stunnel: Bring it back at v5.10

From: Michael Haas <haas@computerlinguist.org> * init script no longer creates certificates (consider client mode as use case) * patches/010_fix_getnameinfo.patch: Fix getnameinfo signature * patches/011_disable_ssp_linking.patch: Disable -fstack-protector as it is not always available in OpenWRT * old patches (in oldpackages) no longer necessary * remove libwrap dependency * remove libpthread dependency * respect CONFIG_IPV6 * init script uses procd * sample stunnel.conf runs in client mode - prevents start failure, does not require cert Possible enhancement: automatically generate certificate as done in uhttpd. However, as client mode is a possible use case, I'd rather not. Additionally, stunnel may use several certs with user-defined locations and we can't easily set a cert location via command-line args. The package is based on https://sites.google.com/site/twisteroidambassador/openwrt/stunnel Signed-off-by: Michael Haas <haas@computerlinguist.org>
2015-03-10 09:54:17 +01:00 · 2015-03-10 09:54:17 +01:00 · f6927350e4
commit f6927350e4
parent b59def2299
5 changed files with 299 additions and 0 deletions
--- a/net/stunnel/Makefile
+++ b/net/stunnel/Makefile
@ -0,0 +1,77 @@
+#
+# Copyright (C) 2006-2014 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=stunnel
+PKG_VERSION:=5.10
+PKG_RELEASE:=1
+
+PKG_LICENSE:=GPL-2.0+
+PKG_MAINTAINER:=Michael Haas <haas@computerlinguist.org>
+PKG_LICENSE_FILES:=COPYING COPYRIGHT.GPL
+
+PKG_SOURCE_URL:=http://stunnel.cybermirror.org/archive/5.x/
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_MD5SUM:=a0edda805eb7d6ea600a230fb0979ea1
+
+PKG_FIXUP:=autoreconf
+PKG_INSTALL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/stunnel
+  SECTION:=net
+  CATEGORY:=Network
+  DEPENDS:=+libopenssl
+  TITLE:=SSL TCP Wrapper
+  URL:=http://www.stunnel.org/
+endef
+
+define Package/stunnel/description
+	Stunnel is a program that allows you to encrypt arbitrary TCP
+	connections inside SSL (Secure Sockets Layer) available on both Unix
+	and Windows. Stunnel can allow you to secure non-SSL aware daemons and
+	protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the
+	encryption, requiring no changes to the daemon's code.
+endef
+
+define Package/stunnel/conffiles
+/etc/stunnel/stunnel.conf
+endef
+
+
+CONFIGURE_ARGS+= \
+	--with-random=/dev/urandom \
+	--with-threads=fork \
+	--with-ssl=$(STAGING_DIR)/usr \
+	--disable-libwrap \
+	--disable-systemd
+
+ifeq ($(CONFIG_IPV6),n)
+CONFIGURE_ARGS+= \
+	--disable-ipv6
+endif
+
+define Build/Compile
+	mkdir -p $(PKG_INSTALL_DIR)/etc/stunnel
+	echo '#dummy' > $(PKG_INSTALL_DIR)/etc/stunnel/stunnel.pem
+	$(call Build/Compile/Default)
+endef
+
+define Package/stunnel/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/stunnel $(1)/usr/bin/
+	$(INSTALL_DIR) $(1)/usr/lib/stunnel
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/stunnel/libstunnel.so $(1)/usr/lib/stunnel/
+	$(INSTALL_DIR) $(1)/etc/stunnel
+	$(INSTALL_CONF) ./files/stunnel.conf $(1)/etc/stunnel/stunnel.conf
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/stunnel.init $(1)/etc/init.d/stunnel
+endef
+
+$(eval $(call BuildPackage,stunnel))
--- a/net/stunnel/files/stunnel.conf
+++ b/net/stunnel/files/stunnel.conf
@ -0,0 +1,45 @@
+; Drop privileges
+setuid = nobody 
+setgid = nogroup
+
+; When running under procd, stay in foreground
+foreground = yes
+
+; Don't log to stderr, use syslog
+syslog = yes
+
+; 1-7. Use 7 for greatest verbosity
+;debug = 5
+
+; Starting here, enter your services or uncomment the examples
+
+; Example:
+; If your local httpd does not support HTTPS, use stunnel in remote
+; mode to forward TLS connections coming in on port 443 to non-TLS
+; on port 80.
+; Make sure that the cert is available.
+;[httpd]
+;accept = 443
+;connect = 127.0.0.1:80
+;cert = /etc/stunnel/stunnel.pem
+
+; Example:
+; If your local email client does not support TLS,
+; use stunnel in client mode to forward non-TLS connections on
+; port 143 to TLS-enabled servername:993.
+;[imap]
+;client = yes
+;accept = 143
+;connect = servername:993
+; Disable peer verification - be sure to understand the limitations of peer
+; verification in stunnel when enabling.
+;verify = 0
+
+; Default client section:
+; stunnel requires at least one section to start successfully.
+; You can safely remove this section once you have configured
+; your own. We use client mode here as server requires a certificate.
+[dummy]
+client = yes
+accept = localhost:6000
+connect = localhost:6001
--- a/net/stunnel/files/stunnel.init
+++ b/net/stunnel/files/stunnel.init
@ -0,0 +1,12 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2006-2008 OpenWrt.org
+
+START=90
+USE_PROCD=1
+
+start_service() {
+	procd_open_instance
+	procd_set_param command /usr/bin/stunnel /etc/stunnel/stunnel.conf
+	procd_set_param respawn # respawn automatically if something died
+	procd_close_instance
+}
--- a/net/stunnel/patches/010_fix_getnameinfo.patch
+++ b/net/stunnel/patches/010_fix_getnameinfo.patch
@ -0,0 +1,25 @@
+--- a/src/prototypes.h
+++ b/src/prototypes.h
+@@ -559,7 +559,7 @@ extern GETNAMEINFO s_getnameinfo;
+ 
+ #endif /* USE_WIN32 */
+ 
+-int getnameinfo(const struct sockaddr *, int, char *, int, char *, int, int);
+int getnameinfo(const struct sockaddr *, socklen_t, char *, socklen_t, char *, socklen_t, unsigned int);
+ 
+ #endif /* !defined HAVE_GETNAMEINFO */
+ 
+--- a/src/resolver.c
+++ b/src/resolver.c
+@@ -535,8 +535,9 @@ const char *s_gai_strerror(int err) {
+ /* implementation is limited to functionality needed by stunnel */
+ 
+ #ifndef HAVE_GETNAMEINFO
+-int getnameinfo(const struct sockaddr *sa, int salen,
+-    char *host, int hostlen, char *serv, int servlen, int flags) {
+int getnameinfo(const struct sockaddr *sa, socklen_t salen,
+    char *host, socklen_t hostlen, char *serv, socklen_t servlen,
+    unsigned int flags) {
+ 
+ #if defined(USE_WIN32) && !defined(_WIN32_WCE)
+     if(s_getnameinfo)
--- a/net/stunnel/patches/011_disable_ssp_linking.patch
+++ b/net/stunnel/patches/011_disable_ssp_linking.patch
@ -0,0 +1,140 @@
+--- a/configure
+++ b/configure
+@@ -5646,66 +5646,66 @@ done
+ 
+ 
+ 
+-for flag in -fstack-protector; do
+-  as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$flag" | $as_tr_sh`
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $flag" >&5
+-$as_echo_n "checking whether C compiler accepts $flag... " >&6; }
+-if eval \${$as_CACHEVAR+:} false; then :
+-  $as_echo_n "(cached) " >&6
+-else
+-
+-  ax_check_save_flags=$CFLAGS
+-  CFLAGS="$CFLAGS  $flag"
+-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+-/* end confdefs.h.  */
+-
+-int
+-main ()
+-{
+-
+-  ;
+-  return 0;
+-}
+-_ACEOF
+-if ac_fn_c_try_compile "$LINENO"; then :
+-  eval "$as_CACHEVAR=yes"
+-else
+-  eval "$as_CACHEVAR=no"
+-fi
+-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+-  CFLAGS=$ax_check_save_flags
+-fi
+-eval ac_res=\$$as_CACHEVAR
+-	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+-$as_echo "$ac_res" >&6; }
+-if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then :
+-  if ${CFLAGS+:} false; then :
+-  case " $CFLAGS " in
+-    *" $flag "*)
+-      { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS already contains \$flag"; } >&5
+-  (: CFLAGS already contains $flag) 2>&5
+-  ac_status=$?
+-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+-  test $ac_status = 0; }
+-      ;;
+-    *)
+-      { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS=\"\$CFLAGS \$flag\""; } >&5
+-  (: CFLAGS="$CFLAGS $flag") 2>&5
+-  ac_status=$?
+-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+-  test $ac_status = 0; }
+-      CFLAGS="$CFLAGS $flag"
+-      ;;
+-   esac
+-else
+-  CFLAGS="$flag"
+-fi
+-
+-else
+-  :
+-fi
+-
+-done
+#for flag in -fstack-protector; do
+#  as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$flag" | $as_tr_sh`
+#{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $flag" >&5
+#$as_echo_n "checking whether C compiler accepts $flag... " >&6; }
+#if eval \${$as_CACHEVAR+:} false; then :
+#  $as_echo_n "(cached) " >&6
+#else
+#
+#  ax_check_save_flags=$CFLAGS
+#  CFLAGS="$CFLAGS  $flag"
+#  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+#/* end confdefs.h.  */
+
+#int
+#main ()
+#{
+#
+#  ;
+#  return 0;
+#}
+#_ACEOF
+#if ac_fn_c_try_compile "$LINENO"; then :
+#  eval "$as_CACHEVAR=yes"
+#else
+#  eval "$as_CACHEVAR=no"
+#fi
+#rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+#  CFLAGS=$ax_check_save_flags
+#fi
+#eval ac_res=\$$as_CACHEVAR
+#	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+#$as_echo "$ac_res" >&6; }
+#if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then :
+#  if ${CFLAGS+:} false; then :
+#  case " $CFLAGS " in
+#    *" $flag "*)
+#      { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS already contains \$flag"; } >&5
+#  (: CFLAGS already contains $flag) 2>&5
+#  ac_status=$?
+#  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+#  test $ac_status = 0; }
+#      ;;
+#    *)
+#      { { $as_echo "$as_me:${as_lineno-$LINENO}: : CFLAGS=\"\$CFLAGS \$flag\""; } >&5
+#  (: CFLAGS="$CFLAGS $flag") 2>&5
+#  ac_status=$?
+#  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+#  test $ac_status = 0; }
+#      CFLAGS="$CFLAGS $flag"
+#      ;;
+#   esac
+#else
+#  CFLAGS="$flag"
+#fi
+#
+#else
+#  :
+#fi
+#
+#done
+ 
+ 
+ 
+--- a/configure.ac
+++ b/configure.ac
+@@ -71,7 +71,7 @@ AX_APPEND_COMPILE_FLAGS([-Wformat=2])
+ AX_APPEND_COMPILE_FLAGS([-Wconversion])
+ AX_APPEND_COMPILE_FLAGS([-Wno-long-long])
+ AX_APPEND_COMPILE_FLAGS([-Wno-deprecated-declarations])
+-AX_APPEND_COMPILE_FLAGS([-fstack-protector])
+#AX_APPEND_COMPILE_FLAGS([-fstack-protector])
+ AX_APPEND_COMPILE_FLAGS([-fPIE])
+ AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2])
+ AX_APPEND_LINK_FLAGS([-fPIE -pie])