rpms/stunnel
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix bind to localhost (patch backport by Christian Kujau) (#1542361)

Browse Source
This commit is contained in:
Tomas Mraz 2018-03-02 15:54:00 +01:00
parent 7207ece1f3
commit 405b6492dc
2 changed files with 133 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

123
stunnel-5.44-bind.patch Normal file
View File

@ -0,0 +1,123 @@
diff -Nrup stunnel-5.44/src/resolver.c stunnel-5.45/src/resolver.c
--- stunnel-5.44/src/resolver.c 2017-10-16 11:38:47.000000000 -0700
+++ stunnel-5.45/src/resolver.c 2018-02-08 01:54:31.000000000 -0800
@@ -241,10 +241,8 @@ unsigned hostport2addrlist(SOCKADDR_LIST
hints.ai_socktype=SOCK_STREAM;
hints.ai_protocol=IPPROTO_TCP;
hints.ai_flags=0;
- if(addr_list->passive) {
- hints.ai_family=AF_INET; /* first try IPv4 for passive requests */
+ if(addr_list->passive)
hints.ai_flags|=AI_PASSIVE;
- }
#ifdef AI_ADDRCONFIG
hints.ai_flags|=AI_ADDRCONFIG;
#endif
@@ -265,12 +263,6 @@ unsigned hostport2addrlist(SOCKADDR_LIST
continue; /* retry for unconfigured network interfaces */
}
#endif
-#if defined(USE_IPv6) || defined(USE_WIN32)
- if(hints.ai_family==AF_INET) {
- hints.ai_family=AF_UNSPEC;
- continue; /* retry for non-IPv4 addresses */
- }
-#endif
break;
}
if(err==EAI_SERVICE) {
diff -Nrup stunnel-5.44/src/stunnel.c stunnel-5.45/src/stunnel.c
--- stunnel-5.44/src/stunnel.c 2017-10-07 07:23:08.000000000 -0700
+++ stunnel-5.45/src/stunnel.c 2018-02-07 03:08:16.000000000 -0800
@@ -299,10 +299,13 @@ void daemon_loop(void) {
break; /* terminate daemon_loop */
for(opt=service_options.next; opt; opt=opt->next) {
unsigned i;
- for(i=0; i<opt->local_addr.num; ++i)
- if(s_poll_canread(fds, opt->local_addr.fd[i]))
- if(accept_connection(opt, i))
- temporary_lack_of_resources=1;
+ for(i=0; i<opt->local_addr.num; ++i) {
+ SOCKET fd=opt->local_addr.fd[i];
+ if(fd!=INVALID_SOCKET &&
+ s_poll_canread(fds, fd) &&
+ accept_connection(opt, i))
+ temporary_lack_of_resources=1;
+ }
}
} else {
log_error(LOG_NOTICE, get_last_socket_error(),
@@ -459,15 +462,22 @@ int bind_ports(void) {
listening_section=0;
for(opt=service_options.next; opt; opt=opt->next) {
- unsigned i;
+ unsigned i, bound_ports=0;
+ if(!opt->local_addr.num)
+ continue; /* no ports to bind for this service */
s_log(LOG_DEBUG, "Binding service [%s]", opt->servname);
for(i=0; i<opt->local_addr.num; ++i) {
SOCKET fd;
fd=bind_port(opt, listening_section, i);
- if(fd==INVALID_SOCKET)
- return 1;
- s_poll_add(fds, fd, 1, 0);
opt->local_addr.fd[i]=fd;
+ if(fd!=INVALID_SOCKET) {
+ s_poll_add(fds, fd, 1, 0);
+ ++bound_ports;
+ }
+ }
+ if(!bound_ports) {
+ s_log(LOG_ERR, "Could not bind any accepting port");
+ return 1;
}
if(opt->local_addr.num)
++listening_section;
diff -Nrup stunnel-5.44/tests/recipes/020_IPv6 stunnel-5.45/tests/recipes/020_IPv6
--- stunnel-5.44/tests/recipes/020_IPv6 2017-11-26 13:50:09.000000000 -0800
+++ stunnel-5.45/tests/recipes/020_IPv6 2018-02-08 04:30:54.000000000 -0800
@@ -11,10 +11,10 @@ start() {
[https client]
client = yes
accept = 127.0.0.1:${http1}
- connect = :::${https}
+ connect = ::1:${https}
[https server]
- accept = :::${https}
+ accept = ::1:${https}
connect = 127.0.0.1:${http2}
cert = ${script_path}/certs/stunnel.pem
EOT
diff -Nrup stunnel-5.44/tests/recipes/022_bind stunnel-5.45/tests/recipes/022_bind
--- stunnel-5.44/tests/recipes/022_bind 1969-12-31 16:00:00.000000000 -0800
+++ stunnel-5.45/tests/recipes/022_bind 2018-02-07 11:20:07.000000000 -0800
@@ -0,0 +1,27 @@
+#!/bin/sh
+. $(dirname $0)/../test_library
+
+start() {
+ ../../src/stunnel -fd 0 <<EOT
+ debug = debug
+ syslog = no
+ pid = ${result_path}/stunnel.pid
+ output = ${result_path}/stunnel.log
+
+ [https client]
+ client = yes
+ accept = 127.0.0.1:${http1}
+ connect = ${https}
+
+ [https server]
+ accept = 127.0.0.1:${https}
+ accept = 127.0.0.1:${https}
+ connect = ${http2}
+ cert = ${script_path}/certs/server_cert.pem
+EOT
+}
+
+check_ports "022_bind"
+start 2> "error.log"
+test_log_for "022_bind" "success" "$1" 2>> "stderr.log"
+exit $?

12
stunnel.spec
View File

@ -10,7 +10,7 @@
Summary: A TLS-encrypting socket wrapper Summary: A TLS-encrypting socket wrapper
Name: stunnel Name: stunnel
Version: 5.44 Version: 5.44
Release: 4%{?dist} Release: 5%{?dist}
License: GPLv2 License: GPLv2
Group: Applications/Internet Group: Applications/Internet
URL: http://www.stunnel.org/ URL: http://www.stunnel.org/
@ -25,7 +25,9 @@ Source7: stunnel@.service
Patch0: stunnel-5.40-authpriv.patch Patch0: stunnel-5.40-authpriv.patch
Patch1: stunnel-5.40-systemd-service.patch Patch1: stunnel-5.40-systemd-service.patch
Patch3: stunnel-5.42-system-ciphers.patch Patch3: stunnel-5.42-system-ciphers.patch
Patch4: stunnel-5.44-bind.patch
# util-linux is needed for rename # util-linux is needed for rename
BuildRequires: gcc
BuildRequires: openssl-devel, pkgconfig, util-linux BuildRequires: openssl-devel, pkgconfig, util-linux
BuildRequires: autoconf automake libtool BuildRequires: autoconf automake libtool
%if %{with libwrap} %if %{with libwrap}
@ -47,6 +49,7 @@ conjunction with imapd to create a TLS secure IMAP server.
%patch0 -p1 -b .authpriv %patch0 -p1 -b .authpriv
%patch1 -p1 -b .systemd-service %patch1 -p1 -b .systemd-service
%patch3 -p1 -b .system-ciphers %patch3 -p1 -b .system-ciphers
%patch4 -p1 -b .bind
# Fix the configure script output for FIPS mode # Fix the configure script output for FIPS mode
sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/}' configure sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/}' configure
@ -68,7 +71,6 @@ fi
make V=1 LDADD="-pie -Wl,-z,defs,-z,relro,-z,now" make V=1 LDADD="-pie -Wl,-z,defs,-z,relro,-z,now"
%install %install
#rm -rf %{buildroot}
make install DESTDIR=%{buildroot} make install DESTDIR=%{buildroot}
# Move the translated man pages to the right subdirectories, and strip off the # Move the translated man pages to the right subdirectories, and strip off the
# language suffixes. # language suffixes.
@ -86,6 +88,9 @@ cp %{buildroot}%{_datadir}/doc/stunnel/examples/%{name}.service %{buildroot}%{_u
cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service
%endif %endif
%check
make test
%files %files
%{!?_licensedir:%global license %%doc} %{!?_licensedir:%global license %%doc}
%doc AUTHORS BUGS ChangeLog CREDITS PORTS README TODO %doc AUTHORS BUGS ChangeLog CREDITS PORTS README TODO
@ -119,6 +124,9 @@ cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service
%systemd_postun_with_restart %{name}.service %systemd_postun_with_restart %{name}.service
%changelog %changelog
* Fri Mar 2 2018 Tomáš Mráz <tmraz@redhat.com> - 5.44-5
- Fix bind to localhost (patch backport by Christian Kujau) (#1542361)
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.44-4 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.44-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild