New upstream release 5.61

Fixes #1887204.

Update the default TLS version patch to no longer include a large amount
of whitespace in its "Using the default TLS version as specified in its
OpenSSL crypto policies. Not setting explicitly." message. The
whitespace was caused by a line continuation, which is now replaced by
string literal concatenation.

Patch the FIPS tests to be skipped when stunnel is compiled against an
OpenSSL 3.x configured with enable-fips, but without the required
configuration that would be installed by a system administrator using
openssl fipsinstall. This matches the behavior when compiled against
OpenSSL 3.x configured without enable-fips.

Switch the package URL to https. Upstream has done the same in the spec
file in the tarball.

Add build dependencies for python3 and the openssl command line tool.
Both are used in tests now.

Drop a sed expression applied to the configure script that no longer
does anything and remove environment variables from testing that are no
longer required to make the tests pass.
This commit is contained in:
Clemens Lang 2022-01-12 12:09:33 +01:00
parent bf6a054f4b
commit 1c02cd025e
7 changed files with 147 additions and 89 deletions

.gitignore vendored

@ -118,3 +118,5 @@ stunnel-4.33.tar.gz.asc
/stunnel-5.57.tar.gz.asc /stunnel-5.57.tar.gz.asc
/stunnel-5.58.tar.gz /stunnel-5.58.tar.gz
/stunnel-5.58.tar.gz.asc /stunnel-5.58.tar.gz.asc
/stunnel-5.61.tar.gz
/stunnel-5.61.tar.gz.asc


@ -1,2 +1,2 @@
SHA512 (stunnel-5.58.tar.gz) = 6f62bf13bf53f174b2810ad6708a9dfdb70e9b4e2f60c0c9cf4df691169a63014901402ccbe2862010f4cee240c1a8eec34b70a7a3fcef36e7a2ca14a7f70ece SHA512 (stunnel-5.61.tar.gz) = e228d21fb39bba0175684a70d7323ed839c689810fccb84e9140619b22a7ce91c0ac2a38107c3c52ac9652a02d10918d087459673382ea4d00df8b3ad3abe6cc
SHA512 (stunnel-5.58.tar.gz.asc) = 0deb4f521e3683b5f74afd0493ddd950193ffc30159b759a5eb5d0f8a4fb2cccacceb12e202b2abc963718ed44704415f53cc705f46656b96721013cc2f6747b SHA512 (stunnel-5.61.tar.gz.asc) = ef7882d9a3a823f99edfa5c8ed8b44fa29a6b66d5ac02a5813b6addc98d1473dc02ff697631c3e4cb17292fd691832c12bb5b5675c87efe9e2be1fb2b668f23b


@ -1,11 +0,0 @@
diff -up stunnel-5.50/tools/stunnel.service.in.systemd-service stunnel-5.50/tools/stunnel.service.in
--- stunnel-5.50/tools/stunnel.service.in.systemd-service 2019-01-14 12:17:15.826868965 +0100
+++ stunnel-5.50/tools/stunnel.service.in 2019-01-14 12:18:21.186753131 +0100
@@ -5,6 +5,7 @@ After=syslog.target network.target
[Service]
ExecStart=@bindir@/stunnel
Type=forking
+PrivateTmp=true
[Install]
WantedBy=multi-user.target


@ -1,18 +1,50 @@
--- stunnel-5.56/src/prototypes.h.default-tls-version 2020-04-06 11:22:24.480280384 +0200 diff -up stunnel-5.61/src/ctx.c.default-tls-version stunnel-5.61/src/ctx.c
+++ stunnel-5.56/src/prototypes.h 2020-04-06 11:21:05.407597053 +0200 --- stunnel-5.61/src/ctx.c.default-tls-version 2021-12-13 09:43:22.000000000 +0100
@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE); +++ stunnel-5.61/src/ctx.c 2022-01-10 19:27:49.913243127 +0100
ICON_IMAGE load_icon_file(const char *); @@ -149,18 +149,28 @@ int context_init(SERVICE_OPTIONS *sectio
#endif section->ctx=SSL_CTX_new(section->option.client ?
TLS_client_method() : TLS_server_method());
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
+ crypto policies */ - if(!SSL_CTX_set_min_proto_version(section->ctx,
+ - section->min_proto_version)) {
#endif /* defined PROTOTYPES_H */ - s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
- section->min_proto_version);
/* end of prototypes.h */ - return 1; /* FAILED */
--- stunnel-5.56/src/options.c.default-tls-version 2020-04-06 18:58:48.947214149 +0200 - }
+++ stunnel-5.56/src/options.c 2020-04-08 15:45:18.093520780 +0200 - if(!SSL_CTX_set_max_proto_version(section->ctx,
@@ -3123,8 +3123,9 @@ NOEXPORT char *parse_service_option(CMD - section->max_proto_version)) {
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
- section->max_proto_version);
- return 1; /* FAILED */
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in "
+ "OpenSSL crypto policies. Not setting explicitly.");
+ } else {
+ if(!SSL_CTX_set_min_proto_version(section->ctx,
+ section->min_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+ section->min_proto_version);
+ return 1; /* FAILED */
+ }
}
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in "
+ "OpenSSL crypto policies. Not setting explicitly");
+ } else {
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
+ section->max_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+ section->max_proto_version);
+ return 1; /* FAILED */
+ }
+ }
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
if(section->option.client)
section->ctx=SSL_CTX_new(section->client_method);
diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options.c
--- stunnel-5.61/src/options.c.default-tls-version 2022-01-10 19:23:15.096254067 +0100
+++ stunnel-5.61/src/options.c 2022-01-10 19:23:15.098254103 +0100
@@ -3297,8 +3297,9 @@ NOEXPORT char *parse_service_option(CMD
return "Invalid protocol version"; return "Invalid protocol version";
return NULL; /* OK */ return NULL; /* OK */
case CMD_INITIALIZE: case CMD_INITIALIZE:
@ -24,7 +56,7 @@
return "Invalid protocol version range"; return "Invalid protocol version range";
break; break;
case CMD_PRINT_DEFAULTS: case CMD_PRINT_DEFAULTS:
@@ -3142,7 +3143,10 @@ NOEXPORT char *parse_service_option(CMD @@ -3316,7 +3317,10 @@ NOEXPORT char *parse_service_option(CMD
/* sslVersionMax */ /* sslVersionMax */
switch(cmd) { switch(cmd) {
case CMD_SET_DEFAULTS: case CMD_SET_DEFAULTS:
@ -36,7 +68,7 @@
break; break;
case CMD_SET_COPY: case CMD_SET_COPY:
section->max_proto_version=new_service_options.max_proto_version; section->max_proto_version=new_service_options.max_proto_version;
@@ -3173,7 +3177,10 @@ NOEXPORT char *parse_service_option(CMD @@ -3347,7 +3351,10 @@ NOEXPORT char *parse_service_option(CMD
/* sslVersionMin */ /* sslVersionMin */
switch(cmd) { switch(cmd) {
case CMD_SET_DEFAULTS: case CMD_SET_DEFAULTS:
@ -48,45 +80,16 @@
break; break;
case CMD_SET_COPY: case CMD_SET_COPY:
section->min_proto_version=new_service_options.min_proto_version; section->min_proto_version=new_service_options.min_proto_version;
--- stunnel-5.56/src/ctx.c.default-tls-version 2019-10-24 10:48:11.000000000 +0200 diff -up stunnel-5.61/src/prototypes.h.default-tls-version stunnel-5.61/src/prototypes.h
+++ stunnel-5.56/src/ctx.c 2020-04-06 11:16:48.406406794 +0200 --- stunnel-5.61/src/prototypes.h.default-tls-version 2021-12-13 09:43:22.000000000 +0100
@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio +++ stunnel-5.61/src/prototypes.h 2022-01-10 19:23:15.099254121 +0100
section->ctx=SSL_CTX_new(TLS_client_method()); @@ -932,6 +932,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
else /* server mode */ ICON_IMAGE load_icon_file(const char *);
section->ctx=SSL_CTX_new(TLS_server_method()); #endif
- if(!SSL_CTX_set_min_proto_version(section->ctx,
- section->min_proto_version)) { +#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", + crypto policies */
- section->min_proto_version);
- return 1; /* FAILED */
+ +
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) { #endif /* defined PROTOTYPES_H */
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
+ OpenSSL crypto policies. Not setting explicitly."); /* end of prototypes.h */
+ } else {
+ if(!SSL_CTX_set_min_proto_version(section->ctx,
+ section->min_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+ section->min_proto_version);
+ return 1; /* FAILED */
+ }
}
- if(!SSL_CTX_set_max_proto_version(section->ctx,
- section->max_proto_version)) {
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
- section->max_proto_version);
- return 1; /* FAILED */
+
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
+ OpenSSL crypto policies. Not setting explicitly");
+ } else {
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
+ section->max_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+ section->max_proto_version);
+ return 1; /* FAILED */
+ }
}
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
if(section->option.client)
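Review bot: The two INFO messages in the new context_init hunk of the 5.61 patch are not identical: the min-version message `"OpenSSL crypto policies. Not setting explicitly."` ends in a period while the max-version message `"OpenSSL crypto policies. Not setting explicitly"` does not, so anything that matches the log line (test recipes, log filters) has to know about both spellings. Make them byte-identical, e.g. add the period to the second one. The sentinel `#define USE_DEFAULT_TLS_VERSION ((int)-2)` in prototypes.h carries a comment that wraps onto a second line with no indentation; a single-line `/* sentinel: leave min/max proto version to the OpenSSL crypto policy */` would read more cleanly and make the meaning of -2 obvious at the use sites in ctx.c. context_init's body continues outside the hunk on both ends, and the options.c hunks that assign the sentinel are collapsed on this page, so I cannot confirm where it is set.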


@ -0,0 +1,58 @@
Skip FIPS tests if FIPS is unconfigured
When built against OpenSSL 3 with the enable-fips option, the FIPS
shared library can be loaded, but unless the system administrator has
run openssl fipsinstall and modified the OpenSSL configuration, FIPS
mode will still fail with an error message saying it is missing config
data.
Since this does not indicate a problem with stunnel's code, but with the
underlying OpenSSL setup, skip the test if this occurs. This is the same
behavior when running against a copy of OpenSSL 3.x that was not built with
'enable-fips'.
diff -up stunnel-5.61/tests/plugins/p10_fips.py.fips-tests stunnel-5.61/tests/plugins/p10_fips.py
--- stunnel-5.61/tests/plugins/p10_fips.py.fips-tests 2022-01-12 11:40:11.121241545 +0100
+++ stunnel-5.61/tests/plugins/p10_fips.py 2022-01-12 11:45:01.791364483 +0100
@@ -29,7 +29,8 @@ class FIPSTest(StunnelTest):
self.events.skip = [
"FIPS provider not available",
"fips mode not supported",
- r"FIPS PROVIDER.*could not load the shared library"
+ r"FIPS PROVIDER.*could not load the shared library",
+ r"FIPS PROVIDER.*missing config data"
]
self.events.failure = [
"peer did not return a certificate",
diff -up stunnel-5.61/tests/plugins/p11_fips_cipher.py.fips-tests stunnel-5.61/tests/plugins/p11_fips_cipher.py
--- stunnel-5.61/tests/plugins/p11_fips_cipher.py.fips-tests 2022-01-12 11:40:16.192330329 +0100
+++ stunnel-5.61/tests/plugins/p11_fips_cipher.py 2022-01-12 11:52:22.159227499 +0100
@@ -30,7 +30,8 @@ class FailureCipherFIPS(StunnelTest):
self.events.skip = [
"FIPS provider not available",
"fips mode not supported",
- r"FIPS PROVIDER.*could not load the shared library"
+ r"FIPS PROVIDER.*could not load the shared library",
+ r"FIPS PROVIDER.*missing config data"
]
self.events.count = 1
self.events.success = [
@@ -86,7 +87,8 @@ class FailureCiphersuitesFIPS(StunnelTes
self.events.skip = [
"FIPS provider not available",
"fips mode not supported",
- r"FIPS PROVIDER.*could not load the shared library"
+ r"FIPS PROVIDER.*could not load the shared library",
+ r"FIPS PROVIDER.*missing config data"
]
self.events.count = 1
self.events.success = [
@@ -145,7 +147,8 @@ class FailureEllipticCurveFIPS(StunnelTe
self.events.skip = [
"FIPS provider not available",
"fips mode not supported",
- r"FIPS PROVIDER.*could not load the shared library"
+ r"FIPS PROVIDER.*could not load the shared library",
+ r"FIPS PROVIDER.*missing config data"
]
self.events.count = 1
self.events.success = [
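Review bot: The same skip list, now extended with `r"FIPS PROVIDER.*missing config data"`, is repeated verbatim in four test classes (FIPSTest in p10_fips.py and FailureCipherFIPS, FailureCiphersuitesFIPS and FailureEllipticCurveFIPS in p11_fips_cipher.py), so the next FIPS skip condition will need four more edits; a single shared list, in the common StunnelTest base if that is where other shared event lists live, would keep them in step. It is also worth recording in the patch header that a skip triggered by the new pattern means the build host's FIPS provider was loadable but unconfigured, so a passing test run on such a host exercised none of the FIPS assertions — a maintainer reading a green %check should know that outcome is possible. The enclosing method in each class starts outside the hunk.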


@ -0,0 +1,11 @@
diff -up stunnel-5.61/tools/stunnel.service.in.systemd-service stunnel-5.61/tools/stunnel.service.in
--- stunnel-5.61/tools/stunnel.service.in.systemd-service 2022-01-10 19:16:30.973923459 +0100
+++ stunnel-5.61/tools/stunnel.service.in 2022-01-10 19:17:08.588605718 +0100
@@ -6,6 +6,7 @@ After=syslog.target network-online.targe
ExecStart=@bindir@/stunnel
ExecReload=/bin/kill -HUP $MAINPID
Type=forking
+PrivateTmp=true
[Install]
WantedBy=multi-user.target


@ -9,10 +9,10 @@
Summary: A TLS-encrypting socket wrapper Summary: A TLS-encrypting socket wrapper
Name: stunnel Name: stunnel
Version: 5.58 Version: 5.61
Release: 4%{?dist} Release: 1%{?dist}
License: GPLv2 License: GPLv2
URL: http://www.stunnel.org/ URL: https://www.stunnel.org/
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc
Source2: Certificate-Creation Source2: Certificate-Creation
@ -22,11 +22,12 @@ Source5: pop3-redirect.xinetd
Source6: stunnel-pop3s-client.conf Source6: stunnel-pop3s-client.conf
Source7: stunnel@.service Source7: stunnel@.service
Patch0: stunnel-5.50-authpriv.patch Patch0: stunnel-5.50-authpriv.patch
Patch1: stunnel-5.50-systemd-service.patch Patch1: stunnel-5.61-systemd-service.patch
Patch3: stunnel-5.56-system-ciphers.patch Patch3: stunnel-5.56-system-ciphers.patch
Patch4: stunnel-5.56-coverity.patch Patch4: stunnel-5.56-coverity.patch
Patch5: stunnel-5.56-default-tls-version.patch Patch5: stunnel-5.61-default-tls-version.patch
Patch6: stunnel-5.56-curves-doc-update.patch Patch6: stunnel-5.56-curves-doc-update.patch
Patch7: stunnel-5.61-fips-test.patch
# util-linux is needed for rename # util-linux is needed for rename
BuildRequires: make BuildRequires: make
BuildRequires: gcc BuildRequires: gcc
@ -39,6 +40,7 @@ BuildRequires: /usr/bin/pod2man
BuildRequires: /usr/bin/pod2html BuildRequires: /usr/bin/pod2html
# build test requirements # build test requirements
BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
BuildRequires: python3 openssl
BuildRequires: systemd BuildRequires: systemd
%{?systemd_requires} %{?systemd_requires}
@ -56,12 +58,10 @@ conjunction with imapd to create a TLS secure IMAP server.
%patch4 -p1 -b .coverity %patch4 -p1 -b .coverity
%patch5 -p1 -b .default-tls-version %patch5 -p1 -b .default-tls-version
%patch6 -p1 -b .curves-doc-update %patch6 -p1 -b .curves-doc-update
%patch7 -p1 -b .fips-test
# Fix the configure script output for FIPS mode and stack protector flag # Fix the stack protector flag
sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
# Fix a testcase with system-ciphers support
sed -i '/client = yes/a \\ ciphers = PSK' tests/recipes/014_PSK_secrets
%build %build
#autoreconf -v #autoreconf -v
@ -98,14 +98,6 @@ cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service
%endif %endif
%check %check
# For unknown reason the 042_inetd test fails in Koji. The failure is not reproducible
# in local build.
rm tests/recipes/042_inetd
# We override the security policy as it is too strict for the tests.
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
OPENSSL_CONF=
export OPENSSL_CONF
make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done) make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
%files %files
@ -141,6 +133,9 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
%systemd_postun_with_restart %{name}.service %systemd_postun_with_restart %{name}.service
%changelog %changelog
* Mon Jan 10 2022 Clemens Lang <cllang@redhat.com> - 5.61-1
- New upstream release 5.61
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 5.58-4 * Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 5.58-4
- Rebuilt with OpenSSL 3.0.0 - Rebuilt with OpenSSL 3.0.0
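Review bot: The new `BuildRequires: python3 openssl` line departs from the style of its neighbours, which name test tools by path and separate them with commas (`BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps`); `BuildRequires: python3, /usr/bin/openssl` would match and states explicitly that it is the command-line binary the tests call that is required. The %changelog entry only says `- New upstream release 5.61`, although the same commit also removes the OPENSSL_CONF and OPENSSL_SYSTEM_CIPHERS_OVERRIDE overrides from %check, drops the 042_inetd workaround, adds the FIPS test skip patch and moves URL to https; the bug reference from the commit message should at least be recorded there, e.g. `- Resolves: rhbz#1887204`, together with a line about the FIPS tests being skipped when fipsinstall has not been run. The entry is dated Mon Jan 10 2022 while the commit is from Jan 12; if the date was carried over from an earlier draft it should be bumped.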