diff --git a/.gitignore b/.gitignore index cad0b38..60e73c6 100644 --- a/.gitignore +++ b/.gitignore @@ -118,3 +118,7 @@ stunnel-4.33.tar.gz.asc /stunnel-5.57.tar.gz.asc /stunnel-5.58.tar.gz /stunnel-5.58.tar.gz.asc +/stunnel-5.61.tar.gz +/stunnel-5.61.tar.gz.asc +/stunnel-5.62.tar.gz +/stunnel-5.62.tar.gz.asc diff --git a/sources b/sources index 16495eb..19d6aea 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (stunnel-5.58.tar.gz) = 6f62bf13bf53f174b2810ad6708a9dfdb70e9b4e2f60c0c9cf4df691169a63014901402ccbe2862010f4cee240c1a8eec34b70a7a3fcef36e7a2ca14a7f70ece -SHA512 (stunnel-5.58.tar.gz.asc) = 0deb4f521e3683b5f74afd0493ddd950193ffc30159b759a5eb5d0f8a4fb2cccacceb12e202b2abc963718ed44704415f53cc705f46656b96721013cc2f6747b +SHA512 (stunnel-5.62.tar.gz) = 4ce03faa27e417b49fbdf0fbac91befb2c05ce64694b4b6fd2fc482031ee4a229299627133a47ff3efdfdffce751e1300d95d0a8ac1f1858c7c96f0b067170de +SHA512 (stunnel-5.62.tar.gz.asc) = 983b41100e7ef6dba5a9b7e7cd64e50b1f6860a6bf18ca393e14d65680bfed951475e6f7f4ec9e8da036aaa86e0668f65e3df7025220eda7315de4d110a24ac5 diff --git a/stunnel-5.50-systemd-service.patch b/stunnel-5.50-systemd-service.patch deleted file mode 100644 index 9fc170b..0000000 --- a/stunnel-5.50-systemd-service.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -up stunnel-5.50/tools/stunnel.service.in.systemd-service stunnel-5.50/tools/stunnel.service.in ---- stunnel-5.50/tools/stunnel.service.in.systemd-service 2019-01-14 12:17:15.826868965 +0100 -+++ stunnel-5.50/tools/stunnel.service.in 2019-01-14 12:18:21.186753131 +0100 -@@ -5,6 +5,7 @@ After=syslog.target network.target - [Service] - ExecStart=@bindir@/stunnel - Type=forking -+PrivateTmp=true - - [Install] - WantedBy=multi-user.target diff --git a/stunnel-5.58-openssl30.patch b/stunnel-5.58-openssl30.patch deleted file mode 100644 index f786bd2..0000000 --- a/stunnel-5.58-openssl30.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -up stunnel-5.58/src/ctx.c.openssl30 stunnel-5.58/src/ctx.c ---- stunnel-5.58/src/ctx.c.openssl30 2021-08-03 16:02:24.687409192 +0200 -+++ stunnel-5.58/src/ctx.c 2021-08-03 16:03:36.889009510 +0200 -@@ -1011,6 +1011,7 @@ NOEXPORT int ui_retry() { - switch(ERR_GET_REASON(err)) { - case UI_R_RESULT_TOO_LARGE: - case UI_R_RESULT_TOO_SMALL: -+ case UI_R_PROCESSING_ERROR: - return 1; - default: - return 0; diff --git a/stunnel-5.56-default-tls-version.patch b/stunnel-5.61-default-tls-version.patch similarity index 70% rename from stunnel-5.56-default-tls-version.patch rename to stunnel-5.61-default-tls-version.patch index b66753e..f779e4e 100644 --- a/stunnel-5.56-default-tls-version.patch +++ b/stunnel-5.61-default-tls-version.patch @@ -1,18 +1,50 @@ ---- stunnel-5.56/src/prototypes.h.default-tls-version 2020-04-06 11:22:24.480280384 +0200 -+++ stunnel-5.56/src/prototypes.h 2020-04-06 11:21:05.407597053 +0200 -@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE); - ICON_IMAGE load_icon_file(const char *); - #endif - -+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL -+ crypto policies */ -+ - #endif /* defined PROTOTYPES_H */ - - /* end of prototypes.h */ ---- stunnel-5.56/src/options.c.default-tls-version 2020-04-06 18:58:48.947214149 +0200 -+++ stunnel-5.56/src/options.c 2020-04-08 15:45:18.093520780 +0200 -@@ -3123,8 +3123,9 @@ NOEXPORT char *parse_service_option(CMD +diff -up stunnel-5.61/src/ctx.c.default-tls-version stunnel-5.61/src/ctx.c +--- stunnel-5.61/src/ctx.c.default-tls-version 2021-12-13 09:43:22.000000000 +0100 ++++ stunnel-5.61/src/ctx.c 2022-01-10 19:27:49.913243127 +0100 +@@ -149,18 +149,28 @@ int context_init(SERVICE_OPTIONS *sectio + section->ctx=SSL_CTX_new(section->option.client ? + TLS_client_method() : TLS_server_method()); + #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */ +- if(!SSL_CTX_set_min_proto_version(section->ctx, +- section->min_proto_version)) { +- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", +- section->min_proto_version); +- return 1; /* FAILED */ +- } +- if(!SSL_CTX_set_max_proto_version(section->ctx, +- section->max_proto_version)) { +- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", +- section->max_proto_version); +- return 1; /* FAILED */ ++ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) { ++ s_log(LOG_INFO, "Using the default TLS version as specified in " ++ "OpenSSL crypto policies. Not setting explicitly."); ++ } else { ++ if(!SSL_CTX_set_min_proto_version(section->ctx, ++ section->min_proto_version)) { ++ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", ++ section->min_proto_version); ++ return 1; /* FAILED */ ++ } + } ++ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) { ++ s_log(LOG_INFO, "Using the default TLS version as specified in " ++ "OpenSSL crypto policies. Not setting explicitly"); ++ } else { ++ if(!SSL_CTX_set_max_proto_version(section->ctx, ++ section->max_proto_version)) { ++ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", ++ section->max_proto_version); ++ return 1; /* FAILED */ ++ } ++ } + #else /* OPENSSL_VERSION_NUMBER<0x10100000L */ + if(section->option.client) + section->ctx=SSL_CTX_new(section->client_method); +diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options.c +--- stunnel-5.61/src/options.c.default-tls-version 2022-01-10 19:23:15.096254067 +0100 ++++ stunnel-5.61/src/options.c 2022-01-10 19:23:15.098254103 +0100 +@@ -3297,8 +3297,9 @@ NOEXPORT char *parse_service_option(CMD return "Invalid protocol version"; return NULL; /* OK */ case CMD_INITIALIZE: @@ -24,7 +56,7 @@ return "Invalid protocol version range"; break; case CMD_PRINT_DEFAULTS: -@@ -3142,7 +3143,10 @@ NOEXPORT char *parse_service_option(CMD +@@ -3316,7 +3317,10 @@ NOEXPORT char *parse_service_option(CMD /* sslVersionMax */ switch(cmd) { case CMD_SET_DEFAULTS: @@ -36,7 +68,7 @@ break; case CMD_SET_COPY: section->max_proto_version=new_service_options.max_proto_version; -@@ -3173,7 +3177,10 @@ NOEXPORT char *parse_service_option(CMD +@@ -3347,7 +3351,10 @@ NOEXPORT char *parse_service_option(CMD /* sslVersionMin */ switch(cmd) { case CMD_SET_DEFAULTS: @@ -48,45 +80,16 @@ break; case CMD_SET_COPY: section->min_proto_version=new_service_options.min_proto_version; ---- stunnel-5.56/src/ctx.c.default-tls-version 2019-10-24 10:48:11.000000000 +0200 -+++ stunnel-5.56/src/ctx.c 2020-04-06 11:16:48.406406794 +0200 -@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio - section->ctx=SSL_CTX_new(TLS_client_method()); - else /* server mode */ - section->ctx=SSL_CTX_new(TLS_server_method()); -- if(!SSL_CTX_set_min_proto_version(section->ctx, -- section->min_proto_version)) { -- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", -- section->min_proto_version); -- return 1; /* FAILED */ +diff -up stunnel-5.61/src/prototypes.h.default-tls-version stunnel-5.61/src/prototypes.h +--- stunnel-5.61/src/prototypes.h.default-tls-version 2021-12-13 09:43:22.000000000 +0100 ++++ stunnel-5.61/src/prototypes.h 2022-01-10 19:23:15.099254121 +0100 +@@ -932,6 +932,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE); + ICON_IMAGE load_icon_file(const char *); + #endif + ++#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL ++ crypto policies */ + -+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) { -+ s_log(LOG_INFO, "Using the default TLS version as specified in \ -+ OpenSSL crypto policies. Not setting explicitly."); -+ } else { -+ if(!SSL_CTX_set_min_proto_version(section->ctx, -+ section->min_proto_version)) { -+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", -+ section->min_proto_version); -+ return 1; /* FAILED */ -+ } - } -- if(!SSL_CTX_set_max_proto_version(section->ctx, -- section->max_proto_version)) { -- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", -- section->max_proto_version); -- return 1; /* FAILED */ -+ -+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) { -+ s_log(LOG_INFO, "Using the default TLS version as specified in \ -+ OpenSSL crypto policies. Not setting explicitly"); -+ } else { -+ if(!SSL_CTX_set_max_proto_version(section->ctx, -+ section->max_proto_version)) { -+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", -+ section->max_proto_version); -+ return 1; /* FAILED */ -+ } - } - #else /* OPENSSL_VERSION_NUMBER<0x10100000L */ - if(section->option.client) + #endif /* defined PROTOTYPES_H */ + + /* end of prototypes.h */ diff --git a/stunnel-5.61-openssl30-fips.patch b/stunnel-5.61-openssl30-fips.patch new file mode 100644 index 0000000..faaeef9 --- /dev/null +++ b/stunnel-5.61-openssl30-fips.patch @@ -0,0 +1,19 @@ +tests: Adapt to OpenSSL 3.x FIPS mode + +In OpenSSL 3.0 with FIPS enabled, this test no longer fails with +a human-readable error message (such as "no ciphers available"), but +instead causes an internal error. Extend the success regex list to also +accept this result. +diff -up stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 stunnel-5.61/tests/plugins/p11_fips_cipher.py +--- stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 2022-01-12 15:15:03.211690650 +0100 ++++ stunnel-5.61/tests/plugins/p11_fips_cipher.py 2022-01-12 15:15:20.937008173 +0100 +@@ -91,7 +91,8 @@ class FailureCiphersuitesFIPS(StunnelTes + self.events.count = 1 + self.events.success = [ + "disabled for FIPS", +- "no ciphers available" ++ "no ciphers available", ++ "TLS alert \\(write\\): fatal: internal error" + ] + self.events.failure = [ + "peer did not return a certificate", diff --git a/stunnel-5.61-systemd-service.patch b/stunnel-5.61-systemd-service.patch new file mode 100644 index 0000000..8c82221 --- /dev/null +++ b/stunnel-5.61-systemd-service.patch @@ -0,0 +1,11 @@ +diff -up stunnel-5.61/tools/stunnel.service.in.systemd-service stunnel-5.61/tools/stunnel.service.in +--- stunnel-5.61/tools/stunnel.service.in.systemd-service 2022-01-12 14:48:32.474150329 +0100 ++++ stunnel-5.61/tools/stunnel.service.in 2022-01-12 14:50:15.253984639 +0100 +@@ -6,6 +6,7 @@ After=syslog.target network-online.targe + ExecStart=@bindir@/stunnel + ExecReload=/bin/kill -HUP $MAINPID + Type=forking ++PrivateTmp=true + + [Install] + WantedBy=multi-user.target diff --git a/stunnel.spec b/stunnel.spec index 24c057f..c168626 100644 --- a/stunnel.spec +++ b/stunnel.spec @@ -9,10 +9,10 @@ Summary: A TLS-encrypting socket wrapper Name: stunnel -Version: 5.58 -Release: 6%{?dist} +Version: 5.62 +Release: 1%{?dist} License: GPLv2 -URL: http://www.stunnel.org/ +URL: https://www.stunnel.org/ Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc Source2: Certificate-Creation @@ -22,12 +22,12 @@ Source5: pop3-redirect.xinetd Source6: stunnel-pop3s-client.conf Source7: stunnel@.service Patch0: stunnel-5.50-authpriv.patch -Patch1: stunnel-5.50-systemd-service.patch +Patch1: stunnel-5.61-systemd-service.patch Patch3: stunnel-5.56-system-ciphers.patch Patch4: stunnel-5.56-coverity.patch -Patch5: stunnel-5.56-default-tls-version.patch +Patch5: stunnel-5.61-default-tls-version.patch Patch6: stunnel-5.56-curves-doc-update.patch -Patch7: stunnel-5.58-openssl30.patch +Patch7: stunnel-5.61-openssl30-fips.patch # util-linux is needed for rename BuildRequires: make BuildRequires: gcc @@ -40,6 +40,7 @@ BuildRequires: /usr/bin/pod2man BuildRequires: /usr/bin/pod2html # build test requirements BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps +BuildRequires: python3 openssl BuildRequires: systemd %{?systemd_requires} @@ -57,13 +58,10 @@ conjunction with imapd to create a TLS secure IMAP server. %patch4 -p1 -b .coverity %patch5 -p1 -b .default-tls-version %patch6 -p1 -b .curves-doc-update -%patch7 -p1 -b .openssl30 +%patch7 -p1 -b .openssl30-fips -# Fix the configure script output for FIPS mode and stack protector flag -sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure - -# Fix a testcase with system-ciphers support -sed -i '/client = yes/a \\ ciphers = PSK' tests/recipes/014_PSK_secrets +# Fix the stack protector flag +sed -i 's/-fstack-protector/-fstack-protector-strong/' configure %build #autoreconf -v @@ -100,14 +98,6 @@ cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service %endif %check -# For unknown reason the 042_inetd test fails in Koji. The failure is not reproducible -# in local build. -rm tests/recipes/042_inetd -# We override the security policy as it is too strict for the tests. -OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file -export OPENSSL_SYSTEM_CIPHERS_OVERRIDE -OPENSSL_CONF= -export OPENSSL_CONF make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done) %files @@ -130,6 +120,7 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done) %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 %{_unitdir}/%{name}*.service %endif +%{_datadir}/bash-completion/completions/%{name}.bash %post /sbin/ldconfig @@ -143,6 +134,10 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done) %systemd_postun_with_restart %{name}.service %changelog +* Tue Jan 18 2022 Clemens Lang - 5.62-1 +- New upstream release 5.62 + Resolves: rhbz#2039299 + * Tue Aug 10 2021 Mohan Boddu - 5.58-6 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688