diff --git a/.gitignore b/.gitignore index cad0b38..c3a8e75 100644 --- a/.gitignore +++ b/.gitignore @@ -118,3 +118,5 @@ stunnel-4.33.tar.gz.asc /stunnel-5.57.tar.gz.asc /stunnel-5.58.tar.gz /stunnel-5.58.tar.gz.asc +/stunnel-5.61.tar.gz +/stunnel-5.61.tar.gz.asc diff --git a/sources b/sources index 16495eb..81f4370 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (stunnel-5.58.tar.gz) = 6f62bf13bf53f174b2810ad6708a9dfdb70e9b4e2f60c0c9cf4df691169a63014901402ccbe2862010f4cee240c1a8eec34b70a7a3fcef36e7a2ca14a7f70ece -SHA512 (stunnel-5.58.tar.gz.asc) = 0deb4f521e3683b5f74afd0493ddd950193ffc30159b759a5eb5d0f8a4fb2cccacceb12e202b2abc963718ed44704415f53cc705f46656b96721013cc2f6747b +SHA512 (stunnel-5.61.tar.gz) = e228d21fb39bba0175684a70d7323ed839c689810fccb84e9140619b22a7ce91c0ac2a38107c3c52ac9652a02d10918d087459673382ea4d00df8b3ad3abe6cc +SHA512 (stunnel-5.61.tar.gz.asc) = ef7882d9a3a823f99edfa5c8ed8b44fa29a6b66d5ac02a5813b6addc98d1473dc02ff697631c3e4cb17292fd691832c12bb5b5675c87efe9e2be1fb2b668f23b diff --git a/stunnel-5.50-systemd-service.patch b/stunnel-5.50-systemd-service.patch deleted file mode 100644 index 9fc170b..0000000 --- a/stunnel-5.50-systemd-service.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -up stunnel-5.50/tools/stunnel.service.in.systemd-service stunnel-5.50/tools/stunnel.service.in ---- stunnel-5.50/tools/stunnel.service.in.systemd-service 2019-01-14 12:17:15.826868965 +0100 -+++ stunnel-5.50/tools/stunnel.service.in 2019-01-14 12:18:21.186753131 +0100 -@@ -5,6 +5,7 @@ After=syslog.target network.target - [Service] - ExecStart=@bindir@/stunnel - Type=forking -+PrivateTmp=true - - [Install] - WantedBy=multi-user.target diff --git a/stunnel-5.56-default-tls-version.patch b/stunnel-5.56-default-tls-version.patch deleted file mode 100644 index b66753e..0000000 --- a/stunnel-5.56-default-tls-version.patch +++ /dev/null @@ -1,92 +0,0 @@ ---- stunnel-5.56/src/prototypes.h.default-tls-version 2020-04-06 11:22:24.480280384 +0200 -+++ stunnel-5.56/src/prototypes.h 2020-04-06 11:21:05.407597053 +0200 -@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE); - ICON_IMAGE load_icon_file(const char *); - #endif - -+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL -+ crypto policies */ -+ - #endif /* defined PROTOTYPES_H */ - - /* end of prototypes.h */ ---- stunnel-5.56/src/options.c.default-tls-version 2020-04-06 18:58:48.947214149 +0200 -+++ stunnel-5.56/src/options.c 2020-04-08 15:45:18.093520780 +0200 -@@ -3123,8 +3123,9 @@ NOEXPORT char *parse_service_option(CMD - return "Invalid protocol version"; - return NULL; /* OK */ - case CMD_INITIALIZE: -- if(section->max_proto_version && section->min_proto_version && -- section->max_proto_versionmin_proto_version) -+ if(section->max_proto_version != USE_DEFAULT_TLS_VERSION -+ && section->min_proto_version != USE_DEFAULT_TLS_VERSION -+ && section->max_proto_versionmin_proto_version) - return "Invalid protocol version range"; - break; - case CMD_PRINT_DEFAULTS: -@@ -3142,7 +3143,10 @@ NOEXPORT char *parse_service_option(CMD - /* sslVersionMax */ - switch(cmd) { - case CMD_SET_DEFAULTS: -- section->max_proto_version=0; /* highest supported */ -+ section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in -+ OpenSSL crypto -+ policies.Do not -+ override it */ - break; - case CMD_SET_COPY: - section->max_proto_version=new_service_options.max_proto_version; -@@ -3173,7 +3177,10 @@ NOEXPORT char *parse_service_option(CMD - /* sslVersionMin */ - switch(cmd) { - case CMD_SET_DEFAULTS: -- section->min_proto_version=TLS1_VERSION; -+ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in -+ OpenSSL crypto -+ policies. Do not -+ override it */ - break; - case CMD_SET_COPY: - section->min_proto_version=new_service_options.min_proto_version; ---- stunnel-5.56/src/ctx.c.default-tls-version 2019-10-24 10:48:11.000000000 +0200 -+++ stunnel-5.56/src/ctx.c 2020-04-06 11:16:48.406406794 +0200 -@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio - section->ctx=SSL_CTX_new(TLS_client_method()); - else /* server mode */ - section->ctx=SSL_CTX_new(TLS_server_method()); -- if(!SSL_CTX_set_min_proto_version(section->ctx, -- section->min_proto_version)) { -- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", -- section->min_proto_version); -- return 1; /* FAILED */ -+ -+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) { -+ s_log(LOG_INFO, "Using the default TLS version as specified in \ -+ OpenSSL crypto policies. Not setting explicitly."); -+ } else { -+ if(!SSL_CTX_set_min_proto_version(section->ctx, -+ section->min_proto_version)) { -+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", -+ section->min_proto_version); -+ return 1; /* FAILED */ -+ } - } -- if(!SSL_CTX_set_max_proto_version(section->ctx, -- section->max_proto_version)) { -- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", -- section->max_proto_version); -- return 1; /* FAILED */ -+ -+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) { -+ s_log(LOG_INFO, "Using the default TLS version as specified in \ -+ OpenSSL crypto policies. Not setting explicitly"); -+ } else { -+ if(!SSL_CTX_set_max_proto_version(section->ctx, -+ section->max_proto_version)) { -+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", -+ section->max_proto_version); -+ return 1; /* FAILED */ -+ } - } - #else /* OPENSSL_VERSION_NUMBER<0x10100000L */ - if(section->option.client) diff --git a/stunnel-5.61-default-tls-version.patch b/stunnel-5.61-default-tls-version.patch new file mode 100644 index 0000000..f779e4e --- /dev/null +++ b/stunnel-5.61-default-tls-version.patch @@ -0,0 +1,95 @@ +diff -up stunnel-5.61/src/ctx.c.default-tls-version stunnel-5.61/src/ctx.c +--- stunnel-5.61/src/ctx.c.default-tls-version 2021-12-13 09:43:22.000000000 +0100 ++++ stunnel-5.61/src/ctx.c 2022-01-10 19:27:49.913243127 +0100 +@@ -149,18 +149,28 @@ int context_init(SERVICE_OPTIONS *sectio + section->ctx=SSL_CTX_new(section->option.client ? + TLS_client_method() : TLS_server_method()); + #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */ +- if(!SSL_CTX_set_min_proto_version(section->ctx, +- section->min_proto_version)) { +- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", +- section->min_proto_version); +- return 1; /* FAILED */ +- } +- if(!SSL_CTX_set_max_proto_version(section->ctx, +- section->max_proto_version)) { +- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", +- section->max_proto_version); +- return 1; /* FAILED */ ++ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) { ++ s_log(LOG_INFO, "Using the default TLS version as specified in " ++ "OpenSSL crypto policies. Not setting explicitly."); ++ } else { ++ if(!SSL_CTX_set_min_proto_version(section->ctx, ++ section->min_proto_version)) { ++ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", ++ section->min_proto_version); ++ return 1; /* FAILED */ ++ } + } ++ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) { ++ s_log(LOG_INFO, "Using the default TLS version as specified in " ++ "OpenSSL crypto policies. Not setting explicitly"); ++ } else { ++ if(!SSL_CTX_set_max_proto_version(section->ctx, ++ section->max_proto_version)) { ++ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", ++ section->max_proto_version); ++ return 1; /* FAILED */ ++ } ++ } + #else /* OPENSSL_VERSION_NUMBER<0x10100000L */ + if(section->option.client) + section->ctx=SSL_CTX_new(section->client_method); +diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options.c +--- stunnel-5.61/src/options.c.default-tls-version 2022-01-10 19:23:15.096254067 +0100 ++++ stunnel-5.61/src/options.c 2022-01-10 19:23:15.098254103 +0100 +@@ -3297,8 +3297,9 @@ NOEXPORT char *parse_service_option(CMD + return "Invalid protocol version"; + return NULL; /* OK */ + case CMD_INITIALIZE: +- if(section->max_proto_version && section->min_proto_version && +- section->max_proto_versionmin_proto_version) ++ if(section->max_proto_version != USE_DEFAULT_TLS_VERSION ++ && section->min_proto_version != USE_DEFAULT_TLS_VERSION ++ && section->max_proto_versionmin_proto_version) + return "Invalid protocol version range"; + break; + case CMD_PRINT_DEFAULTS: +@@ -3316,7 +3317,10 @@ NOEXPORT char *parse_service_option(CMD + /* sslVersionMax */ + switch(cmd) { + case CMD_SET_DEFAULTS: +- section->max_proto_version=0; /* highest supported */ ++ section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in ++ OpenSSL crypto ++ policies.Do not ++ override it */ + break; + case CMD_SET_COPY: + section->max_proto_version=new_service_options.max_proto_version; +@@ -3347,7 +3351,10 @@ NOEXPORT char *parse_service_option(CMD + /* sslVersionMin */ + switch(cmd) { + case CMD_SET_DEFAULTS: +- section->min_proto_version=TLS1_VERSION; ++ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in ++ OpenSSL crypto ++ policies. Do not ++ override it */ + break; + case CMD_SET_COPY: + section->min_proto_version=new_service_options.min_proto_version; +diff -up stunnel-5.61/src/prototypes.h.default-tls-version stunnel-5.61/src/prototypes.h +--- stunnel-5.61/src/prototypes.h.default-tls-version 2021-12-13 09:43:22.000000000 +0100 ++++ stunnel-5.61/src/prototypes.h 2022-01-10 19:23:15.099254121 +0100 +@@ -932,6 +932,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE); + ICON_IMAGE load_icon_file(const char *); + #endif + ++#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL ++ crypto policies */ ++ + #endif /* defined PROTOTYPES_H */ + + /* end of prototypes.h */ diff --git a/stunnel-5.61-fips-test.patch b/stunnel-5.61-fips-test.patch new file mode 100644 index 0000000..ad6ace1 --- /dev/null +++ b/stunnel-5.61-fips-test.patch @@ -0,0 +1,58 @@ +Skip FIPS tests if FIPS is unconfigured + +When built against OpenSSL 3 with the enable-fips option, the FIPS +shared library can be loaded, but unless the system administrator has +run openssl fipsinstall and modified the OpenSSL configuration, FIPS +mode will still fail with an error message saying it is missing config +data. + +Since this does not indicate a problem with stunnel's code, but with the +underlying OpenSSL setup, skip the test if this occurs. This is the same +behavior when running against a copy of OpenSSL 3.x that was not built with +'enable-fips'. +diff -up stunnel-5.61/tests/plugins/p10_fips.py.fips-tests stunnel-5.61/tests/plugins/p10_fips.py +--- stunnel-5.61/tests/plugins/p10_fips.py.fips-tests 2022-01-12 11:40:11.121241545 +0100 ++++ stunnel-5.61/tests/plugins/p10_fips.py 2022-01-12 11:45:01.791364483 +0100 +@@ -29,7 +29,8 @@ class FIPSTest(StunnelTest): + self.events.skip = [ + "FIPS provider not available", + "fips mode not supported", +- r"FIPS PROVIDER.*could not load the shared library" ++ r"FIPS PROVIDER.*could not load the shared library", ++ r"FIPS PROVIDER.*missing config data" + ] + self.events.failure = [ + "peer did not return a certificate", +diff -up stunnel-5.61/tests/plugins/p11_fips_cipher.py.fips-tests stunnel-5.61/tests/plugins/p11_fips_cipher.py +--- stunnel-5.61/tests/plugins/p11_fips_cipher.py.fips-tests 2022-01-12 11:40:16.192330329 +0100 ++++ stunnel-5.61/tests/plugins/p11_fips_cipher.py 2022-01-12 11:52:22.159227499 +0100 +@@ -30,7 +30,8 @@ class FailureCipherFIPS(StunnelTest): + self.events.skip = [ + "FIPS provider not available", + "fips mode not supported", +- r"FIPS PROVIDER.*could not load the shared library" ++ r"FIPS PROVIDER.*could not load the shared library", ++ r"FIPS PROVIDER.*missing config data" + ] + self.events.count = 1 + self.events.success = [ +@@ -86,7 +87,8 @@ class FailureCiphersuitesFIPS(StunnelTes + self.events.skip = [ + "FIPS provider not available", + "fips mode not supported", +- r"FIPS PROVIDER.*could not load the shared library" ++ r"FIPS PROVIDER.*could not load the shared library", ++ r"FIPS PROVIDER.*missing config data" + ] + self.events.count = 1 + self.events.success = [ +@@ -145,7 +147,8 @@ class FailureEllipticCurveFIPS(StunnelTe + self.events.skip = [ + "FIPS provider not available", + "fips mode not supported", +- r"FIPS PROVIDER.*could not load the shared library" ++ r"FIPS PROVIDER.*could not load the shared library", ++ r"FIPS PROVIDER.*missing config data" + ] + self.events.count = 1 + self.events.success = [ diff --git a/stunnel-5.61-systemd-service.patch b/stunnel-5.61-systemd-service.patch new file mode 100644 index 0000000..c204e3f --- /dev/null +++ b/stunnel-5.61-systemd-service.patch @@ -0,0 +1,11 @@ +diff -up stunnel-5.61/tools/stunnel.service.in.systemd-service stunnel-5.61/tools/stunnel.service.in +--- stunnel-5.61/tools/stunnel.service.in.systemd-service 2022-01-10 19:16:30.973923459 +0100 ++++ stunnel-5.61/tools/stunnel.service.in 2022-01-10 19:17:08.588605718 +0100 +@@ -6,6 +6,7 @@ After=syslog.target network-online.targe + ExecStart=@bindir@/stunnel + ExecReload=/bin/kill -HUP $MAINPID + Type=forking ++PrivateTmp=true + + [Install] + WantedBy=multi-user.target diff --git a/stunnel.spec b/stunnel.spec index 95694ab..300e6c6 100644 --- a/stunnel.spec +++ b/stunnel.spec @@ -9,10 +9,10 @@ Summary: A TLS-encrypting socket wrapper Name: stunnel -Version: 5.58 -Release: 4%{?dist} +Version: 5.61 +Release: 1%{?dist} License: GPLv2 -URL: http://www.stunnel.org/ +URL: https://www.stunnel.org/ Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc Source2: Certificate-Creation @@ -22,11 +22,12 @@ Source5: pop3-redirect.xinetd Source6: stunnel-pop3s-client.conf Source7: stunnel@.service Patch0: stunnel-5.50-authpriv.patch -Patch1: stunnel-5.50-systemd-service.patch +Patch1: stunnel-5.61-systemd-service.patch Patch3: stunnel-5.56-system-ciphers.patch Patch4: stunnel-5.56-coverity.patch -Patch5: stunnel-5.56-default-tls-version.patch +Patch5: stunnel-5.61-default-tls-version.patch Patch6: stunnel-5.56-curves-doc-update.patch +Patch7: stunnel-5.61-fips-test.patch # util-linux is needed for rename BuildRequires: make BuildRequires: gcc @@ -39,6 +40,7 @@ BuildRequires: /usr/bin/pod2man BuildRequires: /usr/bin/pod2html # build test requirements BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps +BuildRequires: python3 openssl BuildRequires: systemd %{?systemd_requires} @@ -56,12 +58,10 @@ conjunction with imapd to create a TLS secure IMAP server. %patch4 -p1 -b .coverity %patch5 -p1 -b .default-tls-version %patch6 -p1 -b .curves-doc-update +%patch7 -p1 -b .fips-test -# Fix the configure script output for FIPS mode and stack protector flag -sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure - -# Fix a testcase with system-ciphers support -sed -i '/client = yes/a \\ ciphers = PSK' tests/recipes/014_PSK_secrets +# Fix the stack protector flag +sed -i 's/-fstack-protector/-fstack-protector-strong/' configure %build #autoreconf -v @@ -98,14 +98,6 @@ cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service %endif %check -# For unknown reason the 042_inetd test fails in Koji. The failure is not reproducible -# in local build. -rm tests/recipes/042_inetd -# We override the security policy as it is too strict for the tests. -OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file -export OPENSSL_SYSTEM_CIPHERS_OVERRIDE -OPENSSL_CONF= -export OPENSSL_CONF make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done) %files @@ -141,6 +133,9 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done) %systemd_postun_with_restart %{name}.service %changelog +* Mon Jan 10 2022 Clemens Lang - 5.61-1 +- New upstream release 5.61 + * Tue Sep 14 2021 Sahana Prasad - 5.58-4 - Rebuilt with OpenSSL 3.0.0