16533604 stunnel should upgrade to 4.56
authorNorm Jacobs <Norm.Jacobs@Oracle.COM>
Tue, 09 Apr 2013 12:17:40 -0700
changeset 1252 86b53be32d7c
parent 1251 f1fb66b52f41
child 1253 7ea5bcb38fc1
16533604 stunnel should upgrade to 4.56 15590084 SUNBT6882553 stunnel should use CRYPTO_num_locks() instead of CRYPTO_NUM_LOCKS
components/stunnel/Makefile
components/stunnel/patches/stunnel-4.29-authpriv.patch
components/stunnel/patches/stunnel-4.29-chgrp.patch
components/stunnel/patches/stunnel-4.29-decl.patch
components/stunnel/patches/stunnel-4.29-sample.patch
components/stunnel/patches/stunnel-4.56-32_64.patch
components/stunnel/patches/stunnel-4.56-CRYPTO_num_locks.patch
components/stunnel/stunnel.license
--- a/components/stunnel/Makefile	Tue Apr 09 10:37:15 2013 -0700
+++ b/components/stunnel/Makefile	Tue Apr 09 12:17:40 2013 -0700
@@ -26,15 +26,14 @@
 include ../../make-rules/shared-macros.mk
 
 COMPONENT_NAME=		stunnel
-COMPONENT_VERSION=	4.29
-COMPONENT_PROJECT_URL=	http://stunnel.mirt.net/
+COMPONENT_VERSION=	4.56
+COMPONENT_PROJECT_URL=	http://www.stunnel.org/
 COMPONENT_SRC=		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:018064e852a2a125bcfb4b81baa77b5701ccf6aabe6a47564bfc046b18d11f9b
+    sha256:9cae2cfbe26d87443398ce50d7d5db54e5ea363889d5d2ec8d2778a01c871293
 
-# ftp://stunnel.mirt.net/stunnel/stunnel-4.29.tar.gz is no longer there.
-COMPONENT_ARCHIVE_URL=	http://pkgs.fedoraproject.org/repo/pkgs/$(COMPONENT_NAME)/$(COMPONENT_ARCHIVE)/14dc3f8412947f0548975cbce74d6863/$(COMPONENT_ARCHIVE)
+COMPONENT_ARCHIVE_URL=	http://pkgs.fedoraproject.org/repo/pkgs/$(COMPONENT_NAME)/$(COMPONENT_ARCHIVE)/ac4c4a30bd7a55b6687cbd62d864054c/$(COMPONENT_ARCHIVE)
 
 COMPONENT_BUGDB=	utility/stunnel
 
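Review bot: `COMPONENT_ARCHIVE_URL` still fetches the tarball over plain http from the Fedora lookaside cache rather than from the site named in `COMPONENT_PROJECT_URL`, and this hunk drops the comment that explained why a mirror is used. That leaves the pinned sha256 in `COMPONENT_ARCHIVE_HASH` as the only integrity control on the download, so it is worth recording where that digest came from. If the reason is still that upstream removes old tarballs, I would keep a line such as `# upstream drops old releases; fetched from the Fedora lookaside cache, integrity pinned by COMPONENT_ARCHIVE_HASH` above the URL.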
@@ -42,14 +41,15 @@
 include ../../make-rules/configure.mk
 include ../../make-rules/ips.mk
 
-COMPONENT_PREP_ACTION =	(cd $(@D) ; autoreconf -if)
-
 # need /usr/perl5/bin on path to access pod2man perl script, used by 
 # the build to create docs
 COMPONENT_BUILD_ENV +=  PATH=/usr/perl5/bin:$(PATH)
 
 CPPFLAGS +=	"-DPIDFILE='\"/var/run/stunnel.pid\"'"
 
+# used to generate the 64-bit interposer location
+CPPFLAGS += -DMACH64='\"$(MACH64)\"'
+
 CONFIGURE_OPTIONS +=	--disable-fips
 CONFIGURE_OPTIONS +=	--enable-ipv6
 CONFIGURE_OPTIONS +=	--sysconfdir=$(ETCDIR)
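Review bot: The new `-DMACH64` definition is quoted differently from the `-DPIDFILE` definition two lines above it (no outer double quotes), so the two pass through the configure and make quoting layers in different forms. The client.c patch added in this commit pastes `MACH64` between adjacent string literals, so it must reach the compiler as a quoted string. Matching the existing form, `CPPFLAGS += "-DMACH64='\"$(MACH64)\"'"`, would make that easier to verify. The comment could also name the consumer, for example `# MACH64 is concatenated into the LD_PRELOAD_64 path by patches/stunnel-4.56-32_64.patch`.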
@@ -57,6 +57,9 @@
 CONFIGURE_OPTIONS +=	CFLAGS="$(CFLAGS)"
 CONFIGURE_OPTIONS +=	LDFLAGS="$(LDFLAGS)"
 
+# used to generate LD_PRELOAD_* interposer pathnames
+COMPONENT_BUILD_ARGS += pkglibdir=/usr/lib/stunnel
+
 COMPONENT_PRE_INSTALL_ACTION = \
 	$(MKDIR) $(PROTOETCDIR)/stunnel ; \
 	$(TOUCH) $(PROTOETCDIR)/stunnel/stunnel.pem
--- a/components/stunnel/patches/stunnel-4.29-authpriv.patch	Tue Apr 09 10:37:15 2013 -0700
+++ b/components/stunnel/patches/stunnel-4.29-authpriv.patch	Tue Apr 09 12:17:40 2013 -0700
@@ -1,50 +1,41 @@
-diff -urNp stunnel-4.29-orig/doc/stunnel.8 stunnel-4.29/doc/stunnel.8
---- stunnel-4.29-orig/doc/stunnel.8	2009-11-20 15:50:52.000000000 -0500
-+++ stunnel-4.29/doc/stunnel.8	2009-12-09 16:44:25.000000000 -0500
[email protected]@ -169,7 +169,7 @@ info (6), or debug (7).  All logs for th
- all levels numerically less than it will be shown.  Use \fBdebug = debug\fR or
- \&\fBdebug = 7\fR for greatest debugging output.  The default is notice (5).
- .Sp
--The syslog facility 'daemon' will be used unless a facility name is supplied.
-+The syslog facility 'authpriv' will be used unless a facility name is supplied.
- (Facilities are not supported on Win32.)
- .Sp
- Case is ignored for both facilities and levels.
-diff -urNp stunnel-4.29-orig/doc/stunnel.html stunnel-4.29/doc/stunnel.html
---- stunnel-4.29-orig/doc/stunnel.html	2009-11-20 15:50:52.000000000 -0500
-+++ stunnel-4.29/doc/stunnel.html	2009-12-09 16:43:09.000000000 -0500
[email protected]@ -192,7 +192,7 @@ emerg (0), alert (1), crit (2), err (3),
- info (6), or debug (7).  All logs for the specified level and
- all levels numerically less than it will be shown.  Use <strong>debug = debug</strong> or
- <strong>debug = 7</strong> for greatest debugging output.  The default is notice (5).</p>
--<p>The syslog facility 'daemon' will be used unless a facility name is supplied.
-+<p>The syslog facility 'authpriv' will be used unless a facility name is supplied.
- (Facilities are not supported on Win32.)</p>
- <p>Case is ignored for both facilities and levels.</p>
- </dd>
-diff -urNp stunnel-4.29-orig/doc/stunnel.pod stunnel-4.29/doc/stunnel.pod
---- stunnel-4.29-orig/doc/stunnel.pod	2009-11-20 15:48:33.000000000 -0500
-+++ stunnel-4.29/doc/stunnel.pod	2009-12-09 16:43:52.000000000 -0500
[email protected]@ -144,7 +144,7 @@ info (6), or debug (7).  All logs for th
- all levels numerically less than it will be shown.  Use B<debug = debug> or
- B<debug = 7> for greatest debugging output.  The default is notice (5).
+# Make the 'authpriv' syslog facility the default on Solaris
+#
+
+diff -u -r stunnel-4.55.orig/doc/stunnel.fr.pod stunnel-4.55/doc/stunnel.fr.pod
+--- stunnel-4.55.orig/doc/stunnel.fr.pod	2012-12-02 11:00:24.000000000 -0800
++++ stunnel-4.55/doc/stunnel.fr.pod	2013-03-21 22:30:02.672293057 -0700
[email protected]@ -178,7 +178,7 @@
+ B<debug = 7> donneront le maximum d'informations. La valeur par défaut
+ est notice (5).
+ 
+-La facilité syslog «E<nbsp>daemonE<nbsp>» est utilisée, sauf si un autre nom est spécifié
++La facilité syslog «E<nbsp>authprivE<nbsp>» est utilisée, sauf si un autre nom est spécifié
+ (Win32 ne permet pas l'usage des facilités.)
+ 
+ La casse est ignorée, aussi bien pour la facilité que pour le niveau.
+diff -u -r stunnel-4.55.orig/doc/stunnel.pod stunnel-4.55/doc/stunnel.pod
+--- stunnel-4.55.orig/doc/stunnel.pod	2013-01-13 09:25:20.000000000 -0800
++++ stunnel-4.55/doc/stunnel.pod	2013-03-21 22:28:04.473314299 -0700
[email protected]@ -184,7 +184,7 @@
+ all levels numerically less than it will be shown.  Use I<debug = debug> or
+ I<debug = 7> for greatest debugging output.  The default is notice (5).
  
 -The syslog facility 'daemon' will be used unless a facility name is supplied.
 +The syslog facility 'authpriv' will be used unless a facility name is supplied.
  (Facilities are not supported on Win32.)
  
  Case is ignored for both facilities and levels.
-diff -urNp stunnel-4.29-orig/src/options.c stunnel-4.29/src/options.c
---- stunnel-4.29-orig/src/options.c	2009-11-20 15:55:12.000000000 -0500
-+++ stunnel-4.29/src/options.c	2009-12-09 16:45:57.000000000 -0500
[email protected]@ -136,8 +136,12 @@ static char *global_options(CMD cmd, cha
-     case CMD_INIT:
-         options.debug_level=5;
+diff -u -r stunnel-4.55.orig/src/options.c stunnel-4.55/src/options.c
+--- stunnel-4.55.orig/src/options.c	2013-02-02 08:20:32.000000000 -0800
++++ stunnel-4.55/src/options.c	2013-03-21 22:27:13.163038368 -0700
[email protected]@ -185,8 +185,12 @@
+     case CMD_BEGIN:
+         new_global_options.debug_level=LOG_NOTICE;
  #if !defined (USE_WIN32) && !defined (__vms)
 +#if defined(LOG_AUTHPRIV)
-+        options.facility=LOG_AUTHPRIV;
++        new_global_options.facility=LOG_AUTHPRIV;
 +#else
-         options.facility=LOG_DAEMON;
+         new_global_options.facility=LOG_DAEMON;
  #endif
 +#endif
          break;
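Review bot: The refreshed patch no longer touches doc/stunnel.8 and doc/stunnel.html, which the previous version patched alongside the pod source. If the build does not regenerate them from the pod files, the installed man page would still describe 'daemon' as the default facility while options.c uses LOG_AUTHPRIV, so admins routing syslog by facility would be misled. Please confirm they are regenerated (the Makefile comment about pod2man suggests they are, but that is not visible here), and check whether any other translated pod carries the same sentence. The file is also still named stunnel-4.29-authpriv.patch although it now diffs stunnel-4.55 trees, unlike the new stunnel-4.56-* patches.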
--- a/components/stunnel/patches/stunnel-4.29-chgrp.patch	Tue Apr 09 10:37:15 2013 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,14 +0,0 @@
---- a/tools/Makefile.am.bk	2011-05-11 17:06:41.263948182 +0800
-+++ b/tools/Makefile.am	2011-05-11 17:06:57.885923460 +0800
[email protected]@ -30,11 +30,6 @@
- 	fi
- 	${INSTALL} -d -m 1770 $(DESTDIR)$(localstatedir)/lib/stunnel
- 	-chgrp $(DEFAULT_GROUP) $(DESTDIR)$(localstatedir)/lib/stunnel
--	if uname | grep SunOS; then \
--		${INSTALL} -d -m 755 $(DESTDIR)$(localstatedir)/lib/stunnel/dev; \
--		mknod $(DESTDIR)$(localstatedir)/lib/stunnel/dev/zero c 13 12; \
--		chmod 666 $(DESTDIR)$(localstatedir)/lib/stunnel/dev/zero; \
--	fi
- 
- clean-local:
- 	-rm -f stunnel.rnd
--- a/components/stunnel/patches/stunnel-4.29-decl.patch	Tue Apr 09 10:37:15 2013 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,11 +0,0 @@
---- a/src/prototypes.h.orig	Wed Mar  9 23:51:18 2011
-+++ b/src/prototypes.h	Wed Mar  9 23:51:29 2011
[email protected]@ -110,7 +110,7 @@
-     COMP_NONE, COMP_ZLIB, COMP_RLE
- } COMP_TYPE;
- 
--extern int cli_index, opt_index;;
-+extern int cli_index, opt_index;
- 
- void ssl_init(void);
- void ssl_configure(void);
--- a/components/stunnel/patches/stunnel-4.29-sample.patch	Tue Apr 09 10:37:15 2013 -0700
+++ b/components/stunnel/patches/stunnel-4.29-sample.patch	Tue Apr 09 12:17:40 2013 -0700
@@ -1,25 +1,30 @@
-diff -urNp stunnel-4.29-orig/tools/stunnel.conf-sample.in stunnel-4.29/tools/stunnel.conf-sample.in
---- stunnel-4.29-orig/tools/stunnel.conf-sample.in	2009-11-08 14:40:24.000000000 -0500
-+++ stunnel-4.29/tools/stunnel.conf-sample.in	2010-01-15 16:21:47.000000000 -0500
[email protected]@ -3,14 +3,14 @@
- ; Please make sure you understand them (especially the effect of the chroot jail)
+# the sample config file should point to the right places on Solaris
+#
+#
+diff -u -r stunnel-4.55.orig/tools/stunnel.conf-sample.in stunnel-4.55/tools/stunnel.conf-sample.in
+--- stunnel-4.55.orig/tools/stunnel.conf-sample.in	2012-01-01 13:46:46.000000000 -0800
++++ stunnel-4.55/tools/stunnel.conf-sample.in	2013-03-21 22:38:08.025113934 -0700
[email protected]@ -9,7 +9,7 @@
+ 
+ ; A copy of some devices and system files is needed within the chroot jail
+ ; Chroot conflicts with configuration file reload and many other features
+-chroot = @[email protected]/var/lib/stunnel/
++chroot = @[email protected]/run/stunnel/
+ ; Chroot jail can be escaped if setuid option is not used
+ setuid = nobody
+ setgid = @[email protected]
[email protected]@ -26,8 +26,8 @@
+ ; **************************************************************************
  
  ; Certificate/key is needed in server mode and optional in client mode
 -cert = @[email protected]/etc/stunnel/mail.pem
 -;key = @[email protected]/etc/stunnel/mail.pem
-+cert = @[email protected]/stunnel/mail.crt
-+;key = @[email protected]/stunnel/mail.key
- 
- ; Protocol version (all, SSLv2, SSLv3, TLSv1)
- sslVersion = SSLv3
++cert = @[email protected]/stunnel/mail.pem
++;key = @[email protected]/stunnel/mail.pem
  
- ; Some security enhancements for UNIX systems - comment them out on Win32
--chroot = @[email protected]/var/lib/stunnel/
-+chroot = @[email protected]/run/stunnel/
- setuid = nobody
- setgid = @[email protected]
- ; PID is created inside the chroot jail
[email protected]@ -30,12 +30,13 @@ socket = r:TCP_NODELAY=1
+ ; Authentication stuff needs to be configured to prevent MITM attacks
+ ; It is not enabled by default!
[email protected]@ -36,12 +36,13 @@
  ; CApath is located inside chroot jail
  ;CApath = /certs
  ; It's often easier to use CAfile
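Review bot: The sample's active `chroot =` line now points at a run/stunnel directory, but nothing visible in this commit creates that directory or sets its ownership and mode. COMPONENT_PRE_INSTALL_ACTION only creates `$(PROTOETCDIR)/stunnel`, and the chgrp patch that dealt with the old var/lib/stunnel directory is deleted here. If that location is on a memory-backed filesystem it disappears at reboot, and an admin who copies the sample gets a start-up failure or creates the jail by hand with whatever permissions come to mind. I would extend the patch's header comment with a line such as `# the chroot directory is not delivered by the package; create it root-owned and not writable by the setuid user before enabling chroot`.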
@@ -29,9 +34,9 @@
  ; Don't forget to c_rehash CRLpath
  ; CRLpath is located inside chroot jail
  ;CRLpath = /crls
- ; Alternatively you can use CRLfile
+ ; Alternatively CRLfile can be used
 -;CRLfile = @[email protected]/etc/stunnel/crls.pem
 +;CRLfile = @[email protected]/stunnel/crls.pem
  
- ; Some debugging stuff useful for troubleshooting
- ;debug = 7
+ ; Disable support for insecure SSLv2 protocol
+ options = NO_SSLv2
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/stunnel/patches/stunnel-4.56-32_64.patch	Tue Apr 09 12:17:40 2013 -0700
@@ -0,0 +1,25 @@
+# On Solaris, fix stunnel so that the linker know where both the 32 and 64 bit
+# interposer libraries are.  If you use LD_PRELOAD with the wrong bittedness
+# of interposer, the runtime linker hits a fatal error in trying to load
+# mismatched ELF objects.
+#
+diff -r -u stunnel-4.55.orig/src/client.c stunnel-4.55/src/client.c
+--- stunnel-4.55.orig/src/client.c	2013-02-28 00:17:58.000000000 -0800
++++ stunnel-4.55/src/client.c	2013-03-21 22:55:21.098479331 -0700
[email protected]@ -1100,9 +1100,14 @@
+             /* just don't set these variables if getnameinfo() fails */
+             putenv(str_printf("REMOTE_HOST=%s", host));
+             if(c->opt->option.transparent_src) {
+-                putenv("LD_PRELOAD=" LIBDIR "/libstunnel.so");
+-                /* for Tru64 _RLD_LIST is used instead */
++#ifdef MACH64
++                putenv("LD_PRELOAD_32=" LIBDIR "/libstunnel.so");
++                putenv("LD_PRELOAD_64=" LIBDIR "/" MACH64 "/libstunnel.so");
++#elif __osf /* for Tru64 _RLD_LIST is used instead */
+                 putenv("_RLD_LIST=" LIBDIR "/libstunnel.so:DEFAULT");
++#else
++                putenv("LD_PRELOAD=" LIBDIR "/libstunnel.so");
++#endif
+             }
+         }
+ 
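Review bot: The `#elif __osf` test in the client.c hunk looks like it will never be true. As far as I know Tru64 compilers predefine `__osf__`, not `__osf`, so the `_RLD_LIST` branch would be dead and that platform would fall through to plain `LD_PRELOAD`. The lines this hunk removes set both `LD_PRELOAD` and `_RLD_LIST` unconditionally, so the rewrite also changes behaviour on every non-Solaris build, which matters if the patch is ever offered upstream. I would write the test as `#elif defined(__osf__)`, which also avoids evaluating an undefined identifier in `#elif`. The enclosing function starts and ends outside the hunk, so I cannot see whether an inherited `LD_PRELOAD` is cleared when the `_32`/`_64` variants are set.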
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/stunnel/patches/stunnel-4.56-CRYPTO_num_locks.patch	Tue Apr 09 12:17:40 2013 -0700
@@ -0,0 +1,34 @@
+# stunnel should use CRYPTO_num_locks() function instead of CRYPTO_NUM_LOCKS
+# macro.  The function interogates libcrypto at run-time for sizing and the
+# macro at compile time.  If you interpose a a version at runtime to switch
+# between FIPS/non-FIPS support, the lock table may not be sized correctly.
+#
+diff -r -u stunnel-4.55.orig/src/sthreads.c stunnel-4.55/src/sthreads.c
+--- stunnel-4.55.orig/src/sthreads.c	2012-08-09 14:44:18.000000000 -0700
++++ stunnel-4.55/src/sthreads.c	2013-03-21 23:29:34.912001586 -0700
[email protected]@ -212,7 +212,7 @@
+ #ifdef USE_PTHREAD
+ 
+ static pthread_mutex_t stunnel_cs[CRIT_SECTIONS];
+-static pthread_mutex_t lock_cs[CRYPTO_NUM_LOCKS];
++static pthread_mutex_t *lock_cs;
+ 
+ void enter_critical_section(SECTION_CODE i) {
+     pthread_mutex_lock(stunnel_cs+i);
[email protected]@ -275,13 +275,15 @@
+ 
+ int sthreads_init(void) {
+     int i;
++    int num_locks = CRYPTO_num_locks();
+ 
+     /* initialize stunnel critical sections */
+     for(i=0; i<CRIT_SECTIONS; i++)
+         pthread_mutex_init(stunnel_cs+i, NULL);
+ 
+     /* initialize OpenSSL locking callback */
+-    for(i=0; i<CRYPTO_NUM_LOCKS; i++)
++    lock_cs = calloc(num_locks, sizeof (*lock_cs));
++    for(i=0; i<num_locks; i++)
+         pthread_mutex_init(lock_cs+i, NULL);
+     CRYPTO_set_id_callback(stunnel_thread_id);
+     CRYPTO_set_locking_callback(locking_callback);
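Review bot: The result of `calloc()` in sthreads_init() is used without a NULL check, so an allocation failure, or an unexpected count from `CRYPTO_num_locks()`, sends a null-based pointer into `pthread_mutex_init(lock_cs+i, NULL)` and later into the locking callback. The static array this replaces could not fail, so this is a new failure mode. I would add `if(!lock_cs) return 1;` directly after the allocation, adjusting the value to whatever the callers of sthreads_init() treat as failure, since its body continues outside the hunk. Only the USE_PTHREAD variant is visible here; if the other threading back ends in sthreads.c still size their tables with CRYPTO_NUM_LOCKS, they have the mismatch described in the patch header.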
--- a/components/stunnel/stunnel.license	Tue Apr 09 10:37:15 2013 -0700
+++ b/components/stunnel/stunnel.license	Tue Apr 09 12:17:40 2013 -0700
@@ -341,7 +341,7 @@
 
 stunnel Universal SSL tunnel
 
-Copyright (C) 1998-2008 Michal Trojnara
+Copyright (C) 1998-2013 Michal Trojnara
 
 This program is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free Software