Add X-Forwarded-For support via xforward useflag/patch, closes #306127

Package-Manager: portage-2.1.7.16/cvs/Linux x86_64

5 files changed, 341 insertions, 6 deletions

diff --git a/net-misc/stunnel/ChangeLog b/net-misc/stunnel/ChangeLog
index a836e8097a22..9bb42a3b4102 100644
--- a/net-misc/stunnel/ChangeLog
+++ b/net-misc/stunnel/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for net-misc/stunnel
 # Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/stunnel/ChangeLog,v 1.110 2010/03/07 21:17:13 ramereth Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/stunnel/ChangeLog,v 1.111 2010/03/07 21:36:28 ramereth Exp $
+
+*stunnel-4.29-r1 (07 Mar 2010)
+
+  07 Mar 2010; Lance Albertson <ramereth@gentoo.org>
+  +stunnel-4.29-r1.ebuild, +files/stunnel-4.29-x-forwarded-for.patch,
+  metadata.xml:
+  Add X-Forwarded-For support via xforward useflag/patch, closes #306127
 
 *stunnel-4.31 (07 Mar 2010)
 
diff --git a/net-misc/stunnel/Manifest b/net-misc/stunnel/Manifest
index b35d71202ca1..3575f54a6672 100644
--- a/net-misc/stunnel/Manifest
+++ b/net-misc/stunnel/Manifest
@@ -3,6 +3,7 @@ Hash: SHA1
 
 AUX stunnel-3.26-gentoo.diff 941 RMD160 4ca4f85a8888c7c9dbeed9d1303bae182d19195d SHA1 5517c6e3395664d76c84548ea67ffd8fddddbdcd SHA256 e2a9fab361699b01ccd004ef598bb868d5f6f37bd40d05b7a16a97cd9ecee2f2
 AUX stunnel-4.21-libwrap.patch 380 RMD160 c5ed7c06c3612bc5930ca8c77cac8bf58ec403f3 SHA1 fa1bf6674f775fa1b5934f4707c9e7eafed0d8a9 SHA256 b22f56707b96df785ebc20b48faf9761fb52cf4a362be875c60071b0d4572be1
+AUX stunnel-4.29-x-forwarded-for.patch 10800 RMD160 2760938f49a6fb8c032b8647dba2a431dfd79bc9 SHA1 aef4eec3cf321ea2fa1959502f29973bcfc429ec SHA256 227c1f7071b5930dd0d04be05b2a6f8d97227f6ac78e3513e1f813fef29f98ea
 AUX stunnel.conf 1423 RMD160 606c53b0e241e44c8aabe423ca6772dc76aa69a9 SHA1 0b18a6dea836abc3c224c367f9ebd6fa30b931f2 SHA256 be8deb0e051f594e14c898c2ec8a4a6879adcd48a56286093653346d12c3f105
 AUX stunnel.initd 1758 RMD160 96506108f0d7cbd4337aec6fb62e026abdadddd4 SHA1 2ed4a796c155cd57e5d9ebcdcabccdbceab68c35 SHA256 b79ca05f3aae99394242bd086626bc6b84d3b9803ed6ddac4131739e927f46aa
 AUX stunnel.rc6 779 RMD160 3cb0ba8b6f90484a9cec951e3eb36eef45169f6d SHA1 7de8dc829e271b3ed248e3b44afb9b537621cc02 SHA256 b2128e3bfe38485ef4afad35b57d8711666281087f3fcf920d5d313642e06dea
@@ -15,14 +16,15 @@ EBUILD stunnel-3.26.ebuild 742 RMD160 828bcad3275266e52a5036f6670e0612c90e926a S
 EBUILD stunnel-4.25.ebuild 2377 RMD160 ba0d4c2d24962f5afe8df92c350560a8cc4a4487 SHA1 1e839c2596930e41930cfb977b72b2120e5fae2e SHA256 6f7f27d4cae7ed03b28be646d6b04fe1dc9524e0b016411712f691b44128da33
 EBUILD stunnel-4.27-r1.ebuild 2228 RMD160 01f222113b61221ed88f200a97b2039f57aabbc2 SHA1 c344d069208ec0f280b1dfa7732504508801108c SHA256 8cb4eaa091f088eac01a1c6dc8e29065cc69255d7f40c8bf647c98d7a70f529f
 EBUILD stunnel-4.27-r2.ebuild 2228 RMD160 b2924fabd71e24a11f7c469f2d962f4c9b6dedaa SHA1 fbe47ba5bc5f4f146138fc5d3efea0bf06a90c74 SHA256 182c42c2aec268cf73bcc3e25ac6a2ed5f53abd36f527f4f2160ca958dfa003f
+EBUILD stunnel-4.29-r1.ebuild 2244 RMD160 17267d07cd531fadc1afdcb045b5821409a44279 SHA1 638c82bc077c7015dfb26c8b20444c9437a5b49c SHA256 e89d5d74115d52ed5b3cf734c5818ace3f096ec72595a5ff7e2d7123c321a229
 EBUILD stunnel-4.29.ebuild 2203 RMD160 e051ef3e8178fdde86fcba8259d3766556e12c28 SHA1 7413d0098fda030db976ee36031bd254689a66d2 SHA256 5d0548e27acec8d2a764a9b38671626957cc3c667a22aec203a1e79173e026fa
 EBUILD stunnel-4.31.ebuild 2167 RMD160 fcc8010a59f9ac001b2b1351a1e8dfd847ad1c90 SHA1 254f0cf5f790d34817d9227de24d1f627272be96 SHA256 3dd261a5a8dfd09b0db50f70f7127e29627bc18cdcc483e6e98b788cd0cac257
-MISC ChangeLog 15577 RMD160 6ee7bfb066b9bb15d71fe23c361c6e7ad98bf4dc SHA1 7ba0c650d48eb8bc4a818325f50d6c7df3b3b1c8 SHA256 c0fad104c587a5fddbd9388b046c444ad027cefc2e6ab0fa84b98a6fbf54f855
-MISC metadata.xml 641 RMD160 7ad264c22b9e0705cf00b7985eee8d23c3383310 SHA1 c9314118d8fbc0644eb690f56f9d8859d3f7c578 SHA256 16e547775081b652662ac7156f0b6cfb7d1b8165865416cd154047c9ea6abebb
+MISC ChangeLog 15822 RMD160 4d146e4a1bd344fc6c7bd592e71b2d211612d706 SHA1 fd2acf093f0143811edd1f17210b7f4d168ec8a5 SHA256 bc207aa69d5411daad14b183ac830a82e88f85a70f1acbffb19a644651571401
+MISC metadata.xml 730 RMD160 bbd4ce0b27247c5969c171573a18d785b4893132 SHA1 eb5a0705fbb23a0c6cbbe61d2e03e0a14b601572 SHA256 e628cf7d971c59907c106bfc88a7e0fa1d313412cc306e160af7154aa804d64f
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.11 (GNU/Linux)
 
-iD8DBQFLlBdeQW+hXSf0t0IRApkGAKDbc3HeYFsZmSOlherJPzIK86cSEgCeNuei
-aiqHRWcBr7TEz5Lj9/Q6hZM=
-=C6Nv
+iD8DBQFLlBvgQW+hXSf0t0IRAuJ4AKCnnGRmTAgJKYlAIpN3pHh7exWbSACgxAJR
+rOyRTh8+GFjL+E8XGHj50QU=
+=cqLp
 -----END PGP SIGNATURE-----
diff --git a/net-misc/stunnel/files/stunnel-4.29-x-forwarded-for.patch b/net-misc/stunnel/files/stunnel-4.29-x-forwarded-for.patch
new file mode 100644
index 000000000000..40ff2f9dc094
--- /dev/null
+++ b/net-misc/stunnel/files/stunnel-4.29-x-forwarded-for.patch
@@ -0,0 +1,248 @@
+/* Patch rediffed against 4.29 by Stefan Behte */
+diff -ur stunnel-4.29-r1/doc/stunnel.8 stunnel-4.29/doc/stunnel.8
+--- stunnel-4.29-r1/doc/stunnel.8	2010-02-23 15:37:07.000000000 +0100
++++ stunnel-4.29/doc/stunnel.8	2010-02-23 15:37:54.000000000 +0100
+@@ -497,6 +497,10 @@
+ .IP "\fBtransparent\fR = yes | no (Unix only)" 4
+ .IX Item "transparent = yes | no (Unix only)"
+ transparent proxy mode
++.IP "\fBxforwardedfor\fR = yes | no" 4
++.IX Item "xforwardedfor = yes | no"
++append an 'X-Forwarded-For:' HTTP request header providing the
++client's IP address to the server.
+ .Sp
+ Re-write address to appear as if wrapped daemon is connecting
+ from the \s-1SSL\s0 client machine instead of the machine running \fBstunnel\fR.
+diff -ur stunnel-4.29-r1/doc/stunnel.fr.8 stunnel-4.29/doc/stunnel.fr.8
+--- stunnel-4.29-r1/doc/stunnel.fr.8	2010-02-23 15:37:07.000000000 +0100
++++ stunnel-4.29/doc/stunnel.fr.8	2010-02-23 15:37:54.000000000 +0100
+@@ -445,6 +445,10 @@
+ Négocie avec \s-1SSL\s0 selon le protocole indiqué
+ .Sp
+ Actuellement gérés\ : cifs, nntp, pop3, smtp
++.IP "\fBxforwardedfor\fR = yes | no" 4
++.IX Item "xforwardedfor = yes | no"
++Ajoute un en-t�te 'X-Forwarded-For:' dans la requ�te HTTP fournissant
++au serveur l'adresse IP du client.
+ .IP "\fBpty\fR = yes | no (Unix seulement)" 4
+ .IX Item "pty = yes | no (Unix seulement)"
+ Alloue un pseudo-terminal pour l'option «\ exec\ »
+diff -ur stunnel-4.29-r1/src/client.c stunnel-4.29/src/client.c
+--- stunnel-4.29-r1/src/client.c	2010-02-23 15:37:07.000000000 +0100
++++ stunnel-4.29/src/client.c	2010-02-23 15:37:54.000000000 +0100
+@@ -90,6 +90,12 @@
+         return NULL;
+     }
+     c->opt=opt;
++    /* some options need space to add some information */
++    if (c->opt->option.xforwardedfor)
++        c->buffsize = BUFFSIZE - BUFF_RESERVED;
++    else
++        c->buffsize = BUFFSIZE;
++    c->crlf_seen=0;
+     c->local_rfd.fd=rfd;
+     c->local_wfd.fd=wfd;
+     return c;
+@@ -381,6 +387,28 @@
+         print_cipher(c);
+     }
+ }
++ 
++/* Moves all data from the buffer <buffer> between positions <start> and <stop>
++ * to insert <string> of length <len>. <start> and <stop> are updated to their
++ * new respective values, and the number of characters inserted is returned.
++ * If <len> is too long, nothing is done and -1 is returned.
++ * Note that neither <string> nor <buffer> can be NULL.
++ */
++static int buffer_insert_with_len(char *buffer, int *start, int *stop, int limit, char *string, int len) {
++    if (len > limit - *stop)
++        return -1;
++    if (*start > *stop)
++        return -1;
++    memmove(buffer + *start + len, buffer + *start, *stop - *start);
++    memcpy(buffer + *start, string, len);
++    *start += len;
++    *stop += len;
++    return len;
++}
++
++static int buffer_insert(char *buffer, int *start, int *stop, int limit, char *string) {
++    return buffer_insert_with_len(buffer, start, stop, limit, string, strlen(string));
++}
+ 
+ /****************************** some defines for transfer() */
+ /* is socket/SSL open for read/write? */
+@@ -416,13 +444,13 @@
+         check_SSL_pending=0;
+ 
+         SSL_read_wants_read=
+-            ssl_rd && c->ssl_ptr<BUFFSIZE && !SSL_read_wants_write;
++            ssl_rd && c->ssl_ptr<c->buffsize && !SSL_read_wants_write;
+         SSL_write_wants_write=
+             ssl_wr && c->sock_ptr && !SSL_write_wants_read;
+ 
+         /****************************** setup c->fds structure */
+         s_poll_init(&c->fds); /* initialize the structure */
+-        if(sock_rd && c->sock_ptr<BUFFSIZE)
++        if(sock_rd && c->sock_ptr<c->buffsize)
+             s_poll_add(&c->fds, c->sock_rfd->fd, 1, 0);
+         if(SSL_read_wants_read ||
+                 SSL_write_wants_read ||
+@@ -521,7 +549,7 @@
+                 break;
+             default:
+                 memmove(c->ssl_buff, c->ssl_buff+num, c->ssl_ptr-num);
+-                if(c->ssl_ptr==BUFFSIZE) /* buffer was previously full */
++                if(c->ssl_ptr>=c->buffsize) /* buffer was previously full */
+                     check_SSL_pending=1; /* check for data buffered by SSL */
+                 c->ssl_ptr-=num;
+                 c->sock_bytes+=num;
+@@ -581,7 +609,7 @@
+         /****************************** read from socket */
+         if(sock_rd && sock_can_rd) {
+             num=readsocket(c->sock_rfd->fd,
+-                c->sock_buff+c->sock_ptr, BUFFSIZE-c->sock_ptr);
++                c->sock_buff+c->sock_ptr, c->buffsize-c->sock_ptr);
+             switch(num) {
+             case -1:
+                 parse_socket_error(c, "readsocket");
+@@ -601,10 +629,71 @@
+                 (SSL_read_wants_write && ssl_can_wr) ||
+                 (check_SSL_pending && SSL_pending(c->ssl))) {
+             SSL_read_wants_write=0;
+-            num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr);
++            num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, c->buffsize-c->ssl_ptr);
+             switch(err=SSL_get_error(c->ssl, num)) {
+             case SSL_ERROR_NONE:
+-                c->ssl_ptr+=num;
++                if (c->buffsize != BUFFSIZE && c->opt->option.xforwardedfor) { /* some work left to do */
++                    int last = c->ssl_ptr;
++                    c->ssl_ptr += num;
++
++                    /* Look for end of HTTP headers between last and ssl_ptr.
++                    * To achieve this reliably, we have to count the number of
++                    * successive [CR]LF and to memorize it in case it's spread
++                    * over multiple segments. --WT.
++                    */
++                    while (last < c->ssl_ptr) {
++                        if (c->ssl_buff[last] == '\n') {
++                            if (++c->crlf_seen == 2)
++                                break;
++                        } else if (last < c->ssl_ptr - 1 &&
++                                    c->ssl_buff[last] == '\r' &&
++                                    c->ssl_buff[last+1] == '\n') {
++                            if (++c->crlf_seen == 2)
++                                break;
++                            last++;
++                        } else if (c->ssl_buff[last] != '\r')
++                            /* don't refuse '\r' because we may get a '\n' on next read */
++                            c->crlf_seen = 0;
++                        last++;
++                    }
++                    if (c->crlf_seen >= 2) {
++                        /* We have all the HTTP headers now. We don't need to
++                        * reserve any space anymore. <ssl_ptr> points to the
++                        * first byte of unread data, and <last> points to the
++                        * exact location where we want to insert our headers,
++                        * which is right before the empty line.
++                        */
++                        c->buffsize = BUFFSIZE;
++
++                        if (c->opt->option.xforwardedfor) {
++                            /* X-Forwarded-For: xxxx \r\n\0 */
++                            char xforw[17 + IPLEN + 3];
++
++                            /* We will insert our X-Forwarded-For: header here.
++                            * We need to write the IP address, but if we use
++                            * sprintf, it will pad with the terminating 0.
++                            * So we will pass via a temporary buffer allocated
++                            * on the stack.
++                            */
++                            memcpy(xforw, "X-Forwarded-For: ", 17);
++                            if (getnameinfo(&c->peer_addr.addr[0].sa,
++                                    addr_len(c->peer_addr.addr[0]),
++                                    xforw + 17, IPLEN, NULL, 0,
++                                    NI_NUMERICHOST) == 0) {
++                                strcat(xforw + 17, "\r\n");
++                                buffer_insert(c->ssl_buff, &last, &c->ssl_ptr,
++                                            c->buffsize, xforw);
++                            }
++                            /* last still points to the \r\n and ssl_ptr to the
++                            * end of the buffer, so we may add as many headers
++                            * as wee need to.
++                            */
++                        }
++                    }
++                }
++                else
++                   c->ssl_ptr+=num;
++
+                 watchdog=0; /* reset watchdog */
+                 break;
+             case SSL_ERROR_WANT_WRITE:
+diff -ur stunnel-4.29-r1/src/common.h stunnel-4.29/src/common.h
+--- stunnel-4.29-r1/src/common.h	2010-02-23 15:37:07.000000000 +0100
++++ stunnel-4.29/src/common.h	2010-02-23 15:37:54.000000000 +0100
+@@ -53,6 +53,9 @@
+ /* I/O buffer size */
+ #define BUFFSIZE 16384
+ 
++/* maximum space reserved for header insertion in BUFFSIZE */
++#define BUFF_RESERVED 1024
++
+ /* Length of strings (including the terminating '\0' character) */
+ /* It can't be lower than 256 bytes or NTLM authentication will break */
+ #define STRLEN 256
+diff -ur stunnel-4.29-r1/src/options.c stunnel-4.29/src/options.c
+--- stunnel-4.29-r1/src/options.c	2010-02-23 15:37:07.000000000 +0100
++++ stunnel-4.29/src/options.c	2010-02-23 15:37:54.000000000 +0100
+@@ -781,6 +781,29 @@
+     }
+ #endif
+ 
++    /* xforwardedfor */
++    switch(cmd) {
++    case CMD_INIT:
++        section->option.xforwardedfor=0;
++        break;
++    case CMD_EXEC:
++        if(strcasecmp(opt, "xforwardedfor"))
++            break;
++        if(!strcasecmp(arg, "yes"))
++            section->option.xforwardedfor=1;
++        else if(!strcasecmp(arg, "no"))
++            section->option.xforwardedfor=0;
++        else
++            return "argument should be either 'yes' or 'no'";
++        return NULL; /* OK */
++    case CMD_DEFAULT:
++        break;
++    case CMD_HELP:
++        s_log(LOG_RAW, "%-15s = yes|no append an HTTP X-Forwarded-For header",
++            "xforwardedfor");
++        break;
++    }
++
+     /* exec */
+ #ifndef USE_WIN32
+     switch(cmd) {
+diff -ur stunnel-4.29-r1/src/prototypes.h stunnel-4.29/src/prototypes.h
+--- stunnel-4.29-r1/src/prototypes.h	2010-02-23 15:37:07.000000000 +0100
++++ stunnel-4.29/src/prototypes.h	2010-02-23 15:37:54.000000000 +0100
+@@ -227,6 +227,7 @@
+         unsigned int cert:1;
+         unsigned int client:1;
+         unsigned int delayed_lookup:1;
++        unsigned int xforwardedfor:1;
+         unsigned int accept:1;
+         unsigned int remote:1;
+         unsigned int retry:1; /* loop remote+program */
+@@ -334,6 +335,8 @@
+     FD *ssl_rfd, *ssl_wfd; /* Read and write SSL descriptors */
+     int sock_bytes, ssl_bytes; /* Bytes written to socket and ssl */
+     s_poll_set fds; /* File descriptors */
++    int buffsize;  /* current buffer size, may be lower than BUFFSIZE */
++    int crlf_seen; /* the number of successive CRLF seen */
+ } CLI;
+ 
+ extern int max_clients;
diff --git a/net-misc/stunnel/metadata.xml b/net-misc/stunnel/metadata.xml
index 9cb8a52aae3c..18e0ef850fd0 100644
--- a/net-misc/stunnel/metadata.xml
+++ b/net-misc/stunnel/metadata.xml
@@ -13,4 +13,7 @@
 		protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the
 		encryption, requiring no changes to the daemon's code.
 	</longdescription>
+	<use>
+		<flag name="xforward">Enable X-Forwarded-For support for Stunnel</flag>
+	</use>
 </pkgmetadata>
diff --git a/net-misc/stunnel/stunnel-4.29-r1.ebuild b/net-misc/stunnel/stunnel-4.29-r1.ebuild
new file mode 100644
index 000000000000..843a72cbe0c1
--- /dev/null
+++ b/net-misc/stunnel/stunnel-4.29-r1.ebuild
@@ -0,0 +1,75 @@
+# Copyright 1999-2010 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/stunnel/stunnel-4.29-r1.ebuild,v 1.1 2010/03/07 21:36:28 ramereth Exp $
+
+EAPI="2"
+
+inherit autotools ssl-cert eutils
+
+DESCRIPTION="TLS/SSL - Port Wrapper"
+HOMEPAGE="http://stunnel.mirt.net/"
+SRC_URI="http://www.stunnel.org/download/stunnel/src/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~s390 ~sparc ~x86"
+IUSE="ipv6 selinux tcpd xforward"
+
+DEPEND="tcpd? ( sys-apps/tcp-wrappers )
+	>=dev-libs/openssl-0.9.8k"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-stunnel )"
+
+pkg_setup() {
+	enewgroup stunnel
+	enewuser stunnel -1 -1 -1 stunnel
+}
+
+src_prepare() {
+	epatch "${FILESDIR}/${PN}-4.21-libwrap.patch"
+	use xforward && epatch "${FILESDIR}/${P}-x-forwarded-for.patch"
+	eautoreconf
+
+	# Hack away generation of certificate
+	sed -i -e "s/^install-data-local:/do-not-run-this:/" \
+		tools/Makefile.in || die "sed failed"
+}
+
+src_configure() {
+	econf $(use_enable ipv6) \
+		$(use_enable tcpd libwrap) || die "econf died"
+}
+
+src_install() {
+	emake DESTDIR="${D}" install || die "emake install failed"
+	rm -rf "${D}"/usr/share/doc/${PN}
+	rm -f "${D}"/etc/stunnel/stunnel.conf-sample "${D}"/usr/bin/stunnel3 \
+		"${D}"/usr/share/man/man8/stunnel.{fr,pl}.8
+
+	# The binary was moved to /usr/bin with 4.21,
+	# symlink for backwards compatibility
+	dosym ../bin/stunnel /usr/sbin/stunnel
+
+	dodoc AUTHORS BUGS CREDITS PORTS README TODO ChangeLog
+	dohtml doc/stunnel.html doc/en/VNC_StunnelHOWTO.html tools/ca.html \
+		tools/importCA.html
+
+	insinto /etc/stunnel
+	doins "${FILESDIR}"/stunnel.conf
+	newinitd "${FILESDIR}"/stunnel.initd stunnel
+
+	keepdir /var/run/stunnel
+	fowners stunnel:stunnel /var/run/stunnel
+}
+
+pkg_postinst() {
+	if [ ! -f "${ROOT}"/etc/stunnel/stunnel.key ]; then
+		install_cert /etc/stunnel/stunnel
+		chown stunnel:stunnel "${ROOT}"/etc/stunnel/stunnel.{crt,csr,key,pem}
+		chmod 0640 "${ROOT}"/etc/stunnel/stunnel.{crt,csr,key,pem}
+	fi
+
+	einfo "If you want to run multiple instances of stunnel, create a new config"
+	einfo "file ending with .conf in /etc/stunnel/. **Make sure** you change "
+	einfo "\'pid= \' with a unique filename."
+}