rpms
/
stunnel
7
0
Fork 0
Code Issues Pull Requests Releases Activity

New upstream release 5.62 

Update the default TLS version patch to no longer include a large amount
of whitespace in its "Using the default TLS version as specified in its
OpenSSL crypto policies. Not setting explicitly." message. The
whitespace was caused by a line continuation, which is now replaced by
string literal concatenation.

Patch one of the FIPS tests to address changed error behavior when
a cipher suite is not available in OpenSSL 3.

Switch to package URL to https. Upstream has done the same in the spec
file in the tarball.

Add build dependencies for python3 and the openssl command line tool.
Both are used in tests now.

Drop a sed expression applied to the configure script that no longer
does anything and remove environment variables from testing that are no
longer required to make the tests pass.

Resolves: rhbz#2039299
Signed-off-by: Clemens Lang <cllang@redhat.com>
This commit is contained in:
Clemens Lang 2022-01-12 15:58:11 +01:00
parent 8e36d91cb1
commit a7cc901333
8 changed files with 112 additions and 102 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored
View File

@ -118,3 +118,7 @@ stunnel-4.33.tar.gz.asc
/stunnel-5.57.tar.gz.asc
/stunnel-5.58.tar.gz
/stunnel-5.58.tar.gz.asc
/stunnel-5.61.tar.gz
/stunnel-5.61.tar.gz.asc
/stunnel-5.62.tar.gz
/stunnel-5.62.tar.gz.asc

4
sources
View File

@ -1,2 +1,2 @@
SHA512 (stunnel-5.58.tar.gz) = 6f62bf13bf53f174b2810ad6708a9dfdb70e9b4e2f60c0c9cf4df691169a63014901402ccbe2862010f4cee240c1a8eec34b70a7a3fcef36e7a2ca14a7f70ece
SHA512 (stunnel-5.58.tar.gz.asc) = 0deb4f521e3683b5f74afd0493ddd950193ffc30159b759a5eb5d0f8a4fb2cccacceb12e202b2abc963718ed44704415f53cc705f46656b96721013cc2f6747b
SHA512 (stunnel-5.62.tar.gz) = 4ce03faa27e417b49fbdf0fbac91befb2c05ce64694b4b6fd2fc482031ee4a229299627133a47ff3efdfdffce751e1300d95d0a8ac1f1858c7c96f0b067170de
SHA512 (stunnel-5.62.tar.gz.asc) = 983b41100e7ef6dba5a9b7e7cd64e50b1f6860a6bf18ca393e14d65680bfed951475e6f7f4ec9e8da036aaa86e0668f65e3df7025220eda7315de4d110a24ac5

11
stunnel-5.50-systemd-service.patch
View File

@ -1,11 +0,0 @@
diff -up stunnel-5.50/tools/stunnel.service.in.systemd-service stunnel-5.50/tools/stunnel.service.in
--- stunnel-5.50/tools/stunnel.service.in.systemd-service 2019-01-14 12:17:15.826868965 +0100
+++ stunnel-5.50/tools/stunnel.service.in 2019-01-14 12:18:21.186753131 +0100
@@ -5,6 +5,7 @@ After=syslog.target network.target
[Service]
ExecStart=@bindir@/stunnel
Type=forking
+PrivateTmp=true
[Install]
WantedBy=multi-user.target

11
stunnel-5.58-openssl30.patch
View File

@ -1,11 +0,0 @@
diff -up stunnel-5.58/src/ctx.c.openssl30 stunnel-5.58/src/ctx.c
--- stunnel-5.58/src/ctx.c.openssl30 2021-08-03 16:02:24.687409192 +0200
+++ stunnel-5.58/src/ctx.c 2021-08-03 16:03:36.889009510 +0200
@@ -1011,6 +1011,7 @@ NOEXPORT int ui_retry() {
switch(ERR_GET_REASON(err)) {
case UI_R_RESULT_TOO_LARGE:
case UI_R_RESULT_TOO_SMALL:
+ case UI_R_PROCESSING_ERROR:
return 1;
default:
return 0;

119
stunnel-5.56-default-tls-version.patch → stunnel-5.61-default-tls-version.patch
View File

@ -1,18 +1,50 @@
--- stunnel-5.56/src/prototypes.h.default-tls-version 2020-04-06 11:22:24.480280384 +0200
+++ stunnel-5.56/src/prototypes.h 2020-04-06 11:21:05.407597053 +0200
@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
ICON_IMAGE load_icon_file(const char *);
#endif
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
+ crypto policies */
+
#endif /* defined PROTOTYPES_H */
/* end of prototypes.h */
--- stunnel-5.56/src/options.c.default-tls-version 2020-04-06 18:58:48.947214149 +0200
+++ stunnel-5.56/src/options.c 2020-04-08 15:45:18.093520780 +0200
@@ -3123,8 +3123,9 @@ NOEXPORT char *parse_service_option(CMD
diff -up stunnel-5.61/src/ctx.c.default-tls-version stunnel-5.61/src/ctx.c
--- stunnel-5.61/src/ctx.c.default-tls-version 2021-12-13 09:43:22.000000000 +0100
+++ stunnel-5.61/src/ctx.c 2022-01-10 19:27:49.913243127 +0100
@@ -149,18 +149,28 @@ int context_init(SERVICE_OPTIONS *sectio
section->ctx=SSL_CTX_new(section->option.client ?
TLS_client_method() : TLS_server_method());
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
- if(!SSL_CTX_set_min_proto_version(section->ctx,
- section->min_proto_version)) {
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
- section->min_proto_version);
- return 1; /* FAILED */
- }
- if(!SSL_CTX_set_max_proto_version(section->ctx,
- section->max_proto_version)) {
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
- section->max_proto_version);
- return 1; /* FAILED */
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in "
+ "OpenSSL crypto policies. Not setting explicitly.");
+ } else {
+ if(!SSL_CTX_set_min_proto_version(section->ctx,
+ section->min_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+ section->min_proto_version);
+ return 1; /* FAILED */
+ }
}
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in "
+ "OpenSSL crypto policies. Not setting explicitly");
+ } else {
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
+ section->max_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+ section->max_proto_version);
+ return 1; /* FAILED */
+ }
+ }
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
if(section->option.client)
section->ctx=SSL_CTX_new(section->client_method);
diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options.c
--- stunnel-5.61/src/options.c.default-tls-version 2022-01-10 19:23:15.096254067 +0100
+++ stunnel-5.61/src/options.c 2022-01-10 19:23:15.098254103 +0100
@@ -3297,8 +3297,9 @@ NOEXPORT char *parse_service_option(CMD
return "Invalid protocol version";
return NULL; /* OK */
case CMD_INITIALIZE:
@ -24,7 +56,7 @@
return "Invalid protocol version range";
break;
case CMD_PRINT_DEFAULTS:
@@ -3142,7 +3143,10 @@ NOEXPORT char *parse_service_option(CMD
@@ -3316,7 +3317,10 @@ NOEXPORT char *parse_service_option(CMD
/* sslVersionMax */
switch(cmd) {
case CMD_SET_DEFAULTS:
@ -36,7 +68,7 @@
break;
case CMD_SET_COPY:
section->max_proto_version=new_service_options.max_proto_version;
@@ -3173,7 +3177,10 @@ NOEXPORT char *parse_service_option(CMD
@@ -3347,7 +3351,10 @@ NOEXPORT char *parse_service_option(CMD
/* sslVersionMin */
switch(cmd) {
case CMD_SET_DEFAULTS:
@ -48,45 +80,16 @@
break;
case CMD_SET_COPY:
section->min_proto_version=new_service_options.min_proto_version;
--- stunnel-5.56/src/ctx.c.default-tls-version 2019-10-24 10:48:11.000000000 +0200
+++ stunnel-5.56/src/ctx.c 2020-04-06 11:16:48.406406794 +0200
@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio
section->ctx=SSL_CTX_new(TLS_client_method());
else /* server mode */
section->ctx=SSL_CTX_new(TLS_server_method());
- if(!SSL_CTX_set_min_proto_version(section->ctx,
- section->min_proto_version)) {
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
- section->min_proto_version);
- return 1; /* FAILED */
diff -up stunnel-5.61/src/prototypes.h.default-tls-version stunnel-5.61/src/prototypes.h
--- stunnel-5.61/src/prototypes.h.default-tls-version 2021-12-13 09:43:22.000000000 +0100
+++ stunnel-5.61/src/prototypes.h 2022-01-10 19:23:15.099254121 +0100
@@ -932,6 +932,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
ICON_IMAGE load_icon_file(const char *);
#endif
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
+ crypto policies */
+
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
+ OpenSSL crypto policies. Not setting explicitly.");
+ } else {
+ if(!SSL_CTX_set_min_proto_version(section->ctx,
+ section->min_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+ section->min_proto_version);
+ return 1; /* FAILED */
+ }
}
- if(!SSL_CTX_set_max_proto_version(section->ctx,
- section->max_proto_version)) {
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
- section->max_proto_version);
- return 1; /* FAILED */
+
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
+ OpenSSL crypto policies. Not setting explicitly");
+ } else {
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
+ section->max_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+ section->max_proto_version);
+ return 1; /* FAILED */
+ }
}
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
if(section->option.client)
#endif /* defined PROTOTYPES_H */
/* end of prototypes.h */

19
stunnel-5.61-openssl30-fips.patch Normal file
View File

@ -0,0 +1,19 @@
tests: Adapt to OpenSSL 3.x FIPS mode
In OpenSSL 3.0 with FIPS enabled, this test no longer fails with
a human-readable error message (such as "no ciphers available"), but
instead causes an internal error. Extend the success regex list to also
accept this result.
diff -up stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 stunnel-5.61/tests/plugins/p11_fips_cipher.py
--- stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 2022-01-12 15:15:03.211690650 +0100
+++ stunnel-5.61/tests/plugins/p11_fips_cipher.py 2022-01-12 15:15:20.937008173 +0100
@@ -91,7 +91,8 @@ class FailureCiphersuitesFIPS(StunnelTes
self.events.count = 1
self.events.success = [
"disabled for FIPS",
- "no ciphers available"
+ "no ciphers available",
+ "TLS alert \\(write\\): fatal: internal error"
]
self.events.failure = [
"peer did not return a certificate",

11
stunnel-5.61-systemd-service.patch Normal file
View File

@ -0,0 +1,11 @@
diff -up stunnel-5.61/tools/stunnel.service.in.systemd-service stunnel-5.61/tools/stunnel.service.in
--- stunnel-5.61/tools/stunnel.service.in.systemd-service 2022-01-12 14:48:32.474150329 +0100
+++ stunnel-5.61/tools/stunnel.service.in 2022-01-12 14:50:15.253984639 +0100
@@ -6,6 +6,7 @@ After=syslog.target network-online.targe
ExecStart=@bindir@/stunnel
ExecReload=/bin/kill -HUP $MAINPID
Type=forking
+PrivateTmp=true
[Install]
WantedBy=multi-user.target

35
stunnel.spec
View File

@ -9,10 +9,10 @@
Summary: A TLS-encrypting socket wrapper
Name: stunnel
Version: 5.58
Release: 6%{?dist}
Version: 5.62
Release: 1%{?dist}
License: GPLv2
URL: http://www.stunnel.org/
URL: https://www.stunnel.org/
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc
Source2: Certificate-Creation
@ -22,12 +22,12 @@ Source5: pop3-redirect.xinetd
Source6: stunnel-pop3s-client.conf
Source7: stunnel@.service
Patch0: stunnel-5.50-authpriv.patch
Patch1: stunnel-5.50-systemd-service.patch
Patch1: stunnel-5.61-systemd-service.patch
Patch3: stunnel-5.56-system-ciphers.patch
Patch4: stunnel-5.56-coverity.patch
Patch5: stunnel-5.56-default-tls-version.patch
Patch5: stunnel-5.61-default-tls-version.patch
Patch6: stunnel-5.56-curves-doc-update.patch
Patch7: stunnel-5.58-openssl30.patch
Patch7: stunnel-5.61-openssl30-fips.patch
# util-linux is needed for rename
BuildRequires: make
BuildRequires: gcc
@ -40,6 +40,7 @@ BuildRequires: /usr/bin/pod2man
BuildRequires: /usr/bin/pod2html
# build test requirements
BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
BuildRequires: python3 openssl
BuildRequires: systemd
%{?systemd_requires}
@ -57,13 +58,10 @@ conjunction with imapd to create a TLS secure IMAP server.
%patch4 -p1 -b .coverity
%patch5 -p1 -b .default-tls-version
%patch6 -p1 -b .curves-doc-update
%patch7 -p1 -b .openssl30
%patch7 -p1 -b .openssl30-fips
# Fix the configure script output for FIPS mode and stack protector flag
sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure
# Fix a testcase with system-ciphers support
sed -i '/client = yes/a \\ ciphers = PSK' tests/recipes/014_PSK_secrets
# Fix the stack protector flag
sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
%build
#autoreconf -v
@ -100,14 +98,6 @@ cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service
%endif
%check
# For unknown reason the 042_inetd test fails in Koji. The failure is not reproducible
# in local build.
rm tests/recipes/042_inetd
# We override the security policy as it is too strict for the tests.
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
OPENSSL_CONF=
export OPENSSL_CONF
make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
%files
@ -130,6 +120,7 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
%{_unitdir}/%{name}*.service
%endif
%{_datadir}/bash-completion/completions/%{name}.bash
%post
/sbin/ldconfig
@ -143,6 +134,10 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
%systemd_postun_with_restart %{name}.service
%changelog
* Tue Jan 18 2022 Clemens Lang <cllang@redhat.com> - 5.62-1
- New upstream release 5.62
Resolves: rhbz#2039299
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 5.58-6
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688