diff options
| author | V3n3RiX <venerix@redcorelinux.org> | 2017-10-09 18:53:29 +0100 |
|---|---|---|
| committer | V3n3RiX <venerix@redcorelinux.org> | 2017-10-09 18:53:29 +0100 |
| commit | 4f2d7949f03e1c198bc888f2d05f421d35c57e21 (patch) | |
| tree | ba5f07bf3f9d22d82e54a462313f5d244036c768 /net-misc/stunnel/files | |
reinit the tree, so we can have metadata
Diffstat (limited to 'net-misc/stunnel/files')
| -rw-r--r-- | net-misc/stunnel/files/stunnel | 42 | ||||
| -rw-r--r-- | net-misc/stunnel/files/stunnel-5.39-compat-libressl.patch | 132 | ||||
| -rw-r--r-- | net-misc/stunnel/files/stunnel-compat-libressl.patch | 42 | ||||
| -rw-r--r-- | net-misc/stunnel/files/stunnel-r1 | 50 | ||||
| -rw-r--r-- | net-misc/stunnel/files/stunnel.conf | 61 | ||||
| -rw-r--r-- | net-misc/stunnel/files/stunnel.tmpfiles.conf | 1 |
6 files changed, 328 insertions, 0 deletions
diff --git a/net-misc/stunnel/files/stunnel b/net-misc/stunnel/files/stunnel new file mode 100644 index 000000000000..13887f911332 --- /dev/null +++ b/net-misc/stunnel/files/stunnel @@ -0,0 +1,42 @@ +#!/sbin/openrc-run +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +SERVICENAME=${SVCNAME#*.} +SERVICENAME=${SERVICENAME:-stunnel} +STUNNEL_CONFIGFILE=${STUNNEL_CONFIGFILE:-/etc/stunnel/${SERVICENAME}.conf} + +depend() { + need net + before logger +} + +get_config() { + if [ ! -e ${STUNNEL_CONFIGFILE} ] ; then + eerror "You need to create ${STUNNEL_CONFIGFILE} first." + return 1 + fi + CHROOT=$(grep "^chroot" ${STUNNEL_CONFIGFILE} | sed "s;.*= *;;") + [ -n "${CHROOT}" ] && CHROOT="--chroot ${CHROOT}" + PIDFILE=$(grep "^pid" ${STUNNEL_CONFIGFILE} | sed "s;.*= *;;") + PIDFILE=${PIDFILE:-/run/stunnel/${SERVICENAME}.pid} +} + +start() { + get_config || return 1 + checkpath -d -m 0775 -o root:stunnel /run/stunnel + if [ "$(dirname ${PIDFILE})" != "/run" ]; then + checkpath -d -m 0755 -o stunnel:stunnel -q $(dirname ${PIDFILE}) + fi + ebegin "Starting ${SVCNAME}" + start-stop-daemon --start --pidfile "${PIDFILE}" ${CHROOT} \ + --exec /usr/bin/stunnel -- ${STUNNEL_CONFIGFILE} ${STUNNEL_OPTIONS} + eend $? "Failed to start ${SVCNAME}" +} + +stop() { + get_config || return 1 + ebegin "Stopping ${SVCNAME}" + start-stop-daemon --stop --quiet --pidfile ${PIDFILE} + eend $? "Failed to stop ${SVCNAME}" +} diff --git a/net-misc/stunnel/files/stunnel-5.39-compat-libressl.patch b/net-misc/stunnel/files/stunnel-5.39-compat-libressl.patch new file mode 100644 index 000000000000..7c4f74351838 --- /dev/null +++ b/net-misc/stunnel/files/stunnel-5.39-compat-libressl.patch @@ -0,0 +1,132 @@ +diff -Naur stunnel-5.30.orig/src/ctx.c stunnel-5.30/src/ctx.c +--- stunnel-5.30.orig/src/ctx.c 2016-01-15 16:45:23.000000000 +0000 ++++ stunnel-5.30/src/ctx.c 2016-05-14 15:16:47.392859450 +0000 +@@ -359,7 +359,7 @@ + /**************************************** initialize OpenSSL CONF */ + + NOEXPORT int conf_init(SERVICE_OPTIONS *section) { +-#if OPENSSL_VERSION_NUMBER>=0x10002000L ++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) + SSL_CONF_CTX *cctx; + NAME_LIST *curr; + char *cmd, *param; +diff -Naur stunnel-5.30.orig/src/verify.c stunnel-5.30/src/verify.c +--- stunnel-5.30.orig/src/verify.c 2016-01-15 16:45:23.000000000 +0000 ++++ stunnel-5.30/src/verify.c 2016-05-14 15:16:10.369860180 +0000 +@@ -51,7 +51,7 @@ + NOEXPORT int verify_callback(int, X509_STORE_CTX *); + NOEXPORT int verify_checks(CLI *, int, X509_STORE_CTX *); + NOEXPORT int cert_check(CLI *, X509_STORE_CTX *, int); +-#if OPENSSL_VERSION_NUMBER>=0x10002000L ++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) + NOEXPORT int cert_check_subject(CLI *, X509_STORE_CTX *); + #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ + NOEXPORT int cert_check_local(X509_STORE_CTX *); +@@ -280,7 +280,7 @@ + } + + if(depth==0) { /* additional peer certificate checks */ +-#if OPENSSL_VERSION_NUMBER>=0x10002000L ++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) + if(!cert_check_subject(c, callback_ctx)) + return 0; /* reject */ + #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ +@@ -291,7 +291,7 @@ + return 1; /* accept */ + } + +-#if OPENSSL_VERSION_NUMBER>=0x10002000L ++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) + NOEXPORT int cert_check_subject(CLI *c, X509_STORE_CTX *callback_ctx) { + X509 *cert=X509_STORE_CTX_get_current_cert(callback_ctx); + NAME_LIST *ptr; +diff --git a/src/common.h b/src/common.h +index 93f165e..491d9de 100644 +--- a/src/common.h ++++ b/src/common.h +@@ -448,7 +448,7 @@ extern char *sys_errlist[]; + #define OPENSSL_NO_TLS1_2 + #endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */ + +-#if OPENSSL_VERSION_NUMBER>=0x10100000L ++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + #ifndef OPENSSL_NO_SSL2 + #define OPENSSL_NO_SSL2 + #endif /* !defined(OPENSSL_NO_SSL2) */ +@@ -474,7 +474,7 @@ extern char *sys_errlist[]; + #include <openssl/des.h> + #ifndef OPENSSL_NO_DH + #include <openssl/dh.h> +-#if OPENSSL_VERSION_NUMBER<0x10100000L ++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); + #endif /* OpenSSL older than 1.1.0 */ + #endif /* !defined(OPENSSL_NO_DH) */ +diff --git a/src/prototypes.h b/src/prototypes.h +index 303ff77..ae22598 100644 +--- a/src/prototypes.h ++++ b/src/prototypes.h +@@ -664,13 +664,13 @@ typedef enum { + #endif /* OPENSSL_NO_DH */ + STUNNEL_LOCKS /* number of locks */ + } LOCK_TYPE; +-#if OPENSSL_VERSION_NUMBER < 0x10100004L ++#if OPENSSL_VERSION_NUMBER < 0x10100004L || defined(LIBRESSL_VERSION_NUMBER) + typedef int STUNNEL_RWLOCK; + #else + typedef CRYPTO_RWLOCK *STUNNEL_RWLOCK; + #endif + extern STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS]; +-#if OPENSSL_VERSION_NUMBER>=0x10100004L ++#if OPENSSL_VERSION_NUMBER>=0x10100004L && !defined(LIBRESSL_VERSION_NUMBER) + #define CRYPTO_THREAD_read_unlock(type) CRYPTO_THREAD_unlock(type) + #define CRYPTO_THREAD_write_unlock(type) CRYPTO_THREAD_unlock(type) + #else +diff --git a/src/ssl.c b/src/ssl.c +index a7af7e6..1483734 100644 +--- a/src/ssl.c ++++ b/src/ssl.c +@@ -50,7 +50,7 @@ NOEXPORT int add_rand_file(GLOBAL_OPTIONS *, const char *); + int index_cli, index_opt, index_redirect, index_addr; + + int ssl_init(void) { /* init TLS before parsing configuration file */ +-#if OPENSSL_VERSION_NUMBER>=0x10100000L ++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS | + OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); + #else +@@ -83,7 +83,7 @@ int ssl_init(void) { /* init TLS before parsing configuration file */ + } + + #ifndef OPENSSL_NO_DH +-#if OPENSSL_VERSION_NUMBER<0x10100000L ++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + /* this is needed for dhparam.c generated with OpenSSL >= 1.1.0 + * to be linked against the older versions */ + int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) { +diff --git a/src/sthreads.c b/src/sthreads.c +index 59c24a2..04fb256 100644 +--- a/src/sthreads.c ++++ b/src/sthreads.c +@@ -47,7 +47,7 @@ + STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS]; + #endif + +-#if OPENSSL_VERSION_NUMBER<0x10100004L ++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) + #define CRYPTO_THREAD_lock_new() CRYPTO_get_new_dynlockid() + #endif + +diff --git a/src/verify.c b/src/verify.c +index ac1c3ee..3e3bda4 100644 +--- a/src/verify.c ++++ b/src/verify.c +@@ -348,7 +348,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback_ctx) { + cert=X509_STORE_CTX_get_current_cert(callback_ctx); + subject=X509_get_subject_name(cert); + +-#if OPENSSL_VERSION_NUMBER>=0x10000000L ++#if OPENSSL_VERSION_NUMBER>=0x10000000L && !defined(LIBRESSL_VERSION_NUMBER) + #if OPENSSL_VERSION_NUMBER<0x10100006L + #define X509_STORE_CTX_get1_certs X509_STORE_get1_certs + #endif diff --git a/net-misc/stunnel/files/stunnel-compat-libressl.patch b/net-misc/stunnel/files/stunnel-compat-libressl.patch new file mode 100644 index 000000000000..1349484bf3df --- /dev/null +++ b/net-misc/stunnel/files/stunnel-compat-libressl.patch @@ -0,0 +1,42 @@ +diff -Naur stunnel-5.30.orig/src/ctx.c stunnel-5.30/src/ctx.c +--- stunnel-5.30.orig/src/ctx.c 2016-01-15 16:45:23.000000000 +0000 ++++ stunnel-5.30/src/ctx.c 2016-05-14 15:16:47.392859450 +0000 +@@ -359,7 +359,7 @@ + /**************************************** initialize OpenSSL CONF */ + + NOEXPORT int conf_init(SERVICE_OPTIONS *section) { +-#if OPENSSL_VERSION_NUMBER>=0x10002000L ++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) + SSL_CONF_CTX *cctx; + NAME_LIST *curr; + char *cmd, *param; +diff -Naur stunnel-5.30.orig/src/verify.c stunnel-5.30/src/verify.c +--- stunnel-5.30.orig/src/verify.c 2016-01-15 16:45:23.000000000 +0000 ++++ stunnel-5.30/src/verify.c 2016-05-14 15:16:10.369860180 +0000 +@@ -51,7 +51,7 @@ + NOEXPORT int verify_callback(int, X509_STORE_CTX *); + NOEXPORT int verify_checks(CLI *, int, X509_STORE_CTX *); + NOEXPORT int cert_check(CLI *, X509_STORE_CTX *, int); +-#if OPENSSL_VERSION_NUMBER>=0x10002000L ++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) + NOEXPORT int cert_check_subject(CLI *, X509_STORE_CTX *); + #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ + NOEXPORT int cert_check_local(X509_STORE_CTX *); +@@ -280,7 +280,7 @@ + } + + if(depth==0) { /* additional peer certificate checks */ +-#if OPENSSL_VERSION_NUMBER>=0x10002000L ++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) + if(!cert_check_subject(c, callback_ctx)) + return 0; /* reject */ + #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ +@@ -291,7 +291,7 @@ + return 1; /* accept */ + } + +-#if OPENSSL_VERSION_NUMBER>=0x10002000L ++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) + NOEXPORT int cert_check_subject(CLI *c, X509_STORE_CTX *callback_ctx) { + X509 *cert=X509_STORE_CTX_get_current_cert(callback_ctx); + NAME_LIST *ptr; diff --git a/net-misc/stunnel/files/stunnel-r1 b/net-misc/stunnel/files/stunnel-r1 new file mode 100644 index 000000000000..a73527ed57e7 --- /dev/null +++ b/net-misc/stunnel/files/stunnel-r1 @@ -0,0 +1,50 @@ +#!/sbin/openrc-run +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +extra_started_commands="reload" +SERVICENAME=${SVCNAME#*.} +SERVICENAME=${SERVICENAME:-stunnel} +STUNNEL_CONFIGFILE=${STUNNEL_CONFIGFILE:-/etc/stunnel/${SERVICENAME}.conf} + +depend() { + need net + before logger +} + +get_config() { + if [ ! -e ${STUNNEL_CONFIGFILE} ] ; then + eerror "You need to create ${STUNNEL_CONFIGFILE} first." + return 1 + fi + CHROOT=$(grep "^chroot" ${STUNNEL_CONFIGFILE} | sed "s;.*= *;;") + [ -n "${CHROOT}" ] && CHROOT="--chroot ${CHROOT}" + PIDFILE=$(grep "^pid" ${STUNNEL_CONFIGFILE} | sed "s;.*= *;;") + PIDFILE=${PIDFILE:-/run/stunnel/${SERVICENAME}.pid} +} + +start() { + get_config || return 1 + checkpath -d -m 0775 -o root:stunnel /run/stunnel + if [ "$(dirname ${PIDFILE})" != "/run" ]; then + checkpath -d -m 0755 -o stunnel:stunnel -q $(dirname ${PIDFILE}) + fi + ebegin "Starting ${SVCNAME}" + start-stop-daemon --start --pidfile "${PIDFILE}" ${CHROOT} \ + --exec /usr/bin/stunnel -- ${STUNNEL_CONFIGFILE} ${STUNNEL_OPTIONS} + eend $? "Failed to start ${SVCNAME}" +} + +stop() { + get_config || return 1 + ebegin "Stopping ${SVCNAME}" + start-stop-daemon --stop --quiet --pidfile ${PIDFILE} + eend $? "Failed to stop ${SVCNAME}" +} + +reload() { + get_config || return 1 + ebegin "Reloading ${SVCNAME}" + start-stop-daemon --signal HUP --pidfile ${PIDFILE} --name stunnel + eend $? +} diff --git a/net-misc/stunnel/files/stunnel.conf b/net-misc/stunnel/files/stunnel.conf new file mode 100644 index 000000000000..547ee963e4d1 --- /dev/null +++ b/net-misc/stunnel/files/stunnel.conf @@ -0,0 +1,61 @@ +# Sample stunnel configuration file by Michal Trojnara 2002-2005 +# Some options used here may not be adequate for your particular configuration +# Please make sure you understand them (especially the effect of chroot jail) + +# Certificate/key is needed in server mode and optional in client mode +# cert = /etc/stunnel/stunnel.pem +# key = /etc/stunnel/stunnel.pem + +# Some security enhancements for UNIX systems - comment them out on Win32 +# chroot = /chroot/stunnel/ +setuid = stunnel +setgid = stunnel +# PID is created inside chroot jail +pid = /run/stunnel/stunnel.pid + +# Some performance tunings +socket = l:TCP_NODELAY=1 +socket = r:TCP_NODELAY=1 +#compression = rle + +# Workaround for Eudora bug +#options = DONT_INSERT_EMPTY_FRAGMENTS + +# Authentication stuff +#verify = 2 +# Don't forget to c_rehash CApath +# CApath is located inside chroot jail: +#CApath = /certs +# It's often easier to use CAfile: +#CAfile = /etc/stunnel/certs.pem +# Don't forget to c_rehash CRLpath +# CRLpath is located inside chroot jail: +#CRLpath = /crls +# Alternatively you can use CRLfile: +#CRLfile = /etc/stunnel/crls.pem + +# Some debugging stuff useful for troubleshooting +#debug = 7 +#output = stunnel.log + +# Use it for client mode +#client = yes + +# Service-level configuration + +#[pop3s] +#accept = 995 +#connect = 110 + +#[imaps] +#accept = 993 +#connect = 143 + +#[ssmtp] +#accept = 465 +#connect = 25 + +#[https] +#accept = 443 +#connect = 80 +#TIMEOUTclose = 0 diff --git a/net-misc/stunnel/files/stunnel.tmpfiles.conf b/net-misc/stunnel/files/stunnel.tmpfiles.conf new file mode 100644 index 000000000000..4433c8a75664 --- /dev/null +++ b/net-misc/stunnel/files/stunnel.tmpfiles.conf @@ -0,0 +1 @@ +d /run/stunnel 0770 stunnel stunnel - |