Update to 5.63

OK sthen ### Version 5.63, 2022.03.15, urgency: HIGH * Security bugfixes - OpenSSL DLLs updated to version 3.0.2. * New features - Updated stunnel.spec to support bash completion. * Bugfixes - Fixed a PRNG initialization crash (thx to Gleydson Soares). ... further changelogs https://www.stunnel.org/NEWS.html
2022-03-16 17:28:26 +00:00 · 2022-03-16 17:28:26 +00:00 · 76ef3c7c56
commit 76ef3c7c56
parent c90d58e1f3
14 changed files with 251 additions and 47 deletions
--- a/security/stunnel/Makefile
+++ b/security/stunnel/Makefile
@ -1,8 +1,7 @@
 COMMENT=	SSL encryption wrapper for standard network daemons

-DISTNAME=	stunnel-5.44
+DISTNAME=	stunnel-5.63
 CATEGORIES=	security
-REVISION=	2

 MAINTAINER=	Gleydson Soares <gsoares@openbsd.org>

@ -11,12 +10,11 @@ PERMIT_PACKAGE=	Yes

 WANTLIB += c crypto pthread ssl util

-HOMEPAGE=	http://www.stunnel.org/
+HOMEPAGE=	https://www.stunnel.org/

 MASTER_SITES=	https://www.stunnel.org/downloads/archive/5.x/ \
-		http://ftp.nluug.nl/pub/networking/stunnel/archive/5.x/ \
-		http://mirror.bit.nl/stunnel/archive/5.x/ \
-		ftp://ftp.stunnel.org/stunnel/archive/5.x/
+		https://ftp.nluug.nl/pub/networking/stunnel/ \
+		https://www.usenix.org.uk/mirrors/stunnel/

 SEPARATE_BUILD=		Yes
 CONFIGURE_STYLE=	gnu
--- a/security/stunnel/distinfo
+++ b/security/stunnel/distinfo
@ -1,2 +1,2 @@
-SHA256 (stunnel-5.44.tar.gz) = mQoyXbtH132Idy3QL7vSfZGx/qPs52yf9EYeypPxIpk=
-SIZE (stunnel-5.44.tar.gz) = 699117
+SHA256 (stunnel-5.63.tar.gz) = x0xOFRRKOuNLi4kLsxyQkgcwFJC9HlG/qqX/6wqZRhc=
+SIZE (stunnel-5.63.tar.gz) = 866754
--- a/security/stunnel/patches/patch-Makefile_in
+++ b/security/stunnel/patches/patch-Makefile_in
@ -1,12 +1,12 @@
 Index: Makefile.in
 --- Makefile.in.orig
 +++ Makefile.in
-@@ -364,7 +364,7 @@ top_build_prefix = @top_build_prefix@
- top_builddir = @top_builddir@
- top_srcdir = @top_srcdir@
+@@ -371,7 +371,7 @@ top_srcdir = @top_srcdir@
+ with_bashcompdir = @with_bashcompdir@
+ AM_DISTCHECK_CONFIGURE_FLAGS = --with-bashcompdir='$$(datarootdir)/bash-completion/completions'
 ACLOCAL_AMFLAGS = -I m4
 -SUBDIRS = src doc tools tests
 +SUBDIRS = src doc tests
- EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE \
- 	INSTALL.FIPS build-android.sh .travis.yml
- doc_DATA = INSTALL README TODO COPYING AUTHORS ChangeLog PORTS BUGS \
+ doc_DATA = README.md TODO.md COPYING.md AUTHORS.md NEWS.md PORTS.md \
+ 	BUGS.md COPYRIGHT.md CREDITS.md INSTALL.W32.md INSTALL.WCE.md \
+ 	INSTALL.FIPS.md
--- a/security/stunnel/patches/patch-src_client_c
+++ b/security/stunnel/patches/patch-src_client_c
@ -0,0 +1,30 @@
+Index: src/client.c
+--- src/client.c.orig
+++ src/client.c
+@@ -750,7 +750,7 @@ NOEXPORT void print_cipher(CLI *c) { /* print negotiat
+ NOEXPORT void transfer(CLI *c) {
+     int timeout; /* s_poll_wait timeout in seconds */
+     int pending; /* either processed on unprocessed TLS data */
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+     int has_pending=0, prev_has_pending;
+ #endif
+     int watchdog=0; /* a counter to detect an infinite loop */
+@@ -797,7 +797,7 @@ NOEXPORT void transfer(CLI *c) {
+ 
+         /****************************** wait for an event */
+         pending=SSL_pending(c->ssl);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+         /* only attempt to process SSL_has_pending() data once */
+         prev_has_pending=has_pending;
+         has_pending=SSL_has_pending(c->ssl);
+@@ -1202,7 +1202,7 @@ NOEXPORT void transfer(CLI *c) {
+             s_log(LOG_ERR,
+                 "please report the problem to Michal.Trojnara@stunnel.org");
+             stunnel_info(LOG_ERR);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+             s_log(LOG_ERR, "protocol=%s, SSL_pending=%d, SSL_has_pending=%d",
+                 SSL_get_version(c->ssl),
+                 SSL_pending(c->ssl), SSL_has_pending(c->ssl));
--- a/security/stunnel/patches/patch-src_common_h
+++ b/security/stunnel/patches/patch-src_common_h
@ -0,0 +1,12 @@
+Index: src/common.h
+--- src/common.h.orig
+++ src/common.h
+@@ -454,7 +454,7 @@ extern char *sys_errlist[];
+ #define OPENSSL_NO_TLS1_2
+ #endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */
+ 
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
+#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ #ifndef OPENSSL_NO_SSL2
+ #define OPENSSL_NO_SSL2
+ #endif /* !defined(OPENSSL_NO_SSL2) */
--- a/security/stunnel/patches/patch-src_ctx_c
+++ b/security/stunnel/patches/patch-src_ctx_c
@ -1,7 +1,34 @@
 Index: src/ctx.c
 --- src/ctx.c.orig
 +++ src/ctx.c
-@@ -398,7 +398,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) {
+@@ -91,7 +91,7 @@ NOEXPORT void set_prompt(const char *);
+ NOEXPORT int ui_retry();
+ 
+ /* session tickets */
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int generate_session_ticket_cb(SSL *, void *);
+ NOEXPORT int decrypt_session_ticket_cb(SSL *, SSL_SESSION *,
+     const unsigned char *, size_t, SSL_TICKET_STATUS, void *);
+@@ -179,7 +179,7 @@ int context_init(SERVICE_OPTIONS *section) { /* init T
+     }
+     current_section=section; /* setup current section for callbacks */
+ 
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
+#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+     /* set the security level */
+     if(section->security_level>=0) {
+         /* set the user-specified value */
+@@ -265,7 +265,7 @@ int context_init(SERVICE_OPTIONS *section) { /* init T
+ #endif
+ 
+     /* setup session tickets */
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+     SSL_CTX_set_session_ticket_cb(section->ctx, generate_session_ticket_cb,
+         decrypt_session_ticket_cb, NULL);
+ #endif /* OpenSSL 1.1.1 or later */
+@@ -539,7 +539,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) {
 /**************************************** initialize OpenSSL CONF */
 
 NOEXPORT int conf_init(SERVICE_OPTIONS *section) {
@ -10,3 +37,21 @@ Index: src/ctx.c
     SSL_CONF_CTX *cctx;
     NAME_LIST *curr;
     char *cmd, *param;
+@@ -1045,7 +1045,7 @@ NOEXPORT int ui_retry() {
+ 
+ /**************************************** session tickets */
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 
+ typedef struct {
+     void *session_authenticated;
+@@ -1538,7 +1538,7 @@ NOEXPORT void info_callback(const SSL *ssl, int where,
+ 
+     c=SSL_get_ex_data((SSL *)ssl, index_ssl_cli);
+     if(c) {
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
+#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+         OSSL_HANDSHAKE_STATE state=SSL_get_state(ssl);
+ #else
+         int state=SSL_get_state((SSL *)ssl);
--- a/security/stunnel/patches/patch-src_options_c
+++ b/security/stunnel/patches/patch-src_options_c
@ -0,0 +1,12 @@
+Index: src/options.c
+--- src/options.c.orig
+++ src/options.c
+@@ -38,7 +38,7 @@
+ #include "common.h"
+ #include "prototypes.h"
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ #define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
+ #else /* OpenSSL version < 1.1.1 */
+ #define DEFAULT_CURVES "prime256v1"
--- a/security/stunnel/patches/patch-src_prototypes_h
+++ b/security/stunnel/patches/patch-src_prototypes_h
@ -0,0 +1,21 @@
+Index: src/prototypes.h
+--- src/prototypes.h.orig
+++ src/prototypes.h
+@@ -736,7 +736,7 @@ int getnameinfo(const struct sockaddr *, socklen_t,
+ extern CLI *thread_head;
+ #endif
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
+#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ #ifdef USE_OS_THREADS
+ 
+@@ -787,7 +787,7 @@ typedef enum {
+ 
+ extern CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS];
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
+#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ /* Emulate the OpenSSL 1.1 locking API for older OpenSSL versions */
+ CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void);
+ int CRYPTO_THREAD_read_lock(CRYPTO_RWLOCK *);
--- a/security/stunnel/patches/patch-src_ssl_c
+++ b/security/stunnel/patches/patch-src_ssl_c
@ -0,0 +1,30 @@
+Index: src/ssl.c
+--- src/ssl.c.orig
+++ src/ssl.c
+@@ -44,7 +44,7 @@ NOEXPORT void cb_new_auth(void *parent, void *ptr, CRY
+ #if OPENSSL_VERSION_NUMBER>=0x30000000L
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+     void **from_d, int idx, long argl, void *argp);
+-#elif OPENSSL_VERSION_NUMBER>=0x10100000L
+#elif OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+     void *from_d, int idx, long argl, void *argp);
+ #else
+@@ -87,7 +87,7 @@ int fips_available() { /* either FIPS provider or cont
+ }
+ 
+ int ssl_init(void) { /* init TLS before parsing configuration file */
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
+#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+     OPENSSL_INIT_SETTINGS *conf=OPENSSL_INIT_new();
+ #ifdef USE_WIN32
+     OPENSSL_INIT_set_config_filename(conf, "..\\config\\openssl.cnf");
+@@ -161,7 +161,7 @@ NOEXPORT void cb_new_auth(void *parent, void *ptr, CRY
+ #if OPENSSL_VERSION_NUMBER>=0x30000000L
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+         void **from_d, int idx, long argl, void *argp) {
+-#elif OPENSSL_VERSION_NUMBER>=0x10100000L
+#elif OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+         void *from_d, int idx, long argl, void *argp) {
+ #else
--- a/security/stunnel/patches/patch-src_sthreads_c
+++ b/security/stunnel/patches/patch-src_sthreads_c
@ -0,0 +1,31 @@
+Index: src/sthreads.c
+--- src/sthreads.c.orig
+++ src/sthreads.c
+@@ -120,7 +120,7 @@ void thread_id_init(void) {
+ /**************************************** locking */
+ 
+ /* we only need to initialize locking with OpenSSL older than 1.1.0 */
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
+#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ #ifdef USE_PTHREAD
+ 
+@@ -279,7 +279,7 @@ NOEXPORT int s_atomic_add(int *val, int amount, CRYPTO
+ 
+ CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS];
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
+#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ #ifdef USE_OS_THREADS
+ 
+@@ -387,7 +387,8 @@ int CRYPTO_atomic_add(int *val, int amount, int *ret, 
+ 
+ void locking_init(void) {
+     size_t i;
+-#if defined(USE_OS_THREADS) && OPENSSL_VERSION_NUMBER<0x10100004L
+#if defined(USE_OS_THREADS) && \
+	(OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER))
+     size_t num;
+ 
+     /* initialize the OpenSSL static locking */
--- a/security/stunnel/patches/patch-src_tls_c
+++ b/security/stunnel/patches/patch-src_tls_c
@ -0,0 +1,30 @@
+Index: src/tls.c
+--- src/tls.c.orig
+++ src/tls.c
+@@ -41,7 +41,7 @@
+ volatile int tls_initialized=0;
+ 
+ NOEXPORT void tls_platform_init();
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
+#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT void free_function(void *);
+ #endif
+ 
+@@ -52,7 +52,7 @@ void tls_init() {
+     tls_platform_init();
+     tls_initialized=1;
+     ui_tls=tls_alloc(NULL, NULL, "ui");
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
+#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+     CRYPTO_set_mem_functions(str_alloc_detached_debug,
+         str_realloc_detached_debug, str_free_debug);
+ #else
+@@ -184,7 +184,7 @@ TLS_DATA *tls_get() {
+ 
+ /**************************************** OpenSSL allocator hook */
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
+#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT void free_function(void *ptr) {
+     /* CRYPTO_set_mem_ex_functions() needs a function rather than a macro */
+     /* unfortunately, OpenSSL provides no file:line information here */
--- a/security/stunnel/patches/patch-src_verify_c
+++ b/security/stunnel/patches/patch-src_verify_c
@ -1,7 +1,7 @@
 Index: src/verify.c
 --- src/verify.c.orig
 +++ src/verify.c
-@@ -353,7 +353,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback
+@@ -351,7 +351,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback
     cert=X509_STORE_CTX_get_current_cert(callback_ctx);
     subject=X509_get_subject_name(cert);
 
--- a/security/stunnel/patches/patch-tools_stunnel_conf-sample_in
+++ b/security/stunnel/patches/patch-tools_stunnel_conf-sample_in
@ -14,13 +14,13 @@ Index: tools/stunnel.conf-sample.in
 
 ; PID file is created inside the chroot jail (if enabled)
 -;pid = @localstatedir@/run/stunnel.pid
-+pid = /stunnel.pid
+;pid = /stunnel.pid
 
 ; Debugging stuff (may be useful for troubleshooting)
 ;foreground = yes
 ;debug = info
 -;output = @localstatedir@/log/stunnel.log
-+;output = stunnel.log
+;output = /stunnel.log
 
 ; Enable FIPS 140-2 mode if needed for compliance
 ;fips = yes
@ -33,7 +33,13 @@ Index: tools/stunnel.conf-sample.in
 
 ; **************************************************************************
 ; * Service definitions (remove all services for inetd mode)               *
-@@ -59,32 +60,32 @@
+@@ -54,37 +55,37 @@
+ 
+ ; ***************************************** Example TLS client mode services
+ 
+-; The following examples use /etc/ssl/certs, which is the common location
+; The following examples use ${SYSCONFDIR}/ssl/certs, which is the common location
+ ; of a hashed directory containing trusted CA certificates.  This is not
 ; a hardcoded path of the stunnel package, as it is not related to the
 ; stunnel configuration in @sysconfdir@/stunnel/.
 
@ -90,36 +96,27 @@ Index: tools/stunnel.conf-sample.in
 
 ; Encrypted HTTP proxy authenticated with a client certificate
 ; located in a cryptographic token
-@@ -98,43 +99,43 @@ OCSPaia = yes
- 
- ; ***************************************** Example TLS server mode services
- 
-;[pop3s]
-;accept  = 995
-;connect = 110
+@@ -101,12 +102,12 @@ OCSPaia = yes
+ ;[pop3s]
+ ;accept  = 995
+ ;connect = 110
 -;cert = @sysconfdir@/stunnel/stunnel.pem
-+[pop3s]
-+accept  = 995
-+connect = 110
-+cert = ${SYSCONFDIR}/stunnel/stunnel.pem
+;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
 
-;[imaps]
-;accept  = 993
-;connect = 143
+ ;[imaps]
+ ;accept  = 993
+ ;connect = 143
 -;cert = @sysconfdir@/stunnel/stunnel.pem
-+[imaps]
-+accept  = 993
-+connect = 143
-+cert = ${SYSCONFDIR}/stunnel/stunnel.pem
+;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
 
-;[ssmtp]
-;accept  = 465
-;connect = 25
+ ; Either only expose this service to trusted networks, or require
+ ; authentication when relaying emails originated from loopback.
+@@ -114,29 +115,29 @@ OCSPaia = yes
+ ;[ssmtp]
+ ;accept  = 465
+ ;connect = 25
 -;cert = @sysconfdir@/stunnel/stunnel.pem
-+[ssmtp]
-+accept  = 465
-+connect = 25
-+cert = ${SYSCONFDIR}/stunnel/stunnel.pem
+;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
 
 ; TLS front-end to a web server
 ;[https]
@ -139,7 +136,6 @@ Index: tools/stunnel.conf-sample.in
 ;accept = 1337
 ;exec = /bin/sh
 ;execArgs = sh -i
- ;ciphers = PSK
 -;PSKsecrets = @sysconfdir@/stunnel/secrets.txt
 +;PSKsecrets = ${SYSCONFDIR}/stunnel/secrets.txt
 
--- a/security/stunnel/pkg/PLIST
+++ b/security/stunnel/pkg/PLIST
@ -1,6 +1,7 @@
@newgroup _stunnel:528
@newuser _stunnel:528:_stunnel:daemon:stunnel account:/var/stunnel:/sbin/nologin
@extra /var/stunnel/stunnel.pid
+@rcscript ${RCDIR}/stunnel
@man man/man8/stunnel.8
@bin sbin/stunnel
 sbin/stunnel3
@ -10,5 +11,3 @@ share/examples/stunnel/stunnel.conf-sample
@sample ${SYSCONFDIR}/stunnel/stunnel.conf
@owner _stunnel
@sample /var/stunnel/
-@owner
-@rcscript ${RCDIR}/stunnel