From f6927350e4f5aedd9870a65923ceff232bd10bf3 Mon Sep 17 00:00:00 2001
From: Michael Haas
Date: Tue, 10 Mar 2015 09:54:17 +0100
Subject: [PATCH] stunnel: Bring it back at v5.10

From: Michael Haas

* init script no longer creates certificates (consider client mode as use case)
* patches/010_fix_getnameinfo.patch: Fix getnameinfo signature
* patches/011_disable_ssp_linking.patch: Disable -fstack-protector as it is not always available in OpenWRT
* old patches (in oldpackages) no longer necessary
* remove libwrap dependency
* remove libpthread dependency
* respect CONFIG_IPV6
* init script uses procd
* sample stunnel.conf runs in client mode - prevents start failure, does not require cert

Possible enhancement: automatically generate certificate as done in uhttpd. However, as client mode is a possible use case, I'd rather not. Additionally, stunnel may use several certs with user-defined locations and we can't easily set a cert location via command-line args.

The package is based on https://sites.google.com/site/twisteroidambassador/openwrt/stunnel

Signed-off-by: Michael Haas
---
 net/stunnel/Makefile | 77 ++++++++++
 net/stunnel/files/stunnel.conf | 45 ++++++
 net/stunnel/files/stunnel.init | 12 ++
 net/stunnel/patches/010_fix_getnameinfo.patch | 25 ++++
 .../patches/011_disable_ssp_linking.patch | 140 ++++++++++++++++++
 5 files changed, 299 insertions(+)
 create mode 100644 net/stunnel/Makefile
 create mode 100644 net/stunnel/files/stunnel.conf
 create mode 100644 net/stunnel/files/stunnel.init
 create mode 100644 net/stunnel/patches/010_fix_getnameinfo.patch
 create mode 100644 net/stunnel/patches/011_disable_ssp_linking.patch
diff --git a/net/stunnel/Makefile b/net/stunnel/Makefile
new file mode 100644
index 0000000000..9238331d77
--- /dev/null
+++ b/net/stunnel/Makefile
@@ -0,0 +1,77 @@
+#
+# Copyright (C) 2006-2014 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=stunnel
+PKG_VERSION:=5.10
+PKG_RELEASE:=1
+
+PKG_LICENSE:=GPL-2.0+
+PKG_MAINTAINER:=Michael Haas
+PKG_LICENSE_FILES:=COPYING COPYRIGHT.GPL
+
+PKG_SOURCE_URL:=http://stunnel.cybermirror.org/archive/5.x/
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_MD5SUM:=a0edda805eb7d6ea600a230fb0979ea1
+
+PKG_FIXUP:=autoreconf
+PKG_INSTALL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/stunnel
+ SECTION:=net
+ CATEGORY:=Network
+ DEPENDS:=+libopenssl
+ TITLE:=SSL TCP Wrapper
+ URL:=http://www.stunnel.org/
+endef
+
+define Package/stunnel/description
+ Stunnel is a program that allows you to encrypt arbitrary TCP
+ connections inside SSL (Secure Sockets Layer) available on both Unix
+ and Windows. Stunnel can allow you to secure non-SSL aware daemons and
+ protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the
+ encryption, requiring no changes to the daemon's code.
+endef
+
+define Package/stunnel/conffiles
+/etc/stunnel/stunnel.conf
+endef
+
+
+CONFIGURE_ARGS+= \
+ --with-random=/dev/urandom \
+ --with-threads=fork \
+ --with-ssl=$(STAGING_DIR)/usr \
+ --disable-libwrap \
+ --disable-systemd
+
+ifeq ($(CONFIG_IPV6),n)
+CONFIGURE_ARGS+= \
+ --disable-ipv6
+endif
+
+define Build/Compile
+ mkdir -p $(PKG_INSTALL_DIR)/etc/stunnel
+ echo '#dummy' > $(PKG_INSTALL_DIR)/etc/stunnel/stunnel.pem
+ $(call Build/Compile/Default)
+endef
+
+define Package/stunnel/install
+ $(INSTALL_DIR) $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/stunnel $(1)/usr/bin/
+ $(INSTALL_DIR) $(1)/usr/lib/stunnel
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/stunnel/libstunnel.so $(1)/usr/lib/stunnel/
+ $(INSTALL_DIR) $(1)/etc/stunnel
+ $(INSTALL_CONF) ./files/stunnel.conf $(1)/etc/stunnel/stunnel.conf
+ $(INSTALL_DIR) $(1)/etc/init.d
+ $(INSTALL_BIN) ./files/stunnel.init $(1)/etc/init.d/stunnel
+endef
+
+$(eval $(call BuildPackage,stunnel))
diff --git a/net/stunnel/files/stunnel.conf b/net/stunnel/files/stunnel.conf
new file mode 100644
index 0000000000..2f10800b9d
--- /dev/null
+++ b/net/stunnel/files/stunnel.conf
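Review bot: `ifeq ($(CONFIG_IPV6),n)` most likely never matches: a Kconfig-generated .config records a disabled symbol as a comment (`# CONFIG_IPV6 is not set`), so `$(CONFIG_IPV6)` expands to empty rather than `n` and `--disable-ipv6` is never appended; `ifneq ($(CONFIG_IPV6),y)` would pass it whenever the symbol is unset. The tarball is fetched over plain HTTP (`PKG_SOURCE_URL`) and pinned only by `PKG_MD5SUM`; MD5 is what this build system offers here, but the value should be cross-checked against an upstream-published signature or stronger digest on each update, since a substituted archive would otherwise only be caught by a collision-weak hash. The `echo '#dummy' > .../stunnel.pem` line in `Build/Compile` deserves a why-comment — presumably it keeps upstream's install step from generating a certificate at build time — e.g. `# pre-create stunnel.pem so the upstream install target does not generate a certificate (confirm against upstream src/Makefile.am)`.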
@@ -0,0 +1,45 @@
+; Drop privileges
+setuid = nobody
+setgid = nogroup
+
+; When running under procd, stay in foreground
+foreground = yes
+
+; Don't log to stderr, use syslog
+syslog = yes
+
+; 1-7. Use 7 for greatest verbosity
+;debug = 5
+
+; Starting here, enter your services or uncomment the examples
+
+; Example:
+; If your local httpd does not support HTTPS, use stunnel in remote
+; mode to forward TLS connections coming in on port 443 to non-TLS
+; on port 80.
+; Make sure that the cert is available.
+;[httpd]
+;accept = 443
+;connect = 127.0.0.1:80
+;cert = /etc/stunnel/stunnel.pem
+
+; Example:
+; If your local email client does not support TLS,
+; use stunnel in client mode to forward non-TLS connections on
+; port 143 to TLS-enabled servername:993.
+;[imap]
+;client = yes
+;accept = 143
+;connect = servername:993
+; Disable peer verification - be sure to understand the limitations of peer
+; verification in stunnel when enabling.
+;verify = 0
+
+; Default client section:
+; stunnel requires at least one section to start successfully.
+; You can safely remove this section once you have configured
+; your own. We use client mode here as server requires a certificate.
+[dummy]
+client = yes
+accept = localhost:6000
+connect = localhost:6001
diff --git a/net/stunnel/files/stunnel.init b/net/stunnel/files/stunnel.init
new file mode 100644
index 0000000000..e622205b83
--- /dev/null
+++ b/net/stunnel/files/stunnel.init
@@ -0,0 +1,12 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2006-2008 OpenWrt.org
+
+START=90
+USE_PROCD=1
+
+start_service() {
+ procd_open_instance
+ procd_set_param command /usr/bin/stunnel /etc/stunnel/stunnel.conf
+ procd_set_param respawn # respawn automatically if something died
+ procd_close_instance
+}
diff --git a/net/stunnel/patches/010_fix_getnameinfo.patch b/net/stunnel/patches/010_fix_getnameinfo.patch
new file mode 100644
index 0000000000..f0a9faa7b5
--- /dev/null
+++ b/net/stunnel/patches/010_fix_getnameinfo.patch
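Review bot: The `[imap]` client example only demonstrates turning peer verification off (`;verify = 0`), so anyone who uncomments it as written gets a TLS client that accepts any server certificate; the template should also show the verifying form, e.g. `;verify = 2` together with `;CAfile = <path-to-ca-bundle>` (placeholder path), and describe `verify = 0` as the insecure fallback. The `[dummy]` section likewise has no `verify` line, which is acceptable only because it is a placeholder that is not meant to reach anything on `localhost:6001`; its comment could say so explicitly so it is not copied as a pattern for real sections. Since `verify` alone only selects a level, a short line noting that level 2 needs `CAfile` or `CApath` to chain against would save users a confusing start-up failure.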
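Review bot: The procd instance in `start_service` does not register the configuration with `procd_set_param file /etc/stunnel/stunnel.conf`, so `/etc/init.d/stunnel reload` cannot notice an edited config and the service keeps running with the old one until an explicit restart. The bare `procd_set_param respawn` means a config that makes stunnel exit immediately (for example a server section whose `cert` file is missing) is restarted repeatedly until procd's default respawn threshold gives up; the threshold/timeout/retry arguments to `respawn` are the place to set a deliberate policy if that is not wanted.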
@@ -0,0 +1,25 @@
+--- a/src/prototypes.h
++++ b/src/prototypes.h
+@@ -559,7 +559,7 @@ extern GETNAMEINFO s_getnameinfo;
+
+ #endif /* USE_WIN32 */
+
+-int getnameinfo(const struct sockaddr *, int, char *, int, char *, int, int);
++int getnameinfo(const struct sockaddr *, socklen_t, char *, socklen_t, char *, socklen_t, unsigned int);
+
+ #endif /* !defined HAVE_GETNAMEINFO */
+
+--- a/src/resolver.c
++++ b/src/resolver.c
+@@ -535,8 +535,9 @@ const char *s_gai_strerror(int err) {
+ /* implementation is limited to functionality needed by stunnel */
+
+ #ifndef HAVE_GETNAMEINFO
+-int getnameinfo(const struct sockaddr *sa, int salen,
+- char *host, int hostlen, char *serv, int servlen, int flags) {
++int getnameinfo(const struct sockaddr *sa, socklen_t salen,
++ char *host, socklen_t hostlen, char *serv, socklen_t servlen,
++ unsigned int flags) {
+
+ #if defined(USE_WIN32) && !defined(_WIN32_WCE)
+ if(s_getnameinfo)
diff --git a/net/stunnel/patches/011_disable_ssp_linking.patch b/net/stunnel/patches/011_disable_ssp_linking.patch
new file mode 100644
index 0000000000..459c016da9
--- /dev/null
+++ b/net/stunnel/patches/011_disable_ssp_linking.patch
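Review bot: The fallback prototype now hard-codes `unsigned int flags`, which matches glibc and uClibc but not POSIX or musl, where the last parameter of `getnameinfo` is `int`; if this fallback is ever compiled against a musl toolchain the conflicting-declaration error this patch works around will likely reappear. Because the body sits under `#ifndef HAVE_GETNAMEINFO`, it is worth finding out why configure fails to detect the libc `getnameinfo` during cross-compilation rather than chasing the libc's prototype. The patch has no header text; a two-line description above the first `---` stating the build failure and which libc's declaration the types were taken from would help the next maintainer.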
@@ -0,0 +1,140 @@
+--- a/configure
++++ b/configure
+@@ -5646,66 +5646,66 @@ done
+
+
+
+-for flag in -fstack-protector; do
+- as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$flag" | $as_tr_sh`
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $flag" >&5
+-$as_echo_n "checking whether C compiler accepts $flag... " >&6; }
+-if eval \${$as_CACHEVAR+:} false; then :
+- $as_echo_n "(cached) " >&6
+-else
+-
+- ax_check_save_flags=$CFLAGS
+- CFLAGS="$CFLAGS $flag"
+- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+-/* end confdefs.h. */
+-
+-int
+-main ()
+-{
+-
+- ;
+- return 0;
+-}
+-_ACEOF
+-if ac_fn_c_try_compile "$LINENO"; then :
+- eval "$as_CACHEVAR=yes"
+-else
+- eval "$as_CACHEVAR=no"
+-fi
+-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+- CFLAGS=$ax_check_save_flags
+-fi
+-eval ac_res=\$$as_CACHEVAR
+- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+-$as_echo "$ac_res" >&6; }
+-if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then :
+- if ${CFLAGS+:} false; then :
+- case " $CFLAGS " in
+- *" $flag "*)
+- { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS already contains \$flag"; } >&5
+- (: CFLAGS already contains $flag) 2>&5
+- ac_status=$?
+- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+- test $ac_status = 0; }
+- ;;
+- *)
+- { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS=\"\$CFLAGS \$flag\""; } >&5
+- (: CFLAGS="$CFLAGS $flag") 2>&5
+- ac_status=$?
+- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+- test $ac_status = 0; }
+- CFLAGS="$CFLAGS $flag"
+- ;;
+- esac
+-else
+- CFLAGS="$flag"
+-fi
+-
+-else
+- :
+-fi
+-
+-done
++#for flag in -fstack-protector; do
++# as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$flag" | $as_tr_sh`
++#{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $flag" >&5
++#$as_echo_n "checking whether C compiler accepts $flag... 
" >&6; } ++#if eval \${$as_CACHEVAR+:} false; then : ++# $as_echo_n "(cached) " >&6 ++#else ++# ++# ax_check_save_flags=$CFLAGS ++# CFLAGS="$CFLAGS $flag" ++# cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++#/* end confdefs.h. */ ++ ++#int ++#main () ++#{ ++# ++# ; ++# return 0; ++#} ++#_ACEOF ++#if ac_fn_c_try_compile "$LINENO"; then : ++# eval "$as_CACHEVAR=yes" ++#else ++# eval "$as_CACHEVAR=no" ++#fi ++#rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++# CFLAGS=$ax_check_save_flags ++#fi ++#eval ac_res=\$$as_CACHEVAR ++# { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 ++#$as_echo "$ac_res" >&6; } ++#if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then : ++# if ${CFLAGS+:} false; then : ++# case " $CFLAGS " in ++# *" $flag "*) ++# { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS already contains \$flag"; } >&5 ++# (: CFLAGS already contains $flag) 2>&5 ++# ac_status=$? ++# $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 ++# test $ac_status = 0; } ++# ;; ++# *) ++# { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS=\"\$CFLAGS \$flag\""; } >&5 ++# (: CFLAGS="$CFLAGS $flag") 2>&5 ++# ac_status=$? ++# $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 ++# test $ac_status = 0; } ++# CFLAGS="$CFLAGS $flag" ++# ;; ++# esac ++#else ++# CFLAGS="$flag" ++#fi ++# ++#else ++# : ++#fi ++# ++#done + + + +--- a/configure.ac ++++ b/configure.ac +@@ -71,7 +71,7 @@ AX_APPEND_COMPILE_FLAGS([-Wformat=2]) + AX_APPEND_COMPILE_FLAGS([-Wconversion]) + AX_APPEND_COMPILE_FLAGS([-Wno-long-long]) + AX_APPEND_COMPILE_FLAGS([-Wno-deprecated-declarations]) +-AX_APPEND_COMPILE_FLAGS([-fstack-protector]) ++#AX_APPEND_COMPILE_FLAGS([-fstack-protector]) + AX_APPEND_COMPILE_FLAGS([-fPIE]) + AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2]) + AX_APPEND_LINK_FLAGS([-fPIE -pie]) -- 2.30.2