stunnel: update to 5.37.
This commit is contained in:
Toyam Cox
parent
0b33eb8951
commit
e0a5911c72
3 changed files with 163 additions and 79 deletions
|
|
@ -1,14 +1,32 @@
|
||||||
--- src/ctx.c 2015-11-26 13:32:51.458101892 +0100
|
--- src/verify.c 2015-11-26 13:32:51.458101892 +0100
|
||||||
+++ src/ctx.c 2015-11-26 13:36:05.918181575 +0100
|
+++ src/verify.c 2015-11-26 13:37:51.442682192 +0100
|
||||||
@@ -349,7 +349,7 @@
|
@@ -51,7 +51,7 @@
|
||||||
/**************************************** initialize OpenSSL CONF */
|
NOEXPORT int verify_callback(int, X509_STORE_CTX *);
|
||||||
|
NOEXPORT int verify_checks(CLI *, int, X509_STORE_CTX *);
|
||||||
NOEXPORT int conf_init(SERVICE_OPTIONS *section) {
|
NOEXPORT int cert_check(CLI *, X509_STORE_CTX *, int);
|
||||||
-#if OPENSSL_VERSION_NUMBER>=0x10002000L
|
-#if OPENSSL_VERSION_NUMBER>=0x10002000L
|
||||||
+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
|
+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||||
SSL_CONF_CTX *cctx;
|
NOEXPORT int cert_check_subject(CLI *, X509_STORE_CTX *);
|
||||||
NAME_LIST *curr;
|
#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
|
||||||
char *cmd, *param;
|
NOEXPORT int cert_check_local(X509_STORE_CTX *);
|
||||||
|
@@ -280,7 +280,7 @@
|
||||||
|
}
|
||||||
|
|
||||||
|
if(depth==0) { /* additional peer certificate checks */
|
||||||
|
-#if OPENSSL_VERSION_NUMBER>=0x10002000L
|
||||||
|
+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||||
|
if(!cert_check_subject(c, callback_ctx))
|
||||||
|
return 0; /* reject */
|
||||||
|
#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
|
||||||
|
@@ -291,7 +291,7 @@
|
||||||
|
return 1; /* accept */
|
||||||
|
}
|
||||||
|
|
||||||
|
-#if OPENSSL_VERSION_NUMBER>=0x10002000L
|
||||||
|
+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||||
|
NOEXPORT int cert_check_subject(CLI *c, X509_STORE_CTX *callback_ctx) {
|
||||||
|
X509 *cert=X509_STORE_CTX_get_current_cert(callback_ctx);
|
||||||
|
NAME_LIST *ptr;
|
||||||
--- src/options.c 2015-11-26 13:32:51.457101897 +0100
|
--- src/options.c 2015-11-26 13:32:51.457101897 +0100
|
||||||
+++ src/options.c 2015-11-26 13:39:04.422336822 +0100
|
+++ src/options.c 2015-11-26 13:39:04.422336822 +0100
|
||||||
@@ -1261,7 +1261,7 @@
|
@@ -1261,7 +1261,7 @@
|
||||||
|
|
@ -29,70 +47,3 @@
|
||||||
|
|
||||||
/* config */
|
/* config */
|
||||||
switch(cmd) {
|
switch(cmd) {
|
||||||
@@ -2539,7 +2539,7 @@
|
|
||||||
/* sslVersion */
|
|
||||||
switch(cmd) {
|
|
||||||
case CMD_BEGIN:
|
|
||||||
-#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
|
||||||
+#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
|
||||||
section->client_method=(SSL_METHOD *)TLS_client_method();
|
|
||||||
section->server_method=(SSL_METHOD *)TLS_server_method();
|
|
||||||
#else
|
|
||||||
@@ -2551,7 +2551,7 @@
|
|
||||||
if(strcasecmp(opt, "sslVersion"))
|
|
||||||
break;
|
|
||||||
if(!strcasecmp(arg, "all")) {
|
|
||||||
-#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
|
||||||
+#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
|
||||||
section->client_method=(SSL_METHOD *)TLS_client_method();
|
|
||||||
section->server_method=(SSL_METHOD *)TLS_server_method();
|
|
||||||
#else
|
|
||||||
--- src/prototypes.h 2015-11-26 13:32:51.459101887 +0100
|
|
||||||
+++ src/prototypes.h 2015-11-26 13:38:04.814618905 +0100
|
|
||||||
@@ -207,7 +207,7 @@
|
|
||||||
char *ocsp_url;
|
|
||||||
unsigned long ocsp_flags;
|
|
||||||
#endif /* !defined(OPENSSL_NO_OCSP) */
|
|
||||||
-#if OPENSSL_VERSION_NUMBER>=0x10002000L
|
|
||||||
+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
|
|
||||||
NAME_LIST *check_host, *check_email, *check_ip; /* cert subject checks */
|
|
||||||
NAME_LIST *config; /* OpenSSL CONF options */
|
|
||||||
#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
|
|
||||||
--- src/verify.c 2015-11-26 13:32:51.458101892 +0100
|
|
||||||
+++ src/verify.c 2015-11-26 13:37:51.442682192 +0100
|
|
||||||
@@ -51,7 +51,7 @@
|
|
||||||
NOEXPORT int verify_callback(int, X509_STORE_CTX *);
|
|
||||||
NOEXPORT int verify_checks(CLI *, int, X509_STORE_CTX *);
|
|
||||||
NOEXPORT int cert_check(CLI *, X509_STORE_CTX *, int);
|
|
||||||
-#if OPENSSL_VERSION_NUMBER>=0x10002000L
|
|
||||||
+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
|
|
||||||
NOEXPORT int cert_check_subject(CLI *, X509_STORE_CTX *);
|
|
||||||
#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
|
|
||||||
NOEXPORT int cert_check_local(X509_STORE_CTX *);
|
|
||||||
@@ -185,7 +185,7 @@
|
|
||||||
}
|
|
||||||
if(section->verify_level>=3) /* levels>=3 don't rely on PKI */
|
|
||||||
return;
|
|
||||||
-#if OPENSSL_VERSION_NUMBER>=0x10002000L
|
|
||||||
+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
|
|
||||||
if(section->check_email || section->check_host || section->check_ip)
|
|
||||||
return;
|
|
||||||
#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
|
|
||||||
@@ -280,7 +280,7 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
if(depth==0) { /* additional peer certificate checks */
|
|
||||||
-#if OPENSSL_VERSION_NUMBER>=0x10002000L
|
|
||||||
+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
|
|
||||||
if(!cert_check_subject(c, callback_ctx))
|
|
||||||
return 0; /* reject */
|
|
||||||
#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
|
|
||||||
@@ -291,7 +291,7 @@
|
|
||||||
return 1; /* accept */
|
|
||||||
}
|
|
||||||
|
|
||||||
-#if OPENSSL_VERSION_NUMBER>=0x10002000L
|
|
||||||
+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
|
|
||||||
NOEXPORT int cert_check_subject(CLI *c, X509_STORE_CTX *callback_ctx) {
|
|
||||||
X509 *cert=X509_STORE_CTX_get_current_cert(callback_ctx);
|
|
||||||
NAME_LIST *ptr;
|
|
||||||
|
|
|
||||||
130
srcpkgs/stunnel/patches/stunnel-openbsd.patch
Normal file
130
srcpkgs/stunnel/patches/stunnel-openbsd.patch
Normal file
|
|
@ -0,0 +1,130 @@
|
||||||
|
$OpenBSD: patch-src_verify_c,v 1.5 2016/11/10 10:10:50 gsoares Exp $
|
||||||
|
--- src/verify.c.orig Wed Jul 6 13:18:17 2016
|
||||||
|
+++ src/verify.c Thu Nov 10 07:00:09 2016
|
||||||
|
@@ -349,7 +349,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback
|
||||||
|
subject=X509_get_subject_name(cert);
|
||||||
|
|
||||||
|
#if OPENSSL_VERSION_NUMBER>=0x10000000L
|
||||||
|
-#if OPENSSL_VERSION_NUMBER<0x10100006L
|
||||||
|
+#if OPENSSL_VERSION_NUMBER<0x10100006L || defined(LIBRESSL_VERSION_NUMBER)
|
||||||
|
#define X509_STORE_CTX_get1_certs X509_STORE_get1_certs
|
||||||
|
#endif
|
||||||
|
/* modern API allows retrieving multiple matching certificates */
|
||||||
|
|
||||||
|
|
||||||
|
$OpenBSD: patch-src_sthreads_c,v 1.2 2016/11/10 10:10:50 gsoares Exp $
|
||||||
|
--- src/sthreads.c.orig Sat Oct 29 05:25:37 2016
|
||||||
|
+++ src/sthreads.c Wed Nov 9 20:22:39 2016
|
||||||
|
@@ -47,7 +47,7 @@
|
||||||
|
STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS];
|
||||||
|
#endif
|
||||||
|
|
||||||
|
-#if OPENSSL_VERSION_NUMBER<0x10100004L
|
||||||
|
+#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
|
||||||
|
#define CRYPTO_THREAD_lock_new() CRYPTO_get_new_dynlockid()
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
$OpenBSD: patch-src_ssl_c,v 1.4 2016/11/09 23:14:31 gsoares Exp $
|
||||||
|
--- src/ssl.c.orig Fri Aug 5 06:39:57 2016
|
||||||
|
+++ src/ssl.c Thu Nov 3 23:50:50 2016
|
||||||
|
@@ -50,7 +50,7 @@ NOEXPORT int add_rand_file(GLOBAL_OPTIONS *, const cha
|
||||||
|
int index_cli, index_opt, index_redirect, index_addr;
|
||||||
|
|
||||||
|
int ssl_init(void) { /* init SSL before parsing configuration file */
|
||||||
|
-#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
||||||
|
+#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||||
|
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS |
|
||||||
|
OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
|
||||||
|
#else
|
||||||
|
@@ -83,7 +83,7 @@ int ssl_init(void) { /* init SSL before parsing config
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_DH
|
||||||
|
-#if OPENSSL_VERSION_NUMBER<0x10100000L
|
||||||
|
+#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
||||||
|
/* this is needed for dhparam.c generated with OpenSSL >= 1.1.0
|
||||||
|
* to be linked against the older versions */
|
||||||
|
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
|
||||||
|
|
||||||
|
$OpenBSD: patch-src_prototypes_h,v 1.2 2016/11/10 10:10:50 gsoares Exp $
|
||||||
|
--- src/prototypes.h.orig Sat Oct 29 05:25:37 2016
|
||||||
|
+++ src/prototypes.h Wed Nov 9 20:22:39 2016
|
||||||
|
@@ -660,13 +660,13 @@ typedef enum {
|
||||||
|
#endif /* OPENSSL_NO_DH */
|
||||||
|
STUNNEL_LOCKS /* number of locks */
|
||||||
|
} LOCK_TYPE;
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x10100004L
|
||||||
|
+#if OPENSSL_VERSION_NUMBER < 0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
|
||||||
|
typedef int STUNNEL_RWLOCK;
|
||||||
|
#else
|
||||||
|
typedef CRYPTO_RWLOCK *STUNNEL_RWLOCK;
|
||||||
|
#endif
|
||||||
|
extern STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS];
|
||||||
|
-#if OPENSSL_VERSION_NUMBER>=0x10100004L
|
||||||
|
+#if OPENSSL_VERSION_NUMBER>=0x10100004L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||||
|
#define CRYPTO_THREAD_read_unlock(type) CRYPTO_THREAD_unlock(type)
|
||||||
|
#define CRYPTO_THREAD_write_unlock(type) CRYPTO_THREAD_unlock(type)
|
||||||
|
#else
|
||||||
|
|
||||||
|
$OpenBSD: patch-src_options_c,v 1.7 2016/11/09 23:14:31 gsoares Exp $
|
||||||
|
|
||||||
|
use SSLv23_client_method() required to build with libressl since that it haven't
|
||||||
|
TLS_client_method() for now.
|
||||||
|
|
||||||
|
--- src/options.c.orig Fri Aug 5 06:39:57 2016
|
||||||
|
+++ src/options.c Thu Nov 3 23:13:15 2016
|
||||||
|
@@ -2617,7 +2617,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O
|
||||||
|
/* sslVersion */
|
||||||
|
switch(cmd) {
|
||||||
|
case CMD_BEGIN:
|
||||||
|
-#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
||||||
|
+#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||||
|
section->client_method=(SSL_METHOD *)TLS_client_method();
|
||||||
|
section->server_method=(SSL_METHOD *)TLS_server_method();
|
||||||
|
#else
|
||||||
|
@@ -2629,7 +2629,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O
|
||||||
|
if(strcasecmp(opt, "sslVersion"))
|
||||||
|
break;
|
||||||
|
if(!strcasecmp(arg, "all")) {
|
||||||
|
-#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
||||||
|
+#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||||
|
section->client_method=(SSL_METHOD *)TLS_client_method();
|
||||||
|
section->server_method=(SSL_METHOD *)TLS_server_method();
|
||||||
|
#else
|
||||||
|
|
||||||
|
$OpenBSD: patch-src_ctx_c,v 1.4 2016/11/09 23:14:31 gsoares Exp $
|
||||||
|
--- src/ctx.c.orig Tue Jun 21 12:06:14 2016
|
||||||
|
+++ src/ctx.c Thu Nov 3 23:13:15 2016
|
||||||
|
@@ -366,7 +366,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) {
|
||||||
|
/**************************************** initialize OpenSSL CONF */
|
||||||
|
|
||||||
|
NOEXPORT int conf_init(SERVICE_OPTIONS *section) {
|
||||||
|
-#if OPENSSL_VERSION_NUMBER>=0x10002000L
|
||||||
|
+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||||
|
SSL_CONF_CTX *cctx;
|
||||||
|
NAME_LIST *curr;
|
||||||
|
char *cmd, *param;
|
||||||
|
|
||||||
|
$OpenBSD: patch-src_common_h,v 1.1 2016/11/09 23:14:31 gsoares Exp $
|
||||||
|
--- src/common.h.orig Mon Jun 27 04:29:32 2016
|
||||||
|
+++ src/common.h Thu Nov 3 23:57:29 2016
|
||||||
|
@@ -448,7 +448,7 @@ extern char *sys_errlist[];
|
||||||
|
#define OPENSSL_NO_TLS1_2
|
||||||
|
#endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */
|
||||||
|
|
||||||
|
-#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
||||||
|
+#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||||
|
#ifndef OPENSSL_NO_SSL2
|
||||||
|
#define OPENSSL_NO_SSL2
|
||||||
|
#endif /* !defined(OPENSSL_NO_SSL2) */
|
||||||
|
@@ -474,7 +474,7 @@ extern char *sys_errlist[];
|
||||||
|
#include <openssl/des.h>
|
||||||
|
#ifndef OPENSSL_NO_DH
|
||||||
|
#include <openssl/dh.h>
|
||||||
|
-#if OPENSSL_VERSION_NUMBER<0x10100000L
|
||||||
|
+#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
||||||
|
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
|
||||||
|
#endif /* OpenSSL older than 1.1.0 */
|
||||||
|
#endif /* !defined(OPENSSL_NO_DH) */
|
||||||
|
|
||||||
|
|
@ -1,7 +1,7 @@
|
||||||
# Template file for 'stunnel'
|
# Template file for 'stunnel'
|
||||||
pkgname=stunnel
|
pkgname=stunnel
|
||||||
version=5.31
|
version=5.37
|
||||||
revision=3
|
revision=1
|
||||||
build_style=gnu-configure
|
build_style=gnu-configure
|
||||||
configure_args="--enable-ipv6 --with-ssl=${XBPS_CROSS_BASE}/usr"
|
configure_args="--enable-ipv6 --with-ssl=${XBPS_CROSS_BASE}/usr"
|
||||||
hostmakedepends="perl"
|
hostmakedepends="perl"
|
||||||
|
|
@ -11,7 +11,7 @@ maintainer="Toyam Cox <Vaelatern@gmail.com>"
|
||||||
license="GPL-2"
|
license="GPL-2"
|
||||||
homepage="https://www.stunnel.org/"
|
homepage="https://www.stunnel.org/"
|
||||||
distfiles="https://www.stunnel.org/downloads/archive/5.x/${pkgname}-${version}.tar.gz"
|
distfiles="https://www.stunnel.org/downloads/archive/5.x/${pkgname}-${version}.tar.gz"
|
||||||
checksum=a746b71ab3dc6c23eacb0daf7342467870e43ac933430905eb1b1d050bbae0b7
|
checksum=d0e3530e3effc64fdec792c71791d4937c6b8bd3b9ea4895c6bb6526dcd0d241
|
||||||
|
|
||||||
post_install() {
|
post_install() {
|
||||||
rm ${DESTDIR}/usr/share/man/man8/stunnel.??.8
|
rm ${DESTDIR}/usr/share/man/man8/stunnel.??.8
|
||||||
|
|
@ -24,3 +24,6 @@ post_install() {
|
||||||
# Using the archive is the only way to get builds to keep working after the
|
# Using the archive is the only way to get builds to keep working after the
|
||||||
# new version is out. LibreSSL patches for stunnel 5.35 don't yet work. Not
|
# new version is out. LibreSSL patches for stunnel 5.35 don't yet work. Not
|
||||||
# enough is made conditional.
|
# enough is made conditional.
|
||||||
|
# Significant thanks to the OpenBSD project for creating patch sets for 5.37
|
||||||
|
# One thing OpenBSD does that we don't do here is add a _stunnel user/group and
|
||||||
|
# modify the configuration samples to chroot and use this by default.
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue