New upstream release 5.69

Resolves: rhbz#2139207
Signed-off-by: Clemens Lang <cllang@redhat.com>
This commit is contained in:
Clemens Lang 2023-03-06 11:45:56 +01:00
parent 057127f700
commit 9d17847efb
7 changed files with 115 additions and 175 deletions

View File

@ -1,2 +1,2 @@
SHA512 (stunnel-5.66.tar.gz) = 7034f4de953df2a55a0837ff1b5bddcec0bc89a6c2bd33371d0cb59125f0a6abb1540456603e0079727821654e20657844f8e38e8e801f2bdf86bc1b6490c0aa
SHA512 (stunnel-5.66.tar.gz.asc) = 6c1cc73752bf7068b5b865bdc1f2073ca755fa290e7687186878091cf8ead425bcfa8249f2588298565a71f0dad037247dc46391561702f298c3044ffb58b383
SHA512 (stunnel-5.69.tar.gz) = 6ae7b3bc126d45a633e91a4c9e5841d321c8704753866c0e5d0e94cbb189288a5b699dfdbc4d0b26f0c39ca69bae2c8f96f26a3b2b4a7b626f457845e6a53d2d
SHA512 (stunnel-5.69.tar.gz.asc) = cc4d28be3eece53bf3d8413c1855c70548d8d3bfee9fce3a31bc3c00f12eb6a4905de23875cbbbad7d99356d3f767792d823e132ab4222f515fbf314617496c3

View File

@ -1,7 +1,7 @@
From 9cd8694f2b742e46370d38c34a53523c1aafae93 Mon Sep 17 00:00:00 2001
From cfbf803dd3338a915f41bdfded69b34e7f21403d Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Mon, 12 Sep 2022 11:07:38 +0200
Subject: [PATCH 1/8] Apply patch stunnel-5.50-authpriv.patch
Subject: [PATCH 1/7] Apply patch stunnel-5.50-authpriv.patch
Patch-name: stunnel-5.50-authpriv.patch
Patch-id: 0
@ -14,49 +14,49 @@ From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
4 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in
index d5de80b..a56f0b7 100644
index 8cd8bc0..b5d7d75 100644
--- a/doc/stunnel.8.in
+++ b/doc/stunnel.8.in
@@ -204,7 +204,7 @@ info (6), or debug (7). All logs for the specified level and
all levels numerically less than it will be shown. Use \fIdebug = debug\fR or
\&\fIdebug = 7\fR for greatest debugging output. The default is notice (5).
@@ -209,7 +209,7 @@ requested to do so by an stunnel developer, or when you intend to get confused.
.Sp
-The syslog facility 'daemon' will be used unless a facility name is supplied.
+The syslog facility 'authpriv' will be used unless a facility name is supplied.
The default logging level is notice (5).
.Sp
-The syslog 'daemon' facility will be used unless a facility name is supplied.
+The syslog 'authpriv' facility will be used unless a facility name is supplied.
(Facilities are not supported on Win32.)
.Sp
Case is ignored for both facilities and levels.
diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in
index 4f84d5c..608afa9 100644
index a7931aa..cda5993 100644
--- a/doc/stunnel.html.in
+++ b/doc/stunnel.html.in
@@ -244,7 +244,7 @@
@@ -248,7 +248,7 @@
<p>Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use <i>debug = debug</i> or <i>debug = 7</i> for greatest debugging output. The default is notice (5).</p>
<p>The default logging level is notice (5).</p>
-<p>The syslog facility &#39;daemon&#39; will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
+<p>The syslog facility &#39;authpriv&#39; will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
-<p>The syslog &#39;daemon&#39; facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
+<p>The syslog &#39;authpriv&#39; facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
<p>Case is ignored for both facilities and levels.</p>
diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in
index 0246f82..840c708 100644
index a54b25d..f830cf3 100644
--- a/doc/stunnel.pod.in
+++ b/doc/stunnel.pod.in
@@ -192,7 +192,7 @@ info (6), or debug (7). All logs for the specified level and
all levels numerically less than it will be shown. Use I<debug = debug> or
I<debug = 7> for greatest debugging output. The default is notice (5).
@@ -197,7 +197,7 @@ requested to do so by an stunnel developer, or when you intend to get confused.
-The syslog facility 'daemon' will be used unless a facility name is supplied.
+The syslog facility 'authpriv' will be used unless a facility name is supplied.
The default logging level is notice (5).
-The syslog 'daemon' facility will be used unless a facility name is supplied.
+The syslog 'authpriv' facility will be used unless a facility name is supplied.
(Facilities are not supported on Win32.)
Case is ignored for both facilities and levels.
diff --git a/src/options.c b/src/options.c
index 9ac9c7e..5007f83 100644
index 5f8ad8b..6e4a18b 100644
--- a/src/options.c
+++ b/src/options.c
@@ -1878,7 +1878,11 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
@@ -1960,7 +1960,11 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
case CMD_SET_DEFAULTS:
section->log_level=LOG_NOTICE;
#if !defined (USE_WIN32) && !defined (__vms)
@ -69,5 +69,5 @@ index 9ac9c7e..5007f83 100644
break;
case CMD_SET_COPY:
--
2.37.3
2.39.2

View File

@ -1,30 +0,0 @@
From 41fcdaf237b2ba32de266d6935f8e4dc58e8bcb2 Mon Sep 17 00:00:00 2001
From: Sahana Prasad <sprasad@localhost.localdomain>
Date: Mon, 12 Sep 2022 11:07:38 +0200
Subject: [PATCH 3/8] Apply patch stunnel-5.56-system-ciphers.patch
Patch-name: stunnel-5.56-system-ciphers.patch
Patch-id: 3
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
---
src/options.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/options.c b/src/options.c
index 5007f83..418f25d 100644
--- a/src/options.c
+++ b/src/options.c
@@ -320,8 +320,8 @@ static SERVICE_OPTIONS new_service_options;
static const char *option_not_found=
"Specified option name is not valid here";
-static const char *stunnel_cipher_list=
- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
+static char *stunnel_cipher_list=
+ "PROFILE=SYSTEM";
#ifndef OPENSSL_NO_TLS1_3
static const char *stunnel_ciphersuites=
--
2.37.3

View File

@ -1,76 +0,0 @@
From ba3b7eace6f1fd5797be649dd7ba87b3ec988293 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Mon, 12 Sep 2022 11:07:38 +0200
Subject: [PATCH 7/8] Skip FIPS tests if FIPS is unconfigured
When built against OpenSSL 3 with the enable-fips option, the FIPS
shared library can be loaded, but unless the system administrator has
run openssl fipsinstall and modified the OpenSSL configuration, FIPS
mode will still fail with an error message saying it is missing config
data.
Since this does not indicate a problem with stunnel's code, but with the
underlying OpenSSL setup, skip the test if this occurs. This is the same
behavior when running against a copy of OpenSSL 3.x that was not built
with 'enable-fips'.
Upstream-Status: Inappropriate [configuration]
Patch-status: Skip FIPS tests if FIPS is unconfigured
Patch-name: stunnel-5.61-fips-test.patch
Patch-id: 7
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
---
tests/plugins/p10_fips.py | 3 ++-
tests/plugins/p11_fips_cipher.py | 8 +++++---
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/tests/plugins/p10_fips.py b/tests/plugins/p10_fips.py
index 5d2bc56..68680c0 100644
--- a/tests/plugins/p10_fips.py
+++ b/tests/plugins/p10_fips.py
@@ -29,7 +29,8 @@ class FIPSTest(StunnelTest):
self.events.skip = [
"FIPS provider not available",
"fips mode not supported",
- r"FIPS PROVIDER.*could not load the shared library"
+ r"FIPS PROVIDER.*could not load the shared library",
+ r"FIPS PROVIDER.*missing config data"
]
self.events.failure = [
"peer did not return a certificate",
diff --git a/tests/plugins/p11_fips_cipher.py b/tests/plugins/p11_fips_cipher.py
index 0280a1d..22eebd7 100644
--- a/tests/plugins/p11_fips_cipher.py
+++ b/tests/plugins/p11_fips_cipher.py
@@ -30,7 +30,8 @@ class FailureCipherFIPS(StunnelTest):
self.events.skip = [
"FIPS provider not available",
"fips mode not supported",
- r"FIPS PROVIDER.*could not load the shared library"
+ r"FIPS PROVIDER.*could not load the shared library",
+ r"FIPS PROVIDER.*missing config data"
]
self.events.count = 1
self.events.success = [
@@ -88,7 +89,7 @@ class FailureCiphersuitesFIPS(StunnelTest):
"FIPS provider not available",
"fips mode not supported",
r"FIPS PROVIDER.*could not load the shared library",
- "Specified option name is not valid here"
+ r"FIPS PROVIDER.*missing config data"
]
self.events.count = 1
self.events.success = [
@@ -147,7 +148,8 @@ class FailureEllipticCurveFIPS(StunnelTest):
self.events.skip = [
"FIPS provider not available",
"fips mode not supported",
- r"FIPS PROVIDER.*could not load the shared library"
+ r"FIPS PROVIDER.*could not load the shared library",
+ r"FIPS PROVIDER.*missing config data"
]
self.events.count = 1
self.events.success = [
--
2.37.3

View File

@ -1,66 +1,68 @@
From a8a49e5040e78200b6fb4220132c9e7c3aff1383 Mon Sep 17 00:00:00 2001
From 1d3349209f339e6a68312fce076e355bc767d76c Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Mon, 12 Sep 2022 11:07:38 +0200
Subject: [PATCH 5/8] Apply patch stunnel-5.61-default-tls-version.patch
Subject: [PATCH 5/7] Apply patch stunnel-5.69-default-tls-version.patch
Patch-name: stunnel-5.61-default-tls-version.patch
Patch-name: stunnel-5.69-default-tls-version.patch
Patch-id: 5
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
---
src/ctx.c | 32 +++++++++++++++++++++-----------
src/ctx.c | 34 ++++++++++++++++++++++------------
src/options.c | 15 +++++++++++----
src/prototypes.h | 3 +++
3 files changed, 35 insertions(+), 15 deletions(-)
3 files changed, 36 insertions(+), 16 deletions(-)
diff --git a/src/ctx.c b/src/ctx.c
index cc0806c..309ed91 100644
index 6a42a6b..cba24d9 100644
--- a/src/ctx.c
+++ b/src/ctx.c
@@ -152,18 +152,28 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
@@ -152,19 +152,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
section->ctx=SSL_CTX_new(section->option.client ?
TLS_client_method() : TLS_server_method());
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
- if(!SSL_CTX_set_min_proto_version(section->ctx,
- if(section->min_proto_version &&
- !SSL_CTX_set_min_proto_version(section->ctx,
- section->min_proto_version)) {
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
- section->min_proto_version);
- return 1; /* FAILED */
- }
- if(!SSL_CTX_set_max_proto_version(section->ctx,
- section->max_proto_version)) {
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
- section->max_proto_version);
- return 1; /* FAILED */
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in "
+ "OpenSSL crypto policies. Not setting explicitly.");
+ s_log(LOG_INFO, "Using the default TLS minimum version as specified in"
+ " crypto policies. Not setting explicitly.");
+ } else {
+ if(!SSL_CTX_set_min_proto_version(section->ctx,
+ if(section->min_proto_version &&
+ !SSL_CTX_set_min_proto_version(section->ctx,
+ section->min_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+ section->min_proto_version);
+ return 1; /* FAILED */
+ }
}
- if(section->max_proto_version &&
- !SSL_CTX_set_max_proto_version(section->ctx,
- section->max_proto_version)) {
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
- section->max_proto_version);
- return 1; /* FAILED */
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in "
+ "OpenSSL crypto policies. Not setting explicitly");
+ s_log(LOG_INFO, "Using the default TLS maximum version as specified in"
+ " crypto policies. Not setting explicitly");
+ } else {
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
+ if(section->max_proto_version &&
+ !SSL_CTX_set_max_proto_version(section->ctx,
+ section->max_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+ section->max_proto_version);
+ return 1; /* FAILED */
+ }
+ }
}
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
if(section->option.client)
section->ctx=SSL_CTX_new(section->client_method);
diff --git a/src/options.c b/src/options.c
index 418f25d..09d02bd 100644
index 4d31815..2ec5934 100644
--- a/src/options.c
+++ b/src/options.c
@@ -3289,8 +3289,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
@@ -3371,8 +3371,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
return "Invalid protocol version";
return NULL; /* OK */
case CMD_INITIALIZE:
@ -72,7 +74,7 @@ index 418f25d..09d02bd 100644
return "Invalid protocol version range";
break;
case CMD_PRINT_DEFAULTS:
@@ -3308,7 +3309,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
@@ -3390,7 +3391,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
/* sslVersionMax */
switch(cmd) {
case CMD_SET_DEFAULTS:
@ -84,11 +86,11 @@ index 418f25d..09d02bd 100644
break;
case CMD_SET_COPY:
section->max_proto_version=new_service_options.max_proto_version;
@@ -3339,7 +3343,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
@@ -3421,7 +3425,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
/* sslVersionMin */
switch(cmd) {
case CMD_SET_DEFAULTS:
- section->min_proto_version=TLS1_VERSION;
- section->min_proto_version=0; /* lowest supported */
+ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+ OpenSSL crypto
+ policies. Do not
@ -97,10 +99,10 @@ index 418f25d..09d02bd 100644
case CMD_SET_COPY:
section->min_proto_version=new_service_options.min_proto_version;
diff --git a/src/prototypes.h b/src/prototypes.h
index 89d77b8..23f6014 100644
index 0ecd719..a126c9e 100644
--- a/src/prototypes.h
+++ b/src/prototypes.h
@@ -930,6 +930,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
@@ -940,6 +940,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
ICON_IMAGE load_icon_file(const char *);
#endif
@ -111,5 +113,5 @@ index 89d77b8..23f6014 100644
/* end of prototypes.h */
--
2.37.3
2.39.2

View File

@ -0,0 +1,37 @@
From 6c8c4c8c85204943223b251d09ca1e93571a437a Mon Sep 17 00:00:00 2001
From: Sahana Prasad <sprasad@localhost.localdomain>
Date: Mon, 12 Sep 2022 11:07:38 +0200
Subject: [PATCH 3/7] Use cipher configuration from crypto-policies
On Fedora, CentOS and RHEL, the system's crypto policies are the best
source to determine which cipher suites to accept in TLS. On these
platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
policies. Change stunnel to default to this setting.
Co-Authored-by: Sahana Prasad <shebburn@redhat.com>
Patch-name: stunnel-5.69-system-ciphers.patch
Patch-id: 3
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
---
src/options.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/options.c b/src/options.c
index 6e4a18b..4d31815 100644
--- a/src/options.c
+++ b/src/options.c
@@ -321,9 +321,9 @@ static const char *option_not_found=
"Specified option name is not valid here";
static const char *stunnel_cipher_list=
- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
+ "PROFILE=SYSTEM";
static const char *fips_cipher_list=
- "FIPS:!DH:!kDHEPSK";
+ "PROFILE=SYSTEM";
#ifndef OPENSSL_NO_TLS1_3
static const char *stunnel_ciphersuites=
--
2.39.2

View File

@ -9,8 +9,8 @@
Summary: A TLS-encrypting socket wrapper
Name: stunnel
Version: 5.66
Release: 2%{?dist}
Version: 5.69
Release: 1%{?dist}
License: GPLv2
URL: https://www.stunnel.org/
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
@ -27,16 +27,19 @@ Source99: https://www.stunnel.org/pgp.asc
Patch0: stunnel-5.50-authpriv.patch
# Apply patch stunnel-5.61-systemd-service.patch
Patch1: stunnel-5.61-systemd-service.patch
# Apply patch stunnel-5.56-system-ciphers.patch
Patch3: stunnel-5.56-system-ciphers.patch
# Use cipher configuration from crypto-policies
#
# On Fedora, CentOS and RHEL, the system's crypto policies are the best
# source to determine which cipher suites to accept in TLS. On these
# platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
# policies. Change stunnel to default to this setting.
Patch3: stunnel-5.69-system-ciphers.patch
# Apply patch stunnel-5.56-coverity.patch
Patch4: stunnel-5.56-coverity.patch
# Apply patch stunnel-5.61-default-tls-version.patch
Patch5: stunnel-5.61-default-tls-version.patch
# Apply patch stunnel-5.69-default-tls-version.patch
Patch5: stunnel-5.69-default-tls-version.patch
# Apply patch stunnel-5.56-curves-doc-update.patch
Patch6: stunnel-5.56-curves-doc-update.patch
# Skip FIPS tests if FIPS is unconfigured
Patch7: stunnel-5.61-fips-test.patch
# Limit curves defaults in FIPS mode
Patch8: stunnel-5.62-disabled-curves.patch
# util-linux is needed for rename
@ -143,6 +146,10 @@ fi
%systemd_postun_with_restart %{name}.service
%changelog
* Mon Mar 06 2023 Clemens Lang <cllang@redhat.com> - 5.69-1
- New upstream release 5.69
Resolves: rhbz#2139207
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.66-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild