New upstream release 5.71
Drop patches that are no longer needed, sync patches from Fedora. Backport spec file improvements from Fedora. Resolves: RHEL-2468 Signed-off-by: Clemens Lang <cllang@redhat.com>
parent
6e12981e3c
commit
6c91664a3d
2
.gitignore
vendored
@ -122,3 +122,5 @@ stunnel-4.33.tar.gz.asc
|
||||
/stunnel-5.61.tar.gz.asc
|
||||
/stunnel-5.62.tar.gz
|
||||
/stunnel-5.62.tar.gz.asc
|
||||
/stunnel-5.71.tar.gz
|
||||
/stunnel-5.71.tar.gz.asc
|
||||
|
125
pgp.asc
Normal file
@ -0,0 +1,125 @@
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQINBFTU6YwBEAC6PP7E4J6cRZQsJlFE+o3zdQYo7Mg2sVxDR6K9Cha52wn7P0t0
|
||||
hHUd0CSmWyfjmYUy3/7jYjgKe4oiGzeSCVK8b3TiX3ylHi/nW3mixwpDPwFmr5Cf
|
||||
ce55Ro3TdIeslRGigK8Hl+/l4n9c9z/AiTvcdAEQ34BJhERce4/KFx+/omiaxe7S
|
||||
fzzU/+52zy+v4FfnclgRQrzrD8sxNag6CQOaQ8lTMczNkBkDlhQTOPYkfNf76PUY
|
||||
kbWpcH7n9N50nddjEaLf7DPjOETc4OH/g5a99FSEJL7jyEgn+C8RX7RpbbAxCNlX
|
||||
1231NZoresLmxSulB6fRWLmhJ8pES3sRxE1IfwUfPpUZuTPzwXEFJY6StY5OCVy8
|
||||
rNFpkYlEePuVn74XkGbvv7dkkisq4Hp59zfIUaNVRod0Xk2rM8Rx8d5IK801Ywsn
|
||||
RyzCE02zt3N2O4IdXI1qQ1gMJNyaE/k2Qk8buh8BsKJzZca34WGocHOxz2O5s7FN
|
||||
Q1pLNpLmuHZIdyvYqcsenLz5EV8X2LztRmJ3Se4ag/XyXPYwS6lXX1YUGVxZpk0E
|
||||
sQDRdJvYCsGcUy253w+W7Nm/BtjKi6/PJmjEEU7ieHppR9Yp+LI3lyzNBeZAIVqk
|
||||
4Hco05l4GUKtEDFfOQ58sULDqJWmpH4T72DHeCpfRB0guaPa5TYY7B0umQARAQAB
|
||||
tC5NaWNoYcWCIFRyb2puYXJhIDxNaWNoYWwuVHJvam5hcmFAc3R1bm5lbC5vcmc+
|
||||
iQJSBBMBCAA8AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgBYhBKyRXqMGRdnT
|
||||
1Nrk/rEEiTLdOqqjBQJiemhbAhkBAAoJELEEiTLdOqqjH/YP/i5fQuvTvwSHZAwK
|
||||
JgSUijxD4z2jCtYvXIa7BPNiu8mnyupPAdoZE7BNehuvAc7kYj4dNmC/cY+CRcan
|
||||
OW05ByU/N+RObQYs6dkSLuyzOfqdnA2SZgcPreOZyLe/Yz9nSh5BVigSyiNY+clT
|
||||
JMfISdvfAxlxkVxyfJ293ePECZ7VKfzp18ntDBIY5yos4K0FXKpFVhhWHT9SlsQe
|
||||
tAKTOm6WdJx852y53TvZYzPEVznZhLSj//yYWG7TVQ47oSrsUW5pGaQybtYNIwGa
|
||||
sHGj0SFscYb8IBF4gOaTFPiwKJykmwfF0F7A6wO+oSs7By1o4fEoVr1y3UWO/ATx
|
||||
RF3GyX/6NHTu2OwTmtWozTKkd4agGPmQgn+ApueaBq7Tn9EA+5e83hRY8/c0xOvu
|
||||
XRHrB+PTp4HT3yPcVbGP6vRkpPsRIxtzzw+G1AdwIcMULg/J5qKilRyKLbN12cmc
|
||||
Jjtk6Ii7cskgj/3iYVRy/Xtw9Q2+9aMPPs1H4QklimDuR/KWCqyd61e1ct+Y4XGq
|
||||
HM93/GQuku1sGA6YsfUpDWv3rjwoGejyif3lyHjERaGh1BCYD6Olhe2QtCEuOvuA
|
||||
G2qPT0gZ1q33JVN3wNJfD6JreG7HubG0le+iwLoQTXa3qjhF8DeAgOC+yLKYv3iD
|
||||
ms49fpkKFScmRCmWU0C/2zqe0/GetCtNaWNoYcWCIFRyb2puYXJhIDxNaWNoYWwu
|
||||
VHJvam5hcmFAbWlydC5uZXQ+iQJPBBMBCAA5AhsDBgsJCAcDAgYVCAIJCgsEFgID
|
||||
AQIeAQIXgBYhBKyRXqMGRdnT1Nrk/rEEiTLdOqqjBQJiemhbAAoJELEEiTLdOqqj
|
||||
k5UP/1G8u1Hpr0Ie4YXn1ru1hQaauEqTXGfgcsSuuqvS4GCgY93+Q0jv0YV1Owxs
|
||||
pJWmN3aYKtsj86EAEkOcz23HkhwwvTKkhrZWCATQzhpGZfFWECPm+CycNksc+pkq
|
||||
eykg5RN00DecGpG5x0p2twrRI4j+K4OKSGJvx8vjxBMGoGAoHtBl73nhwuY9CsqL
|
||||
CnCn3lohv03GPvvlO6dhOordBI4U50ky5ZZsQ/qMD7vAGFktbJMyhYJ96ASdVqfG
|
||||
L0DTQ6E1QwS4PQlyEt6PBCtt6T3kU7i9mYy+TQtI+wH3r2hx+UEQaC+9hzY4FZwH
|
||||
xOdH7zumOthMu/uBGK2uMkj7mVpHEGU/69EvROYzf0HtN2vs2yCMirtrlbfQ0bez
|
||||
YyXiTd8+ka0vTWM2rE6rav5RIRDmD7U3u4fPwnpSRTDxCHJglIisymLd01W0Qh8l
|
||||
qCyHOOsRHu2k3RfdILd+F26Ii31073kAaga5iDlKrPyVV38upLIPy/G9QJ8rdYBR
|
||||
EvF0VaYQW+rwsInE8mYfWgcwKT3ZeWop0dD7NFurbHZxfTkL1QCEo+EurrFxBLCm
|
||||
qfPEbQwoMwS5hCAcGRjXDpt0ZZe55VdLXaW9E/GINHPVoM+dMqmmYxEOCvuOez4c
|
||||
MMmt6a5kFPPtWo2o7dcBpDG7ZX3UkUGVAmQuSENIY3yXqYcXtC9NaWNoYcWCIFRy
|
||||
b2puYXJhIDxNaWNoYWwuVHJvam5hcmFAbW9iaS1jb20ubmV0PokCTwQTAQgAOQIb
|
||||
AwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQSskV6jBkXZ09Ta5P6xBIky3Tqq
|
||||
owUCYnpoUQAKCRCxBIky3Tqqo7cBD/sFjmAnOyuEvlVKXEihLmABFBeWjKiGaR4U
|
||||
0+V8ZPvBEzHVQ5e2ywqa68xgFK66JlapnZlAeOoUZYc/uj0xzNwzS4sdnc/ejWn+
|
||||
B0gM9ZLYs1BeYib2k4Bf0c8ccjjCX5r8+Uio8aCB4hSyckmyD+svfmnrzyMEEAZN
|
||||
d+0uiwmmHNEDHqIg76xo7DO+DvV2+sEkLEtdKCfTws94qEWQHGHYwpcbDngSamVZ
|
||||
zML48L4liQX0l7Dz8j09Tf1EYg2DRSvn4s2bzyrFIsnz6yrlf8K0hCYkaTLKnCSx
|
||||
Bj7ESXj/bOQY4fBAHNy2gRXq3ELgdliCQHeT+9TD5JI58rWQBY48QGF7CAxMcC3H
|
||||
3nI/Zq/DSaakOVwianqY2VJDFAYXogmEOR/kWE3lPerp6qum+n4WcDiteQXJMHmV
|
||||
t/JYAZ3zbOhmu9F2NI7Ce4uZe8rQ0PG5Jgb5wE76i9zrCwFACPKhJVim4kWIOPf8
|
||||
eT1LCC4adpyeUMrH342CVb2xpS+gQ89V7sTt9uFPp9wTl5QvsD3uTWKzGkRV9s7b
|
||||
rnFuJYGDRM/EN0nFZF8D0RbrwYNK5KXSZ0VOTrud9ZcEsJQeISqLX4QBMrSl/Nst
|
||||
r9MTUuBf6N3b5zDRmHJQ6+myyE/8cgHwEsmOIJCSEcQjkYsUruQhuW2Et1EZtrcb
|
||||
/KHFRhRjP7RATWljaGHFgiBUcm9qbmFyYSAoYXV4aWxpYXJ5IGFkZHJlc3MpIDxN
|
||||
aWNoYWwuVHJvam5hcmFAZ21haWwuY29tPokCTgQTAQgAOAIbAwULCQgHAgYVCgkI
|
||||
CwIEFgIDAQIeAQIXgBYhBKyRXqMGRdnT1Nrk/rEEiTLdOqqjBQJiemhDAAoJELEE
|
||||
iTLdOqqjWfkQALjs436L79R26iQc8aWu3IWAZ8FOv8VqbTcGH3fQ16DcJ+OaBQkl
|
||||
qHTWsbs9Bhq49lU6WiZLIJWTp8bl6fdC5XbJYFYW7fMBSyUFpSqQFACY6EF3vdDS
|
||||
bcVcT6aModzq1mG9CFuU5wt0GrZOy4v0pXvJK0Y+CzY3Rm/Nev0Ou3HUFWgsOpHZ
|
||||
jnCCkNyQ1C1jJ9mDid55dID8byLvkmS8Z3pVhFQ3Ko9gZv47GeeNjG26rbNmsVwZ
|
||||
Ki7c9iJM/RbCgr+LVElFVtFyJP2WUxHjl2RbrJIJB9YUNY1N7z0tDnqN1FCPbFkj
|
||||
zkMuuj0yPp9CqGZge+A5tT5NfytGYPMSOD9up4SXVr+ejOtUL5riW3LsnewjTJuM
|
||||
f2qP1h52FAduB9SfGTf0XlLlKJkjkw3Q9WmrOndJcEsKRGarfcWFPMOml3xmcoAM
|
||||
9jU0H9P1ZAHlKON0eL1vKBgS5XL0s4pVvwsYZ+dfDcNU+bUCrTRLc0uccsIzDrio
|
||||
bbaz7VtUzEsWqPozW6CTozDWDSfKRuWuB2vAYfqKJN8ZAkvOu00ZKwT/DiCpLQ6e
|
||||
GQ8tcAvum9Sd9jydwqs89UNhKNkovwMwALjLITaZ72ILgYo3Mo57fT6MpVspxJ23
|
||||
+6RP8+MAM+HhJYfODuGvNHR3n5aO0WnwM8YoH14hjHUKtr7z83iivhSOuQINBFTU
|
||||
68MBEADyAgLrjV0rpqn1bUrcSSpGfTPrOLN1Uav+O9/zEVd5Sr5q7GLFnS0Rjo0z
|
||||
kIFLJrkEIr0gZVaYk1trPJZRriWUDoS+ZTFxN4YTumlADgqXVvO9Srm6mj7z7RW6
|
||||
q8sL9tXPQNScVJYlgcBms9n7I7TIyry9oZOjmTAqLFDg2L437USIAspl7HWDpRb1
|
||||
3QcBxgRr+VNaHPcnRXXLJjhWi/fSC2ijrsqRIL9KzBnMhHTQJAavPe3CUa4HvdKb
|
||||
Vh+oOptjx1Asl7JTSi8h5T3lUjlxAXoPUfxh1oxZCboy1UB8hflYygf56rgCeT2G
|
||||
KVF4YA2QhY1KozbUOt27dytsYhiJk8Rp0p8bHCq7C9ENMSAPiCOoy8R3EDZbqzhZ
|
||||
HfpLAyR460RKPbUyJHZgNxsjMhtSH2nQ/wNka9BxWHjmMKB05wvm2H1HTvqelcef
|
||||
wUh7Yh8BmdfU6emwqf9ionTA0WEZhbFX/JkDXQ1sUoVeEPUUaqs7PqVKqaoPPTS1
|
||||
eh8XjfZp77s/NM/2fhyKPiTRJgbWX8tOGc5gvdI1QIbesIBJ5aheaHEJhEaLRfDc
|
||||
gmtylU2Y1AP5IstONUH3gCUONKXHWrRX73KaEYeLnXCwFJqMzAN7FpIj9YzXL2VE
|
||||
7CXt54APjV88CvNOV4CpPz1qRYt69MEta+Pn2aS729kBbbr/VQARAQABiQIfBBgB
|
||||
AgAJBQJU1OvDAhsMAAoJELEEiTLdOqqjY0IQAIcnt7SXw2FLiyV/N6PUABc7AvXA
|
||||
N7Gfq2GmB7EDKpkshqJuqEjJuFKjUs4vU1j/nnK2xxs5Avs2WJEBdU3oX2Vx6v6r
|
||||
PEvkmDHNRTp2vJqk1lizTq7fB+vxm1Ju8gA43/Dz22b20fGg1QhhllRlE4UFbp+f
|
||||
xGSFuhCzSEkXFZ9aCE7GFLRNcnz8xnhhx8PL4TDosgDKbcDVdj777ZUwQeopzKFT
|
||||
3lbmyoCx87kyRFZrQT0lNLZ1ZO141NY+ifLAkZf+ZJVUxmA5kXqjfZVv0tOcHrvp
|
||||
hBo+IyW7aqD69GREz/PIaO8/HuGKV/rwJbFlwgeyV+nmAlXpG+2Ur6a4S8iRKY1j
|
||||
KLyFCnVjkLq5Zv0la3/0hIn5fP6f7mcAcRTNb8t4QPKGNWVL286gADLXyvjuZDJv
|
||||
MnarbM4ej3OXd8o4nZLhIUEoYe4iE87EbYKu6HE31Tn5HBMOooQJ64JlE4xhAvOW
|
||||
Yg/a8z824VWFCbyI2FtO8R6eHiZYPgi44cmSq/MorMBeWWiy5QrgHSRuWHgZo5WY
|
||||
SNpcbDzvz2s6VDMPnnrpKAo8M1S2ibn94hzLr9RgGgV3uUuW0hVJIIDVVQxTgxYm
|
||||
CPBr2CTozGg17x1wnX3uhAx+Fk2MnzRLkL5rZqXjCtHa8v/eFeHLYzaQbvdEtLPE
|
||||
SJWgmwb6FvM218hruQINBFTU7lkBEADWkatDVXdgxcXcPPC8D+5Zv3XanCpS8wAA
|
||||
q9gIOIQsg4/Ttzfb7PTg39s5eOJnYlvwC4gKPi/3a1cDKC1/XzPHChTwA5eK5Jw/
|
||||
fDLVmmsHDyTvV03LReYRduJfu2Quh7Q7NaUJo1NqNJdMQtP6dgdM6QGysLhP7LsD
|
||||
Bi55AlhRpGQlH/lNzrxSdFI7b3mmAl3sShZYCTLdt0f5Mo3QyxqAInBr5GtcUa0g
|
||||
qNTRcAqx11PFArHZJQYXRBV01n/XgO6jvdu2he0eAHSjF7CeyImnlcpZibntFI0u
|
||||
/UsqvbqJJS1QzUIAhkAu4YwDJBdUSjs6bO5mY3TJFgzsVKekbisgOcPFiENNpr7F
|
||||
ZvvfxXy4tANkBWcC4ESGrVFAQOtEz9ctuJu9UHOl34kj1ad40SnR6GrmwQLoVspj
|
||||
PQepWTZIfUOlvS2Cu3HPdzus+zu9F2YUzFO5hy1LO6o0ekpf4LquDIBbazEQoPTK
|
||||
zw5gRreG+tAVIDOcz+Pdfx2B7UOuIchB38O3j4sx09yxCTe+3LuljFkgNFr2GXue
|
||||
Bp6xBJn/s9X9yPtTuqJ5OvW6U7UZzkZzJLYe7g/3XT0dfW0ERC8Yelup70tzZ3RU
|
||||
qAdWMb28MusTWH+pcpuafQsXVhHh2Noz6xgJ9g475bNkpQAI90yrcuJ3/ehDvWnp
|
||||
42C7qVByAQARAQABiQQ+BBgBAgAJBQJU1O5ZAhsCAikJELEEiTLdOqqjwV0gBBkB
|
||||
AgAGBQJU1O5ZAAoJEC78f/DUFuAU3HoQAJHsIoHcy/aU1pFGtpVHCM2u6bI4Oqyd
|
||||
f+h7eVp3TiIIFv0nEbI3JMYXSzq16hqhxfEh5nnRsXsa5hyd6kwameIwKQTbKaUz
|
||||
qu4U01NRgLTYWyujApBugLtLkM3aXuVvieWDINfuc6U4yaFNzcP9Cx24zJL0fmSM
|
||||
UUq3Mtg7BERX9Ecj/BBTJPLN7yqz8HGlPf8exIm4ZnJstJ39+Z4zjfGCFx18OApN
|
||||
oaQWSGFbtRaC06FC1jGvRUPgcTDgL6czKSyooAgUwGMkCq2y5Z5KBq9WttTwqvOV
|
||||
wkUdKui9ns+LSYoxgcaiY+y1lxnHCvXm3cGEO+iAxJGxxTWYtSKAsQaJbE9XG1CW
|
||||
YdNl8yezgLLThLuMrgaLHQ83heL/2s5wsUJvnN11wtWuqK5P523879M8pQodO8sv
|
||||
WAXgOXKlu7xNBa07vENI/LvBJ09ZQ3kYGOzFtl9WVam+9UyYZS7KAiXQuSsksobG
|
||||
TfoCc2kQ+qxD171GyC7l0/2UY/PeKDETen5SWFajl6ompnAB8QVv7Q9DMpJDrMgV
|
||||
AB/nR5Ij+lZ/5en1c5Pjt3jLxpbMcDtP+Nr21vJ356DvVk6o4W1U/zMVa+Y+eiiz
|
||||
GsFHuor9EFjn89cqF8bXTIRhdKNNqnh2azLjfSXwxy6qjnmKLGBPm/Fl9N7IWNOM
|
||||
eaO4cPWtNN+leTgP/0Yj1wh+tZzOGttY3wGg/roiYxelWFnMO3pLm710dI0l2qK8
|
||||
PMKSS1v+mxcgu++7eouZvWcluw3M30Ymbouh27MInhKpqh2OEyQ2L9Nz3l3HSfZw
|
||||
I/ZGH+O/OjvOupA7T1zxq3+kUSIXwuBSVzlBoH8Y2FcGomiDbI7NQ8YqrQ4zL/C2
|
||||
1bjZMJ7tX4nx+efXrF8aGdXCaJZFBqp0KIUNjYiI4eGdHB8lUA2t11+5T8Any9jx
|
||||
dfOvEjthkvjdXnfRaJyHVUHTRcsVTxqPTwWyN0W9HvsADEVT4J3qwfrKrqOxFeml
|
||||
DQE47XlpH7CikS+0rAN1G7dNrB4LVcwstDhe431CXRswfR3rbq4wbbNR9kY7WM1M
|
||||
5LixSESomwiZuwv+GA0Mpi9+jTBIc9aZCj2ePDtobwx7Lvsjd8vUQuP9N9rzqeM+
|
||||
kn+2YUwtX2e1YAJxb9ze2iN1w/bvytPD/jOT5KvZm/7ds/XKMl3TPgHeBhjPYFRh
|
||||
NTt3KIDjUqCThl9XWfY1QDFAljO8QgBlwwRYDes5Nv4CNwFVdfz0aTQETKRWYD0b
|
||||
zTy1uYj7gNR3Zz/53XF659vjdMY6LAqrBj46z2J7LcVuyehi7Mo+x3ksHIkUS51s
|
||||
wHXnaH3m783KxozQCML7I+2WlItQhoNRbvlUCVAo9aPUCDm5WlzZJwwSN69B
|
||||
=EgcU
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
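Review bot: Nothing visible in this commit records the fingerprint or the origin of the key added as pgp.asc, so a later reader cannot tell whether it was authenticated out of band or simply downloaded from the same place as the tarball it is meant to vouch for. The `sources` entry pins the `.asc` signature by SHA512, but that only fixes the bytes that were uploaded; trust in the release rests on this key being the upstream maintainer's. I would state it in the commit message or in a comment beside the spec's key source line, e.g. `# Upstream signing key: fingerprint <FINGERPRINT>, obtained from <URL>, cross-checked against <INDEPENDENT-SOURCE>`. The spec file is not part of this view, so whether the build actually verifies the tarball against this keyring (for example with `%{gpgverify}` in `%prep`) could not be confirmed and is worth checking.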
4
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (stunnel-5.62.tar.gz) = 4ce03faa27e417b49fbdf0fbac91befb2c05ce64694b4b6fd2fc482031ee4a229299627133a47ff3efdfdffce751e1300d95d0a8ac1f1858c7c96f0b067170de
|
||||
SHA512 (stunnel-5.62.tar.gz.asc) = 983b41100e7ef6dba5a9b7e7cd64e50b1f6860a6bf18ca393e14d65680bfed951475e6f7f4ec9e8da036aaa86e0668f65e3df7025220eda7315de4d110a24ac5
|
||||
SHA512 (stunnel-5.71.tar.gz) = c7004f48b93b3415305eec1193d51b7bf51a3bdd2cdc9f6ae588f563b32408b1ecde83b9f3f5b658f945ab5bcc5124390c38235394aad4471bf5b666081af2a2
|
||||
SHA512 (stunnel-5.71.tar.gz.asc) = 513cd7bc9b46e92451ae1d48eb8dc7e64374c820cf8a3d86fcd04d365d673e632234af17880501ddc2e62e4d15e592e90ff308e47436b487b01160f905753ebc
|
||||
|
@ -1,43 +1,62 @@
|
||||
diff -up stunnel-5.50/doc/stunnel.8.in.authpriv stunnel-5.50/doc/stunnel.8.in
|
||||
--- stunnel-5.50/doc/stunnel.8.in.authpriv 2018-12-02 23:47:20.000000000 +0100
|
||||
+++ stunnel-5.50/doc/stunnel.8.in 2019-01-14 12:15:05.135100163 +0100
|
||||
@@ -200,7 +200,7 @@ info (6), or debug (7). All logs for th
|
||||
all levels numerically less than it will be shown. Use \fIdebug = debug\fR or
|
||||
\&\fIdebug = 7\fR for greatest debugging output. The default is notice (5).
|
||||
From cfbf803dd3338a915f41bdfded69b34e7f21403d Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
||||
Subject: [PATCH 1/7] Apply patch stunnel-5.50-authpriv.patch
|
||||
|
||||
Patch-name: stunnel-5.50-authpriv.patch
|
||||
Patch-id: 0
|
||||
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
||||
---
|
||||
doc/stunnel.8.in | 2 +-
|
||||
doc/stunnel.html.in | 2 +-
|
||||
doc/stunnel.pod.in | 2 +-
|
||||
src/options.c | 4 ++++
|
||||
4 files changed, 7 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in
|
||||
index 8cd8bc0..b5d7d75 100644
|
||||
--- a/doc/stunnel.8.in
|
||||
+++ b/doc/stunnel.8.in
|
||||
@@ -209,7 +209,7 @@ requested to do so by an stunnel developer, or when you intend to get confused.
|
||||
.Sp
|
||||
-The syslog facility 'daemon' will be used unless a facility name is supplied.
|
||||
+The syslog facility 'authpriv' will be used unless a facility name is supplied.
|
||||
The default logging level is notice (5).
|
||||
.Sp
|
||||
-The syslog 'daemon' facility will be used unless a facility name is supplied.
|
||||
+The syslog 'authpriv' facility will be used unless a facility name is supplied.
|
||||
(Facilities are not supported on Win32.)
|
||||
.Sp
|
||||
Case is ignored for both facilities and levels.
|
||||
diff -up stunnel-5.50/doc/stunnel.html.in.authpriv stunnel-5.50/doc/stunnel.html.in
|
||||
--- stunnel-5.50/doc/stunnel.html.in.authpriv 2018-12-02 23:47:21.000000000 +0100
|
||||
+++ stunnel-5.50/doc/stunnel.html.in 2019-01-14 12:15:05.136100146 +0100
|
||||
@@ -244,7 +244,7 @@
|
||||
diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in
|
||||
index a7931aa..cda5993 100644
|
||||
--- a/doc/stunnel.html.in
|
||||
+++ b/doc/stunnel.html.in
|
||||
@@ -248,7 +248,7 @@
|
||||
|
||||
<p>Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use <i>debug = debug</i> or <i>debug = 7</i> for greatest debugging output. The default is notice (5).</p>
|
||||
<p>The default logging level is notice (5).</p>
|
||||
|
||||
-<p>The syslog facility 'daemon' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
|
||||
+<p>The syslog facility 'authpriv' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
|
||||
-<p>The syslog 'daemon' facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
|
||||
+<p>The syslog 'authpriv' facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
|
||||
|
||||
<p>Case is ignored for both facilities and levels.</p>
|
||||
|
||||
diff -up stunnel-5.50/doc/stunnel.pod.in.authpriv stunnel-5.50/doc/stunnel.pod.in
|
||||
--- stunnel-5.50/doc/stunnel.pod.in.authpriv 2018-12-02 23:47:18.000000000 +0100
|
||||
+++ stunnel-5.50/doc/stunnel.pod.in 2019-01-14 12:15:05.136100146 +0100
|
||||
@@ -192,7 +192,7 @@ info (6), or debug (7). All logs for th
|
||||
all levels numerically less than it will be shown. Use I<debug = debug> or
|
||||
I<debug = 7> for greatest debugging output. The default is notice (5).
|
||||
diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in
|
||||
index a54b25d..f830cf3 100644
|
||||
--- a/doc/stunnel.pod.in
|
||||
+++ b/doc/stunnel.pod.in
|
||||
@@ -197,7 +197,7 @@ requested to do so by an stunnel developer, or when you intend to get confused.
|
||||
|
||||
-The syslog facility 'daemon' will be used unless a facility name is supplied.
|
||||
+The syslog facility 'authpriv' will be used unless a facility name is supplied.
|
||||
The default logging level is notice (5).
|
||||
|
||||
-The syslog 'daemon' facility will be used unless a facility name is supplied.
|
||||
+The syslog 'authpriv' facility will be used unless a facility name is supplied.
|
||||
(Facilities are not supported on Win32.)
|
||||
|
||||
Case is ignored for both facilities and levels.
|
||||
diff -up stunnel-5.50/src/options.c.authpriv stunnel-5.50/src/options.c
|
||||
--- stunnel-5.50/src/options.c.authpriv 2019-01-14 12:15:05.136100146 +0100
|
||||
+++ stunnel-5.50/src/options.c 2019-01-14 12:16:25.537727511 +0100
|
||||
@@ -1745,8 +1745,12 @@ NOEXPORT char *parse_service_option(CMD
|
||||
diff --git a/src/options.c b/src/options.c
|
||||
index 5f8ad8b..6e4a18b 100644
|
||||
--- a/src/options.c
|
||||
+++ b/src/options.c
|
||||
@@ -1960,7 +1960,11 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
||||
case CMD_SET_DEFAULTS:
|
||||
section->log_level=LOG_NOTICE;
|
||||
#if !defined (USE_WIN32) && !defined (__vms)
|
||||
@ -45,8 +64,10 @@ diff -up stunnel-5.50/src/options.c.authpriv stunnel-5.50/src/options.c
|
||||
+ new_global_options.log_facility=LOG_AUTHPRIV;
|
||||
+#else
|
||||
new_global_options.log_facility=LOG_DAEMON;
|
||||
#endif
|
||||
+#endif
|
||||
#endif
|
||||
break;
|
||||
case CMD_SET_COPY:
|
||||
section->log_level=new_service_options.log_level;
|
||||
--
|
||||
2.39.2
|
||||
|
||||
|
@ -1,22 +0,0 @@
|
||||
diff -up stunnel-5.48/src/str.c.coverity stunnel-5.48/src/str.c
|
||||
--- stunnel-5.48/src/str.c.coverity 2018-07-02 23:30:10.000000000 +0200
|
||||
+++ stunnel-5.48/src/str.c 2018-09-04 17:24:08.949928906 +0200
|
||||
@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va
|
||||
for(;;) {
|
||||
va_copy(ap, start_ap);
|
||||
n=vsnprintf(p, size, format, ap);
|
||||
+ va_end(ap);
|
||||
if(n>-1 && n<(int)size)
|
||||
return p;
|
||||
if(n>-1) /* glibc 2.1 */
|
||||
diff -up stunnel-5.48/src/stunnel.c.coverity stunnel-5.48/src/stunnel.c
|
||||
--- stunnel-5.48/src/stunnel.c.coverity 2018-07-02 23:30:10.000000000 +0200
|
||||
+++ stunnel-5.48/src/stunnel.c 2018-09-04 17:24:08.949928906 +0200
|
||||
@@ -364,7 +364,6 @@ NOEXPORT int accept_connection(SERVICE_O
|
||||
#endif
|
||||
if(create_client(fd, s, alloc_client_session(opt, s, s))) {
|
||||
s_log(LOG_ERR, "Connection rejected: create_client failed");
|
||||
- closesocket(s);
|
||||
#ifndef USE_FORK
|
||||
service_free(opt);
|
||||
#endif
|
@ -1,6 +1,25 @@
|
||||
--- stunnel-5.56/doc/stunnel.8.in.curves-doc-update 2020-04-16 17:12:48.171590017 +0200
|
||||
+++ stunnel-5.56/doc/stunnel.8.in 2020-04-16 17:16:07.001603122 +0200
|
||||
@@ -473,6 +473,8 @@ This file contains multiple CRLs, used w
|
||||
From e951a8a7edc87dbd608043f8aab67ef12979e3ca Mon Sep 17 00:00:00 2001
|
||||
From: Sahana Prasad <sahana@redhat.com>
|
||||
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
||||
Subject: [PATCH 6/8] Apply patch stunnel-5.56-curves-doc-update.patch
|
||||
|
||||
Patch-name: stunnel-5.56-curves-doc-update.patch
|
||||
Patch-id: 6
|
||||
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
||||
---
|
||||
doc/stunnel.8.in | 2 ++
|
||||
doc/stunnel.html.in | 2 ++
|
||||
doc/stunnel.pl.8.in | 2 ++
|
||||
doc/stunnel.pl.html.in | 2 ++
|
||||
doc/stunnel.pl.pod.in | 2 ++
|
||||
doc/stunnel.pod.in | 2 ++
|
||||
6 files changed, 12 insertions(+)
|
||||
|
||||
diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in
|
||||
index a56f0b7..977a1a4 100644
|
||||
--- a/doc/stunnel.8.in
|
||||
+++ b/doc/stunnel.8.in
|
||||
@@ -475,6 +475,8 @@ This file contains multiple CRLs, used with the \fIverifyChain\fR and
|
||||
.IX Item "curves = list"
|
||||
\&\s-1ECDH\s0 curves separated with ':'
|
||||
.Sp
|
||||
@ -9,9 +28,11 @@
|
||||
Only a single curve name is allowed for OpenSSL older than 1.1.1.
|
||||
.Sp
|
||||
To get a list of supported curves use:
|
||||
--- stunnel-5.56/doc/stunnel.html.in.curves-doc-update 2020-04-16 17:13:25.664962696 +0200
|
||||
+++ stunnel-5.56/doc/stunnel.html.in 2020-04-16 17:16:55.897111302 +0200
|
||||
@@ -568,6 +568,8 @@
|
||||
diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in
|
||||
index 608afa9..cecc81a 100644
|
||||
--- a/doc/stunnel.html.in
|
||||
+++ b/doc/stunnel.html.in
|
||||
@@ -570,6 +570,8 @@
|
||||
|
||||
<p>ECDH curves separated with ':'</p>
|
||||
|
||||
@ -20,42 +41,11 @@
|
||||
<p>Only a single curve name is allowed for OpenSSL older than 1.1.1.</p>
|
||||
|
||||
<p>To get a list of supported curves use:</p>
|
||||
--- stunnel-5.56/doc/stunnel.pod.in.curves-doc-update 2020-04-16 17:13:43.412139122 +0200
|
||||
+++ stunnel-5.56/doc/stunnel.pod.in 2020-04-16 17:17:25.414418073 +0200
|
||||
@@ -499,6 +499,8 @@ I<verifyPeer> options.
|
||||
|
||||
ECDH curves separated with ':'
|
||||
|
||||
+Note: This option is supported for server mode sockets only.
|
||||
+
|
||||
Only a single curve name is allowed for OpenSSL older than 1.1.1.
|
||||
|
||||
To get a list of supported curves use:
|
||||
--- stunnel-5.56/doc/stunnel.pl.pod.in.curves-doc-update 2020-04-16 17:25:22.631934496 +0200
|
||||
+++ stunnel-5.56/doc/stunnel.pl.pod.in 2020-04-16 17:47:46.872353210 +0200
|
||||
@@ -507,6 +507,8 @@ przez opcje I<verifyChain> i I<verifyPee
|
||||
|
||||
krzywe ECDH odddzielone ':'
|
||||
|
||||
+Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.
|
||||
+
|
||||
Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.
|
||||
|
||||
Listę dostępnych krzywych można uzyskać poleceniem:
|
||||
--- stunnel-5.56/doc/stunnel.pl.html.in.curves-doc-update 2020-04-16 17:24:46.857579674 +0200
|
||||
+++ stunnel-5.56/doc/stunnel.pl.html.in 2020-04-16 17:46:13.385404626 +0200
|
||||
@@ -564,6 +564,8 @@
|
||||
|
||||
<p>krzywe ECDH odddzielone ':'</p>
|
||||
|
||||
+<p>Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.</p>
|
||||
+
|
||||
<p>Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.</p>
|
||||
|
||||
<p>Listę dostępnych krzywych można uzyskać poleceniem:</p>
|
||||
--- stunnel-5.56/doc/stunnel.pl.8.in.curves-doc-update 2020-04-16 17:24:25.665369474 +0200
|
||||
+++ stunnel-5.56/doc/stunnel.pl.8.in 2020-04-16 17:45:14.141792786 +0200
|
||||
@@ -483,6 +483,8 @@ przez opcje \fIverifyChain\fR i \fIverif
|
||||
diff --git a/doc/stunnel.pl.8.in b/doc/stunnel.pl.8.in
|
||||
index e2e6622..eae88f8 100644
|
||||
--- a/doc/stunnel.pl.8.in
|
||||
+++ b/doc/stunnel.pl.8.in
|
||||
@@ -492,6 +492,8 @@ przez opcje \fIverifyChain\fR i \fIverifyPeer\fR.
|
||||
.IX Item "curves = lista"
|
||||
krzywe \s-1ECDH\s0 odddzielone ':'
|
||||
.Sp
|
||||
@ -64,3 +54,45 @@
|
||||
Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.
|
||||
.Sp
|
||||
Listę dostępnych krzywych można uzyskać poleceniem:
|
||||
diff --git a/doc/stunnel.pl.html.in b/doc/stunnel.pl.html.in
|
||||
index 7be87f1..7fd7a7c 100644
|
||||
--- a/doc/stunnel.pl.html.in
|
||||
+++ b/doc/stunnel.pl.html.in
|
||||
@@ -568,6 +568,8 @@
|
||||
|
||||
<p>krzywe ECDH odddzielone ':'</p>
|
||||
|
||||
+<p>Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.</p>
|
||||
+
|
||||
<p>Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.</p>
|
||||
|
||||
<p>Listę dostępnych krzywych można uzyskać poleceniem:</p>
|
||||
diff --git a/doc/stunnel.pl.pod.in b/doc/stunnel.pl.pod.in
|
||||
index dc6b255..712f751 100644
|
||||
--- a/doc/stunnel.pl.pod.in
|
||||
+++ b/doc/stunnel.pl.pod.in
|
||||
@@ -516,6 +516,8 @@ przez opcje I<verifyChain> i I<verifyPeer>.
|
||||
|
||||
krzywe ECDH odddzielone ':'
|
||||
|
||||
+Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.
|
||||
+
|
||||
Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.
|
||||
|
||||
Listę dostępnych krzywych można uzyskać poleceniem:
|
||||
diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in
|
||||
index 840c708..85cc199 100644
|
||||
--- a/doc/stunnel.pod.in
|
||||
+++ b/doc/stunnel.pod.in
|
||||
@@ -501,6 +501,8 @@ I<verifyPeer> options.
|
||||
|
||||
ECDH curves separated with ':'
|
||||
|
||||
+Note: This option is supported for server mode sockets only.
|
||||
+
|
||||
Only a single curve name is allowed for OpenSSL older than 1.1.1.
|
||||
|
||||
To get a list of supported curves use:
|
||||
--
|
||||
2.37.3
|
||||
|
||||
|
@ -1,12 +0,0 @@
|
||||
diff -up stunnel-5.55/src/options.c.system-ciphers stunnel-5.55/src/options.c
|
||||
--- stunnel-5.55/src/options.c.system-ciphers 2019-09-19 14:43:00.631059024 +0200
|
||||
+++ stunnel-5.55/src/options.c 2019-09-19 14:51:02.120053849 +0200
|
||||
@@ -277,7 +277,7 @@ static char *option_not_found=
|
||||
"Specified option name is not valid here";
|
||||
|
||||
static char *stunnel_cipher_list=
|
||||
- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
|
||||
+ "PROFILE=SYSTEM";
|
||||
|
||||
#ifndef OPENSSL_NO_TLS1_3
|
||||
static char *stunnel_ciphersuites=
|
@ -1,19 +0,0 @@
|
||||
tests: Adapt to OpenSSL 3.x FIPS mode
|
||||
|
||||
In OpenSSL 3.0 with FIPS enabled, this test no longer fails with
|
||||
a human-readable error message (such as "no ciphers available"), but
|
||||
instead causes an internal error. Extend the success regex list to also
|
||||
accept this result.
|
||||
diff -up stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 stunnel-5.61/tests/plugins/p11_fips_cipher.py
|
||||
--- stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 2022-01-12 15:15:03.211690650 +0100
|
||||
+++ stunnel-5.61/tests/plugins/p11_fips_cipher.py 2022-01-12 15:15:20.937008173 +0100
|
||||
@@ -91,7 +91,8 @@ class FailureCiphersuitesFIPS(StunnelTes
|
||||
self.events.count = 1
|
||||
self.events.success = [
|
||||
"disabled for FIPS",
|
||||
- "no ciphers available"
|
||||
+ "no ciphers available",
|
||||
+ "TLS alert \\(write\\): fatal: internal error"
|
||||
]
|
||||
self.events.failure = [
|
||||
"peer did not return a certificate",
|
@ -1,7 +1,20 @@
|
||||
diff -up stunnel-5.61/tools/stunnel.service.in.systemd-service stunnel-5.61/tools/stunnel.service.in
|
||||
--- stunnel-5.61/tools/stunnel.service.in.systemd-service 2022-01-12 14:48:32.474150329 +0100
|
||||
+++ stunnel-5.61/tools/stunnel.service.in 2022-01-12 14:50:15.253984639 +0100
|
||||
@@ -6,6 +6,7 @@ After=syslog.target network-online.targe
|
||||
From 6cb73d824ac204f5680e469b0474855aaa6b8ddc Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
||||
Subject: [PATCH 2/8] Apply patch stunnel-5.61-systemd-service.patch
|
||||
|
||||
Patch-name: stunnel-5.61-systemd-service.patch
|
||||
Patch-id: 1
|
||||
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
||||
---
|
||||
tools/stunnel.service.in | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/tools/stunnel.service.in b/tools/stunnel.service.in
|
||||
index fa98996..0c5a216 100644
|
||||
--- a/tools/stunnel.service.in
|
||||
+++ b/tools/stunnel.service.in
|
||||
@@ -6,6 +6,7 @@ After=syslog.target network-online.target
|
||||
ExecStart=@bindir@/stunnel
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
Type=forking
|
||||
@ -9,3 +22,6 @@ diff -up stunnel-5.61/tools/stunnel.service.in.systemd-service stunnel-5.61/tool
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
--
|
||||
2.37.3
|
||||
|
||||
|
@ -1,57 +0,0 @@
|
||||
Limit curves defaults in FIPS mode
|
||||
|
||||
Our copy of OpenSSL disables the X25519 and X448 curves in FIPS mode,
|
||||
but stunnel defaults to enabling them and then fails to do so.
|
||||
|
||||
Upstream-Status: Inappropriate [caused by a downstream patch to openssl]
|
||||
diff -up stunnel-5.62/src/options.c.disabled-curves stunnel-5.62/src/options.c
|
||||
--- stunnel-5.62/src/options.c.disabled-curves 2022-02-04 13:46:45.936884124 +0100
|
||||
+++ stunnel-5.62/src/options.c 2022-02-04 13:53:16.346725153 +0100
|
||||
@@ -40,8 +40,10 @@
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
|
||||
#define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
|
||||
+#define DEFAULT_CURVES_FIPS "P-256:P-521:P-384"
|
||||
#else /* OpenSSL version < 1.1.1 */
|
||||
#define DEFAULT_CURVES "prime256v1"
|
||||
+#define DEFAULT_CURVES_FIPS "prime256v1"
|
||||
#endif /* OpenSSL version >= 1.1.1 */
|
||||
|
||||
#if defined(_WIN32_WCE) && !defined(CONFDIR)
|
||||
@@ -1855,7 +1857,7 @@ NOEXPORT char *parse_service_option(CMD
|
||||
/* curves */
|
||||
switch(cmd) {
|
||||
case CMD_SET_DEFAULTS:
|
||||
- section->curves=str_dup_detached(DEFAULT_CURVES);
|
||||
+ section->curves = NULL;
|
||||
break;
|
||||
case CMD_SET_COPY:
|
||||
section->curves=str_dup_detached(new_service_options.curves);
|
||||
@@ -1870,9 +1872,26 @@ NOEXPORT char *parse_service_option(CMD
|
||||
section->curves=str_dup_detached(arg);
|
||||
return NULL; /* OK */
|
||||
case CMD_INITIALIZE:
|
||||
+ if(!section->curves) {
|
||||
+ /* this is only executed for global options, because
|
||||
+ * section->curves is no longer NULL in sections */
|
||||
+#ifdef USE_FIPS
|
||||
+ if(new_global_options.option.fips)
|
||||
+ section->curves=str_dup_detached(DEFAULT_CURVES_FIPS);
|
||||
+ else
|
||||
+#endif /* USE_FIPS */
|
||||
+ section->curves=str_dup_detached(DEFAULT_CURVES);
|
||||
+ }
|
||||
break;
|
||||
case CMD_PRINT_DEFAULTS:
|
||||
- s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
|
||||
+ if(fips_available()) {
|
||||
+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
|
||||
+ DEFAULT_CURVES_FIPS, "(with \"fips = yes\")");
|
||||
+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
|
||||
+ DEFAULT_CURVES, "(with \"fips = no\")");
|
||||
+ } else {
|
||||
+ s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
|
||||
+ }
|
||||
break;
|
||||
case CMD_PRINT_HELP:
|
||||
s_log(LOG_NOTICE, "%-22s = ECDH curve names", "curves");
|
@ -1,140 +0,0 @@
|
||||
From 6baa5762ea5edb192ec003333d62b1d0e56509bf Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
|
||||
Date: Sun, 11 Sep 2022 23:52:18 +0200
|
||||
Subject: [PATCH] stunnel-5.66
|
||||
|
||||
---
|
||||
src/common.h | 6 +++++-
|
||||
src/ctx.c | 58 +++++++++++++++++++++++++++++++++++++++++++---------
|
||||
2 files changed, 53 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/src/common.h b/src/common.h
|
||||
index bc37eb5..997e66e 100644
|
||||
--- a/src/common.h
|
||||
+++ b/src/common.h
|
||||
@@ -491,7 +491,7 @@ extern char *sys_errlist[];
|
||||
#include <openssl/dh.h>
|
||||
#if OPENSSL_VERSION_NUMBER<0x10100000L
|
||||
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
|
||||
-#endif /* OpenSSL older than 1.1.0 */
|
||||
+#endif /* OPENSSL_VERSION_NUMBER<0x10100000L */
|
||||
#endif /* !defined(OPENSSL_NO_DH) */
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
#include <openssl/engine.h>
|
||||
@@ -503,8 +503,12 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
|
||||
/* not defined in public headers before OpenSSL 0.9.8 */
|
||||
STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
|
||||
#endif /* !defined(OPENSSL_NO_COMP) */
|
||||
+#if OPENSSL_VERSION_NUMBER>=0x10101000L
|
||||
+#include <openssl/storeerr.h>
|
||||
+#endif /* OPENSSL_VERSION_NUMBER>=0x10101000L */
|
||||
#if OPENSSL_VERSION_NUMBER>=0x30000000L
|
||||
#include <openssl/provider.h>
|
||||
+#include <openssl/proverr.h>
|
||||
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
|
||||
|
||||
#ifndef OPENSSL_VERSION
|
||||
diff --git a/src/ctx.c b/src/ctx.c
|
||||
index a2202b7..cc0806c 100644
|
||||
--- a/src/ctx.c
|
||||
+++ b/src/ctx.c
|
||||
@@ -1001,30 +1001,41 @@ NOEXPORT int ui_retry() {
|
||||
unsigned long err=ERR_peek_error();
|
||||
|
||||
switch(ERR_GET_LIB(err)) {
|
||||
- case ERR_LIB_ASN1:
|
||||
- return 1;
|
||||
- case ERR_LIB_PKCS12:
|
||||
+ case ERR_LIB_EVP: /* 6 */
|
||||
switch(ERR_GET_REASON(err)) {
|
||||
- case PKCS12_R_MAC_VERIFY_FAILURE:
|
||||
+ case EVP_R_BAD_DECRYPT:
|
||||
return 1;
|
||||
default:
|
||||
+ s_log(LOG_ERR, "Unhandled ERR_LIB_EVP error reason: %d",
|
||||
+ ERR_GET_REASON(err));
|
||||
return 0;
|
||||
}
|
||||
- case ERR_LIB_EVP:
|
||||
+ case ERR_LIB_PEM: /* 9 */
|
||||
switch(ERR_GET_REASON(err)) {
|
||||
- case EVP_R_BAD_DECRYPT:
|
||||
+ case PEM_R_BAD_PASSWORD_READ:
|
||||
+ case PEM_R_BAD_DECRYPT:
|
||||
return 1;
|
||||
default:
|
||||
+ s_log(LOG_ERR, "Unhandled ERR_LIB_PEM error reason: %d",
|
||||
+ ERR_GET_REASON(err));
|
||||
return 0;
|
||||
}
|
||||
- case ERR_LIB_PEM:
|
||||
+ case ERR_LIB_ASN1: /* 13 */
|
||||
+ return 1;
|
||||
+ case ERR_LIB_PKCS12: /* 35 */
|
||||
switch(ERR_GET_REASON(err)) {
|
||||
- case PEM_R_BAD_PASSWORD_READ:
|
||||
+ case PKCS12_R_MAC_VERIFY_FAILURE:
|
||||
return 1;
|
||||
default:
|
||||
+ s_log(LOG_ERR, "Unhandled ERR_LIB_PKCS12 error reason: %d",
|
||||
+ ERR_GET_REASON(err));
|
||||
return 0;
|
||||
}
|
||||
- case ERR_LIB_UI:
|
||||
+#ifdef ERR_LIB_DSO /* 37 */
|
||||
+ case ERR_LIB_DSO:
|
||||
+ return 1;
|
||||
+#endif
|
||||
+ case ERR_LIB_UI: /* 40 */
|
||||
switch(ERR_GET_REASON(err)) {
|
||||
case UI_R_RESULT_TOO_LARGE:
|
||||
case UI_R_RESULT_TOO_SMALL:
|
||||
@@ -1033,17 +1044,44 @@ NOEXPORT int ui_retry() {
|
||||
#endif
|
||||
return 1;
|
||||
default:
|
||||
+ s_log(LOG_ERR, "Unhandled ERR_LIB_UI error reason: %d",
|
||||
+ ERR_GET_REASON(err));
|
||||
+ return 0;
|
||||
+ }
|
||||
+#ifdef ERR_LIB_OSSL_STORE
|
||||
+ case ERR_LIB_OSSL_STORE: /* 44 - added in OpenSSL 1.1.1 */
|
||||
+ switch(ERR_GET_REASON(err)) {
|
||||
+ case OSSL_STORE_R_BAD_PASSWORD_READ:
|
||||
+ return 1;
|
||||
+ default:
|
||||
+ s_log(LOG_ERR, "Unhandled ERR_LIB_OSSL_STORE error reason: %d",
|
||||
+ ERR_GET_REASON(err));
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+#ifdef ERR_LIB_PROV
|
||||
+ case ERR_LIB_PROV: /* 57 - added in OpenSSL 3.0 */
|
||||
+ switch(ERR_GET_REASON(err)) {
|
||||
+ case PROV_R_BAD_DECRYPT:
|
||||
+ return 1;
|
||||
+ default:
|
||||
+ s_log(LOG_ERR, "Unhandled ERR_LIB_PROV error reason: %d",
|
||||
+ ERR_GET_REASON(err));
|
||||
return 0;
|
||||
}
|
||||
- case ERR_LIB_USER: /* PKCS#11 hacks */
|
||||
+#endif
|
||||
+ case ERR_LIB_USER: /* 128 - PKCS#11 hacks */
|
||||
switch(ERR_GET_REASON(err)) {
|
||||
case 7UL: /* CKR_ARGUMENTS_BAD */
|
||||
case 0xa0UL: /* CKR_PIN_INCORRECT */
|
||||
return 1;
|
||||
default:
|
||||
+ s_log(LOG_ERR, "Unhandled ERR_LIB_USER error reason: %d",
|
||||
+ ERR_GET_REASON(err));
|
||||
return 0;
|
||||
}
|
||||
default:
|
||||
+ s_log(LOG_ERR, "Unhandled error library: %d", ERR_GET_LIB(err));
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.38.1
|
||||
|
@ -1,50 +1,68 @@
|
||||
diff -up stunnel-5.61/src/ctx.c.default-tls-version stunnel-5.61/src/ctx.c
|
||||
--- stunnel-5.61/src/ctx.c.default-tls-version 2021-12-13 09:43:22.000000000 +0100
|
||||
+++ stunnel-5.61/src/ctx.c 2022-01-10 19:27:49.913243127 +0100
|
||||
@@ -149,18 +149,28 @@ int context_init(SERVICE_OPTIONS *sectio
|
||||
From 1d3349209f339e6a68312fce076e355bc767d76c Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
||||
Subject: [PATCH 5/7] Apply patch stunnel-5.69-default-tls-version.patch
|
||||
|
||||
Patch-name: stunnel-5.69-default-tls-version.patch
|
||||
Patch-id: 5
|
||||
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
||||
---
|
||||
src/ctx.c | 34 ++++++++++++++++++++++------------
|
||||
src/options.c | 15 +++++++++++----
|
||||
src/prototypes.h | 3 +++
|
||||
3 files changed, 36 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/src/ctx.c b/src/ctx.c
|
||||
index 6a42a6b..cba24d9 100644
|
||||
--- a/src/ctx.c
|
||||
+++ b/src/ctx.c
|
||||
@@ -152,19 +152,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
|
||||
section->ctx=SSL_CTX_new(section->option.client ?
|
||||
TLS_client_method() : TLS_server_method());
|
||||
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
|
||||
- if(!SSL_CTX_set_min_proto_version(section->ctx,
|
||||
- if(section->min_proto_version &&
|
||||
- !SSL_CTX_set_min_proto_version(section->ctx,
|
||||
- section->min_proto_version)) {
|
||||
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
||||
- section->min_proto_version);
|
||||
- return 1; /* FAILED */
|
||||
- }
|
||||
- if(!SSL_CTX_set_max_proto_version(section->ctx,
|
||||
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
|
||||
+ s_log(LOG_INFO, "Using the default TLS minimum version as specified in"
|
||||
+ " crypto policies. Not setting explicitly.");
|
||||
+ } else {
|
||||
+ if(section->min_proto_version &&
|
||||
+ !SSL_CTX_set_min_proto_version(section->ctx,
|
||||
+ section->min_proto_version)) {
|
||||
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
||||
+ section->min_proto_version);
|
||||
+ return 1; /* FAILED */
|
||||
+ }
|
||||
}
|
||||
- if(section->max_proto_version &&
|
||||
- !SSL_CTX_set_max_proto_version(section->ctx,
|
||||
- section->max_proto_version)) {
|
||||
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
||||
- section->max_proto_version);
|
||||
- return 1; /* FAILED */
|
||||
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
|
||||
+ s_log(LOG_INFO, "Using the default TLS version as specified in "
|
||||
+ "OpenSSL crypto policies. Not setting explicitly.");
|
||||
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
|
||||
+ s_log(LOG_INFO, "Using the default TLS maximum version as specified in"
|
||||
+ " crypto policies. Not setting explicitly");
|
||||
+ } else {
|
||||
+ if(!SSL_CTX_set_min_proto_version(section->ctx,
|
||||
+ section->min_proto_version)) {
|
||||
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
||||
+ section->min_proto_version);
|
||||
+ if(section->max_proto_version &&
|
||||
+ !SSL_CTX_set_max_proto_version(section->ctx,
|
||||
+ section->max_proto_version)) {
|
||||
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
||||
+ section->max_proto_version);
|
||||
+ return 1; /* FAILED */
|
||||
+ }
|
||||
}
|
||||
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
|
||||
+ s_log(LOG_INFO, "Using the default TLS version as specified in "
|
||||
+ "OpenSSL crypto policies. Not setting explicitly");
|
||||
+ } else {
|
||||
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
|
||||
+ section->max_proto_version)) {
|
||||
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
||||
+ section->max_proto_version);
|
||||
+ return 1; /* FAILED */
|
||||
+ }
|
||||
+ }
|
||||
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
|
||||
if(section->option.client)
|
||||
section->ctx=SSL_CTX_new(section->client_method);
|
||||
diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options.c
|
||||
--- stunnel-5.61/src/options.c.default-tls-version 2022-01-10 19:23:15.096254067 +0100
|
||||
+++ stunnel-5.61/src/options.c 2022-01-10 19:23:15.098254103 +0100
|
||||
@@ -3297,8 +3297,9 @@ NOEXPORT char *parse_service_option(CMD
|
||||
diff --git a/src/options.c b/src/options.c
|
||||
index 4d31815..2ec5934 100644
|
||||
--- a/src/options.c
|
||||
+++ b/src/options.c
|
||||
@@ -3371,8 +3371,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
||||
return "Invalid protocol version";
|
||||
return NULL; /* OK */
|
||||
case CMD_INITIALIZE:
|
||||
@ -56,7 +74,7 @@ diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options
|
||||
return "Invalid protocol version range";
|
||||
break;
|
||||
case CMD_PRINT_DEFAULTS:
|
||||
@@ -3316,7 +3317,10 @@ NOEXPORT char *parse_service_option(CMD
|
||||
@@ -3390,7 +3391,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
||||
/* sslVersionMax */
|
||||
switch(cmd) {
|
||||
case CMD_SET_DEFAULTS:
|
||||
@ -68,11 +86,11 @@ diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options
|
||||
break;
|
||||
case CMD_SET_COPY:
|
||||
section->max_proto_version=new_service_options.max_proto_version;
|
||||
@@ -3347,7 +3351,10 @@ NOEXPORT char *parse_service_option(CMD
|
||||
@@ -3421,7 +3425,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
||||
/* sslVersionMin */
|
||||
switch(cmd) {
|
||||
case CMD_SET_DEFAULTS:
|
||||
- section->min_proto_version=TLS1_VERSION;
|
||||
- section->min_proto_version=0; /* lowest supported */
|
||||
+ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
|
||||
+ OpenSSL crypto
|
||||
+ policies. Do not
|
||||
@ -80,10 +98,11 @@ diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options
|
||||
break;
|
||||
case CMD_SET_COPY:
|
||||
section->min_proto_version=new_service_options.min_proto_version;
|
||||
diff -up stunnel-5.61/src/prototypes.h.default-tls-version stunnel-5.61/src/prototypes.h
|
||||
--- stunnel-5.61/src/prototypes.h.default-tls-version 2021-12-13 09:43:22.000000000 +0100
|
||||
+++ stunnel-5.61/src/prototypes.h 2022-01-10 19:23:15.099254121 +0100
|
||||
@@ -932,6 +932,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
|
||||
diff --git a/src/prototypes.h b/src/prototypes.h
|
||||
index 0ecd719..a126c9e 100644
|
||||
--- a/src/prototypes.h
|
||||
+++ b/src/prototypes.h
|
||||
@@ -940,6 +940,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
|
||||
ICON_IMAGE load_icon_file(const char *);
|
||||
#endif
|
||||
|
||||
@ -93,3 +112,6 @@ diff -up stunnel-5.61/src/prototypes.h.default-tls-version stunnel-5.61/src/prot
|
||||
#endif /* defined PROTOTYPES_H */
|
||||
|
||||
/* end of prototypes.h */
|
||||
--
|
||||
2.39.2
|
||||
|
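Review bot: When `min_proto_version` is `USE_DEFAULT_TLS_VERSION`, the new branch in `context_init()` only logs that the floor is left to crypto-policies, so stunnel's log never records which minimum TLS version the context actually ends up with. A line after the branch such as `s_log(LOG_INFO, "Effective minimum protocol version 0x%X", (unsigned)SSL_CTX_get_min_proto_version(section->ctx));` would make a weak host policy (for example a legacy profile) visible to the operator. The getter exists only from OpenSSL 1.1.1, so it needs its own version guard inside this `>=0x10100000L` block, and whether it reflects the policy value should be confirmed on a target host. The same applies to the `max_proto_version` branch, whose message also lacks the trailing full stop the minimum message has. The body of `context_init()` continues outside the hunk.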
37
stunnel-5.69-system-ciphers.patch
Normal file
37
stunnel-5.69-system-ciphers.patch
Normal file
@ -0,0 +1,37 @@
|
||||
From 6c8c4c8c85204943223b251d09ca1e93571a437a Mon Sep 17 00:00:00 2001
|
||||
From: Sahana Prasad <sprasad@localhost.localdomain>
|
||||
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
||||
Subject: [PATCH 3/7] Use cipher configuration from crypto-policies
|
||||
|
||||
On Fedora, CentOS and RHEL, the system's crypto policies are the best
|
||||
source to determine which cipher suites to accept in TLS. On these
|
||||
platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
|
||||
policies. Change stunnel to default to this setting.
|
||||
|
||||
Co-Authored-by: Sahana Prasad <shebburn@redhat.com>
|
||||
Patch-name: stunnel-5.69-system-ciphers.patch
|
||||
Patch-id: 3
|
||||
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
||||
---
|
||||
src/options.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/options.c b/src/options.c
|
||||
index 6e4a18b..4d31815 100644
|
||||
--- a/src/options.c
|
||||
+++ b/src/options.c
|
||||
@@ -321,9 +321,9 @@ static const char *option_not_found=
|
||||
"Specified option name is not valid here";
|
||||
|
||||
static const char *stunnel_cipher_list=
|
||||
- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
|
||||
+ "PROFILE=SYSTEM";
|
||||
static const char *fips_cipher_list=
|
||||
- "FIPS:!DH:!kDHEPSK";
|
||||
+ "PROFILE=SYSTEM";
|
||||
|
||||
#ifndef OPENSSL_NO_TLS1_3
|
||||
static const char *stunnel_ciphersuites=
|
||||
--
|
||||
2.39.2
|
||||
|
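Review bot: `fips_cipher_list` becomes the same `"PROFILE=SYSTEM"` string as `stunnel_cipher_list`, so the explicit `FIPS:!DH:!kDHEPSK` restriction is gone and a FIPS-mode service is only as strict as the host's active crypto policy. That is presumably intended on Fedora, CentOS and RHEL, but nothing at the definitions says so. The patch description ties `PROFILE=SYSTEM` to those platforms' OpenSSL, so a build against a different OpenSSL would presumably fail when the cipher list is applied. I would add a comment above both constants, e.g. `/* cipher selection is delegated to system crypto-policies (distribution OpenSSL only); FIPS limits come from the system FIPS policy, not from this string */`. The `From:` address `sprasad@localhost.localdomain` in the patch header also looks like an unconfigured git identity and could be aligned with the `Co-Authored-by` trailer.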
40
stunnel.spec
40
stunnel.spec
@ -1,7 +1,7 @@
|
||||
# Do not generate provides for private libraries
|
||||
%global __provides_exclude_from ^%{_libdir}/stunnel/.*$
|
||||
|
||||
%if 0%{?fedora} > 27 || 0%{?rhel} > 7
|
||||
%if 0%{?fedora} || 0%{?rhel} > 7
|
||||
%bcond_with libwrap
|
||||
%else
|
||||
%bcond_without libwrap
|
||||
@ -9,8 +9,8 @@
|
||||
|
||||
Summary: A TLS-encrypting socket wrapper
|
||||
Name: stunnel
|
||||
Version: 5.62
|
||||
Release: 3%{?dist}
|
||||
Version: 5.71
|
||||
Release: 1%{?dist}
|
||||
License: GPLv2
|
||||
URL: https://www.stunnel.org/
|
||||
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
|
||||
@ -21,18 +21,19 @@ Source4: stunnel-sfinger.conf
|
||||
Source5: pop3-redirect.xinetd
|
||||
Source6: stunnel-pop3s-client.conf
|
||||
Source7: stunnel@.service
|
||||
# Upstream release signing key
|
||||
# Upstream source is https://www.stunnel.org/pgp.asc; using a local URL because
|
||||
# the remote one makes packit source-git choke.
|
||||
Source99: pgp.asc
|
||||
Patch0: stunnel-5.50-authpriv.patch
|
||||
Patch1: stunnel-5.61-systemd-service.patch
|
||||
Patch3: stunnel-5.56-system-ciphers.patch
|
||||
Patch4: stunnel-5.56-coverity.patch
|
||||
Patch5: stunnel-5.61-default-tls-version.patch
|
||||
Patch3: stunnel-5.69-system-ciphers.patch
|
||||
Patch5: stunnel-5.69-default-tls-version.patch
|
||||
Patch6: stunnel-5.56-curves-doc-update.patch
|
||||
Patch7: stunnel-5.61-openssl30-fips.patch
|
||||
Patch8: stunnel-5.62-disabled-curves.patch
|
||||
Patch9: stunnel-5.62-openssl3-error-handling.patch
|
||||
# util-linux is needed for rename
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc
|
||||
BuildRequires: gnupg2
|
||||
BuildRequires: openssl-devel, pkgconfig, util-linux
|
||||
BuildRequires: autoconf automake libtool
|
||||
%if %{with libwrap}
|
||||
@ -42,8 +43,8 @@ BuildRequires: /usr/bin/pod2man
|
||||
BuildRequires: /usr/bin/pod2html
|
||||
# build test requirements
|
||||
BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
|
||||
BuildRequires: python3 openssl
|
||||
BuildRequires: systemd
|
||||
BuildRequires: python3 python3-cryptography openssl
|
||||
BuildRequires: systemd systemd-devel
|
||||
%{?systemd_requires}
|
||||
|
||||
%description
|
||||
@ -53,16 +54,13 @@ to ordinary applications. For example, it can be used in
|
||||
conjunction with imapd to create a TLS secure IMAP server.
|
||||
|
||||
%prep
|
||||
%{gpgverify} --keyring='%{SOURCE99}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
|
||||
%setup -q
|
||||
%patch0 -p1 -b .authpriv
|
||||
%patch1 -p1 -b .systemd-service
|
||||
%patch3 -p1 -b .system-ciphers
|
||||
%patch4 -p1 -b .coverity
|
||||
%patch5 -p1 -b .default-tls-version
|
||||
%patch6 -p1 -b .curves-doc-update
|
||||
%patch7 -p1 -b .openssl30-fips
|
||||
%patch8 -p1 -b .disabled-curves
|
||||
%patch9 -p1 -b .openssl3-error-handling
|
||||
|
||||
# Fix the stack protector flag
|
||||
sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
|
||||
@ -80,6 +78,7 @@ fi
|
||||
%else
|
||||
--disable-libwrap \
|
||||
%endif
|
||||
--with-bashcompdir=%{_datadir}/bash-completion/completions \
|
||||
CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'"
|
||||
make V=1 LDADD="-pie -Wl,-z,defs,-z,relro,-z,now"
|
||||
|
||||
@ -95,11 +94,9 @@ for lang in pl ; do
|
||||
done
|
||||
mkdir srpm-docs
|
||||
cp %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} srpm-docs
|
||||
%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
|
||||
mkdir -p %{buildroot}%{_unitdir}
|
||||
cp %{buildroot}%{_datadir}/doc/stunnel/examples/%{name}.service %{buildroot}%{_unitdir}/%{name}.service
|
||||
cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service
|
||||
%endif
|
||||
|
||||
%check
|
||||
if ! make test; then
|
||||
@ -127,9 +124,7 @@ fi
|
||||
%lang(pl) %{_mandir}/pl/man8/stunnel.8*
|
||||
%dir %{_sysconfdir}/%{name}
|
||||
%exclude %{_sysconfdir}/stunnel/*
|
||||
%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
|
||||
%{_unitdir}/%{name}*.service
|
||||
%endif
|
||||
%{_datadir}/bash-completion/completions/%{name}.bash
|
||||
|
||||
%post
|
||||
@ -144,6 +139,13 @@ fi
|
||||
%systemd_postun_with_restart %{name}.service
|
||||
|
||||
%changelog
|
||||
* Thu Oct 05 2023 Clemens Lang <cllang@redhat.com> - 5.71-1
|
||||
- New upstream release 5.71
|
||||
Resolves: RHEL-2468
|
||||
- Enable socket activation support
|
||||
- verify upstream source in %%prep
|
||||
- clean up stale conditionals
|
||||
|
||||
* Thu Dec 08 2022 Clemens Lang <cllang@redhat.com> - 5.62-3
|
||||
- Fix use of encrypted key files and password retry with OpenSSL 3
|
||||
Resolves: rhbz#2151888
|
||||
|
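Review bot: The new `%{gpgverify}` call in `%prep` checks the tarball against `pgp.asc` from this same repository, so the trust anchor is whatever key file the last commit put there. The spec records nothing that would let a reviewer notice a swapped key. I would pin the expected fingerprint next to `Source99`, e.g. `# Expected upstream signing key fingerprint: <FINGERPRINT-PLACEHOLDER>`, with the value obtained from upstream over a separate channel, and compare it whenever `pgp.asc` changes. The `Source1` signature file passed to `--signature` is defined outside the visible hunks, so confirm it points at the `.tar.gz.asc` for the same `%{version}`.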