diff --git a/SOURCES/stunnel-5.62-openssl3-error-handling.patch b/SOURCES/stunnel-5.62-openssl3-error-handling.patch new file mode 100644 index 0000000..b8c26ff --- /dev/null +++ b/SOURCES/stunnel-5.62-openssl3-error-handling.patch @@ -0,0 +1,140 @@ +From 6baa5762ea5edb192ec003333d62b1d0e56509bf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20Trojnara?= +Date: Sun, 11 Sep 2022 23:52:18 +0200 +Subject: [PATCH] stunnel-5.66 + +--- + src/common.h | 6 +++++- + src/ctx.c | 58 +++++++++++++++++++++++++++++++++++++++++++--------- + 2 files changed, 53 insertions(+), 11 deletions(-) + +diff --git a/src/common.h b/src/common.h +index bc37eb5..997e66e 100644 +--- a/src/common.h ++++ b/src/common.h +@@ -491,7 +491,7 @@ extern char *sys_errlist[]; + #include + #if OPENSSL_VERSION_NUMBER<0x10100000L + int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); +-#endif /* OpenSSL older than 1.1.0 */ ++#endif /* OPENSSL_VERSION_NUMBER<0x10100000L */ + #endif /* !defined(OPENSSL_NO_DH) */ + #ifndef OPENSSL_NO_ENGINE + #include +@@ -503,8 +503,12 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); + /* not defined in public headers before OpenSSL 0.9.8 */ + STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void); + #endif /* !defined(OPENSSL_NO_COMP) */ ++#if OPENSSL_VERSION_NUMBER>=0x10101000L ++#include ++#endif /* OPENSSL_VERSION_NUMBER>=0x10101000L */ + #if OPENSSL_VERSION_NUMBER>=0x30000000L + #include ++#include + #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */ + + #ifndef OPENSSL_VERSION +diff --git a/src/ctx.c b/src/ctx.c +index a2202b7..cc0806c 100644 +--- a/src/ctx.c ++++ b/src/ctx.c +@@ -1001,30 +1001,41 @@ NOEXPORT int ui_retry() { + unsigned long err=ERR_peek_error(); + + switch(ERR_GET_LIB(err)) { +- case ERR_LIB_ASN1: +- return 1; +- case ERR_LIB_PKCS12: ++ case ERR_LIB_EVP: /* 6 */ + switch(ERR_GET_REASON(err)) { +- case PKCS12_R_MAC_VERIFY_FAILURE: ++ case EVP_R_BAD_DECRYPT: + return 1; + default: ++ s_log(LOG_ERR, "Unhandled ERR_LIB_EVP error reason: %d", ++ ERR_GET_REASON(err)); + return 0; + } +- case ERR_LIB_EVP: ++ case ERR_LIB_PEM: /* 9 */ + switch(ERR_GET_REASON(err)) { +- case EVP_R_BAD_DECRYPT: ++ case PEM_R_BAD_PASSWORD_READ: ++ case PEM_R_BAD_DECRYPT: + return 1; + default: ++ s_log(LOG_ERR, "Unhandled ERR_LIB_PEM error reason: %d", ++ ERR_GET_REASON(err)); + return 0; + } +- case ERR_LIB_PEM: ++ case ERR_LIB_ASN1: /* 13 */ ++ return 1; ++ case ERR_LIB_PKCS12: /* 35 */ + switch(ERR_GET_REASON(err)) { +- case PEM_R_BAD_PASSWORD_READ: ++ case PKCS12_R_MAC_VERIFY_FAILURE: + return 1; + default: ++ s_log(LOG_ERR, "Unhandled ERR_LIB_PKCS12 error reason: %d", ++ ERR_GET_REASON(err)); + return 0; + } +- case ERR_LIB_UI: ++#ifdef ERR_LIB_DSO /* 37 */ ++ case ERR_LIB_DSO: ++ return 1; ++#endif ++ case ERR_LIB_UI: /* 40 */ + switch(ERR_GET_REASON(err)) { + case UI_R_RESULT_TOO_LARGE: + case UI_R_RESULT_TOO_SMALL: +@@ -1033,17 +1044,44 @@ NOEXPORT int ui_retry() { + #endif + return 1; + default: ++ s_log(LOG_ERR, "Unhandled ERR_LIB_UI error reason: %d", ++ ERR_GET_REASON(err)); ++ return 0; ++ } ++#ifdef ERR_LIB_OSSL_STORE ++ case ERR_LIB_OSSL_STORE: /* 44 - added in OpenSSL 1.1.1 */ ++ switch(ERR_GET_REASON(err)) { ++ case OSSL_STORE_R_BAD_PASSWORD_READ: ++ return 1; ++ default: ++ s_log(LOG_ERR, "Unhandled ERR_LIB_OSSL_STORE error reason: %d", ++ ERR_GET_REASON(err)); ++ return 0; ++ } ++#endif ++#ifdef ERR_LIB_PROV ++ case ERR_LIB_PROV: /* 57 - added in OpenSSL 3.0 */ ++ switch(ERR_GET_REASON(err)) { ++ case PROV_R_BAD_DECRYPT: ++ return 1; ++ default: ++ s_log(LOG_ERR, "Unhandled ERR_LIB_PROV error reason: %d", ++ ERR_GET_REASON(err)); + return 0; + } +- case ERR_LIB_USER: /* PKCS#11 hacks */ ++#endif ++ case ERR_LIB_USER: /* 128 - PKCS#11 hacks */ + switch(ERR_GET_REASON(err)) { + case 7UL: /* CKR_ARGUMENTS_BAD */ + case 0xa0UL: /* CKR_PIN_INCORRECT */ + return 1; + default: ++ s_log(LOG_ERR, "Unhandled ERR_LIB_USER error reason: %d", ++ ERR_GET_REASON(err)); + return 0; + } + default: ++ s_log(LOG_ERR, "Unhandled error library: %d", ERR_GET_LIB(err)); + return 0; + } + } +-- +2.38.1 + diff --git a/SPECS/stunnel.spec b/SPECS/stunnel.spec index b2a3fd4..63f6834 100644 --- a/SPECS/stunnel.spec +++ b/SPECS/stunnel.spec @@ -10,7 +10,7 @@ Summary: A TLS-encrypting socket wrapper Name: stunnel Version: 5.62 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2 URL: https://www.stunnel.org/ Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz @@ -29,6 +29,7 @@ Patch5: stunnel-5.61-default-tls-version.patch Patch6: stunnel-5.56-curves-doc-update.patch Patch7: stunnel-5.61-openssl30-fips.patch Patch8: stunnel-5.62-disabled-curves.patch +Patch9: stunnel-5.62-openssl3-error-handling.patch # util-linux is needed for rename BuildRequires: make BuildRequires: gcc @@ -61,6 +62,7 @@ conjunction with imapd to create a TLS secure IMAP server. %patch6 -p1 -b .curves-doc-update %patch7 -p1 -b .openssl30-fips %patch8 -p1 -b .disabled-curves +%patch9 -p1 -b .openssl3-error-handling # Fix the stack protector flag sed -i 's/-fstack-protector/-fstack-protector-strong/' configure @@ -142,6 +144,10 @@ fi %systemd_postun_with_restart %{name}.service %changelog +* Thu Dec 08 2022 Clemens Lang - 5.62-3 +- Fix use of encrypted key files and password retry with OpenSSL 3 + Resolves: rhbz#2151888 + * Fri Feb 04 2022 Clemens Lang - 5.62-2 - Fix stunnel in FIPS mode Resolves: rhbz#2050617