--- stunnel4-4.050.orig/tools/stunnel.conf-sample.in +++ stunnel4-4.050/tools/stunnel.conf-sample.in @@ -3,10 +3,9 @@ #cert = /etc/stunnel/mail.pem #chroot = /var/run/stunnel/ -# PID is created inside chroot jail -#pid = /var/run/stunnel4/stunnel.pid -#setuid = nobody -#setgid = nogroup +pid = /var/run/stunnel4/stunnel.pid +setuid = stunnel4 +setgid = stunnel4 # Workaround for Eudora bug #options = DONT_INSERT_EMPTY_FRAGMENTS @@ -24,11 +23,11 @@ #CRLfile = /etc/stunnel/crls.pem # Some debugging stuff -#debug = 7 -#output = stunnel.log +debug = 7 +output = /var/log/stunnel4/stunnel.log # Use it for client mode -#client = yes +client = yes # Service-level configuration --- stunnel4-4.050.orig/debian/dirs +++ stunnel4-4.050/debian/dirs @@ -0,0 +1,3 @@ +usr/sbin +etc/stunnel +usr/share/doc/stunnel4 --- stunnel4-4.050.orig/debian/docs +++ stunnel4-4.050/debian/docs @@ -0,0 +1,6 @@ +BUGS +NEWS +README +TODO +doc/en/transproxy.txt +debian/StunnelConf-0.1.pl --- stunnel4-4.050.orig/debian/control +++ stunnel4-4.050/debian/control @@ -0,0 +1,21 @@ +Source: stunnel4 +Section: net +Priority: optional +Build-Depends: debhelper(>=4), libssl-dev, openssl, libwrap0-dev, sdf +Maintainer: Julien Lemoine +Standards-Version: 3.6.1 + +Package: stunnel4 +Architecture: any +Replaces: stunnel +Depends: ${shlibs:Depends}, openssl, netbase +Description: Universal SSL tunnel for network daemons + The stunnel program is designed to work as SSL encryption + wrapper between remote client and local (inetd-startable) or + remote server. The concept is that having non-SSL aware daemons + running on your system you can easily setup them to + communicate with clients over secure SSL channel. + . + stunnel can be used to add SSL functionality to commonly + used inetd daemons like POP-2, POP-3 and IMAP servers + without any changes in the programs' code. --- stunnel4-4.050.orig/debian/stunnel4.default +++ stunnel4-4.050/debian/stunnel4.default 
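Review bot: Removing the `# PID is created inside chroot jail` comment drops the only hint that `pid` is resolved relative to `chroot`, which matters now that `pid = /var/run/stunnel4/stunnel.pid` is active while `chroot = /var/run/stunnel/` stays commented one line above; whoever later enables the chroot will need that directory inside the jail, and the packaged init script's killdaemons already builds the path as `$CHROOT/$PIDFILE`. Suggest keeping the comment directly above the `pid =` line, e.g. `# PID is created inside the chroot jail (if chroot is enabled above)`.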
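Review bot: Uncommenting `client = yes` in the global section switches every service in the installed /etc/stunnel/stunnel.conf into client mode, which is not among the three items the 2:4.050-3 changelog entry lists for this change (log file, user/group, pid file) and reverses the earlier decision recorded in the 4.04-5 entry to leave the file fully commented because `client = no` is the default. Unless client mode is meant to be the packaged default, keep it as `#client = yes`. `debug = 7` likewise turns on the most verbose level unconditionally for a log that postinst creates under root's umask; a lower level such as `debug = 5`, or leaving the line commented, is the safer shipped default.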
@@ -0,0 +1,8 @@
+# /etc/default/stunnel
+# Julien LEMOINE
+# September 2003
+
+# Change to one to enable stunnel
+ENABLED=0
+FILES="/etc/stunnel/*.conf"
+OPTIONS=""
--- stunnel4-4.050.orig/debian/rules
+++ stunnel4-4.050/debian/rules
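Review bot: The header comment names `/etc/default/stunnel`, but the init script in this same upload sources `/etc/default/stunnel4`, and README.Debian tells users to edit `/etc/default/stunnel` and set `ENABLE=1` while the variable defined here is `ENABLED`; path and variable name should agree across the three files. Suggest `# /etc/default/stunnel4` for the header and a matching correction in the README text. Since the ENABLE/ENABLED confusion already produced a bug fixed in 4.04-5, a comment such as `# Set to 1 to enable stunnel (the init script checks ENABLED, not ENABLE)` is worth adding.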
@@ -0,0 +1,85 @@ +#!/usr/bin/make -f +# -*- makefile -*- +# debian/rules file for the Debian/GNU Linux stunnel package +# Copyright 2003 by Julien LEMOINE + +DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) +DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) +PROXY_CONNECT = debian/connect-proxy_dunbar.patch +CFLAGS = -Wall -g +ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) + CFLAGS += -O0 +else + CFLAGS += -O2 +endif + +build: build-stamp +build-stamp: + dh_testdir + cat $(PROXY_CONNECT) | patch -p1 + touch patched + CFLAGS="$(CFLAGS)" ./configure --prefix=/usr \ + --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) \ + --localstatedir=/var --enable-ssllib-cs \ + --with-cert-dir=/etc/ssl/certs --with-pem-dir=/etc/ssl/certs + cd src; $(MAKE) + cd doc; $(MAKE) + touch build-stamp + +clean: + dh_testdir + dh_testroot + if test -f patched; then cat $(PROXY_CONNECT) | patch -p1 -R; fi + rm -rf build-stamp config.cache stunnel.rnd src/stunnel.exe \ + doc/stunnel4.8 config.log config.status src/stunnel src/.libs \ + src/*.o src/*.lo src/*.la src/Makefile doc/Makefile \ + tools/Makefile tools/stunnel.conf-sample tools/stunnel.init \ + Makefile libtool patched + -$(MAKE) clean + -$(MAKE) distclean + dh_clean + +install: + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + cd src; $(MAKE) install prefix=$(CURDIR)/debian/stunnel4/usr + cd doc; $(MAKE) install prefix=$(CURDIR)/debian/stunnel4/usr + install -p -m 0644 tools/stunnel.conf-sample \ + $(CURDIR)/debian/stunnel4/etc/stunnel/stunnel.conf + rm -rf $(CURDIR)/debian/stunnel4/man + rm -rf $(CURDIR)/debian/stunnel4/usr/man + cp doc/stunnel.8 doc/stunnel4.8 + mv $(CURDIR)/debian/stunnel4/usr/sbin/stunnel \ + $(CURDIR)/debian/stunnel4/usr/sbin/stunnel4 + mv $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel/* \ + $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4 + rm -rf $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel + +binary-indep: build install + +binary-arch: build 
install + dh_testdir + dh_testroot + dh_installdocs + dh_installexamples tools/ca.html tools/ca.pl tools/importCA.html\ + tools/importCA.sh tools/stunnel.cnf tools/stunnel.conf-sample \ + tools/stunnel.init + dh_installman doc/stunnel4.8 + dh_installchangelogs + dh_installinit -- defaults + dh_installppp --name=0stunnel4 + dh_installlogrotate + dh_link + dh_strip + dh_compress + dh_fixperms + dh_installdeb + dh_shlibdeps + dh_gencontrol + dh_md5sums + dh_builddeb + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install --- stunnel4-4.050.orig/debian/changelog +++ stunnel4-4.050/debian/changelog 
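Review bot: In the build-stamp recipe `cat $(PROXY_CONNECT) | patch -p1` runs unconditionally, so if `patched` exists but `build-stamp` does not (an interrupted earlier build, or a stamp removed by hand) the patch is applied a second time and patch is left to guess at already-applied hunks; guarding on the stamp makes the recipe idempotent: `test -f patched || patch -p1 < $(PROXY_CONNECT)` followed by the existing `touch patched`. The clean target already keys its `patch -p1 -R` on the same stamp, so this only aligns the two directions. The `cat ... |` pipe is unnecessary either way; a redirect suffices.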
@@ -0,0 +1,324 @@ +stunnel4 (2:4.050-4) unstable; urgency=low + + * Restart connection instead of stop when ppp is down. It is possible to + use stunnel for eth interfaces. (Closes: 271006) + + -- Julien Lemoine Sun, 26 Sep 2004 18:12:36 +0200 + +stunnel4 (2:4.050-3) unstable; urgency=low + + * Added proxy-connect patch (Closes: #267533) + * Create directory /var/log/stunnel in postinst (Closes: #267093) + * Create user and group stunnel4 (Closes: #266339) + * Uncomment some line in default configuration file : + o Use /var/log/stunnel4/stunnel.log as default log file + o Use stunnel4 user and group as default + o Use /var/run/stunnel4/stunnel.pid as default pid file + + -- Julien Lemoine Wed, 1 Sep 2004 22:19:28 +0200 + +stunnel4 (2:4.050-2) unstable; urgency=low + + * Fixed stoping problem in init.d script (Closes: #265449) + Thanks to Wilfried Goesgens + * Added stunnel4 in logrotate (Closes: #265437) + Thanks to Wilfried Goesgens + + -- Julien Lemoine Fri, 13 Aug 2004 21:42:23 +0200 + +stunnel4 (2:4.050-1) unstable; urgency=low + + * By default, store pidfile in /var/run/stunnel4/stunnel.pid with + /var/run/stunnel4 owned by nobody:nogroup + * Oops, stunnel4 was a debian native package + + -- Julien Lemoine Mon, 7 Jun 2004 21:23:37 +0200 + +stunnel4 (2:4.05-1) unstable; urgency=low + + * New upstream release + + -- Julien Lemoine Wed, 7 Apr 2004 22:08:42 +0200 + +stunnel4 (2:4.04.0-10) unstable; urgency=low + + * Shut down stunnel4 in postinst (Closes: #234498) + + -- Julien Lemoine Tue, 24 Feb 2004 21:50:03 +0100 + +stunnel4 (2:4.04.0-9) unstable; urgency=low + + * Added configuration script from "Sergio Rua" + + -- Julien Lemoine Sun, 22 Feb 2004 23:26:38 +0100 + +stunnel4 (2:4.04.0-8) unstable; urgency=low + + * Added ppp ip-up and ip-down scripts + (Closes: #227678) + + -- Julien Lemoine Sun, 22 Feb 2004 22:52:31 +0100 + +stunnel4 (2:4.04.0-7) unstable; urgency=low + + * Fix problem in init.d script (was not sh compatible) + (Closes: #214818, #214823) + + 
-- Julien Lemoine Fri, 10 Oct 2003 00:47:57 +0200 + +stunnel4 (2:4.04.0-6) unstable; urgency=low + + * Rewrite of /etc/init.d/stunnel4 : + o does not use kill -9, thus giving a chance to stunnel4 to clean up + puts common code in functions + o avoids calling ps twice + o uses fgrep + o does not print the conf file name if no processes exist for it + o corrects the `stoped' typo + Thanks to Francesco Potorti` (Closes: #214562) + + -- Julien LEMOINE Tue, 7 Oct 2003 16:37:12 +0200 + +stunnel4 (2:4.04.0-5) unstable; urgency=low + + * /etc/init.d/stunnel4 can load more than one configuration file. + It loads /etc/stunnel/*.conf. You can have a configuration file for + server mode and one for client mode. (Closes: #211870) + + -- Julien LEMOINE Thu, 25 Sep 2003 18:05:01 +0200 + +stunnel4 (2:4.04.0-4) unstable; urgency=low + + * Put stunnel.html in /usr/share/doc/stunnel4/ instead of + /usr/share/doc/stunnel + * Updated to Standards-Version 3.6.1 + + -- Julien LEMOINE Thu, 4 Sep 2003 13:39:51 +0200 + +stunnel4 (2:4.04.0-3) unstable; urgency=low + + * Fixed wrong path search for stunnel.conf + (Closes: Bug#202931) + + -- Julien LEMOINE Sat, 26 Jul 2003 11:00:46 +0200 + +stunnel4 (2:4.04.0-2) unstable; urgency=low + + * Fixed stunnel.conf problems, file must be commented by default. 
+ (Closes: #202693) + + -- Julien LEMOINE Fri, 25 Jul 2003 11:38:47 +0200 + +stunnel4 (2:4.04.0-1) unstable; urgency=low + + * Oops, stunnel4 is not a native package -> reupload it with a diff.gz + * Does not install stunnel.so since it is not used + * Updated clean rules to have a clean diff + * Updated to Standards-Version 3.6.0 + + -- Julien LEMOINE Sat, 19 Jul 2003 20:12:51 +0200 + +stunnel4 (2:4.04-2) unstable; urgency=low + + * Fixed compilation errors (removed binary in clean rule) + * removed libstunnel.so since it is not used + + -- Julien LEMOINE Sun, 13 Jul 2003 02:45:05 +0200 + +stunnel4 (2:4.04-1) unstable; urgency=low + + * Stunnel versions 4.x are now in stunnel4 package and stunnel versions 3.x + are in stunnel package to keep backward compatibility. + + -- Julien LEMOINE Fri, 4 Jul 2003 18:24:21 +0200 + +stunnel (4.04-5) unstable; urgency=low + + * The "I need to sleep more to avoid making typos" release. + * Fixed typos in default/init file (ENABLED instead of ENABLE) + (Closes: #197958) + * Commented all stunnel.conf file, client=no is the default value + (Closes: #197961) + + -- Julien LEMOINE Thu, 19 Jun 2003 00:40:28 +0200 + +stunnel (4.04-4) unstable; urgency=low + + * Added /etc/default/stunnel with a variable ENABLE. 
+ ENABLE=0 by default since stunnel segv on some computer when all lines + are commented (Closes: #197663, #197615) + + -- Julien LEMOINE Mon, 16 Jun 2003 22:04:17 +0200 + +stunnel (4.04-3) unstable; urgency=low + + * comment ldap sample (Closes: #197566) + + -- Julien LEMOINE Mon, 9 Jun 2003 15:03:41 +0200 + +stunnel (4.04-2) unstable; urgency=low + + * Fixed typo in init.d script (Closes: #197499) + * Added a commented example in stunnel.conf from Craig Sanders + + -- Julien LEMOINE Sun, 15 Jun 2003 18:06:07 +0200 + +stunnel (4.04-1) unstable; urgency=low + + * New upstream release (Closes: #177532, Closes: 188137) + * New maintainer + * Stunnel has no more -L option (Closes: #120265) + * Stunnel has no more -l option (Closes: #175844) + * Shutdown(1) problem was fixed (Closes: #111125) + * Problem with large data resolved (tested with a 5Mo file) + (Closes: #112287) + * Licence is now GPL version 2 with agreement to link with openssl + (Closes: #147665) + * stunnel can execute command (Closes: #147537) + * added a lintian overwrite for libstunnel.so since it is compiled with + -avoid-version + * Fixed problem with path (/etc/ instead of $(prefix)/etc, ...) + * Include default configuration file in /etc + * Upgraded to debian policy 3.5.10 + * Added init.d file + + -- Julien LEMOINE Sat, 24 May 2003 02:30:20 +0200 + +stunnel (3.22-1) unstable; urgency=high + + * New upstream release (closes: bug#126627). + * Typo fix in postinst (closes: bug#120199, bug#121904) + + -- Paolo Molaro Sun, 30 Dec 2001 10:31:46 +0100 + +stunnel (3.21.c-1) unstable; urgency=low + + * New upstream release (Closes: bug#111139, bug#102834, bug#61427). + * Avoid generating automatically the initial stunnel.pem, openssl cannot be + reliably used in a non-interactive way (Closes: bug#60776, bug#98445). Info + on how to generate the certificate is now included in README.Debian. + * There is support for (re)setting OOB data handling in the new upstream + version (Closes: bug#107503). 
+ * Include the sample /etc/iniy.d/stunnel file as an example in the package + (Closes: bug#114669). + + -- Paolo Molaro Sat, 17 Nov 2001 12:31:04 +0100 + +stunnel (3.14-1) unstable; urgency=low + + * New upstream release + * Actually compile it against the new libssl (Closes: #86916). + + -- Paolo Molaro Fri, 23 Feb 2001 18:57:18 +0100 + +stunnel (3.13-1) unstable; urgency=low + + * New upstream release. + * Recompile with and depend on libssl096 (Closes: #85000, #86385, #83857, #82500). + * Already fixed in previous aborted upload (Closes: #82105, #77227, #80079, #76576). + + -- Paolo Molaro Sun, 18 Feb 2001 21:30:50 +0100 + +stunnel (3.10-1) unstable; urgency=high + + * New upstream release. + + -- Paolo Molaro Wed, 20 Dec 2000 15:14:08 +0100 + +stunnel (3.10-0potato1) stable; urgency=high + + * New upstream release. + + -- Paolo Molaro Wed, 20 Dec 2000 13:07:35 +0100 + +stunnel (3.9-0potato1) stable; urgency=high + + * New upstream release: security fix (Closes: #80079, #76576). + * Use correct dir for pid (Closes: #77227). + + -- Paolo Molaro Wed, 20 Dec 2000 11:24:18 +0100 + +stunnel (3.8-1) unstable; urgency=low + + * New upstream version (Closes: #75117, #67010). + * Read 1k of random data in a temp file (Closes: #69808). + * Added a note in postrm about the stunnel.pem file that + is left in /etc/ssl/certs: it is safer if the user deals with + it since it may have been create by him and not stunnel (Closes: #57648). + + -- Paolo Molaro Wed, 5 Jul 2000 16:43:07 +0000 + +stunnel (3.4a-6) unstable; urgency=low + + * Depends on openssl 0.9.4 (closes: bug#53947). + + -- Paolo Molaro Tue, 4 Jan 2000 12:37:24 +0100 + +stunnel (3.4a-5) unstable; urgency=medium + + * Include upstream download info in copyright (closes: bug#53301). + * Include example from Steve Haslam to make stunnel run from a + init script (closes: bug#53300). 
+ + -- Paolo Molaro Thu, 23 Dec 1999 16:49:38 +0100 + +stunnel (3.4a-4) unstable; urgency=medium + + * Depends on openssl instead of Suggests (Closes: bug#49238). + + -- Paolo Molaro Sat, 13 Nov 1999 12:44:35 +0100 + +stunnel (3.4a-3) unstable; urgency=high + + * Fixes security problem with the certificate. + + -- Paolo Molaro Thu, 4 Nov 1999 17:33:52 +0100 + +stunnel (3.4a-2) unstable; urgency=low + + * Suggest openssl instead of ssleay. (Closes: bug#47712) + + -- Paolo Molaro Wed, 27 Oct 1999 18:24:27 +0200 + +stunnel (3.4a-1) unstable; urgency=low + + * New upstream release. + * Put cert in /etc/ssl/certs (closes:#41099). I think this is + neither an openssl nor stunnel bug, but a dpkg one (other + similar bugs are already filed against dpkg). + + -- Paolo Molaro Thu, 22 Jul 1999 16:50:32 +0200 + +stunnel (3.3-1) unstable; urgency=low + + * New upstream release. + + -- Paolo Molaro Fri, 18 Jun 1999 16:43:05 +0200 + +stunnel (3.2-2) unstable; urgency=low + + * Fixed stupid coding error. + + -- Paolo Molaro Sat, 29 May 1999 13:01:17 +0200 + +stunnel (3.2-1) unstable; urgency=low + + * Recompilation with new ssl lib. + * New upstream release. + + -- Paolo Molaro Mon, 24 May 1999 12:09:58 +0200 + +stunnel (2.1-2) unstable; urgency=low + + * Added libwrap support (/etc/hosts.{allow,deny}). + * Recompilation with newer libc6. + * Better stunnel-config script. + + -- Paolo Molaro Fri, 11 Dec 1998 11:57:52 +0100 + +stunnel (2.1-1) unstable; urgency=low + + * Initial release. + + -- Paolo Molaro Mon, 30 Nov 1998 11:41:29 +0100 + --- stunnel4-4.050.orig/debian/compat +++ stunnel4-4.050/debian/compat @@ -0,0 +1 @@ +4 --- stunnel4-4.050.orig/debian/README.Debian +++ stunnel4-4.050/debian/README.Debian 
@@ -0,0 +1,51 @@ +stunnel4 package for Debian. + +"Sergio Rua" made a perl front-end for the stunnel +configuration. It is very simple and only includes a couple of configuration +options. This script is located in : +/usr/share/doc/stunnel4/StunnelConf-0.1.pl +Requirements are libgnome2-perl and libgtk2-perl. + +After installation, you should : + - edit /etc/default/stunnel and set ENABLE=1 + - edit /etc/stunnel/stunnel.conf + - generate a certificate for use with stunnel if you want to use server mode : + +The certificates default directory is /etc/ssl/certs, so cd into that dir +and issue the command: + +openssl req -new -x509 -nodes -days 365 -out stunnel.pem -keyout stunnel.pem + +Fill in the info requested. Note: change 'stunnel.pem' to the name of the +certificate you need to create: stunnel.pem will be used by default by stunnel, +but you want to create different certificates for different services you run +with stunnel. +Make sure only root can read the file (or only the user that needs to read it, +if stunnel is run as that user): + +chmod 600 stunnel.pem + +Now you need to append the DH parameters to the certificate. +First you need to generate some amount of random data: + +dd if=/dev/urandom of=temp_file count=2 + +Use /dev/random if you want a more secure source of data, but make sure you have +enough entropy on you system (the output file should be at least 512 bytes long). + +And now make openssl generate the DH parameters and append them to the certificate file: + +openssl dhparam -rand temp_file 512 >> stunnel.pem + +You also want to link the certificate to its hash name so that openssl +can find it also by that means: + +ln -sf stunnel.pem `openssl x509 -noout -hash < stunnel.pem`.0 + +Read the manual page for openssl for more info on the various options. + +Julien LEMOINE +speedblue@debian.org + + + -- Julien Lemoine , Sun Feb 22 23:29:26 2004 --- stunnel4-4.050.orig/debian/postrm +++ stunnel4-4.050/debian/postrm 
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+if [ x$1 = "xpurge" ]; then
+ echo You may want to delete the generated stunnel.pem file
+ echo in /etc/ssl/certs.
+fi
+
+#DEBHELPER#
--- stunnel4-4.050.orig/debian/copyright
+++ stunnel4-4.050/debian/copyright
@@ -0,0 +1,22 @@
+This package was dowloaded from http://www.stunnel.org/
+and debianized by Paolo Molaro .
+
+It was downloaded from http://www.stunnel.org/download/source.html
+
+Upstream author: Michal Trojnara
+
+Copyright:
+You are free to distribute this software under the terms of
+the GNU General Public License.
+On Debian systems, the complete text of the GNU General Public
+License can be found in /usr/share/common-licenses/GPL file.
+
+In addition, as a special exception, Michal Trojnara gives
+permission to link the code of this program with the OpenSSL
+library (or with modified versions of OpenSSL that use the same
+license as OpenSSL), and distribute linked combinations including
+the two. You must obey the GNU General Public License in all
+respects for all of the code used other than OpenSSL. If you modify
+this file, you may extend this exception to your version of the
+file, but you are not obligated to do so. If you do not wish to
+do so, delete this exception statement from your version.
--- stunnel4-4.050.orig/debian/stunnel4.init
+++ stunnel4-4.050/debian/stunnel4.init
@@ -0,0 +1,86 @@
+#! /bin/sh
+#
+# stunnel init.d file
+#
+# Based on the skeleton init.d file
+# written by Miquel van Smoorenburg .
+# Modified for Debian GNU/Linux
+# by Julien LEMOINE .
+#
+
+DAEMON=/usr/sbin/stunnel4
+NAME=stunnel
+DESC="SSL tunnels"
+FILES="/etc/stunnel/*.conf"
+OPTIONS=""
+ENABLED=0
+
+startdaemons() {
+ for file in $FILES; do
+ if test -f $file; then
+ ARGS="$file $OPTIONS"
+ $DAEMON $ARGS
+ echo -n "[started: $file] "
+ fi
+ done;
+}
+
+killdaemons()
+{
+ for file in $FILES; do
+ if test -f $file; then
+ CHROOT=`grep "^chroot" $file|sed "s;.*= *;;"`
+ PIDFILE=`grep "^pid" $file|sed "s;.*= *;;"`
+ if [ "$PIDFILE" = "" ]; then
+ PIDFILE=/var/run/stunnel4/stunnel.pid
+ fi
+ if test -f $CHROOT/$PIDFILE; then
+ PROCLIST=`cat $CHROOT/$PIDFILE`
+ if [ "$PROCLIST" ]; then
+ kill $PROCLIST
+ echo -n "[stopped: $file] "
+ fi
+ fi
+ fi
+ done
+}
+
+if [ "x$OPTIONS" != "x" ]; then
+ OPTIONS="-- $OPTIONS"
+fi
+
+test -f /etc/default/stunnel4 && . /etc/default/stunnel4
+test "$ENABLED" != "0" || exit 0
+
+test -x $DAEMON || exit 0
+
+set -e
+
+case "$1" in
+ start)
+ echo -n "Starting $DESC: "
+ startdaemons
+ echo "$NAME."
+ ;;
+ stop)
+ echo -n "Stopping $DESC: "
+ killdaemons
+ echo "$NAME."
+ ;;
+#force-reload does not send a SIGHUP, since SIGHUP is interpreted as a
+#quit signal by stunnel. I reported this problem to upstream authors.
+ force-reload|restart)
+ echo -n "Restarting $DESC: "
+ killdaemons
+ sleep 5
+ startdaemons
+ echo "$NAME."
+ ;;
+ *)
+ N=/etc/init.d/$NAME
+ echo "Usage: $N {start|stop|force-reload|restart}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
--- stunnel4-4.050.orig/debian/doc-base
+++ stunnel4-4.050/debian/doc-base
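Review bot: killdaemons runs `kill $PROCLIST` as root on whatever PIDs it reads from `$CHROOT/$PIDFILE`, and the postinst in this upload chowns /var/run/stunnel4 to the unprivileged stunnel4 user, so a compromised or misbehaving daemon can write arbitrary PIDs into that file and have root signal them on the next stop or restart. Prefer `start-stop-daemon --stop --oknodo --pidfile "$CHROOT/$PIDFILE" --user stunnel4 --name stunnel4`, which only signals a process actually owned by that user and carrying that name, or at least verify that the file holds only digits and that each PID belongs to stunnel4 before signalling. Separately, `set -e` is enabled before the case statement, so a stale pid file makes the first failing `kill` abort the whole run and `restart` never reaches startdaemons; a tolerant stop (`kill $PROCLIST || true`, or the `--oknodo` form above) avoids that.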
@@ -0,0 +1,13 @@
+Document: stunnel4
+Title: Stunnel documentation
+Author: Michal Trojnara
+Abstract: This manual documents stunnel, a SSL-enhanced client and
+ server wrapper.
+Section: Apps/Net
+
+Format: HTML
+Index: /usr/share/doc/stunnel4/stunnel.html
+Files: /usr/share/doc/stunnel4/stunnel.html
+
+Format: text
+Files: /usr/share/doc/stunnel4/transproxy.txt
--- stunnel4-4.050.orig/debian/stunnel4.0stunnel4.ppp.ip-down
+++ stunnel4-4.050/debian/stunnel4.0stunnel4.ppp.ip-down
@@ -0,0 +1,5 @@
+#!/bin/sh
+# if this script gets called, we assume that the machine has lost
+# IPv4 connectivity -> restart stunnel (do not stop it, it is possible
+# to have a eth connection)
+/etc/init.d/stunnel4 restart
--- stunnel4-4.050.orig/debian/stunnel4.0stunnel4.ppp.ip-up
+++ stunnel4-4.050/debian/stunnel4.0stunnel4.ppp.ip-up
@@ -0,0 +1,2 @@
+#!/bin/sh
+/etc/init.d/stunnel4 restart
--- stunnel4-4.050.orig/debian/StunnelConf-0.1.pl
+++ stunnel4-4.050/debian/StunnelConf-0.1.pl
@@ -0,0 +1,477 @@ +#!/usr/bin/perl + +# Copyright (C) 2004 Sergio Rua + +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA +# 02111-1307, USA. +# +# On Debian GNU/Linux systems, the complete text of the GNU General +# Public License can be found in `/usr/share/common-licenses/GPL'. + +use strict; +use Gtk2; +use Gnome2; +use Gtk2::SimpleList; + +use constant TRUE => 1; +use constant FALSE => 0; +# Please configure if necessary! +my $cfgfile = "/etc/stunnel/stunnel.conf"; +my $backup_cfg = 1; +my $base_cfg_dir = $cfgfile;$base_cfg_dir=~s/\/stunnel\.conf//g; + +# global variables +my $ekey; +my $ecert; +my $verify; +my $app; +my $elog; +my $clientmode; +my $debuglevel; +my $capath; +my $list; + + +sub mydie +{ + my ($msg)=@_; + + print "$msg\n"; + Gtk2->main_quit; + exit (-1); +} + + +sub sel_file +{ + my ($title,$entry,$isfile)=@_; + + my $fsel=Gtk2::FileSelection->new($title); + $fsel->ok_button->signal_connect("clicked",sub { + print "OK: ". 
$fsel->get_filename."\n"; + $entry->set_text($fsel->get_filename); + $fsel->destroy; + }); + $fsel->cancel_button->signal_connect("clicked",sub { $fsel->destroy; }); + + $fsel->show; +} + +sub add_connection +{ + my $win = new Gtk2::Window("toplevel"); + $win->set_position("center"); + + my $vbox = new Gtk2::VBox( 0, 2 ); + $win->add($vbox); + $vbox->show; + my $druid = new Gnome2::Druid; + $druid->signal_connect("cancel", sub { $win->destroy; } ); + $vbox->pack_start($druid,0,0,0); + my $druid_start = new Gnome2::DruidPageEdge("GNOME_EDGE_START"); + $druid_start->set_title("Connections setup"); + $druid_start->set_text("Please follow this configuration wizard to ". + "configure your connections\n"); +# $druid_start->set_watermark($logo); + $druid_start->show; + $druid->append_page($druid_start); + +# Second Step: accepting connections + my $druid_name = new Gnome2::DruidPageStandard(); + $druid_name->set_title("Connection name"); + my $dvbox=new Gtk2::VBox(2,2); + my $dtable=new Gtk2::Table(2,2,FALSE); + $dvbox->pack_start($dtable,FALSE,FALSE,0); + + my $label=new Gtk2::Label("Enter this connection name"); + $dtable->attach($label,0,1,0,1,["fill"],["fill"],0,0); + my $ename=new Gtk2::Entry(); + $dtable->attach($ename,1,2,0,1,["fill"],["fill"],0,0); + $druid_name->append_item("",$dvbox,""); + $druid_name->show_all; + # add page to the druid + $druid->append_page($druid_name); + + +# Second Step: accepting connections + my $druid_accept = new Gnome2::DruidPageStandard(); + $druid_accept->set_title("Accepting connections"); + my $dvbox=new Gtk2::VBox(2,2); + my $dtable=new Gtk2::Table(2,2,FALSE); + $dvbox->pack_start($dtable,FALSE,FALSE,0); + + my $accept_error=new Gtk2::Label(""); + $dtable->attach($accept_error,0,1,0,1,["fill"],["fill"],0,0); + my $label=new Gtk2::Label("IP or hostname"); + $dtable->attach($label,0,1,1,2,["fill"],["fill"],0,0); + my $eip=new Gtk2::Entry(); + $dtable->attach($eip,1,2,1,2,["fill"],["fill"],0,0); + + my $label=new Gtk2::Label("Port 
number"); + $dtable->attach($label,0,1,2,3,["fill"],["fill"],0,0); + my $eport=new Gtk2::Entry(); + $dtable->attach($eport,1,2,2,3,["fill"],["fill"],0,0); + + $druid_accept->append_item("",$dvbox,""); + $druid_accept->show_all; + # add page to the druid + $druid->append_page($druid_accept); + +# Third Step: connecting to... + my $druid_connect = new Gnome2::DruidPageStandard(); + $druid_connect->set_title("Connection To..."); + my $dvbox=new Gtk2::VBox(2,2); + my $dtable=new Gtk2::Table(2,2,FALSE); + $dvbox->pack_start($dtable,FALSE,FALSE,0); + + my $label=new Gtk2::Label("IP or hostname"); + $dtable->attach($label,0,1,0,1,["fill"],["fill"],0,0); + my $etoip=new Gtk2::Entry(); + $dtable->attach($etoip,1,2,0,1,["fill"],["fill"],0,0); + + my $label=new Gtk2::Label("Port number"); + $dtable->attach($label,0,1,1,2,["fill"],["fill"],0,0); + my $etoport=new Gtk2::Entry(); + $dtable->attach($etoport,1,2,1,2,["fill"],["fill"],0,0); + + $druid_connect->append_item("",$dvbox,""); + $druid_connect->show_all; + # add page to the druid + $druid->append_page($druid_connect); + + +# Finishing and adding connection + my $druid_finish = new Gnome2::DruidPageEdge("GNOME_EDGE_FINISH"); + $druid_finish->set_title("Configuration Finished."); + $druid_finish->set_text("The configuration has been finished. Click to either save or cancel"); +# $druid_finish->set_logo($logo2); + $druid_finish->signal_connect("finish", sub { + my $acip=$eip->get_text(); + my $acport=$eport->get_text(); + my $coip=$etoip->get_text(); + my $coport=$etoport->get_text(); + + my $dslist = $list->{data}; + push @$dslist, [ $ename->get_text(), $acip.":".$acport, $coip.":".$coport ]; + + + $win->destroy; + }); + $druid_finish->show; + $druid->append_page($druid_finish); + $druid->show; + $win->show; +} + +sub load_config_file +{ + my $con=$list->{data}; + my $name=""; + my $accept=""; + my $connect=""; + + if (! -s $cfgfile) { + print "Config file not found. 
Starting from scratch!\n"; + return (0); + } + + open F, "<$cfgfile" or die "$cfgfile: $!\n"; + + while () { + $_=~s/\n//g; + if ($_=~/^cert.*=.*/) { + (undef,my $value) = split "=",$_; + $value=~s/(\ |\t)//g; + $ecert->set_text($value); + } elsif ($_=~/^key.*=.*/) { + (undef,my $value) = split "=",$_; + $value=~s/(\ |\t)//g; + $ekey->set_text($value); + } elsif ($_=~/^verify.*=.*/) { + (undef,my $value) = split "=",$_; + $value=~s/(\ |\t)//g; + if ($value==1) { + $verify->entry->set_text("verify peer certificate if present"); + } elsif ($value==2) { + $verify->entry->set_text("verify peer certificate"); + } elsif ($value==3) { + $verify->entry->set_text("verify peer with locally installed certificate"); + } else { + $verify->entry->set_text("no verify"); + } + } elsif ($_=~/^client.*=.*/) { + (undef,my $value) = split "=",$_; + $value=~s/(\ |\t)//g; + $clientmode->entry->set_text($value); + } elsif ($_=~/^(capath|CApath).*=.*/) { + (undef,my $value) = split "=",$_; + $value=~s/(\ |\t)//g; + $capath->set_text($value); + } elsif ($_=~/^debug.*=.*/) { + (undef,my $value) = split "=",$_; + $value=~s/(\ |\t)//g; + $debuglevel->entry->set_text($value); + } elsif ($_=~/^output.*=.*/) { + (undef,my $value) = split "=",$_; + $value=~s/(\ |\t)//g; + $elog->set_text($value); + } elsif ($_=~/^\[.*/) { + $_=~s/\[//g; + $_=~s/\]//g; + $name=$_; + } elsif ($_=~/^accept.*=.*/) { + (undef,$accept) = split "=",$_; + $accept=~s/(\ |\t)//g; + } elsif ($_=~/^connect.*=.*/) { + (undef,$connect) = split "=",$_; + $connect=~s/(\ |\t)//g; + } + + # load connection + if (($accept) && ($name) && ($connect)) { + push @$con, [ $name, $accept, $connect ]; + $name=$connect=$accept=""; + } + } + close F; + +} + +sub save_config_file +{ + if ($backup_cfg) { + chdir ($base_cfg_dir); + rename($cfgfile,$cfgfile.".$$") or + print "Error at \n$cfgfile: $!\nNo backup made!\n"; + } + open O, ">$cfgfile" or + mydie "Cannot open config file: $!\n"; + + print "Saving $cfgfile\n\n\n"; + print O "# 
Configuration file created by \"stunnelconf\" by ". + "Sergio Rua \n\n"; + if ($ekey->get_text()) { + print O "key = ".$ekey->get_text()."\n"; + } + if ($ecert->get_text()) { + print O "cert = ".$ecert->get_text()."\n"; + } + print O "verify = ".$verify->entry->get_text()."\n"; + print O "output = ".$elog->get_text()."\n"; + print O "client = ".$clientmode->entry->get_text()."\n"; + print O "debug = ".$debuglevel->entry->get_text()."\n"; + print O "CApath = ".$capath->get_text()."\n"; + print O "\n\n"; # just some spaces + + my @rowref = @{$list->{data}}; + my $i=0; + + for $i (0 .. $#rowref) { + print O "[".$rowref[$i][0] . "]\n"; + # if no hostname, ugly ":" to be removed + $rowref[$i][1]=~s/^://g; + $rowref[$i][2]=~s/^://g; + print O "accept = ".$rowref[$i][1] . "\n"; + print O "connect = ".$rowref[$i][2] . "\n"; + print O "\n"; # just some spaces + } + + close O; + Gtk2->main_quit; + return 0; +} + + +sub create_main_win +{ + $app = Gnome2::App->new ("stunnel-conf"); + $app->set_default_size(470,410); + $app->signal_connect( 'destroy' => sub { Gtk2->main_quit; } ); + $app->set_title("Stunnel Configuration"); + + my $vbox=Gtk2::VBox->new(FALSE,0); + my $frame=Gtk2::Frame->new("Common options"); + $vbox->pack_start($frame,TRUE, TRUE, 0); + + my $table=Gtk2::Table->new(6, 2, FALSE); + $frame->add($table); + + my $label0=Gtk2::Label->new("Private Key"); + $table->attach($label0,0,1,0,1,["fill"],["fill"],0,0); + my $label1=Gtk2::Label->new("Certificate"); + $table->attach($label1,0,1,1,2,["fill"],["fill"],0,0); + my $label2=Gtk2::Label->new("Verify level"); + $table->attach($label2,0,1,2,3,["fill"],["fill"],0,0); + my $label3=Gtk2::Label->new("Log output"); + $table->attach($label3,0,1,3,4,["fill"],["fill"],0,0); + my $label4=Gtk2::Label->new("Client mode"); + $table->attach($label4,0,1,4,5,["fill"],["fill"],0,0); + my $label5=Gtk2::Label->new("Debug level"); + $table->attach($label5,0,1,5,6,["fill"],["fill"],0,0); + my $label6=Gtk2::Label->new("Certificates path"); 
+ $table->attach($label6,0,1,6,7,["fill"],["fill"],0,0); + + # Private Key + my $hbox0=Gtk2::HBox->new(FALSE,0); + $table->attach($hbox0,1,2,0,1,["fill"],["fill"],0,0); + + $ekey=Gtk2::Entry->new(); + $hbox0->pack_start($ekey,TRUE,TRUE,0); + + my $bkey=Gtk2::Button->new_from_stock("gtk-open"); + $bkey->signal_connect("clicked",sub { + sel_file("Select private key",$ekey); + }); + $hbox0->pack_start($bkey,FALSE,FALSE,0); + + # Certificate + my $hbox1=Gtk2::HBox->new(FALSE,0); + $table->attach($hbox1,1,2,1,2,["fill"],["fill"],0,0); + + $ecert=Gtk2::Entry->new(); + $hbox1->pack_start($ecert,TRUE,TRUE,0); + + my $bcert=Gtk2::Button->new_from_stock("gtk-open"); + $bcert->signal_connect("clicked",sub { + sel_file("Select certificate",$ecert); + }); + $hbox1->pack_start($bcert,FALSE,FALSE,0); + + # Auth level - verify + $verify = Gtk2::Combo->new(); + $verify->entry->set_text("no verify"); + $verify->set_popdown_strings(("no verify", + "verify peer certificate if present", + "verify peer certificate", + "verify peer with locally installed certificate")); + $table->attach($verify,1,2,2,3,["fill"],["fill"],0,0); + + # Log output + my $hbox2=Gtk2::HBox->new(FALSE,0); + $table->attach($hbox2,1,2,3,4,["fill"],["fill"],0,0); + + $elog=Gtk2::Entry->new(); + $hbox2->pack_start($elog,TRUE,TRUE,0); + + my $blog=Gtk2::Button->new_from_stock("gtk-open"); + $blog->signal_connect("clicked",sub { + sel_file("Select log file",$elog); + }); + $hbox2->pack_start($blog,FALSE,FALSE,0); + + # Client mode + $clientmode = Gtk2::Combo->new(); + $clientmode->entry->set_text("no verify"); + $clientmode->set_popdown_strings(("yes","no")); + $table->attach($clientmode,1,2,4,5,["fill"],["fill"],0,0); + + # Debug level + $debuglevel = Gtk2::Combo->new(); + $debuglevel->entry->set_text("no verify"); + $debuglevel->set_popdown_strings(("0","1","5","7")); + $table->attach($debuglevel,1,2,5,6,["fill"],["fill"],0,0); + + # CA path + my $hbox3=Gtk2::HBox->new(FALSE,0); + 
$table->attach($hbox3,1,2,6,7,["fill"],["fill"],0,0); + + $capath=Gtk2::Entry->new(); + $hbox3->pack_start($capath,TRUE,TRUE,0); + +# my $bcapath=Gtk2::Button->new_from_stock("gtk-open"); +# $bcapath->signal_connect("clicked",sub { +# sel_file("Select Certificates Path",$capath); +# }); +# $hbox3->pack_start($bcapath,FALSE,FALSE,0); + + # connections section + my $frame2=Gtk2::Frame->new("Connections"); + $vbox->pack_start($frame2,TRUE, TRUE, 0); + + my $hbox4=Gtk2::HBox->new(FALSE,0); + $list=Gtk2::SimpleList->new ( + 'Name' => 'text', + 'Accept' => 'text', + 'Connect' => 'text', + ); +# $list->get_selection->set_mode ('multiple'); + my $scwin = Gtk2::ScrolledWindow->new; + $scwin->set_policy (qw/automatic automatic/); + $scwin->add($list); + + $hbox4->pack_start($scwin,TRUE,TRUE,0); + + # list buttons + my $vbbox=Gtk2::VButtonBox->new(); + $vbbox->set_layout('spread'); + my $badd = Gtk2::Button->new_from_stock('gtk-add'); + $badd->signal_connect( 'clicked' => sub { add_connection; } ); + $vbbox->add($badd); + + +# my $bedit = Gtk2::Button->new_from_stock('gtk-properties'); +# $bedit->signal_connect( 'clicked' => sub { +# print "Edit\n"; +# } ); +# $vbbox->add($bedit); + + + my $brem = Gtk2::Button->new_from_stock('gtk-remove'); + $brem->signal_connect( 'clicked' => sub { + my @sel = $list->get_selected_indices; + print @sel; + foreach my $i (@sel) { + delete $list->{data}[$i]; + } + } ); + $vbbox->add($brem); + + $hbox4->pack_start($vbbox,FALSE,FALSE,0); + + # main buttons!!! 
+ my $bbox=Gtk2::HButtonBox->new(); + $bbox->set_layout('spread'); + + my $bok = Gtk2::Button->new_from_stock('gtk-ok'); + $bok->signal_connect( 'clicked' => sub { save_config_file; } ); + $bbox->add($bok); + + my $bcancel = Gtk2::Button->new_from_stock('gtk-cancel'); + $bcancel->signal_connect( 'clicked' => sub { Gtk2->main_quit;} ); + $bbox->add($bcancel); + + $vbox->pack_start($bbox,FALSE,FALSE,0); + $frame2->add($hbox4); + + +# App contents and show them + $app->set_contents($vbox); + $app->show_all; +} + +# +# MAIN MAIN MAIN +# + + +# +Gnome2::Program->init ("stunnelconf", "0.1"); +$app=create_main_win; +load_config_file; + +Gtk2->main; + +exit 0; + --- stunnel4-4.050.orig/debian/postinst +++ stunnel4-4.050/debian/postinst 
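Review bot: save_config_file writes the combo's display label with `print O "verify = ".$verify->entry->get_text()."\n";`, so a saved file contains e.g. `verify = verify peer certificate` rather than the numeric level that load_config_file itself expects (it maps 1, 2 and 3 to those labels); stunnel will presumably not accept a level written that way, so the certificate checking the user selected in the GUI does not take effect. Map the label back before writing, e.g. `my %vlevel = ("no verify" => 0, "verify peer certificate if present" => 1, "verify peer certificate" => 2, "verify peer with locally installed certificate" => 3);` and `print O "verify = ".$vlevel{$verify->entry->get_text()}."\n";`. In create_main_win the client-mode and debug-level combos are also initialised with `set_text("no verify")`, apparently copied from the verify line, so a config created from scratch is saved with `client = no verify` and `debug = no verify`; those defaults should be `"no"` and one of the listed levels such as `"5"`.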
@@ -0,0 +1,61 @@
+#!/bin/sh
+
+set -e
+
+USER="stunnel4"
+CHOWN="/bin/chown"
+USERDEL="/usr/sbin/userdel"
+ADDUSER="/usr/sbin/adduser"
+ID="/usr/bin/id"
+GROUPMOD="/usr/sbin/groupmod"
+GROUPDEL="/usr/sbin/groupdel"
+
+if ! test -d /var/run/stunnel4; then
+ rm -rf /var/run/stunnel4;
+ mkdir /var/run/stunnel4
+fi
+
+###
+# 1. get current stunnel uid and gid if user exists.
+set -e
+if $ID $USER > /dev/null 2>&1; then
+ IUID=`$ID --user $USER`
+ IGID=`$ID --group $USER`
+else
+ IUID="NONE"
+ IGID="NONE"
+fi
+
+###
+# 2. Ensure that no standard account or group will remain before adding the
+# new user
+if [ "$IUID" != "NONE" ]; then # remove existing user
+ $USERDEL $USER
+fi
+
+if $GROUPMOD $USER > /dev/null 2>&1; then
+ $GROUPDEL $USER;
+fi
+
+$ADDUSER --system --disabled-password --disabled-login \
+ --home /var/run/stunnel4 \
+ --no-create-home --group $USER
+
+$CHOWN $USER:$USER /var/run/stunnel4 || /bin/true
+if ! test -d /var/log/stunnel4; then
+ rm -rf /var/log/stunnel4;
+ mkdir /var/log/stunnel4
+fi
+touch /var/log/stunnel4/stunnel.log
+$CHOWN -R $USER:$USER /var/log/stunnel4
+$CHOWN -R $USER:$USER /var/run/stunnel4
+
+if [ -x "/etc/init.d/stunnel4" ]; then
+ if [ -x /usr/sbin/invoke-rc.d ] ; then
+ invoke-rc.d stunnel4 stop
+ else
+ /etc/init.d/stunnel4 stop
+ fi
+fi
+
+#DEBHELPER#
--- stunnel4-4.050.orig/debian/stunnel4.logrotate
+++ stunnel4-4.050/debian/stunnel4.logrotate
@@ -0,0 +1,13 @@
+/var/log/stunnel4/*.log {
+ daily
+ missingok
+ rotate 356
+ compress
+ delaycompress
+ notifempty
+ create 640 root adm
+ sharedscripts
+ postrotate
+ /etc/init.d/stunnel4 restart > /dev/null
+ endscript
+}
--- stunnel4-4.050.orig/debian/connect-proxy_dunbar.patch
+++ stunnel4-4.050/debian/connect-proxy_dunbar.patch
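Review bot: The `$USERDEL $USER` / `$GROUPDEL $USER` block removes any pre-existing stunnel4 account on every install and upgrade before re-adding it, which can change the uid/gid underneath files the previous installation already chowned to that user and, under `set -e`, aborts the whole script if userdel refuses to remove an account that still owns running processes; the usual pattern is to create the account only when `$ID $USER` fails and otherwise leave it untouched. The existence test `$GROUPMOD $USER > /dev/null 2>&1` relies on groupmod's exit status when called with no modification options, where `getent group $USER > /dev/null` is the documented check. Further down, `$CHOWN -R $USER:$USER /var/log/stunnel4` hands the whole log directory to the unprivileged service user while the logrotate snippet in this same diff recreates rotated files as `640 root adm` and runs as root inside that directory; keeping the directory root-owned and chowning only `stunnel.log` to the service user avoids both the ownership mismatch and root acting in a service-writable directory.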
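Review bot: `rotate 356` keeps 356 daily generations, which reads like a typo for 365; with `daily` this value is the retention period, so it should be stated deliberately. `create 640 root adm` recreates the log as root:adm, but the postinst in this diff sets the log directory and file up for the stunnel4 service user, so whether the daemon can still append after the `postrotate` restart depends on whether stunnel opens its log before dropping privileges — if it does not, logging stops silently after the first rotation, and `create 640 stunnel4 adm` would be the consistent choice. Note also that the proxy patch in this diff logs proxy credentials at debug level, so the group-adm read access granted here is worth keeping in mind when choosing the `debug` level in the service config.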
@@ -0,0 +1,399 @@
+diff -urN stunnel-4.05.orig/src/client.c stunnel-4.05/src/client.c
+--- stunnel-4.05.orig/src/client.c 2004-02-10 19:17:54.000000000 +0000
++++ stunnel-4.05/src/client.c 2004-03-08 18:39:51.000000000 +0000
+@@ -74,6 +74,7 @@
+ #endif
+ static int connect_remote(CLI *c);
+ static void reset(int, char *);
++int connect_to_finaldest(CLI *c, int s);
+ 
+ int max_clients;
+ #ifndef USE_WIN32
+@@ -911,7 +912,8 @@
+ safe_ntoa(c->connecting_address, addr.sin_addr);
+ log(LOG_DEBUG, "%s connecting %s:%d", c->opt->servname,
+ c->connecting_address, ntohs(addr.sin_port));
+- if(!connect(s, (struct sockaddr *)&addr, sizeof(addr)))
++ if(!connect(s, (struct sockaddr *)&addr, sizeof(addr))
++ && !connect_to_finaldest(c, s))
+ return s; /* no error -> success */
+ error=get_last_socket_error();
+ switch(error) {
+@@ -936,7 +938,8 @@
+ }
+ 
+ /* try to connect for the 2nd time */
+- if(!connect(s, (struct sockaddr *)&addr, sizeof(addr)))
++ if(!connect(s, (struct sockaddr *)&addr, sizeof(addr))
++ && !connect_to_finaldest(c, s))
+ return s; /* no error -> success */
+ error=get_last_socket_error();
+ switch(error) {
+@@ -965,4 +968,245 @@
+ log_error(LOG_DEBUG, get_last_socket_error(), txt);
+ }
+ 
++/*
++ * Base 64 encoding algorithm from: Bob Deblier
++ * Modified by Daniel Savard to accept char *
++ */
++static const char* to_b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
++char* b64enc(const char* data) {
++ int div = strlen(data) / 3;
++ int rem = strlen(data) % 3;
++ int chars = div*4 + rem + 1;
++ char* string = (char*) malloc(chars + 1);
++
++ if (string) {
++ register char* buf = string;
++ chars = 0;
++ while (div > 0) {
++ buf[0] = to_b64[ (data[0] >> 2) & 0x3f];
++ buf[1] = to_b64[((data[0] << 4) & 0x30) + ((data[1] >> 4) & 0xf)];
++ buf[2] = to_b64[((data[1] << 2) & 0x3c) + ((data[2] >> 6) & 0x3)];
++ buf[3] = to_b64[ data[2] & 0x3f];
++ data += 3;
++ buf += 4;
++ div--;
++ chars += 4;
++ }
++
++ switch (rem) {
++ case 2:
++ 
buf[0] = to_b64[ (data[0] >> 2) & 0x3f];
++ buf[1] = to_b64[((data[0] << 4) & 0x30) + ((data[1] >> 4) & 0xf)];
++ buf[2] = to_b64[ (data[1] << 2) & 0x3c];
++ buf[3] = '=';
++ buf += 4;
++ chars += 4;
++ break;
++ case 1:
++ buf[0] = to_b64[ (data[0] >> 2) & 0x3f];
++ buf[1] = to_b64[ (data[0] << 4) & 0x30];
++ buf[2] = '=';
++ buf[3] = '=';
++ buf += 4;
++ chars += 4;
++ break;
++ }
++
++ *buf = '\0';
++ }
++
++return string;
++}
++
++/*
++ * Base 64 decoding algorithm from: Bob Deblier
++ * Modified by Daniel Savard to return char *
++ */
++char* b64dec(const char* string)
++{
++ /* return a decoded char string, or a null pointer in case of failure */
++ char* data = NULL;
++
++ if (string) {
++ register int length = strlen(string);
++
++ /* do a format verification first */
++ if (length > 0) {
++ register int count = 0, rem = 0;
++ register const char* tmp = string;
++
++ while (length > 0) {
++ register int skip = strspn(tmp, to_b64);
++ count += skip;
++ length -= skip;
++ tmp += skip;
++ if (length > 0) {
++ register int i, vrfy = strcspn(tmp, to_b64);
++
++ for (i = 0; i < vrfy; i++) {
++ if (isspace(tmp[i]))
++ continue;
++
++ if (tmp[i] == '=') {
++ /* we should check if we're close to the end of the string */
++ rem = count % 4;
++
++ /* rem must be either 2 or 3, otherwise no '=' should be here */
++ if (rem < 2)
++ return NULL;
++
++ /* end-of-message recognized */
++ break;
++ } else {
++ /* Transmission error; RFC tells us to ignore this, but:
++ * - the rest of the message is going to even more corrupt since we're sliding bits out of place
++ * If a message is corrupt, it should be dropped. Period.
++ */
++ return NULL;
++ }
++ }
++
++ length -= vrfy;
++ tmp += vrfy;
++ }
++ }
++
++ data = (unsigned char *)malloc((count / 4) * 3 + (rem ? 
(rem - 1) : 0));
++
++ if (data) {
++ if (count > 0) {
++ register int i, qw = 0, tw = 0;
++
++ length = strlen(tmp = string);
++
++ for (i = 0; i < length; i++) {
++ register char ch = string[i];
++ register char bits = 0;
++
++ if (isspace(ch))
++ continue;
++
++ if ((ch >= 'A') && (ch <= 'Z')) {
++ bits = (ch - 'A');
++ } else if ((ch >= 'a') && (ch <= 'z')) {
++ bits = (ch - 'a' + 26);
++ } else if ((ch >= '0') && (ch <= '9')) {
++ bits = (ch - '0' + 52);
++ } else if (ch == '=') {
++ break;
++ }
++
++ switch (qw++) {
++ case 0:
++ data[tw+0] = (bits << 2) & 0xfc;
++ break;
++ case 1:
++ data[tw+0] |= (bits >> 4) & 0x03;
++ data[tw+1] = (bits << 4) & 0xf0;
++ break;
++ case 2:
++ data[tw+1] |= (bits >> 2) & 0x0f;
++ data[tw+2] = (bits << 6) & 0xc0;
++ break;
++ case 3:
++ data[tw+2] |= bits & 0x3f;
++ break;
++ }
++
++ if (qw == 4) {
++ qw = 0;
++ tw += 3;
++ }
++ }
++
++ data[tw] = '\0';
++ }
++ }
++ }
++ }
++
++return data;
++}
++
++/*
++ * Original https proxy algorithm from: Tan Swee Heng
++ * Modified by Daniel Savard to support basic authentication
++ */
++int connect_to_finaldest(CLI *c, int s) {
++ char buff[STRLEN];
++ int len, code;
++ char httpsproxy_auth[STRLEN] = "";
++ char httpsproxy_useragent[STRLEN] = "";
++
++ if (!c->opt->option.httpsproxy)
++ return 0;
++
++ if (c->opt->httpsproxy_auth != NULL) {
++ if (strchr(c->opt->httpsproxy_auth,':')) {
++ /* httpsproxy_auth in the form name:password' */
++ char *base64_auth = b64enc(c->opt->httpsproxy_auth);
++ log(LOG_DEBUG,"proxy: authenticate with '%s' -> '%s'\n",c->opt->httpsproxy_auth,base64_auth);
++ sprintf(httpsproxy_auth,"Proxy-Authorization: Basic %s\r\n",base64_auth);
++ free(base64_auth);
++ } else {
++ /* httpsproxy_auth already base64 encoded */
++ char *normal_auth = b64dec(c->opt->httpsproxy_auth);
++ log(LOG_DEBUG,"proxy: authenticate with '%s' -> '%s'\n",normal_auth,c->opt->httpsproxy_auth);
++ sprintf(httpsproxy_auth,"Proxy-Authorization: Basic %s\r\n",c->opt->httpsproxy_auth);
++ 
free(normal_auth);
++ }
++ } else {
++ log(LOG_DEBUG,"proxy: no authentication specified");
++ }
++
++ if (c->opt->httpsproxy_useragent != NULL) {
++ log(LOG_DEBUG,"proxy: useragent '%s' -> '%s'\n",c->opt->httpsproxy_useragent);
++ sprintf(httpsproxy_useragent,"User-Agent: %s\r\n",c->opt->httpsproxy_useragent);
++ } else {
++ log(LOG_DEBUG,"proxy: no useragent specified");
++ }
++
++#ifdef HAVE_SNPRINTF
++ len=snprintf(buff, STRLEN,
++#else
++ len=sprintf(buff,
++#endif
++ "CONNECT %s HTTP/1.0\r\n%s%s\r\n",
++ c->opt->httpsproxy_dest_address,
++ httpsproxy_auth,
++ httpsproxy_useragent);
++
++ len=writesocket(s, buff, len);
++ if(len<0) {
++ sockerror("writesocket (httpsproxy)");
++ closesocket(s);
++ return -1;
++ }
++ log(LOG_DEBUG, "me ---> proxy: %s", buff);
++
++ waitforsocket(s, 0, c->opt->timeout_busy);
++ len=readsocket(s, buff, STRLEN-1);
++
++ if(len<0) {
++ sockerror("readsocket (httpsproxy)");
++ closesocket(s);
++ return -1;
++ }
++ buff[len]='\0';
++ log(LOG_DEBUG, "proxy ---> me: %s", buff);
++
++ code = 0;
++ if(sscanf(buff, "HTTP/%*s %d %*s", &code) != 1) {
++ log(LOG_ERR, "error: %s", buff);
++ return -1;
++ }
++
++ if(code != 200) {
++ log(LOG_WARNING, "return code not 200: %s", buff);
++ return -1;
++ }
++
++ return 0;
++}
++
+ /* End of client.c */
+diff -urN stunnel-4.05.orig/src/options.c stunnel-4.05/src/options.c
+--- stunnel-4.05.orig/src/options.c 2004-03-08 17:34:41.000000000 +0000
++++ stunnel-4.05/src/options.c 2004-03-08 18:36:33.000000000 +0000
+@@ -770,6 +770,82 @@
+ }
+ #endif
+ 
++ /* Daniel Savard
++ * httpsproxy_auth
++ * Optional parameter to httpsproxy_dest to specify authentication
++ * credential to the https proxy. Value must be in form name:password
++ * or the base64 encoded value of the preceding form. 
++ */
++ switch(cmd) {
++ case CMD_INIT:
++ section->httpsproxy_auth=NULL;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "httpsproxy_auth"))
++ break;
++ section->httpsproxy_auth=stralloc(arg);
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ log_raw("%-15s = authentication for 'httpsproxy' must be userid:password",
++ "httpsproxy_auth");
++ break;
++ }
++
++ /* Daniel Savard
++ * httpsproxy_dest
++ * When specified, the connect parameter will specify the name of a https
++ * proxy server and this parameter will be the final destination.
++ */
++ switch(cmd) {
++ case CMD_INIT:
++ section->option.httpsproxy=0;
++ section->httpsproxy_dest_address=NULL;
++ section->httpsproxy_dest_names=NULL;
++ section->httpsproxy_dest_port=0;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "httpsproxy_dest"))
++ break;
++ section->option.httpsproxy=1;
++ section->httpsproxy_dest_address=stralloc(arg);
++ if(!section->option.delayed_lookup && !name2nums(arg, "127.0.0.1",
++ §ion->httpsproxy_dest_names, §ion->httpsproxy_dest_port)) {
++ log_raw("Cannot resolve '%s' - delaying DNS lookup", arg);
++ section->option.delayed_lookup=1;
++ }
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ log_raw("%-15s = [host:]port https proxy connect destination host:port",
++ "httpsproxy_dest");
++ break;
++ }
++
++ /* Daniel Savard
++ * httpsproxy_useragent
++ * Optional parameter to httpsproxy_dest. 
When specified, the specified
++ * user-agent will be sent to the proxy
++ */
++ switch(cmd) {
++ case CMD_INIT:
++ section->httpsproxy_useragent=NULL;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "httpsproxy_useragent"))
++ break;
++ section->httpsproxy_useragent=stralloc(arg);
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ log_raw("%-15s = useragent for 'httpsproxy'",
++ "httpsproxy_useragent");
++ break;
++ }
++
+ /* ident */
+ switch(cmd) {
+ case CMD_INIT:
+@@ -884,7 +960,7 @@
+ else
+ return "Illegal close timeout";
+ return NULL; /* OK */
+- case CMD_DEFAULT:
++ case CMD_DEFAULT:
+ log_raw("%-15s = %d seconds", "TIMEOUTclose", section->timeout_close);
+ break;
+ case CMD_HELP:
+diff -urN stunnel-4.05.orig/src/prototypes.h stunnel-4.05/src/prototypes.h
+--- stunnel-4.05.orig/src/prototypes.h 2004-03-08 17:34:41.000000000 +0000
++++ stunnel-4.05/src/prototypes.h 2004-03-08 18:40:48.000000000 +0000
+@@ -161,12 +161,13 @@
+ 
+ /* service-specific data for client.c */
+ int fd; /* file descriptor accepting connections for this service */
+- unsigned short localport, remoteport;
++ unsigned short localport, remoteport, httpsproxy_dest_port;
+ char *execname, **execargs; /* program name and arguments for local mode */
+- u32 *localnames, *remotenames;
++ u32 *localnames, *remotenames, *httpsproxy_dest_names;
+ u32 *local_ip;
+ char *username;
+ char *remote_address;
++ char *httpsproxy_dest_address, *httpsproxy_auth, *httpsproxy_useragent;
+ int timeout_busy; /* Maximum waiting for data time */
+ int timeout_idle; /* Maximum idle connection time */
+ int timeout_close; /* Maximum close_notify time */
+@@ -179,6 +180,7 @@
+ unsigned int delayed_lookup:1;
+ unsigned int accept:1;
+ unsigned int remote:1;
++ unsigned int httpsproxy:1;
+ #ifndef USE_WIN32
+ unsigned int program:1;
+ unsigned int pty:1;
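Review bot: `b64enc` under-allocates its output: `chars = div*4 + rem + 1` followed by `malloc(chars + 1)` reserves `div*4 + rem + 2` bytes, but both `rem` cases write four characters plus the terminating NUL, so any input whose length is not a multiple of 3 writes one or two bytes past the heap block; `char* string = (char*) malloc(div*4 + (rem ? 4 : 0) + 1);` sizes it correctly. `b64dec` has the same class of bug: the buffer is `(count / 4) * 3 + (rem ? (rem - 1) : 0)` bytes, yet the decode loop stores into `data[tw+1]`/`data[tw+2]` as scratch for a partial last group and then writes `data[tw] = '\0'` one past the computed length, and the character mapping never handles '+' or '/', which silently decode as zero bits — `malloc(((count + 3) / 4) * 3 + 1)` plus two more `else if` arms for those characters fix both. In `connect_to_finaldest`, the two `sprintf(httpsproxy_auth, ...)` calls and `sprintf(httpsproxy_useragent, ...)` copy configuration values of unchecked length into STRLEN stack buffers (the CONNECT line already uses `snprintf(buff, STRLEN, ...)` under HAVE_SNPRINTF and the same should apply here), the useragent `log()` call has two `%s` conversions but only one argument, and the `LOG_DEBUG` lines write the proxy username:password in clear to the log, which the logrotate file in this diff makes readable by group adm — log only that authentication is configured, and guard the `normal_auth` log against a NULL return from `b64dec`. The callers in `connect_remote` (whose body is mostly outside the hunk) treat a non-zero `connect_to_finaldest` result like a failed `connect()`: they read a stale `get_last_socket_error()` and, on the retry path, call `connect()` again on a descriptor that `connect_to_finaldest` may already have closed, so a distinct return path for proxy failure is needed there. The `§ion->httpsproxy_dest_names` in the options.c hunk is presumably the page's rendering of `&section->` and is worth confirming against the actual patch file.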