
stunnel: Bring it back at v5.10

From: Michael Haas <haas@computerlinguist.org>

* init script no longer creates certificates (consider client mode as use
  case)
* patches/010_fix_getnameinfo.patch: Fix getnameinfo signature
* patches/011_disable_ssp_linking.patch: Disable -fstack-protector as it
  is not always available in OpenWRT
* old patches (in oldpackages) no longer necessary
* remove libwrap dependency
* remove libpthread dependency
* respect CONFIG_IPV6
* init script uses procd
* sample stunnel.conf runs in client mode - prevents start failure,
  does not require cert

Possible enhancement: automatically generate certificate as done in
uhttpd. However, as client mode is a possible use case, I'd rather not.
Additionally, stunnel may use several certs with user-defined locations
and we can't easily set a cert location via command-line args.

The package is based on
https://sites.google.com/site/twisteroidambassador/openwrt/stunnel

Signed-off-by: Michael Haas <haas@computerlinguist.org>
Michael Haas 9 lat temu
rodzic
commit
f6927350e4

+ 77
- 0
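--- /dev/null
+++ b/net/stunnel/Makefile
@@ -0,0 +1,77 @@
+#
+# Copyright (C) 2006-2014 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=stunnel
+PKG_VERSION:=5.10
+PKG_RELEASE:=1
+
+PKG_LICENSE:=GPL-2.0+
+PKG_MAINTAINER:=Michael Haas <haas@computerlinguist.org>
+PKG_LICENSE_FILES:=COPYING COPYRIGHT.GPL
+
+PKG_SOURCE_URL:=http://stunnel.cybermirror.org/archive/5.x/
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_MD5SUM:=a0edda805eb7d6ea600a230fb0979ea1
+
+PKG_FIXUP:=autoreconf
+PKG_INSTALL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/stunnel
+  SECTION:=net
+  CATEGORY:=Network
+  DEPENDS:=+libopenssl
+  TITLE:=SSL TCP Wrapper
+  URL:=http://www.stunnel.org/
+endef
+
+define Package/stunnel/description
+	Stunnel is a program that allows you to encrypt arbitrary TCP
+	connections inside SSL (Secure Sockets Layer) available on both Unix
+	and Windows. Stunnel can allow you to secure non-SSL aware daemons and
+	protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the
+	encryption, requiring no changes to the daemon's code.
+endef
+
+define Package/stunnel/conffiles
+/etc/stunnel/stunnel.conf
+endef
+
+
+CONFIGURE_ARGS+= \
+	--with-random=/dev/urandom \
+	--with-threads=fork \
+	--with-ssl=$(STAGING_DIR)/usr \
+	--disable-libwrap \
+	--disable-systemd
+
+ifeq ($(CONFIG_IPV6),n)
+CONFIGURE_ARGS+= \
+	--disable-ipv6
+endif
+
+define Build/Compile
+	mkdir -p $(PKG_INSTALL_DIR)/etc/stunnel
+	echo '#dummy' > $(PKG_INSTALL_DIR)/etc/stunnel/stunnel.pem
+	$(call Build/Compile/Default)
+endef
+
+define Package/stunnel/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/stunnel $(1)/usr/bin/
+	$(INSTALL_DIR) $(1)/usr/lib/stunnel
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/stunnel/libstunnel.so $(1)/usr/lib/stunnel/
+	$(INSTALL_DIR) $(1)/etc/stunnel
+	$(INSTALL_CONF) ./files/stunnel.conf $(1)/etc/stunnel/stunnel.conf
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/stunnel.init $(1)/etc/init.d/stunnel
+endef
+
+$(eval $(call BuildPackage,stunnel))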
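Review bot: The `ifeq ($(CONFIG_IPV6),n)` guard at Makefile line 55 most likely never fires: OpenWrt's `.config` records a disabled symbol as `# CONFIG_IPV6 is not set`, so the make variable is empty rather than `n`, and `--disable-ipv6` is never passed despite the commit message's "respect CONFIG_IPV6". The usual form is `CONFIGURE_ARGS += $(if $(CONFIG_IPV6),--enable-ipv6,--disable-ipv6)` (or `ifneq ($(CONFIG_IPV6),y)`). Separately, the tarball is fetched over plain `http://` from a third-party mirror (line 18) and pinned only by MD5 (line 20); the pin still blocks silent substitution, but MD5 is collision-broken, so prefer the upstream site named on line 32 and add a SHA-256 pin if this buildroot version supports `PKG_HASH`. The `echo '#dummy' > ... stunnel.pem` line in `Build/Compile` deserves a comment saying why it exists (presumably to stop upstream's install step from generating a certificate on the build host) and noting that the dummy file is never installed on the target.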

+ 45
- 0
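--- /dev/null
+++ b/net/stunnel/files/stunnel.conf
@@ -0,0 +1,45 @@
+; Drop privileges
+setuid = nobody 
+setgid = nogroup
+
+; When running under procd, stay in foreground
+foreground = yes
+
+; Don't log to stderr, use syslog
+syslog = yes
+
+; 1-7. Use 7 for greatest verbosity
+;debug = 5
+
+; Starting here, enter your services or uncomment the examples
+
+; Example:
+; If your local httpd does not support HTTPS, use stunnel in remote
+; mode to forward TLS connections coming in on port 443 to non-TLS
+; on port 80.
+; Make sure that the cert is available.
+;[httpd]
+;accept = 443
+;connect = 127.0.0.1:80
+;cert = /etc/stunnel/stunnel.pem
+
+; Example:
+; If your local email client does not support TLS,
+; use stunnel in client mode to forward non-TLS connections on
+; port 143 to TLS-enabled servername:993.
+;[imap]
+;client = yes
+;accept = 143
+;connect = servername:993
+; Disable peer verification - be sure to understand the limitations of peer
+; verification in stunnel when enabling.
+;verify = 0
+
+; Default client section:
+; stunnel requires at least one section to start successfully.
+; You can safely remove this section once you have configured
+; your own. We use client mode here as server requires a certificate.
+[dummy]
+client = yes
+accept = localhost:6000
+connect = localhost:6001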
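Review bot: The `[imap]` client example (conf lines 30-36) never authenticates the server: stunnel's documented default is no peer verification, and the `;verify = 0` line with its comment reads as if verification were on unless explicitly disabled, so a user who uncomments the example gets a tunnel that any on-path attacker can terminate. Suggest replacing those three lines with `;verify = 2` and `;CAfile = /etc/ssl/certs/ca-certificates.crt` (the bundle path depends on which ca-certificates package is installed on the target) plus a comment stating that without `verify` and `CAfile` the server certificate is not checked at all; if this stunnel version supports `checkHost`, mention it there too. The `accept = 143` line binds every interface, so the plaintext leg is reachable from the LAN — a comment recommending `accept = 127.0.0.1:143` would keep it local. The `[dummy]` section also deserves a note that it opens a localhost:6000 listener on every install until the user removes it.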

+ 12
- 0
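--- /dev/null
+++ b/net/stunnel/files/stunnel.init
@@ -0,0 +1,12 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2006-2008 OpenWrt.org
+
+START=90
+USE_PROCD=1
+
+start_service() {
+	procd_open_instance
+	procd_set_param command /usr/bin/stunnel /etc/stunnel/stunnel.conf
+	procd_set_param respawn # respawn automatically if something died
+	procd_close_instance
+}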
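Review bot: stunnel is launched as root here and the only privilege drop is the `setuid`/`setgid` pair in the shipped stunnel.conf, which is a user-editable conffile; the init script should say so, e.g. `# stunnel starts as root (to bind ports < 1024) and drops privileges via setuid/setgid in stunnel.conf - keep those lines` above the `command` line. It also lacks `procd_set_param file /etc/stunnel/stunnel.conf`, so as far as I can tell `/etc/init.d/stunnel reload` will not restart the instance after a config edit. The bare `procd_set_param respawn` relies on procd's default threshold/timeout/retry values; naming them in the comment (they are not visible from here) would tell a reader when a broken config stops being retried, and the 2006-2008 copyright line is stale for a file written in this commit.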

+ 25
- 0
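--- /dev/null
+++ b/net/stunnel/patches/010_fix_getnameinfo.patch
@@ -0,0 +1,25 @@
+--- a/src/prototypes.h
++++ b/src/prototypes.h
+@@ -559,7 +559,7 @@ extern GETNAMEINFO s_getnameinfo;
+ 
+ #endif /* USE_WIN32 */
+ 
+-int getnameinfo(const struct sockaddr *, int, char *, int, char *, int, int);
++int getnameinfo(const struct sockaddr *, socklen_t, char *, socklen_t, char *, socklen_t, unsigned int);
+ 
+ #endif /* !defined HAVE_GETNAMEINFO */
+ 
+--- a/src/resolver.c
++++ b/src/resolver.c
+@@ -535,8 +535,9 @@ const char *s_gai_strerror(int err) {
+ /* implementation is limited to functionality needed by stunnel */
+ 
+ #ifndef HAVE_GETNAMEINFO
+-int getnameinfo(const struct sockaddr *sa, int salen,
+-    char *host, int hostlen, char *serv, int servlen, int flags) {
++int getnameinfo(const struct sockaddr *sa, socklen_t salen,
++    char *host, socklen_t hostlen, char *serv, socklen_t servlen,
++    unsigned int flags) {
+ 
+ #if defined(USE_WIN32) && !defined(_WIN32_WCE)
+     if(s_getnameinfo)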
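Review bot: The new prototype (patch line 8) and definition (lines 20-22) declare the last parameter as `unsigned int flags`, which matches glibc and uClibc but, as far as I can tell, not POSIX or musl, which both use `int flags`; since this fallback is only compiled when `HAVE_GETNAMEINFO` is undefined, the same conflicting-types error will reappear on a musl target if the libc's `<netdb.h>` is still included. The patch should carry a header comment saying which libc header the signature was copied from and why `HAVE_GETNAMEINFO` ends up undefined on this target. If the real cause is a cross-compile probe for getnameinfo that fails, fixing that probe so the libc's own function is used would be safer than shipping stunnel's self-described limited fallback on the device.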

+ 140
- 0
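--- /dev/null
+++ b/net/stunnel/patches/011_disable_ssp_linking.patch
@@ -0,0 +1,140 @@
+--- a/configure
++++ b/configure
+@@ -5646,66 +5646,66 @@ done
+ 
+ 
+ 
+-for flag in -fstack-protector; do
+-  as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$flag" | $as_tr_sh`
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $flag" >&5
+-$as_echo_n "checking whether C compiler accepts $flag... " >&6; }
+-if eval \${$as_CACHEVAR+:} false; then :
+-  $as_echo_n "(cached) " >&6
+-else
+-
+-  ax_check_save_flags=$CFLAGS
+-  CFLAGS="$CFLAGS  $flag"
+-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+-/* end confdefs.h.  */
+-
+-int
+-main ()
+-{
+-
+-  ;
+-  return 0;
+-}
+-_ACEOF
+-if ac_fn_c_try_compile "$LINENO"; then :
+-  eval "$as_CACHEVAR=yes"
+-else
+-  eval "$as_CACHEVAR=no"
+-fi
+-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+-  CFLAGS=$ax_check_save_flags
+-fi
+-eval ac_res=\$$as_CACHEVAR
+-	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+-$as_echo "$ac_res" >&6; }
+-if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then :
+-  if ${CFLAGS+:} false; then :
+-  case " $CFLAGS " in
+-    *" $flag "*)
+-      { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS already contains \$flag"; } >&5
+-  (: CFLAGS already contains $flag) 2>&5
+-  ac_status=$?
+-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+-  test $ac_status = 0; }
+-      ;;
+-    *)
+-      { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS=\"\$CFLAGS \$flag\""; } >&5
+-  (: CFLAGS="$CFLAGS $flag") 2>&5
+-  ac_status=$?
+-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+-  test $ac_status = 0; }
+-      CFLAGS="$CFLAGS $flag"
+-      ;;
+-   esac
+-else
+-  CFLAGS="$flag"
+-fi
+-
+-else
+-  :
+-fi
+-
+-done
++#for flag in -fstack-protector; do
++#  as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$flag" | $as_tr_sh`
++#{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $flag" >&5
++#$as_echo_n "checking whether C compiler accepts $flag... " >&6; }
++#if eval \${$as_CACHEVAR+:} false; then :
++#  $as_echo_n "(cached) " >&6
++#else
++#
++#  ax_check_save_flags=$CFLAGS
++#  CFLAGS="$CFLAGS  $flag"
++#  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++#/* end confdefs.h.  */
++
++#int
++#main ()
++#{
++#
++#  ;
++#  return 0;
++#}
++#_ACEOF
++#if ac_fn_c_try_compile "$LINENO"; then :
++#  eval "$as_CACHEVAR=yes"
++#else
++#  eval "$as_CACHEVAR=no"
++#fi
++#rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++#  CFLAGS=$ax_check_save_flags
++#fi
++#eval ac_res=\$$as_CACHEVAR
++#	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
++#$as_echo "$ac_res" >&6; }
++#if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then :
++#  if ${CFLAGS+:} false; then :
++#  case " $CFLAGS " in
++#    *" $flag "*)
++#      { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS already contains \$flag"; } >&5
++#  (: CFLAGS already contains $flag) 2>&5
++#  ac_status=$?
++#  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++#  test $ac_status = 0; }
++#      ;;
++#    *)
++#      { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS=\"\$CFLAGS \$flag\""; } >&5
++#  (: CFLAGS="$CFLAGS $flag") 2>&5
++#  ac_status=$?
++#  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++#  test $ac_status = 0; }
++#      CFLAGS="$CFLAGS $flag"
++#      ;;
++#   esac
++#else
++#  CFLAGS="$flag"
++#fi
++#
++#else
++#  :
++#fi
++#
++#done
+ 
+ 
+ 
+--- a/configure.ac
++++ b/configure.ac
+@@ -71,7 +71,7 @@ AX_APPEND_COMPILE_FLAGS([-Wformat=2])
+ AX_APPEND_COMPILE_FLAGS([-Wconversion])
+ AX_APPEND_COMPILE_FLAGS([-Wno-long-long])
+ AX_APPEND_COMPILE_FLAGS([-Wno-deprecated-declarations])
+-AX_APPEND_COMPILE_FLAGS([-fstack-protector])
++#AX_APPEND_COMPILE_FLAGS([-fstack-protector])
+ AX_APPEND_COMPILE_FLAGS([-fPIE])
+ AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2])
+ AX_APPEND_LINK_FLAGS([-fPIE -pie])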
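Review bot: This patch strips stack-protector hardening from every OpenWrt target, not only those whose toolchain cannot link it, and the large `configure` hunk (patch lines 1-129) is dead weight because the Makefile in this commit sets `PKG_FIXUP:=autoreconf`, which regenerates `configure` from `configure.ac`; only the one-line `configure.ac` change at patch line 137 is needed. `AX_APPEND_COMPILE_FLAGS` only test-compiles the flag, so a toolchain that accepts `-fstack-protector` but ships no libssp passes the probe and fails at link time, which appears to be the failure being worked around (inferred from the patch name, not shown here). A narrower fix would keep the upstream line and replace the probe with a link test (for example an `AC_LINK_IFELSE` with the flag in `CFLAGS`), so targets whose toolchain can link SSP keep the protection. Whatever approach is kept, the patch should open with a header comment stating why SSP is disabled and that `-D_FORTIFY_SOURCE=2` and PIE remain enabled.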