diff --git a/.gitignore b/.gitignore index fdea1fe..413edf9 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/stunnel-5.48.tar.gz +SOURCES/stunnel-5.56.tar.gz diff --git a/.stunnel.metadata b/.stunnel.metadata index 00869cd..01414ab 100644 --- a/.stunnel.metadata +++ b/.stunnel.metadata @@ -1 +1 @@ -8e8576abf9b143c7ef1b7390c35b46c4cf878ca0 SOURCES/stunnel-5.48.tar.gz +a7fa3fb55d698f50f3d54e4fc08588a119f21cad SOURCES/stunnel-5.56.tar.gz diff --git a/SOURCES/stunnel-5.40-authpriv.patch b/SOURCES/stunnel-5.40-authpriv.patch deleted file mode 100644 index 4100df5..0000000 --- a/SOURCES/stunnel-5.40-authpriv.patch +++ /dev/null @@ -1,56 +0,0 @@ -diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in -index a00cc78..85a0123 100644 ---- a/doc/stunnel.8.in -+++ b/doc/stunnel.8.in -@@ -204,7 +204,7 @@ info (6), or debug (7). All logs for the specified level and - all levels numerically less than it will be shown. Use \fIdebug = debug\fR or - \&\fIdebug = 7\fR for greatest debugging output. The default is notice (5). - .Sp --The syslog facility 'daemon' will be used unless a facility name is supplied. -+The syslog facility 'authpriv' will be used unless a facility name is supplied. - (Facilities are not supported on Win32.) - .Sp - Case is ignored for both facilities and levels. -diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in -index b7a0663..6bb01cd 100644 ---- a/doc/stunnel.html.in -+++ b/doc/stunnel.html.in -@@ -244,7 +244,7 @@ - -

Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use debug = debug or debug = 7 for greatest debugging output. The default is notice (5).

- --

The syslog facility 'daemon' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)

-+

The syslog facility 'authpriv' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)

- -

Case is ignored for both facilities and levels.

- -diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in -index 42d3a33..3806b5a 100644 ---- a/doc/stunnel.pod.in -+++ b/doc/stunnel.pod.in -@@ -192,7 +192,7 @@ info (6), or debug (7). All logs for the specified level and - all levels numerically less than it will be shown. Use I or - I for greatest debugging output. The default is notice (5). - --The syslog facility 'daemon' will be used unless a facility name is supplied. -+The syslog facility 'authpriv' will be used unless a facility name is supplied. - (Facilities are not supported on Win32.) - - Case is ignored for both facilities and levels. -diff --git a/src/options.c b/src/options.c -index 5881486..345d274 100644 ---- a/src/options.c -+++ b/src/options.c -@@ -1554,8 +1554,12 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, - case CMD_BEGIN: - section->log_level=LOG_NOTICE; - #if !defined (USE_WIN32) && !defined (__vms) -+#if defined(LOG_AUTHPRIV) -+ new_global_options.log_facility=LOG_AUTHPRIV; -+#else - new_global_options.log_facility=LOG_DAEMON; - #endif -+#endif - break; - case CMD_EXEC: - if(strcasecmp(opt, "debug")) diff --git a/SOURCES/stunnel-5.40-systemd-service.patch b/SOURCES/stunnel-5.40-systemd-service.patch deleted file mode 100644 index 10ad1bb..0000000 --- a/SOURCES/stunnel-5.40-systemd-service.patch +++ /dev/null @@ -1,17 +0,0 @@ -diff --git a/tools/stunnel.service.in b/tools/stunnel.service.in -index 53ad3e7..620a0e7 100644 ---- a/tools/stunnel.service.in -+++ b/tools/stunnel.service.in -@@ -1,10 +1,11 @@ - [Unit] - Description=TLS tunnel for network daemons --After=syslog.target -+After=syslog.target network.target - - [Service] - ExecStart=@bindir@/stunnel - Type=forking -+PrivateTmp=true - - [Install] - WantedBy=multi-user.target diff --git a/SOURCES/stunnel-5.46-system-ciphers.patch b/SOURCES/stunnel-5.46-system-ciphers.patch deleted file mode 100644 index 869c162..0000000 --- a/SOURCES/stunnel-5.46-system-ciphers.patch +++ /dev/null 
@@ -1,12 +0,0 @@ -diff -up stunnel-5.46/src/options.c.system-ciphers stunnel-5.46/src/options.c ---- stunnel-5.46/src/options.c.system-ciphers 2018-05-29 08:58:03.601089886 +0200 -+++ stunnel-5.46/src/options.c 2018-05-29 08:59:00.880244728 +0200 -@@ -252,7 +252,7 @@ static char *option_not_found= - "Specified option name is not valid here"; - - static char *stunnel_cipher_list= -- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK"; -+ "PROFILE=SYSTEM"; - - /**************************************** parse commandline parameters */ - diff --git a/SOURCES/stunnel-5.48-coverity.patch b/SOURCES/stunnel-5.48-coverity.patch deleted file mode 100644 index 7d2f63f..0000000 --- a/SOURCES/stunnel-5.48-coverity.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -diff -up stunnel-5.48/src/file.c.coverity stunnel-5.48/src/file.c ---- stunnel-5.48/src/file.c.coverity 2018-04-06 16:25:10.000000000 +0200 -+++ stunnel-5.48/src/file.c 2018-09-04 17:24:08.948928882 +0200 -@@ -120,7 +120,7 @@ DISK_FILE *file_open(char *name, FILE_MO - return NULL; - - /* setup df structure */ -- df=str_alloc(sizeof df); -+ df=str_alloc(sizeof *df); - df->fd=fd; - return df; - } -diff -up stunnel-5.48/src/options.c.coverity stunnel-5.48/src/options.c ---- stunnel-5.48/src/options.c.coverity 2018-09-04 17:24:08.946928836 +0200 -+++ stunnel-5.48/src/options.c 2018-09-04 18:47:03.135083884 +0200 -@@ -515,8 +515,7 @@ NOEXPORT int options_include(char *direc - "%s/%s", - #endif - directory, namelist[i]->d_name); -- stat(name, &sb); -- if(S_ISREG(sb.st_mode)) -+ if(stat(name, &sb) == 0 && S_ISREG(sb.st_mode)) - err=options_file(name, CONF_FILE, section); - else - s_log(LOG_DEBUG, "\"%s\" is not a file", name); -@@ -3773,6 +3772,7 @@ NOEXPORT PSK_KEYS *psk_dup(PSK_KEYS *src - else - head=curr; - tail=curr; -+ src=src->next; - } - return head; - } -diff -up stunnel-5.48/src/str.c.coverity stunnel-5.48/src/str.c ---- stunnel-5.48/src/str.c.coverity 2018-07-02 23:30:10.000000000 +0200 -+++ stunnel-5.48/src/str.c 2018-09-04 17:24:08.949928906 +0200 -@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va - for(;;) { - va_copy(ap, start_ap); - n=vsnprintf(p, size, format, ap); -+ va_end(ap); - if(n>-1 && n<(int)size) - return p; - if(n>-1) /* glibc 2.1 */ -diff -up stunnel-5.48/src/stunnel.c.coverity stunnel-5.48/src/stunnel.c ---- stunnel-5.48/src/stunnel.c.coverity 2018-07-02 23:30:10.000000000 +0200 -+++ stunnel-5.48/src/stunnel.c 2018-09-04 17:24:08.949928906 +0200 -@@ -364,7 +364,6 @@ NOEXPORT int accept_connection(SERVICE_O - #endif - if(create_client(fd, s, alloc_client_session(opt, s, s))) { - s_log(LOG_ERR, "Connection rejected: create_client failed"); -- closesocket(s); - #ifndef USE_FORK - service_free(opt); - #endif 
diff --git a/SOURCES/stunnel-5.48-failover-crash.patch b/SOURCES/stunnel-5.48-failover-crash.patch deleted file mode 100644 index 87f25f7..0000000 --- a/SOURCES/stunnel-5.48-failover-crash.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -diff -up stunnel-5.48/src/client.c.failover-crash stunnel-5.48/src/client.c ---- stunnel-5.48/src/client.c.failover-crash 2018-07-02 23:30:10.000000000 +0200 -+++ stunnel-5.48/src/client.c 2019-04-03 08:53:22.350538002 +0200 -@@ -1431,10 +1431,14 @@ NOEXPORT void idx_cache_save(SSL_SESSION - - CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_ADDR]); - old_addr=SSL_SESSION_get_ex_data(sess, index_session_connect_address); -- /* we can safely ignore the SSL_SESSION_set_ex_data() failure */ -- SSL_SESSION_set_ex_data(sess, index_session_connect_address, new_addr); -- CRYPTO_THREAD_unlock(stunnel_locks[LOCK_ADDR]); -- str_free(old_addr); /* NULL pointers are ignored */ -+ if(SSL_SESSION_set_ex_data(sess, index_session_connect_address, new_addr)) { -+ CRYPTO_THREAD_unlock(stunnel_locks[LOCK_ADDR]); -+ str_free(old_addr); /* NULL pointers are ignored */ -+ } else { /* failed to store new_addr -> remove it */ -+ sslerror("SSL_SESSION_set_ex_data"); -+ CRYPTO_THREAD_unlock(stunnel_locks[LOCK_ADDR]); -+ str_free(new_addr); /* NULL pointers are ignored */ -+ } - } - - NOEXPORT unsigned idx_cache_retrieve(CLI *c) { -diff -up stunnel-5.48/src/ssl.c.failover-crash stunnel-5.48/src/ssl.c ---- stunnel-5.48/src/ssl.c.failover-crash 2018-04-06 16:25:10.000000000 +0200 -+++ stunnel-5.48/src/ssl.c 2019-04-03 09:07:05.586306038 +0200 -@@ -39,7 +39,14 @@ - #include "prototypes.h" - - /* global OpenSSL initialization: compression, engine, entropy */ --NOEXPORT void cb_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, -+#if OPENSSL_VERSION_NUMBER>=0x10100000L -+NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from, -+ void *from_d, int idx, long argl, void *argp); -+#else -+NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, -+ void *from_d, int idx, long argl, void *argp); -+#endif -+NOEXPORT void cb_free_addr(void *parent, void *ptr, CRYPTO_EX_DATA *ad, - int idx, long argl, void *argp); - #ifndef OPENSSL_NO_COMP - NOEXPORT int 
compression_init(GLOBAL_OPTIONS *); -@@ -67,7 +74,7 @@ int ssl_init(void) { /* init TLS before - index_session_authenticated=SSL_SESSION_get_ex_new_index(0, - "session authenticated", NULL, NULL, NULL); - index_session_connect_address=SSL_SESSION_get_ex_new_index(0, -- "session connect address", NULL, NULL, cb_free); -+ "session connect address", NULL, cb_dup_addr, cb_free_addr); - if(index_ssl_cli<0 || index_ssl_ctx_opt<0 || - index_session_authenticated<0 || - index_session_connect_address<0) { -@@ -107,7 +114,31 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNU - #endif - #endif - --NOEXPORT void cb_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, -+#if OPENSSL_VERSION_NUMBER>=0x10100000L -+NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from, -+ void *from_d, int idx, long argl, void *argp) { -+#else -+NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, -+ void *from_d, int idx, long argl, void *argp) { -+#endif -+ SOCKADDR_UNION *src, *dst; -+ socklen_t len; -+ -+ (void)to; /* squash the unused parameter warning */ -+ (void)from; /* squash the unused parameter warning */ -+ (void)idx; /* squash the unused parameter warning */ -+ (void)argl; /* squash the unused parameter warning */ -+ s_log(LOG_DEBUG, "Duplicating application specific data for %s", -+ (char *)argp); -+ src=*(void **)from_d; -+ len=addr_len(src); -+ dst=str_alloc_detached((size_t)len); -+ memcpy(dst, src, (size_t)len); -+ *(void **)from_d=dst; -+ return 1; -+} -+ -+NOEXPORT void cb_free_addr(void *parent, void *ptr, CRYPTO_EX_DATA *ad, - int idx, long argl, void *argp) { - (void)parent; /* squash the unused parameter warning */ - (void)ad; /* squash the unused parameter warning */ diff --git a/SOURCES/stunnel-5.48.tar.gz.asc b/SOURCES/stunnel-5.48.tar.gz.asc deleted file mode 100644 index 86a5b06..0000000 --- a/SOURCES/stunnel-5.48.tar.gz.asc +++ /dev/null 
@@ -1,18 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAls6m2RfFIAAAAAALgAo -aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC -QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW -4BTksRAAiWO5DWBpHrnDKy1jon+4lG/OPHe92nWxc6yH2HVeB064tXYeXYjRnnR4 -mItaO4wCJICd94+5EUO6DUfut4+7SIAWNPUnZd5OgFkgmGd0YEF6tEfM9z6BhMc3 -T8ZwKCP/hhU5oxqQyDO/esk2+Opps5ddsQLx84iUsylFwq8gK8BkVZrx2yLBX/fz -wGpP1YnxLdx+rQQx/BkHd52nQAR3gqrGcZtMgchhTBsfZ4jgnr4Xr4XgXJPfe0Di -xGCD7/sy+N8sNu4S6RER4qNV6PLBcZ6Bjp+VqMpODdoXlD0EQXundgbrg8Nuq8HR -TTbL1pItHo0vy5QetFILJqlrdLw3sIG5Wy1+k87X485DKhJuvZqU0nKixYmaujB9 -as1YNccDb2FwF7Rzq4hF1J0IwYUsyfgbd58k1VdmtPp5TSUyd1lp+tpX0tEJePk6 -g1X3NecNVbw8p66gPiUadlTYkkUQdqDHnGxD9EKG7BwRE8lPR5CTJD1w8xEOzLMw -tVKSBgcHeIA7Sn9mJtOFOJ7Y+aUccMIliprgk34P3+4bFFBxLQaRQycfLVIyRy4t -3QRk+vsMxfuAVainN/yVU7hCtiL09ZHm3g8AnDZFKmtZzYcBbb24RWhONt0bz9j1 -fnYKvguL78ptBpsmPmXjwBY+qxmJx4LAWFxE7TUgqsaASJYWSH4= -=KMsG ------END PGP SIGNATURE----- diff --git a/SOURCES/stunnel-5.50-authpriv.patch b/SOURCES/stunnel-5.50-authpriv.patch new file mode 100644 index 0000000..13c1e9c --- /dev/null +++ b/SOURCES/stunnel-5.50-authpriv.patch 
@@ -0,0 +1,52 @@ +diff -up stunnel-5.50/doc/stunnel.8.in.authpriv stunnel-5.50/doc/stunnel.8.in +--- stunnel-5.50/doc/stunnel.8.in.authpriv 2018-12-02 23:47:20.000000000 +0100 ++++ stunnel-5.50/doc/stunnel.8.in 2019-01-14 12:15:05.135100163 +0100 +@@ -200,7 +200,7 @@ info (6), or debug (7). All logs for th + all levels numerically less than it will be shown. Use \fIdebug = debug\fR or + \&\fIdebug = 7\fR for greatest debugging output. The default is notice (5). + .Sp +-The syslog facility 'daemon' will be used unless a facility name is supplied. ++The syslog facility 'authpriv' will be used unless a facility name is supplied. + (Facilities are not supported on Win32.) + .Sp + Case is ignored for both facilities and levels. +diff -up stunnel-5.50/doc/stunnel.html.in.authpriv stunnel-5.50/doc/stunnel.html.in +--- stunnel-5.50/doc/stunnel.html.in.authpriv 2018-12-02 23:47:21.000000000 +0100 ++++ stunnel-5.50/doc/stunnel.html.in 2019-01-14 12:15:05.136100146 +0100 +@@ -244,7 +244,7 @@ + +

Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use debug = debug or debug = 7 for greatest debugging output. The default is notice (5).

+ +-

The syslog facility 'daemon' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)

++

The syslog facility 'authpriv' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)

+ +

Case is ignored for both facilities and levels.

+ +diff -up stunnel-5.50/doc/stunnel.pod.in.authpriv stunnel-5.50/doc/stunnel.pod.in +--- stunnel-5.50/doc/stunnel.pod.in.authpriv 2018-12-02 23:47:18.000000000 +0100 ++++ stunnel-5.50/doc/stunnel.pod.in 2019-01-14 12:15:05.136100146 +0100 +@@ -192,7 +192,7 @@ info (6), or debug (7). All logs for th + all levels numerically less than it will be shown. Use I or + I for greatest debugging output. The default is notice (5). + +-The syslog facility 'daemon' will be used unless a facility name is supplied. ++The syslog facility 'authpriv' will be used unless a facility name is supplied. + (Facilities are not supported on Win32.) + + Case is ignored for both facilities and levels. +diff -up stunnel-5.50/src/options.c.authpriv stunnel-5.50/src/options.c +--- stunnel-5.50/src/options.c.authpriv 2019-01-14 12:15:05.136100146 +0100 ++++ stunnel-5.50/src/options.c 2019-01-14 12:16:25.537727511 +0100 +@@ -1745,8 +1745,12 @@ NOEXPORT char *parse_service_option(CMD + case CMD_SET_DEFAULTS: + section->log_level=LOG_NOTICE; + #if !defined (USE_WIN32) && !defined (__vms) ++#if defined(LOG_AUTHPRIV) ++ new_global_options.log_facility=LOG_AUTHPRIV; ++#else + new_global_options.log_facility=LOG_DAEMON; + #endif ++#endif + break; + case CMD_SET_COPY: + section->log_level=new_service_options.log_level; diff --git a/SOURCES/stunnel-5.50-systemd-service.patch b/SOURCES/stunnel-5.50-systemd-service.patch new file mode 100644 index 0000000..9fc170b --- /dev/null +++ b/SOURCES/stunnel-5.50-systemd-service.patch @@ -0,0 +1,11 @@ +diff -up stunnel-5.50/tools/stunnel.service.in.systemd-service stunnel-5.50/tools/stunnel.service.in +--- stunnel-5.50/tools/stunnel.service.in.systemd-service 2019-01-14 12:17:15.826868965 +0100 ++++ stunnel-5.50/tools/stunnel.service.in 2019-01-14 12:18:21.186753131 +0100 +@@ -5,6 +5,7 @@ After=syslog.target network.target + [Service] + ExecStart=@bindir@/stunnel + Type=forking ++PrivateTmp=true + + [Install] + WantedBy=multi-user.target 
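Review bot: The sandboxing in the rebased unit patch stops at `PrivateTmp=true` in the `[Service]` section of tools/stunnel.service.in, which only isolates /tmp and /var/tmp; since stunnel is normally started as root and drops privileges only when the configuration asks for it, a reviewer would expect the read-only-filesystem directives alongside it, e.g. `ProtectSystem=full` and `ProtectHome=true`. Those can interact with configurations that `chroot` or keep certificates under /home, and nothing on this page shows what the shipped sample configs do, so treat them as a proposal to test rather than a drop-in change. A one-line comment in the patch (`# PrivateTmp: stunnel's pid/socket files must not live in a shared /tmp`) would also record why the directive was added downstream.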
diff --git a/SOURCES/stunnel-5.56-coverity.patch b/SOURCES/stunnel-5.56-coverity.patch new file mode 100644 index 0000000..526f7f0 --- /dev/null +++ b/SOURCES/stunnel-5.56-coverity.patch @@ -0,0 +1,22 @@ +diff -up stunnel-5.48/src/str.c.coverity stunnel-5.48/src/str.c +--- stunnel-5.48/src/str.c.coverity 2018-07-02 23:30:10.000000000 +0200 ++++ stunnel-5.48/src/str.c 2018-09-04 17:24:08.949928906 +0200 +@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va + for(;;) { + va_copy(ap, start_ap); + n=vsnprintf(p, size, format, ap); ++ va_end(ap); + if(n>-1 && n<(int)size) + return p; + if(n>-1) /* glibc 2.1 */ +diff -up stunnel-5.48/src/stunnel.c.coverity stunnel-5.48/src/stunnel.c +--- stunnel-5.48/src/stunnel.c.coverity 2018-07-02 23:30:10.000000000 +0200 ++++ stunnel-5.48/src/stunnel.c 2018-09-04 17:24:08.949928906 +0200 +@@ -364,7 +364,6 @@ NOEXPORT int accept_connection(SERVICE_O + #endif + if(create_client(fd, s, alloc_client_session(opt, s, s))) { + s_log(LOG_ERR, "Connection rejected: create_client failed"); +- closesocket(s); + #ifndef USE_FORK + service_free(opt); + #endif diff --git a/SOURCES/stunnel-5.56-curves-doc-update.patch b/SOURCES/stunnel-5.56-curves-doc-update.patch new file mode 100644 index 0000000..84a01a3 --- /dev/null +++ b/SOURCES/stunnel-5.56-curves-doc-update.patch 
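Review bot: The rebased coverity patch still carries `stunnel-5.48/src/str.c` and `stunnel-5.48/src/stunnel.c` in its `---`/`+++` headers with 2018 timestamps although the spec applies it to the 5.56 tree; `%patch4 -p1` strips that first path component so it applies, but the stale headers make the patch look unrefreshed and would mislead anyone diffing it against upstream, so regenerate them as `stunnel-5.56/src/...`. Compared with the deleted 5.48 version, the `file.c` `sizeof *df` fix, the `options.c` `stat()` return-value check and the `psk_dup` `src=src->next` advance are gone; presumably they landed upstream between 5.48 and 5.56, but nothing on this page confirms it, and the changelog should say so. The surviving `closesocket(s)` removal in `accept_connection` is a double-close fix only if `create_client` takes ownership of `s` and closes it on failure, which is outside the hunk; `accept_connection` continues past the hunk's end.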
@@ -0,0 +1,66 @@ +--- stunnel-5.56/doc/stunnel.8.in.curves-doc-update 2020-04-16 17:12:48.171590017 +0200 ++++ stunnel-5.56/doc/stunnel.8.in 2020-04-16 17:16:07.001603122 +0200 +@@ -473,6 +473,8 @@ This file contains multiple CRLs, used w + .IX Item "curves = list" + \&\s-1ECDH\s0 curves separated with ':' + .Sp ++Note: This option is supported for server mode sockets only. ++.Sp + Only a single curve name is allowed for OpenSSL older than 1.1.0. + .Sp + To get a list of supported curves use: +--- stunnel-5.56/doc/stunnel.html.in.curves-doc-update 2020-04-16 17:13:25.664962696 +0200 ++++ stunnel-5.56/doc/stunnel.html.in 2020-04-16 17:16:55.897111302 +0200 +@@ -568,6 +568,8 @@ + +

ECDH curves separated with ':'

+ ++

Note: This option is supported for server mode sockets only.

++ +

Only a single curve name is allowed for OpenSSL older than 1.1.0.

+ +

To get a list of supported curves use:

+--- stunnel-5.56/doc/stunnel.pod.in.curves-doc-update 2020-04-16 17:13:43.412139122 +0200 ++++ stunnel-5.56/doc/stunnel.pod.in 2020-04-16 17:17:25.414418073 +0200 +@@ -499,6 +499,8 @@ I options. + + ECDH curves separated with ':' + ++Note: This option is supported for server mode sockets only. ++ + Only a single curve name is allowed for OpenSSL older than 1.1.0. + + To get a list of supported curves use: +--- stunnel-5.56/doc/stunnel.pl.pod.in.curves-doc-update 2020-04-16 17:25:22.631934496 +0200 ++++ stunnel-5.56/doc/stunnel.pl.pod.in 2020-04-16 17:47:46.872353210 +0200 +@@ -507,6 +507,8 @@ przez opcje I i Ikrzywe ECDH odddzielone ':'

+ ++

Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.

++ +

Wersje OpenSSL starsze niż 1.1.0 pozwalają na użycie tylko jednej krzywej.

+ +

Listę dostępnych krzywych można uzyskać poleceniem:

+--- stunnel-5.56/doc/stunnel.pl.8.in.curves-doc-update 2020-04-16 17:24:25.665369474 +0200 ++++ stunnel-5.56/doc/stunnel.pl.8.in 2020-04-16 17:45:14.141792786 +0200 +@@ -483,6 +483,8 @@ przez opcje \fIverifyChain\fR i \fIverif + .IX Item "curves = lista" + krzywe \s-1ECDH\s0 odddzielone ':' + .Sp ++Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera. ++.Sp + Wersje OpenSSL starsze niż 1.1.0 pozwalają na użycie tylko jednej krzywej. + .Sp + Listę dostępnych krzywych można uzyskać poleceniem: diff --git a/SOURCES/stunnel-5.56-default-tls-version.patch b/SOURCES/stunnel-5.56-default-tls-version.patch new file mode 100644 index 0000000..2515ee6 --- /dev/null +++ b/SOURCES/stunnel-5.56-default-tls-version.patch 
@@ -0,0 +1,92 @@ +--- stunnel-5.56/src/prototypes.h.default-tls-version 2020-04-06 11:22:24.480280384 +0200 ++++ stunnel-5.56/src/prototypes.h 2020-04-06 11:21:05.407597053 +0200 +@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE); + ICON_IMAGE load_icon_file(const char *); + #endif + ++#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL ++ crypto policies */ ++ + #endif /* defined PROTOTYPES_H */ + + /* end of prototypes.h */ +--- stunnel-5.56/src/options.c.default-tls-version 2020-04-06 18:58:48.947214149 +0200 ++++ stunnel-5.56/src/options.c 2020-04-08 15:45:18.093520780 +0200 +@@ -3123,8 +3123,9 @@ NOEXPORT char *parse_service_option(CMD + return "Invalid protocol version"; + return NULL; /* OK */ + case CMD_INITIALIZE: +- if(section->max_proto_version && section->min_proto_version && +- section->max_proto_versionmin_proto_version) ++ if(section->max_proto_version != USE_DEFAULT_TLS_VERSION ++ && section->min_proto_version != USE_DEFAULT_TLS_VERSION ++ && section->max_proto_versionmin_proto_version) + return "Invalid protocol version range"; + break; + case CMD_PRINT_DEFAULTS: +@@ -3142,7 +3143,10 @@ NOEXPORT char *parse_service_option(CMD + /* sslVersionMax */ + switch(cmd) { + case CMD_SET_DEFAULTS: +- section->max_proto_version=0; /* highest supported */ ++ section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in ++ OpenSSL crypto ++ policies.Do not ++ override it */ + break; + case CMD_SET_COPY: + section->max_proto_version=new_service_options.max_proto_version; +@@ -3173,7 +3177,10 @@ NOEXPORT char *parse_service_option(CMD + /* sslVersionMin */ + switch(cmd) { + case CMD_SET_DEFAULTS: +- section->min_proto_version=TLS1_VERSION; ++ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in ++ OpenSSL crypto ++ policies. 
Do not ++ override it */ + break; + case CMD_SET_COPY: + section->min_proto_version=new_service_options.min_proto_version; +--- stunnel-5.56/src/ctx.c.default-tls-version 2019-10-24 10:48:11.000000000 +0200 ++++ stunnel-5.56/src/ctx.c 2020-04-06 11:16:48.406406794 +0200 +@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio + section->ctx=SSL_CTX_new(TLS_client_method()); + else /* server mode */ + section->ctx=SSL_CTX_new(TLS_server_method()); +- if(!SSL_CTX_set_min_proto_version(section->ctx, +- section->min_proto_version)) { +- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", +- section->min_proto_version); +- return 1; /* FAILED */ ++ ++ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) { ++ s_log(LOG_INFO, "Using the default TLS version as specified in \ ++ OpenSSL crypto policies. Not setting explicitly."); ++ } else { ++ if(!SSL_CTX_set_min_proto_version(section->ctx, ++ section->min_proto_version)) { ++ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", ++ section->min_proto_version); ++ return 1; /* FAILED */ ++ } + } +- if(!SSL_CTX_set_max_proto_version(section->ctx, +- section->max_proto_version)) { +- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", +- section->max_proto_version); +- return 1; /* FAILED */ ++ ++ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) { ++ s_log(LOG_INFO, "Using the default TLS version as specified in \ ++ OpenSSL crypto policies. Not setting explicitly"); ++ } else { ++ if(!SSL_CTX_set_max_proto_version(section->ctx, ++ section->max_proto_version)) { ++ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", ++ section->max_proto_version); ++ return 1; /* FAILED */ ++ } + } + #else /* OPENSSL_VERSION_NUMBER<0x10100000L */ + if(section->option.client) diff --git a/SOURCES/stunnel-5.56-system-ciphers.patch b/SOURCES/stunnel-5.56-system-ciphers.patch new file mode 100644 index 0000000..de8679c --- /dev/null 
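Review bot: Both new `s_log(LOG_INFO, ...)` calls in `context_init` (ctx.c) continue the string literal with a backslash, so the indentation of the following line becomes part of the logged message, and the two messages are inconsistent (one ends with a period, one does not); use adjacent string literals instead. The reworked `CMD_INITIALIZE` range check in `parse_service_option` (options.c) replaces the old `max_proto_version && min_proto_version` guard with `!= USE_DEFAULT_TLS_VERSION`, so if the option parser can still yield 0 (the value the removed defaults used for "highest supported") an explicit `sslVersionMax` of 0 paired with an explicit `sslVersionMin` would now be rejected as "Invalid protocol version range"; a `> 0` guard excludes both sentinels. Dropping the explicit `TLS1_VERSION` floor means the effective minimum is now whatever the OpenSSL configuration (crypto-policies on RHEL) supplies, and on a build without such a policy only the library's compiled-in floor applies — that should be stated in the `sslVersionMin` man-page text, which this patch does not touch. Both `parse_service_option` and `context_init` extend beyond the hunks.
```c
/* options.c, parse_service_option */
    case CMD_INITIALIZE:
        /* 0 and USE_DEFAULT_TLS_VERSION both mean "not pinned by stunnel" */
        if(section->max_proto_version > 0 && section->min_proto_version > 0
                && section->max_proto_version < section->min_proto_version)
            return "Invalid protocol version range";
        break;
/* … unchanged: CMD_PRINT_DEFAULTS, sslVersionMax/sslVersionMin defaults … */

/* ctx.c, context_init */
    if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
        s_log(LOG_INFO, "Using the default minimum TLS version from the "
            "OpenSSL configuration (crypto policies); not setting it explicitly");
    } else {
/* … unchanged: SSL_CTX_set_min_proto_version and its error path … */
    }

    if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
        s_log(LOG_INFO, "Using the default maximum TLS version from the "
            "OpenSSL configuration (crypto policies); not setting it explicitly");
    } else {
/* … unchanged: SSL_CTX_set_max_proto_version and its error path … */
    }
```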
+++ b/SOURCES/stunnel-5.56-system-ciphers.patch @@ -0,0 +1,12 @@ +diff -up stunnel-5.55/src/options.c.system-ciphers stunnel-5.55/src/options.c +--- stunnel-5.55/src/options.c.system-ciphers 2019-09-19 14:43:00.631059024 +0200 ++++ stunnel-5.55/src/options.c 2019-09-19 14:51:02.120053849 +0200 +@@ -277,7 +277,7 @@ static char *option_not_found= + "Specified option name is not valid here"; + + static char *stunnel_cipher_list= +- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK"; ++ "PROFILE=SYSTEM"; + + #ifndef OPENSSL_NO_TLS1_3 + static char *stunnel_ciphersuites= diff --git a/SOURCES/stunnel-5.56.tar.gz.asc b/SOURCES/stunnel-5.56.tar.gz.asc new file mode 100644 index 0000000..6142f0f --- /dev/null +++ b/SOURCES/stunnel-5.56.tar.gz.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAl3YIPhfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC +QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW +4BTuMw//R+LJhCo2prR6RIxEsYbfzIwkl9NwcE5EPTKse2umTOHsMRfVMpZiKjCl +5UC1tLbqUzSjAydQiFwdvcHZAJLWblr84p+CC5hEaS/rwX4PL221gqqrC8Ut7ap3 +n/v5gCJ8iqnpgZSgHPSGqucG3x1KlZotPnny1RVIjCSHPvoUtocAwJNSChRkyUT0 +ym8qhUPyOmRhYQZew1haxFJa26yc017dN5QZy+H3uo0zPLXaWJpPjJG/1pBtden4 +mL+mg8phZZ9MtBtEOK2NTA+4K24vcM+aHoEyMI/dcmi4NN256N5CJZ13tF3LgHNV +j0vp1a75p5aAMeRTv7zShegZGvJJciyYJKwRnOAUnHVFDhnsgd05VQHeWC1aFKjM +cXwrvHgGn+TG0V29ahnzR7NdVhkuP3etcqx6FuIgcj2omp0Bj4zFRlKSl4x+hY56 +MTvwksIXZTItHvffiE49ExGPA8OQW3S9Sr+lPFk98xjVuTU/P8GIVNp2kof4ezYN +Yhav4mA/KAkMX0fb+Cw6eyZl0aZEPx76hhkKhh2OmR8w3k5X2hetGcXX1/UFEHCm +uNCvWwV5Ry6Kc8Zpr8p6fUOh0Se4cNi59c1FKEwMX1hTgLklbIZioiFM/fR0RLOJ +PU/Cq+NbaZ3O8Cup7PsVjCDgXTcKcQAdQTOxgfW6f+szmTo5Qx4= +=RhpX +-----END PGP SIGNATURE----- diff --git a/SPECS/stunnel.spec b/SPECS/stunnel.spec index a506a13..619dc00 100644 --- a/SPECS/stunnel.spec +++ b/SPECS/stunnel.spec 
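Review bot: `PROFILE=SYSTEM` as the compiled-in `stunnel_cipher_list` is only understood by an OpenSSL built with crypto-policies support; on any other OpenSSL `SSL_CTX_set_cipher_list` rejects the string and stunnel presumably fails to start unless `ciphers` is set explicitly, so the literal deserves a comment, e.g. `/* resolved by the system crypto policy; needs an OpenSSL built with PROFILE support */`. The TLS 1.3 `stunnel_ciphersuites` string visible just below the hunk keeps upstream's value, so if it is passed unconditionally to `SSL_CTX_set_ciphersuites` the system policy would govern TLS 1.2 and below but not TLS 1.3 — worth confirming in ctx.c, which is outside this patch. The patch headers also still name `stunnel-5.55` rather than the 5.56 tree the spec applies it to.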
@@ -9,8 +9,8 @@ Summary: A TLS-encrypting socket wrapper Name: stunnel -Version: 5.48 -Release: 5%{?dist}.0.1 +Version: 5.56 +Release: 4%{?dist} License: GPLv2 Group: Applications/Internet URL: http://www.stunnel.org/ @@ -22,12 +22,12 @@ Source4: stunnel-sfinger.conf Source5: pop3-redirect.xinetd Source6: stunnel-pop3s-client.conf Source7: stunnel@.service -Patch0: stunnel-5.40-authpriv.patch -Patch1: stunnel-5.40-systemd-service.patch -Patch3: stunnel-5.46-system-ciphers.patch -Patch4: stunnel-5.48-coverity.patch -Patch999: stunnel-5.48-failover-crash.patch - +Patch0: stunnel-5.50-authpriv.patch +Patch1: stunnel-5.50-systemd-service.patch +Patch3: stunnel-5.56-system-ciphers.patch +Patch4: stunnel-5.56-coverity.patch +Patch5: stunnel-5.56-default-tls-version.patch +Patch6: stunnel-5.56-curves-doc-update.patch # util-linux is needed for rename BuildRequires: gcc BuildRequires: openssl-devel, pkgconfig, util-linux @@ -54,7 +54,9 @@ conjunction with imapd to create a TLS secure IMAP server. %patch1 -p1 -b .systemd-service %patch3 -p1 -b .system-ciphers %patch4 -p1 -b .coverity -%patch999 -p1 -b .failover +%patch5 -p1 -b .default-tls-version +%patch6 -p1 -b .curves-doc-update + # Fix the configure script output for FIPS mode and stack protector flag sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure @@ -108,7 +110,7 @@ make test %files %{!?_licensedir:%global license %%doc} -%doc AUTHORS BUGS ChangeLog CREDITS PORTS README TODO +%doc AUTHORS.md BUGS.md CREDITS.md PORTS.md README.md TODO.md %doc tools/stunnel.conf-sample %doc srpm-docs/* %license COPY* 
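Review bot: The patch list drops `Patch999: stunnel-5.48-failover-crash.patch` and its `%patch999` line without any visible `%changelog` entry saying that the session-address duplication fix is now carried by upstream 5.56; if that is the reason, record it in the 5.56-1 entry, and if not, the fix needs rebasing rather than silent removal. The commit refreshes `stunnel-5.56.tar.gz.asc` and the lookaside SHA-1 in `.stunnel.metadata`, but none of the shown `%prep` lines runs a `%{gpgverify}`/`gpgv2` check against that signature; unless one exists outside this view, the detached signature is informational only and the tarball is pinned by the lookaside checksum alone. A comment above `Patch4` noting which of the old coverity hunks were taken upstream would also spare the next rebase from re-deriving it.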
@@ -139,8 +141,17 @@ make test %systemd_postun_with_restart %{name}.service %changelog -* Wed Apr 3 2019 Johnny Hughes - 5.48-5.0.1 -- fix RH bugzilla bug 1665899 +* Thu Apr 16 2020 Sahana Prasad - 5.56-4 +- Updates documentation to specify that the option "curves" can be used in server mode only. + +* Wed Apr 08 2020 Sahana Prasad - 5.56-3 +- Fixes default tls version patch to handle default values from OpenSSL crypto policies + +* Mon Apr 06 2020 Sahana Prasad - 5.56-2 +- Adds default tls version patch to comply with OpenSSL crypto policies + +* Fri Apr 03 2020 Sahana Prasad - 5.56-1 +- New upstream release 5.56 * Tue Sep 4 2018 Tomáš Mráz - 5.48-5 - Fix -fstack-protector-strong build flag application