Fix stunnel in FIPS mode (w/upcoming OpenSSL changes)
Related: rhbz#2050617 Signed-off-by: Clemens Lang <cllang@redhat.com>
This commit is contained in:
parent
b9bbe00355
commit
eca3c22e53
@ -10,6 +10,8 @@ Since this does not indicate a problem with stunnel's code, but with the
|
|||||||
underlying OpenSSL setup, skip the test if this occurs. This is the same
|
underlying OpenSSL setup, skip the test if this occurs. This is the same
|
||||||
behavior when running against a copy of OpenSSL 3.x that was not built with
|
behavior when running against a copy of OpenSSL 3.x that was not built with
|
||||||
'enable-fips'.
|
'enable-fips'.
|
||||||
|
|
||||||
|
Upstream-Status: Inappropriate [configuration]
|
||||||
diff -up stunnel-5.61/tests/plugins/p10_fips.py.fips-tests stunnel-5.61/tests/plugins/p10_fips.py
|
diff -up stunnel-5.61/tests/plugins/p10_fips.py.fips-tests stunnel-5.61/tests/plugins/p10_fips.py
|
||||||
--- stunnel-5.61/tests/plugins/p10_fips.py.fips-tests 2022-01-12 11:40:11.121241545 +0100
|
--- stunnel-5.61/tests/plugins/p10_fips.py.fips-tests 2022-01-12 11:40:11.121241545 +0100
|
||||||
+++ stunnel-5.61/tests/plugins/p10_fips.py 2022-01-12 11:45:01.791364483 +0100
|
+++ stunnel-5.61/tests/plugins/p10_fips.py 2022-01-12 11:45:01.791364483 +0100
|
||||||
|
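--- /dev/null
+++ b/stunnel-5.62-disabled-curves.patch
@@ -0,0 +1,57 @@
+Limit curves defaults in FIPS mode
+
+Our copy of OpenSSL disables the X25519 and X448 curves in FIPS mode,
+but stunnel defaults to enabling them and then fails to do so.
+
+Upstream-Status: Inappropriate [caused by a downstream patch to openssl]
+diff -up stunnel-5.62/src/options.c.disabled-curves stunnel-5.62/src/options.c
+--- stunnel-5.62/src/options.c.disabled-curves 2022-02-04 13:46:45.936884124 +0100
++++ stunnel-5.62/src/options.c 2022-02-04 13:53:16.346725153 +0100
+@@ -40,8 +40,10 @@
+
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+#define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
++#define DEFAULT_CURVES_FIPS "P-256:P-521:P-384"
+#else /* OpenSSL version < 1.1.1 */
+#define DEFAULT_CURVES "prime256v1"
++#define DEFAULT_CURVES_FIPS "prime256v1"
+#endif /* OpenSSL version >= 1.1.1 */
+
+#if defined(_WIN32_WCE) && !defined(CONFDIR)
+@@ -1855,7 +1857,7 @@ NOEXPORT char *parse_service_option(CMD
+/* curves */
+switch(cmd) {
+case CMD_SET_DEFAULTS:
+- section->curves=str_dup_detached(DEFAULT_CURVES);
++ section->curves = NULL;
+break;
+case CMD_SET_COPY:
+section->curves=str_dup_detached(new_service_options.curves);
+@@ -1870,9 +1872,26 @@ NOEXPORT char *parse_service_option(CMD
+section->curves=str_dup_detached(arg);
+return NULL; /* OK */
+case CMD_INITIALIZE:
++ if(!section->curves) {
++ /* this is only executed for global options, because
++ * section->curves is no longer NULL in sections */
++#ifdef USE_FIPS
++ if(new_global_options.option.fips)
++ section->curves=str_dup_detached(DEFAULT_CURVES_FIPS);
++ else
++#endif /* USE_FIPS */
++ section->curves=str_dup_detached(DEFAULT_CURVES);
++ }
+break;
+case CMD_PRINT_DEFAULTS:
+- s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
++ if(fips_available()) {
++ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
++ DEFAULT_CURVES_FIPS, "(with \"fips = yes\")");
++ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
++ DEFAULT_CURVES, "(with \"fips = no\")");
++ } else {
++ s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
++ }
+break;
+case CMD_PRINT_HELP:
+s_log(LOG_NOTICE, "%-22s = ECDH curve names", "curves");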
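Review bot: The CMD_INITIALIZE branch wraps a brace-less `if`/`else` around `#ifdef USE_FIPS`, so the trailing `section->curves=str_dup_detached(DEFAULT_CURVES);` is the else-body in FIPS builds and an unconditional statement in non-FIPS builds; that compiles, but it is exactly the dangling-statement shape that silently changes meaning when a line is added next to it, and the two configurations no longer read the same. Selecting the default string into a local under the `#ifdef` and making a single unconditional `str_dup_detached` call keeps both builds on one code path. Separately, CMD_PRINT_DEFAULTS calls `fips_available()` without the `#ifdef USE_FIPS` guard that CMD_INITIALIZE uses for `new_global_options.option.fips`; if that helper is only declared in FIPS-enabled builds, non-FIPS builds will fail to compile, so the two guards should agree. Minor style point: `section->curves = NULL;` puts spaces around `=` while every neighbouring assignment in this switch is written `section->curves=...`. parse_service_option starts and ends outside the hunk.
```c
        case CMD_INITIALIZE:
            if(!section->curves) {
                /* no explicit "curves" configured: pick the default for this build/mode */
                const char *curves_default=DEFAULT_CURVES;
#ifdef USE_FIPS
                if(new_global_options.option.fips)
                    curves_default=DEFAULT_CURVES_FIPS;
#endif /* USE_FIPS */
                section->curves=str_dup_detached(curves_default);
            }
            break;
```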
|
@ -10,7 +10,7 @@
|
|||||||
Summary: A TLS-encrypting socket wrapper
|
Summary: A TLS-encrypting socket wrapper
|
||||||
Name: stunnel
|
Name: stunnel
|
||||||
Version: 5.62
|
Version: 5.62
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
URL: https://www.stunnel.org/
|
URL: https://www.stunnel.org/
|
||||||
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
|
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
|
||||||
@ -28,6 +28,7 @@ Patch4: stunnel-5.56-coverity.patch
|
|||||||
Patch5: stunnel-5.61-default-tls-version.patch
|
Patch5: stunnel-5.61-default-tls-version.patch
|
||||||
Patch6: stunnel-5.56-curves-doc-update.patch
|
Patch6: stunnel-5.56-curves-doc-update.patch
|
||||||
Patch7: stunnel-5.61-fips-test.patch
|
Patch7: stunnel-5.61-fips-test.patch
|
||||||
|
Patch8: stunnel-5.62-disabled-curves.patch
|
||||||
# util-linux is needed for rename
|
# util-linux is needed for rename
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
@ -59,6 +60,7 @@ conjunction with imapd to create a TLS secure IMAP server.
|
|||||||
%patch5 -p1 -b .default-tls-version
|
%patch5 -p1 -b .default-tls-version
|
||||||
%patch6 -p1 -b .curves-doc-update
|
%patch6 -p1 -b .curves-doc-update
|
||||||
%patch7 -p1 -b .fips-test
|
%patch7 -p1 -b .fips-test
|
||||||
|
%patch8 -p1 -b .disabled-curves
|
||||||
|
|
||||||
# Fix the stack protector flag
|
# Fix the stack protector flag
|
||||||
sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
|
sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
|
||||||
@ -134,6 +136,10 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
|
|||||||
%systemd_postun_with_restart %{name}.service
|
%systemd_postun_with_restart %{name}.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Feb 04 2022 Clemens Lang <cllang@redhat.com> - 5.62-3
|
||||||
|
- Fix stunnel in FIPS mode (with upcoming OpenSSL changes)
|
||||||
|
Related: rhbz#2050617
|
||||||
|
|
||||||
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.62-2
|
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.62-2
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||||
|
|
||||||
|