diff --git a/.cvsignore b/.cvsignore index a28b499..a57e816 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1,3 +1,2 @@ stunnel-4.20.tar.gz stunnel-4.20.tar.gz.asc -nss_compat_ossl-0.9.1.tar.gz diff --git a/README.NSS b/README.NSS deleted file mode 100644 index 5c97e3e..0000000 --- a/README.NSS +++ /dev/null @@ -1,12 +0,0 @@ -To convert an existing stunnel set up to NSS, at minimum it is necessary to: -- create a NSS database directory, $SSL_DIR - $ certutil -d $SSL_DIR -N -- import server and CA certificates: - $ certutil -d $SSL_DIR -A -n server_cert_nickname -i server_cert.pem -- import server private key: - $ openssl pkcs12 -export -in server_key.pem -out server_key.pfx - $ pk12util -d $SSL_DIR -i server_key.pfx -- modify stunnel.conf to use "server_cert_nickname" instead of path to - "server_cert.pem" in "cert" -- when starting stunnel, make sure $SSL_DIR is present in the - environment diff --git a/nss_compat_ossl-0.9.1-stunnel.patch b/nss_compat_ossl-0.9.1-stunnel.patch deleted file mode 100644 index 208b2d0..0000000 --- a/nss_compat_ossl-0.9.1-stunnel.patch +++ /dev/null @@ -1,418 +0,0 @@ -Index: src/Makefile.am -=================================================================== -RCS file: /cvs/dirsec/nss_compat_ossl/src/Makefile.am,v -retrieving revision 1.1.1.1 -diff -u -r1.1.1.1 Makefile.am ---- src/Makefile.am 20 Apr 2007 22:33:27 -0000 1.1.1.1 -+++ src/Makefile.am 26 Aug 2007 23:22:35 -0000 -@@ -4,7 +4,7 @@ - INCLUDES = @nspr_inc@ @nss_inc@ - LIBS = @nspr_lib@ @nss_lib@ -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lplc4 -lplds4 -lnspr4 - --libnss_compat_ossl_la_SOURCES = ssl.c log.c rand.c -+libnss_compat_ossl_la_SOURCES = ssl.c algo.c log.c rand.c - - pkginclude_HEADERS = nss_compat_ossl.h - -Index: src/algo.c -=================================================================== -RCS file: src/algo.c -diff -N src/algo.c ---- /dev/null 1 Jan 1970 00:00:00 -0000 -+++ src/algo.c 26 Aug 2007 23:22:35 -0000 -@@ -0,0 +1,101 @@ -+/* -+ * Copyright (C) 2007 Red Hat, Inc. -+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2.1 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -+*/ -+ -+#include -+ -+#include "nss_compat_ossl.h" -+ -+/* FIXME: is some error handling possible? */ -+ -+ -+void DES_set_odd_parity(DES_cblock *key) -+{ -+ size_t i; -+ -+ for (i = 0; i < sizeof (*key)/sizeof (**key); i++) { -+ unsigned char val, b; -+ -+ val = (*key)[i]; -+ b = val; -+ b ^= (b >> 4); /* (b & 0x0F) == (b & 0x0F) ^ ((b & 0xF0) >> 4) */ -+ b ^= (b >> 2); /* Likewise ... */ -+ b ^= (b >> 1); /* (b & 0x01) == XOR (bits of b) */ -+ if ((b & 0x01) == 0) -+ (*key)[i] = val ^ 0x01; -+ } -+} -+ -+void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule) -+{ -+ assert (sizeof (schedule->key) == sizeof (*key)); -+ memcpy (schedule->key, *key, sizeof (schedule->key)); -+} -+ -+void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output, -+ DES_key_schedule *ks, int enc) -+{ -+ static const CK_MECHANISM_TYPE mechanism = CKM_DES_ECB; -+ -+ PK11SlotInfo *slot; -+ PK11Origin origin; -+ PK11SymKey *sym_key; -+ PK11Context *ctx; -+ SECItem key_item; -+ int out_len1; -+ unsigned out_len2; -+ /* FIXME: input and output may overlap */ -+ -+ slot = PK11_GetBestSlot(mechanism, NULL); -+ if (slot == NULL) -+ abort(); -+ origin = enc != DES_DECRYPT ? CKA_ENCRYPT : CKA_DECRYPT, -+ key_item.data = ks->key; -+ key_item.len = sizeof (ks->key); -+ sym_key = PK11_ImportSymKey(slot, mechanism, PK11_OriginUnwrap, origin, -+ &key_item, NULL); -+ ctx = PK11_CreateContextBySymKey(mechanism, origin, sym_key, NULL); -+ (void)PK11_CipherOp(ctx, *output, &out_len1, sizeof (*output), *input, -+ sizeof (*input)); -+ (void)PK11_DigestFinal(ctx, *output + out_len1, &out_len2, -+ sizeof (*output) - out_len1); -+ assert (out_len1 + out_len2 == sizeof (*output)); -+ PK11_DestroyContext(ctx, PR_TRUE); -+ PK11_FreeSymKey(sym_key); -+ PK11_FreeSlot(slot); -+} -+ -+ -+void MD4_Init(MD4_CTX *c) -+{ -+ *c = PK11_CreateDigestContext(SEC_OID_MD4); -+ (void)PK11_DigestBegin(*c); -+} -+ -+void MD4_Update(MD4_CTX *c, const void *data, size_t len) -+{ -+ (void)PK11_DigestOp(*c, data, len); -+} -+ -+void MD4_Final(unsigned char *md, MD4_CTX *c) -+{ -+ unsigned len; -+ -+ (void)PK11_DigestFinal(*c, md, &len, 16); -+ assert (len == 16); -+ PK11_DestroyContext(*c, PR_TRUE); -+} -Index: src/nss_compat_ossl.h -=================================================================== -RCS file: /cvs/dirsec/nss_compat_ossl/src/nss_compat_ossl.h,v -retrieving revision 1.4 -diff -u -r1.4 nss_compat_ossl.h ---- src/nss_compat_ossl.h 11 May 2007 21:25:00 -0000 1.4 -+++ src/nss_compat_ossl.h 26 Aug 2007 23:22:35 -0000 -@@ -44,6 +44,8 @@ - #define NO_RSA 1 /* FIXME: ? */ - #define USE_NSS 1 /* FIXME: autoconf? */ - -+#define PEM_BUFSIZE 1024 -+ - /* FIXME: need to map from SSL -> SSL_CTX */ - #define OSSL_SSL2CTX(x) ((SSL_CTX *)NULL) - #define OSSL_X509_STORE_CTX2CERT(x) NULL -@@ -167,7 +169,14 @@ - #define X509_OBJECT SECItem - #define X509_LOOKUP SECItem - #define X509_LOOKUP_METHOD SECItem --#define X509_STORE_CTX CERTCertificate -+ -+typedef struct -+{ -+ X509 *current_cert; -+ SSL *ssl__; -+ int error; -+} X509_STORE_CTX; -+ - #define X509_STORE SECItem - #define X509_NAME CERTName - #define X509_REVOKED SECItem -@@ -304,6 +313,7 @@ - long SSL_CTX_set_mode(SSL_CTX *ctx, long mode); - void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb); - void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u); -+int PEM_def_callback(char *buf, int num, int w, void *key); - - /* SSL context statistics */ - -@@ -367,6 +377,7 @@ - SSL_METHOD *SSLv3_client_method(void); - SSL_METHOD *SSLv23_client_method(void); - SSL_METHOD *TLSv1_client_method(void); -+SSL_METHOD *SSLv2_server_method(void); - SSL_METHOD *SSLv23_server_method(void); - SSL_METHOD *SSLv3_server_method(void); - SSL_METHOD *TLSv1_server_method(void); -@@ -392,6 +403,8 @@ - #define X509_L_FILE_LOAD 1 - #define X509_L_ADD_DIR 2 - -+#define X509_LU_X509 1 -+ - X509 *d2i_X509(void *reserved, unsigned char **data, int len); - X509_NAME *X509_get_issuer_name(X509 *x); - X509_NAME *X509_get_subject_name(X509 *x); -@@ -412,6 +425,10 @@ - X509_LOOKUP_ctrl((x),X509_L_ADD_DIR,(name),(long)(type),NULL) - - X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx); -+int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, -+ X509_OBJECT *ret); -+int SSL_get_ex_data_X509_STORE_CTX_idx(void); -+void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx); - - /* Other */ - -@@ -489,12 +506,11 @@ - const char *SSL_alert_type_string_long(int value); - const char *SSL_alert_desc_string_long(int value); - --#if 0 - const char *SSL_state_string_long(const SSL *s); --#endif - - void CRYPTO_set_id_callback(unsigned long (*func)(void)); --void CRYPTO_set_locking_callback(void (*func)(int mode,int type, int line)); -+void CRYPTO_set_locking_callback(void (*func)(int mode,int type, -+ const char *file, int line)); - - /* RNG */ - -@@ -510,6 +526,24 @@ - - const char *nss_error(int error); - -+/* Encryption functions */ -+#define DES_DECRYPT 0 -+#define DES_ENCRYPT 1 -+typedef unsigned char DES_cblock[8], const_DES_cblock[8]; -+typedef struct { DES_cblock key; } DES_key_schedule; -+ -+void DES_set_odd_parity(DES_cblock *key); -+void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule); -+void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output, -+ DES_key_schedule *ks, int enc); -+ -+/* Hash functions */ -+typedef PK11Context *MD4_CTX; -+ -+void MD4_Init(MD4_CTX *c); -+void MD4_Update(MD4_CTX *c, const void *data, size_t len); -+void MD4_Final(unsigned char *md, MD4_CTX *c); -+ - /* ASN1 funcs */ - unsigned char * ASN1_STRING_data(ASN1_STRING *x); - int ASN1_STRING_type(ASN1_STRING *x); -Index: src/rand.c -=================================================================== -RCS file: /cvs/dirsec/nss_compat_ossl/src/rand.c,v -retrieving revision 1.2 -diff -u -r1.2 rand.c ---- src/rand.c 23 Apr 2007 18:00:35 -0000 1.2 -+++ src/rand.c 26 Aug 2007 23:22:35 -0000 -@@ -78,27 +78,17 @@ - - int RAND_write_file(const char *file) - { -- char buf[RAND_WRITE_BYTES]; -+ unsigned char buf[RAND_WRITE_BYTES]; - int total = 0; -- int size; - FILE *fp; - - if ((fp = fopen(file, "wb")) != NULL) { -- while (total < RAND_WRITE_BYTES) { -- /* PR_GetRandomNoise is not guaranteed to return the number of -- * requested bytes so we'll keep trying */ -- size = PR_GetRandomNoise(buf, RAND_WRITE_BYTES - total); -- if (size == 0 && total == 0) { -- /* PR_GetRandomNoise not implemented */ -- fclose(fp); -- return 0; -- } -- fwrite(buf, 1, size, fp); -- total += size; -- } -+ if (PK11_GenerateRandom(buf, sizeof (buf)) == SECSuccess) { -+ total = sizeof (buf); -+ fwrite(buf, 1, total, fp); -+ } -+ fclose(fp); - } -- fclose(fp); -- - return total; - } - -Index: src/ssl.c -=================================================================== -RCS file: /cvs/dirsec/nss_compat_ossl/src/ssl.c,v -retrieving revision 1.12 -diff -u -r1.12 ssl.c ---- src/ssl.c 29 May 2007 22:00:19 -0000 1.12 -+++ src/ssl.c 26 Aug 2007 23:22:35 -0000 -@@ -429,9 +429,14 @@ - * use it. Otherwise fall back to the one provided by NSS. - */ - if (ossl->verify_cb != NULL) { -+ X509_STORE_CTX ctx; -+ - verify_callback = ossl->verify_cb; - -- rv = verify_callback((status == SECSuccess) ? 1 : 0, (X509_STORE_CTX *)ssl); -+ ctx.current_cert = SSL_get_peer_certificate(ssl); -+ ctx.error = PORT_GetError(); -+ rv = verify_callback((status == SECSuccess) ? 1 : 0, &ctx); -+ X509_free(ctx.current_cert); - - if (rv == 1) { - ossl->verify_result = X509_V_OK; -@@ -1492,6 +1497,11 @@ - return create_context(PR_FALSE, PR_FALSE, PR_TRUE, PR_FALSE); - } - -+SSL_METHOD *SSLv2_server_method(void) -+{ -+ return create_context(PR_TRUE, PR_FALSE, PR_FALSE, PR_TRUE); -+} -+ - SSL_METHOD *SSLv23_server_method(void) - { - return create_context(PR_TRUE, PR_TRUE, PR_FALSE, PR_TRUE); -@@ -1890,6 +1900,9 @@ - if (ssl) - cert = SSL_PeerCertificate(ssl); - -+ if (cert == NULL) -+ return NULL; -+ - x = (X509 *)malloc(sizeof(X509)); - - x->cert = cert; -@@ -2146,8 +2159,8 @@ - - value = CERT_NameToAscii(x); - -- if (len) -- s = PL_strncpyz(s, value, len); -+ if (s) -+ s = PL_strncpyz(s, value, len); - else - s = PORT_ArenaStrdup(x->arena, value); - -@@ -2815,7 +2828,7 @@ - const char *SSL_state_string_long(const SSL *s) - { - /* We have no visibility into the current NSS handshake state */ -- return (NULL); -+ return "Unknown"; - } - - void SSL_CTX_set_info_callback(SSL_CTX *ctx, void(*cb)()) -@@ -2860,6 +2873,13 @@ - return; - } - -+/* SSL_CTX_set_default_passwd_cb* is ignored */ -+int PEM_def_callback(char *buf, int num, int w, void *key) -+{ -+ *buf = 0; -+ return 0; -+} -+ - long SSL_session_reused(SSL *s) - { - return 0; -@@ -2867,19 +2887,59 @@ - - X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) - { -- X509 * x; -- -- /* Is it really the peer cert we want? Docs are slim on this */ -- x = SSL_get_peer_certificate((SSL *)ctx); -+ return ctx->current_cert; -+} - -- return x; -+#define X509_STORE_CTX_EX_DATA_SSL_IDX 42 -+int SSL_get_ex_data_X509_STORE_CTX_idx(void) -+{ -+ return X509_STORE_CTX_EX_DATA_SSL_IDX; - } - -+void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) -+{ -+ if (idx == X509_STORE_CTX_EX_DATA_SSL_IDX) -+ return ctx->ssl__; -+ return NULL; -+} -+ -+ -+int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, -+ X509_OBJECT *ret) -+{ -+ PRArenaPool *arena; -+ CERTCertificate * cert; -+ SECItem *subject; -+ -+ (void)vs; -+ if (type != X509_LU_X509) -+ return 0; -+ -+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); -+ if (arena == NULL) -+ return 0; -+ subject = SEC_ASN1EncodeItem(arena, NULL, name, CERT_NameTemplate); -+ cert = NULL; -+ if (subject != NULL) -+ cert = CERT_FindCertByName(CERT_GetDefaultCertDB(), subject); -+ PORT_FreeArena(arena, PR_FALSE); -+ if (cert == NULL) -+ return 0; -+ /* FIXME: a more useful representation of the certificate, e.g. one that -+ does not leak? */ -+ ret->type = siBuffer; -+ ret->data = (unsigned char *)cert; -+ ret->len = sizeof (*cert); -+ return 1; -+} -+ -+ - void CRYPTO_set_id_callback(unsigned long (*func)(void)) - { - } - --void CRYPTO_set_locking_callback(void (*func)(int mode,int type, int line)) -+void CRYPTO_set_locking_callback(void (*func)(int mode,int type, -+ const char *file, int line)) - { - } - diff --git a/sources b/sources index 2e5d307..18e24ec 100644 --- a/sources +++ b/sources @@ -1,3 +1,2 @@ cf9940395d3503018f721c962528d2ec stunnel-4.20.tar.gz ad7cb2c30d0e073ea9d75354b76c5aee stunnel-4.20.tar.gz.asc -765c1426fc61b5c67c17fca0a87405cb nss_compat_ossl-0.9.1.tar.gz diff --git a/stunnel-4.20-nss.patch b/stunnel-4.20-nss.patch deleted file mode 100644 index 6970c89..0000000 --- a/stunnel-4.20-nss.patch +++ /dev/null @@ -1,909 +0,0 @@ ---- stunnel-4.20/doc/stunnel.8.nss 2007-08-28 16:29:18.000000000 +0200 -+++ stunnel-4.20/doc/stunnel.8 2007-08-28 16:42:23.000000000 +0200 -@@ -156,6 +156,16 @@ changes to the source code. - .PP - This product includes cryptographic software written by - Eric Young (eay@cryptsoft.com) -+ -+.SH NOTE -+This version of stunnel was modified to use NSS. -+Some options that configured in stunnel are now configured in the NSS database. -+Please see -+.B README.NSS -+in the package documentation for more information. -+Please report bugs at \fBbugzilla.redhat.com\fR, -+not at the upstream bug tracking system. -+ - .SH "OPTIONS" - .IX Header "OPTIONS" - .IP "<\fBfilename\fR>" 4 -@@ -212,11 +222,6 @@ to the directory specified with \fBchroo - To have libwrap (\s-1TCP\s0 Wrappers) control effective in a chrooted environment - you also have to copy its configuration files (/etc/hosts.allow and - /etc/hosts.deny) there. --.IP "\fBcompression\fR = zlib | rle" 4 --.IX Item "compression = zlib | rle" --select data compression algorithm --.Sp --default: no compression - .IP "\fBdebug\fR = [facility.]level" 4 - .IX Item "debug = [facility.]level" - debugging level -@@ -231,25 +236,6 @@ The syslog facility 'authpriv' will be u - (Facilities are not supported on Win32.) - .Sp - Case is ignored for both facilities and levels. --.IP "\fB\s-1EGD\s0\fR = egd path (Unix only)" 4 --.IX Item "EGD = egd path (Unix only)" --path to Entropy Gathering Daemon socket --.Sp --Entropy Gathering Daemon socket to use to feed OpenSSL random number --generator. (Available only if compiled with OpenSSL 0.9.5a or higher) --.IP "\fBengine\fR = auto | " 4 --.IX Item "engine = auto | " --select hardware engine --.Sp --default: software-only cryptography --.Sp --There's an example in '\s-1EXAMPLES\s0' section. --.IP "\fBengineCtrl\fR = command[:parameter]" 4 --.IX Item "engineCtrl = command[:parameter]" --control hardware engine --.Sp --Special commands \*(L"\s-1LOAD\s0\*(R" and \*(L"\s-1INIT\s0\*(R" can be used to load and initialize the --engine cryptogaphic module. - .IP "\fBforeground\fR = yes | no (Unix only)" 4 - .IX Item "foreground = yes | no (Unix only)" - foreground mode -@@ -351,26 +337,18 @@ If no host specified, defaults to all \s - .IX Item "CApath = directory" - Certificate Authority directory - .Sp --This is the directory in which \fBstunnel\fR will look for certificates when using --the \fIverify\fR. Note that the certificates in this directory should be named --\&\s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1DER\s0 encoded subject of the --cert (the first 4 bytes of the \s-1MD5\s0 hash in least significant byte order). --.Sp --\&\fICApath\fR path is relative to \fIchroot\fR directory if specified. --.IP "\fBCAfile\fR = certfile" 4 --.IX Item "CAfile = certfile" --Certificate Authority file --.Sp --This file contains multiple \s-1CA\s0 certificates, used with the \fIverify\fR. --.IP "\fBcert\fR = pemfile" 4 --.IX Item "cert = pemfile" --certificate chain \s-1PEM\s0 file name --.Sp --A \s-1PEM\s0 is always needed in server mode. --Specifying this flag in client mode will use this certificate chain --as a client side certificate chain. Using client side certs is optional. --The certificates must be in \s-1PEM\s0 format and must be sorted starting with the --certificate to the highest level (root \s-1CA\s0). -+This option is currently ignored. -+Store CA certificates in the NSS database instead. -+.IP "\fBCAfile\fR = certnick" 4 -+.IX Item "CAfile = certnick" -+Certificate Authority certificate nickname. -+Store CA certificates in the NSS database instead. -+.IX Item "cert = certnick" -+certificate nickname in the NSS database -+.Sp -+A certificate is always needed in server mode. -+Specifying this flag in client mode will use this certificate -+as a client side certificate. Using client side certs is optional. - .IP "\fBciphers\fR = cipherlist" 4 - .IX Item "ciphers = cipherlist" - Select permitted \s-1SSL\s0 ciphers -@@ -387,28 +365,9 @@ default: no (server mode) - connect to remote host:port - .Sp - If no host specified, defaults to localhost. --.IP "\fBCRLpath\fR = directory" 4 --.IX Item "CRLpath = directory" --Certificate Revocation Lists directory --.Sp --This is the directory in which \fBstunnel\fR will look for CRLs when --using the \fIverify\fR. Note that the CRLs in this directory should --be named \s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1CRL\s0. --.Sp --\&\fICRLpath\fR path is relative to \fIchroot\fR directory if specified. --.IP "\fBCRLfile\fR = certfile" 4 --.IX Item "CRLfile = certfile" --Certificate Revocation Lists file --.Sp --This file contains multiple CRLs, used with the \fIverify\fR. - .IP "\fBdelay\fR = yes | no" 4 - .IX Item "delay = yes | no" - delay \s-1DNS\s0 lookup for 'connect' option --.IP "\fBengineNum\fR = engine number" 4 --.IX Item "engineNum = engine number" --select engine number to read private key --.Sp --The engines are numbered starting from 1. - .IP "\fBexec\fR = executable_path (Unix only)" 4 - .IX Item "exec = executable_path (Unix only)" - execute local inetd-type program -@@ -426,51 +385,18 @@ Arguments are separated with arbitrary n - use \s-1IDENT\s0 (\s-1RFC\s0 1413) username checking - .IP "\fBkey\fR = keyfile" 4 - .IX Item "key = keyfile" --private key for certificate specified with \fIcert\fR option --.Sp --Private key is needed to authenticate certificate owner. --Since this file should be kept secret it should only be readable --to its owner. On Unix systems you can use the following command: --.Sp --.Vb 1 --\& chmod 600 keyfile --.Ve --.Sp --default: value of \fIcert\fR option -+private key for certificate specified with \fIcert\fR option. -+This option is currently ignored. -+Store private keys in the NSS database instead. - .IP "\fBlocal\fR = host" 4 - .IX Item "local = host" - \&\s-1IP\s0 of the outgoing interface is used as source for remote connections. - Use this option to bind a static local \s-1IP\s0 address, instead. --.IP "\fB\s-1OCSP\s0\fR = url" 4 --.IX Item "OCSP = url" --select \s-1OCSP\s0 server for certificate verification --.IP "\fBOCSPflag\fR = flag" 4 --.IX Item "OCSPflag = flag" --specify \s-1OCSP\s0 server flag --.Sp --Several \fIOCSPflag\fR can be used to specify multiple flags. --.Sp --currently supported flags: \s-1NOCERTS\s0, \s-1NOINTERN\s0 \s-1NOSIGS\s0, \s-1NOCHAIN\s0, \s-1NOVERIFY\s0, --\&\s-1NOEXPLICIT\s0, \s-1NOCASIGN\s0, \s-1NODELEGATED\s0, \s-1NOCHECKS\s0, \s-1TRUSTOTHER\s0, \s-1RESPID_KEY\s0, \s-1NOTIME\s0 --.IP "\fBoptions\fR = SSL_options" 4 --.IX Item "options = SSL_options" --OpenSSL library options --.Sp --The parameter is the OpenSSL option name as described in the --\&\fI\fISSL_CTX_set_options\fI\|(3ssl)\fR manual, but without \fI\s-1SSL_OP_\s0\fR prefix. --Several \fIoptions\fR can be used to specify multiple options. --.Sp --For example for compatibility with erroneous Eudora \s-1SSL\s0 implementation --the following option can be used: --.Sp --.Vb 1 --\& options = DONT_INSERT_EMPTY_FRAGMENTS --.Ve - .IP "\fBprotocol\fR = proto" 4 - .IX Item "protocol = proto" - application protocol to negotiate \s-1SSL\s0 - .Sp --currently supported: cifs, connect, imap, nntp, pop3, smtp -+currently supported: cifs, imap, nntp, pop3, smtp - .IP "\fBprotocolAuthentication\fR = auth_type" 4 - .IX Item "protocolAuthentication = auth_type" - authentication type for protocol negotiations ---- stunnel-4.20/configure.ac.nss 2006-11-11 15:58:01.000000000 +0100 -+++ stunnel-4.20/configure.ac 2007-08-28 16:06:24.000000000 +0200 -@@ -48,12 +48,24 @@ AC_MSG_NOTICE([************************* - AC_CHECK_FILE("/dev/ptmx", AC_DEFINE(HAVE_DEV_PTMX)) - AC_CHECK_FILE("/dev/ptc", AC_DEFINE(HAVE_DEV_PTS_AND_PTC)) - -+# Crypto implementation -+AC_ARG_WITH([nss], -+ [ --with-nss Use nss_compat_ossl instead of OpenSSL], -+ [], [with_nss=no]) -+if test "x$with_nss" != xno -+then AC_DEFINE([WITH_NSS], [1], [Define to 1 if you are using nss_compat_ossl]) -+ PKG_CHECK_MODULES([NSS], [nss]) -+ LIBS="$LIBS -lnss_compat_ossl" -+fi -+ - AC_MSG_NOTICE([**************************************** entropy]) - --AC_ARG_WITH(egd-socket, -- [ --with-egd-socket=FILE Entropy Gathering Daemon socket pathname], -- [EGD_SOCKET="$withval"] --) -+if test "x$with_nss" = xno -+then AC_ARG_WITH(egd-socket, -+ [ --with-egd-socket=FILE Entropy Gathering Daemon socket pathname], -+ [EGD_SOCKET="$withval"] -+ ) -+fi - if test -n "$EGD_SOCKET" - then AC_DEFINE_UNQUOTED(EGD_SOCKET, "$EGD_SOCKET") - fi -@@ -227,69 +239,79 @@ checkssldir() { : - return 1 - } - --# Check for SSL directory --AC_MSG_CHECKING([for SSL directory]) --AC_ARG_WITH(ssl, --[ --with-ssl=DIR location of installed SSL libraries/include files], -- [ -- # Check the specified localtion only -- checkssldir "$withval" -- ], -- [ -- # Search default localtions of SSL library -- for maindir in /usr/local /usr/lib /usr/pkg /usr /var/ssl /opt; do -- for dir in $maindir $maindir/openssl $maindir/ssl; do -- checkssldir $dir && break 2 -- done -- done -- ] --) --if test -z "$ssldir" --then AC_MSG_RESULT([Not found]) -- echo -- echo "Couldn't find your SSL library installation dir" -- echo "Use --with-ssl option to fix this problem" -- echo -- exit 1 --fi --AC_MSG_RESULT([$ssldir]) --AC_SUBST(ssldir) --AC_DEFINE_UNQUOTED(ssldir, "$ssldir") -- --# Add SSL includes and libraries --CFLAGS="$CFLAGS -I$ssldir/include" --LIBS="$LIBS -L$ssldir/lib -lssl -lcrypto" -- --# Check for obsolete RSAref library --AC_MSG_CHECKING([for obsolete RSAref library]) --saved_LIBS="$LIBS" --LIBS="$saved_LIBS -lRSAglue -L$prefix/lib -lrsaref" --AC_LINK_IFELSE( -- [AC_LANG_PROGRAM([[]], [[]])], -- [AC_MSG_RESULT([yes])], -- [AC_MSG_RESULT([no]); LIBS="$saved_LIBS"] --) -+if test "x$with_nss" = "xno" -+then -+ # Check for SSL directory -+ AC_MSG_CHECKING([for SSL directory]) -+ AC_ARG_WITH(ssl, -+ [ --with-ssl=DIR location of installed SSL libraries/include files], -+ [ -+ # Check the specified localtion only -+ checkssldir "$withval" -+ ], -+ [ -+ # Search default localtions of SSL library -+ for maindir in /usr/local /usr/lib /usr/pkg /usr /var/ssl /opt; do -+ for dir in $maindir $maindir/openssl $maindir/ssl; do -+ checkssldir $dir && break 2 -+ done -+ done -+ ] -+ ) -+ if test -z "$ssldir" -+ then AC_MSG_RESULT([Not found]) -+ echo -+ echo "Couldn't find your SSL library installation dir" -+ echo "Use --with-ssl option to fix this problem" -+ echo -+ exit 1 -+ fi -+ AC_MSG_RESULT([$ssldir]) -+ AC_SUBST(ssldir) -+ AC_DEFINE_UNQUOTED(ssldir, "$ssldir") -+ -+ # Add SSL includes and libraries -+ CFLAGS="$CFLAGS -I$ssldir/include" -+ LIBS="$LIBS -L$ssldir/lib -lssl -lcrypto" - --AC_CHECK_HEADER([$ssldir/include/openssl/engine.h], -- [AC_DEFINE([HAVE_OSSL_ENGINE_H])], -- [AC_MSG_WARN([Openssl engine header not found])]) -+ # Check for obsolete RSAref library -+ AC_MSG_CHECKING([for obsolete RSAref library]) -+ saved_LIBS="$LIBS" -+ LIBS="$saved_LIBS -lRSAglue -L$prefix/lib -lrsaref" -+ AC_LINK_IFELSE( -+ [AC_LANG_PROGRAM([[]], [[]])], -+ [AC_MSG_RESULT([yes])], -+ [AC_MSG_RESULT([no]); LIBS="$saved_LIBS"] -+ ) -+ -+ AC_CHECK_HEADER([$ssldir/include/openssl/engine.h], -+ [AC_DEFINE([HAVE_OSSL_ENGINE_H])], -+ [AC_MSG_WARN([Openssl engine header not found])]) -+fi - - AC_MSG_NOTICE([**************************************** optional features]) - # Use RSA? --AC_MSG_CHECKING([whether to disable RSA support]) --AC_ARG_ENABLE(rsa, --[ --disable-rsa Disable RSA support], -- [AC_MSG_RESULT([yes]); AC_DEFINE(NO_RSA)], -- [AC_MSG_RESULT([no])] --) -+if test "x$with_nss" != xno -+then AC_DEFINE([NO_RSA]) -+else -+ AC_MSG_CHECKING([whether to disable RSA support]) -+ AC_ARG_ENABLE(rsa, -+ [ --disable-rsa Disable RSA support], -+ [AC_MSG_RESULT([yes]); AC_DEFINE(NO_RSA)], -+ [AC_MSG_RESULT([no])] -+ ) -+fi - - # Use DH? --AC_MSG_CHECKING([whether to enable DH support]) --AC_ARG_ENABLE(dh, --[ --enable-dh Enable DH support], -- [AC_MSG_RESULT([yes]); USE_DH=1; AC_DEFINE(USE_DH)], -- [AC_MSG_RESULT([no])] --) -+if test "x$with_nss" = xno -+then -+ AC_MSG_CHECKING([whether to enable DH support]) -+ AC_ARG_ENABLE(dh, -+ [ --enable-dh Enable DH support], -+ [AC_MSG_RESULT([yes]); USE_DH=1; AC_DEFINE(USE_DH)], -+ [AC_MSG_RESULT([no])] -+ ) -+fi - AC_SUBST(USE_DH) - - # Use IPv6? ---- stunnel-4.20/src/options.c.nss 2007-08-28 16:06:24.000000000 +0200 -+++ stunnel-4.20/src/options.c 2007-08-28 16:06:24.000000000 +0200 -@@ -51,12 +51,16 @@ static char **argalloc(char *); - #endif - - static int parse_debug_level(char *); -+#ifndef WITH_NSS - static int parse_ssl_option(char *); -+#endif - static int print_socket_options(void); - static void print_option(char *, int, OPT_UNION *); - static int parse_socket_option(char *); -+#if !defined(WITH_NSS) && SSLEAY_VERSION_NUMBER >= 0x00907000L - static char *parse_ocsp_url(LOCAL_OPTIONS *, char *); - static unsigned long parse_ocsp_flag(char *); -+#endif /* !WITH_NSS && OpenSSL-0.9.7 */ - - GLOBAL_OPTIONS options; - LOCAL_OPTIONS local_options; -@@ -72,8 +76,6 @@ static char *option_not_found= - "Specified option name is not valid here"; - - static char *global_options(CMD cmd, char *opt, char *arg) { -- char *tmpstr; -- - if(cmd==CMD_DEFAULT || cmd==CMD_HELP) { - log_raw("Global options"); - } -@@ -98,6 +100,7 @@ static char *global_options(CMD cmd, cha - #endif /* HAVE_CHROOT */ - - /* compression */ -+#ifndef WITH_NSS - switch(cmd) { - case CMD_INIT: - options.compression=COMP_NONE; -@@ -119,6 +122,7 @@ static char *global_options(CMD cmd, cha - "compression"); - break; - } -+#endif - - /* debug */ - switch(cmd) { -@@ -147,7 +151,7 @@ static char *global_options(CMD cmd, cha - } - - /* EGD is only supported when compiled with OpenSSL 0.9.5a or later */ --#if SSLEAY_VERSION_NUMBER >= 0x0090581fL -+#if !defined(WITH_NSS) && SSLEAY_VERSION_NUMBER >= 0x0090581fL - switch(cmd) { - case CMD_INIT: - options.egd_sock=NULL; -@@ -166,7 +170,7 @@ static char *global_options(CMD cmd, cha - log_raw("%-15s = path to Entropy Gathering Daemon socket", "EGD"); - break; - } --#endif /* OpenSSL 0.9.5a */ -+#endif /* !WITH_NSS && OpenSSL 0.9.5a */ - - #ifdef HAVE_OSSL_ENGINE_H - /* engine */ -@@ -188,6 +192,8 @@ static char *global_options(CMD cmd, cha - - /* engineCtrl */ - switch(cmd) { -+ char *tmpstr; -+ - case CMD_INIT: - break; - case CMD_EXEC: -@@ -449,8 +455,6 @@ static char *global_options(CMD cmd, cha - - static char *service_options(CMD cmd, LOCAL_OPTIONS *section, - char *opt, char *arg) { -- int tmpnum; -- - if(cmd==CMD_DEFAULT || cmd==CMD_HELP) { - log_raw(" "); - log_raw("Service-level options"); -@@ -624,6 +628,7 @@ static char *service_options(CMD cmd, LO - break; - } - -+#ifndef WITH_NSS - /* CRLpath */ - switch(cmd) { - case CMD_INIT: -@@ -663,6 +668,7 @@ static char *service_options(CMD cmd, LO - log_raw("%-15s = CRL file", "CRLfile"); - break; - } -+#endif - - /* delay */ - switch(cmd) { -@@ -805,7 +811,7 @@ static char *service_options(CMD cmd, LO - break; - } - --#if SSLEAY_VERSION_NUMBER >= 0x00907000L -+#if !defined(WITH_NSS) && SSLEAY_VERSION_NUMBER >= 0x00907000L - /* OCSP */ - switch(cmd) { - case CMD_INIT: -@@ -830,7 +836,9 @@ static char *service_options(CMD cmd, LO - case CMD_INIT: - section->ocsp_flags=0; - break; -- case CMD_EXEC: -+ case CMD_EXEC: { -+ int tmpnum; -+ - if(strcasecmp(opt, "OCSPflag")) - break; - tmpnum=parse_ocsp_flag(arg); -@@ -838,20 +846,24 @@ static char *service_options(CMD cmd, LO - return "Illegal OCSP flag"; - section->ocsp_flags|=tmpnum; - return NULL; -+ } - case CMD_DEFAULT: - break; - case CMD_HELP: - log_raw("%-15s = OCSP server flags", "OCSPflag"); - break; - } --#endif /* OpenSSL-0.9.7 */ -+#endif /* !WITH_NSS && OpenSSL-0.9.7 */ - - /* options */ -+#ifndef WITH_NSS - switch(cmd) { - case CMD_INIT: - section->ssl_options=0; - break; -- case CMD_EXEC: -+ case CMD_EXEC: { -+ int tmpnum; -+ - if(strcasecmp(opt, "options")) - break; - tmpnum=parse_ssl_option(arg); -@@ -859,6 +871,7 @@ static char *service_options(CMD cmd, LO - return "Illegal SSL option"; - section->ssl_options|=tmpnum; - return NULL; /* OK */ -+ } - case CMD_DEFAULT: - break; - case CMD_HELP: -@@ -866,6 +879,7 @@ static char *service_options(CMD cmd, LO - log_raw("%18sset an SSL option", ""); - break; - } -+#endif - - /* protocol */ - switch(cmd) { -@@ -1537,6 +1551,7 @@ static int parse_debug_level(char *arg) - return 1; /* OK */ - } - -+#ifndef WITH_NSS - /* Parse out SSL options stuff */ - - static int parse_ssl_option(char *arg) { -@@ -1580,6 +1595,7 @@ static int parse_ssl_option(char *arg) { - return option->value; - return 0; /* FAILED */ - } -+#endif /* !WITH_NSS */ - - /* Parse out the socket options stuff */ - -@@ -1757,6 +1773,8 @@ static int parse_socket_option(char *arg - return 0; /* FAILED */ - } - -+ -+#if !defined(WITH_NSS) && SSLEAY_VERSION_NUMBER >= 0x00907000L - /* Parse out OCSP URL */ - - static char *parse_ocsp_url(LOCAL_OPTIONS *section, char *arg) { -@@ -1807,5 +1825,6 @@ static unsigned long parse_ocsp_flag(cha - return option->value; - return 0; /* FAILED */ - } -+#endif /* !WITH_NSS && OpenSSL-0.9.7 */ - - /* End of options.c */ ---- stunnel-4.20/src/ssl.c.nss 2006-11-05 14:04:58.000000000 +0100 -+++ stunnel-4.20/src/ssl.c 2007-08-28 16:06:24.000000000 +0200 -@@ -32,7 +32,9 @@ - #include "prototypes.h" - - /* Global OpenSSL initalization: compression, engine, entropy */ -+#ifndef WITH_NSS - static void init_compression(void); -+#endif - static int init_prng(void); - static int prng_seeded(int); - static int add_rand_file(char *); -@@ -55,12 +57,15 @@ void ssl_init(void) { /* init SSL before - } - - void ssl_configure(void) { /* configure global SSL settings */ -+#ifndef WITH_NSS - if(options.compression!=COMP_NONE) - init_compression(); -+#endif - if(!init_prng()) - s_log(LOG_DEBUG, "PRNG seeded successfully"); - } - -+#ifndef WITH_NSS - static void init_compression(void) { - int id=0; - COMP_METHOD *cm=NULL; -@@ -91,6 +96,7 @@ static void init_compression(void) { - } - s_log(LOG_INFO, "Compression enabled using %s method", name); - } -+#endif - - static int init_prng(void) { - int totbytes=0; -@@ -133,7 +139,7 @@ static int init_prng(void) { - s_log(LOG_DEBUG, "RAND_screen failed to sufficiently seed PRNG"); - #else - --#if SSLEAY_VERSION_NUMBER>=0x0090581fL -+#if !defined(WITH_NSS) && SSLEAY_VERSION_NUMBER>=0x0090581fL - if(options.egd_sock) { - if((bytes=RAND_egd(options.egd_sock))==-1) { - s_log(LOG_WARNING, "EGD Socket %s failed", options.egd_sock); -@@ -157,7 +163,7 @@ static int init_prng(void) { - } - #endif /* EGD_SOCKET */ - --#endif /* OpenSSL-0.9.5a */ -+#endif /* !WITH_NSS && OpenSSL-0.9.5a */ - #endif /* USE_WIN32 */ - - /* Try the good-old default /dev/urandom, if available */ ---- stunnel-4.20/src/ctx.c.nss 2006-11-15 19:54:18.000000000 +0100 -+++ stunnel-4.20/src/ctx.c 2007-08-28 16:18:51.000000000 +0200 -@@ -68,15 +68,16 @@ static void sslerror_stack(void); - /**************************************** initialize section->ctx */ - - void context_init(LOCAL_OPTIONS *section) { /* init SSL context */ -- struct stat st; /* buffer for stat */ -- - /* check if certificate exists */ - if(!section->key) /* key file not specified */ - section->key=section->cert; -+#ifndef WITH_NSS - #ifdef HAVE_OSSL_ENGINE_H - if(!section->engine) - #endif - if(section->option.cert) { -+ struct stat st; /* buffer for stat */ -+ - if(stat(section->key, &st)) { - ioerror(section->key); - exit(1); -@@ -86,6 +87,7 @@ void context_init(LOCAL_OPTIONS *section - s_log(LOG_WARNING, "Wrong permissions on %s", section->key); - #endif /* defined USE_WIN32 */ - } -+#endif /* !WITH_NSS */ - /* create SSL context */ - if(section->option.client) { - section->ctx=SSL_CTX_new(section->client_method()); -@@ -99,12 +101,14 @@ void context_init(LOCAL_OPTIONS *section - s_log(LOG_WARNING, "Diffie-Hellman initialization failed"); - #endif /* USE_DH */ - } -+#ifndef WITH_NSS - if(section->ssl_options) { - s_log(LOG_DEBUG, "Configuration SSL options: 0x%08lX", - section->ssl_options); - s_log(LOG_DEBUG, "SSL options set: 0x%08lX", - SSL_CTX_set_options(section->ctx, section->ssl_options)); - } -+#endif - if(section->cipher_list) { - if (!SSL_CTX_set_cipher_list(section->ctx, section->cipher_list)) { - sslerror("SSL_CTX_set_cipher_list"); -@@ -366,8 +370,13 @@ static void info_callback(SSL *s, int wh - where & SSL_CB_READ ? "read" : "write", - SSL_alert_type_string_long(ret), - SSL_alert_desc_string_long(ret)); -- else if(where==SSL_CB_HANDSHAKE_DONE) -+ else if(where==SSL_CB_HANDSHAKE_DONE) { -+#ifndef WITH_NSS - print_stats(s->ctx); -+#else -+ print_stats(s); -+#endif -+ } - } - - static void print_stats(SSL_CTX *ctx) { /* print statistics */ ---- stunnel-4.20/src/sthreads.c.nss 2006-09-26 09:59:08.000000000 +0200 -+++ stunnel-4.20/src/sthreads.c 2007-08-28 16:06:24.000000000 +0200 -@@ -197,7 +197,7 @@ void leave_critical_section(SECTION_CODE - } - - static void locking_callback(int mode, int type, --#ifdef HAVE_OPENSSL -+#if defined(HAVE_OPENSSL) || defined(WITH_NSS) - const /* Callback definition has been changed in openssl 0.9.3 */ - #endif - char *file, int line) { ---- stunnel-4.20/src/verify.c.nss 2006-11-01 15:59:16.000000000 +0100 -+++ stunnel-4.20/src/verify.c 2007-08-28 16:06:24.000000000 +0200 -@@ -34,14 +34,20 @@ - /**************************************** prototypes */ - - /* verify initialization */ -+#ifndef WITH_NSS - static void load_file_lookup(X509_STORE *, char *); - static void add_dir_lookup(X509_STORE *, char *); -+#endif /* !WITH_NSS */ - - /* verify callback */ - static int verify_callback(int, X509_STORE_CTX *); - static int cert_check(CLI *c, X509_STORE_CTX *, char *, int); -+#ifndef WITH_NSS - static int crl_check(CLI *c, X509_STORE_CTX *, char *); -+#endif -+#if !defined(WITH_NSS) && SSLEAY_VERSION_NUMBER >= 0x00907000L - static int ocsp_check(CLI *c, X509_STORE_CTX *, char *); -+#endif /* !WITH_NSS && OpenSSL-0.9.7 */ - - /**************************************** verify initialization */ - -@@ -55,11 +61,13 @@ void verify_init(LOCAL_OPTIONS *section) - exit(1); - } - -+#ifndef WITH_NSS - section->revocation_store=X509_STORE_new(); - if(!section->revocation_store) { - sslerror("X509_STORE_new"); - exit(1); - } -+#endif - - if(section->ca_file) { - if(!SSL_CTX_load_verify_locations(section->ctx, -@@ -75,7 +83,9 @@ void verify_init(LOCAL_OPTIONS *section) - #endif - s_log(LOG_DEBUG, "Loaded verify certificates from %s", - section->ca_file); -+#ifndef WITH_NSS - load_file_lookup(section->revocation_store, section->ca_file); -+#endif - } - - if(section->ca_dir) { -@@ -87,9 +97,12 @@ void verify_init(LOCAL_OPTIONS *section) - exit(1); - } - s_log(LOG_DEBUG, "Verify directory set to %s", section->ca_dir); -+#ifndef WITH_NSS - add_dir_lookup(section->revocation_store, section->ca_dir); -+#endif - } - -+#ifndef WITH_NSS - if(section->crl_file) - load_file_lookup(section->revocation_store, section->crl_file); - -@@ -97,6 +110,7 @@ void verify_init(LOCAL_OPTIONS *section) - section->revocation_store->cache=0; /* don't cache CRLs */ - add_dir_lookup(section->revocation_store, section->crl_dir); - } -+#endif /* !WITH_NSS */ - - SSL_CTX_set_verify(section->ctx, section->verify_level==SSL_VERIFY_NONE ? - SSL_VERIFY_PEER : section->verify_level, verify_callback); -@@ -105,6 +119,7 @@ void verify_init(LOCAL_OPTIONS *section) - s_log(LOG_NOTICE, "Peer certificate location %s", section->ca_dir); - } - -+#ifndef WITH_NSS - static void load_file_lookup(X509_STORE *store, char *name) { - X509_LOOKUP *lookup; - -@@ -136,6 +151,7 @@ static void add_dir_lookup(X509_STORE *s - } - s_log(LOG_DEBUG, "Added %s revocation lookup directory", name); - } -+#endif /* !WITH_NSS */ - - /**************************************** verify callback */ - -@@ -157,16 +173,17 @@ static int verify_callback(int preverify - - if(!cert_check(c, callback_ctx, subject_name, preverify_ok)) - return 0; /* reject connection */ -+#ifndef WITH_NSS - if(!crl_check(c, callback_ctx, subject_name)) - return 0; /* reject connection */ --#if SSLEAY_VERSION_NUMBER >= 0x00907000L -+#endif /* !WITH_NSS */ -+#if !defined(WITH_NSS) && SSLEAY_VERSION_NUMBER >= 0x00907000L - if(c->opt->option.ocsp && !ocsp_check(c, callback_ctx, subject_name)) - return 0; /* reject connection */ --#endif /* OpenSSL-0.9.7 */ -+#endif /* !WITH_NSS && OpenSSL-0.9.7 */ - - /* errnum=X509_STORE_CTX_get_error(ctx); */ -- s_log(LOG_NOTICE, "VERIFY OK: depth=%d, %s", -- callback_ctx->error_depth, subject_name); -+ s_log(LOG_NOTICE, "VERIFY OK: %s", subject_name); - return 1; /* accept connection */ - } - -@@ -177,19 +194,21 @@ static int cert_check(CLI *c, X509_STORE - X509_OBJECT ret; - - if(c->opt->verify_level==SSL_VERIFY_NONE) { -- s_log(LOG_NOTICE, "VERIFY IGNORE: depth=%d, %s", -- callback_ctx->error_depth, subject_name); -+ s_log(LOG_NOTICE, "VERIFY IGNORE: %s", subject_name); - return 1; /* accept connection */ - } - if(!preverify_ok) { - /* remote site specified a certificate, but it's not correct */ -- s_log(LOG_WARNING, "VERIFY ERROR: depth=%d, error=%s: %s", -- callback_ctx->error_depth, -+ s_log(LOG_WARNING, "VERIFY ERROR: error=%s: %s", - X509_verify_cert_error_string (callback_ctx->error), - subject_name); - return 0; /* reject connection */ - } -- if(c->opt->verify_use_only_my && callback_ctx->error_depth==0 && -+ /* FIXME: test this */ -+ if(c->opt->verify_use_only_my && -+#ifndef WITH_NSS -+ callback_ctx->error_depth==0 && -+#endif - X509_STORE_get_by_subject(callback_ctx, X509_LU_X509, - X509_get_subject_name(callback_ctx->current_cert), &ret)!=1) { - s_log(LOG_WARNING, "VERIFY ERROR ONLY MY: no cert for %s", -@@ -201,6 +220,7 @@ static int cert_check(CLI *c, X509_STORE - - /**************************************** CRL checking */ - -+#ifndef WITH_NSS - /* based on BSD-style licensed code of mod_ssl */ - static int crl_check(CLI *c, X509_STORE_CTX *callback_ctx, - char *subject_name) { -@@ -318,10 +338,11 @@ static int crl_check(CLI *c, X509_STORE_ - } - return 1; /* accept connection */ - } -+#endif /* !WITH_NSS */ - - /**************************************** OCSP checking */ - --#if SSLEAY_VERSION_NUMBER >= 0x00907000L -+#if !defined(WITH_NSS) && SSLEAY_VERSION_NUMBER >= 0x00907000L - static int ocsp_check(CLI *c, X509_STORE_CTX *callback_ctx, - char *subject_name) { - int error, retval=0; -@@ -442,6 +463,6 @@ cleanup: - c->fd=-1; /* avoid double close on cleanup */ - return retval; - } --#endif /* OpenSSL-0.9.7 */ -+#endif /* !WITH_NSS && OpenSSL-0.9.7 */ - - /* End of verify.c */ ---- stunnel-4.20/src/Makefile.am.nss 2006-11-04 23:23:22.000000000 +0100 -+++ stunnel-4.20/src/Makefile.am 2007-08-28 16:06:24.000000000 +0200 -@@ -27,7 +27,8 @@ INCLUDES = -I/usr/kerberos/include - - # Additional compiler flags - --AM_CPPFLAGS = -DLIBDIR='"$(libdir)"' -DCONFDIR='"$(sysconfdir)/stunnel"' -DPIDFILE='"$(prefix)/var/run/stunnel/stunnel.pid"' -+AM_CPPFLAGS = -DLIBDIR='"$(libdir)"' -DCONFDIR='"$(sysconfdir)/stunnel"' -DPIDFILE='"$(prefix)/var/run/stunnel/stunnel.pid"' $(NSS_CFLAGS) -+AM_LDFLAGS = $(NSS_LIBS) - - # Win32 executable - ---- stunnel-4.20/src/common.h.nss 2006-11-17 10:03:18.000000000 +0100 -+++ stunnel-4.20/src/common.h 2007-08-28 16:06:24.000000000 +0200 -@@ -307,7 +307,9 @@ extern char *sys_errlist[]; - - /**************************************** OpenSSL headers */ - --#ifdef HAVE_OPENSSL -+#ifdef WITH_NSS -+#include -+#elif defined(HAVE_OPENSSL) - #include - #include - #include ---- stunnel-4.20/src/protocol.c.nss 2006-11-11 12:02:51.000000000 +0100 -+++ stunnel-4.20/src/protocol.c 2007-08-28 16:06:24.000000000 +0200 -@@ -30,6 +30,9 @@ - - #include "common.h" - #include "prototypes.h" -+#ifdef WITH_NSS -+#include -+#endif - - /* \n is not a character expected in the string */ - #define LINE "%[^\n]" -@@ -70,8 +73,10 @@ void negotiate(CLI *c) { - imap_client(c); - else if(!strcmp(c->opt->protocol, "nntp")) - nntp_client(c); -+#ifndef WITH_NSS - else if(!strcmp(c->opt->protocol, "connect")) - connect_client(c); -+#endif - else { - s_log(LOG_ERR, "Protocol %s not supported in client mode", - c->opt->protocol); -@@ -511,8 +516,9 @@ static void crypt_DES(DES_cblock dst, co - } - - static char *base64(int encode, char *in, int len) { -- BIO *bio, *b64; - char *out; -+#ifndef WITH_NSS -+ BIO *bio, *b64; - - b64=BIO_new(BIO_f_base64()); - BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL); -@@ -535,6 +541,23 @@ static char *base64(int encode, char *in - } - BIO_read(bio, out, len); - BIO_free_all(bio); -+#else -+ if (encode) { -+ out = calloc(((len + 2) / 3) * 4 + 1, 1); -+ if (!out) { -+ log_raw("Fatal memory allocation error"); -+ exit(2); -+ } -+ PL_Base64Encode(in, len, out); -+ } else { -+ out = calloc(((len * 3 + 3) / 4) + 1, 1); -+ if (!out) { -+ log_raw("Fatal memory allocation error"); -+ exit(2); -+ } -+ PL_Base64Decode(in, len, out); -+ } -+#endif - return out; - } - diff --git a/stunnel.spec b/stunnel.spec index 67fa79c..0fb36c6 100644 --- a/stunnel.spec +++ b/stunnel.spec @@ -1,7 +1,7 @@ Summary: An SSL-encrypting socket wrapper Name: stunnel Version: 4.20 -Release: 3.nss +Release: 4 License: GPLv2 Group: Applications/Internet URL: http://stunnel.mirt.net/ @@ -12,16 +12,11 @@ Source3: sfinger.xinetd Source4: stunnel-sfinger.conf Source5: pop3-redirect.xinetd Source6: stunnel-pop3s-client.conf -Source7: README.NSS -Source8: nss_compat_ossl-0.9.1.tar.gz Patch0: stunnel-4.08-authpriv.patch Patch1: stunnel-4.18-sample.patch -Patch2: stunnel-4.20-nss.patch -Patch3: nss_compat_ossl-0.9.1-stunnel.patch Buildroot: %{_tmppath}/stunnel-root # util-linux is needed for rename -BuildRequires: nss-devel, pkgconfig, tcp_wrappers-devel, util-linux -BuildRequires: autoconf automake libtool +BuildRequires: openssl-devel, pkgconfig, tcp_wrappers-devel, util-linux %description Stunnel is a socket wrapper which can provide SSL (Secure Sockets @@ -29,36 +24,22 @@ Layer) support to ordinary applications. For example, it can be used in conjunction with imapd to create an SSL secure IMAP server. %prep -%setup -q -a 8 +%setup -q %patch0 -p1 -b .authpriv %patch1 -p1 -b .sample -%patch2 -p1 -b .nss -pushd nss_compat_ossl-0.9.1 -%patch3 -p0 -b .stunnel -autoreconf -popd iconv -f iso-8859-1 -t utf-8 < doc/stunnel.fr.8 > doc/stunnel.fr.8_ mv doc/stunnel.fr.8_ doc/stunnel.fr.8 iconv -f iso-8859-2 -t utf-8 < doc/stunnel.pl.8 > doc/stunnel.pl.8_ mv doc/stunnel.pl.8_ doc/stunnel.pl.8 -# For patch2 -autoreconf - %build CFLAGS="$RPM_OPT_FLAGS -fPIC"; export CFLAGS - -pushd nss_compat_ossl-0.9.1 -autoreconf -./configure --prefix=$(pwd)/p --libdir=$(pwd)/p/lib \ - --disable-shared --enable-static -make all install -popd - -CFLAGS="-I$(pwd)/nss_compat_ossl-0.9.1/p/include $CFLAGS" -export LDFLAGS="-L$(pwd)/nss_compat_ossl-0.9.1/p/lib" -%configure --with-nss --enable-ipv6 \ +if pkg-config openssl ; then + CFLAGS="$CFLAGS `pkg-config --cflags openssl`"; + LDFLAGS="`pkg-config --libs-only-L openssl`"; export LDFLAGS +fi +%configure --enable-ipv6 \ CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'" make LDADD="-pie -Wl,-z,defs,-z,relro" @@ -76,7 +57,7 @@ for lang in fr pl ; do done mkdir srpm-docs -cp %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE7} srpm-docs +cp %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} srpm-docs %post -p /sbin/ldconfig @@ -96,13 +77,20 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libstunnel.so %exclude %{_libdir}/libstunnel.la %{_mandir}/man8/stunnel.8* -%{_mandir}/*/man8/stunnel.8* +%lang(fr) %{_mandir}/fr/man8/stunnel.8* +%lang(pl) %{_mandir}/pl/man8/stunnel.8* %{_sbindir}/stunnel %{_sbindir}/stunnel3 %dir %{_sysconfdir}/%{name} %exclude %{_sysconfdir}/stunnel/* %changelog +* Tue Oct 16 2007 Miloslav Trmač - 4.20-4 +- Revert the port to NSS, wait for NSS-based stunnel 5.x instead + Resolves: #301971 +- Mark localized man pages with %%lang (patch by Ville Skyttä) + Resolves: #322281 + * Tue Aug 28 2007 Miloslav Trmač - 4.20-3.nss - Port to NSS