stunnel: Bring it back at v5.10

From: Michael Haas <haas@computerlinguist.org>

* init script no longer creates certificates (consider client mode as use
  case)
* patches/010_fix_getnameinfo.patch: Fix getnameinfo signature
* patches/011_disable_ssp_linking.patch: Disable -fstack-protector as it
  is not always available in OpenWRT
* old patches (in oldpackages) no longer necessary
* remove libwrap dependency
* remove libpthread dependency
* respect CONFIG_IPV6
* init script uses procd
* sample stunnel.conf runs in client mode - prevents start failure,
  does not require cert

Possible enhancement: automatically generate certificate as done in
uhttpd. However, as client mode is a possible use case, I'd rather not.
Additionally, stunnel may use several certs with user-defined locations
and we can't easily set a cert location via command-line args.

The package is based on
https://sites.google.com/site/twisteroidambassador/openwrt/stunnel

Signed-off-by: Michael Haas <haas@computerlinguist.org>

net/stunnel/Makefile

@@ -0,0 +1,77 @@
+#
+# Copyright (C) 2006-2014 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=stunnel
+PKG_VERSION:=5.10
+PKG_RELEASE:=1
+
+PKG_LICENSE:=GPL-2.0+
+PKG_MAINTAINER:=Michael Haas <haas@computerlinguist.org>
+PKG_LICENSE_FILES:=COPYING COPYRIGHT.GPL
+
+PKG_SOURCE_URL:=http://stunnel.cybermirror.org/archive/5.x/
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_MD5SUM:=a0edda805eb7d6ea600a230fb0979ea1
+
+PKG_FIXUP:=autoreconf
+PKG_INSTALL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/stunnel
+  SECTION:=net
+  CATEGORY:=Network
+  DEPENDS:=+libopenssl
+  TITLE:=SSL TCP Wrapper
+  URL:=http://www.stunnel.org/
+endef
+
+define Package/stunnel/description
+	Stunnel is a program that allows you to encrypt arbitrary TCP
+	connections inside SSL (Secure Sockets Layer) available on both Unix
+	and Windows. Stunnel can allow you to secure non-SSL aware daemons and
+	protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the
+	encryption, requiring no changes to the daemon's code.
+endef
+
+define Package/stunnel/conffiles
+/etc/stunnel/stunnel.conf
+endef
+
+
+CONFIGURE_ARGS+= \
+	--with-random=/dev/urandom \
+	--with-threads=fork \
+	--with-ssl=$(STAGING_DIR)/usr \
+	--disable-libwrap \
+	--disable-systemd
+
+ifeq ($(CONFIG_IPV6),n)
+CONFIGURE_ARGS+= \
+	--disable-ipv6
+endif
+
+define Build/Compile
+	mkdir -p $(PKG_INSTALL_DIR)/etc/stunnel
+	echo '#dummy' > $(PKG_INSTALL_DIR)/etc/stunnel/stunnel.pem
+	$(call Build/Compile/Default)
+endef
+
+define Package/stunnel/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/stunnel $(1)/usr/bin/
+	$(INSTALL_DIR) $(1)/usr/lib/stunnel
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/stunnel/libstunnel.so $(1)/usr/lib/stunnel/
+	$(INSTALL_DIR) $(1)/etc/stunnel
+	$(INSTALL_CONF) ./files/stunnel.conf $(1)/etc/stunnel/stunnel.conf
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/stunnel.init $(1)/etc/init.d/stunnel
+endef
+
+$(eval $(call BuildPackage,stunnel))

net/stunnel/files/stunnel.conf

@@ -0,0 +1,45 @@
+; Drop privileges
+setuid = nobody 
+setgid = nogroup
+
+; When running under procd, stay in foreground
+foreground = yes
+
+; Don't log to stderr, use syslog
+syslog = yes
+
+; 1-7. Use 7 for greatest verbosity
+;debug = 5
+
+; Starting here, enter your services or uncomment the examples
+
+; Example:
+; If your local httpd does not support HTTPS, use stunnel in remote
+; mode to forward TLS connections coming in on port 443 to non-TLS
+; on port 80.
+; Make sure that the cert is available.
+;[httpd]
+;accept = 443
+;connect = 127.0.0.1:80
+;cert = /etc/stunnel/stunnel.pem
+
+; Example:
+; If your local email client does not support TLS,
+; use stunnel in client mode to forward non-TLS connections on
+; port 143 to TLS-enabled servername:993.
+;[imap]
+;client = yes
+;accept = 143
+;connect = servername:993
+; Disable peer verification - be sure to understand the limitations of peer
+; verification in stunnel when enabling.
+;verify = 0
+
+; Default client section:
+; stunnel requires at least one section to start successfully.
+; You can safely remove this section once you have configured
+; your own. We use client mode here as server requires a certificate.
+[dummy]
+client = yes
+accept = localhost:6000
+connect = localhost:6001

net/stunnel/files/stunnel.init

@@ -0,0 +1,12 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2006-2008 OpenWrt.org
+
+START=90
+USE_PROCD=1
+
+start_service() {
+	procd_open_instance
+	procd_set_param command /usr/bin/stunnel /etc/stunnel/stunnel.conf
+	procd_set_param respawn # respawn automatically if something died
+	procd_close_instance
+}

net/stunnel/patches/010_fix_getnameinfo.patch

@@ -0,0 +1,25 @@
+--- a/src/prototypes.h
++++ b/src/prototypes.h
+@@ -559,7 +559,7 @@ extern GETNAMEINFO s_getnameinfo;
+ 
+ #endif /* USE_WIN32 */
+ 
+-int getnameinfo(const struct sockaddr *, int, char *, int, char *, int, int);
++int getnameinfo(const struct sockaddr *, socklen_t, char *, socklen_t, char *, socklen_t, unsigned int);
+ 
+ #endif /* !defined HAVE_GETNAMEINFO */
+ 
+--- a/src/resolver.c
++++ b/src/resolver.c
+@@ -535,8 +535,9 @@ const char *s_gai_strerror(int err) {
+ /* implementation is limited to functionality needed by stunnel */
+ 
+ #ifndef HAVE_GETNAMEINFO
+-int getnameinfo(const struct sockaddr *sa, int salen,
+-    char *host, int hostlen, char *serv, int servlen, int flags) {
++int getnameinfo(const struct sockaddr *sa, socklen_t salen,
++    char *host, socklen_t hostlen, char *serv, socklen_t servlen,
++    unsigned int flags) {
+ 
+ #if defined(USE_WIN32) && !defined(_WIN32_WCE)
+     if(s_getnameinfo)

net/stunnel/patches/011_disable_ssp_linking.patch

@@ -0,0 +1,140 @@
+--- a/configure
++++ b/configure
+@@ -5646,66 +5646,66 @@ done
+ 
+ 
+ 
+-for flag in -fstack-protector; do
+-  as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$flag" | $as_tr_sh`
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $flag" >&5
+-$as_echo_n "checking whether C compiler accepts $flag... " >&6; }
+-if eval \${$as_CACHEVAR+:} false; then :
+-  $as_echo_n "(cached) " >&6
+-else
+-
+-  ax_check_save_flags=$CFLAGS
+-  CFLAGS="$CFLAGS  $flag"
+-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+-/* end confdefs.h.  */
+-
+-int
+-main ()
+-{
+-
+-  ;
+-  return 0;
+-}
+-_ACEOF
+-if ac_fn_c_try_compile "$LINENO"; then :
+-  eval "$as_CACHEVAR=yes"
+-else
+-  eval "$as_CACHEVAR=no"
+-fi
+-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+-  CFLAGS=$ax_check_save_flags
+-fi
+-eval ac_res=\$$as_CACHEVAR
+-	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+-$as_echo "$ac_res" >&6; }
+-if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then :
+-  if ${CFLAGS+:} false; then :
+-  case " $CFLAGS " in
+-    *" $flag "*)
+-      { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS already contains \$flag"; } >&5
+-  (: CFLAGS already contains $flag) 2>&5
+-  ac_status=$?
+-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+-  test $ac_status = 0; }
+-      ;;
+-    *)
+-      { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS=\"\$CFLAGS \$flag\""; } >&5
+-  (: CFLAGS="$CFLAGS $flag") 2>&5
+-  ac_status=$?
+-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+-  test $ac_status = 0; }
+-      CFLAGS="$CFLAGS $flag"
+-      ;;
+-   esac
+-else
+-  CFLAGS="$flag"
+-fi
+-
+-else
+-  :
+-fi
+-
+-done
++#for flag in -fstack-protector; do
++#  as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$flag" | $as_tr_sh`
++#{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $flag" >&5
++#$as_echo_n "checking whether C compiler accepts $flag... " >&6; }
++#if eval \${$as_CACHEVAR+:} false; then :
++#  $as_echo_n "(cached) " >&6
++#else
++#
++#  ax_check_save_flags=$CFLAGS
++#  CFLAGS="$CFLAGS  $flag"
++#  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++#/* end confdefs.h.  */
++
++#int
++#main ()
++#{
++#
++#  ;
++#  return 0;
++#}
++#_ACEOF
++#if ac_fn_c_try_compile "$LINENO"; then :
++#  eval "$as_CACHEVAR=yes"
++#else
++#  eval "$as_CACHEVAR=no"
++#fi
++#rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++#  CFLAGS=$ax_check_save_flags
++#fi
++#eval ac_res=\$$as_CACHEVAR
++#	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
++#$as_echo "$ac_res" >&6; }
++#if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then :
++#  if ${CFLAGS+:} false; then :
++#  case " $CFLAGS " in
++#    *" $flag "*)
++#      { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS already contains \$flag"; } >&5
++#  (: CFLAGS already contains $flag) 2>&5
++#  ac_status=$?
++#  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++#  test $ac_status = 0; }
++#      ;;
++#    *)
++#      { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS=\"\$CFLAGS \$flag\""; } >&5
++#  (: CFLAGS="$CFLAGS $flag") 2>&5
++#  ac_status=$?
++#  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++#  test $ac_status = 0; }
++#      CFLAGS="$CFLAGS $flag"
++#      ;;
++#   esac
++#else
++#  CFLAGS="$flag"
++#fi
++#
++#else
++#  :
++#fi
++#
++#done
+ 
+ 
+ 
+--- a/configure.ac
++++ b/configure.ac
+@@ -71,7 +71,7 @@ AX_APPEND_COMPILE_FLAGS([-Wformat=2])
+ AX_APPEND_COMPILE_FLAGS([-Wconversion])
+ AX_APPEND_COMPILE_FLAGS([-Wno-long-long])
+ AX_APPEND_COMPILE_FLAGS([-Wno-deprecated-declarations])
+-AX_APPEND_COMPILE_FLAGS([-fstack-protector])
++#AX_APPEND_COMPILE_FLAGS([-fstack-protector])
+ AX_APPEND_COMPILE_FLAGS([-fPIE])
+ AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2])
+ AX_APPEND_LINK_FLAGS([-fPIE -pie])