Last active
December 28, 2018 14:44
-
-
Save grantc/bbaa657f00191be1e88b to your computer and use it in GitHub Desktop.
X-Forwarded-For patch for Stunnel 5.22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
diff -rupN stunnel-5.22.orig/doc/stunnel.8.in stunnel-5.22/doc/stunnel.8.in | |
--- stunnel-5.22.orig/doc/stunnel.8.in 2015-07-27 09:54:55.000000000 +0000 | |
+++ stunnel-5.22/doc/stunnel.8.in 2015-08-18 09:25:06.868928121 +0000 | |
@@ -964,6 +964,10 @@ This option has been renamed to \fInone\ | |
.RE | |
.RS 4 | |
.RE | |
+.IP "\fBxforwardedfor\fR = yes | no" 4 | |
+.IX Item "xforwardedfor = yes | no" | |
+append an 'X-Forwarded-For:' HTTP request header providing the | |
+client's IP address to the server. | |
.IP "\fBverify\fR = \s-1LEVEL\s0" 4 | |
.IX Item "verify = LEVEL" | |
verify the peer certificate | |
diff -rupN stunnel-5.22.orig/src/client.c stunnel-5.22/src/client.c | |
--- stunnel-5.22.orig/src/client.c 2015-07-22 13:24:31.000000000 +0000 | |
+++ stunnel-5.22/src/client.c 2015-08-18 09:25:06.868928121 +0000 | |
@@ -48,6 +48,8 @@ | |
#define SHUT_RDWR 2 | |
#endif | |
+#define IPLEN 40 | |
+ | |
NOEXPORT void client_try(CLI *); | |
NOEXPORT void client_run(CLI *); | |
NOEXPORT void local_start(CLI *); | |
@@ -74,6 +76,12 @@ CLI *alloc_client_session(SERVICE_OPTION | |
c=str_alloc_detached(sizeof(CLI)); | |
c->opt=opt; | |
+ /* some options need space to add some information */ | |
+ if (c->opt->option.xforwardedfor) | |
+ c->buffsize = BUFFSIZE - BUFF_RESERVED; | |
+ else | |
+ c->buffsize = BUFFSIZE; | |
+ c->crlf_seen=0; | |
c->local_rfd.fd=rfd; | |
c->local_wfd.fd=wfd; | |
c->redirect=REDIRECT_OFF; | |
@@ -525,6 +533,28 @@ NOEXPORT void new_chain(CLI *c) { | |
s_log(LOG_DEBUG, "Peer certificate was cached (%d bytes)", len); | |
} | |
+/** Moves all data from the buffer <buffer> between positions <start> and <stop> | |
+ * to insert <string> of length <len>. <start> and <stop> are updated to their | |
+ * new respective values, and the number of characters inserted is returned. | |
+ * If <len> is too long, nothing is done and -1 is returned. | |
+ * Note that neither <string> nor <buffer> can be NULL. | |
+ */ | |
+static int buffer_insert_with_len(char *buffer, int *start, int *stop, int limit, char *string, int len) { | |
+ if (len > limit - *stop) | |
+ return -1; | |
+ if (*start > *stop) | |
+ return -1; | |
+ memmove(buffer + *start + len, buffer + *start, *stop - *start); | |
+ memcpy(buffer + *start, string, len); | |
+ *start += len; | |
+ *stop += len; | |
+ return len; | |
+} | |
+ | |
+static int buffer_insert(char *buffer, int *start, int *stop, int limit, char *string) { | |
+ return buffer_insert_with_len(buffer, start, stop, limit, string, strlen(string)); | |
+} | |
+ | |
/****************************** transfer data */ | |
NOEXPORT void transfer(CLI *c) { | |
int watchdog=0; /* a counter to detect an infinite loop */ | |
@@ -549,7 +579,7 @@ NOEXPORT void transfer(CLI *c) { | |
do { /* main loop of client data transfer */ | |
/****************************** initialize *_wants_* */ | |
read_wants_read|=!(SSL_get_shutdown(c->ssl)&SSL_RECEIVED_SHUTDOWN) | |
- && c->ssl_ptr<BUFFSIZE && !read_wants_write; | |
+ && c->ssl_ptr<c->buffsize && !read_wants_write; | |
write_wants_write|=!(SSL_get_shutdown(c->ssl)&SSL_SENT_SHUTDOWN) | |
&& c->sock_ptr && !write_wants_read; | |
@@ -558,7 +588,7 @@ NOEXPORT void transfer(CLI *c) { | |
/* for plain socket open data strem = open file descriptor */ | |
/* make sure to add each open socket to receive exceptions! */ | |
if(sock_open_rd) /* only poll if the read file descriptor is open */ | |
- s_poll_add(c->fds, c->sock_rfd->fd, c->sock_ptr<BUFFSIZE, 0); | |
+ s_poll_add(c->fds, c->sock_rfd->fd, c->sock_ptr<c->buffsize, 0); | |
if(sock_open_wr) /* only poll if the write file descriptor is open */ | |
s_poll_add(c->fds, c->sock_wfd->fd, 0, c->ssl_ptr>0); | |
/* poll SSL file descriptors unless SSL shutdown was completed */ | |
@@ -673,7 +703,7 @@ NOEXPORT void transfer(CLI *c) { | |
/****************************** read from socket */ | |
if(sock_open_rd && sock_can_rd) { | |
num=readsocket(c->sock_rfd->fd, | |
- c->sock_buff+c->sock_ptr, BUFFSIZE-c->sock_ptr); | |
+ c->sock_buff+c->sock_ptr, c->buffsize-c->sock_ptr); | |
switch(num) { | |
case -1: | |
if(parse_socket_error(c, "readsocket")) | |
@@ -693,7 +723,7 @@ NOEXPORT void transfer(CLI *c) { | |
/****************************** update *_wants_* based on new *_ptr */ | |
/* this update is also required for SSL_pending() to be used */ | |
read_wants_read|=!(SSL_get_shutdown(c->ssl)&SSL_RECEIVED_SHUTDOWN) | |
- && c->ssl_ptr<BUFFSIZE && !read_wants_write; | |
+ && c->ssl_ptr<c->buffsize && !read_wants_write; | |
write_wants_write|=!(SSL_get_shutdown(c->ssl)&SSL_SENT_SHUTDOWN) | |
&& c->sock_ptr && !write_wants_read; | |
diff -rupN stunnel-5.22.orig/src/common.h stunnel-5.22/src/common.h | |
--- stunnel-5.22.orig/src/common.h 2015-06-01 14:25:32.000000000 +0000 | |
+++ stunnel-5.22/src/common.h 2015-08-18 09:25:06.869928114 +0000 | |
@@ -51,6 +51,9 @@ | |
/* I/O buffer size: 18432 (0x4800) is the maximum size of SSL record payload */ | |
#define BUFFSIZE 18432 | |
+/* maximum space reserved for header insertion in BUFFSIZE */ | |
+#define BUFF_RESERVED 1024 | |
+ | |
/* how many bytes of random input to read from files for PRNG */ | |
/* OpenSSL likes at least 128 bits, so 64 bytes seems plenty. */ | |
#define RANDOM_BYTES 64 | |
diff -rupN stunnel-5.22.orig/src/options.c stunnel-5.22/src/options.c | |
--- stunnel-5.22.orig/src/options.c 2015-07-16 11:19:07.000000000 +0000 | |
+++ stunnel-5.22/src/options.c 2015-08-18 09:25:06.870928107 +0000 | |
@@ -1658,6 +1658,33 @@ NOEXPORT char *parse_service_option(CMD | |
#endif /* !defined(OPENSSL_NO_ENGINE) */ | |
+ /* xforwardedfor */ | |
+ switch(cmd) { | |
+ case CMD_BEGIN: | |
+ section->option.xforwardedfor=0; | |
+ break; | |
+ case CMD_EXEC: | |
+ if(strcasecmp(opt, "xforwardedfor")) | |
+ break; | |
+ if(!strcasecmp(arg, "yes")) | |
+ section->option.xforwardedfor=1; | |
+ else if(!strcasecmp(arg, "no")) | |
+ section->option.xforwardedfor=0; | |
+ else | |
+ return "argument should be either 'yes' or 'no'"; | |
+ return NULL; /* OK */ | |
+ case CMD_END: | |
+ break; | |
+ case CMD_FREE: | |
+ break; | |
+ case CMD_DEFAULT: | |
+ break; | |
+ case CMD_HELP: | |
+ s_log(LOG_NOTICE, "%-22s = yes|no append an HTTP X-Forwarded-For header", | |
+ "xforwardedfor"); | |
+ break; | |
+ } | |
+ | |
/* exec */ | |
switch(cmd) { | |
case CMD_BEGIN: | |
diff -rupN stunnel-5.22.orig/src/prototypes.h stunnel-5.22/src/prototypes.h | |
--- stunnel-5.22.orig/src/prototypes.h 2015-07-22 13:24:31.000000000 +0000 | |
+++ stunnel-5.22/src/prototypes.h 2015-08-18 09:25:06.871928100 +0000 | |
@@ -271,6 +271,7 @@ typedef struct service_options_struct { | |
unsigned accept:1; /* endpoint: accept */ | |
unsigned client:1; | |
unsigned delayed_lookup:1; | |
+ unsigned int xforwardedfor:1; | |
#ifdef USE_LIBWRAP | |
unsigned libwrap:1; | |
#endif | |
@@ -395,6 +396,8 @@ typedef struct { | |
uint64_t sock_bytes, ssl_bytes; /* bytes written to socket and SSL */ | |
s_poll_set *fds; /* file descriptors */ | |
uintptr_t redirect; /* redirect to another destination after failed auth */ | |
+ int buffsize; /* current buffer size, may be lower than BUFFSIZE */ | |
+ int crlf_seen; /* the number of successive CRLF seen */ | |
} CLI; | |
/**************************************** prototypes for stunnel.c */ | |
diff -rupN stunnel-5.22.orig/tools/stunnel.init.redhat stunnel-5.22/tools/stunnel.init.redhat | |
--- stunnel-5.22.orig/tools/stunnel.init.redhat 1970-01-01 00:00:00.000000000 +0000 | |
+++ stunnel-5.22/tools/stunnel.init.redhat 2015-08-18 09:35:40.848726158 +0000 | |
@@ -0,0 +1,72 @@ | |
+#!/bin/sh | |
+# | |
+# stunnel Start/Stop the stunnel daemons | |
+# | |
+# description: stunnel is a script that runs stunnel daemons | |
+# version 1.00 | |
+# | |
+# chkconfig: 345 40 60 | |
+# | |
+# processname: stunnel | |
+# pidfile: /var/run/stunnel/stunnel.pid | |
+# | |
+ | |
+# Source function library. | |
+. /etc/rc.d/init.d/functions | |
+ | |
+servicename=stunnel | |
+processname=stunnel | |
+pidfile=/var/run/stunnel/stunnel.pid | |
+ | |
+RETVAL=0 | |
+ | |
+start() { | |
+ | |
+ echo -n "Starting stunnel services: " | |
+ daemon --check $servicename '/usr/sbin/stunnel /etc/stunnel/stunnel.conf &>/dev/null' | |
+ RETVAL=$? | |
+ echo | |
+ [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$servicename | |
+ | |
+} | |
+ | |
+stop() { | |
+ | |
+ echo -n "Stopping stunnel services: " | |
+ killproc -p $pidfile $servicename | |
+ RETVAL=$? | |
+ echo | |
+ [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$servicename | |
+ | |
+} | |
+ | |
+# See how we were called. | |
+case "$1" in | |
+ start) | |
+ start | |
+ ;; | |
+ stop) | |
+ stop | |
+ ;; | |
+ status) | |
+ status -p $pidfile $processname | |
+ RETVAL=$? | |
+ ;; | |
+ restart) | |
+ stop | |
+ start | |
+ ;; | |
+ condrestart) | |
+ if [ -f /var/lock/subsys/$servicename ]; then | |
+ stop | |
+ start | |
+ fi | |
+ ;; | |
+ *) | |
+ echo $"Usage: $0 {start|stop|status|restart|condrestart}" | |
+ RETVAL=1 | |
+ ;; | |
+esac | |
+ | |
+exit $RETVAL | |
+ | |
diff -rupN stunnel-5.22.orig/tools/stunnel.spec stunnel-5.22/tools/stunnel.spec | |
--- stunnel-5.22.orig/tools/stunnel.spec 2015-07-27 09:51:20.000000000 +0000 | |
+++ stunnel-5.22/tools/stunnel.spec 2015-08-18 10:54:37.765604102 +0000 | |
@@ -7,11 +7,13 @@ Version: 5.22 | |
Release: 1 | |
License: GPL with an OpenSSL exception | |
Group: Applications/Networking | |
-Source: stunnel-%{version}.tar.gz | |
+Source0: stunnel-%{version}.tar.gz | |
+Source1: stunnel.init.redhat | |
Packager: Bill Quayle <Bill.Quayle@citadel.com> | |
Requires: openssl >= 0.9.7 | |
BuildRequires: openssl-devel >= 0.9.7 | |
Buildroot: /var/tmp/stunnel-%{version}-root | |
+Patch0: stunnel-5.22.xforwardfor.patch | |
%description | |
The stunnel program is designed to work as SSL encryption wrapper | |
@@ -27,6 +29,7 @@ changes to the source code. | |
%prep | |
%setup -n stunnel-%{version} | |
+%patch0 -p1 | |
%build | |
if [ ! -x ./configure ]; then | |
@@ -51,7 +54,7 @@ CFLAGS="%{optflags}" ./configure --prefi | |
%{__install} -m755 src/.libs/libstunnel.la %{buildroot}%{_libdir} | |
%{__install} -m644 doc/stunnel.8 %{buildroot}%{_mandir}/man8/stunnel.8 | |
%{__install} -m644 tools/stunnel.conf-sample %{buildroot}%{_sysconfdir}/stunnel | |
-%{__install} -m500 tools/stunnel.init %{buildroot}%{_initrddir}/stunnel | |
+%{__install} -m500 %SOURCE1 %{buildroot}%{_initrddir}/stunnel | |
%clean | |
%{__rm} -rf %{buildroot} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
it seems that this part is missing?