diff --git a/SOURCES/stunnel-5.56-verify-chain.patch b/SOURCES/stunnel-5.56-verify-chain.patch
new file mode 100644
index 0000000..d36f240
--- /dev/null
+++ b/SOURCES/stunnel-5.56-verify-chain.patch
@@ -0,0 +1,219 @@
+diff -up stunnel-5.56/src/ssl.c.verify-chain stunnel-5.56/src/ssl.c
+--- stunnel-5.56/src/ssl.c.verify-chain 2021-02-17 00:37:28.950981672 +0100
++++ stunnel-5.56/src/ssl.c 2021-02-17 00:37:36.047053139 +0100
+@@ -1,6 +1,6 @@
+ /*
+ * stunnel TLS offloading and load-balancing proxy
+- * Copyright (C) 1998-2019 Michal Trojnara
++ * Copyright (C) 1998-2020 Michal Trojnara
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+@@ -39,7 +39,12 @@
+ #include "prototypes.h"
+
+ /* global OpenSSL initialization: compression, engine, entropy */
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
++ int idx, long argl, void *argp);
++#if OPENSSL_VERSION_NUMBER>=0x30000000L
++NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
++ void **from_d, int idx, long argl, void *argp);
++#elif OPENSSL_VERSION_NUMBER>=0x10100000L
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void *from_d, int idx, long argl, void *argp);
+ #else
+@@ -72,7 +77,7 @@ int ssl_init(void) { /* init TLS before
+ index_ssl_ctx_opt=SSL_CTX_get_ex_new_index(0,
+ "SERVICE_OPTIONS pointer", NULL, NULL, NULL);
+ index_session_authenticated=SSL_SESSION_get_ex_new_index(0,
+- "session authenticated", NULL, NULL, NULL);
++ "session authenticated", cb_new_auth, NULL, NULL);
+ index_session_connect_address=SSL_SESSION_get_ex_new_index(0,
+ "session connect address", NULL, cb_dup_addr, cb_free_addr);
+ if(index_ssl_cli<0 || index_ssl_ctx_opt<0 ||
+@@ -104,17 +109,31 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNU
+ BN_free(dh->p);
+ BN_free(dh->q);
+ BN_free(dh->g);
+- dh->p = p;
+- dh->q = q;
+- dh->g = g;
++ dh->p=p;
++ dh->q=q;
++ dh->g=g;
+ if(q)
+- dh->length = BN_num_bits(q);
++ dh->length=BN_num_bits(q);
+ return 1;
+ }
+ #endif
+ #endif
+
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
++ int idx, long argl, void *argp) {
++ (void)parent; /* squash the unused parameter warning */
++ (void)ptr; /* squash the unused parameter warning */
++ (void)argl; /* squash the unused parameter warning */
++ s_log(LOG_DEBUG, "Initializing application specific data for %s",
++ (char *)argp);
++ if(!CRYPTO_set_ex_data(ad, idx, (void *)(-1)))
++ sslerror("CRYPTO_set_ex_data");
++}
++
++#if OPENSSL_VERSION_NUMBER>=0x30000000L
++NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
++ void **from_d, int idx, long argl, void *argp) {
++#elif OPENSSL_VERSION_NUMBER>=0x10100000L
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void *from_d, int idx, long argl, void *argp) {
+ #else
+diff -up stunnel-5.56/src/verify.c.verify-chain stunnel-5.56/src/verify.c
+--- stunnel-5.56/src/verify.c.verify-chain 2021-02-17 00:37:11.577806692 +0100
++++ stunnel-5.56/src/verify.c 2021-02-17 00:37:42.542118546 +0100
+@@ -1,6 +1,6 @@
+ /*
+ * stunnel TLS offloading and load-balancing proxy
+- * Copyright (C) 1998-2019 Michal Trojnara
++ * Copyright (C) 1998-2020 Michal Trojnara
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+@@ -214,11 +214,15 @@ NOEXPORT int verify_callback(int preveri
+ s_log(LOG_INFO, "Certificate verification disabled");
+ return 1; /* accept */
+ }
+- if(verify_checks(c, preverify_ok, callback_ctx)) {
++ if(verify_checks(c, preverify_ok, callback_ctx))
++ return 1; /* accept */
++ if(c->opt->option.client || c->opt->protocol)
++ return 0; /* reject */
++ if(c->opt->redirect_addr.names) {
+ SSL_SESSION *sess=SSL_get1_session(c->ssl);
+ if(sess) {
+- int ok=SSL_SESSION_set_ex_data(sess, index_session_authenticated,
+- (void *)(-1));
++ int ok=SSL_SESSION_set_ex_data(sess,
++ index_session_authenticated, NULL);
+ SSL_SESSION_free(sess);
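Review bot: cb_new_auth now stamps every freshly created SSL_SESSION with the authenticated marker `(void *)(-1)` before any certificate has been examined, so correctness rests entirely on verify_callback reaching that session and clearing the marker on failure; a session object built without the verify callback running — I would expect ticket decryption or session deserialisation on resumption to create one that way, which this hunk does not show — would inherit the authenticated state and skip the redirect. Please confirm the resumption paths restore the NULL marker explicitly rather than relying on this default, and record the invariant on the callback, e.g. `/* sessions start authenticated; verify_callback clears the marker on any failed chain element, and resumed sessions must have it restored from the ticket, never defaulted */`. The CRYPTO_set_ex_data failure branch leaves the slot NULL, i.e. unauthenticated, which is the safe direction and deserves a word in the same comment. The `dh->p = p;` to `dh->p=p;` whitespace rewrites in the DH_set0_pqg hunk are unrelated to the CVE fix and only make the security change harder to audit in a backport; I would drop them. The cb_dup_addr definition the hunk ends on continues outside it.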
+ if(!ok) {
+ sslerror("SSL_SESSION_set_ex_data");
+@@ -227,10 +231,6 @@ NOEXPORT int verify_callback(int preveri
+ }
+ return 1; /* accept */
+ }
+- if(c->opt->option.client || c->opt->protocol)
+- return 0; /* reject */
+- if(c->opt->redirect_addr.names)
+- return 1; /* accept */
+ return 0; /* reject */
+ }
+
+diff -up stunnel-5.56/tests/recipes/028_redirect_chain.verify-chain stunnel-5.56/tests/recipes/028_redirect_chain
+--- stunnel-5.56/tests/recipes/028_redirect_chain.verify-chain 2021-02-17 00:38:44.823745781 +0100
++++ stunnel-5.56/tests/recipes/028_redirect_chain 2021-02-17 00:38:16.143456937 +0100
+@@ -0,0 +1,50 @@
++#!/bin/sh
++
++# Redirect TLS client connections on certificate-based authentication failures.
++# [client_1] -> [server_1] -> [client_2] -> [server_2]
++# The success is expected because the client presents the *wrong* certificate
++# and the client connection is redirected.
++# Checking if the verifyChain option verifies the peer certificate starting from the root CA.
++
++. $(dirname $0)/../test_library
++
++start() {
++ ../../src/stunnel -fd 0 <> "stderr.log"
++exit $?
+diff -up stunnel-5.56/tests/recipes/029_no_redirect_chain.verify-chain stunnel-5.56/tests/recipes/029_no_redirect_chain
+--- stunnel-5.56/tests/recipes/029_no_redirect_chain.verify-chain 2021-02-17 00:38:57.819876672 +0100
++++ stunnel-5.56/tests/recipes/029_no_redirect_chain 2021-02-17 00:38:24.895545080 +0100
+@@ -0,0 +1,49 @@
++#!/bin/sh
++
++# Do not redirect TLS client connections on certificate-based authentication success.
++# [client_1] -> [server_1]
++# The success is expected because the client presents the *correct* certificate
++# and the client connection isn't redirected.
++# Checking if the verifyChain option verifies the peer certificate starting from the root CA.
++
++. $(dirname $0)/../test_library
++
++start() {
++ ../../src/stunnel -fd 0 <> "stderr.log"
++exit $?
diff --git a/SPECS/stunnel.spec b/SPECS/stunnel.spec
index bc7a8f5..8b55caa
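Review bot: In the new failure branch of verify_callback, `SSL_get1_session` returning NULL skips the marker reset inside `if(sess)` and still falls through to `return 1; /* accept */`, and because every session is now pre-marked authenticated at creation that path fails open, whereas the old code in the same situation never set the marker and the connection was redirected. Fail closed when there is nothing to mark: `if(!sess) return 0; /* no session to flag as unauthenticated */`. Under verifyChain this callback runs once per chain element, so the NULL written here has to survive later, successful invocations; it does, since the only write of -1 is at session creation, but a one-line comment above the `SSL_SESSION_set_ex_data` call stating that the marker is sticky once cleared would save the next reader the same analysis. The `if(!ok)` branch continues into the second hunk and what it returns after `sslerror` is not visible here; if it does not return 0, the same fail-open concern applies to the set_ex_data failure case.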
--- a/SPECS/stunnel.spec
+++ b/SPECS/stunnel.spec
@@ -10,7 +10,7 @@ Summary: A TLS-encrypting socket wrapper
 Name: stunnel
 Version: 5.56
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2
 Group: Applications/Internet
 URL: http://www.stunnel.org/
@@ -28,6 +28,7 @@ Patch3: stunnel-5.56-system-ciphers.patch
 Patch4: stunnel-5.56-coverity.patch
 Patch5: stunnel-5.56-default-tls-version.patch
 Patch6: stunnel-5.56-curves-doc-update.patch
+Patch7: stunnel-5.56-verify-chain.patch
 # util-linux is needed for rename
 BuildRequires: gcc
 BuildRequires: openssl-devel, pkgconfig, util-linux
@@ -56,6 +57,7 @@ conjunction with imapd to create a TLS secure IMAP server.
 %patch4 -p1 -b .coverity
 %patch5 -p1 -b .default-tls-version
 %patch6 -p1 -b .curves-doc-update
+%patch7 -p1 -b .verify-chain
 # Fix the configure script output for FIPS mode and stack protector flag
 sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure
@@ -101,8 +103,6 @@ cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service
 # For unknown reason the 042_inetd test fails in Brew. The failure is not reproducible
 # in Fedora or normal RHEL-8 install.
 rm tests/recipes/042_inetd
-# For unknown reason the 050_ticket_secrets test fails on i686.
-rm tests/recipes/050_ticket_secrets
 # We override the security policy as it is too strict for the tests.
 OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
 export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
@@ -143,6 +143,10 @@ make test
 %systemd_postun_with_restart %{name}.service
 %changelog
+* Tue Feb 16 2021 Sahana Prasad - 5.56-5
+- Fix CVE-2021-20230 stunnel: client certificate not
+ correctly verified when redirect and verifyChain options are used.
+
 * Thu Apr 16 2020 Sahana Prasad - 5.56-4
 - Updates documentation to specify that the option "curves" can be used in server mode only.