-rw-r--r-- | security/stunnel/Makefile | 3 | ||||
-rw-r--r-- | security/stunnel/files/patch-src_common.h | 20 | ||||
-rw-r--r-- | security/stunnel/files/patch-src_ctx.c | 11 | ||||
-rw-r--r-- | security/stunnel/files/patch-src_prototypes.h | 18 | ||||
-rw-r--r-- | security/stunnel/files/patch-src_ssl.c | 11 | ||||
-rw-r--r-- | security/stunnel/files/patch-src_sthreads.c | 59 | ||||
-rw-r--r-- | security/stunnel/files/patch-src_verify.c | 64 |
7 files changed, 184 insertions, 2 deletions
diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile
index 1639a6c7b3c1..451ab313cfd3 100644
--- a/security/stunnel/Makefile
+++ b/security/stunnel/Makefile
@@ -28,10 +28,9 @@ COMMENT= SSL encryption wrapper for standard network daemons
 LICENSE= GPLv2 GPLv3
 LICENSE_COMB= dual
-USES= cpe libtool perl5 shebangfix
+USES= cpe libtool perl5 shebangfix ssl
 USE_PERL5= build
 USE_LDCONFIG= yes
-USE_OPENSSL= yes
 USE_RC_SUBR= stunnel
 GNU_CONFIGURE= yes
diff --git a/security/stunnel/files/patch-src_common.h b/security/stunnel/files/patch-src_common.h
new file mode 100644
index 000000000000..f6b0c9039bdc
--- /dev/null
+++ b/security/stunnel/files/patch-src_common.h
@@ -0,0 +1,20 @@
+--- src/common.h.orig 2016-06-27 07:29:32 UTC
++++ src/common.h
+@@ -448,7 +448,7 @@ extern char *sys_errlist[];
+ #define OPENSSL_NO_TLS1_2
+ #endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */
+ 
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ #ifndef OPENSSL_NO_SSL2
+ #define OPENSSL_NO_SSL2
+ #endif /* !defined(OPENSSL_NO_SSL2) */
+@@ -474,7 +474,7 @@ extern char *sys_errlist[];
+ #include <openssl/des.h>
+ #ifndef OPENSSL_NO_DH
+ #include <openssl/dh.h>
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
+ #endif /* OpenSSL older than 1.1.0 */
+ #endif /* !defined(OPENSSL_NO_DH) */
diff --git a/security/stunnel/files/patch-src_ctx.c b/security/stunnel/files/patch-src_ctx.c
new file mode 100644
index 000000000000..c6b409481caf
--- /dev/null
+++ b/security/stunnel/files/patch-src_ctx.c
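Review bot: The LibreSSL exclusion is spelled out as `&& !defined(LIBRESSL_VERSION_NUMBER)` or `|| defined(LIBRESSL_VERSION_NUMBER)` on each version test it touches, here and again in patch-src_ctx.c, patch-src_prototypes.h, patch-src_ssl.c, patch-src_sthreads.c and patch-src_verify.c, and every hunk treats LibreSSL as "older than 1.0.2" while the tests compare against four different thresholds; the next version test added upstream is easy to patch inconsistently. Since common.h is the shared header, one derived API-level macro defined there would let the other patches change only the compared macro, and the `#endif` trailer comments such as `/* OpenSSL older than 1.1.0 */` would then still describe the condition. The exact level LibreSSL should be pinned to is not visible here (the value below is constructed and must be confirmed against the pinned LibreSSL release).

```c
/* LibreSSL reports OPENSSL_VERSION_NUMBER as 0x2xxxxxxxL but offers roughly the
 * 1.0.x API surface; compare against this level instead of the raw number. */
#if defined(LIBRESSL_VERSION_NUMBER)
#define STUNNEL_OSSL_API_LEVEL 0x10001000L /* constructed: 1.0.1 level, confirm for the pinned LibreSSL */
#else
#define STUNNEL_OSSL_API_LEVEL OPENSSL_VERSION_NUMBER
#endif
/* … unchanged: rest of common.h; version tests compare STUNNEL_OSSL_API_LEVEL … */
```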
@@ -0,0 +1,11 @@
+--- src/ctx.c.orig 2016-06-21 15:06:14 UTC
++++ src/ctx.c
+@@ -366,7 +366,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *
+ /**************************************** initialize OpenSSL CONF */
+ 
+ NOEXPORT int conf_init(SERVICE_OPTIONS *section) {
+-#if OPENSSL_VERSION_NUMBER>=0x10002000L
++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+ SSL_CONF_CTX *cctx;
+ NAME_LIST *curr;
+ char *cmd, *param;
diff --git a/security/stunnel/files/patch-src_prototypes.h b/security/stunnel/files/patch-src_prototypes.h
new file mode 100644
index 000000000000..1ef2cbd2c652
--- /dev/null
+++ b/security/stunnel/files/patch-src_prototypes.h
@@ -0,0 +1,18 @@
+--- src/prototypes.h.orig 2016-07-05 21:27:57 UTC
++++ src/prototypes.h
+@@ -650,13 +650,13 @@ typedef enum {
+ #endif /* OPENSSL_NO_DH */
+ STUNNEL_LOCKS /* number of locks */
+ } LOCK_TYPE;
+-#if OPENSSL_VERSION_NUMBER < 0x10100004L
++#if OPENSSL_VERSION_NUMBER < 0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ typedef int STUNNEL_RWLOCK;
+ #else
+ typedef CRYPTO_RWLOCK *STUNNEL_RWLOCK;
+ #endif
+ extern STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS];
+-#if OPENSSL_VERSION_NUMBER>=0x10100004L
++#if OPENSSL_VERSION_NUMBER>=0x10100004L && !defined(LIBRESSL_VERSION_NUMBER)
+ #define CRYPTO_THREAD_read_unlock(type) CRYPTO_THREAD_unlock(type)
+ #define CRYPTO_THREAD_write_unlock(type) CRYPTO_THREAD_unlock(type)
+ #else
diff --git a/security/stunnel/files/patch-src_ssl.c b/security/stunnel/files/patch-src_ssl.c
new file mode 100644
index 000000000000..8c40e85993f4
--- /dev/null
+++ b/security/stunnel/files/patch-src_ssl.c
@@ -0,0 +1,11 @@
+--- src/ssl.c.orig 2016-06-02 13:43:49 UTC
++++ src/ssl.c
+@@ -78,7 +78,7 @@ int ssl_init(void) { /* init SSL before
+ }
+ 
+ #ifndef OPENSSL_NO_DH
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ /* this is needed for dhparam.c generated with OpenSSL >= 1.1.0
+ * to be linked against the older versions */
+ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
diff --git a/security/stunnel/files/patch-src_sthreads.c b/security/stunnel/files/patch-src_sthreads.c
new file mode 100644
index 000000000000..c63ad3a1e995
--- /dev/null
+++ b/security/stunnel/files/patch-src_sthreads.c
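Review bot: The new condition `#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)` makes stunnel compile its own `DH_set0_pqg` for every LibreSSL release rather than only for the ones that lack it; should a later LibreSSL provide that function natively, this definition (and the matching prototype added in patch-src_common.h) collides with the library's. Bounding the LibreSSL branch by version keeps the shim from outliving its purpose, e.g. `|| (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < <first LibreSSL release providing DH_set0_pqg>)`, with the threshold confirmed against LibreSSL's headers rather than guessed. The body of DH_set0_pqg continues outside the hunk.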
@@ -0,0 +1,59 @@
+--- src/sthreads.c.orig 2016-05-03 18:35:03 UTC
++++ src/sthreads.c
+@@ -45,7 +45,7 @@
+ 
+ STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS];
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ #define CRYPTO_THREAD_lock_new() CRYPTO_get_new_dynlockid()
+ #endif
+ 
+@@ -203,7 +203,7 @@ int create_client(SOCKET ls, SOCKET s, C
+ 
+ #ifdef USE_PTHREAD
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ struct CRYPTO_dynlock_value {
+ pthread_rwlock_t rwlock;
+@@ -263,16 +263,18 @@ unsigned long stunnel_thread_id(void) {
+ #endif
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER>=0x10000000L && OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER>=0x10000000L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT void threadid_func(CRYPTO_THREADID *tid) {
+ CRYPTO_THREADID_set_numeric(tid, stunnel_thread_id());
+ }
+ #endif
++#endif
+ 
+ int sthreads_init(void) {
+ int i;
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ /* initialize the OpenSSL dynamic locking */
+ CRYPTO_set_dynlock_create_callback(dyn_create_function);
+ CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
+@@ -345,7 +347,7 @@ int create_client(SOCKET ls, SOCKET s, C
+ * but it is unsupported on Windows XP (and earlier versions of Windows):
+ * https://msdn.microsoft.com/en-us/library/windows/desktop/aa904937%28v=vs.85%29.aspx */
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ struct CRYPTO_dynlock_value {
+ CRITICAL_SECTION mutex;
+@@ -398,7 +400,7 @@ unsigned long stunnel_thread_id(void) {
+ int sthreads_init(void) {
+ int i;
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ /* initialize the OpenSSL
dynamic locking */
+ CRYPTO_set_dynlock_create_callback(dyn_create_function);
+ CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
diff --git a/security/stunnel/files/patch-src_verify.c b/security/stunnel/files/patch-src_verify.c
new file mode 100644
index 000000000000..043cdc55053b
--- /dev/null
+++ b/security/stunnel/files/patch-src_verify.c
@@ -0,0 +1,64 @@
+--- src/verify.c.orig 2016-07-05 21:27:57 UTC
++++ src/verify.c
+@@ -178,14 +178,14 @@ NOEXPORT void auth_warnings(SERVICE_OPTI
+ if(section->option.verify_peer) /* verify_peer does not depend on PKI */
+ return;
+ if(section->option.verify_chain) {
+-#if OPENSSL_VERSION_NUMBER>=0x10002000L
++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+ if(section->check_email || section->check_host || section->check_ip)
+ return;
+ #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
+ s_log(LOG_WARNING,
+ "Service [%s] uses \"verify = 2\" without subject checks",
+ section->servname);
+-#if OPENSSL_VERSION_NUMBER<0x10002000L
++#if OPENSSL_VERSION_NUMBER<0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
+ s_log(LOG_WARNING,
+ "Rebuild your stunnel against OpenSSL version 1.0.2 or higher");
+ #endif /* OPENSSL_VERSION_NUMBER<0x10002000L */
+@@ -277,7 +277,7 @@ NOEXPORT int cert_check(CLI *c, X509_STO
+ }
+ 
+ if(depth==0) { /* additional peer certificate checks */
+-#if OPENSSL_VERSION_NUMBER>=0x10002000L
++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+ if(!cert_check_subject(c, callback_ctx))
+ return 0; /* reject */
+ #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
+@@ -288,7 +288,7 @@ NOEXPORT int cert_check(CLI *c, X509_STO
+ return 1; /* accept */
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER>=0x10002000L
++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int cert_check_subject(CLI *c, X509_STORE_CTX *callback_ctx) {
+ X509 *cert=X509_STORE_CTX_get_current_cert(callback_ctx);
+ NAME_LIST *ptr;
+@@ -340,7 +340,7 @@ NOEXPORT int cert_check_local(X509_STORE
+ STACK_OF(X509) *sk;
+ int i;
+ #endif
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ X509_OBJECT obj;
+ int success;
+ #endif
+@@ -349,7 +349,7 @@ NOEXPORT int cert_check_local(X509_STORE
+ subject=X509_get_subject_name(cert);
+ 
+ #if 
OPENSSL_VERSION_NUMBER>=0x10000000L
+-#if OPENSSL_VERSION_NUMBER<0x10100006L
++#if OPENSSL_VERSION_NUMBER<0x10100006L || defined(LIBRESSL_VERSION_NUMBER)
+ #define X509_STORE_CTX_get1_certs X509_STORE_get1_certs
+ #endif
+ /* modern API allows retrieving multiple matching certificates */
+@@ -364,7 +364,7 @@ NOEXPORT int cert_check_local(X509_STORE
+ }
+ #endif
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ /* pre-1.0.0 API only returns a single matching certificate */
+ /* we also invoke it for other OpenSSL versions before 1.1.0 */
+ memset((char *)&obj, 0, sizeof obj);
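Review bot: Adding `&& !defined(LIBRESSL_VERSION_NUMBER)` to the `depth==0` guard in cert_check compiles out the `cert_check_subject` call, so a LibreSSL build accepts a peer certificate that chains correctly even when its subject does not match the host, e-mail or IP a configuration's checkHost/checkEmail/checkIP options were meant to enforce (assuming the option parser, not visible here, still accepts those options in such a build). The only signal left is the auth_warnings message this hunk keeps as "Rebuild your stunnel against OpenSSL version 1.0.2 or higher", which is emitted only when verify_chain is set and is misleading for a LibreSSL build. The subject checks depend on the X509_check_host family, not on the SSL_CONF API that patch-src_ctx.c disables; if the pinned LibreSSL release provides those functions (worth confirming against its headers), the cert_check_subject guard should stay enabled for LibreSSL and only the SSL_CONF-dependent code be excluded. Otherwise the warning should at least name the actual cause, e.g. `"Rebuild your stunnel against OpenSSL version 1.0.2 or higher (peer subject checks are unavailable in this build)"`. cert_check, cert_check_subject and cert_check_local all start and end outside the hunk.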