Compare commits
10 Commits
774321a4a6
...
ccd246ae66
Author | SHA1 | Date |
---|---|---|
Clemens Lang | ccd246ae66 | |
Clemens Lang | c97482468c | |
Clemens Lang | ecdba103e6 | |
Clemens Lang | a7cc901333 | |
Mohan Boddu | 8e36d91cb1 | |
Dmitry Belyavskiy | 6f7d71c02c | |
Aleksandra Fedorova | 764b0e31e9 | |
Dmitry Belyavskiy | befa250b4d | |
Mohan Boddu | 74e2723cf4 | |
Mohan Boddu | c7930c45c5 |
|
@ -118,3 +118,7 @@ stunnel-4.33.tar.gz.asc
|
|||
/stunnel-5.57.tar.gz.asc
|
||||
/stunnel-5.58.tar.gz
|
||||
/stunnel-5.58.tar.gz.asc
|
||||
/stunnel-5.61.tar.gz
|
||||
/stunnel-5.61.tar.gz.asc
|
||||
/stunnel-5.62.tar.gz
|
||||
/stunnel-5.62.tar.gz.asc
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
e18be56bfee006f5e58de044fda7bdcfaa425b3f stunnel-5.62.tar.gz
|
||||
0593d29e550ac6a99dd56297be4b52a08a1e8f88 stunnel-5.62.tar.gz.asc
|
|
@ -0,0 +1,7 @@
|
|||
--- !Policy
|
||||
product_versions:
|
||||
- rhel-9
|
||||
decision_context: osci_compose_gate
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
|
||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}
|
4
sources
4
sources
|
@ -1,2 +1,2 @@
|
|||
SHA512 (stunnel-5.58.tar.gz) = 6f62bf13bf53f174b2810ad6708a9dfdb70e9b4e2f60c0c9cf4df691169a63014901402ccbe2862010f4cee240c1a8eec34b70a7a3fcef36e7a2ca14a7f70ece
|
||||
SHA512 (stunnel-5.58.tar.gz.asc) = 0deb4f521e3683b5f74afd0493ddd950193ffc30159b759a5eb5d0f8a4fb2cccacceb12e202b2abc963718ed44704415f53cc705f46656b96721013cc2f6747b
|
||||
SHA512 (stunnel-5.62.tar.gz) = 4ce03faa27e417b49fbdf0fbac91befb2c05ce64694b4b6fd2fc482031ee4a229299627133a47ff3efdfdffce751e1300d95d0a8ac1f1858c7c96f0b067170de
|
||||
SHA512 (stunnel-5.62.tar.gz.asc) = 983b41100e7ef6dba5a9b7e7cd64e50b1f6860a6bf18ca393e14d65680bfed951475e6f7f4ec9e8da036aaa86e0668f65e3df7025220eda7315de4d110a24ac5
|
||||
|
|
|
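--- a/stunnel-5.50-systemd-service.patch
+++ b/stunnel-5.50-systemd-service.patch
@@ -1,11 +0,0 @@
-diff -up stunnel-5.50/tools/stunnel.service.in.systemd-service stunnel-5.50/tools/stunnel.service.in
---- stunnel-5.50/tools/stunnel.service.in.systemd-service 2019-01-14 12:17:15.826868965 +0100
-+++ stunnel-5.50/tools/stunnel.service.in 2019-01-14 12:18:21.186753131 +0100
-@@ -5,6 +5,7 @@ After=syslog.target network.target
-[Service]
-ExecStart=@bindir@/stunnel
-Type=forking
-+PrivateTmp=true
-
-[Install]
-WantedBy=multi-user.target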
@ -1,18 +1,50 @@
|
|||
--- stunnel-5.56/src/prototypes.h.default-tls-version 2020-04-06 11:22:24.480280384 +0200
|
||||
+++ stunnel-5.56/src/prototypes.h 2020-04-06 11:21:05.407597053 +0200
|
||||
@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
|
||||
ICON_IMAGE load_icon_file(const char *);
|
||||
#endif
|
||||
|
||||
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
|
||||
+ crypto policies */
|
||||
+
|
||||
#endif /* defined PROTOTYPES_H */
|
||||
|
||||
/* end of prototypes.h */
|
||||
--- stunnel-5.56/src/options.c.default-tls-version 2020-04-06 18:58:48.947214149 +0200
|
||||
+++ stunnel-5.56/src/options.c 2020-04-08 15:45:18.093520780 +0200
|
||||
@@ -3123,8 +3123,9 @@ NOEXPORT char *parse_service_option(CMD
|
||||
diff -up stunnel-5.61/src/ctx.c.default-tls-version stunnel-5.61/src/ctx.c
|
||||
--- stunnel-5.61/src/ctx.c.default-tls-version 2021-12-13 09:43:22.000000000 +0100
|
||||
+++ stunnel-5.61/src/ctx.c 2022-01-10 19:27:49.913243127 +0100
|
||||
@@ -149,18 +149,28 @@ int context_init(SERVICE_OPTIONS *sectio
|
||||
section->ctx=SSL_CTX_new(section->option.client ?
|
||||
TLS_client_method() : TLS_server_method());
|
||||
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
|
||||
- if(!SSL_CTX_set_min_proto_version(section->ctx,
|
||||
- section->min_proto_version)) {
|
||||
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
||||
- section->min_proto_version);
|
||||
- return 1; /* FAILED */
|
||||
- }
|
||||
- if(!SSL_CTX_set_max_proto_version(section->ctx,
|
||||
- section->max_proto_version)) {
|
||||
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
||||
- section->max_proto_version);
|
||||
- return 1; /* FAILED */
|
||||
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
|
||||
+ s_log(LOG_INFO, "Using the default TLS version as specified in "
|
||||
+ "OpenSSL crypto policies. Not setting explicitly.");
|
||||
+ } else {
|
||||
+ if(!SSL_CTX_set_min_proto_version(section->ctx,
|
||||
+ section->min_proto_version)) {
|
||||
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
||||
+ section->min_proto_version);
|
||||
+ return 1; /* FAILED */
|
||||
+ }
|
||||
}
|
||||
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
|
||||
+ s_log(LOG_INFO, "Using the default TLS version as specified in "
|
||||
+ "OpenSSL crypto policies. Not setting explicitly");
|
||||
+ } else {
|
||||
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
|
||||
+ section->max_proto_version)) {
|
||||
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
||||
+ section->max_proto_version);
|
||||
+ return 1; /* FAILED */
|
||||
+ }
|
||||
+ }
|
||||
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
|
||||
if(section->option.client)
|
||||
section->ctx=SSL_CTX_new(section->client_method);
|
||||
diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options.c
|
||||
--- stunnel-5.61/src/options.c.default-tls-version 2022-01-10 19:23:15.096254067 +0100
|
||||
+++ stunnel-5.61/src/options.c 2022-01-10 19:23:15.098254103 +0100
|
||||
@@ -3297,8 +3297,9 @@ NOEXPORT char *parse_service_option(CMD
|
||||
return "Invalid protocol version";
|
||||
return NULL; /* OK */
|
||||
case CMD_INITIALIZE:
|
||||
|
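Review bot: When `min_proto_version` or `max_proto_version` equals USE_DEFAULT_TLS_VERSION, the new branches in context_init() log only that the crypto policy decides, so the effective protocol floor and ceiling no longer appear anywhere in the log; after both branches, `s_log(LOG_INFO, "Effective TLS versions: min 0x%lX max 0x%lX", (unsigned long)SSL_CTX_get_min_proto_version(section->ctx), (unsigned long)SSL_CTX_get_max_proto_version(section->ctx));` would keep that auditable (these getters exist since OpenSSL 1.1.1, so they want their own version guard rather than the surrounding 1.1.0 one). The two informational messages differ only by the trailing period on "explicitly", which is worth unifying since log consumers tend to match on them. The `USE_DEFAULT_TLS_VERSION ((int)-2)` definition in prototypes.h would benefit from a comment that the sentinel is deliberately distinct from 0, which OpenSSL itself uses for "no limit", and from every TLS*_VERSION constant. context_init() starts before and ends after this hunk.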
@ -24,7 +56,7 @@
|
|||
return "Invalid protocol version range";
|
||||
break;
|
||||
case CMD_PRINT_DEFAULTS:
|
||||
@@ -3142,7 +3143,10 @@ NOEXPORT char *parse_service_option(CMD
|
||||
@@ -3316,7 +3317,10 @@ NOEXPORT char *parse_service_option(CMD
|
||||
/* sslVersionMax */
|
||||
switch(cmd) {
|
||||
case CMD_SET_DEFAULTS:
|
||||
|
@ -36,7 +68,7 @@
|
|||
break;
|
||||
case CMD_SET_COPY:
|
||||
section->max_proto_version=new_service_options.max_proto_version;
|
||||
@@ -3173,7 +3177,10 @@ NOEXPORT char *parse_service_option(CMD
|
||||
@@ -3347,7 +3351,10 @@ NOEXPORT char *parse_service_option(CMD
|
||||
/* sslVersionMin */
|
||||
switch(cmd) {
|
||||
case CMD_SET_DEFAULTS:
|
||||
|
@ -48,45 +80,16 @@
|
|||
break;
|
||||
case CMD_SET_COPY:
|
||||
section->min_proto_version=new_service_options.min_proto_version;
|
||||
--- stunnel-5.56/src/ctx.c.default-tls-version 2019-10-24 10:48:11.000000000 +0200
|
||||
+++ stunnel-5.56/src/ctx.c 2020-04-06 11:16:48.406406794 +0200
|
||||
@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio
|
||||
section->ctx=SSL_CTX_new(TLS_client_method());
|
||||
else /* server mode */
|
||||
section->ctx=SSL_CTX_new(TLS_server_method());
|
||||
- if(!SSL_CTX_set_min_proto_version(section->ctx,
|
||||
- section->min_proto_version)) {
|
||||
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
||||
- section->min_proto_version);
|
||||
- return 1; /* FAILED */
|
||||
diff -up stunnel-5.61/src/prototypes.h.default-tls-version stunnel-5.61/src/prototypes.h
|
||||
--- stunnel-5.61/src/prototypes.h.default-tls-version 2021-12-13 09:43:22.000000000 +0100
|
||||
+++ stunnel-5.61/src/prototypes.h 2022-01-10 19:23:15.099254121 +0100
|
||||
@@ -932,6 +932,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
|
||||
ICON_IMAGE load_icon_file(const char *);
|
||||
#endif
|
||||
|
||||
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
|
||||
+ crypto policies */
|
||||
+
|
||||
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
|
||||
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
|
||||
+ OpenSSL crypto policies. Not setting explicitly.");
|
||||
+ } else {
|
||||
+ if(!SSL_CTX_set_min_proto_version(section->ctx,
|
||||
+ section->min_proto_version)) {
|
||||
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
||||
+ section->min_proto_version);
|
||||
+ return 1; /* FAILED */
|
||||
+ }
|
||||
}
|
||||
- if(!SSL_CTX_set_max_proto_version(section->ctx,
|
||||
- section->max_proto_version)) {
|
||||
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
||||
- section->max_proto_version);
|
||||
- return 1; /* FAILED */
|
||||
+
|
||||
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
|
||||
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
|
||||
+ OpenSSL crypto policies. Not setting explicitly");
|
||||
+ } else {
|
||||
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
|
||||
+ section->max_proto_version)) {
|
||||
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
||||
+ section->max_proto_version);
|
||||
+ return 1; /* FAILED */
|
||||
+ }
|
||||
}
|
||||
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
|
||||
if(section->option.client)
|
||||
#endif /* defined PROTOTYPES_H */
|
||||
|
||||
/* end of prototypes.h */
|
|
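--- a/stunnel-5.61-openssl30-fips.patch
+++ b/stunnel-5.61-openssl30-fips.patch
@@ -0,0 +1,19 @@
+tests: Adapt to OpenSSL 3.x FIPS mode
+
+In OpenSSL 3.0 with FIPS enabled, this test no longer fails with
+a human-readable error message (such as "no ciphers available"), but
+instead causes an internal error. Extend the success regex list to also
+accept this result.
+diff -up stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 stunnel-5.61/tests/plugins/p11_fips_cipher.py
+--- stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 2022-01-12 15:15:03.211690650 +0100
++++ stunnel-5.61/tests/plugins/p11_fips_cipher.py 2022-01-12 15:15:20.937008173 +0100
+@@ -91,7 +91,8 @@ class FailureCiphersuitesFIPS(StunnelTes
+self.events.count = 1
+self.events.success = [
+"disabled for FIPS",
+- "no ciphers available"
++ "no ciphers available",
++ "TLS alert \\(write\\): fatal: internal error"
+]
+self.events.failure = [
+"peer did not return a certificate",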
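Review bot: Adding `TLS alert \\(write\\): fatal: internal error` to `events.success` makes FailureCiphersuitesFIPS pass on any internal error during the handshake, not only on the FIPS cipher-suite rejection the test is meant to prove, so an unrelated breakage on the same code path would be reported as a pass. If the OpenSSL 3 log offers nothing more specific, a comment on that entry such as `# OpenSSL 3.x FIPS: cipher rejection surfaces as an internal-error alert instead of a readable message` would at least record why this broad pattern is accepted, and an `events.failure` entry that fires on a completed handshake (if not already present further down) would keep the test meaningful. The class and method containing this list begin outside the hunk.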
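--- a/stunnel-5.61-systemd-service.patch
+++ b/stunnel-5.61-systemd-service.patch
@@ -0,0 +1,11 @@
+diff -up stunnel-5.61/tools/stunnel.service.in.systemd-service stunnel-5.61/tools/stunnel.service.in
+--- stunnel-5.61/tools/stunnel.service.in.systemd-service 2022-01-12 14:48:32.474150329 +0100
++++ stunnel-5.61/tools/stunnel.service.in 2022-01-12 14:50:15.253984639 +0100
+@@ -6,6 +6,7 @@ After=syslog.target network-online.targe
+ExecStart=@bindir@/stunnel
+ExecReload=/bin/kill -HUP $MAINPID
+Type=forking
++PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target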
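--- a/stunnel-5.62-disabled-curves.patch
+++ b/stunnel-5.62-disabled-curves.patch
@@ -0,0 +1,57 @@
+Limit curves defaults in FIPS mode
+
+Our copy of OpenSSL disables the X25519 and X448 curves in FIPS mode,
+but stunnel defaults to enabling them and then fails to do so.
+
+Upstream-Status: Inappropriate [caused by a downstream patch to openssl]
+diff -up stunnel-5.62/src/options.c.disabled-curves stunnel-5.62/src/options.c
+--- stunnel-5.62/src/options.c.disabled-curves 2022-02-04 13:46:45.936884124 +0100
++++ stunnel-5.62/src/options.c 2022-02-04 13:53:16.346725153 +0100
+@@ -40,8 +40,10 @@
+
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+#define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
++#define DEFAULT_CURVES_FIPS "P-256:P-521:P-384"
+#else /* OpenSSL version < 1.1.1 */
+#define DEFAULT_CURVES "prime256v1"
++#define DEFAULT_CURVES_FIPS "prime256v1"
+#endif /* OpenSSL version >= 1.1.1 */
+
+#if defined(_WIN32_WCE) && !defined(CONFDIR)
+@@ -1855,7 +1857,7 @@ NOEXPORT char *parse_service_option(CMD
+/* curves */
+switch(cmd) {
+case CMD_SET_DEFAULTS:
+- section->curves=str_dup_detached(DEFAULT_CURVES);
++ section->curves = NULL;
+break;
+case CMD_SET_COPY:
+section->curves=str_dup_detached(new_service_options.curves);
+@@ -1870,9 +1872,26 @@ NOEXPORT char *parse_service_option(CMD
+section->curves=str_dup_detached(arg);
+return NULL; /* OK */
+case CMD_INITIALIZE:
++ if(!section->curves) {
++ /* this is only executed for global options, because
++ * section->curves is no longer NULL in sections */
++#ifdef USE_FIPS
++ if(new_global_options.option.fips)
++ section->curves=str_dup_detached(DEFAULT_CURVES_FIPS);
++ else
++#endif /* USE_FIPS */
++ section->curves=str_dup_detached(DEFAULT_CURVES);
++ }
+break;
+case CMD_PRINT_DEFAULTS:
+- s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
++ if(fips_available()) {
++ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
++ DEFAULT_CURVES_FIPS, "(with \"fips = yes\")");
++ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
++ DEFAULT_CURVES, "(with \"fips = no\")");
++ } else {
++ s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
++ }
+break;
+case CMD_PRINT_HELP:
+s_log(LOG_NOTICE, "%-22s = ECDH curve names", "curves");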
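Review bot: The FIPS-aware default in CMD_INITIALIZE only takes effect while `section->curves` is still NULL, so an explicit `curves` option listing X25519 or X448 together with `fips = yes` still hits the failure this patch works around for the default list; a warning in CMD_INITIALIZE when `new_global_options.option.fips` is set and the configured list names a curve outside DEFAULT_CURVES_FIPS would surface the misconfiguration at startup rather than at context setup. CMD_PRINT_DEFAULTS calls `fips_available()` outside any `#ifdef USE_FIPS` while CMD_INITIALIZE is guarded by it; presumably `fips_available()` exists in both build variants, which is worth confirming. Setting `section->curves = NULL` in CMD_SET_DEFAULTS also makes the CMD_SET_COPY branch depend on the global section having reached CMD_INITIALIZE first, as the inline comment notes; a short comment at that assignment, `/* resolved in CMD_INITIALIZE once the fips option is known */`, would keep that ordering from being broken silently. parse_service_option() begins and ends outside the hunks.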
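--- a/stunnel-5.62-openssl3-error-handling.patch
+++ b/stunnel-5.62-openssl3-error-handling.patch
@@ -0,0 +1,140 @@
+From 6baa5762ea5edb192ec003333d62b1d0e56509bf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
+Date: Sun, 11 Sep 2022 23:52:18 +0200
+Subject: [PATCH] stunnel-5.66
+
+---
+src/common.h | 6 +++++-
+src/ctx.c | 58 +++++++++++++++++++++++++++++++++++++++++++---------
+2 files changed, 53 insertions(+), 11 deletions(-)
+
+diff --git a/src/common.h b/src/common.h
+index bc37eb5..997e66e 100644
+--- a/src/common.h
++++ b/src/common.h
+@@ -491,7 +491,7 @@ extern char *sys_errlist[];
+#include <openssl/dh.h>
+#if OPENSSL_VERSION_NUMBER<0x10100000L
+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
+-#endif /* OpenSSL older than 1.1.0 */
++#endif /* OPENSSL_VERSION_NUMBER<0x10100000L */
+#endif /* !defined(OPENSSL_NO_DH) */
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+@@ -503,8 +503,12 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
+/* not defined in public headers before OpenSSL 0.9.8 */
+STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
+#endif /* !defined(OPENSSL_NO_COMP) */
++#if OPENSSL_VERSION_NUMBER>=0x10101000L
++#include <openssl/storeerr.h>
++#endif /* OPENSSL_VERSION_NUMBER>=0x10101000L */
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
+#include <openssl/provider.h>
++#include <openssl/proverr.h>
+#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
+
+#ifndef OPENSSL_VERSION
+diff --git a/src/ctx.c b/src/ctx.c
+index a2202b7..cc0806c 100644
+--- a/src/ctx.c
++++ b/src/ctx.c
+@@ -1001,30 +1001,41 @@ NOEXPORT int ui_retry() {
+unsigned long err=ERR_peek_error();
+
+switch(ERR_GET_LIB(err)) {
+- case ERR_LIB_ASN1:
+- return 1;
+- case ERR_LIB_PKCS12:
++ case ERR_LIB_EVP: /* 6 */
+switch(ERR_GET_REASON(err)) {
+- case PKCS12_R_MAC_VERIFY_FAILURE:
++ case EVP_R_BAD_DECRYPT:
+return 1;
+default:
++ s_log(LOG_ERR, "Unhandled ERR_LIB_EVP error reason: %d",
++ ERR_GET_REASON(err));
+return 0;
+}
+- case ERR_LIB_EVP:
++ case ERR_LIB_PEM: /* 9 */
+switch(ERR_GET_REASON(err)) {
+- case EVP_R_BAD_DECRYPT:
++ case PEM_R_BAD_PASSWORD_READ:
++ case PEM_R_BAD_DECRYPT:
+return 1;
+default:
++ s_log(LOG_ERR, "Unhandled ERR_LIB_PEM error reason: %d",
++ ERR_GET_REASON(err));
+return 0;
+}
+- case ERR_LIB_PEM:
++ case ERR_LIB_ASN1: /* 13 */
++ return 1;
++ case ERR_LIB_PKCS12: /* 35 */
+switch(ERR_GET_REASON(err)) {
+- case PEM_R_BAD_PASSWORD_READ:
++ case PKCS12_R_MAC_VERIFY_FAILURE:
+return 1;
+default:
++ s_log(LOG_ERR, "Unhandled ERR_LIB_PKCS12 error reason: %d",
++ ERR_GET_REASON(err));
+return 0;
+}
+- case ERR_LIB_UI:
++#ifdef ERR_LIB_DSO /* 37 */
++ case ERR_LIB_DSO:
++ return 1;
++#endif
++ case ERR_LIB_UI: /* 40 */
+switch(ERR_GET_REASON(err)) {
+case UI_R_RESULT_TOO_LARGE:
+case UI_R_RESULT_TOO_SMALL:
+@@ -1033,17 +1044,44 @@ NOEXPORT int ui_retry() {
+#endif
+return 1;
+default:
++ s_log(LOG_ERR, "Unhandled ERR_LIB_UI error reason: %d",
++ ERR_GET_REASON(err));
++ return 0;
++ }
++#ifdef ERR_LIB_OSSL_STORE
++ case ERR_LIB_OSSL_STORE: /* 44 - added in OpenSSL 1.1.1 */
++ switch(ERR_GET_REASON(err)) {
++ case OSSL_STORE_R_BAD_PASSWORD_READ:
++ return 1;
++ default:
++ s_log(LOG_ERR, "Unhandled ERR_LIB_OSSL_STORE error reason: %d",
++ ERR_GET_REASON(err));
++ return 0;
++ }
++#endif
++#ifdef ERR_LIB_PROV
++ case ERR_LIB_PROV: /* 57 - added in OpenSSL 3.0 */
++ switch(ERR_GET_REASON(err)) {
++ case PROV_R_BAD_DECRYPT:
++ return 1;
++ default:
++ s_log(LOG_ERR, "Unhandled ERR_LIB_PROV error reason: %d",
++ ERR_GET_REASON(err));
+return 0;
+}
+- case ERR_LIB_USER: /* PKCS#11 hacks */
++#endif
++ case ERR_LIB_USER: /* 128 - PKCS#11 hacks */
+switch(ERR_GET_REASON(err)) {
+case 7UL: /* CKR_ARGUMENTS_BAD */
+case 0xa0UL: /* CKR_PIN_INCORRECT */
+return 1;
+default:
++ s_log(LOG_ERR, "Unhandled ERR_LIB_USER error reason: %d",
++ ERR_GET_REASON(err));
+return 0;
+}
+default:
++ s_log(LOG_ERR, "Unhandled error library: %d", ERR_GET_LIB(err));
+return 0;
+}
+}
+--
+2.38.1
+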
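Review bot: The new `case ERR_LIB_DSO: return 1;` makes ui_retry() re-prompt for a passphrase on every DSO error, although a failure to load a shared object is not something a different password can fix; every other library in this switch retries only on its bad-password or bad-decrypt reasons, so either narrow DSO to the reason actually observed or add a comment stating why a blanket retry is intended (for example if the PKCS#11 engine surfaces a wrong PIN under this library). The `Unhandled ... error reason: %d` messages would be easier to act on with the symbolic reason next to the number; ERR_error_string_n() into a local buffer is the NULL-safe way to obtain it, since ERR_reason_error_string() may return NULL. Because this function decides whether a PIN prompt repeats, the number of retries is presumably bounded by the caller, which is not in this hunk and worth confirming. ui_retry() begins before the first ctx.c hunk.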
74
stunnel.spec
74
stunnel.spec
|
@ -9,10 +9,10 @@
|
|||
|
||||
Summary: A TLS-encrypting socket wrapper
|
||||
Name: stunnel
|
||||
Version: 5.58
|
||||
Release: 1%{?dist}
|
||||
Version: 5.62
|
||||
Release: 3%{?dist}
|
||||
License: GPLv2
|
||||
URL: http://www.stunnel.org/
|
||||
URL: https://www.stunnel.org/
|
||||
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
|
||||
Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc
|
||||
Source2: Certificate-Creation
|
||||
|
@ -22,11 +22,14 @@ Source5: pop3-redirect.xinetd
|
|||
Source6: stunnel-pop3s-client.conf
|
||||
Source7: stunnel@.service
|
||||
Patch0: stunnel-5.50-authpriv.patch
|
||||
Patch1: stunnel-5.50-systemd-service.patch
|
||||
Patch1: stunnel-5.61-systemd-service.patch
|
||||
Patch3: stunnel-5.56-system-ciphers.patch
|
||||
Patch4: stunnel-5.56-coverity.patch
|
||||
Patch5: stunnel-5.56-default-tls-version.patch
|
||||
Patch5: stunnel-5.61-default-tls-version.patch
|
||||
Patch6: stunnel-5.56-curves-doc-update.patch
|
||||
Patch7: stunnel-5.61-openssl30-fips.patch
|
||||
Patch8: stunnel-5.62-disabled-curves.patch
|
||||
Patch9: stunnel-5.62-openssl3-error-handling.patch
|
||||
# util-linux is needed for rename
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc
|
||||
|
@ -39,6 +42,7 @@ BuildRequires: /usr/bin/pod2man
|
|||
BuildRequires: /usr/bin/pod2html
|
||||
# build test requirements
|
||||
BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
|
||||
BuildRequires: python3 openssl
|
||||
BuildRequires: systemd
|
||||
%{?systemd_requires}
|
||||
|
||||
|
@ -56,12 +60,12 @@ conjunction with imapd to create a TLS secure IMAP server.
|
|||
%patch4 -p1 -b .coverity
|
||||
%patch5 -p1 -b .default-tls-version
|
||||
%patch6 -p1 -b .curves-doc-update
|
||||
%patch7 -p1 -b .openssl30-fips
|
||||
%patch8 -p1 -b .disabled-curves
|
||||
%patch9 -p1 -b .openssl3-error-handling
|
||||
|
||||
# Fix the configure script output for FIPS mode and stack protector flag
|
||||
sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure
|
||||
|
||||
# Fix a testcase with system-ciphers support
|
||||
sed -i '/client = yes/a \\ ciphers = PSK' tests/recipes/014_PSK_secrets
|
||||
# Fix the stack protector flag
|
||||
sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
|
||||
|
||||
%build
|
||||
#autoreconf -v
|
||||
|
@ -98,15 +102,13 @@ cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service
|
|||
%endif
|
||||
|
||||
%check
|
||||
# For unknown reason the 042_inetd test fails in Koji. The failure is not reproducible
|
||||
# in local build.
|
||||
rm tests/recipes/042_inetd
|
||||
# We override the security policy as it is too strict for the tests.
|
||||
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
|
||||
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
|
||||
OPENSSL_CONF=
|
||||
export OPENSSL_CONF
|
||||
make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
|
||||
if ! make test; then
|
||||
for i in tests/logs/*.log; do
|
||||
echo "$i":
|
||||
cat "$i"
|
||||
done
|
||||
exit 1
|
||||
fi
|
||||
|
||||
%files
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
|
@ -128,6 +130,7 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
|
|||
%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
|
||||
%{_unitdir}/%{name}*.service
|
||||
%endif
|
||||
%{_datadir}/bash-completion/completions/%{name}.bash
|
||||
|
||||
%post
|
||||
/sbin/ldconfig
|
||||
|
@ -141,6 +144,39 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
|
|||
%systemd_postun_with_restart %{name}.service
|
||||
|
||||
%changelog
|
||||
* Thu Dec 08 2022 Clemens Lang <cllang@redhat.com> - 5.62-3
|
||||
- Fix use of encrypted key files and password retry with OpenSSL 3
|
||||
Resolves: rhbz#2151888
|
||||
|
||||
* Fri Feb 04 2022 Clemens Lang <cllang@redhat.com> - 5.62-2
|
||||
- Fix stunnel in FIPS mode
|
||||
Resolves: rhbz#2050617
|
||||
- Fail build if tests fail
|
||||
Resolves: rhbz#2051083
|
||||
|
||||
* Tue Jan 18 2022 Clemens Lang <cllang@redhat.com> - 5.62-1
|
||||
- New upstream release 5.62
|
||||
Resolves: rhbz#2039299
|
||||
|
||||
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 5.58-6
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Tue Aug 03 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 5.58-5
|
||||
- Stunnel cannot use an encrypted private key being built against OpenSSL 3.0
|
||||
- Resolves: rhbz#1976854
|
||||
|
||||
* Wed Jul 28 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 5.58-4
|
||||
- Stunnel cannot use an encrypted private key being built against OpenSSL 3.0
|
||||
- Resolves: rhbz#1976854
|
||||
|
||||
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 5.58-3
|
||||
- Rebuilt for RHEL 9 BETA for openssl 3.0
|
||||
Related: rhbz#1971065
|
||||
|
||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 5.58-2
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
* Mon Feb 22 2021 Sahana Prasad <sahana@redhat.com> - 5.58-1
|
||||
- New upstream release 5.58
|
||||
|
||||
|
|