From c27f3145945f310c54f023d8b36fb3f9465ab903 Mon Sep 17 00:00:00 2001
From: Clemens Lang
Date: Thu, 5 Oct 2023 11:05:56 +0200
Subject: [PATCH] New upstream release 5.71

* Features
- OCSP stapling is requested and verified in the client mode.
- Using "verifyChain" automatically enables OCSP stapling in the client mode.
- OCSP stapling is always available in the server mode.
- An inconclusive OCSP verification breaks TLS negotiation. This can be disabled with "OCSPrequire = no".
- Added the "TIMEOUTocsp" option to control the maximum time allowed for connecting an OCSP responder.
- Added support for Red Hat OpenSSL 3.x patches.

Resolves: rhbz#2239740
Signed-off-by: Clemens Lang
---
 changelog | 4 ++
 sources | 4 +-
 stunnel-5.56-coverity.patch | 40 -----------------
 stunnel-5.62-disabled-curves.patch | 71 ------------------------------
 stunnel.spec | 12 +++--
 5 files changed, 11 insertions(+), 120 deletions(-)
 delete mode 100644 stunnel-5.56-coverity.patch
 delete mode 100644 stunnel-5.62-disabled-curves.patch

diff --git a/changelog b/changelog
index 32b18fc..0aa902c 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,7 @@
+* Thu Oct 5 2023 Clemens Lang - 5.71-1
+- New upstream release 5.71
+ Resolves: rhbz#2239740
+
 * Wed Aug 30 2023 Clemens Lang - 5.70-3
 - migrated to SPDX license
diff --git a/sources b/sources
index 169a300..2b51b59 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (stunnel-5.70.tar.gz) = f3fd1c248561d300932ebf64988f4de6596be898bbfe8f370566d9fd9eafef294704f85ed9699410377d7f1c4c27f8ba0edbaabccca87fac7d5a40ac90a3b837
-SHA512 (stunnel-5.70.tar.gz.asc) = 453496109a4da4b931da6c202ec1db2bb959b6a2698789236bf00022d2f21f468dc7cf6464fc1132c7d91225c41a69e4a6a03f571e305297e8b2b265bf68bb2c
+SHA512 (stunnel-5.71.tar.gz) = c7004f48b93b3415305eec1193d51b7bf51a3bdd2cdc9f6ae588f563b32408b1ecde83b9f3f5b658f945ab5bcc5124390c38235394aad4471bf5b666081af2a2
+SHA512 (stunnel-5.71.tar.gz.asc) = 513cd7bc9b46e92451ae1d48eb8dc7e64374c820cf8a3d86fcd04d365d673e632234af17880501ddc2e62e4d15e592e90ff308e47436b487b01160f905753ebc
diff --git a/stunnel-5.56-coverity.patch b/stunnel-5.56-coverity.patch
deleted file mode 100644
index 0fc8c98..0000000
--- a/stunnel-5.56-coverity.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From c705c47f486cff5b6d79ca3183a6faec015f3ac1 Mon Sep 17 00:00:00 2001
-From: Sahana Prasad
-Date: Mon, 12 Sep 2022 11:07:38 +0200
-Subject: [PATCH 4/8] Apply patch stunnel-5.56-coverity.patch
-
-Patch-name: stunnel-5.56-coverity.patch
-Patch-id: 4
-From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
----
- src/str.c | 1 +
- src/stunnel.c | 1 -
- 2 files changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/str.c b/src/str.c
-index b9eca81..fd62db8 100644
---- a/src/str.c
-+++ b/src/str.c
-@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va_list start_ap) {
- for(;;) {
- va_copy(ap, start_ap);
- n=vsnprintf(p, size, format, ap);
-+ va_end(ap);
- if(n>-1 && n<(int)size)
- return p;
- if(n>-1) /* glibc 2.1 */
-diff --git a/src/stunnel.c b/src/stunnel.c
-index 4ce906b..31115ea 100644
---- a/src/stunnel.c
-+++ b/src/stunnel.c
-@@ -445,7 +445,6 @@ NOEXPORT int accept_connection(SERVICE_OPTIONS *opt, unsigned i) {
- #endif
- if(create_client(fd, s, alloc_client_session(opt, s, s))) {
- s_log(LOG_ERR, "Connection rejected: create_client failed");
-- closesocket(s);
- #ifndef USE_FORK
- service_free(opt);
- #endif
---
-2.37.3
-
diff --git a/stunnel-5.62-disabled-curves.patch b/stunnel-5.62-disabled-curves.patch
deleted file mode 100644
index 4f0e5a8..0000000
--- a/stunnel-5.62-disabled-curves.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 2043ed7c27e14310bec49e1df6348af3882db7bb Mon Sep 17 00:00:00 2001
-From: Clemens Lang
-Date: Mon, 12 Sep 2022 11:07:38 +0200
-Subject: [PATCH 8/8] Limit curves defaults in FIPS mode
-
-Our copy of OpenSSL disables the X25519 and X448 curves in FIPS mode,
-but stunnel defaults to enabling them and then fails to do so.
-
-Patch-name: stunnel-5.62-disabled-curves.patch
-Patch-status: Limit curves defaults in FIPS mode
-Patch-id: 8
-From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
----
- src/options.c | 23 +++++++++++++++++++++--
- 1 file changed, 21 insertions(+), 2 deletions(-)
-
-diff --git a/src/options.c b/src/options.c
-index 09d02bd..fe4e776 100644
---- a/src/options.c
-+++ b/src/options.c
-@@ -39,8 +39,10 @@
- 
- #if OPENSSL_VERSION_NUMBER >= 0x10101000L
- #define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
-+#define DEFAULT_CURVES_FIPS "P-256:P-521:P-384"
- #else /* OpenSSL version < 1.1.1 */
- #define DEFAULT_CURVES "prime256v1"
-+#define DEFAULT_CURVES_FIPS "prime256v1"
- #endif /* OpenSSL version >= 1.1.1 */
- 
- #if defined(_WIN32_WCE) && !defined(CONFDIR)
-@@ -1847,7 +1849,7 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
- /* curves */
- switch(cmd) {
- case CMD_SET_DEFAULTS:
-- section->curves=str_dup_detached(DEFAULT_CURVES);
-+ section->curves = NULL;
- break;
- case CMD_SET_COPY:
- section->curves=str_dup_detached(new_service_options.curves);
-@@ -1862,9 +1864,26 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
- section->curves=str_dup_detached(arg);
- return NULL; /* OK */
- case CMD_INITIALIZE:
-+ if(!section->curves) {
-+ /* this is only executed for global options, because
-+ * section->curves is no longer NULL in sections */
-+#ifdef USE_FIPS
-+ if(new_global_options.option.fips)
-+ section->curves=str_dup_detached(DEFAULT_CURVES_FIPS);
-+ else
-+#endif /* USE_FIPS */
-+ section->curves=str_dup_detached(DEFAULT_CURVES);
-+ }
- break;
- case CMD_PRINT_DEFAULTS:
-- s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
-+ if(fips_available()) {
-+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
-+ DEFAULT_CURVES_FIPS, "(with \"fips = yes\")");
-+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
-+ DEFAULT_CURVES, "(with \"fips = no\")");
-+ } else {
-+ s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
-+ }
- break;
- case CMD_PRINT_HELP:
- s_log(LOG_NOTICE, "%-22s = ECDH curve names", "curves");
---
-2.37.3
-
diff --git a/stunnel.spec b/stunnel.spec
index 55c0924..252d2dd 100644
--- a/stunnel.spec
+++ b/stunnel.spec
@@ -9,7 +9,7 @@ Summary: A TLS-encrypting socket wrapper
 Name: stunnel
-Version: 5.70
+Version: 5.71
 Release: %autorelease
 License: GPL-2.0-or-later WITH stunnel-exception AND MIT
 URL: https://www.stunnel.org/
@@ -22,7 +22,9 @@ Source5: pop3-redirect.xinetd
 Source6: stunnel-pop3s-client.conf
 Source7: stunnel@.service
 # Upstream release signing key
-Source99: https://www.stunnel.org/pgp.asc
+# Upstream source is https://www.stunnel.org/pgp.asc; using a local URL because
+# the remote one makes packit source-git choke.
+Source99: pgp.asc
 # Apply patch stunnel-5.50-authpriv.patch
 Patch0: stunnel-5.50-authpriv.patch
 # Apply patch stunnel-5.61-systemd-service.patch
@@ -34,14 +36,10 @@ Patch1: stunnel-5.61-systemd-service.patch
 # platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
 # policies. Change stunnel to default to this setting.
 Patch3: stunnel-5.69-system-ciphers.patch
-# Apply patch stunnel-5.56-coverity.patch
-Patch4: stunnel-5.56-coverity.patch
 # Apply patch stunnel-5.69-default-tls-version.patch
 Patch5: stunnel-5.69-default-tls-version.patch
 # Apply patch stunnel-5.56-curves-doc-update.patch
 Patch6: stunnel-5.56-curves-doc-update.patch
-# Limit curves defaults in FIPS mode
-Patch8: stunnel-5.62-disabled-curves.patch
 # util-linux is needed for rename
 BuildRequires: make
 BuildRequires: gcc
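Review bot: Dropping Patch4 (stunnel-5.56-coverity.patch) and Patch8 (stunnel-5.62-disabled-curves.patch) in this hunk is not explained anywhere in the commit; the upstream feature list only hints at the second via "Added support for Red Hat OpenSSL 3.x patches", and says nothing about the first. Per the deleted files, Patch4 added a va_end() after va_copy() in str_vprintf and removed a second closesocket() in accept_connection, and Patch8 kept X25519/X448 out of the default curve list when fips = yes because stunnel otherwise defaults to enabling them and fails; if 5.71 does not carry equivalent changes, both regress silently. Please confirm against the 5.71 source and record the reason where the lines are removed, e.g. `# stunnel-5.56-coverity.patch and stunnel-5.62-disabled-curves.patch dropped: their fixes are part of upstream 5.71` next to Patch6, or add that sentence to the changelog entry.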
@@ -55,7 +53,7 @@ BuildRequires: /usr/bin/pod2man
 BuildRequires: /usr/bin/pod2html
 # build test requirements
 BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
-BuildRequires: python3 openssl
+BuildRequires: python3 python3-cryptography openssl
 BuildRequires: systemd systemd-devel
 %{?systemd_requires}