import stunnel-5.56-5.el8_3

2021-02-22 04:56:14 -05:00 · 2021-02-22 04:56:14 -05:00 · a6f25d7dac
commit a6f25d7dac
parent 7322001771
2 changed files with 226 additions and 1 deletions
--- a/SOURCES/stunnel-5.56-verify-chain.patch
+++ b/SOURCES/stunnel-5.56-verify-chain.patch
@ -0,0 +1,219 @@
 diff -up stunnel-5.56/src/ssl.c.verify-chain stunnel-5.56/src/ssl.c
 --- stunnel-5.56/src/ssl.c.verify-chain	2021-02-17 00:37:28.950981672 +0100
 +++ stunnel-5.56/src/ssl.c	2021-02-17 00:37:36.047053139 +0100
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
 - *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
 + *   Copyright (C) 1998-2020 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
@@ -39,7 +39,12 @@
 #include "prototypes.h"
     /* global OpenSSL initialization: compression, engine, entropy */
 -#if OPENSSL_VERSION_NUMBER>=0x10100000L
 +NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
 +        int idx, long argl, void *argp);
 +#if OPENSSL_VERSION_NUMBER>=0x30000000L
 +NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
 +    void **from_d, int idx, long argl, void *argp);
 +#elif OPENSSL_VERSION_NUMBER>=0x10100000L
 NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
     void *from_d, int idx, long argl, void *argp);
 #else
@@ -72,7 +77,7 @@ int ssl_init(void) { /* init TLS before
     index_ssl_ctx_opt=SSL_CTX_get_ex_new_index(0,
         "SERVICE_OPTIONS pointer", NULL, NULL, NULL);
     index_session_authenticated=SSL_SESSION_get_ex_new_index(0,
 -        "session authenticated", NULL, NULL, NULL);
 +        "session authenticated", cb_new_auth, NULL, NULL);
     index_session_connect_address=SSL_SESSION_get_ex_new_index(0,
         "session connect address", NULL, cb_dup_addr, cb_free_addr);
     if(index_ssl_cli<0 || index_ssl_ctx_opt<0 ||
@@ -104,17 +109,31 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNU
     BN_free(dh->p);
     BN_free(dh->q);
     BN_free(dh->g);
 -    dh->p = p;
 -    dh->q = q;
 -    dh->g = g;
 +    dh->p=p;
 +    dh->q=q;
 +    dh->g=g;
     if(q)
 -        dh->length = BN_num_bits(q);
 +        dh->length=BN_num_bits(q);
     return 1;
 }
 #endif
 #endif
 -#if OPENSSL_VERSION_NUMBER>=0x10100000L
 +NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
 +        int idx, long argl, void *argp) {
 +    (void)parent; /* squash the unused parameter warning */
 +    (void)ptr; /* squash the unused parameter warning */
 +    (void)argl; /* squash the unused parameter warning */
 +    s_log(LOG_DEBUG, "Initializing application specific data for %s",
 +        (char *)argp);
 +    if(!CRYPTO_set_ex_data(ad, idx, (void *)(-1)))
 +        sslerror("CRYPTO_set_ex_data");
 +}
 +
 +#if OPENSSL_VERSION_NUMBER>=0x30000000L
 +NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
 +        void **from_d, int idx, long argl, void *argp) {
 +#elif OPENSSL_VERSION_NUMBER>=0x10100000L
 NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
         void *from_d, int idx, long argl, void *argp) {
 #else
 diff -up stunnel-5.56/src/verify.c.verify-chain stunnel-5.56/src/verify.c
 --- stunnel-5.56/src/verify.c.verify-chain	2021-02-17 00:37:11.577806692 +0100
 +++ stunnel-5.56/src/verify.c	2021-02-17 00:37:42.542118546 +0100
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
 - *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
 + *   Copyright (C) 1998-2020 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
@@ -214,11 +214,15 @@ NOEXPORT int verify_callback(int preveri
         s_log(LOG_INFO, "Certificate verification disabled");
         return 1; /* accept */
     }
 -    if(verify_checks(c, preverify_ok, callback_ctx)) {
 +    if(verify_checks(c, preverify_ok, callback_ctx))
 +        return 1; /* accept */
 +    if(c->opt->option.client || c->opt->protocol)
 +        return 0; /* reject */
 +    if(c->opt->redirect_addr.names) {
         SSL_SESSION *sess=SSL_get1_session(c->ssl);
         if(sess) {
 -            int ok=SSL_SESSION_set_ex_data(sess, index_session_authenticated,
 -                (void *)(-1));
 +            int ok=SSL_SESSION_set_ex_data(sess,
 +                index_session_authenticated, NULL);
             SSL_SESSION_free(sess);
             if(!ok) {
                 sslerror("SSL_SESSION_set_ex_data");
@@ -227,10 +231,6 @@ NOEXPORT int verify_callback(int preveri
         }
         return 1; /* accept */
     }
 -    if(c->opt->option.client || c->opt->protocol)
 -        return 0; /* reject */
 -    if(c->opt->redirect_addr.names)
 -        return 1; /* accept */
     return 0; /* reject */
 }
 diff -up stunnel-5.56/tests/recipes/028_redirect_chain.verify-chain stunnel-5.56/tests/recipes/028_redirect_chain
 --- stunnel-5.56/tests/recipes/028_redirect_chain.verify-chain	2021-02-17 00:38:44.823745781 +0100
 +++ stunnel-5.56/tests/recipes/028_redirect_chain	2021-02-17 00:38:16.143456937 +0100
@@ -0,0 +1,50 @@
 +#!/bin/sh
 +
 +# Redirect TLS client connections on certificate-based authentication failures.
 +# [client_1] -> [server_1] -> [client_2] -> [server_2]
 +# The success is expected because the client presents the *wrong* certificate
 +# and the client connection is redirected.
 +# Checking if the verifyChain option verifies the peer certificate starting from the root CA.
 +
 +. $(dirname $0)/../test_library
 +
 +start() {
 +  ../../src/stunnel -fd 0 <<EOT
 +  debug = debug
 +  syslog = no
 +  pid = ${result_path}/stunnel.pid
 +  output = ${result_path}/stunnel.log
 +
 +  [client_1]
 +  client = yes
 +  accept = 127.0.0.1:${http1}
 +  connect = 127.0.0.1:${https1}
 +  ;cert = ${script_path}/certs/client_cert.pem
 +;wrong self signed certificate
 +  cert = ${script_path}/certs/stunnel.pem
 +
 +  [client_2]
 +  client = yes
 +  accept = 127.0.0.1:${http2}
 +  connect = 127.0.0.1:${https2}
 +
 +  [server_1]
 +  accept = 127.0.0.1:${https1}
 +  exec = ${script_path}/execute
 +  execArgs = execute 028_redirect_chain_error
 +  redirect = ${http2}
 +  cert = ${script_path}/certs/server_cert.pem
 +  verifyChain = yes
 +  CAfile = ${script_path}/certs/CACert.pem
 +
 +  [server_2]
 +  accept = 127.0.0.1:${https2}
 +  cert = ${script_path}/certs/server_cert.pem
 +  exec = ${script_path}/execute
 +  execArgs = execute 028_redirect_chain
 +
 +EOT
 +}
 +
 +test_log_for "028_redirect_chain" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log"
 +exit $?
 diff -up stunnel-5.56/tests/recipes/029_no_redirect_chain.verify-chain stunnel-5.56/tests/recipes/029_no_redirect_chain
 --- stunnel-5.56/tests/recipes/029_no_redirect_chain.verify-chain	2021-02-17 00:38:57.819876672 +0100
 +++ stunnel-5.56/tests/recipes/029_no_redirect_chain	2021-02-17 00:38:24.895545080 +0100
@@ -0,0 +1,49 @@
 +#!/bin/sh
 +
 +# Do not redirect TLS client connections on certificate-based authentication success.
 +# [client_1] -> [server_1]
 +# The success is expected because the client presents the *correct* certificate
 +# and the client connection isn't redirected.
 +# Checking if the verifyChain option verifies the peer certificate starting from the root CA.
 +
 +. $(dirname $0)/../test_library
 +
 +start() {
 +  ../../src/stunnel -fd 0 <<EOT
 +  debug = debug
 +  syslog = no
 +  pid = ${result_path}/stunnel.pid
 +  output = ${result_path}/stunnel.log
 +
 +  [client_1]
 +  client = yes
 +  accept = 127.0.0.1:${http1}
 +  connect = 127.0.0.1:${https1}
 +;correct certificate
 +  cert = ${script_path}/certs/client_cert.pem
 +
 +  [client_2]
 +  client = yes
 +  accept = 127.0.0.1:${http2}
 +  connect = 127.0.0.1:${https2}
 +
 +  [server_1]
 +  accept = 127.0.0.1:${https1}
 +  exec = ${script_path}/execute
 +  execArgs = execute 029_no_redirect_chain
 +  redirect = ${http2}
 +  cert = ${script_path}/certs/server_cert.pem
 +  verifyChain = yes
 +  CAfile = ${script_path}/certs/CACert.pem
 +
 +  [server_2]
 +  accept = 127.0.0.1:${https2}
 +  cert = ${script_path}/certs/server_cert.pem
 +  exec = ${script_path}/execute
 +  execArgs = execute 029_no_redirect_chain_error
 +
 +EOT
 +}
 +
 +test_log_for "029_no_redirect_chain" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log"
 +exit $?
--- a/SPECS/stunnel.spec
+++ b/SPECS/stunnel.spec
@ -10,7 +10,7 @@
 Summary: A TLS-encrypting socket wrapper
 Name: stunnel
 Version: 5.56
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2
 Group: Applications/Internet
 URL: http://www.stunnel.org/
@ -28,6 +28,7 @@ Patch3: stunnel-5.56-system-ciphers.patch
 Patch4: stunnel-5.56-coverity.patch
 Patch5: stunnel-5.56-default-tls-version.patch
 Patch6: stunnel-5.56-curves-doc-update.patch
 Patch7: stunnel-5.56-verify-chain.patch
 # util-linux is needed for rename
 BuildRequires: gcc
 BuildRequires: openssl-devel, pkgconfig, util-linux
@ -56,6 +57,7 @@ conjunction with imapd to create a TLS secure IMAP server.
 %patch4 -p1 -b .coverity
 %patch5 -p1 -b .default-tls-version
 %patch6 -p1 -b .curves-doc-update
 %patch7 -p1 -b .verify-chain
 # Fix the configure script output for FIPS mode and stack protector flag
 sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure
@ -141,6 +143,10 @@ make test
 %systemd_postun_with_restart %{name}.service
 %changelog
 * Tue Feb 16 2021 Sahana Prasad <sahana@redhat.com> - 5.56-5
 - Fix CVE-2021-20230 stunnel: client certificate not
  correctly verified when redirect and verifyChain options are used.
 * Thu Apr 16 2020 Sahana Prasad <sahana@redhat.com> - 5.56-4
 - Updates documentation to specify that the option "curves" can be used in server mode only.