author | Ismael Luceno | 2022-08-08 20:27:41 +0200 |
---|---|---|
committer | Ismael Luceno | 2022-08-08 21:26:52 +0200 |
commit | 7766665fb9522b09380cd9b9658da5b30a3e72a5 (patch) | |
tree | 286efa8aadd0597e8d6e99f38c0c1301e3ad6f2d | |
parent | 03d8a18b6273e0ec0b932b798101baae9dff9f5d (diff) |
stunnel 2.64
-rwxr-xr-x | net/stunnel/DETAILS | 9 | ||||
-rw-r--r-- | net/stunnel/HISTORY | 1 | ||||
-rwxr-xr-x | net/stunnel/INSTALL | 2 | ||||
-rwxr-xr-x | net/stunnel/PRE_BUILD | 9 | ||||
-rw-r--r-- | net/stunnel/libressl.patch | 18 | ||||
-rw-r--r-- | net/stunnel/patches/libressl.patch | 246 |
6 files changed, 253 insertions, 32 deletions
diff --git a/net/stunnel/DETAILS b/net/stunnel/DETAILS
index e38e278616..12b32b7902 100755
--- a/net/stunnel/DETAILS
+++ b/net/stunnel/DETAILS
@@ -1,13 +1,12 @@
 SPELL=stunnel
- VERSION=5.14
+ VERSION=5.64
 SECURITY_PATCH=2
- BRANCH=$(echo $VERSION | cut -d. -f1)
 SOURCE=$SPELL-$VERSION.tar.gz
 SOURCE2=$SOURCE.asc
 SOURCE_DIRECTORY="$BUILD_DIRECTORY/$SPELL-$VERSION"
- SOURCE_URL[0]=ftp://ftp.stunnel.org/stunnel/archive/$BRANCH.x/$SOURCE
- SOURCE_URL[1]=http://www.usenix.org.uk/mirrors/stunnel/archive/$BRANCH.x/$SOURCE
- SOURCE_URL[2]=ftp://ftp.nluug.nl/pub/networking/stunnel/archive/$BRANCH.x/$SOURCE
+ SOURCE_URL[0]=ftp://ftp.stunnel.org/stunnel/archive/${VERSION%.*}.x/$SOURCE
+ SOURCE_URL[1]=http://www.usenix.org.uk/mirrors/stunnel/archive/${VERSION%.*}.x/$SOURCE
+ SOURCE_URL[2]=ftp://ftp.nluug.nl/pub/networking/stunnel/archive/${VERSION%.*}.x/$SOURCE
 SOURCE2_URL[0]=$SOURCE_URL.asc
 SOURCE2_URL[1]=${SOURCE_URL[1]}.asc
 SOURCE2_URL[2]=${SOURCE_URL[2]}.asc
diff --git a/net/stunnel/HISTORY b/net/stunnel/HISTORY
index 061cb48c0b..6e83ed5856 100644
--- a/net/stunnel/HISTORY
+++ b/net/stunnel/HISTORY
@@ -1,5 +1,6 @@
 2022-08-08 Ismael Luceno <ismael@sourcemage.org>
 * INSTALL: merged sedit commands into one
+ * DETAILS, INSTALL, PRE_BUILD, libressl.patch: updated spell to 5.64
 
 2015-04-22 Vlad Glagolev <stealth@sourcemage.org>
 * DETAILS: updated spell to 5.14; SECURITY_PATCH++
diff --git a/net/stunnel/INSTALL b/net/stunnel/INSTALL
index 2bd0f43579..7d6b339a04 100755
--- a/net/stunnel/INSTALL
+++ b/net/stunnel/INSTALL
@@ -1,4 +1,4 @@
-local STUNNEL_CNF="tools/stunnel.cnf" &&
+local STUNNEL_CNF="tools/openssl.cnf" &&
 
 sedit "
 s:^countryName_default.*:countryName_value = $COUNTRY_NAME:
diff --git a/net/stunnel/PRE_BUILD b/net/stunnel/PRE_BUILD
index c3c2124912..c230ad14bf 100755
--- a/net/stunnel/PRE_BUILD
+++ b/net/stunnel/PRE_BUILD
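Review bot: `SECURITY_PATCH=2` is left unchanged in the DETAILS hunk while `VERSION` jumps from 5.14 (2015) to 5.64 (2022), and the previous HISTORY entry shows the convention of bumping it on security-relevant updates (`updated spell to 5.14; SECURITY_PATCH++`). Whether any of the intervening upstream releases fixed security issues cannot be determined from this hunk, but a seven-year gap makes it likely; if so the line should become `SECURITY_PATCH=3` so that already-installed systems are flagged for a forced update rather than treating this as an ordinary version bump. The HISTORY entry would then also carry the `SECURITY_PATCH++` marker.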
@@ -1,10 +1,3 @@
 default_pre_build &&
 cd "$SOURCE_DIRECTORY" &&
-
-patch -p1 < "$SPELL_DIRECTORY/libressl.patch" &&
-
-# fixed default paths in configuration file
-sedit "s:@prefix@::g" tools/stunnel.conf-sample.in &&
-
-# fixed check for existent stunnel certificate
-sedit "s:\$(DESTDIR)\$(confdir)/stunnel.pem:$INSTALL_ROOT/etc/stunnel/stunnel.pem:" tools/Makefile.in
+apply_patch_dir patches
diff --git a/net/stunnel/libressl.patch b/net/stunnel/libressl.patch
deleted file mode 100644
index 85b90071b9..0000000000
--- a/net/stunnel/libressl.patch
+++ /dev/null
@@ -1,18 +0,0 @@
---- stunnel-5.02.org/src/ssl.c 2014-07-12 06:13:07.356889656 +0000
-+++ stunnel-5.02/src/ssl.c 2014-07-12 06:15:39.032889896 +0000
-@@ -195,6 +195,7 @@
- }
- s_log(LOG_DEBUG, "RAND_screen failed to sufficiently seed PRNG");
- #else
-+#ifdef HAVE_RAND_EGD
- if(global->egd_sock) {
- if((bytes=RAND_egd(global->egd_sock))==-1) {
- s_log(LOG_WARNING, "EGD Socket %s failed", global->egd_sock);
-@@ -207,6 +208,7 @@
- so no need to check if seeded sufficiently */
- }
- }
-+#endif
- /* try the good-old default /dev/urandom, if available */
- totbytes+=add_rand_file(global, "/dev/urandom");
- if(RAND_status())
diff --git a/net/stunnel/patches/libressl.patch b/net/stunnel/patches/libressl.patch
new file mode 100644
index 0000000000..f4ae841689
--- /dev/null
+++ b/net/stunnel/patches/libressl.patch
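Review bot: `apply_patch_dir patches` replaces not only the old `patch -p1` call but also the two post-extraction fixes removed in the same hunk — the `@prefix@` substitution in `tools/stunnel.conf-sample.in` and the redirect of the certificate-existence check in `tools/Makefile.in` to `$INSTALL_ROOT/etc/stunnel/stunnel.pem` — and neither the hunk nor the HISTORY entry says whether stunnel 5.64 made them unnecessary. If the 5.64 Makefile still tests `$(DESTDIR)$(confdir)/stunnel.pem` (not visible here), `make install` may generate a fresh self-signed certificate or skip installing one based on the wrong path, which silently changes what key material ends up under `/etc/stunnel`. This should be confirmed against the 5.64 tarball and the outcome recorded, e.g. `* PRE_BUILD: dropped conf-sample/Makefile.in sedits, no longer needed since 5.xx` in HISTORY, or the two `sedit` lines kept after `apply_patch_dir patches` if the paths are still wrong.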
@@ -0,0 +1,246 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: FIXME <unknown@unknown>
+Subject: [PATCH] Add LibreSSL support
+Date: Mon, 8 Aug 2022 16:50:47 +0200
+
+Origin: OpenBSD
+[ismael@iodev.co.uk: Updated for stunnel 5.64]
+Signed-off-by: Ismael Luceno <ismael@iodev.co.uk>
+---
+ src/client.c | 6 +++---
+ src/common.h | 2 +-
+ src/ctx.c | 12 ++++++------
+ src/options.c | 2 +-
+ src/prototypes.h | 4 ++--
+ src/ssl.c | 6 +++---
+ src/sthreads.c | 7 ++++---
+ src/tls.c | 6 +++---
+ src/verify.c | 2 +-
+ 9 files changed, 24 insertions(+), 23 deletions(-)
+
+--- a/src/common.h
++++ b/src/common.h
+@@ -457,7 +457,7 @@ extern char *sys_errlist[];
+ #define OPENSSL_NO_TLS1_2
+ #endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */
+
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ #ifndef OPENSSL_NO_SSL2
+ #define OPENSSL_NO_SSL2
+ #endif /* !defined(OPENSSL_NO_SSL2) */
+--- a/src/client.c
++++ b/src/client.c
+@@ -753,7 +753,7 @@ NOEXPORT void print_cipher(CLI *c) { /* print negotiat
+ NOEXPORT void transfer(CLI *c) {
+ int timeout; /* s_poll_wait timeout in seconds */
+ int pending; /* either processed on unprocessed TLS data */
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ int has_pending=0, prev_has_pending;
+ #endif
+ int watchdog=0; /* a counter to detect an infinite loop */
+@@ -800,7 +800,7 @@ NOEXPORT void transfer(CLI *c) {
+
+ /****************************** wait for an event */
+ pending=SSL_pending(c->ssl);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ /* only attempt to process SSL_has_pending() data once */
+ prev_has_pending=has_pending;
+ has_pending=SSL_has_pending(c->ssl);
+@@ -1205,7 +1205,7 @@ NOEXPORT void transfer(CLI *c) {
+ s_log(LOG_ERR,
+ "please report the problem to Michal.Trojnara@stunnel.org");
+ stunnel_info(LOG_ERR);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ s_log(LOG_ERR, "protocol=%s, SSL_pending=%d, SSL_has_pending=%d",
+ SSL_get_version(c->ssl),
+ SSL_pending(c->ssl), SSL_has_pending(c->ssl));
+--- a/src/ctx.c
++++ b/src/ctx.c
+@@ -94,7 +94,7 @@ NOEXPORT void set_prompt(const char *);
+ NOEXPORT int ui_retry();
+
+ /* session tickets */
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int generate_session_ticket_cb(SSL *, void *);
+ NOEXPORT int decrypt_session_ticket_cb(SSL *, SSL_SESSION *,
+ const unsigned char *, size_t, SSL_TICKET_STATUS, void *);
+@@ -182,7 +182,7 @@ int context_init(SERVICE_OPTIONS *section) { /* init T
+ }
+ current_section=section; /* setup current section for callbacks */
+
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ /* set the security level */
+ if(section->security_level>=0) {
+ /* set the user-specified value */
+@@ -270,7 +270,7 @@ int context_init(SERVICE_OPTIONS *section) { /* init T
+ #endif
+
+ /* setup session tickets */
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ SSL_CTX_set_session_ticket_cb(section->ctx, generate_session_ticket_cb,
+ decrypt_session_ticket_cb, NULL);
+ #endif /* OpenSSL 1.1.1 or later */
+@@ -544,7 +544,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) {
+ /**************************************** initialize OpenSSL CONF */
+
+ NOEXPORT int conf_init(SERVICE_OPTIONS *section) {
+-#if OPENSSL_VERSION_NUMBER>=0x10002000L
++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+ SSL_CONF_CTX *cctx;
+ NAME_LIST *curr;
+ char *cmd, *param;
+@@ -1050,7 +1050,7 @@ NOEXPORT int ui_retry() {
+
+ /**************************************** session tickets */
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+
+ typedef struct {
+ void *session_authenticated;
+@@ -1541,7 +1541,7 @@ NOEXPORT void info_callback(const SSL *ssl, int where,
+
+ c=SSL_get_ex_data((SSL *)ssl, index_ssl_cli);
+ if(c) {
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ OSSL_HANDSHAKE_STATE state=SSL_get_state(ssl);
+ #else
+ int state=SSL_get_state((SSL *)ssl);
+--- a/src/options.c
++++ b/src/options.c
+@@ -37,7 +37,7 @@
+ #include "common.h"
+ #include "prototypes.h"
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ #define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
+ #else /* OpenSSL version < 1.1.1 */
+ #define DEFAULT_CURVES "prime256v1"
+--- a/src/prototypes.h
++++ b/src/prototypes.h
+@@ -726,7 +726,7 @@ int getnameinfo(const struct sockaddr *, socklen_t,
+ extern CLI *thread_head;
+ #endif
+
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+
+ #ifdef USE_OS_THREADS
+
+@@ -777,7 +777,7 @@ typedef enum {
+
+ extern CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS];
+
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ /* Emulate the OpenSSL 1.1 locking API for older OpenSSL versions */
+ CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void);
+ int CRYPTO_THREAD_read_lock(CRYPTO_RWLOCK *);
+--- a/src/ssl.c
++++ b/src/ssl.c
+@@ -43,7 +43,7 @@ NOEXPORT void cb_new_auth(void *parent, void *ptr, CRY
+ #if OPENSSL_VERSION_NUMBER>=0x30000000L
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void **from_d, int idx, long argl, void *argp);
+-#elif OPENSSL_VERSION_NUMBER>=0x10100000L
++#elif OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void *from_d, int idx, long argl, void *argp);
+ #else
+@@ -83,7 +83,7 @@ int fips_available() { /* either FIPS provider or cont
+ }
+
+ int ssl_init(void) { /* init TLS before parsing configuration file */
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ OPENSSL_INIT_SETTINGS *conf=OPENSSL_INIT_new();
+ #ifdef USE_WIN32
+ OPENSSL_INIT_set_config_filename(conf, "..\\config\\openssl.cnf");
+@@ -200,7 +200,7 @@ NOEXPORT void cb_new_auth(void *parent, void *ptr, CRY
+ #if OPENSSL_VERSION_NUMBER>=0x30000000L
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void **from_d, int idx, long argl, void *argp) {
+-#elif OPENSSL_VERSION_NUMBER>=0x10100000L
++#elif OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void *from_d, int idx, long argl, void *argp) {
+ #else
+--- a/src/sthreads.c
++++ b/src/sthreads.c
+@@ -123,7 +123,7 @@ void thread_id_init(void) {
+ /**************************************** locking */
+
+ /* we only need to initialize locking with OpenSSL older than 1.1.0 */
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+
+ #ifdef USE_PTHREAD
+
+@@ -283,7 +283,7 @@ NOEXPORT int s_atomic_add(int *val, int amount, CRYPTO
+
+ CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS];
+
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+
+ #ifdef USE_OS_THREADS
+
+@@ -391,7 +391,8 @@ int CRYPTO_atomic_add(int *val, int amount, int *ret,
+
+ void locking_init(void) {
+ size_t i;
+-#if defined(USE_OS_THREADS) && OPENSSL_VERSION_NUMBER<0x10100004L
++#if defined(USE_OS_THREADS) && \
++ (OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER))
+ size_t num;
+
+ /* initialize the OpenSSL static locking */
+--- a/src/tls.c
++++ b/src/tls.c
+@@ -40,7 +40,7 @@
+ volatile int tls_initialized=0;
+
+ NOEXPORT void tls_platform_init();
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT void free_function(void *);
+ #endif
+
+@@ -51,7 +51,7 @@ void tls_init() {
+ tls_platform_init();
+ tls_initialized=1;
+ ui_tls=tls_alloc(NULL, NULL, "ui");
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ CRYPTO_set_mem_functions(str_alloc_detached_debug,
+ str_realloc_detached_debug, str_free_debug);
+ #else
+@@ -183,7 +183,7 @@ TLS_DATA *tls_get() {
+
+ /**************************************** OpenSSL allocator hook */
+
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT void free_function(void *ptr) {
+ /* CRYPTO_set_mem_ex_functions() needs a function rather than a macro */
+ /* unfortunately, OpenSSL provides no file:line information here */
+--- a/src/verify.c
++++ b/src/verify.c
+@@ -350,7 +350,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback
+ cert=X509_STORE_CTX_get_current_cert(callback_ctx);
+ subject=X509_get_subject_name(cert);
+
+-#if OPENSSL_VERSION_NUMBER<0x10100006L
++#if OPENSSL_VERSION_NUMBER<0x10100006L || defined(LIBRESSL_VERSION_NUMBER)
+ #define X509_STORE_CTX_get1_certs X509_STORE_get1_certs
+ #endif
+ /* modern API allows retrieving multiple matching certificates */
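Review bot: Every guard added here excludes LibreSSL unconditionally (`&& !defined(LIBRESSL_VERSION_NUMBER)`), so a LibreSSL build loses the `securityLevel` handling in context_init (ctx.c hunk at 182), the SSL_CONF path in conf_init (hunk at 544), the session-ticket callbacks (hunks at 94, 270, 1050) and the X25519/X448 `DEFAULT_CURVES` list in options.c, which falls back to `"prime256v1"` — regardless of which LibreSSL version is in use and whether it provides those APIs. If the options parser still accepts `securityLevel` in such a build (that code is not in this patch), a configured level becomes a silent no-op, which is a hardening regression that deserves a build-time `#error`/`#warning` or a logged message rather than silence; where a LibreSSL release does provide the API, a per-feature test such as `#if OPENSSL_VERSION_NUMBER>=0x10100000L && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER>=<first release with SSL_CTX_set_security_level>)`, checked against the LibreSSL headers, is preferable to the blanket exclusion. The `From: FIXME <unknown@unknown>` / `Origin: OpenBSD` header also leaves the patch's provenance unauditable; record the ports path and revision it was taken from, e.g. `Origin: OpenBSD ports security/stunnel, patches/ rev <id>`, so the next refresh can be diffed against its source. The functions touched (transfer, context_init, conf_init, locking_init) all extend outside the hunks shown.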