From patchwork Tue Apr 23 17:06:06 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: ummeegge <ummeegge@ipfire.org>
X-Patchwork-Id: 2208
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256
	bits)) (Client CN "mail01.ipfire.org",
	Issuer "Let's Encrypt Authority X3" (verified OK))
	by web07.i.ipfire.org (Postfix) with ESMTPS id 6508A85BD82
	for <patchwork@web07.i.ipfire.org>;
	Tue, 23 Apr 2019 08:06:19 +0100 (BST)
Received: from mail01.i.ipfire.org (localhost [IPv6:::1])
	by mail01.ipfire.org (Postfix) with ESMTP id 44pDy22yd9z5H9PM;
	Tue, 23 Apr 2019 08:06:18 +0100 (BST)
Received: from ipfire-server.local (i59F4F98D.versanet.de [89.244.249.141])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (Client did not present a certificate)
	by mail01.ipfire.org (Postfix) with ESMTPSA id 44pDxz3q0Sz5H9Nj;
	Tue, 23 Apr 2019 08:06:15 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
	s=201904rsa;
	t=1556003175; h=from:from:sender:reply-to:subject:subject:date:date:
	message-id:message-id:to:to:cc:cc:mime-version:content-type:
	content-transfer-encoding:in-reply-to:references:openpgp:autocrypt;
	bh=ILS+coh1xZhX4LdaYeZ3qMZJGX6zIWWuhJy40YxJer8=;
	b=kDefNm2Qycb6DSLaF4JfI94lH8jh49TqzTe+kC8j7p03ahreoeJjoW8EUi8Ry3byoMBN75
	e7xsQO7QPLQ1Y/VatOuQViIIuslweYyqMUp7wwdkHxVpMP92epR5QOU7JcywOkEeZfY/TA
	hChouT49QvyW5y7OK0VE3zdXdxMJjdqsfAAMAvlgWJ7Ejw/nOyBQ0+eBg4Tf6VX+uokRJ/
	fc/7y9ssLnw6md7UcUTYmcXYAf8i7KT0xVUw2wy21hMNjynmNcb64MiSWeJKYHut8GEn+w
	kX+lBRzR3bW0+Fu2kK+M2J+DL81JFbX3BQlvH5OIGiGltN2EdfUZBDWtE0xPjw==
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
	s=201904ed25519; t=1556003175;
	h=from:from:sender:reply-to:subject:subject:date:date:
	message-id:message-id:to:to:cc:cc:mime-version:content-type:
	content-transfer-encoding:in-reply-to:references:openpgp:autocrypt;
	bh=ILS+coh1xZhX4LdaYeZ3qMZJGX6zIWWuhJy40YxJer8=;
	b=kTHr7HsBf5BGUbxFAOC7G7HJ4Z+VyXh3MV5gN9cQZNExre3kkZHghmqI57sBj/buUI5Nem
	uH7nsSckXma0puCQ==
From: Erik Kapfer <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] sslh: Update to version 1.20
Date: Tue, 23 Apr 2019 09:06:06 +0200
Message-Id: <20190423070606.5642-1-ummeegge@ipfire.org>
X-Mailer: git-send-email 2.12.2
Authentication-Results: mail01.ipfire.org;
	auth=pass smtp.auth=ummeegge smtp.mailfrom=ummeegge@ipfire.org
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
	<mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <https://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
	<mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

- Added USELIBCAP=1 to enable the possibility for transparent option.
- Wrote configuration directives in initscript into variable for better overview.
- Introduce chroot directive in start parameter.
- Added new user and group sslh (will be deleted if uninstall).
- Changed EXTERNAL_IP_FUNCT to serve data also for configuration block but use it also as check as before.
- Added symlinks in sslh paks since the initscripts LFS do not serves it in old installation (a reboot does not started sslh again).
- Deleted sslh symlinks in initscripts LFS since they are served via sslh paks and are not needed anymore.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
---
 lfs/initscripts               |  3 --
 lfs/sslh                      | 12 ++++----
 src/initscripts/packages/sslh | 65 +++++++++++++++++++++++++++++++++----------
 src/paks/sslh/install.sh      | 13 +++++++++
 src/paks/sslh/uninstall.sh    |  9 ++++++
 5 files changed, 79 insertions(+), 23 deletions(-)

diff --git a/lfs/initscripts b/lfs/initscripts
index 055e106d0..3173a04e4 100644
--- a/lfs/initscripts
+++ b/lfs/initscripts
@@ -136,9 +136,6 @@ $(TARGET) :
 	ln -sf ../init.d/client175   /etc/rc.d/rc0.d/K34client175
 	ln -sf ../init.d/client175   /etc/rc.d/rc3.d/S66client175
 	ln -sf ../init.d/client175   /etc/rc.d/rc6.d/K34client175
-	ln -sf ../init.d/sslh        /etc/rc.d/rc3.d/S98sslh
-	ln -sf ../init.d/sslh        /etc/rc.d/rc0.d/K02sslh
-	ln -sf ../init.d/sslh        /etc/rc.d/rc6.d/K02sslh
 	ln -sf ../init.d/vdradmin    /etc/rc.d/rc3.d/S99vdradmin
 	ln -sf ../init.d/vdradmin    /etc/rc.d/rc0.d/K01vdradmin
 	ln -sf ../init.d/vdradmin    /etc/rc.d/rc6.d/K01vdradmin
diff --git a/lfs/sslh b/lfs/sslh
index 100cec065..dedd10272 100644
--- a/lfs/sslh
+++ b/lfs/sslh
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2018  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2019  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 1.7a
+VER        = 1.20
 
 THISAPP    = sslh-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = sslh
-PAK_VER    = 5
+PAK_VER    = 6
 
 DEPS       = ""
 
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = ee124654412198a5e11fe28acf10634d
+$(DL_FILE)_MD5 = 0db26ed2825b1ef6c83959a988279912
 
 install : $(TARGET)
 
@@ -77,8 +77,8 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
-	cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) USELIBWRAP=
-	cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin
+	cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) USELIBCAP=1 USELIBWRAP=
+	cd $(DIR_APP) && install -v -m 755 sslh-fork /usr/sbin/sslh
 
 	#install initscripts
 	$(call INSTALL_INITSCRIPT,sslh)
diff --git a/src/initscripts/packages/sslh b/src/initscripts/packages/sslh
index 43e58f392..0935b1114 100644
--- a/src/initscripts/packages/sslh
+++ b/src/initscripts/packages/sslh
@@ -3,31 +3,68 @@
 
 # Based on sysklogd script from LFS-3.1 and earlier.
 # Rewritten by Gerard Beekmans  - gerard@linuxfromscratch.org
+#
+# $LastChangedBy: ummeegge - ummeegge@ipfire.org $
+# $Date: 2019-04-04 04:35:09 -0500 (Thu, 04 Apr 2019) $
+#
+#############################################################
+#
 
 . /etc/sysconfig/rc
 . $rc_functions
 
+DAEMON="/usr/sbin/sslh"
+
+# Check for external IP address and provide it to listening option
+EXTERNAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)"
+EXTERNAL_IP_FUNCT() {
+        if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then
+                echo_failure
+                boot_mesg -n "FAILURE:\n\nCould not determine" ${FAILURE}
+                boot_mesg -n " your external IP address."
+                boot_mesg "" ${NORMAL}
+                exit 1
+        fi
+}
+
+# Loopback interface
+LO="127.0.0.1"
+# Used TCP ports
+LISTENPORT="443"
+SSHPORT="222"
+TLSPORT="444"
+OPENVPNPORT="1194"
+
+# Configuration options
+DAEMON_OPTS="
+--user sslh
+--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT}
+--ssh ${LO}:${SSHPORT}
+--tls ${LO}:${TLSPORT}
+--openvpn ${LO}:${OPENVPNPORT}
+--pidfile /var/run/sslh.pid
+-C /var/empty
+"
+
+# Check for binary
+if ! [ -x "$(command -v ${DAEMON})" ]; then
+	echo "Error: could not find ${DAEMON}" >&2
+	exit 1
+fi
+
+# Check for external IP
+EXTERNAL_IP_FUNCT
+
 case "$1" in
 	start)
 		boot_mesg "Starting SSLH Deamon..."
-
-		LOCAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)"
-		if [ -z "${LOCAL_IP_ADDRESS}" ]; then
-			echo_failure
-			boot_mesg -n "FAILURE:\n\nCould not determine" ${FAILURE}
-			boot_mesg -n " your external IP address."
-			boot_mesg "" ${NORMAL}
-			exit 1
-		fi
-
-		loadproc /usr/sbin/sslh -u nobody \
-			-p "${LOCAL_IP_ADDRESS}:443" -s localhost:222 -l localhost:444
+		loadproc ${DAEMON} ${DAEMON_OPTS}
 		evaluate_retval
 		;;
 
 	stop)
 		boot_mesg "Stopping SSLH Deamon..."
-		killproc /usr/sbin/sslh
+		killproc ${DAEMON}
 		evaluate_retval
 		;;
 
@@ -38,7 +75,7 @@ case "$1" in
 		;;
 
 	status)
-		statusproc /usr/sbin/sslh
+		statusproc ${DAEMON}
 		;;
 
 	*)
diff --git a/src/paks/sslh/install.sh b/src/paks/sslh/install.sh
index 626884bdd..df7cafc78 100644
--- a/src/paks/sslh/install.sh
+++ b/src/paks/sslh/install.sh
@@ -23,5 +23,18 @@
 #
 . /opt/pakfire/lib/functions.sh
 extract_files
+
+# Add user and group for sslh if not already done
+if ! grep -q sslh /etc/passwd; then
+    groupadd sslh;
+    useradd -g sslh -M -s /sbin/nologin sslh
+fi
+
 ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh
+
+# Set symlink for runlevels
+ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh
+ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh
+ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh
+
 start_service --background ${NAME}
diff --git a/src/paks/sslh/uninstall.sh b/src/paks/sslh/uninstall.sh
index dca34ccbd..05bb27945 100644
--- a/src/paks/sslh/uninstall.sh
+++ b/src/paks/sslh/uninstall.sh
@@ -23,5 +23,14 @@
 #
 . /opt/pakfire/lib/functions.sh
 stop_service ${NAME}
+
+# Delete user and group sslh
+if grep -q sslh /etc/passwd; then
+	userdel sslh
+	groupdel sslh
+fi
+
 remove_files
 rm -f /etc/rc.d/init.d/networking/red.up/50-sslh
+# Delete initscript symlinks
+rm -f /etc/rc.d/rc?.d/???sslh