From b78e1173ecee90cb5a9ea11bd310cfc2e331c8fe Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 01 2022 12:39:47 +0000
Subject: import stunnel-5.62-2.el9
---
diff --git a/.gitignore b/.gitignore
index 169d686..84378ef 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/stunnel-5.58.tar.gz
+SOURCES/stunnel-5.62.tar.gz
diff --git a/.stunnel.metadata b/.stunnel.metadata
index 3a90b86..beea5ac 100644
--- a/.stunnel.metadata
+++ b/.stunnel.metadata
@@ -1 +1 @@
-7e9bd07267f9ff6505a68f5b7034ed0154651ab2 SOURCES/stunnel-5.58.tar.gz
+e18be56bfee006f5e58de044fda7bdcfaa425b3f SOURCES/stunnel-5.62.tar.gz
diff --git a/SOURCES/stunnel-5.50-systemd-service.patch b/SOURCES/stunnel-5.50-systemd-service.patch
deleted file mode 100644
index 9fc170b..0000000
--- a/SOURCES/stunnel-5.50-systemd-service.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -up stunnel-5.50/tools/stunnel.service.in.systemd-service stunnel-5.50/tools/stunnel.service.in
---- stunnel-5.50/tools/stunnel.service.in.systemd-service 2019-01-14 12:17:15.826868965 +0100
-+++ stunnel-5.50/tools/stunnel.service.in 2019-01-14 12:18:21.186753131 +0100
-@@ -5,6 +5,7 @@ After=syslog.target network.target
- [Service]
- ExecStart=@bindir@/stunnel
- Type=forking
-+PrivateTmp=true
-
- [Install]
- WantedBy=multi-user.target
diff --git a/SOURCES/stunnel-5.56-default-tls-version.patch b/SOURCES/stunnel-5.56-default-tls-version.patch
deleted file mode 100644
index b66753e..0000000
--- a/SOURCES/stunnel-5.56-default-tls-version.patch
+++ /dev/null
@@ -1,92 +0,0 @@
---- stunnel-5.56/src/prototypes.h.default-tls-version 2020-04-06 11:22:24.480280384 +0200
-+++ stunnel-5.56/src/prototypes.h 2020-04-06 11:21:05.407597053 +0200
-@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
- ICON_IMAGE load_icon_file(const char *);
- #endif
-
-+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
-+ crypto policies */
-+
- #endif /* defined PROTOTYPES_H */
-
- /* end of prototypes.h */
---- stunnel-5.56/src/options.c.default-tls-version 2020-04-06 18:58:48.947214149 +0200
-+++ stunnel-5.56/src/options.c 2020-04-08 15:45:18.093520780 +0200
-@@ -3123,8 +3123,9 @@ NOEXPORT char *parse_service_option(CMD
- return "Invalid protocol version";
- return NULL; /* OK */
- case CMD_INITIALIZE:
-- if(section->max_proto_version && section->min_proto_version &&
-- section->max_proto_versionmin_proto_version)
-+ if(section->max_proto_version != USE_DEFAULT_TLS_VERSION
-+ && section->min_proto_version != USE_DEFAULT_TLS_VERSION
-+ && section->max_proto_versionmin_proto_version)
- return "Invalid protocol version range";
- break;
- case CMD_PRINT_DEFAULTS:
-@@ -3142,7 +3143,10 @@ NOEXPORT char *parse_service_option(CMD
- /* sslVersionMax */
- switch(cmd) {
- case CMD_SET_DEFAULTS:
-- section->max_proto_version=0; /* highest supported */
-+ section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
-+ OpenSSL crypto
-+ policies.Do not
-+ override it */
- break;
- case CMD_SET_COPY:
- section->max_proto_version=new_service_options.max_proto_version;
-@@ -3173,7 +3177,10 @@ NOEXPORT char *parse_service_option(CMD
- /* sslVersionMin */
- switch(cmd) {
- case CMD_SET_DEFAULTS:
-- section->min_proto_version=TLS1_VERSION;
-+ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
-+ OpenSSL crypto
-+ policies. Do not
-+ override it */
- break;
- case CMD_SET_COPY:
- section->min_proto_version=new_service_options.min_proto_version;
---- stunnel-5.56/src/ctx.c.default-tls-version 2019-10-24 10:48:11.000000000 +0200
-+++ stunnel-5.56/src/ctx.c 2020-04-06 11:16:48.406406794 +0200
-@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio
- section->ctx=SSL_CTX_new(TLS_client_method());
- else /* server mode */
- section->ctx=SSL_CTX_new(TLS_server_method());
-- if(!SSL_CTX_set_min_proto_version(section->ctx,
-- section->min_proto_version)) {
-- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
-- section->min_proto_version);
-- return 1; /* FAILED */
-+
-+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
-+ s_log(LOG_INFO, "Using the default TLS version as specified in \
-+ OpenSSL crypto policies. Not setting explicitly.");
-+ } else {
-+ if(!SSL_CTX_set_min_proto_version(section->ctx,
-+ section->min_proto_version)) {
-+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
-+ section->min_proto_version);
-+ return 1; /* FAILED */
-+ }
- }
-- if(!SSL_CTX_set_max_proto_version(section->ctx,
-- section->max_proto_version)) {
-- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
-- section->max_proto_version);
-- return 1; /* FAILED */
-+
-+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
-+ s_log(LOG_INFO, "Using the default TLS version as specified in \
-+ OpenSSL crypto policies. Not setting explicitly");
-+ } else {
-+ if(!SSL_CTX_set_max_proto_version(section->ctx,
-+ section->max_proto_version)) {
-+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
-+ section->max_proto_version);
-+ return 1; /* FAILED */
-+ }
- }
- #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
- if(section->option.client)
diff --git a/SOURCES/stunnel-5.58-openssl30.patch b/SOURCES/stunnel-5.58-openssl30.patch
deleted file mode 100644
index f786bd2..0000000
--- a/SOURCES/stunnel-5.58-openssl30.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -up stunnel-5.58/src/ctx.c.openssl30 stunnel-5.58/src/ctx.c
---- stunnel-5.58/src/ctx.c.openssl30 2021-08-03 16:02:24.687409192 +0200
-+++ stunnel-5.58/src/ctx.c 2021-08-03 16:03:36.889009510 +0200
-@@ -1011,6 +1011,7 @@ NOEXPORT int ui_retry() {
- switch(ERR_GET_REASON(err)) {
- case UI_R_RESULT_TOO_LARGE:
- case UI_R_RESULT_TOO_SMALL:
-+ case UI_R_PROCESSING_ERROR:
- return 1;
- default:
- return 0;
diff --git a/SOURCES/stunnel-5.58.tar.gz.asc b/SOURCES/stunnel-5.58.tar.gz.asc
deleted file mode 100644
index 9809494..0000000
--- a/SOURCES/stunnel-5.58.tar.gz.asc
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmAxUhNfFIAAAAAALgAo
-aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
-QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
-4BTjnw//WxZJR4No++ri5S4amhfYpLPY3Zr9qUGQ5hepESCWTYf/K+b24fPtKsiU
-x/qn1jneQWw/dzPsD1e3UuPH+4d4ryzLzxVW9T8T+6cFQlaU89m5h0Epdd/LjwhF
-YECEawGU3dA+pgrNrumgyUTzYtsWGCAkylS02eDrD3auYL3mllarAuXmOpjFxIRB
-zod4HILm5fKggZ9++GsIeTFLz+q8Q1Y6QdELLje5p9wrqgP/N2Misc6yrYN8ZdOV
-HvFirN/M/Zb0AYknYNe6GHu06u8SM5bZpbwqrrMGaY95mL0lYDn5mi8quel0dnBv
-sI9rrflo1G9NMymSPN1knV9UeTKSnpSSr9HFxl1Y5eH2DcLIhfQZ9STBzrRPivxb
-JC0gNE51K36Komd4VhfYA2RPtih+YeGi7bADSMoH3UOZDsMJ9YitO9NAsFS/MaY7
-EkxKcqisfccZ69ruykHVxfYHujdby/EOXIUZVmmkrV7BWudhnDmukFg6k6uOq7LT
-k1ABoNhqfQx3f/daR0oluNgdOPz6bkt/9fa1RjFHqVLo+YOMBrHAEUv6eSQ2V0z5
-Lh5UCQQmPk7M6JWta1Bs9Ftv+H+CR6k6Ix9oF3lMjAjcJu4oj7zeRN4yH4KlGltP
-SfWgOEK0SqwZZL8yE7Fp61WiDlTW3b02U7iESj/OJK6Z1CpCxtE=
-=EoHl
------END PGP SIGNATURE-----
diff --git a/SOURCES/stunnel-5.61-default-tls-version.patch b/SOURCES/stunnel-5.61-default-tls-version.patch
new file mode 100644
index 0000000..f779e4e
--- /dev/null
+++ b/SOURCES/stunnel-5.61-default-tls-version.patch
@@ -0,0 +1,95 @@
+diff -up stunnel-5.61/src/ctx.c.default-tls-version stunnel-5.61/src/ctx.c
+--- stunnel-5.61/src/ctx.c.default-tls-version 2021-12-13 09:43:22.000000000 +0100
++++ stunnel-5.61/src/ctx.c 2022-01-10 19:27:49.913243127 +0100
+@@ -149,18 +149,28 @@ int context_init(SERVICE_OPTIONS *sectio
+ section->ctx=SSL_CTX_new(section->option.client ?
+ TLS_client_method() : TLS_server_method());
+ #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
+- if(!SSL_CTX_set_min_proto_version(section->ctx,
+- section->min_proto_version)) {
+- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+- section->min_proto_version);
+- return 1; /* FAILED */
+- }
+- if(!SSL_CTX_set_max_proto_version(section->ctx,
+- section->max_proto_version)) {
+- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+- section->max_proto_version);
+- return 1; /* FAILED */
++ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
++ s_log(LOG_INFO, "Using the default TLS version as specified in "
++ "OpenSSL crypto policies. Not setting explicitly.");
++ } else {
++ if(!SSL_CTX_set_min_proto_version(section->ctx,
++ section->min_proto_version)) {
++ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
++ section->min_proto_version);
++ return 1; /* FAILED */
++ }
+ }
++ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
++ s_log(LOG_INFO, "Using the default TLS version as specified in "
++ "OpenSSL crypto policies. Not setting explicitly");
++ } else {
++ if(!SSL_CTX_set_max_proto_version(section->ctx,
++ section->max_proto_version)) {
++ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
++ section->max_proto_version);
++ return 1; /* FAILED */
++ }
++ }
+ #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
+ if(section->option.client)
+ section->ctx=SSL_CTX_new(section->client_method);
+diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options.c
+--- stunnel-5.61/src/options.c.default-tls-version 2022-01-10 19:23:15.096254067 +0100
++++ stunnel-5.61/src/options.c 2022-01-10 19:23:15.098254103 +0100
+@@ -3297,8 +3297,9 @@ NOEXPORT char *parse_service_option(CMD
+ return "Invalid protocol version";
+ return NULL; /* OK */
+ case CMD_INITIALIZE:
+- if(section->max_proto_version && section->min_proto_version &&
+- section->max_proto_versionmin_proto_version)
++ if(section->max_proto_version != USE_DEFAULT_TLS_VERSION
++ && section->min_proto_version != USE_DEFAULT_TLS_VERSION
++ && section->max_proto_versionmin_proto_version)
+ return "Invalid protocol version range";
+ break;
+ case CMD_PRINT_DEFAULTS:
+@@ -3316,7 +3317,10 @@ NOEXPORT char *parse_service_option(CMD
+ /* sslVersionMax */
+ switch(cmd) {
+ case CMD_SET_DEFAULTS:
+- section->max_proto_version=0; /* highest supported */
++ section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
++ OpenSSL crypto
++ policies.Do not
++ override it */
+ break;
+ case CMD_SET_COPY:
+ section->max_proto_version=new_service_options.max_proto_version;
+@@ -3347,7 +3351,10 @@ NOEXPORT char *parse_service_option(CMD
+ /* sslVersionMin */
+ switch(cmd) {
+ case CMD_SET_DEFAULTS:
+- section->min_proto_version=TLS1_VERSION;
++ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
++ OpenSSL crypto
++ policies. Do not
++ override it */
+ break;
+ case CMD_SET_COPY:
+ section->min_proto_version=new_service_options.min_proto_version;
+diff -up stunnel-5.61/src/prototypes.h.default-tls-version stunnel-5.61/src/prototypes.h
+--- stunnel-5.61/src/prototypes.h.default-tls-version 2021-12-13 09:43:22.000000000 +0100
++++ stunnel-5.61/src/prototypes.h 2022-01-10 19:23:15.099254121 +0100
+@@ -932,6 +932,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
+ ICON_IMAGE load_icon_file(const char *);
+ #endif
+
++#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
++ crypto policies */
++
+ #endif /* defined PROTOTYPES_H */
+
+ /* end of prototypes.h */
diff --git a/SOURCES/stunnel-5.61-openssl30-fips.patch b/SOURCES/stunnel-5.61-openssl30-fips.patch
new file mode 100644
index 0000000..faaeef9
--- /dev/null
+++ b/SOURCES/stunnel-5.61-openssl30-fips.patch
@@ -0,0 +1,19 @@
+tests: Adapt to OpenSSL 3.x FIPS mode
+
+In OpenSSL 3.0 with FIPS enabled, this test no longer fails with
+a human-readable error message (such as "no ciphers available"), but
+instead causes an internal error. Extend the success regex list to also
+accept this result.
+diff -up stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 stunnel-5.61/tests/plugins/p11_fips_cipher.py
+--- stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 2022-01-12 15:15:03.211690650 +0100
++++ stunnel-5.61/tests/plugins/p11_fips_cipher.py 2022-01-12 15:15:20.937008173 +0100
+@@ -91,7 +91,8 @@ class FailureCiphersuitesFIPS(StunnelTes
+ self.events.count = 1
+ self.events.success = [
+ "disabled for FIPS",
+- "no ciphers available"
++ "no ciphers available",
++ "TLS alert \\(write\\): fatal: internal error"
+ ]
+ self.events.failure = [
+ "peer did not return a certificate",
diff --git a/SOURCES/stunnel-5.61-systemd-service.patch b/SOURCES/stunnel-5.61-systemd-service.patch
new file mode 100644
index 0000000..8c82221
--- /dev/null
+++ b/SOURCES/stunnel-5.61-systemd-service.patch
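Review bot: In the options.c part of this patch, the CMD_INITIALIZE range check drops the old non-zero guards (`section->max_proto_version && section->min_proto_version &&`) and now excludes only USE_DEFAULT_TLS_VERSION, while the removed default line documents 0 as "highest supported". If 0 can still be set from the configuration (not visible in this hunk), a section with an explicit minimum and a maximum of 0 would be rejected with "Invalid protocol version range"; testing for positive values covers both 0 and the -2 sentinel, for example `if(section->max_proto_version > 0 && section->min_proto_version > 0 && section->max_proto_version < section->min_proto_version)`. In ctx.c the two LOG_INFO messages are the same apart from a missing full stop, so the log does not show whether the minimum or the maximum bound was left to the system crypto policy; naming the bound in each message would make the effective TLS floor easier to audit. context_init and parse_service_option both continue outside the hunks shown.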
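Review bot: The added success pattern `"TLS alert \\(write\\): fatal: internal error"` matches any handshake that ends in an internal-error alert, so FailureCiphersuitesFIPS would also pass when the connection fails for a reason unrelated to the FIPS cipher restriction. The patch description explains why OpenSSL 3.0 no longer produces a specific message, but that reasoning is not visible next to the list; a comment above the new entry such as `# OpenSSL 3.x FIPS: cipher rejection surfaces only as a generic internal error` would keep the weaker assertion visible to the next person editing the test. The class body starts and ends outside the hunk.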
@@ -0,0 +1,11 @@
+diff -up stunnel-5.61/tools/stunnel.service.in.systemd-service stunnel-5.61/tools/stunnel.service.in
+--- stunnel-5.61/tools/stunnel.service.in.systemd-service 2022-01-12 14:48:32.474150329 +0100
++++ stunnel-5.61/tools/stunnel.service.in 2022-01-12 14:50:15.253984639 +0100
+@@ -6,6 +6,7 @@ After=syslog.target network-online.targe
+ ExecStart=@bindir@/stunnel
+ ExecReload=/bin/kill -HUP $MAINPID
+ Type=forking
++PrivateTmp=true
+
+ [Install]
+ WantedBy=multi-user.target
diff --git a/SOURCES/stunnel-5.62-disabled-curves.patch b/SOURCES/stunnel-5.62-disabled-curves.patch
new file mode 100644
index 0000000..075ccec
--- /dev/null
+++ b/SOURCES/stunnel-5.62-disabled-curves.patch
@@ -0,0 +1,57 @@
+Limit curves defaults in FIPS mode
+
+Our copy of OpenSSL disables the X25519 and X448 curves in FIPS mode,
+but stunnel defaults to enabling them and then fails to do so.
+
+Upstream-Status: Inappropriate [caused by a downstream patch to openssl]
+diff -up stunnel-5.62/src/options.c.disabled-curves stunnel-5.62/src/options.c
+--- stunnel-5.62/src/options.c.disabled-curves 2022-02-04 13:46:45.936884124 +0100
++++ stunnel-5.62/src/options.c 2022-02-04 13:53:16.346725153 +0100
+@@ -40,8 +40,10 @@
+
+ #if OPENSSL_VERSION_NUMBER >= 0x10101000L
+ #define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
++#define DEFAULT_CURVES_FIPS "P-256:P-521:P-384"
+ #else /* OpenSSL version < 1.1.1 */
+ #define DEFAULT_CURVES "prime256v1"
++#define DEFAULT_CURVES_FIPS "prime256v1"
+ #endif /* OpenSSL version >= 1.1.1 */
+
+ #if defined(_WIN32_WCE) && !defined(CONFDIR)
+@@ -1855,7 +1857,7 @@ NOEXPORT char *parse_service_option(CMD
+ /* curves */
+ switch(cmd) {
+ case CMD_SET_DEFAULTS:
+- section->curves=str_dup_detached(DEFAULT_CURVES);
++ section->curves = NULL;
+ break;
+ case CMD_SET_COPY:
+ section->curves=str_dup_detached(new_service_options.curves);
+@@ -1870,9 +1872,26 @@ NOEXPORT char *parse_service_option(CMD
+ section->curves=str_dup_detached(arg);
+ return NULL; /* OK */
+ case CMD_INITIALIZE:
++ if(!section->curves) {
++ /* this is only executed for global options, because
++ * section->curves is no longer NULL in sections */
++#ifdef USE_FIPS
++ if(new_global_options.option.fips)
++ section->curves=str_dup_detached(DEFAULT_CURVES_FIPS);
++ else
++#endif /* USE_FIPS */
++ section->curves=str_dup_detached(DEFAULT_CURVES);
++ }
+ break;
+ case CMD_PRINT_DEFAULTS:
+- s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
++ if(fips_available()) {
++ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
++ DEFAULT_CURVES_FIPS, "(with \"fips = yes\")");
++ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
++ DEFAULT_CURVES, "(with \"fips = no\")");
++ } else {
++ s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
++ }
+ break;
+ case CMD_PRINT_HELP:
+ s_log(LOG_NOTICE, "%-22s = ECDH curve names", "curves");
diff --git a/SOURCES/stunnel-5.62.tar.gz.asc b/SOURCES/stunnel-5.62.tar.gz.asc
new file mode 100644
index 0000000..194a431
--- /dev/null
+++ b/SOURCES/stunnel-5.62.tar.gz.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmHlyoBfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
+QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
+4BRqiw//dzBO+CqezKNlkVT5sePEfriVPk0iYa7IyGQ2xclohI3X3A0NaLHhwysa
+2pFo+myUn5h2qVM6jfuPbXHxDSgDQIcRoEEWpLbVEnVy5vMpVsB5wY4fwfyd3crM
+2J24XPdODE8H2mB28JXHyQdXehMtzOAMJ57ugUbrU4drNOR8sCRbp+sBChI8JK9Q
+IYvUoMPMCukFXws0KFEYjRom/FyQlde2Wz9ZPiluRzj6RWPQvQht8EiB7IfPrq2m
+fiPmOxUnB+Ry6/eaSp7JLlrnL4q5Zhw0HS/pMbWpiB9nPb9SLoKufJ9hYQs5X2h9
+L85VPMAAAStQ4PcvFYWt/nV03p3agImdMLrwlaMi/Bb95+tk7OoNLu7yz9RQ9QAo
+SPamduORs4/KhtlMzRf2G8utIQRa4fI47KDOO1+1qRfTH4t/Bf3Fr/gI34AW24ZZ
+hu2nHqr+UxGkU42HJEhsL9tAvBFr/mBI64sHtAI41e25CkqBQSqD+FxUw5snbVgP
+XxiM9tNo/UUZpCMnmkAZUqVFKYT10VSFTDo6/LcoMYZf1zzCWch3wJTtf2ZPUJYG
+6kNpdCEzsXYileL6iCof9+J5hNaNGpsgTi+ljz1jujzOHWGw6hyIWUiYTBGmRAbl
+Pehbx5RYqQe9gX0nFRRs3o9y9p8B4MLMAvJdhx6vqxgd2H1SDJA=
+=MLHM
+-----END PGP SIGNATURE-----
diff --git a/SPECS/stunnel.spec b/SPECS/stunnel.spec
index 24c057f..b2a3fd4 100644
--- a/SPECS/stunnel.spec
+++ b/SPECS/stunnel.spec
@@ -9,10 +9,10 @@
 Summary: A TLS-encrypting socket wrapper
 Name: stunnel
-Version: 5.58
-Release: 6%{?dist}
+Version: 5.62
+Release: 2%{?dist}
 License: GPLv2
-URL: http://www.stunnel.org/
+URL: https://www.stunnel.org/
 Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
 Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc
 Source2: Certificate-Creation
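Review bot: In the CMD_INITIALIZE branch of the curves option, the `else` placed just before `#endif /* USE_FIPS */` takes its statement from outside the conditional block, so the unbraced if/else changes shape with the build configuration and is easy to break on a later edit. Selecting the default first reads more safely: `const char *def=DEFAULT_CURVES;`, then the guarded `if(new_global_options.option.fips) def=DEFAULT_CURVES_FIPS;`, then a single `section->curves=str_dup_detached(def);`. CMD_SET_DEFAULTS now leaves `section->curves` as NULL while the unchanged CMD_SET_COPY line still passes `new_service_options.curves` to `str_dup_detached`; the added comment asserts that the value is filled in before sections are copied, but that ordering is not visible in this hunk and is worth confirming. parse_service_option starts and ends outside the hunks shown.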
@@ -22,12 +22,13 @@ Source5: pop3-redirect.xinetd
 Source6: stunnel-pop3s-client.conf
 Source7: stunnel@.service
 Patch0: stunnel-5.50-authpriv.patch
-Patch1: stunnel-5.50-systemd-service.patch
+Patch1: stunnel-5.61-systemd-service.patch
 Patch3: stunnel-5.56-system-ciphers.patch
 Patch4: stunnel-5.56-coverity.patch
-Patch5: stunnel-5.56-default-tls-version.patch
+Patch5: stunnel-5.61-default-tls-version.patch
 Patch6: stunnel-5.56-curves-doc-update.patch
-Patch7: stunnel-5.58-openssl30.patch
+Patch7: stunnel-5.61-openssl30-fips.patch
+Patch8: stunnel-5.62-disabled-curves.patch
 # util-linux is needed for rename
 BuildRequires: make
 BuildRequires: gcc
@@ -40,6 +41,7 @@ BuildRequires: /usr/bin/pod2man
 BuildRequires: /usr/bin/pod2html
 # build test requirements
 BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
+BuildRequires: python3 openssl
 BuildRequires: systemd
 %{?systemd_requires}
@@ -57,13 +59,11 @@ conjunction with imapd to create a TLS secure IMAP server.
 %patch4 -p1 -b .coverity
 %patch5 -p1 -b .default-tls-version
 %patch6 -p1 -b .curves-doc-update
-%patch7 -p1 -b .openssl30
+%patch7 -p1 -b .openssl30-fips
+%patch8 -p1 -b .disabled-curves
-# Fix the configure script output for FIPS mode and stack protector flag
-sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure
-
-# Fix a testcase with system-ciphers support
-sed -i '/client = yes/a \\ ciphers = PSK' tests/recipes/014_PSK_secrets
+# Fix the stack protector flag
+sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
 %build
 #autoreconf -v
@@ -100,15 +100,13 @@ cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service
 %endif
 %check
-# For unknown reason the 042_inetd test fails in Koji. The failure is not reproducible
-# in local build.
-rm tests/recipes/042_inetd
-# We override the security policy as it is too strict for the tests.
-OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
-export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
-OPENSSL_CONF=
-export OPENSSL_CONF
-make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
+if ! make test; then
+ for i in tests/logs/*.log; do
+ echo "$i":
+ cat "$i"
+ done
+ exit 1
+fi
 %files
 %{!?_licensedir:%global license %%doc}
@@ -130,6 +128,7 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
 %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
 %{_unitdir}/%{name}*.service
 %endif
+%{_datadir}/bash-completion/completions/%{name}.bash
 %post
 /sbin/ldconfig
@@ -143,6 +142,16 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
 %systemd_postun_with_restart %{name}.service
 %changelog
+* Fri Feb 04 2022 Clemens Lang - 5.62-2
+- Fix stunnel in FIPS mode
+ Resolves: rhbz#2050617
+- Fail build if tests fail
+ Resolves: rhbz#2051083
+
+* Tue Jan 18 2022 Clemens Lang - 5.62-1
+- New upstream release 5.62
+ Resolves: rhbz#2039299
+
 * Tue Aug 10 2021 Mohan Boddu - 5.58-6
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
 Related: rhbz#1991688