From ecdba103e6b9a8f3cc443c6f615775cc7ef87baa Mon Sep 17 00:00:00 2001
From: Clemens Lang
Date: Fri, 4 Feb 2022 15:46:47 +0100
Subject: [PATCH] Fix stunnel in FIPS mode

Resolves: rhbz#2050617

Signed-off-by: Clemens Lang
---
 stunnel-5.62-disabled-curves.patch | 57 ++++++++++++++++++++++++++++++
 stunnel.spec | 8 ++++-
 2 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 stunnel-5.62-disabled-curves.patch

diff --git a/stunnel-5.62-disabled-curves.patch b/stunnel-5.62-disabled-curves.patch
new file mode 100644
index 0000000..075ccec
--- /dev/null
+++ b/stunnel-5.62-disabled-curves.patch
@@ -0,0 +1,57 @@
+Limit curves defaults in FIPS mode
+
+Our copy of OpenSSL disables the X25519 and X448 curves in FIPS mode,
+but stunnel defaults to enabling them and then fails to do so.
+
+Upstream-Status: Inappropriate [caused by a downstream patch to openssl]
+diff -up stunnel-5.62/src/options.c.disabled-curves stunnel-5.62/src/options.c
+--- stunnel-5.62/src/options.c.disabled-curves 2022-02-04 13:46:45.936884124 +0100
++++ stunnel-5.62/src/options.c 2022-02-04 13:53:16.346725153 +0100
+@@ -40,8 +40,10 @@
+
+ #if OPENSSL_VERSION_NUMBER >= 0x10101000L
+ #define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
++#define DEFAULT_CURVES_FIPS "P-256:P-521:P-384"
+ #else /* OpenSSL version < 1.1.1 */
+ #define DEFAULT_CURVES "prime256v1"
++#define DEFAULT_CURVES_FIPS "prime256v1"
+ #endif /* OpenSSL version >= 1.1.1 */
+
+ #if defined(_WIN32_WCE) && !defined(CONFDIR)
+@@ -1855,7 +1857,7 @@ NOEXPORT char *parse_service_option(CMD
+ /* curves */
+ switch(cmd) {
+ case CMD_SET_DEFAULTS:
+- section->curves=str_dup_detached(DEFAULT_CURVES);
++ section->curves = NULL;
+ break;
+ case CMD_SET_COPY:
+ section->curves=str_dup_detached(new_service_options.curves);
+@@ -1870,9 +1872,26 @@ NOEXPORT char *parse_service_option(CMD
+ section->curves=str_dup_detached(arg);
+ return NULL; /* OK */
+ case CMD_INITIALIZE:
++ if(!section->curves) {
++ /* this is only executed for global options, because
++ * section->curves is no longer NULL in sections */
++#ifdef USE_FIPS
++ if(new_global_options.option.fips)
++ section->curves=str_dup_detached(DEFAULT_CURVES_FIPS);
++ else
++#endif /* USE_FIPS */
++ section->curves=str_dup_detached(DEFAULT_CURVES);
++ }
+ break;
+ case CMD_PRINT_DEFAULTS:
+- s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
++ if(fips_available()) {
++ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
++ DEFAULT_CURVES_FIPS, "(with \"fips = yes\")");
++ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
++ DEFAULT_CURVES, "(with \"fips = no\")");
++ } else {
++ s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
++ }
+ break;
+ case CMD_PRINT_HELP:
+ s_log(LOG_NOTICE, "%-22s = ECDH curve names", "curves");
diff --git a/stunnel.spec b/stunnel.spec
index c168626..fc847ae 100644
--- a/stunnel.spec
+++ b/stunnel.spec
@@ -10,7 +10,7 @@
 Summary: A TLS-encrypting socket wrapper
 Name: stunnel
 Version: 5.62
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 URL: https://www.stunnel.org/
 Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
@@ -28,6 +28,7 @@ Patch4: stunnel-5.56-coverity.patch
 Patch5: stunnel-5.61-default-tls-version.patch
 Patch6: stunnel-5.56-curves-doc-update.patch
 Patch7: stunnel-5.61-openssl30-fips.patch
+Patch8: stunnel-5.62-disabled-curves.patch
 # util-linux is needed for rename
 BuildRequires: make
 BuildRequires: gcc
@@ -59,6 +60,7 @@ conjunction with imapd to create a TLS secure IMAP server.
 %patch5 -p1 -b .default-tls-version
 %patch6 -p1 -b .curves-doc-update
 %patch7 -p1 -b .openssl30-fips
+%patch8 -p1 -b .disabled-curves
 
 # Fix the stack protector flag
 sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
@@ -134,6 +136,10 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
 %systemd_postun_with_restart %{name}.service
 
 %changelog
+* Fri Feb 04 2022 Clemens Lang - 5.62-2
+- Fix stunnel in FIPS mode
+ Resolves: rhbz#2050617
+
 * Tue Jan 18 2022 Clemens Lang - 5.62-1
 - New upstream release 5.62
 Resolves: rhbz#2039299
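Review bot: The default actually applied in CMD_INITIALIZE is chosen by the compile-time `#ifdef USE_FIPS` plus `new_global_options.option.fips`, while CMD_PRINT_DEFAULTS keys on the runtime `fips_available()`; unless `fips_available()` is guaranteed false in a build without USE_FIPS, the printed "(with "fips = yes")" default can differ from the curve list the daemon really configures, which is the kind of mismatch a FIPS audit will trip over. Guarding both sites with the same predicate, e.g. wrapping the CMD_PRINT_DEFAULTS branch in the same `#ifdef USE_FIPS`, keeps the documented and effective defaults identical. The new `if(!section->curves)` guard also makes CMD_SET_COPY's `str_dup_detached(new_service_options.curves)` depend on the global section having completed CMD_INITIALIZE first; if that ordering is not already enforced by the caller (not visible in this hunk), a NULL would be duplicated, so a comment such as `/* relies on CMD_INITIALIZE of the global section running before any section copy */` at CMD_SET_COPY, or an assertion there, would document the contract. The enclosing parse_service_option() starts and ends outside the hunk.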