Respin x-forwarded-for and listen-queue patches.
authorRobin H. Johnson <robbat2@gentoo.org>
Tue, 11 Oct 2011 21:00:16 +0000 (21:00 +0000)
committerRobin H. Johnson <robbat2@gentoo.org>
Tue, 11 Oct 2011 21:00:16 +0000 (21:00 +0000)
Package-Manager: portage-2.2.0_alpha60/cvs/Linux x86_64

net-misc/stunnel/ChangeLog
net-misc/stunnel/Manifest
net-misc/stunnel/files/stunnel-4.44-listen-queue.diff [new file with mode: 0644]
net-misc/stunnel/files/stunnel-4.44-xforwarded-for.diff [new file with mode: 0644]
net-misc/stunnel/stunnel-4.44.ebuild

index d23e91d5dac20b17e37edda8f2eacfac2fd843ec..5950e33655c505ba99d4462340fa5c4990081d33 100644 (file)
@@ -1,6 +1,11 @@
 # ChangeLog for net-misc/stunnel
 # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/stunnel/ChangeLog,v 1.121 2011/10/11 20:40:43 robbat2 Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/stunnel/ChangeLog,v 1.122 2011/10/11 21:00:16 robbat2 Exp $
+
+  11 Oct 2011; Robin H. Johnson <robbat2@gentoo.org> stunnel-4.44.ebuild,
+  +files/stunnel-4.44-listen-queue.diff,
+  +files/stunnel-4.44-xforwarded-for.diff:
+  Respin x-forwarded-for and listen-queue patches.
 
 *stunnel-4.44 (11 Oct 2011)
 
index 68d80ef777dbaa31ee40741ea509e8e451b9eea4..c765a3ab9f506b71703cbf024b78d5a56624e5c7 100644 (file)
@@ -6,6 +6,8 @@ AUX stunnel-4.35-libwrap.patch 376 RMD160 15f315eb2781b77b2bb60a8f9325f8914ffb07
 AUX stunnel-4.35-xforwarded-for.diff 11107 RMD160 6ace7ec8453c8b407c144e9828700ad5e00f1ed7 SHA1 685e65c67cf40497f13ab8f94e160eb176204ca7 SHA256 f5c96080dce032cc15bca3ceea14cf79a55f0512096d8651533f2313f95eac37
 AUX stunnel-4.36-listen-queue.diff 2021 RMD160 c44ba206ea12ddfd8e15d0fc6e082af9b4ed9bd3 SHA1 d83c55aa831e7d8428574725a4a2bc7596e02ada SHA256 079ea18938d35247624b00111f77730ff2589b64f8c04917d8d9ec0454e8c017
 AUX stunnel-4.36-xforwarded-for.diff 11016 RMD160 8ccc0eaf03a5ea661e901ff946cd421d4c24ac8d SHA1 6605733462fcd399b270cd6ef6ce02fe1f021728 SHA256 46d390028a4476bf7fbec5f4d9d82a8cbf7e8f74a47848982f3c0ca3b016fdd6
+AUX stunnel-4.44-listen-queue.diff 2205 RMD160 36148a313fb3176e7823cfe64adb4e119d66308c SHA1 8a4d689593b5d371d07595b82ef553d3d080afac SHA256 5b94f4b1b2e1daec6a4f28fccf2bbc738581fdb7efcf700d9394af71e5d734fa
+AUX stunnel-4.44-xforwarded-for.diff 11232 RMD160 a61bc8ab437daa2f76749667e54c09bb87b8b945 SHA1 9ce729ea0461398ea18a4ba792c9647b593f031d SHA256 0bdef230b03c2086992bc0e4e8e11bd625695bafc56f222d3a3ed69de34706ee
 AUX stunnel.conf 1423 RMD160 606c53b0e241e44c8aabe423ca6772dc76aa69a9 SHA1 0b18a6dea836abc3c224c367f9ebd6fa30b931f2 SHA256 be8deb0e051f594e14c898c2ec8a4a6879adcd48a56286093653346d12c3f105
 AUX stunnel.initd 1986 RMD160 66b0631d02a665a0fadca460502c7c09fa5c7b9c SHA1 5330e325d2f82896e0d7dc374a7b3c1f840fb2ef SHA256 4f97093f81b854099851ba32552b36036906933933f7a794c7b1e6aa1c006e3b
 AUX stunnel.rc6 779 RMD160 3cb0ba8b6f90484a9cec951e3eb36eef45169f6d SHA1 7de8dc829e271b3ed248e3b44afb9b537621cc02 SHA256 b2128e3bfe38485ef4afad35b57d8711666281087f3fcf920d5d313642e06dea
@@ -20,6 +22,6 @@ EBUILD stunnel-4.25.ebuild 2377 RMD160 ba0d4c2d24962f5afe8df92c350560a8cc4a4487
 EBUILD stunnel-4.33.ebuild 2245 RMD160 3267a54d1c4140e032cc0693390501f17563c79a SHA1 efd7487f1ac3aa47eb0a5e33b0a6287d0d8cb34f SHA256 9cfc4d7ef2f71530f96ffb8889f31adccdedc6740eb9a9dfa45dccce5c971310
 EBUILD stunnel-4.35.ebuild 2309 RMD160 c4a6d8136303b8db186ca90a71462a3690ef61fd SHA1 158273189062c86b50bf14dab76b1efc28277200 SHA256 89931c8f7a07d390aa09ced4bd6b5fd6b95bdc62c16e3fa9f8bdb6d3e32a1313
 EBUILD stunnel-4.36.ebuild 2272 RMD160 ee2aca759976e5d396ee8bf113f140de8336d814 SHA1 24b92d9e3a9ddeeca774bba04421160701454810 SHA256 5b089686d0251f593b367b1169953706117b870630b59f13c7c292c67e9f4f37
-EBUILD stunnel-4.44.ebuild 2271 RMD160 e7995baa0173ed0aff0b15705c32c49b7b2783b7 SHA1 e627a27c2dd5b861109b9004ec7204c02d982593 SHA256 3b99485ccfcc34bb39728fe2befe9933178f19908c58447ab932ead1507fa54f
-MISC ChangeLog 17812 RMD160 e3d683389c2257ad486df201a4cf43aed25bcfeb SHA1 773b0d072f478bf9148002ac5c2a21648eeb8a85 SHA256 a04a2e70fbc663a8643f0bc33a31f04d01cbc2dbbf05c71b37d9020617dc59b0
+EBUILD stunnel-4.44.ebuild 2271 RMD160 2a5fb817eb42f5514d19e0a152b9d2a8ddf13f93 SHA1 8604bd6783cf302f05ff5e35c452095a0709db1f SHA256 f073839ea8057e76aa860ed0dbed777f00089bafc144a6f4e9263a612c909b41
+MISC ChangeLog 18022 RMD160 4f3a17707e93ddb678e1139ce5fccc29d2c666c1 SHA1 2939dc4fc6547da1321ffc3ba3c7ee58e0de3747 SHA256 225b21ef4750382e4e56207b5dba1f682c16d88158c24cdbf8cec330d3bd164e
 MISC metadata.xml 784 RMD160 89e67398f37eaab7e716f336e9a48834aa533e44 SHA1 257a543cc1a3f69230e15a575ea8b402b4f05bbe SHA256 e2ed38541831cdd5b54a060003b85c5b0b1cd92c22161f4aa72261cdfc365077
diff --git a/net-misc/stunnel/files/stunnel-4.44-listen-queue.diff b/net-misc/stunnel/files/stunnel-4.44-listen-queue.diff
new file mode 100644 (file)
index 0000000..8f97e4d
--- /dev/null
@@ -0,0 +1,51 @@
+diff -Nuar --exclude '*.orig' stunnel-4.44.orig/src/options.c stunnel-4.44/src/options.c
+--- stunnel-4.44.orig/src/options.c    2011-09-10 16:44:16.000000000 +0000
++++ stunnel-4.44/src/options.c 2011-10-11 20:52:51.207293970 +0000
+@@ -1508,6 +1508,24 @@
+         break;
+     }
++    /* listenqueue */
++    switch(cmd) {
++    case CMD_INIT:
++        section->listenqueue=SOMAXCONN;
++        break;
++    case CMD_EXEC:
++        if(strcasecmp(opt, "listenqueue"))
++            break;
++        section->listenqueue=atoi(arg);
++        return (section->listenqueue?NULL:"Bad verify level");
++    case CMD_DEFAULT:
++        s_log(LOG_NOTICE, "%-15s = %d", "listenqueue", SOMAXCONN);
++        break;
++    case CMD_HELP:
++        s_log(LOG_NOTICE, "%-15s = defines the maximum length the queue of pending connections may grow to", "listenqueue");
++        break;
++    }
++
+     if(cmd==CMD_EXEC)
+         return option_not_found;
+     return NULL; /* OK */
+diff -Nuar --exclude '*.orig' stunnel-4.44.orig/src/prototypes.h stunnel-4.44/src/prototypes.h
+--- stunnel-4.44.orig/src/prototypes.h 2011-09-13 13:36:52.000000000 +0000
++++ stunnel-4.44/src/prototypes.h      2011-10-11 20:54:02.054127819 +0000
+@@ -164,6 +164,7 @@
+     int timeout_close;                          /* maximum close_notify time */
+     int timeout_connect;                           /* maximum connect() time */
+     int timeout_idle;                        /* maximum idle connection time */
++    int listenqueue;                                                                          /* Listen baklog */
+     enum {FAILOVER_RR, FAILOVER_PRIO} failover;         /* failover strategy */
+         /* service-specific data for protocol.c */
+diff -Nuar --exclude '*.orig' stunnel-4.44.orig/src/stunnel.c stunnel-4.44/src/stunnel.c
+--- stunnel-4.44.orig/src/stunnel.c    2011-09-08 20:20:46.000000000 +0000
++++ stunnel-4.44/src/stunnel.c 2011-10-11 20:53:34.037394788 +0000
+@@ -249,7 +249,7 @@
+             }
+             s_log(LOG_DEBUG, "Service %s bound to %s",
+                 opt->servname, local_address);
+-            if(listen(opt->fd, SOMAXCONN)) {
++            if(listen(opt->fd, opt->listenqueue)) {
+                 sockerror("listen");
+                 closesocket(opt->fd);
+                 return 1;
diff --git a/net-misc/stunnel/files/stunnel-4.44-xforwarded-for.diff b/net-misc/stunnel/files/stunnel-4.44-xforwarded-for.diff
new file mode 100644 (file)
index 0000000..bd6ce9e
--- /dev/null
@@ -0,0 +1,249 @@
+diff -Nuar --exclude '*.orig' --exclude '*.rej' stunnel-4.44.orig/doc/stunnel.8 stunnel-4.44/doc/stunnel.8
+--- stunnel-4.44.orig/doc/stunnel.8    2011-09-07 20:21:06.000000000 +0000
++++ stunnel-4.44/doc/stunnel.8 2011-10-11 20:57:06.327897530 +0000
+@@ -578,6 +578,10 @@
+ .IP "\fBTIMEOUTidle\fR = seconds" 4
+ .IX Item "TIMEOUTidle = seconds"
+ time to keep an idle connection
++.IP "\fBxforwardedfor\fR = yes | no" 4
++.IX Item "xforwardedfor = yes | no"
++append an 'X-Forwarded-For:' HTTP request header providing the
++client's IP address to the server.
+ .IP "\fBtransparent\fR = none | source | destination | both (Unix only)" 4
+ .IX Item "transparent = none | source | destination | both (Unix only)"
+ enable transparent proxy support on selected platforms
+diff -Nuar --exclude '*.orig' --exclude '*.rej' stunnel-4.44.orig/doc/stunnel.fr.8 stunnel-4.44/doc/stunnel.fr.8
+--- stunnel-4.44.orig/doc/stunnel.fr.8 2011-09-07 20:21:06.000000000 +0000
++++ stunnel-4.44/doc/stunnel.fr.8      2011-10-11 20:57:06.327897530 +0000
+@@ -390,6 +390,10 @@
+ .IP "\fBTIMEOUTidle\fR = secondes" 4
+ .IX Item "TIMEOUTidle = secondes"
+ Durée d'attente sur une connexion inactive
++.IP "\fBxforwardedfor\fR = yes | no" 4
++.IX Item "xforwardedfor = yes | no"
++Ajoute un en-tête 'X-Forwarded-For:' dans la requête HTTP fournissant
++au serveur l'adresse IP du client.
+ .IP "\fBtransparent\fR = yes | no (Unix seulement)" 4
+ .IX Item "transparent = yes | no (Unix seulement)"
+ Mode mandataire transparent
+diff -Nuar --exclude '*.orig' --exclude '*.rej' stunnel-4.44.orig/src/client.c stunnel-4.44/src/client.c
+--- stunnel-4.44.orig/src/client.c     2011-09-07 20:00:10.000000000 +0000
++++ stunnel-4.44/src/client.c  2011-10-11 20:57:06.327897530 +0000
+@@ -81,6 +81,12 @@
+     }
+     str_detach(c);
+     c->opt=opt;
++    /* some options need space to add some information */
++    if (c->opt->option.xforwardedfor)
++        c->buffsize = BUFFSIZE - BUFF_RESERVED;
++    else
++        c->buffsize = BUFFSIZE;
++    c->crlf_seen=0;
+     c->local_rfd.fd=rfd;
+     c->local_wfd.fd=wfd;
+     return c;
+@@ -383,6 +389,28 @@
+     }
+ }
++/* Moves all data from the buffer <buffer> between positions <start> and <stop>
++ * to insert <string> of length <len>. <start> and <stop> are updated to their
++ * new respective values, and the number of characters inserted is returned.
++ * If <len> is too long, nothing is done and -1 is returned.
++ * Note that neither <string> nor <buffer> can be NULL.
++ */
++static int buffer_insert_with_len(char *buffer, int *start, int *stop, int limit, char *string, int len) {
++    if (len > limit - *stop)
++        return -1;
++    if (*start > *stop)
++        return -1;
++    memmove(buffer + *start + len, buffer + *start, *stop - *start);
++    memcpy(buffer + *start, string, len);
++    *start += len;
++    *stop += len;
++    return len;
++}
++
++static int buffer_insert(char *buffer, int *start, int *stop, int limit, char *string) {
++    return buffer_insert_with_len(buffer, start, stop, limit, string, strlen(string));
++}
++
+ /****************************** transfer data */
+ static void transfer(CLI *c) {
+     int watchdog=0; /* a counter to detect an infinite loop */
+@@ -401,7 +429,7 @@
+     do { /* main loop of client data transfer */
+         /****************************** initialize *_wants_* */
+         read_wants_read=
+-            ssl_open_rd && c->ssl_ptr<BUFFSIZE && !read_wants_write;
++            ssl_open_rd && c->ssl_ptr<c->buffsize && !read_wants_write;
+         write_wants_write=
+             ssl_open_wr && c->sock_ptr && !write_wants_read;
+@@ -410,7 +438,7 @@
+         /* for plain socket open data strem = open file descriptor */
+         /* make sure to add each open socket to receive exceptions! */
+         if(sock_open_rd)
+-            s_poll_add(&c->fds, c->sock_rfd->fd, c->sock_ptr<BUFFSIZE, 0);
++            s_poll_add(&c->fds, c->sock_rfd->fd, c->sock_ptr<c->buffsize, 0);
+         if(sock_open_wr)
+             s_poll_add(&c->fds, c->sock_wfd->fd, 0, c->ssl_ptr);
+         /* for SSL assume that sockets are open if there any pending requests */
+@@ -544,7 +572,7 @@
+         /****************************** read from socket */
+         if(sock_open_rd && sock_can_rd) {
+             num=readsocket(c->sock_rfd->fd,
+-                c->sock_buff+c->sock_ptr, BUFFSIZE-c->sock_ptr);
++                c->sock_buff+c->sock_ptr, c->buffsize-c->sock_ptr);
+             switch(num) {
+             case -1:
+                 parse_socket_error(c, "readsocket");
+@@ -580,7 +608,7 @@
+         /****************************** update *_wants_* based on new *_ptr */
+         /* this update is also required for SSL_pending() to be used */
+         read_wants_read=
+-            ssl_open_rd && c->ssl_ptr<BUFFSIZE && !read_wants_write;
++            ssl_open_rd && c->ssl_ptr<c->buffsize && !read_wants_write;
+         write_wants_write=
+             ssl_open_wr && c->sock_ptr && !write_wants_read;
+@@ -590,10 +618,71 @@
+                  * writesocket() above made some room in c->ssl_buff */
+                 (read_wants_write && ssl_can_wr)) {
+             read_wants_write=0;
+-            num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr);
++            num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, c->buffsize-c->ssl_ptr);
+             switch(err=SSL_get_error(c->ssl, num)) {
+             case SSL_ERROR_NONE:
+-                c->ssl_ptr+=num;
++                if (c->buffsize != BUFFSIZE && c->opt->option.xforwardedfor) { /* some work left to do */
++                    int last = c->ssl_ptr;
++                    c->ssl_ptr += num;
++
++                    /* Look for end of HTTP headers between last and ssl_ptr.
++                    * To achieve this reliably, we have to count the number of
++                    * successive [CR]LF and to memorize it in case it's spread
++                    * over multiple segments. --WT.
++                    */
++                    while (last < c->ssl_ptr) {
++                        if (c->ssl_buff[last] == '\n') {
++                            if (++c->crlf_seen == 2)
++                                break;
++                        } else if (last < c->ssl_ptr - 1 &&
++                                    c->ssl_buff[last] == '\r' &&
++                                    c->ssl_buff[last+1] == '\n') {
++                            if (++c->crlf_seen == 2)
++                                break;
++                            last++;
++                        } else if (c->ssl_buff[last] != '\r')
++                            /* don't refuse '\r' because we may get a '\n' on next read */
++                            c->crlf_seen = 0;
++                        last++;
++                    }
++                    if (c->crlf_seen >= 2) {
++                        /* We have all the HTTP headers now. We don't need to
++                        * reserve any space anymore. <ssl_ptr> points to the
++                        * first byte of unread data, and <last> points to the
++                        * exact location where we want to insert our headers,
++                        * which is right before the empty line.
++                        */
++                        c->buffsize = BUFFSIZE;
++
++                        if (c->opt->option.xforwardedfor) {
++                            /* X-Forwarded-For: xxxx \r\n\0 */
++                            char xforw[17 + IPLEN + 3];
++
++                            /* We will insert our X-Forwarded-For: header here.
++                            * We need to write the IP address, but if we use
++                            * sprintf, it will pad with the terminating 0.
++                            * So we will pass via a temporary buffer allocated
++                            * on the stack.
++                            */
++                            memcpy(xforw, "X-Forwarded-For: ", 17);
++                            if (getnameinfo(&c->peer_addr.addr[0].sa,
++                                    addr_len(c->peer_addr.addr[0]),
++                                    xforw + 17, IPLEN, NULL, 0,
++                                    NI_NUMERICHOST) == 0) {
++                                strcat(xforw + 17, "\r\n");
++                                buffer_insert(c->ssl_buff, &last, &c->ssl_ptr,
++                                            c->buffsize, xforw);
++                            }
++                            /* last still points to the \r\n and ssl_ptr to the
++                            * end of the buffer, so we may add as many headers
++                            * as wee need to.
++                            */
++                        }
++                    }
++                }
++                else
++                   c->ssl_ptr+=num;
++
+                 watchdog=0; /* reset watchdog */
+                 break;
+             case SSL_ERROR_WANT_WRITE:
+diff -Nuar --exclude '*.orig' --exclude '*.rej' stunnel-4.44.orig/src/common.h stunnel-4.44/src/common.h
+--- stunnel-4.44.orig/src/common.h     2011-09-10 18:26:34.000000000 +0000
++++ stunnel-4.44/src/common.h  2011-10-11 20:57:06.327897530 +0000
+@@ -52,6 +52,9 @@
+ /* I/O buffer size */
+ #define BUFFSIZE 16384
++/* maximum space reserved for header insertion in BUFFSIZE */
++#define BUFF_RESERVED 1024
++
+ /* IP address and TCP port textual representation length */
+ #define IPLEN 128
+diff -Nuar --exclude '*.orig' --exclude '*.rej' stunnel-4.44.orig/src/options.c stunnel-4.44/src/options.c
+--- stunnel-4.44.orig/src/options.c    2011-09-10 16:44:16.000000000 +0000
++++ stunnel-4.44/src/options.c 2011-10-11 20:57:06.331230851 +0000
+@@ -811,6 +811,29 @@
+     }
+ #endif
++    /* xforwardedfor */
++    switch(cmd) {
++    case CMD_INIT:
++        section->option.xforwardedfor=0;
++        break;
++    case CMD_EXEC:
++        if(strcasecmp(opt, "xforwardedfor"))
++            break;
++        if(!strcasecmp(arg, "yes"))
++            section->option.xforwardedfor=1;
++        else if(!strcasecmp(arg, "no"))
++            section->option.xforwardedfor=0;
++        else
++            return "argument should be either 'yes' or 'no'";
++        return NULL; /* OK */
++    case CMD_DEFAULT:
++        break;
++    case CMD_HELP:
++        s_log(LOG_NOTICE, "%-15s = yes|no append an HTTP X-Forwarded-For header",
++            "xforwardedfor");
++        break;
++    }
++
+     /* exec */
+     switch(cmd) {
+     case CMD_INIT:
+diff -Nuar --exclude '*.orig' --exclude '*.rej' stunnel-4.44.orig/src/prototypes.h stunnel-4.44/src/prototypes.h
+--- stunnel-4.44.orig/src/prototypes.h 2011-09-13 13:36:52.000000000 +0000
++++ stunnel-4.44/src/prototypes.h      2011-10-11 20:57:33.687962098 +0000
+@@ -183,6 +183,7 @@
+         unsigned int accept:1;          /* endpoint: accept */
+         unsigned int client:1;
+         unsigned int delayed_lookup:1;
++        unsigned int xforwardedfor:1;
+ #ifdef USE_LIBWRAP
+         unsigned int libwrap:1;
+ #endif
+@@ -385,6 +386,8 @@
+     FD *ssl_rfd, *ssl_wfd; /* read and write SSL descriptors */
+     int sock_bytes, ssl_bytes; /* bytes written to socket and SSL */
+     s_poll_set fds; /* file descriptors */
++    int buffsize;  /* current buffer size, may be lower than BUFFSIZE */
++    int crlf_seen; /* the number of successive CRLF seen */
+ } CLI;
+ CLI *alloc_client_session(SERVICE_OPTIONS *, int, int);
index 595261b58f461f56060d9bec7ca84c3e3478448f..0f7bd5161bc3d36e73fc012c76651e938e0c80e5 100644 (file)
@@ -1,6 +1,6 @@
 # Copyright 1999-2011 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/stunnel/stunnel-4.44.ebuild,v 1.1 2011/10/11 20:40:43 robbat2 Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/stunnel/stunnel-4.44.ebuild,v 1.2 2011/10/11 21:00:16 robbat2 Exp $
 
 EAPI="2"
 
@@ -26,8 +26,8 @@ pkg_setup() {
 }
 
 src_prepare() {
-       use xforward && epatch "${FILESDIR}/stunnel-4.36-xforwarded-for.diff"
-       use listen-queue && epatch "${FILESDIR}/stunnel-4.36-listen-queue.diff"
+       use xforward && epatch "${FILESDIR}/stunnel-4.44-xforwarded-for.diff"
+       use listen-queue && epatch "${FILESDIR}/stunnel-4.44-listen-queue.diff"
        eautoreconf
 
        # Hack away generation of certificate