.

8. Some packages, particularly those that use Automake, provide `make
distcheck', which can by used by developers to test that all other
targets like `make install' and `make uninstall' work correctly.
This target is generally not run by end users.

Compilers and Options
=====================

Some systems require unusual options for compilation or linking that
the `configure' script does not know about. Run `./configure --help'
for details on some of the pertinent environment variables.

You can give `configure' initial values for configuration parameters
by setting variables in the command line or in the environment. Here
is an example:

./configure CC=c99 CFLAGS=-g LIBS=-lposix

*Note Defining Variables::, for more details.

Compiling For Multiple Architectures
====================================

You can compile the package for more than one kind of computer at the
same time, by placing the object files for each architecture in their
own directory. To do this, you can use GNU `make'. `cd' to the
directory where you want the object files and executables to go and run
the `configure' script. `configure' automatically checks for the
source code in the directory that `configure' is in and in `..'. This
is known as a "VPATH" build.

With a non-GNU `make', it is safer to compile the package for one
architecture at a time in the source code directory. After you have
installed the package for one architecture, use `make distclean' before
reconfiguring for another architecture.

On MacOS X 10.5 and later systems, you can create libraries and
executables that work on multiple system types--known as "fat" or
"universal" binaries--by specifying multiple `-arch' options to the
compiler but only a single `-arch' option to the preprocessor. Like
this:

./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
CPP="gcc -E" CXXCPP="g++ -E"

This is not guaranteed to produce working output in all cases, you
may have to build one architecture at a time and combine the results
using the `lipo' tool if you have problems.

Installation Names
==================

By default, `make install' installs the package's commands under
`/usr/local/bin', include files under `/usr/local/include', etc. You
can specify an installation prefix other than `/usr/local' by giving
`configure' the option `--prefix=PREFIX', where PREFIX must be an
absolute file name.

You can specify separate installation prefixes for
architecture-specific files and architecture-independent files. If you
pass the option `--exec-prefix=PREFIX' to `configure', the package uses
PREFIX as the prefix for installing programs and libraries.
Documentation and other data files still use the regular prefix.

In addition, if you use an unusual directory layout you can give
options like `--bindir=DIR' to specify different values for particular
kinds of files. Run `configure --help' for a list of the directories
you can set and what kinds of files go in them. In general, the
default for these options is expressed in terms of `${prefix}', so that
specifying just `--prefix' will affect all of the other directory
specifications that were not explicitly provided.

The most portable way to affect installation locations is to pass the
correct locations to `configure'; however, many packages provide one or
both of the following shortcuts of passing variable assignments to the
`make install' command line to change installation locations without
having to reconfigure or recompile.

The first method involves providing an override variable for each
affected directory. For example, `make install
prefix=/alternate/directory' will choose an alternate location for all
directory configuration variables that were expressed in terms of
`${prefix}'. Any directories that were specified during `configure',
but not in terms of `${prefix}', must each be overridden at install
time for the entire installation to be relocated. The approach of
makefile variable overrides for each directory variable is required by
the GNU Coding Standards, and ideally causes no recompilation.
However, some platforms have known limitations with the semantics of
shared libraries that end up requiring recompilation when using this
method, particularly noticeable in packages that use GNU Libtool.

The second method involves providing the `DESTDIR' variable. For
example, `make install DESTDIR=/alternate/directory' will prepend
`/alternate/directory' before all installation names. The approach of
`DESTDIR' overrides is not required by the GNU Coding Standards, and
does not work on platforms that have drive letters. On the other hand,
it does better at avoiding recompilation issues, and works well even
when some directory options were not specified in terms of `${prefix}'
at `configure' time.

Optional Features
=================

If the package supports it, you can cause programs to be installed
with an extra prefix or suffix on their names by giving `configure' the
option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.

Some packages pay attention to `--enable-FEATURE' options to
`configure', where FEATURE indicates an optional part of the package.
They may also pay attention to `--with-PACKAGE' options, where PACKAGE
is something like `gnu-as' or `x' (for the X Window System). The
`README' should mention any `--enable-' and `--with-' options that the
package recognizes.

For packages that use the X Window System, `configure' can usually
find the X include and library files automatically, but if it doesn't,
you can use the `configure' options `--x-includes=DIR' and
`--x-libraries=DIR' to specify their locations.

Some packages offer the ability to configure how verbose the
execution of `make' will be. For these packages, running `./configure
--enable-silent-rules' sets the default to minimal output, which can be
overridden with `make V=1'; while running `./configure
--disable-silent-rules' sets the default to verbose, which can be
overridden with `make V=0'.

Particular systems
==================

On HP-UX, the default C compiler is not ANSI C compatible. If GNU
CC is not installed, it is recommended to use the following options in
order to use an ANSI C compiler:

./configure CC="cc -Ae -D_XOPEN_SOURCE=500"

and if that doesn't work, install pre-built binaries of GCC for HP-UX.

HP-UX `make' updates targets which have the same time stamps as
their prerequisites, which makes it generally unusable when shipped
generated files such as `configure' are involved. Use GNU `make'
instead.

On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot
parse its `<wchar.h>' header file. The option `-nodtk' can be used as
a workaround. If GNU CC is not installed, it is therefore recommended
to try

./configure CC="cc"

and if that doesn't work, try

./configure CC="cc -nodtk"

On Solaris, don't put `/usr/ucb' early in your `PATH'. This
directory contains several dysfunctional programs; working variants of
these programs are available in `/usr/bin'. So, if you need `/usr/ucb'
in your `PATH', put it _after_ `/usr/bin'.

On Haiku, software installed for all users goes in `/boot/common',
not `/usr/local'. It is recommended to use the following options:

./configure --prefix=/boot/common

Specifying the System Type
==========================

There may be some features `configure' cannot figure out
automatically, but needs to determine by the type of machine the package
will run on. Usually, assuming the package is built to be run on the
_same_ architectures, `configure' can figure that out, but if it prints
a message saying it cannot guess the machine type, give it the
`--build=TYPE' option. TYPE can either be a short name for the system
type, such as `sun4', or a canonical name which has the form:

CPU-COMPANY-SYSTEM

where SYSTEM can have one of these forms:

OS
KERNEL-OS

See the file `config.sub' for the possible values of each field. If
`config.sub' isn't included in this package, then this package doesn't
need to know the machine type.

If you are _building_ compiler tools for cross-compiling, you should
use the option `--target=TYPE' to select the type of system they will
produce code for.

If you want to _use_ a cross compiler, that generates code for a
platform different from the build platform, you should specify the
"host" platform (i.e., that on which the generated programs will
eventually be run) with `--host=TYPE'.

Sharing Defaults
================

If you want to set default values for `configure' scripts to share,
you can create a site shell script called `config.site' that gives
default values for variables like `CC', `cache_file', and `prefix'.
`configure' looks for `PREFIX/share/config.site' if it exists, then
`PREFIX/etc/config.site' if it exists. Or, you can set the
`CONFIG_SITE' environment variable to the location of the site script.
A warning: not all `configure' scripts look for a site script.

Defining Variables
==================

Variables not defined in a site shell script can be set in the
environment passed to `configure'. However, some packages may run
configure again during the build, and the customized values of these
variables may be lost. In order to avoid this problem, you should set
them in the `configure' command line, using `VAR=value'. For example:

./configure CC=/usr/local2/bin/gcc

causes the specified `gcc' to be used as the C compiler (unless it is
overridden in the site shell script).

Unfortunately, this technique does not work for `CONFIG_SHELL' due to
an Autoconf limitation. Until the limitation is lifted, you can use
this workaround:

CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash

`configure' Invocation
======================

`configure' recognizes the following options to control how it
operates.

`--help'
`-h'
Print a summary of all of the options to `configure', and exit.

`--help=short'
`--help=recursive'
Print a summary of the options unique to this package's
`configure', and exit. The `short' variant lists options used
only in the top level, while the `recursive' variant lists options
also present in any nested packages.

`--version'
`-V'
Print the version of Autoconf used to generate the `configure'
script, and exit.

`--cache-file=FILE'
Enable the cache: use and save the results of the tests in FILE,
traditionally `config.cache'. FILE defaults to `/dev/null' to
disable caching.

`--config-cache'
`-C'
Alias for `--cache-file=config.cache'.

`--quiet'
`--silent'
`-q'
Do not print messages saying which checks are being made. To
suppress all normal output, redirect it to `/dev/null' (any error
messages will still be shown).

`--srcdir=DIR'
Look for the package's source code in directory DIR. Usually
`configure' can determine that directory automatically.

`--prefix=DIR'
Use DIR as the installation prefix. *note Installation Names::
for more details, including other options available for fine-tuning
the installation locations.

`--no-create'
`-n'
Run the configure checks, but stop before creating any output
files.

`configure' also accepts some other, not widely useful, options. Run
`configure --help' for more details.
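Review bot: replacing the stunnel-specific INSTALL with the generic GNU text drops every package-specific instruction that the old file carried: the note that the SSL library must be built with -DTHREADS when POSIX threads are used, the steps for creating stunnel.conf and adding stunnel to the startup files or to /etc/inetd.conf, and the --with-ssl=DIR, --with-random=FILE and --with-egd-socket=FILE configure options. The generic text defers to the README for "instructions specific to this package", so either confirm the README now documents those options (the two PRNG-seeding options are the ones an operator on a host without /dev/urandom needs to find) or keep a short stunnel-specific section ahead of the generic text.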

12
INSTALL.FIPS
@ -2,10 +2,12 @@ stunnel FIPS install notes


Unix HOWTO:
FIPS mode is autodetected if possible. You can force it with:
./configure --enable-fips
or disable with:
./configure --disable-fips
* Only dynamic linking of the FIPS-enabled OpenSSL is currently supported,
i.e. FIPS-enabled OpenSSL has to be configured with "shared" parameter.
* FIPS mode is autodetected if possible. It can be forced with:
./configure --enable-fips
or disable with:
./configure --disable-fips

WIN32 HOWTO:
* On 32-bit Windows install one of the following compilers:
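Review bot: grammar in the rewritten FIPS bullet: "It can be forced with: ... or disable with:" should read "or disabled with:" so the two halves are parallel; the old wording ("You can force it with ... or disable with") was consistent, the new one is not. The added bullet on dynamic linking is useful; consider also saying what happens when a static FIPS-enabled OpenSSL is found (does configure fail, or silently build without FIPS?), since that determines whether an operator notices the mode is off.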
@ -15,7 +17,7 @@ WIN32 HOWTO:
- MSVC 8.0 (VS 2005) Standard or Professional Edition
- MSVC 9.0 (VS 2008) Standard or Professional Edition
* Build FIPS-compliant OpenSSL DLLS according to:
http://www.openssl.org/docs/fips/UserGuide-1.2.pdf
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
* Build stunnel normally with MSVC or Mingw.
Mingw build requires DLL stubs. Stubs can be built with:
dlltool --def ms/libeay32.def --output-lib libcrypto.a
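Review bot: the stub instruction at the end of this hunk only produces the libcrypto import library (dlltool --def ms/libeay32.def --output-lib libcrypto.a); linking stunnel also needs the libssl stub built from the companion ssleay32 definition file in the same ms/ directory, so either list both dlltool invocations or state that the second is built the same way. The URL change (plain http to https, and UserGuide-1.2 to UserGuide-2.0) is correct for the 2.0 canister the ChangeLog says stunnel now uses.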

79
INSTALL.W32
@ -1,51 +1,66 @@
stunnel Windows install notes


Building stunnel from source (optional):
Cross-compiling stunnel from source with MinGW (optional):

1) Install mingw32 cross-compiler o a Unix/Linux machine.
In Debian all you need is:
apt-get install gcc-mingw32
Native compilation on a Windows machine is possible, but not supported.
1) Install the mingw32 cross-compiler on a Unix/Linux machine.
On Debian (and derivatives, including Ubuntu):
sudo apt-get install gcc-mingw-w64-i686
On Arch Linux:
sudo pacman -S mingw-w64-gcc

2) Download the recent zlib from http://www.zlib.net/
Update the following definitions in win32/Makefile.gcc file:
SHARED_MODE=1
PREFIX = i586-mingw32msvc-
then build zlib with:
make -f win32/Makefile.gcc
and install it in mingw32 tree:
sudo BINARY_PATH=~/ \
INCLUDE_PATH=/usr/i586-mingw32msvc/include/ \
LIBRARY_PATH=/usr/i586-mingw32msvc/lib/ \
make -f win32/Makefile.gcc install

3) Download the recent OpenSSL in unpack it to /usr/src/ directory.
cd /usr/src
2) Download the recent OpenSSL and unpack it:
tar zvxf ~/openssl-(version).tar.gz
mv openssl-(version) openssl-(version)-i586
mv openssl-(version) openssl-(version)-i686
cd openssl-(version)-i686/

4) Build OpenSSL.
./Configure --cross-compile-prefix=i586-mingw32msvc- mingw shared zlib-dynamic
3) Build OpenSSL.
For 32-bit Windows:
./Configure \
--cross-compile-prefix=i686-w64-mingw32- \
--openssldir=/opt/openssl-mingw mingw shared
make
sudo make install
sudo cp ms/applink.c /opt/openssl-mingw/include/openssl/
For 64-bit Windows:
./Configure \
--cross-compile-prefix=x86_64-w64-mingw32- \
--openssldir=/opt/openssl-mingw64 mingw64 shared
make
sudo make install
sudo cp ms/applink.c /opt/openssl-mingw64/include/openssl/

5) Download and unpack stunnel-(version).tar.gz.
4) Download and unpack stunnel-(version).tar.gz.

6) Configure stunnel.
5) Configure stunnel:
cd stunnel-(version)
./configure --with-ssl=/path/to/openssl-(version)
./configure

7) Build windows executable.
6) Build Windows 32-bit and/or 64-bit executables:
cd src
make stunnel.exe
make mingw
make mingw64


Building stunnel from source with MinGW (optional):

Building on a Windows machine is possible, but not currently supported.


Building stunnel from source with Visual Studio (optional):

TODO


Installing stunnel:

1) run installer to install precompiled binaries or copy stunnel.exe and
OpenSSL DLLs into a directory
1) Run installer to install the precompiled binaries, or
copy the stunnel.exe or tstunnel.exe executable located in the
/stunnel-(version)/bin/mingw/ directory into the destination
directory on a Windows machine, and
copy OpenSSL DLLs: libeay32.dll, libssp-0.dll and ssleay32.dll
into the same directory, if necessary.

2) read the manual (stunnel.html)

3) create/edit stunnel.conf configuration file
2) Read the manual (stunnel.html).

3) Create/edit the stunnel.conf configuration file.
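Review bot: step 5 now runs a bare ./configure (the old ./configure --with-ssl=/path/to/openssl-(version) form is dropped) while step 3 installs the cross-built OpenSSL under /opt/openssl-mingw and /opt/openssl-mingw64; the text never says how the "make mingw" and "make mingw64" targets in step 6 locate those trees, so state that these paths are the defaults the targets assume or name the variable that overrides them, otherwise a reader who chose a different --openssldir gets an unexplained link failure. Two smaller points: the "Building stunnel from source with Visual Studio (optional)" section ships with a bare "TODO" body, which should get content or be removed before release; and the install step lists libssp-0.dll under "OpenSSL DLLs" although it is the GCC stack-smashing-protector runtime from the MinGW toolchain, not part of OpenSSL, so say where it comes from so packagers ship the right copy.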

43
Makefile.am
@ -1,4 +1,5 @@
## Process this file with automake to produce Makefile.in
# by Michal Trojnara 2015-2017

ACLOCAL_AMFLAGS = -I m4

@ -10,7 +11,7 @@ libtool: $(LIBTOOL_DEPS)

EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS
EXTRA_DIST += INSTALL.W32 INSTALL.WCE INSTALL.FIPS
EXTRA_DIST += build-android.sh
EXTRA_DIST += build-android.sh .travis.yml

docdir = $(datadir)/doc/stunnel
doc_DATA = INSTALL README TODO COPYING AUTHORS ChangeLog
|
@ -21,19 +22,39 @@ distcleancheck_listfiles = find -type f -exec sh -c 'test -f $(srcdir)/{} || ech

distclean-local:
rm -rf autom4te.cache
rm -f $(distdir)-installer.exe
# rm -f $(distdir)-win32-installer.exe

#dist-hook:
# makensis -NOCD -DVERSION=${VERSION} -DSRCDIR=$(srcdir) \
# -DOPENSSL=/usr/src/openssl-0.9.8u-fips/out32dll \
# -DZLIB=/usr/src/zlib-1.2.6-i586 \
# makensis -NOCD -DVERSION=${VERSION} \
# -DSTUNNEL_DIR=$(srcdir) \
# -DROOT_DIR=/usr/src \
# $(srcdir)/tools/stunnel.nsi

# cp -f $(distdir)-installer.exe ../dist
# gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir)-installer.exe

sign: dist
cp -f $(distdir).tar.gz ../dist
gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir).tar.gz
sha256sum $(distdir).tar.gz | tee ../dist/$(distdir).tar.gz.sha256
cp -f $(distdir).tar.gz $(distdir)-win32-installer.exe $(distdir)-android.zip ../dist
gpg-agent --daemon /bin/sh -c "cd ../dist; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir).tar.gz; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-win32-installer.exe; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-android.zip"
sha256sum $(distdir).tar.gz >../dist/$(distdir).tar.gz.sha256
sha256sum $(distdir)-win32-installer.exe >../dist/$(distdir)-win32-installer.exe.sha256
sha256sum $(distdir)-android.zip >../dist/$(distdir)-android.zip.sha256
cat ../dist/$(distdir)*.sha256 | tac

cert:
$(MAKE) -C tools cert

test:
$(abs_builddir)/src/stunnel -version
@echo "No tests are currently implemented"

install-data-hook:
@echo "*********************************************************"
@echo "* Type 'make cert' to also install a sample certificate *"
@echo "*********************************************************"

edit = sed \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g'

stunnel.pod: Makefile
$(edit) '$(srcdir)/$@.in' >$@

stunnel.pod: $(srcdir)/stunnel.pod
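Review bot: the `test` target added here is what `.travis.yml` runs as `make test`, yet it only executes `$(abs_builddir)/src/stunnel -version` and then echoes "No tests are currently implemented", so a passing build for each CONFIGURE_OPTIONS variant proves only that the binary links and starts; either wire in a real check (for example starting `src/stunnel` against a sample configuration and a loopback connection) or name the target `smoke` so CI results are not overread. In the `sign` recipe, `--force-v3-sigs` is an obsolete compatibility option that current GnuPG releases ignore, so it can be dropped from all three `gpg` invocations; and the three `.sha256` files written with `>` are not themselves signed, so release notes should point verifiers at the detached `.asc` signatures rather than at the checksums.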
465
Makefile.in
@ -1,9 +1,8 @@
# Makefile.in generated by automake 1.11.1 from Makefile.am.
# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@

# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
# Inc.
# Copyright (C) 1994-2013 Free Software Foundation, Inc.

# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
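Review bot: the first two lines show Makefile.in regenerated with automake 1.14.1 instead of 1.11.1, so everything in this file that is not the `edit`, `stunnel.pod`, `sign` or `test` material from Makefile.am is generator churn; review it by diffing against a fresh `autoreconf -fvi` run (the `.travis.yml` before_script already performs one) rather than by reading the hunks, and pin the automake version in the release process so the shipped Makefile.in does not diverge from what the tree regenerates.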
@ -15,7 +14,54 @@

@SET_MAKE@

# by Michal Trojnara 2015-2017

VPATH = @srcdir@
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@ -35,11 +81,14 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = .
DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \
$(srcdir)/Makefile.in $(top_srcdir)/configure AUTHORS COPYING \
ChangeLog INSTALL NEWS TODO auto/compile auto/config.guess \
auto/config.sub auto/depcomp auto/install-sh auto/ltmain.sh \
auto/missing
DIST_COMMON = INSTALL NEWS README AUTHORS ChangeLog \
$(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(top_srcdir)/configure $(am__configure_deps) COPYING TODO \
auto/compile auto/config.guess auto/config.sub auto/depcomp \
auto/install-sh auto/missing auto/ltmain.sh \
$(top_srcdir)/auto/compile $(top_srcdir)/auto/config.guess \
$(top_srcdir)/auto/config.sub $(top_srcdir)/auto/install-sh \
$(top_srcdir)/auto/ltmain.sh $(top_srcdir)/auto/missing
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
@ -53,15 +102,33 @@ mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/src/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
SOURCES =
DIST_SOURCES =
RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
html-recursive info-recursive install-data-recursive \
install-dvi-recursive install-exec-recursive \
install-html-recursive install-info-recursive \
install-pdf-recursive install-ps-recursive install-recursive \
installcheck-recursive installdirs-recursive pdf-recursive \
ps-recursive uninstall-recursive
RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
ctags-recursive dvi-recursive html-recursive info-recursive \
install-data-recursive install-dvi-recursive \
install-exec-recursive install-html-recursive \
install-info-recursive install-pdf-recursive \
install-ps-recursive install-recursive installcheck-recursive \
installdirs-recursive pdf-recursive ps-recursive \
tags-recursive uninstall-recursive
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@ -83,23 +150,53 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
am__installdirs = "$(DESTDIR)$(docdir)"
DATA = $(doc_DATA)
RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
distclean-recursive maintainer-clean-recursive
AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
$(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \
distdir dist dist-all distcheck
am__recursive_targets = \
$(RECURSIVE_TARGETS) \
$(RECURSIVE_CLEAN_TARGETS) \
$(am__extra_recursive_targets)
AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
cscope distdir dist dist-all distcheck
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates. Input order is
# *not* preserved.
am__uniquify_input = $(AWK) '\
BEGIN { nonempty = 0; } \
{ items[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in items) print i; }; } \
'
# Make sure the list of sources is unique. This is necessary because,
# e.g., the same source file might be shared among _SOURCES variables
# for different programs/libraries.
am__define_uniq_tagged_files = \
list='$(am__tagged_files)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
CSCOPE = cscope
DIST_SUBDIRS = $(SUBDIRS)
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
distdir = $(PACKAGE)-$(VERSION)
top_distdir = $(distdir)
am__remove_distdir = \
{ test ! -d "$(distdir)" \
|| { find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
&& rm -fr "$(distdir)"; }; }
if test -d "$(distdir)"; then \
find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
&& rm -rf "$(distdir)" \
|| { sleep 5 && rm -rf "$(distdir)"; }; \
else :; fi
am__post_remove_distdir = $(am__remove_distdir)
am__relativize = \
dir0=`pwd`; \
sed_first='s,^\([^/]*\)/.*$$,\1,'; \
@ -127,9 +224,13 @@ am__relativize = \
reldir="$$dir2"
DIST_ARCHIVES = $(distdir).tar.gz
GZIP_ENV = --best
DIST_TARGETS = dist-gzip
distuninstallcheck_listfiles = find . -type f -print
am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \
| sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$'
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
@ -144,6 +245,7 @@ CYGPATH_W = @CYGPATH_W@
DEFAULT_GROUP = @DEFAULT_GROUP@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@ -168,6 +270,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
@ -183,6 +286,9 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PTHREAD_CC = @PTHREAD_CC@
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
PTHREAD_LIBS = @PTHREAD_LIBS@
RANDOM_FILE = @RANDOM_FILE@
RANLIB = @RANLIB@
SED = @SED@
@ -195,6 +301,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@ -202,6 +309,7 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
ax_pthread_config = @ax_pthread_config@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@ -227,7 +335,6 @@ libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
lt_ECHO = @lt_ECHO@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
@ -235,12 +342,10 @@ pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
runstatedir = @runstatedir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
stunnel_CFLAGS = @stunnel_CFLAGS@
stunnel_LDFLAGF = @stunnel_LDFLAGF@
stunnel_LDFLAGS = @stunnel_LDFLAGS@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
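Review bot: the header shows twelve lines becoming ten while `runstatedir = @runstatedir@` is the only plausible addition, so three of the visible substitutions are being removed; the adjacent `stunnel_CFLAGS`, `stunnel_LDFLAGF` and `stunnel_LDFLAGS` trio is the likely set, and `stunnel_LDFLAGF` reads like a typo of `stunnel_LDFLAGS` that has been carried in the generated file until now. Confirm that configure.ac no longer AC_SUBSTs any of these names, otherwise configure keeps computing values that no Makefile consumes, and check that src/Makefile.am picks up the per-target flags some other way.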
@ -249,14 +354,18 @@ top_srcdir = @top_srcdir@
ACLOCAL_AMFLAGS = -I m4
SUBDIRS = src doc tools
EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE \
INSTALL.FIPS build-android.sh
INSTALL.FIPS build-android.sh .travis.yml
doc_DATA = INSTALL README TODO COPYING AUTHORS ChangeLog PORTS BUGS \
COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE INSTALL.FIPS
distcleancheck_listfiles = find -type f -exec sh -c 'test -f $(srcdir)/{} || echo {}' ';'
edit = sed \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@sysconfdir[@]|$(sysconfdir)|g'

all: all-recursive

.SUFFIXES:
am--refresh:
am--refresh: Makefile
@:
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
@ -301,8 +410,11 @@ distclean-libtool:
-rm -f libtool config.lt
install-docDATA: $(doc_DATA)
@$(NORMAL_INSTALL)
test -z "$(docdir)" || $(MKDIR_P) "$(DESTDIR)$(docdir)"
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
if test -n "$$list"; then \
echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \
$(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \
fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
@ -316,27 +428,28 @@ uninstall-docDATA:
@$(NORMAL_UNINSTALL)
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
test -n "$$files" || exit 0; \
echo " ( cd '$(DESTDIR)$(docdir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(docdir)" && rm -f $$files
dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir)

# This directory's subdirectories are mostly independent; you can cd
# into them and run `make' without going through this Makefile.
# To change the values of `make' variables: instead of editing Makefiles,
# (1) if the variable is set in `config.status', edit `config.status'
# (which will cause the Makefiles to be regenerated when you run `make');
# (2) otherwise, pass the desired values on the `make' command line.
$(RECURSIVE_TARGETS):
@fail= failcom='exit 1'; \
for f in x $$MAKEFLAGS; do \
case $$f in \
*=* | --[!k]*);; \
*k*) failcom='fail=yes';; \
esac; \
done; \
# into them and run 'make' without going through this Makefile.
# To change the values of 'make' variables: instead of editing Makefiles,
# (1) if the variable is set in 'config.status', edit 'config.status'
# (which will cause the Makefiles to be regenerated when you run 'make');
# (2) otherwise, pass the desired values on the 'make' command line.
$(am__recursive_targets):
@fail=; \
if $(am__make_keepgoing); then \
failcom='fail=yes'; \
else \
failcom='exit 1'; \
fi; \
dot_seen=no; \
target=`echo $@ | sed s/-recursive//`; \
list='$(SUBDIRS)'; for subdir in $$list; do \
case "$@" in \
distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
*) list='$(SUBDIRS)' ;; \
esac; \
for subdir in $$list; do \
echo "Making $$target in $$subdir"; \
if test "$$subdir" = "."; then \
dot_seen=yes; \
@ -351,57 +464,12 @@ $(RECURSIVE_TARGETS):
$(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
fi; test -z "$$fail"

$(RECURSIVE_CLEAN_TARGETS):
@fail= failcom='exit 1'; \
for f in x $$MAKEFLAGS; do \
case $$f in \
*=* | --[!k]*);; \
*k*) failcom='fail=yes';; \
esac; \
done; \
dot_seen=no; \
case "$@" in \
distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
*) list='$(SUBDIRS)' ;; \
esac; \
rev=''; for subdir in $$list; do \
if test "$$subdir" = "."; then :; else \
rev="$$subdir $$rev"; \
fi; \
done; \
rev="$$rev ."; \
target=`echo $@ | sed s/-recursive//`; \
for subdir in $$rev; do \
echo "Making $$target in $$subdir"; \
if test "$$subdir" = "."; then \
local_target="$$target-am"; \
else \
local_target="$$target"; \
fi; \
($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
|| eval $$failcom; \
done && test -z "$$fail"
tags-recursive:
list='$(SUBDIRS)'; for subdir in $$list; do \
test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
done
ctags-recursive:
list='$(SUBDIRS)'; for subdir in $$list; do \
test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
done
ID: $(am__tagged_files)
$(am__define_uniq_tagged_files); mkid -fID $$unique
tags: tags-recursive
TAGS: tags

ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS

TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
set x; \
here=`pwd`; \
if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
@ -417,12 +485,7 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
fi; \
done; \
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
$(am__define_uniq_tagged_files); \
shift; \
if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
@ -434,15 +497,11 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$$unique; \
fi; \
fi
ctags: CTAGS
CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
ctags: ctags-recursive

CTAGS: ctags
ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
$(am__define_uniq_tagged_files); \
test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
$$unique
@ -451,9 +510,31 @@ GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
&& $(am__cd) $(top_srcdir) \
&& gtags -i $(GTAGS_ARGS) "$$here"
cscope: cscope.files
test ! -s cscope.files \
|| $(CSCOPE) -b -q $(AM_CSCOPEFLAGS) $(CSCOPEFLAGS) -i cscope.files $(CSCOPE_ARGS)
clean-cscope:
-rm -f cscope.files
cscope.files: clean-cscope cscopelist
cscopelist: cscopelist-recursive

cscopelist-am: $(am__tagged_files)
list='$(am__tagged_files)'; \
case "$(srcdir)" in \
[\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
*) sdir=$(subdir)/$(srcdir) ;; \
esac; \
for i in $$list; do \
if test -f "$$i"; then \
echo "$(subdir)/$$i"; \
else \
echo "$$sdir/$$i"; \
fi; \
done >> $(top_builddir)/cscope.files

distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-rm -f cscope.out cscope.in.out cscope.po.out cscope.files

distdir: $(DISTFILES)
$(am__remove_distdir)
@ -489,13 +570,10 @@ distdir: $(DISTFILES)
done
@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
if test "$$subdir" = .; then :; else \
test -d "$(distdir)/$$subdir" \
|| $(MKDIR_P) "$(distdir)/$$subdir" \
|| exit 1; \
fi; \
done
@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
if test "$$subdir" = .; then :; else \
$(am__make_dryrun) \
|| test -d "$(distdir)/$$subdir" \
|| $(MKDIR_P) "$(distdir)/$$subdir" \
|| exit 1; \
dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
$(am__relativize); \
new_distdir=$$reldir; \
@ -524,36 +602,42 @@ distdir: $(DISTFILES)
|| chmod -R a+r "$(distdir)"
dist-gzip: distdir
tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
$(am__remove_distdir)
$(am__post_remove_distdir)

dist-bzip2: distdir
tardir=$(distdir) && $(am__tar) | bzip2 -9 -c >$(distdir).tar.bz2
$(am__remove_distdir)
tardir=$(distdir) && $(am__tar) | BZIP2=$${BZIP2--9} bzip2 -c >$(distdir).tar.bz2
$(am__post_remove_distdir)

dist-lzma: distdir
tardir=$(distdir) && $(am__tar) | lzma -9 -c >$(distdir).tar.lzma
$(am__remove_distdir)
dist-lzip: distdir
tardir=$(distdir) && $(am__tar) | lzip -c $${LZIP_OPT--9} >$(distdir).tar.lz
$(am__post_remove_distdir)

dist-xz: distdir
tardir=$(distdir) && $(am__tar) | xz -c >$(distdir).tar.xz
$(am__remove_distdir)
tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz
$(am__post_remove_distdir)

dist-tarZ: distdir
@echo WARNING: "Support for shar distribution archives is" \
"deprecated." >&2
@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z
$(am__remove_distdir)
$(am__post_remove_distdir)

dist-shar: distdir
@echo WARNING: "Support for distribution archives compressed with" \
"legacy program 'compress' is deprecated." >&2
@echo WARNING: "It will be removed altogether in Automake 2.0" >&2
shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz
$(am__remove_distdir)
$(am__post_remove_distdir)

dist-zip: distdir
-rm -f $(distdir).zip
zip -rq $(distdir).zip $(distdir)
$(am__remove_distdir)
$(am__post_remove_distdir)

dist dist-all: distdir
tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
$(am__remove_distdir)
dist dist-all:
$(MAKE) $(AM_MAKEFLAGS) $(DIST_TARGETS) am__post_remove_distdir='@:'
$(am__post_remove_distdir)

# This target untars the dist file and tries a VPATH configuration. Then
# it guarantees that the distribution is self-contained by making another
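Review bot: the two deprecation warnings in this hunk are crossed: `dist-tarZ` prints "Support for shar distribution archives is deprecated" while `dist-shar` prints the message about the "legacy program 'compress'". This is generated automake 1.14.1 text, so the fix is to regenerate with an automake release that has the messages the right way round rather than to patch Makefile.in, but until then the committed file misleads anyone who runs either target. The replacement of `dist-lzma` by `dist-lzip` in the same hunk also changes which archive formats `distcheck` can unpack (the `*.tar.lzma*` case is dropped in the next hunk), which matters only if a release script still asks for `.tar.lzma`.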
@ -564,8 +648,8 @@ distcheck: dist
GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\
*.tar.bz2*) \
bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\
*.tar.lzma*) \
lzma -dc $(distdir).tar.lzma | $(am__untar) ;;\
*.tar.lz*) \
lzip -dc $(distdir).tar.lz | $(am__untar) ;;\
*.tar.xz*) \
xz -dc $(distdir).tar.xz | $(am__untar) ;;\
*.tar.Z*) \
@ -575,17 +659,19 @@ distcheck: dist
*.zip*) \
unzip $(distdir).zip ;;\
esac
chmod -R a-w $(distdir); chmod u+w $(distdir)
mkdir $(distdir)/_build
mkdir $(distdir)/_inst
chmod -R a-w $(distdir)
chmod u+w $(distdir)
mkdir $(distdir)/_build $(distdir)/_inst
chmod a-w $(distdir)
test -d $(distdir)/_build || exit 0; \
dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \
&& dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
&& am__cwd=`pwd` \
&& $(am__cd) $(distdir)/_build \
&& ../configure --srcdir=.. --prefix="$$dc_install_base" \
&& ../configure \
$(AM_DISTCHECK_CONFIGURE_FLAGS) \
$(DISTCHECK_CONFIGURE_FLAGS) \
--srcdir=.. --prefix="$$dc_install_base" \
&& $(MAKE) $(AM_MAKEFLAGS) \
&& $(MAKE) $(AM_MAKEFLAGS) dvi \
&& $(MAKE) $(AM_MAKEFLAGS) check \
@ -608,13 +694,21 @@ distcheck: dist
&& $(MAKE) $(AM_MAKEFLAGS) distcleancheck \
&& cd "$$am__cwd" \
|| exit 1
$(am__remove_distdir)
$(am__post_remove_distdir)
@(echo "$(distdir) archives ready for distribution: "; \
list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \
sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x'
distuninstallcheck:
@$(am__cd) '$(distuninstallcheck_dir)' \
&& test `$(distuninstallcheck_listfiles) | wc -l` -le 1 \
@test -n '$(distuninstallcheck_dir)' || { \
echo 'ERROR: trying to run $@ with an empty' \
'$$(distuninstallcheck_dir)' >&2; \
exit 1; \
}; \
$(am__cd) '$(distuninstallcheck_dir)' || { \
echo 'ERROR: cannot chdir into $(distuninstallcheck_dir)' >&2; \
exit 1; \
}; \
test `$(am__distuninstallcheck_listfiles) | wc -l` -eq 0 \
|| { echo "ERROR: files left after uninstall:" ; \
if test -n "$(DESTDIR)"; then \
echo " (check DESTDIR support)"; \
@ -648,10 +742,15 @@ install-am: all-am

installcheck: installcheck-recursive
install-strip:
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
`test -z '$(STRIP)' || \
echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:

clean-generic:
@ -686,7 +785,8 @@ info: info-recursive
info-am:

install-data-am: install-docDATA

@$(NORMAL_INSTALL)
$(MAKE) $(AM_MAKEFLAGS) install-data-hook
install-dvi: install-dvi-recursive

install-dvi-am:
@ -733,46 +833,63 @@ ps-am:

uninstall-am: uninstall-docDATA

.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \
install-am install-strip tags-recursive
.MAKE: $(am__recursive_targets) install-am install-data-am \
install-strip

.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \
all all-am am--refresh check check-am clean clean-generic \
clean-libtool ctags ctags-recursive dist dist-all dist-bzip2 \
dist-gzip dist-lzma dist-shar dist-tarZ dist-xz dist-zip \
distcheck distclean distclean-generic distclean-libtool \
distclean-local distclean-tags distcleancheck distdir \
distuninstallcheck dvi dvi-am html html-am info info-am \
install install-am install-data install-data-am \
install-docDATA install-dvi install-dvi-am install-exec \
install-exec-am install-html install-html-am install-info \
install-info-am install-man install-pdf install-pdf-am \
install-ps install-ps-am install-strip installcheck \
installcheck-am installdirs installdirs-am maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-generic \
mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \
uninstall uninstall-am uninstall-docDATA
.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \
am--refresh check check-am clean clean-cscope clean-generic \
clean-libtool cscope cscopelist-am ctags ctags-am dist \
dist-all dist-bzip2 dist-gzip dist-lzip dist-shar dist-tarZ \
dist-xz dist-zip distcheck distclean distclean-generic \
distclean-libtool distclean-local distclean-tags \
distcleancheck distdir distuninstallcheck dvi dvi-am html \
html-am info info-am install install-am install-data \
install-data-am install-data-hook install-docDATA install-dvi \
install-dvi-am install-exec install-exec-am install-html \
install-html-am install-info install-info-am install-man \
install-pdf install-pdf-am install-ps install-ps-am \
install-strip installcheck installcheck-am installdirs \
installdirs-am maintainer-clean maintainer-clean-generic \
mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
ps ps-am tags tags-am uninstall uninstall-am uninstall-docDATA

libtool: $(LIBTOOL_DEPS)
$(SHELL) ./config.status libtool

distclean-local:
rm -rf autom4te.cache
rm -f $(distdir)-installer.exe
# rm -f $(distdir)-win32-installer.exe

#dist-hook:
# makensis -NOCD -DVERSION=${VERSION} -DSRCDIR=$(srcdir) \
# -DOPENSSL=/usr/src/openssl-0.9.8u-fips/out32dll \
# -DZLIB=/usr/src/zlib-1.2.6-i586 \
# makensis -NOCD -DVERSION=${VERSION} \
# -DSTUNNEL_DIR=$(srcdir) \
# -DROOT_DIR=/usr/src \
# $(srcdir)/tools/stunnel.nsi

# cp -f $(distdir)-installer.exe ../dist
# gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir)-installer.exe

sign: dist
cp -f $(distdir).tar.gz ../dist
gpg --yes --armor --detach-sign --force-v3-sigs ../dist/$(distdir).tar.gz
sha256sum $(distdir).tar.gz | tee ../dist/$(distdir).tar.gz.sha256
cp -f $(distdir).tar.gz $(distdir)-win32-installer.exe $(distdir)-android.zip ../dist
gpg-agent --daemon /bin/sh -c "cd ../dist; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir).tar.gz; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-win32-installer.exe; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-android.zip"
sha256sum $(distdir).tar.gz >../dist/$(distdir).tar.gz.sha256
sha256sum $(distdir)-win32-installer.exe >../dist/$(distdir)-win32-installer.exe.sha256
sha256sum $(distdir)-android.zip >../dist/$(distdir)-android.zip.sha256
cat ../dist/$(distdir)*.sha256 | tac

cert:
$(MAKE) -C tools cert

test:
$(abs_builddir)/src/stunnel -version
@echo "No tests are currently implemented"

install-data-hook:
@echo "*********************************************************"
@echo "* Type 'make cert' to also install a sample certificate *"
@echo "*********************************************************"

stunnel.pod: Makefile
$(edit) '$(srcdir)/$@.in' >$@

stunnel.pod: $(srcdir)/stunnel.pod

# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
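Review bot: everything from `libtool:` down is the generated copy of the Makefile.am hunk above and must come from regeneration, not hand editing, but one defect is visible in both places: `stunnel.pod` gets two rules, `stunnel.pod: Makefile` with a recipe that reads `$(srcdir)/$@.in`, and `stunnel.pod: $(srcdir)/stunnel.pod` with no recipe. The file actually consumed, stunnel.pod.in, is never listed as a prerequisite, so editing it does not trigger a rebuild, and in an in-tree build (where `srcdir` is `.`) the second rule makes the target depend on itself; a single `stunnel.pod: $(srcdir)/stunnel.pod.in Makefile` rule is presumably what was intended. The commented-out `dist-hook` block and the `# rm -f $(distdir)-win32-installer.exe` line are dead code that should be removed or given a comment explaining why they are kept.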
13
PORTS
@ -1,22 +1,17 @@
|
|||
stunnel known port maintainers
|
||||
|
||||
|
||||
* AmigaOS
|
||||
- Diego Casorran <dcr8520@amiga.org>
|
||||
* Cygwin
|
||||
- Andrew Schulman <andrex@alumni.utexas.net>
|
||||
* Debian GNU/Linux
|
||||
- Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com>
|
||||
- Peter Pentchev <roam@ringlet.net>
|
||||
* FreeBSD
|
||||
- Ryan Steinmetz <zi@FreeBSD.org>
|
||||
* NetBSD
|
||||
- Martti Kuparinen <martti.kuparinen@iki.fi>
|
||||
* OpenBSD
|
||||
- Jakob Schlyter <jakob@openbsd.org>
|
||||
* OpenSolaris
|
||||
- Mark Fenwick <Mark.Fenwick@sun.com>
|
||||
* OS/2
|
||||
- Paul Smedley <paul@smedley.info>
|
||||
- Gleydson Soares <gsoares@openbsd.org>
|
||||
* OpenCSW Solaris
|
||||
- Dagobert Michelsen <dam@opencsw.org>
|
||||
* RedHat Linux
|
||||
- Damien Miller <dmiller@ilogic.com.au>
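Review bot: the entry `- Gleydson Soares <gsoares@openbsd.org>` is rendered under the `* OS/2` heading after Paul Smedley, while the address suggests it belongs under `* OpenBSD` beside (or replacing) Jakob Schlyter. The hunk header (`-1,22 +1,17`) shows five lines were dropped and the rendering here does not make the old/new ordering unambiguous, so please confirm the placement in the committed file; a maintainer list is what people use to route security reports, so a mis-filed entry has a real cost.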
TODO
|
@ -3,41 +3,48 @@ stunnel TODO
|
|||
|
||||
High priority features. They will likely be supported some day.
|
||||
A sponsor could allocate my time to get them faster.
|
||||
* Perform protocol negotiations after SSL negotiations if possible.
|
||||
* Command-line server control interface on both Unix and Windows.
|
||||
* Separate GUI process running as current user on Windows.
|
||||
* Add client certificate autoselection based on the list of accepted issuers:
|
||||
SSL_CTX_set_client_cert_cb(), SSL_get_client_CA_list().
|
||||
* Add an Apparmor profile.
|
||||
* Optional line-buffering of the log file.
|
||||
* etc/stunnel/conf.d/* files automatically processed while reading
|
||||
etc/stunnel/stunnel.conf
|
||||
* Android GUI.
|
||||
* Support for CryptoAPI certificates and private keys with OpenSSL CAPI
|
||||
engine (this feature is incompatible with FIPS support).
|
||||
* Indirect CRL support (RFC 3280, section 5).
|
||||
* Log rotation on Windows.
|
||||
* Configuration file option to limit the number of concurrent connections.
|
||||
* SOCKS 4 protocol support.
|
||||
http://archive.socks.permeo.com/protocol/socks4.protocol
|
||||
* Option to redirect instead of rejecting connections on failed authentication.
|
||||
|
||||
Low priority features. They will unlikely ever be supported.
|
||||
* Implement reference counting of the SERVICE_OPTIONS structure
|
||||
- Add 'leastconn' failover strategy to order defined 'connect' targets
|
||||
by the number of active connections.
|
||||
- Add '-status' command line option reporting the number of clients
|
||||
connected to each service.
|
||||
- Deallocate SERVICE_OPTIONS structure when the configuration file
|
||||
is reloaded *and* old connections are closed.
|
||||
* Command-line server control interface on both Unix and Windows.
|
||||
* Separate GUI process running as the current user on Windows.
|
||||
* An Android GUI.
|
||||
* OCSP stapling (tlsext_status).
|
||||
* Extend session tickets and/or sessiond to also serialize application
|
||||
data ("redirect" state and session persistence).
|
||||
* Indirect CRL support (RFC 3280, section 5).
|
||||
* Provide 64-bit Windows builds (besides 32-bit builds).
|
||||
This requires either Microsoft Visual Studio Standard Edition or Microsoft
|
||||
Visual Studio Professional Edition in order to retain FIPS compliance.
|
||||
* Service-level logging configuration (separate verbosity and destination).
|
||||
* Key renegotiation (re-handshake) for long connections.
|
||||
* MSI installer for Windows.
|
||||
* Add user-defined headers to CONNECT proxy requests.
|
||||
This can be used to impersonate other software (e.g. web browsers).
|
||||
|
||||
Low priority features. They will unlikely ever be supported.
|
||||
* Database and/or directory interface for retrieving PSK secrets.
|
||||
* Support static FIPS-enabled build.
|
||||
* Service-level logging destination.
|
||||
* Enforce key renegotiation (re-handshake) for long connections.
|
||||
* Logging to NT EventLog on Windows.
|
||||
* Log rotation on Windows.
|
||||
* Internationalization of logged messages (i18n).
|
||||
* Generic scripting engine instead or static protocol.c.
|
||||
|
||||
Features I won't support, unless convinced otherwise by a wealthy sponsor.
|
||||
* Protocol support *after* SSL is negotiated:
|
||||
- Support for adding X-Forwarded-For to HTTP request headers.
|
||||
This feature is less useful since PROXY protocol support is available.
|
||||
- Support for adding X-Forwarded-For to SMTP email headers.
|
||||
This feature is most likely to be implemented as a separate proxy.
|
||||
* Support for adding X-Forwarded-For to HTTP request headers.
|
||||
This feature is less useful since PROXY protocol support is available.
|
||||
* Support for adding X-Forwarded-For to SMTP email headers.
|
||||
This feature is most likely to be implemented as a separate proxy.
|
||||
* Additional certificate checks (including wildcard comparison) based on:
|
||||
- CN (Common Name);
|
||||
- SAN (Subject Alternative Name);
|
||||
- O (Organization), and
|
||||
- OU (Organizational Unit).
|
||||
* Set processes title that appear on the ps(1) and top(1) commands.
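Review bot: the list is internally inconsistent as rendered. `* Log rotation on Windows.` appears in both the high-priority and the low-priority sections, and key renegotiation is listed twice, once as `* Key renegotiation (re-handshake) for long connections.` and once as `* Enforce key renegotiation (re-handshake) for long connections.`; keep each item in exactly one section. If both `* Perform protocol negotiations after SSL negotiations if possible.` (high priority) and `* Protocol support *after* SSL is negotiated:` (under "Features I won't support") survive in the new file, they contradict each other and one should go. Two wording nits in lines that would otherwise ship: `Generic scripting engine instead or static protocol.c.` should read `instead of`, and `Set processes title that appear on the ps(1) and top(1) commands.` should read `Set the process title that appears in ps(1) and top(1)`.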
auto/compile
|
@ -1,10 +1,9 @@
|
|||
#! /bin/sh
|
||||
# Wrapper for compilers which do not understand `-c -o'.
|
||||
# Wrapper for compilers which do not understand '-c -o'.
|
||||
|
||||
scriptversion=2009-10-06.20; # UTC
|
||||
scriptversion=2012-10-14.11; # UTC
|
||||
|
||||
# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2009 Free Software
|
||||
# Foundation, Inc.
|
||||
# Copyright (C) 1999-2013 Free Software Foundation, Inc.
|
||||
# Written by Tom Tromey <tromey@cygnus.com>.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
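Review bot: this is a vendored automake helper (`scriptversion=2012-10-14.11`), so the useful check is not a line-by-line read but confirming the file is byte-identical to the copy shipped with the automake release that generated the rest of the build system. A modified compile wrapper is a classic place to hide a supply-chain change that never appears in the project's own sources, and a diff against the upstream tarball takes seconds.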
|
||||
|
@ -29,21 +28,224 @@ scriptversion=2009-10-06.20; # UTC
|
|||
# bugs to <bug-automake@gnu.org> or send patches to
|
||||
# <automake-patches@gnu.org>.
|
||||
|
||||
nl='
|
||||
'
|
||||
|
||||
# We need space, tab and new line, in precisely that order. Quoting is
|
||||
# there to prevent tools from complaining about whitespace usage.
|
||||
IFS=" "" $nl"
|
||||
|
||||
file_conv=
|
||||
|
||||
# func_file_conv build_file lazy
|
||||
# Convert a $build file to $host form and store it in $file
|
||||
# Currently only supports Windows hosts. If the determined conversion
|
||||
# type is listed in (the comma separated) LAZY, no conversion will
|
||||
# take place.
|
||||
func_file_conv ()
|
||||
{
|
||||
file=$1
|
||||
case $file in
|
||||
/ | /[!/]*) # absolute file, and not a UNC file
|
||||
if test -z "$file_conv"; then
|
||||
# lazily determine how to convert abs files
|
||||
case `uname -s` in
|
||||
MINGW*)
|
||||
file_conv=mingw
|
||||
;;
|
||||
CYGWIN*)
|
||||
file_conv=cygwin
|
||||
;;
|
||||
*)
|
||||
file_conv=wine
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
case $file_conv/,$2, in
|
||||
*,$file_conv,*)
|
||||
;;
|
||||
mingw/*)
|
||||
file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'`
|
||||
;;
|
||||
cygwin/*)
|
||||
file=`cygpath -m "$file" || echo "$file"`
|
||||
;;
|
||||
wine/*)
|
||||
file=`winepath -w "$file" || echo "$file"`
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
# func_cl_dashL linkdir
|
||||
# Make cl look for libraries in LINKDIR
|
||||
func_cl_dashL ()
|
||||
{
|
||||
func_file_conv "$1"
|
||||
if test -z "$lib_path"; then
|
||||
lib_path=$file
|
||||
else
|
||||
lib_path="$lib_path;$file"
|
||||
fi
|
||||
linker_opts="$linker_opts -LIBPATH:$file"
|
||||
}
|
||||
|
||||
# func_cl_dashl library
|
||||
# Do a library search-path lookup for cl
|
||||
func_cl_dashl ()
|
||||
{
|
||||
lib=$1
|
||||
found=no
|
||||
save_IFS=$IFS
|
||||
IFS=';'
|
||||
for dir in $lib_path $LIB
|
||||
do
|
||||
IFS=$save_IFS
|
||||
if $shared && test -f "$dir/$lib.dll.lib"; then
|
||||
found=yes
|
||||
lib=$dir/$lib.dll.lib
|
||||
break
|
||||
fi
|
||||
if test -f "$dir/$lib.lib"; then
|
||||
found=yes
|
||||
lib=$dir/$lib.lib
|
||||
break
|
||||
fi
|
||||
if test -f "$dir/lib$lib.a"; then
|
||||
found=yes
|
||||
lib=$dir/lib$lib.a
|
||||
break
|
||||
fi
|
||||
done
|
||||
IFS=$save_IFS
|
||||
|
||||
if test "$found" != yes; then
|
||||
lib=$lib.lib
|
||||
fi
|
||||
}
|
||||
|
||||
# func_cl_wrapper cl arg...
|
||||
# Adjust compile command to suit cl
|
||||
func_cl_wrapper ()
|
||||
{
|
||||
# Assume a capable shell
|
||||
lib_path=
|
||||
shared=:
|
||||
linker_opts=
|
||||
for arg
|
||||
do
|
||||
if test -n "$eat"; then
|
||||
eat=
|
||||
else
|
||||
case $1 in
|
||||
-o)
|
||||
# configure might choose to run compile as 'compile cc -o foo foo.c'.
|
||||
eat=1
|
||||
case $2 in
|
||||
*.o | *.[oO][bB][jJ])
|
||||
func_file_conv "$2"
|
||||
set x "$@" -Fo"$file"
|
||||
shift
|
||||
;;
|
||||
*)
|
||||
func_file_conv "$2"
|
||||
set x "$@" -Fe"$file"
|
||||
shift
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
-I)
|
||||
eat=1
|
||||
func_file_conv "$2" mingw
|
||||
set x "$@" -I"$file"
|
||||
shift
|
||||
;;
|
||||
-I*)
|
||||
func_file_conv "${1#-I}" mingw
|
||||
set x "$@" -I"$file"
|
||||
shift
|
||||
;;
|
||||
-l)
|
||||
eat=1
|
||||
func_cl_dashl "$2"
|
||||
set x "$@" "$lib"
|
||||
shift
|
||||
;;
|
||||
-l*)
|
||||
func_cl_dashl "${1#-l}"
|
||||
set x "$@" "$lib"
|
||||
shift
|
||||
;;
|
||||
-L)
|
||||
eat=1
|
||||
func_cl_dashL "$2"
|
||||
;;
|
||||
-L*)
|
||||
func_cl_dashL "${1#-L}"
|
||||
;;
|
||||
-static)
|
||||
shared=false
|
||||
;;
|
||||
-Wl,*)
|
||||
arg=${1#-Wl,}
|
||||
save_ifs="$IFS"; IFS=','
|
||||
for flag in $arg; do
|
||||
IFS="$save_ifs"
|
||||
linker_opts="$linker_opts $flag"
|
||||
done
|
||||
IFS="$save_ifs"
|
||||
;;
|
||||
-Xlinker)
|
||||
eat=1
|
||||
linker_opts="$linker_opts $2"
|
||||
;;
|
||||
-*)
|
||||
set x "$@" "$1"
|
||||
shift
|
||||
;;
|
||||
*.cc | *.CC | *.cxx | *.CXX | *.[cC]++)
|
||||
func_file_conv "$1"
|
||||
set x "$@" -Tp"$file"
|
||||
shift
|
||||
;;
|
||||
*.c | *.cpp | *.CPP | *.lib | *.LIB | *.Lib | *.OBJ | *.obj | *.[oO])
|
||||
func_file_conv "$1" mingw
|
||||
set x "$@" "$file"
|
||||
shift
|
||||
;;
|
||||
*)
|
||||
set x "$@" "$1"
|
||||
shift
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
shift
|
||||
done
|
||||
if test -n "$linker_opts"; then
|
||||
linker_opts="-link$linker_opts"
|
||||
fi
|
||||
exec "$@" $linker_opts
|
||||
exit 1
|
||||
}
|
||||
|
||||
eat=
|
||||
|
||||
case $1 in
|
||||
'')
|
||||
echo "$0: No command. Try \`$0 --help' for more information." 1>&2
|
||||
echo "$0: No command. Try '$0 --help' for more information." 1>&2
|
||||
exit 1;
|
||||
;;
|
||||
-h | --h*)
|
||||
cat <<\EOF
|
||||
Usage: compile [--help] [--version] PROGRAM [ARGS]
|
||||
|
||||
Wrapper for compilers which do not understand `-c -o'.
|
||||
Remove `-o dest.o' from ARGS, run PROGRAM with the remaining
|
||||
Wrapper for compilers which do not understand '-c -o'.
|
||||
Remove '-o dest.o' from ARGS, run PROGRAM with the remaining
|
||||
arguments, and rename the output as expected.
|
||||
|
||||
If you are trying to build a whole package this is not the
|
||||
right script to run: please start by reading the file `INSTALL'.
|
||||
right script to run: please start by reading the file 'INSTALL'.
|
||||
|
||||
Report bugs to <bug-automake@gnu.org>.
|
||||
EOF
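Review bot: in `func_cl_wrapper`, `exec "$@" $linker_opts` intentionally leaves `$linker_opts` unquoted so the accumulated `-LIBPATH:` and `-Wl,` flags split into separate words, but the same splitting breaks any library directory containing whitespace; `func_cl_dashL` builds `linker_opts="$linker_opts -LIBPATH:$file"` from a converted Windows path, which is exactly where that bites. The `exit 1` after `exec` is reached only if exec itself fails, which is the intended behaviour. Nothing to change if this matches upstream automake; flagging the limitation so nobody "fixes" the quoting locally and diverges from upstream.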
|
||||
|
@ -53,11 +255,13 @@ EOF
|
|||
echo "compile $scriptversion"
|
||||
exit $?
|
||||
;;
|
||||
cl | *[/\\]cl | cl.exe | *[/\\]cl.exe )
|
||||
func_cl_wrapper "$@" # Doesn't return...
|
||||
;;
|
||||
esac
|
||||
|
||||
ofile=
|
||||
cfile=
|
||||
eat=
|
||||
|
||||
for arg
|
||||
do
|
||||
|
@ -66,8 +270,8 @@ do
|
|||
else
|
||||
case $1 in
|
||||
-o)
|
||||
# configure might choose to run compile as `compile cc -o foo foo.c'.
|
||||
# So we strip `-o arg' only if arg is an object.
|
||||
# configure might choose to run compile as 'compile cc -o foo foo.c'.
|
||||
# So we strip '-o arg' only if arg is an object.
|
||||
eat=1
|
||||
case $2 in
|
||||
*.o | *.obj)
|
||||
|
@ -94,10 +298,10 @@ do
|
|||
done
|
||||
|
||||
if test -z "$ofile" || test -z "$cfile"; then
|
||||
# If no `-o' option was seen then we might have been invoked from a
|
||||
# If no '-o' option was seen then we might have been invoked from a
|
||||
# pattern rule where we don't need one. That is ok -- this is a
|
||||
# normal compilation that the losing compiler can handle. If no
|
||||
# `.c' file was seen then we are probably linking. That is also
|
||||
# '.c' file was seen then we are probably linking. That is also
|
||||
# ok.
|
||||
exec "$@"
|
||||
fi
|
||||
|
@ -106,7 +310,7 @@ fi
|
|||
cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'`
|
||||
|
||||
# Create the lock directory.
|
||||
# Note: use `[/\\:.-]' here to ensure that we don't use the same name
|
||||
# Note: use '[/\\:.-]' here to ensure that we don't use the same name
|
||||
# that we are using for the .o file. Also, base the name on the expected
|
||||
# object file name, since that is what matters with a parallel build.
|
||||
lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d
|
||||
@ -1,14 +1,12 @@
|
|||
#! /bin/sh
|
||||
# Attempt to guess a canonical system name.
|
||||
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
|
||||
# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
|
||||
# 2011 Free Software Foundation, Inc.
|
||||
# Copyright 1992-2014 Free Software Foundation, Inc.
|
||||
|
||||
timestamp='2011-11-11'
|
||||
timestamp='2014-03-23'
|
||||
|
||||
# This file is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation; either version 2 of the License, or
|
||||
# the Free Software Foundation; either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful, but
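Review bot: the header moves this file from GPLv2-or-later to GPLv3-or-later (`either version 3 of the License`), with the Autoconf exception restated as an additional permission under GPLv3 section 7. That exception is what allows the script to ship inside a program distributed under other terms, so the change is fine for the project, but any packaging or licensing notes that describe config.guess as GPLv2 should be updated in the same commit.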
|
||||
|
@ -17,26 +15,22 @@ timestamp='2011-11-11'
|
|||
# General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
|
||||
# 02110-1301, USA.
|
||||
# along with this program; if not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
# As a special exception to the GNU General Public License, if you
|
||||
# distribute this file as part of a program that contains a
|
||||
# configuration script generated by Autoconf, you may include it under
|
||||
# the same distribution terms that you use for the rest of that program.
|
||||
|
||||
|
||||
# Originally written by Per Bothner. Please send patches (context
|
||||
# diff format) to <config-patches@gnu.org> and include a ChangeLog
|
||||
# entry.
|
||||
# the same distribution terms that you use for the rest of that
|
||||
# program. This Exception is an additional permission under section 7
|
||||
# of the GNU General Public License, version 3 ("GPLv3").
|
||||
#
|
||||
# This script attempts to guess a canonical system name similar to
|
||||
# config.sub. If it succeeds, it prints the system name on stdout, and
|
||||
# exits with 0. Otherwise, it exits with 1.
|
||||
# Originally written by Per Bothner.
|
||||
#
|
||||
# You can get the latest version of this script from:
|
||||
# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
|
||||
#
|
||||
# Please send patches with a ChangeLog entry to config-patches@gnu.org.
|
||||
|
||||
|
||||
me=`echo "$0" | sed -e 's,.*/,,'`
|
||||
|
||||
|
@ -56,9 +50,7 @@ version="\
|
|||
GNU config.guess ($timestamp)
|
||||
|
||||
Originally written by Per Bothner.
|
||||
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
|
||||
2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free
|
||||
Software Foundation, Inc.
|
||||
Copyright 1992-2014 Free Software Foundation, Inc.
|
||||
|
||||
This is free software; see the source for copying conditions. There is NO
|
||||
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
|
||||
|
@ -140,12 +132,33 @@ UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
|
|||
UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown
|
||||
UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
|
||||
|
||||
case "${UNAME_SYSTEM}" in
|
||||
Linux|GNU|GNU/*)
|
||||
# If the system lacks a compiler, then just pick glibc.
|
||||
# We could probably try harder.
|
||||
LIBC=gnu
|
||||
|
||||
eval $set_cc_for_build
|
||||
cat <<-EOF > $dummy.c
|
||||
#include <features.h>
|
||||
#if defined(__UCLIBC__)
|
||||
LIBC=uclibc
|
||||
#elif defined(__dietlibc__)
|
||||
LIBC=dietlibc
|
||||
#else
|
||||
LIBC=gnu
|
||||
#endif
|
||||
EOF
|
||||
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'`
|
||||
;;
|
||||
esac
|
||||
|
||||
# Note: order is significant - the case branches are not exclusive.
|
||||
|
||||
case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
|
||||
*:NetBSD:*:*)
|
||||
# NetBSD (nbsd) targets should (where applicable) match one or
|
||||
# more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
|
||||
# more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*,
|
||||
# *-*-netbsdecoff* and *-*-netbsd*. For targets that recently
|
||||
# switched to ELF, *-*-netbsd* would select the old
|
||||
# object file format. This provides both forward
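Review bot: the new `Linux|GNU|GNU/*` branch runs the build compiler on a generated source file and then evaluates its output: `eval \`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'\``. The `grep '^LIBC'` filter is what keeps this safe, since only preprocessed lines beginning with `LIBC` ever reach `eval`; keep that filter intact if the block is ever touched. `$dummy.c` is also unquoted, so `$dummy` (set up in the script's temp-dir code, not shown here) must not contain whitespace; that is upstream's assumption and it holds for the `config.guess` temp-dir layout, but it is worth knowing when debugging a failed configure on an odd build host.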
|
||||
|
@ -202,6 +215,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
|
|||
# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
|
||||
echo "${machine}-${os}${release}"
|
||||
exit ;;
|
||||
*:Bitrig:*:*)
|
||||
UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'`
|
||||
echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE}
|
||||
exit ;;
|
||||
*:OpenBSD:*:*)
|
||||
UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
|
||||
echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
|
||||
|
@ -304,7 +321,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
|
|||
arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
|
||||
echo arm-acorn-riscix${UNAME_RELEASE}
|
||||
exit ;;
|
||||
arm:riscos:*:*|arm:RISCOS:*:*)
|
||||
arm*:riscos:*:*|arm*:RISCOS:*:*)
|
||||
echo arm-unknown-riscos
|
||||
exit ;;
|
||||
SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
|
||||
|
@ -803,10 +820,13 @@ EOF
|
|||
i*:CYGWIN*:*)
|
||||
echo ${UNAME_MACHINE}-pc-cygwin
|
||||
exit ;;
|
||||
*:MINGW64*:*)
|
||||
echo ${UNAME_MACHINE}-pc-mingw64
|
||||
exit ;;
|
||||
*:MINGW*:*)
|
||||
echo ${UNAME_MACHINE}-pc-mingw32
|
||||
exit ;;
|
||||
i*:MSYS*:*)
|
||||
*:MSYS*:*)
|
||||
echo ${UNAME_MACHINE}-pc-msys
|
||||
exit ;;
|
||||
i*:windows32*:*)
|
||||
|
@ -854,15 +874,22 @@ EOF
|
|||
exit ;;
|
||||
*:GNU:*:*)
|
||||
# the GNU system
|
||||
echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
|
||||
echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
|
||||
exit ;;
|
||||
*:GNU/*:*:*)
|
||||
# other systems with GNU libc and userland
|
||||
echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC}
|
||||
exit ;;
|
||||
i*86:Minix:*:*)
|
||||
echo ${UNAME_MACHINE}-pc-minix
|
||||
exit ;;
|
||||
aarch64:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
aarch64_be:Linux:*:*)
|
||||
UNAME_MACHINE=aarch64_be
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
alpha:Linux:*:*)
|
||||
case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
|
||||
EV5) UNAME_MACHINE=alphaev5 ;;
|
||||
|
@ -874,59 +901,54 @@ EOF
|
|||
EV68*) UNAME_MACHINE=alphaev68 ;;
|
||||
esac
|
||||
objdump --private-headers /bin/sh | grep -q ld.so.1
|
||||
if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
|
||||
if test "$?" = 0 ; then LIBC="gnulibc1" ; fi
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
arc:Linux:*:* | arceb:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
arm*:Linux:*:*)
|
||||
eval $set_cc_for_build
|
||||
if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \
|
||||
| grep -q __ARM_EABI__
|
||||
then
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
else
|
||||
if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \
|
||||
| grep -q __ARM_PCS_VFP
|
||||
then
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnueabi
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi
|
||||
else
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnueabihf
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf
|
||||
fi
|
||||
fi
|
||||
exit ;;
|
||||
avr32*:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
cris:Linux:*:*)
|
||||
echo cris-axis-linux-gnu
|
||||
echo ${UNAME_MACHINE}-axis-linux-${LIBC}
|
||||
exit ;;
|
||||
crisv32:Linux:*:*)
|
||||
echo crisv32-axis-linux-gnu
|
||||
echo ${UNAME_MACHINE}-axis-linux-${LIBC}
|
||||
exit ;;
|
||||
frv:Linux:*:*)
|
||||
echo frv-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
hexagon:Linux:*:*)
|
||||
echo hexagon-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
i*86:Linux:*:*)
|
||||
LIBC=gnu
|
||||
eval $set_cc_for_build
|
||||
sed 's/^ //' << EOF >$dummy.c
|
||||
#ifdef __dietlibc__
|
||||
LIBC=dietlibc
|
||||
#endif
|
||||
EOF
|
||||
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'`
|
||||
echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
|
||||
echo ${UNAME_MACHINE}-pc-linux-${LIBC}
|
||||
exit ;;
|
||||
ia64:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
m32r*:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
m68*:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
mips:Linux:*:* | mips64:Linux:*:*)
|
||||
eval $set_cc_for_build
|
||||
|
@ -945,54 +967,63 @@ EOF
|
|||
#endif
|
||||
EOF
|
||||
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
|
||||
test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
|
||||
test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; }
|
||||
;;
|
||||
or32:Linux:*:*)
|
||||
echo or32-unknown-linux-gnu
|
||||
openrisc*:Linux:*:*)
|
||||
echo or1k-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
or32:Linux:*:* | or1k*:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
padre:Linux:*:*)
|
||||
echo sparc-unknown-linux-gnu
|
||||
echo sparc-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
parisc64:Linux:*:* | hppa64:Linux:*:*)
|
||||
echo hppa64-unknown-linux-gnu
|
||||
echo hppa64-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
parisc:Linux:*:* | hppa:Linux:*:*)
|
||||
# Look for CPU level
|
||||
case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
|
||||
PA7*) echo hppa1.1-unknown-linux-gnu ;;
|
||||
PA8*) echo hppa2.0-unknown-linux-gnu ;;
|
||||
*) echo hppa-unknown-linux-gnu ;;
|
||||
PA7*) echo hppa1.1-unknown-linux-${LIBC} ;;
|
||||
PA8*) echo hppa2.0-unknown-linux-${LIBC} ;;
|
||||
*) echo hppa-unknown-linux-${LIBC} ;;
|
||||
esac
|
||||
exit ;;
|
||||
ppc64:Linux:*:*)
|
||||
echo powerpc64-unknown-linux-gnu
|
||||
echo powerpc64-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
ppc:Linux:*:*)
|
||||
echo powerpc-unknown-linux-gnu
|
||||
echo powerpc-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
ppc64le:Linux:*:*)
|
||||
echo powerpc64le-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
ppcle:Linux:*:*)
|
||||
echo powerpcle-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
s390:Linux:*:* | s390x:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-ibm-linux
|
||||
echo ${UNAME_MACHINE}-ibm-linux-${LIBC}
|
||||
exit ;;
|
||||
sh64*:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
sh*:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
sparc:Linux:*:* | sparc64:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
tile*:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
vax:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-dec-linux-gnu
|
||||
echo ${UNAME_MACHINE}-dec-linux-${LIBC}
|
||||
exit ;;
|
||||
x86_64:Linux:*:*)
|
||||
echo x86_64-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
xtensa*:Linux:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-linux-gnu
|
||||
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
|
||||
exit ;;
|
||||
i*86:DYNIX/ptx:4*:*)
|
||||
# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
|
||||
|
@ -1196,6 +1227,9 @@ EOF
|
|||
BePC:Haiku:*:*) # Haiku running on Intel PC compatible.
|
||||
echo i586-pc-haiku
|
||||
exit ;;
|
||||
x86_64:Haiku:*:*)
|
||||
echo x86_64-unknown-haiku
|
||||
exit ;;
|
||||
SX-4:SUPER-UX:*:*)
|
||||
echo sx4-nec-superux${UNAME_RELEASE}
|
||||
exit ;;
|
||||
|
@ -1222,19 +1256,31 @@ EOF
|
|||
exit ;;
|
||||
*:Darwin:*:*)
|
||||
UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
|
||||
case $UNAME_PROCESSOR in
|
||||
i386)
|
||||
eval $set_cc_for_build
|
||||
if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
|
||||
if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
|
||||
(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
|
||||
grep IS_64BIT_ARCH >/dev/null
|
||||
then
|
||||
UNAME_PROCESSOR="x86_64"
|
||||
fi
|
||||
fi ;;
|
||||
unknown) UNAME_PROCESSOR=powerpc ;;
|
||||
esac
|
||||
eval $set_cc_for_build
|
||||
if test "$UNAME_PROCESSOR" = unknown ; then
|
||||
UNAME_PROCESSOR=powerpc
|
||||
fi
|
||||
if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then
|
||||
if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
|
||||
if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
|
||||
(CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
|
||||
grep IS_64BIT_ARCH >/dev/null
|
||||
then
|
||||
case $UNAME_PROCESSOR in
|
||||
i386) UNAME_PROCESSOR=x86_64 ;;
|
||||
powerpc) UNAME_PROCESSOR=powerpc64 ;;
|
||||
esac
|
||||
fi
|
||||
fi
|
||||
elif test "$UNAME_PROCESSOR" = i386 ; then
|
||||
# Avoid executing cc on OS X 10.9, as it ships with a stub
|
||||
# that puts up a graphical alert prompting to install
|
||||
# developer tools. Any system running Mac OS X 10.7 or
|
||||
# later (Darwin 11 and later) is required to have a 64-bit
|
||||
# processor. This is not true of the ARM version of Darwin
|
||||
# that Apple uses in portable devices.
|
||||
UNAME_PROCESSOR=x86_64
|
||||
fi
|
||||
echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
|
||||
exit ;;
|
||||
*:procnto*:*:* | *:QNX:[0123456789]*:*)
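Review bot: the Darwin rewrite stops executing `$CC_FOR_BUILD` on Darwin 11 and later (the `-le 10` guard) and, when `uname -p` reports `i386`, assumes `x86_64` outright; the comment explains the motivation (the OS X 10.9 `cc` stub raises a GUI prompt to install developer tools). The logic is consistent: the `powerpc) UNAME_PROCESSOR=powerpc64` case only runs inside the `-le 10` branch, so old PowerPC 64-bit detection is preserved, and the `elif` only fires for `i386`, so the stated ARM caveat cannot misfire. Running a compiler during host detection is itself a step that should not be needed, so fewer code paths that do it is the right direction.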
|
||||
|
@ -1251,7 +1297,7 @@ EOF
|
|||
NEO-?:NONSTOP_KERNEL:*:*)
|
||||
echo neo-tandem-nsk${UNAME_RELEASE}
|
||||
exit ;;
|
||||
NSE-?:NONSTOP_KERNEL:*:*)
|
||||
NSE-*:NONSTOP_KERNEL:*:*)
|
||||
echo nse-tandem-nsk${UNAME_RELEASE}
|
||||
exit ;;
|
||||
NSR-?:NONSTOP_KERNEL:*:*)
|
||||
|
@ -1320,159 +1366,11 @@ EOF
|
|||
i*86:AROS:*:*)
|
||||
echo ${UNAME_MACHINE}-pc-aros
|
||||
exit ;;
|
||||
x86_64:VMkernel:*:*)
|
||||
echo ${UNAME_MACHINE}-unknown-esx
|
||||
exit ;;
|
||||
esac
|
||||
|
||||
#echo '(No uname command or uname output not recognized.)' 1>&2
|
||||
#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
|
||||
|
||||
eval $set_cc_for_build
|
||||
cat >$dummy.c <<EOF
|
||||
#ifdef _SEQUENT_
|
||||
# include <sys/types.h>
|
||||
# include <sys/utsname.h>
|
||||
#endif
|
||||
main ()
|
||||
{
|
||||
#if defined (sony)
|
||||
#if defined (MIPSEB)
|
||||
/* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed,
|
||||
I don't know.... */
|
||||
printf ("mips-sony-bsd\n"); exit (0);
|
||||
#else
|
||||
#include <sys/param.h>
|
||||
printf ("m68k-sony-newsos%s\n",
|
||||
#ifdef NEWSOS4
|
||||
"4"
|
||||
#else
|
||||
""
|
||||
#endif
|
||||
); exit (0);
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined (__arm) && defined (__acorn) && defined (__unix)
|
||||
printf ("arm-acorn-riscix\n"); exit (0);
|
||||
#endif
|
||||
|
||||
#if defined (hp300) && !defined (hpux)
|
||||
printf ("m68k-hp-bsd\n"); exit (0);
|
||||
#endif
|
||||
|
||||
#if defined (NeXT)
|
||||
#if !defined (__ARCHITECTURE__)
|
||||
#define __ARCHITECTURE__ "m68k"
|
||||
#endif
|
||||
int version;
|
||||
version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
|
||||
if (version < 4)
|
||||
printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
|
||||
else
|
||||
printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
|
||||
exit (0);
|
||||
#endif
|
||||
|
||||
#if defined (MULTIMAX) || defined (n16)
|
||||
#if defined (UMAXV)
|
||||
printf ("ns32k-encore-sysv\n"); exit (0);
|
||||
#else
|
||||
#if defined (CMU)
|
||||
printf ("ns32k-encore-mach\n"); exit (0);
|
||||
#else
|
||||
printf ("ns32k-encore-bsd\n"); exit (0);
|
||||
#endif
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined (__386BSD__)
|
||||
printf ("i386-pc-bsd\n"); exit (0);
|
||||
#endif
|
||||
|
||||
#if defined (sequent)
|
||||
#if defined (i386)
|
||||
printf ("i386-sequent-dynix\n"); exit (0);
|
||||
#endif
|
||||
#if defined (ns32000)
|
||||
printf ("ns32k-sequent-dynix\n"); exit (0);
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined (_SEQUENT_)
|
||||
struct utsname un;
|
||||
|
||||
uname(&un);
|
||||
|
||||
if (strncmp(un.version, "V2", 2) == 0) {
|
||||
printf ("i386-sequent-ptx2\n"); exit (0);
|
||||
}
|
||||
if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
|
||||
printf ("i386-sequent-ptx1\n"); exit (0);
|
||||
}
|
||||
printf ("i386-sequent-ptx\n"); exit (0);
|
||||
|
||||
#endif
|
||||
|
||||
#if defined (vax)
|
||||
# if !defined (ultrix)
|
||||
# include <sys/param.h>
|
||||
# if defined (BSD)
|
||||
# if BSD == 43
|
||||
printf ("vax-dec-bsd4.3\n"); exit (0);
|
||||
# else
|
||||
# if BSD == 199006
|
||||
printf ("vax-dec-bsd4.3reno\n"); exit (0);
|
||||
# else
|
||||
printf ("vax-dec-bsd\n"); exit (0);
|
||||
# endif
|
||||
# endif
|
||||
# else
|
||||
printf ("vax-dec-bsd\n"); exit (0);
|
||||
# endif
|
||||
# else
|
||||
printf ("vax-dec-ultrix\n"); exit (0);
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#if defined (alliant) && defined (i860)
|
||||
printf ("i860-alliant-bsd\n"); exit (0);
|
||||
#endif
|
||||
|
||||
exit (1);
|
||||
}
|
||||
EOF
|
||||
|
||||
$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` &&
|
||||
{ echo "$SYSTEM_NAME"; exit; }
|
||||
|
||||
# Apollos put the system type in the environment.
|
||||
|
||||
test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; }
|
||||
|
||||
# Convex versions that predate uname can use getsysinfo(1)
|
||||
|
||||
if [ -x /usr/convex/getsysinfo ]
|
||||
then
|
||||
case `getsysinfo -f cpu_type` in
|
||||
c1*)
|
||||
echo c1-convex-bsd
|
||||
exit ;;
|
||||
c2*)
|
||||
if getsysinfo -f scalar_acc
|
||||
then echo c32-convex-bsd
|
||||
else echo c2-convex-bsd
|
||||
fi
|
||||
exit ;;
|
||||
c34*)
|
||||
echo c34-convex-bsd
|
||||
exit ;;
|
||||
c38*)
|
||||
echo c38-convex-bsd
|
||||
exit ;;
|
||||
c4*)
|
||||
echo c4-convex-bsd
|
||||
exit ;;
|
||||
esac
|
||||
fi
|
||||
|
||||
cat >&2 <<EOF
|
||||
$0: unable to guess system type
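Review bot: this hunk deletes the last-resort path that compiled `$dummy.c` with `$CC_FOR_BUILD` and ran the resulting binary (`SYSTEM_NAME=\`$dummy\``) to identify Sony NEWS, NeXT, Sequent, VAX and similar hosts. Compiling and executing a generated program from a temporary directory during configure is exactly the kind of step that should disappear, and none of the removed targets is a platform the PORTS file lists, so the removal is welcome. The hunk header (`-1320,159 +1366,11`) says 148 lines go away, so please confirm whether the Apollo (`test -d /usr/apollo`) and Convex (`getsysinfo`) fallbacks shown here are also dropped; the rendering does not make that clear.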
@ -1,38 +1,31 @@
#! /bin/sh
# Configuration validation subroutine script.
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010,
# 2011 Free Software Foundation, Inc.
# Copyright 1992-2014 Free Software Foundation, Inc.

timestamp='2011-11-11'
timestamp='2014-09-11'

# This file is (in principle) common to ALL GNU software.
# The presence of a machine in this file suggests that SOME GNU software
# can handle that machine. It does not imply ALL GNU software can.
#
# This file is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
# 02110-1301, USA.
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# the same distribution terms that you use for the rest of that
# program. This Exception is an additional permission under section 7
# of the GNU General Public License, version 3 ("GPLv3").


# Please send patches to <config-patches@gnu.org>. Submit a context
# diff and a properly formatted GNU ChangeLog entry.
# Please send patches with a ChangeLog entry to config-patches@gnu.org.
#
# Configuration subroutine to validate and canonicalize a configuration type.
# Supply the specified configuration type as an argument.
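Review bot: two things change here beyond wording: `timestamp='2011-11-11'` becomes `timestamp='2014-09-11'`, and the licence moves from `either version 2 of the License` to `either version 3 of the License` with the GPLv3 section 7 exception. Both should be named in the commit message, and the imported config.sub should be compared against the GNU config copy of that date, so that a vendored build helper can be verified rather than trusted as shipped.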
@ -75,9 +68,7 @@ Report bugs and patches to <config-patches@gnu.org>."
version="\
GNU config.sub ($timestamp)

Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000,
2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free
Software Foundation, Inc.
Copyright 1992-2014 Free Software Foundation, Inc.

This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@ -125,13 +116,17 @@ esac
maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
case $maybe_os in
nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
knetbsd*-gnu* | netbsd*-gnu* | \
kopensolaris*-gnu* | \
storm-chaos* | os2-emx* | rtmk-nova*)
os=-$maybe_os
basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
;;
android-linux)
os=-linux-android
basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown
;;
*)
basic_machine=`echo $1 | sed 's/-[^-]*$//'`
if [ $basic_machine != $1 ]
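Review bot: the new `android-linux)` arm derives `basic_machine` by stripping the trailing os-libc pair and appending `-unknown`, and `linux-musl*` joins the recognised `$maybe_os` patterns. Note that this arm, like the existing ones, uses `echo $1` unquoted inside the backticks, so an argument containing glob characters undergoes pathname expansion before `sed` sees it; an upstream pattern rather than something introduced here, but it is why config.sub should only ever be fed trusted triplets.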
@ -154,7 +149,7 @@ case $os in
-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
-apple | -axis | -knuth | -cray | -microblaze)
-apple | -axis | -knuth | -cray | -microblaze*)
os=
basic_machine=$1
;;
@ -223,6 +218,12 @@ case $os in
-isc*)
basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
;;
-lynx*178)
os=-lynxos178
;;
-lynx*5)
os=-lynxos5
;;
-lynx*)
os=-lynxos
;;
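Review bot: the new `-lynx*178)` and `-lynx*5)` arms only work because they precede the catch-all `-lynx*)`; `case` takes the first matching pattern, so reordering these later would silently map `lynxos178` back to plain `-lynxos`. A one-line comment above the three arms would protect that ordering.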
@ -247,13 +248,16 @@ case $basic_machine in
# Some are omitted here because they have special meanings below.
1750a | 580 \
| a29k \
| aarch64 | aarch64_be \
| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
| am33_2.0 \
| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \
| be32 | be64 \
| arc | arceb \
| arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \
| avr | avr32 \
| be32 | be64 \
| bfin \
| c4x | clipper \
| c4x | c8051 | clipper \
| d10v | d30v | dlx | dsp16xx \
| epiphany \
| fido | fr30 | frv \
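Review bot: the `armv[2-8] | armv[3-8][lb] | armv7[arm]` patterns are strict supersets of the removed `armv[2345] | armv[345][lb]`, so nothing previously accepted is lost; `arceb`, `c8051`, `epiphany` and the split `| avr | avr32 \` / `| be32 | be64 \` lines are pure additions. Every alternative still ends in `\`, which is the one thing that can break this list.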
@ -261,10 +265,11 @@ case $basic_machine in
| hexagon \
| i370 | i860 | i960 | ia64 \
| ip2k | iq2000 \
| k1om \
| le32 | le64 \
| lm32 \
| m32c | m32r | m32rle | m68000 | m68k | m88k \
| maxq | mb | microblaze | mcore | mep | metag \
| maxq | mb | microblaze | microblazeel | mcore | mep | metag \
| mips | mipsbe | mipseb | mipsel | mipsle \
| mips16 \
| mips64 | mips64el \
@ -278,23 +283,26 @@ case $basic_machine in
| mips64vr5900 | mips64vr5900el \
| mipsisa32 | mipsisa32el \
| mipsisa32r2 | mipsisa32r2el \
| mipsisa32r6 | mipsisa32r6el \
| mipsisa64 | mipsisa64el \
| mipsisa64r2 | mipsisa64r2el \
| mipsisa64r6 | mipsisa64r6el \
| mipsisa64sb1 | mipsisa64sb1el \
| mipsisa64sr71k | mipsisa64sr71kel \
| mipsr5900 | mipsr5900el \
| mipstx39 | mipstx39el \
| mn10200 | mn10300 \
| moxie \
| mt \
| msp430 \
| nds32 | nds32le | nds32be \
| nios | nios2 \
| nios | nios2 | nios2eb | nios2el \
| ns16k | ns32k \
| open8 \
| or32 \
| open8 | or1k | or1knd | or32 \
| pdp10 | pdp11 | pj | pjl \
| powerpc | powerpc64 | powerpc64le | powerpcle \
| pyramid \
| riscv32 | riscv64 \
| rl78 | rx \
| score \
| sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
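Review bot: `| open8 | or1k | or1knd | or32 \` folds the former `| open8 \` and `| or32 \` lines into one, and `riscv32 | riscv64`, `mipsisa32r6`, `mipsisa64r6` and `nios2eb | nios2el` are new. Please confirm that each new CPU name also has a matching `name-*` entry in the company-name list further down; the `nios2eb-* | nios2el-*` and `or1k*-*` entries are visible in a later hunk, but a `riscv` counterpart is not shown here, and without it `riscv64-unknown-linux-gnu` style triplets would still be rejected.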
@ -319,8 +327,7 @@ case $basic_machine in
c6x)
basic_machine=tic6x-unknown
;;
m6811 | m68hc11 | m6812 | m68hc12 | picochip)
# Motorola 68HC11/12.
m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip)
basic_machine=$basic_machine-unknown
os=-none
;;
@ -333,7 +340,10 @@ case $basic_machine in
strongarm | thumb | xscale)
basic_machine=arm-unknown
;;

xgate)
basic_machine=$basic_machine-unknown
os=-none
;;
xscaleeb)
basic_machine=armeb-unknown
;;
@ -356,15 +366,16 @@ case $basic_machine in
# Recognize the basic CPU types with company name.
580-* \
| a29k-* \
| aarch64-* | aarch64_be-* \
| alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
| alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \
| arm-* | armbe-* | armle-* | armeb-* | armv*-* \
| avr-* | avr32-* \
| be32-* | be64-* \
| bfin-* | bs2000-* \
| c[123]* | c30-* | [cjt]90-* | c4x-* \
| clipper-* | craynv-* | cydra-* \
| c8051-* | clipper-* | craynv-* | cydra-* \
| d10v-* | d30v-* | dlx-* \
| elxsi-* \
| f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
@ -373,11 +384,13 @@ case $basic_machine in
| hexagon-* \
| i*86-* | i860-* | i960-* | ia64-* \
| ip2k-* | iq2000-* \
| k1om-* \
| le32-* | le64-* \
| lm32-* \
| m32c-* | m32r-* | m32rle-* \
| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
| m88110-* | m88k-* | maxq-* | mcore-* | metag-* | microblaze-* \
| m88110-* | m88k-* | maxq-* | mcore-* | metag-* \
| microblaze-* | microblazeel-* \
| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
| mips16-* \
| mips64-* | mips64el-* \
@ -391,18 +404,22 @@ case $basic_machine in
| mips64vr5900-* | mips64vr5900el-* \
| mipsisa32-* | mipsisa32el-* \
| mipsisa32r2-* | mipsisa32r2el-* \
| mipsisa32r6-* | mipsisa32r6el-* \
| mipsisa64-* | mipsisa64el-* \
| mipsisa64r2-* | mipsisa64r2el-* \
| mipsisa64r6-* | mipsisa64r6el-* \
| mipsisa64sb1-* | mipsisa64sb1el-* \
| mipsisa64sr71k-* | mipsisa64sr71kel-* \
| mipsr5900-* | mipsr5900el-* \
| mipstx39-* | mipstx39el-* \
| mmix-* \
| mt-* \
| msp430-* \
| nds32-* | nds32le-* | nds32be-* \
| nios-* | nios2-* \
| nios-* | nios2-* | nios2eb-* | nios2el-* \
| none-* | np1-* | ns16k-* | ns32k-* \
| open8-* \
| or1k*-* \
| orion-* \
| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
@ -719,7 +736,6 @@ case $basic_machine in
i370-ibm* | ibm*)
basic_machine=i370-ibm
;;
# I'm not sure what "Sysv32" means. Should this be sysv3.2?
i*86v32)
basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
os=-sysv32
@ -777,11 +793,15 @@ case $basic_machine in
basic_machine=ns32k-utek
os=-sysv
;;
microblaze)
microblaze*)
basic_machine=microblaze-xilinx
;;
mingw64)
basic_machine=x86_64-pc
os=-mingw64
;;
mingw32)
basic_machine=i386-pc
basic_machine=i686-pc
os=-mingw32
;;
mingw32ce)
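Review bot: `basic_machine=i386-pc` becoming `basic_machine=i686-pc` for `mingw32` changes the canonical host triplet configure reports (`i686-pc-mingw32` instead of `i386-pc-mingw32`); cache files, packaging scripts or install paths that match on the old string will break, so this belongs in the release notes. The new `mingw64)` arm and the `microblaze*)` widening are straightforward.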
@ -809,6 +829,10 @@ case $basic_machine in
basic_machine=powerpc-unknown
os=-morphos
;;
moxiebox)
basic_machine=moxie-unknown
os=-moxiebox
;;
msdos)
basic_machine=i386-pc
os=-msdos
@ -817,7 +841,7 @@ case $basic_machine in
basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'`
;;
msys)
basic_machine=i386-pc
basic_machine=i686-pc
os=-msys
;;
mvs)
@ -1008,7 +1032,11 @@ case $basic_machine in
basic_machine=i586-unknown
os=-pw32
;;
rdos)
rdos | rdos64)
basic_machine=x86_64-pc
os=-rdos
;;
rdos32)
basic_machine=i386-pc
os=-rdos
;;
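Review bot: plain `rdos` now resolves to `basic_machine=x86_64-pc` through the `rdos | rdos64)` arm, and the 32-bit mapping to `i386-pc` is only reachable via the new `rdos32)` spelling; that is a default change for existing `rdos` users and should be called out in the commit message.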
@ -1335,29 +1363,29 @@ case $os in
-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
| -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\
| -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \
| -sym* | -kopensolaris* \
| -sym* | -kopensolaris* | -plan9* \
| -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
| -aos* | -aros* \
| -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
| -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
| -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
| -openbsd* | -solidbsd* \
| -bitrig* | -openbsd* | -solidbsd* \
| -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
| -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
| -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
| -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
| -chorusos* | -chorusrdb* | -cegcc* \
| -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
| -mingw32* | -linux-gnu* | -linux-android* \
| -linux-newlib* | -linux-uclibc* \
| -uxpv* | -beos* | -mpeix* | -udk* \
| -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
| -linux-newlib* | -linux-musl* | -linux-uclibc* \
| -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \
| -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
| -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
| -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
| -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
| -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
| -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*)
| -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*)
# Remember, each alternative MUST END IN *, to match a version number.
;;
-qnx*)
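Review bot: the comment `# Remember, each alternative MUST END IN *, to match a version number.` is honoured by all six additions (`-plan9*`, `-bitrig*`, `-mingw64*`, `-linux-musl*`, `-moxiebox*`, `-tirtos*`), but the pre-existing `-nx6 | -nx7` alternatives in the same list do not end in `*`, so a versioned `-nx6.1` style suffix would fall through. Not introduced here; worth reporting upstream rather than patching locally.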
@ -1481,9 +1509,6 @@ case $os in
-aros*)
os=-aros
;;
-kaos*)
os=-kaos
;;
-zvmoe)
os=-zvmoe
;;
@ -1532,6 +1557,12 @@ case $basic_machine in
c4x-* | tic4x-*)
os=-coff
;;
c8051-*)
os=-elf
;;
hexagon-*)
os=-elf
;;
tic54x-*)
os=-coff
;;
@ -1559,9 +1590,6 @@ case $basic_machine in
;;
m68000-sun)
os=-sunos3
# This also exists in the configure program, but was not the
# default.
# os=-sunos4
;;
m68*-cisco)
os=-aout
580
auto/depcomp
@ -1,10 +1,9 @@
#! /bin/sh
# depcomp - compile a program generating dependencies as side-effects

scriptversion=2007-03-29.01
scriptversion=2013-05-30.07; # UTC

# Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006, 2007 Free Software
# Foundation, Inc.
# Copyright (C) 1999-2013 Free Software Foundation, Inc.

# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
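Review bot: `scriptversion=2013-05-30.07; # UTC` pins the automake release this depcomp was copied from; as with config.sub, record that origin in the commit message and compare the vendored file against the automake copy so the build helper stays auditable. The single `# Copyright (C) 1999-2013 Free Software Foundation, Inc.` line replaces the two old copyright lines, which is why the hunk shrinks by one.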
@ -17,9 +16,7 @@ scriptversion=2007-03-29.01
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.
# along with this program. If not, see <http://www.gnu.org/licenses/>.

# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
@ -30,9 +27,9 @@ scriptversion=2007-03-29.01

case $1 in
'')
echo "$0: No command. Try \`$0 --help' for more information." 1>&2
exit 1;
;;
echo "$0: No command. Try '$0 --help' for more information." 1>&2
exit 1;
;;
-h | --h*)
cat <<\EOF
Usage: depcomp [--help] [--version] PROGRAM [ARGS]
@ -42,11 +39,11 @@ as side-effects.

Environment variables:
depmode Dependency tracking mode.
source Source file read by `PROGRAMS ARGS'.
object Object file output by `PROGRAMS ARGS'.
source Source file read by 'PROGRAMS ARGS'.
object Object file output by 'PROGRAMS ARGS'.
DEPDIR directory where to store dependencies.
depfile Dependency file to output.
tmpdepfile Temporary file to use when outputing dependencies.
tmpdepfile Temporary file to use when outputting dependencies.
libtool Whether libtool is used (yes/no).

Report bugs to <bug-automake@gnu.org>.
@ -59,6 +56,66 @@ EOF
;;
esac

# Get the directory component of the given path, and save it in the
# global variables '$dir'. Note that this directory component will
# be either empty or ending with a '/' character. This is deliberate.
set_dir_from ()
{
case $1 in
*/*) dir=`echo "$1" | sed -e 's|/[^/]*$|/|'`;;
*) dir=;;
esac
}

# Get the suffix-stripped basename of the given path, and save it the
# global variable '$base'.
set_base_from ()
{
base=`echo "$1" | sed -e 's|^.*/||' -e 's/\.[^.]*$//'`
}

# If no dependency file was actually created by the compiler invocation,
# we still have to create a dummy depfile, to avoid errors with the
# Makefile "include basename.Plo" scheme.
make_dummy_depfile ()
{
echo "#dummy" > "$depfile"
}

# Factor out some common post-processing of the generated depfile.
# Requires the auxiliary global variable '$tmpdepfile' to be set.
aix_post_process_depfile ()
{
# If the compiler actually managed to produce a dependency file,
# post-process it.
if test -f "$tmpdepfile"; then
# Each line is of the form 'foo.o: dependency.h'.
# Do two passes, one to just change these to
# $object: dependency.h
# and one to simply output
# dependency.h:
# which is needed to avoid the deleted-header problem.
{ sed -e "s,^.*\.[$lower]*:,$object:," < "$tmpdepfile"
sed -e "s,^.*\.[$lower]*:[$tab ]*,," -e 's,$,:,' < "$tmpdepfile"
} > "$depfile"
rm -f "$tmpdepfile"
else
make_dummy_depfile
fi
}

# A tabulation character.
tab=' '
# A newline character.
nl='
'
# Character ranges might be problematic outside the C locale.
# These definitions help.
upper=ABCDEFGHIJKLMNOPQRSTUVWXYZ
lower=abcdefghijklmnopqrstuvwxyz
digits=0123456789
alpha=${upper}${lower}

if test -z "$depmode" || test -z "$source" || test -z "$object"; then
echo "depcomp: Variables source, object and depmode must be set" 1>&2
exit 1
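Review bot: `tab=' '` must hold a literal tab character, not a space: `aix_post_process_depfile` builds the class `[$tab ]*` from it, and a space here would leave tab-separated AIX dependency lines unstripped, which is invisible in a rendered diff. The helpers also communicate only through globals (`$dir`, `$base`, `$depfile`, `$tmpdepfile`, `$lower`, `$tab`), and `$lower` and `$tab` are assigned after the function bodies that use them; that works at call time but is fragile, so a short comment on the helper block naming those dependencies would help the next importer.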
@ -71,6 +128,9 @@ tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}

rm -f "$tmpdepfile"

# Avoid interferences from the environment.
gccflag= dashmflag=

# Some modes work just like other modes, but use different flags. We
# parameterize here, but still list the modes in the big case below,
# to make depend.m4 easier to write. Note that we *cannot* use a case
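Review bot: `gccflag= dashmflag=` clears two variables that the mode dispatch below sets conditionally, so a value inherited from the caller's environment can no longer leak into the compiler command line; good hygiene. `depmode`, `source`, `object`, `depfile` and `tmpdepfile` remain caller-provided by design, as the `Environment variables:` help text documents.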
@ -82,9 +142,32 @@ if test "$depmode" = hp; then
fi

if test "$depmode" = dashXmstdout; then
# This is just like dashmstdout with a different argument.
dashmflag=-xM
depmode=dashmstdout
# This is just like dashmstdout with a different argument.
dashmflag=-xM
depmode=dashmstdout
fi

cygpath_u="cygpath -u -f -"
if test "$depmode" = msvcmsys; then
# This is just like msvisualcpp but w/o cygpath translation.
# Just convert the backslash-escaped backslashes to single forward
# slashes to satisfy depend.m4
cygpath_u='sed s,\\\\,/,g'
depmode=msvisualcpp
fi

if test "$depmode" = msvc7msys; then
# This is just like msvc7 but w/o cygpath translation.
# Just convert the backslash-escaped backslashes to single forward
# slashes to satisfy depend.m4
cygpath_u='sed s,\\\\,/,g'
depmode=msvc7
fi

if test "$depmode" = xlc; then
# IBM C/C++ Compilers xlc/xlC can output gcc-like dependency information.
gccflag=-qmakedep=gcc,-MF
depmode=gcc
fi

case "$depmode" in
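Review bot: the new `xlc` mode sets `gccflag=-qmakedep=gcc,-MF` and rewrites `depmode=gcc`, so the `gcc)` arm will run `"$@" -Wp,"$gccflag$tmpdepfile"`; because `-Wp,` splits its argument on commas, `-MF` and `$tmpdepfile` reach the preprocessor glued together as a single argument, and a `$tmpdepfile` path containing a comma would be split apart. The `msvc7msys` block duplicates `msvcmsys` except for `depmode=msvc7`; a shared assignment of `cygpath_u='sed s,\\\\,/,g'` would avoid maintaining the copy.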
@ -107,8 +190,7 @@ gcc3)
done
"$@"
stat=$?
if test $stat -eq 0; then :
else
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
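Review bot: collapsing `if test $stat -eq 0; then :` / `else` into `if test $stat -ne 0; then` is behaviour-preserving and drops the no-op branch; the same rewrite recurs in the gcc, sgi, aix and hp2 arms below, so one commit-message line covers all of them.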
@ -116,13 +198,17 @@ gcc3)
;;

gcc)
## Note that this doesn't just cater to obsosete pre-3.x GCC compilers.
## but also to in-use compilers like IMB xlc/xlC and the HP C compiler.
## (see the conditional assignment to $gccflag above).
## There are various ways to get dependency output from gcc. Here's
## why we pick this rather obscure method:
## - Don't want to use -MD because we'd like the dependencies to end
## up in a subdir. Having to rename by hand is ugly.
## (We might end up doing this anyway to support other compilers.)
## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like
## -MM, not -M (despite what the docs say).
## -MM, not -M (despite what the docs say). Also, it might not be
## supported by the other compilers which use the 'gcc' depmode.
## - Using -M directly means running the compiler twice (even worse
## than renaming).
if test -z "$gccflag"; then
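Review bot: the added comment lines carry two typos, `obsosete` for `obsolete` and `IMB` for `IBM`; since this file is vendored, fix them upstream in automake rather than locally, otherwise the next import reintroduces them.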
@ -130,31 +216,31 @@ gcc)
fi
"$@" -Wp,"$gccflag$tmpdepfile"
stat=$?
if test $stat -eq 0; then :
else
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
echo "$object : \\" > "$depfile"
alpha=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
## The second -e expression handles DOS-style file names with drive letters.
# The second -e expression handles DOS-style file names with drive
# letters.
sed -e 's/^[^:]*: / /' \
-e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile"
## This next piece of magic avoids the `deleted header file' problem.
## This next piece of magic avoids the "deleted header file" problem.
## The problem is that when a header file which appears in a .P file
## is deleted, the dependency causes make to die (because there is
## typically no way to rebuild the header). We avoid this by adding
## dummy dependencies for each header file. Too bad gcc doesn't do
## this for us directly.
tr ' ' '
' < "$tmpdepfile" |
## Some versions of gcc put a space before the `:'. On the theory
## Some versions of gcc put a space before the ':'. On the theory
## that the space means something, we add a space to the output as
## well.
## well. hp depmode also adds that space, but also prefixes the VPATH
## to the object. Take care to not repeat it in the output.
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^\\$//' -e '/^$/d' -e "s|.*$object$||" -e '/:$/d' \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;

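Review bot: with the local `alpha=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz` removed, `'$alpha'` in the second `-e` expression now relies on the global `alpha=${upper}${lower}` from the helper block, and `tr ' ' "$nl"` relies on the global `$nl`; both are defined before this `case`, so that is fine. The new `-e "s|.*$object$||"` interpolates `$object` unescaped into a sed program, so an object path containing `|`, `&` or `$` would corrupt the expression; `echo "$object : \\"` has the same exposure. Object paths come from the Makefile, so the risk is low, but a comment stating that assumption would be worthwhile.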
@ -172,8 +258,7 @@ sgi)
"$@" -MDupdate "$tmpdepfile"
fi
stat=$?
if test $stat -eq 0; then :
else
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
@ -181,43 +266,41 @@ sgi)

if test -f "$tmpdepfile"; then # yes, the sourcefile depend on other files
echo "$object : \\" > "$depfile"

# Clip off the initial element (the dependent). Don't try to be
# clever and replace this with sed code, as IRIX sed won't handle
# lines with more than a fixed number of characters (4096 in
# IRIX 6.2 sed, 8192 in IRIX 6.5). We also remove comment lines;
# the IRIX cc adds comments like `#:fec' to the end of the
# the IRIX cc adds comments like '#:fec' to the end of the
# dependency line.
tr ' ' '
' < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \
tr '
' ' ' >> $depfile
echo >> $depfile

tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' \
| tr "$nl" ' ' >> "$depfile"
echo >> "$depfile"
# The second pass generates a dummy entry for each header file.
tr ' ' '
' < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
>> $depfile
tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
>> "$depfile"
else
# The sourcefile does not contain any dependencies, so just
# store a dummy comment line, to avoid errors with the Makefile
# "include basename.Plo" scheme.
echo "#dummy" > "$depfile"
make_dummy_depfile
fi
rm -f "$tmpdepfile"
;;

xlc)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;

aix)
# The C for AIX Compiler uses -M and outputs the dependencies
# in a .u file. In older versions, this file always lives in the
# current directory. Also, the AIX compiler puts `$object:' at the
# current directory. Also, the AIX compiler puts '$object:' at the
# start of each line; $object doesn't have directory information.
# Version 6 uses the directory in both cases.
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
test "x$dir" = "x$object" && dir=
base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
set_dir_from "$object"
set_base_from "$object"
if test "$libtool" = yes; then
tmpdepfile1=$dir$base.u
tmpdepfile2=$base.u
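Review bot: `>> $depfile` and `echo >> $depfile` become `>> "$depfile"`, fixing word splitting on paths containing whitespace, and `set_dir_from "$object"` / `set_base_from "$object"` replace the three inline `dir=` / `base=` lines. One semantic difference to be aware of: the old `base=` stripped only a trailing `.o` or `.lo`, while `set_base_from` strips any final `.suffix`, so an object named `foo.obj` now yields `foo` rather than `foo.obj`; harmless for automake's `.o` and `.lo` objects, but worth a note if other object suffixes are ever used.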
@ -230,9 +313,7 @@ aix)
"$@" -M
fi
stat=$?

if test $stat -eq 0; then :
else
if test $stat -ne 0; then
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
exit $stat
fi
@ -241,44 +322,100 @@ aix)
do
test -f "$tmpdepfile" && break
done
if test -f "$tmpdepfile"; then
# Each line is of the form `foo.o: dependent.h'.
# Do two passes, one to just change these to
# `$object: dependent.h' and one to simply `dependent.h:'.
sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
# That's a tab and a space in the [].
sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
else
# The sourcefile does not contain any dependencies, so just
# store a dummy comment line, to avoid errors with the Makefile
# "include basename.Plo" scheme.
echo "#dummy" > "$depfile"
aix_post_process_depfile
;;

tcc)
# tcc (Tiny C Compiler) understand '-MD -MF file' since version 0.9.26
# FIXME: That version still under development at the moment of writing.
# Make that this statement remains true also for stable, released
# versions.
# It will wrap lines (doesn't matter whether long or short) with a
# trailing '\', as in:
#
# foo.o : \
# foo.c \
# foo.h \
#
# It will put a trailing '\' even on the last line, and will use leading
# spaces rather than leading tabs (at least since its commit 0394caf7
# "Emit spaces for -MD").
"$@" -MD -MF "$tmpdepfile"
stat=$?
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
# Each non-empty line is of the form 'foo.o : \' or ' dep.h \'.
# We have to change lines of the first kind to '$object: \'.
sed -e "s|.*:|$object :|" < "$tmpdepfile" > "$depfile"
# And for each line of the second kind, we have to emit a 'dep.h:'
# dummy dependency, to avoid the deleted-header problem.
sed -n -e 's|^ *\(.*\) *\\$|\1:|p' < "$tmpdepfile" >> "$depfile"
rm -f "$tmpdepfile"
;;

icc)
# Intel's C compiler understands `-MD -MF file'. However on
# icc -MD -MF foo.d -c -o sub/foo.o sub/foo.c
# ICC 7.0 will fill foo.d with something like
# foo.o: sub/foo.c
# foo.o: sub/foo.h
# which is wrong. We want:
# sub/foo.o: sub/foo.c
# sub/foo.o: sub/foo.h
# sub/foo.c:
# sub/foo.h:
# ICC 7.1 will output
## The order of this option in the case statement is important, since the
## shell code in configure will try each of these formats in the order
## listed in this file. A plain '-MD' option would be understood by many
## compilers, so we must ensure this comes after the gcc and icc options.
pgcc)
# Portland's C compiler understands '-MD'.
# Will always output deps to 'file.d' where file is the root name of the
# source file under compilation, even if file resides in a subdirectory.
# The object file name does not affect the name of the '.d' file.
# pgcc 10.2 will output
# foo.o: sub/foo.c sub/foo.h
# and will wrap long lines using \ :
# and will wrap long lines using '\' :
# foo.o: sub/foo.c ... \
# sub/foo.h ... \
# ...
set_dir_from "$object"
# Use the source, not the object, to determine the base name, since
# that's sadly what pgcc will do too.
set_base_from "$source"
tmpdepfile=$base.d

"$@" -MD -MF "$tmpdepfile"
stat=$?
if test $stat -eq 0; then :
else
# For projects that build the same source file twice into different object
# files, the pgcc approach of using the *source* file root name can cause
# problems in parallel builds. Use a locking strategy to avoid stomping on
# the same $tmpdepfile.
lockdir=$base.d-lock
trap "
echo '$0: caught signal, cleaning up...' >&2
rmdir '$lockdir'
exit 1
" 1 2 13 15
numtries=100
i=$numtries
while test $i -gt 0; do
# mkdir is a portable test-and-set.
if mkdir "$lockdir" 2>/dev/null; then
# This process acquired the lock.
"$@" -MD
stat=$?
# Release the lock.
rmdir "$lockdir"
break
else
# If the lock is being held by a different process, wait
# until the winning process is done or we timeout.
while test -d "$lockdir" && test $i -gt 0; do
sleep 1
i=`expr $i - 1`
done
fi
i=`expr $i - 1`
done
trap - 1 2 13 15
if test $i -le 0; then
echo "$0: failed to acquire lock after $numtries attempts" >&2
echo "$0: check lockdir '$lockdir'" >&2
exit 1
fi

if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
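Review bot: in the pgcc lock loop `i` is decremented both inside `while test -d "$lockdir" && test $i -gt 0; do ... i=`expr $i - 1`` and again after the inner `fi`, so the effective wait is shorter than `numtries=100` seconds and the message `failed to acquire lock after $numtries attempts` overstates it; harmless, but worth a comment. The `mkdir "$lockdir"` test-and-set with a `trap` that removes the directory on signals 1 2 13 15 is the right primitive. In the tcc arm, `sed -n -e 's|^ *\(.*\) *\\$|\1:|p'` also matches the first line `foo.o : \` and emits `foo.o : :` into the depfile; please confirm make accepts that line, or restrict the pass to line 2 onwards as the hp2 arm does with `2,$`.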
@ -290,8 +427,8 @@ icc)
sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile"
# Some versions of the HPUX 10.20 sed can't process this invocation
# correctly. Breaking it into two sed invocations is a workaround.
sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" |
sed -e 's/$/ :/' >> "$depfile"
sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;

@ -302,9 +439,8 @@ hp2)
# 'foo.d', which lands next to the object file, wherever that
# happens to be.
# Much of this is similar to the tru64 case; see comments there.
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
test "x$dir" = "x$object" && dir=
base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
set_dir_from "$object"
set_base_from "$object"
if test "$libtool" = yes; then
tmpdepfile1=$dir$base.d
tmpdepfile2=$dir.libs/$base.d
@ -315,8 +451,7 @@ hp2)
"$@" +Maked
fi
stat=$?
if test $stat -eq 0; then :
else
if test $stat -ne 0; then
rm -f "$tmpdepfile1" "$tmpdepfile2"
exit $stat
fi
@ -326,72 +461,107 @@ hp2)
test -f "$tmpdepfile" && break
done
if test -f "$tmpdepfile"; then
sed -e "s,^.*\.[a-z]*:,$object:," "$tmpdepfile" > "$depfile"
# Add `dependent.h:' lines.
sed -ne '2,${; s/^ *//; s/ \\*$//; s/$/:/; p;}' "$tmpdepfile" >> "$depfile"
sed -e "s,^.*\.[$lower]*:,$object:," "$tmpdepfile" > "$depfile"
# Add 'dependent.h:' lines.
sed -ne '2,${
s/^ *//
s/ \\*$//
s/$/:/
p
}' "$tmpdepfile" >> "$depfile"
else
echo "#dummy" > "$depfile"
make_dummy_depfile
fi
rm -f "$tmpdepfile" "$tmpdepfile2"
;;

tru64)
# The Tru64 compiler uses -MD to generate dependencies as a side
# effect. `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'.
# At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
# dependencies in `foo.d' instead, so we check for that too.
# Subdirectories are respected.
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
test "x$dir" = "x$object" && dir=
base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
# The Tru64 compiler uses -MD to generate dependencies as a side
# effect. 'cc -MD -o foo.o ...' puts the dependencies into 'foo.o.d'.
# At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
# dependencies in 'foo.d' instead, so we check for that too.
# Subdirectories are respected.
set_dir_from "$object"
set_base_from "$object"

if test "$libtool" = yes; then
# With Tru64 cc, shared objects can also be used to make a
# static library. This mechanism is used in libtool 1.4 series to
# handle both shared and static libraries in a single compilation.
# With libtool 1.4, dependencies were output in $dir.libs/$base.lo.d.
#
# With libtool 1.5 this exception was removed, and libtool now
# generates 2 separate objects for the 2 libraries. These two
# compilations output dependencies in $dir.libs/$base.o.d and
|
||||
# in $dir$base.o.d. We have to check for both files, because
|
||||
# one of the two compilations can be disabled. We should prefer
|
||||
# $dir$base.o.d over $dir.libs/$base.o.d because the latter is
|
||||
# automatically cleaned when .libs/ is deleted, while ignoring
|
||||
# the former would cause a distcleancheck panic.
|
||||
tmpdepfile1=$dir.libs/$base.lo.d # libtool 1.4
|
||||
tmpdepfile2=$dir$base.o.d # libtool 1.5
|
||||
tmpdepfile3=$dir.libs/$base.o.d # libtool 1.5
|
||||
tmpdepfile4=$dir.libs/$base.d # Compaq CCC V6.2-504
|
||||
"$@" -Wc,-MD
|
||||
else
|
||||
tmpdepfile1=$dir$base.o.d
|
||||
tmpdepfile2=$dir$base.d
|
||||
tmpdepfile3=$dir$base.d
|
||||
tmpdepfile4=$dir$base.d
|
||||
"$@" -MD
|
||||
fi
|
||||
if test "$libtool" = yes; then
|
||||
# Libtool generates 2 separate objects for the 2 libraries. These
|
||||
# two compilations output dependencies in $dir.libs/$base.o.d and
|
||||
# in $dir$base.o.d. We have to check for both files, because
|
||||
# one of the two compilations can be disabled. We should prefer
|
||||
# $dir$base.o.d over $dir.libs/$base.o.d because the latter is
|
||||
# automatically cleaned when .libs/ is deleted, while ignoring
|
||||
# the former would cause a distcleancheck panic.
|
||||
tmpdepfile1=$dir$base.o.d # libtool 1.5
|
||||
tmpdepfile2=$dir.libs/$base.o.d # Likewise.
|
||||
tmpdepfile3=$dir.libs/$base.d # Compaq CCC V6.2-504
|
||||
"$@" -Wc,-MD
|
||||
else
|
||||
tmpdepfile1=$dir$base.d
|
||||
tmpdepfile2=$dir$base.d
|
||||
tmpdepfile3=$dir$base.d
|
||||
"$@" -MD
|
||||
fi
|
||||
|
||||
stat=$?
|
||||
if test $stat -eq 0; then :
|
||||
else
|
||||
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
|
||||
exit $stat
|
||||
fi
|
||||
stat=$?
|
||||
if test $stat -ne 0; then
|
||||
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
|
||||
exit $stat
|
||||
fi
|
||||
|
||||
for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
|
||||
do
|
||||
test -f "$tmpdepfile" && break
|
||||
done
|
||||
if test -f "$tmpdepfile"; then
|
||||
sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
|
||||
# That's a tab and a space in the [].
|
||||
sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
|
||||
else
|
||||
echo "#dummy" > "$depfile"
|
||||
fi
|
||||
rm -f "$tmpdepfile"
|
||||
;;
|
||||
for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
|
||||
do
|
||||
test -f "$tmpdepfile" && break
|
||||
done
|
||||
# Same post-processing that is required for AIX mode.
|
||||
aix_post_process_depfile
|
||||
;;
|
||||
|
||||
msvc7)
|
||||
if test "$libtool" = yes; then
|
||||
showIncludes=-Wc,-showIncludes
|
||||
else
|
||||
showIncludes=-showIncludes
|
||||
fi
|
||||
"$@" $showIncludes > "$tmpdepfile"
|
||||
stat=$?
|
||||
grep -v '^Note: including file: ' "$tmpdepfile"
|
||||
if test $stat -ne 0; then
|
||||
rm -f "$tmpdepfile"
|
||||
exit $stat
|
||||
fi
|
||||
rm -f "$depfile"
|
||||
echo "$object : \\" > "$depfile"
|
||||
# The first sed program below extracts the file names and escapes
|
||||
# backslashes for cygpath. The second sed program outputs the file
|
||||
# name when reading, but also accumulates all include files in the
|
||||
# hold buffer in order to output them again at the end. This only
|
||||
# works with sed implementations that can handle large buffers.
|
||||
sed < "$tmpdepfile" -n '
|
||||
/^Note: including file: *\(.*\)/ {
|
||||
s//\1/
|
||||
s/\\/\\\\/g
|
||||
p
|
||||
}' | $cygpath_u | sort -u | sed -n '
|
||||
s/ /\\ /g
|
||||
s/\(.*\)/'"$tab"'\1 \\/p
|
||||
s/.\(.*\) \\/\1:/
|
||||
H
|
||||
$ {
|
||||
s/.*/'"$tab"'/
|
||||
G
|
||||
p
|
||||
}' >> "$depfile"
|
||||
echo >> "$depfile" # make sure the fragment doesn't end with a backslash
|
||||
rm -f "$tmpdepfile"
|
||||
;;
|
||||
|
||||
msvc7msys)
|
||||
# This case exists only to let depend.m4 do its work. It works by
|
||||
# looking at the text of this script. This case will never be run,
|
||||
# since it is checked for above.
|
||||
exit 1
|
||||
;;
|
||||
|
||||
#nosideeffect)
|
||||
# This comment above is used by automake to tell side-effect
|
||||
|
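Review bot: the tru64 rewrite drops the libtool 1.4 candidate `$dir.libs/$base.lo.d` (the old four-file list becomes three) and also removes the explicit `if test -f "$tmpdepfile"` / `echo "#dummy" > "$depfile"` fallback and the trailing `rm -f "$tmpdepfile"`, delegating both to `aix_post_process_depfile`, which is defined elsewhere. Please confirm that helper writes a dummy depfile when none of `tmpdepfile1..3` exists and deletes the temporary file; otherwise a Tru64 build leaves `.d` files behind that `distcleancheck` would report. In the new msvc7 case, `grep -v '^Note: including file: ' "$tmpdepfile"` re-emits the compiler's stdout and its own exit status is ignored, which is fine because `$stat` was captured first; note however that `$cygpath_u` and `$tab` are used here without being set in this hunk, so this mode only works if the prologue defines both.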
@ -404,13 +574,13 @@ dashmstdout)
|
|||
|
||||
# Remove the call to Libtool.
|
||||
if test "$libtool" = yes; then
|
||||
while test $1 != '--mode=compile'; do
|
||||
while test "X$1" != 'X--mode=compile'; do
|
||||
shift
|
||||
done
|
||||
shift
|
||||
fi
|
||||
|
||||
# Remove `-o $object'.
|
||||
# Remove '-o $object'.
|
||||
IFS=" "
|
||||
for arg
|
||||
do
|
||||
|
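Review bot: `while test "X$1" != 'X--mode=compile'` fixes the old `test $1 != '--mode=compile'`, which failed with `test: argument expected` when `$1` was empty and misparsed arguments beginning with `-` or `!`. The loop still has no guard for a libtool command line that lacks `--mode=compile`: it calls `shift` until the positional list is exhausted, at which point `shift` fails and a non-interactive shell may abort without a useful message. A `test $# -gt 0 || { echo "$0: --mode=compile not found" >&2; exit 1; }` inside the loop would make that failure explicit. The same construct is repeated in the makedepend, cpp and msvisualcpp cases below.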
@ -430,18 +600,18 @@ dashmstdout)
|
|||
done
|
||||
|
||||
test -z "$dashmflag" && dashmflag=-M
|
||||
# Require at least two characters before searching for `:'
|
||||
# Require at least two characters before searching for ':'
|
||||
# in the target name. This is to cope with DOS-style filenames:
|
||||
# a dependency such as `c:/foo/bar' could be seen as target `c' otherwise.
|
||||
# a dependency such as 'c:/foo/bar' could be seen as target 'c' otherwise.
|
||||
"$@" $dashmflag |
|
||||
sed 's:^[ ]*[^: ][^:][^:]*\:[ ]*:'"$object"'\: :' > "$tmpdepfile"
|
||||
sed "s|^[$tab ]*[^:$tab ][^:][^:]*:[$tab ]*|$object: |" > "$tmpdepfile"
|
||||
rm -f "$depfile"
|
||||
cat < "$tmpdepfile" > "$depfile"
|
||||
tr ' ' '
|
||||
' < "$tmpdepfile" | \
|
||||
## Some versions of the HPUX 10.20 sed can't process this invocation
|
||||
## correctly. Breaking it into two sed invocations is a workaround.
|
||||
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
|
||||
# Some versions of the HPUX 10.20 sed can't process this sed invocation
|
||||
# correctly. Breaking it into two sed invocations is a workaround.
|
||||
tr ' ' "$nl" < "$tmpdepfile" \
|
||||
| sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \
|
||||
| sed -e 's/$/ :/' >> "$depfile"
|
||||
rm -f "$tmpdepfile"
|
||||
;;
|
||||
|
||||
|
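Review bot: replacing the bracket expressions that held literal tab characters with `[$tab ]`, and the embedded newline in `tr ' ' '` with `"$nl"`, removes a real fragility (editors and patch tools silently convert or strip those characters), but the new `sed "s|^[$tab ]*[^:$tab ][^:][^:]*:[$tab ]*|$object: |"` interpolates `$object` into the replacement side unescaped. An object path containing `|` breaks the expression and one containing `&` is replaced by the matched text; the old `:` delimiter had the same weakness with `:` in paths, so this is not a regression, but a short escaping step on `$object` before it is spliced into sed programs would close it for all of these modes.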
@ -455,41 +625,51 @@ makedepend)
|
|||
"$@" || exit $?
|
||||
# Remove any Libtool call
|
||||
if test "$libtool" = yes; then
|
||||
while test $1 != '--mode=compile'; do
|
||||
while test "X$1" != 'X--mode=compile'; do
|
||||
shift
|
||||
done
|
||||
shift
|
||||
fi
|
||||
# X makedepend
|
||||
shift
|
||||
cleared=no
|
||||
for arg in "$@"; do
|
||||
cleared=no eat=no
|
||||
for arg
|
||||
do
|
||||
case $cleared in
|
||||
no)
|
||||
set ""; shift
|
||||
cleared=yes ;;
|
||||
esac
|
||||
if test $eat = yes; then
|
||||
eat=no
|
||||
continue
|
||||
fi
|
||||
case "$arg" in
|
||||
-D*|-I*)
|
||||
set fnord "$@" "$arg"; shift ;;
|
||||
# Strip any option that makedepend may not understand. Remove
|
||||
# the object too, otherwise makedepend will parse it as a source file.
|
||||
-arch)
|
||||
eat=yes ;;
|
||||
-*|$object)
|
||||
;;
|
||||
*)
|
||||
set fnord "$@" "$arg"; shift ;;
|
||||
esac
|
||||
done
|
||||
obj_suffix="`echo $object | sed 's/^.*\././'`"
|
||||
obj_suffix=`echo "$object" | sed 's/^.*\././'`
|
||||
touch "$tmpdepfile"
|
||||
${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
|
||||
rm -f "$depfile"
|
||||
cat < "$tmpdepfile" > "$depfile"
|
||||
sed '1,2d' "$tmpdepfile" | tr ' ' '
|
||||
' | \
|
||||
## Some versions of the HPUX 10.20 sed can't process this invocation
|
||||
## correctly. Breaking it into two sed invocations is a workaround.
|
||||
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
|
||||
# makedepend may prepend the VPATH from the source file name to the object.
|
||||
# No need to regex-escape $object, excess matching of '.' is harmless.
|
||||
sed "s|^.*\($object *:\)|\1|" "$tmpdepfile" > "$depfile"
|
||||
# Some versions of the HPUX 10.20 sed can't process the last invocation
|
||||
# correctly. Breaking it into two sed invocations is a workaround.
|
||||
sed '1,2d' "$tmpdepfile" \
|
||||
| tr ' ' "$nl" \
|
||||
| sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \
|
||||
| sed -e 's/$/ :/' >> "$depfile"
|
||||
rm -f "$tmpdepfile" "$tmpdepfile".bak
|
||||
;;
|
||||
|
||||
|
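Review bot: the comment `No need to regex-escape $object, excess matching of '.' is harmless` holds for `.` only; `$object` is spliced into `sed "s|^.*\($object *:\)|\1|"`, so a name containing `|`, `[`, `*` or `\` yields a malformed expression or a wrong match. The same unquoted `$object` is used as a `case` pattern in `-*|$object)`, where glob characters in the name would match and drop unrelated arguments. Escaping it once before use would fix both places. Eating the argument after `-arch` is the right call, since makedepend would otherwise treat `x86_64` as a source file, and removing `"$tmpdepfile".bak` is correct because makedepend leaves that backup behind.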
@ -500,13 +680,13 @@ cpp)
|
|||
|
||||
# Remove the call to Libtool.
|
||||
if test "$libtool" = yes; then
|
||||
while test $1 != '--mode=compile'; do
|
||||
while test "X$1" != 'X--mode=compile'; do
|
||||
shift
|
||||
done
|
||||
shift
|
||||
fi
|
||||
|
||||
# Remove `-o $object'.
|
||||
# Remove '-o $object'.
|
||||
IFS=" "
|
||||
for arg
|
||||
do
|
||||
|
@ -525,10 +705,10 @@ cpp)
|
|||
esac
|
||||
done
|
||||
|
||||
"$@" -E |
|
||||
sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
|
||||
-e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' |
|
||||
sed '$ s: \\$::' > "$tmpdepfile"
|
||||
"$@" -E \
|
||||
| sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
|
||||
-e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
|
||||
| sed '$ s: \\$::' > "$tmpdepfile"
|
||||
rm -f "$depfile"
|
||||
echo "$object : \\" > "$depfile"
|
||||
cat < "$tmpdepfile" >> "$depfile"
|
||||
|
@ -538,35 +718,56 @@ cpp)
|
|||
|
||||
msvisualcpp)
|
||||
# Important note: in order to support this mode, a compiler *must*
|
||||
# always write the preprocessed file to stdout, regardless of -o,
|
||||
# because we must use -o when running libtool.
|
||||
# always write the preprocessed file to stdout.
|
||||
"$@" || exit $?
|
||||
|
||||
# Remove the call to Libtool.
|
||||
if test "$libtool" = yes; then
|
||||
while test "X$1" != 'X--mode=compile'; do
|
||||
shift
|
||||
done
|
||||
shift
|
||||
fi
|
||||
|
||||
IFS=" "
|
||||
for arg
|
||||
do
|
||||
case "$arg" in
|
||||
-o)
|
||||
shift
|
||||
;;
|
||||
$object)
|
||||
shift
|
||||
;;
|
||||
"-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI")
|
||||
set fnord "$@"
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
set fnord "$@"
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
*)
|
||||
set fnord "$@" "$arg"
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
set fnord "$@" "$arg"
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
esac
|
||||
done
|
||||
"$@" -E |
|
||||
sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::echo "`cygpath -u \\"\1\\"`":p' | sort | uniq > "$tmpdepfile"
|
||||
"$@" -E 2>/dev/null |
|
||||
sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::\1:p' | $cygpath_u | sort -u > "$tmpdepfile"
|
||||
rm -f "$depfile"
|
||||
echo "$object : \\" > "$depfile"
|
||||
. "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s:: \1 \\:p' >> "$depfile"
|
||||
echo " " >> "$depfile"
|
||||
. "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::\1\::p' >> "$depfile"
|
||||
sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::'"$tab"'\1 \\:p' >> "$depfile"
|
||||
echo "$tab" >> "$depfile"
|
||||
sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::\1\::p' >> "$depfile"
|
||||
rm -f "$tmpdepfile"
|
||||
;;
|
||||
|
||||
msvcmsys)
|
||||
# This case exists only to let depend.m4 do its work. It works by
|
||||
# looking at the text of this script. This case will never be run,
|
||||
# since it is checked for above.
|
||||
exit 1
|
||||
;;
|
||||
|
||||
none)
|
||||
exec "$@"
|
||||
;;
|
||||
|
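Review bot: the important change here is that the dependency list is no longer executed as shell code. The old pipeline wrote lines of the form `echo "`cygpath -u \"...\"`"` built from the file names in the preprocessor's `#line` directives and then ran `. "$tmpdepfile"`, so a header path containing a double quote, a backtick or `$(` would have been evaluated by the shell running the build; the new code pipes the raw names through `$cygpath_u` and reads the result with `sed < "$tmpdepfile"`, treating them as data. Two things to double-check: `"$@" -E 2>/dev/null` now hides preprocessor diagnostics, so a failing `-E` run yields an empty dependency list with no visible error (the real compile already ran via `"$@" || exit $?`, so the build still fails rather than silently succeeding), and `$cygpath_u` must be defined in the prologue as a pass-through on non-Cygwin hosts, since the `sort -u` stage depends on it emitting one path per line.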
@ -585,5 +786,6 @@ exit 0
|
|||
# eval: (add-hook 'write-file-hooks 'time-stamp)
|
||||
# time-stamp-start: "scriptversion="
|
||||
# time-stamp-format: "%:y-%02m-%02d.%02H"
|
||||
# time-stamp-end: "$"
|
||||
# time-stamp-time-zone: "UTC"
|
||||
# time-stamp-end: "; # UTC"
|
||||
# End:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
# install - install a program, script, or datafile
|
||||
|
||||
scriptversion=2006-12-25.00
|
||||
scriptversion=2011-11-20.07; # UTC
|
||||
|
||||
# This originates from X11R5 (mit/util/scripts/install.sh), which was
|
||||
# later released in X11R6 (xc/config/util/install.sh) with the
|
||||
|
@ -35,7 +35,7 @@ scriptversion=2006-12-25.00
|
|||
# FSF changes to this file are in the public domain.
|
||||
#
|
||||
# Calling this script install-sh is preferred over install.sh, to prevent
|
||||
# `make' implicit rules from creating a file called install from it
|
||||
# 'make' implicit rules from creating a file called install from it
|
||||
# when there is no Makefile.
|
||||
#
|
||||
# This script is compatible with the BSD install script, but was written
|
||||
|
@ -156,6 +156,10 @@ while test $# -ne 0; do
|
|||
-s) stripcmd=$stripprog;;
|
||||
|
||||
-t) dst_arg=$2
|
||||
# Protect names problematic for 'test' and other utilities.
|
||||
case $dst_arg in
|
||||
-* | [=\(\)!]) dst_arg=./$dst_arg;;
|
||||
esac
|
||||
shift;;
|
||||
|
||||
-T) no_target_directory=true;;
|
||||
|
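Review bot: the new protection `-* | [=\(\)!]) dst_arg=./$dst_arg;;` covers names that `test` and `ls` would read as operators or options. The bracket alternative matches only a one-character name that is exactly `=`, `(`, `)` or `!`, which is deliberate: longer names starting with those characters are not special to `test`. The identical block appears again in the positional-argument branch below; a small shell function would avoid keeping the two copies in sync by hand.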
@ -186,6 +190,10 @@ if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
|
|||
fi
|
||||
shift # arg
|
||||
dst_arg=$arg
|
||||
# Protect names problematic for 'test' and other utilities.
|
||||
case $dst_arg in
|
||||
-* | [=\(\)!]) dst_arg=./$dst_arg;;
|
||||
esac
|
||||
done
|
||||
fi
|
||||
|
||||
|
@ -194,13 +202,17 @@ if test $# -eq 0; then
|
|||
echo "$0: no input file specified." >&2
|
||||
exit 1
|
||||
fi
|
||||
# It's OK to call `install-sh -d' without argument.
|
||||
# It's OK to call 'install-sh -d' without argument.
|
||||
# This can happen when creating conditional directories.
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if test -z "$dir_arg"; then
|
||||
trap '(exit $?); exit' 1 2 13 15
|
||||
do_exit='(exit $ret); exit $ret'
|
||||
trap "ret=129; $do_exit" 1
|
||||
trap "ret=130; $do_exit" 2
|
||||
trap "ret=141; $do_exit" 13
|
||||
trap "ret=143; $do_exit" 15
|
||||
|
||||
# Set umask so as not to create temps with too-generous modes.
|
||||
# However, 'strip' requires both read and write access to temps.
|
||||
|
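Review bot: the old `trap '(exit $?); exit' 1 2 13 15` exited with whatever `$?` happened to be when the signal arrived, so a HUP or INT during the copy could report success to `make`. The four separate traps now exit with the conventional 128+signal values (129, 130, 141, 143), which parallel `make` recognizes as an interrupted job. The `(exit $ret); exit $ret` idiom in `do_exit` is needed so that an EXIT trap installed later observes the same status; a one-line comment next to `do_exit=` would help, since the subshell looks redundant at first glance.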
@ -228,9 +240,9 @@ fi
|
|||
|
||||
for src
|
||||
do
|
||||
# Protect names starting with `-'.
|
||||
# Protect names problematic for 'test' and other utilities.
|
||||
case $src in
|
||||
-*) src=./$src;;
|
||||
-* | [=\(\)!]) src=./$src;;
|
||||
esac
|
||||
|
||||
if test -n "$dir_arg"; then
|
||||
|
@ -252,12 +264,7 @@ do
|
|||
echo "$0: no destination specified." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
dst=$dst_arg
|
||||
# Protect names starting with `-'.
|
||||
case $dst in
|
||||
-*) dst=./$dst;;
|
||||
esac
|
||||
|
||||
# If destination is a directory, append the input filename; won't work
|
||||
# if double slashes aren't ignored.
|
||||
|
@ -338,34 +345,41 @@ do
|
|||
# is incompatible with FreeBSD 'install' when (umask & 300) != 0.
|
||||
;;
|
||||
*)
|
||||
# $RANDOM is not portable (e.g. dash); use it when possible to
|
||||
# lower collision chance
|
||||
tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
|
||||
trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
|
||||
trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0
|
||||
|
||||
# As "mkdir -p" follows symlinks and we work in /tmp possibly; so
|
||||
# create the $tmpdir first (and fail if unsuccessful) to make sure
|
||||
# that nobody tries to guess the $tmpdir name.
|
||||
if (umask $mkdir_umask &&
|
||||
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
|
||||
$mkdirprog $mkdir_mode "$tmpdir" &&
|
||||
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
|
||||
then
|
||||
if test -z "$dir_arg" || {
|
||||
# Check for POSIX incompatibilities with -m.
|
||||
# HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
|
||||
# other-writeable bit of parent directory when it shouldn't.
|
||||
# other-writable bit of parent directory when it shouldn't.
|
||||
# FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
|
||||
ls_ld_tmpdir=`ls -ld "$tmpdir"`
|
||||
test_tmpdir="$tmpdir/a"
|
||||
ls_ld_tmpdir=`ls -ld "$test_tmpdir"`
|
||||
case $ls_ld_tmpdir in
|
||||
d????-?r-*) different_mode=700;;
|
||||
d????-?--*) different_mode=755;;
|
||||
*) false;;
|
||||
esac &&
|
||||
$mkdirprog -m$different_mode -p -- "$tmpdir" && {
|
||||
ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
|
||||
$mkdirprog -m$different_mode -p -- "$test_tmpdir" && {
|
||||
ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"`
|
||||
test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
|
||||
}
|
||||
}
|
||||
then posix_mkdir=:
|
||||
fi
|
||||
rmdir "$tmpdir/d" "$tmpdir"
|
||||
rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir"
|
||||
else
|
||||
# Remove any dirs left behind by ancient mkdir implementations.
|
||||
rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
|
||||
rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null
|
||||
fi
|
||||
trap '' 0;;
|
||||
esac;;
|
||||
|
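Review bot: this is the security-relevant hunk of the install-sh update. The probe directory lives under `${TMPDIR-/tmp}`, and `mkdir -p` follows an existing symlink at each path component, so anyone who could predict `ins$$` and pre-create a symlink there could steer the probe into another directory; the new sequence `$mkdirprog $mkdir_mode "$tmpdir" && exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b"` creates the top level without `-p` first, which fails if the name already exists, so the probe only proceeds into a directory it created itself. Two caveats worth stating in the comment: `$RANDOM` is empty in dash and other plain POSIX shells, in which case the name degrades to `ins-$$` and is predictable again (the comment acknowledges this), and the first `$mkdirprog` call omits the `--` that the second one uses, so a `TMPDIR` beginning with `-` would be parsed as an option. The cleanup `rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null` now also removes the top-level probe directory on the failure path, which the old code did not.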
@ -385,7 +399,7 @@ do
|
|||
|
||||
case $dstdir in
|
||||
/*) prefix='/';;
|
||||
-*) prefix='./';;
|
||||
[-=\(\)!]*) prefix='./';;
|
||||
*) prefix='';;
|
||||
esac
|
||||
|
||||
|
@ -403,7 +417,7 @@ do
|
|||
|
||||
for d
|
||||
do
|
||||
test -z "$d" && continue
|
||||
test X"$d" = X && continue
|
||||
|
||||
prefix=$prefix$d
|
||||
if test -d "$prefix"; then
|
||||
|
@ -515,5 +529,6 @@ done
|
|||
# eval: (add-hook 'write-file-hooks 'time-stamp)
|
||||
# time-stamp-start: "scriptversion="
|
||||
# time-stamp-format: "%:y-%02m-%02d.%02H"
|
||||
# time-stamp-end: "$"
|
||||
# time-stamp-time-zone: "UTC"
|
||||
# time-stamp-end: "; # UTC"
|
||||
# End:
|
||||
|
|
File diff suppressed because it is too large
458
auto/missing
|
@ -1,11 +1,10 @@
|
|||
#! /bin/sh
|
||||
# Common stub for a few missing GNU programs while installing.
|
||||
# Common wrapper for a few potentially missing GNU programs.
|
||||
|
||||
scriptversion=2006-05-10.23
|
||||
scriptversion=2013-10-28.13; # UTC
|
||||
|
||||
# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006
|
||||
# Free Software Foundation, Inc.
|
||||
# Originally by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
|
||||
# Copyright (C) 1996-2013 Free Software Foundation, Inc.
|
||||
# Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
|
||||
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
|
@ -18,9 +17,7 @@ scriptversion=2006-05-10.23
|
|||
# GNU General Public License for more details.
|
||||
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
||||
# 02110-1301, USA.
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
# As a special exception to the GNU General Public License, if you
|
||||
# distribute this file as part of a program that contains a
|
||||
|
@ -28,66 +25,40 @@ scriptversion=2006-05-10.23
|
|||
# the same distribution terms that you use for the rest of that program.
|
||||
|
||||
if test $# -eq 0; then
|
||||
echo 1>&2 "Try \`$0 --help' for more information"
|
||||
echo 1>&2 "Try '$0 --help' for more information"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
run=:
|
||||
sed_output='s/.* --output[ =]\([^ ]*\).*/\1/p'
|
||||
sed_minuso='s/.* -o \([^ ]*\).*/\1/p'
|
||||
|
||||
# In the cases where this matters, `missing' is being run in the
|
||||
# srcdir already.
|
||||
if test -f configure.ac; then
|
||||
configure_ac=configure.ac
|
||||
else
|
||||
configure_ac=configure.in
|
||||
fi
|
||||
|
||||
msg="missing on your system"
|
||||
|
||||
case $1 in
|
||||
--run)
|
||||
# Try to run requested program, and just exit if it succeeds.
|
||||
run=
|
||||
shift
|
||||
"$@" && exit 0
|
||||
# Exit code 63 means version mismatch. This often happens
|
||||
# when the user try to use an ancient version of a tool on
|
||||
# a file that requires a minimum version. In this case we
|
||||
# we should proceed has if the program had been absent, or
|
||||
# if --run hadn't been passed.
|
||||
if test $? = 63; then
|
||||
run=:
|
||||
msg="probably too old"
|
||||
fi
|
||||
;;
|
||||
|
||||
--is-lightweight)
|
||||
# Used by our autoconf macros to check whether the available missing
|
||||
# script is modern enough.
|
||||
exit 0
|
||||
;;
|
||||
|
||||
--run)
|
||||
# Back-compat with the calling convention used by older automake.
|
||||
shift
|
||||
;;
|
||||
|
||||
-h|--h|--he|--hel|--help)
|
||||
echo "\
|
||||
$0 [OPTION]... PROGRAM [ARGUMENT]...
|
||||
|
||||
Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an
|
||||
error status if there is no known handling for PROGRAM.
|
||||
Run 'PROGRAM [ARGUMENT]...', returning a proper advice when this fails due
|
||||
to PROGRAM being missing or too old.
|
||||
|
||||
Options:
|
||||
-h, --help display this help and exit
|
||||
-v, --version output version information and exit
|
||||
--run try to run the given command, and emulate it if it fails
|
||||
|
||||
Supported PROGRAM values:
|
||||
aclocal touch file \`aclocal.m4'
|
||||
autoconf touch file \`configure'
|
||||
autoheader touch file \`config.h.in'
|
||||
autom4te touch the output file, or create a stub one
|
||||
automake touch all \`Makefile.in' files
|
||||
bison create \`y.tab.[ch]', if possible, from existing .[ch]
|
||||
flex create \`lex.yy.c', if possible, from existing .c
|
||||
help2man touch the output file
|
||||
lex create \`lex.yy.c', if possible, from existing .c
|
||||
makeinfo touch the output file
|
||||
tar try tar, gnutar, gtar, then tar without non-portable flags
|
||||
yacc create \`y.tab.[ch]', if possible, from existing .[ch]
|
||||
aclocal autoconf autoheader autom4te automake makeinfo
|
||||
bison yacc flex lex help2man
|
||||
|
||||
Version suffixes to PROGRAM as well as the prefixes 'gnu-', 'gnu', and
|
||||
'g' are ignored when checking the name.
|
||||
|
||||
Send bug reports to <bug-automake@gnu.org>."
|
||||
exit $?
|
||||
|
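Review bot: `--run` is kept only as a `shift` for back-compat, so a configure script generated by older automake that invokes `missing --run autoconf` keeps working, but the new `--help` text no longer lists it; a one-line mention would save users a trip to the source. `--is-lightweight` exists purely so newer autoconf macros can detect this version of the script, as the comment states. Removing the `configure_ac` detection (`configure.ac` versus `configure.in`) together with `sed_output` and `sed_minuso` is consistent, since those variables only fed the emulation branches that this update drops.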
@ -99,269 +70,146 @@ Send bug reports to <bug-automake@gnu.org>."
|
|||
;;
|
||||
|
||||
-*)
|
||||
echo 1>&2 "$0: Unknown \`$1' option"
|
||||
echo 1>&2 "Try \`$0 --help' for more information"
|
||||
echo 1>&2 "$0: unknown '$1' option"
|
||||
echo 1>&2 "Try '$0 --help' for more information"
|
||||
exit 1
|
||||
;;
|
||||
|
||||
esac
|
||||
|
||||
# Now exit if we have it, but it failed. Also exit now if we
|
||||
# don't have it and --version was passed (most likely to detect
|
||||
# the program).
|
||||
case $1 in
|
||||
lex|yacc)
|
||||
# Not GNU programs, they don't have --version.
|
||||
# Run the given program, remember its exit status.
|
||||
"$@"; st=$?
|
||||
|
||||
# If it succeeded, we are done.
|
||||
test $st -eq 0 && exit 0
|
||||
|
||||
# Also exit now if we it failed (or wasn't found), and '--version' was
|
||||
# passed; such an option is passed most likely to detect whether the
|
||||
# program is present and works.
|
||||
case $2 in --version|--help) exit $st;; esac
|
||||
|
||||
# Exit code 63 means version mismatch. This often happens when the user
|
||||
# tries to use an ancient version of a tool on a file that requires a
|
||||
# minimum version.
|
||||
if test $st -eq 63; then
|
||||
msg="probably too old"
|
||||
elif test $st -eq 127; then
|
||||
# Program was missing.
|
||||
msg="missing on your system"
|
||||
else
|
||||
# Program was found and executed, but failed. Give up.
|
||||
exit $st
|
||||
fi
|
||||
|
||||
perl_URL=http://www.perl.org/
|
||||
flex_URL=http://flex.sourceforge.net/
|
||||
gnu_software_URL=http://www.gnu.org/software
|
||||
|
||||
program_details ()
|
||||
{
|
||||
case $1 in
|
||||
aclocal|automake)
|
||||
echo "The '$1' program is part of the GNU Automake package:"
|
||||
echo "<$gnu_software_URL/automake>"
|
||||
echo "It also requires GNU Autoconf, GNU m4 and Perl in order to run:"
|
||||
echo "<$gnu_software_URL/autoconf>"
|
||||
echo "<$gnu_software_URL/m4/>"
|
||||
echo "<$perl_URL>"
|
||||
;;
|
||||
autoconf|autom4te|autoheader)
|
||||
echo "The '$1' program is part of the GNU Autoconf package:"
|
||||
echo "<$gnu_software_URL/autoconf/>"
|
||||
echo "It also requires GNU m4 and Perl in order to run:"
|
||||
echo "<$gnu_software_URL/m4/>"
|
||||
echo "<$perl_URL>"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
give_advice ()
|
||||
{
|
||||
# Normalize program name to check for.
|
||||
normalized_program=`echo "$1" | sed '
|
||||
s/^gnu-//; t
|
||||
s/^gnu//; t
|
||||
s/^g//; t'`
|
||||
|
||||
printf '%s\n' "'$1' is $msg."
|
||||
|
||||
configure_deps="'configure.ac' or m4 files included by 'configure.ac'"
|
||||
case $normalized_program in
|
||||
autoconf*)
|
||||
echo "You should only need it if you modified 'configure.ac',"
|
||||
echo "or m4 files included by it."
|
||||
program_details 'autoconf'
|
||||
;;
|
||||
autoheader*)
|
||||
echo "You should only need it if you modified 'acconfig.h' or"
|
||||
echo "$configure_deps."
|
||||
program_details 'autoheader'
|
||||
;;
|
||||
automake*)
|
||||
echo "You should only need it if you modified 'Makefile.am' or"
|
||||
echo "$configure_deps."
|
||||
program_details 'automake'
|
||||
;;
|
||||
aclocal*)
|
||||
echo "You should only need it if you modified 'acinclude.m4' or"
|
||||
echo "$configure_deps."
|
||||
program_details 'aclocal'
|
||||
;;
|
||||
autom4te*)
|
||||
echo "You might have modified some maintainer files that require"
|
||||
echo "the 'autom4te' program to be rebuilt."
|
||||
program_details 'autom4te'
|
||||
;;
|
||||
bison*|yacc*)
|
||||
echo "You should only need it if you modified a '.y' file."
|
||||
echo "You may want to install the GNU Bison package:"
|
||||
echo "<$gnu_software_URL/bison/>"
|
||||
;;
|
||||
lex*|flex*)
|
||||
echo "You should only need it if you modified a '.l' file."
|
||||
echo "You may want to install the Fast Lexical Analyzer package:"
|
||||
echo "<$flex_URL>"
|
||||
;;
|
||||
help2man*)
|
||||
echo "You should only need it if you modified a dependency" \
|
||||
"of a man page."
|
||||
echo "You may want to install the GNU Help2man package:"
|
||||
echo "<$gnu_software_URL/help2man/>"
|
||||
;;
|
||||
makeinfo*)
|
||||
echo "You should only need it if you modified a '.texi' file, or"
|
||||
echo "any other file indirectly affecting the aspect of the manual."
|
||||
echo "You might want to install the Texinfo package:"
|
||||
echo "<$gnu_software_URL/texinfo/>"
|
||||
echo "The spurious makeinfo call might also be the consequence of"
|
||||
echo "using a buggy 'make' (AIX, DU, IRIX), in which case you might"
|
||||
echo "want to install GNU make:"
|
||||
echo "<$gnu_software_URL/make/>"
|
||||
;;
|
||||
*)
|
||||
echo "You might have modified some files without having the proper"
|
||||
echo "tools for further handling them. Check the 'README' file, it"
|
||||
echo "often tells you about the needed prerequisites for installing"
|
||||
echo "this package. You may also peek at any GNU archive site, in"
|
||||
echo "case some other package contains this missing '$1' program."
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
tar)
|
||||
if test -n "$run"; then
|
||||
echo 1>&2 "ERROR: \`tar' requires --run"
|
||||
exit 1
|
||||
elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
give_advice "$1" | sed -e '1s/^/WARNING: /' \
|
||||
-e '2,$s/^/ /' >&2
|
||||
|
||||
*)
|
||||
if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
|
||||
# We have it, but it failed.
|
||||
exit 1
|
||||
elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
|
||||
# Could not run --version or --help. This is probably someone
|
||||
# running `$TOOL --version' or `$TOOL --help' to check whether
|
||||
# $TOOL exists and not knowing $TOOL uses missing.
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
# If it does not exist, or fails to run (possibly an outdated version),
|
||||
# try to emulate it.
|
||||
case $1 in
|
||||
aclocal*)
|
||||
echo 1>&2 "\
|
||||
WARNING: \`$1' is $msg. You should only need it if
|
||||
you modified \`acinclude.m4' or \`${configure_ac}'. You might want
|
||||
to install the \`Automake' and \`Perl' packages. Grab them from
|
||||
any GNU archive site."
|
||||
touch aclocal.m4
|
||||
;;
|
||||
|
||||
autoconf)
|
||||
echo 1>&2 "\
|
||||
WARNING: \`$1' is $msg. You should only need it if
|
||||
you modified \`${configure_ac}'. You might want to install the
|
||||
\`Autoconf' and \`GNU m4' packages. Grab them from any GNU
|
||||
archive site."
|
||||
touch configure
|
||||
;;
|
||||
|
||||
autoheader)
|
||||
echo 1>&2 "\
|
||||
WARNING: \`$1' is $msg. You should only need it if
|
||||
you modified \`acconfig.h' or \`${configure_ac}'. You might want
|
||||
to install the \`Autoconf' and \`GNU m4' packages. Grab them
|
||||
from any GNU archive site."
|
||||
files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' ${configure_ac}`
|
||||
test -z "$files" && files="config.h"
|
||||
touch_files=
|
||||
for f in $files; do
|
||||
case $f in
|
||||
*:*) touch_files="$touch_files "`echo "$f" |
|
||||
sed -e 's/^[^:]*://' -e 's/:.*//'`;;
|
||||
*) touch_files="$touch_files $f.in";;
|
||||
esac
|
||||
done
|
||||
touch $touch_files
|
||||
;;
|
||||
|
||||
automake*)
|
||||
echo 1>&2 "\
|
||||
WARNING: \`$1' is $msg. You should only need it if
|
||||
you modified \`Makefile.am', \`acinclude.m4' or \`${configure_ac}'.
|
||||
You might want to install the \`Automake' and \`Perl' packages.
|
||||
Grab them from any GNU archive site."
|
||||
find . -type f -name Makefile.am -print |
|
||||
sed 's/\.am$/.in/' |
|
||||
while read f; do touch "$f"; done
|
||||
;;
|
||||
|
||||
autom4te)
|
||||
echo 1>&2 "\
|
||||
WARNING: \`$1' is needed, but is $msg.
|
||||
You might have modified some files without having the
|
||||
proper tools for further handling them.
|
||||
You can get \`$1' as part of \`Autoconf' from any GNU
|
||||
archive site."
|
||||
|
||||
file=`echo "$*" | sed -n "$sed_output"`
|
||||
test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
|
||||
if test -f "$file"; then
|
||||
touch $file
|
||||
else
|
||||
test -z "$file" || exec >$file
|
||||
echo "#! /bin/sh"
|
||||
echo "# Created by GNU Automake missing as a replacement of"
|
||||
echo "# $ $@"
|
||||
echo "exit 0"
|
||||
chmod +x $file
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
|
||||
bison|yacc)
|
||||
echo 1>&2 "\
|
||||
WARNING: \`$1' $msg. You should only need it if
|
||||
you modified a \`.y' file. You may need the \`Bison' package
|
||||
in order for those modifications to take effect. You can get
|
||||
\`Bison' from any GNU archive site."
|
||||
rm -f y.tab.c y.tab.h
|
||||
if test $# -ne 1; then
|
||||
eval LASTARG="\${$#}"
|
||||
case $LASTARG in
|
||||
*.y)
|
||||
SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'`
|
||||
if test -f "$SRCFILE"; then
|
||||
cp "$SRCFILE" y.tab.c
|
||||
fi
|
||||
SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'`
|
||||
if test -f "$SRCFILE"; then
|
||||
cp "$SRCFILE" y.tab.h
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
if test ! -f y.tab.h; then
|
||||
echo >y.tab.h
|
||||
fi
|
||||
if test ! -f y.tab.c; then
|
||||
echo 'main() { return 0; }' >y.tab.c
|
||||
fi
|
||||
;;
|
||||
|
||||
lex|flex)
|
||||
echo 1>&2 "\
|
||||
WARNING: \`$1' is $msg. You should only need it if
|
||||
you modified a \`.l' file. You may need the \`Flex' package
|
||||
in order for those modifications to take effect. You can get
|
||||
\`Flex' from any GNU archive site."
|
||||
rm -f lex.yy.c
|
||||
if test $# -ne 1; then
|
||||
eval LASTARG="\${$#}"
|
||||
case $LASTARG in
|
||||
*.l)
|
||||
SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'`
|
||||
if test -f "$SRCFILE"; then
|
||||
cp "$SRCFILE" lex.yy.c
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
if test ! -f lex.yy.c; then
|
||||
echo 'main() { return 0; }' >lex.yy.c
|
||||
fi
|
||||
;;
|
||||
|
||||
help2man)
|
||||
echo 1>&2 "\
|
||||
WARNING: \`$1' is $msg. You should only need it if
|
||||
you modified a dependency of a manual page. You may need the
|
||||
\`Help2man' package in order for those modifications to take
|
||||
effect. You can get \`Help2man' from any GNU archive site."
|
||||
|
||||
file=`echo "$*" | sed -n "$sed_output"`
|
||||
test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
|
||||
if test -f "$file"; then
|
||||
touch $file
|
||||
else
|
||||
test -z "$file" || exec >$file
|
||||
echo ".ab help2man is required to generate this page"
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
|
||||
makeinfo)
|
||||
echo 1>&2 "\
|
||||
WARNING: \`$1' is $msg. You should only need it if
|
||||
you modified a \`.texi' or \`.texinfo' file, or any other file
|
||||
indirectly affecting the aspect of the manual. The spurious
|
||||
call might also be the consequence of using a buggy \`make' (AIX,
|
||||
DU, IRIX). You might want to install the \`Texinfo' package or
|
||||
the \`GNU make' package. Grab either from any GNU archive site."
|
||||
# The file to touch is that specified with -o ...
|
||||
file=`echo "$*" | sed -n "$sed_output"`
|
||||
test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
|
||||
if test -z "$file"; then
|
||||
# ... or it is the one specified with @setfilename ...
|
||||
infile=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'`
|
||||
file=`sed -n '
|
||||
/^@setfilename/{
|
||||
s/.* \([^ ]*\) *$/\1/
|
||||
p
|
||||
q
|
||||
}' $infile`
|
||||
# ... or it is derived from the source name (dir/f.texi becomes f.info)
|
||||
test -z "$file" && file=`echo "$infile" | sed 's,.*/,,;s,.[^.]*$,,'`.info
|
||||
fi
|
||||
# If the file does not exist, the user really needs makeinfo;
|
||||
# let's fail without touching anything.
|
||||
test -f $file || exit 1
|
||||
touch $file
|
||||
;;
|
||||
|
||||
tar)
|
||||
shift
|
||||
|
||||
# We have already tried tar in the generic part.
|
||||
# Look for gnutar/gtar before invocation to avoid ugly error
|
||||
# messages.
|
||||
if (gnutar --version > /dev/null 2>&1); then
|
||||
gnutar "$@" && exit 0
|
||||
fi
|
||||
if (gtar --version > /dev/null 2>&1); then
|
||||
gtar "$@" && exit 0
|
||||
fi
|
||||
firstarg="$1"
|
||||
if shift; then
|
||||
case $firstarg in
|
||||
*o*)
|
||||
firstarg=`echo "$firstarg" | sed s/o//`
|
||||
tar "$firstarg" "$@" && exit 0
|
||||
;;
|
||||
esac
|
||||
case $firstarg in
|
||||
*h*)
|
||||
firstarg=`echo "$firstarg" | sed s/h//`
|
||||
tar "$firstarg" "$@" && exit 0
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
echo 1>&2 "\
|
||||
WARNING: I can't seem to be able to run \`tar' with the given arguments.
|
||||
You may want to install GNU tar or Free paxutils, or check the
|
||||
command line arguments."
|
||||
exit 1
|
||||
;;
|
||||
|
||||
*)
|
||||
echo 1>&2 "\
|
||||
WARNING: \`$1' is needed, and is $msg.
|
||||
You might have modified some files without having the
|
||||
proper tools for further handling them. Check the \`README' file,
|
||||
it often tells you about the needed prerequisites for installing
|
||||
this package. You may also peek at any GNU archive site, in case
|
||||
some other package would contain this missing \`$1' program."
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
exit 0
|
||||
# Propagate the correct exit status (expected to be 127 for a program
|
||||
# not found, 63 for a program that failed due to version mismatch).
|
||||
exit $st
|
||||
|
||||
# Local variables:
|
||||
# eval: (add-hook 'write-file-hooks 'time-stamp)
|
||||
# time-stamp-start: "scriptversion="
|
||||
# time-stamp-format: "%:y-%02m-%02d.%02H"
|
||||
# time-stamp-end: "$"
|
||||
# time-stamp-time-zone: "UTC"
|
||||
# time-stamp-end: "; # UTC"
|
||||
# End:
|
||||
|
|
|
@ -1,31 +1,25 @@
|
|||
#!/bin/sh
|
||||
set -ev
|
||||
VERSION=4.57
|
||||
VERSION=5.42
|
||||
DST=stunnel-$VERSION-android
|
||||
|
||||
# to build Zlib:
|
||||
# export CHOST=arm-linux-androideabi
|
||||
# ./configure --static --prefix=/opt/androideabi/sysroot
|
||||
# make
|
||||
# make install
|
||||
|
||||
# to build OpenSSL:
|
||||
# export CC=arm-linux-androideabi-gcc
|
||||
# ./Configure linux-armv4 threads no-shared zlib no-dso --openssldir=/opt/androideabi/sysroot
|
||||
# make
|
||||
# ./Configure threads no-shared no-dso --cross-compile-prefix=arm-linux-androideabi- --openssldir=/opt/androideabi/sysroot linux-armv4
|
||||
# make install
|
||||
|
||||
test -f Makefile && make distclean
|
||||
mkdir -p bin/android
|
||||
cd bin/android
|
||||
../../configure --build=i686-pc-linux-gnu --host=arm-linux-androideabi --prefix=/data/local --with-ssl=/opt/androideabi/sysroot
|
||||
../../configure --with-sysroot --build=i686-pc-linux-gnu --host=arm-linux-androideabi --prefix=/data/local
|
||||
make clean
|
||||
make
|
||||
cd ../..
|
||||
mkdir $DST
|
||||
cp bin/android/src/stunnel /opt/androideabi/sysroot/bin/openssl $DST
|
||||
cp bin/android/src/stunnel $DST
|
||||
# arm-linux-androideabi-strip $DST/stunnel $DST/openssl
|
||||
arm-linux-androideabi-strip $DST/openssl
|
||||
# cp /opt/androideabi/sysroot/bin/openssl $DST
|
||||
# arm-linux-androideabi-strip $DST/openssl
|
||||
zip -r $DST.zip $DST
|
||||
rm -rf $DST
|
||||
sha256sum $DST.zip
|
||||
mv $DST.zip ../dist/
|
||||
# sha256sum $DST.zip
|
||||
# mv $DST.zip ../dist/
|
||||
|
|
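Review bot: the release integrity step is commented out in the new version of this script: `# sha256sum $DST.zip` and `# mv $DST.zip ../dist/` replace the live `sha256sum $DST.zip` / `mv $DST.zip ../dist/` lines, so the Android zip is left in the source tree with no digest printed. If the published 5.42 Android archive is meant to ship with a checksum, reinstate the hash step or generate it in whatever dist step now consumes the zip. Also check the openssl handling: copying openssl (`# cp /opt/androideabi/sysroot/bin/openssl $DST`) is commented out, yet an uncommented `arm-linux-androideabi-strip $DST/openssl` still appears in the hunk; under `set -ev` stripping a file that was never copied aborts the build, so either comment that line as well or point it at `$DST/stunnel`, the binary that is actually copied.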
492
configure.ac
|
@ -1,14 +1,14 @@
|
|||
# Process this file with autoconf to produce a configure script.
|
||||
|
||||
AC_INIT([stunnel],[4.57])
|
||||
AC_INIT([stunnel],[5.42])
|
||||
AC_MSG_NOTICE([**************************************** initialization])
|
||||
AC_CONFIG_AUX_DIR(auto)
|
||||
AC_CONFIG_MACRO_DIR([m4])
|
||||
AM_INIT_AUTOMAKE(stunnel, 4.57)
|
||||
AC_CONFIG_HEADERS([src/config.h])
|
||||
AC_CONFIG_SRCDIR([src/stunnel.c])
|
||||
AC_DEFINE([_GNU_SOURCE], [1], [Use GNU source])
|
||||
AM_INIT_AUTOMAKE
|
||||
|
||||
AM_CONDITIONAL([AUTHOR_TESTS], [test -d ".git"])
|
||||
AC_CANONICAL_HOST
|
||||
AC_SUBST([host])
|
||||
AC_DEFINE_UNQUOTED([HOST], ["$host"], [Host description])
|
||||
|
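Review bot: `AM_CONDITIONAL([AUTHOR_TESTS], [test -d ".git"])` tests the current working directory, not the source tree, so it evaluates to false in every out-of-tree build (the Android script in this same commit configures from `bin/android`) and to true if a packager happens to run configure inside an unrelated git checkout. Use `test -d "$srcdir/.git"` so the author-only tests are keyed to the actual source directory.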
@ -17,104 +17,116 @@ AC_DEFINE_UNQUOTED(esc(CPU_$host_cpu))
|
|||
AC_DEFINE_UNQUOTED(esc(VENDOR_$host_vendor))
|
||||
AC_DEFINE_UNQUOTED(esc(OS_$host_os))
|
||||
|
||||
case "$host_os" in
|
||||
*darwin*)
|
||||
# OSX does not declare ucontext without _XOPEN_SOURCE
|
||||
AC_DEFINE([_XOPEN_SOURCE], [500], [Use X/Open 5 with POSIX 1995])
|
||||
# OSX does not declare chroot() without _DARWIN_C_SOURCE
|
||||
AC_DEFINE([_DARWIN_C_SOURCE], [1], [Use Darwin source])
|
||||
;;
|
||||
*)
|
||||
AC_DEFINE([_GNU_SOURCE], [1], [Use GNU source])
|
||||
;;
|
||||
esac
|
||||
|
||||
AC_PROG_CC
|
||||
AM_PROG_CC_C_O
|
||||
AC_PROG_INSTALL
|
||||
AC_PROG_MAKE_SET
|
||||
# silent build by default
|
||||
ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
|
||||
|
||||
# Checks for typedefs, structures, and compiler characteristics
|
||||
# AC_C_CONST
|
||||
# AC_TYPE_SIZE_T
|
||||
# AC_TYPE_PID_T
|
||||
# AC_HEADER_TIME
|
||||
AC_MSG_NOTICE([**************************************** thread model])
|
||||
# thread detection should be done first, as it may change the CC variable
|
||||
|
||||
AC_ARG_WITH(threads,
|
||||
[ --with-threads=model select threading model (ucontext/pthread/fork)],
|
||||
[
|
||||
case "$withval" in
|
||||
ucontext)
|
||||
AC_MSG_NOTICE([UCONTEXT mode selected])
|
||||
AC_DEFINE([USE_UCONTEXT], [1], [Define to 1 to select UCONTEXT mode])
|
||||
;;
|
||||
pthread)
|
||||
AC_MSG_NOTICE([PTHREAD mode selected])
|
||||
AX_PTHREAD()
|
||||
LIBS="$PTHREAD_LIBS $LIBS"
|
||||
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
|
||||
CC="$PTHREAD_CC"
|
||||
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
|
||||
;;
|
||||
fork)
|
||||
AC_MSG_NOTICE([FORK mode selected])
|
||||
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
|
||||
;;
|
||||
*)
|
||||
AC_MSG_ERROR([Unknown thread model \"${withval}\"])
|
||||
;;
|
||||
esac
|
||||
], [
|
||||
# do not attempt to autodetect UCONTEXT threading
|
||||
AX_PTHREAD([
|
||||
AC_MSG_NOTICE([PTHREAD thread model detected])
|
||||
LIBS="$PTHREAD_LIBS $LIBS"
|
||||
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
|
||||
CC="$PTHREAD_CC"
|
||||
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
|
||||
], [
|
||||
AC_MSG_NOTICE([FORK thread model detected])
|
||||
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
|
||||
])
|
||||
])
|
||||
|
||||
AC_MSG_NOTICE([**************************************** compiler/linker flags])
|
||||
AC_SUBST([stunnel_LDFLAGS])
|
||||
|
||||
AC_MSG_CHECKING([whether $CC accepts -pthread])
|
||||
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -pthread"
|
||||
valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -pthread"
|
||||
AC_LINK_IFELSE([int main() {return 0;}],
|
||||
[
|
||||
AC_MSG_RESULT([yes])
|
||||
AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -pthread"])
|
||||
AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -pthread"])
|
||||
], [
|
||||
AC_MSG_RESULT([no])
|
||||
])
|
||||
CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS"
|
||||
|
||||
AC_MSG_CHECKING([whether $CC accepts -fstack-protector])
|
||||
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -fstack-protector"
|
||||
valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -fstack-protector"
|
||||
AC_LINK_IFELSE([int main() {return 0;}],
|
||||
[
|
||||
AC_MSG_RESULT([yes])
|
||||
AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -fstack-protector"])
|
||||
AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -fstack-protector"])
|
||||
], [
|
||||
AC_MSG_RESULT([no])
|
||||
])
|
||||
CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS"
|
||||
|
||||
AC_MSG_CHECKING([whether $CC accepts -pie])
|
||||
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -fPIE"
|
||||
valid_LDFLAGS="$LDFLAGS"; LDFLAGS="$LDFLAGS -pie -fPIE"
|
||||
AC_LINK_IFELSE([int main() {return 0;}],
|
||||
[
|
||||
AC_MSG_RESULT([yes])
|
||||
AC_SUBST([stunnel_CFLAGS], ["$stunnel_CFLAGS -fPIE"])
|
||||
AC_SUBST([stunnel_LDFLAGF], ["$stunnel_LDFLAGF -pie -fPIE"])
|
||||
], [
|
||||
AC_MSG_RESULT([no])
|
||||
])
|
||||
CFLAGS="$valid_CFLAGS"; LDFLAGS="$valid_LDFLAGS"
|
||||
|
||||
AC_MSG_CHECKING([whether $CC accepts -Wall])
|
||||
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wall"
|
||||
AC_LINK_IFELSE([int main() {return 0;}],
|
||||
[AC_MSG_RESULT([yes])],
|
||||
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
|
||||
|
||||
AC_MSG_CHECKING([whether $CC accepts -Wextra])
|
||||
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wextra"
|
||||
AC_LINK_IFELSE([int main() {return 0;}],
|
||||
[AC_MSG_RESULT([yes])],
|
||||
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
|
||||
|
||||
AC_MSG_CHECKING([whether $CC accepts -Wno-long-long])
|
||||
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wno-long-long"
|
||||
AC_LINK_IFELSE([int main() {return 0;}],
|
||||
[AC_MSG_RESULT([yes])],
|
||||
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
|
||||
|
||||
AC_MSG_CHECKING([whether $CC accepts -pedantic])
|
||||
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -pedantic"
|
||||
AC_LINK_IFELSE([int main() {return 0;}],
|
||||
[AC_MSG_RESULT([yes])],
|
||||
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
|
||||
if test "$GCC" = yes; then
|
||||
AX_APPEND_COMPILE_FLAGS([-Wall])
|
||||
AX_APPEND_COMPILE_FLAGS([-Wextra])
|
||||
AX_APPEND_COMPILE_FLAGS([-Wpedantic])
|
||||
AX_APPEND_COMPILE_FLAGS([-Wformat=2])
|
||||
AX_APPEND_COMPILE_FLAGS([-Wconversion])
|
||||
AX_APPEND_COMPILE_FLAGS([-Wno-long-long])
|
||||
AX_APPEND_COMPILE_FLAGS([-Wno-deprecated-declarations])
|
||||
AX_APPEND_COMPILE_FLAGS([-fPIE])
|
||||
case "${host}" in
|
||||
avr-*.* | powerpc-*-aix* | rl78-*.* | visium-*.*)
|
||||
;;
|
||||
*)
|
||||
AX_APPEND_COMPILE_FLAGS([-fstack-protector])
|
||||
;;
|
||||
esac
|
||||
AX_APPEND_LINK_FLAGS([-fPIE -pie])
|
||||
AX_APPEND_LINK_FLAGS([-Wl,-z,relro])
|
||||
AX_APPEND_LINK_FLAGS([-Wl,-z,now])
|
||||
AX_APPEND_LINK_FLAGS([-Wl,-z,noexecstack])
|
||||
fi
|
||||
AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2])
|
||||
|
||||
AC_MSG_NOTICE([**************************************** libtool])
|
||||
LT_INIT([disable-static])
|
||||
AC_SUBST([LIBTOOL_DEPS])
|
||||
|
||||
AC_MSG_NOTICE([**************************************** types])
|
||||
AC_CHECK_SIZEOF(unsigned char)
|
||||
AC_CHECK_SIZEOF(unsigned short)
|
||||
AC_CHECK_SIZEOF(unsigned int)
|
||||
AC_CHECK_SIZEOF(unsigned long)
|
||||
|
||||
AC_TYPE_INT8_T
|
||||
AC_TYPE_INT16_T
|
||||
AC_TYPE_INT32_T
|
||||
AC_TYPE_INT64_T
|
||||
AC_TYPE_UINT8_T
|
||||
AC_TYPE_UINT16_T
|
||||
AC_TYPE_UINT32_T
|
||||
AC_TYPE_UINT64_T
|
||||
AC_TYPE_SIZE_T
|
||||
AC_TYPE_SSIZE_T
|
||||
AC_TYPE_UID_T
|
||||
AC_MSG_CHECKING([for socklen_t])
|
||||
AC_EGREP_HEADER(socklen_t, sys/socket.h,
|
||||
AC_MSG_RESULT([yes]),
|
||||
AC_MSG_RESULT([no (defined as int)])
|
||||
AC_DEFINE([socklen_t], [int], [Type of socklen_t]))
|
||||
|
||||
AC_CHECK_TYPES([struct sockaddr_un], [], [], [#include <sys/un.h>])
|
||||
AC_CHECK_TYPES([struct addrinfo], [], [], [#include <netdb.h>])
|
||||
|
||||
AC_MSG_NOTICE([**************************************** PTY device files])
|
||||
if test "$cross_compiling" = "no"; then
|
||||
if test "x$cross_compiling" = "xno"; then
|
||||
AC_CHECK_FILE("/dev/ptmx", AC_DEFINE([HAVE_DEV_PTMX], [1],
|
||||
[Define to 1 if you have '/dev/ptmx' device.]))
|
||||
AC_CHECK_FILE("/dev/ptc", AC_DEFINE([HAVE_DEV_PTS_AND_PTC], [1],
|
||||
|
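Review bot: in the explicit `pthread)` branch, `AX_PTHREAD()` is called with no action-if-not-found, so when the macro cannot find a working pthread setup configure still defines `USE_PTHREAD` with empty `PTHREAD_LIBS`/`PTHREAD_CFLAGS`, and the failure only surfaces at compile or link time. Pass a failure action, e.g. `AX_PTHREAD([], [AC_MSG_ERROR([--with-threads=pthread requested but no usable pthread library found])])`, mirroring the autodetect path, which already falls back to FORK. Two smaller points on the hardening flags: `AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2])` only has an effect when the compiler optimizes (the fortified wrappers are a no-op at -O0), so a packager building with `CFLAGS="-O0 -g"` silently loses it, and `-fstack-protector-strong` could be tried before falling back to `-fstack-protector`. Note also that the removed `AC_SUBST([stunnel_LDFLAGF], ...)` lines were a typo for `stunnel_LDFLAGS`, so the old -pie and -fstack-protector link flags were never applied; the new `AX_APPEND_LINK_FLAGS` calls fix that, and the relro/now/noexecstack additions are welcome.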
@ -125,13 +137,14 @@ fi
|
|||
|
||||
AC_MSG_NOTICE([**************************************** entropy sources])
|
||||
|
||||
if test "$cross_compiling" = "no"; then
|
||||
if test "x$cross_compiling" = "xno"; then
|
||||
AC_ARG_WITH(egd-socket,
|
||||
[ --with-egd-socket=FILE Entropy Gathering Daemon socket path],
|
||||
[EGD_SOCKET="$withval"]
|
||||
)
|
||||
if test -n "$EGD_SOCKET"; then
|
||||
AC_DEFINE_UNQUOTED([EGD_SOCKET], ["$EGD_SOCKET"], [Entropy Gathering Daemon socket path])
|
||||
AC_DEFINE_UNQUOTED([EGD_SOCKET], ["$EGD_SOCKET"],
|
||||
[Entropy Gathering Daemon socket path])
|
||||
fi
|
||||
|
||||
# Check for user-specified random device
|
||||
|
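Review bot: `AC_ARG_WITH(egd-socket, ...)` sits inside `if test "x$cross_compiling" = "xno"`, so when cross compiling `--with-egd-socket=FILE` is accepted by configure's generic option parsing but never reaches `EGD_SOCKET`, and the `AC_DEFINE_UNQUOTED([EGD_SOCKET], ...)` is skipped; an embedded target that relies on EGD (the one case where the option matters) cannot set it. Hoist the `AC_ARG_WITH` and the `AC_DEFINE_UNQUOTED` out of the cross-compiling guard; only the autodetection that inspects the build host's filesystem needs to stay inside it.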
@ -153,7 +166,7 @@ fi
|
|||
|
||||
AC_MSG_NOTICE([**************************************** default group])
|
||||
DEFAULT_GROUP=nobody
|
||||
if test "$cross_compiling" = "no"; then
|
||||
if test "x$cross_compiling" = "xno"; then
|
||||
grep '^nogroup:' /etc/group >/dev/null && DEFAULT_GROUP=nogroup
|
||||
else
|
||||
AC_MSG_WARN([cross-compilation: assuming nogroup is not available])
|
||||
|
@ -162,12 +175,17 @@ AC_MSG_CHECKING([for default group])
|
|||
AC_MSG_RESULT([$DEFAULT_GROUP])
|
||||
AC_SUBST([DEFAULT_GROUP])
|
||||
|
||||
AC_SYS_LARGEFILE
|
||||
|
||||
AC_MSG_NOTICE([**************************************** header files])
|
||||
# AC_HEADER_DIRENT
|
||||
# AC_HEADER_STDC
|
||||
# AC_HEADER_SYS_WAIT
|
||||
AC_CHECK_HEADERS([malloc.h ucontext.h pthread.h poll.h tcpd.h stropts.h grp.h unistd.h util.h libutil.h pty.h])
|
||||
AC_CHECK_HEADERS([sys/types.h sys/select.h sys/poll.h sys/socket.h sys/un.h sys/ioctl.h sys/filio.h sys/resource.h sys/uio.h])
|
||||
AC_CHECK_HEADERS([stdint.h inttypes.h malloc.h ucontext.h pthread.h poll.h \
|
||||
tcpd.h stropts.h grp.h unistd.h util.h libutil.h pty.h limits.h])
|
||||
AC_CHECK_HEADERS([sys/types.h sys/select.h sys/poll.h sys/socket.h sys/un.h \
|
||||
sys/ioctl.h sys/filio.h sys/resource.h sys/uio.h sys/syscall.h])
|
||||
AC_CHECK_HEADERS([linux/sched.h])
|
||||
AC_CHECK_MEMBERS([struct msghdr.msg_control],
|
||||
[AC_DEFINE([HAVE_MSGHDR_MSG_CONTROL], [1],
|
||||
[Define to 1 if you have 'msghdr.msg_control' structure.])], [], [
|
||||
|
@ -188,102 +206,22 @@ AC_SEARCH_LIBS([gethostbyname], [nsl])
|
|||
AC_SEARCH_LIBS([yp_get_default_domain], [nsl])
|
||||
AC_SEARCH_LIBS([socket], [socket])
|
||||
AC_SEARCH_LIBS([openpty], [util])
|
||||
# Checks for dynamic loader and zlib needed by OpenSSL
|
||||
# Checks for dynamic loader needed by OpenSSL
|
||||
AC_SEARCH_LIBS([dlopen], [dl])
|
||||
AC_SEARCH_LIBS([shl_load], [dld])
|
||||
AC_SEARCH_LIBS([inflateEnd], [z])
|
||||
|
||||
# Add BeOS libraries
|
||||
if test "$host_os" = "beos"; then
|
||||
if test "x$host_os" = "xbeos"; then
|
||||
LIBS="$LIBS -lbe -lroot -lbind"
|
||||
fi
|
||||
|
||||
AC_MSG_NOTICE([**************************************** thread model])
|
||||
|
||||
checkpthreadlib() { :
|
||||
# 1. BSD hack: attempt to use alternative libc implementation if available
|
||||
AC_CHECK_LIB([c_r], [pthread_create],
|
||||
[
|
||||
LIBS="$LIBS -pthread"
|
||||
HAVE_LIBPTHREAD="yes"
|
||||
AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.])
|
||||
]
|
||||
)
|
||||
|
||||
# 2. try to use from standard libc (required by Android and possibly other platforms)
|
||||
AC_CHECK_LIB([c], [pthread_create],
|
||||
[
|
||||
HAVE_LIBPTHREAD="yes"
|
||||
AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.])
|
||||
]
|
||||
)
|
||||
|
||||
# 3. try libpthread: OSF hack instead of simple AC_CHECK_LIB here
|
||||
AC_MSG_CHECKING([for pthread_create in -lpthread])
|
||||
valid_LIBS="$LIBS"
|
||||
LIBS="$valid_LIBS -lpthread"
|
||||
AC_LINK_IFELSE(
|
||||
[AC_LANG_PROGRAM(
|
||||
[
|
||||
#include <pthread.h>
|
||||
],
|
||||
[
|
||||
pthread_create((void *)0, (void *)0, (void *)0, (void *)0)
|
||||
]
|
||||
)],
|
||||
[
|
||||
AC_MSG_RESULT([yes])
|
||||
HAVE_LIBPTHREAD="yes"
|
||||
AC_DEFINE([HAVE_LIBPTHREAD], [1], [Define to 1 if you have 'libpthread' library.])
|
||||
], [
|
||||
AC_MSG_RESULT([no])
|
||||
LIBS="$valid_LIBS"
|
||||
]
|
||||
)
|
||||
}
|
||||
|
||||
AC_ARG_WITH(threads,
|
||||
[ --with-threads=model select threading model (ucontext/pthread/fork)],
|
||||
[
|
||||
case "$withval" in
|
||||
ucontext)
|
||||
AC_MSG_NOTICE([UCONTEXT mode selected])
|
||||
AC_DEFINE([USE_UCONTEXT], [1], [Define to 1 to select UCONTEXT mode])
|
||||
;;
|
||||
pthread)
|
||||
checkpthreadlib
|
||||
AC_MSG_NOTICE([PTHREAD mode selected])
|
||||
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
|
||||
;;
|
||||
fork)
|
||||
AC_MSG_NOTICE([FORK mode selected])
|
||||
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
|
||||
;;
|
||||
*)
|
||||
AC_MSG_ERROR([Unknown thread model \"${withval}\"])
|
||||
;;
|
||||
esac
|
||||
], [
|
||||
checkpthreadlib
|
||||
if test "$HAVE_LIBPTHREAD" = "yes" -a "$ac_cv_header_pthread_h" = "yes"; then
|
||||
AC_MSG_NOTICE([PTHREAD thread model detected])
|
||||
AC_DEFINE([USE_PTHREAD], [1], [Define to 1 to select PTHREAD mode])
|
||||
elif test "$ac_cv_func_getcontext" = "yes" -a "$ac_cv_header_ucontext_h" = "yes"; then
|
||||
AC_MSG_NOTICE([UCONTEXT thread model detected])
|
||||
AC_DEFINE([USE_UCONTEXT], [1], [Define to 1 to select UCONTEXT mode])
|
||||
else
|
||||
AC_MSG_NOTICE([FORK thread model detected])
|
||||
AC_DEFINE([USE_FORK], [1], [Define to 1 to select FORK mode])
|
||||
fi
|
||||
])
|
||||
|
||||
AC_MSG_NOTICE([**************************************** library functions])
|
||||
# safe string operations
|
||||
AC_CHECK_FUNCS(snprintf vsnprintf)
|
||||
# pseudoterminal
|
||||
AC_CHECK_FUNCS(openpty _getpty)
|
||||
# Unix
|
||||
AC_CHECK_FUNCS(daemon waitpid wait4 setsid setgroups chroot)
|
||||
AC_CHECK_FUNCS(daemon waitpid wait4 setsid setgroups chroot realpath)
|
||||
# limits
|
||||
AC_CHECK_FUNCS(sysconf getrlimit)
|
||||
# threads/reentrant functions
|
||||
|
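Review bot: `AC_SEARCH_LIBS([inflateEnd], [z])` is removed along with the rewritten comment `# Checks for dynamic loader needed by OpenSSL`. That matches the updated Android recipe in this commit, which no longer passes `zlib` to OpenSSL's Configure, but anyone linking against a static libcrypto built with `zlib` (the previous recipe, `./Configure linux-armv4 threads no-shared zlib no-dso ...`, did exactly that) will now get undefined references to the inflate/deflate symbols unless they pass `LIBS=-lz` by hand. A sentence in the build documentation, or a conditional zlib check when the `-lcrypto` link test fails, would avoid surprise breakage.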
@ -316,10 +254,10 @@ getaddrinfo(NULL, NULL, NULL, NULL);
|
|||
[AC_MSG_RESULT([no])])
|
||||
;;
|
||||
esac
|
||||
# poll() is not recommended on Mac OS X <=10.3 and broken on Mac OS X >=10.4
|
||||
# poll() is not recommended on Mac OS X <= 10.3 and broken on Mac OS X 10.4
|
||||
AC_MSG_CHECKING([for broken poll() implementation])
|
||||
case "$host_os" in
|
||||
darwin*)
|
||||
darwin[0-8].*)
|
||||
AC_MSG_RESULT([yes (poll() disabled)])
|
||||
AC_DEFINE([BROKEN_POLL], [1], [Define to 1 if you have a broken 'poll' implementation.])
|
||||
;;
|
||||
|
@ -334,11 +272,12 @@ AC_MSG_NOTICE([**************************************** optional features])
|
|||
# Use IPv6?
|
||||
AC_MSG_CHECKING([whether to enable IPv6 support])
|
||||
AC_ARG_ENABLE(ipv6,
|
||||
[ --enable-ipv6 Enable IPv6 support],
|
||||
[ --disable-ipv6 disable IPv6 support],
|
||||
[
|
||||
case "$enableval" in
|
||||
yes) AC_MSG_RESULT([yes])
|
||||
AC_DEFINE([USE_IPv6], [1], [Define to 1 to enable IPv6 support])
|
||||
AC_DEFINE([USE_IPv6], [1],
|
||||
[Define to 1 to enable IPv6 support])
|
||||
;;
|
||||
no) AC_MSG_RESULT([no])
|
||||
;;
|
||||
|
@ -346,23 +285,86 @@ AC_ARG_ENABLE(ipv6,
|
|||
AC_MSG_ERROR([bad value \"${enableval}\"])
|
||||
;;
|
||||
esac
|
||||
], [
|
||||
AC_MSG_RESULT([yes (default)])
|
||||
AC_DEFINE([USE_IPv6], [1], [Define to 1 to enable IPv6 support])
|
||||
], [
|
||||
AC_MSG_RESULT([no])
|
||||
]
|
||||
)
|
||||
|
||||
# FIPS Mode
|
||||
AC_MSG_CHECKING([whether to enable FIPS support])
|
||||
AC_ARG_ENABLE(fips,
|
||||
[ --disable-fips disable OpenSSL FIPS support],
|
||||
[
|
||||
case "$enableval" in
|
||||
yes) AC_MSG_RESULT([no])
|
||||
use_fips="yes"
|
||||
AC_DEFINE([USE_FIPS], [1],
|
||||
[Define to 1 to enable OpenSSL FIPS support])
|
||||
;;
|
||||
no) AC_MSG_RESULT([no])
|
||||
use_fips="no"
|
||||
;;
|
||||
*) AC_MSG_RESULT([error])
|
||||
AC_MSG_ERROR([bad value \"${enableval}\"])
|
||||
;;
|
||||
esac
|
||||
],
|
||||
[AC_MSG_RESULT([yes]); AC_DEFINE([USE_IPv6], [1], [Define to 1 to enable IPv6 support])],
|
||||
[AC_MSG_RESULT([no])]
|
||||
[
|
||||
use_fips="auto"
|
||||
AC_MSG_RESULT([autodetecting])
|
||||
]
|
||||
)
|
||||
|
||||
# Disable systemd socket activation support
|
||||
AC_MSG_CHECKING([whether to enable systemd socket activation support])
|
||||
AC_ARG_ENABLE(systemd,
|
||||
[ --disable-systemd disable systemd socket activation support],
|
||||
[
|
||||
case "$enableval" in
|
||||
yes) AC_MSG_RESULT([yes])
|
||||
AC_SEARCH_LIBS([sd_listen_fds], [systemd systemd-daemon])
|
||||
AC_DEFINE([USE_SYSTEMD], [1],
|
||||
[Define to 1 to enable systemd socket activation])
|
||||
;;
|
||||
no) AC_MSG_RESULT([no])
|
||||
;;
|
||||
*) AC_MSG_RESULT([error])
|
||||
AC_MSG_ERROR([Bad value \"${enableval}\"])
|
||||
;;
|
||||
esac
|
||||
],
|
||||
[
|
||||
AC_MSG_RESULT([autodetecting])
|
||||
# the library name has changed to -lsystemd in systemd 209
|
||||
AC_SEARCH_LIBS([sd_listen_fds], [systemd systemd-daemon],
|
||||
[ AC_CHECK_HEADERS([systemd/sd-daemon.h], [
|
||||
AC_DEFINE([USE_SYSTEMD], [1],
|
||||
[Define to 1 to enable systemd socket activation])
|
||||
AC_MSG_NOTICE([systemd support enabled])
|
||||
], [
|
||||
AC_MSG_NOTICE([systemd header not found])
|
||||
]) ], [
|
||||
AC_MSG_NOTICE([systemd library not found])
|
||||
])
|
||||
]
|
||||
)
|
||||
|
||||
# Disable use of libwrap (TCP wrappers)
|
||||
# it should be the last check!
|
||||
AC_MSG_CHECKING([whether to disable TCP wrappers library support])
|
||||
AC_MSG_CHECKING([whether to enable TCP wrappers support])
|
||||
AC_ARG_ENABLE(libwrap,
|
||||
[ --disable-libwrap Disable TCP wrappers library support],
|
||||
[ --disable-libwrap disable TCP wrappers support],
|
||||
[
|
||||
case "$enableval" in
|
||||
yes) AC_MSG_RESULT([no])
|
||||
AC_DEFINE([HAVE_LIBWRAP], [1], [Define to 1 if you have 'libwrap' library.])
|
||||
yes) AC_MSG_RESULT([yes])
|
||||
AC_DEFINE([USE_LIBWRAP], [1],
|
||||
[Define to 1 to enable TCP wrappers support])
|
||||
LIBS="$LIBS -lwrap"
|
||||
;;
|
||||
no) AC_MSG_RESULT([yes])
|
||||
no) AC_MSG_RESULT([no])
|
||||
;;
|
||||
*) AC_MSG_RESULT([error])
|
||||
AC_MSG_ERROR([Bad value \"${enableval}\"])
|
||||
|
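Review bot: in the new FIPS option block the `yes)` branch prints the wrong result: `yes) AC_MSG_RESULT([no])` is followed by `use_fips="yes"` and `AC_DEFINE([USE_FIPS], ...)`, so `./configure --enable-fips` reports `checking whether to enable FIPS support... no` while enabling it; change it to `AC_MSG_RESULT([yes])`, as the systemd and libwrap `yes)` branches below already do. A second pattern worth fixing across all three `--enable-*` handlers: the explicit `yes)` branches define `USE_SYSTEMD` after `AC_SEARCH_LIBS([sd_listen_fds], [systemd systemd-daemon])` with no failure action and no `systemd/sd-daemon.h` check, and define `USE_LIBWRAP` and append `-lwrap` with no link test at all, so an explicit enable on a host lacking the library fails at compile or link time instead of at configure time. Reuse the link and header checks from the autodetect branches and end with `AC_MSG_ERROR` when an explicitly requested feature is unavailable.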
@ -375,106 +377,83 @@ AC_ARG_ENABLE(libwrap,
|
|||
valid_LIBS="$LIBS"
|
||||
LIBS="$valid_LIBS -lwrap"
|
||||
AC_LINK_IFELSE(
|
||||
[AC_LANG_PROGRAM(
|
||||
[
|
||||
int hosts_access(); int allow_severity, deny_severity;
|
||||
],
|
||||
[
|
||||
hosts_access()
|
||||
]
|
||||
)],
|
||||
[AC_MSG_RESULT([yes]); AC_DEFINE([HAVE_LIBWRAP], [1], [Define to 1 if you have 'libwrap' library.])],
|
||||
[AC_MSG_RESULT([no]); LIBS="$valid_LIBS"]
|
||||
[
|
||||
AC_LANG_PROGRAM(
|
||||
[int hosts_access(); int allow_severity, deny_severity;],
|
||||
[hosts_access()])
|
||||
], [
|
||||
AC_MSG_RESULT([yes]);
|
||||
AC_DEFINE([USE_LIBWRAP], [1],
|
||||
[Define to 1 to enable TCP wrappers support])
|
||||
AC_MSG_NOTICE([libwrap support enabled])
|
||||
], [
|
||||
AC_MSG_RESULT([no])
|
||||
LIBS="$valid_LIBS"
|
||||
AC_MSG_NOTICE([libwrap library not found])
|
||||
]
|
||||
)
|
||||
]
|
||||
)
|
||||
|
||||
# FIPS Mode
|
||||
AC_MSG_CHECKING([whether to enable FIPS mode support])
|
||||
AC_ARG_ENABLE(fips,
|
||||
[ --enable-fips Enable OpenSSL FIPS mode],
|
||||
[
|
||||
case "$enableval" in
|
||||
yes) AC_MSG_RESULT([yes])
|
||||
sub_dirs="/ssl/fips /ssl/fips-1.0 /"
|
||||
fips="yes"
|
||||
AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS mode])
|
||||
;;
|
||||
no) AC_MSG_RESULT([no])
|
||||
sub_dirs="/ssl /openssl /"
|
||||
fips="no"
|
||||
;;
|
||||
*) AC_MSG_RESULT([error])
|
||||
AC_MSG_ERROR([bad value \"${enableval}\"])
|
||||
;;
|
||||
esac
|
||||
],
|
||||
[
|
||||
sub_dirs="/ssl/fips /ssl/fips-1.0 /ssl /openssl /"
|
||||
fips="auto"
|
||||
AC_MSG_RESULT([autodetecting])
|
||||
]
|
||||
)
|
||||
AC_MSG_NOTICE([**************************************** TLS])
|
||||
|
||||
AC_MSG_CHECKING([for compiler sysroot])
|
||||
if test "x$GCC" = "xyes"; then
|
||||
sysroot=`$CC --print-sysroot 2>/dev/null`
|
||||
fi
|
||||
if test -z "$sysroot" -o "x$sysroot" = "x/"; then
|
||||
sysroot=""
|
||||
AC_MSG_RESULT([/])
|
||||
else
|
||||
AC_MSG_RESULT([$sysroot])
|
||||
fi
|
||||
|
||||
AC_MSG_NOTICE([**************************************** SSL])
|
||||
check_ssl_dir() { :
|
||||
SSLDIR="$1"
|
||||
if test -f "$1/include/openssl/ssl.h"; then
|
||||
return 0
|
||||
fi
|
||||
return 1
|
||||
test -n "$1" -a -f "$1/include/openssl/ssl.h" && SSLDIR="$1"
|
||||
}
|
||||
|
||||
# Check for SSL directory
|
||||
AC_MSG_CHECKING([for SSL directory])
|
||||
AC_ARG_WITH(ssl,
|
||||
[ --with-ssl=DIR location of installed SSL libraries/include files],
|
||||
[
|
||||
check_ssl_dir "$withval"
|
||||
],
|
||||
[
|
||||
for main_dir in /usr/local /usr/lib /usr/pkg /opt/local /opt /usr; do
|
||||
for sub_dir in $sub_dirs; do
|
||||
check_ssl_dir "$main_dir$sub_dir" && break 2
|
||||
done
|
||||
find_ssl_dir() { :
|
||||
stunnel_prefix="$prefix"
|
||||
test "x$stunnel_prefix" = "xNONE" && stunnel_prefix=$ac_default_prefix
|
||||
for main_dir in "$stunnel_prefix" "/usr/local" "/usr/lib" "/usr/pkg" "/opt/local" "/opt" "/opt/csw" "/usr" ""; do
|
||||
for sub_dir in "/ssl" "/openssl" "/ossl" ""; do
|
||||
check_ssl_dir "$sysroot$main_dir$sub_dir" && return
|
||||
done
|
||||
]
|
||||
done
|
||||
if test -x "/usr/bin/xcrun"; then
|
||||
sdk_path=`/usr/bin/xcrun --sdk macosx --show-sdk-path`
|
||||
check_ssl_dir "$sdk_path/usr" && return
|
||||
fi
|
||||
check_ssl_dir "/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-migrator/sdk/MacOSX.sdk/usr"
|
||||
}
|
||||
|
||||
SSLDIR=""
|
||||
AC_MSG_CHECKING([for TLS directory])
|
||||
AC_ARG_WITH(ssl,
|
||||
[ --with-ssl=DIR location of installed TLS libraries/include files],
|
||||
[check_ssl_dir "$withval"],
|
||||
[find_ssl_dir]
|
||||
)
|
||||
if test ! -d "$SSLDIR"; then
|
||||
if test -z "$SSLDIR"; then
|
||||
AC_MSG_RESULT([not found])
|
||||
AC_MSG_ERROR([
|
||||
Couldn't find your SSL library installation dir
|
||||
Could not find your TLS library installation dir
|
||||
Use --with-ssl option to fix this problem
|
||||
])
|
||||
fi
|
||||
AC_MSG_RESULT([$SSLDIR])
|
||||
AC_SUBST([SSLDIR])
|
||||
AC_DEFINE_UNQUOTED([SSLDIR], ["$SSLDIR"], [SSL directory])
|
||||
AC_DEFINE_UNQUOTED([SSLDIR], ["$SSLDIR"], [TLS directory])
|
||||
|
||||
valid_CPPFLAGS="$CPPFLAGS"; CPPFLAGS="$CPPFLAGS -I$SSLDIR/include"
|
||||
valid_LIBS="$LIBS"; LIBS="$LIBS -L$SSLDIR/lib64 -L$SSLDIR/lib -lssl -lcrypto"
|
||||
|
||||
AC_CHECK_HEADER([$SSLDIR/include/openssl/engine.h],
|
||||
[AC_DEFINE([HAVE_OSSL_ENGINE_H], [1],
|
||||
[Define to 1 if you have <engine.h> header file.])],
|
||||
[AC_MSG_WARN([OpenSSL engine header not found])])
|
||||
|
||||
AC_CHECK_HEADER([$SSLDIR/include/openssl/ocsp.h],
|
||||
[AC_DEFINE([HAVE_OSSL_OCSP_H], [1],
|
||||
[Define to 1 if you have <ocsp.h> header file.])],
|
||||
[AC_MSG_WARN([OpenSSL ocsp header not found])])
|
||||
|
||||
AC_CHECK_HEADER([$SSLDIR/include/openssl/fips.h],
|
||||
[AC_DEFINE([HAVE_OSSL_FIPS_H], [1],
|
||||
[Define to 1 if you have <fips.h> header file.])],
|
||||
[AC_MSG_WARN([OpenSSL fips header not found])])
|
||||
|
||||
if test "$fips" = "auto"; then
|
||||
if test "x$use_fips" = "xauto"; then
|
||||
AC_CHECK_FUNCS(FIPS_mode_set, [
|
||||
AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS mode.])
|
||||
AC_MSG_NOTICE([FIPS mode detected])
|
||||
AC_DEFINE([USE_FIPS], [1], [Define to 1 to enable OpenSSL FIPS support])
|
||||
AC_MSG_NOTICE([FIPS support enabled])
|
||||
], [
|
||||
AC_MSG_NOTICE([FIPS mode not detected])
|
||||
AC_MSG_NOTICE([FIPS support not found])
|
||||
])
|
||||
fi
|
||||
|
||||
|
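Review bot: FIPS autodetection is a bare link test, `AC_CHECK_FUNCS(FIPS_mode_set, ...)`, and OpenSSL exports `FIPS_mode_set` from libcrypto even when it was built without the FIPS module (the call then simply fails with a "fips mode not supported" error at run time), so `use_fips="auto"` will define `USE_FIPS` on practically every 1.0.x/1.1.x installation. If the code guarded by `USE_FIPS` does more than call `FIPS_mode_set` and log the error, a stricter probe is needed, for example keying off `HAVE_OSSL_FIPS_H`, which the `<openssl/fips.h>` header check a few lines above already records, or an `AC_RUN_IFELSE` when `$cross_compiling` is no. Separately, `find_ssl_dir` ends with a hardcoded `/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-migrator/sdk/MacOSX.sdk/usr` path; that location is an implementation detail of one Xcode release, and the `xcrun --sdk macosx --show-sdk-path` probe just above it is the supported way to locate the SDK, so the literal path is better dropped or at least commented as a last-resort fallback.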
@ -482,8 +461,9 @@ CPPFLAGS="$valid_CPPFLAGS"
|
|||
LIBS="$valid_LIBS"
|
||||
|
||||
AC_MSG_NOTICE([**************************************** write the results])
|
||||
AC_CONFIG_FILES([Makefile src/Makefile src/stunnel3 doc/Makefile tools/Makefile tools/stunnel.conf-sample tools/stunnel.init tools/stunnel.service])
|
||||
AC_CONFIG_FILES([Makefile src/Makefile doc/Makefile tools/Makefile])
|
||||
AC_OUTPUT
|
||||
|
||||
AC_MSG_NOTICE([**************************************** success])
|
||||
# vim:ft=automake
|
||||
# End of configure.ac
|
||||
|
|
|
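Review bot: `src/stunnel3`, `tools/stunnel.conf-sample`, `tools/stunnel.init` and `tools/stunnel.service` leave `AC_CONFIG_FILES` here, so configure no longer substitutes `@bindir@`, `@sysconfdir@` and friends into them. That is only safe if the respective Makefile.am files now generate them the way doc/Makefile.am in this commit generates the man pages (an `edit = sed -e 's|@bindir[@]|$(bindir)|g' ...` rule applied to the `.in` templates); otherwise `make install` would ship templates with literal `@sysconfdir@` placeholders, which for the init script and the systemd unit means a non-working service definition. Please confirm the corresponding src/ and tools/ Makefile.am hunks carry those rules.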
@ -1,21 +1,35 @@
|
|||
## Process this file with automake to produce Makefile.in
|
||||
# by Michal Trojnara 2015-2017
|
||||
|
||||
EXTRA_DIST = stunnel.pod stunnel.pl.pod stunnel.fr.pod \
|
||||
stunnel.8 stunnel.pl.8 stunnel.fr.8 \
|
||||
stunnel.html stunnel.pl.html stunnel.fr.html en pl
|
||||
EXTRA_DIST = stunnel.pod.in stunnel.8.in stunnel.html.in en
|
||||
EXTRA_DIST += stunnel.pl.pod.in stunnel.pl.8.in stunnel.pl.html.in pl
|
||||
|
||||
man_MANS = stunnel.8 stunnel.pl.8 stunnel.fr.8
|
||||
man_MANS = stunnel.8 stunnel.pl.8
|
||||
|
||||
docdir = $(datadir)/doc/stunnel
|
||||
doc_DATA = stunnel.html stunnel.pl.html stunnel.fr.html
|
||||
doc_DATA = stunnel.html stunnel.pl.html
|
||||
|
||||
SUFFIXES = .pod .8 .html
|
||||
CLEANFILES = $(man_MANS) $(doc_DATA)
|
||||
|
||||
.pod.8:
|
||||
pod2man -u --section=8 --release=$(VERSION) --center=stunnel \
|
||||
--date=`date +%Y.%m.%d` $< $@
|
||||
SUFFIXES = .pod.in .8.in .html.in
|
||||
|
||||
.pod.html:
|
||||
pod2html --noindex --title stunnel.8 --infile=$< --outfile=$@
|
||||
.pod.in.8.in:
|
||||
pod2man -u -n stunnel -s 8 -r $(VERSION) \
|
||||
-c "stunnel TLS Proxy" -d `date +%Y.%m.%d` $< $@
|
||||
|
||||
.pod.in.html.in:
|
||||
pod2html --index --backlink --header \
|
||||
--title "stunnel TLS Proxy" --infile=$< --outfile=$@
|
||||
rm -f pod2htmd.tmp pod2htmi.tmp
|
||||
|
||||
edit = sed \
|
||||
-e 's|@bindir[@]|$(bindir)|g' \
|
||||
-e 's|@sysconfdir[@]|$(sysconfdir)|g'
|
||||
|
||||
$(man_MANS) $(doc_DATA): Makefile
|
||||
$(edit) '$(srcdir)/$@.in' >$@
|
||||
|
||||
stunnel.8: $(srcdir)/stunnel.8.in
|
||||
stunnel.html: $(srcdir)/stunnel.html.in
|
||||
stunnel.pl.8: $(srcdir)/stunnel.pl.8.in
|
||||
stunnel.pl.html: $(srcdir)/stunnel.pl.html.in
|
||||
|
|
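Review bot: the rule `$(man_MANS) $(doc_DATA): Makefile` redirects `$(edit) '$(srcdir)/$@.in' >$@` straight into the target, so a sed failure or an interrupted build leaves a truncated stunnel.8 or stunnel.html with a fresh timestamp that make treats as up to date on the next run; the usual autoconf idiom is `rm -f $@ $@.tmp`, write to `$@.tmp`, then `mv $@.tmp $@`, so only a complete file ever carries the target name. Two smaller points in the same hunk: the `-d` argument built from the backquoted `date +%Y.%m.%d` in the `.pod.in.8.in` rule stamps the regenerated stunnel.8.in with whatever day the maintainer ran pod2man, so two people regenerating from the same stunnel.pod.in get different files (a fixed release date, or one taken from SOURCE_DATE_EPOCH, keeps the shipped page reproducible); and the French translation (stunnel.fr.pod, stunnel.fr.8, stunnel.fr.html) disappears from EXTRA_DIST, man_MANS and doc_DATA, so the deletion of those source files should be visible in the same commit.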
216
doc/Makefile.in
|
@ -1,9 +1,8 @@
|
|||
# Makefile.in generated by automake 1.11.1 from Makefile.am.
|
||||
# Makefile.in generated by automake 1.14.1 from Makefile.am.
|
||||
# @configure_input@
|
||||
|
||||
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
|
||||
# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
|
||||
# Inc.
|
||||
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
|
||||
|
||||
# This Makefile.in is free software; the Free Software Foundation
|
||||
# gives unlimited permission to copy and/or distribute it,
|
||||
# with or without modifications, as long as this notice is preserved.
|
||||
|
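Review bot: this is a regenerated file (the header now says automake 1.14.1 where the old copy said 1.11.1), so the bulk of the hunks that follow is automake boilerplate rather than hand-written change; review them only for agreement with doc/Makefile.am, in particular the `$(edit) '$(srcdir)/$@.in' >$@` rule near the end, which reproduces the direct redirection into the target exactly as Makefile.am writes it. Any fix belongs in Makefile.am, since a hand edit here is lost the next time automake runs.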
@ -15,7 +14,54 @@
|
|||
|
||||
@SET_MAKE@
|
||||
|
||||
# by Michal Trojnara 2015-2017
|
||||
|
||||
VPATH = @srcdir@
|
||||
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
|
||||
am__make_running_with_option = \
|
||||
case $${target_option-} in \
|
||||
?) ;; \
|
||||
*) echo "am__make_running_with_option: internal error: invalid" \
|
||||
"target option '$${target_option-}' specified" >&2; \
|
||||
exit 1;; \
|
||||
esac; \
|
||||
has_opt=no; \
|
||||
sane_makeflags=$$MAKEFLAGS; \
|
||||
if $(am__is_gnu_make); then \
|
||||
sane_makeflags=$$MFLAGS; \
|
||||
else \
|
||||
case $$MAKEFLAGS in \
|
||||
*\\[\ \ ]*) \
|
||||
bs=\\; \
|
||||
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
|
||||
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
|
||||
esac; \
|
||||
fi; \
|
||||
skip_next=no; \
|
||||
strip_trailopt () \
|
||||
{ \
|
||||
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
|
||||
}; \
|
||||
for flg in $$sane_makeflags; do \
|
||||
test $$skip_next = yes && { skip_next=no; continue; }; \
|
||||
case $$flg in \
|
||||
*=*|--*) continue;; \
|
||||
-*I) strip_trailopt 'I'; skip_next=yes;; \
|
||||
-*I?*) strip_trailopt 'I';; \
|
||||
-*O) strip_trailopt 'O'; skip_next=yes;; \
|
||||
-*O?*) strip_trailopt 'O';; \
|
||||
-*l) strip_trailopt 'l'; skip_next=yes;; \
|
||||
-*l?*) strip_trailopt 'l';; \
|
||||
-[dEDm]) skip_next=yes;; \
|
||||
-[JT]) skip_next=yes;; \
|
||||
esac; \
|
||||
case $$flg in \
|
||||
*$$target_option*) has_opt=yes; break;; \
|
||||
esac; \
|
||||
done; \
|
||||
test $$has_opt = yes
|
||||
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
|
||||
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
|
||||
pkgdatadir = $(datadir)/@PACKAGE@
|
||||
pkgincludedir = $(includedir)/@PACKAGE@
|
||||
pkglibdir = $(libdir)/@PACKAGE@
|
||||
|
@ -35,7 +81,7 @@ POST_UNINSTALL = :
|
|||
build_triplet = @build@
|
||||
host_triplet = @host@
|
||||
subdir = doc
|
||||
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
|
||||
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
|
||||
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
|
||||
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
|
||||
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
|
||||
|
@ -47,8 +93,25 @@ mkinstalldirs = $(install_sh) -d
|
|||
CONFIG_HEADER = $(top_builddir)/src/config.h
|
||||
CONFIG_CLEAN_FILES =
|
||||
CONFIG_CLEAN_VPATH_FILES =
|
||||
AM_V_P = $(am__v_P_@AM_V@)
|
||||
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
|
||||
am__v_P_0 = false
|
||||
am__v_P_1 = :
|
||||
AM_V_GEN = $(am__v_GEN_@AM_V@)
|
||||
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
|
||||
am__v_GEN_0 = @echo " GEN " $@;
|
||||
am__v_GEN_1 =
|
||||
AM_V_at = $(am__v_at_@AM_V@)
|
||||
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
|
||||
am__v_at_0 = @
|
||||
am__v_at_1 =
|
||||
SOURCES =
|
||||
DIST_SOURCES =
|
||||
am__can_run_installinfo = \
|
||||
case $$AM_UPDATE_INFO_DIR in \
|
||||
n|no|NO) false;; \
|
||||
*) (install-info --version) >/dev/null 2>&1;; \
|
||||
esac
|
||||
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
|
||||
am__vpath_adj = case $$p in \
|
||||
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
|
||||
|
@ -70,14 +133,22 @@ am__nobase_list = $(am__nobase_strip_setup); \
|
|||
am__base_list = \
|
||||
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
|
||||
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
|
||||
am__uninstall_files_from_dir = { \
|
||||
test -z "$$files" \
|
||||
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|
||||
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
|
||||
$(am__cd) "$$dir" && rm -f $$files; }; \
|
||||
}
|
||||
man8dir = $(mandir)/man8
|
||||
am__installdirs = "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(docdir)"
|
||||
NROFF = nroff
|
||||
MANS = $(man_MANS)
|
||||
DATA = $(doc_DATA)
|
||||
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
|
||||
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
|
||||
ACLOCAL = @ACLOCAL@
|
||||
AMTAR = @AMTAR@
|
||||
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
|
||||
AR = @AR@
|
||||
AUTOCONF = @AUTOCONF@
|
||||
AUTOHEADER = @AUTOHEADER@
|
||||
|
@ -92,6 +163,7 @@ CYGPATH_W = @CYGPATH_W@
|
|||
DEFAULT_GROUP = @DEFAULT_GROUP@
|
||||
DEFS = @DEFS@
|
||||
DEPDIR = @DEPDIR@
|
||||
DLLTOOL = @DLLTOOL@
|
||||
DSYMUTIL = @DSYMUTIL@
|
||||
DUMPBIN = @DUMPBIN@
|
||||
ECHO_C = @ECHO_C@
|
||||
|
@ -116,6 +188,7 @@ LIPO = @LIPO@
|
|||
LN_S = @LN_S@
|
||||
LTLIBOBJS = @LTLIBOBJS@
|
||||
MAKEINFO = @MAKEINFO@
|
||||
MANIFEST_TOOL = @MANIFEST_TOOL@
|
||||
MKDIR_P = @MKDIR_P@
|
||||
NM = @NM@
|
||||
NMEDIT = @NMEDIT@
|
||||
|
@ -131,6 +204,9 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
|
|||
PACKAGE_URL = @PACKAGE_URL@
|
||||
PACKAGE_VERSION = @PACKAGE_VERSION@
|
||||
PATH_SEPARATOR = @PATH_SEPARATOR@
|
||||
PTHREAD_CC = @PTHREAD_CC@
|
||||
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
|
||||
PTHREAD_LIBS = @PTHREAD_LIBS@
|
||||
RANDOM_FILE = @RANDOM_FILE@
|
||||
RANLIB = @RANLIB@
|
||||
SED = @SED@
|
||||
|
@ -143,6 +219,7 @@ abs_builddir = @abs_builddir@
|
|||
abs_srcdir = @abs_srcdir@
|
||||
abs_top_builddir = @abs_top_builddir@
|
||||
abs_top_srcdir = @abs_top_srcdir@
|
||||
ac_ct_AR = @ac_ct_AR@
|
||||
ac_ct_CC = @ac_ct_CC@
|
||||
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
|
||||
am__include = @am__include@
|
||||
|
@ -150,6 +227,7 @@ am__leading_dot = @am__leading_dot@
|
|||
am__quote = @am__quote@
|
||||
am__tar = @am__tar@
|
||||
am__untar = @am__untar@
|
||||
ax_pthread_config = @ax_pthread_config@
|
||||
bindir = @bindir@
|
||||
build = @build@
|
||||
build_alias = @build_alias@
|
||||
|
@ -175,7 +253,6 @@ libdir = @libdir@
|
|||
libexecdir = @libexecdir@
|
||||
localedir = @localedir@
|
||||
localstatedir = @localstatedir@
|
||||
lt_ECHO = @lt_ECHO@
|
||||
mandir = @mandir@
|
||||
mkdir_p = @mkdir_p@
|
||||
oldincludedir = @oldincludedir@
|
||||
|
@ -183,28 +260,29 @@ pdfdir = @pdfdir@
|
|||
prefix = @prefix@
|
||||
program_transform_name = @program_transform_name@
|
||||
psdir = @psdir@
|
||||
runstatedir = @runstatedir@
|
||||
sbindir = @sbindir@
|
||||
sharedstatedir = @sharedstatedir@
|
||||
srcdir = @srcdir@
|
||||
stunnel_CFLAGS = @stunnel_CFLAGS@
|
||||
stunnel_LDFLAGF = @stunnel_LDFLAGF@
|
||||
stunnel_LDFLAGS = @stunnel_LDFLAGS@
|
||||
sysconfdir = @sysconfdir@
|
||||
target_alias = @target_alias@
|
||||
top_build_prefix = @top_build_prefix@
|
||||
top_builddir = @top_builddir@
|
||||
top_srcdir = @top_srcdir@
|
||||
EXTRA_DIST = stunnel.pod stunnel.pl.pod stunnel.fr.pod \
|
||||
stunnel.8 stunnel.pl.8 stunnel.fr.8 \
|
||||
stunnel.html stunnel.pl.html stunnel.fr.html en pl
|
||||
EXTRA_DIST = stunnel.pod.in stunnel.8.in stunnel.html.in en \
|
||||
stunnel.pl.pod.in stunnel.pl.8.in stunnel.pl.html.in pl
|
||||
man_MANS = stunnel.8 stunnel.pl.8
|
||||
doc_DATA = stunnel.html stunnel.pl.html
|
||||
CLEANFILES = $(man_MANS) $(doc_DATA)
|
||||
SUFFIXES = .pod.in .8.in .html.in
|
||||
edit = sed \
|
||||
-e 's|@bindir[@]|$(bindir)|g' \
|
||||
-e 's|@sysconfdir[@]|$(sysconfdir)|g'
|
||||
|
||||
man_MANS = stunnel.8 stunnel.pl.8 stunnel.fr.8
|
||||
doc_DATA = stunnel.html stunnel.pl.html stunnel.fr.html
|
||||
SUFFIXES = .pod .8 .html
|
||||
all: all-am
|
||||
|
||||
.SUFFIXES:
|
||||
.SUFFIXES: .pod .8 .html
|
||||
.SUFFIXES: .pod.in .8.in .html.in
|
||||
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
|
||||
@for dep in $?; do \
|
||||
case '$(am__configure_deps)' in \
|
||||
|
@ -243,11 +321,18 @@ clean-libtool:
|
|||
-rm -rf .libs _libs
|
||||
install-man8: $(man_MANS)
|
||||
@$(NORMAL_INSTALL)
|
||||
test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
|
||||
@list=''; test -n "$(man8dir)" || exit 0; \
|
||||
{ for i in $$list; do echo "$$i"; done; \
|
||||
l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
|
||||
sed -n '/\.8[a-z]*$$/p'; \
|
||||
@list1=''; \
|
||||
list2='$(man_MANS)'; \
|
||||
test -n "$(man8dir)" \
|
||||
&& test -n "`echo $$list1$$list2`" \
|
||||
|| exit 0; \
|
||||
echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
|
||||
$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
|
||||
{ for i in $$list1; do echo "$$i"; done; \
|
||||
if test -n "$$list2"; then \
|
||||
for i in $$list2; do echo "$$i"; done \
|
||||
| sed -n '/\.8[a-z]*$$/p'; \
|
||||
fi; \
|
||||
} | while read p; do \
|
||||
if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
|
||||
echo "$$d$$p"; echo "$$p"; \
|
||||
|
@ -276,13 +361,14 @@ uninstall-man8:
|
|||
sed -n '/\.8[a-z]*$$/p'; \
|
||||
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
|
||||
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
|
||||
test -z "$$files" || { \
|
||||
echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
|
||||
cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
|
||||
dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
|
||||
install-docDATA: $(doc_DATA)
|
||||
@$(NORMAL_INSTALL)
|
||||
test -z "$(docdir)" || $(MKDIR_P) "$(DESTDIR)$(docdir)"
|
||||
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
|
||||
if test -n "$$list"; then \
|
||||
echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \
|
||||
$(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \
|
||||
fi; \
|
||||
for p in $$list; do \
|
||||
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
|
||||
echo "$$d$$p"; \
|
||||
|
@ -296,30 +382,15 @@ uninstall-docDATA:
|
|||
@$(NORMAL_UNINSTALL)
|
||||
@list='$(doc_DATA)'; test -n "$(docdir)" || list=; \
|
||||
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
|
||||
test -n "$$files" || exit 0; \
|
||||
echo " ( cd '$(DESTDIR)$(docdir)' && rm -f" $$files ")"; \
|
||||
cd "$(DESTDIR)$(docdir)" && rm -f $$files
|
||||
tags: TAGS
|
||||
TAGS:
|
||||
dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir)
|
||||
tags TAGS:
|
||||
|
||||
ctags: CTAGS
|
||||
CTAGS:
|
||||
ctags CTAGS:
|
||||
|
||||
cscope cscopelist:
|
||||
|
||||
|
||||
distdir: $(DISTFILES)
|
||||
@list='$(MANS)'; if test -n "$$list"; then \
|
||||
list=`for p in $$list; do \
|
||||
if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
|
||||
if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
|
||||
if test -n "$$list" && \
|
||||
grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
|
||||
echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
|
||||
grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \
|
||||
echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \
|
||||
echo " typically \`make maintainer-clean' will remove them" >&2; \
|
||||
exit 1; \
|
||||
else :; fi; \
|
||||
else :; fi
|
||||
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
|
||||
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
|
||||
list='$(DISTFILES)'; \
|
||||
|
@ -366,13 +437,19 @@ install-am: all-am
|
|||
|
||||
installcheck: installcheck-am
|
||||
install-strip:
|
||||
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
|
||||
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
|
||||
`test -z '$(STRIP)' || \
|
||||
echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
|
||||
if test -z '$(STRIP)'; then \
|
||||
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
|
||||
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
|
||||
install; \
|
||||
else \
|
||||
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
|
||||
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
|
||||
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
|
||||
fi
|
||||
mostlyclean-generic:
|
||||
|
||||
clean-generic:
|
||||
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
|
||||
|
||||
distclean-generic:
|
||||
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
|
||||
|
@ -452,27 +529,36 @@ uninstall-man: uninstall-man8
|
|||
.MAKE: install-am install-strip
|
||||
|
||||
.PHONY: all all-am check check-am clean clean-generic clean-libtool \
|
||||
distclean distclean-generic distclean-libtool distdir dvi \
|
||||
dvi-am html html-am info info-am install install-am \
|
||||
install-data install-data-am install-docDATA install-dvi \
|
||||
install-dvi-am install-exec install-exec-am install-html \
|
||||
install-html-am install-info install-info-am install-man \
|
||||
install-man8 install-pdf install-pdf-am install-ps \
|
||||
install-ps-am install-strip installcheck installcheck-am \
|
||||
installdirs maintainer-clean maintainer-clean-generic \
|
||||
mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
|
||||
ps ps-am uninstall uninstall-am uninstall-docDATA \
|
||||
uninstall-man uninstall-man8
|
||||
cscopelist-am ctags-am distclean distclean-generic \
|
||||
distclean-libtool distdir dvi dvi-am html html-am info info-am \
|
||||
install install-am install-data install-data-am \
|
||||
install-docDATA install-dvi install-dvi-am install-exec \
|
||||
install-exec-am install-html install-html-am install-info \
|
||||
install-info-am install-man install-man8 install-pdf \
|
||||
install-pdf-am install-ps install-ps-am install-strip \
|
||||
installcheck installcheck-am installdirs maintainer-clean \
|
||||
maintainer-clean-generic mostlyclean mostlyclean-generic \
|
||||
mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \
|
||||
uninstall-am uninstall-docDATA uninstall-man uninstall-man8
|
||||
|
||||
|
||||
.pod.8:
|
||||
pod2man -u --section=8 --release=$(VERSION) --center=stunnel \
|
||||
--date=`date +%Y.%m.%d` $< $@
|
||||
.pod.in.8.in:
|
||||
pod2man -u -n stunnel -s 8 -r $(VERSION) \
|
||||
-c "stunnel TLS Proxy" -d `date +%Y.%m.%d` $< $@
|
||||
|
||||
.pod.html:
|
||||
pod2html --noindex --title stunnel.8 --infile=$< --outfile=$@
|
||||
.pod.in.html.in:
|
||||
pod2html --index --backlink --header \
|
||||
--title "stunnel TLS Proxy" --infile=$< --outfile=$@
|
||||
rm -f pod2htmd.tmp pod2htmi.tmp
|
||||
|
||||
$(man_MANS) $(doc_DATA): Makefile
|
||||
$(edit) '$(srcdir)/$@.in' >$@
|
||||
|
||||
stunnel.8: $(srcdir)/stunnel.8.in
|
||||
stunnel.html: $(srcdir)/stunnel.html.in
|
||||
stunnel.pl.8: $(srcdir)/stunnel.pl.8.in
|
||||
stunnel.pl.html: $(srcdir)/stunnel.pl.html.in
|
||||
|
||||
# Tell versions [3.59,3.63) of GNU make to not export all variables.
|
||||
# Otherwise a system limit (for SysV at least) may be exceeded.
|
||||
.NOEXPORT:
|
||||
|
|
|
@ -36,8 +36,8 @@ HOWTO and then we'll look at the theory behind all this.</P>
|
|||
<P STYLE="margin-bottom: 0cm"><BR>
|
||||
</P>
|
||||
<OL>
|
||||
<LI><P STYLE="margin-bottom: 0cm">Download and install openSSL,
|
||||
SSLEay, and Stunnel on the Linux/Unix box. Download the modules.</P>
|
||||
<LI><P STYLE="margin-bottom: 0cm">Download and install OpenSSL,
|
||||
SSLeay, and Stunnel on the Linux/Unix box. Download the modules.</P>
|
||||
</OL>
|
||||
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">a)
|
||||
[root@anthrax$]gunzip openssl-x.xx.tar.gz (repeat for all 3 the
|
||||
|
@ -52,7 +52,7 @@ modules)</P>
|
|||
save the file as VNCRegEdit.REG on the Windows 2000 box</P>
|
||||
</OL>
|
||||
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">--cut here and copy
|
||||
to VNCRegEdit.REG the double click file to
|
||||
to VNCRegEdit.REG then double click the file to
|
||||
import--<BR>REGEDIT4<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3]<BR>AllowLoopback=dword:00000001<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\Default]<BR>AllowLoopback=dword:00000001<BR>--stop
|
||||
here--<BR><BR>
|
||||
</P>
|
||||
|
@ -87,7 +87,7 @@ here--<BR><BR>
|
|||
execute the following command and let it run in its own terminal.</P>
|
||||
</OL>
|
||||
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">stunnel -d 5900 -r
|
||||
unix.ip.adress:5900 -c</P>
|
||||
unix.ip.address:5900 -c</P>
|
||||
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">.</P>
|
||||
<OL>
|
||||
<LI><P STYLE="margin-bottom: 0cm">And on the Windows 2000 machine
|
||||
|
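Review bot: the typo fix keeps a command form that the stunnel binary built by this tree does not accept: `stunnel -d 5900 -r unix.ip.address:5900 -c` (and `stunnel -d 5902 -r unix.ip.address:5902` in the next hunk) is stunnel 3 option syntax, while the SYNOPSIS of the stunnel.8 page removed further down lists only `stunnel [<filename>] | -fd n | -help | -version | -sockets`, i.e. a configuration file; as written the example only works through the stunnel3 compatibility wrapper (src/stunnel3 in configure.ac). Either state that dependency in the HOWTO or rewrite the example as a `[vnc]` service section with `client = yes`, `accept = 5900` and `connect = unix.ip.address:5900`. Note also that neither side enables peer certificate verification (the `verify` and `CApath` options described in stunnel.8), so the tunnel as shown protects the VNC session against eavesdropping but gives the client no assurance about which server it reached.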
@ -109,7 +109,7 @@ the window</P>
|
|||
2000 command as follows:
|
||||
</P>
|
||||
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">stunnel -d 5902 -r
|
||||
unix.ip.adress:5902</P>
|
||||
unix.ip.address:5902</P>
|
||||
<P STYLE="margin-left: 0.5cm; margin-bottom: 0cm">and remember to
|
||||
start another vncserver on the Linux box for each VNC display</P>
|
||||
<P STYLE="margin-bottom: 0cm"><BR>
|
||||
|
@ -165,11 +165,11 @@ desired "display" number.</P>
|
|||
<P STYLE="margin-bottom: 0cm"><BR>
|
||||
</P>
|
||||
<P STYLE="margin-bottom: 0cm">To connect from the client machine you
|
||||
need to enter the client machines IP address and the "display"
|
||||
need to enter the client machine's IP address and the "display"
|
||||
(from the port conversion). But VNC will think that you are trying to
|
||||
connect to the local machine and does not allow this. To override
|
||||
this add the following to you registry.<BR><BR>--cut here and copy to
|
||||
anything.reg. the double click file to
|
||||
this add the following to your registry.<BR><BR>--cut here and copy to
|
||||
anything.reg. then double click the file to
|
||||
import--<BR>REGEDIT4<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3]<BR>AllowLoopback=dword:00000001<BR><BR>[HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\Default]<BR>AllowLoopback=dword:00000001<BR>--stop
|
||||
here--<BR><BR>Now VNC will not complain. So you need to always run
|
||||
stunnel in client mode on the Windows machine and then connect with
|
||||
|
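Review bot: the corrected line still reads `anything.reg. then double click the file to`; the full stop after anything.reg splits the sentence before a lowercase `then`, so either drop it or start a new sentence there (`anything.reg. Then double click the file to import`). The `you registry` to `your registry` change on the preceding line is fine.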
@ -182,9 +182,9 @@ way, *NIX doesn't complain about this. There is no setting needed if
|
|||
<P STYLE="margin-bottom: 0cm"><BR>
|
||||
</P>
|
||||
<P STYLE="margin-bottom: 0cm">Unfortunately this will not work well
|
||||
with the build in web version. If you did not known about it, try
|
||||
with the built-in web version. If you did not known about it, try
|
||||
http'ing into a machine running VNC server on it, to port 58XX (where
|
||||
XX is the display number), and the Java client will be loaded.<BR><BR>
|
||||
</P>
|
||||
</BODY>
|
||||
</HTML>
|
||||
</HTML>
|
||||
|
|
|
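Review bot: `If you did not known about it` survives on the same line that fixes `build in` to `built-in`; it should read `If you did not know about it`. The final pair of `</HTML>` lines shows no visible difference, so presumably only the missing newline at end of file was added; that is fine as it stands.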
@ -93,7 +93,7 @@ private key</I>
|
|||
# private random number file</I>
|
||||
<BR><I> </I>
|
||||
<BR><I>x509_extensions = usr_cert
|
||||
# The extentions to add to the cert</I>
|
||||
# The extensions to add to the cert</I>
|
||||
<BR><I>crl_extensions = crl_ext
|
||||
# Extensions to add to CRL</I>
|
||||
<BR><I>default_days = 365
|
||||
|
@ -147,7 +147,7 @@ look</I>
|
|||
<BR><I>distinguished_name = req_distinguished_name</I>
|
||||
<BR><I>attributes
|
||||
= req_attributes</I>
|
||||
<BR><I>x509_extensions = v3_ca # The extentions to add to the self signed
|
||||
<BR><I>x509_extensions = v3_ca # The extensions to add to the self signed
|
||||
cert</I>
|
||||
<BR><I> </I>
|
||||
<BR><I>[ req_distinguished_name ]</I>
|
||||
|
|
993
doc/stunnel.8
|
@ -1,993 +0,0 @@
|
|||
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
|
||||
.\"
|
||||
.\" Standard preamble:
|
||||
.\" ========================================================================
|
||||
.de Sp \" Vertical space (when we can't use .PP)
|
||||
.if t .sp .5v
|
||||
.if n .sp
|
||||
..
|
||||
.de Vb \" Begin verbatim text
|
||||
.ft CW
|
||||
.nf
|
||||
.ne \\$1
|
||||
..
|
||||
.de Ve \" End verbatim text
|
||||
.ft R
|
||||
.fi
|
||||
..
|
||||
.\" Set up some character translations and predefined strings. \*(-- will
|
||||
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
|
||||
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
|
||||
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
|
||||
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
|
||||
.\" nothing in troff, for use with C<>.
|
||||
.tr \(*W-
|
||||
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
|
||||
.ie n \{\
|
||||
. ds -- \(*W-
|
||||
. ds PI pi
|
||||
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
|
||||
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
|
||||
. ds L" ""
|
||||
. ds R" ""
|
||||
. ds C` ""
|
||||
. ds C' ""
|
||||
'br\}
|
||||
.el\{\
|
||||
. ds -- \|\(em\|
|
||||
. ds PI \(*p
|
||||
. ds L" ``
|
||||
. ds R" ''
|
||||
'br\}
|
||||
.\"
|
||||
.\" Escape single quotes in literal strings from groff's Unicode transform.
|
||||
.ie \n(.g .ds Aq \(aq
|
||||
.el .ds Aq '
|
||||
.\"
|
||||
.\" If the F register is turned on, we'll generate index entries on stderr for
|
||||
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
|
||||
.\" entries marked with X<> in POD. Of course, you'll have to process the
|
||||
.\" output yourself in some meaningful fashion.
|
||||
.ie \nF \{\
|
||||
. de IX
|
||||
. tm Index:\\$1\t\\n%\t"\\$2"
|
||||
..
|
||||
. nr % 0
|
||||
. rr F
|
||||
.\}
|
||||
.el \{\
|
||||
. de IX
|
||||
..
|
||||
.\}
|
||||
.\" ========================================================================
|
||||
.\"
|
||||
.IX Title "STUNNEL 8"
|
||||
.TH STUNNEL 8 "2013.03.20" "4.56" "stunnel"
|
||||
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
|
||||
.\" way too many mistakes in technical documents.
|
||||
.if n .ad l
|
||||
.nh
|
||||
.SH "NAME"
|
||||
stunnel \- universal SSL tunnel
|
||||
.SH "SYNOPSIS"
|
||||
.IX Header "SYNOPSIS"
|
||||
.IP "\fBUnix:\fR" 4
|
||||
.IX Item "Unix:"
|
||||
\&\fBstunnel\fR [<filename>] | \-fd n | \-help | \-version | \-sockets
|
||||
.IP "\fB\s-1WIN32:\s0\fR" 4
|
||||
.IX Item "WIN32:"
|
||||
\&\fBstunnel\fR [ [\-install | \-uninstall | \-start | \-stop] | \-exit]
|
||||
[\-quiet] [<filename>] ] | \-help | \-version | \-sockets
|
||||
.SH "DESCRIPTION"
|
||||
.IX Header "DESCRIPTION"
|
||||
The \fBstunnel\fR program is designed to work as \fI\s-1SSL\s0\fR encryption wrapper
|
||||
between remote clients and local (\fIinetd\fR\-startable) or remote
|
||||
servers. The concept is that having non-SSL aware daemons running on
|
||||
your system you can easily set them up to communicate with clients over
|
||||
secure \s-1SSL\s0 channels.
|
||||
.PP
|
||||
\&\fBstunnel\fR can be used to add \s-1SSL\s0 functionality to commonly used \fIInetd\fR
|
||||
daemons like \s-1POP\-2\s0, \s-1POP\-3\s0, and \s-1IMAP\s0 servers, to standalone daemons like
|
||||
\&\s-1NNTP\s0, \s-1SMTP\s0 and \s-1HTTP\s0, and in tunneling \s-1PPP\s0 over network sockets without
|
||||
changes to the source code.
|
||||
.PP
|
||||
This product includes cryptographic software written by
|
||||
Eric Young (eay@cryptsoft.com)
|
||||
.SH "OPTIONS"
|
||||
.IX Header "OPTIONS"
|
||||
.IP "<\fBfilename\fR>" 4
|
||||
.IX Item "<filename>"
|
||||
Use specified configuration file
|
||||
.IP "\fB\-fd n\fR (Unix only)" 4
|
||||
.IX Item "-fd n (Unix only)"
|
||||
Read the config file from specified file descriptor
|
||||
.IP "\fB\-help\fR" 4
|
||||
.IX Item "-help"
|
||||
Print \fBstunnel\fR help menu
|
||||
.IP "\fB\-version\fR" 4
|
||||
.IX Item "-version"
|
||||
Print \fBstunnel\fR version and compile time defaults
|
||||
.IP "\fB\-sockets\fR" 4
|
||||
.IX Item "-sockets"
|
||||
Print default socket options
|
||||
.IP "\fB\-install\fR (\s-1NT/2000/XP\s0 only)" 4
|
||||
.IX Item "-install (NT/2000/XP only)"
|
||||
Install \s-1NT\s0 Service
|
||||
.IP "\fB\-uninstall\fR (\s-1NT/2000/XP\s0 only)" 4
|
||||
.IX Item "-uninstall (NT/2000/XP only)"
|
||||
Uninstall \s-1NT\s0 Service
|
||||
.IP "\fB\-start\fR (\s-1NT/2000/XP\s0 only)" 4
|
||||
.IX Item "-start (NT/2000/XP only)"
|
||||
Start \s-1NT\s0 Service
|
||||
.IP "\fB\-stop\fR (\s-1NT/2000/XP\s0 only)" 4
|
||||
.IX Item "-stop (NT/2000/XP only)"
|
||||
Stop \s-1NT\s0 Service
|
||||
.IP "\fB\-exit\fR (Win32 only)" 4
|
||||
.IX Item "-exit (Win32 only)"
|
||||
Exit an already started stunnel
|
||||
.IP "\fB\-quiet\fR (\s-1NT/2000/XP\s0 only)" 4
|
||||
.IX Item "-quiet (NT/2000/XP only)"
|
||||
Don't display any message boxes
|
||||
.SH "CONFIGURATION FILE"
|
||||
.IX Header "CONFIGURATION FILE"
|
||||
Each line of the configuration file can be either:
|
||||
.IP "\(bu" 4
|
||||
An empty line (ignored).
|
||||
.IP "\(bu" 4
|
||||
A comment starting with ';' (ignored).
|
||||
.IP "\(bu" 4
|
||||
An 'option_name = option_value' pair.
|
||||
.IP "\(bu" 4
|
||||
\&'[service_name]' indicating a start of a service definition.
|
||||
.PP
|
||||
An address parameter of an option may be either:
|
||||
.IP "\(bu" 4
|
||||
A port number.
|
||||
.IP "\(bu" 4
|
||||
A colon-separated pair of \s-1IP\s0 address (either IPv4, IPv6, or domain name) and port number.
|
||||
.IP "\(bu" 4
|
||||
A Unix socket path (Unix only).
|
||||
.SS "\s-1GLOBAL\s0 \s-1OPTIONS\s0"
|
||||
.IX Subsection "GLOBAL OPTIONS"
|
||||
.IP "\fBchroot\fR = directory (Unix only)" 4
|
||||
.IX Item "chroot = directory (Unix only)"
|
||||
directory to chroot \fBstunnel\fR process
|
||||
.Sp
|
||||
\&\fBchroot\fR keeps \fBstunnel\fR in chrooted jail. \fICApath\fR, \fICRLpath\fR, \fIpid\fR
|
||||
and \fIexec\fR are located inside the jail and the patches have to be relative
|
||||
to the directory specified with \fBchroot\fR.
|
||||
.Sp
|
||||
Several functions of the operating system also need their files to be located within chroot jail, e.g.:
|
||||
.RS 4
|
||||
.IP "\(bu" 4
|
||||
Delayed resolver typically needs /etc/nsswitch.conf and /etc/resolv.conf.
|
||||
.IP "\(bu" 4
|
||||
Local time in log files needs /etc/timezone.
|
||||
.IP "\(bu" 4
|
||||
Some other functions may need devices, e.g. /dev/zero or /dev/null.
|
||||
.RE
|
||||
.RS 4
|
||||
.RE
|
||||
.IP "\fBcompression\fR = deflate | zlib | rle" 4
|
||||
.IX Item "compression = deflate | zlib | rle"
|
||||
select data compression algorithm
|
||||
.Sp
|
||||
default: no compression
|
||||
.Sp
|
||||
deflate is the standard compression method as described in \s-1RFC\s0 1951.
|
||||
.Sp
|
||||
zlib compression of \fBOpenSSL 0.9.8\fR or above is not backward compatible with
|
||||
\&\fBOpenSSL 0.9.7\fR.
|
||||
.Sp
|
||||
rle compression is currently not implemented by the \fBOpenSSL\fR library.
|
||||
.IP "\fBdebug\fR = [facility.]level" 4
|
||||
.IX Item "debug = [facility.]level"
|
||||
debugging level
|
||||
.Sp
|
||||
Level is a one of the syslog level names or numbers
|
||||
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
|
||||
info (6), or debug (7). All logs for the specified level and
|
||||
all levels numerically less than it will be shown. Use \fIdebug = debug\fR or
|
||||
\&\fIdebug = 7\fR for greatest debugging output. The default is notice (5).
|
||||
.Sp
|
||||
The syslog facility 'daemon' will be used unless a facility name is supplied.
|
||||
(Facilities are not supported on Win32.)
|
||||
.Sp
|
||||
Case is ignored for both facilities and levels.
|
||||
.IP "\fB\s-1EGD\s0\fR = egd path (Unix only)" 4
|
||||
.IX Item "EGD = egd path (Unix only)"
|
||||
path to Entropy Gathering Daemon socket
|
||||
.Sp
|
||||
Entropy Gathering Daemon socket to use to feed \fBOpenSSL\fR random number
|
||||
generator. (Available only if compiled with \fBOpenSSL 0.9.5a\fR or higher)
|
||||
.IP "\fBengine\fR = auto | <engine id>" 4
|
||||
.IX Item "engine = auto | <engine id>"
|
||||
select hardware engine
|
||||
.Sp
|
||||
default: software-only cryptography
|
||||
.Sp
|
||||
Here is an example of advanced engine configuration to read private key from an
|
||||
OpenSC engine
|
||||
.Sp
|
||||
.Vb 7
|
||||
\& engine=dynamic
|
||||
\& engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so
|
||||
\& engineCtrl=ID:pkcs11
|
||||
\& engineCtrl=LIST_ADD:1
|
||||
\& engineCtrl=LOAD
|
||||
\& engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc\-pkcs11.so
|
||||
\& engineCtrl=INIT
|
||||
\&
|
||||
\& [service]
|
||||
\& engineNum=1
|
||||
\& key=id_45
|
||||
.Ve
|
||||
.IP "\fBengineCtrl\fR = command[:parameter]" 4
|
||||
.IX Item "engineCtrl = command[:parameter]"
|
||||
control hardware engine
|
||||
.Sp
|
||||
Special commands \*(L"\s-1LOAD\s0\*(R" and \*(L"\s-1INIT\s0\*(R" can be used to load and initialize the
|
||||
engine cryptogaphic module.
|
||||
.IP "\fBfips\fR = yes | no" 4
|
||||
.IX Item "fips = yes | no"
|
||||
Enable or disable \s-1FIPS\s0 140\-2 mode.
|
||||
.Sp
|
||||
This option allows to disable entering \s-1FIPS\s0 mode if \fBstunnel\fR was compiled
|
||||
with \s-1FIPS\s0 140\-2 support.
|
||||
.Sp
|
||||
default: yes
|
||||
.IP "\fBforeground\fR = yes | no (Unix only)" 4
|
||||
.IX Item "foreground = yes | no (Unix only)"
|
||||
foreground mode
|
||||
.Sp
|
||||
Stay in foreground (don't fork) and log to stderr
|
||||
instead of via syslog (unless \fIoutput\fR is specified).
|
||||
.Sp
|
||||
default: background in daemon mode
|
||||
.IP "\fBoutput\fR = file" 4
|
||||
.IX Item "output = file"
|
||||
append log messages to a file
|
||||
.Sp
|
||||
/dev/stdout device can be used to send log messages to the standard
|
||||
output (for example to log them with daemontools splogger).
|
||||
.IP "\fBpid\fR = file (Unix only)" 4
|
||||
.IX Item "pid = file (Unix only)"
|
||||
pid file location
|
||||
.Sp
|
||||
If the argument is empty, then no pid file will be created.
.Sp
\&\fIpid\fR path is relative to \fIchroot\fR directory if specified.
.IP "\fBRNDbytes\fR = bytes" 4
.IX Item "RNDbytes = bytes"
bytes to read from random seed files
.Sp
Number of bytes of data read from random seed files. With \s-1SSL\s0 versions less
than \fB0.9.5a\fR, also determines how many bytes of data are considered
sufficient to seed the \s-1PRNG\s0. More recent \fBOpenSSL\fR versions have a builtin
function to determine when sufficient randomness is available.
.IP "\fBRNDfile\fR = file" 4
.IX Item "RNDfile = file"
path to file with random seed data
.Sp
The \s-1SSL\s0 library will use data from this file first to seed the random
number generator.
.IP "\fBRNDoverwrite\fR = yes | no" 4
.IX Item "RNDoverwrite = yes | no"
overwrite the random seed files with new random data
.Sp
default: yes
.IP "\fBservice\fR = servicename (Unix only)" 4
.IX Item "service = servicename (Unix only)"
use specified string as \fIinetd\fR mode service name for \s-1TCP\s0 Wrapper library
.Sp
default: stunnel
.IP "\fBsetgid\fR = groupname (Unix only)" 4
.IX Item "setgid = groupname (Unix only)"
\&\fIsetgid()\fR to groupname in daemon mode and clears all other groups
.IP "\fBsetuid\fR = username (Unix only)" 4
.IX Item "setuid = username (Unix only)"
\&\fIsetuid()\fR to username in daemon mode
.IP "\fBsocket\fR = a|l|r:option=value[:value]" 4
.IX Item "socket = a|l|r:option=value[:value]"
Set an option on accept/local/remote socket
.Sp
The values for linger option are l_onof:l_linger.
The values for time are tv_sec:tv_usec.
.Sp
Examples:
.Sp
.Vb 9
\& socket = l:SO_LINGER=1:60
\& set one minute timeout for closing local socket
\& socket = r:SO_OOBINLINE=yes
\& place out\-of\-band data directly into the
\& receive data stream for remote sockets
\& socket = a:SO_REUSEADDR=no
\& disable address reuse (enabled by default)
\& socket = a:SO_BINDTODEVICE=lo
\& only accept connections on loopback interface
.Ve
.IP "\fBsyslog\fR = yes | no (Unix only)" 4
.IX Item "syslog = yes | no (Unix only)"
enable logging via syslog
.Sp
default: yes
.IP "\fBtaskbar\fR = yes | no (\s-1WIN32\s0 only)" 4
.IX Item "taskbar = yes | no (WIN32 only)"
enable the taskbar icon
.Sp
default: yes
.SS "SERVICE-LEVEL \s-1OPTIONS\s0"
.IX Subsection "SERVICE-LEVEL OPTIONS"
Each configuration section begins with service name in square brackets.
The service name is used for libwrap (\s-1TCP\s0 Wrappers) access control and lets
you distinguish \fBstunnel\fR services in your log files.
.PP
Note that if you wish to run \fBstunnel\fR in \fIinetd\fR mode (where it
is provided a network socket by a server such as \fIinetd\fR, \fIxinetd\fR,
or \fItcpserver\fR) then you should read the section entitled \fI\s-1INETD\s0 \s-1MODE\s0\fR
below.
.IP "\fBaccept\fR = address" 4
.IX Item "accept = address"
accept connections on specified address
.Sp
If no host specified, defaults to all IPv4 addresses for the local host.
.Sp
To listen on all IPv6 addresses use:
.Sp
.Vb 1
\& connect = :::port
.Ve
.IP "\fBCApath\fR = directory" 4
.IX Item "CApath = directory"
Certificate Authority directory
.Sp
This is the directory in which \fBstunnel\fR will look for certificates when using
the \fIverify\fR. Note that the certificates in this directory should be named
\&\s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1DER\s0 encoded subject of the
cert.
.Sp
The hash algorithm has been changed in \fBOpenSSL 1.0.0\fR. It is required to
c_rehash the directory on upgrade from \fBOpenSSL 0.x.x\fR to \fBOpenSSL 1.x.x\fR.
.Sp
\&\fICApath\fR path is relative to \fIchroot\fR directory if specified.
.IP "\fBCAfile\fR = certfile" 4
.IX Item "CAfile = certfile"
Certificate Authority file
.Sp
This file contains multiple \s-1CA\s0 certificates, used with the \fIverify\fR.
.IP "\fBcert\fR = pemfile" 4
.IX Item "cert = pemfile"
certificate chain \s-1PEM\s0 file name
.Sp
A \s-1PEM\s0 is always needed in server mode.
Specifying this flag in client mode will use this certificate chain
as a client side certificate chain. Using client side certs is optional.
The certificates must be in \s-1PEM\s0 format and must be sorted starting with the
certificate to the highest level (root \s-1CA\s0).
.IP "\fBciphers\fR = cipherlist" 4
.IX Item "ciphers = cipherlist"
Select permitted \s-1SSL\s0 ciphers
.Sp
A colon delimited list of the ciphers to allow in the \s-1SSL\s0 connection.
For example \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
.IP "\fBclient\fR = yes | no" 4
.IX Item "client = yes | no"
client mode (remote service uses \s-1SSL\s0)
.Sp
default: no (server mode)
.IP "\fBconnect\fR = address" 4
.IX Item "connect = address"
connect to a remote address
.Sp
If no host is specified, the host defaults to localhost.
.Sp
Multiple \fBconnect\fR options are allowed in a single service section.
.Sp
If host resolves to multiple addresses and/or if multiple \fIconnect\fR
options are specified, then the remote address is chosen using a
round-robin algorithm.
.IP "\fBCRLpath\fR = directory" 4
.IX Item "CRLpath = directory"
Certificate Revocation Lists directory
.Sp
This is the directory in which \fBstunnel\fR will look for CRLs when
using the \fIverify\fR. Note that the CRLs in this directory should
be named \s-1XXXXXXXX\s0.r0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1CRL\s0.
.Sp
The hash algorithm has been changed in \fBOpenSSL 1.0.0\fR. It is required to
c_rehash the directory on upgrade from \fBOpenSSL 0.x.x\fR to \fBOpenSSL 1.x.x\fR.
.Sp
\&\fICRLpath\fR path is relative to \fIchroot\fR directory if specified.
.IP "\fBCRLfile\fR = certfile" 4
.IX Item "CRLfile = certfile"
Certificate Revocation Lists file
.Sp
This file contains multiple CRLs, used with the \fIverify\fR.
.IP "\fBcurve\fR = nid" 4
.IX Item "curve = nid"
specify \s-1ECDH\s0 curve name
.Sp
To get a list of supported cuves use:
.Sp
.Vb 1
\& openssl ecparam \-list_curves
.Ve
.Sp
default: prime256v1
.IP "\fBdelay\fR = yes | no" 4
.IX Item "delay = yes | no"
delay \s-1DNS\s0 lookup for 'connect' option
.Sp
This option is useful for dynamic \s-1DNS\s0, or when \s-1DNS\s0 is not available during
\&\fBstunnel\fR startup (road warrior \s-1VPN\s0, dial-up configurations).
.IP "\fBengineNum\fR = engine number" 4
.IX Item "engineNum = engine number"
select engine number to read private key
.Sp
The engines are numbered starting from 1.
.IP "\fBexec\fR = executable_path" 4
.IX Item "exec = executable_path"
execute local inetd-type program
.Sp
\&\fIexec\fR path is relative to \fIchroot\fR directory if specified.
.ie n .IP "\fBexecargs\fR = $0 $1 $2 ..." 4
.el .IP "\fBexecargs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ..." 4
.IX Item "execargs = $0 $1 $2 ..."
arguments for \fIexec\fR including program name ($0)
.Sp
Quoting is currently not supported.
Arguments are separated with arbitrary number of whitespaces.
.IP "\fBfailover\fR = rr | prio" 4
.IX Item "failover = rr | prio"
Failover strategy for multiple \*(L"connect\*(R" targets.
.Sp
.Vb 2
\& rr (round robin) \- fair load distribution
\& prio (priority) \- use the order specified in config file
.Ve
.Sp
default: rr
.IP "\fBident\fR = username" 4
.IX Item "ident = username"
use \s-1IDENT\s0 (\s-1RFC\s0 1413) username checking
.IP "\fBkey\fR = keyfile" 4
.IX Item "key = keyfile"
private key for certificate specified with \fIcert\fR option
.Sp
Private key is needed to authenticate certificate owner.
Since this file should be kept secret it should only be readable
to its owner. On Unix systems you can use the following command:
.Sp
.Vb 1
\& chmod 600 keyfile
.Ve
.Sp
default: value of \fIcert\fR option
.IP "\fBlibwrap\fR = yes | no" 4
.IX Item "libwrap = yes | no"
Enable or disable the use of /etc/hosts.allow and /etc/hosts.deny.
.Sp
default: yes
.IP "\fBlocal\fR = host" 4
.IX Item "local = host"
\&\s-1IP\s0 of the outgoing interface is used as source for remote connections.
Use this option to bind a static local \s-1IP\s0 address, instead.
.IP "\fBsni\fR = service_name:server_name_pattern (server mode)" 4
.IX Item "sni = service_name:server_name_pattern (server mode)"
Use the service as a slave service (a name-based virtual server) for Server
Name Indication \s-1TLS\s0 extension (\s-1RFC\s0 3546).
.Sp
\&\fIservice_name\fR specifies the master service that accepts client connections
with \fIaccept\fR option. \fIserver_name_pattern\fR specifies the host name to be
redirected. The pattern may start with '*' character, e.g. '*.example.com'.
Multiple slave services are normally specified for a single master service.
\&\fIsni\fR option can also be specified more than once within a single slave
service.
.Sp
This service, as well as the master service, may not be configured in client
mode.
.Sp
\&\fIconnect\fR option of the slave service is ignored when \fIprotocol\fR option is
specified, as \fIprotocol\fR connects remote host before \s-1TLS\s0 handshake.
.Sp
Libwrap checks (Unix only) are performed twice: with master service name after
\&\s-1TCP\s0 connection is accepted, and with slave service name during \s-1TLS\s0 handshake.
.Sp
Option \fIsni\fR is only available when compiled with \fBOpenSSL 1.0.0\fR and later.
.IP "\fBsni\fR = server_name (client mode)" 4
.IX Item "sni = server_name (client mode)"
Use the parameter as the value of \s-1TLS\s0 Server Name Indication (\s-1RFC\s0 3546)
extension.
.Sp
Option \fIsni\fR is only available when compiled with \fBOpenSSL 1.0.0\fR and later.
.IP "\fB\s-1OCSP\s0\fR = url" 4
.IX Item "OCSP = url"
select \s-1OCSP\s0 server for certificate verification
.IP "\fBOCSPflag\fR = flag" 4
.IX Item "OCSPflag = flag"
specify \s-1OCSP\s0 server flag
.Sp
Several \fIOCSPflag\fR can be used to specify multiple flags.
.Sp
currently supported flags: \s-1NOCERTS\s0, \s-1NOINTERN\s0 \s-1NOSIGS\s0, \s-1NOCHAIN\s0, \s-1NOVERIFY\s0,
\&\s-1NOEXPLICIT\s0, \s-1NOCASIGN\s0, \s-1NODELEGATED\s0, \s-1NOCHECKS\s0, \s-1TRUSTOTHER\s0, \s-1RESPID_KEY\s0, \s-1NOTIME\s0
.IP "\fBoptions\fR = SSL_options" 4
.IX Item "options = SSL_options"
\&\fBOpenSSL\fR library options
.Sp
The parameter is the \fBOpenSSL\fR option name as described in the
\&\fI\fISSL_CTX_set_options\fI\|(3ssl)\fR manual, but without \fI\s-1SSL_OP_\s0\fR prefix.
Several \fIoptions\fR can be used to specify multiple options.
.Sp
For example for compatibility with erroneous Eudora \s-1SSL\s0 implementation
the following option can be used:
.Sp
.Vb 1
\& options = DONT_INSERT_EMPTY_FRAGMENTS
.Ve
.IP "\fBprotocol\fR = proto" 4
.IX Item "protocol = proto"
application protocol to negotiate \s-1SSL\s0
.Sp
This option enables initial, protocol-specific negotiation of the \s-1SSL/TLS\s0
encryption.
\&\fIprotocol\fR option should not be used with \s-1SSL\s0 encryption on a separate port.
.Sp
Currently supported protocols:
.RS 4
.IP "\fIcifs\fR" 4
.IX Item "cifs"
Proprietary (undocummented) extension of \s-1CIFS\s0 protocol implemented in Samba.
Support for this extension was dropped in Samba 3.0.0.
.IP "\fIconnect\fR" 4
.IX Item "connect"
Based on \s-1RFC\s0 2817 \- \fIUpgrading to \s-1TLS\s0 Within \s-1HTTP/1\s0.1\fR, section 5.2 \- \fIRequesting a Tunnel with \s-1CONNECT\s0\fR
.Sp
This protocol is only supported in client mode.
.IP "\fIimap\fR" 4
.IX Item "imap"
Based on \s-1RFC\s0 2595 \- \fIUsing \s-1TLS\s0 with \s-1IMAP\s0, \s-1POP3\s0 and \s-1ACAP\s0\fR
.IP "\fInntp\fR" 4
.IX Item "nntp"
Based on \s-1RFC\s0 4642 \- \fIUsing Transport Layer Security (\s-1TLS\s0) with Network News Transfer Protocol (\s-1NNTP\s0)\fR
.Sp
This protocol is only supported in client mode.
.IP "\fIpgsql\fR" 4
.IX Item "pgsql"
Based on http://www.postgresql.org/docs/8.3/static/protocol\-flow.html#AEN73982
.IP "\fIpop3\fR" 4
.IX Item "pop3"
Based on \s-1RFC\s0 2449 \- \fI\s-1POP3\s0 Extension Mechanism\fR
.IP "\fIproxy\fR" 4
.IX Item "proxy"
Haproxy client \s-1IP\s0 address http://haproxy.1wt.eu/download/1.5/doc/proxy\-protocol.txt
.IP "\fIsmtp\fR" 4
.IX Item "smtp"
Based on \s-1RFC\s0 2487 \- \fI\s-1SMTP\s0 Service Extension for Secure \s-1SMTP\s0 over \s-1TLS\s0\fR
.RE
.RS 4
.RE
.IP "\fBprotocolAuthentication\fR = auth_type" 4
.IX Item "protocolAuthentication = auth_type"
authentication type for protocol negotiations
.Sp
currently supported: basic, \s-1NTLM\s0
.Sp
Currently authentication type only applies to the 'connect' protocol.
.Sp
default: basic
.IP "\fBprotocolHost\fR = host:port" 4
.IX Item "protocolHost = host:port"
destination address for protocol negotiations
.Sp
\&\fIprotocolHost\fR specifies the final \s-1SSL\s0 server to be connected by the proxy,
and not the proxy server directly connected by \fBstunnel\fR.
The proxy server should be specified with the 'connect' option.
.Sp
Currently protocol destination address only applies to 'connect' protocol.
.IP "\fBprotocolPassword\fR = password" 4
.IX Item "protocolPassword = password"
password for protocol negotiations
.IP "\fBprotocolUsername\fR = username" 4
.IX Item "protocolUsername = username"
username for protocol negotiations
.IP "\fBpty\fR = yes | no (Unix only)" 4
.IX Item "pty = yes | no (Unix only)"
allocate pseudo terminal for 'exec' option
.IP "\fBrenegotiation\fR = yes | no" 4
.IX Item "renegotiation = yes | no"
support \s-1SSL\s0 renegotiation
.Sp
Applications of the \s-1SSL\s0 renegotiation include some authentication scenarios,
or re-keying long lasting connections.
.Sp
On the other hand this feature can facilitate a trivial CPU-exhaustion
DoS attack:
.Sp
http://vincent.bernat.im/en/blog/2011\-ssl\-dos\-mitigation.html
.Sp
Please note that disabling \s-1SSL\s0 renegotiation does not fully mitigate
this issue.
.Sp
default: yes (if supported by \fBOpenSSL\fR)
.IP "\fBreset\fR = yes | no" 4
.IX Item "reset = yes | no"
attempt to use \s-1TCP\s0 \s-1RST\s0 flag to indicate an error
.Sp
This option is not supported on some platforms.
.Sp
default: yes
.IP "\fBretry\fR = yes | no" 4
.IX Item "retry = yes | no"
reconnect a connect+exec section after it's disconnected
.Sp
default: no
.IP "\fBsessionCacheSize\fR = size" 4
.IX Item "sessionCacheSize = size"
session cache size
.Sp
\&\fIsessionCacheSize\fR specifies the maximum number of the internal session cache
entries.
.Sp
The value of 0 can be used for unlimited size. It is not recommended
for production use due to the risk of memory exhaustion DoS attack.
.IP "\fBsessionCacheTimeout\fR = timeout" 4
.IX Item "sessionCacheTimeout = timeout"
session cache timeout
.Sp
This is the number of seconds to keep cached \s-1SSL\s0 sessions.
.IP "\fBsessiond\fR = host:port" 4
.IX Item "sessiond = host:port"
address of sessiond \s-1SSL\s0 cache server
.IP "\fBsslVersion\fR = version" 4
.IX Item "sslVersion = version"
select version of \s-1SSL\s0 protocol
.Sp
Allowed options: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2
.IP "\fBstack\fR = bytes (except for \s-1FORK\s0 model)" 4
.IX Item "stack = bytes (except for FORK model)"
thread stack size
.IP "\fBTIMEOUTbusy\fR = seconds" 4
.IX Item "TIMEOUTbusy = seconds"
time to wait for expected data
.IP "\fBTIMEOUTclose\fR = seconds" 4
.IX Item "TIMEOUTclose = seconds"
time to wait for close_notify (set to 0 for buggy \s-1MSIE\s0)
.IP "\fBTIMEOUTconnect\fR = seconds" 4
.IX Item "TIMEOUTconnect = seconds"
time to wait to connect a remote host
.IP "\fBTIMEOUTidle\fR = seconds" 4
.IX Item "TIMEOUTidle = seconds"
time to keep an idle connection
.IP "\fBtransparent\fR = none | source | destination | both (Unix only)" 4
.IX Item "transparent = none | source | destination | both (Unix only)"
enable transparent proxy support on selected platforms
.Sp
Supported values:
.RS 4
.IP "\fInone\fR" 4
.IX Item "none"
Disable transparent proxy support. This is the default.
.IP "\fIsource\fR" 4
.IX Item "source"
Re-write address to appear as if wrapped daemon is connecting
from the \s-1SSL\s0 client machine instead of the machine running \fBstunnel\fR.
.Sp
This option is currently available in:
.RS 4
.IP "Remote mode (\fIconnect\fR option) on \fILinux >=2.6.28\fR" 4
.IX Item "Remote mode (connect option) on Linux >=2.6.28"
This configuration requires \fBstunnel\fR to be executed as root and without
\&\fIsetuid\fR option.
.Sp
This configuration requires the following setup for iptables and routing
(possibly in /etc/rc.local or equivalent file):
.Sp
.Vb 7
\& iptables \-t mangle \-N DIVERT
\& iptables \-t mangle \-A PREROUTING \-p tcp \-m socket \-j DIVERT
\& iptables \-t mangle \-A DIVERT \-j MARK \-\-set\-mark 1
\& iptables \-t mangle \-A DIVERT \-j ACCEPT
\& ip rule add fwmark 1 lookup 100
\& ip route add local 0.0.0.0/0 dev lo table 100
\& echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
.Ve
.Sp
\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option.
.IP "Remote mode (\fIconnect\fR option) on \fILinux 2.2.x\fR" 4
.IX Item "Remote mode (connect option) on Linux 2.2.x"
This configuration requires kernel to be compiled with \fItransparent proxy\fR
option.
Connected service must be installed on a separate host.
Routing towards the clients has to go through the \fBstunnel\fR box.
.Sp
\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option.
.IP "Remote mode (\fIconnect\fR option) on \fIFreeBSD >=8.0\fR" 4
.IX Item "Remote mode (connect option) on FreeBSD >=8.0"
This configuration requires additional firewall and routing setup.
\&\fBstunnel\fR must also to be executed as root and without \fIsetuid\fR option.
.IP "Local mode (\fIexec\fR option)" 4
.IX Item "Local mode (exec option)"
This configuration works by pre-loading \fIlibstunnel.so\fR shared library.
_RLD_LIST environment variable is used on Tru64, and \s-1LD_PRELOAD\s0 variable on
other platforms.
.RE
.RS 4
.RE
.IP "\fIdestination\fR" 4
.IX Item "destination"
Original destination is used instead of \fIconnect\fR option.
.Sp
A service section for transparent destination may look like this:
.Sp
.Vb 4
\& [transparent]
\& client=yes
\& accept=<stunnel_port>
\& transparent=destination
.Ve
.Sp
This configuration requires the following setup for iptables
(possibly in /etc/rc.local or equivalent file):
.Sp
.Vb 2
\& /sbin/iptables \-I INPUT \-i eth0 \-p tcp \-\-dport <stunnel_port> \-j ACCEPT
\& /sbin/iptables \-t nat \-I PREROUTING \-i eth0 \-p tcp \-\-dport <redirected_port> \-j DNAT \-\-to\-destination <local_ip>:<stunnel_port>
.Ve
.Sp
Transparent destination option is currently only supported on Linux.
.IP "\fIboth\fR" 4
.IX Item "both"
Use both \fIsource\fR and \fIdestination\fR transparent proxy.
.RE
.RS 4
.Sp
Two legacy options are also supported for backward compatibility:
.IP "\fIyes\fR" 4
.IX Item "yes"
This options has been renamed to \fIsource\fR.
.IP "\fIno\fR" 4
.IX Item "no"
This options has been renamed to \fInone\fR.
.RE
.RS 4
.RE
.IP "\fBverify\fR = level" 4
.IX Item "verify = level"
verify peer certificate
.RS 4
.IP "level 0" 4
.IX Item "level 0"
Request and ignore peer certificate.
.IP "level 1" 4
.IX Item "level 1"
Verify peer certificate if present.
.IP "level 2" 4
.IX Item "level 2"
Verify peer certificate.
.IP "level 3" 4
.IX Item "level 3"
Verify peer with locally installed certificate.
.IP "level 4" 4
.IX Item "level 4"
Ignore \s-1CA\s0 chain and only verify peer certificate.
.IP "default" 4
.IX Item "default"
No verify.
.RE
.RS 4
.Sp
It is important to understand, that this option was solely designed for access
control and not for authorization. Specifically for level 2 every non-revoked
certificate is accepted regardless of its Common Name. For this reason a
dedicated \s-1CA\s0 should be used with level 2, and not a generic \s-1CA\s0 commonly used
for webservers. Level 3 is preferred for point-to-point connections.
.RE
.SH "RETURN VALUE"
.IX Header "RETURN VALUE"
\&\fBstunnel\fR returns zero on success, non-zero on error.
.SH "SIGNALS"
.IX Header "SIGNALS"
The following signals can be used to control \fBstunnel\fR in Unix environment:
.IP "\s-1SIGHUP\s0" 4
.IX Item "SIGHUP"
Force a reload of the configuration file.
.Sp
Some global options will not be reloaded:
.RS 4
.IP "\(bu" 4
chroot
.IP "\(bu" 4
foreground
.IP "\(bu" 4
pid
.IP "\(bu" 4
setgid
.IP "\(bu" 4
setuid
.RE
.RS 4
.Sp
The use of 'setuid' option will also prevent \fBstunnel\fR from binding privileged
(<1024) ports during configuration reloading.
.Sp
When 'chroot' option is used, \fBstunnel\fR will look for all its files (including
configuration file, certificates, log file and pid file) within the chroot
jail.
.RE
.IP "\s-1SIGUSR1\s0" 4
.IX Item "SIGUSR1"
Close and reopen \fBstunnel\fR log file.
This function can be used for log rotation.
.IP "\s-1SIGTERM\s0, \s-1SIGQUIT\s0, \s-1SIGINT\s0" 4
.IX Item "SIGTERM, SIGQUIT, SIGINT"
Shut \fBstunnel\fR down.
.PP
The result of sending any other signals to the server is undefined.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
In order to provide \s-1SSL\s0 encapsulation to your local \fIimapd\fR service, use
.PP
.Vb 4
\& [imapd]
\& accept = 993
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.PP
If you want to provide tunneling to your \fIpppd\fR daemon on port 2020,
use something like
.PP
.Vb 5
\& [vpn]
\& accept = 2020
\& exec = /usr/sbin/pppd
\& execargs = pppd local
\& pty = yes
.Ve
.PP
If you want to use \fBstunnel\fR in \fIinetd\fR mode to launch your imapd
process, you'd use this \fIstunnel.conf\fR.
Note there must be no \fI[service_name]\fR section.
.PP
.Vb 2
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.SH "NOTES"
.IX Header "NOTES"
.SS "\s-1RESTRICTIONS\s0"
.IX Subsection "RESTRICTIONS"
\&\fBstunnel\fR cannot be used for the \s-1FTP\s0 daemon because of the nature
of the \s-1FTP\s0 protocol which utilizes multiple ports for data transfers.
There are available \s-1SSL\s0 enabled versions of \s-1FTP\s0 and telnet daemons, however.
.SS "\s-1INETD\s0 \s-1MODE\s0"
.IX Subsection "INETD MODE"
The most common use of \fBstunnel\fR is to listen on a network
port and establish communication with either a new port
via the connect option, or a new program via the \fIexec\fR option.
However there is a special case when you wish to have
some other program accept incoming connections and
launch \fBstunnel\fR, for example with \fIinetd\fR, \fIxinetd\fR,
or \fItcpserver\fR.
.PP
For example, if you have the following line in \fIinetd.conf\fR:
.PP
.Vb 1
\& imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
.Ve
.PP
In these cases, the \fIinetd\fR\-style program is responsible
for binding a network socket (\fIimaps\fR above) and handing
it to \fBstunnel\fR when a connection is received.
Thus you do not want \fBstunnel\fR to have any \fIaccept\fR option.
All the \fIService Level Options\fR should be placed in the
global options section, and no \fI[service_name]\fR section
will be present. See the \fI\s-1EXAMPLES\s0\fR section for example
configurations.
.SS "\s-1CERTIFICATES\s0"
.IX Subsection "CERTIFICATES"
Each \s-1SSL\s0 enabled daemon needs to present a valid X.509 certificate
to the peer. It also needs a private key to decrypt the incoming
data. The easiest way to obtain a certificate and a key is to
generate them with the free \fBOpenSSL\fR package. You can find more
information on certificates generation on pages listed below.
.PP
The order of contents of the \fI.pem\fR file is important. It should contain the
unencrypted private key first, then a signed certificate (not certificate
request). There should be also empty lines after certificate and private key.
Plaintext certificate information appended on the top of generated certificate
should be discarded. So the file should look like this:
.PP
.Vb 8
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
\& [encoded key]
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
\& [empty line]
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
\& [encoded certificate]
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
\& [empty line]
.Ve
.SS "\s-1RANDOMNESS\s0"
.IX Subsection "RANDOMNESS"
\&\fBstunnel\fR needs to seed the \s-1PRNG\s0 (pseudo random number generator) in
order for \s-1SSL\s0 to use good randomness. The following sources are loaded
in order until sufficient random data has been gathered:
.IP "\(bu" 4
The file specified with the \fIRNDfile\fR flag.
.IP "\(bu" 4
The file specified by the \s-1RANDFILE\s0 environment variable, if set.
.IP "\(bu" 4
The file .rnd in your home directory, if \s-1RANDFILE\s0 not set.
.IP "\(bu" 4
The file specified with '\-\-with\-random' at compile time.
.IP "\(bu" 4
The contents of the screen if running on Windows.
.IP "\(bu" 4
The egd socket specified with the \fI\s-1EGD\s0\fR flag.
.IP "\(bu" 4
The egd socket specified with '\-\-with\-egd\-sock' at compile time.
.IP "\(bu" 4
The /dev/urandom device.
.PP
With recent (\fBOpenSSL 0.9.5a\fR or later) version of \s-1SSL\s0 it will stop loading
random data automatically when sufficient entropy has been gathered. With
previous versions it will continue to gather from all the above sources since
no \s-1SSL\s0 function exists to tell when enough data is available.
.PP
Note that on Windows machines that do not have console user interaction
(mouse movements, creating windows, etc.) the screen contents are not
variable enough to be sufficient, and you should provide a random file
for use with the \fIRNDfile\fR flag.
.PP
Note that the file specified with the \fIRNDfile\fR flag should contain
random data \*(-- that means it should contain different information
each time \fBstunnel\fR is run. This is handled automatically
unless the \fIRNDoverwrite\fR flag is used. If you wish to update this file
manually, the \fIopenssl rand\fR command in recent versions of \fBOpenSSL\fR,
would be useful.
.PP
Important note: If /dev/urandom is available, \fBOpenSSL\fR often seeds the \s-1PRNG\s0
with it while checking the random state. On systems with /dev/urandom
\&\fBOpenSSL\fR is likely to use it even though it is listed at the very bottom of
the list above. This is the behaviour of \fBOpenSSL\fR and not \fBstunnel\fR.
.SS "\s-1DH\s0 \s-1PARAMETERS\s0"
.IX Subsection "DH PARAMETERS"
Stunnel 4.40 and later contains hardcoded 2048\-bit \s-1DH\s0 parameters.
.PP
It is also possible to specify \s-1DH\s0 parameters in the certificate file:
.PP
.Vb 1
\& openssl dhparam 2048 >> stunnel.pem
.Ve
.PP
\&\s-1DH\s0 parameter generation may take several minutes.
.SH "FILES"
.IX Header "FILES"
.IP "\fIstunnel.conf\fR" 4
.IX Item "stunnel.conf"
\&\fBstunnel\fR configuration file
.SH "BUGS"
.IX Header "BUGS"
Option \fIexecargs\fR and Win32 command line does not support quoting.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
.IP "\fItcpd\fR\|(8)" 4
.IX Item "tcpd"
access control facility for internet services
.IP "\fIinetd\fR\|(8)" 4
.IX Item "inetd"
internet 'super\-server'
.IP "\fIhttp://www.stunnel.org/\fR" 4
.IX Item "http://www.stunnel.org/"
\&\fBstunnel\fR homepage
.IP "\fIhttp://www.openssl.org/\fR" 4
.IX Item "http://www.openssl.org/"
\&\fBOpenSSL\fR project website
.SH "AUTHOR"
.IX Header "AUTHOR"
.IP "Michał Trojnara" 4
.IX Item "Michał Trojnara"
<\fIMichal.Trojnara@mirt.net\fR>
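Review bot: the IPv6 example under "accept = address" uses the wrong option name: the text says "To listen on all IPv6 addresses use:" but the verbatim block shows `connect = :::port`, which configures the outbound side; it should read `accept = :::port`. Smaller wording defects in the same hunk: "l_onof:l_linger" under the socket option should be "l_onoff:l_linger" (the struct linger field name); "supported cuves" under curve; "undocummented" under the cifs protocol; a missing comma between NOINTERN and NOSIGS in the OCSPflag list; "must also to be executed as root" in all three "Remote mode" entries under transparent = source; and "This options has been renamed" for both legacy values yes and no. On the security side, the sslVersion entry lists SSLv2 and SSLv3 among the allowed values with no caveat, while the verify section already documents its own pitfalls carefully; a one-line note that SSLv2/SSLv3 are kept for compatibility only would be consistent with the rest of the page.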
574 doc/stunnel.fr.8
@ -1,574 +0,0 @@
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\" ========================================================================
.\"
.IX Title "STUNNEL.FR 8"
.TH STUNNEL.FR 8 "2013.03.19" "4.56" "stunnel"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NOM"
.IX Header "NOM"
stunnel \- tunnel \s-1SSL\s0 universel
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.IP "\fBUnix:\fR" 4
.IX Item "Unix:"
\&\fBstunnel\fR [fichier] | \-fd [n] | \-help | \-version | \-sockets
.IP "\fB\s-1WIN32:\s0\fR" 4
.IX Item "WIN32:"
\&\fBstunnel\fR [fichier] | \-install | \-uninstall | \-help | \-version | \-sockets
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Le programme \fBstunnel\fR est conçu pour fonctionner comme une couche
de chiffrement \fI\s-1SSL\s0\fR entre des clients distants et des serveurs locaux
(\fIinetd\fR\-démarrables) ou distants. Le concept est qu'à partir de daemons
non-SSL présents sur le système, on peut facilement les configurer pour
communiquer avec des clients sur des liens sécurisés \s-1SSL\s0.
.PP
\&\fBstunnel\fR peut être utilisé pour ajouter des fonctionnalités \s-1SSL\s0 à des
daemons classiques \fIInetd\fR tels que les serveurs \s-1POP\-2\s0, \s-1POP\-3\s0 et \s-1IMAP\s0,
à d'autres autonomes tels que \s-1NNTP\s0, \s-1SMTP\s0 et \s-1HTTP\s0, ainsi que pour tunneliser
\&\s-1PPP\s0 sur des sockets réseau sans modification du code source.
.PP
Ce produit inclut du code de chiffrement écrit par
Eric Young (eay@cryptsoft.com)
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB[fichier]\fR" 4
.IX Item "[fichier]"
Utilisation du fichier de configuration spécifié.
.IP "\fB\-fd [n]\fR (Unix seulement)" 4
|
||||
.IX Item "-fd [n] (Unix seulement)"
|
||||
Lecture du fichier de configuration depuis le descripteur de
|
||||
fichier indiqué.
|
||||
.IP "\fB\-help\fR" 4
|
||||
.IX Item "-help"
|
||||
Affiche le menu d'aide de \fBstunnel\fR.
|
||||
.IP "\fB\-version\fR" 4
|
||||
.IX Item "-version"
|
||||
Affiche la version de \fBstunnel\fR et les options de compilation.
|
||||
.IP "\fB\-sockets\fR" 4
|
||||
.IX Item "-sockets"
|
||||
Affiche les options socket par défaut.
|
||||
.IP "\fB\-install\fR (\s-1NT/2000/XP\s0 seulement)" 4
|
||||
.IX Item "-install (NT/2000/XP seulement)"
|
||||
Installe un service \s-1NT\s0.
|
||||
.IP "\fB\-uninstall\fR (\s-1NT/2000/XP\s0 only)" 4
|
||||
.IX Item "-uninstall (NT/2000/XP only)"
|
||||
Désinstalle un service \s-1NT\s0.
|
||||
.SH "FICHIER DE CONFIGURATION"
|
||||
.IX Header "FICHIER DE CONFIGURATION"
|
||||
Chaque ligne du fichier de configuration peut être soit :
|
||||
.IP "\(bu" 4
|
||||
une ligne vide (ignorée) ;
|
||||
.IP "\(bu" 4
|
||||
un commentaire commençant par « # » (ignoré) ;
|
||||
.IP "\(bu" 4
|
||||
une paire « option = valeur » ;
|
||||
.IP "\(bu" 4
|
||||
« [service_name] » indiquant le début de la définition d'un service ;
|
||||
.SS "\s-1OPTIONS\s0 \s-1GLOBALES\s0"
|
||||
.IX Subsection "OPTIONS GLOBALES"
|
||||
.IP "\fBCApath\fR = répertoire" 4
|
||||
.IX Item "CApath = répertoire"
|
||||
Répertoire des autorités de certification (\s-1CA\s0)
|
||||
.Sp
|
||||
C'est le répertoire dans lequel \fBstunnel\fR cherche les certificats si
|
||||
l'on utilise \fIverify\fR. Les certificats doivent être dénommés selon la
|
||||
forme \s-1XXXXXXXX\s0.0, où \s-1XXXXXXXX\s0 est la valeur de hachage du certificat.
|
||||
.Sp
|
||||
Le cas échéant, le répertoire \fICApath\fR est relatif au répertoire \fIchroot\fR.
|
||||
.IP "\fBCAfile\fR = fichier" 4
|
||||
.IX Item "CAfile = fichier"
|
||||
Fichier d'autorités de certification
|
||||
.Sp
|
||||
Ce fichier, utilisé avec \fIverify\fR, contient plusieurs certificats de \s-1CA\s0.
|
||||
.IP "\fBcert\fR = fichier" 4
|
||||
.IX Item "cert = fichier"
|
||||
Fichier de chaîne de certificats \s-1PEM\s0
|
||||
.Sp
|
||||
Une \s-1PEM\s0 est toujours nécessaire en mode serveur.
|
||||
En mode client, cette option utilise cette \s-1PEM\s0 comme une chaîne côté client.
|
||||
L'utilisation de certificats côté client est optionnelle. Les certificats
|
||||
doivent être au format \s-1PEM\s0 et triés par ordre de niveau décroissant (\s-1CA\s0 racine
|
||||
en premier).
|
||||
.IP "\fBchroot\fR = répertoire (Unix seulement)" 4
|
||||
.IX Item "chroot = répertoire (Unix seulement)"
|
||||
Répertoire de chroot du processus \fBstunnel\fR
|
||||
.Sp
|
||||
\&\fBchroot\fR enferme \fBstunnel\fR dans une cellule chroot. \fICApath\fR, \fICRLpath\fR, \fIpid\fR
|
||||
et \fIexec\fR sont situés à l'intérieur de la cellule et les répertoires doivent être
|
||||
relatifs au répertoire correspondant.
|
||||
.Sp
|
||||
Pour que le contrôle de libwrap (wrappeur \s-1TCP\s0) soit effectif dans un environnement
|
||||
chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et
|
||||
/etc/hosts.deny).
|
||||
.IP "\fBciphers\fR = listes de chiffre" 4
|
||||
.IX Item "ciphers = listes de chiffre"
|
||||
Sélection des chiffres \s-1SSL\s0 autorisés
|
||||
.Sp
|
||||
Liste délimitée par deux-points (« : ») des chiffres autorisés pour la connexion \s-1SSL\s0.
|
||||
Exemple : \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
|
||||
.IP "\fBclient\fR = yes | no" 4
|
||||
.IX Item "client = yes | no"
|
||||
Mode client (Le service distant utilise \s-1SSL\s0)
|
||||
.Sp
|
||||
Par défaut : no (mode server)
|
||||
.IP "\fBCRLpath\fR = répertoire" 4
|
||||
.IX Item "CRLpath = répertoire"
|
||||
Répertoire des listes de révocation de certificats (\s-1CRL\s0)
|
||||
.Sp
|
||||
C'est le répertoire dans lequel \fBstunnel\fR recherche les \s-1CRL\s0 avec
|
||||
l'option \fIverify\fR. Les \s-1CRL\s0 doivent être dénommés selon la
|
||||
forme \s-1XXXXXXXX\s0.0 où \s-1XXXXXXXX\s0 est la valeur de hachage de la \s-1CRL\s0.
|
||||
.Sp
|
||||
Le cas échéant, le répertoire \fICRLpath\fR est relatif au répertoire \fIchroot\fR.
|
||||
.IP "\fBCRLfile\fR = fichier" 4
|
||||
.IX Item "CRLfile = fichier"
|
||||
Fichier de listes de révocation de certificats (\s-1CRL\s0)
|
||||
.Sp
|
||||
Ce fichier, utilisé avec \fIverify\fR, contient plusieurs \s-1CRL\s0.
|
||||
.IP "\fBdebug\fR = [facilité.]niveau" 4
|
||||
.IX Item "debug = [facilité.]niveau"
|
||||
niveau de déverminage
|
||||
.Sp
|
||||
Le niveau est un nom ou un numéro conforme à ceux de syslog :
|
||||
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
|
||||
info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux
|
||||
numériquement inférieurs seront affichées. \fBdebug = debug\fR ou
|
||||
\&\fBdebug = 7\fR donneront le maximum d'informations. La valeur par défaut
|
||||
est notice (5).
|
||||
.Sp
|
||||
La facilité syslog « daemon » est utilisée, sauf si un autre nom est spécifié
|
||||
(Win32 ne permet pas l'usage des facilités.)
|
||||
.Sp
|
||||
La casse est ignorée, aussi bien pour la facilité que pour le niveau.
|
||||
.IP "\fB\s-1EGD\s0\fR = chemin (Unix seulement)" 4
|
||||
.IX Item "EGD = chemin (Unix seulement)"
|
||||
Emplacement du socket du daemon de recueil d'entropie (\s-1EGD\s0 \- Entropy Gathering Daemon)
|
||||
.Sp
|
||||
Socket \s-1EGD\s0 à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible
|
||||
seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur).
|
||||
.IP "\fBforeground\fR = yes | no (Unix seulement)" 4
|
||||
.IX Item "foreground = yes | no (Unix seulement)"
|
||||
Mode avant-plan
|
||||
.Sp
|
||||
Reste en avant-plan (sans fork) et dirige la trace sur stderr
|
||||
au lieu de syslog (sauf si \fBoutput\fR est spécifié).
|
||||
.Sp
|
||||
Par défault : arrière\-plan en mode daemon.
|
||||
.IP "\fBkey\fR = fichier" 4
|
||||
.IX Item "key = fichier"
|
||||
Fichier de clef privée pour le certificat spécifié par \fIcert\fR
|
||||
.Sp
|
||||
La clef privée est nécessaire pour authentifier le titulaire du
|
||||
certificat.
|
||||
Puisque ce fichier doit rester secret, il ne doit être lisible que
|
||||
par son propriétaire. Sur les systèmes Unix, on peut utiliser la
|
||||
commande suivante :
|
||||
.Sp
|
||||
.Vb 1
|
||||
\& chmod 600 fichier
|
||||
.Ve
|
||||
.Sp
|
||||
Par défault : Valeur de \fIcert\fR
|
||||
.IP "\fBoptions\fR = Options_SSL" 4
|
||||
.IX Item "options = Options_SSL"
|
||||
Options de la bibliothèque OpenSSL
|
||||
.Sp
|
||||
Le paramètre est l'option OpenSSL décrite dans la page de man
|
||||
\&\fI\fISSL_CTX_set_options\fI\|(3ssl)\fR, débarassée du préfixe \fI\s-1SSL_OP_\s0\fR.
|
||||
Plusieurs \fIoptions\fR peuvent être spécifiées.
|
||||
.Sp
|
||||
Par exemple, pour la compatibilité avec l'implantation \s-1SSL\s0 défaillante
|
||||
d'Eudora, on peut utiliser :
|
||||
.Sp
|
||||
.Vb 1
|
||||
\& options = DONT_INSERT_EMPTY_FRAGMENTS
|
||||
.Ve
|
||||
.IP "\fBoutput\fR = fichier" 4
|
||||
.IX Item "output = fichier"
|
||||
Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.
|
||||
.Sp
|
||||
/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard
|
||||
(par exemple pour les traiter avec les outils splogger).
|
||||
.IP "\fBpid\fR = fichier (Unix seulement)" 4
|
||||
.IX Item "pid = fichier (Unix seulement)"
|
||||
Emplacement du fichier pid
|
||||
.Sp
|
||||
Si l'argument est vide, aucun fichier ne sera créé.
|
||||
.Sp
|
||||
Le cas échéant, le chemin \fIpid\fR est relatif au répertoire \fIchroot\fR.
|
||||
.IP "\fBRNDbytes\fR = nombre" 4
|
||||
.IX Item "RNDbytes = nombre"
|
||||
Nombre d'octets à lire depuis les fichiers de « sel » aléatoire
|
||||
.Sp
|
||||
Avec les \s-1SSL\s0 de version inférieure à 0.9.5a, détermine aussi le nombre
|
||||
d'octets considérés comme suffisants pour « saler » le \s-1PRNG\s0. Les versions plus
|
||||
récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire
|
||||
est suffisant.
|
||||
.IP "\fBRNDfile\fR = fichier" 4
|
||||
.IX Item "RNDfile = fichier"
|
||||
chemin du fichier de données de « sel » aléatoire
|
||||
.Sp
|
||||
La bibliothèque \s-1SSL\s0 utilise prioritairement les données de ce fichier pour
|
||||
« saler » le générateur d'aléatoire.
|
||||
.IP "\fBRNDoverwrite\fR = yes | no" 4
|
||||
.IX Item "RNDoverwrite = yes | no"
|
||||
Recouvre les fichiers de « sel » avec de nouvelles données aléatoires.
|
||||
.Sp
|
||||
Par défaut : yes
|
||||
.IP "\fBservice\fR = nom" 4
|
||||
.IX Item "service = nom"
|
||||
Définit le nom de service à utiliser
|
||||
.Sp
|
||||
\&\fBSous Unix :\fR nom de service du mode \fIinetd\fR pour la bibliothèque \s-1TCP\s0 Wrapper.
|
||||
.Sp
|
||||
Par défaut : stunnel
|
||||
.IP "\fBsession\fR = timeout" 4
|
||||
.IX Item "session = timeout"
|
||||
Timeout du cache de session
|
||||
.IP "\fBsetgid\fR = nom (Unix seulement)" 4
|
||||
.IX Item "setgid = nom (Unix seulement)"
|
||||
Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)
|
||||
.IP "\fBsetuid\fR = nom (Unix seulement)" 4
|
||||
.IX Item "setuid = nom (Unix seulement)"
|
||||
Nom d'utilisateur utilisé en mode daemon
|
||||
.IP "\fBsocket\fR = a|l|r:option=valeur[:valeur]" 4
|
||||
.IX Item "socket = a|l|r:option=valeur[:valeur]"
|
||||
Configure une option de socket accept (a), locale (l) ou distante (r)
|
||||
.Sp
|
||||
Les valeurs de l'option linger sont : l_onof:l_linger.
|
||||
Les valeurs de l'option time sont : tv_sec:tv_usec.
|
||||
.Sp
|
||||
Exemples :
|
||||
.Sp
|
||||
.Vb 9
|
||||
\& socket = l:SO_LINGER=1:60
|
||||
\& définit un délai d\*(Aqune minute pour la clôture des sockets locaux
|
||||
\& socket = r:SO_OOBINLINE=yes
|
||||
\& Place directement les données hors\-bande dans le flux de réception
|
||||
\& des sockets distants
|
||||
\& socket = a:SO_REUSEADDR=no
|
||||
\& désactive la réutilisation d\*(Aqadresses (activée par défaut)
|
||||
\& socket = a:SO_BINDTODEVICE=lo
|
||||
\& limite l\*(Aqacceptation des connexions sur la seule interface de bouclage
|
||||
.Ve
|
||||
.IP "\fBtaskbar\fR = yes | no (\s-1WIN32\s0 seulement)" 4
|
||||
.IX Item "taskbar = yes | no (WIN32 seulement)"
|
||||
active l'icône de la barre de tâches
|
||||
.Sp
|
||||
Par défaut : yes
|
||||
.IP "\fBverify\fR = niveau" 4
|
||||
.IX Item "verify = niveau"
|
||||
Vérifie le certificat du correspondant
|
||||
.Sp
|
||||
.Vb 3
|
||||
\& niveau 1 \- vérifie le certificat s\*(Aqil est présent
|
||||
\& niveau 2 \- vérifie le certificat
|
||||
\& niveau 3 \- contrôle le correspondant avec le certificat local
|
||||
.Ve
|
||||
.Sp
|
||||
Par défaut \- pas de vérification
|
||||
.SS "\s-1OPTIONS\s0 \s-1DE\s0 \s-1SERVICE\s0"
|
||||
.IX Subsection "OPTIONS DE SERVICE"
|
||||
Chaque section de configuration commence par le nom du service entre crochets.
|
||||
Celui-ci est utilisé par le contrôle d'accès de libwrap (\s-1TCP\s0 Wrappers) et sert
|
||||
à distinguer les services \fBstunnel\fR dans les fichiers de traces.
|
||||
.PP
|
||||
Si l'on souhaite utiliser \fBstunnel\fR en mode \fIinetd\fR (lorsqu'un socket lui est
|
||||
fourni par un serveur comme \fIinetd\fR, \fIxinetd\fR ou \fItcpserver\fR), il faut se
|
||||
reporter à la section \fI\s-1MODE\s0 \s-1INETD\s0\fR plus bas.
|
||||
.IP "\fBaccept\fR = [hôte:]port" 4
|
||||
.IX Item "accept = [hôte:]port"
|
||||
Accepte des connexions sur le port spécifié
|
||||
.Sp
|
||||
Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses \s-1IP\s0 de
|
||||
la machine locale.
|
||||
.IP "\fBconnect\fR = [hôte:]port" 4
|
||||
.IX Item "connect = [hôte:]port"
|
||||
Se connecte au port distant indiqué
|
||||
.Sp
|
||||
Par défaut, l'hôte est localhost.
|
||||
.IP "\fBdelay\fR = yes | no" 4
|
||||
.IX Item "delay = yes | no"
|
||||
Retarde la recherche \s-1DNS\s0 pour l'option « connect »
|
||||
.IP "\fBexec\fR = chemin_exécutable (Unix seulement)" 4
|
||||
.IX Item "exec = chemin_exécutable (Unix seulement)"
|
||||
Exécute un programme local de type inetd
|
||||
.Sp
|
||||
Le cas échéant, le chemin \fIexec\fR est relatif au répertoire \fIchroot\fR.
|
||||
.ie n .IP "\fBexecargs\fR = $0 $1 $2 ... (Unix seulement)" 4
|
||||
.el .IP "\fBexecargs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ... (Unix seulement)" 4
|
||||
.IX Item "execargs = $0 $1 $2 ... (Unix seulement)"
|
||||
Arguments pour \fIexec\fR, y compris le nom du programme ($0)
|
||||
.Sp
|
||||
Les quotes ne peuvent actuellement pas être utilisées.
|
||||
Les arguments sont séparés par un nombre quelconque d'espaces.
|
||||
.IP "\fBident\fR = nom" 4
|
||||
.IX Item "ident = nom"
|
||||
Applique le contrôle d'identité d'utilisateur \s-1IDENT\s0 (\s-1RFC\s0 1413)
|
||||
.IP "\fBlocal\fR = hôte" 4
|
||||
.IX Item "local = hôte"
|
||||
Adresse \s-1IP\s0 de l'interface de sortie utilisée pour les connexions distantes.
|
||||
Cette option permet de relier une adresse statique locale.
|
||||
.IP "\fBprotocol\fR = protocole" 4
|
||||
.IX Item "protocol = protocole"
|
||||
Négocie avec \s-1SSL\s0 selon le protocole indiqué
|
||||
.Sp
|
||||
Actuellement gérés : cifs, nntp, pop3, smtp
|
||||
.IP "\fBpty\fR = yes | no (Unix seulement)" 4
|
||||
.IX Item "pty = yes | no (Unix seulement)"
|
||||
Alloue un pseudo-terminal pour l'option « exec »
|
||||
.IP "\fBTIMEOUTbusy\fR = secondes" 4
|
||||
.IX Item "TIMEOUTbusy = secondes"
|
||||
Durée d'attente de données
|
||||
.IP "\fBTIMEOUTclose\fR = secondes" 4
|
||||
.IX Item "TIMEOUTclose = secondes"
|
||||
Durée d'attente du close_notify (mis à 0 pour \s-1MSIE\s0 qui est bogué)
|
||||
.IP "\fBTIMEOUTidle\fR = secondes" 4
|
||||
.IX Item "TIMEOUTidle = secondes"
|
||||
Durée d'attente sur une connexion inactive
|
||||
.IP "\fBtransparent\fR = yes | no (Unix seulement)" 4
|
||||
.IX Item "transparent = yes | no (Unix seulement)"
|
||||
Mode mandataire transparent
|
||||
.Sp
|
||||
Ré\-écrit les adresses pour qu'elles apparaissent provenir de la
|
||||
machine client \s-1SSL\s0 plutôt que de celle qui exécute \fBstunnel\fR.
|
||||
Cette option n'est disponible en mode local (option \fIexec\fR) qu'avec
|
||||
la bibliothèque partagée LD_PRELOADing env.so shared library et en mode
|
||||
distant (option \fIconnect\fR) sur les noyaux Linux 2.2 compilés avec
|
||||
l'option \fItransparent proxy\fR et seulement en mode serveur. Cette
|
||||
option ne se combine pas au mode mandataire (\fIconnect\fR) sauf si la
|
||||
route par défaut du client vers la cible passe par l'hôte qui fait
|
||||
tourner \fBstunnel\fR, qui ne peut être localhost.
|
||||
.SH "VALEUR DE RETOUR"
|
||||
.IX Header "VALEUR DE RETOUR"
|
||||
\&\fBstunnel\fR renvoie zéro en cas de succès, une autre valeur en cas d'erreur.
|
||||
.SH "EXEMPLES"
|
||||
.IX Header "EXEMPLES"
|
||||
Pour encapsuler votre service \fIimapd\fR local avec \s-1SSL\s0 :
|
||||
.PP
|
||||
.Vb 4
|
||||
\& [imapd]
|
||||
\& accept = 993
|
||||
\& exec = /usr/sbin/imapd
|
||||
\& execargs = imapd
|
||||
.Ve
|
||||
.PP
|
||||
Pour tunneliser un daemon \fIpppd\fR sur le port 2020 :
|
||||
.PP
|
||||
.Vb 5
|
||||
\& [vpn]
|
||||
\& accept = 2020
|
||||
\& exec = /usr/sbin/pppd
|
||||
\& execargs = pppd local
|
||||
\& pty = yes
|
||||
.Ve
|
||||
.PP
|
||||
Configuration de \fIstunnel.conf\fR pour utiliser \fBstunnel\fR en mode \fIinetd\fR
|
||||
qui lance imapd à son tour (il ne doit pas y avoir de section \fI[service_name]\fR) :
|
||||
.PP
|
||||
.Vb 2
|
||||
\& exec = /usr/sbin/imapd
|
||||
\& execargs = imapd
|
||||
.Ve
|
||||
.SH "FICHIERS"
|
||||
.IX Header "FICHIERS"
|
||||
.IP "\fIstunnel.conf\fR" 4
|
||||
.IX Item "stunnel.conf"
|
||||
Fichier de configuration de \fBstunnel\fR
|
||||
.IP "\fIstunnel.pem\fR" 4
|
||||
.IX Item "stunnel.pem"
|
||||
Certificat et clef privée de \fBstunnel\fR
|
||||
.SH "BOGUES"
|
||||
.IX Header "BOGUES"
|
||||
L'option \fIexecargs\fR n'admet pas les quotes.
|
||||
.SH "RESTRICTIONS"
|
||||
.IX Header "RESTRICTIONS"
|
||||
\&\fBstunnel\fR ne peut être utilisé pour le daemon \s-1FTP\s0 en raison de la nature
|
||||
du protocole \s-1FTP\s0 qui utilise des ports multiples pour les transferts de données.
|
||||
Il existe cependant des versions \s-1SSL\s0 de \s-1FTP\s0 et de telnet.
|
||||
.SH "NOTES"
|
||||
.IX Header "NOTES"
|
||||
.SS "\s-1MODE\s0 \s-1INETD\s0"
|
||||
.IX Subsection "MODE INETD"
|
||||
L'utilisation la plus commune de \fBstunnel\fR consiste à écouter un port
|
||||
réseau et à établir une communication, soit avec un nouveau port
|
||||
avec l'option \fIconnect\fR, soit avec un programme avec l'option \fIexec\fR.
|
||||
On peut parfois cependant souhaiter qu'un autre programme reçoive les
|
||||
connexions entrantes et lance \fBstunnel\fR, par exemple avec \fIinetd\fR,
|
||||
\&\fIxinetd\fR ou \fItcpserver\fR.
|
||||
.PP
|
||||
Si, par exemple, la ligne suivante se trouve dans \fIinetd.conf\fR :
|
||||
.PP
|
||||
.Vb 1
|
||||
\& imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
|
||||
.Ve
|
||||
.PP
|
||||
Dans ces cas, c'est le programme du genre \fIinetd\fR\-style qui est
|
||||
responsable de l'établissement de la connexion (\fIimaps\fR ci-dessus) et de passer
|
||||
celle-ci à \fBstunnel\fR.
|
||||
Ainsi, \fBstunnel\fR ne doit alors avoir aucune option \fIaccept\fR.
|
||||
Toutes les \fIoptions de niveau service\fR doivent être placées dans
|
||||
la section des options globales et aucune section \fI[service_name]\fR ne doit
|
||||
être présente. Voir la section \fI\s-1EXEMPLES\s0\fR pour des exemples de configurations.
|
||||
.SS "\s-1CERTIFICATS\s0"
|
||||
.IX Subsection "CERTIFICATS"
|
||||
Chaque daemon à propriétés \s-1SSL\s0 doit présenter un certificat X.509
|
||||
valide à son interlocuteur. Il a aussi besoin d'une clef privé pour
|
||||
déchiffrer les données entrantes. La méthode la plus simple pour
|
||||
obtenir un certificat et une clef est d'engendrer celles-ci avec
|
||||
le paquetage libre \fIOpenSSL\fR. Plus d'informations sur la génération de
|
||||
certificats se trouvent dans les pages indiquées plus bas.
|
||||
.PP
|
||||
Deux choses importantes lors de la génération de paires certificat-clef
|
||||
pour \fBstunnel\fR :
|
||||
.IP "\(bu" 4
|
||||
la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen
|
||||
d'obtenir le mot de passe de l'utilisateur ; pour produire une clef non chiffrée,
|
||||
ajouter l'option \fI\-nodes\fR à la commande \fBreq\fR de \fIOpenSSL\fR ;
|
||||
.IP "\(bu" 4
|
||||
l'ordre du contenu du fichier \fI.pem\fR est significatif : il doit contenir d'abord
|
||||
une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat).
|
||||
Il doit aussi y avoir des lignes vides après le certificat et après la clef privée.
|
||||
L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que
|
||||
le fichier ait l'allure suivante :
|
||||
.Sp
|
||||
.Vb 8
|
||||
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
|
||||
\& [clef encodée]
|
||||
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
|
||||
\& [ligne vide]
|
||||
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
|
||||
\& [certificat encodé]
|
||||
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
|
||||
\& [ligne vide]
|
||||
.Ve
|
||||
.SS "\s-1ALEATOIRE\s0"
|
||||
.IX Subsection "ALEATOIRE"
|
||||
\&\fBstunnel\fR doit « saler » le générateur de pseudo\-aléatoires \s-1PRNG\s0 (pseudo random
|
||||
number generator) afin que \s-1SSL\s0 utilise un aléatoire de qualité. Les sources suivantes
|
||||
sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lue :
|
||||
.IP "\(bu" 4
|
||||
le fichier spécifié par \fIRNDfile\fR ;
|
||||
.IP "\(bu" 4
|
||||
le fichier spécifié par la variable d'environnement \s-1RANDFILE\s0, à défaut
|
||||
le fichier .rnd du répertoire \f(CW$HOME\fR de l'utilisateur ;
|
||||
.IP "\(bu" 4
|
||||
le fichier spécifié par « \-\-with\-random » lors de la compilation ;
|
||||
.IP "\(bu" 4
|
||||
le contenu de l'écran (MS-Windows seulement) ;
|
||||
.IP "\(bu" 4
|
||||
le socket \s-1EGD\s0 spécifié par \fI\s-1EGD\s0\fR ;
|
||||
.IP "\(bu" 4
|
||||
le socket \s-1EGD\s0 spécifié par « \-\-with\-egd\-sock » lors de la compilation ;
|
||||
.IP "\(bu" 4
|
||||
le périphérique /dev/urandom.
|
||||
.PP
|
||||
Avec un OpenSSL récent (>=OpenSSL 0.9.5a) le chargement de données s'arrête
|
||||
automatiquement lorsqu'un niveau d'entropie suffisant est atteint.
|
||||
Les versions précédentes continuent à lire toutes les sources puisqu'aucune
|
||||
fonction \s-1SSL\s0 ne leur permet de savoir que suffisamment de données sont disponibles.
|
||||
.PP
|
||||
Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console,
|
||||
(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est
|
||||
pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire
|
||||
par le biais de \fIRNDfile\fR.
|
||||
.PP
|
||||
Le fichier spécifié par \fIRNDfile\fR doit contenir des informations aléatoires \*(--
|
||||
c'est\-à\-dire des informations différentes à chaque lancement de \fBstunnel\fR.
|
||||
Cela est géré automatiquement sauf si l'option \fIRNDoverwrite\fR est utilisée.
|
||||
Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la
|
||||
commande \fIopenssl rand\fR des versions récentes d'OpenSSL sera sans doute utile.
|
||||
.PP
|
||||
Note importante : si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser
|
||||
celui-ci pour « saler » le \s-1PRNG\s0 même lorsqu'il contrôle l'état de l'aléatoire ;
|
||||
ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable
|
||||
qu'il soit utilisé s'il est présent.
|
||||
Ce n'est pas le comportement de \fBstunnel\fR, c'est celui d'OpenSSL.
|
||||
.SH "VOIR AUSSI"
|
||||
.IX Header "VOIR AUSSI"
|
||||
.IP "\fItcpd\fR\|(8)" 4
|
||||
.IX Item "tcpd"
|
||||
Service de contrôle d'accès pour les services internet
|
||||
.IP "\fIinetd\fR\|(8)" 4
|
||||
.IX Item "inetd"
|
||||
« super-serveur » internet
|
||||
.IP "\fIhttp://www.stunnel.org/\fR" 4
|
||||
.IX Item "http://www.stunnel.org/"
|
||||
Page de référence de \fBstunnel\fR
|
||||
.IP "\fIhttp://www.openssl.org/\fR" 4
|
||||
.IX Item "http://www.openssl.org/"
|
||||
Site web du projet OpenSSL
|
||||
.SH "AUTEUR"
|
||||
.IX Header "AUTEUR"
|
||||
.IP "Michał Trojnara" 4
|
||||
.IX Item "Michał Trojnara"
|
||||
<\fIMichal.Trojnara@mirt.net\fR>
|
||||
.SH "ADAPTATION FRANÇAISE"
|
||||
.IX Header "ADAPTATION FRANÇAISE"
|
||||
.IP "Bernard Choppy" 4
|
||||
.IX Item "Bernard Choppy"
|
||||
<\fIchoppy \s-1AT\s0 free \s-1POINT\s0 fr\fR>
|
|
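Review bot: the commit message should say why doc/stunnel.fr.8 is removed, because the .TH line at the top of this hunk shows the French page was generated for stunnel 4.56 on 2013.03.19 while this import is version 5.42, so the reader is left to guess whether the translation is dropped as unmaintained or by accident; also confirm in the same change that no build or install list still references doc/stunnel.fr.8, or packaging of the docs will break. Dropping the stale page is the right call from a security standpoint: under OPTIONS GLOBALES it still tells users that `verify` defaults to no verification ("Par défaut - pas de vérification"), gives `DES-CBC3-SHA:IDEA-CBC-MD5` as the `ciphers` example, and presents the `options = DONT_INSERT_EMPTY_FRAGMENTS` Eudora workaround and EGD socket seeding as current practice, none of which should ship as guidance for a 5.x release. Since the hunk removes the file outright (+0,0) and no updated translation appears in this diff, a one-line note pointing French readers to the English stunnel.8 would be worth adding alongside the deletion.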
@ -1,670 +0,0 @@
<?xml version="1.0" ?>
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
||||
<html xmlns="http://www.w3.org/1999/xhtml">
|
||||
<head>
|
||||
<title>stunnel.8</title>
|
||||
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
|
||||
<link rev="made" href="mailto:root@localhost" />
|
||||
</head>
|
||||
|
||||
<body style="background-color: white">
|
||||
|
||||
|
||||
<!-- INDEX BEGIN -->
|
||||
<div name="index">
|
||||
<p><a name="__index__"></a></p>
|
||||
<!--
|
||||
|
||||
<ul>
|
||||
|
||||
<li><a href="#nom">NOM</a></li>
|
||||
<li><a href="#synopsis">SYNOPSIS</a></li>
|
||||
<li><a href="#description">DESCRIPTION</a></li>
|
||||
<li><a href="#options">OPTIONS</a></li>
|
||||
<li><a href="#fichier_de_configuration">FICHIER DE CONFIGURATION</a></li>
|
||||
<ul>
|
||||
|
||||
<li><a href="#options_globales">OPTIONS GLOBALES</a></li>
|
||||
<li><a href="#options_de_service">OPTIONS DE SERVICE</a></li>
|
||||
</ul>
|
||||
|
||||
<li><a href="#valeur_de_retour">VALEUR DE RETOUR</a></li>
|
||||
<li><a href="#exemples">EXEMPLES</a></li>
|
||||
<li><a href="#fichiers">FICHIERS</a></li>
|
||||
<li><a href="#bogues">BOGUES</a></li>
|
||||
<li><a href="#restrictions">RESTRICTIONS</a></li>
|
||||
<li><a href="#notes">NOTES</a></li>
|
||||
<ul>
|
||||
|
||||
<li><a href="#mode_inetd">MODE INETD</a></li>
|
||||
<li><a href="#certificats">CERTIFICATS</a></li>
|
||||
<li><a href="#aleatoire">ALEATOIRE</a></li>
|
||||
</ul>
|
||||
|
||||
<li><a href="#voir_aussi">VOIR AUSSI</a></li>
|
||||
<li><a href="#auteur">AUTEUR</a></li>
|
||||
<li><a href="#adaptation_fran__aise">ADAPTATION FRANÇAISE</a></li>
|
||||
</ul>
|
||||
|
||||
-->
|
||||
|
||||
|
||||
</div>
|
||||
<!-- INDEX END -->
|
||||
|
||||
<p>
|
||||
</p>
|
||||
<h1><a name="nom">NOM</a></h1>
|
||||
<p>stunnel - tunnel SSL universel</p>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="synopsis">SYNOPSIS</a></h1>
|
||||
<dl>
|
||||
<dt><strong><a name="unix" class="item"><strong>Unix:</strong></a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p><strong>stunnel</strong> [fichier] | -fd [n] | -help | -version | -sockets</p>
|
||||
</dd>
|
||||
<dt><strong><a name="win32" class="item"><strong>WIN32:</strong></a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p><strong>stunnel</strong> [fichier] | -install | -uninstall | -help | -version | -sockets</p>
|
||||
</dd>
|
||||
</dl>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="description">DESCRIPTION</a></h1>
|
||||
<p>Le programme <strong>stunnel</strong> est conçu pour fonctionner comme une couche
|
||||
de chiffrement <em>SSL</em> entre des clients distants et des serveurs locaux
|
||||
(<em>inetd</em>-démarrables) ou distants. Le concept est qu'à partir de daemons
|
||||
non-SSL présents sur le système, on peut facilement les configurer pour
|
||||
communiquer avec des clients sur des liens sécurisés SSL.</p>
|
||||
<p><strong>stunnel</strong> peut être utilisé pour ajouter des fonctionnalités SSL à des
|
||||
daemons classiques <em>Inetd</em> tels que les serveurs POP-2, POP-3 et IMAP,
|
||||
à d'autres autonomes tels que NNTP, SMTP et HTTP, ainsi que pour tunneliser
|
||||
PPP sur des sockets réseau sans modification du code source.</p>
|
||||
<p>Ce produit inclut du code de chiffrement écrit par
|
||||
Eric Young (<a href="mailto:eay@cryptsoft.com">eay@cryptsoft.com</a>)</p>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="options">OPTIONS</a></h1>
|
||||
<dl>
|
||||
<dt><strong><a name="fichier" class="item"><strong>[fichier]</strong></a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Utilisation du fichier de configuration spécifié.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="fd_n_unix_seulement" class="item"><strong>-fd [n]</strong> (Unix seulement)</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Lecture du fichier de configuration depuis le descripteur de
|
||||
fichier indiqué.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="help" class="item"><strong>-help</strong></a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Affiche le menu d'aide de <strong>stunnel</strong>.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="version" class="item"><strong>-version</strong></a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Affiche la version de <strong>stunnel</strong> et les options de compilation.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="sockets" class="item"><strong>-sockets</strong></a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Affiche les options socket par défaut.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="install" class="item"><strong>-install</strong> (NT/2000/XP seulement)</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Installe un service NT.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="uninstall" class="item"><strong>-uninstall</strong> (NT/2000/XP only)</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Désinstalle un service NT.</p>
|
||||
</dd>
|
||||
</dl>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="fichier_de_configuration">FICHIER DE CONFIGURATION</a></h1>
|
||||
<p>Chaque ligne du fichier de configuration peut être soit :</p>
|
||||
<ul>
|
||||
<li>
|
||||
<p>une ligne vide (ignorée) ;</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>un commentaire commençant par « # » (ignoré) ;</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>une paire « option = valeur » ;</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>« [service_name] » indiquant le début de la définition d'un service ;</p>
|
||||
</li>
|
||||
</ul>
|
||||
<p>
|
||||
</p>
|
||||
<h2><a name="options_globales">OPTIONS GLOBALES</a></h2>
|
||||
<dl>
|
||||
<dt><strong><a name="capath_r_pertoire" class="item"><strong>CApath</strong> = répertoire</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Répertoire des autorités de certification (CA)</p>
|
||||
<p>C'est le répertoire dans lequel <strong>stunnel</strong> cherche les certificats si
|
||||
l'on utilise <em>verify</em>. Les certificats doivent être dénommés selon la
|
||||
forme XXXXXXXX.0, où XXXXXXXX est la valeur de hachage du certificat.</p>
|
||||
<p>Le cas échéant, le répertoire <em>CApath</em> est relatif au répertoire <em>chroot</em>.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="cafile_fichier" class="item"><strong>CAfile</strong> = fichier</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Fichier d'autorités de certification</p>
|
||||
<p>Ce fichier, utilisé avec <em>verify</em>, contient plusieurs certificats de CA.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="cert_fichier" class="item"><strong>cert</strong> = fichier</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Fichier de chaîne de certificats PEM</p>
|
||||
<p>Une PEM est toujours nécessaire en mode serveur.
|
||||
En mode client, cette option utilise cette PEM comme une chaîne côté client.
|
||||
L'utilisation de certificats côté client est optionnelle. Les certificats
|
||||
doivent être au format PEM et triés par ordre de niveau décroissant (CA racine
|
||||
en premier).</p>
|
||||
</dd>
|
||||
<dt><strong><a name="pertoire" class="item"><strong>chroot</strong> = répertoire (Unix seulement)</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Répertoire de chroot du processus <strong>stunnel</strong></p>
|
||||
<p><strong>chroot</strong> enferme <strong>stunnel</strong> dans une cellule chroot. <em>CApath</em>, <em>CRLpath</em>, <em>pid</em>
|
||||
et <em>exec</em> sont situés à l'intérieur de la cellule et les répertoires doivent être
|
||||
relatifs au répertoire correspondant.</p>
|
||||
<p>Pour que le contrôle de libwrap (wrappeur TCP) soit effectif dans un environnement
|
||||
chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et
|
||||
/etc/hosts.deny).</p>
|
||||
</dd>
|
||||
<dt><strong><a name="ciphers_listes_de_chiffre" class="item"><strong>ciphers</strong> = listes de chiffre</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Sélection des chiffres SSL autorisés</p>
|
||||
<p>Liste délimitée par deux-points (« : ») des chiffres autorisés pour la connexion SSL.
|
||||
Exemple : DES-CBC3-SHA:IDEA-CBC-MD5</p>
|
||||
</dd>
|
||||
<dt><strong><a name="client_yes_no" class="item"><strong>client</strong> = yes | no</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Mode client (Le service distant utilise SSL)</p>
|
||||
<p>Par défaut : no (mode server)</p>
|
||||
</dd>
|
||||
<dt><strong><a name="crlpath_r_pertoire" class="item"><strong>CRLpath</strong> = répertoire</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Répertoire des listes de révocation de certificats (CRL)</p>
|
||||
<p>C'est le répertoire dans lequel <strong>stunnel</strong> recherche les CRL avec
|
||||
l'option <em>verify</em>. Les CRL doivent être dénommés selon la
|
||||
forme XXXXXXXX.0 où XXXXXXXX est la valeur de hachage de la CRL.</p>
|
||||
<p>Le cas échéant, le répertoire <em>CRLpath</em> est relatif au répertoire <em>chroot</em>.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="crlfile_fichier" class="item"><strong>CRLfile</strong> = fichier</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Fichier de listes de révocation de certificats (CRL)</p>
|
||||
<p>Ce fichier, utilisé avec <em>verify</em>, contient plusieurs CRL.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="debug_facilit_niveau" class="item"><strong>debug</strong> = [facilité.]niveau</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>niveau de déverminage</p>
|
||||
<p>Le niveau est un nom ou un numéro conforme à ceux de syslog :
|
||||
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
|
||||
info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux
|
||||
numériquement inférieurs seront affichées. <strong>debug = debug</strong> ou
|
||||
<strong>debug = 7</strong> donneront le maximum d'informations. La valeur par défaut
|
||||
est notice (5).</p>
|
||||
<p>La facilité syslog « daemon » est utilisée, sauf si un autre nom est spécifié
|
||||
(Win32 ne permet pas l'usage des facilités.)</p>
|
||||
<p>La casse est ignorée, aussi bien pour la facilité que pour le niveau.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="chemin" class="item"><strong>EGD</strong> = chemin (Unix seulement)</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Emplacement du socket du daemon de recueil d'entropie (EGD - Entropy Gathering Daemon)</p>
|
||||
<p>Socket EGD à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible
|
||||
seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur).</p>
|
||||
</dd>
|
||||
<dt><strong><a name="no" class="item"><strong>foreground</strong> = yes | no (Unix seulement)</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Mode avant-plan</p>
|
||||
<p>Reste en avant-plan (sans fork) et dirige la trace sur stderr
|
||||
au lieu de syslog (sauf si <strong>output</strong> est spécifié).</p>
|
||||
<p>Par défault : arrière-plan en mode daemon.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="key_fichier" class="item"><strong>key</strong> = fichier</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Fichier de clef privée pour le certificat spécifié par <em>cert</em></p>
|
||||
<p>La clef privée est nécessaire pour authentifier le titulaire du
|
||||
certificat.
|
||||
Puisque ce fichier doit rester secret, il ne doit être lisible que
|
||||
par son propriétaire. Sur les systèmes Unix, on peut utiliser la
|
||||
commande suivante :</p>
|
||||
<pre>
|
||||
chmod 600 fichier</pre>
|
||||
<p>Par défault : Valeur de <em>cert</em></p>
|
||||
</dd>
|
||||
<dt><strong><a name="options_options_ssl" class="item"><strong>options</strong> = Options_SSL</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Options de la bibliothèque OpenSSL</p>
|
||||
<p>Le paramètre est l'option OpenSSL décrite dans la page de man
|
||||
<em>SSL_CTX_set_options(3ssl)</em>, débarassée du préfixe <em>SSL_OP_</em>.
|
||||
Plusieurs <em>options</em> peuvent être spécifiées.</p>
|
||||
<p>Par exemple, pour la compatibilité avec l'implantation SSL défaillante
|
||||
d'Eudora, on peut utiliser :</p>
|
||||
<pre>
|
||||
options = DONT_INSERT_EMPTY_FRAGMENTS</pre>
|
||||
</dd>
|
||||
<dt><strong><a name="output_fichier" class="item"><strong>output</strong> = fichier</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.</p>
|
||||
<p>/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard
|
||||
(par exemple pour les traiter avec les outils splogger).</p>
|
||||
</dd>
|
||||
<dt><strong><strong>pid</strong> = fichier (Unix seulement)</strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Emplacement du fichier pid</p>
|
||||
<p>Si l'argument est vide, aucun fichier ne sera créé.</p>
|
||||
<p>Le cas échéant, le chemin <em>pid</em> est relatif au répertoire <em>chroot</em>.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="rndbytes_nombre" class="item"><strong>RNDbytes</strong> = nombre</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Nombre d'octets à lire depuis les fichiers de « sel » aléatoire</p>
|
||||
<p>Avec les SSL de version inférieure à 0.9.5a, détermine aussi le nombre
|
||||
d'octets considérés comme suffisants pour « saler » le PRNG. Les versions plus
|
||||
récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire
|
||||
est suffisant.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="rndfile_fichier" class="item"><strong>RNDfile</strong> = fichier</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>chemin du fichier de données de « sel » aléatoire</p>
|
||||
<p>La bibliothèque SSL utilise prioritairement les données de ce fichier pour
|
||||
« saler » le générateur d'aléatoire.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="rndoverwrite_yes_no" class="item"><strong>RNDoverwrite</strong> = yes | no</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Recouvre les fichiers de « sel » avec de nouvelles données aléatoires.</p>
|
||||
<p>Par défaut : yes</p>
|
||||
</dd>
|
||||
<dt><strong><a name="service_nom" class="item"><strong>service</strong> = nom</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Définit le nom de service à utiliser</p>
|
||||
<p><strong>Sous Unix :</strong> nom de service du mode <em>inetd</em> pour la bibliothèque TCP Wrapper.</p>
|
||||
<p>Par défaut : stunnel</p>
|
||||
</dd>
|
||||
<dt><strong><a name="session_timeout" class="item"><strong>session</strong> = timeout</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Timeout du cache de session</p>
|
||||
</dd>
|
||||
<dt><strong><a name="nom" class="item"><strong>setgid</strong> = nom (Unix seulement)</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)</p>
|
||||
</dd>
|
||||
<dt><strong><strong>setuid</strong> = nom (Unix seulement)</strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Nom d'utilisateur utilisé en mode daemon</p>
|
||||
</dd>
|
||||
<dt><strong><a name="socket_a_l_r_option_valeur_valeur" class="item"><strong>socket</strong> = a|l|r:option=valeur[:valeur]</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Configure une option de socket accept (a), locale (l) ou distante (r)</p>
|
||||
<p>Les valeurs de l'option linger sont : l_onof:l_linger.
|
||||
Les valeurs de l'option time sont : tv_sec:tv_usec.</p>
|
||||
<p>Exemples :</p>
|
||||
<pre>
|
||||
socket = l:SO_LINGER=1:60
|
||||
définit un délai d'une minute pour la clôture des sockets locaux
|
||||
socket = r:SO_OOBINLINE=yes
|
||||
Place directement les données hors-bande dans le flux de réception
|
||||
des sockets distants
|
||||
socket = a:SO_REUSEADDR=no
|
||||
désactive la réutilisation d'adresses (activée par défaut)
|
||||
socket = a:SO_BINDTODEVICE=lo
|
||||
limite l'acceptation des connexions sur la seule interface de bouclage</pre>
|
||||
</dd>
|
||||
<dt><strong><strong>taskbar</strong> = yes | no (WIN32 seulement)</strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>active l'icône de la barre de tâches</p>
|
||||
<p>Par défaut : yes</p>
|
||||
</dd>
|
||||
<dt><strong><a name="verify_niveau" class="item"><strong>verify</strong> = niveau</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Vérifie le certificat du correspondant</p>
|
||||
<pre>
|
||||
niveau 1 - vérifie le certificat s'il est présent
|
||||
niveau 2 - vérifie le certificat
|
||||
niveau 3 - contrôle le correspondant avec le certificat local</pre>
|
||||
<p>Par défaut - pas de vérification</p>
|
||||
</dd>
|
||||
</dl>
|
||||
<p>
|
||||
</p>
|
||||
<h2><a name="options_de_service">OPTIONS DE SERVICE</a></h2>
|
||||
<p>Chaque section de configuration commence par le nom du service entre crochets.
|
||||
Celui-ci est utilisé par le contrôle d'accès de libwrap (TCP Wrappers) et sert
|
||||
à distinguer les services <strong>stunnel</strong> dans les fichiers de traces.</p>
|
||||
<p>Si l'on souhaite utiliser <strong>stunnel</strong> en mode <em>inetd</em> (lorsqu'un socket lui est
|
||||
fourni par un serveur comme <em>inetd</em>, <em>xinetd</em> ou <em>tcpserver</em>), il faut se
|
||||
reporter à la section <em>MODE INETD</em> plus bas.</p>
|
||||
<dl>
|
||||
<dt><strong><a name="accept_h_te_port" class="item"><strong>accept</strong> = [hôte:]port</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Accepte des connexions sur le port spécifié</p>
|
||||
<p>Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses IP de
|
||||
la machine locale.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="connect_h_te_port" class="item"><strong>connect</strong> = [hôte:]port</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Se connecte au port distant indiqué</p>
|
||||
<p>Par défaut, l'hôte est localhost.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="delay_yes_no" class="item"><strong>delay</strong> = yes | no</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Retarde la recherche DNS pour l'option « connect »</p>
|
||||
</dd>
|
||||
<dt><strong><a name="cutable" class="item"><strong>exec</strong> = chemin_exécutable (Unix seulement)</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Exécute un programme local de type inetd</p>
|
||||
<p>Le cas échéant, le chemin <em>exec</em> est relatif au répertoire <em>chroot</em>.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="execargs_0_1_2_unix_seulement" class="item"><strong>execargs</strong> = $0 $1 $2 ... (Unix seulement)</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Arguments pour <em>exec</em>, y compris le nom du programme ($0)</p>
|
||||
<p>Les quotes ne peuvent actuellement pas être utilisées.
|
||||
Les arguments sont séparés par un nombre quelconque d'espaces.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="ident_nom" class="item"><strong>ident</strong> = nom</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Applique le contrôle d'identité d'utilisateur IDENT (<a href="http://www.ietf.org/rfc/rfc1413.txt" class="rfc">RFC 1413</a>)</p>
|
||||
</dd>
|
||||
<dt><strong><a name="local_h_te" class="item"><strong>local</strong> = hôte</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Adresse IP de l'interface de sortie utilisée pour les connexions distantes.
|
||||
Cette option permet de relier une adresse statique locale.</p>
|
||||
</dd>
|
||||
<dt><strong><a name="protocol_protocole" class="item"><strong>protocol</strong> = protocole</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Négocie avec SSL selon le protocole indiqué</p>
|
||||
<p>Actuellement gérés : cifs, nntp, pop3, smtp</p>
|
||||
</dd>
|
||||
<dt><strong><strong>pty</strong> = yes | no (Unix seulement)</strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Alloue un pseudo-terminal pour l'option « exec »</p>
|
||||
</dd>
|
||||
<dt><strong><a name="timeoutbusy_secondes" class="item"><strong>TIMEOUTbusy</strong> = secondes</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Durée d'attente de données</p>
|
||||
</dd>
|
||||
<dt><strong><a name="timeoutclose_secondes" class="item"><strong>TIMEOUTclose</strong> = secondes</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Durée d'attente du close_notify (mis à 0 pour MSIE qui est bogué)</p>
|
||||
</dd>
|
||||
<dt><strong><a name="timeoutidle_secondes" class="item"><strong>TIMEOUTidle</strong> = secondes</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Durée d'attente sur une connexion inactive</p>
|
||||
</dd>
|
||||
<dt><strong><strong>transparent</strong> = yes | no (Unix seulement)</strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Mode mandataire transparent</p>
|
||||
<p>Ré-écrit les adresses pour qu'elles apparaissent provenir de la
|
||||
machine client SSL plutôt que de celle qui exécute <strong>stunnel</strong>.
|
||||
Cette option n'est disponible en mode local (option <em>exec</em>) qu'avec
|
||||
la bibliothèque partagée LD_PRELOADing env.so shared library et en mode
|
||||
distant (option <em>connect</em>) sur les noyaux Linux 2.2 compilés avec
|
||||
l'option <em>transparent proxy</em> et seulement en mode serveur. Cette
|
||||
option ne se combine pas au mode mandataire (<em>connect</em>) sauf si la
|
||||
route par défaut du client vers la cible passe par l'hôte qui fait
|
||||
tourner <strong>stunnel</strong>, qui ne peut être localhost.</p>
|
||||
</dd>
|
||||
</dl>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="valeur_de_retour">VALEUR DE RETOUR</a></h1>
|
||||
<p><strong>stunnel</strong> renvoie zéro en cas de succès, une autre valeur en cas d'erreur.</p>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="exemples">EXEMPLES</a></h1>
|
||||
<p>Pour encapsuler votre service <em>imapd</em> local avec SSL :</p>
|
||||
<pre>
|
||||
[imapd]
|
||||
accept = 993
|
||||
exec = /usr/sbin/imapd
|
||||
execargs = imapd</pre>
|
||||
<p>Pour tunneliser un daemon <em>pppd</em> sur le port 2020 :</p>
|
||||
<pre>
|
||||
[vpn]
|
||||
accept = 2020
|
||||
exec = /usr/sbin/pppd
|
||||
execargs = pppd local
|
||||
pty = yes</pre>
|
||||
<p>Configuration de <em>stunnel.conf</em> pour utiliser <strong>stunnel</strong> en mode <em>inetd</em>
|
||||
qui lance imapd à son tour (il ne doit pas y avoir de section <em>[service_name]</em>) :</p>
|
||||
<pre>
|
||||
exec = /usr/sbin/imapd
|
||||
execargs = imapd</pre>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="fichiers">FICHIERS</a></h1>
|
||||
<dl>
|
||||
<dt><strong><a name="stunnel_conf" class="item"><em class="file">stunnel.conf</em></a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Fichier de configuration de <strong>stunnel</strong></p>
|
||||
</dd>
|
||||
<dt><strong><a name="stunnel_pem" class="item"><em class="file">stunnel.pem</em></a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Certificat et clef privée de <strong>stunnel</strong></p>
|
||||
</dd>
|
||||
</dl>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="bogues">BOGUES</a></h1>
|
||||
<p>L'option <em>execargs</em> n'admet pas les quotes.</p>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="restrictions">RESTRICTIONS</a></h1>
|
||||
<p><strong>stunnel</strong> ne peut être utilisé pour le daemon FTP en raison de la nature
|
||||
du protocole FTP qui utilise des ports multiples pour les transferts de données.
|
||||
Il existe cependant des versions SSL de FTP et de telnet.</p>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="notes">NOTES</a></h1>
|
||||
<p>
|
||||
</p>
|
||||
<h2><a name="mode_inetd">MODE INETD</a></h2>
|
||||
<p>L'utilisation la plus commune de <strong>stunnel</strong> consiste à écouter un port
|
||||
réseau et à établir une communication, soit avec un nouveau port
|
||||
avec l'option <em>connect</em>, soit avec un programme avec l'option <em>exec</em>.
|
||||
On peut parfois cependant souhaiter qu'un autre programme reçoive les
|
||||
connexions entrantes et lance <strong>stunnel</strong>, par exemple avec <em>inetd</em>,
|
||||
<em>xinetd</em> ou <em>tcpserver</em>.</p>
|
||||
<p>Si, par exemple, la ligne suivante se trouve dans <em>inetd.conf</em> :</p>
|
||||
<pre>
|
||||
imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf</pre>
|
||||
<p>Dans ces cas, c'est le programme du genre <em>inetd</em>-style qui est
|
||||
responsable de l'établissement de la connexion (<em>imaps</em> ci-dessus) et de passer
|
||||
celle-ci à <strong>stunnel</strong>.
|
||||
Ainsi, <strong>stunnel</strong> ne doit alors avoir aucune option <em>accept</em>.
|
||||
Toutes les <em>options de niveau service</em> doivent être placées dans
|
||||
la section des options globales et aucune section <em>[service_name]</em> ne doit
|
||||
être présente. Voir la section <em>EXEMPLES</em> pour des exemples de configurations.</p>
|
||||
<p>
|
||||
</p>
|
||||
<h2><a name="certificats">CERTIFICATS</a></h2>
|
||||
<p>Chaque daemon à propriétés SSL doit présenter un certificat X.509
|
||||
valide à son interlocuteur. Il a aussi besoin d'une clef privé pour
|
||||
déchiffrer les données entrantes. La méthode la plus simple pour
|
||||
obtenir un certificat et une clef est d'engendrer celles-ci avec
|
||||
le paquetage libre <em>OpenSSL</em>. Plus d'informations sur la génération de
|
||||
certificats se trouvent dans les pages indiquées plus bas.</p>
|
||||
<p>Deux choses importantes lors de la génération de paires certificat-clef
|
||||
pour <strong>stunnel</strong> :</p>
|
||||
<ul>
|
||||
<li>
|
||||
<p>la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen
|
||||
d'obtenir le mot de passe de l'utilisateur ; pour produire une clef non chiffrée,
|
||||
ajouter l'option <em>-nodes</em> à la commande <strong>req</strong> de <em>OpenSSL</em> ;</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>l'ordre du contenu du fichier <em>.pem</em> est significatif : il doit contenir d'abord
|
||||
une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat).
|
||||
Il doit aussi y avoir des lignes vides après le certificat et après la clef privée.
|
||||
L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que
|
||||
le fichier ait l'allure suivante :</p>
|
||||
<pre>
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
[clef encodée]
|
||||
-----END RSA PRIVATE KEY-----
|
||||
[ligne vide]
|
||||
-----BEGIN CERTIFICATE-----
|
||||
[certificat encodé]
|
||||
-----END CERTIFICATE-----
|
||||
[ligne vide]</pre>
|
||||
</li>
|
||||
</ul>
|
||||
<p>
|
||||
</p>
|
||||
<h2><a name="aleatoire">ALEATOIRE</a></h2>
|
||||
<p><strong>stunnel</strong> doit « saler » le générateur de pseudo-aléatoires PRNG (pseudo random
|
||||
number generator) afin que SSL utilise un aléatoire de qualité. Les sources suivantes
|
||||
sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lue :</p>
|
||||
<ul>
|
||||
<li>
|
||||
<p>le fichier spécifié par <em>RNDfile</em> ;</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>le fichier spécifié par la variable d'environnement RANDFILE, à défaut
|
||||
le fichier .rnd du répertoire $HOME de l'utilisateur ;</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>le fichier spécifié par « --with-random » lors de la compilation ;</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>le contenu de l'écran (MS-Windows seulement) ;</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>le socket EGD spécifié par <em>EGD</em> ;</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>le socket EGD spécifié par « --with-egd-sock » lors de la compilation ;</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>le périphérique /dev/urandom.</p>
|
||||
</li>
|
||||
</ul>
|
||||
<p>Avec un OpenSSL récent (>=OpenSSL 0.9.5a) le chargement de données s'arrête
|
||||
automatiquement lorsqu'un niveau d'entropie suffisant est atteint.
|
||||
Les versions précédentes continuent à lire toutes les sources puisqu'aucune
|
||||
fonction SSL ne leur permet de savoir que suffisamment de données sont disponibles.</p>
|
||||
<p>Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console,
|
||||
(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est
|
||||
pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire
|
||||
par le biais de <em>RNDfile</em>.</p>
|
||||
<p>Le fichier spécifié par <em>RNDfile</em> doit contenir des informations aléatoires --
|
||||
c'est-à-dire des informations différentes à chaque lancement de <strong>stunnel</strong>.
|
||||
Cela est géré automatiquement sauf si l'option <em>RNDoverwrite</em> est utilisée.
|
||||
Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la
|
||||
commande <em>openssl rand</em> des versions récentes d'OpenSSL sera sans doute utile.</p>
|
||||
<p>Note importante : si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser
|
||||
celui-ci pour « saler » le PRNG même lorsqu'il contrôle l'état de l'aléatoire ;
|
||||
ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable
|
||||
qu'il soit utilisé s'il est présent.
|
||||
Ce n'est pas le comportement de <strong>stunnel</strong>, c'est celui d'OpenSSL.</p>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="voir_aussi">VOIR AUSSI</a></h1>
|
||||
<dl>
|
||||
<dt><strong><a name="tcpd" class="item"><a href="#tcpd">tcpd(8)</a></a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Service de contrôle d'accès pour les services internet</p>
|
||||
</dd>
|
||||
<dt><strong><a name="inetd" class="item"><a href="#inetd">inetd(8)</a></a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>« super-serveur » internet</p>
|
||||
</dd>
|
||||
<dt><strong><a name="http_www_stunnel_org" class="item"><em class="file"><a href="http://www.stunnel.org/">http://www.stunnel.org/</a></em></a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Page de référence de <strong>stunnel</strong></p>
|
||||
</dd>
|
||||
<dt><strong><a name="http_www_openssl_org" class="item"><em class="file"><a href="http://www.openssl.org/">http://www.openssl.org/</a></em></a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p>Site web du projet OpenSSL</p>
|
||||
</dd>
|
||||
</dl>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="auteur">AUTEUR</a></h1>
|
||||
<dl>
|
||||
<dt><strong><a name="micha_trojnara" class="item">Michał Trojnara</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p><<em class="file"><a href="mailto:Michal.Trojnara@mirt.net">Michal.Trojnara@mirt.net</a></em>></p>
|
||||
</dd>
|
||||
</dl>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="adaptation_fran__aise">ADAPTATION FRANÇAISE</a></h1>
|
||||
<dl>
|
||||
<dt><strong><a name="bernard_choppy" class="item">Bernard Choppy</a></strong></dt>
|
||||
|
||||
<dd>
|
||||
<p><<em class="file">choppy AT free POINT fr</em>></p>
|
||||
</dd>
|
||||
</dl>
|
||||
|
||||
</body>
|
||||
|
||||
</html>
|
|
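Review bot: this French HTML manual is stale enough that it should not remain installed as user guidance, and dropping it whole (as the companion POD below is, 636 lines to 0) is preferable to patching it: it still describes PRNG seeding for OpenSSL releases before 0.9.5a and EGD sockets, `transparent = yes` only on Linux 2.2 kernels with the transparent-proxy option, a `ciphers` example of `DES-CBC3-SHA:IDEA-CBC-MD5`, `verify` defaulting to no verification with only levels 1 to 3, and the author's old mirt.net address. Please make sure the documentation install list and any links pointing at this file are updated in the same commit so the build does not reference a removed file.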
@ -1,636 +0,0 @@
|
|||
=head1 NOM
|
||||
|
||||
=encoding utf8
|
||||
|
||||
stunnel - tunnel SSL universel
|
||||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
=over 4
|
||||
|
||||
=item B<Unix:>
|
||||
|
||||
B<stunnel> S<[fichier]> | S<-fd [n]> | S<-help> | S<-version> | S<-sockets>
|
||||
|
||||
=item B<WIN32:>
|
||||
|
||||
B<stunnel> S<[fichier]> | S<-install> | S<-uninstall> | S<-help> | S<-version> | S<-sockets>
|
||||
|
||||
=back
|
||||
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
Le programme B<stunnel> est conçu pour fonctionner comme une couche
|
||||
de chiffrement I<SSL> entre des clients distants et des serveurs locaux
|
||||
(I<inetd>-démarrables) ou distants. Le concept est qu'à partir de daemons
|
||||
non-SSL présents sur le système, on peut facilement les configurer pour
|
||||
communiquer avec des clients sur des liens sécurisés SSL.
|
||||
|
||||
B<stunnel> peut être utilisé pour ajouter des fonctionnalités SSL à des
|
||||
daemons classiques I<Inetd> tels que les serveurs POP-2, POP-3 et IMAP,
|
||||
à d'autres autonomes tels que NNTP, SMTP et HTTP, ainsi que pour tunneliser
|
||||
PPP sur des sockets réseau sans modification du code source.
|
||||
|
||||
Ce produit inclut du code de chiffrement écrit par
|
||||
Eric Young (eay@cryptsoft.com)
|
||||
|
||||
|
||||
=head1 OPTIONS
|
||||
|
||||
=over 4
|
||||
|
||||
=item B<[fichier]>
|
||||
|
||||
Utilisation du fichier de configuration spécifié.
|
||||
|
||||
=item B<-fd [n]> (Unix seulement)
|
||||
|
||||
Lecture du fichier de configuration depuis le descripteur de
|
||||
fichier indiqué.
|
||||
|
||||
=item B<-help>
|
||||
|
||||
Affiche le menu d'aide de B<stunnel>.
|
||||
|
||||
=item B<-version>
|
||||
|
||||
Affiche la version de B<stunnel> et les options de compilation.
|
||||
|
||||
=item B<-sockets>
|
||||
|
||||
Affiche les options socket par défaut.
|
||||
|
||||
=item B<-install> (NT/2000/XP seulement)
|
||||
|
||||
Installe un service NT.
|
||||
|
||||
=item B<-uninstall> (NT/2000/XP only)
|
||||
|
||||
Désinstalle un service NT.
|
||||
|
||||
=back
|
||||
|
||||
|
||||
=head1 FICHIER DE CONFIGURATION
|
||||
|
||||
Chaque ligne du fichier de configuration peut être soitE<nbsp>:
|
||||
|
||||
=over 4
|
||||
|
||||
=item *
|
||||
|
||||
une ligne vide (ignorée)E<nbsp>;
|
||||
|
||||
=item *
|
||||
|
||||
un commentaire commençant par «E<nbsp>#E<nbsp>» (ignoré)E<nbsp>;
|
||||
|
||||
=item *
|
||||
|
||||
une paire «E<nbsp>option = valeurE<nbsp>»E<nbsp>;
|
||||
|
||||
=item *
|
||||
|
||||
«E<nbsp>[service_name]E<nbsp>» indiquant le début de la définition d'un serviceE<nbsp>;
|
||||
|
||||
=back
|
||||
|
||||
=head2 OPTIONS GLOBALES
|
||||
|
||||
=over 4
|
||||
|
||||
=item B<CApath> = répertoire
|
||||
|
||||
Répertoire des autorités de certification (CA)
|
||||
|
||||
C'est le répertoire dans lequel B<stunnel> cherche les certificats si
|
||||
l'on utilise I<verify>. Les certificats doivent être dénommés selon la
|
||||
forme XXXXXXXX.0, où XXXXXXXX est la valeur de hachage du certificat.
|
||||
|
||||
Le cas échéant, le répertoire I<CApath> est relatif au répertoire I<chroot>.
|
||||
|
||||
=item B<CAfile> = fichier
|
||||
|
||||
Fichier d'autorités de certification
|
||||
|
||||
Ce fichier, utilisé avec I<verify>, contient plusieurs certificats de CA.
|
||||
|
||||
=item B<cert> = fichier
|
||||
|
||||
Fichier de chaîne de certificats PEM
|
||||
|
||||
Une PEM est toujours nécessaire en mode serveur.
|
||||
En mode client, cette option utilise cette PEM comme une chaîne côté client.
|
||||
L'utilisation de certificats côté client est optionnelle. Les certificats
|
||||
doivent être au format PEM et triés par ordre de niveau décroissant (CA racine
|
||||
en premier).
|
||||
|
||||
=item B<chroot> = répertoire (Unix seulement)
|
||||
|
||||
Répertoire de chroot du processus B<stunnel>
|
||||
|
||||
B<chroot> enferme B<stunnel> dans une cellule chroot. I<CApath>, I<CRLpath>, I<pid>
|
||||
et I<exec> sont situés à l'intérieur de la cellule et les répertoires doivent être
|
||||
relatifs au répertoire correspondant.
|
||||
|
||||
Pour que le contrôle de libwrap (wrappeur TCP) soit effectif dans un environnement
|
||||
chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et
|
||||
/etc/hosts.deny).
|
||||
|
||||
=item B<ciphers> = listes de chiffre
|
||||
|
||||
Sélection des chiffres SSL autorisés
|
||||
|
||||
Liste délimitée par deux-points («E<nbsp>:E<nbsp>») des chiffres autorisés pour la connexion SSL.
|
||||
ExempleE<nbsp>: DES-CBC3-SHA:IDEA-CBC-MD5
|
||||
|
||||
=item B<client> = yes | no
|
||||
|
||||
Mode client (Le service distant utilise SSL)
|
||||
|
||||
Par défautE<nbsp>: no (mode server)
|
||||
|
||||
=item B<CRLpath> = répertoire
|
||||
|
||||
Répertoire des listes de révocation de certificats (CRL)
|
||||
|
||||
C'est le répertoire dans lequel B<stunnel> recherche les CRL avec
|
||||
l'option I<verify>. Les CRL doivent être dénommés selon la
|
||||
forme XXXXXXXX.0 où XXXXXXXX est la valeur de hachage de la CRL.
|
||||
|
||||
Le cas échéant, le répertoire I<CRLpath> est relatif au répertoire I<chroot>.
|
||||
|
||||
=item B<CRLfile> = fichier
|
||||
|
||||
Fichier de listes de révocation de certificats (CRL)
|
||||
|
||||
Ce fichier, utilisé avec I<verify>, contient plusieurs CRL.
|
||||
|
||||
=item B<debug> = [facilité.]niveau
|
||||
|
||||
niveau de déverminage
|
||||
|
||||
Le niveau est un nom ou un numéro conforme à ceux de syslogE<nbsp>:
|
||||
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
|
||||
info (6) ou debug (7). Toutes les traces du niveau indiqué et des niveaux
|
||||
numériquement inférieurs seront affichées. B<debug = debug> ou
|
||||
B<debug = 7> donneront le maximum d'informations. La valeur par défaut
|
||||
est notice (5).
|
||||
|
||||
La facilité syslog «E<nbsp>daemonE<nbsp>» est utilisée, sauf si un autre nom est spécifié
|
||||
(Win32 ne permet pas l'usage des facilités.)
|
||||
|
||||
La casse est ignorée, aussi bien pour la facilité que pour le niveau.
|
||||
|
||||
=item B<EGD> = chemin (Unix seulement)
|
||||
|
||||
Emplacement du socket du daemon de recueil d'entropie (EGD - Entropy Gathering Daemon)
|
||||
|
||||
Socket EGD à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible
|
||||
seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur).
|
||||
|
||||
=item B<foreground> = yes | no (Unix seulement)
|
||||
|
||||
Mode avant-plan
|
||||
|
||||
Reste en avant-plan (sans fork) et dirige la trace sur stderr
|
||||
au lieu de syslog (sauf si B<output> est spécifié).
|
||||
|
||||
Par défaultE<nbsp>: arrière-plan en mode daemon.
|
||||
|
||||
=item B<key> = fichier
|
||||
|
||||
Fichier de clef privée pour le certificat spécifié par I<cert>
|
||||
|
||||
La clef privée est nécessaire pour authentifier le titulaire du
|
||||
certificat.
|
||||
Puisque ce fichier doit rester secret, il ne doit être lisible que
|
||||
par son propriétaire. Sur les systèmes Unix, on peut utiliser la
|
||||
commande suivanteE<nbsp>:
|
||||
|
||||
chmod 600 fichier
|
||||
|
||||
Par défaultE<nbsp>: Valeur de I<cert>
|
||||
|
||||
=item B<options> = Options_SSL
|
||||
|
||||
Options de la bibliothèque OpenSSL
|
||||
|
||||
Le paramètre est l'option OpenSSL décrite dans la page de man
|
||||
I<SSL_CTX_set_options(3ssl)>, débarassée du préfixe I<SSL_OP_>.
|
||||
Plusieurs I<options> peuvent être spécifiées.
|
||||
|
||||
Par exemple, pour la compatibilité avec l'implantation SSL défaillante
|
||||
d'Eudora, on peut utiliserE<nbsp>:
|
||||
|
||||
options = DONT_INSERT_EMPTY_FRAGMENTS
|
||||
|
||||
=item B<output> = fichier
|
||||
|
||||
Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.
|
||||
|
||||
/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard
|
||||
(par exemple pour les traiter avec les outils splogger).
|
||||
|
||||
=item B<pid> = fichier (Unix seulement)
|
||||
|
||||
Emplacement du fichier pid
|
||||
|
||||
Si l'argument est vide, aucun fichier ne sera créé.
|
||||
|
||||
Le cas échéant, le chemin I<pid> est relatif au répertoire I<chroot>.
|
||||
|
||||
=item B<RNDbytes> = nombre
|
||||
|
||||
Nombre d'octets à lire depuis les fichiers de «E<nbsp>selE<nbsp>» aléatoire
|
||||
|
||||
Avec les SSL de version inférieure à 0.9.5a, détermine aussi le nombre
|
||||
d'octets considérés comme suffisants pour «E<nbsp>salerE<nbsp>» le PRNG. Les versions plus
|
||||
récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire
|
||||
est suffisant.
|
||||
|
||||
=item B<RNDfile> = fichier
|
||||
|
||||
chemin du fichier de données de «E<nbsp>selE<nbsp>» aléatoire
|
||||
|
||||
La bibliothèque SSL utilise prioritairement les données de ce fichier pour
|
||||
«E<nbsp>salerE<nbsp>» le générateur d'aléatoire.
|
||||
|
||||
=item B<RNDoverwrite> = yes | no
|
||||
|
||||
Recouvre les fichiers de «E<nbsp>selE<nbsp>» avec de nouvelles données aléatoires.
|
||||
|
||||
Par défautE<nbsp>: yes
|
||||
|
||||
=item B<service> = nom
|
||||
|
||||
Définit le nom de service à utiliser
|
||||
|
||||
B<Sous UnixE<nbsp>:> nom de service du mode I<inetd> pour la bibliothèque TCP Wrapper.
|
||||
|
||||
Par défautE<nbsp>: stunnel
|
||||
|
||||
=item B<session> = timeout
|
||||
|
||||
Timeout du cache de session
|
||||
|
||||
=item B<setgid> = nom (Unix seulement)
|
||||
|
||||
Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)
|
||||
|
||||
=item B<setuid> = nom (Unix seulement)
|
||||
|
||||
Nom d'utilisateur utilisé en mode daemon
|
||||
|
||||
=item B<socket> = a|l|r:option=valeur[:valeur]
|
||||
|
||||
Configure une option de socket accept (a), locale (l) ou distante (r)
|
||||
|
||||
Les valeurs de l'option linger sontE<nbsp>: l_onof:l_linger.
|
||||
Les valeurs de l'option time sontE<nbsp>: tv_sec:tv_usec.
|
||||
|
||||
ExemplesE<nbsp>:
|
||||
|
||||
socket = l:SO_LINGER=1:60
|
||||
définit un délai d'une minute pour la clôture des sockets locaux
|
||||
socket = r:SO_OOBINLINE=yes
|
||||
Place directement les données hors-bande dans le flux de réception
|
||||
des sockets distants
|
||||
socket = a:SO_REUSEADDR=no
|
||||
désactive la réutilisation d'adresses (activée par défaut)
|
||||
socket = a:SO_BINDTODEVICE=lo
|
||||
limite l'acceptation des connexions sur la seule interface de bouclage
|
||||
|
||||
=item B<taskbar> = yes | no (WIN32 seulement)
|
||||
|
||||
active l'icône de la barre de tâches
|
||||
|
||||
Par défautE<nbsp>: yes
|
||||
|
||||
=item B<verify> = niveau
|
||||
|
||||
Vérifie le certificat du correspondant
|
||||
|
||||
niveau 1 - vérifie le certificat s'il est présent
|
||||
niveau 2 - vérifie le certificat
|
||||
niveau 3 - contrôle le correspondant avec le certificat local
|
||||
|
||||
Par défaut - pas de vérification
|
||||
|
||||
=back
|
||||
|
||||
|
||||
=head2 OPTIONS DE SERVICE
|
||||
|
||||
Chaque section de configuration commence par le nom du service entre crochets.
|
||||
Celui-ci est utilisé par le contrôle d'accès de libwrap (TCP Wrappers) et sert
|
||||
à distinguer les services B<stunnel> dans les fichiers de traces.
|
||||
|
||||
Si l'on souhaite utiliser B<stunnel> en mode I<inetd> (lorsqu'un socket lui est
|
||||
fourni par un serveur comme I<inetd>, I<xinetd> ou I<tcpserver>), il faut se
|
||||
reporter à la section I<MODE INETD> plus bas.
|
||||
|
||||
|
||||
=over 4
|
||||
|
||||
=item B<accept> = [hôte:]port
|
||||
|
||||
Accepte des connexions sur le port spécifié
|
||||
|
||||
Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses IP de
|
||||
la machine locale.
|
||||
|
||||
=item B<connect> = [hôte:]port
|
||||
|
||||
Se connecte au port distant indiqué
|
||||
|
||||
Par défaut, l'hôte est localhost.
|
||||
|
||||
=item B<delay> = yes | no
|
||||
|
||||
Retarde la recherche DNS pour l'option «E<nbsp>connectE<nbsp>»
|
||||
|
||||
=item B<exec> = chemin_exécutable (Unix seulement)
|
||||
|
||||
Exécute un programme local de type inetd
|
||||
|
||||
Le cas échéant, le chemin I<exec> est relatif au répertoire I<chroot>.
|
||||
|
||||
=item B<execargs> = $0 $1 $2 ... (Unix seulement)
|
||||
|
||||
Arguments pour I<exec>, y compris le nom du programme ($0)
|
||||
|
||||
Les quotes ne peuvent actuellement pas être utilisées.
|
||||
Les arguments sont séparés par un nombre quelconque d'espaces.
|
||||
|
||||
=item B<ident> = nom
|
||||
|
||||
Applique le contrôle d'identité d'utilisateur IDENT (RFC 1413)
|
||||
|
||||
=item B<local> = hôte
|
||||
|
||||
Adresse IP de l'interface de sortie utilisée pour les connexions distantes.
|
||||
Cette option permet de relier une adresse statique locale.
|
||||
|
||||
=item B<protocol> = protocole
|
||||
|
||||
Négocie avec SSL selon le protocole indiqué
|
||||
|
||||
Actuellement gérésE<nbsp>: cifs, nntp, pop3, smtp
|
||||
|
||||
=item B<pty> = yes | no (Unix seulement)
|
||||
|
||||
Alloue un pseudo-terminal pour l'option «E<nbsp>execE<nbsp>»
|
||||
|
||||
=item B<TIMEOUTbusy> = secondes
|
||||
|
||||
Durée d'attente de données
|
||||
|
||||
=item B<TIMEOUTclose> = secondes
|
||||
|
||||
Durée d'attente du close_notify (mis à 0 pour MSIE qui est bogué)
|
||||
|
||||
=item B<TIMEOUTidle> = secondes
|
||||
|
||||
Durée d'attente sur une connexion inactive
|
||||
|
||||
=item B<transparent> = yes | no (Unix seulement)
|
||||
|
||||
Mode mandataire transparent
|
||||
|
||||
Ré-écrit les adresses pour qu'elles apparaissent provenir de la
|
||||
machine client SSL plutôt que de celle qui exécute B<stunnel>.
|
||||
Cette option n'est disponible en mode local (option I<exec>) qu'avec
|
||||
la bibliothèque partagée LD_PRELOADing env.so shared library et en mode
|
||||
distant (option I<connect>) sur les noyaux Linux 2.2 compilés avec
|
||||
l'option I<transparent proxy> et seulement en mode serveur. Cette
|
||||
option ne se combine pas au mode mandataire (I<connect>) sauf si la
|
||||
route par défaut du client vers la cible passe par l'hôte qui fait
|
||||
tourner B<stunnel>, qui ne peut être localhost.
|
||||
|
||||
=back
|
||||
|
||||
|
||||
=head1 VALEUR DE RETOUR
|
||||
|
||||
B<stunnel> renvoie zéro en cas de succès, une autre valeur en cas d'erreur.
|
||||
|
||||
|
||||
=head1 EXEMPLES
|
||||
|
||||
Pour encapsuler votre service I<imapd> local avec SSLE<nbsp>:
|
||||
|
||||
[imapd]
|
||||
accept = 993
|
||||
exec = /usr/sbin/imapd
|
||||
execargs = imapd
|
||||
|
||||
Pour tunneliser un daemon I<pppd> sur le port 2020E<nbsp>:
|
||||
|
||||
[vpn]
|
||||
accept = 2020
|
||||
exec = /usr/sbin/pppd
|
||||
execargs = pppd local
|
||||
pty = yes
|
||||
|
||||
Configuration de I<stunnel.conf> pour utiliser B<stunnel> en mode I<inetd>
|
||||
qui lance imapd à son tour (il ne doit pas y avoir de section I<[service_name]>)E<nbsp>:
|
||||
|
||||
exec = /usr/sbin/imapd
|
||||
execargs = imapd
|
||||
|
||||
|
||||
=head1 FICHIERS
|
||||
|
||||
=over 4
|
||||
|
||||
=item F<stunnel.conf>
|
||||
|
||||
Fichier de configuration de B<stunnel>
|
||||
|
||||
=item F<stunnel.pem>
|
||||
|
||||
Certificat et clef privée de B<stunnel>
|
||||
|
||||
=back
|
||||
|
||||
|
||||
=head1 BOGUES
|
||||
|
||||
L'option I<execargs> n'admet pas les quotes.
|
||||
|
||||
|
||||
=head1 RESTRICTIONS
|
||||
|
||||
B<stunnel> ne peut être utilisé pour le daemon FTP en raison de la nature
|
||||
du protocole FTP qui utilise des ports multiples pour les transferts de données.
|
||||
Il existe cependant des versions SSL de FTP et de telnet.
|
||||
|
||||
|
||||
=head1 NOTES
|
||||
|
||||
=head2 MODE INETD
|
||||
|
||||
L'utilisation la plus commune de B<stunnel> consiste à écouter un port
|
||||
réseau et à établir une communication, soit avec un nouveau port
|
||||
avec l'option I<connect>, soit avec un programme avec l'option I<exec>.
|
||||
On peut parfois cependant souhaiter qu'un autre programme reçoive les
|
||||
connexions entrantes et lance B<stunnel>, par exemple avec I<inetd>,
|
||||
I<xinetd> ou I<tcpserver>.
|
||||
|
||||
Si, par exemple, la ligne suivante se trouve dans I<inetd.conf>E<nbsp>:
|
||||
|
||||
imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
|
||||
|
||||
Dans ces cas, c'est le programme du genre I<inetd>-style qui est
|
||||
responsable de l'établissement de la connexion (I<imaps> ci-dessus) et de passer
|
||||
celle-ci à B<stunnel>.
|
||||
Ainsi, B<stunnel> ne doit alors avoir aucune option I<accept>.
|
||||
Toutes les I<options de niveau service> doivent être placées dans
|
||||
la section des options globales et aucune section I<[service_name]> ne doit
|
||||
être présente. Voir la section I<EXEMPLES> pour des exemples de configurations.
|
||||
|
||||
=head2 CERTIFICATS
|
||||
|
||||
Chaque daemon à propriétés SSL doit présenter un certificat X.509
|
||||
valide à son interlocuteur. Il a aussi besoin d'une clef privé pour
|
||||
déchiffrer les données entrantes. La méthode la plus simple pour
|
||||
obtenir un certificat et une clef est d'engendrer celles-ci avec
|
||||
le paquetage libre I<OpenSSL>. Plus d'informations sur la génération de
|
||||
certificats se trouvent dans les pages indiquées plus bas.
|
||||
|
||||
Deux choses importantes lors de la génération de paires certificat-clef
|
||||
pour B<stunnel>E<nbsp>:
|
||||
|
||||
=over 4
|
||||
|
||||
=item *
|
||||
|
||||
la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen
|
||||
d'obtenir le mot de passe de l'utilisateurE<nbsp>; pour produire une clef non chiffrée,
|
||||
ajouter l'option I<-nodes> à la commande B<req> de I<OpenSSL>E<nbsp>;
|
||||
|
||||
=item *
|
||||
|
||||
l'ordre du contenu du fichier I<.pem> est significatifE<nbsp>: il doit contenir d'abord
|
||||
une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat).
|
||||
Il doit aussi y avoir des lignes vides après le certificat et après la clef privée.
|
||||
L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que
|
||||
le fichier ait l'allure suivanteE<nbsp>:
|
||||
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
[clef encodée]
|
||||
-----END RSA PRIVATE KEY-----
|
||||
[ligne vide]
|
||||
-----BEGIN CERTIFICATE-----
|
||||
[certificat encodé]
|
||||
-----END CERTIFICATE-----
|
||||
[ligne vide]
|
||||
|
||||
=back
|
||||
|
||||
=head2 ALEATOIRE
|
||||
|
||||
B<stunnel> doit «E<nbsp>salerE<nbsp>» le générateur de pseudo-aléatoires PRNG (pseudo random
|
||||
number generator) afin que SSL utilise un aléatoire de qualité. Les sources suivantes
|
||||
sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lueE<nbsp>:
|
||||
|
||||
=over 4
|
||||
|
||||
=item *
|
||||
|
||||
le fichier spécifié par I<RNDfile>E<nbsp>;
|
||||
|
||||
=item *
|
||||
|
||||
le fichier spécifié par la variable d'environnement RANDFILE, à défaut
|
||||
le fichier .rnd du répertoire $HOME de l'utilisateurE<nbsp>;
|
||||
|
||||
=item *
|
||||
|
||||
le fichier spécifié par «E<nbsp>--with-randomE<nbsp>» lors de la compilationE<nbsp>;
|
||||
|
||||
=item *
|
||||
|
||||
le contenu de l'écran (MS-Windows seulement)E<nbsp>;
|
||||
|
||||
=item *
|
||||
|
||||
le socket EGD spécifié par I<EGD>E<nbsp>;
|
||||
|
||||
=item *
|
||||
|
||||
le socket EGD spécifié par «E<nbsp>--with-egd-sockE<nbsp>» lors de la compilationE<nbsp>;
|
||||
|
||||
=item *
|
||||
|
||||
le périphérique /dev/urandom.
|
||||
|
||||
=back
|
||||
|
||||
Avec un OpenSSL récent (>=OpenSSL 0.9.5a) le chargement de données s'arrête
|
||||
automatiquement lorsqu'un niveau d'entropie suffisant est atteint.
|
||||
Les versions précédentes continuent à lire toutes les sources puisqu'aucune
|
||||
fonction SSL ne leur permet de savoir que suffisamment de données sont disponibles.
|
||||
|
||||
Sur les machines MS-Windows qui n'ont pas d'interaction utilisateur sur la console,
|
||||
(mouvements de souris, création de fenêtres, etc.), le contenu de l'écran n'est
|
||||
pas suffisamment changeant et il est nécessaire de fournir un fichier d'aléatoire
|
||||
par le biais de I<RNDfile>.
|
||||
|
||||
Le fichier spécifié par I<RNDfile> doit contenir des informations aléatoires --
|
||||
c'est-à-dire des informations différentes à chaque lancement de B<stunnel>.
|
||||
Cela est géré automatiquement sauf si l'option I<RNDoverwrite> est utilisée.
|
||||
Si l'on souhaite procéder manuellement à la mise à jour de ce fichier, la
|
||||
commande I<openssl rand> des versions récentes d'OpenSSL sera sans doute utile.
|
||||
|
||||
Note importanteE<nbsp>: si /dev/urandom est disponible, OpenSSL a l'habitude d'utiliser
|
||||
celui-ci pour «E<nbsp>salerE<nbsp>» le PRNG même lorsqu'il contrôle l'état de l'aléatoireE<nbsp>;
|
||||
ainsi, même si /dev/urandom est dernier de la liste ci-dessus, il est vraisemblable
|
||||
qu'il soit utilisé s'il est présent.
|
||||
Ce n'est pas le comportement de B<stunnel>, c'est celui d'OpenSSL.
|
||||
|
||||
|
||||
=head1 VOIR AUSSI
|
||||
|
||||
=over 4
|
||||
|
||||
=item L<tcpd(8)>
|
||||
|
||||
Service de contrôle d'accès pour les services internet
|
||||
|
||||
=item L<inetd(8)>
|
||||
|
||||
«E<nbsp>super-serveurE<nbsp>» internet
|
||||
|
||||
=item F<http://www.stunnel.org/>
|
||||
|
||||
Page de référence de B<stunnel>
|
||||
|
||||
=item F<http://www.openssl.org/>
|
||||
|
||||
Site web du projet OpenSSL
|
||||
|
||||
=back
|
||||
|
||||
|
||||
=head1 AUTEUR
|
||||
|
||||
=over 4
|
||||
|
||||
=item Michał Trojnara
|
||||
|
||||
<F<Michal.Trojnara@mirt.net>>
|
||||
|
||||
=back
|
||||
|
||||
=head1 ADAPTATION FRANÇAISE
|
||||
|
||||
=over 4
|
||||
|
||||
=item Bernard Choppy
|
||||
|
||||
<F<choppy AT free POINT fr>>
|
||||
|
||||
=back
|
1120
doc/stunnel.html
File diff suppressed because it is too large
1158
doc/stunnel.pl.html
File diff suppressed because it is too large
1124
doc/stunnel.pod
File diff suppressed because it is too large
|
@ -1,13 +1,14 @@
|
|||
# Helper functions for option handling. -*- Autoconf -*-
|
||||
#
|
||||
# Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc.
|
||||
# Copyright (C) 2004, 2005, 2007, 2008, 2009 Free Software Foundation,
|
||||
# Inc.
|
||||
# Written by Gary V. Vaughan, 2004
|
||||
#
|
||||
# This file is free software; the Free Software Foundation gives
|
||||
# unlimited permission to copy and/or distribute it, with or without
|
||||
# modifications, as long as this notice is preserved.
|
||||
|
||||
# serial 6 ltoptions.m4
|
||||
# serial 7 ltoptions.m4
|
||||
|
||||
# This is to help aclocal find these macros, as it can't see m4_define.
|
||||
AC_DEFUN([LTOPTIONS_VERSION], [m4_if([1])])
|
||||
|
@ -125,7 +126,7 @@ LT_OPTION_DEFINE([LT_INIT], [win32-dll],
|
|||
[enable_win32_dll=yes
|
||||
|
||||
case $host in
|
||||
*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-cegcc*)
|
||||
*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-cegcc*)
|
||||
AC_CHECK_TOOL(AS, as, false)
|
||||
AC_CHECK_TOOL(DLLTOOL, dlltool, false)
|
||||
AC_CHECK_TOOL(OBJDUMP, objdump, false)
|
||||
|
@ -133,13 +134,13 @@ case $host in
|
|||
esac
|
||||
|
||||
test -z "$AS" && AS=as
|
||||
_LT_DECL([], [AS], [0], [Assembler program])dnl
|
||||
_LT_DECL([], [AS], [1], [Assembler program])dnl
|
||||
|
||||
test -z "$DLLTOOL" && DLLTOOL=dlltool
|
||||
_LT_DECL([], [DLLTOOL], [0], [DLL creation program])dnl
|
||||
_LT_DECL([], [DLLTOOL], [1], [DLL creation program])dnl
|
||||
|
||||
test -z "$OBJDUMP" && OBJDUMP=objdump
|
||||
_LT_DECL([], [OBJDUMP], [0], [Object dumper program])dnl
|
||||
_LT_DECL([], [OBJDUMP], [1], [Object dumper program])dnl
|
||||
])# win32-dll
|
||||
|
||||
AU_DEFUN([AC_LIBTOOL_WIN32_DLL],
|
||||
|
@ -325,9 +326,24 @@ dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], [])
|
|||
# MODE is either `yes' or `no'. If omitted, it defaults to `both'.
|
||||
m4_define([_LT_WITH_PIC],
|
||||
[AC_ARG_WITH([pic],
|
||||
[AS_HELP_STRING([--with-pic],
|
||||
[AS_HELP_STRING([--with-pic@<:@=PKGS@:>@],
|
||||
[try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
|
||||
[pic_mode="$withval"],
|
||||
[lt_p=${PACKAGE-default}
|
||||
case $withval in
|
||||
yes|no) pic_mode=$withval ;;
|
||||
*)
|
||||
pic_mode=default
|
||||
# Look at the argument we got. We use all the common list separators.
|
||||
lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
|
||||
for lt_pkg in $withval; do
|
||||
IFS="$lt_save_ifs"
|
||||
if test "X$lt_pkg" = "X$lt_p"; then
|
||||
pic_mode=yes
|
||||
fi
|
||||
done
|
||||
IFS="$lt_save_ifs"
|
||||
;;
|
||||
esac],
|
||||
[pic_mode=default])
|
||||
|
||||
test -z "$pic_mode" && pic_mode=m4_default([$1], [default])
|
||||
|
|
|
@ -7,17 +7,17 @@
|
|||
# unlimited permission to copy and/or distribute it, with or without
|
||||
# modifications, as long as this notice is preserved.
|
||||
|
||||
# Generated from ltversion.in.
|
||||
# @configure_input@
|
||||
|
||||
# serial 3017 ltversion.m4
|
||||
# serial 3337 ltversion.m4
|
||||
# This file is part of GNU Libtool
|
||||
|
||||
m4_define([LT_PACKAGE_VERSION], [2.2.6b])
|
||||
m4_define([LT_PACKAGE_REVISION], [1.3017])
|
||||
m4_define([LT_PACKAGE_VERSION], [2.4.2])
|
||||
m4_define([LT_PACKAGE_REVISION], [1.3337])
|
||||
|
||||
AC_DEFUN([LTVERSION_VERSION],
|
||||
[macro_version='2.2.6b'
|
||||
macro_revision='1.3017'
|
||||
[macro_version='2.4.2'
|
||||
macro_revision='1.3337'
|
||||
_LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?])
|
||||
_LT_DECL(, macro_revision, 0)
|
||||
])
|
||||
|
|
|
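Review bot: LT_PACKAGE_VERSION jumps from 2.2.6b to 2.4.2 and macro_revision from 1.3017 to 1.3337, and the serials of ltoptions.m4 (6 to 7) and lt~obsolete.m4 (4 to 5) move with it, but libtool.m4 and ltsugar.m4 are not part of this diff; please confirm they were taken from the same libtool release, since mixing macro files from different releases breaks at autoreconf time.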
@ -1,13 +1,13 @@
|
|||
# lt~obsolete.m4 -- aclocal satisfying obsolete definitions. -*-Autoconf-*-
|
||||
#
|
||||
# Copyright (C) 2004, 2005, 2007 Free Software Foundation, Inc.
|
||||
# Copyright (C) 2004, 2005, 2007, 2009 Free Software Foundation, Inc.
|
||||
# Written by Scott James Remnant, 2004.
|
||||
#
|
||||
# This file is free software; the Free Software Foundation gives
|
||||
# unlimited permission to copy and/or distribute it, with or without
|
||||
# modifications, as long as this notice is preserved.
|
||||
|
||||
# serial 4 lt~obsolete.m4
|
||||
# serial 5 lt~obsolete.m4
|
||||
|
||||
# These exist entirely to fool aclocal when bootstrapping libtool.
|
||||
#
|
||||
|
@ -77,7 +77,6 @@ m4_ifndef([AC_DISABLE_FAST_INSTALL], [AC_DEFUN([AC_DISABLE_FAST_INSTALL])])
|
|||
m4_ifndef([_LT_AC_LANG_CXX], [AC_DEFUN([_LT_AC_LANG_CXX])])
|
||||
m4_ifndef([_LT_AC_LANG_F77], [AC_DEFUN([_LT_AC_LANG_F77])])
|
||||
m4_ifndef([_LT_AC_LANG_GCJ], [AC_DEFUN([_LT_AC_LANG_GCJ])])
|
||||
m4_ifndef([AC_LIBTOOL_RC], [AC_DEFUN([AC_LIBTOOL_RC])])
|
||||
m4_ifndef([AC_LIBTOOL_LANG_C_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG])])
|
||||
m4_ifndef([_LT_AC_LANG_C_CONFIG], [AC_DEFUN([_LT_AC_LANG_C_CONFIG])])
|
||||
m4_ifndef([AC_LIBTOOL_LANG_CXX_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG])])
|
||||
|
@ -90,3 +89,10 @@ m4_ifndef([AC_LIBTOOL_LANG_RC_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG])])
|
|||
m4_ifndef([_LT_AC_LANG_RC_CONFIG], [AC_DEFUN([_LT_AC_LANG_RC_CONFIG])])
|
||||
m4_ifndef([AC_LIBTOOL_CONFIG], [AC_DEFUN([AC_LIBTOOL_CONFIG])])
|
||||
m4_ifndef([_LT_AC_FILE_LTDLL_C], [AC_DEFUN([_LT_AC_FILE_LTDLL_C])])
|
||||
m4_ifndef([_LT_REQUIRED_DARWIN_CHECKS], [AC_DEFUN([_LT_REQUIRED_DARWIN_CHECKS])])
|
||||
m4_ifndef([_LT_AC_PROG_CXXCPP], [AC_DEFUN([_LT_AC_PROG_CXXCPP])])
|
||||
m4_ifndef([_LT_PREPARE_SED_QUOTE_VARS], [AC_DEFUN([_LT_PREPARE_SED_QUOTE_VARS])])
|
||||
m4_ifndef([_LT_PROG_ECHO_BACKSLASH], [AC_DEFUN([_LT_PROG_ECHO_BACKSLASH])])
|
||||
m4_ifndef([_LT_PROG_F77], [AC_DEFUN([_LT_PROG_F77])])
|
||||
m4_ifndef([_LT_PROG_FC], [AC_DEFUN([_LT_PROG_FC])])
|
||||
m4_ifndef([_LT_PROG_CXX], [AC_DEFUN([_LT_PROG_CXX])])
|
||||
|
|
111
src/Makefile.am
|
@ -1,22 +1,41 @@
|
|||
## Process this file with automake to produce Makefile.in
|
||||
# by Michal Trojnara 2015-2017
|
||||
|
||||
###############################################################################
|
||||
# File lists #
|
||||
###############################################################################
|
||||
|
||||
# File lists
|
||||
common_headers = common.h prototypes.h version.h
|
||||
common_sources = str.c file.c client.c log.c options.c protocol.c network.c
|
||||
common_sources += resolver.c ssl.c ctx.c verify.c sthreads.c fd.c stunnel.c
|
||||
unix_sources = pty.c libwrap.c
|
||||
common_sources = tls.c str.c file.c client.c log.c options.c protocol.c
|
||||
common_sources += network.c resolver.c ssl.c ctx.c verify.c sthreads.c
|
||||
common_sources += fd.c dhparam.c cron.c stunnel.c
|
||||
unix_sources = pty.c libwrap.c ui_unix.c
|
||||
shared_sources = env.c
|
||||
win32_sources = gui.c resources.h resources.rc stunnel.ico
|
||||
win32_gui_sources = ui_win_gui.c resources.h resources.rc
|
||||
win32_gui_sources += stunnel.ico active.ico error.ico idle.ico
|
||||
win32_cli_sources = ui_win_cli.c
|
||||
|
||||
###############################################################################
|
||||
# Generate a new set of DH parameters for each version #
|
||||
###############################################################################
|
||||
|
||||
dhparam.c: version.h
|
||||
echo '#include "common.h"' >dhparam.c
|
||||
echo '#ifndef OPENSSL_NO_DH' >>dhparam.c
|
||||
echo '#define DN_new DH_new' >>dhparam.c
|
||||
openssl dhparam -noout -C 2048 >>dhparam.c
|
||||
echo '#endif /* OPENSSL_NO_DH */' >>dhparam.c
|
||||
|
||||
###############################################################################
|
||||
# Unix executables and shared library #
|
||||
###############################################################################
|
||||
|
||||
# Unix executables
|
||||
bin_PROGRAMS = stunnel
|
||||
stunnel_SOURCES = $(common_headers) $(common_sources) $(unix_sources)
|
||||
bin_SCRIPTS = stunnel3
|
||||
|
||||
# Unix shared library
|
||||
pkglib_LTLIBRARIES = libstunnel.la
|
||||
libstunnel_la_SOURCES = $(shared_sources)
|
||||
libstunnel_la_LDFLAGS = -avoid-version
|
||||
EXTRA_DIST = stunnel3.in
|
||||
CLEANFILES = stunnel3
|
||||
|
||||
# Red Hat "by design" bug #82369
|
||||
stunnel_CPPFLAGS = -I/usr/kerberos/include
|
||||
|
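Review bot: the dhparam.c rule is not failure-safe: the three echo lines create dhparam.c before `openssl dhparam -noout -C 2048 >>dhparam.c` runs, so if the openssl binary is missing or generation fails, a truncated dhparam.c without its closing `#endif` is left behind, and because it is now newer than version.h the next make will not regenerate it but fail compiling it until someone deletes the file by hand. Generate into a temporary file and rename it into place on success, or add `.DELETE_ON_ERROR:`. The `#define DN_new DH_new` line also deserves a comment saying which openssl output it compensates for, and the comment block should state that embedding freshly generated DH parameters makes every build non-reproducible by design.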
@ -25,55 +44,41 @@ stunnel_CPPFLAGS = -I/usr/kerberos/include
|
|||
stunnel_CPPFLAGS += -I$(SSLDIR)/include
|
||||
stunnel_CPPFLAGS += -DLIBDIR='"$(pkglibdir)"'
|
||||
stunnel_CPPFLAGS += -DCONFDIR='"$(sysconfdir)/stunnel"'
|
||||
stunnel_CPPFLAGS += -DPIDFILE='"$(localstatedir)/run/stunnel/stunnel.pid"'
|
||||
|
||||
# SSL library
|
||||
# TLS library
|
||||
stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto
|
||||
|
||||
# Win32 executable
|
||||
EXTRA_DIST = make.bat makece.bat makew32.bat
|
||||
EXTRA_DIST += mingw.mak evc.mak vc.mak os2.mak
|
||||
EXTRA_PROGRAMS = stunnel.exe tstunnel.exe
|
||||
stunnel_exe_SOURCES = $(common_headers) $(common_sources) $(win32_sources)
|
||||
tstunnel_exe_SOURCES = $(common_headers) $(common_sources) nogui.c
|
||||
# stunnel3 script
|
||||
edit = sed \
|
||||
-e 's|@bindir[@]|$(bindir)|g'
|
||||
stunnel3: Makefile
|
||||
$(edit) '$(srcdir)/$@.in' >$@
|
||||
stunnel3: $(srcdir)/stunnel3.in
|
||||
|
||||
# OPENSSLDIR = /usr/src/openssl-0.9.8u-fips
|
||||
# WINCPPFLAGS = -I$(OPENSSLDIR)/inc32
|
||||
OPENSSLDIR = /usr/src/openssl-1.0.2a-i686
|
||||
WINCPPFLAGS = -I$(OPENSSLDIR)/include
|
||||
WINCFLAGS = -mthreads -fstack-protector -O2 -Wall -Wextra -Wno-long-long -pedantic
|
||||
WINLDFLAGS = -mthreads -fstack-protector -s
|
||||
WINLIBS = -L$(OPENSSLDIR) -lcrypto -lssl -lpsapi -lws2_32 -lgdi32
|
||||
# WINLIBS = -L$(OPENSSLDIR) -lzdll -lcrypto.dll -lssl.dll -lpsapi -lws2_32 -lgdi32
|
||||
# WINLIBS = -L$(OPENSSLDIR) -lzdll -lcrypto -lssl -lpsapi -lws2_32 -lgdi32
|
||||
WINOBJ = str.obj file.obj client.obj log.obj options.obj protocol.obj
|
||||
WINOBJ += network.obj resolver.obj ssl.obj ctx.obj verify.obj sthreads.obj
|
||||
WINOBJ += fd.obj stunnel.obj
|
||||
WINGUIOBJ = $(WINOBJ) gui.obj resources.obj
|
||||
WINNOGUIOBJ = $(WINOBJ) nogui.obj
|
||||
WINPREFIX = i686-w64-mingw32-
|
||||
WINGCC = $(WINPREFIX)gcc
|
||||
WINDRES = $(WINPREFIX)windres
|
||||
# Unix shared library
|
||||
pkglib_LTLIBRARIES = libstunnel.la
|
||||
libstunnel_la_SOURCES = $(shared_sources)
|
||||
libstunnel_la_LDFLAGS = -avoid-version
|
||||
|
||||
dist-hook: stunnel.exe tstunnel.exe
|
||||
###############################################################################
|
||||
# Win32 executables #
|
||||
###############################################################################
|
||||
|
||||
distclean-local:
|
||||
rm -f stunnel.exe tstunnel.exe
|
||||
if AUTHOR_TESTS
|
||||
# Just check if the programs can be built, don't perform any actual tests
|
||||
check-local: mingw mingw64
|
||||
endif
|
||||
|
||||
# SUFFIXES = .c .rc .obj
|
||||
mingw:
|
||||
$(MAKE) -f $(srcdir)/mingw.mk srcdir=$(srcdir) win32_targetcpu=i686 win32_mingw=mingw
|
||||
mingw64:
|
||||
$(MAKE) -f $(srcdir)/mingw.mk srcdir=$(srcdir) win32_targetcpu=x86_64 win32_mingw=mingw64
|
||||
.PHONY: mingw mingw64
|
||||
|
||||
stunnel.exe: $(WINGUIOBJ)
|
||||
$(WINGCC) -mwindows $(WINLDFLAGS) -o stunnel.exe $(WINGUIOBJ) $(WINLIBS)
|
||||
|
||||
tstunnel.exe: $(WINNOGUIOBJ)
|
||||
$(WINGCC) $(WINLDFLAGS) -o tstunnel.exe $(WINNOGUIOBJ) $(WINLIBS)
|
||||
|
||||
%.obj: %.c $(common_headers)
|
||||
$(WINGCC) -c $(WINCPPFLAGS) $(WINCFLAGS) -o $@ $<
|
||||
|
||||
resources.obj: resources.rc resources.h version.h
|
||||
$(WINDRES) --include-dir $(srcdir) $< $@
|
||||
|
||||
mostlyclean-local:
|
||||
-rm -f *.obj
|
||||
clean-local:
|
||||
rm -rf ../obj ../bin
|
||||
|
||||
# Remaining files to be included
|
||||
EXTRA_DIST += $(win32_gui_sources) $(win32_cli_sources)
|
||||
EXTRA_DIST += make.bat makece.bat makew32.bat
|
||||
EXTRA_DIST += mingw.mk mingw.mak evc.mak vc.mak os2.mak
|
||||
|
|
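Review bot: `clean-local: rm -rf ../obj ../bin` deletes obj/ and bin/ in the parent of whichever directory make runs in; for an in-tree build that is the stunnel top level, but nothing ties the path to $(top_srcdir) or $(top_builddir), so an unusual build layout removes directories that are not stunnel's. Anchor the removal to whichever of those two directories mingw.mk actually writes into, or better, give mingw.mk its own clean target and invoke it with the same srcdir/win32_targetcpu variables. Separately, the stunnel3 rule writes the sed output straight to `$@` in `$(edit) '$(srcdir)/$@.in' >$@`, so a failed sed leaves a partial script that bin_SCRIPTS will happily install; redirect to `$@.tmp` and `mv` on success.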
818
src/Makefile.in
File diff suppressed because it is too large
Binary file not shown.
1273
src/client.c
File diff suppressed because it is too large
231
src/common.h
|
@ -1,24 +1,24 @@
|
|||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version.
|
||||
*
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||
* See the GNU General Public License for more details.
|
||||
*
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||
*
|
||||
*
|
||||
* Linking stunnel statically or dynamically with other modules is making
|
||||
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||
* the GNU General Public License cover the whole combination.
|
||||
*
|
||||
*
|
||||
* In addition, as a special exception, the copyright holder of stunnel
|
||||
* gives you permission to combine stunnel with free software programs or
|
||||
* libraries that are released under the GNU LGPL and with code included
|
||||
|
@ -26,7 +26,7 @@
|
|||
* modified versions of such code, with unchanged license). You may copy
|
||||
* and distribute such a system following the terms of the GNU GPL for
|
||||
* stunnel and the licenses of the other code concerned.
|
||||
*
|
||||
*
|
||||
* Note that people who make modified versions of stunnel are not obligated
|
||||
* to grant this special exception for their modified versions; it is their
|
||||
* choice whether to do so. The GNU General Public License gives permission
|
||||
|
@ -40,7 +40,6 @@
|
|||
|
||||
#include "version.h"
|
||||
|
||||
|
||||
/**************************************** common constants */
|
||||
|
||||
#define LIBWRAP_CLIENTS 5
|
||||
|
@ -49,7 +48,7 @@
|
|||
#define DEFAULT_STACK_SIZE 65536
|
||||
/* #define DEBUG_STACK_SIZE */
|
||||
|
||||
/* I/O buffer size - 18432 is the maximum size of SSL record payload */
|
||||
/* I/O buffer size: 18432 (0x4800) is the maximum size of TLS record payload */
|
||||
#define BUFFSIZE 18432
|
||||
|
||||
/* how many bytes of random input to read from files for PRNG */
|
||||
|
@ -62,6 +61,12 @@
|
|||
/* additional diagnostic messages */
|
||||
/* #define DEBUG_FD_ALLOC */
|
||||
|
||||
#ifdef DEBUG_INFO
|
||||
#define NOEXPORT
|
||||
#else
|
||||
#define NOEXPORT static
|
||||
#endif
|
||||
|
||||
/**************************************** platform */
|
||||
|
||||
#ifdef _WIN32
|
||||
|
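Review bot: NOEXPORT expands to nothing under DEBUG_INFO, so every function declared with it gains external linkage in debug builds; that is useful for symbolized backtraces, but it means two translation units may not reuse the same NOEXPORT function name or the debug build fails to link while the release build is fine. A one-line comment above the `#ifdef DEBUG_INFO` stating that intent and constraint would spare the next reader the surprise.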
@ -70,20 +75,32 @@
|
|||
|
||||
#ifdef _WIN32_WCE
|
||||
#define USE_WIN32
|
||||
typedef int socklen_t;
|
||||
typedef int socklen_t;
|
||||
#endif
|
||||
|
||||
#ifdef USE_WIN32
|
||||
typedef signed char int8_t;
|
||||
typedef signed short int16_t;
|
||||
typedef signed int int32_t;
|
||||
typedef signed long long int64_t;
|
||||
typedef unsigned char uint8_t;
|
||||
typedef unsigned short uint16_t;
|
||||
typedef unsigned int uint32_t;
|
||||
typedef unsigned long long uint64_t;
|
||||
#ifndef __MINGW32__
|
||||
#ifdef _WIN64
|
||||
typedef __int64 ssize_t;
|
||||
#else /* _WIN64 */
|
||||
typedef int ssize_t;
|
||||
#endif /* _WIN64 */
|
||||
#endif /* !__MINGW32__ */
|
||||
#define PATH_MAX MAX_PATH
|
||||
#define USE_IPv6
|
||||
#define _CRT_SECURE_NO_DEPRECATE
|
||||
#define _CRT_NONSTDC_NO_DEPRECATE
|
||||
#define HAVE_OSSL_ENGINE_H
|
||||
#define HAVE_OSSL_OCSP_H
|
||||
/* prevent including wincrypt.h, as it defines it's own OCSP_RESPONSE */
|
||||
#define _CRT_NON_CONFORMING_SWPRINTFS
|
||||
/* prevent including wincrypt.h, as it defines its own OCSP_RESPONSE */
|
||||
#define __WINCRYPT_H__
|
||||
#endif
|
||||
|
||||
#ifdef USE_WIN32
|
||||
#define S_EADDRINUSE WSAEADDRINUSE
|
||||
/* winsock does not define WSAEAGAIN */
|
||||
/* in most (but not all!) BSD implementations EAGAIN==EWOULDBLOCK */
|
||||
|
@ -158,9 +175,17 @@ typedef int socklen_t;
|
|||
#include <pthread.h>
|
||||
#endif
|
||||
|
||||
/* TCP wrapper */
|
||||
#if defined HAVE_TCPD_H && defined HAVE_LIBWRAP
|
||||
#define USE_LIBWRAP 1
|
||||
/* systemd */
|
||||
#ifdef USE_SYSTEMD
|
||||
#include <systemd/sd-daemon.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_STDINT_H
|
||||
#include <stdint.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_INTTYPES_H
|
||||
#include <inttypes.h>
|
||||
#endif
|
||||
|
||||
/* must be included before sys/stat.h for Ultrix */
|
||||
|
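Review bot: the `#define USE_LIBWRAP 1` derived from HAVE_TCPD_H and HAVE_LIBWRAP is dropped here with nothing replacing it in this file, while libwrap.c stays in unix_sources in src/Makefile.am; if USE_LIBWRAP is now meant to come straight from configure, say so in a comment, otherwise TCP wrapper support silently compiles out. The new `#include <stdint.h>` is also the only remaining source of int8_t..uint64_t now that the hand-written USE_WIN32 typedefs are gone, and it is guarded by HAVE_STDINT_H, which a Win32 build that does not run configure has to define itself.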
@ -185,10 +210,6 @@ typedef int socklen_t;
|
|||
|
||||
#ifdef USE_WIN32
|
||||
|
||||
typedef unsigned char u8;
|
||||
typedef unsigned short u16;
|
||||
typedef unsigned long u32;
|
||||
|
||||
#define HAVE_STRUCT_ADDRINFO
|
||||
#define HAVE_SNPRINTF
|
||||
#define snprintf _snprintf
|
||||
|
@ -202,10 +223,9 @@ typedef unsigned long u32;
|
|||
#define set_last_socket_error(e) WSASetLastError(e)
|
||||
#define get_last_error() GetLastError()
|
||||
#define set_last_error(e) SetLastError(e)
|
||||
#define readsocket(s,b,n) recv((s),(b),(n),0)
|
||||
#define writesocket(s,b,n) send((s),(b),(n),0)
|
||||
#define readsocket(s,b,n) recv((s),(b),(int)(n),0)
|
||||
#define writesocket(s,b,n) send((s),(b),(int)(n),0)
|
||||
|
||||
/* #define FD_SETSIZE 4096 */
|
||||
/* #define Win32_Winsock */
|
||||
#define __USE_W32_SOCKETS
|
||||
|
||||
|
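Review bot: `readsocket`/`writesocket` now cast the length with `(int)(n)` to match Winsock's recv/send prototypes; that silences the size_t-to-int warning but turns any n above INT_MAX into a negative length. With BUFFSIZE at 18432 no current caller can hit that, yet the macro hides the narrowing from every future caller. A small inline helper that checks `n <= INT_MAX` before calling recv/send keeps the guarantee explicit instead of relying on the buffer size.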
@ -216,6 +236,7 @@ typedef unsigned long u32;
|
|||
#include <windows.h>
|
||||
|
||||
#include <process.h> /* _beginthread */
|
||||
#include <shlobj.h> /* SHGetFolderPath */
|
||||
#include <tchar.h>
|
||||
|
||||
#include "resources.h"
|
||||
|
@ -224,22 +245,6 @@ typedef unsigned long u32;
|
|||
|
||||
#else /* USE_WIN32 */
|
||||
|
||||
#if SIZEOF_UNSIGNED_CHAR == 1
|
||||
typedef unsigned char u8;
|
||||
#endif
|
||||
|
||||
#if SIZEOF_UNSIGNED_SHORT == 2
|
||||
typedef unsigned short u16;
|
||||
#else
|
||||
typedef unsigned int u16;
|
||||
#endif
|
||||
|
||||
#if SIZEOF_UNSIGNED_INT == 4
|
||||
typedef unsigned int u32;
|
||||
#else
|
||||
typedef unsigned long u32;
|
||||
#endif
|
||||
|
||||
#ifdef __INNOTEK_LIBC__
|
||||
#define socklen_t __socklen_t
|
||||
#define strcasecmp stricmp
|
||||
|
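Review bot: the u8/u16/u32 typedefs are removed from the Unix branch here and from the USE_WIN32 branch in the -185 hunk, so every user must have moved to uint8_t/uint16_t/uint32_t; note that the old u32 was `unsigned long` on Win32 and wherever SIZEOF_UNSIGNED_INT != 4, so code that relied on its width for bit operations or printf formats needs checking, and the SIZEOF_UNSIGNED_* configure checks are now dead unless something else still reads them.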
@ -265,10 +270,12 @@ typedef unsigned long u32;
|
|||
#define ioctlsocket(a,b,c) ioctl((a),(b),(c))
|
||||
#endif
|
||||
|
||||
typedef int SOCKET;
|
||||
#define INVALID_SOCKET (-1)
|
||||
|
||||
/* OpenVMS compatibility */
|
||||
#ifdef __vms
|
||||
#define LIBDIR "__NA__"
|
||||
#define PIDFILE "SYS$LOGIN:STUNNEL.PID"
|
||||
#ifdef __alpha
|
||||
#define HOST "alpha-openvms"
|
||||
#else
|
||||
|
@ -283,6 +290,9 @@ typedef unsigned long u32;
|
|||
/* Unix-specific headers */
|
||||
#include <signal.h> /* signal */
|
||||
#include <sys/wait.h> /* wait */
|
||||
#ifdef HAVE_LIMITS_H
|
||||
#include <limits.h> /* INT_MAX */
|
||||
#endif
|
||||
#ifdef HAVE_SYS_RESOURCE_H
|
||||
#include <sys/resource.h> /* getrlimit */
|
||||
#endif
|
||||
|
@ -298,6 +308,7 @@ typedef unsigned long u32;
|
|||
#ifdef HAVE_SYS_SELECT_H
|
||||
#include <sys/select.h> /* for aix */
|
||||
#endif
|
||||
#include <dirent.h>
|
||||
|
||||
#if defined(HAVE_POLL) && !defined(BROKEN_POLL)
|
||||
#ifdef HAVE_POLL_H
|
||||
|
@ -326,6 +337,7 @@ typedef unsigned long u32;
|
|||
#include <sys/uio.h> /* struct iovec */
|
||||
#endif /* HAVE_SYS_UIO_H */
|
||||
|
||||
/* BSD sockets */
|
||||
#include <netinet/in.h> /* struct sockaddr_in */
|
||||
#include <sys/socket.h> /* getpeername */
|
||||
#include <arpa/inet.h> /* inet_ntoa */
|
||||
|
@ -383,83 +395,108 @@ extern char *sys_errlist[];
|
|||
#include <linux/netfilter_ipv4.h>
|
||||
#endif /* HAVE_LINUX_NETFILTER_IPV4_H */
|
||||
#endif /* __linux__ */
|
||||
#ifdef HAVE_SYS_SYSCALL_H
|
||||
#include <sys/syscall.h> /* SYS_gettid */
|
||||
#endif
|
||||
#ifdef HAVE_LINUX_SCHED_H
|
||||
#include <linux/sched.h> /* SCHED_BATCH */
|
||||
#endif
|
||||
|
||||
#endif /* USE_WIN32 */
|
||||
|
||||
#ifndef S_ISREG
|
||||
#define S_ISREG(m) (((m)&S_IFMT)==S_IFREG)
|
||||
#endif
|
||||
|
||||
/**************************************** OpenSSL headers */
|
||||
|
||||
#define OPENSSL_THREAD_DEFINES
|
||||
#include <openssl/opensslconf.h>
|
||||
#if defined(USE_PTHREAD) && !(defined(OPENSSL_THREADS) || \
|
||||
(OPENSSL_VERSION_NUMBER<0x0090700fL && defined(THREADS)))
|
||||
/* opensslv.h requires prior opensslconf.h to include -fips in version string */
|
||||
#include <openssl/opensslv.h>
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER<0x0090700fL
|
||||
#error OpenSSL 0.9.7 or later is required
|
||||
#endif /* OpenSSL older than 0.9.7 */
|
||||
|
||||
#if defined(USE_PTHREAD) && !defined(OPENSSL_THREADS)
|
||||
#error OpenSSL library compiled without thread support
|
||||
#endif /* !OPENSSL_THREADS && USE_PTHREAD */
|
||||
|
||||
#if defined (USE_WIN32) && defined(OPENSSL_FIPS)
|
||||
#define USE_FIPS
|
||||
#endif
|
||||
|
||||
/* OpenSSL 0.9.6 comp.h needs ZLIB macro to declare COMP_zlib() */
|
||||
#define ZLIB
|
||||
|
||||
#include <openssl/lhash.h>
|
||||
#include <openssl/ssl.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/crypto.h> /* for CRYPTO_* and SSLeay_version */
|
||||
#include <openssl/rand.h>
|
||||
#ifndef OPENSSL_NO_MD4
|
||||
#include <openssl/md4.h>
|
||||
#endif
|
||||
#include <openssl/des.h>
|
||||
|
||||
#ifdef HAVE_OSSL_ENGINE_H
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
#include <openssl/engine.h>
|
||||
#else
|
||||
#undef HAVE_OSSL_ENGINE_H
|
||||
#endif
|
||||
#endif /* HAVE_OSSL_ENGINE_H */
|
||||
#if OPENSSL_VERSION_NUMBER<0x0090800fL
|
||||
#define OPENSSL_NO_ECDH
|
||||
#define OPENSSL_NO_COMP
|
||||
#endif /* OpenSSL older than 0.9.8 */
|
||||
|
||||
/* non-blocking OCSP API is not available before OpenSSL 0.9.8h */
|
||||
#if OPENSSL_VERSION_NUMBER<0x00908080L
|
||||
#ifdef HAVE_OSSL_OCSP_H
|
||||
#undef HAVE_OSSL_OCSP_H
|
||||
#endif /* HAVE_OSSL_OCSP_H */
|
||||
#ifndef OPENSSL_NO_OCSP
|
||||
#define OPENSSL_NO_OCSP
|
||||
#endif /* !defined(OPENSSL_NO_OCSP) */
|
||||
#endif /* OpenSSL older than 0.9.8h */
|
||||
|
||||
#ifdef HAVE_OSSL_OCSP_H
|
||||
#include <openssl/ocsp.h>
|
||||
#endif /* HAVE_OSSL_OCSP_H */
|
||||
|
||||
#ifdef HAVE_OSSL_FIPS_H
|
||||
#include <openssl/fips.h>
|
||||
#include <openssl/fips_rand.h>
|
||||
#endif /* HAVE_OSSL_FIPS_H */
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER<0x0090800fL
|
||||
#define OPENSSL_NO_ECDH
|
||||
#endif /* OpenSSL version < 0.8.0 */
|
||||
#if OPENSSL_VERSION_NUMBER<0x00908060L
|
||||
#define OPENSSL_NO_TLSEXT
|
||||
#endif /* OpenSSL older than 0.9.8f */
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER<0x10000000L
|
||||
#define OPENSSL_NO_TLSEXT
|
||||
#endif /* OpenSSL version < 1.0.0 */
|
||||
#define OPENSSL_NO_PSK
|
||||
#endif /* OpenSSL older than 1.0.0 */
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER<0x10001000L || defined(OPENSSL_NO_TLS1)
|
||||
#define OPENSSL_NO_TLS1_1
|
||||
#define OPENSSL_NO_TLS1_2
|
||||
#endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
||||
#ifndef OPENSSL_NO_SSL2
|
||||
#define OPENSSL_NO_SSL2
|
||||
#endif /* !defined(OPENSSL_NO_SSL2) */
|
||||
#else /* OpenSSL older than 1.1.0 */
|
||||
#define X509_STORE_CTX_get0_chain(x) X509_STORE_CTX_get_chain(x)
|
||||
#endif /* OpenSSL 1.1.0 or newer */
|
||||
|
||||
#if defined(USE_WIN32) && defined(OPENSSL_FIPS)
|
||||
#define USE_FIPS
|
||||
#endif
|
||||
|
||||
#include <openssl/lhash.h>
|
||||
#include <openssl/ssl.h>
|
||||
#include <openssl/ui.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/crypto.h> /* for CRYPTO_* and SSLeay_version */
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/pkcs12.h>
|
||||
#ifndef OPENSSL_NO_MD4
|
||||
#include <openssl/md4.h>
|
||||
#endif /* !defined(OPENSSL_NO_MD4) */
|
||||
#include <openssl/des.h>
|
||||
#ifndef OPENSSL_NO_DH
|
||||
#include <openssl/dh.h>
|
||||
#if OPENSSL_VERSION_NUMBER<0x10100000L
|
||||
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
|
||||
#endif /* OpenSSL older than 1.1.0 */
|
||||
#endif /* !defined(OPENSSL_NO_DH) */
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
#include <openssl/engine.h>
|
||||
#endif /* !defined(OPENSSL_NO_ENGINE) */
|
||||
#ifndef OPENSSL_NO_OCSP
|
||||
#include <openssl/ocsp.h>
|
||||
#endif /* !defined(OPENSSL_NO_OCSP) */
|
||||
#ifndef OPENSSL_NO_COMP
|
||||
/* not defined in public headers before OpenSSL 0.9.8 */
|
||||
STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
|
||||
#endif /* OPENSSL_NO_COMP */
|
||||
#endif /* !defined(OPENSSL_NO_COMP) */
|
||||
|
||||
#ifndef OPENSSL_VERSION
|
||||
#define OPENSSL_VERSION SSLEAY_VERSION
|
||||
#define OpenSSL_version_num() SSLeay()
|
||||
#define OpenSSL_version(x) SSLeay_version(x)
|
||||
#endif
|
||||
|
||||
/**************************************** other defines */
|
||||
|
||||
/* change all non-printable characters to '.' */
|
||||
#define safestring(s) \
|
||||
do {unsigned char *p; for(p=(unsigned char *)(s); *p; p++) \
|
||||
if(!isprint((int)*p)) *p='.';} while(0)
|
||||
/* change all unsafe characters to '.' */
|
||||
#define safename(s) \
|
||||
do {unsigned char *p; for(p=(s); *p; p++) \
|
||||
if(!isalnum((int)*p)) *p='.';} while(0)
|
||||
|
||||
/* always use IPv4 defaults! */
|
||||
#define DEFAULT_LOOPBACK "127.0.0.1"
|
||||
#define DEFAULT_ANY "0.0.0.0"
|
||||
|
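Review bot: `safename()` lacks the `(unsigned char *)` cast that its sibling `safestring()` applies to `s`, so passing the usual `char *` assigns it to `unsigned char *p` and trips `-Wpointer-sign` (fatal under `-Werror`); add the cast for symmetry. Two smaller points in the same hunk: the comment `/* OpenSSL version < 0.8.0 */` sits beside a test for `0x0090800fL`, i.e. 0.9.8, so whichever side of the diff keeps that block should fix the comment; and the `int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);` prototype declared for OpenSSL older than 1.1.0 needs a compat definition somewhere in the tree, since `dhparam.c` below calls it unconditionally. The move from `HAVE_OSSL_ENGINE_H`/`HAVE_OSSL_OCSP_H` to the `OPENSSL_NO_ENGINE`/`OPENSSL_NO_OCSP` feature macros is the right call: those come from `opensslconf.h` and track how the library was actually built rather than which headers happen to be installed.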
@ -480,7 +517,7 @@ STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
|
|||
#endif /* defined (USE_WIN32) || defined (__vms) */
|
||||
|
||||
#ifndef offsetof
|
||||
#define offsetof(T, F) ((unsigned int)((char *)&((T *)0L)->F - (char *)0L))
|
||||
#define offsetof(T, F) ((unsigned)((char *)&((T *)0L)->F - (char *)0L))
|
||||
#endif
|
||||
|
||||
#endif /* defined COMMON_H */
|
||||
|
|
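Review bot: changing the fallback `offsetof` cast from `(unsigned int)` to `(unsigned)` is cosmetic; the real problem with this block is that `&((T *)0L)->F - (char *)0L` is null-pointer arithmetic, which is undefined behaviour, and that the cast truncates the result on LP64 where `size_t` is 64 bits. C89 guarantees `offsetof` in `<stddef.h>`, so include that header and delete the fallback rather than keep patching it.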
139
src/config.h.in
|
@ -51,18 +51,18 @@
|
|||
/* Define to 1 if you have the <inttypes.h> header file. */
|
||||
#undef HAVE_INTTYPES_H
|
||||
|
||||
/* Define to 1 if you have 'libpthread' library. */
|
||||
#undef HAVE_LIBPTHREAD
|
||||
|
||||
/* Define to 1 if you have the <libutil.h> header file. */
|
||||
#undef HAVE_LIBUTIL_H
|
||||
|
||||
/* Define to 1 if you have 'libwrap' library. */
|
||||
#undef HAVE_LIBWRAP
|
||||
/* Define to 1 if you have the <limits.h> header file. */
|
||||
#undef HAVE_LIMITS_H
|
||||
|
||||
/* Define to 1 if you have the <linux/netfilter_ipv4.h> header file. */
|
||||
#undef HAVE_LINUX_NETFILTER_IPV4_H
|
||||
|
||||
/* Define to 1 if you have the <linux/sched.h> header file. */
|
||||
#undef HAVE_LINUX_SCHED_H
|
||||
|
||||
/* Define to 1 if you have the `localtime_r' function. */
|
||||
#undef HAVE_LOCALTIME_R
|
||||
|
||||
|
@ -78,15 +78,6 @@
|
|||
/* Define to 1 if you have the `openpty' function. */
|
||||
#undef HAVE_OPENPTY
|
||||
|
||||
/* Define to 1 if you have <engine.h> header file. */
|
||||
#undef HAVE_OSSL_ENGINE_H
|
||||
|
||||
/* Define to 1 if you have <fips.h> header file. */
|
||||
#undef HAVE_OSSL_FIPS_H
|
||||
|
||||
/* Define to 1 if you have <ocsp.h> header file. */
|
||||
#undef HAVE_OSSL_OCSP_H
|
||||
|
||||
/* Define to 1 if you have the `pipe2' function. */
|
||||
#undef HAVE_PIPE2
|
||||
|
||||
|
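Review bot: dropping `HAVE_OSSL_FIPS_H` needs a matching follow-up in common.h, where the old `#ifdef HAVE_OSSL_FIPS_H` block was the only thing pulling in `<openssl/fips.h>` and `<openssl/fips_rand.h>`; `USE_FIPS` is still a build option in this file, so whatever still calls the FIPS API must now get its declarations from `<openssl/crypto.h>` (where `FIPS_mode_set()` is declared in OpenSSL 1.0.x) or the FIPS build will fail to compile. For engine and OCSP the switch to `OPENSSL_NO_ENGINE`/`OPENSSL_NO_OCSP` is fine, as those are set by the library's own `opensslconf.h`.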
@ -96,15 +87,24 @@
|
|||
/* Define to 1 if you have the <poll.h> header file. */
|
||||
#undef HAVE_POLL_H
|
||||
|
||||
/* Define if you have POSIX threads libraries and header files. */
|
||||
#undef HAVE_PTHREAD
|
||||
|
||||
/* Define to 1 if you have the <pthread.h> header file. */
|
||||
#undef HAVE_PTHREAD_H
|
||||
|
||||
/* Have PTHREAD_PRIO_INHERIT. */
|
||||
#undef HAVE_PTHREAD_PRIO_INHERIT
|
||||
|
||||
/* Define to 1 if you have the `pthread_sigmask' function. */
|
||||
#undef HAVE_PTHREAD_SIGMASK
|
||||
|
||||
/* Define to 1 if you have the <pty.h> header file. */
|
||||
#undef HAVE_PTY_H
|
||||
|
||||
/* Define to 1 if you have the `realpath' function. */
|
||||
#undef HAVE_REALPATH
|
||||
|
||||
/* Define to 1 if you have the `setgroups' function. */
|
||||
#undef HAVE_SETGROUPS
|
||||
|
||||
|
@ -141,6 +141,9 @@
|
|||
/* Define to 1 if you have the `sysconf' function. */
|
||||
#undef HAVE_SYSCONF
|
||||
|
||||
/* Define to 1 if you have the <systemd/sd-daemon.h> header file. */
|
||||
#undef HAVE_SYSTEMD_SD_DAEMON_H
|
||||
|
||||
/* Define to 1 if you have the <sys/filio.h> header file. */
|
||||
#undef HAVE_SYS_FILIO_H
|
||||
|
||||
|
@ -162,6 +165,9 @@
|
|||
/* Define to 1 if you have the <sys/stat.h> header file. */
|
||||
#undef HAVE_SYS_STAT_H
|
||||
|
||||
/* Define to 1 if you have the <sys/syscall.h> header file. */
|
||||
#undef HAVE_SYS_SYSCALL_H
|
||||
|
||||
/* Define to 1 if you have the <sys/types.h> header file. */
|
||||
#undef HAVE_SYS_TYPES_H
|
||||
|
||||
|
@ -205,9 +211,6 @@
|
|||
*/
|
||||
#undef LT_OBJDIR
|
||||
|
||||
/* Define to 1 if your C compiler doesn't accept -c and -o together. */
|
||||
#undef NO_MINUS_C_MINUS_O
|
||||
|
||||
/* Name of package */
|
||||
#undef PACKAGE
|
||||
|
||||
|
@ -229,28 +232,20 @@
|
|||
/* Define to the version of this package. */
|
||||
#undef PACKAGE_VERSION
|
||||
|
||||
/* Define to necessary symbol if this constant uses a non-standard name on
|
||||
your system. */
|
||||
#undef PTHREAD_CREATE_JOINABLE
|
||||
|
||||
/* Random file path */
|
||||
#undef RANDOM_FILE
|
||||
|
||||
/* The size of `unsigned char', as computed by sizeof. */
|
||||
#undef SIZEOF_UNSIGNED_CHAR
|
||||
|
||||
/* The size of `unsigned int', as computed by sizeof. */
|
||||
#undef SIZEOF_UNSIGNED_INT
|
||||
|
||||
/* The size of `unsigned long', as computed by sizeof. */
|
||||
#undef SIZEOF_UNSIGNED_LONG
|
||||
|
||||
/* The size of `unsigned short', as computed by sizeof. */
|
||||
#undef SIZEOF_UNSIGNED_SHORT
|
||||
|
||||
/* SSL directory */
|
||||
/* TLS directory */
|
||||
#undef SSLDIR
|
||||
|
||||
/* Define to 1 if you have the ANSI C header files. */
|
||||
#undef STDC_HEADERS
|
||||
|
||||
/* Define to 1 to enable OpenSSL FIPS mode. */
|
||||
/* Define to 1 to enable OpenSSL FIPS support */
|
||||
#undef USE_FIPS
|
||||
|
||||
/* Define to 1 to select FORK mode */
|
||||
|
@ -259,17 +254,99 @@
|
|||
/* Define to 1 to enable IPv6 support */
|
||||
#undef USE_IPv6
|
||||
|
||||
/* Define to 1 to enable TCP wrappers support */
|
||||
#undef USE_LIBWRAP
|
||||
|
||||
/* Define to 1 to select PTHREAD mode */
|
||||
#undef USE_PTHREAD
|
||||
|
||||
/* Define to 1 to enable systemd socket activation */
|
||||
#undef USE_SYSTEMD
|
||||
|
||||
/* Define to 1 to select UCONTEXT mode */
|
||||
#undef USE_UCONTEXT
|
||||
|
||||
/* Version number of package */
|
||||
#undef VERSION
|
||||
|
||||
/* Use Darwin source */
|
||||
#undef _DARWIN_C_SOURCE
|
||||
|
||||
/* Enable large inode numbers on Mac OS X 10.5. */
|
||||
#ifndef _DARWIN_USE_64_BIT_INODE
|
||||
# define _DARWIN_USE_64_BIT_INODE 1
|
||||
#endif
|
||||
|
||||
/* Number of bits in a file offset, on hosts where this is settable. */
|
||||
#undef _FILE_OFFSET_BITS
|
||||
|
||||
/* Use GNU source */
|
||||
#undef _GNU_SOURCE
|
||||
|
||||
/* Define for large files, on AIX-style hosts. */
|
||||
#undef _LARGE_FILES
|
||||
|
||||
/* Define for Solaris 2.5.1 so the uint32_t typedef from <sys/synch.h>,
|
||||
<pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
|
||||
#define below would cause a syntax error. */
|
||||
#undef _UINT32_T
|
||||
|
||||
/* Define for Solaris 2.5.1 so the uint64_t typedef from <sys/synch.h>,
|
||||
<pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
|
||||
#define below would cause a syntax error. */
|
||||
#undef _UINT64_T
|
||||
|
||||
/* Define for Solaris 2.5.1 so the uint8_t typedef from <sys/synch.h>,
|
||||
<pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
|
||||
#define below would cause a syntax error. */
|
||||
#undef _UINT8_T
|
||||
|
||||
/* Use X/Open 5 with POSIX 1995 */
|
||||
#undef _XOPEN_SOURCE
|
||||
|
||||
/* Define to `int' if <sys/types.h> doesn't define. */
|
||||
#undef gid_t
|
||||
|
||||
/* Define to the type of a signed integer type of width exactly 16 bits if
|
||||
such a type exists and the standard includes do not define it. */
|
||||
#undef int16_t
|
||||
|
||||
/* Define to the type of a signed integer type of width exactly 32 bits if
|
||||
such a type exists and the standard includes do not define it. */
|
||||
#undef int32_t
|
||||
|
||||
/* Define to the type of a signed integer type of width exactly 64 bits if
|
||||
such a type exists and the standard includes do not define it. */
|
||||
#undef int64_t
|
||||
|
||||
/* Define to the type of a signed integer type of width exactly 8 bits if such
|
||||
a type exists and the standard includes do not define it. */
|
||||
#undef int8_t
|
||||
|
||||
/* Define to `unsigned int' if <sys/types.h> does not define. */
|
||||
#undef size_t
|
||||
|
||||
/* Type of socklen_t */
|
||||
#undef socklen_t
|
||||
|
||||
/* Define to `int' if <sys/types.h> does not define. */
|
||||
#undef ssize_t
|
||||
|
||||
/* Define to `int' if <sys/types.h> doesn't define. */
|
||||
#undef uid_t
|
||||
|
||||
/* Define to the type of an unsigned integer type of width exactly 16 bits if
|
||||
such a type exists and the standard includes do not define it. */
|
||||
#undef uint16_t
|
||||
|
||||
/* Define to the type of an unsigned integer type of width exactly 32 bits if
|
||||
such a type exists and the standard includes do not define it. */
|
||||
#undef uint32_t
|
||||
|
||||
/* Define to the type of an unsigned integer type of width exactly 64 bits if
|
||||
such a type exists and the standard includes do not define it. */
|
||||
#undef uint64_t
|
||||
|
||||
/* Define to the type of an unsigned integer type of width exactly 8 bits if
|
||||
such a type exists and the standard includes do not define it. */
|
||||
#undef uint8_t
|
||||
|
|
|
@ -0,0 +1,201 @@
|
|||
/*
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||
* See the GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||
*
|
||||
* Linking stunnel statically or dynamically with other modules is making
|
||||
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||
* the GNU General Public License cover the whole combination.
|
||||
*
|
||||
* In addition, as a special exception, the copyright holder of stunnel
|
||||
* gives you permission to combine stunnel with free software programs or
|
||||
* libraries that are released under the GNU LGPL and with code included
|
||||
* in the standard release of OpenSSL under the OpenSSL License (or
|
||||
* modified versions of such code, with unchanged license). You may copy
|
||||
* and distribute such a system following the terms of the GNU GPL for
|
||||
* stunnel and the licenses of the other code concerned.
|
||||
*
|
||||
* Note that people who make modified versions of stunnel are not obligated
|
||||
* to grant this special exception for their modified versions; it is their
|
||||
* choice whether to do so. The GNU General Public License gives permission
|
||||
* to release a modified version without this exception; this exception
|
||||
* also makes it possible to release a modified version which carries
|
||||
* forward this exception.
|
||||
*/
|
||||
|
||||
#include "common.h"
|
||||
#include "prototypes.h"
|
||||
|
||||
#ifdef USE_PTHREAD
|
||||
NOEXPORT void *cron_thread(void *arg);
|
||||
#endif
|
||||
#ifdef USE_WIN32
|
||||
NOEXPORT void cron_thread(void *arg);
|
||||
#endif
|
||||
#if defined(USE_PTHREAD) || defined(USE_WIN32)
|
||||
NOEXPORT void cron_worker(void);
|
||||
NOEXPORT void cron_dh_param(void);
|
||||
#endif
|
||||
|
||||
#if defined(USE_PTHREAD)
|
||||
|
||||
int cron_init() {
|
||||
pthread_t thread;
|
||||
pthread_attr_t pth_attr;
|
||||
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
|
||||
sigset_t new_set, old_set;
|
||||
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
|
||||
|
||||
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
|
||||
sigfillset(&new_set);
|
||||
pthread_sigmask(SIG_SETMASK, &new_set, &old_set); /* block signals */
|
||||
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
|
||||
pthread_attr_init(&pth_attr);
|
||||
pthread_attr_setdetachstate(&pth_attr, PTHREAD_CREATE_DETACHED);
|
||||
if(pthread_create(&thread, &pth_attr, cron_thread, NULL))
|
||||
ioerror("pthread_create");
|
||||
pthread_attr_destroy(&pth_attr);
|
||||
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
|
||||
pthread_sigmask(SIG_SETMASK, &old_set, NULL); /* unblock signals */
|
||||
#endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
|
||||
return 0;
|
||||
}
|
||||
|
||||
NOEXPORT void *cron_thread(void *arg) {
|
||||
#ifdef SCHED_BATCH
|
||||
struct sched_param param;
|
||||
#endif
|
||||
|
||||
(void)arg; /* squash the unused parameter warning */
|
||||
tls_alloc(NULL, NULL, "cron");
|
||||
#ifdef SCHED_BATCH
|
||||
param.sched_priority=0;
|
||||
if(pthread_setschedparam(pthread_self(), SCHED_BATCH, ¶m))
|
||||
ioerror("pthread_getschedparam");
|
||||
#endif
|
||||
cron_worker();
|
||||
return NULL; /* it should never be executed */
|
||||
}
|
||||
|
||||
#elif defined(USE_WIN32)
|
||||
|
||||
int cron_init() {
|
||||
if((long)_beginthread(cron_thread, 0, NULL)==-1)
|
||||
ioerror("_beginthread");
|
||||
return 0;
|
||||
}
|
||||
|
||||
NOEXPORT void cron_thread(void *arg) {
|
||||
(void)arg; /* squash the unused parameter warning */
|
||||
tls_alloc(NULL, NULL, "cron");
|
||||
if(!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_LOWEST))
|
||||
ioerror("SetThreadPriority");
|
||||
cron_worker();
|
||||
_endthread(); /* it should never be executed */
|
||||
}
|
||||
|
||||
#else /* !defined(USE_PTHREAD) && !defined(USE_WIN32) */
|
||||
|
||||
int cron_init() {
|
||||
/* not implemented for now */
|
||||
return 0;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
/* run the cron job every 24 hours */
|
||||
#define CRON_PERIOD (24*60*60)
|
||||
|
||||
#if defined(USE_PTHREAD) || defined(USE_WIN32)
|
||||
|
||||
NOEXPORT void cron_worker(void) {
|
||||
time_t now, then;
|
||||
int delay;
|
||||
|
||||
s_log(LOG_DEBUG, "Cron thread initialized");
|
||||
sleep(60); /* allow the other services to start with idle CPU */
|
||||
time(&then);
|
||||
for(;;) {
|
||||
s_log(LOG_INFO, "Executing cron jobs");
|
||||
#ifndef OPENSSL_NO_DH
|
||||
cron_dh_param();
|
||||
#endif /* OPENSSL_NO_DH */
|
||||
time(&now);
|
||||
s_log(LOG_INFO, "Cron jobs completed in %d seconds", (int)(now-then));
|
||||
then+=CRON_PERIOD;
|
||||
if(then>now) {
|
||||
delay=(int)(then-now);
|
||||
} else {
|
||||
s_log(LOG_NOTICE, "Cron backlog cleared (possible hibernation)");
|
||||
delay=CRON_PERIOD-(int)(now-then)%CRON_PERIOD;
|
||||
then=now+delay;
|
||||
}
|
||||
s_log(LOG_DEBUG, "Waiting %d seconds", delay);
|
||||
do { /* retry sleep() if it was interrupted by a signal */
|
||||
sleep((unsigned)delay);
|
||||
time(&now);
|
||||
delay=(int)(then-now);
|
||||
} while(delay>0);
|
||||
s_log(LOG_INFO, "Reopening log file");
|
||||
signal_post(SIGNAL_REOPEN_LOG);
|
||||
}
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_DH
|
||||
NOEXPORT void cron_dh_param(void) {
|
||||
SERVICE_OPTIONS *opt;
|
||||
DH *dh;
|
||||
|
||||
if(!dh_needed)
|
||||
return;
|
||||
|
||||
s_log(LOG_NOTICE, "Updating DH parameters");
|
||||
#if OPENSSL_VERSION_NUMBER>=0x0090800fL
|
||||
/* generate 2048-bit DH parameters */
|
||||
dh=DH_new();
|
||||
if(!dh) {
|
||||
sslerror("DH_new");
|
||||
return;
|
||||
}
|
||||
if(!DH_generate_parameters_ex(dh, 2048, 2, NULL)) {
|
||||
DH_free(dh);
|
||||
sslerror("DH_generate_parameters_ex");
|
||||
return;
|
||||
}
|
||||
#else /* OpenSSL older than 0.9.8 */
|
||||
dh=DH_generate_parameters(2048, 2, NULL, NULL);
|
||||
if(!dh) {
|
||||
sslerror("DH_generate_parameters");
|
||||
return;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* update global dh_params for future configuration reloads */
|
||||
stunnel_write_lock(&stunnel_locks[LOCK_DH]);
|
||||
DH_free(dh_params);
|
||||
dh_params=dh;
|
||||
stunnel_write_unlock(&stunnel_locks[LOCK_DH]);
|
||||
|
||||
/* set for all sections that require it */
|
||||
for(opt=service_options.next; opt; opt=opt->next)
|
||||
if(opt->option.dh_needed)
|
||||
SSL_CTX_set_tmp_dh(opt->ctx, dh);
|
||||
s_log(LOG_NOTICE, "DH parameters updated");
|
||||
}
|
||||
#endif /* OPENSSL_NO_DH */
|
||||
|
||||
#endif /* USE_PTHREAD || USE_WIN32 */
|
||||
|
||||
/* end of cron.c */
|
|
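Review bot: the pthread error handling in `cron_init()` and `cron_thread()` reports the wrong thing: `pthread_create()` and `pthread_setschedparam()` return the error number instead of setting `errno`, so `ioerror("pthread_create")` and `ioerror("pthread_getschedparam")` log whatever stale `errno` happens to hold, and the second label names the wrong function (the call is `pthread_setschedparam`). Save the return value and log it via `strerror()` instead of relying on `errno`, and fix the label. Three further points: `cron_init()` returns 0 even when thread creation fails, so the caller cannot tell that DH parameters will never be refreshed; `cron_dh_param()` walks `service_options` and calls `SSL_CTX_set_tmp_dh()` on each `opt->ctx` after releasing `LOCK_DH`, so if a configuration reload can replace that list concurrently this thread may touch a freed `SERVICE_OPTIONS`; and in builds with neither `USE_PTHREAD` nor `USE_WIN32` the stub `cron_init()` silently leaves the compiled-in `dhparam.c` group in use for the process lifetime. That last case deserves a log line at startup and a sentence in the documentation, because periodic regeneration is the property that keeps a single well-known 2048-bit group from being the precomputation target for every stunnel instance.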
@ -0,0 +1,57 @@
|
|||
#include "common.h"
|
||||
#ifndef OPENSSL_NO_DH
|
||||
#define DN_new DH_new
|
||||
#ifndef HEADER_DH_H
|
||||
# include <openssl/dh.h>
|
||||
#endif
|
||||
|
||||
DH *get_dh2048()
|
||||
{
|
||||
static unsigned char dhp_2048[] = {
|
||||
0xE5, 0x09, 0xEB, 0x6B, 0x7E, 0xFF, 0x06, 0x2E, 0xE9, 0x8E,
|
||||
0xEB, 0xB8, 0x15, 0x2E, 0x83, 0xE9, 0x77, 0x6B, 0x98, 0x80,
|
||||
0xC2, 0x5B, 0xC7, 0x99, 0xEF, 0xD2, 0x3B, 0x75, 0x23, 0xD1,
|
||||
0xEF, 0x4D, 0x2C, 0xE6, 0xE5, 0xD3, 0x6A, 0x5E, 0x38, 0x4A,
|
||||
0x05, 0x15, 0x57, 0xFF, 0x46, 0x22, 0x0F, 0xDC, 0xC9, 0xF0,
|
||||
0xA0, 0x4C, 0x2B, 0x70, 0x91, 0x30, 0x32, 0x3A, 0x20, 0x38,
|
||||
0xB6, 0x62, 0xAE, 0x8C, 0x9E, 0x9B, 0x7A, 0x04, 0xCF, 0x9C,
|
||||
0x20, 0x0C, 0x9D, 0x34, 0xFC, 0xB5, 0x46, 0x9E, 0xB6, 0x56,
|
||||
0x94, 0x7A, 0x8E, 0x7B, 0xEA, 0x77, 0x3D, 0x1F, 0x57, 0xAD,
|
||||
0xB0, 0xB7, 0xD6, 0x2E, 0x95, 0x5B, 0xA7, 0x1E, 0xF1, 0x84,
|
||||
0x04, 0x7C, 0x77, 0x9B, 0x10, 0x8D, 0x5F, 0xA5, 0x2B, 0x0D,
|
||||
0xCB, 0xFB, 0xB9, 0x0A, 0xCB, 0xDD, 0x70, 0x9F, 0x85, 0xBA,
|
||||
0xE3, 0x6A, 0xD1, 0xE4, 0x83, 0x7B, 0x89, 0x66, 0xAC, 0x58,
|
||||
0x12, 0x43, 0x5B, 0xA8, 0x02, 0xC0, 0x5C, 0x27, 0x61, 0x97,
|
||||
0x5D, 0xEC, 0x94, 0x71, 0xB2, 0x13, 0x13, 0xAB, 0x30, 0x0C,
|
||||
0x54, 0x54, 0x8C, 0xE2, 0x9D, 0x07, 0xDE, 0xE7, 0x62, 0x70,
|
||||
0xDE, 0x6C, 0x48, 0xD7, 0x69, 0xDA, 0xBC, 0xDA, 0xB1, 0x82,
|
||||
0xE4, 0xD7, 0xE4, 0xFB, 0x6D, 0x36, 0x46, 0x55, 0x30, 0x63,
|
||||
0x18, 0x42, 0x82, 0x60, 0xE2, 0x76, 0x23, 0x56, 0x34, 0x25,
|
||||
0xA9, 0x6A, 0xF1, 0x06, 0xB1, 0x68, 0xAD, 0x7F, 0xCE, 0x06,
|
||||
0xEE, 0x85, 0xA5, 0x83, 0x85, 0x08, 0x45, 0x45, 0x09, 0xA7,
|
||||
0x3D, 0xC9, 0xAC, 0xE6, 0x3A, 0x98, 0x93, 0xBF, 0x98, 0x2E,
|
||||
0x4D, 0x00, 0x3B, 0x74, 0x62, 0x7B, 0x8D, 0xBD, 0x18, 0x6C,
|
||||
0xAC, 0x4B, 0xEF, 0xF5, 0xAD, 0x0E, 0x2E, 0x85, 0x60, 0xE6,
|
||||
0xF4, 0x3F, 0x25, 0xFE, 0xAE, 0xC3, 0x18, 0x9B, 0x04, 0x7B,
|
||||
0xC7, 0x48, 0xE8, 0xC1, 0x3C, 0x13
|
||||
};
|
||||
static unsigned char dhg_2048[] = {
|
||||
0x02
|
||||
};
|
||||
DH *dh = DH_new();
|
||||
BIGNUM *dhp_bn, *dhg_bn;
|
||||
|
||||
if (dh == NULL)
|
||||
return NULL;
|
||||
dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
|
||||
dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
|
||||
if (dhp_bn == NULL || dhg_bn == NULL
|
||||
|| !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
|
||||
DH_free(dh);
|
||||
BN_free(dhp_bn);
|
||||
BN_free(dhg_bn);
|
||||
return NULL;
|
||||
}
|
||||
return dh;
|
||||
}
|
||||
#endif /* OPENSSL_NO_DH */
|
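Review bot: `#define DN_new DH_new` looks like a typo for `DH_new` and nothing in this file uses `DN_new`; drop it. `DH *get_dh2048()` should be `DH *get_dh2048(void)` so the compiler checks callers, and `dhp_2048`/`dhg_2048` can be `static const`, since `BN_bin2bn()` takes a `const unsigned char *`. The embedded group itself is fine to ship in public (DH parameters are not secret, and the cron job in this commit replaces it within a day on pthread/Win32 builds), but a comment stating how it was generated (the layout looks like `openssl dhparam -C 2048` output; please confirm) would help anyone auditing it. The error path is correct as written: `DH_set0_pqg()` only takes ownership of the BIGNUMs on success, so freeing them on failure does not double-free.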
10
src/env.c
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
|
@ -53,15 +53,15 @@
|
|||
int getpeername(int s, struct sockaddr_in *name, int *len) {
|
||||
char *value;
|
||||
|
||||
(void)s; /* skip warning about unused parameter */
|
||||
(void)len; /* skip warning about unused parameter */
|
||||
(void)s; /* squash the unused parameter warning */
|
||||
(void)len; /* squash the unused parameter warning */
|
||||
name->sin_family=AF_INET;
|
||||
if((value=getenv("REMOTE_HOST")))
|
||||
name->sin_addr.s_addr=inet_addr(value);
|
||||
else
|
||||
name->sin_addr.s_addr=htonl(INADDR_ANY);
|
||||
if((value=getenv("REMOTE_PORT")))
|
||||
name->sin_port=htons(atoi(value));
|
||||
name->sin_port=htons((uint16_t)atoi(value));
|
||||
else
|
||||
name->sin_port=htons(0); /* dynamic port allocation */
|
||||
return 0;
|
||||
|
|
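Review bot: the `(uint16_t)atoi(value)` cast in the `REMOTE_PORT` branch silences the conversion warning without validating the input: `atoi()` yields 0 on garbage and the cast wraps silently for out-of-range values (65536 becomes port 0, -1 becomes 65535), so a malformed environment produces a bogus but plausible peer address. Since this emulated `getpeername()` feeds whatever later reads the peer address, parse with `strtol()`, check `endptr` and the 1..65535 range, and fall through to the dynamic-port default (or fail) on error. The same applies to the `REMOTE_HOST` branch above it, where `inet_addr()` returns `INADDR_NONE` on a parse error and that value is indistinguishable from 255.255.255.255.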
Binary file not shown.
64
src/evc.mak
|
@ -1,8 +1,24 @@
|
|||
# wce.mak for stunnel.exe by Michal Trojnara 2006-2012
|
||||
# with help of Pierre Delaage <delaage.pierre@free.fr>
|
||||
# pdelaage 20140610 : added UNICODE optional FLAG, always ACTIVE on WCE because of poor ANSI support
|
||||
# pdelaage 20140610 : added _WIN32_WCE flag for RC compilation, to preprocess out "HELP" unsupported menu flag on WCE
|
||||
# pdelaage 20140610 : ws2 lib is required to get WSAGetLastError routine (absent from winsock lib)
|
||||
# pdelaage 20140610 : /Dx86 flag required for X86/Emulator targets, to get proper definition for InterlockedExchange
|
||||
# pdelaage 20140610 : /MT flag is NON-SENSE for X86-WCE platforms, it is only meaningful for X86-W32-Desktop.
|
||||
# for X86-WCE targets, although compiler "cl.exe" is REALLY the same as desktop W32 VS6 C++ compiler,
|
||||
# the MT flags relating to LIBCMT is useless BECAUSE LIBCMT does NOT exist on WCE. No msvcrt on WCE either...
|
||||
|
||||
# pdelaage 20140610 : Note on /MC flag
|
||||
# For other targets than X86/Emulator, /MC flag is redundant with "/nodefaultlib coredll.lib corelibc.lib" LD lib list.
|
||||
# For << X86 / Emulator >> target, as the cl.exe compiler IS the SAME as the standard VS6.0 C++ compiler for Desktop Pentium processor,
|
||||
# /MC flag is in fact NOT existing, thus requiring an explicit linking with core libs by using :
|
||||
# /NODEFAULTLIB coredll.lib corelibc.lib,
|
||||
# something that is correct for any WCE target, X86 and other, and leading /MC flag to be useless ALSO for other target than X86.
|
||||
|
||||
|
||||
#
|
||||
# DEFAULTLIB management: only 2 are necessary
|
||||
# defaultlibS as given for CLxxx in the MS doc ARE WRONG
|
||||
# defaultlibS, as given for CLxxx in the MS doc, ARE WRONG
|
||||
|
||||
# !!!!!!!!!!!!!!
|
||||
# CUSTOMIZE THIS according to your wcecompat and openssl directories
|
||||
|
@ -10,10 +26,10 @@
|
|||
|
||||
# Modify this to point to your actual openssl compile directory
|
||||
# (You did already compile openssl, didn't you???)
|
||||
SSLDIR=C:\Users\standard\Documents\Dvts\Contrib\openssl\v1.0.0a\patched3
|
||||
SSLDIR=C:\Users\pdelaage\Dvts\Contrib\openssl
|
||||
|
||||
# Note that we currently use a multi-target customized version of legacy Essemer/wcecompat lib
|
||||
COMPATDIR=C:\Users\standard\Documents\Dvts\Contrib\wcecompat\v12\patchedX86
|
||||
COMPATDIR=C:\Users\pdelaage\Dvts\Contrib\wcecompat\v12\patched3emu
|
||||
|
||||
WCEVER=420
|
||||
|
||||
|
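Review bot: `SSLDIR` and `COMPATDIR` are now hard-coded to one developer's home directory (`C:\Users\pdelaage\...`); the comment above already says CUSTOMIZE THIS, but a build file that points at a path nobody else has is worse than one that fails loudly. Wrap both in `!IFNDEF SSLDIR` / `!IFNDEF COMPATDIR` so the values can come from the environment or the `nmake` command line, and keep a neutral placeholder as the default.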
@ -24,7 +40,8 @@ WCEVER=420
|
|||
!IF "$(TARGETCPU)"=="X86"
|
||||
WCETARGETCPU=_X86_
|
||||
LDTARGETCPU=X86
|
||||
MORECFLAGS=/MT
|
||||
#pdelaage 20140621 /Dx86 for inline defs of InterlockedExchange inline in winbase.h; no more /MT
|
||||
MORECFLAGS=/Dx86
|
||||
|
||||
# TODO: continue list for other targets : see wcecompat/wcedefs.mak for a good ref.
|
||||
# see also openssl/util/pl/vc-32.pl, also link /?
|
||||
|
@ -34,17 +51,20 @@ MORECFLAGS=/MT
|
|||
!ELSEIF "$(TARGETCPU)"=="emulator"
|
||||
WCETARGETCPU=_X86_
|
||||
LDTARGETCPU=X86
|
||||
MORECFLAGS=/MT
|
||||
#pdelaage 20140621 /Dx86 for inline defs of InterlockedExchange inline in winbase.h; no more /MT
|
||||
MORECFLAGS=/Dx86
|
||||
|
||||
!ELSEIF "$(TARGETCPU)"=="MIPS16" || "$(TARGETCPU)"=="MIPSII" || "$(TARGETCPU)"=="MIPSII_FP" || "$(TARGETCPU)"=="MIPSIV" || "$(TARGETCPU)"=="MIPSIV_FP"
|
||||
WCETARGETCPU=_MIPS_
|
||||
LDTARGETCPU=MIPS
|
||||
MORECFLAGS=/DMIPS /MC
|
||||
#pdelaage 20140621 no more /MC required
|
||||
MORECFLAGS=/DMIPS
|
||||
|
||||
!ELSEIF "$(TARGETCPU)"=="SH3" || "$(TARGETCPU)"=="SH4"
|
||||
WCETARGETCPU=SHx
|
||||
LDTARGETCPU=$(TARGETCPU)
|
||||
MORECFLAGS=/MC
|
||||
#pdelaage 20140621 no more /MC required
|
||||
MORECFLAGS=
|
||||
|
||||
!ELSE
|
||||
# default is ARM !
|
||||
|
@ -52,8 +72,8 @@ MORECFLAGS=/MC
|
|||
# the following flag is required by (eg) winnt.h, and is different from targetcpu (armV4)
|
||||
WCETARGETCPU=ARM
|
||||
LDTARGETCPU=ARM
|
||||
MORECFLAGS=/MC
|
||||
|
||||
#pdelaage 20140621 no more /MC required
|
||||
MORECFLAGS=
|
||||
!ENDIF
|
||||
|
||||
# ceutilsdir probably useless (nb : were tools from essemer; but ms delivers a cecopy anyway, see ms dld site)
|
||||
|
@ -65,12 +85,17 @@ SDKDIR=$(SDKROOT)\$(OSVERSION)\$(PLATFORM)
|
|||
INCLUDES=-I$(SSLDIR)\inc32 -I$(COMPATDIR)\include -I"$(SDKDIR)\include\$(TARGETCPU)"
|
||||
# for X86 and other it appears that /MC or /ML flags are absurd,
|
||||
# we always have to override runtime lib list to coredll and corelibc
|
||||
LIBS=/NODEFAULTLIB winsock.lib wcecompatex.lib libeay32.lib ssleay32.lib coredll.lib corelibc.lib
|
||||
#LIBS=/NODEFAULTLIB winsock.lib wcecompatex.lib libeay32.lib ssleay32.lib coredll.lib corelibc.lib
|
||||
LIBS=/NODEFAULTLIB ws2.lib wcecompatex.lib libeay32.lib ssleay32.lib coredll.lib corelibc.lib
|
||||
|
||||
DEFINES=/DHOST=\"$(TARGETCPU)-WCE-eVC-$(WCEVER)\"
|
||||
# pdelaage 20140610 added unicode flag : ALWAYS ACTIVE on WCE, because of poor ANSI support by the MS SDK
|
||||
UNICODEFLAGS=/DUNICODE -D_UNICODE
|
||||
# /O1 /Oi more correct vs MS doc
|
||||
CFLAGS=/nologo $(MORECFLAGS) /O1 /Oi /W3 /WX /GF /Gy $(DEFINES) /D$(WCETARGETCPU) /D$(TARGETCPU) /DUNDER_CE=$(WCEVER) /D_WIN32_WCE=$(WCEVER) /DUNICODE -D_UNICODE $(INCLUDES)
|
||||
RFLAGS=$(DEFINES) $(INCLUDES)
|
||||
CFLAGS=/nologo $(MORECFLAGS) /O1 /Oi /W3 /WX /GF /Gy $(DEFINES) /D$(WCETARGETCPU) /D$(TARGETCPU) /DUNDER_CE=$(WCEVER) /D_WIN32_WCE=$(WCEVER) $(UNICODEFLAGS) $(INCLUDES)
|
||||
# pdelaage 20140610 : RC compilation requires D_WIN32_WCE flag to comment out unsupported "HELP" flag in menu definition, in resources.rc file
|
||||
RFLAGS=$(DEFINES) /D_WIN32_WCE=$(WCEVER) $(INCLUDES)
|
||||
|
||||
# LDFLAGS: since openssl >> 098a (eg 098h) out32dll is out32dll_targetCPU for WCE
|
||||
# delaage added $(TARGETCPU) in legacy Essemer/wcecompat libpath
|
||||
# to ease multitarget compilation without recompiling everything
|
||||
|
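Review bot: the commented-out `#LIBS=/NODEFAULTLIB winsock.lib ...` line is dead text now that the live `LIBS=` line links ws2.lib; drop it rather than carrying both. The new `UNICODEFLAGS=/DUNICODE -D_UNICODE` also mixes `/D` and `-D` for two defines of the same kind in one variable (inherited from the old CFLAGS line); while it is being factored out, make it `UNICODEFLAGS=/DUNICODE /D_UNICODE` to match the rest of CFLAGS.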
@ -89,11 +114,12 @@ BIN=$(BINROOT)\$(TARGETCPU)
|
|||
|
||||
OBJS=$(OBJ)\stunnel.obj $(OBJ)\ssl.obj $(OBJ)\ctx.obj $(OBJ)\verify.obj \
|
||||
$(OBJ)\file.obj $(OBJ)\client.obj $(OBJ)\protocol.obj $(OBJ)\sthreads.obj \
|
||||
$(OBJ)\log.obj $(OBJ)\options.obj $(OBJ)\network.obj \
|
||||
$(OBJ)\resolver.obj $(OBJ)\str.obj $(OBJ)\fd.obj
|
||||
$(OBJ)\log.obj $(OBJ)\options.obj $(OBJ)\network.obj $(OBJ)\resolver.obj \
|
||||
$(OBJ)\str.obj $(OBJ)\tls.obj $(OBJ)\fd.obj $(OBJ)\dhparam.obj \
|
||||
$(OBJ)\cron.obj
|
||||
|
||||
GUIOBJS=$(OBJ)\gui.obj $(OBJ)\resources.res
|
||||
NOGUIOBJS=$(OBJ)\nogui.obj
|
||||
GUIOBJS=$(OBJ)\ui_win_gui.obj $(OBJ)\resources.res
|
||||
CLIOBJS=$(OBJ)\ui_win_cli.obj
|
||||
|
||||
{$(SRC)\}.c{$(OBJ)\}.obj:
|
||||
$(CC) $(CFLAGS) -Fo$@ -c $<
|
||||
|
@ -115,11 +141,11 @@ makedirs:
|
|||
$(BIN)\stunnel.exe:$(OBJS) $(GUIOBJS)
|
||||
link $(LDFLAGS) /out:$(BIN)\stunnel.exe $(LIBS) commctrl.lib $**
|
||||
|
||||
$(BIN)\tstunnel.exe:$(OBJS) $(NOGUIOBJS)
|
||||
$(BIN)\tstunnel.exe:$(OBJS) $(CLIOBJS)
|
||||
link $(LDFLAGS) /out:$(BIN)\tstunnel.exe $(LIBS) $**
|
||||
|
||||
$(OBJ)\resources.res: $(SRC)\resources.rc $(SRC)\resources.h $(SRC)\version.h
|
||||
$(OBJ)\gui.obj: $(SRC)\gui.c $(SRC)\version.h
|
||||
$(OBJ)\ui_win_gui.obj: $(SRC)\ui_win_gui.c $(SRC)\version.h
|
||||
$(OBJ)\stunnel.obj: $(SRC)\stunnel.c $(SRC)\version.h
|
||||
|
||||
# now list of openssl dll has more files,
|
||||
|
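Review bot: `$(OBJ)\ui_win_cli.obj` gets no explicit dependency line, while `$(OBJ)\ui_win_gui.obj` and `$(OBJ)\stunnel.obj` are both rebuilt when `$(SRC)\version.h` changes; if ui_win_cli.c also reports the version, add `$(OBJ)\ui_win_cli.obj: $(SRC)\ui_win_cli.c $(SRC)\version.h` next to the gui line so a version bump does not leave a stale tstunnel.exe.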
@ -136,6 +162,6 @@ install: stunnel.exe tstunnel.exe
|
|||
$(CEUTILSDIR)\cecopy $(SSLDIR)\out32dll_$(TARGETCPU)\ssleay32.dll $(DSTDIR)
|
||||
|
||||
clean:
|
||||
-@ IF NOT "$(TARGETCPU)"=="" del $(OBJS) $(GUIOBJS) $(NOGUIOBJS) $(BIN)\stunnel.exe $(BIN)\tstunnel.exe >NUL 2>&1
|
||||
-@ IF NOT "$(TARGETCPU)"=="" del $(OBJS) $(GUIOBJS) $(CLIOBJS) $(BIN)\stunnel.exe $(BIN)\tstunnel.exe >NUL 2>&1
|
||||
-@ IF NOT "$(TARGETCPU)"=="" rmdir $(OBJ) >NUL 2>&1
|
||||
-@ IF NOT "$(TARGETCPU)"=="" rmdir $(BIN) >NUL 2>&1
|
||||
|
|
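Review bot: the `install: stunnel.exe tstunnel.exe` rule shown in the hunk header still names the bare executables, while the build rules above only produce `$(BIN)\stunnel.exe` and `$(BIN)\tstunnel.exe`, so nmake looks for dependents nothing in this file builds; since this change already touches the neighbouring `clean:` rule, make the dependents `$(BIN)\stunnel.exe $(BIN)\tstunnel.exe` at the same time. The switch from `$(NOGUIOBJS)` to `$(CLIOBJS)` in `clean:` is consistent with the earlier rename.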
53
src/fd.c
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
|
@ -49,19 +49,19 @@
|
|||
|
||||
/**************************************** prototypes */
|
||||
|
||||
static int setup_fd(int, int, char *);
|
||||
NOEXPORT SOCKET setup_fd(SOCKET, int, char *);
|
||||
|
||||
/**************************************** internal limit of file descriptors */
|
||||
|
||||
#ifndef USE_FORK
|
||||
|
||||
static int max_fds;
|
||||
static SOCKET max_fds;
|
||||
|
||||
void get_limits(void) { /* set max_fds and max_clients */
|
||||
/* start with current ulimit */
|
||||
#if defined(HAVE_SYSCONF)
|
||||
errno=0;
|
||||
max_fds=sysconf(_SC_OPEN_MAX);
|
||||
max_fds=(SOCKET)sysconf(_SC_OPEN_MAX);
|
||||
if(errno)
|
||||
ioerror("sysconf");
|
||||
if(max_fds<0)
|
||||
|
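Review bot: `max_fds=(SOCKET)sysconf(_SC_OPEN_MAX)` followed by `if(max_fds<0)` only keeps working where SOCKET is a signed typedef; on a platform where SOCKET is unsigned the -1 from a failing sysconf() becomes a huge positive limit and the `<0` branch is dead code. Keep the sysconf() result in a `long` for the errno and sign checks and assign it to max_fds afterwards.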
@ -84,13 +84,13 @@ void get_limits(void) { /* set max_fds and max_clients */
|
|||
max_fds=FD_SETSIZE; /* start with select() limit */
|
||||
#endif /* select() on Unix */
|
||||
|
||||
/* stunnel needs at least 16 file desriptors */
|
||||
/* stunnel needs at least 16 file descriptors */
|
||||
if(max_fds && max_fds<16)
|
||||
max_fds=16;
|
||||
|
||||
if(max_fds) {
|
||||
max_clients=max_fds>=256 ? max_fds*125/256 : (max_fds-6)/2;
|
||||
s_log(LOG_DEBUG, "Clients allowed=%d", max_clients);
|
||||
max_clients=(long)(max_fds>=256 ? max_fds*125/256 : (max_fds-6)/2);
|
||||
s_log(LOG_DEBUG, "Clients allowed=%ld", max_clients);
|
||||
} else {
|
||||
max_clients=0;
|
||||
s_log(LOG_DEBUG, "No limit detected for the number of clients");
|
||||
|
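Review bot: in `max_clients=(long)(max_fds>=256 ? max_fds*125/256 : (max_fds-6)/2)` the cast is applied after the arithmetic, so `max_fds*125` is still evaluated in the SOCKET type and can overflow for a large open-file limit before the result is widened; cast first, e.g. `(long)max_fds*125/256`. The `%ld` in the debug line then matches the `long` it receives.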
@ -101,18 +101,27 @@ void get_limits(void) { /* set max_fds and max_clients */
|
|||
|
||||
/**************************************** file descriptor validation */
|
||||
|
||||
int s_socket(int domain, int type, int protocol, int nonblock, char *msg) {
|
||||
SOCKET s_socket(int domain, int type, int protocol, int nonblock, char *msg) {
|
||||
SOCKET fd;
|
||||
|
||||
#ifdef USE_NEW_LINUX_API
|
||||
if(nonblock)
|
||||
type|=SOCK_NONBLOCK;
|
||||
type|=SOCK_CLOEXEC;
|
||||
#endif
|
||||
return setup_fd(socket(domain, type, protocol), nonblock, msg);
|
||||
#ifdef USE_WIN32
|
||||
/* http://stackoverflow.com/questions/4993119 */
|
||||
/* CreateProcess() needs a non-overlapped handle */
|
||||
fd=WSASocket(domain, type, protocol, NULL, 0, 0);
|
||||
#else /* USE_WIN32 */
|
||||
fd=socket(domain, type, protocol);
|
||||
#endif /* USE_WIN32 */
|
||||
return setup_fd(fd, nonblock, msg);
|
||||
}
|
||||
|
||||
int s_accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen,
|
||||
SOCKET s_accept(SOCKET sockfd, struct sockaddr *addr, socklen_t *addrlen,
|
||||
int nonblock, char *msg) {
|
||||
int fd;
|
||||
SOCKET fd;
|
||||
|
||||
#ifdef USE_NEW_LINUX_API
|
||||
if(nonblock)
|
||||
|
@ -127,7 +136,7 @@ int s_accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen,
|
|||
|
||||
#ifndef USE_WIN32
|
||||
|
||||
int s_socketpair(int domain, int type, int protocol, int sv[2],
|
||||
int s_socketpair(int domain, int type, int protocol, SOCKET sv[2],
|
||||
int nonblock, char *msg) {
|
||||
#ifdef USE_NEW_LINUX_API
|
||||
if(nonblock)
|
||||
|
@ -177,28 +186,28 @@ int s_pipe(int pipefd[2], int nonblock, char *msg) {
|
|||
|
||||
#endif /* USE_WIN32 */
|
||||
|
||||
static int setup_fd(int fd, int nonblock, char *msg) {
|
||||
NOEXPORT SOCKET setup_fd(SOCKET fd, int nonblock, char *msg) {
|
||||
#if !defined USE_NEW_LINUX_API && defined FD_CLOEXEC
|
||||
int err;
|
||||
#endif
|
||||
|
||||
if(fd<0) {
|
||||
if(fd==INVALID_SOCKET) {
|
||||
sockerror(msg);
|
||||
return -1;
|
||||
return INVALID_SOCKET;
|
||||
}
|
||||
#ifndef USE_FORK
|
||||
if(max_fds && fd>=max_fds) {
|
||||
s_log(LOG_ERR, "%s: FD=%d out of range (max %d)",
|
||||
msg, fd, max_fds);
|
||||
msg, (int)fd, (int)max_fds);
|
||||
closesocket(fd);
|
||||
return -1;
|
||||
return INVALID_SOCKET;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef USE_NEW_LINUX_API
|
||||
(void)nonblock; /* skip warning about unused parameter */
|
||||
(void)nonblock; /* squash the unused parameter warning */
|
||||
#else /* set O_NONBLOCK and F_SETFD */
|
||||
set_nonblock(fd, nonblock);
|
||||
set_nonblock(fd, (unsigned long)nonblock);
|
||||
#ifdef FD_CLOEXEC
|
||||
do {
|
||||
err=fcntl(fd, F_SETFD, FD_CLOEXEC);
|
||||
|
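Review bot: the out-of-range log line casts both values with `(int)` for `%d`, which truncates a 64-bit SOCKET on Win64 and prints a misleading number in exactly the error case the message exists for; cast to `long` and use `%ld`, as get_limits() already does for max_clients. Replacing `fd<0` with `fd==INVALID_SOCKET` is the right change for the unsigned Win32 SOCKET type.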
@ -216,7 +225,7 @@ static int setup_fd(int fd, int nonblock, char *msg) {
|
|||
return fd;
|
||||
}
|
||||
|
||||
void set_nonblock(int fd, unsigned long nonblock) {
|
||||
void set_nonblock(SOCKET fd, unsigned long nonblock) {
|
||||
#if defined F_GETFL && defined F_SETFL && defined O_NONBLOCK && !defined __INNOTEK_LIBC__
|
||||
int err, flags;
|
||||
|
||||
|
@ -237,7 +246,7 @@ void set_nonblock(int fd, unsigned long nonblock) {
|
|||
if(err<0)
|
||||
sockerror("fcntl SETFL"); /* non-critical */
|
||||
#else /* WIN32 or similar */
|
||||
if(ioctlsocket(fd, FIONBIO, &nonblock)<0)
|
||||
if(ioctlsocket(fd, (long)FIONBIO, &nonblock)<0)
|
||||
sockerror("ioctlsocket"); /* non-critical */
|
||||
#if 0
|
||||
else
|
||||
|
|
139
src/file.c
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
|
@ -40,20 +40,37 @@
|
|||
|
||||
#ifdef USE_WIN32
|
||||
|
||||
DISK_FILE *file_open(char *name, int wr) {
|
||||
DISK_FILE *file_open(char *name, FILE_MODE mode) {
|
||||
DISK_FILE *df;
|
||||
LPTSTR tstr;
|
||||
LPTSTR tname;
|
||||
HANDLE fh;
|
||||
DWORD desired_access, creation_disposition;
|
||||
|
||||
/* open file */
|
||||
tstr=str2tstr(name);
|
||||
fh=CreateFile(tstr, wr ? GENERIC_WRITE : GENERIC_READ,
|
||||
FILE_SHARE_READ, NULL, wr ? OPEN_ALWAYS : OPEN_EXISTING,
|
||||
FILE_ATTRIBUTE_NORMAL, (HANDLE)NULL);
|
||||
str_free(tstr); /* str_free() overwrites GetLastError() value */
|
||||
switch(mode) {
|
||||
case FILE_MODE_READ:
|
||||
desired_access=GENERIC_READ;
|
||||
creation_disposition=OPEN_EXISTING;
|
||||
break;
|
||||
case FILE_MODE_APPEND:
|
||||
/* reportedly more compatible than FILE_APPEND_DATA */
|
||||
desired_access=GENERIC_WRITE;
|
||||
creation_disposition=OPEN_ALWAYS; /* keep the data */
|
||||
break;
|
||||
case FILE_MODE_OVERWRITE:
|
||||
desired_access=GENERIC_WRITE;
|
||||
creation_disposition=CREATE_ALWAYS; /* remove the data */
|
||||
break;
|
||||
default: /* invalid mode */
|
||||
return NULL;
|
||||
}
|
||||
tname=str2tstr(name);
|
||||
fh=CreateFile(tname, desired_access, FILE_SHARE_READ, NULL,
|
||||
creation_disposition, FILE_ATTRIBUTE_NORMAL, (HANDLE)NULL);
|
||||
str_free(tname); /* str_free() overwrites GetLastError() value */
|
||||
if(fh==INVALID_HANDLE_VALUE)
|
||||
return NULL;
|
||||
if(wr) /* append */
|
||||
if(mode==FILE_MODE_APPEND) /* workaround for FILE_APPEND_DATA */
|
||||
SetFilePointer(fh, 0, NULL, FILE_END);
|
||||
|
||||
/* setup df structure */
|
||||
|
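Review bot: the `default: /* invalid mode */ return NULL;` branch returns without setting any error, so a caller that reports the failure through GetLastError() prints whatever the previous API call left behind; call `SetLastError(ERROR_INVALID_PARAMETER)` or log the bad mode before returning. Keeping OPEN_ALWAYS plus `SetFilePointer(fh, 0, NULL, FILE_END)` for FILE_MODE_APPEND preserves the old append behaviour, so the mode rename is behaviour-neutral there.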
@ -72,15 +89,24 @@ DISK_FILE *file_fdopen(int fd) {
|
|||
return df;
|
||||
}
|
||||
|
||||
DISK_FILE *file_open(char *name, int wr) {
|
||||
DISK_FILE *file_open(char *name, FILE_MODE mode) {
|
||||
DISK_FILE *df;
|
||||
int fd, flags;
|
||||
|
||||
/* open file */
|
||||
if(wr)
|
||||
flags=O_CREAT|O_WRONLY|O_APPEND;
|
||||
else
|
||||
switch(mode) {
|
||||
case FILE_MODE_READ:
|
||||
flags=O_RDONLY;
|
||||
break;
|
||||
case FILE_MODE_APPEND:
|
||||
flags=O_CREAT|O_WRONLY|O_APPEND;
|
||||
break;
|
||||
case FILE_MODE_OVERWRITE:
|
||||
flags=O_CREAT|O_WRONLY|O_TRUNC;
|
||||
break;
|
||||
default: /* invalid mode */
|
||||
return NULL;
|
||||
}
|
||||
#ifdef O_NONBLOCK
|
||||
flags|=O_NONBLOCK;
|
||||
#elif defined O_NDELAY
|
||||
|
@ -90,7 +116,7 @@ DISK_FILE *file_open(char *name, int wr) {
|
|||
flags|=O_CLOEXEC;
|
||||
#endif /* O_CLOEXEC */
|
||||
fd=open(name, flags, 0640);
|
||||
if(fd<0)
|
||||
if(fd==INVALID_SOCKET)
|
||||
return NULL;
|
||||
|
||||
/* setup df structure */
|
||||
|
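Review bot: `if(fd==INVALID_SOCKET)` after `fd=open(name, flags, 0640)` compares a plain file descriptor against a socket constant; it happens to work where INVALID_SOCKET is defined as -1, but `if(fd<0)` was the clearer test for open(2) and should stay here since this is not socket code.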
@ -107,19 +133,20 @@ void file_close(DISK_FILE *df) {
|
|||
#ifdef USE_WIN32
|
||||
CloseHandle(df->fh);
|
||||
#else /* USE_WIN32 */
|
||||
close(df->fd);
|
||||
if(df->fd>2) /* never close stdin/stdout/stder */
|
||||
close(df->fd);
|
||||
#endif /* USE_WIN32 */
|
||||
str_free(df);
|
||||
}
|
||||
|
||||
int file_getline(DISK_FILE *df, char *line, int len) {
|
||||
ssize_t file_getline(DISK_FILE *df, char *line, int len) {
|
||||
/* this version is really slow, but performance is not important here */
|
||||
/* (no buffering is implemented) */
|
||||
int i;
|
||||
ssize_t i;
|
||||
#ifdef USE_WIN32
|
||||
DWORD num;
|
||||
#else /* USE_WIN32 */
|
||||
int num;
|
||||
ssize_t num;
|
||||
#endif /* USE_WIN32 */
|
||||
|
||||
if(!df) /* not opened */
|
||||
|
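Review bot: typo in the new comment `/* never close stdin/stdout/stder */`, which should read `stderr`. The `df->fd>2` guard itself is a good addition, since file_fdopen() can wrap one of the standard descriptors and closing it would silently redirect later output.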
@ -146,13 +173,13 @@ int file_getline(DISK_FILE *df, char *line, int len) {
|
|||
return i;
|
||||
}
|
||||
|
||||
int file_putline(DISK_FILE *df, char *line) {
|
||||
int len;
|
||||
ssize_t file_putline(DISK_FILE *df, char *line) {
|
||||
char *buff;
|
||||
size_t len;
|
||||
#ifdef USE_WIN32
|
||||
DWORD num;
|
||||
#else /* USE_WIN32 */
|
||||
int num;
|
||||
ssize_t num;
|
||||
#endif /* USE_WIN32 */
|
||||
|
||||
len=strlen(line);
|
||||
|
@ -163,53 +190,73 @@ int file_putline(DISK_FILE *df, char *line) {
|
|||
#endif /* USE_WIN32 */
|
||||
buff[len++]='\n'; /* LF */
|
||||
#ifdef USE_WIN32
|
||||
WriteFile(df->fh, buff, len, &num, NULL);
|
||||
WriteFile(df->fh, buff, (DWORD)len, &num, NULL);
|
||||
#else /* USE_WIN32 */
|
||||
/* no file -> write to stderr */
|
||||
num=write(df ? df->fd : 2, buff, len);
|
||||
#endif /* USE_WIN32 */
|
||||
str_free(buff);
|
||||
return num;
|
||||
return (ssize_t)num;
|
||||
}
|
||||
|
||||
int file_permissions(const char *file_name) {
|
||||
#if !defined(USE_WIN32) && !defined(USE_OS2)
|
||||
struct stat sb; /* buffer for stat */
|
||||
|
||||
/* check permissions of the private key file */
|
||||
if(stat(file_name, &sb)) {
|
||||
ioerror(file_name);
|
||||
return 1; /* FAILED */
|
||||
}
|
||||
if(sb.st_mode & 7)
|
||||
s_log(LOG_WARNING,
|
||||
"Insecure file permissions on %s", file_name);
|
||||
#else
|
||||
(void)file_name; /* squash the unused parameter warning */
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
|
||||
#ifdef USE_WIN32
|
||||
|
||||
LPTSTR str2tstr(const LPSTR in) {
|
||||
LPTSTR str2tstr(LPCSTR in) {
|
||||
LPTSTR out;
|
||||
#ifdef UNICODE
|
||||
int len;
|
||||
|
||||
#ifdef UNICODE
|
||||
len=MultiByteToWideChar(CP_ACP, 0, in, -1, NULL, 0);
|
||||
len=MultiByteToWideChar(CP_UTF8, 0, in, -1, NULL, 0);
|
||||
if(!len)
|
||||
return NULL;
|
||||
out=str_alloc((len+1)*sizeof(WCHAR));
|
||||
len=MultiByteToWideChar(CP_ACP, 0, in, -1, out, len);
|
||||
if(!len)
|
||||
return NULL;
|
||||
return str_tprintf(TEXT("MultiByteToWideChar() failed"));
|
||||
out=str_alloc(((size_t)len+1)*sizeof(WCHAR));
|
||||
len=MultiByteToWideChar(CP_UTF8, 0, in, -1, out, len);
|
||||
if(!len) {
|
||||
str_free(out);
|
||||
return str_tprintf(TEXT("MultiByteToWideChar() failed"));
|
||||
}
|
||||
#else
|
||||
len=strlen(in);
|
||||
out=str_alloc(len+1);
|
||||
strcpy(out, in);
|
||||
/* FIXME: convert UTF-8 to native codepage */
|
||||
out=str_dup(in);
|
||||
#endif
|
||||
return out;
|
||||
}
|
||||
|
||||
LPSTR tstr2str(const LPTSTR in) {
|
||||
LPSTR tstr2str(LPCTSTR in) {
|
||||
LPSTR out;
|
||||
#ifdef UNICODE
|
||||
int len;
|
||||
|
||||
#ifdef UNICODE
|
||||
len=WideCharToMultiByte(CP_ACP, 0, in, -1, NULL, 0, NULL, NULL);
|
||||
len=WideCharToMultiByte(CP_UTF8, 0, in, -1, NULL, 0, NULL, NULL);
|
||||
if(!len)
|
||||
return NULL;
|
||||
out=str_alloc(len+1);
|
||||
len=WideCharToMultiByte(CP_ACP, 0, in, -1, out, len, NULL, NULL);
|
||||
if(!len)
|
||||
return NULL;
|
||||
return str_printf("WideCharToMultiByte() failed");
|
||||
out=str_alloc((size_t)len+1);
|
||||
len=WideCharToMultiByte(CP_UTF8, 0, in, -1, out, len, NULL, NULL);
|
||||
if(!len) {
|
||||
str_free(out);
|
||||
return str_printf("WideCharToMultiByte() failed");
|
||||
}
|
||||
#else
|
||||
len=strlen(in);
|
||||
out=str_alloc(len+1);
|
||||
strcpy(out, in);
|
||||
/* FIXME: convert native codepage to UTF-8 */
|
||||
out=str_dup(in);
|
||||
#endif
|
||||
return out;
|
||||
}
|
||||
|
|
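Review bot: on conversion failure str2tstr() and tstr2str() now return the text `"MultiByteToWideChar() failed"` (or the WideCharToMultiByte() variant) instead of NULL, so a caller such as file_open() cannot tell failure from success and goes on to CreateFile() a path literally named after the error; return NULL after freeing `out` and log the failure at the call site. Separately, file_permissions() warns only when `sb.st_mode & 7` is set, i.e. world-accessible bits, so a group-readable key file passes silently; that is consistent with the 0640 mode file_open() uses, but the comment should say so.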
Binary file not shown.
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
|
@ -42,23 +42,33 @@
|
|||
|
||||
#include <tcpd.h>
|
||||
|
||||
static int check(char *, int);
|
||||
#if defined(USE_PTHREAD) && !defined(__CYGWIN__)
|
||||
/* http://wiki.osdev.org/Cygwin_Issues#Passing_file_descriptors */
|
||||
#define USE_LIBWRAP_POOL
|
||||
#endif /* USE_PTHREAD && !__CYGWIN__ */
|
||||
|
||||
NOEXPORT int check(char *, int);
|
||||
|
||||
int allow_severity=LOG_NOTICE, deny_severity=LOG_WARNING;
|
||||
|
||||
#ifdef USE_PTHREAD
|
||||
#ifdef USE_LIBWRAP_POOL
|
||||
#define SERVNAME_LEN 256
|
||||
|
||||
static ssize_t read_fd(int, void *, size_t, int *);
|
||||
static ssize_t write_fd(int, void *, size_t, int);
|
||||
NOEXPORT ssize_t read_fd(int, void *, size_t, int *);
|
||||
NOEXPORT ssize_t write_fd(int, void *, size_t, int);
|
||||
|
||||
int num_processes=0;
|
||||
unsigned num_processes=0;
|
||||
static int *ipc_socket, *busy;
|
||||
#endif /* USE_PTHREAD */
|
||||
#endif /* USE_LIBWRAP_POOL */
|
||||
|
||||
#ifdef __GNUC__
|
||||
#pragma GCC diagnostic push
|
||||
#pragma GCC diagnostic ignored "-Wunused-result"
|
||||
#endif /* __GNUC__ */
|
||||
int libwrap_init() {
|
||||
#ifdef USE_PTHREAD
|
||||
int i, j, rfd, result;
|
||||
#ifdef USE_LIBWRAP_POOL
|
||||
unsigned i, j;
|
||||
int rfd, result;
|
||||
char servname[SERVNAME_LEN];
|
||||
static int initialized=0;
|
||||
SERVICE_OPTIONS *opt;
|
||||
|
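Review bot: the prototype `NOEXPORT ssize_t read_fd(int, void *, size_t, int *)` declared here no longer matches the definition later in this change, which takes `SOCKET` and `SOCKET *`; that only compiles while SOCKET is a typedef of int, so update the prototype (and `ipc_socket`, still `int *`) to SOCKET. The `#pragma GCC diagnostic ignored "-Wunused-result"` wrapped around all of libwrap_init() silences the warning for every call in the function rather than the one `write()` it is aimed at; narrow it to that call or, better, check the result.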
@ -82,10 +92,11 @@ int libwrap_init() {
|
|||
ioerror("fork");
|
||||
return 1;
|
||||
case 0: /* child */
|
||||
tls_alloc(NULL, ui_tls, "libwrap");
|
||||
drop_privileges(0); /* libwrap processes are not chrooted */
|
||||
close(0); /* stdin */
|
||||
close(1); /* stdout */
|
||||
if(!global_options.option.foreground) /* for logging in read_fd */
|
||||
if(!global_options.option.log_stderr) /* for logging in read_fd */
|
||||
close(2); /* stderr */
|
||||
for(j=0; j<=i; ++j) /* close parent-side sockets created so far */
|
||||
close(ipc_socket[2*j]);
|
||||
|
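Review bot: `drop_privileges(0); /* libwrap processes are not chrooted */` says what the argument does but not why; extend the comment to state that the helper must keep the real filesystem so hosts_access() can still read the hosts.allow and hosts.deny tables, otherwise the next reader is tempted to pass 1 for consistency with the main process.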
@ -93,7 +104,7 @@ int libwrap_init() {
|
|||
if(read_fd(ipc_socket[2*i+1], servname, SERVNAME_LEN, &rfd)<=0)
|
||||
_exit(0);
|
||||
result=check(servname, rfd);
|
||||
write(ipc_socket[2*i+1], (u8 *)&result, sizeof result);
|
||||
write(ipc_socket[2*i+1], (uint8_t *)&result, sizeof result);
|
||||
if(rfd>=0)
|
||||
close(rfd);
|
||||
}
|
||||
|
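Review bot: `write(ipc_socket[2*i+1], (uint8_t *)&result, sizeof result);` still ignores the return value (the surrounding pragma only hides the warning); if the write fails or is short, the parent's s_read() on the other end waits for bytes that never arrive, so check for `!=sizeof result` and `_exit()` the child the way the read_fd() failure path above does.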
@ -102,18 +113,22 @@ int libwrap_init() {
|
|||
}
|
||||
}
|
||||
initialized=1;
|
||||
#endif /* USE_PTHREAD */
|
||||
#endif /* USE_LIBWRAP_POOL */
|
||||
return 0;
|
||||
}
|
||||
#ifdef __GNUC__
|
||||
#pragma GCC diagnostic pop
|
||||
#endif /* __GNUC__ */
|
||||
|
||||
void libwrap_auth(CLI *c, char *accepted_address) {
|
||||
int result=0; /* deny by default */
|
||||
#ifdef USE_PTHREAD
|
||||
static volatile int num_busy=0, roundrobin=0;
|
||||
int retval, my_process;
|
||||
#ifdef USE_LIBWRAP_POOL
|
||||
static volatile unsigned num_busy=0, roundrobin=0;
|
||||
unsigned my_process;
|
||||
int retval;
|
||||
static pthread_mutex_t mutex=PTHREAD_MUTEX_INITIALIZER;
|
||||
static pthread_cond_t cond=PTHREAD_COND_INITIALIZER;
|
||||
#endif /* USE_PTHREAD */
|
||||
#endif /* USE_LIBWRAP_POOL */
|
||||
|
||||
if(!c->opt->option.libwrap) /* libwrap is disabled for this service */
|
||||
return; /* allow connection */
|
||||
|
@ -123,7 +138,7 @@ void libwrap_auth(CLI *c, char *accepted_address) {
|
|||
return;
|
||||
}
|
||||
#endif
|
||||
#ifdef USE_PTHREAD
|
||||
#ifdef USE_LIBWRAP_POOL
|
||||
if(num_processes) {
|
||||
s_log(LOG_DEBUG, "Waiting for a libwrap process");
|
||||
|
||||
|
@ -156,8 +171,8 @@ void libwrap_auth(CLI *c, char *accepted_address) {
|
|||
s_log(LOG_DEBUG, "Acquired libwrap process #%d", my_process);
|
||||
write_fd(ipc_socket[2*my_process], c->opt->servname,
|
||||
strlen(c->opt->servname)+1, c->local_rfd.fd);
|
||||
read_blocking(c, ipc_socket[2*my_process],
|
||||
(u8 *)&result, sizeof result);
|
||||
s_read(c, ipc_socket[2*my_process],
|
||||
(uint8_t *)&result, sizeof result);
|
||||
s_log(LOG_DEBUG, "Releasing libwrap process #%d", my_process);
|
||||
|
||||
retval=pthread_mutex_lock(&mutex);
|
||||
|
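Review bot: `my_process` became `unsigned` in this change but the "Acquired"/"Releasing" debug messages still format it with `%d`; switch them to `%u`. The return value of write_fd() is not checked either, so a failed sendmsg() leaves the following s_read() blocked until the helper process goes away.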
@ -183,11 +198,11 @@ void libwrap_auth(CLI *c, char *accepted_address) {
|
|||
|
||||
s_log(LOG_DEBUG, "Released libwrap process #%d", my_process);
|
||||
} else
|
||||
#endif /* USE_PTHREAD */
|
||||
#endif /* USE_LIBWRAP_POOL */
|
||||
{ /* use original, synchronous libwrap calls */
|
||||
enter_critical_section(CRIT_LIBWRAP);
|
||||
stunnel_write_lock(&stunnel_locks[LOCK_LIBWRAP]);
|
||||
result=check(c->opt->servname, c->local_rfd.fd);
|
||||
leave_critical_section(CRIT_LIBWRAP);
|
||||
stunnel_write_unlock(&stunnel_locks[LOCK_LIBWRAP]);
|
||||
}
|
||||
if(!result) {
|
||||
s_log(LOG_WARNING, "Service [%s] REFUSED by libwrap from %s",
|
||||
|
@ -199,7 +214,7 @@ void libwrap_auth(CLI *c, char *accepted_address) {
|
|||
c->opt->servname, accepted_address);
|
||||
}
|
||||
|
||||
static int check(char *name, int fd) {
|
||||
NOEXPORT int check(char *name, int fd) {
|
||||
struct request_info request;
|
||||
|
||||
request_init(&request, RQ_DAEMON, name, RQ_FILE, fd, 0);
|
||||
|
@ -207,9 +222,9 @@ static int check(char *name, int fd) {
|
|||
return hosts_access(&request);
|
||||
}
|
||||
|
||||
#ifdef USE_PTHREAD
|
||||
#ifdef USE_LIBWRAP_POOL
|
||||
|
||||
static ssize_t read_fd(int fd, void *ptr, size_t nbytes, int *recvfd) {
|
||||
NOEXPORT ssize_t read_fd(SOCKET fd, void *ptr, size_t nbytes, SOCKET *recvfd) {
|
||||
struct msghdr msg;
|
||||
struct iovec iov[1];
|
||||
ssize_t n;
|
||||
|
@ -238,7 +253,7 @@ static ssize_t read_fd(int fd, void *ptr, size_t nbytes, int *recvfd) {
|
|||
msg.msg_iov=iov;
|
||||
msg.msg_iovlen=1;
|
||||
|
||||
*recvfd=-1; /* descriptor was not passed */
|
||||
*recvfd=INVALID_SOCKET; /* descriptor was not passed */
|
||||
n=recvmsg(fd, &msg, 0);
|
||||
if(n<=0)
|
||||
return n;
|
||||
|
@ -264,7 +279,7 @@ static ssize_t read_fd(int fd, void *ptr, size_t nbytes, int *recvfd) {
|
|||
return n;
|
||||
}
|
||||
|
||||
static ssize_t write_fd(int fd, void *ptr, size_t nbytes, int sendfd) {
|
||||
NOEXPORT ssize_t write_fd(int fd, void *ptr, size_t nbytes, int sendfd) {
|
||||
struct msghdr msg;
|
||||
struct iovec iov[1];
|
||||
|
||||
|
@ -299,7 +314,7 @@ static ssize_t write_fd(int fd, void *ptr, size_t nbytes, int sendfd) {
|
|||
return sendmsg(fd, &msg, 0);
|
||||
}
|
||||
|
||||
#endif /* USE_PTHREAD */
|
||||
#endif /* USE_LIBWRAP_POOL */
|
||||
|
||||
#endif /* USE_LIBWRAP */
|
||||
|
||||
|
|
235
src/log.c
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
|
@ -38,15 +38,18 @@
|
|||
#include "common.h"
|
||||
#include "prototypes.h"
|
||||
|
||||
static void log_raw(const int, const char *, const char *, const char *);
|
||||
NOEXPORT void log_raw(const SERVICE_OPTIONS *, const int,
|
||||
const char *, const char *, const char *);
|
||||
NOEXPORT void safestring(char *);
|
||||
|
||||
static DISK_FILE *outfile=NULL;
|
||||
static struct LIST { /* single-linked list of log lines */
|
||||
struct LIST *next;
|
||||
SERVICE_OPTIONS *opt;
|
||||
int level;
|
||||
char *stamp, *id, *text;
|
||||
} *head=NULL, *tail=NULL;
|
||||
static LOG_MODE mode=LOG_MODE_NONE;
|
||||
static LOG_MODE log_mode=LOG_MODE_BUFFER;
|
||||
|
||||
#if !defined(USE_WIN32) && !defined(__vms)
|
||||
|
||||
|
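Review bot: the buffered log entry now stores a raw `SERVICE_OPTIONS *opt` that log_flush() dereferences later for `opt->log_level`; if a service's options can be freed (configuration reload) while lines are still buffered, the flush reads freed memory. Either copy the log level into the LIST node at s_log() time or document why the pointer is guaranteed to outlive the buffer.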
@ -54,18 +57,19 @@ static int syslog_opened=0;
|
|||
|
||||
void syslog_open(void) {
|
||||
syslog_close();
|
||||
if(global_options.option.syslog)
|
||||
if(global_options.option.log_syslog)
|
||||
#ifdef __ultrix__
|
||||
openlog("stunnel", 0);
|
||||
openlog(service_options.servname, 0);
|
||||
#else
|
||||
openlog("stunnel", LOG_CONS|LOG_NDELAY, global_options.facility);
|
||||
openlog(service_options.servname,
|
||||
LOG_CONS|LOG_NDELAY, global_options.log_facility);
|
||||
#endif /* __ultrix__ */
|
||||
syslog_opened=1;
|
||||
}
|
||||
|
||||
void syslog_close(void) {
|
||||
if(syslog_opened) {
|
||||
if(global_options.option.syslog)
|
||||
if(global_options.option.log_syslog)
|
||||
closelog();
|
||||
syslog_opened=0;
|
||||
}
|
||||
|
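Review bot: `openlog(service_options.servname, ...)` passes a dynamically managed string as the syslog ident; glibc's openlog() keeps the pointer rather than copying it, so servname must stay allocated and unchanged until closelog(), and a reload that reallocates it would corrupt the tag on every later syslog line. Either keep a static ident as before or make sure syslog_close() runs before the options are freed.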
@ -75,11 +79,25 @@ void syslog_close(void) {
|
|||
|
||||
int log_open(void) {
|
||||
if(global_options.output_file) { /* 'output' option specified */
|
||||
outfile=file_open(global_options.output_file, 1);
|
||||
outfile=file_open(global_options.output_file,
|
||||
global_options.log_file_mode);
|
||||
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
|
||||
if(!outfile) {
|
||||
char appdata[MAX_PATH], *path;
|
||||
if(SHGetFolderPathA(NULL, CSIDL_LOCAL_APPDATA|CSIDL_FLAG_CREATE,
|
||||
NULL, 0, appdata)==S_OK) {
|
||||
path=str_printf("%s\\%s", appdata, global_options.output_file);
|
||||
outfile=file_open(path, global_options.log_file_mode);
|
||||
if(outfile)
|
||||
s_log(LOG_NOTICE, "Logging to %s", path);
|
||||
str_free(path);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
if(!outfile) {
|
||||
s_log(LOG_ERR, "Cannot open log file: %s",
|
||||
global_options.output_file);
|
||||
return 1;
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
log_flush(LOG_MODE_CONFIGURED);
|
||||
|
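Review bot: the new LOCAL_APPDATA fallback builds `"%s\\%s"` from `appdata` and `global_options.output_file` unconditionally, so an absolute `output` path that failed to open (for example because of permissions) is retried as a nonsense path under AppData instead of being reported; restrict the fallback to relative file names. Logging "Logging to %s" when the fallback succeeds is right, since the file silently moves otherwise.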
@ -87,24 +105,28 @@ int log_open(void) {
|
|||
}
|
||||
|
||||
void log_close(void) {
|
||||
mode=LOG_MODE_NONE;
|
||||
/* prevent changing the mode while logging */
|
||||
stunnel_write_lock(&stunnel_locks[LOCK_LOG_MODE]);
|
||||
log_mode=LOG_MODE_BUFFER;
|
||||
if(outfile) {
|
||||
file_close(outfile);
|
||||
outfile=NULL;
|
||||
}
|
||||
stunnel_write_unlock(&stunnel_locks[LOCK_LOG_MODE]);
|
||||
}
|
||||
|
||||
void log_flush(LOG_MODE new_mode) {
|
||||
struct LIST *tmp;
|
||||
|
||||
stunnel_write_lock(&stunnel_locks[LOCK_LOG_MODE]);
|
||||
/* prevent changing LOG_MODE_CONFIGURED to LOG_MODE_ERROR
|
||||
* once stderr file descriptor is closed */
|
||||
if(mode!=LOG_MODE_CONFIGURED)
|
||||
mode=new_mode;
|
||||
|
||||
enter_critical_section(CRIT_LOG);
|
||||
if(log_mode!=LOG_MODE_CONFIGURED)
|
||||
log_mode=new_mode;
|
||||
/* log_raw() will use the new value of log_mode */
|
||||
stunnel_write_lock(&stunnel_locks[LOCK_LOG_BUFFER]);
|
||||
while(head) {
|
||||
log_raw(head->level, head->stamp, head->id, head->text);
|
||||
log_raw(head->opt, head->level, head->stamp, head->id, head->text);
|
||||
str_free(head->stamp);
|
||||
str_free(head->id);
|
||||
str_free(head->text);
|
||||
|
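Review bot: the old comment explaining why `log_mode` is left alone once it is LOG_MODE_CONFIGURED (stderr may already be closed, so dropping back to LOG_MODE_ERROR would lose output) was deleted with the rename, but the `if(log_mode!=LOG_MODE_CONFIGURED)` guard it justified is still there; keep the comment. The lock order here (LOCK_LOG_MODE before LOCK_LOG_BUFFER) is what prevents a deadlock against a concurrent s_log(), and deserves a one-line comment as well.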
@ -112,28 +134,43 @@ void log_flush(LOG_MODE new_mode) {
|
|||
head=head->next;
|
||||
str_free(tmp);
|
||||
}
|
||||
leave_critical_section(CRIT_LOG);
|
||||
head=tail=NULL;
|
||||
stunnel_write_unlock(&stunnel_locks[LOCK_LOG_BUFFER]);
|
||||
stunnel_write_unlock(&stunnel_locks[LOCK_LOG_MODE]);
|
||||
}
|
||||
|
||||
void s_log(int level, const char *format, ...) {
|
||||
va_list ap;
|
||||
char *text, *stamp, *id;
|
||||
struct LIST *tmp;
|
||||
int libc_error, socket_error;
|
||||
#ifdef USE_WIN32
|
||||
DWORD libc_error;
|
||||
#else
|
||||
int libc_error;
|
||||
#endif
|
||||
int socket_error;
|
||||
time_t gmt;
|
||||
struct tm *timeptr;
|
||||
#if defined(HAVE_LOCALTIME_R) && defined(_REENTRANT)
|
||||
struct tm timestruct;
|
||||
#endif
|
||||
TLS_DATA *tls_data;
|
||||
|
||||
tls_data=tls_get();
|
||||
if(!tls_data) {
|
||||
tls_data=tls_alloc(NULL, NULL, "log");
|
||||
s_log(LOG_ERR, "INTERNAL ERROR: Uninitialized TLS at %s, line %d",
|
||||
__FILE__, __LINE__);
|
||||
}
|
||||
|
||||
/* performance optimization: skip the trivial case early */
|
||||
if(mode==LOG_MODE_CONFIGURED && level>global_options.debug_level)
|
||||
if(log_mode==LOG_MODE_CONFIGURED && level>tls_data->opt->log_level)
|
||||
return;
|
||||
|
||||
libc_error=get_last_error();
|
||||
socket_error=get_last_socket_error();
|
||||
|
||||
/* format the id to be logged */
|
||||
time(&gmt);
|
||||
#if defined(HAVE_LOCALTIME_R) && defined(_REENTRANT)
|
||||
timeptr=localtime_r(&gmt, ×truct);
|
||||
|
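Review bot: the early return `if(log_mode==LOG_MODE_CONFIGURED && level>tls_data->opt->log_level)` dereferences `tls_data->opt` without a NULL check right after the fallback `tls_alloc(NULL, NULL, "log")` that passes NULL for the options; confirm that tls_alloc() substitutes a default SERVICE_OPTIONS when given NULL, otherwise this path crashes on exactly the uninitialised-thread case it is trying to report. The nested s_log() in that block terminates only because tls_get() returns the freshly allocated data on the second pass, which is worth a comment.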
@ -143,17 +180,20 @@ void s_log(int level, const char *format, ...) {
|
|||
stamp=str_printf("%04d.%02d.%02d %02d:%02d:%02d",
|
||||
timeptr->tm_year+1900, timeptr->tm_mon+1, timeptr->tm_mday,
|
||||
timeptr->tm_hour, timeptr->tm_min, timeptr->tm_sec);
|
||||
id=str_printf("LOG%d[%lu:%lu]",
|
||||
level, stunnel_process_id(), stunnel_thread_id());
|
||||
id=str_printf("LOG%d[%s]", level, tls_data->id);
|
||||
|
||||
/* format the text to be logged */
|
||||
va_start(ap, format);
|
||||
text=str_vprintf(format, ap);
|
||||
va_end(ap);
|
||||
safestring(text);
|
||||
|
||||
if(mode==LOG_MODE_NONE) { /* save the text to log it later */
|
||||
enter_critical_section(CRIT_LOG);
|
||||
tmp=str_alloc(sizeof(struct LIST));
|
||||
str_detach(tmp);
|
||||
stunnel_read_lock(&stunnel_locks[LOCK_LOG_MODE]);
|
||||
if(log_mode==LOG_MODE_BUFFER) { /* save the text to log it later */
|
||||
stunnel_write_lock(&stunnel_locks[LOCK_LOG_BUFFER]);
|
||||
tmp=str_alloc_detached(sizeof(struct LIST));
|
||||
tmp->next=NULL;
|
||||
tmp->opt=tls_data->opt;
|
||||
tmp->level=level;
|
||||
tmp->stamp=stamp;
|
||||
str_detach(tmp->stamp);
|
||||
|
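Review bot: safestring() is applied to the formatted `text` before it is buffered or written, so peer-controlled strings (SNI names, certificate subjects, protocol banners) cannot inject control characters or terminal escapes into the log; the `id` built from `tls_data->id` is not filtered, which is fine only as long as log_id() emits nothing beyond digits and its base-62 table, so keep that constraint in mind if new LOG_ID kinds are added.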
@ -166,94 +206,164 @@ void s_log(int level, const char *format, ...) {
|
|||
else
|
||||
head=tmp;
|
||||
tail=tmp;
|
||||
leave_critical_section(CRIT_LOG);
|
||||
stunnel_write_unlock(&stunnel_locks[LOCK_LOG_BUFFER]);
|
||||
} else { /* ready log the text directly */
|
||||
log_raw(level, stamp, id, text);
|
||||
log_raw(tls_data->opt, level, stamp, id, text);
|
||||
str_free(stamp);
|
||||
str_free(id);
|
||||
str_free(text);
|
||||
}
|
||||
stunnel_read_unlock(&stunnel_locks[LOCK_LOG_MODE]);
|
||||
|
||||
set_last_error(libc_error);
|
||||
set_last_socket_error(socket_error);
|
||||
}
|
||||
|
||||
static void log_raw(const int level, const char *stamp,
|
||||
NOEXPORT void log_raw(const SERVICE_OPTIONS *opt,
|
||||
const int level, const char *stamp,
|
||||
const char *id, const char *text) {
|
||||
char *line;
|
||||
|
||||
/* build the line and log it to syslog/file */
|
||||
if(mode==LOG_MODE_CONFIGURED) { /* configured */
|
||||
if(log_mode==LOG_MODE_CONFIGURED) { /* configured */
|
||||
line=str_printf("%s %s: %s", stamp, id, text);
|
||||
if(level<=global_options.debug_level) {
|
||||
if(level<=opt->log_level) {
|
||||
#if !defined(USE_WIN32) && !defined(__vms)
|
||||
if(global_options.option.syslog)
|
||||
if(global_options.option.log_syslog)
|
||||
syslog(level, "%s: %s", id, text);
|
||||
#endif /* USE_WIN32, __vms */
|
||||
if(outfile)
|
||||
file_putline(outfile, line); /* send log to file */
|
||||
}
|
||||
} else /* LOG_MODE_ERROR or LOG_MODE_INFO */
|
||||
} else if(log_mode==LOG_MODE_ERROR) {
|
||||
if(level>=0 && level<=7) /* just in case */
|
||||
line=str_printf("[%c] %s", "***!:. "[level], text);
|
||||
else
|
||||
line=str_printf("[?] %s", text);
|
||||
} else /* LOG_MODE_INFO */
|
||||
line=str_dup(text); /* don't log the time stamp in error mode */
|
||||
|
||||
/* log the line to GUI/stderr */
|
||||
#ifdef USE_WIN32
|
||||
if(mode==LOG_MODE_ERROR || /* always log to the GUI window */
|
||||
(mode==LOG_MODE_INFO && level<LOG_DEBUG) ||
|
||||
level<=global_options.debug_level)
|
||||
win_new_log(line);
|
||||
#else /* Unix */
|
||||
if(mode==LOG_MODE_ERROR || /* always log LOG_MODE_ERROR to stderr */
|
||||
(mode==LOG_MODE_INFO && level<LOG_DEBUG) ||
|
||||
(level<=global_options.debug_level &&
|
||||
global_options.option.foreground))
|
||||
fprintf(stderr, "%s\n", line); /* send log to stderr */
|
||||
/* log the line to the UI (GUI, stderr, etc.) */
|
||||
if(log_mode==LOG_MODE_ERROR ||
|
||||
(log_mode==LOG_MODE_INFO && level<LOG_DEBUG) ||
|
||||
#if defined(USE_WIN32) || defined(USE_JNI)
|
||||
level<=opt->log_level
|
||||
#else
|
||||
(level<=opt->log_level &&
|
||||
global_options.option.log_stderr)
|
||||
#endif
|
||||
)
|
||||
ui_new_log(line);
|
||||
|
||||
str_free(line);
|
||||
}
|
||||
|
||||
/* critical problem - str.c functions are not safe to use */
|
||||
void fatal_debug(char *error, char *file, int line) {
|
||||
char text[80];
|
||||
#ifdef __GNUC__
|
||||
#pragma GCC diagnostic push
|
||||
#pragma GCC diagnostic ignored "-Wformat"
|
||||
#pragma GCC diagnostic ignored "-Wformat-extra-args"
|
||||
#endif /* __GNUC__ */
|
||||
char *log_id(CLI *c) {
|
||||
const char table[62]=
|
||||
"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
|
||||
unsigned char rnd[22];
|
||||
char *uniq;
|
||||
size_t i;
|
||||
unsigned long tid;
|
||||
|
||||
switch(c->opt->log_id) {
|
||||
case LOG_ID_SEQUENTIAL:
|
||||
return str_printf("%llu", c->seq);
|
||||
case LOG_ID_UNIQUE:
|
||||
if(RAND_bytes(rnd, sizeof rnd)<=0) /* log2(62^22)=130.99 */
|
||||
return str_dup("error");
|
||||
for(i=0; i<sizeof rnd; ++i) {
|
||||
rnd[i]&=63;
|
||||
while(rnd[i]>=62) {
|
||||
if(RAND_bytes(rnd+i, 1)<=0)
|
||||
return str_dup("error");
|
||||
rnd[i]&=63;
|
||||
}
|
||||
}
|
||||
uniq=str_alloc(sizeof rnd+1);
|
||||
for(i=0; i<sizeof rnd; ++i)
|
||||
uniq[i]=table[rnd[i]];
|
||||
uniq[sizeof rnd]='\0';
|
||||
return uniq;
|
||||
case LOG_ID_THREAD:
|
||||
tid=stunnel_thread_id();
|
||||
if(!tid) /* currently USE_FORK */
|
||||
tid=stunnel_process_id();
|
||||
return str_printf("%lu", tid);
|
||||
case LOG_ID_PROCESS:
|
||||
return str_printf("%lu", stunnel_process_id());
|
||||
}
|
||||
return str_dup("error");
|
||||
}
|
||||
#ifdef __GNUC__
|
||||
#pragma GCC diagnostic pop
|
||||
#endif /* __GNUC__ */
|
||||
|
||||
/* critical problem handling */
|
||||
/* str.c functions are not safe to use here */
|
||||
#ifdef __GNUC__
|
||||
#pragma GCC diagnostic push
|
||||
#pragma GCC diagnostic ignored "-Wunused-result"
|
||||
#endif /* __GNUC__ */
|
||||
void fatal_debug(char *txt, const char *file, int line) {
|
||||
char msg[80];
|
||||
#ifdef USE_WIN32
|
||||
DWORD num;
|
||||
#ifdef UNICODE
|
||||
TCHAR tmsg[80];
|
||||
#endif
|
||||
#endif /* USE_WIN32 */
|
||||
|
||||
snprintf(text, sizeof text, /* with newline */
|
||||
"INTERNAL ERROR: %s at %s, line %d\n", error, file, line);
|
||||
snprintf(msg, sizeof msg, /* with newline */
|
||||
"INTERNAL ERROR: %s at %s, line %d\n", txt, file, line);
|
||||
|
||||
if(outfile) {
|
||||
#ifdef USE_WIN32
|
||||
WriteFile(outfile->fh, text, strlen(text), &num, NULL);
|
||||
WriteFile(outfile->fh, msg, (DWORD)strlen(msg), &num, NULL);
|
||||
#else /* USE_WIN32 */
|
||||
/* no file -> write to stderr */
|
||||
write(outfile ? outfile->fd : 2, text, strlen(text));
|
||||
/* no meaningful way here to handle the result */
|
||||
write(outfile ? outfile->fd : 2, msg, strlen(msg));
|
||||
#endif /* USE_WIN32 */
|
||||
}
|
||||
|
||||
#ifndef USE_WIN32
|
||||
if(mode!=LOG_MODE_CONFIGURED || global_options.option.foreground)
|
||||
fputs(text, stderr);
|
||||
if(log_mode!=LOG_MODE_CONFIGURED || global_options.option.log_stderr) {
|
||||
fputs(msg, stderr);
|
||||
fflush(stderr);
|
||||
}
|
||||
#endif /* !USE_WIN32 */
|
||||
|
||||
snprintf(text, sizeof text, /* without newline */
|
||||
"INTERNAL ERROR: %s at %s, line %d", error, file, line);
|
||||
snprintf(msg, sizeof msg, /* without newline */
|
||||
"INTERNAL ERROR: %s at %s, line %d", txt, file, line);
|
||||
|
||||
#if !defined(USE_WIN32) && !defined(__vms)
|
||||
if(global_options.option.syslog)
|
||||
syslog(LOG_CRIT, "%s", text);
|
||||
if(global_options.option.log_syslog)
|
||||
syslog(LOG_CRIT, "%s", msg);
|
||||
#endif /* USE_WIN32, __vms */
|
||||
|
||||
#ifdef USE_WIN32
|
||||
message_box(text, MB_ICONERROR);
|
||||
#ifdef UNICODE
|
||||
if(MultiByteToWideChar(CP_UTF8, 0, msg, -1, tmsg, 80))
|
||||
message_box(tmsg, MB_ICONERROR);
|
||||
#else
|
||||
message_box(msg, MB_ICONERROR);
|
||||
#endif
|
||||
#endif /* USE_WIN32 */
|
||||
|
||||
abort();
|
||||
}
|
||||
#ifdef __GNUC__
|
||||
#pragma GCC diagnostic pop
|
||||
#endif /* __GNUC__ */
|
||||
|
||||
void ioerror(const char *txt) { /* input/output error */
|
||||
log_error(LOG_ERR, get_last_error(), txt);
|
||||
log_error(LOG_ERR, (int)get_last_error(), txt);
|
||||
}
|
||||
|
||||
void sockerror(const char *txt) { /* socket error */
|
||||
|
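Review bot: the `#pragma GCC diagnostic ignored "-Wformat"` / `"-Wformat-extra-args"` pair wrapped around the whole of `log_id()` disables exactly the check that would catch a mismatch between `"%llu"` / `"%lu"` and the actual types of `c->seq`, `tid` and `stunnel_process_id()`; casting the arguments to the type the format names (`(unsigned long long)c->seq`, `(unsigned long)tid`) silences the warning without switching the diagnostic off, and if the suppression is there for a specific C runtime's printf, a comment should say so. In `fatal_debug()`, `write(outfile ? outfile->fd : 2, msg, strlen(msg));` sits inside `if(outfile)`, so the `: 2` fallback is dead code and the removed "no file -> write to stderr" comment no longer describes what happens when `outfile` is NULL (the message then reaches stderr only through the `log_stderr` branch below); drop the ternary. The literal `80` passed to `MultiByteToWideChar(..., tmsg, 80)` duplicates the size of `tmsg`; `sizeof tmsg/sizeof *tmsg` keeps the two in step.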
@ -377,4 +487,11 @@ char *s_strerror(int errnum) {
|
|||
}
|
||||
}
|
||||
|
||||
/* replace non-UTF-8 and non-printable control characters with '.' */
|
||||
NOEXPORT void safestring(char *c) {
|
||||
for(; *c; ++c)
|
||||
if(!(*c&0x80 || isprint((int)*c)))
|
||||
*c='.';
|
||||
}
|
||||
|
||||
/* end of log.c */
|
||||
|
|
|
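Review bot: the comment on `safestring()` says "replace non-UTF-8 and non-printable control characters", but the condition `!(*c&0x80 || isprint((int)*c))` passes every byte with the high bit set through untouched (no UTF-8 validation at all) and replaces only the 7-bit non-printables; reword it to "keep high-bit bytes (assumed UTF-8), replace 7-bit non-printable characters". Note for readers of the log sanitising: ESC (0x1B) is caught, so 7-bit terminal escape sequences in peer-supplied strings are neutralised, but C1 control characters encoded as UTF-8 (0xC2 0x80..0x9F) and invalid multi-byte sequences reach the log sink unchanged.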
@ -1,8 +1,8 @@
|
|||
@echo off
|
||||
:: pdelaage commented : make.exe -f mingw.mak %1 %2 %3 %4 %5 %6 %7 %8 %9
|
||||
:: on Windows, make is Borland make, but mingw.mak is NOW only compatible
|
||||
:: with gnu make (due to various improvments I made, for compatibility between
|
||||
:: linux and Windows host environments.
|
||||
:: with gnu make (due to various improvements I made, for compatibility between
|
||||
:: linux and Windows host environments).
|
||||
:: and echo OFF is the sign we are HERE on Windows, isn't it?...
|
||||
|
||||
mingw32-make.exe -f mingw.mak %1 %2 %3 %4 %5 %6 %7 %8 %9
|
||||
|
|
|
@ -1,18 +1,30 @@
|
|||
@echo off
|
||||
TITLE W32 STUNNEL
|
||||
::pdelaage 20101026: for use with MS VCexpress 2008 (v9)
|
||||
::some trick to avoid re-pollution of env vars as much as possible
|
||||
|
||||
:: In multitarget compilation environment, it is better to open a new cmd.exe window
|
||||
:: to avoid pollution of PATH from, eg, some previous WCE compilation attempts.
|
||||
:: In a multi-target compilation environment, it is better to open
|
||||
:: a new cmd.exe window in order to avoid PATH pollution
|
||||
:: (for example with some previous WCE compilation attempts)
|
||||
|
||||
set NEWTGTCPU=W32
|
||||
|
||||
rem Adjust MS VC env vars
|
||||
rem Adjust the MS VC environment variables
|
||||
rem ---------------------
|
||||
|
||||
rem Check MSenv vars against our ref values
|
||||
rem Detect the latest Visual Studio
|
||||
rem Visual Studio 2008
|
||||
if DEFINED VS90COMNTOOLS if exist "%VS90COMNTOOLS%..\..\vc\vcvarsall.bat" set vsTools=%VS90COMNTOOLS%
|
||||
rem Visual Studio 2010
|
||||
if DEFINED VS100COMNTOOLS if exist "%VS100COMNTOOLS%..\..\vc\vcvarsall.bat" set vsTools=%VS100COMNTOOLS%
|
||||
rem Visual Studio 2012
|
||||
if DEFINED VS110COMNTOOLS if exist "%VS110COMNTOOLS%..\..\vc\vcvarsall.bat" set vsTools=%VS110COMNTOOLS%
|
||||
rem Visual Studio 2013
|
||||
if DEFINED VS120COMNTOOLS if exist "%VS120COMNTOOLS%..\..\vc\vcvarsall.bat" set vsTools=%VS120COMNTOOLS%
|
||||
rem Visual Studio 2015
|
||||
if DEFINED VS140COMNTOOLS if exist "%VS140COMNTOOLS%..\..\vc\vcvarsall.bat" set vsTools=%VS140COMNTOOLS%
|
||||
|
||||
::rem Initialize the Visual Studio tools
|
||||
::call "%vsTools%..\..\vc\vcvarsall.bat"
|
||||
|
||||
rem Check the MSenv variables against our reference values
|
||||
set isenvok=0
|
||||
if NOT DEFINED TARGETCPU set TARGETCPU=XXXXX
|
||||
if "%NEWTGTCPU%"=="%TARGETCPU%" set /A "isenvok+=1"
|
||||
|
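Review bot: `vsTools` is never initialised or checked; if none of the five `VSxxCOMNTOOLS` variables is set, `vsTools` is empty (or stale from the calling shell) and the later `call "%vsTools%..\..\vc\bin\vcvars32.bat"` fails with an unhelpful "file not found". Add `set vsTools=` before the detection block and `if NOT DEFINED vsTools (echo No supported Visual Studio found & exit /b 1)` after it.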
@ -20,26 +32,26 @@ if "%NEWTGTCPU%"=="%TARGETCPU%" set /A "isenvok+=1"
|
|||
if %isenvok%==1 echo W32 ENVIRONMENT OK
|
||||
if %isenvok%==1 goto envisok
|
||||
|
||||
:: useless since separated tgt folders
|
||||
:: Useless with separated target folders
|
||||
::echo W32 TARGET CPU changed, destroying every obj files
|
||||
::del .\*.obj
|
||||
|
||||
:: if env is NOT ok, adjust MS VC env vars to be used by MS VC
|
||||
:: if env is NOT ok, adjust the MS VC environment variables
|
||||
:: (this is to avoid repetitive pollution of PATH)
|
||||
|
||||
echo W32 ENVIRONMENT ADJUSTED
|
||||
|
||||
:: reset of INCLUDE needed because of accumulation of includes in vcvars32
|
||||
:: Reset of INCLUDE is needed because of accumulation of includes in vcvars32
|
||||
|
||||
set INCLUDE=
|
||||
|
||||
call "C:\Program Files\Microsoft Visual Studio 9.0\VC\bin\vcvars32.bat"
|
||||
call "%vsTools%..\..\vc\bin\vcvars32.bat"
|
||||
|
||||
set TARGETCPU=%NEWTGTCPU%
|
||||
|
||||
:envisok
|
||||
|
||||
rem make everything
|
||||
rem Make everything
|
||||
rem ---------------
|
||||
|
||||
nmake.exe -f vc.mak %1 %2 %3 %4 %5 %6 %7 %8 %9
|
||||
|
|
|
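Review bot: the detection block above tests for `vcvarsall.bat`, but this line calls `vcvars32.bat`, so the existence check guards a different file from the one executed. Either call `"%vsTools%..\..\vc\vcvarsall.bat" x86` (which the commented-out `::call` line already sketches) or make the `if exist` test name `vcvars32.bat`.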
@ -1,4 +1,4 @@
|
|||
# Simple Makefile.w32 for stunnel.exe by Michal Trojnara 1998-2007
|
||||
# Simple Makefile.w32 for stunnel.exe by Michal Trojnara 1998-2017
|
||||
#
|
||||
# Modified by Brian Hatch (bri@stunnel.org)
|
||||
# 20101030 pdelaage:
|
||||
|
@ -22,8 +22,21 @@
|
|||
|
||||
# Modify this to point to your actual openssl compile directory
|
||||
# (You did already compile openssl, didn't you???)
|
||||
SSLDIR=../openssl-1.0.0f
|
||||
#SSLDIR=C:/Users/standard/Documents/Dvts/Contrib/openssl/v1.0.0c/patched3
|
||||
#SSLDIR=../../openssl-0.9.8zh
|
||||
#SSLDIR=../../openssl-1.0.0t
|
||||
SSLDIR=../../openssl-1.0.1q
|
||||
|
||||
# For 0.9.8 mingw compiled openssl
|
||||
#SSLINC=$(SSLDIR)/outinc
|
||||
#SSLLIBS=-L$(SSLDIR)/out -leay32 -lssl32
|
||||
|
||||
# for 1.0.0/1.0.1 mingw (msys2) compiled
|
||||
SSLINC=$(SSLDIR)/include
|
||||
SSLLIBS=-L$(SSLDIR) -lcrypto.dll -lssl.dll
|
||||
|
||||
# For MSVC compiled openssl
|
||||
#SSLINC=$(SSLDIR)/inc32
|
||||
#SSLLIBS=-L$(SSLDIR)/out32dll -lssleay32 -llibeay32
|
||||
|
||||
# c:\, backslash is not correctly recognized by mingw32-make, produces some
|
||||
# "missing separator" issue.
|
||||
|
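Review bot: `SSLDIR=../../openssl-1.0.1q` pins the Windows build to the OpenSSL 1.0.1 branch, which went out of support at the end of 2016, so anyone following this 2017 makefile verbatim links stunnel.exe against an unmaintained library. Make the path overridable (`ifndef SSLDIR` / `SSLDIR ?= ...`) and point the default at a supported branch; the commented-out 0.9.8zh and 1.0.0t lines can go for the same reason.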
@ -34,17 +47,19 @@ SSLDIR=../openssl-1.0.0f
|
|||
# $(info is !MESSAGE in MS nmake or Borland make.
|
||||
|
||||
ifdef windir
|
||||
$(info host machine is a Windows machine )
|
||||
$(info host machine is a Windows machine )
|
||||
NULLDEV=NUL
|
||||
MKDIR="C:\Program Files\GnuWin32\bin\mkdir.exe"
|
||||
DELFILES="C:\Program Files\GnuWin32\bin\rm.exe" -f
|
||||
DELDIR="C:\Program Files\GnuWin32\bin\rm.exe" -rf
|
||||
COPYFILES="C:\Program Files\GnuWin32\bin\cp.exe" -f
|
||||
else
|
||||
$(info host machine is a linux machine )
|
||||
$(info host machine is a linux machine )
|
||||
NULLDEV=/dev/null
|
||||
MKDIR=mkdir
|
||||
DELFILES=rm -f
|
||||
DELDIR=rm -rf
|
||||
COPYFILES=cp -f
|
||||
endif
|
||||
|
||||
TARGETCPU=MGW32
|
||||
|
@ -57,7 +72,14 @@ BIN=$(BINROOT)/$(TARGETCPU)
|
|||
OBJS=$(OBJ)/stunnel.o $(OBJ)/ssl.o $(OBJ)/ctx.o $(OBJ)/verify.o \
|
||||
$(OBJ)/file.o $(OBJ)/client.o $(OBJ)/protocol.o $(OBJ)/sthreads.o \
|
||||
$(OBJ)/log.o $(OBJ)/options.o $(OBJ)/network.o $(OBJ)/resolver.o \
|
||||
$(OBJ)/gui.o $(OBJ)/resources.o $(OBJ)/str.o $(OBJ)/fd.o
|
||||
$(OBJ)/ui_win_gui.o $(OBJ)/resources.o $(OBJ)/str.o $(OBJ)/tls.o \
|
||||
$(OBJ)/fd.o $(OBJ)/dhparam.o $(OBJ)/cron.o
|
||||
|
||||
TOBJS=$(OBJ)/stunnel.o $(OBJ)/ssl.o $(OBJ)/ctx.o $(OBJ)/verify.o \
|
||||
$(OBJ)/file.o $(OBJ)/client.o $(OBJ)/protocol.o $(OBJ)/sthreads.o \
|
||||
$(OBJ)/log.o $(OBJ)/options.o $(OBJ)/network.o $(OBJ)/resolver.o \
|
||||
$(OBJ)/ui_win_cli.o $(OBJ)/str.o $(OBJ)/tls.o \
|
||||
$(OBJ)/fd.o $(OBJ)/dhparam.o $(OBJ)/cron.o
|
||||
|
||||
CC=gcc
|
||||
RC=windres
|
||||
|
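Review bot: `OBJS` and `TOBJS` repeat the same fifteen object files and differ only in `ui_win_gui.o`/`resources.o` versus `ui_win_cli.o`; factor the shared part into a `COMMON_OBJS` variable so a new source (as `dhparam.o` and `cron.o` are here) is listed once. The new mingw Makefile added in this same commit already does this with `win32_common`.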
@ -70,9 +92,7 @@ DEFINES=-D_WIN32_WINNT=0x0501
|
|||
|
||||
# some preprocessing debug : $(info DEFINES is $(DEFINES) )
|
||||
|
||||
#CFLAGS=-g -O2 -Wall $(DEFINES) -I$(SSLDIR)/outinc
|
||||
#pdelaage : outinc not correct, it is inc32!
|
||||
CFLAGS=-g -O2 -Wall $(DEFINES) -I$(SSLDIR)/inc32
|
||||
CFLAGS=-g -O2 -Wall $(DEFINES) -I$(SSLINC)
|
||||
|
||||
# RFLAGS, note of pdelaage: windres accepts -fo for compatibility with ms tools
|
||||
# default options : -J rc -O coff, input rc file, output coff file.
|
||||
|
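Review bot: `CFLAGS=-g -O2 -Wall $(DEFINES) -I$(SSLINC)` carries no hardening, while the new mingw Makefile in this commit compiles the same sources with `-fstack-protector -D_FORTIFY_SOURCE=2 -Wextra -Wformat=2 -Wconversion` and links with `-fstack-protector`; a stunnel.exe built from this legacy makefile therefore has no stack canaries or fortified libc calls. Add the same flags here (plus `-mthreads`), or mark this makefile as deprecated in favour of the new one.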
@ -82,10 +102,8 @@ RFLAGS=-v --use-temp-file $(DEFINES)
|
|||
RFLAGS2=-v $(DEFINES)
|
||||
LDFLAGS=-s
|
||||
|
||||
# LIBS=-L$(SSLDIR)/out -lssl -lcrypto -lwsock32 -lgdi32 -lcrypt32
|
||||
#20101030 pdelaage fix winsock2 and BAD sslpath ! LIBS=-L$(SSLDIR)/out -lzdll -leay32 -lssl32 -lwsock32 -lgdi32 -lcrypt32
|
||||
# added libeay instead of eay, ssleay instead of ssl32, suppressed zdll useless.
|
||||
LIBS=-L$(SSLDIR)/out32dll -lssleay32 -llibeay32 -lws2_32 -lpsapi -lgdi32 -lcrypt32
|
||||
LIBS=$(SSLLIBS) -lws2_32 -lpsapi -lgdi32 -lcrypt32 -lkernel32
|
||||
TLIBS=$(SSLLIBS) -lws2_32 -lpsapi -lcrypt32 -lkernel32
|
||||
# IMPORTANT pdelaage : restore this if you need (but I do not see why) -lzdll
|
||||
|
||||
$(OBJ)/%.o: $(SRC)/%.c
|
||||
|
@ -113,12 +131,16 @@ $(OBJ)/%.o: $(OBJ)/%.rcp
|
|||
# in the system...
|
||||
# for debug of the preprocessed rcp file, because it is automatically deleted by gnu-make: cp $< $<.2
|
||||
|
||||
all: testenv makedirs $(BIN)/stunnel.exe
|
||||
all: testenv makedirs $(BIN)/stunnel.exe $(BIN)/tstunnel.exe
|
||||
|
||||
testopenssl:
|
||||
@if not exist $(SSLDIR) echo You mush have a compiled OpenSSL tree
|
||||
@if not exist $(SSLINC)/openssl/applink.c $(COPYFILES) $(SSLDIR)/ms/applink.c $(SSLINC)/openssl
|
||||
|
||||
#pdelaage : testenv purpose is to detect, on windows, whether Gnu-win32 has been properly installed...
|
||||
# a first call to "true" is made to detect availability, a second is made to stop the make process.
|
||||
ifdef windir
|
||||
testenv:
|
||||
testenv: testopenssl
|
||||
-@ echo OFF
|
||||
-@ true >$(NULLDEV) 2>&1 || echo You MUST install Gnu-Win32 coreutils \
|
||||
from http://gnuwin32.sourceforge.net/downlinks/coreutils.php \
|
||||
|
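Review bot: `testopenssl` only echoes when `$(SSLDIR)` is missing ("mush" should read "must") and then lets make continue, so the build fails later on a missing header with a less useful message; end the line with `&& exit 1`, or use `$(error ...)`, so the check actually stops the build. The second line copies `ms/applink.c` into the OpenSSL tree's own include directory, i.e. it modifies the dependency in place; copying it to `$(OBJ)/openssl/applink.c` and adding `-I$(OBJ)` to CFLAGS keeps the OpenSSL checkout pristine.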
@ -133,8 +155,8 @@ endif
|
|||
clean:
|
||||
-@ $(DELFILES) $(OBJ)/*.o
|
||||
-@ $(DELFILES) $(BIN)/stunnel.exe >$(NULLDEV) 2>&1
|
||||
-@ $(DELDIR) $(OBJ) >$(NULLDEV) 2>&1
|
||||
-@ $(DELDIR) $(BIN) >$(NULLDEV) 2>&1
|
||||
-@ $(DELDIR) $(OBJ) >$(NULLDEV) 2>&1
|
||||
-@ $(DELDIR) $(BIN) >$(NULLDEV) 2>&1
|
||||
|
||||
makedirs:
|
||||
-@ $(MKDIR) $(OBJROOT) >$(NULLDEV) 2>&1
|
||||
|
@ -152,6 +174,9 @@ $(OBJS): *.h mingw.mak
|
|||
$(BIN)/stunnel.exe: $(OBJS)
|
||||
$(CC) $(LDFLAGS) -o $(BIN)/stunnel.exe $(OBJS) $(LIBS) -mwindows
|
||||
|
||||
$(BIN)/tstunnel.exe: $(TOBJS)
|
||||
$(CC) $(LDFLAGS) -o $(BIN)/tstunnel.exe $(TOBJS) $(TLIBS)
|
||||
|
||||
# "missing separator" issue with mingw32-make: tabs MUST BE TABS in your text
|
||||
# editor, and not set of spaces even if your development host is windows.
|
||||
# Some \ are badly tolerated by mingw32-make "!" directives, eg as !IF,
|
||||
|
|
|
@ -0,0 +1,54 @@
|
|||
## mingw/mingw64 Makefile
|
||||
# by Michal Trojnara 2015-2017
|
||||
|
||||
# 32-bit Windows
|
||||
#win32_targetcpu=i686
|
||||
#win32_mingw=mingw
|
||||
|
||||
# 64-bit Windows
|
||||
#win32_targetcpu=x86_64
|
||||
#win32_mingw=mingw64
|
||||
|
||||
bindir = ../bin/$(win32_mingw)
|
||||
objdir = ../obj/$(win32_mingw)
|
||||
|
||||
win32_ssl_dir = /opt/openssl-$(win32_mingw)
|
||||
win32_cppflags = -I$(win32_ssl_dir)/include
|
||||
win32_cflags = -mthreads -fstack-protector -O2
|
||||
win32_cflags += -Wall -Wextra -Wpedantic -Wformat=2 -Wconversion -Wno-long-long
|
||||
win32_cflags += -D_FORTIFY_SOURCE=2 -DUNICODE -D_UNICODE
|
||||
win32_ldflags = -mthreads -fstack-protector -s
|
||||
|
||||
win32_common_libs = -lws2_32 -lkernel32
|
||||
win32_ssl_libs = -L$(win32_ssl_dir)/lib -lcrypto -lssl
|
||||
win32_gui_libs = $(win32_common_libs) -lgdi32 -lpsapi $(win32_ssl_libs)
|
||||
win32_cli_libs = $(win32_common_libs) $(win32_ssl_libs)
|
||||
|
||||
win32_common = tls str file client log options protocol network resolver
|
||||
win32_common += ssl ctx verify sthreads fd dhparam cron stunnel
|
||||
win32_gui = ui_win_gui resources
|
||||
win32_cli = ui_win_cli
|
||||
win32_common_objs = $(addsuffix .o, $(addprefix $(objdir)/, $(win32_common)))
|
||||
win32_gui_objs = $(addsuffix .o, $(addprefix $(objdir)/, $(win32_gui)))
|
||||
win32_cli_objs = $(addsuffix .o, $(addprefix $(objdir)/, $(win32_cli)))
|
||||
|
||||
win32_prefix = $(win32_targetcpu)-w64-mingw32-
|
||||
win32_cc = $(win32_prefix)gcc
|
||||
win32_windres = $(win32_prefix)windres
|
||||
|
||||
all: mkdirs $(bindir)/stunnel.exe $(bindir)/tstunnel.exe
|
||||
|
||||
mkdirs:
|
||||
mkdir -p $(bindir) $(objdir)
|
||||
|
||||
$(bindir)/stunnel.exe: $(win32_common_objs) $(win32_gui_objs)
|
||||
$(win32_cc) -mwindows $(win32_ldflags) -o $(bindir)/stunnel.exe $(win32_common_objs) $(win32_gui_objs) $(win32_gui_libs)
|
||||
|
||||
$(bindir)/tstunnel.exe: $(win32_common_objs) $(win32_cli_objs)
|
||||
$(win32_cc) $(win32_ldflags) -o $(bindir)/tstunnel.exe $(win32_common_objs) $(win32_cli_objs) $(win32_cli_libs)
|
||||
|
||||
$(objdir)/%.o: $(srcdir)/%.c $(common_headers)
|
||||
$(win32_cc) -c $(win32_cppflags) $(win32_cflags) -o $@ $<
|
||||
|
||||
$(objdir)/resources.o: $(srcdir)/resources.rc $(srcdir)/resources.h $(srcdir)/version.h
|
||||
$(win32_windres) --include-dir $(srcdir) $< $@
|
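Review bot: `$(srcdir)` and `$(common_headers)` are used in the pattern rules but never defined in this file, and `win32_targetcpu`/`win32_mingw` exist only as commented-out examples, so the file works only when included from a Makefile that defines all four; a stand-alone `make -f` silently tries to run `-w64-mingw32-gcc` built from an empty prefix. State that dependency in the header comment and guard it (`ifndef win32_mingw` / `$(error ...)`). `all` and `mkdirs` should also be declared `.PHONY`, otherwise a file named `mkdirs` in the tree would stop the directories from being created.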
554
src/network.c
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
|
@ -35,12 +35,17 @@
|
|||
* forward this exception.
|
||||
*/
|
||||
|
||||
#if defined(_WIN32) || defined(_WIN32_WCE)
|
||||
/* bypass automatic index bound checks in the FD_SET() macro */
|
||||
#define FD_SETSIZE 1000000
|
||||
#endif
|
||||
|
||||
#include "common.h"
|
||||
#include "prototypes.h"
|
||||
|
||||
/* #define DEBUG_UCONTEXT */
|
||||
|
||||
static int get_socket_error(const int);
|
||||
NOEXPORT void s_poll_realloc(s_poll_set *);
|
||||
|
||||
/**************************************** s_poll functions */
|
||||
|
||||
|
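Review bot: with `FD_SETSIZE` defined as 1000000, Winsock's `FD_SET()` bound check (`fd_count < FD_SETSIZE`) is effectively disabled, so the memory safety of every `FD_SET` on an `fd_set` in this file now rests entirely on `s_poll_add()` growing the buffer (`ixfds->fd_count>=allocated`) before the macro runs; document that contract next to the define rather than only "bypass automatic index bound checks". Also note that any `fd_set` declared directly in this translation unit (rather than allocated through `s_poll_realloc`) is now several megabytes (`fd_count` plus `1000000*sizeof(SOCKET)`), which matters if one ever lands on the stack.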
@ -53,96 +58,138 @@ s_poll_set *s_poll_alloc() {
|
|||
|
||||
void s_poll_free(s_poll_set *fds) {
|
||||
if(fds) {
|
||||
if(fds->ufds)
|
||||
str_free(fds->ufds);
|
||||
str_free(fds->ufds);
|
||||
str_free(fds);
|
||||
}
|
||||
}
|
||||
|
||||
void s_poll_init(s_poll_set *fds) {
|
||||
fds->nfds=0;
|
||||
fds->allocated=4; /* prealloc 4 file desciptors */
|
||||
fds->ufds=str_realloc(fds->ufds, fds->allocated*sizeof(struct pollfd));
|
||||
fds->allocated=4; /* prealloc 4 file descriptors */
|
||||
s_poll_realloc(fds);
|
||||
}
|
||||
|
||||
void s_poll_add(s_poll_set *fds, int fd, int rd, int wr) {
|
||||
unsigned int i;
|
||||
void s_poll_add(s_poll_set *fds, SOCKET fd, int rd, int wr) {
|
||||
unsigned i;
|
||||
|
||||
for(i=0; i<fds->nfds && fds->ufds[i].fd!=fd; i++)
|
||||
;
|
||||
if(i==fds->nfds) {
|
||||
if(i==fds->nfds) { /* not found */
|
||||
if(i==fds->allocated) {
|
||||
fds->allocated=i+1;
|
||||
fds->ufds=str_realloc(fds->ufds, fds->allocated*sizeof(struct pollfd));
|
||||
s_poll_realloc(fds);
|
||||
}
|
||||
fds->ufds[i].fd=fd;
|
||||
fds->ufds[i].events=0;
|
||||
fds->nfds++;
|
||||
}
|
||||
if(rd)
|
||||
if(rd) {
|
||||
fds->ufds[i].events|=POLLIN;
|
||||
#ifdef POLLRDHUP
|
||||
fds->ufds[i].events|=POLLRDHUP;
|
||||
#endif
|
||||
}
|
||||
if(wr)
|
||||
fds->ufds[i].events|=POLLOUT;
|
||||
}
|
||||
|
||||
int s_poll_canread(s_poll_set *fds, int fd) {
|
||||
unsigned int i;
|
||||
void s_poll_remove(s_poll_set *fds, SOCKET fd) {
|
||||
unsigned i;
|
||||
|
||||
for(i=0; i<fds->nfds && fds->ufds[i].fd!=fd; i++)
|
||||
;
|
||||
if(i<fds->nfds) { /* found */
|
||||
memmove(fds->ufds+i, fds->ufds+i+1,
|
||||
(fds->nfds-i-1)*sizeof(struct pollfd));
|
||||
fds->nfds--;
|
||||
}
|
||||
}
|
||||
|
||||
int s_poll_canread(s_poll_set *fds, SOCKET fd) {
|
||||
unsigned i;
|
||||
|
||||
for(i=0; i<fds->nfds; i++)
|
||||
if(fds->ufds[i].fd==fd)
|
||||
return fds->ufds[i].revents&POLLIN;
|
||||
return fds->ufds[i].revents&(POLLIN|POLLERR);
|
||||
return 0; /* not listed in fds */
|
||||
}
|
||||
|
||||
int s_poll_canwrite(s_poll_set *fds, int fd) {
|
||||
unsigned int i;
|
||||
int s_poll_canwrite(s_poll_set *fds, SOCKET fd) {
|
||||
unsigned i;
|
||||
|
||||
for(i=0; i<fds->nfds; i++)
|
||||
if(fds->ufds[i].fd==fd)
|
||||
return fds->ufds[i].revents&POLLOUT;
|
||||
return fds->ufds[i].revents&(POLLOUT|POLLERR);
|
||||
return 0; /* not listed in fds */
|
||||
}
|
||||
|
||||
int s_poll_hup(s_poll_set *fds, int fd) {
|
||||
unsigned int i;
|
||||
/* best doc: http://lxr.free-electrons.com/source/net/ipv4/tcp.c#L456 */
|
||||
|
||||
int s_poll_hup(s_poll_set *fds, SOCKET fd) {
|
||||
unsigned i;
|
||||
|
||||
for(i=0; i<fds->nfds; i++)
|
||||
if(fds->ufds[i].fd==fd)
|
||||
return fds->ufds[i].revents&POLLHUP;
|
||||
return fds->ufds[i].revents&POLLHUP; /* read and write closed */
|
||||
return 0; /* not listed in fds */
|
||||
}
|
||||
|
||||
int s_poll_error(s_poll_set *fds, int fd) {
|
||||
unsigned int i;
|
||||
int s_poll_rdhup(s_poll_set *fds, SOCKET fd) {
|
||||
unsigned i;
|
||||
|
||||
for(i=0; i<fds->nfds; i++)
|
||||
if(fds->ufds[i].fd==fd)
|
||||
return fds->ufds[i].revents&(POLLERR|POLLNVAL) ?
|
||||
get_socket_error(fd) : 0;
|
||||
#ifdef POLLRDHUP
|
||||
return fds->ufds[i].revents&POLLRDHUP; /* read closed */
|
||||
#else
|
||||
return fds->ufds[i].revents&POLLHUP; /* read and write closed */
|
||||
#endif
|
||||
return 0; /* not listed in fds */
|
||||
}
|
||||
|
||||
int s_poll_err(s_poll_set *fds, SOCKET fd) {
|
||||
unsigned i;
|
||||
|
||||
for(i=0; i<fds->nfds; i++)
|
||||
if(fds->ufds[i].fd==fd)
|
||||
return fds->ufds[i].revents&POLLERR;
|
||||
return 0; /* not listed in fds */
|
||||
}
|
||||
|
||||
NOEXPORT void s_poll_realloc(s_poll_set *fds) {
|
||||
fds->ufds=str_realloc(fds->ufds, fds->allocated*sizeof(struct pollfd));
|
||||
}
|
||||
|
||||
void s_poll_dump(s_poll_set *fds, int level) {
|
||||
unsigned i;
|
||||
|
||||
for(i=0; i<fds->nfds; i++)
|
||||
s_log(level, "FD=%ld events=0x%X revents=0x%X",
|
||||
(long)fds->ufds[i].fd, fds->ufds[i].events, fds->ufds[i].revents);
|
||||
}
|
||||
|
||||
#ifdef USE_UCONTEXT
|
||||
|
||||
/* move ready contexts from waiting queue to ready queue */
|
||||
static void scan_waiting_queue(void) {
|
||||
NOEXPORT void scan_waiting_queue(void) {
|
||||
int retval;
|
||||
CONTEXT *context, *prev;
|
||||
int min_timeout;
|
||||
unsigned int nfds, i;
|
||||
unsigned nfds, i;
|
||||
time_t now;
|
||||
static unsigned int max_nfds=0;
|
||||
static unsigned max_nfds=0;
|
||||
static struct pollfd *ufds=NULL;
|
||||
|
||||
time(&now);
|
||||
/* count file descriptors */
|
||||
min_timeout=-1;
|
||||
min_timeout=-1; /* infinity */
|
||||
nfds=0;
|
||||
for(context=waiting_head; context; context=context->next) {
|
||||
nfds+=context->fds->nfds;
|
||||
if(context->finish>=0) /* finite time */
|
||||
if(min_timeout<0 || min_timeout>context->finish-now)
|
||||
min_timeout=context->finish-now<0 ? 0 : context->finish-now;
|
||||
min_timeout=
|
||||
(int)(context->finish-now<0 ? 0 : context->finish-now);
|
||||
}
|
||||
/* setup ufds structure */
|
||||
if(nfds>max_nfds) { /* need to allocate more memory */
|
||||
|
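Review bot: the `#ifdef POLLRDHUP` in `s_poll_add()` and `s_poll_rdhup()` depends on `<poll.h>` exposing the macro, which glibc does only under `_GNU_SOURCE`; if common.h does not define that before the include, the `#ifdef` silently takes the `POLLHUP` branch on Linux too and `s_poll_rdhup()` stops distinguishing a peer half-close from a full hang-up. A `#if defined(__linux__) && !defined(POLLRDHUP)` warning, or at least a comment stating the requirement, would make the degradation visible. Separately, `fds->allocated=i+1` grows the set by exactly one slot, so every addition beyond the initial four triggers a `str_realloc`; doubling `allocated` keeps the growth amortised.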
@ -177,13 +224,13 @@ static void scan_waiting_queue(void) {
|
|||
#ifdef DEBUG_UCONTEXT
|
||||
s_log(LOG_DEBUG, "CONTEXT %ld, FD=%d,%s%s ->%s%s%s%s%s",
|
||||
context->id, ufds[nfds].fd,
|
||||
ufds[nfds].events & POLLIN ? " IN" : "",
|
||||
ufds[nfds].events & POLLOUT ? " OUT" : "",
|
||||
ufds[nfds].revents & POLLIN ? " IN" : "",
|
||||
ufds[nfds].revents & POLLOUT ? " OUT" : "",
|
||||
ufds[nfds].revents & POLLERR ? " ERR" : "",
|
||||
ufds[nfds].revents & POLLHUP ? " HUP" : "",
|
||||
ufds[nfds].revents & POLLNVAL ? " NVAL" : "");
|
||||
(ufds[nfds].events & POLLIN) ? " IN" : "",
|
||||
(ufds[nfds].events & POLLOUT) ? " OUT" : "",
|
||||
(ufds[nfds].revents & POLLIN) ? " IN" : "",
|
||||
(ufds[nfds].revents & POLLOUT) ? " OUT" : "",
|
||||
(ufds[nfds].revents & POLLERR) ? " ERR" : "",
|
||||
(ufds[nfds].revents & POLLHUP) ? " HUP" : "",
|
||||
(ufds[nfds].revents & POLLNVAL) ? " NVAL" : "");
|
||||
#endif
|
||||
if(ufds[nfds].revents)
|
||||
context->ready++;
|
||||
|
@ -217,16 +264,16 @@ int s_poll_wait(s_poll_set *fds, int sec, int msec) {
|
|||
static CONTEXT *to_free=NULL; /* delayed memory deallocation */
|
||||
|
||||
/* FIXME: msec parameter is currently ignored with UCONTEXT threads */
|
||||
(void)msec; /* skip warning about unused parameter */
|
||||
(void)msec; /* squash the unused parameter warning */
|
||||
|
||||
/* remove the current context from ready queue */
|
||||
context=ready_head;
|
||||
ready_head=ready_head->next;
|
||||
if(!ready_head) /* the queue is empty */
|
||||
ready_tail=NULL;
|
||||
/* it it safe to s_log() after new ready_head is set */
|
||||
/* it is safe to s_log() after new ready_head is set */
|
||||
|
||||
/* it's illegal to deallocate the stack of the current context */
|
||||
/* it is illegal to deallocate the stack of the current context */
|
||||
if(to_free) { /* a delayed deallocation is scheduled */
|
||||
#ifdef DEBUG_UCONTEXT
|
||||
s_log(LOG_DEBUG, "Releasing context %ld", to_free->id);
|
||||
|
@ -300,58 +347,98 @@ s_poll_set *s_poll_alloc() {
|
|||
}
|
||||
|
||||
void s_poll_free(s_poll_set *fds) {
|
||||
if(fds)
|
||||
if(fds) {
|
||||
str_free(fds->irfds);
|
||||
str_free(fds->iwfds);
|
||||
str_free(fds->ixfds);
|
||||
str_free(fds->orfds);
|
||||
str_free(fds->owfds);
|
||||
str_free(fds->oxfds);
|
||||
str_free(fds);
|
||||
}
|
||||
}
|
||||
|
||||
void s_poll_init(s_poll_set *fds) {
|
||||
FD_ZERO(&fds->irfds);
|
||||
FD_ZERO(&fds->iwfds);
|
||||
FD_ZERO(&fds->ixfds);
|
||||
#ifdef USE_WIN32
|
||||
fds->allocated=4; /* prealloc 4 file descriptors */
|
||||
#endif
|
||||
s_poll_realloc(fds);
|
||||
FD_ZERO(fds->irfds);
|
||||
FD_ZERO(fds->iwfds);
|
||||
FD_ZERO(fds->ixfds);
|
||||
fds->max=0; /* no file descriptors */
|
||||
}
|
||||
|
||||
void s_poll_add(s_poll_set *fds, int fd, int rd, int wr) {
|
||||
void s_poll_add(s_poll_set *fds, SOCKET fd, int rd, int wr) {
|
||||
#ifdef USE_WIN32
|
||||
/* fds->ixfds contains union of fds->irfds and fds->iwfds */
|
||||
if(fds->ixfds->fd_count>=fds->allocated) {
|
||||
fds->allocated=fds->ixfds->fd_count+1;
|
||||
s_poll_realloc(fds);
|
||||
}
|
||||
#endif
|
||||
if(rd)
|
||||
FD_SET((unsigned int)fd, &fds->irfds);
|
||||
FD_SET(fd, fds->irfds);
|
||||
if(wr)
|
||||
FD_SET((unsigned int)fd, &fds->iwfds);
|
||||
FD_SET(fd, fds->iwfds);
|
||||
/* always expect errors (and the Spanish Inquisition) */
|
||||
FD_SET((unsigned int)fd, &fds->ixfds);
|
||||
FD_SET(fd, fds->ixfds);
|
||||
if(fd>fds->max)
|
||||
fds->max=fd;
|
||||
}
|
||||
|
||||
int s_poll_canread(s_poll_set *fds, int fd) {
|
||||
return FD_ISSET(fd, &fds->orfds);
|
||||
void s_poll_remove(s_poll_set *fds, SOCKET fd) {
|
||||
FD_CLR(fd, fds->irfds);
|
||||
FD_CLR(fd, fds->iwfds);
|
||||
FD_CLR(fd, fds->ixfds);
|
||||
}
|
||||
|
||||
int s_poll_canwrite(s_poll_set *fds, int fd) {
|
||||
return FD_ISSET(fd, &fds->owfds);
|
||||
int s_poll_canread(s_poll_set *fds, SOCKET fd) {
|
||||
/* ignore exception if there is no error (WinCE 6.0 anomaly) */
|
||||
return FD_ISSET(fd, fds->orfds) ||
|
||||
(FD_ISSET(fd, fds->oxfds) && get_socket_error(fd));
|
||||
}
|
||||
|
||||
int s_poll_hup(s_poll_set *fds, int fd) {
|
||||
(void)fds; /* skip warning about unused parameter */
|
||||
(void)fd; /* skip warning about unused parameter */
|
||||
return 0; /* FIXME: how to detect HUP condition with select()? */
|
||||
int s_poll_canwrite(s_poll_set *fds, SOCKET fd) {
|
||||
/* ignore exception if there is no error (WinCE 6.0 anomaly) */
|
||||
return FD_ISSET(fd, fds->owfds) ||
|
||||
(FD_ISSET(fd, fds->oxfds) && get_socket_error(fd));
|
||||
}
|
||||
|
||||
int s_poll_error(s_poll_set *fds, int fd) {
|
||||
/* error conditions are signaled as read, but apparently *not* in Winsock:
|
||||
* http://msdn.microsoft.com/en-us/library/windows/desktop/ms737625%28v=vs.85%29.aspx */
|
||||
if(!FD_ISSET(fd, &fds->orfds) && !FD_ISSET(fd, &fds->oxfds))
|
||||
return 0;
|
||||
return get_socket_error(fd); /* check if it's really an error */
|
||||
int s_poll_hup(s_poll_set *fds, SOCKET fd) {
|
||||
(void)fds; /* squash the unused parameter warning */
|
||||
(void)fd; /* squash the unused parameter warning */
|
||||
return 0; /* FIXME: how to detect the HUP condition with select()? */
|
||||
}
|
||||
|
||||
int s_poll_rdhup(s_poll_set *fds, SOCKET fd) {
|
||||
(void)fds; /* squash the unused parameter warning */
|
||||
(void)fd; /* squash the unused parameter warning */
|
||||
return 0; /* FIXME: how to detect the RDHUP condition with select()? */
|
||||
}
|
||||
|
||||
int s_poll_err(s_poll_set *fds, SOCKET fd) {
|
||||
return FD_ISSET(fd, fds->oxfds);
|
||||
}
|
||||
|
||||
#ifdef USE_WIN32
|
||||
#define FD_SIZE(fds) (8+(fds)->allocated*sizeof(SOCKET))
|
||||
#else
|
||||
#define FD_SIZE(fds) (sizeof(fd_set))
|
||||
#endif
|
||||
|
||||
int s_poll_wait(s_poll_set *fds, int sec, int msec) {
|
||||
int retval;
|
||||
struct timeval tv, *tv_ptr;
|
||||
|
||||
do { /* skip "Interrupted system call" errors */
|
||||
memcpy(&fds->orfds, &fds->irfds, sizeof(fd_set));
|
||||
memcpy(&fds->owfds, &fds->iwfds, sizeof(fd_set));
|
||||
memcpy(&fds->oxfds, &fds->ixfds, sizeof(fd_set));
|
||||
memcpy(fds->orfds, fds->irfds, FD_SIZE(fds));
|
||||
memcpy(fds->owfds, fds->iwfds, FD_SIZE(fds));
|
||||
#ifndef _WIN32_WCE
|
||||
memcpy(fds->oxfds, fds->ixfds, FD_SIZE(fds));
|
||||
#else /* WinCE reports unexpected permanent exceptions */
|
||||
FD_ZERO(fds->oxfds);
|
||||
#endif
|
||||
if(sec<0) { /* infinite timeout */
|
||||
tv_ptr=NULL;
|
||||
} else {
|
||||
|
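Review bot: on the non-Win32 `select()` path `s_poll_add()` calls `FD_SET(fd, fds->irfds)` with no check that `fd < FD_SETSIZE`, while the Win32 branch just above grows the set; a descriptor at or above `FD_SETSIZE` writes past the `fd_set` bitmap. If that bound is enforced at socket creation elsewhere, a comment here should say so; otherwise reject the descriptor with an error. The `FD_SIZE(fds)` macro uses a literal `8` for the header in front of `fd_array`; `offsetof(fd_set, fd_array)` states the intent and is exact on both 32- and 64-bit Windows.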
@ -359,20 +446,48 @@ int s_poll_wait(s_poll_set *fds, int sec, int msec) {
|
|||
tv.tv_usec=1000*msec;
|
||||
tv_ptr=&tv;
|
||||
}
|
||||
retval=select(fds->max+1, &fds->orfds, &fds->owfds, &fds->oxfds, tv_ptr);
|
||||
retval=select((int)fds->max+1,
|
||||
fds->orfds, fds->owfds, fds->oxfds, tv_ptr);
|
||||
} while(retval<0 && get_last_socket_error()==S_EINTR);
|
||||
return retval;
|
||||
}
|
||||
|
||||
NOEXPORT void s_poll_realloc(s_poll_set *fds) {
|
||||
fds->irfds=str_realloc(fds->irfds, FD_SIZE(fds));
|
||||
fds->iwfds=str_realloc(fds->iwfds, FD_SIZE(fds));
|
||||
fds->ixfds=str_realloc(fds->ixfds, FD_SIZE(fds));
|
||||
fds->orfds=str_realloc(fds->orfds, FD_SIZE(fds));
|
||||
fds->owfds=str_realloc(fds->owfds, FD_SIZE(fds));
|
||||
fds->oxfds=str_realloc(fds->oxfds, FD_SIZE(fds));
|
||||
}
|
||||
|
||||
void s_poll_dump(s_poll_set *fds, int level) {
|
||||
SOCKET fd;
|
||||
int ir, iw, ix, or, ow, ox;
|
||||
|
||||
for(fd=0; fd<fds->max; fd++) {
|
||||
ir=FD_ISSET(fd, fds->irfds);
|
||||
iw=FD_ISSET(fd, fds->iwfds);
|
||||
ix=FD_ISSET(fd, fds->ixfds);
|
||||
or=FD_ISSET(fd, fds->orfds);
|
||||
ow=FD_ISSET(fd, fds->owfds);
|
||||
ox=FD_ISSET(fd, fds->oxfds);
|
||||
if(ir || iw || ix || or || ow || ox)
|
||||
s_log(level, "FD=%ld ifds=%c%c%c ofds=%c%c%c", (long)fd,
|
||||
ir?'r':'-', iw?'w':'-', ix?'x':'-',
|
||||
or?'r':'-', ow?'w':'-', ox?'x':'-');
|
||||
}
|
||||
}
|
||||
|
||||
#endif /* USE_POLL */
|
||||
|
||||
/**************************************** fd management */
|
||||
|
||||
int set_socket_options(int s, int type) {
|
||||
int set_socket_options(SOCKET s, int type) {
|
||||
SOCK_OPT *ptr;
|
||||
extern SOCK_OPT sock_opts[];
|
||||
extern SOCK_OPT *sock_opts;
|
||||
static char *type_str[3]={"accept", "local", "remote"};
|
||||
int opt_size;
|
||||
socklen_t opt_size;
|
||||
int retval=0; /* no error found */
|
||||
|
||||
for(ptr=sock_opts; ptr->opt_str; ptr++) {
|
||||
|
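Review bot: off-by-one in `s_poll_dump()`: `fds->max` holds the highest descriptor added (`if(fd>fds->max) fds->max=fd;` in `s_poll_add`), but the loop runs `for(fd=0; fd<fds->max; fd++)`, so the highest descriptor is never printed; use `fd<=fds->max`. The `extern SOCK_OPT *sock_opts;` inside `set_socket_options()` changes the declaration from array to pointer, which is only correct if the definition in the options code changed in the same release; moving the declaration to prototypes.h instead of a function body lets the compiler catch any mismatch.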
@ -386,7 +501,7 @@ int set_socket_options(int s, int type) {
|
|||
opt_size=sizeof(struct timeval);
|
||||
break;
|
||||
case TYPE_STRING:
|
||||
opt_size=strlen(ptr->opt_val[type]->c_val)+1;
|
||||
opt_size=(socklen_t)strlen(ptr->opt_val[type]->c_val)+1;
|
||||
break;
|
||||
default:
|
||||
opt_size=sizeof(int);
|
||||
|
@ -403,17 +518,15 @@ int set_socket_options(int s, int type) {
|
|||
retval=-1; /* failed to set this option */
|
||||
}
|
||||
}
|
||||
#ifdef DEBUG_FD_ALLOC
|
||||
else {
|
||||
s_log(LOG_DEBUG, "Option %s set on %s socket",
|
||||
ptr->opt_str, type_str[type]);
|
||||
}
|
||||
#endif /* DEBUG_FD_ALLOC */
|
||||
}
|
||||
return retval; /* returns 0 when all options succeeded */
|
||||
}
|
||||
|
||||
static int get_socket_error(const int fd) {
|
||||
int get_socket_error(const SOCKET fd) {
|
||||
int err;
|
||||
socklen_t optlen=sizeof err;
|
||||
|
||||
|
@ -424,56 +537,56 @@ static int get_socket_error(const int fd) {
|
|||
|
||||
/**************************************** simulate blocking I/O */
|
||||
|
||||
int connect_blocking(CLI *c, SOCKADDR_UNION *addr, socklen_t addrlen) {
|
||||
int s_connect(CLI *c, SOCKADDR_UNION *addr, socklen_t addrlen) {
|
||||
int error;
|
||||
char *dst;
|
||||
|
||||
dst=s_ntop(addr, addrlen);
|
||||
s_log(LOG_INFO, "connect_blocking: connecting %s", dst);
|
||||
s_log(LOG_INFO, "s_connect: connecting %s", dst);
|
||||
|
||||
if(!connect(c->fd, &addr->sa, addrlen)) {
|
||||
s_log(LOG_NOTICE, "connect_blocking: connected %s", dst);
|
||||
s_log(LOG_INFO, "s_connect: connected %s", dst);
|
||||
str_free(dst);
|
||||
return 0; /* no error -> success (on some OSes over the loopback) */
|
||||
}
|
||||
error=get_last_socket_error();
|
||||
if(error!=S_EINPROGRESS && error!=S_EWOULDBLOCK) {
|
||||
s_log(LOG_ERR, "connect_blocking: connect %s: %s (%d)",
|
||||
s_log(LOG_ERR, "s_connect: connect %s: %s (%d)",
|
||||
dst, s_strerror(error), error);
|
||||
str_free(dst);
|
||||
return -1;
|
||||
}
|
||||
|
||||
s_log(LOG_DEBUG, "connect_blocking: s_poll_wait %s: waiting %d seconds",
|
||||
s_log(LOG_DEBUG, "s_connect: s_poll_wait %s: waiting %d seconds",
|
||||
dst, c->opt->timeout_connect);
|
||||
s_poll_init(c->fds);
|
||||
s_poll_add(c->fds, c->fd, 1, 1);
|
||||
switch(s_poll_wait(c->fds, c->opt->timeout_connect, 0)) {
|
||||
case -1:
|
||||
error=get_last_socket_error();
|
||||
s_log(LOG_ERR, "connect_blocking: s_poll_wait %s: %s (%d)",
|
||||
s_log(LOG_ERR, "s_connect: s_poll_wait %s: %s (%d)",
|
||||
dst, s_strerror(error), error);
|
||||
str_free(dst);
|
||||
return -1;
|
||||
case 0:
|
||||
s_log(LOG_ERR, "connect_blocking: s_poll_wait %s:"
|
||||
s_log(LOG_ERR, "s_connect: s_poll_wait %s:"
|
||||
" TIMEOUTconnect exceeded", dst);
|
||||
str_free(dst);
|
||||
return -1;
|
||||
default:
|
||||
error=get_socket_error(c->fd);
|
||||
if(error) {
|
||||
s_log(LOG_ERR, "connect_blocking: connect %s: %s (%d)",
|
||||
s_log(LOG_ERR, "s_connect: connect %s: %s (%d)",
|
||||
dst, s_strerror(error), error);
|
||||
str_free(dst);
|
||||
return -1;
|
||||
}
|
||||
if(s_poll_canwrite(c->fds, c->fd)) {
|
||||
s_log(LOG_NOTICE, "connect_blocking: connected %s", dst);
|
||||
s_log(LOG_NOTICE, "s_connect: connected %s", dst);
|
||||
str_free(dst);
|
||||
return 0; /* success */
|
||||
}
|
||||
s_log(LOG_ERR, "connect_blocking: s_poll_wait %s: internal error",
|
||||
s_log(LOG_ERR, "s_connect: s_poll_wait %s: internal error",
|
||||
dst);
|
||||
str_free(dst);
|
||||
return -1;
|
||||
|
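Review bot: the two success paths in `s_connect` now log the same event at different levels: the immediate-connect path changes to `s_log(LOG_INFO, "s_connect: connected %s", dst);` while the path after `s_poll_canwrite()` keeps `s_log(LOG_NOTICE, "s_connect: connected %s", dst);`. Whether `connect()` completes synchronously or only after poll depends on the OS and on whether the target is loopback, so identical connections would show up at two severities; use one level (LOG_INFO matches the rest of this rename) in both places. The `default:` branch reading `SO_ERROR` via `get_socket_error(c->fd)` before testing writability is the correct order and worth keeping.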
@ -481,147 +594,115 @@ int connect_blocking(CLI *c, SOCKADDR_UNION *addr, socklen_t addrlen) {
|
|||
return -1; /* should not be possible */
|
||||
}
|
||||
|
||||
void write_blocking(CLI *c, int fd, void *ptr, int len) {
|
||||
void s_write(CLI *c, SOCKET fd, const void *buf, size_t len) {
|
||||
/* simulate a blocking write */
|
||||
int num;
|
||||
uint8_t *ptr=(uint8_t *)buf;
|
||||
ssize_t num;
|
||||
|
||||
while(len>0) {
|
||||
s_poll_init(c->fds);
|
||||
s_poll_add(c->fds, fd, 0, 1); /* write */
|
||||
switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
|
||||
case -1:
|
||||
sockerror("write_blocking: s_poll_wait");
|
||||
sockerror("s_write: s_poll_wait");
|
||||
longjmp(c->err, 1); /* error */
|
||||
case 0:
|
||||
s_log(LOG_INFO, "write_blocking: s_poll_wait:"
|
||||
s_log(LOG_INFO, "s_write: s_poll_wait:"
|
||||
" TIMEOUTbusy exceeded: sending reset");
|
||||
longjmp(c->err, 1); /* timeout */
|
||||
case 1:
|
||||
break; /* OK */
|
||||
default:
|
||||
s_log(LOG_ERR, "write_blocking: s_poll_wait: unknown result");
|
||||
s_log(LOG_ERR, "s_write: s_poll_wait: unknown result");
|
||||
longjmp(c->err, 1); /* error */
|
||||
}
|
||||
num=writesocket(fd, ptr, len);
|
||||
switch(num) {
|
||||
case -1: /* error */
|
||||
sockerror("writesocket (write_blocking)");
|
||||
num=writesocket(fd, (void *)ptr, len);
|
||||
if(num==-1) { /* error */
|
||||
sockerror("writesocket (s_write)");
|
||||
longjmp(c->err, 1);
|
||||
}
|
||||
ptr=(u8 *)ptr+num;
|
||||
len-=num;
|
||||
ptr+=(size_t)num;
|
||||
len-=(size_t)num;
|
||||
}
|
||||
}
|
||||
|
||||
void read_blocking(CLI *c, int fd, void *ptr, int len) {
|
||||
void s_read(CLI *c, SOCKET fd, void *ptr, size_t len) {
|
||||
/* simulate a blocking read */
|
||||
int num;
|
||||
ssize_t num;
|
||||
|
||||
while(len>0) {
|
||||
s_poll_init(c->fds);
|
||||
s_poll_add(c->fds, fd, 1, 0); /* read */
|
||||
switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
|
||||
case -1:
|
||||
sockerror("read_blocking: s_poll_wait");
|
||||
sockerror("s_read: s_poll_wait");
|
||||
longjmp(c->err, 1); /* error */
|
||||
case 0:
|
||||
s_log(LOG_INFO, "read_blocking: s_poll_wait:"
|
||||
s_log(LOG_INFO, "s_read: s_poll_wait:"
|
||||
" TIMEOUTbusy exceeded: sending reset");
|
||||
longjmp(c->err, 1); /* timeout */
|
||||
case 1:
|
||||
break; /* OK */
|
||||
default:
|
||||
s_log(LOG_ERR, "read_blocking: s_poll_wait: unknown result");
|
||||
s_log(LOG_ERR, "s_read: s_poll_wait: unknown result");
|
||||
longjmp(c->err, 1); /* error */
|
||||
}
|
||||
num=readsocket(fd, ptr, len);
|
||||
switch(num) {
|
||||
case -1: /* error */
|
||||
sockerror("readsocket (read_blocking)");
|
||||
sockerror("readsocket (s_read)");
|
||||
longjmp(c->err, 1);
|
||||
case 0: /* EOF */
|
||||
s_log(LOG_ERR, "Unexpected socket close (read_blocking)");
|
||||
s_log(LOG_ERR, "Unexpected socket close (s_read)");
|
||||
longjmp(c->err, 1);
|
||||
}
|
||||
ptr=(u8 *)ptr+num;
|
||||
len-=num;
|
||||
ptr=(uint8_t *)ptr+num;
|
||||
len-=(size_t)num;
|
||||
}
|
||||
}
|
||||
|
||||
void fd_putline(CLI *c, int fd, const char *line) {
|
||||
void fd_putline(CLI *c, SOCKET fd, const char *line) {
|
||||
char *tmpline;
|
||||
const char crlf[]="\r\n";
|
||||
int len;
|
||||
size_t len;
|
||||
|
||||
tmpline=str_printf("%s%s", line, crlf);
|
||||
len=strlen(tmpline);
|
||||
write_blocking(c, fd, tmpline, len);
|
||||
tmpline[len-2]='\0'; /* remove CRLF */
|
||||
safestring(tmpline);
|
||||
s_log(LOG_DEBUG, " -> %s", tmpline);
|
||||
s_write(c, fd, tmpline, len);
|
||||
str_free(tmpline);
|
||||
s_log(LOG_DEBUG, " -> %s", line);
|
||||
}
|
||||
|
||||
char *fd_getline(CLI *c, int fd) {
|
||||
char *line, *tmpline;
|
||||
int ptr=0, allocated=32;
|
||||
char *fd_getline(CLI *c, SOCKET fd) {
|
||||
char *line;
|
||||
size_t ptr=0, allocated=32;
|
||||
|
||||
line=str_alloc(allocated);
|
||||
for(;;) {
|
||||
s_poll_init(c->fds);
|
||||
s_poll_add(c->fds, fd, 1, 0); /* read */
|
||||
switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
|
||||
case -1:
|
||||
sockerror("fd_getline: s_poll_wait");
|
||||
if(ptr>65536) { /* >64KB --> DoS protection */
|
||||
s_log(LOG_ERR, "fd_getline: Line too long");
|
||||
str_free(line);
|
||||
longjmp(c->err, 1); /* error */
|
||||
case 0:
|
||||
s_log(LOG_INFO, "fd_getline: s_poll_wait:"
|
||||
" TIMEOUTbusy exceeded: sending reset");
|
||||
str_free(line);
|
||||
longjmp(c->err, 1); /* timeout */
|
||||
case 1:
|
||||
break; /* OK */
|
||||
default:
|
||||
s_log(LOG_ERR, "fd_getline: s_poll_wait: Unknown result");
|
||||
str_free(line);
|
||||
longjmp(c->err, 1); /* error */
|
||||
longjmp(c->err, 1);
|
||||
}
|
||||
if(allocated<ptr+1) {
|
||||
allocated*=2;
|
||||
line=str_realloc(line, allocated);
|
||||
}
|
||||
switch(readsocket(fd, line+ptr, 1)) {
|
||||
case -1: /* error */
|
||||
sockerror("fd_getline: readsocket");
|
||||
str_free(line);
|
||||
longjmp(c->err, 1);
|
||||
case 0: /* EOF */
|
||||
s_log(LOG_ERR, "fd_getline: Unexpected socket close");
|
||||
str_free(line);
|
||||
longjmp(c->err, 1);
|
||||
}
|
||||
s_read(c, fd, line+ptr, 1);
|
||||
if(line[ptr]=='\r')
|
||||
continue;
|
||||
if(line[ptr]=='\n')
|
||||
break;
|
||||
if(line[ptr]=='\0')
|
||||
break;
|
||||
if(++ptr>65536) { /* >64KB --> DoS protection */
|
||||
s_log(LOG_ERR, "fd_getline: Line too long");
|
||||
str_free(line);
|
||||
longjmp(c->err, 1);
|
||||
}
|
||||
++ptr;
|
||||
}
|
||||
line[ptr]='\0';
|
||||
tmpline=str_dup(line);
|
||||
safestring(tmpline);
|
||||
s_log(LOG_DEBUG, " <- %s", tmpline);
|
||||
str_free(tmpline);
|
||||
s_log(LOG_DEBUG, " <- %s", line);
|
||||
return line;
|
||||
}
|
||||
|
||||
void fd_printf(CLI *c, int fd, const char *format, ...) {
|
||||
void fd_printf(CLI *c, SOCKET fd, const char *format, ...) {
|
||||
va_list ap;
|
||||
char *line;
|
||||
|
||||
|
@ -636,27 +717,166 @@ void fd_printf(CLI *c, int fd, const char *format, ...) {
|
|||
str_free(line);
|
||||
}
|
||||
|
||||
void s_ssl_write(CLI *c, const void *buf, int len) {
|
||||
/* simulate a blocking SSL_write */
|
||||
uint8_t *ptr=(uint8_t *)buf;
|
||||
int num;
|
||||
|
||||
while(len>0) {
|
||||
s_poll_init(c->fds);
|
||||
s_poll_add(c->fds, c->ssl_wfd->fd, 0, 1); /* write */
|
||||
switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
|
||||
case -1:
|
||||
sockerror("s_write: s_poll_wait");
|
||||
longjmp(c->err, 1); /* error */
|
||||
case 0:
|
||||
s_log(LOG_INFO, "s_write: s_poll_wait:"
|
||||
" TIMEOUTbusy exceeded: sending reset");
|
||||
longjmp(c->err, 1); /* timeout */
|
||||
case 1:
|
||||
break; /* OK */
|
||||
default:
|
||||
s_log(LOG_ERR, "s_write: s_poll_wait: unknown result");
|
||||
longjmp(c->err, 1); /* error */
|
||||
}
|
||||
num=SSL_write(c->ssl, (void *)ptr, len);
|
||||
if(num==-1) { /* error */
|
||||
sockerror("SSL_write (s_ssl_write)");
|
||||
longjmp(c->err, 1);
|
||||
}
|
||||
ptr+=num;
|
||||
len-=num;
|
||||
}
|
||||
}
|
||||
|
||||
void s_ssl_read(CLI *c, void *ptr, int len) {
|
||||
/* simulate a blocking SSL_read */
|
||||
int num;
|
||||
|
||||
while(len>0) {
|
||||
if(!SSL_pending(c->ssl)) {
|
||||
s_poll_init(c->fds);
|
||||
s_poll_add(c->fds, c->ssl_rfd->fd, 1, 0); /* read */
|
||||
switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
|
||||
case -1:
|
||||
sockerror("s_read: s_poll_wait");
|
||||
longjmp(c->err, 1); /* error */
|
||||
case 0:
|
||||
s_log(LOG_INFO, "s_read: s_poll_wait:"
|
||||
" TIMEOUTbusy exceeded: sending reset");
|
||||
longjmp(c->err, 1); /* timeout */
|
||||
case 1:
|
||||
break; /* OK */
|
||||
default:
|
||||
s_log(LOG_ERR, "s_read: s_poll_wait: unknown result");
|
||||
longjmp(c->err, 1); /* error */
|
||||
}
|
||||
}
|
||||
num=SSL_read(c->ssl, ptr, len);
|
||||
switch(num) {
|
||||
case -1: /* error */
|
||||
sockerror("SSL_read (s_ssl_read)");
|
||||
longjmp(c->err, 1);
|
||||
case 0: /* EOF */
|
||||
s_log(LOG_ERR, "Unexpected socket close (s_ssl_read)");
|
||||
longjmp(c->err, 1);
|
||||
}
|
||||
ptr=(uint8_t *)ptr+num;
|
||||
len-=num;
|
||||
}
|
||||
}
|
||||
|
||||
char *ssl_getstring(CLI *c) { /* get null-terminated string */
|
||||
char *line;
|
||||
size_t ptr=0, allocated=32;
|
||||
|
||||
line=str_alloc(allocated);
|
||||
for(;;) {
|
||||
if(ptr>65536) { /* >64KB --> DoS protection */
|
||||
s_log(LOG_ERR, "ssl_getstring: Line too long");
|
||||
str_free(line);
|
||||
longjmp(c->err, 1);
|
||||
}
|
||||
if(allocated<ptr+1) {
|
||||
allocated*=2;
|
||||
line=str_realloc(line, allocated);
|
||||
}
|
||||
s_ssl_read(c, line+ptr, 1);
|
||||
if(line[ptr]=='\0')
|
||||
break;
|
||||
++ptr;
|
||||
}
|
||||
return line;
|
||||
}
|
||||
|
||||
char *ssl_getline(CLI *c) { /* get newline-terminated string */
|
||||
char *line;
|
||||
size_t ptr=0, allocated=32;
|
||||
|
||||
line=str_alloc(allocated);
|
||||
for(;;) {
|
||||
if(ptr>65536) { /* >64KB --> DoS protection */
|
||||
s_log(LOG_ERR, "ssl_getline: Line too long");
|
||||
str_free(line);
|
||||
longjmp(c->err, 1);
|
||||
}
|
||||
if(allocated<ptr+1) {
|
||||
allocated*=2;
|
||||
line=str_realloc(line, allocated);
|
||||
}
|
||||
s_ssl_read(c, line+ptr, 1);
|
||||
if(line[ptr]=='\r')
|
||||
continue;
|
||||
if(line[ptr]=='\n')
|
||||
break;
|
||||
if(line[ptr]=='\0')
|
||||
break;
|
||||
++ptr;
|
||||
}
|
||||
line[ptr]='\0';
|
||||
s_log(LOG_DEBUG, " <- %s", line);
|
||||
return line;
|
||||
}
|
||||
|
||||
void ssl_putline(CLI *c, const char *line) { /* put newline-terminated string */
|
||||
char *tmpline;
|
||||
const char crlf[]="\r\n";
|
||||
size_t len;
|
||||
|
||||
tmpline=str_printf("%s%s", line, crlf);
|
||||
len=strlen(tmpline);
|
||||
if(len>INT_MAX) { /* paranoia */
|
||||
s_log(LOG_ERR, "ssl_putline: Line too long");
|
||||
str_free(tmpline);
|
||||
longjmp(c->err, 1);
|
||||
}
|
||||
s_ssl_write(c, tmpline, (int)len);
|
||||
str_free(tmpline);
|
||||
s_log(LOG_DEBUG, " -> %s", line);
|
||||
}
|
||||
|
||||
/**************************************** network helpers */
|
||||
|
||||
#define INET_SOCKET_PAIR
|
||||
|
||||
int make_sockets(int fd[2]) { /* make a pair of connected ipv4 sockets */
|
||||
int make_sockets(SOCKET fd[2]) { /* make a pair of connected ipv4 sockets */
|
||||
#ifdef INET_SOCKET_PAIR
|
||||
struct sockaddr_in addr;
|
||||
socklen_t addrlen;
|
||||
int s; /* temporary socket awaiting for connection */
|
||||
SOCKET s; /* temporary socket awaiting for connection */
|
||||
|
||||
/* create two *blocking* sockets first */
|
||||
s=s_socket(AF_INET, SOCK_STREAM, 0, 0, "make_sockets: s_socket#1");
|
||||
if(s<0) {
|
||||
if(s==INVALID_SOCKET)
|
||||
return 1;
|
||||
}
|
||||
fd[1]=s_socket(AF_INET, SOCK_STREAM, 0, 0, "make_sockets: s_socket#2");
|
||||
if(fd[1]<0) {
|
||||
if(fd[1]==INVALID_SOCKET) {
|
||||
closesocket(s);
|
||||
return 1;
|
||||
}
|
||||
|
||||
addrlen=sizeof addr;
|
||||
memset(&addr, 0, addrlen);
|
||||
memset(&addr, 0, sizeof addr);
|
||||
addr.sin_family=AF_INET;
|
||||
addr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);
|
||||
addr.sin_port=htons(0); /* dynamic port allocation */
|
||||
|
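Review bot: `s_ssl_write` and `s_ssl_read` treat only `-1` as failure (`if(num==-1)` and `case -1:`), report it with `sockerror()`, and otherwise assume progress; `SSL_write()`/`SSL_read()` return `<=0` on failure and the cause must be read with `SSL_get_error(c->ssl, num)`, which separates `SSL_ERROR_WANT_READ`/`SSL_ERROR_WANT_WRITE` (possible on a non-blocking socket during renegotiation, where a write may need the fd to become readable and a read may need it writable) from a real error and from a clean close_notify (`SSL_ERROR_ZERO_RETURN`). As written, a WANT_READ result from `SSL_write()` aborts the connection with whatever `errno` happens to hold, and a return of 0 from `SSL_write()` adds nothing to `ptr` and spins on a writable socket. Call `SSL_get_error()` and poll for the direction it asks for. Smaller points in the same hunk: the messages inside `s_ssl_write`/`s_ssl_read` still read `s_write: s_poll_wait` and `s_read: s_poll_wait`, so the log cannot distinguish the TLS path from the plain-socket path; `fd_putline` and `fd_getline` no longer run `safestring()` on the data before `s_log(LOG_DEBUG, " -> %s", line)` / `" <- %s"`, and the new `ssl_getline`/`ssl_putline` never did, so unless `s_log()` itself strips control characters a peer can inject newlines and terminal escapes into the debug log; and `s_write` now passes a `size_t len` to `writesocket()`, so if that macro maps to `send()` on Windows (which takes an `int`) it needs the same `INT_MAX` guard that `ssl_putline` has.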
@ -685,7 +905,7 @@ int make_sockets(int fd[2]) { /* make a pair of connected ipv4 sockets */
|
|||
}
|
||||
fd[0]=s_accept(s, (struct sockaddr *)&addr, &addrlen, 1,
|
||||
"make_sockets: s_accept");
|
||||
if(fd[0]<0) {
|
||||
if(fd[0]==INVALID_SOCKET) {
|
||||
closesocket(s);
|
||||
closesocket(fd[1]);
|
||||
return 1;
|
||||
|
@ -700,4 +920,26 @@ int make_sockets(int fd[2]) { /* make a pair of connected ipv4 sockets */
|
|||
return 0;
|
||||
}
|
||||
|
||||
/* returns 0 on success, and -1 on error */
|
||||
int original_dst(const SOCKET fd, SOCKADDR_UNION *addr) {
|
||||
socklen_t addrlen;
|
||||
|
||||
memset(addr, 0, sizeof(SOCKADDR_UNION));
|
||||
addrlen=sizeof(SOCKADDR_UNION);
|
||||
#ifdef SO_ORIGINAL_DST
|
||||
#ifdef USE_IPv6
|
||||
if(!getsockopt(fd, SOL_IPV6, SO_ORIGINAL_DST, &addr->sa, &addrlen))
|
||||
return 0; /* succeeded */
|
||||
#endif /* USE_IPv6 */
|
||||
if(!getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, &addr->sa, &addrlen))
|
||||
return 0; /* succeeded */
|
||||
sockerror("getsockopt SO_ORIGINAL_DST");
|
||||
#else /* SO_ORIGINAL_DST */
|
||||
if(!getsockname(fd, &addr->sa, &addrlen))
|
||||
return 0; /* succeeded */
|
||||
sockerror("getsockname");
|
||||
#endif /* SO_ORIGINAL_DST */
|
||||
return -1; /* failed */
|
||||
}
|
||||
|
||||
/* end of network.c */
|
||||
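Review bot: in `original_dst`, `addrlen` is set once to `sizeof(SOCKADDR_UNION)` and not reset between the `SOL_IPV6` and `SOL_IP` `getsockopt()` calls; the kernel is not required to leave `addrlen` untouched on the failing IPv6 attempt, so assign `addrlen=sizeof(SOCKADDR_UNION)` again before the second call. The `#else /* SO_ORIGINAL_DST */` branch substitutes `getsockname()` for `SO_ORIGINAL_DST`, but `getsockname()` returns the accepted socket's local address, not the pre-NAT destination, so on a platform without `SO_ORIGINAL_DST` a `transparent_dst` service would use the listener's own address as the target; the comment should say that this fallback is only valid where the two coincide, and the caller would do better to refuse the option than to return `0 /* succeeded */` with the wrong address.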
|
|
101
src/nogui.c
|
@ -1,101 +0,0 @@
|
|||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||
* See the GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||
*
|
||||
* Linking stunnel statically or dynamically with other modules is making
|
||||
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||
* the GNU General Public License cover the whole combination.
|
||||
*
|
||||
* In addition, as a special exception, the copyright holder of stunnel
|
||||
* gives you permission to combine stunnel with free software programs or
|
||||
* libraries that are released under the GNU LGPL and with code included
|
||||
* in the standard release of OpenSSL under the OpenSSL License (or
|
||||
* modified versions of such code, with unchanged license). You may copy
|
||||
* and distribute such a system following the terms of the GNU GPL for
|
||||
* stunnel and the licenses of the other code concerned.
|
||||
*
|
||||
* Note that people who make modified versions of stunnel are not obligated
|
||||
* to grant this special exception for their modified versions; it is their
|
||||
* choice whether to do so. The GNU General Public License gives permission
|
||||
* to release a modified version without this exception; this exception
|
||||
* also makes it possible to release a modified version which carries
|
||||
* forward this exception.
|
||||
*/
|
||||
|
||||
#include "common.h"
|
||||
#include "prototypes.h"
|
||||
|
||||
int main(int argc, char *argv[]) {
|
||||
static struct WSAData wsa_state;
|
||||
|
||||
str_init(); /* initialize per-thread string management */
|
||||
if(WSAStartup(MAKEWORD(1, 1), &wsa_state))
|
||||
return 1;
|
||||
resolver_init();
|
||||
main_initialize();
|
||||
if(!main_configure(argc>1 ? argv[1] : NULL, argc>2 ? argv[2] : NULL))
|
||||
daemon_loop();
|
||||
unbind_ports();
|
||||
log_flush(LOG_MODE_ERROR);
|
||||
return 0;
|
||||
}
|
||||
|
||||
void message_box(const LPSTR text, const UINT type) {
|
||||
LPTSTR tstr;
|
||||
|
||||
tstr=str2tstr(text);
|
||||
MessageBox(NULL, tstr, TEXT("stunnel"), type);
|
||||
str_free(tstr);
|
||||
}
|
||||
|
||||
void win_new_chain(int section_number) {
|
||||
(void)section_number; /* skip warning about unused parameter */
|
||||
}
|
||||
|
||||
void win_new_log(char *line) {
|
||||
#ifdef _WIN32_WCE
|
||||
/* log to Windows CE debug output stream */
|
||||
LPTSTR tstr;
|
||||
|
||||
tstr=str2tstr(line);
|
||||
RETAILMSG(TRUE, (TEXT("%s\r\n"), tstr));
|
||||
str_free(tstr);
|
||||
#else
|
||||
printf("%s\n", line);
|
||||
#endif
|
||||
}
|
||||
|
||||
void win_new_config(void) {
|
||||
/* no action */
|
||||
}
|
||||
|
||||
int passwd_cb(char *buf, int size, int rwflag, void *userdata) {
|
||||
(void)buf; /* skip warning about unused parameter */
|
||||
(void)size; /* skip warning about unused parameter */
|
||||
(void)rwflag; /* skip warning about unused parameter */
|
||||
(void)userdata; /* skip warning about unused parameter */
|
||||
return 0; /* not implemented */
|
||||
}
|
||||
|
||||
#ifdef HAVE_OSSL_ENGINE_H
|
||||
int pin_cb(UI *ui, UI_STRING *uis) {
|
||||
(void)ui; /* skip warning about unused parameter */
|
||||
(void)uis; /* skip warning about unused parameter */
|
||||
return 0; /* not implemented */
|
||||
}
|
||||
#endif
|
||||
|
||||
/* end of nogui.c */
|
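Review bot: this deletes src/nogui.c wholesale, including the Windows `main()`, `message_box()`, `win_new_log()`, `win_new_config()`, `passwd_cb()` and `pin_cb()` definitions the rest of the code links against; the only hint of a replacement on this page is the prototypes.h comment `/* service-specific data for ui_*.c */`, so the change should name the file(s) that now provide these symbols and the Windows makefiles and project files should drop nogui.o in the same commit. Note also that the removed `passwd_cb()` returned 0, i.e. a zero-length passphrase instead of a prompt, so an encrypted private key could not be loaded in the no-GUI Windows build; whatever replaces it should either implement the prompt or log clearly why the key cannot be decrypted.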
2611
src/options.c
File diff suppressed because it is too large
15
src/os2.mak
|
@ -1,11 +1,11 @@
|
|||
prefix=.
|
||||
DEFS = -DPACKAGE_NAME=\"stunnel\" \
|
||||
-DPACKAGE_TARNAME=\"stunnel\" \
|
||||
-DPACKAGE_VERSION=\"4.57\" \
|
||||
-DPACKAGE_STRING=\"stunnel\ 4.57\" \
|
||||
-DPACKAGE_VERSION=\"5.42\" \
|
||||
-DPACKAGE_STRING=\"stunnel\ 5.42\" \
|
||||
-DPACKAGE_BUGREPORT=\"\" \
|
||||
-DPACKAGE=\"stunnel\" \
|
||||
-DVERSION=\"4.57\" \
|
||||
-DVERSION=\"5.42\" \
|
||||
-DSTDC_HEADERS=1 \
|
||||
-DHAVE_SYS_TYPES_H=1 \
|
||||
-DHAVE_SYS_STAT_H=1 \
|
||||
|
@ -14,7 +14,6 @@ DEFS = -DPACKAGE_NAME=\"stunnel\" \
|
|||
-DHAVE_MEMORY_H=1 \
|
||||
-DHAVE_STRINGS_H=1 \
|
||||
-DHAVE_UNISTD_H=1 \
|
||||
-DHAVE_OSSL_ENGINE_H=1 \
|
||||
-DSSLDIR=\"/usr\" \
|
||||
-DHOST=\"i386-pc-os2-emx\" \
|
||||
-DHAVE_LIBSOCKET=1 \
|
||||
|
@ -34,8 +33,7 @@ DEFS = -DPACKAGE_NAME=\"stunnel\" \
|
|||
-DSIZEOF_UNSIGNED_INT=4 \
|
||||
-DSIZEOF_UNSIGNED_LONG=4 \
|
||||
-DLIBDIR=\"$(prefix)/lib\" \
|
||||
-DCONFDIR=\"$(prefix)/etc\" \
|
||||
-DPIDFILE=\"$(prefix)/stunnel.pid\"
|
||||
-DCONFDIR=\"$(prefix)/etc\"
|
||||
|
||||
CC = gcc
|
||||
.SUFFIXES = .c .o
|
||||
|
@ -43,7 +41,7 @@ OPENSSLDIR = u:/extras
|
|||
#SYSLOGDIR = /unixos2/workdir/syslog
|
||||
INCLUDES = -I$(OPENSSLDIR)/outinc
|
||||
LIBS = -lsocket -L$(OPENSSLDIR)/out -lssl -lcrypto -lz -lsyslog
|
||||
OBJS = file.o client.o log.o options.o protocol.o network.o ssl.o ctx.o verify.o sthreads.o stunnel.o pty.o resolver.o str.o fd.o
|
||||
OBJS = file.o client.o log.o options.o protocol.o network.o ssl.o ctx.o verify.o sthreads.o stunnel.o pty.o resolver.o str.o tls.o fd.o dhparam.o cron.o
|
||||
LIBDIR = .
|
||||
CFLAGS = -O2 -Wall -Wshadow -Wcast-align -Wpointer-arith
|
||||
|
||||
|
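Review bot: OBJS gains `tls.o`, `dhparam.o` and `cron.o`, and the next hunk adds `dhparam.o: dhparam.c common.h prototypes.h`, but there is no rule in this makefile that produces dhparam.c, only one that compiles it; if dhparam.c is generated at build time rather than shipped in the source tree, the OS/2 build will fail on a fresh checkout with a missing dhparam.c, so either add the generation rule here or state in a comment that dhparam.c is a distributed file.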
@ -70,7 +68,10 @@ sthreads.o: sthreads.c common.h prototypes.h
|
|||
stunnel.o: stunnel.c common.h prototypes.h
|
||||
resolver.o: resolver.c common.h prototypes.h
|
||||
str.o: str.c common.h prototypes.h
|
||||
tls.o: tls.c common.h prototypes.h
|
||||
fd.o: fd.c common.h prototypes.h
|
||||
dhparam.o: dhparam.c common.h prototypes.h
|
||||
cron.o: cron.c common.h prototypes.h
|
||||
|
||||
clean:
|
||||
rm -f *.o *.exe
|
||||
|
|
982
src/protocol.c
File diff suppressed because it is too large
616
src/prototypes.h
|
@ -1,24 +1,24 @@
|
|||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version.
|
||||
*
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||
* See the GNU General Public License for more details.
|
||||
*
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||
*
|
||||
*
|
||||
* Linking stunnel statically or dynamically with other modules is making
|
||||
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||
* the GNU General Public License cover the whole combination.
|
||||
*
|
||||
*
|
||||
* In addition, as a special exception, the copyright holder of stunnel
|
||||
* gives you permission to combine stunnel with free software programs or
|
||||
* libraries that are released under the GNU LGPL and with code included
|
||||
|
@ -26,7 +26,7 @@
|
|||
* modified versions of such code, with unchanged license). You may copy
|
||||
* and distribute such a system following the terms of the GNU GPL for
|
||||
* stunnel and the licenses of the other code concerned.
|
||||
*
|
||||
*
|
||||
* Note that people who make modified versions of stunnel are not obligated
|
||||
* to grant this special exception for their modified versions; it is their
|
||||
* choice whether to do so. The GNU General Public License gives permission
|
||||
|
@ -40,15 +40,45 @@
|
|||
|
||||
#include "common.h"
|
||||
|
||||
/**************************************** forward declarations */
|
||||
|
||||
typedef struct tls_data_struct TLS_DATA;
|
||||
|
||||
/**************************************** data structures */
|
||||
|
||||
#if defined (USE_WIN32)
|
||||
#define ICON_IMAGE HICON
|
||||
#elif defined(__APPLE__)
|
||||
#define ICON_IMAGE void *
|
||||
#endif
|
||||
|
||||
typedef enum {
|
||||
LOG_MODE_NONE,
|
||||
ICON_ERROR,
|
||||
ICON_IDLE,
|
||||
ICON_ACTIVE,
|
||||
ICON_NONE /* it has to be the last one */
|
||||
} ICON_TYPE;
|
||||
|
||||
typedef enum {
|
||||
LOG_MODE_BUFFER,
|
||||
LOG_MODE_ERROR,
|
||||
LOG_MODE_INFO,
|
||||
LOG_MODE_CONFIGURED
|
||||
} LOG_MODE;
|
||||
|
||||
typedef enum {
|
||||
LOG_ID_SEQUENTIAL,
|
||||
LOG_ID_UNIQUE,
|
||||
LOG_ID_THREAD,
|
||||
LOG_ID_PROCESS
|
||||
} LOG_ID;
|
||||
|
||||
typedef enum {
|
||||
FILE_MODE_READ,
|
||||
FILE_MODE_APPEND,
|
||||
FILE_MODE_OVERWRITE
|
||||
} FILE_MODE;
|
||||
|
||||
typedef union sockaddr_union {
|
||||
struct sockaddr sa;
|
||||
struct sockaddr_in in;
|
||||
|
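Review bot: as rendered, `LOG_MODE_NONE,` appears as the first enumerator of the new `ICON_TYPE` enum (`typedef enum { LOG_MODE_NONE, ICON_ERROR, ICON_IDLE, ICON_ACTIVE, ICON_NONE /* it has to be the last one */ } ICON_TYPE;`), while the `LOG_MODE` enum directly below starts at `LOG_MODE_BUFFER`. If that line is really part of the new enum rather than the removed `LOG_MODE_NONE` from the old `LOG_MODE` enum shown interleaved by the diff view, it makes `ICON_IMAGE icon[ICON_NONE]` one slot larger than the number of icons and shifts every `ICON_*` value by one; confirm the enum body and drop the stray enumerator. The `ICON_NONE /* it has to be the last one */` sentinel pattern is fine, but a one-line comment that `ICON_NONE` doubles as the array size would save the next reader the same question.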
@ -66,25 +96,29 @@ typedef struct name_list_struct {
|
|||
} NAME_LIST;
|
||||
|
||||
typedef struct sockaddr_list { /* list of addresses */
|
||||
SOCKADDR_UNION *addr; /* the list of addresses */
|
||||
u16 cur; /* current address for round-robin */
|
||||
u16 num; /* how many addresses are used */
|
||||
struct sockaddr_list *parent; /* used by copies to locate their parent */
|
||||
SOCKADDR_UNION *addr; /* array of resolved addresses */
|
||||
SSL_SESSION **session; /* array of cached client sessions */
|
||||
unsigned rr; /* current address for round-robin */
|
||||
unsigned num; /* how many addresses are used */
|
||||
int passive; /* listening socket */
|
||||
NAME_LIST *names; /* a list of unresolved names */
|
||||
} SOCKADDR_LIST;
|
||||
|
||||
#ifndef OPENSSL_NO_COMP
|
||||
typedef enum {
|
||||
COMP_NONE, COMP_DEFLATE, COMP_ZLIB, COMP_RLE
|
||||
COMP_NONE, COMP_DEFLATE, COMP_ZLIB
|
||||
} COMP_TYPE;
|
||||
#endif /* OPENSSL_NO_COMP */
|
||||
#endif /* !defined(OPENSSL_NO_COMP) */
|
||||
|
||||
typedef struct {
|
||||
/* some data for SSL initialization in ssl.c */
|
||||
/* some data for TLS initialization in ssl.c */
|
||||
#ifndef OPENSSL_NO_COMP
|
||||
COMP_TYPE compression; /* compression type */
|
||||
#endif /* OPENSSL_NO_COMP */
|
||||
#endif /* !defined(OPENSSL_NO_COMP) */
|
||||
char *egd_sock; /* entropy gathering daemon socket */
|
||||
char *rand_file; /* file with random data */
|
||||
int random_bytes; /* how many random bytes to read */
|
||||
long random_bytes; /* how many random bytes to read */
|
||||
|
||||
/* some global data for stunnel.c */
|
||||
#ifndef USE_WIN32
|
||||
|
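Review bot: `SSL_SESSION **session; /* array of cached client sessions */` adds per-address session state to a `SOCKADDR_LIST` that every connection of the service shares, and the struct carries no lock or ownership comment. `SSL_SESSION` objects are reference counted, so whoever stores into this array has to `SSL_SESSION_free()` the entry it replaces, and reads and writes from concurrent client threads need the same mutex (or the `parent` pointer, added here for copies, needs to document that only the parent's array is ever written). Also `cur` becomes `rr` and both counters go from `u16` to `unsigned`; that is fine, but `num` should say whether it counts `addr` entries, `session` entries, or both, since the arrays are now expected to be the same length.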
@ -93,27 +127,32 @@ typedef struct {
|
|||
#endif
|
||||
unsigned long dpid;
|
||||
char *pidfile;
|
||||
int uid, gid;
|
||||
#endif
|
||||
|
||||
/* logging-support data for log.c */
|
||||
int debug_level; /* debug level for logging */
|
||||
#ifndef USE_WIN32
|
||||
int facility; /* debug facility for syslog */
|
||||
int log_facility; /* debug facility for syslog */
|
||||
#endif
|
||||
char *output_file;
|
||||
FILE_MODE log_file_mode;
|
||||
|
||||
/* user interface configuration */
|
||||
#ifdef ICON_IMAGE
|
||||
ICON_IMAGE icon[ICON_NONE]; /* user-specified GUI icons */
|
||||
#endif
|
||||
|
||||
/* on/off switches */
|
||||
struct {
|
||||
unsigned int rand_write:1; /* overwrite rand_file */
|
||||
unsigned rand_write:1; /* overwrite rand_file */
|
||||
#ifdef USE_WIN32
|
||||
unsigned int taskbar:1; /* enable the taskbar icon */
|
||||
unsigned taskbar:1; /* enable the taskbar icon */
|
||||
#else /* !USE_WIN32 */
|
||||
unsigned int foreground:1;
|
||||
unsigned int syslog:1;
|
||||
unsigned foreground:1;
|
||||
unsigned log_stderr:1;
|
||||
unsigned log_syslog:1;
|
||||
#endif
|
||||
#ifdef USE_FIPS
|
||||
unsigned int fips:1; /* enable FIPS 140-2 mode */
|
||||
unsigned fips:1; /* enable FIPS 140-2 mode */
|
||||
#endif
|
||||
} option;
|
||||
} GLOBAL_OPTIONS;
|
||||
|
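Review bot: `int uid, gid;` leaves `GLOBAL_OPTIONS` here and reappears later in this file as per-service `uid_t uid; gid_t gid;` in `SERVICE_OPTIONS`. `setuid()`/`setgid()` are process-wide and can only be dropped once, so the change should document which service's values win when several sections specify different users, or that the option is only honoured from the first or global section; without that, a reader of the struct will assume each service runs under its own identity. The rename `facility` to `log_facility` and the new `log_stderr`/`log_syslog` bits look right; the `unsigned int` to `unsigned` bitfield changes are style only.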
@ -122,16 +161,39 @@ extern GLOBAL_OPTIONS global_options;
|
|||
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
typedef struct servername_list_struct SERVERNAME_LIST;/* forward declaration */
|
||||
#endif
|
||||
#endif /* !defined(OPENSSL_NO_TLSEXT) */
|
||||
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
typedef struct psk_keys_struct {
|
||||
char *identity;
|
||||
unsigned char *key_val;
|
||||
size_t key_len;
|
||||
struct psk_keys_struct *next;
|
||||
} PSK_KEYS;
|
||||
typedef struct psk_table_struct {
|
||||
PSK_KEYS **val;
|
||||
size_t num;
|
||||
} PSK_TABLE;
|
||||
#endif /* !defined(OPENSSL_NO_PSK) */
|
||||
|
||||
typedef struct service_options_struct {
|
||||
struct service_options_struct *next; /* next node in the services list */
|
||||
SSL_CTX *ctx; /* SSL context */
|
||||
SSL_CTX *ctx; /* TLS context */
|
||||
char *servname; /* service name for logging & permission checking */
|
||||
|
||||
/* service-specific data for stunnel.c */
|
||||
#ifndef USE_WIN32
|
||||
uid_t uid;
|
||||
gid_t gid;
|
||||
#endif
|
||||
|
||||
/* service-specific data for log.c */
|
||||
int log_level; /* debug level for logging */
|
||||
LOG_ID log_id; /* logging session id type */
|
||||
|
||||
/* service-specific data for sthreads.c */
|
||||
#ifndef USE_FORK
|
||||
int stack_size; /* stack size for this thread */
|
||||
size_t stack_size; /* stack size for this thread */
|
||||
#endif
|
||||
|
||||
/* service-specific data for verify.c */
|
||||
|
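Review bot: `PSK_KEYS` keeps each pre-shared key as `unsigned char *key_val` with `key_len` in heap memory for the life of the process, and `PSK_TABLE` holds an array of pointers to the same entries; add a comment that these buffers are secret material, and make sure the code that frees a `PSK_KEYS` list (on configuration reload, for example) zeroes `key_val` before releasing it rather than handing it to a plain free. It would also help to state here that `PSK_TABLE.val` is sorted by `identity` for lookup, so nobody inserts into it without re-sorting. The move of `stack_size` to `size_t` and the new per-service `log_level`/`log_id` fields are straightforward.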
@ -139,92 +201,109 @@ typedef struct service_options_struct {
|
|||
char *ca_file; /* file containing bunches of certs */
|
||||
char *crl_dir; /* directory for hashed CRLs */
|
||||
char *crl_file; /* file containing bunches of CRLs */
|
||||
int verify_level;
|
||||
X509_STORE *revocation_store; /* cert store for CRL checking */
|
||||
#ifdef HAVE_OSSL_OCSP_H
|
||||
SOCKADDR_UNION ocsp_addr;
|
||||
char *ocsp_path;
|
||||
#ifndef OPENSSL_NO_OCSP
|
||||
char *ocsp_url;
|
||||
unsigned long ocsp_flags;
|
||||
#endif
|
||||
#endif /* !defined(OPENSSL_NO_OCSP) */
|
||||
#if OPENSSL_VERSION_NUMBER>=0x10002000L
|
||||
NAME_LIST *check_host, *check_email, *check_ip; /* cert subject checks */
|
||||
NAME_LIST *config; /* OpenSSL CONF options */
|
||||
#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
|
||||
|
||||
/* service-specific data for ctx.c */
|
||||
char *cipher_list;
|
||||
char *cert; /* cert filename */
|
||||
char *key; /* pem (priv key/cert) filename */
|
||||
long session_size, session_timeout;
|
||||
long ssl_options;
|
||||
long unsigned ssl_options_set;
|
||||
#if OPENSSL_VERSION_NUMBER>=0x009080dfL
|
||||
long unsigned ssl_options_clear;
|
||||
#endif /* OpenSSL 0.9.8m or later */
|
||||
SSL_METHOD *client_method, *server_method;
|
||||
SOCKADDR_UNION sessiond_addr;
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
char *sni;
|
||||
SERVERNAME_LIST *servername_list_head, *servername_list_tail;
|
||||
#endif
|
||||
#endif /* !defined(OPENSSL_NO_TLSEXT) */
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
char *psk_identity;
|
||||
PSK_KEYS *psk_keys, *psk_selected;
|
||||
PSK_TABLE psk_sorted;
|
||||
#endif /* !defined(OPENSSL_NO_PSK) */
|
||||
#ifndef OPENSSL_NO_ECDH
|
||||
int curve;
|
||||
#endif
|
||||
#ifdef HAVE_OSSL_ENGINE_H
|
||||
#endif /* !defined(OPENSSL_NO_ECDH) */
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
ENGINE *engine; /* engine to read the private key */
|
||||
#endif
|
||||
#endif /* !defined(OPENSSL_NO_ENGINE) */
|
||||
|
||||
/* service-specific data for client.c */
|
||||
int fd; /* file descriptor accepting connections for this service */
|
||||
SOCKET fd; /* file descriptor accepting connections for this service */
|
||||
SSL_SESSION *session; /* recently used session */
|
||||
char *execname; /* program name for local mode */
|
||||
char *exec_name; /* program name for local mode */
|
||||
#ifdef USE_WIN32
|
||||
char *execargs; /* program arguments for local mode */
|
||||
char *exec_args; /* program arguments for local mode */
|
||||
#else
|
||||
char **execargs; /* program arguments for local mode */
|
||||
char **exec_args; /* program arguments for local mode */
|
||||
#endif
|
||||
SOCKADDR_UNION local_addr, source_addr;
|
||||
SOCKADDR_LIST connect_addr;
|
||||
char *username;
|
||||
NAME_LIST *connect_list;
|
||||
SOCKADDR_LIST connect_addr, redirect_addr;
|
||||
int timeout_busy; /* maximum waiting for data time */
|
||||
int timeout_close; /* maximum close_notify time */
|
||||
int timeout_connect; /* maximum connect() time */
|
||||
int timeout_idle; /* maximum idle connection time */
|
||||
enum {FAILOVER_RR, FAILOVER_PRIO} failover; /* failover strategy */
|
||||
char *username;
|
||||
|
||||
/* service-specific data for protocol.c */
|
||||
int protocol;
|
||||
char * protocol;
|
||||
char *protocol_host;
|
||||
char *protocol_domain;
|
||||
char *protocol_username;
|
||||
char *protocol_password;
|
||||
char *protocol_authentication;
|
||||
|
||||
/* service-specific data for gui.c */
|
||||
/* service-specific data for ui_*.c */
|
||||
#ifdef USE_WIN32
|
||||
int section_number;
|
||||
LPTSTR file;
|
||||
char *help, *chain;
|
||||
LPTSTR file, help;
|
||||
#endif
|
||||
unsigned section_number;
|
||||
char *chain;
|
||||
|
||||
/* on/off switches */
|
||||
struct {
|
||||
unsigned int accept:1; /* endpoint: accept */
|
||||
unsigned int client:1;
|
||||
unsigned int delayed_lookup:1;
|
||||
unsigned request_cert:1; /* request a peer certificate */
|
||||
unsigned require_cert:1; /* require a client certificate */
|
||||
unsigned verify_chain:1; /* verify certificate chain */
|
||||
unsigned verify_peer:1; /* verify peer certificate */
|
||||
unsigned accept:1; /* endpoint: accept */
|
||||
unsigned client:1;
|
||||
unsigned delayed_lookup:1;
|
||||
#ifdef USE_LIBWRAP
|
||||
unsigned int libwrap:1;
|
||||
unsigned libwrap:1;
|
||||
#endif
|
||||
unsigned int local:1; /* outgoing interface specified */
|
||||
unsigned int remote:1; /* endpoint: connect */
|
||||
unsigned int retry:1; /* loop remote+program */
|
||||
unsigned int sessiond:1;
|
||||
unsigned int program:1; /* endpoint: exec */
|
||||
unsigned local:1; /* outgoing interface specified */
|
||||
unsigned retry:1; /* loop remote+program */
|
||||
unsigned sessiond:1;
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
unsigned int sni:1; /* endpoint: sni */
|
||||
#endif
|
||||
unsigned sni:1; /* endpoint: sni */
|
||||
#endif /* !defined(OPENSSL_NO_TLSEXT) */
|
||||
#ifndef USE_WIN32
|
||||
unsigned int pty:1;
|
||||
unsigned int transparent_src:1;
|
||||
unsigned int transparent_dst:1; /* endpoint: transparent destination */
|
||||
unsigned pty:1;
|
||||
unsigned transparent_src:1;
|
||||
#endif
|
||||
#ifdef HAVE_OSSL_OCSP_H
|
||||
unsigned int ocsp:1;
|
||||
#endif
|
||||
unsigned int reset:1; /* reset sockets on error */
|
||||
unsigned int renegotiation:1;
|
||||
unsigned transparent_dst:1; /* endpoint: transparent destination */
|
||||
unsigned protocol_endpoint:1; /* dynamic target from the protocol */
|
||||
unsigned reset:1; /* reset sockets on error */
|
||||
unsigned renegotiation:1;
|
||||
unsigned connect_before_ssl:1;
|
||||
#ifndef OPENSSL_NO_OCSP
|
||||
unsigned aia:1; /* Authority Information Access */
|
||||
unsigned nonce:1; /* send and verify OCSP nonce */
|
||||
#endif /* !defined(OPENSSL_NO_OCSP) */
|
||||
#ifndef OPENSSL_NO_DH
|
||||
unsigned dh_needed:1;
|
||||
#endif /* OPENSSL_NO_DH */
|
||||
} option;
|
||||
} SERVICE_OPTIONS;
|
||||
|
||||
|
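Review bot: "char * protocol;" replaces "int protocol;" in SERVICE_OPTIONS, but nothing says who owns the string or when it is freed; give it the kind of comment the neighbouring fields carry, and do the same for "unsigned connect_before_ssl:1;" and "unsigned dh_needed:1;", the only new bit-fields in this hunk left uncommented. The comment on "unsigned nonce:1; /* send and verify OCSP nonce */" should also state the default, since running without the nonce drops the replay check on OCSP responses and an administrator reading the header cannot tell which way the switch falls.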
@ -236,7 +315,7 @@ struct servername_list_struct {
|
|||
SERVICE_OPTIONS *opt;
|
||||
struct servername_list_struct *next;
|
||||
};
|
||||
#endif
|
||||
#endif /* !defined(OPENSSL_NO_TLSEXT) */
|
||||
|
||||
typedef enum {
|
||||
TYPE_NONE, TYPE_FLAG, TYPE_INT, TYPE_LINGER, TYPE_TIMEVAL, TYPE_STRING
|
||||
|
@ -267,11 +346,14 @@ typedef enum {
|
|||
typedef struct {
|
||||
#ifdef USE_POLL
|
||||
struct pollfd *ufds;
|
||||
unsigned int nfds;
|
||||
unsigned int allocated;
|
||||
unsigned nfds;
|
||||
unsigned allocated;
|
||||
#else /* select */
|
||||
fd_set irfds, iwfds, ixfds, orfds, owfds, oxfds;
|
||||
int max;
|
||||
fd_set *irfds, *iwfds, *ixfds, *orfds, *owfds, *oxfds;
|
||||
SOCKET max;
|
||||
#ifdef USE_WIN32
|
||||
unsigned allocated;
|
||||
#endif
|
||||
#endif
|
||||
} s_poll_set;
|
||||
|
||||
|
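Review bot: in the select branch the sets become "fd_set *irfds, *iwfds, *ixfds, *orfds, *owfds, *oxfds;" with "SOCKET max;", but "unsigned allocated;" is only tracked under USE_WIN32; on the non-Win32 path nothing in s_poll_set records the set size, so s_poll_add() must still reject any descriptor greater than or equal to FD_SETSIZE before calling FD_SET(), otherwise the write lands past the end of the heap-allocated set. Please confirm that check exists in network.c, and that s_poll_free() now releases all six sets since they are pointers rather than inline arrays.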
@ -281,47 +363,91 @@ typedef struct disk_file {
|
|||
#else
|
||||
int fd;
|
||||
#endif
|
||||
/* the inteface is prepared to easily implement buffering if needed */
|
||||
/* the interface is prepared to easily implement buffering if needed */
|
||||
} DISK_FILE;
|
||||
|
||||
/* FD definition for client.c */
|
||||
/* definitions for client.c */
|
||||
|
||||
typedef struct {
|
||||
int fd; /* file descriptor */
|
||||
SOCKET fd; /* file descriptor */
|
||||
int is_socket; /* file descriptor is a socket */
|
||||
} FD;
|
||||
|
||||
typedef enum {
|
||||
RENEG_INIT, /* initial state */
|
||||
RENEG_ESTABLISHED, /* initial handshake completed */
|
||||
RENEG_DETECTED /* renegotiation detected */
|
||||
} RENEG_STATE;
|
||||
|
||||
typedef struct {
|
||||
jmp_buf err; /* 64-bit platforms require jmp_buf to be 16-byte aligned */
|
||||
SSL *ssl; /* TLS connection */
|
||||
SERVICE_OPTIONS *opt;
|
||||
TLS_DATA *tls;
|
||||
|
||||
SOCKADDR_UNION peer_addr; /* peer address */
|
||||
socklen_t peer_addr_len;
|
||||
SOCKADDR_UNION *bind_addr; /* address to bind() the socket */
|
||||
SOCKADDR_LIST connect_addr; /* either copied or resolved dynamically */
|
||||
unsigned idx; /* actually connected address in connect_addr */
|
||||
FD local_rfd, local_wfd; /* read and write local descriptors */
|
||||
FD remote_fd; /* remote file descriptor */
|
||||
/* IP for explicit local bind or transparent proxy */
|
||||
unsigned long pid; /* PID of the local process */
|
||||
SOCKET fd; /* temporary file descriptor */
|
||||
RENEG_STATE reneg_state; /* used to track renegotiation attempts */
|
||||
unsigned long long seq; /* sequential thread number for logging */
|
||||
|
||||
/* data for transfer() function */
|
||||
char sock_buff[BUFFSIZE]; /* socket read buffer */
|
||||
char ssl_buff[BUFFSIZE]; /* TLS read buffer */
|
||||
size_t sock_ptr, ssl_ptr; /* index of the first unused byte */
|
||||
FD *sock_rfd, *sock_wfd; /* read and write socket descriptors */
|
||||
FD *ssl_rfd, *ssl_wfd; /* read and write TLS descriptors */
|
||||
uint64_t sock_bytes, ssl_bytes; /* bytes written to socket and TLS */
|
||||
s_poll_set *fds; /* file descriptors */
|
||||
} CLI;
|
||||
|
||||
/**************************************** prototypes for stunnel.c */
|
||||
|
||||
#ifndef USE_FORK
|
||||
extern int max_clients;
|
||||
extern volatile int num_clients;
|
||||
extern long max_clients;
|
||||
extern volatile long num_clients;
|
||||
#endif
|
||||
|
||||
void main_initialize(void);
|
||||
void main_init(void);
|
||||
int main_configure(char *, char *);
|
||||
void main_cleanup(void);
|
||||
int drop_privileges(int);
|
||||
void daemon_loop(void);
|
||||
void unbind_ports(void);
|
||||
int bind_ports(void);
|
||||
#if !defined (USE_WIN32) && !defined (__vms) && !defined(USE_OS2)
|
||||
int drop_privileges(int);
|
||||
#endif
|
||||
void signal_post(int);
|
||||
#if !defined(USE_WIN32) && !defined(USE_OS2)
|
||||
void child_status(void); /* dead libwrap or 'exec' process detected */
|
||||
#endif
|
||||
void stunnel_info(int);
|
||||
|
||||
/**************************************** prototypes for options.c */
|
||||
|
||||
extern char configuration_file[PATH_MAX];
|
||||
extern unsigned number_of_sections;
|
||||
|
||||
int options_cmdline(char *, char *);
|
||||
int options_parse(CONF_TYPE);
|
||||
void options_defaults(void);
|
||||
void options_apply(void);
|
||||
|
||||
/**************************************** prototypes for fd.c */
|
||||
|
||||
#ifndef USE_FORK
|
||||
void get_limits(void); /* setup global max_clients and max_fds */
|
||||
#endif
|
||||
int s_socket(int, int, int, int, char *);
|
||||
int s_pipe(int [2], int, char *);
|
||||
int s_socketpair(int, int, int, int [2], int, char *);
|
||||
int s_accept(int, struct sockaddr *, socklen_t *, int, char *);
|
||||
void set_nonblock(int, unsigned long);
|
||||
SOCKET s_socket(int, int, int, int, char *);
|
||||
int s_pipe(int[2], int, char *);
|
||||
int s_socketpair(int, int, int, SOCKET[2], int, char *);
|
||||
SOCKET s_accept(SOCKET, struct sockaddr *, socklen_t *, int, char *);
|
||||
void set_nonblock(SOCKET, unsigned long);
|
||||
|
||||
/**************************************** prototypes for log.c */
|
||||
|
||||
|
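Review bot: the descriptor types in the fd.c prototypes are inconsistent: "int s_socketpair(int, int, int, SOCKET[2], int, char *);" and "SOCKET s_accept(SOCKET, ...)" use SOCKET, while "int s_pipe(int[2], int, char *);" keeps int; the values all end up in FD.fd, which this hunk changes to SOCKET, and on Win32 SOCKET is a pointer-sized unsigned type, so mixing the two invites truncation. Widening "sock_bytes, ssl_bytes" to uint64_t and "sock_ptr, ssl_ptr" to size_t in CLI is the right fix for the old signed int counters, but uint64_t requires stdint.h (or inttypes.h) to be included by this header, and that include is not visible in the hunk.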
@ -338,7 +464,8 @@ void s_log(int, const char *, ...)
|
|||
#else
|
||||
;
|
||||
#endif
|
||||
void fatal_debug(char *, char *, int);
|
||||
char *log_id(CLI *);
|
||||
void fatal_debug(char *, const char *, int);
|
||||
#define fatal(a) fatal_debug((a), __FILE__, __LINE__)
|
||||
void ioerror(const char *);
|
||||
void sockerror(const char *);
|
||||
|
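Review bot: "void fatal_debug(char *, const char *, int);" makes only the file argument const; the message argument is always a literal or constant string via "#define fatal(a) fatal_debug((a), __FILE__, __LINE__)", so it should be "const char *" as well, matching "void ioerror(const char *);" and "void sockerror(const char *);" directly below.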
@ -349,44 +476,58 @@ char *s_strerror(int);
|
|||
|
||||
int pty_allocate(int *, int *, char *);
|
||||
|
||||
/**************************************** prototypes for dhparam.c */
|
||||
|
||||
DH *get_dh2048(void);
|
||||
|
||||
/**************************************** prototypes for cron.c */
|
||||
|
||||
int cron_init(void);
|
||||
|
||||
/**************************************** prototypes for ssl.c */
|
||||
|
||||
extern int cli_index, opt_index;
|
||||
extern int index_ssl_cli, index_ssl_ctx_opt;
|
||||
extern int index_session_authenticated, index_session_connect_address;
|
||||
|
||||
int ssl_init(void);
|
||||
int ssl_configure(GLOBAL_OPTIONS *);
|
||||
|
||||
/**************************************** prototypes for options.c */
|
||||
|
||||
int parse_commandline(char *, char *);
|
||||
int parse_conf(char *, CONF_TYPE);
|
||||
void apply_conf(void);
|
||||
|
||||
/**************************************** prototypes for ctx.c */
|
||||
|
||||
typedef struct {
|
||||
SERVICE_OPTIONS *section;
|
||||
char pass[PEM_BUFSIZE];
|
||||
} UI_DATA;
|
||||
extern SERVICE_OPTIONS *current_section;
|
||||
|
||||
#ifndef OPENSSL_NO_DH
|
||||
extern DH *dh_params;
|
||||
extern int dh_needed;
|
||||
#endif /* OPENSSL_NO_DH */
|
||||
|
||||
int context_init(SERVICE_OPTIONS *);
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
void psk_sort(PSK_TABLE *, PSK_KEYS *);
|
||||
PSK_KEYS *psk_find(const PSK_TABLE *, const char *);
|
||||
#endif /* !defined(OPENSSL_NO_PSK) */
|
||||
void sslerror(char *);
|
||||
|
||||
/**************************************** prototypes for verify.c */
|
||||
|
||||
int verify_init(SERVICE_OPTIONS *);
|
||||
void print_client_CA_list(const STACK_OF(X509_NAME) *);
|
||||
char *X509_NAME2text(X509_NAME *);
|
||||
|
||||
/**************************************** prototypes for network.c */
|
||||
|
||||
s_poll_set *s_poll_alloc(void);
|
||||
void s_poll_free(s_poll_set *);
|
||||
void s_poll_init(s_poll_set *);
|
||||
void s_poll_add(s_poll_set *, int, int, int);
|
||||
int s_poll_canread(s_poll_set *, int);
|
||||
int s_poll_canwrite(s_poll_set *, int);
|
||||
int s_poll_hup(s_poll_set *, int);
|
||||
int s_poll_error(s_poll_set *, int);
|
||||
void s_poll_add(s_poll_set *, SOCKET, int, int);
|
||||
void s_poll_remove(s_poll_set *, SOCKET);
|
||||
int s_poll_canread(s_poll_set *, SOCKET);
|
||||
int s_poll_canwrite(s_poll_set *, SOCKET);
|
||||
int s_poll_hup(s_poll_set *, SOCKET);
|
||||
int s_poll_rdhup(s_poll_set *, SOCKET);
|
||||
int s_poll_err(s_poll_set *, SOCKET);
|
||||
int s_poll_wait(s_poll_set *, int, int);
|
||||
void s_poll_dump(s_poll_set *, int);
|
||||
|
||||
#ifdef USE_WIN32
|
||||
#define SIGNAL_RELOAD_CONFIG 1
|
||||
|
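Review bot: UI_DATA keeps the private-key passphrase inline in "char pass[PEM_BUFSIZE];" and no prototype in this hunk releases or wipes it; whichever routine in ctx.c owns the struct should clear the buffer (OPENSSL_cleanse() or equivalent) once the key has been loaded, and a comment on the field should say so. Separately, "void psk_sort(PSK_TABLE *, PSK_KEYS *);" and "PSK_KEYS *psk_find(const PSK_TABLE *, const char *);" imply a sorted lookup by identity; document that only the identity string is compared during the search, so nobody later extends the comparison to the key bytes with an early-exit memcmp.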
@ -398,80 +539,62 @@ int s_poll_wait(s_poll_set *, int, int);
|
|||
#define SIGNAL_TERMINATE SIGTERM
|
||||
#endif
|
||||
|
||||
int set_socket_options(int, int);
|
||||
int make_sockets(int [2]);
|
||||
int set_socket_options(SOCKET, int);
|
||||
int make_sockets(SOCKET[2]);
|
||||
int original_dst(const SOCKET, SOCKADDR_UNION *);
|
||||
|
||||
/**************************************** prototypes for client.c */
|
||||
|
||||
typedef enum {
|
||||
RENEG_INIT, /* initial state */
|
||||
RENEG_ESTABLISHED, /* initial handshake completed */
|
||||
RENEG_DETECTED /* renegotiation detected */
|
||||
} RENEG_STATE;
|
||||
|
||||
typedef struct {
|
||||
jmp_buf err; /* exception handler needs to be 16-byte aligned on Itanium */
|
||||
SSL *ssl; /* SSL connnection */
|
||||
SERVICE_OPTIONS *opt;
|
||||
|
||||
SOCKADDR_UNION peer_addr; /* peer address */
|
||||
socklen_t peer_addr_len;
|
||||
SOCKADDR_UNION *bind_addr; /* address to bind() the socket */
|
||||
SOCKADDR_LIST connect_addr; /* for dynamically assigned addresses */
|
||||
FD local_rfd, local_wfd; /* read and write local descriptors */
|
||||
FD remote_fd; /* remote file descriptor */
|
||||
/* IP for explicit local bind or transparent proxy */
|
||||
unsigned long pid; /* PID of the local process */
|
||||
int fd; /* temporary file descriptor */
|
||||
RENEG_STATE reneg_state; /* used to track renegotiation attempts */
|
||||
|
||||
/* data for transfer() function */
|
||||
char sock_buff[BUFFSIZE]; /* socket read buffer */
|
||||
char ssl_buff[BUFFSIZE]; /* SSL read buffer */
|
||||
int sock_ptr, ssl_ptr; /* index of first unused byte in buffer */
|
||||
FD *sock_rfd, *sock_wfd; /* read and write socket descriptors */
|
||||
FD *ssl_rfd, *ssl_wfd; /* read and write SSL descriptors */
|
||||
int sock_bytes, ssl_bytes; /* bytes written to socket and SSL */
|
||||
s_poll_set *fds; /* file descriptors */
|
||||
} CLI;
|
||||
|
||||
CLI *alloc_client_session(SERVICE_OPTIONS *, int, int);
|
||||
CLI *alloc_client_session(SERVICE_OPTIONS *, SOCKET, SOCKET);
|
||||
void *client_thread(void *);
|
||||
void client_main(CLI *);
|
||||
|
||||
/**************************************** prototypes for network.c */
|
||||
|
||||
int connect_blocking(CLI *, SOCKADDR_UNION *, socklen_t);
|
||||
void write_blocking(CLI *, int fd, void *, int);
|
||||
void read_blocking(CLI *, int fd, void *, int);
|
||||
void fd_putline(CLI *, int, const char *);
|
||||
char *fd_getline(CLI *, int);
|
||||
int get_socket_error(const SOCKET);
|
||||
int s_connect(CLI *, SOCKADDR_UNION *, socklen_t);
|
||||
void s_write(CLI *, SOCKET fd, const void *, size_t);
|
||||
void s_read(CLI *, SOCKET fd, void *, size_t);
|
||||
void fd_putline(CLI *, SOCKET, const char *);
|
||||
char *fd_getline(CLI *, SOCKET);
|
||||
/* descriptor versions of fprintf/fscanf */
|
||||
void fd_printf(CLI *, int, const char *, ...)
|
||||
void fd_printf(CLI *, SOCKET, const char *, ...)
|
||||
#ifdef __GNUC__
|
||||
__attribute__((format(printf, 3, 4)));
|
||||
#else
|
||||
;
|
||||
#endif
|
||||
void s_ssl_write(CLI *, const void *, int);
|
||||
void s_ssl_read(CLI *, void *, int);
|
||||
char *ssl_getstring(CLI *c);
|
||||
char *ssl_getline(CLI *c);
|
||||
void ssl_putline(CLI *c, const char *);
|
||||
|
||||
/**************************************** prototype for protocol.c */
|
||||
|
||||
typedef enum {
|
||||
PROTOCOL_NONE,
|
||||
PROTOCOL_PRE_CONNECT,
|
||||
PROTOCOL_PRE_SSL,
|
||||
PROTOCOL_POST_SSL
|
||||
} PROTOCOL_PHASE;
|
||||
PROTOCOL_CHECK,
|
||||
PROTOCOL_EARLY,
|
||||
PROTOCOL_MIDDLE,
|
||||
PROTOCOL_LATE
|
||||
} PHASE;
|
||||
|
||||
int find_protocol_id(const char *);
|
||||
void protocol(CLI *, const PROTOCOL_PHASE);
|
||||
char *protocol(CLI *, SERVICE_OPTIONS *opt, const PHASE);
|
||||
|
||||
/**************************************** prototypes for resolver.c */
|
||||
|
||||
void resolver_init();
|
||||
int name2addr(SOCKADDR_UNION *, char *, char *);
|
||||
int hostport2addr(SOCKADDR_UNION *, char *, char *);
|
||||
int namelist2addrlist(SOCKADDR_LIST *, NAME_LIST *, char *);
|
||||
|
||||
unsigned name2addr(SOCKADDR_UNION *, char *, int);
|
||||
unsigned hostport2addr(SOCKADDR_UNION *, char *, char *, int);
|
||||
|
||||
unsigned name2addrlist(SOCKADDR_LIST *, char *);
|
||||
unsigned hostport2addrlist(SOCKADDR_LIST *, char *, char *);
|
||||
|
||||
void addrlist_clear(SOCKADDR_LIST *, int);
|
||||
unsigned addrlist_dup(SOCKADDR_LIST *, const SOCKADDR_LIST *);
|
||||
unsigned addrlist_resolve(SOCKADDR_LIST *);
|
||||
|
||||
char *s_ntop(SOCKADDR_UNION *, socklen_t);
|
||||
socklen_t addr_len(const SOCKADDR_UNION *);
|
||||
const char *s_gai_strerror(int);
|
||||
|
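Review bot: "void s_write(CLI *, SOCKET fd, const void *, size_t);" and "void s_read(CLI *, SOCKET fd, void *, size_t);" move the length to size_t, but "void s_ssl_write(CLI *, const void *, int);" and "void s_ssl_read(CLI *, void *, int);" in the same hunk keep int; callers passing the now size_t sock_ptr and ssl_ptr into the TLS variants get an implicit narrowing, so these two should take size_t too. Also "char *protocol(CLI *, SERVICE_OPTIONS *opt, const PHASE);" now returns a pointer where the old "void protocol(CLI *, const PROTOCOL_PHASE);" returned nothing; a comment is needed on what the pointer means and who frees it, and one on the four new phases PROTOCOL_CHECK, PROTOCOL_EARLY, PROTOCOL_MIDDLE and PROTOCOL_LATE, which replace the self-describing PRE_CONNECT/PRE_SSL/POST_SSL names.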
@ -503,28 +626,78 @@ extern GETNAMEINFO s_getnameinfo;
|
|||
|
||||
#endif /* USE_WIN32 */
|
||||
|
||||
int getnameinfo(const struct sockaddr *, int, char *, int, char *, int, int);
|
||||
int getnameinfo(const struct sockaddr *, socklen_t,
|
||||
char *, size_t, char *, size_t, int);
|
||||
|
||||
#endif /* !defined HAVE_GETNAMEINFO */
|
||||
|
||||
/**************************************** prototypes for sthreads.c */
|
||||
|
||||
typedef enum {
|
||||
CRIT_CLIENTS, CRIT_SESSION, CRIT_SSL, /* client.c */
|
||||
CRIT_INET, /* resolver.c */
|
||||
#ifndef USE_WIN32
|
||||
CRIT_LIBWRAP, /* libwrap.c */
|
||||
#endif
|
||||
CRIT_LOG, /* log.c */
|
||||
CRIT_SECTIONS /* number of critical sections */
|
||||
} SECTION_CODE;
|
||||
#if defined(USE_PTHREAD) || defined(USE_WIN32)
|
||||
|
||||
struct CRYPTO_dynlock_value {
|
||||
#ifdef USE_PTHREAD
|
||||
pthread_rwlock_t rwlock;
|
||||
#endif
|
||||
#ifdef USE_WIN32
|
||||
CRITICAL_SECTION critical_section;
|
||||
#endif
|
||||
const char *init_file, *read_lock_file, *write_lock_file,
|
||||
*read_unlock_file, *write_unlock_file, *destroy_file;
|
||||
int init_line, read_lock_line, write_lock_line,
|
||||
read_unlock_line, write_unlock_line, destroy_line;
|
||||
};
|
||||
|
||||
typedef enum {
|
||||
LOCK_SESSION, LOCK_ADDR,
|
||||
LOCK_CLIENTS, LOCK_SSL, /* client.c */
|
||||
LOCK_INET, /* resolver.c */
|
||||
#ifndef USE_WIN32
|
||||
LOCK_LIBWRAP, /* libwrap.c */
|
||||
#endif
|
||||
LOCK_LOG_BUFFER, LOCK_LOG_MODE, /* log.c */
|
||||
LOCK_LEAK_HASH, LOCK_LEAK_RESULTS, /* str.c */
|
||||
#ifndef OPENSSL_NO_DH
|
||||
LOCK_DH, /* ctx.c */
|
||||
#endif /* OPENSSL_NO_DH */
|
||||
STUNNEL_LOCKS /* number of locks */
|
||||
} LOCK_TYPE;
|
||||
extern struct CRYPTO_dynlock_value stunnel_locks[STUNNEL_LOCKS];
|
||||
|
||||
void stunnel_rwlock_init_debug(struct CRYPTO_dynlock_value *, const char *, int);
|
||||
void stunnel_read_lock_debug(struct CRYPTO_dynlock_value *, const char *, int);
|
||||
void stunnel_write_lock_debug(struct CRYPTO_dynlock_value *, const char *, int);
|
||||
void stunnel_read_unlock_debug(struct CRYPTO_dynlock_value *, const char *, int);
|
||||
void stunnel_write_unlock_debug(struct CRYPTO_dynlock_value *, const char *, int);
|
||||
void stunnel_rwlock_destroy_debug(struct CRYPTO_dynlock_value *, const char *, int);
|
||||
|
||||
#define stunnel_rwlock_init(x) stunnel_rwlock_init_debug((x),__FILE__,__LINE__)
|
||||
#define stunnel_read_lock(x) stunnel_read_lock_debug((x),__FILE__,__LINE__)
|
||||
#define stunnel_write_lock(x) stunnel_write_lock_debug((x),__FILE__,__LINE__)
|
||||
#define stunnel_read_unlock(x) stunnel_read_unlock_debug((x),__FILE__,__LINE__)
|
||||
#define stunnel_write_unlock(x) stunnel_write_unlock_debug((x),__FILE__,__LINE__)
|
||||
#define stunnel_rwlock_destroy(x) stunnel_rwlock_destroy_debug((x),__FILE__,__LINE__)
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER<0x10100004L
|
||||
#define CRYPTO_atomic_add(addr,amount,result,type) \
|
||||
*result = type ? CRYPTO_add(addr,amount,type) : (*addr+=amount)
|
||||
#endif
|
||||
|
||||
#else /* defined(USE_PTHREAD) || defined(USE_WIN32) */
|
||||
|
||||
#define stunnel_rwlock_init(x) {}
|
||||
#define stunnel_read_lock(x) {}
|
||||
#define stunnel_write_lock(x) {}
|
||||
#define stunnel_read_unlock(x) {}
|
||||
#define stunnel_write_unlock(x) {}
|
||||
#define stunnel_rwlock_destroy(x) {}
|
||||
|
||||
#endif /* defined(USE_PTHREAD) || defined(USE_WIN32) */
|
||||
|
||||
void enter_critical_section(SECTION_CODE);
|
||||
void leave_critical_section(SECTION_CODE);
|
||||
int sthreads_init(void);
|
||||
unsigned long stunnel_process_id(void);
|
||||
unsigned long stunnel_thread_id(void);
|
||||
int create_client(int, int, CLI *, void *(*)(void *));
|
||||
int create_client(SOCKET, SOCKET, CLI *, void *(*)(void *));
|
||||
#ifdef USE_UCONTEXT
|
||||
typedef struct CONTEXT_STRUCTURE {
|
||||
char *stack; /* CPU stack for this thread */
|
||||
|
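Review bot: the no-threads stubs "#define stunnel_rwlock_init(x) {}" through "#define stunnel_rwlock_destroy(x) {}" expand to an empty compound statement, so "if(c) stunnel_read_lock(x); else ..." will not compile; use "do {} while(0)" or "((void)0)" instead. The CRYPTO_atomic_add fallback for OPENSSL_VERSION_NUMBER<0x10100004L has the same hygiene problem: "*result = type ? CRYPTO_add(addr,amount,type) : (*addr+=amount)" does not parenthesise result, addr or amount, and the type==0 branch is a plain non-atomic increment that is only safe where the caller is genuinely single-threaded; a comment stating that condition belongs next to the macro.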
@ -534,7 +707,7 @@ typedef struct CONTEXT_STRUCTURE {
|
|||
int ready; /* number of ready file descriptors */
|
||||
time_t finish; /* when to finish poll() for this context */
|
||||
struct CONTEXT_STRUCTURE *next; /* next context on a list */
|
||||
void *tls; /* thread local storage for str.c */
|
||||
void *tls; /* thread local storage for tls.c */
|
||||
} CONTEXT;
|
||||
extern CONTEXT *ready_head, *ready_tail;
|
||||
extern CONTEXT *waiting_head, *waiting_tail;
|
||||
|
@ -547,32 +720,20 @@ void _endthread(void);
|
|||
void stack_info(int);
|
||||
#endif
|
||||
|
||||
/**************************************** prototypes for gui.c */
|
||||
|
||||
#ifdef USE_WIN32
|
||||
void message_box(const LPSTR, const UINT);
|
||||
void win_new_chain(int);
|
||||
void win_new_log(char *);
|
||||
void win_new_config(void);
|
||||
int passwd_cb(char *, int, int, void *);
|
||||
#ifdef HAVE_OSSL_ENGINE_H
|
||||
int pin_cb(UI *, UI_STRING *);
|
||||
#endif
|
||||
#endif /* USE_WIN32 */
|
||||
|
||||
/**************************************** prototypes for file.c */
|
||||
|
||||
#ifndef USE_WIN32
|
||||
DISK_FILE *file_fdopen(int);
|
||||
#endif
|
||||
DISK_FILE *file_open(char *, int);
|
||||
DISK_FILE *file_open(char *, FILE_MODE mode);
|
||||
void file_close(DISK_FILE *);
|
||||
int file_getline(DISK_FILE *, char *, int);
|
||||
int file_putline(DISK_FILE *, char *);
|
||||
ssize_t file_getline(DISK_FILE *, char *, int);
|
||||
ssize_t file_putline(DISK_FILE *, char *);
|
||||
int file_permissions(const char *);
|
||||
|
||||
#ifdef USE_WIN32
|
||||
LPTSTR str2tstr(const LPSTR);
|
||||
LPSTR tstr2str(const LPTSTR);
|
||||
LPTSTR str2tstr(LPCSTR);
|
||||
LPSTR tstr2str(LPCTSTR);
|
||||
#endif
|
||||
|
||||
/**************************************** prototypes for libwrap.c */
|
||||
|
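Review bot: "ssize_t file_getline(DISK_FILE *, char *, int);" now returns a signed size but still takes the buffer length as int; callers must test for a negative return before using it as a length, and the parameter would be safer as size_t so an oversized buffer cannot be passed as a negative value. The new "int file_permissions(const char *);" has no comment; state what it checks and how callers are expected to treat a failure, since this is presumably the guard for key and configuration file modes.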
@ -580,21 +741,33 @@ LPSTR tstr2str(const LPTSTR);
|
|||
int libwrap_init();
|
||||
void libwrap_auth(CLI *, char *);
|
||||
|
||||
/**************************************** prototypes for tls.c */
|
||||
|
||||
extern volatile int tls_initialized;
|
||||
|
||||
void tls_init();
|
||||
TLS_DATA *tls_alloc(CLI *, TLS_DATA *, char *);
|
||||
void tls_cleanup();
|
||||
void tls_set(TLS_DATA *);
|
||||
TLS_DATA *tls_get();
|
||||
|
||||
/**************************************** prototypes for str.c */
|
||||
|
||||
void str_init();
|
||||
void str_canary_init();
|
||||
void str_cleanup();
|
||||
void str_stats();
|
||||
void *str_alloc_debug(size_t, char *, int);
|
||||
#define str_alloc(a) str_alloc_debug((a), __FILE__, __LINE__)
|
||||
void *str_realloc_debug(void *, size_t, char *, int);
|
||||
#define str_realloc(a, b) str_realloc_debug((a), (b), __FILE__, __LINE__)
|
||||
void str_detach_debug(void *, char *, int);
|
||||
#define str_detach(a) str_detach_debug((a), __FILE__, __LINE__)
|
||||
void str_free_debug(void *, char *, int);
|
||||
#define str_free(a) str_free_debug((a), __FILE__, __LINE__), (a)=NULL
|
||||
char *str_dup(const char *);
|
||||
extern TLS_DATA *ui_tls;
|
||||
typedef struct alloc_list_struct ALLOC_LIST;
|
||||
|
||||
struct tls_data_struct {
|
||||
ALLOC_LIST *alloc_head;
|
||||
size_t alloc_bytes, alloc_blocks;
|
||||
CLI *c;
|
||||
SERVICE_OPTIONS *opt;
|
||||
char *id;
|
||||
};
|
||||
|
||||
void str_init(TLS_DATA *);
|
||||
void str_cleanup(TLS_DATA *);
|
||||
char *str_dup_debug(const char *, const char *, int);
|
||||
#define str_dup(a) str_dup_debug((a), __FILE__, __LINE__)
|
||||
char *str_vprintf(const char *, va_list);
|
||||
char *str_printf(const char *, ...)
|
||||
#ifdef __GNUC__
|
||||
|
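Review bot: "void tls_init();", "void tls_cleanup();", "TLS_DATA *tls_get();" and "int libwrap_init();" are declared with empty parentheses, which in C is an unprototyped declaration that disables argument checking at call sites; write them as "(void)" like the other prototypes in this header ("void main_cleanup(void);", "int sthreads_init(void);").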
@ -602,6 +775,47 @@ char *str_printf(const char *, ...)
|
|||
#else
|
||||
;
|
||||
#endif
|
||||
#ifdef USE_WIN32
|
||||
LPTSTR str_tprintf(LPCTSTR, ...);
|
||||
#endif
|
||||
|
||||
void str_canary_init();
|
||||
void str_stats();
|
||||
void *str_alloc_debug(size_t, const char *, int);
|
||||
#define str_alloc(a) str_alloc_debug((a), __FILE__, __LINE__)
|
||||
void *str_alloc_detached_debug(size_t, const char *, int);
|
||||
#define str_alloc_detached(a) str_alloc_detached_debug((a), __FILE__, __LINE__)
|
||||
void *str_realloc_detached_debug(void *, size_t, const char *, int);
|
||||
void *str_realloc_debug(void *, size_t, const char *, int);
|
||||
#define str_realloc(a, b) str_realloc_debug((a), (b), __FILE__, __LINE__)
|
||||
void str_detach_debug(void *, const char *, int);
|
||||
#define str_detach(a) str_detach_debug((a), __FILE__, __LINE__)
|
||||
void str_free_debug(void *, const char *, int);
|
||||
#define str_free(a) str_free_debug((a), __FILE__, __LINE__), (a)=NULL
|
||||
#define str_free_expression(a) str_free_debug((a), __FILE__, __LINE__)
|
||||
|
||||
int safe_memcmp(const void *, const void *, size_t);
|
||||
|
||||
/**************************************** prototypes for ui_*.c */
|
||||
|
||||
void ui_config_reloaded(void);
|
||||
void ui_new_chain(const unsigned);
|
||||
void ui_clients(const long);
|
||||
|
||||
void ui_new_log(const char *);
|
||||
#ifdef USE_WIN32
|
||||
void message_box(LPCTSTR, const UINT);
|
||||
#endif /* USE_WIN32 */
|
||||
|
||||
int ui_passwd_cb(char *, int, int, void *);
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
UI_METHOD *UI_stunnel(void);
|
||||
#endif /* !defined(OPENSSL_NO_ENGINE) */
|
||||
|
||||
#ifdef ICON_IMAGE
|
||||
ICON_IMAGE load_icon_default(ICON_TYPE);
|
||||
ICON_IMAGE load_icon_file(const char *);
|
||||
#endif
|
||||
|
||||
#endif /* defined PROTOTYPES_H */
|
||||
|
||||
|
|
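Review bot: "int safe_memcmp(const void *, const void *, size_t);" is added without a comment; if it is the constant-time comparison its name suggests, say so here and note that it, not memcmp, is the routine to use for secrets such as PSK keys and passwords, so future callers do not pick the wrong one. Minor: "void *str_realloc_detached_debug(void *, size_t, const char *, int);" is the only _debug routine in this block without a matching __FILE__, __LINE__ convenience macro.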
10
src/pty.c
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
|
@ -177,11 +177,11 @@ int pty_allocate(int *ptyfd, int *ttyfd, char *namebuf) {
|
|||
#else /* HAVE_DEV_PTS_AND_PTC */
|
||||
/* BSD-style pty code. */
|
||||
char buf[64];
|
||||
int i;
|
||||
size_t i;
|
||||
const char *ptymajors="pqrstuvwxyzabcdefghijklmnoABCDEFGHIJKLMNOPQRSTUVWXYZ";
|
||||
const char *ptyminors="0123456789abcdef";
|
||||
int num_minors=strlen(ptyminors);
|
||||
int num_ptys=strlen(ptymajors)*num_minors;
|
||||
size_t num_minors=strlen(ptyminors);
|
||||
size_t num_ptys=strlen(ptymajors)*num_minors;
|
||||
|
||||
for(i=0; i<num_ptys; i++) {
|
||||
#ifdef HAVE_SNPRINTF
|
||||
|
|
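Review bot: with i, num_minors and num_ptys changed from int to size_t, the body of "for(i=0; i<num_ptys; i++)" (cut off here behind "#ifdef HAVE_SNPRINTF") must index ptymajors and ptyminors with i/num_minors and i%num_minors consistently; any int temporary or %d conversion left in that body is now a signedness mismatch, so those lines need the same treatment as the declarations in this hunk.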
337
src/resolver.c
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
|
@ -40,8 +40,11 @@
|
|||
|
||||
/**************************************** prototypes */
|
||||
|
||||
static int name2addrlist(SOCKADDR_LIST *, char *, char *);
|
||||
static int hostport2addrlist(SOCKADDR_LIST *, char *, char *);
|
||||
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
|
||||
NOEXPORT int get_ipv6(LPTSTR);
|
||||
#endif
|
||||
NOEXPORT void addrlist2addr(SOCKADDR_UNION *, SOCKADDR_LIST *);
|
||||
NOEXPORT void addrlist_reset(SOCKADDR_LIST *);
|
||||
|
||||
#ifndef HAVE_GETADDRINFO
|
||||
|
||||
|
@ -72,11 +75,15 @@ struct addrinfo {
|
|||
};
|
||||
#endif
|
||||
|
||||
static int getaddrinfo(const char *, const char *,
|
||||
#ifndef AI_PASSIVE
|
||||
#define AI_PASSIVE 1
|
||||
#endif
|
||||
|
||||
NOEXPORT int getaddrinfo(const char *, const char *,
|
||||
const struct addrinfo *, struct addrinfo **);
|
||||
static int alloc_addresses(struct hostent *, const struct addrinfo *,
|
||||
NOEXPORT int alloc_addresses(struct hostent *, const struct addrinfo *,
|
||||
u_short port, struct addrinfo **, struct addrinfo **);
|
||||
static void freeaddrinfo(struct addrinfo *);
|
||||
NOEXPORT void freeaddrinfo(struct addrinfo *);
|
||||
|
||||
#endif /* !defined HAVE_GETADDRINFO */
|
||||
|
||||
|
@ -90,75 +97,92 @@ GETNAMEINFO s_getnameinfo;
|
|||
|
||||
void resolver_init() {
|
||||
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
|
||||
HINSTANCE handle;
|
||||
|
||||
handle=LoadLibrary("ws2_32.dll"); /* IPv6 in Windows XP or higher */
|
||||
if(handle) {
|
||||
s_getaddrinfo=(GETADDRINFO)GetProcAddress(handle, "getaddrinfo");
|
||||
s_freeaddrinfo=(FREEADDRINFO)GetProcAddress(handle, "freeaddrinfo");
|
||||
s_getnameinfo=(GETNAMEINFO)GetProcAddress(handle, "getnameinfo");
|
||||
if(s_getaddrinfo && s_freeaddrinfo && s_getnameinfo)
|
||||
return; /* IPv6 detected -> OK */
|
||||
FreeLibrary(handle);
|
||||
}
|
||||
handle=LoadLibrary("wship6.dll"); /* experimental IPv6 for Windows 2000 */
|
||||
if(handle) {
|
||||
s_getaddrinfo=(GETADDRINFO)GetProcAddress(handle, "getaddrinfo");
|
||||
s_freeaddrinfo=(FREEADDRINFO)GetProcAddress(handle, "freeaddrinfo");
|
||||
s_getnameinfo=(GETNAMEINFO)GetProcAddress(handle, "getnameinfo");
|
||||
if(s_getaddrinfo && s_freeaddrinfo && s_getnameinfo)
|
||||
return; /* IPv6 detected -> OK */
|
||||
FreeLibrary(handle);
|
||||
}
|
||||
s_getaddrinfo=NULL;
|
||||
s_freeaddrinfo=NULL;
|
||||
s_getnameinfo=NULL;
|
||||
if(get_ipv6(TEXT("ws2_32.dll"))) /* IPv6 in Windows XP or higher */
|
||||
return;
|
||||
if(get_ipv6(TEXT("wship6.dll"))) /* experimental IPv6 for Windows 2000 */
|
||||
return;
|
||||
/* fall back to the built-in emulation */
|
||||
#endif
|
||||
}
|
||||
|
||||
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
|
||||
NOEXPORT int get_ipv6(LPTSTR file) {
|
||||
HINSTANCE handle;
|
||||
|
||||
handle=LoadLibrary(file);
|
||||
if(!handle)
|
||||
return 0;
|
||||
s_getaddrinfo=(GETADDRINFO)GetProcAddress(handle, "getaddrinfo");
|
||||
s_freeaddrinfo=(FREEADDRINFO)GetProcAddress(handle, "freeaddrinfo");
|
||||
s_getnameinfo=(GETNAMEINFO)GetProcAddress(handle, "getnameinfo");
|
||||
if(!s_getaddrinfo || !s_freeaddrinfo || !s_getnameinfo) {
|
||||
s_getaddrinfo=NULL;
|
||||
s_freeaddrinfo=NULL;
|
||||
s_getnameinfo=NULL;
|
||||
FreeLibrary(handle);
|
||||
return 0;
|
||||
}
|
||||
return 1; /* IPv6 detected -> OK */
|
||||
}
|
||||
#endif
|
||||
|
||||
/**************************************** stunnel resolver API */
|
||||
|
||||
int name2addr(SOCKADDR_UNION *addr, char *name, char *default_host) {
|
||||
SOCKADDR_LIST addr_list;
|
||||
int retval;
|
||||
unsigned name2addr(SOCKADDR_UNION *addr, char *name, int passive) {
|
||||
SOCKADDR_LIST *addr_list;
|
||||
unsigned retval;
|
||||
|
||||
addr_list.num=0;
|
||||
addr_list.addr=NULL;
|
||||
retval=name2addrlist(&addr_list, name, default_host);
|
||||
if(retval>0)
|
||||
memcpy(addr, &addr_list.addr[0], sizeof *addr);
|
||||
if(addr_list.addr)
|
||||
str_free(addr_list.addr);
|
||||
addr_list=str_alloc(sizeof(SOCKADDR_LIST));
|
||||
addrlist_clear(addr_list, passive);
|
||||
retval=name2addrlist(addr_list, name);
|
||||
if(retval)
|
||||
addrlist2addr(addr, addr_list);
|
||||
str_free(addr_list->addr);
|
||||
str_free(addr_list->session);
|
||||
str_free(addr_list);
|
||||
return retval;
|
||||
}
|
||||
|
||||
int hostport2addr(SOCKADDR_UNION *addr, char *hostname, char *portname) {
|
||||
SOCKADDR_LIST addr_list;
|
||||
int retval;
|
||||
unsigned hostport2addr(SOCKADDR_UNION *addr,
|
||||
char *host_name, char *port_name, int passive) {
|
||||
SOCKADDR_LIST *addr_list;
|
||||
unsigned num;
|
||||
|
||||
addr_list.num=0;
|
||||
addr_list.addr=NULL;
|
||||
retval=hostport2addrlist(&addr_list, hostname, portname);
|
||||
if(retval>0)
|
||||
memcpy(addr, &addr_list.addr[0], sizeof *addr);
|
||||
if(addr_list.addr)
|
||||
str_free(addr_list.addr);
|
||||
return retval;
|
||||
addr_list=str_alloc(sizeof(SOCKADDR_LIST));
|
||||
addrlist_clear(addr_list, passive);
|
||||
num=hostport2addrlist(addr_list, host_name, port_name);
|
||||
if(num)
|
||||
addrlist2addr(addr, addr_list);
|
||||
str_free(addr_list->addr);
|
||||
str_free(addr_list->session);
|
||||
str_free(addr_list);
|
||||
return num;
|
||||
}
|
||||
|
||||
int namelist2addrlist(SOCKADDR_LIST *addr_list, NAME_LIST *name_list, char *default_host) {
|
||||
/* recursive implementation to reverse the list */
|
||||
if(!name_list)
|
||||
return 0;
|
||||
return namelist2addrlist(addr_list, name_list->next, default_host) +
|
||||
name2addrlist(addr_list, name_list->name, default_host);
|
||||
NOEXPORT void addrlist2addr(SOCKADDR_UNION *addr, SOCKADDR_LIST *addr_list) {
|
||||
unsigned i;
|
||||
|
||||
for(i=0; i<addr_list->num; ++i) { /* find the first IPv4 address */
|
||||
if(addr_list->addr[i].in.sin_family==AF_INET) {
|
||||
memcpy(addr, &addr_list->addr[i], sizeof(SOCKADDR_UNION));
|
||||
return;
|
||||
}
|
||||
}
|
||||
#ifdef USE_IPv6
|
||||
for(i=0; i<addr_list->num; ++i) { /* find the first IPv6 address */
|
||||
if(addr_list->addr[i].in.sin_family==AF_INET6) {
|
||||
memcpy(addr, &addr_list->addr[i], sizeof(SOCKADDR_UNION));
|
||||
return;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
/* copy the first address resolved (currently AF_UNIX) */
|
||||
memcpy(addr, &addr_list->addr[0], sizeof(SOCKADDR_UNION));
|
||||
}
|
||||
|
||||
static int name2addrlist(SOCKADDR_LIST *addr_list, char *name, char *default_host) {
|
||||
char *tmp, *hostname, *portname;
|
||||
int retval;
|
||||
|
||||
addr_list->cur=0; /* reset round-robin counter */
|
||||
unsigned name2addrlist(SOCKADDR_LIST *addr_list, char *name) {
|
||||
char *tmp, *host_name, *port_name;
|
||||
unsigned num;
|
||||
|
||||
/* first check if this is a UNIX socket */
|
||||
#ifdef HAVE_STRUCT_SOCKADDR_UN
|
||||
|
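Review bot: `addrlist2addr` dereferences `addr_list->addr[0]` unconditionally in its final fallback (the "copy the first address resolved" branch), so it is only safe when `addr_list->num>0`. The one visible caller, `hostport2addr`, guards the call with `if(num)`, but the precondition is not stated at the helper itself; an early `if(!addr_list->num) return;` or a comment naming the requirement would keep a future caller from dereferencing a NULL `addr` after a failed resolution. On the caller side, note that `hostport2addr` leaves `*addr` untouched and returns 0 on failure, so callers must check the return value before using `addr`.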
@ -172,58 +196,87 @@ static int name2addrlist(SOCKADDR_LIST *addr_list, char *name, char *default_hos
|
|||
(addr_list->num+1)*sizeof(SOCKADDR_UNION));
|
||||
addr_list->addr[addr_list->num].un.sun_family=AF_UNIX;
|
||||
strcpy(addr_list->addr[addr_list->num].un.sun_path, name);
|
||||
return ++(addr_list->num); /* ok - return the number of addresses */
|
||||
addr_list->session=str_realloc(addr_list->session,
|
||||
(addr_list->num+1)*sizeof(SSL_SESSION *));
|
||||
addr_list->session[addr_list->num]=NULL;
|
||||
++(addr_list->num);
|
||||
return 1; /* ok - return the number of new addresses */
|
||||
}
|
||||
#endif
|
||||
|
||||
/* set hostname and portname */
|
||||
/* setup host_name and port_name */
|
||||
tmp=str_dup(name);
|
||||
portname=strrchr(tmp, ':');
|
||||
if(portname) {
|
||||
hostname=tmp;
|
||||
*portname++='\0';
|
||||
port_name=strrchr(tmp, ':');
|
||||
if(port_name) {
|
||||
host_name=tmp;
|
||||
*port_name++='\0';
|
||||
} else { /* no ':' - use default host IP */
|
||||
hostname=default_host;
|
||||
portname=tmp;
|
||||
host_name=NULL;
|
||||
port_name=tmp;
|
||||
}
|
||||
|
||||
/* fill addr_list structure */
|
||||
retval=hostport2addrlist(addr_list, hostname, portname);
|
||||
num=hostport2addrlist(addr_list, host_name, port_name);
|
||||
str_free(tmp);
|
||||
return retval;
|
||||
return num; /* ok - return the number of new addresses */
|
||||
}
|
||||
|
||||
static int hostport2addrlist(SOCKADDR_LIST *addr_list,
|
||||
char *hostname, char *portname) {
|
||||
unsigned hostport2addrlist(SOCKADDR_LIST *addr_list,
|
||||
char *host_name, char *port_name) {
|
||||
struct addrinfo hints, *res=NULL, *cur;
|
||||
int err, retries=0;
|
||||
int err, retry=0;
|
||||
unsigned num=0;
|
||||
|
||||
memset(&hints, 0, sizeof hints);
|
||||
#if defined(USE_IPv6) || defined(USE_WIN32)
|
||||
hints.ai_family=PF_UNSPEC;
|
||||
hints.ai_family=AF_UNSPEC;
|
||||
#else
|
||||
hints.ai_family=PF_INET;
|
||||
hints.ai_family=AF_INET;
|
||||
#endif
|
||||
hints.ai_socktype=SOCK_STREAM;
|
||||
hints.ai_protocol=IPPROTO_TCP;
|
||||
for(;;) {
|
||||
err=getaddrinfo(hostname, portname, &hints, &res);
|
||||
if(err && res)
|
||||
freeaddrinfo(res);
|
||||
if(err!=EAI_AGAIN || ++retries>=3)
|
||||
break;
|
||||
s_log(LOG_DEBUG, "getaddrinfo: EAI_AGAIN received: retrying");
|
||||
sleep(1);
|
||||
hints.ai_flags=0;
|
||||
if(addr_list->passive) {
|
||||
hints.ai_family=AF_INET; /* first try IPv4 for passive requests */
|
||||
hints.ai_flags|=AI_PASSIVE;
|
||||
}
|
||||
switch(err) {
|
||||
case 0:
|
||||
break; /* success */
|
||||
case EAI_SERVICE:
|
||||
s_log(LOG_ERR, "Unknown TCP service '%s'", portname);
|
||||
#ifdef AI_ADDRCONFIG
|
||||
hints.ai_flags|=AI_ADDRCONFIG;
|
||||
#endif
|
||||
for(;;) {
|
||||
err=getaddrinfo(host_name, port_name, &hints, &res);
|
||||
if(!err)
|
||||
break;
|
||||
if(res)
|
||||
freeaddrinfo(res);
|
||||
if(err==EAI_AGAIN && ++retry<=3) {
|
||||
s_log(LOG_DEBUG, "getaddrinfo: EAI_AGAIN received: retrying");
|
||||
sleep(1);
|
||||
continue;
|
||||
}
|
||||
#ifdef AI_ADDRCONFIG
|
||||
if(hints.ai_flags&AI_ADDRCONFIG) {
|
||||
hints.ai_flags&=~AI_ADDRCONFIG;
|
||||
continue; /* retry for unconfigured network interfaces */
|
||||
}
|
||||
#endif
|
||||
#if defined(USE_IPv6) || defined(USE_WIN32)
|
||||
if(hints.ai_family==AF_INET) {
|
||||
hints.ai_family=AF_UNSPEC;
|
||||
continue; /* retry for non-IPv4 addresses */
|
||||
}
|
||||
#endif
|
||||
break;
|
||||
}
|
||||
if(err==EAI_SERVICE) {
|
||||
s_log(LOG_ERR, "Unknown TCP service \"%s\"", port_name);
|
||||
return 0; /* error */
|
||||
default:
|
||||
s_log(LOG_ERR, "Error resolving '%s': %s",
|
||||
hostname, s_gai_strerror(err));
|
||||
}
|
||||
if(err) {
|
||||
s_log(LOG_ERR, "Error resolving \"%s\": %s",
|
||||
host_name ? host_name :
|
||||
(addr_list->passive ? DEFAULT_ANY : DEFAULT_LOOPBACK),
|
||||
s_gai_strerror(err));
|
||||
return 0; /* error */
|
||||
}
|
||||
|
||||
|
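Review bot: in the `for(;;)` resolver loop, `if(res) freeaddrinfo(res);` is not followed by `res=NULL;`. `res` starts out NULL, but after the first failed iteration it keeps pointing at the freed list, so if a later `getaddrinfo` call fails without touching `*res` (the stunnel fallback implementation resets it, but the system one need not), the next error path frees the same list twice. Suggest resetting `res` right after each `freeaddrinfo(res)`. A smaller ordering point: `AI_ADDRCONFIG` is cleared before `ai_family` is widened from AF_INET to AF_UNSPEC, so the AF_UNSPEC retry never runs with `AI_ADDRCONFIG`; if that is intended, a comment on the second `continue` would help.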
@ -236,11 +289,65 @@ static int hostport2addrlist(SOCKADDR_LIST *addr_list,
|
|||
}
|
||||
addr_list->addr=str_realloc(addr_list->addr,
|
||||
(addr_list->num+1)*sizeof(SOCKADDR_UNION));
|
||||
memcpy(&addr_list->addr[addr_list->num], cur->ai_addr, cur->ai_addrlen);
|
||||
memcpy(&addr_list->addr[addr_list->num], cur->ai_addr,
|
||||
(size_t)cur->ai_addrlen);
|
||||
addr_list->session=str_realloc(addr_list->session,
|
||||
(addr_list->num+1)*sizeof(SSL_SESSION *));
|
||||
addr_list->session[addr_list->num]=NULL;
|
||||
++(addr_list->num);
|
||||
++num;
|
||||
}
|
||||
freeaddrinfo(res);
|
||||
return addr_list->num; /* ok - return the number of addresses */
|
||||
return num; /* ok - return the number of new addresses */
|
||||
}
|
||||
|
||||
/* initialize the structure */
|
||||
void addrlist_clear(SOCKADDR_LIST *addr_list, int passive) {
|
||||
addrlist_reset(addr_list);
|
||||
addr_list->names=NULL;
|
||||
addr_list->passive=passive;
|
||||
}
|
||||
|
||||
/* prepare the structure to resolve new hosts */
|
||||
NOEXPORT void addrlist_reset(SOCKADDR_LIST *addr_list) {
|
||||
addr_list->num=0;
|
||||
addr_list->addr=NULL;
|
||||
addr_list->session=NULL;
|
||||
addr_list->rr=0; /* reset the round-robin counter */
|
||||
addr_list->parent=addr_list; /* allow a copy to locate its parent */
|
||||
}
|
||||
|
||||
unsigned addrlist_dup(SOCKADDR_LIST *dst, const SOCKADDR_LIST *src) {
|
||||
memcpy(dst, src, sizeof(SOCKADDR_LIST));
|
||||
if(src->num) { /* already resolved */
|
||||
dst->addr=str_alloc(src->num*sizeof(SOCKADDR_UNION));
|
||||
memcpy(dst->addr, src->addr, src->num*sizeof(SOCKADDR_UNION));
|
||||
} else { /* delayed resolver */
|
||||
addrlist_resolve(dst);
|
||||
}
|
||||
/* we currently don't make a local copy of src->session */
|
||||
return dst->num;
|
||||
}
|
||||
|
||||
unsigned addrlist_resolve(SOCKADDR_LIST *addr_list) {
|
||||
unsigned num=0, rnd;
|
||||
NAME_LIST *host;
|
||||
|
||||
addrlist_reset(addr_list);
|
||||
for(host=addr_list->names; host; host=host->next)
|
||||
num+=name2addrlist(addr_list, host->name);
|
||||
switch(num) {
|
||||
case 0:
|
||||
case 1:
|
||||
addr_list->rr=0;
|
||||
break;
|
||||
default:
|
||||
/* randomize the initial value of round-robin counter */
|
||||
/* ignore the error value and the distribution bias */
|
||||
RAND_bytes((unsigned char *)&rnd, sizeof rnd);
|
||||
addr_list->rr=rnd%num;
|
||||
}
|
||||
return num;
|
||||
}
|
||||
|
||||
char *s_ntop(SOCKADDR_UNION *addr, socklen_t addrlen) {
|
||||
|
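Review bot: `memcpy(&addr_list->addr[addr_list->num], cur->ai_addr, (size_t)cur->ai_addrlen)` trusts `ai_addrlen` to fit in one `SOCKADDR_UNION` slot. It does for the AF_INET/AF_INET6 results the `hints` request, but a cheap `if(cur->ai_addrlen>sizeof(SOCKADDR_UNION)) continue;` would make the bound explicit instead of implicit. Separately, `addrlist_dup` copies the whole struct and, as its comment says, does not duplicate `src->session`, so `dst->session` aliases the parent's array; since `hostport2addr` does `str_free(addr_list->session)`, the ownership rule (only the parent frees `session`, copies must not) deserves a sentence next to the `parent` field in `addrlist_reset`.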
@ -283,7 +390,7 @@ socklen_t addr_len(const SOCKADDR_UNION *addr) {
|
|||
/* implementation is limited to functionality needed by stunnel */
|
||||
|
||||
#ifndef HAVE_GETADDRINFO
|
||||
static int getaddrinfo(const char *node, const char *service,
|
||||
NOEXPORT int getaddrinfo(const char *node, const char *service,
|
||||
const struct addrinfo *hints, struct addrinfo **res) {
|
||||
struct hostent *h;
|
||||
#ifndef _WIN32_WCE
|
||||
|
@ -294,6 +401,8 @@ static int getaddrinfo(const char *node, const char *service,
|
|||
int retval;
|
||||
char *tmpstr;
|
||||
|
||||
if(!node)
|
||||
node=(hints->ai_flags & AI_PASSIVE) ? DEFAULT_ANY : DEFAULT_LOOPBACK;
|
||||
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
|
||||
if(s_getaddrinfo)
|
||||
return s_getaddrinfo(node, service, hints, res);
|
||||
|
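Review bot: the new `if(!node)` fallback makes an omitted host mean `DEFAULT_ANY` for passive lookups and `DEFAULT_LOOPBACK` otherwise, matching the `AI_PASSIVE` semantics of the system `getaddrinfo`; that is the right behaviour, but it dereferences `hints` without a NULL check, which POSIX `getaddrinfo` permits callers to pass. Acceptable for an implementation "limited to functionality needed by stunnel", but the assumption should be stated in a comment (or written as `hints && (hints->ai_flags & AI_PASSIVE)`) so the wildcard-bind default is not reached by accident from a new call site.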
@ -307,7 +416,7 @@ static int getaddrinfo(const char *node, const char *service,
|
|||
p=getservbyname(service, "tcp");
|
||||
if(!p)
|
||||
return EAI_NONAME;
|
||||
port=p->s_port;
|
||||
port=(u_short)p->s_port;
|
||||
#endif /* defined(_WIN32_WCE) */
|
||||
}
|
||||
|
||||
|
@ -320,7 +429,7 @@ static int getaddrinfo(const char *node, const char *service,
|
|||
#if defined(USE_IPv6) && !defined(USE_WIN32)
|
||||
ai->ai_family=AF_INET6;
|
||||
ai->ai_addrlen=sizeof(struct sockaddr_in6);
|
||||
ai->ai_addr=str_alloc(ai->ai_addrlen);
|
||||
ai->ai_addr=str_alloc((size_t)ai->ai_addrlen);
|
||||
ai->ai_addr->sa_family=AF_INET6;
|
||||
if(inet_pton(AF_INET6, node,
|
||||
&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr)>0) {
|
||||
|
@ -343,7 +452,7 @@ static int getaddrinfo(const char *node, const char *service,
|
|||
/* not numerical: need to call resolver library */
|
||||
*res=NULL;
|
||||
ai=NULL;
|
||||
enter_critical_section(CRIT_INET);
|
||||
stunnel_write_lock(&stunnel_locks[LOCK_INET]);
|
||||
#ifdef HAVE_GETHOSTBYNAME2
|
||||
h=gethostbyname2(node, AF_INET6);
|
||||
if(h) /* some IPv6 addresses found */
|
||||
|
@ -361,7 +470,7 @@ static int getaddrinfo(const char *node, const char *service,
|
|||
#ifdef HAVE_ENDHOSTENT
|
||||
endhostent();
|
||||
#endif
|
||||
leave_critical_section(CRIT_INET);
|
||||
stunnel_write_unlock(&stunnel_locks[LOCK_INET]);
|
||||
if(retval) { /* error: free allocated memory */
|
||||
freeaddrinfo(*res);
|
||||
*res=NULL;
|
||||
|
@ -369,7 +478,7 @@ static int getaddrinfo(const char *node, const char *service,
|
|||
return retval;
|
||||
}
|
||||
|
||||
static int alloc_addresses(struct hostent *h, const struct addrinfo *hints,
|
||||
NOEXPORT int alloc_addresses(struct hostent *h, const struct addrinfo *hints,
|
||||
u_short port, struct addrinfo **head, struct addrinfo **tail) {
|
||||
int i;
|
||||
struct addrinfo *ai;
|
||||
|
@ -391,25 +500,25 @@ static int alloc_addresses(struct hostent *h, const struct addrinfo *hints,
|
|||
#if defined(USE_IPv6)
|
||||
if(h->h_addrtype==AF_INET6) {
|
||||
ai->ai_addrlen=sizeof(struct sockaddr_in6);
|
||||
ai->ai_addr=str_alloc(ai->ai_addrlen);
|
||||
ai->ai_addr=str_alloc((size_t)ai->ai_addrlen);
|
||||
memcpy(&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr,
|
||||
h->h_addr_list[i], h->h_length);
|
||||
h->h_addr_list[i], (size_t)h->h_length);
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
ai->ai_addrlen=sizeof(struct sockaddr_in);
|
||||
ai->ai_addr=str_alloc(ai->ai_addrlen);
|
||||
ai->ai_addr=str_alloc((size_t)ai->ai_addrlen);
|
||||
memcpy(&((struct sockaddr_in *)ai->ai_addr)->sin_addr,
|
||||
h->h_addr_list[i], h->h_length);
|
||||
h->h_addr_list[i], (size_t)h->h_length);
|
||||
}
|
||||
ai->ai_addr->sa_family=h->h_addrtype;
|
||||
ai->ai_addr->sa_family=(u_short)h->h_addrtype;
|
||||
/* offsets of sin_port and sin6_port should be the same */
|
||||
((struct sockaddr_in *)ai->ai_addr)->sin_port=port;
|
||||
}
|
||||
return 0; /* success */
|
||||
}
|
||||
|
||||
static void freeaddrinfo(struct addrinfo *current) {
|
||||
NOEXPORT void freeaddrinfo(struct addrinfo *current) {
|
||||
struct addrinfo *next;
|
||||
|
||||
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
|
||||
|
@ -419,10 +528,8 @@ static void freeaddrinfo(struct addrinfo *current) {
|
|||
}
|
||||
#endif
|
||||
while(current) {
|
||||
if(current->ai_addr)
|
||||
str_free(current->ai_addr);
|
||||
if(current->ai_canonname)
|
||||
str_free(current->ai_canonname);
|
||||
str_free(current->ai_addr);
|
||||
str_free(current->ai_canonname);
|
||||
next=current->ai_next;
|
||||
str_free(current);
|
||||
current=next;
|
||||
|
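Review bot: dropping the `if(current->ai_addr)` and `if(current->ai_canonname)` guards before `str_free()` makes this loop depend on `str_free()` being a no-op for NULL. That is fine if the allocator wrapper documents it as NULL-safe; otherwise the first entry with no canonical name would pass NULL into the free path. A one-line comment here, or at `str_free`'s definition, would record the contract.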
@ -484,8 +591,8 @@ const char *s_gai_strerror(int err) {
|
|||
/* implementation is limited to functionality needed by stunnel */
|
||||
|
||||
#ifndef HAVE_GETNAMEINFO
|
||||
int getnameinfo(const struct sockaddr *sa, int salen,
|
||||
char *host, int hostlen, char *serv, int servlen, int flags) {
|
||||
int getnameinfo(const struct sockaddr *sa, socklen_t salen,
|
||||
char *host, size_t hostlen, char *serv, size_t servlen, int flags) {
|
||||
|
||||
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
|
||||
if(s_getnameinfo)
|
||||
|
@ -498,10 +605,10 @@ int getnameinfo(const struct sockaddr *sa, int salen,
|
|||
(void *)&((struct sockaddr_in *)sa)->sin_addr,
|
||||
host, hostlen);
|
||||
#else /* USE_IPv6 */
|
||||
enter_critical_section(CRIT_INET); /* inet_ntoa is not mt-safe */
|
||||
stunnel_write_lock(&stunnel_locks[LOCK_INET]); /* inet_ntoa is not mt-safe */
|
||||
strncpy(host, inet_ntoa(((struct sockaddr_in *)sa)->sin_addr),
|
||||
hostlen);
|
||||
leave_critical_section(CRIT_INET);
|
||||
stunnel_write_unlock(&stunnel_locks[LOCK_INET]);
|
||||
host[hostlen-1]='\0';
|
||||
#endif /* USE_IPv6 */
|
||||
}
|
||||
|
|
|
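Review bot: with `hostlen` now `size_t`, the terminating `host[hostlen-1]='\0';` after the `strncpy` indexes `host[SIZE_MAX]` when `hostlen` is 0 (previously a negative index, equally out of bounds). Suggest an early failure return for `hostlen==0` (and likewise for `servlen`) before the copy, so the signature change to `size_t` does not turn a zero-length buffer into a far out-of-bounds write; the lock swap from `enter_critical_section` to `stunnel_write_lock` around the non-reentrant `inet_ntoa` is correct as written.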
@ -1,10 +1,15 @@
|
|||
#define WM_SYSTRAY (WM_USER+0)
|
||||
|
||||
#define WM_VALID_CONFIG (WM_APP+0)
|
||||
#define WM_INVALID_CONFIG (WM_APP+1)
|
||||
#define WM_LOG (WM_APP+2)
|
||||
#define WM_NEW_CHAIN (WM_APP+3)
|
||||
#define WM_CLIENTS (WM_APP+4)
|
||||
|
||||
#define IDI_MYICON 10
|
||||
#define IDI_STUNNEL_MAIN 10
|
||||
#define IDI_STUNNEL_ACTIVE 11
|
||||
#define IDI_STUNNEL_ERROR 12
|
||||
#define IDI_STUNNEL_IDLE 13
|
||||
|
||||
#define IDE_EDIT 20
|
||||
#define IDE_PASSEDIT 21
|
||||
|
@ -26,3 +31,6 @@
|
|||
#define IDM_HOMEPAGE 52
|
||||
|
||||
#define IDM_PEER_MENU 60
|
||||
|
||||
#define IDS_SERVICE_DESC 70
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
|
||||
VS_VERSION_INFO VERSIONINFO
|
||||
FILEVERSION STUNNEL_VERSION_FIELDS
|
||||
PRODUCTVERSION STUNNEL_VERSION_FIELDS
|
||||
PRODUCTVERSION STUNNEL_VERSION_FIELDS
|
||||
FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
|
||||
FILEFLAGS 0
|
||||
FILEOS VOS__WINDOWS32
|
||||
|
@ -16,10 +16,10 @@ BEGIN
|
|||
BLOCK "040904E4"
|
||||
BEGIN
|
||||
VALUE "CompanyName", "Michal Trojnara"
|
||||
VALUE "FileDescription", "stunnel - multiplatform SSL tunneling proxy"
|
||||
VALUE "FileDescription", "stunnel - TLS offloading and load-balancing proxy"
|
||||
VALUE "FileVersion", STUNNEL_VERSION
|
||||
VALUE "InternalName", "stunnel"
|
||||
VALUE "LegalCopyright", "© by Michal Trojnara, 1998-2013"
|
||||
VALUE "LegalCopyright", "© by Michal Trojnara, 1998-2017"
|
||||
VALUE "OriginalFilename", "stunnel.exe"
|
||||
VALUE "ProductName", STUNNEL_PRODUCTNAME
|
||||
VALUE "ProductVersion", STUNNEL_VERSION
|
||||
|
@ -31,7 +31,10 @@ BEGIN
|
|||
END
|
||||
END
|
||||
|
||||
IDI_MYICON ICON "stunnel.ico"
|
||||
IDI_STUNNEL_MAIN ICON "stunnel.ico"
|
||||
IDI_STUNNEL_ACTIVE ICON "active.ico"
|
||||
IDI_STUNNEL_ERROR ICON "error.ico"
|
||||
IDI_STUNNEL_IDLE ICON "idle.ico"
|
||||
|
||||
IDM_MAINMENU MENU
|
||||
BEGIN
|
||||
|
@ -40,18 +43,28 @@ BEGIN
|
|||
MENUITEM "&Save Log As", IDM_SAVE_LOG
|
||||
MENUITEM "Reopen &Log File", IDM_REOPEN_LOG, GRAYED
|
||||
MENUITEM SEPARATOR
|
||||
MENUITEM "E&xit", IDM_EXIT
|
||||
MENUITEM SEPARATOR
|
||||
MENUITEM "&Close", IDM_CLOSE
|
||||
END
|
||||
#ifdef _WIN32_WCE
|
||||
POPUP "&Config"
|
||||
#else
|
||||
POPUP "&Configuration"
|
||||
#endif
|
||||
BEGIN
|
||||
MENUITEM "&Edit stunnel.conf", IDM_EDIT_CONFIG
|
||||
MENUITEM "&Reload stunnel.conf", IDM_RELOAD_CONFIG
|
||||
MENUITEM "&Edit Configuration", IDM_EDIT_CONFIG
|
||||
MENUITEM "&Reload Configuration", IDM_RELOAD_CONFIG
|
||||
END
|
||||
POPUP "&Save peer certificate"
|
||||
#ifdef _WIN32_WCE
|
||||
POPUP "&Save Peer Certs"
|
||||
#else
|
||||
POPUP "&Save Peer Certificate"
|
||||
#endif
|
||||
BEGIN
|
||||
MENUITEM "dummy", 0, GRAYED
|
||||
END
|
||||
POPUP "&Help", HELP
|
||||
POPUP "&Help"
|
||||
BEGIN
|
||||
MENUITEM "&About", IDM_ABOUT
|
||||
MENUITEM SEPARATOR
|
||||
|
@ -66,13 +79,13 @@ BEGIN
|
|||
BEGIN
|
||||
MENUITEM "Show Log &Window", IDM_SHOW_LOG
|
||||
MENUITEM SEPARATOR
|
||||
POPUP "&Save peer certificate"
|
||||
POPUP "&Save Peer Certificate"
|
||||
BEGIN
|
||||
MENUITEM "dummy", 0, GRAYED
|
||||
END
|
||||
MENUITEM SEPARATOR
|
||||
MENUITEM "&Edit stunnel.conf", IDM_EDIT_CONFIG
|
||||
MENUITEM "&Reload stunnel.conf", IDM_RELOAD_CONFIG
|
||||
MENUITEM "&Edit Configuration", IDM_EDIT_CONFIG
|
||||
MENUITEM "&Reload Configuration", IDM_RELOAD_CONFIG
|
||||
MENUITEM "Reopen &Log File", IDM_REOPEN_LOG, GRAYED
|
||||
MENUITEM SEPARATOR
|
||||
MENUITEM "&Homepage", IDM_HOMEPAGE
|
||||
|
@ -86,36 +99,44 @@ END
|
|||
ABOUTBOX DIALOG DISCARDABLE 0, 0, 140, 68
|
||||
STYLE DS_MODALFRAME|DS_CENTER|WS_POPUP|WS_CAPTION|WS_SYSMENU
|
||||
CAPTION "About stunnel"
|
||||
FONT 8, "MS Sans Serif"
|
||||
BEGIN
|
||||
ICON IDI_MYICON, -1, 9, 8, 18, 20
|
||||
LTEXT "stunnel version", -1, 30, 4, 52, 8
|
||||
LTEXT STUNNEL_VERSION, -1, 82, 4, 54, 8
|
||||
LTEXT "© by Michal Trojnara, 1998-2013", -1, 30, 12, 106, 8
|
||||
ICON IDI_STUNNEL_MAIN, -1, 6, 6, 20, 20
|
||||
LTEXT "stunnel version", -1, 30, 4, 49, 8
|
||||
LTEXT STUNNEL_VERSION, -1, 79, 4, 57, 8
|
||||
LTEXT "© by Michal Trojnara, 1998-2017", -1, 30, 12, 106, 8
|
||||
LTEXT "All Rights Reserved", -1, 30, 20, 106, 8
|
||||
LTEXT "Licensed under the GNU GPL version 2", -1, 4, 28, 132, 8
|
||||
LTEXT "with a special exception for OpenSSL", -1, 4, 36, 132, 8
|
||||
DEFPUSHBUTTON "OK",IDOK, 54, 48, 32, 14, WS_GROUP
|
||||
END
|
||||
|
||||
PASSBOX DIALOG DISCARDABLE 0, 0, 158, 51
|
||||
PASSBOX DIALOG DISCARDABLE 0, 0, 156, 51
|
||||
STYLE DS_MODALFRAME|DS_CENTER|WS_POPUP|WS_CAPTION|WS_SYSMENU
|
||||
CAPTION ""
|
||||
FONT 8, "MS Sans Serif"
|
||||
BEGIN
|
||||
ICON IDI_MYICON, -1, 8, 6, 18, 20
|
||||
LTEXT "Pass phrase:", -1, 33, 9, 50, 8
|
||||
EDITTEXT IDE_PASSEDIT, 86, 7, 65, 12, ES_PASSWORD|ES_AUTOHSCROLL
|
||||
DEFPUSHBUTTON "OK",IDOK, 7, 30, 50, 14
|
||||
PUSHBUTTON "Cancel",IDCANCEL, 101, 30, 50, 14
|
||||
ICON IDI_STUNNEL_MAIN, -1, 6, 6, 20, 20
|
||||
LTEXT "Key passphrase:", -1, 30, 13, 56, 8
|
||||
EDITTEXT IDE_PASSEDIT, 86, 11, 64, 12, ES_PASSWORD|ES_AUTOHSCROLL
|
||||
DEFPUSHBUTTON "OK",IDOK, 6, 30, 50, 14
|
||||
PUSHBUTTON "Cancel",IDCANCEL, 100, 30, 50, 14
|
||||
END
|
||||
|
||||
PINBOX DIALOG DISCARDABLE 0, 0, 158, 51
|
||||
PINBOX DIALOG DISCARDABLE 0, 0, 156, 51
|
||||
STYLE DS_MODALFRAME|DS_CENTER|WS_POPUP|WS_CAPTION|WS_SYSMENU
|
||||
CAPTION ""
|
||||
FONT 8, "MS Sans Serif"
|
||||
BEGIN
|
||||
ICON IDI_MYICON, -1, 8, 6, 18, 20
|
||||
LTEXT "SmartCard PIN:", -1, 33, 9, 50, 8
|
||||
EDITTEXT IDE_PINEDIT, 86, 7, 65, 12, ES_PASSWORD|ES_AUTOHSCROLL
|
||||
DEFPUSHBUTTON "OK",IDOK, 7, 30, 50, 14
|
||||
PUSHBUTTON "Cancel",IDCANCEL, 101, 30, 50, 14
|
||||
ICON IDI_STUNNEL_MAIN, -1, 6, 6, 20, 20
|
||||
LTEXT "SmartCard PIN:", -1, 30, 13, 56, 8
|
||||
EDITTEXT IDE_PINEDIT, 86, 11, 64, 12, ES_PASSWORD|ES_AUTOHSCROLL
|
||||
DEFPUSHBUTTON "OK",IDOK, 6, 30, 50, 14
|
||||
PUSHBUTTON "Cancel",IDCANCEL, 100, 30, 50, 14
|
||||
END
|
||||
|
||||
STRINGTABLE
|
||||
BEGIN
|
||||
IDS_SERVICE_DESC "TLS offloading and load-balancing proxy"
|
||||
END
|
||||
|
||||
|
|
198
src/ssl.c
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
|
@ -38,54 +38,117 @@
|
|||
#include "common.h"
|
||||
#include "prototypes.h"
|
||||
|
||||
/* global OpenSSL initalization: compression, engine, entropy */
|
||||
static int init_compression(GLOBAL_OPTIONS *);
|
||||
static int init_prng(GLOBAL_OPTIONS *);
|
||||
static int add_rand_file(GLOBAL_OPTIONS *, const char *);
|
||||
/* global OpenSSL initialization: compression, engine, entropy */
|
||||
NOEXPORT void cb_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
|
||||
int idx, long argl, void *argp);
|
||||
#ifndef OPENSSL_NO_COMP
|
||||
NOEXPORT int compression_init(GLOBAL_OPTIONS *);
|
||||
#endif
|
||||
NOEXPORT int prng_init(GLOBAL_OPTIONS *);
|
||||
NOEXPORT int add_rand_file(GLOBAL_OPTIONS *, const char *);
|
||||
|
||||
int cli_index, opt_index; /* to keep structure for callbacks */
|
||||
int index_ssl_cli, index_ssl_ctx_opt;
|
||||
int index_session_authenticated, index_session_connect_address;
|
||||
|
||||
int ssl_init(void) { /* init SSL before parsing configuration file */
|
||||
int ssl_init(void) { /* init TLS before parsing configuration file */
|
||||
#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
||||
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS |
|
||||
OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
|
||||
#else
|
||||
SSL_load_error_strings();
|
||||
SSL_library_init();
|
||||
cli_index=SSL_get_ex_new_index(0, "cli index", NULL, NULL, NULL);
|
||||
opt_index=SSL_CTX_get_ex_new_index(0, "opt index", NULL, NULL, NULL);
|
||||
if(cli_index<0 || opt_index<0)
|
||||
#endif
|
||||
index_ssl_cli=SSL_get_ex_new_index(0,
|
||||
"CLI pointer", NULL, NULL, NULL);
|
||||
index_ssl_ctx_opt=SSL_CTX_get_ex_new_index(0,
|
||||
"SERVICE_OPTIONS pointer", NULL, NULL, NULL);
|
||||
index_session_authenticated=SSL_SESSION_get_ex_new_index(0,
|
||||
"session authenticated", NULL, NULL, NULL);
|
||||
index_session_connect_address=SSL_SESSION_get_ex_new_index(0,
|
||||
"session connect address", NULL, NULL, cb_free);
|
||||
if(index_ssl_cli<0 || index_ssl_ctx_opt<0 ||
|
||||
index_session_authenticated<0 ||
|
||||
index_session_connect_address<0) {
|
||||
s_log(LOG_ERR, "Application specific data initialization failed");
|
||||
return 1;
|
||||
#ifdef HAVE_OSSL_ENGINE_H
|
||||
}
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
ENGINE_load_builtin_engines();
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_DH
|
||||
dh_params=get_dh2048();
|
||||
if(!dh_params) {
|
||||
s_log(LOG_ERR, "Failed to get default DH parameters");
|
||||
return 1;
|
||||
}
|
||||
#endif /* OPENSSL_NO_DH */
|
||||
return 0;
|
||||
}
|
||||
|
||||
int ssl_configure(GLOBAL_OPTIONS *global) { /* configure global SSL settings */
|
||||
#ifndef OPENSSL_NO_DH
|
||||
#if OPENSSL_VERSION_NUMBER<0x10100000L
|
||||
/* this is needed for dhparam.c generated with OpenSSL >= 1.1.0
|
||||
* to be linked against the older versions */
|
||||
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
|
||||
if(!p || !g) /* q is optional */
|
||||
return 0;
|
||||
BN_free(dh->p);
|
||||
BN_free(dh->q);
|
||||
BN_free(dh->g);
|
||||
dh->p = p;
|
||||
dh->q = q;
|
||||
dh->g = g;
|
||||
if(q)
|
||||
dh->length = BN_num_bits(q);
|
||||
return 1;
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
|
||||
NOEXPORT void cb_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
|
||||
int idx, long argl, void *argp) {
|
||||
(void)parent; /* squash the unused parameter warning */
|
||||
(void)ad; /* squash the unused parameter warning */
|
||||
(void)idx; /* squash the unused parameter warning */
|
||||
(void)argl; /* squash the unused parameter warning */
|
||||
s_log(LOG_DEBUG, "Deallocating application specific data for %s",
|
||||
(char *)argp);
|
||||
str_free(ptr);
|
||||
}
|
||||
|
||||
int ssl_configure(GLOBAL_OPTIONS *global) { /* configure global TLS settings */
|
||||
#ifdef USE_FIPS
|
||||
if(FIPS_mode()!=global->option.fips) {
|
||||
RAND_set_rand_method(NULL); /* reset RAND methods */
|
||||
if(!FIPS_mode_set(global->option.fips)) {
|
||||
#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
||||
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
|
||||
#else
|
||||
ERR_load_crypto_strings();
|
||||
#endif
|
||||
sslerror("FIPS_mode_set");
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
s_log(LOG_NOTICE, "FIPS mode is %s",
|
||||
s_log(LOG_NOTICE, "FIPS mode %s",
|
||||
global->option.fips ? "enabled" : "disabled");
|
||||
#endif /* USE_FIPS */
|
||||
if(init_compression(global))
|
||||
#ifndef OPENSSL_NO_COMP
|
||||
if(compression_init(global))
|
||||
return 1;
|
||||
if(init_prng(global))
|
||||
#endif /* OPENSSL_NO_COMP */
|
||||
if(prng_init(global))
|
||||
return 1;
|
||||
s_log(LOG_DEBUG, "PRNG seeded successfully");
|
||||
return 0; /* SUCCESS */
|
||||
}
|
||||
|
||||
static int init_compression(GLOBAL_OPTIONS *global) {
|
||||
#ifndef OPENSSL_NO_COMP
|
||||
SSL_COMP *comp;
|
||||
STACK_OF(SSL_COMP) *ssl_comp_methods;
|
||||
NOEXPORT int compression_init(GLOBAL_OPTIONS *global) {
|
||||
STACK_OF(SSL_COMP) *methods;
|
||||
|
||||
ssl_comp_methods=SSL_COMP_get_compression_methods();
|
||||
if(!ssl_comp_methods) {
|
||||
methods=SSL_COMP_get_compression_methods();
|
||||
if(!methods) {
|
||||
if(global->compression==COMP_NONE) {
|
||||
s_log(LOG_NOTICE, "Failed to get compression methods");
|
||||
return 0; /* ignore */
|
||||
|
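Review bot: the `DH_set0_pqg` compatibility shim for OpenSSL < 1.1.0 rejects a NULL `p` or `g` outright and unconditionally frees `dh->q` before assigning `q`, whereas OpenSSL's own `DH_set0_pqg` leaves a field unchanged when the corresponding argument is NULL. That is adequate for the generated `src/dhparam.c`, which supplies fresh values, but the comment above the shim should say it is only intended for that call site so it is not reused as a general replacement. On the positive side, `dh_params=get_dh2048()` with a hard failure when it is missing means the built-in DH group is 2048-bit, and `FIPS_mode_set` failures are logged via `sslerror` and abort configuration rather than silently continuing in non-FIPS mode.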
@ -95,73 +158,47 @@ static int init_compression(GLOBAL_OPTIONS *global) {
|
|||
}
|
||||
}
|
||||
|
||||
/* delete OpenSSL defaults (empty the SSL_COMP stack) */
|
||||
/* cannot use sk_SSL_COMP_pop_free, as it also destroys the stack itself */
|
||||
while(sk_SSL_COMP_num(ssl_comp_methods))
|
||||
OPENSSL_free(sk_SSL_COMP_pop(ssl_comp_methods));
|
||||
if(global->compression==COMP_NONE ||
|
||||
OpenSSL_version_num()<0x00908051L /* 0.9.8e-beta1 */) {
|
||||
/* delete OpenSSL defaults (empty the SSL_COMP stack) */
|
||||
/* cannot use sk_SSL_COMP_pop_free,
|
||||
* as it also destroys the stack itself */
|
||||
/* only leave the standard RFC 1951 (DEFLATE) algorithm,
|
||||
* if any of the private algorithms is enabled */
|
||||
/* only allow DEFLATE with OpenSSL 0.9.8 or later
|
||||
* with OpenSSL #1468 zlib memory leak fixed */
|
||||
while(sk_SSL_COMP_num(methods))
|
||||
OPENSSL_free(sk_SSL_COMP_pop(methods));
|
||||
}
|
||||
|
||||
if(global->compression==COMP_NONE) {
|
||||
s_log(LOG_DEBUG, "Compression not enabled");
|
||||
s_log(LOG_DEBUG, "Compression disabled");
|
||||
return 0; /* success */
|
||||
}
|
||||
|
||||
/* insert RFC 1951 (DEFLATE) algoritm */
|
||||
if(SSLeay()>=0x00908051L) { /* 0.9.8e-beta1 */
|
||||
/* only allow DEFLATE with OpenSSL 0.9.8 or later
|
||||
with openssl #1468 zlib memory leak fixed */
|
||||
comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
|
||||
if(!comp) {
|
||||
s_log(LOG_ERR, "OPENSSL_malloc filed");
|
||||
return 1;
|
||||
}
|
||||
comp->id=1; /* RFC 1951 */
|
||||
comp->method=COMP_zlib();
|
||||
if(!comp->method || comp->method->type==NID_undef) {
|
||||
OPENSSL_free(comp);
|
||||
s_log(LOG_ERR, "Failed to initialize compression method");
|
||||
return 1;
|
||||
}
|
||||
comp->name=comp->method->name;
|
||||
sk_SSL_COMP_push(ssl_comp_methods, comp);
|
||||
}
|
||||
|
||||
/* also insert one of obsolete (ZLIB/RLE) algoritms */
|
||||
comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
|
||||
if(!comp) {
|
||||
s_log(LOG_ERR, "OPENSSL_malloc filed");
|
||||
return 1;
|
||||
}
|
||||
/* also insert the obsolete ZLIB algorithm */
|
||||
if(global->compression==COMP_ZLIB) {
|
||||
comp->id=0xe0; /* 224 - within private range (193 to 255) */
|
||||
comp->method=COMP_zlib();
|
||||
} else if(global->compression==COMP_RLE) {
|
||||
comp->id=0xe1; /* 225 - within private range (193 to 255) */
|
||||
comp->method=COMP_rle();
|
||||
} else {
|
||||
s_log(LOG_INFO, "Compression enabled: %d algorithm(s)",
|
||||
sk_SSL_COMP_num(ssl_comp_methods));
|
||||
OPENSSL_free(comp);
|
||||
return 0;
|
||||
/* 224 - within the private range (193 to 255) */
|
||||
COMP_METHOD *meth=COMP_zlib();
|
||||
#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
||||
if(!meth || COMP_get_type(meth)==NID_undef) {
|
||||
#else
|
||||
if(!meth || meth->type==NID_undef) {
|
||||
#endif
|
||||
s_log(LOG_ERR, "ZLIB compression is not supported");
|
||||
return 1;
|
||||
}
|
||||
SSL_COMP_add_compression_method(0xe0, meth);
|
||||
}
|
||||
if(!comp->method || comp->method->type==NID_undef) {
|
||||
OPENSSL_free(comp);
|
||||
s_log(LOG_ERR, "Failed to initialize compression method");
|
||||
return 1;
|
||||
}
|
||||
comp->name=comp->method->name;
|
||||
sk_SSL_COMP_push(ssl_comp_methods, comp);
|
||||
s_log(LOG_INFO, "Compression enabled: %d algorithm(s)",
|
||||
sk_SSL_COMP_num(ssl_comp_methods));
|
||||
#endif /* OPENSSL_NO_COMP */
|
||||
s_log(LOG_INFO, "Compression enabled: %d method(s)",
|
||||
sk_SSL_COMP_num(methods));
|
||||
return 0; /* success */
|
||||
}
|
||||
#endif /* OPENSSL_NO_COMP */
|
||||
|
||||
static int init_prng(GLOBAL_OPTIONS *global) {
|
||||
NOEXPORT int prng_init(GLOBAL_OPTIONS *global) {
|
||||
int totbytes=0;
|
||||
char filename[256];
|
||||
int bytes;
|
||||
|
||||
bytes=0; /* avoid warning if #ifdef'd out for windows */
|
||||
|
||||
filename[0]='\0';
|
||||
|
||||
|
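Review bot: `SSL_COMP_add_compression_method(0xe0, meth);` ignores its return value (OpenSSL reports failure with a non-zero return, for example when the id is already registered), so a failed registration would only show up indirectly as "0 method(s)" in the following log line; checking it and returning 1 with an error would make the failure explicit. The surrounding logic is sound from a hardening standpoint: with `COMP_NONE` (the default) the `SSL_COMP` stack is emptied and "Compression disabled" is logged, so TLS compression, with its known plaintext-recovery risk, stays strictly opt-in, and the `OpenSSL_version_num()<0x00908051L` guard keeps it off on releases with the zlib leak.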
@ -195,8 +232,10 @@ static int init_prng(GLOBAL_OPTIONS *global) {
|
|||
}
|
||||
s_log(LOG_DEBUG, "RAND_screen failed to sufficiently seed PRNG");
|
||||
#else
|
||||
#ifndef OPENSSL_NO_EGD
|
||||
if(global->egd_sock) {
|
||||
if((bytes=RAND_egd(global->egd_sock))==-1) {
|
||||
int bytes=RAND_egd(global->egd_sock);
|
||||
if(bytes==-1) {
|
||||
s_log(LOG_WARNING, "EGD Socket %s failed", global->egd_sock);
|
||||
bytes=0;
|
||||
} else {
|
||||
|
@ -207,6 +246,7 @@ static int init_prng(GLOBAL_OPTIONS *global) {
|
|||
so no need to check if seeded sufficiently */
|
||||
}
|
||||
}
|
||||
#endif
|
||||
/* try the good-old default /dev/urandom, if available */
|
||||
totbytes+=add_rand_file(global, "/dev/urandom");
|
||||
if(RAND_status())
|
||||
|
@ -219,7 +259,7 @@ static int init_prng(GLOBAL_OPTIONS *global) {
|
|||
return 1; /* FAILED */
|
||||
}
|
||||
|
||||
static int add_rand_file(GLOBAL_OPTIONS *global, const char *filename) {
|
||||
NOEXPORT int add_rand_file(GLOBAL_OPTIONS *global, const char *filename) {
|
||||
int readbytes;
|
||||
int writebytes;
|
||||
struct stat sb;
|
||||
|
@ -233,7 +273,7 @@ static int add_rand_file(GLOBAL_OPTIONS *global, const char *filename) {
|
|||
s_log(LOG_INFO, "Cannot retrieve any random data from %s",
|
||||
filename);
|
||||
/* write new random data for future seeding if it's a regular file */
|
||||
if(global->option.rand_write && (sb.st_mode & S_IFREG)) {
|
||||
if(global->option.rand_write && S_ISREG(sb.st_mode)) {
|
||||
writebytes=RAND_write_file(filename);
|
||||
if(writebytes==-1)
|
||||
s_log(LOG_WARNING, "Failed to write strong random data to %s - "
|
||||
|
|
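Review bot: replacing `sb.st_mode & S_IFREG` with `S_ISREG(sb.st_mode)` is a real correctness fix, not a style change: `S_IFREG` is a single bit pattern inside the `S_IFMT` field, and file types such as sockets and symlinks share that bit, so the old test would have let `RAND_write_file(filename)` run against a non-regular path when `rand_write` is enabled. Worth a line in the ChangeLog so packagers understand why the seed-file write behaviour changed.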
518
src/sthreads.c
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
|
@ -43,19 +43,256 @@
|
|||
#include "common.h"
|
||||
#include "prototypes.h"
|
||||
|
||||
/**************************************** thread ID callbacks */
|
||||
|
||||
#ifdef USE_UCONTEXT
|
||||
|
||||
unsigned long stunnel_process_id(void) {
|
||||
return (unsigned long)getpid();
|
||||
}
|
||||
|
||||
unsigned long stunnel_thread_id(void) {
|
||||
return ready_head ? ready_head->id : 0;
|
||||
}
|
||||
|
||||
#endif /* USE_UCONTEXT */
|
||||
|
||||
#ifdef USE_FORK
|
||||
|
||||
unsigned long stunnel_process_id(void) {
|
||||
return (unsigned long)getpid();
|
||||
}
|
||||
|
||||
unsigned long stunnel_thread_id(void) {
|
||||
return 0L;
|
||||
}
|
||||
|
||||
#endif /* USE_FORK */
|
||||
|
||||
#ifdef USE_PTHREAD
|
||||
|
||||
unsigned long stunnel_process_id(void) {
|
||||
return (unsigned long)getpid();
|
||||
}
|
||||
|
||||
unsigned long stunnel_thread_id(void) {
|
||||
#if defined(SYS_gettid) && defined(__linux__)
|
||||
return (unsigned long)syscall(SYS_gettid);
|
||||
#else
|
||||
return (unsigned long)pthread_self();
|
||||
#endif
|
||||
}
|
||||
|
||||
#endif /* USE_PTHREAD */
|
||||
|
||||
#ifdef USE_WIN32
|
||||
|
||||
unsigned long stunnel_process_id(void) {
|
||||
return GetCurrentProcessId() & 0x00ffffff;
|
||||
}
|
||||
|
||||
unsigned long stunnel_thread_id(void) {
|
||||
return GetCurrentThreadId() & 0x00ffffff;
|
||||
}
|
||||
|
||||
#endif /* USE_WIN32 */
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER>=0x10000000L && OPENSSL_VERSION_NUMBER<0x10100004L
|
||||
NOEXPORT void threadid_func(CRYPTO_THREADID *tid) {
|
||||
CRYPTO_THREADID_set_numeric(tid, stunnel_thread_id());
|
||||
}
|
||||
#endif
|
||||
|
||||
void thread_id_init(void) {
|
||||
#if OPENSSL_VERSION_NUMBER>=0x10000000L && OPENSSL_VERSION_NUMBER<0x10100000L
|
||||
CRYPTO_THREADID_set_callback(threadid_func);
|
||||
#endif
|
||||
#if OPENSSL_VERSION_NUMBER<0x10000000L || !defined(OPENSSL_NO_DEPRECATED)
|
||||
CRYPTO_set_id_callback(stunnel_thread_id);
|
||||
#endif
|
||||
}
|
||||
|
||||
/**************************************** locking */
|
||||
|
||||
#ifdef USE_PTHREAD
|
||||
|
||||
void stunnel_rwlock_init_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
pthread_rwlock_init(&lock->rwlock, NULL);
|
||||
lock->init_file=file;
|
||||
lock->init_line=line;
|
||||
}
|
||||
|
||||
void stunnel_read_lock_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
pthread_rwlock_rdlock(&lock->rwlock);
|
||||
lock->read_lock_file=file;
|
||||
lock->read_lock_line=line;
|
||||
}
|
||||
|
||||
void stunnel_write_lock_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
pthread_rwlock_wrlock(&lock->rwlock);
|
||||
lock->write_lock_file=file;
|
||||
lock->write_lock_line=line;
|
||||
}
|
||||
|
||||
void stunnel_read_unlock_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
pthread_rwlock_unlock(&lock->rwlock);
|
||||
lock->read_unlock_file=file;
|
||||
lock->read_unlock_line=line;
|
||||
}
|
||||
|
||||
void stunnel_write_unlock_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
pthread_rwlock_unlock(&lock->rwlock);
|
||||
lock->write_unlock_file=file;
|
||||
lock->write_unlock_line=line;
|
||||
}
|
||||
|
||||
void stunnel_rwlock_destroy_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
pthread_rwlock_destroy(&lock->rwlock);
|
||||
lock->destroy_file=file;
|
||||
lock->destroy_line=line;
|
||||
str_free(lock);
|
||||
}
|
||||
|
||||
#endif /* USE_PTHREAD */
|
||||
|
||||
#ifdef USE_WIN32
|
||||
|
||||
/* Slim Reader/Writer (SRW) Lock would be better than CRITICAL_SECTION,
|
||||
* but it is unsupported on Windows XP (and earlier versions of Windows):
|
||||
* https://msdn.microsoft.com/en-us/library/windows/desktop/aa904937%28v=vs.85%29.aspx */
|
||||
|
||||
void stunnel_rwlock_init_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
InitializeCriticalSection(&lock->critical_section);
|
||||
lock->init_file=file;
|
||||
lock->init_line=line;
|
||||
}
|
||||
|
||||
void stunnel_read_lock_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
EnterCriticalSection(&lock->critical_section);
|
||||
lock->read_lock_file=file;
|
||||
lock->read_lock_line=line;
|
||||
}
|
||||
|
||||
void stunnel_write_lock_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
EnterCriticalSection(&lock->critical_section);
|
||||
lock->write_lock_file=file;
|
||||
lock->write_lock_line=line;
|
||||
}
|
||||
|
||||
void stunnel_read_unlock_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
LeaveCriticalSection(&lock->critical_section);
|
||||
lock->read_unlock_file=file;
|
||||
lock->read_unlock_line=line;
|
||||
}
|
||||
|
||||
void stunnel_write_unlock_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
LeaveCriticalSection(&lock->critical_section);
|
||||
lock->write_unlock_file=file;
|
||||
lock->write_unlock_line=line;
|
||||
}
|
||||
|
||||
void stunnel_rwlock_destroy_debug(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
DeleteCriticalSection(&lock->critical_section);
|
||||
lock->destroy_file=file;
|
||||
lock->destroy_line=line;
|
||||
str_free(lock);
|
||||
}
|
||||
|
||||
#endif /* USE_WIN32 */
|
||||
|
||||
#if defined(USE_PTHREAD) || defined(USE_WIN32)
|
||||
|
||||
struct CRYPTO_dynlock_value stunnel_locks[STUNNEL_LOCKS];
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER<0x10100004L
|
||||
#define CRYPTO_THREAD_lock_new() CRYPTO_get_new_dynlockid()
|
||||
#endif
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER<0x10100004L
|
||||
|
||||
static struct CRYPTO_dynlock_value *lock_cs;
|
||||
|
||||
NOEXPORT struct CRYPTO_dynlock_value *dyn_create_function(const char *file,
|
||||
int line) {
|
||||
struct CRYPTO_dynlock_value *lock;
|
||||
|
||||
lock=str_alloc_detached(sizeof(struct CRYPTO_dynlock_value));
|
||||
stunnel_rwlock_init_debug(lock, file, line);
|
||||
return lock;
|
||||
}
|
||||
|
||||
NOEXPORT void dyn_lock_function(int mode, struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
if(mode&CRYPTO_LOCK) {
|
||||
/* either CRYPTO_READ or CRYPTO_WRITE (but not both) are needed */
|
||||
if(!(mode&CRYPTO_READ)==!(mode&CRYPTO_WRITE))
|
||||
fatal("Invalid locking mode");
|
||||
if(mode&CRYPTO_WRITE)
|
||||
stunnel_write_lock_debug(lock, file, line);
|
||||
else
|
||||
stunnel_read_lock_debug(lock, file, line);
|
||||
} else
|
||||
stunnel_write_unlock_debug(lock, file, line);
|
||||
}
|
||||
|
||||
NOEXPORT void dyn_destroy_function(struct CRYPTO_dynlock_value *lock,
|
||||
const char *file, int line) {
|
||||
stunnel_rwlock_destroy_debug(lock, file, line);
|
||||
str_free(lock);
|
||||
}
|
||||
|
||||
NOEXPORT void locking_callback(int mode, int type, const char *file, int line) {
|
||||
dyn_lock_function(mode, lock_cs+type, file, line);
|
||||
}
|
||||
|
||||
#endif /* OPENSSL_VERSION_NUMBER<0x10100004L */
|
||||
|
||||
void locking_init(void) {
|
||||
size_t i;
|
||||
#if OPENSSL_VERSION_NUMBER<0x10100004L
|
||||
size_t num;
|
||||
#endif
|
||||
|
||||
/* initialize stunnel critical sections */
|
||||
for(i=0; i<STUNNEL_LOCKS; i++) /* all the mutexes */
|
||||
stunnel_rwlock_init(&stunnel_locks[i]);
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER<0x10100004L
|
||||
/* initialize the OpenSSL static locking */
|
||||
num=(size_t)CRYPTO_num_locks();
|
||||
lock_cs=str_alloc_detached(num*sizeof(struct CRYPTO_dynlock_value));
|
||||
for(i=0; i<num; i++)
|
||||
stunnel_rwlock_init(&lock_cs[i]);
|
||||
|
||||
/* initialize the OpenSSL static locking callbacks */
|
||||
CRYPTO_set_locking_callback(locking_callback);
|
||||
|
||||
/* initialize the OpenSSL dynamic locking callbacks */
|
||||
CRYPTO_set_dynlock_create_callback(dyn_create_function);
|
||||
CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
|
||||
CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function);
|
||||
#endif
|
||||
}
|
||||
|
||||
#endif /* defined(USE_PTHREAD) || defined(USE_WIN32) */
|
||||
|
||||
/**************************************** creating a client */
|
||||
|
||||
#if defined(USE_UCONTEXT) || defined(USE_FORK)
|
||||
/* no need for critical sections */
|
||||
|
||||
void enter_critical_section(SECTION_CODE i) {
|
||||
(void)i; /* skip warning about unused parameter */
|
||||
/* empty */
|
||||
}
|
||||
|
||||
void leave_critical_section(SECTION_CODE i) {
|
||||
(void)i; /* skip warning about unused parameter */
|
||||
/* empty */
|
||||
}
|
||||
|
||||
#endif /* USE_UCONTEXT || USE_FORK */
|
||||
|
||||
#ifdef USE_UCONTEXT
|
||||
|
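Review bot: double free in the new dynlock teardown: both the USE_PTHREAD and the USE_WIN32 `stunnel_rwlock_destroy_debug()` end with `str_free(lock);`, and `dyn_destroy_function()` then calls `stunnel_rwlock_destroy_debug(lock, file, line);` followed by `str_free(lock);` on the same pointer. Since `str_free` is a macro that nulls only the callee's own copy of `lock`, the second call either trips the allocator's magic check or frees the block twice. Drop the `str_free(lock)` from the `_destroy_debug` helpers (a destroy helper that frees its argument could also never be applied to the static `stunnel_locks[]` entries initialised in `locking_init()`) or from `dyn_destroy_function()`, but not keep both. Two smaller points in the same hunk: `dyn_lock_function()` routes every unlock through `stunnel_write_unlock_debug()`, so `read_unlock_file`/`read_unlock_line` are never populated and a stuck read lock is reported as a write unlock; test `mode&CRYPTO_READ` on the unlock path the same way the lock path does. And `threadid_func()` is compiled for `OPENSSL_VERSION_NUMBER<0x10100004L` while `CRYPTO_THREADID_set_callback()` in `thread_id_init()` is guarded by `<0x10100000L`, so the range in between gets an unused static function; use one bound in both places.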
@ -79,21 +316,12 @@ void leave_critical_section(SECTION_CODE i) {
|
|||
CONTEXT *ready_head=NULL, *ready_tail=NULL; /* ready to execute */
|
||||
CONTEXT *waiting_head=NULL, *waiting_tail=NULL; /* waiting on poll() */
|
||||
|
||||
unsigned long stunnel_process_id(void) {
|
||||
return (unsigned long)getpid();
|
||||
}
|
||||
|
||||
unsigned long stunnel_thread_id(void) {
|
||||
return ready_head ? ready_head->id : 0;
|
||||
}
|
||||
|
||||
static CONTEXT *new_context(void) {
|
||||
static int next_id=1;
|
||||
NOEXPORT CONTEXT *new_context(void) {
|
||||
static unsigned long next_id=1;
|
||||
CONTEXT *context;
|
||||
|
||||
/* allocate and fill the CONTEXT structure */
|
||||
context=str_alloc(sizeof(CONTEXT));
|
||||
str_detach(context);
|
||||
context=str_alloc_detached(sizeof(CONTEXT));
|
||||
context->id=next_id++;
|
||||
context->fds=NULL;
|
||||
context->ready=0;
|
||||
|
@ -110,17 +338,20 @@ static CONTEXT *new_context(void) {
|
|||
}
|
||||
|
||||
int sthreads_init(void) {
|
||||
thread_id_init();
|
||||
/* create the first (listening) context and put it in the running queue */
|
||||
if(!new_context()) {
|
||||
s_log(LOG_ERR, "Cannot create the listening context");
|
||||
return 1;
|
||||
}
|
||||
/* update tls for newly allocated ready_head */
|
||||
ui_tls=tls_alloc(NULL, ui_tls, "ui");
|
||||
/* no need to initialize ucontext_t structure here
|
||||
it will be initialied with swapcontext() call */
|
||||
return 0;
|
||||
}
|
||||
|
||||
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
||||
int create_client(SOCKET ls, SOCKET s, CLI *arg, void *(*cli)(void *)) {
|
||||
CONTEXT *context;
|
||||
|
||||
(void)ls; /* this parameter is only used with USE_FORK */
|
||||
|
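Review bot: typo in the comment added to `sthreads_init()`: `it will be initialied with swapcontext() call` should read `initialized with the swapcontext() call`. Also, `ui_tls=tls_alloc(NULL, ui_tls, "ui");` passes the previous `ui_tls` back into `tls_alloc()` with only `update tls for newly allocated ready_head` as explanation; a short note on whether the old value is released or carried over would save the next reader a trip into the TLS code.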
@ -128,8 +359,7 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
|||
s_log(LOG_DEBUG, "Creating a new context");
|
||||
context=new_context();
|
||||
if(!context) {
|
||||
if(arg)
|
||||
str_free(arg);
|
||||
str_free(arg);
|
||||
if(s>=0)
|
||||
closesocket(s);
|
||||
return -1;
|
||||
|
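Review bot: dropping the `if(arg)` guard before `str_free(arg);` in the `!context` error path is correct only because `arg` cannot be NULL here: the same function dereferences `arg->opt->stack_size` unconditionally when it sets up the context stack a few lines later, so a NULL `arg` would already have crashed. That reasoning deserves a sentence in the commit message, since the identical `if(arg)` removal is repeated in every backend's error path and a reviewer of any single hunk cannot see it.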
@ -138,8 +368,7 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
|||
/* initialize context_t structure */
|
||||
if(getcontext(&context->context)<0) {
|
||||
str_free(context);
|
||||
if(arg)
|
||||
str_free(arg);
|
||||
str_free(arg);
|
||||
if(s>=0)
|
||||
closesocket(s);
|
||||
ioerror("getcontext");
|
||||
|
@ -148,8 +377,7 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
|||
context->context.uc_link=NULL; /* stunnel does not use uc_link */
|
||||
|
||||
/* create stack */
|
||||
context->stack=str_alloc(arg->opt->stack_size);
|
||||
str_detach(context->stack);
|
||||
context->stack=str_alloc_detached(arg->opt->stack_size);
|
||||
#if defined(__sgi) || ARGC==2 /* obsolete ss_sp semantics */
|
||||
context->context.uc_stack.ss_sp=context->stack+arg->opt->stack_size-8;
|
||||
#else
|
||||
|
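Review bot: the per-context stack is plain heap memory (`context->stack=str_alloc_detached(arg->opt->stack_size);`) with no guard page, so a client context that overruns its stack silently overwrites the neighbouring allocation instead of faulting; on the USE_UCONTEXT backend this turns an undersized `stack_size` into heap corruption rather than a crash. Consider mmap()ing the stack with a PROT_NONE guard page below it where mmap is available, or at least document that too small a stack size corrupts memory rather than failing loudly. Minor: the `#if defined(__sgi) || ARGC==2` branch sets `ss_sp` to `context->stack+arg->opt->stack_size-8`, which assumes a downward-growing stack and 8-byte alignment; a comment saying why the other branch does not need this would help.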
@ -168,27 +396,19 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
|||
#ifdef USE_FORK
|
||||
|
||||
int sthreads_init(void) {
|
||||
thread_id_init();
|
||||
return 0;
|
||||
}
|
||||
|
||||
unsigned long stunnel_process_id(void) {
|
||||
return (unsigned long)getpid();
|
||||
}
|
||||
|
||||
unsigned long stunnel_thread_id(void) {
|
||||
return 0L;
|
||||
}
|
||||
|
||||
static void null_handler(int sig) {
|
||||
(void)sig; /* skip warning about unused parameter */
|
||||
NOEXPORT void null_handler(int sig) {
|
||||
(void)sig; /* squash the unused parameter warning */
|
||||
signal(SIGCHLD, null_handler);
|
||||
}
|
||||
|
||||
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
||||
int create_client(SOCKET ls, SOCKET s, CLI *arg, void *(*cli)(void *)) {
|
||||
switch(fork()) {
|
||||
case -1: /* error */
|
||||
if(arg)
|
||||
str_free(arg);
|
||||
str_free(arg);
|
||||
if(s>=0)
|
||||
closesocket(s);
|
||||
return -1;
|
||||
|
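Review bot: `null_handler()` re-installs itself with `signal(SIGCHLD, null_handler);`, the classic SysV reset-and-re-arm pattern: between delivery and re-installation a second SIGCHLD takes the default action, and `signal()` semantics differ between BSD (handler stays installed) and SysV (handler is reset). This backend already assumes POSIX (`fork()`, `_exit()`), so install the handler once with `sigaction()` using SA_RESTART and drop the re-arm. As shown, the handler also does no `waitpid()`; if children are reaped elsewhere, a comment pointing at that code belongs here so nobody adds a second reaper.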
@ -199,8 +419,7 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
|||
cli(arg);
|
||||
_exit(0);
|
||||
default: /* parent */
|
||||
if(arg)
|
||||
str_free(arg);
|
||||
str_free(arg);
|
||||
if(s>=0)
|
||||
closesocket(s);
|
||||
}
|
||||
|
@ -211,95 +430,18 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
|||
|
||||
#ifdef USE_PTHREAD
|
||||
|
||||
static pthread_mutex_t stunnel_cs[CRIT_SECTIONS];
|
||||
static pthread_mutex_t lock_cs[CRYPTO_NUM_LOCKS];
|
||||
|
||||
void enter_critical_section(SECTION_CODE i) {
|
||||
pthread_mutex_lock(stunnel_cs+i);
|
||||
}
|
||||
|
||||
void leave_critical_section(SECTION_CODE i) {
|
||||
pthread_mutex_unlock(stunnel_cs+i);
|
||||
}
|
||||
|
||||
static void locking_callback(int mode, int type, const char *file, int line) {
|
||||
(void)file; /* skip warning about unused parameter */
|
||||
(void)line; /* skip warning about unused parameter */
|
||||
if(mode&CRYPTO_LOCK)
|
||||
pthread_mutex_lock(lock_cs+type);
|
||||
else
|
||||
pthread_mutex_unlock(lock_cs+type);
|
||||
}
|
||||
|
||||
struct CRYPTO_dynlock_value {
|
||||
pthread_mutex_t mutex;
|
||||
};
|
||||
|
||||
static struct CRYPTO_dynlock_value *dyn_create_function(const char *file,
|
||||
int line) {
|
||||
struct CRYPTO_dynlock_value *value;
|
||||
|
||||
(void)file; /* skip warning about unused parameter */
|
||||
(void)line; /* skip warning about unused parameter */
|
||||
value=str_alloc(sizeof(struct CRYPTO_dynlock_value));
|
||||
str_detach(value);
|
||||
pthread_mutex_init(&value->mutex, NULL);
|
||||
return value;
|
||||
}
|
||||
|
||||
static void dyn_lock_function(int mode, struct CRYPTO_dynlock_value *value,
|
||||
const char *file, int line) {
|
||||
(void)file; /* skip warning about unused parameter */
|
||||
(void)line; /* skip warning about unused parameter */
|
||||
if(mode&CRYPTO_LOCK)
|
||||
pthread_mutex_lock(&value->mutex);
|
||||
else
|
||||
pthread_mutex_unlock(&value->mutex);
|
||||
}
|
||||
|
||||
static void dyn_destroy_function(struct CRYPTO_dynlock_value *value,
|
||||
const char *file, int line) {
|
||||
(void)file; /* skip warning about unused parameter */
|
||||
(void)line; /* skip warning about unused parameter */
|
||||
pthread_mutex_destroy(&value->mutex);
|
||||
str_free(value);
|
||||
}
|
||||
|
||||
unsigned long stunnel_process_id(void) {
|
||||
return (unsigned long)getpid();
|
||||
}
|
||||
|
||||
unsigned long stunnel_thread_id(void) {
|
||||
return (unsigned long)pthread_self();
|
||||
}
|
||||
|
||||
int sthreads_init(void) {
|
||||
int i;
|
||||
|
||||
/* initialize stunnel critical sections */
|
||||
for(i=0; i<CRIT_SECTIONS; i++)
|
||||
pthread_mutex_init(stunnel_cs+i, NULL);
|
||||
|
||||
/* initialize OpenSSL locking callback */
|
||||
for(i=0; i<CRYPTO_NUM_LOCKS; i++)
|
||||
pthread_mutex_init(lock_cs+i, NULL);
|
||||
CRYPTO_set_id_callback(stunnel_thread_id);
|
||||
CRYPTO_set_locking_callback(locking_callback);
|
||||
|
||||
/* initialize OpenSSL dynamic locks callbacks */
|
||||
CRYPTO_set_dynlock_create_callback(dyn_create_function);
|
||||
CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
|
||||
CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function);
|
||||
|
||||
thread_id_init();
|
||||
locking_init();
|
||||
return 0;
|
||||
}
|
||||
|
||||
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
||||
int create_client(SOCKET ls, SOCKET s, CLI *arg, void *(*cli)(void *)) {
|
||||
pthread_t thread;
|
||||
pthread_attr_t pth_attr;
|
||||
int error;
|
||||
#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
|
||||
/* Disabled on OS X due to strange problems on Mac OS X 10.5
|
||||
/* disabled on OS X due to strange problems on Mac OS X 10.5
|
||||
it seems to restore signal mask somewhere (I couldn't find where)
|
||||
effectively blocking signals after first accepted connection */
|
||||
sigset_t new_set, old_set;
|
||||
|
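Review bot: the reworded comment at `#if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)` still justifies skipping the signal-mask handling on every macOS version with an observation from Mac OS X 10.5 (`it seems to restore signal mask somewhere (I couldn't find where)`). Either re-test on a current macOS and narrow the exclusion, or at least date the observation in the comment, because the consequence (client threads created with whatever mask the accepting thread has, so signals may be delivered to client threads) is easy to lose track of once the text reads as current.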
@ -325,8 +467,7 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
|||
if(error) {
|
||||
errno=error;
|
||||
ioerror("pthread_create");
|
||||
if(arg)
|
||||
str_free(arg);
|
||||
str_free(arg);
|
||||
if(s>=0)
|
||||
closesocket(s);
|
||||
return -1;
|
||||
|
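Review bot: the `pthread_create` failure path still tests `if(s>=0)` before `closesocket(s);` although the parameter is now `SOCKET s`; the Win32 backend's matching hunk was changed to `s!=INVALID_SOCKET`. On POSIX `SOCKET` is an int so the result is the same today, but the backends should use the same test so a later change to the `SOCKET` typedef does not silently break one of them.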
@ -338,96 +479,20 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
|||
|
||||
#ifdef USE_WIN32
|
||||
|
||||
static CRITICAL_SECTION stunnel_cs[CRIT_SECTIONS];
|
||||
static CRITICAL_SECTION lock_cs[CRYPTO_NUM_LOCKS];
|
||||
|
||||
void enter_critical_section(SECTION_CODE i) {
|
||||
EnterCriticalSection(stunnel_cs+i);
|
||||
}
|
||||
|
||||
void leave_critical_section(SECTION_CODE i) {
|
||||
LeaveCriticalSection(stunnel_cs+i);
|
||||
}
|
||||
|
||||
static void locking_callback(int mode, int type, const char *file, int line) {
|
||||
(void)file; /* skip warning about unused parameter */
|
||||
(void)line; /* skip warning about unused parameter */
|
||||
if(mode&CRYPTO_LOCK)
|
||||
EnterCriticalSection(lock_cs+type);
|
||||
else
|
||||
LeaveCriticalSection(lock_cs+type);
|
||||
}
|
||||
|
||||
struct CRYPTO_dynlock_value {
|
||||
CRITICAL_SECTION mutex;
|
||||
};
|
||||
|
||||
static struct CRYPTO_dynlock_value *dyn_create_function(const char *file,
|
||||
int line) {
|
||||
struct CRYPTO_dynlock_value *value;
|
||||
|
||||
(void)file; /* skip warning about unused parameter */
|
||||
(void)line; /* skip warning about unused parameter */
|
||||
value=str_alloc(sizeof(struct CRYPTO_dynlock_value));
|
||||
str_detach(value);
|
||||
InitializeCriticalSection(&value->mutex);
|
||||
return value;
|
||||
}
|
||||
|
||||
static void dyn_lock_function(int mode, struct CRYPTO_dynlock_value *value,
|
||||
const char *file, int line) {
|
||||
(void)file; /* skip warning about unused parameter */
|
||||
(void)line; /* skip warning about unused parameter */
|
||||
if(mode&CRYPTO_LOCK)
|
||||
EnterCriticalSection(&value->mutex);
|
||||
else
|
||||
LeaveCriticalSection(&value->mutex);
|
||||
}
|
||||
|
||||
static void dyn_destroy_function(struct CRYPTO_dynlock_value *value,
|
||||
const char *file, int line) {
|
||||
(void)file; /* skip warning about unused parameter */
|
||||
(void)line; /* skip warning about unused parameter */
|
||||
DeleteCriticalSection(&value->mutex);
|
||||
str_free(value);
|
||||
}
|
||||
|
||||
unsigned long stunnel_process_id(void) {
|
||||
return GetCurrentProcessId() & 0x00ffffff;
|
||||
}
|
||||
|
||||
unsigned long stunnel_thread_id(void) {
|
||||
return GetCurrentThreadId() & 0x00ffffff;
|
||||
}
|
||||
|
||||
int sthreads_init(void) {
|
||||
int i;
|
||||
|
||||
/* initialize stunnel critical sections */
|
||||
for(i=0; i<CRIT_SECTIONS; i++)
|
||||
InitializeCriticalSection(stunnel_cs+i);
|
||||
|
||||
/* initialize OpenSSL locking callback */
|
||||
for(i=0; i<CRYPTO_NUM_LOCKS; i++)
|
||||
InitializeCriticalSection(lock_cs+i);
|
||||
CRYPTO_set_locking_callback(locking_callback);
|
||||
|
||||
/* initialize OpenSSL dynamic locks callbacks */
|
||||
CRYPTO_set_dynlock_create_callback(dyn_create_function);
|
||||
CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
|
||||
CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function);
|
||||
|
||||
thread_id_init();
|
||||
locking_init();
|
||||
return 0;
|
||||
}
|
||||
|
||||
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
||||
int create_client(SOCKET ls, SOCKET s, CLI *arg, void *(*cli)(void *)) {
|
||||
(void)ls; /* this parameter is only used with USE_FORK */
|
||||
s_log(LOG_DEBUG, "Creating a new thread");
|
||||
if((long)_beginthread((void(*)(void *))cli, arg->opt->stack_size, arg)==-1) {
|
||||
if((long)_beginthread((void(*)(void *))cli,
|
||||
(unsigned)arg->opt->stack_size, arg)==-1) {
|
||||
ioerror("_beginthread");
|
||||
if(arg)
|
||||
str_free(arg);
|
||||
if(s>=0)
|
||||
str_free(arg);
|
||||
if(s!=INVALID_SOCKET)
|
||||
closesocket(s);
|
||||
return -1;
|
||||
}
|
||||
|
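Review bot: `if((long)_beginthread(...)==-1)` compares the wrong type: `_beginthread()` returns `uintptr_t`, and on 64-bit Windows `long` is 32 bits, so the cast truncates the handle and any handle whose low 32 bits are all ones is mistaken for failure. Compare against `(uintptr_t)-1L` without the cast. Two related items in the same lines: `(void(*)(void *))cli` converts a `void *(*)(void *)` into the `void (*)(void *)` that `_beginthread` expects, which is not a compatible function type in C; a one-line `void` wrapper that calls `cli(arg)` avoids the undefined behaviour. And `(unsigned)arg->opt->stack_size` silently truncates a `size_t` stack size above 4 GiB, so a range check with a log line would be better than the bare cast.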
@ -439,14 +504,6 @@ int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
|||
|
||||
#ifdef USE_OS2
|
||||
|
||||
void enter_critical_section(SECTION_CODE i) {
|
||||
DosEnterCritSec();
|
||||
}
|
||||
|
||||
void leave_critical_section(SECTION_CODE i) {
|
||||
DosExitCritSec();
|
||||
}
|
||||
|
||||
int sthreads_init(void) {
|
||||
return 0;
|
||||
}
|
||||
|
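Review bot: after removing the `DosEnterCritSec()`/`DosExitCritSec()` wrappers here, neither this hunk nor the shared `#if defined(USE_PTHREAD) || defined(USE_WIN32)` block earlier in the file provides `enter_critical_section()`/`leave_critical_section()` or `stunnel_locks[]` for USE_OS2; the empty stubs are only compiled for USE_UCONTEXT and USE_FORK. Unless they are defined elsewhere, the OS/2 build either fails to link or loses its critical sections silently. Add a USE_OS2 branch, or state in the commit message that OS/2 is no longer a supported threading backend.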
@ -463,13 +520,12 @@ unsigned long stunnel_thread_id(void) {
|
|||
return (unsigned long)ppib->pib_ulpid;
|
||||
}
|
||||
|
||||
int create_client(int ls, int s, CLI *arg, void *(*cli)(void *)) {
|
||||
int create_client(SOCKET ls, SOCKET s, CLI *arg, void *(*cli)(void *)) {
|
||||
(void)ls; /* this parameter is only used with USE_FORK */
|
||||
s_log(LOG_DEBUG, "Creating a new thread");
|
||||
if((long)_beginthread((void(*)(void *))cli, NULL, arg->opt->stack_size, arg)==-1L) {
|
||||
ioerror("_beginthread");
|
||||
if(arg)
|
||||
str_free(arg);
|
||||
str_free(arg);
|
||||
if(s>=0)
|
||||
closesocket(s);
|
||||
return -1;
|
||||
|
@ -505,12 +561,12 @@ void _endthread(void) {
|
|||
#ifdef DEBUG_STACK_SIZE
|
||||
|
||||
#define STACK_RESERVE (STACK_SIZE/8)
|
||||
#define VERIFY_AREA ((STACK_SIZE-STACK_RESERVE)/sizeof(u32))
|
||||
#define VERIFY_AREA ((STACK_SIZE-STACK_RESERVE)/sizeof(uint32_t))
|
||||
#define TEST_VALUE 0xdeadbeef
|
||||
|
||||
/* some heuristic to determine the usage of client stack size */
|
||||
void stack_info(int init) { /* 1-initialize, 0-display */
|
||||
u32 table[VERIFY_AREA];
|
||||
uint32_t table[VERIFY_AREA];
|
||||
int i, num;
|
||||
static int min_num=VERIFY_AREA;
|
||||
|
||||
|
@ -518,12 +574,12 @@ void stack_info(int init) { /* 1-initialize, 0-display */
|
|||
for(i=0; i<VERIFY_AREA; i++)
|
||||
table[i]=TEST_VALUE;
|
||||
} else {
|
||||
/* the stack is growing down */
|
||||
/* the stack grows down */
|
||||
for(i=0; i<VERIFY_AREA; i++)
|
||||
if(table[i]!=TEST_VALUE)
|
||||
break;
|
||||
num=i;
|
||||
/* the stack is growing up */
|
||||
/* the stack grows up */
|
||||
for(i=0; i<VERIFY_AREA; i++)
|
||||
if(table[VERIFY_AREA-i-1]!=TEST_VALUE)
|
||||
break;
|
||||
|
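Review bot: in the display branch (`init==0`) `stack_info()` reads `table[i]` without having written it in this call; the heuristic only works because the array happens to land on the same stack addresses as in the `init` call. Reading an uninitialised automatic array is undefined behaviour in C and an optimising compiler may fold the comparison loop away, so declare it `volatile uint32_t table[VERIFY_AREA]` and keep `DEBUG_STACK_SIZE` out of default builds. While here, `i` and `num` are `int` but `VERIFY_AREA` is a `size_t` expression, so `i<VERIFY_AREA` triggers sign-compare warnings.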
@ -538,10 +594,10 @@ void stack_info(int init) { /* 1-initialize, 0-display */
|
|||
s_log(LOG_NOTICE,
|
||||
"stack_info: size=%d, current=%d (%d%%), maximum=%d (%d%%)",
|
||||
STACK_SIZE,
|
||||
(int)((VERIFY_AREA-num)*sizeof(u32)),
|
||||
(int)((VERIFY_AREA-num)*sizeof(u32)*100/STACK_SIZE),
|
||||
(int)((VERIFY_AREA-min_num)*sizeof(u32)),
|
||||
(int)((VERIFY_AREA-min_num)*sizeof(u32)*100/STACK_SIZE));
|
||||
(int)((VERIFY_AREA-num)*sizeof(uint32_t)),
|
||||
(int)((VERIFY_AREA-num)*sizeof(uint32_t)*100/STACK_SIZE),
|
||||
(int)((VERIFY_AREA-min_num)*sizeof(uint32_t)),
|
||||
(int)((VERIFY_AREA-min_num)*sizeof(uint32_t)*100/STACK_SIZE));
|
||||
}
|
||||
}
|
||||
|
||||
|
|
554
src/str.c
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
|
@ -38,6 +38,73 @@
|
|||
#include "common.h"
|
||||
#include "prototypes.h"
|
||||
|
||||
/* reportedly, malloc does not always return 16-byte aligned addresses
|
||||
* for 64-bit targets as specified by
|
||||
* https://msdn.microsoft.com/en-us/library/6ewkz86d.aspx */
|
||||
#ifdef USE_WIN32
|
||||
#define system_malloc(n) _aligned_malloc((n),16)
|
||||
#define system_realloc(p,n) _aligned_realloc((p),(n),16)
|
||||
#define system_free(p) _aligned_free(p)
|
||||
#else
|
||||
#define system_malloc(n) malloc(n)
|
||||
#define system_realloc(p,n) realloc((p),(n))
|
||||
#define system_free(p) free(p)
|
||||
#endif
|
||||
|
||||
#define CANARY_INITIALIZED 0x0000c0ded0000000LL
|
||||
#define CANARY_UNINTIALIZED 0x0000abadbabe0000LL
|
||||
#define MAGIC_ALLOCATED 0x0000a110c8ed0000LL
|
||||
#define MAGIC_DEALLOCATED 0x0000defec8ed0000LL
|
||||
|
||||
/* most platforms require allocations to be aligned */
|
||||
#ifdef _MSC_VER
|
||||
__declspec(align(16))
|
||||
#endif
|
||||
struct alloc_list_struct {
|
||||
ALLOC_LIST *prev, *next;
|
||||
TLS_DATA *tls;
|
||||
size_t size;
|
||||
const char *alloc_file, *free_file;
|
||||
int alloc_line, free_line;
|
||||
uint64_t valid_canary, magic;
|
||||
#ifdef __GNUC__
|
||||
} __attribute__((aligned(16)));
|
||||
#else
|
||||
#ifndef MSC_VER
|
||||
uint64_t :0; /* align the structure */
|
||||
#endif
|
||||
};
|
||||
#endif
|
||||
|
||||
#define LEAK_TABLE_SIZE 997
|
||||
typedef struct {
|
||||
const char *alloc_file;
|
||||
int alloc_line;
|
||||
int num, max;
|
||||
} LEAK_ENTRY;
|
||||
NOEXPORT LEAK_ENTRY leak_hash_table[LEAK_TABLE_SIZE],
|
||||
*leak_results[LEAK_TABLE_SIZE];
|
||||
NOEXPORT volatile int leak_result_num=0;
|
||||
|
||||
#ifdef USE_WIN32
|
||||
NOEXPORT LPTSTR str_vtprintf(LPCTSTR, va_list);
|
||||
#endif /* USE_WIN32 */
|
||||
|
||||
NOEXPORT void *str_realloc_internal_debug(void *, size_t, const char *, int);
|
||||
|
||||
NOEXPORT ALLOC_LIST *get_alloc_list_ptr(void *, const char *, int);
|
||||
NOEXPORT void str_leak_debug(const ALLOC_LIST *, int);
|
||||
|
||||
NOEXPORT LEAK_ENTRY *leak_search(const ALLOC_LIST *);
|
||||
NOEXPORT void leak_report();
|
||||
NOEXPORT long leak_threshold();
|
||||
|
||||
TLS_DATA *ui_tls;
|
||||
NOEXPORT uint8_t canary[10]; /* 80-bit canary value */
|
||||
NOEXPORT volatile uint64_t canary_initialized=CANARY_UNINTIALIZED;
|
||||
|
||||
/**************************************** string manipulation functions */
|
||||
|
||||
#ifndef va_copy
|
||||
#ifdef __va_copy
|
||||
#define va_copy(dst, src) __va_copy((dst), (src))
|
||||
|
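Review bot: `#ifndef MSC_VER` inside the `alloc_list_struct` definition is a typo for `_MSC_VER` (the `#ifdef _MSC_VER` guarding `__declspec(align(16))` a few lines above spells it correctly), so the `uint64_t :0;` padding member is emitted on MSVC as well, and the MSVC-specific alignment path is not the one that was tested. Fix the macro name. Nit in the same hunk: `CANARY_UNINTIALIZED` is misspelled; it is used consistently so it compiles, but it will not be found by anyone searching for `UNINITIALIZED`.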
@ -46,38 +113,10 @@
|
|||
#endif /* __va_copy */
|
||||
#endif /* va_copy */
|
||||
|
||||
static u8 canary[10]; /* 80-bit canary value */
|
||||
static volatile int canary_initialized=0;
|
||||
|
||||
typedef struct alloc_list_struct ALLOC_LIST;
|
||||
|
||||
typedef struct {
|
||||
ALLOC_LIST *head;
|
||||
size_t bytes, blocks;
|
||||
} ALLOC_TLS;
|
||||
|
||||
struct alloc_list_struct {
|
||||
ALLOC_LIST *prev, *next;
|
||||
ALLOC_TLS *tls;
|
||||
size_t size;
|
||||
int valid_canary;
|
||||
unsigned int magic;
|
||||
/* at least on IA64 allocations need to be aligned */
|
||||
#ifdef __GNUC__
|
||||
} __attribute__((aligned(16)));
|
||||
#else
|
||||
int padding[2]; /* the number of integers is architecture-specific */
|
||||
};
|
||||
#endif
|
||||
|
||||
static void set_alloc_tls(ALLOC_TLS *);
|
||||
static ALLOC_TLS *get_alloc_tls();
|
||||
static ALLOC_LIST *get_alloc_list_ptr(void *, char *, int);
|
||||
|
||||
char *str_dup(const char *str) {
|
||||
char *str_dup_debug(const char *str, const char *file, int line) {
|
||||
char *retval;
|
||||
|
||||
retval=str_alloc(strlen(str)+1);
|
||||
retval=str_alloc_debug(strlen(str)+1, file, line);
|
||||
strcpy(retval, str);
|
||||
return retval;
|
||||
}
|
||||
|
@ -92,203 +131,216 @@ char *str_printf(const char *format, ...) {
|
|||
return txt;
|
||||
}
|
||||
|
||||
#ifdef __GNUC__
|
||||
#pragma GCC diagnostic push
|
||||
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
|
||||
#endif /* __GNUC__ */
|
||||
char *str_vprintf(const char *format, va_list start_ap) {
|
||||
int n, size=32;
|
||||
char *p, *np;
|
||||
int n;
|
||||
size_t size=32;
|
||||
char *p;
|
||||
va_list ap;
|
||||
|
||||
p=str_alloc(size);
|
||||
for(;;) {
|
||||
va_copy(ap, start_ap);
|
||||
n=vsnprintf(p, size, format, ap);
|
||||
if(n>-1 && n<size)
|
||||
if(n>-1 && n<(int)size)
|
||||
return p;
|
||||
if(n>-1) /* glibc 2.1 */
|
||||
size=n+1; /* precisely what is needed */
|
||||
else /* glibc 2.0, WIN32, etc. */
|
||||
size*=2; /* twice the old size */
|
||||
np=str_realloc(p, size);
|
||||
p=np; /* LOL */
|
||||
if(n>-1) /* glibc 2.1 */
|
||||
size=(size_t)n+1; /* precisely what is needed */
|
||||
else /* glibc 2.0, WIN32, etc. */
|
||||
size*=2; /* twice the old size */
|
||||
p=str_realloc(p, size);
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef USE_UCONTEXT
|
||||
|
||||
static ALLOC_TLS *global_tls=NULL;
|
||||
|
||||
void str_init() {
|
||||
}
|
||||
|
||||
static void set_alloc_tls(ALLOC_TLS *tls) {
|
||||
if(ready_head)
|
||||
ready_head->tls=tls;
|
||||
else /* ucontext threads not initialized */
|
||||
global_tls=tls;
|
||||
}
|
||||
|
||||
static ALLOC_TLS *get_alloc_tls() {
|
||||
if(ready_head)
|
||||
return ready_head->tls;
|
||||
else /* ucontext threads not initialized */
|
||||
return global_tls;
|
||||
}
|
||||
|
||||
#endif /* USE_UCONTEXT */
|
||||
|
||||
#ifdef USE_FORK
|
||||
|
||||
static ALLOC_TLS *global_tls=NULL;
|
||||
|
||||
void str_init() {
|
||||
}
|
||||
|
||||
static void set_alloc_tls(ALLOC_TLS *tls) {
|
||||
global_tls=tls;
|
||||
}
|
||||
|
||||
static ALLOC_TLS *get_alloc_tls() {
|
||||
return global_tls;
|
||||
}
|
||||
|
||||
#endif /* USE_FORK */
|
||||
|
||||
#ifdef USE_PTHREAD
|
||||
|
||||
static pthread_key_t pthread_key;
|
||||
|
||||
void str_init() {
|
||||
pthread_key_create(&pthread_key, NULL);
|
||||
}
|
||||
|
||||
static void set_alloc_tls(ALLOC_TLS *tls) {
|
||||
pthread_setspecific(pthread_key, tls);
|
||||
}
|
||||
|
||||
static ALLOC_TLS *get_alloc_tls() {
|
||||
return pthread_getspecific(pthread_key);
|
||||
}
|
||||
|
||||
#endif /* USE_PTHREAD */
|
||||
#ifdef __GNUC__
|
||||
#pragma GCC diagnostic pop
|
||||
#endif /* __GNUC__ */
|
||||
|
||||
#ifdef USE_WIN32
|
||||
|
||||
static DWORD tls_index;
|
||||
LPTSTR str_tprintf(LPCTSTR format, ...) {
|
||||
LPTSTR txt;
|
||||
va_list arglist;
|
||||
|
||||
void str_init() {
|
||||
tls_index=TlsAlloc();
|
||||
va_start(arglist, format);
|
||||
txt=str_vtprintf(format, arglist);
|
||||
va_end(arglist);
|
||||
return txt;
|
||||
}
|
||||
|
||||
static void set_alloc_tls(ALLOC_TLS *alloc_tls) {
|
||||
TlsSetValue(tls_index, alloc_tls);
|
||||
NOEXPORT LPTSTR str_vtprintf(LPCTSTR format, va_list start_ap) {
|
||||
int n;
|
||||
size_t size=32;
|
||||
LPTSTR p;
|
||||
va_list ap;
|
||||
|
||||
p=str_alloc(size*sizeof(TCHAR));
|
||||
for(;;) {
|
||||
va_copy(ap, start_ap);
|
||||
n=_vsntprintf(p, size, format, ap);
|
||||
if(n>-1 && n<(int)size)
|
||||
return p;
|
||||
size*=2;
|
||||
p=str_realloc(p, size*sizeof(TCHAR));
|
||||
}
|
||||
}
|
||||
|
||||
static ALLOC_TLS *get_alloc_tls() {
|
||||
return TlsGetValue(tls_index);
|
||||
#endif
|
||||
|
||||
/**************************************** memory allocation wrappers */
|
||||
|
||||
void str_init(TLS_DATA *tls_data) {
|
||||
tls_data->alloc_head=NULL;
|
||||
tls_data->alloc_bytes=tls_data->alloc_blocks=0;
|
||||
}
|
||||
|
||||
#endif /* USE_WIN32 */
|
||||
void str_cleanup(TLS_DATA *tls_data) {
|
||||
/* free all attached allocations */
|
||||
while(tls_data->alloc_head) /* str_free macro requires an lvalue */
|
||||
str_free_expression(tls_data->alloc_head+1);
|
||||
}
|
||||
|
||||
void str_canary_init() {
|
||||
if(canary_initialized) /* prevent double initialization on config reload */
|
||||
return;
|
||||
RAND_bytes(canary, sizeof canary);
|
||||
canary_initialized=1; /* after RAND_bytes */
|
||||
}
|
||||
|
||||
void str_cleanup() {
|
||||
ALLOC_TLS *alloc_tls;
|
||||
|
||||
alloc_tls=get_alloc_tls();
|
||||
if(alloc_tls) {
|
||||
while(alloc_tls->head) /* str_free macro requires lvalue parameter */
|
||||
str_free_debug(alloc_tls->head+1, __FILE__, __LINE__);
|
||||
set_alloc_tls(NULL);
|
||||
free(alloc_tls);
|
||||
}
|
||||
if(canary_initialized!=CANARY_UNINTIALIZED)
|
||||
return; /* prevent double initialization on config reload */
|
||||
RAND_bytes(canary, (int)sizeof canary);
|
||||
/* an error would reduce the effectiveness of canaries */
|
||||
/* this is nothing critical, so the return value is ignored here */
|
||||
canary_initialized=CANARY_INITIALIZED; /* after RAND_bytes */
|
||||
}
|
||||
|
||||
void str_stats() {
|
||||
ALLOC_TLS *alloc_tls;
|
||||
TLS_DATA *tls_data;
|
||||
ALLOC_LIST *alloc_list;
|
||||
int i=0;
|
||||
|
||||
alloc_tls=get_alloc_tls();
|
||||
if(!alloc_tls) {
|
||||
s_log(LOG_DEBUG, "str_stats: alloc_tls not initialized");
|
||||
return;
|
||||
}
|
||||
if(!alloc_tls->blocks && !alloc_tls->bytes)
|
||||
if(!tls_initialized)
|
||||
fatal("str not initialized");
|
||||
leak_report();
|
||||
tls_data=tls_get();
|
||||
if(!tls_data || (!tls_data->alloc_blocks && !tls_data->alloc_bytes))
|
||||
return; /* skip if no data is allocated */
|
||||
s_log(LOG_DEBUG, "str_stats: %lu block(s), "
|
||||
"%lu data byte(s), %lu control byte(s)",
|
||||
(unsigned long int)alloc_tls->blocks,
|
||||
(unsigned long int)alloc_tls->bytes,
|
||||
(unsigned long int)(alloc_tls->blocks*
|
||||
(unsigned long)tls_data->alloc_blocks,
|
||||
(unsigned long)tls_data->alloc_bytes,
|
||||
(unsigned long)(tls_data->alloc_blocks*
|
||||
(sizeof(ALLOC_LIST)+sizeof canary)));
|
||||
for(alloc_list=tls_data->alloc_head; alloc_list; alloc_list=alloc_list->next) {
|
||||
if(++i>10) /* limit the number of results */
|
||||
break;
|
||||
s_log(LOG_DEBUG, "str_stats: %lu byte(s) at %s:%d",
|
||||
(unsigned long)alloc_list->size,
|
||||
alloc_list->alloc_file, alloc_list->alloc_line);
|
||||
}
|
||||
}
|
||||
|
||||
void *str_alloc_debug(size_t size, char *file, int line) {
|
||||
ALLOC_TLS *alloc_tls;
|
||||
void *str_alloc_debug(size_t size, const char *file, int line) {
|
||||
TLS_DATA *tls_data;
|
||||
ALLOC_LIST *alloc_list;
|
||||
|
||||
alloc_tls=get_alloc_tls();
|
||||
if(!alloc_tls) { /* first allocation in this thread */
|
||||
alloc_tls=calloc(1, sizeof(ALLOC_TLS));
|
||||
if(!alloc_tls)
|
||||
fatal_debug("Out of memory", file, line);
|
||||
alloc_tls->head=NULL;
|
||||
alloc_tls->bytes=alloc_tls->blocks=0;
|
||||
set_alloc_tls(alloc_tls);
|
||||
if(!tls_initialized)
|
||||
fatal_debug("str not initialized", file, line);
|
||||
tls_data=tls_get();
|
||||
if(!tls_data) {
|
||||
tls_data=tls_alloc(NULL, NULL, "alloc");
|
||||
s_log(LOG_ERR, "INTERNAL ERROR: Uninitialized TLS at %s, line %d",
|
||||
file, line);
|
||||
}
|
||||
alloc_list=calloc(1, sizeof(ALLOC_LIST)+size+sizeof canary);
|
||||
if(!alloc_list)
|
||||
fatal_debug("Out of memory", file, line);
|
||||
|
||||
alloc_list=(ALLOC_LIST *)str_alloc_detached_debug(size, file, line)-1;
|
||||
alloc_list->prev=NULL;
|
||||
alloc_list->next=alloc_tls->head;
|
||||
alloc_list->tls=alloc_tls;
|
||||
alloc_list->size=size;
|
||||
alloc_list->valid_canary=canary_initialized; /* before memcpy */
|
||||
memcpy((u8 *)(alloc_list+1)+size, canary, sizeof canary);
|
||||
alloc_list->magic=0xdeadbeef;
|
||||
|
||||
if(alloc_tls->head)
|
||||
alloc_tls->head->prev=alloc_list;
|
||||
alloc_tls->head=alloc_list;
|
||||
alloc_tls->bytes+=size;
|
||||
alloc_tls->blocks++;
|
||||
alloc_list->next=tls_data->alloc_head;
|
||||
alloc_list->tls=tls_data;
|
||||
if(tls_data->alloc_head)
|
||||
tls_data->alloc_head->prev=alloc_list;
|
||||
tls_data->alloc_head=alloc_list;
|
||||
tls_data->alloc_bytes+=size;
|
||||
tls_data->alloc_blocks++;
|
||||
|
||||
return alloc_list+1;
|
||||
}
|
||||
|
||||
void *str_realloc_debug(void *ptr, size_t size, char *file, int line) {
|
||||
ALLOC_LIST *previous_alloc_list, *alloc_list;
|
||||
void *str_alloc_detached_debug(size_t size, const char *file, int line) {
|
||||
ALLOC_LIST *alloc_list;
|
||||
|
||||
if(!ptr)
|
||||
return str_alloc(size);
|
||||
previous_alloc_list=get_alloc_list_ptr(ptr, file, line);
|
||||
alloc_list=realloc(previous_alloc_list,
|
||||
sizeof(ALLOC_LIST)+size+sizeof canary);
|
||||
#if 0
|
||||
printf("allocating %lu bytes at %s:%d\n", (unsigned long)size, file, line);
|
||||
#endif
|
||||
alloc_list=system_malloc(sizeof(ALLOC_LIST)+size+sizeof canary);
|
||||
if(!alloc_list)
|
||||
fatal_debug("Out of memory", file, line);
|
||||
memset(alloc_list, 0, sizeof(ALLOC_LIST)+size+sizeof canary);
|
||||
alloc_list->prev=NULL; /* for debugging */
|
||||
alloc_list->next=NULL; /* for debugging */
|
||||
alloc_list->tls=NULL;
|
||||
alloc_list->size=size;
|
||||
alloc_list->alloc_file=file;
|
||||
alloc_list->alloc_line=line;
|
||||
alloc_list->free_file="none";
|
||||
alloc_list->free_line=0;
|
||||
alloc_list->valid_canary=canary_initialized; /* before memcpy */
|
||||
memcpy((uint8_t *)(alloc_list+1)+size, canary, sizeof canary);
|
||||
alloc_list->magic=MAGIC_ALLOCATED;
|
||||
str_leak_debug(alloc_list, 1);
|
||||
|
||||
return alloc_list+1;
|
||||
}
|
||||
|
||||
void *str_realloc_debug(void *ptr, size_t size, const char *file, int line) {
|
||||
if(ptr)
|
||||
return str_realloc_internal_debug(ptr, size, file, line);
|
||||
else
|
||||
return str_alloc_debug(size, file, line);
|
||||
}
|
||||
|
||||
void *str_realloc_detached_debug(void *ptr, size_t size, const char *file, int line) {
|
||||
if(ptr)
|
||||
return str_realloc_internal_debug(ptr, size, file, line);
|
||||
else
|
||||
return str_alloc_detached_debug(size, file, line);
|
||||
}
|
||||
|
||||
NOEXPORT void *str_realloc_internal_debug(void *ptr, size_t size, const char *file, int line) {
|
||||
ALLOC_LIST *prev_alloc_list, *alloc_list;
|
||||
|
||||
prev_alloc_list=get_alloc_list_ptr(ptr, file, line);
|
||||
str_leak_debug(prev_alloc_list, -1);
|
||||
if(prev_alloc_list->size>size) /* shrinking the allocation */
|
||||
memset((uint8_t *)ptr+size, 0, prev_alloc_list->size-size); /* paranoia */
|
||||
alloc_list=system_realloc(prev_alloc_list, sizeof(ALLOC_LIST)+size+sizeof canary);
|
||||
if(!alloc_list)
|
||||
fatal_debug("Out of memory", file, line);
|
||||
ptr=alloc_list+1;
|
||||
if(size>alloc_list->size) /* growing the allocation */
|
||||
memset((uint8_t *)ptr+alloc_list->size, 0, size-alloc_list->size);
|
||||
if(alloc_list->tls) { /* not detached */
|
||||
/* refresh possibly invalidated linked list pointers */
|
||||
if(alloc_list->tls->head==previous_alloc_list)
|
||||
alloc_list->tls->head=alloc_list;
|
||||
if(alloc_list->tls->alloc_head==prev_alloc_list)
|
||||
alloc_list->tls->alloc_head=alloc_list;
|
||||
if(alloc_list->next)
|
||||
alloc_list->next->prev=alloc_list;
|
||||
if(alloc_list->prev)
|
||||
alloc_list->prev->next=alloc_list;
|
||||
/* update statistics */
|
||||
alloc_list->tls->bytes+=size-alloc_list->size;
|
||||
/* update statistics while the old size is still available */
|
||||
alloc_list->tls->alloc_bytes+=size-alloc_list->size;
|
||||
}
|
||||
alloc_list->size=size;
|
||||
alloc_list->alloc_file=file;
|
||||
alloc_list->alloc_line=line;
|
||||
alloc_list->free_file="none";
|
||||
alloc_list->free_line=0;
|
||||
alloc_list->valid_canary=canary_initialized; /* before memcpy */
|
||||
memcpy((u8 *)(alloc_list+1)+size, canary, sizeof canary);
|
||||
return alloc_list+1;
|
||||
memcpy((uint8_t *)ptr+size, canary, sizeof canary);
|
||||
str_leak_debug(alloc_list, 1);
|
||||
return ptr;
|
||||
}
|
||||
|
||||
/* detach from thread automatic deallocation list */
|
||||
/* it has no effect if the allocation is already detached */
|
||||
void str_detach_debug(void *ptr, char *file, int line) {
|
||||
void str_detach_debug(void *ptr, const char *file, int line) {
|
||||
ALLOC_LIST *alloc_list;
|
||||
|
||||
if(!ptr) /* do not attempt to free null pointers */
|
||||
|
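Review bot: In str_alloc_debug, the `if(!tls_data)` branch logs "INTERNAL ERROR: Uninitialized TLS at %s, line %d" and then silently recovers by calling tls_alloc(NULL, NULL, "alloc"), so a thread that skipped its tls_alloc() gets a private allocation list nobody asked for and keeps running; since the same function already treats the `!tls_initialized` case with fatal_debug("str not initialized", ...), this internal-error path should either be fatal as well or carry a comment explaining why continuing is safe. Separately, the `#if 0` / `printf("allocating %lu bytes at %s:%d\n", ...)` / `#endif` block in str_alloc_detached_debug is dead debugging code and should be removed rather than committed.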
@ -296,15 +348,15 @@ void str_detach_debug(void *ptr, char *file, int line) {
|
|||
alloc_list=get_alloc_list_ptr(ptr, file, line);
|
||||
if(alloc_list->tls) { /* not detached */
|
||||
/* remove from linked list */
|
||||
if(alloc_list->tls->head==alloc_list)
|
||||
alloc_list->tls->head=alloc_list->next;
|
||||
if(alloc_list->tls->alloc_head==alloc_list)
|
||||
alloc_list->tls->alloc_head=alloc_list->next;
|
||||
if(alloc_list->next)
|
||||
alloc_list->next->prev=alloc_list->prev;
|
||||
if(alloc_list->prev)
|
||||
alloc_list->prev->next=alloc_list->next;
|
||||
/* update statistics */
|
||||
alloc_list->tls->bytes-=alloc_list->size;
|
||||
alloc_list->tls->blocks--;
|
||||
alloc_list->tls->alloc_bytes-=alloc_list->size;
|
||||
alloc_list->tls->alloc_blocks--;
|
||||
/* clear pointers */
|
||||
alloc_list->next=NULL;
|
||||
alloc_list->prev=NULL;
|
||||
|
@ -312,33 +364,155 @@ void str_detach_debug(void *ptr, char *file, int line) {
|
|||
}
|
||||
}
|
||||
|
||||
void str_free_debug(void *ptr, char *file, int line) {
|
||||
void str_free_debug(void *ptr, const char *file, int line) {
|
||||
ALLOC_LIST *alloc_list;
|
||||
|
||||
if(!ptr) /* do not attempt to free null pointers */
|
||||
return;
|
||||
str_detach_debug(ptr, file, line);
|
||||
alloc_list=(ALLOC_LIST *)ptr-1;
|
||||
alloc_list->magic=0xdefec8ed; /* to detect double free attempts */
|
||||
free(alloc_list);
|
||||
if(alloc_list->magic==MAGIC_DEALLOCATED) { /* double free */
|
||||
/* this may (unlikely) log garbage instead of file names */
|
||||
s_log(LOG_CRIT,
|
||||
"Double free attempt: ptr=%p alloc=%s:%d free#1=%s:%d free#2=%s:%d",
|
||||
ptr,
|
||||
alloc_list->alloc_file, alloc_list->alloc_line,
|
||||
alloc_list->free_file, alloc_list->free_line,
|
||||
file, line);
|
||||
return;
|
||||
}
|
||||
str_detach_debug(ptr, file, line);
|
||||
str_leak_debug(alloc_list, -1);
|
||||
alloc_list->free_file=file;
|
||||
alloc_list->free_line=line;
|
||||
alloc_list->magic=MAGIC_DEALLOCATED; /* detect double free attempts */
|
||||
memset(ptr, 0, alloc_list->size+sizeof canary); /* paranoia */
|
||||
system_free(alloc_list);
|
||||
}
|
||||
|
||||
static ALLOC_LIST *get_alloc_list_ptr(void *ptr, char *file, int line) {
|
||||
NOEXPORT ALLOC_LIST *get_alloc_list_ptr(void *ptr, const char *file, int line) {
|
||||
ALLOC_LIST *alloc_list;
|
||||
|
||||
if(!tls_initialized)
|
||||
fatal_debug("str not initialized", file, line);
|
||||
alloc_list=(ALLOC_LIST *)ptr-1;
|
||||
if(alloc_list->magic!=0xdeadbeef) { /* not allocated by str_alloc() */
|
||||
if(alloc_list->magic==0xdefec8ed)
|
||||
fatal_debug("Double free attempt", file, line);
|
||||
else
|
||||
fatal_debug("Bad magic", file, line); /* LOL */
|
||||
}
|
||||
if(alloc_list->tls /* not detached */ && alloc_list->tls!=get_alloc_tls())
|
||||
if(alloc_list->magic!=MAGIC_ALLOCATED) /* not allocated by str_alloc() */
|
||||
fatal_debug("Bad magic", file, line); /* LOL */
|
||||
if(alloc_list->tls /* not detached */ && alloc_list->tls!=tls_get())
|
||||
fatal_debug("Memory allocated in a different thread", file, line);
|
||||
if(alloc_list->valid_canary &&
|
||||
memcmp((u8 *)ptr+alloc_list->size, canary, sizeof canary))
|
||||
if(alloc_list->valid_canary!=CANARY_UNINTIALIZED &&
|
||||
safe_memcmp((uint8_t *)ptr+alloc_list->size, canary, sizeof canary))
|
||||
fatal_debug("Dead canary", file, line); /* LOL */
|
||||
return alloc_list;
|
||||
}
|
||||
|
||||
/**************************************** memory leak detection */
|
||||
|
||||
NOEXPORT void str_leak_debug(const ALLOC_LIST *alloc_list, int change) {
|
||||
static size_t entries=0;
|
||||
LEAK_ENTRY *entry;
|
||||
int new_entry, allocations;
|
||||
|
||||
#if defined(USE_PTHREAD) || defined(USE_WIN32)
|
||||
if(!&stunnel_locks[STUNNEL_LOCKS-1]) /* threads not initialized */
|
||||
return;
|
||||
#endif /* defined(USE_PTHREAD) || defined(USE_WIN32) */
|
||||
if(!number_of_sections) /* configuration file not initialized */
|
||||
return;
|
||||
|
||||
entry=leak_search(alloc_list);
|
||||
/* the race condition may lead to false positives, which is handled later */
|
||||
new_entry=entry->alloc_line!=alloc_list->alloc_line ||
|
||||
entry->alloc_file!=alloc_list->alloc_file;
|
||||
|
||||
if(new_entry) { /* the file:line pair was encountered for the first time */
|
||||
stunnel_write_lock(&stunnel_locks[LOCK_LEAK_HASH]);
|
||||
entry=leak_search(alloc_list); /* the list may have changed */
|
||||
if(entry->alloc_line==0) {
|
||||
if(entries>LEAK_TABLE_SIZE-100) { /* this should never happen */
|
||||
stunnel_write_unlock(&stunnel_locks[LOCK_LEAK_HASH]);
|
||||
return;
|
||||
}
|
||||
entries++;
|
||||
entry->alloc_line=alloc_list->alloc_line;
|
||||
entry->alloc_file=alloc_list->alloc_file;
|
||||
}
|
||||
stunnel_write_unlock(&stunnel_locks[LOCK_LEAK_HASH]);
|
||||
}
|
||||
|
||||
#ifdef PRECISE_LEAK_ALLOCATON_COUNTERS
|
||||
/* this is *really* slow in OpenSSL < 1.1.0 */
|
||||
CRYPTO_atomic_add(&entry->num, change, &allocations,
|
||||
&stunnel_locks[LOCK_LEAK_HASH]);
|
||||
#else
|
||||
allocations=(entry->num+=change); /* we just need an estimate... */
|
||||
#endif
|
||||
|
||||
if(allocations<=leak_threshold()) /* leak not detected */
|
||||
return;
|
||||
if(allocations<=entry->max) /* not the biggest leak for this entry */
|
||||
return;
|
||||
if(entry->max) { /* not the first time we found a leak for this entry */
|
||||
entry->max=allocations; /* just update the value */
|
||||
return;
|
||||
}
|
||||
/* we *may* need to allocate a new leak_results entry */
|
||||
/* locking is slow, so we try to avoid it if possible */
|
||||
stunnel_write_lock(&stunnel_locks[LOCK_LEAK_RESULTS]);
|
||||
if(entry->max==0) { /* the table may have changed */
|
||||
leak_results[leak_result_num]=entry;
|
||||
entry->max=allocations;
|
||||
++leak_result_num; /* at the end to avoid a lock in leak_report() */
|
||||
} else { /* gracefully handle the race condition */
|
||||
entry->max=allocations;
|
||||
}
|
||||
stunnel_write_unlock(&stunnel_locks[LOCK_LEAK_RESULTS]);
|
||||
}
|
||||
|
||||
/* O(1) hash table lookup */
|
||||
NOEXPORT LEAK_ENTRY *leak_search(const ALLOC_LIST *alloc_list) {
|
||||
int i=alloc_list->alloc_line%LEAK_TABLE_SIZE;
|
||||
|
||||
while(!(leak_hash_table[i].alloc_line==0 ||
|
||||
(leak_hash_table[i].alloc_line==alloc_list->alloc_line &&
|
||||
leak_hash_table[i].alloc_file==alloc_list->alloc_file)))
|
||||
i=(i+1)%LEAK_TABLE_SIZE;
|
||||
return leak_hash_table+i;
|
||||
}
|
||||
|
||||
/* report identified leaks */
|
||||
NOEXPORT void leak_report() {
|
||||
int i;
|
||||
long limit;
|
||||
|
||||
limit=leak_threshold();
|
||||
for(i=0; i<leak_result_num; ++i)
|
||||
if(leak_results[i] /* an officious compiler could reorder code */ &&
|
||||
leak_results[i]->max>limit /* the limit could have changed */)
|
||||
s_log(LOG_WARNING, "Possible memory leak at %s:%d: %d allocations",
|
||||
leak_results[i]->alloc_file, leak_results[i]->alloc_line,
|
||||
leak_results[i]->max);
|
||||
}
|
||||
|
||||
NOEXPORT long leak_threshold() {
|
||||
long limit;
|
||||
|
||||
limit=10000*((int)number_of_sections+1);
|
||||
#ifndef USE_FORK
|
||||
limit+=100*num_clients;
|
||||
#endif
|
||||
return limit;
|
||||
}
|
||||
|
||||
/**************************************** memcmp() replacement */
|
||||
|
||||
/* a version of memcmp() with execution time not dependent on data values */
|
||||
/* it does *not* allow testing whether s1 is greater or lesser than s2 */
|
||||
int safe_memcmp(const void *s1, const void *s2, size_t n) {
|
||||
uint8_t *p1=(uint8_t *)s1, *p2=(uint8_t *)s2;
|
||||
int r=0;
|
||||
while(n--)
|
||||
r|=(*p1++)^(*p2++);
|
||||
return r;
|
||||
}
|
||||
|
||||
/* end of str.c */
|
||||
|
|
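Review bot: In str_leak_debug the guard `if(!&stunnel_locks[STUNNEL_LOCKS-1]) /* threads not initialized */` can never be true, because the address of an array element (or of any non-NULL pointer plus an offset) is never NULL; compilers flag exactly this with -Waddress. If the intent is to skip leak accounting before the locks exist, the test has to look at the lock value itself, e.g. `if(!stunnel_locks[STUNNEL_LOCKS-1])`; as written, the stunnel_write_lock() calls further down are protected only by the `!number_of_sections` check. Two smaller points in the same hunk: the macro name `PRECISE_LEAK_ALLOCATON_COUNTERS` is misspelled (ALLOCATON), so a build defining PRECISE_LEAK_ALLOCATION_COUNTERS would never select the CRYPTO_atomic_add() path; and safe_memcmp() casts its `const void *` arguments to plain `uint8_t *`, which should be `const uint8_t *` to keep the constness the prototype promises. Finally, the double-free detection in str_free_debug reads the header of a block already handed to system_free(), which the comment acknowledges may log garbage; that is an accepted trade-off for a debug allocator, but under AddressSanitizer that read is reported as a use-after-free before the LOG_CRIT line is ever produced, so the two diagnostics should be expected to overlap.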
828
src/stunnel.c
File diff suppressed because it is too large
BIN
src/stunnel.ico
Binary file not shown.
Before Width: | Height: | Size: 4.6 KiB After Width: | Height: | Size: 15 KiB |
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/perl
|
||||
#
|
||||
# stunnel3 Perl wrapper to use stunnel 3.x syntax in stunnel >=4.05
|
||||
# Copyright (C) 2004-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
# Copyright (C) 2004-2012 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
# Version: 2.03
|
||||
# Date: 2011.10.22
|
||||
#
|
||||
|
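Review bot: Only the e-mail address in the header comment changes here, while the adjacent `Copyright (C) 2004-2012`, `Version: 2.03` and `Date: 2011.10.22` lines stay as they were, which is inconsistent with the 1998-2017 copyright range used in the other files of this import (COPYING, tls.c, ui_unix.c). Either bump those lines together with the address or leave the header untouched so the metadata stays self-consistent.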
@ -22,7 +22,7 @@ use POSIX;
|
|||
use Getopt::Std;
|
||||
|
||||
# Configuration - path to stunnel (version >=4.05)
|
||||
$stunnel_bin='@prefix@/bin/stunnel';
|
||||
$stunnel_bin='@bindir@/stunnel';
|
||||
|
||||
# stunnel3 script body begins here
|
||||
($read_fd, $write_fd)=POSIX::pipe();
|
||||
|
@ -67,7 +67,7 @@ print("setgid = $opt_g\n") if defined $opt_g;
|
|||
print("pid = $opt_P\n") if defined $opt_P;
|
||||
print("connect = $opt_r\n") if defined $opt_r;
|
||||
print("pty = yes\n"), $opt_l=$opt_L if defined $opt_L;
|
||||
print("exec = $opt_l\nexecargs = " . join(' ', $opt_l, @ARGV) . "\n") if defined $opt_l;
|
||||
print("exec = $opt_l\nexecArgs = " . join(' ', $opt_l, @ARGV) . "\n") if defined $opt_l;
|
||||
print("[stunnel3]\n") if defined $opt_d;
|
||||
|
||||
close(STUNNEL);
|
||||
|
|
|
@ -0,0 +1,195 @@
|
|||
/*
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||
* See the GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||
*
|
||||
* Linking stunnel statically or dynamically with other modules is making
|
||||
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||
* the GNU General Public License cover the whole combination.
|
||||
*
|
||||
* In addition, as a special exception, the copyright holder of stunnel
|
||||
* gives you permission to combine stunnel with free software programs or
|
||||
* libraries that are released under the GNU LGPL and with code included
|
||||
* in the standard release of OpenSSL under the OpenSSL License (or
|
||||
* modified versions of such code, with unchanged license). You may copy
|
||||
* and distribute such a system following the terms of the GNU GPL for
|
||||
* stunnel and the licenses of the other code concerned.
|
||||
*
|
||||
* Note that people who make modified versions of stunnel are not obligated
|
||||
* to grant this special exception for their modified versions; it is their
|
||||
* choice whether to do so. The GNU General Public License gives permission
|
||||
* to release a modified version without this exception; this exception
|
||||
* also makes it possible to release a modified version which carries
|
||||
* forward this exception.
|
||||
*/
|
||||
|
||||
#include "common.h"
|
||||
#include "prototypes.h"
|
||||
|
||||
volatile int tls_initialized=0;
|
||||
|
||||
NOEXPORT void tls_platform_init();
|
||||
#if OPENSSL_VERSION_NUMBER<0x10100000L
|
||||
NOEXPORT void free_function(void *);
|
||||
#endif
|
||||
|
||||
/**************************************** thread local storage */
|
||||
|
||||
/* this has to be the first function called from ui_*.c */
|
||||
void tls_init() {
|
||||
tls_platform_init();
|
||||
tls_initialized=1;
|
||||
ui_tls=tls_alloc(NULL, NULL, "ui");
|
||||
#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
||||
CRYPTO_set_mem_functions(str_alloc_detached_debug,
|
||||
str_realloc_detached_debug, str_free_debug);
|
||||
#else
|
||||
CRYPTO_set_mem_ex_functions(str_alloc_detached_debug,
|
||||
str_realloc_detached_debug, free_function);
|
||||
#endif
|
||||
}
|
||||
|
||||
/* this has to be the first function called by a new thread */
|
||||
TLS_DATA *tls_alloc(CLI *c, TLS_DATA *inherited, char *txt) {
|
||||
TLS_DATA *tls_data;
|
||||
|
||||
if(inherited) { /* reuse the thread-local storage after fork() */
|
||||
tls_data=inherited;
|
||||
str_free(tls_data->id);
|
||||
} else {
|
||||
tls_data=calloc(1, sizeof(TLS_DATA));
|
||||
if(!tls_data)
|
||||
fatal("Out of memory");
|
||||
if(c)
|
||||
c->tls=tls_data;
|
||||
str_init(tls_data);
|
||||
tls_data->c=c;
|
||||
tls_data->opt=c?c->opt:&service_options;
|
||||
}
|
||||
tls_data->id="unconfigured";
|
||||
tls_set(tls_data);
|
||||
|
||||
/* str.c functions can be used below this point */
|
||||
if(txt) {
|
||||
tls_data->id=str_dup(txt);
|
||||
str_detach(tls_data->id); /* it is deallocated after str_stats() */
|
||||
} else if(c) {
|
||||
tls_data->id=log_id(c);
|
||||
str_detach(tls_data->id); /* it is deallocated after str_stats() */
|
||||
}
|
||||
|
||||
return tls_data;
|
||||
}
|
||||
|
||||
/* per-thread thread-local storage cleanup */
|
||||
void tls_cleanup() {
|
||||
TLS_DATA *tls_data;
|
||||
|
||||
tls_data=tls_get();
|
||||
if(!tls_data)
|
||||
return;
|
||||
str_cleanup(tls_data);
|
||||
str_free(tls_data->id); /* detached allocation */
|
||||
tls_set(NULL);
|
||||
free(tls_data);
|
||||
}
|
||||
|
||||
#ifdef USE_UCONTEXT
|
||||
|
||||
static TLS_DATA *global_tls=NULL;
|
||||
|
||||
NOEXPORT void tls_platform_init() {
|
||||
}
|
||||
|
||||
void tls_set(TLS_DATA *tls_data) {
|
||||
if(ready_head)
|
||||
ready_head->tls=tls_data;
|
||||
else /* ucontext threads not initialized */
|
||||
global_tls=tls_data;
|
||||
}
|
||||
|
||||
TLS_DATA *tls_get() {
|
||||
if(ready_head)
|
||||
return ready_head->tls;
|
||||
else /* ucontext threads not initialized */
|
||||
return global_tls;
|
||||
}
|
||||
|
||||
#endif /* USE_UCONTEXT */
|
||||
|
||||
#ifdef USE_FORK
|
||||
|
||||
static TLS_DATA *global_tls=NULL;
|
||||
|
||||
NOEXPORT void tls_platform_init() {
|
||||
}
|
||||
|
||||
void tls_set(TLS_DATA *tls_data) {
|
||||
global_tls=tls_data;
|
||||
}
|
||||
|
||||
TLS_DATA *tls_get() {
|
||||
return global_tls;
|
||||
}
|
||||
|
||||
#endif /* USE_FORK */
|
||||
|
||||
#ifdef USE_PTHREAD
|
||||
|
||||
static pthread_key_t pthread_key;
|
||||
|
||||
NOEXPORT void tls_platform_init() {
|
||||
pthread_key_create(&pthread_key, NULL);
|
||||
}
|
||||
|
||||
void tls_set(TLS_DATA *tls_data) {
|
||||
pthread_setspecific(pthread_key, tls_data);
|
||||
}
|
||||
|
||||
TLS_DATA *tls_get() {
|
||||
return pthread_getspecific(pthread_key);
|
||||
}
|
||||
|
||||
#endif /* USE_PTHREAD */
|
||||
|
||||
#ifdef USE_WIN32
|
||||
|
||||
static DWORD tls_index;
|
||||
|
||||
NOEXPORT void tls_platform_init() {
|
||||
tls_index=TlsAlloc();
|
||||
}
|
||||
|
||||
void tls_set(TLS_DATA *tls_data) {
|
||||
TlsSetValue(tls_index, tls_data);
|
||||
}
|
||||
|
||||
TLS_DATA *tls_get() {
|
||||
return TlsGetValue(tls_index);
|
||||
}
|
||||
|
||||
#endif /* USE_WIN32 */
|
||||
|
||||
/**************************************** OpenSSL allocator hook */
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER<0x10100000L
|
||||
NOEXPORT void free_function(void *ptr) {
|
||||
/* CRYPTO_set_mem_ex_functions() needs a function rather than a macro */
|
||||
/* unfortunately, OpenSSL provides no file:line information here */
|
||||
str_free_debug(ptr, "OpenSSL", 0);
|
||||
}
|
||||
#endif
|
||||
|
||||
/* end of tls.c */
|
|
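Review bot: tls_alloc() sets `tls_data->id` to the string literal "unconfigured" and only replaces it with a str_dup()/log_id() allocation when `txt` or `c` is supplied, yet tls_cleanup() and the `inherited` branch of tls_alloc() call str_free(tls_data->id) unconditionally. A call of the form tls_alloc(NULL, NULL, NULL) (allowed by the signature, even though every call site in this import passes one of the two) would therefore hand a string literal to str_free_debug(), which reads an ALLOC_LIST header in front of the literal and aborts with "Bad magic" at best. Either allocate the placeholder with str_dup("unconfigured") followed by str_detach(), or guard the frees. Also, tls_platform_init() ignores the return values of pthread_key_create() and TlsAlloc() (the latter returns TLS_OUT_OF_INDEXES on failure) while tls_init() sets tls_initialized=1 regardless; failing hard at that point is cheaper than debugging a NULL key later.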
@ -0,0 +1,268 @@
|
|||
/*
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||
* See the GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||
*
|
||||
* Linking stunnel statically or dynamically with other modules is making
|
||||
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||
* the GNU General Public License cover the whole combination.
|
||||
*
|
||||
* In addition, as a special exception, the copyright holder of stunnel
|
||||
* gives you permission to combine stunnel with free software programs or
|
||||
* libraries that are released under the GNU LGPL and with code included
|
||||
* in the standard release of OpenSSL under the OpenSSL License (or
|
||||
* modified versions of such code, with unchanged license). You may copy
|
||||
* and distribute such a system following the terms of the GNU GPL for
|
||||
* stunnel and the licenses of the other code concerned.
|
||||
*
|
||||
* Note that people who make modified versions of stunnel are not obligated
|
||||
* to grant this special exception for their modified versions; it is their
|
||||
* choice whether to do so. The GNU General Public License gives permission
|
||||
* to release a modified version without this exception; this exception
|
||||
* also makes it possible to release a modified version which carries
|
||||
* forward this exception.
|
||||
*/
|
||||
|
||||
#include "common.h"
|
||||
#include "prototypes.h"
|
||||
|
||||
NOEXPORT int main_unix(int, char*[]);
|
||||
#if !defined(__vms) && !defined(USE_OS2)
|
||||
NOEXPORT int daemonize(int);
|
||||
NOEXPORT int create_pid(void);
|
||||
NOEXPORT void delete_pid(void);
|
||||
#endif
|
||||
#ifndef USE_OS2
|
||||
NOEXPORT void signal_handler(int);
|
||||
#endif
|
||||
|
||||
int main(int argc, char* argv[]) { /* execution begins here 8-) */
|
||||
int retval;
|
||||
|
||||
#ifdef M_MMAP_THRESHOLD
|
||||
mallopt(M_MMAP_THRESHOLD, 4096);
|
||||
#endif
|
||||
tls_init(); /* initialize thread-local storage */
|
||||
retval=main_unix(argc, argv);
|
||||
main_cleanup();
|
||||
return retval;
|
||||
}
|
||||
|
||||
NOEXPORT int main_unix(int argc, char* argv[]) {
|
||||
int configure_status;
|
||||
|
||||
#if !defined(__vms) && !defined(USE_OS2)
|
||||
int fd;
|
||||
|
||||
fd=open("/dev/null", O_RDWR); /* open /dev/null before chroot */
|
||||
if(fd==INVALID_SOCKET)
|
||||
fatal("Could not open /dev/null");
|
||||
#endif
|
||||
main_init();
|
||||
configure_status=main_configure(argc>1 ? argv[1] : NULL,
|
||||
argc>2 ? argv[2] : NULL);
|
||||
switch(configure_status) {
|
||||
case 1: /* error -> exit with 1 to indicate error */
|
||||
close(fd);
|
||||
return 1;
|
||||
case 2: /* information printed -> exit with 0 to indicate success */
|
||||
close(fd);
|
||||
return 0;
|
||||
}
|
||||
if(service_options.next) { /* there are service sections -> daemon mode */
|
||||
#if !defined(__vms) && !defined(USE_OS2)
|
||||
if(daemonize(fd)) {
|
||||
close(fd);
|
||||
return 1;
|
||||
}
|
||||
close(fd);
|
||||
/* create_pid() must be called after drop_privileges()
|
||||
* or it won't be possible to remove the file on exit */
|
||||
/* create_pid() must be called after daemonize()
|
||||
* since the final pid is not known beforehand */
|
||||
if(create_pid())
|
||||
return 1;
|
||||
#endif
|
||||
#ifndef USE_OS2
|
||||
signal(SIGCHLD, signal_handler); /* handle dead children */
|
||||
signal(SIGHUP, signal_handler); /* configuration reload */
|
||||
signal(SIGUSR1, signal_handler); /* log reopen */
|
||||
signal(SIGPIPE, SIG_IGN); /* ignore broken pipe */
|
||||
if(signal(SIGTERM, SIG_IGN)!=SIG_IGN)
|
||||
signal(SIGTERM, signal_handler); /* fatal */
|
||||
if(signal(SIGQUIT, SIG_IGN)!=SIG_IGN)
|
||||
signal(SIGQUIT, signal_handler); /* fatal */
|
||||
if(signal(SIGINT, SIG_IGN)!=SIG_IGN)
|
||||
signal(SIGINT, signal_handler); /* fatal */
|
||||
#endif
|
||||
daemon_loop();
|
||||
} else { /* inetd mode */
|
||||
CLI *c;
|
||||
#if !defined(__vms) && !defined(USE_OS2)
|
||||
close(fd);
|
||||
#endif /* standard Unix */
|
||||
#ifndef USE_OS2
|
||||
signal(SIGCHLD, SIG_IGN); /* ignore dead children */
|
||||
signal(SIGPIPE, SIG_IGN); /* ignore broken pipe */
|
||||
#endif
|
||||
set_nonblock(0, 1); /* stdin */
|
||||
set_nonblock(1, 1); /* stdout */
|
||||
c=alloc_client_session(&service_options, 0, 1);
|
||||
tls_alloc(c, ui_tls, NULL);
|
||||
client_main(c);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
#ifndef USE_OS2
|
||||
NOEXPORT void signal_handler(int sig) {
|
||||
int saved_errno;
|
||||
|
||||
saved_errno=errno;
|
||||
signal_post(sig);
|
||||
signal(sig, signal_handler);
|
||||
errno=saved_errno;
|
||||
}
|
||||
#endif
|
||||
|
||||
#if !defined(__vms) && !defined(USE_OS2)
|
||||
|
||||
NOEXPORT int daemonize(int fd) { /* go to background */
|
||||
if(global_options.option.foreground)
|
||||
return 0;
|
||||
dup2(fd, 0);
|
||||
dup2(fd, 1);
|
||||
dup2(fd, 2);
|
||||
#if defined(HAVE_DAEMON) && !defined(__BEOS__)
|
||||
/* set noclose option when calling daemon() function,
|
||||
* so it does not require /dev/null device in the chrooted directory */
|
||||
if(daemon(0, 1)==-1) {
|
||||
ioerror("daemon");
|
||||
return 1;
|
||||
}
|
||||
#else
|
||||
chdir("/");
|
||||
switch(fork()) {
|
||||
case -1: /* fork failed */
|
||||
ioerror("fork");
|
||||
return 1;
|
||||
case 0: /* child */
|
||||
break;
|
||||
default: /* parent */
|
||||
exit(0);
|
||||
}
|
||||
#endif
|
||||
tls_alloc(NULL, ui_tls, "main"); /* reuse thread-local storage */
|
||||
#ifdef HAVE_SETSID
|
||||
setsid(); /* ignore the error */
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
|
||||
NOEXPORT int create_pid(void) {
|
||||
int pf;
|
||||
char *pid;
|
||||
|
||||
if(!global_options.pidfile) {
|
||||
s_log(LOG_DEBUG, "No pid file being created");
|
||||
return 0;
|
||||
}
|
||||
if(global_options.pidfile[0]!='/') {
|
||||
/* to prevent creating pid file relative to '/' after daemonize() */
|
||||
s_log(LOG_ERR, "Pid file (%s) must be full path name", global_options.pidfile);
|
||||
return 1;
|
||||
}
|
||||
global_options.dpid=(unsigned long)getpid();
|
||||
|
||||
/* silently remove old pid file */
|
||||
unlink(global_options.pidfile);
|
||||
pf=open(global_options.pidfile, O_WRONLY|O_CREAT|O_TRUNC|O_EXCL, 0644);
|
||||
if(pf==-1) {
|
||||
s_log(LOG_ERR, "Cannot create pid file %s", global_options.pidfile);
|
||||
ioerror("create");
|
||||
return 1;
|
||||
}
|
||||
pid=str_printf("%lu\n", global_options.dpid);
|
||||
if(write(pf, pid, strlen(pid))<(int)strlen(pid)) {
|
||||
s_log(LOG_ERR, "Cannot write pid file %s", global_options.pidfile);
|
||||
ioerror("write");
|
||||
return 1;
|
||||
}
|
||||
str_free(pid);
|
||||
close(pf);
|
||||
s_log(LOG_DEBUG, "Created pid file %s", global_options.pidfile);
|
||||
atexit(delete_pid);
|
||||
return 0;
|
||||
}
|
||||
|
||||
NOEXPORT void delete_pid(void) {
|
||||
if((unsigned long)getpid()!=global_options.dpid)
|
||||
return; /* current process is not main daemon process */
|
||||
s_log(LOG_DEBUG, "removing pid file %s", global_options.pidfile);
|
||||
if(unlink(global_options.pidfile)<0)
|
||||
ioerror(global_options.pidfile); /* not critical */
|
||||
}
|
||||
|
||||
#endif /* standard Unix */
|
||||
|
||||
/**************************************** options callbacks */
|
||||
|
||||
void ui_config_reloaded(void) {
|
||||
/* no action */
|
||||
}
|
||||
|
||||
#ifdef ICON_IMAGE
|
||||
|
||||
ICON_IMAGE load_icon_default(ICON_TYPE icon) {
|
||||
(void)icon; /* squash the unused parameter warning */
|
||||
return (ICON_IMAGE)0;
|
||||
}
|
||||
|
||||
ICON_IMAGE load_icon_file(const char *file) {
|
||||
(void)file; /* squash the unused parameter warning */
|
||||
return (ICON_IMAGE)0;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
/**************************************** client callbacks */
|
||||
|
||||
void ui_new_chain(const unsigned section_number) {
|
||||
(void)section_number; /* squash the unused parameter warning */
|
||||
}
|
||||
|
||||
void ui_clients(const long num) {
|
||||
(void)num; /* squash the unused parameter warning */
|
||||
}
|
||||
|
||||
/**************************************** s_log callbacks */
|
||||
|
||||
void ui_new_log(const char *line) {
|
||||
fprintf(stderr, "%s\n", line);
|
||||
}
|
||||
|
||||
/**************************************** ctx callbacks */
|
||||
|
||||
int ui_passwd_cb(char *buf, int size, int rwflag, void *userdata) {
|
||||
return PEM_def_callback(buf, size, rwflag, userdata);
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
UI_METHOD *UI_stunnel() {
|
||||
return UI_OpenSSL();
|
||||
}
|
||||
#endif
|
||||
|
||||
/* end of ui_unix.c */
|
|
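Review bot: In main_unix() the variable `fd` is declared inside `#if !defined(__vms) && !defined(USE_OS2)`, but the `close(fd)` calls in the `case 1:` and `case 2:` branches of the configure_status switch are not guarded by the same condition, so the VMS and OS/2 builds will not compile; wrap those two calls the way the later `close(fd)` in the inetd branch already is. In create_pid(), the write-failure path (`if(write(pf, pid, strlen(pid))<(int)strlen(pid))`) returns 1 without str_free(pid) and close(pf), leaking both. The unconditional unlink() of an existing pidfile before the O_EXCL open also means that a second instance started by mistake quietly replaces the pidfile of a running daemon; treating an existing file whose recorded pid is still alive as an error would be the safer behaviour. Minor: comparing the result of open("/dev/null", O_RDWR) against INVALID_SOCKET reads as a socket check, and `== -1` states the intent.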
@ -0,0 +1,138 @@
|
|||
/*
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||
* See the GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||
*
|
||||
* Linking stunnel statically or dynamically with other modules is making
|
||||
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||
* the GNU General Public License cover the whole combination.
|
||||
*
|
||||
* In addition, as a special exception, the copyright holder of stunnel
|
||||
* gives you permission to combine stunnel with free software programs or
|
||||
* libraries that are released under the GNU LGPL and with code included
|
||||
* in the standard release of OpenSSL under the OpenSSL License (or
|
||||
* modified versions of such code, with unchanged license). You may copy
|
||||
* and distribute such a system following the terms of the GNU GPL for
|
||||
* stunnel and the licenses of the other code concerned.
|
||||
*
|
||||
* Note that people who make modified versions of stunnel are not obligated
|
||||
* to grant this special exception for their modified versions; it is their
|
||||
* choice whether to do so. The GNU General Public License gives permission
|
||||
* to release a modified version without this exception; this exception
|
||||
* also makes it possible to release a modified version which carries
|
||||
* forward this exception.
|
||||
*/
|
||||
|
||||
#include "common.h"
|
||||
#include "prototypes.h"
|
||||
|
||||
int main(int argc, char *argv[]) {
|
||||
static struct WSAData wsa_state;
|
||||
TCHAR *c, stunnel_exe_path[MAX_PATH];
|
||||
|
||||
tls_init(); /* initialize thread-local storage */
|
||||
|
||||
/* set current working directory and engine path */
|
||||
GetModuleFileName(0, stunnel_exe_path, MAX_PATH);
|
||||
c=_tcsrchr(stunnel_exe_path, TEXT('\\')); /* last backslash */
|
||||
if(c) { /* found */
|
||||
*c=TEXT('\0'); /* truncate the program name */
|
||||
c=_tcsrchr(stunnel_exe_path, TEXT('\\')); /* previous backslash */
|
||||
if(c && !_tcscmp(c+1, TEXT("bin")))
|
||||
*c=TEXT('\0'); /* truncate "bin" */
|
||||
}
|
||||
#ifndef _WIN32_WCE
|
||||
if(!SetCurrentDirectory(stunnel_exe_path)) {
|
||||
/* log to stderr, as s_log() is not initialized */
|
||||
_ftprintf(stderr, TEXT("Cannot set directory to %s"),
|
||||
stunnel_exe_path);
|
||||
return 1;
|
||||
}
|
||||
/* try to enter the "config" subdirectory, ignore the result */
|
||||
SetCurrentDirectory(TEXT("config"));
|
||||
#endif
|
||||
_tputenv(str_tprintf(TEXT("OPENSSL_ENGINES=%s\\engines"),
|
||||
stunnel_exe_path));
|
||||
|
||||
if(WSAStartup(MAKEWORD(1, 1), &wsa_state))
|
||||
return 1;
|
||||
resolver_init();
|
||||
main_init();
|
||||
if(!main_configure(argc>1 ? argv[1] : NULL, argc>2 ? argv[2] : NULL))
|
||||
daemon_loop();
|
||||
main_cleanup();
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**************************************** options callbacks */
|
||||
|
||||
void ui_config_reloaded(void) {
|
||||
/* no action */
|
||||
}
|
||||
|
||||
ICON_IMAGE load_icon_default(ICON_TYPE type) {
|
||||
(void)type; /* squash the unused parameter warning */
|
||||
return NULL;
|
||||
}
|
||||
|
||||
ICON_IMAGE load_icon_file(const char *name) {
|
||||
(void)name; /* squash the unused parameter warning */
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/**************************************** client callbacks */
|
||||
|
||||
void ui_new_chain(const unsigned section_number) {
|
||||
(void)section_number; /* squash the unused parameter warning */
|
||||
}
|
||||
|
||||
void ui_clients(const long num) {
|
||||
(void)num; /* squash the unused parameter warning */
|
||||
}
|
||||
|
||||
/**************************************** s_log callbacks */
|
||||
|
||||
void message_box(LPCTSTR text, const UINT type) {
|
||||
MessageBox(NULL, text, TEXT("stunnel"), type);
|
||||
}
|
||||
|
||||
void ui_new_log(const char *line) {
|
||||
LPTSTR tstr;
|
||||
|
||||
tstr=str2tstr(line);
|
||||
#ifdef _WIN32_WCE
|
||||
/* log to Windows CE debug output stream */
|
||||
RETAILMSG(TRUE, (TEXT("%s\r\n"), tstr));
|
||||
#else
|
||||
/* use UTF-16 or native codepage rather than UTF-8 */
|
||||
_ftprintf(stderr, TEXT("%s\r\n"), tstr);
|
||||
fflush(stderr);
|
||||
#endif
|
||||
str_free(tstr);
|
||||
}
|
||||
|
||||
/**************************************** ctx callbacks */
|
||||
|
||||
int ui_passwd_cb(char *buf, int size, int rwflag, void *userdata) {
|
||||
return PEM_def_callback(buf, size, rwflag, userdata);
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
UI_METHOD *UI_stunnel() {
|
||||
return UI_OpenSSL();
|
||||
}
|
||||
#endif
|
||||
|
||||
/* end of ui_win_cli.c */
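Review bot: main() exits with status 0 even when configuration fails: after `if(!main_configure(...)) daemon_loop();` the failure path simply falls through to `main_cleanup(); return 0;`, so a service wrapper or script cannot tell a bad config from a clean shutdown. Return a non-zero status there, as the SetCurrentDirectory and WSAStartup failures already do. The return value of `GetModuleFileName(0, stunnel_exe_path, MAX_PATH)` is also unchecked; on failure the uninitialised `stunnel_exe_path` buffer is then used for the working directory and `OPENSSL_ENGINES` path, and `UI_stunnel()` has the same empty-parentheses declaration as in ui_unix.c (use `(void)`).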
|
File diff suppressed because it is too large
66
src/vc.mak
|
@ -1,4 +1,4 @@
|
|||
# vc.mak by Michal Trojnara 1998-2013
|
||||
# vc.mak by Michal Trojnara 1998-2017
|
||||
# with help of David Gillingham <dgillingham@gmail.com>
|
||||
# with help of Pierre Delaage <delaage.pierre@free.fr>
|
||||
|
||||
|
@ -8,49 +8,51 @@
|
|||
# - Visual C++ 2005 Professional Edition
|
||||
# - Visual C++ 2008 Express Edition
|
||||
|
||||
!IF [ml64.exe /help >NUL 2>&1]
|
||||
TARGET=win32
|
||||
!ELSE
|
||||
TARGET=win64
|
||||
!ENDIF
|
||||
!MESSAGE Detected target: $(TARGET)
|
||||
!MESSAGE
|
||||
|
||||
# modify this to point to your OpenSSL directory
|
||||
# either install a precompiled version (*not* the "Light" one) from
|
||||
# http://www.slproweb.com/products/Win32OpenSSL.html
|
||||
#SSLDIR=C:\OpenSSL-Win32
|
||||
#INCDIR=$(SSLDIR)\include
|
||||
#FIPSDIR=$(SSLDIR)\include
|
||||
#LIBDIR=$(SSLDIR)\lib
|
||||
# or compile one yourself
|
||||
#SSLDIR=..\..\openssl-1.0.1e
|
||||
#INCDIR=$(SSLDIR)\inc32
|
||||
#FIPSDIR=$(SSLDIR)\inc32
|
||||
#LIBDIR=$(SSLDIR)\out32dll
|
||||
SSLDIR=\devel\$(TARGET)\openssl
|
||||
# or simply install with "nmake -f ms\ntdll.mak install"
|
||||
SSLDIR=\usr\local\ssl
|
||||
#SSLDIR=\usr\local\ssl
|
||||
|
||||
INCDIR=$(SSLDIR)\include
|
||||
FIPSDIR=$(SSLDIR)\fips-2.0\include
|
||||
LIBDIR=$(SSLDIR)\lib
|
||||
|
||||
TARGETCPU=W32
|
||||
SRC=..\src
|
||||
OBJROOT=..\obj
|
||||
OBJ=$(OBJROOT)\$(TARGETCPU)
|
||||
OBJ=$(OBJROOT)\$(TARGET)
|
||||
BINROOT=..\bin
|
||||
BIN=$(BINROOT)\$(TARGETCPU)
|
||||
BIN=$(BINROOT)\$(TARGET)
|
||||
|
||||
SHAREDOBJS=$(OBJ)\stunnel.obj $(OBJ)\ssl.obj $(OBJ)\ctx.obj \
|
||||
$(OBJ)\verify.obj $(OBJ)\file.obj $(OBJ)\client.obj \
|
||||
$(OBJ)\protocol.obj $(OBJ)\sthreads.obj $(OBJ)\log.obj \
|
||||
$(OBJ)\options.obj $(OBJ)\network.obj $(OBJ)\resolver.obj \
|
||||
$(OBJ)\str.obj $(OBJ)/fd.obj
|
||||
GUIOBJS=$(OBJ)\gui.obj $(OBJ)\resources.res
|
||||
NOGUIOBJS=$(OBJ)\nogui.obj
|
||||
|
||||
$(OBJ)\str.obj $(OBJ)\tls.obj $(OBJ)\fd.obj $(OBJ)\dhparam.obj \
|
||||
$(OBJ)\cron.obj
|
||||
GUIOBJS=$(OBJ)\ui_win_gui.obj $(OBJ)\resources.res
|
||||
CLIOBJS=$(OBJ)\ui_win_cli.obj
|
||||
|
||||
CC=cl
|
||||
LINK=link
|
||||
|
||||
CFLAGS=/MD /W3 /O2 /nologo /I"$(INCDIR)" /I"$(FIPSDIR)"
|
||||
LDFLAGS=/NOLOGO
|
||||
UNICODEFLAGS=/DUNICODE /D_UNICODE
|
||||
CFLAGS=/MD /W3 /O2 /nologo /I"$(INCDIR)" $(UNICODEFLAGS)
|
||||
LDFLAGS=/NOLOGO /DEBUG
|
||||
|
||||
SHAREDLIBS=ws2_32.lib user32.lib
|
||||
GUILIBS=advapi32.lib comdlg32.lib crypt32.lib gdi32.lib \
|
||||
psapi.lib shell32.lib
|
||||
NOGUILIBS=
|
||||
SHAREDLIBS=ws2_32.lib user32.lib shell32.lib kernel32.lib
|
||||
GUILIBS=advapi32.lib comdlg32.lib crypt32.lib gdi32.lib psapi.lib
|
||||
CLILIBS=
|
||||
SSLLIBS=/LIBPATH:"$(LIBDIR)" libeay32.lib ssleay32.lib
|
||||
# static linking:
|
||||
# /LIBPATH:"$(LIBDIR)\VC\static" libeay32MD.lib ssleay32MD.lib
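Review bot: `FIPSDIR=$(SSLDIR)\fips-2.0\include` is still defined, but the new `CFLAGS=/MD /W3 /O2 /nologo /I"$(INCDIR)" $(UNICODEFLAGS)` drops the `/I"$(FIPSDIR)"` include path, so FIPSDIR is now dead; either delete the definition or keep the include if FIPS builds are still meant to work from this makefile. Separately, `LDFLAGS=/NOLOGO /DEBUG` on its own makes the linker default to /OPT:NOREF and /OPT:NOICF, so add `/OPT:REF /OPT:ICF` if the /O2 release binaries are meant to stay small.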
|
||||
|
@ -60,13 +62,15 @@ SSLLIBS=/LIBPATH:"$(LIBDIR)" libeay32.lib ssleay32.lib
|
|||
|
||||
{$(SRC)\}.rc{$(OBJ)\}.res:
|
||||
$(RC) -fo$@ -r $<
|
||||
|
||||
all: makedirs $(BIN)\stunnel.exe $(BIN)\tstunnel.exe
|
||||
|
||||
all: build
|
||||
|
||||
build: makedirs $(BIN)\stunnel.exe $(BIN)\tstunnel.exe
|
||||
|
||||
clean:
|
||||
-@ del $(SHAREDOBJS) >NUL 2>&1
|
||||
-@ del $(GUIBJS) >NUL 2>&1
|
||||
-@ del $(NOGUIBJS) >NUL 2>&1
|
||||
-@ del $(GUIOBJS) >NUL 2>&1
|
||||
-@ del $(CLIOBJS) >NUL 2>&1
|
||||
# -@ del *.manifest >NUL 2>&1
|
||||
-@ del $(BIN)\stunnel.exe >NUL 2>&1
|
||||
-@ del $(BIN)\stunnel.exe.manifest >NUL 2>&1
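Review bot: the commented-out `# -@ del *.manifest >NUL 2>&1` line is dead code carried across the rewrite; remove it or replace it with explicit deletes. The visible part of `clean` only removes `$(BIN)\stunnel.exe` and `$(BIN)\stunnel.exe.manifest`, while the link rules in this makefile embed a manifest for tstunnel.exe as well, so confirm the lines just past this hunk give tstunnel.exe and its manifest the same treatment.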
|
||||
|
@ -75,7 +79,7 @@ clean:
|
|||
-@ rmdir $(OBJ) >NUL 2>&1
|
||||
-@ rmdir $(BIN) >NUL 2>&1
|
||||
|
||||
makedirs:
|
||||
makedirs:
|
||||
-@ IF NOT EXIST $(OBJROOT) mkdir $(OBJROOT) >NUL 2>&1
|
||||
-@ IF NOT EXIST $(OBJ) mkdir $(OBJ) >NUL 2>&1
|
||||
-@ IF NOT EXIST $(BINROOT) mkdir $(BINROOT) >NUL 2>&1
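Review bot: the removed and added `makedirs:` lines render identically, so this is a whitespace-only change (trailing blank or a line-ending difference); worth checking that vc.mak is not mixing CRLF and LF line endings, which nmake tolerates but which makes every future diff noisy.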
|
||||
|
@ -83,15 +87,15 @@ makedirs:
|
|||
|
||||
$(SHAREDOBJS): *.h vc.mak
|
||||
$(GUIOBJS): *.h vc.mak
|
||||
$(NOGUIOBJS): *.h vc.mak
|
||||
$(CLIOBJS): *.h vc.mak
|
||||
|
||||
$(BIN)\stunnel.exe: $(SHAREDOBJS) $(GUIOBJS)
|
||||
$(LINK) $(LDFLAGS) $(SHAREDLIBS) $(GUILIBS) $(SSLLIBS) /OUT:$@ $**
|
||||
IF EXIST $@.manifest \
|
||||
mt -nologo -manifest $@.manifest -outputresource:$@;1
|
||||
|
||||
$(BIN)\tstunnel.exe: $(SHAREDOBJS) $(NOGUIOBJS)
|
||||
$(LINK) $(LDFLAGS) $(SHAREDLIBS) $(NOGUILIBS) $(SSLLIBS) /OUT:$@ $**
|
||||
$(BIN)\tstunnel.exe: $(SHAREDOBJS) $(CLIOBJS)
|
||||
$(LINK) $(LDFLAGS) $(SHAREDLIBS) $(CLILIBS) $(SSLLIBS) /OUT:$@ $**
|
||||
IF EXIST $@.manifest \
|
||||
mt -nologo -manifest $@.manifest -outputresource:$@;1
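Review bot: the `IF EXIST $@.manifest \` / `mt -nologo -manifest $@.manifest -outputresource:$@;1` step is duplicated verbatim in the stunnel.exe and tstunnel.exe rules; factor it into a single command macro so the two link targets cannot drift apart when the manifest handling changes again.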
|
||||
|
||||
|
|
836
src/verify.c
File diff suppressed because it is too large
183
src/version.h
|
@ -1,88 +1,95 @@
|
|||
/*
|
||||
* stunnel Universal SSL tunnel
|
||||
* Copyright (C) 1998-2013 Michal Trojnara <Michal.Trojnara@mirt.net>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||
* See the GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||
*
|
||||
* Linking stunnel statically or dynamically with other modules is making
|
||||
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||
* the GNU General Public License cover the whole combination.
|
||||
*
|
||||
* In addition, as a special exception, the copyright holder of stunnel
|
||||
* gives you permission to combine stunnel with free software programs or
|
||||
* libraries that are released under the GNU LGPL and with code included
|
||||
* in the standard release of OpenSSL under the OpenSSL License (or
|
||||
* modified versions of such code, with unchanged license). You may copy
|
||||
* and distribute such a system following the terms of the GNU GPL for
|
||||
* stunnel and the licenses of the other code concerned.
|
||||
*
|
||||
* Note that people who make modified versions of stunnel are not obligated
|
||||
* to grant this special exception for their modified versions; it is their
|
||||
* choice whether to do so. The GNU General Public License gives permission
|
||||
* to release a modified version without this exception; this exception
|
||||
* also makes it possible to release a modified version which carries
|
||||
* forward this exception.
|
||||
*/
|
||||
|
||||
#ifndef VERSION_MAJOR
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
#include "config.h"
|
||||
#endif /* HAVE_CONFIG_H */
|
||||
|
||||
/* HOST may be undefined on Win32 platform */
|
||||
#ifndef HOST
|
||||
#ifdef __MINGW32__
|
||||
#define HOST "x86-pc-mingw32-gnu"
|
||||
#else /* __MINGW32__ */
|
||||
#ifdef _MSC_VER
|
||||
#define _QUOTEME(x) #x
|
||||
#define QUOTEME(x) _QUOTEME(x)
|
||||
#define HOST "x86-pc-msvc-" ## QUOTEME(_MSC_VER)
|
||||
#else /* _MSC_VER */
|
||||
#define HOST "x86-pc-unknown"
|
||||
#endif /* _MSC_VER */
|
||||
#endif /* __MINGW32__ */
|
||||
#endif /* HOST */
|
||||
|
||||
/* START CUSTOMIZE */
|
||||
#define VERSION_MAJOR 4
|
||||
#define VERSION_MINOR 57
|
||||
/* END CUSTOMIZE */
|
||||
|
||||
/* all the following macros are ABSOLUTELY NECESSARY to have proper string
|
||||
* construction with VARIOUS C preprocessors (EVC, VC, BCC, GCC) */
|
||||
#define STRINGIZE0(x) #x
|
||||
#define STRINGIZE(x) STRINGIZE0(x)
|
||||
#define STRZCONCAT30(a,b,c) a##b##c
|
||||
#define STRZCONCAT3(a,b,c) STRZCONCAT30(a,b,c)
|
||||
|
||||
/* for resource.rc, stunnel.c, gui.c */
|
||||
#define STUNNEL_VERSION0 STRZCONCAT3(VERSION_MAJOR, . , VERSION_MINOR)
|
||||
#define STUNNEL_VERSION STRINGIZE(STUNNEL_VERSION0)
|
||||
|
||||
/* for resources.rc */
|
||||
#define STUNNEL_VERSION_FIELDS VERSION_MAJOR,VERSION_MINOR,0,0
|
||||
#define STUNNEL_PRODUCTNAME "stunnel " STUNNEL_VERSION " for " HOST
|
||||
|
||||
/* some useful tricks for preprocessing debugging */
|
||||
#if 0
|
||||
#pragma message ( "VERSION.H: STUNNEL_VERSION is " STUNNEL_VERSION )
|
||||
#pragma message ( "VERSION.H: HOST is " HOST )
|
||||
#pragma message ( "VERSION.H: STUNNEL_PRODUCTNAME is " STUNNEL_PRODUCTNAME )
|
||||
#endif
|
||||
|
||||
#endif /* VERSION_MAJOR */
|
||||
|
||||
/* end of version.h */
|
||||
/*
|
||||
* stunnel TLS offloading and load-balancing proxy
|
||||
* Copyright (C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||
* See the GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along
|
||||
* with this program; if not, see <http://www.gnu.org/licenses>.
|
||||
*
|
||||
* Linking stunnel statically or dynamically with other modules is making
|
||||
* a combined work based on stunnel. Thus, the terms and conditions of
|
||||
* the GNU General Public License cover the whole combination.
|
||||
*
|
||||
* In addition, as a special exception, the copyright holder of stunnel
|
||||
* gives you permission to combine stunnel with free software programs or
|
||||
* libraries that are released under the GNU LGPL and with code included
|
||||
* in the standard release of OpenSSL under the OpenSSL License (or
|
||||
* modified versions of such code, with unchanged license). You may copy
|
||||
* and distribute such a system following the terms of the GNU GPL for
|
||||
* stunnel and the licenses of the other code concerned.
|
||||
*
|
||||
* Note that people who make modified versions of stunnel are not obligated
|
||||
* to grant this special exception for their modified versions; it is their
|
||||
* choice whether to do so. The GNU General Public License gives permission
|
||||
* to release a modified version without this exception; this exception
|
||||
* also makes it possible to release a modified version which carries
|
||||
* forward this exception.
|
||||
*/
|
||||
|
||||
#ifndef VERSION_MAJOR
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
#include "config.h"
|
||||
#endif /* HAVE_CONFIG_H */
|
||||
|
||||
/* HOST may be undefined on Win32 platform */
|
||||
#ifndef HOST
|
||||
#if defined(_WIN64)
|
||||
#define PLATFORM "x64"
|
||||
#elif defined(_WIN32)
|
||||
#define PLATFORM "x86"
|
||||
#else /* although MSDN claims that _WIN32 is always defined */
|
||||
#define PLATFORM "unknown"
|
||||
#endif
|
||||
#ifdef __MINGW32__
|
||||
#define HOST PLATFORM "-pc-mingw32-gnu"
|
||||
#else /* __MINGW32__ */
|
||||
#ifdef _MSC_VER
|
||||
#define xstr(a) str(a)
|
||||
#define str(a) #a
|
||||
#define HOST PLATFORM "-pc-msvc-" xstr(_MSC_VER)
|
||||
#else /* _MSC_VER */
|
||||
#define HOST PLATFORM "-pc-unknown"
|
||||
#endif /* _MSC_VER */
|
||||
#endif /* __MINGW32__ */
|
||||
#endif /* HOST */
|
||||
|
||||
/* START CUSTOMIZE */
|
||||
#define VERSION_MAJOR 5
|
||||
#define VERSION_MINOR 42
|
||||
/* END CUSTOMIZE */
|
||||
|
||||
/* all the following macros are ABSOLUTELY NECESSARY to have proper string
|
||||
* construction with VARIOUS C preprocessors (EVC, VC, BCC, GCC) */
|
||||
#define STRINGIZE0(x) #x
|
||||
#define STRINGIZE(x) STRINGIZE0(x)
|
||||
#define STRZCONCAT30(a,b,c) a##b##c
|
||||
#define STRZCONCAT3(a,b,c) STRZCONCAT30(a,b,c)
|
||||
|
||||
/* for resource.rc, stunnel.c, gui.c */
|
||||
#define STUNNEL_VERSION0 STRZCONCAT3(VERSION_MAJOR, . , VERSION_MINOR)
|
||||
#define STUNNEL_VERSION STRINGIZE(STUNNEL_VERSION0)
|
||||
|
||||
/* for resources.rc */
|
||||
#define STUNNEL_VERSION_FIELDS VERSION_MAJOR,VERSION_MINOR,0,0
|
||||
#define STUNNEL_PRODUCTNAME "stunnel " STUNNEL_VERSION " for " HOST
|
||||
|
||||
/* some useful tricks for preprocessing debugging */
|
||||
#if 0
|
||||
#pragma message ( "VERSION.H: STUNNEL_VERSION is " STUNNEL_VERSION )
|
||||
#pragma message ( "VERSION.H: HOST is " HOST )
|
||||
#pragma message ( "VERSION.H: STUNNEL_PRODUCTNAME is " STUNNEL_PRODUCTNAME )
|
||||
#endif
|
||||
|
||||
#endif /* VERSION_MAJOR */
|
||||
|
||||
/* end of version.h */
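Review bot: the new `#define xstr(a) str(a)` / `#define str(a) #a` helpers duplicate `STRINGIZE0`/`STRINGIZE`, which this same header defines a few lines further down, and `str` is a generic name that every file including version.h now sees (the build already has a str.obj); move the `STRINGIZE` definitions above the `#ifndef HOST` block and write `#define HOST PLATFORM "-pc-msvc-" STRINGIZE(_MSC_VER)` instead. The replacement itself is correct, since the old `"x86-pc-msvc-" ## QUOTEME(_MSC_VER)` tried to token-paste a string literal, which no preprocessor accepts. The comment `/* for resource.rc, stunnel.c, gui.c */` is also stale now that gui.c has become ui_win_gui.c (see `GUIOBJS` in vc.mak).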
|
||||
|
|
|
@ -1,36 +1,41 @@
|
|||
## Process this file with automake to produce Makefile.in
|
||||
# by Michal Trojnara 2015-2017
|
||||
|
||||
EXTRA_DIST = ca.html ca.pl importCA.html importCA.sh script.sh \
|
||||
stunnel.spec stunnel.cnf stunnel.nsi stunnel.license stunnel.conf
|
||||
EXTRA_DIST = ca.html ca.pl importCA.html importCA.sh script.sh makecert.sh
|
||||
EXTRA_DIST += openssl.cnf stunnel.nsi stunnel.license stunnel.conf
|
||||
EXTRA_DIST += stunnel.conf-sample.in stunnel.init.in stunnel.service.in
|
||||
EXTRA_DIST += stunnel.logrotate stunnel.rh.init stunnel.spec
|
||||
|
||||
confdir = $(sysconfdir)/stunnel
|
||||
conf_DATA = stunnel.conf-sample
|
||||
|
||||
docdir = $(datadir)/doc/stunnel
|
||||
examplesdir = $(docdir)/examples
|
||||
examples_DATA = ca.html ca.pl importCA.html importCA.sh script.sh \
|
||||
stunnel.spec stunnel.init stunnel.service
|
||||
examples_DATA = stunnel.init stunnel.service
|
||||
examples_DATA += stunnel.logrotate stunnel.rh.init stunnel.spec
|
||||
examples_DATA += ca.html ca.pl importCA.html importCA.sh script.sh
|
||||
|
||||
CLEANFILES = stunnel.conf-sample stunnel.init stunnel.service
|
||||
|
||||
OPENSSL=$(SSLDIR)/bin/openssl
|
||||
install-data-local:
|
||||
if test ! -r $(DESTDIR)$(confdir)/stunnel.pem; then \
|
||||
if test -r "$(RANDOM_FILE)"; then \
|
||||
dd if="$(RANDOM_FILE)" of=stunnel.rnd bs=256 count=1; \
|
||||
RND="-rand stunnel.rnd"; \
|
||||
else \
|
||||
RND=""; \
|
||||
fi; \
|
||||
$(OPENSSL) req -new -x509 -days 365 $$RND \
|
||||
-config $(srcdir)/stunnel.cnf \
|
||||
-out stunnel.pem -keyout stunnel.pem; \
|
||||
$(OPENSSL) gendh $$RND 1024 >> stunnel.pem; \
|
||||
$(OPENSSL) x509 -subject -dates -fingerprint -noout -in stunnel.pem; \
|
||||
${INSTALL} -m 600 stunnel.pem $(DESTDIR)$(confdir)/stunnel.pem; \
|
||||
rm stunnel.pem; \
|
||||
fi
|
||||
${INSTALL} -d -m 1770 $(DESTDIR)$(localstatedir)/lib/stunnel
|
||||
-chgrp $(DEFAULT_GROUP) $(DESTDIR)$(localstatedir)/lib/stunnel
|
||||
|
||||
clean-local:
|
||||
-rm -f stunnel.rnd
|
||||
cert:
|
||||
$(srcdir)/makecert.sh $(srcdir) $(SSLDIR) $(RANDOM_FILE)
|
||||
${INSTALL} -b -m 600 stunnel.pem $(DESTDIR)$(confdir)/stunnel.pem
|
||||
rm -f stunnel.pem
|
||||
|
||||
edit = sed \
|
||||
-e 's|@prefix[@]|$(prefix)|g' \
|
||||
-e 's|@bindir[@]|$(bindir)|g' \
|
||||
-e 's|@localstatedir[@]|$(localstatedir)|g' \
|
||||
-e 's|@sysconfdir[@]|$(sysconfdir)|g' \
|
||||
-e 's|@DEFAULT_GROUP[@]|$(DEFAULT_GROUP)|g'
|
||||
|
||||
stunnel.conf-sample stunnel.init stunnel.service: Makefile
|
||||
$(edit) '$(srcdir)/$@.in' >$@
|
||||
|
||||
stunnel.conf-sample: $(srcdir)/stunnel.conf-sample.in
|
||||
stunnel.init: $(srcdir)/stunnel.init.in
|
||||
stunnel.service: $(srcdir)/stunnel.service.in
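Review bot: the new `cert` target runs `${INSTALL} -b -m 600 stunnel.pem $(DESTDIR)$(confdir)/stunnel.pem` without first ensuring `$(DESTDIR)$(confdir)` exists; the removed `install-data-local` could rely on `install-confDATA` having created it, but `cert` is a standalone target, so add a `$(MKDIR_P) "$(DESTDIR)$(confdir)"` step or make it depend on `install-confDATA`. Note also that the old `if test ! -r $(DESTDIR)$(confdir)/stunnel.pem` guard is gone: `cert` now overwrites an existing certificate and key (keeping a `-b` backup copy of the old private key next to it), which is worth stating in the docs. Dropping the `openssl gendh $$RND 1024` step is a good change, since 1024-bit DH parameters are no longer acceptable.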
|
||||
|
|
|
@ -1,9 +1,8 @@
|
|||
# Makefile.in generated by automake 1.11.1 from Makefile.am.
|
||||
# Makefile.in generated by automake 1.14.1 from Makefile.am.
|
||||
# @configure_input@
|
||||
|
||||
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
|
||||
# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
|
||||
# Inc.
|
||||
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
|
||||
|
||||
# This Makefile.in is free software; the Free Software Foundation
|
||||
# gives unlimited permission to copy and/or distribute it,
|
||||
# with or without modifications, as long as this notice is preserved.
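Review bot: this file is automake output (the header now reads 1.14.1), so the hunks below are best checked by re-running `autoreconf -fvi` against the updated tools/Makefile.am and diffing, rather than reviewed by hand; any manual edit here is lost on the next regeneration, and the only substantive changes should mirror Makefile.am (the new `EXTRA_DIST`, `examples_DATA` and `cert` definitions, the dropped `config.status` rules for stunnel.conf-sample, stunnel.init and stunnel.service, and `clean-local` leaving `clean-am`).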
|
||||
|
@ -15,7 +14,54 @@
|
|||
|
||||
@SET_MAKE@
|
||||
|
||||
# by Michal Trojnara 2015-2017
|
||||
|
||||
VPATH = @srcdir@
|
||||
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
|
||||
am__make_running_with_option = \
|
||||
case $${target_option-} in \
|
||||
?) ;; \
|
||||
*) echo "am__make_running_with_option: internal error: invalid" \
|
||||
"target option '$${target_option-}' specified" >&2; \
|
||||
exit 1;; \
|
||||
esac; \
|
||||
has_opt=no; \
|
||||
sane_makeflags=$$MAKEFLAGS; \
|
||||
if $(am__is_gnu_make); then \
|
||||
sane_makeflags=$$MFLAGS; \
|
||||
else \
|
||||
case $$MAKEFLAGS in \
|
||||
*\\[\ \ ]*) \
|
||||
bs=\\; \
|
||||
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
|
||||
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
|
||||
esac; \
|
||||
fi; \
|
||||
skip_next=no; \
|
||||
strip_trailopt () \
|
||||
{ \
|
||||
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
|
||||
}; \
|
||||
for flg in $$sane_makeflags; do \
|
||||
test $$skip_next = yes && { skip_next=no; continue; }; \
|
||||
case $$flg in \
|
||||
*=*|--*) continue;; \
|
||||
-*I) strip_trailopt 'I'; skip_next=yes;; \
|
||||
-*I?*) strip_trailopt 'I';; \
|
||||
-*O) strip_trailopt 'O'; skip_next=yes;; \
|
||||
-*O?*) strip_trailopt 'O';; \
|
||||
-*l) strip_trailopt 'l'; skip_next=yes;; \
|
||||
-*l?*) strip_trailopt 'l';; \
|
||||
-[dEDm]) skip_next=yes;; \
|
||||
-[JT]) skip_next=yes;; \
|
||||
esac; \
|
||||
case $$flg in \
|
||||
*$$target_option*) has_opt=yes; break;; \
|
||||
esac; \
|
||||
done; \
|
||||
test $$has_opt = yes
|
||||
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
|
||||
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
|
||||
pkgdatadir = $(datadir)/@PACKAGE@
|
||||
pkgincludedir = $(includedir)/@PACKAGE@
|
||||
pkglibdir = $(libdir)/@PACKAGE@
|
||||
|
@ -35,9 +81,7 @@ POST_UNINSTALL = :
|
|||
build_triplet = @build@
|
||||
host_triplet = @host@
|
||||
subdir = tools
|
||||
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
|
||||
$(srcdir)/stunnel.conf-sample.in $(srcdir)/stunnel.init.in \
|
||||
$(srcdir)/stunnel.service.in
|
||||
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
|
||||
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
|
||||
am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
|
||||
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
|
||||
|
@ -47,10 +91,27 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
|
|||
$(ACLOCAL_M4)
|
||||
mkinstalldirs = $(install_sh) -d
|
||||
CONFIG_HEADER = $(top_builddir)/src/config.h
|
||||
CONFIG_CLEAN_FILES = stunnel.conf-sample stunnel.init stunnel.service
|
||||
CONFIG_CLEAN_FILES =
|
||||
CONFIG_CLEAN_VPATH_FILES =
|
||||
AM_V_P = $(am__v_P_@AM_V@)
|
||||
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
|
||||
am__v_P_0 = false
|
||||
am__v_P_1 = :
|
||||
AM_V_GEN = $(am__v_GEN_@AM_V@)
|
||||
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
|
||||
am__v_GEN_0 = @echo " GEN " $@;
|
||||
am__v_GEN_1 =
|
||||
AM_V_at = $(am__v_at_@AM_V@)
|
||||
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
|
||||
am__v_at_0 = @
|
||||
am__v_at_1 =
|
||||
SOURCES =
|
||||
DIST_SOURCES =
|
||||
am__can_run_installinfo = \
|
||||
case $$AM_UPDATE_INFO_DIR in \
|
||||
n|no|NO) false;; \
|
||||
*) (install-info --version) >/dev/null 2>&1;; \
|
||||
esac
|
||||
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
|
||||
am__vpath_adj = case $$p in \
|
||||
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
|
||||
|
@ -72,11 +133,19 @@ am__nobase_list = $(am__nobase_strip_setup); \
|
|||
am__base_list = \
|
||||
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
|
||||
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
|
||||
am__uninstall_files_from_dir = { \
|
||||
test -z "$$files" \
|
||||
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|
||||
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
|
||||
$(am__cd) "$$dir" && rm -f $$files; }; \
|
||||
}
|
||||
am__installdirs = "$(DESTDIR)$(confdir)" "$(DESTDIR)$(examplesdir)"
|
||||
DATA = $(conf_DATA) $(examples_DATA)
|
||||
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
|
||||
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
|
||||
ACLOCAL = @ACLOCAL@
|
||||
AMTAR = @AMTAR@
|
||||
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
|
||||
AR = @AR@
|
||||
AUTOCONF = @AUTOCONF@
|
||||
AUTOHEADER = @AUTOHEADER@
|
||||
|
@ -91,6 +160,7 @@ CYGPATH_W = @CYGPATH_W@
|
|||
DEFAULT_GROUP = @DEFAULT_GROUP@
|
||||
DEFS = @DEFS@
|
||||
DEPDIR = @DEPDIR@
|
||||
DLLTOOL = @DLLTOOL@
|
||||
DSYMUTIL = @DSYMUTIL@
|
||||
DUMPBIN = @DUMPBIN@
|
||||
ECHO_C = @ECHO_C@
|
||||
|
@ -115,6 +185,7 @@ LIPO = @LIPO@
|
|||
LN_S = @LN_S@
|
||||
LTLIBOBJS = @LTLIBOBJS@
|
||||
MAKEINFO = @MAKEINFO@
|
||||
MANIFEST_TOOL = @MANIFEST_TOOL@
|
||||
MKDIR_P = @MKDIR_P@
|
||||
NM = @NM@
|
||||
NMEDIT = @NMEDIT@
|
||||
|
@ -130,6 +201,9 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
|
|||
PACKAGE_URL = @PACKAGE_URL@
|
||||
PACKAGE_VERSION = @PACKAGE_VERSION@
|
||||
PATH_SEPARATOR = @PATH_SEPARATOR@
|
||||
PTHREAD_CC = @PTHREAD_CC@
|
||||
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
|
||||
PTHREAD_LIBS = @PTHREAD_LIBS@
|
||||
RANDOM_FILE = @RANDOM_FILE@
|
||||
RANLIB = @RANLIB@
|
||||
SED = @SED@
|
||||
|
@ -142,6 +216,7 @@ abs_builddir = @abs_builddir@
|
|||
abs_srcdir = @abs_srcdir@
|
||||
abs_top_builddir = @abs_top_builddir@
|
||||
abs_top_srcdir = @abs_top_srcdir@
|
||||
ac_ct_AR = @ac_ct_AR@
|
||||
ac_ct_CC = @ac_ct_CC@
|
||||
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
|
||||
am__include = @am__include@
|
||||
|
@ -149,6 +224,7 @@ am__leading_dot = @am__leading_dot@
|
|||
am__quote = @am__quote@
|
||||
am__tar = @am__tar@
|
||||
am__untar = @am__untar@
|
||||
ax_pthread_config = @ax_pthread_config@
|
||||
bindir = @bindir@
|
||||
build = @build@
|
||||
build_alias = @build_alias@
|
||||
|
@ -174,7 +250,6 @@ libdir = @libdir@
|
|||
libexecdir = @libexecdir@
|
||||
localedir = @localedir@
|
||||
localstatedir = @localstatedir@
|
||||
lt_ECHO = @lt_ECHO@
|
||||
mandir = @mandir@
|
||||
mkdir_p = @mkdir_p@
|
||||
oldincludedir = @oldincludedir@
|
||||
|
@ -182,27 +257,34 @@ pdfdir = @pdfdir@
|
|||
prefix = @prefix@
|
||||
program_transform_name = @program_transform_name@
|
||||
psdir = @psdir@
|
||||
runstatedir = @runstatedir@
|
||||
sbindir = @sbindir@
|
||||
sharedstatedir = @sharedstatedir@
|
||||
srcdir = @srcdir@
|
||||
stunnel_CFLAGS = @stunnel_CFLAGS@
|
||||
stunnel_LDFLAGF = @stunnel_LDFLAGF@
|
||||
stunnel_LDFLAGS = @stunnel_LDFLAGS@
|
||||
sysconfdir = @sysconfdir@
|
||||
target_alias = @target_alias@
|
||||
top_build_prefix = @top_build_prefix@
|
||||
top_builddir = @top_builddir@
|
||||
top_srcdir = @top_srcdir@
|
||||
EXTRA_DIST = ca.html ca.pl importCA.html importCA.sh script.sh \
|
||||
stunnel.spec stunnel.cnf stunnel.nsi stunnel.license stunnel.conf
|
||||
|
||||
makecert.sh openssl.cnf stunnel.nsi stunnel.license \
|
||||
stunnel.conf stunnel.conf-sample.in stunnel.init.in \
|
||||
stunnel.service.in stunnel.logrotate stunnel.rh.init \
|
||||
stunnel.spec
|
||||
confdir = $(sysconfdir)/stunnel
|
||||
conf_DATA = stunnel.conf-sample
|
||||
examplesdir = $(docdir)/examples
|
||||
examples_DATA = ca.html ca.pl importCA.html importCA.sh script.sh \
|
||||
stunnel.spec stunnel.init stunnel.service
|
||||
examples_DATA = stunnel.init stunnel.service stunnel.logrotate \
|
||||
stunnel.rh.init stunnel.spec ca.html ca.pl importCA.html \
|
||||
importCA.sh script.sh
|
||||
CLEANFILES = stunnel.conf-sample stunnel.init stunnel.service
|
||||
edit = sed \
|
||||
-e 's|@prefix[@]|$(prefix)|g' \
|
||||
-e 's|@bindir[@]|$(bindir)|g' \
|
||||
-e 's|@localstatedir[@]|$(localstatedir)|g' \
|
||||
-e 's|@sysconfdir[@]|$(sysconfdir)|g' \
|
||||
-e 's|@DEFAULT_GROUP[@]|$(DEFAULT_GROUP)|g'
|
||||
|
||||
OPENSSL = $(SSLDIR)/bin/openssl
|
||||
all: all-am
|
||||
|
||||
.SUFFIXES:
|
||||
|
@ -236,12 +318,6 @@ $(top_srcdir)/configure: $(am__configure_deps)
|
|||
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
|
||||
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
|
||||
$(am__aclocal_m4_deps):
|
||||
stunnel.conf-sample: $(top_builddir)/config.status $(srcdir)/stunnel.conf-sample.in
|
||||
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
|
||||
stunnel.init: $(top_builddir)/config.status $(srcdir)/stunnel.init.in
|
||||
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
|
||||
stunnel.service: $(top_builddir)/config.status $(srcdir)/stunnel.service.in
|
||||
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
|
||||
|
||||
mostlyclean-libtool:
|
||||
-rm -f *.lo
|
||||
|
@ -250,8 +326,11 @@ clean-libtool:
|
|||
-rm -rf .libs _libs
|
||||
install-confDATA: $(conf_DATA)
|
||||
@$(NORMAL_INSTALL)
|
||||
test -z "$(confdir)" || $(MKDIR_P) "$(DESTDIR)$(confdir)"
|
||||
@list='$(conf_DATA)'; test -n "$(confdir)" || list=; \
|
||||
if test -n "$$list"; then \
|
||||
echo " $(MKDIR_P) '$(DESTDIR)$(confdir)'"; \
|
||||
$(MKDIR_P) "$(DESTDIR)$(confdir)" || exit 1; \
|
||||
fi; \
|
||||
for p in $$list; do \
|
||||
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
|
||||
echo "$$d$$p"; \
|
||||
|
@ -265,13 +344,14 @@ uninstall-confDATA:
|
|||
@$(NORMAL_UNINSTALL)
|
||||
@list='$(conf_DATA)'; test -n "$(confdir)" || list=; \
|
||||
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
|
||||
test -n "$$files" || exit 0; \
|
||||
echo " ( cd '$(DESTDIR)$(confdir)' && rm -f" $$files ")"; \
|
||||
cd "$(DESTDIR)$(confdir)" && rm -f $$files
|
||||
dir='$(DESTDIR)$(confdir)'; $(am__uninstall_files_from_dir)
|
||||
install-examplesDATA: $(examples_DATA)
|
||||
@$(NORMAL_INSTALL)
|
||||
test -z "$(examplesdir)" || $(MKDIR_P) "$(DESTDIR)$(examplesdir)"
|
||||
@list='$(examples_DATA)'; test -n "$(examplesdir)" || list=; \
|
||||
if test -n "$$list"; then \
|
||||
echo " $(MKDIR_P) '$(DESTDIR)$(examplesdir)'"; \
|
||||
$(MKDIR_P) "$(DESTDIR)$(examplesdir)" || exit 1; \
|
||||
fi; \
|
||||
for p in $$list; do \
|
||||
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
|
||||
echo "$$d$$p"; \
|
||||
|
@ -285,14 +365,12 @@ uninstall-examplesDATA:
|
|||
@$(NORMAL_UNINSTALL)
|
||||
@list='$(examples_DATA)'; test -n "$(examplesdir)" || list=; \
|
||||
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
|
||||
test -n "$$files" || exit 0; \
|
||||
echo " ( cd '$(DESTDIR)$(examplesdir)' && rm -f" $$files ")"; \
|
||||
cd "$(DESTDIR)$(examplesdir)" && rm -f $$files
|
||||
tags: TAGS
|
||||
TAGS:
|
||||
dir='$(DESTDIR)$(examplesdir)'; $(am__uninstall_files_from_dir)
|
||||
tags TAGS:
|
||||
|
||||
ctags: CTAGS
|
||||
CTAGS:
|
||||
ctags CTAGS:
|
||||
|
||||
cscope cscopelist:
|
||||
|
||||
|
||||
distdir: $(DISTFILES)
|
||||
|
@ -342,13 +420,19 @@ install-am: all-am
|
|||
|
||||
installcheck: installcheck-am
|
||||
install-strip:
|
||||
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
|
||||
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
|
||||
`test -z '$(STRIP)' || \
|
||||
echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
|
||||
if test -z '$(STRIP)'; then \
|
||||
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
|
||||
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
|
||||
install; \
|
||||
else \
|
||||
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
|
||||
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
|
||||
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
|
||||
fi
|
||||
mostlyclean-generic:
|
||||
|
||||
clean-generic:
|
||||
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
|
||||
|
||||
distclean-generic:
|
||||
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
|
||||
|
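Review bot: the new `install-strip` form is the correct fix for the quoting bug in the old one: moving the `STRIPPROG='$(STRIP)'` assignment out of the backtick substitution and passing it as the single quoted word `"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install` means a `STRIP` value containing spaces (e.g. a cross toolchain wrapper with options) is no longer split into several make arguments. Since this is generated automake output, the identical change should appear in every other Makefile.in of the tree; a half-regenerated tree would strip binaries in one directory and not in another.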
@ -359,7 +443,7 @@ maintainer-clean-generic:
|
|||
@echo "it deletes files that may require special tools to rebuild."
|
||||
clean: clean-am
|
||||
|
||||
clean-am: clean-generic clean-libtool clean-local mostlyclean-am
|
||||
clean-am: clean-generic clean-libtool mostlyclean-am
|
||||
|
||||
distclean: distclean-am
|
||||
-rm -f Makefile
|
||||
|
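Review bot: `clean-local` disappears from the `clean-am` prerequisite list here, which is only consistent because a later hunk in this file also removes the `clean-local:` / `-rm -f stunnel.rnd` target and the seed file is now created and deleted inside `makecert.sh`. If a local clean step is reintroduced later it must be added back to this list as well, otherwise a leftover `stunnel.rnd` (256 bytes of RNG seed) would survive `make clean` in the source tree.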
@ -427,40 +511,35 @@ uninstall-am: uninstall-confDATA uninstall-examplesDATA
|
|||
.MAKE: install-am install-strip
|
||||
|
||||
.PHONY: all all-am check check-am clean clean-generic clean-libtool \
|
||||
clean-local distclean distclean-generic distclean-libtool \
|
||||
distdir dvi dvi-am html html-am info info-am install \
|
||||
install-am install-confDATA install-data install-data-am \
|
||||
install-data-local install-dvi install-dvi-am \
|
||||
cscopelist-am ctags-am distclean distclean-generic \
|
||||
distclean-libtool distdir dvi dvi-am html html-am info info-am \
|
||||
install install-am install-confDATA install-data \
|
||||
install-data-am install-data-local install-dvi install-dvi-am \
|
||||
install-examplesDATA install-exec install-exec-am install-html \
|
||||
install-html-am install-info install-info-am install-man \
|
||||
install-pdf install-pdf-am install-ps install-ps-am \
|
||||
install-strip installcheck installcheck-am installdirs \
|
||||
maintainer-clean maintainer-clean-generic mostlyclean \
|
||||
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
|
||||
uninstall uninstall-am uninstall-confDATA \
|
||||
tags-am uninstall uninstall-am uninstall-confDATA \
|
||||
uninstall-examplesDATA
|
||||
|
||||
|
||||
install-data-local:
|
||||
if test ! -r $(DESTDIR)$(confdir)/stunnel.pem; then \
|
||||
if test -r "$(RANDOM_FILE)"; then \
|
||||
dd if="$(RANDOM_FILE)" of=stunnel.rnd bs=256 count=1; \
|
||||
RND="-rand stunnel.rnd"; \
|
||||
else \
|
||||
RND=""; \
|
||||
fi; \
|
||||
$(OPENSSL) req -new -x509 -days 365 $$RND \
|
||||
-config $(srcdir)/stunnel.cnf \
|
||||
-out stunnel.pem -keyout stunnel.pem; \
|
||||
$(OPENSSL) gendh $$RND 1024 >> stunnel.pem; \
|
||||
$(OPENSSL) x509 -subject -dates -fingerprint -noout -in stunnel.pem; \
|
||||
${INSTALL} -m 600 stunnel.pem $(DESTDIR)$(confdir)/stunnel.pem; \
|
||||
rm stunnel.pem; \
|
||||
fi
|
||||
${INSTALL} -d -m 1770 $(DESTDIR)$(localstatedir)/lib/stunnel
|
||||
-chgrp $(DEFAULT_GROUP) $(DESTDIR)$(localstatedir)/lib/stunnel
|
||||
|
||||
clean-local:
|
||||
-rm -f stunnel.rnd
|
||||
cert:
|
||||
$(srcdir)/makecert.sh $(srcdir) $(SSLDIR) $(RANDOM_FILE)
|
||||
${INSTALL} -b -m 600 stunnel.pem $(DESTDIR)$(confdir)/stunnel.pem
|
||||
rm -f stunnel.pem
|
||||
|
||||
stunnel.conf-sample stunnel.init stunnel.service: Makefile
|
||||
$(edit) '$(srcdir)/$@.in' >$@
|
||||
|
||||
stunnel.conf-sample: $(srcdir)/stunnel.conf-sample.in
|
||||
stunnel.init: $(srcdir)/stunnel.init.in
|
||||
stunnel.service: $(srcdir)/stunnel.service.in
|
||||
|
||||
# Tell versions [3.59,3.63) of GNU make to not export all variables.
|
||||
# Otherwise a system limit (for SysV at least) may be exceeded.
|
||||
|
|
|
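Review bot: the new `cert:` target runs `$(srcdir)/makecert.sh $(srcdir) $(SSLDIR) $(RANDOM_FILE)` directly, so it depends on the executable bit surviving `make dist` and unpacking; invoking it as `$(SHELL) $(srcdir)/makecert.sh ...` removes that dependency. The security-relevant parts of the change are good: the old `install-data-local` appended 1024-bit parameters from `$(OPENSSL) gendh $$RND 1024` to `stunnel.pem`, which is no longer done, and `${INSTALL} -b -m 600 stunnel.pem` keeps the private key owner-only while backing up an existing file instead of silently overwriting it. Two consequences should be documented: a plain `make install` no longer produces any `stunnel.pem` (the `test ! -r $(DESTDIR)$(confdir)/stunnel.pem` branch is gone, so users must run `make cert`), and the `${INSTALL} -d -m 1770 $(DESTDIR)$(localstatedir)/lib/stunnel` plus `-chgrp $(DEFAULT_GROUP)` lines that created the chroot directory are removed, which matches the sample configuration in this commit that comments out `chroot`.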
@ -61,5 +61,5 @@ sub ReadForm {
|
|||
|
||||
sub Error {
|
||||
print "Content-type: text/html\n\n";
|
||||
print "<P><P><center><H1>Cant open file</H1></center>\n";
|
||||
print "<P><P><center><H1>Can't open file</H1></center>\n";
|
||||
}
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
#!/bin/sh
|
||||
|
||||
if test -n "$1"; then
|
||||
CONF="$1/openssl.cnf"
|
||||
else
|
||||
CONF="openssl.cnf"
|
||||
fi
|
||||
|
||||
if test -n "$2"; then
|
||||
OPENSSL="$2/bin/openssl"
|
||||
else
|
||||
OPENSSL=openssl
|
||||
fi
|
||||
|
||||
if test -n "$3"; then
|
||||
RAND="$3"
|
||||
else
|
||||
RAND="/dev/urandom"
|
||||
fi
|
||||
|
||||
dd if="$RAND" of=stunnel.rnd bs=256 count=1
|
||||
$OPENSSL req -new -x509 -days 1461 -rand stunnel.rnd -config $CONF \
|
||||
-out stunnel.pem -keyout stunnel.pem
|
||||
rm -f stunnel.rnd
|
||||
|
||||
echo
|
||||
echo "Certificate details:"
|
||||
$OPENSSL x509 -subject -dates -fingerprint -noout -in stunnel.pem
|
||||
echo
|
|
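Review bot: `makecert.sh` creates `stunnel.rnd` (the 256-byte seed read from `$RAND`) and `stunnel.pem` (which contains the unencrypted private key, since `stunnel.cnf` sets `encrypt_key = no`) with the caller's default umask, so under a typical 022 umask the key is world-readable until the Makefile's `install -m 600` copies it; add `umask 077` right after the shebang. The script also has no `set -e`, so a failing `$OPENSSL req` still falls through to `rm -f stunnel.rnd` and prints "Certificate details:" for a file that does not exist, and `$CONF` and `$OPENSSL` are unquoted in the `req` and `x509` invocations although `$1` and `$2` were quoted when building them, so a prefix containing whitespace breaks the command; `set -e` plus `"$OPENSSL" ... -config "$CONF"` fixes both.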
@ -1,15 +1,23 @@
|
|||
# OpenSSL configuration file to create a server certificate
|
||||
# by Michal Trojnara 1998-2013
|
||||
# by Michal Trojnara 1998-2017
|
||||
|
||||
[ req ]
|
||||
# the default key length is secure and quite fast - do not change it
|
||||
default_bits = 2048
|
||||
# comment out the next line to protect the private key with a passphrase
|
||||
encrypt_key = no
|
||||
distinguished_name = req_dn
|
||||
x509_extensions = cert_type
|
||||
# the default key length is secure and quite fast - do not change it
|
||||
default_bits = 2048
|
||||
default_md = sha1
|
||||
x509_extensions = stunnel_extensions
|
||||
distinguished_name = stunnel_dn
|
||||
|
||||
[ req_dn ]
|
||||
[ stunnel_extensions ]
|
||||
nsCertType = server
|
||||
basicConstraints = CA:TRUE,pathlen:0
|
||||
keyUsage = keyCertSign
|
||||
extendedKeyUsage = serverAuth
|
||||
nsComment = "stunnel self-signed certificate"
|
||||
|
||||
[ stunnel_dn ]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_default = PL
|
||||
countryName_min = 2
|
||||
|
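Review bot: `default_md = sha1` in the new `[ req ]` section signs the generated certificate with SHA-1, which current browsers and OpenSSL security levels already reject for certificates; this should be `default_md = sha256`. In `[ stunnel_extensions ]`, `keyUsage = keyCertSign` together with `basicConstraints = CA:TRUE,pathlen:0` describes a CA certificate, not a TLS server certificate: a peer that honours the key usage extension may refuse the certificate for `serverAuth` because neither `digitalSignature` nor `keyEncipherment` is asserted, regardless of the `extendedKeyUsage = serverAuth` line. If the intent is a plain self-signed server certificate, `keyUsage = digitalSignature, keyEncipherment` is the usual value; keep `CA:TRUE` only if the file is meant to produce a small private CA.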
@ -37,6 +45,3 @@ organizationalUnitName_default = Provisional CA
|
|||
# See http://home.netscape.com/eng/security/ssl_2.0_certificate.html
|
||||
# to see how Netscape understands commonName.
|
||||
|
||||
[ cert_type ]
|
||||
nsCertType = server
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2012
|
||||
; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2017
|
||||
; Some options used here may be inadequate for your particular configuration
|
||||
; This sample file does *not* represent stunnel.conf defaults
|
||||
; Please consult the manual for detailed description of available options
|
||||
|
@ -7,85 +7,129 @@
|
|||
; * Global options *
|
||||
; **************************************************************************
|
||||
|
||||
; Debugging stuff (may useful for troubleshooting)
|
||||
;debug = 7
|
||||
; Debugging stuff (may be useful for troubleshooting)
|
||||
;debug = info
|
||||
;output = stunnel.log
|
||||
|
||||
; Disable FIPS mode to allow non-approved protocols and algorithms
|
||||
;fips = no
|
||||
; Enable FIPS 140-2 mode if needed for compliance
|
||||
;fips = yes
|
||||
|
||||
; Microsoft CryptoAPI engine allows for authentication with private keys
|
||||
; stored in the Windows certificate store
|
||||
; Each section using this feature also needs the "engineId = capi" option
|
||||
;engine = capi
|
||||
|
||||
; The pkcs11 engine allows for authentication with cryptographic
|
||||
; keys isolated in a hardware or software token
|
||||
; MODULE_PATH specifies the path to the pkcs11 module shared library,
|
||||
; e.g. softhsm2.dll or opensc-pkcs11.so
|
||||
; Each section using this feature also needs the "engineId = pkcs11" option
|
||||
;engine = pkcs11
|
||||
;engineCtrl = MODULE_PATH:softhsm2.dll
|
||||
;engineCtrl = PIN:1234
|
||||
|
||||
; **************************************************************************
|
||||
; * Service defaults may also be specified in individual service sections *
|
||||
; **************************************************************************
|
||||
|
||||
; Certificate/key is needed in server mode and optional in client mode
|
||||
cert = stunnel.pem
|
||||
;key = stunnel.pem
|
||||
|
||||
; Authentication stuff needs to be configured to prevent MITM attacks
|
||||
; It is not enabled by default!
|
||||
;verify = 2
|
||||
; Don't forget to c_rehash CApath
|
||||
;CApath = certs
|
||||
; It's often easier to use CAfile
|
||||
;CAfile = certs.pem
|
||||
; Don't forget to c_rehash CRLpath
|
||||
;CRLpath = crls
|
||||
; Alternatively CRLfile can be used
|
||||
;CRLfile = crls.pem
|
||||
|
||||
; Disable support for insecure SSLv2 protocol
|
||||
options = NO_SSLv2
|
||||
; Workaround for Eudora bug
|
||||
;options = DONT_INSERT_EMPTY_FRAGMENTS
|
||||
; Enable support for the insecure SSLv3 protocol
|
||||
;options = -NO_SSLv3
|
||||
|
||||
; These options provide additional security at some performance degradation
|
||||
;options = SINGLE_ECDH_USE
|
||||
;options = SINGLE_DH_USE
|
||||
|
||||
; **************************************************************************
|
||||
; * Include all configuration file fragments from the specified folder *
|
||||
; **************************************************************************
|
||||
|
||||
;include = conf.d
|
||||
|
||||
; **************************************************************************
|
||||
; * Service definitions (at least one service has to be defined) *
|
||||
; **************************************************************************
|
||||
|
||||
; Example SSL server mode services
|
||||
; ***************************************** Example TLS client mode services
|
||||
|
||||
[pop3s]
|
||||
accept = 995
|
||||
connect = 110
|
||||
[gmail-pop3]
|
||||
client = yes
|
||||
accept = 127.0.0.1:110
|
||||
connect = pop.gmail.com:995
|
||||
verifyChain = yes
|
||||
CAfile = ca-certs.pem
|
||||
checkHost = pop.gmail.com
|
||||
OCSPaia = yes
|
||||
|
||||
[imaps]
|
||||
accept = 993
|
||||
connect = 143
|
||||
[gmail-imap]
|
||||
client = yes
|
||||
accept = 127.0.0.1:143
|
||||
connect = imap.gmail.com:993
|
||||
verifyChain = yes
|
||||
CAfile = ca-certs.pem
|
||||
checkHost = imap.gmail.com
|
||||
OCSPaia = yes
|
||||
|
||||
[ssmtp]
|
||||
accept = 465
|
||||
connect = 25
|
||||
[gmail-smtp]
|
||||
client = yes
|
||||
accept = 127.0.0.1:25
|
||||
connect = smtp.gmail.com:465
|
||||
verifyChain = yes
|
||||
CAfile = ca-certs.pem
|
||||
checkHost = smtp.gmail.com
|
||||
OCSPaia = yes
|
||||
|
||||
; Example SSL client mode services
|
||||
|
||||
;[gmail-pop3]
|
||||
; Encrypted HTTP proxy authenticated with a client certificate
|
||||
; located in the Windows certificate store
|
||||
;[example-proxy]
|
||||
;client = yes
|
||||
;accept = 127.0.0.1:110
|
||||
;connect = pop.gmail.com:995
|
||||
;accept = 127.0.0.1:8080
|
||||
;connect = example.com:8443
|
||||
;engineId = capi
|
||||
|
||||
;[gmail-imap]
|
||||
; Encrypted HTTP proxy authenticated with a client certificate
|
||||
; located in a cryptographic token
|
||||
;[example-pkcs11]
|
||||
;client = yes
|
||||
;accept = 127.0.0.1:143
|
||||
;connect = imap.gmail.com:993
|
||||
;accept = 127.0.0.1:8080
|
||||
;connect = example.com:8443
|
||||
;engineId = pkcs11
|
||||
;cert = pkcs11:token=MyToken;object=MyCert
|
||||
;key = pkcs11:token=MyToken;object=MyKey
|
||||
|
||||
;[gmail-smtp]
|
||||
;client = yes
|
||||
;accept = 127.0.0.1:25
|
||||
;connect = smtp.gmail.com:465
|
||||
; ***************************************** Example TLS server mode services
|
||||
|
||||
; Example SSL front-end to a web server
|
||||
;[pop3s]
|
||||
;accept = 995
|
||||
;connect = 110
|
||||
;cert = stunnel.pem
|
||||
|
||||
;[imaps]
|
||||
;accept = 993
|
||||
;connect = 143
|
||||
;cert = stunnel.pem
|
||||
|
||||
;[ssmtp]
|
||||
;accept = 465
|
||||
;connect = 25
|
||||
;cert = stunnel.pem
|
||||
|
||||
; TLS front-end to a web server
|
||||
;[https]
|
||||
;accept = 443
|
||||
;connect = 80
|
||||
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
|
||||
; Microsoft implementations do not use SSL close-notify alert and thus
|
||||
; they are vulnerable to truncation attacks
|
||||
;cert = stunnel.pem
|
||||
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
|
||||
; Microsoft implementations do not use TLS close-notify alert and thus they
|
||||
; are vulnerable to truncation attacks
|
||||
;TIMEOUTclose = 0
|
||||
|
||||
; Remote cmd.exe protected with PSK-authenticated TLS
|
||||
; Create "secrets.txt" containing IDENTITY:KEY pairs
|
||||
;[cmd]
|
||||
;accept = 1337
|
||||
;exec = c:\windows\system32\cmd.exe
|
||||
;execArgs = cmd.exe
|
||||
;ciphers = PSK
|
||||
;PSKsecrets = secrets.txt
|
||||
|
||||
; vim:ft=dosini
|
||||
|
|
|
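Review bot: the commented `[cmd]` sample exposes `c:\windows\system32\cmd.exe` on `accept = 1337`, which binds to all interfaces, with the PSK identities in `secrets.txt` as the only authentication; the sample should either use `accept = 127.0.0.1:1337` or carry a comment stating that the listener is network-reachable and that `secrets.txt` must be readable by the stunnel service account only. The same applies to `;engineCtrl = PIN:1234`: a token PIN in `stunnel.conf` means the configuration file itself needs a restrictive ACL, which deserves a sentence next to the pkcs11 block. The client examples are an improvement over the old file: `verifyChain = yes`, `CAfile = ca-certs.pem`, `checkHost = ...` and `OCSPaia = yes` together give hostname and revocation checking, whereas the old `;[gmail-pop3]` block connected without any verification.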
@ -1,4 +1,4 @@
|
|||
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2013
|
||||
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2017
|
||||
; Some options used here may be inadequate for your particular configuration
|
||||
; This sample file does *not* represent stunnel.conf defaults
|
||||
; Please consult the manual for detailed description of available options
|
||||
|
@ -7,94 +7,135 @@
|
|||
; * Global options *
|
||||
; **************************************************************************
|
||||
|
||||
; A copy of some devices and system files is needed within the chroot jail
|
||||
; Chroot conflicts with configuration file reload and many other features
|
||||
chroot = @prefix@/var/lib/stunnel/
|
||||
; Chroot jail can be escaped if setuid option is not used
|
||||
setuid = nobody
|
||||
setgid = @DEFAULT_GROUP@
|
||||
; It is recommended to drop root privileges if stunnel is started by root
|
||||
;setuid = nobody
|
||||
;setgid = @DEFAULT_GROUP@
|
||||
|
||||
; PID is created inside the chroot jail
|
||||
pid = /stunnel.pid
|
||||
; PID file is created inside the chroot jail (if enabled)
|
||||
;pid = @localstatedir@/run/stunnel.pid
|
||||
|
||||
; Debugging stuff (may useful for troubleshooting)
|
||||
;debug = 7
|
||||
;output = stunnel.log
|
||||
; Debugging stuff (may be useful for troubleshooting)
|
||||
;foreground = yes
|
||||
;debug = info
|
||||
;output = @localstatedir@/log/stunnel.log
|
||||
|
||||
; Enable FIPS 140-2 mode if needed for compliance
|
||||
;fips = yes
|
||||
|
||||
; The pkcs11 engine allows for authentication with cryptographic
|
||||
; keys isolated in a hardware or software token
|
||||
; MODULE_PATH specifies the path to the pkcs11 module shared library,
|
||||
; e.g. softhsm2.dll or opensc-pkcs11.so
|
||||
; Each section using this feature also needs the "engineId = pkcs11" option
|
||||
;engine = pkcs11
|
||||
;engineCtrl = MODULE_PATH:/usr/lib/softhsm/libsofthsm2.so
|
||||
;engineCtrl = PIN:1234
|
||||
|
||||
; **************************************************************************
|
||||
; * Service defaults may also be specified in individual service sections *
|
||||
; **************************************************************************
|
||||
|
||||
; Certificate/key is needed in server mode and optional in client mode
|
||||
cert = @prefix@/etc/stunnel/mail.pem
|
||||
;key = @prefix@/etc/stunnel/mail.pem
|
||||
|
||||
; Authentication stuff needs to be configured to prevent MITM attacks
|
||||
; It is not enabled by default!
|
||||
;verify = 2
|
||||
; Don't forget to c_rehash CApath
|
||||
; CApath is located inside chroot jail
|
||||
;CApath = /certs
|
||||
; It's often easier to use CAfile
|
||||
;CAfile = @prefix@/etc/stunnel/certs.pem
|
||||
; Don't forget to c_rehash CRLpath
|
||||
; CRLpath is located inside chroot jail
|
||||
;CRLpath = /crls
|
||||
; Alternatively CRLfile can be used
|
||||
;CRLfile = @prefix@/etc/stunnel/crls.pem
|
||||
|
||||
; Disable support for insecure SSLv2 protocol
|
||||
options = NO_SSLv2
|
||||
; Workaround for Eudora bug
|
||||
;options = DONT_INSERT_EMPTY_FRAGMENTS
|
||||
; Enable support for the insecure SSLv3 protocol
|
||||
;options = -NO_SSLv3
|
||||
|
||||
; These options provide additional security at some performance degradation
|
||||
;options = SINGLE_ECDH_USE
|
||||
;options = SINGLE_DH_USE
|
||||
|
||||
; **************************************************************************
|
||||
; * Include all configuration file fragments from the specified folder *
|
||||
; **************************************************************************
|
||||
|
||||
;include = @sysconfdir@/stunnel/conf.d
|
||||
|
||||
; **************************************************************************
|
||||
; * Service definitions (remove all services for inetd mode) *
|
||||
; **************************************************************************
|
||||
|
||||
; Example SSL server mode services
|
||||
; ***************************************** Example TLS client mode services
|
||||
|
||||
[pop3s]
|
||||
accept = 995
|
||||
connect = 110
|
||||
; The following examples use /etc/ssl/certs, which is the common location
|
||||
; of a hashed directory containing trusted CA certificates. This is not
|
||||
; a hardcoded path of the stunnel package, as it is not related to the
|
||||
; stunnel configuration in @sysconfdir@/stunnel/.
|
||||
|
||||
[imaps]
|
||||
accept = 993
|
||||
connect = 143
|
||||
[gmail-pop3]
|
||||
client = yes
|
||||
accept = 127.0.0.1:110
|
||||
connect = pop.gmail.com:995
|
||||
verifyChain = yes
|
||||
CApath = /etc/ssl/certs
|
||||
checkHost = pop.gmail.com
|
||||
OCSPaia = yes
|
||||
|
||||
[ssmtp]
|
||||
accept = 465
|
||||
connect = 25
|
||||
[gmail-imap]
|
||||
client = yes
|
||||
accept = 127.0.0.1:143
|
||||
connect = imap.gmail.com:993
|
||||
verifyChain = yes
|
||||
CApath = /etc/ssl/certs
|
||||
checkHost = imap.gmail.com
|
||||
OCSPaia = yes
|
||||
|
||||
; Example SSL client mode services
|
||||
[gmail-smtp]
|
||||
client = yes
|
||||
accept = 127.0.0.1:25
|
||||
connect = smtp.gmail.com:465
|
||||
verifyChain = yes
|
||||
CApath = /etc/ssl/certs
|
||||
checkHost = smtp.gmail.com
|
||||
OCSPaia = yes
|
||||
|
||||
;[gmail-pop3]
|
||||
; Encrypted HTTP proxy authenticated with a client certificate
|
||||
; located in a cryptographic token
|
||||
;[example-pkcs11]
|
||||
;client = yes
|
||||
;accept = 127.0.0.1:110
|
||||
;connect = pop.gmail.com:995
|
||||
;accept = 127.0.0.1:8080
|
||||
;connect = example.com:8443
|
||||
;engineId = pkcs11
|
||||
;cert = pkcs11:token=MyToken;object=MyCert
|
||||
;key = pkcs11:token=MyToken;object=MyKey
|
||||
|
||||
;[gmail-imap]
|
||||
;client = yes
|
||||
;accept = 127.0.0.1:143
|
||||
;connect = imap.gmail.com:993
|
||||
; ***************************************** Example TLS server mode services
|
||||
|
||||
;[gmail-smtp]
|
||||
;client = yes
|
||||
;accept = 127.0.0.1:25
|
||||
;connect = smtp.gmail.com:465
|
||||
;[pop3s]
|
||||
;accept = 995
|
||||
;connect = 110
|
||||
;cert = @sysconfdir@/stunnel/stunnel.pem
|
||||
|
||||
; Example SSL front-end to a web server
|
||||
;[imaps]
|
||||
;accept = 993
|
||||
;connect = 143
|
||||
;cert = @sysconfdir@/stunnel/stunnel.pem
|
||||
|
||||
;[ssmtp]
|
||||
;accept = 465
|
||||
;connect = 25
|
||||
;cert = @sysconfdir@/stunnel/stunnel.pem
|
||||
|
||||
; TLS front-end to a web server
|
||||
;[https]
|
||||
;accept = 443
|
||||
;connect = 80
|
||||
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
|
||||
; Microsoft implementations do not use SSL close-notify alert and thus
|
||||
; they are vulnerable to truncation attacks
|
||||
;cert = @sysconfdir@/stunnel/stunnel.pem
|
||||
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
|
||||
; Microsoft implementations do not use TLS close-notify alert and thus they
|
||||
; are vulnerable to truncation attacks
|
||||
;TIMEOUTclose = 0
|
||||
|
||||
; Remote shell protected with PSK-authenticated TLS
|
||||
; Create "@sysconfdir@/stunnel/secrets.txt" containing IDENTITY:KEY pairs
|
||||
;[shell]
|
||||
;accept = 1337
|
||||
;exec = /bin/sh
|
||||
;execArgs = sh -i
|
||||
;ciphers = PSK
|
||||
;PSKsecrets = @sysconfdir@/stunnel/secrets.txt
|
||||
|
||||
; Non-standard MySQL-over-TLS encapsulation connecting the Unix socket
|
||||
;[mysql]
|
||||
;cert = @sysconfdir@/stunnel/stunnel.pem
|
||||
;accept = 3307
|
||||
;connect = /run/mysqld/mysqld.sock
|
||||
|
||||
; vim:ft=dosini
|
||||
|
|
|
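Review bot: the Unix sample now ships with `chroot`, `setuid` and `setgid` commented out while the comment above them still says "It is recommended to drop root privileges if stunnel is started by root", so the old default posture (jail plus unprivileged user) is silently lost for anyone who copies the sample; if this is intentional because distributions run stunnel as a dedicated user via systemd, the comment should say so, otherwise leave `setuid`/`setgid` active and make only `chroot` optional. The `[shell]` sample (`exec = /bin/sh`, `execArgs = sh -i`, `accept = 1337`) is bound to all interfaces behind PSK only; use `accept = 127.0.0.1:1337` in the sample and note that `@sysconfdir@/stunnel/secrets.txt` needs mode 600, and the same file-permission remark applies to `;engineCtrl = PIN:1234`. The gmail client sections are fine: `verifyChain = yes` with `CApath = /etc/ssl/certs`, `checkHost` and `OCSPaia = yes` replace the previously unverified examples, and the comment explaining that `/etc/ssl/certs` is not a path owned by the stunnel package is helpful.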
@ -7,112 +7,203 @@
|
|||
# Should-Stop: $syslog
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Short-Description: Start or stop stunnel 4.x (SSL tunnel for network daemons)
|
||||
# Short-Description: Start or stop stunnel 4.x (TLS tunnel for network daemons)
|
||||
# Description: Starts or stops all configured TLS network tunnels. Each *.conf file in
|
||||
# @sysconfdir@/stunnel/ will spawn a separate stunnel process. The list of files
|
||||
# can be overridden in @sysconfdir@/default/stunnel, and that same file can be used
|
||||
# to completely disable *all* tunnels.
|
||||
### END INIT INFO
|
||||
|
||||
# Author / upstream maintainer note:
|
||||
# With the planned introduction of a control interface (conceptually similar to
|
||||
# apache2ctl), running separate processes for each *.conf will become obsolete.
|
||||
# Please add "include = @sysconfdir@/stunnel/conf.d" to stunnel.conf instead.
|
||||
|
||||
. /lib/lsb/init-functions
|
||||
|
||||
DEFAULTPIDFILE="/var/run/stunnel.pid"
|
||||
DAEMON=@prefix@/bin/stunnel
|
||||
DAEMON=@bindir@/stunnel
|
||||
NAME=stunnel
|
||||
DESC="SSL tunnels"
|
||||
FILES="/etc/stunnel/*.conf"
|
||||
DESC="TLS tunnels"
|
||||
OPTIONS=""
|
||||
ENABLED=0
|
||||
|
||||
get_pids() {
|
||||
local file=$1
|
||||
if test -f $file; then
|
||||
CHROOT=`grep "^chroot" $file|sed "s;.*= *;;"`
|
||||
PIDFILE=`grep "^pid" $file|sed "s;.*= *;;"`
|
||||
if [ "$PIDFILE" = "" ]; then
|
||||
PIDFILE=$DEFAULTPIDFILE
|
||||
fi
|
||||
if test -f $CHROOT/$PIDFILE; then
|
||||
cat $CHROOT/$PIDFILE
|
||||
fi
|
||||
fi
|
||||
get_opt() {
|
||||
sed -e "s;^[[:space:]]*;;" -e "s;[[:space:]]*$;;" \
|
||||
-e "s;[[:space:]]*=[[:space:]]*;=;" "$1" |
|
||||
grep -i "^$2=" | sed -e "s;^[^=]*=;;"
|
||||
}
|
||||
|
||||
get_pidfile() {
|
||||
local file=$1
|
||||
if [ -f $file ]; then
|
||||
CHROOT=`get_opt $file chroot`
|
||||
PIDFILE=`get_opt $file pid`
|
||||
if [ "$PIDFILE" = "" ]; then
|
||||
PIDFILE=$DEFAULTPIDFILE
|
||||
fi
|
||||
echo "$CHROOT/$PIDFILE"
|
||||
fi
|
||||
}
|
||||
|
||||
startdaemons() {
|
||||
local res file args pidfile warn status
|
||||
|
||||
if ! [ -d /var/run/stunnel ]; then
|
||||
rm -rf /var/run/stunnel
|
||||
install -d -o stunnel -g stunnel /var/run/stunnel
|
||||
fi
|
||||
if [ -n "$RLIMITS" ]; then
|
||||
ulimit $RLIMITS
|
||||
fi
|
||||
res=0
|
||||
for file in $FILES; do
|
||||
if test -f $file; then
|
||||
ARGS="$file $OPTIONS"
|
||||
PROCLIST=`get_pids $file`
|
||||
if [ "$PROCLIST" ] && kill -s 0 $PROCLIST 2>/dev/null; then
|
||||
echo -n "[Already running: $file] "
|
||||
elif $DAEMON $ARGS; then
|
||||
echo -n "[Started: $file] "
|
||||
if [ -f $file ]; then
|
||||
echo -n " $file: "
|
||||
args="$file $OPTIONS"
|
||||
pidfile=`get_pidfile $file`
|
||||
if egrep -qe '^pid[[:space:]]*=' "$file"; then
|
||||
warn=''
|
||||
else
|
||||
echo "[Failed: $file]"
|
||||
echo "You should check that you have specified the pid= in you configuration file"
|
||||
exit 1
|
||||
warn=' (no pid=pidfile specified!)'
|
||||
fi
|
||||
status=0
|
||||
start_daemon -p "$pidfile" "$DAEMON" $args || status=$?
|
||||
if [ "$status" -eq 0 ]; then
|
||||
echo -n "started$warn"
|
||||
else
|
||||
echo "failed$warn"
|
||||
echo "You should check that you have specified the pid= in you configuration file"
|
||||
res=1
|
||||
fi
|
||||
fi
|
||||
done;
|
||||
echo ''
|
||||
return "$res"
|
||||
}
|
||||
|
||||
killdaemons()
|
||||
{
|
||||
SIGNAL=${1:-TERM}
|
||||
local sig file pidfile status
|
||||
|
||||
sig=${1:-TERM}
|
||||
res=0
|
||||
for file in $FILES; do
|
||||
PROCLIST=`get_pids $file`
|
||||
if [ "$PROCLIST" ] && kill -s 0 $PROCLIST 2>/dev/null; then
|
||||
kill -s $SIGNAL $PROCLIST
|
||||
echo -n "[stopped: $file] "
|
||||
echo -n " $file: "
|
||||
pidfile=`get_pidfile $file`
|
||||
if [ ! -e "$pidfile" ]; then
|
||||
echo -n "no pid file"
|
||||
else
|
||||
status=0
|
||||
killproc -p "$pidfile" "$DAEMON" "$sig" || status=$?
|
||||
if [ "$status" -eq 0 ]; then
|
||||
echo -n 'stopped'
|
||||
else
|
||||
echo -n 'failed'
|
||||
res=1
|
||||
fi
|
||||
fi
|
||||
done
|
||||
echo ''
|
||||
return "$res"
|
||||
}
|
||||
|
||||
querydaemons()
|
||||
{
|
||||
local res file pidfile status
|
||||
|
||||
res=0
|
||||
for file in $FILES; do
|
||||
echo -n " $file: "
|
||||
pidfile=`get_pidfile "$file"`
|
||||
if [ ! -e "$pidfile" ]; then
|
||||
echo -n 'no pid file'
|
||||
res=1
|
||||
else
|
||||
status=0
|
||||
pidofproc -p "$pidfile" "$DAEMON" >/dev/null || status="$?"
|
||||
if [ "$status" = 0 ]; then
|
||||
echo -n 'running'
|
||||
elif [ "$status" = 4 ]; then
|
||||
echo "cannot access the pid file $pidfile"
|
||||
res=1
|
||||
else
|
||||
echo -n 'stopped'
|
||||
res=1
|
||||
fi
|
||||
fi
|
||||
done
|
||||
echo ''
|
||||
exit "$res"
|
||||
}
|
||||
|
||||
if [ "x$OPTIONS" != "x" ]; then
|
||||
OPTIONS="-- $OPTIONS"
|
||||
fi
|
||||
|
||||
test -f /etc/default/stunnel && . /etc/default/stunnel
|
||||
[ -f @sysconfdir@/default/stunnel ] && . @sysconfdir@/default/stunnel
|
||||
if [ "$ENABLED" = "0" ] ; then
|
||||
echo "$DESC disabled, see /etc/default/stunnel"
|
||||
echo "$DESC disabled, see @sysconfdir@/default/stunnel"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
test -x $DAEMON || exit 0
|
||||
# If the user want to manage a single tunnel, the conf file's name
|
||||
# is in $2. Otherwise, respect @sysconfdir@/default/stunnel4 setting.
|
||||
# If no setting there, use @sysconfdir@/stunnel/*.conf.
|
||||
if [ -n "${2:-}" ]; then
|
||||
if [ -e "@sysconfdir@/stunnel/$2.conf" ]; then
|
||||
FILES="@sysconfdir@/stunnel/$2.conf"
|
||||
else
|
||||
echo >&2 "@sysconfdir@/stunnel/$2.conf does not exist."
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
if [ -z "$FILES" ]; then
|
||||
FILES="@sysconfdir@/stunnel/*.conf"
|
||||
fi
|
||||
fi
|
||||
|
||||
[ -x $DAEMON ] || exit 0
|
||||
|
||||
set -e
|
||||
|
||||
res=0
|
||||
case "$1" in
|
||||
start)
|
||||
echo -n "Starting $DESC: "
|
||||
startdaemons
|
||||
echo "$NAME."
|
||||
;;
|
||||
echo -n "Starting $DESC:"
|
||||
startdaemons
|
||||
res=$?
|
||||
;;
|
||||
stop)
|
||||
echo -n "Stopping $DESC: "
|
||||
killdaemons
|
||||
echo "$NAME."
|
||||
;;
|
||||
echo -n "Stopping $DESC:"
|
||||
killdaemons
|
||||
res=$?
|
||||
;;
|
||||
reopen-logs)
|
||||
echo -n "Reopening log files $DESC: "
|
||||
killdaemons USR1
|
||||
echo "$NAME."
|
||||
;;
|
||||
echo -n "Reopening log files $DESC:"
|
||||
killdaemons USR1
|
||||
res=$?
|
||||
;;
|
||||
force-reload|reload)
|
||||
echo -n "Reloading configuration $DESC: "
|
||||
killdaemons HUP
|
||||
echo "$NAME."
|
||||
;;
|
||||
echo -n "Reloading configuration $DESC:"
|
||||
killdaemons HUP
|
||||
res=$?
|
||||
;;
|
||||
restart)
|
||||
echo -n "Restarting $DESC: "
|
||||
killdaemons
|
||||
sleep 5
|
||||
startdaemons
|
||||
echo "$NAME."
|
||||
;;
|
||||
echo -n "Restarting $DESC:"
|
||||
killdaemons && startdaemons
|
||||
res=$?
|
||||
;;
|
||||
status)
|
||||
echo -n "$DESC status:"
|
||||
querydaemons
|
||||
res=$?
|
||||
;;
|
||||
*)
|
||||
N=/etc/init.d/$NAME
|
||||
echo "Usage: $N {start|stop|reload|reopen-logs|restart}" >&2
|
||||
exit 1
|
||||
;;
|
||||
N=@sysconfdir@/init.d/$NAME
|
||||
echo "Usage: $N {start|stop|status|reload|reopen-logs|restart} [<stunnel instance>]" >&2
|
||||
res=1
|
||||
;;
|
||||
esac
|
||||
|
||||
exit 0
|
||||
exit "$res"
|
||||
|
|
|
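Review bot: in `startdaemons` the pid-file detection `egrep -qe '^pid[[:space:]]*='` is anchored at column 1, but `get_opt` strips leading whitespace before matching, so an indented `pid = ...` line is honoured by `get_pidfile` yet still prints " (no pid=pidfile specified!)"; test with the same helper, e.g. `[ -n "$(get_opt "$file" pid)" ]`, and drop `egrep` (deprecated in favour of `grep -E`). `querydaemons` ends with `exit "$res"` while `startdaemons` and `killdaemons` `return "$res"`, so `res=$?` in the `status)` branch is dead code; make it `return "$res"`. The `install -d -o stunnel -g stunnel /var/run/stunnel` block hardcodes `/var/run/stunnel` and a `stunnel` user that nothing else in this script creates or references, while every other path uses `@sysconfdir@`/`@bindir@` substitutions; either parameterise it or guard it with a check that the user exists. Finally, the script carries `[ -x $DAEMON ] || exit 0` after the configuration handling as well as `test -x $DAEMON || exit 0` earlier; keep one.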
@ -1,4 +1,4 @@
|
|||
Copyright (C) 1998-2013 Michal Trojnara
|
||||
Copyright (C) 1998-2017 Michal Trojnara
|
||||
|
||||
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
|
||||
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
/var/log/stunnel/*.log {
|
||||
weekly
|
||||
rotate 10
|
||||
copytruncate
|
||||
delaycompress
|
||||
compress
|
||||
notifempty
|
||||
missingok
|
||||
}
|
|
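Review bot: `copytruncate` can lose log lines written between the copy and the truncate, and for a TLS front-end the log is often the only record of who connected; since stunnel reopens its log on `SIGUSR1` (the init script in this same commit exposes it as `reopen-logs`), a `postrotate` stanza that triggers that action, combined with `delaycompress` which is already present, rotates without loss and lets `copytruncate` be dropped. Also consider `create 0640 <user> <group>` so a rotated log is not created world-readable.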
@ -1,289 +1,556 @@
|
|||
# NSIS stunnel installer by Michal Trojnara 1998-2013
|
||||
# NSIS stunnel installer by Michal Trojnara 1998-2017
|
||||
|
||||
!define /ifndef VERSION testing
|
||||
!define /ifndef ARCH win32
|
||||
|
||||
!define REGKEY_INSTALL "Software\NSIS_stunnel"
|
||||
!define REGKEY_UNINST \
|
||||
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel"
|
||||
!define SHORTCUTS "stunnel $MultiUser.InstallMode"
|
||||
|
||||
SetCompressor /SOLID LZMA
|
||||
Name "stunnel ${VERSION}"
|
||||
OutFile "stunnel-${VERSION}-${ARCH}-installer.exe"
|
||||
BrandingText "Author: Michal Trojnara"
|
||||
|
||||
# MultiUser
|
||||
!define MULTIUSER_EXECUTIONLEVEL Highest
|
||||
!define MULTIUSER_MUI
|
||||
!define MULTIUSER_INSTALLMODE_COMMANDLINE
|
||||
!define MULTIUSER_INSTALLMODE_INSTDIR "stunnel"
|
||||
!define MULTIUSER_INSTALLMODE_INSTDIR_REGISTRY_KEY "${REGKEY_INSTALL}"
|
||||
!define MULTIUSER_INSTALLMODE_INSTDIR_REGISTRY_VALUENAME "Install_Dir"
|
||||
!define MULTIUSER_INSTALLMODE_DEFAULT_REGISTRY_KEY "${REGKEY_INSTALL}"
|
||||
!define MULTIUSER_INSTALLMODE_DEFAULT_REGISTRY_VALUENAME "Install_Mode"
|
||||
!include MultiUser.nsh
|
||||
# Modern UI
|
||||
!define MUI_FINISHPAGE_RUN "$INSTDIR\bin\stunnel.exe"
|
||||
!define MUI_FINISHPAGE_RUN_TEXT "Start stunnel after installation"
|
||||
!define MUI_FINISHPAGE_RUN_NOTCHECKED
|
||||
!include "MUI2.nsh"
|
||||
# define SF_SELECTED
|
||||
!include "Sections.nsh"
|
||||
|
||||
!ifndef VERSION
|
||||
!define VERSION 4.57
|
||||
!endif
|
||||
|
||||
!ifndef ZLIBDIR
|
||||
!define ZLIBDIR zlib-1.2.7
|
||||
!endif
|
||||
|
||||
!ifndef OPENSSLDIR
|
||||
!define OPENSSLDIR openssl-1.0.1e
|
||||
!endif
|
||||
|
||||
# additional plugins
|
||||
!addplugindir "plugins/SimpleFC"
|
||||
!addplugindir "plugins/ShellLink/Plugins"
|
||||
|
||||
Name "stunnel ${VERSION}"
|
||||
OutFile "stunnel-${VERSION}-installer.exe"
|
||||
InstallDir "$PROGRAMFILES\stunnel"
|
||||
BrandingText "Author: Michal Trojnara"
|
||||
LicenseData "stunnel.license"
|
||||
SetCompressor /SOLID LZMA
|
||||
InstallDirRegKey HKLM "Software\NSIS_stunnel" "Install_Dir"
|
||||
!define /ifndef ROOT_DIR \devel
|
||||
|
||||
RequestExecutionLevel admin
|
||||
!define /ifndef STUNNEL_DIR ${ROOT_DIR}\src\stunnel
|
||||
!define /ifndef STUNNEL_BIN_DIR ${STUNNEL_DIR}\bin\${ARCH}
|
||||
!define /ifndef STUNNEL_TOOLS_DIR ${STUNNEL_DIR}\tools
|
||||
!define /ifndef STUNNEL_DOC_DIR ${STUNNEL_DIR}\doc
|
||||
!define /ifndef STUNNEL_SRC_DIR ${STUNNEL_DIR}\src
|
||||
|
||||
Page license
|
||||
Page components
|
||||
Page directory
Page instfiles
!define /ifndef BIN_DIR ${ROOT_DIR}\${ARCH}
!define /ifndef OPENSSL_DIR ${BIN_DIR}\openssl
!define /ifndef OPENSSL_BIN_DIR ${OPENSSL_DIR}\bin
!define /ifndef OPENSSL_ENGINES_DIR ${OPENSSL_DIR}\lib\engines
!define /ifndef ZLIB_DIR ${BIN_DIR}\zlib
!define /ifndef REDIST_DIR ${BIN_DIR}\redist

UninstPage uninstConfirm
UninstPage instfiles
!define /ifndef LIBP11_DIR ${ROOT_DIR}\src\libp11-0.4.7\src

Section "Stunnel Core Files (required)"
SectionIn RO
SetOutPath "$INSTDIR"
!define MUI_ICON ${STUNNEL_SRC_DIR}\stunnel.ico

# stop the service, exit stunnel
ReadRegStr $R0 HKLM \
"Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion
IfErrors skip_service_stop
ExecWait '"$INSTDIR\stunnel.exe" -stop -quiet'
skip_service_stop:
ExecWait '"$INSTDIR\stunnel.exe" -exit -quiet'
!insertmacro MUI_PAGE_LICENSE "stunnel.license"
!insertmacro MULTIUSER_PAGE_INSTALLMODE
!insertmacro MUI_PAGE_COMPONENTS
!insertmacro MUI_PAGE_DIRECTORY
!insertmacro MUI_PAGE_INSTFILES
!insertmacro MUI_PAGE_FINISH

# write files
SetOverwrite off
File "stunnel.conf"
SetOverwrite on
!cd ".."
!cd "doc"
File "stunnel.html"
!cd ".."
!cd "bin"
!cd "W32"
File "stunnel.exe"
File "stunnel.exe.manifest"
!cd ".."
!cd ".."
!cd ".."
!cd "${ZLIBDIR}"
File "zlib1.dll"
File "zlib1.dll.manifest"
!cd ".."
!cd "${OPENSSLDIR}"
!cd "out32dll"
File "*.dll"
File "*.dll.manifest"
!cd ".."
!cd ".."
!cd "redist"
File "msvcr90.dll"
File "Microsoft.VC90.CRT.manifest"
!cd ".."
!cd "stunnel"
!cd "tools"
!insertmacro MUI_UNPAGE_CONFIRM
!insertmacro MUI_UNPAGE_INSTFILES

# add firewall rule
SimpleFC::AddApplication "stunnel (GUI Version)" \
"$INSTDIR\stunnel.exe" 0 2 "" 1
Pop $0 # returns error(1)/success(0)
DetailPrint "SimpleFC::AddApplication: $0"
!insertmacro MUI_LANGUAGE "English"

# write uninstaller and its registry entries
WriteUninstaller "uninstall.exe"
WriteRegStr HKLM "Software\NSIS_stunnel" "Install_Dir" "$INSTDIR"
WriteRegStr HKLM \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \
"DisplayName" "stunnel"
WriteRegStr HKLM \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \
"UninstallString" '"$INSTDIR\uninstall.exe"'
WriteRegDWORD HKLM \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \
"NoModify" 1
WriteRegDWORD HKLM \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel" \
"NoRepair" 1
SectionEnd
!macro MoveFiles src dst pattern
FindFirst $0 $1 "${src}\${pattern}"
!define MoveFilesId ${__LINE__}
loop_${MoveFilesId}:
StrCmp $1 "" done_${MoveFilesId}
Rename "${src}\$1" "${dst}\$1"
FindNext $0 $1
Goto loop_${MoveFilesId}
done_${MoveFilesId}:
FindClose $0
!undef MoveFilesId
!macroend

Section "Self-signed Certificate Tools" sectionCA
SetOutPath "$INSTDIR"
!cd ".."
!cd ".."
!cd "${OPENSSLDIR}"
!cd "out32dll"
File "openssl.exe"
File "openssl.exe.manifest"
!cd ".."
!cd ".."
!cd "stunnel"
!cd "tools"
File "stunnel.cnf"
IfSilent lbl_skip_new_pem
IfFileExists "$INSTDIR\stunnel.pem" lbl_skip_new_pem
ExecWait '"$INSTDIR\openssl.exe" req -new -x509 -days 365 -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem'
lbl_skip_new_pem:
SectionEnd
!macro DetailError message
# pop the error and log the failure
!define DetailErrorId ${__LINE__}
Pop $0 # returns error(-1)/success(0)
IntCmp $0 0 done_${DetailErrorId}
DetailPrint "${message}"
done_${DetailErrorId}:
!undef DetailErrorId
!macroend

Section "Terminal Version of stunnel" sectionTERM
SetOutPath "$INSTDIR"
!cd ".."
!cd "bin"
!cd "W32"
File "tstunnel.exe"
File "tstunnel.exe.manifest"
!cd ".."
!cd ".."
!cd "tools"
# add firewall rule
SimpleFC::AddApplication "stunnel (Terminal Version)" \
"$INSTDIR\tstunnel.exe" 0 2 "" 1
Pop $0 # returns error(1)/success(0)
DetailPrint "SimpleFC::AddApplication: $0"
SectionEnd
!macro SetRunAsAdmin path
# run the link as administrator if InstallMode is AllUsers
!define SetRunAsAdminId ${__LINE__}
StrCmp $MultiUser.InstallMode "CurrentUser" done_${SetRunAsAdminId}
ShellLink::SetRunAsAdministrator "$SMPROGRAMS\${SHORTCUTS}\${path}.lnk"
!insertmacro DetailError "ShellLink::SetRunAsAdministrator failed for ${path}"
done_${SetRunAsAdminId}:
!undef SetRunAsAdminId
!macroend

Section "Start Menu Shortcuts"
SetShellVarContext all
CreateDirectory "$SMPROGRAMS\stunnel"
Var /GLOBAL gui_restart
Var /GLOBAL service_restart
Var /GLOBAL service_reinstall
Var /GLOBAL exe

# remove old links
Delete "$SMPROGRAMS\stunnel\*.lnk"
Delete "$SMPROGRAMS\stunnel\*.url"

# main link
CreateShortCut "$SMPROGRAMS\stunnel\stunnel GUI Start.lnk" \
"$INSTDIR\stunnel.exe" "" "$INSTDIR\stunnel.exe" 0
CreateShortCut "$SMPROGRAMS\stunnel\stunnel GUI Stop.lnk" \
"$INSTDIR\stunnel.exe" "-exit" "$INSTDIR\stunnel.exe" 0

# tstunnel
SectionGetFlags ${sectionTERM} $0
IntOp $0 $0 & ${SF_SELECTED}
IntCmp $0 0 lbl_noTERM
CreateShortCut "$SMPROGRAMS\stunnel\stunnel Terminal Start.lnk" \
"$INSTDIR\tstunnel.exe" "" "$INSTDIR\tstunnel.exe" 0
lbl_noTERM:

# NT service
!macro TerminateStunnel
# initialize with nonzero values: do not restart/reinstall
StrCpy $service_restart 1
StrCpy $service_reinstall 1
# find the old stunnel executable
StrCpy $exe "$INSTDIR\bin\stunnel.exe"
IfFileExists "$exe" found
StrCpy $exe "$INSTDIR\stunnel.exe"
IfFileExists "$exe" found done
found:
# exit the stunnel GUI
ExecWait '"$exe" -exit -quiet' $gui_restart
# stop and uninstall the stunnel service
# setup $service_restart and $service_reinstall
StrCmp $MultiUser.InstallMode "CurrentUser" done
ClearErrors
ReadRegStr $R0 HKLM \
"Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion
IfErrors skip_service_links
IfErrors done
ExecWait '"$exe" -stop -quiet' $service_restart
IntCmp $service_restart 0 0 not_stopped not_stopped
DetailPrint "Service stopped"
not_stopped:
StrCmp "$exe" "$INSTDIR\bin\stunnel.exe" done # no need to uninstall
ExecWait '"$exe" -uninstall -quiet' $service_reinstall
IntCmp $service_reinstall 0 0 done done
DetailPrint "Service uninstalled"
done:
!macroend

CreateShortCut "$SMPROGRAMS\stunnel\stunnel Service Install.lnk" \
"$INSTDIR\stunnel.exe" "-install" "$INSTDIR\stunnel.exe" 0
ShellLink::SetRunAsAdministrator \
"$SMPROGRAMS\stunnel\stunnel Service Install.lnk"
Pop $0 # returns error(-1)/success(0)
DetailPrint "ShellLink::SetRunAsAdministrator: $0"
!macro RestartStunnel
# install the service if $service_reinstall is 0
IntCmp $service_reinstall 0 0 no_service_reinstall no_service_reinstall
ExecWait '"$INSTDIR\bin\stunnel.exe" -install -quiet' $service_reinstall
IntCmp $service_reinstall 0 0 no_service_reinstall no_service_reinstall
DetailPrint "Service installed"
no_service_reinstall:
# start the service if $service_restart is 0
IntCmp $service_restart 0 0 no_service_restart no_service_restart
ExecWait '"$INSTDIR\bin\stunnel.exe" -start -quiet' $service_restart
IntCmp $service_restart 0 0 no_service_restart no_service_restart
DetailPrint "Service started"
no_service_restart:
# start the gui if $gui_restart is 0
# it does not work against stunnel older than 5.23 due to a bug
# IntCmp $gui_restart 0 0 no_gui_restart no_gui_restart
# Exec '"$INSTDIR\bin\stunnel.exe"'
# no_gui_restart:
!macroend

CreateShortCut "$SMPROGRAMS\stunnel\stunnel Service Uninstall.lnk" \
"$INSTDIR\stunnel.exe" "-uninstall" "$INSTDIR\stunnel.exe" 0
ShellLink::SetRunAsAdministrator \
"$SMPROGRAMS\stunnel\stunnel Service Uninstall.lnk"
Pop $0 # returns error(-1)/success(0)
DetailPrint "ShellLink::SetRunAsAdministrator: $0"
!macro CleanupStunnelFiles
# current versions
Delete "$INSTDIR\config\openssl.cnf"

CreateShortCut "$SMPROGRAMS\stunnel\stunnel Service Start.lnk" \
"$INSTDIR\stunnel.exe" "-start" "$INSTDIR\stunnel.exe" 0
ShellLink::SetRunAsAdministrator \
"$SMPROGRAMS\stunnel\stunnel Service Start.lnk"
Pop $0 # returns error(-1)/success(0)
DetailPrint "ShellLink::SetRunAsAdministrator: $0"
Delete "$INSTDIR\bin\stunnel.exe"
Delete "$INSTDIR\bin\stunnel.pdb"
Delete "$INSTDIR\bin\tstunnel.exe"
Delete "$INSTDIR\bin\tstunnel.pdb"
Delete "$INSTDIR\bin\openssl.exe"
Delete "$INSTDIR\bin\openssl.pdb"
Delete "$INSTDIR\bin\libeay32.dll"
Delete "$INSTDIR\bin\libeay32.pdb"
Delete "$INSTDIR\bin\ssleay32.dll"
Delete "$INSTDIR\bin\ssleay32.pdb"
Delete "$INSTDIR\bin\zlib1.dll"
Delete "$INSTDIR\bin\zlib1.pdb"
Delete "$INSTDIR\bin\msvcr90.dll"
Delete "$INSTDIR\bin\Microsoft.VC90.CRT.Manifest"
RMDir "$INSTDIR\bin"

CreateShortCut "$SMPROGRAMS\stunnel\stunnel Service Stop.lnk" \
"$INSTDIR\stunnel.exe" "-stop" "$INSTDIR\stunnel.exe" 0
ShellLink::SetRunAsAdministrator \
"$SMPROGRAMS\stunnel\stunnel Service Stop.lnk"
Pop $0 # returns error(-1)/success(0)
DetailPrint "ShellLink::SetRunAsAdministrator: $0"
skip_service_links:
Delete "$INSTDIR\engines\capi.dll"
Delete "$INSTDIR\engines\capi.pdb"
Delete "$INSTDIR\engines\chil.dll"
Delete "$INSTDIR\engines\chil.pdb"
Delete "$INSTDIR\engines\gmp.dll"
Delete "$INSTDIR\engines\gmp.pdb"
Delete "$INSTDIR\engines\gost.dll"
Delete "$INSTDIR\engines\gost.pdb"
Delete "$INSTDIR\engines\padlock.dll"
Delete "$INSTDIR\engines\padlock.pdb"
Delete "$INSTDIR\engines\ubsec.dll"
Delete "$INSTDIR\engines\ubsec.pdb"
Delete "$INSTDIR\engines\pkcs11.dll"
Delete "$INSTDIR\engines\pkcs11.pdb"
RMDir "$INSTDIR\engines"

# edit config file
CreateShortCut "$SMPROGRAMS\stunnel\Edit stunnel.conf.lnk" \
"notepad.exe" "$INSTDIR\stunnel.conf" "notepad.exe" 0
ShellLink::SetRunAsAdministrator \
"$SMPROGRAMS\stunnel\Edit stunnel.conf.lnk"
Pop $0 # returns error(-1)/success(0)
DetailPrint "ShellLink::SetRunAsAdministrator: $0"
Delete "$INSTDIR\doc\*.html"
RMDir "$INSTDIR\doc"

SectionGetFlags ${sectionCA} $0
IntOp $0 $0 & ${SF_SELECTED}
IntCmp $0 0 lbl_noCA
# menu and desktop shortcuts
Delete "$SMPROGRAMS\${SHORTCUTS}\*.lnk"
Delete "$SMPROGRAMS\${SHORTCUTS}\*.url"
RMDir "$SMPROGRAMS\${SHORTCUTS}"
Delete "$DESKTOP\${SHORTCUTS}.lnk"

# OpenSSL shell
CreateShortCut "$SMPROGRAMS\stunnel\OpenSSL Shell.lnk" \
"$INSTDIR\openssl.exe" "" "$INSTDIR\openssl.exe" 0

# make stunnel.pem
CreateShortCut "$SMPROGRAMS\stunnel\Build Self-signed stunnel.pem.lnk" \
"$INSTDIR\openssl.exe" \
"req -new -x509 -days 365 -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem"
ShellLink::SetRunAsAdministrator \
"$SMPROGRAMS\stunnel\\Build Self-signed stunnel.pem.lnk"
Pop $0 # returns error(-1)/success(0)
DetailPrint "ShellLink::SetRunAsAdministrator: $0"

lbl_noCA:

# help/uninstall
WriteINIStr "$SMPROGRAMS\stunnel\Manual.url" "InternetShortcut" \
"URL" "file://$INSTDIR/stunnel.html"
CreateShortCut "$SMPROGRAMS\stunnel\Uninstall stunnel.lnk" \
"$INSTDIR\uninstall.exe" "" "$INSTDIR\uninstall.exe" 0
SectionEnd

Section "Desktop Shortcut"
SetShellVarContext all
Delete "$DESKTOP\stunnel.lnk"
CreateShortCut "$DESKTOP\stunnel.lnk" \
"$INSTDIR\stunnel.exe" "" "$INSTDIR\stunnel.exe" 0
SectionEnd

Section "Uninstall"
ClearErrors

# stop and remove the service, exit stunnel
ReadRegStr $R0 HKLM \
"Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion
IfErrors skip_service_uninstall
ExecWait '"$INSTDIR\stunnel.exe" -stop -quiet'
ExecWait '"$INSTDIR\stunnel.exe" -uninstall -quiet'
skip_service_uninstall:
ExecWait '"$INSTDIR\stunnel.exe" -exit -quiet'

# remove stunnel folder
Delete "$INSTDIR\stunnel.conf"
Delete "$INSTDIR\stunnel.pem"
# obsolete versions
Delete "$INSTDIR\stunnel.exe"
Delete "$INSTDIR\stunnel.exe.manifest"
Delete "$INSTDIR\stunnel.pdb"
Delete "$INSTDIR\tstunnel.exe"
Delete "$INSTDIR\tstunnel.exe.manifest"
Delete "$INSTDIR\stunnel.cnf"
Delete "$INSTDIR\tstunnel.pdb"
Delete "$INSTDIR\openssl.exe"
Delete "$INSTDIR\openssl.exe.manifest"
Delete "$INSTDIR\*.dll"
Delete "$INSTDIR\*.dll.manifest"
Delete "$INSTDIR\Microsoft.VC90.CRT.manifest"
Delete "$INSTDIR\stunnel.html"
Delete "$INSTDIR\uninstall.exe"
RMDir "$INSTDIR"
Delete "$INSTDIR\openssl.pdb"
Delete "$INSTDIR\libeay32.dll"
Delete "$INSTDIR\libeay32.pdb"
Delete "$INSTDIR\ssleay32.dll"
Delete "$INSTDIR\ssleay32.pdb"
Delete "$INSTDIR\zlib1.dll"
Delete "$INSTDIR\zlib1.pdb"
Delete "$INSTDIR\msvcr90.dll"

# remove menu shortcuts
SetShellVarContext all
Delete "$DESKTOP\stunnel.lnk"
Delete "$INSTDIR\openssl.cnf"
Delete "$INSTDIR\stunnel.html"

Delete "$INSTDIR\stunnel.cnf"
Delete "$INSTDIR\stunnel.exe.manifest"
Delete "$INSTDIR\tstunnel.exe.manifest"
Delete "$INSTDIR\openssl.exe.manifest"
Delete "$INSTDIR\libeay32.dll.manifest"
Delete "$INSTDIR\ssleay32.dll.manifest"
Delete "$INSTDIR\zlib1.dll.manifest"
Delete "$INSTDIR\Microsoft.VC90.CRT.Manifest"

Delete "$INSTDIR\4758cca.dll"
Delete "$INSTDIR\4758cca.dll.manifest"
Delete "$INSTDIR\4758cca.pdb"
Delete "$INSTDIR\aep.dll"
Delete "$INSTDIR\aep.dll.manifest"
Delete "$INSTDIR\aep.pdb"
Delete "$INSTDIR\atalla.dll"
Delete "$INSTDIR\atalla.dll.manifest"
Delete "$INSTDIR\atalla.pdb"
Delete "$INSTDIR\capi.dll"
Delete "$INSTDIR\capi.dll.manifest"
Delete "$INSTDIR\capi.pdb"
Delete "$INSTDIR\chil.dll"
Delete "$INSTDIR\chil.dll.manifest"
Delete "$INSTDIR\chil.pdb"
Delete "$INSTDIR\cswift.dll"
Delete "$INSTDIR\cswift.dll.manifest"
Delete "$INSTDIR\cswift.pdb"
Delete "$INSTDIR\gmp.dll"
Delete "$INSTDIR\gmp.dll.manifest"
Delete "$INSTDIR\gmp.pdb"
Delete "$INSTDIR\gost.dll"
Delete "$INSTDIR\gost.dll.manifest"
Delete "$INSTDIR\gost.pdb"
Delete "$INSTDIR\nuron.dll"
Delete "$INSTDIR\nuron.dll.manifest"
Delete "$INSTDIR\nuron.pdb"
Delete "$INSTDIR\padlock.dll"
Delete "$INSTDIR\padlock.dll.manifest"
Delete "$INSTDIR\padlock.pdb"
Delete "$INSTDIR\sureware.dll"
Delete "$INSTDIR\sureware.dll.manifest"
Delete "$INSTDIR\sureware.pdb"
Delete "$INSTDIR\ubsec.dll"
Delete "$INSTDIR\ubsec.dll.manifest"
Delete "$INSTDIR\ubsec.pdb"

# obsolete menu and desktop shortcuts
Delete "$SMPROGRAMS\stunnel\*.lnk"
Delete "$SMPROGRAMS\stunnel\*.url"
RMDir "$SMPROGRAMS\stunnel"
Delete "$DESKTOP\stunnel.lnk"

# remove firewall rules
SimpleFC::RemoveApplication "$INSTDIR\stunnel.exe"
Pop $0 # returns error(1)/success(0)
DetailPrint "SimpleFC::RemoveApplication: $0"
SimpleFC::RemoveApplication "$INSTDIR\tstunnel.exe"
Pop $0 # returns error(1)/success(0)
DetailPrint "SimpleFC::RemoveApplication: $0"
# refresh the screen
System::Call 'Shell32::SHChangeNotify(i 0x8000000, i 0, i 0, i 0)'
!macroend

# remove uninstaller registry entires
DeleteRegKey HKLM \
"Software\Microsoft\Windows\CurrentVersion\Uninstall\stunnel"
DeleteRegKey HKLM "Software\NSIS_stunnel"
Function .onInit
!insertmacro MULTIUSER_INIT
FunctionEnd

Function un.onInit
!insertmacro MULTIUSER_UNINIT
FunctionEnd

Section "Core Files" sectionCORE
SectionIn RO

# save the installer configuration
WriteRegStr SHCTX "${REGKEY_INSTALL}" "Install_Dir" "$INSTDIR"
WriteRegStr SHCTX "${REGKEY_INSTALL}" "Install_Mode" "$MultiUser.InstallMode"

!insertmacro TerminateStunnel
!insertmacro CleanupStunnelFiles

# update the configuration (migrate the old one if available)
SetOutPath "$INSTDIR\config" # this also creates the directory
!insertmacro MoveFiles "$INSTDIR" "$INSTDIR\config" "*.conf"
!insertmacro MoveFiles "$INSTDIR" "$INSTDIR\config" "*.pem"
!insertmacro MoveFiles "$INSTDIR" "$INSTDIR\config" "*.crt"
!insertmacro MoveFiles "$INSTDIR" "$INSTDIR\config" "*.key"
SetOverwrite off
File "${STUNNEL_TOOLS_DIR}\stunnel.conf"
SetOverwrite on
File "${STUNNEL_TOOLS_DIR}\ca-certs.pem"

# write new executables/libraries files
SetOutPath "$INSTDIR\bin"
File "${STUNNEL_BIN_DIR}\stunnel.exe"
File "${OPENSSL_BIN_DIR}\libeay32.dll"
File "${OPENSSL_BIN_DIR}\ssleay32.dll"
!if ${ARCH} == win32
File "${ZLIB_DIR}\zlib1.dll"
File "${REDIST_DIR}\msvcr90.dll"
File "${REDIST_DIR}\Microsoft.VC90.CRT.Manifest"
# MINGW builds requires libssp-0.dll instead of msvcr90.dll
!else
File "${REDIST_DIR}\vcruntime140.dll"
!endif

# write new engine libraries
SetOutPath "$INSTDIR\engines"
File "${OPENSSL_ENGINES_DIR}\capi.dll"
File "${OPENSSL_ENGINES_DIR}\chil.dll"
File "${OPENSSL_ENGINES_DIR}\gmp.dll"
File "${OPENSSL_ENGINES_DIR}\gost.dll"
File "${OPENSSL_ENGINES_DIR}\padlock.dll"
File "${OPENSSL_ENGINES_DIR}\ubsec.dll"
File "${LIBP11_DIR}\pkcs11.dll"

# write new documentation
SetOutPath "$INSTDIR\doc"
File "${STUNNEL_DOC_DIR}\stunnel.html"

# add firewall rule
SimpleFC::AddApplication "stunnel (GUI Version)" \
"$INSTDIR\bin\stunnel.exe" 0 2 "" 1
!insertmacro DetailError "SimpleFC::AddApplication failed for stunnel.exe"

# write uninstaller and its registry entries
WriteUninstaller "uninstall.exe"
WriteRegStr SHCTX "${REGKEY_UNINST}" "DisplayName" \
"stunnel installed for $MultiUser.InstallMode"
WriteRegStr SHCTX "${REGKEY_UNINST}" "DisplayVersion" "${VERSION}"
WriteRegStr SHCTX "${REGKEY_UNINST}" "DisplayIcon" "$INSTDIR\bin\stunnel.exe"
WriteRegStr SHCTX "${REGKEY_UNINST}" "Publisher" "Michal Trojnara"
WriteRegStr SHCTX "${REGKEY_UNINST}" \
"UninstallString" '"$INSTDIR\uninstall.exe" /$MultiUser.InstallMode'
WriteRegDWORD SHCTX "${REGKEY_UNINST}" "NoModify" 1
WriteRegDWORD SHCTX "${REGKEY_UNINST}" "NoRepair" 1
SectionEnd

SectionGroup "Tools" groupTOOLS

Section "openssl.exe" sectionOPENSSL
SetOutPath "$INSTDIR\bin"
File "${OPENSSL_BIN_DIR}\openssl.exe"
SetOutPath "$INSTDIR\config"
File "${STUNNEL_TOOLS_DIR}\openssl.cnf"

# create stunnel.pem
IfSilent no_new_pem
IfFileExists "$INSTDIR\config\stunnel.pem" no_new_pem
# set HOME for the .rnd file
ReadEnvStr $0 "HOME"
StrCmp $0 "" home_defined
System::Call 'Kernel32::SetEnvironmentVariable(t, t) i("HOME", "$INSTDIR\config").r0'
home_defined:
ExecWait '"$INSTDIR\bin\openssl.exe" req -new -x509 -days 365 -config "$INSTDIR\config\openssl.cnf" -out "$INSTDIR\config\stunnel.pem" -keyout "$INSTDIR\config\stunnel.pem"'
no_new_pem:
SectionEnd

Section "tstunnel.exe" sectionTSTUNNEL
SetOutPath "$INSTDIR\bin"
File "${STUNNEL_BIN_DIR}\tstunnel.exe"
# add firewall rule
SimpleFC::AddApplication "stunnel (Terminal Version)" \
"$INSTDIR\bin\tstunnel.exe" 0 2 "" 1
!insertmacro DetailError "SimpleFC::AddApplication failed for tstunnel.exe"
SectionEnd

SectionGroupEnd

SectionGroup "Shortcuts" groupSHORTCUTS

Section "Start Menu" sectionMENU
CreateDirectory "$SMPROGRAMS\${SHORTCUTS}"

# the core links
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel GUI Start.lnk" \
"$INSTDIR\bin\stunnel.exe" "" "$INSTDIR\bin\stunnel.exe"
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel GUI Stop.lnk" \
"$INSTDIR\bin\stunnel.exe" "-exit" "$INSTDIR\bin\stunnel.exe"

# tstunnel
SectionGetFlags ${sectionTSTUNNEL} $0
IntOp $0 $0 & ${SF_SELECTED}
IntCmp $0 0 no_tstunnel_shortcut
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel Terminal Start.lnk" \
"$INSTDIR\bin\tstunnel.exe" "" "$INSTDIR\bin\tstunnel.exe"
no_tstunnel_shortcut:

# NT service management
ClearErrors
ReadRegStr $R0 HKLM \
"Software\Microsoft\Windows NT\CurrentVersion" CurrentVersion
IfErrors no_service_shortcuts
StrCmp $MultiUser.InstallMode "CurrentUser" no_service_shortcuts
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel Service Install.lnk" \
"$INSTDIR\bin\stunnel.exe" "-install" "$INSTDIR\bin\stunnel.exe"
!insertmacro SetRunAsAdmin "stunnel Service Install"
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel Service Uninstall.lnk" \
"$INSTDIR\bin\stunnel.exe" "-uninstall" "$INSTDIR\bin\stunnel.exe"
!insertmacro SetRunAsAdmin "stunnel Service Uninstall"
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel Service Start.lnk" \
"$INSTDIR\bin\stunnel.exe" "-start" "$INSTDIR\bin\stunnel.exe"
!insertmacro SetRunAsAdmin "stunnel Service Start"
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel Service Stop.lnk" \
"$INSTDIR\bin\stunnel.exe" "-stop" "$INSTDIR\bin\stunnel.exe"
!insertmacro SetRunAsAdmin "stunnel Service Stop"
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel Service Configuration File Reload.lnk" \
"$INSTDIR\bin\stunnel.exe" "-reload" "$INSTDIR\bin\stunnel.exe"
!insertmacro SetRunAsAdmin "stunnel Service Configuration File Reload"
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\stunnel Service Log File Reopen.lnk" \
"$INSTDIR\bin\stunnel.exe" "-reopen" "$INSTDIR\bin\stunnel.exe"
!insertmacro SetRunAsAdmin "stunnel Service Log File Reopen"
no_service_shortcuts:

# edit config file
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\Edit stunnel.conf.lnk" \
"notepad.exe" "$INSTDIR\config\stunnel.conf" "notepad.exe"
!insertmacro SetRunAsAdmin "Edit stunnel.conf"

SectionGetFlags ${sectionOPENSSL} $0
IntOp $0 $0 & ${SF_SELECTED}
IntCmp $0 0 no_openssl_shortcuts
# OpenSSL shell
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\OpenSSL Shell.lnk" \
"$INSTDIR\bin\openssl.exe" "" "$INSTDIR\bin\openssl.exe"
# make stunnel.pem
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\Build a Self-signed stunnel.pem.lnk" \
"$INSTDIR\bin\openssl.exe" \
'req -new -x509 -days 365 -config "$INSTDIR\config\openssl.cnf" -out "$INSTDIR\config\stunnel.pem" -keyout "$INSTDIR\config\stunnel.pem"'
!insertmacro SetRunAsAdmin "Build a Self-signed stunnel.pem"
no_openssl_shortcuts:

# the fine manual
WriteINIStr "$SMPROGRAMS\${SHORTCUTS}\stunnel Manual Page.url" \
"InternetShortcut" "URL" "file://$INSTDIR\doc\stunnel.html"

# uninstall
CreateShortCut "$SMPROGRAMS\${SHORTCUTS}\Uninstall stunnel.lnk" \
"$INSTDIR\uninstall.exe" "/$MultiUser.InstallMode" \
"$INSTDIR\uninstall.exe"
SectionEnd

Section "Desktop" sectionDESKTOP
# create the link
CreateShortCut "$DESKTOP\${SHORTCUTS}.lnk" \
"$INSTDIR\bin\stunnel.exe" "" "$INSTDIR\bin\stunnel.exe"

# refresh the screen
System::Call 'Shell32::SHChangeNotify(i 0x8000000, i 0, i 0, i 0)'
SectionEnd

SectionGroupEnd

Section /o "Debugging Symbols" sectionDEBUG
SetOutPath "$INSTDIR\bin"

# core components
File "${STUNNEL_BIN_DIR}\stunnel.pdb"
File "${OPENSSL_BIN_DIR}\libeay32.pdb"
File "${OPENSSL_BIN_DIR}\ssleay32.pdb"
!if ${ARCH} == win32
File "${ZLIB_DIR}\zlib1.pdb"
!endif

# optional tstunnel.exe
SectionGetFlags ${sectionTSTUNNEL} $0
IntOp $0 $0 & ${SF_SELECTED}
IntCmp $0 0 no_tstunnel_pdb
File "${STUNNEL_BIN_DIR}\tstunnel.pdb"
no_tstunnel_pdb:

# optional openssl.exe
SectionGetFlags ${sectionOPENSSL} $0
IntOp $0 $0 & ${SF_SELECTED}
IntCmp $0 0 no_openssl_pdb
File "${OPENSSL_BIN_DIR}\openssl.pdb"
no_openssl_pdb:

# engines
SetOutPath "$INSTDIR\engines"
File "${OPENSSL_ENGINES_DIR}\capi.pdb"
File "${OPENSSL_ENGINES_DIR}\chil.pdb"
File "${OPENSSL_ENGINES_DIR}\gmp.pdb"
File "${OPENSSL_ENGINES_DIR}\gost.pdb"
File "${OPENSSL_ENGINES_DIR}\padlock.pdb"
File "${OPENSSL_ENGINES_DIR}\ubsec.pdb"
# File "${LIBP11_DIR}\pkcs11.pdb"
SetOutPath "$INSTDIR"
SectionEnd

Section
!insertmacro RestartStunnel
SectionEnd

Section "Uninstall"
!insertmacro TerminateStunnel
!insertmacro CleanupStunnelFiles

# remove the stunnel directory
Delete "$INSTDIR\config\stunnel.pem"
Delete "$INSTDIR\config\stunnel.conf"
RMDir "$INSTDIR\config"
Delete "$INSTDIR\uninstall.exe"
RMDir "$INSTDIR"

# remove firewall rules
SimpleFC::RemoveApplication "$INSTDIR\bin\stunnel.exe"
!insertmacro DetailError "SimpleFC::RemoveApplication failed for stunnel.exe"
SimpleFC::RemoveApplication "$INSTDIR\bin\tstunnel.exe"
!insertmacro DetailError "SimpleFC::RemoveApplication failed for tstunnel.exe"

# remove the installer and uninstaller registry entires
DeleteRegKey SHCTX "${REGKEY_INSTALL}"
DeleteRegKey SHCTX "${REGKEY_UNINST}"
SectionEnd

LangString DESC_sectionCORE ${LANG_ENGLISH} \
"Installs the stunnel executable and the required libraries.$\r$\nThis component also creates a sample stunnel.conf if no such file exists."
LangString DESC_sectionOPENSSL ${LANG_ENGLISH} \
"Installs openssl.exe, the OpenSSL command-line tool.$\r$\nThis component also builds a self-signed stunnel.pem file if no such file exists."
LangString DESC_sectionTSTUNNEL ${LANG_ENGLISH} \
"Installs tstunnel.exe, the command-line version of stunnel.$\r$\ntstunnel.exe is often used for scripting."
LangString DESC_sectionMENU ${LANG_ENGLISH} \
"Installs the Start Menu shortcuts for managing stunnel."
LangString DESC_sectionDESKTOP ${LANG_ENGLISH} \
"Installs the Desktop shortcut for stunnel."
LangString DESC_sectionDEBUG ${LANG_ENGLISH} \
"Installs the .PDB (program database) files for the executables and libraries."
LangString DESC_groupTOOLS ${LANG_ENGLISH} \
"Installs optional (but useful) tools."
LangString DESC_groupSHORTCUTS ${LANG_ENGLISH} \
"Installs menu and desktop shortcuts."

!insertmacro MUI_FUNCTION_DESCRIPTION_BEGIN
!insertmacro MUI_DESCRIPTION_TEXT ${sectionCORE} $(DESC_sectionCORE)
!insertmacro MUI_DESCRIPTION_TEXT ${sectionOPENSSL} $(DESC_sectionOPENSSL)
!insertmacro MUI_DESCRIPTION_TEXT ${sectionTSTUNNEL} $(DESC_sectionTSTUNNEL)
!insertmacro MUI_DESCRIPTION_TEXT ${sectionMENU} $(DESC_sectionMENU)
!insertmacro MUI_DESCRIPTION_TEXT ${sectionDESKTOP} $(DESC_sectionDESKTOP)
!insertmacro MUI_DESCRIPTION_TEXT ${sectionDEBUG} $(DESC_sectionDEBUG)
!insertmacro MUI_DESCRIPTION_TEXT ${groupTOOLS} $(DESC_groupTOOLS)
!insertmacro MUI_DESCRIPTION_TEXT ${groupSHORTCUTS} $(DESC_groupSHORTCUTS)
!insertmacro MUI_FUNCTION_DESCRIPTION_END

# end of stunnel.nsi

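Review bot: the HOME check in Section "openssl.exe" looks inverted: `StrCmp $0 "" home_defined` jumps to home_defined when HOME is empty, so the variable is left unset in exactly the case the comment "set HOME for the .rnd file" is meant to handle, and is overwritten with "$INSTDIR\config" when the user already had one; swap the branches (`StrCmp $0 "" 0 home_defined`) so the SetEnvironmentVariable call runs only for an empty HOME, and check the `.r0` result it returns instead of discarding it. Also, the `openssl req ... -out "$INSTDIR\config\stunnel.pem" -keyout "$INSTDIR\config\stunnel.pem"` invocation writes the private key into the same file as the certificate under $INSTDIR\config, and nothing in the section restricts access to that file afterwards; either tighten its ACL after generation or document that the generated stunnel.pem must be protected, since the MoveFiles migration also sweeps any existing *.key and *.pem files into that directory.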
@ -0,0 +1,106 @@
#!/bin/sh
#
# stunnel Starts or stops Stunnel daemon
#
# chkconfig: - 48 52
# description: Starts or stops Stunnel daemon
#
### BEGIN INIT INFO
# Provides: stunnel
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Should-Start: $syslog
# Should-Stop: $syslog
# Default-Start:
# Default-Stop: 0 1 2 3 4 5 6
# Short-Description: Start or stop stunnel 4.x (TLS tunnel for network daemons)
# Description: Starts or stops all configured TLS network tunnels. Each *.conf file in
# /etc/stunnel/ will spawn a separate stunnel process. The list of files
# can be overridden in /etc/sysconfig/stunnel, and that same file can be used
# to completely disable *all* tunnels.
### END INIT INFO

# Source function library.
. /etc/rc.d/init.d/functions

exec="/usr/bin/stunnel"
prog="stunnel"
config="/etc/stunnel/stunnel.conf"

[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog

lockfile=/var/lock/subsys/$prog

start() {
[ -x $exec ] || exit 5
[ -f $config ] || exit 6
echo -n $"Starting $prog: "
daemon ${exec} ${config}
retval=$?
echo
[ $retval -eq 0 ] && touch $lockfile
return $retval
}

stop() {
echo -n $"Stopping $prog: "
killproc ${prog}
retval=$?
echo
[ $retval -eq 0 ] && rm -f $lockfile
return $retval
}

restart() {
stop
start
}

reload() {
restart
}

force_reload() {
restart
}

rh_status() {
status $prog
}

rh_status_q() {
rh_status >/dev/null 2>&1
}


case "$1" in
start)
rh_status_q && exit 0
$1
;;
stop)
rh_status_q || exit 0
$1
;;
restart)
$1
;;
reload)
rh_status_q || exit 7
$1
;;
force-reload)
force_reload
;;
status)
rh_status
;;
condrestart|try-restart)
rh_status_q || exit 0
restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
exit 2
esac
exit $?
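Review bot: the LSB header's Description promises that each *.conf file in /etc/stunnel/ spawns its own stunnel process and that /etc/sysconfig/stunnel can override the list or disable all tunnels, but the body only ever starts the single file named in `config="/etc/stunnel/stunnel.conf"` (adjustable through the sourced sysconfig file) and `stop()` issues one `killproc ${prog}`; either add the per-file loop or cut the header back to what the script actually does, because operators will otherwise expect tunnels that never start. Two smaller points: `reload()` and `force_reload()` are plain `restart` wrappers, so a "reload" tears down every live tunnel, which the usage line should not advertise as distinct from restart unless an in-place reload is wired up; and the `#!/bin/sh` shebang sits above the `$"..."` locale-string syntax, which is a bash extension, so declare `#!/bin/bash` (the script already depends on Red Hat's /etc/rc.d/init.d/functions) or drop the `$`.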