From 1553017a050a643239d2f36fbfc07468816232d4 Mon Sep 17 00:00:00 2001
From: Tim Yardley
Date: Tue, 21 Nov 2006 00:33:42 +0000
Subject: [PATCH] stunnel for kamikaze, contributed by coova, cleaned up by me. note: this requires V=99 so that you can specify cert params.. still ick, better option? put the variables as menu options? sorta ick too. SVN-Revision: 5596
---
 net/stunnel/Makefile | 52 +++++++++
 net/stunnel/files/stunnel.conf | 60 ++++++++++
 net/stunnel/files/stunnel.init | 15 +++
 net/stunnel/patches/100-cross-compile.patch | 117 ++++++++++++++++++++
 net/stunnel/patches/101-no-comp.patch | 28 +++++
 net/stunnel/patches/102-no-ssl2.patch | 14 +++
 6 files changed, 286 insertions(+)
 create mode 100644 net/stunnel/Makefile
 create mode 100644 net/stunnel/files/stunnel.conf
 create mode 100755 net/stunnel/files/stunnel.init
 create mode 100644 net/stunnel/patches/100-cross-compile.patch
 create mode 100644 net/stunnel/patches/101-no-comp.patch
 create mode 100644 net/stunnel/patches/102-no-ssl2.patch
diff --git a/net/stunnel/Makefile b/net/stunnel/Makefile
new file mode 100644
index 0000000000..c2a34e1a1c
--- /dev/null
+++ b/net/stunnel/Makefile
@@ -0,0 +1,52 @@
+# $Id: Makefile 1146 2005-06-05 13:32:28Z nbd $
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=stunnel
+PKG_VERSION:=4.16
+PKG_RELEASE:=1
+PKG_MD5SUM:=8ea5cae3eeaacc0271b766506b4b9d4a
+PKG_SOURCE_URL:=http://www.stunnel.org/download/stunnel/src/
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_CAT:=zcat
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
+PKG_INSTALL_DIR:=$(PKG_BUILD_DIR)/ipkg-install
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/stunnel
+ SECTION:=net
+ CATEGORY:=Network
+ DEPENDS:=+libopenssl +libwrap
+ TITLE:=SSL TCP Wrapper
+ DESCRIPTION:=\
+ Open source SSL TCP Wrapper
+ URL:=http://stunnel.org
+endef
+
+
+define Build/Configure
+ $(call Build/Configure/Default, \
+ --with-random=/dev/urandom \
+ --with-threads=fork \
+ )
+endef
+
+define Build/Compile
+ $(MAKE) -C $(PKG_BUILD_DIR) \
+ DESTDIR="$(PKG_INSTALL_DIR)" \
+ all install
+endef
+
+define Package/stunnel/install
+ install -d -m0755 $(1)/usr/sbin $(1)/usr/lib $(1)/usr/stunnel
+ install -d -m0755 $(1)/etc/stunnel $(1)/etc/init.d
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/stunnel $(1)/usr/sbin/
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libstunnel.so $(1)/usr/sbin/
+ $(CP) $(PKG_INSTALL_DIR)/etc/stunnel/stunnel.pem $(1)/etc/stunnel/
+ $(CP) ./files/stunnel.conf $(1)/etc/stunnel/stunnel.conf
+ $(CP) ./files/stunnel.init $(1)/etc/init.d/S90stunnel
+endef
+
+$(eval $(call BuildPackage,stunnel))
diff --git a/net/stunnel/files/stunnel.conf b/net/stunnel/files/stunnel.conf
new file mode 100644
index 0000000000..ec590832c4
--- /dev/null
+++ b/net/stunnel/files/stunnel.conf
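Review bot: The install step copies the build-time certificate into the package (`$(CP) $(PKG_INSTALL_DIR)/etc/stunnel/stunnel.pem $(1)/etc/stunnel/`), so every device flashed from the same ipkg presumably ends up with the identical private key and self-signed certificate, and that key also sits in the build tree and in the package archive. Key material should instead be generated on the device (for instance by the init script on first start) or supplied by the operator, and this line dropped. Separately, `libstunnel.so` is copied into `$(1)/usr/sbin/` while `$(1)/usr/lib` is created and left empty; if that is the preload helper library, the dynamic loader will not look in /usr/sbin, so the destination looks like it should be `$(1)/usr/lib/`. `$(1)/usr/stunnel` is created but nothing in this hunk installs into it; if it is meant as the chroot directory, a comment saying so would help the next reader.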
@@ -0,0 +1,60 @@
+
+; Certificate/key is needed in server mode and optional in client mode
+cert = /etc/stunnel/stunnel.pem
+;key = /usr/etc/stunnel/mail.pem
+
+; Protocol version (all, SSLv2, SSLv3, TLSv1)
+sslVersion = all
+
+; Some security enhancements for UNIX systems - comment them out on Win32
+chroot = /tmp
+setuid = nobody
+;setgid = nobody
+pid = /stunnel.pid
+
+; Some performance tunings
+socket = l:TCP_NODELAY=1
+socket = r:TCP_NODELAY=1
+;compression = rle
+
+; Workaround for Eudora bug
+;options = DONT_INSERT_EMPTY_FRAGMENTS
+
+;verify = 2
+;CApath = /certs
+;CAfile = /usr/etc/stunnel/certs.pem
+;CRLpath = /crls
+;CRLfile = /usr/etc/stunnel/crls.pem
+
+; Some debugging stuff useful for troubleshooting
+;debug = 7
+;output = stunnel.log
+
+; Use it for client mode
+;client = yes
+
+; Service-level configuration
+
+;[pop3s]
+;accept = 995
+;connect = 110
+;
+;[imaps]
+;accept = 993
+;connect = 143
+;
+;[ssmtp]
+;accept = 465
+;connect = 25
+
+[https]
+accept = 443
+connect = 80
+TIMEOUTclose = 0
+
+[chilli]
+accept = 3443
+connect = 3442
+TIMEOUTclose = 0
+
+; vim:ft=dosini
diff --git a/net/stunnel/files/stunnel.init b/net/stunnel/files/stunnel.init
new file mode 100755
index 0000000000..c26e87dae0
--- /dev/null
+++ b/net/stunnel/files/stunnel.init
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+case "$1" in
+ start|boot)
+ # reasons for starting
+ [ -e "/etc/stunnel/stunnel.pem" ] && {
+ chmod og-rwx /etc/stunnel/stunnel.pem
+ stunnel
+ }
+ ;;
+ stop)
+ killall stunnel
+ killall -9 stunnel
+ ;;
+esac
diff --git a/net/stunnel/patches/100-cross-compile.patch b/net/stunnel/patches/100-cross-compile.patch
new file mode 100644
index 0000000000..8a2196084b
--- /dev/null
+++ b/net/stunnel/patches/100-cross-compile.patch
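Review bot: `chroot = /tmp` jails the daemon into a world-writable directory, so any local process can pre-create paths that the chrooted stunnel will see as `/` (including `/tmp/stunnel.pid`, which is where `pid = /stunnel.pid` resolves), which undoes most of what the chroot is meant to provide. Use a dedicated root-owned, non-writable directory instead; the Makefile in this commit creates an otherwise unused `/usr/stunnel`, which looks intended for exactly this, giving `chroot = /usr/stunnel`. `setuid = nobody` with `;setgid = nobody` left commented out presumably keeps the process in root's group after the uid is dropped, so `setgid = nobody` should be enabled alongside it. `sslVersion = all` still offers SSLv2 wherever the OpenSSL build provides it; the 102 patch in this commit only touches an explicit `sslVersion = SSLv2`, so a comment here noting that, or `options = NO_SSLv2`, would make the intended protocol floor explicit.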
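Review bot: `stop` sends SIGTERM and then SIGKILL with no pause between `killall stunnel` and `killall -9 stunnel`, so stunnel effectively never gets the chance to shut down cleanly and the `-9` prints a spurious "no process" error whenever the first kill already worked; `killall stunnel`, `sleep 1`, `killall -9 stunnel 2>/dev/null` keeps the forced kill as a fallback. In `start`, a missing `/etc/stunnel/stunnel.pem` makes the script do nothing and exit silently; an explicit `if`/`else` with `echo "stunnel: /etc/stunnel/stunnel.pem missing, not starting" >&2` in the `else` makes the failure visible in the boot log. The `chmod og-rwx` on every start is a good safety net, but the key is installed with plain `$(CP)` permissions and stays readable until the first start; setting the mode at install time would close that window. The script also relies on stunnel's compiled-in default config path; passing `/etc/stunnel/stunnel.conf` explicitly would make it independent of how the binary was configured.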
@@ -0,0 +1,117 @@
+diff -baurN stunnel-4.16.orig/configure stunnel-4.16/configure
+--- stunnel-4.16.orig/configure 2006-11-03 16:33:56.000000000 +0100
++++ stunnel-4.16/configure 2006-11-03 16:36:48.000000000 +0100
+@@ -20850,56 +20850,56 @@
+ fi
+ rm -f conftest*
+
+-
+-{ echo "$as_me:$LINENO: **************************************** PTY device files" >&5
+-echo "$as_me: **************************************** PTY device files" >&6;}
+-echo "$as_me:$LINENO: checking for \"/dev/ptmx\"" >&5
+-echo $ECHO_N "checking for \"/dev/ptmx\"... $ECHO_C" >&6
+-if test "${ac_cv_file___dev_ptmx_+set}" = set; then
+- echo $ECHO_N "(cached) $ECHO_C" >&6
+-else
+- test "$cross_compiling" = yes &&
+- { { echo "$as_me:$LINENO: error: cannot check for file existence when cross compiling" >&5
+-echo "$as_me: error: cannot check for file existence when cross compiling" >&2;}
+- { (exit 1); exit 1; }; }
+-if test -r ""/dev/ptmx""; then
+- ac_cv_file___dev_ptmx_=yes
+-else
+- ac_cv_file___dev_ptmx_=no
+-fi
+-fi
+-echo "$as_me:$LINENO: result: $ac_cv_file___dev_ptmx_" >&5
+-echo "${ECHO_T}$ac_cv_file___dev_ptmx_" >&6
+-if test $ac_cv_file___dev_ptmx_ = yes; then
++#
++#{ echo "$as_me:$LINENO: **************************************** PTY device files" >&5
++#echo "$as_me: **************************************** PTY device files" >&6;}
++#echo "$as_me:$LINENO: checking for \"/dev/ptmx\"" >&5
++#echo $ECHO_N "checking for \"/dev/ptmx\"... 
$ECHO_C" >&6
++#if test "${ac_cv_file___dev_ptmx_+set}" = set; then
++# echo $ECHO_N "(cached) $ECHO_C" >&6
++#else
++# test "$cross_compiling" = yes &&
++# { { echo "$as_me:$LINENO: error: cannot check for file existence when cross compiling" >&5
++#echo "$as_me: error: cannot check for file existence when cross compiling" >&2;}
++# { (exit 1); exit 1; }; }
++#if test -r ""/dev/ptmx""; then
++# ac_cv_file___dev_ptmx_=yes
++#else
++# ac_cv_file___dev_ptmx_=no
++#fi
++#fi
++#echo "$as_me:$LINENO: result: $ac_cv_file___dev_ptmx_" >&5
++#echo "${ECHO_T}$ac_cv_file___dev_ptmx_" >&6
++#if test $ac_cv_file___dev_ptmx_ = yes; then
+ cat >>confdefs.h <<\_ACEOF
+-#define HAVE_DEV_PTMX 1
++#define HAVE_DEV_PTMX 0
+ _ACEOF
+
+-fi
++#fi
+
+-echo "$as_me:$LINENO: checking for \"/dev/ptc\"" >&5
+-echo $ECHO_N "checking for \"/dev/ptc\"... $ECHO_C" >&6
+-if test "${ac_cv_file___dev_ptc_+set}" = set; then
+- echo $ECHO_N "(cached) $ECHO_C" >&6
+-else
+- test "$cross_compiling" = yes &&
+- { { echo "$as_me:$LINENO: error: cannot check for file existence when cross compiling" >&5
+-echo "$as_me: error: cannot check for file existence when cross compiling" >&2;}
+- { (exit 1); exit 1; }; }
+-if test -r ""/dev/ptc""; then
+- ac_cv_file___dev_ptc_=yes
+-else
+- ac_cv_file___dev_ptc_=no
+-fi
+-fi
+-echo "$as_me:$LINENO: result: $ac_cv_file___dev_ptc_" >&5
+-echo "${ECHO_T}$ac_cv_file___dev_ptc_" >&6
+-if test $ac_cv_file___dev_ptc_ = yes; then
++#echo "$as_me:$LINENO: checking for \"/dev/ptc\"" >&5
++#echo $ECHO_N "checking for \"/dev/ptc\"... 
$ECHO_C" >&6
++#if test "${ac_cv_file___dev_ptc_+set}" = set; then
++# echo $ECHO_N "(cached) $ECHO_C" >&6
++#else
++# test "$cross_compiling" = yes &&
++# { { echo "$as_me:$LINENO: error: cannot check for file existence when cross compiling" >&5
++#echo "$as_me: error: cannot check for file existence when cross compiling" >&2;}
++# { (exit 1); exit 1; }; }
++#if test -r ""/dev/ptc""; then
++# ac_cv_file___dev_ptc_=yes
++#else
++# ac_cv_file___dev_ptc_=no
++#fi
++#fi
++#echo "$as_me:$LINENO: result: $ac_cv_file___dev_ptc_" >&5
++#echo "${ECHO_T}$ac_cv_file___dev_ptc_" >&6
++#if test $ac_cv_file___dev_ptc_ = yes; then
+ cat >>confdefs.h <<\_ACEOF
+-#define HAVE_DEV_PTS_AND_PTC 1
++#define HAVE_DEV_PTS_AND_PTC 0
+ _ACEOF
+
+-fi
++#fi
+
+
+ { echo "$as_me:$LINENO: **************************************** entropy" >&5
+diff -baurN stunnel-4.16.orig/configure stunnel-4.16/configure
+--- stunnel-4.16.orig/configure 2006-11-03 16:45:32.000000000 +0100
++++ stunnel-4.16/configure 2006-11-03 16:46:42.000000000 +0100
+@@ -23157,8 +23157,8 @@
+
+
+ # Add SSL includes and libraries
+-CFLAGS="$CFLAGS -I$ssldir/include"
+-LIBS="$LIBS -L$ssldir/lib -lssl -lcrypto"
++CFLAGS="$CFLAGS "
++LIBS="$LIBS -lssl -lcrypto"
+
+ # Check for obsolete RSAref library
+ echo "$as_me:$LINENO: checking for obsolete RSAref library" >&5
diff --git a/net/stunnel/patches/101-no-comp.patch b/net/stunnel/patches/101-no-comp.patch
new file mode 100644
index 0000000000..8435b22686
--- /dev/null
+++ b/net/stunnel/patches/101-no-comp.patch
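Review bot: Replacing the file checks with unconditional `#define HAVE_DEV_PTMX 0` and `#define HAVE_DEV_PTS_AND_PTC 0` in confdefs.h is not the same as leaving them undefined: autoconf-style HAVE_ macros are normally tested with `#ifdef`/`defined()`, and if stunnel's pty code does that, a value of 0 still enables the /dev/ptmx and /dev/ptc paths rather than disabling them (which way pty.c tests them is not visible in this hunk). The conventional answer to "cannot check for file existence when cross compiling" is to preseed the cache variables instead of editing the generated configure, e.g. passing `ac_cv_file___dev_ptmx_=yes ac_cv_file___dev_ptc_=no` (matching what the target really has) from the package's Build/Configure; that leaves the defines consistent with how the source reads them and survives a configure regeneration. Dropping `-I$ssldir/include` and `-L$ssldir/lib` in the second hunk is fine only if the build injects the staging include and library paths through CFLAGS/LDFLAGS, which the Makefile in this commit does not show explicitly; a one-line comment at the top of the patch stating that assumption would save the next packager a search.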
@@ -0,0 +1,28 @@
+diff -baurN stunnel-4.16.orig/src/ssl.c stunnel-4.16/src/ssl.c
+--- stunnel-4.16.orig/src/ssl.c 2006-11-03 16:49:02.000000000 +0100
++++ stunnel-4.16/src/ssl.c 2006-11-03 16:50:16.000000000 +0100
+@@ -55,13 +55,16 @@
+ }
+
+ void ssl_configure(void) { /* configure global SSL settings */
++#ifndef OPENSSL_NO_COMP
+ if(options.compression!=COMP_NONE)
+ init_compression();
++#endif
+ if(!init_prng())
+ s_log(LOG_DEBUG, "PRNG seeded successfully");
+ }
+
+ static void init_compression(void) {
++#ifndef OPENSSL_NO_COMP
+ int id=0;
+ COMP_METHOD *cm=NULL;
+ char *name="unknown";
+@@ -90,6 +93,7 @@
+ exit(1);
+ }
+ s_log(LOG_INFO, "Compression enabled using %s method", name);
++#endif
+ }
+
+ static int init_prng(void) {
diff --git a/net/stunnel/patches/102-no-ssl2.patch b/net/stunnel/patches/102-no-ssl2.patch
new file mode 100644
index 0000000000..2d074d9a69
--- /dev/null
+++ b/net/stunnel/patches/102-no-ssl2.patch
@@ -0,0 +1,14 @@
+diff -baurN stunnel-4.16.orig/src/options.c stunnel-4.16/src/options.c
+--- stunnel-4.16.orig/src/options.c 2006-11-03 16:50:59.000000000 +0100
++++ stunnel-4.16/src/options.c 2006-11-03 16:51:47.000000000 +0100
+@@ -957,8 +957,10 @@
+ section->client_method=SSLv23_client_method;
+ section->server_method=SSLv23_server_method;
+ } else if(!strcasecmp(arg, "SSLv2")) {
++#ifndef OPENSSL_NO_SSL2
+ section->client_method=SSLv2_client_method;
+ section->server_method=SSLv2_server_method;
++#endif
+ } else if(!strcasecmp(arg, "SSLv3")) {
+ section->client_method=SSLv3_client_method;
+ section->server_method=SSLv3_server_method;
-- 
2.30.2
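Review bot: With `OPENSSL_NO_COMP` defined, a `compression = ...` line in stunnel.conf is still parsed and accepted, but `ssl_configure` now skips `init_compression()` without a word, so an operator who asked for compression gets none and no indication of it. Give the guard an `#else` branch before the `#endif` that reports the mismatch: `if(options.compression!=COMP_NONE)` followed by `s_log(LOG_WARNING, "Compression requested but OpenSSL was built without compression support");`. Rejecting the option at parse time in options.c would be stricter still, but that file is not part of this patch. The second hunk guards only the tail of `init_compression`; its body continues outside the hunk, and any locals it declares between the two `#ifndef`/`#endif` pairs will warn as unused on a no-COMP build if they are outside the guarded region.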
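Review bot: Under `OPENSSL_NO_SSL2` the `SSLv2` branch becomes empty, so `sslVersion = SSLv2` is accepted and silently leaves `section->client_method`/`section->server_method` at whatever they held before, instead of failing the way an unrecognised value presumably does at the end of this else-if chain (the chain's tail is outside the hunk). Give the branch an `#else` that uses the parser's error path for an unsupported version, e.g. `return "SSLv2 is not supported by this OpenSSL build";`, adapted to whatever error-return convention the surrounding function uses. Note that the `all` branch just above still selects `SSLv23_client_method`/`SSLv23_server_method`, which negotiates SSLv2 on OpenSSL builds that include it; if the intent of the patch name is to keep SSLv2 off the wire, that needs `SSL_OP_NO_SSLv2` (stunnel's `options = NO_SSLv2`) rather than this change alone. The enclosing function starts and ends outside the hunk.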