From a8562d5d836bcd10e8e2790bfb6a5e10046ecf99 Mon Sep 17 00:00:00 2001 From: Bertrand Jacquin Date: Wed, 16 Jun 2010 14:14:52 +0200 Subject: stunnel + x-forwarded-for patch adaptation from Willy --- net-misc/stunnel/Manifest | 8 + net-misc/stunnel/files/stunnel-3.26-gentoo.diff | 29 +++ .../stunnel/files/stunnel-4.15-xforwarded-for.diff | 246 +++++++++++++++++++++ net-misc/stunnel/files/stunnel-4.21-libwrap.patch | 10 + net-misc/stunnel/files/stunnel.conf | 61 +++++ net-misc/stunnel/files/stunnel.initd | 68 ++++++ net-misc/stunnel/files/stunnel.rc6 | 34 +++ net-misc/stunnel/stunnel-4.29.ebuild | 76 +++++++ 8 files changed, 532 insertions(+) create mode 100644 net-misc/stunnel/Manifest create mode 100644 net-misc/stunnel/files/stunnel-3.26-gentoo.diff create mode 100644 net-misc/stunnel/files/stunnel-4.15-xforwarded-for.diff create mode 100644 net-misc/stunnel/files/stunnel-4.21-libwrap.patch create mode 100644 net-misc/stunnel/files/stunnel.conf create mode 100644 net-misc/stunnel/files/stunnel.initd create mode 100644 net-misc/stunnel/files/stunnel.rc6 create mode 100644 net-misc/stunnel/stunnel-4.29.ebuild (limited to 'net-misc') diff --git a/net-misc/stunnel/Manifest b/net-misc/stunnel/Manifest new file mode 100644 index 00000000..20f29671 --- /dev/null +++ b/net-misc/stunnel/Manifest @@ -0,0 +1,8 @@ +AUX stunnel-3.26-gentoo.diff 941 RMD160 4ca4f85a8888c7c9dbeed9d1303bae182d19195d SHA1 5517c6e3395664d76c84548ea67ffd8fddddbdcd SHA256 e2a9fab361699b01ccd004ef598bb868d5f6f37bd40d05b7a16a97cd9ecee2f2 +AUX stunnel-4.15-xforwarded-for.diff 11338 RMD160 787c7ef334339db372e75f384c5d5fe575409ccf SHA1 87bc04bc61b370f572db461b77885c3f9ce9f366 SHA256 5183c09797db4f440367ff47986dd6b3d10c1618ea01ad7f22a5c80d99ed3423 +AUX stunnel-4.21-libwrap.patch 380 RMD160 c5ed7c06c3612bc5930ca8c77cac8bf58ec403f3 SHA1 fa1bf6674f775fa1b5934f4707c9e7eafed0d8a9 SHA256 b22f56707b96df785ebc20b48faf9761fb52cf4a362be875c60071b0d4572be1 +AUX stunnel.conf 1423 RMD160 606c53b0e241e44c8aabe423ca6772dc76aa69a9 SHA1 0b18a6dea836abc3c224c367f9ebd6fa30b931f2 SHA256 be8deb0e051f594e14c898c2ec8a4a6879adcd48a56286093653346d12c3f105 +AUX stunnel.initd 1758 RMD160 96506108f0d7cbd4337aec6fb62e026abdadddd4 SHA1 2ed4a796c155cd57e5d9ebcdcabccdbceab68c35 SHA256 b79ca05f3aae99394242bd086626bc6b84d3b9803ed6ddac4131739e927f46aa +AUX stunnel.rc6 779 RMD160 3cb0ba8b6f90484a9cec951e3eb36eef45169f6d SHA1 7de8dc829e271b3ed248e3b44afb9b537621cc02 SHA256 b2128e3bfe38485ef4afad35b57d8711666281087f3fcf920d5d313642e06dea +DIST stunnel-4.29.tar.gz 544292 RMD160 7861b38da0c9b1bf5c3aa8c1e9a654d7cedec5ba SHA1 f93ac9054c62b1db0dcf44f668d323d82cc0f413 SHA256 018064e852a2a125bcfb4b81baa77b5701ccf6aabe6a47564bfc046b18d11f9b +EBUILD stunnel-4.29.ebuild 2256 RMD160 e6b724cbaff2f57604376b3e5a0d9d4bf2117ae2 SHA1 d5aa6ff6535d02a3b0a32333aabb632144458e94 SHA256 9b72309d3fcb46d9cddc44027f660ed1b6d8bb5c4e73051f1945abfcb43e2373 diff --git a/net-misc/stunnel/files/stunnel-3.26-gentoo.diff b/net-misc/stunnel/files/stunnel-3.26-gentoo.diff new file mode 100644 index 00000000..a6d0faa6 --- /dev/null +++ b/net-misc/stunnel/files/stunnel-3.26-gentoo.diff @@ -0,0 +1,29 @@ +--- Makefile.in Sun Dec 23 12:03:25 2001 ++++ Makefile.in Thu Jan 17 12:28:22 2002 +@@ -9,7 +9,7 @@ + sbindir=@sbindir@ + libdir=@libdir@ + man8dir=@mandir@/man8 +-piddir=@localstatedir@/stunnel/ ++piddir=/var/run + ssldir=@ssldir@ + openssl=$(ssldir)/bin/openssl + PEM_DIR=@PEM_DIR@ +@@ -24,7 +24,7 @@ + LIBS=@LIBS@ + HEADERS=common.h prototypes.h client.h + OBJS=client.o stunnel.o ssl.o protocol.o sthreads.o pty.o log.o options.o +-DESTFILES=$(sbindir)/stunnel $(libdir)/stunnel.so $(man8dir)/stunnel.8 $(PEM_DIR)/stunnel.pem ++DESTFILES=$(sbindir)/stunnel $(libdir)/stunnel.so $(man8dir)/stunnel.8 + + WINGCC=i386-mingw32msvc-gcc + WINCFLAGS=-O2 -Wall -DUSE_WIN32=1 -DHAVE_OPENSSL=1 -DFD_SETSIZE=4096 -DVERSION=\"@VERSION@\" -I../openssl-0.9.6b/outinc +@@ -33,7 +33,7 @@ + + # standard external rules + +-all: stunnel stunnel.8 stunnel.html stunnel.so stunnel.pem ++all: stunnel stunnel.8 stunnel.html stunnel.so + + install: all installdirs $(DESTFILES) + diff --git a/net-misc/stunnel/files/stunnel-4.15-xforwarded-for.diff b/net-misc/stunnel/files/stunnel-4.15-xforwarded-for.diff new file mode 100644 index 00000000..ba9703bb --- /dev/null +++ b/net-misc/stunnel/files/stunnel-4.15-xforwarded-for.diff @@ -0,0 +1,246 @@ +diff -Npru --exclude '*.rej' --exclude '*.orig' stunnel-4.29.ori/doc/stunnel.8 stunnel-4.29/doc/stunnel.8 +--- stunnel-4.29.ori/doc/stunnel.8 2010-02-20 23:20:35.304305310 +0100 ++++ stunnel-4.29/doc/stunnel.8 2010-02-20 23:23:02.984316555 +0100 +@@ -442,6 +442,10 @@ the following option can be used: + application protocol to negotiate \s-1SSL\s0 + .Sp + currently supported: cifs, connect, imap, nntp, pop3, smtp, pgsql ++.IP "\fBxforwardedfor\fR = yes | no" 4 ++.IX Item "xforwardedfor = yes | no" ++append an 'X-Forwarded-For:' HTTP request header providing the ++client's IP address to the server + .IP "\fBprotocolAuthentication\fR = auth_type" 4 + .IX Item "protocolAuthentication = auth_type" + authentication type for protocol negotiations +diff -Npru --exclude '*.rej' --exclude '*.orig' stunnel-4.29.ori/doc/stunnel.fr.8 stunnel-4.29/doc/stunnel.fr.8 +--- stunnel-4.29.ori/doc/stunnel.fr.8 2010-02-20 23:20:35.304305310 +0100 ++++ stunnel-4.29/doc/stunnel.fr.8 2010-02-20 23:21:17.254318509 +0100 +@@ -445,6 +445,10 @@ Cette option permet de relier une adress + Négocie avec \s-1SSL\s0 selon le protocole indiqué + .Sp + Actuellement gérés\ : cifs, nntp, pop3, smtp ++.IP "\fBxforwardedfor\fR = yes | no" 4 ++.IX Item "xforwardedfor = yes | no" ++Ajoute un en-tête 'X-Forwarded-For:' dans la requête HTTP fournissant ++au serveur l'adresse IP du client. + .IP "\fBpty\fR = yes | no (Unix seulement)" 4 + .IX Item "pty = yes | no (Unix seulement)" + Alloue un pseudo-terminal pour l'option «\ exec\ » +diff -Npru --exclude '*.rej' --exclude '*.orig' stunnel-4.29.ori/src/client.c stunnel-4.29/src/client.c +--- stunnel-4.29.ori/src/client.c 2010-02-20 23:20:35.304305310 +0100 ++++ stunnel-4.29/src/client.c 2010-02-20 23:30:35.824311395 +0100 +@@ -90,6 +90,12 @@ CLI *alloc_client_session(LOCAL_OPTIONS + return NULL; + } + c->opt=opt; ++ /* some options need space to add some information */ ++ if (c->opt->option.xforwardedfor) ++ c->buffsize = BUFFSIZE - BUFF_RESERVED; ++ else ++ c->buffsize = BUFFSIZE; ++ c->crlf_seen=0; + c->local_rfd.fd=rfd; + c->local_wfd.fd=wfd; + return c; +@@ -382,6 +388,28 @@ static void init_ssl(CLI *c) { + } + } + ++/* Moves all data from the buffer between positions and ++ * to insert of length . and are updated to their ++ * new respective values, and the number of characters inserted is returned. ++ * If is too long, nothing is done and -1 is returned. ++ * Note that neither nor can be NULL. ++ */ ++static int buffer_insert_with_len(char *buffer, int *start, int *stop, int limit, char *string, int len) { ++ if (len > limit - *stop) ++ return -1; ++ if (*start > *stop) ++ return -1; ++ memmove(buffer + *start + len, buffer + *start, *stop - *start); ++ memcpy(buffer + *start, string, len); ++ *start += len; ++ *stop += len; ++ return len; ++} ++ ++static int buffer_insert(char *buffer, int *start, int *stop, int limit, char *string) { ++ return buffer_insert_with_len(buffer, start, stop, limit, string, strlen(string)); ++} ++ + /****************************** some defines for transfer() */ + /* is socket/SSL open for read/write? */ + #define sock_rd (c->sock_rfd->rd) +@@ -416,13 +444,13 @@ static void transfer(CLI *c) { + check_SSL_pending=0; + + SSL_read_wants_read= +- ssl_rd && c->ssl_ptrssl_ptrbuffsize && !SSL_read_wants_write; + SSL_write_wants_write= + ssl_wr && c->sock_ptr && !SSL_write_wants_read; + + /****************************** setup c->fds structure */ + s_poll_init(&c->fds); /* initialize the structure */ +- if(sock_rd && c->sock_ptrsock_ptrbuffsize) + s_poll_add(&c->fds, c->sock_rfd->fd, 1, 0); + if(SSL_read_wants_read || + SSL_write_wants_read || +@@ -521,7 +549,7 @@ static void transfer(CLI *c) { + break; + default: + memmove(c->ssl_buff, c->ssl_buff+num, c->ssl_ptr-num); +- if(c->ssl_ptr==BUFFSIZE) /* buffer was previously full */ ++ if(c->ssl_ptr>=c->buffsize) /* buffer was previously full */ + check_SSL_pending=1; /* check for data buffered by SSL */ + c->ssl_ptr-=num; + c->sock_bytes+=num; +@@ -581,7 +609,7 @@ static void transfer(CLI *c) { + /****************************** read from socket */ + if(sock_rd && sock_can_rd) { + num=readsocket(c->sock_rfd->fd, +- c->sock_buff+c->sock_ptr, BUFFSIZE-c->sock_ptr); ++ c->sock_buff+c->sock_ptr, c->buffsize-c->sock_ptr); + switch(num) { + case -1: + parse_socket_error(c, "readsocket"); +@@ -601,10 +629,70 @@ static void transfer(CLI *c) { + (SSL_read_wants_write && ssl_can_wr) || + (check_SSL_pending && SSL_pending(c->ssl))) { + SSL_read_wants_write=0; +- num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr); ++ num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, c->buffsize-c->ssl_ptr); + switch(err=SSL_get_error(c->ssl, num)) { + case SSL_ERROR_NONE: +- c->ssl_ptr+=num; ++ if (c->buffsize != BUFFSIZE) { /* some work left to do */ ++ int last = c->ssl_ptr; ++ c->ssl_ptr += num; ++ ++ /* Look for end of HTTP headers between last and ssl_ptr. ++ * To achieve this reliably, we have to count the number of ++ * successive [CR]LF and to memorize it in case it's spread ++ * over multiple segments. --WT. ++ */ ++ while (last < c->ssl_ptr) { ++ if (c->ssl_buff[last] == '\n') { ++ if (++c->crlf_seen == 2) ++ break; ++ } else if (last < c->ssl_ptr - 1 && ++ c->ssl_buff[last] == '\r' && ++ c->ssl_buff[last+1] == '\n') { ++ if (++c->crlf_seen == 2) ++ break; ++ last++; ++ } else if (c->ssl_buff[last] != '\r') ++ /* don't refuse '\r' because we may get a '\n' on next read */ ++ c->crlf_seen = 0; ++ last++; ++ } ++ if (c->crlf_seen >= 2) { ++ /* We have all the HTTP headers now. We don't need to ++ * reserve any space anymore. points to the ++ * first byte of unread data, and points to the ++ * exact location where we want to insert our headers, ++ * which is right before the empty line. ++ */ ++ c->buffsize = BUFFSIZE; ++ ++ if (c->opt->option.xforwardedfor) { ++ /* X-Forwarded-For: xxxx \r\n\0 */ ++ char xforw[17 + IPLEN + 3]; ++ ++ /* We will insert our X-Forwarded-For: header here. ++ * We need to write the IP address, but if we use ++ * sprintf, it will pad with the terminating 0. ++ * So we will pass via a temporary buffer allocated ++ * on the stack. ++ */ ++ memcpy(xforw, "X-Forwarded-For: ", 17); ++ if (getnameinfo(&c->peer_addr.addr[0].sa, ++ addr_len(c->peer_addr.addr[0]), ++ xforw + 17, IPLEN, NULL, 0, ++ NI_NUMERICHOST) == 0) { ++ strcat(xforw + 17, "\r\n"); ++ buffer_insert(c->ssl_buff, &last, &c->ssl_ptr, ++ c->buffsize, xforw); ++ } ++ /* last still points to the \r\n and ssl_ptr to the ++ * end of the buffer, so we may add as many headers ++ * as wee need to. ++ */ ++ } ++ } ++ } ++ else ++ c->ssl_ptr+=num; + watchdog=0; /* reset watchdog */ + break; + case SSL_ERROR_WANT_WRITE: +diff -Npru --exclude '*.rej' --exclude '*.orig' stunnel-4.29.ori/src/common.h stunnel-4.29/src/common.h +--- stunnel-4.29.ori/src/common.h 2010-02-20 23:20:35.304305310 +0100 ++++ stunnel-4.29/src/common.h 2010-02-20 23:21:17.254318509 +0100 +@@ -53,6 +53,9 @@ + /* I/O buffer size */ + #define BUFFSIZE 16384 + ++/* maximum space reserved for header insertion in BUFFSIZE */ ++#define BUFF_RESERVED 1024 ++ + /* Length of strings (including the terminating '\0' character) */ + /* It can't be lower than 256 bytes or NTLM authentication will break */ + #define STRLEN 256 +diff -Npru --exclude '*.rej' --exclude '*.orig' stunnel-4.29.ori/src/options.c stunnel-4.29/src/options.c +--- stunnel-4.29.ori/src/options.c 2010-02-20 23:20:35.304305310 +0100 ++++ stunnel-4.29/src/options.c 2010-02-20 23:39:27.664316438 +0100 +@@ -781,6 +781,29 @@ static char *service_options(CMD cmd, LO + } + #endif + ++ /* xforwardedfor */ ++ switch(cmd) { ++ case CMD_INIT: ++ section->option.xforwardedfor=0; ++ break; ++ case CMD_EXEC: ++ if(strcasecmp(opt, "xforwardedfor")) ++ break; ++ if(!strcasecmp(arg, "yes")) ++ section->option.xforwardedfor=1; ++ else if(!strcasecmp(arg, "no")) ++ section->option.xforwardedfor=0; ++ else ++ return "argument should be either 'yes' or 'no'"; ++ return NULL; /* OK */ ++ case CMD_DEFAULT: ++ break; ++ case CMD_HELP: ++ s_log("%-15s = yes|no append an HTTP X-Forwarded-For header", ++ "xforwardedfor"); ++ break; ++ } ++ + /* exec */ + #ifndef USE_WIN32 + switch(cmd) { +diff -Npru --exclude '*.rej' --exclude '*.orig' stunnel-4.29.ori/src/prototypes.h stunnel-4.29/src/prototypes.h +--- stunnel-4.29.ori/src/prototypes.h 2010-02-20 23:20:35.304305310 +0100 ++++ stunnel-4.29/src/prototypes.h 2010-02-20 23:33:11.984312629 +0100 +@@ -229,6 +229,7 @@ typedef struct local_options { + unsigned int delayed_lookup:1; + unsigned int accept:1; + unsigned int remote:1; ++ unsigned int xforwardedfor:1; + unsigned int retry:1; /* loop remote+program */ + unsigned int sessiond:1; + #ifndef USE_WIN32 +@@ -334,6 +335,8 @@ typedef struct { + FD *ssl_rfd, *ssl_wfd; /* Read and write SSL descriptors */ + int sock_bytes, ssl_bytes; /* Bytes written to socket and ssl */ + s_poll_set fds; /* File descriptors */ ++ int buffsize; /* current buffer size, may be lower than BUFFSIZE */ ++ int crlf_seen; /* the number of successive CRLF seen */ + } CLI; + + extern int max_clients; diff --git a/net-misc/stunnel/files/stunnel-4.21-libwrap.patch b/net-misc/stunnel/files/stunnel-4.21-libwrap.patch new file mode 100644 index 00000000..c64f8e6c --- /dev/null +++ b/net-misc/stunnel/files/stunnel-4.21-libwrap.patch @@ -0,0 +1,10 @@ +--- stunnel-4.21/configure.ac 2007-08-09 00:43:10.000000000 +0200 ++++ stunnel-4.21.new/configure.ac 2007-11-02 16:16:11.000000000 +0100 +@@ -343,6 +343,7 @@ + case "$enableval" in + yes) AC_MSG_RESULT([no]) + AC_DEFINE(HAVE_LIBWRAP) ++ LIBS="$LIBS -lwrap" + ;; + no) AC_MSG_RESULT([yes]) + ;; diff --git a/net-misc/stunnel/files/stunnel.conf b/net-misc/stunnel/files/stunnel.conf new file mode 100644 index 00000000..4aa8b8c5 --- /dev/null +++ b/net-misc/stunnel/files/stunnel.conf @@ -0,0 +1,61 @@ +# Sample stunnel configuration file by Michal Trojnara 2002-2005 +# Some options used here may not be adequate for your particular configuration +# Please make sure you understand them (especially the effect of chroot jail) + +# Certificate/key is needed in server mode and optional in client mode +# cert = /etc/stunnel/stunnel.pem +# key = /etc/stunnel/stunnel.pem + +# Some security enhancements for UNIX systems - comment them out on Win32 +# chroot = /chroot/stunnel/ +setuid = stunnel +setgid = stunnel +# PID is created inside chroot jail +pid = /var/run/stunnel/stunnel.pid + +# Some performance tunings +socket = l:TCP_NODELAY=1 +socket = r:TCP_NODELAY=1 +#compression = rle + +# Workaround for Eudora bug +#options = DONT_INSERT_EMPTY_FRAGMENTS + +# Authentication stuff +#verify = 2 +# Don't forget to c_rehash CApath +# CApath is located inside chroot jail: +#CApath = /certs +# It's often easier to use CAfile: +#CAfile = /etc/stunnel/certs.pem +# Don't forget to c_rehash CRLpath +# CRLpath is located inside chroot jail: +#CRLpath = /crls +# Alternatively you can use CRLfile: +#CRLfile = /etc/stunnel/crls.pem + +# Some debugging stuff useful for troubleshooting +#debug = 7 +#output = stunnel.log + +# Use it for client mode +#client = yes + +# Service-level configuration + +#[pop3s] +#accept = 995 +#connect = 110 + +#[imaps] +#accept = 993 +#connect = 143 + +#[ssmtp] +#accept = 465 +#connect = 25 + +#[https] +#accept = 443 +#connect = 80 +#TIMEOUTclose = 0 diff --git a/net-misc/stunnel/files/stunnel.initd b/net-misc/stunnel/files/stunnel.initd new file mode 100644 index 00000000..e5bb3f0c --- /dev/null +++ b/net-misc/stunnel/files/stunnel.initd @@ -0,0 +1,68 @@ +#!/sbin/runscript +# Copyright 1999-2009 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +# Default pidfile location +DEFAULT_PIDFILE="/var/run/stunnel/stunnel.pid" +FILES="/etc/stunnel/*.conf" +DAEMON="/usr/sbin/stunnel" + +depend() { + need net + before logger +} + +get_pids() { + local file=${1} + if test -f ${file} ; then + CHROOT=$(grep "^chroot" ${file} | sed "s;.*= *;;") + PIDFILE=$(grep "^pid" ${file} | sed "s;.*= *;;") + if [ "${PIDFILE}" == "" ] ; then + PIDFILE="${DEFAULT_PIDFILE}" + fi + if test -f ${CHROOT}/${PIDFILE} ; then + cat ${CHROOT}/${PIDFILE} + fi + fi +} + +start() { + rm -rf /var/run/stunnel/*.pid + ebegin "Starting stunnel" + for file in ${FILES} ; do + if test -f "${file}" ; then + ARGS="${file} ${STUNNEL_OPTIONS}" + PROCLIST="$(get_pids ${file})" + CHROOT=$(grep "^chroot" ${file} | sed "s;.*= *;;") + PIDFILE=$(grep "^pid" ${file} | sed "s;.*= *;;") + if [ "${PROCLIST}" ] && kill -0 ${PROCLIST} 2> /dev/null ; then + ewarn " already running: ${file} " + elif ${DAEMON} ${ARGS} ; then + if test -f ${CHROOT}/${PIDFILE} ; then + einfo " ${file}" + else + eerror " error starting: ${file}" + fi + fi + fi + done + eend $? +} + +stop() { + ebegin "Stopping stunnel" + for file in ${FILES} ; do + PROCLIST=$(get_pids ${file}) + if [ "${PROCLIST}" ] && kill -0 ${PROCLIST} 2> /dev/null ; then + kill ${PROCLIST} + einfo " ${file} " + fi + done + eend $? +} + +restart() { + svc_stop + sleep 1 + svc_start +} diff --git a/net-misc/stunnel/files/stunnel.rc6 b/net-misc/stunnel/files/stunnel.rc6 new file mode 100644 index 00000000..3708a1c0 --- /dev/null +++ b/net-misc/stunnel/files/stunnel.rc6 @@ -0,0 +1,34 @@ +#!/sbin/runscript +# Copyright 1999-2007 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +# Default pidfile location +PIDFILE="/var/run/stunnel/stunnel.pid" + +checkconfig() { + # To ensure backwards compatibility + if grep -q /etc/stunnel/stunnel.pid /etc/stunnel/stunnel.conf; then + ewarn "Please update your stunnel.conf!" + ewarn "pid should point to /var/run/stunnel/stunnel.pid" + PIDFILE="/etc/stunnel/stunnel.pid" + fi +} + +depend() { + need net +} + +start() { + checkconfig + ebegin "Starting stunnel" + start-stop-daemon --start --quiet --pidfile "${PIDFILE}" \ + --exec /usr/bin/stunnel -- /etc/stunnel/stunnel.conf + eend $? +} + +stop() { + checkconfig + ebegin "Stopping stunnel" + start-stop-daemon --stop --quiet --pidfile "${PIDFILE}" + eend $? +} diff --git a/net-misc/stunnel/stunnel-4.29.ebuild b/net-misc/stunnel/stunnel-4.29.ebuild new file mode 100644 index 00000000..a2a91678 --- /dev/null +++ b/net-misc/stunnel/stunnel-4.29.ebuild @@ -0,0 +1,76 @@ +# Copyright 1999-2010 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-misc/stunnel/stunnel-4.29.ebuild,v 1.2 2010/01/15 20:19:33 ramereth Exp $ + +inherit autotools ssl-cert eutils + +DESCRIPTION="TLS/SSL - Port Wrapper" +HOMEPAGE="http://stunnel.mirt.net/" +SRC_URI="http://www.stunnel.org/download/stunnel/src/${P}.tar.gz" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~alpha amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~s390 ~sparc x86" +IUSE="ipv6 selinux tcpd" + +DEPEND="tcpd? ( sys-apps/tcp-wrappers ) + >=dev-libs/openssl-0.9.8k" +RDEPEND="${DEPEND} + selinux? ( sec-policy/selinux-stunnel )" + +pkg_setup() { + enewgroup stunnel + enewuser stunnel -1 -1 -1 stunnel +} + +src_unpack() { + unpack ${A} + cd "${S}" + epatch "${FILESDIR}/${PN}-4.21-libwrap.patch" + epatch "${FILESDIR}/${PN}-4.15-xforwarded-for.diff" + eautoreconf + + # Hack away generation of certificate + sed -i -e "s/^install-data-local:/do-not-run-this:/" \ + tools/Makefile.in || die "sed failed" +} + +src_compile() { + econf $(use_enable ipv6) \ + $(use_enable tcpd libwrap) || die "econf died" + emake || die "emake died" +} + +src_install() { + emake DESTDIR="${D}" install || die "emake install failed" + rm -rf "${D}"/usr/share/doc/${PN} + rm -f "${D}"/etc/stunnel/stunnel.conf-sample "${D}"/usr/bin/stunnel3 \ + "${D}"/usr/share/man/man8/stunnel.{fr,pl}.8 + + # The binary was moved to /usr/bin with 4.21, + # symlink for backwards compatibility + dosym ../bin/stunnel /usr/sbin/stunnel + + dodoc AUTHORS BUGS CREDITS PORTS README TODO ChangeLog + dohtml doc/stunnel.html doc/en/VNC_StunnelHOWTO.html tools/ca.html \ + tools/importCA.html + + insinto /etc/stunnel + doins "${FILESDIR}"/stunnel.conf + newinitd "${FILESDIR}"/stunnel.initd stunnel + + keepdir /var/run/stunnel + fowners stunnel:stunnel /var/run/stunnel +} + +pkg_postinst() { + if [ ! -f "${ROOT}"/etc/stunnel/stunnel.key ]; then + install_cert /etc/stunnel/stunnel + chown stunnel:stunnel "${ROOT}"/etc/stunnel/stunnel.{crt,csr,key,pem} + chmod 0640 "${ROOT}"/etc/stunnel/stunnel.{crt,csr,key,pem} + fi + + einfo "If you want to run multiple instances of stunnel, create a new config" + einfo "file ending with .conf in /etc/stunnel/. **Make sure** you change " + einfo "\'pid= \' with a unique filename." +} -- cgit v1.2.3