Remove demos/tunala
authorGeoff Thorpe <geoff@openssl.org>
Mon, 21 Jul 2014 13:27:54 +0000 (09:27 -0400)
committerGeoff Thorpe <geoff@openssl.org>
Tue, 22 Jul 2014 19:16:30 +0000 (15:16 -0400)
This has been unmaintained for a long time. If it's still of interest
to anyone, it can be obtained easily enough by reverting this commit.
(It could join other demo code in some other repository, perhaps.) In
any case we don't want it taking up space in the baseline source
package, so <snip>.

Signed-off-by: Geoff Thorpe <geoff@openssl.org>
19 files changed:
demos/tunala/.cvsignore [deleted file]
demos/tunala/A-client.pem [deleted file]
demos/tunala/A-server.pem [deleted file]
demos/tunala/CA.pem [deleted file]
demos/tunala/INSTALL [deleted file]
demos/tunala/Makefile [deleted file]
demos/tunala/Makefile.am [deleted file]
demos/tunala/README [deleted file]
demos/tunala/autogunk.sh [deleted file]
demos/tunala/autoungunk.sh [deleted file]
demos/tunala/breakage.c [deleted file]
demos/tunala/buffer.c [deleted file]
demos/tunala/cb.c [deleted file]
demos/tunala/configure.in [deleted file]
demos/tunala/ip.c [deleted file]
demos/tunala/sm.c [deleted file]
demos/tunala/test.sh [deleted file]
demos/tunala/tunala.c [deleted file]
demos/tunala/tunala.h [deleted file]

diff --git a/demos/tunala/.cvsignore b/demos/tunala/.cvsignore
deleted file mode 100644 (file)
index f9eca98..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-tunala
-
-*.flc
-semantic.cache
diff --git a/demos/tunala/A-client.pem b/demos/tunala/A-client.pem
deleted file mode 100644 (file)
index a4caf6e..0000000
+++ /dev/null
@@ -1,84 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 2 (0x2)
-        Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=NZ, L=Wellington, O=Really Irresponsible Authorisation Authority (RIAA), OU=Cert-stamping, CN=Jackov al-Trades/Email=none@fake.domain
-        Validity
-            Not Before: Jan 16 05:19:30 2002 GMT
-            Not After : Jan 14 05:19:30 2012 GMT
-        Subject: C=NZ, L=Auckland, O=Mordor, OU=SSL grunt things, CN=tunala-client/Email=client@fake.domain
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:b0:d3:56:5c:c8:7f:fb:f4:95:9d:04:84:4f:82:
-                    b7:a2:75:5c:81:48:8c:56:5d:52:ee:38:e1:5c:c8:
-                    9a:70:8e:72:f2:00:1c:17:ef:df:b7:06:59:82:04:
-                    f1:f6:49:11:12:a6:4d:cb:1e:ed:ac:59:1c:4a:d0:
-                    3d:de:e6:f2:8d:cd:39:c2:0f:e0:46:2f:db:cb:9f:
-                    47:f7:56:e7:f8:16:5f:68:71:fb:3a:e3:ab:d2:e5:
-                    05:b7:da:65:61:fe:6d:30:e4:12:a8:b5:c1:71:24:
-                    6b:aa:80:05:41:17:a0:8b:6e:8b:e6:04:cf:85:7b:
-                    2a:ac:a1:79:7d:f4:96:6e:77
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            Netscape Comment: 
-                OpenSSL Generated Certificate
-            X509v3 Subject Key Identifier: 
-                F8:43:CB:4F:4D:4F:BC:6E:52:1A:FD:F9:7B:E1:12:3F:A7:A3:BA:93
-            X509v3 Authority Key Identifier: 
-                keyid:49:FB:45:72:12:C4:CC:E1:45:A1:D3:08:9E:95:C4:2C:6D:55:3F:17
-                DirName:/C=NZ/L=Wellington/O=Really Irresponsible Authorisation Authority (RIAA)/OU=Cert-stamping/CN=Jackov al-Trades/Email=none@fake.domain
-                serial:00
-
-    Signature Algorithm: md5WithRSAEncryption
-        8f:5f:0e:43:da:9d:61:43:7e:03:38:9a:e6:50:9d:42:e8:95:
-        34:49:75:ec:04:8d:5c:85:99:94:70:a0:e7:1f:1e:a0:8b:0f:
-        d6:e2:cb:f7:35:d9:96:72:bd:a6:e9:8d:4e:b1:e2:ac:97:7f:
-        2f:70:01:9d:aa:04:bc:d4:01:2b:63:77:a5:de:63:3c:a8:f5:
-        f2:72:af:ec:11:12:c0:d4:70:cf:71:a6:fb:e9:1d:b3:27:07:
-        aa:f2:b1:f3:87:d6:ab:8b:ce:c2:08:1b:3c:f9:ba:ff:77:71:
-        86:09:ef:9e:4e:04:06:63:44:e9:93:20:90:c7:2d:50:c6:50:
-        f8:66
------BEGIN CERTIFICATE-----
-MIID9TCCA16gAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBtDELMAkGA1UEBhMCTlox
-EzARBgNVBAcTCldlbGxpbmd0b24xPDA6BgNVBAoTM1JlYWxseSBJcnJlc3BvbnNp
-YmxlIEF1dGhvcmlzYXRpb24gQXV0aG9yaXR5IChSSUFBKTEWMBQGA1UECxMNQ2Vy
-dC1zdGFtcGluZzEZMBcGA1UEAxMQSmFja292IGFsLVRyYWRlczEfMB0GCSqGSIb3
-DQEJARYQbm9uZUBmYWtlLmRvbWFpbjAeFw0wMjAxMTYwNTE5MzBaFw0xMjAxMTQw
-NTE5MzBaMIGHMQswCQYDVQQGEwJOWjERMA8GA1UEBxMIQXVja2xhbmQxDzANBgNV
-BAoTBk1vcmRvcjEZMBcGA1UECxMQU1NMIGdydW50IHRoaW5nczEWMBQGA1UEAxMN
-dHVuYWxhLWNsaWVudDEhMB8GCSqGSIb3DQEJARYSY2xpZW50QGZha2UuZG9tYWlu
-MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCw01ZcyH/79JWdBIRPgreidVyB
-SIxWXVLuOOFcyJpwjnLyABwX79+3BlmCBPH2SRESpk3LHu2sWRxK0D3e5vKNzTnC
-D+BGL9vLn0f3Vuf4Fl9ocfs646vS5QW32mVh/m0w5BKotcFxJGuqgAVBF6CLbovm
-BM+FeyqsoXl99JZudwIDAQABo4IBQDCCATwwCQYDVR0TBAIwADAsBglghkgBhvhC
-AQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFPhD
-y09NT7xuUhr9+XvhEj+no7qTMIHhBgNVHSMEgdkwgdaAFEn7RXISxMzhRaHTCJ6V
-xCxtVT8XoYG6pIG3MIG0MQswCQYDVQQGEwJOWjETMBEGA1UEBxMKV2VsbGluZ3Rv
-bjE8MDoGA1UEChMzUmVhbGx5IElycmVzcG9uc2libGUgQXV0aG9yaXNhdGlvbiBB
-dXRob3JpdHkgKFJJQUEpMRYwFAYDVQQLEw1DZXJ0LXN0YW1waW5nMRkwFwYDVQQD
-ExBKYWNrb3YgYWwtVHJhZGVzMR8wHQYJKoZIhvcNAQkBFhBub25lQGZha2UuZG9t
-YWluggEAMA0GCSqGSIb3DQEBBAUAA4GBAI9fDkPanWFDfgM4muZQnULolTRJdewE
-jVyFmZRwoOcfHqCLD9biy/c12ZZyvabpjU6x4qyXfy9wAZ2qBLzUAStjd6XeYzyo
-9fJyr+wREsDUcM9xpvvpHbMnB6rysfOH1quLzsIIGzz5uv93cYYJ755OBAZjROmT
-IJDHLVDGUPhm
------END CERTIFICATE-----
------BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQCw01ZcyH/79JWdBIRPgreidVyBSIxWXVLuOOFcyJpwjnLyABwX
-79+3BlmCBPH2SRESpk3LHu2sWRxK0D3e5vKNzTnCD+BGL9vLn0f3Vuf4Fl9ocfs6
-46vS5QW32mVh/m0w5BKotcFxJGuqgAVBF6CLbovmBM+FeyqsoXl99JZudwIDAQAB
-AoGAU4chbqbPvkclPYzaq2yGLlneHrwUft+KwzlfS6L/QVgo+CQRIUWQmjaHpaGM
-YtjVFcg1S1QK1bUqZjTEZT0XKhfbYmqW8yYTfbcDEbnY7esoYlvIlW8qRlPRlTBE
-utKrtZafmVhLgoNawYGD0aLZofPqpYjbGUlrC7nrem2vNJECQQDVLD3Qb+OlEMET
-73ApnJhYsK3e+G2LTrtjrS8y5zS4+Xv61XUqvdV7ogzRl0tpvSAmMOItVyoYadkB
-S3xSIWX9AkEA1Fm1FhkQSZwGG5rf4c6gMN71jJ6JE3/kocdVa0sUjRevIupo4XQ2
-Vkykxi84MRP8cfHqyjewq7Ozv3op2MGWgwJBAKemsb66IJjzAkaBav7u70nhOf0/
-+Dc1Zl7QF2y7NVW8sGrnccx5m+ot2lMD4AV6/kvK6jaqdKrapBZGnbGiHqkCQQDI
-T1r33mqz1R8Z2S2Jtzz6/McKf930a/dC+GLGVEutkILf39lRmytKmv/wB0jtWtoO
-rlJ5sLDSNzC+1cE1u997AkEAu3IrtGmLKiuS6kDj6W47m+iiTIsuSJtTJb1SbUaK
-fIoBNFxbvJYW6rUU9+PxpMRaEhzh5s24/jBOE+mlb17mRQ==
------END RSA PRIVATE KEY-----
diff --git a/demos/tunala/A-server.pem b/demos/tunala/A-server.pem
deleted file mode 100644 (file)
index e9f37b1..0000000
+++ /dev/null
@@ -1,84 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1 (0x1)
-        Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=NZ, L=Wellington, O=Really Irresponsible Authorisation Authority (RIAA), OU=Cert-stamping, CN=Jackov al-Trades/Email=none@fake.domain
-        Validity
-            Not Before: Jan 16 05:14:06 2002 GMT
-            Not After : Jan 14 05:14:06 2012 GMT
-        Subject: C=NZ, L=Wellington, O=Middle Earth, OU=SSL dev things, CN=tunala-server/Email=server@fake.domain
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (1024 bit)
-                Modulus (1024 bit):
-                    00:a9:3e:62:87:97:13:6b:de:8f:bc:1d:0a:3f:65:
-                    0c:f9:76:a3:53:ce:97:30:27:0d:c6:df:72:1f:8d:
-                    5a:ce:58:23:6a:65:e5:e3:72:1a:8d:7f:fe:90:01:
-                    ea:42:f1:9f:6e:7b:0a:bd:eb:52:15:7b:f4:3d:9c:
-                    4e:db:74:29:2b:d1:81:9d:b9:9e:18:2b:87:e1:da:
-                    50:20:3c:59:6c:c9:83:3e:2c:11:0b:78:1e:03:f4:
-                    56:3a:db:95:6a:75:33:85:a9:7b:cc:3c:4a:67:96:
-                    f2:24:b2:a0:cb:2e:cc:52:18:16:6f:44:d9:29:64:
-                    07:2e:fb:56:cc:7c:dc:a2:d7
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            Netscape Comment: 
-                OpenSSL Generated Certificate
-            X509v3 Subject Key Identifier: 
-                70:AC:7A:B5:6E:97:C2:82:AF:11:9E:32:CB:8D:48:49:93:B7:DC:22
-            X509v3 Authority Key Identifier: 
-                keyid:49:FB:45:72:12:C4:CC:E1:45:A1:D3:08:9E:95:C4:2C:6D:55:3F:17
-                DirName:/C=NZ/L=Wellington/O=Really Irresponsible Authorisation Authority (RIAA)/OU=Cert-stamping/CN=Jackov al-Trades/Email=none@fake.domain
-                serial:00
-
-    Signature Algorithm: md5WithRSAEncryption
-        2e:cb:a3:cd:6d:a8:9d:d1:dc:e5:f0:e0:27:7e:4b:5a:90:a8:
-        85:43:f0:05:f7:04:43:d7:5f:d1:a5:8f:5c:58:eb:fc:da:c6:
-        7c:e0:0b:2b:98:72:95:f6:79:48:96:7a:fa:0c:6b:09:ec:c6:
-        8c:91:74:45:9f:8f:0f:16:78:e3:66:14:fa:1e:f4:f0:23:ec:
-        cd:a9:52:77:20:4d:c5:05:2c:52:b6:7b:f3:42:33:fd:90:1f:
-        3e:88:6f:9b:23:61:c8:80:3b:e6:57:84:2e:f7:26:c7:35:ed:
-        00:8b:08:30:9b:aa:21:83:b6:6d:b8:7c:8a:9b:2a:ef:79:3d:
-        96:31
------BEGIN CERTIFICATE-----
-MIID+zCCA2SgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBtDELMAkGA1UEBhMCTlox
-EzARBgNVBAcTCldlbGxpbmd0b24xPDA6BgNVBAoTM1JlYWxseSBJcnJlc3BvbnNp
-YmxlIEF1dGhvcmlzYXRpb24gQXV0aG9yaXR5IChSSUFBKTEWMBQGA1UECxMNQ2Vy
-dC1zdGFtcGluZzEZMBcGA1UEAxMQSmFja292IGFsLVRyYWRlczEfMB0GCSqGSIb3
-DQEJARYQbm9uZUBmYWtlLmRvbWFpbjAeFw0wMjAxMTYwNTE0MDZaFw0xMjAxMTQw
-NTE0MDZaMIGNMQswCQYDVQQGEwJOWjETMBEGA1UEBxMKV2VsbGluZ3RvbjEVMBMG
-A1UEChMMTWlkZGxlIEVhcnRoMRcwFQYDVQQLEw5TU0wgZGV2IHRoaW5nczEWMBQG
-A1UEAxMNdHVuYWxhLXNlcnZlcjEhMB8GCSqGSIb3DQEJARYSc2VydmVyQGZha2Uu
-ZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpPmKHlxNr3o+8HQo/
-ZQz5dqNTzpcwJw3G33IfjVrOWCNqZeXjchqNf/6QAepC8Z9uewq961IVe/Q9nE7b
-dCkr0YGduZ4YK4fh2lAgPFlsyYM+LBELeB4D9FY625VqdTOFqXvMPEpnlvIksqDL
-LsxSGBZvRNkpZAcu+1bMfNyi1wIDAQABo4IBQDCCATwwCQYDVR0TBAIwADAsBglg
-hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O
-BBYEFHCserVul8KCrxGeMsuNSEmTt9wiMIHhBgNVHSMEgdkwgdaAFEn7RXISxMzh
-RaHTCJ6VxCxtVT8XoYG6pIG3MIG0MQswCQYDVQQGEwJOWjETMBEGA1UEBxMKV2Vs
-bGluZ3RvbjE8MDoGA1UEChMzUmVhbGx5IElycmVzcG9uc2libGUgQXV0aG9yaXNh
-dGlvbiBBdXRob3JpdHkgKFJJQUEpMRYwFAYDVQQLEw1DZXJ0LXN0YW1waW5nMRkw
-FwYDVQQDExBKYWNrb3YgYWwtVHJhZGVzMR8wHQYJKoZIhvcNAQkBFhBub25lQGZh
-a2UuZG9tYWluggEAMA0GCSqGSIb3DQEBBAUAA4GBAC7Lo81tqJ3R3OXw4Cd+S1qQ
-qIVD8AX3BEPXX9Glj1xY6/zaxnzgCyuYcpX2eUiWevoMawnsxoyRdEWfjw8WeONm
-FPoe9PAj7M2pUncgTcUFLFK2e/NCM/2QHz6Ib5sjYciAO+ZXhC73Jsc17QCLCDCb
-qiGDtm24fIqbKu95PZYx
------END CERTIFICATE-----
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQCpPmKHlxNr3o+8HQo/ZQz5dqNTzpcwJw3G33IfjVrOWCNqZeXj
-chqNf/6QAepC8Z9uewq961IVe/Q9nE7bdCkr0YGduZ4YK4fh2lAgPFlsyYM+LBEL
-eB4D9FY625VqdTOFqXvMPEpnlvIksqDLLsxSGBZvRNkpZAcu+1bMfNyi1wIDAQAB
-AoGANCwqHZhiAU/TyW6+WPqivEhpYw19p/dyFMuPF9DwnEmpaUROUQY8z0AUznn4
-qHhp6Jn/nrprTHowucl0ucweYIYVxZoUiUDFpxdFUbzMdFvo6HcyV1Pe4Rt81HaY
-KYWrTZ6PaPtN65hLms8NhPEdGcGAFlY1owYv4QNGq2bU1JECQQDd32LM0NSfyGmK
-4ziajqGcvzK9NO2XyV/nJsGlJZNgMh2zm1t7yR28l/6Q2uyU49cCN+2aYULZCAfs
-taNvxBspAkEAw0alNub+xj2AVQvaxOB1sGfKzsJjHCzKIxUXn/tJi3j0+2asmkBZ
-Umx1MWr9jKQBnCMciCRUbnMEZiElOxCN/wJAfAeQl6Z19gx206lJzzzEo3dOye54
-k02DSxijT8q9pBzf9bN3ZK987BybtiZr8p+bZiYVsSOF1wViSLURdD1QYQJAIaMU
-qH1n24wShBPTrmAfxbBLTgxL+Dl65Eoo1KT7iSvfv0JzbuqwuDL4iPeuD0DdCiE+
-M/FWHeRwGIuTFzaFzwJBANKwx0jZS/h093w9g0Clw6UzeA1P5VcAt9y+qMC9hO3c
-4KXwIxQAt9yRaFLpiIR9do5bjjKNnMguf3aO/XRSDQM=
------END RSA PRIVATE KEY-----
diff --git a/demos/tunala/CA.pem b/demos/tunala/CA.pem
deleted file mode 100644 (file)
index 7a55b54..0000000
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID9zCCA2CgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBtDELMAkGA1UEBhMCTlox
-EzARBgNVBAcTCldlbGxpbmd0b24xPDA6BgNVBAoTM1JlYWxseSBJcnJlc3BvbnNp
-YmxlIEF1dGhvcmlzYXRpb24gQXV0aG9yaXR5IChSSUFBKTEWMBQGA1UECxMNQ2Vy
-dC1zdGFtcGluZzEZMBcGA1UEAxMQSmFja292IGFsLVRyYWRlczEfMB0GCSqGSIb3
-DQEJARYQbm9uZUBmYWtlLmRvbWFpbjAeFw0wMjAxMTYwNTA5NTlaFw0xMjAxMTQw
-NTA5NTlaMIG0MQswCQYDVQQGEwJOWjETMBEGA1UEBxMKV2VsbGluZ3RvbjE8MDoG
-A1UEChMzUmVhbGx5IElycmVzcG9uc2libGUgQXV0aG9yaXNhdGlvbiBBdXRob3Jp
-dHkgKFJJQUEpMRYwFAYDVQQLEw1DZXJ0LXN0YW1waW5nMRkwFwYDVQQDExBKYWNr
-b3YgYWwtVHJhZGVzMR8wHQYJKoZIhvcNAQkBFhBub25lQGZha2UuZG9tYWluMIGf
-MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7QdDfFIrJn3X24hKmpkyk3TG0Ivxd
-K2wWmDPXq1wjr8lUTwrA6hM5Ba9N36jLieWpXhviLOWu9DBza5GmtgCuXloATKTC
-94xOdKHlciTVujG3wDlLDB5e710Kar84nnj6VueL1RyZ0bmP5PANa4mbGW9Tqc7J
-CkBTTW2y9d0SgQIDAQABo4IBFTCCAREwHQYDVR0OBBYEFEn7RXISxMzhRaHTCJ6V
-xCxtVT8XMIHhBgNVHSMEgdkwgdaAFEn7RXISxMzhRaHTCJ6VxCxtVT8XoYG6pIG3
-MIG0MQswCQYDVQQGEwJOWjETMBEGA1UEBxMKV2VsbGluZ3RvbjE8MDoGA1UEChMz
-UmVhbGx5IElycmVzcG9uc2libGUgQXV0aG9yaXNhdGlvbiBBdXRob3JpdHkgKFJJ
-QUEpMRYwFAYDVQQLEw1DZXJ0LXN0YW1waW5nMRkwFwYDVQQDExBKYWNrb3YgYWwt
-VHJhZGVzMR8wHQYJKoZIhvcNAQkBFhBub25lQGZha2UuZG9tYWluggEAMAwGA1Ud
-EwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYQo95V/NY+eKxYxkhibZiUQygph+
-gTfgbDG20MsnH6+8//w5ArHauFCgDrf0P2VyACgq+N4pBTWFGaAaLwbjKy9HCe2E
-j9C91tO1CqDS4MJkDB5AP13FTkK6fP1ZCiTQranOAp3DlGWTTWsFVyW5kVfQ9diS
-ZOyJZ9Fit5XM2X0=
------END CERTIFICATE-----
diff --git a/demos/tunala/INSTALL b/demos/tunala/INSTALL
deleted file mode 100644 (file)
index a65bbeb..0000000
+++ /dev/null
@@ -1,107 +0,0 @@
-There are two ways to build this code;
-
-(1) Manually
-
-(2) Using all-singing all-dancing (all-confusing) autotools, ie. autoconf,
-automake, and their little friends (autoheader, etc).
-
-=================
-Building Manually
-=================
-
-There is a basic "Makefile" in this directory that gets moved out of the way and
-ignored when building with autoconf et al. This Makefile is suitable for
-building tunala on Linux using gcc. Any other platform probably requires some
-tweaking. Here are the various bits you might need to do if you want to build
-this way and the default Makefile isn't sufficient;
-
-* Compiler: Edit the "CC" definition in Makefile
-
-* Headers, features: tunala.h controls what happens in the non-autoconf world.
-  It, by default, assumes the system has *everything* (except autoconf's
-  "config.h") so if a target system is missing something it must define the
-  appropriate "NO_***" symbols in CFLAGS. These include;
-
-  - NO_HAVE_UNISTD_H, NO_HAVE_FCNTL_H, NO_HAVE_LIMITS_H
-    Indicates the compiling system doesn't have (or need) these header files.
-  - NO_HAVE_STRSTR, NO_HAVE_STRTOUL
-    Indicates the compiling system doesn't have these functions. Replacements
-    are compiled and used in breakage.c
-  - NO_HAVE_SELECT, NO_HAVE_SOCKET
-    Pointless symbols - these indicate select() and/or socket() are missing in
-    which case the program won't compile anyway.
-
-  If you want to specify any of these, add them with "-D" prefixed to each in
-  the CFLAGS definition in Makefile.
-
-* Compilation flags: edit DEBUG_FLAGS and/or CFLAGS directly to control the
-  flags passed to the compiler. This can also be used to change the degree of
-  optimisation.
-
-* Linker flags: some systems (eg. Solaris) require extra linker flags such as;
-  -ldl, -lsocket, -lnsl, etc. If unsure, bring up the man page for whichever
-  function is "undefined" when the linker fails - that usually indicates what
-  you need to add. Make changes to the LINK_FLAGS symbol.
-
-* Linker command: if a different linker syntax or even a different program is
-  required to link, edit the linker line directly in the "tunala:" target
-  definition - it currently assumes the "CC" (compiler) program is used to link.
-
-======================
-Building Automagically
-======================
-
-Automagic building is handled courtesy of autoconf, automake, etc. There are in
-fact two steps required to build, and only the first has to be done on a system
-with these tools installed (and if I was prepared to bloat out the CVS
-repository, I could store these extra files, but I'm not).
-
-First step: "autogunk.sh"
--------------------------
-
-The "./autogunk.sh" script will call all the necessary autotool commands to
-create missing files and run automake and autoconf. The result is that a
-"./configure" script should be generated and a "Makefile.in" generated from the
-supplied "Makefile.am". NB: This script also moves the "manual" Makefile (see
-above) out of the way and calls it "Makefile.plain" - the "ungunk" script
-reverses this to leave the directory it was previously.
-
-Once "ungunk" has been run, the resulting directory should be able to build on
-other systems without autoconf, automake, or libtool. Which is what the second
-step describes;
-
-Second step: "./configure"
---------------------------
-
-The second step is to run the generated "./configure" script to create a
-config.h header for your system and to generate a "Makefile" (generated from
-"Makefile.in") tweaked to compile on your system. This is the standard sort of
-thing you see in GNU packages, for example, and the standard tricks also work.
-Eg. to override "configure"'s choice of compiler, set the CC environment
-variable prior to running configure, eg.
-
-    CC=gcc ./configure
-
-would cause "gcc" to be used even if there is an otherwise preferable (to
-autoconf) native compiler on your system.
-
-After this run "make" and it should build the "tunala" executable.
-
-Notes
------
-
-- Some versions of autoconf (or automake?) generate a Makefile syntax that gives
-  trouble to some "make" programs on some systems (eg. OpenBSD). If this
-  happens, either build 'Manually' (see above) or use "gmake" instead of "make".
-  I don't like this either but like even less the idea of sifting into all the
-  script magic crud that's involved.
-
-- On a solaris system I tried, the "configure" script specified some broken
-  compiler flags in the resulting Makefile that don't even get echoed to
-  stdout/err when the error happens (evil!). If this happens, go into the
-  generated Makefile, find the two affected targets ("%.o:" and "%.lo"), and
-  remove the offending hidden option in the $(COMPILE) line all the sludge after
-  the two first lines of script (ie. after the "echo" and the "COMPILE" lines).
-  NB: This will probably only function if "--disable-shared" was used, otherwise
-  who knows what would result ...
-
diff --git a/demos/tunala/Makefile b/demos/tunala/Makefile
deleted file mode 100644 (file)
index bef1704..0000000
+++ /dev/null
@@ -1,41 +0,0 @@
-# Edit these to suit
-#
-# Oh yeah, and please read the README too.
-
-
-SSL_HOMEDIR=../..
-SSL_INCLUDEDIR=$(SSL_HOMEDIR)/include
-SSL_LIBDIR=$(SSL_HOMEDIR)
-
-RM=rm -f
-CC=gcc
-DEBUG_FLAGS=-g -ggdb3 -Wall -Wshadow
-INCLUDE_FLAGS=-I$(SSL_INCLUDEDIR)
-CFLAGS=$(DEBUG_FLAGS) $(INCLUDE_FLAGS) -DNO_CONFIG_H
-COMPILE=$(CC) $(CFLAGS) -c
-
-# Edit, particularly the "-ldl" if not building with "dlfcn" support
-LINK_FLAGS=-L$(SSL_LIBDIR) -lssl -lcrypto -ldl
-
-SRCS=buffer.c cb.c ip.c sm.c tunala.c breakage.c
-OBJS=buffer.o cb.o ip.o sm.o tunala.o breakage.o
-
-TARGETS=tunala
-
-default: $(TARGETS)
-
-clean:
-       $(RM) $(OBJS) $(TARGETS) *.bak core
-
-.c.o:
-       $(COMPILE) $<
-
-tunala: $(OBJS)
-       $(CC) -o tunala $(OBJS) $(LINK_FLAGS)
-
-# Extra dependencies, should really use makedepend
-buffer.o: buffer.c tunala.h
-cb.o: cb.c tunala.h
-ip.o: ip.c tunala.h
-sm.o: sm.c tunala.h
-tunala.o: tunala.c tunala.h
diff --git a/demos/tunala/Makefile.am b/demos/tunala/Makefile.am
deleted file mode 100644 (file)
index 706c780..0000000
+++ /dev/null
@@ -1,7 +0,0 @@
-# Our includes come from the OpenSSL build-tree we're in
-INCLUDES               = -I$(top_builddir)/../../include
-
-bin_PROGRAMS           = tunala
-
-tunala_SOURCES         = tunala.c buffer.c cb.c ip.c sm.c breakage.c
-tunala_LDADD           = -L$(top_builddir)/../.. -lssl -lcrypto
diff --git a/demos/tunala/README b/demos/tunala/README
deleted file mode 100644 (file)
index 1569008..0000000
+++ /dev/null
@@ -1,233 +0,0 @@
-This is intended to be an example of a state-machine driven SSL application. It
-acts as an SSL tunneler (functioning as either the server or client half,
-depending on command-line arguments). *PLEASE* read the comments in tunala.h
-before you treat this stuff as anything more than a curiosity - YOU HAVE BEEN
-WARNED!! There, that's the draconian bit out of the way ...
-
-
-Why "tunala"??
---------------
-
-I thought I asked you to read tunala.h?? :-)
-
-
-Show me
--------
-
-If you want to simply see it running, skip to the end and see some example
-command-line arguments to demonstrate with.
-
-
-Where to look and what to do?
------------------------------
-
-The code is split up roughly coinciding with the detaching of an "abstract" SSL
-state machine (which is the purpose of all this) and its surrounding application
-specifics. This is primarily to make it possible for me to know when I could cut
-corners and when I needed to be rigorous (or at least maintain the pretense as
-such :-).
-
-Network stuff:
-
-Basically, the network part of all this is what is supposed to be abstracted out
-of the way. The intention is to illustrate one way to stick OpenSSL's mechanisms
-inside a little memory-driven sandbox and operate it like a pure state-machine.
-So, the network code is inside both ip.c (general utility functions and gory
-IPv4 details) and tunala.c itself, which takes care of application specifics
-like the main select() loop. The connectivity between the specifics of this
-application (TCP/IP tunneling and the associated network code) and the
-underlying abstract SSL state machine stuff is through the use of the "buffer_t"
-type, declared in tunala.h and implemented in buffer.c.
-
-State machine:
-
-Which leaves us, generally speaking, with the abstract "state machine" code left
-over and this is sitting inside sm.c, with declarations inside tunala.h. As can
-be seen by the definition of the state_machine_t structure and the associated
-functions to manipulate it, there are the 3 OpenSSL "handles" plus 4 buffer_t
-structures dealing with IO on both the encrypted and unencrypted sides ("dirty"
-and "clean" respectively). The "SSL" handle is what facilitates the reading and
-writing of the unencrypted (tunneled) data. The two "BIO" handles act as the
-read and write channels for encrypted tunnel traffic - in other applications
-these are often socket BIOs so that the OpenSSL framework operates with the
-network layer directly. In this example, those two BIOs are memory BIOs
-(BIO_s_mem()) so that the sending and receiving of the tunnel traffic stays
-within the state-machine, and we can handle where this gets send to (or read
-from) ourselves.
-
-
-Why?
-----
-
-If you take a look at the "state_machine_t" section of tunala.h and the code in
-sm.c, you will notice that nothing related to the concept of 'transport' is
-involved. The binding to TCP/IP networking occurs in tunala.c, specifically
-within the "tunala_item_t" structure that associates a state_machine_t object
-with 4 file-descriptors. The way to best see where the bridge between the
-outside world (TCP/IP reads, writes, select()s, file-descriptors, etc) and the
-state machine is, is to examine the "tunala_item_io()" function in tunala.c.
-This is currently around lines 641-732 but of course could be subject to change.
-
-
-And...?
--------
-
-Well, although that function is around 90 lines of code, it could easily have
-been a lot less only I was trying to address an easily missed "gotcha" (item (2)
-below). The main() code that drives the select/accept/IO loop initialises new
-tunala_item_t structures when connections arrive, and works out which
-file-descriptors go where depending on whether we're an SSL client or server
-(client --> accepted connection is clean and proxied is dirty, server -->
-accepted connection is dirty and proxied is clean). What that tunala_item_io()
-function is attempting to do is 2 things;
-
-  (1) Perform all reads and writes on the network directly into the
-      state_machine_t's buffers (based on a previous select() result), and only
-      then allow the abstact state_machine_t to "churn()" using those buffers.
-      This will cause the SSL machine to consume as much input data from the two
-      "IN" buffers as possible, and generate as much output data into the two
-      "OUT" buffers as possible. Back up in the main() function, the next main
-      loop loop will examine these output buffers and select() for writability
-      on the corresponding sockets if the buffers are non-empty.
-
-  (2) Handle the complicated tunneling-specific issue of cascading "close"s.
-      This is the reason for most of the complexity in the logic - if one side
-      of the tunnel is closed, you can't simply close the other side and throw
-      away the whole thing - (a) there may still be outgoing data on the other
-      side of the tunnel that hasn't been sent yet, (b) the close (or things
-      happening during the close) may cause more data to be generated that needs
-      sending on the other side. Of course, this logic is complicated yet futher
-      by the fact that it's different depending on which side closes first :-)
-      state_machine_close_clean() will indicate to the state machine that the
-      unencrypted side of the tunnel has closed, so any existing outgoing data
-      needs to be flushed, and the SSL stream needs to be closed down using the
-      appropriate shutdown sequence. state_machine_close_dirty() is simpler
-      because it indicates that the SSL stream has been disconnected, so all
-      that remains before closing the other side is to flush out anything that
-      remains and wait for it to all be sent.
-
-Anyway, with those things in mind, the code should be a little easier to follow
-in terms of "what is *this* bit supposed to achieve??!!".
-
-
-How might this help?
---------------------
-
-Well, the reason I wrote this is that there seemed to be rather a flood of
-questions of late on the openssl-dev and openssl-users lists about getting this
-whole IO logic thing sorted out, particularly by those who were trying to either
-use non-blocking IO, or wanted SSL in an environment where "something else" was
-handling the network already and they needed to operate in memory only. This
-code is loosely based on some other stuff I've been working on, although that
-stuff is far more complete, far more dependant on a whole slew of other
-network/framework code I don't want to incorporate here, and far harder to look
-at for 5 minutes and follow where everything is going. I will be trying over
-time to suck in a few things from that into this demo in the hopes it might be
-more useful, and maybe to even make this demo usable as a utility of its own.
-Possible things include:
-
-  * controlling multiple processes/threads - this can be used to combat
-    latencies and get passed file-descriptor limits on some systems, and it uses
-    a "controller" process/thread that maintains IPC links with the
-    processes/threads doing the real work.
-
-  * cert verification rules - having some say over which certs get in or out :-)
-
-  * control over SSL protocols and cipher suites
-
-  * A few other things you can already do in s_client and s_server :-)
-
-  * Support (and control over) session resuming, particularly when functioning
-    as an SSL client.
-
-If you have a particular environment where this model might work to let you "do
-SSL" without having OpenSSL be aware of the transport, then you should find you
-could use the state_machine_t structure (or your own variant thereof) and hook
-it up to your transport stuff in much the way tunala.c matches it up with those
-4 file-descriptors. The state_machine_churn(), state_machine_close_clean(), and
-state_machine_close_dirty() functions are the main things to understand - after
-that's done, you just have to ensure you're feeding and bleeding the 4
-state_machine buffers in a logical fashion. This state_machine loop handles not
-only handshakes and normal streaming, but also renegotiates - there's no special
-handling required beyond keeping an eye on those 4 buffers and keeping them in
-sync with your outer "loop" logic. Ie. if one of the OUT buffers is not empty,
-you need to find an opportunity to try and forward its data on. If one of the IN
-buffers is not full, you should keep an eye out for data arriving that should be
-placed there.
-
-This approach could hopefully also allow you to run the SSL protocol in very
-different environments. As an example, you could support encrypted event-driven
-IPC where threads/processes pass messages to each other inside an SSL layer;
-each IPC-message's payload would be in fact the "dirty" content, and the "clean"
-payload coming out of the tunnel at each end would be the real intended message.
-Likewise, this could *easily* be made to work across unix domain sockets, or
-even entirely different network/comms protocols.
-
-This is also a quick and easy way to do VPN if you (and the remote network's
-gateway) support virtual network devices that are encapsulted in a single
-network connection, perhaps PPP going through an SSL tunnel?
-
-
-Suggestions
------------
-
-Please let me know if you find this useful, or if there's anything wrong or
-simply too confusing about it. Patches are also welcome, but please attach a
-description of what it changes and why, and "diff -urN" format is preferred.
-Mail to geoff@openssl.org should do the trick.
-
-
-Example
--------
-
-Here is an example of how to use "tunala" ...
-
-First, it's assumed that OpenSSL has already built, and that you are building
-inside the ./demos/tunala/ directory. If not - please correct the paths and
-flags inside the Makefile. Likewise, if you want to tweak the building, it's
-best to try and do so in the makefile (eg. removing the debug flags and adding
-optimisation flags).
-
-Secondly, this code has mostly only been tested on Linux. However, some
-autoconf/etc support has been added and the code has been compiled on openbsd
-and solaris using that.
-
-Thirdly, if you are Win32, you probably need to do some *major* rewriting of
-ip.c to stand a hope in hell. Good luck, and please mail me the diff if you do
-this, otherwise I will take a look at another time. It can certainly be done,
-but it's very non-POSIXy.
-
-See the INSTALL document for details on building.
-
-Now, if you don't have an executable "tunala" compiled, go back to "First,...".
-Rinse and repeat.
-
-Inside one console, try typing;
-
-(i)  ./tunala -listen localhost:8080 -proxy localhost:8081 -cacert CA.pem \
-              -cert A-client.pem -out_totals -v_peer -v_strict
-
-In another console, type;
-
-(ii) ./tunala -listen localhost:8081 -proxy localhost:23 -cacert CA.pem \
-              -cert A-server.pem -server 1 -out_totals -v_peer -v_strict
-
-Now if you open another console and "telnet localhost 8080", you should be
-tunneled through to the telnet service on your local machine (if it's running -
-you could change it to port "22" and tunnel ssh instead if you so desired). When
-you logout of the telnet session, the tunnel should cleanly shutdown and show
-you some traffic stats in both consoles. Feel free to experiment. :-)
-
-Notes:
-
- - the format for the "-listen" argument can skip the host part (eg. "-listen
-   8080" is fine). If you do, the listening socket will listen on all interfaces
-   so you can connect from other machines for example. Using the "localhost"
-   form listens only on 127.0.0.1 so you can only connect locally (unless, of
-   course, you've set up weird stuff with your networking in which case probably
-   none of the above applies).
-
- - ./tunala -? gives you a list of other command-line options, but tunala.c is
-   also a good place to look :-)
-
-
diff --git a/demos/tunala/autogunk.sh b/demos/tunala/autogunk.sh
deleted file mode 100755 (executable)
index c9783c6..0000000
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/sh
-
-# This script tries to follow the "GNU way" w.r.t. the autobits.
-# This does of course generate a number of irritating files.
-# Try to get over it (I am getting there myself).
-
-# This should generate any missing crud, and then run autoconf which should turn
-# configure.in into a "./configure" script and "Makefile.am" into a
-# "Makefile.in". Then running "./configure" should turn "Makefile.in" into
-# "Makefile" and should generate the config.h containing your systems various
-# settings. I know ... what a hassle ...
-
-# Also, sometimes these autobits things generate bizarre output (looking like
-# errors). So I direct everything "elsewhere" ...
-
-(aclocal
-autoheader
-libtoolize --copy --force
-automake --foreign --add-missing --copy
-autoconf) 1> /dev/null 2>&1
-
-# Move the "no-autotools" Makefile out of the way
-if test ! -f Makefile.plain; then
-       mv Makefile Makefile.plain
-fi
diff --git a/demos/tunala/autoungunk.sh b/demos/tunala/autoungunk.sh
deleted file mode 100755 (executable)
index 2179088..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/sh
-
-# This script tries to clean up as much as is possible from whatever diabolical
-# mess has been left in the directory thanks to autoconf, automake, and their
-# friends.
-
-if test -f Makefile.plain; then
-       if test -f Makefile; then
-               make distclean
-       fi
-       mv Makefile.plain Makefile
-else
-       make clean
-fi
-
-rm -f aclocal.m4 config.* configure install-sh \
-       missing mkinstalldirs stamp-h.* Makefile.in \
-       ltconfig ltmain.sh depcomp
-rm -rf autom4te.cache
diff --git a/demos/tunala/breakage.c b/demos/tunala/breakage.c
deleted file mode 100644 (file)
index dcdd64b..0000000
+++ /dev/null
@@ -1,66 +0,0 @@
-#include "tunala.h"
-
-int int_strtoul(const char *str, unsigned long *val)
-{
-#ifdef HAVE_STRTOUL
-       char *tmp;
-       unsigned long ret = strtoul(str, &tmp, 10);
-       if((str == tmp) || (*tmp != '\0'))
-               /* The value didn't parse cleanly */
-               return 0;
-       if(ret == ULONG_MAX)
-               /* We hit a limit */
-               return 0;
-       *val = ret;
-       return 1;
-#else
-       char buf[2];
-       unsigned long ret = 0;
-       buf[1] = '\0';
-       if(str == '\0')
-               /* An empty string ... */
-               return 0;
-       while(*str != '\0') {
-               /* We have to multiply 'ret' by 10 before absorbing the next
-                * digit. If this will overflow, catch it now. */
-               if(ret && (((ULONG_MAX + 10) / ret) < 10))
-                       return 0;
-               ret *= 10;
-               if(!isdigit(*str))
-                       return 0;
-               buf[0] = *str;
-               ret += atoi(buf);
-               str++;
-       }
-       *val = ret;
-       return 1;
-#endif
-}
-
-#ifndef HAVE_STRSTR
-char *int_strstr(const char *haystack, const char *needle)
-{
-       const char *sub_haystack = haystack, *sub_needle = needle;
-       unsigned int offset = 0;
-       if(!needle)
-               return haystack;
-       if(!haystack)
-               return NULL;
-       while((*sub_haystack != '\0') && (*sub_needle != '\0')) {
-               if(sub_haystack[offset] == sub_needle) {
-                       /* sub_haystack is still a candidate */
-                       offset++;
-                       sub_needle++;
-               } else {
-                       /* sub_haystack is no longer a possibility */
-                       sub_haystack++;
-                       offset = 0;
-                       sub_needle = needle;
-               }
-       }
-       if(*sub_haystack == '\0')
-               /* Found nothing */
-               return NULL;
-       return sub_haystack;
-}
-#endif
diff --git a/demos/tunala/buffer.c b/demos/tunala/buffer.c
deleted file mode 100644 (file)
index c5cd004..0000000
+++ /dev/null
@@ -1,205 +0,0 @@
-#include "tunala.h"
-
-#ifndef NO_BUFFER
-
-void buffer_init(buffer_t *buf)
-{
-       buf->used = 0;
-       buf->total_in = buf->total_out = 0;
-}
-
-void buffer_close(buffer_t *buf)
-{
-       /* Our data is static - nothing needs "release", just reset it */
-       buf->used = 0;
-}
-
-/* Code these simple ones in compact form */
-unsigned int buffer_used(buffer_t *buf) {
-       return buf->used; }
-unsigned int buffer_unused(buffer_t *buf) {
-       return (MAX_DATA_SIZE - buf->used); }
-int buffer_full(buffer_t *buf) {
-       return (buf->used == MAX_DATA_SIZE ? 1 : 0); }
-int buffer_notfull(buffer_t *buf) {
-       return (buf->used < MAX_DATA_SIZE ? 1 : 0); }
-int buffer_empty(buffer_t *buf) {
-       return (buf->used == 0 ? 1 : 0); }
-int buffer_notempty(buffer_t *buf) {
-       return (buf->used > 0 ? 1 : 0); }
-unsigned long buffer_total_in(buffer_t *buf) {
-       return buf->total_in; }
-unsigned long buffer_total_out(buffer_t *buf) {
-       return buf->total_out; }
-
-/* These 3 static (internal) functions don't adjust the "total" variables as
- * it's not sure when they're called how it should be interpreted. Only the
- * higher-level "buffer_[to|from]_[fd|SSL|BIO]" functions should alter these
- * values. */
-#if 0 /* To avoid "unused" warnings */
-static unsigned int buffer_adddata(buffer_t *buf, const unsigned char *ptr,
-               unsigned int size)
-{
-       unsigned int added = MAX_DATA_SIZE - buf->used;
-       if(added > size)
-               added = size;
-       if(added == 0)
-               return 0;
-       memcpy(buf->data + buf->used, ptr, added);
-       buf->used += added;
-       buf->total_in += added;
-       return added;
-}
-
-static unsigned int buffer_tobuffer(buffer_t *to, buffer_t *from, int cap)
-{
-       unsigned int moved, tomove = from->used;
-       if((int)tomove > cap)
-               tomove = cap;
-       if(tomove == 0)
-               return 0;
-       moved = buffer_adddata(to, from->data, tomove);
-       if(moved == 0)
-               return 0;
-       buffer_takedata(from, NULL, moved);
-       return moved;
-}
-#endif
-
-static unsigned int buffer_takedata(buffer_t *buf, unsigned char *ptr,
-               unsigned int size)
-{
-       unsigned int taken = buf->used;
-       if(taken > size)
-               taken = size;
-       if(taken == 0)
-               return 0;
-       if(ptr)
-               memcpy(ptr, buf->data, taken);
-       buf->used -= taken;
-       /* Do we have to scroll? */
-       if(buf->used > 0)
-               memmove(buf->data, buf->data + taken, buf->used);
-       return taken;
-}
-
-#ifndef NO_IP
-
-int buffer_from_fd(buffer_t *buf, int fd)
-{
-       int toread = buffer_unused(buf);
-       if(toread == 0)
-               /* Shouldn't be called in this case! */
-               abort();
-       toread = read(fd, buf->data + buf->used, toread);
-       if(toread > 0) {
-               buf->used += toread;
-               buf->total_in += toread;
-       }
-       return toread;
-}
-
-int buffer_to_fd(buffer_t *buf, int fd)
-{
-       int towrite = buffer_used(buf);
-       if(towrite == 0)
-               /* Shouldn't be called in this case! */
-               abort();
-       towrite = write(fd, buf->data, towrite);
-       if(towrite > 0) {
-               buffer_takedata(buf, NULL, towrite);
-               buf->total_out += towrite;
-       }
-       return towrite;
-}
-
-#endif /* !defined(NO_IP) */
-
-#ifndef NO_OPENSSL
-
-static void int_ssl_check(SSL *s, int ret)
-{
-       int e = SSL_get_error(s, ret);
-       switch(e) {
-               /* These seem to be harmless and already "dealt with" by our
-                * non-blocking environment. NB: "ZERO_RETURN" is the clean
-                * "error" indicating a successfully closed SSL tunnel. We let
-                * this happen because our IO loop should not appear to have
-                * broken on this condition - and outside the IO loop, the
-                * "shutdown" state is checked. */
-       case SSL_ERROR_NONE:
-       case SSL_ERROR_WANT_READ:
-       case SSL_ERROR_WANT_WRITE:
-       case SSL_ERROR_WANT_X509_LOOKUP:
-       case SSL_ERROR_ZERO_RETURN:
-               return;
-               /* These seem to be indications of a genuine error that should
-                * result in the SSL tunnel being regarded as "dead". */
-       case SSL_ERROR_SYSCALL:
-       case SSL_ERROR_SSL:
-               SSL_set_app_data(s, (char *)1);
-               return;
-       default:
-               break;
-       }
-       /* For any other errors that (a) exist, and (b) crop up - we need to
-        * interpret what to do with them - so "politely inform" the caller that
-        * the code needs updating here. */
-       abort();
-}
-
-void buffer_from_SSL(buffer_t *buf, SSL *ssl)
-{
-       int ret;
-       if(!ssl || buffer_full(buf))
-               return;
-       ret = SSL_read(ssl, buf->data + buf->used, buffer_unused(buf));
-       if(ret > 0) {
-               buf->used += ret;
-               buf->total_in += ret;
-       }
-       if(ret < 0)
-               int_ssl_check(ssl, ret);
-}
-
-void buffer_to_SSL(buffer_t *buf, SSL *ssl)
-{
-       int ret;
-       if(!ssl || buffer_empty(buf))
-               return;
-       ret = SSL_write(ssl, buf->data, buf->used);
-       if(ret > 0) {
-               buffer_takedata(buf, NULL, ret);
-               buf->total_out += ret;
-       }
-       if(ret < 0)
-               int_ssl_check(ssl, ret);
-}
-
-void buffer_from_BIO(buffer_t *buf, BIO *bio)
-{
-       int ret;
-       if(!bio || buffer_full(buf))
-               return;
-       ret = BIO_read(bio, buf->data + buf->used, buffer_unused(buf));
-       if(ret > 0) {
-               buf->used += ret;
-               buf->total_in += ret;
-       }
-}
-
-void buffer_to_BIO(buffer_t *buf, BIO *bio)
-{
-       int ret;
-       if(!bio || buffer_empty(buf))
-               return;
-       ret = BIO_write(bio, buf->data, buf->used);
-       if(ret > 0) {
-               buffer_takedata(buf, NULL, ret);
-               buf->total_out += ret;
-       }
-}
-
-#endif /* !defined(NO_OPENSSL) */
-
-#endif /* !defined(NO_BUFFER) */
diff --git a/demos/tunala/cb.c b/demos/tunala/cb.c
deleted file mode 100644 (file)
index f6e452a..0000000
+++ /dev/null
@@ -1,162 +0,0 @@
-#include "tunala.h"
-
-#ifndef NO_OPENSSL
-
-/* For callbacks generating output, here are their file-descriptors. */
-static FILE *fp_cb_ssl_info = NULL;
-static FILE *fp_cb_ssl_verify = NULL;
-/* Output level:
- *     0 = nothing,
- *     1 = minimal, just errors,
- *     2 = minimal, all steps,
- *     3 = detail, all steps */
-static unsigned int cb_ssl_verify_level = 1;
-
-/* Other static rubbish (to mirror s_cb.c where required) */
-static int int_verify_depth = 10;
-
-/* This function is largely borrowed from the one used in OpenSSL's "s_client"
- * and "s_server" utilities. */
-void cb_ssl_info(const SSL *s, int where, int ret)
-{
-       const char *str1, *str2;
-       int w;
-
-       if(!fp_cb_ssl_info)
-               return;
-
-       w = where & ~SSL_ST_MASK;
-       str1 = (w & SSL_ST_CONNECT ? "SSL_connect" : (w & SSL_ST_ACCEPT ?
-                               "SSL_accept" : "undefined")),
-       str2 = SSL_state_string_long(s);
-
-       if (where & SSL_CB_LOOP)
-               fprintf(fp_cb_ssl_info, "(%s) %s\n", str1, str2);
-       else if (where & SSL_CB_EXIT) {
-               if (ret == 0)
-                       fprintf(fp_cb_ssl_info, "(%s) failed in %s\n", str1, str2);
-/* In a non-blocking model, we get a few of these "error"s simply because we're
- * calling "reads" and "writes" on the state-machine that are virtual NOPs
- * simply to avoid wasting the time seeing if we *should* call them. Removing
- * this case makes the "-out_state" output a lot easier on the eye. */
-#if 0
-               else if (ret < 0)
-                       fprintf(fp_cb_ssl_info, "%s:error in %s\n", str1, str2);
-#endif
-       }
-}
-
-void cb_ssl_info_set_output(FILE *fp)
-{
-       fp_cb_ssl_info = fp;
-}
-
-static const char *int_reason_no_issuer = "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT";
-static const char *int_reason_not_yet = "X509_V_ERR_CERT_NOT_YET_VALID";
-static const char *int_reason_before = "X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD";
-static const char *int_reason_expired = "X509_V_ERR_CERT_HAS_EXPIRED";
-static const char *int_reason_after = "X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD";
-
-/* Stolen wholesale from apps/s_cb.c :-) And since then, mutilated ... */
-int cb_ssl_verify(int ok, X509_STORE_CTX *ctx)
-{
-       char buf1[256]; /* Used for the subject name */
-       char buf2[256]; /* Used for the issuer name */
-       const char *reason = NULL; /* Error reason (if any) */
-       X509 *err_cert;
-       int err, depth;
-
-       if(!fp_cb_ssl_verify || (cb_ssl_verify_level == 0))
-               return ok;
-       err_cert = X509_STORE_CTX_get_current_cert(ctx);
-       err = X509_STORE_CTX_get_error(ctx);
-       depth = X509_STORE_CTX_get_error_depth(ctx);
-
-       buf1[0] = buf2[0] = '\0';
-       /* Fill buf1 */
-       X509_NAME_oneline(X509_get_subject_name(err_cert), buf1, 256);
-       /* Fill buf2 */
-       X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf2, 256);
-       switch (ctx->error) {
-       case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
-               reason = int_reason_no_issuer;
-               break;
-       case X509_V_ERR_CERT_NOT_YET_VALID:
-               reason = int_reason_not_yet;
-               break;
-       case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
-               reason = int_reason_before;
-               break;
-       case X509_V_ERR_CERT_HAS_EXPIRED:
-               reason = int_reason_expired;
-               break;
-       case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
-               reason = int_reason_after;
-               break;
-       }
-
-       if((cb_ssl_verify_level == 1) && ok)
-               return ok;
-       fprintf(fp_cb_ssl_verify, "chain-depth=%d, ", depth);
-       if(reason)
-               fprintf(fp_cb_ssl_verify, "error=%s\n", reason);
-       else
-               fprintf(fp_cb_ssl_verify, "error=%d\n", err);
-       if(cb_ssl_verify_level < 3)
-               return ok;
-       fprintf(fp_cb_ssl_verify, "--> subject = %s\n", buf1);
-       fprintf(fp_cb_ssl_verify, "--> issuer  = %s\n", buf2);
-       if(!ok)
-               fprintf(fp_cb_ssl_verify,"--> verify error:num=%d:%s\n",err,
-                       X509_verify_cert_error_string(err));
-       fprintf(fp_cb_ssl_verify, "--> verify return:%d\n",ok);
-       return ok;
-}
-
-void cb_ssl_verify_set_output(FILE *fp)
-{
-       fp_cb_ssl_verify = fp;
-}
-
-void cb_ssl_verify_set_depth(unsigned int verify_depth)
-{
-       int_verify_depth = verify_depth;
-}
-
-void cb_ssl_verify_set_level(unsigned int level)
-{
-       if(level < 4)
-               cb_ssl_verify_level = level;
-}
-
-RSA *cb_generate_tmp_rsa(SSL *s, int is_export, int keylength)
-{
-       /* TODO: Perhaps make it so our global key can be generated on-the-fly
-        * after certain intervals? */
-       static RSA *rsa_tmp = NULL;
-       BIGNUM *bn = NULL;
-       int ok = 1;
-       if(!rsa_tmp) {
-               ok = 0;
-               if(!(bn = BN_new()))
-                       goto end;
-               if(!BN_set_word(bn, RSA_F4))
-                       goto end;
-               if(!(rsa_tmp = RSA_new()))
-                       goto end;
-               if(!RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL))
-                       goto end;
-               ok = 1;
-       }
-end:
-       if(bn)
-               BN_free(bn);
-       if(!ok) {
-               RSA_free(rsa_tmp);
-               rsa_tmp = NULL;
-       }
-       return rsa_tmp;
-}
-
-#endif /* !defined(NO_OPENSSL) */
-
diff --git a/demos/tunala/configure.in b/demos/tunala/configure.in
deleted file mode 100644 (file)
index 590cdbf..0000000
+++ /dev/null
@@ -1,29 +0,0 @@
-dnl Process this file with autoconf to produce a configure script.
-AC_INIT(tunala.c)
-AM_CONFIG_HEADER(config.h)
-AM_INIT_AUTOMAKE(tunala, 0.0.1-dev)
-
-dnl Checks for programs. (Though skip libtool)
-AC_PROG_CC
-dnl AC_PROG_LIBTOOL
-dnl AM_PROG_LIBTOOL
-
-dnl Checks for libraries.
-AC_CHECK_LIB(dl, dlopen)
-AC_CHECK_LIB(z, inflate)
-AC_CHECK_LIB(socket, socket)
-AC_CHECK_LIB(nsl, gethostbyname)
-
-dnl Checks for header files.
-AC_HEADER_STDC
-AC_CHECK_HEADERS(fcntl.h limits.h unistd.h)
-
-dnl Checks for typedefs, structures, and compiler characteristics.
-AC_C_CONST
-
-dnl Checks for library functions.
-AC_CHECK_FUNCS(strstr strtoul)
-AC_CHECK_FUNCS(select socket)
-AC_CHECK_FUNCS(dlopen)
-
-AC_OUTPUT(Makefile)
diff --git a/demos/tunala/ip.c b/demos/tunala/ip.c
deleted file mode 100644 (file)
index 96ef4e6..0000000
+++ /dev/null
@@ -1,146 +0,0 @@
-#include "tunala.h"
-
-#ifndef NO_IP
-
-#define IP_LISTENER_BACKLOG 511 /* So if it gets masked by 256 or some other
-                                  such value it'll still be respectable */
-
-/* Any IP-related initialisations. For now, this means blocking SIGPIPE */
-int ip_initialise(void)
-{
-       struct sigaction sa;
-
-       sa.sa_handler = SIG_IGN;
-       sa.sa_flags = 0;
-       sigemptyset(&sa.sa_mask);
-       if(sigaction(SIGPIPE, &sa, NULL) != 0)
-               return 0;
-       return 1;
-}
-
-int ip_create_listener_split(const char *ip, unsigned short port)
-{
-       struct sockaddr_in in_addr;
-       int fd = -1;
-       int reuseVal = 1;
-
-       /* Create the socket */
-       if((fd = socket(PF_INET, SOCK_STREAM, 0)) == -1)
-               goto err;
-       /* Set the SO_REUSEADDR flag - servers act weird without it */
-       if(setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *)(&reuseVal),
-                               sizeof(reuseVal)) != 0)
-               goto err;
-       /* Prepare the listen address stuff */
-       in_addr.sin_family = AF_INET;
-       memcpy(&in_addr.sin_addr.s_addr, ip, 4);
-       in_addr.sin_port = htons(port);
-       /* Bind to the required port/address/interface */
-       if(bind(fd, (struct sockaddr *)&in_addr, sizeof(struct sockaddr_in)) != 0)
-               goto err;
-       /* Start "listening" */
-       if(listen(fd, IP_LISTENER_BACKLOG) != 0)
-               goto err;
-       return fd;
-err:
-       if(fd != -1)
-               close(fd);
-       return -1;
-}
-
-int ip_create_connection_split(const char *ip, unsigned short port)
-{
-       struct sockaddr_in in_addr;
-       int flags, fd = -1;
-
-       /* Create the socket */
-       if((fd = socket(PF_INET, SOCK_STREAM, 0)) == -1)
-               goto err;
-       /* Make it non-blocking */
-       if(((flags = fcntl(fd, F_GETFL, 0)) < 0) ||
-                       (fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0))
-               goto err;
-       /* Prepare the connection address stuff */
-       in_addr.sin_family = AF_INET;
-       memcpy(&in_addr.sin_addr.s_addr, ip, 4);
-       in_addr.sin_port = htons(port);
-       /* Start a connect (non-blocking, in all likelihood) */
-       if((connect(fd, (struct sockaddr *)&in_addr,
-                       sizeof(struct sockaddr_in)) != 0) &&
-                       (errno != EINPROGRESS))
-               goto err;
-       return fd;
-err:
-       if(fd != -1)
-               close(fd);
-       return -1;
-}
-
-static char all_local_ip[] = {0x00,0x00,0x00,0x00};
-
-int ip_parse_address(const char *address, const char **parsed_ip,
-               unsigned short *parsed_port, int accept_all_ip)
-{
-       char buf[256];
-       struct hostent *lookup;
-       unsigned long port;
-       const char *ptr = strstr(address, ":");
-       const char *ip = all_local_ip;
-
-       if(!ptr) {
-               /* We assume we're listening on all local interfaces and have
-                * only specified a port. */
-               if(!accept_all_ip)
-                       return 0;
-               ptr = address;
-               goto determine_port;
-       }
-       if((ptr - address) > 255)
-               return 0;
-       memset(buf, 0, 256);
-       memcpy(buf, address, ptr - address);
-       ptr++;
-       if((lookup = gethostbyname(buf)) == NULL) {
-               /* Spit a message to differentiate between lookup failures and
-                * bad strings. */
-               fprintf(stderr, "hostname lookup for '%s' failed\n", buf);
-               return 0;
-       }
-       ip = lookup->h_addr_list[0];
-determine_port:
-       if(strlen(ptr) < 1)
-               return 0;
-       if(!int_strtoul(ptr, &port) || (port > 65535))
-               return 0;
-       *parsed_ip = ip;
-       *parsed_port = (unsigned short)port;
-       return 1;
-}
-
-int ip_create_listener(const char *address)
-{
-       const char *ip;
-       unsigned short port;
-
-       if(!ip_parse_address(address, &ip, &port, 1))
-               return -1;
-       return ip_create_listener_split(ip, port);
-}
-
-int ip_create_connection(const char *address)
-{
-       const char *ip;
-       unsigned short port;
-
-       if(!ip_parse_address(address, &ip, &port, 0))
-               return -1;
-       return ip_create_connection_split(ip, port);
-}
-
-int ip_accept_connection(int listen_fd)
-{
-       return accept(listen_fd, NULL, NULL);
-}
-
-#endif /* !defined(NO_IP) */
-
diff --git a/demos/tunala/sm.c b/demos/tunala/sm.c
deleted file mode 100644 (file)
index 25359e6..0000000
+++ /dev/null
@@ -1,151 +0,0 @@
-#include "tunala.h"
-
-#ifndef NO_TUNALA
-
-void state_machine_init(state_machine_t *machine)
-{
-       machine->ssl = NULL;
-       machine->bio_intossl = machine->bio_fromssl = NULL;
-       buffer_init(&machine->clean_in);
-       buffer_init(&machine->clean_out);
-       buffer_init(&machine->dirty_in);
-       buffer_init(&machine->dirty_out);
-}
-
-void state_machine_close(state_machine_t *machine)
-{
-       if(machine->ssl)
-               SSL_free(machine->ssl);
-/* SSL_free seems to decrement the reference counts already so doing this goes
- * kaboom. */
-#if 0
-       if(machine->bio_intossl)
-               BIO_free(machine->bio_intossl);
-       if(machine->bio_fromssl)
-               BIO_free(machine->bio_fromssl);
-#endif
-       buffer_close(&machine->clean_in);
-       buffer_close(&machine->clean_out);
-       buffer_close(&machine->dirty_in);
-       buffer_close(&machine->dirty_out);
-       state_machine_init(machine);
-}
-
-buffer_t *state_machine_get_buffer(state_machine_t *machine, sm_buffer_t type)
-{
-       switch(type) {
-       case SM_CLEAN_IN:
-               return &machine->clean_in;
-       case SM_CLEAN_OUT:
-               return &machine->clean_out;
-       case SM_DIRTY_IN:
-               return &machine->dirty_in;
-       case SM_DIRTY_OUT:
-               return &machine->dirty_out;
-       default:
-               break;
-       }
-       /* Should never get here */
-       abort();
-       return NULL;
-}
-
-SSL *state_machine_get_SSL(state_machine_t *machine)
-{
-       return machine->ssl;
-}
-
-int state_machine_set_SSL(state_machine_t *machine, SSL *ssl, int is_server)
-{
-       if(machine->ssl)
-               /* Shouldn't ever be set twice */
-               abort();
-       machine->ssl = ssl;
-       /* Create the BIOs to handle the dirty side of the SSL */
-       if((machine->bio_intossl = BIO_new(BIO_s_mem())) == NULL)
-               abort();
-       if((machine->bio_fromssl = BIO_new(BIO_s_mem())) == NULL)
-               abort();
-       /* Hook up the BIOs on the dirty side of the SSL */
-       SSL_set_bio(machine->ssl, machine->bio_intossl, machine->bio_fromssl);
-       if(is_server)
-               SSL_set_accept_state(machine->ssl);
-       else
-               SSL_set_connect_state(machine->ssl);
-       /* If we're the first one to generate traffic - do it now otherwise we
-        * go into the next select empty-handed and our peer will not send data
-        * but will similarly wait for us. */
-       return state_machine_churn(machine);
-}
-
-/* Performs the data-IO loop and returns zero if the machine should close */
-int state_machine_churn(state_machine_t *machine)
-{
-       unsigned int loop;
-       if(machine->ssl == NULL) {
-               if(buffer_empty(&machine->clean_out))
-                       /* Time to close this state-machine altogether */
-                       return 0;
-               else
-                       /* Still buffered data on the clean side to go out */
-                       return 1;
-       }
-       /* Do this loop twice to cover any dependencies about which precise
-        * order of reads and writes is required. */
-       for(loop = 0; loop < 2; loop++) {
-               buffer_to_SSL(&machine->clean_in, machine->ssl);
-               buffer_to_BIO(&machine->dirty_in, machine->bio_intossl);
-               buffer_from_SSL(&machine->clean_out, machine->ssl);
-               buffer_from_BIO(&machine->dirty_out, machine->bio_fromssl);
-       }
-       /* We close on the SSL side if the info callback noticed some problems
-        * or an SSL shutdown was underway and shutdown traffic had all been
-        * sent. */
-       if(SSL_get_app_data(machine->ssl) || (SSL_get_shutdown(machine->ssl) &&
-                               buffer_empty(&machine->dirty_out))) {
-               /* Great, we can seal off the dirty side completely */
-               if(!state_machine_close_dirty(machine))
-                       return 0;
-       }
-       /* Either the SSL is alive and well, or the closing process still has
-        * outgoing data waiting to be sent */
-       return 1;
-}
-
-/* Called when the clean side of the SSL has lost its connection */
-int state_machine_close_clean(state_machine_t *machine)
-{
-       /* Well, first thing to do is null out the clean-side buffers - they're
-        * no use any more. */
-       buffer_close(&machine->clean_in);
-       buffer_close(&machine->clean_out);
-       /* And start an SSL shutdown */
-       if(machine->ssl)
-               SSL_shutdown(machine->ssl);
-       /* This is an "event", so flush the SSL of any generated traffic */
-       state_machine_churn(machine);
-       if(buffer_empty(&machine->dirty_in) &&
-                       buffer_empty(&machine->dirty_out))
-               return 0;
-       return 1;
-}
-
-/* Called when the dirty side of the SSL has lost its connection. This is pretty
- * terminal as all that can be left to do is send any buffered output on the
- * clean side - after that, we're done. */
-int state_machine_close_dirty(state_machine_t *machine)
-{
-       buffer_close(&machine->dirty_in);
-       buffer_close(&machine->dirty_out);
-       buffer_close(&machine->clean_in);
-       if(machine->ssl)
-               SSL_free(machine->ssl);
-       machine->ssl = NULL;
-       machine->bio_intossl = machine->bio_fromssl = NULL;
-       if(buffer_empty(&machine->clean_out))
-               return 0;
-       return 1;
-}
-
-#endif /* !defined(NO_TUNALA) */
-
diff --git a/demos/tunala/test.sh b/demos/tunala/test.sh
deleted file mode 100755 (executable)
index 105b447..0000000
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/bin/sh
-
-HTTP="localhost:8080"
-CLIENT_PORT="9020"
-SERVER_PORT="9021"
-
-sub_test ()
-{
-       echo "STARTING - $VER $CIPHER"
-       ./tunala -listen localhost:$CLIENT_PORT -proxy localhost:$SERVER_PORT \
-               -cacert CA.pem -cert A-client.pem -server 0 \
-               -dh_special standard -v_peer -v_strict \
-               $VER -cipher $CIPHER 1> tc1.txt 2> tc2.txt &
-       ./tunala -listen localhost:$SERVER_PORT -proxy $HTTP \
-               -cacert CA.pem -cert A-server.pem -server 1 \
-               -dh_special standard -v_peer -v_strict \
-               $VER -cipher $CIPHER 1> ts1.txt 2> ts2.txt &
-       # Wait for the servers to be listening before starting the wget test
-       DONE="no"
-       while [ "$DONE" != "yes" ]; do
-               L1=`netstat -a | egrep "LISTEN[\t ]*$" | grep ":$CLIENT_PORT"`
-               L2=`netstat -a | egrep "LISTEN[\t ]*$" | grep ":$SERVER_PORT"`
-               if [ "x$L1" != "x" ]; then
-                       DONE="yes"
-               elif [ "x$L2" != "x" ]; then
-                       DONE="yes"
-               else
-                       sleep 1
-               fi
-       done
-       HTML=`wget -O - -T 1 http://localhost:$CLIENT_PORT 2> /dev/null | grep "<HTML>"`
-       if [ "x$HTML" != "x" ]; then
-               echo "OK - $CIPHER ($VER)"
-       else
-               echo "FAIL - $CIPHER ($VER)"
-               killall tunala
-               exit 1
-       fi
-       killall tunala
-       # Wait for the servers to stop before returning - otherwise the next
-       # test my fail to start ... (fscking race conditions)
-       DONE="yes"
-       while [ "$DONE" != "no" ]; do
-               L1=`netstat -a | egrep "LISTEN[\t ]*$" | grep ":$CLIENT_PORT"`
-               L2=`netstat -a | egrep "LISTEN[\t ]*$" | grep ":$SERVER_PORT"`
-               if [ "x$L1" != "x" ]; then
-                       DONE="yes"
-               elif [ "x$L2" != "x" ]; then
-                       DONE="yes"
-               else
-                       DONE="no"
-               fi
-       done
-       exit 0
-}
-
-run_test ()
-{
-       (sub_test 1> /dev/null) || exit 1
-}
-
-run_ssl_test ()
-{
-killall tunala 1> /dev/null 2> /dev/null
-echo ""
-echo "Starting all $PRETTY tests"
-if [ "$PRETTY" != "SSLv2" ]; then
-       if [ "$PRETTY" != "SSLv3" ]; then
-               export VER="-no_ssl2 -no_ssl3"
-               export OSSL="-tls1"
-       else
-               export VER="-no_ssl2 -no_tls1"
-               export OSSL="-ssl3"
-       fi
-else
-       export VER="-no_ssl3 -no_tls1"
-       export OSSL="-ssl2"
-fi
-LIST="`../../apps/openssl ciphers $OSSL | sed -e 's/:/ /g'`"
-#echo "$LIST"
-for i in $LIST; do \
-       DSS=`echo "$i" | grep "DSS"`
-       if [ "x$DSS" != "x" ]; then
-               echo "---- skipping $i (no DSA cert/keys) ----"
-       else
-               export CIPHER=$i
-               run_test
-               echo "SUCCESS: $i"
-       fi
-done;
-}
-
-# Welcome the user
-echo "Tests will assume an http server running at $HTTP"
-
-# TLSv1 test
-export PRETTY="TLSv1"
-run_ssl_test
-
-# SSLv3 test
-export PRETTY="SSLv3"
-run_ssl_test
-
-# SSLv2 test
-export PRETTY="SSLv2"
-run_ssl_test
-
diff --git a/demos/tunala/tunala.c b/demos/tunala/tunala.c
deleted file mode 100644 (file)
index ec49d3e..0000000
+++ /dev/null
@@ -1,1109 +0,0 @@
-#if defined(NO_BUFFER) || defined(NO_IP) || defined(NO_OPENSSL)
-#error "Badness, NO_BUFFER, NO_IP or NO_OPENSSL is defined, turn them *off*"
-#endif
-
-/* Include our bits'n'pieces */
-#include "tunala.h"
-
-
-/********************************************/
-/* Our local types that specify our "world" */
-/********************************************/
-
-/* These represent running "tunnels". Eg. if you wanted to do SSL in a
- * "message-passing" scanario, the "int" file-descriptors might be replaced by
- * thread or process IDs, and the "select" code might be replaced by message
- * handling code. Whatever. */
-typedef struct _tunala_item_t {
-       /* The underlying SSL state machine. This is a data-only processing unit
-        * and we communicate with it by talking to its four "buffers". */
-       state_machine_t sm;
-       /* The file-descriptors for the "dirty" (encrypted) side of the SSL
-        * setup. In actuality, this is typically a socket and both values are
-        * identical. */
-       int dirty_read, dirty_send;
-       /* The file-descriptors for the "clean" (unencrypted) side of the SSL
-        * setup. These could be stdin/stdout, a socket (both values the same),
-        * or whatever you like. */
-       int clean_read, clean_send;
-} tunala_item_t;
-
-/* This structure is used as the data for running the main loop. Namely, in a
- * network format such as this, it is stuff for select() - but as pointed out,
- * when moving the real-world to somewhere else, this might be replaced by
- * something entirely different. It's basically the stuff that controls when
- * it's time to do some "work". */
-typedef struct _select_sets_t {
-       int max; /* As required as the first argument to select() */
-       fd_set reads, sends, excepts; /* As passed to select() */
-} select_sets_t;
-typedef struct _tunala_selector_t {
-       select_sets_t last_selected; /* Results of the last select() */
-       select_sets_t next_select; /* What we'll next select on */
-} tunala_selector_t;
-
-/* This structure is *everything*. We do it to avoid the use of globals so that,
- * for example, it would be easier to shift things around between async-IO,
- * thread-based, or multi-fork()ed (or combinations thereof). */
-typedef struct _tunala_world_t {
-       /* The file-descriptor we "listen" on for new connections */
-       int listen_fd;
-       /* The array of tunnels */
-       tunala_item_t *tunnels;
-       /* the number of tunnels in use and allocated, respectively */
-       unsigned int tunnels_used, tunnels_size;
-       /* Our outside "loop" context stuff */
-       tunala_selector_t selector;
-       /* Our SSL_CTX, which is configured as the SSL client or server and has
-        * the various cert-settings and callbacks configured. */
-       SSL_CTX *ssl_ctx;
-       /* Simple flag with complex logic :-) Indicates whether we're an SSL
-        * server or an SSL client. */
-       int server_mode;
-} tunala_world_t;
-
-/*****************************/
-/* Internal static functions */
-/*****************************/
-
-static SSL_CTX *initialise_ssl_ctx(int server_mode, const char *engine_id,
-               const char *CAfile, const char *cert, const char *key,
-               const char *dcert, const char *dkey, const char *cipher_list,
-               const char *dh_file, const char *dh_special, int tmp_rsa,
-               int ctx_options, int out_state, int out_verify, int verify_mode,
-               unsigned int verify_depth);
-static void selector_init(tunala_selector_t *selector);
-static void selector_add_listener(tunala_selector_t *selector, int fd);
-static void selector_add_tunala(tunala_selector_t *selector, tunala_item_t *t);
-static int selector_select(tunala_selector_t *selector);
-/* This returns -1 for error, 0 for no new connections, or 1 for success, in
- * which case *newfd is populated. */
-static int selector_get_listener(tunala_selector_t *selector, int fd, int *newfd);
-static int tunala_world_new_item(tunala_world_t *world, int fd,
-               const char *ip, unsigned short port, int flipped);
-static void tunala_world_del_item(tunala_world_t *world, unsigned int idx);
-static int tunala_item_io(tunala_selector_t *selector, tunala_item_t *item);
-
-/*********************************************/
-/* MAIN FUNCTION (and its utility functions) */
-/*********************************************/
-
-static const char *def_proxyhost = "127.0.0.1:443";
-static const char *def_listenhost = "127.0.0.1:8080";
-static int def_max_tunnels = 50;
-static const char *def_cacert = NULL;
-static const char *def_cert = NULL;
-static const char *def_key = NULL;
-static const char *def_dcert = NULL;
-static const char *def_dkey = NULL;
-static const char *def_engine_id = NULL;
-static int def_server_mode = 0;
-static int def_flipped = 0;
-static const char *def_cipher_list = NULL;
-static const char *def_dh_file = NULL;
-static const char *def_dh_special = NULL;
-static int def_tmp_rsa = 1;
-static int def_ctx_options = 0;
-static int def_verify_mode = 0;
-static unsigned int def_verify_depth = 10;
-static int def_out_state = 0;
-static unsigned int def_out_verify = 0;
-static int def_out_totals = 0;
-static int def_out_conns = 0;
-
-static const char *helpstring =
-"\n'Tunala' (A tunneler with a New Zealand accent)\n"
-"Usage: tunala [options], where options are from;\n"
-" -listen [host:]<port>  (default = 127.0.0.1:8080)\n"
-" -proxy <host>:<port>   (default = 127.0.0.1:443)\n"
-" -maxtunnels <num>      (default = 50)\n"
-" -cacert <path|NULL>    (default = NULL)\n"
-" -cert <path|NULL>      (default = NULL)\n"
-" -key <path|NULL>       (default = whatever '-cert' is)\n"
-" -dcert <path|NULL>     (usually for DSA, default = NULL)\n"
-" -dkey <path|NULL>      (usually for DSA, default = whatever '-dcert' is)\n"
-" -engine <id|NULL>      (default = NULL)\n"
-" -server <0|1>          (default = 0, ie. an SSL client)\n"
-" -flipped <0|1>         (makes SSL servers be network clients, and vice versa)\n"
-" -cipher <list>         (specifies cipher list to use)\n"
-" -dh_file <path>        (a PEM file containing DH parameters to use)\n"
-" -dh_special <NULL|generate|standard> (see below: def=NULL)\n"
-" -no_tmp_rsa            (don't generate temporary RSA keys)\n"
-" -no_ssl2               (disable SSLv2)\n"
-" -no_ssl3               (disable SSLv3)\n"
-" -no_tls1               (disable TLSv1)\n"
-" -v_peer                (verify the peer certificate)\n"
-" -v_strict              (do not continue if peer doesn't authenticate)\n"
-" -v_once                (no verification in renegotiates)\n"
-" -v_depth <num>         (limit certificate chain depth, default = 10)\n"
-" -out_conns             (prints client connections and disconnections)\n"
-" -out_state             (prints SSL handshake states)\n"
-" -out_verify <0|1|2|3>  (prints certificate verification states: def=1)\n"
-" -out_totals            (prints out byte-totals when a tunnel closes)\n"
-" -<h|help|?>            (displays this help screen)\n"
-"Notes:\n"
-"(1) It is recommended to specify a cert+key when operating as an SSL server.\n"
-"    If you only specify '-cert', the same file must contain a matching\n"
-"    private key.\n"
-"(2) Either dh_file or dh_special can be used to specify where DH parameters\n"
-"    will be obtained from (or '-dh_special NULL' for the default choice) but\n"
-"    you cannot specify both. For dh_special, 'generate' will create new DH\n"
-"    parameters on startup, and 'standard' will use embedded parameters\n"
-"    instead.\n"
-"(3) Normally an ssl client connects to an ssl server - so that an 'ssl client\n"
-"    tunala' listens for 'clean' client connections and proxies ssl, and an\n"
-"    'ssl server tunala' listens for ssl connections and proxies 'clean'. With\n"
-"    '-flipped 1', this behaviour is reversed so that an 'ssl server tunala'\n"
-"    listens for clean client connections and proxies ssl (but participating\n"
-"    as an ssl *server* in the SSL/TLS protocol), and an 'ssl client tunala'\n"
-"    listens for ssl connections (participating as an ssl *client* in the\n"
-"    SSL/TLS protocol) and proxies 'clean' to the end destination. This can\n"
-"    be useful for allowing network access to 'servers' where only the server\n"
-"    needs to authenticate the client (ie. the other way is not required).\n"
-"    Even with client and server authentication, this 'technique' mitigates\n"
-"    some DoS (denial-of-service) potential as it will be the network client\n"
-"    having to perform the first private key operation rather than the other\n"
-"    way round.\n"
-"(4) The 'technique' used by setting '-flipped 1' is probably compatible with\n"
-"    absolutely nothing except another complimentary instance of 'tunala'\n"
-"    running with '-flipped 1'. :-)\n";
-
-/* Default DH parameters for use with "-dh_special standard" ... stolen striaght
- * from s_server. */
-static unsigned char dh512_p[]={
-       0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
-       0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
-       0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
-       0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
-       0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
-       0x47,0x74,0xE8,0x33,
-       };
-static unsigned char dh512_g[]={
-       0x02,
-       };
-
-/* And the function that parses the above "standard" parameters, again, straight
- * out of s_server. */
-static DH *get_dh512(void)
-       {
-       DH *dh=NULL;
-
-       if ((dh=DH_new()) == NULL) return(NULL);
-       dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
-       dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
-       if ((dh->p == NULL) || (dh->g == NULL))
-               return(NULL);
-       return(dh);
-       }
-
-/* Various help/error messages used by main() */
-static int usage(const char *errstr, int isunknownarg)
-{
-       if(isunknownarg)
-               fprintf(stderr, "Error: unknown argument '%s'\n", errstr);
-       else
-               fprintf(stderr, "Error: %s\n", errstr);
-       fprintf(stderr, "%s\n", helpstring);
-       return 1;
-}
-
-static int err_str0(const char *str0)
-{
-       fprintf(stderr, "%s\n", str0);
-       return 1;
-}
-
-static int err_str1(const char *fmt, const char *str1)
-{
-       fprintf(stderr, fmt, str1);
-       fprintf(stderr, "\n");
-       return 1;
-}
-
-static int parse_max_tunnels(const char *s, unsigned int *maxtunnels)
-{
-       unsigned long l;
-       if(!int_strtoul(s, &l) || (l < 1) || (l > 1024)) {
-               fprintf(stderr, "Error, '%s' is an invalid value for "
-                               "maxtunnels\n", s);
-               return 0;
-       }
-       *maxtunnels = (unsigned int)l;
-       return 1;
-}
-
-static int parse_server_mode(const char *s, int *servermode)
-{
-       unsigned long l;
-       if(!int_strtoul(s, &l) || (l > 1)) {
-               fprintf(stderr, "Error, '%s' is an invalid value for the "
-                               "server mode\n", s);
-               return 0;
-       }
-       *servermode = (int)l;
-       return 1;
-}
-
-static int parse_dh_special(const char *s, const char **dh_special)
-{
-       if((strcmp(s, "NULL") == 0) || (strcmp(s, "generate") == 0) ||
-                       (strcmp(s, "standard") == 0)) {
-               *dh_special = s;
-               return 1;
-       }
-       fprintf(stderr, "Error, '%s' is an invalid value for 'dh_special'\n", s);
-       return 0;
-}
-
-static int parse_verify_level(const char *s, unsigned int *verify_level)
-{
-       unsigned long l;
-       if(!int_strtoul(s, &l) || (l > 3)) {
-               fprintf(stderr, "Error, '%s' is an invalid value for "
-                               "out_verify\n", s);
-               return 0;
-       }
-       *verify_level = (unsigned int)l;
-       return 1;
-}
-
-static int parse_verify_depth(const char *s, unsigned int *verify_depth)
-{
-       unsigned long l;
-       if(!int_strtoul(s, &l) || (l < 1) || (l > 50)) {
-               fprintf(stderr, "Error, '%s' is an invalid value for "
-                               "verify_depth\n", s);
-               return 0;
-       }
-       *verify_depth = (unsigned int)l;
-       return 1;
-}
-
-/* Some fprintf format strings used when tunnels close */
-static const char *io_stats_dirty =
-"    SSL traffic;   %8lu bytes in, %8lu bytes out\n";
-static const char *io_stats_clean =
-"    clear traffic; %8lu bytes in, %8lu bytes out\n";
-
-int main(int argc, char *argv[])
-{
-       unsigned int loop;
-       int newfd;
-       tunala_world_t world;
-       tunala_item_t *t_item;
-       const char *proxy_ip;
-       unsigned short proxy_port;
-       /* Overridables */
-       const char *proxyhost = def_proxyhost;
-       const char *listenhost = def_listenhost;
-       unsigned int max_tunnels = def_max_tunnels;
-       const char *cacert = def_cacert;
-       const char *cert = def_cert;
-       const char *key = def_key;
-       const char *dcert = def_dcert;
-       const char *dkey = def_dkey;
-       const char *engine_id = def_engine_id;
-       int server_mode = def_server_mode;
-       int flipped = def_flipped;
-       const char *cipher_list = def_cipher_list;
-       const char *dh_file = def_dh_file;
-       const char *dh_special = def_dh_special;
-       int tmp_rsa = def_tmp_rsa;
-       int ctx_options = def_ctx_options;
-       int verify_mode = def_verify_mode;
-       unsigned int verify_depth = def_verify_depth;
-       int out_state = def_out_state;
-       unsigned int out_verify = def_out_verify;
-       int out_totals = def_out_totals;
-       int out_conns = def_out_conns;
-
-/* Parse command-line arguments */
-next_arg:
-       argc--; argv++;
-       if(argc > 0) {
-               if(strcmp(*argv, "-listen") == 0) {
-                       if(argc < 2)
-                               return usage("-listen requires an argument", 0);
-                       argc--; argv++;
-                       listenhost = *argv;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-proxy") == 0) {
-                       if(argc < 2)
-                               return usage("-proxy requires an argument", 0);
-                       argc--; argv++;
-                       proxyhost = *argv;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-maxtunnels") == 0) {
-                       if(argc < 2)
-                               return usage("-maxtunnels requires an argument", 0);
-                       argc--; argv++;
-                       if(!parse_max_tunnels(*argv, &max_tunnels))
-                               return 1;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-cacert") == 0) {
-                       if(argc < 2)
-                               return usage("-cacert requires an argument", 0);
-                       argc--; argv++;
-                       if(strcmp(*argv, "NULL") == 0)
-                               cacert = NULL;
-                       else
-                               cacert = *argv;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-cert") == 0) {
-                       if(argc < 2)
-                               return usage("-cert requires an argument", 0);
-                       argc--; argv++;
-                       if(strcmp(*argv, "NULL") == 0)
-                               cert = NULL;
-                       else
-                               cert = *argv;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-key") == 0) {
-                       if(argc < 2)
-                               return usage("-key requires an argument", 0);
-                       argc--; argv++;
-                       if(strcmp(*argv, "NULL") == 0)
-                               key = NULL;
-                       else
-                               key = *argv;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-dcert") == 0) {
-                       if(argc < 2)
-                               return usage("-dcert requires an argument", 0);
-                       argc--; argv++;
-                       if(strcmp(*argv, "NULL") == 0)
-                               dcert = NULL;
-                       else
-                               dcert = *argv;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-dkey") == 0) {
-                       if(argc < 2)
-                               return usage("-dkey requires an argument", 0);
-                       argc--; argv++;
-                       if(strcmp(*argv, "NULL") == 0)
-                               dkey = NULL;
-                       else
-                               dkey = *argv;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-engine") == 0) {
-                       if(argc < 2)
-                               return usage("-engine requires an argument", 0);
-                       argc--; argv++;
-                       engine_id = *argv;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-server") == 0) {
-                       if(argc < 2)
-                               return usage("-server requires an argument", 0);
-                       argc--; argv++;
-                       if(!parse_server_mode(*argv, &server_mode))
-                               return 1;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-flipped") == 0) {
-                       if(argc < 2)
-                               return usage("-flipped requires an argument", 0);
-                       argc--; argv++;
-                       if(!parse_server_mode(*argv, &flipped))
-                               return 1;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-cipher") == 0) {
-                       if(argc < 2)
-                               return usage("-cipher requires an argument", 0);
-                       argc--; argv++;
-                       cipher_list = *argv;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-dh_file") == 0) {
-                       if(argc < 2)
-                               return usage("-dh_file requires an argument", 0);
-                       if(dh_special)
-                               return usage("cannot mix -dh_file with "
-                                               "-dh_special", 0);
-                       argc--; argv++;
-                       dh_file = *argv;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-dh_special") == 0) {
-                       if(argc < 2)
-                               return usage("-dh_special requires an argument", 0);
-                       if(dh_file)
-                               return usage("cannot mix -dh_file with "
-                                               "-dh_special", 0);
-                       argc--; argv++;
-                       if(!parse_dh_special(*argv, &dh_special))
-                               return 1;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-no_tmp_rsa") == 0) {
-                       tmp_rsa = 0;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-no_ssl2") == 0) {
-                       ctx_options |= SSL_OP_NO_SSLv2;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-no_ssl3") == 0) {
-                       ctx_options |= SSL_OP_NO_SSLv3;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-no_tls1") == 0) {
-                       ctx_options |= SSL_OP_NO_TLSv1;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-v_peer") == 0) {
-                       verify_mode |= SSL_VERIFY_PEER;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-v_strict") == 0) {
-                       verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-v_once") == 0) {
-                       verify_mode |= SSL_VERIFY_CLIENT_ONCE;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-v_depth") == 0) {
-                       if(argc < 2)
-                               return usage("-v_depth requires an argument", 0);
-                       argc--; argv++;
-                       if(!parse_verify_depth(*argv, &verify_depth))
-                               return 1;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-out_state") == 0) {
-                       out_state = 1;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-out_verify") == 0) {
-                       if(argc < 2)
-                               return usage("-out_verify requires an argument", 0);
-                       argc--; argv++;
-                       if(!parse_verify_level(*argv, &out_verify))
-                               return 1;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-out_totals") == 0) {
-                       out_totals = 1;
-                       goto next_arg;
-               } else if(strcmp(*argv, "-out_conns") == 0) {
-                       out_conns = 1;
-                       goto next_arg;
-               } else if((strcmp(*argv, "-h") == 0) ||
-                               (strcmp(*argv, "-help") == 0) ||
-                               (strcmp(*argv, "-?") == 0)) {
-                       fprintf(stderr, "%s\n", helpstring);
-                       return 0;
-               } else
-                       return usage(*argv, 1);
-       }
-       /* Run any sanity checks we want here */
-       if(!cert && !dcert && server_mode)
-               fprintf(stderr, "WARNING: you are running an SSL server without "
-                               "a certificate - this may not work!\n");
-
-       /* Initialise network stuff */
-       if(!ip_initialise())
-               return err_str0("ip_initialise failed");
-       /* Create the SSL_CTX */
-       if((world.ssl_ctx = initialise_ssl_ctx(server_mode, engine_id,
-                       cacert, cert, key, dcert, dkey, cipher_list, dh_file,
-                       dh_special, tmp_rsa, ctx_options, out_state, out_verify,
-                       verify_mode, verify_depth)) == NULL)
-               return err_str1("initialise_ssl_ctx(engine_id=%s) failed",
-                       (engine_id == NULL) ? "NULL" : engine_id);
-       if(engine_id)
-               fprintf(stderr, "Info, engine '%s' initialised\n", engine_id);
-       /* Create the listener */
-       if((world.listen_fd = ip_create_listener(listenhost)) == -1)
-               return err_str1("ip_create_listener(%s) failed", listenhost);
-       fprintf(stderr, "Info, listening on '%s'\n", listenhost);
-       if(!ip_parse_address(proxyhost, &proxy_ip, &proxy_port, 0))
-               return err_str1("ip_parse_address(%s) failed", proxyhost);
-       fprintf(stderr, "Info, proxying to '%s' (%d.%d.%d.%d:%d)\n", proxyhost,
-                       (int)proxy_ip[0], (int)proxy_ip[1],
-                       (int)proxy_ip[2], (int)proxy_ip[3], (int)proxy_port);
-       fprintf(stderr, "Info, set maxtunnels to %d\n", (int)max_tunnels);
-       fprintf(stderr, "Info, set to operate as an SSL %s\n",
-                       (server_mode ? "server" : "client"));
-       /* Initialise the rest of the stuff */
-       world.tunnels_used = world.tunnels_size = 0;
-       world.tunnels = NULL;
-       world.server_mode = server_mode;
-       selector_init(&world.selector);
-
-/* We're ready to loop */
-main_loop:
-       /* Should we listen for *new* tunnels? */
-       if(world.tunnels_used < max_tunnels)
-               selector_add_listener(&world.selector, world.listen_fd);
-       /* We should add in our existing tunnels */
-       for(loop = 0; loop < world.tunnels_used; loop++)
-               selector_add_tunala(&world.selector, world.tunnels + loop);
-       /* Now do the select */
-       switch(selector_select(&world.selector)) {
-       case -1:
-               if(errno != EINTR) {
-                       fprintf(stderr, "selector_select returned a "
-                                       "badness error.\n");
-                       goto shouldnt_happen;
-               }
-               fprintf(stderr, "Warn, selector interrupted by a signal\n");
-               goto main_loop;
-       case 0:
-               fprintf(stderr, "Warn, selector_select returned 0 - signal?""?\n");
-               goto main_loop;
-       default:
-               break;
-       }
-       /* Accept new connection if we should and can */
-       if((world.tunnels_used < max_tunnels) && (selector_get_listener(
-                                       &world.selector, world.listen_fd,
-                                       &newfd) == 1)) {
-               /* We have a new connection */
-               if(!tunala_world_new_item(&world, newfd, proxy_ip,
-                                               proxy_port, flipped))
-                       fprintf(stderr, "tunala_world_new_item failed\n");
-               else if(out_conns)
-                       fprintf(stderr, "Info, new tunnel opened, now up to "
-                                       "%d\n", world.tunnels_used);
-       }
-       /* Give each tunnel its moment, note the while loop is because it makes
-        * the logic easier than with "for" to deal with an array that may shift
-        * because of deletes. */
-       loop = 0;
-       t_item = world.tunnels;
-       while(loop < world.tunnels_used) {
-               if(!tunala_item_io(&world.selector, t_item)) {
-                       /* We're closing whether for reasons of an error or a
-                        * natural close. Don't increment loop or t_item because
-                        * the next item is moving to us! */
-                       if(!out_totals)
-                               goto skip_totals;
-                       fprintf(stderr, "Tunnel closing, traffic stats follow\n");
-                       /* Display the encrypted (over the network) stats */
-                       fprintf(stderr, io_stats_dirty,
-                               buffer_total_in(state_machine_get_buffer(
-                                               &t_item->sm,SM_DIRTY_IN)),
-                               buffer_total_out(state_machine_get_buffer(
-                                               &t_item->sm,SM_DIRTY_OUT)));
-                       /* Display the local (tunnelled) stats. NB: Data we
-                        * *receive* is data sent *out* of the state_machine on
-                        * its 'clean' side. Hence the apparent back-to-front
-                        * OUT/IN mixup here :-) */
-                       fprintf(stderr, io_stats_clean,
-                               buffer_total_out(state_machine_get_buffer(
-                                               &t_item->sm,SM_CLEAN_OUT)),
-                               buffer_total_in(state_machine_get_buffer(
-                                               &t_item->sm,SM_CLEAN_IN)));
-skip_totals:
-                       tunala_world_del_item(&world, loop);
-                       if(out_conns)
-                               fprintf(stderr, "Info, tunnel closed, down to %d\n",
-                                       world.tunnels_used);
-               }
-               else {
-                       /* Move to the next item */
-                       loop++;
-                       t_item++;
-               }
-       }
-       goto main_loop;
-       /* Should never get here */
-shouldnt_happen:
-       abort();
-       return 1;
-}
-
-/****************/
-/* OpenSSL bits */
-/****************/
-
-static int ctx_set_cert(SSL_CTX *ctx, const char *cert, const char *key)
-{
-       FILE *fp = NULL;
-       X509 *x509 = NULL;
-       EVP_PKEY *pkey = NULL;
-       int toret = 0; /* Assume an error */
-
-       /* cert */
-       if(cert) {
-               if((fp = fopen(cert, "r")) == NULL) {
-                       fprintf(stderr, "Error opening cert file '%s'\n", cert);
-                       goto err;
-               }
-               if(!PEM_read_X509(fp, &x509, NULL, NULL)) {
-                       fprintf(stderr, "Error reading PEM cert from '%s'\n",
-                                       cert);
-                       goto err;
-               }
-               if(!SSL_CTX_use_certificate(ctx, x509)) {
-                       fprintf(stderr, "Error, cert in '%s' can not be used\n",
-                                       cert);
-                       goto err;
-               }
-               /* Clear the FILE* for reuse in the "key" code */
-               fclose(fp);
-               fp = NULL;
-               fprintf(stderr, "Info, operating with cert in '%s'\n", cert);
-               /* If a cert was given without matching key, we assume the same
-                * file contains the required key. */
-               if(!key)
-                       key = cert;
-       } else {
-               if(key)
-                       fprintf(stderr, "Error, can't specify a key without a "
-                                       "corresponding certificate\n");
-               else
-                       fprintf(stderr, "Error, ctx_set_cert called with "
-                                       "NULLs!\n");
-               goto err;
-       }
-       /* key */
-       if(key) {
-               if((fp = fopen(key, "r")) == NULL) {
-                       fprintf(stderr, "Error opening key file '%s'\n", key);
-                       goto err;
-               }
-               if(!PEM_read_PrivateKey(fp, &pkey, NULL, NULL)) {
-                       fprintf(stderr, "Error reading PEM key from '%s'\n",
-                                       key);
-                       goto err;
-               }
-               if(!SSL_CTX_use_PrivateKey(ctx, pkey)) {
-                       fprintf(stderr, "Error, key in '%s' can not be used\n",
-                                       key);
-                       goto err;
-               }
-               fprintf(stderr, "Info, operating with key in '%s'\n", key);
-       } else
-               fprintf(stderr, "Info, operating without a cert or key\n");
-       /* Success */
-       toret = 1; err:
-       if(x509)
-               X509_free(x509);
-       if(pkey)
-               EVP_PKEY_free(pkey);
-       if(fp)
-               fclose(fp);
-       return toret;
-}
-
-static int ctx_set_dh(SSL_CTX *ctx, const char *dh_file, const char *dh_special)
-{
-       DH *dh = NULL;
-       FILE *fp = NULL;
-
-       if(dh_special) {
-               if(strcmp(dh_special, "NULL") == 0)
-                       return 1;
-               if(strcmp(dh_special, "standard") == 0) {
-                       if((dh = get_dh512()) == NULL) {
-                               fprintf(stderr, "Error, can't parse 'standard'"
-                                               " DH parameters\n");
-                               return 0;
-                       }
-                       fprintf(stderr, "Info, using 'standard' DH parameters\n");
-                       goto do_it;
-               }
-               if(strcmp(dh_special, "generate") != 0)
-                       /* This shouldn't happen - screening values is handled
-                        * in main(). */
-                       abort();
-               fprintf(stderr, "Info, generating DH parameters ... ");
-               fflush(stderr);
-               if(!(dh = DH_new()) || !DH_generate_parameters_ex(dh, 512,
-                                       DH_GENERATOR_5, NULL)) {
-                       fprintf(stderr, "error!\n");
-                       if(dh)
-                               DH_free(dh);
-                       return 0;
-               }
-               fprintf(stderr, "complete\n");
-               goto do_it;
-       }
-       /* So, we're loading dh_file */
-       if((fp = fopen(dh_file, "r")) == NULL) {
-               fprintf(stderr, "Error, couldn't open '%s' for DH parameters\n",
-                               dh_file);
-               return 0;
-       }
-       dh = PEM_read_DHparams(fp, NULL, NULL, NULL);
-       fclose(fp);
-       if(dh == NULL) {
-               fprintf(stderr, "Error, could not parse DH parameters from '%s'\n",
-                               dh_file);
-               return 0;
-       }
-       fprintf(stderr, "Info, using DH parameters from file '%s'\n", dh_file);
-do_it:
-       SSL_CTX_set_tmp_dh(ctx, dh);
-       DH_free(dh);
-       return 1;
-}
-
-static SSL_CTX *initialise_ssl_ctx(int server_mode, const char *engine_id,
-               const char *CAfile, const char *cert, const char *key,
-               const char *dcert, const char *dkey, const char *cipher_list,
-               const char *dh_file, const char *dh_special, int tmp_rsa,
-               int ctx_options, int out_state, int out_verify, int verify_mode,
-               unsigned int verify_depth)
-{
-       SSL_CTX *ctx = NULL, *ret = NULL;
-       const SSL_METHOD *meth;
-       ENGINE *e = NULL;
-
-        OpenSSL_add_ssl_algorithms();
-        SSL_load_error_strings();
-
-       meth = (server_mode ? SSLv23_server_method() : SSLv23_client_method());
-       if(meth == NULL)
-               goto err;
-       if(engine_id) {
-               ENGINE_load_builtin_engines();
-               if((e = ENGINE_by_id(engine_id)) == NULL) {
-                       fprintf(stderr, "Error obtaining '%s' engine, openssl "
-                                       "errors follow\n", engine_id);
-                       goto err;
-               }
-               if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
-                       fprintf(stderr, "Error assigning '%s' engine, openssl "
-                                       "errors follow\n", engine_id);
-                       goto err;
-               }
-               ENGINE_free(e);
-       }
-       if((ctx = SSL_CTX_new(meth)) == NULL)
-               goto err;
-       /* cacert */
-       if(CAfile) {
-               if(!X509_STORE_load_locations(SSL_CTX_get_cert_store(ctx),
-                                       CAfile, NULL)) {
-                       fprintf(stderr, "Error loading CA cert(s) in '%s'\n",
-                                       CAfile);
-                       goto err;
-               }
-               fprintf(stderr, "Info, operating with CA cert(s) in '%s'\n",
-                               CAfile);
-       } else
-               fprintf(stderr, "Info, operating without a CA cert(-list)\n");
-       if(!SSL_CTX_set_default_verify_paths(ctx)) {
-               fprintf(stderr, "Error setting default verify paths\n");
-               goto err;
-       }
-
-       /* cert and key */
-       if((cert || key) && !ctx_set_cert(ctx, cert, key))
-               goto err;
-       /* dcert and dkey */
-       if((dcert || dkey) && !ctx_set_cert(ctx, dcert, dkey))
-               goto err;
-       /* temporary RSA key generation */
-       if(tmp_rsa)
-               SSL_CTX_set_tmp_rsa_callback(ctx, cb_generate_tmp_rsa);
-
-       /* cipher_list */
-       if(cipher_list) {
-               if(!SSL_CTX_set_cipher_list(ctx, cipher_list)) {
-                       fprintf(stderr, "Error setting cipher list '%s'\n",
-                                       cipher_list);
-                       goto err;
-               }
-               fprintf(stderr, "Info, set cipher list '%s'\n", cipher_list);
-       } else
-               fprintf(stderr, "Info, operating with default cipher list\n");
-
-       /* dh_file & dh_special */
-       if((dh_file || dh_special) && !ctx_set_dh(ctx, dh_file, dh_special))
-               goto err;
-
-       /* ctx_options */
-       SSL_CTX_set_options(ctx, ctx_options);
-
-       /* out_state (output of SSL handshake states to screen). */
-       if(out_state)
-               cb_ssl_info_set_output(stderr);
-
-       /* out_verify */
-       if(out_verify > 0) {
-               cb_ssl_verify_set_output(stderr);
-               cb_ssl_verify_set_level(out_verify);
-       }
-
-       /* verify_depth */
-       cb_ssl_verify_set_depth(verify_depth);
-
-       /* Success! (includes setting verify_mode) */
-       SSL_CTX_set_info_callback(ctx, cb_ssl_info);
-       SSL_CTX_set_verify(ctx, verify_mode, cb_ssl_verify);
-       ret = ctx;
-err:
-       if(!ret) {
-               ERR_print_errors_fp(stderr);
-               if(ctx)
-                       SSL_CTX_free(ctx);
-       }
-       return ret;
-}
-
-/*****************/
-/* Selector bits */
-/*****************/
-
-static void selector_sets_init(select_sets_t *s)
-{
-       s->max = 0;
-       FD_ZERO(&s->reads);
-       FD_ZERO(&s->sends);
-       FD_ZERO(&s->excepts);
-}
-static void selector_init(tunala_selector_t *selector)
-{
-       selector_sets_init(&selector->last_selected);
-       selector_sets_init(&selector->next_select);
-}
-
-#define SEL_EXCEPTS 0x00
-#define SEL_READS   0x01
-#define SEL_SENDS   0x02
-static void selector_add_raw_fd(tunala_selector_t *s, int fd, int flags)
-{
-       FD_SET(fd, &s->next_select.excepts);
-       if(flags & SEL_READS)
-               FD_SET(fd, &s->next_select.reads);
-       if(flags & SEL_SENDS)
-               FD_SET(fd, &s->next_select.sends);
-       /* Adjust "max" */
-       if(s->next_select.max < (fd + 1))
-               s->next_select.max = fd + 1;
-}
-
-static void selector_add_listener(tunala_selector_t *selector, int fd)
-{
-       selector_add_raw_fd(selector, fd, SEL_READS);
-}
-
-static void selector_add_tunala(tunala_selector_t *s, tunala_item_t *t)
-{
-       /* Set clean read if sm.clean_in is not full */
-       if(t->clean_read != -1) {
-               selector_add_raw_fd(s, t->clean_read,
-                       (buffer_full(state_machine_get_buffer(&t->sm,
-                               SM_CLEAN_IN)) ? SEL_EXCEPTS : SEL_READS));
-       }
-       /* Set clean send if sm.clean_out is not empty */
-       if(t->clean_send != -1) {
-               selector_add_raw_fd(s, t->clean_send,
-                       (buffer_empty(state_machine_get_buffer(&t->sm,
-                               SM_CLEAN_OUT)) ? SEL_EXCEPTS : SEL_SENDS));
-       }
-       /* Set dirty read if sm.dirty_in is not full */
-       if(t->dirty_read != -1) {
-               selector_add_raw_fd(s, t->dirty_read,
-                       (buffer_full(state_machine_get_buffer(&t->sm,
-                               SM_DIRTY_IN)) ? SEL_EXCEPTS : SEL_READS));
-       }
-       /* Set dirty send if sm.dirty_out is not empty */
-       if(t->dirty_send != -1) {
-               selector_add_raw_fd(s, t->dirty_send,
-                       (buffer_empty(state_machine_get_buffer(&t->sm,
-                               SM_DIRTY_OUT)) ? SEL_EXCEPTS : SEL_SENDS));
-       }
-}
-
-static int selector_select(tunala_selector_t *selector)
-{
-       memcpy(&selector->last_selected, &selector->next_select,
-                       sizeof(select_sets_t));
-       selector_sets_init(&selector->next_select);
-       return select(selector->last_selected.max,
-                       &selector->last_selected.reads,
-                       &selector->last_selected.sends,
-                       &selector->last_selected.excepts, NULL);
-}
-
-/* This returns -1 for error, 0 for no new connections, or 1 for success, in
- * which case *newfd is populated. */
-static int selector_get_listener(tunala_selector_t *selector, int fd, int *newfd)
-{
-       if(FD_ISSET(fd, &selector->last_selected.excepts))
-               return -1;
-       if(!FD_ISSET(fd, &selector->last_selected.reads))
-               return 0;
-       if((*newfd = ip_accept_connection(fd)) == -1)
-               return -1;
-       return 1;
-}
-
-/************************/
-/* "Tunala" world stuff */
-/************************/
-
-static int tunala_world_make_room(tunala_world_t *world)
-{
-       unsigned int newsize;
-       tunala_item_t *newarray;
-
-       if(world->tunnels_used < world->tunnels_size)
-               return 1;
-       newsize = (world->tunnels_size == 0 ? 16 :
-                       ((world->tunnels_size * 3) / 2));
-       if((newarray = malloc(newsize * sizeof(tunala_item_t))) == NULL)
-               return 0;
-       memset(newarray, 0, newsize * sizeof(tunala_item_t));
-       if(world->tunnels_used > 0)
-               memcpy(newarray, world->tunnels,
-                       world->tunnels_used * sizeof(tunala_item_t));
-       if(world->tunnels_size > 0)
-               free(world->tunnels);
-       /* migrate */
-       world->tunnels = newarray;
-       world->tunnels_size = newsize;
-       return 1;
-}
-
-static int tunala_world_new_item(tunala_world_t *world, int fd,
-               const char *ip, unsigned short port, int flipped)
-{
-       tunala_item_t *item;
-       int newfd;
-       SSL *new_ssl = NULL;
-
-       if(!tunala_world_make_room(world))
-               return 0;
-       if((new_ssl = SSL_new(world->ssl_ctx)) == NULL) {
-               fprintf(stderr, "Error creating new SSL\n");
-               ERR_print_errors_fp(stderr);
-               return 0;
-       }
-       item = world->tunnels + (world->tunnels_used++);
-       state_machine_init(&item->sm);
-       item->clean_read = item->clean_send =
-               item->dirty_read = item->dirty_send = -1;
-       if((newfd = ip_create_connection_split(ip, port)) == -1)
-               goto err;
-       /* Which way round? If we're a server, "fd" is the dirty side and the
-        * connection we open is the clean one. For a client, it's the other way
-        * around. Unless, of course, we're "flipped" in which case everything
-        * gets reversed. :-) */
-       if((world->server_mode && !flipped) ||
-                       (!world->server_mode && flipped)) {
-               item->dirty_read = item->dirty_send = fd;
-               item->clean_read = item->clean_send = newfd;
-       } else {
-               item->clean_read = item->clean_send = fd;
-               item->dirty_read = item->dirty_send = newfd;
-       }
-       /* We use the SSL's "app_data" to indicate a call-back induced "kill" */
-       SSL_set_app_data(new_ssl, NULL);
-       if(!state_machine_set_SSL(&item->sm, new_ssl, world->server_mode))
-               goto err;
-       return 1;
-err:
-       tunala_world_del_item(world, world->tunnels_used - 1);
-       return 0;
-
-}
-
-static void tunala_world_del_item(tunala_world_t *world, unsigned int idx)
-{
-       tunala_item_t *item = world->tunnels + idx;
-       if(item->clean_read != -1)
-               close(item->clean_read);
-       if(item->clean_send != item->clean_read)
-               close(item->clean_send);
-       item->clean_read = item->clean_send = -1;
-       if(item->dirty_read != -1)
-               close(item->dirty_read);
-       if(item->dirty_send != item->dirty_read)
-               close(item->dirty_send);
-       item->dirty_read = item->dirty_send = -1;
-       state_machine_close(&item->sm);
-       /* OK, now we fix the item array */
-       if(idx + 1 < world->tunnels_used)
-               /* We need to scroll entries to the left */
-               memmove(world->tunnels + idx,
-                               world->tunnels + (idx + 1),
-                               (world->tunnels_used - (idx + 1)) *
-                                       sizeof(tunala_item_t));
-       world->tunnels_used--;
-}
-
-static int tunala_item_io(tunala_selector_t *selector, tunala_item_t *item)
-{
-       int c_r, c_s, d_r, d_s; /* Four boolean flags */
-
-       /* Take ourselves out of the gene-pool if there was an except */
-       if((item->clean_read != -1) && FD_ISSET(item->clean_read,
-                               &selector->last_selected.excepts))
-               return 0;
-       if((item->clean_send != -1) && FD_ISSET(item->clean_send,
-                               &selector->last_selected.excepts))
-               return 0;
-       if((item->dirty_read != -1) && FD_ISSET(item->dirty_read,
-                               &selector->last_selected.excepts))
-               return 0;
-       if((item->dirty_send != -1) && FD_ISSET(item->dirty_send,
-                               &selector->last_selected.excepts))
-               return 0;
-       /* Grab our 4 IO flags */
-       c_r = c_s = d_r = d_s = 0;
-       if(item->clean_read != -1)
-               c_r = FD_ISSET(item->clean_read, &selector->last_selected.reads);
-       if(item->clean_send != -1)
-               c_s = FD_ISSET(item->clean_send, &selector->last_selected.sends);
-       if(item->dirty_read != -1)
-               d_r = FD_ISSET(item->dirty_read, &selector->last_selected.reads);
-       if(item->dirty_send != -1)
-               d_s = FD_ISSET(item->dirty_send, &selector->last_selected.sends);
-       /* If no IO has happened for us, skip needless data looping */
-       if(!c_r && !c_s && !d_r && !d_s)
-               return 1;
-       if(c_r)
-               c_r = (buffer_from_fd(state_machine_get_buffer(&item->sm,
-                               SM_CLEAN_IN), item->clean_read) <= 0);
-       if(c_s)
-               c_s = (buffer_to_fd(state_machine_get_buffer(&item->sm,
-                               SM_CLEAN_OUT), item->clean_send) <= 0);
-       if(d_r)
-               d_r = (buffer_from_fd(state_machine_get_buffer(&item->sm,
-                               SM_DIRTY_IN), item->dirty_read) <= 0);
-       if(d_s)
-               d_s = (buffer_to_fd(state_machine_get_buffer(&item->sm,
-                               SM_DIRTY_OUT), item->dirty_send) <= 0);
-       /* If any of the flags is non-zero, that means they need closing */
-       if(c_r) {
-               close(item->clean_read);
-               if(item->clean_send == item->clean_read)
-                       item->clean_send = -1;
-               item->clean_read = -1;
-       }
-       if(c_s && (item->clean_send != -1)) {
-               close(item->clean_send);
-               if(item->clean_send == item->clean_read)
-                       item->clean_read = -1;
-               item->clean_send = -1;
-       }
-       if(d_r) {
-               close(item->dirty_read);
-               if(item->dirty_send == item->dirty_read)
-                       item->dirty_send = -1;
-               item->dirty_read = -1;
-       }
-       if(d_s && (item->dirty_send != -1)) {
-               close(item->dirty_send);
-               if(item->dirty_send == item->dirty_read)
-                       item->dirty_read = -1;
-               item->dirty_send = -1;
-       }
-       /* This function name is attributed to the term donated by David
-        * Schwartz on openssl-dev, message-ID:
-        * <NCBBLIEPOCNJOAEKBEAKEEDGLIAA.davids@webmaster.com>. :-) */
-       if(!state_machine_churn(&item->sm))
-               /* If the SSL closes, it will also zero-out the _in buffers
-                * and will in future process just outgoing data. As and
-                * when the outgoing data has gone, it will return zero
-                * here to tell us to bail out. */
-               return 0;
-       /* Otherwise, we return zero if both sides are dead. */
-       if(((item->clean_read == -1) || (item->clean_send == -1)) &&
-                       ((item->dirty_read == -1) || (item->dirty_send == -1)))
-               return 0;
-       /* If only one side closed, notify the SSL of this so it can take
-        * appropriate action. */
-       if((item->clean_read == -1) || (item->clean_send == -1)) {
-               if(!state_machine_close_clean(&item->sm))
-                       return 0;
-       }
-       if((item->dirty_read == -1) || (item->dirty_send == -1)) {
-               if(!state_machine_close_dirty(&item->sm))
-                       return 0;
-       }
-       return 1;
-}
-
diff --git a/demos/tunala/tunala.h b/demos/tunala/tunala.h
deleted file mode 100644 (file)
index 3a752f2..0000000
+++ /dev/null
@@ -1,215 +0,0 @@
-/* Tunala ("Tunneler with a New Zealand accent")
- *
- * Written by Geoff Thorpe, but endorsed/supported by noone. Please use this is
- * if it's useful or informative to you, but it's only here as a scratchpad for
- * ideas about how you might (or might not) program with OpenSSL. If you deploy
- * this is in a mission-critical environment, and have not read, understood,
- * audited, and modified this code to your satisfaction, and the result is that
- * all hell breaks loose and you are looking for a new employer, then it proves
- * nothing except perhaps that Darwinism is alive and well. Let's just say, *I*
- * don't use this in a mission-critical environment, so it would be stupid for
- * anyone to assume that it is solid and/or tested enough when even its author
- * doesn't place that much trust in it. You have been warned.
- *
- * With thanks to Cryptographic Appliances, Inc.
- */
-
-#ifndef _TUNALA_H
-#define _TUNALA_H
-
-/* pull in autoconf fluff */
-#ifndef NO_CONFIG_H
-#include "config.h"
-#else
-/* We don't have autoconf, we have to set all of these unless a tweaked Makefile
- * tells us not to ... */
-/* headers */
-#ifndef NO_HAVE_SELECT
-#define HAVE_SELECT
-#endif
-#ifndef NO_HAVE_SOCKET
-#define HAVE_SOCKET
-#endif
-#ifndef NO_HAVE_UNISTD_H
-#define HAVE_UNISTD_H
-#endif
-#ifndef NO_HAVE_FCNTL_H
-#define HAVE_FCNTL_H
-#endif
-#ifndef NO_HAVE_LIMITS_H
-#define HAVE_LIMITS_H
-#endif
-/* features */
-#ifndef NO_HAVE_STRSTR
-#define HAVE_STRSTR
-#endif
-#ifndef NO_HAVE_STRTOUL
-#define HAVE_STRTOUL
-#endif
-#endif
-
-#if !defined(HAVE_SELECT) || !defined(HAVE_SOCKET)
-#error "can't build without some network basics like select() and socket()"
-#endif
-
-#include <stdlib.h>
-#ifndef NO_SYSTEM_H
-#include <string.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#ifdef HAVE_FCNTL_H
-#include <fcntl.h>
-#endif
-#ifdef HAVE_LIMITS_H
-#include <limits.h>
-#endif
-#include <netdb.h>
-#include <signal.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#endif /* !defined(NO_SYSTEM_H) */
-
-#ifndef NO_OPENSSL
-#include <openssl/err.h>
-#include <openssl/engine.h>
-#include <openssl/ssl.h>
-#endif /* !defined(NO_OPENSSL) */
-
-#ifndef OPENSSL_NO_BUFFER
-/* This is the generic "buffer" type that is used when feeding the
- * state-machine. It's basically a FIFO with respect to the "adddata" &
- * "takedata" type functions that operate on it. */
-#define MAX_DATA_SIZE 16384
-typedef struct _buffer_t {
-       unsigned char data[MAX_DATA_SIZE];
-       unsigned int used;
-       /* Statistical values - counts the total number of bytes read in and
-        * read out (respectively) since "buffer_init()" */
-       unsigned long total_in, total_out;
-} buffer_t;
-
-/* Initialise a buffer structure before use */
-void buffer_init(buffer_t *buf);
-/* Cleanup a buffer structure - presently not needed, but if buffer_t is
- * converted to using dynamic allocation, this would be required - so should be
- * called to protect against an explosion of memory leaks later if the change is
- * made. */
-void buffer_close(buffer_t *buf);
-
-/* Basic functions to manipulate buffers */
-
-unsigned int buffer_used(buffer_t *buf); /* How much data in the buffer */
-unsigned int buffer_unused(buffer_t *buf); /* How much space in the buffer */
-int buffer_full(buffer_t *buf); /* Boolean, is it full? */
-int buffer_notfull(buffer_t *buf); /* Boolean, is it not full? */
-int buffer_empty(buffer_t *buf); /* Boolean, is it empty? */
-int buffer_notempty(buffer_t *buf); /* Boolean, is it not empty? */
-unsigned long buffer_total_in(buffer_t *buf); /* Total bytes written to buffer */
-unsigned long buffer_total_out(buffer_t *buf); /* Total bytes read from buffer */
-
-#if 0 /* Currently used only within buffer.c - better to expose only
-       * higher-level functions anyway */
-/* Add data to the tail of the buffer, returns the amount that was actually
- * added (so, you need to check if return value is less than size) */
-unsigned int buffer_adddata(buffer_t *buf, const unsigned char *ptr,
-               unsigned int size);
-
-/* Take data from the front of the buffer (and scroll the rest forward). If
- * "ptr" is NULL, this just removes data off the front of the buffer. Return
- * value is the amount actually removed (can be less than size if the buffer has
- * too little data). */
-unsigned int buffer_takedata(buffer_t *buf, unsigned char *ptr,
-               unsigned int size);
-
-/* Flushes as much data as possible out of the "from" buffer into the "to"
- * buffer. Return value is the amount moved. The amount moved can be restricted
- * to a maximum by specifying "cap" - setting it to -1 means no limit. */
-unsigned int buffer_tobuffer(buffer_t *to, buffer_t *from, int cap);
-#endif
-
-#ifndef NO_IP
-/* Read or write between a file-descriptor and a buffer */
-int buffer_from_fd(buffer_t *buf, int fd);
-int buffer_to_fd(buffer_t *buf, int fd);
-#endif /* !defined(NO_IP) */
-
-#ifndef NO_OPENSSL
-/* Read or write between an SSL or BIO and a buffer */
-void buffer_from_SSL(buffer_t *buf, SSL *ssl);
-void buffer_to_SSL(buffer_t *buf, SSL *ssl);
-void buffer_from_BIO(buffer_t *buf, BIO *bio);
-void buffer_to_BIO(buffer_t *buf, BIO *bio);
-
-/* Callbacks */
-void cb_ssl_info(const SSL *s, int where, int ret);
-void cb_ssl_info_set_output(FILE *fp); /* Called if output should be sent too */
-int cb_ssl_verify(int ok, X509_STORE_CTX *ctx);
-void cb_ssl_verify_set_output(FILE *fp);
-void cb_ssl_verify_set_depth(unsigned int verify_depth);
-void cb_ssl_verify_set_level(unsigned int level);
-RSA *cb_generate_tmp_rsa(SSL *s, int is_export, int keylength);
-#endif /* !defined(NO_OPENSSL) */
-#endif /* !defined(OPENSSL_NO_BUFFER) */
-
-#ifndef NO_TUNALA
-#ifdef OPENSSL_NO_BUFFER
-#error "TUNALA section of tunala.h requires BUFFER support"
-#endif
-typedef struct _state_machine_t {
-       SSL *ssl;
-       BIO *bio_intossl;
-       BIO *bio_fromssl;
-       buffer_t clean_in, clean_out;
-       buffer_t dirty_in, dirty_out;
-} state_machine_t;
-typedef enum {
-       SM_CLEAN_IN, SM_CLEAN_OUT,
-       SM_DIRTY_IN, SM_DIRTY_OUT
-} sm_buffer_t;
-void state_machine_init(state_machine_t *machine);
-void state_machine_close(state_machine_t *machine);
-buffer_t *state_machine_get_buffer(state_machine_t *machine, sm_buffer_t type);
-SSL *state_machine_get_SSL(state_machine_t *machine);
-int state_machine_set_SSL(state_machine_t *machine, SSL *ssl, int is_server);
-/* Performs the data-IO loop and returns zero if the machine should close */
-int state_machine_churn(state_machine_t *machine);
-/* Is used to handle closing conditions - namely when one side of the tunnel has
- * closed but the other should finish flushing. */
-int state_machine_close_clean(state_machine_t *machine);
-int state_machine_close_dirty(state_machine_t *machine);
-#endif /* !defined(NO_TUNALA) */
-
-#ifndef NO_IP
-/* Initialise anything related to the networking. This includes blocking pesky
- * SIGPIPE signals. */
-int ip_initialise(void);
-/* ip is the 4-byte ip address (eg. 127.0.0.1 is {0x7F,0x00,0x00,0x01}), port is
- * the port to listen on (host byte order), and the return value is the
- * file-descriptor or -1 on error. */
-int ip_create_listener_split(const char *ip, unsigned short port);
-/* Same semantics as above. */
-int ip_create_connection_split(const char *ip, unsigned short port);
-/* Converts a string into the ip/port before calling the above */
-int ip_create_listener(const char *address);
-int ip_create_connection(const char *address);
-/* Just does a string conversion on its own. NB: If accept_all_ip is non-zero,
- * then the address string could be just a port. Ie. it's suitable for a
- * listening address but not a connecting address. */
-int ip_parse_address(const char *address, const char **parsed_ip,
-               unsigned short *port, int accept_all_ip);
-/* Accepts an incoming connection through the listener. Assumes selects and
- * what-not have deemed it an appropriate thing to do. */
-int ip_accept_connection(int listen_fd);
-#endif /* !defined(NO_IP) */
-
-/* These functions wrap up things that can be portability hassles. */
-int int_strtoul(const char *str, unsigned long *val);
-#ifdef HAVE_STRSTR
-#define int_strstr strstr
-#else
-char *int_strstr(const char *haystack, const char *needle);
-#endif
-
-#endif /* !defined(_TUNALA_H) */