New upstream release 5.62
Update the default TLS version patch to no longer include a large amount of whitespace in its "Using the default TLS version as specified in its OpenSSL crypto policies. Not setting explicitly." message. The whitespace was caused by a line continuation, which is now replaced by string literal concatenation. Patch one of the FIPS tests to address changed error behavior when a cipher suite is not available in OpenSSL 3. Switch to package URL to https. Upstream has done the same in the spec file in the tarball. Add build dependencies for python3 and the openssl command line tool. Both are used in tests now. Drop a sed expression applied to the configure script that no longer does anything and remove environment variables from testing that are no longer required to make the tests pass. Resolves: rhbz#2039299 Signed-off-by: Clemens Lang <cllang@redhat.com>
This commit is contained in:
parent
8e36d91cb1
commit
a7cc901333
4
.gitignore
vendored
4
.gitignore
vendored
@ -118,3 +118,7 @@ stunnel-4.33.tar.gz.asc
|
||||
/stunnel-5.57.tar.gz.asc
|
||||
/stunnel-5.58.tar.gz
|
||||
/stunnel-5.58.tar.gz.asc
|
||||
/stunnel-5.61.tar.gz
|
||||
/stunnel-5.61.tar.gz.asc
|
||||
/stunnel-5.62.tar.gz
|
||||
/stunnel-5.62.tar.gz.asc
|
||||
|
4
sources
4
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (stunnel-5.58.tar.gz) = 6f62bf13bf53f174b2810ad6708a9dfdb70e9b4e2f60c0c9cf4df691169a63014901402ccbe2862010f4cee240c1a8eec34b70a7a3fcef36e7a2ca14a7f70ece
|
||||
SHA512 (stunnel-5.58.tar.gz.asc) = 0deb4f521e3683b5f74afd0493ddd950193ffc30159b759a5eb5d0f8a4fb2cccacceb12e202b2abc963718ed44704415f53cc705f46656b96721013cc2f6747b
|
||||
SHA512 (stunnel-5.62.tar.gz) = 4ce03faa27e417b49fbdf0fbac91befb2c05ce64694b4b6fd2fc482031ee4a229299627133a47ff3efdfdffce751e1300d95d0a8ac1f1858c7c96f0b067170de
|
||||
SHA512 (stunnel-5.62.tar.gz.asc) = 983b41100e7ef6dba5a9b7e7cd64e50b1f6860a6bf18ca393e14d65680bfed951475e6f7f4ec9e8da036aaa86e0668f65e3df7025220eda7315de4d110a24ac5
|
||||
|
@ -1,11 +0,0 @@
|
||||
diff -up stunnel-5.50/tools/stunnel.service.in.systemd-service stunnel-5.50/tools/stunnel.service.in
|
||||
--- stunnel-5.50/tools/stunnel.service.in.systemd-service 2019-01-14 12:17:15.826868965 +0100
|
||||
+++ stunnel-5.50/tools/stunnel.service.in 2019-01-14 12:18:21.186753131 +0100
|
||||
@@ -5,6 +5,7 @@ After=syslog.target network.target
|
||||
[Service]
|
||||
ExecStart=@bindir@/stunnel
|
||||
Type=forking
|
||||
+PrivateTmp=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -1,11 +0,0 @@
|
||||
diff -up stunnel-5.58/src/ctx.c.openssl30 stunnel-5.58/src/ctx.c
|
||||
--- stunnel-5.58/src/ctx.c.openssl30 2021-08-03 16:02:24.687409192 +0200
|
||||
+++ stunnel-5.58/src/ctx.c 2021-08-03 16:03:36.889009510 +0200
|
||||
@@ -1011,6 +1011,7 @@ NOEXPORT int ui_retry() {
|
||||
switch(ERR_GET_REASON(err)) {
|
||||
case UI_R_RESULT_TOO_LARGE:
|
||||
case UI_R_RESULT_TOO_SMALL:
|
||||
+ case UI_R_PROCESSING_ERROR:
|
||||
return 1;
|
||||
default:
|
||||
return 0;
|
@ -1,18 +1,50 @@
|
||||
--- stunnel-5.56/src/prototypes.h.default-tls-version 2020-04-06 11:22:24.480280384 +0200
|
||||
+++ stunnel-5.56/src/prototypes.h 2020-04-06 11:21:05.407597053 +0200
|
||||
@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
|
||||
ICON_IMAGE load_icon_file(const char *);
|
||||
#endif
|
||||
|
||||
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
|
||||
+ crypto policies */
|
||||
+
|
||||
#endif /* defined PROTOTYPES_H */
|
||||
|
||||
/* end of prototypes.h */
|
||||
--- stunnel-5.56/src/options.c.default-tls-version 2020-04-06 18:58:48.947214149 +0200
|
||||
+++ stunnel-5.56/src/options.c 2020-04-08 15:45:18.093520780 +0200
|
||||
@@ -3123,8 +3123,9 @@ NOEXPORT char *parse_service_option(CMD
|
||||
diff -up stunnel-5.61/src/ctx.c.default-tls-version stunnel-5.61/src/ctx.c
|
||||
--- stunnel-5.61/src/ctx.c.default-tls-version 2021-12-13 09:43:22.000000000 +0100
|
||||
+++ stunnel-5.61/src/ctx.c 2022-01-10 19:27:49.913243127 +0100
|
||||
@@ -149,18 +149,28 @@ int context_init(SERVICE_OPTIONS *sectio
|
||||
section->ctx=SSL_CTX_new(section->option.client ?
|
||||
TLS_client_method() : TLS_server_method());
|
||||
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
|
||||
- if(!SSL_CTX_set_min_proto_version(section->ctx,
|
||||
- section->min_proto_version)) {
|
||||
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
||||
- section->min_proto_version);
|
||||
- return 1; /* FAILED */
|
||||
- }
|
||||
- if(!SSL_CTX_set_max_proto_version(section->ctx,
|
||||
- section->max_proto_version)) {
|
||||
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
||||
- section->max_proto_version);
|
||||
- return 1; /* FAILED */
|
||||
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
|
||||
+ s_log(LOG_INFO, "Using the default TLS version as specified in "
|
||||
+ "OpenSSL crypto policies. Not setting explicitly.");
|
||||
+ } else {
|
||||
+ if(!SSL_CTX_set_min_proto_version(section->ctx,
|
||||
+ section->min_proto_version)) {
|
||||
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
||||
+ section->min_proto_version);
|
||||
+ return 1; /* FAILED */
|
||||
+ }
|
||||
}
|
||||
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
|
||||
+ s_log(LOG_INFO, "Using the default TLS version as specified in "
|
||||
+ "OpenSSL crypto policies. Not setting explicitly");
|
||||
+ } else {
|
||||
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
|
||||
+ section->max_proto_version)) {
|
||||
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
||||
+ section->max_proto_version);
|
||||
+ return 1; /* FAILED */
|
||||
+ }
|
||||
+ }
|
||||
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
|
||||
if(section->option.client)
|
||||
section->ctx=SSL_CTX_new(section->client_method);
|
||||
diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options.c
|
||||
--- stunnel-5.61/src/options.c.default-tls-version 2022-01-10 19:23:15.096254067 +0100
|
||||
+++ stunnel-5.61/src/options.c 2022-01-10 19:23:15.098254103 +0100
|
||||
@@ -3297,8 +3297,9 @@ NOEXPORT char *parse_service_option(CMD
|
||||
return "Invalid protocol version";
|
||||
return NULL; /* OK */
|
||||
case CMD_INITIALIZE:
|
||||
@ -24,7 +56,7 @@
|
||||
return "Invalid protocol version range";
|
||||
break;
|
||||
case CMD_PRINT_DEFAULTS:
|
||||
@@ -3142,7 +3143,10 @@ NOEXPORT char *parse_service_option(CMD
|
||||
@@ -3316,7 +3317,10 @@ NOEXPORT char *parse_service_option(CMD
|
||||
/* sslVersionMax */
|
||||
switch(cmd) {
|
||||
case CMD_SET_DEFAULTS:
|
||||
@ -36,7 +68,7 @@
|
||||
break;
|
||||
case CMD_SET_COPY:
|
||||
section->max_proto_version=new_service_options.max_proto_version;
|
||||
@@ -3173,7 +3177,10 @@ NOEXPORT char *parse_service_option(CMD
|
||||
@@ -3347,7 +3351,10 @@ NOEXPORT char *parse_service_option(CMD
|
||||
/* sslVersionMin */
|
||||
switch(cmd) {
|
||||
case CMD_SET_DEFAULTS:
|
||||
@ -48,45 +80,16 @@
|
||||
break;
|
||||
case CMD_SET_COPY:
|
||||
section->min_proto_version=new_service_options.min_proto_version;
|
||||
--- stunnel-5.56/src/ctx.c.default-tls-version 2019-10-24 10:48:11.000000000 +0200
|
||||
+++ stunnel-5.56/src/ctx.c 2020-04-06 11:16:48.406406794 +0200
|
||||
@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio
|
||||
section->ctx=SSL_CTX_new(TLS_client_method());
|
||||
else /* server mode */
|
||||
section->ctx=SSL_CTX_new(TLS_server_method());
|
||||
- if(!SSL_CTX_set_min_proto_version(section->ctx,
|
||||
- section->min_proto_version)) {
|
||||
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
||||
- section->min_proto_version);
|
||||
- return 1; /* FAILED */
|
||||
diff -up stunnel-5.61/src/prototypes.h.default-tls-version stunnel-5.61/src/prototypes.h
|
||||
--- stunnel-5.61/src/prototypes.h.default-tls-version 2021-12-13 09:43:22.000000000 +0100
|
||||
+++ stunnel-5.61/src/prototypes.h 2022-01-10 19:23:15.099254121 +0100
|
||||
@@ -932,6 +932,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
|
||||
ICON_IMAGE load_icon_file(const char *);
|
||||
#endif
|
||||
|
||||
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
|
||||
+ crypto policies */
|
||||
+
|
||||
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
|
||||
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
|
||||
+ OpenSSL crypto policies. Not setting explicitly.");
|
||||
+ } else {
|
||||
+ if(!SSL_CTX_set_min_proto_version(section->ctx,
|
||||
+ section->min_proto_version)) {
|
||||
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
||||
+ section->min_proto_version);
|
||||
+ return 1; /* FAILED */
|
||||
+ }
|
||||
}
|
||||
- if(!SSL_CTX_set_max_proto_version(section->ctx,
|
||||
- section->max_proto_version)) {
|
||||
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
||||
- section->max_proto_version);
|
||||
- return 1; /* FAILED */
|
||||
+
|
||||
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
|
||||
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
|
||||
+ OpenSSL crypto policies. Not setting explicitly");
|
||||
+ } else {
|
||||
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
|
||||
+ section->max_proto_version)) {
|
||||
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
||||
+ section->max_proto_version);
|
||||
+ return 1; /* FAILED */
|
||||
+ }
|
||||
}
|
||||
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
|
||||
if(section->option.client)
|
||||
#endif /* defined PROTOTYPES_H */
|
||||
|
||||
/* end of prototypes.h */
|
19
stunnel-5.61-openssl30-fips.patch
Normal file
19
stunnel-5.61-openssl30-fips.patch
Normal file
@ -0,0 +1,19 @@
|
||||
tests: Adapt to OpenSSL 3.x FIPS mode
|
||||
|
||||
In OpenSSL 3.0 with FIPS enabled, this test no longer fails with
|
||||
a human-readable error message (such as "no ciphers available"), but
|
||||
instead causes an internal error. Extend the success regex list to also
|
||||
accept this result.
|
||||
diff -up stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 stunnel-5.61/tests/plugins/p11_fips_cipher.py
|
||||
--- stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 2022-01-12 15:15:03.211690650 +0100
|
||||
+++ stunnel-5.61/tests/plugins/p11_fips_cipher.py 2022-01-12 15:15:20.937008173 +0100
|
||||
@@ -91,7 +91,8 @@ class FailureCiphersuitesFIPS(StunnelTes
|
||||
self.events.count = 1
|
||||
self.events.success = [
|
||||
"disabled for FIPS",
|
||||
- "no ciphers available"
|
||||
+ "no ciphers available",
|
||||
+ "TLS alert \\(write\\): fatal: internal error"
|
||||
]
|
||||
self.events.failure = [
|
||||
"peer did not return a certificate",
|
11
stunnel-5.61-systemd-service.patch
Normal file
11
stunnel-5.61-systemd-service.patch
Normal file
@ -0,0 +1,11 @@
|
||||
diff -up stunnel-5.61/tools/stunnel.service.in.systemd-service stunnel-5.61/tools/stunnel.service.in
|
||||
--- stunnel-5.61/tools/stunnel.service.in.systemd-service 2022-01-12 14:48:32.474150329 +0100
|
||||
+++ stunnel-5.61/tools/stunnel.service.in 2022-01-12 14:50:15.253984639 +0100
|
||||
@@ -6,6 +6,7 @@ After=syslog.target network-online.targe
|
||||
ExecStart=@bindir@/stunnel
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
Type=forking
|
||||
+PrivateTmp=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
35
stunnel.spec
35
stunnel.spec
@ -9,10 +9,10 @@
|
||||
|
||||
Summary: A TLS-encrypting socket wrapper
|
||||
Name: stunnel
|
||||
Version: 5.58
|
||||
Release: 6%{?dist}
|
||||
Version: 5.62
|
||||
Release: 1%{?dist}
|
||||
License: GPLv2
|
||||
URL: http://www.stunnel.org/
|
||||
URL: https://www.stunnel.org/
|
||||
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
|
||||
Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc
|
||||
Source2: Certificate-Creation
|
||||
@ -22,12 +22,12 @@ Source5: pop3-redirect.xinetd
|
||||
Source6: stunnel-pop3s-client.conf
|
||||
Source7: stunnel@.service
|
||||
Patch0: stunnel-5.50-authpriv.patch
|
||||
Patch1: stunnel-5.50-systemd-service.patch
|
||||
Patch1: stunnel-5.61-systemd-service.patch
|
||||
Patch3: stunnel-5.56-system-ciphers.patch
|
||||
Patch4: stunnel-5.56-coverity.patch
|
||||
Patch5: stunnel-5.56-default-tls-version.patch
|
||||
Patch5: stunnel-5.61-default-tls-version.patch
|
||||
Patch6: stunnel-5.56-curves-doc-update.patch
|
||||
Patch7: stunnel-5.58-openssl30.patch
|
||||
Patch7: stunnel-5.61-openssl30-fips.patch
|
||||
# util-linux is needed for rename
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc
|
||||
@ -40,6 +40,7 @@ BuildRequires: /usr/bin/pod2man
|
||||
BuildRequires: /usr/bin/pod2html
|
||||
# build test requirements
|
||||
BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
|
||||
BuildRequires: python3 openssl
|
||||
BuildRequires: systemd
|
||||
%{?systemd_requires}
|
||||
|
||||
@ -57,13 +58,10 @@ conjunction with imapd to create a TLS secure IMAP server.
|
||||
%patch4 -p1 -b .coverity
|
||||
%patch5 -p1 -b .default-tls-version
|
||||
%patch6 -p1 -b .curves-doc-update
|
||||
%patch7 -p1 -b .openssl30
|
||||
%patch7 -p1 -b .openssl30-fips
|
||||
|
||||
# Fix the configure script output for FIPS mode and stack protector flag
|
||||
sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure
|
||||
|
||||
# Fix a testcase with system-ciphers support
|
||||
sed -i '/client = yes/a \\ ciphers = PSK' tests/recipes/014_PSK_secrets
|
||||
# Fix the stack protector flag
|
||||
sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
|
||||
|
||||
%build
|
||||
#autoreconf -v
|
||||
@ -100,14 +98,6 @@ cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service
|
||||
%endif
|
||||
|
||||
%check
|
||||
# For unknown reason the 042_inetd test fails in Koji. The failure is not reproducible
|
||||
# in local build.
|
||||
rm tests/recipes/042_inetd
|
||||
# We override the security policy as it is too strict for the tests.
|
||||
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
|
||||
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
|
||||
OPENSSL_CONF=
|
||||
export OPENSSL_CONF
|
||||
make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
|
||||
|
||||
%files
|
||||
@ -130,6 +120,7 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
|
||||
%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
|
||||
%{_unitdir}/%{name}*.service
|
||||
%endif
|
||||
%{_datadir}/bash-completion/completions/%{name}.bash
|
||||
|
||||
%post
|
||||
/sbin/ldconfig
|
||||
@ -143,6 +134,10 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
|
||||
%systemd_postun_with_restart %{name}.service
|
||||
|
||||
%changelog
|
||||
* Tue Jan 18 2022 Clemens Lang <cllang@redhat.com> - 5.62-1
|
||||
- New upstream release 5.62
|
||||
Resolves: rhbz#2039299
|
||||
|
||||
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 5.58-6
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
Loading…
Reference in New Issue
Block a user