1 |
vip-ire |
1.1 |
diff -u stunnel-3.22/client.c stunnel-3.22-sg/client.c |
2 |
|
|
--- stunnel-3.22/client.c Sun Dec 23 14:41:32 2001 |
3 |
|
|
+++ stunnel-3.22-sg/client.c Wed May 29 02:51:34 2002 |
4 |
|
|
@@ -220,7 +220,9 @@ |
5 |
|
|
else |
6 |
|
|
c->ip=0; |
7 |
|
|
/* Setup c->remote_fd, now */ |
8 |
|
|
- if(options.option&OPT_REMOTE) |
9 |
|
|
+ if (options.option&OPT_FDS) |
10 |
|
|
+ fd=options.use_fd; |
11 |
|
|
+ else if(options.option&OPT_REMOTE) |
12 |
|
|
fd=connect_remote(c); |
13 |
|
|
else /* NOT in remote mode */ |
14 |
|
|
fd=connect_local(c); |
15 |
|
|
@@ -845,9 +847,9 @@ |
16 |
|
|
|
17 |
|
|
int fdprintf(int fd, char *format, ...) { |
18 |
|
|
va_list arglist; |
19 |
|
|
- char line[STRLEN], logline[STRLEN]; |
20 |
|
|
+ char line[STRLEN]; |
21 |
|
|
+ int len; |
22 |
|
|
char crlf[]="\r\n"; |
23 |
|
|
- int len, ptr, written, towrite; |
24 |
|
|
|
25 |
|
|
va_start(arglist, format); |
26 |
|
|
#ifdef HAVE_VSNPRINTF |
27 |
|
|
@@ -858,58 +860,87 @@ |
28 |
|
|
va_end(arglist); |
29 |
|
|
safeconcat(line, crlf); |
30 |
|
|
len+=2; |
31 |
|
|
- for(ptr=0, towrite=len; towrite>0; ptr+=written, towrite-=written) { |
32 |
|
|
- switch(waitforsocket(fd, 1 /* write */)) { |
33 |
|
|
- case -1: /* Error */ |
34 |
|
|
- sockerror("select"); |
35 |
|
|
- return -1; |
36 |
|
|
- case 0: /* Timeout */ |
37 |
|
|
- log(LOG_ERR, "Select timeout (fdprintf)"); |
38 |
|
|
- return -1; |
39 |
|
|
- } |
40 |
|
|
- written=writesocket(fd, line+ptr, towrite); |
41 |
|
|
- if(written<0) { |
42 |
|
|
- sockerror("writesocket (fdprintf)"); |
43 |
|
|
- return -1; |
44 |
|
|
- } |
45 |
|
|
- } |
46 |
|
|
- safecopy(logline, line); |
47 |
|
|
- safestring(logline); |
48 |
|
|
- log(LOG_DEBUG, " -> %s", logline); |
49 |
|
|
- return len; |
50 |
|
|
+ if (fdwrite(fd,line,len) < 0) |
51 |
|
|
+ return -1; |
52 |
|
|
+ else |
53 |
|
|
+ return len; |
54 |
|
|
} |
55 |
|
|
|
56 |
|
|
-int fdscanf(int fd, char *format, char *buffer) { |
57 |
|
|
- char line[STRLEN], logline[STRLEN]; |
58 |
|
|
+int fdputs(int fd, char *line) { |
59 |
|
|
+ char crlf[]="\r\n"; |
60 |
|
|
+ |
61 |
|
|
+ if (fdwrite(fd, line, strlen(line)) < 0) |
62 |
|
|
+ return -1; |
63 |
|
|
+ return fdwrite(fd,crlf,strlen(crlf)); |
64 |
|
|
+} |
65 |
|
|
+ |
66 |
|
|
+int fdwrite(int fd, char *buffer, int len) { |
67 |
|
|
+ char logline[STRLEN]; |
68 |
|
|
+ int ptr, written, towrite; |
69 |
|
|
+ |
70 |
|
|
+ for(ptr=0, towrite=len; towrite>0; ptr+=written, towrite-=written) { |
71 |
|
|
+ switch(waitforsocket(fd, 1 /* write */)) { |
72 |
|
|
+ case -1: /* Error */ |
73 |
|
|
+ sockerror("select"); |
74 |
|
|
+ return -1; |
75 |
|
|
+ case 0: /* Timeout */ |
76 |
|
|
+ log(LOG_ERR, "Select timeout (fdwrite)"); |
77 |
|
|
+ return -1; |
78 |
|
|
+ } |
79 |
|
|
+ |
80 |
|
|
+ written=writesocket(fd, buffer+ptr, towrite); |
81 |
|
|
+ if(written<0) { |
82 |
|
|
+ sockerror("writesocket (fdwrite)"); |
83 |
|
|
+ return -1; |
84 |
|
|
+ } |
85 |
|
|
+ } |
86 |
|
|
+ safecopy(logline, buffer); |
87 |
|
|
+ safestring(logline); |
88 |
|
|
+ log(LOG_DEBUG, " -> %s", logline); |
89 |
|
|
+ return 0; |
90 |
|
|
+} |
91 |
|
|
+ |
92 |
|
|
+int fdgets(int fd, char *buffer) { |
93 |
|
|
+ char logline[STRLEN]; |
94 |
|
|
int ptr; |
95 |
|
|
|
96 |
|
|
- for(ptr=0; ptr<STRLEN-1; ptr++) { |
97 |
|
|
+ for(ptr=0; ptr<STRLEN-1;) { |
98 |
|
|
switch(waitforsocket(fd, 0 /* read */)) { |
99 |
|
|
case -1: /* Error */ |
100 |
|
|
sockerror("select"); |
101 |
|
|
return -1; |
102 |
|
|
case 0: /* Timeout */ |
103 |
|
|
- log(LOG_ERR, "Select timeout (fdscanf)"); |
104 |
|
|
+ log(LOG_ERR, "Select timeout (fdgets)"); |
105 |
|
|
return -1; |
106 |
|
|
} |
107 |
|
|
- switch(readsocket(fd, line+ptr, 1)) { |
108 |
|
|
+ switch(readsocket(fd, buffer+ptr, 1)) { |
109 |
|
|
case -1: /* error */ |
110 |
|
|
- sockerror("readsocket (fdscanf)"); |
111 |
|
|
+ sockerror("readsocket (fdgets)"); |
112 |
|
|
return -1; |
113 |
|
|
case 0: /* EOF */ |
114 |
|
|
- log(LOG_ERR, "Unexpected socket close (fdscanf)"); |
115 |
|
|
+ log(LOG_ERR, "Unexpected socket close (fdgets)"); |
116 |
|
|
return -1; |
117 |
|
|
} |
118 |
|
|
- if(line[ptr]=='\r') |
119 |
|
|
+ if(buffer[ptr]=='\r') |
120 |
|
|
continue; |
121 |
|
|
- if(line[ptr]=='\n') |
122 |
|
|
+ if(buffer[ptr]=='\n') |
123 |
|
|
break; |
124 |
|
|
+ ptr++; |
125 |
|
|
} |
126 |
|
|
- line[ptr]='\0'; |
127 |
|
|
- safecopy(logline, line); |
128 |
|
|
+ buffer[ptr]='\0'; |
129 |
|
|
+ safecopy(logline, buffer); |
130 |
|
|
safestring(logline); |
131 |
|
|
log(LOG_DEBUG, " <- %s", logline); |
132 |
|
|
- return sscanf(line, format, buffer); |
133 |
|
|
+ return 0; |
134 |
|
|
+} |
135 |
|
|
+ |
136 |
|
|
+int fdscanf(int fd, char *format, char *buffer) { |
137 |
|
|
+ char line[STRLEN]; |
138 |
|
|
+ |
139 |
|
|
+ if (fdgets(fd, line) < 0) |
140 |
|
|
+ return -1; |
141 |
|
|
+ |
142 |
|
|
+ return sscanf(line, format, buffer); |
143 |
|
|
} |
144 |
|
|
|
145 |
|
|
static int waitforsocket(int fd, int dir) { |
146 |
|
|
diff -u stunnel-3.22/options.c stunnel-3.22-sg/options.c |
147 |
|
|
--- stunnel-3.22/options.c Sun Dec 23 15:08:51 2001 |
148 |
|
|
+++ stunnel-3.22-sg/options.c Wed May 15 03:55:41 2002 |
149 |
|
|
@@ -84,8 +84,13 @@ |
150 |
|
|
options.random_bytes=RANDOM_BYTES; |
151 |
|
|
options.output_file=NULL; |
152 |
|
|
options.local_ip=NULL; |
153 |
|
|
+ options.chroot_dir=NULL; |
154 |
|
|
opterr=0; |
155 |
|
|
- while ((c = getopt(argc, argv, "A:a:cp:v:d:fTl:L:r:s:g:t:u:n:N:hC:D:O:E:R:WB:VP:S:o:I:")) != EOF) |
156 |
|
|
+ while ((c = getopt(argc, argv, "A:a:cp:v:d:fTl:L:r:s:g:t:u:n:N:hC:D:O:E:R:WB:VP:S:o:I:" |
157 |
|
|
+ "F:" |
158 |
|
|
+ "/:" |
159 |
|
|
+ "i" |
160 |
|
|
+ )) != EOF) |
161 |
|
|
switch (c) { |
162 |
|
|
case 'A': |
163 |
|
|
safecopy(options.cert_file,optarg); |
164 |
|
|
@@ -140,6 +145,16 @@ |
165 |
|
|
case 'f': |
166 |
|
|
options.option|=OPT_FOREGROUND; |
167 |
|
|
break; |
168 |
|
|
+ case 'F': |
169 |
|
|
+ options.option|=OPT_FDS; |
170 |
|
|
+ options.use_fd=atoi(optarg); |
171 |
|
|
+ break; |
172 |
|
|
+ case 'i': |
173 |
|
|
+ options.option|=OPT_SUID_FIRST; |
174 |
|
|
+ break; |
175 |
|
|
+ case '/': |
176 |
|
|
+ options.chroot_dir=optarg; |
177 |
|
|
+ break; |
178 |
|
|
case 'T': |
179 |
|
|
options.option|=OPT_TRANSPARENT; |
180 |
|
|
break; |
181 |
|
|
@@ -257,8 +272,8 @@ |
182 |
|
|
print_info(); |
183 |
|
|
} |
184 |
|
|
#endif |
185 |
|
|
- if(!(options.option&(OPT_REMOTE|OPT_PROGRAM))) { |
186 |
|
|
- log(LOG_ERR, "Either -r, -l (or -L) option must be used"); |
187 |
|
|
+ if(!(options.option&(OPT_REMOTE|OPT_PROGRAM|OPT_FDS))) { |
188 |
|
|
+ log(LOG_ERR, "Either -r, -l (or -L), or -F option must be used"); |
189 |
|
|
print_info(); |
190 |
|
|
} |
191 |
|
|
if((options.option&OPT_REMOTE) && (options.option&OPT_PROGRAM) |
192 |
|
|
@@ -331,9 +346,12 @@ |
193 |
|
|
"[-S sources] " |
194 |
|
|
"[-t timeout] " |
195 |
|
|
"\n\t" |
196 |
|
|
- "[-u ident_username] " |
197 |
|
|
"[-s setuid_user] " |
198 |
|
|
"[-g setgid_group] " |
199 |
|
|
+ "[-i] " |
200 |
|
|
+ "[-/ chroot-dir] " |
201 |
|
|
+ "\n\t" |
202 |
|
|
+ "[-u ident_username] " |
203 |
|
|
"[-n protocol]" |
204 |
|
|
"\n\t" |
205 |
|
|
"[-R randfile] " |
206 |
|
|
@@ -345,7 +363,7 @@ |
207 |
|
|
#ifndef USE_WIN32 |
208 |
|
|
"[-P { dir/ | filename | none } ] " |
209 |
|
|
"\n\t[-d [host:]port [-f] ] " |
210 |
|
|
- "\n\t[-r [host:]port | { -l | -L } program [-- args] ] " |
211 |
|
|
+ "\n\t[-r [host:]port | { -l | -L } program [-- args] | -F fd-num ] " |
212 |
|
|
#else |
213 |
|
|
"\n\t-d [host:]port -r [host:]port" |
214 |
|
|
#endif |
215 |
|
|
@@ -360,6 +378,7 @@ |
216 |
|
|
#ifndef USE_WIN32 |
217 |
|
|
"\n -l program\texecute local inetd-type program" |
218 |
|
|
"\n -L program\topen local pty and execute program" |
219 |
|
|
+ "\n -F fd-num\tuse the already-open socket on file descriptor fd-num" |
220 |
|
|
#endif |
221 |
|
|
"\n" |
222 |
|
|
"\n -c\t\tclient mode (remote service uses SSL)" |
223 |
|
|
@@ -388,6 +407,8 @@ |
224 |
|
|
#ifndef USE_WIN32 |
225 |
|
|
"\n -s username\tsetuid() to username in daemon mode" |
226 |
|
|
"\n -g groupname\tsetgid() to groupname in daemon mode" |
227 |
|
|
+ "\n -i\t\tsetuid() and/or setgid() immediately" |
228 |
|
|
+ "\n -/ chroot-dir\tchroot() to chroot-dir immediately after starting" |
229 |
|
|
"\n -P arg\tspecify pid file { dir/ | filename | none }" |
230 |
|
|
#endif |
231 |
|
|
"\n -C list\tset permitted SSL ciphers" |
232 |
|
|
diff -u stunnel-3.22/protocol.c stunnel-3.22-sg/protocol.c |
233 |
|
|
--- stunnel-3.22/protocol.c Thu Dec 20 02:52:37 2001 |
234 |
|
|
+++ stunnel-3.22-sg/protocol.c Wed May 29 03:33:35 2002 |
235 |
|
|
@@ -36,9 +36,11 @@ |
236 |
|
|
static int smb_client(CLI *); |
237 |
|
|
static int smb_server(CLI *); |
238 |
|
|
static int smtp_client(CLI *); |
239 |
|
|
-static int smtp_server(CLI *); |
240 |
|
|
+static int smtp_server(CLI *, int allow_downgrade); |
241 |
|
|
static int pop3_client(CLI *); |
242 |
|
|
-static int pop3_server(CLI *); |
243 |
|
|
+static int pop3_server(CLI *, int allow_downgrade); |
244 |
|
|
+static int imap_client(CLI *); |
245 |
|
|
+static int imap_server(CLI *, int allow_downgrade); |
246 |
|
|
static int nntp_client(CLI *); |
247 |
|
|
static int nntp_server(CLI *); |
248 |
|
|
static int telnet_client(CLI *); |
249 |
|
|
@@ -58,17 +60,35 @@ |
250 |
|
|
else |
251 |
|
|
return smb_server(c); |
252 |
|
|
} |
253 |
|
|
- if(!strcmp(protocol, "smtp")) { |
254 |
|
|
+ if(!strncmp(protocol, "smtp",4)) { |
255 |
|
|
if(client) |
256 |
|
|
return smtp_client(c); |
257 |
|
|
- else |
258 |
|
|
- return smtp_server(c); |
259 |
|
|
+ else { |
260 |
|
|
+ if (protocol[4] == '-') |
261 |
|
|
+ return smtp_server(c,1); |
262 |
|
|
+ else if (protocol[4] == '\0') |
263 |
|
|
+ return smtp_server(c,0); |
264 |
|
|
+ } |
265 |
|
|
} |
266 |
|
|
- if(!strcmp(protocol, "pop3")) { |
267 |
|
|
+ if(!strncmp(protocol, "pop3",4)) { |
268 |
|
|
if(client) |
269 |
|
|
return pop3_client(c); |
270 |
|
|
- else |
271 |
|
|
- return pop3_server(c); |
272 |
|
|
+ else { |
273 |
|
|
+ if (protocol[4] == '-') |
274 |
|
|
+ return pop3_server(c,1); |
275 |
|
|
+ else if (protocol[4] == '\0') |
276 |
|
|
+ return pop3_server(c,0); |
277 |
|
|
+ } |
278 |
|
|
+ } |
279 |
|
|
+ if(!strncmp(protocol, "imap",4)) { |
280 |
|
|
+ if(client) |
281 |
|
|
+ return imap_client(c); |
282 |
|
|
+ else { |
283 |
|
|
+ if (protocol[4] == '-') |
284 |
|
|
+ return imap_server(c,1); |
285 |
|
|
+ else if (protocol[4] == '\0') |
286 |
|
|
+ return imap_server(c,0); |
287 |
|
|
+ } |
288 |
|
|
} |
289 |
|
|
if(!strcmp(protocol, "nntp")) { |
290 |
|
|
if(client) |
291 |
|
|
@@ -131,33 +151,181 @@ |
292 |
|
|
return 0; |
293 |
|
|
} |
294 |
|
|
|
295 |
|
|
-static int smtp_server(CLI *c) { |
296 |
|
|
+#define PP_BUFSIZE 8192 |
297 |
|
|
+static int plaintext_proxy(CLI *c) |
298 |
|
|
+{ |
299 |
|
|
+ fd_set rd_set, wr_set; |
300 |
|
|
+ char rbuf[PP_BUFSIZE]; |
301 |
|
|
+ int rbufend,rdone; |
302 |
|
|
+ char lbuf[PP_BUFSIZE]; |
303 |
|
|
+ int lbufend,ldone; |
304 |
|
|
+ struct timeval tv; |
305 |
|
|
+ int ready; |
306 |
|
|
+ int fdmax; |
307 |
|
|
+ int howmuch, sofar; |
308 |
|
|
+ |
309 |
|
|
+ fdmax = c->remote_fd; |
310 |
|
|
+ if (c->local_wfd > fdmax) |
311 |
|
|
+ fdmax = c->local_wfd; |
312 |
|
|
+ if (c->local_rfd > fdmax) |
313 |
|
|
+ fdmax = c->local_rfd; |
314 |
|
|
+ fdmax++; |
315 |
|
|
+ |
316 |
|
|
+ lbufend = rbufend = 0; |
317 |
|
|
+ rdone = ldone = 0; |
318 |
|
|
+ |
319 |
|
|
+ tv.tv_sec = 86400; |
320 |
|
|
+ tv.tv_usec = 0; |
321 |
|
|
+ while( !( (rdone || ldone) && (!rbufend && !lbufend) ) ) { |
322 |
|
|
+ log(LOG_DEBUG,"rdone=%d, ldone=%d, rbufend=%d, lbufend=%d",rdone,ldone,rbufend,lbufend); |
323 |
|
|
+ FD_ZERO(&rd_set); |
324 |
|
|
+ FD_ZERO(&wr_set); |
325 |
|
|
+ if (rbufend) |
326 |
|
|
+ FD_SET((c->local_wfd),&wr_set); |
327 |
|
|
+ else if (!rdone) |
328 |
|
|
+ FD_SET(c->remote_fd,&rd_set); |
329 |
|
|
+ |
330 |
|
|
+ if (lbufend) |
331 |
|
|
+ FD_SET(c->remote_fd,&wr_set); |
332 |
|
|
+ else if (!ldone) |
333 |
|
|
+ FD_SET(c->local_rfd,&rd_set); |
334 |
|
|
+ |
335 |
|
|
+ do { /* Skip "Interrupted system call" errors */ |
336 |
|
|
+ ready=select(fdmax, &rd_set, &wr_set, NULL, &tv); |
337 |
|
|
+ } while(ready<0 && get_last_socket_error()==EINTR); |
338 |
|
|
+ |
339 |
|
|
+ if(ready<0) { /* Break the connection for others */ |
340 |
|
|
+ sockerror("select"); |
341 |
|
|
+ c->error=1; |
342 |
|
|
+ return 1; |
343 |
|
|
+ } |
344 |
|
|
+ if(!ready) { /* Timeout */ |
345 |
|
|
+ log(LOG_DEBUG, "select timeout - connection reset"); |
346 |
|
|
+ c->error=1; |
347 |
|
|
+ return 1; |
348 |
|
|
+ } |
349 |
|
|
+ |
350 |
|
|
+ if (lbufend > 0) { |
351 |
|
|
+ if (FD_ISSET(c->remote_fd,&wr_set)) |
352 |
|
|
+ { |
353 |
|
|
+ sofar = 0; |
354 |
|
|
+ while (sofar < lbufend) { |
355 |
|
|
+ if ((howmuch=write(c->remote_fd,lbuf+sofar,lbufend-sofar)) < 0) { |
356 |
|
|
+ sockerror("write"); |
357 |
|
|
+ c->error=1; |
358 |
|
|
+ return 1; |
359 |
|
|
+ } |
360 |
|
|
+ sofar += howmuch; |
361 |
|
|
+ } |
362 |
|
|
+ lbufend = 0; |
363 |
|
|
+ } |
364 |
|
|
+ } else { |
365 |
|
|
+ if (FD_ISSET(c->local_rfd,&rd_set)) { |
366 |
|
|
+ if ( (lbufend = read(c->local_rfd,lbuf,PP_BUFSIZE)) < 0) { |
367 |
|
|
+ sockerror("read"); |
368 |
|
|
+ c->error = 1; |
369 |
|
|
+ return 1; |
370 |
|
|
+ } |
371 |
|
|
+ if (lbufend == 0) /* EOF */ |
372 |
|
|
+ { |
373 |
|
|
+ log(LOG_DEBUG,"EOF reading from local"); |
374 |
|
|
+ ldone=1; |
375 |
|
|
+ } |
376 |
|
|
+ } |
377 |
|
|
+ } |
378 |
|
|
+ |
379 |
|
|
+ if (rbufend > 0) { |
380 |
|
|
+ if (FD_ISSET(c->local_wfd, &wr_set)) { |
381 |
|
|
+ sofar = 0; |
382 |
|
|
+ while (sofar < rbufend) { |
383 |
|
|
+ if ( (howmuch = write(c->local_wfd, rbuf + sofar, rbufend - sofar)) < 0) { |
384 |
|
|
+ sockerror("write"); |
385 |
|
|
+ c->error=1; |
386 |
|
|
+ return 1; |
387 |
|
|
+ } |
388 |
|
|
+ sofar += howmuch; |
389 |
|
|
+ } |
390 |
|
|
+ rbufend = 0; |
391 |
|
|
+ } |
392 |
|
|
+ } else { |
393 |
|
|
+ if (FD_ISSET(c->remote_fd,&rd_set)) { |
394 |
|
|
+ if ( (rbufend = read(c->remote_fd,rbuf,PP_BUFSIZE)) < 0) { |
395 |
|
|
+ sockerror("read"); |
396 |
|
|
+ c->error = 1; |
397 |
|
|
+ return 1; |
398 |
|
|
+ } |
399 |
|
|
+ if (rbufend == 0) /* EOF */ { |
400 |
|
|
+ log(LOG_DEBUG,"EOF reading from remote"); |
401 |
|
|
+ rdone=1; |
402 |
|
|
+ } |
403 |
|
|
+ } |
404 |
|
|
+ } |
405 |
|
|
+ } |
406 |
|
|
+ |
407 |
|
|
+ log(LOG_DEBUG, "plaintext_proxy finished normally."); |
408 |
|
|
+ return 0; |
409 |
|
|
+} |
410 |
|
|
+ |
411 |
|
|
+static int smtp_server(CLI *c, int allow_downgrade) { |
412 |
|
|
char line[STRLEN]; |
413 |
|
|
+ int read_ret; |
414 |
|
|
|
415 |
|
|
if(RFC2487(c->local_rfd)==0) |
416 |
|
|
return 0; /* Return if RFC 2487 is not used */ |
417 |
|
|
|
418 |
|
|
- if(fdscanf(c->remote_fd, "220%[^\n]", line)!=1) { |
419 |
|
|
+ if(fdscanf(c->remote_fd, "220%[^\r\n]", line)!=1) { |
420 |
|
|
log(LOG_ERR, "Unknown server welcome"); |
421 |
|
|
return -1; |
422 |
|
|
} |
423 |
|
|
if(fdprintf(c->local_wfd, "220%s + stunnel", line)<0) |
424 |
|
|
return -1; |
425 |
|
|
- if(fdscanf(c->local_rfd, "EHLO %[^\n]", line)!=1) { |
426 |
|
|
- log(LOG_ERR, "Unknown client EHLO"); |
427 |
|
|
- return -1; |
428 |
|
|
- } |
429 |
|
|
- if(fdprintf(c->local_wfd, "250-%s Welcome", line)<0) |
430 |
|
|
- return -1; |
431 |
|
|
- if(fdprintf(c->local_wfd, "250 STARTTLS")<0) |
432 |
|
|
- return -1; |
433 |
|
|
- if(fdscanf(c->local_rfd, "STARTTLS", line)<0) { |
434 |
|
|
- log(LOG_ERR, "STARTTLS expected"); |
435 |
|
|
- return -1; |
436 |
|
|
+ |
437 |
|
|
+ /* See if we get an EHLO command */ |
438 |
|
|
+ if (((read_ret=fdgets(c->local_rfd, line)) >= 0) && |
439 |
|
|
+ (strlen(line) >= 4) && |
440 |
|
|
+ (!line[4] || isspace(line[4])) && |
441 |
|
|
+ (strncasecmp(line,"ehlo",4) == 0) ) { |
442 |
|
|
+ if (fdputs(c->remote_fd,line) < 0) |
443 |
|
|
+ return -1; |
444 |
|
|
+ while ( (fdgets(c->remote_fd, line) >= 0) |
445 |
|
|
+ && (line[3] == '-') ) { |
446 |
|
|
+ if (fdputs(c->local_wfd,line) < 0) |
447 |
|
|
+ return -1; |
448 |
|
|
+ } |
449 |
|
|
+ line[3] = '-'; |
450 |
|
|
+ if (fdputs(c->local_wfd,line) < 0) |
451 |
|
|
+ return -1; |
452 |
|
|
+ if (fdputs(c->local_wfd,"250 STARTTLS") < 0) |
453 |
|
|
+ return -1; |
454 |
|
|
+ |
455 |
|
|
+ /* See if we get a STARTTLS command */ |
456 |
|
|
+ if (((read_ret=fdgets(c->local_rfd, line)) >= 0) && |
457 |
|
|
+ (strlen(line) >= 8) && |
458 |
|
|
+ (!line[8] || isspace(line[8])) && |
459 |
|
|
+ (strncasecmp(line,"starttls",8) == 0) ) { |
460 |
|
|
+ if (!line[8]) { |
461 |
|
|
+ /* Technically, we should shut down the SMTP connection and get |
462 |
|
|
+ * a new one, but screw it for now. */ |
463 |
|
|
+ if(fdputs(c->local_wfd, "220 Go ahead") >= 0) |
464 |
|
|
+ return 0; |
465 |
|
|
+ } else { |
466 |
|
|
+ fdputs(c->local_wfd,"501 Syntax error (no parameters allowed; STARTTLS disabled) (#5.5.4)"); |
467 |
|
|
+ return -1; |
468 |
|
|
+ } |
469 |
|
|
+ |
470 |
|
|
+ } |
471 |
|
|
+ } |
472 |
|
|
+ if (read_ret < 0) |
473 |
|
|
+ return -1; |
474 |
|
|
+ if (allow_downgrade) { |
475 |
|
|
+ if (fdputs(c->remote_fd,line) < 0) |
476 |
|
|
+ return -1; |
477 |
|
|
+ exit(plaintext_proxy(c)); |
478 |
|
|
+ } |
479 |
|
|
+ else { |
480 |
|
|
+ fdputs(c->local_wfd,"421 Encryption required; must use STARTTLS"); |
481 |
|
|
+ return -1; |
482 |
|
|
} |
483 |
|
|
- if(fdprintf(c->local_wfd, "220 Go ahead", line)<0) |
484 |
|
|
- return -1; |
485 |
|
|
- return 0; |
486 |
|
|
} |
487 |
|
|
|
488 |
|
|
static int pop3_client(CLI *c) { |
489 |
|
|
@@ -182,31 +350,157 @@ |
490 |
|
|
return 0; |
491 |
|
|
} |
492 |
|
|
|
493 |
|
|
-static int pop3_server(CLI *c) { |
494 |
|
|
+static int pop3_server(CLI *c, int allow_downgrade) { |
495 |
|
|
char line[STRLEN]; |
496 |
|
|
|
497 |
|
|
- if(fdscanf(c->remote_fd, "%[^\n]", line)<0) |
498 |
|
|
- return -1; |
499 |
|
|
+ if(fdscanf(c->remote_fd, "%[^\r\n]", line)<0) |
500 |
|
|
+ return -1; |
501 |
|
|
+ |
502 |
|
|
if(fdprintf(c->local_wfd, "%s + stunnel", line)<0) |
503 |
|
|
return -1; |
504 |
|
|
- if(fdscanf(c->local_rfd, "%[^\n]", line)<0) |
505 |
|
|
+ |
506 |
|
|
+ while(1) { |
507 |
|
|
+ if(fdgets(c->local_rfd, line)<0) |
508 |
|
|
return -1; |
509 |
|
|
- if(!strncmp(line, "CAPA", 4)) { /* Client wants RFC 2449 extensions */ |
510 |
|
|
- if(fdprintf(c->local_wfd, "-ERR Stunnel does not support capabilities")<0) |
511 |
|
|
- return -1; |
512 |
|
|
- if(fdscanf(c->local_rfd, "%[^\n]", line)<0) |
513 |
|
|
- return -1; |
514 |
|
|
+ if(strncasecmp(line, "CAPA", 4) == 0) { /* Client wants RFC 2449 extensions */ |
515 |
|
|
+ fdputs(c->remote_fd,line); |
516 |
|
|
+ if (fdgets(c->remote_fd,line) < 0) |
517 |
|
|
+ return -1; |
518 |
|
|
+ if (line[0] == '+') { |
519 |
|
|
+ if (fdputs(c->local_wfd,line) < 0) |
520 |
|
|
+ return -1; |
521 |
|
|
+ while ( (fdgets(c->remote_fd,line) >= 0) |
522 |
|
|
+ && ( (strlen(line) > 1) || (line[0] != '.') ) ) { |
523 |
|
|
+ if (fdputs(c->local_wfd,line) < 0) |
524 |
|
|
+ return -1; |
525 |
|
|
+ } |
526 |
|
|
+ } else { |
527 |
|
|
+ if (fdputs(c->local_wfd,"+OK Stunnel capability list follows") < 0) |
528 |
|
|
+ return -1; |
529 |
|
|
+ } |
530 |
|
|
+ if (fdputs(c->local_wfd,"STLS") < 0) |
531 |
|
|
+ return -1; |
532 |
|
|
+ if (fdputs(c->local_wfd,".") < 0) |
533 |
|
|
+ return -1; |
534 |
|
|
+ } else if (strncasecmp(line, "STLS", 4) == 0) { |
535 |
|
|
+ if(fdputs(c->local_wfd, "+OK stunnel starting TLS negotiation")<0) |
536 |
|
|
+ return -1; |
537 |
|
|
+ return 0; |
538 |
|
|
+ } |
539 |
|
|
+ else { |
540 |
|
|
+ if (fdputs(c->remote_fd,line) < 0) |
541 |
|
|
+ return -1; |
542 |
|
|
+ if (allow_downgrade) |
543 |
|
|
+ exit(plaintext_proxy(c)); |
544 |
|
|
+ else { |
545 |
|
|
+ fdputs(c->local_wfd,"-Encryption required; must use STLS"); |
546 |
|
|
+ return -1; |
547 |
|
|
+ } |
548 |
|
|
+ } |
549 |
|
|
} |
550 |
|
|
- if(strncmp(line, "STLS", 4)) { |
551 |
|
|
- log(LOG_ERR, "Client does not want TLS"); |
552 |
|
|
+} |
553 |
|
|
+ |
554 |
|
|
+static int imap_client(CLI *c) { |
555 |
|
|
+ char line[STRLEN]; |
556 |
|
|
+ |
557 |
|
|
+ if(fdgets(c->remote_fd, line)<0) |
558 |
|
|
+ return -1; |
559 |
|
|
+ if(strncasecmp(line,"* OK ",4)) { |
560 |
|
|
+ log(LOG_ERR, "Unknown server welcome"); |
561 |
|
|
return -1; |
562 |
|
|
} |
563 |
|
|
- if(fdprintf(c->local_wfd, "+OK Stunnel starts TLS negotiation")<0) |
564 |
|
|
+ if(fdputs(c->local_wfd, line)<0) |
565 |
|
|
return -1; |
566 |
|
|
- |
567 |
|
|
+ if(fdprintf(c->remote_fd, "a STARTTLS")<0) |
568 |
|
|
+ return -1; |
569 |
|
|
+ if(fdgets(c->remote_fd, line)<0) |
570 |
|
|
+ return -1; |
571 |
|
|
+ if(strncasecmp(line,"a OK ",5)) { |
572 |
|
|
+ log(LOG_ERR, "Server does not support TLS"); |
573 |
|
|
+ return -1; |
574 |
|
|
+ } |
575 |
|
|
return 0; |
576 |
|
|
} |
577 |
|
|
|
578 |
|
|
+static int imap_server(CLI *c, int allow_downgrade) { |
579 |
|
|
+ char line[STRLEN]; |
580 |
|
|
+ char procline[STRLEN]; |
581 |
|
|
+ char *tag, *cmd; |
582 |
|
|
+ int do_if_fail = 0; |
583 |
|
|
+ |
584 |
|
|
+ if (fdgets(c->remote_fd,line) < 0) |
585 |
|
|
+ return -1; |
586 |
|
|
+ |
587 |
|
|
+ if(fdprintf(c->local_wfd, "%s + stunnel", line)<0) |
588 |
|
|
+ return -1; |
589 |
|
|
+ |
590 |
|
|
+ while(1) { |
591 |
|
|
+ if(fdgets(c->local_rfd, line)<0) |
592 |
|
|
+ return -1; |
593 |
|
|
+ safecopy(procline, line); |
594 |
|
|
+ tag = procline; |
595 |
|
|
+ if (!(cmd=strchr(procline,' '))) { |
596 |
|
|
+ do_if_fail = 1; |
597 |
|
|
+ break; |
598 |
|
|
+ } |
599 |
|
|
+ *cmd='\0'; |
600 |
|
|
+ cmd++; |
601 |
|
|
+ if(strncasecmp(cmd, "CAPABILITY", 11) == 0) { |
602 |
|
|
+ fdputs(c->remote_fd,line); |
603 |
|
|
+ if (fdgets(c->remote_fd,line) < 0) |
604 |
|
|
+ return -1; |
605 |
|
|
+ if (strncasecmp(line,"* CAPABILITY",12) == 0) { |
606 |
|
|
+ safeconcat(line," STARTTLS"); |
607 |
|
|
+ fdputs(c->local_wfd,line); |
608 |
|
|
+ } else { |
609 |
|
|
+ do_if_fail = 2; |
610 |
|
|
+ break; |
611 |
|
|
+ } |
612 |
|
|
+ if (fdgets(c->remote_fd,line) < 0) |
613 |
|
|
+ return -1; |
614 |
|
|
+ if ( (strncasecmp(line,tag,strlen(tag)) != 0) || |
615 |
|
|
+ (line[strlen(tag)] != ' ') || |
616 |
|
|
+ (strncasecmp(line+strlen(tag)+1,"OK",2) != 0) ) |
617 |
|
|
+ { |
618 |
|
|
+ do_if_fail = 2; |
619 |
|
|
+ break; |
620 |
|
|
+ } |
621 |
|
|
+ if (fdputs(c->local_wfd,line) < 0) |
622 |
|
|
+ return -1; |
623 |
|
|
+ } |
624 |
|
|
+ else if (strncasecmp(cmd, "STARTTLS", 8) == 0) { |
625 |
|
|
+ if (fdwrite(c->local_wfd,tag,strlen(tag)) < 0) |
626 |
|
|
+ return -1; |
627 |
|
|
+ if (fdwrite(c->local_wfd," ",1) < 0) |
628 |
|
|
+ return -1; |
629 |
|
|
+ if (fdputs(c->local_wfd,"OK Begin TLS negotiation now") < 0) |
630 |
|
|
+ return -1; |
631 |
|
|
+ |
632 |
|
|
+ return 0; |
633 |
|
|
+ } else { |
634 |
|
|
+ do_if_fail = 1; |
635 |
|
|
+ break; |
636 |
|
|
+ } |
637 |
|
|
+ } |
638 |
|
|
+ |
639 |
|
|
+ if (allow_downgrade) { |
640 |
|
|
+ if (do_if_fail == 1) { |
641 |
|
|
+ if (fdputs(c->remote_fd,line) < 0) |
642 |
|
|
+ return -1; |
643 |
|
|
+ } else if (do_if_fail == 2) { |
644 |
|
|
+ if (fdputs(c->local_wfd,line) < 0) |
645 |
|
|
+ return -1; |
646 |
|
|
+ } |
647 |
|
|
+ exit(plaintext_proxy(c)); |
648 |
|
|
+ } |
649 |
|
|
+ else { |
650 |
|
|
+ fdputs(c->local_wfd,"-Encryption required; must use STLS"); |
651 |
|
|
+ return -1; |
652 |
|
|
+ } |
653 |
|
|
+ |
654 |
|
|
+} |
655 |
|
|
+ |
656 |
|
|
+ |
657 |
|
|
static int nntp_client(CLI *c) { |
658 |
|
|
char line[STRLEN]; |
659 |
|
|
|
660 |
|
|
diff -u stunnel-3.22/prototypes.h stunnel-3.22-sg/prototypes.h |
661 |
|
|
--- stunnel-3.22/prototypes.h Sun Nov 11 14:16:01 2001 |
662 |
|
|
+++ stunnel-3.22-sg/prototypes.h Wed May 29 02:15:43 2002 |
663 |
|
|
@@ -41,7 +41,10 @@ |
664 |
|
|
/* Prototypes for client.c */ |
665 |
|
|
void *client(void *); |
666 |
|
|
/* descriptor versions of fprintf/fscanf */ |
667 |
|
|
+int fdwrite(int fd, char *buffer, int len); |
668 |
|
|
+int fdputs(int fd, char *line); |
669 |
|
|
int fdprintf(int, char *, ...); |
670 |
|
|
+int fdgets(int fd, char *buffer); |
671 |
|
|
int fdscanf(int, char *, char *); |
672 |
|
|
|
673 |
|
|
/* Prototypes for log.c */ |
674 |
|
|
@@ -79,6 +82,8 @@ |
675 |
|
|
#define OPT_REMOTE 0x20 |
676 |
|
|
#define OPT_TRANSPARENT 0x40 |
677 |
|
|
#define OPT_PTY 0x80 |
678 |
|
|
+#define OPT_FDS 0x100 |
679 |
|
|
+#define OPT_SUID_FIRST 0x200 |
680 |
|
|
|
681 |
|
|
typedef struct { |
682 |
|
|
char pem[STRLEN]; /* pem (priv key/cert) filename */ |
683 |
|
|
@@ -111,6 +116,8 @@ |
684 |
|
|
int cert_defaults; |
685 |
|
|
char *output_file; |
686 |
|
|
u32 *local_ip; |
687 |
|
|
+ int use_fd; |
688 |
|
|
+ char *chroot_dir; |
689 |
|
|
} server_options; |
690 |
|
|
|
691 |
|
|
typedef enum { |
692 |
|
|
Only in stunnel-3.22-sg: prototypes.h~ |
693 |
|
|
Only in stunnel-3.22-sg: pty.o |
694 |
|
|
diff -u stunnel-3.22/ssl.c stunnel-3.22-sg/ssl.c |
695 |
|
|
--- stunnel-3.22/ssl.c Sun Dec 23 14:46:03 2001 |
696 |
|
|
+++ stunnel-3.22-sg/ssl.c Wed May 15 03:54:39 2002 |
697 |
|
|
@@ -46,6 +46,7 @@ |
698 |
|
|
#include <openssl/ssl.h> |
699 |
|
|
#include <openssl/err.h> |
700 |
|
|
#include <openssl/rand.h> |
701 |
|
|
+#include <openssl/conf.h> |
702 |
|
|
#else |
703 |
|
|
#include <lhash.h> |
704 |
|
|
#include <ssl.h> |
705 |
|
|
@@ -71,7 +72,6 @@ |
706 |
|
|
SSL_CTX *ctx; /* global SSL context */ |
707 |
|
|
|
708 |
|
|
void context_init() { /* init SSL */ |
709 |
|
|
- |
710 |
|
|
if(!init_prng()) |
711 |
|
|
log(LOG_INFO, "PRNG seeded successfully"); |
712 |
|
|
SSLeay_add_ssl_algorithms(); |
713 |
|
|
Only in stunnel-3.22-sg: ssl.c~ |
714 |
|
|
Only in stunnel-3.22-sg: ssl.o |
715 |
|
|
Only in stunnel-3.22-sg: sthreads.o |
716 |
|
|
Only in stunnel-3.22-sg: stunnel |
717 |
|
|
diff -u stunnel-3.22/stunnel.c stunnel-3.22-sg/stunnel.c |
718 |
|
|
--- stunnel-3.22/stunnel.c Thu Dec 20 02:53:54 2001 |
719 |
|
|
+++ stunnel-3.22-sg/stunnel.c Tue May 28 04:03:39 2002 |
720 |
|
|
@@ -54,6 +54,8 @@ |
721 |
|
|
static void create_pid(); |
722 |
|
|
static void delete_pid(); |
723 |
|
|
#endif |
724 |
|
|
+void do_setugid(char *user, char *group); |
725 |
|
|
+int is_alldigits(char *s); |
726 |
|
|
|
727 |
|
|
/* Socket functions */ |
728 |
|
|
static int listen_local(); |
729 |
|
|
@@ -119,6 +121,24 @@ |
730 |
|
|
if(!(options.option&OPT_FOREGROUND)) |
731 |
|
|
options.foreground=0; |
732 |
|
|
log_open(); |
733 |
|
|
+ if (options.chroot_dir) |
734 |
|
|
+ { |
735 |
|
|
+ log(LOG_DEBUG,"chroot(%s)",options.chroot_dir); |
736 |
|
|
+ if (chroot(options.chroot_dir) < 0) |
737 |
|
|
+ { |
738 |
|
|
+ ioerror("chroot"); |
739 |
|
|
+ exit(1); |
740 |
|
|
+ } |
741 |
|
|
+ |
742 |
|
|
+ if (chdir("/") < 0) |
743 |
|
|
+ { |
744 |
|
|
+ ioerror("chdir"); |
745 |
|
|
+ exit(1); |
746 |
|
|
+ } |
747 |
|
|
+ } |
748 |
|
|
+ if ( options.option&OPT_SUID_FIRST && |
749 |
|
|
+ (options.setuid_user || options.setgid_group)) |
750 |
|
|
+ do_setugid(options.setuid_user,options.setgid_group); |
751 |
|
|
log(LOG_NOTICE, "Using '%s' as tcpwrapper service name", options.servname); |
752 |
|
|
|
753 |
|
|
/* check if certificate exists */ |
754 |
|
|
@@ -371,49 +391,9 @@ |
755 |
|
|
exit(1); |
756 |
|
|
} |
757 |
|
|
|
758 |
|
|
-#ifndef USE_WIN32 |
759 |
|
|
- if(options.setgid_group) { |
760 |
|
|
- struct group *gr; |
761 |
|
|
- gid_t gr_list[1]; |
762 |
|
|
- |
763 |
|
|
- gr=getgrnam(options.setgid_group); |
764 |
|
|
- if(!gr) { |
765 |
|
|
- log(LOG_ERR, "Failed to get GID for group %s", |
766 |
|
|
- options.setgid_group); |
767 |
|
|
- exit(1); |
768 |
|
|
- } |
769 |
|
|
- if(setgid(gr->gr_gid)) { |
770 |
|
|
- sockerror("setgid"); |
771 |
|
|
- exit(1); |
772 |
|
|
- } |
773 |
|
|
- gr_list[0]=gr->gr_gid; |
774 |
|
|
- if(setgroups(1, gr_list)) { |
775 |
|
|
- sockerror("setgroups"); |
776 |
|
|
- exit(1); |
777 |
|
|
- } |
778 |
|
|
- } |
779 |
|
|
- |
780 |
|
|
- if(options.setuid_user) { |
781 |
|
|
- struct passwd *pw; |
782 |
|
|
- |
783 |
|
|
- pw=getpwnam(options.setuid_user); |
784 |
|
|
- if(!pw) { |
785 |
|
|
- log(LOG_ERR, "Failed to get UID for user %s", |
786 |
|
|
- options.setuid_user); |
787 |
|
|
- exit(1); |
788 |
|
|
- } |
789 |
|
|
-#ifndef USE_WIN32 |
790 |
|
|
- /* gotta chown that pid file, or we can't remove it. */ |
791 |
|
|
- if ( options.pidfile[0] && chown( options.pidfile, pw->pw_uid, -1) ) { |
792 |
|
|
- log(LOG_ERR, "Failed to chown pidfile %s", options.pidfile); |
793 |
|
|
- } |
794 |
|
|
-#endif |
795 |
|
|
- if(setuid(pw->pw_uid)) { |
796 |
|
|
- sockerror("setuid"); |
797 |
|
|
- exit(1); |
798 |
|
|
- } |
799 |
|
|
- } |
800 |
|
|
-#endif /* USE_WIN32 */ |
801 |
|
|
+ if (!(options.option&OPT_SUID_FIRST) && |
802 |
|
|
+ (options.setuid_user || options.setgid_group)) |
803 |
|
|
+ do_setugid(options.setuid_user,options.setgid_group); |
804 |
|
|
|
805 |
|
|
return ls; |
806 |
|
|
} |
807 |
|
|
@@ -682,4 +662,79 @@ |
808 |
|
|
return retval; |
809 |
|
|
} |
810 |
|
|
|
811 |
|
|
+void do_setugid(char *user, char *group) |
812 |
|
|
+ { |
813 |
|
|
+ uid_t uid; |
814 |
|
|
+ gid_t gid; |
815 |
|
|
+ |
816 |
|
|
+#ifndef USE_WIN32 |
817 |
|
|
+ if(group) { |
818 |
|
|
+ struct group *gr; |
819 |
|
|
+ gid_t gr_list[1]; |
820 |
|
|
+ |
821 |
|
|
+ if (is_alldigits(group)) |
822 |
|
|
+ { |
823 |
|
|
+ gid=atoi(group); |
824 |
|
|
+ } |
825 |
|
|
+ else |
826 |
|
|
+ { |
827 |
|
|
+ gr=getgrnam(group); |
828 |
|
|
+ if(!gr) { |
829 |
|
|
+ log(LOG_ERR, "Failed to get GID for group %s", |
830 |
|
|
+ group); |
831 |
|
|
+ exit(1); |
832 |
|
|
+ } |
833 |
|
|
+ gid = gr->gr_gid; |
834 |
|
|
+ } |
835 |
|
|
+ |
836 |
|
|
+ if(setgid(gid)) { |
837 |
|
|
+ sockerror("setgid"); |
838 |
|
|
+ exit(1); |
839 |
|
|
+ } |
840 |
|
|
+ gr_list[0]=gid; |
841 |
|
|
+ if(setgroups(1, gr_list)) { |
842 |
|
|
+ sockerror("setgroups"); |
843 |
|
|
+ exit(1); |
844 |
|
|
+ } |
845 |
|
|
+ } |
846 |
|
|
+#endif |
847 |
|
|
+ |
848 |
|
|
+ if(user) { |
849 |
|
|
+ struct passwd *pw; |
850 |
|
|
+ |
851 |
|
|
+ if (is_alldigits(user)) |
852 |
|
|
+ { |
853 |
|
|
+ uid = atoi(user); |
854 |
|
|
+ } |
855 |
|
|
+ else |
856 |
|
|
+ { |
857 |
|
|
+ pw=getpwnam(user); |
858 |
|
|
+ if(!pw) { |
859 |
|
|
+ log(LOG_ERR, "Failed to get UID for user %s", |
860 |
|
|
+ user); |
861 |
|
|
+ exit(1); |
862 |
|
|
+ } |
863 |
|
|
+ uid=pw->pw_uid; |
864 |
|
|
+ } |
865 |
|
|
+ |
866 |
|
|
+#ifndef USE_WIN32 |
867 |
|
|
+ /* gotta chown that pid file, or we can't remove it. */ |
868 |
|
|
+ if ( options.pidfile[0] && chown( options.pidfile, uid, -1) ) { |
869 |
|
|
+ log(LOG_ERR, "Failed to chown pidfile %s", options.pidfile); |
870 |
|
|
+ } |
871 |
|
|
+#endif |
872 |
|
|
+ if(setuid(uid)) { |
873 |
|
|
+ sockerror("setuid"); |
874 |
|
|
+ exit(1); |
875 |
|
|
+ } |
876 |
|
|
+ } |
877 |
|
|
+ } |
878 |
|
|
+ |
879 |
|
|
+int is_alldigits(char *s) { |
880 |
|
|
+ while (*s) |
881 |
|
|
+ if (!isdigit(*s++)) |
882 |
|
|
+ return 0; |
883 |
|
|
+ return 1; |
884 |
|
|
+} |
885 |
|
|
+ |
886 |
|
|
/* End of stunnel.c */ |