summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBertrand Jacquin <beber@meleeweb.net>2010-02-20 23:51:59 +0100
committerBertrand Jacquin <beber@meleeweb.net>2010-02-20 23:51:59 +0100
commitb7aa961a3cb899f2b6f9e0c0be6d7fb736436e6f (patch)
treec71f0e0965b0a82b861f9d3f447c549c7dc3d40f
parentthttpd-2.25: Add fix for glibc 2.10 (getline redefinition) (diff)
downloadpatches-b7aa961a3cb899f2b6f9e0c0be6d7fb736436e6f.tar.gz
Patch for adding X-Forwarded-For support for stunnel 4.29, originally
picked-up from Willy Tarreau at http://haproxy.1wt.eu/download/patches/stunnel-4.15-xforwarded-for.diff
-rw-r--r--stunnel/stunnel-4.29-xforwarded-for.diff246
1 files changed, 246 insertions, 0 deletions
diff --git a/stunnel/stunnel-4.29-xforwarded-for.diff b/stunnel/stunnel-4.29-xforwarded-for.diff
new file mode 100644
index 0000000..ba9703b
--- /dev/null
+++ b/stunnel/stunnel-4.29-xforwarded-for.diff
@@ -0,0 +1,246 @@
+diff -Npru --exclude '*.rej' --exclude '*.orig' stunnel-4.29.ori/doc/stunnel.8 stunnel-4.29/doc/stunnel.8
+--- stunnel-4.29.ori/doc/stunnel.8 2010-02-20 23:20:35.304305310 +0100
++++ stunnel-4.29/doc/stunnel.8 2010-02-20 23:23:02.984316555 +0100
+@@ -442,6 +442,10 @@ the following option can be used:
+ application protocol to negotiate \s-1SSL\s0
+ .Sp
+ currently supported: cifs, connect, imap, nntp, pop3, smtp, pgsql
++.IP "\fBxforwardedfor\fR = yes | no" 4
++.IX Item "xforwardedfor = yes | no"
++append an 'X-Forwarded-For:' HTTP request header providing the
++client's IP address to the server
+ .IP "\fBprotocolAuthentication\fR = auth_type" 4
+ .IX Item "protocolAuthentication = auth_type"
+ authentication type for protocol negotiations
+diff -Npru --exclude '*.rej' --exclude '*.orig' stunnel-4.29.ori/doc/stunnel.fr.8 stunnel-4.29/doc/stunnel.fr.8
+--- stunnel-4.29.ori/doc/stunnel.fr.8 2010-02-20 23:20:35.304305310 +0100
++++ stunnel-4.29/doc/stunnel.fr.8 2010-02-20 23:21:17.254318509 +0100
+@@ -445,6 +445,10 @@ Cette option permet de relier une adress
+ Négocie avec \s-1SSL\s0 selon le protocole indiqué
+ .Sp
+ Actuellement gérés\ : cifs, nntp, pop3, smtp
++.IP "\fBxforwardedfor\fR = yes | no" 4
++.IX Item "xforwardedfor = yes | no"
++Ajoute un en-tête 'X-Forwarded-For:' dans la requête HTTP fournissant
++au serveur l'adresse IP du client.
+ .IP "\fBpty\fR = yes | no (Unix seulement)" 4
+ .IX Item "pty = yes | no (Unix seulement)"
+ Alloue un pseudo-terminal pour l'option «\ exec\ »
+diff -Npru --exclude '*.rej' --exclude '*.orig' stunnel-4.29.ori/src/client.c stunnel-4.29/src/client.c
+--- stunnel-4.29.ori/src/client.c 2010-02-20 23:20:35.304305310 +0100
++++ stunnel-4.29/src/client.c 2010-02-20 23:30:35.824311395 +0100
+@@ -90,6 +90,12 @@ CLI *alloc_client_session(LOCAL_OPTIONS
+ return NULL;
+ }
+ c->opt=opt;
++ /* some options need space to add some information */
++ if (c->opt->option.xforwardedfor)
++ c->buffsize = BUFFSIZE - BUFF_RESERVED;
++ else
++ c->buffsize = BUFFSIZE;
++ c->crlf_seen=0;
+ c->local_rfd.fd=rfd;
+ c->local_wfd.fd=wfd;
+ return c;
+@@ -382,6 +388,28 @@ static void init_ssl(CLI *c) {
+ }
+ }
+
++/* Moves all data from the buffer <buffer> between positions <start> and <stop>
++ * to insert <string> of length <len>. <start> and <stop> are updated to their
++ * new respective values, and the number of characters inserted is returned.
++ * If <len> is too long, nothing is done and -1 is returned.
++ * Note that neither <string> nor <buffer> can be NULL.
++ */
++static int buffer_insert_with_len(char *buffer, int *start, int *stop, int limit, char *string, int len) {
++ if (len > limit - *stop)
++ return -1;
++ if (*start > *stop)
++ return -1;
++ memmove(buffer + *start + len, buffer + *start, *stop - *start);
++ memcpy(buffer + *start, string, len);
++ *start += len;
++ *stop += len;
++ return len;
++}
++
++static int buffer_insert(char *buffer, int *start, int *stop, int limit, char *string) {
++ return buffer_insert_with_len(buffer, start, stop, limit, string, strlen(string));
++}
++
+ /****************************** some defines for transfer() */
+ /* is socket/SSL open for read/write? */
+ #define sock_rd (c->sock_rfd->rd)
+@@ -416,13 +444,13 @@ static void transfer(CLI *c) {
+ check_SSL_pending=0;
+
+ SSL_read_wants_read=
+- ssl_rd && c->ssl_ptr<BUFFSIZE && !SSL_read_wants_write;
++ ssl_rd && c->ssl_ptr<c->buffsize && !SSL_read_wants_write;
+ SSL_write_wants_write=
+ ssl_wr && c->sock_ptr && !SSL_write_wants_read;
+
+ /****************************** setup c->fds structure */
+ s_poll_init(&c->fds); /* initialize the structure */
+- if(sock_rd && c->sock_ptr<BUFFSIZE)
++ if(sock_rd && c->sock_ptr<c->buffsize)
+ s_poll_add(&c->fds, c->sock_rfd->fd, 1, 0);
+ if(SSL_read_wants_read ||
+ SSL_write_wants_read ||
+@@ -521,7 +549,7 @@ static void transfer(CLI *c) {
+ break;
+ default:
+ memmove(c->ssl_buff, c->ssl_buff+num, c->ssl_ptr-num);
+- if(c->ssl_ptr==BUFFSIZE) /* buffer was previously full */
++ if(c->ssl_ptr>=c->buffsize) /* buffer was previously full */
+ check_SSL_pending=1; /* check for data buffered by SSL */
+ c->ssl_ptr-=num;
+ c->sock_bytes+=num;
+@@ -581,7 +609,7 @@ static void transfer(CLI *c) {
+ /****************************** read from socket */
+ if(sock_rd && sock_can_rd) {
+ num=readsocket(c->sock_rfd->fd,
+- c->sock_buff+c->sock_ptr, BUFFSIZE-c->sock_ptr);
++ c->sock_buff+c->sock_ptr, c->buffsize-c->sock_ptr);
+ switch(num) {
+ case -1:
+ parse_socket_error(c, "readsocket");
+@@ -601,10 +629,70 @@ static void transfer(CLI *c) {
+ (SSL_read_wants_write && ssl_can_wr) ||
+ (check_SSL_pending && SSL_pending(c->ssl))) {
+ SSL_read_wants_write=0;
+- num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr);
++ num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, c->buffsize-c->ssl_ptr);
+ switch(err=SSL_get_error(c->ssl, num)) {
+ case SSL_ERROR_NONE:
+- c->ssl_ptr+=num;
++ if (c->buffsize != BUFFSIZE) { /* some work left to do */
++ int last = c->ssl_ptr;
++ c->ssl_ptr += num;
++
++ /* Look for end of HTTP headers between last and ssl_ptr.
++ * To achieve this reliably, we have to count the number of
++ * successive [CR]LF and to memorize it in case it's spread
++ * over multiple segments. --WT.
++ */
++ while (last < c->ssl_ptr) {
++ if (c->ssl_buff[last] == '\n') {
++ if (++c->crlf_seen == 2)
++ break;
++ } else if (last < c->ssl_ptr - 1 &&
++ c->ssl_buff[last] == '\r' &&
++ c->ssl_buff[last+1] == '\n') {
++ if (++c->crlf_seen == 2)
++ break;
++ last++;
++ } else if (c->ssl_buff[last] != '\r')
++ /* don't refuse '\r' because we may get a '\n' on next read */
++ c->crlf_seen = 0;
++ last++;
++ }
++ if (c->crlf_seen >= 2) {
++ /* We have all the HTTP headers now. We don't need to
++ * reserve any space anymore. <ssl_ptr> points to the
++ * first byte of unread data, and <last> points to the
++ * exact location where we want to insert our headers,
++ * which is right before the empty line.
++ */
++ c->buffsize = BUFFSIZE;
++
++ if (c->opt->option.xforwardedfor) {
++ /* X-Forwarded-For: xxxx \r\n\0 */
++ char xforw[17 + IPLEN + 3];
++
++ /* We will insert our X-Forwarded-For: header here.
++ * We need to write the IP address, but if we use
++ * sprintf, it will pad with the terminating 0.
++ * So we will pass via a temporary buffer allocated
++ * on the stack.
++ */
++ memcpy(xforw, "X-Forwarded-For: ", 17);
++ if (getnameinfo(&c->peer_addr.addr[0].sa,
++ addr_len(c->peer_addr.addr[0]),
++ xforw + 17, IPLEN, NULL, 0,
++ NI_NUMERICHOST) == 0) {
++ strcat(xforw + 17, "\r\n");
++ buffer_insert(c->ssl_buff, &last, &c->ssl_ptr,
++ c->buffsize, xforw);
++ }
++ /* last still points to the \r\n and ssl_ptr to the
++ * end of the buffer, so we may add as many headers
++ * as wee need to.
++ */
++ }
++ }
++ }
++ else
++ c->ssl_ptr+=num;
+ watchdog=0; /* reset watchdog */
+ break;
+ case SSL_ERROR_WANT_WRITE:
+diff -Npru --exclude '*.rej' --exclude '*.orig' stunnel-4.29.ori/src/common.h stunnel-4.29/src/common.h
+--- stunnel-4.29.ori/src/common.h 2010-02-20 23:20:35.304305310 +0100
++++ stunnel-4.29/src/common.h 2010-02-20 23:21:17.254318509 +0100
+@@ -53,6 +53,9 @@
+ /* I/O buffer size */
+ #define BUFFSIZE 16384
+
++/* maximum space reserved for header insertion in BUFFSIZE */
++#define BUFF_RESERVED 1024
++
+ /* Length of strings (including the terminating '\0' character) */
+ /* It can't be lower than 256 bytes or NTLM authentication will break */
+ #define STRLEN 256
+diff -Npru --exclude '*.rej' --exclude '*.orig' stunnel-4.29.ori/src/options.c stunnel-4.29/src/options.c
+--- stunnel-4.29.ori/src/options.c 2010-02-20 23:20:35.304305310 +0100
++++ stunnel-4.29/src/options.c 2010-02-20 23:39:27.664316438 +0100
+@@ -781,6 +781,29 @@ static char *service_options(CMD cmd, LO
+ }
+ #endif
+
++ /* xforwardedfor */
++ switch(cmd) {
++ case CMD_INIT:
++ section->option.xforwardedfor=0;
++ break;
++ case CMD_EXEC:
++ if(strcasecmp(opt, "xforwardedfor"))
++ break;
++ if(!strcasecmp(arg, "yes"))
++ section->option.xforwardedfor=1;
++ else if(!strcasecmp(arg, "no"))
++ section->option.xforwardedfor=0;
++ else
++ return "argument should be either 'yes' or 'no'";
++ return NULL; /* OK */
++ case CMD_DEFAULT:
++ break;
++ case CMD_HELP:
++ s_log("%-15s = yes|no append an HTTP X-Forwarded-For header",
++ "xforwardedfor");
++ break;
++ }
++
+ /* exec */
+ #ifndef USE_WIN32
+ switch(cmd) {
+diff -Npru --exclude '*.rej' --exclude '*.orig' stunnel-4.29.ori/src/prototypes.h stunnel-4.29/src/prototypes.h
+--- stunnel-4.29.ori/src/prototypes.h 2010-02-20 23:20:35.304305310 +0100
++++ stunnel-4.29/src/prototypes.h 2010-02-20 23:33:11.984312629 +0100
+@@ -229,6 +229,7 @@ typedef struct local_options {
+ unsigned int delayed_lookup:1;
+ unsigned int accept:1;
+ unsigned int remote:1;
++ unsigned int xforwardedfor:1;
+ unsigned int retry:1; /* loop remote+program */
+ unsigned int sessiond:1;
+ #ifndef USE_WIN32
+@@ -334,6 +335,8 @@ typedef struct {
+ FD *ssl_rfd, *ssl_wfd; /* Read and write SSL descriptors */
+ int sock_bytes, ssl_bytes; /* Bytes written to socket and ssl */
+ s_poll_set fds; /* File descriptors */
++ int buffsize; /* current buffer size, may be lower than BUFFSIZE */
++ int crlf_seen; /* the number of successive CRLF seen */
+ } CLI;
+
+ extern int max_clients;