Accepting request 1109525 from home:pmonrealgonzalez:branches:security:Stunnel

- Enable crypto-policies support: [bsc#1211301] * The system's crypto-policies are the best source to determine which cipher suites to accept in TLS. OpenSSL supports the PROFILE=SYSTEM setting to use those policies. Change stunnel to default to the system settings. * Add patches: - stunnel-5.69-system-ciphers.patch - stunnel-5.69-default-tls-version.patch - Enable bash completion support OBS-URL: https://build.opensuse.org/request/show/1109525 OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=166
2023-09-07 18:44:15 +00:00 · 2023-09-07 18:44:15 +00:00 · 63b64b2323
commit 63b64b2323
parent 9c536d619a
4 changed files with 183 additions and 1 deletions
--- a/stunnel-5.69-default-tls-version.patch
+++ b/stunnel-5.69-default-tls-version.patch
@ -0,0 +1,117 @@
+From 1d3349209f339e6a68312fce076e355bc767d76c Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Mon, 12 Sep 2022 11:07:38 +0200
+Subject: [PATCH 5/7] Apply patch stunnel-5.69-default-tls-version.patch
+
+Patch-name: stunnel-5.69-default-tls-version.patch
+Patch-id: 5
+From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
+---
+ src/ctx.c        | 34 ++++++++++++++++++++++------------
+ src/options.c    | 15 +++++++++++----
+ src/prototypes.h |  3 +++
+ 3 files changed, 36 insertions(+), 16 deletions(-)
+
+diff --git a/src/ctx.c b/src/ctx.c
+index 6a42a6b..cba24d9 100644
+--- a/src/ctx.c
+++ b/src/ctx.c
+@@ -152,19 +152,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
+     section->ctx=SSL_CTX_new(section->option.client ?
+         TLS_client_method() : TLS_server_method());
+ #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
+-    if(section->min_proto_version &&
+-            !SSL_CTX_set_min_proto_version(section->ctx,
+-            section->min_proto_version)) {
+-        s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+-            section->min_proto_version);
+-        return 1; /* FAILED */
+    if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
+        s_log(LOG_INFO, "Using the default TLS minimum version as specified in"
+                " crypto policies. Not setting explicitly.");
+    } else {
+        if(section->min_proto_version &&
+                !SSL_CTX_set_min_proto_version(section->ctx,
+                section->min_proto_version)) {
+            s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+                section->min_proto_version);
+            return 1; /* FAILED */
+        }
+     }
+-    if(section->max_proto_version &&
+-            !SSL_CTX_set_max_proto_version(section->ctx,
+-            section->max_proto_version)) {
+-        s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+-            section->max_proto_version);
+-        return 1; /* FAILED */
+    if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
+        s_log(LOG_INFO, "Using the default TLS maximum version as specified in"
+                " crypto policies. Not setting explicitly");
+    } else {
+        if(section->max_proto_version &&
+                !SSL_CTX_set_max_proto_version(section->ctx,
+                section->max_proto_version)) {
+            s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+                section->max_proto_version);
+            return 1; /* FAILED */
+        }
+     }
+ #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
+     if(section->option.client)
+diff --git a/src/options.c b/src/options.c
+index 4d31815..2ec5934 100644
+--- a/src/options.c
+++ b/src/options.c
+@@ -3371,8 +3371,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
+             return "Invalid protocol version";
+         return NULL; /* OK */
+     case CMD_INITIALIZE:
+-        if(section->max_proto_version && section->min_proto_version &&
+-                section->max_proto_version<section->min_proto_version)
+        if(section->max_proto_version != USE_DEFAULT_TLS_VERSION
+                && section->min_proto_version != USE_DEFAULT_TLS_VERSION
+                && section->max_proto_version<section->min_proto_version)
+             return "Invalid protocol version range";
+         break;
+     case CMD_PRINT_DEFAULTS:
+@@ -3390,7 +3391,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
+     /* sslVersionMax */
+     switch(cmd) {
+     case CMD_SET_DEFAULTS:
+-        section->max_proto_version=0; /* highest supported */
+        section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+                                                               OpenSSL crypto
+                                                               policies.Do not
+                                                               override it */
+         break;
+     case CMD_SET_COPY:
+         section->max_proto_version=new_service_options.max_proto_version;
+@@ -3421,7 +3425,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
+     /* sslVersionMin */
+     switch(cmd) {
+     case CMD_SET_DEFAULTS:
+-        section->min_proto_version=0; /* lowest supported */
+        section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+                                                               OpenSSL crypto
+                                                               policies. Do not
+                                                               override it */
+         break;
+     case CMD_SET_COPY:
+         section->min_proto_version=new_service_options.min_proto_version;
+diff --git a/src/prototypes.h b/src/prototypes.h
+index 0ecd719..a126c9e 100644
+--- a/src/prototypes.h
+++ b/src/prototypes.h
+@@ -940,6 +940,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
+ ICON_IMAGE load_icon_file(const char *);
+ #endif
+ 
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
+                                             crypto policies */
+
+ #endif /* defined PROTOTYPES_H */
+ 
+ /* end of prototypes.h */
+-- 
+2.39.2
+
--- a/stunnel-5.69-system-ciphers.patch
+++ b/stunnel-5.69-system-ciphers.patch
@ -0,0 +1,37 @@
+From 6c8c4c8c85204943223b251d09ca1e93571a437a Mon Sep 17 00:00:00 2001
+From: Sahana Prasad <sprasad@localhost.localdomain>
+Date: Mon, 12 Sep 2022 11:07:38 +0200
+Subject: [PATCH 3/7] Use cipher configuration from crypto-policies
+
+On Fedora, CentOS and RHEL, the system's crypto policies are the best
+source to determine which cipher suites to accept in TLS. On these
+platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
+policies. Change stunnel to default to this setting.
+
+Co-Authored-by: Sahana Prasad <shebburn@redhat.com>
+Patch-name: stunnel-5.69-system-ciphers.patch
+Patch-id: 3
+From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
+---
+ src/options.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/options.c b/src/options.c
+index 6e4a18b..4d31815 100644
+--- a/src/options.c
+++ b/src/options.c
+@@ -321,9 +321,9 @@ static const char *option_not_found=
+     "Specified option name is not valid here";
+ 
+ static const char *stunnel_cipher_list=
+-    "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
+    "PROFILE=SYSTEM";
+ static const char *fips_cipher_list=
+-    "FIPS:!DH:!kDHEPSK";
+    "PROFILE=SYSTEM";
+ 
+ #ifndef OPENSSL_NO_TLS1_3
+ static const char *stunnel_ciphersuites=
+-- 
+2.39.2
+
--- a/stunnel.changes
+++ b/stunnel.changes
@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Thu Sep  7 11:01:11 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Enable crypto-policies support: [bsc#1211301]
+  * The system's crypto-policies are the best source to determine
+    which cipher suites to accept in TLS. OpenSSL supports the
+    PROFILE=SYSTEM setting to use those policies. Change stunnel
+    to default to the system settings.
+  * Add patches:
+    - stunnel-5.69-system-ciphers.patch
+    - stunnel-5.69-default-tls-version.patch
+
+-------------------------------------------------------------------
+Thu Sep  7 10:34:18 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Enable bash completion support
+
 -------------------------------------------------------------------
 Fri Jul 21 07:37:10 UTC 2023 - Andreas Vetter <vetter@physik.uni-wuerzburg.de>

--- a/stunnel.spec
+++ b/stunnel.spec
@ -37,6 +37,11 @@ Source7:        stunnel.README
 # PATCH-FIX-UPSTREAM Fix service file, so it ensure we are starting after network is really up!
 Patch1:         stunnel-5.59_service_always_after_network.patch
 Patch2:         harden_stunnel.service.patch
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+# PATCH-FIX-FEDORA bsc#1211301 Add crypto-policies support
+Patch3:         stunnel-5.69-system-ciphers.patch
+Patch4:         stunnel-5.69-default-tls-version.patch
+%endif
 BuildRequires:  libopenssl-devel
 # test dependencies
 BuildRequires:  netcat
@ -77,12 +82,17 @@ This package contains additional documentation for the stunnel program.
 chmod -x %{_builddir}/stunnel-%{version}/tools/ca.*
 chmod -x %{_builddir}/stunnel-%{version}/tools/importCA.*
 %patch2 -p1
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+%patch3 -p1
+%patch4 -p1
+%endif

 %build
 sed -i 's/-m 1770//g' tools/Makefile.in
 %configure \
 	--disable-static \
-	--bindir=%{_sbindir}
+	--bindir=%{_sbindir} \
+	--with-bashcompdir=%{_datadir}/bash-completion/completions
 %if 0%{?sle_version} < 150000
  %define make_build %{__make} -O %{?_smp_mflags}
 %endif
@ -161,6 +171,7 @@ fi
 %dir %attr(755,stunnel,root) %{_localstatedir}/lib/stunnel%{_localstatedir}/run
 %{_fillupdir}/sysconfig.syslog-stunnel
 %{_unitdir}/stunnel.service
+%{_datadir}/bash-completion/completions/%{name}.bash

 %files doc
 %doc %{_docdir}/%{name}