From 732200177182ab98af809b0329ac27e8abf2bc51 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 3 Nov 2020 06:43:19 -0500
Subject: [PATCH] import stunnel-5.56-4.el8
---
 .gitignore | 2 +-
 .stunnel.metadata | 2 +-
 SOURCES/stunnel-5.40-systemd-service.patch | 17 ----
 SOURCES/stunnel-5.46-system-ciphers.patch | 12 ---
 SOURCES/stunnel-5.48-coverity.patch | 55 -----------
 SOURCES/stunnel-5.48.tar.gz.asc | 18 ----
 ...priv.patch => stunnel-5.50-authpriv.patch} | 40 ++++----
 SOURCES/stunnel-5.50-systemd-service.patch | 11 +++
 SOURCES/stunnel-5.56-coverity.patch | 22 +++++
 SOURCES/stunnel-5.56-curves-doc-update.patch | 66 +++++++++++++
 .../stunnel-5.56-default-tls-version.patch | 92 +++++++++++++++++++
 SOURCES/stunnel-5.56-system-ciphers.patch | 12 +++
 SOURCES/stunnel-5.56.tar.gz.asc | 18 ++++
 SPECS/stunnel.spec | 30 ++++--
 14 files changed, 264 insertions(+), 133 deletions(-)
 delete mode 100644 SOURCES/stunnel-5.40-systemd-service.patch
 delete mode 100644 SOURCES/stunnel-5.46-system-ciphers.patch
 delete mode 100644 SOURCES/stunnel-5.48-coverity.patch
 delete mode 100644 SOURCES/stunnel-5.48.tar.gz.asc
 rename SOURCES/{stunnel-5.40-authpriv.patch => stunnel-5.50-authpriv.patch} (59%)
 create mode 100644 SOURCES/stunnel-5.50-systemd-service.patch
 create mode 100644 SOURCES/stunnel-5.56-coverity.patch
 create mode 100644 SOURCES/stunnel-5.56-curves-doc-update.patch
 create mode 100644 SOURCES/stunnel-5.56-default-tls-version.patch
 create mode 100644 SOURCES/stunnel-5.56-system-ciphers.patch
 create mode 100644 SOURCES/stunnel-5.56.tar.gz.asc
diff --git a/.gitignore b/.gitignore
index fdea1fe..413edf9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/stunnel-5.48.tar.gz
+SOURCES/stunnel-5.56.tar.gz
diff --git a/.stunnel.metadata b/.stunnel.metadata
index 00869cd..01414ab 100644
--- a/.stunnel.metadata
+++ b/.stunnel.metadata
@@ -1 +1 @@
-8e8576abf9b143c7ef1b7390c35b46c4cf878ca0 SOURCES/stunnel-5.48.tar.gz
+a7fa3fb55d698f50f3d54e4fc08588a119f21cad SOURCES/stunnel-5.56.tar.gz
diff --git a/SOURCES/stunnel-5.40-systemd-service.patch b/SOURCES/stunnel-5.40-systemd-service.patch
deleted file mode 100644
index 10ad1bb..0000000
--- a/SOURCES/stunnel-5.40-systemd-service.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-diff --git a/tools/stunnel.service.in b/tools/stunnel.service.in
-index 53ad3e7..620a0e7 100644
---- a/tools/stunnel.service.in
-+++ b/tools/stunnel.service.in
-@@ -1,10 +1,11 @@
- [Unit]
- Description=TLS tunnel for network daemons
--After=syslog.target
-+After=syslog.target network.target
-
- [Service]
- ExecStart=@bindir@/stunnel
- Type=forking
-+PrivateTmp=true
-
- [Install]
- WantedBy=multi-user.target
diff --git a/SOURCES/stunnel-5.46-system-ciphers.patch b/SOURCES/stunnel-5.46-system-ciphers.patch
deleted file mode 100644
index 869c162..0000000
--- a/SOURCES/stunnel-5.46-system-ciphers.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up stunnel-5.46/src/options.c.system-ciphers stunnel-5.46/src/options.c
---- stunnel-5.46/src/options.c.system-ciphers 2018-05-29 08:58:03.601089886 +0200
-+++ stunnel-5.46/src/options.c 2018-05-29 08:59:00.880244728 +0200
-@@ -252,7 +252,7 @@ static char *option_not_found=
- "Specified option name is not valid here";
-
- static char *stunnel_cipher_list=
-- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
-+ "PROFILE=SYSTEM";
-
- /**************************************** parse commandline parameters */
-
diff --git a/SOURCES/stunnel-5.48-coverity.patch b/SOURCES/stunnel-5.48-coverity.patch
deleted file mode 100644
index 7d2f63f..0000000
--- a/SOURCES/stunnel-5.48-coverity.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-diff -up stunnel-5.48/src/file.c.coverity stunnel-5.48/src/file.c
---- stunnel-5.48/src/file.c.coverity 2018-04-06 16:25:10.000000000 +0200
-+++ stunnel-5.48/src/file.c 2018-09-04 17:24:08.948928882 +0200
-@@ -120,7 +120,7 @@ DISK_FILE *file_open(char *name, FILE_MO
- return NULL;
-
- /* setup df structure */
-- df=str_alloc(sizeof df);
-+ df=str_alloc(sizeof *df);
- df->fd=fd;
- return df;
- }
-diff -up stunnel-5.48/src/options.c.coverity stunnel-5.48/src/options.c
---- stunnel-5.48/src/options.c.coverity 2018-09-04 17:24:08.946928836 +0200
-+++ stunnel-5.48/src/options.c 2018-09-04 18:47:03.135083884 +0200
-@@ -515,8 +515,7 @@ NOEXPORT int options_include(char *direc
- "%s/%s",
- #endif
- directory, namelist[i]->d_name);
-- stat(name, &sb);
-- if(S_ISREG(sb.st_mode))
-+ if(stat(name, &sb) == 0 && S_ISREG(sb.st_mode))
- err=options_file(name, CONF_FILE, section);
- else
- s_log(LOG_DEBUG, "\"%s\" is not a file", name);
-@@ -3773,6 +3772,7 @@ NOEXPORT PSK_KEYS *psk_dup(PSK_KEYS *src
- else
- head=curr;
- tail=curr;
-+ src=src->next;
- }
- return head;
- }
-diff -up stunnel-5.48/src/str.c.coverity stunnel-5.48/src/str.c
---- stunnel-5.48/src/str.c.coverity 2018-07-02 23:30:10.000000000 +0200
-+++ stunnel-5.48/src/str.c 2018-09-04 17:24:08.949928906 +0200
-@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va
- for(;;) {
- va_copy(ap, start_ap);
- n=vsnprintf(p, size, format, ap);
-+ va_end(ap);
- if(n>-1 && n<(int)size)
- return p;
- if(n>-1) /* glibc 2.1 */
-diff -up stunnel-5.48/src/stunnel.c.coverity stunnel-5.48/src/stunnel.c
---- stunnel-5.48/src/stunnel.c.coverity 2018-07-02 23:30:10.000000000 +0200
-+++ stunnel-5.48/src/stunnel.c 2018-09-04 17:24:08.949928906 +0200
-@@ -364,7 +364,6 @@ NOEXPORT int accept_connection(SERVICE_O
- #endif
- if(create_client(fd, s, alloc_client_session(opt, s, s))) {
- s_log(LOG_ERR, "Connection rejected: create_client failed");
-- closesocket(s);
- #ifndef USE_FORK
- service_free(opt);
- #endif
diff --git a/SOURCES/stunnel-5.48.tar.gz.asc b/SOURCES/stunnel-5.48.tar.gz.asc
deleted file mode 100644
index 86a5b06..0000000
--- a/SOURCES/stunnel-5.48.tar.gz.asc
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAls6m2RfFIAAAAAALgAo
-aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
-QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
-4BTksRAAiWO5DWBpHrnDKy1jon+4lG/OPHe92nWxc6yH2HVeB064tXYeXYjRnnR4
-mItaO4wCJICd94+5EUO6DUfut4+7SIAWNPUnZd5OgFkgmGd0YEF6tEfM9z6BhMc3
-T8ZwKCP/hhU5oxqQyDO/esk2+Opps5ddsQLx84iUsylFwq8gK8BkVZrx2yLBX/fz
-wGpP1YnxLdx+rQQx/BkHd52nQAR3gqrGcZtMgchhTBsfZ4jgnr4Xr4XgXJPfe0Di
-xGCD7/sy+N8sNu4S6RER4qNV6PLBcZ6Bjp+VqMpODdoXlD0EQXundgbrg8Nuq8HR
-TTbL1pItHo0vy5QetFILJqlrdLw3sIG5Wy1+k87X485DKhJuvZqU0nKixYmaujB9
-as1YNccDb2FwF7Rzq4hF1J0IwYUsyfgbd58k1VdmtPp5TSUyd1lp+tpX0tEJePk6
-g1X3NecNVbw8p66gPiUadlTYkkUQdqDHnGxD9EKG7BwRE8lPR5CTJD1w8xEOzLMw
-tVKSBgcHeIA7Sn9mJtOFOJ7Y+aUccMIliprgk34P3+4bFFBxLQaRQycfLVIyRy4t
-3QRk+vsMxfuAVainN/yVU7hCtiL09ZHm3g8AnDZFKmtZzYcBbb24RWhONt0bz9j1
-fnYKvguL78ptBpsmPmXjwBY+qxmJx4LAWFxE7TUgqsaASJYWSH4=
-=KMsG
------END PGP SIGNATURE-----
diff --git a/SOURCES/stunnel-5.40-authpriv.patch b/SOURCES/stunnel-5.50-authpriv.patch
similarity index 59%
rename from SOURCES/stunnel-5.40-authpriv.patch
rename to SOURCES/stunnel-5.50-authpriv.patch
index 4100df5..13c1e9c 100644
--- a/SOURCES/stunnel-5.40-authpriv.patch
+++ b/SOURCES/stunnel-5.50-authpriv.patch
@@ -1,8 +1,7 @@
-diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in
-index a00cc78..85a0123 100644
---- a/doc/stunnel.8.in
-+++ b/doc/stunnel.8.in
-@@ -204,7 +204,7 @@ info (6), or debug (7). All logs for the specified level and
+diff -up stunnel-5.50/doc/stunnel.8.in.authpriv stunnel-5.50/doc/stunnel.8.in
+--- stunnel-5.50/doc/stunnel.8.in.authpriv 2018-12-02 23:47:20.000000000 +0100
++++ stunnel-5.50/doc/stunnel.8.in 2019-01-14 12:15:05.135100163 +0100
+@@ -200,7 +200,7 @@ info (6), or debug (7). All logs for th
 all levels numerically less than it will be shown. Use \fIdebug = debug\fR or
 \&\fIdebug = 7\fR for greatest debugging output. The default is notice (5).
 .Sp
@@ -11,10 +10,9 @@ index a00cc78..85a0123 100644
 (Facilities are not supported on Win32.)
 .Sp
 Case is ignored for both facilities and levels.
-diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in
-index b7a0663..6bb01cd 100644
---- a/doc/stunnel.html.in
-+++ b/doc/stunnel.html.in
+diff -up stunnel-5.50/doc/stunnel.html.in.authpriv stunnel-5.50/doc/stunnel.html.in
+--- stunnel-5.50/doc/stunnel.html.in.authpriv 2018-12-02 23:47:21.000000000 +0100
++++ stunnel-5.50/doc/stunnel.html.in 2019-01-14 12:15:05.136100146 +0100
@@ -244,7 +244,7 @@

Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use debug = debug or debug = 7 for greatest debugging output. The default is notice (5).

@@ -24,11 +22,10 @@ index b7a0663..6bb01cd 100644

Case is ignored for both facilities and levels.

-diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in
-index 42d3a33..3806b5a 100644
---- a/doc/stunnel.pod.in
-+++ b/doc/stunnel.pod.in
-@@ -192,7 +192,7 @@ info (6), or debug (7). All logs for the specified level and
+diff -up stunnel-5.50/doc/stunnel.pod.in.authpriv stunnel-5.50/doc/stunnel.pod.in
+--- stunnel-5.50/doc/stunnel.pod.in.authpriv 2018-12-02 23:47:18.000000000 +0100
++++ stunnel-5.50/doc/stunnel.pod.in 2019-01-14 12:15:05.136100146 +0100
+@@ -192,7 +192,7 @@ info (6), or debug (7). All logs for th
 all levels numerically less than it will be shown. Use I or
 I for greatest debugging output. The default is notice (5).
@@ -37,12 +34,11 @@ index 42d3a33..3806b5a 100644
 (Facilities are not supported on Win32.)
 Case is ignored for both facilities and levels.
-diff --git a/src/options.c b/src/options.c
-index 5881486..345d274 100644
---- a/src/options.c
-+++ b/src/options.c
-@@ -1554,8 +1554,12 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section,
- case CMD_BEGIN:
+diff -up stunnel-5.50/src/options.c.authpriv stunnel-5.50/src/options.c
+--- stunnel-5.50/src/options.c.authpriv 2019-01-14 12:15:05.136100146 +0100
++++ stunnel-5.50/src/options.c 2019-01-14 12:16:25.537727511 +0100
+@@ -1745,8 +1745,12 @@ NOEXPORT char *parse_service_option(CMD
+ case CMD_SET_DEF AULTS:
 section->log_level=LOG_NOTICE;
 #if !defined (USE_WIN32) && !defined (__vms)
 +#if defined(LOG_AUTHPRIV)
@@ -52,5 +48,5 @@ index 5881486..345d274 100644
 #endif
 +#endif
 break;
- case CMD_EXEC:
- if(strcasecmp(opt, "debug"))
+ case CMD_SET_COPY:
+ section->log_level=new_service_options.log_level;
diff --git a/SOURCES/stunnel-5.50-systemd-service.patch b/SOURCES/stunnel-5.50-systemd-service.patch
new file mode 100644
index 0000000..9fc170b
--- /dev/null
+++ b/SOURCES/stunnel-5.50-systemd-service.patch
@@ -0,0 +1,11 @@
+diff -up stunnel-5.50/tools/stunnel.service.in.systemd-service stunnel-5.50/tools/stunnel.service.in
+--- stunnel-5.50/tools/stunnel.service.in.systemd-service 2019-01-14 12:17:15.826868965 +0100
++++ stunnel-5.50/tools/stunnel.service.in 2019-01-14 12:18:21.186753131 +0100
+@@ -5,6 +5,7 @@ After=syslog.target network.target
+ [Service]
+ ExecStart=@bindir@/stunnel
+ Type=forking
++PrivateTmp=true
+
+ [Install]
+ WantedBy=multi-user.target
diff --git a/SOURCES/stunnel-5.56-coverity.patch b/SOURCES/stunnel-5.56-coverity.patch
new file mode 100644
index 0000000..526f7f0
--- /dev/null
+++ b/SOURCES/stunnel-5.56-coverity.patch
@@ -0,0 +1,22 @@
+diff -up stunnel-5.48/src/str.c.coverity stunnel-5.48/src/str.c
+--- stunnel-5.48/src/str.c.coverity 2018-07-02 23:30:10.000000000 +0200
++++ stunnel-5.48/src/str.c 2018-09-04 17:24:08.949928906 +0200
+@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va
+ for(;;) {
+ va_copy(ap, start_ap);
+ n=vsnprintf(p, size, format, ap);
++ va_end(ap);
+ if(n>-1 && n<(int)size)
+ return p;
+ if(n>-1) /* glibc 2.1 */
+diff -up stunnel-5.48/src/stunnel.c.coverity stunnel-5.48/src/stunnel.c
+--- stunnel-5.48/src/stunnel.c.coverity 2018-07-02 23:30:10.000000000 +0200
++++ stunnel-5.48/src/stunnel.c 2018-09-04 17:24:08.949928906 +0200
+@@ -364,7 +364,6 @@ NOEXPORT int accept_connection(SERVICE_O
+ #endif
+ if(create_client(fd, s, alloc_client_session(opt, s, s))) {
+ s_log(LOG_ERR, "Connection rejected: create_client failed");
+- closesocket(s);
+ #ifndef USE_FORK
+ service_free(opt);
+ #endif
diff --git a/SOURCES/stunnel-5.56-curves-doc-update.patch b/SOURCES/stunnel-5.56-curves-doc-update.patch
new file mode 100644
index 0000000..84a01a3
--- /dev/null
+++ b/SOURCES/stunnel-5.56-curves-doc-update.patch
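Review bot: The new stunnel-5.56-coverity.patch carries forward only the str.c `va_end(ap)` hunk in str_vprintf() and the stunnel.c `closesocket(s)` removal in accept_connection(), while the deleted stunnel-5.48-coverity.patch also fixed the unchecked `stat(name, &sb)` in options_include(), the non-advancing `src` in psk_dup() and `sizeof df` in file_open(); presumably those landed upstream in 5.56, but that should be confirmed against the 5.56 sources before the rebase is accepted, since an unchecked stat() result and a loop that never advances are exactly the kind of defects that silently reappear after a rebase. The inner headers still name `stunnel-5.48/src/str.c` and `stunnel-5.48/src/stunnel.c`; with `-p1` the first path component is stripped so the patch applies, but now that the file is named for 5.56 the stale paths mislead the next maintainer and should be refreshed. A one-line header at the top of the patch recording its purpose, e.g. `# Coverity findings not yet fixed upstream: missing va_end() after va_copy() in str_vprintf(); remove closesocket() after create_client() failure in accept_connection()`, would make that check easier on the next rebase. Both str_vprintf() and accept_connection() begin and end outside these hunks.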
@@ -0,0 +1,66 @@
+--- stunnel-5.56/doc/stunnel.8.in.curves-doc-update 2020-04-16 17:12:48.171590017 +0200
++++ stunnel-5.56/doc/stunnel.8.in 2020-04-16 17:16:07.001603122 +0200
+@@ -473,6 +473,8 @@ This file contains multiple CRLs, used w
+ .IX Item "curves = list"
+ \&\s-1ECDH\s0 curves separated with ':'
+ .Sp
++Note: This option is supported for server mode sockets only.
++.Sp
+ Only a single curve name is allowed for OpenSSL older than 1.1.0.
+ .Sp
+ To get a list of supported curves use:
+--- stunnel-5.56/doc/stunnel.html.in.curves-doc-update 2020-04-16 17:13:25.664962696 +0200
++++ stunnel-5.56/doc/stunnel.html.in 2020-04-16 17:16:55.897111302 +0200
+@@ -568,6 +568,8 @@
+
+

ECDH curves separated with ':'

+ ++

Note: This option is supported for server mode sockets only.

++ +

Only a single curve name is allowed for OpenSSL older than 1.1.0.

+ +

To get a list of supported curves use:

+--- stunnel-5.56/doc/stunnel.pod.in.curves-doc-update 2020-04-16 17:13:43.412139122 +0200
++++ stunnel-5.56/doc/stunnel.pod.in 2020-04-16 17:17:25.414418073 +0200
+@@ -499,6 +499,8 @@ I options.
+
+ ECDH curves separated with ':'
+
++Note: This option is supported for server mode sockets only.
++
+ Only a single curve name is allowed for OpenSSL older than 1.1.0.
+
+ To get a list of supported curves use:
+--- stunnel-5.56/doc/stunnel.pl.pod.in.curves-doc-update 2020-04-16 17:25:22.631934496 +0200
++++ stunnel-5.56/doc/stunnel.pl.pod.in 2020-04-16 17:47:46.872353210 +0200
+@@ -507,6 +507,8 @@ przez opcje I i Ikrzywe ECDH odddzielone ':'

+ ++

Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.

++ +

Wersje OpenSSL starsze niż 1.1.0 pozwalają na użycie tylko jednej krzywej.

+ +

Listę dostępnych krzywych można uzyskać poleceniem:

+--- stunnel-5.56/doc/stunnel.pl.8.in.curves-doc-update 2020-04-16 17:24:25.665369474 +0200
++++ stunnel-5.56/doc/stunnel.pl.8.in 2020-04-16 17:45:14.141792786 +0200
+@@ -483,6 +483,8 @@ przez opcje \fIverifyChain\fR i \fIverif
+ .IX Item "curves = lista"
+ krzywe \s-1ECDH\s0 odddzielone ':'
+ .Sp
++Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.
++.Sp
+ Wersje OpenSSL starsze niż 1.1.0 pozwalają na użycie tylko jednej krzywej.
+ .Sp
+ Listę dostępnych krzywych można uzyskać poleceniem:
diff --git a/SOURCES/stunnel-5.56-default-tls-version.patch b/SOURCES/stunnel-5.56-default-tls-version.patch
new file mode 100644
index 0000000..2515ee6
--- /dev/null
+++ b/SOURCES/stunnel-5.56-default-tls-version.patch
@@ -0,0 +1,92 @@
+--- stunnel-5.56/src/prototypes.h.default-tls-version 2020-04-06 11:22:24.480280384 +0200
++++ stunnel-5.56/src/prototypes.h 2020-04-06 11:21:05.407597053 +0200
+@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
+ ICON_IMAGE load_icon_file(const char *);
+ #endif
+
++#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
++ crypto policies */
++
+ #endif /* defined PROTOTYPES_H */
+
+ /* end of prototypes.h */
+--- stunnel-5.56/src/options.c.default-tls-version 2020-04-06 18:58:48.947214149 +0200
++++ stunnel-5.56/src/options.c 2020-04-08 15:45:18.093520780 +0200
+@@ -3123,8 +3123,9 @@ NOEXPORT char *parse_service_option(CMD
+ return "Invalid protocol version";
+ return NULL; /* OK */
+ case CMD_INITIALIZE:
+- if(section->max_proto_version && section->min_proto_version &&
+- section->max_proto_versionmin_proto_version)
++ if(section->max_proto_version != USE_DEFAULT_TLS_VERSION
++ && section->min_proto_version != USE_DEFAULT_TLS_VERSION
++ && section->max_proto_versionmin_proto_version)
+ return "Invalid protocol version range";
+ break;
+ case CMD_PRINT_DEFAULTS:
+@@ -3142,7 +3143,10 @@ NOEXPORT char *parse_service_option(CMD
+ /* sslVersionMax */
+ switch(cmd) {
+ case CMD_SET_DEFAULTS:
+- section->max_proto_version=0; /* highest supported */
++ section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
++ OpenSSL crypto
++ policies.Do not
++ override it */
+ break;
+ case CMD_SET_COPY:
+ section->max_proto_version=new_service_options.max_proto_version;
+@@ -3173,7 +3177,10 @@ NOEXPORT char *parse_service_option(CMD
+ /* sslVersionMin */
+ switch(cmd) {
+ case CMD_SET_DEFAULTS:
+- section->min_proto_version=TLS1_VERSION;
++ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
++ OpenSSL crypto
++ policies. Do not
++ override it */
+ break;
+ case CMD_SET_COPY:
+ section->min_proto_version=new_service_options.min_proto_version;
+--- stunnel-5.56/src/ctx.c.default-tls-version 2019-10-24 10:48:11.000000000 +0200
++++ stunnel-5.56/src/ctx.c 2020-04-06 11:16:48.406406794 +0200
+@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio
+ section->ctx=SSL_CTX_new(TLS_client_method());
+ else /* server mode */
+ section->ctx=SSL_CTX_new(TLS_server_method());
+- if(!SSL_CTX_set_min_proto_version(section->ctx,
+- section->min_proto_version)) {
+- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+- section->min_proto_version);
+- return 1; /* FAILED */
++
++ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
++ s_log(LOG_INFO, "Using the default TLS version as specified in \
++ OpenSSL crypto policies. Not setting explicitly.");
++ } else {
++ if(!SSL_CTX_set_min_proto_version(section->ctx,
++ section->min_proto_version)) {
++ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
++ section->min_proto_version);
++ return 1; /* FAILED */
++ }
+ }
+- if(!SSL_CTX_set_max_proto_version(section->ctx,
+- section->max_proto_version)) {
+- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+- section->max_proto_version);
+- return 1; /* FAILED */
++
++ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
++ s_log(LOG_INFO, "Using the default TLS version as specified in \
++ OpenSSL crypto policies. Not setting explicitly");
++ } else {
++ if(!SSL_CTX_set_max_proto_version(section->ctx,
++ section->max_proto_version)) {
++ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
++ section->max_proto_version);
++ return 1; /* FAILED */
++ }
+ }
+ #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
+ if(section->option.client)
diff --git a/SOURCES/stunnel-5.56-system-ciphers.patch b/SOURCES/stunnel-5.56-system-ciphers.patch
new file mode 100644
index 0000000..de8679c
--- /dev/null
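Review bot: In the ctx.c hunk both LOG_INFO messages are built with a backslash-newline inside the string literal (`"Using the default TLS version as specified in \` followed by the indented `OpenSSL crypto policies ...` line), so whatever indentation precedes `OpenSSL` on the continuation line is emitted as part of the log text; adjacent literals avoid that, `s_log(LOG_INFO, "Using the default TLS version as specified in "` / `"OpenSSL crypto policies. Not setting explicitly.");`, and the max-version message should then carry the same trailing period as the min-version one. In the options.c CMD_INITIALIZE hunk the removed condition skipped the range comparison whenever either bound was 0 (the removed sslVersionMax default comment calls 0 "highest supported"), whereas the new condition exempts only USE_DEFAULT_TLS_VERSION, so if any configured value still maps to 0 it now takes part in the max-below-min comparison and can be rejected as an invalid range; that should be checked against the sslVersionMax/sslVersionMin value parsing, which lies outside this hunk. The sslVersionMax default comment also reads `policies.Do not` where the sslVersionMin one reads `policies. Do not`. parse_service_option() and context_init() both begin and end outside these hunks.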
+++ b/SOURCES/stunnel-5.56-system-ciphers.patch
@@ -0,0 +1,12 @@
+diff -up stunnel-5.55/src/options.c.system-ciphers stunnel-5.55/src/options.c
+--- stunnel-5.55/src/options.c.system-ciphers 2019-09-19 14:43:00.631059024 +0200
++++ stunnel-5.55/src/options.c 2019-09-19 14:51:02.120053849 +0200
+@@ -277,7 +277,7 @@ static char *option_not_found=
+ "Specified option name is not valid here";
+
+ static char *stunnel_cipher_list=
+- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
++ "PROFILE=SYSTEM";
+
+ #ifndef OPENSSL_NO_TLS1_3
+ static char *stunnel_ciphersuites=
diff --git a/SOURCES/stunnel-5.56.tar.gz.asc b/SOURCES/stunnel-5.56.tar.gz.asc
new file mode 100644
index 0000000..6142f0f
--- /dev/null
+++ b/SOURCES/stunnel-5.56.tar.gz.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAl3YIPhfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
+QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
+4BTuMw//R+LJhCo2prR6RIxEsYbfzIwkl9NwcE5EPTKse2umTOHsMRfVMpZiKjCl
+5UC1tLbqUzSjAydQiFwdvcHZAJLWblr84p+CC5hEaS/rwX4PL221gqqrC8Ut7ap3
+n/v5gCJ8iqnpgZSgHPSGqucG3x1KlZotPnny1RVIjCSHPvoUtocAwJNSChRkyUT0
+ym8qhUPyOmRhYQZew1haxFJa26yc017dN5QZy+H3uo0zPLXaWJpPjJG/1pBtden4
+mL+mg8phZZ9MtBtEOK2NTA+4K24vcM+aHoEyMI/dcmi4NN256N5CJZ13tF3LgHNV
+j0vp1a75p5aAMeRTv7zShegZGvJJciyYJKwRnOAUnHVFDhnsgd05VQHeWC1aFKjM
+cXwrvHgGn+TG0V29ahnzR7NdVhkuP3etcqx6FuIgcj2omp0Bj4zFRlKSl4x+hY56
+MTvwksIXZTItHvffiE49ExGPA8OQW3S9Sr+lPFk98xjVuTU/P8GIVNp2kof4ezYN
+Yhav4mA/KAkMX0fb+Cw6eyZl0aZEPx76hhkKhh2OmR8w3k5X2hetGcXX1/UFEHCm
+uNCvWwV5Ry6Kc8Zpr8p6fUOh0Se4cNi59c1FKEwMX1hTgLklbIZioiFM/fR0RLOJ
+PU/Cq+NbaZ3O8Cup7PsVjCDgXTcKcQAdQTOxgfW6f+szmTo5Qx4=
+=RhpX
+-----END PGP SIGNATURE-----
diff --git a/SPECS/stunnel.spec b/SPECS/stunnel.spec
index a8660d6..619dc00 100644
--- a/SPECS/stunnel.spec
+++ b/SPECS/stunnel.spec
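Review bot: `PROFILE=SYSTEM` replaces only the pre-TLS 1.3 cipher list; the `stunnel_ciphersuites` default that immediately follows under `#ifndef OPENSSL_NO_TLS1_3` is left as stunnel's hard-coded TLS 1.3 list, so if stunnel passes it to SSL_CTX_set_ciphersuites() the system-wide crypto policy is not consulted for TLS 1.3 even though deferring to that policy is the point of the patch. Either make the TLS 1.3 default consistent with the system policy or document the asymmetry on the changed line, e.g. `"PROFILE=SYSTEM"; /* defer TLS <= 1.2 cipher selection to the system crypto policy; the TLS 1.3 ciphersuites below are still stunnel's own default */`. The patch file carries no header explaining why the upstream list is replaced, and its inner paths name stunnel-5.55 rather than 5.56; a one-line note pointing at the system crypto-policies would help the next rebase.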
@@ -9,8 +9,8 @@ Summary: A TLS-encrypting socket wrapper
 Name: stunnel
-Version: 5.48
-Release: 5%{?dist}
+Version: 5.56
+Release: 4%{?dist}
 License: GPLv2
 Group: Applications/Internet
 URL: http://www.stunnel.org/
@@ -22,10 +22,12 @@ Source4: stunnel-sfinger.conf
 Source5: pop3-redirect.xinetd
 Source6: stunnel-pop3s-client.conf
 Source7: stunnel@.service
-Patch0: stunnel-5.40-authpriv.patch
-Patch1: stunnel-5.40-systemd-service.patch
-Patch3: stunnel-5.46-system-ciphers.patch
-Patch4: stunnel-5.48-coverity.patch
+Patch0: stunnel-5.50-authpriv.patch
+Patch1: stunnel-5.50-systemd-service.patch
+Patch3: stunnel-5.56-system-ciphers.patch
+Patch4: stunnel-5.56-coverity.patch
+Patch5: stunnel-5.56-default-tls-version.patch
+Patch6: stunnel-5.56-curves-doc-update.patch
 # util-linux is needed for rename
 BuildRequires: gcc
 BuildRequires: openssl-devel, pkgconfig, util-linux
@@ -52,6 +54,8 @@ conjunction with imapd to create a TLS secure IMAP server.
 %patch1 -p1 -b .systemd-service
 %patch3 -p1 -b .system-ciphers
 %patch4 -p1 -b .coverity
+%patch5 -p1 -b .default-tls-version
+%patch6 -p1 -b .curves-doc-update
 # Fix the configure script output for FIPS mode and stack protector flag
 sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure
@@ -106,7 +110,7 @@ make test
 %files
 %{!?_licensedir:%global license %%doc}
-%doc AUTHORS BUGS ChangeLog CREDITS PORTS README TODO
+%doc AUTHORS.md BUGS.md CREDITS.md PORTS.md README.md TODO.md
 %doc tools/stunnel.conf-sample
 %doc srpm-docs/*
 %license COPY*
@@ -137,6 +141,18 @@ make test
 %systemd_postun_with_restart %{name}.service
 %changelog
+* Thu Apr 16 2020 Sahana Prasad - 5.56-4
+- Updates documentation to specify that the option "curves" can be used in server mode only.
+
+* Wed Apr 08 2020 Sahana Prasad - 5.56-3
+- Fixes default tls version patch to handle default values from OpenSSL crypto policies
+
+* Mon Apr 06 2020 Sahana Prasad - 5.56-2
+- Adds default tls version patch to comply with OpenSSL crypto policies
+
+* Fri Apr 03 2020 Sahana Prasad - 5.56-1
+- New upstream release 5.56
+
 * Tue Sep 4 2018 Tomáš Mráz - 5.48-5
 - Fix -fstack-protector-strong build flag application
 - Fix bugs from Coverity scan