Compare commits
No commits in common. 'c9' and 'c10-beta' have entirely different histories.
@ -1 +1 @@
|
|||||||
SOURCES/stunnel-5.62.tar.gz
|
SOURCES/stunnel-5.72.tar.gz
|
||||||
|
|||||||
@ -1 +1 @@
|
|||||||
e18be56bfee006f5e58de044fda7bdcfaa425b3f SOURCES/stunnel-5.62.tar.gz
|
6e647a4edf28518216dadbd79119cd4bd5ebaeec SOURCES/stunnel-5.72.tar.gz
|
||||||
|
|||||||
@ -0,0 +1,125 @@
|
|||||||
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
||||||
|
mQINBFTU6YwBEAC6PP7E4J6cRZQsJlFE+o3zdQYo7Mg2sVxDR6K9Cha52wn7P0t0
|
||||||
|
hHUd0CSmWyfjmYUy3/7jYjgKe4oiGzeSCVK8b3TiX3ylHi/nW3mixwpDPwFmr5Cf
|
||||||
|
ce55Ro3TdIeslRGigK8Hl+/l4n9c9z/AiTvcdAEQ34BJhERce4/KFx+/omiaxe7S
|
||||||
|
fzzU/+52zy+v4FfnclgRQrzrD8sxNag6CQOaQ8lTMczNkBkDlhQTOPYkfNf76PUY
|
||||||
|
kbWpcH7n9N50nddjEaLf7DPjOETc4OH/g5a99FSEJL7jyEgn+C8RX7RpbbAxCNlX
|
||||||
|
1231NZoresLmxSulB6fRWLmhJ8pES3sRxE1IfwUfPpUZuTPzwXEFJY6StY5OCVy8
|
||||||
|
rNFpkYlEePuVn74XkGbvv7dkkisq4Hp59zfIUaNVRod0Xk2rM8Rx8d5IK801Ywsn
|
||||||
|
RyzCE02zt3N2O4IdXI1qQ1gMJNyaE/k2Qk8buh8BsKJzZca34WGocHOxz2O5s7FN
|
||||||
|
Q1pLNpLmuHZIdyvYqcsenLz5EV8X2LztRmJ3Se4ag/XyXPYwS6lXX1YUGVxZpk0E
|
||||||
|
sQDRdJvYCsGcUy253w+W7Nm/BtjKi6/PJmjEEU7ieHppR9Yp+LI3lyzNBeZAIVqk
|
||||||
|
4Hco05l4GUKtEDFfOQ58sULDqJWmpH4T72DHeCpfRB0guaPa5TYY7B0umQARAQAB
|
||||||
|
tC5NaWNoYcWCIFRyb2puYXJhIDxNaWNoYWwuVHJvam5hcmFAc3R1bm5lbC5vcmc+
|
||||||
|
iQJSBBMBCAA8AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgBYhBKyRXqMGRdnT
|
||||||
|
1Nrk/rEEiTLdOqqjBQJiemhbAhkBAAoJELEEiTLdOqqjH/YP/i5fQuvTvwSHZAwK
|
||||||
|
JgSUijxD4z2jCtYvXIa7BPNiu8mnyupPAdoZE7BNehuvAc7kYj4dNmC/cY+CRcan
|
||||||
|
OW05ByU/N+RObQYs6dkSLuyzOfqdnA2SZgcPreOZyLe/Yz9nSh5BVigSyiNY+clT
|
||||||
|
JMfISdvfAxlxkVxyfJ293ePECZ7VKfzp18ntDBIY5yos4K0FXKpFVhhWHT9SlsQe
|
||||||
|
tAKTOm6WdJx852y53TvZYzPEVznZhLSj//yYWG7TVQ47oSrsUW5pGaQybtYNIwGa
|
||||||
|
sHGj0SFscYb8IBF4gOaTFPiwKJykmwfF0F7A6wO+oSs7By1o4fEoVr1y3UWO/ATx
|
||||||
|
RF3GyX/6NHTu2OwTmtWozTKkd4agGPmQgn+ApueaBq7Tn9EA+5e83hRY8/c0xOvu
|
||||||
|
XRHrB+PTp4HT3yPcVbGP6vRkpPsRIxtzzw+G1AdwIcMULg/J5qKilRyKLbN12cmc
|
||||||
|
Jjtk6Ii7cskgj/3iYVRy/Xtw9Q2+9aMPPs1H4QklimDuR/KWCqyd61e1ct+Y4XGq
|
||||||
|
HM93/GQuku1sGA6YsfUpDWv3rjwoGejyif3lyHjERaGh1BCYD6Olhe2QtCEuOvuA
|
||||||
|
G2qPT0gZ1q33JVN3wNJfD6JreG7HubG0le+iwLoQTXa3qjhF8DeAgOC+yLKYv3iD
|
||||||
|
ms49fpkKFScmRCmWU0C/2zqe0/GetCtNaWNoYcWCIFRyb2puYXJhIDxNaWNoYWwu
|
||||||
|
VHJvam5hcmFAbWlydC5uZXQ+iQJPBBMBCAA5AhsDBgsJCAcDAgYVCAIJCgsEFgID
|
||||||
|
AQIeAQIXgBYhBKyRXqMGRdnT1Nrk/rEEiTLdOqqjBQJiemhbAAoJELEEiTLdOqqj
|
||||||
|
k5UP/1G8u1Hpr0Ie4YXn1ru1hQaauEqTXGfgcsSuuqvS4GCgY93+Q0jv0YV1Owxs
|
||||||
|
pJWmN3aYKtsj86EAEkOcz23HkhwwvTKkhrZWCATQzhpGZfFWECPm+CycNksc+pkq
|
||||||
|
eykg5RN00DecGpG5x0p2twrRI4j+K4OKSGJvx8vjxBMGoGAoHtBl73nhwuY9CsqL
|
||||||
|
CnCn3lohv03GPvvlO6dhOordBI4U50ky5ZZsQ/qMD7vAGFktbJMyhYJ96ASdVqfG
|
||||||
|
L0DTQ6E1QwS4PQlyEt6PBCtt6T3kU7i9mYy+TQtI+wH3r2hx+UEQaC+9hzY4FZwH
|
||||||
|
xOdH7zumOthMu/uBGK2uMkj7mVpHEGU/69EvROYzf0HtN2vs2yCMirtrlbfQ0bez
|
||||||
|
YyXiTd8+ka0vTWM2rE6rav5RIRDmD7U3u4fPwnpSRTDxCHJglIisymLd01W0Qh8l
|
||||||
|
qCyHOOsRHu2k3RfdILd+F26Ii31073kAaga5iDlKrPyVV38upLIPy/G9QJ8rdYBR
|
||||||
|
EvF0VaYQW+rwsInE8mYfWgcwKT3ZeWop0dD7NFurbHZxfTkL1QCEo+EurrFxBLCm
|
||||||
|
qfPEbQwoMwS5hCAcGRjXDpt0ZZe55VdLXaW9E/GINHPVoM+dMqmmYxEOCvuOez4c
|
||||||
|
MMmt6a5kFPPtWo2o7dcBpDG7ZX3UkUGVAmQuSENIY3yXqYcXtC9NaWNoYcWCIFRy
|
||||||
|
b2puYXJhIDxNaWNoYWwuVHJvam5hcmFAbW9iaS1jb20ubmV0PokCTwQTAQgAOQIb
|
||||||
|
AwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQSskV6jBkXZ09Ta5P6xBIky3Tqq
|
||||||
|
owUCYnpoUQAKCRCxBIky3Tqqo7cBD/sFjmAnOyuEvlVKXEihLmABFBeWjKiGaR4U
|
||||||
|
0+V8ZPvBEzHVQ5e2ywqa68xgFK66JlapnZlAeOoUZYc/uj0xzNwzS4sdnc/ejWn+
|
||||||
|
B0gM9ZLYs1BeYib2k4Bf0c8ccjjCX5r8+Uio8aCB4hSyckmyD+svfmnrzyMEEAZN
|
||||||
|
d+0uiwmmHNEDHqIg76xo7DO+DvV2+sEkLEtdKCfTws94qEWQHGHYwpcbDngSamVZ
|
||||||
|
zML48L4liQX0l7Dz8j09Tf1EYg2DRSvn4s2bzyrFIsnz6yrlf8K0hCYkaTLKnCSx
|
||||||
|
Bj7ESXj/bOQY4fBAHNy2gRXq3ELgdliCQHeT+9TD5JI58rWQBY48QGF7CAxMcC3H
|
||||||
|
3nI/Zq/DSaakOVwianqY2VJDFAYXogmEOR/kWE3lPerp6qum+n4WcDiteQXJMHmV
|
||||||
|
t/JYAZ3zbOhmu9F2NI7Ce4uZe8rQ0PG5Jgb5wE76i9zrCwFACPKhJVim4kWIOPf8
|
||||||
|
eT1LCC4adpyeUMrH342CVb2xpS+gQ89V7sTt9uFPp9wTl5QvsD3uTWKzGkRV9s7b
|
||||||
|
rnFuJYGDRM/EN0nFZF8D0RbrwYNK5KXSZ0VOTrud9ZcEsJQeISqLX4QBMrSl/Nst
|
||||||
|
r9MTUuBf6N3b5zDRmHJQ6+myyE/8cgHwEsmOIJCSEcQjkYsUruQhuW2Et1EZtrcb
|
||||||
|
/KHFRhRjP7RATWljaGHFgiBUcm9qbmFyYSAoYXV4aWxpYXJ5IGFkZHJlc3MpIDxN
|
||||||
|
aWNoYWwuVHJvam5hcmFAZ21haWwuY29tPokCTgQTAQgAOAIbAwULCQgHAgYVCgkI
|
||||||
|
CwIEFgIDAQIeAQIXgBYhBKyRXqMGRdnT1Nrk/rEEiTLdOqqjBQJiemhDAAoJELEE
|
||||||
|
iTLdOqqjWfkQALjs436L79R26iQc8aWu3IWAZ8FOv8VqbTcGH3fQ16DcJ+OaBQkl
|
||||||
|
qHTWsbs9Bhq49lU6WiZLIJWTp8bl6fdC5XbJYFYW7fMBSyUFpSqQFACY6EF3vdDS
|
||||||
|
bcVcT6aModzq1mG9CFuU5wt0GrZOy4v0pXvJK0Y+CzY3Rm/Nev0Ou3HUFWgsOpHZ
|
||||||
|
jnCCkNyQ1C1jJ9mDid55dID8byLvkmS8Z3pVhFQ3Ko9gZv47GeeNjG26rbNmsVwZ
|
||||||
|
Ki7c9iJM/RbCgr+LVElFVtFyJP2WUxHjl2RbrJIJB9YUNY1N7z0tDnqN1FCPbFkj
|
||||||
|
zkMuuj0yPp9CqGZge+A5tT5NfytGYPMSOD9up4SXVr+ejOtUL5riW3LsnewjTJuM
|
||||||
|
f2qP1h52FAduB9SfGTf0XlLlKJkjkw3Q9WmrOndJcEsKRGarfcWFPMOml3xmcoAM
|
||||||
|
9jU0H9P1ZAHlKON0eL1vKBgS5XL0s4pVvwsYZ+dfDcNU+bUCrTRLc0uccsIzDrio
|
||||||
|
bbaz7VtUzEsWqPozW6CTozDWDSfKRuWuB2vAYfqKJN8ZAkvOu00ZKwT/DiCpLQ6e
|
||||||
|
GQ8tcAvum9Sd9jydwqs89UNhKNkovwMwALjLITaZ72ILgYo3Mo57fT6MpVspxJ23
|
||||||
|
+6RP8+MAM+HhJYfODuGvNHR3n5aO0WnwM8YoH14hjHUKtr7z83iivhSOuQINBFTU
|
||||||
|
68MBEADyAgLrjV0rpqn1bUrcSSpGfTPrOLN1Uav+O9/zEVd5Sr5q7GLFnS0Rjo0z
|
||||||
|
kIFLJrkEIr0gZVaYk1trPJZRriWUDoS+ZTFxN4YTumlADgqXVvO9Srm6mj7z7RW6
|
||||||
|
q8sL9tXPQNScVJYlgcBms9n7I7TIyry9oZOjmTAqLFDg2L437USIAspl7HWDpRb1
|
||||||
|
3QcBxgRr+VNaHPcnRXXLJjhWi/fSC2ijrsqRIL9KzBnMhHTQJAavPe3CUa4HvdKb
|
||||||
|
Vh+oOptjx1Asl7JTSi8h5T3lUjlxAXoPUfxh1oxZCboy1UB8hflYygf56rgCeT2G
|
||||||
|
KVF4YA2QhY1KozbUOt27dytsYhiJk8Rp0p8bHCq7C9ENMSAPiCOoy8R3EDZbqzhZ
|
||||||
|
HfpLAyR460RKPbUyJHZgNxsjMhtSH2nQ/wNka9BxWHjmMKB05wvm2H1HTvqelcef
|
||||||
|
wUh7Yh8BmdfU6emwqf9ionTA0WEZhbFX/JkDXQ1sUoVeEPUUaqs7PqVKqaoPPTS1
|
||||||
|
eh8XjfZp77s/NM/2fhyKPiTRJgbWX8tOGc5gvdI1QIbesIBJ5aheaHEJhEaLRfDc
|
||||||
|
gmtylU2Y1AP5IstONUH3gCUONKXHWrRX73KaEYeLnXCwFJqMzAN7FpIj9YzXL2VE
|
||||||
|
7CXt54APjV88CvNOV4CpPz1qRYt69MEta+Pn2aS729kBbbr/VQARAQABiQIfBBgB
|
||||||
|
AgAJBQJU1OvDAhsMAAoJELEEiTLdOqqjY0IQAIcnt7SXw2FLiyV/N6PUABc7AvXA
|
||||||
|
N7Gfq2GmB7EDKpkshqJuqEjJuFKjUs4vU1j/nnK2xxs5Avs2WJEBdU3oX2Vx6v6r
|
||||||
|
PEvkmDHNRTp2vJqk1lizTq7fB+vxm1Ju8gA43/Dz22b20fGg1QhhllRlE4UFbp+f
|
||||||
|
xGSFuhCzSEkXFZ9aCE7GFLRNcnz8xnhhx8PL4TDosgDKbcDVdj777ZUwQeopzKFT
|
||||||
|
3lbmyoCx87kyRFZrQT0lNLZ1ZO141NY+ifLAkZf+ZJVUxmA5kXqjfZVv0tOcHrvp
|
||||||
|
hBo+IyW7aqD69GREz/PIaO8/HuGKV/rwJbFlwgeyV+nmAlXpG+2Ur6a4S8iRKY1j
|
||||||
|
KLyFCnVjkLq5Zv0la3/0hIn5fP6f7mcAcRTNb8t4QPKGNWVL286gADLXyvjuZDJv
|
||||||
|
MnarbM4ej3OXd8o4nZLhIUEoYe4iE87EbYKu6HE31Tn5HBMOooQJ64JlE4xhAvOW
|
||||||
|
Yg/a8z824VWFCbyI2FtO8R6eHiZYPgi44cmSq/MorMBeWWiy5QrgHSRuWHgZo5WY
|
||||||
|
SNpcbDzvz2s6VDMPnnrpKAo8M1S2ibn94hzLr9RgGgV3uUuW0hVJIIDVVQxTgxYm
|
||||||
|
CPBr2CTozGg17x1wnX3uhAx+Fk2MnzRLkL5rZqXjCtHa8v/eFeHLYzaQbvdEtLPE
|
||||||
|
SJWgmwb6FvM218hruQINBFTU7lkBEADWkatDVXdgxcXcPPC8D+5Zv3XanCpS8wAA
|
||||||
|
q9gIOIQsg4/Ttzfb7PTg39s5eOJnYlvwC4gKPi/3a1cDKC1/XzPHChTwA5eK5Jw/
|
||||||
|
fDLVmmsHDyTvV03LReYRduJfu2Quh7Q7NaUJo1NqNJdMQtP6dgdM6QGysLhP7LsD
|
||||||
|
Bi55AlhRpGQlH/lNzrxSdFI7b3mmAl3sShZYCTLdt0f5Mo3QyxqAInBr5GtcUa0g
|
||||||
|
qNTRcAqx11PFArHZJQYXRBV01n/XgO6jvdu2he0eAHSjF7CeyImnlcpZibntFI0u
|
||||||
|
/UsqvbqJJS1QzUIAhkAu4YwDJBdUSjs6bO5mY3TJFgzsVKekbisgOcPFiENNpr7F
|
||||||
|
ZvvfxXy4tANkBWcC4ESGrVFAQOtEz9ctuJu9UHOl34kj1ad40SnR6GrmwQLoVspj
|
||||||
|
PQepWTZIfUOlvS2Cu3HPdzus+zu9F2YUzFO5hy1LO6o0ekpf4LquDIBbazEQoPTK
|
||||||
|
zw5gRreG+tAVIDOcz+Pdfx2B7UOuIchB38O3j4sx09yxCTe+3LuljFkgNFr2GXue
|
||||||
|
Bp6xBJn/s9X9yPtTuqJ5OvW6U7UZzkZzJLYe7g/3XT0dfW0ERC8Yelup70tzZ3RU
|
||||||
|
qAdWMb28MusTWH+pcpuafQsXVhHh2Noz6xgJ9g475bNkpQAI90yrcuJ3/ehDvWnp
|
||||||
|
42C7qVByAQARAQABiQQ+BBgBAgAJBQJU1O5ZAhsCAikJELEEiTLdOqqjwV0gBBkB
|
||||||
|
AgAGBQJU1O5ZAAoJEC78f/DUFuAU3HoQAJHsIoHcy/aU1pFGtpVHCM2u6bI4Oqyd
|
||||||
|
f+h7eVp3TiIIFv0nEbI3JMYXSzq16hqhxfEh5nnRsXsa5hyd6kwameIwKQTbKaUz
|
||||||
|
qu4U01NRgLTYWyujApBugLtLkM3aXuVvieWDINfuc6U4yaFNzcP9Cx24zJL0fmSM
|
||||||
|
UUq3Mtg7BERX9Ecj/BBTJPLN7yqz8HGlPf8exIm4ZnJstJ39+Z4zjfGCFx18OApN
|
||||||
|
oaQWSGFbtRaC06FC1jGvRUPgcTDgL6czKSyooAgUwGMkCq2y5Z5KBq9WttTwqvOV
|
||||||
|
wkUdKui9ns+LSYoxgcaiY+y1lxnHCvXm3cGEO+iAxJGxxTWYtSKAsQaJbE9XG1CW
|
||||||
|
YdNl8yezgLLThLuMrgaLHQ83heL/2s5wsUJvnN11wtWuqK5P523879M8pQodO8sv
|
||||||
|
WAXgOXKlu7xNBa07vENI/LvBJ09ZQ3kYGOzFtl9WVam+9UyYZS7KAiXQuSsksobG
|
||||||
|
TfoCc2kQ+qxD171GyC7l0/2UY/PeKDETen5SWFajl6ompnAB8QVv7Q9DMpJDrMgV
|
||||||
|
AB/nR5Ij+lZ/5en1c5Pjt3jLxpbMcDtP+Nr21vJ356DvVk6o4W1U/zMVa+Y+eiiz
|
||||||
|
GsFHuor9EFjn89cqF8bXTIRhdKNNqnh2azLjfSXwxy6qjnmKLGBPm/Fl9N7IWNOM
|
||||||
|
eaO4cPWtNN+leTgP/0Yj1wh+tZzOGttY3wGg/roiYxelWFnMO3pLm710dI0l2qK8
|
||||||
|
PMKSS1v+mxcgu++7eouZvWcluw3M30Ymbouh27MInhKpqh2OEyQ2L9Nz3l3HSfZw
|
||||||
|
I/ZGH+O/OjvOupA7T1zxq3+kUSIXwuBSVzlBoH8Y2FcGomiDbI7NQ8YqrQ4zL/C2
|
||||||
|
1bjZMJ7tX4nx+efXrF8aGdXCaJZFBqp0KIUNjYiI4eGdHB8lUA2t11+5T8Any9jx
|
||||||
|
dfOvEjthkvjdXnfRaJyHVUHTRcsVTxqPTwWyN0W9HvsADEVT4J3qwfrKrqOxFeml
|
||||||
|
DQE47XlpH7CikS+0rAN1G7dNrB4LVcwstDhe431CXRswfR3rbq4wbbNR9kY7WM1M
|
||||||
|
5LixSESomwiZuwv+GA0Mpi9+jTBIc9aZCj2ePDtobwx7Lvsjd8vUQuP9N9rzqeM+
|
||||||
|
kn+2YUwtX2e1YAJxb9ze2iN1w/bvytPD/jOT5KvZm/7ds/XKMl3TPgHeBhjPYFRh
|
||||||
|
NTt3KIDjUqCThl9XWfY1QDFAljO8QgBlwwRYDes5Nv4CNwFVdfz0aTQETKRWYD0b
|
||||||
|
zTy1uYj7gNR3Zz/53XF659vjdMY6LAqrBj46z2J7LcVuyehi7Mo+x3ksHIkUS51s
|
||||||
|
wHXnaH3m783KxozQCML7I+2WlItQhoNRbvlUCVAo9aPUCDm5WlzZJwwSN69B
|
||||||
|
=EgcU
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----
|
||||||
@ -1,22 +0,0 @@
|
|||||||
diff -up stunnel-5.48/src/str.c.coverity stunnel-5.48/src/str.c
|
|
||||||
--- stunnel-5.48/src/str.c.coverity 2018-07-02 23:30:10.000000000 +0200
|
|
||||||
+++ stunnel-5.48/src/str.c 2018-09-04 17:24:08.949928906 +0200
|
|
||||||
@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va
|
|
||||||
for(;;) {
|
|
||||||
va_copy(ap, start_ap);
|
|
||||||
n=vsnprintf(p, size, format, ap);
|
|
||||||
+ va_end(ap);
|
|
||||||
if(n>-1 && n<(int)size)
|
|
||||||
return p;
|
|
||||||
if(n>-1) /* glibc 2.1 */
|
|
||||||
diff -up stunnel-5.48/src/stunnel.c.coverity stunnel-5.48/src/stunnel.c
|
|
||||||
--- stunnel-5.48/src/stunnel.c.coverity 2018-07-02 23:30:10.000000000 +0200
|
|
||||||
+++ stunnel-5.48/src/stunnel.c 2018-09-04 17:24:08.949928906 +0200
|
|
||||||
@@ -364,7 +364,6 @@ NOEXPORT int accept_connection(SERVICE_O
|
|
||||||
#endif
|
|
||||||
if(create_client(fd, s, alloc_client_session(opt, s, s))) {
|
|
||||||
s_log(LOG_ERR, "Connection rejected: create_client failed");
|
|
||||||
- closesocket(s);
|
|
||||||
#ifndef USE_FORK
|
|
||||||
service_free(opt);
|
|
||||||
#endif
|
|
||||||
@ -1,12 +0,0 @@
|
|||||||
diff -up stunnel-5.55/src/options.c.system-ciphers stunnel-5.55/src/options.c
|
|
||||||
--- stunnel-5.55/src/options.c.system-ciphers 2019-09-19 14:43:00.631059024 +0200
|
|
||||||
+++ stunnel-5.55/src/options.c 2019-09-19 14:51:02.120053849 +0200
|
|
||||||
@@ -277,7 +277,7 @@ static char *option_not_found=
|
|
||||||
"Specified option name is not valid here";
|
|
||||||
|
|
||||||
static char *stunnel_cipher_list=
|
|
||||||
- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
|
|
||||||
+ "PROFILE=SYSTEM";
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_TLS1_3
|
|
||||||
static char *stunnel_ciphersuites=
|
|
||||||
@ -1,19 +0,0 @@
|
|||||||
tests: Adapt to OpenSSL 3.x FIPS mode
|
|
||||||
|
|
||||||
In OpenSSL 3.0 with FIPS enabled, this test no longer fails with
|
|
||||||
a human-readable error message (such as "no ciphers available"), but
|
|
||||||
instead causes an internal error. Extend the success regex list to also
|
|
||||||
accept this result.
|
|
||||||
diff -up stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 stunnel-5.61/tests/plugins/p11_fips_cipher.py
|
|
||||||
--- stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 2022-01-12 15:15:03.211690650 +0100
|
|
||||||
+++ stunnel-5.61/tests/plugins/p11_fips_cipher.py 2022-01-12 15:15:20.937008173 +0100
|
|
||||||
@@ -91,7 +91,8 @@ class FailureCiphersuitesFIPS(StunnelTes
|
|
||||||
self.events.count = 1
|
|
||||||
self.events.success = [
|
|
||||||
"disabled for FIPS",
|
|
||||||
- "no ciphers available"
|
|
||||||
+ "no ciphers available",
|
|
||||||
+ "TLS alert \\(write\\): fatal: internal error"
|
|
||||||
]
|
|
||||||
self.events.failure = [
|
|
||||||
"peer did not return a certificate",
|
|
||||||
@ -1,57 +0,0 @@
|
|||||||
Limit curves defaults in FIPS mode
|
|
||||||
|
|
||||||
Our copy of OpenSSL disables the X25519 and X448 curves in FIPS mode,
|
|
||||||
but stunnel defaults to enabling them and then fails to do so.
|
|
||||||
|
|
||||||
Upstream-Status: Inappropriate [caused by a downstream patch to openssl]
|
|
||||||
diff -up stunnel-5.62/src/options.c.disabled-curves stunnel-5.62/src/options.c
|
|
||||||
--- stunnel-5.62/src/options.c.disabled-curves 2022-02-04 13:46:45.936884124 +0100
|
|
||||||
+++ stunnel-5.62/src/options.c 2022-02-04 13:53:16.346725153 +0100
|
|
||||||
@@ -40,8 +40,10 @@
|
|
||||||
|
|
||||||
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
|
|
||||||
#define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
|
|
||||||
+#define DEFAULT_CURVES_FIPS "P-256:P-521:P-384"
|
|
||||||
#else /* OpenSSL version < 1.1.1 */
|
|
||||||
#define DEFAULT_CURVES "prime256v1"
|
|
||||||
+#define DEFAULT_CURVES_FIPS "prime256v1"
|
|
||||||
#endif /* OpenSSL version >= 1.1.1 */
|
|
||||||
|
|
||||||
#if defined(_WIN32_WCE) && !defined(CONFDIR)
|
|
||||||
@@ -1855,7 +1857,7 @@ NOEXPORT char *parse_service_option(CMD
|
|
||||||
/* curves */
|
|
||||||
switch(cmd) {
|
|
||||||
case CMD_SET_DEFAULTS:
|
|
||||||
- section->curves=str_dup_detached(DEFAULT_CURVES);
|
|
||||||
+ section->curves = NULL;
|
|
||||||
break;
|
|
||||||
case CMD_SET_COPY:
|
|
||||||
section->curves=str_dup_detached(new_service_options.curves);
|
|
||||||
@@ -1870,9 +1872,26 @@ NOEXPORT char *parse_service_option(CMD
|
|
||||||
section->curves=str_dup_detached(arg);
|
|
||||||
return NULL; /* OK */
|
|
||||||
case CMD_INITIALIZE:
|
|
||||||
+ if(!section->curves) {
|
|
||||||
+ /* this is only executed for global options, because
|
|
||||||
+ * section->curves is no longer NULL in sections */
|
|
||||||
+#ifdef USE_FIPS
|
|
||||||
+ if(new_global_options.option.fips)
|
|
||||||
+ section->curves=str_dup_detached(DEFAULT_CURVES_FIPS);
|
|
||||||
+ else
|
|
||||||
+#endif /* USE_FIPS */
|
|
||||||
+ section->curves=str_dup_detached(DEFAULT_CURVES);
|
|
||||||
+ }
|
|
||||||
break;
|
|
||||||
case CMD_PRINT_DEFAULTS:
|
|
||||||
- s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
|
|
||||||
+ if(fips_available()) {
|
|
||||||
+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
|
|
||||||
+ DEFAULT_CURVES_FIPS, "(with \"fips = yes\")");
|
|
||||||
+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
|
|
||||||
+ DEFAULT_CURVES, "(with \"fips = no\")");
|
|
||||||
+ } else {
|
|
||||||
+ s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
|
|
||||||
+ }
|
|
||||||
break;
|
|
||||||
case CMD_PRINT_HELP:
|
|
||||||
s_log(LOG_NOTICE, "%-22s = ECDH curve names", "curves");
|
|
||||||
@ -1,140 +0,0 @@
|
|||||||
From 6baa5762ea5edb192ec003333d62b1d0e56509bf Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
|
|
||||||
Date: Sun, 11 Sep 2022 23:52:18 +0200
|
|
||||||
Subject: [PATCH] stunnel-5.66
|
|
||||||
|
|
||||||
---
|
|
||||||
src/common.h | 6 +++++-
|
|
||||||
src/ctx.c | 58 +++++++++++++++++++++++++++++++++++++++++++---------
|
|
||||||
2 files changed, 53 insertions(+), 11 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/common.h b/src/common.h
|
|
||||||
index bc37eb5..997e66e 100644
|
|
||||||
--- a/src/common.h
|
|
||||||
+++ b/src/common.h
|
|
||||||
@@ -491,7 +491,7 @@ extern char *sys_errlist[];
|
|
||||||
#include <openssl/dh.h>
|
|
||||||
#if OPENSSL_VERSION_NUMBER<0x10100000L
|
|
||||||
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
|
|
||||||
-#endif /* OpenSSL older than 1.1.0 */
|
|
||||||
+#endif /* OPENSSL_VERSION_NUMBER<0x10100000L */
|
|
||||||
#endif /* !defined(OPENSSL_NO_DH) */
|
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
#include <openssl/engine.h>
|
|
||||||
@@ -503,8 +503,12 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
|
|
||||||
/* not defined in public headers before OpenSSL 0.9.8 */
|
|
||||||
STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
|
|
||||||
#endif /* !defined(OPENSSL_NO_COMP) */
|
|
||||||
+#if OPENSSL_VERSION_NUMBER>=0x10101000L
|
|
||||||
+#include <openssl/storeerr.h>
|
|
||||||
+#endif /* OPENSSL_VERSION_NUMBER>=0x10101000L */
|
|
||||||
#if OPENSSL_VERSION_NUMBER>=0x30000000L
|
|
||||||
#include <openssl/provider.h>
|
|
||||||
+#include <openssl/proverr.h>
|
|
||||||
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
|
|
||||||
|
|
||||||
#ifndef OPENSSL_VERSION
|
|
||||||
diff --git a/src/ctx.c b/src/ctx.c
|
|
||||||
index a2202b7..cc0806c 100644
|
|
||||||
--- a/src/ctx.c
|
|
||||||
+++ b/src/ctx.c
|
|
||||||
@@ -1001,30 +1001,41 @@ NOEXPORT int ui_retry() {
|
|
||||||
unsigned long err=ERR_peek_error();
|
|
||||||
|
|
||||||
switch(ERR_GET_LIB(err)) {
|
|
||||||
- case ERR_LIB_ASN1:
|
|
||||||
- return 1;
|
|
||||||
- case ERR_LIB_PKCS12:
|
|
||||||
+ case ERR_LIB_EVP: /* 6 */
|
|
||||||
switch(ERR_GET_REASON(err)) {
|
|
||||||
- case PKCS12_R_MAC_VERIFY_FAILURE:
|
|
||||||
+ case EVP_R_BAD_DECRYPT:
|
|
||||||
return 1;
|
|
||||||
default:
|
|
||||||
+ s_log(LOG_ERR, "Unhandled ERR_LIB_EVP error reason: %d",
|
|
||||||
+ ERR_GET_REASON(err));
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
- case ERR_LIB_EVP:
|
|
||||||
+ case ERR_LIB_PEM: /* 9 */
|
|
||||||
switch(ERR_GET_REASON(err)) {
|
|
||||||
- case EVP_R_BAD_DECRYPT:
|
|
||||||
+ case PEM_R_BAD_PASSWORD_READ:
|
|
||||||
+ case PEM_R_BAD_DECRYPT:
|
|
||||||
return 1;
|
|
||||||
default:
|
|
||||||
+ s_log(LOG_ERR, "Unhandled ERR_LIB_PEM error reason: %d",
|
|
||||||
+ ERR_GET_REASON(err));
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
- case ERR_LIB_PEM:
|
|
||||||
+ case ERR_LIB_ASN1: /* 13 */
|
|
||||||
+ return 1;
|
|
||||||
+ case ERR_LIB_PKCS12: /* 35 */
|
|
||||||
switch(ERR_GET_REASON(err)) {
|
|
||||||
- case PEM_R_BAD_PASSWORD_READ:
|
|
||||||
+ case PKCS12_R_MAC_VERIFY_FAILURE:
|
|
||||||
return 1;
|
|
||||||
default:
|
|
||||||
+ s_log(LOG_ERR, "Unhandled ERR_LIB_PKCS12 error reason: %d",
|
|
||||||
+ ERR_GET_REASON(err));
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
- case ERR_LIB_UI:
|
|
||||||
+#ifdef ERR_LIB_DSO /* 37 */
|
|
||||||
+ case ERR_LIB_DSO:
|
|
||||||
+ return 1;
|
|
||||||
+#endif
|
|
||||||
+ case ERR_LIB_UI: /* 40 */
|
|
||||||
switch(ERR_GET_REASON(err)) {
|
|
||||||
case UI_R_RESULT_TOO_LARGE:
|
|
||||||
case UI_R_RESULT_TOO_SMALL:
|
|
||||||
@@ -1033,17 +1044,44 @@ NOEXPORT int ui_retry() {
|
|
||||||
#endif
|
|
||||||
return 1;
|
|
||||||
default:
|
|
||||||
+ s_log(LOG_ERR, "Unhandled ERR_LIB_UI error reason: %d",
|
|
||||||
+ ERR_GET_REASON(err));
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+#ifdef ERR_LIB_OSSL_STORE
|
|
||||||
+ case ERR_LIB_OSSL_STORE: /* 44 - added in OpenSSL 1.1.1 */
|
|
||||||
+ switch(ERR_GET_REASON(err)) {
|
|
||||||
+ case OSSL_STORE_R_BAD_PASSWORD_READ:
|
|
||||||
+ return 1;
|
|
||||||
+ default:
|
|
||||||
+ s_log(LOG_ERR, "Unhandled ERR_LIB_OSSL_STORE error reason: %d",
|
|
||||||
+ ERR_GET_REASON(err));
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+#ifdef ERR_LIB_PROV
|
|
||||||
+ case ERR_LIB_PROV: /* 57 - added in OpenSSL 3.0 */
|
|
||||||
+ switch(ERR_GET_REASON(err)) {
|
|
||||||
+ case PROV_R_BAD_DECRYPT:
|
|
||||||
+ return 1;
|
|
||||||
+ default:
|
|
||||||
+ s_log(LOG_ERR, "Unhandled ERR_LIB_PROV error reason: %d",
|
|
||||||
+ ERR_GET_REASON(err));
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
- case ERR_LIB_USER: /* PKCS#11 hacks */
|
|
||||||
+#endif
|
|
||||||
+ case ERR_LIB_USER: /* 128 - PKCS#11 hacks */
|
|
||||||
switch(ERR_GET_REASON(err)) {
|
|
||||||
case 7UL: /* CKR_ARGUMENTS_BAD */
|
|
||||||
case 0xa0UL: /* CKR_PIN_INCORRECT */
|
|
||||||
return 1;
|
|
||||||
default:
|
|
||||||
+ s_log(LOG_ERR, "Unhandled ERR_LIB_USER error reason: %d",
|
|
||||||
+ ERR_GET_REASON(err));
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
default:
|
|
||||||
+ s_log(LOG_ERR, "Unhandled error library: %d", ERR_GET_LIB(err));
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
||||||
@ -1,18 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmHlyoBfFIAAAAAALgAo
|
|
||||||
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
|
|
||||||
QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
|
|
||||||
4BRqiw//dzBO+CqezKNlkVT5sePEfriVPk0iYa7IyGQ2xclohI3X3A0NaLHhwysa
|
|
||||||
2pFo+myUn5h2qVM6jfuPbXHxDSgDQIcRoEEWpLbVEnVy5vMpVsB5wY4fwfyd3crM
|
|
||||||
2J24XPdODE8H2mB28JXHyQdXehMtzOAMJ57ugUbrU4drNOR8sCRbp+sBChI8JK9Q
|
|
||||||
IYvUoMPMCukFXws0KFEYjRom/FyQlde2Wz9ZPiluRzj6RWPQvQht8EiB7IfPrq2m
|
|
||||||
fiPmOxUnB+Ry6/eaSp7JLlrnL4q5Zhw0HS/pMbWpiB9nPb9SLoKufJ9hYQs5X2h9
|
|
||||||
L85VPMAAAStQ4PcvFYWt/nV03p3agImdMLrwlaMi/Bb95+tk7OoNLu7yz9RQ9QAo
|
|
||||||
SPamduORs4/KhtlMzRf2G8utIQRa4fI47KDOO1+1qRfTH4t/Bf3Fr/gI34AW24ZZ
|
|
||||||
hu2nHqr+UxGkU42HJEhsL9tAvBFr/mBI64sHtAI41e25CkqBQSqD+FxUw5snbVgP
|
|
||||||
XxiM9tNo/UUZpCMnmkAZUqVFKYT10VSFTDo6/LcoMYZf1zzCWch3wJTtf2ZPUJYG
|
|
||||||
6kNpdCEzsXYileL6iCof9+J5hNaNGpsgTi+ljz1jujzOHWGw6hyIWUiYTBGmRAbl
|
|
||||||
Pehbx5RYqQe9gX0nFRRs3o9y9p8B4MLMAvJdhx6vqxgd2H1SDJA=
|
|
||||||
=MLHM
|
|
||||||
-----END PGP SIGNATURE-----
|
|
||||||
@ -0,0 +1,37 @@
|
|||||||
|
From 6c8c4c8c85204943223b251d09ca1e93571a437a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sahana Prasad <sprasad@localhost.localdomain>
|
||||||
|
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
||||||
|
Subject: [PATCH 3/7] Use cipher configuration from crypto-policies
|
||||||
|
|
||||||
|
On Fedora, CentOS and RHEL, the system's crypto policies are the best
|
||||||
|
source to determine which cipher suites to accept in TLS. On these
|
||||||
|
platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
|
||||||
|
policies. Change stunnel to default to this setting.
|
||||||
|
|
||||||
|
Co-Authored-by: Sahana Prasad <shebburn@redhat.com>
|
||||||
|
Patch-name: stunnel-5.69-system-ciphers.patch
|
||||||
|
Patch-id: 3
|
||||||
|
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
||||||
|
---
|
||||||
|
src/options.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/options.c b/src/options.c
|
||||||
|
index 6e4a18b..4d31815 100644
|
||||||
|
--- a/src/options.c
|
||||||
|
+++ b/src/options.c
|
||||||
|
@@ -321,9 +321,9 @@ static const char *option_not_found=
|
||||||
|
"Specified option name is not valid here";
|
||||||
|
|
||||||
|
static const char *stunnel_cipher_list=
|
||||||
|
- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
|
||||||
|
+ "PROFILE=SYSTEM";
|
||||||
|
static const char *fips_cipher_list=
|
||||||
|
- "FIPS:!DH:!kDHEPSK";
|
||||||
|
+ "PROFILE=SYSTEM";
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_TLS1_3
|
||||||
|
static const char *stunnel_ciphersuites=
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
||||||
@ -0,0 +1,16 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQIzBAABCgAdFiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmXAl5kACgkQLvx/8NQW
|
||||||
|
4BSnAxAAxC0u/yksf+byWhqkl1txYaZ7tKv6sg8QramWhyCpnlEtBgxCP3I3baae
|
||||||
|
PQm5HkVgOHNSFNhzrIApEeaXJle4rgH7T+uRkl5mThWYMf47h55Ll70BBg3Mpsjz
|
||||||
|
iwubuWllA4cyEbd2yWYl1MTzcSxY8F05otQdg+vwIxrHNF26k+pvnYUfBJiw6/7V
|
||||||
|
1exig3ZF03umSGM/8JTRdkJw4oKxgWR0nvAY6s6C28Hs6ok+700r40pDinmQgYyC
|
||||||
|
Sb1DC2/SAjFhs8vlxUBtgWCLTQk/uGKWXUjPoG2KqQyhKMfY3ntZT3D9iOWpvC/p
|
||||||
|
vvZbd3k27a8/D4CyBiBSh+L/bZtOgdZrDPCDxbf2EG1zC8mBjA8A8NIzMVL0D3UL
|
||||||
|
FHKpPBpw5RMy7Zbrwn59ggVoTSJS8Bcr1khmUjpyTpCnbTOSdsIhFDG5EtPOkJoT
|
||||||
|
k/6qXMxFAUL8EX3PlPjMSSs8aPWB7BqSEowRYbMGxG7Iqr+z56LiTdGjra+JY6Pv
|
||||||
|
FrLHHqGB9Hh3YIYbbf5O61DkXNeDVEZlqd03CI5Q9v5r9OKnIdzg4NM3XJ2hBUf4
|
||||||
|
PuYKWMhg2gZTwTuQtEV7Py+52sbqdiKCiWyQy3P8vRV/RwKuu/+2vPsxUIxULFEV
|
||||||
|
0FSBp+BPuM/FPiYwqNam/C67qHZ03jndiOgsTRapsJnAFKT/nXQ=
|
||||||
|
=vtS5
|
||||||
|
-----END PGP SIGNATURE-----
|
||||||
Loading…
Reference in new issue