From c31f290bc501ea44502a5676311ddd7a0c99d690 Mon Sep 17 00:00:00 2001
From: Florian Fainelli
Date: Tue, 8 Dec 2009 19:42:55 +0000
Subject: [PATCH] [package] update stunnel to 4.29 (#6324)

SVN-Revision: 18703
---
 net/stunnel/Makefile | 9 ++--
 net/stunnel/files/stunnel.conf | 60 ----------------------
 net/stunnel/files/stunnel.init | 9 ++--
 net/stunnel/patches/101-no-comp.patch | 4 +-
 net/stunnel/patches/102-no-ssl2.patch | 2 +-
 net/stunnel/patches/103-no-zlib-link.patch | 12 +++++
 net/stunnel/patches/104-fix-paths.patch | 41 +++++++++++++++
 net/stunnel/patches/105-stunnel-conf.patch | 54 +++++++++++++++++++
 8 files changed, 121 insertions(+), 70 deletions(-)
 delete mode 100644 net/stunnel/files/stunnel.conf
 create mode 100644 net/stunnel/patches/103-no-zlib-link.patch
 create mode 100644 net/stunnel/patches/104-fix-paths.patch
 create mode 100644 net/stunnel/patches/105-stunnel-conf.patch

diff --git a/net/stunnel/Makefile b/net/stunnel/Makefile
index ec01f399fe..ff16727c2a 100644
--- a/net/stunnel/Makefile
+++ b/net/stunnel/Makefile
@@ -2,9 +2,9 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=stunnel
-PKG_VERSION:=4.27
+PKG_VERSION:=4.29
 PKG_RELEASE:=1
-PKG_MD5SUM:=3c655d815576f50046a1c28744b88681
+PKG_MD5SUM:=14dc3f8412947f0548975cbce74d6863
 PKG_SOURCE_URL:=http://www.stunnel.org/download/stunnel/src/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 
@@ -26,6 +26,9 @@ define Package/stunnel/description
 encryption, requiring no changes to the daemon's code.
 endef
 
+define Package/stunnel/conffiles
+/etc/stunnel/stunnel.conf
+endef
 define Build/Configure
 	$(call Build/Configure/Default, \
@@ -49,7 +52,7 @@ define Package/stunnel/install
 	$(INSTALL_DIR) $(1)/usr/lib/stunnel
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/stunnel/libstunnel.so $(1)/usr/lib/stunnel/
 	$(INSTALL_DIR) $(1)/etc/stunnel
-	$(INSTALL_CONF) ./files/stunnel.conf $(1)/etc/stunnel/stunnel.conf
+	$(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/stunnel/stunnel.conf-sample $(1)/etc/stunnel/stunnel.conf
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/stunnel.init $(1)/etc/init.d/stunnel
 endef
diff --git a/net/stunnel/files/stunnel.conf b/net/stunnel/files/stunnel.conf
deleted file mode 100644
index ec590832c4..0000000000
--- a/net/stunnel/files/stunnel.conf
+++ /dev/null
@@ -1,60 +0,0 @@
-
-; Certificate/key is needed in server mode and optional in client mode
-cert = /etc/stunnel/stunnel.pem
-;key = /usr/etc/stunnel/mail.pem
-
-; Protocol version (all, SSLv2, SSLv3, TLSv1)
-sslVersion = all
-
-; Some security enhancements for UNIX systems - comment them out on Win32
-chroot = /tmp
-setuid = nobody
-;setgid = nobody
-pid = /stunnel.pid
-
-; Some performance tunings
-socket = l:TCP_NODELAY=1
-socket = r:TCP_NODELAY=1
-;compression = rle
-
-; Workaround for Eudora bug
-;options = DONT_INSERT_EMPTY_FRAGMENTS
-
-;verify = 2
-;CApath = /certs
-;CAfile = /usr/etc/stunnel/certs.pem
-;CRLpath = /crls
-;CRLfile = /usr/etc/stunnel/crls.pem
-
-; Some debugging stuff useful for troubleshooting
-;debug = 7
-;output = stunnel.log
-
-; Use it for client mode
-;client = yes
-
-; Service-level configuration
-
-;[pop3s]
-;accept = 995
-;connect = 110
-;
-;[imaps]
-;accept = 993
-;connect = 143
-;
-;[ssmtp]
-;accept = 465
-;connect = 25
-
-[https]
-accept = 443
-connect = 80
-TIMEOUTclose = 0
-
-[chilli]
-accept = 3443
-connect = 3442
-TIMEOUTclose = 0
-
-; vim:ft=dosini
diff --git a/net/stunnel/files/stunnel.init b/net/stunnel/files/stunnel.init
index 3929335ded..f74ff680fb 100644
--- a/net/stunnel/files/stunnel.init
+++ b/net/stunnel/files/stunnel.init
@@ -2,11 +2,13 @@
 # Copyright (C) 2006-2008 OpenWrt.org
 
 START=90
+RUN_D=/var
+PID_F=$RUN_D/stunnel.pid
 
 start() {
 	if [ -s "/etc/stunnel/stunnel.pem" ]; then
 		chmod og-rwx /etc/stunnel/stunnel.pem
-		stunnel
+		[ ! -f $PID_F ] && stunnel
 	else
 		[ -e /etc/stunnel/config ] && \
 			. /etc/stunnel/config
@@ -14,7 +16,7 @@ start() {
 		X509_CN=${X509_CN:-"router"}
 		X509_O=${X509_O:-"openwrt.org"}
 		X509_OU=${X509_OU:-"open-source firmware"}
-
+
 		[ -x /sbin/keygen ] && {
 			(keygen "$X509_CN" "$X509_O" "$X509_OU" > /etc/stunnel/stunnel.pem;
 			chmod og-rwx /etc/stunnel/stunnel.pem;
@@ -24,6 +26,5 @@ start() {
 }
 
 stop() {
-	killall stunnel
-	killall -9 stunnel
+	[ -f $PID_F ] && kill -9 $(cat $PID_F) && rm -f $PID_F
 }
diff --git a/net/stunnel/patches/101-no-comp.patch b/net/stunnel/patches/101-no-comp.patch
index d9950359f9..640bd89482 100644
--- a/net/stunnel/patches/101-no-comp.patch
+++ b/net/stunnel/patches/101-no-comp.patch
@@ -1,6 +1,6 @@
 --- a/src/ssl.c
 +++ b/src/ssl.c
-@@ -62,13 +62,16 @@ void ssl_init(void) { /* init SSL before
+@@ -63,13 +63,16 @@ void ssl_init(void) { /* init SSL before
  }
  
  void ssl_configure(void) { /* configure global SSL settings */
@@ -17,7 +17,7 @@
      int id=0;
      COMP_METHOD *cm=NULL;
      char *name="unknown";
-@@ -97,6 +100,7 @@ static void init_compression(void) {
+@@ -98,6 +101,7 @@ static void init_compression(void) {
          die(1);
      }
      s_log(LOG_INFO, "Compression enabled using %s method", name);
diff --git a/net/stunnel/patches/102-no-ssl2.patch b/net/stunnel/patches/102-no-ssl2.patch
index c7dca9ea34..9ebd4243a0 100644
--- a/net/stunnel/patches/102-no-ssl2.patch
+++ b/net/stunnel/patches/102-no-ssl2.patch
@@ -1,6 +1,6 @@
 --- a/src/options.c
 +++ b/src/options.c
-@@ -1166,8 +1166,10 @@ static char *service_options(CMD cmd, LO
+@@ -1198,8 +1198,10 @@ static char *service_options(CMD cmd, LO
          section->client_method=(SSL_METHOD *)SSLv23_client_method();
          section->server_method=(SSL_METHOD *)SSLv23_server_method();
      } else if(!strcasecmp(arg, "SSLv2")) {
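Review bot: `[ ! -f $PID_F ] && stunnel` takes the existence of the pid file as proof that stunnel is running, so after a crash that leaves /var/stunnel.pid behind the service silently never starts again, and the new stop() in the third hunk removes the file only when `kill -9` succeeds, so the script itself never clears a stale one. Test the recorded process rather than the file, and quote the expansion: `[ -f "$PID_F" ] && kill -0 "$(cat "$PID_F")" 2>/dev/null || stunnel`. Whether /var persists across reboots on the target is not visible here; on a tmpfs /var the stale-file case only follows a crash.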
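Review bot: the new stop() runs `kill -9 $(cat $PID_F)` as root on whatever the pid file contains, with no check that the value is a single number or that it names a stunnel process; the replaced `killall stunnel` had neither problem. The pid file is also not a root-only file: per the 104 patch the sample config keeps the pid inside the chroot (`chroot = @localstatedir@`, "PID is created inside the chroot jail"), i.e. under the same /var the `setuid = nobody` daemon lives in, which on many OpenWrt targets is a world-writable tmpfs, so anything that can write there picks the pid root kills next. Validate and prefer a graceful signal first, e.g. `pid=$(cat "$PID_F" 2>/dev/null); case "$pid" in ''|*[!0-9]*) ;; *) kill "$pid" && rm -f "$PID_F" ;; esac`, escalating to -9 only after a grace period; whether @localstatedir@ really resolves to a nobody-writable directory depends on configure flags and mounts not shown in this diff. Note also that the trailing `&& rm -f` means a failed kill leaves the file in place for start() to trip over.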
diff --git a/net/stunnel/patches/103-no-zlib-link.patch b/net/stunnel/patches/103-no-zlib-link.patch
new file mode 100644
index 0000000000..6e2a45651d
--- /dev/null
+++ b/net/stunnel/patches/103-no-zlib-link.patch
@@ -0,0 +1,12 @@
+Avoid linking with zlib, which is a dependency of openssl, not ours.
+--- a/configure
++++ b/configure
+@@ -23001,7 +23001,7 @@ if test $ac_cv_lib_z_inflateEnd = yes; t
+ #define HAVE_LIBZ 1
+ _ACEOF
+ 
+- LIBS="-lz $LIBS"
++# LIBS="-lz $LIBS"
+ 
+ fi
+ 
diff --git a/net/stunnel/patches/104-fix-paths.patch b/net/stunnel/patches/104-fix-paths.patch
new file mode 100644
index 0000000000..3c9966794b
--- /dev/null
+++ b/net/stunnel/patches/104-fix-paths.patch
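Review bot: the patch comments out `LIBS="-lz $LIBS"` in the generated `configure` at line 23001 but keeps the `#define HAVE_LIBZ 1` that the same branch emits (both visible in the context), so the build now advertises zlib while refusing to link it; any stunnel source guarded by `HAVE_LIBZ` would compile and then fail at link time, which I can neither confirm nor rule out from this diff. Setting `ac_cv_lib_z_inflateEnd=no` in the configure environment (the cache variable tested on the hunk's own header line) skips the whole branch — no `-lz` and no `HAVE_LIBZ` — without a line-number-bound edit to a generated script that the next upstream release will shift.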
@@ -0,0 +1,41 @@
+## Do several path fixups, removing unneeded @prefix@s
+--- a/tools/stunnel.conf-sample.in
++++ b/tools/stunnel.conf-sample.in
+@@ -3,14 +3,14 @@
+ ; Please make sure you understand them (especially the effect of the chroot jail)
+ 
+ ; Certificate/key is needed in server mode and optional in client mode
+-cert = @prefix@/etc/stunnel/mail.pem
+-;key = @prefix@/etc/stunnel/mail.pem
++cert = @sysconfdir@/stunnel/stunnel.pem
++;key = @sysconfdir@/stunnel/stunnel.pem
+ 
+ ; Protocol version (all, SSLv2, SSLv3, TLSv1)
+ sslVersion = SSLv3
+ 
+ ; Some security enhancements for UNIX systems - comment them out on Win32
+-chroot = @prefix@/var/lib/stunnel/
++chroot = @localstatedir@
+ setuid = nobody
+ setgid = @DEFAULT_GROUP@
+ ; PID is created inside the chroot jail
+@@ -30,16 +30,16 @@ socket = r:TCP_NODELAY=1
+ ; CApath is located inside chroot jail
+ ;CApath = /certs
+ ; It's often easier to use CAfile
+-;CAfile = @prefix@/etc/stunnel/certs.pem
++;CAfile = @sysconfdir@/stunnel/certs.pem
+ ; Don't forget to c_rehash CRLpath
+ ; CRLpath is located inside chroot jail
+ ;CRLpath = /crls
+ ; Alternatively you can use CRLfile
+-;CRLfile = @prefix@/etc/stunnel/crls.pem
++;CRLfile = @sysconfdir@/stunnel/crls.pem
+ 
+ ; Some debugging stuff useful for troubleshooting
+ ;debug = 7
+-;output = stunnel.log
++;output = @localstatedir@/log/stunnel.log
+ 
+ ; Use it for client mode
+ ;client = yes
diff --git a/net/stunnel/patches/105-stunnel-conf.patch b/net/stunnel/patches/105-stunnel-conf.patch
new file mode 100644
index 0000000000..3f213cee83
--- /dev/null
+++ b/net/stunnel/patches/105-stunnel-conf.patch
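Review bot: `chroot = @localstatedir@` moves the jail from a dedicated, otherwise-empty directory (`@prefix@/var/lib/stunnel/`) to the whole state directory, and with `; PID is created inside the chroot jail` kept and the init script's `RUN_D=/var`, the pid file and the chroot root become the same shared /var that other services use — on OpenWrt typically a world-writable tmpfs. A chroot whose root is writable by the `setuid = nobody` process and by everything else confines little; a dedicated subdirectory such as `@localstatedir@/run/stunnel`, created by the init script, keeps the path fixups without giving up the jail. `;output = @localstatedir@/log/stunnel.log` is a host-absolute path while `;CApath`/`;CRLpath` are documented as chroot-relative in the same hunk; whether stunnel opens the log before it chroots is not shown here, so a comment next to that line saying which it is would help the next editor.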
@@ -0,0 +1,54 @@
+--- a/tools/stunnel.conf-sample.in
++++ b/tools/stunnel.conf-sample.in
+@@ -7,7 +7,7 @@ cert = @sysconfdir@/stunnel/stunnel.pem
+ ;key = @sysconfdir@/stunnel/stunnel.pem
+ 
+ ; Protocol version (all, SSLv2, SSLv3, TLSv1)
+-sslVersion = SSLv3
++sslVersion = all
+ 
+ ; Some security enhancements for UNIX systems - comment them out on Win32
+ chroot = @localstatedir@
+@@ -46,21 +46,26 @@ socket = r:TCP_NODELAY=1
+ 
+ ; Service-level configuration
+ 
+-[pop3s]
+-accept = 995
+-connect = 110
+-
+-[imaps]
+-accept = 993
+-connect = 143
+-
+-[ssmtp]
+-accept = 465
+-connect = 25
+-
+-;[https]
+-;accept = 443
+-;connect = 80
+-;TIMEOUTclose = 0
++;[pop3s]
++;accept = 995
++;connect = 110
++
++;[imaps]
++;accept = 993
++;connect = 143
++
++;[ssmtp]
++;accept = 465
++;connect = 25
++
++[https]
++accept = 443
++connect = 80
++TIMEOUTclose = 0
++
++[chilli]
++accept = 3443
++connect = 3442
++TIMEOUTclose = 0
+ 
+ ; vim:ft=dosini
-- 
2.30.2
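Review bot: `sslVersion = all` drops the upstream pin of `SSLv3` for a version-negotiating method, which gains TLSv1 but also accepts SSLv2 hellos unless the OpenSSL stunnel links against was built without SSLv2; the package's own 102-no-ssl2 patch only edits the explicit `SSLv2` option branch (see its hunk context), not what `all` negotiates. Add `options = NO_SSLv2` beside it in the sample so the shipped default cannot fall back to SSLv2 whatever the OpenSSL build. The hunk also uncomments `[https]` (443 → 80) and `[chilli]` (3443 → 3442) as enabled services with `accept` bound on every address, mirroring the deleted files/stunnel.conf; that a freshly installed package wraps the local web server on 443 and a captive-portal port by default is a policy worth stating in the commit message, and the chilli entry arguably belongs commented out like the upstream examples above it.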