stunnel: upgrade 5.69 -> 5.72

fix-openssl-no-des.patch
refreshed for 5.72

License-Update: Copyright year updated to 2024.

Changelog:
===========
* Security bugfixes
  - OpenSSL DLLs updated to version 3.2.1.
  - OpenSSL FIPS Provider updated to version 3.0.8.
* Bugfixes
  - Fixed SSL_CTX_new() errors handling.
  - Fixed OPENSSL_NO_PSK builds.
  - Android build updated for NDK r23c.
  - stunnel.nsi updated for Debian 12.
  - Fixed tests with OpenSSL older than 1.0.2.
  - Fixed the console output of tstunnel.exe.
  - Fixed TLS socket EOF handling with OpenSSL 3.x.
    This bug caused major interoperability issues between
    stunnel built with OpenSSL 3.x and Microsoft's
    Schannel Security Support Provider (SSP).
  - Fixed reading certificate chains from PKCS#12 files.
* Features sponsored by SAE IT-systems
  - OCSP stapling is requested and verified in the client mode.
  - Using "verifyChain" automatically enables OCSP
    stapling in the client mode.
  - OCSP stapling is always available in the server mode.
  - An inconclusive OCSP verification breaks TLS negotiation.
    This can be disabled with "OCSPrequire = no".
  - Added the "TIMEOUTocsp" option to control the maximum
    time allowed for connecting an OCSP responder.
* Features
  - Added support for Red Hat OpenSSL 3.x patches.
  - Added configurable delay for the "retry" option.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

2 files changed, 20 insertions, 18 deletions

diff --git a/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch b/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch
index 0840cbbd8..82d355101 100644
--- a/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch
+++ b/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch
@@ -11,17 +11,16 @@ failed. Fix it by checking macro OPENSSL_NO_DES to use openssl des related
 library conditionaly.
 
 Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
 ---
  src/common.h   | 2 ++
  src/protocol.c | 6 +++---
  2 files changed, 5 insertions(+), 3 deletions(-)
 
 diff --git a/src/common.h b/src/common.h
-index bc37eb5..03ee3e5 100644
+index 2b4869f..180d31a 100644
 --- a/src/common.h
 +++ b/src/common.h
-@@ -486,7 +486,9 @@ extern char *sys_errlist[];
+@@ -492,7 +492,9 @@ extern char *sys_errlist[];
  #ifndef OPENSSL_NO_MD4
  #include <openssl/md4.h>
  #endif /* !defined(OPENSSL_NO_MD4) */
@@ -32,29 +31,29 @@ index bc37eb5..03ee3e5 100644
  #include <openssl/dh.h>
  #if OPENSSL_VERSION_NUMBER<0x10100000L
 diff --git a/src/protocol.c b/src/protocol.c
-index 804f115..d9b2b50 100644
+index cfe6d3b..3936aea 100644
 --- a/src/protocol.c
 +++ b/src/protocol.c
-@@ -66,7 +66,7 @@ NOEXPORT char *nntp_client(CLI *, SERVICE_OPTIONS *, const PHASE);
- NOEXPORT char *ldap_client(CLI *, SERVICE_OPTIONS *, const PHASE);
- NOEXPORT char *connect_server(CLI *, SERVICE_OPTIONS *, const PHASE);
- NOEXPORT char *connect_client(CLI *, SERVICE_OPTIONS *, const PHASE);
+@@ -81,7 +81,7 @@ NOEXPORT void ldap_client_middle(CLI *);
+ 
+ NOEXPORT void connect_server_early(CLI *);
+ NOEXPORT void connect_client_middle(CLI *);
 -#ifndef OPENSSL_NO_MD4
 +#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DES)
- NOEXPORT void ntlm(CLI *, SERVICE_OPTIONS *);
+ NOEXPORT void ntlm(CLI *);
  NOEXPORT char *ntlm1(void);
  NOEXPORT char *ntlm3(char *, char *, char *, char *);
-@@ -1351,7 +1351,7 @@ NOEXPORT char *connect_client(CLI *c, SERVICE_OPTIONS *opt, const PHASE phase) {
-     fd_printf(c, c->remote_fd.fd, "Host: %s", opt->protocol_host);
-     if(opt->protocol_username && opt->protocol_password) {
-         if(!strcasecmp(opt->protocol_authentication, "ntlm")) {
+@@ -1331,7 +1331,7 @@ NOEXPORT void connect_client_middle(CLI *c) {
+     fd_printf(c, c->remote_fd.fd, "Host: %s", c->opt->protocol_host);
+     if(c->opt->protocol_username && c->opt->protocol_password) {
+         if(!strcasecmp(c->opt->protocol_authentication, "ntlm")) {
 -#ifndef OPENSSL_NO_MD4
 +#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DES)
-             ntlm(c, opt);
+             ntlm(c);
  #else
              s_log(LOG_ERR, "NTLM authentication is not available");
-@@ -1395,7 +1395,7 @@ NOEXPORT char *connect_client(CLI *c, SERVICE_OPTIONS *opt, const PHASE phase) {
-     return NULL;
+@@ -1374,7 +1374,7 @@ NOEXPORT void connect_client_middle(CLI *c) {
+     str_free(line);
  }
  
 -#ifndef OPENSSL_NO_MD4
@@ -62,3 +61,6 @@ index 804f115..d9b2b50 100644
  
  /*
   * NTLM code is based on the following documentation:
+-- 
+2.34.1
+
diff --git a/meta-networking/recipes-support/stunnel/stunnel_5.69.bb b/meta-networking/recipes-support/stunnel/stunnel_5.72.bb
index 816152973..6d21027a1 100644
--- a/meta-networking/recipes-support/stunnel/stunnel_5.69.bb
+++ b/meta-networking/recipes-support/stunnel/stunnel_5.72.bb
@@ -3,7 +3,7 @@ DESCRIPTION = "SSL encryption wrapper between remote client and local (inetd-sta
 HOMEPAGE = "https://www.stunnel.org/"
 SECTION = "net"
 LICENSE = "GPL-2.0-or-later"
-LIC_FILES_CHKSUM = "file://COPYING.md;md5=b4988f33f70b383b3011c4ede0a679ce"
+LIC_FILES_CHKSUM = "file://COPYING.md;md5=906ac034adaee9d093318e51b53453ca"
 
 DEPENDS = "autoconf-archive libnsl2 openssl"
 
@@ -11,7 +11,7 @@ SRC_URI = "https://stunnel.org/archive/5.x/${BP}.tar.gz \
            file://fix-openssl-no-des.patch \
 "
 
-SRC_URI[sha256sum] = "1ff7d9f30884c75b98c8a0a4e1534fa79adcada2322635e6787337b4e38fdb81"
+SRC_URI[sha256sum] = "3d532941281ae353319735144e4adb9ae489a10b7e309c58a48157f08f42e949"
 
 inherit autotools bash-completion pkgconfig