Upgrade stunnel for work item 56658178 (#13502)

Author: sandeepkarambelkar

SPECS-EXTENDED/stunnel/stunnel-5.56-coverity.patch

@@ -1,8 +1,8 @@
-From e951a8a7edc87dbd608043f8aab67ef12979e3ca Mon Sep 17 00:00:00 2001
+From 2d720572b081397b187f502980bb57a8301f06f0 Mon Sep 17 00:00:00 2001
 From: Sahana Prasad <sahana@redhat.com>
 Date: Mon, 12 Sep 2022 11:07:38 +0200
-Subject: [PATCH 6/8] Apply patch stunnel-5.56-curves-doc-update.patch
-
+Subject: [PATCH 5/5] Apply patch stunnel-5.56-curves-doc-update.patch
+ 
 Patch-name: stunnel-5.56-curves-doc-update.patch
 Patch-id: 6
 From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
@@ -14,25 +14,25 @@ From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
  doc/stunnel.pl.pod.in  | 2 ++
  doc/stunnel.pod.in     | 2 ++
  6 files changed, 12 insertions(+)
-
+ 
 diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in
-index a56f0b7..977a1a4 100644
+index e74e174..03b503b 100644
 --- a/doc/stunnel.8.in
 +++ b/doc/stunnel.8.in
-@@ -475,6 +475,8 @@ This file contains multiple CRLs, used with the \fIverifyChain\fR and
+@@ -490,6 +490,8 @@ This file contains multiple CRLs, used with the \fIverifyChain\fR and
  .IX Item "curves = list"
- \&\s-1ECDH\s0 curves separated with ':'
+ ECDH curves separated with ':'
  .Sp
 +Note: This option is supported for server mode sockets only.
 +.Sp
  Only a single curve name is allowed for OpenSSL older than 1.1.1.
  .Sp
  To get a list of supported curves use:
 diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in
-index 608afa9..cecc81a 100644
+index df0efdd..385ac8d 100644
 --- a/doc/stunnel.html.in
 +++ b/doc/stunnel.html.in
-@@ -570,6 +570,8 @@
+@@ -596,6 +596,8 @@
 
  <p>ECDH curves separated with &#39;:&#39;</p>
 
@@ -42,23 +42,23 @@ index 608afa9..cecc81a 100644
 
  <p>To get a list of supported curves use:</p>
 diff --git a/doc/stunnel.pl.8.in b/doc/stunnel.pl.8.in
-index e2e6622..eae88f8 100644
+index 4efe602..9683b4c 100644
 --- a/doc/stunnel.pl.8.in
 +++ b/doc/stunnel.pl.8.in
-@@ -492,6 +492,8 @@ przez opcje \fIverifyChain\fR i \fIverifyPeer\fR.
+@@ -494,6 +494,8 @@ przez opcje \fIverifyChain\fR i \fIverifyPeer\fR.
  .IX Item "curves = lista"
- krzywe \s-1ECDH\s0 odddzielone ':'
+ krzywe ECDH odddzielone ':'
  .Sp
 +Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.
 +.Sp
  Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.
  .Sp
  Listę dostępnych krzywych można uzyskać poleceniem:
 diff --git a/doc/stunnel.pl.html.in b/doc/stunnel.pl.html.in
-index 7be87f1..7fd7a7c 100644
+index 8e40042..3025e9f 100644
 --- a/doc/stunnel.pl.html.in
 +++ b/doc/stunnel.pl.html.in
-@@ -568,6 +568,8 @@
+@@ -586,6 +586,8 @@
 
  <p>krzywe ECDH odddzielone &#39;:&#39;</p>
 
@@ -68,10 +68,10 @@ index 7be87f1..7fd7a7c 100644
 
  <p>List&#x119; dost&#x119;pnych krzywych mo&#x17C;na uzyska&#x107; poleceniem:</p>
 diff --git a/doc/stunnel.pl.pod.in b/doc/stunnel.pl.pod.in
-index dc6b255..712f751 100644
+index 4419f9f..c48387a 100644
 --- a/doc/stunnel.pl.pod.in
 +++ b/doc/stunnel.pl.pod.in
-@@ -516,6 +516,8 @@ przez opcje I<verifyChain> i I<verifyPeer>.
+@@ -535,6 +535,8 @@ przez opcje I<verifyChain> i I<verifyPeer>.
 
  krzywe ECDH odddzielone ':'
 
@@ -81,10 +81,10 @@ index dc6b255..712f751 100644
 
  Listę dostępnych krzywych można uzyskać poleceniem:
 diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in
-index 840c708..85cc199 100644
+index 1a49d42..7a92697 100644
 --- a/doc/stunnel.pod.in
 +++ b/doc/stunnel.pod.in
-@@ -501,6 +501,8 @@ I<verifyPeer> options.
+@@ -533,6 +533,8 @@ I<verifyPeer> options.
 
  ECDH curves separated with ':'
 
@@ -94,5 +94,4 @@ index 840c708..85cc199 100644
 
  To get a list of supported curves use:
 -- 
-2.37.3
-
+2.46.0

SPECS-EXTENDED/stunnel/stunnel-5.56-curves-doc-update.patch

@@ -1,7 +1,7 @@
-From 1d3349209f339e6a68312fce076e355bc767d76c Mon Sep 17 00:00:00 2001
+From 749c3b57caded6285cb5f76f17c4359e92474875 Mon Sep 17 00:00:00 2001
 From: Clemens Lang <cllang@redhat.com>
 Date: Mon, 12 Sep 2022 11:07:38 +0200
-Subject: [PATCH 5/7] Apply patch stunnel-5.69-default-tls-version.patch
+Subject: [PATCH] Apply patch stunnel-5.69-default-tls-version.patch
 
 Patch-name: stunnel-5.69-default-tls-version.patch
 Patch-id: 5
@@ -13,13 +13,13 @@ From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
  3 files changed, 36 insertions(+), 16 deletions(-)
 
 diff --git a/src/ctx.c b/src/ctx.c
-index 6a42a6b..cba24d9 100644
+index 3f3dbf8..7935e84 100644
 --- a/src/ctx.c
 +++ b/src/ctx.c
-@@ -152,19 +152,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
-     section->ctx=SSL_CTX_new(section->option.client ?
-         TLS_client_method() : TLS_server_method());
- #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
+@@ -168,19 +168,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
+ 
+     /* set supported protocol versions */
+ #if OPENSSL_VERSION_NUMBER>=0x10100000L
 -    if(section->min_proto_version &&
 -            !SSL_CTX_set_min_proto_version(section->ctx,
 -            section->min_proto_version)) {
@@ -56,13 +56,13 @@ index 6a42a6b..cba24d9 100644
 +            return 1; /* FAILED */
 +        }
      }
- #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
-     if(section->option.client)
+ #endif /* OPENSSL_VERSION_NUMBER>=0x10100000L */
+ 
 diff --git a/src/options.c b/src/options.c
-index 4d31815..2ec5934 100644
+index 00196fc..1946129 100644
 --- a/src/options.c
 +++ b/src/options.c
-@@ -3371,8 +3371,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
+@@ -3437,8 +3437,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
              return "Invalid protocol version";
          return NULL; /* OK */
      case CMD_INITIALIZE:
@@ -74,7 +74,7 @@ index 4d31815..2ec5934 100644
              return "Invalid protocol version range";
          break;
      case CMD_PRINT_DEFAULTS:
-@@ -3390,7 +3391,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
+@@ -3456,7 +3457,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
      /* sslVersionMax */
      switch(cmd) {
      case CMD_SET_DEFAULTS:
@@ -86,7 +86,7 @@ index 4d31815..2ec5934 100644
          break;
      case CMD_SET_COPY:
          section->max_proto_version=new_service_options.max_proto_version;
-@@ -3421,7 +3425,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
+@@ -3487,7 +3491,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
      /* sslVersionMin */
      switch(cmd) {
      case CMD_SET_DEFAULTS:
@@ -99,10 +99,10 @@ index 4d31815..2ec5934 100644
      case CMD_SET_COPY:
          section->min_proto_version=new_service_options.min_proto_version;
 diff --git a/src/prototypes.h b/src/prototypes.h
-index 0ecd719..a126c9e 100644
+index 83496bd..d443e18 100644
 --- a/src/prototypes.h
 +++ b/src/prototypes.h
-@@ -940,6 +940,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
+@@ -960,6 +960,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
  ICON_IMAGE load_icon_file(const char *);
  #endif
 
@@ -113,5 +113,5 @@ index 0ecd719..a126c9e 100644
 
  /* end of prototypes.h */
 -- 
-2.39.2
+2.45.3
 

SPECS-EXTENDED/stunnel/stunnel-5.62-disabled-curves.patch

@@ -3,9 +3,9 @@
   "Certificate-Creation": "d00fa133b7e7b241c6d973a70a2ae24d38afed6dfc06014aeff117f4cf8e0163",
   "pop3-redirect.xinetd": "d4953253db8cfd8ea1449911ad32723bf7230a8c8edfb394c83b02feeb25f84b",
   "sfinger.xinetd": "e9bb26d7e8fbe978d34168ecbb22205179345cfc1874b00c87de17bcb287d9a9",
-  "stunnel-5.70.tar.gz": "7bbc7b9e9a988d76301325db4c110ec360a98ffb8a221c7accbff9c0a8bae2f3",
+  "stunnel-5.74.tar.gz": "9bef235ab5d24a2a8dff6485dfd782ed235f4407e9bc8716deb383fc80cd6230",
   "stunnel-pop3s-client.conf": "95379ab5046177833b717c4c832748d31ec314f469c67e9fe4b160876ca93066",
   "stunnel-sfinger.conf": "4d06bccd910b1c8d89ed560fb8375e5e0b220e368a51ce6714e0bc2cd67dc6e4",
   "stunnel@.service": "8e86d44d83d1722371393ff3943e1779111b033da5e89ad1e564d2e5e3be0d89"
  }
-}
+}

SPECS-EXTENDED/stunnel/stunnel-5.69-default-tls-version.patch

@@ -4,7 +4,7 @@
 
 Summary:        A TLS-encrypting socket wrapper
 Name:           stunnel
-Version:        5.70
+Version:        5.74
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -26,11 +26,8 @@ Patch1:         stunnel-5.61-systemd-service.patch
 # platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
 # policies. Change stunnel to default to this setting.
 Patch3:         stunnel-5.69-system-ciphers.patch
-Patch4:         stunnel-5.56-coverity.patch
 Patch5:         stunnel-5.69-default-tls-version.patch
 Patch6:         stunnel-5.56-curves-doc-update.patch
-# Limit curves defaults in FIPS mode
-Patch8:         stunnel-5.62-disabled-curves.patch
 # build test requirements
 BuildRequires:  %{_bindir}/nc
 BuildRequires:  %{_bindir}/pod2html
@@ -46,6 +43,7 @@ BuildRequires:  openssl-devel
 BuildRequires:  pkgconfig
 BuildRequires:  systemd
 BuildRequires:  util-linux
+BuildRequires:  python-cryptography
 %{?systemd_requires}
 %if %{with libwrap}
 BuildRequires:  tcp_wrappers-devel
@@ -143,6 +141,10 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
 %systemd_postun_with_restart %{name}.service
 
 %changelog
+* Mon Apr 21 2025 Sandeep Karambelkar <skarambelkar@microsoft.com> - 5.74-1
+- Upgrade to 5.74 and remove unwanted patches
+- Verified License
+
 * Mon Sep 04 2023 Muhammad Falak R Wani <mwani@microsoft.com> - 5.70-1
 - Upgrade version to address CVE-2021-20230
 - Lint spec

SPECS-EXTENDED/stunnel/stunnel.signatures.json

@@ -28546,8 +28546,8 @@
         "type": "other",
         "other": {
           "name": "stunnel",
-          "version": "5.70",
-          "downloadUrl": "https://www.stunnel.org/downloads/stunnel-5.70.tar.gz"
+          "version": "5.74",
+          "downloadUrl": "https://www.stunnel.org/downloads/stunnel-5.74.tar.gz"
         }
       }
     },