--- /dev/null
+--- a/doc/stunnel.8
++++ b/doc/stunnel.8
+@@ -497,7 +497,10 @@ time to keep an idle connection
+ .IP "\fBtransparent\fR = yes | no (Unix only)" 4
+ .IX Item "transparent = yes | no (Unix only)"
+ transparent proxy mode
+-.Sp
++.IP "\fBxforwardedfor\fR = yes | no" 4
++.IX Item "xforwardedfor = yes | no"
++append an 'X-Forwarded-For:' HTTP request header providing the
++client's IP address to the server.
+ Re-write address to appear as if wrapped daemon is connecting
+ from the \s-1SSL\s0 client machine instead of the machine running \fBstunnel\fR.
+ .Sp
+--- /dev/null
++++ b/doc/stunnel.8.orig
+@@ -0,0 +1,729 @@
++.\" Automatically generated by Pod::Man 2.1801 (Pod::Simple 3.05)
++.\"
++.\" Standard preamble:
++.\" ========================================================================
++.de Sp \" Vertical space (when we can't use .PP)
++.if t .sp .5v
++.if n .sp
++..
++.de Vb \" Begin verbatim text
++.ft CW
++.nf
++.ne \\$1
++..
++.de Ve \" End verbatim text
++.ft R
++.fi
++..
++.\" Set up some character translations and predefined strings. \*(-- will
++.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
++.\" double quote, and \*(R" will give a right double quote. \*(C+ will
++.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
++.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
++.\" nothing in troff, for use with C<>.
++.tr \(*W-
++.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
++.ie n \{\
++. ds -- \(*W-
++. ds PI pi
++. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
++. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
++. ds L" ""
++. ds R" ""
++. ds C` ""
++. ds C' ""
++'br\}
++.el\{\
++. ds -- \|\(em\|
++. ds PI \(*p
++. ds L" ``
++. ds R" ''
++'br\}
++.\"
++.\" Escape single quotes in literal strings from groff's Unicode transform.
++.ie \n(.g .ds Aq \(aq
++.el .ds Aq '
++.\"
++.\" If the F register is turned on, we'll generate index entries on stderr for
++.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
++.\" entries marked with X<> in POD. Of course, you'll have to process the
++.\" output yourself in some meaningful fashion.
++.ie \nF \{\
++. de IX
++. tm Index:\\$1\t\\n%\t"\\$2"
++..
++. nr % 0
++. rr F
++.\}
++.el \{\
++. de IX
++..
++.\}
++.\" ========================================================================
++.\"
++.IX Title "STUNNEL 8"
++.TH STUNNEL 8 "2009.11.20" "4.29" "stunnel"
++.\" For nroff, turn off justification. Always turn off hyphenation; it makes
++.\" way too many mistakes in technical documents.
++.if n .ad l
++.nh
++.SH "NAME"
++stunnel \- universal SSL tunnel
++.SH "SYNOPSIS"
++.IX Header "SYNOPSIS"
++.IP "\fBUnix:\fR" 4
++.IX Item "Unix:"
++\&\fBstunnel\fR [<filename>] | \-fd n | \-help | \-version | \-sockets
++.IP "\fB\s-1WIN32:\s0\fR" 4
++.IX Item "WIN32:"
++\&\fBstunnel\fR [ [\-install | \-uninstall | \-start | \-stop]
++ [\-quiet] [<filename>] ] | \-help | \-version | \-sockets
++.SH "DESCRIPTION"
++.IX Header "DESCRIPTION"
++The \fBstunnel\fR program is designed to work as \fI\s-1SSL\s0\fR encryption wrapper
++between remote clients and local (\fIinetd\fR\-startable) or remote
++servers. The concept is that having non-SSL aware daemons running on
++your system you can easily set them up to communicate with clients over
++secure \s-1SSL\s0 channels.
++.PP
++\&\fBstunnel\fR can be used to add \s-1SSL\s0 functionality to commonly used \fIInetd\fR
++daemons like \s-1POP\-2\s0, \s-1POP\-3\s0, and \s-1IMAP\s0 servers, to standalone daemons like
++\&\s-1NNTP\s0, \s-1SMTP\s0 and \s-1HTTP\s0, and in tunneling \s-1PPP\s0 over network sockets without
++changes to the source code.
++.PP
++This product includes cryptographic software written by
++Eric Young (eay@cryptsoft.com)
++.SH "OPTIONS"
++.IX Header "OPTIONS"
++.IP "<\fBfilename\fR>" 4
++.IX Item "<filename>"
++Use specified configuration file
++.IP "\fB\-fd n\fR (Unix only)" 4
++.IX Item "-fd n (Unix only)"
++Read the config file from specified file descriptor
++.IP "\fB\-help\fR" 4
++.IX Item "-help"
++Print \fBstunnel\fR help menu
++.IP "\fB\-version\fR" 4
++.IX Item "-version"
++Print \fBstunnel\fR version and compile time defaults
++.IP "\fB\-sockets\fR" 4
++.IX Item "-sockets"
++Print default socket options
++.IP "\fB\-install\fR (\s-1NT/2000/XP\s0 only)" 4
++.IX Item "-install (NT/2000/XP only)"
++Install \s-1NT\s0 Service
++.IP "\fB\-uninstall\fR (\s-1NT/2000/XP\s0 only)" 4
++.IX Item "-uninstall (NT/2000/XP only)"
++Uninstall \s-1NT\s0 Service
++.IP "\fB\-start\fR (\s-1NT/2000/XP\s0 only)" 4
++.IX Item "-start (NT/2000/XP only)"
++Start \s-1NT\s0 Service
++.IP "\fB\-stop\fR (\s-1NT/2000/XP\s0 only)" 4
++.IX Item "-stop (NT/2000/XP only)"
++Stop \s-1NT\s0 Service
++.IP "\fB\-quiet\fR (\s-1NT/2000/XP\s0 only)" 4
++.IX Item "-quiet (NT/2000/XP only)"
++Don't display a message box when successfully installed or uninstalled \s-1NT\s0 service
++.SH "CONFIGURATION FILE"
++.IX Header "CONFIGURATION FILE"
++Each line of the configuration file can be either:
++.IP "\(bu" 4
++an empty line (ignored)
++.IP "\(bu" 4
++a comment starting with ';' (ignored)
++.IP "\(bu" 4
++an 'option_name = option_value' pair
++.IP "\(bu" 4
++\&'[service_name]' indicating a start of a service definition
++.SS "\s-1GLOBAL\s0 \s-1OPTIONS\s0"
++.IX Subsection "GLOBAL OPTIONS"
++.IP "\fBchroot\fR = directory (Unix only)" 4
++.IX Item "chroot = directory (Unix only)"
++directory to chroot \fBstunnel\fR process
++.Sp
++\&\fBchroot\fR keeps \fBstunnel\fR in chrooted jail. \fICApath\fR, \fICRLpath\fR, \fIpid\fR
++and \fIexec\fR are located inside the jail and the patches have to be relative
++to the directory specified with \fBchroot\fR.
++.Sp
++To have libwrap (\s-1TCP\s0 Wrappers) control effective in a chrooted environment
++you also have to copy its configuration files (/etc/hosts.allow and
++/etc/hosts.deny) there.
++.IP "\fBcompression\fR = zlib | rle" 4
++.IX Item "compression = zlib | rle"
++select data compression algorithm
++.Sp
++default: no compression
++.Sp
++zlib compression of OpenSSL 0.9.8 or above is not backward compatible with
++OpenSSL 0.9.7.
++.Sp
++rle compression is currently not implemented by the OpenSSL library.
++.IP "\fBdebug\fR = [facility.]level" 4
++.IX Item "debug = [facility.]level"
++debugging level
++.Sp
++Level is a one of the syslog level names or numbers
++emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
++info (6), or debug (7). All logs for the specified level and
++all levels numerically less than it will be shown. Use \fBdebug = debug\fR or
++\&\fBdebug = 7\fR for greatest debugging output. The default is notice (5).
++.Sp
++The syslog facility 'daemon' will be used unless a facility name is supplied.
++(Facilities are not supported on Win32.)
++.Sp
++Case is ignored for both facilities and levels.
++.IP "\fB\s-1EGD\s0\fR = egd path (Unix only)" 4
++.IX Item "EGD = egd path (Unix only)"
++path to Entropy Gathering Daemon socket
++.Sp
++Entropy Gathering Daemon socket to use to feed OpenSSL random number
++generator. (Available only if compiled with OpenSSL 0.9.5a or higher)
++.IP "\fBengine\fR = auto | <engine id>" 4
++.IX Item "engine = auto | <engine id>"
++select hardware engine
++.Sp
++default: software-only cryptography
++.Sp
++There's an example in '\s-1EXAMPLES\s0' section.
++.IP "\fBengineCtrl\fR = command[:parameter]" 4
++.IX Item "engineCtrl = command[:parameter]"
++control hardware engine
++.Sp
++Special commands \*(L"\s-1LOAD\s0\*(R" and \*(L"\s-1INIT\s0\*(R" can be used to load and initialize the
++engine cryptogaphic module.
++.IP "\fBfips\fR = yes | no" 4
++.IX Item "fips = yes | no"
++Enable or disable \s-1FIPS\s0 140\-2 mode.
++.Sp
++This option allows to disable entering \s-1FIPS\s0 mode if stunnel was compiled with
++\&\s-1FIPS\s0 140\-2 support.
++.Sp
++default: yes
++.IP "\fBforeground\fR = yes | no (Unix only)" 4
++.IX Item "foreground = yes | no (Unix only)"
++foreground mode
++.Sp
++Stay in foreground (don't fork) and log to stderr
++instead of via syslog (unless \fBoutput\fR is specified).
++.Sp
++default: background in daemon mode
++.IP "\fBoutput\fR = file" 4
++.IX Item "output = file"
++append log messages to a file instead of using syslog
++.Sp
++/dev/stdout device can be used to redirect log messages to the standard
++output (for example to log them with daemontools splogger).
++.IP "\fBpid\fR = file (Unix only)" 4
++.IX Item "pid = file (Unix only)"
++pid file location
++.Sp
++If the argument is empty, then no pid file will be created.
++.Sp
++\&\fIpid\fR path is relative to \fIchroot\fR directory if specified.
++.IP "\fBRNDbytes\fR = bytes" 4
++.IX Item "RNDbytes = bytes"
++bytes to read from random seed files
++.Sp
++Number of bytes of data read from random seed files. With \s-1SSL\s0 versions
++less than 0.9.5a, also determines how many bytes of data are considered
++sufficient to seed the \s-1PRNG\s0. More recent OpenSSL versions have a builtin
++function to determine when sufficient randomness is available.
++.IP "\fBRNDfile\fR = file" 4
++.IX Item "RNDfile = file"
++path to file with random seed data
++.Sp
++The \s-1SSL\s0 library will use data from this file first to seed the random
++number generator.
++.IP "\fBRNDoverwrite\fR = yes | no" 4
++.IX Item "RNDoverwrite = yes | no"
++overwrite the random seed files with new random data
++.Sp
++default: yes
++.IP "\fBservice\fR = servicename" 4
++.IX Item "service = servicename"
++use specified string as the service name
++.Sp
++\&\fBOn Unix:\fR \fIinetd\fR mode service name for \s-1TCP\s0 Wrapper library.
++.Sp
++\&\fBOn \s-1NT/2000/XP:\s0\fR \s-1NT\s0 service name in the Control Panel.
++.Sp
++default: stunnel
++.IP "\fBsetgid\fR = groupname (Unix only)" 4
++.IX Item "setgid = groupname (Unix only)"
++\&\fIsetgid()\fR to groupname in daemon mode and clears all other groups
++.IP "\fBsetuid\fR = username (Unix only)" 4
++.IX Item "setuid = username (Unix only)"
++\&\fIsetuid()\fR to username in daemon mode
++.IP "\fBsocket\fR = a|l|r:option=value[:value]" 4
++.IX Item "socket = a|l|r:option=value[:value]"
++Set an option on accept/local/remote socket
++.Sp
++The values for linger option are l_onof:l_linger.
++The values for time are tv_sec:tv_usec.
++.Sp
++Examples:
++.Sp
++.Vb 11
++\& socket = l:SO_LINGER=1:60
++\& set one minute timeout for closing local socket
++\& socket = r:TCP_NODELAY=1
++\& turn off the Nagle algorithm for remote sockets
++\& socket = r:SO_OOBINLINE=1
++\& place out\-of\-band data directly into the
++\& receive data stream for remote sockets
++\& socket = a:SO_REUSEADDR=0
++\& disable address reuse (enabled by default)
++\& socket = a:SO_BINDTODEVICE=lo
++\& only accept connections on loopback interface
++.Ve
++.IP "\fBsyslog\fR = yes | no (Unix only)" 4
++.IX Item "syslog = yes | no (Unix only)"
++enable logging via syslog
++.Sp
++default: yes
++.IP "\fBtaskbar\fR = yes | no (\s-1WIN32\s0 only)" 4
++.IX Item "taskbar = yes | no (WIN32 only)"
++enable the taskbar icon
++.Sp
++default: yes
++.SS "SERVICE-LEVEL \s-1OPTIONS\s0"
++.IX Subsection "SERVICE-LEVEL OPTIONS"
++Each configuration section begins with service name in square brackets.
++The service name is used for libwrap (\s-1TCP\s0 Wrappers) access control and lets
++you distinguish \fBstunnel\fR services in your log files.
++.PP
++Note that if you wish to run \fBstunnel\fR in \fIinetd\fR mode (where it
++is provided a network socket by a server such as \fIinetd\fR, \fIxinetd\fR,
++or \fItcpserver\fR) then you should read the section entitled \fI\s-1INETD\s0 \s-1MODE\s0\fR
++below.
++.IP "\fBaccept\fR = [host:]port" 4
++.IX Item "accept = [host:]port"
++accept connections on specified host:port
++.Sp
++If no host specified, defaults to all \s-1IP\s0 addresses for the local host.
++.IP "\fBCApath\fR = directory" 4
++.IX Item "CApath = directory"
++Certificate Authority directory
++.Sp
++This is the directory in which \fBstunnel\fR will look for certificates when using
++the \fIverify\fR. Note that the certificates in this directory should be named
++\&\s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1DER\s0 encoded subject of the
++cert (the first 4 bytes of the \s-1MD5\s0 hash in least significant byte order).
++.Sp
++\&\fICApath\fR path is relative to \fIchroot\fR directory if specified.
++.IP "\fBCAfile\fR = certfile" 4
++.IX Item "CAfile = certfile"
++Certificate Authority file
++.Sp
++This file contains multiple \s-1CA\s0 certificates, used with the \fIverify\fR.
++.IP "\fBcert\fR = pemfile" 4
++.IX Item "cert = pemfile"
++certificate chain \s-1PEM\s0 file name
++.Sp
++A \s-1PEM\s0 is always needed in server mode.
++Specifying this flag in client mode will use this certificate chain
++as a client side certificate chain. Using client side certs is optional.
++The certificates must be in \s-1PEM\s0 format and must be sorted starting with the
++certificate to the highest level (root \s-1CA\s0).
++.IP "\fBciphers\fR = cipherlist" 4
++.IX Item "ciphers = cipherlist"
++Select permitted \s-1SSL\s0 ciphers
++.Sp
++A colon delimited list of the ciphers to allow in the \s-1SSL\s0 connection.
++For example \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
++.IP "\fBclient\fR = yes | no" 4
++.IX Item "client = yes | no"
++client mode (remote service uses \s-1SSL\s0)
++.Sp
++default: no (server mode)
++.IP "\fBconnect\fR = [host:]port" 4
++.IX Item "connect = [host:]port"
++connect to a remote host:port
++.Sp
++If no host is specified, the host defaults to localhost.
++.Sp
++Multiple \fBconnect\fR options are allowed in a single service section.
++.Sp
++If host resolves to multiple addresses and/or if multiple \fBconnect\fR
++options are specified, then the remote address is chosen using a
++round-robin algorithm.
++.IP "\fBCRLpath\fR = directory" 4
++.IX Item "CRLpath = directory"
++Certificate Revocation Lists directory
++.Sp
++This is the directory in which \fBstunnel\fR will look for CRLs when
++using the \fIverify\fR. Note that the CRLs in this directory should
++be named \s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1CRL\s0.
++.Sp
++\&\fICRLpath\fR path is relative to \fIchroot\fR directory if specified.
++.IP "\fBCRLfile\fR = certfile" 4
++.IX Item "CRLfile = certfile"
++Certificate Revocation Lists file
++.Sp
++This file contains multiple CRLs, used with the \fIverify\fR.
++.IP "\fBdelay\fR = yes | no" 4
++.IX Item "delay = yes | no"
++delay \s-1DNS\s0 lookup for 'connect' option
++.IP "\fBengineNum\fR = engine number" 4
++.IX Item "engineNum = engine number"
++select engine number to read private key
++.Sp
++The engines are numbered starting from 1.
++.IP "\fBexec\fR = executable_path (Unix only)" 4
++.IX Item "exec = executable_path (Unix only)"
++execute local inetd-type program
++.Sp
++\&\fIexec\fR path is relative to \fIchroot\fR directory if specified.
++.ie n .IP "\fBexecargs\fR = $0 $1 $2 ... (Unix only)" 4
++.el .IP "\fBexecargs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ... (Unix only)" 4
++.IX Item "execargs = $0 $1 $2 ... (Unix only)"
++arguments for \fIexec\fR including program name ($0)
++.Sp
++Quoting is currently not supported.
++Arguments are separated with arbitrary number of whitespaces.
++.IP "\fBfailover\fR = rr | prio" 4
++.IX Item "failover = rr | prio"
++Failover strategy for multiple \*(L"connect\*(R" targets.
++.Sp
++.Vb 2
++\& rr (round robin) \- fair load distribution
++\& prio (priority) \- use the order specified in config file
++.Ve
++.Sp
++default: rr
++.IP "\fBident\fR = username" 4
++.IX Item "ident = username"
++use \s-1IDENT\s0 (\s-1RFC\s0 1413) username checking
++.IP "\fBkey\fR = keyfile" 4
++.IX Item "key = keyfile"
++private key for certificate specified with \fIcert\fR option
++.Sp
++Private key is needed to authenticate certificate owner.
++Since this file should be kept secret it should only be readable
++to its owner. On Unix systems you can use the following command:
++.Sp
++.Vb 1
++\& chmod 600 keyfile
++.Ve
++.Sp
++default: value of \fIcert\fR option
++.IP "\fBlocal\fR = host" 4
++.IX Item "local = host"
++\&\s-1IP\s0 of the outgoing interface is used as source for remote connections.
++Use this option to bind a static local \s-1IP\s0 address, instead.
++.IP "\fB\s-1OCSP\s0\fR = url" 4
++.IX Item "OCSP = url"
++select \s-1OCSP\s0 server for certificate verification
++.IP "\fBOCSPflag\fR = flag" 4
++.IX Item "OCSPflag = flag"
++specify \s-1OCSP\s0 server flag
++.Sp
++Several \fIOCSPflag\fR can be used to specify multiple flags.
++.Sp
++currently supported flags: \s-1NOCERTS\s0, \s-1NOINTERN\s0 \s-1NOSIGS\s0, \s-1NOCHAIN\s0, \s-1NOVERIFY\s0,
++\&\s-1NOEXPLICIT\s0, \s-1NOCASIGN\s0, \s-1NODELEGATED\s0, \s-1NOCHECKS\s0, \s-1TRUSTOTHER\s0, \s-1RESPID_KEY\s0, \s-1NOTIME\s0
++.IP "\fBoptions\fR = SSL_options" 4
++.IX Item "options = SSL_options"
++OpenSSL library options
++.Sp
++The parameter is the OpenSSL option name as described in the
++\&\fI\fISSL_CTX_set_options\fI\|(3ssl)\fR manual, but without \fI\s-1SSL_OP_\s0\fR prefix.
++Several \fIoptions\fR can be used to specify multiple options.
++.Sp
++For example for compatibility with erroneous Eudora \s-1SSL\s0 implementation
++the following option can be used:
++.Sp
++.Vb 1
++\& options = DONT_INSERT_EMPTY_FRAGMENTS
++.Ve
++.IP "\fBprotocol\fR = proto" 4
++.IX Item "protocol = proto"
++application protocol to negotiate \s-1SSL\s0
++.Sp
++currently supported: cifs, connect, imap, nntp, pop3, smtp, pgsql
++.IP "\fBprotocolAuthentication\fR = auth_type" 4
++.IX Item "protocolAuthentication = auth_type"
++authentication type for protocol negotiations
++.Sp
++currently supported: basic, \s-1NTLM\s0
++.Sp
++Currently authentication type only applies to 'connect' protocol.
++.Sp
++default: basic
++.IP "\fBprotocolHost\fR = host:port" 4
++.IX Item "protocolHost = host:port"
++destination address for protocol negotiations
++.IP "\fBprotocolPassword\fR = password" 4
++.IX Item "protocolPassword = password"
++password for protocol negotiations
++.IP "\fBprotocolUsername\fR = username" 4
++.IX Item "protocolUsername = username"
++username for protocol negotiations
++.IP "\fBpty\fR = yes | no (Unix only)" 4
++.IX Item "pty = yes | no (Unix only)"
++allocate pseudo terminal for 'exec' option
++.IP "\fBretry\fR = yes | no (Unix only)" 4
++.IX Item "retry = yes | no (Unix only)"
++reconnect a connect+exec section after it's disconnected
++.Sp
++default: no
++.IP "\fBsession\fR = timeout" 4
++.IX Item "session = timeout"
++session cache timeout
++.IP "\fBsessiond\fR = host:port" 4
++.IX Item "sessiond = host:port"
++address of sessiond \s-1SSL\s0 cache server
++.IP "\fBsslVersion\fR = version" 4
++.IX Item "sslVersion = version"
++select version of \s-1SSL\s0 protocol
++.Sp
++Allowed options: all, SSLv2, SSLv3, TLSv1
++.IP "\fBstack\fR = bytes (except for \s-1FORK\s0 model)" 4
++.IX Item "stack = bytes (except for FORK model)"
++thread stack size
++.IP "\fBTIMEOUTbusy\fR = seconds" 4
++.IX Item "TIMEOUTbusy = seconds"
++time to wait for expected data
++.IP "\fBTIMEOUTclose\fR = seconds" 4
++.IX Item "TIMEOUTclose = seconds"
++time to wait for close_notify (set to 0 for buggy \s-1MSIE\s0)
++.IP "\fBTIMEOUTconnect\fR = seconds" 4
++.IX Item "TIMEOUTconnect = seconds"
++time to wait to connect a remote host
++.IP "\fBTIMEOUTidle\fR = seconds" 4
++.IX Item "TIMEOUTidle = seconds"
++time to keep an idle connection
++.IP "\fBtransparent\fR = yes | no (Unix only)" 4
++.IX Item "transparent = yes | no (Unix only)"
++transparent proxy mode
++.Sp
++Re-write address to appear as if wrapped daemon is connecting
++from the \s-1SSL\s0 client machine instead of the machine running \fBstunnel\fR.
++.Sp
++This option is currently available in:
++.Sp
++.Vb 3
++\& remote mode (I<connect> option) on Linux >=2.6.28
++\& remote mode (I<connect> option) 2.2.x
++\& local mode (I<exec> option)
++.Ve
++.Sp
++\&\fBRemote mode\fR (either 2.2.x and >=2.6.28) requires stunnel to be executed as
++root. \fBsetuid\fR option will also break this functionality.
++.Sp
++\&\fBLinux >=2.6.28\fR requires the following setup for iptables and routing
++(possibly in /etc/rc.local or equivalent file):
++.Sp
++.Vb 6
++\& iptables \-t mangle \-N DIVERT
++\& iptables \-t mangle \-A PREROUTING \-p tcp \-m socket \-j DIVERT
++\& iptables \-t mangle \-A DIVERT \-j MARK \-\-set\-mark 1
++\& iptables \-t mangle \-A DIVERT \-j ACCEPT
++\& ip rule add fwmark 1 lookup 100
++\& ip route add local 0.0.0.0/0 dev lo table 100
++.Ve
++.Sp
++\&\fBLinux 2.2.x\fR requires kernel to be compiled with \fItransparent proxy\fR option.
++Connected service must be installed on a separate host.
++Routing towards the clients has to go through the stunnel box.
++.Sp
++\&\fBLocal mode\fR works by LD_PRELOADing env.so shared library.
++.IP "\fBverify\fR = level" 4
++.IX Item "verify = level"
++verify peer certificate
++.Sp
++.Vb 4
++\& level 1 \- verify peer certificate if present
++\& level 2 \- verify peer certificate
++\& level 3 \- verify peer with locally installed certificate
++\& default \- no verify
++.Ve
++.Sp
++It is important to understand, that this option was solely designed for access
++control and not for authorization. Specifically for level 2 every non-revoked
++certificate is accepted regardless of its Common Name. For this reason a
++dedicated \s-1CA\s0 should be used with level 2, and not a generic \s-1CA\s0 commonly used
++for webservers. Level 3 is preferred for point-to-point connections.
++.SH "RETURN VALUE"
++.IX Header "RETURN VALUE"
++\&\fBstunnel\fR returns zero on success, non-zero on error.
++.SH "EXAMPLES"
++.IX Header "EXAMPLES"
++In order to provide \s-1SSL\s0 encapsulation to your local \fIimapd\fR service, use
++.PP
++.Vb 4
++\& [imapd]
++\& accept = 993
++\& exec = /usr/sbin/imapd
++\& execargs = imapd
++.Ve
++.PP
++If you want to provide tunneling to your \fIpppd\fR daemon on port 2020,
++use something like
++.PP
++.Vb 5
++\& [vpn]
++\& accept = 2020
++\& exec = /usr/sbin/pppd
++\& execargs = pppd local
++\& pty = yes
++.Ve
++.PP
++If you want to use \fBstunnel\fR in \fIinetd\fR mode to launch your imapd
++process, you'd use this \fIstunnel.conf\fR.
++Note there must be no \fI[service_name]\fR section.
++.PP
++.Vb 2
++\& exec = /usr/sbin/imapd
++\& execargs = imapd
++.Ve
++.PP
++Here is an example of advanced engine configuration to read private key from an
++OpenSC engine
++.PP
++.Vb 7
++\& engine=dynamic
++\& engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so
++\& engineCtrl=ID:pkcs11
++\& engineCtrl=LIST_ADD:1
++\& engineCtrl=LOAD
++\& engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc\-pkcs11.so
++\& engineCtrl=INIT
++\&
++\& [service]
++\& engineNum=1
++\& key=id_45
++.Ve
++.SH "FILES"
++.IX Header "FILES"
++.IP "\fIstunnel.conf\fR" 4
++.IX Item "stunnel.conf"
++\&\fBstunnel\fR configuration file
++.IP "\fIstunnel.pem\fR" 4
++.IX Item "stunnel.pem"
++\&\fBstunnel\fR certificate and private key
++.SH "BUGS"
++.IX Header "BUGS"
++Option \fIexecargs\fR does not support quoting.
++.SH "RESTRICTIONS"
++.IX Header "RESTRICTIONS"
++\&\fBstunnel\fR cannot be used for the \s-1FTP\s0 daemon because of the nature
++of the \s-1FTP\s0 protocol which utilizes multiple ports for data transfers.
++There are available \s-1SSL\s0 enabled versions of \s-1FTP\s0 and telnet daemons, however.
++.SH "NOTES"
++.IX Header "NOTES"
++.SS "\s-1INETD\s0 \s-1MODE\s0"
++.IX Subsection "INETD MODE"
++The most common use of \fBstunnel\fR is to listen on a network
++port and establish communication with either a new port
++via the connect option, or a new program via the \fIexec\fR option.
++However there is a special case when you wish to have
++some other program accept incoming connections and
++launch \fBstunnel\fR, for example with \fIinetd\fR, \fIxinetd\fR,
++or \fItcpserver\fR.
++.PP
++For example, if you have the following line in \fIinetd.conf\fR:
++.PP
++.Vb 1
++\& imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
++.Ve
++.PP
++In these cases, the \fIinetd\fR\-style program is responsible
++for binding a network socket (\fIimaps\fR above) and handing
++it to \fBstunnel\fR when a connection is received.
++Thus you do not want \fBstunnel\fR to have any \fIaccept\fR option.
++All the \fIService Level Options\fR should be placed in the
++global options section, and no \fI[service_name]\fR section
++will be present. See the \fI\s-1EXAMPLES\s0\fR section for example
++configurations.
++.SS "\s-1CERTIFICATES\s0"
++.IX Subsection "CERTIFICATES"
++Each \s-1SSL\s0 enabled daemon needs to present a valid X.509 certificate
++to the peer. It also needs a private key to decrypt the incoming
++data. The easiest way to obtain a certificate and a key is to
++generate them with the free \fIOpenSSL\fR package. You can find more
++information on certificates generation on pages listed below.
++.PP
++The order of contents of the \fI.pem\fR file is important. It should contain the
++unencrypted private key first, then a signed certificate (not certificate
++request). There should be also empty lines after certificate and private key.
++Plaintext certificate information appended on the top of generated certificate
++should be discarded. So the file should look like this:
++.PP
++.Vb 8
++\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
++\& [encoded key]
++\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
++\& [empty line]
++\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
++\& [encoded certificate]
++\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
++\& [empty line]
++.Ve
++.SS "\s-1RANDOMNESS\s0"
++.IX Subsection "RANDOMNESS"
++\&\fBstunnel\fR needs to seed the \s-1PRNG\s0 (pseudo random number generator) in
++order for \s-1SSL\s0 to use good randomness. The following sources are loaded
++in order until sufficient random data has been gathered:
++.IP "\(bu" 4
++The file specified with the \fIRNDfile\fR flag.
++.IP "\(bu" 4
++The file specified by the \s-1RANDFILE\s0 environment variable, if set.
++.IP "\(bu" 4
++The file .rnd in your home directory, if \s-1RANDFILE\s0 not set.
++.IP "\(bu" 4
++The file specified with '\-\-with\-random' at compile time.
++.IP "\(bu" 4
++The contents of the screen if running on Windows.
++.IP "\(bu" 4
++The egd socket specified with the \fI\s-1EGD\s0\fR flag.
++.IP "\(bu" 4
++The egd socket specified with '\-\-with\-egd\-sock' at compile time.
++.IP "\(bu" 4
++The /dev/urandom device.
++.PP
++With recent (>=OpenSSL 0.9.5a) version of \s-1SSL\s0 it will stop loading
++random data automatically when sufficient entropy has been gathered.
++With previous versions it will continue to gather from all the above
++sources since no \s-1SSL\s0 function exists to tell when enough data is available.
++.PP
++Note that on Windows machines that do not have console user interaction
++(mouse movements, creating windows, etc) the screen contents are not
++variable enough to be sufficient, and you should provide a random file
++for use with the \fIRNDfile\fR flag.
++.PP
++Note that the file specified with the \fIRNDfile\fR flag should contain
++random data \*(-- that means it should contain different information
++each time \fBstunnel\fR is run. This is handled automatically
++unless the \fIRNDoverwrite\fR flag is used. If you wish to update this file
++manually, the \fIopenssl rand\fR command in recent versions of OpenSSL,
++would be useful.
++.PP
++One important note \*(-- if /dev/urandom is available, OpenSSL has a habit of
++seeding the \s-1PRNG\s0 with it even when checking the random state, so on
++systems with /dev/urandom you're likely to use it even though it's listed
++at the very bottom of the list above. This isn't \fBstunnel's\fR behaviour, it's
++OpenSSLs.
++.SH "SEE ALSO"
++.IX Header "SEE ALSO"
++.IP "\fItcpd\fR\|(8)" 4
++.IX Item "tcpd"
++access control facility for internet services
++.IP "\fIinetd\fR\|(8)" 4
++.IX Item "inetd"
++internet 'super\-server'
++.IP "\fIhttp://stunnel.mirt.net/\fR" 4
++.IX Item "http://stunnel.mirt.net/"
++\&\fBstunnel\fR homepage
++.IP "\fIhttp://www.stunnel.org/\fR" 4
++.IX Item "http://www.stunnel.org/"
++\&\fBstunnel\fR Frequently Asked Questions
++.IP "\fIhttp://www.openssl.org/\fR" 4
++.IX Item "http://www.openssl.org/"
++OpenSSL project website
++.SH "AUTHOR"
++.IX Header "AUTHOR"
++.IP "Michal Trojnara" 4
++.IX Item "Michal Trojnara"
++<\fIMichal.Trojnara@mirt.net\fR>
+--- a/doc/stunnel.fr.8
++++ b/doc/stunnel.fr.8
+@@ -445,6 +445,10 @@ Cette option permet de relier une adress
+ Négocie avec \s-1SSL\s0 selon le protocole indiqué
+ .Sp
+ Actuellement gérés\ : cifs, nntp, pop3, smtp
++.IP "\fBxforwardedfor\fR = yes | no" 4
++.IX Item "xforwardedfor = yes | no"
++Ajoute un en-tête 'X-Forwarded-For:' dans la requête HTTP fournissant
++au serveur l'adresse IP du client.
+ .IP "\fBpty\fR = yes | no (Unix seulement)" 4
+ .IX Item "pty = yes | no (Unix seulement)"
+ Alloue un pseudo-terminal pour l'option «\ exec\ »
+--- a/src/client.c
++++ b/src/client.c
+@@ -90,6 +90,12 @@ CLI *alloc_client_session(LOCAL_OPTIONS
+ return NULL;
+ }
+ c->opt=opt;
++ /* some options need space to add some information */
++ if (c->opt->option.xforwardedfor)
++ c->buffsize = BUFFSIZE - BUFF_RESERVED;
++ else
++ c->buffsize = BUFFSIZE;
++ c->crlf_seen=0;
+ c->local_rfd.fd=rfd;
+ c->local_wfd.fd=wfd;
+ return c;
+@@ -382,6 +388,29 @@ static void init_ssl(CLI *c) {
+ }
+ }
+
++/* Moves all data from the buffer <buffer> between positions <start> and <stop>
++ * to insert <string> of length <len>. <start> and <stop> are updated to their
++ * new respective values, and the number of characters inserted is returned.
++ * If <len> is too long, nothing is done and -1 is returned.
++ * Note that neither <string> nor <buffer> can be NULL.
++*/
++static int buffer_insert_with_len(char *buffer, int *start, int *stop, int limit, char *string, int len) {
++ if (len > limit - *stop)
++ return -1;
++ if (*start > *stop)
++ return -1;
++ memmove(buffer + *start + len, buffer + *start, *stop - *start);
++ memcpy(buffer + *start, string, len);
++ *start += len;
++ *stop += len;
++ return len;
++}
++
++static int buffer_insert(char *buffer, int *start, int *stop, int limit, char *string) {
++ return buffer_insert_with_len(buffer, start, stop, limit, string, strlen(string));
++}
++
++
+ /****************************** some defines for transfer() */
+ /* is socket/SSL open for read/write? */
+ #define sock_rd (c->sock_rfd->rd)
+@@ -416,13 +445,16 @@ static void transfer(CLI *c) {
+ check_SSL_pending=0;
+
+ SSL_read_wants_read=
+- ssl_rd && c->ssl_ptr<BUFFSIZE && !SSL_read_wants_write;
++ //ssl_rd && c->ssl_ptr<BUFFSIZE && !SSL_read_wants_write;
++ ssl_rd && c->ssl_ptr<c->buffsize && !SSL_read_wants_write;
++
+ SSL_write_wants_write=
+ ssl_wr && c->sock_ptr && !SSL_write_wants_read;
+
+ /****************************** setup c->fds structure */
+ s_poll_init(&c->fds); /* initialize the structure */
+- if(sock_rd && c->sock_ptr<BUFFSIZE)
++ //if(sock_rd && c->sock_ptr<BUFFSIZE)
++ if(sock_rd && c->sock_ptr<c->buffsize)
+ s_poll_add(&c->fds, c->sock_rfd->fd, 1, 0);
+ if(SSL_read_wants_read ||
+ SSL_write_wants_read ||
+@@ -521,7 +553,8 @@ static void transfer(CLI *c) {
+ break;
+ default:
+ memmove(c->ssl_buff, c->ssl_buff+num, c->ssl_ptr-num);
+- if(c->ssl_ptr==BUFFSIZE) /* buffer was previously full */
++ //if(c->ssl_ptr==BUFFSIZE) /* buffer was previously full */
++ if(c->ssl_ptr>=c->buffsize) /* buffer was previously full */
+ check_SSL_pending=1; /* check for data buffered by SSL */
+ c->ssl_ptr-=num;
+ c->sock_bytes+=num;
+@@ -581,7 +614,8 @@ static void transfer(CLI *c) {
+ /****************************** read from socket */
+ if(sock_rd && sock_can_rd) {
+ num=readsocket(c->sock_rfd->fd,
+- c->sock_buff+c->sock_ptr, BUFFSIZE-c->sock_ptr);
++ //c->sock_buff+c->sock_ptr, BUFFSIZE-c->sock_ptr);
++ c->sock_buff+c->sock_ptr, c->buffsize-c->sock_ptr);
+ switch(num) {
+ case -1:
+ parse_socket_error(c, "readsocket");
+@@ -601,10 +635,73 @@ static void transfer(CLI *c) {
+ (SSL_read_wants_write && ssl_can_wr) ||
+ (check_SSL_pending && SSL_pending(c->ssl))) {
+ SSL_read_wants_write=0;
+- num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr);
++ //num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr);
++ num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, c->buffsize-c->ssl_ptr);
+ switch(err=SSL_get_error(c->ssl, num)) {
+ case SSL_ERROR_NONE:
++ //c->ssl_ptr+=num;
++ if (c->buffsize != BUFFSIZE && c->opt->option.xforwardedfor) { /* some work left to do */
++ int last = c->ssl_ptr;
++ c->ssl_ptr += num;
++
++ /* Look for end of HTTP headers between last and ssl_ptr.
++ * To achieve this reliably, we have to count the number of
++ * successive [CR]LF and to memorize it in case it's spread
++ * over multiple segments. --WT.
++ */
++ while (last < c->ssl_ptr) {
++ if (c->ssl_buff[last] == '\n') {
++ if (++c->crlf_seen == 2)
++ break;
++ } else if (last < c->ssl_ptr - 1 &&
++ c->ssl_buff[last] == '\r' &&
++ c->ssl_buff[last+1] == '\n') {
++ if (++c->crlf_seen == 2)
++ break;
++ last++;
++ } else if (c->ssl_buff[last] != '\r')
++ /* don't refuse '\r' because we may get a '\n' on next read */
++ c->crlf_seen = 0;
++ last++;
++ }
++ if (c->crlf_seen >= 2) {
++ /* We have all the HTTP headers now. We don't need to
++ * reserve any space anymore. <ssl_ptr> points to the
++ * first byte of unread data, and <last> points to the
++ * exact location where we want to insert our headers,
++ * which is right before the empty line.
++ */
++ c->buffsize = BUFFSIZE;
++
++ if (c->opt->option.xforwardedfor) {
++ /* X-Forwarded-For: xxxx \r\n\0 */
++ char xforw[17 + IPLEN + 3];
++
++ /* We will insert our X-Forwarded-For: header here.
++ * We need to write the IP address, but if we use
++ * sprintf, it will pad with the terminating 0.
++ * So we will pass via a temporary buffer allocated
++ * on the stack.
++ */
++ memcpy(xforw, "X-Forwarded-For: ", 17);
++ if (getnameinfo(&c->peer_addr.addr[0].sa,
++ addr_len(c->peer_addr.addr[0]),
++ xforw + 17, IPLEN, NULL, 0,
++ NI_NUMERICHOST) == 0) {
++ strcat(xforw + 17, "\r\n");
++ buffer_insert(c->ssl_buff, &last, &c->ssl_ptr,
++ c->buffsize, xforw);
++ }
++ /* last still points to the \r\n and ssl_ptr to the
++ * end of the buffer, so we may add as many headers
++ * as wee need to.
++ */
++ }
++ }
++ }
++ else
+ c->ssl_ptr+=num;
++
+ watchdog=0; /* reset watchdog */
+ break;
+ case SSL_ERROR_WANT_WRITE:
+--- /dev/null
++++ b/src/client.c.orig
+@@ -0,0 +1,1042 @@
++/*
++ * stunnel Universal SSL tunnel
++ * Copyright (C) 1998-2009 Michal Trojnara <Michal.Trojnara@mirt.net>
++ *
++ * This program is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by the
++ * Free Software Foundation; either version 2 of the License, or (at your
++ * option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
++ * See the GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License along
++ * with this program; if not, see <http://www.gnu.org/licenses>.
++ *
++ * Linking stunnel statically or dynamically with other modules is making
++ * a combined work based on stunnel. Thus, the terms and conditions of
++ * the GNU General Public License cover the whole combination.
++ *
++ * In addition, as a special exception, the copyright holder of stunnel
++ * gives you permission to combine stunnel with free software programs or
++ * libraries that are released under the GNU LGPL and with code included
++ * in the standard release of OpenSSL under the OpenSSL License (or
++ * modified versions of such code, with unchanged license). You may copy
++ * and distribute such a system following the terms of the GNU GPL for
++ * stunnel and the licenses of the other code concerned.
++ *
++ * Note that people who make modified versions of stunnel are not obligated
++ * to grant this special exception for their modified versions; it is their
++ * choice whether to do so. The GNU General Public License gives permission
++ * to release a modified version without this exception; this exception
++ * also makes it possible to release a modified version which carries
++ * forward this exception.
++ */
++
++/* Undefine if you have problems with make_sockets() */
++#define INET_SOCKET_PAIR
++
++#include "common.h"
++#include "prototypes.h"
++
++#ifndef SHUT_RD
++#define SHUT_RD 0
++#endif
++#ifndef SHUT_WR
++#define SHUT_WR 1
++#endif
++#ifndef SHUT_RDWR
++#define SHUT_RDWR 2
++#endif
++
++#if SSLEAY_VERSION_NUMBER >= 0x0922
++static char *sid_ctx="stunnel SID";
++ /* const allowed here */
++#endif
++
++static void do_client(CLI *);
++static void run_client(CLI *);
++static void init_local(CLI *);
++static void init_remote(CLI *);
++static void init_ssl(CLI *);
++static void transfer(CLI *);
++static void parse_socket_error(CLI *, const char *);
++
++static void print_cipher(CLI *);
++static void auth_user(CLI *);
++static int connect_local(CLI *);
++#ifndef USE_WIN32
++static void make_sockets(CLI *, int [2]);
++#endif
++static int connect_remote(CLI *);
++static void local_bind(CLI *c);
++static void print_bound_address(CLI *);
++static void reset(int, char *);
++
++int max_clients;
++#ifndef USE_WIN32
++int max_fds;
++#endif
++
++/* Allocate local data structure for the new thread */
++CLI *alloc_client_session(LOCAL_OPTIONS *opt, int rfd, int wfd) {
++ CLI *c;
++
++ c=calloc(1, sizeof(CLI));
++ if(!c) {
++ s_log(LOG_ERR, "Memory allocation failed");
++ return NULL;
++ }
++ c->opt=opt;
++ c->local_rfd.fd=rfd;
++ c->local_wfd.fd=wfd;
++ return c;
++}
++
++void *client(void *arg) {
++ CLI *c=arg;
++
++#ifdef DEBUG_STACK_SIZE
++ stack_info(1); /* initialize */
++#endif
++ s_log(LOG_DEBUG, "%s started", c->opt->servname);
++#ifndef USE_WIN32
++ if(c->opt->option.remote && c->opt->option.program) {
++ /* connect and exec options specified together */
++ /* -> spawn a local program instead of stdio */
++ while((c->local_rfd.fd=c->local_wfd.fd=connect_local(c))>=0) {
++ run_client(c);
++ if(!c->opt->option.retry)
++ break;
++ sleep(1); /* FIXME: not a good idea in ucontext threading */
++ }
++ } else
++#endif
++ {
++ if(alloc_fd(c->local_rfd.fd))
++ return NULL;
++ if(c->local_wfd.fd!=c->local_rfd.fd)
++ if(alloc_fd(c->local_wfd.fd))
++ return NULL;
++ run_client(c);
++ }
++ free(c);
++#ifdef DEBUG_STACK_SIZE
++ stack_info(0); /* display computed value */
++#endif
++#if defined(USE_WIN32) && !defined(_WIN32_WCE)
++ _endthread();
++#endif
++#ifdef USE_UCONTEXT
++ s_log(LOG_DEBUG, "Context %ld closed", ready_head->id);
++ s_poll_wait(NULL, 0, 0); /* wait on poll() */
++ s_log(LOG_ERR, "INTERNAL ERROR: failed to drop context");
++#endif
++ return NULL;
++}
++
++static void run_client(CLI *c) {
++ int error;
++
++ c->remote_fd.fd=-1;
++ c->fd=-1;
++ c->ssl=NULL;
++ c->sock_bytes=c->ssl_bytes=0;
++
++ error=setjmp(c->err);
++ if(!error)
++ do_client(c);
++
++ s_log(LOG_NOTICE,
++ "Connection %s: %d bytes sent to SSL, %d bytes sent to socket",
++ error==1 ? "reset" : "closed", c->ssl_bytes, c->sock_bytes);
++
++ /* Cleanup IDENT socket */
++ if(c->fd>=0)
++ closesocket(c->fd);
++
++ /* Cleanup SSL */
++ if(c->ssl) { /* SSL initialized */
++ SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
++ SSL_free(c->ssl);
++ ERR_remove_state(0);
++ }
++
++ /* Cleanup remote socket */
++ if(c->remote_fd.fd>=0) { /* Remote socket initialized */
++ if(error==1 && c->remote_fd.is_socket)
++ reset(c->remote_fd.fd, "linger (remote)");
++ closesocket(c->remote_fd.fd);
++ }
++
++ /* Cleanup local socket */
++ if(c->local_rfd.fd>=0) { /* Local socket initialized */
++ if(c->local_rfd.fd==c->local_wfd.fd) {
++ if(error==1 && c->local_rfd.is_socket)
++ reset(c->local_rfd.fd, "linger (local)");
++ closesocket(c->local_rfd.fd);
++ } else { /* STDIO */
++ if(error==1 && c->local_rfd.is_socket)
++ reset(c->local_rfd.fd, "linger (local_rfd)");
++ if(error==1 && c->local_wfd.is_socket)
++ reset(c->local_wfd.fd, "linger (local_wfd)");
++ }
++ }
++#ifdef USE_FORK
++ if(!c->opt->option.remote) /* 'exec' specified */
++ child_status(); /* null SIGCHLD handler was used */
++#else
++ enter_critical_section(CRIT_CLIENTS); /* for multi-cpu machines */
++ s_log(LOG_DEBUG, "%s finished (%d left)", c->opt->servname,
++ --num_clients);
++ leave_critical_section(CRIT_CLIENTS);
++#endif
++}
++
++static void do_client(CLI *c) {
++ init_local(c);
++ if(!c->opt->option.client && !c->opt->protocol) {
++ /* Server mode and no protocol negotiation needed */
++ init_ssl(c);
++ init_remote(c);
++ } else {
++ init_remote(c);
++ negotiate(c);
++ init_ssl(c);
++ }
++ transfer(c);
++}
++
++static void init_local(CLI *c) {
++ SOCKADDR_UNION addr;
++ socklen_t addrlen;
++
++ addrlen=sizeof addr;
++ if(getpeername(c->local_rfd.fd, &addr.sa, &addrlen)<0) {
++ strcpy(c->accepted_address, "NOT A SOCKET");
++ c->local_rfd.is_socket=0;
++ c->local_wfd.is_socket=0; /* TODO: It's not always true */
++#ifdef USE_WIN32
++ if(get_last_socket_error()!=ENOTSOCK) {
++#else
++ if(c->opt->option.transparent || get_last_socket_error()!=ENOTSOCK) {
++#endif
++ sockerror("getpeerbyname");
++ longjmp(c->err, 1);
++ }
++ /* Ignore ENOTSOCK error so 'local' doesn't have to be a socket */
++ } else { /* success */
++ /* copy addr to c->peer_addr */
++ memcpy(&c->peer_addr.addr[0], &addr, sizeof addr);
++ c->peer_addr.num=1;
++ s_ntop(c->accepted_address, &c->peer_addr.addr[0]);
++ c->local_rfd.is_socket=1;
++ c->local_wfd.is_socket=1; /* TODO: It's not always true */
++ /* It's a socket: lets setup options */
++ if(set_socket_options(c->local_rfd.fd, 1)<0)
++ longjmp(c->err, 1);
++#ifdef USE_LIBWRAP
++ auth_libwrap(c);
++#endif /* USE_LIBWRAP */
++ auth_user(c);
++ s_log(LOG_NOTICE, "%s accepted connection from %s",
++ c->opt->servname, c->accepted_address);
++ }
++}
++
++static void init_remote(CLI *c) {
++ /* create connection to host/service */
++ if(c->opt->source_addr.num)
++ memcpy(&c->bind_addr, &c->opt->source_addr, sizeof(SOCKADDR_LIST));
++#ifndef USE_WIN32
++ else if(c->opt->option.transparent)
++ memcpy(&c->bind_addr, &c->peer_addr, sizeof(SOCKADDR_LIST));
++#endif
++ else {
++ c->bind_addr.num=0; /* don't bind connecting socket */
++ }
++
++ /* setup c->remote_fd, now */
++ if(c->opt->option.remote) {
++ c->remote_fd.fd=connect_remote(c);
++ } else /* NOT in remote mode */
++ c->remote_fd.fd=connect_local(c);
++ c->remote_fd.is_socket=1; /* Always! */
++#ifndef USE_WIN32
++ if(c->remote_fd.fd>=max_fds) {
++ s_log(LOG_ERR, "Remote file descriptor out of range (%d>=%d)",
++ c->remote_fd.fd, max_fds);
++ longjmp(c->err, 1);
++ }
++#endif
++ s_log(LOG_DEBUG, "Remote FD=%d initialized", c->remote_fd.fd);
++ if(set_socket_options(c->remote_fd.fd, 2)<0)
++ longjmp(c->err, 1);
++}
++
++static void init_ssl(CLI *c) {
++ int i, err;
++ SSL_SESSION *old_session;
++
++ if(!(c->ssl=SSL_new(c->opt->ctx))) {
++ sslerror("SSL_new");
++ longjmp(c->err, 1);
++ }
++ SSL_set_ex_data(c->ssl, cli_index, c); /* for callbacks */
++#if SSLEAY_VERSION_NUMBER >= 0x0922
++ SSL_set_session_id_context(c->ssl, (unsigned char *)sid_ctx,
++ strlen(sid_ctx));
++#endif
++ if(c->opt->option.client) {
++ if(c->opt->session) {
++ enter_critical_section(CRIT_SESSION);
++ SSL_set_session(c->ssl, c->opt->session);
++ leave_critical_section(CRIT_SESSION);
++ }
++ SSL_set_fd(c->ssl, c->remote_fd.fd);
++ SSL_set_connect_state(c->ssl);
++ } else {
++ if(c->local_rfd.fd==c->local_wfd.fd)
++ SSL_set_fd(c->ssl, c->local_rfd.fd);
++ else {
++ /* Does it make sence to have SSL on STDIN/STDOUT? */
++ SSL_set_rfd(c->ssl, c->local_rfd.fd);
++ SSL_set_wfd(c->ssl, c->local_wfd.fd);
++ }
++ SSL_set_accept_state(c->ssl);
++ }
++
++ /* Setup some values for transfer() function */
++ if(c->opt->option.client) {
++ c->sock_rfd=&(c->local_rfd);
++ c->sock_wfd=&(c->local_wfd);
++ c->ssl_rfd=c->ssl_wfd=&(c->remote_fd);
++ } else {
++ c->sock_rfd=c->sock_wfd=&(c->remote_fd);
++ c->ssl_rfd=&(c->local_rfd);
++ c->ssl_wfd=&(c->local_wfd);
++ }
++
++ while(1) {
++ /* crude workaround for random MT-safety problems in OpenSSL */
++ /* performance penalty is not huge, as it's a non-blocking code */
++ enter_critical_section(CRIT_SSL);
++ if(c->opt->option.client)
++ i=SSL_connect(c->ssl);
++ else
++ i=SSL_accept(c->ssl);
++ leave_critical_section(CRIT_SSL);
++ err=SSL_get_error(c->ssl, i);
++ if(err==SSL_ERROR_NONE)
++ break; /* ok -> done */
++ if(err==SSL_ERROR_WANT_READ || err==SSL_ERROR_WANT_WRITE) {
++ s_poll_init(&c->fds);
++ s_poll_add(&c->fds, c->ssl_rfd->fd,
++ err==SSL_ERROR_WANT_READ,
++ err==SSL_ERROR_WANT_WRITE);
++ switch(s_poll_wait(&c->fds, c->opt->timeout_busy, 0)) {
++ case -1:
++ sockerror("init_ssl: s_poll_wait");
++ longjmp(c->err, 1);
++ case 0:
++ s_log(LOG_INFO, "init_ssl: s_poll_wait timeout");
++ longjmp(c->err, 1);
++ case 1:
++ break; /* OK */
++ default:
++ s_log(LOG_ERR, "init_ssl: s_poll_wait unknown result");
++ longjmp(c->err, 1);
++ }
++ continue; /* ok -> retry */
++ }
++ if(err==SSL_ERROR_SYSCALL) {
++ switch(get_last_socket_error()) {
++ case EINTR:
++ case EAGAIN:
++ continue;
++ }
++ }
++ if(c->opt->option.client)
++ sslerror("SSL_connect");
++ else
++ sslerror("SSL_accept");
++ longjmp(c->err, 1);
++ }
++ if(SSL_session_reused(c->ssl)) {
++ s_log(LOG_INFO, "SSL %s: previous session reused",
++ c->opt->option.client ? "connected" : "accepted");
++ } else { /* a new session was negotiated */
++ if(c->opt->option.client) {
++ s_log(LOG_INFO, "SSL connected: new session negotiated");
++ enter_critical_section(CRIT_SESSION);
++ old_session=c->opt->session;
++ c->opt->session=SSL_get1_session(c->ssl); /* store it */
++ if(old_session)
++ SSL_SESSION_free(old_session); /* release the old one */
++ leave_critical_section(CRIT_SESSION);
++ } else
++ s_log(LOG_INFO, "SSL accepted: new session negotiated");
++ print_cipher(c);
++ }
++}
++
++/****************************** some defines for transfer() */
++/* is socket/SSL open for read/write? */
++#define sock_rd (c->sock_rfd->rd)
++#define sock_wr (c->sock_wfd->wr)
++#define ssl_rd (c->ssl_rfd->rd)
++#define ssl_wr (c->ssl_wfd->wr)
++/* NOTE: above defines are related to the logical data stream,
++ * not the underlying file descriptors */
++
++/* is socket/SSL ready for read/write? */
++#define sock_can_rd (s_poll_canread(&c->fds, c->sock_rfd->fd))
++#define sock_can_wr (s_poll_canwrite(&c->fds, c->sock_wfd->fd))
++#define ssl_can_rd (s_poll_canread(&c->fds, c->ssl_rfd->fd))
++#define ssl_can_wr (s_poll_canwrite(&c->fds, c->ssl_wfd->fd))
++
++/****************************** transfer data */
++static void transfer(CLI *c) {
++ int watchdog=0; /* a counter to detect an infinite loop */
++ int error;
++ socklen_t optlen;
++ int num, err, check_SSL_pending;
++ int SSL_shutdown_wants_read=0, SSL_shutdown_wants_write=0;
++ int SSL_write_wants_read=0, SSL_write_wants_write=0;
++ int SSL_read_wants_read=0, SSL_read_wants_write=0;
++
++ c->sock_ptr=c->ssl_ptr=0;
++ sock_rd=sock_wr=ssl_rd=ssl_wr=1;
++
++ do { /* main loop */
++ /* set flag to try and read any buffered SSL data
++ * if we made room in the buffer by writing to the socket */
++ check_SSL_pending=0;
++
++ SSL_read_wants_read=
++ ssl_rd && c->ssl_ptr<BUFFSIZE && !SSL_read_wants_write;
++ SSL_write_wants_write=
++ ssl_wr && c->sock_ptr && !SSL_write_wants_read;
++
++ /****************************** setup c->fds structure */
++ s_poll_init(&c->fds); /* initialize the structure */
++ if(sock_rd && c->sock_ptr<BUFFSIZE)
++ s_poll_add(&c->fds, c->sock_rfd->fd, 1, 0);
++ if(SSL_read_wants_read ||
++ SSL_write_wants_read ||
++ SSL_shutdown_wants_read)
++ s_poll_add(&c->fds, c->ssl_rfd->fd, 1, 0);
++ if(sock_wr && c->ssl_ptr)
++ s_poll_add(&c->fds, c->sock_wfd->fd, 0, 1);
++ if(SSL_read_wants_write ||
++ SSL_write_wants_write ||
++ SSL_shutdown_wants_write)
++ s_poll_add(&c->fds, c->ssl_wfd->fd, 0, 1);
++
++ /****************************** wait for an event */
++ err=s_poll_wait(&c->fds, (sock_rd && ssl_rd) /* both peers open */ ||
++ c->ssl_ptr /* data buffered to write to socket */ ||
++ c->sock_ptr /* data buffered to write to SSL */ ?
++ c->opt->timeout_idle : c->opt->timeout_close, 0);
++ switch(err) {
++ case -1:
++ sockerror("transfer: s_poll_wait");
++ longjmp(c->err, 1);
++ case 0: /* timeout */
++ if((sock_rd && ssl_rd) || c->ssl_ptr || c->sock_ptr) {
++ s_log(LOG_INFO, "s_poll_wait timeout: connection reset");
++ longjmp(c->err, 1);
++ } else { /* already closing connection */
++ s_log(LOG_INFO, "s_poll_wait timeout: connection close");
++ return; /* OK */
++ }
++ }
++ if(!(sock_can_rd || sock_can_wr || ssl_can_rd || ssl_can_wr)) {
++ s_log(LOG_ERR, "INTERNAL ERROR: "
++ "s_poll_wait returned %d, but no descriptor is ready", err);
++ longjmp(c->err, 1);
++ }
++ if(!sock_rd && sock_can_rd) {
++ optlen=sizeof error;
++ if(getsockopt(c->sock_rfd->fd, SOL_SOCKET, SO_ERROR,
++ (void *)&error, &optlen))
++ error=get_last_socket_error(); /* failed -> ask why */
++ if(error) { /* really an error? */
++ s_log(LOG_ERR, "Closed socket ready to read: %s (%d)",
++ my_strerror(error), error);
++ longjmp(c->err, 1);
++ }
++ if(c->ssl_ptr) { /* anything left to write */
++ s_log(LOG_ERR, "Closed socket ready to read - reset");
++ longjmp(c->err, 1);
++ }
++ s_log(LOG_INFO, "Closed socket ready to read - write close");
++ sock_wr=0; /* no further write allowed */
++ shutdown(c->sock_wfd->fd, SHUT_WR); /* send TCP FIN */
++ }
++
++ /****************************** send SSL close_notify message */
++ if(SSL_shutdown_wants_read || SSL_shutdown_wants_write) {
++ SSL_shutdown_wants_read=SSL_shutdown_wants_write=0;
++ num=SSL_shutdown(c->ssl); /* send close_notify */
++ if(num<0) /* -1 - not completed */
++ err=SSL_get_error(c->ssl, num);
++ else /* 0 or 1 - success */
++ err=SSL_ERROR_NONE;
++ switch(err) {
++ case SSL_ERROR_NONE: /* the shutdown was successfully completed */
++ s_log(LOG_INFO, "SSL_shutdown successfully sent close_notify");
++ break;
++ case SSL_ERROR_WANT_WRITE:
++ s_log(LOG_DEBUG, "SSL_shutdown returned WANT_WRITE: retrying");
++ SSL_shutdown_wants_write=1;
++ break;
++ case SSL_ERROR_WANT_READ:
++ s_log(LOG_DEBUG, "SSL_shutdown returned WANT_READ: retrying");
++ SSL_shutdown_wants_read=1;
++ break;
++ case SSL_ERROR_SYSCALL: /* socket error */
++ parse_socket_error(c, "SSL_shutdown");
++ break;
++ case SSL_ERROR_SSL: /* SSL error */
++ sslerror("SSL_shutdown");
++ longjmp(c->err, 1);
++ default:
++ s_log(LOG_ERR, "SSL_shutdown/SSL_get_error returned %d", err);
++ longjmp(c->err, 1);
++ }
++ }
++
++ /****************************** write to socket */
++ if(sock_wr && sock_can_wr) {
++ num=writesocket(c->sock_wfd->fd, c->ssl_buff, c->ssl_ptr);
++ switch(num) {
++ case -1: /* error */
++ parse_socket_error(c, "writesocket");
++ break;
++ case 0:
++ s_log(LOG_DEBUG, "No data written to the socket: retrying");
++ break;
++ default:
++ memmove(c->ssl_buff, c->ssl_buff+num, c->ssl_ptr-num);
++ if(c->ssl_ptr==BUFFSIZE) /* buffer was previously full */
++ check_SSL_pending=1; /* check for data buffered by SSL */
++ c->ssl_ptr-=num;
++ c->sock_bytes+=num;
++ watchdog=0; /* reset watchdog */
++ }
++ }
++
++ /****************************** write to SSL */
++ if((SSL_write_wants_read && ssl_can_rd) ||
++ (SSL_write_wants_write && ssl_can_wr)) {
++ SSL_write_wants_read=0;
++ num=SSL_write(c->ssl, c->sock_buff, c->sock_ptr);
++ switch(err=SSL_get_error(c->ssl, num)) {
++ case SSL_ERROR_NONE:
++ memmove(c->sock_buff, c->sock_buff+num, c->sock_ptr-num);
++ c->sock_ptr-=num;
++ c->ssl_bytes+=num;
++ watchdog=0; /* reset watchdog */
++ break;
++ case SSL_ERROR_WANT_WRITE: /* nothing unexpected */
++ break;
++ case SSL_ERROR_WANT_READ:
++ s_log(LOG_DEBUG, "SSL_write returned WANT_READ: retrying");
++ SSL_write_wants_read=1;
++ break;
++ case SSL_ERROR_WANT_X509_LOOKUP:
++ s_log(LOG_DEBUG,
++ "SSL_write returned WANT_X509_LOOKUP: retrying");
++ break;
++ case SSL_ERROR_SYSCALL: /* socket error */
++ if(!num) { /* EOF */
++ if(c->sock_ptr) {
++ s_log(LOG_ERR,
++ "SSL socket closed on SSL_write "
++ "with %d byte(s) in buffer",
++ c->sock_ptr);
++ longjmp(c->err, 1); /* reset the socket */
++ }
++ s_log(LOG_DEBUG, "SSL socket closed on SSL_write");
++ ssl_rd=ssl_wr=0; /* buggy or SSLv2 peer: no close_notify */
++ } else
++ parse_socket_error(c, "SSL_write");
++ break;
++ case SSL_ERROR_ZERO_RETURN: /* close_notify received */
++ s_log(LOG_DEBUG, "SSL closed on SSL_write");
++ ssl_rd=0;
++ break;
++ case SSL_ERROR_SSL:
++ sslerror("SSL_write");
++ longjmp(c->err, 1);
++ default:
++ s_log(LOG_ERR, "SSL_write/SSL_get_error returned %d", err);
++ longjmp(c->err, 1);
++ }
++ }
++
++ /****************************** read from socket */
++ if(sock_rd && sock_can_rd) {
++ num=readsocket(c->sock_rfd->fd,
++ c->sock_buff+c->sock_ptr, BUFFSIZE-c->sock_ptr);
++ switch(num) {
++ case -1:
++ parse_socket_error(c, "readsocket");
++ break;
++ case 0: /* close */
++ s_log(LOG_DEBUG, "Socket closed on read");
++ sock_rd=0;
++ break;
++ default:
++ c->sock_ptr+=num;
++ watchdog=0; /* reset watchdog */
++ }
++ }
++
++ /****************************** read from SSL */
++ if((SSL_read_wants_read && ssl_can_rd) ||
++ (SSL_read_wants_write && ssl_can_wr) ||
++ (check_SSL_pending && SSL_pending(c->ssl))) {
++ SSL_read_wants_write=0;
++ num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr);
++ switch(err=SSL_get_error(c->ssl, num)) {
++ case SSL_ERROR_NONE:
++ c->ssl_ptr+=num;
++ watchdog=0; /* reset watchdog */
++ break;
++ case SSL_ERROR_WANT_WRITE:
++ s_log(LOG_DEBUG, "SSL_read returned WANT_WRITE: retrying");
++ SSL_read_wants_write=1;
++ break;
++ case SSL_ERROR_WANT_READ: /* nothing unexpected */
++ break;
++ case SSL_ERROR_WANT_X509_LOOKUP:
++ s_log(LOG_DEBUG,
++ "SSL_read returned WANT_X509_LOOKUP: retrying");
++ break;
++ case SSL_ERROR_SYSCALL:
++ if(!num) { /* EOF */
++ if(c->sock_ptr) {
++ s_log(LOG_ERR,
++ "SSL socket closed on SSL_read "
++ "with %d byte(s) in buffer",
++ c->sock_ptr);
++ longjmp(c->err, 1); /* reset the socket */
++ }
++ s_log(LOG_DEBUG, "SSL socket closed on SSL_read");
++ ssl_rd=ssl_wr=0; /* buggy or SSLv2 peer: no close_notify */
++ } else
++ parse_socket_error(c, "SSL_read");
++ break;
++ case SSL_ERROR_ZERO_RETURN: /* close_notify received */
++ s_log(LOG_DEBUG, "SSL closed on SSL_read");
++ ssl_rd=0;
++ break;
++ case SSL_ERROR_SSL:
++ sslerror("SSL_read");
++ longjmp(c->err, 1);
++ default:
++ s_log(LOG_ERR, "SSL_read/SSL_get_error returned %d", err);
++ longjmp(c->err, 1);
++ }
++ }
++
++ /****************************** check write shutdown conditions */
++ if(sock_wr && !ssl_rd && !c->ssl_ptr) {
++ s_log(LOG_DEBUG, "Socket write shutdown");
++ sock_wr=0; /* no further write allowed */
++ shutdown(c->sock_wfd->fd, SHUT_WR); /* send TCP FIN */
++ }
++ if(ssl_wr && !sock_rd && !c->sock_ptr) {
++ s_log(LOG_DEBUG, "SSL write shutdown");
++ ssl_wr=0; /* no further write allowed */
++ if(strcmp(SSL_get_version(c->ssl), "SSLv2")) { /* SSLv3, TLSv1 */
++ SSL_shutdown_wants_write=1; /* initiate close_notify */
++ } else { /* no alerts in SSLv2 including close_notify alert */
++ shutdown(c->sock_rfd->fd, SHUT_RD); /* notify the kernel */
++ shutdown(c->sock_wfd->fd, SHUT_WR); /* send TCP FIN */
++ SSL_set_shutdown(c->ssl, /* notify the OpenSSL library */
++ SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
++ ssl_rd=0; /* no further read allowed */
++ }
++ }
++
++ /****************************** check watchdog */
++ if(++watchdog>100) { /* loop executes without transferring any data */
++ s_log(LOG_ERR,
++ "transfer() loop executes not transferring any data");
++ s_log(LOG_ERR,
++ "please report the problem to Michal.Trojnara@mirt.net");
++ s_log(LOG_ERR, "socket open: rd=%s wr=%s, ssl open: rd=%s wr=%s",
++ sock_rd ? "yes" : "no", sock_wr ? "yes" : "no",
++ ssl_rd ? "yes" : "no", ssl_wr ? "yes" : "no");
++ s_log(LOG_ERR, "socket ready: rd=%s wr=%s, ssl ready: rd=%s wr=%s",
++ sock_can_rd ? "yes" : "no", sock_can_wr ? "yes" : "no",
++ ssl_can_rd ? "yes" : "no", ssl_can_wr ? "yes" : "no");
++ s_log(LOG_ERR,
++ "wants: SSL_read rd=%s wr=%s, "
++ "SSL_write rd=%s wr=%s, "
++ "SSL_shutdown rd=%s wr=%s",
++ SSL_read_wants_read ? "yes" : "no",
++ SSL_read_wants_write ? "yes" : "no",
++ SSL_write_wants_read ? "yes" : "no",
++ SSL_write_wants_write ? "yes" : "no",
++ SSL_shutdown_wants_read ? "yes" : "no",
++ SSL_shutdown_wants_write ? "yes" : "no");
++ s_log(LOG_ERR, "socket input buffer: %d byte(s), "
++ "ssl input buffer: %d byte(s)", c->sock_ptr, c->ssl_ptr);
++ s_log(LOG_ERR, "check_SSL_pending=%d", check_SSL_pending);
++ longjmp(c->err, 1);
++ }
++
++ } while(sock_wr || ssl_wr ||
++ SSL_shutdown_wants_read || SSL_shutdown_wants_write);
++}
++
++static void parse_socket_error(CLI *c, const char *text) {
++ switch(get_last_socket_error()) {
++ case EINTR:
++ s_log(LOG_DEBUG, "%s interrupted by a signal: retrying", text);
++ return;
++ case EWOULDBLOCK:
++ s_log(LOG_NOTICE, "%s would block: retrying", text);
++ sleep(1); /* Microsoft bug KB177346 */
++ return;
++#if EAGAIN!=EWOULDBLOCK
++ case EAGAIN:
++ s_log(LOG_DEBUG, "%s temporary lack of resources: retrying", text);
++ return;
++#endif
++ default:
++ sockerror(text);
++ longjmp(c->err, 1);
++ }
++}
++
++static void print_cipher(CLI *c) { /* print negotiated cipher */
++#if SSLEAY_VERSION_NUMBER <= 0x0800
++ s_log(LOG_INFO, "%s opened with SSLv%d, cipher %s",
++ c->opt->servname, ssl->session->ssl_version, SSL_get_cipher(c->ssl));
++#else
++ SSL_CIPHER *cipher;
++ char buf[STRLEN], *i, *j;
++
++ cipher=(SSL_CIPHER *)SSL_get_current_cipher(c->ssl);
++ SSL_CIPHER_description(cipher, buf, STRLEN);
++ i=j=buf;
++ do {
++ switch(*i) {
++ case ' ':
++ *j++=' ';
++ while(i[1]==' ')
++ ++i;
++ break;
++ case '\n':
++ break;
++ default:
++ *j++=*i;
++ }
++ } while(*i++);
++ s_log(LOG_INFO, "Negotiated ciphers: %s", buf);
++#endif
++}
++
++static void auth_user(CLI *c) {
++#ifndef _WIN32_WCE
++ struct servent *s_ent; /* structure for getservbyname */
++#endif
++ SOCKADDR_UNION ident; /* IDENT socket name */
++ char name[STRLEN];
++
++ if(!c->opt->username)
++ return; /* -u option not specified */
++ if((c->fd=
++ socket(c->peer_addr.addr[0].sa.sa_family, SOCK_STREAM, 0))<0) {
++ sockerror("socket (auth_user)");
++ longjmp(c->err, 1);
++ }
++ if(alloc_fd(c->fd))
++ longjmp(c->err, 1);
++ memcpy(&ident, &c->peer_addr.addr[0], sizeof ident);
++#ifndef _WIN32_WCE
++ s_ent=getservbyname("auth", "tcp");
++ if(s_ent) {
++ ident.in.sin_port=s_ent->s_port;
++ } else
++#endif
++ {
++ s_log(LOG_WARNING, "Unknown service 'auth': using default 113");
++ ident.in.sin_port=htons(113);
++ }
++ if(connect_blocking(c, &ident, addr_len(ident)))
++ longjmp(c->err, 1);
++ s_log(LOG_DEBUG, "IDENT server connected");
++ fdprintf(c, c->fd, "%u , %u",
++ ntohs(c->peer_addr.addr[0].in.sin_port),
++ ntohs(c->opt->local_addr.addr[0].in.sin_port));
++ if(fdscanf(c, c->fd, "%*[^:]: USERID :%*[^:]:%s", name)!=1) {
++ s_log(LOG_ERR, "Incorrect data from IDENT server");
++ longjmp(c->err, 1);
++ }
++ closesocket(c->fd);
++ c->fd=-1; /* avoid double close on cleanup */
++ if(strcmp(name, c->opt->username)) {
++ safestring(name);
++ s_log(LOG_WARNING, "Connection from %s REFUSED by IDENT (user %s)",
++ c->accepted_address, name);
++ longjmp(c->err, 1);
++ }
++ s_log(LOG_INFO, "IDENT authentication passed");
++}
++
++static int connect_local(CLI *c) { /* spawn local process */
++#if defined (USE_WIN32) || defined (__vms)
++ s_log(LOG_ERR, "LOCAL MODE NOT SUPPORTED ON WIN32 and OpenVMS PLATFORM");
++ longjmp(c->err, 1);
++ return -1; /* some C compilers require a return value */
++#else /* USE_WIN32, __vms */
++ char env[3][STRLEN], name[STRLEN], *portname;
++ int fd[2], pid;
++ X509 *peer;
++#ifdef HAVE_PTHREAD_SIGMASK
++ sigset_t newmask;
++#endif
++
++ if (c->opt->option.pty) {
++ char tty[STRLEN];
++
++ if(pty_allocate(fd, fd+1, tty, STRLEN))
++ longjmp(c->err, 1);
++ s_log(LOG_DEBUG, "%s allocated", tty);
++ } else
++ make_sockets(c, fd);
++ pid=fork();
++ c->pid=(unsigned long)pid;
++ switch(pid) {
++ case -1: /* error */
++ closesocket(fd[0]);
++ closesocket(fd[1]);
++ ioerror("fork");
++ longjmp(c->err, 1);
++ case 0: /* child */
++ closesocket(fd[0]);
++ dup2(fd[1], 0);
++ dup2(fd[1], 1);
++ if(!options.option.foreground)
++ dup2(fd[1], 2);
++ closesocket(fd[1]);
++ safecopy(env[0], "REMOTE_HOST=");
++ safeconcat(env[0], c->accepted_address);
++ portname=strrchr(env[0], ':');
++ if(portname) /* strip the port name */
++ *portname='\0';
++ putenv(env[0]);
++ if(c->opt->option.transparent) {
++ putenv("LD_PRELOAD=" LIBDIR "/libstunnel.so");
++ /* For Tru64 _RLD_LIST is used instead */
++ putenv("_RLD_LIST=" LIBDIR "/libstunnel.so:DEFAULT");
++ }
++ if(c->ssl) {
++ peer=SSL_get_peer_certificate(c->ssl);
++ if(peer) {
++ safecopy(env[1], "SSL_CLIENT_DN=");
++ X509_NAME_oneline(X509_get_subject_name(peer), name, STRLEN);
++ safestring(name);
++ safeconcat(env[1], name);
++ putenv(env[1]);
++ safecopy(env[2], "SSL_CLIENT_I_DN=");
++ X509_NAME_oneline(X509_get_issuer_name(peer), name, STRLEN);
++ safestring(name);
++ safeconcat(env[2], name);
++ putenv(env[2]);
++ X509_free(peer);
++ }
++ }
++#ifdef HAVE_PTHREAD_SIGMASK
++ sigemptyset(&newmask);
++ sigprocmask(SIG_SETMASK, &newmask, NULL);
++#endif
++ execvp(c->opt->execname, c->opt->execargs);
++ ioerror(c->opt->execname); /* execv failed */
++ _exit(1);
++ default:
++ break;
++ }
++ /* parent */
++ s_log(LOG_INFO, "Local mode child started (PID=%lu)", c->pid);
++ closesocket(fd[1]);
++#ifdef FD_CLOEXEC
++ fcntl(fd[0], F_SETFD, FD_CLOEXEC);
++#endif
++ return fd[0];
++#endif /* USE_WIN32,__vms */
++}
++
++#ifndef USE_WIN32
++
++static void make_sockets(CLI *c, int fd[2]) { /* make a pair of connected sockets */
++#ifdef INET_SOCKET_PAIR
++ SOCKADDR_UNION addr;
++ socklen_t addrlen;
++ int s; /* temporary socket awaiting for connection */
++
++ if((s=socket(AF_INET, SOCK_STREAM, 0))<0) {
++ sockerror("socket#1");
++ longjmp(c->err, 1);
++ }
++ if((fd[1]=socket(AF_INET, SOCK_STREAM, 0))<0) {
++ sockerror("socket#2");
++ longjmp(c->err, 1);
++ }
++ addrlen=sizeof addr;
++ memset(&addr, 0, addrlen);
++ addr.in.sin_family=AF_INET;
++ addr.in.sin_addr.s_addr=htonl(INADDR_LOOPBACK);
++ addr.in.sin_port=htons(0); /* dynamic port allocation */
++ if(bind(s, &addr.sa, addrlen))
++ log_error(LOG_DEBUG, get_last_socket_error(), "bind#1");
++ if(bind(fd[1], &addr.sa, addrlen))
++ log_error(LOG_DEBUG, get_last_socket_error(), "bind#2");
++ if(listen(s, 5)) {
++ sockerror("listen");
++ longjmp(c->err, 1);
++ }
++ if(getsockname(s, &addr.sa, &addrlen)) {
++ sockerror("getsockname");
++ longjmp(c->err, 1);
++ }
++ if(connect(fd[1], &addr.sa, addrlen)) {
++ sockerror("connect");
++ longjmp(c->err, 1);
++ }
++ if((fd[0]=accept(s, &addr.sa, &addrlen))<0) {
++ sockerror("accept");
++ longjmp(c->err, 1);
++ }
++ closesocket(s); /* don't care about the result */
++#else
++ if(socketpair(AF_UNIX, SOCK_STREAM, 0, fd)) {
++ sockerror("socketpair");
++ longjmp(c->err, 1);
++ }
++#endif
++}
++#endif
++
++static int connect_remote(CLI *c) { /* connect to remote host */
++ SOCKADDR_UNION addr;
++ SOCKADDR_LIST resolved_list, *address_list;
++ int fd, ind_try, ind_cur;
++
++ /* setup address_list */
++ if(c->opt->option.delayed_lookup) {
++ resolved_list.num=0;
++ if(!name2addrlist(&resolved_list,
++ c->opt->remote_address, DEFAULT_LOOPBACK)) {
++ s_log(LOG_ERR, "No host resolved");
++ longjmp(c->err, 1);
++ }
++ address_list=&resolved_list;
++ } else /* use pre-resolved addresses */
++ address_list=&c->opt->remote_addr;
++
++ /* try to connect each host from the list */
++ for(ind_try=0; ind_try<address_list->num; ind_try++) {
++ if(c->opt->failover==FAILOVER_RR) {
++ ind_cur=address_list->cur;
++ /* the race condition here can be safely ignored */
++ address_list->cur=(ind_cur+1)%address_list->num;
++ } else { /* FAILOVER_PRIO */
++ ind_cur=ind_try; /* ignore address_list->cur */
++ }
++ memcpy(&addr, address_list->addr+ind_cur, sizeof addr);
++
++ if((c->fd=socket(addr.sa.sa_family, SOCK_STREAM, 0))<0) {
++ sockerror("remote socket");
++ longjmp(c->err, 1);
++ }
++ if(alloc_fd(c->fd))
++ longjmp(c->err, 1);
++
++ if(c->bind_addr.num) /* explicit local bind or transparent proxy */
++ local_bind(c);
++
++ if(connect_blocking(c, &addr, addr_len(addr))) {
++ closesocket(c->fd);
++ c->fd=-1;
++ continue; /* next IP */
++ }
++ print_bound_address(c);
++ fd=c->fd;
++ c->fd=-1;
++ return fd; /* success! */
++ }
++ longjmp(c->err, 1);
++ return -1; /* some C compilers require a return value */
++}
++
++static void local_bind(CLI *c) {
++ SOCKADDR_UNION addr;
++
++#ifdef IP_TRANSPARENT
++ int on=1;
++ if(setsockopt(c->fd, SOL_IP, IP_TRANSPARENT, &on, sizeof on))
++ sockerror("setsockopt IP_TRANSPARENT");
++ /* ignore the error to retain Linux 2.2 compatibility */
++ /* the error will be handled by bind(), anyway */
++#endif /* IP_TRANSPARENT */
++
++ memcpy(&addr, &c->bind_addr.addr[0], sizeof addr);
++ if(ntohs(addr.in.sin_port)>=1024) { /* security check */
++ if(!bind(c->fd, &addr.sa, addr_len(addr))) {
++ s_log(LOG_INFO, "local_bind succeeded on the original port");
++ return; /* success */
++ }
++ if(get_last_socket_error()!=EADDRINUSE
++#ifndef USE_WIN32
++ || !c->opt->option.transparent
++#endif /* USE_WIN32 */
++ ) {
++ sockerror("local_bind (original port)");
++ longjmp(c->err, 1);
++ }
++ }
++
++ addr.in.sin_port=htons(0); /* retry with ephemeral port */
++ if(!bind(c->fd, &addr.sa, addr_len(addr))) {
++ s_log(LOG_INFO, "local_bind succeeded on an ephemeral port");
++ return; /* success */
++ }
++ sockerror("local_bind (ephemeral port)");
++ longjmp(c->err, 1);
++}
++
++static void print_bound_address(CLI *c) {
++ char txt[IPLEN];
++ SOCKADDR_UNION addr;
++ socklen_t addrlen=sizeof addr;
++
++ memset(&addr, 0, addrlen);
++ if(getsockname(c->fd, (struct sockaddr *)&addr, &addrlen)) {
++ sockerror("getsockname");
++ } else {
++ s_ntop(txt, &addr);
++ s_log(LOG_NOTICE,"%s connected remote server from %s",
++ c->opt->servname, txt);
++ }
++}
++
++static void reset(int fd, char *txt) {
++ /* Set lingering on a socket if needed*/
++ struct linger l;
++
++ l.l_onoff=1;
++ l.l_linger=0;
++ if(setsockopt(fd, SOL_SOCKET, SO_LINGER, (void *)&l, sizeof l))
++ log_error(LOG_DEBUG, get_last_socket_error(), txt);
++}
++
++/* End of client.c */
+--- a/src/common.h
++++ b/src/common.h
+@@ -53,6 +53,9 @@
+ /* I/O buffer size */
+ #define BUFFSIZE 16384
+
++/* maximum space reserved for header insertion in BUFFSIZE */
++#define BUFF_RESERVED 1024
++
+ /* Length of strings (including the terminating '\0' character) */
+ /* It can't be lower than 256 bytes or NTLM authentication will break */
+ #define STRLEN 256
+--- /dev/null
++++ b/src/common.h.orig
+@@ -0,0 +1,429 @@
++/*
++ * stunnel Universal SSL tunnel
++ * Copyright (C) 1998-2009 Michal Trojnara <Michal.Trojnara@mirt.net>
++ *
++ * This program is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by the
++ * Free Software Foundation; either version 2 of the License, or (at your
++ * option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
++ * See the GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License along
++ * with this program; if not, see <http://www.gnu.org/licenses>.
++ *
++ * Linking stunnel statically or dynamically with other modules is making
++ * a combined work based on stunnel. Thus, the terms and conditions of
++ * the GNU General Public License cover the whole combination.
++ *
++ * In addition, as a special exception, the copyright holder of stunnel
++ * gives you permission to combine stunnel with free software programs or
++ * libraries that are released under the GNU LGPL and with code included
++ * in the standard release of OpenSSL under the OpenSSL License (or
++ * modified versions of such code, with unchanged license). You may copy
++ * and distribute such a system following the terms of the GNU GPL for
++ * stunnel and the licenses of the other code concerned.
++ *
++ * Note that people who make modified versions of stunnel are not obligated
++ * to grant this special exception for their modified versions; it is their
++ * choice whether to do so. The GNU General Public License gives permission
++ * to release a modified version without this exception; this exception
++ * also makes it possible to release a modified version which carries
++ * forward this exception.
++ */
++
++#ifndef COMMON_H
++#define COMMON_H
++
++#ifndef VERSION
++#define VERSION "unknown"
++#endif
++
++/**************************************** Common constants */
++
++#define LIBWRAP_CLIENTS 5
++
++/* CPU stack size */
++#define DEFAULT_STACK_SIZE 65536
++/* #define DEBUG_STACK_SIZE */
++
++/* I/O buffer size */
++#define BUFFSIZE 16384
++
++/* Length of strings (including the terminating '\0' character) */
++/* It can't be lower than 256 bytes or NTLM authentication will break */
++#define STRLEN 256
++
++/* IP address and TCP port textual representation length */
++#define IPLEN 128
++
++/* How many bytes of random input to read from files for PRNG */
++/* OpenSSL likes at least 128 bits, so 64 bytes seems plenty. */
++#define RANDOM_BYTES 64
++
++/* For FormatGuard */
++/* #define __NO_FORMATGUARD_ */
++
++/**************************************** Platform */
++
++#ifdef USE_WIN32
++#define USE_IPv6
++/* #define USE_FIPS */
++#endif
++
++#ifdef _WIN32_WCE
++#define USE_WIN32
++typedef int socklen_t;
++#define EINTR WSAEINTR
++#define EMFILE WSAEMFILE
++#endif
++
++#ifdef USE_WIN32
++#define HAVE_OPENSSL
++#define HAVE_OSSL_ENGINE_H
++/* prevent including wincrypt.h, as it defines it's own OCSP_RESPONSE */
++#define __WINCRYPT_H__
++#endif
++
++/**************************************** Generic headers */
++
++#ifdef __vms
++#include <starlet.h>
++#endif /* __vms */
++
++/* For nsr-tandem-nsk architecture */
++#ifdef __TANDEM
++#include <floss.h>
++#endif
++
++/* threads model */
++#ifdef USE_UCONTEXT
++#define __MAKECONTEXT_V2_SOURCE
++#include <ucontext.h>
++#endif
++
++#ifdef USE_PTHREAD
++#define THREADS
++#define _REENTRANT
++#define _THREAD_SAFE
++#include <pthread.h>
++#endif
++
++/* TCP wrapper */
++#if HAVE_TCPD_H && HAVE_LIBWRAP
++#define USE_LIBWRAP
++#endif
++
++/* Must be included before sys/stat.h for Ultrix */
++#include <sys/types.h> /* u_short, u_long */
++/* General headers */
++#include <stdio.h>
++/* Must be included before sys/stat.h for Ultrix */
++#ifndef _WIN32_WCE
++#include <errno.h>
++#endif
++#include <stdlib.h>
++#include <stdarg.h> /* va_ */
++#include <string.h>
++#include <ctype.h> /* isalnum */
++#include <time.h>
++#include <sys/stat.h> /* stat */
++#include <setjmp.h>
++
++/**************************************** WIN32 headers */
++
++#ifdef USE_WIN32
++
++#ifndef HOST
++#ifdef __MINGW32__
++#define HOST "x86-pc-mingw32-gnu"
++#else
++#ifdef _MSC_VER
++#define _QUOTEME(x) #x
++#define QUOTEME(x) _QUOTEME(x)
++#define HOST "x86-pc-msvc-" ## QUOTEME(_MSC_VER)
++#else
++#define HOST "x86-pc-unknown"
++#endif
++#endif
++#endif
++
++typedef unsigned char u8;
++typedef unsigned short u16;
++typedef unsigned long u32;
++
++#define HAVE_SNPRINTF
++#define snprintf _snprintf
++#define HAVE_VSNPRINTF
++#define vsnprintf _vsnprintf
++#define strcasecmp _stricmp
++#define strncasecmp _strnicmp
++#define sleep(c) Sleep(1000*(c))
++
++#define get_last_socket_error() WSAGetLastError()
++#define get_last_error() GetLastError()
++#define readsocket(s,b,n) recv((s),(b),(n),0)
++#define writesocket(s,b,n) send((s),(b),(n),0)
++
++/* #define FD_SETSIZE 4096 */
++/* #define Win32_Winsock */
++#define __USE_W32_SOCKETS
++
++/* Winsock2 header for IPv6 definitions */
++#ifdef _WIN32_WCE
++#include <winsock.h>
++#else
++#include <winsock2.h>
++#include <ws2tcpip.h>
++#endif
++#include <windows.h>
++
++#define ECONNRESET WSAECONNRESET
++#define ENOTSOCK WSAENOTSOCK
++#define ENOPROTOOPT WSAENOPROTOOPT
++#define EINPROGRESS WSAEINPROGRESS
++#define EWOULDBLOCK WSAEWOULDBLOCK
++#define EISCONN WSAEISCONN
++#define EADDRINUSE WSAEADDRINUSE
++
++#ifdef EINVAL
++#undef EINVAL
++#endif
++#define EINVAL WSAEINVAL
++
++#include <process.h> /* _beginthread */
++#include <tchar.h>
++
++#define NO_IDEA
++#define OPENSSL_NO_IDEA
++
++/**************************************** non-WIN32 headers */
++
++#else /* USE_WIN32 */
++
++#if SIZEOF_UNSIGNED_CHAR == 1
++typedef unsigned char u8;
++#endif
++
++#if SIZEOF_UNSIGNED_SHORT == 2
++typedef unsigned short u16;
++#else
++typedef unsigned int u16;
++#endif
++
++#if SIZEOF_UNSIGNED_INT == 4
++typedef unsigned int u32;
++#else
++typedef unsigned long u32;
++#endif
++
++#ifdef __INNOTEK_LIBC__
++# define get_last_socket_error() sock_errno()
++# define get_last_error() errno
++# define readsocket(s,b,n) recv((s),(b),(n),0)
++# define writesocket(s,b,n) send((s),(b),(n),0)
++# define closesocket(s) close(s)
++# define ioctlsocket(a,b,c) so_ioctl((a),(b),(c))
++#else
++#define get_last_socket_error() errno
++#define get_last_error() errno
++#define readsocket(s,b,n) read((s),(b),(n))
++#define writesocket(s,b,n) write((s),(b),(n))
++#define closesocket(s) close(s)
++#define ioctlsocket(a,b,c) ioctl((a),(b),(c))
++#endif
++ /* OpenVMS compatibility */
++#ifdef __vms
++#define libdir "__NA__"
++#define PIDFILE "SYS$LOGIN:STUNNEL.PID"
++#ifdef __alpha
++#define HOST "alpha-openvms"
++#else
++#define HOST "vax-openvms"
++#endif
++#include <inet.h>
++#include <unistd.h>
++#else /* __vms */
++#include <syslog.h>
++#endif /* __vms */
++
++ /* Unix-specific headers */
++#include <signal.h> /* signal */
++#include <sys/wait.h> /* wait */
++#ifdef HAVE_SYS_RESOURCE_H
++#include <sys/resource.h> /* getrlimit */
++#endif
++#ifdef HAVE_UNISTD_H
++#include <unistd.h> /* getpid, fork, execvp, exit */
++#endif
++#ifdef HAVE_STROPTS_H
++#include <stropts.h>
++#endif
++#ifdef HAVE_SYS_SELECT_H
++#include <sys/select.h> /* for aix */
++#endif
++
++#ifndef BROKEN_POLL
++#ifdef HAVE_POLL_H
++#include <poll.h>
++#define USE_POLL
++#else /* HAVE_POLL_H */
++#ifdef HAVE_SYS_POLL_H
++#include <sys/poll.h>
++#define USE_POLL
++#endif /* HAVE_SYS_POLL_H */
++#endif /* HAVE_POLL_H */
++#endif /* BROKEN_POLL */
++
++#ifdef HAVE_SYS_FILIO_H
++#include <sys/filio.h> /* for FIONBIO */
++#endif
++#include <pwd.h>
++#ifdef HAVE_GRP_H
++#include <grp.h>
++#endif
++#ifdef __BEOS__
++#include <posix/grp.h>
++#endif
++#include <fcntl.h>
++
++#include <netinet/in.h> /* struct sockaddr_in */
++#include <sys/socket.h> /* getpeername */
++#include <arpa/inet.h> /* inet_ntoa */
++#include <sys/time.h> /* select */
++#include <sys/ioctl.h> /* ioctl */
++#include <netinet/tcp.h>
++#include <netdb.h>
++#ifndef INADDR_ANY
++#define INADDR_ANY (u32)0x00000000
++#endif
++#ifndef INADDR_LOOPBACK
++#define INADDR_LOOPBACK (u32)0x7F000001
++#endif
++
++#if defined(HAVE_WAITPID)
++/* For SYSV systems */
++#define wait_for_pid(a, b, c) waitpid((a), (b), (c))
++#define HAVE_WAIT_FOR_PID 1
++#elif defined(HAVE_WAIT4)
++/* For BSD systems */
++#define wait_for_pid(a, b, c) wait4((a), (b), (c), NULL)
++#define HAVE_WAIT_FOR_PID 1
++#endif
++
++/* SunOS 4 */
++#if defined(sun) && !defined(__svr4__) && !defined(__SVR4)
++#define atexit(a) on_exit((a), NULL)
++extern int sys_nerr;
++extern char *sys_errlist[];
++#define strerror(num) ((num)==0 ? "No error" : \
++ ((num)>=sys_nerr ? "Unknown error" : sys_errlist[num]))
++#endif /* SunOS 4 */
++
++/* AIX does not have SOL_TCP defined */
++#ifndef SOL_TCP
++#define SOL_TCP SOL_SOCKET
++#endif /* SOL_TCP */
++
++/* Linux */
++#ifdef __linux__
++#ifndef IP_TRANSPARENT
++/* old kernel headers without IP_TRANSPARENT definition */
++#define IP_TRANSPARENT 19
++#endif /* IP_TRANSPARENT */
++#endif /* __linux__ */
++
++#endif /* USE_WIN32 */
++
++/**************************************** OpenSSL headers */
++
++#ifdef HAVE_OPENSSL
++
++#define OPENSSL_THREAD_DEFINES
++#include <openssl/opensslconf.h>
++#if !defined(OPENSSL_THREADS) && defined(USE_PTHREAD)
++#error OpenSSL library compiled without thread support
++#endif /* !OPENSSL_THREADS && USE_PTHREAD */
++
++#include <openssl/lhash.h>
++#include <openssl/ssl.h>
++#include <openssl/err.h>
++#include <openssl/crypto.h> /* for CRYPTO_* and SSLeay_version */
++#include <openssl/rand.h>
++#include <openssl/md4.h>
++#include <openssl/des.h>
++
++#ifdef HAVE_OSSL_ENGINE_H
++#include <openssl/engine.h>
++#endif /* HAVE_OSSL_ENGINE_H */
++
++#if SSLEAY_VERSION_NUMBER >= 0x00907000L
++#include <openssl/ocsp.h>
++#endif /* OpenSSL-0.9.7 */
++
++#ifdef USE_FIPS
++#include <openssl/fips.h>
++#include <openssl/fips_rand.h>
++#endif /* USE_FIPS */
++
++#else /* HAVE_OPENSSL */
++
++#include <lhash.h>
++#include <ssl.h>
++#include <err.h>
++#include <crypto.h>
++#include <md4.h>
++#include <des.h>
++
++#endif /* HAVE_OPENSSL */
++
++/**************************************** Other defines */
++
++/* Safe copy for strings declarated as char[STRLEN] */
++#define safecopy(dst, src) \
++ (dst[STRLEN-1]='\0', strncpy((dst), (src), STRLEN-1))
++#define safeconcat(dst, src) \
++ (dst[STRLEN-1]='\0', strncat((dst), (src), STRLEN-strlen(dst)-1))
++/* change all non-printable characters to '.' */
++#define safestring(s) \
++ do {unsigned char *p; for(p=(unsigned char *)(s); *p; p++) \
++ if(!isprint((int)*p)) *p='.';} while(0)
++/* change all unsafe characters to '.' */
++#define safename(s) \
++ do {unsigned char *p; for(p=(s); *p; p++) \
++ if(!isalnum((int)*p)) *p='.';} while(0)
++
++/* Some definitions for IPv6 support */
++#if defined(USE_IPv6)
++#define addr_len(x) ((x).sa.sa_family==AF_INET ? \
++ sizeof(struct sockaddr_in) : sizeof(struct sockaddr_in6))
++#else
++#define addr_len(x) (sizeof(struct sockaddr_in))
++#endif
++
++/* Always use IPv4 defaults! */
++#define DEFAULT_LOOPBACK "127.0.0.1"
++#define DEFAULT_ANY "0.0.0.0"
++#if 0
++#define DEFAULT_LOOPBACK "::1"
++#define DEFAULT_ANY "::"
++#endif
++
++#if defined (USE_WIN32) || defined (__vms)
++#define LOG_EMERG 0
++#define LOG_ALERT 1
++#define LOG_CRIT 2
++#define LOG_ERR 3
++#define LOG_WARNING 4
++#define LOG_NOTICE 5
++#define LOG_INFO 6
++#define LOG_DEBUG 7
++#endif /* defined (USE_WIN32) || defined (__vms) */
++#define LOG_RAW -1
++
++#endif /* defined COMMON_H */
++
++/* End of common.h */
+--- a/src/options.c
++++ b/src/options.c
+@@ -781,6 +781,28 @@ static char *service_options(CMD cmd, LO
+ }
+ #endif
+
++ /* xforwardedfor */
++ switch(cmd) {
++ case CMD_INIT:
++ section->option.xforwardedfor=0;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "xforwardedfor"))
++ break;
++ if(!strcasecmp(arg, "yes"))
++ section->option.xforwardedfor=1;
++ else if(!strcasecmp(arg, "no"))
++ section->option.xforwardedfor=0;
++ else
++ return "argument should be either 'yes' or 'no'";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log("%-15s = yes|no append an HTTP X-Forwarded-For header","xforwardedfor");
++ break;
++ }
++
+ /* exec */
+ #ifndef USE_WIN32
+ switch(cmd) {
+--- /dev/null
++++ b/src/options.c.orig
+@@ -0,0 +1,1994 @@
++/*
++ * stunnel Universal SSL tunnel
++ * Copyright (C) 1998-2009 Michal Trojnara <Michal.Trojnara@mirt.net>
++ *
++ * This program is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by the
++ * Free Software Foundation; either version 2 of the License, or (at your
++ * option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
++ * See the GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License along
++ * with this program; if not, see <http://www.gnu.org/licenses>.
++ *
++ * Linking stunnel statically or dynamically with other modules is making
++ * a combined work based on stunnel. Thus, the terms and conditions of
++ * the GNU General Public License cover the whole combination.
++ *
++ * In addition, as a special exception, the copyright holder of stunnel
++ * gives you permission to combine stunnel with free software programs or
++ * libraries that are released under the GNU LGPL and with code included
++ * in the standard release of OpenSSL under the OpenSSL License (or
++ * modified versions of such code, with unchanged license). You may copy
++ * and distribute such a system following the terms of the GNU GPL for
++ * stunnel and the licenses of the other code concerned.
++ *
++ * Note that people who make modified versions of stunnel are not obligated
++ * to grant this special exception for their modified versions; it is their
++ * choice whether to do so. The GNU General Public License gives permission
++ * to release a modified version without this exception; this exception
++ * also makes it possible to release a modified version which carries
++ * forward this exception.
++ */
++
++#include "common.h"
++#include "prototypes.h"
++
++#if defined(_WIN32_WCE) && !defined(CONFDIR)
++#define CONFDIR "\\stunnel"
++#endif
++
++#ifdef USE_WIN32
++#define CONFSEPARATOR "\\"
++#else
++#define CONFSEPARATOR "/"
++#endif
++
++#define CONFLINELEN (16*1024)
++
++static void section_validate(char *, int, LOCAL_OPTIONS *, int);
++static void config_error(char *, int, char *);
++static char *stralloc(char *);
++#ifndef USE_WIN32
++static char **argalloc(char *);
++#endif
++
++static int parse_debug_level(char *);
++static int parse_ssl_option(char *);
++static int print_socket_options(void);
++static void print_option(char *, int, OPT_UNION *);
++static int parse_socket_option(char *);
++static char *parse_ocsp_url(LOCAL_OPTIONS *, char *);
++static unsigned long parse_ocsp_flag(char *);
++
++GLOBAL_OPTIONS options;
++LOCAL_OPTIONS local_options;
++
++typedef enum {
++ CMD_INIT, /* initialize */
++ CMD_EXEC,
++ CMD_DEFAULT,
++ CMD_HELP
++} CMD;
++
++static char *option_not_found=
++ "Specified option name is not valid here";
++
++static char *global_options(CMD cmd, char *opt, char *arg) {
++ char *tmpstr;
++#ifndef USE_WIN32
++ struct group *gr;
++ struct passwd *pw;
++#endif
++
++ if(cmd==CMD_DEFAULT || cmd==CMD_HELP) {
++ s_log(LOG_RAW, "Global options");
++ }
++
++ /* chroot */
++#ifdef HAVE_CHROOT
++ switch(cmd) {
++ case CMD_INIT:
++ options.chroot_dir=NULL;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "chroot"))
++ break;
++ options.chroot_dir=stralloc(arg);
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = directory to chroot stunnel process", "chroot");
++ break;
++ }
++#endif /* HAVE_CHROOT */
++
++ /* compression */
++ switch(cmd) {
++ case CMD_INIT:
++ options.compression=COMP_NONE;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "compression"))
++ break;
++ if(!strcasecmp(arg, "zlib"))
++ options.compression=COMP_ZLIB;
++ else if(!strcasecmp(arg, "rle"))
++ options.compression=COMP_RLE;
++ else
++ return "Compression type should be either 'zlib' or 'rle'";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = zlib|rle compression type",
++ "compression");
++ break;
++ }
++
++ /* debug */
++ switch(cmd) {
++ case CMD_INIT:
++ options.debug_level=5;
++#if !defined (USE_WIN32) && !defined (__vms)
++ options.facility=LOG_DAEMON;
++#endif
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "debug"))
++ break;
++ if(!parse_debug_level(arg))
++ return "Illegal debug argument";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ s_log(LOG_RAW, "%-15s = %d", "debug", options.debug_level);
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = [facility].level (e.g. daemon.info)", "debug");
++ break;
++ }
++
++ /* EGD is only supported when compiled with OpenSSL 0.9.5a or later */
++#if SSLEAY_VERSION_NUMBER >= 0x0090581fL
++ switch(cmd) {
++ case CMD_INIT:
++ options.egd_sock=NULL;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "EGD"))
++ break;
++ options.egd_sock=stralloc(arg);
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++#ifdef EGD_SOCKET
++ s_log(LOG_RAW, "%-15s = %s", "EGD", EGD_SOCKET);
++#endif
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = path to Entropy Gathering Daemon socket", "EGD");
++ break;
++ }
++#endif /* OpenSSL 0.9.5a */
++
++#ifdef HAVE_OSSL_ENGINE_H
++ /* engine */
++ switch(cmd) {
++ case CMD_INIT:
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "engine"))
++ break;
++ open_engine(arg);
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = auto|engine_id",
++ "engine");
++ break;
++ }
++
++ /* engineCtrl */
++ switch(cmd) {
++ case CMD_INIT:
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "engineCtrl"))
++ break;
++ tmpstr=strchr(arg, ':');
++ if(tmpstr)
++ *tmpstr++='\0';
++ ctrl_engine(arg, tmpstr);
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = cmd[:arg]",
++ "engineCtrl");
++ break;
++ }
++#endif
++
++ /* fips */
++#ifdef USE_FIPS
++ switch(cmd) {
++ case CMD_INIT:
++ options.option.fips=1;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "fips"))
++ break;
++ if(!strcasecmp(arg, "yes"))
++ options.option.fips=1;
++ else if(!strcasecmp(arg, "no"))
++ options.option.fips=0;
++ else
++ return "Argument should be either 'yes' or 'no'";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = yes|no FIPS 140-2 mode",
++ "fips");
++ break;
++ }
++#endif /* USE_FIPS */
++
++ /* foreground */
++#ifndef USE_WIN32
++ switch(cmd) {
++ case CMD_INIT:
++ options.option.foreground=0;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "foreground"))
++ break;
++ if(!strcasecmp(arg, "yes"))
++ options.option.foreground=1;
++ else if(!strcasecmp(arg, "no"))
++ options.option.foreground=0;
++ else
++ return "Argument should be either 'yes' or 'no'";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = yes|no foreground mode (don't fork, log to stderr)",
++ "foreground");
++ break;
++ }
++#endif
++
++ /* output */
++ switch(cmd) {
++ case CMD_INIT:
++ options.output_file=NULL;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "output"))
++ break;
++ options.output_file=stralloc(arg);
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = file to append log messages", "output");
++ break;
++ }
++
++ /* pid */
++#ifndef USE_WIN32
++ switch(cmd) {
++ case CMD_INIT:
++ options.pidfile=PIDFILE;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "pid"))
++ break;
++ if(arg[0]) /* is argument not empty? */
++ options.pidfile=stralloc(arg);
++ else
++ options.pidfile=NULL; /* empty -> do not create a pid file */
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ s_log(LOG_RAW, "%-15s = %s", "pid", PIDFILE);
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = pid file (empty to disable creating)", "pid");
++ break;
++ }
++#endif
++
++ /* RNDbytes */
++ switch(cmd) {
++ case CMD_INIT:
++ options.random_bytes=RANDOM_BYTES;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "RNDbytes"))
++ break;
++ options.random_bytes=atoi(arg);
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ s_log(LOG_RAW, "%-15s = %d", "RNDbytes", RANDOM_BYTES);
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = bytes to read from random seed files", "RNDbytes");
++ break;
++ }
++
++ /* RNDfile */
++ switch(cmd) {
++ case CMD_INIT:
++ options.rand_file=NULL;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "RNDfile"))
++ break;
++ options.rand_file=stralloc(arg);
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++#ifdef RANDOM_FILE
++ s_log(LOG_RAW, "%-15s = %s", "RNDfile", RANDOM_FILE);
++#endif
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = path to file with random seed data", "RNDfile");
++ break;
++ }
++
++ /* RNDoverwrite */
++ switch(cmd) {
++ case CMD_INIT:
++ options.option.rand_write=1;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "RNDoverwrite"))
++ break;
++ if(!strcasecmp(arg, "yes"))
++ options.option.rand_write=1;
++ else if(!strcasecmp(arg, "no"))
++ options.option.rand_write=0;
++ else
++ return "Argument should be either 'yes' or 'no'";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ s_log(LOG_RAW, "%-15s = yes", "RNDoverwrite");
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = yes|no overwrite seed datafiles with new random data",
++ "RNDoverwrite");
++ break;
++ }
++
++ /* service */
++ switch(cmd) {
++ case CMD_INIT:
++ local_options.servname=stralloc("stunnel");
++#if defined(USE_WIN32) && !defined(_WIN32_WCE)
++ options.win32_service="stunnel";
++#endif
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "service"))
++ break;
++ local_options.servname=stralloc(arg);
++#if defined(USE_WIN32) && !defined(_WIN32_WCE)
++ options.win32_service=stralloc(arg);
++#endif
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++#if defined(USE_WIN32) && !defined(_WIN32_WCE)
++ s_log(LOG_RAW, "%-15s = %s", "service", options.win32_service);
++#endif
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = service name", "service");
++ break;
++ }
++
++#ifndef USE_WIN32
++ /* setgid */
++ switch(cmd) {
++ case CMD_INIT:
++ options.gid=0;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "setgid"))
++ break;
++ gr=getgrnam(arg);
++ if(gr)
++ options.gid=gr->gr_gid;
++ else if(atoi(arg)) /* numerical? */
++ options.gid=atoi(arg);
++ else
++ return "Illegal GID";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = groupname for setgid()", "setgid");
++ break;
++ }
++#endif
++
++#ifndef USE_WIN32
++ /* setuid */
++ switch(cmd) {
++ case CMD_INIT:
++ options.uid=0;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "setuid"))
++ break;
++ pw=getpwnam(arg);
++ if(pw)
++ options.uid=pw->pw_uid;
++ else if(atoi(arg)) /* numerical? */
++ options.uid=atoi(arg);
++ else
++ return "Illegal UID";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = username for setuid()", "setuid");
++ break;
++ }
++#endif
++
++ /* socket */
++ switch(cmd) {
++ case CMD_INIT:
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "socket"))
++ break;
++ if(!parse_socket_option(arg))
++ return "Illegal socket option";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = a|l|r:option=value[:value]", "socket");
++ s_log(LOG_RAW, "%18sset an option on accept/local/remote socket", "");
++ break;
++ }
++
++ /* syslog */
++#ifndef USE_WIN32
++ switch(cmd) {
++ case CMD_INIT:
++ options.option.syslog=1;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "syslog"))
++ break;
++ if(!strcasecmp(arg, "yes"))
++ options.option.syslog=1;
++ else if(!strcasecmp(arg, "no"))
++ options.option.syslog=0;
++ else
++ return "Argument should be either 'yes' or 'no'";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = yes|no send logging messages to syslog",
++ "syslog");
++ break;
++ }
++#endif
++
++ /* taskbar */
++#ifdef USE_WIN32
++ switch(cmd) {
++ case CMD_INIT:
++ options.option.taskbar=1;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "taskbar"))
++ break;
++ if(!strcasecmp(arg, "yes"))
++ options.option.taskbar=1;
++ else if(!strcasecmp(arg, "no"))
++ options.option.taskbar=0;
++ else
++ return "Argument should be either 'yes' or 'no'";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ s_log(LOG_RAW, "%-15s = yes", "taskbar");
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = yes|no enable the taskbar icon", "taskbar");
++ break;
++ }
++#endif
++
++ if(cmd==CMD_EXEC)
++ return option_not_found;
++ return NULL; /* OK */
++}
++
++static char *service_options(CMD cmd, LOCAL_OPTIONS *section,
++ char *opt, char *arg) {
++ int tmpnum;
++
++ if(cmd==CMD_DEFAULT || cmd==CMD_HELP) {
++ s_log(LOG_RAW, " ");
++ s_log(LOG_RAW, "Service-level options");
++ }
++
++ /* accept */
++ switch(cmd) {
++ case CMD_INIT:
++ section->option.accept=0;
++ memset(§ion->local_addr, 0, sizeof(SOCKADDR_LIST));
++ section->local_addr.addr[0].in.sin_family=AF_INET;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "accept"))
++ break;
++ section->option.accept=1;
++ if(!name2addrlist(§ion->local_addr, arg, DEFAULT_ANY))
++ return "Failed to resolve accepting address";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = [host:]port accept connections on specified host:port",
++ "accept");
++ break;
++ }
++
++ /* CApath */
++ switch(cmd) {
++ case CMD_INIT:
++#if 0
++ section->ca_dir=(char *)X509_get_default_cert_dir();
++#endif
++ section->ca_dir=NULL;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "CApath"))
++ break;
++ if(arg[0]) /* not empty */
++ section->ca_dir=stralloc(arg);
++ else
++ section->ca_dir=NULL;
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++#if 0
++ s_log(LOG_RAW, "%-15s = %s", "CApath",
++ section->ca_dir ? section->ca_dir : "(none)");
++#endif
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = CA certificate directory for 'verify' option",
++ "CApath");
++ break;
++ }
++
++ /* CAfile */
++ switch(cmd) {
++ case CMD_INIT:
++#if 0
++ section->ca_file=(char *)X509_get_default_certfile();
++#endif
++ section->ca_file=NULL;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "CAfile"))
++ break;
++ if(arg[0]) /* not empty */
++ section->ca_file=stralloc(arg);
++ else
++ section->ca_file=NULL;
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++#if 0
++ s_log(LOG_RAW, "%-15s = %s", "CAfile",
++ section->ca_file ? section->ca_file : "(none)");
++#endif
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = CA certificate file for 'verify' option",
++ "CAfile");
++ break;
++ }
++
++ /* cert */
++ switch(cmd) {
++ case CMD_INIT:
++#ifdef CONFDIR
++ section->cert=CONFDIR CONFSEPARATOR "stunnel.pem";
++#else
++ section->cert="stunnel.pem";
++#endif
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "cert"))
++ break;
++ section->cert=stralloc(arg);
++ section->option.cert=1;
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ s_log(LOG_RAW, "%-15s = %s", "cert", section->cert);
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = certificate chain", "cert");
++ break;
++ }
++
++ /* ciphers */
++#ifdef USE_FIPS
++#define STUNNEL_DEFAULT_CIPHER_LIST "FIPS"
++#else
++#define STUNNEL_DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST
++#endif /* USE_FIPS */
++ switch(cmd) {
++ case CMD_INIT:
++ section->cipher_list=STUNNEL_DEFAULT_CIPHER_LIST;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "ciphers"))
++ break;
++ section->cipher_list=stralloc(arg);
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ s_log(LOG_RAW, "%-15s = %s", "ciphers", STUNNEL_DEFAULT_CIPHER_LIST);
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = list of permitted SSL ciphers", "ciphers");
++ break;
++ }
++
++ /* client */
++ switch(cmd) {
++ case CMD_INIT:
++ section->option.client=0;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "client"))
++ break;
++ if(!strcasecmp(arg, "yes"))
++ section->option.client=1;
++ else if(!strcasecmp(arg, "no"))
++ section->option.client=0;
++ else
++ return "Argument should be either 'yes' or 'no'";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = yes|no client mode (remote service uses SSL)",
++ "client");
++ break;
++ }
++
++ /* connect */
++ switch(cmd) {
++ case CMD_INIT:
++ section->option.remote=0;
++ section->remote_address=NULL;
++ section->remote_addr.num=0;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "connect"))
++ break;
++ section->option.remote=1;
++ section->remote_address=stralloc(arg);
++ if(!section->option.delayed_lookup &&
++ !name2addrlist(§ion->remote_addr, arg, DEFAULT_LOOPBACK)) {
++ s_log(LOG_RAW, "Cannot resolve '%s' - delaying DNS lookup", arg);
++ section->option.delayed_lookup=1;
++ }
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = [host:]port connect remote host:port",
++ "connect");
++ break;
++ }
++
++ /* CRLpath */
++ switch(cmd) {
++ case CMD_INIT:
++ section->crl_dir=NULL;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "CRLpath"))
++ break;
++ if(arg[0]) /* not empty */
++ section->crl_dir=stralloc(arg);
++ else
++ section->crl_dir=NULL;
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = CRL directory", "CRLpath");
++ break;
++ }
++
++ /* CRLfile */
++ switch(cmd) {
++ case CMD_INIT:
++ section->crl_file=NULL;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "CRLfile"))
++ break;
++ if(arg[0]) /* not empty */
++ section->crl_file=stralloc(arg);
++ else
++ section->crl_file=NULL;
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = CRL file", "CRLfile");
++ break;
++ }
++
++ /* delay */
++ switch(cmd) {
++ case CMD_INIT:
++ section->option.delayed_lookup=0;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "delay"))
++ break;
++ if(!strcasecmp(arg, "yes"))
++ section->option.delayed_lookup=1;
++ else if(!strcasecmp(arg, "no"))
++ section->option.delayed_lookup=0;
++ else
++ return "Argument should be either 'yes' or 'no'";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = yes|no delay DNS lookup for 'connect' option",
++ "delay");
++ break;
++ }
++
++#ifdef HAVE_OSSL_ENGINE_H
++ /* engineNum */
++ switch(cmd) {
++ case CMD_INIT:
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "engineNum"))
++ break;
++ section->engine=get_engine(atoi(arg));
++ if(!section->engine)
++ return "Illegal engine number";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = number of engine to read the key from",
++ "engineNum");
++ break;
++ }
++#endif
++
++ /* exec */
++#ifndef USE_WIN32
++ switch(cmd) {
++ case CMD_INIT:
++ section->option.program=0;
++ section->execname=NULL;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "exec"))
++ break;
++ section->option.program=1;
++ section->execname=stralloc(arg);
++ if(!section->execargs) {
++ section->execargs=calloc(2, sizeof(char *));
++ section->execargs[0]=section->execname;
++ section->execargs[1]=NULL; /* to show that it's null-terminated */
++ }
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = file execute local inetd-type program",
++ "exec");
++ break;
++ }
++#endif
++
++ /* execargs */
++#ifndef USE_WIN32
++ switch(cmd) {
++ case CMD_INIT:
++ section->execargs=NULL;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "execargs"))
++ break;
++ section->execargs=argalloc(arg);
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = arguments for 'exec' (including $0)",
++ "execargs");
++ break;
++ }
++#endif
++
++ /* failover */
++ switch(cmd) {
++ case CMD_INIT:
++ section->failover=FAILOVER_RR;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "failover"))
++ break;
++ if(!strcasecmp(arg, "rr"))
++ section->failover=FAILOVER_RR;
++ else if(!strcasecmp(arg, "prio"))
++ section->failover=FAILOVER_PRIO;
++ else
++ return "Argument should be either 'rr' or 'prio'";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = rr|prio chose failover strategy",
++ "failover");
++ break;
++ }
++
++ /* ident */
++ switch(cmd) {
++ case CMD_INIT:
++ section->username=NULL;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "ident"))
++ break;
++ section->username=stralloc(arg);
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = username for IDENT (RFC 1413) checking", "ident");
++ break;
++ }
++
++ /* key */
++ switch(cmd) {
++ case CMD_INIT:
++ section->key=NULL;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "key"))
++ break;
++ section->key=stralloc(arg);
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ s_log(LOG_RAW, "%-15s = %s", "key", section->cert); /* set in stunnel.c */
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = certificate private key", "key");
++ break;
++ }
++
++ /* local */
++ switch(cmd) {
++ case CMD_INIT:
++ memset(§ion->source_addr, 0, sizeof(SOCKADDR_LIST));
++ section->source_addr.addr[0].in.sin_family=AF_INET;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "local"))
++ break;
++ if(!hostport2addrlist(§ion->source_addr, arg, "0"))
++ return "Failed to resolve local address";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = IP address to be used as source for remote"
++ " connections", "local");
++ break;
++ }
++
++#if SSLEAY_VERSION_NUMBER >= 0x00907000L
++ /* OCSP */
++ switch(cmd) {
++ case CMD_INIT:
++ section->option.ocsp=0;
++ memset(§ion->ocsp_addr, 0, sizeof(SOCKADDR_LIST));
++ section->ocsp_addr.addr[0].in.sin_family=AF_INET;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "ocsp"))
++ break;
++ section->option.ocsp=1;
++ return parse_ocsp_url(section, arg);
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = OCSP server URL", "ocsp");
++ break;
++ }
++
++ /* OCSPflag */
++ switch(cmd) {
++ case CMD_INIT:
++ section->ocsp_flags=0;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "OCSPflag"))
++ break;
++ tmpnum=parse_ocsp_flag(arg);
++ if(!tmpnum)
++ return "Illegal OCSP flag";
++ section->ocsp_flags|=tmpnum;
++ return NULL;
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = OCSP server flags", "OCSPflag");
++ break;
++ }
++#endif /* OpenSSL-0.9.7 */
++
++ /* options */
++ switch(cmd) {
++ case CMD_INIT:
++ section->ssl_options=0;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "options"))
++ break;
++ tmpnum=parse_ssl_option(arg);
++ if(!tmpnum)
++ return "Illegal SSL option";
++ section->ssl_options|=tmpnum;
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = SSL option", "options");
++ s_log(LOG_RAW, "%18sset an SSL option", "");
++ break;
++ }
++
++ /* protocol */
++ switch(cmd) {
++ case CMD_INIT:
++ section->protocol=NULL;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "protocol"))
++ break;
++ section->protocol=stralloc(arg);
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = protocol to negotiate before SSL initialization",
++ "protocol");
++ s_log(LOG_RAW, "%18scurrently supported: cifs, connect, nntp, pop3, smtp", "");
++ break;
++ }
++
++ /* protocolAuthentication */
++ switch(cmd) {
++ case CMD_INIT:
++ section->protocol_authentication="basic";
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "protocolAuthentication"))
++ break;
++ section->protocol_authentication=stralloc(arg);
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = authentication type for protocol negotiations",
++ "protocolAuthentication");
++ break;
++ }
++
++ /* protocolHost */
++ switch(cmd) {
++ case CMD_INIT:
++ section->protocol_host=NULL;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "protocolHost"))
++ break;
++ section->protocol_host=stralloc(arg);
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = host:port for protocol negotiations",
++ "protocolHost");
++ break;
++ }
++
++ /* protocolPassword */
++ switch(cmd) {
++ case CMD_INIT:
++ section->protocol_password=NULL;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "protocolPassword"))
++ break;
++ section->protocol_password=stralloc(arg);
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = password for protocol negotiations",
++ "protocolPassword");
++ break;
++ }
++
++ /* protocolUsername */
++ switch(cmd) {
++ case CMD_INIT:
++ section->protocol_username=NULL;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "protocolUsername"))
++ break;
++ section->protocol_username=stralloc(arg);
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = username for protocol negotiations",
++ "protocolUsername");
++ break;
++ }
++
++ /* pty */
++#ifndef USE_WIN32
++ switch(cmd) {
++ case CMD_INIT:
++ section->option.pty=0;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "pty"))
++ break;
++ if(!strcasecmp(arg, "yes"))
++ section->option.pty=1;
++ else if(!strcasecmp(arg, "no"))
++ section->option.pty=0;
++ else
++ return "Argument should be either 'yes' or 'no'";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = yes|no allocate pseudo terminal for 'exec' option",
++ "pty");
++ break;
++ }
++#endif
++
++ /* retry */
++#ifndef USE_WIN32
++ switch(cmd) {
++ case CMD_INIT:
++ section->option.retry=0;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "retry"))
++ break;
++ if(!strcasecmp(arg, "yes"))
++ section->option.retry=1;
++ else if(!strcasecmp(arg, "no"))
++ section->option.retry=0;
++ else
++ return "Argument should be either 'yes' or 'no'";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = yes|no retry connect+exec section",
++ "retry");
++ break;
++ }
++#endif
++
++ /* session */
++ switch(cmd) {
++ case CMD_INIT:
++ section->session_timeout=300;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "session"))
++ break;
++ if(atoi(arg)>0)
++ section->session_timeout=atoi(arg);
++ else
++ return "Illegal session timeout";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ s_log(LOG_RAW, "%-15s = %ld seconds", "session", section->session_timeout);
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = session cache timeout (in seconds)", "session");
++ break;
++ }
++
++ /* sessiond */
++ switch(cmd) {
++ case CMD_INIT:
++ section->option.sessiond=0;
++ memset(§ion->sessiond_addr, 0, sizeof(SOCKADDR_LIST));
++ section->sessiond_addr.addr[0].in.sin_family=AF_INET;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "sessiond"))
++ break;
++ section->option.sessiond=1;
++#ifdef SSL_OP_NO_TICKET
++ /* disable RFC4507 support introduced in OpenSSL 0.9.8f */
++ /* this prevents session callbacks from beeing executed */
++ section->ssl_options|=SSL_OP_NO_TICKET;
++#endif
++ if(!name2addrlist(§ion->sessiond_addr, arg, DEFAULT_LOOPBACK))
++ return "Failed to resolve sessiond server address";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = [host:]port use sessiond at host:port",
++ "sessiond");
++ break;
++ }
++
++#ifndef USE_FORK
++ /* stack */
++ switch(cmd) {
++ case CMD_INIT:
++ section->stack_size=DEFAULT_STACK_SIZE;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "stack"))
++ break;
++ if(atoi(arg)>0)
++ section->stack_size=atoi(arg);
++ else
++ return "Illegal thread stack size";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ s_log(LOG_RAW, "%-15s = %d bytes", "stack", section->stack_size);
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = thread stack size (in bytes)", "stack");
++ break;
++ }
++#endif
++
++ /* sslVersion */
++ switch(cmd) {
++ case CMD_INIT:
++#ifdef USE_FIPS
++ section->client_method=(SSL_METHOD *)TLSv1_client_method();
++ section->server_method=(SSL_METHOD *)TLSv1_server_method();
++#else
++ section->client_method=(SSL_METHOD *)SSLv3_client_method();
++ section->server_method=(SSL_METHOD *)SSLv23_server_method();
++#endif
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "sslVersion"))
++ break;
++ if(!strcasecmp(arg, "all")) {
++ section->client_method=(SSL_METHOD *)SSLv23_client_method();
++ section->server_method=(SSL_METHOD *)SSLv23_server_method();
++ } else if(!strcasecmp(arg, "SSLv2")) {
++ section->client_method=(SSL_METHOD *)SSLv2_client_method();
++ section->server_method=(SSL_METHOD *)SSLv2_server_method();
++ } else if(!strcasecmp(arg, "SSLv3")) {
++ section->client_method=(SSL_METHOD *)SSLv3_client_method();
++ section->server_method=(SSL_METHOD *)SSLv3_server_method();
++ } else if(!strcasecmp(arg, "TLSv1")) {
++ section->client_method=(SSL_METHOD *)TLSv1_client_method();
++ section->server_method=(SSL_METHOD *)TLSv1_server_method();
++ } else
++ return "Incorrect version of SSL protocol";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++#ifdef USE_FIPS
++ s_log(LOG_RAW, "%-15s = TLSv1", "sslVersion");
++#else
++ s_log(LOG_RAW, "%-15s = SSLv3 for client, all for server", "sslVersion");
++#endif
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = all|SSLv2|SSLv3|TLSv1 SSL method", "sslVersion");
++ break;
++ }
++
++ /* TIMEOUTbusy */
++ switch(cmd) {
++ case CMD_INIT:
++ section->timeout_busy=300; /* 5 minutes */
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "TIMEOUTbusy"))
++ break;
++ if(atoi(arg)>0)
++ section->timeout_busy=atoi(arg);
++ else
++ return "Illegal busy timeout";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ s_log(LOG_RAW, "%-15s = %d seconds", "TIMEOUTbusy", section->timeout_busy);
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = seconds to wait for expected data", "TIMEOUTbusy");
++ break;
++ }
++
++ /* TIMEOUTclose */
++ switch(cmd) {
++ case CMD_INIT:
++ section->timeout_close=60; /* 1 minute */
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "TIMEOUTclose"))
++ break;
++ if(atoi(arg)>0 || !strcmp(arg, "0"))
++ section->timeout_close=atoi(arg);
++ else
++ return "Illegal close timeout";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ s_log(LOG_RAW, "%-15s = %d seconds", "TIMEOUTclose", section->timeout_close);
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = seconds to wait for close_notify"
++ " (set to 0 for buggy MSIE)", "TIMEOUTclose");
++ break;
++ }
++
++ /* TIMEOUTconnect */
++ switch(cmd) {
++ case CMD_INIT:
++ section->timeout_connect=10; /* 10 seconds */
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "TIMEOUTconnect"))
++ break;
++ if(atoi(arg)>0 || !strcmp(arg, "0"))
++ section->timeout_connect=atoi(arg);
++ else
++ return "Illegal connect timeout";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ s_log(LOG_RAW, "%-15s = %d seconds", "TIMEOUTconnect",
++ section->timeout_connect);
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = seconds to connect remote host", "TIMEOUTconnect");
++ break;
++ }
++
++ /* TIMEOUTidle */
++ switch(cmd) {
++ case CMD_INIT:
++ section->timeout_idle=43200; /* 12 hours */
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "TIMEOUTidle"))
++ break;
++ if(atoi(arg)>0)
++ section->timeout_idle=atoi(arg);
++ else
++ return "Illegal idle timeout";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ s_log(LOG_RAW, "%-15s = %d seconds", "TIMEOUTidle", section->timeout_idle);
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = seconds to keep an idle connection", "TIMEOUTidle");
++ break;
++ }
++
++ /* transparent */
++#ifndef USE_WIN32
++ switch(cmd) {
++ case CMD_INIT:
++ section->option.transparent=0;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "transparent"))
++ break;
++ if(!strcasecmp(arg, "yes"))
++ section->option.transparent=1;
++ else if(!strcasecmp(arg, "no"))
++ section->option.transparent=0;
++ else
++ return "Argument should be either 'yes' or 'no'";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = yes|no transparent proxy mode",
++ "transparent");
++ break;
++ }
++#endif
++
++ /* verify */
++ switch(cmd) {
++ case CMD_INIT:
++ section->verify_level=-1;
++ section->verify_use_only_my=0;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "verify"))
++ break;
++ section->verify_level=SSL_VERIFY_NONE;
++ switch(atoi(arg)) {
++ case 3:
++ section->verify_use_only_my=1;
++ case 2:
++ section->verify_level|=SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
++ case 1:
++ section->verify_level|=SSL_VERIFY_PEER;
++ case 0:
++ return NULL; /* OK */
++ default:
++ return "Bad verify level";
++ }
++ case CMD_DEFAULT:
++ s_log(LOG_RAW, "%-15s = none", "verify");
++ break;
++ case CMD_HELP:
++ s_log(LOG_RAW, "%-15s = level of peer certificate verification", "verify");
++ s_log(LOG_RAW, "%18slevel 1 - verify peer certificate if present", "");
++ s_log(LOG_RAW, "%18slevel 2 - require valid peer certificate always", "");
++ s_log(LOG_RAW, "%18slevel 3 - verify peer with locally installed certificate",
++ "");
++ break;
++ }
++
++ if(cmd==CMD_EXEC)
++ return option_not_found;
++ return NULL; /* OK */
++}
++
++static void syntax(char *confname) {
++ s_log(LOG_RAW, " ");
++ s_log(LOG_RAW, "Syntax:");
++ s_log(LOG_RAW, "stunnel "
++#ifdef USE_WIN32
++#ifndef _WIN32_WCE
++ "[ [-install | -uninstall] "
++#endif
++ "[-quiet] "
++#endif
++ "[<filename>] ] "
++#ifndef USE_WIN32
++ "-fd <n> "
++#endif
++ "| -help | -version | -sockets");
++ s_log(LOG_RAW, " <filename> - use specified config file instead of %s",
++ confname);
++#ifdef USE_WIN32
++#ifndef _WIN32_WCE
++ s_log(LOG_RAW, " -install - install NT service");
++ s_log(LOG_RAW, " -uninstall - uninstall NT service");
++#endif
++ s_log(LOG_RAW, " -quiet - don't display a message box on success");
++#else
++ s_log(LOG_RAW, " -fd <n> - read the config file from a file descriptor");
++#endif
++ s_log(LOG_RAW, " -help - get config file help");
++ s_log(LOG_RAW, " -version - display version and defaults");
++ s_log(LOG_RAW, " -sockets - display default socket options");
++ die(1);
++}
++
++void parse_config(char *name, char *parameter) {
++#ifdef CONFDIR
++ char *default_config_file=CONFDIR CONFSEPARATOR "stunnel.conf";
++#else
++ char *default_config_file="stunnel.conf";
++#endif
++ DISK_FILE *df;
++ char confline[CONFLINELEN], *arg, *opt, *errstr, *filename;
++ int line_number, i;
++#ifdef MAX_FD
++ int sections=0;
++#endif
++ LOCAL_OPTIONS *section, *new_section;
++
++ memset(&options, 0, sizeof(GLOBAL_OPTIONS)); /* reset global options */
++
++ memset(&local_options, 0, sizeof(LOCAL_OPTIONS)); /* reset local options */
++ local_options.next=NULL;
++ section=&local_options;
++
++ global_options(CMD_INIT, NULL, NULL);
++ service_options(CMD_INIT, section, NULL, NULL);
++ if(!name)
++ name=default_config_file;
++ if(!strcasecmp(name, "-help")) {
++ global_options(CMD_HELP, NULL, NULL);
++ service_options(CMD_HELP, section, NULL, NULL);
++ die(1);
++ }
++ if(!strcasecmp(name, "-version")) {
++ stunnel_info(1);
++ s_log(LOG_RAW, " ");
++ global_options(CMD_DEFAULT, NULL, NULL);
++ service_options(CMD_DEFAULT, section, NULL, NULL);
++ die(1);
++ }
++ if(!strcasecmp(name, "-sockets")) {
++ print_socket_options();
++ die(1);
++ }
++#ifndef USE_WIN32
++ if(!strcasecmp(name, "-fd")) {
++ if(!parameter) {
++ s_log(LOG_RAW, "No file descriptor specified");
++ syntax(default_config_file);
++ }
++ for(arg=parameter, i=0; *arg; ++arg) {
++ if(*arg<'0' || *arg>'9') {
++ s_log(LOG_RAW, "Invalid file descriptor %s", parameter);
++ syntax(default_config_file);
++ }
++ i=10*i+*arg-'0';
++ }
++ df=file_fdopen(i);
++ if(!df) {
++ s_log(LOG_RAW, "Invalid file descriptor %s", parameter);
++ syntax(default_config_file);
++ }
++ filename="descriptor";
++ } else
++#endif
++ {
++ df=file_open(name, 0);
++ if(!df)
++ syntax(default_config_file);
++ filename=name;
++ }
++ line_number=0;
++ while(file_getline(df, confline, CONFLINELEN)) {
++ ++line_number;
++ opt=confline;
++ while(isspace((unsigned char)*opt))
++ ++opt; /* remove initial whitespaces */
++ for(i=strlen(opt)-1; i>=0 && isspace((unsigned char)opt[i]); --i)
++ opt[i]='\0'; /* remove trailing whitespaces */
++ if(opt[0]=='\0' || opt[0]=='#' || opt[0]==';') /* empty or comment */
++ continue;
++ if(opt[0]=='[' && opt[strlen(opt)-1]==']') { /* new section */
++ section_validate(filename, line_number, section, 0);
++ ++opt;
++ opt[strlen(opt)-1]='\0';
++ new_section=calloc(1, sizeof(LOCAL_OPTIONS));
++ if(!new_section) {
++ s_log(LOG_RAW, "Fatal memory allocation error");
++ die(2);
++ }
++ memcpy(new_section, &local_options, sizeof(LOCAL_OPTIONS));
++ new_section->servname=stralloc(opt);
++ new_section->session=NULL;
++ new_section->next=NULL;
++ section->next=new_section;
++ section=new_section;
++#ifdef MAX_FD
++ if(++sections>MAX_FD)
++ config_error(filename, line_number, "Too many sections");
++#endif
++ continue;
++ }
++ arg=strchr(confline, '=');
++ if(!arg)
++ config_error(filename, line_number, "No '=' found");
++ *arg++='\0'; /* split into option name and argument value */
++ for(i=strlen(opt)-1; i>=0 && isspace((unsigned char)opt[i]); --i)
++ opt[i]='\0'; /* remove trailing whitespaces */
++ while(isspace((unsigned char)*arg))
++ ++arg; /* remove initial whitespaces */
++ errstr=service_options(CMD_EXEC, section, opt, arg);
++ if(section==&local_options && errstr==option_not_found)
++ errstr=global_options(CMD_EXEC, opt, arg);
++ config_error(filename, line_number, errstr);
++ }
++ section_validate(filename, line_number, section, 1);
++ file_close(df);
++ if(!local_options.next) { /* inetd mode */
++ if (section->option.accept) {
++ s_log(LOG_RAW, "accept option is not allowed in inetd mode");
++ s_log(LOG_RAW, "remove accept option or define a [section]");
++ die(1);
++ }
++ if (!section->option.remote && !section->execname) {
++ s_log(LOG_RAW, "inetd mode must define a remote host or an executable");
++ die(1);
++ }
++ }
++}
++
++static void section_validate(char *filename, int line_number,
++ LOCAL_OPTIONS *section, int final) {
++ if(section==&local_options) { /* global options just configured */
++#ifdef HAVE_OSSL_ENGINE_H
++ close_engine();
++#endif
++ ssl_configure(); /* configure global SSL settings */
++ if(!final) /* no need to validate defaults */
++ return;
++ }
++ if(!section->option.client)
++ section->option.cert=1; /* Server always needs a certificate */
++ context_init(section); /* initialize SSL context */
++
++ if(section==&local_options) { /* inetd mode */
++ if(section->option.accept)
++ config_error(filename, line_number,
++ "accept is not allowed in inetd mode");
++ /* TODO: some additional checks could be useful
++ if((unsigned int)section->option.program +
++ (unsigned int)section->option.remote != 1)
++ config_error(filename, line_number,
++ "Single endpoint is required in inetd mode");
++ */
++ return;
++ }
++
++ /* standalone mode */
++#ifdef USE_WIN32
++ if(!section->option.accept || !section->option.remote)
++#else
++ if((unsigned int)section->option.accept +
++ (unsigned int)section->option.program +
++ (unsigned int)section->option.remote != 2)
++#endif
++ config_error(filename, line_number,
++ "Each service section must define exactly two endpoints");
++ return; /* All tests passed -- continue program execution */
++}
++
++static void config_error(char *name, int num, char *str) {
++ if(!str) /* NULL -> no error */
++ return;
++ s_log(LOG_RAW, "file %s line %d: %s", name, num, str);
++ die(1);
++}
++
++static char *stralloc(char *str) { /* Allocate static string */
++ char *retval;
++
++ retval=calloc(strlen(str)+1, 1);
++ if(!retval) {
++ s_log(LOG_RAW, "Fatal memory allocation error");
++ die(2);
++ }
++ strcpy(retval, str);
++ return retval;
++}
++
++#ifndef USE_WIN32
++static char **argalloc(char *str) { /* Allocate 'exec' argumets */
++ int max_arg, i;
++ char *ptr, **retval;
++
++ max_arg=strlen(str)/2+1;
++ ptr=stralloc(str);
++ retval=calloc(max_arg+1, sizeof(char *));
++ if(!retval) {
++ s_log(LOG_RAW, "Fatal memory allocation error");
++ die(2);
++ }
++ i=0;
++ while(*ptr && i<max_arg) {
++ retval[i++]=ptr;
++ while(*ptr && !isspace((unsigned char)*ptr))
++ ++ptr;
++ while(*ptr && isspace((unsigned char)*ptr))
++ *ptr++='\0';
++ }
++ retval[i]=NULL; /* to show that it's null-terminated */
++ return retval;
++}
++#endif
++
++/* Parse out the facility/debug level stuff */
++
++typedef struct {
++ char *name;
++ int value;
++} facilitylevel;
++
++static int parse_debug_level(char *arg) {
++ char arg_copy[STRLEN];
++ char *string;
++ facilitylevel *fl;
++
++/* Facilities only make sense on unix */
++#if !defined (USE_WIN32) && !defined (__vms)
++ facilitylevel facilities[] = {
++ {"auth", LOG_AUTH}, {"cron", LOG_CRON}, {"daemon", LOG_DAEMON},
++ {"kern", LOG_KERN}, {"lpr", LOG_LPR}, {"mail", LOG_MAIL},
++ {"news", LOG_NEWS}, {"syslog", LOG_SYSLOG}, {"user", LOG_USER},
++ {"uucp", LOG_UUCP}, {"local0", LOG_LOCAL0}, {"local1", LOG_LOCAL1},
++ {"local2", LOG_LOCAL2}, {"local3", LOG_LOCAL3}, {"local4", LOG_LOCAL4},
++ {"local5", LOG_LOCAL5}, {"local6", LOG_LOCAL6}, {"local7", LOG_LOCAL7},
++
++ /* Some that are not on all unicies */
++#ifdef LOG_AUTHPRIV
++ {"authpriv", LOG_AUTHPRIV},
++#endif
++#ifdef LOG_FTP
++ {"ftp", LOG_FTP},
++#endif
++#ifdef LOG_NTP
++ {"ntp", LOG_NTP},
++#endif
++ {NULL, 0}
++ };
++#endif /* USE_WIN32, __vms */
++
++ facilitylevel levels[] = {
++ {"emerg", LOG_EMERG}, {"alert", LOG_ALERT},
++ {"crit", LOG_CRIT}, {"err", LOG_ERR},
++ {"warning", LOG_WARNING}, {"notice", LOG_NOTICE},
++ {"info", LOG_INFO}, {"debug", LOG_DEBUG},
++ {NULL, -1}
++ };
++
++ safecopy(arg_copy, arg);
++ string = arg_copy;
++
++/* Facilities only make sense on Unix */
++#if !defined (USE_WIN32) && !defined (__vms)
++ if(strchr(string, '.')) { /* We have a facility specified */
++ options.facility=-1;
++ string=strtok(arg_copy, "."); /* break it up */
++
++ for(fl=facilities; fl->name; ++fl) {
++ if(!strcasecmp(fl->name, string)) {
++ options.facility = fl->value;
++ break;
++ }
++ }
++ if(options.facility==-1)
++ return 0; /* FAILED */
++ string=strtok(NULL, "."); /* set to the remainder */
++ }
++#endif /* USE_WIN32, __vms */
++
++ /* Time to check the syslog level */
++ if(string && strlen(string)==1 && *string>='0' && *string<='7') {
++ options.debug_level=*string-'0';
++ return 1; /* OK */
++ }
++ options.debug_level=8; /* illegal level */
++ for(fl=levels; fl->name; ++fl) {
++ if(!strcasecmp(fl->name, string)) {
++ options.debug_level=fl->value;
++ break;
++ }
++ }
++ if (options.debug_level==8)
++ return 0; /* FAILED */
++ return 1; /* OK */
++}
++
++/* Parse out SSL options stuff */
++
++static int parse_ssl_option(char *arg) {
++ struct {
++ char *name;
++ long value;
++ } ssl_opts[] = {
++ {"MICROSOFT_SESS_ID_BUG", SSL_OP_MICROSOFT_SESS_ID_BUG},
++ {"NETSCAPE_CHALLENGE_BUG", SSL_OP_NETSCAPE_CHALLENGE_BUG},
++ {"NETSCAPE_REUSE_CIPHER_CHANGE_BUG",
++ SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG},
++ {"SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG},
++ {"MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER},
++ {"MSIE_SSLV2_RSA_PADDING", SSL_OP_MSIE_SSLV2_RSA_PADDING},
++ {"SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG},
++ {"TLS_D5_BUG", SSL_OP_TLS_D5_BUG},
++ {"TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG},
++ {"DONT_INSERT_EMPTY_FRAGMENTS", SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS},
++#ifdef SSL_OP_NO_QUERY_MTU
++ {"NO_QUERY_MTU", SSL_OP_NO_QUERY_MTU},
++#endif
++#ifdef SSL_OP_COOKIE_EXCHANGE
++ {"COOKIE_EXCHANGE", SSL_OP_COOKIE_EXCHANGE},
++#endif
++#ifdef SSL_OP_NO_TICKET
++ {"NO_TICKET", SSL_OP_NO_TICKET},
++#endif
++ {"NO_SESSION_RESUMPTION_ON_RENEGOTIATION",
++ SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION},
++#ifdef SSL_OP_NO_COMPRESSION
++ {"NO_COMPRESSION", SSL_OP_NO_COMPRESSION},
++#endif
++#ifdef SSL_OP_SINGLE_ECDH_USE
++ {"SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE},
++#endif
++ {"SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE},
++ {"EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA},
++ {"CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE},
++ {"TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG},
++ {"NO_SSLv2", SSL_OP_NO_SSLv2},
++ {"NO_SSLv3", SSL_OP_NO_SSLv3},
++ {"NO_TLSv1", SSL_OP_NO_TLSv1},
++ {"PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1},
++ {"PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2},
++ {"NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG},
++ {"NETSCAPE_DEMO_CIPHER_CHANGE_BUG",
++ SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG},
++#ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG
++ {"CRYPTOPRO_TLSEXT_BUG", SSL_OP_CRYPTOPRO_TLSEXT_BUG},
++#endif
++ {"ALL", SSL_OP_ALL},
++ {NULL, 0}
++ }, *option;
++
++ for(option=ssl_opts; option->name; ++option)
++ if(!strcasecmp(option->name, arg))
++ return option->value;
++ return 0; /* FAILED */
++}
++
++/* Parse out the socket options stuff */
++
++static int on=1;
++
++#define DEF_VALS {NULL, NULL, NULL}
++#define DEF_ACCEPT {(void *)&on, NULL, NULL}
++
++SOCK_OPT sock_opts[] = {
++ {"SO_DEBUG", SOL_SOCKET, SO_DEBUG, TYPE_FLAG, DEF_VALS},
++ {"SO_DONTROUTE", SOL_SOCKET, SO_DONTROUTE, TYPE_FLAG, DEF_VALS},
++ {"SO_KEEPALIVE", SOL_SOCKET, SO_KEEPALIVE, TYPE_FLAG, DEF_VALS},
++ {"SO_LINGER", SOL_SOCKET, SO_LINGER, TYPE_LINGER, DEF_VALS},
++ {"SO_OOBINLINE", SOL_SOCKET, SO_OOBINLINE, TYPE_FLAG, DEF_VALS},
++ {"SO_RCVBUF", SOL_SOCKET, SO_RCVBUF, TYPE_INT, DEF_VALS},
++ {"SO_SNDBUF", SOL_SOCKET, SO_SNDBUF, TYPE_INT, DEF_VALS},
++#ifdef SO_RCVLOWAT
++ {"SO_RCVLOWAT", SOL_SOCKET, SO_RCVLOWAT, TYPE_INT, DEF_VALS},
++#endif
++#ifdef SO_SNDLOWAT
++ {"SO_SNDLOWAT", SOL_SOCKET, SO_SNDLOWAT, TYPE_INT, DEF_VALS},
++#endif
++#ifdef SO_RCVTIMEO
++ {"SO_RCVTIMEO", SOL_SOCKET, SO_RCVTIMEO, TYPE_TIMEVAL, DEF_VALS},
++#endif
++#ifdef SO_SNDTIMEO
++ {"SO_SNDTIMEO", SOL_SOCKET, SO_SNDTIMEO, TYPE_TIMEVAL, DEF_VALS},
++#endif
++ {"SO_REUSEADDR", SOL_SOCKET, SO_REUSEADDR, TYPE_FLAG, DEF_ACCEPT},
++#ifdef SO_BINDTODEVICE
++ {"SO_BINDTODEVICE", SOL_SOCKET, SO_BINDTODEVICE, TYPE_STRING, DEF_VALS},
++#endif
++#ifdef TCP_KEEPCNT
++ {"TCP_KEEPCNT", SOL_TCP, TCP_KEEPCNT, TYPE_INT, DEF_VALS},
++#endif
++#ifdef TCP_KEEPIDLE
++ {"TCP_KEEPIDLE", SOL_TCP, TCP_KEEPIDLE, TYPE_INT, DEF_VALS},
++#endif
++#ifdef TCP_KEEPINTVL
++ {"TCP_KEEPINTVL", SOL_TCP, TCP_KEEPINTVL, TYPE_INT, DEF_VALS},
++#endif
++#ifdef IP_TOS
++ {"IP_TOS", IPPROTO_IP, IP_TOS, TYPE_INT, DEF_VALS},
++#endif
++#ifdef IP_TTL
++ {"IP_TTL", IPPROTO_IP, IP_TTL, TYPE_INT, DEF_VALS},
++#endif
++#ifdef IP_MAXSEG
++ {"TCP_MAXSEG", IPPROTO_TCP, TCP_MAXSEG, TYPE_INT, DEF_VALS},
++#endif
++ {"TCP_NODELAY", IPPROTO_TCP, TCP_NODELAY, TYPE_FLAG, DEF_VALS},
++ {NULL, 0, 0, TYPE_NONE, DEF_VALS}
++};
++
++static int print_socket_options(void) {
++ int fd;
++ socklen_t optlen;
++ SOCK_OPT *ptr;
++ OPT_UNION val;
++ char line[STRLEN];
++
++ fd=socket(AF_INET, SOCK_STREAM, 0);
++
++ s_log(LOG_RAW, "Socket option defaults:");
++ s_log(LOG_RAW, " %-16s%-10s%-10s%-10s%-10s",
++ "Option", "Accept", "Local", "Remote", "OS default");
++ for(ptr=sock_opts; ptr->opt_str; ++ptr) {
++ /* display option name */
++ sprintf(line, " %-16s", ptr->opt_str);
++ /* display stunnel default values */
++ print_option(line, ptr->opt_type, ptr->opt_val[0]);
++ print_option(line, ptr->opt_type, ptr->opt_val[1]);
++ print_option(line, ptr->opt_type, ptr->opt_val[2]);
++ /* display OS default value */
++ optlen=sizeof val;
++ if(getsockopt(fd, ptr->opt_level,
++ ptr->opt_name, (void *)&val, &optlen)) {
++ if(get_last_socket_error()!=ENOPROTOOPT) {
++ s_log(LOG_RAW, "%s", line); /* dump the name and assigned values */
++ sockerror("getsockopt");
++ return 0; /* FAILED */
++ }
++ safeconcat(line, " -- "); /* write-only value */
++ } else
++ print_option(line, ptr->opt_type, &val);
++ s_log(LOG_RAW, "%s", line);
++ }
++ return 1; /* OK */
++}
++
++static void print_option(char *line, int type, OPT_UNION *val) {
++ char text[STRLEN];
++
++ if(!val) {
++ safecopy(text, " -- ");
++ } else {
++ switch(type) {
++ case TYPE_FLAG:
++ case TYPE_INT:
++ sprintf(text, "%10d", val->i_val);
++ break;
++ case TYPE_LINGER:
++ sprintf(text, "%d:%-8d",
++ val->linger_val.l_onoff, val->linger_val.l_linger);
++ break;
++ case TYPE_TIMEVAL:
++ sprintf(text, "%6d:%-3d",
++ (int)val->timeval_val.tv_sec, (int)val->timeval_val.tv_usec);
++ break;
++ case TYPE_STRING:
++ sprintf(text, "%10s", val->c_val);
++ break;
++ default:
++ safecopy(text, " Ooops? "); /* Internal error? */
++ }
++ }
++ safeconcat(line, text);
++}
++
++static int parse_socket_option(char *arg) {
++ int socket_type; /* 0-accept, 1-local, 2-remote */
++ char *opt_val_str, *opt_val2_str;
++ SOCK_OPT *ptr;
++
++ if(arg[1]!=':')
++ return 0; /* FAILED */
++ switch(arg[0]) {
++ case 'a':
++ socket_type=0; break;
++ case 'l':
++ socket_type=1; break;
++ case 'r':
++ socket_type=2; break;
++ default:
++ return 0; /* FAILED */
++ }
++ arg+=2;
++ opt_val_str=strchr(arg, '=');
++ if(!opt_val_str) /* No '='? */
++ return 0; /* FAILED */
++ *opt_val_str++='\0';
++ ptr=sock_opts;
++ for(;;) {
++ if(!ptr->opt_str)
++ return 0; /* FAILED */
++ if(!strcmp(arg, ptr->opt_str))
++ break; /* option name found */
++ ++ptr;
++ }
++ ptr->opt_val[socket_type]=calloc(1, sizeof(OPT_UNION));
++ switch(ptr->opt_type) {
++ case TYPE_FLAG:
++ case TYPE_INT:
++ ptr->opt_val[socket_type]->i_val=atoi(opt_val_str);
++ return 1; /* OK */
++ case TYPE_LINGER:
++ opt_val2_str=strchr(opt_val_str, ':');
++ if(opt_val2_str) {
++ *opt_val2_str++='\0';
++ ptr->opt_val[socket_type]->linger_val.l_linger=atoi(opt_val2_str);
++ } else {
++ ptr->opt_val[socket_type]->linger_val.l_linger=0;
++ }
++ ptr->opt_val[socket_type]->linger_val.l_onoff=atoi(opt_val_str);
++ return 1; /* OK */
++ case TYPE_TIMEVAL:
++ opt_val2_str=strchr(opt_val_str, ':');
++ if(opt_val2_str) {
++ *opt_val2_str++='\0';
++ ptr->opt_val[socket_type]->timeval_val.tv_usec=atoi(opt_val2_str);
++ } else {
++ ptr->opt_val[socket_type]->timeval_val.tv_usec=0;
++ }
++ ptr->opt_val[socket_type]->timeval_val.tv_sec=atoi(opt_val_str);
++ return 1; /* OK */
++ case TYPE_STRING:
++ if(strlen(opt_val_str)+1>sizeof(OPT_UNION))
++ return 0; /* FAILED */
++ strcpy(ptr->opt_val[socket_type]->c_val, opt_val_str);
++ return 1; /* OK */
++ default:
++ ; /* ANSI C compiler needs it */
++ }
++ return 0; /* FAILED */
++}
++
++/* Parse out OCSP URL */
++
++static char *parse_ocsp_url(LOCAL_OPTIONS *section, char *arg) {
++ char *host, *port, *path;
++ int ssl;
++
++ if(!OCSP_parse_url(arg, &host, &port, &path, &ssl))
++ return "Failed to parse OCSP URL";
++ if(ssl)
++ return "SSL not supported for OCSP"
++ " - additional stunnel service needs to be defined";
++ if(!hostport2addrlist(§ion->ocsp_addr, host, port))
++ return "Failed to resolve OCSP server address";
++ section->ocsp_path=stralloc(path);
++ if(host)
++ OPENSSL_free(host);
++ if(port)
++ OPENSSL_free(port);
++ if(path)
++ OPENSSL_free(path);
++ return NULL; /* OK! */
++}
++
++/* Parse out OCSP flags stuff */
++
++static unsigned long parse_ocsp_flag(char *arg) {
++ struct {
++ char *name;
++ unsigned long value;
++ } ocsp_opts[] = {
++ {"NOCERTS", OCSP_NOCERTS},
++ {"NOINTERN", OCSP_NOINTERN},
++ {"NOSIGS", OCSP_NOSIGS},
++ {"NOCHAIN", OCSP_NOCHAIN},
++ {"NOVERIFY", OCSP_NOVERIFY},
++ {"NOEXPLICIT", OCSP_NOEXPLICIT},
++ {"NOCASIGN", OCSP_NOCASIGN},
++ {"NODELEGATED", OCSP_NODELEGATED},
++ {"NOCHECKS", OCSP_NOCHECKS},
++ {"TRUSTOTHER", OCSP_TRUSTOTHER},
++ {"RESPID_KEY", OCSP_RESPID_KEY},
++ {"NOTIME", OCSP_NOTIME},
++ {NULL, 0}
++ }, *option;
++
++ for(option=ocsp_opts; option->name; ++option)
++ if(!strcasecmp(option->name, arg))
++ return option->value;
++ return 0; /* FAILED */
++}
++
++/* End of options.c */
+--- a/src/prototypes.h
++++ b/src/prototypes.h
+@@ -231,6 +231,7 @@ typedef struct local_options {
+ unsigned int remote:1;
+ unsigned int retry:1; /* loop remote+program */
+ unsigned int sessiond:1;
++ unsigned int xforwardedfor:1;
+ #ifndef USE_WIN32
+ unsigned int program:1;
+ unsigned int pty:1;
+@@ -334,6 +335,8 @@ typedef struct {
+ FD *ssl_rfd, *ssl_wfd; /* Read and write SSL descriptors */
+ int sock_bytes, ssl_bytes; /* Bytes written to socket and ssl */
+ s_poll_set fds; /* File descriptors */
++ int buffsize; /* current buffer size, may be lower than BUFFSIZE */
++ int crlf_seen; /* the number of successive CRLF seen */
+ } CLI;
+
+ extern int max_clients;
+--- /dev/null
++++ b/src/prototypes.h.orig
+@@ -0,0 +1,470 @@
++/*
++ * stunnel Universal SSL tunnel
++ * Copyright (C) 1998-2009 Michal Trojnara <Michal.Trojnara@mirt.net>
++ *
++ * This program is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by the
++ * Free Software Foundation; either version 2 of the License, or (at your
++ * option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
++ * See the GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License along
++ * with this program; if not, see <http://www.gnu.org/licenses>.
++ *
++ * Linking stunnel statically or dynamically with other modules is making
++ * a combined work based on stunnel. Thus, the terms and conditions of
++ * the GNU General Public License cover the whole combination.
++ *
++ * In addition, as a special exception, the copyright holder of stunnel
++ * gives you permission to combine stunnel with free software programs or
++ * libraries that are released under the GNU LGPL and with code included
++ * in the standard release of OpenSSL under the OpenSSL License (or
++ * modified versions of such code, with unchanged license). You may copy
++ * and distribute such a system following the terms of the GNU GPL for
++ * stunnel and the licenses of the other code concerned.
++ *
++ * Note that people who make modified versions of stunnel are not obligated
++ * to grant this special exception for their modified versions; it is their
++ * choice whether to do so. The GNU General Public License gives permission
++ * to release a modified version without this exception; this exception
++ * also makes it possible to release a modified version which carries
++ * forward this exception.
++ */
++
++#ifndef PROTOTYPES_H
++#define PROTOTYPES_H
++
++#include "common.h"
++
++/**************************************** Network data structure */
++
++#define MAX_HOSTS 16
++
++typedef union sockaddr_union {
++ struct sockaddr sa;
++ struct sockaddr_in in;
++#if defined(USE_IPv6)
++ struct sockaddr_in6 in6;
++#endif
++} SOCKADDR_UNION;
++
++typedef struct sockaddr_list { /* list of addresses */
++ SOCKADDR_UNION addr[MAX_HOSTS]; /* the list of addresses */
++ u16 cur; /* current address for round-robin */
++ u16 num; /* how many addresses are used */
++} SOCKADDR_LIST;
++
++#ifdef __INNOTEK_LIBC__
++#define socklen_t __socklen_t
++#define strcasecmp stricmp
++#define strncasecmp strnicmp
++#define NI_NUMERICHOST 1
++#define NI_NUMERICSERV 2
++#endif
++
++
++/**************************************** Prototypes for stunnel.c */
++
++extern volatile int num_clients;
++
++void main_initialize(char *, char *);
++void main_execute(void);
++#if !defined (USE_WIN32) && !defined (__vms) && !defined(USE_OS2)
++void drop_privileges(void);
++#endif
++void stunnel_info(int);
++void die(int);
++
++/**************************************** Prototypes for log.c */
++
++void log_open(void);
++void log_close(void);
++void log_flush(void);
++void s_log(int, const char *, ...)
++#ifdef __GNUC__
++ __attribute__ ((format (printf, 2, 3)));
++#else
++ ;
++#endif
++void ioerror(const char *);
++void sockerror(const char *);
++void log_error(int, int, const char *);
++char *my_strerror(int);
++
++/**************************************** Prototypes for pty.c */
++/* Based on Public Domain code by Tatu Ylonen <ylo@cs.hut.fi> */
++
++int pty_allocate(int *, int *, char *, int);
++#if 0
++void pty_release(char *);
++void pty_make_controlling_tty(int *, char *);
++#endif
++
++/**************************************** Prototypes for ssl.c */
++
++typedef enum {
++ COMP_NONE, COMP_ZLIB, COMP_RLE
++} COMP_TYPE;
++
++extern int cli_index, opt_index;;
++
++void ssl_init(void);
++void ssl_configure(void);
++#ifdef HAVE_OSSL_ENGINE_H
++void open_engine(const char *);
++void ctrl_engine(const char *, const char *);
++void close_engine(void);
++ENGINE *get_engine(int);
++#endif
++
++/**************************************** Prototypes for options.c */
++
++typedef struct {
++ /* some data for SSL initialization in ssl.c */
++ COMP_TYPE compression; /* compression type */
++ char *egd_sock; /* entropy gathering daemon socket */
++ char *rand_file; /* file with random data */
++ int random_bytes; /* how many random bytes to read */
++
++ /* some global data for stunnel.c */
++#ifndef USE_WIN32
++#ifdef HAVE_CHROOT
++ char *chroot_dir;
++#endif
++ unsigned long dpid;
++ char *pidfile;
++ int uid, gid;
++#endif
++
++ /* Win32 specific data for gui.c */
++#if defined(USE_WIN32) && !defined(_WIN32_WCE)
++ char *win32_service;
++#endif
++
++ /* logging-support data for log.c */
++ int debug_level; /* debug level for logging */
++#ifndef USE_WIN32
++ int facility; /* debug facility for syslog */
++#endif
++ char *output_file;
++
++ /* on/off switches */
++ struct {
++ unsigned int rand_write:1; /* overwrite rand_file */
++#ifdef USE_WIN32
++ unsigned int taskbar:1; /* enable the taskbar icon */
++#else /* !USE_WIN32 */
++ unsigned int foreground:1;
++ unsigned int syslog:1;
++#endif
++#ifdef USE_FIPS
++ unsigned int fips:1; /* enable FIPS 140-2 mode */
++#endif
++ } option;
++} GLOBAL_OPTIONS;
++
++extern GLOBAL_OPTIONS options;
++
++typedef struct local_options {
++ SSL_CTX *ctx; /* SSL context */
++ X509_STORE *revocation_store; /* cert store for CRL checking */
++#ifdef HAVE_OSSL_ENGINE_H
++ ENGINE *engine; /* engine to read the private key */
++#endif
++ struct local_options *next; /* next node in the services list */
++ char *servname; /* service name for logging & permission checking */
++ SSL_SESSION *session; /* jecently used session */
++ char local_address[IPLEN]; /* dotted-decimal address to bind */
++#ifndef USE_FORK
++ int stack_size; /* stack size for this thread */
++#endif
++
++ /* service-specific data for ctx.c */
++ char *ca_dir; /* directory for hashed certs */
++ char *ca_file; /* file containing bunches of certs */
++ char *crl_dir; /* directory for hashed CRLs */
++ char *crl_file; /* file containing bunches of CRLs */
++ char *cipher_list;
++ char *cert; /* cert filename */
++ char *key; /* pem (priv key/cert) filename */
++ long session_timeout;
++ int verify_level;
++ int verify_use_only_my;
++ long ssl_options;
++#if SSLEAY_VERSION_NUMBER >= 0x00907000L
++ SOCKADDR_LIST ocsp_addr;
++ char *ocsp_path;
++ unsigned long ocsp_flags;
++#endif /* OpenSSL-0.9.7 */
++ SSL_METHOD *client_method, *server_method;
++ SOCKADDR_LIST sessiond_addr;
++
++ /* service-specific data for client.c */
++ int fd; /* file descriptor accepting connections for this service */
++ char *execname, **execargs; /* program name and arguments for local mode */
++ SOCKADDR_LIST local_addr, remote_addr, source_addr;
++ char *username;
++ char *remote_address;
++ int timeout_busy; /* maximum waiting for data time */
++ int timeout_close; /* maximum close_notify time */
++ int timeout_connect; /* maximum connect() time */
++ int timeout_idle; /* maximum idle connection time */
++ enum {FAILOVER_RR, FAILOVER_PRIO} failover; /* failover strategy */
++
++ /* protocol name for protocol.c */
++ char *protocol;
++ char *protocol_host;
++ char *protocol_username;
++ char *protocol_password;
++ char *protocol_authentication;
++
++ /* on/off switches */
++ struct {
++ unsigned int cert:1;
++ unsigned int client:1;
++ unsigned int delayed_lookup:1;
++ unsigned int accept:1;
++ unsigned int remote:1;
++ unsigned int retry:1; /* loop remote+program */
++ unsigned int sessiond:1;
++#ifndef USE_WIN32
++ unsigned int program:1;
++ unsigned int pty:1;
++ unsigned int transparent:1;
++#endif
++#if SSLEAY_VERSION_NUMBER >= 0x00907000L
++ unsigned int ocsp:1;
++#endif
++ } option;
++} LOCAL_OPTIONS;
++
++extern LOCAL_OPTIONS local_options;
++
++typedef enum {
++ TYPE_NONE, TYPE_FLAG, TYPE_INT, TYPE_LINGER, TYPE_TIMEVAL, TYPE_STRING
++} VAL_TYPE;
++
++typedef union {
++ int i_val;
++ long l_val;
++ char c_val[16];
++ struct linger linger_val;
++ struct timeval timeval_val;
++} OPT_UNION;
++
++typedef struct {
++ char *opt_str;
++ int opt_level;
++ int opt_name;
++ VAL_TYPE opt_type;
++ OPT_UNION *opt_val[3];
++} SOCK_OPT;
++
++void parse_config(char *, char *);
++
++/**************************************** Prototypes for ctx.c */
++
++void context_init(LOCAL_OPTIONS *);
++void sslerror(char *);
++
++/**************************************** Prototypes for verify.c */
++
++void verify_init(LOCAL_OPTIONS *);
++
++/**************************************** Prototypes for network.c */
++
++#ifdef USE_POLL
++#define MAX_FD 256
++#endif
++
++typedef struct {
++#ifdef USE_POLL
++ struct pollfd ufds[MAX_FD];
++ unsigned int nfds;
++#else
++ fd_set irfds, iwfds, orfds, owfds;
++ int max;
++#endif
++} s_poll_set;
++
++void s_poll_init(s_poll_set *);
++void s_poll_add(s_poll_set *, int, int, int);
++int s_poll_canread(s_poll_set *, int);
++int s_poll_canwrite(s_poll_set *, int);
++int s_poll_wait(s_poll_set *, int, int);
++
++#ifndef USE_WIN32
++int signal_pipe_init(void);
++void child_status(void); /* dead libwrap or 'exec' process detected */
++#endif
++int set_socket_options(int, int);
++int alloc_fd(int);
++void setnonblock(int, unsigned long);
++
++/**************************************** Prototypes for client.c */
++
++typedef struct {
++ int fd; /* File descriptor */
++ int rd; /* Open for read */
++ int wr; /* Open for write */
++ int is_socket; /* File descriptor is a socket */
++} FD;
++
++typedef struct {
++ LOCAL_OPTIONS *opt;
++ char accepted_address[IPLEN]; /* text */
++ SOCKADDR_LIST peer_addr; /* Peer address */
++ FD local_rfd, local_wfd; /* Read and write local descriptors */
++ FD remote_fd; /* Remote file descriptor */
++ SSL *ssl; /* SSL Connection */
++ SOCKADDR_LIST bind_addr;
++ /* IP for explicit local bind or transparent proxy */
++ unsigned long pid; /* PID of local process */
++ int fd; /* Temporary file descriptor */
++ jmp_buf err;
++
++ char sock_buff[BUFFSIZE]; /* Socket read buffer */
++ char ssl_buff[BUFFSIZE]; /* SSL read buffer */
++ int sock_ptr, ssl_ptr; /* Index of first unused byte in buffer */
++ FD *sock_rfd, *sock_wfd; /* Read and write socket descriptors */
++ FD *ssl_rfd, *ssl_wfd; /* Read and write SSL descriptors */
++ int sock_bytes, ssl_bytes; /* Bytes written to socket and ssl */
++ s_poll_set fds; /* File descriptors */
++} CLI;
++
++extern int max_clients;
++#ifndef USE_WIN32
++extern int max_fds;
++#endif
++
++CLI *alloc_client_session(LOCAL_OPTIONS *, int, int);
++void *client(void *);
++
++/**************************************** Prototypes for network.c */
++
++int connect_blocking(CLI *, SOCKADDR_UNION *, socklen_t);
++void write_blocking(CLI *, int fd, void *, int);
++void read_blocking(CLI *, int fd, void *, int);
++void fdputline(CLI *, int, const char *);
++void fdgetline(CLI *, int, char *);
++/* descriptor versions of fprintf/fscanf */
++int fdprintf(CLI *, int, const char *, ...)
++#ifdef __GNUC__
++ __attribute__ ((format (printf, 3, 4)));
++#else
++ ;
++#endif
++int fdscanf(CLI *, int, const char *, char *)
++#ifdef __GNUC__
++ __attribute__ ((format (scanf, 3, 0)));
++#else
++ ;
++#endif
++
++/**************************************** Prototype for protocol.c */
++
++void negotiate(CLI *c);
++
++/**************************************** Prototypes for resolver.c */
++
++int name2addrlist(SOCKADDR_LIST *, char *, char *);
++int hostport2addrlist(SOCKADDR_LIST *, char *, char *);
++char *s_ntop(char *, SOCKADDR_UNION *);
++
++/**************************************** Prototypes for sthreads.c */
++
++typedef enum {
++ CRIT_KEYGEN, CRIT_INET, CRIT_CLIENTS, CRIT_WIN_LOG, CRIT_SESSION,
++ CRIT_LIBWRAP, CRIT_SSL, CRIT_SECTIONS
++} SECTION_CODE;
++
++void enter_critical_section(SECTION_CODE);
++void leave_critical_section(SECTION_CODE);
++void sthreads_init(void);
++unsigned long stunnel_process_id(void);
++unsigned long stunnel_thread_id(void);
++int create_client(int, int, CLI *, void *(*)(void *));
++#ifdef USE_UCONTEXT
++typedef struct CONTEXT_STRUCTURE {
++ char *stack; /* CPU stack for this thread */
++ unsigned long id;
++ ucontext_t ctx;
++ s_poll_set *fds;
++ int ready; /* number of ready file descriptors */
++ time_t finish; /* when to finish poll() for this context */
++ struct CONTEXT_STRUCTURE *next; /* next context on a list */
++} CONTEXT;
++extern CONTEXT *ready_head, *ready_tail;
++extern CONTEXT *waiting_head, *waiting_tail;
++#endif
++#ifdef _WIN32_WCE
++int _beginthread(void (*)(void *), int, void *);
++void _endthread(void);
++#endif
++#ifdef DEBUG_STACK_SIZE
++void stack_info(int);
++#endif
++
++/**************************************** Prototypes for gui.c */
++
++typedef struct {
++ LOCAL_OPTIONS *section;
++ char pass[PEM_BUFSIZE];
++} UI_DATA;
++
++#ifdef USE_WIN32
++void win_log(char *);
++void exit_win32(int);
++int passwd_cb(char *, int, int, void *);
++#ifdef HAVE_OSSL_ENGINE_H
++int pin_cb(UI *, UI_STRING *);
++#endif
++
++#ifndef _WIN32_WCE
++typedef int (CALLBACK * GETADDRINFO) (const char *,
++ const char *, const struct addrinfo *, struct addrinfo **);
++typedef void (CALLBACK * FREEADDRINFO) (struct addrinfo FAR *);
++typedef int (CALLBACK * GETNAMEINFO) (const struct sockaddr *, socklen_t,
++ char *, size_t, char *, size_t, int);
++extern GETADDRINFO s_getaddrinfo;
++extern FREEADDRINFO s_freeaddrinfo;
++extern GETNAMEINFO s_getnameinfo;
++#endif /* ! _WIN32_WCE */
++#endif /* USE_WIN32 */
++
++/**************************************** Prototypes for file.c */
++
++typedef struct disk_file {
++#ifdef USE_WIN32
++ HANDLE fh;
++#else
++ int fd;
++#endif
++ /* the inteface is prepared to easily implement buffering if needed */
++} DISK_FILE;
++
++#ifndef USE_WIN32
++DISK_FILE *file_fdopen(int);
++#endif
++DISK_FILE *file_open(char *, int);
++void file_close(DISK_FILE *);
++int file_getline(DISK_FILE *, char *, int);
++int file_putline(DISK_FILE *, char *);
++
++#ifdef USE_WIN32
++LPTSTR str2tstr(const LPSTR);
++LPSTR tstr2str(const LPTSTR);
++#endif
++
++/**************************************** Prototypes for libwrap.c */
++
++void libwrap_init(int);
++void auth_libwrap(CLI *);
++
++#endif /* defined PROTOTYPES_H */
++
++/* End of prototypes.h */