From eca3c22e535b2c30e04108aa5a9cce7c691aa5f1 Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Fri, 4 Feb 2022 15:44:10 +0100 Subject: [PATCH] Fix stunnel in FIPS mode (w/upcoming OpenSSL changes) Related: rhbz#2050617 Signed-off-by: Clemens Lang --- stunnel-5.61-fips-test.patch | 2 ++ stunnel-5.62-disabled-curves.patch | 57 ++++++++++++++++++++++++++++++ stunnel.spec | 8 ++++- 3 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 stunnel-5.62-disabled-curves.patch diff --git a/stunnel-5.61-fips-test.patch b/stunnel-5.61-fips-test.patch index ad6ace1..9ee96be 100644 --- a/stunnel-5.61-fips-test.patch +++ b/stunnel-5.61-fips-test.patch @@ -10,6 +10,8 @@ Since this does not indicate a problem with stunnel's code, but with the underlying OpenSSL setup, skip the test if this occurs. This is the same behavior when running against a copy of OpenSSL 3.x that was not built with 'enable-fips'. + +Upstream-Status: Inappropriate [configuration] diff -up stunnel-5.61/tests/plugins/p10_fips.py.fips-tests stunnel-5.61/tests/plugins/p10_fips.py --- stunnel-5.61/tests/plugins/p10_fips.py.fips-tests 2022-01-12 11:40:11.121241545 +0100 +++ stunnel-5.61/tests/plugins/p10_fips.py 2022-01-12 11:45:01.791364483 +0100 diff --git a/stunnel-5.62-disabled-curves.patch b/stunnel-5.62-disabled-curves.patch new file mode 100644 index 0000000..075ccec --- /dev/null +++ b/stunnel-5.62-disabled-curves.patch 
@@ -0,0 +1,57 @@
+Limit curves defaults in FIPS mode
+
+Our copy of OpenSSL disables the X25519 and X448 curves in FIPS mode,
+but stunnel defaults to enabling them and then fails to do so.
+
+Upstream-Status: Inappropriate [caused by a downstream patch to openssl]
+diff -up stunnel-5.62/src/options.c.disabled-curves stunnel-5.62/src/options.c
+--- stunnel-5.62/src/options.c.disabled-curves 2022-02-04 13:46:45.936884124 +0100
++++ stunnel-5.62/src/options.c 2022-02-04 13:53:16.346725153 +0100
+@@ -40,8 +40,10 @@
+ 
+ #if OPENSSL_VERSION_NUMBER >= 0x10101000L
+ #define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
++#define DEFAULT_CURVES_FIPS "P-256:P-521:P-384"
+ #else /* OpenSSL version < 1.1.1 */
+ #define DEFAULT_CURVES "prime256v1"
++#define DEFAULT_CURVES_FIPS "prime256v1"
+ #endif /* OpenSSL version >= 1.1.1 */
+ 
+ #if defined(_WIN32_WCE) && !defined(CONFDIR)
+@@ -1855,7 +1857,7 @@ NOEXPORT char *parse_service_option(CMD
+ /* curves */
+ switch(cmd) {
+ case CMD_SET_DEFAULTS:
+- section->curves=str_dup_detached(DEFAULT_CURVES);
++ section->curves = NULL;
+ break;
+ case CMD_SET_COPY:
+ section->curves=str_dup_detached(new_service_options.curves);
+@@ -1870,9 +1872,26 @@ NOEXPORT char *parse_service_option(CMD
+ section->curves=str_dup_detached(arg);
+ return NULL; /* OK */
+ case CMD_INITIALIZE:
++ if(!section->curves) {
++ /* this is only executed for global options, because
++ * section->curves is no longer NULL in sections */
++#ifdef USE_FIPS
++ if(new_global_options.option.fips)
++ section->curves=str_dup_detached(DEFAULT_CURVES_FIPS);
++ else
++#endif /* USE_FIPS */
++ section->curves=str_dup_detached(DEFAULT_CURVES);
++ }
+ break;
+ case CMD_PRINT_DEFAULTS:
+- s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
++ if(fips_available()) {
++ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
++ DEFAULT_CURVES_FIPS, "(with \"fips = yes\")");
++ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
++ DEFAULT_CURVES, "(with \"fips = no\")");
++ } else {
++ s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
++ }
+ break;
+ case CMD_PRINT_HELP:
+ s_log(LOG_NOTICE, "%-22s = ECDH curve names", "curves");
diff --git a/stunnel.spec b/stunnel.spec
index a7388d8..abd54ae 100644
--- a/stunnel.spec
+++ b/stunnel.spec
@@ -10,7 +10,7 @@
 Summary: A TLS-encrypting socket wrapper
 Name: stunnel
 Version: 5.62
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2
 URL: https://www.stunnel.org/
 Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
@@ -28,6 +28,7 @@ Patch4: stunnel-5.56-coverity.patch
 Patch5: stunnel-5.61-default-tls-version.patch
 Patch6: stunnel-5.56-curves-doc-update.patch
 Patch7: stunnel-5.61-fips-test.patch
+Patch8: stunnel-5.62-disabled-curves.patch
 # util-linux is needed for rename
 BuildRequires: make
 BuildRequires: gcc
@@ -59,6 +60,7 @@ conjunction with imapd to create a TLS secure IMAP server.
 %patch5 -p1 -b .default-tls-version
 %patch6 -p1 -b .curves-doc-update
 %patch7 -p1 -b .fips-test
+%patch8 -p1 -b .disabled-curves
 
 # Fix the stack protector flag
 sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
@@ -134,6 +136,10 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
 %systemd_postun_with_restart %{name}.service
 
 %changelog
+* Fri Feb 04 2022 Clemens Lang - 5.62-3
+- Fix stunnel in FIPS mode (with upcoming OpenSSL changes)
+ Related: rhbz#2050617
+
 * Sat Jan 22 2022 Fedora Release Engineering - 5.62-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
 
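Review bot: In the `CMD_INITIALIZE` branch of the new options.c patch, the `else` inside `#ifdef USE_FIPS` has its body outside the `#endif`, so `section->curves=str_dup_detached(DEFAULT_CURVES);` is an else-body in FIPS builds and an unconditional statement otherwise; that compiles in both configurations today, but a brace-less `else` straddling a preprocessor block is easy to break on the next edit. Selecting the default list into a local and calling `str_dup_detached` once gives a single allocation site regardless of build flags. The branch also assumes `new_global_options.option.fips` is already final when the global section reaches `CMD_INITIALIZE`; if the parser can still see `fips = yes` after that point the non-FIPS list would silently stick, so a comment confirming the ordering would help, e.g. `/* fips is a global option, parsed before the first [section] triggers CMD_INITIALIZE */`. Minor: `section->curves = NULL;` in `CMD_SET_DEFAULTS` uses spaces around `=` where the neighbouring assignments do not. `parse_service_option` starts and ends outside the hunk.
```c
        case CMD_INITIALIZE:
            if(!section->curves) {
                /* … unchanged: comment on global-only execution … */
                const char *default_curves=DEFAULT_CURVES;
#ifdef USE_FIPS
                if(new_global_options.option.fips)
                    default_curves=DEFAULT_CURVES_FIPS;
#endif /* USE_FIPS */
                section->curves=str_dup_detached(default_curves);
            }
            break;
```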