rpms/stunnel
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import stunnel-5.62-2.el9

Browse Source
This commit is contained in:
CentOS Sources 2022-03-01 07:39:47 -05:00 committed by Stepan Oksanichenko
parent 232bd89be3
commit 4566cf2f2a
11 changed files with 198 additions and 121 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/stunnel-5.58.tar.gz
SOURCES/stunnel-5.62.tar.gz

2
.stunnel.metadata
View File

@ -1 +1 @@
7e9bd07267f9ff6505a68f5b7034ed0154651ab2 SOURCES/stunnel-5.58.tar.gz
e18be56bfee006f5e58de044fda7bdcfaa425b3f SOURCES/stunnel-5.62.tar.gz

11
SOURCES/stunnel-5.50-systemd-service.patch
View File

@ -1,11 +0,0 @@
diff -up stunnel-5.50/tools/stunnel.service.in.systemd-service stunnel-5.50/tools/stunnel.service.in
--- stunnel-5.50/tools/stunnel.service.in.systemd-service 2019-01-14 12:17:15.826868965 +0100
+++ stunnel-5.50/tools/stunnel.service.in 2019-01-14 12:18:21.186753131 +0100
@@ -5,6 +5,7 @@ After=syslog.target network.target
[Service]
ExecStart=@bindir@/stunnel
Type=forking
+PrivateTmp=true
[Install]
WantedBy=multi-user.target

11
SOURCES/stunnel-5.58-openssl30.patch
View File

@ -1,11 +0,0 @@
diff -up stunnel-5.58/src/ctx.c.openssl30 stunnel-5.58/src/ctx.c
--- stunnel-5.58/src/ctx.c.openssl30 2021-08-03 16:02:24.687409192 +0200
+++ stunnel-5.58/src/ctx.c 2021-08-03 16:03:36.889009510 +0200
@@ -1011,6 +1011,7 @@ NOEXPORT int ui_retry() {
switch(ERR_GET_REASON(err)) {
case UI_R_RESULT_TOO_LARGE:
case UI_R_RESULT_TOO_SMALL:
+ case UI_R_PROCESSING_ERROR:
return 1;
default:
return 0;

18
SOURCES/stunnel-5.58.tar.gz.asc
View File

@ -1,18 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmAxUhNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
4BTjnw//WxZJR4No++ri5S4amhfYpLPY3Zr9qUGQ5hepESCWTYf/K+b24fPtKsiU
x/qn1jneQWw/dzPsD1e3UuPH+4d4ryzLzxVW9T8T+6cFQlaU89m5h0Epdd/LjwhF
YECEawGU3dA+pgrNrumgyUTzYtsWGCAkylS02eDrD3auYL3mllarAuXmOpjFxIRB
zod4HILm5fKggZ9++GsIeTFLz+q8Q1Y6QdELLje5p9wrqgP/N2Misc6yrYN8ZdOV
HvFirN/M/Zb0AYknYNe6GHu06u8SM5bZpbwqrrMGaY95mL0lYDn5mi8quel0dnBv
sI9rrflo1G9NMymSPN1knV9UeTKSnpSSr9HFxl1Y5eH2DcLIhfQZ9STBzrRPivxb
JC0gNE51K36Komd4VhfYA2RPtih+YeGi7bADSMoH3UOZDsMJ9YitO9NAsFS/MaY7
EkxKcqisfccZ69ruykHVxfYHujdby/EOXIUZVmmkrV7BWudhnDmukFg6k6uOq7LT
k1ABoNhqfQx3f/daR0oluNgdOPz6bkt/9fa1RjFHqVLo+YOMBrHAEUv6eSQ2V0z5
Lh5UCQQmPk7M6JWta1Bs9Ftv+H+CR6k6Ix9oF3lMjAjcJu4oj7zeRN4yH4KlGltP
SfWgOEK0SqwZZL8yE7Fp61WiDlTW3b02U7iESj/OJK6Z1CpCxtE=
=EoHl
-----END PGP SIGNATURE-----

119
SOURCES/stunnel-5.56-default-tls-version.patch → SOURCES/stunnel-5.61-default-tls-version.patch
View File

@ -1,18 +1,50 @@
--- stunnel-5.56/src/prototypes.h.default-tls-version 2020-04-06 11:22:24.480280384 +0200
+++ stunnel-5.56/src/prototypes.h 2020-04-06 11:21:05.407597053 +0200
@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
ICON_IMAGE load_icon_file(const char *);
#endif
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
+ crypto policies */
+
#endif /* defined PROTOTYPES_H */
/* end of prototypes.h */
--- stunnel-5.56/src/options.c.default-tls-version 2020-04-06 18:58:48.947214149 +0200
+++ stunnel-5.56/src/options.c 2020-04-08 15:45:18.093520780 +0200
@@ -3123,8 +3123,9 @@ NOEXPORT char *parse_service_option(CMD
diff -up stunnel-5.61/src/ctx.c.default-tls-version stunnel-5.61/src/ctx.c
--- stunnel-5.61/src/ctx.c.default-tls-version 2021-12-13 09:43:22.000000000 +0100
+++ stunnel-5.61/src/ctx.c 2022-01-10 19:27:49.913243127 +0100
@@ -149,18 +149,28 @@ int context_init(SERVICE_OPTIONS *sectio
section->ctx=SSL_CTX_new(section->option.client ?
TLS_client_method() : TLS_server_method());
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
- if(!SSL_CTX_set_min_proto_version(section->ctx,
- section->min_proto_version)) {
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
- section->min_proto_version);
- return 1; /* FAILED */
- }
- if(!SSL_CTX_set_max_proto_version(section->ctx,
- section->max_proto_version)) {
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
- section->max_proto_version);
- return 1; /* FAILED */
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in "
+ "OpenSSL crypto policies. Not setting explicitly.");
+ } else {
+ if(!SSL_CTX_set_min_proto_version(section->ctx,
+ section->min_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+ section->min_proto_version);
+ return 1; /* FAILED */
+ }
}
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in "
+ "OpenSSL crypto policies. Not setting explicitly");
+ } else {
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
+ section->max_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+ section->max_proto_version);
+ return 1; /* FAILED */
+ }
+ }
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
if(section->option.client)
section->ctx=SSL_CTX_new(section->client_method);
diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options.c
--- stunnel-5.61/src/options.c.default-tls-version 2022-01-10 19:23:15.096254067 +0100
+++ stunnel-5.61/src/options.c 2022-01-10 19:23:15.098254103 +0100
@@ -3297,8 +3297,9 @@ NOEXPORT char *parse_service_option(CMD
return "Invalid protocol version";
return NULL; /* OK */
case CMD_INITIALIZE:
@ -24,7 +56,7 @@
return "Invalid protocol version range";
break;
case CMD_PRINT_DEFAULTS:
@@ -3142,7 +3143,10 @@ NOEXPORT char *parse_service_option(CMD
@@ -3316,7 +3317,10 @@ NOEXPORT char *parse_service_option(CMD
/* sslVersionMax */
switch(cmd) {
case CMD_SET_DEFAULTS:
@ -36,7 +68,7 @@
break;
case CMD_SET_COPY:
section->max_proto_version=new_service_options.max_proto_version;
@@ -3173,7 +3177,10 @@ NOEXPORT char *parse_service_option(CMD
@@ -3347,7 +3351,10 @@ NOEXPORT char *parse_service_option(CMD
/* sslVersionMin */
switch(cmd) {
case CMD_SET_DEFAULTS:
@ -48,45 +80,16 @@
break;
case CMD_SET_COPY:
section->min_proto_version=new_service_options.min_proto_version;
--- stunnel-5.56/src/ctx.c.default-tls-version 2019-10-24 10:48:11.000000000 +0200
+++ stunnel-5.56/src/ctx.c 2020-04-06 11:16:48.406406794 +0200
@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio
section->ctx=SSL_CTX_new(TLS_client_method());
else /* server mode */
section->ctx=SSL_CTX_new(TLS_server_method());
- if(!SSL_CTX_set_min_proto_version(section->ctx,
- section->min_proto_version)) {
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
- section->min_proto_version);
- return 1; /* FAILED */
diff -up stunnel-5.61/src/prototypes.h.default-tls-version stunnel-5.61/src/prototypes.h
--- stunnel-5.61/src/prototypes.h.default-tls-version 2021-12-13 09:43:22.000000000 +0100
+++ stunnel-5.61/src/prototypes.h 2022-01-10 19:23:15.099254121 +0100
@@ -932,6 +932,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
ICON_IMAGE load_icon_file(const char *);
#endif
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
+ crypto policies */
+
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
+ OpenSSL crypto policies. Not setting explicitly.");
+ } else {
+ if(!SSL_CTX_set_min_proto_version(section->ctx,
+ section->min_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+ section->min_proto_version);
+ return 1; /* FAILED */
+ }
}
- if(!SSL_CTX_set_max_proto_version(section->ctx,
- section->max_proto_version)) {
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
- section->max_proto_version);
- return 1; /* FAILED */
+
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
+ OpenSSL crypto policies. Not setting explicitly");
+ } else {
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
+ section->max_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+ section->max_proto_version);
+ return 1; /* FAILED */
+ }
}
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
if(section->option.client)
#endif /* defined PROTOTYPES_H */
/* end of prototypes.h */

19
SOURCES/stunnel-5.61-openssl30-fips.patch Normal file
View File

@ -0,0 +1,19 @@
tests: Adapt to OpenSSL 3.x FIPS mode
In OpenSSL 3.0 with FIPS enabled, this test no longer fails with
a human-readable error message (such as "no ciphers available"), but
instead causes an internal error. Extend the success regex list to also
accept this result.
diff -up stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 stunnel-5.61/tests/plugins/p11_fips_cipher.py
--- stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 2022-01-12 15:15:03.211690650 +0100
+++ stunnel-5.61/tests/plugins/p11_fips_cipher.py 2022-01-12 15:15:20.937008173 +0100
@@ -91,7 +91,8 @@ class FailureCiphersuitesFIPS(StunnelTes
self.events.count = 1
self.events.success = [
"disabled for FIPS",
- "no ciphers available"
+ "no ciphers available",
+ "TLS alert \\(write\\): fatal: internal error"
]
self.events.failure = [
"peer did not return a certificate",

11
SOURCES/stunnel-5.61-systemd-service.patch Normal file
View File

@ -0,0 +1,11 @@
diff -up stunnel-5.61/tools/stunnel.service.in.systemd-service stunnel-5.61/tools/stunnel.service.in
--- stunnel-5.61/tools/stunnel.service.in.systemd-service 2022-01-12 14:48:32.474150329 +0100
+++ stunnel-5.61/tools/stunnel.service.in 2022-01-12 14:50:15.253984639 +0100
@@ -6,6 +6,7 @@ After=syslog.target network-online.targe
ExecStart=@bindir@/stunnel
ExecReload=/bin/kill -HUP $MAINPID
Type=forking
+PrivateTmp=true
[Install]
WantedBy=multi-user.target

57
SOURCES/stunnel-5.62-disabled-curves.patch Normal file
View File

@ -0,0 +1,57 @@
Limit curves defaults in FIPS mode
Our copy of OpenSSL disables the X25519 and X448 curves in FIPS mode,
but stunnel defaults to enabling them and then fails to do so.
Upstream-Status: Inappropriate [caused by a downstream patch to openssl]
diff -up stunnel-5.62/src/options.c.disabled-curves stunnel-5.62/src/options.c
--- stunnel-5.62/src/options.c.disabled-curves 2022-02-04 13:46:45.936884124 +0100
+++ stunnel-5.62/src/options.c 2022-02-04 13:53:16.346725153 +0100
@@ -40,8 +40,10 @@
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
#define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
+#define DEFAULT_CURVES_FIPS "P-256:P-521:P-384"
#else /* OpenSSL version < 1.1.1 */
#define DEFAULT_CURVES "prime256v1"
+#define DEFAULT_CURVES_FIPS "prime256v1"
#endif /* OpenSSL version >= 1.1.1 */
#if defined(_WIN32_WCE) && !defined(CONFDIR)
@@ -1855,7 +1857,7 @@ NOEXPORT char *parse_service_option(CMD
/* curves */
switch(cmd) {
case CMD_SET_DEFAULTS:
- section->curves=str_dup_detached(DEFAULT_CURVES);
+ section->curves = NULL;
break;
case CMD_SET_COPY:
section->curves=str_dup_detached(new_service_options.curves);
@@ -1870,9 +1872,26 @@ NOEXPORT char *parse_service_option(CMD
section->curves=str_dup_detached(arg);
return NULL; /* OK */
case CMD_INITIALIZE:
+ if(!section->curves) {
+ /* this is only executed for global options, because
+ * section->curves is no longer NULL in sections */
+#ifdef USE_FIPS
+ if(new_global_options.option.fips)
+ section->curves=str_dup_detached(DEFAULT_CURVES_FIPS);
+ else
+#endif /* USE_FIPS */
+ section->curves=str_dup_detached(DEFAULT_CURVES);
+ }
break;
case CMD_PRINT_DEFAULTS:
- s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
+ if(fips_available()) {
+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
+ DEFAULT_CURVES_FIPS, "(with \"fips = yes\")");
+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
+ DEFAULT_CURVES, "(with \"fips = no\")");
+ } else {
+ s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
+ }
break;
case CMD_PRINT_HELP:
s_log(LOG_NOTICE, "%-22s = ECDH curve names", "curves");

18
SOURCES/stunnel-5.62.tar.gz.asc Normal file
View File

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmHlyoBfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
4BRqiw//dzBO+CqezKNlkVT5sePEfriVPk0iYa7IyGQ2xclohI3X3A0NaLHhwysa
2pFo+myUn5h2qVM6jfuPbXHxDSgDQIcRoEEWpLbVEnVy5vMpVsB5wY4fwfyd3crM
2J24XPdODE8H2mB28JXHyQdXehMtzOAMJ57ugUbrU4drNOR8sCRbp+sBChI8JK9Q
IYvUoMPMCukFXws0KFEYjRom/FyQlde2Wz9ZPiluRzj6RWPQvQht8EiB7IfPrq2m
fiPmOxUnB+Ry6/eaSp7JLlrnL4q5Zhw0HS/pMbWpiB9nPb9SLoKufJ9hYQs5X2h9
L85VPMAAAStQ4PcvFYWt/nV03p3agImdMLrwlaMi/Bb95+tk7OoNLu7yz9RQ9QAo
SPamduORs4/KhtlMzRf2G8utIQRa4fI47KDOO1+1qRfTH4t/Bf3Fr/gI34AW24ZZ
hu2nHqr+UxGkU42HJEhsL9tAvBFr/mBI64sHtAI41e25CkqBQSqD+FxUw5snbVgP
XxiM9tNo/UUZpCMnmkAZUqVFKYT10VSFTDo6/LcoMYZf1zzCWch3wJTtf2ZPUJYG
6kNpdCEzsXYileL6iCof9+J5hNaNGpsgTi+ljz1jujzOHWGw6hyIWUiYTBGmRAbl
Pehbx5RYqQe9gX0nFRRs3o9y9p8B4MLMAvJdhx6vqxgd2H1SDJA=
=MLHM
-----END PGP SIGNATURE-----

51
SPECS/stunnel.spec
View File

@ -9,10 +9,10 @@
Summary: A TLS-encrypting socket wrapper
Name: stunnel
Version: 5.58
Release: 6%{?dist}
Version: 5.62
Release: 2%{?dist}
License: GPLv2
URL: http://www.stunnel.org/
URL: https://www.stunnel.org/
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc
Source2: Certificate-Creation
@ -22,12 +22,13 @@ Source5: pop3-redirect.xinetd
Source6: stunnel-pop3s-client.conf
Source7: stunnel@.service
Patch0: stunnel-5.50-authpriv.patch
Patch1: stunnel-5.50-systemd-service.patch
Patch1: stunnel-5.61-systemd-service.patch
Patch3: stunnel-5.56-system-ciphers.patch
Patch4: stunnel-5.56-coverity.patch
Patch5: stunnel-5.56-default-tls-version.patch
Patch5: stunnel-5.61-default-tls-version.patch
Patch6: stunnel-5.56-curves-doc-update.patch
Patch7: stunnel-5.58-openssl30.patch
Patch7: stunnel-5.61-openssl30-fips.patch
Patch8: stunnel-5.62-disabled-curves.patch
# util-linux is needed for rename
BuildRequires: make
BuildRequires: gcc
@ -40,6 +41,7 @@ BuildRequires: /usr/bin/pod2man
BuildRequires: /usr/bin/pod2html
# build test requirements
BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
BuildRequires: python3 openssl
BuildRequires: systemd
%{?systemd_requires}
@ -57,13 +59,11 @@ conjunction with imapd to create a TLS secure IMAP server.
%patch4 -p1 -b .coverity
%patch5 -p1 -b .default-tls-version
%patch6 -p1 -b .curves-doc-update
%patch7 -p1 -b .openssl30
%patch7 -p1 -b .openssl30-fips
%patch8 -p1 -b .disabled-curves
# Fix the configure script output for FIPS mode and stack protector flag
sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure
# Fix a testcase with system-ciphers support
sed -i '/client = yes/a \\ ciphers = PSK' tests/recipes/014_PSK_secrets
# Fix the stack protector flag
sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
%build
#autoreconf -v
@ -100,15 +100,13 @@ cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service
%endif
%check
# For unknown reason the 042_inetd test fails in Koji. The failure is not reproducible
# in local build.
rm tests/recipes/042_inetd
# We override the security policy as it is too strict for the tests.
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
OPENSSL_CONF=
export OPENSSL_CONF
make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
if ! make test; then
for i in tests/logs/*.log; do
echo "$i":
cat "$i"
done
exit 1
fi
%files
%{!?_licensedir:%global license %%doc}
@ -130,6 +128,7 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
%{_unitdir}/%{name}*.service
%endif
%{_datadir}/bash-completion/completions/%{name}.bash
%post
/sbin/ldconfig
@ -143,6 +142,16 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
%systemd_postun_with_restart %{name}.service
%changelog
* Fri Feb 04 2022 Clemens Lang <cllang@redhat.com> - 5.62-2
- Fix stunnel in FIPS mode
Resolves: rhbz#2050617
- Fail build if tests fail
Resolves: rhbz#2051083
* Tue Jan 18 2022 Clemens Lang <cllang@redhat.com> - 5.62-1
- New upstream release 5.62
Resolves: rhbz#2039299
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 5.58-6
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688