From 405b6492dce31a46add7177659d2edde9dcca3c7 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Fri, 2 Mar 2018 15:54:00 +0100
Subject: [PATCH] Fix bind to localhost (patch backport by Christian Kujau) (#1542361)
---
stunnel-5.44-bind.patch | 123 ++++++++++++++++++++++++++++++++++++++++
stunnel.spec | 12 +++-
2 files changed, 133 insertions(+), 2 deletions(-)
create mode 100644 stunnel-5.44-bind.patch
diff --git a/stunnel-5.44-bind.patch b/stunnel-5.44-bind.patch
new file mode 100644
index 0000000..bfe54ad
--- /dev/null
+++ b/stunnel-5.44-bind.patch
@@ -0,0 +1,123 @@
+diff -Nrup stunnel-5.44/src/resolver.c stunnel-5.45/src/resolver.c
+--- stunnel-5.44/src/resolver.c 2017-10-16 11:38:47.000000000 -0700
++++ stunnel-5.45/src/resolver.c 2018-02-08 01:54:31.000000000 -0800
+@@ -241,10 +241,8 @@ unsigned hostport2addrlist(SOCKADDR_LIST
+ hints.ai_socktype=SOCK_STREAM;
+ hints.ai_protocol=IPPROTO_TCP;
+ hints.ai_flags=0;
+- if(addr_list->passive) {
+- hints.ai_family=AF_INET; /* first try IPv4 for passive requests */
++ if(addr_list->passive)
+ hints.ai_flags|=AI_PASSIVE;
+- }
+ #ifdef AI_ADDRCONFIG
+ hints.ai_flags|=AI_ADDRCONFIG;
+ #endif
+@@ -265,12 +263,6 @@ unsigned hostport2addrlist(SOCKADDR_LIST
+ continue; /* retry for unconfigured network interfaces */
+ }
+ #endif
+-#if defined(USE_IPv6) || defined(USE_WIN32)
+- if(hints.ai_family==AF_INET) {
+- hints.ai_family=AF_UNSPEC;
+- continue; /* retry for non-IPv4 addresses */
+- }
+-#endif
+ break;
+ }
+ if(err==EAI_SERVICE) {
+diff -Nrup stunnel-5.44/src/stunnel.c stunnel-5.45/src/stunnel.c
+--- stunnel-5.44/src/stunnel.c 2017-10-07 07:23:08.000000000 -0700
++++ stunnel-5.45/src/stunnel.c 2018-02-07 03:08:16.000000000 -0800
+@@ -299,10 +299,13 @@ void daemon_loop(void) {
+ break; /* terminate daemon_loop */
+ for(opt=service_options.next; opt; opt=opt->next) {
+ unsigned i;
+- for(i=0; ilocal_addr.num; ++i)
+- if(s_poll_canread(fds, opt->local_addr.fd[i]))
+- if(accept_connection(opt, i))
+- temporary_lack_of_resources=1;
++ for(i=0; ilocal_addr.num; ++i) {
++ SOCKET fd=opt->local_addr.fd[i];
++ if(fd!=INVALID_SOCKET &&
++ s_poll_canread(fds, fd) &&
++ accept_connection(opt, i))
++ temporary_lack_of_resources=1;
++ }
+ }
+ } else {
+ log_error(LOG_NOTICE, get_last_socket_error(),
+@@ -459,15 +462,22 @@ int bind_ports(void) {
+
+ listening_section=0;
+ for(opt=service_options.next; opt; opt=opt->next) {
+- unsigned i;
++ unsigned i, bound_ports=0;
++ if(!opt->local_addr.num)
++ continue; /* no ports to bind for this service */
+ s_log(LOG_DEBUG, "Binding service [%s]", opt->servname);
+ for(i=0; ilocal_addr.num; ++i) {
+ SOCKET fd;
+ fd=bind_port(opt, listening_section, i);
+- if(fd==INVALID_SOCKET)
+- return 1;
+- s_poll_add(fds, fd, 1, 0);
+ opt->local_addr.fd[i]=fd;
++ if(fd!=INVALID_SOCKET) {
++ s_poll_add(fds, fd, 1, 0);
++ ++bound_ports;
++ }
++ }
++ if(!bound_ports) {
++ s_log(LOG_ERR, "Could not bind any accepting port");
++ return 1;
+ }
+ if(opt->local_addr.num)
+ ++listening_section;
+diff -Nrup stunnel-5.44/tests/recipes/020_IPv6 stunnel-5.45/tests/recipes/020_IPv6
+--- stunnel-5.44/tests/recipes/020_IPv6 2017-11-26 13:50:09.000000000 -0800
++++ stunnel-5.45/tests/recipes/020_IPv6 2018-02-08 04:30:54.000000000 -0800
+@@ -11,10 +11,10 @@ start() {
+ [https client]
+ client = yes
+ accept = 127.0.0.1:${http1}
+- connect = :::${https}
++ connect = ::1:${https}
+
+ [https server]
+- accept = :::${https}
++ accept = ::1:${https}
+ connect = 127.0.0.1:${http2}
+ cert = ${script_path}/certs/stunnel.pem
+ EOT
+diff -Nrup stunnel-5.44/tests/recipes/022_bind stunnel-5.45/tests/recipes/022_bind
+--- stunnel-5.44/tests/recipes/022_bind 1969-12-31 16:00:00.000000000 -0800
++++ stunnel-5.45/tests/recipes/022_bind 2018-02-07 11:20:07.000000000 -0800
+@@ -0,0 +1,27 @@ ++#!/bin/sh ++. $(dirname $0)/../test_library ++ ++start() { ++ ../../src/stunnel -fd 0 < "error.log" ++test_log_for "022_bind" "success" "$1" 2>> "stderr.log" ++exit $?
diff --git a/stunnel.spec b/stunnel.spec
index dacad12..3d1b24d 100644
--- a/stunnel.spec
+++ b/stunnel.spec
@@ -10,7 +10,7 @@ Summary: A TLS-encrypting socket wrapper Name: stunnel Version: 5.44 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2 Group: Applications/Internet URL: http://www.stunnel.org/
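Review bot: The bind_ports() loop in the embedded stunnel.c patch stores a failed `bind_port()` result as `INVALID_SOCKET` and moves on without a message of its own, so a service can come up listening on only part of its configured accept addresses; only the all-failed case logs `Could not bind any accepting port`. Whether bind_port() reports each failure is not visible in this hunk; if it does not, add `else s_log(LOG_WARNING, "Service [%s]: accept address %u not bound", opt->servname, i);` after the `if(fd!=INVALID_SOCKET)` block so an operator can tell which listeners are actually up. The later `if(opt->local_addr.num)` guarding `++listening_section;` is always true once the new `continue` is in place and can be dropped. With the resolver.c hunk no longer forcing `AF_INET` for passive lookups, a name such as localhost can presumably produce listeners on both address families, so packet-filter rules and access controls written for the IPv4 listener should be checked against the IPv6 one. bind_ports() starts and ends outside the hunk.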
@@ -25,7 +25,9 @@ Source7: stunnel@.service Patch0: stunnel-5.40-authpriv.patch Patch1: stunnel-5.40-systemd-service.patch Patch3: stunnel-5.42-system-ciphers.patch +Patch4: stunnel-5.44-bind.patch # util-linux is needed for rename +BuildRequires: gcc BuildRequires: openssl-devel, pkgconfig, util-linux BuildRequires: autoconf automake libtool %if %{with libwrap} @@ -47,6 +49,7 @@ conjunction with imapd to create a TLS secure IMAP server. %patch0 -p1 -b .authpriv %patch1 -p1 -b .systemd-service %patch3 -p1 -b .system-ciphers +%patch4 -p1 -b .bind # Fix the configure script output for FIPS mode sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/}' configure @@ -68,7 +71,6 @@ fi make V=1 LDADD="-pie -Wl,-z,defs,-z,relro,-z,now" %install -#rm -rf %{buildroot} make install DESTDIR=%{buildroot} # Move the translated man pages to the right subdirectories, and strip off the # language suffixes. @@ -86,6 +88,9 @@ cp %{buildroot}%{_datadir}/doc/stunnel/examples/%{name}.service %{buildroot}%{_u cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service %endif +%check +make test + %files %{!?_licensedir:%global license %%doc} %doc AUTHORS BUGS ChangeLog CREDITS PORTS README TODO @@ -119,6 +124,9 @@ cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service %systemd_postun_with_restart %{name}.service %changelog +* Fri Mar 2 2018 Tomáš Mráz - 5.44-5 +- Fix bind to localhost (patch backport by Christian Kujau) (#1542361) + * Fri Feb 09 2018 Fedora Release Engineering - 5.44-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
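Review bot: The new `%check` section runs `make test` without saying what the build root has to provide, and the 020_IPv6 recipe touched by the bundled patch now accepts on `::1` as well as `127.0.0.1`. I would put a comment above `make test`, for example `# test recipes start listeners on 127.0.0.1 and ::1; needs loopback networking in the build root`. Whether the test library skips the IPv6 recipes on hosts without `::1` is not visible here, so a builder without IPv6 loopback may fail the build rather than skip.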