From 1c02cd025e4ed91c1636097f55e3e92a7035c728 Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Wed, 12 Jan 2022 12:09:33 +0100 Subject: [PATCH] New upstream release 5.61 Fixes #1887204. Update the default TLS version patch to no longer include a large amount of whitespace in its "Using the default TLS version as specified in OpenSSL crypto policies. Not setting explicitly." message. The whitespace was caused by a line continuation, which is now replaced by string literal concatenation. Patch the FIPS tests to be skipped when stunnel is compiled against an OpenSSL 3.x configured with enable-fips, but without the required configuration that would be installed by a system administrator using openssl fipsinstall. This matches the behavior when compiled against OpenSSL 3.x configured without enable-fips. Switch the package URL to https. Upstream has done the same in the spec file in the tarball. Add build dependencies for python3 and the openssl command line tool. Both are used in tests now. Drop a sed expression applied to the configure script that no longer does anything and remove environment variables from testing that are no longer required to make the tests pass. --- .gitignore | 2 + sources | 4 +- stunnel-5.50-systemd-service.patch | 11 -- ... => stunnel-5.61-default-tls-version.patch | 119 +++++++++--------- stunnel-5.61-fips-test.patch | 58 +++++++++ stunnel-5.61-systemd-service.patch | 11 ++ stunnel.spec | 31 ++--- 7 files changed, 147 insertions(+), 89 deletions(-) delete mode 100644 stunnel-5.50-systemd-service.patch rename stunnel-5.56-default-tls-version.patch => stunnel-5.61-default-tls-version.patch (70%) create mode 100644 stunnel-5.61-fips-test.patch create mode 100644 stunnel-5.61-systemd-service.patch diff --git a/.gitignore b/.gitignore index cad0b38..c3a8e75 100644 --- a/.gitignore +++ b/.gitignore 
@@ -118,3 +118,5 @@ stunnel-4.33.tar.gz.asc
 /stunnel-5.57.tar.gz.asc
 /stunnel-5.58.tar.gz
 /stunnel-5.58.tar.gz.asc
+/stunnel-5.61.tar.gz
+/stunnel-5.61.tar.gz.asc
diff --git a/sources b/sources
index 16495eb..81f4370 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (stunnel-5.58.tar.gz) = 6f62bf13bf53f174b2810ad6708a9dfdb70e9b4e2f60c0c9cf4df691169a63014901402ccbe2862010f4cee240c1a8eec34b70a7a3fcef36e7a2ca14a7f70ece
-SHA512 (stunnel-5.58.tar.gz.asc) = 0deb4f521e3683b5f74afd0493ddd950193ffc30159b759a5eb5d0f8a4fb2cccacceb12e202b2abc963718ed44704415f53cc705f46656b96721013cc2f6747b
+SHA512 (stunnel-5.61.tar.gz) = e228d21fb39bba0175684a70d7323ed839c689810fccb84e9140619b22a7ce91c0ac2a38107c3c52ac9652a02d10918d087459673382ea4d00df8b3ad3abe6cc
+SHA512 (stunnel-5.61.tar.gz.asc) = ef7882d9a3a823f99edfa5c8ed8b44fa29a6b66d5ac02a5813b6addc98d1473dc02ff697631c3e4cb17292fd691832c12bb5b5675c87efe9e2be1fb2b668f23b
diff --git a/stunnel-5.50-systemd-service.patch b/stunnel-5.50-systemd-service.patch
deleted file mode 100644
index 9fc170b..0000000
--- a/stunnel-5.50-systemd-service.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -up stunnel-5.50/tools/stunnel.service.in.systemd-service stunnel-5.50/tools/stunnel.service.in
---- stunnel-5.50/tools/stunnel.service.in.systemd-service 2019-01-14 12:17:15.826868965 +0100
-+++ stunnel-5.50/tools/stunnel.service.in 2019-01-14 12:18:21.186753131 +0100
-@@ -5,6 +5,7 @@ After=syslog.target network.target
- [Service]
- ExecStart=@bindir@/stunnel
- Type=forking
-+PrivateTmp=true
- 
- [Install]
- WantedBy=multi-user.target
diff --git a/stunnel-5.56-default-tls-version.patch b/stunnel-5.61-default-tls-version.patch
similarity index 70%
rename from stunnel-5.56-default-tls-version.patch
rename to stunnel-5.61-default-tls-version.patch
index b66753e..f779e4e 100644
--- a/stunnel-5.56-default-tls-version.patch
+++ b/stunnel-5.61-default-tls-version.patch
@@ -1,18 +1,50 @@
---- stunnel-5.56/src/prototypes.h.default-tls-version 2020-04-06 11:22:24.480280384 +0200
-+++ stunnel-5.56/src/prototypes.h 2020-04-06 11:21:05.407597053 +0200
-@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
- ICON_IMAGE load_icon_file(const char *);
- #endif
- 
-+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
-+ crypto policies */
-+
- #endif /* defined PROTOTYPES_H */
- 
- /* end of prototypes.h */
---- stunnel-5.56/src/options.c.default-tls-version 2020-04-06 18:58:48.947214149 +0200
-+++ stunnel-5.56/src/options.c 2020-04-08 15:45:18.093520780 +0200
-@@ -3123,8 +3123,9 @@ NOEXPORT char *parse_service_option(CMD
+diff -up stunnel-5.61/src/ctx.c.default-tls-version stunnel-5.61/src/ctx.c
+--- stunnel-5.61/src/ctx.c.default-tls-version 2021-12-13 09:43:22.000000000 +0100
++++ stunnel-5.61/src/ctx.c 2022-01-10 19:27:49.913243127 +0100
+@@ -149,18 +149,28 @@ int context_init(SERVICE_OPTIONS *sectio
+ section->ctx=SSL_CTX_new(section->option.client ?
+ TLS_client_method() : TLS_server_method());
+ #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
+- if(!SSL_CTX_set_min_proto_version(section->ctx,
+- section->min_proto_version)) {
+- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+- section->min_proto_version);
+- return 1; /* FAILED */
+- }
+- if(!SSL_CTX_set_max_proto_version(section->ctx,
+- section->max_proto_version)) {
+- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+- section->max_proto_version);
+- return 1; /* FAILED */
++ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
++ s_log(LOG_INFO, "Using the default TLS version as specified in "
++ "OpenSSL crypto policies. Not setting explicitly.");
++ } else {
++ if(!SSL_CTX_set_min_proto_version(section->ctx,
++ section->min_proto_version)) {
++ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
++ section->min_proto_version);
++ return 1; /* FAILED */
++ }
+ }
++ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
++ s_log(LOG_INFO, "Using the default TLS version as specified in "
++ "OpenSSL crypto policies. Not setting explicitly");
++ } else {
++ if(!SSL_CTX_set_max_proto_version(section->ctx,
++ section->max_proto_version)) {
++ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
++ section->max_proto_version);
++ return 1; /* FAILED */
++ }
++ }
+ #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
+ if(section->option.client)
+ section->ctx=SSL_CTX_new(section->client_method);
+diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options.c
+--- stunnel-5.61/src/options.c.default-tls-version 2022-01-10 19:23:15.096254067 +0100
++++ stunnel-5.61/src/options.c 2022-01-10 19:23:15.098254103 +0100
+@@ -3297,8 +3297,9 @@ NOEXPORT char *parse_service_option(CMD
  return "Invalid protocol version";
  return NULL; /* OK */
  case CMD_INITIALIZE:
@@ -24,7 +56,7 @@
  return "Invalid protocol version range";
  break;
  case CMD_PRINT_DEFAULTS:
-@@ -3142,7 +3143,10 @@ NOEXPORT char *parse_service_option(CMD
+@@ -3316,7 +3317,10 @@ NOEXPORT char *parse_service_option(CMD
  /* sslVersionMax */
  switch(cmd) {
  case CMD_SET_DEFAULTS:
@@ -36,7 +68,7 @@
  break;
  case CMD_SET_COPY:
  section->max_proto_version=new_service_options.max_proto_version;
-@@ -3173,7 +3177,10 @@ NOEXPORT char *parse_service_option(CMD
+@@ -3347,7 +3351,10 @@ NOEXPORT char *parse_service_option(CMD
  /* sslVersionMin */
  switch(cmd) {
  case CMD_SET_DEFAULTS:
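Review bot: The two LOG_INFO messages in the new ctx.c hunk are identical apart from a trailing period, so a log reader cannot tell whether the minimum or the maximum bound was left to the crypto policy, and the second literal is the odd one out: `"OpenSSL crypto policies. Not setting explicitly"` versus `"... Not setting explicitly."`. Name the bound in each message and fold each into a single literal, e.g. `s_log(LOG_INFO, "Using the default minimum TLS version from the OpenSSL crypto policy");` and the `maximum` counterpart, which also removes the concatenation the commit message had to explain. The added `if (section->min_proto_version == USE_DEFAULT_TLS_VERSION)` and `if (section->max_proto_version == ...)` lines use `if (` while the adjacent stunnel code and the `else` branches in the same hunk write `if(`; match the file. A one-line comment above the first check would make the sentinel's intent visible where it is consumed, e.g. `/* USE_DEFAULT_TLS_VERSION: leave this bound to the OpenSSL crypto policy */`. context_init() continues outside the hunk.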
@@ -48,45 +80,16 @@
  break;
  case CMD_SET_COPY:
  section->min_proto_version=new_service_options.min_proto_version;
---- stunnel-5.56/src/ctx.c.default-tls-version 2019-10-24 10:48:11.000000000 +0200
-+++ stunnel-5.56/src/ctx.c 2020-04-06 11:16:48.406406794 +0200
-@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio
- section->ctx=SSL_CTX_new(TLS_client_method());
- else /* server mode */
- section->ctx=SSL_CTX_new(TLS_server_method());
-- if(!SSL_CTX_set_min_proto_version(section->ctx,
-- section->min_proto_version)) {
-- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
-- section->min_proto_version);
-- return 1; /* FAILED */
+diff -up stunnel-5.61/src/prototypes.h.default-tls-version stunnel-5.61/src/prototypes.h
+--- stunnel-5.61/src/prototypes.h.default-tls-version 2021-12-13 09:43:22.000000000 +0100
++++ stunnel-5.61/src/prototypes.h 2022-01-10 19:23:15.099254121 +0100
+@@ -932,6 +932,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
+ ICON_IMAGE load_icon_file(const char *);
+ #endif
+ 
++#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
++ crypto policies */
 +
-+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
-+ s_log(LOG_INFO, "Using the default TLS version as specified in \
-+ OpenSSL crypto policies. Not setting explicitly.");
-+ } else {
-+ if(!SSL_CTX_set_min_proto_version(section->ctx,
-+ section->min_proto_version)) {
-+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
-+ section->min_proto_version);
-+ return 1; /* FAILED */
-+ }
- }
-- if(!SSL_CTX_set_max_proto_version(section->ctx,
-- section->max_proto_version)) {
-- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
-- section->max_proto_version);
-- return 1; /* FAILED */
-+
-+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
-+ s_log(LOG_INFO, "Using the default TLS version as specified in \
-+ OpenSSL crypto policies. Not setting explicitly");
-+ } else {
-+ if(!SSL_CTX_set_max_proto_version(section->ctx,
-+ section->max_proto_version)) {
-+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
-+ section->max_proto_version);
-+ return 1; /* FAILED */
-+ }
- }
- #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
- if(section->option.client)
+ #endif /* defined PROTOTYPES_H */
+ 
+ /* end of prototypes.h */
@@ -0,0 +1,58 @@
+Skip FIPS tests if FIPS is unconfigured
+
+When built against OpenSSL 3 with the enable-fips option, the FIPS
+shared library can be loaded, but unless the system administrator has
+run openssl fipsinstall and modified the OpenSSL configuration, FIPS
+mode will still fail with an error message saying it is missing config
+data.
+
+Since this does not indicate a problem with stunnel's code, but with the
+underlying OpenSSL setup, skip the test if this occurs. This is the same
+behavior when running against a copy of OpenSSL 3.x that was not built with
+'enable-fips'.
+diff -up stunnel-5.61/tests/plugins/p10_fips.py.fips-tests stunnel-5.61/tests/plugins/p10_fips.py
+--- stunnel-5.61/tests/plugins/p10_fips.py.fips-tests 2022-01-12 11:40:11.121241545 +0100
++++ stunnel-5.61/tests/plugins/p10_fips.py 2022-01-12 11:45:01.791364483 +0100
+@@ -29,7 +29,8 @@ class FIPSTest(StunnelTest):
+ self.events.skip = [
+ "FIPS provider not available",
+ "fips mode not supported",
+- r"FIPS PROVIDER.*could not load the shared library"
++ r"FIPS PROVIDER.*could not load the shared library",
++ r"FIPS PROVIDER.*missing config data"
+ ]
+ self.events.failure = [
+ "peer did not return a certificate",
+diff -up stunnel-5.61/tests/plugins/p11_fips_cipher.py.fips-tests stunnel-5.61/tests/plugins/p11_fips_cipher.py
+--- stunnel-5.61/tests/plugins/p11_fips_cipher.py.fips-tests 2022-01-12 11:40:16.192330329 +0100
++++ stunnel-5.61/tests/plugins/p11_fips_cipher.py 2022-01-12 11:52:22.159227499 +0100
+@@ -30,7 +30,8 @@ class FailureCipherFIPS(StunnelTest):
+ self.events.skip = [
+ "FIPS provider not available",
+ "fips mode not supported",
+- r"FIPS PROVIDER.*could not load the shared library"
++ r"FIPS PROVIDER.*could not load the shared library",
++ r"FIPS PROVIDER.*missing config data"
+ ]
+ self.events.count = 1
+ self.events.success = [
+@@ -86,7 +87,8 @@ class FailureCiphersuitesFIPS(StunnelTes
+ self.events.skip = [
+ "FIPS provider not available",
+ "fips mode not 
supported", +- r"FIPS PROVIDER.*could not load the shared library" ++ r"FIPS PROVIDER.*could not load the shared library", ++ r"FIPS PROVIDER.*missing config data" + ] + self.events.count = 1 + self.events.success = [ +@@ -145,7 +147,8 @@ class FailureEllipticCurveFIPS(StunnelTe + self.events.skip = [ + "FIPS provider not available", + "fips mode not supported", +- r"FIPS PROVIDER.*could not load the shared library" ++ r"FIPS PROVIDER.*could not load the shared library", ++ r"FIPS PROVIDER.*missing config data" + ] + self.events.count = 1 + self.events.success = [ diff --git a/stunnel-5.61-systemd-service.patch b/stunnel-5.61-systemd-service.patch new file mode 100644 index 0000000..c204e3f --- /dev/null +++ b/stunnel-5.61-systemd-service.patch @@ -0,0 +1,11 @@ +diff -up stunnel-5.61/tools/stunnel.service.in.systemd-service stunnel-5.61/tools/stunnel.service.in +--- stunnel-5.61/tools/stunnel.service.in.systemd-service 2022-01-10 19:16:30.973923459 +0100 ++++ stunnel-5.61/tools/stunnel.service.in 2022-01-10 19:17:08.588605718 +0100 +@@ -6,6 +6,7 @@ After=syslog.target network-online.targe + ExecStart=@bindir@/stunnel + ExecReload=/bin/kill -HUP $MAINPID + Type=forking ++PrivateTmp=true + + [Install] + WantedBy=multi-user.target diff --git a/stunnel.spec b/stunnel.spec index 95694ab..300e6c6 100644 --- a/stunnel.spec +++ b/stunnel.spec @@ -9,10 +9,10 @@ Summary: A TLS-encrypting socket wrapper Name: stunnel -Version: 5.58 -Release: 4%{?dist} +Version: 5.61 +Release: 1%{?dist} License: GPLv2 -URL: http://www.stunnel.org/ +URL: https://www.stunnel.org/ Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc Source2: Certificate-Creation 
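Review bot: The same four-entry skip list is now copied verbatim into four test classes across p10_fips.py and p11_fips_cipher.py, so the next OpenSSL error string that has to be tolerated must be added in four places and the lists will drift. Hoist it into one module-level constant per file, e.g. `FIPS_SKIP_EVENTS = ["FIPS provider not available", "fips mode not supported", r"FIPS PROVIDER.*could not load the shared library", r"FIPS PROVIDER.*missing config data"]`, and assign `self.events.skip = list(FIPS_SKIP_EVENTS)` in each `__init__`. The new `r"FIPS PROVIDER.*missing config data"` entry turns an unconfigured FIPS provider into a skip rather than a failure; that is the right outcome for a distro build where nobody has run `openssl fipsinstall`, but it also means a broken provider configuration can never surface as a test failure, so the constant deserves a comment naming the OpenSSL error it matches and stating that skipping is deliberate. Each class's `__init__` continues outside the inner hunks.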
@@ -22,11 +22,12 @@ Source5: pop3-redirect.xinetd Source6: stunnel-pop3s-client.conf Source7: stunnel@.service Patch0: stunnel-5.50-authpriv.patch -Patch1: stunnel-5.50-systemd-service.patch +Patch1: stunnel-5.61-systemd-service.patch Patch3: stunnel-5.56-system-ciphers.patch Patch4: stunnel-5.56-coverity.patch -Patch5: stunnel-5.56-default-tls-version.patch +Patch5: stunnel-5.61-default-tls-version.patch Patch6: stunnel-5.56-curves-doc-update.patch +Patch7: stunnel-5.61-fips-test.patch # util-linux is needed for rename BuildRequires: make BuildRequires: gcc @@ -39,6 +40,7 @@ BuildRequires: /usr/bin/pod2man BuildRequires: /usr/bin/pod2html # build test requirements BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps +BuildRequires: python3 openssl BuildRequires: systemd %{?systemd_requires} @@ -56,12 +58,10 @@ conjunction with imapd to create a TLS secure IMAP server. %patch4 -p1 -b .coverity %patch5 -p1 -b .default-tls-version %patch6 -p1 -b .curves-doc-update +%patch7 -p1 -b .fips-test -# Fix the configure script output for FIPS mode and stack protector flag -sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure - -# Fix a testcase with system-ciphers support -sed -i '/client = yes/a \\ ciphers = PSK' tests/recipes/014_PSK_secrets +# Fix the stack protector flag +sed -i 's/-fstack-protector/-fstack-protector-strong/' configure %build #autoreconf -v @@ -98,14 +98,6 @@ cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service %endif %check -# For unknown reason the 042_inetd test fails in Koji. The failure is not reproducible -# in local build. -rm tests/recipes/042_inetd -# We override the security policy as it is too strict for the tests. -OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file -export OPENSSL_SYSTEM_CIPHERS_OVERRIDE -OPENSSL_CONF= -export OPENSSL_CONF make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done) %files 
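Review bot: The `sed -i 's/-fstack-protector/-fstack-protector-strong/' configure` kept in this hunk is unanchored: it rewrites the first `-fstack-protector` on each line regardless of what follows, so if configure already probes `-fstack-protector-strong` or `-fstack-protector-all` the probe becomes `-fstack-protector-strong-strong` or `-fstack-protector-strong-all` and silently fails. Anchor the match to the bare flag, e.g. `sed -i 's/-fstack-protector\([^-]\|$\)/-fstack-protector-strong\1/g' configure`. Whether the substitution matters at all depends on what `%{build_cflags}` injects, which is outside this hunk; if the toolchain flags already carry -fstack-protector-strong, this sed can follow the FIPS one removed here.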
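Review bot: The `%check` line that survives this hunk, `make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)`, never fails the build: the status of the subshell is that of its last `cat` (or 0 when no logs exist), so a failing test suite only prints its logs and the package is still produced. With the crypto-policy override and the deletion of 042_inetd removed, the tests now run against the real system configuration, which is exactly when a failure should stop the build; end the fallback with a non-zero status, `make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done; exit 1)`. If some recipes are known to be flaky in Koji, skip those recipes explicitly rather than swallowing the exit code of the whole suite.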
@@ -141,6 +133,9 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done) %systemd_postun_with_restart %{name}.service %changelog +* Mon Jan 10 2022 Clemens Lang - 5.61-1 +- New upstream release 5.61 + * Tue Sep 14 2021 Sahana Prasad - 5.58-4 - Rebuilt with OpenSSL 3.0.0