New upstream release 5.71

* Features
 - OCSP stapling is requested and verified in the client mode.
 - Using "verifyChain" automatically enables OCSP stapling in the client
   mode.
 - OCSP stapling is always available in the server mode.
 - An inconclusive OCSP verification breaks TLS negotiation. This can be
   disabled with "OCSPrequire = no".
 - Added the "TIMEOUTocsp" option to control the maximum time allowed
   for connecting an OCSP responder.
 - Added support for Red Hat OpenSSL 3.x patches.

Resolves: rhbz#2239740
Signed-off-by: Clemens Lang <cllang@redhat.com>

changelog

@@ -1,3 +1,7 @@
+* Thu Oct 5 2023 Clemens Lang <cllang@redhat.com> - 5.71-1
+- New upstream release 5.71
+  Resolves: rhbz#2239740
+
 * Wed Aug 30 2023 Clemens Lang <cllang@redhat.com> - 5.70-3
 - migrated to SPDX license
 

sources

@@ -1,2 +1,2 @@
-SHA512 (stunnel-5.70.tar.gz) = f3fd1c248561d300932ebf64988f4de6596be898bbfe8f370566d9fd9eafef294704f85ed9699410377d7f1c4c27f8ba0edbaabccca87fac7d5a40ac90a3b837
+SHA512 (stunnel-5.71.tar.gz) = c7004f48b93b3415305eec1193d51b7bf51a3bdd2cdc9f6ae588f563b32408b1ecde83b9f3f5b658f945ab5bcc5124390c38235394aad4471bf5b666081af2a2
-SHA512 (stunnel-5.70.tar.gz.asc) = 453496109a4da4b931da6c202ec1db2bb959b6a2698789236bf00022d2f21f468dc7cf6464fc1132c7d91225c41a69e4a6a03f571e305297e8b2b265bf68bb2c
+SHA512 (stunnel-5.71.tar.gz.asc) = 513cd7bc9b46e92451ae1d48eb8dc7e64374c820cf8a3d86fcd04d365d673e632234af17880501ddc2e62e4d15e592e90ff308e47436b487b01160f905753ebc

stunnel-5.56-coverity.patch

@@ -1,40 +0,0 @@
-From c705c47f486cff5b6d79ca3183a6faec015f3ac1 Mon Sep 17 00:00:00 2001
-From: Sahana Prasad <sahana@redhat.com>
-Date: Mon, 12 Sep 2022 11:07:38 +0200
-Subject: [PATCH 4/8] Apply patch stunnel-5.56-coverity.patch
-
-Patch-name: stunnel-5.56-coverity.patch
-Patch-id: 4
-From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
----
- src/str.c     | 1 +
- src/stunnel.c | 1 -
- 2 files changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/str.c b/src/str.c
-index b9eca81..fd62db8 100644
---- a/src/str.c
-+++ b/src/str.c
-@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va_list start_ap) {
-     for(;;) {
-         va_copy(ap, start_ap);
-         n=vsnprintf(p, size, format, ap);
-+        va_end(ap);
-         if(n>-1 && n<(int)size)
-             return p;
-         if(n>-1)                /* glibc 2.1 */
-diff --git a/src/stunnel.c b/src/stunnel.c
-index 4ce906b..31115ea 100644
---- a/src/stunnel.c
-+++ b/src/stunnel.c
-@@ -445,7 +445,6 @@ NOEXPORT int accept_connection(SERVICE_OPTIONS *opt, unsigned i) {
- #endif
-     if(create_client(fd, s, alloc_client_session(opt, s, s))) {
-         s_log(LOG_ERR, "Connection rejected: create_client failed");
--        closesocket(s);
- #ifndef USE_FORK
-         service_free(opt);
- #endif
--- 
-2.37.3
-

stunnel-5.62-disabled-curves.patch

@@ -1,71 +0,0 @@
-From 2043ed7c27e14310bec49e1df6348af3882db7bb Mon Sep 17 00:00:00 2001
-From: Clemens Lang <cllang@redhat.com>
-Date: Mon, 12 Sep 2022 11:07:38 +0200
-Subject: [PATCH 8/8] Limit curves defaults in FIPS mode
-
-Our copy of OpenSSL disables the X25519 and X448 curves in FIPS mode,
-but stunnel defaults to enabling them and then fails to do so.
-
-Patch-name: stunnel-5.62-disabled-curves.patch
-Patch-status: Limit curves defaults in FIPS mode
-Patch-id: 8
-From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
----
- src/options.c | 23 +++++++++++++++++++++--
- 1 file changed, 21 insertions(+), 2 deletions(-)
-
-diff --git a/src/options.c b/src/options.c
-index 09d02bd..fe4e776 100644
---- a/src/options.c
-+++ b/src/options.c
-@@ -39,8 +39,10 @@
- 
- #if OPENSSL_VERSION_NUMBER >= 0x10101000L
- #define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
-+#define DEFAULT_CURVES_FIPS "P-256:P-521:P-384"
- #else /* OpenSSL version < 1.1.1 */
- #define DEFAULT_CURVES "prime256v1"
-+#define DEFAULT_CURVES_FIPS "prime256v1"
- #endif /* OpenSSL version >= 1.1.1 */
- 
- #if defined(_WIN32_WCE) && !defined(CONFDIR)
-@@ -1847,7 +1849,7 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
-     /* curves */
-     switch(cmd) {
-     case CMD_SET_DEFAULTS:
--        section->curves=str_dup_detached(DEFAULT_CURVES);
-+        section->curves = NULL;
-         break;
-     case CMD_SET_COPY:
-         section->curves=str_dup_detached(new_service_options.curves);
-@@ -1862,9 +1864,26 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
-         section->curves=str_dup_detached(arg);
-         return NULL; /* OK */
-     case CMD_INITIALIZE:
-+        if(!section->curves) {
-+            /* this is only executed for global options, because
-+             * section->curves is no longer NULL in sections */
-+#ifdef USE_FIPS
-+            if(new_global_options.option.fips)
-+                section->curves=str_dup_detached(DEFAULT_CURVES_FIPS);
-+            else
-+#endif /* USE_FIPS */
-+                section->curves=str_dup_detached(DEFAULT_CURVES);
-+        }
-         break;
-     case CMD_PRINT_DEFAULTS:
--        s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
-+        if(fips_available()) {
-+            s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
-+                DEFAULT_CURVES_FIPS, "(with \"fips = yes\")");
-+            s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
-+                DEFAULT_CURVES, "(with \"fips = no\")");
-+        } else {
-+            s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
-+        }
-         break;
-     case CMD_PRINT_HELP:
-         s_log(LOG_NOTICE, "%-22s = ECDH curve names", "curves");
--- 
-2.37.3
-

stunnel.spec

@@ -9,7 +9,7 @@
 
 Summary: A TLS-encrypting socket wrapper
 Name: stunnel
-Version: 5.70
+Version: 5.71
 Release: %autorelease
 License: GPL-2.0-or-later WITH stunnel-exception AND MIT
 URL: https://www.stunnel.org/
@@ -22,7 +22,9 @@ Source5: pop3-redirect.xinetd
 Source6: stunnel-pop3s-client.conf
 Source7: stunnel@.service
 # Upstream release signing key
-Source99: https://www.stunnel.org/pgp.asc
+# Upstream source is https://www.stunnel.org/pgp.asc; using a local URL because
+# the remote one makes packit source-git choke.
+Source99: pgp.asc
 # Apply patch stunnel-5.50-authpriv.patch
 Patch0:   stunnel-5.50-authpriv.patch
 # Apply patch stunnel-5.61-systemd-service.patch
@@ -34,14 +36,10 @@ Patch1:   stunnel-5.61-systemd-service.patch
 # platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
 # policies. Change stunnel to default to this setting.
 Patch3:   stunnel-5.69-system-ciphers.patch
-# Apply patch stunnel-5.56-coverity.patch
-Patch4:   stunnel-5.56-coverity.patch
 # Apply patch stunnel-5.69-default-tls-version.patch
 Patch5:   stunnel-5.69-default-tls-version.patch
 # Apply patch stunnel-5.56-curves-doc-update.patch
 Patch6:   stunnel-5.56-curves-doc-update.patch
-# Limit curves defaults in FIPS mode
-Patch8:   stunnel-5.62-disabled-curves.patch
 # util-linux is needed for rename
 BuildRequires: make
 BuildRequires: gcc
@@ -55,7 +53,7 @@ BuildRequires: /usr/bin/pod2man
 BuildRequires: /usr/bin/pod2html
 # build test requirements
 BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
-BuildRequires: python3 openssl
+BuildRequires: python3 python3-cryptography openssl
 BuildRequires: systemd systemd-devel
 %{?systemd_requires}