Fix stunnel in FIPS mode (w/upcoming OpenSSL changes)

Related: rhbz#2050617
Signed-off-by: Clemens Lang <cllang@redhat.com>
This commit is contained in:
Clemens Lang 2022-02-04 15:44:10 +01:00
parent b9bbe00355
commit eca3c22e53
3 changed files with 66 additions and 1 deletions

View File

@ -10,6 +10,8 @@ Since this does not indicate a problem with stunnel's code, but with the
underlying OpenSSL setup, skip the test if this occurs. This is the same underlying OpenSSL setup, skip the test if this occurs. This is the same
behavior when running against a copy of OpenSSL 3.x that was not built with behavior when running against a copy of OpenSSL 3.x that was not built with
'enable-fips'. 'enable-fips'.
Upstream-Status: Inappropriate [configuration]
diff -up stunnel-5.61/tests/plugins/p10_fips.py.fips-tests stunnel-5.61/tests/plugins/p10_fips.py diff -up stunnel-5.61/tests/plugins/p10_fips.py.fips-tests stunnel-5.61/tests/plugins/p10_fips.py
--- stunnel-5.61/tests/plugins/p10_fips.py.fips-tests 2022-01-12 11:40:11.121241545 +0100 --- stunnel-5.61/tests/plugins/p10_fips.py.fips-tests 2022-01-12 11:40:11.121241545 +0100
+++ stunnel-5.61/tests/plugins/p10_fips.py 2022-01-12 11:45:01.791364483 +0100 +++ stunnel-5.61/tests/plugins/p10_fips.py 2022-01-12 11:45:01.791364483 +0100

View File

@ -0,0 +1,57 @@
Limit curves defaults in FIPS mode
Our copy of OpenSSL disables the X25519 and X448 curves in FIPS mode,
but stunnel defaults to enabling them and then fails to do so.
Upstream-Status: Inappropriate [caused by a downstream patch to openssl]
diff -up stunnel-5.62/src/options.c.disabled-curves stunnel-5.62/src/options.c
--- stunnel-5.62/src/options.c.disabled-curves 2022-02-04 13:46:45.936884124 +0100
+++ stunnel-5.62/src/options.c 2022-02-04 13:53:16.346725153 +0100
@@ -40,8 +40,10 @@
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
#define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
+#define DEFAULT_CURVES_FIPS "P-256:P-521:P-384"
#else /* OpenSSL version < 1.1.1 */
#define DEFAULT_CURVES "prime256v1"
+#define DEFAULT_CURVES_FIPS "prime256v1"
#endif /* OpenSSL version >= 1.1.1 */
#if defined(_WIN32_WCE) && !defined(CONFDIR)
@@ -1855,7 +1857,7 @@ NOEXPORT char *parse_service_option(CMD
/* curves */
switch(cmd) {
case CMD_SET_DEFAULTS:
- section->curves=str_dup_detached(DEFAULT_CURVES);
+ section->curves = NULL;
break;
case CMD_SET_COPY:
section->curves=str_dup_detached(new_service_options.curves);
@@ -1870,9 +1872,26 @@ NOEXPORT char *parse_service_option(CMD
section->curves=str_dup_detached(arg);
return NULL; /* OK */
case CMD_INITIALIZE:
+ if(!section->curves) {
+ /* this is only executed for global options, because
+ * section->curves is no longer NULL in sections */
+#ifdef USE_FIPS
+ if(new_global_options.option.fips)
+ section->curves=str_dup_detached(DEFAULT_CURVES_FIPS);
+ else
+#endif /* USE_FIPS */
+ section->curves=str_dup_detached(DEFAULT_CURVES);
+ }
break;
case CMD_PRINT_DEFAULTS:
- s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
+ if(fips_available()) {
+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
+ DEFAULT_CURVES_FIPS, "(with \"fips = yes\")");
+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
+ DEFAULT_CURVES, "(with \"fips = no\")");
+ } else {
+ s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
+ }
break;
case CMD_PRINT_HELP:
s_log(LOG_NOTICE, "%-22s = ECDH curve names", "curves");

View File

@ -10,7 +10,7 @@
Summary: A TLS-encrypting socket wrapper Summary: A TLS-encrypting socket wrapper
Name: stunnel Name: stunnel
Version: 5.62 Version: 5.62
Release: 2%{?dist} Release: 3%{?dist}
License: GPLv2 License: GPLv2
URL: https://www.stunnel.org/ URL: https://www.stunnel.org/
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
@ -28,6 +28,7 @@ Patch4: stunnel-5.56-coverity.patch
Patch5: stunnel-5.61-default-tls-version.patch Patch5: stunnel-5.61-default-tls-version.patch
Patch6: stunnel-5.56-curves-doc-update.patch Patch6: stunnel-5.56-curves-doc-update.patch
Patch7: stunnel-5.61-fips-test.patch Patch7: stunnel-5.61-fips-test.patch
Patch8: stunnel-5.62-disabled-curves.patch
# util-linux is needed for rename # util-linux is needed for rename
BuildRequires: make BuildRequires: make
BuildRequires: gcc BuildRequires: gcc
@ -59,6 +60,7 @@ conjunction with imapd to create a TLS secure IMAP server.
%patch5 -p1 -b .default-tls-version %patch5 -p1 -b .default-tls-version
%patch6 -p1 -b .curves-doc-update %patch6 -p1 -b .curves-doc-update
%patch7 -p1 -b .fips-test %patch7 -p1 -b .fips-test
%patch8 -p1 -b .disabled-curves
# Fix the stack protector flag # Fix the stack protector flag
sed -i 's/-fstack-protector/-fstack-protector-strong/' configure sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
@ -134,6 +136,10 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
%systemd_postun_with_restart %{name}.service %systemd_postun_with_restart %{name}.service
%changelog %changelog
* Fri Feb 04 2022 Clemens Lang <cllang@redhat.com> - 5.62-3
- Fix stunnel in FIPS mode (with upcoming OpenSSL changes)
Related: rhbz#2050617
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.62-2 * Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.62-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild