New upstream release 5.66

From-source-git-commit: cdddaac47cf2c136edd1fcd572d286425263de4d Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-09-12 12:11:10 +02:00 · 2022-09-12 12:11:10 +02:00 · 87c3c6d11e
commit 87c3c6d11e
parent 70b3076eb0
10 changed files with 299 additions and 131 deletions
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (stunnel-5.62.tar.gz) = 4ce03faa27e417b49fbdf0fbac91befb2c05ce64694b4b6fd2fc482031ee4a229299627133a47ff3efdfdffce751e1300d95d0a8ac1f1858c7c96f0b067170de
+SHA512 (stunnel-5.66.tar.gz) = 7034f4de953df2a55a0837ff1b5bddcec0bc89a6c2bd33371d0cb59125f0a6abb1540456603e0079727821654e20657844f8e38e8e801f2bdf86bc1b6490c0aa
-SHA512 (stunnel-5.62.tar.gz.asc) = 983b41100e7ef6dba5a9b7e7cd64e50b1f6860a6bf18ca393e14d65680bfed951475e6f7f4ec9e8da036aaa86e0668f65e3df7025220eda7315de4d110a24ac5
+SHA512 (stunnel-5.66.tar.gz.asc) = 6c1cc73752bf7068b5b865bdc1f2073ca755fa290e7687186878091cf8ead425bcfa8249f2588298565a71f0dad037247dc46391561702f298c3044ffb58b383
--- a/stunnel-5.50-authpriv.patch
+++ b/stunnel-5.50-authpriv.patch
@ -1,7 +1,23 @@
-diff -up stunnel-5.50/doc/stunnel.8.in.authpriv stunnel-5.50/doc/stunnel.8.in
+From 9cd8694f2b742e46370d38c34a53523c1aafae93 Mon Sep 17 00:00:00 2001
--- stunnel-5.50/doc/stunnel.8.in.authpriv	2018-12-02 23:47:20.000000000 +0100
+From: Tomas Mraz <tmraz@fedoraproject.org>
-+++ stunnel-5.50/doc/stunnel.8.in	2019-01-14 12:15:05.135100163 +0100
+Date: Mon, 12 Sep 2022 11:07:38 +0200
-@@ -200,7 +200,7 @@ info (6), or debug (7).  All logs for th
+Subject: [PATCH 1/8] Apply patch stunnel-5.50-authpriv.patch
 Patch-name: stunnel-5.50-authpriv.patch
 Patch-id: 0
 From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
 ---
 doc/stunnel.8.in    | 2 +-
 doc/stunnel.html.in | 2 +-
 doc/stunnel.pod.in  | 2 +-
 src/options.c       | 4 ++++
 4 files changed, 7 insertions(+), 3 deletions(-)
 diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in
 index d5de80b..a56f0b7 100644
 --- a/doc/stunnel.8.in
 +++ b/doc/stunnel.8.in
@@ -204,7 +204,7 @@ info (6), or debug (7).  All logs for the specified level and
 all levels numerically less than it will be shown.  Use \fIdebug = debug\fR or
 \&\fIdebug = 7\fR for greatest debugging output.  The default is notice (5).
 .Sp
@ -10,9 +26,10 @@ diff -up stunnel-5.50/doc/stunnel.8.in.authpriv stunnel-5.50/doc/stunnel.8.in
 (Facilities are not supported on Win32.)
 .Sp
 Case is ignored for both facilities and levels.
-diff -up stunnel-5.50/doc/stunnel.html.in.authpriv stunnel-5.50/doc/stunnel.html.in
+diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in
--- stunnel-5.50/doc/stunnel.html.in.authpriv	2018-12-02 23:47:21.000000000 +0100
+index 4f84d5c..608afa9 100644
-+++ stunnel-5.50/doc/stunnel.html.in	2019-01-14 12:15:05.136100146 +0100
+--- a/doc/stunnel.html.in
 +++ b/doc/stunnel.html.in
@@ -244,7 +244,7 @@
 <p>Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use <i>debug = debug</i> or <i>debug = 7</i> for greatest debugging output. The default is notice (5).</p>
@ -22,10 +39,11 @@ diff -up stunnel-5.50/doc/stunnel.html.in.authpriv stunnel-5.50/doc/stunnel.html
 <p>Case is ignored for both facilities and levels.</p>
-diff -up stunnel-5.50/doc/stunnel.pod.in.authpriv stunnel-5.50/doc/stunnel.pod.in
+diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in
--- stunnel-5.50/doc/stunnel.pod.in.authpriv	2018-12-02 23:47:18.000000000 +0100
+index 0246f82..840c708 100644
-+++ stunnel-5.50/doc/stunnel.pod.in	2019-01-14 12:15:05.136100146 +0100
+--- a/doc/stunnel.pod.in
-@@ -192,7 +192,7 @@ info (6), or debug (7).  All logs for th
+++ b/doc/stunnel.pod.in
@@ -192,7 +192,7 @@ info (6), or debug (7).  All logs for the specified level and
 all levels numerically less than it will be shown.  Use I<debug = debug> or
 I<debug = 7> for greatest debugging output.  The default is notice (5).
@ -34,10 +52,11 @@ diff -up stunnel-5.50/doc/stunnel.pod.in.authpriv stunnel-5.50/doc/stunnel.pod.i
 (Facilities are not supported on Win32.)
 Case is ignored for both facilities and levels.
-diff -up stunnel-5.50/src/options.c.authpriv stunnel-5.50/src/options.c
+diff --git a/src/options.c b/src/options.c
--- stunnel-5.50/src/options.c.authpriv	2019-01-14 12:15:05.136100146 +0100
+index 9ac9c7e..5007f83 100644
-+++ stunnel-5.50/src/options.c	2019-01-14 12:16:25.537727511 +0100
+--- a/src/options.c
-@@ -1745,8 +1745,12 @@ NOEXPORT char *parse_service_option(CMD
+++ b/src/options.c
@@ -1878,7 +1878,11 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
     case CMD_SET_DEFAULTS:
         section->log_level=LOG_NOTICE;
 #if !defined (USE_WIN32) && !defined (__vms)
@ -45,8 +64,10 @@ diff -up stunnel-5.50/src/options.c.authpriv stunnel-5.50/src/options.c
 +        new_global_options.log_facility=LOG_AUTHPRIV;
 +#else
         new_global_options.log_facility=LOG_DAEMON;
 #endif
 +#endif
 #endif
         break;
     case CMD_SET_COPY:
-         section->log_level=new_service_options.log_level;
+-- 
 2.37.3
--- a/stunnel-5.56-coverity.patch
+++ b/stunnel-5.56-coverity.patch
@ -1,7 +1,21 @@
-diff -up stunnel-5.48/src/str.c.coverity stunnel-5.48/src/str.c
+From c705c47f486cff5b6d79ca3183a6faec015f3ac1 Mon Sep 17 00:00:00 2001
--- stunnel-5.48/src/str.c.coverity	2018-07-02 23:30:10.000000000 +0200
+From: Sahana Prasad <sahana@redhat.com>
-+++ stunnel-5.48/src/str.c	2018-09-04 17:24:08.949928906 +0200
+Date: Mon, 12 Sep 2022 11:07:38 +0200
-@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va
+Subject: [PATCH 4/8] Apply patch stunnel-5.56-coverity.patch
 Patch-name: stunnel-5.56-coverity.patch
 Patch-id: 4
 From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
 ---
 src/str.c     | 1 +
 src/stunnel.c | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/str.c b/src/str.c
 index b9eca81..fd62db8 100644
 --- a/src/str.c
 +++ b/src/str.c
@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va_list start_ap) {
     for(;;) {
         va_copy(ap, start_ap);
         n=vsnprintf(p, size, format, ap);
@ -9,10 +23,11 @@ diff -up stunnel-5.48/src/str.c.coverity stunnel-5.48/src/str.c
         if(n>-1 && n<(int)size)
             return p;
         if(n>-1)                /* glibc 2.1 */
-diff -up stunnel-5.48/src/stunnel.c.coverity stunnel-5.48/src/stunnel.c
+diff --git a/src/stunnel.c b/src/stunnel.c
--- stunnel-5.48/src/stunnel.c.coverity	2018-07-02 23:30:10.000000000 +0200
+index 4ce906b..31115ea 100644
-+++ stunnel-5.48/src/stunnel.c	2018-09-04 17:24:08.949928906 +0200
+--- a/src/stunnel.c
-@@ -364,7 +364,6 @@ NOEXPORT int accept_connection(SERVICE_O
+++ b/src/stunnel.c
@@ -445,7 +445,6 @@ NOEXPORT int accept_connection(SERVICE_OPTIONS *opt, unsigned i) {
 #endif
     if(create_client(fd, s, alloc_client_session(opt, s, s))) {
         s_log(LOG_ERR, "Connection rejected: create_client failed");
@ -20,3 +35,6 @@ diff -up stunnel-5.48/src/stunnel.c.coverity stunnel-5.48/src/stunnel.c
 #ifndef USE_FORK
         service_free(opt);
 #endif
 -- 
 2.37.3
--- a/stunnel-5.56-curves-doc-update.patch
+++ b/stunnel-5.56-curves-doc-update.patch
@ -1,6 +1,25 @@
--- stunnel-5.56/doc/stunnel.8.in.curves-doc-update	2020-04-16 17:12:48.171590017 +0200
+From e951a8a7edc87dbd608043f8aab67ef12979e3ca Mon Sep 17 00:00:00 2001
-+++ stunnel-5.56/doc/stunnel.8.in	2020-04-16 17:16:07.001603122 +0200
+From: Sahana Prasad <sahana@redhat.com>
-@@ -473,6 +473,8 @@ This file contains multiple CRLs, used w
+Date: Mon, 12 Sep 2022 11:07:38 +0200
 Subject: [PATCH 6/8] Apply patch stunnel-5.56-curves-doc-update.patch
 Patch-name: stunnel-5.56-curves-doc-update.patch
 Patch-id: 6
 From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
 ---
 doc/stunnel.8.in       | 2 ++
 doc/stunnel.html.in    | 2 ++
 doc/stunnel.pl.8.in    | 2 ++
 doc/stunnel.pl.html.in | 2 ++
 doc/stunnel.pl.pod.in  | 2 ++
 doc/stunnel.pod.in     | 2 ++
 6 files changed, 12 insertions(+)
 diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in
 index a56f0b7..977a1a4 100644
 --- a/doc/stunnel.8.in
 +++ b/doc/stunnel.8.in
@@ -475,6 +475,8 @@ This file contains multiple CRLs, used with the \fIverifyChain\fR and
 .IX Item "curves = list"
 \&\s-1ECDH\s0 curves separated with ':'
 .Sp
@ -9,9 +28,11 @@
 Only a single curve name is allowed for OpenSSL older than 1.1.1.
 .Sp
 To get a list of supported curves use:
--- stunnel-5.56/doc/stunnel.html.in.curves-doc-update	2020-04-16 17:13:25.664962696 +0200
+diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in
-+++ stunnel-5.56/doc/stunnel.html.in	2020-04-16 17:16:55.897111302 +0200
+index 608afa9..cecc81a 100644
-@@ -568,6 +568,8 @@
+--- a/doc/stunnel.html.in
 +++ b/doc/stunnel.html.in
@@ -570,6 +570,8 @@
 <p>ECDH curves separated with &#39;:&#39;</p>
@ -20,42 +41,11 @@
 <p>Only a single curve name is allowed for OpenSSL older than 1.1.1.</p>
 <p>To get a list of supported curves use:</p>
--- stunnel-5.56/doc/stunnel.pod.in.curves-doc-update	2020-04-16 17:13:43.412139122 +0200
+diff --git a/doc/stunnel.pl.8.in b/doc/stunnel.pl.8.in
-+++ stunnel-5.56/doc/stunnel.pod.in	2020-04-16 17:17:25.414418073 +0200
+index e2e6622..eae88f8 100644
-@@ -499,6 +499,8 @@ I<verifyPeer> options.
+--- a/doc/stunnel.pl.8.in
- 
+++ b/doc/stunnel.pl.8.in
- ECDH curves separated with ':'
+@@ -492,6 +492,8 @@ przez opcje \fIverifyChain\fR i \fIverifyPeer\fR.
 +Note: This option is supported for server mode sockets only.
 +
 Only a single curve name is allowed for OpenSSL older than 1.1.1.
 To get a list of supported curves use:
 --- stunnel-5.56/doc/stunnel.pl.pod.in.curves-doc-update	2020-04-16 17:25:22.631934496 +0200
 +++ stunnel-5.56/doc/stunnel.pl.pod.in	2020-04-16 17:47:46.872353210 +0200
@@ -507,6 +507,8 @@ przez opcje I<verifyChain> i I<verifyPee
 krzywe ECDH odddzielone ':'
 +Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.
 +
 Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.
 Listę dostępnych krzywych można uzyskać poleceniem:
 --- stunnel-5.56/doc/stunnel.pl.html.in.curves-doc-update	2020-04-16 17:24:46.857579674 +0200
 +++ stunnel-5.56/doc/stunnel.pl.html.in	2020-04-16 17:46:13.385404626 +0200
@@ -564,6 +564,8 @@
 <p>krzywe ECDH odddzielone &#39;:&#39;</p>
 +<p>Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.</p>
 +
 <p>Wersje OpenSSL starsze ni&#x17C; 1.1.1 pozwalaj&#x105; na u&#x17C;ycie tylko jednej krzywej.</p>
 <p>List&#x119; dost&#x119;pnych krzywych mo&#x17C;na uzyska&#x107; poleceniem:</p>
 --- stunnel-5.56/doc/stunnel.pl.8.in.curves-doc-update	2020-04-16 17:24:25.665369474 +0200
 +++ stunnel-5.56/doc/stunnel.pl.8.in	2020-04-16 17:45:14.141792786 +0200
@@ -483,6 +483,8 @@ przez opcje \fIverifyChain\fR i \fIverif
 .IX Item "curves = lista"
 krzywe \s-1ECDH\s0 odddzielone ':'
 .Sp
@ -64,3 +54,45 @@
 Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.
 .Sp
 Listę dostępnych krzywych można uzyskać poleceniem:
 diff --git a/doc/stunnel.pl.html.in b/doc/stunnel.pl.html.in
 index 7be87f1..7fd7a7c 100644
 --- a/doc/stunnel.pl.html.in
 +++ b/doc/stunnel.pl.html.in
@@ -568,6 +568,8 @@
 <p>krzywe ECDH odddzielone &#39;:&#39;</p>
 +<p>Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.</p>
 +
 <p>Wersje OpenSSL starsze ni&#x17C; 1.1.1 pozwalaj&#x105; na u&#x17C;ycie tylko jednej krzywej.</p>
 <p>List&#x119; dost&#x119;pnych krzywych mo&#x17C;na uzyska&#x107; poleceniem:</p>
 diff --git a/doc/stunnel.pl.pod.in b/doc/stunnel.pl.pod.in
 index dc6b255..712f751 100644
 --- a/doc/stunnel.pl.pod.in
 +++ b/doc/stunnel.pl.pod.in
@@ -516,6 +516,8 @@ przez opcje I<verifyChain> i I<verifyPeer>.
 krzywe ECDH odddzielone ':'
 +Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.
 +
 Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.
 Listę dostępnych krzywych można uzyskać poleceniem:
 diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in
 index 840c708..85cc199 100644
 --- a/doc/stunnel.pod.in
 +++ b/doc/stunnel.pod.in
@@ -501,6 +501,8 @@ I<verifyPeer> options.
 ECDH curves separated with ':'
 +Note: This option is supported for server mode sockets only.
 +
 Only a single curve name is allowed for OpenSSL older than 1.1.1.
 To get a list of supported curves use:
 -- 
 2.37.3
--- a/stunnel-5.56-system-ciphers.patch
+++ b/stunnel-5.56-system-ciphers.patch
@ -1,12 +1,30 @@
-diff -up stunnel-5.55/src/options.c.system-ciphers stunnel-5.55/src/options.c
+From 41fcdaf237b2ba32de266d6935f8e4dc58e8bcb2 Mon Sep 17 00:00:00 2001
--- stunnel-5.55/src/options.c.system-ciphers	2019-09-19 14:43:00.631059024 +0200
+From: Sahana Prasad <sprasad@localhost.localdomain>
-+++ stunnel-5.55/src/options.c	2019-09-19 14:51:02.120053849 +0200
+Date: Mon, 12 Sep 2022 11:07:38 +0200
-@@ -277,7 +277,7 @@ static char *option_not_found=
+Subject: [PATCH 3/8] Apply patch stunnel-5.56-system-ciphers.patch
 Patch-name: stunnel-5.56-system-ciphers.patch
 Patch-id: 3
 From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
 ---
 src/options.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/options.c b/src/options.c
 index 5007f83..418f25d 100644
 --- a/src/options.c
 +++ b/src/options.c
@@ -320,8 +320,8 @@ static SERVICE_OPTIONS new_service_options;
 static const char *option_not_found=
     "Specified option name is not valid here";
- static char *stunnel_cipher_list=
+-static const char *stunnel_cipher_list=
 -    "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
 +static char *stunnel_cipher_list=
 +   "PROFILE=SYSTEM";
 #ifndef OPENSSL_NO_TLS1_3
- static char *stunnel_ciphersuites=
+ static const char *stunnel_ciphersuites=
 -- 
 2.37.3
--- a/stunnel-5.61-default-tls-version.patch
+++ b/stunnel-5.61-default-tls-version.patch
@ -1,7 +1,22 @@
-diff -up stunnel-5.61/src/ctx.c.default-tls-version stunnel-5.61/src/ctx.c
+From a8a49e5040e78200b6fb4220132c9e7c3aff1383 Mon Sep 17 00:00:00 2001
--- stunnel-5.61/src/ctx.c.default-tls-version	2021-12-13 09:43:22.000000000 +0100
+From: Clemens Lang <cllang@redhat.com>
-+++ stunnel-5.61/src/ctx.c	2022-01-10 19:27:49.913243127 +0100
+Date: Mon, 12 Sep 2022 11:07:38 +0200
-@@ -149,18 +149,28 @@ int context_init(SERVICE_OPTIONS *sectio
+Subject: [PATCH 5/8] Apply patch stunnel-5.61-default-tls-version.patch
 Patch-name: stunnel-5.61-default-tls-version.patch
 Patch-id: 5
 From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
 ---
 src/ctx.c        | 32 +++++++++++++++++++++-----------
 src/options.c    | 15 +++++++++++----
 src/prototypes.h |  3 +++
 3 files changed, 35 insertions(+), 15 deletions(-)
 diff --git a/src/ctx.c b/src/ctx.c
 index cc0806c..309ed91 100644
 --- a/src/ctx.c
 +++ b/src/ctx.c
@@ -152,18 +152,28 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
     section->ctx=SSL_CTX_new(section->option.client ?
         TLS_client_method() : TLS_server_method());
 #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
@ -41,10 +56,11 @@ diff -up stunnel-5.61/src/ctx.c.default-tls-version stunnel-5.61/src/ctx.c
 #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
     if(section->option.client)
         section->ctx=SSL_CTX_new(section->client_method);
-diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options.c
+diff --git a/src/options.c b/src/options.c
--- stunnel-5.61/src/options.c.default-tls-version	2022-01-10 19:23:15.096254067 +0100
+index 418f25d..09d02bd 100644
-+++ stunnel-5.61/src/options.c	2022-01-10 19:23:15.098254103 +0100
+--- a/src/options.c
-@@ -3297,8 +3297,9 @@ NOEXPORT char *parse_service_option(CMD
+++ b/src/options.c
@@ -3289,8 +3289,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
             return "Invalid protocol version";
         return NULL; /* OK */
     case CMD_INITIALIZE:
@ -56,7 +72,7 @@ diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options
             return "Invalid protocol version range";
         break;
     case CMD_PRINT_DEFAULTS:
-@@ -3316,7 +3317,10 @@ NOEXPORT char *parse_service_option(CMD
+@@ -3308,7 +3309,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
     /* sslVersionMax */
     switch(cmd) {
     case CMD_SET_DEFAULTS:
@ -68,7 +84,7 @@ diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options
         break;
     case CMD_SET_COPY:
         section->max_proto_version=new_service_options.max_proto_version;
-@@ -3347,7 +3351,10 @@ NOEXPORT char *parse_service_option(CMD
+@@ -3339,7 +3343,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
     /* sslVersionMin */
     switch(cmd) {
     case CMD_SET_DEFAULTS:
@ -80,10 +96,11 @@ diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options
         break;
     case CMD_SET_COPY:
         section->min_proto_version=new_service_options.min_proto_version;
-diff -up stunnel-5.61/src/prototypes.h.default-tls-version stunnel-5.61/src/prototypes.h
+diff --git a/src/prototypes.h b/src/prototypes.h
--- stunnel-5.61/src/prototypes.h.default-tls-version	2021-12-13 09:43:22.000000000 +0100
+index 89d77b8..23f6014 100644
-+++ stunnel-5.61/src/prototypes.h	2022-01-10 19:23:15.099254121 +0100
+--- a/src/prototypes.h
-@@ -932,6 +932,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
+++ b/src/prototypes.h
@@ -930,6 +930,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
 ICON_IMAGE load_icon_file(const char *);
 #endif
@ -93,3 +110,6 @@ diff -up stunnel-5.61/src/prototypes.h.default-tls-version stunnel-5.61/src/prot
 #endif /* defined PROTOTYPES_H */
 /* end of prototypes.h */
 -- 
 2.37.3
--- a/stunnel-5.61-fips-test.patch
+++ b/stunnel-5.61-fips-test.patch
@ -1,4 +1,7 @@
-Skip FIPS tests if FIPS is unconfigured
+From ba3b7eace6f1fd5797be649dd7ba87b3ec988293 Mon Sep 17 00:00:00 2001
 From: Clemens Lang <cllang@redhat.com>
 Date: Mon, 12 Sep 2022 11:07:38 +0200
 Subject: [PATCH 7/8] Skip FIPS tests if FIPS is unconfigured
 When built against OpenSSL 3 with the enable-fips option, the FIPS
 shared library can be loaded, but unless the system administrator has
@ -8,13 +11,23 @@ data.
 Since this does not indicate a problem with stunnel's code, but with the
 underlying OpenSSL setup, skip the test if this occurs. This is the same
-behavior when running against a copy of OpenSSL 3.x that was not built with
+behavior when running against a copy of OpenSSL 3.x that was not built
-'enable-fips'.
+with 'enable-fips'.
 Upstream-Status: Inappropriate [configuration]
-diff -up stunnel-5.61/tests/plugins/p10_fips.py.fips-tests stunnel-5.61/tests/plugins/p10_fips.py
+Patch-status: Skip FIPS tests if FIPS is unconfigured
--- stunnel-5.61/tests/plugins/p10_fips.py.fips-tests	2022-01-12 11:40:11.121241545 +0100
+Patch-name: stunnel-5.61-fips-test.patch
-+++ stunnel-5.61/tests/plugins/p10_fips.py	2022-01-12 11:45:01.791364483 +0100
+Patch-id: 7
 From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
 ---
 tests/plugins/p10_fips.py        | 3 ++-
 tests/plugins/p11_fips_cipher.py | 8 +++++---
 2 files changed, 7 insertions(+), 4 deletions(-)
 diff --git a/tests/plugins/p10_fips.py b/tests/plugins/p10_fips.py
 index 5d2bc56..68680c0 100644
 --- a/tests/plugins/p10_fips.py
 +++ b/tests/plugins/p10_fips.py
@@ -29,7 +29,8 @@ class FIPSTest(StunnelTest):
         self.events.skip = [
             "FIPS provider not available",
@ -25,9 +38,10 @@ diff -up stunnel-5.61/tests/plugins/p10_fips.py.fips-tests stunnel-5.61/tests/pl
         ]
         self.events.failure = [
             "peer did not return a certificate",
-diff -up stunnel-5.61/tests/plugins/p11_fips_cipher.py.fips-tests stunnel-5.61/tests/plugins/p11_fips_cipher.py
+diff --git a/tests/plugins/p11_fips_cipher.py b/tests/plugins/p11_fips_cipher.py
--- stunnel-5.61/tests/plugins/p11_fips_cipher.py.fips-tests	2022-01-12 11:40:16.192330329 +0100
+index 0280a1d..22eebd7 100644
-+++ stunnel-5.61/tests/plugins/p11_fips_cipher.py	2022-01-12 11:52:22.159227499 +0100
+--- a/tests/plugins/p11_fips_cipher.py
 +++ b/tests/plugins/p11_fips_cipher.py
@@ -30,7 +30,8 @@ class FailureCipherFIPS(StunnelTest):
         self.events.skip = [
             "FIPS provider not available",
@ -38,17 +52,16 @@ diff -up stunnel-5.61/tests/plugins/p11_fips_cipher.py.fips-tests stunnel-5.61/t
         ]
         self.events.count = 1
         self.events.success = [
-@@ -86,7 +87,8 @@ class FailureCiphersuitesFIPS(StunnelTes
+@@ -88,7 +89,7 @@ class FailureCiphersuitesFIPS(StunnelTest):
-         self.events.skip = [
+             "FIPS provider not available",
-             "FIPS provider not available",
+             "fips mode not supported",
-             "fips mode not supported",
+             r"FIPS PROVIDER.*could not load the shared library",
-            r"FIPS PROVIDER.*could not load the shared library"
+-            "Specified option name is not valid here"
-+            r"FIPS PROVIDER.*could not load the shared library",
+            r"FIPS PROVIDER.*missing config data"
-+            r"FIPS PROVIDER.*missing config data"
+         ]
-         ]
+         self.events.count = 1
-         self.events.count = 1
+         self.events.success = [
-         self.events.success = [
+@@ -147,7 +148,8 @@ class FailureEllipticCurveFIPS(StunnelTest):
@@ -145,7 +147,8 @@ class FailureEllipticCurveFIPS(StunnelTe
         self.events.skip = [
             "FIPS provider not available",
             "fips mode not supported",
@ -58,3 +71,6 @@ diff -up stunnel-5.61/tests/plugins/p11_fips_cipher.py.fips-tests stunnel-5.61/t
         ]
         self.events.count = 1
         self.events.success = [
 -- 
 2.37.3
--- a/stunnel-5.61-systemd-service.patch
+++ b/stunnel-5.61-systemd-service.patch
@ -1,7 +1,20 @@
-diff -up stunnel-5.61/tools/stunnel.service.in.systemd-service stunnel-5.61/tools/stunnel.service.in
+From 6cb73d824ac204f5680e469b0474855aaa6b8ddc Mon Sep 17 00:00:00 2001
--- stunnel-5.61/tools/stunnel.service.in.systemd-service	2022-01-10 19:16:30.973923459 +0100
+From: Clemens Lang <cllang@redhat.com>
-+++ stunnel-5.61/tools/stunnel.service.in	2022-01-10 19:17:08.588605718 +0100
+Date: Mon, 12 Sep 2022 11:07:38 +0200
-@@ -6,6 +6,7 @@ After=syslog.target network-online.targe
+Subject: [PATCH 2/8] Apply patch stunnel-5.61-systemd-service.patch
 Patch-name: stunnel-5.61-systemd-service.patch
 Patch-id: 1
 From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
 ---
 tools/stunnel.service.in | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/tools/stunnel.service.in b/tools/stunnel.service.in
 index fa98996..0c5a216 100644
 --- a/tools/stunnel.service.in
 +++ b/tools/stunnel.service.in
@@ -6,6 +6,7 @@ After=syslog.target network-online.target
 ExecStart=@bindir@/stunnel
 ExecReload=/bin/kill -HUP $MAINPID
 Type=forking
@ -9,3 +22,6 @@ diff -up stunnel-5.61/tools/stunnel.service.in.systemd-service stunnel-5.61/tool
 [Install]
 WantedBy=multi-user.target
 -- 
 2.37.3
--- a/stunnel-5.62-disabled-curves.patch
+++ b/stunnel-5.62-disabled-curves.patch
@ -1,13 +1,24 @@
-Limit curves defaults in FIPS mode
+From 2043ed7c27e14310bec49e1df6348af3882db7bb Mon Sep 17 00:00:00 2001
 From: Clemens Lang <cllang@redhat.com>
 Date: Mon, 12 Sep 2022 11:07:38 +0200
 Subject: [PATCH 8/8] Limit curves defaults in FIPS mode
 Our copy of OpenSSL disables the X25519 and X448 curves in FIPS mode,
 but stunnel defaults to enabling them and then fails to do so.
-Upstream-Status: Inappropriate [caused by a downstream patch to openssl]
+Patch-name: stunnel-5.62-disabled-curves.patch
-diff -up stunnel-5.62/src/options.c.disabled-curves stunnel-5.62/src/options.c
+Patch-status: Limit curves defaults in FIPS mode
--- stunnel-5.62/src/options.c.disabled-curves	2022-02-04 13:46:45.936884124 +0100
+Patch-id: 8
-+++ stunnel-5.62/src/options.c	2022-02-04 13:53:16.346725153 +0100
+From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
-@@ -40,8 +40,10 @@
+---
 src/options.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
 diff --git a/src/options.c b/src/options.c
 index 09d02bd..fe4e776 100644
 --- a/src/options.c
 +++ b/src/options.c
@@ -39,8 +39,10 @@
 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
 #define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
@ -18,7 +29,7 @@ diff -up stunnel-5.62/src/options.c.disabled-curves stunnel-5.62/src/options.c
 #endif /* OpenSSL version >= 1.1.1 */
 #if defined(_WIN32_WCE) && !defined(CONFDIR)
-@@ -1855,7 +1857,7 @@ NOEXPORT char *parse_service_option(CMD
+@@ -1847,7 +1849,7 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
     /* curves */
     switch(cmd) {
     case CMD_SET_DEFAULTS:
@ -27,7 +38,7 @@ diff -up stunnel-5.62/src/options.c.disabled-curves stunnel-5.62/src/options.c
         break;
     case CMD_SET_COPY:
         section->curves=str_dup_detached(new_service_options.curves);
-@@ -1870,9 +1872,26 @@ NOEXPORT char *parse_service_option(CMD
+@@ -1862,9 +1864,26 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
         section->curves=str_dup_detached(arg);
         return NULL; /* OK */
     case CMD_INITIALIZE:
@ -55,3 +66,6 @@ diff -up stunnel-5.62/src/options.c.disabled-curves stunnel-5.62/src/options.c
         break;
     case CMD_PRINT_HELP:
         s_log(LOG_NOTICE, "%-22s = ECDH curve names", "curves");
 -- 
 2.37.3
--- a/stunnel.spec
+++ b/stunnel.spec
@ -9,8 +9,8 @@
 Summary: A TLS-encrypting socket wrapper
 Name: stunnel
-Version: 5.62
+Version: 5.66
-Release: 5%{?dist}
+Release: 1%{?dist}
 License: GPLv2
 URL: https://www.stunnel.org/
 Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
@ -23,14 +23,22 @@ Source6: stunnel-pop3s-client.conf
 Source7: stunnel@.service
 # Upstream release signing key
 Source99: https://www.stunnel.org/pgp.asc
-Patch0: stunnel-5.50-authpriv.patch
+# Apply patch stunnel-5.50-authpriv.patch
-Patch1: stunnel-5.61-systemd-service.patch
+Patch0:   stunnel-5.50-authpriv.patch
-Patch3: stunnel-5.56-system-ciphers.patch
+# Apply patch stunnel-5.61-systemd-service.patch
-Patch4: stunnel-5.56-coverity.patch
+Patch1:   stunnel-5.61-systemd-service.patch
-Patch5: stunnel-5.61-default-tls-version.patch
+# Apply patch stunnel-5.56-system-ciphers.patch
-Patch6: stunnel-5.56-curves-doc-update.patch
+Patch3:   stunnel-5.56-system-ciphers.patch
-Patch7: stunnel-5.61-fips-test.patch
+# Apply patch stunnel-5.56-coverity.patch
-Patch8: stunnel-5.62-disabled-curves.patch
+Patch4:   stunnel-5.56-coverity.patch
 # Apply patch stunnel-5.61-default-tls-version.patch
 Patch5:   stunnel-5.61-default-tls-version.patch
 # Apply patch stunnel-5.56-curves-doc-update.patch
 Patch6:   stunnel-5.56-curves-doc-update.patch
 # Skip FIPS tests if FIPS is unconfigured
 Patch7:   stunnel-5.61-fips-test.patch
 # Limit curves defaults in FIPS mode
 Patch8:   stunnel-5.62-disabled-curves.patch
 # util-linux is needed for rename
 BuildRequires: make
 BuildRequires: gcc
@ -74,6 +82,7 @@ fi
 %else
 --disable-libwrap \
 %endif
 	--with-bashcompdir=%{_datadir}/bash-completion/completions \
 	CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'"
 make V=1 LDADD="-pie -Wl,-z,defs,-z,relro,-z,now"
@ -134,6 +143,10 @@ fi
 %systemd_postun_with_restart %{name}.service
 %changelog
 * Mon Sep 12 2022 Clemens Lang <cllang@redhat.com> - 5.66-1
 - New upstream release 5.66
  Resolves: rhbz#2125932
 * Sat Jul 23 2022 Todd Zullinger <tmz@pobox.com> - 5.62-5
 - verify upstream source in %%prep
 - clean up stale conditionals
`@ -1,2 +1,2 @@`
	`SHA512 (stunnel-5.62.tar.gz) = 4ce03faa27e417b49fbdf0fbac91befb2c05ce64694b4b6fd2fc482031ee4a229299627133a47ff3efdfdffce751e1300d95d0a8ac1f1858c7c96f0b067170de`	`SHA512 (stunnel-5.66.tar.gz) = 7034f4de953df2a55a0837ff1b5bddcec0bc89a6c2bd33371d0cb59125f0a6abb1540456603e0079727821654e20657844f8e38e8e801f2bdf86bc1b6490c0aa`
	`SHA512 (stunnel-5.62.tar.gz.asc) = 983b41100e7ef6dba5a9b7e7cd64e50b1f6860a6bf18ca393e14d65680bfed951475e6f7f4ec9e8da036aaa86e0668f65e3df7025220eda7315de4d110a24ac5`	`SHA512 (stunnel-5.66.tar.gz.asc) = 6c1cc73752bf7068b5b865bdc1f2073ca755fa290e7687186878091cf8ead425bcfa8249f2588298565a71f0dad037247dc46391561702f298c3044ffb58b383`