New upstream release 5.71

* Features
 - OCSP stapling is requested and verified in the client mode.
 - Using "verifyChain" automatically enables OCSP stapling in the client
   mode.
 - OCSP stapling is always available in the server mode.
 - An inconclusive OCSP verification breaks TLS negotiation. This can be
   disabled with "OCSPrequire = no".
 - Added the "TIMEOUTocsp" option to control the maximum time allowed
   for connecting an OCSP responder.
 - Added support for Red Hat OpenSSL 3.x patches.

Resolves: rhbz#2239740
Signed-off-by: Clemens Lang <cllang@redhat.com>
This commit is contained in:
Clemens Lang 2023-10-05 11:05:56 +02:00
parent a0c4ac9d12
commit c27f314594
5 changed files with 11 additions and 120 deletions

View File

@ -1,3 +1,7 @@
* Thu Oct 5 2023 Clemens Lang <cllang@redhat.com> - 5.71-1
- New upstream release 5.71
Resolves: rhbz#2239740
* Wed Aug 30 2023 Clemens Lang <cllang@redhat.com> - 5.70-3 * Wed Aug 30 2023 Clemens Lang <cllang@redhat.com> - 5.70-3
- migrated to SPDX license - migrated to SPDX license

View File

@ -1,2 +1,2 @@
SHA512 (stunnel-5.70.tar.gz) = f3fd1c248561d300932ebf64988f4de6596be898bbfe8f370566d9fd9eafef294704f85ed9699410377d7f1c4c27f8ba0edbaabccca87fac7d5a40ac90a3b837 SHA512 (stunnel-5.71.tar.gz) = c7004f48b93b3415305eec1193d51b7bf51a3bdd2cdc9f6ae588f563b32408b1ecde83b9f3f5b658f945ab5bcc5124390c38235394aad4471bf5b666081af2a2
SHA512 (stunnel-5.70.tar.gz.asc) = 453496109a4da4b931da6c202ec1db2bb959b6a2698789236bf00022d2f21f468dc7cf6464fc1132c7d91225c41a69e4a6a03f571e305297e8b2b265bf68bb2c SHA512 (stunnel-5.71.tar.gz.asc) = 513cd7bc9b46e92451ae1d48eb8dc7e64374c820cf8a3d86fcd04d365d673e632234af17880501ddc2e62e4d15e592e90ff308e47436b487b01160f905753ebc

View File

@ -1,40 +0,0 @@
From c705c47f486cff5b6d79ca3183a6faec015f3ac1 Mon Sep 17 00:00:00 2001
From: Sahana Prasad <sahana@redhat.com>
Date: Mon, 12 Sep 2022 11:07:38 +0200
Subject: [PATCH 4/8] Apply patch stunnel-5.56-coverity.patch
Patch-name: stunnel-5.56-coverity.patch
Patch-id: 4
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
---
src/str.c | 1 +
src/stunnel.c | 1 -
2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/str.c b/src/str.c
index b9eca81..fd62db8 100644
--- a/src/str.c
+++ b/src/str.c
@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va_list start_ap) {
for(;;) {
va_copy(ap, start_ap);
n=vsnprintf(p, size, format, ap);
+ va_end(ap);
if(n>-1 && n<(int)size)
return p;
if(n>-1) /* glibc 2.1 */
diff --git a/src/stunnel.c b/src/stunnel.c
index 4ce906b..31115ea 100644
--- a/src/stunnel.c
+++ b/src/stunnel.c
@@ -445,7 +445,6 @@ NOEXPORT int accept_connection(SERVICE_OPTIONS *opt, unsigned i) {
#endif
if(create_client(fd, s, alloc_client_session(opt, s, s))) {
s_log(LOG_ERR, "Connection rejected: create_client failed");
- closesocket(s);
#ifndef USE_FORK
service_free(opt);
#endif
--
2.37.3

View File

@ -1,71 +0,0 @@
From 2043ed7c27e14310bec49e1df6348af3882db7bb Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Mon, 12 Sep 2022 11:07:38 +0200
Subject: [PATCH 8/8] Limit curves defaults in FIPS mode
Our copy of OpenSSL disables the X25519 and X448 curves in FIPS mode,
but stunnel defaults to enabling them and then fails to do so.
Patch-name: stunnel-5.62-disabled-curves.patch
Patch-status: Limit curves defaults in FIPS mode
Patch-id: 8
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
---
src/options.c | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/src/options.c b/src/options.c
index 09d02bd..fe4e776 100644
--- a/src/options.c
+++ b/src/options.c
@@ -39,8 +39,10 @@
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
#define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
+#define DEFAULT_CURVES_FIPS "P-256:P-521:P-384"
#else /* OpenSSL version < 1.1.1 */
#define DEFAULT_CURVES "prime256v1"
+#define DEFAULT_CURVES_FIPS "prime256v1"
#endif /* OpenSSL version >= 1.1.1 */
#if defined(_WIN32_WCE) && !defined(CONFDIR)
@@ -1847,7 +1849,7 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
/* curves */
switch(cmd) {
case CMD_SET_DEFAULTS:
- section->curves=str_dup_detached(DEFAULT_CURVES);
+ section->curves = NULL;
break;
case CMD_SET_COPY:
section->curves=str_dup_detached(new_service_options.curves);
@@ -1862,9 +1864,26 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
section->curves=str_dup_detached(arg);
return NULL; /* OK */
case CMD_INITIALIZE:
+ if(!section->curves) {
+ /* this is only executed for global options, because
+ * section->curves is no longer NULL in sections */
+#ifdef USE_FIPS
+ if(new_global_options.option.fips)
+ section->curves=str_dup_detached(DEFAULT_CURVES_FIPS);
+ else
+#endif /* USE_FIPS */
+ section->curves=str_dup_detached(DEFAULT_CURVES);
+ }
break;
case CMD_PRINT_DEFAULTS:
- s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
+ if(fips_available()) {
+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
+ DEFAULT_CURVES_FIPS, "(with \"fips = yes\")");
+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
+ DEFAULT_CURVES, "(with \"fips = no\")");
+ } else {
+ s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
+ }
break;
case CMD_PRINT_HELP:
s_log(LOG_NOTICE, "%-22s = ECDH curve names", "curves");
--
2.37.3

View File

@ -9,7 +9,7 @@
Summary: A TLS-encrypting socket wrapper Summary: A TLS-encrypting socket wrapper
Name: stunnel Name: stunnel
Version: 5.70 Version: 5.71
Release: %autorelease Release: %autorelease
License: GPL-2.0-or-later WITH stunnel-exception AND MIT License: GPL-2.0-or-later WITH stunnel-exception AND MIT
URL: https://www.stunnel.org/ URL: https://www.stunnel.org/
@ -22,7 +22,9 @@ Source5: pop3-redirect.xinetd
Source6: stunnel-pop3s-client.conf Source6: stunnel-pop3s-client.conf
Source7: stunnel@.service Source7: stunnel@.service
# Upstream release signing key # Upstream release signing key
Source99: https://www.stunnel.org/pgp.asc # Upstream source is https://www.stunnel.org/pgp.asc; using a local URL because
# the remote one makes packit source-git choke.
Source99: pgp.asc
# Apply patch stunnel-5.50-authpriv.patch # Apply patch stunnel-5.50-authpriv.patch
Patch0: stunnel-5.50-authpriv.patch Patch0: stunnel-5.50-authpriv.patch
# Apply patch stunnel-5.61-systemd-service.patch # Apply patch stunnel-5.61-systemd-service.patch
@ -34,14 +36,10 @@ Patch1: stunnel-5.61-systemd-service.patch
# platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those # platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
# policies. Change stunnel to default to this setting. # policies. Change stunnel to default to this setting.
Patch3: stunnel-5.69-system-ciphers.patch Patch3: stunnel-5.69-system-ciphers.patch
# Apply patch stunnel-5.56-coverity.patch
Patch4: stunnel-5.56-coverity.patch
# Apply patch stunnel-5.69-default-tls-version.patch # Apply patch stunnel-5.69-default-tls-version.patch
Patch5: stunnel-5.69-default-tls-version.patch Patch5: stunnel-5.69-default-tls-version.patch
# Apply patch stunnel-5.56-curves-doc-update.patch # Apply patch stunnel-5.56-curves-doc-update.patch
Patch6: stunnel-5.56-curves-doc-update.patch Patch6: stunnel-5.56-curves-doc-update.patch
# Limit curves defaults in FIPS mode
Patch8: stunnel-5.62-disabled-curves.patch
# util-linux is needed for rename # util-linux is needed for rename
BuildRequires: make BuildRequires: make
BuildRequires: gcc BuildRequires: gcc
@ -55,7 +53,7 @@ BuildRequires: /usr/bin/pod2man
BuildRequires: /usr/bin/pod2html BuildRequires: /usr/bin/pod2html
# build test requirements # build test requirements
BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
BuildRequires: python3 openssl BuildRequires: python3 python3-cryptography openssl
BuildRequires: systemd systemd-devel BuildRequires: systemd systemd-devel
%{?systemd_requires} %{?systemd_requires}