Remove USE_SSL switch, change code to always build with SSL support.

Building without SSL support was not possible anyway, due to NTLM requiring it.
This commit is contained in:
Sven Geuer 2026-05-11 16:00:27 +02:00
parent bc74c7ef46
commit 4078a9fe72
No known key found for this signature in database
GPG key ID: ADF50EDAF8ADD585
6 changed files with 1 additions and 61 deletions

View file

@ -11,9 +11,6 @@ CFLAGS ?= -Wall -O2 -ggdb
# Comment on non-gnu systems
OPTFLAGS += -DHAVE_GETOPT_LONG
# Comment if you don't have/want ssl
OPTFLAGS += -DUSE_SSL
# MSYS/CYGWIN
# The current version of gcc from MSYS defines __MSYS__ and __CYGWIN__, from CYGWIN defines __CYGWIN__.
# To avoid to change the code, simply define CYGWIN additionally.

View file

@ -56,14 +56,11 @@ void cmdline_parser_print_help (void) {
" -p, --proxy=STRING Local proxy host:port combination\n"
" -r, --remproxy=STRING Remote proxy host:port combination (using 2 proxies)\n"
" -d, --dest=STRING Destination host:port combination\n"
#ifdef USE_SSL
" -e, --encrypt SSL encrypt data between local proxy and destination\n"
" -E, --encrypt-proxy SSL encrypt data between client and local proxy\n"
" -X, --encrypt-remproxy SSL encrypt data between local and remote proxy\n"
#endif
"\n"
"Additional options for specific features:\n"
#ifdef USE_SSL
" -W, --wa-bug-29744 Workaround ASF Bugzilla 29744: if SSL is active\n"
" stop using it after CONNECT (might not work on all\n"
" setups)\n"
@ -73,16 +70,13 @@ void cmdline_parser_print_help (void) {
" -T, --no-ssl3 Do not connect using SSLv3 (legacy)\n"*/
" -z, --no-check-certificate Don't verify server SSL certificate\n"
" -C, --cacert=STRING Path to trusted CA certificate or directory\n"
#endif
" -4, --ipv4 Enforce IPv4 connection to local proxy\n"
" -6, --ipv6 Enforce IPv6 connection to local proxy\n"
" -F, --passfile=STRING File with credentials for proxy authentication\n"
" -P, --proxyauth=STRING Proxy auth credentials user:pass combination\n"
" -R, --remproxyauth=STRING Remote proxy auth credentials user:pass combination\n"
#ifdef USE_SSL
" -c, --cert=FILENAME client SSL certificate (chain)\n"
" -k, --key=FILENAME client SSL key\n"
#endif
// " -u, --user=STRING Username for proxy authentication\n"
// " -s, --pass=STRING Password for proxy authentication\n"
// " -U, --uservar=STRING Environment variable that holds username\n"
@ -90,11 +84,7 @@ void cmdline_parser_print_help (void) {
" -N, --ntlm Use NTLM based authentication\n"
" -t, --domain=STRING NTLM domain (default: autodetect)\n"
" -H, --header=STRING Add additional HTTP headers to send to proxy\n"
#ifdef USE_SSL
" -o, --host=STRING Send custom Host Header/SNI\n"
#else
" -o, --host=STRING Send custom Host Header\n"
#endif
#ifdef SETPROCTITLE
" -x, --proctitle=STRING Use a different process title\n"
#endif
@ -270,8 +260,6 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
clear_args ();
cmdline_parser_print_help ();
exit(0);
#ifdef USE_SSL
case 'e': /* Turn on SSL encryption */
args_info->encrypt_flag = !(args_info->encrypt_flag);
if( args_info->verbose_flag )
@ -316,8 +304,6 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
if( args_info->verbose_flag )
message("SSL client to proxy enabled, only until CONNECT\n");
break;
#endif
case 'i': /* Run from inetd. */
if ( args_info->standalone_arg > 0 ) {
fprintf( stderr, "%s: '--inetd' ('-i') conflicts with '--standalone' ('-a')\n", PACKAGE );

View file

@ -3,7 +3,7 @@
set-proc-title ? true,
pkgs,
}: let
optflags = "-DUSE_SSL ${
optflags = "${
if gnu-system
then "-DHAVE_GETOPT_LONG"
else ""

View file

@ -357,20 +357,16 @@ void do_daemon()
sd = tunnel_connect();
stunnel = stream_open(sd, sd);
#ifdef USE_SSL
/* If --encrypt-proxy is specified, connect to the proxy using SSL */
if ( args_info.encryptproxy_flag )
stream_enable_ssl(stunnel, args_info.proxy_arg);
#endif /* USE_SSL */
/* Open the tunnel */
proxy_protocol(stunnel);
#ifdef USE_SSL
/* If --encrypt is specified, wrap all traffic after the proxy handoff in SSL */
if( args_info.encrypt_flag )
stream_enable_ssl(stunnel, args_info.dest_arg);
#endif /* USE_SSL */
#ifdef SETPROCTITLE
if( ! args_info.proctitle_given )
@ -483,19 +479,15 @@ int main( int argc, char *argv[] ) {
stunnel = stream_open(sd, sd);
/* If --encrypt-proxy is specified, connect to the proxy using SSL */
#ifdef USE_SSL
if ( args_info.encryptproxy_flag )
stream_enable_ssl(stunnel, args_info.proxy_arg);
#endif /* USE_SSL */
/* Open the tunnel */
proxy_protocol(stunnel);
/* If --encrypt is specified, wrap all traffic after the proxy handoff in SSL */
#ifdef USE_SSL
if( args_info.encrypt_flag )
stream_enable_ssl(stunnel, args_info.dest_arg);
#endif /* USE_SSL */
#ifdef SETPROCTITLE
if( ! args_info.proctitle_given )

View file

@ -50,14 +50,12 @@ PTSTREAM *stream_open(int incoming_fd, int outgoing_fd) {
/* Close a stream */
int stream_close(PTSTREAM *pts) {
#ifdef USE_SSL
/* Destroy the SSL context */
if (pts->ssl) {
SSL_shutdown (pts->ssl);
SSL_free (pts->ssl);
SSL_CTX_free (pts->ctx);
}
#endif /* USE_SSL */
/* Close the incoming fd */
close(pts->incoming_fd);
@ -81,13 +79,8 @@ int stream_read(PTSTREAM *pts, void *buf, size_t len) {
/* For a non-SSL stream... */
bytes_read = read(pts->incoming_fd, buf, len);
} else {
#ifdef USE_SSL
/* For an SSL stream... */
bytes_read = SSL_read(pts->ssl, buf, len);
#else
/* No SSL support, so must use a non-SSL stream */
bytes_read = read(pts->incoming_fd, buf, len);
#endif /* USE_SSL */
}
return bytes_read;
@ -107,17 +100,10 @@ int stream_write(PTSTREAM *pts, void *buf, size_t len) {
buf + total_bytes_written,
len - total_bytes_written);
} else {
#ifdef USE_SSL
/* For an SSL stream... */
bytes_written = SSL_write(pts->ssl,
buf + total_bytes_written,
len - total_bytes_written);
#else
/* No SSL support, so must use a non-SSL stream */
bytes_written = write(pts->outgoing_fd,
buf + total_bytes_written,
len - total_bytes_written);
#endif /* USE_SSL */
}
if (bytes_written <= 0) {
@ -186,7 +172,6 @@ int check_cert_names(X509 *cert, char *peer_host) {
/* Initiate an SSL handshake on this stream and encrypt all subsequent data */
int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) {
#ifdef USE_SSL
const SSL_METHOD *meth;
SSL *ssl;
SSL_CTX *ctx;
@ -315,18 +300,13 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) {
/* Store ssl and ctx parameters */
pts->ssl = ssl;
pts->ctx = ctx;
#else
message("Warning: stream_open(): SSL stream requested but no SSL support available; using unencrypted connection");
#endif /* USE_SSL */
return 1;
fail:
#ifdef USE_SSL
if (cert != NULL) {
X509_free(cert);
}
#endif /* USE_SSL */
exit(1);
}
@ -337,11 +317,7 @@ int stream_get_incoming_fd(PTSTREAM *pts) {
if (!pts->ssl)
return pts->incoming_fd;
else
#ifdef USE_SSL
return SSL_get_rfd(pts->ssl);
#else
return pts->incoming_fd;
#endif /* USE_SSL */
}
/* Return the outgoing_fd for a given stream */
@ -349,11 +325,7 @@ int stream_get_outgoing_fd(PTSTREAM *pts) {
if (!pts->ssl)
return pts->outgoing_fd;
else
#ifdef USE_SSL
return SSL_get_wfd(pts->ssl);
#else
return pts->outgoing_fd;
#endif /* USE_SSL */
}
// vim:noexpandtab:ts=4

View file

@ -20,24 +20,17 @@
/* ptstream.h */
#include <stddef.h>
#ifdef USE_SSL
#include <openssl/opensslv.h>
#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#endif
typedef struct ptstream {
int incoming_fd;
int outgoing_fd;
#ifdef USE_SSL
SSL *ssl;
SSL_CTX *ctx;
#else
void *ssl;
void *ctx;
#endif
} PTSTREAM;