From 2d198dbd79a0ea2db4d379e62d0432f52d2b6892 Mon Sep 17 00:00:00 2001 From: Hauke Mehrtens Date: Mon, 13 Jul 2015 19:42:35 +0000 Subject: [PATCH] stunnel: moved to github Signed-off-by: Hauke Mehrtens SVN-Revision: 46325 --- net/stunnel/Makefile | 65 ----- net/stunnel/files/stunnel.init | 34 --- net/stunnel/patches/100-cross-compile.patch | 126 --------- net/stunnel/patches/101-no-comp.patch | 28 -- net/stunnel/patches/102-no-ssl2.patch | 13 - net/stunnel/patches/103-no-zlib-link.patch | 12 - net/stunnel/patches/104-fix-paths.patch | 42 --- net/stunnel/patches/105-stunnel-conf.patch | 54 ---- .../patches/106-stunnel-xforwardedfor.patch | 248 ------------------ 9 files changed, 622 deletions(-) delete mode 100644 net/stunnel/Makefile delete mode 100644 net/stunnel/files/stunnel.init delete mode 100644 net/stunnel/patches/100-cross-compile.patch delete mode 100644 net/stunnel/patches/101-no-comp.patch delete mode 100644 net/stunnel/patches/102-no-ssl2.patch delete mode 100644 net/stunnel/patches/103-no-zlib-link.patch delete mode 100644 net/stunnel/patches/104-fix-paths.patch delete mode 100644 net/stunnel/patches/105-stunnel-conf.patch delete mode 100644 net/stunnel/patches/106-stunnel-xforwardedfor.patch diff --git a/net/stunnel/Makefile b/net/stunnel/Makefile deleted file mode 100644 index f124b350b..000000000 --- a/net/stunnel/Makefile +++ /dev/null @@ -1,65 +0,0 @@ -# -# Copyright (C) 2006-2010 OpenWrt.org -# -# This is free software, licensed under the GNU General Public License v2. -# See /LICENSE for more information. -# - -include $(TOPDIR)/rules.mk - -PKG_NAME:=stunnel -PKG_VERSION:=4.33 -PKG_RELEASE:=1 - -PKG_SOURCE_URL:=http://www.stunnel.org/download/stunnel/src/ -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_MD5SUM:=559a864066d8cc4afd8a97682c90d41c - -PKG_FIXUP:=autoreconf -PKG_INSTALL:=1 - -include $(INCLUDE_DIR)/package.mk - -define Package/stunnel - SECTION:=net - CATEGORY:=Network - DEPENDS:=+libopenssl +libwrap - TITLE:=SSL TCP Wrapper - URL:=http://www.stunnel.org/ -endef - -define Package/stunnel/description - Stunnel is a program that allows you to encrypt arbitrary TCP - connections inside SSL (Secure Sockets Layer) available on both Unix - and Windows. Stunnel can allow you to secure non-SSL aware daemons and - protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the - encryption, requiring no changes to the daemon's code. -endef - -define Package/stunnel/conffiles -/etc/stunnel/stunnel.conf -endef - -CONFIGURE_ARGS+= \ - --with-random=/dev/urandom \ - --with-threads=fork \ - --with-ssl=$(STAGING_DIR)/usr \ - -define Build/Compile - mkdir -p $(PKG_INSTALL_DIR)/etc/stunnel - echo '#dummy' > $(PKG_INSTALL_DIR)/etc/stunnel/stunnel.pem - $(call Build/Compile/Default) -endef - -define Package/stunnel/install - $(INSTALL_DIR) $(1)/usr/bin - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/stunnel $(1)/usr/bin/ - $(INSTALL_DIR) $(1)/usr/lib/stunnel - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/stunnel/libstunnel.so $(1)/usr/lib/stunnel/ - $(INSTALL_DIR) $(1)/etc/stunnel - $(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/stunnel/stunnel.conf-sample $(1)/etc/stunnel/stunnel.conf - $(INSTALL_DIR) $(1)/etc/init.d - $(INSTALL_BIN) ./files/stunnel.init $(1)/etc/init.d/stunnel -endef - -$(eval $(call BuildPackage,stunnel)) diff --git a/net/stunnel/files/stunnel.init b/net/stunnel/files/stunnel.init deleted file mode 100644 index a3ea1037f..000000000 --- a/net/stunnel/files/stunnel.init +++ /dev/null @@ -1,34 +0,0 @@ -#!/bin/sh /etc/rc.common -# Copyright (C) 2006-2008 OpenWrt.org - -START=90 -RUN_D=/var -PID_F=$RUN_D/stunnel.pid - -start() { - if [ -s "/etc/stunnel/stunnel.pem" ]; then - chmod og-rwx /etc/stunnel/stunnel.pem - [ ! -f $PID_F ] && stunnel - else - [ -e /etc/stunnel/config ] && \ - . /etc/stunnel/config - - X509_CN=${X509_CN:-"router"} - X509_O=${X509_O:-"openwrt.org"} - X509_OU=${X509_OU:-"open-source firmware"} - - [ -x /sbin/keygen ] && { - (keygen "$X509_CN" "$X509_O" "$X509_OU" > /etc/stunnel/stunnel.pem; - chmod og-rwx /etc/stunnel/stunnel.pem; - stunnel) & - } - fi -} - -stop() { - [ -f $PID_F ] && { - kill $(cat $PID_F) - kill -9 $(cat $PID_F) - rm -f $PID_F - } -} diff --git a/net/stunnel/patches/100-cross-compile.patch b/net/stunnel/patches/100-cross-compile.patch deleted file mode 100644 index 5ce3c357c..000000000 --- a/net/stunnel/patches/100-cross-compile.patch +++ /dev/null @@ -1,126 +0,0 @@ ---- a/configure -+++ b/configure -@@ -21552,56 +21552,56 @@ _ACEOF - fi - rm -f conftest* - -- --{ echo "$as_me:$LINENO: **************************************** PTY device files" >&5 --echo "$as_me: **************************************** PTY device files" >&6;} --{ echo "$as_me:$LINENO: checking for \"/dev/ptmx\"" >&5 --echo $ECHO_N "checking for \"/dev/ptmx\"... $ECHO_C" >&6; } --if test "${ac_cv_file___dev_ptmx_+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 --else -- test "$cross_compiling" = yes && -- { { echo "$as_me:$LINENO: error: cannot check for file existence when cross compiling" >&5 --echo "$as_me: error: cannot check for file existence when cross compiling" >&2;} -- { (exit 1); exit 1; }; } --if test -r ""/dev/ptmx""; then -- ac_cv_file___dev_ptmx_=yes --else -- ac_cv_file___dev_ptmx_=no --fi --fi --{ echo "$as_me:$LINENO: result: $ac_cv_file___dev_ptmx_" >&5 --echo "${ECHO_T}$ac_cv_file___dev_ptmx_" >&6; } --if test $ac_cv_file___dev_ptmx_ = yes; then -+# -+#{ echo "$as_me:$LINENO: **************************************** PTY device files" >&5 -+#echo "$as_me: **************************************** PTY device files" >&6;} -+#{ echo "$as_me:$LINENO: checking for \"/dev/ptmx\"" >&5 -+#echo $ECHO_N "checking for \"/dev/ptmx\"... $ECHO_C" >&6; } -+#if test "${ac_cv_file___dev_ptmx_+set}" = set; then -+# echo $ECHO_N "(cached) $ECHO_C" >&6 -+#else -+# test "$cross_compiling" = yes && -+# { { echo "$as_me:$LINENO: error: cannot check for file existence when cross compiling" >&5 -+#echo "$as_me: error: cannot check for file existence when cross compiling" >&2;} -+# { (exit 1); exit 1; }; } -+#if test -r ""/dev/ptmx""; then -+# ac_cv_file___dev_ptmx_=yes -+#else -+# ac_cv_file___dev_ptmx_=no -+#fi -+#fi -+#{ echo "$as_me:$LINENO: result: $ac_cv_file___dev_ptmx_" >&5 -+#echo "${ECHO_T}$ac_cv_file___dev_ptmx_" >&6; } -+#if test $ac_cv_file___dev_ptmx_ = yes; then - cat >>confdefs.h <<\_ACEOF --#define HAVE_DEV_PTMX 1 -+#define HAVE_DEV_PTMX 0 - _ACEOF - --fi -+#fi - --{ echo "$as_me:$LINENO: checking for \"/dev/ptc\"" >&5 --echo $ECHO_N "checking for \"/dev/ptc\"... $ECHO_C" >&6; } --if test "${ac_cv_file___dev_ptc_+set}" = set; then -- echo $ECHO_N "(cached) $ECHO_C" >&6 --else -- test "$cross_compiling" = yes && -- { { echo "$as_me:$LINENO: error: cannot check for file existence when cross compiling" >&5 --echo "$as_me: error: cannot check for file existence when cross compiling" >&2;} -- { (exit 1); exit 1; }; } --if test -r ""/dev/ptc""; then -- ac_cv_file___dev_ptc_=yes --else -- ac_cv_file___dev_ptc_=no --fi --fi --{ echo "$as_me:$LINENO: result: $ac_cv_file___dev_ptc_" >&5 --echo "${ECHO_T}$ac_cv_file___dev_ptc_" >&6; } --if test $ac_cv_file___dev_ptc_ = yes; then -+#{ echo "$as_me:$LINENO: checking for \"/dev/ptc\"" >&5 -+#echo $ECHO_N "checking for \"/dev/ptc\"... $ECHO_C" >&6; } -+#if test "${ac_cv_file___dev_ptc_+set}" = set; then -+# echo $ECHO_N "(cached) $ECHO_C" >&6 -+#else -+# test "$cross_compiling" = yes && -+# { { echo "$as_me:$LINENO: error: cannot check for file existence when cross compiling" >&5 -+#echo "$as_me: error: cannot check for file existence when cross compiling" >&2;} -+# { (exit 1); exit 1; }; } -+#if test -r ""/dev/ptc""; then -+# ac_cv_file___dev_ptc_=yes -+#else -+# ac_cv_file___dev_ptc_=no -+#fi -+#fi -+#{ echo "$as_me:$LINENO: result: $ac_cv_file___dev_ptc_" >&5 -+#echo "${ECHO_T}$ac_cv_file___dev_ptc_" >&6; } -+#if test $ac_cv_file___dev_ptc_ = yes; then - cat >>confdefs.h <<\_ACEOF --#define HAVE_DEV_PTS_AND_PTC 1 -+#define HAVE_DEV_PTS_AND_PTC 0 - _ACEOF - --fi -+#fi - - - { echo "$as_me:$LINENO: **************************************** entropy" >&5 -@@ -24049,8 +24049,8 @@ _ACEOF - - - # Add SSL includes and libraries --CFLAGS="$CFLAGS -I$ssldir/include" --LIBS="$LIBS -L$ssldir/lib -lssl -lcrypto" -+CFLAGS="$CFLAGS" -+LIBS="$LIBS -lssl -lcrypto" - - # Check for obsolete RSAref library - { echo "$as_me:$LINENO: checking for obsolete RSAref library" >&5 ---- a/configure.ac -+++ b/configure.ac -@@ -44,10 +44,6 @@ AC_EGREP_HEADER(socklen_t, sys/socket.h, - AC_MSG_RESULT([no (defined as int)]) - AC_DEFINE(socklen_t, int)) - --AC_MSG_NOTICE([**************************************** PTY device files]) --AC_CHECK_FILE("/dev/ptmx", AC_DEFINE(HAVE_DEV_PTMX)) --AC_CHECK_FILE("/dev/ptc", AC_DEFINE(HAVE_DEV_PTS_AND_PTC)) -- - AC_MSG_NOTICE([**************************************** entropy]) - - AC_ARG_WITH(egd-socket, diff --git a/net/stunnel/patches/101-no-comp.patch b/net/stunnel/patches/101-no-comp.patch deleted file mode 100644 index 9fbe22c9e..000000000 --- a/net/stunnel/patches/101-no-comp.patch +++ /dev/null @@ -1,28 +0,0 @@ ---- a/src/ssl.c -+++ b/src/ssl.c -@@ -72,14 +72,17 @@ int ssl_configure(void) { /* configure g - s_log(LOG_NOTICE, "FIPS mode %s", - global_options.option.fips ? "enabled" : "disabled"); - #endif /* USE_FIPS */ -+#ifndef OPENSSL_NO_COMP - if(global_options.compression!=COMP_NONE && !init_compression()) - return 0; -+#endif - if(!init_prng()) - return 0; - s_log(LOG_DEBUG, "PRNG seeded successfully"); - return 1; /* SUCCESS */ - } - -+#ifndef OPENSSL_NO_COMP - static int init_compression(void) { - int id=0; - COMP_METHOD *cm=NULL; -@@ -111,6 +114,7 @@ static int init_compression(void) { - s_log(LOG_INFO, "Compression enabled using %s method", name); - return 1; - } -+#endif - - static int init_prng(void) { - int totbytes=0; diff --git a/net/stunnel/patches/102-no-ssl2.patch b/net/stunnel/patches/102-no-ssl2.patch deleted file mode 100644 index e94184b04..000000000 --- a/net/stunnel/patches/102-no-ssl2.patch +++ /dev/null @@ -1,13 +0,0 @@ ---- a/src/options.c -+++ b/src/options.c -@@ -1234,8 +1234,10 @@ static char *parse_service_option(CMD cm - section->client_method=(SSL_METHOD *)SSLv23_client_method(); - section->server_method=(SSL_METHOD *)SSLv23_server_method(); - } else if(!strcasecmp(arg, "SSLv2")) { -+#ifndef OPENSSL_NO_SSL2 - section->client_method=(SSL_METHOD *)SSLv2_client_method(); - section->server_method=(SSL_METHOD *)SSLv2_server_method(); -+#endif - } else if(!strcasecmp(arg, "SSLv3")) { - section->client_method=(SSL_METHOD *)SSLv3_client_method(); - section->server_method=(SSL_METHOD *)SSLv3_server_method(); diff --git a/net/stunnel/patches/103-no-zlib-link.patch b/net/stunnel/patches/103-no-zlib-link.patch deleted file mode 100644 index f627c53c8..000000000 --- a/net/stunnel/patches/103-no-zlib-link.patch +++ /dev/null @@ -1,12 +0,0 @@ -Avoid linking with zlib, which is a dependency of openssl, not ours. ---- a/configure -+++ b/configure -@@ -23017,7 +23017,7 @@ if test $ac_cv_lib_z_inflateEnd = yes; t - #define HAVE_LIBZ 1 - _ACEOF - -- LIBS="-lz $LIBS" -+# LIBS="-lz $LIBS" - - fi - diff --git a/net/stunnel/patches/104-fix-paths.patch b/net/stunnel/patches/104-fix-paths.patch deleted file mode 100644 index aad310b94..000000000 --- a/net/stunnel/patches/104-fix-paths.patch +++ /dev/null @@ -1,42 +0,0 @@ -## Do several path fixups, removing unneeded @prefix@s ---- a/tools/stunnel.conf-sample.in -+++ b/tools/stunnel.conf-sample.in -@@ -4,15 +4,15 @@ - ; please read the manual and make sure you understand them - - ; certificate/key is needed in server mode and optional in client mode --cert = @prefix@/etc/stunnel/mail.pem --;key = @prefix@/etc/stunnel/mail.pem -+cert = @sysconfdir@/stunnel/stunnel.pem -+;key = @sysconfdir@/stunnel/stunnel.pem - - ; protocol version (all, SSLv2, SSLv3, TLSv1) - sslVersion = SSLv3 - - ; security enhancements for UNIX systems - comment them out on Win32 - ; for chroot a copy of some devices and files is needed within the jail --chroot = @prefix@/var/lib/stunnel/ -+chroot = @localstatedir@ - setuid = nobody - setgid = @DEFAULT_GROUP@ - ; PID is created inside the chroot jail -@@ -33,16 +33,16 @@ socket = r:TCP_NODELAY=1 - ; CApath is located inside chroot jail - ;CApath = /certs - ; it's often easier to use CAfile --;CAfile = @prefix@/etc/stunnel/certs.pem -+;CAfile = @sysconfdir@/stunnel/certs.pem - ; don't forget to c_rehash CRLpath - ; CRLpath is located inside chroot jail - ;CRLpath = /crls - ; alternatively CRLfile can be used --;CRLfile = @prefix@/etc/stunnel/crls.pem -+;CRLfile = @sysconfdir@/stunnel/crls.pem - - ; debugging stuff (may useful for troubleshooting) - ;debug = 7 --;output = stunnel.log -+;output = @localstatedir@/log/stunnel.log - - ; SSL client mode - ;client = yes diff --git a/net/stunnel/patches/105-stunnel-conf.patch b/net/stunnel/patches/105-stunnel-conf.patch deleted file mode 100644 index c22e0b441..000000000 --- a/net/stunnel/patches/105-stunnel-conf.patch +++ /dev/null @@ -1,54 +0,0 @@ ---- a/tools/stunnel.conf-sample.in -+++ b/tools/stunnel.conf-sample.in -@@ -8,7 +8,7 @@ cert = @sysconfdir@/stunnel/stunnel.pem - ;key = @sysconfdir@/stunnel/stunnel.pem - - ; protocol version (all, SSLv2, SSLv3, TLSv1) --sslVersion = SSLv3 -+sslVersion = all - - ; security enhancements for UNIX systems - comment them out on Win32 - ; for chroot a copy of some devices and files is needed within the jail -@@ -49,21 +49,26 @@ socket = r:TCP_NODELAY=1 - - ; service-level configuration - --[pop3s] --accept = 995 --connect = 110 -- --[imaps] --accept = 993 --connect = 143 -- --[ssmtp] --accept = 465 --connect = 25 -- --;[https] --;accept = 443 --;connect = 80 --;TIMEOUTclose = 0 -+;[pop3s] -+;accept = 995 -+;connect = 110 -+ -+;[imaps] -+;accept = 993 -+;connect = 143 -+ -+;[ssmtp] -+;accept = 465 -+;connect = 25 -+ -+[https] -+accept = 443 -+connect = 80 -+TIMEOUTclose = 0 -+ -+[chilli] -+accept = 3443 -+connect = 3442 -+TIMEOUTclose = 0 - - ; vim:ft=dosini diff --git a/net/stunnel/patches/106-stunnel-xforwardedfor.patch b/net/stunnel/patches/106-stunnel-xforwardedfor.patch deleted file mode 100644 index 497ff6d53..000000000 --- a/net/stunnel/patches/106-stunnel-xforwardedfor.patch +++ /dev/null @@ -1,248 +0,0 @@ ---- a/doc/stunnel.8 -+++ b/doc/stunnel.8 -@@ -504,7 +504,10 @@ time to keep an idle connection - .IP "\fBtransparent\fR = yes | no (Unix only)" 4 - .IX Item "transparent = yes | no (Unix only)" - transparent proxy mode --.Sp -+.IP "\fBxforwardedfor\fR = yes | no" 4 -+.IX Item "xforwardedfor = yes | no" -+append an 'X-Forwarded-For:' HTTP request header providing the -+client's IP address to the server. - Re-write address to appear as if wrapped daemon is connecting - from the \s-1SSL\s0 client machine instead of the machine running \fBstunnel\fR. - .Sp ---- a/doc/stunnel.fr.8 -+++ b/doc/stunnel.fr.8 -@@ -445,6 +445,10 @@ Cette option permet de relier une adress - Négocie avec \s-1SSL\s0 selon le protocole indiqué - .Sp - Actuellement gérés\ : cifs, nntp, pop3, smtp -+.IP "\fBxforwardedfor\fR = yes | no" 4 -+.IX Item "xforwardedfor = yes | no" -+Ajoute un en-tête 'X-Forwarded-For:' dans la requête HTTP fournissant -+au serveur l'adresse IP du client. - .IP "\fBpty\fR = yes | no (Unix seulement)" 4 - .IX Item "pty = yes | no (Unix seulement)" - Alloue un pseudo-terminal pour l'option «\ exec\ » ---- a/src/client.c -+++ b/src/client.c -@@ -86,6 +86,12 @@ CLI *alloc_client_session(SERVICE_OPTION - return NULL; - } - c->opt=opt; -+ /* some options need space to add some information */ -+ if (c->opt->option.xforwardedfor) -+ c->buffsize = BUFFSIZE - BUFF_RESERVED; -+ else -+ c->buffsize = BUFFSIZE; -+ c->crlf_seen=0; - c->local_rfd.fd=rfd; - c->local_wfd.fd=wfd; - return c; -@@ -376,6 +382,29 @@ static void init_ssl(CLI *c) { - } - } - -+/* Moves all data from the buffer between positions and -+ * to insert of length . and are updated to their -+ * new respective values, and the number of characters inserted is returned. -+ * If is too long, nothing is done and -1 is returned. -+ * Note that neither nor can be NULL. -+*/ -+static int buffer_insert_with_len(char *buffer, int *start, int *stop, int limit, char *string, int len) { -+ if (len > limit - *stop) -+ return -1; -+ if (*start > *stop) -+ return -1; -+ memmove(buffer + *start + len, buffer + *start, *stop - *start); -+ memcpy(buffer + *start, string, len); -+ *start += len; -+ *stop += len; -+ return len; -+} -+ -+static int buffer_insert(char *buffer, int *start, int *stop, int limit, char *string) { -+ return buffer_insert_with_len(buffer, start, stop, limit, string, strlen(string)); -+} -+ -+ - /****************************** some defines for transfer() */ - /* is socket/SSL open for read/write? */ - #define sock_rd (c->sock_rfd->rd) -@@ -410,13 +439,16 @@ static void transfer(CLI *c) { - check_SSL_pending=0; - - SSL_read_wants_read= -- ssl_rd && c->ssl_ptrssl_ptrssl_ptrbuffsize && !SSL_read_wants_write; -+ - SSL_write_wants_write= - ssl_wr && c->sock_ptr && !SSL_write_wants_read; - - /****************************** setup c->fds structure */ - s_poll_init(&c->fds); /* initialize the structure */ -- if(sock_rd && c->sock_ptrsock_ptrsock_ptrbuffsize) - s_poll_add(&c->fds, c->sock_rfd->fd, 1, 0); - if(SSL_read_wants_read || - SSL_write_wants_read || -@@ -515,7 +547,8 @@ static void transfer(CLI *c) { - break; - default: - memmove(c->ssl_buff, c->ssl_buff+num, c->ssl_ptr-num); -- if(c->ssl_ptr==BUFFSIZE) /* buffer was previously full */ -+ //if(c->ssl_ptr==BUFFSIZE) /* buffer was previously full */ -+ if(c->ssl_ptr>=c->buffsize) /* buffer was previously full */ - check_SSL_pending=1; /* check for data buffered by SSL */ - c->ssl_ptr-=num; - c->sock_bytes+=num; -@@ -577,7 +610,8 @@ static void transfer(CLI *c) { - /****************************** read from socket */ - if(sock_rd && sock_can_rd) { - num=readsocket(c->sock_rfd->fd, -- c->sock_buff+c->sock_ptr, BUFFSIZE-c->sock_ptr); -+ //c->sock_buff+c->sock_ptr, BUFFSIZE-c->sock_ptr); -+ c->sock_buff+c->sock_ptr, c->buffsize-c->sock_ptr); - switch(num) { - case -1: - parse_socket_error(c, "readsocket"); -@@ -597,10 +631,73 @@ static void transfer(CLI *c) { - (SSL_read_wants_write && ssl_can_wr) || - (check_SSL_pending && SSL_pending(c->ssl))) { - SSL_read_wants_write=0; -- num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr); -+ //num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr); -+ num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, c->buffsize-c->ssl_ptr); - switch(err=SSL_get_error(c->ssl, num)) { - case SSL_ERROR_NONE: -+ //c->ssl_ptr+=num; -+ if (c->buffsize != BUFFSIZE && c->opt->option.xforwardedfor) { /* some work left to do */ -+ int last = c->ssl_ptr; -+ c->ssl_ptr += num; -+ -+ /* Look for end of HTTP headers between last and ssl_ptr. -+ * To achieve this reliably, we have to count the number of -+ * successive [CR]LF and to memorize it in case it's spread -+ * over multiple segments. --WT. -+ */ -+ while (last < c->ssl_ptr) { -+ if (c->ssl_buff[last] == '\n') { -+ if (++c->crlf_seen == 2) -+ break; -+ } else if (last < c->ssl_ptr - 1 && -+ c->ssl_buff[last] == '\r' && -+ c->ssl_buff[last+1] == '\n') { -+ if (++c->crlf_seen == 2) -+ break; -+ last++; -+ } else if (c->ssl_buff[last] != '\r') -+ /* don't refuse '\r' because we may get a '\n' on next read */ -+ c->crlf_seen = 0; -+ last++; -+ } -+ if (c->crlf_seen >= 2) { -+ /* We have all the HTTP headers now. We don't need to -+ * reserve any space anymore. points to the -+ * first byte of unread data, and points to the -+ * exact location where we want to insert our headers, -+ * which is right before the empty line. -+ */ -+ c->buffsize = BUFFSIZE; -+ -+ if (c->opt->option.xforwardedfor) { -+ /* X-Forwarded-For: xxxx \r\n\0 */ -+ char xforw[17 + IPLEN + 3]; -+ -+ /* We will insert our X-Forwarded-For: header here. -+ * We need to write the IP address, but if we use -+ * sprintf, it will pad with the terminating 0. -+ * So we will pass via a temporary buffer allocated -+ * on the stack. -+ */ -+ memcpy(xforw, "X-Forwarded-For: ", 17); -+ if (getnameinfo(&c->peer_addr.addr[0].sa, -+ addr_len(c->peer_addr.addr[0]), -+ xforw + 17, IPLEN, NULL, 0, -+ NI_NUMERICHOST) == 0) { -+ strcat(xforw + 17, "\r\n"); -+ buffer_insert(c->ssl_buff, &last, &c->ssl_ptr, -+ c->buffsize, xforw); -+ } -+ /* last still points to the \r\n and ssl_ptr to the -+ * end of the buffer, so we may add as many headers -+ * as wee need to. -+ */ -+ } -+ } -+ } -+ else - c->ssl_ptr+=num; -+ - watchdog=0; /* reset watchdog */ - break; - case SSL_ERROR_WANT_WRITE: ---- a/src/common.h -+++ b/src/common.h -@@ -53,6 +53,9 @@ - /* I/O buffer size */ - #define BUFFSIZE 16384 - -+/* maximum space reserved for header insertion in BUFFSIZE */ -+#define BUFF_RESERVED 1024 -+ - /* length of strings (including the terminating '\0' character) */ - /* it can't be lower than 256 bytes or NTLM authentication will break */ - #define STRLEN 256 ---- a/src/options.c -+++ b/src/options.c -@@ -792,6 +792,28 @@ static char *parse_service_option(CMD cm - } - #endif - -+ /* xforwardedfor */ -+ switch(cmd) { -+ case CMD_INIT: -+ section->option.xforwardedfor=0; -+ break; -+ case CMD_EXEC: -+ if(strcasecmp(opt, "xforwardedfor")) -+ break; -+ if(!strcasecmp(arg, "yes")) -+ section->option.xforwardedfor=1; -+ else if(!strcasecmp(arg, "no")) -+ section->option.xforwardedfor=0; -+ else -+ return "argument should be either 'yes' or 'no'"; -+ return NULL; /* OK */ -+ case CMD_DEFAULT: -+ break; -+ case CMD_HELP: -+ s_log("%-15s = yes|no append an HTTP X-Forwarded-For header","xforwardedfor"); -+ break; -+ } -+ - /* exec */ - switch(cmd) { - case CMD_INIT: ---- a/src/prototypes.h -+++ b/src/prototypes.h -@@ -177,6 +177,7 @@ typedef struct service_options_struct { - unsigned int remote:1; - unsigned int retry:1; /* loop remote+program */ - unsigned int sessiond:1; -+ unsigned int xforwardedfor:1; - unsigned int program:1; - #ifndef USE_WIN32 - unsigned int pty:1; -@@ -351,6 +352,8 @@ typedef struct { - FD *ssl_rfd, *ssl_wfd; /* read and write SSL descriptors */ - int sock_bytes, ssl_bytes; /* bytes written to socket and ssl */ - s_poll_set fds; /* file descriptors */ -+ int buffsize; /* current buffer size, may be lower than BUFFSIZE */ -+ int crlf_seen; /* the number of successive CRLF seen */ - } CLI; - - extern int max_fds, max_clients; -- 2.30.2