stunnel: moved to github
authorhauke <hauke@3c298f89-4303-0410-b956-a3cf2f4a3e73>
Mon, 13 Jul 2015 19:42:35 +0000 (19:42 +0000)
committerhauke <hauke@3c298f89-4303-0410-b956-a3cf2f4a3e73>
Mon, 13 Jul 2015 19:42:35 +0000 (19:42 +0000)
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
git-svn-id: svn://svn.openwrt.org/openwrt/packages@46325 3c298f89-4303-0410-b956-a3cf2f4a3e73

net/stunnel/Makefile [deleted file]
net/stunnel/files/stunnel.init [deleted file]
net/stunnel/patches/100-cross-compile.patch [deleted file]
net/stunnel/patches/101-no-comp.patch [deleted file]
net/stunnel/patches/102-no-ssl2.patch [deleted file]
net/stunnel/patches/103-no-zlib-link.patch [deleted file]
net/stunnel/patches/104-fix-paths.patch [deleted file]
net/stunnel/patches/105-stunnel-conf.patch [deleted file]
net/stunnel/patches/106-stunnel-xforwardedfor.patch [deleted file]

diff --git a/net/stunnel/Makefile b/net/stunnel/Makefile
deleted file mode 100644 (file)
index f124b35..0000000
+++ /dev/null
@@ -1,65 +0,0 @@
-#
-# Copyright (C) 2006-2010 OpenWrt.org
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=stunnel
-PKG_VERSION:=4.33
-PKG_RELEASE:=1
-
-PKG_SOURCE_URL:=http://www.stunnel.org/download/stunnel/src/
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_MD5SUM:=559a864066d8cc4afd8a97682c90d41c
-
-PKG_FIXUP:=autoreconf
-PKG_INSTALL:=1
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/stunnel
-  SECTION:=net
-  CATEGORY:=Network
-  DEPENDS:=+libopenssl +libwrap
-  TITLE:=SSL TCP Wrapper
-  URL:=http://www.stunnel.org/
-endef
-
-define Package/stunnel/description
-       Stunnel is a program that allows you to encrypt arbitrary TCP
-       connections inside SSL (Secure Sockets Layer) available on both Unix
-       and Windows. Stunnel can allow you to secure non-SSL aware daemons and
-       protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the
-       encryption, requiring no changes to the daemon's code.
-endef
-
-define Package/stunnel/conffiles
-/etc/stunnel/stunnel.conf
-endef
-
-CONFIGURE_ARGS+= \
-       --with-random=/dev/urandom \
-       --with-threads=fork \
-       --with-ssl=$(STAGING_DIR)/usr \
-
-define Build/Compile
-       mkdir -p $(PKG_INSTALL_DIR)/etc/stunnel
-       echo '#dummy' > $(PKG_INSTALL_DIR)/etc/stunnel/stunnel.pem
-       $(call Build/Compile/Default)
-endef
-
-define Package/stunnel/install
-       $(INSTALL_DIR) $(1)/usr/bin
-       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/stunnel $(1)/usr/bin/
-       $(INSTALL_DIR) $(1)/usr/lib/stunnel
-       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/stunnel/libstunnel.so $(1)/usr/lib/stunnel/
-       $(INSTALL_DIR) $(1)/etc/stunnel
-       $(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/stunnel/stunnel.conf-sample $(1)/etc/stunnel/stunnel.conf
-       $(INSTALL_DIR) $(1)/etc/init.d
-       $(INSTALL_BIN) ./files/stunnel.init $(1)/etc/init.d/stunnel
-endef
-
-$(eval $(call BuildPackage,stunnel))
diff --git a/net/stunnel/files/stunnel.init b/net/stunnel/files/stunnel.init
deleted file mode 100644 (file)
index a3ea103..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/sh /etc/rc.common
-# Copyright (C) 2006-2008 OpenWrt.org
-
-START=90
-RUN_D=/var
-PID_F=$RUN_D/stunnel.pid
-
-start() {
-       if [ -s "/etc/stunnel/stunnel.pem" ]; then
-               chmod og-rwx /etc/stunnel/stunnel.pem
-               [ ! -f $PID_F ] && stunnel
-       else
-               [ -e /etc/stunnel/config ] && \
-               . /etc/stunnel/config
-
-               X509_CN=${X509_CN:-"router"}
-               X509_O=${X509_O:-"openwrt.org"}
-               X509_OU=${X509_OU:-"open-source firmware"}
-
-               [ -x /sbin/keygen ] && {
-               (keygen "$X509_CN" "$X509_O" "$X509_OU" > /etc/stunnel/stunnel.pem;
-                       chmod og-rwx /etc/stunnel/stunnel.pem;
-                       stunnel) &
-               }
-       fi
-}
-
-stop() {
-       [ -f $PID_F ] && {
-               kill $(cat $PID_F)
-               kill -9 $(cat $PID_F)
-               rm -f $PID_F
-       }
-}
diff --git a/net/stunnel/patches/100-cross-compile.patch b/net/stunnel/patches/100-cross-compile.patch
deleted file mode 100644 (file)
index 5ce3c35..0000000
+++ /dev/null
@@ -1,126 +0,0 @@
---- a/configure
-+++ b/configure
-@@ -21552,56 +21552,56 @@ _ACEOF
- fi
- rm -f conftest*
--
--{ echo "$as_me:$LINENO: **************************************** PTY device files" >&5
--echo "$as_me: **************************************** PTY device files" >&6;}
--{ echo "$as_me:$LINENO: checking for \"/dev/ptmx\"" >&5
--echo $ECHO_N "checking for \"/dev/ptmx\"... $ECHO_C" >&6; }
--if test "${ac_cv_file___dev_ptmx_+set}" = set; then
--  echo $ECHO_N "(cached) $ECHO_C" >&6
--else
--  test "$cross_compiling" = yes &&
--  { { echo "$as_me:$LINENO: error: cannot check for file existence when cross compiling" >&5
--echo "$as_me: error: cannot check for file existence when cross compiling" >&2;}
--   { (exit 1); exit 1; }; }
--if test -r ""/dev/ptmx""; then
--  ac_cv_file___dev_ptmx_=yes
--else
--  ac_cv_file___dev_ptmx_=no
--fi
--fi
--{ echo "$as_me:$LINENO: result: $ac_cv_file___dev_ptmx_" >&5
--echo "${ECHO_T}$ac_cv_file___dev_ptmx_" >&6; }
--if test $ac_cv_file___dev_ptmx_ = yes; then
-+#
-+#{ echo "$as_me:$LINENO: **************************************** PTY device files" >&5
-+#echo "$as_me: **************************************** PTY device files" >&6;}
-+#{ echo "$as_me:$LINENO: checking for \"/dev/ptmx\"" >&5
-+#echo $ECHO_N "checking for \"/dev/ptmx\"... $ECHO_C" >&6; }
-+#if test "${ac_cv_file___dev_ptmx_+set}" = set; then
-+#  echo $ECHO_N "(cached) $ECHO_C" >&6
-+#else
-+#  test "$cross_compiling" = yes &&
-+#  { { echo "$as_me:$LINENO: error: cannot check for file existence when cross compiling" >&5
-+#echo "$as_me: error: cannot check for file existence when cross compiling" >&2;}
-+#   { (exit 1); exit 1; }; }
-+#if test -r ""/dev/ptmx""; then
-+#  ac_cv_file___dev_ptmx_=yes
-+#else
-+#  ac_cv_file___dev_ptmx_=no
-+#fi
-+#fi
-+#{ echo "$as_me:$LINENO: result: $ac_cv_file___dev_ptmx_" >&5
-+#echo "${ECHO_T}$ac_cv_file___dev_ptmx_" >&6; }
-+#if test $ac_cv_file___dev_ptmx_ = yes; then
-   cat >>confdefs.h <<\_ACEOF
--#define HAVE_DEV_PTMX 1
-+#define HAVE_DEV_PTMX 0
- _ACEOF
--fi
-+#fi
--{ echo "$as_me:$LINENO: checking for \"/dev/ptc\"" >&5
--echo $ECHO_N "checking for \"/dev/ptc\"... $ECHO_C" >&6; }
--if test "${ac_cv_file___dev_ptc_+set}" = set; then
--  echo $ECHO_N "(cached) $ECHO_C" >&6
--else
--  test "$cross_compiling" = yes &&
--  { { echo "$as_me:$LINENO: error: cannot check for file existence when cross compiling" >&5
--echo "$as_me: error: cannot check for file existence when cross compiling" >&2;}
--   { (exit 1); exit 1; }; }
--if test -r ""/dev/ptc""; then
--  ac_cv_file___dev_ptc_=yes
--else
--  ac_cv_file___dev_ptc_=no
--fi
--fi
--{ echo "$as_me:$LINENO: result: $ac_cv_file___dev_ptc_" >&5
--echo "${ECHO_T}$ac_cv_file___dev_ptc_" >&6; }
--if test $ac_cv_file___dev_ptc_ = yes; then
-+#{ echo "$as_me:$LINENO: checking for \"/dev/ptc\"" >&5
-+#echo $ECHO_N "checking for \"/dev/ptc\"... $ECHO_C" >&6; }
-+#if test "${ac_cv_file___dev_ptc_+set}" = set; then
-+#  echo $ECHO_N "(cached) $ECHO_C" >&6
-+#else
-+#  test "$cross_compiling" = yes &&
-+#  { { echo "$as_me:$LINENO: error: cannot check for file existence when cross compiling" >&5
-+#echo "$as_me: error: cannot check for file existence when cross compiling" >&2;}
-+#   { (exit 1); exit 1; }; }
-+#if test -r ""/dev/ptc""; then
-+#  ac_cv_file___dev_ptc_=yes
-+#else
-+#  ac_cv_file___dev_ptc_=no
-+#fi
-+#fi
-+#{ echo "$as_me:$LINENO: result: $ac_cv_file___dev_ptc_" >&5
-+#echo "${ECHO_T}$ac_cv_file___dev_ptc_" >&6; }
-+#if test $ac_cv_file___dev_ptc_ = yes; then
-   cat >>confdefs.h <<\_ACEOF
--#define HAVE_DEV_PTS_AND_PTC 1
-+#define HAVE_DEV_PTS_AND_PTC 0
- _ACEOF
--fi
-+#fi
- { echo "$as_me:$LINENO: **************************************** entropy" >&5
-@@ -24049,8 +24049,8 @@ _ACEOF
- # Add SSL includes and libraries
--CFLAGS="$CFLAGS -I$ssldir/include"
--LIBS="$LIBS -L$ssldir/lib -lssl -lcrypto"
-+CFLAGS="$CFLAGS"
-+LIBS="$LIBS -lssl -lcrypto"
- # Check for obsolete RSAref library
- { echo "$as_me:$LINENO: checking for obsolete RSAref library" >&5
---- a/configure.ac
-+++ b/configure.ac
-@@ -44,10 +44,6 @@ AC_EGREP_HEADER(socklen_t, sys/socket.h,
-     AC_MSG_RESULT([no (defined as int)])
-     AC_DEFINE(socklen_t, int))
--AC_MSG_NOTICE([**************************************** PTY device files])
--AC_CHECK_FILE("/dev/ptmx", AC_DEFINE(HAVE_DEV_PTMX))
--AC_CHECK_FILE("/dev/ptc", AC_DEFINE(HAVE_DEV_PTS_AND_PTC))
--
- AC_MSG_NOTICE([**************************************** entropy])
- AC_ARG_WITH(egd-socket,
diff --git a/net/stunnel/patches/101-no-comp.patch b/net/stunnel/patches/101-no-comp.patch
deleted file mode 100644 (file)
index 9fbe22c..0000000
+++ /dev/null
@@ -1,28 +0,0 @@
---- a/src/ssl.c
-+++ b/src/ssl.c
-@@ -72,14 +72,17 @@ int ssl_configure(void) { /* configure g
-     s_log(LOG_NOTICE, "FIPS mode %s",
-         global_options.option.fips ? "enabled" : "disabled");
- #endif /* USE_FIPS */
-+#ifndef OPENSSL_NO_COMP   
-     if(global_options.compression!=COMP_NONE && !init_compression())
-         return 0;
-+#endif
-     if(!init_prng())
-         return 0;
-     s_log(LOG_DEBUG, "PRNG seeded successfully");
-     return 1; /* SUCCESS */
- }
-+#ifndef OPENSSL_NO_COMP
- static int init_compression(void) {
-     int id=0;
-     COMP_METHOD *cm=NULL;
-@@ -111,6 +114,7 @@ static int init_compression(void) {
-     s_log(LOG_INFO, "Compression enabled using %s method", name);
-     return 1;
- }
-+#endif
- static int init_prng(void) {
-     int totbytes=0;
diff --git a/net/stunnel/patches/102-no-ssl2.patch b/net/stunnel/patches/102-no-ssl2.patch
deleted file mode 100644 (file)
index e94184b..0000000
+++ /dev/null
@@ -1,13 +0,0 @@
---- a/src/options.c
-+++ b/src/options.c
-@@ -1234,8 +1234,10 @@ static char *parse_service_option(CMD cm
-             section->client_method=(SSL_METHOD *)SSLv23_client_method();
-             section->server_method=(SSL_METHOD *)SSLv23_server_method();
-         } else if(!strcasecmp(arg, "SSLv2")) {
-+#ifndef OPENSSL_NO_SSL2
-             section->client_method=(SSL_METHOD *)SSLv2_client_method();
-             section->server_method=(SSL_METHOD *)SSLv2_server_method();
-+#endif
-         } else if(!strcasecmp(arg, "SSLv3")) {
-             section->client_method=(SSL_METHOD *)SSLv3_client_method();
-             section->server_method=(SSL_METHOD *)SSLv3_server_method();
diff --git a/net/stunnel/patches/103-no-zlib-link.patch b/net/stunnel/patches/103-no-zlib-link.patch
deleted file mode 100644 (file)
index f627c53..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-Avoid linking with zlib, which is a dependency of openssl, not ours.
---- a/configure
-+++ b/configure
-@@ -23017,7 +23017,7 @@ if test $ac_cv_lib_z_inflateEnd = yes; t
- #define HAVE_LIBZ 1
- _ACEOF
--  LIBS="-lz $LIBS"
-+#  LIBS="-lz $LIBS"
- fi
diff --git a/net/stunnel/patches/104-fix-paths.patch b/net/stunnel/patches/104-fix-paths.patch
deleted file mode 100644 (file)
index aad310b..0000000
+++ /dev/null
@@ -1,42 +0,0 @@
-## Do several path fixups, removing unneeded @prefix@s
---- a/tools/stunnel.conf-sample.in
-+++ b/tools/stunnel.conf-sample.in
-@@ -4,15 +4,15 @@
- ; please read the manual and make sure you understand them
- ; certificate/key is needed in server mode and optional in client mode
--cert = @prefix@/etc/stunnel/mail.pem
--;key = @prefix@/etc/stunnel/mail.pem
-+cert = @sysconfdir@/stunnel/stunnel.pem
-+;key = @sysconfdir@/stunnel/stunnel.pem
- ; protocol version (all, SSLv2, SSLv3, TLSv1)
- sslVersion = SSLv3
- ; security enhancements for UNIX systems - comment them out on Win32
- ; for chroot a copy of some devices and files is needed within the jail
--chroot = @prefix@/var/lib/stunnel/
-+chroot = @localstatedir@
- setuid = nobody
- setgid = @DEFAULT_GROUP@
- ; PID is created inside the chroot jail
-@@ -33,16 +33,16 @@ socket = r:TCP_NODELAY=1
- ; CApath is located inside chroot jail
- ;CApath = /certs
- ; it's often easier to use CAfile
--;CAfile = @prefix@/etc/stunnel/certs.pem
-+;CAfile = @sysconfdir@/stunnel/certs.pem
- ; don't forget to c_rehash CRLpath
- ; CRLpath is located inside chroot jail
- ;CRLpath = /crls
- ; alternatively CRLfile can be used
--;CRLfile = @prefix@/etc/stunnel/crls.pem
-+;CRLfile = @sysconfdir@/stunnel/crls.pem
- ; debugging stuff (may useful for troubleshooting)
- ;debug = 7
--;output = stunnel.log
-+;output = @localstatedir@/log/stunnel.log
- ; SSL client mode
- ;client = yes
diff --git a/net/stunnel/patches/105-stunnel-conf.patch b/net/stunnel/patches/105-stunnel-conf.patch
deleted file mode 100644 (file)
index c22e0b4..0000000
+++ /dev/null
@@ -1,54 +0,0 @@
---- a/tools/stunnel.conf-sample.in
-+++ b/tools/stunnel.conf-sample.in
-@@ -8,7 +8,7 @@ cert = @sysconfdir@/stunnel/stunnel.pem
- ;key = @sysconfdir@/stunnel/stunnel.pem
- ; protocol version (all, SSLv2, SSLv3, TLSv1)
--sslVersion = SSLv3
-+sslVersion = all
- ; security enhancements for UNIX systems - comment them out on Win32
- ; for chroot a copy of some devices and files is needed within the jail
-@@ -49,21 +49,26 @@ socket = r:TCP_NODELAY=1
- ; service-level configuration
--[pop3s]
--accept  = 995
--connect = 110
--
--[imaps]
--accept  = 993
--connect = 143
--
--[ssmtp]
--accept  = 465
--connect = 25
--
--;[https]
--;accept  = 443
--;connect = 80
--;TIMEOUTclose = 0
-+;[pop3s]
-+;accept  = 995
-+;connect = 110
-+
-+;[imaps]
-+;accept  = 993
-+;connect = 143
-+
-+;[ssmtp]
-+;accept  = 465
-+;connect = 25
-+
-+[https]
-+accept  = 443
-+connect = 80
-+TIMEOUTclose = 0
-+
-+[chilli]
-+accept  = 3443
-+connect = 3442
-+TIMEOUTclose = 0
- ; vim:ft=dosini
diff --git a/net/stunnel/patches/106-stunnel-xforwardedfor.patch b/net/stunnel/patches/106-stunnel-xforwardedfor.patch
deleted file mode 100644 (file)
index 497ff6d..0000000
+++ /dev/null
@@ -1,248 +0,0 @@
---- a/doc/stunnel.8
-+++ b/doc/stunnel.8
-@@ -504,7 +504,10 @@ time to keep an idle connection
- .IP "\fBtransparent\fR = yes | no (Unix only)" 4
- .IX Item "transparent = yes | no (Unix only)"
- transparent proxy mode
--.Sp
-+.IP "\fBxforwardedfor\fR = yes | no" 4
-+.IX Item "xforwardedfor = yes | no"
-+append an 'X-Forwarded-For:' HTTP request header providing the
-+client's IP address to the server.
- Re-write address to appear as if wrapped daemon is connecting
- from the \s-1SSL\s0 client machine instead of the machine running \fBstunnel\fR.
- .Sp
---- a/doc/stunnel.fr.8
-+++ b/doc/stunnel.fr.8
-@@ -445,6 +445,10 @@ Cette option permet de relier une adress
- Négocie avec \s-1SSL\s0 selon le protocole indiqué
- .Sp
- Actuellement gérés\ : cifs, nntp, pop3, smtp
-+.IP "\fBxforwardedfor\fR = yes | no" 4
-+.IX Item "xforwardedfor = yes | no"
-+Ajoute un en-tête 'X-Forwarded-For:' dans la requête HTTP fournissant
-+au serveur l'adresse IP du client.
- .IP "\fBpty\fR = yes | no (Unix seulement)" 4
- .IX Item "pty = yes | no (Unix seulement)"
- Alloue un pseudo-terminal pour l'option «\ exec\ »
---- a/src/client.c
-+++ b/src/client.c
-@@ -86,6 +86,12 @@ CLI *alloc_client_session(SERVICE_OPTION
-         return NULL;
-     }
-     c->opt=opt;
-+    /* some options need space to add some information */
-+    if (c->opt->option.xforwardedfor)
-+        c->buffsize = BUFFSIZE - BUFF_RESERVED;
-+    else
-+        c->buffsize = BUFFSIZE;
-+    c->crlf_seen=0;
-     c->local_rfd.fd=rfd;
-     c->local_wfd.fd=wfd;
-     return c;
-@@ -376,6 +382,29 @@ static void init_ssl(CLI *c) {
-     }
- }
-+/* Moves all data from the buffer <buffer> between positions <start> and <stop>
-+ * to insert <string> of length <len>. <start> and <stop> are updated to their
-+ * new respective values, and the number of characters inserted is returned.
-+ * If <len> is too long, nothing is done and -1 is returned.
-+ * Note that neither <string> nor <buffer> can be NULL.
-+*/
-+static int buffer_insert_with_len(char *buffer, int *start, int *stop, int limit, char *string, int len) {
-+    if (len > limit - *stop)
-+      return -1;
-+    if (*start > *stop)
-+      return -1;
-+    memmove(buffer + *start + len, buffer + *start, *stop - *start);
-+    memcpy(buffer + *start, string, len);
-+    *start += len;
-+    *stop += len;
-+    return len;
-+}
-+
-+static int buffer_insert(char *buffer, int *start, int *stop, int limit, char *string) {
-+    return buffer_insert_with_len(buffer, start, stop, limit, string, strlen(string));
-+}
-+
-+
- /****************************** some defines for transfer() */
- /* is socket/SSL open for read/write? */
- #define sock_rd (c->sock_rfd->rd)
-@@ -410,13 +439,16 @@ static void transfer(CLI *c) {
-         check_SSL_pending=0;
-         SSL_read_wants_read=
--            ssl_rd && c->ssl_ptr<BUFFSIZE && !SSL_read_wants_write;
-+            //ssl_rd && c->ssl_ptr<BUFFSIZE && !SSL_read_wants_write;
-+            ssl_rd && c->ssl_ptr<c->buffsize && !SSL_read_wants_write;
-+            
-         SSL_write_wants_write=
-             ssl_wr && c->sock_ptr && !SSL_write_wants_read;
-         /****************************** setup c->fds structure */
-         s_poll_init(&c->fds); /* initialize the structure */
--        if(sock_rd && c->sock_ptr<BUFFSIZE)
-+        //if(sock_rd && c->sock_ptr<BUFFSIZE)
-+        if(sock_rd && c->sock_ptr<c->buffsize)
-             s_poll_add(&c->fds, c->sock_rfd->fd, 1, 0);
-         if(SSL_read_wants_read ||
-                 SSL_write_wants_read ||
-@@ -515,7 +547,8 @@ static void transfer(CLI *c) {
-                 break;
-             default:
-                 memmove(c->ssl_buff, c->ssl_buff+num, c->ssl_ptr-num);
--                if(c->ssl_ptr==BUFFSIZE) /* buffer was previously full */
-+                //if(c->ssl_ptr==BUFFSIZE) /* buffer was previously full */
-+                if(c->ssl_ptr>=c->buffsize) /* buffer was previously full */
-                     check_SSL_pending=1; /* check for data buffered by SSL */
-                 c->ssl_ptr-=num;
-                 c->sock_bytes+=num;
-@@ -577,7 +610,8 @@ static void transfer(CLI *c) {
-         /****************************** read from socket */
-         if(sock_rd && sock_can_rd) {
-             num=readsocket(c->sock_rfd->fd,
--                c->sock_buff+c->sock_ptr, BUFFSIZE-c->sock_ptr);
-+                //c->sock_buff+c->sock_ptr, BUFFSIZE-c->sock_ptr);
-+                c->sock_buff+c->sock_ptr, c->buffsize-c->sock_ptr);
-             switch(num) {
-             case -1:
-                 parse_socket_error(c, "readsocket");
-@@ -597,10 +631,73 @@ static void transfer(CLI *c) {
-                 (SSL_read_wants_write && ssl_can_wr) ||
-                 (check_SSL_pending && SSL_pending(c->ssl))) {
-             SSL_read_wants_write=0;
--            num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr);
-+            //num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr);
-+            num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, c->buffsize-c->ssl_ptr);
-             switch(err=SSL_get_error(c->ssl, num)) {
-             case SSL_ERROR_NONE:
-+                //c->ssl_ptr+=num;
-+                if (c->buffsize != BUFFSIZE && c->opt->option.xforwardedfor) { /* some work left to do */
-+                    int last = c->ssl_ptr;
-+                    c->ssl_ptr += num;
-+             
-+                    /* Look for end of HTTP headers between last and ssl_ptr.
-+                     * To achieve this reliably, we have to count the number of
-+                     * successive [CR]LF and to memorize it in case it's spread
-+                     * over multiple segments. --WT.
-+                     */
-+                    while (last < c->ssl_ptr) {
-+                  if (c->ssl_buff[last] == '\n') {
-+                      if (++c->crlf_seen == 2)
-+                    break;
-+                  } else if (last < c->ssl_ptr - 1 &&
-+                             c->ssl_buff[last] == '\r' &&
-+                       c->ssl_buff[last+1] == '\n') {
-+                      if (++c->crlf_seen == 2)
-+                    break;
-+                      last++;
-+                  } else if (c->ssl_buff[last] != '\r')
-+                      /* don't refuse '\r' because we may get a '\n' on next read */
-+                      c->crlf_seen = 0;
-+                  last++;
-+                    }
-+                    if (c->crlf_seen >= 2) {
-+                  /* We have all the HTTP headers now. We don't need to
-+                   * reserve any space anymore. <ssl_ptr> points to the
-+                   * first byte of unread data, and <last> points to the
-+                   * exact location where we want to insert our headers,
-+                   * which is right before the empty line.
-+                   */
-+                  c->buffsize = BUFFSIZE;
-+             
-+                  if (c->opt->option.xforwardedfor) {
-+                      /* X-Forwarded-For: xxxx \r\n\0 */
-+                      char xforw[17 + IPLEN + 3];
-+             
-+                      /* We will insert our X-Forwarded-For: header here.
-+                       * We need to write the IP address, but if we use
-+                       * sprintf, it will pad with the terminating 0.
-+                       * So we will pass via a temporary buffer allocated
-+                       * on the stack.
-+                       */
-+                      memcpy(xforw, "X-Forwarded-For: ", 17);
-+                      if (getnameinfo(&c->peer_addr.addr[0].sa,
-+                          addr_len(c->peer_addr.addr[0]),
-+                          xforw + 17, IPLEN, NULL, 0,
-+                          NI_NUMERICHOST) == 0) {
-+                    strcat(xforw + 17, "\r\n");
-+                    buffer_insert(c->ssl_buff, &last, &c->ssl_ptr,
-+                            c->buffsize, xforw);
-+                      }
-+                      /* last still points to the \r\n and ssl_ptr to the
-+                       * end of the buffer, so we may add as many headers
-+                       * as wee need to.
-+                       */
-+                  }                   
-+                    }
-+                }
-+                else
-                 c->ssl_ptr+=num;
-+
-                 watchdog=0; /* reset watchdog */
-                 break;
-             case SSL_ERROR_WANT_WRITE:
---- a/src/common.h
-+++ b/src/common.h
-@@ -53,6 +53,9 @@
- /* I/O buffer size */
- #define BUFFSIZE 16384
-+/* maximum space reserved for header insertion in BUFFSIZE */
-+#define BUFF_RESERVED  1024
-+
- /* length of strings (including the terminating '\0' character) */
- /* it can't be lower than 256 bytes or NTLM authentication will break */
- #define STRLEN 256
---- a/src/options.c
-+++ b/src/options.c
-@@ -792,6 +792,28 @@ static char *parse_service_option(CMD cm
-     }
- #endif
-+    /* xforwardedfor */
-+    switch(cmd) {
-+    case CMD_INIT:
-+        section->option.xforwardedfor=0;
-+        break;
-+    case CMD_EXEC:
-+        if(strcasecmp(opt, "xforwardedfor"))
-+            break;
-+        if(!strcasecmp(arg, "yes"))
-+            section->option.xforwardedfor=1;
-+        else if(!strcasecmp(arg, "no"))
-+            section->option.xforwardedfor=0;
-+        else
-+            return "argument should be either 'yes' or 'no'";
-+        return NULL; /* OK */
-+    case CMD_DEFAULT:
-+        break;
-+    case CMD_HELP:
-+        s_log("%-15s = yes|no append an HTTP X-Forwarded-For header","xforwardedfor");
-+        break;
-+    }
-+
-     /* exec */
-     switch(cmd) {
-     case CMD_INIT:
---- a/src/prototypes.h
-+++ b/src/prototypes.h
-@@ -177,6 +177,7 @@ typedef struct service_options_struct {
-         unsigned int remote:1;
-         unsigned int retry:1; /* loop remote+program */
-         unsigned int sessiond:1;
-+        unsigned int xforwardedfor:1;
-         unsigned int program:1;
- #ifndef USE_WIN32
-         unsigned int pty:1;
-@@ -351,6 +352,8 @@ typedef struct {
-     FD *ssl_rfd, *ssl_wfd; /* read and write SSL descriptors */
-     int sock_bytes, ssl_bytes; /* bytes written to socket and ssl */
-     s_poll_set fds; /* file descriptors */
-+    int buffsize;  /* current buffer size, may be lower than BUFFSIZE */
-+    int crlf_seen; /* the number of successive CRLF seen */
- } CLI;
- extern int max_fds, max_clients;