authorIsmael Luceno2022-08-08 20:27:41 +0200
committerIsmael Luceno2022-08-08 21:26:52 +0200
commit7766665fb9522b09380cd9b9658da5b30a3e72a5 (patch)
tree286efa8aadd0597e8d6e99f38c0c1301e3ad6f2d
parent03d8a18b6273e0ec0b932b798101baae9dff9f5d (diff)
stunnel 5.64
-rwxr-xr-xnet/stunnel/DETAILS9
-rw-r--r--net/stunnel/HISTORY1
-rwxr-xr-xnet/stunnel/INSTALL2
-rwxr-xr-xnet/stunnel/PRE_BUILD9
-rw-r--r--net/stunnel/libressl.patch18
-rw-r--r--net/stunnel/patches/libressl.patch246
6 files changed, 253 insertions, 32 deletions
diff --git a/net/stunnel/DETAILS b/net/stunnel/DETAILS
index e38e278616..12b32b7902 100755
--- a/net/stunnel/DETAILS
+++ b/net/stunnel/DETAILS
@@ -1,13 +1,12 @@
SPELL=stunnel
- VERSION=5.14
+ VERSION=5.64
SECURITY_PATCH=2
- BRANCH=$(echo $VERSION | cut -d. -f1)
SOURCE=$SPELL-$VERSION.tar.gz
SOURCE2=$SOURCE.asc
SOURCE_DIRECTORY="$BUILD_DIRECTORY/$SPELL-$VERSION"
- SOURCE_URL[0]=ftp://ftp.stunnel.org/stunnel/archive/$BRANCH.x/$SOURCE
- SOURCE_URL[1]=http://www.usenix.org.uk/mirrors/stunnel/archive/$BRANCH.x/$SOURCE
- SOURCE_URL[2]=ftp://ftp.nluug.nl/pub/networking/stunnel/archive/$BRANCH.x/$SOURCE
+ SOURCE_URL[0]=ftp://ftp.stunnel.org/stunnel/archive/${VERSION%.*}.x/$SOURCE
+ SOURCE_URL[1]=http://www.usenix.org.uk/mirrors/stunnel/archive/${VERSION%.*}.x/$SOURCE
+ SOURCE_URL[2]=ftp://ftp.nluug.nl/pub/networking/stunnel/archive/${VERSION%.*}.x/$SOURCE
SOURCE2_URL[0]=$SOURCE_URL.asc
SOURCE2_URL[1]=${SOURCE_URL[1]}.asc
SOURCE2_URL[2]=${SOURCE_URL[2]}.asc
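Review bot: SECURITY_PATCH stays at 2 while VERSION jumps from 5.14 (2015) to 5.64 on the lines above, even though this spell's own HISTORY shows the 5.14 update bumped it and the counter is presumably what prompts users to rebuild. If any of the intervening upstream releases carry security fixes — worth checking stunnel's changelog before merging — this should read `SECURITY_PATCH=3`. Separately, all three SOURCE_URL entries fetch the tarball over ftp:// or plain http://, so integrity rests entirely on the .asc from SOURCE2 being checked against a pinned upstream key; that check is not visible in this hunk, so confirm a SOURCE_GPG line (not SOURCE2_IGNORE) exists further down in DETAILS.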
diff --git a/net/stunnel/HISTORY b/net/stunnel/HISTORY
index 061cb48c0b..6e83ed5856 100644
--- a/net/stunnel/HISTORY
+++ b/net/stunnel/HISTORY
@@ -1,5 +1,6 @@
2022-08-08 Ismael Luceno <ismael@sourcemage.org>
* INSTALL: merged sedit commands into one
+ * DETAILS, INSTALL, PRE_BUILD, libressl.patch: updated spell to 5.64
2015-04-22 Vlad Glagolev <stealth@sourcemage.org>
* DETAILS: updated spell to 5.14; SECURITY_PATCH++
diff --git a/net/stunnel/INSTALL b/net/stunnel/INSTALL
index 2bd0f43579..7d6b339a04 100755
--- a/net/stunnel/INSTALL
+++ b/net/stunnel/INSTALL
@@ -1,4 +1,4 @@
-local STUNNEL_CNF="tools/stunnel.cnf" &&
+local STUNNEL_CNF="tools/openssl.cnf" &&
sedit "
s:^countryName_default.*:countryName_value = $COUNTRY_NAME:
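Review bot: Only the config filename changes here, but the sed script that follows (it continues past this hunk) was written against 5.14's tools/stunnel.cnf; a `^name_default` pattern that no longer matches in 5.64's tools/openssl.cnf makes sedit a silent no-op, and the self-signed stunnel.pem presumably generated from that file at install time would then carry upstream's placeholder subject instead of the configured one. Please confirm each pattern against the 5.64 file, or add a guard such as `grep -q '^countryName_default' "$STUNNEL_CNF" || return 1` before the sedit so a stale pattern fails the cast loudly.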
diff --git a/net/stunnel/PRE_BUILD b/net/stunnel/PRE_BUILD
index c3c2124912..c230ad14bf 100755
--- a/net/stunnel/PRE_BUILD
+++ b/net/stunnel/PRE_BUILD
@@ -1,10 +1,3 @@
default_pre_build &&
cd "$SOURCE_DIRECTORY" &&
-
-patch -p1 < "$SPELL_DIRECTORY/libressl.patch" &&
-
-# fixed default paths in configuration file
-sedit "s:@prefix@::g" tools/stunnel.conf-sample.in &&
-
-# fixed check for existent stunnel certificate
-sedit "s:\$(DESTDIR)\$(confdir)/stunnel.pem:$INSTALL_ROOT/etc/stunnel/stunnel.pem:" tools/Makefile.in
+apply_patch_dir patches
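Review bot: The sedit that redirected tools/Makefile.in's existing-certificate check from `$(DESTDIR)$(confdir)/stunnel.pem` to `$INSTALL_ROOT/etc/stunnel/stunnel.pem` is removed with nothing replacing it — the diffstat shows patches/ gaining only libressl.patch. Unless 5.64's tools/Makefile.in handles a staged install itself, that check now looks in the empty DESTDIR, so every cast regenerates a fresh self-signed stunnel.pem and may install it over the key pair an admin has already deployed. The `@prefix@` sedit for tools/stunnel.conf-sample.in is dropped the same way. Verify both against 5.64 and re-add them, as a patch under patches/ or by restoring `sedit "s:\$(DESTDIR)\$(confdir)/stunnel.pem:$INSTALL_ROOT/etc/stunnel/stunnel.pem:" tools/Makefile.in`, if still needed.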
diff --git a/net/stunnel/libressl.patch b/net/stunnel/libressl.patch
deleted file mode 100644
index 85b90071b9..0000000000
--- a/net/stunnel/libressl.patch
+++ /dev/null
@@ -1,18 +0,0 @@
---- stunnel-5.02.org/src/ssl.c 2014-07-12 06:13:07.356889656 +0000
-+++ stunnel-5.02/src/ssl.c 2014-07-12 06:15:39.032889896 +0000
-@@ -195,6 +195,7 @@
- }
- s_log(LOG_DEBUG, "RAND_screen failed to sufficiently seed PRNG");
- #else
-+#ifdef HAVE_RAND_EGD
- if(global->egd_sock) {
- if((bytes=RAND_egd(global->egd_sock))==-1) {
- s_log(LOG_WARNING, "EGD Socket %s failed", global->egd_sock);
-@@ -207,6 +208,7 @@
- so no need to check if seeded sufficiently */
- }
- }
-+#endif
- /* try the good-old default /dev/urandom, if available */
- totbytes+=add_rand_file(global, "/dev/urandom");
- if(RAND_status())
diff --git a/net/stunnel/patches/libressl.patch b/net/stunnel/patches/libressl.patch
new file mode 100644
index 0000000000..f4ae841689
--- /dev/null
+++ b/net/stunnel/patches/libressl.patch
@@ -0,0 +1,246 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: FIXME <unknown@unknown>
+Subject: [PATCH] Add LibreSSL support
+Date: Mon, 8 Aug 2022 16:50:47 +0200
+
+Origin: OpenBSD
+[ismael@iodev.co.uk: Updated for stunnel 5.64]
+Signed-off-by: Ismael Luceno <ismael@iodev.co.uk>
+---
+ src/client.c | 6 +++---
+ src/common.h | 2 +-
+ src/ctx.c | 12 ++++++------
+ src/options.c | 2 +-
+ src/prototypes.h | 4 ++--
+ src/ssl.c | 6 +++---
+ src/sthreads.c | 7 ++++---
+ src/tls.c | 6 +++---
+ src/verify.c | 2 +-
+ 9 files changed, 24 insertions(+), 23 deletions(-)
+
+--- a/src/common.h
++++ b/src/common.h
+@@ -457,7 +457,7 @@ extern char *sys_errlist[];
+ #define OPENSSL_NO_TLS1_2
+ #endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */
+
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ #ifndef OPENSSL_NO_SSL2
+ #define OPENSSL_NO_SSL2
+ #endif /* !defined(OPENSSL_NO_SSL2) */
+--- a/src/client.c
++++ b/src/client.c
+@@ -753,7 +753,7 @@ NOEXPORT void print_cipher(CLI *c) { /* print negotiat
+ NOEXPORT void transfer(CLI *c) {
+ int timeout; /* s_poll_wait timeout in seconds */
+ int pending; /* either processed on unprocessed TLS data */
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ int has_pending=0, prev_has_pending;
+ #endif
+ int watchdog=0; /* a counter to detect an infinite loop */
+@@ -800,7 +800,7 @@ NOEXPORT void transfer(CLI *c) {
+
+ /****************************** wait for an event */
+ pending=SSL_pending(c->ssl);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ /* only attempt to process SSL_has_pending() data once */
+ prev_has_pending=has_pending;
+ has_pending=SSL_has_pending(c->ssl);
+@@ -1205,7 +1205,7 @@ NOEXPORT void transfer(CLI *c) {
+ s_log(LOG_ERR,
+ "please report the problem to Michal.Trojnara@stunnel.org");
+ stunnel_info(LOG_ERR);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ s_log(LOG_ERR, "protocol=%s, SSL_pending=%d, SSL_has_pending=%d",
+ SSL_get_version(c->ssl),
+ SSL_pending(c->ssl), SSL_has_pending(c->ssl));
+--- a/src/ctx.c
++++ b/src/ctx.c
+@@ -94,7 +94,7 @@ NOEXPORT void set_prompt(const char *);
+ NOEXPORT int ui_retry();
+
+ /* session tickets */
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int generate_session_ticket_cb(SSL *, void *);
+ NOEXPORT int decrypt_session_ticket_cb(SSL *, SSL_SESSION *,
+ const unsigned char *, size_t, SSL_TICKET_STATUS, void *);
+@@ -182,7 +182,7 @@ int context_init(SERVICE_OPTIONS *section) { /* init T
+ }
+ current_section=section; /* setup current section for callbacks */
+
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ /* set the security level */
+ if(section->security_level>=0) {
+ /* set the user-specified value */
+@@ -270,7 +270,7 @@ int context_init(SERVICE_OPTIONS *section) { /* init T
+ #endif
+
+ /* setup session tickets */
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ SSL_CTX_set_session_ticket_cb(section->ctx, generate_session_ticket_cb,
+ decrypt_session_ticket_cb, NULL);
+ #endif /* OpenSSL 1.1.1 or later */
+@@ -544,7 +544,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) {
+ /**************************************** initialize OpenSSL CONF */
+
+ NOEXPORT int conf_init(SERVICE_OPTIONS *section) {
+-#if OPENSSL_VERSION_NUMBER>=0x10002000L
++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+ SSL_CONF_CTX *cctx;
+ NAME_LIST *curr;
+ char *cmd, *param;
+@@ -1050,7 +1050,7 @@ NOEXPORT int ui_retry() {
+
+ /**************************************** session tickets */
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+
+ typedef struct {
+ void *session_authenticated;
+@@ -1541,7 +1541,7 @@ NOEXPORT void info_callback(const SSL *ssl, int where,
+
+ c=SSL_get_ex_data((SSL *)ssl, index_ssl_cli);
+ if(c) {
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ OSSL_HANDSHAKE_STATE state=SSL_get_state(ssl);
+ #else
+ int state=SSL_get_state((SSL *)ssl);
+--- a/src/options.c
++++ b/src/options.c
+@@ -37,7 +37,7 @@
+ #include "common.h"
+ #include "prototypes.h"
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ #define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
+ #else /* OpenSSL version < 1.1.1 */
+ #define DEFAULT_CURVES "prime256v1"
+--- a/src/prototypes.h
++++ b/src/prototypes.h
+@@ -726,7 +726,7 @@ int getnameinfo(const struct sockaddr *, socklen_t,
+ extern CLI *thread_head;
+ #endif
+
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+
+ #ifdef USE_OS_THREADS
+
+@@ -777,7 +777,7 @@ typedef enum {
+
+ extern CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS];
+
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ /* Emulate the OpenSSL 1.1 locking API for older OpenSSL versions */
+ CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void);
+ int CRYPTO_THREAD_read_lock(CRYPTO_RWLOCK *);
+--- a/src/ssl.c
++++ b/src/ssl.c
+@@ -43,7 +43,7 @@ NOEXPORT void cb_new_auth(void *parent, void *ptr, CRY
+ #if OPENSSL_VERSION_NUMBER>=0x30000000L
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void **from_d, int idx, long argl, void *argp);
+-#elif OPENSSL_VERSION_NUMBER>=0x10100000L
++#elif OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void *from_d, int idx, long argl, void *argp);
+ #else
+@@ -83,7 +83,7 @@ int fips_available() { /* either FIPS provider or cont
+ }
+
+ int ssl_init(void) { /* init TLS before parsing configuration file */
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ OPENSSL_INIT_SETTINGS *conf=OPENSSL_INIT_new();
+ #ifdef USE_WIN32
+ OPENSSL_INIT_set_config_filename(conf, "..\\config\\openssl.cnf");
+@@ -200,7 +200,7 @@ NOEXPORT void cb_new_auth(void *parent, void *ptr, CRY
+ #if OPENSSL_VERSION_NUMBER>=0x30000000L
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void **from_d, int idx, long argl, void *argp) {
+-#elif OPENSSL_VERSION_NUMBER>=0x10100000L
++#elif OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void *from_d, int idx, long argl, void *argp) {
+ #else
+--- a/src/sthreads.c
++++ b/src/sthreads.c
+@@ -123,7 +123,7 @@ void thread_id_init(void) {
+ /**************************************** locking */
+
+ /* we only need to initialize locking with OpenSSL older than 1.1.0 */
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+
+ #ifdef USE_PTHREAD
+
+@@ -283,7 +283,7 @@ NOEXPORT int s_atomic_add(int *val, int amount, CRYPTO
+
+ CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS];
+
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+
+ #ifdef USE_OS_THREADS
+
+@@ -391,7 +391,8 @@ int CRYPTO_atomic_add(int *val, int amount, int *ret,
+
+ void locking_init(void) {
+ size_t i;
+-#if defined(USE_OS_THREADS) && OPENSSL_VERSION_NUMBER<0x10100004L
++#if defined(USE_OS_THREADS) && \
++ (OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER))
+ size_t num;
+
+ /* initialize the OpenSSL static locking */
+--- a/src/tls.c
++++ b/src/tls.c
+@@ -40,7 +40,7 @@
+ volatile int tls_initialized=0;
+
+ NOEXPORT void tls_platform_init();
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT void free_function(void *);
+ #endif
+
+@@ -51,7 +51,7 @@ void tls_init() {
+ tls_platform_init();
+ tls_initialized=1;
+ ui_tls=tls_alloc(NULL, NULL, "ui");
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ CRYPTO_set_mem_functions(str_alloc_detached_debug,
+ str_realloc_detached_debug, str_free_debug);
+ #else
+@@ -183,7 +183,7 @@ TLS_DATA *tls_get() {
+
+ /**************************************** OpenSSL allocator hook */
+
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT void free_function(void *ptr) {
+ /* CRYPTO_set_mem_ex_functions() needs a function rather than a macro */
+ /* unfortunately, OpenSSL provides no file:line information here */
+--- a/src/verify.c
++++ b/src/verify.c
+@@ -350,7 +350,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback
+ cert=X509_STORE_CTX_get_current_cert(callback_ctx);
+ subject=X509_get_subject_name(cert);
+
+-#if OPENSSL_VERSION_NUMBER<0x10100006L
++#if OPENSSL_VERSION_NUMBER<0x10100006L || defined(LIBRESSL_VERSION_NUMBER)
+ #define X509_STORE_CTX_get1_certs X509_STORE_get1_certs
+ #endif
+ /* modern API allows retrieving multiple matching certificates */
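Review bot: The ctx.c hunk around `/* set the security level */` now compiles the security-level path out for every LibreSSL build, yet nothing in this patch touches the parsing of the `securityLevel` option; if options.c (outside the patch) still accepts it, a LibreSSL build will take `securityLevel = 2` from stunnel.conf and silently enforce nothing. Either reject the option at parse time under LibreSSL or add an else branch so the operator is told, e.g. `#else` / `if(section->security_level>=0) s_log(LOG_WARNING, "securityLevel is not supported by this LibreSSL build");` / `#endif`. More broadly, the blanket `!defined(LIBRESSL_VERSION_NUMBER)` treats every LibreSSL release as pre-1.1.0 OpenSSL — it enables stunnel's own `CRYPTO_THREAD_lock_new` emulation in prototypes.h/sthreads.c, which would collide with a LibreSSL that already exports those symbols, and it drops the default curve list to the single `prime256v1` — so a `LIBRESSL_VERSION_NUMBER < 0x...` threshold is the usual approach rather than excluding LibreSSL outright. The header's `From: FIXME <unknown@unknown>` next to `Origin: OpenBSD` should also name the ports file and revision the patch was taken from, so its provenance can be audited.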