diff --git a/.gitignore b/.gitignore
index 84378ef..a0c6578 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/stunnel-5.62.tar.gz
+SOURCES/stunnel-5.71.tar.gz
diff --git a/.stunnel.metadata b/.stunnel.metadata
index beea5ac..f05f04b 100644
--- a/.stunnel.metadata
+++ b/.stunnel.metadata
@@ -1 +1 @@
-e18be56bfee006f5e58de044fda7bdcfaa425b3f SOURCES/stunnel-5.62.tar.gz
+dab534acc28f389f98bf8724d9f42ad9ca472691 SOURCES/stunnel-5.71.tar.gz
diff --git a/SOURCES/pgp.asc b/SOURCES/pgp.asc
new file mode 100644
index 0000000..69e2e4e
--- /dev/null
+++ b/SOURCES/pgp.asc
@@ -0,0 +1,125 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFTU6YwBEAC6PP7E4J6cRZQsJlFE+o3zdQYo7Mg2sVxDR6K9Cha52wn7P0t0 +hHUd0CSmWyfjmYUy3/7jYjgKe4oiGzeSCVK8b3TiX3ylHi/nW3mixwpDPwFmr5Cf +ce55Ro3TdIeslRGigK8Hl+/l4n9c9z/AiTvcdAEQ34BJhERce4/KFx+/omiaxe7S +fzzU/+52zy+v4FfnclgRQrzrD8sxNag6CQOaQ8lTMczNkBkDlhQTOPYkfNf76PUY +kbWpcH7n9N50nddjEaLf7DPjOETc4OH/g5a99FSEJL7jyEgn+C8RX7RpbbAxCNlX +1231NZoresLmxSulB6fRWLmhJ8pES3sRxE1IfwUfPpUZuTPzwXEFJY6StY5OCVy8 +rNFpkYlEePuVn74XkGbvv7dkkisq4Hp59zfIUaNVRod0Xk2rM8Rx8d5IK801Ywsn +RyzCE02zt3N2O4IdXI1qQ1gMJNyaE/k2Qk8buh8BsKJzZca34WGocHOxz2O5s7FN +Q1pLNpLmuHZIdyvYqcsenLz5EV8X2LztRmJ3Se4ag/XyXPYwS6lXX1YUGVxZpk0E +sQDRdJvYCsGcUy253w+W7Nm/BtjKi6/PJmjEEU7ieHppR9Yp+LI3lyzNBeZAIVqk +4Hco05l4GUKtEDFfOQ58sULDqJWmpH4T72DHeCpfRB0guaPa5TYY7B0umQARAQAB +tC5NaWNoYcWCIFRyb2puYXJhIDxNaWNoYWwuVHJvam5hcmFAc3R1bm5lbC5vcmc+ +iQJSBBMBCAA8AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgBYhBKyRXqMGRdnT +1Nrk/rEEiTLdOqqjBQJiemhbAhkBAAoJELEEiTLdOqqjH/YP/i5fQuvTvwSHZAwK +JgSUijxD4z2jCtYvXIa7BPNiu8mnyupPAdoZE7BNehuvAc7kYj4dNmC/cY+CRcan +OW05ByU/N+RObQYs6dkSLuyzOfqdnA2SZgcPreOZyLe/Yz9nSh5BVigSyiNY+clT +JMfISdvfAxlxkVxyfJ293ePECZ7VKfzp18ntDBIY5yos4K0FXKpFVhhWHT9SlsQe +tAKTOm6WdJx852y53TvZYzPEVznZhLSj//yYWG7TVQ47oSrsUW5pGaQybtYNIwGa +sHGj0SFscYb8IBF4gOaTFPiwKJykmwfF0F7A6wO+oSs7By1o4fEoVr1y3UWO/ATx +RF3GyX/6NHTu2OwTmtWozTKkd4agGPmQgn+ApueaBq7Tn9EA+5e83hRY8/c0xOvu +XRHrB+PTp4HT3yPcVbGP6vRkpPsRIxtzzw+G1AdwIcMULg/J5qKilRyKLbN12cmc +Jjtk6Ii7cskgj/3iYVRy/Xtw9Q2+9aMPPs1H4QklimDuR/KWCqyd61e1ct+Y4XGq +HM93/GQuku1sGA6YsfUpDWv3rjwoGejyif3lyHjERaGh1BCYD6Olhe2QtCEuOvuA +G2qPT0gZ1q33JVN3wNJfD6JreG7HubG0le+iwLoQTXa3qjhF8DeAgOC+yLKYv3iD +ms49fpkKFScmRCmWU0C/2zqe0/GetCtNaWNoYcWCIFRyb2puYXJhIDxNaWNoYWwu +VHJvam5hcmFAbWlydC5uZXQ+iQJPBBMBCAA5AhsDBgsJCAcDAgYVCAIJCgsEFgID +AQIeAQIXgBYhBKyRXqMGRdnT1Nrk/rEEiTLdOqqjBQJiemhbAAoJELEEiTLdOqqj +k5UP/1G8u1Hpr0Ie4YXn1ru1hQaauEqTXGfgcsSuuqvS4GCgY93+Q0jv0YV1Owxs +pJWmN3aYKtsj86EAEkOcz23HkhwwvTKkhrZWCATQzhpGZfFWECPm+CycNksc+pkq 
+eykg5RN00DecGpG5x0p2twrRI4j+K4OKSGJvx8vjxBMGoGAoHtBl73nhwuY9CsqL +CnCn3lohv03GPvvlO6dhOordBI4U50ky5ZZsQ/qMD7vAGFktbJMyhYJ96ASdVqfG +L0DTQ6E1QwS4PQlyEt6PBCtt6T3kU7i9mYy+TQtI+wH3r2hx+UEQaC+9hzY4FZwH +xOdH7zumOthMu/uBGK2uMkj7mVpHEGU/69EvROYzf0HtN2vs2yCMirtrlbfQ0bez +YyXiTd8+ka0vTWM2rE6rav5RIRDmD7U3u4fPwnpSRTDxCHJglIisymLd01W0Qh8l +qCyHOOsRHu2k3RfdILd+F26Ii31073kAaga5iDlKrPyVV38upLIPy/G9QJ8rdYBR +EvF0VaYQW+rwsInE8mYfWgcwKT3ZeWop0dD7NFurbHZxfTkL1QCEo+EurrFxBLCm +qfPEbQwoMwS5hCAcGRjXDpt0ZZe55VdLXaW9E/GINHPVoM+dMqmmYxEOCvuOez4c +MMmt6a5kFPPtWo2o7dcBpDG7ZX3UkUGVAmQuSENIY3yXqYcXtC9NaWNoYcWCIFRy +b2puYXJhIDxNaWNoYWwuVHJvam5hcmFAbW9iaS1jb20ubmV0PokCTwQTAQgAOQIb +AwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQSskV6jBkXZ09Ta5P6xBIky3Tqq +owUCYnpoUQAKCRCxBIky3Tqqo7cBD/sFjmAnOyuEvlVKXEihLmABFBeWjKiGaR4U +0+V8ZPvBEzHVQ5e2ywqa68xgFK66JlapnZlAeOoUZYc/uj0xzNwzS4sdnc/ejWn+ +B0gM9ZLYs1BeYib2k4Bf0c8ccjjCX5r8+Uio8aCB4hSyckmyD+svfmnrzyMEEAZN +d+0uiwmmHNEDHqIg76xo7DO+DvV2+sEkLEtdKCfTws94qEWQHGHYwpcbDngSamVZ +zML48L4liQX0l7Dz8j09Tf1EYg2DRSvn4s2bzyrFIsnz6yrlf8K0hCYkaTLKnCSx +Bj7ESXj/bOQY4fBAHNy2gRXq3ELgdliCQHeT+9TD5JI58rWQBY48QGF7CAxMcC3H +3nI/Zq/DSaakOVwianqY2VJDFAYXogmEOR/kWE3lPerp6qum+n4WcDiteQXJMHmV +t/JYAZ3zbOhmu9F2NI7Ce4uZe8rQ0PG5Jgb5wE76i9zrCwFACPKhJVim4kWIOPf8 +eT1LCC4adpyeUMrH342CVb2xpS+gQ89V7sTt9uFPp9wTl5QvsD3uTWKzGkRV9s7b +rnFuJYGDRM/EN0nFZF8D0RbrwYNK5KXSZ0VOTrud9ZcEsJQeISqLX4QBMrSl/Nst +r9MTUuBf6N3b5zDRmHJQ6+myyE/8cgHwEsmOIJCSEcQjkYsUruQhuW2Et1EZtrcb +/KHFRhRjP7RATWljaGHFgiBUcm9qbmFyYSAoYXV4aWxpYXJ5IGFkZHJlc3MpIDxN +aWNoYWwuVHJvam5hcmFAZ21haWwuY29tPokCTgQTAQgAOAIbAwULCQgHAgYVCgkI +CwIEFgIDAQIeAQIXgBYhBKyRXqMGRdnT1Nrk/rEEiTLdOqqjBQJiemhDAAoJELEE +iTLdOqqjWfkQALjs436L79R26iQc8aWu3IWAZ8FOv8VqbTcGH3fQ16DcJ+OaBQkl +qHTWsbs9Bhq49lU6WiZLIJWTp8bl6fdC5XbJYFYW7fMBSyUFpSqQFACY6EF3vdDS +bcVcT6aModzq1mG9CFuU5wt0GrZOy4v0pXvJK0Y+CzY3Rm/Nev0Ou3HUFWgsOpHZ +jnCCkNyQ1C1jJ9mDid55dID8byLvkmS8Z3pVhFQ3Ko9gZv47GeeNjG26rbNmsVwZ +Ki7c9iJM/RbCgr+LVElFVtFyJP2WUxHjl2RbrJIJB9YUNY1N7z0tDnqN1FCPbFkj 
+zkMuuj0yPp9CqGZge+A5tT5NfytGYPMSOD9up4SXVr+ejOtUL5riW3LsnewjTJuM +f2qP1h52FAduB9SfGTf0XlLlKJkjkw3Q9WmrOndJcEsKRGarfcWFPMOml3xmcoAM +9jU0H9P1ZAHlKON0eL1vKBgS5XL0s4pVvwsYZ+dfDcNU+bUCrTRLc0uccsIzDrio +bbaz7VtUzEsWqPozW6CTozDWDSfKRuWuB2vAYfqKJN8ZAkvOu00ZKwT/DiCpLQ6e +GQ8tcAvum9Sd9jydwqs89UNhKNkovwMwALjLITaZ72ILgYo3Mo57fT6MpVspxJ23 ++6RP8+MAM+HhJYfODuGvNHR3n5aO0WnwM8YoH14hjHUKtr7z83iivhSOuQINBFTU +68MBEADyAgLrjV0rpqn1bUrcSSpGfTPrOLN1Uav+O9/zEVd5Sr5q7GLFnS0Rjo0z +kIFLJrkEIr0gZVaYk1trPJZRriWUDoS+ZTFxN4YTumlADgqXVvO9Srm6mj7z7RW6 +q8sL9tXPQNScVJYlgcBms9n7I7TIyry9oZOjmTAqLFDg2L437USIAspl7HWDpRb1 +3QcBxgRr+VNaHPcnRXXLJjhWi/fSC2ijrsqRIL9KzBnMhHTQJAavPe3CUa4HvdKb +Vh+oOptjx1Asl7JTSi8h5T3lUjlxAXoPUfxh1oxZCboy1UB8hflYygf56rgCeT2G +KVF4YA2QhY1KozbUOt27dytsYhiJk8Rp0p8bHCq7C9ENMSAPiCOoy8R3EDZbqzhZ +HfpLAyR460RKPbUyJHZgNxsjMhtSH2nQ/wNka9BxWHjmMKB05wvm2H1HTvqelcef +wUh7Yh8BmdfU6emwqf9ionTA0WEZhbFX/JkDXQ1sUoVeEPUUaqs7PqVKqaoPPTS1 +eh8XjfZp77s/NM/2fhyKPiTRJgbWX8tOGc5gvdI1QIbesIBJ5aheaHEJhEaLRfDc +gmtylU2Y1AP5IstONUH3gCUONKXHWrRX73KaEYeLnXCwFJqMzAN7FpIj9YzXL2VE +7CXt54APjV88CvNOV4CpPz1qRYt69MEta+Pn2aS729kBbbr/VQARAQABiQIfBBgB +AgAJBQJU1OvDAhsMAAoJELEEiTLdOqqjY0IQAIcnt7SXw2FLiyV/N6PUABc7AvXA +N7Gfq2GmB7EDKpkshqJuqEjJuFKjUs4vU1j/nnK2xxs5Avs2WJEBdU3oX2Vx6v6r +PEvkmDHNRTp2vJqk1lizTq7fB+vxm1Ju8gA43/Dz22b20fGg1QhhllRlE4UFbp+f +xGSFuhCzSEkXFZ9aCE7GFLRNcnz8xnhhx8PL4TDosgDKbcDVdj777ZUwQeopzKFT +3lbmyoCx87kyRFZrQT0lNLZ1ZO141NY+ifLAkZf+ZJVUxmA5kXqjfZVv0tOcHrvp +hBo+IyW7aqD69GREz/PIaO8/HuGKV/rwJbFlwgeyV+nmAlXpG+2Ur6a4S8iRKY1j +KLyFCnVjkLq5Zv0la3/0hIn5fP6f7mcAcRTNb8t4QPKGNWVL286gADLXyvjuZDJv +MnarbM4ej3OXd8o4nZLhIUEoYe4iE87EbYKu6HE31Tn5HBMOooQJ64JlE4xhAvOW +Yg/a8z824VWFCbyI2FtO8R6eHiZYPgi44cmSq/MorMBeWWiy5QrgHSRuWHgZo5WY +SNpcbDzvz2s6VDMPnnrpKAo8M1S2ibn94hzLr9RgGgV3uUuW0hVJIIDVVQxTgxYm +CPBr2CTozGg17x1wnX3uhAx+Fk2MnzRLkL5rZqXjCtHa8v/eFeHLYzaQbvdEtLPE +SJWgmwb6FvM218hruQINBFTU7lkBEADWkatDVXdgxcXcPPC8D+5Zv3XanCpS8wAA +q9gIOIQsg4/Ttzfb7PTg39s5eOJnYlvwC4gKPi/3a1cDKC1/XzPHChTwA5eK5Jw/ 
+fDLVmmsHDyTvV03LReYRduJfu2Quh7Q7NaUJo1NqNJdMQtP6dgdM6QGysLhP7LsD +Bi55AlhRpGQlH/lNzrxSdFI7b3mmAl3sShZYCTLdt0f5Mo3QyxqAInBr5GtcUa0g +qNTRcAqx11PFArHZJQYXRBV01n/XgO6jvdu2he0eAHSjF7CeyImnlcpZibntFI0u +/UsqvbqJJS1QzUIAhkAu4YwDJBdUSjs6bO5mY3TJFgzsVKekbisgOcPFiENNpr7F +ZvvfxXy4tANkBWcC4ESGrVFAQOtEz9ctuJu9UHOl34kj1ad40SnR6GrmwQLoVspj +PQepWTZIfUOlvS2Cu3HPdzus+zu9F2YUzFO5hy1LO6o0ekpf4LquDIBbazEQoPTK +zw5gRreG+tAVIDOcz+Pdfx2B7UOuIchB38O3j4sx09yxCTe+3LuljFkgNFr2GXue +Bp6xBJn/s9X9yPtTuqJ5OvW6U7UZzkZzJLYe7g/3XT0dfW0ERC8Yelup70tzZ3RU +qAdWMb28MusTWH+pcpuafQsXVhHh2Noz6xgJ9g475bNkpQAI90yrcuJ3/ehDvWnp +42C7qVByAQARAQABiQQ+BBgBAgAJBQJU1O5ZAhsCAikJELEEiTLdOqqjwV0gBBkB +AgAGBQJU1O5ZAAoJEC78f/DUFuAU3HoQAJHsIoHcy/aU1pFGtpVHCM2u6bI4Oqyd +f+h7eVp3TiIIFv0nEbI3JMYXSzq16hqhxfEh5nnRsXsa5hyd6kwameIwKQTbKaUz +qu4U01NRgLTYWyujApBugLtLkM3aXuVvieWDINfuc6U4yaFNzcP9Cx24zJL0fmSM +UUq3Mtg7BERX9Ecj/BBTJPLN7yqz8HGlPf8exIm4ZnJstJ39+Z4zjfGCFx18OApN +oaQWSGFbtRaC06FC1jGvRUPgcTDgL6czKSyooAgUwGMkCq2y5Z5KBq9WttTwqvOV +wkUdKui9ns+LSYoxgcaiY+y1lxnHCvXm3cGEO+iAxJGxxTWYtSKAsQaJbE9XG1CW +YdNl8yezgLLThLuMrgaLHQ83heL/2s5wsUJvnN11wtWuqK5P523879M8pQodO8sv +WAXgOXKlu7xNBa07vENI/LvBJ09ZQ3kYGOzFtl9WVam+9UyYZS7KAiXQuSsksobG +TfoCc2kQ+qxD171GyC7l0/2UY/PeKDETen5SWFajl6ompnAB8QVv7Q9DMpJDrMgV +AB/nR5Ij+lZ/5en1c5Pjt3jLxpbMcDtP+Nr21vJ356DvVk6o4W1U/zMVa+Y+eiiz +GsFHuor9EFjn89cqF8bXTIRhdKNNqnh2azLjfSXwxy6qjnmKLGBPm/Fl9N7IWNOM +eaO4cPWtNN+leTgP/0Yj1wh+tZzOGttY3wGg/roiYxelWFnMO3pLm710dI0l2qK8 +PMKSS1v+mxcgu++7eouZvWcluw3M30Ymbouh27MInhKpqh2OEyQ2L9Nz3l3HSfZw +I/ZGH+O/OjvOupA7T1zxq3+kUSIXwuBSVzlBoH8Y2FcGomiDbI7NQ8YqrQ4zL/C2 +1bjZMJ7tX4nx+efXrF8aGdXCaJZFBqp0KIUNjYiI4eGdHB8lUA2t11+5T8Any9jx +dfOvEjthkvjdXnfRaJyHVUHTRcsVTxqPTwWyN0W9HvsADEVT4J3qwfrKrqOxFeml +DQE47XlpH7CikS+0rAN1G7dNrB4LVcwstDhe431CXRswfR3rbq4wbbNR9kY7WM1M +5LixSESomwiZuwv+GA0Mpi9+jTBIc9aZCj2ePDtobwx7Lvsjd8vUQuP9N9rzqeM+ +kn+2YUwtX2e1YAJxb9ze2iN1w/bvytPD/jOT5KvZm/7ds/XKMl3TPgHeBhjPYFRh +NTt3KIDjUqCThl9XWfY1QDFAljO8QgBlwwRYDes5Nv4CNwFVdfz0aTQETKRWYD0b 
+zTy1uYj7gNR3Zz/53XF659vjdMY6LAqrBj46z2J7LcVuyehi7Mo+x3ksHIkUS51s +wHXnaH3m783KxozQCML7I+2WlItQhoNRbvlUCVAo9aPUCDm5WlzZJwwSN69B +=EgcU +-----END PGP PUBLIC KEY BLOCK----- diff --git a/SOURCES/stunnel-5.50-authpriv.patch b/SOURCES/stunnel-5.50-authpriv.patch index 13c1e9c..dbb3b43 100644 --- a/SOURCES/stunnel-5.50-authpriv.patch +++ b/SOURCES/stunnel-5.50-authpriv.patch 
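Review bot: SOURCES/pgp.asc adds a new trust anchor for the upstream tarball, but nothing visible in this commit records where the key was obtained or which primary-key fingerprint is expected. Without that, a later replacement of this file cannot be checked against upstream by a reviewer. I would add a comment next to the key's Source entry in the spec, for example `# Upstream signing key, fetched from <URL>; primary fingerprint <FINGERPRINT>` with the real values filled in. The 5.62 detached signature is deleted further down and no 5.71 signature is visible in this part of the page, so please also confirm that the matching `.asc` is shipped and that the build actually verifies the tarball against this key (the spec is not shown here).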
@@ -1,43 +1,62 @@ -diff -up stunnel-5.50/doc/stunnel.8.in.authpriv stunnel-5.50/doc/stunnel.8.in ---- stunnel-5.50/doc/stunnel.8.in.authpriv 2018-12-02 23:47:20.000000000 +0100 -+++ stunnel-5.50/doc/stunnel.8.in 2019-01-14 12:15:05.135100163 +0100 -@@ -200,7 +200,7 @@ info (6), or debug (7). All logs for th - all levels numerically less than it will be shown. Use \fIdebug = debug\fR or - \&\fIdebug = 7\fR for greatest debugging output. The default is notice (5). +From cfbf803dd3338a915f41bdfded69b34e7f21403d Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Mon, 12 Sep 2022 11:07:38 +0200 +Subject: [PATCH 1/7] Apply patch stunnel-5.50-authpriv.patch + +Patch-name: stunnel-5.50-authpriv.patch +Patch-id: 0 +From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3 +--- + doc/stunnel.8.in | 2 +- + doc/stunnel.html.in | 2 +- + doc/stunnel.pod.in | 2 +- + src/options.c | 4 ++++ + 4 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in +index 8cd8bc0..b5d7d75 100644 +--- a/doc/stunnel.8.in ++++ b/doc/stunnel.8.in +@@ -209,7 +209,7 @@ requested to do so by an stunnel developer, or when you intend to get confused. .Sp --The syslog facility 'daemon' will be used unless a facility name is supplied. -+The syslog facility 'authpriv' will be used unless a facility name is supplied. + The default logging level is notice (5). + .Sp +-The syslog 'daemon' facility will be used unless a facility name is supplied. ++The syslog 'authpriv' facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.) .Sp Case is ignored for both facilities and levels. 
-diff -up stunnel-5.50/doc/stunnel.html.in.authpriv stunnel-5.50/doc/stunnel.html.in ---- stunnel-5.50/doc/stunnel.html.in.authpriv 2018-12-02 23:47:21.000000000 +0100 -+++ stunnel-5.50/doc/stunnel.html.in 2019-01-14 12:15:05.136100146 +0100 -@@ -244,7 +244,7 @@ +diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in +index a7931aa..cda5993 100644 +--- a/doc/stunnel.html.in ++++ b/doc/stunnel.html.in +@@ -248,7 +248,7 @@ -

Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use debug = debug or debug = 7 for greatest debugging output. The default is notice (5).

+

The default logging level is notice (5).

--

The syslog facility 'daemon' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)

-+

The syslog facility 'authpriv' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)

+-

The syslog 'daemon' facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.)

++

The syslog 'authpriv' facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.)

Case is ignored for both facilities and levels.

-diff -up stunnel-5.50/doc/stunnel.pod.in.authpriv stunnel-5.50/doc/stunnel.pod.in ---- stunnel-5.50/doc/stunnel.pod.in.authpriv 2018-12-02 23:47:18.000000000 +0100 -+++ stunnel-5.50/doc/stunnel.pod.in 2019-01-14 12:15:05.136100146 +0100 -@@ -192,7 +192,7 @@ info (6), or debug (7). All logs for th - all levels numerically less than it will be shown. Use I or - I for greatest debugging output. The default is notice (5). +diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in +index a54b25d..f830cf3 100644 +--- a/doc/stunnel.pod.in ++++ b/doc/stunnel.pod.in +@@ -197,7 +197,7 @@ requested to do so by an stunnel developer, or when you intend to get confused. --The syslog facility 'daemon' will be used unless a facility name is supplied. -+The syslog facility 'authpriv' will be used unless a facility name is supplied. + The default logging level is notice (5). + +-The syslog 'daemon' facility will be used unless a facility name is supplied. ++The syslog 'authpriv' facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.) Case is ignored for both facilities and levels. -diff -up stunnel-5.50/src/options.c.authpriv stunnel-5.50/src/options.c ---- stunnel-5.50/src/options.c.authpriv 2019-01-14 12:15:05.136100146 +0100 -+++ stunnel-5.50/src/options.c 2019-01-14 12:16:25.537727511 +0100 -@@ -1745,8 +1745,12 @@ NOEXPORT char *parse_service_option(CMD +diff --git a/src/options.c b/src/options.c +index 5f8ad8b..6e4a18b 100644 +--- a/src/options.c ++++ b/src/options.c +@@ -1960,7 +1960,11 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr case CMD_SET_DEFAULTS: section->log_level=LOG_NOTICE; #if !defined (USE_WIN32) && !defined (__vms) 
@@ -45,8 +64,10 @@ diff -up stunnel-5.50/src/options.c.authpriv stunnel-5.50/src/options.c + new_global_options.log_facility=LOG_AUTHPRIV; +#else new_global_options.log_facility=LOG_DAEMON; - #endif +#endif + #endif break; case CMD_SET_COPY: - section->log_level=new_service_options.log_level; +-- +2.39.2 + diff --git a/SOURCES/stunnel-5.56-coverity.patch b/SOURCES/stunnel-5.56-coverity.patch deleted file mode 100644 index 526f7f0..0000000 --- a/SOURCES/stunnel-5.56-coverity.patch +++ /dev/null @@ -1,22 +0,0 @@ -diff -up stunnel-5.48/src/str.c.coverity stunnel-5.48/src/str.c ---- stunnel-5.48/src/str.c.coverity 2018-07-02 23:30:10.000000000 +0200 -+++ stunnel-5.48/src/str.c 2018-09-04 17:24:08.949928906 +0200 -@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va - for(;;) { - va_copy(ap, start_ap); - n=vsnprintf(p, size, format, ap); -+ va_end(ap); - if(n>-1 && n<(int)size) - return p; - if(n>-1) /* glibc 2.1 */ -diff -up stunnel-5.48/src/stunnel.c.coverity stunnel-5.48/src/stunnel.c ---- stunnel-5.48/src/stunnel.c.coverity 2018-07-02 23:30:10.000000000 +0200 -+++ stunnel-5.48/src/stunnel.c 2018-09-04 17:24:08.949928906 +0200 -@@ -364,7 +364,6 @@ NOEXPORT int accept_connection(SERVICE_O - #endif - if(create_client(fd, s, alloc_client_session(opt, s, s))) { - s_log(LOG_ERR, "Connection rejected: create_client failed"); -- closesocket(s); - #ifndef USE_FORK - service_free(opt); - #endif diff --git a/SOURCES/stunnel-5.56-curves-doc-update.patch b/SOURCES/stunnel-5.56-curves-doc-update.patch index 2ebf10f..c61263e 100644 --- a/SOURCES/stunnel-5.56-curves-doc-update.patch +++ b/SOURCES/stunnel-5.56-curves-doc-update.patch 
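Review bot: The refreshed documentation hunks (doc/stunnel.8.in, doc/stunnel.html.in, doc/stunnel.pod.in) state without qualification that the 'authpriv' facility is the default, while the src/options.c hunk keeps an `#else` branch that still assigns `LOG_DAEMON`. The `#if` guarding the `LOG_AUTHPRIV` assignment is not among the visible changed lines, so the fallback condition is inferred rather than read. If it is a build-time check for `LOG_AUTHPRIV`, the documented sentence would be more accurate as `The syslog 'authpriv' facility (or 'daemon' where authpriv is not available) will be used unless a facility name is supplied.` Operators who route or alert on stunnel logs by facility rely on this sentence being exact.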
@@ -1,6 +1,25 @@ ---- stunnel-5.56/doc/stunnel.8.in.curves-doc-update 2020-04-16 17:12:48.171590017 +0200 -+++ stunnel-5.56/doc/stunnel.8.in 2020-04-16 17:16:07.001603122 +0200 -@@ -473,6 +473,8 @@ This file contains multiple CRLs, used w +From e951a8a7edc87dbd608043f8aab67ef12979e3ca Mon Sep 17 00:00:00 2001 +From: Sahana Prasad +Date: Mon, 12 Sep 2022 11:07:38 +0200 +Subject: [PATCH 6/8] Apply patch stunnel-5.56-curves-doc-update.patch + +Patch-name: stunnel-5.56-curves-doc-update.patch +Patch-id: 6 +From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3 +--- + doc/stunnel.8.in | 2 ++ + doc/stunnel.html.in | 2 ++ + doc/stunnel.pl.8.in | 2 ++ + doc/stunnel.pl.html.in | 2 ++ + doc/stunnel.pl.pod.in | 2 ++ + doc/stunnel.pod.in | 2 ++ + 6 files changed, 12 insertions(+) + +diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in +index a56f0b7..977a1a4 100644 +--- a/doc/stunnel.8.in ++++ b/doc/stunnel.8.in +@@ -475,6 +475,8 @@ This file contains multiple CRLs, used with the \fIverifyChain\fR and .IX Item "curves = list" \&\s-1ECDH\s0 curves separated with ':' .Sp @@ -9,9 +28,11 @@ Only a single curve name is allowed for OpenSSL older than 1.1.1. .Sp To get a list of supported curves use: ---- stunnel-5.56/doc/stunnel.html.in.curves-doc-update 2020-04-16 17:13:25.664962696 +0200 -+++ stunnel-5.56/doc/stunnel.html.in 2020-04-16 17:16:55.897111302 +0200 -@@ -568,6 +568,8 @@ +diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in +index 608afa9..cecc81a 100644 +--- a/doc/stunnel.html.in ++++ b/doc/stunnel.html.in +@@ -570,6 +570,8 @@

ECDH curves separated with ':'

@@ -20,42 +41,11 @@

Only a single curve name is allowed for OpenSSL older than 1.1.1.

To get a list of supported curves use:

---- stunnel-5.56/doc/stunnel.pod.in.curves-doc-update 2020-04-16 17:13:43.412139122 +0200 -+++ stunnel-5.56/doc/stunnel.pod.in 2020-04-16 17:17:25.414418073 +0200 -@@ -499,6 +499,8 @@ I options. - - ECDH curves separated with ':' - -+Note: This option is supported for server mode sockets only. -+ - Only a single curve name is allowed for OpenSSL older than 1.1.1. - - To get a list of supported curves use: ---- stunnel-5.56/doc/stunnel.pl.pod.in.curves-doc-update 2020-04-16 17:25:22.631934496 +0200 -+++ stunnel-5.56/doc/stunnel.pl.pod.in 2020-04-16 17:47:46.872353210 +0200 -@@ -507,6 +507,8 @@ przez opcje I i Ikrzywe ECDH odddzielone ':'

- -+

Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.

-+ -

Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.

- -

Listę dostępnych krzywych można uzyskać poleceniem:

---- stunnel-5.56/doc/stunnel.pl.8.in.curves-doc-update 2020-04-16 17:24:25.665369474 +0200 -+++ stunnel-5.56/doc/stunnel.pl.8.in 2020-04-16 17:45:14.141792786 +0200 -@@ -483,6 +483,8 @@ przez opcje \fIverifyChain\fR i \fIverif +diff --git a/doc/stunnel.pl.8.in b/doc/stunnel.pl.8.in +index e2e6622..eae88f8 100644 +--- a/doc/stunnel.pl.8.in ++++ b/doc/stunnel.pl.8.in +@@ -492,6 +492,8 @@ przez opcje \fIverifyChain\fR i \fIverifyPeer\fR. .IX Item "curves = lista" krzywe \s-1ECDH\s0 odddzielone ':' .Sp @@ -64,3 +54,45 @@ Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej. .Sp Listę dostępnych krzywych można uzyskać poleceniem: +diff --git a/doc/stunnel.pl.html.in b/doc/stunnel.pl.html.in +index 7be87f1..7fd7a7c 100644 +--- a/doc/stunnel.pl.html.in ++++ b/doc/stunnel.pl.html.in +@@ -568,6 +568,8 @@ + +

krzywe ECDH odddzielone ':'

+ ++

Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.

++ +

Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.

+ +

Listę dostępnych krzywych można uzyskać poleceniem:

+diff --git a/doc/stunnel.pl.pod.in b/doc/stunnel.pl.pod.in +index dc6b255..712f751 100644 +--- a/doc/stunnel.pl.pod.in ++++ b/doc/stunnel.pl.pod.in +@@ -516,6 +516,8 @@ przez opcje I i I. + + krzywe ECDH odddzielone ':' + ++Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera. ++ + Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej. + + Listę dostępnych krzywych można uzyskać poleceniem: +diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in +index 840c708..85cc199 100644 +--- a/doc/stunnel.pod.in ++++ b/doc/stunnel.pod.in +@@ -501,6 +501,8 @@ I options. + + ECDH curves separated with ':' + ++Note: This option is supported for server mode sockets only. ++ + Only a single curve name is allowed for OpenSSL older than 1.1.1. + + To get a list of supported curves use: +-- +2.37.3 + diff --git a/SOURCES/stunnel-5.56-system-ciphers.patch b/SOURCES/stunnel-5.56-system-ciphers.patch deleted file mode 100644 index de8679c..0000000 --- a/SOURCES/stunnel-5.56-system-ciphers.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up stunnel-5.55/src/options.c.system-ciphers stunnel-5.55/src/options.c ---- stunnel-5.55/src/options.c.system-ciphers 2019-09-19 14:43:00.631059024 +0200 -+++ stunnel-5.55/src/options.c 2019-09-19 14:51:02.120053849 +0200 -@@ -277,7 +277,7 @@ static char *option_not_found= - "Specified option name is not valid here"; - - static char *stunnel_cipher_list= -- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK"; -+ "PROFILE=SYSTEM"; - - #ifndef OPENSSL_NO_TLS1_3 - static char *stunnel_ciphersuites= diff --git a/SOURCES/stunnel-5.61-openssl30-fips.patch b/SOURCES/stunnel-5.61-openssl30-fips.patch deleted file mode 100644 index faaeef9..0000000 --- a/SOURCES/stunnel-5.61-openssl30-fips.patch +++ /dev/null 
@@ -1,19 +0,0 @@ -tests: Adapt to OpenSSL 3.x FIPS mode - -In OpenSSL 3.0 with FIPS enabled, this test no longer fails with -a human-readable error message (such as "no ciphers available"), but -instead causes an internal error. Extend the success regex list to also -accept this result. -diff -up stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 stunnel-5.61/tests/plugins/p11_fips_cipher.py ---- stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 2022-01-12 15:15:03.211690650 +0100 -+++ stunnel-5.61/tests/plugins/p11_fips_cipher.py 2022-01-12 15:15:20.937008173 +0100 -@@ -91,7 +91,8 @@ class FailureCiphersuitesFIPS(StunnelTes - self.events.count = 1 - self.events.success = [ - "disabled for FIPS", -- "no ciphers available" -+ "no ciphers available", -+ "TLS alert \\(write\\): fatal: internal error" - ] - self.events.failure = [ - "peer did not return a certificate", diff --git a/SOURCES/stunnel-5.61-systemd-service.patch b/SOURCES/stunnel-5.61-systemd-service.patch index 8c82221..a7831d8 100644 --- a/SOURCES/stunnel-5.61-systemd-service.patch +++ b/SOURCES/stunnel-5.61-systemd-service.patch 
@@ -1,7 +1,20 @@ -diff -up stunnel-5.61/tools/stunnel.service.in.systemd-service stunnel-5.61/tools/stunnel.service.in ---- stunnel-5.61/tools/stunnel.service.in.systemd-service 2022-01-12 14:48:32.474150329 +0100 -+++ stunnel-5.61/tools/stunnel.service.in 2022-01-12 14:50:15.253984639 +0100 -@@ -6,6 +6,7 @@ After=syslog.target network-online.targe +From 6cb73d824ac204f5680e469b0474855aaa6b8ddc Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Mon, 12 Sep 2022 11:07:38 +0200 +Subject: [PATCH 2/8] Apply patch stunnel-5.61-systemd-service.patch + +Patch-name: stunnel-5.61-systemd-service.patch +Patch-id: 1 +From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3 +--- + tools/stunnel.service.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/stunnel.service.in b/tools/stunnel.service.in +index fa98996..0c5a216 100644 +--- a/tools/stunnel.service.in ++++ b/tools/stunnel.service.in +@@ -6,6 +6,7 @@ After=syslog.target network-online.target ExecStart=@bindir@/stunnel ExecReload=/bin/kill -HUP $MAINPID Type=forking @@ -9,3 +22,6 @@ diff -up stunnel-5.61/tools/stunnel.service.in.systemd-service stunnel-5.61/tool [Install] WantedBy=multi-user.target +-- +2.37.3 + diff --git a/SOURCES/stunnel-5.62-disabled-curves.patch b/SOURCES/stunnel-5.62-disabled-curves.patch deleted file mode 100644 index 075ccec..0000000 --- a/SOURCES/stunnel-5.62-disabled-curves.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -Limit curves defaults in FIPS mode - -Our copy of OpenSSL disables the X25519 and X448 curves in FIPS mode, -but stunnel defaults to enabling them and then fails to do so. - -Upstream-Status: Inappropriate [caused by a downstream patch to openssl] -diff -up stunnel-5.62/src/options.c.disabled-curves stunnel-5.62/src/options.c ---- stunnel-5.62/src/options.c.disabled-curves 2022-02-04 13:46:45.936884124 +0100 -+++ stunnel-5.62/src/options.c 2022-02-04 13:53:16.346725153 +0100 -@@ -40,8 +40,10 @@ - - #if OPENSSL_VERSION_NUMBER >= 0x10101000L - #define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384" -+#define DEFAULT_CURVES_FIPS "P-256:P-521:P-384" - #else /* OpenSSL version < 1.1.1 */ - #define DEFAULT_CURVES "prime256v1" -+#define DEFAULT_CURVES_FIPS "prime256v1" - #endif /* OpenSSL version >= 1.1.1 */ - - #if defined(_WIN32_WCE) && !defined(CONFDIR) -@@ -1855,7 +1857,7 @@ NOEXPORT char *parse_service_option(CMD - /* curves */ - switch(cmd) { - case CMD_SET_DEFAULTS: -- section->curves=str_dup_detached(DEFAULT_CURVES); -+ section->curves = NULL; - break; - case CMD_SET_COPY: - section->curves=str_dup_detached(new_service_options.curves); -@@ -1870,9 +1872,26 @@ NOEXPORT char *parse_service_option(CMD - section->curves=str_dup_detached(arg); - return NULL; /* OK */ - case CMD_INITIALIZE: -+ if(!section->curves) { -+ /* this is only executed for global options, because -+ * section->curves is no longer NULL in sections */ -+#ifdef USE_FIPS -+ if(new_global_options.option.fips) -+ section->curves=str_dup_detached(DEFAULT_CURVES_FIPS); -+ else -+#endif /* USE_FIPS */ -+ section->curves=str_dup_detached(DEFAULT_CURVES); -+ } - break; - case CMD_PRINT_DEFAULTS: -- s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES); -+ if(fips_available()) { -+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves", -+ DEFAULT_CURVES_FIPS, "(with \"fips = yes\")"); -+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves", -+ DEFAULT_CURVES, "(with \"fips = no\")"); -+ } else { -+ 
s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES); -+ } - break; - case CMD_PRINT_HELP: - s_log(LOG_NOTICE, "%-22s = ECDH curve names", "curves"); diff --git a/SOURCES/stunnel-5.62-openssl3-error-handling.patch b/SOURCES/stunnel-5.62-openssl3-error-handling.patch deleted file mode 100644 index b8c26ff..0000000 --- a/SOURCES/stunnel-5.62-openssl3-error-handling.patch +++ /dev/null 
@@ -1,140 +0,0 @@ -From 6baa5762ea5edb192ec003333d62b1d0e56509bf Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Micha=C5=82=20Trojnara?= -Date: Sun, 11 Sep 2022 23:52:18 +0200 -Subject: [PATCH] stunnel-5.66 - ---- - src/common.h | 6 +++++- - src/ctx.c | 58 +++++++++++++++++++++++++++++++++++++++++++--------- - 2 files changed, 53 insertions(+), 11 deletions(-) - -diff --git a/src/common.h b/src/common.h -index bc37eb5..997e66e 100644 ---- a/src/common.h -+++ b/src/common.h -@@ -491,7 +491,7 @@ extern char *sys_errlist[]; - #include - #if OPENSSL_VERSION_NUMBER<0x10100000L - int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); --#endif /* OpenSSL older than 1.1.0 */ -+#endif /* OPENSSL_VERSION_NUMBER<0x10100000L */ - #endif /* !defined(OPENSSL_NO_DH) */ - #ifndef OPENSSL_NO_ENGINE - #include -@@ -503,8 +503,12 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); - /* not defined in public headers before OpenSSL 0.9.8 */ - STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void); - #endif /* !defined(OPENSSL_NO_COMP) */ -+#if OPENSSL_VERSION_NUMBER>=0x10101000L -+#include -+#endif /* OPENSSL_VERSION_NUMBER>=0x10101000L */ - #if OPENSSL_VERSION_NUMBER>=0x30000000L - #include -+#include - #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */ - - #ifndef OPENSSL_VERSION -diff --git a/src/ctx.c b/src/ctx.c -index a2202b7..cc0806c 100644 ---- a/src/ctx.c -+++ b/src/ctx.c -@@ -1001,30 +1001,41 @@ NOEXPORT int ui_retry() { - unsigned long err=ERR_peek_error(); - - switch(ERR_GET_LIB(err)) { -- case ERR_LIB_ASN1: -- return 1; -- case ERR_LIB_PKCS12: -+ case ERR_LIB_EVP: /* 6 */ - switch(ERR_GET_REASON(err)) { -- case PKCS12_R_MAC_VERIFY_FAILURE: -+ case EVP_R_BAD_DECRYPT: - return 1; - default: -+ s_log(LOG_ERR, "Unhandled ERR_LIB_EVP error reason: %d", -+ ERR_GET_REASON(err)); - return 0; - } -- case ERR_LIB_EVP: -+ case ERR_LIB_PEM: /* 9 */ - switch(ERR_GET_REASON(err)) { -- case EVP_R_BAD_DECRYPT: -+ case PEM_R_BAD_PASSWORD_READ: -+ case PEM_R_BAD_DECRYPT: - return 
1; - default: -+ s_log(LOG_ERR, "Unhandled ERR_LIB_PEM error reason: %d", -+ ERR_GET_REASON(err)); - return 0; - } -- case ERR_LIB_PEM: -+ case ERR_LIB_ASN1: /* 13 */ -+ return 1; -+ case ERR_LIB_PKCS12: /* 35 */ - switch(ERR_GET_REASON(err)) { -- case PEM_R_BAD_PASSWORD_READ: -+ case PKCS12_R_MAC_VERIFY_FAILURE: - return 1; - default: -+ s_log(LOG_ERR, "Unhandled ERR_LIB_PKCS12 error reason: %d", -+ ERR_GET_REASON(err)); - return 0; - } -- case ERR_LIB_UI: -+#ifdef ERR_LIB_DSO /* 37 */ -+ case ERR_LIB_DSO: -+ return 1; -+#endif -+ case ERR_LIB_UI: /* 40 */ - switch(ERR_GET_REASON(err)) { - case UI_R_RESULT_TOO_LARGE: - case UI_R_RESULT_TOO_SMALL: -@@ -1033,17 +1044,44 @@ NOEXPORT int ui_retry() { - #endif - return 1; - default: -+ s_log(LOG_ERR, "Unhandled ERR_LIB_UI error reason: %d", -+ ERR_GET_REASON(err)); -+ return 0; -+ } -+#ifdef ERR_LIB_OSSL_STORE -+ case ERR_LIB_OSSL_STORE: /* 44 - added in OpenSSL 1.1.1 */ -+ switch(ERR_GET_REASON(err)) { -+ case OSSL_STORE_R_BAD_PASSWORD_READ: -+ return 1; -+ default: -+ s_log(LOG_ERR, "Unhandled ERR_LIB_OSSL_STORE error reason: %d", -+ ERR_GET_REASON(err)); -+ return 0; -+ } -+#endif -+#ifdef ERR_LIB_PROV -+ case ERR_LIB_PROV: /* 57 - added in OpenSSL 3.0 */ -+ switch(ERR_GET_REASON(err)) { -+ case PROV_R_BAD_DECRYPT: -+ return 1; -+ default: -+ s_log(LOG_ERR, "Unhandled ERR_LIB_PROV error reason: %d", -+ ERR_GET_REASON(err)); - return 0; - } -- case ERR_LIB_USER: /* PKCS#11 hacks */ -+#endif -+ case ERR_LIB_USER: /* 128 - PKCS#11 hacks */ - switch(ERR_GET_REASON(err)) { - case 7UL: /* CKR_ARGUMENTS_BAD */ - case 0xa0UL: /* CKR_PIN_INCORRECT */ - return 1; - default: -+ s_log(LOG_ERR, "Unhandled ERR_LIB_USER error reason: %d", -+ ERR_GET_REASON(err)); - return 0; - } - default: -+ s_log(LOG_ERR, "Unhandled error library: %d", ERR_GET_LIB(err)); - return 0; - } - } --- -2.38.1 - diff --git a/SOURCES/stunnel-5.62.tar.gz.asc b/SOURCES/stunnel-5.62.tar.gz.asc deleted file mode 100644 index 194a431..0000000 
--- a/SOURCES/stunnel-5.62.tar.gz.asc +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmHlyoBfFIAAAAAALgAo -aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC -QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW -4BRqiw//dzBO+CqezKNlkVT5sePEfriVPk0iYa7IyGQ2xclohI3X3A0NaLHhwysa -2pFo+myUn5h2qVM6jfuPbXHxDSgDQIcRoEEWpLbVEnVy5vMpVsB5wY4fwfyd3crM -2J24XPdODE8H2mB28JXHyQdXehMtzOAMJ57ugUbrU4drNOR8sCRbp+sBChI8JK9Q -IYvUoMPMCukFXws0KFEYjRom/FyQlde2Wz9ZPiluRzj6RWPQvQht8EiB7IfPrq2m -fiPmOxUnB+Ry6/eaSp7JLlrnL4q5Zhw0HS/pMbWpiB9nPb9SLoKufJ9hYQs5X2h9 -L85VPMAAAStQ4PcvFYWt/nV03p3agImdMLrwlaMi/Bb95+tk7OoNLu7yz9RQ9QAo -SPamduORs4/KhtlMzRf2G8utIQRa4fI47KDOO1+1qRfTH4t/Bf3Fr/gI34AW24ZZ -hu2nHqr+UxGkU42HJEhsL9tAvBFr/mBI64sHtAI41e25CkqBQSqD+FxUw5snbVgP -XxiM9tNo/UUZpCMnmkAZUqVFKYT10VSFTDo6/LcoMYZf1zzCWch3wJTtf2ZPUJYG -6kNpdCEzsXYileL6iCof9+J5hNaNGpsgTi+ljz1jujzOHWGw6hyIWUiYTBGmRAbl -Pehbx5RYqQe9gX0nFRRs3o9y9p8B4MLMAvJdhx6vqxgd2H1SDJA= -=MLHM ------END PGP SIGNATURE----- diff --git a/SOURCES/stunnel-5.61-default-tls-version.patch b/SOURCES/stunnel-5.69-default-tls-version.patch similarity index 56% rename from SOURCES/stunnel-5.61-default-tls-version.patch rename to SOURCES/stunnel-5.69-default-tls-version.patch index f779e4e..36ac353 100644 --- a/SOURCES/stunnel-5.61-default-tls-version.patch +++ b/SOURCES/stunnel-5.69-default-tls-version.patch 
@@ -1,50 +1,68 @@ -diff -up stunnel-5.61/src/ctx.c.default-tls-version stunnel-5.61/src/ctx.c ---- stunnel-5.61/src/ctx.c.default-tls-version 2021-12-13 09:43:22.000000000 +0100 -+++ stunnel-5.61/src/ctx.c 2022-01-10 19:27:49.913243127 +0100 -@@ -149,18 +149,28 @@ int context_init(SERVICE_OPTIONS *sectio +From 1d3349209f339e6a68312fce076e355bc767d76c Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Mon, 12 Sep 2022 11:07:38 +0200 +Subject: [PATCH 5/7] Apply patch stunnel-5.69-default-tls-version.patch + +Patch-name: stunnel-5.69-default-tls-version.patch +Patch-id: 5 +From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3 +--- + src/ctx.c | 34 ++++++++++++++++++++++------------ + src/options.c | 15 +++++++++++---- + src/prototypes.h | 3 +++ + 3 files changed, 36 insertions(+), 16 deletions(-) + +diff --git a/src/ctx.c b/src/ctx.c +index 6a42a6b..cba24d9 100644 +--- a/src/ctx.c ++++ b/src/ctx.c +@@ -152,19 +152,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */ section->ctx=SSL_CTX_new(section->option.client ? TLS_client_method() : TLS_server_method()); #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */ -- if(!SSL_CTX_set_min_proto_version(section->ctx, +- if(section->min_proto_version && +- !SSL_CTX_set_min_proto_version(section->ctx, - section->min_proto_version)) { - s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", - section->min_proto_version); - return 1; /* FAILED */ -- } -- if(!SSL_CTX_set_max_proto_version(section->ctx, ++ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) { ++ s_log(LOG_INFO, "Using the default TLS minimum version as specified in" ++ " crypto policies. 
Not setting explicitly."); ++ } else { ++ if(section->min_proto_version && ++ !SSL_CTX_set_min_proto_version(section->ctx, ++ section->min_proto_version)) { ++ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", ++ section->min_proto_version); ++ return 1; /* FAILED */ ++ } + } +- if(section->max_proto_version && +- !SSL_CTX_set_max_proto_version(section->ctx, - section->max_proto_version)) { - s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", - section->max_proto_version); - return 1; /* FAILED */ -+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) { -+ s_log(LOG_INFO, "Using the default TLS version as specified in " -+ "OpenSSL crypto policies. Not setting explicitly."); ++ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) { ++ s_log(LOG_INFO, "Using the default TLS maximum version as specified in" ++ " crypto policies. Not setting explicitly"); + } else { -+ if(!SSL_CTX_set_min_proto_version(section->ctx, -+ section->min_proto_version)) { -+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", -+ section->min_proto_version); ++ if(section->max_proto_version && ++ !SSL_CTX_set_max_proto_version(section->ctx, ++ section->max_proto_version)) { ++ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", ++ section->max_proto_version); + return 1; /* FAILED */ + } } -+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) { -+ s_log(LOG_INFO, "Using the default TLS version as specified in " -+ "OpenSSL crypto policies. 
Not setting explicitly"); -+ } else { -+ if(!SSL_CTX_set_max_proto_version(section->ctx, -+ section->max_proto_version)) { -+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", -+ section->max_proto_version); -+ return 1; /* FAILED */ -+ } -+ } #else /* OPENSSL_VERSION_NUMBER<0x10100000L */ if(section->option.client) - section->ctx=SSL_CTX_new(section->client_method); -diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options.c ---- stunnel-5.61/src/options.c.default-tls-version 2022-01-10 19:23:15.096254067 +0100 -+++ stunnel-5.61/src/options.c 2022-01-10 19:23:15.098254103 +0100 -@@ -3297,8 +3297,9 @@ NOEXPORT char *parse_service_option(CMD +diff --git a/src/options.c b/src/options.c +index 4d31815..2ec5934 100644 +--- a/src/options.c ++++ b/src/options.c +@@ -3371,8 +3371,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr return "Invalid protocol version"; return NULL; /* OK */ case CMD_INITIALIZE: @@ -56,7 +74,7 @@ diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options return "Invalid protocol version range"; break; case CMD_PRINT_DEFAULTS: -@@ -3316,7 +3317,10 @@ NOEXPORT char *parse_service_option(CMD +@@ -3390,7 +3391,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr /* sslVersionMax */ switch(cmd) { case CMD_SET_DEFAULTS: 
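Review bot: When `min_proto_version` or `max_proto_version` equals `USE_DEFAULT_TLS_VERSION`, the new branches in context_init() only log that the crypto-policies default is used and never say which version that is, so an operator cannot confirm the effective protocol floor or ceiling from the log. On OpenSSL 1.1.1 and later the value could be read back and logged, for example `s_log(LOG_INFO, "Effective minimum protocol version 0x%X", SSL_CTX_get_min_proto_version(section->ctx));`, assuming the policy is already applied when the context is created. As style points, the two INFO messages differ in their trailing period, and the nested `else { if(...) { ... } }` could be a plain `else if`. context_init() starts and ends outside the hunk.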
@@ -68,11 +86,11 @@ diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options break; case CMD_SET_COPY: section->max_proto_version=new_service_options.max_proto_version; -@@ -3347,7 +3351,10 @@ NOEXPORT char *parse_service_option(CMD +@@ -3421,7 +3425,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr /* sslVersionMin */ switch(cmd) { case CMD_SET_DEFAULTS: -- section->min_proto_version=TLS1_VERSION; +- section->min_proto_version=0; /* lowest supported */ + section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in + OpenSSL crypto + policies. Do not @@ -80,10 +98,11 @@ diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options break; case CMD_SET_COPY: section->min_proto_version=new_service_options.min_proto_version; -diff -up stunnel-5.61/src/prototypes.h.default-tls-version stunnel-5.61/src/prototypes.h ---- stunnel-5.61/src/prototypes.h.default-tls-version 2021-12-13 09:43:22.000000000 +0100 -+++ stunnel-5.61/src/prototypes.h 2022-01-10 19:23:15.099254121 +0100 -@@ -932,6 +932,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE); +diff --git a/src/prototypes.h b/src/prototypes.h +index 0ecd719..a126c9e 100644 +--- a/src/prototypes.h ++++ b/src/prototypes.h +@@ -940,6 +940,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE); ICON_IMAGE load_icon_file(const char *); #endif @@ -93,3 +112,6 @@ diff -up stunnel-5.61/src/prototypes.h.default-tls-version stunnel-5.61/src/prot #endif /* defined PROTOTYPES_H */ /* end of prototypes.h */ +-- +2.39.2 + diff --git a/SOURCES/stunnel-5.69-system-ciphers.patch b/SOURCES/stunnel-5.69-system-ciphers.patch new file mode 100644 index 0000000..c7be57d --- /dev/null +++ b/SOURCES/stunnel-5.69-system-ciphers.patch 
@@ -0,0 +1,37 @@ +From 6c8c4c8c85204943223b251d09ca1e93571a437a Mon Sep 17 00:00:00 2001 +From: Sahana Prasad +Date: Mon, 12 Sep 2022 11:07:38 +0200 +Subject: [PATCH 3/7] Use cipher configuration from crypto-policies + +On Fedora, CentOS and RHEL, the system's crypto policies are the best +source to determine which cipher suites to accept in TLS. On these +platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those +policies. Change stunnel to default to this setting. + +Co-Authored-by: Sahana Prasad +Patch-name: stunnel-5.69-system-ciphers.patch +Patch-id: 3 +From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3 +--- + src/options.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/options.c b/src/options.c +index 6e4a18b..4d31815 100644 +--- a/src/options.c ++++ b/src/options.c +@@ -321,9 +321,9 @@ static const char *option_not_found= + "Specified option name is not valid here"; + + static const char *stunnel_cipher_list= +- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK"; ++ "PROFILE=SYSTEM"; + static const char *fips_cipher_list= +- "FIPS:!DH:!kDHEPSK"; ++ "PROFILE=SYSTEM"; + + #ifndef OPENSSL_NO_TLS1_3 + static const char *stunnel_ciphersuites= +-- +2.39.2 + diff --git a/SOURCES/stunnel-5.71.tar.gz.asc b/SOURCES/stunnel-5.71.tar.gz.asc new file mode 100644 index 0000000..6c33f21 --- /dev/null +++ b/SOURCES/stunnel-5.71.tar.gz.asc 
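Review bot: Both `stunnel_cipher_list` and `fips_cipher_list` now carry the same `"PROFILE=SYSTEM"` string, so the explicit `!aNULL`, `!DH` and `!kDHEPSK` exclusions and the `FIPS` keyword are gone and the accepted suites depend entirely on the host's crypto-policies configuration. The declarations themselves give no hint of that; a comment above them such as `/* PROFILE=SYSTEM is a distribution OpenSSL extension: suites come from crypto-policies */` would tell a maintainer why the two lists are identical and that the string is not expected to work with an OpenSSL build lacking that extension. The TLS 1.3 `stunnel_ciphersuites` default that follows is cut off by the hunk, so whether it is also governed by the policy cannot be judged from here.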
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmUKA7NfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC +QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW +4BS9ZxAAxK9dNbFrL3ZOmW18OT82LKza1Zli9grdiEx4GY6s+atY6DgrWiOfJi5A +NQtwoeYRWcEkMgWKRev28zMEPzGkUzYyaBUbqDDisAziDXyyKfriqmkbG4jl8Gv+ +qY+SgrM2ElhZxTnvRtUvzG6dogBeA1iWcNANAYgYVxH2yOFcNB0HYA25aBrPpmO4 +37h7ZRc94Yn2fK4zdR7D8DxYEAkmrZJxMydytTwp4EHu2t3lmw+vJdzIS7RtJoRL +Apd/Fh8USZB++Xx+4vFiuDcydGz5xdUNCB9jXYJoTCxFUP9mQsyR05Q8uscPunk9 +SfCd7pbzextsoFF5gOoee3tvwgwlhI7SR9eS585ni0oXyNaFUMwXS0qBVN1f86fr +iAl3j8pGVnqJpmiZ8o4xGj3/g5Nvp14Ts/qXlRvqvzoU6Ka6MEefH2sMxzm5RCQr +tAcrDROGUyN0HJcdy8TAWobqX0HWQqwlGjyeZAJAtFcmno00Au6FYnkn+dLkvxIx +bsEaaG7QrP9p6JpEnQhsLLEKAgD9olmPWzFLCeeE1PZg/klSbVG4qmHv113ixlDy +6smwnHDnb+UysgosKyAzWqlrLUhPYqca83Y8DFbpS9wi1AG6OjCuJ3jtdRq+HAjn +l5PRZhWOTUi+weLWSpmGO2py5JfJm010grKdzA9d9YMR9YspSOU= +=6RnW +-----END PGP SIGNATURE----- diff --git a/SPECS/stunnel.spec b/SPECS/stunnel.spec index 63f6834..db51d78 100644 --- a/SPECS/stunnel.spec +++ b/SPECS/stunnel.spec @@ -1,7 +1,7 @@ # Do not generate provides for private libraries %global __provides_exclude_from ^%{_libdir}/stunnel/.*$ -%if 0%{?fedora} > 27 || 0%{?rhel} > 7 +%if 0%{?fedora} || 0%{?rhel} > 7 %bcond_with libwrap %else %bcond_without libwrap @@ -9,8 +9,8 @@ Summary: A TLS-encrypting socket wrapper Name: stunnel -Version: 5.62 -Release: 3%{?dist} +Version: 5.71 +Release: 1%{?dist} License: GPLv2 URL: https://www.stunnel.org/ Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz 
@@ -21,18 +21,19 @@ Source4: stunnel-sfinger.conf Source5: pop3-redirect.xinetd Source6: stunnel-pop3s-client.conf Source7: stunnel@.service +# Upstream release signing key +# Upstream source is https://www.stunnel.org/pgp.asc; using a local URL because +# the remote one makes packit source-git choke. +Source99: pgp.asc Patch0: stunnel-5.50-authpriv.patch Patch1: stunnel-5.61-systemd-service.patch -Patch3: stunnel-5.56-system-ciphers.patch -Patch4: stunnel-5.56-coverity.patch -Patch5: stunnel-5.61-default-tls-version.patch +Patch3: stunnel-5.69-system-ciphers.patch +Patch5: stunnel-5.69-default-tls-version.patch Patch6: stunnel-5.56-curves-doc-update.patch -Patch7: stunnel-5.61-openssl30-fips.patch -Patch8: stunnel-5.62-disabled-curves.patch -Patch9: stunnel-5.62-openssl3-error-handling.patch # util-linux is needed for rename BuildRequires: make BuildRequires: gcc +BuildRequires: gnupg2 BuildRequires: openssl-devel, pkgconfig, util-linux BuildRequires: autoconf automake libtool %if %{with libwrap} @@ -42,8 +43,8 @@ BuildRequires: /usr/bin/pod2man BuildRequires: /usr/bin/pod2html # build test requirements BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps -BuildRequires: python3 openssl -BuildRequires: systemd +BuildRequires: python3 python3-cryptography openssl +BuildRequires: systemd systemd-devel %{?systemd_requires} %description @@ -53,16 +54,13 @@ to ordinary applications. For example, it can be used in conjunction with imapd to create a TLS secure IMAP server. %prep +%{gpgverify} --keyring='%{SOURCE99}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %setup -q %patch0 -p1 -b .authpriv %patch1 -p1 -b .systemd-service %patch3 -p1 -b .system-ciphers -%patch4 -p1 -b .coverity %patch5 -p1 -b .default-tls-version %patch6 -p1 -b .curves-doc-update -%patch7 -p1 -b .openssl30-fips -%patch8 -p1 -b .disabled-curves -%patch9 -p1 -b .openssl3-error-handling # Fix the stack protector flag sed -i 's/-fstack-protector/-fstack-protector-strong/' configure 
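Review bot: The comment added above `Source99: pgp.asc` says where the key came from but does not record which key is expected, so the `%{gpgverify}` step in `%prep` proves only that the tarball matches whatever key file is committed beside it. Adding the fingerprint to the comment, for example `# Expected key fingerprint: <FINGERPRINT, checked out of band>`, lets a later reviewer notice if `pgp.asc` is ever replaced together with the tarball and its signature. `Source1`, which is passed as the signature, is declared outside this hunk.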
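Review bot: `%patch4`, `%patch7`, `%patch8` and `%patch9` are dropped from `%prep` here, along with their `Patch` tags in the earlier hunk, but the new `%changelog` entry does not mention them. At least `openssl30-fips` and `disabled-curves` look like they change cryptographic behaviour, so the record should say why they are no longer carried. If they were merged upstream, a changelog line such as `- Drop patches included in upstream 5.71` would be enough.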
@@ -80,6 +78,7 @@ fi %else --disable-libwrap \ %endif + --with-bashcompdir=%{_datadir}/bash-completion/completions \ CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'" make V=1 LDADD="-pie -Wl,-z,defs,-z,relro,-z,now" @@ -95,11 +94,9 @@ for lang in pl ; do done mkdir srpm-docs cp %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} srpm-docs -%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 mkdir -p %{buildroot}%{_unitdir} cp %{buildroot}%{_datadir}/doc/stunnel/examples/%{name}.service %{buildroot}%{_unitdir}/%{name}.service cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service -%endif %check if ! make test; then @@ -127,9 +124,7 @@ fi %lang(pl) %{_mandir}/pl/man8/stunnel.8* %dir %{_sysconfdir}/%{name} %exclude %{_sysconfdir}/stunnel/* -%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 %{_unitdir}/%{name}*.service -%endif %{_datadir}/bash-completion/completions/%{name}.bash %post @@ -144,6 +139,13 @@ fi %systemd_postun_with_restart %{name}.service %changelog +* Thu Oct 05 2023 Clemens Lang - 5.71-1 +- New upstream release 5.71 + Resolves: RHEL-2468 +- Enable socket activation support +- verify upstream source in %%prep +- clean up stale conditionals + * Thu Dec 08 2022 Clemens Lang - 5.62-3 - Fix use of encrypted key files and password retry with OpenSSL 3 Resolves: rhbz#2151888