From d49f1069c57d4e150e646e606dbf1bd272684d1d Mon Sep 17 00:00:00 2001 From: Wang Mingyu Date: Wed, 6 Mar 2024 16:43:28 +0800 Subject: stunnel: upgrade 5.69 -> 5.72 fix-openssl-no-des.patch refreshed for 5.72 License-Update: Copyright year updated to 2024. Changelog: =========== * Security bugfixes - OpenSSL DLLs updated to version 3.2.1. - OpenSSL FIPS Provider updated to version 3.0.8. * Bugfixes - Fixed SSL_CTX_new() errors handling. - Fixed OPENSSL_NO_PSK builds. - Android build updated for NDK r23c. - stunnel.nsi updated for Debian 12. - Fixed tests with OpenSSL older than 1.0.2. - Fixed the console output of tstunnel.exe. - Fixed TLS socket EOF handling with OpenSSL 3.x. This bug caused major interoperability issues between stunnel built with OpenSSL 3.x and Microsoft's Schannel Security Support Provider (SSP). - Fixed reading certificate chains from PKCS#12 files. * Features sponsored by SAE IT-systems - OCSP stapling is requested and verified in the client mode. - Using "verifyChain" automatically enables OCSP stapling in the client mode. - OCSP stapling is always available in the server mode. - An inconclusive OCSP verification breaks TLS negotiation. This can be disabled with "OCSPrequire = no". - Added the "TIMEOUTocsp" option to control the maximum time allowed for connecting an OCSP responder. * Features - Added support for Red Hat OpenSSL 3.x patches. - Added configurable delay for the "retry" option. Signed-off-by: Wang Mingyu Signed-off-by: Khem Raj --- .../stunnel/stunnel/fix-openssl-no-des.patch | 34 ++++++++++++---------- .../recipes-support/stunnel/stunnel_5.69.bb | 33 --------------------- .../recipes-support/stunnel/stunnel_5.72.bb | 33 +++++++++++++++++++++ 3 files changed, 51 insertions(+), 49 deletions(-) delete mode 100644 meta-networking/recipes-support/stunnel/stunnel_5.69.bb create mode 100644 meta-networking/recipes-support/stunnel/stunnel_5.72.bb (limited to 'meta-networking') 
diff --git a/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch b/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch index 0840cbbd8b..82d3551019 100644 --- a/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch +++ b/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch @@ -11,17 +11,16 @@ failed. Fix it by checking macro OPENSSL_NO_DES to use openssl des related library conditionaly. Signed-off-by: Kai Kang - --- src/common.h | 2 ++ src/protocol.c | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/common.h b/src/common.h -index bc37eb5..03ee3e5 100644 +index 2b4869f..180d31a 100644 --- a/src/common.h +++ b/src/common.h -@@ -486,7 +486,9 @@ extern char *sys_errlist[]; +@@ -492,7 +492,9 @@ extern char *sys_errlist[]; #ifndef OPENSSL_NO_MD4 #include #endif /* !defined(OPENSSL_NO_MD4) */ @@ -32,29 +31,29 @@ index bc37eb5..03ee3e5 100644 #include #if OPENSSL_VERSION_NUMBER<0x10100000L diff --git a/src/protocol.c b/src/protocol.c -index 804f115..d9b2b50 100644 +index cfe6d3b..3936aea 100644 --- a/src/protocol.c 
+++ b/src/protocol.c -@@ -66,7 +66,7 @@ NOEXPORT char *nntp_client(CLI *, SERVICE_OPTIONS *, const PHASE); - NOEXPORT char *ldap_client(CLI *, SERVICE_OPTIONS *, const PHASE); - NOEXPORT char *connect_server(CLI *, SERVICE_OPTIONS *, const PHASE); - NOEXPORT char *connect_client(CLI *, SERVICE_OPTIONS *, const PHASE); +@@ -81,7 +81,7 @@ NOEXPORT void ldap_client_middle(CLI *); + + NOEXPORT void connect_server_early(CLI *); + NOEXPORT void connect_client_middle(CLI *); -#ifndef OPENSSL_NO_MD4 +#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DES) - NOEXPORT void ntlm(CLI *, SERVICE_OPTIONS *); + NOEXPORT void ntlm(CLI *); NOEXPORT char *ntlm1(void); NOEXPORT char *ntlm3(char *, char *, char *, char *); -@@ -1351,7 +1351,7 @@ NOEXPORT char *connect_client(CLI *c, SERVICE_OPTIONS *opt, const PHASE phase) { - fd_printf(c, c->remote_fd.fd, "Host: %s", opt->protocol_host); - if(opt->protocol_username && opt->protocol_password) { - if(!strcasecmp(opt->protocol_authentication, "ntlm")) { +@@ -1331,7 +1331,7 @@ NOEXPORT void connect_client_middle(CLI *c) { + fd_printf(c, c->remote_fd.fd, "Host: %s", c->opt->protocol_host); + if(c->opt->protocol_username && c->opt->protocol_password) { + if(!strcasecmp(c->opt->protocol_authentication, "ntlm")) { -#ifndef OPENSSL_NO_MD4 +#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DES) - ntlm(c, opt); + ntlm(c); #else s_log(LOG_ERR, "NTLM authentication is not available"); -@@ -1395,7 +1395,7 @@ NOEXPORT char *connect_client(CLI *c, SERVICE_OPTIONS *opt, const PHASE phase) { - return NULL; +@@ -1374,7 +1374,7 @@ NOEXPORT void connect_client_middle(CLI *c) { + str_free(line); } -#ifndef OPENSSL_NO_MD4 @@ -62,3 +61,6 @@ index 804f115..d9b2b50 100644 /* * NTLM code is based on the following documentation: +-- +2.34.1 + diff --git a/meta-networking/recipes-support/stunnel/stunnel_5.69.bb b/meta-networking/recipes-support/stunnel/stunnel_5.69.bb deleted file mode 100644 index 8161529735..0000000000 
--- a/meta-networking/recipes-support/stunnel/stunnel_5.69.bb
+++ /dev/null
@@ -1,33 +0,0 @@
-SUMMARY = "Program for providing universal TLS/SSL tunneling service"
-DESCRIPTION = "SSL encryption wrapper between remote client and local (inetd-startable) or remote server."
-HOMEPAGE = "https://www.stunnel.org/"
-SECTION = "net"
-LICENSE = "GPL-2.0-or-later"
-LIC_FILES_CHKSUM = "file://COPYING.md;md5=b4988f33f70b383b3011c4ede0a679ce"
-
-DEPENDS = "autoconf-archive libnsl2 openssl"
-
-SRC_URI = "https://stunnel.org/archive/5.x/${BP}.tar.gz \
- file://fix-openssl-no-des.patch \
-"
-
-SRC_URI[sha256sum] = "1ff7d9f30884c75b98c8a0a4e1534fa79adcada2322635e6787337b4e38fdb81"
-
-inherit autotools bash-completion pkgconfig
-
-PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6 systemd', d)} libwrap"
-
-PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
-PACKAGECONFIG[libwrap] = "--enable-libwrap,--disable-libwrap,tcp-wrappers"
-PACKAGECONFIG[systemd] = "--enable-systemd,--disable-systemd,systemd"
-
-EXTRA_OECONF += "--with-ssl='${STAGING_EXECPREFIXDIR}' --disable-fips"
-
-# When cross compiling, configure defaults to nobody, but provides no option to change it.
-EXTRA_OEMAKE += "DEFAULT_GROUP='nogroup'"
-
-# stunnel3 is a Perl wrapper to allow use of the legacy stunnel 3.x commandline
-# syntax with stunnel >= 4.05
-PACKAGES =+ "stunnel3"
-FILES:stunnel3 = "${bindir}/stunnel3"
-RDEPENDS:stunnel3 += "${PN} perl"
diff --git a/meta-networking/recipes-support/stunnel/stunnel_5.72.bb b/meta-networking/recipes-support/stunnel/stunnel_5.72.bb
new file mode 100644
index 0000000000..6d21027a16
--- /dev/null
+++ b/meta-networking/recipes-support/stunnel/stunnel_5.72.bb
@@ -0,0 +1,33 @@
+SUMMARY = "Program for providing universal TLS/SSL tunneling service"
+DESCRIPTION = "SSL encryption wrapper between remote client and local (inetd-startable) or remote server."
+HOMEPAGE = "https://www.stunnel.org/"
+SECTION = "net"
+LICENSE = "GPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://COPYING.md;md5=906ac034adaee9d093318e51b53453ca"
+
+DEPENDS = "autoconf-archive libnsl2 openssl"
+
+SRC_URI = "https://stunnel.org/archive/5.x/${BP}.tar.gz \
+ file://fix-openssl-no-des.patch \
+"
+
+SRC_URI[sha256sum] = "3d532941281ae353319735144e4adb9ae489a10b7e309c58a48157f08f42e949"
+
+inherit autotools bash-completion pkgconfig
+
+PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6 systemd', d)} libwrap"
+
+PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
+PACKAGECONFIG[libwrap] = "--enable-libwrap,--disable-libwrap,tcp-wrappers"
+PACKAGECONFIG[systemd] = "--enable-systemd,--disable-systemd,systemd"
+
+EXTRA_OECONF += "--with-ssl='${STAGING_EXECPREFIXDIR}' --disable-fips"
+
+# When cross compiling, configure defaults to nobody, but provides no option to change it.
+EXTRA_OEMAKE += "DEFAULT_GROUP='nogroup'"
+
+# stunnel3 is a Perl wrapper to allow use of the legacy stunnel 3.x commandline
+# syntax with stunnel >= 4.05
+PACKAGES =+ "stunnel3"
+FILES:stunnel3 = "${bindir}/stunnel3"
+RDEPENDS:stunnel3 += "${PN} perl"
-- cgit v1.2.3-54-g00ecf