- Port to NSS

This commit is contained in:
Miloslav Trmac 2007-08-28 15:02:14 +00:00
parent ba87541e0c
commit 69617d0344
6 changed files with 1373 additions and 10 deletions


@ -1,2 +1,3 @@
stunnel-4.20.tar.gz stunnel-4.20.tar.gz
stunnel-4.20.tar.gz.asc stunnel-4.20.tar.gz.asc
nss_compat_ossl-0.9.1.tar.gz

12
README.NSS Normal file

@ -0,0 +1,12 @@
To convert an existing stunnel set up to NSS, at minimum it is necessary to:
- create a NSS database directory, $SSL_DIR
$ certutil -d $SSL_DIR -N
- import server and CA certificates:
$ certutil -d $SSL_DIR -A -n server_cert_nickname -i server_cert.pem
- import server private key:
$ openssl pkcs12 -export -in server_key.pem -out server_key.pfx
$ pk12util -d $SSL_DIR -i server_key.pfx
- modify stunnel.conf to use "server_cert_nickname" instead of path to
"server_cert.pem" in "cert"
- when starting stunnel, make sure $SSL_DIR is present in the
environment


@ -0,0 +1,418 @@
Index: src/Makefile.am
===================================================================
RCS file: /cvs/dirsec/nss_compat_ossl/src/Makefile.am,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 Makefile.am
--- src/Makefile.am 20 Apr 2007 22:33:27 -0000 1.1.1.1
+++ src/Makefile.am 26 Aug 2007 23:22:35 -0000
@@ -4,7 +4,7 @@
INCLUDES = @nspr_inc@ @nss_inc@
LIBS = @nspr_lib@ @nss_lib@ -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lplc4 -lplds4 -lnspr4
-libnss_compat_ossl_la_SOURCES = ssl.c log.c rand.c
+libnss_compat_ossl_la_SOURCES = ssl.c algo.c log.c rand.c
pkginclude_HEADERS = nss_compat_ossl.h
Index: src/algo.c
===================================================================
RCS file: src/algo.c
diff -N src/algo.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ src/algo.c 26 Aug 2007 23:22:35 -0000
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2007 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+
+#include <assert.h>
+
+#include "nss_compat_ossl.h"
+
+/* FIXME: is some error handling possible? */
+
+
+void DES_set_odd_parity(DES_cblock *key)
+{
+ size_t i;
+
+ for (i = 0; i < sizeof (*key)/sizeof (**key); i++) {
+ unsigned char val, b;
+
+ val = (*key)[i];
+ b = val;
+ b ^= (b >> 4); /* (b & 0x0F) == (b & 0x0F) ^ ((b & 0xF0) >> 4) */
+ b ^= (b >> 2); /* Likewise ... */
+ b ^= (b >> 1); /* (b & 0x01) == XOR (bits of b) */
+ if ((b & 0x01) == 0)
+ (*key)[i] = val ^ 0x01;
+ }
+}
+
+void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
+{
+ assert (sizeof (schedule->key) == sizeof (*key));
+ memcpy (schedule->key, *key, sizeof (schedule->key));
+}
+
+void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output,
+ DES_key_schedule *ks, int enc)
+{
+ static const CK_MECHANISM_TYPE mechanism = CKM_DES_ECB;
+
+ PK11SlotInfo *slot;
+ PK11Origin origin;
+ PK11SymKey *sym_key;
+ PK11Context *ctx;
+ SECItem key_item;
+ int out_len1;
+ unsigned out_len2;
+ /* FIXME: input and output may overlap */
+
+ slot = PK11_GetBestSlot(mechanism, NULL);
+ if (slot == NULL)
+ abort();
+ origin = enc != DES_DECRYPT ? CKA_ENCRYPT : CKA_DECRYPT,
+ key_item.data = ks->key;
+ key_item.len = sizeof (ks->key);
+ sym_key = PK11_ImportSymKey(slot, mechanism, PK11_OriginUnwrap, origin,
+ &key_item, NULL);
+ ctx = PK11_CreateContextBySymKey(mechanism, origin, sym_key, NULL);
+ (void)PK11_CipherOp(ctx, *output, &out_len1, sizeof (*output), *input,
+ sizeof (*input));
+ (void)PK11_DigestFinal(ctx, *output + out_len1, &out_len2,
+ sizeof (*output) - out_len1);
+ assert (out_len1 + out_len2 == sizeof (*output));
+ PK11_DestroyContext(ctx, PR_TRUE);
+ PK11_FreeSymKey(sym_key);
+ PK11_FreeSlot(slot);
+}
+
+
+void MD4_Init(MD4_CTX *c)
+{
+ *c = PK11_CreateDigestContext(SEC_OID_MD4);
+ (void)PK11_DigestBegin(*c);
+}
+
+void MD4_Update(MD4_CTX *c, const void *data, size_t len)
+{
+ (void)PK11_DigestOp(*c, data, len);
+}
+
+void MD4_Final(unsigned char *md, MD4_CTX *c)
+{
+ unsigned len;
+
+ (void)PK11_DigestFinal(*c, md, &len, 16);
+ assert (len == 16);
+ PK11_DestroyContext(*c, PR_TRUE);
+}
Index: src/nss_compat_ossl.h
===================================================================
RCS file: /cvs/dirsec/nss_compat_ossl/src/nss_compat_ossl.h,v
retrieving revision 1.4
diff -u -r1.4 nss_compat_ossl.h
--- src/nss_compat_ossl.h 11 May 2007 21:25:00 -0000 1.4
+++ src/nss_compat_ossl.h 26 Aug 2007 23:22:35 -0000
@@ -44,6 +44,8 @@
#define NO_RSA 1 /* FIXME: ? */
#define USE_NSS 1 /* FIXME: autoconf? */
+#define PEM_BUFSIZE 1024
+
/* FIXME: need to map from SSL -> SSL_CTX */
#define OSSL_SSL2CTX(x) ((SSL_CTX *)NULL)
#define OSSL_X509_STORE_CTX2CERT(x) NULL
@@ -167,7 +169,14 @@
#define X509_OBJECT SECItem
#define X509_LOOKUP SECItem
#define X509_LOOKUP_METHOD SECItem
-#define X509_STORE_CTX CERTCertificate
+
+typedef struct
+{
+ X509 *current_cert;
+ SSL *ssl__;
+ int error;
+} X509_STORE_CTX;
+
#define X509_STORE SECItem
#define X509_NAME CERTName
#define X509_REVOKED SECItem
@@ -304,6 +313,7 @@
long SSL_CTX_set_mode(SSL_CTX *ctx, long mode);
void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
+int PEM_def_callback(char *buf, int num, int w, void *key);
/* SSL context statistics */
@@ -367,6 +377,7 @@
SSL_METHOD *SSLv3_client_method(void);
SSL_METHOD *SSLv23_client_method(void);
SSL_METHOD *TLSv1_client_method(void);
+SSL_METHOD *SSLv2_server_method(void);
SSL_METHOD *SSLv23_server_method(void);
SSL_METHOD *SSLv3_server_method(void);
SSL_METHOD *TLSv1_server_method(void);
@@ -392,6 +403,8 @@
#define X509_L_FILE_LOAD 1
#define X509_L_ADD_DIR 2
+#define X509_LU_X509 1
+
X509 *d2i_X509(void *reserved, unsigned char **data, int len);
X509_NAME *X509_get_issuer_name(X509 *x);
X509_NAME *X509_get_subject_name(X509 *x);
@@ -412,6 +425,10 @@
X509_LOOKUP_ctrl((x),X509_L_ADD_DIR,(name),(long)(type),NULL)
X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
+int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
+ X509_OBJECT *ret);
+int SSL_get_ex_data_X509_STORE_CTX_idx(void);
+void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx);
/* Other */
@@ -489,12 +506,11 @@
const char *SSL_alert_type_string_long(int value);
const char *SSL_alert_desc_string_long(int value);
-#if 0
const char *SSL_state_string_long(const SSL *s);
-#endif
void CRYPTO_set_id_callback(unsigned long (*func)(void));
-void CRYPTO_set_locking_callback(void (*func)(int mode,int type, int line));
+void CRYPTO_set_locking_callback(void (*func)(int mode,int type,
+ const char *file, int line));
/* RNG */
@@ -510,6 +526,24 @@
const char *nss_error(int error);
+/* Encryption functions */
+#define DES_DECRYPT 0
+#define DES_ENCRYPT 1
+typedef unsigned char DES_cblock[8], const_DES_cblock[8];
+typedef struct { DES_cblock key; } DES_key_schedule;
+
+void DES_set_odd_parity(DES_cblock *key);
+void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule);
+void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output,
+ DES_key_schedule *ks, int enc);
+
+/* Hash functions */
+typedef PK11Context *MD4_CTX;
+
+void MD4_Init(MD4_CTX *c);
+void MD4_Update(MD4_CTX *c, const void *data, size_t len);
+void MD4_Final(unsigned char *md, MD4_CTX *c);
+
/* ASN1 funcs */
unsigned char * ASN1_STRING_data(ASN1_STRING *x);
int ASN1_STRING_type(ASN1_STRING *x);
Index: src/rand.c
===================================================================
RCS file: /cvs/dirsec/nss_compat_ossl/src/rand.c,v
retrieving revision 1.2
diff -u -r1.2 rand.c
--- src/rand.c 23 Apr 2007 18:00:35 -0000 1.2
+++ src/rand.c 26 Aug 2007 23:22:35 -0000
@@ -78,27 +78,17 @@
int RAND_write_file(const char *file)
{
- char buf[RAND_WRITE_BYTES];
+ unsigned char buf[RAND_WRITE_BYTES];
int total = 0;
- int size;
FILE *fp;
if ((fp = fopen(file, "wb")) != NULL) {
- while (total < RAND_WRITE_BYTES) {
- /* PR_GetRandomNoise is not guaranteed to return the number of
- * requested bytes so we'll keep trying */
- size = PR_GetRandomNoise(buf, RAND_WRITE_BYTES - total);
- if (size == 0 && total == 0) {
- /* PR_GetRandomNoise not implemented */
- fclose(fp);
- return 0;
- }
- fwrite(buf, 1, size, fp);
- total += size;
- }
+ if (PK11_GenerateRandom(buf, sizeof (buf)) == SECSuccess) {
+ total = sizeof (buf);
+ fwrite(buf, 1, total, fp);
+ }
+ fclose(fp);
}
- fclose(fp);
-
return total;
}
Index: src/ssl.c
===================================================================
RCS file: /cvs/dirsec/nss_compat_ossl/src/ssl.c,v
retrieving revision 1.12
diff -u -r1.12 ssl.c
--- src/ssl.c 29 May 2007 22:00:19 -0000 1.12
+++ src/ssl.c 26 Aug 2007 23:22:35 -0000
@@ -429,9 +429,14 @@
* use it. Otherwise fall back to the one provided by NSS.
*/
if (ossl->verify_cb != NULL) {
+ X509_STORE_CTX ctx;
+
verify_callback = ossl->verify_cb;
- rv = verify_callback((status == SECSuccess) ? 1 : 0, (X509_STORE_CTX *)ssl);
+ ctx.current_cert = SSL_get_peer_certificate(ssl);
+ ctx.error = PORT_GetError();
+ rv = verify_callback((status == SECSuccess) ? 1 : 0, &ctx);
+ X509_free(ctx.current_cert);
if (rv == 1) {
ossl->verify_result = X509_V_OK;
@@ -1492,6 +1497,11 @@
return create_context(PR_FALSE, PR_FALSE, PR_TRUE, PR_FALSE);
}
+SSL_METHOD *SSLv2_server_method(void)
+{
+ return create_context(PR_TRUE, PR_FALSE, PR_FALSE, PR_TRUE);
+}
+
SSL_METHOD *SSLv23_server_method(void)
{
return create_context(PR_TRUE, PR_TRUE, PR_FALSE, PR_TRUE);
@@ -1890,6 +1900,9 @@
if (ssl)
cert = SSL_PeerCertificate(ssl);
+ if (cert == NULL)
+ return NULL;
+
x = (X509 *)malloc(sizeof(X509));
x->cert = cert;
@@ -2146,8 +2159,8 @@
value = CERT_NameToAscii(x);
- if (len)
- s = PL_strncpyz(s, value, len);
+ if (s)
+ s = PL_strncpyz(s, value, len);
else
s = PORT_ArenaStrdup(x->arena, value);
@@ -2815,7 +2828,7 @@
const char *SSL_state_string_long(const SSL *s)
{
/* We have no visibility into the current NSS handshake state */
- return (NULL);
+ return "Unknown";
}
void SSL_CTX_set_info_callback(SSL_CTX *ctx, void(*cb)())
@@ -2860,6 +2873,13 @@
return;
}
+/* SSL_CTX_set_default_passwd_cb* is ignored */
+int PEM_def_callback(char *buf, int num, int w, void *key)
+{
+ *buf = 0;
+ return 0;
+}
+
long SSL_session_reused(SSL *s)
{
return 0;
@@ -2867,19 +2887,59 @@
X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
{
- X509 * x;
-
- /* Is it really the peer cert we want? Docs are slim on this */
- x = SSL_get_peer_certificate((SSL *)ctx);
+ return ctx->current_cert;
+}
- return x;
+#define X509_STORE_CTX_EX_DATA_SSL_IDX 42
+int SSL_get_ex_data_X509_STORE_CTX_idx(void)
+{
+ return X509_STORE_CTX_EX_DATA_SSL_IDX;
}
+void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
+{
+ if (idx == X509_STORE_CTX_EX_DATA_SSL_IDX)
+ return ctx->ssl__;
+ return NULL;
+}
+
+
+int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
+ X509_OBJECT *ret)
+{
+ PRArenaPool *arena;
+ CERTCertificate * cert;
+ SECItem *subject;
+
+ (void)vs;
+ if (type != X509_LU_X509)
+ return 0;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL)
+ return 0;
+ subject = SEC_ASN1EncodeItem(arena, NULL, name, CERT_NameTemplate);
+ cert = NULL;
+ if (subject != NULL)
+ cert = CERT_FindCertByName(CERT_GetDefaultCertDB(), subject);
+ PORT_FreeArena(arena, PR_FALSE);
+ if (cert == NULL)
+ return 0;
+ /* FIXME: a more useful representation of the certificate, e.g. one that
+ does not leak? */
+ ret->type = siBuffer;
+ ret->data = (unsigned char *)cert;
+ ret->len = sizeof (*cert);
+ return 1;
+}
+
+
void CRYPTO_set_id_callback(unsigned long (*func)(void))
{
}
-void CRYPTO_set_locking_callback(void (*func)(int mode,int type, int line))
+void CRYPTO_set_locking_callback(void (*func)(int mode,int type,
+ const char *file, int line))
{
}
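Review bot: The stack `X509_STORE_CTX ctx` built in the ssl.c verify-callback hunk (the lines around `ctx.current_cert = SSL_get_peer_certificate(ssl);`) never assigns `ctx.ssl__`, yet the new `X509_STORE_CTX_get_ex_data()` later in this same patch returns exactly that field for `X509_STORE_CTX_EX_DATA_SSL_IDX`, so a caller following the usual OpenSSL idiom of recovering the `SSL *` through `SSL_get_ex_data_X509_STORE_CTX_idx()` reads an uninitialized pointer on every verified connection, in the one code path that decides whether a peer certificate is accepted. One added line next to the error assignment closes it: `ctx.ssl__ = ssl;` (the enclosing function starts and ends outside the hunk, so I am assuming `ssl` is the handle in scope there, as its use on the `SSL_get_peer_certificate(ssl)` line suggests). The same "no error handling" gap the FIXME in algo.c admits is concrete in `DES_ecb_encrypt`: only the slot lookup is checked, while a NULL from `PK11_ImportSymKey` or `PK11_CreateContextBySymKey` is passed straight into `PK11_CipherOp` with its result discarded, leaving `*output` holding whatever the caller's buffer contained. Checking both the way the slot already is, `if (sym_key == NULL || ctx == NULL) abort();`, keeps the failure loud instead of silently emitting unencrypted or stale bytes.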


@ -1,2 +1,3 @@
cf9940395d3503018f721c962528d2ec stunnel-4.20.tar.gz cf9940395d3503018f721c962528d2ec stunnel-4.20.tar.gz
ad7cb2c30d0e073ea9d75354b76c5aee stunnel-4.20.tar.gz.asc ad7cb2c30d0e073ea9d75354b76c5aee stunnel-4.20.tar.gz.asc
765c1426fc61b5c67c17fca0a87405cb nss_compat_ossl-0.9.1.tar.gz

909
stunnel-4.20-nss.patch Normal file

@ -0,0 +1,909 @@
--- stunnel-4.20/doc/stunnel.8.nss 2007-08-28 16:29:18.000000000 +0200
+++ stunnel-4.20/doc/stunnel.8 2007-08-28 16:42:23.000000000 +0200
@@ -156,6 +156,16 @@ changes to the source code.
.PP
This product includes cryptographic software written by
Eric Young (eay@cryptsoft.com)
+
+.SH NOTE
+This version of stunnel was modified to use NSS.
+Some options that configured in stunnel are now configured in the NSS database.
+Please see
+.B README.NSS
+in the package documentation for more information.
+Please report bugs at \fBbugzilla.redhat.com\fR,
+not at the upstream bug tracking system.
+
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "<\fBfilename\fR>" 4
@@ -212,11 +222,6 @@ to the directory specified with \fBchroo
To have libwrap (\s-1TCP\s0 Wrappers) control effective in a chrooted environment
you also have to copy its configuration files (/etc/hosts.allow and
/etc/hosts.deny) there.
-.IP "\fBcompression\fR = zlib | rle" 4
-.IX Item "compression = zlib | rle"
-select data compression algorithm
-.Sp
-default: no compression
.IP "\fBdebug\fR = [facility.]level" 4
.IX Item "debug = [facility.]level"
debugging level
@@ -231,25 +236,6 @@ The syslog facility 'authpriv' will be u
(Facilities are not supported on Win32.)
.Sp
Case is ignored for both facilities and levels.
-.IP "\fB\s-1EGD\s0\fR = egd path (Unix only)" 4
-.IX Item "EGD = egd path (Unix only)"
-path to Entropy Gathering Daemon socket
-.Sp
-Entropy Gathering Daemon socket to use to feed OpenSSL random number
-generator. (Available only if compiled with OpenSSL 0.9.5a or higher)
-.IP "\fBengine\fR = auto | <engine id>" 4
-.IX Item "engine = auto | <engine id>"
-select hardware engine
-.Sp
-default: software-only cryptography
-.Sp
-There's an example in '\s-1EXAMPLES\s0' section.
-.IP "\fBengineCtrl\fR = command[:parameter]" 4
-.IX Item "engineCtrl = command[:parameter]"
-control hardware engine
-.Sp
-Special commands \*(L"\s-1LOAD\s0\*(R" and \*(L"\s-1INIT\s0\*(R" can be used to load and initialize the
-engine cryptogaphic module.
.IP "\fBforeground\fR = yes | no (Unix only)" 4
.IX Item "foreground = yes | no (Unix only)"
foreground mode
@@ -351,26 +337,18 @@ If no host specified, defaults to all \s
.IX Item "CApath = directory"
Certificate Authority directory
.Sp
-This is the directory in which \fBstunnel\fR will look for certificates when using
-the \fIverify\fR. Note that the certificates in this directory should be named
-\&\s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1DER\s0 encoded subject of the
-cert (the first 4 bytes of the \s-1MD5\s0 hash in least significant byte order).
-.Sp
-\&\fICApath\fR path is relative to \fIchroot\fR directory if specified.
-.IP "\fBCAfile\fR = certfile" 4
-.IX Item "CAfile = certfile"
-Certificate Authority file
-.Sp
-This file contains multiple \s-1CA\s0 certificates, used with the \fIverify\fR.
-.IP "\fBcert\fR = pemfile" 4
-.IX Item "cert = pemfile"
-certificate chain \s-1PEM\s0 file name
-.Sp
-A \s-1PEM\s0 is always needed in server mode.
-Specifying this flag in client mode will use this certificate chain
-as a client side certificate chain. Using client side certs is optional.
-The certificates must be in \s-1PEM\s0 format and must be sorted starting with the
-certificate to the highest level (root \s-1CA\s0).
+This option is currently ignored.
+Store CA certificates in the NSS database instead.
+.IP "\fBCAfile\fR = certnick" 4
+.IX Item "CAfile = certnick"
+Certificate Authority certificate nickname.
+Store CA certificates in the NSS database instead.
+.IX Item "cert = certnick"
+certificate nickname in the NSS database
+.Sp
+A certificate is always needed in server mode.
+Specifying this flag in client mode will use this certificate
+as a client side certificate. Using client side certs is optional.
.IP "\fBciphers\fR = cipherlist" 4
.IX Item "ciphers = cipherlist"
Select permitted \s-1SSL\s0 ciphers
@@ -387,28 +365,9 @@ default: no (server mode)
connect to remote host:port
.Sp
If no host specified, defaults to localhost.
-.IP "\fBCRLpath\fR = directory" 4
-.IX Item "CRLpath = directory"
-Certificate Revocation Lists directory
-.Sp
-This is the directory in which \fBstunnel\fR will look for CRLs when
-using the \fIverify\fR. Note that the CRLs in this directory should
-be named \s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1CRL\s0.
-.Sp
-\&\fICRLpath\fR path is relative to \fIchroot\fR directory if specified.
-.IP "\fBCRLfile\fR = certfile" 4
-.IX Item "CRLfile = certfile"
-Certificate Revocation Lists file
-.Sp
-This file contains multiple CRLs, used with the \fIverify\fR.
.IP "\fBdelay\fR = yes | no" 4
.IX Item "delay = yes | no"
delay \s-1DNS\s0 lookup for 'connect' option
-.IP "\fBengineNum\fR = engine number" 4
-.IX Item "engineNum = engine number"
-select engine number to read private key
-.Sp
-The engines are numbered starting from 1.
.IP "\fBexec\fR = executable_path (Unix only)" 4
.IX Item "exec = executable_path (Unix only)"
execute local inetd-type program
@@ -426,51 +385,18 @@ Arguments are separated with arbitrary n
use \s-1IDENT\s0 (\s-1RFC\s0 1413) username checking
.IP "\fBkey\fR = keyfile" 4
.IX Item "key = keyfile"
-private key for certificate specified with \fIcert\fR option
-.Sp
-Private key is needed to authenticate certificate owner.
-Since this file should be kept secret it should only be readable
-to its owner. On Unix systems you can use the following command:
-.Sp
-.Vb 1
-\& chmod 600 keyfile
-.Ve
-.Sp
-default: value of \fIcert\fR option
+private key for certificate specified with \fIcert\fR option.
+This option is currently ignored.
+Store private keys in the NSS database instead.
.IP "\fBlocal\fR = host" 4
.IX Item "local = host"
\&\s-1IP\s0 of the outgoing interface is used as source for remote connections.
Use this option to bind a static local \s-1IP\s0 address, instead.
-.IP "\fB\s-1OCSP\s0\fR = url" 4
-.IX Item "OCSP = url"
-select \s-1OCSP\s0 server for certificate verification
-.IP "\fBOCSPflag\fR = flag" 4
-.IX Item "OCSPflag = flag"
-specify \s-1OCSP\s0 server flag
-.Sp
-Several \fIOCSPflag\fR can be used to specify multiple flags.
-.Sp
-currently supported flags: \s-1NOCERTS\s0, \s-1NOINTERN\s0 \s-1NOSIGS\s0, \s-1NOCHAIN\s0, \s-1NOVERIFY\s0,
-\&\s-1NOEXPLICIT\s0, \s-1NOCASIGN\s0, \s-1NODELEGATED\s0, \s-1NOCHECKS\s0, \s-1TRUSTOTHER\s0, \s-1RESPID_KEY\s0, \s-1NOTIME\s0
-.IP "\fBoptions\fR = SSL_options" 4
-.IX Item "options = SSL_options"
-OpenSSL library options
-.Sp
-The parameter is the OpenSSL option name as described in the
-\&\fI\fISSL_CTX_set_options\fI\|(3ssl)\fR manual, but without \fI\s-1SSL_OP_\s0\fR prefix.
-Several \fIoptions\fR can be used to specify multiple options.
-.Sp
-For example for compatibility with erroneous Eudora \s-1SSL\s0 implementation
-the following option can be used:
-.Sp
-.Vb 1
-\& options = DONT_INSERT_EMPTY_FRAGMENTS
-.Ve
.IP "\fBprotocol\fR = proto" 4
.IX Item "protocol = proto"
application protocol to negotiate \s-1SSL\s0
.Sp
-currently supported: cifs, connect, imap, nntp, pop3, smtp
+currently supported: cifs, imap, nntp, pop3, smtp
.IP "\fBprotocolAuthentication\fR = auth_type" 4
.IX Item "protocolAuthentication = auth_type"
authentication type for protocol negotiations
--- stunnel-4.20/configure.ac.nss 2006-11-11 15:58:01.000000000 +0100
+++ stunnel-4.20/configure.ac 2007-08-28 16:06:24.000000000 +0200
@@ -48,12 +48,24 @@ AC_MSG_NOTICE([*************************
AC_CHECK_FILE("/dev/ptmx", AC_DEFINE(HAVE_DEV_PTMX))
AC_CHECK_FILE("/dev/ptc", AC_DEFINE(HAVE_DEV_PTS_AND_PTC))
+# Crypto implementation
+AC_ARG_WITH([nss],
+ [ --with-nss Use nss_compat_ossl instead of OpenSSL],
+ [], [with_nss=no])
+if test "x$with_nss" != xno
+then AC_DEFINE([WITH_NSS], [1], [Define to 1 if you are using nss_compat_ossl])
+ PKG_CHECK_MODULES([NSS], [nss])
+ LIBS="$LIBS -lnss_compat_ossl"
+fi
+
AC_MSG_NOTICE([**************************************** entropy])
-AC_ARG_WITH(egd-socket,
- [ --with-egd-socket=FILE Entropy Gathering Daemon socket pathname],
- [EGD_SOCKET="$withval"]
-)
+if test "x$with_nss" = xno
+then AC_ARG_WITH(egd-socket,
+ [ --with-egd-socket=FILE Entropy Gathering Daemon socket pathname],
+ [EGD_SOCKET="$withval"]
+ )
+fi
if test -n "$EGD_SOCKET"
then AC_DEFINE_UNQUOTED(EGD_SOCKET, "$EGD_SOCKET")
fi
@@ -227,69 +239,79 @@ checkssldir() { :
return 1
}
-# Check for SSL directory
-AC_MSG_CHECKING([for SSL directory])
-AC_ARG_WITH(ssl,
-[ --with-ssl=DIR location of installed SSL libraries/include files],
- [
- # Check the specified localtion only
- checkssldir "$withval"
- ],
- [
- # Search default localtions of SSL library
- for maindir in /usr/local /usr/lib /usr/pkg /usr /var/ssl /opt; do
- for dir in $maindir $maindir/openssl $maindir/ssl; do
- checkssldir $dir && break 2
- done
- done
- ]
-)
-if test -z "$ssldir"
-then AC_MSG_RESULT([Not found])
- echo
- echo "Couldn't find your SSL library installation dir"
- echo "Use --with-ssl option to fix this problem"
- echo
- exit 1
-fi
-AC_MSG_RESULT([$ssldir])
-AC_SUBST(ssldir)
-AC_DEFINE_UNQUOTED(ssldir, "$ssldir")
-
-# Add SSL includes and libraries
-CFLAGS="$CFLAGS -I$ssldir/include"
-LIBS="$LIBS -L$ssldir/lib -lssl -lcrypto"
-
-# Check for obsolete RSAref library
-AC_MSG_CHECKING([for obsolete RSAref library])
-saved_LIBS="$LIBS"
-LIBS="$saved_LIBS -lRSAglue -L$prefix/lib -lrsaref"
-AC_LINK_IFELSE(
- [AC_LANG_PROGRAM([[]], [[]])],
- [AC_MSG_RESULT([yes])],
- [AC_MSG_RESULT([no]); LIBS="$saved_LIBS"]
-)
+if test "x$with_nss" = "xno"
+then
+ # Check for SSL directory
+ AC_MSG_CHECKING([for SSL directory])
+ AC_ARG_WITH(ssl,
+ [ --with-ssl=DIR location of installed SSL libraries/include files],
+ [
+ # Check the specified localtion only
+ checkssldir "$withval"
+ ],
+ [
+ # Search default localtions of SSL library
+ for maindir in /usr/local /usr/lib /usr/pkg /usr /var/ssl /opt; do
+ for dir in $maindir $maindir/openssl $maindir/ssl; do
+ checkssldir $dir && break 2
+ done
+ done
+ ]
+ )
+ if test -z "$ssldir"
+ then AC_MSG_RESULT([Not found])
+ echo
+ echo "Couldn't find your SSL library installation dir"
+ echo "Use --with-ssl option to fix this problem"
+ echo
+ exit 1
+ fi
+ AC_MSG_RESULT([$ssldir])
+ AC_SUBST(ssldir)
+ AC_DEFINE_UNQUOTED(ssldir, "$ssldir")
+
+ # Add SSL includes and libraries
+ CFLAGS="$CFLAGS -I$ssldir/include"
+ LIBS="$LIBS -L$ssldir/lib -lssl -lcrypto"
-AC_CHECK_HEADER([$ssldir/include/openssl/engine.h],
- [AC_DEFINE([HAVE_OSSL_ENGINE_H])],
- [AC_MSG_WARN([Openssl engine header not found])])
+ # Check for obsolete RSAref library
+ AC_MSG_CHECKING([for obsolete RSAref library])
+ saved_LIBS="$LIBS"
+ LIBS="$saved_LIBS -lRSAglue -L$prefix/lib -lrsaref"
+ AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM([[]], [[]])],
+ [AC_MSG_RESULT([yes])],
+ [AC_MSG_RESULT([no]); LIBS="$saved_LIBS"]
+ )
+
+ AC_CHECK_HEADER([$ssldir/include/openssl/engine.h],
+ [AC_DEFINE([HAVE_OSSL_ENGINE_H])],
+ [AC_MSG_WARN([Openssl engine header not found])])
+fi
AC_MSG_NOTICE([**************************************** optional features])
# Use RSA?
-AC_MSG_CHECKING([whether to disable RSA support])
-AC_ARG_ENABLE(rsa,
-[ --disable-rsa Disable RSA support],
- [AC_MSG_RESULT([yes]); AC_DEFINE(NO_RSA)],
- [AC_MSG_RESULT([no])]
-)
+if test "x$with_nss" != xno
+then AC_DEFINE([NO_RSA])
+else
+ AC_MSG_CHECKING([whether to disable RSA support])
+ AC_ARG_ENABLE(rsa,
+ [ --disable-rsa Disable RSA support],
+ [AC_MSG_RESULT([yes]); AC_DEFINE(NO_RSA)],
+ [AC_MSG_RESULT([no])]
+ )
+fi
# Use DH?
-AC_MSG_CHECKING([whether to enable DH support])
-AC_ARG_ENABLE(dh,
-[ --enable-dh Enable DH support],
- [AC_MSG_RESULT([yes]); USE_DH=1; AC_DEFINE(USE_DH)],
- [AC_MSG_RESULT([no])]
-)
+if test "x$with_nss" = xno
+then
+ AC_MSG_CHECKING([whether to enable DH support])
+ AC_ARG_ENABLE(dh,
+ [ --enable-dh Enable DH support],
+ [AC_MSG_RESULT([yes]); USE_DH=1; AC_DEFINE(USE_DH)],
+ [AC_MSG_RESULT([no])]
+ )
+fi
AC_SUBST(USE_DH)
# Use IPv6?
--- stunnel-4.20/src/options.c.nss 2007-08-28 16:06:24.000000000 +0200
+++ stunnel-4.20/src/options.c 2007-08-28 16:06:24.000000000 +0200
@@ -51,12 +51,16 @@ static char **argalloc(char *);
#endif
static int parse_debug_level(char *);
+#ifndef WITH_NSS
static int parse_ssl_option(char *);
+#endif
static int print_socket_options(void);
static void print_option(char *, int, OPT_UNION *);
static int parse_socket_option(char *);
+#if !defined(WITH_NSS) && SSLEAY_VERSION_NUMBER >= 0x00907000L
static char *parse_ocsp_url(LOCAL_OPTIONS *, char *);
static unsigned long parse_ocsp_flag(char *);
+#endif /* !WITH_NSS && OpenSSL-0.9.7 */
GLOBAL_OPTIONS options;
LOCAL_OPTIONS local_options;
@@ -72,8 +76,6 @@ static char *option_not_found=
"Specified option name is not valid here";
static char *global_options(CMD cmd, char *opt, char *arg) {
- char *tmpstr;
-
if(cmd==CMD_DEFAULT || cmd==CMD_HELP) {
log_raw("Global options");
}
@@ -98,6 +100,7 @@ static char *global_options(CMD cmd, cha
#endif /* HAVE_CHROOT */
/* compression */
+#ifndef WITH_NSS
switch(cmd) {
case CMD_INIT:
options.compression=COMP_NONE;
@@ -119,6 +122,7 @@ static char *global_options(CMD cmd, cha
"compression");
break;
}
+#endif
/* debug */
switch(cmd) {
@@ -147,7 +151,7 @@ static char *global_options(CMD cmd, cha
}
/* EGD is only supported when compiled with OpenSSL 0.9.5a or later */
-#if SSLEAY_VERSION_NUMBER >= 0x0090581fL
+#if !defined(WITH_NSS) && SSLEAY_VERSION_NUMBER >= 0x0090581fL
switch(cmd) {
case CMD_INIT:
options.egd_sock=NULL;
@@ -166,7 +170,7 @@ static char *global_options(CMD cmd, cha
log_raw("%-15s = path to Entropy Gathering Daemon socket", "EGD");
break;
}
-#endif /* OpenSSL 0.9.5a */
+#endif /* !WITH_NSS && OpenSSL 0.9.5a */
#ifdef HAVE_OSSL_ENGINE_H
/* engine */
@@ -188,6 +192,8 @@ static char *global_options(CMD cmd, cha
/* engineCtrl */
switch(cmd) {
+ char *tmpstr;
+
case CMD_INIT:
break;
case CMD_EXEC:
@@ -449,8 +455,6 @@ static char *global_options(CMD cmd, cha
static char *service_options(CMD cmd, LOCAL_OPTIONS *section,
char *opt, char *arg) {
- int tmpnum;
-
if(cmd==CMD_DEFAULT || cmd==CMD_HELP) {
log_raw(" ");
log_raw("Service-level options");
@@ -624,6 +628,7 @@ static char *service_options(CMD cmd, LO
break;
}
+#ifndef WITH_NSS
/* CRLpath */
switch(cmd) {
case CMD_INIT:
@@ -663,6 +668,7 @@ static char *service_options(CMD cmd, LO
log_raw("%-15s = CRL file", "CRLfile");
break;
}
+#endif
/* delay */
switch(cmd) {
@@ -805,7 +811,7 @@ static char *service_options(CMD cmd, LO
break;
}
-#if SSLEAY_VERSION_NUMBER >= 0x00907000L
+#if !defined(WITH_NSS) && SSLEAY_VERSION_NUMBER >= 0x00907000L
/* OCSP */
switch(cmd) {
case CMD_INIT:
@@ -830,7 +836,9 @@ static char *service_options(CMD cmd, LO
case CMD_INIT:
section->ocsp_flags=0;
break;
- case CMD_EXEC:
+ case CMD_EXEC: {
+ int tmpnum;
+
if(strcasecmp(opt, "OCSPflag"))
break;
tmpnum=parse_ocsp_flag(arg);
@@ -838,20 +846,24 @@ static char *service_options(CMD cmd, LO
return "Illegal OCSP flag";
section->ocsp_flags|=tmpnum;
return NULL;
+ }
case CMD_DEFAULT:
break;
case CMD_HELP:
log_raw("%-15s = OCSP server flags", "OCSPflag");
break;
}
-#endif /* OpenSSL-0.9.7 */
+#endif /* !WITH_NSS && OpenSSL-0.9.7 */
/* options */
+#ifndef WITH_NSS
switch(cmd) {
case CMD_INIT:
section->ssl_options=0;
break;
- case CMD_EXEC:
+ case CMD_EXEC: {
+ int tmpnum;
+
if(strcasecmp(opt, "options"))
break;
tmpnum=parse_ssl_option(arg);
@@ -859,6 +871,7 @@ static char *service_options(CMD cmd, LO
return "Illegal SSL option";
section->ssl_options|=tmpnum;
return NULL; /* OK */
+ }
case CMD_DEFAULT:
break;
case CMD_HELP:
@@ -866,6 +879,7 @@ static char *service_options(CMD cmd, LO
log_raw("%18sset an SSL option", "");
break;
}
+#endif
/* protocol */
switch(cmd) {
@@ -1537,6 +1551,7 @@ static int parse_debug_level(char *arg)
return 1; /* OK */
}
+#ifndef WITH_NSS
/* Parse out SSL options stuff */
static int parse_ssl_option(char *arg) {
@@ -1580,6 +1595,7 @@ static int parse_ssl_option(char *arg) {
return option->value;
return 0; /* FAILED */
}
+#endif /* !WITH_NSS */
/* Parse out the socket options stuff */
@@ -1757,6 +1773,8 @@ static int parse_socket_option(char *arg
return 0; /* FAILED */
}
+
+#if !defined(WITH_NSS) && SSLEAY_VERSION_NUMBER >= 0x00907000L
/* Parse out OCSP URL */
static char *parse_ocsp_url(LOCAL_OPTIONS *section, char *arg) {
@@ -1807,5 +1825,6 @@ static unsigned long parse_ocsp_flag(cha
return option->value;
return 0; /* FAILED */
}
+#endif /* !WITH_NSS && OpenSSL-0.9.7 */
/* End of options.c */
--- stunnel-4.20/src/ssl.c.nss 2006-11-05 14:04:58.000000000 +0100
+++ stunnel-4.20/src/ssl.c 2007-08-28 16:06:24.000000000 +0200
@@ -32,7 +32,9 @@
#include "prototypes.h"
/* Global OpenSSL initalization: compression, engine, entropy */
+#ifndef WITH_NSS
static void init_compression(void);
+#endif
static int init_prng(void);
static int prng_seeded(int);
static int add_rand_file(char *);
@@ -55,12 +57,15 @@ void ssl_init(void) { /* init SSL before
}
void ssl_configure(void) { /* configure global SSL settings */
+#ifndef WITH_NSS
if(options.compression!=COMP_NONE)
init_compression();
+#endif
if(!init_prng())
s_log(LOG_DEBUG, "PRNG seeded successfully");
}
+#ifndef WITH_NSS
static void init_compression(void) {
int id=0;
COMP_METHOD *cm=NULL;
@@ -91,6 +96,7 @@ static void init_compression(void) {
}
s_log(LOG_INFO, "Compression enabled using %s method", name);
}
+#endif
static int init_prng(void) {
int totbytes=0;
@@ -133,7 +139,7 @@ static int init_prng(void) {
s_log(LOG_DEBUG, "RAND_screen failed to sufficiently seed PRNG");
#else
-#if SSLEAY_VERSION_NUMBER>=0x0090581fL
+#if !defined(WITH_NSS) && SSLEAY_VERSION_NUMBER>=0x0090581fL
if(options.egd_sock) {
if((bytes=RAND_egd(options.egd_sock))==-1) {
s_log(LOG_WARNING, "EGD Socket %s failed", options.egd_sock);
@@ -157,7 +163,7 @@ static int init_prng(void) {
}
#endif /* EGD_SOCKET */
-#endif /* OpenSSL-0.9.5a */
+#endif /* !WITH_NSS && OpenSSL-0.9.5a */
#endif /* USE_WIN32 */
/* Try the good-old default /dev/urandom, if available */
--- stunnel-4.20/src/ctx.c.nss 2006-11-15 19:54:18.000000000 +0100
+++ stunnel-4.20/src/ctx.c 2007-08-28 16:18:51.000000000 +0200
@@ -68,15 +68,16 @@ static void sslerror_stack(void);
/**************************************** initialize section->ctx */
void context_init(LOCAL_OPTIONS *section) { /* init SSL context */
- struct stat st; /* buffer for stat */
-
/* check if certificate exists */
if(!section->key) /* key file not specified */
section->key=section->cert;
+#ifndef WITH_NSS
#ifdef HAVE_OSSL_ENGINE_H
if(!section->engine)
#endif
if(section->option.cert) {
+ struct stat st; /* buffer for stat */
+
if(stat(section->key, &st)) {
ioerror(section->key);
exit(1);
@@ -86,6 +87,7 @@ void context_init(LOCAL_OPTIONS *section
s_log(LOG_WARNING, "Wrong permissions on %s", section->key);
#endif /* defined USE_WIN32 */
}
+#endif /* !WITH_NSS */
/* create SSL context */
if(section->option.client) {
section->ctx=SSL_CTX_new(section->client_method());
@@ -99,12 +101,14 @@ void context_init(LOCAL_OPTIONS *section
s_log(LOG_WARNING, "Diffie-Hellman initialization failed");
#endif /* USE_DH */
}
+#ifndef WITH_NSS
if(section->ssl_options) {
s_log(LOG_DEBUG, "Configuration SSL options: 0x%08lX",
section->ssl_options);
s_log(LOG_DEBUG, "SSL options set: 0x%08lX",
SSL_CTX_set_options(section->ctx, section->ssl_options));
}
+#endif
if(section->cipher_list) {
if (!SSL_CTX_set_cipher_list(section->ctx, section->cipher_list)) {
sslerror("SSL_CTX_set_cipher_list");
@@ -366,8 +370,13 @@ static void info_callback(SSL *s, int wh
where & SSL_CB_READ ? "read" : "write",
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
- else if(where==SSL_CB_HANDSHAKE_DONE)
+ else if(where==SSL_CB_HANDSHAKE_DONE) {
+#ifndef WITH_NSS
print_stats(s->ctx);
+#else
+ print_stats(s);
+#endif
+ }
}
static void print_stats(SSL_CTX *ctx) { /* print statistics */
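Review bot: `print_stats(s)` in the new `#else` branch passes an `SSL *` to a function whose parameter is still declared `SSL_CTX *ctx` on the line below, so this compiles only if the compat header declares SSL and SSL_CTX as the same (or implicitly convertible) type, which nothing in the hunk states. Either add a comment at the call site, e.g. `/* nss_compat_ossl keeps this state on the SSL object, not on s->ctx */` (adjusted to what the compat layer actually does), or give print_stats an explicit NSS prototype so the types match rather than relying on a typedef alias. If print_stats really receives a different object under NSS, its body (outside this hunk) also needs checking for fields that exist only on SSL_CTX.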
--- stunnel-4.20/src/sthreads.c.nss 2006-09-26 09:59:08.000000000 +0200
+++ stunnel-4.20/src/sthreads.c 2007-08-28 16:06:24.000000000 +0200
@@ -197,7 +197,7 @@ void leave_critical_section(SECTION_CODE
}
static void locking_callback(int mode, int type,
-#ifdef HAVE_OPENSSL
+#if defined(HAVE_OPENSSL) || defined(WITH_NSS)
const /* Callback definition has been changed in openssl 0.9.3 */
#endif
char *file, int line) {
--- stunnel-4.20/src/verify.c.nss 2006-11-01 15:59:16.000000000 +0100
+++ stunnel-4.20/src/verify.c 2007-08-28 16:06:24.000000000 +0200
@@ -34,14 +34,20 @@
/**************************************** prototypes */
/* verify initialization */
+#ifndef WITH_NSS
static void load_file_lookup(X509_STORE *, char *);
static void add_dir_lookup(X509_STORE *, char *);
+#endif /* !WITH_NSS */
/* verify callback */
static int verify_callback(int, X509_STORE_CTX *);
static int cert_check(CLI *c, X509_STORE_CTX *, char *, int);
+#ifndef WITH_NSS
static int crl_check(CLI *c, X509_STORE_CTX *, char *);
+#endif
+#if !defined(WITH_NSS) && SSLEAY_VERSION_NUMBER >= 0x00907000L
static int ocsp_check(CLI *c, X509_STORE_CTX *, char *);
+#endif /* !WITH_NSS && OpenSSL-0.9.7 */
/**************************************** verify initialization */
@@ -55,11 +61,13 @@ void verify_init(LOCAL_OPTIONS *section)
exit(1);
}
+#ifndef WITH_NSS
section->revocation_store=X509_STORE_new();
if(!section->revocation_store) {
sslerror("X509_STORE_new");
exit(1);
}
+#endif
if(section->ca_file) {
if(!SSL_CTX_load_verify_locations(section->ctx,
@@ -75,7 +83,9 @@ void verify_init(LOCAL_OPTIONS *section)
#endif
s_log(LOG_DEBUG, "Loaded verify certificates from %s",
section->ca_file);
+#ifndef WITH_NSS
load_file_lookup(section->revocation_store, section->ca_file);
+#endif
}
if(section->ca_dir) {
@@ -87,9 +97,12 @@ void verify_init(LOCAL_OPTIONS *section)
exit(1);
}
s_log(LOG_DEBUG, "Verify directory set to %s", section->ca_dir);
+#ifndef WITH_NSS
add_dir_lookup(section->revocation_store, section->ca_dir);
+#endif
}
+#ifndef WITH_NSS
if(section->crl_file)
load_file_lookup(section->revocation_store, section->crl_file);
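Review bot: The `#ifndef WITH_NSS` opened before `if(section->crl_file)` compiles the CRL file lookup out of the NSS build with no replacement and no diagnostic, so an administrator who configured `CRLfile` (and, in the following hunk, `CRLpath`) keeps a config that loads fine but no longer performs revocation checks — a silent weakening of the verification policy. Assuming options.c still accepts those directives under WITH_NSS, verify_init should refuse to start rather than ignore them, following the `exit(1)` pattern used earlier in this function: `#else` / `if(section->crl_file || section->crl_dir) { s_log(LOG_ERR, "CRL checking is not supported in the NSS build"); exit(1); }` / `#endif`. If the intent is to rely on NSS's own revocation handling instead, a comment saying so, and what configures it, belongs here. verify_init continues outside this hunk.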
@@ -97,6 +110,7 @@ void verify_init(LOCAL_OPTIONS *section)
section->revocation_store->cache=0; /* don't cache CRLs */
add_dir_lookup(section->revocation_store, section->crl_dir);
}
+#endif /* !WITH_NSS */
SSL_CTX_set_verify(section->ctx, section->verify_level==SSL_VERIFY_NONE ?
SSL_VERIFY_PEER : section->verify_level, verify_callback);
@@ -105,6 +119,7 @@ void verify_init(LOCAL_OPTIONS *section)
s_log(LOG_NOTICE, "Peer certificate location %s", section->ca_dir);
}
+#ifndef WITH_NSS
static void load_file_lookup(X509_STORE *store, char *name) {
X509_LOOKUP *lookup;
@@ -136,6 +151,7 @@ static void add_dir_lookup(X509_STORE *s
}
s_log(LOG_DEBUG, "Added %s revocation lookup directory", name);
}
+#endif /* !WITH_NSS */
/**************************************** verify callback */
@@ -157,16 +173,17 @@ static int verify_callback(int preverify
if(!cert_check(c, callback_ctx, subject_name, preverify_ok))
return 0; /* reject connection */
+#ifndef WITH_NSS
if(!crl_check(c, callback_ctx, subject_name))
return 0; /* reject connection */
-#if SSLEAY_VERSION_NUMBER >= 0x00907000L
+#endif /* !WITH_NSS */
+#if !defined(WITH_NSS) && SSLEAY_VERSION_NUMBER >= 0x00907000L
if(c->opt->option.ocsp && !ocsp_check(c, callback_ctx, subject_name))
return 0; /* reject connection */
-#endif /* OpenSSL-0.9.7 */
+#endif /* !WITH_NSS && OpenSSL-0.9.7 */
/* errnum=X509_STORE_CTX_get_error(ctx); */
- s_log(LOG_NOTICE, "VERIFY OK: depth=%d, %s",
- callback_ctx->error_depth, subject_name);
+ s_log(LOG_NOTICE, "VERIFY OK: %s", subject_name);
return 1; /* accept connection */
}
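Review bot: The rewritten `s_log(LOG_NOTICE, "VERIFY OK: %s", subject_name)` drops `callback_ctx->error_depth` from the OpenSSL build as well, not only from NSS, so the audit log no longer records at which chain depth each certificate was accepted; the callback is presumably invoked once per certificate in the chain, and without the depth a log reader cannot tell the peer's leaf from an intermediate or root. Keep the original two-line message under `#ifndef WITH_NSS` and use the depth-less form only in an `#else` branch. Separately, `c->opt->option.ocsp` is now silently ignored under WITH_NSS; as with CRLs, a configured OCSP check that does nothing deserves at least a LOG_WARNING at startup, if options.c still accepts the directive in that build.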
@@ -177,19 +194,21 @@ static int cert_check(CLI *c, X509_STORE
X509_OBJECT ret;
if(c->opt->verify_level==SSL_VERIFY_NONE) {
- s_log(LOG_NOTICE, "VERIFY IGNORE: depth=%d, %s",
- callback_ctx->error_depth, subject_name);
+ s_log(LOG_NOTICE, "VERIFY IGNORE: %s", subject_name);
return 1; /* accept connection */
}
if(!preverify_ok) {
/* remote site specified a certificate, but it's not correct */
- s_log(LOG_WARNING, "VERIFY ERROR: depth=%d, error=%s: %s",
- callback_ctx->error_depth,
+ s_log(LOG_WARNING, "VERIFY ERROR: error=%s: %s",
X509_verify_cert_error_string (callback_ctx->error),
subject_name);
return 0; /* reject connection */
}
- if(c->opt->verify_use_only_my && callback_ctx->error_depth==0 &&
+ /* FIXME: test this */
+ if(c->opt->verify_use_only_my &&
+#ifndef WITH_NSS
+ callback_ctx->error_depth==0 &&
+#endif
X509_STORE_get_by_subject(callback_ctx, X509_LU_X509,
X509_get_subject_name(callback_ctx->current_cert), &ret)!=1) {
s_log(LOG_WARNING, "VERIFY ERROR ONLY MY: no cert for %s",
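Review bot: `/* FIXME: test this */` sits on the check that implements `verify_use_only_my`, the strictest verification level, and the NSS variant changes its semantics: without the `error_depth==0` condition the lookup in the local store is applied to whichever certificate the compat layer hands to the callback, so depending on whether nss_compat_ossl invokes verify_callback once per chain element or only for the peer certificate, this level either rejects every chain containing an intermediate or behaves as before. That has to be established before this ships, and the answer recorded in place of the FIXME, e.g. `/* nss_compat_ossl calls verify_callback only for the peer certificate, so no depth check is needed */` (or the opposite, with a matching fix). The depth was also removed from the VERIFY IGNORE and VERIFY ERROR messages in the OpenSSL build, which loses forensic context for no gain there; keeping the original messages under `#ifndef WITH_NSS` is cheap. cert_check continues outside this hunk.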
@@ -201,6 +220,7 @@ static int cert_check(CLI *c, X509_STORE
/**************************************** CRL checking */
+#ifndef WITH_NSS
/* based on BSD-style licensed code of mod_ssl */
static int crl_check(CLI *c, X509_STORE_CTX *callback_ctx,
char *subject_name) {
@@ -318,10 +338,11 @@ static int crl_check(CLI *c, X509_STORE_
}
return 1; /* accept connection */
}
+#endif /* !WITH_NSS */
/**************************************** OCSP checking */
-#if SSLEAY_VERSION_NUMBER >= 0x00907000L
+#if !defined(WITH_NSS) && SSLEAY_VERSION_NUMBER >= 0x00907000L
static int ocsp_check(CLI *c, X509_STORE_CTX *callback_ctx,
char *subject_name) {
int error, retval=0;
@@ -442,6 +463,6 @@ cleanup:
c->fd=-1; /* avoid double close on cleanup */
return retval;
}
-#endif /* OpenSSL-0.9.7 */
+#endif /* !WITH_NSS && OpenSSL-0.9.7 */
/* End of verify.c */
--- stunnel-4.20/src/Makefile.am.nss 2006-11-04 23:23:22.000000000 +0100
+++ stunnel-4.20/src/Makefile.am 2007-08-28 16:06:24.000000000 +0200
@@ -27,7 +27,8 @@ INCLUDES = -I/usr/kerberos/include
# Additional compiler flags
-AM_CPPFLAGS = -DLIBDIR='"$(libdir)"' -DCONFDIR='"$(sysconfdir)/stunnel"' -DPIDFILE='"$(prefix)/var/run/stunnel/stunnel.pid"'
+AM_CPPFLAGS = -DLIBDIR='"$(libdir)"' -DCONFDIR='"$(sysconfdir)/stunnel"' -DPIDFILE='"$(prefix)/var/run/stunnel/stunnel.pid"' $(NSS_CFLAGS)
+AM_LDFLAGS = $(NSS_LIBS)
# Win32 executable
--- stunnel-4.20/src/common.h.nss 2006-11-17 10:03:18.000000000 +0100
+++ stunnel-4.20/src/common.h 2007-08-28 16:06:24.000000000 +0200
@@ -307,7 +307,9 @@ extern char *sys_errlist[];
/**************************************** OpenSSL headers */
-#ifdef HAVE_OPENSSL
+#ifdef WITH_NSS
+#include <nss_compat_ossl/nss_compat_ossl.h>
+#elif defined(HAVE_OPENSSL)
#include <openssl/lhash.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
--- stunnel-4.20/src/protocol.c.nss 2006-11-11 12:02:51.000000000 +0100
+++ stunnel-4.20/src/protocol.c 2007-08-28 16:06:24.000000000 +0200
@@ -30,6 +30,9 @@
#include "common.h"
#include "prototypes.h"
+#ifdef WITH_NSS
+#include <plbase64.h>
+#endif
/* \n is not a character expected in the string */
#define LINE "%[^\n]"
@@ -70,8 +73,10 @@ void negotiate(CLI *c) {
imap_client(c);
else if(!strcmp(c->opt->protocol, "nntp"))
nntp_client(c);
+#ifndef WITH_NSS
else if(!strcmp(c->opt->protocol, "connect"))
connect_client(c);
+#endif
else {
s_log(LOG_ERR, "Protocol %s not supported in client mode",
c->opt->protocol);
@@ -511,8 +516,9 @@ static void crypt_DES(DES_cblock dst, co
}
static char *base64(int encode, char *in, int len) {
- BIO *bio, *b64;
char *out;
+#ifndef WITH_NSS
+ BIO *bio, *b64;
b64=BIO_new(BIO_f_base64());
BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
@@ -535,6 +541,23 @@ static char *base64(int encode, char *in
}
BIO_read(bio, out, len);
BIO_free_all(bio);
+#else
+ if (encode) {
+ out = calloc(((len + 2) / 3) * 4 + 1, 1);
+ if (!out) {
+ log_raw("Fatal memory allocation error");
+ exit(2);
+ }
+ PL_Base64Encode(in, len, out);
+ } else {
+ out = calloc(((len * 3 + 3) / 4) + 1, 1);
+ if (!out) {
+ log_raw("Fatal memory allocation error");
+ exit(2);
+ }
+ PL_Base64Decode(in, len, out);
+ }
+#endif
return out;
}
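Review bot: The return value of `PL_Base64Decode(in, len, out)` is discarded; NSPR's decoder returns NULL when the input contains characters outside the base64 alphabet or has an invalid length, in which case `out` holds whatever was written before the bad character followed by calloc zeros, and base64() hands that back as if it were valid decoded data. The input presumably comes from the remote side of the protocol negotiation, so the failure should be visible rather than swallowed: `if(!PL_Base64Decode(in, len, out)) { s_log(LOG_WARNING, "Invalid base64 data received"); free(out); return NULL; }` — provided the callers, which are outside this hunk, are checked to cope with a NULL return; if they cannot, at least log the event. Two smaller points: the sizing `((len * 3 + 3) / 4) + 1` is correct but deserves `/* 4 input chars -> 3 bytes, plus NUL */`, and the allocation-failure path uses `log_raw` whereas the rest of this file logs through `s_log` (see the "Protocol %s not supported" message); if that difference is deliberate, a comment should say why.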


@ -1,8 +1,8 @@
Summary: An SSL-encrypting socket wrapper Summary: An SSL-encrypting socket wrapper
Name: stunnel Name: stunnel
Version: 4.20 Version: 4.20
Release: 2 Release: 3.nss
License: GPL License: GPLv2
Group: Applications/Internet Group: Applications/Internet
URL: http://stunnel.mirt.net/ URL: http://stunnel.mirt.net/
Source0: ftp://stunnel.mirt.net/stunnel/stunnel-%{version}.tar.gz Source0: ftp://stunnel.mirt.net/stunnel/stunnel-%{version}.tar.gz
@ -12,11 +12,16 @@ Source3: sfinger.xinetd
Source4: stunnel-sfinger.conf Source4: stunnel-sfinger.conf
Source5: pop3-redirect.xinetd Source5: pop3-redirect.xinetd
Source6: stunnel-pop3s-client.conf Source6: stunnel-pop3s-client.conf
Source7: README.NSS
Source8: nss_compat_ossl-0.9.1.tar.gz
Patch0: stunnel-4.08-authpriv.patch Patch0: stunnel-4.08-authpriv.patch
Patch1: stunnel-4.18-sample.patch Patch1: stunnel-4.18-sample.patch
Patch2: stunnel-4.20-nss.patch
Patch3: nss_compat_ossl-0.9.1-stunnel.patch
Buildroot: %{_tmppath}/stunnel-root Buildroot: %{_tmppath}/stunnel-root
# util-linux is needed for rename # util-linux is needed for rename
BuildRequires: openssl-devel, pkgconfig, tcp_wrappers-devel, util-linux BuildRequires: nss-devel, pkgconfig, tcp_wrappers-devel, util-linux
BuildRequires: autoconf automake libtool
%description %description
Stunnel is a socket wrapper which can provide SSL (Secure Sockets Stunnel is a socket wrapper which can provide SSL (Secure Sockets
@ -24,22 +29,36 @@ Layer) support to ordinary applications. For example, it can be used
in conjunction with imapd to create an SSL secure IMAP server. in conjunction with imapd to create an SSL secure IMAP server.
%prep %prep
%setup -q %setup -q -a 8
%patch0 -p1 -b .authpriv %patch0 -p1 -b .authpriv
%patch1 -p1 -b .sample %patch1 -p1 -b .sample
%patch2 -p1 -b .nss
pushd nss_compat_ossl-0.9.1
%patch3 -p0 -b .stunnel
autoreconf
popd
iconv -f iso-8859-1 -t utf-8 < doc/stunnel.fr.8 > doc/stunnel.fr.8_ iconv -f iso-8859-1 -t utf-8 < doc/stunnel.fr.8 > doc/stunnel.fr.8_
mv doc/stunnel.fr.8_ doc/stunnel.fr.8 mv doc/stunnel.fr.8_ doc/stunnel.fr.8
iconv -f iso-8859-2 -t utf-8 < doc/stunnel.pl.8 > doc/stunnel.pl.8_ iconv -f iso-8859-2 -t utf-8 < doc/stunnel.pl.8 > doc/stunnel.pl.8_
mv doc/stunnel.pl.8_ doc/stunnel.pl.8 mv doc/stunnel.pl.8_ doc/stunnel.pl.8
# For patch2
autoreconf
%build %build
CFLAGS="$RPM_OPT_FLAGS -fPIC"; export CFLAGS CFLAGS="$RPM_OPT_FLAGS -fPIC"; export CFLAGS
if pkg-config openssl ; then
CFLAGS="$CFLAGS `pkg-config --cflags openssl`"; pushd nss_compat_ossl-0.9.1
LDFLAGS="`pkg-config --libs-only-L openssl`"; export LDFLAGS autoreconf
fi ./configure --prefix=$(pwd)/p --libdir=$(pwd)/p/lib \
%configure --enable-ipv6 \ --disable-shared --enable-static
make all install
popd
CFLAGS="-I$(pwd)/nss_compat_ossl-0.9.1/p/include $CFLAGS"
export LDFLAGS="-L$(pwd)/nss_compat_ossl-0.9.1/p/lib"
%configure --with-nss --enable-ipv6 \
CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'" CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'"
make LDADD="-pie -Wl,-z,defs,-z,relro" make LDADD="-pie -Wl,-z,defs,-z,relro"
@ -57,7 +76,7 @@ for lang in fr pl ; do
done done
mkdir srpm-docs mkdir srpm-docs
cp %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} srpm-docs cp %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE7} srpm-docs
%post -p /sbin/ldconfig %post -p /sbin/ldconfig
@ -84,6 +103,9 @@ rm -rf $RPM_BUILD_ROOT
%exclude %{_sysconfdir}/stunnel/* %exclude %{_sysconfdir}/stunnel/*
%changelog %changelog
* Tue Aug 28 2007 Miloslav Trmač <mitr@redhat.com> - 4.20-3.nss
- Port to NSS
* Mon Dec 4 2006 Miloslav Trmac <mitr@redhat.com> - 4.20-2 * Mon Dec 4 2006 Miloslav Trmac <mitr@redhat.com> - 4.20-2
- Update BuildRequires for the separate tcp_wrappers-devel package - Update BuildRequires for the separate tcp_wrappers-devel package