| 1 |
ramereth 11/03/02 06:16:12 |
| 2 |
|
| 3 |
Added: stunnel-4.35-libwrap.patch |
| 4 |
stunnel-4.35-xforwarded-for.diff |
| 5 |
stunnel-4.34-listen-queue.diff |
| 6 |
Log: |
| 7 |
Version bump, resolves #344117 |
| 8 |
|
| 9 |
(Portage version: 2.1.9.25/cvs/Linux x86_64) |
| 10 |
|
| 11 |
Revision Changes Path |
| 12 |
1.1 net-misc/stunnel/files/stunnel-4.35-libwrap.patch |
| 13 |
|
| 14 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/stunnel/files/stunnel-4.35-libwrap.patch?rev=1.1&view=markup |
| 15 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/stunnel/files/stunnel-4.35-libwrap.patch?rev=1.1&content-type=text/plain |
| 16 |
|
| 17 |
Index: stunnel-4.35-libwrap.patch |
| 18 |
=================================================================== |
| 19 |
--- stunnel-4.35/configure.ac 2011-02-07 16:28:03.000000000 +0100 |
| 20 |
+++ stunnel-4.35/configure.ac 2011-02-07 16:31:23.000000000 +0100 |
| 21 |
@@ -357,6 +357,7 @@ |
| 22 |
case "$enableval" in |
| 23 |
yes) AC_MSG_RESULT([no]) |
| 24 |
AC_DEFINE(HAVE_LIBWRAP) |
| 25 |
+ LIBS="$LIBS -lwrap" |
| 26 |
;; |
| 27 |
no) AC_MSG_RESULT([yes]) |
| 28 |
;; |
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
1.1 net-misc/stunnel/files/stunnel-4.35-xforwarded-for.diff |
| 33 |
|
| 34 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/stunnel/files/stunnel-4.35-xforwarded-for.diff?rev=1.1&view=markup |
| 35 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/stunnel/files/stunnel-4.35-xforwarded-for.diff?rev=1.1&content-type=text/plain |
| 36 |
|
| 37 |
Index: stunnel-4.35-xforwarded-for.diff |
| 38 |
=================================================================== |
| 39 |
--- stunnel-4.35/doc/stunnel.fr.8.ori 2011-02-07 17:21:07.000000000 +0100 |
| 40 |
+++ stunnel-4.35-xforwarded-for/doc/stunnel.fr.8 2011-02-07 17:21:31.000000000 +0100 |
| 41 |
@@ -394,6 +394,10 @@ |
| 42 |
.IP "\fBTIMEOUTidle\fR = secondes" 4 |
| 43 |
.IX Item "TIMEOUTidle = secondes" |
| 44 |
Durée d'attente sur une connexion inactive |
| 45 |
+.IP "\fBxforwardedfor\fR = yes | no" 4 |
| 46 |
+.IX Item "xforwardedfor = yes | no" |
| 47 |
+Ajoute un en-tête 'X-Forwarded-For:' dans la requête HTTP fournissant |
| 48 |
+au serveur l'adresse IP du client. |
| 49 |
.IP "\fBtransparent\fR = yes | no (Unix seulement)" 4 |
| 50 |
.IX Item "transparent = yes | no (Unix seulement)" |
| 51 |
Mode mandataire transparent |
| 52 |
diff -ru stunnel-4.35/doc/stunnel.8 stunnel-4.35-xforwarded-for/doc/stunnel.8 |
| 53 |
--- stunnel-4.35/doc/stunnel.8 2010-09-15 09:11:21.000000000 +0200 |
| 54 |
+++ stunnel-4.35-xforwarded-for/doc/stunnel.8 2010-12-06 21:56:08.770829792 +0100 |
| 55 |
@@ -527,6 +527,10 @@ |
| 56 |
.IP "\fBTIMEOUTidle\fR = seconds" 4 |
| 57 |
.IX Item "TIMEOUTidle = seconds" |
| 58 |
time to keep an idle connection |
| 59 |
+.IP "\fBxforwardedfor\fR = yes | no" 4 |
| 60 |
+.IX Item "xforwardedfor = yes | no" |
| 61 |
+append an 'X-Forwarded-For:' HTTP request header providing the |
| 62 |
+client's IP address to the server. |
| 63 |
.IP "\fBtransparent\fR = none | source | destination | both (Unix only)" 4 |
| 64 |
.IX Item "transparent = none | source | destination | both (Unix only)" |
| 65 |
enable transparent proxy support on selected platforms |
| 66 |
diff -ru stunnel-4.35/src/client.c stunnel-4.35-xforwarded-for/src/client.c |
| 67 |
--- stunnel-4.35/src/client.c 2010-09-14 17:03:43.000000000 +0200 |
| 68 |
+++ stunnel-4.35-xforwarded-for/src/client.c 2010-12-06 21:56:08.770829792 +0100 |
| 69 |
@@ -84,6 +84,12 @@ |
| 70 |
return NULL; |
| 71 |
} |
| 72 |
c->opt=opt; |
| 73 |
+ /* some options need space to add some information */ |
| 74 |
+ if (c->opt->option.xforwardedfor) |
| 75 |
+ c->buffsize = BUFFSIZE - BUFF_RESERVED; |
| 76 |
+ else |
| 77 |
+ c->buffsize = BUFFSIZE; |
| 78 |
+ c->crlf_seen=0; |
| 79 |
c->local_rfd.fd=rfd; |
| 80 |
c->local_wfd.fd=wfd; |
| 81 |
return c; |
| 82 |
@@ -372,6 +378,28 @@ |
| 83 |
} |
| 84 |
} |
| 85 |
|
| 86 |
+/* Moves all data from the buffer <buffer> between positions <start> and <stop> |
| 87 |
+ * to insert <string> of length <len>. <start> and <stop> are updated to their |
| 88 |
+ * new respective values, and the number of characters inserted is returned. |
| 89 |
+ * If <len> is too long, nothing is done and -1 is returned. |
| 90 |
+ * Note that neither <string> nor <buffer> can be NULL. |
| 91 |
+ */ |
| 92 |
+static int buffer_insert_with_len(char *buffer, int *start, int *stop, int limit, char *string, int len) { |
| 93 |
+ if (len > limit - *stop) |
| 94 |
+ return -1; |
| 95 |
+ if (*start > *stop) |
| 96 |
+ return -1; |
| 97 |
+ memmove(buffer + *start + len, buffer + *start, *stop - *start); |
| 98 |
+ memcpy(buffer + *start, string, len); |
| 99 |
+ *start += len; |
| 100 |
+ *stop += len; |
| 101 |
+ return len; |
| 102 |
+} |
| 103 |
+ |
| 104 |
+static int buffer_insert(char *buffer, int *start, int *stop, int limit, char *string) { |
| 105 |
+ return buffer_insert_with_len(buffer, start, stop, limit, string, strlen(string)); |
| 106 |
+} |
| 107 |
+ |
| 108 |
/****************************** transfer data */ |
| 109 |
static void transfer(CLI *c) { |
| 110 |
int watchdog=0; /* a counter to detect an infinite loop */ |
| 111 |
@@ -390,7 +418,7 @@ |
| 112 |
do { /* main loop of client data transfer */ |
| 113 |
/****************************** initialize *_wants_* */ |
| 114 |
read_wants_read= |
| 115 |
- ssl_open_rd && c->ssl_ptr<BUFFSIZE && !read_wants_write; |
| 116 |
+ ssl_open_rd && c->ssl_ptr<c->buffsize && !read_wants_write; |
| 117 |
write_wants_write= |
| 118 |
ssl_open_wr && c->sock_ptr && !write_wants_read; |
| 119 |
|
| 120 |
@@ -399,7 +427,7 @@ |
| 121 |
/* for plain socket open data strem = open file descriptor */ |
| 122 |
/* make sure to add each open socket to receive exceptions! */ |
| 123 |
if(sock_open_rd) |
| 124 |
- s_poll_add(&c->fds, c->sock_rfd->fd, c->sock_ptr<BUFFSIZE, 0); |
| 125 |
+ s_poll_add(&c->fds, c->sock_rfd->fd, c->sock_ptr<c->buffsize, 0); |
| 126 |
if(sock_open_wr) |
| 127 |
s_poll_add(&c->fds, c->sock_wfd->fd, 0, c->ssl_ptr); |
| 128 |
/* for SSL assume that sockets are open if there any pending requests */ |
| 129 |
@@ -531,7 +559,7 @@ |
| 130 |
/****************************** read from socket */ |
| 131 |
if(sock_open_rd && sock_can_rd) { |
| 132 |
num=readsocket(c->sock_rfd->fd, |
| 133 |
- c->sock_buff+c->sock_ptr, BUFFSIZE-c->sock_ptr); |
| 134 |
+ c->sock_buff+c->sock_ptr, c->buffsize-c->sock_ptr); |
| 135 |
switch(num) { |
| 136 |
case -1: |
| 137 |
parse_socket_error(c, "readsocket"); |
| 138 |
@@ -567,7 +595,7 @@ |
| 139 |
/****************************** update *_wants_* based on new *_ptr */ |
| 140 |
/* this update is also required for SSL_pending() to be used */ |
| 141 |
read_wants_read= |
| 142 |
- ssl_open_rd && c->ssl_ptr<BUFFSIZE && !read_wants_write; |
| 143 |
+ ssl_open_rd && c->ssl_ptr<c->buffsize && !read_wants_write; |
| 144 |
write_wants_write= |
| 145 |
ssl_open_wr && c->sock_ptr && !write_wants_read; |
| 146 |
|
| 147 |
@@ -577,10 +605,71 @@ |
| 148 |
* writesocket() above made some room in c->ssl_buff */ |
| 149 |
(read_wants_write && ssl_can_wr)) { |
| 150 |
read_wants_write=0; |
| 151 |
- num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr); |
| 152 |
+ num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, c->buffsize-c->ssl_ptr); |
| 153 |
switch(err=SSL_get_error(c->ssl, num)) { |
| 154 |
case SSL_ERROR_NONE: |
| 155 |
- c->ssl_ptr+=num; |
| 156 |
+ if (c->buffsize != BUFFSIZE && c->opt->option.xforwardedfor) { /* some work left to do */ |
| 157 |
+ int last = c->ssl_ptr; |
| 158 |
+ c->ssl_ptr += num; |
| 159 |
+ |
| 160 |
+ /* Look for end of HTTP headers between last and ssl_ptr. |
| 161 |
+ * To achieve this reliably, we have to count the number of |
| 162 |
+ * successive [CR]LF and to memorize it in case it's spread |
| 163 |
+ * over multiple segments. --WT. |
| 164 |
+ */ |
| 165 |
+ while (last < c->ssl_ptr) { |
| 166 |
+ if (c->ssl_buff[last] == '\n') { |
| 167 |
+ if (++c->crlf_seen == 2) |
| 168 |
+ break; |
| 169 |
+ } else if (last < c->ssl_ptr - 1 && |
| 170 |
+ c->ssl_buff[last] == '\r' && |
| 171 |
+ c->ssl_buff[last+1] == '\n') { |
| 172 |
+ if (++c->crlf_seen == 2) |
| 173 |
+ break; |
| 174 |
+ last++; |
| 175 |
+ } else if (c->ssl_buff[last] != '\r') |
| 176 |
+ /* don't refuse '\r' because we may get a '\n' on next read */ |
| 177 |
+ c->crlf_seen = 0; |
| 178 |
+ last++; |
| 179 |
+ } |
| 180 |
+ if (c->crlf_seen >= 2) { |
| 181 |
+ /* We have all the HTTP headers now. We don't need to |
| 182 |
+ * reserve any space anymore. <ssl_ptr> points to the |
| 183 |
+ * first byte of unread data, and <last> points to the |
| 184 |
+ * exact location where we want to insert our headers, |
| 185 |
+ * which is right before the empty line. |
| 186 |
+ */ |
| 187 |
+ c->buffsize = BUFFSIZE; |
| 188 |
+ |
| 189 |
+ if (c->opt->option.xforwardedfor) { |
| 190 |
+ /* X-Forwarded-For: xxxx \r\n\0 */ |
| 191 |
+ char xforw[17 + IPLEN + 3]; |
| 192 |
+ |
| 193 |
+ /* We will insert our X-Forwarded-For: header here. |
| 194 |
+ * We need to write the IP address, but if we use |
| 195 |
+ * sprintf, it will pad with the terminating 0. |
| 196 |
+ * So we will pass via a temporary buffer allocated |
| 197 |
+ * on the stack. |
| 198 |
+ */ |
| 199 |
+ memcpy(xforw, "X-Forwarded-For: ", 17); |
| 200 |
+ if (getnameinfo(&c->peer_addr.addr[0].sa, |
| 201 |
+ addr_len(c->peer_addr.addr[0]), |
| 202 |
+ xforw + 17, IPLEN, NULL, 0, |
| 203 |
+ NI_NUMERICHOST) == 0) { |
| 204 |
+ strcat(xforw + 17, "\r\n"); |
| 205 |
+ buffer_insert(c->ssl_buff, &last, &c->ssl_ptr, |
| 206 |
+ c->buffsize, xforw); |
| 207 |
+ } |
| 208 |
+ /* last still points to the \r\n and ssl_ptr to the |
| 209 |
+ * end of the buffer, so we may add as many headers |
| 210 |
+ * as wee need to. |
| 211 |
+ */ |
| 212 |
+ } |
| 213 |
+ } |
| 214 |
+ } |
| 215 |
+ else |
| 216 |
+ c->ssl_ptr+=num; |
| 217 |
+ |
| 218 |
watchdog=0; /* reset watchdog */ |
| 219 |
break; |
| 220 |
case SSL_ERROR_WANT_WRITE: |
| 221 |
diff -ru stunnel-4.35/src/common.h stunnel-4.35-xforwarded-for/src/common.h |
| 222 |
--- stunnel-4.35/src/common.h 2010-09-14 17:00:36.000000000 +0200 |
| 223 |
+++ stunnel-4.35-xforwarded-for/src/common.h 2010-12-06 21:56:08.770829792 +0100 |
| 224 |
@@ -53,6 +53,9 @@ |
| 225 |
/* I/O buffer size */ |
| 226 |
#define BUFFSIZE 16384 |
| 227 |
|
| 228 |
+/* maximum space reserved for header insertion in BUFFSIZE */ |
| 229 |
+#define BUFF_RESERVED 1024 |
| 230 |
+ |
| 231 |
/* length of strings (including the terminating '\0' character) */ |
| 232 |
/* it can't be lower than 256 bytes or NTLM authentication will break */ |
| 233 |
#define STRLEN 256 |
| 234 |
diff -ru stunnel-4.35/src/options.c stunnel-4.35-xforwarded-for/src/options.c |
| 235 |
--- stunnel-4.35/src/options.c 2010-09-14 17:09:36.000000000 +0200 |
| 236 |
+++ stunnel-4.35-xforwarded-for/src/options.c 2010-12-06 21:56:08.774829832 +0100 |
| 237 |
@@ -818,6 +818,29 @@ |
| 238 |
} |
| 239 |
#endif |
| 240 |
|
| 241 |
+ /* xforwardedfor */ |
| 242 |
+ switch(cmd) { |
| 243 |
+ case CMD_INIT: |
| 244 |
+ section->option.xforwardedfor=0; |
| 245 |
+ break; |
| 246 |
+ case CMD_EXEC: |
| 247 |
+ if(strcasecmp(opt, "xforwardedfor")) |
| 248 |
+ break; |
| 249 |
+ if(!strcasecmp(arg, "yes")) |
| 250 |
+ section->option.xforwardedfor=1; |
| 251 |
+ else if(!strcasecmp(arg, "no")) |
| 252 |
+ section->option.xforwardedfor=0; |
| 253 |
+ else |
| 254 |
+ return "argument should be either 'yes' or 'no'"; |
| 255 |
+ return NULL; /* OK */ |
| 256 |
+ case CMD_DEFAULT: |
| 257 |
+ break; |
| 258 |
+ case CMD_HELP: |
| 259 |
+ s_log(LOG_NOTICE, "%-15s = yes|no append an HTTP X-Forwarded-For header", |
| 260 |
+ "xforwardedfor"); |
| 261 |
+ break; |
| 262 |
+ } |
| 263 |
+ |
| 264 |
/* exec */ |
| 265 |
switch(cmd) { |
| 266 |
case CMD_INIT: |
| 267 |
diff -ru stunnel-4.35/src/prototypes.h stunnel-4.35-xforwarded-for/src/prototypes.h |
| 268 |
--- stunnel-4.35/src/prototypes.h 2010-09-14 17:09:50.000000000 +0200 |
| 269 |
+++ stunnel-4.35-xforwarded-for/src/prototypes.h 2010-12-06 21:56:08.774829832 +0100 |
| 270 |
@@ -171,6 +171,7 @@ |
| 271 |
struct { |
| 272 |
unsigned int client:1; |
| 273 |
unsigned int delayed_lookup:1; |
| 274 |
+ unsigned int xforwardedfor:1; |
| 275 |
unsigned int accept:1; |
| 276 |
unsigned int remote:1; |
| 277 |
unsigned int retry:1; /* loop remote+program */ |
| 278 |
@@ -346,6 +347,8 @@ |
| 279 |
FD *ssl_rfd, *ssl_wfd; /* read and write SSL descriptors */ |
| 280 |
int sock_bytes, ssl_bytes; /* bytes written to socket and ssl */ |
| 281 |
s_poll_set fds; /* file descriptors */ |
| 282 |
+ int buffsize; /* current buffer size, may be lower than BUFFSIZE */ |
| 283 |
+ int crlf_seen; /* the number of successive CRLF seen */ |
| 284 |
} CLI; |
| 285 |
|
| 286 |
extern int max_fds, max_clients; |
| 287 |
|
| 288 |
|
| 289 |
|
| 290 |
1.1 net-misc/stunnel/files/stunnel-4.34-listen-queue.diff |
| 291 |
|
| 292 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/stunnel/files/stunnel-4.34-listen-queue.diff?rev=1.1&view=markup |
| 293 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/stunnel/files/stunnel-4.34-listen-queue.diff?rev=1.1&content-type=text/plain |
| 294 |
|
| 295 |
Index: stunnel-4.34-listen-queue.diff |
| 296 |
=================================================================== |
| 297 |
Patch by Thomas Franco, rediffed for 4.34. |
| 298 |
|
| 299 |
diff -ru stunnel-4.34/src/options.c stunnel-4.34-listen-queue/src/options.c |
| 300 |
--- stunnel-4.34/src/options.c 2010-09-14 17:09:36.000000000 +0200 |
| 301 |
+++ stunnel-4.34-listen-queue/src/options.c 2010-12-06 22:14:15.610223090 +0100 |
| 302 |
@@ -1473,6 +1473,24 @@ |
| 303 |
break; |
| 304 |
} |
| 305 |
|
| 306 |
+ /* listenqueue */ |
| 307 |
+ switch(cmd) { |
| 308 |
+ case CMD_INIT: |
| 309 |
+ section->listenqueue=SOMAXCONN; |
| 310 |
+ break; |
| 311 |
+ case CMD_EXEC: |
| 312 |
+ if(strcasecmp(opt, "listenqueue")) |
| 313 |
+ break; |
| 314 |
+ section->listenqueue=atoi(arg); |
| 315 |
+ return (section->listenqueue?NULL:"Bad verify level"); |
| 316 |
+ case CMD_DEFAULT: |
| 317 |
+ s_log(LOG_NOTICE, "%-15s = %d", "listenqueue", SOMAXCONN); |
| 318 |
+ break; |
| 319 |
+ case CMD_HELP: |
| 320 |
+ s_log(LOG_NOTICE, "%-15s = defines the maximum length the queue of pending connections may grow to", "listenqueue"); |
| 321 |
+ break; |
| 322 |
+ } |
| 323 |
+ |
| 324 |
if(cmd==CMD_EXEC) |
| 325 |
return option_not_found; |
| 326 |
return NULL; /* OK */ |
| 327 |
diff -ru stunnel-4.34/src/prototypes.h stunnel-4.34-listen-queue/src/prototypes.h |
| 328 |
--- stunnel-4.34/src/prototypes.h 2010-09-14 17:09:50.000000000 +0200 |
| 329 |
+++ stunnel-4.34-listen-queue/src/prototypes.h 2010-12-06 22:06:39.217327586 +0100 |
| 330 |
@@ -158,6 +158,7 @@ |
| 331 |
int timeout_close; /* maximum close_notify time */ |
| 332 |
int timeout_connect; /* maximum connect() time */ |
| 333 |
int timeout_idle; /* maximum idle connection time */ |
| 334 |
+ int listenqueue; /* Listen baklog */ |
| 335 |
enum {FAILOVER_RR, FAILOVER_PRIO} failover; /* failover strategy */ |
| 336 |
|
| 337 |
/* protocol name for protocol.c */ |
| 338 |
Seulement dans stunnel-4.34-listen-queue/src: prototypes.h~ |
| 339 |
diff -ru stunnel-4.34/src/stunnel.c stunnel-4.34-listen-queue/src/stunnel.c |
| 340 |
--- stunnel-4.34/src/stunnel.c 2010-08-20 11:01:35.000000000 +0200 |
| 341 |
+++ stunnel-4.34-listen-queue/src/stunnel.c 2010-12-06 22:05:54.732885327 +0100 |
| 342 |
@@ -204,7 +204,7 @@ |
| 343 |
} |
| 344 |
s_log(LOG_DEBUG, "Service %s bound to %s", |
| 345 |
opt->servname, opt->local_address); |
| 346 |
- if(listen(opt->fd, 5)) { |
| 347 |
+ if(listen(opt->fd, opt->listenqueue)) { |
| 348 |
sockerror("listen"); |
| 349 |
return 0; |
| 350 |
} |
| 351 |
Seulement dans stunnel-4.34-listen-queue/src: stunnel.c~ |
Archives