Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package stunnel for openSUSE:Factory checked in at 2022-11-02 12:47:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/stunnel (Old) and /work/SRC/openSUSE:Factory/.stunnel.new.2275 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "stunnel" Wed Nov 2 12:47:06 2022 rev:34 rq:1032746 version:5.67 Changes: -------- --- /work/SRC/openSUSE:Factory/stunnel/stunnel.changes 2022-09-15 23:01:17.645571762 +0200 +++ /work/SRC/openSUSE:Factory/.stunnel.new.2275/stunnel.changes 2022-11-02 12:47:52.101789402 +0100 @@ -1,0 +2,11 @@ +Tue Nov 1 19:41:16 UTC 2022 - Michael Str??der <mich...@stroeder.com> + +- Update to 5.67 + * New features + - Provided a logging callback to custom engines. + * Bugfixes + - Fixed "make cert" with OpenSSL older than 3.0. + - Fixed the code and the documentation to use conscious + language for SNI servers (thx to Clemens Lang). + +------------------------------------------------------------------- Old: ---- stunnel-5.66.tar.gz stunnel-5.66.tar.gz.asc New: ---- stunnel-5.67.tar.gz stunnel-5.67.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ stunnel.spec ++++++ --- /var/tmp/diff_new_pack.q2CUMS/_old 2022-11-02 12:47:52.837793138 +0100 +++ /var/tmp/diff_new_pack.q2CUMS/_new 2022-11-02 12:47:52.841793158 +0100 @@ -22,7 +22,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: stunnel -Version: 5.66 +Version: 5.67 Release: 0 Summary: Universal TLS Tunnel License: GPL-2.0-or-later ++++++ stunnel-5.66.tar.gz -> stunnel-5.67.tar.gz ++++++ ++++ 21534 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/NEWS.md new/stunnel-5.67/NEWS.md --- old/stunnel-5.66/NEWS.md 2022-09-11 23:15:42.000000000 +0200 +++ new/stunnel-5.67/NEWS.md 2022-10-29 20:24:53.000000000 +0200 
@@ -1,7 +1,16 @@ # stunnel change log -### Version 5.66, unreleased, urgency: MEDIUM +### Version 5.67, unreleased, urgency: LOW +* New features + - Provided a logging callback to custom engines. +* Bugfixes + - OpenSSL DLLs updated to version 3.0.6. + - Fixed "make cert" with OpenSSL older than 3.0. + - Fixed the code and the documentation to use concious + language for SNI servers (thx to Clemens Lang). + +### Version 5.66, 2022.09.11, urgency: MEDIUM * New features - OpenSSL 3.0 FIPS Provider support for Windows. * Bugfixes @@ -265,7 +274,7 @@ - Clarified port binding error logs. - Various "make test" improvements. * Bugfixes - - Fixed a crash on switching to SNI slave sections. + - Fixed a crash on switching to SNI secondary sections. ### Version 5.46, 2018.05.28, urgency: MEDIUM * New features @@ -386,8 +395,8 @@ ### Version 5.37, 2016.11.06, urgency: MEDIUM * Bugfixes - OpenSSL DLLs updated to version 1.0.2j (stops crashes). - - The default SNI target (not handled by any slave service) - is handled by the master service rather than rejected. + - The default SNI target (not handled by any secondary service) + is handled by the primary service rather than rejected. - Removed thread synchronization in the FORK threading model. ### Version 5.36, 2016.09.22, urgency: HIGH diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/auto/compile new/stunnel-5.67/auto/compile --- old/stunnel-5.66/auto/compile 2021-04-05 23:20:17.000000000 +0200 +++ new/stunnel-5.67/auto/compile 2022-08-13 15:50:40.000000000 +0200 
@@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1999-2020 Free Software Foundation, Inc. +# Copyright (C) 1999-2021 Free Software Foundation, Inc. # Written by Tom Tromey <tro...@cygnus.com>. # # This program is free software; you can redistribute it and/or modify diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/auto/missing new/stunnel-5.67/auto/missing --- old/stunnel-5.66/auto/missing 2021-04-05 23:20:17.000000000 +0200 +++ new/stunnel-5.67/auto/missing 2022-08-13 15:50:40.000000000 +0200 @@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1996-2020 Free Software Foundation, Inc. +# Copyright (C) 1996-2021 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard <pin...@iro.umontreal.ca>, 1996. # This program is free software; you can redistribute it and/or modify diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/configure.ac new/stunnel-5.67/configure.ac --- old/stunnel-5.66/configure.ac 2022-09-11 23:15:42.000000000 +0200 +++ new/stunnel-5.67/configure.ac 2022-09-15 22:13:24.000000000 +0200 
@@ -1,6 +1,6 @@ # Process this file with autoconf to produce a configure script. -AC_INIT([stunnel],[5.66]) +AC_INIT([stunnel],[5.67]) AC_MSG_NOTICE([**************************************** initialization]) AC_CONFIG_AUX_DIR(auto) AC_CONFIG_MACRO_DIR([m4]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/doc/stunnel.8.in new/stunnel-5.67/doc/stunnel.8.in --- old/stunnel-5.66/doc/stunnel.8.in 2021-12-23 11:55:31.000000000 +0100 +++ new/stunnel-5.67/doc/stunnel.8.in 2022-10-08 20:08:13.000000000 +0200 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40) +.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42) .\" .\" Standard preamble: .\" ======================================================================== @@ -71,7 +71,7 @@ .\" ======================================================================== .\" .IX Title "stunnel 8" -.TH stunnel 8 "2021.12.23" "5.62" "stunnel TLS Proxy" +.TH stunnel 8 "2022.10.08" "5.67" "stunnel TLS Proxy" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -198,13 +198,18 @@ .IX Item "debug = [FACILITY.]LEVEL" debugging level .Sp -Level is one of the syslog level names or numbers -emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), -info (6), or debug (7). All logs for the specified level and -all levels numerically less than it will be shown. Use \fIdebug = debug\fR or -\&\fIdebug = 7\fR for greatest debugging output. The default is notice (5). +Level is one of the syslog level names or numbers emerg (0), alert (1), +crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs +for the specified level and all levels numerically less than it will be shown. +.Sp +The \fIdebug = debug\fR (or the equivalent <debug = 7>) level produces for the +most verbose log output. This logging level is only meant to be understood by +stunnel developers, and not by users. Please either use the debug level when +requested to do so by an stunnel developer, or when you intend to get confused. +.Sp +The default logging level is notice (5). .Sp -The syslog facility 'daemon' will be used unless a facility name is supplied. +The syslog 'daemon' facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.) .Sp Case is ignored for both facilities and levels. 
@@ -938,26 +943,26 @@ address of sessiond \s-1TLS\s0 cache server .IP "\fBsni\fR = \s-1SERVICE_NAME:SERVER_NAME_PATTERN\s0 (server mode)" 4 .IX Item "sni = SERVICE_NAME:SERVER_NAME_PATTERN (server mode)" -Use the service as a slave service (a name-based virtual server) for Server +Use the service as a secondary service (a name-based virtual server) for Server Name Indication \s-1TLS\s0 extension (\s-1RFC 3546\s0). .Sp -\&\fI\s-1SERVICE_NAME\s0\fR specifies the master service that accepts client connections +\&\fI\s-1SERVICE_NAME\s0\fR specifies the primary service that accepts client connections with the \fIaccept\fR option. \fI\s-1SERVER_NAME_PATTERN\s0\fR specifies the host name to be redirected. The pattern may start with the '*' character, e.g. -\&'*.example.com'. Multiple slave services are normally specified for a single -master service. The \fIsni\fR option can also be specified more than once within -a single slave service. +\&'*.example.com'. Multiple secondary services are normally specified for +a single primary service. The \fIsni\fR option can also be specified more than +once within a single secondary service. .Sp -This service, as well as the master service, may not be configured in client +This service, as well as the primary service, may not be configured in client mode. .Sp -The \fIconnect\fR option of the slave service is ignored when the \fIprotocol\fR +The \fIconnect\fR option of the secondary service is ignored when the \fIprotocol\fR option is specified, as \fIprotocol\fR connects to the remote host before \s-1TLS\s0 handshake. .Sp -Libwrap checks (Unix only) are performed twice: with the master service name -after \s-1TCP\s0 connection is accepted, and with the slave service name during the -\&\s-1TLS\s0 handshake. +Libwrap checks (Unix only) are performed twice: with the primary service name +after \s-1TCP\s0 connection is accepted, and with the secondary service name during +the \s-1TLS\s0 handshake. 
.Sp The \fIsni\fR option is only available when compiled with \fBOpenSSL 1.0.0\fR and later. @@ -1376,19 +1381,19 @@ .PP .Vb 5 \& [virtual] -\& ; master service +\& ; primary service \& accept = 443 \& cert = default.pem \& connect = default.internal.mydomain.com:8080 \& \& [sni1] -\& ; slave service 1 +\& ; secondary service 1 \& sni = virtual:server1.mydomain.com \& cert = server1.pem \& connect = server1.internal.mydomain.com:8081 \& \& [sni2] -\& ; slave service 2 +\& ; secondary service 2 \& sni = virtual:server2.mydomain.com \& cert = server2.pem \& connect = server2.internal.mydomain.com:8082 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/doc/stunnel.html.in new/stunnel-5.67/doc/stunnel.html.in --- old/stunnel-5.66/doc/stunnel.html.in 2021-12-23 11:55:31.000000000 +0100 +++ new/stunnel-5.67/doc/stunnel.html.in 2022-10-08 20:08:12.000000000 +0200 
@@ -242,9 +242,13 @@ <p>debugging level</p> -<p>Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use <i>debug = debug</i> or <i>debug = 7</i> for greatest debugging output. The default is notice (5).</p> +<p>Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown.</p> -<p>The syslog facility 'daemon' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p> +<p>The <i>debug = debug</i> (or the equivalent <debug = 7>) level produces for the most verbose log output. This logging level is only meant to be understood by stunnel developers, and not by users. Please either use the debug level when requested to do so by an stunnel developer, or when you intend to get confused.</p> + +<p>The default logging level is notice (5).</p> + +<p>The syslog 'daemon' facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p> <p>Case is ignored for both facilities and levels.</p> @@ -424,7 +428,7 @@ <p>To listen on all IPv6 addresses use:</p> -<pre><code> accept = :::PORT</code></pre> +<pre><code>accept = :::PORT</code></pre> </dd> <dt id="CApath-DIRECTORY"><b>CApath</b> = DIRECTORY</dt> @@ -574,13 +578,13 @@ <p>To get a list of supported curves use:</p> -<pre><code> openssl ecparam -list_curves</code></pre> +<pre><code>openssl ecparam -list_curves</code></pre> <p>default:</p> -<pre><code> X25519:P-256:X448:P-521:P-384 (OpenSSL 1.1.1 or later) +<pre><code>X25519:P-256:X448:P-521:P-384 (OpenSSL 1.1.1 or later) - prime256v1 (OpenSSL older than 1.1.1)</code></pre> +prime256v1 (OpenSSL older than 1.1.1)</code></pre> </dd> <dt id="logId-TYPE"><b>logId</b> = TYPE</dt> 
@@ -718,13 +722,13 @@ <p>for global options:</p> -<pre><code> 00-global.conf</code></pre> +<pre><code>00-global.conf</code></pre> <p>for local service-level options:</p> -<pre><code> 01-service.conf +<pre><code>01-service.conf - 02-service.conf</code></pre> +02-service.conf</code></pre> </dd> <dt id="key-KEY_FILE"><b>key</b> = KEY_FILE</dt> @@ -734,7 +738,7 @@ <p>A private key is needed to authenticate the certificate owner. Since this file should be kept secret it should only be readable by its owner. On Unix systems you can use the following command:</p> -<pre><code> chmod 600 keyfile</code></pre> +<pre><code>chmod 600 keyfile</code></pre> <p>This parameter is also used as the private key identifier when a hardware engine is enabled.</p> @@ -798,12 +802,12 @@ <p>For example, for compatibility with the erroneous Eudora TLS implementation, the following option can be used:</p> -<pre><code> options = DONT_INSERT_EMPTY_FRAGMENTS</code></pre> +<pre><code>options = DONT_INSERT_EMPTY_FRAGMENTS</code></pre> <p>default:</p> -<pre><code> options = NO_SSLv2 - options = NO_SSLv3</code></pre> +<pre><code>options = NO_SSLv2 +options = NO_SSLv3</code></pre> <p>Use <i>sslVersionMax</i> or <i>sslVersionMin</i> option instead of disabling specific TLS protocol versions when compiled with <b>OpenSSL 1.1.0</b> or later.</p> @@ -979,7 +983,7 @@ <p>Each line of the file in the following format:</p> -<pre><code> IDENTITY:KEY</code></pre> +<pre><code>IDENTITY:KEY</code></pre> <p>Hexadecimal keys are automatically converted to binary form. Keys are required to be at least 16 bytes long, which implies at least 32 characters for hexadecimal keys. The file should neither be world-readable nor world-writable.</p> 
@@ -1153,15 +1157,15 @@ <dt id="sni-SERVICE_NAME:SERVER_NAME_PATTERN-server-mode"><b>sni</b> = SERVICE_NAME:SERVER_NAME_PATTERN (server mode)</dt> <dd> -<p>Use the service as a slave service (a name-based virtual server) for Server Name Indication TLS extension (RFC 3546).</p> +<p>Use the service as a secondary service (a name-based virtual server) for Server Name Indication TLS extension (RFC 3546).</p> -<p><i>SERVICE_NAME</i> specifies the master service that accepts client connections with the <i>accept</i> option. <i>SERVER_NAME_PATTERN</i> specifies the host name to be redirected. The pattern may start with the '*' character, e.g. '*.example.com'. Multiple slave services are normally specified for a single master service. The <i>sni</i> option can also be specified more than once within a single slave service.</p> +<p><i>SERVICE_NAME</i> specifies the primary service that accepts client connections with the <i>accept</i> option. <i>SERVER_NAME_PATTERN</i> specifies the host name to be redirected. The pattern may start with the '*' character, e.g. '*.example.com'. Multiple secondary services are normally specified for a single primary service. 
The <i>sni</i> option can also be specified more than once within a single secondary service.</p> -<p>This service, as well as the master service, may not be configured in client mode.</p> +<p>This service, as well as the primary service, may not be configured in client mode.</p> -<p>The <i>connect</i> option of the slave service is ignored when the <i>protocol</i> option is specified, as <i>protocol</i> connects to the remote host before TLS handshake.</p> +<p>The <i>connect</i> option of the secondary service is ignored when the <i>protocol</i> option is specified, as <i>protocol</i> connects to the remote host before TLS handshake.</p> -<p>Libwrap checks (Unix only) are performed twice: with the master service name after TCP connection is accepted, and with the slave service name during the TLS handshake.</p> +<p>Libwrap checks (Unix only) are performed twice: with the primary service name after TCP connection is accepted, and with the secondary service name during the TLS handshake.</p> <p>The <i>sni</i> option is only available when compiled with <b>OpenSSL 1.0.0</b> and later.</p> @@ -1185,15 +1189,15 @@ <p>Examples:</p> -<pre><code> socket = l:SO_LINGER=1:60 - set one minute timeout for closing local socket - socket = r:SO_OOBINLINE=yes - place out-of-band data directly into the - receive data stream for remote sockets - socket = a:SO_REUSEADDR=no - disable address reuse (enabled by default) - socket = a:SO_BINDTODEVICE=lo - only accept connections on loopback interface</code></pre> +<pre><code>socket = l:SO_LINGER=1:60 + set one minute timeout for closing local socket +socket = r:SO_OOBINLINE=yes + place out-of-band data directly into the + receive data stream for remote sockets +socket = a:SO_REUSEADDR=no + disable address reuse (enabled by default) +socket = a:SO_BINDTODEVICE=lo + only accept connections on loopback interface</code></pre> </dd> <dt id="sslVersion-SSL_VERSION"><b>sslVersion</b> = SSL_VERSION</dt> 
@@ -1209,12 +1213,12 @@ <p>Setting the option</p> -<pre><code> sslVersion = SSL_VERSION</code></pre> +<pre><code>sslVersion = SSL_VERSION</code></pre> <p>is equivalent to options</p> -<pre><code> sslVersionMax = SSL_VERSION - sslVersionMin = SSL_VERSION</code></pre> +<pre><code>sslVersionMax = SSL_VERSION +sslVersionMin = SSL_VERSION</code></pre> <p>when compiled with <b>OpenSSL 1.1.0</b> and later.</p> @@ -1346,13 +1350,13 @@ <p>This configuration requires the following setup for iptables and routing (possibly in /etc/rc.local or equivalent file):</p> -<pre><code> iptables -t mangle -N DIVERT - iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT - iptables -t mangle -A DIVERT -j MARK --set-mark 1 - iptables -t mangle -A DIVERT -j ACCEPT - ip rule add fwmark 1 lookup 100 - ip route add local 0.0.0.0/0 dev lo table 100 - echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter</code></pre> +<pre><code>iptables -t mangle -N DIVERT +iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT +iptables -t mangle -A DIVERT -j MARK --set-mark 1 +iptables -t mangle -A DIVERT -j ACCEPT +ip rule add fwmark 1 lookup 100 +ip route add local 0.0.0.0/0 dev lo table 100 +echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter</code></pre> <p><b>stunnel</b> must also to be executed as root and without the <i>setuid</i> option.</p> 
@@ -1387,24 +1391,24 @@ <p>A service section for transparent destination may look like this:</p> -<pre><code> [transparent] - client = yes - accept = <stunnel_port> - transparent = destination</code></pre> +<pre><code>[transparent] +client = yes +accept = <stunnel_port> +transparent = destination</code></pre> <p>This configuration requires iptables setup to work, possibly in /etc/rc.local or equivalent file.</p> <p>For a connect target installed on the same host:</p> -<pre><code> /sbin/iptables -t nat -I OUTPUT -p tcp --dport <redirected_port> \ - -m ! --uid-owner <stunnel_user_id> \ - -j DNAT --to-destination <local_ip>:<stunnel_port></code></pre> +<pre><code>/sbin/iptables -t nat -I OUTPUT -p tcp --dport <redirected_port> \ + -m ! --uid-owner <stunnel_user_id> \ + -j DNAT --to-destination <local_ip>:<stunnel_port></code></pre> <p>For a connect target installed on a remote host:</p> -<pre><code> /sbin/iptables -I INPUT -i eth0 -p tcp --dport <stunnel_port> -j ACCEPT - /sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \ - -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port></code></pre> +<pre><code>/sbin/iptables -I INPUT -i eth0 -p tcp --dport <stunnel_port> -j ACCEPT +/sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \ + -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port></code></pre> <p>The transparent destination option is currently only supported on Linux.</p> 
@@ -1575,116 +1579,116 @@ <p>In order to provide TLS encapsulation to your local <i>imapd</i> service, use:</p> -<pre><code> [imapd] - accept = 993 - exec = /usr/sbin/imapd - execArgs = imapd</code></pre> +<pre><code>[imapd] +accept = 993 +exec = /usr/sbin/imapd +execArgs = imapd</code></pre> <p>or in remote mode:</p> -<pre><code> [imapd] - accept = 993 - connect = 143</code></pre> +<pre><code>[imapd] +accept = 993 +connect = 143</code></pre> <p>In order to let your local e-mail client connect to a TLS-enabled <i>imapd</i> service on another server, configure the e-mail client to connect to localhost on port 119 and use:</p> -<pre><code> [imap] - client = yes - accept = 143 - connect = servername:993</code></pre> +<pre><code>[imap] +client = yes +accept = 143 +connect = servername:993</code></pre> <p>If you want to provide tunneling to your <i>pppd</i> daemon on port 2020, use something like:</p> -<pre><code> [vpn] - accept = 2020 - exec = /usr/sbin/pppd - execArgs = pppd local - pty = yes</code></pre> +<pre><code>[vpn] +accept = 2020 +exec = /usr/sbin/pppd +execArgs = pppd local +pty = yes</code></pre> <p>If you want to use <b>stunnel</b> in <i>inetd</i> mode to launch your imapd process, you'd use this <i>stunnel.conf</i>. 
Note there must be no <i>[service_name]</i> section.</p> -<pre><code> exec = /usr/sbin/imapd - execArgs = imapd</code></pre> +<pre><code>exec = /usr/sbin/imapd +execArgs = imapd</code></pre> <p>To setup SOCKS VPN configure the following client service:</p> -<pre><code> [socks_client] - client = yes - accept = 127.0.0.1:1080 - connect = vpn_server:9080 - verifyPeer = yes - CAfile = stunnel.pem</code></pre> +<pre><code>[socks_client] +client = yes +accept = 127.0.0.1:1080 +connect = vpn_server:9080 +verifyPeer = yes +CAfile = stunnel.pem</code></pre> <p>The corresponding configuration on the vpn_server host:</p> -<pre><code> [socks_server] - protocol = socks - accept = 9080 - cert = stunnel.pem - key = stunnel.key</code></pre> +<pre><code>[socks_server] +protocol = socks +accept = 9080 +cert = stunnel.pem +key = stunnel.key</code></pre> <p>Now test your configuration on the client machine with:</p> -<pre><code> curl --socks4a localhost http://www.example.com/</code></pre> +<pre><code>curl --socks4a localhost http://www.example.com/</code></pre> <p>An example server mode SNI configuration:</p> -<pre><code> [virtual] - ; master service - accept = 443 - cert = default.pem - connect = default.internal.mydomain.com:8080 - - [sni1] - ; slave service 1 - sni = virtual:server1.mydomain.com - cert = server1.pem - connect = server1.internal.mydomain.com:8081 - - [sni2] - ; slave service 2 - sni = virtual:server2.mydomain.com - cert = server2.pem - connect = server2.internal.mydomain.com:8082 - verifyPeer = yes - CAfile = server2-allowed-clients.pem</code></pre> +<pre><code>[virtual] +; primary service +accept = 443 +cert = default.pem +connect = default.internal.mydomain.com:8080 + +[sni1] +; secondary service 1 +sni = virtual:server1.mydomain.com +cert = server1.pem +connect = server1.internal.mydomain.com:8081 + +[sni2] +; secondary service 2 +sni = virtual:server2.mydomain.com +cert = server2.pem +connect = server2.internal.mydomain.com:8082 +verifyPeer = yes +CAfile = 
server2-allowed-clients.pem</code></pre> <p>An example of advanced engine configuration allows for authentication with private keys stored in the Windows certificate store (Windows only). With the CAPI engine you don't need to manually select the client key to use. The client key is automatically selected based on the list of CAs trusted by the server.</p> -<pre><code> engine = capi +<pre><code>engine = capi - [service] - engineId = capi - client = yes - accept = 127.0.0.1:8080 - connect = example.com:8443</code></pre> +[service] +engineId = capi +client = yes +accept = 127.0.0.1:8080 +connect = example.com:8443</code></pre> <p>An example of advanced engine configuration to use the certificate and the corresponding private key from a pkcs11 engine:</p> -<pre><code> engine = pkcs11 - engineCtrl = MODULE_PATH:opensc-pkcs11.so - engineCtrl = PIN:123456 - - [service] - engineId = pkcs11 - client = yes - accept = 127.0.0.1:8080 - connect = example.com:843 - cert = pkcs11:token=MyToken;object=MyCert - key = pkcs11:token=MyToken;object=MyKey</code></pre> +<pre><code>engine = pkcs11 +engineCtrl = MODULE_PATH:opensc-pkcs11.so +engineCtrl = PIN:123456 + +[service] +engineId = pkcs11 +client = yes +accept = 127.0.0.1:8080 +connect = example.com:843 +cert = pkcs11:token=MyToken;object=MyCert +key = pkcs11:token=MyToken;object=MyKey</code></pre> <p>An example of advanced engine configuration to use the certificate and the corresponding private key from a SoftHSM token:</p> -<pre><code> engine = pkcs11 - engineCtrl = MODULE_PATH:softhsm2.dll - engineCtrl = PIN:12345 - - [service] - engineId = pkcs11 - client = yes - accept = 127.0.0.1:8080 - connect = example.com:843 - cert = pkcs11:token=MyToken;object=KeyCert</code></pre> +<pre><code>engine = pkcs11 +engineCtrl = MODULE_PATH:softhsm2.dll +engineCtrl = PIN:12345 + +[service] +engineId = pkcs11 +client = yes +accept = 127.0.0.1:8080 +connect = example.com:843 +cert = pkcs11:token=MyToken;object=KeyCert</code></pre> <a 
href="#_podtop_"><h1 id="NOTES">NOTES</h1></a> @@ -1698,7 +1702,7 @@ <p>For example, if you have the following line in <i>inetd.conf</i>:</p> -<pre><code> imaps stream tcp nowait root @bindir@/stunnel stunnel @sysconfdir@/stunnel/imaps.conf</code></pre> +<pre><code>imaps stream tcp nowait root @bindir@/stunnel stunnel @sysconfdir@/stunnel/imaps.conf</code></pre> <p>In these cases, the <i>inetd</i>-style program is responsible for binding a network socket (<i>imaps</i> above) and handing it to <b>stunnel</b> when a connection is received. Thus you do not want <b>stunnel</b> to have any <i>accept</i> option. All the <i>Service Level Options</i> should be placed in the global options section, and no <i>[service_name]</i> section will be present. See the <i>EXAMPLES</i> section for example configurations.</p> @@ -1708,12 +1712,12 @@ <p>The <i>.pem</i> file should contain the unencrypted private key and a signed certificate (not certificate request). So the file should look like this:</p> -<pre><code> -----BEGIN RSA PRIVATE KEY----- - [encoded key] - -----END RSA PRIVATE KEY----- - -----BEGIN CERTIFICATE----- - [encoded certificate] - -----END CERTIFICATE-----</code></pre> +<pre><code>-----BEGIN RSA PRIVATE KEY----- +[encoded key] +-----END RSA PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +[encoded certificate] +-----END CERTIFICATE-----</code></pre> <h2 id="RANDOMNESS">RANDOMNESS</h2> 
@@ -1759,7 +1763,7 @@ <p>Alternatively, it is possible to specify static DH parameters in the certificate file, which disables generating temporary DH parameters:</p> -<pre><code> openssl dhparam 2048 >> stunnel.pem</code></pre> +<pre><code>openssl dhparam 2048 >> stunnel.pem</code></pre> <a href="#_podtop_"><h1 id="FILES">FILES</h1></a> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/doc/stunnel.pl.8.in new/stunnel-5.67/doc/stunnel.pl.8.in --- old/stunnel-5.66/doc/stunnel.pl.8.in 2021-12-23 11:55:31.000000000 +0100 +++ new/stunnel-5.67/doc/stunnel.pl.8.in 2022-03-15 20:27:02.000000000 +0100 @@ -71,7 +71,7 @@ .\" ======================================================================== .\" .IX Title "stunnel 8" -.TH stunnel 8 "2021.12.23" "5.62" "stunnel TLS Proxy" +.TH stunnel 8 "2022.03.15" "5.64" "stunnel TLS Proxy" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/doc/stunnel.pod.in new/stunnel-5.67/doc/stunnel.pod.in --- old/stunnel-5.66/doc/stunnel.pod.in 2021-12-23 11:54:23.000000000 +0100 +++ new/stunnel-5.67/doc/stunnel.pod.in 2022-09-15 22:13:24.000000000 +0200 
@@ -186,13 +186,18 @@ debugging level -Level is one of the syslog level names or numbers -emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), -info (6), or debug (7). All logs for the specified level and -all levels numerically less than it will be shown. Use I<debug = debug> or -I<debug = 7> for greatest debugging output. The default is notice (5). +Level is one of the syslog level names or numbers emerg (0), alert (1), +crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs +for the specified level and all levels numerically less than it will be shown. + +The I<debug = debug> (or the equivalent <debug = 7>) level produces for the +most verbose log output. This logging level is only meant to be understood by +stunnel developers, and not by users. Please either use the debug level when +requested to do so by an stunnel developer, or when you intend to get confused. + +The default logging level is notice (5). -The syslog facility 'daemon' will be used unless a facility name is supplied. +The syslog 'daemon' facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.) Case is ignored for both facilities and levels. 
@@ -1012,26 +1017,26 @@ =item B<sni> = SERVICE_NAME:SERVER_NAME_PATTERN (server mode) -Use the service as a slave service (a name-based virtual server) for Server +Use the service as a secondary service (a name-based virtual server) for Server Name Indication TLS extension (RFC 3546). -I<SERVICE_NAME> specifies the master service that accepts client connections +I<SERVICE_NAME> specifies the primary service that accepts client connections with the I<accept> option. I<SERVER_NAME_PATTERN> specifies the host name to be redirected. The pattern may start with the '*' character, e.g. -'*.example.com'. Multiple slave services are normally specified for a single -master service. The I<sni> option can also be specified more than once within -a single slave service. +'*.example.com'. Multiple secondary services are normally specified for +a single primary service. The I<sni> option can also be specified more than +once within a single secondary service. -This service, as well as the master service, may not be configured in client +This service, as well as the primary service, may not be configured in client mode. -The I<connect> option of the slave service is ignored when the I<protocol> +The I<connect> option of the secondary service is ignored when the I<protocol> option is specified, as I<protocol> connects to the remote host before TLS handshake. -Libwrap checks (Unix only) are performed twice: with the master service name -after TCP connection is accepted, and with the slave service name during the -TLS handshake. +Libwrap checks (Unix only) are performed twice: with the primary service name +after TCP connection is accepted, and with the secondary service name during +the TLS handshake. The I<sni> option is only available when compiled with B<OpenSSL 1.0.0> and later. 
@@ -1479,19 +1484,19 @@ An example server mode SNI configuration: [virtual] - ; master service + ; primary service accept = 443 cert = default.pem connect = default.internal.mydomain.com:8080 [sni1] - ; slave service 1 + ; secondary service 1 sni = virtual:server1.mydomain.com cert = server1.pem connect = server1.internal.mydomain.com:8081 [sni2] - ; slave service 2 + ; secondary service 2 sni = virtual:server2.mydomain.com cert = server2.pem connect = server2.internal.mydomain.com:8082 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/src/client.c new/stunnel-5.67/src/client.c --- old/stunnel-5.66/src/client.c 2022-09-11 23:15:42.000000000 +0200 +++ new/stunnel-5.67/src/client.c 2022-10-29 20:24:53.000000000 +0200 
@@ -673,19 +673,18 @@ #if OPENSSL_VERSION_NUMBER >= 0x10101000L NOEXPORT void print_tmp_key(SSL *s) { EVP_PKEY *key; + long tmp_key_found; #ifdef SSL_CTRL_GET_PEER_TMP_KEY - if (!SSL_get_peer_tmp_key(s, &key)) { - sslerror("SSL_get_peer_tmp_key"); - return; - } + tmp_key_found=SSL_get_peer_tmp_key(s, &key); #else - if (!SSL_get_server_tmp_key(s, &key)) { - sslerror("SSL_get_server_tmp_key"); + tmp_key_found=SSL_get_server_tmp_key(s, &key); +#endif + if(!tmp_key_found) { + s_log(LOG_INFO, "No peer temporary key received"); return; } -#endif - switch (EVP_PKEY_id(key)) { + switch(EVP_PKEY_id(key)) { case EVP_PKEY_RSA: s_log(LOG_INFO, "Peer temporary key: RSA, %d bits", EVP_PKEY_bits(key)); break; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/src/config.h.in new/stunnel-5.67/src/config.h.in --- old/stunnel-5.66/src/config.h.in 2022-09-11 23:16:06.000000000 +0200 +++ new/stunnel-5.67/src/config.h.in 2022-10-08 20:06:24.000000000 +0200 @@ -69,9 +69,6 @@ /* Define to 1 if you have the <malloc.h> header file. */ #undef HAVE_MALLOC_H -/* Define to 1 if you have the <memory.h> header file. */ -#undef HAVE_MEMORY_H - /* Define to 1 if you have 'msghdr.msg_control' structure. */ #undef HAVE_MSGHDR_MSG_CONTROL @@ -120,6 +117,9 @@ /* Define to 1 if you have the <stdint.h> header file. */ #undef HAVE_STDINT_H +/* Define to 1 if you have the <stdio.h> header file. */ +#undef HAVE_STDIO_H + /* Define to 1 if you have the <stdlib.h> header file. */ #undef HAVE_STDLIB_H 
@@ -247,7 +247,9 @@ /* TLS directory */ #undef SSLDIR -/* Define to 1 if you have the ANSI C header files. */ +/* Define to 1 if all of the C90 standard headers exist (not just the ones + required in a freestanding environment). This macro is provided for + backward compatibility; new code need not use it. */ #undef STDC_HEADERS /* Define to 1 to enable OpenSSL FIPS support */ @@ -277,11 +279,6 @@ /* Use Darwin source */ #undef _DARWIN_C_SOURCE -/* Enable large inode numbers on Mac OS X 10.5. */ -#ifndef _DARWIN_USE_64_BIT_INODE -# define _DARWIN_USE_64_BIT_INODE 1 -#endif - /* Number of bits in a file offset, on hosts where this is settable. */ #undef _FILE_OFFSET_BITS diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/src/ctx.c new/stunnel-5.67/src/ctx.c --- old/stunnel-5.66/src/ctx.c 2022-09-11 23:15:42.000000000 +0200 +++ new/stunnel-5.67/src/ctx.c 2022-10-30 15:26:14.000000000 +0100 
@@ -152,13 +152,15 @@ section->ctx=SSL_CTX_new(section->option.client ? TLS_client_method() : TLS_server_method()); #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */ - if(!SSL_CTX_set_min_proto_version(section->ctx, + if(section->min_proto_version && + !SSL_CTX_set_min_proto_version(section->ctx, section->min_proto_version)) { s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", section->min_proto_version); return 1; /* FAILED */ } - if(!SSL_CTX_set_max_proto_version(section->ctx, + if(section->max_proto_version && + !SSL_CTX_set_max_proto_version(section->ctx, section->max_proto_version)) { s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", section->max_proto_version); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/src/dhparam.c new/stunnel-5.67/src/dhparam.c --- old/stunnel-5.66/src/dhparam.c 2022-09-11 23:15:42.000000000 +0200 +++ new/stunnel-5.67/src/dhparam.c 2022-10-08 20:04:36.000000000 +0200 
@@ -4,28 +4,28 @@ #define DN_new DH_new DH *get_dh2048(void) { static unsigned char dhp_2048[] = { - 0xb3, 0x2a, 0xc3, 0xfb, 0x95, 0x8e, 0x18, 0x0b, 0x24, 0xd6, 0x08, 0xf1, - 0xb1, 0x70, 0xfd, 0xaf, 0x72, 0x3d, 0x2a, 0x7a, 0xa2, 0xb9, 0x62, 0xbe, - 0x6f, 0x58, 0xde, 0x0d, 0x7f, 0x69, 0x41, 0xf8, 0xcc, 0x51, 0x38, 0x57, - 0x87, 0xca, 0xa5, 0x74, 0x2a, 0x84, 0xf1, 0x9a, 0xfa, 0x49, 0xe5, 0x1c, - 0xd4, 0x5c, 0x9b, 0xa2, 0x23, 0xca, 0xb1, 0x36, 0x6d, 0xa6, 0x9a, 0x4c, - 0xa3, 0x03, 0x9b, 0x92, 0xea, 0x84, 0x71, 0x0a, 0xdd, 0x41, 0x6c, 0x9e, - 0x56, 0x65, 0x31, 0x5d, 0x4a, 0x71, 0x74, 0x13, 0xb3, 0x07, 0x6b, 0xc6, - 0xc5, 0x64, 0x73, 0x1d, 0x22, 0xc1, 0xc9, 0x2f, 0x5d, 0xb3, 0x61, 0xc6, - 0xb8, 0xc3, 0x29, 0x2c, 0xd9, 0x35, 0x20, 0x5e, 0xa8, 0x7c, 0x63, 0xc0, - 0x07, 0xa8, 0x8e, 0x5a, 0x96, 0x33, 0x49, 0xb3, 0xfe, 0xaa, 0x05, 0xfe, - 0xc1, 0xeb, 0x8b, 0x34, 0x8b, 0x15, 0xf5, 0xc9, 0xe9, 0xbd, 0xd5, 0xca, - 0x47, 0x12, 0xb8, 0x4f, 0xfb, 0x5c, 0x76, 0xa5, 0x72, 0x17, 0xd8, 0xa1, - 0xbe, 0xbd, 0x4e, 0xa2, 0x86, 0x0f, 0x80, 0xb7, 0x98, 0x61, 0x4f, 0x3d, - 0x5f, 0x03, 0x54, 0x7c, 0xf4, 0x3d, 0x41, 0x5e, 0xd2, 0xf1, 0xa9, 0xbb, - 0xb5, 0x1a, 0x49, 0x48, 0x6f, 0xf6, 0x9c, 0x44, 0x99, 0xff, 0x73, 0x01, - 0x29, 0x52, 0xb7, 0xc3, 0xe1, 0x43, 0x51, 0xce, 0xef, 0xd5, 0x77, 0xf5, - 0x0b, 0x50, 0x20, 0x70, 0xee, 0x11, 0xe1, 0x88, 0x83, 0x4e, 0x89, 0x69, - 0xcd, 0x13, 0x22, 0x00, 0x68, 0x93, 0x53, 0xdb, 0x97, 0xc3, 0xb2, 0x38, - 0x82, 0x41, 0x7f, 0x4a, 0x53, 0xc5, 0x11, 0xdb, 0xed, 0x4c, 0xa8, 0x04, - 0x8a, 0x5e, 0x2d, 0x9a, 0x7f, 0xb7, 0x14, 0x44, 0x91, 0x75, 0x73, 0xc6, - 0x9c, 0xd4, 0x24, 0xea, 0xd5, 0x41, 0xc7, 0x81, 0x7c, 0x41, 0x88, 0x48, - 0x1a, 0x7f, 0x80, 0xff + 0xdf, 0x60, 0xce, 0x2a, 0x84, 0xc3, 0xcd, 0xe3, 0x7c, 0x59, 0x18, 0xec, + 0x76, 0xbe, 0xde, 0x6a, 0xfc, 0x51, 0x29, 0xd2, 0xc4, 0xf2, 0x19, 0xa5, + 0x11, 0x53, 0x36, 0x3f, 0xfd, 0xfd, 0x17, 0x2a, 0xc9, 0x8b, 0xb0, 0xc0, + 0x1e, 0xbe, 0x72, 0x15, 0xa0, 0x6f, 0xac, 0x24, 0xf8, 0x2b, 0x89, 0xce, + 0x61, 0x0f, 0x56, 0xa2, 
0x1f, 0x3a, 0x89, 0x50, 0xc1, 0x8a, 0x17, 0x4d, + 0xd9, 0x21, 0xd6, 0x65, 0x09, 0xe2, 0xea, 0xa8, 0x73, 0x1e, 0x66, 0xa2, + 0xba, 0x07, 0xe6, 0x46, 0x6c, 0xe1, 0x1f, 0x16, 0xec, 0x46, 0x3a, 0x6c, + 0xa2, 0xea, 0x8b, 0x05, 0xdb, 0x67, 0x11, 0xfb, 0xea, 0x57, 0xad, 0xcb, + 0x91, 0xd4, 0xab, 0xc7, 0xd5, 0xde, 0x8b, 0xda, 0x01, 0xb4, 0x99, 0x47, + 0x30, 0x33, 0xe0, 0x80, 0xe5, 0x7d, 0x78, 0x08, 0xb4, 0xe1, 0xa5, 0x9d, + 0x22, 0xf2, 0x1e, 0x68, 0xa5, 0xdb, 0xee, 0x3a, 0x85, 0x60, 0x79, 0xcb, + 0x31, 0x3a, 0x46, 0xa4, 0xff, 0x81, 0x31, 0xee, 0xee, 0x93, 0x08, 0x39, + 0x2c, 0xd5, 0x1b, 0xa3, 0x9e, 0xc9, 0xc4, 0x65, 0x7b, 0x0d, 0xb5, 0x61, + 0x29, 0x34, 0xe7, 0xba, 0x8b, 0xd2, 0x1a, 0x6c, 0x95, 0x3f, 0x58, 0x1f, + 0x62, 0xc6, 0xf5, 0x8d, 0x20, 0x0c, 0x2e, 0x31, 0xfb, 0x8d, 0x7c, 0xd3, + 0xd7, 0x0c, 0x72, 0x7b, 0xb5, 0x6a, 0xeb, 0x55, 0x05, 0x0d, 0x6d, 0xe8, + 0x6d, 0x7b, 0x98, 0x16, 0x7d, 0x4f, 0x46, 0x1e, 0x64, 0xb6, 0x89, 0xef, + 0x9c, 0xff, 0xeb, 0x2b, 0x4c, 0x84, 0xc0, 0x97, 0x8d, 0x16, 0xb0, 0x76, + 0x4c, 0x22, 0x20, 0xb5, 0xc0, 0xc7, 0x9d, 0x47, 0xfb, 0xdf, 0xf6, 0x48, + 0xaa, 0x8f, 0x56, 0xad, 0xcc, 0x40, 0x0e, 0x25, 0x7d, 0xa9, 0xb1, 0xc2, + 0x43, 0xf0, 0x6f, 0x4a, 0xb6, 0x54, 0x9f, 0xd7, 0xfb, 0x04, 0x5c, 0x9a, + 0x63, 0x90, 0x14, 0x5b }; static unsigned char dhg_2048[] = { 0x02 @@ -47,4 +47,4 @@ return dh; } #endif /* OPENSSL_NO_DH */ -/* built for stunnel 5.66 */ +/* built for stunnel 5.67 */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/src/log.c new/stunnel-5.67/src/log.c --- old/stunnel-5.66/src/log.c 2022-07-08 18:20:51.000000000 +0200 +++ new/stunnel-5.67/src/log.c 2022-10-11 22:43:52.000000000 +0200 
@@ -139,6 +139,13 @@ void s_log(int level, const char *format, ...) { va_list ap; + + va_start(ap, format); + s_vlog(level, format, ap); + va_end(ap); +} + +void s_vlog(int level, const char *format, va_list ap) { char *text, *stamp, *id; #ifdef USE_WIN32 DWORD libc_error; @@ -152,6 +159,7 @@ struct tm timestruct; #endif TLS_DATA *tls_data; + size_t i; libc_error=get_last_error(); socket_error=get_last_socket_error(); @@ -178,9 +186,10 @@ id=str_printf("LOG%d[%s]", level, tls_data->id); /* format the text to be logged */ - va_start(ap, format); text=str_vprintf(format, ap); - va_end(ap); + i=strlen(text); + while(i>0 && text[i-1]=='\n') + text[--i]='\0'; /* strip trailing newlines */ safestring(text); /* either log or queue for logging */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/src/options.c new/stunnel-5.67/src/options.c --- old/stunnel-5.66/src/options.c 2022-07-08 18:20:51.000000000 +0200 +++ new/stunnel-5.67/src/options.c 2022-10-30 15:26:14.000000000 +0100 @@ -3231,7 +3231,7 @@ case CMD_PRINT_DEFAULTS: break; case CMD_PRINT_HELP: - s_log(LOG_NOTICE, "%-22s = master_service:host_name for an SNI virtual service", + s_log(LOG_NOTICE, "%-22s = primary_service:host_name for an SNI virtual service", "sni"); break; } @@ -3335,7 +3335,7 @@ /* sslVersionMin */ switch(cmd) { case CMD_SET_DEFAULTS: - section->min_proto_version=TLS1_VERSION; + section->min_proto_version=0; /* lowest supported */ break; case CMD_SET_COPY: section->min_proto_version=new_service_options.min_proto_version; 
@@ -3856,7 +3856,7 @@ if(!tmpsrv) return "SNI section name not found"; if(tmpsrv->option.client) - return "SNI master service is a TLS client"; + return "SNI primary service is a TLS client"; if(tmpsrv->servername_list_tail) { tmpsrv->servername_list_tail->next=str_alloc_detached(sizeof(SERVERNAME_LIST)); tmpsrv->servername_list_tail=tmpsrv->servername_list_tail->next; @@ -3867,7 +3867,7 @@ tmpsrv->ssl_options_set|= SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION; } - /* a slave section reference is needed to prevent a race condition + /* a secondary section reference is needed to prevent a race condition while switching to a section after configuration file reload */ service_up_ref(section); tmpsrv->servername_list_tail->servername=str_dup_detached(tmp_str); @@ -3904,7 +3904,7 @@ while(curr) { SERVERNAME_LIST *next=curr->next; str_free(curr->servername); - service_free(curr->opt); /* free the slave section */ + service_free(curr->opt); /* free the secondary section */ str_free(curr); curr=next; } 
@@ -4663,25 +4663,43 @@ } NOEXPORT const char *engine_open(const char *name) { + ENGINE *e; + struct { + void (*vlog)(int, const char *, va_list); + } vlog_callback; + engine_init(); /* initialize the previous engine (if any) */ if(++current_engine>=MAX_ENGINES) return "Too many open engines"; + s_log(LOG_DEBUG, "Enabling support for engine \"%s\"", name); - engines[current_engine]=ENGINE_by_id(name); - if(!engines[current_engine]) { + e=ENGINE_by_id(name); + if(!e) { sslerror("ENGINE_by_id"); return "Failed to open the engine"; } engine_initialized=0; - if(ENGINE_ctrl(engines[current_engine], ENGINE_CTRL_SET_USER_INTERFACE, - 0, ui_stunnel(), NULL)) { + + vlog_callback.vlog=&s_vlog; + if(ENGINE_ctrl_cmd(e, "VLOG_A", 0, &vlog_callback, NULL, 0)) { + s_log(LOG_NOTICE, "Logging initialized on engine #%d (%s)", + current_engine+1, ENGINE_get_id(e)); + } else { + ERR_clear_error(); + s_log(LOG_INFO, "Logging not supported by engine #%d (%s)", + current_engine+1, ENGINE_get_id(e)); + } + + if(ENGINE_ctrl(e, ENGINE_CTRL_SET_USER_INTERFACE, 0, ui_stunnel(), NULL)) { s_log(LOG_NOTICE, "UI set for engine #%d (%s)", - current_engine+1, ENGINE_get_id(engines[current_engine])); + current_engine+1, ENGINE_get_id(e)); } else { ERR_clear_error(); s_log(LOG_INFO, "UI not supported by engine #%d (%s)", - current_engine+1, ENGINE_get_id(engines[current_engine])); + current_engine+1, ENGINE_get_id(e)); } + + engines[current_engine]=e; return NULL; /* OK */ } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/src/os2.mak new/stunnel-5.67/src/os2.mak --- old/stunnel-5.66/src/os2.mak 2022-08-15 18:32:58.000000000 +0200 +++ new/stunnel-5.67/src/os2.mak 2022-09-15 22:13:24.000000000 +0200 
@@ -1,11 +1,11 @@ prefix=. DEFS = -DPACKAGE_NAME=\"stunnel\" \ -DPACKAGE_TARNAME=\"stunnel\" \ - -DPACKAGE_VERSION=\"5.66\" \ - -DPACKAGE_STRING=\"stunnel\ 5.66\" \ + -DPACKAGE_VERSION=\"5.67\" \ + -DPACKAGE_STRING=\"stunnel\ 5.67\" \ -DPACKAGE_BUGREPORT=\"\" \ -DPACKAGE=\"stunnel\" \ - -DVERSION=\"5.66\" \ + -DVERSION=\"5.67\" \ -DSTDC_HEADERS=1 \ -DHAVE_SYS_TYPES_H=1 \ -DHAVE_SYS_STAT_H=1 \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/src/prototypes.h new/stunnel-5.67/src/prototypes.h --- old/stunnel-5.66/src/prototypes.h 2022-07-08 18:20:51.000000000 +0200 +++ new/stunnel-5.67/src/prototypes.h 2022-10-30 15:26:14.000000000 +0100 @@ -530,6 +530,7 @@ #else ; #endif +void s_vlog(int, const char *, va_list); char *log_id(CLI *); void fatal_debug(const char *, const char *, int) NORETURN; #define fatal(a) fatal_debug((a), __FILE__, __LINE__) @@ -861,8 +862,9 @@ const char *id; }; -void str_init(TLS_DATA *); -void str_cleanup(TLS_DATA *); +void str_init(void); +void str_thread_init(TLS_DATA *); +void str_thread_cleanup(TLS_DATA *); char *str_dup_debug(const char *, const char *, int); #define str_dup(a) str_dup_debug((a), __FILE__, __LINE__) char *str_dup_detached_debug(const char *, const char *, int); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/src/str.c new/stunnel-5.67/src/str.c --- old/stunnel-5.66/src/str.c 2022-07-08 18:20:51.000000000 +0200 +++ new/stunnel-5.67/src/str.c 2022-10-31 13:16:42.000000000 +0100 
@@ -84,14 +84,19 @@ #define LEAK_TABLE_SIZE 997 typedef struct { + int num, max; /* current and highest number of allocations */ + int64_t total; /* approximate total number of heap operations */ const char *alloc_file; int alloc_line; - int num, max; } LEAK_ENTRY; NOEXPORT LEAK_ENTRY leak_hash_table[LEAK_TABLE_SIZE], *leak_results[LEAK_TABLE_SIZE]; NOEXPORT int leak_result_num=0; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +DEFINE_STACK_OF(LEAK_ENTRY) +#endif /* OpenSSL version >= 1.1.0 */ + #ifdef USE_WIN32 NOEXPORT LPTSTR str_vtprintf(LPCTSTR, va_list); #endif /* USE_WIN32 */ @@ -102,6 +107,7 @@ NOEXPORT void str_leak_debug(const ALLOC_LIST *, int); NOEXPORT LEAK_ENTRY *leak_search(const ALLOC_LIST *); +NOEXPORT int leak_cmp(const LEAK_ENTRY *const *, const LEAK_ENTRY *const *); NOEXPORT void leak_report(void); NOEXPORT long leak_threshold(void); @@ -157,7 +163,7 @@ #endif /* __GNUC__ */ char *str_vprintf(const char *format, va_list start_ap) { int n; - size_t size=32; + size_t size=96; char *p; va_list ap; @@ -213,12 +219,16 @@ /**************************************** memory allocation wrappers */ -void str_init(TLS_DATA *tls_data) { +void str_init(void) { + memset(leak_hash_table, 0, sizeof leak_hash_table); +} + +void str_thread_init(TLS_DATA *tls_data) { tls_data->alloc_head=NULL; tls_data->alloc_bytes=tls_data->alloc_blocks=0; } -void str_cleanup(TLS_DATA *tls_data) { +void str_thread_cleanup(TLS_DATA *tls_data) { /* free all attached allocations */ while(tls_data->alloc_head) /* str_free macro requires an lvalue */ str_free_expression(tls_data->alloc_head+1); 
@@ -498,7 +508,11 @@ CRYPTO_THREAD_unlock(stunnel_locks[LOCK_LEAK_HASH]); } - /* for performance we try to avoid calling CRYPTO_atomic_add() here */ + /* for performance reasons, we ignore the race condition, as an approximate + * number of allocations is good enough to identify the most used entries */ + entry->total++; + + /* for performance reasons, we try to avoid calling CRYPTO_atomic_add() */ #ifdef USE_OS_THREADS #ifdef _MSC_VER /* casting is safe, because sizeof(long)==sizeof(int) on Windows */ @@ -536,7 +550,7 @@ /* O(1) hash table lookup */ NOEXPORT LEAK_ENTRY *leak_search(const ALLOC_LIST *alloc_list) { /* a trivial hash based on source file name *address* and line number */ - unsigned i=((unsigned)(uintptr_t)alloc_list->alloc_file+ + unsigned i=(1777*(unsigned)(uintptr_t)alloc_list->alloc_file+ (unsigned)alloc_list->alloc_line)%LEAK_TABLE_SIZE; while(!(leak_hash_table[i].alloc_line==0 || 
@@ -548,18 +562,48 @@ void leak_table_utilization() { int i, utilization=0; + int64_t grand_total=0; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + STACK_OF(LEAK_ENTRY) *stats; +#endif /* OpenSSL version >= 1.1.0 */ + + /* leak_hash_table[] is only filled at the DEBUG logging level */ + if(service_options.log_level<LOG_DEBUG) + return; - for(i=0; i<LEAK_TABLE_SIZE; ++i) { - if(leak_hash_table[i].alloc_line) { + /* log total hash table utilization */ + for(i=0; i<LEAK_TABLE_SIZE; ++i) + if(leak_hash_table[i].total) { ++utilization; -#if 0 - s_log(LOG_DEBUG, "Leak hash entry %d: %s:%d", i, - leak_hash_table[i].alloc_file, leak_hash_table[i].alloc_line); -#endif + grand_total+=leak_hash_table[i].total; } - } - s_log(LOG_DEBUG, "Leak detection table utilization: %d/%d, %02.2f%%", + s_log(LOG_DEBUG, "Leak detection table utilization: %d/%d (%05.2f%%)", utilization, LEAK_TABLE_SIZE, 100.0*utilization/LEAK_TABLE_SIZE); + +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + /* log up to 5 most frequently used heap allocations */ + stats=sk_LEAK_ENTRY_new_reserve(leak_cmp, utilization); + for(i=0; i<LEAK_TABLE_SIZE; ++i) + if(leak_hash_table[i].total) + sk_LEAK_ENTRY_push(stats, leak_hash_table + i); + sk_LEAK_ENTRY_sort(stats); + for(i=0; i<5 && sk_LEAK_ENTRY_num(stats); ++i) { + LEAK_ENTRY *entry=sk_LEAK_ENTRY_pop(stats); + s_log(LOG_DEBUG, "#%d: %05.2f%% of heap operations: %s:%d", + i+1, 100.0*(double)entry->total/(double)grand_total, + entry->alloc_file, entry->alloc_line); + } + sk_LEAK_ENTRY_free(stats); +#endif /* OpenSSL version >= 1.1.0 */ +} + +NOEXPORT int leak_cmp(const LEAK_ENTRY *const *a, const LEAK_ENTRY *const *b) { + int64_t d = (*a)->total - (*b)->total; + if(d>0) + return 1; + if(d<0) + return -1; + return 0; } /* report identified leaks */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude 
config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/src/stunnel.c new/stunnel-5.67/src/stunnel.c --- old/stunnel-5.66/src/stunnel.c 2022-07-08 18:20:51.000000000 +0200 +++ new/stunnel-5.67/src/stunnel.c 2022-09-15 22:13:24.000000000 +0200 @@ -588,7 +588,7 @@ s_log(LOG_DEBUG, "Skipped exec+connect service [%s]", opt->servname); #ifndef OPENSSL_NO_TLSEXT } else if(!opt->option.client && opt->sni) { - s_log(LOG_DEBUG, "Skipped SNI slave service [%s]", opt->servname); + s_log(LOG_DEBUG, "Skipped SNI secondary service [%s]", opt->servname); #endif } else { /* each service must define two endpoints */ s_log(LOG_ERR, "Invalid service [%s]", opt->servname); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/src/tls.c new/stunnel-5.67/src/tls.c --- old/stunnel-5.66/src/tls.c 2022-07-08 18:20:51.000000000 +0200 +++ new/stunnel-5.67/src/tls.c 2022-10-30 15:26:14.000000000 +0100 @@ -58,6 +58,7 @@ CRYPTO_set_mem_ex_functions(str_alloc_detached_debug, str_realloc_detached_debug, free_function); #endif + str_init(); } /* this has to be the first function called by a new thread */ @@ -73,7 +74,7 @@ fatal("Out of memory"); if(c) c->tls=tls_data; - str_init(tls_data); + str_thread_init(tls_data); tls_data->c=c; tls_data->opt=c?c->opt:&service_options; } 
@@ -99,7 +100,7 @@ tls_data=tls_get(); if(!tls_data) return; - str_cleanup(tls_data); + str_thread_cleanup(tls_data); str_free_const(tls_data->id); /* detached allocation */ tls_set(NULL); free(tls_data); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/src/version.h new/stunnel-5.67/src/version.h --- old/stunnel-5.66/src/version.h 2022-08-15 18:32:58.000000000 +0200 +++ new/stunnel-5.67/src/version.h 2022-09-15 22:13:24.000000000 +0200 @@ -65,7 +65,7 @@ /* START CUSTOMIZE */ #define VERSION_MAJOR 5 -#define VERSION_MINOR 66 +#define VERSION_MINOR 67 /* END CUSTOMIZE */ /* all the following macros are ABSOLUTELY NECESSARY to have proper string diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/tests/plugins/p12_sni.py new/stunnel-5.67/tests/plugins/p12_sni.py --- old/stunnel-5.66/tests/plugins/p12_sni.py 2021-12-21 12:44:01.000000000 +0100 +++ new/stunnel-5.67/tests/plugins/p12_sni.py 2022-09-15 22:13:24.000000000 +0200 
@@ -19,9 +19,9 @@ class SNITest(StunnelTest): - """Use the service as a slave service (a name-based virtual server) + """Use the service as a secondary service (a name-based virtual server) for Server Name Indication TLS extension. - SERVICE_NAME (server_virtual) specifies the master service that + SERVICE_NAME (server_virtual) specifies the primary service that accepts client connections with the accept option. SERVER_NAME_PATTERN (*.mydomain.com) specifies the host name to be redirected. The success is expected because the client presents the sni pattern (sni.mydomain.com) @@ -98,9 +98,9 @@ class FailureSNITest(StunnelTest): - """Use the service as a slave service (a name-based virtual server) + """Use the service as a secondary service (a name-based virtual server) for Server Name Indication TLS extension. - SERVICE_NAME (server_virtual) specifies the master service that + SERVICE_NAME (server_virtual) specifies the primary service that accepts client connections with the accept option. SERVER_NAME_PATTERN sni.mydomain.com) specifies the host name to be redirected. The success is expected because the client doesn't present any sni pattern. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/tools/Makefile.am new/stunnel-5.67/tools/Makefile.am --- old/stunnel-5.66/tools/Makefile.am 2022-01-17 20:53:27.000000000 +0100 +++ new/stunnel-5.67/tools/Makefile.am 2022-10-29 20:24:53.000000000 +0200 
@@ -2,7 +2,7 @@ # by Michal Trojnara 1998-2022 EXTRA_DIST = ca.html ca.pl importCA.html importCA.sh script.sh makecert.sh -EXTRA_DIST += openssl.cnf stunnel.nsi stunnel.license stunnel.conf +EXTRA_DIST += openssl.cnf stunnel.nsi ReplaceInFile3.nsh stunnel.license stunnel.conf EXTRA_DIST += stunnel.conf-sample.in stunnel.init.in stunnel.service.in EXTRA_DIST += stunnel.logrotate stunnel.rh.init stunnel.spec EXTRA_DIST += ca-certs.pem diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/tools/ReplaceInFile3.nsh new/stunnel-5.67/tools/ReplaceInFile3.nsh --- old/stunnel-5.66/tools/ReplaceInFile3.nsh 1970-01-01 01:00:00.000000000 +0100 +++ new/stunnel-5.67/tools/ReplaceInFile3.nsh 2022-10-29 20:24:53.000000000 +0200 
@@ -0,0 +1,154 @@ +/* +First occurrence to be replaced: FST_OCC. + FST_OCC = all, renders the same as FST_OCC = 1. + if FST_OCC greater than the number of occurences in the file: no alteration of the file, + FST_OCC negative or 0 will leave the file content unchanged no matter the NR_OCC value. +Nr max of occurrences replaced onwards: NR_OCC, + if NR_OCC = all --> replacement as long as a string to be replaced is found, + if NR_OCC = stritly positive integer, replaces up to NR_OCC occurrences provided they exist, + NR_OCC negative or 0 yields the same as all. + +Order to run down and search the file: from left to right and top down. +REPLACEMENT_STR, OLD_STR, read line should be less than 1024 characters long. +For NSIS Unicode, FILE_TO_MODIFIED must be utf-8 encoded. +*/ + +Var /Global OLD_STR +Var /Global FST_OCC +Var /Global NR_OCC +Var /Global REPLACEMENT_STR +Var /Global FILE_TO_MODIFIED + +!macro ReplaceInFile OLD_STR FST_OCC NR_OCC REPLACEMENT_STR FILE_TO_MODIFIED + + Push "${OLD_STR}" ;text to be replaced + Push "${REPLACEMENT_STR}" ;replace with + Push "${FST_OCC}" ; starts replacing onwards FST_OCC occurrences + Push "${NR_OCC}" ; replaces NR_OCC occurrences in all + Push "${FILE_TO_MODIFIED}" ; file to replace in + Call AdvReplaceInFile + +!macroend + + +Function AdvReplaceInFile +Exch $0 ;FILE_TO_MODIFIED file to replace in +Exch +Exch $1 ;the NR_OCC of OLD_STR occurrences to be replaced. 
+Exch +Exch 2 +Exch $2 ;FST_OCC: the first occurrence to be replaced and onwards +Exch 2 +Exch 3 +Exch $3 ;REPLACEMENT_STR string to replace with +Exch 3 +Exch 4 +Exch $4 ;OLD_STR to be replaced +Exch 4 +Push $5 ;incrementing counter +Push $6 ;a chunk of read line +Push $7 ;the read line altered or not +Push $8 ;left string +Push $9 ;right string or forster read line +Push $R0 ;temp file handle +Push $R1 ;FILE_TO_MODIFIED file handle +Push $R2 ;a line read +Push $R3 ;the length of OLD_STR +Push $R4 ;counts reaching of FST_OCC +Push $R5 ;counts reaching of NR_OCC +Push $R6 ;temp file name + + + GetTempFileName $R6 + + FileOpen $R1 $0 r ;FILE_TO_MODIFIED file to search in + FileOpen $R0 $R6 w ;temp file + StrLen $R3 $4 ;the length of OLD_STR + StrCpy $R4 0 ;counter initialization + StrCpy $R5 -1 ;counter initialization + +loop_read: + ClearErrors + FileRead $R1 $R2 ;reading line + IfErrors exit ;when end of file has been reached + + StrCpy $5 -1 ;cursor, start of read line chunk + StrLen $7 $R2 ;read line length + IntOp $5 $5 - $7 ;cursor initialization + StrCpy $7 $R2 ;$7 contains read line + +loop_filter: + IntOp $5 $5 + 1 ;cursor shifting + StrCmp $5 0 file_write ;end of line has been reached + StrCpy $6 $7 $R3 $5 ;a chunk of read line of length OLD_STR + StrCmp $6 $4 0 loop_filter ;continues to search OLD_STR if no match + +StrCpy $8 $7 $5 ;left part +IntOp $6 $5 + $R3 +IntCmp $6 0 yes no ;left part + OLD_STR == full line read ? 
+yes: +StrCpy $9 "" +Goto done +no: +StrCpy $9 $7 "" $6 ;right part +done: +StrCpy $9 $8$3$9 ;replacing OLD_STR by REPLACEMENT_STR in forster read line + +IntOp $R4 $R4 + 1 ;counter incrementation +;MessageBox MB_OK|MB_ICONINFORMATION \ +;"count R4 = $R4, fst_occ = $2" +StrCmp $2 all follow_up ;exchange ok, then goes to search the next OLD_STR +IntCmp $R4 $2 follow_up ;no exchange until FST_OCC has been reached, +Goto loop_filter ;and then searching for the next OLD_STR + +follow_up: +IntOp $R4 $R4 - 1 ;now counter is to be stuck to FST_OCC + +IntOp $R5 $R5 + 1 ;counter incrementation +;MessageBox MB_OK|MB_ICONINFORMATION \ +;"count R5 = $R5, nbr_occ = $1" +StrCmp $1 all exchange_ok ;goes to exchange OLD_STR with REPLACEMENT_STR +IntCmp $R5 $1 finalize ;proceeding exchange until NR_OCC has been reached + +exchange_ok: +IntOp $5 $5 + $R3 ;updating cursor +StrCpy $7 $9 ;updating read line with forster read line +Goto loop_filter ;goes searching the same read line + +finalize: +IntOp $R5 $R5 - 1 ;now counter is to be stuck to NR_OCC + +file_write: + FileWrite $R0 $7 ;writes altered or unaltered line +Goto loop_read ;reads the next line + +exit: + FileClose $R0 + FileClose $R1 + + ;SetDetailsPrint none + Delete $0 + Rename $R6 $0 ;superseding FILE_TO_MODIFIED file with + ;temp file built with REPLACEMENT_STR + ;Delete $R6 + ;SetDetailsPrint lastused + +Pop $R6 +Pop $R5 +Pop $R4 +Pop $R3 +Pop $R2 +Pop $R1 +Pop $R0 +Pop $9 +Pop $8 +Pop $7 +Pop $6 +Pop $5 +;These values are stored in the stack in the reverse order they were pushed +Pop $0 +Pop $1 +Pop $2 +Pop $3 +Pop $4 +FunctionEnd diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/tools/openssl.cnf new/stunnel-5.67/tools/openssl.cnf --- 
old/stunnel-5.66/tools/openssl.cnf 2022-07-07 15:58:33.000000000 +0200 +++ new/stunnel-5.67/tools/openssl.cnf 2022-10-29 20:24:53.000000000 +0200 @@ -11,7 +11,7 @@ #.include "../config/fipsmodule.cnf" [openssl_init] -providers = provider_sect +#providers = provider_sect alg_section = evp_properties # List of providers to load diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/tools/stunnel.nsi new/stunnel-5.67/tools/stunnel.nsi --- old/stunnel-5.66/tools/stunnel.nsi 2022-09-11 23:15:42.000000000 +0200 +++ new/stunnel-5.67/tools/stunnel.nsi 2022-10-30 15:26:03.000000000 +0100 @@ -30,6 +30,9 @@ !define MUI_FINISHPAGE_RUN "$INSTDIR\bin\stunnel.exe" !define MUI_FINISHPAGE_RUN_TEXT "Start stunnel after installation" !define MUI_FINISHPAGE_RUN_NOTCHECKED +!define MUI_FINISHPAGE_NOAUTOCLOSE +!define MUI_UNFINISHPAGE_NOAUTOCLOSE + !include "MUI2.nsh" # define SF_SELECTED !include "Sections.nsh" @@ -54,11 +57,12 @@ !define /ifndef ZLIB_DIR ${BIN_DIR}\zlib !define /ifndef REDIST_DIR ${BIN_DIR}\redist +!if ${SUFFIX} == "3" +!include "${STUNNEL_TOOLS_DIR}/ReplaceInFile3.nsh" +!endif + # additional plugins !addplugindir "${STUNNEL_TOOLS_DIR}/plugins/" -!if ${ENABLE_FIPS} -!include "${STUNNEL_TOOLS_DIR}/plugins/TextReplace.nsh" -!endif !define MUI_ICON ${STUNNEL_SRC_DIR}\stunnel.ico 
@@ -453,8 +457,17 @@ Section "openssl.exe" sectionOPENSSL SetOutPath "$INSTDIR\bin" File "${OPENSSL_BIN_DIR}\openssl.exe" + SetOutPath "$INSTDIR\config" File "${STUNNEL_TOOLS_DIR}\openssl.cnf" +!if ${SUFFIX} == "3" + Push "#providers = provider_sect" # text to be replaced + Push "providers = provider_sect" # replace with + Push 1 # start replacing at the 1st occurrence + Push 1 # replace 1 occurrences onwards, in all + Push "$INSTDIR\config\openssl.cnf" # file to replace in + Call AdvReplaceInFile +!endif !if ${ENABLE_FIPS} # create fipsmodule.cnf 
@@ -462,12 +475,26 @@ -out "$INSTDIR\config\fipsmodule.cnf" -provider_name fips' # modify fipsmodule.cnf and openssl.cnf to enable FIPS mode - ${textreplace::ReplaceInFile} "$INSTDIR\config\fipsmodule.cnf" "$INSTDIR\config\fipsmodule.cnf" \ - "activate = 1" "#activate = 1" "/S=1 /C=0 /AO=1" $0 - ${textreplace::ReplaceInFile} "$INSTDIR\config\openssl.cnf" "$INSTDIR\config\openssl.cnf" \ - "#.include" ".include" "/S=1 /C=0 /AO=1" $0 - ${textreplace::ReplaceInFile} "$INSTDIR\config\openssl.cnf" "$INSTDIR\config\openssl.cnf" \ - "#fips = fips_sect" "fips = fips_sect" "/S=1 /C=0 /AO=1" $0 + Push "activate = 1" # text to be replaced + Push "#activate = 1" # replace with + Push 1 # start replacing at the 1st occurrence + Push 1 # replace 1 occurrences onwards, in all + Push "$INSTDIR\config\fipsmodule.cnf" # file to replace in + Call AdvReplaceInFile + + Push "#.include" # text to be replaced + Push ".include" # replace with + Push 1 # start replacing at the 1st occurrence + Push 1 # replace 1 occurrences onwards, in all + Push "$INSTDIR\config\openssl.cnf" # file to replace in + Call AdvReplaceInFile + + Push "#fips = fips_sect" # text to be replaced + Push "fips = fips_sect" # replace with + Push 1 # start replacing at the 1st occurrence + Push 1 # replace 1 occurrences onwards, in all + Push "$INSTDIR\config\openssl.cnf" # file to replace in + Call AdvReplaceInFile !endif # create stunnel.pem diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.66/tools/stunnel.spec new/stunnel-5.67/tools/stunnel.spec --- old/stunnel-5.66/tools/stunnel.spec 2022-08-15 18:32:58.000000000 +0200 +++ new/stunnel-5.67/tools/stunnel.spec 2022-09-15 22:13:24.000000000 +0200 
@@ -1,5 +1,5 @@ Name: stunnel -Version: 5.66 +Version: 5.67 Release: 1%{?dist} Summary: An TLS-encrypting socket wrapper Group: Applications/Internet
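Review bot: the file swap at the end of AdvReplaceInFile in ReplaceInFile3.nsh (`Delete $0` followed by `Rename $R6 $0`) has no failure check, so if the rename fails the original file has already been deleted and the installer carries on with no configuration file at all; NSIS sets the error flag when Rename fails, so a `ClearErrors` before the pair and an `IfErrors` branch that aborts afterwards (or `Rename /REBOOTOK`) would let the installer stop instead of continuing. The function also gives its caller no indication of whether OLD_STR was ever found: a line that does not match is written back unchanged at `file_write` and control returns as if the edit had succeeded. Since this helper is now what enables the provider list and the FIPS sections, returning the number of replacements made (or setting the error flag when it is zero) would let those callers fail closed.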
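Review bot: commenting out `providers = provider_sect` in tools/openssl.cnf changes what the shipped file does for anyone who uses it directly with OpenSSL 3 rather than through the Windows installer: with no providers listed under `[openssl_init]`, OpenSSL 3 loads only the default provider, so the provider list below and the `#.include "../config/fipsmodule.cnf"` line are inert until something re-enables the directive. The NEWS entry about "make cert" with OpenSSL older than 3.0 is presumably the motivation, but the file does not say so; a one-line comment above the disabled directive stating that the installer switches it on for OpenSSL 3 builds, and that it must be enabled by hand otherwise, would stop the next reader from treating it as dead configuration.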
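Review bot: the include of ReplaceInFile3.nsh in stunnel.nsi is guarded by `!if ${SUFFIX} == "3"`, but the FIPS section later in the script calls `AdvReplaceInFile` under `!if ${ENABLE_FIPS}` with no SUFFIX condition, so a build with ENABLE_FIPS set and any SUFFIX other than "3" references an undefined function and fails at makensis time (the removed TextReplace include was guarded by ENABLE_FIPS, so this coupling is new). Either include the helper when either macro is set, or add an `!error` when ENABLE_FIPS is defined without SUFFIX "3" so the constraint is stated rather than implied. The `MUI_FINISHPAGE_NOAUTOCLOSE` and `MUI_UNFINISHPAGE_NOAUTOCLOSE` additions in the same region are an unrelated installer UI change and are not mentioned in the NEWS entry for this release.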
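Review bot: the `Call AdvReplaceInFile` that turns `#providers = provider_sect` back into `providers = provider_sect` in the openssl.exe section is not verified, and the helper does not report whether the search text was found, so any drift between the literal here and the installed openssl.cnf (a whitespace change in tools/openssl.cnf is enough) leaves the provider list disabled with no error. For the FIPS build that is a fail-open: the installer completes and `fips = fips_sect` is enabled in the following hunk, but the `providers` directive that would make OpenSSL read that section is still commented out. Reading the line back with FileRead and calling `Abort` if it still begins with `#`, or a status value from the helper, would turn this into an install failure rather than a silent downgrade. Separately, the added `SetOutPath "$INSTDIR\config"` before `File "${STUNNEL_TOOLS_DIR}\openssl.cnf"` fixes a path mismatch visible in this hunk (openssl.cnf was previously extracted into `$INSTDIR\bin` while the edits below target `$INSTDIR\config\openssl.cnf`); that is a user-visible fix and deserves a NEWS line.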
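Review bot: the three FIPS edits are the same six-line Push/Call sequence repeated with different literals; a small `!macro` taking the search text, replacement and file would remove the duplication and give one place to add a result check later. On that point, the old `${textreplace::ReplaceInFile}` calls at least wrote a status into `$0` (which was never examined); the new calls have nothing to examine, so a missing fipsmodule.cnf or an unmatched `activate = 1` line passes silently and the installer reports success for a FIPS configuration it did not actually produce. Note also that the `activate = 1` edit is not idempotent: running it against a fipsmodule.cnf that was already edited yields `##activate = 1`, which is harmless only because the file is regenerated by the `-out "$INSTDIR\config\fipsmodule.cnf"` command above it; a comment stating that dependency would help.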
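Review bot: version bump only in tools/stunnel.spec; the unchanged context line `Summary: An TLS-encrypting socket wrapper` carries a pre-existing article error ("A TLS-encrypting") that could be corrected while this file is being touched.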