Hi, the following diff brings stunnel to the latest release, 5.36. As a bonus, it enables X509_check_host, X509_check_email and X509_check_ip_asc, courtesy of beck@ at g2k16. :-)
however as usual, this update requires some aditional patches to make (LIBRESSL_VERSION_NUMBER) dance. works fine @amd64 with my setup, comments and tests welcome.
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/stunnel/Makefile,v
retrieving revision 1.83
diff -u -p -r1.83 Makefile
--- Makefile 24 Apr 2016 12:07:48 -0000 1.83
+++ Makefile 4 Nov 2016 03:43:56 -0000
@@ -2,7 +2,7 @@
 COMMENT= SSL encryption wrapper for standard network daemons
-DISTNAME= stunnel-5.31
+DISTNAME= stunnel-5.36
 CATEGORIES= security
 MAINTAINER= Gleydson Soares <gsoa...@openbsd.org>
@@ -10,7 +10,7 @@ MAINTAINER= Gleydson Soares <gsoares@ope
 # GPLv2+ with OpenSSL exemption
 PERMIT_PACKAGE_CDROM= Yes
-WANTLIB += c crypto pthread ssl util z
+WANTLIB += c crypto pthread ssl util
 HOMEPAGE= http://www.stunnel.org/
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/stunnel/distinfo,v
retrieving revision 1.40
diff -u -p -r1.40 distinfo
--- distinfo 24 Apr 2016 12:07:48 -0000 1.40
+++ distinfo 4 Nov 2016 03:43:56 -0000
@@ -1,2 +1,2 @@
-SHA256 (stunnel-5.31.tar.gz) = p0a3GrPcbCPqyw2vc0JGeHDkOskzQwkF6xsdBQu64Lc=
-SIZE (stunnel-5.31.tar.gz) = 639381
+SHA256 (stunnel-5.36.tar.gz) = 64lS/P3831BWofGnjh7FAUuBnF9fdZm5JNxEkP/kteo=
+SIZE (stunnel-5.36.tar.gz) = 645205
cvs server: Diffing patches
Index: patches/patch-src_common_h
===================================================================
RCS file: patches/patch-src_common_h
diff -N patches/patch-src_common_h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_common_h 4 Nov 2016 03:43:56 -0000
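Review bot: Dropping `z` from WANTLIB has nothing else in the diff to justify it — no configure flag or patch here touches compression — so the reason the 5.36 binary no longer links libz is invisible to the reviewer. Please confirm the new WANTLIB with `make port-lib-depends-check` against the new build and state the reason in the commit message; an under-declared WANTLIB only shows up later as a runtime linker failure.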
@@ -0,0 +1,21 @@
+$OpenBSD$
+--- src/common.h.orig Mon Jun 27 04:29:32 2016
++++ src/common.h Thu Nov 3 23:57:29 2016
+@@ -448,7 +448,7 @@ extern char *sys_errlist[];
+ #define OPENSSL_NO_TLS1_2
+ #endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */
+
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ #ifndef OPENSSL_NO_SSL2
+ #define OPENSSL_NO_SSL2
+ #endif /* !defined(OPENSSL_NO_SSL2) */
+@@ -474,7 +474,7 @@ extern char *sys_errlist[];
+ #include <openssl/des.h>
+ #ifndef OPENSSL_NO_DH
+ #include <openssl/dh.h>
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
+ #endif /* OpenSSL older than 1.1.0 */
+ #endif /* !defined(OPENSSL_NO_DH) */
Index: patches/patch-src_ctx_c
===================================================================
RCS file: /cvs/ports/security/stunnel/patches/patch-src_ctx_c,v
retrieving revision 1.3
diff -u -p -r1.3 patch-src_ctx_c
--- patches/patch-src_ctx_c 24 Apr 2016 12:07:48 -0000 1.3
+++ patches/patch-src_ctx_c 4 Nov 2016 03:43:56 -0000
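Review bot: `|| defined(LIBRESSL_VERSION_NUMBER)` selects the pre-1.1.0 compatibility branch for every LibreSSL release, present and future, so the local `int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);` prototype here and its definition in the ssl.c patch below will clash with the first LibreSSL that ships that accessor itself. The check is needed because LibreSSL reports an OPENSSL_VERSION_NUMBER that satisfies the `>=0x10100000L` tests, but bounding the LibreSSL side keeps a library update from breaking the build, e.g. `|| (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < <LIBRESSL_WITH_DH_set0_pqg>L)`. The same open-ended pattern recurs around STUNNEL_RWLOCK and the CRYPTO_THREAD_* macros in the prototypes.h and sthreads.c patches below; a one-line comment in each patch naming the LibreSSL release the fallback targets would make the cleanup at the next update obvious.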
@@ -1,7 +1,7 @@
 $OpenBSD: patch-src_ctx_c,v 1.3 2016/04/24 12:07:48 gsoares Exp $
---- src/ctx.c.orig Fri Feb 19 16:18:43 2016
-+++ src/ctx.c Thu Apr 21 21:59:31 2016
-@@ -363,7 +363,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) {
+--- src/ctx.c.orig Tue Jun 21 12:06:14 2016
++++ src/ctx.c Thu Nov 3 23:13:15 2016
+@@ -366,7 +366,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) {
  /**************************************** initialize OpenSSL CONF */
  NOEXPORT int conf_init(SERVICE_OPTIONS *section) {
Index: patches/patch-src_options_c
===================================================================
RCS file: /cvs/ports/security/stunnel/patches/patch-src_options_c,v
retrieving revision 1.6
diff -u -p -r1.6 patch-src_options_c
--- patches/patch-src_options_c 24 Apr 2016 12:07:48 -0000 1.6
+++ patches/patch-src_options_c 4 Nov 2016 03:43:56 -0000
@@ -3,9 +3,9 @@ $OpenBSD: patch-src_options_c,v 1.6 2016
 use SSLv23_client_method() required to build with libressl since that it haven't
 TLS_client_method() for now.
---- src/options.c.orig Fri Jan 15 13:45:23 2016
-+++ src/options.c Thu Apr 21 21:59:31 2016
-@@ -2579,7 +2579,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O
+--- src/options.c.orig Fri Aug 5 06:39:57 2016
++++ src/options.c Thu Nov 3 23:13:15 2016
+@@ -2617,7 +2617,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O
  /* sslVersion */
  switch(cmd) {
  case CMD_BEGIN:
@@ -14,7 +14,7 @@ TLS_client_method() for now.
  section->client_method=(SSL_METHOD *)TLS_client_method();
  section->server_method=(SSL_METHOD *)TLS_server_method();
  #else
-@@ -2591,7 +2591,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O
+@@ -2629,7 +2629,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O
  if(strcasecmp(opt, "sslVersion"))
  break;
  if(!strcasecmp(arg, "all")) {
Index: patches/patch-src_prototypes_h
===================================================================
RCS file: patches/patch-src_prototypes_h
diff -N patches/patch-src_prototypes_h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_prototypes_h 4 Nov 2016 03:43:56 -0000
@@ -0,0 +1,19 @@
+$OpenBSD$
+--- src/prototypes.h.orig Sun Jul 17 19:04:42 2016
++++ src/prototypes.h Thu Nov 3 23:26:08 2016
+@@ -650,13 +650,13 @@ typedef enum {
+ #endif /* OPENSSL_NO_DH */
+ STUNNEL_LOCKS /* number of locks */
+ } LOCK_TYPE;
+-#if OPENSSL_VERSION_NUMBER < 0x10100004L
++#if OPENSSL_VERSION_NUMBER < 0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ typedef int STUNNEL_RWLOCK;
+ #else
+ typedef CRYPTO_RWLOCK *STUNNEL_RWLOCK;
+ #endif
+ extern STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS];
+-#if OPENSSL_VERSION_NUMBER>=0x10100004L
++#if OPENSSL_VERSION_NUMBER>=0x10100004L && !defined(LIBRESSL_VERSION_NUMBER)
+ #define CRYPTO_THREAD_read_unlock(type) CRYPTO_THREAD_unlock(type)
+ #define CRYPTO_THREAD_write_unlock(type) CRYPTO_THREAD_unlock(type)
+ #else
Index: patches/patch-src_ssl_c
===================================================================
RCS file: patches/patch-src_ssl_c
diff -N patches/patch-src_ssl_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_ssl_c 4 Nov 2016 03:43:56 -0000
@@ -0,0 +1,21 @@
+$OpenBSD$
+--- src/ssl.c.orig Fri Aug 5 06:39:57 2016
++++ src/ssl.c Thu Nov 3 23:50:50 2016
+@@ -50,7 +50,7 @@ NOEXPORT int add_rand_file(GLOBAL_OPTIONS *, const cha
+ int index_cli, index_opt, index_redirect, index_addr;
+
+ int ssl_init(void) { /* init SSL before parsing configuration file */
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS |
+ OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+ #else
+@@ -83,7 +83,7 @@ int ssl_init(void) { /* init SSL before parsing config
+ }
+
+ #ifndef OPENSSL_NO_DH
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ /* this is needed for dhparam.c generated with OpenSSL >= 1.1.0
+ * to be linked against the older versions */
+ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
Index: patches/patch-src_sthreads_c
===================================================================
RCS file: patches/patch-src_sthreads_c
diff -N patches/patch-src_sthreads_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_sthreads_c 4 Nov 2016 03:43:56 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- src/sthreads.c.orig Thu Nov 3 23:44:55 2016
++++ src/sthreads.c Thu Nov 3 23:45:02 2016
+@@ -45,7 +45,7 @@
+
+ STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS];
+
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ #define CRYPTO_THREAD_lock_new() CRYPTO_get_new_dynlockid()
+ #endif
+
Index: patches/patch-src_verify_c
===================================================================
RCS file: /cvs/ports/security/stunnel/patches/patch-src_verify_c,v
retrieving revision 1.3
diff -u -p -r1.3 patch-src_verify_c
--- patches/patch-src_verify_c 24 Apr 2016 12:07:48 -0000 1.3
+++ patches/patch-src_verify_c 4 Nov 2016 03:43:56 -0000
@@ -3,8 +3,8 @@ $OpenBSD: patch-src_verify_c,v 1.3 2016/
 disable OpenSSL 1.0.2 X509_check_* functions, so it can build with libressl.
---- src/verify.c.orig Fri Feb 19 16:18:43 2016
-+++ src/verify.c Thu Apr 21 21:59:31 2016
+--- src/verify.c.orig Wed Jul 6 13:18:17 2016
++++ src/verify.c Fri Nov 4 00:24:32 2016
 @@ -51,7 +51,7 @@ NOEXPORT int add_dir_lookup(X509_STORE *, char *);
  NOEXPORT int verify_callback(int, X509_STORE_CTX *);
  NOEXPORT int verify_checks(CLI *, int, X509_STORE_CTX *);
@@ -14,7 +14,7 @@ disable OpenSSL 1.0.2 X509_check_* funct
  NOEXPORT int cert_check_subject(CLI *, X509_STORE_CTX *);
  #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
  NOEXPORT int cert_check_local(X509_STORE_CTX *);
-@@ -274,7 +274,7 @@ NOEXPORT int cert_check(CLI *c, X509_STORE_CTX *callba
+@@ -277,7 +277,7 @@ NOEXPORT int cert_check(CLI *c, X509_STORE_CTX *callba
  }
  if(depth==0) { /* additional peer certificate checks */
@@ -23,12 +23,12 @@ disable OpenSSL 1.0.2 X509_check_* funct
  if(!cert_check_subject(c, callback_ctx))
  return 0; /* reject */
  #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
-@@ -285,7 +285,7 @@ NOEXPORT int cert_check(CLI *c, X509_STORE_CTX *callba
- return 1; /* accept */
- }
+@@ -349,7 +349,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback
+ subject=X509_get_subject_name(cert);
--#if OPENSSL_VERSION_NUMBER>=0x10002000L
-+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
- NOEXPORT int cert_check_subject(CLI *c, X509_STORE_CTX *callback_ctx) {
- X509 *cert=X509_STORE_CTX_get_current_cert(callback_ctx);
- NAME_LIST *ptr;
+ #if OPENSSL_VERSION_NUMBER>=0x10000000L
+-#if OPENSSL_VERSION_NUMBER<0x10100006L
++#if OPENSSL_VERSION_NUMBER<0x10100006L || defined(LIBRESSL_VERSION_NUMBER)
+ #define X509_STORE_CTX_get1_certs X509_STORE_get1_certs
+ #endif
+ /* modern API allows retrieving multiple matching certificates */
Index: patches/patch-tools_stunnel_conf-sample_in
===================================================================
RCS file: /cvs/ports/security/stunnel/patches/patch-tools_stunnel_conf-sample_in,v
retrieving revision 1.14
diff -u -p -r1.14 patch-tools_stunnel_conf-sample_in
--- patches/patch-tools_stunnel_conf-sample_in 14 Oct 2015 02:05:06 -0000 1.14
+++ patches/patch-tools_stunnel_conf-sample_in 4 Nov 2016 03:43:56 -0000
@@ -1,6 +1,6 @@
 $OpenBSD: patch-tools_stunnel_conf-sample_in,v 1.14 2015/10/14 02:05:06 gsoares Exp $
---- tools/stunnel.conf-sample.in.orig Wed Sep 23 11:05:10 2015
-+++ tools/stunnel.conf-sample.in Tue Oct 6 06:10:53 2015
+--- tools/stunnel.conf-sample.in.orig Tue Jul 5 18:27:57 2016
++++ tools/stunnel.conf-sample.in Thu Nov 3 23:16:09 2016
 @@ -7,17 +7,18 @@
  ; * Global options *
  ; **************************************************************************
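Review bot: The `!defined(LIBRESSL_VERSION_NUMBER)` exclusion is dropped here only around the definition of cert_check_subject; the matching exclusions the old patch added at its prototype (the guard just above `NOEXPORT int cert_check_subject(CLI *, X509_STORE_CTX *);`) and at the `if(!cert_check_subject(c, callback_ctx))` call in cert_check sit in lines between the earlier hunks of this patch file, which this diff leaves untouched, so they appear to survive. If that reading is right, on LibreSSL the function is now compiled but never called — an unused static function at best, and the checkHost/checkEmail/checkIP peer checks still silently compiled out, the opposite of the X509_check_host enablement the cover note promises. Both remaining guards need the same treatment, and a LibreSSL build should be checked for the unused-function warning as a quick confirmation. The header comment `disable OpenSSL 1.0.2 X509_check_* functions, so it can build with libressl.` is stale once they go; it should describe the patch's remaining purpose, the X509_STORE_CTX_get1_certs fallback for libraries without the 1.1.0 API.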
@@ -41,7 +41,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl
 -client = yes
 -accept = 127.0.0.1:110
 -connect = pop.gmail.com:995
--verify = 2
+-verifyChain = yes
 -CApath = /etc/ssl/certs
 -checkHost = pop.gmail.com
 -OCSPaia = yes
@@ -49,7 +49,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl
 +;client = yes
 +;accept = 127.0.0.1:110
 +;connect = pop.gmail.com:995
-+;verify = 2
++;verifyChain = yes
 +;CApath = ${SYSCONFDIR}/ssl/certs
 +;checkHost = pop.gmail.com
 +;OCSPaia = yes
@@ -58,7 +58,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl
 -client = yes
 -accept = 127.0.0.1:143
 -connect = imap.gmail.com:993
--verify = 2
+-verifyChain = yes
 -CApath = /etc/ssl/certs
 -checkHost = imap.gmail.com
 -OCSPaia = yes
@@ -66,7 +66,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl
 +;client = yes
 +;accept = 127.0.0.1:143
 +;connect = imap.gmail.com:993
-+;verify = 2
++;verifyChain = yes
 +;CApath = ${SYSCONFDIR}/ssl/certs
 +;checkHost = imap.gmail.com
 +;OCSPaia = yes
@@ -75,7 +75,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl
 -client = yes
 -accept = 127.0.0.1:25
 -connect = smtp.gmail.com:465
--verify = 2
+-verifyChain = yes
 -CApath = /etc/ssl/certs
 -checkHost = smtp.gmail.com
 -OCSPaia = yes
@@ -83,7 +83,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl
 +;client = yes
 +;accept = 127.0.0.1:25
 +;connect = smtp.gmail.com:465
-+;verify = 2
++;verifyChain = yes
 +;CApath = ${SYSCONFDIR}/ssl/certs
 +;checkHost = smtp.gmail.com
 +;OCSPaia = yes