Fix stunnel in FIPS mode (w/upcoming OpenSSL changes)

Related: rhbz#2050617 Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-02-04 15:44:10 +01:00 · 2022-02-04 15:44:10 +01:00 · eca3c22e53
commit eca3c22e53
parent b9bbe00355
3 changed files with 66 additions and 1 deletions
--- a/stunnel-5.61-fips-test.patch
+++ b/stunnel-5.61-fips-test.patch
@ -10,6 +10,8 @@ Since this does not indicate a problem with stunnel's code, but with the
 underlying OpenSSL setup, skip the test if this occurs. This is the same
 behavior when running against a copy of OpenSSL 3.x that was not built with
 'enable-fips'.
+
+Upstream-Status: Inappropriate [configuration]
 diff -up stunnel-5.61/tests/plugins/p10_fips.py.fips-tests stunnel-5.61/tests/plugins/p10_fips.py
 --- stunnel-5.61/tests/plugins/p10_fips.py.fips-tests	2022-01-12 11:40:11.121241545 +0100
 +++ stunnel-5.61/tests/plugins/p10_fips.py	2022-01-12 11:45:01.791364483 +0100
--- a/stunnel-5.62-disabled-curves.patch
+++ b/stunnel-5.62-disabled-curves.patch
@ -0,0 +1,57 @@
+Limit curves defaults in FIPS mode
+
+Our copy of OpenSSL disables the X25519 and X448 curves in FIPS mode,
+but stunnel defaults to enabling them and then fails to do so.
+
+Upstream-Status: Inappropriate [caused by a downstream patch to openssl]
+diff -up stunnel-5.62/src/options.c.disabled-curves stunnel-5.62/src/options.c
+--- stunnel-5.62/src/options.c.disabled-curves	2022-02-04 13:46:45.936884124 +0100
+++ stunnel-5.62/src/options.c	2022-02-04 13:53:16.346725153 +0100
+@@ -40,8 +40,10 @@
+ 
+ #if OPENSSL_VERSION_NUMBER >= 0x10101000L
+ #define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
+#define DEFAULT_CURVES_FIPS "P-256:P-521:P-384"
+ #else /* OpenSSL version < 1.1.1 */
+ #define DEFAULT_CURVES "prime256v1"
+#define DEFAULT_CURVES_FIPS "prime256v1"
+ #endif /* OpenSSL version >= 1.1.1 */
+ 
+ #if defined(_WIN32_WCE) && !defined(CONFDIR)
+@@ -1855,7 +1857,7 @@ NOEXPORT char *parse_service_option(CMD
+     /* curves */
+     switch(cmd) {
+     case CMD_SET_DEFAULTS:
+-        section->curves=str_dup_detached(DEFAULT_CURVES);
+        section->curves = NULL;
+         break;
+     case CMD_SET_COPY:
+         section->curves=str_dup_detached(new_service_options.curves);
+@@ -1870,9 +1872,26 @@ NOEXPORT char *parse_service_option(CMD
+         section->curves=str_dup_detached(arg);
+         return NULL; /* OK */
+     case CMD_INITIALIZE:
+        if(!section->curves) {
+            /* this is only executed for global options, because
+             * section->curves is no longer NULL in sections */
+#ifdef USE_FIPS
+            if(new_global_options.option.fips)
+                section->curves=str_dup_detached(DEFAULT_CURVES_FIPS);
+            else
+#endif /* USE_FIPS */
+                section->curves=str_dup_detached(DEFAULT_CURVES);
+        }
+         break;
+     case CMD_PRINT_DEFAULTS:
+-        s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
+        if(fips_available()) {
+            s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
+                DEFAULT_CURVES_FIPS, "(with \"fips = yes\")");
+            s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
+                DEFAULT_CURVES, "(with \"fips = no\")");
+        } else {
+            s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
+        }
+         break;
+     case CMD_PRINT_HELP:
+         s_log(LOG_NOTICE, "%-22s = ECDH curve names", "curves");
--- a/stunnel.spec
+++ b/stunnel.spec
@ -10,7 +10,7 @@
 Summary: A TLS-encrypting socket wrapper
 Name: stunnel
 Version: 5.62
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2
 URL: https://www.stunnel.org/
 Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
@ -28,6 +28,7 @@ Patch4: stunnel-5.56-coverity.patch
 Patch5: stunnel-5.61-default-tls-version.patch
 Patch6: stunnel-5.56-curves-doc-update.patch
 Patch7: stunnel-5.61-fips-test.patch
+Patch8: stunnel-5.62-disabled-curves.patch
 # util-linux is needed for rename
 BuildRequires: make
 BuildRequires: gcc
@ -59,6 +60,7 @@ conjunction with imapd to create a TLS secure IMAP server.
 %patch5 -p1 -b .default-tls-version
 %patch6 -p1 -b .curves-doc-update
 %patch7 -p1 -b .fips-test
+%patch8 -p1 -b .disabled-curves

 # Fix the stack protector flag
 sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
@ -134,6 +136,10 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
 %systemd_postun_with_restart %{name}.service

 %changelog
+* Fri Feb 04 2022 Clemens Lang <cllang@redhat.com> - 5.62-3
+- Fix stunnel in FIPS mode (with upcoming OpenSSL changes)
+  Related: rhbz#2050617
+
 * Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.62-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild