Hello community,

here is the log from the commit of package stunnel for openSUSE:Factory checked 
in at 2017-04-06 11:02:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/stunnel (Old)
 and      /work/SRC/openSUSE:Factory/.stunnel.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "stunnel"

Thu Apr  6 11:02:30 2017 rev:6 rq:484794 version:5.41

Changes:
--------
--- /work/SRC/openSUSE:Factory/stunnel/stunnel.changes  2017-02-13 
07:51:19.095408021 +0100
+++ /work/SRC/openSUSE:Factory/.stunnel.new/stunnel.changes     2017-04-06 
11:02:31.480408094 +0200
@@ -1,0 +2,5 @@
+Sat Apr  1 19:07:51 UTC 2017 - mich...@stroeder.com
+
+- update to version 5.41
+
+-------------------------------------------------------------------

Old:
----
  stunnel-5.40.tar.gz

New:
----
  stunnel-5.41.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ stunnel.spec ++++++
--- /var/tmp/diff_new_pack.PE9ETQ/_old  2017-04-06 11:02:32.312290519 +0200
+++ /var/tmp/diff_new_pack.PE9ETQ/_new  2017-04-06 11:02:32.312290519 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           stunnel
-Version:        5.40
+Version:        5.41
 Release:        0
 Summary:        Universal SSL Tunnel
 License:        GPL-2.0+

++++++ stunnel-5.40.tar.gz -> stunnel-5.41.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/ChangeLog new/stunnel-5.41/ChangeLog
--- old/stunnel-5.40/ChangeLog  2017-01-28 10:48:18.000000000 +0100
+++ new/stunnel-5.41/ChangeLog  2017-04-01 11:30:08.000000000 +0200
@@ -1,5 +1,17 @@
 stunnel change log
 
+Version 5.41, 2017.04.01, urgency: MEDIUM
+* New features
+  - PKCS#11 engine DLL updated to version 0.4.5.
+  - Default engine UI set with ENGINE_CTRL_SET_USER_INTERFACE.
+  - Key file name added into the passphrase console prompt.
+  - Performance optimization in memory leak detection.
+* Bugfixes
+  - Fixed crashes with the OpenSSL 1.1.0 branch.
+  - Fixed certificate verification with "verifyPeer = yes"
+    and "verifyChain = no" (the default), while the peer
+    only returns a single certificate.
+
 Version 5.40, 2017.01.28, urgency: HIGH
 * Security bugfixes
   - OpenSSL DLLs updated to version 1.0.2k.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/build-android.sh 
new/stunnel-5.41/build-android.sh
--- old/stunnel-5.40/build-android.sh   2017-01-02 15:27:26.000000000 +0100
+++ new/stunnel-5.41/build-android.sh   2017-02-02 15:22:22.000000000 +0100
@@ -1,6 +1,6 @@
 #!/bin/sh
 set -ev
-VERSION=5.40
+VERSION=5.41
 DST=stunnel-$VERSION-android
 
 # to build OpenSSL:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/configure new/stunnel-5.41/configure
--- old/stunnel-5.40/configure  2017-01-16 21:10:40.000000000 +0100
+++ new/stunnel-5.41/configure  2017-02-02 15:04:32.000000000 +0100
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for stunnel 5.40.
+# Generated by GNU Autoconf 2.69 for stunnel 5.41.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@
 # Identity of this package.
 PACKAGE_NAME='stunnel'
 PACKAGE_TARNAME='stunnel'
-PACKAGE_VERSION='5.40'
-PACKAGE_STRING='stunnel 5.40'
+PACKAGE_VERSION='5.41'
+PACKAGE_STRING='stunnel 5.41'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -1326,7 +1326,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures stunnel 5.40 to adapt to many kinds of systems.
+\`configure' configures stunnel 5.41 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1396,7 +1396,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of stunnel 5.40:";;
+     short | recursive ) echo "Configuration of stunnel 5.41:";;
    esac
   cat <<\_ACEOF
 
@@ -1510,7 +1510,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-stunnel configure 5.40
+stunnel configure 5.41
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2116,7 +2116,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by stunnel $as_me 5.40, which was
+It was created by stunnel $as_me 5.41, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2985,7 +2985,7 @@
 
 # Define the identity of the package.
  PACKAGE='stunnel'
- VERSION='5.40'
+ VERSION='5.41'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -15772,7 +15772,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by stunnel $as_me 5.40, which was
+This file was extended by stunnel $as_me 5.41, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -15838,7 +15838,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-stunnel config.status 5.40
+stunnel config.status 5.41
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/configure.ac 
new/stunnel-5.41/configure.ac
--- old/stunnel-5.40/configure.ac       2017-01-02 15:27:26.000000000 +0100
+++ new/stunnel-5.41/configure.ac       2017-02-02 15:04:22.000000000 +0100
@@ -1,6 +1,6 @@
 # Process this file with autoconf to produce a configure script.
 
-AC_INIT([stunnel],[5.40])
+AC_INIT([stunnel],[5.41])
 AC_MSG_NOTICE([**************************************** initialization])
 AC_CONFIG_AUX_DIR(auto)
 AC_CONFIG_MACRO_DIR([m4])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/doc/stunnel.8.in 
new/stunnel-5.41/doc/stunnel.8.in
--- old/stunnel-5.40/doc/stunnel.8.in   2017-01-19 09:57:12.000000000 +0100
+++ new/stunnel-5.41/doc/stunnel.8.in   2017-04-01 13:39:19.000000000 +0200
@@ -71,7 +71,7 @@
 .\" ========================================================================
 .\"
 .IX Title "stunnel 8"
-.TH stunnel 8 "2017.01.19" "5.40" "stunnel TLS Proxy"
+.TH stunnel 8 "2017.04.01" "5.41" "stunnel TLS Proxy"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -377,20 +377,23 @@
 c_rehash the directory on upgrade from \fBOpenSSL 0.x.x\fR to \fBOpenSSL 
1.x.x\fR.
 .Sp
 \&\fICApath\fR path is relative to the \fIchroot\fR directory if specified.
-.IP "\fBCAfile\fR = \s-1CERT_FILE\s0" 4
-.IX Item "CAfile = CERT_FILE"
+.IP "\fBCAfile\fR = \s-1CA_FILE\s0" 4
+.IX Item "CAfile = CA_FILE"
 Certificate Authority file
 .Sp
 This file contains multiple \s-1CA\s0 certificates, to be used with the 
\fIverifyChain\fR
 and \fIverifyPeer\fR options.
-.IP "\fBcert\fR = \s-1PEM_FILE\s0" 4
-.IX Item "cert = PEM_FILE"
-certificate chain \s-1PEM\s0 file name
+.IP "\fBcert\fR = \s-1CERT_FILE\s0" 4
+.IX Item "cert = CERT_FILE"
+certificate chain file name
+.Sp
+The parameter specifies the file containing certificates used by \fBstunnel\fR
+to authenticate itself against the remote client or server.
+The file should contain the whole certificate chain starting from the actual
+server/client certificate, and ending with the self-signed root \s-1CA\s0 
certificate.
+The file must be either in \s-1PEM\s0 or P12 format.
 .Sp
-The certificates must be in \s-1PEM\s0 format, and must be from the
-actual server/client certificate to the self-signed root \s-1CA\s0 certificate.
-.Sp
-A certificate is required in server mode, and optional in client mode.
+A certificate chain is required in server mode, and optional in client mode.
 .Sp
 This parameter is also used as the certificate identifier when a hardware
 engine is enabled.
@@ -470,8 +473,8 @@
 c_rehash the directory on upgrade from \fBOpenSSL 0.x.x\fR to \fBOpenSSL 
1.x.x\fR.
 .Sp
 \&\fICRLpath\fR path is relative to the \fIchroot\fR directory if specified.
-.IP "\fBCRLfile\fR = \s-1CERT_FILE\s0" 4
-.IX Item "CRLfile = CERT_FILE"
+.IP "\fBCRLfile\fR = \s-1CRL_FILE\s0" 4
+.IX Item "CRLfile = CRL_FILE"
 Certificate Revocation Lists file
 .Sp
 This file contains multiple CRLs, used with the \fIverifyChain\fR and
@@ -626,7 +629,7 @@
 .Sp
 Several \fIOCSPflag\fR can be used to specify multiple flags.
 .Sp
-currently supported flags: \s-1NOCERTS, NOINTERN NOSIGS, NOCHAIN, NOVERIFY,
+currently supported flags: \s-1NOCERTS, NOINTERN, NOSIGS, NOCHAIN, NOVERIFY,
 NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME\s0
 .IP "\fBOCSPnonce\fR = yes | no" 4
 .IX Item "OCSPnonce = yes | no"
@@ -1055,7 +1058,7 @@
 verify the peer certificate chain starting from the root \s-1CA\s0
 .Sp
 For server certificate verification it is essential to also require a specific
-certificate with \fIcheckHost\fR or \fIverifyPeer\fR.
+certificate with \fIcheckHost\fR or \fIcheckIP\fR.
 .Sp
 The self-signed root \s-1CA\s0 certificate needs to be stored either in the 
file
 specified with \fICAfile\fR, or in the directory specified with \fICApath\fR.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/doc/stunnel.html.in 
new/stunnel-5.41/doc/stunnel.html.in
--- old/stunnel-5.40/doc/stunnel.html.in        2017-01-19 09:57:12.000000000 
+0100
+++ new/stunnel-5.41/doc/stunnel.html.in        2017-04-01 13:39:19.000000000 
+0200
@@ -459,7 +459,7 @@
 <p><i>CApath</i> path is relative to the <i>chroot</i> directory if 
specified.</p>
 
 </dd>
-<dt id="CAfile-CERT_FILE"><b>CAfile</b> = CERT_FILE</dt>
+<dt id="CAfile-CA_FILE"><b>CAfile</b> = CA_FILE</dt>
 <dd>
 
 <p>Certificate Authority file</p>
@@ -467,14 +467,14 @@
 <p>This file contains multiple CA certificates, to be used with the 
<i>verifyChain</i> and <i>verifyPeer</i> options.</p>
 
 </dd>
-<dt id="cert-PEM_FILE"><b>cert</b> = PEM_FILE</dt>
+<dt id="cert-CERT_FILE"><b>cert</b> = CERT_FILE</dt>
 <dd>
 
-<p>certificate chain PEM file name</p>
+<p>certificate chain file name</p>
 
-<p>The certificates must be in PEM format, and must be from the actual 
server/client certificate to the self-signed root CA certificate.</p>
+<p>The parameter specifies the file containing certificates used by 
<b>stunnel</b> to authenticate itself against the remote client or server. The 
file should contain the whole certificate chain starting from the actual 
server/client certificate, and ending with the self-signed root CA certificate. 
The file must be either in PEM or P12 format.</p>
 
-<p>A certificate is required in server mode, and optional in client mode.</p>
+<p>A certificate chain is required in server mode, and optional in client 
mode.</p>
 
 <p>This parameter is also used as the certificate identifier when a hardware 
engine is enabled.</p>
 
@@ -561,7 +561,7 @@
 <p><i>CRLpath</i> path is relative to the <i>chroot</i> directory if 
specified.</p>
 
 </dd>
-<dt id="CRLfile-CERT_FILE"><b>CRLfile</b> = CERT_FILE</dt>
+<dt id="CRLfile-CRL_FILE"><b>CRLfile</b> = CRL_FILE</dt>
 <dd>
 
 <p>Certificate Revocation Lists file</p>
@@ -762,7 +762,7 @@
 
 <p>Several <i>OCSPflag</i> can be used to specify multiple flags.</p>
 
-<p>currently supported flags: NOCERTS, NOINTERN NOSIGS, NOCHAIN, NOVERIFY, 
NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME</p>
+<p>currently supported flags: NOCERTS, NOINTERN, NOSIGS, NOCHAIN, NOVERIFY, 
NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME</p>
 
 </dd>
 <dt id="OCSPnonce-yes-no"><b>OCSPnonce</b> = yes | no</dt>
@@ -1286,7 +1286,7 @@
 
 <p>verify the peer certificate chain starting from the root CA</p>
 
-<p>For server certificate verification it is essential to also require a 
specific certificate with <i>checkHost</i> or <i>verifyPeer</i>.</p>
+<p>For server certificate verification it is essential to also require a 
specific certificate with <i>checkHost</i> or <i>checkIP</i>.</p>
 
 <p>The self-signed root CA certificate needs to be stored either in the file 
specified with <i>CAfile</i>, or in the directory specified with 
<i>CApath</i>.</p>
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/doc/stunnel.pl.8.in 
new/stunnel-5.41/doc/stunnel.pl.8.in
--- old/stunnel-5.40/doc/stunnel.pl.8.in        2017-01-19 09:51:46.000000000 
+0100
+++ new/stunnel-5.41/doc/stunnel.pl.8.in        2017-04-01 13:39:19.000000000 
+0200
@@ -71,7 +71,7 @@
 .\" ========================================================================
 .\"
 .IX Title "stunnel 8"
-.TH stunnel 8 "2017.01.19" "5.40" "stunnel TLS Proxy"
+.TH stunnel 8 "2017.04.01" "5.41" "stunnel TLS Proxy"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -394,12 +394,16 @@
 .Sp
 Opcja pozwala określić położenie pliku zawierającego certyfikaty używane
 przez opcję \fIverifyChain\fR lub \fIverifyPeer\fR.
-.IP "\fBcert\fR = \s-1PLIK_PEM\s0" 4
-.IX Item "cert = PLIK_PEM"
+.IP "\fBcert\fR = \s-1PLIK_CERT\s0" 4
+.IX Item "cert = PLIK_CERT"
 plik z łańcuchem certyfikatów
 .Sp
 Opcja określa położenie pliku zawierającego certyfikaty używane przez
 program \fBstunnel\fR do uwierzytelnienia się przed drugą stroną połączenia.
+Plik powinien zawierać kompletny łańcuch certyfikatów począwszy od certyfikatu
+klienta/serwera, a skończywszy na samopodpisanym certyfikacie głównego 
\s-1CA.\s0
+Obsługiwane są pliki w formacie \s-1PEM\s0 lub P12.
+.Sp
 Certyfikat jest konieczny, aby używać programu w trybie serwera.
 W trybie klienta certyfikat jest opcjonalny.
 .Sp
@@ -643,7 +647,7 @@
 .IX Item "OCSPflag = FLAGA_OCSP"
 flaga respondera \s-1OCSP\s0
 .Sp
-Aktualnie wspierane flagi: \s-1NOCERTS, NOINTERN NOSIGS, NOCHAIN, NOVERIFY,
+Aktualnie wspierane flagi: \s-1NOCERTS, NOINTERN, NOSIGS, NOCHAIN, NOVERIFY,
 NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME\s0
 .Sp
 Aby wyspecyfikować kilka flag należy użyć \fIOCSPflag\fR wielokrotnie.
@@ -1067,7 +1071,7 @@
 weryfikuj łańcuch certyfikatów drugiej strony
 .Sp
 Do weryfikacji certyfikatu serwera kluczowe jest, aby wymagać również
-konkretnego certyfikatu przy pomocy \fIcheckHost\fR lub \fIverifyPeer\fR.
+konkretnego certyfikatu przy pomocy \fIcheckHost\fR lub \fIcheckIP\fR.
 .Sp
 Samopodpisany certyfikat głównego \s-1CA\s0 należy umieścić  albo w pliku
 podanym w opcji \fICAfile\fR, albo w katalogu podanym w opcji \fICApath\fR.
@@ -1181,7 +1185,7 @@
 \&    client = yes
 \&    accept = 127.0.0.1:1080
 \&    connect = vpn_server:9080
-\&    verify = 4
+\&    verifyPeer = yes
 \&    CAfile = stunnel.pem
 .Ve
 .PP
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/doc/stunnel.pl.html.in 
new/stunnel-5.41/doc/stunnel.pl.html.in
--- old/stunnel-5.40/doc/stunnel.pl.html.in     2017-01-19 09:51:46.000000000 
+0100
+++ new/stunnel-5.41/doc/stunnel.pl.html.in     2017-04-01 13:39:19.000000000 
+0200
@@ -469,12 +469,14 @@
 <p>Opcja pozwala okre&#x15B;li&#x107; po&#x142;o&#x17C;enie pliku 
zawieraj&#x105;cego certyfikaty u&#x17C;ywane przez opcj&#x119; 
<i>verifyChain</i> lub <i>verifyPeer</i>.</p>
 
 </dd>
-<dt id="cert-PLIK_PEM"><b>cert</b> = PLIK_PEM</dt>
+<dt id="cert-PLIK_CERT"><b>cert</b> = PLIK_CERT</dt>
 <dd>
 
 <p>plik z &#x142;a&#x144;cuchem certyfikat&oacute;w</p>
 
-<p>Opcja okre&#x15B;la po&#x142;o&#x17C;enie pliku zawieraj&#x105;cego 
certyfikaty u&#x17C;ywane przez program <b>stunnel</b> do uwierzytelnienia 
si&#x119; przed drug&#x105; stron&#x105; po&#x142;&#x105;czenia. Certyfikat 
jest konieczny, aby u&#x17C;ywa&#x107; programu w trybie serwera. W trybie 
klienta certyfikat jest opcjonalny.</p>
+<p>Opcja okre&#x15B;la po&#x142;o&#x17C;enie pliku zawieraj&#x105;cego 
certyfikaty u&#x17C;ywane przez program <b>stunnel</b> do uwierzytelnienia 
si&#x119; przed drug&#x105; stron&#x105; po&#x142;&#x105;czenia. Plik powinien 
zawiera&#x107; kompletny &#x142;a&#x144;cuch certyfikat&oacute;w 
pocz&#x105;wszy od certyfikatu klienta/serwera, a sko&#x144;czywszy na 
samopodpisanym certyfikacie g&#x142;&oacute;wnego CA. Obs&#x142;ugiwane 
s&#x105; pliki w formacie PEM lub P12.</p>
+
+<p>Certyfikat jest konieczny, aby u&#x17C;ywa&#x107; programu w trybie 
serwera. W trybie klienta certyfikat jest opcjonalny.</p>
 
 <p>Je&#x17C;eli u&#x17C;ywane jest sprz&#x119;towe urz&#x105;dzenie 
kryptograficzne, to opcja <b>cert</b> pozwala wybra&#x107; identyfikator 
u&#x17C;ywanego certyfikatu.</p>
 
@@ -760,7 +762,7 @@
 
 <p>flaga respondera OCSP</p>
 
-<p>Aktualnie wspierane flagi: NOCERTS, NOINTERN NOSIGS, NOCHAIN, NOVERIFY, 
NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME</p>
+<p>Aktualnie wspierane flagi: NOCERTS, NOINTERN, NOSIGS, NOCHAIN, NOVERIFY, 
NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME</p>
 
 <p>Aby wyspecyfikowa&#x107; kilka flag nale&#x17C;y u&#x17C;y&#x107; 
<i>OCSPflag</i> wielokrotnie.</p>
 
@@ -1284,7 +1286,7 @@
 
 <p>weryfikuj &#x142;a&#x144;cuch certyfikat&oacute;w drugiej strony</p>
 
-<p>Do weryfikacji certyfikatu serwera kluczowe jest, aby wymaga&#x107; 
r&oacute;wnie&#x17C; konkretnego certyfikatu przy pomocy <i>checkHost</i> lub 
<i>verifyPeer</i>.</p>
+<p>Do weryfikacji certyfikatu serwera kluczowe jest, aby wymaga&#x107; 
r&oacute;wnie&#x17C; konkretnego certyfikatu przy pomocy <i>checkHost</i> lub 
<i>checkIP</i>.</p>
 
 <p>Samopodpisany certyfikat g&#x142;&oacute;wnego CA nale&#x17C;y 
umie&#x15B;ci&#x107; albo w pliku podanym w opcji <i>CAfile</i>, albo w 
katalogu podanym w opcji <i>CApath</i>.</p>
 
@@ -1401,7 +1403,7 @@
     client = yes
     accept = 127.0.0.1:1080
     connect = vpn_server:9080
-    verify = 4
+    verifyPeer = yes
     CAfile = stunnel.pem</code></pre>
 
 <p>Odpowiadaj&#x105;ca jej konfiguracja serwera vpn_server:</p>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/doc/stunnel.pl.pod.in 
new/stunnel-5.41/doc/stunnel.pl.pod.in
--- old/stunnel-5.40/doc/stunnel.pl.pod.in      2017-01-19 09:51:32.000000000 
+0100
+++ new/stunnel-5.41/doc/stunnel.pl.pod.in      2017-04-01 13:39:17.000000000 
+0200
@@ -406,12 +406,16 @@
 Opcja pozwala określić położenie pliku zawierającego certyfikaty używane
 przez opcję I<verifyChain> lub I<verifyPeer>.
 
-=item B<cert> = PLIK_PEM
+=item B<cert> = PLIK_CERT
 
 plik z łańcuchem certyfikatów
 
 Opcja określa położenie pliku zawierającego certyfikaty używane przez
 program B<stunnel> do uwierzytelnienia się przed drugą stroną połączenia.
+Plik powinien zawierać kompletny łańcuch certyfikatów począwszy od certyfikatu
+klienta/serwera, a skończywszy na samopodpisanym certyfikacie głównego CA.
+Obsługiwane są pliki w formacie PEM lub P12.
+
 Certyfikat jest konieczny, aby używać programu w trybie serwera.
 W trybie klienta certyfikat jest opcjonalny.
 
@@ -682,7 +686,7 @@
 
 flaga respondera OCSP
 
-Aktualnie wspierane flagi: NOCERTS, NOINTERN NOSIGS, NOCHAIN, NOVERIFY,
+Aktualnie wspierane flagi: NOCERTS, NOINTERN, NOSIGS, NOCHAIN, NOVERIFY,
 NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME
 
 Aby wyspecyfikować kilka flag należy użyć I<OCSPflag> wielokrotnie.
@@ -1151,7 +1155,7 @@
 weryfikuj łańcuch certyfikatów drugiej strony
 
 Do weryfikacji certyfikatu serwera kluczowe jest, aby wymagać również
-konkretnego certyfikatu przy pomocy I<checkHost> lub I<verifyPeer>.
+konkretnego certyfikatu przy pomocy I<checkHost> lub I<checkIP>.
 
 Samopodpisany certyfikat głównego CA należy umieścić  albo w pliku
 podanym w opcji I<CAfile>, albo w katalogu podanym w opcji I<CApath>.
@@ -1280,7 +1284,7 @@
     client = yes
     accept = 127.0.0.1:1080
     connect = vpn_server:9080
-    verify = 4
+    verifyPeer = yes
     CAfile = stunnel.pem
 
 Odpowiadająca jej konfiguracja serwera vpn_server:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/doc/stunnel.pod.in 
new/stunnel-5.41/doc/stunnel.pod.in
--- old/stunnel-5.40/doc/stunnel.pod.in 2017-01-19 09:57:06.000000000 +0100
+++ new/stunnel-5.41/doc/stunnel.pod.in 2017-04-01 13:39:17.000000000 +0200
@@ -390,21 +390,24 @@
 
 I<CApath> path is relative to the I<chroot> directory if specified.
 
-=item B<CAfile> = CERT_FILE
+=item B<CAfile> = CA_FILE
 
 Certificate Authority file
 
 This file contains multiple CA certificates, to be used with the I<verifyChain>
 and I<verifyPeer> options.
 
-=item B<cert> = PEM_FILE
+=item B<cert> = CERT_FILE
 
-certificate chain PEM file name
+certificate chain file name
 
-The certificates must be in PEM format, and must be from the
-actual server/client certificate to the self-signed root CA certificate.
+The parameter specifies the file containing certificates used by B<stunnel>
+to authenticate itself against the remote client or server.
+The file should contain the whole certificate chain starting from the actual
+server/client certificate, and ending with the self-signed root CA certificate.
+The file must be either in PEM or P12 format.
 
-A certificate is required in server mode, and optional in client mode.
+A certificate chain is required in server mode, and optional in client mode.
 
 This parameter is also used as the certificate identifier when a hardware
 engine is enabled.
@@ -493,7 +496,7 @@
 
 I<CRLpath> path is relative to the I<chroot> directory if specified.
 
-=item B<CRLfile> = CERT_FILE
+=item B<CRLfile> = CRL_FILE
 
 Certificate Revocation Lists file
 
@@ -667,7 +670,7 @@
 
 Several I<OCSPflag> can be used to specify multiple flags.
 
-currently supported flags: NOCERTS, NOINTERN NOSIGS, NOCHAIN, NOVERIFY,
+currently supported flags: NOCERTS, NOINTERN, NOSIGS, NOCHAIN, NOVERIFY,
 NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME
 
 =item B<OCSPnonce> = yes | no
@@ -1141,7 +1144,7 @@
 verify the peer certificate chain starting from the root CA
 
 For server certificate verification it is essential to also require a specific
-certificate with I<checkHost> or I<verifyPeer>.
+certificate with I<checkHost> or I<checkIP>.
 
 The self-signed root CA certificate needs to be stored either in the file
 specified with I<CAfile>, or in the directory specified with I<CApath>.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/src/client.c 
new/stunnel-5.41/src/client.c
--- old/stunnel-5.40/src/client.c       2017-01-19 09:51:32.000000000 +0100
+++ new/stunnel-5.41/src/client.c       2017-03-26 22:25:00.000000000 +0200
@@ -83,7 +83,6 @@
     c->opt=opt;
     c->local_rfd.fd=rfd;
     c->local_wfd.fd=wfd;
-    c->redirect=REDIRECT_OFF;
     c->seq=seq++;
     return c;
 }
@@ -376,14 +375,17 @@
 NOEXPORT void ssl_start(CLI *c) {
     int i, err;
     int unsafe_openssl;
-    X509 *peer_cert;
 
     c->ssl=SSL_new(c->opt->ctx);
     if(!c->ssl) {
         sslerror("SSL_new");
         longjmp(c->err, 1);
     }
-    SSL_set_ex_data(c->ssl, index_cli, c); /* for callbacks */
+    /* for callbacks */
+    if(!SSL_set_ex_data(c->ssl, index_ssl_cli, c)) {
+        sslerror("SSL_set_ex_data");
+        longjmp(c->err, 1);
+    }
     if(c->opt->option.client) {
 #ifndef OPENSSL_NO_TLSEXT
         if(c->opt->sni && *c->opt->sni) {
@@ -477,26 +479,10 @@
         c->opt->option.client ? "connected" : "accepted",
         SSL_session_reused(c->ssl) ?
             "previous session reused" : "new session negotiated");
-    if(SSL_session_reused(c->ssl)) {
-        c->redirect=(uintptr_t)SSL_SESSION_get_ex_data(SSL_get_session(c->ssl),
-            index_redirect);
-        if(c->opt->redirect_addr.names && !c->redirect) {
-            s_log(LOG_ERR, "No application data found in the reused session");
-            longjmp(c->err, 1);
-        }
-    } else { /* a new session was negotiated */
+    if(!SSL_session_reused(c->ssl)) { /* a new session was negotiated */
         new_chain(c);
-        peer_cert=SSL_get_peer_certificate(c->ssl);
-        if(peer_cert) /* c->redirect was set by the callback */
-            X509_free(peer_cert);
-        else if(c->opt->redirect_addr.names) /* no peer certificate verified */
-            c->redirect=REDIRECT_ON;
-        SSL_SESSION_set_ex_data(SSL_get_session(c->ssl),
-            index_redirect, (void *)c->redirect);
         if(c->opt->option.client)
             session_cache_save(c);
-        else /* TLS server */
-            SSL_CTX_add_session(c->opt->ctx, SSL_get_session(c->ssl));
         print_cipher(c);
     }
 }
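Review bot: The reused-session branch no longer checks that a resumed session carries any redirect state; the old "No application data found in the reused session" error is gone and the decision now rests on the `index_session_authenticated` ex-data read later in connect_setup, presumably set by the verification callback, which is not in this diff. A resumed session without that flag ends up treated as unauthenticated and redirected, which is fail-closed, but nothing in the hunk says so; a comment on the `if(!SSL_session_reused(c->ssl))` line such as `/* a resumed session carries its authentication state in session ex-data; absence means not authenticated (fail closed) */` would keep a later cleanup from inverting it. Dropping `SSL_CTX_add_session` for the TLS server also assumes OpenSSL's internal session store is enabled, which this same commit does by removing `SSL_SESS_CACHE_NO_INTERNAL_STORE` in ctx.c, so the two changes have to stay together. ssl_start begins outside this hunk.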
@@ -1402,8 +1388,9 @@
     str_free(addr_txt);
 
     CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_ADDR]);
-    old_addr=SSL_SESSION_get_ex_data(sess, index_addr);
-    SSL_SESSION_set_ex_data(sess, index_addr, new_addr);
+    old_addr=SSL_SESSION_get_ex_data(sess, index_session_connect_address);
+    /* we can safely ignore the SSL_SESSION_set_ex_data() failure */
+    SSL_SESSION_set_ex_data(sess, index_session_connect_address, new_addr);
     CRYPTO_THREAD_write_unlock(stunnel_locks[LOCK_ADDR]);
     str_free(old_addr); /* NULL pointers are ignored */
 }
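Review bot: The comment `/* we can safely ignore the SSL_SESSION_set_ex_data() failure */` overstates it: when the call fails, `new_addr` is neither stored in the session nor freed, so every failure leaks the address copy allocated earlier in this function (outside the hunk; the success path releases the previous one with `str_free`, so I assume it comes from the same allocator). As far as I recall CRYPTO_set_ex_data only fails while growing the ex-data stack, i.e. while the slot is still empty, but whether `old_addr` is still referenced after a failure is then an OpenSSL detail this code should not depend on; the safe shape is to free the copy that was not stored and leave the one the session may still own alone. The enclosing function starts outside this hunk.
```c
    CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_ADDR]);
    old_addr=SSL_SESSION_get_ex_data(sess, index_session_connect_address);
    if(SSL_SESSION_set_ex_data(sess, index_session_connect_address, new_addr)) {
        CRYPTO_THREAD_write_unlock(stunnel_locks[LOCK_ADDR]);
        str_free(old_addr); /* NULL pointers are ignored */
    } else { /* nothing was stored: the session may still reference old_addr */
        CRYPTO_THREAD_write_unlock(stunnel_locks[LOCK_ADDR]);
        sslerror("SSL_SESSION_set_ex_data");
        str_free(new_addr); /* drop the copy that was not stored */
    }
```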
@@ -1416,7 +1403,8 @@
 
     if(c->ssl && SSL_session_reused(c->ssl)) {
         CRYPTO_THREAD_read_lock(stunnel_locks[LOCK_ADDR]);
-        ptr=SSL_SESSION_get_ex_data(SSL_get_session(c->ssl), index_addr);
+        ptr=SSL_SESSION_get_ex_data(SSL_get_session(c->ssl),
+            index_session_connect_address);
         if(ptr) {
             len=addr_len(ptr);
             memcpy(&addr, ptr, (size_t)len);
@@ -1455,7 +1443,9 @@
 
 NOEXPORT void connect_setup(CLI *c) {
     /* process "redirect" first */
-    if(c->redirect==REDIRECT_ON) {
+    if(c->opt->redirect_addr.names &&
+            (!c->ssl || !SSL_SESSION_get_ex_data(SSL_get_session(c->ssl),
+                index_session_authenticated))) {
         s_log(LOG_NOTICE, "Redirecting connection");
         /* c->connect_addr.addr may be allocated in protocol negotiations */
         str_free(c->connect_addr.addr);
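Review bot: The new redirect condition carries no comment saying that a missing `index_session_authenticated` flag means "redirect", i.e. that it deliberately fails closed; I would put `/* redirect unless the TLS session was marked authenticated (fail closed) */` above the `if`. Two assumptions depend on code outside this hunk and are worth confirming: `SSL_get_session(c->ssl)` is taken to be non-NULL whenever `c->ssl` is set, and the `!c->ssl` term makes every connection redirect if connect_setup can run before the TLS handshake with `redirect` configured, as it would in client mode, so the option parser presumably already rejects `redirect` there. connect_setup continues past this hunk.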
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/src/ctx.c new/stunnel-5.41/src/ctx.c
--- old/stunnel-5.40/src/ctx.c  2017-01-19 09:51:32.000000000 +0100
+++ new/stunnel-5.41/src/ctx.c  2017-03-26 22:25:00.000000000 +0200
@@ -38,6 +38,12 @@
 #include "common.h"
 #include "prototypes.h"
 
+SERVICE_OPTIONS *current_section=NULL;
+
+/* try an empty passphrase first */
+static char cached_passwd[PEM_BUFSIZE]="";
+static int cached_len=0;
+
 #ifndef OPENSSL_NO_DH
 DH *dh_params=NULL;
 int dh_needed=0;
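Review bot: `cached_passwd` keeps the last passphrase entered in cleartext in static storage for the lifetime of the process, and the only comment, "try an empty passphrase first", explains the initial value rather than why the cache outlives key loading or that it is shared by every service section. If the cache exists so that later sections and configuration reloads do not re-prompt (my reading, not visible here), say so, e.g. `/* last passphrase entered, shared by all sections and kept for reloads; cleartext in static memory, so it will show up in core dumps */`, and consider clearing it with a non-optimisable memset once it is no longer needed if the process does not already disable core dumps. `current_section` is a plain global written during context setup and read by callbacks, which only works if sections are initialised one at a time; that assumption deserves a one-line comment too.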
@@ -79,7 +85,9 @@
 NOEXPORT int load_cert_engine(SERVICE_OPTIONS *);
 NOEXPORT int load_key_engine(SERVICE_OPTIONS *);
 #endif
-NOEXPORT int passphrase_cb(char *, int, int, void *);
+NOEXPORT int cache_passwd_get_cb(char *, int, int, void *);
+NOEXPORT int cache_passwd_set_cb(char *, int, int, void *);
+NOEXPORT void set_prompt(const char *);
 NOEXPORT int ui_retry();
 
 /* session callbacks */
@@ -124,7 +132,12 @@
         sslerror("SSL_CTX_new");
         return 1; /* FAILED */
     }
-    SSL_CTX_set_ex_data(section->ctx, index_opt, section); /* for callbacks */
+    /* for callbacks */
+    if(!SSL_CTX_set_ex_data(section->ctx, index_ssl_ctx_opt, section)) {
+        sslerror("SSL_CTX_set_ex_data");
+        return 1; /* FAILED */
+    }
+    current_section=section; /* setup current section for callbacks */
 
     /* ciphers */
     if(section->cipher_list) {
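Review bot: The new failure branch after `SSL_CTX_set_ex_data` returns 1 with `section->ctx` still pointing at the context created by `SSL_CTX_new` a few lines above, so unless the caller frees it on failure (not visible here) the context leaks; the original `SSL_CTX_new` failure path did not have this problem because there was nothing to free yet. I would add `SSL_CTX_free(section->ctx); section->ctx=NULL;` before that `return 1;`. Setting `current_section` here also only works if sections are initialised sequentially, which the code appears to assume but does not state. The enclosing function starts outside this hunk.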
@@ -177,11 +190,6 @@
             return 1; /* FAILED */
         }
     }
-#ifdef SSL_SESS_CACHE_NO_INTERNAL_STORE
-    /* the default cache mode is just SSL_SESS_CACHE_SERVER */
-    SSL_CTX_set_session_cache_mode(section->ctx,
-        SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL_STORE);
-#endif
     SSL_CTX_sess_set_cache_size(section->ctx, section->session_size);
     SSL_CTX_set_timeout(section->ctx, section->session_timeout);
     SSL_CTX_sess_set_new_cb(section->ctx, sess_new_cb);
@@ -244,7 +252,7 @@
     for(list=section->servername_list_head; list; list=list->next)
         if(matches_wildcard((char *)servername, list->servername)) {
             s_log(LOG_DEBUG, "SNI: matched pattern: %s", list->servername);
-            c=SSL_get_ex_data(ssl, index_cli);
+            c=SSL_get_ex_data(ssl, index_ssl_cli);
             c->opt=list->opt;
             SSL_set_SSL_CTX(ssl, c->opt->ctx);
             SSL_set_verify(ssl, SSL_CTX_get_verify_mode(c->opt->ctx),
@@ -524,7 +532,7 @@
     size_t identity_len;
 
     (void)hint; /* squash the unused parameter warning */
-    c=SSL_get_ex_data(ssl, index_cli);
+    c=SSL_get_ex_data(ssl, index_ssl_cli);
     if(!c->opt->psk_selected) {
         s_log(LOG_ERR, "INTERNAL ERROR: No PSK identity selected");
         return 0;
@@ -555,7 +563,7 @@
     PSK_KEYS *found;
     size_t len;
 
-    c=SSL_get_ex_data(ssl, index_cli);
+    c=SSL_get_ex_data(ssl, index_ssl_cli);
     found=psk_find(&c->opt->psk_sorted, identity);
     if(found) {
         len=found->key_len;
@@ -629,8 +637,8 @@
 }
 
 NOEXPORT int load_pkcs12_file(SERVICE_OPTIONS *section) {
+    size_t len;
     int i, success;
-    UI_DATA ui_data;
     BIO *bio=NULL;
     PKCS12 *p12=NULL;
     X509 *cert=NULL;
@@ -656,10 +664,12 @@
     }
     BIO_free(bio);
 
-    ui_data.section=section; /* setup current section for callbacks */
-
-    /* try the cached value (initially an empty passphrase) */
-    passphrase_cb(pass, PEM_BUFSIZE, 0, NULL);
+    /* try the cached value first */
+    set_prompt(section->cert);
+    len=(size_t)cache_passwd_get_cb(pass, sizeof pass, 0, NULL);
+    if(len>=sizeof pass)
+        len=sizeof pass-1;
+    pass[len]='\0'; /* null-terminate */
     success=PKCS12_parse(p12, pass, &pkey, &cert, &ca);
 
     /* invoke the UI */
@@ -672,7 +682,11 @@
             sslerror_queue(); /* dump the error queue */
             s_log(LOG_ERR, "Wrong passphrase: retrying");
         }
-        passphrase_cb(pass, PEM_BUFSIZE, 0, &ui_data);
+        /* invoke the UI on subsequent calls */
+        len=(size_t)cache_passwd_set_cb(pass, sizeof pass, 0, NULL);
+        if(len>=sizeof pass)
+            len=sizeof pass-1;
+        pass[len]='\0'; /* null-terminate */
         success=PKCS12_parse(p12, pass, &pkey, &cert, &ca);
     }
     if(!success) {
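Review bot: The clamp-and-terminate sequence after `cache_passwd_set_cb` is a verbatim repeat of the one after `cache_passwd_get_cb` earlier in this function; a small static helper taking the callback would keep the two in step, since any change to the length handling currently has to be made twice. The `(size_t)` cast also turns a negative callback return into a huge value that the clamp then folds into `sizeof pass-1`, which is safe but reads as accidental; checking the `int` result before the cast, or a comment such as `/* a negative length is folded into the clamp below */`, would make the intent visible. `pass` keeps the cleartext passphrase on the stack after `PKCS12_parse`, so clearing it once the retry loop is done would limit exposure. load_pkcs12_file starts and ends outside this hunk.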
@@ -708,22 +722,20 @@
 
 NOEXPORT int load_key_file(SERVICE_OPTIONS *section) {
     int i, success;
-    UI_DATA ui_data;
 
     s_log(LOG_INFO, "Loading private key from file: %s", section->key);
     if(file_permissions(section->key))
         return 1; /* FAILED */
 
-    ui_data.section=section; /* setup current section for callbacks */
-    SSL_CTX_set_default_passwd_cb(section->ctx, passphrase_cb);
-
-    /* try the cached value (initially an empty passphrase) */
-    SSL_CTX_set_default_passwd_cb_userdata(section->ctx, NULL);
+    /* try the cached value first */
+    set_prompt(section->key);
+    SSL_CTX_set_default_passwd_cb(section->ctx, cache_passwd_get_cb);
     success=SSL_CTX_use_PrivateKey_file(section->ctx, section->key,
         SSL_FILETYPE_PEM);
+    /* invoke the UI on subsequent calls */
+    SSL_CTX_set_default_passwd_cb(section->ctx, cache_passwd_set_cb);
 
     /* invoke the UI */
-    SSL_CTX_set_default_passwd_cb_userdata(section->ctx, &ui_data);
     for(i=0; !success && i<3; i++) {
         if(!ui_retry())
             break;
@@ -770,21 +782,16 @@
 
 NOEXPORT int load_key_engine(SERVICE_OPTIONS *section) {
     int i;
-    UI_DATA ui_data;
     EVP_PKEY *pkey;
-    UI_METHOD *ui_method;
 
     s_log(LOG_INFO, "Initializing private key on engine ID: %s", section->key);
 
-    ui_data.section=section; /* setup current section for callbacks */
-    SSL_CTX_set_default_passwd_cb(section->ctx, passphrase_cb);
+    /* do not use caching for engine PINs to prevent device lockout */
+    SSL_CTX_set_default_passwd_cb(section->ctx, ui_passwd_cb);
 
-    ui_method=UI_stunnel();
-    /* workaround for broken engines */
-    /* ui_data.section=NULL; */
     for(i=0; i<3; i++) {
         pkey=ENGINE_load_private_key(section->engine, section->key,
-            ui_method, &ui_data);
+            UI_stunnel(), NULL);
         if(!pkey) {
             if(i<2 && ui_retry()) { /* wrong PIN */
                 sslerror_queue(); /* dump the error queue */
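Review bot: `UI_stunnel()` is now evaluated on every iteration of the retry loop at L861–L864, whereas the old code fetched it once into `ui_method`; if `UI_stunnel()` allocates a UI_METHOD per call (its body is not visible here), each wrong-PIN retry leaks one, so hoist it back out of the loop: `UI_METHOD *ui_method=UI_stunnel();`. Nothing in this hunk sets `current_section` before the UI is invoked, yet the Windows GUI prompt reads it for the dialog title; if the caller does not set it, the prompt will lack the key name. The tail of the retry loop is outside the hunk.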
@@ -805,24 +812,40 @@
 
 #endif /* !defined(OPENSSL_NO_ENGINE) */
 
-NOEXPORT int passphrase_cb(char *buf, int size, int rwflag, void *userdata) {
-    static char cache[PEM_BUFSIZE]=""; /* try an empty passphrase first */
-    int len;
-
-    if(size>PEM_BUFSIZE)
-        size=PEM_BUFSIZE;
-
-    if(!userdata) { /* try the cached value first */
-        strncpy(buf, cache, (size_t)size);
-        buf[size-1]='\0';
-        len=(int)strlen(buf);
-    } else { /* prompt the user on subsequent requests */
-        len=passwd_cb(buf, size, rwflag, userdata); /* invoke the UI */
-        memcpy(cache, buf, (size_t)size); /* save in cache */
-    }
+/* additional caching layer on top of ui_passwd_cb() */
+
+/* retrieve the cached passwd */
+NOEXPORT int cache_passwd_get_cb(char *buf, int size,
+        int rwflag, void *userdata) {
+    int len=cached_len;
+
+    (void)rwflag; /* squash the unused parameter warning */
+    (void)userdata; /* squash the unused parameter warning */
+    if(len<0 || size<0) /* the API uses signed integers */
+        return 0;
+    if(len>size) /* truncate the returned data if needed */
+        len=size;
+    memcpy(buf, cached_passwd, (size_t)len);
     return len;
 }
 
+/* cache the passwd retrieved from UI */
+NOEXPORT int cache_passwd_set_cb(char *buf, int size,
+        int rwflag, void *userdata) {
+    memset(cached_passwd, 0, sizeof cached_passwd);
+    cached_len=ui_passwd_cb(cached_passwd, sizeof cached_passwd,
+        rwflag, userdata);
+    return cache_passwd_get_cb(buf, size, rwflag, userdata);
+}
+
+NOEXPORT void set_prompt(const char *name) {
+    char *prompt;
+
+    prompt=str_printf("Enter %s pass phrase:", name);
+    EVP_set_pw_prompt(prompt);
+    str_free(prompt);
+}
+
 NOEXPORT int ui_retry() {
     unsigned long err=ERR_peek_error();
 
@@ -877,10 +900,10 @@
     CLI *c;
 
     s_log(LOG_DEBUG, "New session callback");
-    c=SSL_get_ex_data(ssl, index_cli);
+    c=SSL_get_ex_data(ssl, index_ssl_cli);
     if(c->opt->option.sessiond)
         cache_new(ssl, sess);
-    return 1; /* leave the session in local cache for reuse */
+    return 0; /* the OpenSSL's manual is really bad -> use the source here */
 }
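Review bot: The comment at L933 explains nothing about the contract it relies on: returning 0 from a new-session callback tells OpenSSL the callback took no reference on `sess`, so the library keeps ownership and may free it later. Replace it with `return 0; /* no reference retained on sess: OpenSSL keeps ownership */`. This is only correct if `cache_new()` does not keep the `SSL_SESSION *` beyond the callback (its body is not visible here); if it does, it must take its own reference.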
 
 NOEXPORT SSL_SESSION *sess_get_cb(SSL *ssl,
@@ -892,7 +915,7 @@
 
     s_log(LOG_DEBUG, "Get session callback");
     *do_copy=0; /* allow the session to be freed automatically */
-    c=SSL_get_ex_data(ssl, index_cli);
+    c=SSL_get_ex_data(ssl, index_ssl_cli);
     if(c->opt->option.sessiond)
         return cache_get(ssl, key, key_len);
     return NULL; /* no session to resume */
@@ -902,10 +925,9 @@
     SERVICE_OPTIONS *opt;
 
     s_log(LOG_DEBUG, "Remove session callback");
-    opt=SSL_CTX_get_ex_data(ctx, index_opt);
+    opt=SSL_CTX_get_ex_data(ctx, index_ssl_ctx_opt);
     if(opt->option.sessiond)
         cache_remove(ctx, sess);
-    SSL_SESSION_free(sess);
 }
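Review bot: Dropping the `SSL_SESSION_free()` is right — the remove callback is invoked with a session the library still owns — but the hunk leaves no hint why, and the old free paired with the `return 1` in the new-session callback that this release also changed, so a future revert of one without the other would reintroduce a leak or a double free. Add `/* sess is still owned by OpenSSL: do not free it here */` after the `cache_remove()` call.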
 
 /**************************************** sessiond functionality */
@@ -1037,7 +1059,7 @@
     }
 
     /* retrieve pointer to the section structure of this ctx */
-    section=SSL_CTX_get_ex_data(ctx, index_opt);
+    section=SSL_CTX_get_ex_data(ctx, index_ssl_ctx_opt);
     if(sendto(s, (void *)packet,
 #ifdef USE_WIN32
             (int)
@@ -1107,7 +1129,7 @@
     SSL_CTX *ctx;
     const char *state_string;
 
-    c=SSL_get_ex_data((SSL *)ssl, index_cli);
+    c=SSL_get_ex_data((SSL *)ssl, index_ssl_cli);
     if(c) {
         int state=SSL_get_state((SSL *)ssl);
 
@@ -1139,8 +1161,7 @@
         } else if((where&SSL_CB_ACCEPT_LOOP)
                 && c->reneg_state==RENEG_ESTABLISHED) {
 #ifndef SSL3_ST_SR_CLNT_HELLO_A
-            if(state==TLS_ST_SR_CLNT_HELLO
-                    || state==TLS_ST_SR_CLNT_HELLO) {
+            if(state==TLS_ST_SR_CLNT_HELLO) {
 #else
             if(state==SSL3_ST_SR_CLNT_HELLO_A
                     || state==SSL23_ST_SR_CLNT_HELLO_A) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/src/dhparam.c 
new/stunnel-5.41/src/dhparam.c
--- old/stunnel-5.40/src/dhparam.c      2017-01-02 15:27:26.000000000 +0100
+++ new/stunnel-5.41/src/dhparam.c      2017-02-02 15:20:22.000000000 +0100
@@ -8,32 +8,32 @@
 DH *get_dh2048()
 {
     static unsigned char dhp_2048[] = {
-       0x89, 0x9D, 0x84, 0xB8, 0x3A, 0x2D, 0xD4, 0xF7, 0x41, 0x5A, 
-       0xBB, 0x27, 0x00, 0x69, 0xAE, 0xB4, 0xAC, 0x5E, 0xD8, 0xEB, 
-       0xAE, 0x3D, 0x0E, 0x1A, 0x05, 0xD5, 0xE5, 0xEF, 0x2B, 0x8E, 
-       0x4F, 0xF3, 0x65, 0x3C, 0xE3, 0x40, 0x6B, 0xFB, 0xA7, 0x24, 
-       0x58, 0x85, 0xE4, 0xFA, 0x86, 0x0D, 0xED, 0x8D, 0xBF, 0xA0, 
-       0x4D, 0x58, 0xC9, 0x30, 0x26, 0x3B, 0xF0, 0x1E, 0xAF, 0x15, 
-       0x6F, 0x4E, 0x71, 0x2D, 0xF1, 0x67, 0xED, 0x44, 0x8C, 0x04, 
-       0x04, 0x23, 0xE4, 0xA8, 0x5B, 0x7B, 0x28, 0x32, 0x0D, 0x67, 
-       0xBB, 0x7E, 0xE5, 0x1B, 0x58, 0x6F, 0x0C, 0x3C, 0x0A, 0x8A, 
-       0x3E, 0xC8, 0x8A, 0x10, 0xCA, 0x74, 0x94, 0x6E, 0xC8, 0xC0, 
-       0x52, 0x9C, 0xE5, 0x45, 0xE7, 0x0A, 0x78, 0x9B, 0x30, 0x60, 
-       0x70, 0xEA, 0xF2, 0xEF, 0xB6, 0xD5, 0x28, 0x2F, 0xA1, 0x92, 
-       0xA6, 0x94, 0x45, 0x03, 0x5A, 0x8F, 0xF3, 0x17, 0x93, 0x99, 
-       0x28, 0x1B, 0x9C, 0xE1, 0x3F, 0x96, 0x4E, 0x95, 0x62, 0x72, 
-       0x79, 0x8E, 0xD9, 0xE6, 0x42, 0xEF, 0xF5, 0x46, 0xBF, 0xB3, 
-       0x2B, 0x23, 0x5D, 0xEF, 0x11, 0x18, 0x81, 0x85, 0xBB, 0xD9, 
-       0xD1, 0x32, 0x96, 0xEE, 0x98, 0x8C, 0x14, 0x6E, 0x57, 0x68, 
-       0xAD, 0x5B, 0xE0, 0xF4, 0x7A, 0x75, 0x9E, 0x8D, 0xB0, 0x18, 
-       0x9A, 0xFD, 0x1E, 0x0C, 0xD9, 0x23, 0x4B, 0xF1, 0xF3, 0x92, 
-       0xD8, 0x23, 0x41, 0xE0, 0xEC, 0x94, 0xDE, 0xF3, 0x34, 0x87, 
-       0xF6, 0x87, 0x35, 0xF4, 0x48, 0x9B, 0xB7, 0x3B, 0x4E, 0xCD, 
-       0x1A, 0x8D, 0xFC, 0x5A, 0xD1, 0x39, 0x41, 0x33, 0x66, 0xE2, 
-       0x06, 0xEE, 0x2C, 0x1B, 0x5F, 0x5C, 0xB2, 0xF2, 0xB3, 0xBA, 
-       0xA3, 0x58, 0x8B, 0xF2, 0xD2, 0x9A, 0xAF, 0x03, 0xA2, 0x84, 
-       0x7D, 0xA1, 0xAA, 0x23, 0x3A, 0x7B, 0xE2, 0xF8, 0xAF, 0xA6, 
-       0xE3, 0x5B, 0xCE, 0x25, 0x68, 0x7B
+       0xFD, 0x64, 0x87, 0xF6, 0xC7, 0xF8, 0x45, 0x8D, 0x04, 0x72, 
+       0xAB, 0x25, 0xC7, 0xDB, 0x2D, 0x3F, 0x6E, 0xF1, 0xD3, 0xD7, 
+       0xC8, 0x81, 0x9A, 0x68, 0xE4, 0xDA, 0x63, 0x72, 0x6B, 0xE7, 
+       0x12, 0x31, 0x5A, 0x6B, 0x3C, 0x76, 0xCE, 0x6D, 0x9D, 0x1A, 
+       0x2B, 0x4A, 0xA7, 0x61, 0xC1, 0x5C, 0xF4, 0x40, 0xBE, 0xFF, 
+       0x15, 0x40, 0xC9, 0x5F, 0xFF, 0x77, 0x50, 0x11, 0x20, 0x5F, 
+       0x3D, 0x0F, 0xB9, 0x4B, 0x0F, 0x36, 0x05, 0x39, 0x3C, 0x19, 
+       0x35, 0x64, 0x1D, 0xD6, 0x46, 0x61, 0x7C, 0xD4, 0x8C, 0x62, 
+       0xEB, 0x45, 0xC2, 0x78, 0xDD, 0x7E, 0x9B, 0x3F, 0xE7, 0xD7, 
+       0x28, 0x4E, 0x18, 0x8F, 0xA6, 0x2B, 0x73, 0xC4, 0x84, 0xB4, 
+       0xA0, 0x57, 0x3E, 0x05, 0x1D, 0x5E, 0x05, 0xF3, 0xEE, 0x29, 
+       0x61, 0x43, 0xE7, 0x93, 0xC8, 0xF5, 0xC0, 0x1E, 0x26, 0x32, 
+       0xE1, 0xA4, 0x3D, 0x9B, 0x2C, 0x22, 0xCE, 0xEC, 0x78, 0xD8, 
+       0x01, 0xD6, 0xFA, 0x5A, 0x94, 0xF0, 0x27, 0x39, 0x76, 0xAF, 
+       0x4F, 0xEA, 0x7C, 0xAA, 0xAF, 0x04, 0xF0, 0xCC, 0x69, 0x8F, 
+       0x0E, 0x6D, 0x3A, 0x79, 0x0A, 0x2C, 0xE0, 0x7D, 0x73, 0x1B, 
+       0xF1, 0x24, 0xF2, 0x66, 0x26, 0x48, 0x5C, 0x1B, 0x6C, 0xDB, 
+       0x0F, 0x11, 0x2F, 0x66, 0x8A, 0xF5, 0x30, 0x8D, 0x69, 0xE2, 
+       0x4E, 0x47, 0x07, 0x8F, 0xB8, 0x36, 0xA1, 0x5F, 0x88, 0xCC, 
+       0xAA, 0xBA, 0xA7, 0x41, 0x87, 0xB4, 0x96, 0xAA, 0xA7, 0xA6, 
+       0x89, 0x20, 0x51, 0xE3, 0x3A, 0xEA, 0xE1, 0x20, 0x4C, 0x11, 
+       0x63, 0x00, 0xC2, 0x08, 0x4E, 0x07, 0x44, 0xFE, 0xE3, 0xB0, 
+       0x65, 0xA1, 0xE0, 0x79, 0x43, 0x37, 0xFD, 0xB0, 0x96, 0x34, 
+       0x2C, 0xEE, 0xC9, 0xD6, 0xD2, 0x2E, 0x0F, 0x57, 0xAA, 0x24, 
+       0x62, 0x22, 0xA9, 0x47, 0xBB, 0xDC, 0x2C, 0x6C, 0xF7, 0x86, 
+       0x43, 0xE4, 0x32, 0x99, 0xED, 0x03
     };
     static unsigned char dhg_2048[] = {
        0x02
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/src/options.c 
new/stunnel-5.41/src/options.c
--- old/stunnel-5.40/src/options.c      2017-01-28 09:47:51.000000000 +0100
+++ new/stunnel-5.41/src/options.c      2017-03-28 16:04:38.000000000 +0200
@@ -2304,7 +2304,7 @@
                 section->option.delayed_lookup=1;
             }
             if(!section->option.verify_chain && !section->option.verify_peer)
-                return "\"verify\" needs to be 1 or higher for \"redirect\" to 
work";
+                return "Either \"verifyChain\" or \"verifyPeer\" has to be 
enabled for \"redirect\" to work";
         }
         break;
     case CMD_FREE:
@@ -3594,6 +3594,15 @@
         return "Failed to open the engine";
     }
     engine_initialized=0;
+    if(ENGINE_ctrl(engines[current_engine], ENGINE_CTRL_SET_USER_INTERFACE,
+            0, UI_stunnel(), NULL)) {
+        s_log(LOG_NOTICE, "UI set for engine #%d (%s)",
+            current_engine+1, ENGINE_get_id(engines[current_engine]));
+    } else {
+        ERR_clear_error();
+        s_log(LOG_INFO, "UI not supported by engine #%d (%s)",
+            current_engine+1, ENGINE_get_id(engines[current_engine]));
+    }
     return NULL; /* OK */
 }
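Review bot: The failure branch at L1074–L1077 reports "UI not supported" and discards the OpenSSL error queue with `ERR_clear_error()` before anyone can see it, so an engine that actually rejected the UI (or failed for an unrelated reason) is indistinguishable from one that lacks the control. Log the queue before clearing it, e.g. `sslerror_queue();` as this code base does elsewhere, or at least soften the message to "UI could not be set for engine". The return value of `ENGINE_ctrl()` alone does not tell the two cases apart.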
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/src/os2.mak new/stunnel-5.41/src/os2.mak
--- old/stunnel-5.40/src/os2.mak        2017-01-02 15:27:26.000000000 +0100
+++ new/stunnel-5.41/src/os2.mak        2017-02-02 15:21:32.000000000 +0100
@@ -1,11 +1,11 @@
 prefix=.
 DEFS = -DPACKAGE_NAME=\"stunnel\" \
        -DPACKAGE_TARNAME=\"stunnel\" \
-       -DPACKAGE_VERSION=\"5.40\" \
-       -DPACKAGE_STRING=\"stunnel\ 5.40\" \
+       -DPACKAGE_VERSION=\"5.41\" \
+       -DPACKAGE_STRING=\"stunnel\ 5.41\" \
        -DPACKAGE_BUGREPORT=\"\" \
        -DPACKAGE=\"stunnel\" \
-       -DVERSION=\"5.40\" \
+       -DVERSION=\"5.41\" \
        -DSTDC_HEADERS=1 \
        -DHAVE_SYS_TYPES_H=1 \
        -DHAVE_SYS_STAT_H=1 \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/src/prototypes.h 
new/stunnel-5.41/src/prototypes.h
--- old/stunnel-5.40/src/prototypes.h   2017-01-02 15:27:26.000000000 +0100
+++ new/stunnel-5.41/src/prototypes.h   2017-03-26 22:25:00.000000000 +0200
@@ -46,10 +46,6 @@
 
 /**************************************** data structures */
 
-/* non-zero constants for the "redirect" option */
-#define REDIRECT_ON         1
-#define REDIRECT_OFF        2
-
 #if defined (USE_WIN32)
 #define ICON_IMAGE HICON
 #elif defined(__APPLE__)
@@ -410,7 +406,6 @@
     FD *ssl_rfd, *ssl_wfd; /* read and write TLS descriptors */
     uint64_t sock_bytes, ssl_bytes; /* bytes written to socket and TLS */
     s_poll_set *fds; /* file descriptors */
-    uintptr_t redirect; /* redirect to another destination after failed auth */
 } CLI;
 
 /**************************************** prototypes for stunnel.c */
@@ -491,17 +486,15 @@
 
 /**************************************** prototypes for ssl.c */
 
-extern int index_cli, index_opt, index_redirect, index_addr;
+extern int index_ssl_cli, index_ssl_ctx_opt;
+extern int index_session_authenticated, index_session_connect_address;
 
 int ssl_init(void);
 int ssl_configure(GLOBAL_OPTIONS *);
 
 /**************************************** prototypes for ctx.c */
 
-typedef struct {
-    SERVICE_OPTIONS *section;
-    char pass[PEM_BUFSIZE];
-} UI_DATA;
+extern SERVICE_OPTIONS *current_section;
 
 #ifndef OPENSSL_NO_DH
 extern DH *dh_params;
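Review bot: `extern SERVICE_OPTIONS *current_section;` at L1142 introduces a process-wide mutable pointer that the UI code reads to name the key being unlocked, but the declaration says nothing about who sets it, when it is valid, or that it must not be read from connection threads. Add `/* section whose key is being loaded; set during configuration, read by the passphrase UI; not valid after configuration */`, adjusting the wording to the actual setter, which is not visible in this diff.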
@@ -802,7 +795,7 @@
 void message_box(LPCTSTR, const UINT);
 #endif /* USE_WIN32 */
 
-int passwd_cb(char *, int, int, void *);
+int ui_passwd_cb(char *, int, int, void *);
 #ifndef OPENSSL_NO_ENGINE
 UI_METHOD *UI_stunnel(void);
 #endif /* !defined(OPENSSL_NO_ENGINE) */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/src/ssl.c new/stunnel-5.41/src/ssl.c
--- old/stunnel-5.40/src/ssl.c  2017-01-02 15:27:26.000000000 +0100
+++ new/stunnel-5.41/src/ssl.c  2017-03-26 22:25:00.000000000 +0200
@@ -47,7 +47,8 @@
 NOEXPORT int prng_init(GLOBAL_OPTIONS *);
 NOEXPORT int add_rand_file(GLOBAL_OPTIONS *, const char *);
 
-int index_cli, index_opt, index_redirect, index_addr;
+int index_ssl_cli, index_ssl_ctx_opt;
+int index_session_authenticated, index_session_connect_address;
 
 int ssl_init(void) { /* init TLS before parsing configuration file */
 #if OPENSSL_VERSION_NUMBER>=0x10100000L
@@ -57,15 +58,17 @@
     SSL_load_error_strings();
     SSL_library_init();
 #endif
-    index_cli=SSL_get_ex_new_index(0, "cli index",
-        NULL, NULL, NULL);
-    index_opt=SSL_CTX_get_ex_new_index(0, "opt index",
-        NULL, NULL, NULL);
-    index_redirect=SSL_SESSION_get_ex_new_index(0, "redirect index",
-        NULL, NULL, NULL);
-    index_addr=SSL_SESSION_get_ex_new_index(0, "addr index",
-        NULL, NULL, cb_free);
-    if(index_cli<0 || index_opt<0 || index_redirect<0 || index_addr<0) {
+    index_ssl_cli=SSL_get_ex_new_index(0,
+        "CLI pointer", NULL, NULL, NULL);
+    index_ssl_ctx_opt=SSL_CTX_get_ex_new_index(0,
+        "SERVICE_OPTIONS pointer", NULL, NULL, NULL);
+    index_session_authenticated=SSL_SESSION_get_ex_new_index(0,
+        "session authenticated", NULL, NULL, NULL);
+    index_session_connect_address=SSL_SESSION_get_ex_new_index(0,
+        "session connect address", NULL, NULL, cb_free);
+    if(index_ssl_cli<0 || index_ssl_ctx_opt<0 ||
+            index_session_authenticated<0 ||
+            index_session_connect_address<0) {
         s_log(LOG_ERR, "Application specific data initialization failed");
         return 1;
     }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/src/str.c new/stunnel-5.41/src/str.c
--- old/stunnel-5.40/src/str.c  2017-01-02 15:27:26.000000000 +0100
+++ new/stunnel-5.41/src/str.c  2017-03-23 15:42:08.000000000 +0100
@@ -84,7 +84,7 @@
 } LEAK_ENTRY;
 NOEXPORT LEAK_ENTRY leak_hash_table[LEAK_TABLE_SIZE],
     *leak_results[LEAK_TABLE_SIZE];
-NOEXPORT int leak_result_num=0;
+NOEXPORT volatile int leak_result_num=0;
 
 #ifdef USE_WIN32
 NOEXPORT LPTSTR str_vtprintf(LPCTSTR, va_list);
@@ -411,7 +411,6 @@
     static size_t entries=0;
     LEAK_ENTRY *entry;
     int new_entry, allocations;
-    long limit;
 
 #ifndef USE_FORK
     if(!stunnel_locks[STUNNEL_LOCKS-1]) /* threads not initialized */
@@ -448,17 +447,25 @@
     allocations=(entry->num+=change); /* we just need an estimate... */
 #endif
 
-    limit=leak_threshold();
-
-    if(allocations>limit) {
-        CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_LEAK_RESULTS]);
-        if(allocations>entry->max) {
-            if(entry->max==0) /* discovered for the first time */
-                leak_results[leak_result_num++]=entry;
-            entry->max=allocations;
-        }
-        CRYPTO_THREAD_write_unlock(stunnel_locks[LOCK_LEAK_RESULTS]);
+    if(allocations<=leak_threshold()) /* leak not detected */
+        return;
+    if(allocations<=entry->max) /* not the biggest leak for this entry */
+        return;
+    if(entry->max) { /* not the first time we found a leak for this entry */
+        entry->max=allocations; /* just update the value */
+        return;
     }
+    /* we *may* need to allocate a new leak_results entry */
+    /* locking is slow, so we try to avoid it if possible */
+    CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_LEAK_RESULTS]);
+    if(entry->max==0) { /* the table may have changed */
+        leak_results[leak_result_num]=entry;
+        entry->max=allocations;
+        ++leak_result_num; /* at the end to avoid a lock in leak_report() */
+    } else { /* gracefully handle the race condition */
+        entry->max=allocations;
+    }
+    CRYPTO_THREAD_write_unlock(stunnel_locks[LOCK_LEAK_RESULTS]);
 }
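Review bot: The publication at L1243–L1245 relies on an ordering that `volatile` on `leak_result_num` does not provide: `leak_results[]` itself is not volatile and the CPU may reorder the two stores, so a concurrent `leak_report()` reading without the lock can observe the incremented count before the pointer store, which is a data race under the C11 memory model rather than merely a compiler quirk. Since the file already uses CRYPTO_THREAD locks, the cheap fix is to keep the read lock in `leak_report()`; if lock-free reading is required and the project's compilers allow `<stdatomic.h>`, make the counter `atomic_int` and publish with `atomic_store_explicit(&leak_result_num, leak_result_num+1, memory_order_release);` paired with an acquire load on the reader. `entry->max=allocations` at L1236 is also written outside the lock while `leak_report()` reads it; acceptable for an estimate, but say so: `/* racy by design: max is a best-effort estimate */`.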
 
 /* O(1) hash table lookup */
@@ -478,14 +485,12 @@
     long limit;
 
     limit=leak_threshold();
-
-    CRYPTO_THREAD_read_lock(stunnel_locks[LOCK_LEAK_RESULTS]);
     for(i=0; i<leak_result_num; ++i)
-        if(leak_results[i]->max>limit) /* the limit could have changed */
+        if(leak_results[i] /* an officious compiler could reorder code */ &&
+                leak_results[i]->max>limit /* the limit could have changed */)
             s_log(LOG_WARNING, "Possible memory leak at %s:%d: %d allocations",
                 leak_results[i]->alloc_file, leak_results[i]->alloc_line,
                 leak_results[i]->max);
-    CRYPTO_THREAD_read_unlock(stunnel_locks[LOCK_LEAK_RESULTS]);
 }
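Review bot: The comment at L1261 attributes the hazard to compiler reordering, but with the read lock removed the real issue is that the writer publishes `leak_result_num` and `leak_results[i]` as two separate non-atomic stores, so the NULL check is a best-effort guard rather than a guarantee, and `leak_results[i]->max` is read while another thread may be updating it. Reword to `/* racy by design: the writer publishes the slot and the count separately, so tolerate a NULL slot */` and state in the function header that the report is an unsynchronised estimate. If exactness matters, keep the read lock.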
 
 NOEXPORT long leak_threshold() {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/src/stunnel.c 
new/stunnel-5.41/src/stunnel.c
--- old/stunnel-5.40/src/stunnel.c      2017-01-19 09:51:32.000000000 +0100
+++ new/stunnel-5.41/src/stunnel.c      2017-03-19 23:36:20.000000000 +0100
@@ -225,7 +225,6 @@
 #ifdef USE_FORK
 NOEXPORT void client_status(void) { /* dead children detected */
     int pid, status;
-    char *sig_name;
 
 #ifdef HAVE_WAIT_FOR_PID
     while((pid=wait_for_pid(-1, &status, WNOHANG))>0) {
@@ -234,7 +233,7 @@
 #endif
 #ifdef WIFSIGNALED
         if(WIFSIGNALED(status)) {
-            sig_name=signal_name(WTERMSIG(status));
+            char *sig_name=signal_name(WTERMSIG(status));
             s_log(LOG_DEBUG, "Process %d terminated on %s",
                 pid, sig_name);
             str_free(sig_name);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/src/ui_unix.c 
new/stunnel-5.41/src/ui_unix.c
--- old/stunnel-5.40/src/ui_unix.c      2017-01-02 15:27:26.000000000 +0100
+++ new/stunnel-5.41/src/ui_unix.c      2017-02-19 23:16:00.000000000 +0100
@@ -255,9 +255,8 @@
 
 /**************************************** ctx callbacks */
 
-int passwd_cb(char *buf, int size, int rwflag, void *userdata) {
-    (void)userdata; /* squash the unused parameter warning */
-    return PEM_def_callback(buf, size, rwflag, NULL);
+int ui_passwd_cb(char *buf, int size, int rwflag, void *userdata) {
+    return PEM_def_callback(buf, size, rwflag, userdata);
 }
 
 #ifndef OPENSSL_NO_ENGINE
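Review bot: Forwarding `userdata` to `PEM_def_callback()` at L1305 changes semantics: OpenSSL treats a non-NULL `userdata` there as the passphrase itself and copies it into `buf` without prompting. The callers in this release pass NULL, so it is harmless today, but any future `SSL_CTX_set_default_passwd_cb_userdata()` call would silently turn that pointer into the passphrase. Document it: `/* userdata, if non-NULL, is used by PEM_def_callback() as the passphrase */`. The same applies to the identical change in ui_win_cli.c.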
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/src/ui_win_cli.c 
new/stunnel-5.41/src/ui_win_cli.c
--- old/stunnel-5.40/src/ui_win_cli.c   2017-01-02 15:27:26.000000000 +0100
+++ new/stunnel-5.41/src/ui_win_cli.c   2017-02-19 23:16:00.000000000 +0100
@@ -125,9 +125,8 @@
 
 /**************************************** ctx callbacks */
 
-int passwd_cb(char *buf, int size, int rwflag, void *userdata) {
-    (void)userdata; /* squash the unused parameter warning */
-    return PEM_def_callback(buf, size, rwflag, NULL);
+int ui_passwd_cb(char *buf, int size, int rwflag, void *userdata) {
+    return PEM_def_callback(buf, size, rwflag, userdata);
 }
 
 #ifndef OPENSSL_NO_ENGINE
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/src/ui_win_gui.c 
new/stunnel-5.41/src/ui_win_gui.c
--- old/stunnel-5.40/src/ui_win_gui.c   2017-01-02 15:27:26.000000000 +0100
+++ new/stunnel-5.41/src/ui_win_gui.c   2017-02-23 14:52:40.000000000 +0100
@@ -137,14 +137,14 @@
 static HANDLE config_ready=NULL; /* reload without a valid configuration */
 static LONG new_logs=0;
 
-static UI_DATA *ui_data=NULL;
-
 static struct {
     char *config_file;
     unsigned service:1, install:1, uninstall:1, start:1, stop:1,
         quiet:1, exit:1, reload:1, reopen:1;
 } cmdline;
 
+static char ui_pass[PEM_BUFSIZE];
+
 /**************************************** initialization */
 
 int WINAPI WinMain(HINSTANCE this_instance, HINSTANCE prev_instance,
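Review bot: `static char ui_pass[PEM_BUFSIZE];` at L1343 holds a secret but carries no comment on its lifetime or who clears it. Add `/* passphrase/PIN typed into PassBox, handed from pass_proc() to ui_passwd_cb()/pin_cb(), which wipe it after use */`. Since it is a single global, two overlapping prompts would share it; worth stating that prompts are expected to be serialised.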
@@ -693,11 +693,13 @@
         /* set the default push button to "Cancel" */
         SendMessage(dialog_handle, DM_SETDEFID, (WPARAM)IDCANCEL, (LPARAM)0);
 
-        key_file_name=str2tstr(ui_data->section->key);
-        titlebar=str_tprintf(TEXT("Private key: %s"), key_file_name);
-        str_free(key_file_name);
-        SetWindowText(dialog_handle, titlebar);
-        str_free(titlebar);
+        if(current_section) { /* should always be set */
+            key_file_name=str2tstr(current_section->key);
+            titlebar=str_tprintf(TEXT("Private key: %s"), key_file_name);
+            str_free(key_file_name);
+            SetWindowText(dialog_handle, titlebar);
+            str_free(titlebar);
+        }
         return TRUE;
 
     case WM_COMMAND:
@@ -722,9 +724,9 @@
                 (WPARAM)0 /* line 0 */, (LPARAM)pass_dialog.txt);
             pass_dialog.txt[pass_len]='\0'; /* null-terminate the string */
 
-            /* convert input passphrase to UTF-8 string (as ui_data->pass) */
+            /* convert input passphrase to UTF-8 string (as ui_pass) */
             pass_txt=tstr2str(pass_dialog.txt);
-            strcpy(ui_data->pass, pass_txt);
+            strcpy(ui_pass, pass_txt);
             str_free(pass_txt);
 
             EndDialog(dialog_handle, TRUE);
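Review bot: `strcpy(ui_pass, pass_txt)` at L1375 is unbounded: `pass_txt` is the UTF-8 conversion of the dialog text and, for a UTF-16 build, can be up to three bytes per input character, while `ui_pass` is `PEM_BUFSIZE`; unless `pass_dialog.txt` is sized so that its UTF-8 form always fits (not visible here), this can overflow. Use `snprintf(ui_pass, sizeof ui_pass, "%s", pass_txt);`. The intermediate copies also keep the secret around: wipe `pass_dialog.txt` after the conversion and `pass_txt` before `str_free()`, e.g. `OPENSSL_cleanse(pass_txt, strlen(pass_txt));`.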
@@ -741,17 +743,21 @@
     UNREFERENCED_PARAMETER(lParam);
 }
 
-int passwd_cb(char *buf, int size, int rwflag, void *userdata) {
-    (void)rwflag; /* squash the unused parameter warning */
+int ui_passwd_cb(char *buf, int size, int rwflag, void *userdata) {
+    int len;
 
-    ui_data=userdata;
-    if(size<0) /* just in case */
-        return 0;
+    (void)rwflag; /* squash the unused parameter warning */
+    (void)userdata; /* squash the unused parameter warning */
     if(!DialogBox(ghInst, TEXT("PassBox"), hwnd, (DLGPROC)pass_proc))
-        return 0; /* error */
-    strncpy(buf, ui_data->pass, (size_t)size);
-    buf[size-1]='\0';
-    return (int)strlen(buf);
+        return 0; /* dialog cancelled or failed */
+    len=(int)strlen(ui_pass);
+    if(len<0 || size<0) /* the API uses signed integers */
+        return 0;
+    if(len>size) /* truncate the returned data if needed */
+        len=size;
+    memcpy(buf, ui_pass, (size_t)len);
+    memset(ui_pass, 0, sizeof ui_pass);
+    return len;
 }
 
 #ifndef OPENSSL_NO_ENGINE
@@ -770,14 +776,10 @@
 }
 
 NOEXPORT int pin_cb(UI *ui, UI_STRING *uis) {
-    ui_data=UI_get0_user_data(ui); /* was: ui_data=UI_get_app_data(ui); */
-    if(!ui_data) {
-        s_log(LOG_ERR, "INTERNAL ERROR: user data data pointer");
-        return 0;
-    }
     if(!DialogBox(ghInst, TEXT("PassBox"), hwnd, (DLGPROC)pass_proc))
-        return 0; /* error */
-    UI_set_result(ui, uis, ui_data->pass);
+        return 0; /* dialog cancelled or failed */
+    UI_set_result(ui, uis, ui_pass);
+    memset(ui_pass, 0, sizeof ui_pass);
     return 1;
 }
 #endif
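Review bot: The return value of `UI_set_result()` at L1423 is ignored; it returns -1 when the entered PIN falls outside the length bounds of the UI_STRING, and the callback would then report success while leaving no result, which surfaces as a confusing engine error instead of a retry. Check it and wipe the buffer on both paths: `int ok=UI_set_result(ui, uis, ui_pass)>=0;` then the existing `memset(ui_pass, 0, sizeof ui_pass);` and `return ok;`.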
@@ -993,7 +995,7 @@
             TEXT("Peer certificate chain has been saved.\n")
             TEXT("Add the following lines to section [%s]:\n")
             TEXT("\tCAfile = peer-%s.pem\n")
-            TEXT("\tverify = 3\n")
+            TEXT("\tverifyPeer = yes\n")
             TEXT("to enable cryptographic authentication.\n")
             TEXT("Then reload stunnel configuration file."),
             servname, servname);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/src/verify.c 
new/stunnel-5.41/src/verify.c
--- old/stunnel-5.40/src/verify.c       2017-01-02 15:27:26.000000000 +0100
+++ new/stunnel-5.41/src/verify.c       2017-03-26 22:25:00.000000000 +0200
@@ -183,7 +183,7 @@
             return;
 #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
         s_log(LOG_WARNING,
-            "Service [%s] uses \"verify = 2\" without subject checks",
+            "Service [%s] uses \"verifyChain\" without subject checks",
             section->servname);
 #if OPENSSL_VERSION_NUMBER<0x10002000L
         s_log(LOG_WARNING,
@@ -208,20 +208,24 @@
     /* retrieve application specific data */
     ssl=X509_STORE_CTX_get_ex_data(callback_ctx,
         SSL_get_ex_data_X509_STORE_CTX_idx());
-    c=SSL_get_ex_data(ssl, index_cli);
+    c=SSL_get_ex_data(ssl, index_ssl_cli);
 
     if(!c->opt->option.verify_chain && !c->opt->option.verify_peer) {
         s_log(LOG_INFO, "Certificate verification disabled");
         return 1; /* accept */
     }
-    if(verify_checks(c, preverify_ok, callback_ctx))
+    if(verify_checks(c, preverify_ok, callback_ctx)) {
+        if(!SSL_SESSION_set_ex_data(SSL_get_session(ssl),
+                index_session_authenticated, (void *)(-1))) {
+            sslerror("SSL_SESSION_set_ex_data");
+            return 0; /* reject */
+        }
         return 1; /* accept */
+    }
     if(c->opt->option.client || c->opt->protocol)
         return 0; /* reject */
-    if(c->opt->redirect_addr.names) {
-        c->redirect=REDIRECT_ON;
+    if(c->opt->redirect_addr.names)
         return 1; /* accept */
-    }
     return 0; /* reject */
 }
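Review bot: The "session authenticated" mark at L1464–L1465 is set whenever `verify_checks()` accepts the certificate at the current depth, and the verify callback runs once per chain element, so as far as visible an intermediate CA that is accepted with chain verification off marks the session authenticated before the leaf is examined; if the leaf then fails and the redirect branch at L1475–L1476 accepts the handshake, the sticky flag is never cleared. Unless the flag is reset elsewhere (not visible here), either clear it on the redirect path, `SSL_SESSION_set_ex_data(SSL_get_session(ssl), index_session_authenticated, NULL);`, or set it only when `X509_STORE_CTX_get_error_depth(callback_ctx)==0`. If this flag is what decides whether an unauthenticated client is redirected, a stale true value here would let such a client reach the real backend.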
 
@@ -261,19 +265,22 @@
 
 NOEXPORT int cert_check(CLI *c, X509_STORE_CTX *callback_ctx,
         int preverify_ok) {
+    int err=X509_STORE_CTX_get_error(callback_ctx);
     int depth=X509_STORE_CTX_get_error_depth(callback_ctx);
 
     if(preverify_ok) {
         s_log(LOG_DEBUG, "CERT: Pre-verification succeeded");
     } else { /* remote site sent an invalid certificate */
-        if(c->opt->option.verify_chain || depth==0) {
+        if(c->opt->option.verify_chain || (depth==0 &&
+                err!=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY &&
+                err!=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {
             s_log(LOG_WARNING, "CERT: Pre-verification error: %s",
-                X509_verify_cert_error_string(
-                    X509_STORE_CTX_get_error(callback_ctx)));
+                X509_verify_cert_error_string(err));
             /* retain the STORE_CTX error produced by pre-verification */
             return 0; /* reject */
         }
-        s_log(LOG_INFO, "CERT: Invalid CA certificate ignored");
+        s_log(LOG_INFO, "CERT: Pre-verification error ignored: %s",
+            X509_verify_cert_error_string(err));
     }
 
     if(depth==0) { /* additional peer certificate checks */
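Review bot: The widened condition at L1492–L1494 now ignores `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY` and `X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE` at depth 0 when chain verification is off, but nothing says why that is safe — a reader could drop one error from the list or add another without understanding that the peer certificate is presumably still matched against the local repository afterwards. Add above the condition: `/* without verifyChain a self-signed or locally unchained peer cert is acceptable here: */` `/* the depth-0 checks below must still find it in the local repository */`. The remainder of cert_check() is outside this hunk.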
@@ -333,22 +340,18 @@
 }
 #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
 
+#if OPENSSL_VERSION_NUMBER>=0x10000000L
+/* modern implementation for OpenSSL version >= 1.0.0 */
+
 NOEXPORT int cert_check_local(X509_STORE_CTX *callback_ctx) {
     X509 *cert;
     X509_NAME *subject;
-#if OPENSSL_VERSION_NUMBER>=0x10000000L
     STACK_OF(X509) *sk;
     int i;
-#endif
-#if OPENSSL_VERSION_NUMBER<0x10100000L
-    X509_OBJECT obj;
-    int success;
-#endif
 
     cert=X509_STORE_CTX_get_current_cert(callback_ctx);
     subject=X509_get_subject_name(cert);
 
-#if OPENSSL_VERSION_NUMBER>=0x10000000L
 #if OPENSSL_VERSION_NUMBER<0x10100006L
 #define X509_STORE_CTX_get1_certs X509_STORE_get1_certs
 #endif
@@ -362,29 +365,44 @@
             }
         sk_X509_pop_free(sk, X509_free);
     }
-#endif
 
-#if OPENSSL_VERSION_NUMBER<0x10100000L
+    s_log(LOG_WARNING, "CERT: Certificate not found in local repository");
+    X509_STORE_CTX_set_error(callback_ctx, X509_V_ERR_CERT_REJECTED);
+    return 0; /* reject */
+}
+
+#else /* OPENSSL_VERSION_NUMBER<0x10000000L */
+/* legacy implementation for OpenSSL version < 1.0.0 */
+
+NOEXPORT int cert_check_local(X509_STORE_CTX *callback_ctx) {
+    X509 *cert;
+    X509_NAME *subject;
+    X509_OBJECT obj;
+    int success;
+
+    cert=X509_STORE_CTX_get_current_cert(callback_ctx);
+    subject=X509_get_subject_name(cert);
+
     /* pre-1.0.0 API only returns a single matching certificate */
-    /* we also invoke it for other OpenSSL versions before 1.1.0 */
     memset((char *)&obj, 0, sizeof obj);
     if(X509_STORE_get_by_subject(callback_ctx, X509_LU_X509,
             subject, &obj)<=0) {
-        s_log(LOG_WARNING,
-            "CERT: Certificate not found in local repository");
+        s_log(LOG_WARNING, "CERT: Certificate not found in local repository");
+        X509_STORE_CTX_set_error(callback_ctx, X509_V_ERR_CERT_REJECTED);
         return 0; /* reject */
     }
     success=compare_pubkeys(cert, obj.data.x509);
     X509_OBJECT_free_contents(&obj);
     if(success)
         return 1; /* accept */
-#endif
 
     s_log(LOG_WARNING, "CERT: Public keys do not match");
     X509_STORE_CTX_set_error(callback_ctx, X509_V_ERR_CERT_REJECTED);
     return 0; /* reject */
 }
 
+#endif /* OPENSSL_VERSION_NUMBER>=0x10000000L */
+
 NOEXPORT int compare_pubkeys(X509 *c1, X509 *c2) {
     ASN1_BIT_STRING *k1=X509_get0_pubkey_bitstr(c1);
     ASN1_BIT_STRING *k2=X509_get0_pubkey_bitstr(c2);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/src/version.h 
new/stunnel-5.41/src/version.h
--- old/stunnel-5.40/src/version.h      2017-01-02 15:27:26.000000000 +0100
+++ new/stunnel-5.41/src/version.h      2017-02-02 15:04:02.000000000 +0100
@@ -65,7 +65,7 @@
 
 /* START CUSTOMIZE */
 #define VERSION_MAJOR 5
-#define VERSION_MINOR 40
+#define VERSION_MINOR 41
 /* END CUSTOMIZE */
 
 /* all the following macros are ABSOLUTELY NECESSARY to have proper string
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/tools/stunnel.nsi 
new/stunnel-5.41/tools/stunnel.nsi
--- old/stunnel-5.40/tools/stunnel.nsi  2017-01-02 15:27:26.000000000 +0100
+++ new/stunnel-5.41/tools/stunnel.nsi  2017-04-01 11:21:22.000000000 +0200
@@ -49,7 +49,7 @@
 !define /ifndef ZLIB_DIR ${BIN_DIR}\zlib
 !define /ifndef REDIST_DIR ${BIN_DIR}\redist
 
-!define /ifndef LIBP11_DIR ${ROOT_DIR}\src\libp11-0.4.3\src
+!define /ifndef LIBP11_DIR ${ROOT_DIR}\src\libp11-0.4.5\src
 
 !define MUI_ICON ${STUNNEL_SRC_DIR}\stunnel.ico
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/stunnel-5.40/tools/stunnel.spec 
new/stunnel-5.41/tools/stunnel.spec
--- old/stunnel-5.40/tools/stunnel.spec 2017-01-02 15:27:26.000000000 +0100
+++ new/stunnel-5.41/tools/stunnel.spec 2017-02-02 15:21:59.000000000 +0100
@@ -1,5 +1,5 @@
 Name:           stunnel
-Version:        5.40
+Version:        5.41
 Release:        1%{?dist}
 Summary:        An TLS-encrypting socket wrapper
 Group:          Applications/Internet

