From 63b64b2323d81fc494e2b1ed7db8210732201767309c0d6f0ed4b1625afe5d94 Mon Sep 17 00:00:00 2001
From: Andreas Vetter
Date: Thu, 7 Sep 2023 18:44:15 +0000
Subject: [PATCH] Accepting request 1109525 from home:pmonrealgonzalez:branches:security:Stunnel
- Enable crypto-policies support: [bsc#1211301]
* The system's crypto-policies are the best source to determine which cipher suites to accept in TLS. OpenSSL supports the PROFILE=SYSTEM setting to use those policies. Change stunnel to default to the system settings.
* Add patches:
- stunnel-5.69-system-ciphers.patch
- stunnel-5.69-default-tls-version.patch
- Enable bash completion support
OBS-URL: https://build.opensuse.org/request/show/1109525
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=166
---
stunnel-5.69-default-tls-version.patch | 117 +++++++++++++++++++++++++
stunnel-5.69-system-ciphers.patch | 37 ++++++++
stunnel.changes | 17 ++++
stunnel.spec | 13 ++-
4 files changed, 183 insertions(+), 1 deletion(-)
create mode 100644 stunnel-5.69-default-tls-version.patch
create mode 100644 stunnel-5.69-system-ciphers.patch
diff --git a/stunnel-5.69-default-tls-version.patch b/stunnel-5.69-default-tls-version.patch
new file mode 100644
index 0000000..1884af0
--- /dev/null
+++ b/stunnel-5.69-default-tls-version.patch
@@ -0,0 +1,117 @@
+From 1d3349209f339e6a68312fce076e355bc767d76c Mon Sep 17 00:00:00 2001
+From: Clemens Lang
+Date: Mon, 12 Sep 2022 11:07:38 +0200
+Subject: [PATCH 5/7] Apply patch stunnel-5.69-default-tls-version.patch
+
+Patch-name: stunnel-5.69-default-tls-version.patch
+Patch-id: 5
+From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
+---
+ src/ctx.c | 34 ++++++++++++++++++++++------------
+ src/options.c | 15 +++++++++++----
+ src/prototypes.h | 3 +++
+ 3 files changed, 36 insertions(+), 16 deletions(-)
+
+diff --git a/src/ctx.c b/src/ctx.c
+index 6a42a6b..cba24d9 100644
+--- a/src/ctx.c
++++ b/src/ctx.c
+@@ -152,19 +152,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
+ section->ctx=SSL_CTX_new(section->option.client ?
+ TLS_client_method() : TLS_server_method());
+ #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
+- if(section->min_proto_version &&
+- !SSL_CTX_set_min_proto_version(section->ctx,
+- section->min_proto_version)) {
+- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+- section->min_proto_version);
+- return 1; /* FAILED */
++ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
++ s_log(LOG_INFO, "Using the default TLS minimum version as specified in"
++ " crypto policies. Not setting explicitly.");
++ } else {
++ if(section->min_proto_version &&
++ !SSL_CTX_set_min_proto_version(section->ctx,
++ section->min_proto_version)) {
++ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
++ section->min_proto_version);
++ return 1; /* FAILED */
++ }
+ }
+- if(section->max_proto_version &&
+- !SSL_CTX_set_max_proto_version(section->ctx,
+- section->max_proto_version)) {
+- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+- section->max_proto_version);
+- return 1; /* FAILED */
++ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
++ s_log(LOG_INFO, "Using the default TLS maximum version as specified in"
++ " crypto policies. Not setting explicitly");
++ } else {
++ if(section->max_proto_version &&
++ !SSL_CTX_set_max_proto_version(section->ctx,
++ section->max_proto_version)) {
++ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
++ section->max_proto_version);
++ return 1; /* FAILED */
++ }
+ }
+ #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
+ if(section->option.client)
+diff --git a/src/options.c b/src/options.c
+index 4d31815..2ec5934 100644
+--- a/src/options.c
++++ b/src/options.c
+@@ -3371,8 +3371,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
+ return "Invalid protocol version";
+ return NULL; /* OK */
+ case CMD_INITIALIZE:
+- if(section->max_proto_version && section->min_proto_version &&
+- section->max_proto_versionmin_proto_version)
++ if(section->max_proto_version != USE_DEFAULT_TLS_VERSION
++ && section->min_proto_version != USE_DEFAULT_TLS_VERSION
++ && section->max_proto_versionmin_proto_version)
+ return "Invalid protocol version range";
+ break;
+ case CMD_PRINT_DEFAULTS:
+@@ -3390,7 +3391,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
+ /* sslVersionMax */
+ switch(cmd) {
+ case CMD_SET_DEFAULTS:
+- section->max_proto_version=0; /* highest supported */
++ section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
++ OpenSSL crypto
++ policies.Do not
++ override it */
+ break;
+ case CMD_SET_COPY:
+ section->max_proto_version=new_service_options.max_proto_version;
+@@ -3421,7 +3425,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
+ /* sslVersionMin */
+ switch(cmd) {
+ case CMD_SET_DEFAULTS:
+- section->min_proto_version=0; /* lowest supported */
++ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
++ OpenSSL crypto
++ policies. Do not
++ override it */
+ break;
+ case CMD_SET_COPY:
+ section->min_proto_version=new_service_options.min_proto_version;
+diff --git a/src/prototypes.h b/src/prototypes.h
+index 0ecd719..a126c9e 100644
+--- a/src/prototypes.h
++++ b/src/prototypes.h
+@@ -940,6 +940,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
+ ICON_IMAGE load_icon_file(const char *);
+ #endif
+
++#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
++ crypto policies */
++
+ #endif /* defined PROTOTYPES_H */
+
+ /* end of prototypes.h */
+-- 
+2.39.2
+
diff --git a/stunnel-5.69-system-ciphers.patch b/stunnel-5.69-system-ciphers.patch
new file mode 100644
index 0000000..f328be0
--- /dev/null
+++ b/stunnel-5.69-system-ciphers.patch
@@ -0,0 +1,37 @@
+From 6c8c4c8c85204943223b251d09ca1e93571a437a Mon Sep 17 00:00:00 2001
+From: Sahana Prasad
+Date: Mon, 12 Sep 2022 11:07:38 +0200
+Subject: [PATCH 3/7] Use cipher configuration from crypto-policies
+
+On Fedora, CentOS and RHEL, the system's crypto policies are the best
+source to determine which cipher suites to accept in TLS. On these
+platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
+policies. Change stunnel to default to this setting.
+
+Co-Authored-by: Sahana Prasad
+Patch-name: stunnel-5.69-system-ciphers.patch
+Patch-id: 3
+From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
+---
+ src/options.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/options.c b/src/options.c
+index 6e4a18b..4d31815 100644
+--- a/src/options.c
++++ b/src/options.c
+@@ -321,9 +321,9 @@ static const char *option_not_found=
+ "Specified option name is not valid here";
+
+ static const char *stunnel_cipher_list=
+- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
++ "PROFILE=SYSTEM";
+ static const char *fips_cipher_list=
+- "FIPS:!DH:!kDHEPSK";
++ "PROFILE=SYSTEM";
+
+ #ifndef OPENSSL_NO_TLS1_3
+ static const char *stunnel_ciphersuites=
+-- 
+2.39.2
+
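Review bot: The new `CMD_INITIALIZE` range check in the options.c hunk drops the zero guards the old condition carried (`section->max_proto_version && section->min_proto_version &&`), while the ctx.c hunk still tests `if(section->min_proto_version &&` inside its `else` branch, so 0 apparently remains a reachable "no explicit bound" value distinct from `USE_DEFAULT_TLS_VERSION`; a configuration that sets one bound to 0 and the other explicitly is now compared as `0 < min` and rejected with "Invalid protocol version range" where it used to pass (the comparison operator between the two fields is lost in this rendering, presumably `<`). Keeping both guards next to the sentinel test is the smallest fix: `if(section->max_proto_version != USE_DEFAULT_TLS_VERSION && section->max_proto_version && section->min_proto_version != USE_DEFAULT_TLS_VERSION && section->min_proto_version && section->max_proto_version<section->min_proto_version)`. In prototypes.h the sentinel `((int)-2)` deserves a comment that says how it differs from 0, e.g. `/* 0 = no explicit bound passed to OpenSSL; USE_DEFAULT_TLS_VERSION = leave the crypto-policies default untouched */`, and the two `LOG_INFO` messages in ctx.c differ only by a trailing period. Both `context_init` and `parse_service_option` start and end outside their hunks.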
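Review bot: `PROFILE=SYSTEM` for both `stunnel_cipher_list` and `fips_cipher_list` is only understood by an OpenSSL built with crypto-policies support; on any other build `SSL_CTX_set_cipher_list` rejects the string and context setup fails instead of falling back to a usable list, and nothing in the patched source records that dependency (the outer spec guards the patch by release version, which presumably tracks where such an OpenSSL ships). For `fips_cipher_list` the previous explicit `FIPS:` restriction now rests entirely on the system policy being in FIPS mode, and the trailing context shows `stunnel_ciphersuites` untouched, so the TLS 1.3 suite list is presumably still stunnel's own default rather than the policy's. A comment above the two definitions would make both points visible to the next maintainer, e.g. `/* PROFILE=SYSTEM delegates TLS <= 1.2 cipher selection to the system crypto-policies; requires an OpenSSL built with crypto-policies support, and in FIPS mode relies on the FIPS policy being active */`. The declarations sit at file scope in options.c; the surrounding cipher-suite definitions continue outside the hunk.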
diff --git a/stunnel.changes b/stunnel.changes
index de46a2b..071bc4d 100644
--- a/stunnel.changes
+++ b/stunnel.changes
@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Thu Sep 7 11:01:11 UTC 2023 - Pedro Monreal
+
+- Enable crypto-policies support: [bsc#1211301]
+ * The system's crypto-policies are the best source to determine
+ which cipher suites to accept in TLS. OpenSSL supports the
+ PROFILE=SYSTEM setting to use those policies. Change stunnel
+ to default to the system settings.
+ * Add patches:
+ - stunnel-5.69-system-ciphers.patch
+ - stunnel-5.69-default-tls-version.patch
+
+-------------------------------------------------------------------
+Thu Sep 7 10:34:18 UTC 2023 - Pedro Monreal
+
+- Enable bash completion support
+
 -------------------------------------------------------------------
 Fri Jul 21 07:37:10 UTC 2023 - Andreas Vetter
diff --git a/stunnel.spec b/stunnel.spec
index e89b2a0..055e235 100644
--- a/stunnel.spec
+++ b/stunnel.spec
@@ -37,6 +37,11 @@ Source7: stunnel.README
 # PATCH-FIX-UPSTREAM Fix service file, so it ensure we are starting after network is really up!
 Patch1: stunnel-5.59_service_always_after_network.patch
 Patch2: harden_stunnel.service.patch
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+# PATCH-FIX-FEDORA bsc#1211301 Add crypto-policies support
+Patch3: stunnel-5.69-system-ciphers.patch
+Patch4: stunnel-5.69-default-tls-version.patch
+%endif
 BuildRequires: libopenssl-devel
 # test dependencies
 BuildRequires: netcat
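Review bot: The `%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400` guard around Patch3/Patch4 encodes a requirement the spec never states: the patches make stunnel hand `PROFILE=SYSTEM` to OpenSSL, which only an OpenSSL built with crypto-policies support accepts, and the version condition presumably selects the releases that ship such a build. A comment on the guard keeps that from being broken silently when the condition is next edited, e.g. `# PROFILE=SYSTEM needs an OpenSSL built with crypto-policies support; only apply where that build is shipped`. `# PATCH-FIX-FEDORA` is also not one of the usual openSUSE patch tags, and the patches change defaults rather than fix a bug, so `# PATCH-FEATURE-OPENSUSE` (or whichever origin tag the project uses) reads more accurately. The same condition is repeated verbatim around `%patch3`/`%patch4` in the `%prep` hunk below; defining it once keeps the two in step.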
@@ -77,12 +82,17 @@ This package contains additional documentation for the stunnel program.
 chmod -x %{_builddir}/stunnel-%{version}/tools/ca.*
 chmod -x %{_builddir}/stunnel-%{version}/tools/importCA.*
 %patch2 -p1
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+%patch3 -p1
+%patch4 -p1
+%endif
 %build
 sed -i 's/-m 1770//g' tools/Makefile.in
 %configure \
 --disable-static \
- --bindir=%{_sbindir}
+ --bindir=%{_sbindir} \
+ --with-bashcompdir=%{_datadir}/bash-completion/completions
 %if 0%{?sle_version} < 150000
 %define make_build %{__make} -O %{?_smp_mflags}
 %endif
@@ -161,6 +171,7 @@ fi
 %dir %attr(755,stunnel,root) %{_localstatedir}/lib/stunnel%{_localstatedir}/run
 %{_fillupdir}/sysconfig.syslog-stunnel
 %{_unitdir}/stunnel.service
+%{_datadir}/bash-completion/completions/%{name}.bash
 %files doc
 %doc %{_docdir}/%{name}
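Review bot: `%{_datadir}/bash-completion/completions/%{name}.bash` is added to `%files` without the package owning or requiring the `bash-completion/completions` directory it is placed in; unless a line outside the hunk handles that, the directory is unowned on systems without the bash-completion package, which rpmlint typically reports. Either `Requires: bash-completion` or owning the path with `%dir %{_datadir}/bash-completion` and `%dir %{_datadir}/bash-completion/completions` in the same `%files` section resolves it. The `--with-bashcompdir` argument in the `%build` hunk is passed unconditionally, so the `%files` entry is consistent with it and the build fails loudly if configure does not install the file. The `%files` section continues outside the hunk.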