stunnel: Bring it back at v5.10

From: Michael Haas <haas@computerlinguist.org> * init script no longer creates certificates (consider client mode as use case) * patches/010_fix_getnameinfo.patch: Fix getnameinfo signature * patches/011_disable_ssp_linking.patch: Disable -fstack-protector as it is not always available in OpenWRT * old patches (in oldpackages) no longer necessary * remove libwrap dependency * remove libpthread dependency * respect CONFIG_IPV6 * init script uses procd * sample stunnel.conf runs in client mode - prevents start failure, does not require cert Possible enhancement: automatically generate certificate as done in uhttpd. However, as client mode is a possible use case, I'd rather not. Additionally, stunnel may use several certs with user-defined locations and we can't easily set a cert location via command-line args. The package is based on https://sites.google.com/site/twisteroidambassador/openwrt/stunnel Signed-off-by: Michael Haas <haas@computerlinguist.org>
10 years ago · f6927350e4
--- a/net/stunnel/Makefile
+++ b/net/stunnel/Makefile
@ -0,0 +1,77 @@
 #
 # Copyright (C) 2006-2014 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
 #
 include $(TOPDIR)/rules.mk
 PKG_NAME:=stunnel
 PKG_VERSION:=5.10
 PKG_RELEASE:=1
 PKG_LICENSE:=GPL-2.0+
 PKG_MAINTAINER:=Michael Haas <haas@computerlinguist.org>
 PKG_LICENSE_FILES:=COPYING COPYRIGHT.GPL
 PKG_SOURCE_URL:=http://stunnel.cybermirror.org/archive/5.x/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_MD5SUM:=a0edda805eb7d6ea600a230fb0979ea1
 PKG_FIXUP:=autoreconf
 PKG_INSTALL:=1
 include $(INCLUDE_DIR)/package.mk
 define Package/stunnel
  SECTION:=net
  CATEGORY:=Network
  DEPENDS:=+libopenssl
  TITLE:=SSL TCP Wrapper
  URL:=http://www.stunnel.org/
 endef
 define Package/stunnel/description
 	Stunnel is a program that allows you to encrypt arbitrary TCP
 	connections inside SSL (Secure Sockets Layer) available on both Unix
 	and Windows. Stunnel can allow you to secure non-SSL aware daemons and
 	protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the
 	encryption, requiring no changes to the daemon's code.
 endef
 define Package/stunnel/conffiles
 /etc/stunnel/stunnel.conf
 endef
 CONFIGURE_ARGS+= \
 	--with-random=/dev/urandom \
 	--with-threads=fork \
 	--with-ssl=$(STAGING_DIR)/usr \
 	--disable-libwrap \
 	--disable-systemd
 ifeq ($(CONFIG_IPV6),n)
 CONFIGURE_ARGS+= \
 	--disable-ipv6
 endif
 define Build/Compile
 	mkdir -p $(PKG_INSTALL_DIR)/etc/stunnel
 	echo '#dummy' > $(PKG_INSTALL_DIR)/etc/stunnel/stunnel.pem
 	$(call Build/Compile/Default)
 endef
 define Package/stunnel/install
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/stunnel $(1)/usr/bin/
 	$(INSTALL_DIR) $(1)/usr/lib/stunnel
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/stunnel/libstunnel.so $(1)/usr/lib/stunnel/
 	$(INSTALL_DIR) $(1)/etc/stunnel
 	$(INSTALL_CONF) ./files/stunnel.conf $(1)/etc/stunnel/stunnel.conf
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/stunnel.init $(1)/etc/init.d/stunnel
 endef
 $(eval $(call BuildPackage,stunnel))
--- a/net/stunnel/files/stunnel.conf
+++ b/net/stunnel/files/stunnel.conf
@ -0,0 +1,45 @@
 ; Drop privileges
 setuid = nobody 
 setgid = nogroup
 ; When running under procd, stay in foreground
 foreground = yes
 ; Don't log to stderr, use syslog
 syslog = yes
 ; 1-7. Use 7 for greatest verbosity
 ;debug = 5
 ; Starting here, enter your services or uncomment the examples
 ; Example:
 ; If your local httpd does not support HTTPS, use stunnel in remote
 ; mode to forward TLS connections coming in on port 443 to non-TLS
 ; on port 80.
 ; Make sure that the cert is available.
 ;[httpd]
 ;accept = 443
 ;connect = 127.0.0.1:80
 ;cert = /etc/stunnel/stunnel.pem
 ; Example:
 ; If your local email client does not support TLS,
 ; use stunnel in client mode to forward non-TLS connections on
 ; port 143 to TLS-enabled servername:993.
 ;[imap]
 ;client = yes
 ;accept = 143
 ;connect = servername:993
 ; Disable peer verification - be sure to understand the limitations of peer
 ; verification in stunnel when enabling.
 ;verify = 0
 ; Default client section:
 ; stunnel requires at least one section to start successfully.
 ; You can safely remove this section once you have configured
 ; your own. We use client mode here as server requires a certificate.
 [dummy]
 client = yes
 accept = localhost:6000
 connect = localhost:6001
--- a/net/stunnel/files/stunnel.init
+++ b/net/stunnel/files/stunnel.init
@ -0,0 +1,12 @@
 #!/bin/sh /etc/rc.common
 # Copyright (C) 2006-2008 OpenWrt.org
 START=90
 USE_PROCD=1
 start_service() {
 	procd_open_instance
 	procd_set_param command /usr/bin/stunnel /etc/stunnel/stunnel.conf
 	procd_set_param respawn # respawn automatically if something died
 	procd_close_instance
 }
--- a/net/stunnel/patches/010_fix_getnameinfo.patch
+++ b/net/stunnel/patches/010_fix_getnameinfo.patch
@ -0,0 +1,25 @@
 --- a/src/prototypes.h
 +++ b/src/prototypes.h
@@ -559,7 +559,7 @@ extern GETNAMEINFO s_getnameinfo;
 #endif /* USE_WIN32 */
 -int getnameinfo(const struct sockaddr *, int, char *, int, char *, int, int);
 +int getnameinfo(const struct sockaddr *, socklen_t, char *, socklen_t, char *, socklen_t, unsigned int);
 #endif /* !defined HAVE_GETNAMEINFO */
 --- a/src/resolver.c
 +++ b/src/resolver.c
@@ -535,8 +535,9 @@ const char *s_gai_strerror(int err) {
 /* implementation is limited to functionality needed by stunnel */
 #ifndef HAVE_GETNAMEINFO
 -int getnameinfo(const struct sockaddr *sa, int salen,
 -    char *host, int hostlen, char *serv, int servlen, int flags) {
 +int getnameinfo(const struct sockaddr *sa, socklen_t salen,
 +    char *host, socklen_t hostlen, char *serv, socklen_t servlen,
 +    unsigned int flags) {
 #if defined(USE_WIN32) && !defined(_WIN32_WCE)
     if(s_getnameinfo)
--- a/net/stunnel/patches/011_disable_ssp_linking.patch
+++ b/net/stunnel/patches/011_disable_ssp_linking.patch
@ -0,0 +1,140 @@
 --- a/configure
 +++ b/configure
@@ -5646,66 +5646,66 @@ done
 -for flag in -fstack-protector; do
 -  as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$flag" | $as_tr_sh`
 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $flag" >&5
 -$as_echo_n "checking whether C compiler accepts $flag... " >&6; }
 -if eval \${$as_CACHEVAR+:} false; then :
 -  $as_echo_n "(cached) " >&6
 -else
 -
 -  ax_check_save_flags=$CFLAGS
 -  CFLAGS="$CFLAGS  $flag"
 -  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 -/* end confdefs.h.  */
 -
 -int
 -main ()
 -{
 -
 -  ;
 -  return 0;
 -}
 -_ACEOF
 -if ac_fn_c_try_compile "$LINENO"; then :
 -  eval "$as_CACHEVAR=yes"
 -else
 -  eval "$as_CACHEVAR=no"
 -fi
 -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 -  CFLAGS=$ax_check_save_flags
 -fi
 -eval ac_res=\$$as_CACHEVAR
 -	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
 -$as_echo "$ac_res" >&6; }
 -if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then :
 -  if ${CFLAGS+:} false; then :
 -  case " $CFLAGS " in
 -    *" $flag "*)
 -      { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS already contains \$flag"; } >&5
 -  (: CFLAGS already contains $flag) 2>&5
 -  ac_status=$?
 -  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
 -  test $ac_status = 0; }
 -      ;;
 -    *)
 -      { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS=\"\$CFLAGS \$flag\""; } >&5
 -  (: CFLAGS="$CFLAGS $flag") 2>&5
 -  ac_status=$?
 -  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
 -  test $ac_status = 0; }
 -      CFLAGS="$CFLAGS $flag"
 -      ;;
 -   esac
 -else
 -  CFLAGS="$flag"
 -fi
 -
 -else
 -  :
 -fi
 -
 -done
 +#for flag in -fstack-protector; do
 +#  as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$flag" | $as_tr_sh`
 +#{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $flag" >&5
 +#$as_echo_n "checking whether C compiler accepts $flag... " >&6; }
 +#if eval \${$as_CACHEVAR+:} false; then :
 +#  $as_echo_n "(cached) " >&6
 +#else
 +#
 +#  ax_check_save_flags=$CFLAGS
 +#  CFLAGS="$CFLAGS  $flag"
 +#  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 +#/* end confdefs.h.  */
 +
 +#int
 +#main ()
 +#{
 +#
 +#  ;
 +#  return 0;
 +#}
 +#_ACEOF
 +#if ac_fn_c_try_compile "$LINENO"; then :
 +#  eval "$as_CACHEVAR=yes"
 +#else
 +#  eval "$as_CACHEVAR=no"
 +#fi
 +#rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 +#  CFLAGS=$ax_check_save_flags
 +#fi
 +#eval ac_res=\$$as_CACHEVAR
 +#	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
 +#$as_echo "$ac_res" >&6; }
 +#if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then :
 +#  if ${CFLAGS+:} false; then :
 +#  case " $CFLAGS " in
 +#    *" $flag "*)
 +#      { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS already contains \$flag"; } >&5
 +#  (: CFLAGS already contains $flag) 2>&5
 +#  ac_status=$?
 +#  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
 +#  test $ac_status = 0; }
 +#      ;;
 +#    *)
 +#      { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS=\"\$CFLAGS \$flag\""; } >&5
 +#  (: CFLAGS="$CFLAGS $flag") 2>&5
 +#  ac_status=$?
 +#  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
 +#  test $ac_status = 0; }
 +#      CFLAGS="$CFLAGS $flag"
 +#      ;;
 +#   esac
 +#else
 +#  CFLAGS="$flag"
 +#fi
 +#
 +#else
 +#  :
 +#fi
 +#
 +#done
 --- a/configure.ac
 +++ b/configure.ac
@@ -71,7 +71,7 @@ AX_APPEND_COMPILE_FLAGS([-Wformat=2])
 AX_APPEND_COMPILE_FLAGS([-Wconversion])
 AX_APPEND_COMPILE_FLAGS([-Wno-long-long])
 AX_APPEND_COMPILE_FLAGS([-Wno-deprecated-declarations])
 -AX_APPEND_COMPILE_FLAGS([-fstack-protector])
 +#AX_APPEND_COMPILE_FLAGS([-fstack-protector])
 AX_APPEND_COMPILE_FLAGS([-fPIE])
 AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2])
 AX_APPEND_LINK_FLAGS([-fPIE -pie])