parent
c853862314
commit
7322001771
@ -1 +1 @@
|
||||
SOURCES/stunnel-5.48.tar.gz
|
||||
SOURCES/stunnel-5.56.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
8e8576abf9b143c7ef1b7390c35b46c4cf878ca0 SOURCES/stunnel-5.48.tar.gz
|
||||
a7fa3fb55d698f50f3d54e4fc08588a119f21cad SOURCES/stunnel-5.56.tar.gz
|
||||
|
@ -1,17 +0,0 @@
|
||||
diff --git a/tools/stunnel.service.in b/tools/stunnel.service.in
|
||||
index 53ad3e7..620a0e7 100644
|
||||
--- a/tools/stunnel.service.in
|
||||
+++ b/tools/stunnel.service.in
|
||||
@@ -1,10 +1,11 @@
|
||||
[Unit]
|
||||
Description=TLS tunnel for network daemons
|
||||
-After=syslog.target
|
||||
+After=syslog.target network.target
|
||||
|
||||
[Service]
|
||||
ExecStart=@bindir@/stunnel
|
||||
Type=forking
|
||||
+PrivateTmp=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -1,12 +0,0 @@
|
||||
diff -up stunnel-5.46/src/options.c.system-ciphers stunnel-5.46/src/options.c
|
||||
--- stunnel-5.46/src/options.c.system-ciphers 2018-05-29 08:58:03.601089886 +0200
|
||||
+++ stunnel-5.46/src/options.c 2018-05-29 08:59:00.880244728 +0200
|
||||
@@ -252,7 +252,7 @@ static char *option_not_found=
|
||||
"Specified option name is not valid here";
|
||||
|
||||
static char *stunnel_cipher_list=
|
||||
- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
|
||||
+ "PROFILE=SYSTEM";
|
||||
|
||||
/**************************************** parse commandline parameters */
|
||||
|
@ -1,55 +0,0 @@
|
||||
diff -up stunnel-5.48/src/file.c.coverity stunnel-5.48/src/file.c
|
||||
--- stunnel-5.48/src/file.c.coverity 2018-04-06 16:25:10.000000000 +0200
|
||||
+++ stunnel-5.48/src/file.c 2018-09-04 17:24:08.948928882 +0200
|
||||
@@ -120,7 +120,7 @@ DISK_FILE *file_open(char *name, FILE_MO
|
||||
return NULL;
|
||||
|
||||
/* setup df structure */
|
||||
- df=str_alloc(sizeof df);
|
||||
+ df=str_alloc(sizeof *df);
|
||||
df->fd=fd;
|
||||
return df;
|
||||
}
|
||||
diff -up stunnel-5.48/src/options.c.coverity stunnel-5.48/src/options.c
|
||||
--- stunnel-5.48/src/options.c.coverity 2018-09-04 17:24:08.946928836 +0200
|
||||
+++ stunnel-5.48/src/options.c 2018-09-04 18:47:03.135083884 +0200
|
||||
@@ -515,8 +515,7 @@ NOEXPORT int options_include(char *direc
|
||||
"%s/%s",
|
||||
#endif
|
||||
directory, namelist[i]->d_name);
|
||||
- stat(name, &sb);
|
||||
- if(S_ISREG(sb.st_mode))
|
||||
+ if(stat(name, &sb) == 0 && S_ISREG(sb.st_mode))
|
||||
err=options_file(name, CONF_FILE, section);
|
||||
else
|
||||
s_log(LOG_DEBUG, "\"%s\" is not a file", name);
|
||||
@@ -3773,6 +3772,7 @@ NOEXPORT PSK_KEYS *psk_dup(PSK_KEYS *src
|
||||
else
|
||||
head=curr;
|
||||
tail=curr;
|
||||
+ src=src->next;
|
||||
}
|
||||
return head;
|
||||
}
|
||||
diff -up stunnel-5.48/src/str.c.coverity stunnel-5.48/src/str.c
|
||||
--- stunnel-5.48/src/str.c.coverity 2018-07-02 23:30:10.000000000 +0200
|
||||
+++ stunnel-5.48/src/str.c 2018-09-04 17:24:08.949928906 +0200
|
||||
@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va
|
||||
for(;;) {
|
||||
va_copy(ap, start_ap);
|
||||
n=vsnprintf(p, size, format, ap);
|
||||
+ va_end(ap);
|
||||
if(n>-1 && n<(int)size)
|
||||
return p;
|
||||
if(n>-1) /* glibc 2.1 */
|
||||
diff -up stunnel-5.48/src/stunnel.c.coverity stunnel-5.48/src/stunnel.c
|
||||
--- stunnel-5.48/src/stunnel.c.coverity 2018-07-02 23:30:10.000000000 +0200
|
||||
+++ stunnel-5.48/src/stunnel.c 2018-09-04 17:24:08.949928906 +0200
|
||||
@@ -364,7 +364,6 @@ NOEXPORT int accept_connection(SERVICE_O
|
||||
#endif
|
||||
if(create_client(fd, s, alloc_client_session(opt, s, s))) {
|
||||
s_log(LOG_ERR, "Connection rejected: create_client failed");
|
||||
- closesocket(s);
|
||||
#ifndef USE_FORK
|
||||
service_free(opt);
|
||||
#endif
|
@ -1,18 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAls6m2RfFIAAAAAALgAo
|
||||
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
|
||||
QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
|
||||
4BTksRAAiWO5DWBpHrnDKy1jon+4lG/OPHe92nWxc6yH2HVeB064tXYeXYjRnnR4
|
||||
mItaO4wCJICd94+5EUO6DUfut4+7SIAWNPUnZd5OgFkgmGd0YEF6tEfM9z6BhMc3
|
||||
T8ZwKCP/hhU5oxqQyDO/esk2+Opps5ddsQLx84iUsylFwq8gK8BkVZrx2yLBX/fz
|
||||
wGpP1YnxLdx+rQQx/BkHd52nQAR3gqrGcZtMgchhTBsfZ4jgnr4Xr4XgXJPfe0Di
|
||||
xGCD7/sy+N8sNu4S6RER4qNV6PLBcZ6Bjp+VqMpODdoXlD0EQXundgbrg8Nuq8HR
|
||||
TTbL1pItHo0vy5QetFILJqlrdLw3sIG5Wy1+k87X485DKhJuvZqU0nKixYmaujB9
|
||||
as1YNccDb2FwF7Rzq4hF1J0IwYUsyfgbd58k1VdmtPp5TSUyd1lp+tpX0tEJePk6
|
||||
g1X3NecNVbw8p66gPiUadlTYkkUQdqDHnGxD9EKG7BwRE8lPR5CTJD1w8xEOzLMw
|
||||
tVKSBgcHeIA7Sn9mJtOFOJ7Y+aUccMIliprgk34P3+4bFFBxLQaRQycfLVIyRy4t
|
||||
3QRk+vsMxfuAVainN/yVU7hCtiL09ZHm3g8AnDZFKmtZzYcBbb24RWhONt0bz9j1
|
||||
fnYKvguL78ptBpsmPmXjwBY+qxmJx4LAWFxE7TUgqsaASJYWSH4=
|
||||
=KMsG
|
||||
-----END PGP SIGNATURE-----
|
@ -0,0 +1,11 @@
|
||||
diff -up stunnel-5.50/tools/stunnel.service.in.systemd-service stunnel-5.50/tools/stunnel.service.in
|
||||
--- stunnel-5.50/tools/stunnel.service.in.systemd-service 2019-01-14 12:17:15.826868965 +0100
|
||||
+++ stunnel-5.50/tools/stunnel.service.in 2019-01-14 12:18:21.186753131 +0100
|
||||
@@ -5,6 +5,7 @@ After=syslog.target network.target
|
||||
[Service]
|
||||
ExecStart=@bindir@/stunnel
|
||||
Type=forking
|
||||
+PrivateTmp=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -0,0 +1,22 @@
|
||||
diff -up stunnel-5.48/src/str.c.coverity stunnel-5.48/src/str.c
|
||||
--- stunnel-5.48/src/str.c.coverity 2018-07-02 23:30:10.000000000 +0200
|
||||
+++ stunnel-5.48/src/str.c 2018-09-04 17:24:08.949928906 +0200
|
||||
@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va
|
||||
for(;;) {
|
||||
va_copy(ap, start_ap);
|
||||
n=vsnprintf(p, size, format, ap);
|
||||
+ va_end(ap);
|
||||
if(n>-1 && n<(int)size)
|
||||
return p;
|
||||
if(n>-1) /* glibc 2.1 */
|
||||
diff -up stunnel-5.48/src/stunnel.c.coverity stunnel-5.48/src/stunnel.c
|
||||
--- stunnel-5.48/src/stunnel.c.coverity 2018-07-02 23:30:10.000000000 +0200
|
||||
+++ stunnel-5.48/src/stunnel.c 2018-09-04 17:24:08.949928906 +0200
|
||||
@@ -364,7 +364,6 @@ NOEXPORT int accept_connection(SERVICE_O
|
||||
#endif
|
||||
if(create_client(fd, s, alloc_client_session(opt, s, s))) {
|
||||
s_log(LOG_ERR, "Connection rejected: create_client failed");
|
||||
- closesocket(s);
|
||||
#ifndef USE_FORK
|
||||
service_free(opt);
|
||||
#endif
|
@ -0,0 +1,66 @@
|
||||
--- stunnel-5.56/doc/stunnel.8.in.curves-doc-update 2020-04-16 17:12:48.171590017 +0200
|
||||
+++ stunnel-5.56/doc/stunnel.8.in 2020-04-16 17:16:07.001603122 +0200
|
||||
@@ -473,6 +473,8 @@ This file contains multiple CRLs, used w
|
||||
.IX Item "curves = list"
|
||||
\&\s-1ECDH\s0 curves separated with ':'
|
||||
.Sp
|
||||
+Note: This option is supported for server mode sockets only.
|
||||
+.Sp
|
||||
Only a single curve name is allowed for OpenSSL older than 1.1.0.
|
||||
.Sp
|
||||
To get a list of supported curves use:
|
||||
--- stunnel-5.56/doc/stunnel.html.in.curves-doc-update 2020-04-16 17:13:25.664962696 +0200
|
||||
+++ stunnel-5.56/doc/stunnel.html.in 2020-04-16 17:16:55.897111302 +0200
|
||||
@@ -568,6 +568,8 @@
|
||||
|
||||
<p>ECDH curves separated with ':'</p>
|
||||
|
||||
+<p>Note: This option is supported for server mode sockets only.</p>
|
||||
+
|
||||
<p>Only a single curve name is allowed for OpenSSL older than 1.1.0.</p>
|
||||
|
||||
<p>To get a list of supported curves use:</p>
|
||||
--- stunnel-5.56/doc/stunnel.pod.in.curves-doc-update 2020-04-16 17:13:43.412139122 +0200
|
||||
+++ stunnel-5.56/doc/stunnel.pod.in 2020-04-16 17:17:25.414418073 +0200
|
||||
@@ -499,6 +499,8 @@ I<verifyPeer> options.
|
||||
|
||||
ECDH curves separated with ':'
|
||||
|
||||
+Note: This option is supported for server mode sockets only.
|
||||
+
|
||||
Only a single curve name is allowed for OpenSSL older than 1.1.0.
|
||||
|
||||
To get a list of supported curves use:
|
||||
--- stunnel-5.56/doc/stunnel.pl.pod.in.curves-doc-update 2020-04-16 17:25:22.631934496 +0200
|
||||
+++ stunnel-5.56/doc/stunnel.pl.pod.in 2020-04-16 17:47:46.872353210 +0200
|
||||
@@ -507,6 +507,8 @@ przez opcje I<verifyChain> i I<verifyPee
|
||||
|
||||
krzywe ECDH odddzielone ':'
|
||||
|
||||
+Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.
|
||||
+
|
||||
Wersje OpenSSL starsze niż 1.1.0 pozwalają na użycie tylko jednej krzywej.
|
||||
|
||||
Listę dostępnych krzywych można uzyskać poleceniem:
|
||||
--- stunnel-5.56/doc/stunnel.pl.html.in.curves-doc-update 2020-04-16 17:24:46.857579674 +0200
|
||||
+++ stunnel-5.56/doc/stunnel.pl.html.in 2020-04-16 17:46:13.385404626 +0200
|
||||
@@ -564,6 +564,8 @@
|
||||
|
||||
<p>krzywe ECDH odddzielone ':'</p>
|
||||
|
||||
+<p>Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.</p>
|
||||
+
|
||||
<p>Wersje OpenSSL starsze niż 1.1.0 pozwalają na użycie tylko jednej krzywej.</p>
|
||||
|
||||
<p>Listę dostępnych krzywych można uzyskać poleceniem:</p>
|
||||
--- stunnel-5.56/doc/stunnel.pl.8.in.curves-doc-update 2020-04-16 17:24:25.665369474 +0200
|
||||
+++ stunnel-5.56/doc/stunnel.pl.8.in 2020-04-16 17:45:14.141792786 +0200
|
||||
@@ -483,6 +483,8 @@ przez opcje \fIverifyChain\fR i \fIverif
|
||||
.IX Item "curves = lista"
|
||||
krzywe \s-1ECDH\s0 odddzielone ':'
|
||||
.Sp
|
||||
+Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.
|
||||
+.Sp
|
||||
Wersje OpenSSL starsze niż 1.1.0 pozwalają na użycie tylko jednej krzywej.
|
||||
.Sp
|
||||
Listę dostępnych krzywych można uzyskać poleceniem:
|
@ -0,0 +1,92 @@
|
||||
--- stunnel-5.56/src/prototypes.h.default-tls-version 2020-04-06 11:22:24.480280384 +0200
|
||||
+++ stunnel-5.56/src/prototypes.h 2020-04-06 11:21:05.407597053 +0200
|
||||
@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
|
||||
ICON_IMAGE load_icon_file(const char *);
|
||||
#endif
|
||||
|
||||
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
|
||||
+ crypto policies */
|
||||
+
|
||||
#endif /* defined PROTOTYPES_H */
|
||||
|
||||
/* end of prototypes.h */
|
||||
--- stunnel-5.56/src/options.c.default-tls-version 2020-04-06 18:58:48.947214149 +0200
|
||||
+++ stunnel-5.56/src/options.c 2020-04-08 15:45:18.093520780 +0200
|
||||
@@ -3123,8 +3123,9 @@ NOEXPORT char *parse_service_option(CMD
|
||||
return "Invalid protocol version";
|
||||
return NULL; /* OK */
|
||||
case CMD_INITIALIZE:
|
||||
- if(section->max_proto_version && section->min_proto_version &&
|
||||
- section->max_proto_version<section->min_proto_version)
|
||||
+ if(section->max_proto_version != USE_DEFAULT_TLS_VERSION
|
||||
+ && section->min_proto_version != USE_DEFAULT_TLS_VERSION
|
||||
+ && section->max_proto_version<section->min_proto_version)
|
||||
return "Invalid protocol version range";
|
||||
break;
|
||||
case CMD_PRINT_DEFAULTS:
|
||||
@@ -3142,7 +3143,10 @@ NOEXPORT char *parse_service_option(CMD
|
||||
/* sslVersionMax */
|
||||
switch(cmd) {
|
||||
case CMD_SET_DEFAULTS:
|
||||
- section->max_proto_version=0; /* highest supported */
|
||||
+ section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
|
||||
+ OpenSSL crypto
|
||||
+ policies.Do not
|
||||
+ override it */
|
||||
break;
|
||||
case CMD_SET_COPY:
|
||||
section->max_proto_version=new_service_options.max_proto_version;
|
||||
@@ -3173,7 +3177,10 @@ NOEXPORT char *parse_service_option(CMD
|
||||
/* sslVersionMin */
|
||||
switch(cmd) {
|
||||
case CMD_SET_DEFAULTS:
|
||||
- section->min_proto_version=TLS1_VERSION;
|
||||
+ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
|
||||
+ OpenSSL crypto
|
||||
+ policies. Do not
|
||||
+ override it */
|
||||
break;
|
||||
case CMD_SET_COPY:
|
||||
section->min_proto_version=new_service_options.min_proto_version;
|
||||
--- stunnel-5.56/src/ctx.c.default-tls-version 2019-10-24 10:48:11.000000000 +0200
|
||||
+++ stunnel-5.56/src/ctx.c 2020-04-06 11:16:48.406406794 +0200
|
||||
@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio
|
||||
section->ctx=SSL_CTX_new(TLS_client_method());
|
||||
else /* server mode */
|
||||
section->ctx=SSL_CTX_new(TLS_server_method());
|
||||
- if(!SSL_CTX_set_min_proto_version(section->ctx,
|
||||
- section->min_proto_version)) {
|
||||
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
||||
- section->min_proto_version);
|
||||
- return 1; /* FAILED */
|
||||
+
|
||||
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
|
||||
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
|
||||
+ OpenSSL crypto policies. Not setting explicitly.");
|
||||
+ } else {
|
||||
+ if(!SSL_CTX_set_min_proto_version(section->ctx,
|
||||
+ section->min_proto_version)) {
|
||||
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
||||
+ section->min_proto_version);
|
||||
+ return 1; /* FAILED */
|
||||
+ }
|
||||
}
|
||||
- if(!SSL_CTX_set_max_proto_version(section->ctx,
|
||||
- section->max_proto_version)) {
|
||||
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
||||
- section->max_proto_version);
|
||||
- return 1; /* FAILED */
|
||||
+
|
||||
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
|
||||
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
|
||||
+ OpenSSL crypto policies. Not setting explicitly");
|
||||
+ } else {
|
||||
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
|
||||
+ section->max_proto_version)) {
|
||||
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
||||
+ section->max_proto_version);
|
||||
+ return 1; /* FAILED */
|
||||
+ }
|
||||
}
|
||||
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
|
||||
if(section->option.client)
|
@ -0,0 +1,12 @@
|
||||
diff -up stunnel-5.55/src/options.c.system-ciphers stunnel-5.55/src/options.c
|
||||
--- stunnel-5.55/src/options.c.system-ciphers 2019-09-19 14:43:00.631059024 +0200
|
||||
+++ stunnel-5.55/src/options.c 2019-09-19 14:51:02.120053849 +0200
|
||||
@@ -277,7 +277,7 @@ static char *option_not_found=
|
||||
"Specified option name is not valid here";
|
||||
|
||||
static char *stunnel_cipher_list=
|
||||
- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
|
||||
+ "PROFILE=SYSTEM";
|
||||
|
||||
#ifndef OPENSSL_NO_TLS1_3
|
||||
static char *stunnel_ciphersuites=
|
@ -0,0 +1,18 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAl3YIPhfFIAAAAAALgAo
|
||||
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
|
||||
QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
|
||||
4BTuMw//R+LJhCo2prR6RIxEsYbfzIwkl9NwcE5EPTKse2umTOHsMRfVMpZiKjCl
|
||||
5UC1tLbqUzSjAydQiFwdvcHZAJLWblr84p+CC5hEaS/rwX4PL221gqqrC8Ut7ap3
|
||||
n/v5gCJ8iqnpgZSgHPSGqucG3x1KlZotPnny1RVIjCSHPvoUtocAwJNSChRkyUT0
|
||||
ym8qhUPyOmRhYQZew1haxFJa26yc017dN5QZy+H3uo0zPLXaWJpPjJG/1pBtden4
|
||||
mL+mg8phZZ9MtBtEOK2NTA+4K24vcM+aHoEyMI/dcmi4NN256N5CJZ13tF3LgHNV
|
||||
j0vp1a75p5aAMeRTv7zShegZGvJJciyYJKwRnOAUnHVFDhnsgd05VQHeWC1aFKjM
|
||||
cXwrvHgGn+TG0V29ahnzR7NdVhkuP3etcqx6FuIgcj2omp0Bj4zFRlKSl4x+hY56
|
||||
MTvwksIXZTItHvffiE49ExGPA8OQW3S9Sr+lPFk98xjVuTU/P8GIVNp2kof4ezYN
|
||||
Yhav4mA/KAkMX0fb+Cw6eyZl0aZEPx76hhkKhh2OmR8w3k5X2hetGcXX1/UFEHCm
|
||||
uNCvWwV5Ry6Kc8Zpr8p6fUOh0Se4cNi59c1FKEwMX1hTgLklbIZioiFM/fR0RLOJ
|
||||
PU/Cq+NbaZ3O8Cup7PsVjCDgXTcKcQAdQTOxgfW6f+szmTo5Qx4=
|
||||
=RhpX
|
||||
-----END PGP SIGNATURE-----
|