import stunnel-5.56-5.el8_3
This commit is contained in:
parent
7322001771
commit
a6f25d7dac
219
SOURCES/stunnel-5.56-verify-chain.patch
Normal file
219
SOURCES/stunnel-5.56-verify-chain.patch
Normal file
@ -0,0 +1,219 @@
|
|||||||
|
diff -up stunnel-5.56/src/ssl.c.verify-chain stunnel-5.56/src/ssl.c
|
||||||
|
--- stunnel-5.56/src/ssl.c.verify-chain 2021-02-17 00:37:28.950981672 +0100
|
||||||
|
+++ stunnel-5.56/src/ssl.c 2021-02-17 00:37:36.047053139 +0100
|
||||||
|
@@ -1,6 +1,6 @@
|
||||||
|
/*
|
||||||
|
* stunnel TLS offloading and load-balancing proxy
|
||||||
|
- * Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||||
|
+ * Copyright (C) 1998-2020 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
@@ -39,7 +39,12 @@
|
||||||
|
#include "prototypes.h"
|
||||||
|
|
||||||
|
/* global OpenSSL initialization: compression, engine, entropy */
|
||||||
|
-#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
||||||
|
+NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
|
||||||
|
+ int idx, long argl, void *argp);
|
||||||
|
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
|
||||||
|
+NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
|
||||||
|
+ void **from_d, int idx, long argl, void *argp);
|
||||||
|
+#elif OPENSSL_VERSION_NUMBER>=0x10100000L
|
||||||
|
NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
|
||||||
|
void *from_d, int idx, long argl, void *argp);
|
||||||
|
#else
|
||||||
|
@@ -72,7 +77,7 @@ int ssl_init(void) { /* init TLS before
|
||||||
|
index_ssl_ctx_opt=SSL_CTX_get_ex_new_index(0,
|
||||||
|
"SERVICE_OPTIONS pointer", NULL, NULL, NULL);
|
||||||
|
index_session_authenticated=SSL_SESSION_get_ex_new_index(0,
|
||||||
|
- "session authenticated", NULL, NULL, NULL);
|
||||||
|
+ "session authenticated", cb_new_auth, NULL, NULL);
|
||||||
|
index_session_connect_address=SSL_SESSION_get_ex_new_index(0,
|
||||||
|
"session connect address", NULL, cb_dup_addr, cb_free_addr);
|
||||||
|
if(index_ssl_cli<0 || index_ssl_ctx_opt<0 ||
|
||||||
|
@@ -104,17 +109,31 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNU
|
||||||
|
BN_free(dh->p);
|
||||||
|
BN_free(dh->q);
|
||||||
|
BN_free(dh->g);
|
||||||
|
- dh->p = p;
|
||||||
|
- dh->q = q;
|
||||||
|
- dh->g = g;
|
||||||
|
+ dh->p=p;
|
||||||
|
+ dh->q=q;
|
||||||
|
+ dh->g=g;
|
||||||
|
if(q)
|
||||||
|
- dh->length = BN_num_bits(q);
|
||||||
|
+ dh->length=BN_num_bits(q);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
#endif
|
||||||
|
|
||||||
|
-#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
||||||
|
+NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
|
||||||
|
+ int idx, long argl, void *argp) {
|
||||||
|
+ (void)parent; /* squash the unused parameter warning */
|
||||||
|
+ (void)ptr; /* squash the unused parameter warning */
|
||||||
|
+ (void)argl; /* squash the unused parameter warning */
|
||||||
|
+ s_log(LOG_DEBUG, "Initializing application specific data for %s",
|
||||||
|
+ (char *)argp);
|
||||||
|
+ if(!CRYPTO_set_ex_data(ad, idx, (void *)(-1)))
|
||||||
|
+ sslerror("CRYPTO_set_ex_data");
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
|
||||||
|
+NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
|
||||||
|
+ void **from_d, int idx, long argl, void *argp) {
|
||||||
|
+#elif OPENSSL_VERSION_NUMBER>=0x10100000L
|
||||||
|
NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
|
||||||
|
void *from_d, int idx, long argl, void *argp) {
|
||||||
|
#else
|
||||||
|
diff -up stunnel-5.56/src/verify.c.verify-chain stunnel-5.56/src/verify.c
|
||||||
|
--- stunnel-5.56/src/verify.c.verify-chain 2021-02-17 00:37:11.577806692 +0100
|
||||||
|
+++ stunnel-5.56/src/verify.c 2021-02-17 00:37:42.542118546 +0100
|
||||||
|
@@ -1,6 +1,6 @@
|
||||||
|
/*
|
||||||
|
* stunnel TLS offloading and load-balancing proxy
|
||||||
|
- * Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||||
|
+ * Copyright (C) 1998-2020 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
@@ -214,11 +214,15 @@ NOEXPORT int verify_callback(int preveri
|
||||||
|
s_log(LOG_INFO, "Certificate verification disabled");
|
||||||
|
return 1; /* accept */
|
||||||
|
}
|
||||||
|
- if(verify_checks(c, preverify_ok, callback_ctx)) {
|
||||||
|
+ if(verify_checks(c, preverify_ok, callback_ctx))
|
||||||
|
+ return 1; /* accept */
|
||||||
|
+ if(c->opt->option.client || c->opt->protocol)
|
||||||
|
+ return 0; /* reject */
|
||||||
|
+ if(c->opt->redirect_addr.names) {
|
||||||
|
SSL_SESSION *sess=SSL_get1_session(c->ssl);
|
||||||
|
if(sess) {
|
||||||
|
- int ok=SSL_SESSION_set_ex_data(sess, index_session_authenticated,
|
||||||
|
- (void *)(-1));
|
||||||
|
+ int ok=SSL_SESSION_set_ex_data(sess,
|
||||||
|
+ index_session_authenticated, NULL);
|
||||||
|
SSL_SESSION_free(sess);
|
||||||
|
if(!ok) {
|
||||||
|
sslerror("SSL_SESSION_set_ex_data");
|
||||||
|
@@ -227,10 +231,6 @@ NOEXPORT int verify_callback(int preveri
|
||||||
|
}
|
||||||
|
return 1; /* accept */
|
||||||
|
}
|
||||||
|
- if(c->opt->option.client || c->opt->protocol)
|
||||||
|
- return 0; /* reject */
|
||||||
|
- if(c->opt->redirect_addr.names)
|
||||||
|
- return 1; /* accept */
|
||||||
|
return 0; /* reject */
|
||||||
|
}
|
||||||
|
|
||||||
|
diff -up stunnel-5.56/tests/recipes/028_redirect_chain.verify-chain stunnel-5.56/tests/recipes/028_redirect_chain
|
||||||
|
--- stunnel-5.56/tests/recipes/028_redirect_chain.verify-chain 2021-02-17 00:38:44.823745781 +0100
|
||||||
|
+++ stunnel-5.56/tests/recipes/028_redirect_chain 2021-02-17 00:38:16.143456937 +0100
|
||||||
|
@@ -0,0 +1,50 @@
|
||||||
|
+#!/bin/sh
|
||||||
|
+
|
||||||
|
+# Redirect TLS client connections on certificate-based authentication failures.
|
||||||
|
+# [client_1] -> [server_1] -> [client_2] -> [server_2]
|
||||||
|
+# The success is expected because the client presents the *wrong* certificate
|
||||||
|
+# and the client connection is redirected.
|
||||||
|
+# Checking if the verifyChain option verifies the peer certificate starting from the root CA.
|
||||||
|
+
|
||||||
|
+. $(dirname $0)/../test_library
|
||||||
|
+
|
||||||
|
+start() {
|
||||||
|
+ ../../src/stunnel -fd 0 <<EOT
|
||||||
|
+ debug = debug
|
||||||
|
+ syslog = no
|
||||||
|
+ pid = ${result_path}/stunnel.pid
|
||||||
|
+ output = ${result_path}/stunnel.log
|
||||||
|
+
|
||||||
|
+ [client_1]
|
||||||
|
+ client = yes
|
||||||
|
+ accept = 127.0.0.1:${http1}
|
||||||
|
+ connect = 127.0.0.1:${https1}
|
||||||
|
+ ;cert = ${script_path}/certs/client_cert.pem
|
||||||
|
+;wrong self signed certificate
|
||||||
|
+ cert = ${script_path}/certs/stunnel.pem
|
||||||
|
+
|
||||||
|
+ [client_2]
|
||||||
|
+ client = yes
|
||||||
|
+ accept = 127.0.0.1:${http2}
|
||||||
|
+ connect = 127.0.0.1:${https2}
|
||||||
|
+
|
||||||
|
+ [server_1]
|
||||||
|
+ accept = 127.0.0.1:${https1}
|
||||||
|
+ exec = ${script_path}/execute
|
||||||
|
+ execArgs = execute 028_redirect_chain_error
|
||||||
|
+ redirect = ${http2}
|
||||||
|
+ cert = ${script_path}/certs/server_cert.pem
|
||||||
|
+ verifyChain = yes
|
||||||
|
+ CAfile = ${script_path}/certs/CACert.pem
|
||||||
|
+
|
||||||
|
+ [server_2]
|
||||||
|
+ accept = 127.0.0.1:${https2}
|
||||||
|
+ cert = ${script_path}/certs/server_cert.pem
|
||||||
|
+ exec = ${script_path}/execute
|
||||||
|
+ execArgs = execute 028_redirect_chain
|
||||||
|
+
|
||||||
|
+EOT
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+test_log_for "028_redirect_chain" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log"
|
||||||
|
+exit $?
|
||||||
|
diff -up stunnel-5.56/tests/recipes/029_no_redirect_chain.verify-chain stunnel-5.56/tests/recipes/029_no_redirect_chain
|
||||||
|
--- stunnel-5.56/tests/recipes/029_no_redirect_chain.verify-chain 2021-02-17 00:38:57.819876672 +0100
|
||||||
|
+++ stunnel-5.56/tests/recipes/029_no_redirect_chain 2021-02-17 00:38:24.895545080 +0100
|
||||||
|
@@ -0,0 +1,49 @@
|
||||||
|
+#!/bin/sh
|
||||||
|
+
|
||||||
|
+# Do not redirect TLS client connections on certificate-based authentication success.
|
||||||
|
+# [client_1] -> [server_1]
|
||||||
|
+# The success is expected because the client presents the *correct* certificate
|
||||||
|
+# and the client connection isn't redirected.
|
||||||
|
+# Checking if the verifyChain option verifies the peer certificate starting from the root CA.
|
||||||
|
+
|
||||||
|
+. $(dirname $0)/../test_library
|
||||||
|
+
|
||||||
|
+start() {
|
||||||
|
+ ../../src/stunnel -fd 0 <<EOT
|
||||||
|
+ debug = debug
|
||||||
|
+ syslog = no
|
||||||
|
+ pid = ${result_path}/stunnel.pid
|
||||||
|
+ output = ${result_path}/stunnel.log
|
||||||
|
+
|
||||||
|
+ [client_1]
|
||||||
|
+ client = yes
|
||||||
|
+ accept = 127.0.0.1:${http1}
|
||||||
|
+ connect = 127.0.0.1:${https1}
|
||||||
|
+;correct certificate
|
||||||
|
+ cert = ${script_path}/certs/client_cert.pem
|
||||||
|
+
|
||||||
|
+ [client_2]
|
||||||
|
+ client = yes
|
||||||
|
+ accept = 127.0.0.1:${http2}
|
||||||
|
+ connect = 127.0.0.1:${https2}
|
||||||
|
+
|
||||||
|
+ [server_1]
|
||||||
|
+ accept = 127.0.0.1:${https1}
|
||||||
|
+ exec = ${script_path}/execute
|
||||||
|
+ execArgs = execute 029_no_redirect_chain
|
||||||
|
+ redirect = ${http2}
|
||||||
|
+ cert = ${script_path}/certs/server_cert.pem
|
||||||
|
+ verifyChain = yes
|
||||||
|
+ CAfile = ${script_path}/certs/CACert.pem
|
||||||
|
+
|
||||||
|
+ [server_2]
|
||||||
|
+ accept = 127.0.0.1:${https2}
|
||||||
|
+ cert = ${script_path}/certs/server_cert.pem
|
||||||
|
+ exec = ${script_path}/execute
|
||||||
|
+ execArgs = execute 029_no_redirect_chain_error
|
||||||
|
+
|
||||||
|
+EOT
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+test_log_for "029_no_redirect_chain" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log"
|
||||||
|
+exit $?
|
@ -10,7 +10,7 @@
|
|||||||
Summary: A TLS-encrypting socket wrapper
|
Summary: A TLS-encrypting socket wrapper
|
||||||
Name: stunnel
|
Name: stunnel
|
||||||
Version: 5.56
|
Version: 5.56
|
||||||
Release: 4%{?dist}
|
Release: 5%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Group: Applications/Internet
|
Group: Applications/Internet
|
||||||
URL: http://www.stunnel.org/
|
URL: http://www.stunnel.org/
|
||||||
@ -28,6 +28,7 @@ Patch3: stunnel-5.56-system-ciphers.patch
|
|||||||
Patch4: stunnel-5.56-coverity.patch
|
Patch4: stunnel-5.56-coverity.patch
|
||||||
Patch5: stunnel-5.56-default-tls-version.patch
|
Patch5: stunnel-5.56-default-tls-version.patch
|
||||||
Patch6: stunnel-5.56-curves-doc-update.patch
|
Patch6: stunnel-5.56-curves-doc-update.patch
|
||||||
|
Patch7: stunnel-5.56-verify-chain.patch
|
||||||
# util-linux is needed for rename
|
# util-linux is needed for rename
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: openssl-devel, pkgconfig, util-linux
|
BuildRequires: openssl-devel, pkgconfig, util-linux
|
||||||
@ -56,6 +57,7 @@ conjunction with imapd to create a TLS secure IMAP server.
|
|||||||
%patch4 -p1 -b .coverity
|
%patch4 -p1 -b .coverity
|
||||||
%patch5 -p1 -b .default-tls-version
|
%patch5 -p1 -b .default-tls-version
|
||||||
%patch6 -p1 -b .curves-doc-update
|
%patch6 -p1 -b .curves-doc-update
|
||||||
|
%patch7 -p1 -b .verify-chain
|
||||||
|
|
||||||
# Fix the configure script output for FIPS mode and stack protector flag
|
# Fix the configure script output for FIPS mode and stack protector flag
|
||||||
sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure
|
sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure
|
||||||
@ -141,6 +143,10 @@ make test
|
|||||||
%systemd_postun_with_restart %{name}.service
|
%systemd_postun_with_restart %{name}.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Feb 16 2021 Sahana Prasad <sahana@redhat.com> - 5.56-5
|
||||||
|
- Fix CVE-2021-20230 stunnel: client certificate not
|
||||||
|
correctly verified when redirect and verifyChain options are used.
|
||||||
|
|
||||||
* Thu Apr 16 2020 Sahana Prasad <sahana@redhat.com> - 5.56-4
|
* Thu Apr 16 2020 Sahana Prasad <sahana@redhat.com> - 5.56-4
|
||||||
- Updates documentation to specify that the option "curves" can be used in server mode only.
|
- Updates documentation to specify that the option "curves" can be used in server mode only.
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user