author | Wang Mingyu <wangmy@fujitsu.com> | 2024-03-06 16:43:28 +0800 |
---|---|---|
committer | Khem Raj <raj.khem@gmail.com> | 2024-03-08 10:07:24 -0800 |
commit | d49f1069c57d4e150e646e606dbf1bd272684d1d (patch) | |
tree | a73dd5a6e2b928a74fb3ce2d68cd20833b656926 /meta-networking | |
parent | 698c93690b73ad295e806f35eea1389784944309 (diff) | |
stunnel: upgrade 5.69 -> 5.72
fix-openssl-no-des.patch
refreshed for 5.72
License-Update: Copyright year updated to 2024.
Changelog:
===========
* Security bugfixes
- OpenSSL DLLs updated to version 3.2.1.
- OpenSSL FIPS Provider updated to version 3.0.8.
* Bugfixes
- Fixed SSL_CTX_new() errors handling.
- Fixed OPENSSL_NO_PSK builds.
- Android build updated for NDK r23c.
- stunnel.nsi updated for Debian 12.
- Fixed tests with OpenSSL older than 1.0.2.
- Fixed the console output of tstunnel.exe.
- Fixed TLS socket EOF handling with OpenSSL 3.x.
This bug caused major interoperability issues between
stunnel built with OpenSSL 3.x and Microsoft's
Schannel Security Support Provider (SSP).
- Fixed reading certificate chains from PKCS#12 files.
* Features sponsored by SAE IT-systems
- OCSP stapling is requested and verified in the client mode.
- Using "verifyChain" automatically enables OCSP
stapling in the client mode.
- OCSP stapling is always available in the server mode.
- An inconclusive OCSP verification breaks TLS negotiation.
This can be disabled with "OCSPrequire = no".
- Added the "TIMEOUTocsp" option to control the maximum
time allowed for connecting an OCSP responder.
* Features
- Added support for Red Hat OpenSSL 3.x patches.
- Added configurable delay for the "retry" option.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-networking')
-rw-r--r-- | meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch | 34 | ||||
-rw-r--r-- | meta-networking/recipes-support/stunnel/stunnel_5.72.bb (renamed from meta-networking/recipes-support/stunnel/stunnel_5.69.bb) | 4 |
2 files changed, 20 insertions, 18 deletions
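--- a/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch
+++ b/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch
@@ -11,17 +11,16 @@ failed. Fix it by checking macro OPENSSL_NO_DES to use openssl des related
 library conditionaly.
 
 Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
 ---
 src/common.h | 2 ++
 src/protocol.c | 6 +++---
 2 files changed, 5 insertions(+), 3 deletions(-)
 
 diff --git a/src/common.h b/src/common.h
-index bc37eb5..03ee3e5 100644
+index 2b4869f..180d31a 100644
 --- a/src/common.h
 +++ b/src/common.h
-@@ -486,7 +486,9 @@ extern char *sys_errlist[];
+@@ -492,7 +492,9 @@ extern char *sys_errlist[];
 #ifndef OPENSSL_NO_MD4
 #include <openssl/md4.h>
 #endif /* !defined(OPENSSL_NO_MD4) */
@@ -32,29 +31,29 @@ index bc37eb5..03ee3e5 100644
 #include <openssl/dh.h>
 #if OPENSSL_VERSION_NUMBER<0x10100000L
 diff --git a/src/protocol.c b/src/protocol.c
-index 804f115..d9b2b50 100644
+index cfe6d3b..3936aea 100644
 --- a/src/protocol.c
 +++ b/src/protocol.c
-@@ -66,7 +66,7 @@ NOEXPORT char *nntp_client(CLI *, SERVICE_OPTIONS *, const PHASE);
-NOEXPORT char *ldap_client(CLI *, SERVICE_OPTIONS *, const PHASE);
-NOEXPORT char *connect_server(CLI *, SERVICE_OPTIONS *, const PHASE);
-NOEXPORT char *connect_client(CLI *, SERVICE_OPTIONS *, const PHASE);
+@@ -81,7 +81,7 @@ NOEXPORT void ldap_client_middle(CLI *);
+
+NOEXPORT void connect_server_early(CLI *);
+NOEXPORT void connect_client_middle(CLI *);
 -#ifndef OPENSSL_NO_MD4
 +#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DES)
-NOEXPORT void ntlm(CLI *, SERVICE_OPTIONS *);
+NOEXPORT void ntlm(CLI *);
 NOEXPORT char *ntlm1(void);
 NOEXPORT char *ntlm3(char *, char *, char *, char *);
-@@ -1351,7 +1351,7 @@ NOEXPORT char *connect_client(CLI *c, SERVICE_OPTIONS *opt, const PHASE phase) {
-fd_printf(c, c->remote_fd.fd, "Host: %s", opt->protocol_host);
-if(opt->protocol_username && opt->protocol_password) {
-if(!strcasecmp(opt->protocol_authentication, "ntlm")) {
+@@ -1331,7 +1331,7 @@ NOEXPORT void connect_client_middle(CLI *c) {
+fd_printf(c, c->remote_fd.fd, "Host: %s", c->opt->protocol_host);
+if(c->opt->protocol_username && c->opt->protocol_password) {
+if(!strcasecmp(c->opt->protocol_authentication, "ntlm")) {
 -#ifndef OPENSSL_NO_MD4
 +#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DES)
-ntlm(c, opt);
+ntlm(c);
 #else
 s_log(LOG_ERR, "NTLM authentication is not available");
-@@ -1395,7 +1395,7 @@ NOEXPORT char *connect_client(CLI *c, SERVICE_OPTIONS *opt, const PHASE phase) {
-return NULL;
+@@ -1374,7 +1374,7 @@ NOEXPORT void connect_client_middle(CLI *c) {
+str_free(line);
 }
 
 -#ifndef OPENSSL_NO_MD4
@@ -62,3 +61,6 @@ index 804f115..d9b2b50 100644
 
 /*
 * NTLM code is based on the following documentation:
+--
+2.34.1
+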
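Review bot: The `#else` branch in `connect_client_middle` shows only `s_log(LOG_ERR, "NTLM authentication is not available");`. The statements after it fall outside the carried patch's context, so it cannot be confirmed from here that the proxy CONNECT is aborted rather than sent without credentials. With the widened guard `#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DES)`, a build against OpenSSL without DES now also takes that branch for a service whose `protocol_authentication` is "ntlm". Once the fail-closed behaviour is checked against the 5.72 source, the patch description should state it, for example `NTLM proxy authentication is compiled out when OpenSSL lacks MD4 or DES; such a service fails at connect time`. `connect_client_middle` begins and ends outside the displayed hunks.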
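--- a/meta-networking/recipes-support/stunnel/stunnel_5.69.bb
+++ b/meta-networking/recipes-support/stunnel/stunnel_5.72.bb
@@ -3,7 +3,7 @@ DESCRIPTION = "SSL encryption wrapper between remote client and local (inetd-sta
 HOMEPAGE = "https://www.stunnel.org/"
 SECTION = "net"
 LICENSE = "GPL-2.0-or-later"
-LIC_FILES_CHKSUM = "file://COPYING.md;md5=b4988f33f70b383b3011c4ede0a679ce"
+LIC_FILES_CHKSUM = "file://COPYING.md;md5=906ac034adaee9d093318e51b53453ca"
 
 DEPENDS = "autoconf-archive libnsl2 openssl"
 
@@ -11,7 +11,7 @@ SRC_URI = "https://stunnel.org/archive/5.x/${BP}.tar.gz \
 file://fix-openssl-no-des.patch \
 "
 
-SRC_URI[sha256sum] = "1ff7d9f30884c75b98c8a0a4e1534fa79adcada2322635e6787337b4e38fdb81"
+SRC_URI[sha256sum] = "3d532941281ae353319735144e4adb9ae489a10b7e309c58a48157f08f42e949"
 
 inherit autotools bash-completion pkgconfig
 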