Michal Trojnara 2015-07-29 16:17:17 +02:00
Parent b571c3b292
Commit 39928510b1
54 changed files: 10353 additions and 9118 deletions

View file

@ -2,7 +2,7 @@
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
675 Mass Ave, Cambridge, MA 02139, USA
51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
@ -305,7 +305,7 @@ the "copyright" line and a pointer to where the full notice is found.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
Also add information on how to contact you by electronic and paper mail.

View file

@ -1,11 +1,38 @@
stunnel Universal SSL tunnel
Version 4.21, 2007.10.27, urgency: LOW/EXPERIMENTAL:
* New features sponsored by Open-Source Software Institute
- Initial FIPS 140-2 support (see INSTALL.FIPS for details).
Win32 platform is not currently supported.
* New features
- Experimental fast support for non-MT-safe libwrap is provided
with pre-spawned processes.
- Stunnel binary moved from /usr/local/sbin to /usr/local/bin
in order to meet FHS and LSB requirements.
Please delete the /usr/local/sbin/stunnel when upgrading.
- Added code to disallow compiling stunnel with pthreads when
OpenSSL is compiled without threads support.
- Win32 DLLs for OpenSSL 0.9.8g.
- Minor manual update.
- TODO file updated.
* Bugfixes
- Dynamic locking callbacks added (needed by some engines to work).
- AC_ARG_ENABLE fixed in configure.am to accept yes/no arguments.
- On some systems libwrap requires yp_get_default_domain from libnsl,
additional checking was added.
- Sending a list of trusted CAs for the client to choose the right
certificate restored.
- Some compatibility issues with NTLM authentication fixed.
- Taskbar icon (unless there is a config file parsing error) and
"Save As" disabled in the service mode for local Win32 security
(it's much like Yeti -- some people claim they have seen it).
Version 4.20, 2006.11.30, urgency: MEDIUM:
* Release notes
- The new transfer() function has been well tested.
I recommend upgrading any previous version with this one.
* Bugfixes
- Fixed support for encrypted passphases (broken in 4.19).
- Fixed support for encrypted passphases on Unix (broken in 4.19).
- Reduced amount of debug logs.
- A minor man page update.
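Review bot: "passphases" in the two "Fixed support for encrypted passphases" entries should read "passphrases"; the hunk rewrites this 4.20 entry but carries the typo into the new text. While here, the 4.21 entry about the move from /usr/local/sbin to /usr/local/bin only asks users to delete the old binary; a short note that init scripts and inetd.conf lines pointing at the old path must be updated as well would spare upgraders a silently failing service.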

INSTALL.FIPS (new file, 14 lines)

@ -0,0 +1,14 @@
stunnel Universal SSL tunnel
FIPS support status:
- Unix platforms are currently supported.
More testing is still required.
- Win32 platform is currently unsupported due to some
problems with linking FIPS-enabled OpenSSL DLLs.
FIPS mode is autodetected if possible. You can force it with:
./configure --enable-fips
or disable with:
./configure --disable-fips
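Review bot: the file says FIPS mode "is autodetected if possible" but gives the reader no way to confirm which mode the built binary actually ended up in, so a missed autodetection yields a silently non-FIPS build. Add a line on how to verify the result, for example by checking that USE_FIPS appears among the compile-time options that `stunnel -version` prints, and say what the program does at startup if the FIPS self-test fails.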

View file

@ -2,11 +2,12 @@
SUBDIRS = src doc tools
EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE
EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE INSTALL.FIPS
docdir = $(datadir)/doc/stunnel
doc_DATA = AUTHORS BUGS ChangeLog COPYING COPYRIGHT.GPL CREDITS \
INSTALL INSTALL.W32 INSTALL.WCE NEWS PORTS README TODO
doc_DATA = INSTALL README COPYING AUTHORS ChangeLog \
INSTALL.W32 INSTALL.WCE INSTALL.FIPS \
BUGS PORTS COPYRIGHT.GPL CREDITS TODO
distcleancheck_listfiles = \
find -type f -exec sh -c 'test -f $(srcdir)/{} || echo {}' ';'
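Review bot: NEWS disappears from doc_DATA in this hunk while the file itself stays in the tree; that matches the NEWS change elsewhere in this commit, but reordering the whole doc_DATA list at the same time hides that one-item change in the diff. Keep the existing order and only drop NEWS, so the change to the installed documentation is visible to reviewers and packagers.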

View file

@ -1,4 +1,4 @@
# Makefile.in generated by automake 1.9.5 from Makefile.am.
# Makefile.in generated by automake 1.9.6 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@ -91,6 +91,7 @@ AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CCLD = @CCLD@
CFLAGS = @CFLAGS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
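Review bot: "CCLD = @CCLD@" replaces automake's default "CCLD = $(CC)", and this substitution is what routes the final link through fipsld when FIPS is enabled. Since Makefile.in is generated (the header now says automake 1.9.6), it must be regenerated from Makefile.am and configure.ac rather than patched by hand: a hand edit is lost on the next automake run and the binary would then be linked without fipsld with no error from the build.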
@ -110,6 +111,7 @@ EGREP = @EGREP@
EXEEXT = @EXEEXT@
F77 = @F77@
FFLAGS = @FFLAGS@
GREP = @GREP@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
@ -136,12 +138,9 @@ SHELL = @SHELL@
STRIP = @STRIP@
USE_DH = @USE_DH@
VERSION = @VERSION@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_CXX = @ac_ct_CXX@
ac_ct_F77 = @ac_ct_F77@
ac_ct_RANLIB = @ac_ct_RANLIB@
ac_ct_STRIP = @ac_ct_STRIP@
am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
@ -158,33 +157,40 @@ build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = $(datadir)/doc/stunnel
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
ssldir = @ssldir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
SUBDIRS = src doc tools
EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE
docdir = $(datadir)/doc/stunnel
doc_DATA = AUTHORS BUGS ChangeLog COPYING COPYRIGHT.GPL CREDITS \
INSTALL INSTALL.W32 INSTALL.WCE NEWS PORTS README TODO
EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE INSTALL.FIPS
doc_DATA = INSTALL README COPYING AUTHORS ChangeLog \
INSTALL.W32 INSTALL.WCE INSTALL.FIPS \
BUGS PORTS COPYRIGHT.GPL CREDITS TODO
distcleancheck_listfiles = \
find -type f -exec sh -c 'test -f $(srcdir)/{} || echo {}' ';'

NEWS (24 changes)

@ -1,23 +1 @@
stunnel Universal SSL tunnel
New features in stunnel 4.0
* New features sponsored by MAXIMUS http://www.maximus.com/
- New user interface (config file).
- Single daemon can listen on multiple ports, now.
- Native Win32 GUI added.
- Native NT/2000/XP service added.
- Delayed DNS lookup added.
* Other new features
- All the timeouts are now configurable including
TIMEOUTclose that can be set to 0 for MSIE and other
buggy clients that do not send close_notify.
- Stunnel process can be chrooted in a specified directory.
- Numerical values for setuid() and setgid() are allowed, now.
- Confusing code for setting certificate defaults introduced in
version 3.8p3 was removed to simplify stunnel setup.
There are no built-in defaults for CApath and CAfile options.
- Private key file for a certificate can be kept in a separate
file. Default remains to keep it in the cert file.
- Manual page updated.
See the ChangeLog file for the latest news.
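Review bot: the deleted 4.0 notes include one that still matters to anyone upgrading from 3.x, the removal of the built-in CApath and CAfile defaults (without explicit configuration no CA is trusted for verification). Before reducing NEWS to a pointer, confirm that ChangeLog still carries that 4.0 entry, otherwise the one security-relevant upgrade note in this file is lost.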

PORTS (15 changes)

@ -2,12 +2,11 @@ stunnel Universal SSL tunnel
Stunnel ports maintainers:
FreeBSD:
Martti Kuparinen <martti.kuparinen@iki.fi>
Debian Linux:
Paolo Molaro <lupus@debian.org>
RedHat Linux:
Damien Miller <dmiller@ilogic.com.au>
AmigaOS Diego Casorran <dcr8520@amiga.org>
OpenBSD Jakob Schlyter <jakob@openbsd.org>
FreeBSD Peter Pentchev <roam@FreeBSD.org>
NetBSD Martti Kuparinen <martti.kuparinen@iki.fi>
Cygwin Andrew Schulman <andrex@alumni.utexas.net>
Debian Julien Lemoine <speedblue@debian.org>
RedHat Damien Miller <dmiller@ilogic.com.au>

TODO (13 changes)

@ -3,27 +3,26 @@ stunnel Universal SSL tunnel
* High priority features I'm going to support (sponsorship welcomed):
- Add service-level logging.
- Optional use of syslog in foreground mode.
- Log file rotation with a signal on Unix and with GUI on Windows.
- Graceful configuration reload with a signal on Unix and with GUI on Windows.
- Provide transparent proxy for Linux 2.6.x with TPROXY patch.
http://www.balabit.com/products/oss/tproxy/
- In transparent proxy mode bind source port (not only IP).
- In transparent proxy mode add an option to connect destination address
of the the original connection instead of a fixed IP list.
- Modify ./configure to support cross-compilation.
* Low priority features I'm going to support (sponsorship welcomed):
- Replace protocol.c with a scripting engine.
- Add some scripting capabilities *after* SSL negotiations.
- Log file rotation on a signal.
- Key renegotiation (re-handshake) for long connections.
- Internationalization of logged messages (i18n).
- Logging to NT eventlog.
- IMAP protocol support (RFC 2595).
http://www.ietf.org/rfc/rfc2595.txt
- SOCKS 4 protocol support.
http://archive.socks.permeo.com/protocol/socks4.protocol
- Graceful configuration reload with a signal on Unix and with GUI on Windows.
- Modify ./configure to support cross-compilation.
* Features I'd prefer NOT to support (waiting for a wealthy sponsor):
- HTTP protocol support (X-Forwarded-For header).
- SMTP protocol support (X-Forwarded-For header).
- HTTP protocol support (adding X-Forwarded-For header to each request,
URL rewriting).
- SMTP protocol support (adding X-Forwarded-For header to each email).
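Review bot: the context line "of the the original connection" has a doubled "the"; since the hunk already touches the surrounding lines, fix it here.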

aclocal.m4 (vendored, 1643 changes): diff not shown because of its size.

configure (vendored, 14672 changes): diff not shown because of its size.

View file

@ -1,9 +1,9 @@
# Process this file with autoconf to produce a configure script.
AC_INIT([stunnel], [4.20])
AC_INIT([stunnel],[4.21])
AC_MSG_NOTICE([**************************************** initialization])
AC_CONFIG_AUX_DIR(auto)
AM_INIT_AUTOMAKE(stunnel, 4.20)
AM_INIT_AUTOMAKE(stunnel, 4.21)
AC_CONFIG_SRCDIR(src/stunnel.c)
AC_CANONICAL_HOST
@ -91,6 +91,7 @@ AC_CHECK_HEADERS(grp.h unistd.h util.h libutil.h sys/resource.h pty.h)
AC_MSG_NOTICE([**************************************** libraries])
# Checks for standard libraries
AC_SEARCH_LIBS(gethostbyname, nsl)
AC_SEARCH_LIBS(yp_get_default_domain, nsl)
AC_CHECK_LIB(socket, socket)
AC_CHECK_LIB(util, openpty)
# Checks for dynamic loader and zlib needed by OpenSSL
@ -279,7 +280,17 @@ AC_MSG_NOTICE([**************************************** optional features])
AC_MSG_CHECKING([whether to disable RSA support])
AC_ARG_ENABLE(rsa,
[ --disable-rsa Disable RSA support],
[AC_MSG_RESULT([yes]); AC_DEFINE(NO_RSA)],
[
case "$enableval" in
yes) AC_MSG_RESULT([no])
;;
no) AC_MSG_RESULT([yes])
AC_DEFINE(NO_RSA)
;;
*) AC_MSG_ERROR([bad value ${enableval}])
;;
esac
],
[AC_MSG_RESULT([no])]
)
@ -287,7 +298,19 @@ AC_ARG_ENABLE(rsa,
AC_MSG_CHECKING([whether to enable DH support])
AC_ARG_ENABLE(dh,
[ --enable-dh Enable DH support],
[AC_MSG_RESULT([yes]); USE_DH=1; AC_DEFINE(USE_DH)],
[
case "$enableval" in
yes)
AC_MSG_RESULT([yes])
USE_DH=1
AC_DEFINE(USE_DH)
;;
no) AC_MSG_RESULT([no])
;;
*) AC_MSG_ERROR([bad value ${enableval}])
;;
esac
],
[AC_MSG_RESULT([no])]
)
AC_SUBST(USE_DH)
@ -296,6 +319,17 @@ AC_SUBST(USE_DH)
AC_MSG_CHECKING([whether to enable IPv6 support])
AC_ARG_ENABLE(ipv6,
[ --enable-ipv6 Enable IPv6 support],
[
case "$enableval" in
yes) AC_MSG_RESULT([yes])
AC_DEFINE(USE_IPv6)
;;
no) AC_MSG_RESULT([no])
;;
*) AC_MSG_ERROR([bad value ${enableval}])
;;
esac
],
[AC_MSG_RESULT([yes]); AC_DEFINE(USE_IPv6)],
[AC_MSG_RESULT([no])]
)
@ -305,9 +339,19 @@ AC_ARG_ENABLE(ipv6,
AC_MSG_CHECKING([whether to disable TCP wrappers library support])
AC_ARG_ENABLE(libwrap,
[ --disable-libwrap Disable TCP wrappers library support],
[AC_MSG_RESULT([yes])],
[
AC_MSG_RESULT([no (autodetecting)])
case "$enableval" in
yes) AC_MSG_RESULT([no])
AC_DEFINE(HAVE_LIBWRAP)
;;
no) AC_MSG_RESULT([yes])
;;
*) AC_MSG_ERROR([bad value ${enableval}])
;;
esac
],
[
AC_MSG_RESULT([autodetecting])
AC_MSG_CHECKING([for hosts_access in -lwrap])
saved_LIBS="$LIBS"
LIBS="$saved_LIBS -lwrap"
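Review bot: the explicit "yes)" branch defines HAVE_LIBWRAP without adding -lwrap to LIBS and without running the hosts_access probe that the autodetect branch below performs, so "--enable-libwrap" on a system without libwrap passes configure and fails at link time, or links only if the user supplies LIBS by hand. Run the same "AC_MSG_CHECKING([for hosts_access in -lwrap])" probe in the yes branch and stop with AC_MSG_ERROR when it is not found: a user who explicitly asked for TCP wrappers should never end up with a build that lacks them.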
@ -322,6 +366,44 @@ AC_ARG_ENABLE(libwrap,
]
)
# FIPS Mode
AC_MSG_CHECKING([whether to enable FIPS mode support])
AC_ARG_ENABLE(fips,
[ --enable-fips Enable OpenSSL FIPS mode],
[
case "$enableval" in
yes) AC_MSG_RESULT([yes])
CCLD="FIPSLD_CC=$CC $ssldir/bin/fipsld"
AC_DEFINE(USE_FIPS)
;;
no) AC_MSG_RESULT([no])
CCLD="$CC"
;;
*) AC_MSG_ERROR([bad value ${enableval}])
;;
esac
],
[
AC_MSG_RESULT([autodetecting])
AC_MSG_CHECKING([for FIPS_mode_set])
INCLUDES="=l$ssldir/include"
AC_LINK_IFELSE(
[AC_LANG_PROGRAM(
[[#include <openssl/fips.h>]],
[[FIPS_mode_set(1);]],
)],
[AC_MSG_RESULT([yes])
CCLD="FIPSLD_CC=$CC $ssldir/bin/fipsld"
AC_DEFINE(USE_FIPS)
], [
AC_MSG_RESULT([no])
CCLD="$CC"
]
)
]
)
AC_SUBST(CCLD)
AC_MSG_NOTICE([**************************************** write the results])
AC_CONFIG_FILES([Makefile src/Makefile src/stunnel3 doc/Makefile tools/Makefile tools/stunnel.conf-sample tools/stunnel.init])
AC_OUTPUT
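Review bot: 'INCLUDES="=l$ssldir/include"' looks like a typo for "-I$ssldir/include", and INCLUDES is not consulted by AC_LINK_IFELSE in any case (the probe compiles with CPPFLAGS and CFLAGS), so the FIPS_mode_set check runs against whatever openssl/fips.h is on the default include path rather than the OpenSSL under $ssldir; set CPPFLAGS for the duration of the test instead. Two smaller points: the trailing comma after "[[FIPS_mode_set(1);]]," hands AC_LANG_PROGRAM an extra empty argument, and the "yes)" branch of --enable-fips sets CCLD to "$ssldir/bin/fipsld" without checking that the file exists, which again surfaces only at link time.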

View file

@ -1,4 +1,4 @@
# Makefile.in generated by automake 1.9.5 from Makefile.am.
# Makefile.in generated by automake 1.9.6 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@ -70,6 +70,7 @@ AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CCLD = @CCLD@
CFLAGS = @CFLAGS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
@ -89,6 +90,7 @@ EGREP = @EGREP@
EXEEXT = @EXEEXT@
F77 = @F77@
FFLAGS = @FFLAGS@
GREP = @GREP@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
@ -115,12 +117,9 @@ SHELL = @SHELL@
STRIP = @STRIP@
USE_DH = @USE_DH@
VERSION = @VERSION@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_CXX = @ac_ct_CXX@
ac_ct_F77 = @ac_ct_F77@
ac_ct_RANLIB = @ac_ct_RANLIB@
ac_ct_STRIP = @ac_ct_STRIP@
am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
@ -137,23 +136,30 @@ build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = $(datadir)/doc/stunnel
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
ssldir = @ssldir@
@ -164,7 +170,6 @@ EXTRA_DIST = stunnel.pod stunnel.pl.pod stunnel.fr.pod \
stunnel.html stunnel.pl.html stunnel.fr.html en pl
man_MANS = stunnel.8 stunnel.pl.8 stunnel.fr.8
docdir = $(datadir)/doc/stunnel
doc_DATA = stunnel.html stunnel.pl.html stunnel.fr.html
SUFFIXES = .pod .8 .html
all: all-am

View file

@ -1,4 +1,4 @@
.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
.\"
.\" Standard preamble:
.\" ========================================================================
@ -25,11 +25,11 @@
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. | will give a
.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
.\" expand to `' in nroff, nothing in troff, for use with C<>.
.tr \(*W-|\(bv\*(Tr
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "STUNNEL 8"
.TH STUNNEL 8 "2006.11.15" "4.08" "stunnel"
.TH STUNNEL 8 "2007.09.23" "4.08" "stunnel"
.SH "NAME"
stunnel \- universal SSL tunnel
.SH "SYNOPSIS"
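Review bot: the .TH line bumps the date to 2007.09.23 but leaves the version field at "4.08" although this commit releases 4.21; update it (or derive it from the configure version) so the man page footer matches the binary it documents.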
@ -384,9 +384,15 @@ client mode (remote service uses \s-1SSL\s0)
default: no (server mode)
.IP "\fBconnect\fR = [host:]port" 4
.IX Item "connect = [host:]port"
connect to remote host:port
connect to a remote host:port
.Sp
If no host specified, defaults to localhost.
If no host is specified, the host defaults to localhost.
.Sp
Multiple \fBconnect\fR options are allowed in a single service section.
.Sp
If host resolves to multiple addresses and/or if multiple \fBconnect\fR
options are specified, then the remote address is chosen using a
round-robin algorithm.
.IP "\fBCRLpath\fR = directory" 4
.IX Item "CRLpath = directory"
Certificate Revocation Lists directory
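Review bot: the new text says that with several addresses or several connect options "the remote address is chosen using a round-robin algorithm", but not what happens when the chosen address refuses or times out (try the next one, or fail the client connection); add a sentence on failover behaviour, since operators will read this as a high-availability feature and configure accordingly.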
@ -622,7 +628,7 @@ or \fItcpserver\fR.
For example, if you have the following line in \fIinetd.conf\fR:
.PP
.Vb 1
\& imaps stream tcp nowait root /usr/sbin/stunnel stunnel /etc/stunnel/imaps.conf
\& imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
.Ve
.PP
In these cases, the \fIinetd\fR\-style program is responsible

View file

@ -1,4 +1,4 @@
.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
.\"
.\" Standard preamble:
.\" ========================================================================
@ -25,11 +25,11 @@
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. | will give a
.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
.\" expand to `' in nroff, nothing in troff, for use with C<>.
.tr \(*W-|\(bv\*(Tr
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "STUNNEL.FR 8"
.TH STUNNEL.FR 8 "2005.01.15" "4.08" "stunnel"
.TH STUNNEL.FR 8 "2007.09.23" "4.08" "stunnel"
.SH "NOM"
.IX Header "NOM"
stunnel \- tunnel \s-1SSL\s0 universel
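Review bot: as in the English page, the date moves to 2007.09.23 while the version in the .TH line stays "4.08"; update it to the released version.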
@ -375,7 +375,7 @@ Exemples\ :
\& socket = r:TCP_NODELAY=1
\& désactive l'algorithme Nagle pour les sockets distants
\& socket = r:SO_OOBINLINE=1
\& Place directement les données hors-bande dans le flux de réception
\& Place directement les données hors\-bande dans le flux de réception
\& des sockets distants
\& socket = a:SO_REUSEADDR=0
\& désactive la réutilisation d'adresses (activée par défaut)
@ -392,9 +392,9 @@ Par d
Vérifie le certificat du correspondant
.Sp
.Vb 3
\& niveau 1 - vérifie le certificat s'il est présent
\& niveau 2 - vérifie le certificat
\& niveau 3 - contrôle le correspondant avec le certificat local
\& niveau 1 \- vérifie le certificat s'il est présent
\& niveau 2 \- vérifie le certificat
\& niveau 3 \- contrôle le correspondant avec le certificat local
.Ve
.Sp
Par défaut \- pas de vérification
@ -531,7 +531,7 @@ connexions entrantes et lance \fBstunnel\fR, par exemple avec \fIinetd\fR,
Si, par exemple, la ligne suivante se trouve dans \fIinetd.conf\fR\ :
.PP
.Vb 1
\& imaps stream tcp nowait root /usr/sbin/stunnel stunnel /etc/stunnel/imaps.conf
\& imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
.Ve
.PP
Dans ces cas, c'est le programme du genre \fIinetd\fR\-style qui est
@ -564,13 +564,13 @@ L'information textuelle ajout
le fichier ait l'allure suivante\ :
.Sp
.Vb 8
\& -----BEGIN RSA PRIVATE KEY-----
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
\& [clef encodée]
\& -----END RSA PRIVATE KEY-----
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
\& [ligne vide]
\& -----BEGIN CERTIFICATE-----
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
\& [certificat encodé]
\& -----END CERTIFICATE-----
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
\& [ligne vide]
.Ve
.Sh "\s-1ALEATOIRE\s0"

View file

@ -1,8 +1,10 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv=content-type content="text/html; charset=ISO-8859-1">
<title>stunnel.8</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:root@localhost" />
</head>
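Review bot: the meta charset changes from ISO-8859-1 to utf-8, so the file contents must be converted to UTF-8 in the same commit; the hunk headers further down in this diff are cut off at the first accented character ("forme XXXXXXXX.0, o", "Par d", "L'utilisation de certificats c"), which is what Latin-1 bytes read as UTF-8 look like, so confirm the file really was re-encoded or every accented character on the rendered page will break.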
@ -53,18 +55,19 @@
<hr />
<h1><a name="synopsis">SYNOPSIS</a></h1>
<dl>
<dt><strong><a name="item_unix_3a"><strong>Unix:</strong></a></strong><br />
</dt>
<dt><strong><a name="item_unix_3a"><strong>Unix:</strong></a></strong>
<dd>
<strong>stunnel</strong> [fichier] | -fd&nbsp;[n] | -help | -version | -sockets
<p><strong>stunnel</strong> [fichier] | -fd&nbsp;[n] | -help | -version | -sockets</p>
</dd>
<p></p>
<dt><strong><a name="item_win32_3a"><strong>WIN32:</strong></a></strong><br />
</dt>
</li>
<dt><strong><a name="item_win32_3a"><strong>WIN32:</strong></a></strong>
<dd>
<strong>stunnel</strong> [fichier] | -install | -uninstall | -help | -version | -sockets
<p><strong>stunnel</strong> [fichier] | -install | -uninstall | -help | -version | -sockets</p>
</dd>
<p></p></dl>
</li>
</dl>
<p>
</p>
<hr />
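Review bot: the regenerated markup emits "</li>" after each "</dd>" and before "</dl>" without any opening "<li>"; a stray end tag inside "<dl>" is invalid under the XHTML 1.0 Strict DOCTYPE that this same change adds at the top of the file, so the page no longer validates. This is a Pod::Html output defect rather than a stunnel change, and it repeats in every definition list of the file; either strip those "</li>" tags in a post-processing step or generate with a pod2html that does not emit them.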
@ -85,75 +88,77 @@ Eric Young (<a href="mailto:eay@cryptsoft.com">eay@cryptsoft.com</a>)</p>
<hr />
<h1><a name="options">OPTIONS</a></h1>
<dl>
<dt><strong><a name="item__5bfichier_5d"><strong>[fichier]</strong></a></strong><br />
</dt>
<dt><strong><a name="item__5bfichier_5d"><strong>[fichier]</strong></a></strong>
<dd>
Utilisation du fichier de configuration spécifié.
<p>Utilisation du fichier de configuration spécifié.</p>
</dd>
<p></p>
<dt><strong><a name="item__2dfd__5bn_5d__28unix_seulement_29"><strong>-fd [n]</strong> (Unix seulement)</a></strong><br />
</dt>
</li>
<dt><strong><a name="item__2dfd__5bn_5d__28unix_seulement_29"><strong>-fd [n]</strong> (Unix seulement)</a></strong>
<dd>
Lecture du fichier de configuration depuis le descripteur de
fichier indiqué.
<p>Lecture du fichier de configuration depuis le descripteur de
fichier indiqué.</p>
</dd>
<p></p>
<dt><strong><a name="item__2dhelp"><strong>-help</strong></a></strong><br />
</dt>
</li>
<dt><strong><a name="item__2dhelp"><strong>-help</strong></a></strong>
<dd>
Affiche le menu d'aide de <strong>stunnel</strong>.
<p>Affiche le menu d'aide de <strong>stunnel</strong>.</p>
</dd>
<p></p>
<dt><strong><a name="item__2dversion"><strong>-version</strong></a></strong><br />
</dt>
</li>
<dt><strong><a name="item__2dversion"><strong>-version</strong></a></strong>
<dd>
Affiche la version de <strong>stunnel</strong> et les options de compilation.
<p>Affiche la version de <strong>stunnel</strong> et les options de compilation.</p>
</dd>
<p></p>
<dt><strong><a name="item__2dsockets"><strong>-sockets</strong></a></strong><br />
</dt>
</li>
<dt><strong><a name="item__2dsockets"><strong>-sockets</strong></a></strong>
<dd>
Affiche les options socket par défaut.
<p>Affiche les options socket par défaut.</p>
</dd>
<p></p>
<dt><strong><a name="item_install"><strong>-install</strong> (NT/2000/XP seulement)</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_install"><strong>-install</strong> (NT/2000/XP seulement)</a></strong>
<dd>
Installe un service NT.
<p>Installe un service NT.</p>
</dd>
<p></p>
<dt><strong><a name="item_uninstall"><strong>-uninstall</strong> (NT/2000/XP only)</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_uninstall"><strong>-uninstall</strong> (NT/2000/XP only)</a></strong>
<dd>
Désinstalle un service NT.
<p>Désinstalle un service NT.</p>
</dd>
<p></p></dl>
</li>
</dl>
<p>
</p>
<hr />
<h1><a name="fichier_de_configuration">FICHIER DE CONFIGURATION</a></h1>
<p>Chaque ligne du fichier de configuration peut être soit&nbsp;:</p>
<ul>
<li></li>
une ligne vide (ignorée)&nbsp;;
<p></p>
<li></li>
un commentaire commençant par «&nbsp;#&nbsp;» (ignoré)&nbsp;;
<p></p>
<li></li>
une paire «&nbsp;option = valeur&nbsp;»&nbsp;;
<p></p>
<li></li>
«&nbsp;[service_name]&nbsp;» indiquant le début de la définition d'un service&nbsp;;
<p></p></ul>
<li>
<p>une ligne vide (ignorée)&nbsp;;</p>
</li>
<li>
<p>un commentaire commençant par «&nbsp;#&nbsp;» (ignoré)&nbsp;;</p>
</li>
<li>
<p>une paire «&nbsp;option = valeur&nbsp;»&nbsp;;</p>
</li>
<li>
<p>«&nbsp;[service_name]&nbsp;» indiquant le début de la définition d'un service&nbsp;;</p>
</li>
</ul>
<p>
</p>
<h2><a name="options_globales">OPTIONS GLOBALES</a></h2>
<dl>
<dt><strong><a name="item_capath__3d_r_e9pertoire"><strong>CApath</strong> = répertoire</a></strong><br />
</dt>
<dt><strong><a name="item_capath__3d_r_e9pertoire"><strong>CApath</strong> = répertoire</a></strong>
<dd>
Répertoire des autorités de certification (CA)
<p>Répertoire des autorités de certification (CA)</p>
</dd>
<dd>
<p>C'est le répertoire dans lequel <strong>stunnel</strong> cherche les certificats si
@ -163,20 +168,20 @@ forme XXXXXXXX.0, o
<dd>
<p>Le cas échéant, le répertoire <em>CApath</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<p></p>
<dt><strong><a name="item_cafile__3d_fichier"><strong>CAfile</strong> = fichier</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_cafile__3d_fichier"><strong>CAfile</strong> = fichier</a></strong>
<dd>
Fichier d'autorités de certification
<p>Fichier d'autorités de certification</p>
</dd>
<dd>
<p>Ce fichier, utilisé avec <em>verify</em>, contient plusieurs certificats de CA.</p>
</dd>
<p></p>
<dt><strong><a name="item_cert__3d_fichier"><strong>cert</strong> = fichier</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_cert__3d_fichier"><strong>cert</strong> = fichier</a></strong>
<dd>
Fichier de chaîne de certificats PEM
<p>Fichier de chaîne de certificats PEM</p>
</dd>
<dd>
<p>Une PEM est toujours nécessaire en mode serveur.
@ -185,11 +190,11 @@ L'utilisation de certificats c
doivent être au format PEM et triés par ordre de niveau décroissant (CA racine
en premier).</p>
</dd>
<p></p>
<dt><strong><a name="item_pertoire"><strong>chroot</strong> = répertoire (Unix seulement)</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_pertoire"><strong>chroot</strong> = répertoire (Unix seulement)</a></strong>
<dd>
Répertoire de chroot du processus <strong>stunnel</strong>
<p>Répertoire de chroot du processus <strong>stunnel</strong></p>
</dd>
<dd>
<p><strong>chroot</strong> enferme <strong>stunnel</strong> dans une cellule chroot. <em>CApath</em>, <em>CRLpath</em>, <em>pid</em>
@ -201,30 +206,30 @@ relatifs au r
chroot, il faut aussi y recopier leurs fichiers de configuration (/etc/hosts.allow et
/etc/hosts.deny).</p>
</dd>
<p></p>
<dt><strong><a name="item_ciphers__3d_listes_de_chiffre"><strong>ciphers</strong> = listes de chiffre</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_ciphers__3d_listes_de_chiffre"><strong>ciphers</strong> = listes de chiffre</a></strong>
<dd>
Sélection des chiffres SSL autorisés
<p>Sélection des chiffres SSL autorisés</p>
</dd>
<dd>
<p>Liste délimitée par deux-points («&nbsp;:&nbsp;») des chiffres autorisés pour la connexion SSL.
Exemple&nbsp;: DES-CBC3-SHA:IDEA-CBC-MD5</p>
</dd>
<p></p>
<dt><strong><a name="item_client__3d_yes__7c_no"><strong>client</strong> = yes | no</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_client__3d_yes__7c_no"><strong>client</strong> = yes | no</a></strong>
<dd>
Mode client (Le service distant utilise SSL)
<p>Mode client (Le service distant utilise SSL)</p>
</dd>
<dd>
<p>Par défaut&nbsp;: no (mode server)</p>
</dd>
<p></p>
<dt><strong><a name="item_crlpath__3d_r_e9pertoire"><strong>CRLpath</strong> = répertoire</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_crlpath__3d_r_e9pertoire"><strong>CRLpath</strong> = répertoire</a></strong>
<dd>
Répertoire des listes de révocation de certificats (CRL)
<p>Répertoire des listes de révocation de certificats (CRL)</p>
</dd>
<dd>
<p>C'est le répertoire dans lequel <strong>stunnel</strong> recherche les CRL avec
@ -234,20 +239,20 @@ forme XXXXXXXX.0 o
<dd>
<p>Le cas échéant, le répertoire <em>CRLpath</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<p></p>
<dt><strong><a name="item_crlfile__3d_fichier"><strong>CRLfile</strong> = fichier</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_crlfile__3d_fichier"><strong>CRLfile</strong> = fichier</a></strong>
<dd>
Fichier de listes de révocation de certificats (CRL)
<p>Fichier de listes de révocation de certificats (CRL)</p>
</dd>
<dd>
<p>Ce fichier, utilisé avec <em>verify</em>, contient plusieurs CRL.</p>
</dd>
<p></p>
<dt><strong><a name="item_debug__3d__5bfacilit_e9_2e_5dniveau"><strong>debug</strong> = [facilité.]niveau</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_debug__3d__5bfacilit_e9_2e_5dniveau"><strong>debug</strong> = [facilité.]niveau</a></strong>
<dd>
niveau de déverminage
<p>niveau de déverminage</p>
</dd>
<dd>
<p>Le niveau est un nom ou un numéro conforme à ceux de syslog&nbsp;:
@ -264,21 +269,21 @@ est notice (5).</p>
<dd>
<p>La casse est ignorée, aussi bien pour la facilité que pour le niveau.</p>
</dd>
<p></p>
<dt><strong><a name="item_chemin"><strong>EGD</strong> = chemin (Unix seulement)</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_chemin"><strong>EGD</strong> = chemin (Unix seulement)</a></strong>
<dd>
Emplacement du socket du daemon de recueil d'entropie (EGD - Entropy Gathering Daemon)
<p>Emplacement du socket du daemon de recueil d'entropie (EGD - Entropy Gathering Daemon)</p>
</dd>
<dd>
<p>Socket EGD à utiliser pour alimenter le générateur d'aléatoires de OpenSSL (disponible
seulement si la compilation a été effectuée avec OpenSSL 0.9.5a ou supérieur).</p>
</dd>
<p></p>
<dt><strong><a name="item_no"><strong>foreground</strong> = yes | no (Unix seulement)</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_no"><strong>foreground</strong> = yes | no (Unix seulement)</a></strong>
<dd>
Mode avant-plan
<p>Mode avant-plan</p>
</dd>
<dd>
<p>Reste en avant-plan (sans fork) et dirige la trace sur stderr
@ -287,11 +292,11 @@ au lieu de syslog (sauf si <strong>output</strong> est sp
<dd>
<p>Par défault&nbsp;: arrière-plan en mode daemon.</p>
</dd>
<p></p>
<dt><strong><a name="item_key__3d_fichier"><strong>key</strong> = fichier</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_key__3d_fichier"><strong>key</strong> = fichier</a></strong>
<dd>
Fichier de clef privée pour le certificat spécifié par <em>cert</em>
<p>Fichier de clef privée pour le certificat spécifié par <em>cert</em></p>
</dd>
<dd>
<p>La clef privée est nécessaire pour authentifier le titulaire du
@ -307,11 +312,11 @@ commande suivante&nbsp;:</p>
<dd>
<p>Par défault&nbsp;: Valeur de <em>cert</em></p>
</dd>
<p></p>
<dt><strong><a name="item_options__3d_options_ssl"><strong>options</strong> = Options_SSL</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_options__3d_options_ssl"><strong>options</strong> = Options_SSL</a></strong>
<dd>
Options de la bibliothèque OpenSSL
<p>Options de la bibliothèque OpenSSL</p>
</dd>
<dd>
<p>Le paramètre est l'option OpenSSL décrite dans la page de man
@ -326,21 +331,21 @@ d'Eudora, on peut utiliser&nbsp;:</p>
<pre>
options = DONT_INSERT_EMPTY_FRAGMENTS</pre>
</dd>
<p></p>
<dt><strong><a name="item_output__3d_fichier"><strong>output</strong> = fichier</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_output__3d_fichier"><strong>output</strong> = fichier</a></strong>
<dd>
Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.
<p>Ajoute la trace à la fin d'un fichier au lieu d'utiliser syslog.</p>
</dd>
<dd>
<p>/dev/stdout peut être utilisé pour afficher les traces sur la sortie standard
(par exemple pour les traiter avec les outils splogger).</p>
</dd>
<p></p>
<dt><strong><a name="item_fichier"><strong>pid</strong> = fichier (Unix seulement)</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_fichier"><strong>pid</strong> = fichier (Unix seulement)</a></strong>
<dd>
Emplacement du fichier pid
<p>Emplacement du fichier pid</p>
</dd>
<dd>
<p>Si l'argument est vide, aucun fichier ne sera créé.</p>
@ -348,11 +353,11 @@ Emplacement du fichier pid
<dd>
<p>Le cas échéant, le chemin <em>pid</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<p></p>
<dt><strong><a name="item_rndbytes__3d_nombre"><strong>RNDbytes</strong> = nombre</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_rndbytes__3d_nombre"><strong>RNDbytes</strong> = nombre</a></strong>
<dd>
Nombre d'octets à lire depuis les fichiers de «&nbsp;sel&nbsp;» aléatoire
<p>Nombre d'octets à lire depuis les fichiers de «&nbsp;sel&nbsp;» aléatoire</p>
</dd>
<dd>
<p>Avec les SSL de version inférieure à 0.9.5a, détermine aussi le nombre
@ -360,30 +365,30 @@ d'octets consid
récentes d'OpenSSL ont une fonction intégrée qui détermine lorsque l'aléatoire
est suffisant.</p>
</dd>
<p></p>
<dt><strong><a name="item_rndfile__3d_fichier"><strong>RNDfile</strong> = fichier</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_rndfile__3d_fichier"><strong>RNDfile</strong> = fichier</a></strong>
<dd>
chemin du fichier de données de «&nbsp;sel&nbsp;» aléatoire
<p>chemin du fichier de données de «&nbsp;sel&nbsp;» aléatoire</p>
</dd>
<dd>
<p>La bibliothèque SSL utilise prioritairement les données de ce fichier pour
«&nbsp;saler&nbsp;» le générateur d'aléatoire.</p>
</dd>
<p></p>
<dt><strong><a name="item_rndoverwrite__3d_yes__7c_no"><strong>RNDoverwrite</strong> = yes | no</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_rndoverwrite__3d_yes__7c_no"><strong>RNDoverwrite</strong> = yes | no</a></strong>
<dd>
Recouvre les fichiers de «&nbsp;sel&nbsp;» avec de nouvelles données aléatoires.
<p>Recouvre les fichiers de «&nbsp;sel&nbsp;» avec de nouvelles données aléatoires.</p>
</dd>
<dd>
<p>Par défaut&nbsp;: yes</p>
</dd>
<p></p>
<dt><strong><a name="item_service__3d_nom"><strong>service</strong> = nom</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_service__3d_nom"><strong>service</strong> = nom</a></strong>
<dd>
Définit le nom de service à utiliser
<p>Définit le nom de service à utiliser</p>
</dd>
<dd>
<p><strong>Sous Unix&nbsp;:</strong> nom de service du mode <em>inetd</em> pour la bibliothèque TCP Wrapper.</p>
@ -394,29 +399,29 @@ D
<dd>
<p>Par défaut&nbsp;: stunnel</p>
</dd>
<p></p>
<dt><strong><a name="item_session__3d_timeout"><strong>session</strong> = timeout</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_session__3d_timeout"><strong>session</strong> = timeout</a></strong>
<dd>
Timeout du cache de session
<p>Timeout du cache de session</p>
</dd>
<p></p>
<dt><strong><a name="item_nom"><strong>setgid</strong> = nom (Unix seulement)</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_nom"><strong>setgid</strong> = nom (Unix seulement)</a></strong>
<dd>
Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)
<p>Nom de groupe utilisé en mode daemon (les éventuels autres noms de groupe attribués sont supprimés)</p>
</dd>
<p></p>
<dt><strong><strong>setuid</strong> = nom (Unix seulement)</strong><br />
</dt>
</li>
<dt><strong><strong>setuid</strong> = nom (Unix seulement)</strong>
<dd>
Nom d'utilisateur utilisé en mode daemon
<p>Nom d'utilisateur utilisé en mode daemon</p>
</dd>
<p></p>
<dt><strong><a name="item_socket__3d_a_7cl_7cr_3aoption_3dvaleur_5b_3avaleur"><strong>socket</strong> = a|l|r:option=valeur[:valeur]</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_socket__3d_a_7cl_7cr_3aoption_3dvaleur_5b_3avaleur"><strong>socket</strong> = a|l|r:option=valeur[:valeur]</a></strong>
<dd>
Configure une option de socket accept (a), locale (l) ou distante (r)
<p>Configure une option de socket accept (a), locale (l) ou distante (r)</p>
</dd>
<dd>
<p>Les valeurs de l'option linger sont&nbsp;: l_onof:l_linger.
@ -439,20 +444,20 @@ Les valeurs de l'option time sont&nbsp;: tv_sec:tv_usec.</p>
socket = a:SO_BINDTODEVICE=lo
limite l'acceptation des connexions sur la seule interface de bouclage</pre>
</dd>
<p></p>
<dt><strong><strong>taskbar</strong> = yes | no (WIN32 seulement)</strong><br />
</dt>
</li>
<dt><strong><strong>taskbar</strong> = yes | no (WIN32 seulement)</strong>
<dd>
active l'icône de la barre de tâches
<p>active l'icône de la barre de tâches</p>
</dd>
<dd>
<p>Par défaut&nbsp;: yes</p>
</dd>
<p></p>
<dt><strong><a name="item_verify__3d_niveau"><strong>verify</strong> = niveau</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_verify__3d_niveau"><strong>verify</strong> = niveau</a></strong>
<dd>
Vérifie le certificat du correspondant
<p>Vérifie le certificat du correspondant</p>
</dd>
<dd>
<pre>
@ -463,7 +468,8 @@ V
<dd>
<p>Par défaut - pas de vérification</p>
</dd>
<p></p></dl>
</li>
</dl>
<p>
</p>
<h2><a name="options_de_service">OPTIONS DE SERVICE</a></h2>
@ -474,100 +480,100 @@ Celui-ci est utilis
fourni par un serveur comme <em>inetd</em>, <em>xinetd</em> ou <em>tcpserver</em>), il faut se
reporter à la section <em>MODE INETD</em> plus bas.</p>
<dl>
<dt><strong><a name="item_accept__3d__5bh_f4te_3a_5dport"><strong>accept</strong> = [hôte:]port</a></strong><br />
</dt>
<dt><strong><a name="item_accept__3d__5bh_f4te_3a_5dport"><strong>accept</strong> = [hôte:]port</a></strong>
<dd>
Accepte des connexions sur le port spécifié
<p>Accepte des connexions sur le port spécifié</p>
</dd>
<dd>
<p>Si l'hôte n'est pas indiqué, le port est ouvert pour toutes les adresses IP de
la machine locale.</p>
</dd>
<p></p>
<dt><strong><a name="item_connect__3d__5bh_f4te_3a_5dport"><strong>connect</strong> = [hôte:]port</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_connect__3d__5bh_f4te_3a_5dport"><strong>connect</strong> = [hôte:]port</a></strong>
<dd>
Se connecte au port distant indiqué
<p>Se connecte au port distant indiqué</p>
</dd>
<dd>
<p>Par défaut, l'hôte est localhost.</p>
</dd>
<p></p>
<dt><strong><a name="item_delay__3d_yes__7c_no"><strong>delay</strong> = yes | no</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_delay__3d_yes__7c_no"><strong>delay</strong> = yes | no</a></strong>
<dd>
Retarde la recherche DNS pour l'option «&nbsp;connect&nbsp;»
<p>Retarde la recherche DNS pour l'option «&nbsp;connect&nbsp;»</p>
</dd>
<p></p>
<dt><strong><a name="item_cutable"><strong>exec</strong> = chemin_exécutable (Unix seulement)</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_cutable"><strong>exec</strong> = chemin_exécutable (Unix seulement)</a></strong>
<dd>
Exécute un programme local de type inetd
<p>Exécute un programme local de type inetd</p>
</dd>
<dd>
<p>Le cas échéant, le chemin <em>exec</em> est relatif au répertoire <em>chroot</em>.</p>
</dd>
<p></p>
<dt><strong><a name="item_execargs__3d__240__241__242__2e_2e_2e__28unix_seul"><strong>execargs</strong> = $0 $1 $2 ... (Unix seulement)</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_execargs__3d__240__241__242__2e_2e_2e__28unix_seul"><strong>execargs</strong> = $0 $1 $2 ... (Unix seulement)</a></strong>
<dd>
Arguments pour <em>exec</em>, y compris le nom du programme ($0)
<p>Arguments pour <em>exec</em>, y compris le nom du programme ($0)</p>
</dd>
<dd>
<p>Les quotes ne peuvent actuellement pas être utilisées.
Les arguments sont séparés par un nombre quelconque d'espaces.</p>
</dd>
<p></p>
<dt><strong><a name="item_ident__3d_nom"><strong>ident</strong> = nom</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_ident__3d_nom"><strong>ident</strong> = nom</a></strong>
<dd>
Applique le contrôle d'identité d'utilisateur IDENT (RFC 1413)
<p>Applique le contrôle d'identité d'utilisateur IDENT (RFC 1413)</p>
</dd>
<p></p>
<dt><strong><a name="item_local__3d_h_f4te"><strong>local</strong> = hôte</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_local__3d_h_f4te"><strong>local</strong> = hôte</a></strong>
<dd>
Adresse IP de l'interface de sortie utilisée pour les connexions distantes.
Cette option permet de relier une adresse statique locale.
<p>Adresse IP de l'interface de sortie utilisée pour les connexions distantes.
Cette option permet de relier une adresse statique locale.</p>
</dd>
<p></p>
<dt><strong><a name="item_protocol__3d_protocole"><strong>protocol</strong> = protocole</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_protocol__3d_protocole"><strong>protocol</strong> = protocole</a></strong>
<dd>
Négocie avec SSL selon le protocole indiqué
<p>Négocie avec SSL selon le protocole indiqué</p>
</dd>
<dd>
<p>Actuellement gérés&nbsp;: cifs, nntp, pop3, smtp</p>
</dd>
<p></p>
<dt><strong><strong>pty</strong> = yes | no (Unix seulement)</strong><br />
</dt>
</li>
<dt><strong><strong>pty</strong> = yes | no (Unix seulement)</strong>
<dd>
Alloue un pseudo-terminal pour l'option «&nbsp;exec&nbsp;»
<p>Alloue un pseudo-terminal pour l'option «&nbsp;exec&nbsp;»</p>
</dd>
<p></p>
<dt><strong><a name="item_timeoutbusy__3d_secondes"><strong>TIMEOUTbusy</strong> = secondes</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_timeoutbusy__3d_secondes"><strong>TIMEOUTbusy</strong> = secondes</a></strong>
<dd>
Durée d'attente de données
<p>Durée d'attente de données</p>
</dd>
<p></p>
<dt><strong><a name="item_timeoutclose__3d_secondes"><strong>TIMEOUTclose</strong> = secondes</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_timeoutclose__3d_secondes"><strong>TIMEOUTclose</strong> = secondes</a></strong>
<dd>
Durée d'attente du close_notify (mis à 0 pour MSIE qui est bogué)
<p>Durée d'attente du close_notify (mis à 0 pour MSIE qui est bogué)</p>
</dd>
<p></p>
<dt><strong><a name="item_timeoutidle__3d_secondes"><strong>TIMEOUTidle</strong> = secondes</a></strong><br />
</dt>
</li>
<dt><strong><a name="item_timeoutidle__3d_secondes"><strong>TIMEOUTidle</strong> = secondes</a></strong>
<dd>
Durée d'attente sur une connexion inactive
<p>Durée d'attente sur une connexion inactive</p>
</dd>
<p></p>
<dt><strong><strong>transparent</strong> = yes | no (Unix seulement)</strong><br />
</dt>
</li>
<dt><strong><strong>transparent</strong> = yes | no (Unix seulement)</strong>
<dd>
Mode mandataire transparent
<p>Mode mandataire transparent</p>
</dd>
<dd>
<p>Ré-écrit les adresses pour qu'elles apparaissent provenir de la
@ -580,7 +586,8 @@ option ne se combine pas au mode mandataire (<em>connect</em>) sauf si la
route par défaut du client vers la cible passe par l'hôte qui fait
tourner <strong>stunnel</strong>, qui ne peut être localhost.</p>
</dd>
<p></p></dl>
</li>
</dl>
<p>
</p>
<hr />
@ -613,18 +620,19 @@ qui lance imapd
<hr />
<h1><a name="fichiers">FICHIERS</a></h1>
<dl>
<dt><strong><a name="item_stunnel_2econf"><em>stunnel.conf</em></a></strong><br />
</dt>
<dt><strong><a name="item_stunnel_2econf"><em>stunnel.conf</em></a></strong>
<dd>
Fichier de configuration de <strong>stunnel</strong>
<p>Fichier de configuration de <strong>stunnel</strong></p>
</dd>
<p></p>
<dt><strong><a name="item_stunnel_2epem"><em>stunnel.pem</em></a></strong><br />
</dt>
</li>
<dt><strong><a name="item_stunnel_2epem"><em>stunnel.pem</em></a></strong>
<dd>
Certificat et clef privée de <strong>stunnel</strong>
<p>Certificat et clef privée de <strong>stunnel</strong></p>
</dd>
<p></p></dl>
</li>
</dl>
<p>
</p>
<hr />
@ -652,7 +660,7 @@ connexions entrantes et lance <strong>stunnel</strong>, par exemple avec <em>ine
<em>xinetd</em> ou <em>tcpserver</em>.</p>
<p>Si, par exemple, la ligne suivante se trouve dans <em>inetd.conf</em>&nbsp;:</p>
<pre>
imaps stream tcp nowait root /usr/sbin/stunnel stunnel /etc/stunnel/imaps.conf</pre>
imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf</pre>
<p>Dans ces cas, c'est le programme du genre <em>inetd</em>-style qui est
responsable de l'établissement de la connexion (<em>imaps</em> ci-dessus) et de passer
celle-ci à <strong>stunnel</strong>.
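Review bot: the inetd.conf example still launches stunnel as root (`nowait root`); the hunk only changes the binary path from /usr/sbin/stunnel to /usr/bin/stunnel. In inetd mode the listening socket is bound by inetd, so stunnel itself needs no privilege beyond read access to the certificate and key named in /etc/stunnel/imaps.conf; the example would be safer if the user column named an unprivileged account, or the prose pointed readers to the setuid/setgid options documented above. The absolute path also assumes the binary lands in /usr/bin, so a reader installing under another prefix has to adjust the line.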
@ -672,17 +680,17 @@ certificats se trouvent dans les pages indiqu
<p>Deux choses importantes lors de la génération de paires certificat-clef
pour <strong>stunnel</strong>&nbsp;:</p>
<ul>
<li></li>
la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen
<li>
<p>la clef privée ne peut être chiffrée puisque le serveur n'a aucun moyen
d'obtenir le mot de passe de l'utilisateur&nbsp;; pour produire une clef non chiffrée,
ajouter l'option <em>-nodes</em> à la commande <strong>req</strong> de <em>OpenSSL</em>&nbsp;;
<p></p>
<li></li>
l'ordre du contenu du fichier <em>.pem</em> est significatif&nbsp;: il doit contenir d'abord
ajouter l'option <em>-nodes</em> à la commande <strong>req</strong> de <em>OpenSSL</em>&nbsp;;</p>
</li>
<li>
<p>l'ordre du contenu du fichier <em>.pem</em> est significatif&nbsp;: il doit contenir d'abord
une clef privée non chiffrée, puis un certificat signé (et non une demande de certificat).
Il doit aussi y avoir des lignes vides après le certificat et après la clef privée.
L'information textuelle ajoutée au début d'un certificat doit être supprimée afin que
le fichier ait l'allure suivante&nbsp;:
le fichier ait l'allure suivante&nbsp;:</p>
<pre>
-----BEGIN RSA PRIVATE KEY-----
[clef encodée]
@ -692,7 +700,8 @@ le fichier ait l'allure suivante&nbsp;:
[certificat encodé]
-----END CERTIFICATE-----
[ligne vide]</pre>
<p></p></ul>
</li>
</ul>
<p>
</p>
<h2><a name="aleatoire">ALEATOIRE</a></h2>
@ -700,28 +709,29 @@ le fichier ait l'allure suivante&nbsp;:
number generator) afin que SSL utilise un aléatoire de qualité. Les sources suivantes
sont chargées dans l'ordre jusqu'à ce qu'une quantité suffisante de données soit lue&nbsp;:</p>
<ul>
<li></li>
le fichier spécifié par <em>RNDfile</em>&nbsp;;
<p></p>
<li></li>
le fichier spécifié par la variable d'environnement RANDFILE, à défaut
le fichier .rnd du répertoire $HOME de l'utilisateur&nbsp;;
<p></p>
<li></li>
le fichier spécifié par «&nbsp;--with-random&nbsp;» lors de la compilation&nbsp;;
<p></p>
<li></li>
le contenu de l'écran (MS-Windows seulement)&nbsp;;
<p></p>
<li></li>
le socket EGD spécifié par <em>EGD</em>&nbsp;;
<p></p>
<li></li>
le socket EGD spécifié par «&nbsp;--with-egd-sock&nbsp;» lors de la compilation&nbsp;;
<p></p>
<li></li>
le périphérique /dev/urandom.
<p></p></ul>
<li>
<p>le fichier spécifié par <em>RNDfile</em>&nbsp;;</p>
</li>
<li>
<p>le fichier spécifié par la variable d'environnement RANDFILE, à défaut
le fichier .rnd du répertoire $HOME de l'utilisateur&nbsp;;</p>
</li>
<li>
<p>le fichier spécifié par «&nbsp;--with-random&nbsp;» lors de la compilation&nbsp;;</p>
</li>
<li>
<p>le contenu de l'écran (MS-Windows seulement)&nbsp;;</p>
</li>
<li>
<p>le socket EGD spécifié par <em>EGD</em>&nbsp;;</p>
</li>
<li>
<p>le socket EGD spécifié par «&nbsp;--with-egd-sock&nbsp;» lors de la compilation&nbsp;;</p>
</li>
<li>
<p>le périphérique /dev/urandom.</p>
</li>
</ul>
<p>Avec un OpenSSL récent (&gt;=OpenSSL 0.9.5a) le chargement de données s'arrête
automatiquement lorsqu'un niveau d'entropie suffisant est atteint.
Les versions précédentes continuent à lire toutes les sources puisqu'aucune
@ -745,58 +755,61 @@ Ce n'est pas le comportement de <strong>stunnel</strong>, c'est celui d'OpenSSL.
<hr />
<h1><a name="voir_aussi">VOIR AUSSI</a></h1>
<dl>
<dt><strong><a name="item_tcpd"><a href="#item_tcpd">tcpd(8)</a></a></strong><br />
</dt>
<dt><strong><a name="item_tcpd"><a href="#item_tcpd">tcpd(8)</a></a></strong>
<dd>
Service de contrôle d'accès pour les services internet
<p>Service de contrôle d'accès pour les services internet</p>
</dd>
<p></p>
<dt><strong><a name="item_inetd"><a href="#item_inetd">inetd(8)</a></a></strong><br />
</dt>
</li>
<dt><strong><a name="item_inetd"><a href="#item_inetd">inetd(8)</a></a></strong>
<dd>
«&nbsp;super-serveur&nbsp;» internet
<p>«&nbsp;super-serveur&nbsp;» internet</p>
</dd>
<p></p>
<dt><strong><a name="item_http_3a_2f_2fstunnel_2emirt_2enet_2f"><em><a href="http://stunnel.mirt.net/">http://stunnel.mirt.net/</a></em></a></strong><br />
</dt>
</li>
<dt><strong><a name="item_http_3a_2f_2fstunnel_2emirt_2enet_2f"><em><a href="http://stunnel.mirt.net/">http://stunnel.mirt.net/</a></em></a></strong>
<dd>
Page de référence de <strong>stunnel</strong>
<p>Page de référence de <strong>stunnel</strong></p>
</dd>
<p></p>
<dt><strong><a name="item_http_3a_2f_2fwww_2estunnel_2eorg_2f"><em><a href="http://www.stunnel.org/">http://www.stunnel.org/</a></em></a></strong><br />
</dt>
</li>
<dt><strong><a name="item_http_3a_2f_2fwww_2estunnel_2eorg_2f"><em><a href="http://www.stunnel.org/">http://www.stunnel.org/</a></em></a></strong>
<dd>
Foire aux questions <strong>stunnel</strong>
<p>Foire aux questions <strong>stunnel</strong></p>
</dd>
<p></p>
<dt><strong><a name="item_http_3a_2f_2fwww_2eopenssl_2eorg_2f"><em><a href="http://www.openssl.org/">http://www.openssl.org/</a></em></a></strong><br />
</dt>
</li>
<dt><strong><a name="item_http_3a_2f_2fwww_2eopenssl_2eorg_2f"><em><a href="http://www.openssl.org/">http://www.openssl.org/</a></em></a></strong>
<dd>
Site web du projet OpenSSL
<p>Site web du projet OpenSSL</p>
</dd>
<p></p></dl>
</li>
</dl>
<p>
</p>
<hr />
<h1><a name="auteur">AUTEUR</a></h1>
<dl>
<dt><strong><a name="item_michal_trojnara">Michal Trojnara</a></strong><br />
</dt>
<dt><strong><a name="item_michal_trojnara">Michal Trojnara</a></strong>
<dd>
&lt;<em><a href="mailto:Michal.Trojnara@mirt.net">Michal.Trojnara@mirt.net</a></em>&gt;
<p>&lt;<em><a href="mailto:Michal.Trojnara@mirt.net">Michal.Trojnara@mirt.net</a></em>&gt;</p>
</dd>
<p></p></dl>
</li>
</dl>
<p>
</p>
<hr />
<h1><a name="adaptation_fran_aise">ADAPTATION FRANÇAISE</a></h1>
<dl>
<dt><strong><a name="item_bernard_choppy">Bernard Choppy</a></strong><br />
</dt>
<dt><strong><a name="item_bernard_choppy">Bernard Choppy</a></strong>
<dd>
&lt;<em>choppy AT free POINT fr</em>&gt;
<p>&lt;<em>choppy AT free POINT fr</em>&gt;</p>
</dd>
<p></p></dl>
</li>
</dl>
</body>

View file

@ -483,7 +483,7 @@ I<xinetd> ou I<tcpserver>.
Si, par exemple, la ligne suivante se trouve dans I<inetd.conf>E<nbsp>:
imaps stream tcp nowait root /usr/sbin/stunnel stunnel /etc/stunnel/imaps.conf
imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
Dans ces cas, c'est le programme du genre I<inetd>-style qui est
responsable de l'établissement de la connexion (I<imaps> ci-dessus) et de passer

Diff not shown due to its large size.

View file

@ -1,4 +1,4 @@
.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
.\"
.\" Standard preamble:
.\" ========================================================================
@ -25,11 +25,11 @@
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. | will give a
.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
.\" expand to `' in nroff, nothing in troff, for use with C<>.
.tr \(*W-|\(bv\*(Tr
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "STUNNEL.PL 8"
.TH STUNNEL.PL 8 "2006.11.15" "4.08" "stunnel"
.TH STUNNEL.PL 8 "2007.09.23" "4.08" "stunnel"
.SH "NAZWA"
.IX Header "NAZWA"
stunnel \- uniwersalny tunel protokołu \s-1SSL\s0
@ -405,6 +405,10 @@ po
.Sp
Jeżeli nie został podany adres, \fIstunnel\fR domyślnie łączy się
z lokalnym serwerem.
.Sp
Komenda mo¿e byc u¿yta wielokrotnie w pojedynczej sekcji
celem zapewnienia wysokiej niezawodno¶ci lub roz³o¿enia
ruchu pomiêdzy wiele serwerów.
.IP "\fBCRLpath\fR = katalog_CRL" 4
.IX Item "CRLpath = katalog_CRL"
katalog List Odwołanych Certyfikatów (\s-1CRL\s0)
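Review bot: the three added lines (`Komenda mo¿e byc u¿yta ...` through `... pomiêdzy wiele serwerów.`) are in a different encoding from the rest of this file: the surrounding text is UTF-8 (`Jeżeli nie został`), while the new lines carry ISO-8859-2 bytes (`¿`, `¶`, `³`, `ê` where ż, ś, ł, ę are meant), and `byc` should read `być`. Since this is Pod::Man output, the mismatch originates in the .pod source; re-encode the source paragraph and regenerate instead of patching the man page by hand.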
@ -658,7 +662,7 @@ program
Przykładowa linia pliku /etc/inetd.conf może wyglądać tak:
.PP
.Vb 2
\& imaps stream tcp nowait root /usr/sbin/stunnel
\& imaps stream tcp nowait root /usr/bin/stunnel
\& stunnel /etc/stunnel/imaps.conf
.Ve
.PP

Diff not shown due to its large size.

View file

@ -342,6 +342,10 @@ po
Jeżeli nie został podany adres, I<stunnel> domyślnie łączy się
z lokalnym serwerem.
Komenda mo瞠 byc u篡ta wielokrotnie w pojedynczej sekcji
celem zapewnienia wysokiej niezawodno軼i lub roz這瞠nia
ruchu pomi璠zy wiele serwer闚.
=item B<CRLpath> = katalog_CRL
katalog List Odwołanych Certyfikatów (CRL)
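Review bot: the added paragraph (`Komenda mo瞠 byc u篡ta ...`) is mis-encoded relative to the rest of the file: the adjacent lines are valid UTF-8 Polish (`Jeżeli nie został`), while the new lines show CJK characters where ż, ś, ł, ę and ó are expected, which is consistent with ISO-8859-2 bytes having been read through a double-byte CJK charset. This .pod is the source from which the man page and HTML are generated, so fixing the encoding here (and `byc` to `być`) and regenerating corrects all copies at once.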
@ -620,7 +624,7 @@ program
Przykładowa linia pliku /etc/inetd.conf może wyglądać tak:
imaps stream tcp nowait root /usr/sbin/stunnel
imaps stream tcp nowait root /usr/bin/stunnel
stunnel /etc/stunnel/imaps.conf
Ponieważ w takich przypadkach połączenie na zdefiniowanym porcie

View file

@ -322,9 +322,15 @@ default: no (server mode)
=item B<connect> = [host:]port
connect to remote host:port
connect to a remote host:port
If no host specified, defaults to localhost.
If no host is specified, the host defaults to localhost.
Multiple B<connect> options are allowed in a single service section.
If host resolves to multiple addresses and/or if multiple B<connect>
options are specified, then the remote address is chosen using a
round-robin algorithm.
=item B<CRLpath> = directory
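Review bot: the new paragraph describes address selection as round-robin but says nothing about failure handling, while the Polish translation in this same commit presents multiple `connect` options as providing high availability ("celem zapewnienia wysokiej niezawodności", i.e. "to ensure high reliability") as well as load distribution. State explicitly whether stunnel moves on to the next address when a connection attempt fails, or only rotates on each new client connection, so that both language versions make the same promise; minor: "If host resolves" reads better as "If the host resolves".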
@ -588,7 +594,7 @@ or I<tcpserver>.
For example, if you have the following line in I<inetd.conf>:
imaps stream tcp nowait root /usr/sbin/stunnel stunnel /etc/stunnel/imaps.conf
imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
In these cases, the I<inetd>-style program is responsible
for binding a network socket (I<imaps> above) and handing

View file

@ -4,20 +4,20 @@
common_headers = common.h prototypes.h
common_sources = file.c client.c log.c options.c protocol.c network.c resolver.c ssl.c ctx.c verify.c sthreads.c stunnel.c
unix_sources = pty.c
unix_sources = pty.c libwrap.c
shared_sources = env.c
win32_sources = gui.c resources.h resources.rc stunnel.ico
# Unix executable
sbin_PROGRAMS = stunnel
bin_PROGRAMS = stunnel
stunnel_SOURCES = $(common_headers) $(common_sources) $(unix_sources)
sbin_SCRIPTS = stunnel3
bin_SCRIPTS = stunnel3
# Unix shared library
lib_LTLIBRARIES = libstunnel.la
pkglib_LTLIBRARIES = libstunnel.la
libstunnel_la_SOURCES = $(shared_sources)
libstunnel_la_LDFLAGS = -avoid-version
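Review bot: `unix_sources = pty.c libwrap.c` compiles libwrap.c into every Unix build unconditionally; if tcp_wrappers support remains a configure-time option, libwrap.c must guard its body behind the configure result (or be added through an automake conditional), otherwise hosts without the tcp_wrappers headers fail to build. The sbin-to-bin move of both `bin_PROGRAMS` and `bin_SCRIPTS` also leaves any previously installed sbin copy in place; since sbin directories usually come first in root's PATH, a stale unpatched binary would keep being executed, so the upgrade notes should tell administrators to delete the old file.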
@ -27,7 +27,7 @@ INCLUDES = -I/usr/kerberos/include
# Additional compiler flags
AM_CPPFLAGS = -DLIBDIR='"$(libdir)"' -DCONFDIR='"$(sysconfdir)/stunnel"' -DPIDFILE='"$(prefix)/var/run/stunnel/stunnel.pid"'
AM_CPPFLAGS = -DLIBDIR='"$(pkglibdir)"' -DCONFDIR='"$(sysconfdir)/stunnel"' -DPIDFILE='"$(prefix)/var/run/stunnel/stunnel.pid"'
# Win32 executable
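Review bot: `AM_CPPFLAGS` is updated for `LIBDIR`, but `PIDFILE` still expands to `$(prefix)/var/run/stunnel/stunnel.pid`, which for `--prefix=/usr` yields /usr/var/run/stunnel/stunnel.pid, a directory that does not exist on FHS systems; `$(localstatedir)/run/stunnel/stunnel.pid` would follow the same FHS convention that motivates the sbin-to-bin move. It is also worth checking that the pid directory is writable by the setuid/setgid account if the file is written after privileges are dropped.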
@ -35,9 +35,17 @@ EXTRA_DIST = stunnel.exe make.bat mingw.mak makece.bat evc.mak vc.mak nogui.c os
EXTRA_PROGRAMS = stunnel.exe
stunnel_exe_SOURCES = $(common_headers) $(common_sources) $(win32_sources)
OPENSSLDIR=/usr/src/openssl-0.9.8d
WINCFLAGS=-O2 -Wall -I$(OPENSSLDIR)/outinc -DUSE_WIN32=1 -DVERSION=\"@VERSION@\"
WINLIBS=-L$(OPENSSLDIR)/out -lzdll -leay32 -lssl32 -lws2_32 -lgdi32 -mwindows
OPENSSLDIR=/usr/src/openssl-0.9.8g
WINCFLAGS=-O2 -Wall -I$(OPENSSLDIR)/include -DUSE_WIN32=1 -DVERSION=\"@VERSION@\"
WINLIBS=-L$(OPENSSLDIR) -lzdll -leay32 -lssl32 -lws2_32 -lgdi32 -mwindows
# OPENSSLDIR=/usr/src/openssl-0.9.7m-fips
# WINCFLAGS=-O2 -Wall -I$(OPENSSLDIR)/include -DUSE_WIN32=1 -DVERSION=\"@VERSION@\"
# WINLIBS=-L$(OPENSSLDIR) -lzdll -lcrypto -lssl -lws2_32 -lgdi32 -mwindows
# WINCFLAGS=-O2 -Wall -I/usr/src/openssl-0.9.7m/include -DUSE_WIN32=1 -DVERSION=\"@VERSION@\"
# WINLIBS=-L../../FIPS -leay32 -lssl32 -lws2_32 -lgdi32 -mwindows
WINOBJ=file.obj client.obj log.obj options.obj protocol.obj network.obj resolver.obj ssl.obj ctx.obj verify.obj sthreads.obj stunnel.obj gui.obj resources.obj
WINPREFIX=i586-mingw32msvc-
WINGCC=$(WINPREFIX)gcc
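Review bot: `OPENSSLDIR=/usr/src/openssl-0.9.8g` hardcodes a developer-machine path for the Win32 cross-build, and the commented-out `# OPENSSLDIR=/usr/src/openssl-0.9.7m-fips` / `# WINLIBS=-L../../FIPS ...` lines leave dead configuration in Makefile.am. Make OPENSSLDIR overridable (for example through a configure substitution) and move the FIPS variant into a documented make target or a separate include rather than comments, so that the shipped stunnel.exe can be reproduced against a known OpenSSL build instead of whatever happens to sit in /usr/src. The change from `-I$(OPENSSLDIR)/outinc` / `-L$(OPENSSLDIR)/out` to `-I$(OPENSSLDIR)/include` / `-L$(OPENSSLDIR)` should be mentioned in the build notes, since an OpenSSL tree built with the old layout will no longer link.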

View file

@ -1,4 +1,4 @@
# Makefile.in generated by automake 1.9.5 from Makefile.am.
# Makefile.in generated by automake 1.9.6 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
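Review bot: this file is regenerated with a newer automake (1.9.5 to 1.9.6), so most of the following hunks (`GREP = @GREP@`, `datarootdir`, `docdir`, `CCLD = @CCLD@`, the dropped `ac_ct_*` variables) are toolchain churn unrelated to the Makefile.am change. Either regenerate with the same automake version as the previous commit or separate the toolchain bump into its own commit, so reviewers can verify that the generated bin/pkglib/libwrap.c lines match Makefile.am without wading through noise.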
@ -18,8 +18,6 @@
SOURCES = $(libstunnel_la_SOURCES) $(stunnel_SOURCES) $(stunnel_exe_SOURCES)
srcdir = @srcdir@
top_srcdir = @top_srcdir@
VPATH = @srcdir@
@ -42,7 +40,7 @@ PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
sbin_PROGRAMS = stunnel$(EXEEXT)
bin_PROGRAMS = stunnel$(EXEEXT)
EXTRA_PROGRAMS = stunnel.exe$(EXEEXT)
subdir = src
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
@ -59,22 +57,22 @@ am__vpath_adj = case $$p in \
*) f=$$p;; \
esac;
am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(sbindir)" \
"$(DESTDIR)$(sbindir)"
libLTLIBRARIES_INSTALL = $(INSTALL)
LTLIBRARIES = $(lib_LTLIBRARIES)
am__installdirs = "$(DESTDIR)$(pkglibdir)" "$(DESTDIR)$(bindir)" \
"$(DESTDIR)$(bindir)"
pkglibLTLIBRARIES_INSTALL = $(INSTALL)
LTLIBRARIES = $(pkglib_LTLIBRARIES)
libstunnel_la_LIBADD =
am__objects_1 = env.lo
am_libstunnel_la_OBJECTS = $(am__objects_1)
libstunnel_la_OBJECTS = $(am_libstunnel_la_OBJECTS)
sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
PROGRAMS = $(sbin_PROGRAMS)
binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
PROGRAMS = $(bin_PROGRAMS)
am__objects_2 =
am__objects_3 = file.$(OBJEXT) client.$(OBJEXT) log.$(OBJEXT) \
options.$(OBJEXT) protocol.$(OBJEXT) network.$(OBJEXT) \
resolver.$(OBJEXT) ssl.$(OBJEXT) ctx.$(OBJEXT) \
verify.$(OBJEXT) sthreads.$(OBJEXT) stunnel.$(OBJEXT)
am__objects_4 = pty.$(OBJEXT)
am__objects_4 = pty.$(OBJEXT) libwrap.$(OBJEXT)
am_stunnel_OBJECTS = $(am__objects_2) $(am__objects_3) \
$(am__objects_4)
stunnel_OBJECTS = $(am_stunnel_OBJECTS)
@ -84,8 +82,8 @@ am_stunnel_exe_OBJECTS = $(am__objects_2) $(am__objects_3) \
$(am__objects_5)
stunnel_exe_OBJECTS = $(am_stunnel_exe_OBJECTS)
stunnel_exe_LDADD = $(LDADD)
sbinSCRIPT_INSTALL = $(INSTALL_SCRIPT)
SCRIPTS = $(sbin_SCRIPTS)
binSCRIPT_INSTALL = $(INSTALL_SCRIPT)
SCRIPTS = $(bin_SCRIPTS)
DEFAULT_INCLUDES = -I. -I$(srcdir)
depcomp = $(SHELL) $(top_srcdir)/auto/depcomp
am__depfiles_maybe = depfiles
@ -94,7 +92,6 @@ COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
$(AM_CFLAGS) $(CFLAGS)
CCLD = $(CC)
LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
$(AM_LDFLAGS) $(LDFLAGS) -o $@
SOURCES = $(libstunnel_la_SOURCES) $(stunnel_SOURCES) \
@ -115,6 +112,7 @@ AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CCLD = @CCLD@
CFLAGS = @CFLAGS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
@ -134,6 +132,7 @@ EGREP = @EGREP@
EXEEXT = @EXEEXT@
F77 = @F77@
FFLAGS = @FFLAGS@
GREP = @GREP@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
@ -160,12 +159,9 @@ SHELL = @SHELL@
STRIP = @STRIP@
USE_DH = @USE_DH@
VERSION = @VERSION@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_CXX = @ac_ct_CXX@
ac_ct_F77 = @ac_ct_F77@
ac_ct_RANLIB = @ac_ct_RANLIB@
ac_ct_STRIP = @ac_ct_STRIP@
am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
@ -182,23 +178,30 @@ build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
ssldir = @ssldir@
@ -206,14 +209,14 @@ sysconfdir = @sysconfdir@
target_alias = @target_alias@
common_headers = common.h prototypes.h
common_sources = file.c client.c log.c options.c protocol.c network.c resolver.c ssl.c ctx.c verify.c sthreads.c stunnel.c
unix_sources = pty.c
unix_sources = pty.c libwrap.c
shared_sources = env.c
win32_sources = gui.c resources.h resources.rc stunnel.ico
stunnel_SOURCES = $(common_headers) $(common_sources) $(unix_sources)
sbin_SCRIPTS = stunnel3
bin_SCRIPTS = stunnel3
# Unix shared library
lib_LTLIBRARIES = libstunnel.la
pkglib_LTLIBRARIES = libstunnel.la
libstunnel_la_SOURCES = $(shared_sources)
libstunnel_la_LDFLAGS = -avoid-version
@ -221,14 +224,21 @@ libstunnel_la_LDFLAGS = -avoid-version
INCLUDES = -I/usr/kerberos/include
# Additional compiler flags
AM_CPPFLAGS = -DLIBDIR='"$(libdir)"' -DCONFDIR='"$(sysconfdir)/stunnel"' -DPIDFILE='"$(prefix)/var/run/stunnel/stunnel.pid"'
AM_CPPFLAGS = -DLIBDIR='"$(pkglibdir)"' -DCONFDIR='"$(sysconfdir)/stunnel"' -DPIDFILE='"$(prefix)/var/run/stunnel/stunnel.pid"'
# Win32 executable
EXTRA_DIST = stunnel.exe make.bat mingw.mak makece.bat evc.mak vc.mak nogui.c os2.mak
stunnel_exe_SOURCES = $(common_headers) $(common_sources) $(win32_sources)
OPENSSLDIR = /usr/src/openssl-0.9.8d
WINCFLAGS = -O2 -Wall -I$(OPENSSLDIR)/outinc -DUSE_WIN32=1 -DVERSION=\"@VERSION@\"
WINLIBS = -L$(OPENSSLDIR)/out -lzdll -leay32 -lssl32 -lws2_32 -lgdi32 -mwindows
OPENSSLDIR = /usr/src/openssl-0.9.8g
WINCFLAGS = -O2 -Wall -I$(OPENSSLDIR)/include -DUSE_WIN32=1 -DVERSION=\"@VERSION@\"
WINLIBS = -L$(OPENSSLDIR) -lzdll -leay32 -lssl32 -lws2_32 -lgdi32 -mwindows
# OPENSSLDIR=/usr/src/openssl-0.9.7m-fips
# WINCFLAGS=-O2 -Wall -I$(OPENSSLDIR)/include -DUSE_WIN32=1 -DVERSION=\"@VERSION@\"
# WINLIBS=-L$(OPENSSLDIR) -lzdll -lcrypto -lssl -lws2_32 -lgdi32 -mwindows
# WINCFLAGS=-O2 -Wall -I/usr/src/openssl-0.9.7m/include -DUSE_WIN32=1 -DVERSION=\"@VERSION@\"
# WINLIBS=-L../../FIPS -leay32 -lssl32 -lws2_32 -lgdi32 -mwindows
WINOBJ = file.obj client.obj log.obj options.obj protocol.obj network.obj resolver.obj ssl.obj ctx.obj verify.obj sthreads.obj stunnel.obj gui.obj resources.obj
WINPREFIX = i586-mingw32msvc-
WINGCC = $(WINPREFIX)gcc
@ -269,59 +279,59 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
stunnel3: $(top_builddir)/config.status $(srcdir)/stunnel3.in
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
install-libLTLIBRARIES: $(lib_LTLIBRARIES)
install-pkglibLTLIBRARIES: $(pkglib_LTLIBRARIES)
@$(NORMAL_INSTALL)
test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)"
@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
test -z "$(pkglibdir)" || $(mkdir_p) "$(DESTDIR)$(pkglibdir)"
@list='$(pkglib_LTLIBRARIES)'; for p in $$list; do \
if test -f $$p; then \
f=$(am__strip_dir) \
echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \
$(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \
echo " $(LIBTOOL) --mode=install $(pkglibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(pkglibdir)/$$f'"; \
$(LIBTOOL) --mode=install $(pkglibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(pkglibdir)/$$f"; \
else :; fi; \
done
uninstall-libLTLIBRARIES:
uninstall-pkglibLTLIBRARIES:
@$(NORMAL_UNINSTALL)
@set -x; list='$(lib_LTLIBRARIES)'; for p in $$list; do \
@set -x; list='$(pkglib_LTLIBRARIES)'; for p in $$list; do \
p=$(am__strip_dir) \
echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \
$(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \
echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(pkglibdir)/$$p'"; \
$(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(pkglibdir)/$$p"; \
done
clean-libLTLIBRARIES:
-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
clean-pkglibLTLIBRARIES:
-test -z "$(pkglib_LTLIBRARIES)" || rm -f $(pkglib_LTLIBRARIES)
@list='$(pkglib_LTLIBRARIES)'; for p in $$list; do \
dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
test "$$dir" != "$$p" || dir=.; \
echo "rm -f \"$${dir}/so_locations\""; \
rm -f "$${dir}/so_locations"; \
done
libstunnel.la: $(libstunnel_la_OBJECTS) $(libstunnel_la_DEPENDENCIES)
$(LINK) -rpath $(libdir) $(libstunnel_la_LDFLAGS) $(libstunnel_la_OBJECTS) $(libstunnel_la_LIBADD) $(LIBS)
install-sbinPROGRAMS: $(sbin_PROGRAMS)
$(LINK) -rpath $(pkglibdir) $(libstunnel_la_LDFLAGS) $(libstunnel_la_OBJECTS) $(libstunnel_la_LIBADD) $(LIBS)
install-binPROGRAMS: $(bin_PROGRAMS)
@$(NORMAL_INSTALL)
test -z "$(sbindir)" || $(mkdir_p) "$(DESTDIR)$(sbindir)"
@list='$(sbin_PROGRAMS)'; for p in $$list; do \
test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)"
@list='$(bin_PROGRAMS)'; for p in $$list; do \
p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
if test -f $$p \
|| test -f $$p1 \
; then \
f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(sbindir)/$$f'"; \
$(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(sbindir)/$$f" || exit 1; \
echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \
$(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \
else :; fi; \
done
uninstall-sbinPROGRAMS:
uninstall-binPROGRAMS:
@$(NORMAL_UNINSTALL)
@list='$(sbin_PROGRAMS)'; for p in $$list; do \
@list='$(bin_PROGRAMS)'; for p in $$list; do \
f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
echo " rm -f '$(DESTDIR)$(sbindir)/$$f'"; \
rm -f "$(DESTDIR)$(sbindir)/$$f"; \
echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \
rm -f "$(DESTDIR)$(bindir)/$$f"; \
done
clean-sbinPROGRAMS:
@list='$(sbin_PROGRAMS)'; for p in $$list; do \
clean-binPROGRAMS:
@list='$(bin_PROGRAMS)'; for p in $$list; do \
f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
echo " rm -f $$p $$f"; \
rm -f $$p $$f ; \
@ -329,24 +339,24 @@ clean-sbinPROGRAMS:
stunnel$(EXEEXT): $(stunnel_OBJECTS) $(stunnel_DEPENDENCIES)
@rm -f stunnel$(EXEEXT)
$(LINK) $(stunnel_LDFLAGS) $(stunnel_OBJECTS) $(stunnel_LDADD) $(LIBS)
install-sbinSCRIPTS: $(sbin_SCRIPTS)
install-binSCRIPTS: $(bin_SCRIPTS)
@$(NORMAL_INSTALL)
test -z "$(sbindir)" || $(mkdir_p) "$(DESTDIR)$(sbindir)"
@list='$(sbin_SCRIPTS)'; for p in $$list; do \
test -z "$(bindir)" || $(mkdir_p) "$(DESTDIR)$(bindir)"
@list='$(bin_SCRIPTS)'; for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
if test -f $$d$$p; then \
f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \
echo " $(sbinSCRIPT_INSTALL) '$$d$$p' '$(DESTDIR)$(sbindir)/$$f'"; \
$(sbinSCRIPT_INSTALL) "$$d$$p" "$(DESTDIR)$(sbindir)/$$f"; \
echo " $(binSCRIPT_INSTALL) '$$d$$p' '$(DESTDIR)$(bindir)/$$f'"; \
$(binSCRIPT_INSTALL) "$$d$$p" "$(DESTDIR)$(bindir)/$$f"; \
else :; fi; \
done
uninstall-sbinSCRIPTS:
uninstall-binSCRIPTS:
@$(NORMAL_UNINSTALL)
@list='$(sbin_SCRIPTS)'; for p in $$list; do \
@list='$(bin_SCRIPTS)'; for p in $$list; do \
f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \
echo " rm -f '$(DESTDIR)$(sbindir)/$$f'"; \
rm -f "$(DESTDIR)$(sbindir)/$$f"; \
echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \
rm -f "$(DESTDIR)$(bindir)/$$f"; \
done
mostlyclean-compile:
@ -360,6 +370,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/env.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/file.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gui.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libwrap.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/network.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/options.Po@am__quote@
@ -481,7 +492,7 @@ check-am: all-am
check: check-am
all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(SCRIPTS)
installdirs:
for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(sbindir)"; do \
for dir in "$(DESTDIR)$(pkglibdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(bindir)"; do \
test -z "$$dir" || $(mkdir_p) "$$dir"; \
done
install: install-am
@ -510,8 +521,8 @@ maintainer-clean-generic:
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am
clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \
clean-sbinPROGRAMS mostlyclean-am
clean-am: clean-binPROGRAMS clean-generic clean-libtool \
clean-pkglibLTLIBRARIES mostlyclean-am
distclean: distclean-am
-rm -rf ./$(DEPDIR)
@ -531,8 +542,8 @@ info-am:
install-data-am:
install-exec-am: install-libLTLIBRARIES install-sbinPROGRAMS \
install-sbinSCRIPTS
install-exec-am: install-binPROGRAMS install-binSCRIPTS \
install-pkglibLTLIBRARIES
install-info: install-info-am
@ -558,23 +569,23 @@ ps: ps-am
ps-am:
uninstall-am: uninstall-info-am uninstall-libLTLIBRARIES \
uninstall-sbinPROGRAMS uninstall-sbinSCRIPTS
uninstall-am: uninstall-binPROGRAMS uninstall-binSCRIPTS \
uninstall-info-am uninstall-pkglibLTLIBRARIES
.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
clean-libLTLIBRARIES clean-libtool clean-sbinPROGRAMS ctags \
.PHONY: CTAGS GTAGS all all-am check check-am clean clean-binPROGRAMS \
clean-generic clean-libtool clean-pkglibLTLIBRARIES ctags \
distclean distclean-compile distclean-generic \
distclean-libtool distclean-tags distdir dvi dvi-am html \
html-am info info-am install install-am install-data \
install-data-am install-exec install-exec-am install-info \
install-info-am install-libLTLIBRARIES install-man \
install-sbinPROGRAMS install-sbinSCRIPTS install-strip \
installcheck installcheck-am installdirs maintainer-clean \
html-am info info-am install install-am install-binPROGRAMS \
install-binSCRIPTS install-data install-data-am install-exec \
install-exec-am install-info install-info-am install-man \
install-pkglibLTLIBRARIES install-strip installcheck \
installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-compile \
mostlyclean-generic mostlyclean-libtool mostlyclean-local pdf \
pdf-am ps ps-am tags uninstall uninstall-am uninstall-info-am \
uninstall-libLTLIBRARIES uninstall-sbinPROGRAMS \
uninstall-sbinSCRIPTS
pdf-am ps ps-am tags uninstall uninstall-am \
uninstall-binPROGRAMS uninstall-binSCRIPTS uninstall-info-am \
uninstall-pkglibLTLIBRARIES
stunnel.exe: $(WINOBJ)

View file

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (c) 1998-2006 Michal Trojnara <Michal.Trojnara@mirt.net>
* Copyright (c) 1998-2007 Michal Trojnara <Michal.Trojnara@mirt.net>
* All Rights Reserved
*
* This program is free software; you can redistribute it and/or modify
@ -15,7 +15,7 @@
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, Michal Trojnara gives
* permission to link the code of this program with the OpenSSL
@ -44,13 +44,6 @@
#define SHUT_RDWR 2
#endif
/* TCP wrapper */
#ifdef USE_LIBWRAP
#include <tcpd.h>
int allow_severity=LOG_NOTICE;
int deny_severity=LOG_WARNING;
#endif
#if SSLEAY_VERSION_NUMBER >= 0x0922
static char *sid_ctx="stunnel SID";
/* const allowed here */
@ -65,7 +58,6 @@ static void transfer(CLI *);
static void parse_socket_error(CLI *, const char *);
static void print_cipher(CLI *);
static void auth_libwrap(CLI *);
static void auth_user(CLI *);
static int connect_local(CLI *);
#ifndef USE_WIN32
@ -238,7 +230,9 @@ static void init_local(CLI *c) {
/* It's a socket: lets setup options */
if(set_socket_options(c->local_rfd.fd, 1)<0)
longjmp(c->err, 1);
#ifdef USE_LIBWRAP
auth_libwrap(c);
#endif /* USE_LIBWRAP */
auth_user(c);
s_log(LOG_NOTICE, "%s accepted connection from %s",
c->opt->servname, c->accepted_address);
@ -278,6 +272,9 @@ static void init_remote(CLI *c) {
static void init_ssl(CLI *c) {
int i, err;
SSL_SESSION *old_session;
#ifdef USE_FIPS
const unsigned char key[8]={0, 0, 0, 0, 0, 0, 0, 0};
#endif /* USE_FIPS */
if(!(c->ssl=SSL_new(c->opt->ctx))) {
sslerror("SSL_new");
@ -319,10 +316,21 @@ static void init_ssl(CLI *c) {
}
while(1) {
/* There are two reasons for a critical section here:
* 1. SSL_accept session negotiation has some MT-safety problems
* 2. openssl-fips-1.1.1 has a nasty bug in PRNG initialization
* and the workaround must be inside a critical section */
enter_critical_section(CRIT_SSL);
#ifdef USE_FIPS
/* workaround for openssl-fips-1.1.1 bug */
FIPS_set_prng_key(key, key); /* doesn't it break PRNG security? */
FIPS_rand_seed(NULL, 0);
#endif /* USE_FIPS */
if(c->opt->option.client)
i=SSL_connect(c->ssl);
else
i=SSL_accept(c->ssl);
leave_critical_section(CRIT_SSL);
err=SSL_get_error(c->ssl, i);
if(err==SSL_ERROR_NONE)
break; /* ok -> done */
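Review bot: the FIPS workaround in this hunk keys the PRNG with a constant. `key` is eight zero bytes, `FIPS_set_prng_key(key, key)` passes that same zero buffer as both arguments, and `FIPS_rand_seed(NULL, 0)` adds no seed material, so this code contributes no secret state to the PRNG; the in-line comment ("doesn't it break PRNG security?") already flags the concern and should not ship unresolved. Either confine the call to the exact openssl-fips-1.1.1 build that needs it (a version check rather than a blanket `#ifdef USE_FIPS`) or fill `key` from an entropy source such as RAND_bytes() before calling FIPS_set_prng_key(), and record in the comment which FIPS version is affected and why. Running it for every handshake inside CRIT_SSL also serialises all TLS handshakes; if it is only needed once, do it at initialisation instead.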
@ -719,55 +727,6 @@ static void print_cipher(CLI *c) { /* print negotiated cipher */
#endif
}
static void auth_libwrap(CLI *c) {
#ifdef USE_LIBWRAP
struct request_info request;
int fd[2];
int result=0; /* deny by default */
if(pipe(fd)<0) {
ioerror("pipe");
longjmp(c->err, 1);
}
if(alloc_fd(fd[0]) || alloc_fd(fd[1]))
longjmp(c->err, 1);
switch(fork()) {
case -1: /* error */
close(fd[0]);
close(fd[1]);
ioerror("fork");
longjmp(c->err, 1);
case 0: /* child */
close(fd[0]); /* read side */
request_init(&request,
RQ_DAEMON, c->opt->servname, RQ_FILE, c->local_rfd.fd, 0);
fromhost(&request);
result=hosts_access(&request);
write_blocking(c, fd[1], (u8 *)&result, sizeof(result));
/* ignore the returned error */
close(fd[1]); /* write side */
_exit(0);
default: /* parent */
close(fd[1]); /* write side */
read_blocking(c, fd[0], (u8 *)&result, sizeof(result));
/* ignore the returned error */
close(fd[0]); /* read side */
/* no need to wait() for zombies here:
* - in UCONTEXT/PTHREAD mode they're removed using the signal pipe
* - in FORK mode they're removed with the client process */
}
if(!result) {
s_log(LOG_WARNING, "Connection from %s REFUSED by libwrap",
c->accepted_address);
s_log(LOG_DEBUG, "See hosts_access(5) manual for details");
longjmp(c->err, 1);
}
s_log(LOG_DEBUG, "Connection from %s permitted by libwrap",
c->accepted_address);
#endif
}
static void auth_user(CLI *c) {
#ifndef _WIN32_WCE
struct servent *s_ent; /* structure for getservbyname */

View file

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (c) 1998-2006 Michal Trojnara <Michal.Trojnara@mirt.net>
* Copyright (c) 1998-2007 Michal Trojnara <Michal.Trojnara@mirt.net>
* All Rights Reserved
*
* This program is free software; you can redistribute it and/or modify
@ -15,7 +15,7 @@
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*/
#ifndef COMMON_H
@ -27,6 +27,8 @@
#define VERSION "undefined"
#endif
#define LIBWRAP_CLIENTS 5
#ifdef OPTIMIZE_SCALABILITY
/* CPU stack size */
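Review bot: `#define LIBWRAP_CLIENTS 5` is an undocumented magic number. Add a comment stating that it is the number of pre-spawned libwrap helper processes (presumably the `num` handed to libwrap_init() in the new libwrap.c) and that callers block in auth_libwrap() when all of them are busy, and consider exposing it as a configuration option so deployments with many concurrent accepts can raise it without recompiling.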
@ -64,6 +66,7 @@
#ifdef USE_WIN32
#define USE_IPv6
/* #define USE_FIPS */
#endif
#ifdef _WIN32_WCE
@ -308,6 +311,13 @@ extern char *sys_errlist[];
/**************************************** OpenSSL headers */
#ifdef HAVE_OPENSSL
#define OPENSSL_THREAD_DEFINES
#include <openssl/opensslconf.h>
#if !defined(OPENSSL_THREADS) && defined(USE_PTHREAD)
#error OpenSSL library compiled without thread support
#endif /* !OPENSSL_THREADS && USE_PTHREAD */
#include <openssl/lhash.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
@ -315,19 +325,29 @@ extern char *sys_errlist[];
#include <openssl/rand.h>
#include <openssl/md4.h>
#include <openssl/des.h>
#ifdef HAVE_OSSL_ENGINE_H
#include <openssl/engine.h>
#endif
#endif /* HAVE_OSSL_ENGINE_H */
#if SSLEAY_VERSION_NUMBER >= 0x00907000L
#include <openssl/ocsp.h>
#endif /* OpenSSL-0.9.7 */
#ifdef USE_FIPS
#include <openssl/fips.h>
#include <openssl/fips_rand.h>
#endif /* USE_FIPS */
#else /* HAVE_OPENSSL */
#include <lhash.h>
#include <ssl.h>
#include <err.h>
#include <crypto.h> /* for CRYPTO_* and SSLeay_version */
#include <crypto.h>
#include <md4.h>
#include <des.h>
#endif /* HAVE_OPENSSL */
/**************************************** Other defines */
@ -339,7 +359,7 @@ extern char *sys_errlist[];
(dst[STRLEN-1]='\0', strncat((dst), (src), STRLEN-strlen(dst)-1))
/* change all non-printable characters to '.' */
#define safestring(s) \
do {unsigned char *p; for(p=(s); *p; p++) \
do {unsigned char *p; for(p=(unsigned char *)(s); *p; p++) \
if(!isprint((int)*p)) *p='.';} while(0)
/* change all unsafe characters to '.' */
#define safename(s) \

View file

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (c) 1998-2006 Michal Trojnara <Michal.Trojnara@mirt.net>
* Copyright (c) 1998-2007 Michal Trojnara <Michal.Trojnara@mirt.net>
* All Rights Reserved
*
* This program is free software; you can redistribute it and/or modify
@ -15,7 +15,7 @@
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, Michal Trojnara gives
* permission to link the code of this program with the OpenSSL
@ -123,7 +123,6 @@ void context_init(LOCAL_OPTIONS *section) { /* init SSL context */
load_certificate(section);
verify_init(section); /* initialize certificate verification */
SSL_CTX_set_info_callback(section->ctx, info_callback);
s_log(LOG_DEBUG, "SSL context initialized for service %s",
section->servname);

View file

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (c) 1998-2006 Michal Trojnara <Michal.Trojnara@mirt.net>
* Copyright (c) 1998-2007 Michal Trojnara <Michal.Trojnara@mirt.net>
* All Rights Reserved
*
* This program is free software; you can redistribute it and/or modify
@ -15,7 +15,7 @@
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, Michal Trojnara gives
* permission to link the code of this program with the OpenSSL

View file

@ -5,7 +5,7 @@ WCEVER=300
# Modify this to point to your actual openssl compile directory
# (You did already compile openssl, didn't you???)
SSLDIR=..\..\build\openssl-0.9.8d
SSLDIR=..\..\build\openssl-0.9.8e
COMPATDIR=..\..\build\wcecompat
CEUTILSDIR=..\..\ceutils
DSTDIR=ce:\stunnel

View file

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (c) 1998-2006 Michal Trojnara <Michal.Trojnara@mirt.net>
* Copyright (c) 1998-2007 Michal Trojnara <Michal.Trojnara@mirt.net>
* All Rights Reserved
*
* This program is free software; you can redistribute it and/or modify
@ -15,7 +15,7 @@
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, Michal Trojnara gives
* permission to link the code of this program with the OpenSSL

View file

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (c) 1998-2006 Michal Trojnara <Michal.Trojnara@mirt.net>
* Copyright (c) 1998-2007 Michal Trojnara <Michal.Trojnara@mirt.net>
* All Rights Reserved
*
* This program is free software; you can redistribute it and/or modify
@ -15,7 +15,7 @@
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, Michal Trojnara gives
* permission to link the code of this program with the OpenSSL
@ -72,7 +72,7 @@ static struct LIST {
} *head=NULL, *tail=NULL;
static HINSTANCE ghInst;
static HWND EditControl=NULL;
static HMENU htraymenu;
static HMENU htraymenu=NULL;
#ifndef _WIN32_WCE
static HMENU hmainmenu;
#endif
@ -297,7 +297,7 @@ static int win_main(HINSTANCE hInstance, HINSTANCE hPrevInstance,
#endif
/* create main window */
if(options.option.taskbar) {/* save menu resources */
if(options.option.taskbar) { /* save menu resources */
htraymenu=LoadMenu(ghInst, MAKEINTRESOURCE(IDM_TRAYMENU));
hpopup=GetSubMenu(htraymenu, 0);
}
@ -313,12 +313,15 @@ static int win_main(HINSTANCE hInstance, HINSTANCE hPrevInstance,
NULL, hmainmenu, hInstance, NULL);
#endif
if(cmdline.service) /* do not allow to save file in the service mode */
EnableMenuItem(hmainmenu, IDM_SAVEAS, MF_GRAYED);
if(error_mode) /* log window is hidden by default */
set_visible(1);
else /* create the main thread */
_beginthread(ThreadFunc, 0, NULL);
while (GetMessage(&msg, NULL, 0, 0)) {
while(GetMessage(&msg, NULL, 0, 0)) {
TranslateMessage(&msg);
DispatchMessage(&msg);
}
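Review bot: the new `EnableMenuItem(hmainmenu, IDM_SAVEAS, MF_GRAYED);` is placed after the `#endif` that closes the `#ifndef _WIN32_WCE` block, but `hmainmenu` is itself declared only under `#ifndef _WIN32_WCE` (see the `static HMENU hmainmenu;` hunk earlier in this file), so the Windows CE build will no longer compile. Move the two new lines inside the `#ifndef _WIN32_WCE` block or guard them the same way. Greying the item is cosmetic anyway; the real enforcement is the `if(cmdline.service) return;` added to save_file() later in this diff, which is the right place for the check.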
@ -367,9 +370,9 @@ static LRESULT CALLBACK wndProc(HWND hwnd, UINT message, WPARAM wParam, LPARAM l
if(message!=WM_CTLCOLORSTATIC && message!=WM_TIMER)
s_log(LOG_DEBUG, "Window message: %d", message);
#endif
switch (message) {
switch(message) {
case WM_CREATE:
if (options.option.taskbar) /* taskbar update enabled? */
if(options.option.taskbar) /* taskbar update enabled? */
SetTimer(hwnd, 0x29a, 1000, NULL); /* 1-second timer */
#ifdef _WIN32_WCE
@ -586,6 +589,9 @@ static void save_file(HWND hwnd) {
LPSTR str;
DWORD nWritten;
if(cmdline.service) /* do not allow to save file in the service mode */
return;
ZeroMemory(&ofn, sizeof(ofn));
szFileName[0]='\0';
@ -728,6 +734,7 @@ static int service_initialize(void) {
{0, 0}
};
options.option.taskbar=0; /* disable taskbar for security */
if(!StartServiceCtrlDispatcher(serviceTable)) {
error_box(TEXT("StartServiceCtrlDispatcher"));
return 1;
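Review bot: `options.option.taskbar=0; /* disable taskbar for security */` does not say what the security concern is. Spell it out in the comment (a service process should not be creating interactive UI such as a tray icon and menu), and note that this silently overrides whatever `taskbar` value the configuration set, so the manual should state that the option is ignored in service mode.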

src/libwrap.c  Normal file  (248 lines added)
View file

@ -0,0 +1,248 @@
/*
* stunnel Universal SSL tunnel
* Copyright (c) 1998-2007 Michal Trojnara <Michal.Trojnara@mirt.net>
* All Rights Reserved
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, Michal Trojnara gives
* permission to link the code of this program with the OpenSSL
* library (or with modified versions of OpenSSL that use the same
* license as OpenSSL), and distribute linked combinations including
* the two. You must obey the GNU General Public License in all
* respects for all of the code used other than OpenSSL. If you modify
* this file, you may extend this exception to your version of the
* file, but you are not obligated to do so. If you do not wish to
* do so, delete this exception statement from your version.
*/
#include "common.h"
#include "prototypes.h"
#ifdef USE_LIBWRAP
#include <tcpd.h>
static int check_libwrap(char *, int);
int allow_severity=LOG_NOTICE, deny_severity=LOG_WARNING;
#ifdef USE_PTHREAD
static ssize_t read_fd(int, void *, size_t, int *);
static ssize_t write_fd(int, void *, size_t, int);
int nproc=0;
static int *ipc_socket, *busy;
#endif /* USE_PTHREAD */
#define HAVE_MSGHDR_MSG_CONTROL 1
void libwrap_init(int num) {
#ifdef USE_PTHREAD
int i, rfd, result;
char servname[STRLEN];
nproc=num;
if(!nproc) /* no extra processes to spawn */
return;
ipc_socket=calloc(2*nproc, sizeof(int));
busy=calloc(nproc, sizeof(int));
if(!ipc_socket || !busy) {
s_log(LOG_ERR, "Memory allocation failed");
exit(1);
}
for(i=0; i<nproc; ++i) { /* spawn a child */
if(socketpair(AF_UNIX, SOCK_STREAM, 0, ipc_socket+2*i)) {
sockerror("socketpair");
exit(1);
}
switch(fork()) {
case -1: /* error */
ioerror("fork");
exit(1);
case 0: /* child */
close(ipc_socket[2*i]); /* server side */
while(1) { /* main libwrap client loop */
read_fd(ipc_socket[2*i+1], servname, STRLEN, &rfd);
result=check_libwrap(servname, rfd);
write(ipc_socket[2*i+1], (u8 *)&result, sizeof(result));
if(rfd>=0)
close(rfd);
}
default: /* parent */
#ifdef FD_CLOEXEC
fcntl(ipc_socket[2*i], F_SETFD, FD_CLOEXEC); /* server side */
#endif
close(ipc_socket[2*i+1]); /* client side */
}
}
#endif /* USE_PTHREAD */
}
void auth_libwrap(CLI *c) {
int result=0; /* deny by default */
#ifdef USE_PTHREAD
static int num_busy=0, rr=0;
static pthread_mutex_t mutex=PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t cond=PTHREAD_COND_INITIALIZER;
if(nproc) {
s_log(LOG_DEBUG, "Waiting for a libwrap process");
pthread_mutex_lock(&mutex);
while(num_busy>=nproc) /* all child processes are busy */
pthread_cond_wait(&cond, &mutex);
while(busy[rr]) /* find a free child process */
rr=(rr+1)%nproc;
++num_busy; /* the child process has been allocated */
busy[rr]=1; /* mark the child process as busy */
pthread_mutex_unlock(&mutex);
s_log(LOG_DEBUG, "Acquired libwrap process #%d", rr);
write_fd(ipc_socket[2*rr], c->opt->servname,
strlen(c->opt->servname)+1, c->local_rfd.fd);
read_blocking(c, ipc_socket[2*rr], (u8 *)&result, sizeof(result));
s_log(LOG_DEBUG, "Releasing libwrap process #%d", rr);
pthread_mutex_lock(&mutex);
busy[rr]=0; /* mark the child process as free */
--num_busy; /* the child process has been released */
pthread_cond_signal(&cond); /* signal other waiting threads */
pthread_mutex_unlock(&mutex);
s_log(LOG_DEBUG, "Released libwrap process #%d", rr);
} else
#endif /* USE_PTHREAD */
{ /* use original, synchronous libwrap calls */
enter_critical_section(CRIT_LIBWRAP);
result=check_libwrap(c->opt->servname, c->local_rfd.fd);
leave_critical_section(CRIT_LIBWRAP);
}
if(!result) {
s_log(LOG_WARNING, "%s REFUSED by libwrap from %s",
c->opt->servname, c->accepted_address);
s_log(LOG_DEBUG, "See hosts_access(5) manual for details");
longjmp(c->err, 1);
}
s_log(LOG_DEBUG, "%s permitted by libwrap from %s",
c->opt->servname, c->accepted_address);
}
static int check_libwrap(char *name, int fd) {
struct request_info request;
request_init(&request, RQ_DAEMON, name, RQ_FILE, fd, 0);
fromhost(&request);
return hosts_access(&request);
}
#ifdef USE_PTHREAD
static ssize_t read_fd(int fd, void *ptr, size_t nbytes, int *recvfd) {
struct msghdr msg;
struct iovec iov[1];
ssize_t n;
#ifdef HAVE_MSGHDR_MSG_CONTROL
union {
struct cmsghdr cm;
char control[CMSG_SPACE(sizeof(int))];
} control_un;
struct cmsghdr *cmptr;
msg.msg_control=control_un.control;
msg.msg_controllen=sizeof(control_un.control);
#else
int newfd;
msg.msg_accrights=(caddr_t)&newfd;
msg.msg_accrightslen=sizeof(int);
#endif
msg.msg_name=NULL;
msg.msg_namelen=0;
iov[0].iov_base=ptr;
iov[0].iov_len=nbytes;
msg.msg_iov=iov;
msg.msg_iovlen=1;
*recvfd=-1; /* descriptor was not passed */
n=recvmsg(fd, &msg, 0);
if(n<=0)
return n;
#ifdef HAVE_MSGHDR_MSG_CONTROL
cmptr=CMSG_FIRSTHDR(&msg);
if(!cmptr || cmptr->cmsg_len!=CMSG_LEN(sizeof(int)))
return n;
if(cmptr->cmsg_level!=SOL_SOCKET) {
s_log(LOG_ERR, "control level != SOL_SOCKET");
return -1;
}
if(cmptr->cmsg_type!=SCM_RIGHTS) {
s_log(LOG_ERR, "control type != SCM_RIGHTS");
return -1;
}
*recvfd=*((int *)CMSG_DATA(cmptr));
#else
if(msg.msg_accrightslen==sizeof(int))
*recvfd=newfd;
#endif
return n;
}
static ssize_t write_fd(int fd, void *ptr, size_t nbytes, int sendfd) {
struct msghdr msg;
struct iovec iov[1];
#ifdef HAVE_MSGHDR_MSG_CONTROL
union {
struct cmsghdr cm;
char control[CMSG_SPACE(sizeof(int))];
} control_un;
struct cmsghdr *cmptr;
msg.msg_control=control_un.control;
msg.msg_controllen=sizeof(control_un.control);
cmptr=CMSG_FIRSTHDR(&msg);
cmptr->cmsg_len=CMSG_LEN(sizeof(int));
cmptr->cmsg_level=SOL_SOCKET;
cmptr->cmsg_type=SCM_RIGHTS;
*((int *)CMSG_DATA(cmptr))=sendfd;
#else
msg.msg_accrights=(caddr_t)&sendfd;
msg.msg_accrightslen=sizeof(int);
#endif
msg.msg_name=NULL;
msg.msg_namelen=0;
iov[0].iov_base=ptr;
iov[0].iov_len=nbytes;
msg.msg_iov=iov;
msg.msg_iovlen=1;
return sendmsg(fd, &msg, 0);
}
#endif /* USE_PTHREAD */
#endif /* USE_LIBWRAP */
/* End of libwrap.c */
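Review bot: the child loop in libwrap_init() never checks the return value of `read_fd()`. When the parent exits or closes its end of the socketpair, recvmsg() returns 0 and the child spins forever, calling check_libwrap() with a stale or uninitialised `servname` and `rfd==-1` and then write()ing into a dead socket; break out and `_exit()` when `read_fd()` returns <= 0, and force NUL termination of `servname` rather than trusting the sender's `strlen()+1`. On the parent side in auth_libwrap(), the return value of `write_fd()` is ignored and, if `read_blocking()` bails out via `longjmp(c->err, 1)`, `busy[rr]` and `num_busy` are never reset, so the helper slot leaks permanently and every later client eventually blocks in `pthread_cond_wait()`; release the slot on the error path before leaving the function. Minor points: `write(ipc_socket[2*i+1], ...)` is also unchecked, `*((int *)CMSG_DATA(cmptr))` should be a memcpy() to avoid alignment assumptions, and `#define HAVE_MSGHDR_MSG_CONTROL 1` is hard-coded instead of detected by configure, which makes the `msg_accrights` branch dead code.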

View file

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (c) 1998-2006 Michal Trojnara <Michal.Trojnara@mirt.net>
* Copyright (c) 1998-2007 Michal Trojnara <Michal.Trojnara@mirt.net>
* All Rights Reserved
*
* This program is free software; you can redistribute it and/or modify
@ -15,7 +15,7 @@
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, Michal Trojnara gives
* permission to link the code of this program with the OpenSSL

View file

@ -1,4 +1,4 @@
# Simple Makefile.w32 for stunnel.exe by Michal Trojnara 1998-2006
# Simple Makefile.w32 for stunnel.exe by Michal Trojnara 1998-2007
#
# Modified by Brian Hatch (bri@stunnel.org)
@ -8,7 +8,7 @@
# Modify this to point to your actual openssl compile directory
# (You did already compile openssl, didn't you???)
SSLDIR=../openssl-0.9.8d
SSLDIR=../openssl-0.9.8e
DEFINES=-DUSE_WIN32 -DHAVE_OPENSSL

View file

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (c) 1998-2006 Michal Trojnara <Michal.Trojnara@mirt.net>
* Copyright (c) 1998-2007 Michal Trojnara <Michal.Trojnara@mirt.net>
* All Rights Reserved
*
* This program is free software; you can redistribute it and/or modify
@ -15,7 +15,7 @@
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, Michal Trojnara gives
* permission to link the code of this program with the OpenSSL

View file

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (c) 1998-2006 Michal Trojnara <Michal.Trojnara@mirt.net>
* Copyright (c) 1998-2007 Michal Trojnara <Michal.Trojnara@mirt.net>
* All Rights Reserved
*
* This program is free software; you can redistribute it and/or modify
@ -15,7 +15,7 @@
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, Michal Trojnara gives
* permission to link the code of this program with the OpenSSL

View file

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (c) 1998-2006 Michal Trojnara <Michal.Trojnara@mirt.net>
* Copyright (c) 1998-2007 Michal Trojnara <Michal.Trojnara@mirt.net>
* All Rights Reserved
*
* This program is free software; you can redistribute it and/or modify
@ -15,7 +15,7 @@
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, Michal Trojnara gives
* permission to link the code of this program with the OpenSSL
@ -203,6 +203,31 @@ static char *global_options(CMD cmd, char *opt, char *arg) {
}
#endif
/* fips */
#ifdef USE_FIPS
switch(cmd) {
case CMD_INIT:
options.option.fips=1;
break;
case CMD_EXEC:
if(strcasecmp(opt, "fips"))
break;
if(!strcasecmp(arg, "yes"))
options.option.fips=1;
else if(!strcasecmp(arg, "no"))
options.option.fips=0;
else
return "Argument should be either 'yes' or 'no'";
return NULL; /* OK */
case CMD_DEFAULT:
break;
case CMD_HELP:
log_raw("%-15s = yes|no FIPS 140-2 mode",
"fips");
break;
}
#endif /* USE_FIPS */
/* foreground */
#ifndef USE_WIN32
switch(cmd) {
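Review bot: `case CMD_DEFAULT: break;` leaves the `fips` default out of the defaults listing that the other options print (compare the `ciphers` handler in this file, which does `log_raw("%-15s = %s", ...)` for CMD_DEFAULT). Since CMD_INIT turns FIPS mode on, print `fips = yes` there so users of a FIPS build can see from the defaults output that they are in FIPS mode unless they opt out.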
@ -554,9 +579,14 @@ static char *service_options(CMD cmd, LOCAL_OPTIONS *section,
}
/* ciphers */
#ifdef USE_FIPS
#define STUNNEL_DEFAULT_CIPHER_LIST "FIPS"
#else
#define STUNNEL_DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST
#endif /* USE_FIPS */
switch(cmd) {
case CMD_INIT:
section->cipher_list=SSL_DEFAULT_CIPHER_LIST;
section->cipher_list=STUNNEL_DEFAULT_CIPHER_LIST;
break;
case CMD_EXEC:
if(strcasecmp(opt, "ciphers"))
@ -564,7 +594,7 @@ static char *service_options(CMD cmd, LOCAL_OPTIONS *section,
section->cipher_list=stralloc(arg);
return NULL; /* OK */
case CMD_DEFAULT:
log_raw("%-15s = %s", "ciphers", SSL_DEFAULT_CIPHER_LIST);
log_raw("%-15s = %s", "ciphers", STUNNEL_DEFAULT_CIPHER_LIST);
break;
case CMD_HELP:
log_raw("%-15s = list of permitted SSL ciphers", "ciphers");
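Review bot: STUNNEL_DEFAULT_CIPHER_LIST is selected at compile time by `#ifdef USE_FIPS`, but the `fips` option introduced in the previous hunk is a runtime yes/no switch. In a USE_FIPS build with `fips = no` the default cipher list is still "FIPS", and the CMD_DEFAULT output will report it as such; the two settings should agree. Pick the default at CMD_INIT from `options.option.fips` rather than from a macro, or document that the compile-time default applies regardless of the runtime setting. Also, a `#define` in the middle of a function body is better hoisted to the top of the file or into common.h.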
@ -1043,7 +1073,7 @@ static char *service_options(CMD cmd, LOCAL_OPTIONS *section,
} else if(!strcasecmp(arg, "SSLv3")) {
section->client_method=SSLv3_client_method;
section->server_method=SSLv3_server_method;
} else if(!strcasecmp(arg, "TLSv1")) {
} else if(!strcasecmp(arg, "TLSv1")) {
section->client_method=TLSv1_client_method;
section->server_method=TLSv1_server_method;
} else
@ -1217,11 +1247,11 @@ static void syntax(char *confname) {
#endif
"[-quiet] "
#endif
"[<filename>] ] "
"[<filename>] ] "
#ifndef USE_WIN32
"-fd <n> "
#endif
"| -help | -version | -sockets");
"| -help | -version | -sockets");
log_raw(" <filename> - use specified config file instead of %s",
confname);
#ifdef USE_WIN32

View file

@ -1,11 +1,11 @@
prefix=.
DEFS = -DPACKAGE_NAME=\"stunnel\" \
-DPACKAGE_TARNAME=\"stunnel\" \
-DPACKAGE_VERSION=\"4.20\" \
-DPACKAGE_STRING=\"stunnel\ 4.20\" \
-DPACKAGE_VERSION=\"4.21\" \
-DPACKAGE_STRING=\"stunnel\ 4.21\" \
-DPACKAGE_BUGREPORT=\"\" \
-DPACKAGE=\"stunnel\" \
-DVERSION=\"4.20\" \
-DVERSION=\"4.21\" \
-DSTDC_HEADERS=1 \
-DHAVE_SYS_TYPES_H=1 \
-DHAVE_SYS_STAT_H=1 \

View file

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (c) 1998-2006 Michal Trojnara <Michal.Trojnara@mirt.net>
* Copyright (c) 1998-2007 Michal Trojnara <Michal.Trojnara@mirt.net>
* All Rights Reserved
*
* This program is free software; you can redistribute it and/or modify
@ -15,7 +15,7 @@
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, Michal Trojnara gives
* permission to link the code of this program with the OpenSSL
@ -33,8 +33,8 @@
/* \n is not a character expected in the string */
#define LINE "%[^\n]"
#define isprefix(a, b) (strncasecmp((a), (b), strlen(b))==0)
#define s_min(a, b) ((a)>(b)?(b):(a))
/* protocol-specific function prototypes */
static void cifs_client(CLI *);
@ -357,6 +357,8 @@ static void nntp_client(CLI *c) {
static void connect_client(CLI *c) {
char line[STRLEN], ntlm2[STRLEN], *encoded;
long content_length;
char buf[BUFSIZ];
if(!c->opt->protocol_host) {
s_log(LOG_ERR, "protocolHost not specified");
@ -369,6 +371,7 @@ static void connect_client(CLI *c) {
if(!strcasecmp(c->opt->protocol_authentication, "NTLM")) {
/* send Proxy-Authorization (phase 1) */
fdprintf(c, c->remote_fd.fd, "Proxy-Connection: keep-alive");
fdprintf(c, c->remote_fd.fd, "Proxy-Authorization: NTLM %s",
ntlm1());
fdputline(c, c->remote_fd.fd, ""); /* empty line */
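Review bot: the new "Proxy-Connection: keep-alive" header is what keeps the NTLM exchange on a single TCP connection, but nothing in the header loop below checks the 407 reply for "Proxy-Connection: close" or "Connection: close"; a proxy that still drops the connection after phase 1 will make the phase-3 CONNECT fail with an unrelated socket error instead of a clear "proxy closed the connection during NTLM negotiation" message. Record the close header while reading the reply and log that case explicitly.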
@ -383,12 +386,22 @@ static void connect_client(CLI *c) {
longjmp(c->err, 1);
}
*ntlm2='\0';
content_length=0; /* no HTTP content */
do { /* read all headers */
fdgetline(c, c->remote_fd.fd, line);
if(isprefix(line, "Proxy-Authenticate: NTLM "))
safecopy(ntlm2, line+25);
else if(isprefix(line, "Content-Length: "))
content_length=atol(line+16);
} while(*line);
/* read and ignore HTTP content (if any) */
while(content_length) {
read_blocking(c, c->remote_fd.fd, buf,
s_min(content_length, BUFSIZ));
content_length-=s_min(content_length, BUFSIZ);
}
/* send Proxy-Authorization (phase 3) */
fdprintf(c, c->remote_fd.fd, "CONNECT %s HTTP/1.1",
c->opt->protocol_host);
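Review bot: content_length=atol(line+16) trusts a header supplied by the proxy without validation; a negative Content-Length makes s_min(content_length, BUFSIZ) negative and that value is passed to read_blocking as the length, so clamp to content_length>=0 (and reject absurdly large values) before entering the loop. The request goes out as HTTP/1.1, so the 407 body may also arrive with Transfer-Encoding: chunked and no Content-Length, in which case the new loop skips nothing and the chunk data is consumed as the phase-3 reply; either parse chunked bodies or treat Transfer-Encoding: chunked in the 407 reply as a fatal error.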
@ -441,15 +454,13 @@ static char *ntlm1() {
return base64(1, phase1, sizeof(phase1)); /* encode */
}
#define s_min(a, b) ((a)>(b)?(b):(a))
static char *ntlm3(char *username, char *password, char *phase2) {
MD4_CTX md4;
char *decoded; /* decoded reply from proxy */
char phase3[146];
char md4_hash[21];
unsigned char md4_hash[21];
int userlen=strlen(username);
int phase3len=s_min(88+userlen, sizeof(phase3));
MD4_CTX md4;
/* setup phase3 structure */
memset(phase3, 0, sizeof(phase3));
@ -479,9 +490,12 @@ static char *ntlm3(char *username, char *password, char *phase2) {
/* decode challenge and calculate response */
decoded=base64(0, phase2, strlen(phase2)); /* decode */
crypt_DES(phase3+64, decoded+24, md4_hash);
crypt_DES(phase3+72, decoded+24, md4_hash+7);
crypt_DES(phase3+80, decoded+24, md4_hash+14);
crypt_DES((unsigned char *)phase3+64,
(unsigned char *)decoded+24, md4_hash);
crypt_DES((unsigned char *)phase3+72,
(unsigned char *)decoded+24, md4_hash+7);
crypt_DES((unsigned char *)phase3+80,
(unsigned char *)decoded+24, md4_hash+14);
free(decoded);
strncpy(phase3+88, username, sizeof(phase3)-88);
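Review bot: the casts only silence signedness warnings; the real hazard in these lines is that decoded+24 is read for 8 bytes without knowing how long the decoded Type 2 message is. base64(0, phase2, strlen(phase2)) returns a pointer with no length, so a short or malformed Proxy-Authenticate value from the proxy reads past the decoded buffer. Have base64() return the decoded length (or derive an upper bound from strlen(phase2)) and abort the negotiation when fewer than 32 bytes were decoded before calling crypt_DES.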
@ -520,7 +534,7 @@ static char *base64(int encode, char *in, int len) {
if(encode)
bio=BIO_push(b64, bio);
BIO_write(bio, in, len);
BIO_flush(bio);
(void)BIO_flush(bio); /* ignore the error if any */
if(encode) {
bio=BIO_pop(bio);
BIO_free(b64);
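Review bot: casting the BIO_flush result to void hides the one failure that matters in base64(): for the base64 filter BIO the flush emits the final padded group, so a failed flush produces a truncated token that is then sent to the proxy as a credential. Check the return value and return NULL (after sslerror("BIO_flush")) instead of ignoring it.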

View file

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (c) 1998-2006 Michal Trojnara <Michal.Trojnara@mirt.net>
* Copyright (c) 1998-2007 Michal Trojnara <Michal.Trojnara@mirt.net>
* All Rights Reserved
*
* This program is free software; you can redistribute it and/or modify
@ -15,7 +15,7 @@
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*/
#ifndef PROTOTYPES_H
@ -57,6 +57,7 @@ extern volatile int num_clients;
void main_initialize(char *, char *);
void main_execute(void);
void stunnel_info(int);
void drop_privileges(void);
/**************************************** Prototypes for log.c */
@ -144,6 +145,9 @@ typedef struct {
unsigned int rand_write:1; /* overwrite rand_file */
#ifdef USE_WIN32
unsigned int taskbar:1; /* enable the taskbar icon */
#endif
#ifdef USE_FIPS
unsigned int fips:1; /* enable FIPS 140-2 mode */
#endif
} option;
} GLOBAL_OPTIONS;
@ -355,7 +359,7 @@ char *s_ntop(char *, SOCKADDR_UNION *);
typedef enum {
CRIT_KEYGEN, CRIT_INET, CRIT_CLIENTS, CRIT_WIN_LOG, CRIT_SESSION,
CRIT_SECTIONS
CRIT_LIBWRAP, CRIT_SSL, CRIT_SECTIONS
} SECTION_CODE;
void enter_critical_section(SECTION_CODE);
@ -436,6 +440,11 @@ LPTSTR str2tstr(const LPSTR);
LPSTR tstr2str(const LPTSTR);
#endif
/**************************************** Prototypes for libwrap.c */
void libwrap_init(int);
void auth_libwrap(CLI *);
#endif /* defined PROTOTYPES_H */
/* End of prototypes.h */

View file

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (c) 1998-2006 Michal Trojnara <Michal.Trojnara@mirt.net>
* Copyright (c) 1998-2007 Michal Trojnara <Michal.Trojnara@mirt.net>
* All Rights Reserved
*
* Based on a Public Domain code by Tatu Ylonen <ylo@cs.hut.fi>
@ -17,7 +17,7 @@
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, Michal Trojnara gives
* permission to link the code of this program with the OpenSSL

View file

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (c) 1998-2006 Michal Trojnara <Michal.Trojnara@mirt.net>
* Copyright (c) 1998-2007 Michal Trojnara <Michal.Trojnara@mirt.net>
* All Rights Reserved
*
* This program is free software; you can redistribute it and/or modify
@ -15,7 +15,7 @@
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, Michal Trojnara gives
* permission to link the code of this program with the OpenSSL
@ -72,10 +72,10 @@ static const char *s_gai_strerror(int);
#ifndef HAVE_GETNAMEINFO
#ifndef NI_NUMERICHOST
#define NI_NUMERICHOST 2
#define NI_NUMERICHOST 2
#endif
#ifndef NI_NUMERICSERV
#define NI_NUMERICSERV 8
#define NI_NUMERICSERV 8
#endif
static int getnameinfo(const struct sockaddr *, int,
char *, int , char *, int , int );
@ -306,7 +306,7 @@ static void freeaddrinfo(struct addrinfo *current) {
#if defined(USE_WIN32) && !defined(_WIN32_WCE)
if(s_freeaddrinfo) {
s_freeaddrinfo(current);
return;
return;
}
#endif
while(current) {

View file

@ -35,7 +35,7 @@ CAPTION "About stunnel"
BEGIN
ICON IDI_MYICON,-1,9,8,18,20
LTEXT "stunnel version " VERSION,-1,30,4,104,8
LTEXT "© by Michal Trojnara 2006",-1,30,12,104,8
LTEXT "© by Michal Trojnara 2007",-1,30,12,104,8
LTEXT "All Rights Reserved",-1,30,20,104,8
LTEXT "Licensed under the GNU GPL version 2",-1,4,28,130,8
DEFPUSHBUTTON "OK",IDOK,52,40,32,14,WS_GROUP

View file

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (c) 1998-2006 Michal Trojnara <Michal.Trojnara@mirt.net>
* Copyright (c) 1998-2007 Michal Trojnara <Michal.Trojnara@mirt.net>
* All Rights Reserved
*
* This program is free software; you can redistribute it and/or modify
@ -15,7 +15,7 @@
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, Michal Trojnara gives
* permission to link the code of this program with the OpenSSL

View file

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (c) 1998-2006 Michal Trojnara <Michal.Trojnara@mirt.net>
* Copyright (c) 1998-2007 Michal Trojnara <Michal.Trojnara@mirt.net>
* All Rights Reserved
*
* This program is free software; you can redistribute it and/or modify
@ -15,7 +15,7 @@
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, Michal Trojnara gives
* permission to link the code of this program with the OpenSSL
@ -207,6 +207,43 @@ static void locking_callback(int mode, int type,
pthread_mutex_unlock(lock_cs+type);
}
struct CRYPTO_dynlock_value {
pthread_mutex_t mutex;
};
static struct CRYPTO_dynlock_value *dyn_create_function(const char *file,
int line) {
struct CRYPTO_dynlock_value *value;
value=malloc(sizeof(struct CRYPTO_dynlock_value));
if(!value)
return NULL;
pthread_mutex_init(&value->mutex, NULL);
return value;
}
static void dyn_lock_function(int mode, struct CRYPTO_dynlock_value *value,
const char *file, int line) {
if(mode&CRYPTO_LOCK)
pthread_mutex_lock(&value->mutex);
else
pthread_mutex_unlock(&value->mutex);
}
static void dyn_destroy_function(struct CRYPTO_dynlock_value *value,
const char *file, int line) {
pthread_mutex_destroy(&value->mutex);
free(value);
}
unsigned long stunnel_process_id(void) {
return (unsigned long)getpid();
}
unsigned long stunnel_thread_id(void) {
return (unsigned long)pthread_self();
}
void sthreads_init(void) {
int i;
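Review bot: dyn_create_function checks the malloc but not pthread_mutex_init; on a non-zero result the half-initialised value is still returned and every later dyn_lock_function call operates on an undefined mutex. Free the value and return NULL in that case. The file and line parameters are unused in all three callbacks and will warn under -Wunused-parameter; a (void)file; (void)line; in each keeps the build clean.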
@ -220,19 +257,17 @@ void sthreads_init(void) {
CRYPTO_set_id_callback(stunnel_thread_id);
CRYPTO_set_locking_callback(locking_callback);
/* Initialize OpenSSL dynamic locks callbacks */
CRYPTO_set_dynlock_create_callback(dyn_create_function);
CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function);
/* Initialize attributes for creating new threads */
pthread_attr_init(&pth_attr);
pthread_attr_setdetachstate(&pth_attr, PTHREAD_CREATE_DETACHED);
pthread_attr_setstacksize(&pth_attr, STACK_SIZE);
}
unsigned long stunnel_process_id(void) {
return (unsigned long)getpid();
}
unsigned long stunnel_thread_id(void) {
return (unsigned long)pthread_self();
}
int create_client(int ls, int s, void *arg, void *(*cli)(void *)) {
pthread_t thread;
#ifdef HAVE_PTHREAD_SIGMASK
@ -288,6 +323,43 @@ static void locking_callback(int mode, int type,
LeaveCriticalSection(lock_cs+type);
}
struct CRYPTO_dynlock_value {
CRITICAL_SECTION mutex;
};
static struct CRYPTO_dynlock_value *dyn_create_function(const char *file,
int line) {
struct CRYPTO_dynlock_value *value;
value=malloc(sizeof(struct CRYPTO_dynlock_value));
if(!value)
return NULL;
InitializeCriticalSection(&value->mutex);
return value;
}
static void dyn_lock_function(int mode, struct CRYPTO_dynlock_value *value,
const char *file, int line) {
if(mode&CRYPTO_LOCK)
EnterCriticalSection(&value->mutex);
else
LeaveCriticalSection(&value->mutex);
}
static void dyn_destroy_function(struct CRYPTO_dynlock_value *value,
const char *file, int line) {
DeleteCriticalSection(&value->mutex);
free(value);
}
unsigned long stunnel_process_id(void) {
return GetCurrentProcessId() & 0x00ffffff;
}
unsigned long stunnel_thread_id(void) {
return GetCurrentThreadId() & 0x00ffffff;
}
void sthreads_init(void) {
int i;
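Review bot: the relocated stunnel_thread_id still masks GetCurrentThreadId() with 0x00ffffff; OpenSSL keys its per-thread error queue on the value returned by the id callback, so two threads whose ids differ only in the top byte would share one queue and could report each other's errors. If the mask exists only to keep log output short, apply it in the logging code and return the full DWORD from the callback.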
@ -299,14 +371,11 @@ void sthreads_init(void) {
for(i=0; i<CRYPTO_NUM_LOCKS; i++)
InitializeCriticalSection(lock_cs+i);
CRYPTO_set_locking_callback(locking_callback);
}
unsigned long stunnel_process_id(void) {
return GetCurrentProcessId() & 0x00ffffff;
}
unsigned long stunnel_thread_id(void) {
return GetCurrentThreadId() & 0x00ffffff;
/* Initialize OpenSSL dynamic locks callbacks */
CRYPTO_set_dynlock_create_callback(dyn_create_function);
CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function);
}
int create_client(int ls, int s, void *arg, void *(*cli)(void *)) {

View file

@ -1,10 +1,10 @@
/*
* stunnel Universal SSL tunnel
* Copyright (c) 1998-2006 Michal Trojnara <Michal.Trojnara@mirt.net>
* Copyright (c) 1998-2007 Michal Trojnara <Michal.Trojnara@mirt.net>
* All Rights Reserved
*
* Version: 4.20 (stunnel.c)
* Date: 2006.11.30
* Version: 4.21 (stunnel.c)
* Date: 2007.10.27
*
* Author: Michal Trojnara <Michal.Trojnara@mirt.net>
*
@ -20,7 +20,7 @@
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, Michal Trojnara gives
* permission to link the code of this program with the OpenSSL
@ -41,7 +41,7 @@ static void daemon_loop(void);
static void accept_connection(LOCAL_OPTIONS *);
static void get_limits(void); /* setup global max_clients and max_fds */
#if !defined (USE_WIN32) && !defined (__vms)
static void drop_privileges(void);
static void make_chroot(void);
static void daemonize(void);
static void create_pid(void);
static void delete_pid(void);
@ -82,7 +82,25 @@ void main_initialize(char *arg1, char *arg2) {
ssl_init(); /* initialize SSL library */
sthreads_init(); /* initialize critical sections & SSL callbacks */
parse_config(arg1, arg2);
#ifdef USE_FIPS
if(options.option.fips) {
if(!FIPS_mode_set(1)) {
ERR_load_crypto_strings();
sslerror("FIPS_mode_set");
exit(1);
} else
s_log(LOG_NOTICE, "stunnel is in FIPS mode");
} else
s_log(LOG_DEBUG, "FIPS mode not compiled");
#endif /* USE_FIPS */
log_open();
#ifdef USE_LIBWRAP
/* LIBWRAP_CLIENTS extra processes in daemon mode,
* no extra processes in inetd mode */
libwrap_init(local_options.next ? LIBWRAP_CLIENTS : 0);
#endif /* USE_LIBWRAP */
stunnel_info(0);
}
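Review bot: the LOG_DEBUG message "FIPS mode not compiled" is wrong in this branch; it sits inside #ifdef USE_FIPS, so FIPS support is compiled in and the user simply left option.fips off. Say "FIPS mode disabled" so that a failed compliance check is not misdiagnosed as a build problem. Also, FIPS_mode_set(1) runs after parse_config(); if parse_config() already creates SSL_CTX objects and selects ciphers, the mode switch should be moved before it so the allowed-cipher lists are built with FIPS mode in effect.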
@ -93,6 +111,9 @@ void main_execute(void) {
} else { /* inetd mode */
#if !defined (USE_WIN32) && !defined (__vms)&&!defined(USE_OS2)
max_fds=FD_SETSIZE; /* just in case */
#ifdef HAVE_CHROOT
make_chroot();
#endif /* HAVE_CHROOT */
drop_privileges();
#endif
num_clients=1;
@ -150,6 +171,9 @@ static void daemon_loop(void) {
#if !defined (USE_WIN32) && !defined (__vms) && !defined(USE_OS2)
if(!(options.option.foreground))
daemonize();
#ifdef HAVE_CHROOT
make_chroot();
#endif /* HAVE_CHROOT */
drop_privileges();
create_pid();
#endif /* !defined USE_WIN32 && !defined (__vms) */
@ -275,9 +299,24 @@ static void get_limits(void) {
#endif
}
#ifdef HAVE_CHROOT
static void make_chroot(void) {
if(options.chroot_dir) {
if(chroot(options.chroot_dir)) {
sockerror("chroot");
exit(1);
}
if(chdir("/")) {
sockerror("chdir");
exit(1);
}
}
}
#endif /* HAVE_CHROOT */
#if !defined (USE_WIN32) && !defined (__vms)
/* chroot and set process user and group(s) id */
static void drop_privileges(void) {
/* set process user and group(s) id */
void drop_privileges(void) {
int uid=0, gid=0;
struct group *gr;
#ifdef HAVE_SETGROUPS
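Review bot: drop_privileges() is now a public function and the chroot step has been split out of it, so the safety of the sequence (chroot first, then setgid/setuid) depends on every caller invoking make_chroot() before it; the additional caller implied by the new prototype in prototypes.h cannot be checked from this hunk. State the ordering requirement in the function comment so a caller cannot drop privileges while still outside the jail. A smaller point in make_chroot: chroot() and chdir() failures are reported through sockerror(), the socket-error helper; these are plain system calls and belong with the errno-based helper even if both resolve to errno on Unix. The chdir("/") after chroot() is correct and should stay, since without it the process keeps a working directory outside the jail.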
@ -311,20 +350,6 @@ static void drop_privileges(void) {
}
}
#ifdef HAVE_CHROOT
/* chroot */
if(options.chroot_dir) {
if(chroot(options.chroot_dir)) {
sockerror("chroot");
exit(1);
}
if(chdir("/")) {
sockerror("chdir");
exit(1);
}
}
#endif /* HAVE_CHROOT */
/* Set uid and gid */
if(gid) {
if(setgid(gid)) {
@ -443,9 +468,15 @@ void stunnel_info(int raw) {
safeconcat(line, "FORK");
#endif
safeconcat(line, " SSL:");
#ifdef HAVE_OSSL_ENGINE_H
safeconcat(line, " SSL:ENGINE");
#endif
safeconcat(line, "ENGINE");
#else /* defined(HAVE_OSSL_ENGINE_H) */
safeconcat(line, "NOENGINE");
#endif /* defined(HAVE_OSSL_ENGINE_H) */
#ifdef USE_FIPS
safeconcat(line, ",FIPS");
#endif /* USE_FIPS */
safeconcat(line, " Sockets:");
#ifdef USE_POLL

Binary data
src/stunnel.exe

Binary file not shown.
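Review bot: src/stunnel.exe is a prebuilt binary committed alongside the source; a reviewer of this commit cannot tell which source revision or which OpenSSL build produced it, so a stale or tampered binary would ship unnoticed. Build it in the release step and publish a checksum or signature next to it rather than versioning it in the tree.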

View file

@ -20,14 +20,14 @@
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
#
use POSIX;
use Getopt::Std;
# Configuration - path to stunnel (version >=4.05)
$stunnel_bin='@prefix@/sbin/stunnel';
$stunnel_bin='@prefix@/bin/stunnel';
# stunnel3 script body begins here
($read_fd, $write_fd)=POSIX::pipe();

View file

@ -1,11 +1,11 @@
# Simple Makefile.w32 for stunnel.exe by Michal Trojnara 1998-2006
# Simple Makefile.w32 for stunnel.exe by Michal Trojnara 1998-2007
#
# Modified by David Gillingham (dgillingham@gmail.com) for Visual
# Studio
# Modify this to point to your actual openssl compile directory
# (You did already compile openssl, didn't you???)
SSLDIR=..\openssl-0.9.8d
SSLDIR=..\openssl-0.9.8e
OBJS=stunnel.obj ssl.obj ctx.obj verify.obj file.obj client.obj \
protocol.obj sthreads.obj log.obj options.obj network.obj \
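Review bot: SSLDIR is bumped to ..\openssl-0.9.8e while stunnel.nsi in the same commit packages DLLs from binary-0.9.8g-zdll; the Visual Studio build would then compile against different OpenSSL headers than the DLLs shipped in the installer. Point both at the same release.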

View file

@ -1,6 +1,6 @@
/*
* stunnel Universal SSL tunnel
* Copyright (c) 1998-2006 Michal Trojnara <Michal.Trojnara@mirt.net>
* Copyright (c) 1998-2007 Michal Trojnara <Michal.Trojnara@mirt.net>
* All Rights Reserved
*
* This program is free software; you can redistribute it and/or modify
@ -15,7 +15,7 @@
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, Michal Trojnara gives
* permission to link the code of this program with the OpenSSL
@ -69,10 +69,9 @@ void verify_init(LOCAL_OPTIONS *section) {
sslerror("SSL_CTX_load_verify_locations");
exit(1);
}
#if 0
/* list of trusted CAs for the client to choose the right cert */
SSL_CTX_set_client_CA_list(section->ctx,
SSL_load_client_CA_file(section->ca_file));
#endif
s_log(LOG_DEBUG, "Loaded verify certificates from %s",
section->ca_file);
load_file_lookup(section->revocation_store, section->ca_file);
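Review bot: re-enabling SSL_CTX_set_client_CA_list passes the result of SSL_load_client_CA_file straight through; that function returns NULL when the file cannot be read or contains no certificates, and the NULL is then installed as the CA list, so clients receive an empty list instead of the operator seeing an error. Check the return value and fail with sslerror("SSL_load_client_CA_file") before setting it. Worth a line in the documentation as well: the subject names from ca_file now travel in the CertificateRequest to every connecting client, so the file should list only CAs the operator is willing to disclose.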

View file

@ -1,4 +1,4 @@
# Makefile.in generated by automake 1.9.5 from Makefile.am.
# Makefile.in generated by automake 1.9.6 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@ -69,6 +69,7 @@ AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CCLD = @CCLD@
CFLAGS = @CFLAGS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
@ -88,6 +89,7 @@ EGREP = @EGREP@
EXEEXT = @EXEEXT@
F77 = @F77@
FFLAGS = @FFLAGS@
GREP = @GREP@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
@ -114,12 +116,9 @@ SHELL = @SHELL@
STRIP = @STRIP@
USE_DH = @USE_DH@
VERSION = @VERSION@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_CXX = @ac_ct_CXX@
ac_ct_F77 = @ac_ct_F77@
ac_ct_RANLIB = @ac_ct_RANLIB@
ac_ct_STRIP = @ac_ct_STRIP@
am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
@ -136,23 +135,30 @@ build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = $(datadir)/doc/stunnel
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
ssldir = @ssldir@
@ -163,7 +169,6 @@ EXTRA_DIST = ca.html ca.pl importCA.html importCA.sh script.sh \
confdir = $(sysconfdir)/stunnel
conf_DATA = stunnel.conf-sample
docdir = $(datadir)/doc/stunnel
examplesdir = $(docdir)/examples
examples_DATA = ca.html ca.pl importCA.html importCA.sh script.sh \
stunnel.spec stunnel.init

View file

@ -2,7 +2,7 @@
REMOTE_HOST="www.mirt.net:443"
echo "client script connecting $REMOTE_HOST"
/usr/local/sbin/stunnel -fd 10 \
/usr/local/bin/stunnel -fd 10 \
11<&0 <<EOT 10<&0 0<&11 11<&-
client=yes
connect=$REMOTE_HOST

View file

@ -1,10 +1,10 @@
#!/bin/sh
# Sample stunnel SysV startup file
# Copyright by Michal Trojnara 2002
# Copyright by Michal Trojnara 2002,2007
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
PREFIX=@prefix@
DAEMON=$PREFIX/sbin/stunnel
DAEMON=$PREFIX/bin/stunnel
PIDFILE=$PREFIX/var/stunnel/stunnel.pid
test -f $DAEMON || exit 0

View file

@ -1,5 +1,7 @@
!define VERSION "4.20"
!define DLLS "/home/ftp/stunnel/openssl/binary-0.9.8d-zdll/"
!define VERSION "4.21"
!define DLLS "/home/ftp/openssl/binary-0.9.8g-zdll/"
# !define DLLS "../FIPS/"
# !define DLLS "/usr/src/openssl-0.9.7m-fips/"
!define WIN32 "/home/ftp/stunnel/obsolete/"
Name "stunnel ${VERSION}"
@ -27,6 +29,8 @@ Section "stunnel (required)"
File "${WIN32}stunnel.pem"
SetOverwrite on
File "src/stunnel.exe"
# File "${DLLS}cryptoeay32.dll"
# File "${DLLS}ssleay32.dll"
File "${DLLS}libeay32.dll"
File "${DLLS}libssl32.dll"
File "${DLLS}zlib1.dll"

View file

@ -3,7 +3,7 @@
Summary: Program that wraps normal socket connections with SSL/TLS
Name: stunnel
Version: 4.20
Version: 4.21
Release: 1
Copyright: GPL
Group: Applications/Networking