Fix stunnel in FIPS mode

Resolves: rhbz#2050617
Signed-off-by: Clemens Lang <cllang@redhat.com>

stunnel-5.62-disabled-curves.patch

@@ -0,0 +1,57 @@
+Limit curves defaults in FIPS mode
+
+Our copy of OpenSSL disables the X25519 and X448 curves in FIPS mode,
+but stunnel defaults to enabling them and then fails to do so.
+
+Upstream-Status: Inappropriate [caused by a downstream patch to openssl]
+diff -up stunnel-5.62/src/options.c.disabled-curves stunnel-5.62/src/options.c
+--- stunnel-5.62/src/options.c.disabled-curves	2022-02-04 13:46:45.936884124 +0100
++++ stunnel-5.62/src/options.c	2022-02-04 13:53:16.346725153 +0100
+@@ -40,8 +40,10 @@
+ 
+ #if OPENSSL_VERSION_NUMBER >= 0x10101000L
+ #define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
++#define DEFAULT_CURVES_FIPS "P-256:P-521:P-384"
+ #else /* OpenSSL version < 1.1.1 */
+ #define DEFAULT_CURVES "prime256v1"
++#define DEFAULT_CURVES_FIPS "prime256v1"
+ #endif /* OpenSSL version >= 1.1.1 */
+ 
+ #if defined(_WIN32_WCE) && !defined(CONFDIR)
+@@ -1855,7 +1857,7 @@ NOEXPORT char *parse_service_option(CMD
+     /* curves */
+     switch(cmd) {
+     case CMD_SET_DEFAULTS:
+-        section->curves=str_dup_detached(DEFAULT_CURVES);
++        section->curves = NULL;
+         break;
+     case CMD_SET_COPY:
+         section->curves=str_dup_detached(new_service_options.curves);
+@@ -1870,9 +1872,26 @@ NOEXPORT char *parse_service_option(CMD
+         section->curves=str_dup_detached(arg);
+         return NULL; /* OK */
+     case CMD_INITIALIZE:
++        if(!section->curves) {
++            /* this is only executed for global options, because
++             * section->curves is no longer NULL in sections */
++#ifdef USE_FIPS
++            if(new_global_options.option.fips)
++                section->curves=str_dup_detached(DEFAULT_CURVES_FIPS);
++            else
++#endif /* USE_FIPS */
++                section->curves=str_dup_detached(DEFAULT_CURVES);
++        }
+         break;
+     case CMD_PRINT_DEFAULTS:
+-        s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
++        if(fips_available()) {
++            s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
++                DEFAULT_CURVES_FIPS, "(with \"fips = yes\")");
++            s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
++                DEFAULT_CURVES, "(with \"fips = no\")");
++        } else {
++            s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
++        }
+         break;
+     case CMD_PRINT_HELP:
+         s_log(LOG_NOTICE, "%-22s = ECDH curve names", "curves");

stunnel.spec

@@ -10,7 +10,7 @@
 Summary: A TLS-encrypting socket wrapper
 Name: stunnel
 Version: 5.62
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 URL: https://www.stunnel.org/
 Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
@@ -28,6 +28,7 @@ Patch4: stunnel-5.56-coverity.patch
 Patch5: stunnel-5.61-default-tls-version.patch
 Patch6: stunnel-5.56-curves-doc-update.patch
 Patch7: stunnel-5.61-openssl30-fips.patch
+Patch8: stunnel-5.62-disabled-curves.patch
 # util-linux is needed for rename
 BuildRequires: make
 BuildRequires: gcc
@@ -59,6 +60,7 @@ conjunction with imapd to create a TLS secure IMAP server.
 %patch5 -p1 -b .default-tls-version
 %patch6 -p1 -b .curves-doc-update
 %patch7 -p1 -b .openssl30-fips
+%patch8 -p1 -b .disabled-curves
 
 # Fix the stack protector flag
 sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
@@ -134,6 +136,10 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
 %systemd_postun_with_restart %{name}.service
 
 %changelog
+* Fri Feb 04 2022 Clemens Lang <cllang@redhat.com> - 5.62-2
+- Fix stunnel in FIPS mode
+  Resolves: rhbz#2050617
+
 * Tue Jan 18 2022 Clemens Lang <cllang@redhat.com> - 5.62-1
 - New upstream release 5.62
   Resolves: rhbz#2039299