From 9d17847efb3d36af0fbb122b753479e91c4d6b65 Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Mon, 6 Mar 2023 11:45:56 +0100 Subject: [PATCH] New upstream release 5.69 Resolves: rhbz#2139207 Signed-off-by: Clemens Lang --- sources | 4 +- stunnel-5.50-authpriv.patch | 44 +++++------ stunnel-5.56-system-ciphers.patch | 30 -------- stunnel-5.61-fips-test.patch | 76 ------------------- ... => stunnel-5.69-default-tls-version.patch | 76 ++++++++++--------- stunnel-5.69-system-ciphers.patch | 37 +++++++++ stunnel.spec | 23 ++++-- 7 files changed, 115 insertions(+), 175 deletions(-) delete mode 100644 stunnel-5.56-system-ciphers.patch delete mode 100644 stunnel-5.61-fips-test.patch rename stunnel-5.61-default-tls-version.patch => stunnel-5.69-default-tls-version.patch (68%) create mode 100644 stunnel-5.69-system-ciphers.patch diff --git a/sources b/sources index 831378e..d3758b5 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (stunnel-5.66.tar.gz) = 7034f4de953df2a55a0837ff1b5bddcec0bc89a6c2bd33371d0cb59125f0a6abb1540456603e0079727821654e20657844f8e38e8e801f2bdf86bc1b6490c0aa -SHA512 (stunnel-5.66.tar.gz.asc) = 6c1cc73752bf7068b5b865bdc1f2073ca755fa290e7687186878091cf8ead425bcfa8249f2588298565a71f0dad037247dc46391561702f298c3044ffb58b383 +SHA512 (stunnel-5.69.tar.gz) = 6ae7b3bc126d45a633e91a4c9e5841d321c8704753866c0e5d0e94cbb189288a5b699dfdbc4d0b26f0c39ca69bae2c8f96f26a3b2b4a7b626f457845e6a53d2d +SHA512 (stunnel-5.69.tar.gz.asc) = cc4d28be3eece53bf3d8413c1855c70548d8d3bfee9fce3a31bc3c00f12eb6a4905de23875cbbbad7d99356d3f767792d823e132ab4222f515fbf314617496c3 diff --git a/stunnel-5.50-authpriv.patch b/stunnel-5.50-authpriv.patch index bcd91d1..dbb3b43 100644 --- a/stunnel-5.50-authpriv.patch +++ b/stunnel-5.50-authpriv.patch @@ -1,7 +1,7 @@ -From 9cd8694f2b742e46370d38c34a53523c1aafae93 Mon Sep 17 00:00:00 2001 +From cfbf803dd3338a915f41bdfded69b34e7f21403d Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 12 Sep 2022 11:07:38 +0200 -Subject: [PATCH 1/8] Apply patch stunnel-5.50-authpriv.patch +Subject: [PATCH 1/7] Apply patch stunnel-5.50-authpriv.patch Patch-name: stunnel-5.50-authpriv.patch Patch-id: 0 @@ -14,49 +14,49 @@ From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in -index d5de80b..a56f0b7 100644 +index 8cd8bc0..b5d7d75 100644 --- a/doc/stunnel.8.in +++ b/doc/stunnel.8.in -@@ -204,7 +204,7 @@ info (6), or debug (7). All logs for the specified level and - all levels numerically less than it will be shown. Use \fIdebug = debug\fR or - \&\fIdebug = 7\fR for greatest debugging output. The default is notice (5). +@@ -209,7 +209,7 @@ requested to do so by an stunnel developer, or when you intend to get confused. .Sp --The syslog facility 'daemon' will be used unless a facility name is supplied. -+The syslog facility 'authpriv' will be used unless a facility name is supplied. + The default logging level is notice (5). + .Sp +-The syslog 'daemon' facility will be used unless a facility name is supplied. ++The syslog 'authpriv' facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.) .Sp Case is ignored for both facilities and levels. diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in -index 4f84d5c..608afa9 100644 +index a7931aa..cda5993 100644 --- a/doc/stunnel.html.in +++ b/doc/stunnel.html.in -@@ -244,7 +244,7 @@ +@@ -248,7 +248,7 @@ -

Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use debug = debug or debug = 7 for greatest debugging output. The default is notice (5).

+

The default logging level is notice (5).

--

The syslog facility 'daemon' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)

-+

The syslog facility 'authpriv' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)

+-

The syslog 'daemon' facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.)

++

The syslog 'authpriv' facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.)

Case is ignored for both facilities and levels.

diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in -index 0246f82..840c708 100644 +index a54b25d..f830cf3 100644 --- a/doc/stunnel.pod.in +++ b/doc/stunnel.pod.in -@@ -192,7 +192,7 @@ info (6), or debug (7). All logs for the specified level and - all levels numerically less than it will be shown. Use I or - I for greatest debugging output. The default is notice (5). +@@ -197,7 +197,7 @@ requested to do so by an stunnel developer, or when you intend to get confused. --The syslog facility 'daemon' will be used unless a facility name is supplied. -+The syslog facility 'authpriv' will be used unless a facility name is supplied. + The default logging level is notice (5). + +-The syslog 'daemon' facility will be used unless a facility name is supplied. ++The syslog 'authpriv' facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.) Case is ignored for both facilities and levels. diff --git a/src/options.c b/src/options.c -index 9ac9c7e..5007f83 100644 +index 5f8ad8b..6e4a18b 100644 --- a/src/options.c +++ b/src/options.c -@@ -1878,7 +1878,11 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr +@@ -1960,7 +1960,11 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr case CMD_SET_DEFAULTS: section->log_level=LOG_NOTICE; #if !defined (USE_WIN32) && !defined (__vms) @@ -69,5 +69,5 @@ index 9ac9c7e..5007f83 100644 break; case CMD_SET_COPY: -- -2.37.3 +2.39.2 diff --git a/stunnel-5.56-system-ciphers.patch b/stunnel-5.56-system-ciphers.patch deleted file mode 100644 index 557e33c..0000000 --- a/stunnel-5.56-system-ciphers.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 41fcdaf237b2ba32de266d6935f8e4dc58e8bcb2 Mon Sep 17 00:00:00 2001 -From: Sahana Prasad -Date: Mon, 12 Sep 2022 11:07:38 +0200 -Subject: [PATCH 3/8] Apply patch stunnel-5.56-system-ciphers.patch - -Patch-name: stunnel-5.56-system-ciphers.patch -Patch-id: 3 -From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3 ---- - src/options.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/options.c b/src/options.c -index 5007f83..418f25d 100644 ---- a/src/options.c -+++ b/src/options.c -@@ -320,8 +320,8 @@ static SERVICE_OPTIONS new_service_options; - static const char *option_not_found= - "Specified option name is not valid here"; - --static const char *stunnel_cipher_list= -- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK"; -+static char *stunnel_cipher_list= -+ "PROFILE=SYSTEM"; - - #ifndef OPENSSL_NO_TLS1_3 - static const char *stunnel_ciphersuites= --- -2.37.3 - diff --git a/stunnel-5.61-fips-test.patch b/stunnel-5.61-fips-test.patch deleted file mode 100644 index cd052e8..0000000 --- a/stunnel-5.61-fips-test.patch +++ /dev/null @@ -1,76 +0,0 @@ -From ba3b7eace6f1fd5797be649dd7ba87b3ec988293 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Mon, 12 Sep 2022 11:07:38 +0200 -Subject: [PATCH 7/8] Skip FIPS tests if FIPS is unconfigured - -When built against OpenSSL 3 with the enable-fips option, the FIPS -shared library can be loaded, but unless the system administrator has -run openssl fipsinstall and modified the OpenSSL configuration, FIPS -mode will still fail with an error message saying it is missing config -data. - -Since this does not indicate a problem with stunnel's code, but with the -underlying OpenSSL setup, skip the test if this occurs. This is the same -behavior when running against a copy of OpenSSL 3.x that was not built -with 'enable-fips'. - -Upstream-Status: Inappropriate [configuration] -Patch-status: Skip FIPS tests if FIPS is unconfigured -Patch-name: stunnel-5.61-fips-test.patch -Patch-id: 7 -From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3 ---- - tests/plugins/p10_fips.py | 3 ++- - tests/plugins/p11_fips_cipher.py | 8 +++++--- - 2 files changed, 7 insertions(+), 4 deletions(-) - -diff --git a/tests/plugins/p10_fips.py b/tests/plugins/p10_fips.py -index 5d2bc56..68680c0 100644 ---- a/tests/plugins/p10_fips.py -+++ b/tests/plugins/p10_fips.py -@@ -29,7 +29,8 @@ class FIPSTest(StunnelTest): - self.events.skip = [ - "FIPS provider not available", - "fips mode not supported", -- r"FIPS PROVIDER.*could not load the shared library" -+ r"FIPS PROVIDER.*could not load the shared library", -+ r"FIPS PROVIDER.*missing config data" - ] - self.events.failure = [ - "peer did not return a certificate", -diff --git a/tests/plugins/p11_fips_cipher.py b/tests/plugins/p11_fips_cipher.py -index 0280a1d..22eebd7 100644 ---- a/tests/plugins/p11_fips_cipher.py -+++ b/tests/plugins/p11_fips_cipher.py -@@ -30,7 +30,8 @@ class FailureCipherFIPS(StunnelTest): - self.events.skip = [ - "FIPS provider not available", - "fips mode not supported", -- r"FIPS PROVIDER.*could not load the shared library" -+ r"FIPS PROVIDER.*could not load the shared library", -+ r"FIPS PROVIDER.*missing config data" - ] - self.events.count = 1 - self.events.success = [ -@@ -88,7 +89,7 @@ class FailureCiphersuitesFIPS(StunnelTest): - "FIPS provider not available", - "fips mode not supported", - r"FIPS PROVIDER.*could not load the shared library", -- "Specified option name is not valid here" -+ r"FIPS PROVIDER.*missing config data" - ] - self.events.count = 1 - self.events.success = [ -@@ -147,7 +148,8 @@ class FailureEllipticCurveFIPS(StunnelTest): - self.events.skip = [ - "FIPS provider not available", - "fips mode not supported", -- r"FIPS PROVIDER.*could not load the shared library" -+ r"FIPS PROVIDER.*could not load the shared library", -+ r"FIPS PROVIDER.*missing config data" - ] - self.events.count = 1 - self.events.success = [ --- -2.37.3 - diff --git a/stunnel-5.61-default-tls-version.patch b/stunnel-5.69-default-tls-version.patch similarity index 68% rename from stunnel-5.61-default-tls-version.patch rename to stunnel-5.69-default-tls-version.patch index 23ed909..36ac353 100644 --- a/stunnel-5.61-default-tls-version.patch +++ b/stunnel-5.69-default-tls-version.patch @@ -1,66 +1,68 @@ -From a8a49e5040e78200b6fb4220132c9e7c3aff1383 Mon Sep 17 00:00:00 2001 +From 1d3349209f339e6a68312fce076e355bc767d76c Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Mon, 12 Sep 2022 11:07:38 +0200 -Subject: [PATCH 5/8] Apply patch stunnel-5.61-default-tls-version.patch +Subject: [PATCH 5/7] Apply patch stunnel-5.69-default-tls-version.patch -Patch-name: stunnel-5.61-default-tls-version.patch +Patch-name: stunnel-5.69-default-tls-version.patch Patch-id: 5 From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3 --- - src/ctx.c | 32 +++++++++++++++++++++----------- + src/ctx.c | 34 ++++++++++++++++++++++------------ src/options.c | 15 +++++++++++---- src/prototypes.h | 3 +++ - 3 files changed, 35 insertions(+), 15 deletions(-) + 3 files changed, 36 insertions(+), 16 deletions(-) diff --git a/src/ctx.c b/src/ctx.c -index cc0806c..309ed91 100644 +index 6a42a6b..cba24d9 100644 --- a/src/ctx.c +++ b/src/ctx.c -@@ -152,18 +152,28 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */ +@@ -152,19 +152,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */ section->ctx=SSL_CTX_new(section->option.client ? TLS_client_method() : TLS_server_method()); #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */ -- if(!SSL_CTX_set_min_proto_version(section->ctx, +- if(section->min_proto_version && +- !SSL_CTX_set_min_proto_version(section->ctx, - section->min_proto_version)) { - s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", - section->min_proto_version); - return 1; /* FAILED */ -- } -- if(!SSL_CTX_set_max_proto_version(section->ctx, ++ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) { ++ s_log(LOG_INFO, "Using the default TLS minimum version as specified in" ++ " crypto policies. Not setting explicitly."); ++ } else { ++ if(section->min_proto_version && ++ !SSL_CTX_set_min_proto_version(section->ctx, ++ section->min_proto_version)) { ++ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", ++ section->min_proto_version); ++ return 1; /* FAILED */ ++ } + } +- if(section->max_proto_version && +- !SSL_CTX_set_max_proto_version(section->ctx, - section->max_proto_version)) { - s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", - section->max_proto_version); - return 1; /* FAILED */ -+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) { -+ s_log(LOG_INFO, "Using the default TLS version as specified in " -+ "OpenSSL crypto policies. Not setting explicitly."); ++ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) { ++ s_log(LOG_INFO, "Using the default TLS maximum version as specified in" ++ " crypto policies. Not setting explicitly"); + } else { -+ if(!SSL_CTX_set_min_proto_version(section->ctx, -+ section->min_proto_version)) { -+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", -+ section->min_proto_version); ++ if(section->max_proto_version && ++ !SSL_CTX_set_max_proto_version(section->ctx, ++ section->max_proto_version)) { ++ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", ++ section->max_proto_version); + return 1; /* FAILED */ + } } -+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) { -+ s_log(LOG_INFO, "Using the default TLS version as specified in " -+ "OpenSSL crypto policies. Not setting explicitly"); -+ } else { -+ if(!SSL_CTX_set_max_proto_version(section->ctx, -+ section->max_proto_version)) { -+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", -+ section->max_proto_version); -+ return 1; /* FAILED */ -+ } -+ } #else /* OPENSSL_VERSION_NUMBER<0x10100000L */ if(section->option.client) - section->ctx=SSL_CTX_new(section->client_method); diff --git a/src/options.c b/src/options.c -index 418f25d..09d02bd 100644 +index 4d31815..2ec5934 100644 --- a/src/options.c +++ b/src/options.c -@@ -3289,8 +3289,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr +@@ -3371,8 +3371,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr return "Invalid protocol version"; return NULL; /* OK */ case CMD_INITIALIZE: @@ -72,7 +74,7 @@ index 418f25d..09d02bd 100644 return "Invalid protocol version range"; break; case CMD_PRINT_DEFAULTS: -@@ -3308,7 +3309,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr +@@ -3390,7 +3391,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr /* sslVersionMax */ switch(cmd) { case CMD_SET_DEFAULTS: @@ -84,11 +86,11 @@ index 418f25d..09d02bd 100644 break; case CMD_SET_COPY: section->max_proto_version=new_service_options.max_proto_version; -@@ -3339,7 +3343,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr +@@ -3421,7 +3425,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr /* sslVersionMin */ switch(cmd) { case CMD_SET_DEFAULTS: -- section->min_proto_version=TLS1_VERSION; +- section->min_proto_version=0; /* lowest supported */ + section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in + OpenSSL crypto + policies. Do not @@ -97,10 +99,10 @@ index 418f25d..09d02bd 100644 case CMD_SET_COPY: section->min_proto_version=new_service_options.min_proto_version; diff --git a/src/prototypes.h b/src/prototypes.h -index 89d77b8..23f6014 100644 +index 0ecd719..a126c9e 100644 --- a/src/prototypes.h +++ b/src/prototypes.h -@@ -930,6 +930,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE); +@@ -940,6 +940,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE); ICON_IMAGE load_icon_file(const char *); #endif @@ -111,5 +113,5 @@ index 89d77b8..23f6014 100644 /* end of prototypes.h */ -- -2.37.3 +2.39.2 diff --git a/stunnel-5.69-system-ciphers.patch b/stunnel-5.69-system-ciphers.patch new file mode 100644 index 0000000..c7be57d --- /dev/null +++ b/stunnel-5.69-system-ciphers.patch @@ -0,0 +1,37 @@ +From 6c8c4c8c85204943223b251d09ca1e93571a437a Mon Sep 17 00:00:00 2001 +From: Sahana Prasad +Date: Mon, 12 Sep 2022 11:07:38 +0200 +Subject: [PATCH 3/7] Use cipher configuration from crypto-policies + +On Fedora, CentOS and RHEL, the system's crypto policies are the best +source to determine which cipher suites to accept in TLS. On these +platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those +policies. Change stunnel to default to this setting. + +Co-Authored-by: Sahana Prasad +Patch-name: stunnel-5.69-system-ciphers.patch +Patch-id: 3 +From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3 +--- + src/options.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/options.c b/src/options.c +index 6e4a18b..4d31815 100644 +--- a/src/options.c ++++ b/src/options.c +@@ -321,9 +321,9 @@ static const char *option_not_found= + "Specified option name is not valid here"; + + static const char *stunnel_cipher_list= +- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK"; ++ "PROFILE=SYSTEM"; + static const char *fips_cipher_list= +- "FIPS:!DH:!kDHEPSK"; ++ "PROFILE=SYSTEM"; + + #ifndef OPENSSL_NO_TLS1_3 + static const char *stunnel_ciphersuites= +-- +2.39.2 + diff --git a/stunnel.spec b/stunnel.spec index 697a716..c553357 100644 --- a/stunnel.spec +++ b/stunnel.spec @@ -9,8 +9,8 @@ Summary: A TLS-encrypting socket wrapper Name: stunnel -Version: 5.66 -Release: 2%{?dist} +Version: 5.69 +Release: 1%{?dist} License: GPLv2 URL: https://www.stunnel.org/ Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz @@ -27,16 +27,19 @@ Source99: https://www.stunnel.org/pgp.asc Patch0: stunnel-5.50-authpriv.patch # Apply patch stunnel-5.61-systemd-service.patch Patch1: stunnel-5.61-systemd-service.patch -# Apply patch stunnel-5.56-system-ciphers.patch -Patch3: stunnel-5.56-system-ciphers.patch +# Use cipher configuration from crypto-policies +# +# On Fedora, CentOS and RHEL, the system's crypto policies are the best +# source to determine which cipher suites to accept in TLS. On these +# platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those +# policies. Change stunnel to default to this setting. +Patch3: stunnel-5.69-system-ciphers.patch # Apply patch stunnel-5.56-coverity.patch Patch4: stunnel-5.56-coverity.patch -# Apply patch stunnel-5.61-default-tls-version.patch -Patch5: stunnel-5.61-default-tls-version.patch +# Apply patch stunnel-5.69-default-tls-version.patch +Patch5: stunnel-5.69-default-tls-version.patch # Apply patch stunnel-5.56-curves-doc-update.patch Patch6: stunnel-5.56-curves-doc-update.patch -# Skip FIPS tests if FIPS is unconfigured -Patch7: stunnel-5.61-fips-test.patch # Limit curves defaults in FIPS mode Patch8: stunnel-5.62-disabled-curves.patch # util-linux is needed for rename @@ -143,6 +146,10 @@ fi %systemd_postun_with_restart %{name}.service %changelog +* Mon Mar 06 2023 Clemens Lang - 5.69-1 +- New upstream release 5.69 + Resolves: rhbz#2139207 + * Sat Jan 21 2023 Fedora Release Engineering - 5.66-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild