16533604 stunnel should upgrade to 4.56
15590084 SUNBT6882553 stunnel should use CRYPTO_num_locks() instead of CRYPTO_NUM_LOCKS
--- a/components/stunnel/Makefile Tue Apr 09 10:37:15 2013 -0700
+++ b/components/stunnel/Makefile Tue Apr 09 12:17:40 2013 -0700
@@ -26,15 +26,14 @@
include ../../make-rules/shared-macros.mk
COMPONENT_NAME= stunnel
-COMPONENT_VERSION= 4.29
-COMPONENT_PROJECT_URL= http://stunnel.mirt.net/
+COMPONENT_VERSION= 4.56
+COMPONENT_PROJECT_URL= http://www.stunnel.org/
COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_VERSION)
COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.gz
COMPONENT_ARCHIVE_HASH= \
- sha256:018064e852a2a125bcfb4b81baa77b5701ccf6aabe6a47564bfc046b18d11f9b
+ sha256:9cae2cfbe26d87443398ce50d7d5db54e5ea363889d5d2ec8d2778a01c871293
-# ftp://stunnel.mirt.net/stunnel/stunnel-4.29.tar.gz is no longer there.
-COMPONENT_ARCHIVE_URL= http://pkgs.fedoraproject.org/repo/pkgs/$(COMPONENT_NAME)/$(COMPONENT_ARCHIVE)/14dc3f8412947f0548975cbce74d6863/$(COMPONENT_ARCHIVE)
+COMPONENT_ARCHIVE_URL= http://pkgs.fedoraproject.org/repo/pkgs/$(COMPONENT_NAME)/$(COMPONENT_ARCHIVE)/ac4c4a30bd7a55b6687cbd62d864054c/$(COMPONENT_ARCHIVE)
COMPONENT_BUGDB= utility/stunnel
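Review bot: `COMPONENT_ARCHIVE_URL` still fetches the tarball over plain `http://` from the Fedora lookaside cache, and the comment explaining why the mirror is used was deleted without a replacement. The `sha256:` value in `COMPONENT_ARCHIVE_HASH` is therefore the only integrity control on the download. A short comment above the URL would record its provenance, for example `# 4.56 tarball taken from the Fedora lookaside cache; sha256 to be verified against the upstream release`. If the site now named in `COMPONENT_PROJECT_URL` serves this version, pointing the archive URL there would remove the third-party mirror from the build's trust path.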
@@ -42,14 +41,15 @@
include ../../make-rules/configure.mk
include ../../make-rules/ips.mk
-COMPONENT_PREP_ACTION = (cd $(@D) ; autoreconf -if)
-
# need /usr/perl5/bin on path to access pod2man perl script, used by
# the build to create docs
COMPONENT_BUILD_ENV += PATH=/usr/perl5/bin:$(PATH)
CPPFLAGS += "-DPIDFILE='\"/var/run/stunnel.pid\"'"
+# used to generate the 64-bit interposer location
+CPPFLAGS += -DMACH64='\"$(MACH64)\"'
+
CONFIGURE_OPTIONS += --disable-fips
CONFIGURE_OPTIONS += --enable-ipv6
CONFIGURE_OPTIONS += --sysconfdir=$(ETCDIR)
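Review bot: The new `-DMACH64='\"$(MACH64)\"'` define is not wrapped in outer double quotes, unlike the `-DPIDFILE` define on the line above it. Nothing here says which form survives the trip through configure and the compiler command line, so that is worth confirming. The macro is also more than a path fragment, because the 32_64 patch in this commit tests `#ifdef MACH64` to choose between `LD_PRELOAD_32`/`LD_PRELOAD_64` and plain `LD_PRELOAD`. I would extend the comment to say so, for example `# MACH64 must reach the compiler as a C string literal; src/client.c also uses #ifdef MACH64 to select the LD_PRELOAD_32/_64 variables`.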
@@ -57,6 +57,9 @@
CONFIGURE_OPTIONS += CFLAGS="$(CFLAGS)"
CONFIGURE_OPTIONS += LDFLAGS="$(LDFLAGS)"
+# used to generate LD_PRELOAD_* interposer pathnames
+COMPONENT_BUILD_ARGS += pkglibdir=/usr/lib/stunnel
+
COMPONENT_PRE_INSTALL_ACTION = \
$(MKDIR) $(PROTOETCDIR)/stunnel ; \
$(TOUCH) $(PROTOETCDIR)/stunnel/stunnel.pem
--- a/components/stunnel/patches/stunnel-4.29-authpriv.patch Tue Apr 09 10:37:15 2013 -0700
+++ b/components/stunnel/patches/stunnel-4.29-authpriv.patch Tue Apr 09 12:17:40 2013 -0700
@@ -1,50 +1,41 @@
-diff -urNp stunnel-4.29-orig/doc/stunnel.8 stunnel-4.29/doc/stunnel.8
---- stunnel-4.29-orig/doc/stunnel.8 2009-11-20 15:50:52.000000000 -0500
-+++ stunnel-4.29/doc/stunnel.8 2009-12-09 16:44:25.000000000 -0500
[email protected]@ -169,7 +169,7 @@ info (6), or debug (7). All logs for th
- all levels numerically less than it will be shown. Use \fBdebug = debug\fR or
- \&\fBdebug = 7\fR for greatest debugging output. The default is notice (5).
- .Sp
--The syslog facility 'daemon' will be used unless a facility name is supplied.
-+The syslog facility 'authpriv' will be used unless a facility name is supplied.
- (Facilities are not supported on Win32.)
- .Sp
- Case is ignored for both facilities and levels.
-diff -urNp stunnel-4.29-orig/doc/stunnel.html stunnel-4.29/doc/stunnel.html
---- stunnel-4.29-orig/doc/stunnel.html 2009-11-20 15:50:52.000000000 -0500
-+++ stunnel-4.29/doc/stunnel.html 2009-12-09 16:43:09.000000000 -0500
[email protected]@ -192,7 +192,7 @@ emerg (0), alert (1), crit (2), err (3),
- info (6), or debug (7). All logs for the specified level and
- all levels numerically less than it will be shown. Use <strong>debug = debug</strong> or
- <strong>debug = 7</strong> for greatest debugging output. The default is notice (5).</p>
--<p>The syslog facility 'daemon' will be used unless a facility name is supplied.
-+<p>The syslog facility 'authpriv' will be used unless a facility name is supplied.
- (Facilities are not supported on Win32.)</p>
- <p>Case is ignored for both facilities and levels.</p>
- </dd>
-diff -urNp stunnel-4.29-orig/doc/stunnel.pod stunnel-4.29/doc/stunnel.pod
---- stunnel-4.29-orig/doc/stunnel.pod 2009-11-20 15:48:33.000000000 -0500
-+++ stunnel-4.29/doc/stunnel.pod 2009-12-09 16:43:52.000000000 -0500
[email protected]@ -144,7 +144,7 @@ info (6), or debug (7). All logs for th
- all levels numerically less than it will be shown. Use B<debug = debug> or
- B<debug = 7> for greatest debugging output. The default is notice (5).
+# Make the 'authpriv' syslog facility the default on Solaris
+#
+
+diff -u -r stunnel-4.55.orig/doc/stunnel.fr.pod stunnel-4.55/doc/stunnel.fr.pod
+--- stunnel-4.55.orig/doc/stunnel.fr.pod 2012-12-02 11:00:24.000000000 -0800
++++ stunnel-4.55/doc/stunnel.fr.pod 2013-03-21 22:30:02.672293057 -0700
[email protected]@ -178,7 +178,7 @@
+ B<debug = 7> donneront le maximum d'informations. La valeur par défaut
+ est notice (5).
+
+-La facilité syslog «E<nbsp>daemonE<nbsp>» est utilisée, sauf si un autre nom est spécifié
++La facilité syslog «E<nbsp>authprivE<nbsp>» est utilisée, sauf si un autre nom est spécifié
+ (Win32 ne permet pas l'usage des facilités.)
+
+ La casse est ignorée, aussi bien pour la facilité que pour le niveau.
+diff -u -r stunnel-4.55.orig/doc/stunnel.pod stunnel-4.55/doc/stunnel.pod
+--- stunnel-4.55.orig/doc/stunnel.pod 2013-01-13 09:25:20.000000000 -0800
++++ stunnel-4.55/doc/stunnel.pod 2013-03-21 22:28:04.473314299 -0700
[email protected]@ -184,7 +184,7 @@
+ all levels numerically less than it will be shown. Use I<debug = debug> or
+ I<debug = 7> for greatest debugging output. The default is notice (5).
-The syslog facility 'daemon' will be used unless a facility name is supplied.
+The syslog facility 'authpriv' will be used unless a facility name is supplied.
(Facilities are not supported on Win32.)
Case is ignored for both facilities and levels.
-diff -urNp stunnel-4.29-orig/src/options.c stunnel-4.29/src/options.c
---- stunnel-4.29-orig/src/options.c 2009-11-20 15:55:12.000000000 -0500
-+++ stunnel-4.29/src/options.c 2009-12-09 16:45:57.000000000 -0500
[email protected]@ -136,8 +136,12 @@ static char *global_options(CMD cmd, cha
- case CMD_INIT:
- options.debug_level=5;
+diff -u -r stunnel-4.55.orig/src/options.c stunnel-4.55/src/options.c
+--- stunnel-4.55.orig/src/options.c 2013-02-02 08:20:32.000000000 -0800
++++ stunnel-4.55/src/options.c 2013-03-21 22:27:13.163038368 -0700
[email protected]@ -185,8 +185,12 @@
+ case CMD_BEGIN:
+ new_global_options.debug_level=LOG_NOTICE;
#if !defined (USE_WIN32) && !defined (__vms)
+#if defined(LOG_AUTHPRIV)
-+ options.facility=LOG_AUTHPRIV;
++ new_global_options.facility=LOG_AUTHPRIV;
+#else
- options.facility=LOG_DAEMON;
+ new_global_options.facility=LOG_DAEMON;
#endif
+#endif
break;
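Review bot: The refreshed patch no longer carries the `doc/stunnel.8` and `doc/stunnel.html` hunks that the 4.29 version had, and now edits only `stunnel.pod` and `stunnel.fr.pod`. If the tarball ships pre-generated man or HTML pages that the build does not regenerate from the pod sources, the installed documentation will still name 'daemon' as the default facility while `options.c` now selects `LOG_AUTHPRIV`. That is worth confirming, because administrators who follow the man page would look for tunnel logs in the wrong place. Separately, the file is still named `stunnel-4.29-authpriv.patch` although its headers say `stunnel-4.55` and the component builds 4.56; renaming it to match the two new `stunnel-4.56-*` patches would avoid confusion.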
--- a/components/stunnel/patches/stunnel-4.29-chgrp.patch Tue Apr 09 10:37:15 2013 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,14 +0,0 @@
---- a/tools/Makefile.am.bk 2011-05-11 17:06:41.263948182 +0800
-+++ b/tools/Makefile.am 2011-05-11 17:06:57.885923460 +0800
[email protected]@ -30,11 +30,6 @@
- fi
- ${INSTALL} -d -m 1770 $(DESTDIR)$(localstatedir)/lib/stunnel
- -chgrp $(DEFAULT_GROUP) $(DESTDIR)$(localstatedir)/lib/stunnel
-- if uname | grep SunOS; then \
-- ${INSTALL} -d -m 755 $(DESTDIR)$(localstatedir)/lib/stunnel/dev; \
-- mknod $(DESTDIR)$(localstatedir)/lib/stunnel/dev/zero c 13 12; \
-- chmod 666 $(DESTDIR)$(localstatedir)/lib/stunnel/dev/zero; \
-- fi
-
- clean-local:
- -rm -f stunnel.rnd
--- a/components/stunnel/patches/stunnel-4.29-decl.patch Tue Apr 09 10:37:15 2013 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,11 +0,0 @@
---- a/src/prototypes.h.orig Wed Mar 9 23:51:18 2011
-+++ b/src/prototypes.h Wed Mar 9 23:51:29 2011
[email protected]@ -110,7 +110,7 @@
- COMP_NONE, COMP_ZLIB, COMP_RLE
- } COMP_TYPE;
-
--extern int cli_index, opt_index;;
-+extern int cli_index, opt_index;
-
- void ssl_init(void);
- void ssl_configure(void);
--- a/components/stunnel/patches/stunnel-4.29-sample.patch Tue Apr 09 10:37:15 2013 -0700
+++ b/components/stunnel/patches/stunnel-4.29-sample.patch Tue Apr 09 12:17:40 2013 -0700
@@ -1,25 +1,30 @@
-diff -urNp stunnel-4.29-orig/tools/stunnel.conf-sample.in stunnel-4.29/tools/stunnel.conf-sample.in
---- stunnel-4.29-orig/tools/stunnel.conf-sample.in 2009-11-08 14:40:24.000000000 -0500
-+++ stunnel-4.29/tools/stunnel.conf-sample.in 2010-01-15 16:21:47.000000000 -0500
[email protected]@ -3,14 +3,14 @@
- ; Please make sure you understand them (especially the effect of the chroot jail)
+# the sample config file should point to the right places on Solaris
+#
+#
+diff -u -r stunnel-4.55.orig/tools/stunnel.conf-sample.in stunnel-4.55/tools/stunnel.conf-sample.in
+--- stunnel-4.55.orig/tools/stunnel.conf-sample.in 2012-01-01 13:46:46.000000000 -0800
++++ stunnel-4.55/tools/stunnel.conf-sample.in 2013-03-21 22:38:08.025113934 -0700
[email protected]@ -9,7 +9,7 @@
+
+ ; A copy of some devices and system files is needed within the chroot jail
+ ; Chroot conflicts with configuration file reload and many other features
+-chroot = @[email protected]/var/lib/stunnel/
++chroot = @[email protected]/run/stunnel/
+ ; Chroot jail can be escaped if setuid option is not used
+ setuid = nobody
+ setgid = @[email protected]
[email protected]@ -26,8 +26,8 @@
+ ; **************************************************************************
; Certificate/key is needed in server mode and optional in client mode
-cert = @[email protected]/etc/stunnel/mail.pem
-;key = @[email protected]/etc/stunnel/mail.pem
-+cert = @[email protected]/stunnel/mail.crt
-+;key = @[email protected]/stunnel/mail.key
-
- ; Protocol version (all, SSLv2, SSLv3, TLSv1)
- sslVersion = SSLv3
++cert = @[email protected]/stunnel/mail.pem
++;key = @[email protected]/stunnel/mail.pem
- ; Some security enhancements for UNIX systems - comment them out on Win32
--chroot = @[email protected]/var/lib/stunnel/
-+chroot = @[email protected]/run/stunnel/
- setuid = nobody
- setgid = @[email protected]
- ; PID is created inside the chroot jail
[email protected]@ -30,12 +30,13 @@ socket = r:TCP_NODELAY=1
+ ; Authentication stuff needs to be configured to prevent MITM attacks
+ ; It is not enabled by default!
[email protected]@ -36,12 +36,13 @@
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
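Review bot: The rewritten sample sets `cert` and the commented-out `key` to the same `mail.pem`, where the previous patch split them into `mail.crt` and `mail.key`. A combined PEM holds the private key, so the sample should say that the file must not be readable by other users, for example `; mail.pem contains the private key - keep it owner-readable only (mode 0600)`. The Makefile's pre-install action creates `stunnel/stunnel.pem` while the sample refers to `stunnel/mail.pem`; this may be intentional for a mail example, but the differing names are worth a one-line comment.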
@@ -29,9 +34,9 @@
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
- ; Alternatively you can use CRLfile
+ ; Alternatively CRLfile can be used
-;CRLfile = @[email protected]/etc/stunnel/crls.pem
+;CRLfile = @[email protected]/stunnel/crls.pem
- ; Some debugging stuff useful for troubleshooting
- ;debug = 7
+ ; Disable support for insecure SSLv2 protocol
+ options = NO_SSLv2
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/stunnel/patches/stunnel-4.56-32_64.patch Tue Apr 09 12:17:40 2013 -0700
@@ -0,0 +1,25 @@
+# On Solaris, fix stunnel so that the linker know where both the 32 and 64 bit
+# interposer libraries are. If you use LD_PRELOAD with the wrong bittedness
+# of interposer, the runtime linker hits a fatal error in trying to load
+# mismatched ELF objects.
+#
+diff -r -u stunnel-4.55.orig/src/client.c stunnel-4.55/src/client.c
+--- stunnel-4.55.orig/src/client.c 2013-02-28 00:17:58.000000000 -0800
++++ stunnel-4.55/src/client.c 2013-03-21 22:55:21.098479331 -0700
[email protected]@ -1100,9 +1100,14 @@
+ /* just don't set these variables if getnameinfo() fails */
+ putenv(str_printf("REMOTE_HOST=%s", host));
+ if(c->opt->option.transparent_src) {
+- putenv("LD_PRELOAD=" LIBDIR "/libstunnel.so");
+- /* for Tru64 _RLD_LIST is used instead */
++#ifdef MACH64
++ putenv("LD_PRELOAD_32=" LIBDIR "/libstunnel.so");
++ putenv("LD_PRELOAD_64=" LIBDIR "/" MACH64 "/libstunnel.so");
++#elif __osf /* for Tru64 _RLD_LIST is used instead */
+ putenv("_RLD_LIST=" LIBDIR "/libstunnel.so:DEFAULT");
++#else
++ putenv("LD_PRELOAD=" LIBDIR "/libstunnel.so");
++#endif
+ }
+ }
+
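Review bot: The Tru64 branch is written `#elif __osf`, which evaluates an identifier that may simply be undefined (silently 0), and the macro usually documented for that platform is `__osf__`. I would write `#elif defined(__osf__)` after confirming which name the target compilers predefine. The original code set both `LD_PRELOAD` and `_RLD_LIST` unconditionally, whereas the new chain sets exactly one family, so a wrong macro name would leave Tru64 builds with only `LD_PRELOAD`. On the Solaris path, `LD_PRELOAD_64` points at `LIBDIR "/" MACH64 "/libstunnel.so"`, and nothing visible in this diff shows a 64-bit interposer being built or delivered there, so that needs checking against the package manifest. The enclosing function starts and ends outside the hunk.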
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/stunnel/patches/stunnel-4.56-CRYPTO_num_locks.patch Tue Apr 09 12:17:40 2013 -0700
@@ -0,0 +1,34 @@
+# stunnel should use CRYPTO_num_locks() function instead of CRYPTO_NUM_LOCKS
+# macro. The function interogates libcrypto at run-time for sizing and the
+# macro at compile time. If you interpose a a version at runtime to switch
+# between FIPS/non-FIPS support, the lock table may not be sized correctly.
+#
+diff -r -u stunnel-4.55.orig/src/sthreads.c stunnel-4.55/src/sthreads.c
+--- stunnel-4.55.orig/src/sthreads.c 2012-08-09 14:44:18.000000000 -0700
++++ stunnel-4.55/src/sthreads.c 2013-03-21 23:29:34.912001586 -0700
[email protected]@ -212,7 +212,7 @@
+ #ifdef USE_PTHREAD
+
+ static pthread_mutex_t stunnel_cs[CRIT_SECTIONS];
+-static pthread_mutex_t lock_cs[CRYPTO_NUM_LOCKS];
++static pthread_mutex_t *lock_cs;
+
+ void enter_critical_section(SECTION_CODE i) {
+ pthread_mutex_lock(stunnel_cs+i);
[email protected]@ -275,13 +275,15 @@
+
+ int sthreads_init(void) {
+ int i;
++ int num_locks = CRYPTO_num_locks();
+
+ /* initialize stunnel critical sections */
+ for(i=0; i<CRIT_SECTIONS; i++)
+ pthread_mutex_init(stunnel_cs+i, NULL);
+
+ /* initialize OpenSSL locking callback */
+- for(i=0; i<CRYPTO_NUM_LOCKS; i++)
++ lock_cs = calloc(num_locks, sizeof (*lock_cs));
++ for(i=0; i<num_locks; i++)
+ pthread_mutex_init(lock_cs+i, NULL);
+ CRYPTO_set_id_callback(stunnel_thread_id);
+ CRYPTO_set_locking_callback(locking_callback);
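Review bot: The result of `calloc(num_locks, sizeof (*lock_cs))` is used without a check, so an allocation failure makes the following loop call `pthread_mutex_init()` on a NULL-based pointer. The same NULL table would then be handed to OpenSSL through `locking_callback`. Add a guard directly after the allocation, such as `if(!lock_cs) return 1;`, using whatever failure value the callers of `sthreads_init()` actually test, since the rest of the function and its return convention are outside this hunk. It would also be prudent to reject a non-positive `num_locks` before the allocation, because the `int` is converted to `size_t` in the `calloc` call.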
--- a/components/stunnel/stunnel.license Tue Apr 09 10:37:15 2013 -0700
+++ b/components/stunnel/stunnel.license Tue Apr 09 12:17:40 2013 -0700
@@ -341,7 +341,7 @@
stunnel Universal SSL tunnel
-Copyright (C) 1998-2008 Michal Trojnara
+Copyright (C) 1998-2013 Michal Trojnara
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software