authorDaniel Ahlberg <aliz@gentoo.org>2003-03-25 10:25:27 +0000
committerDaniel Ahlberg <aliz@gentoo.org>2003-03-25 10:25:27 +0000
commitf8f2a5b0fd78b12a54cd1b9b329a0f724cb1ae2c (patch)
tree51da42970256ce4db5c2a8f0ea2c121c92c20def
parentgtk is optional (diff)
Security update
-rw-r--r--net-misc/stunnel/ChangeLog12
-rw-r--r--net-misc/stunnel/files/digest-stunnel-3.22-r21
-rw-r--r--net-misc/stunnel/files/digest-stunnel-4.041
-rw-r--r--net-misc/stunnel/files/stunnel-3.22-blinding.patch133
-rw-r--r--net-misc/stunnel/files/stunnel-4.04-blinding.patch91
-rw-r--r--net-misc/stunnel/files/stunnel-4.04-gentoo.diff12
-rw-r--r--net-misc/stunnel/stunnel-3.22-r2.ebuild34
-rw-r--r--net-misc/stunnel/stunnel-4.04.ebuild56
8 files changed, 339 insertions, 1 deletions
diff --git a/net-misc/stunnel/ChangeLog b/net-misc/stunnel/ChangeLog
index 927429f593d8..d07d98c55dcd 100644
--- a/net-misc/stunnel/ChangeLog
+++ b/net-misc/stunnel/ChangeLog
@@ -1,6 +1,16 @@
# ChangeLog for net-misc/stunnel
# Copyright 2002-2003 Gentoo Technologies, Inc.; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/stunnel/ChangeLog,v 1.7 2003/02/12 08:33:21 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/stunnel/ChangeLog,v 1.8 2003/03/25 10:25:27 aliz Exp $
+
+*stunnel-4.04 (25 Mar 2003)
+
+ 25 Mar 2003; Daniel Ahlberg <aliz@gentoo.org> stunnel-4.04.ebuild :
+ Security update.
+
+*stunnel-3.22-r2 (25 Mar 2003)
+
+ 25 Mar 2003; Daniel Ahlberg <aliz@gentoo.org> stunnel-3.22-r2.ebuild :
+ Security update.
04 Jan 2003; Daniel Ahlberg <aliz@gentoo.org> stunnel-4.02.ebuild, files/stunnel.rc6 :
Misc fixes, closes #12608.
diff --git a/net-misc/stunnel/files/digest-stunnel-3.22-r2 b/net-misc/stunnel/files/digest-stunnel-3.22-r2
new file mode 100644
index 000000000000..a6702e42c458
--- /dev/null
+++ b/net-misc/stunnel/files/digest-stunnel-3.22-r2
@@ -0,0 +1 @@
+MD5 69000d8365b006b3c080a1e2dc9ccba9 stunnel-3.22.tar.gz 204413
diff --git a/net-misc/stunnel/files/digest-stunnel-4.04 b/net-misc/stunnel/files/digest-stunnel-4.04
new file mode 100644
index 000000000000..f8df0f6a7fdf
--- /dev/null
+++ b/net-misc/stunnel/files/digest-stunnel-4.04
@@ -0,0 +1 @@
+MD5 2fcdf0311a0ab8a3223293c706a84e97 stunnel-4.04.tar.gz 309072
diff --git a/net-misc/stunnel/files/stunnel-3.22-blinding.patch b/net-misc/stunnel/files/stunnel-3.22-blinding.patch
new file mode 100644
index 000000000000..43587ed7dfa8
--- /dev/null
+++ b/net-misc/stunnel/files/stunnel-3.22-blinding.patch
@@ -0,0 +1,133 @@
+diff -cr stunnel-3.22/client.c stunnel-3.22.new/client.c
+*** stunnel-3.22/client.c Sun Dec 23 11:41:32 2001
+--- stunnel-3.22.new/client.c Fri Mar 21 09:50:15 2003
+***************
+*** 252,257 ****
+--- 252,262 ----
+ c->error=1;
+ return;
+ }
++ /* Set blinding iff it's not built into our OpenSSL version */
++ #if SSLEAY_VERSION_NUMBER <= 0x0090701fL
++ set_rsa_blinding(c->ssl);
++ #endif
++
+ #if SSLEAY_VERSION_NUMBER >= 0x0922
+ SSL_set_session_id_context(c->ssl, sid_ctx, strlen(sid_ctx));
+ #endif
+***************
+*** 939,943 ****
+--- 944,980 ----
+ if(setsockopt(fd, SOL_SOCKET, SO_LINGER, (void *)&l, sizeof(l)))
+ log_error(LOG_DEBUG, get_last_socket_error(), txt);
+ }
++
++ int set_rsa_blinding(SSL *ssl) {
++ #ifndef NO_RSA
++
++ /* Turn on blinding iff using RSA */
++
++ RSA *rsa;
++ EVP_PKEY *pkey;
++
++ if ( (pkey = SSL_get_privatekey(ssl)) ) {
++ if ( (rsa = EVP_PKEY_get1_RSA(pkey)) ) {
++ if ( RSA_blinding_on(rsa,NULL) ) {
++ log(LOG_DEBUG, "RSA blinding enabled");
++ } else {
++ log(LOG_ERR, "Unable to set RSA blinding");
++ sslerror("RSA_blinding_on");
++ exit(1);
++ }
++ /* EVP_PKEY_get1_RSA ups the count for rsa - free extra */
++ RSA_free(rsa);
++ } else {
++ log(LOG_DEBUG, "Private key is not RSA, no blinding needed");
++ }
++ } else {
++ log(LOG_ERR, "Unable to get access to the SSL private key.");
++ sslerror("SSL_get_privatekey");
++ exit(1);
++ }
++ #endif
++ return(1);
++ }
++
+
+ /* End of client.c */
+diff -cr stunnel-3.22/prototypes.h stunnel-3.22.new/prototypes.h
+*** stunnel-3.22/prototypes.h Sun Nov 11 11:16:01 2001
+--- stunnel-3.22.new/prototypes.h Fri Mar 21 09:54:55 2003
+***************
+*** 43,48 ****
+--- 43,50 ----
+ /* descriptor versions of fprintf/fscanf */
+ int fdprintf(int, char *, ...);
+ int fdscanf(int, char *, char *);
++ #include <openssl/ssl.h>
++ int set_rsa_blinding(SSL *);
+
+ /* Prototypes for log.c */
+
+diff -cr stunnel-3.22/ssl.c stunnel-3.22.new/ssl.c
+*** stunnel-3.22/ssl.c Sun Dec 23 11:46:03 2001
+--- stunnel-3.22.new/ssl.c Fri Mar 21 09:57:45 2003
+***************
+*** 65,71 ****
+ #endif /* NO_RSA */
+ static void verify_init();
+ static int verify_callback(int, X509_STORE_CTX *);
+! static void info_callback(SSL *, int, int);
+ static void print_stats();
+
+ SSL_CTX *ctx; /* global SSL context */
+--- 65,71 ----
+ #endif /* NO_RSA */
+ static void verify_init();
+ static int verify_callback(int, X509_STORE_CTX *);
+! static void info_callback(const SSL *, int, int);
+ static void print_stats();
+
+ SSL_CTX *ctx; /* global SSL context */
+***************
+*** 328,333 ****
+--- 328,334 ----
+ }
+ retval=longkey;
+ }
++
+ leave_critical_section(CRIT_KEYGEN);
+ return retval;
+ }
+***************
+*** 342,347 ****
+--- 343,354 ----
+ result=RSA_generate_key(keylen, RSA_F4, NULL);
+ #endif
+ log(LOG_DEBUG, "Temporary RSA key created");
++
++ /* Set blinding iff it's not built into our OpenSSL version */
++ #if SSLEAY_VERSION_NUMBER <= 0x0090701fL
++ RSA_blinding_on(result,NULL);
++ #endif
++
+ return result;
+ }
+
+***************
+*** 440,446 ****
+ return 1; /* Accept connection */
+ }
+
+! static void info_callback(SSL *s, int where, int ret) {
+ if(where & SSL_CB_LOOP)
+ log(LOG_DEBUG, "SSL state (%s): %s",
+ where & SSL_ST_CONNECT ? "connect" :
+--- 447,453 ----
+ return 1; /* Accept connection */
+ }
+
+! static void info_callback(const SSL *s, int where, int ret) {
+ if(where & SSL_CB_LOOP)
+ log(LOG_DEBUG, "SSL state (%s): %s",
+ where & SSL_ST_CONNECT ? "connect" :
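Review bot: The two `exit(1)` calls inside the new `set_rsa_blinding` in client.c turn a per-connection failure into termination of the whole daemon, although the surrounding code reports connection-level errors with `c->error=1; return;` (the lines just above the first client.c hunk), and the patch itself anticipates `SSL_get_privatekey` returning NULL, so if an instance can run without a certificate a single incoming connection would take every tunnel down. The function should return failure and let the caller drop only that connection, as sketched below; stunnel-4.04-blinding.patch carries the same code, where the local convention is `return -1` (`sslerror("SSL_new"); return -1;`). Because `SSL_get_privatekey` hands back the key inherited from the shared context, `RSA_blinding_on` is also re-run on the same RSA object for every connection; if sessions are handled concurrently (the `client(void *)` prototype in the 4.04 patch looks like a thread entry point) that likely races with in-flight private-key operations, and enabling blinding once where the key is loaded in ssl.c — beside the temporary-key hunk — would avoid both problems. In that temporary-key hunk the return value of `RSA_blinding_on(result,NULL)` is discarded, so a failure silently leaves the ephemeral key unblinded; log it as the client.c code does. The functions that call `set_rsa_blinding` start and end outside the hunks.
```c
/* … unchanged: SSL_new and error handling in client.c … */
#if SSLEAY_VERSION_NUMBER <= 0x0090701fL
    if(!set_rsa_blinding(c->ssl)) {
        c->error=1;
        return;
    }
#endif
/* … unchanged: session-id context setup … */

/* Returns 1 when blinding is on (or not needed), 0 on failure.
 * Never exit() here: the caller decides the fate of one connection. */
int set_rsa_blinding(SSL *ssl) {
#ifndef NO_RSA
    RSA *rsa;
    EVP_PKEY *pkey;

    if(!(pkey = SSL_get_privatekey(ssl))) {
        log(LOG_ERR, "Unable to get access to the SSL private key.");
        sslerror("SSL_get_privatekey");
        return 0;
    }
    if(!(rsa = EVP_PKEY_get1_RSA(pkey))) {
        log(LOG_DEBUG, "Private key is not RSA, no blinding needed");
        return 1;
    }
    if(!RSA_blinding_on(rsa, NULL)) {
        log(LOG_ERR, "Unable to set RSA blinding");
        sslerror("RSA_blinding_on");
        RSA_free(rsa);
        return 0;
    }
    log(LOG_DEBUG, "RSA blinding enabled");
    /* EVP_PKEY_get1_RSA ups the count for rsa - free extra */
    RSA_free(rsa);
#endif
    return 1;
}
```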
diff --git a/net-misc/stunnel/files/stunnel-4.04-blinding.patch b/net-misc/stunnel/files/stunnel-4.04-blinding.patch
new file mode 100644
index 000000000000..44edbd388005
--- /dev/null
+++ b/net-misc/stunnel/files/stunnel-4.04-blinding.patch
@@ -0,0 +1,91 @@
+diff -cr stunnel-4.04/src/client.c stunnel-4.04.new/src/client.c
+*** stunnel-4.04/src/client.c Wed Jan 1 11:04:39 2003
+--- stunnel-4.04.new/src/client.c Fri Mar 21 09:21:38 2003
+***************
+*** 234,239 ****
+--- 234,246 ----
+ sslerror("SSL_new");
+ return -1;
+ }
++
++ /* Set blinding iff it's not built into our OpenSSL version */
++ #if SSLEAY_VERSION_NUMBER <= 0x0090701fL
++ set_rsa_blinding(c->ssl);
++ #endif
++
++
+ #if SSLEAY_VERSION_NUMBER >= 0x0922
+ SSL_set_session_id_context(c->ssl, sid_ctx, strlen(sid_ctx));
+ #endif
+***************
+*** 913,917 ****
+--- 920,957 ----
+ if(setsockopt(fd, SOL_SOCKET, SO_LINGER, (void *)&l, sizeof(l)))
+ log_error(LOG_DEBUG, get_last_socket_error(), txt);
+ }
++
++
++ int set_rsa_blinding(SSL *ssl) {
++ #ifndef NO_RSA
++
++ /* Turn on blinding iff using RSA */
++
++ RSA *rsa;
++ EVP_PKEY *pkey;
++
++ if ( (pkey = SSL_get_privatekey(ssl)) ) {
++ if ( (rsa = EVP_PKEY_get1_RSA(pkey)) ) {
++ if ( RSA_blinding_on(rsa,NULL) ) {
++ log(LOG_DEBUG, "RSA blinding enabled");
++ } else {
++ log(LOG_ERR, "Unable to set RSA blinding");
++ sslerror("RSA_blinding_on");
++ exit(1);
++ }
++ /* EVP_PKEY_get1_RSA ups the count for rsa - free extra */
++ RSA_free(rsa);
++ } else {
++ log(LOG_DEBUG, "Private key is not RSA, no blinding needed");
++ }
++ } else {
++ log(LOG_ERR, "Unable to get access to the SSL private key.");
++ sslerror("SSL_get_privatekey");
++ exit(1);
++ }
++ #endif
++ return(1);
++ }
++
+
+ /* End of client.c */
+diff -cr stunnel-4.04/src/prototypes.h stunnel-4.04.new/src/prototypes.h
+*** stunnel-4.04/src/prototypes.h Thu Mar 20 11:55:05 2003
+--- stunnel-4.04.new/src/prototypes.h Thu Mar 20 11:55:31 2003
+***************
+*** 242,247 ****
+--- 242,248 ----
+
+ void *alloc_client_session(LOCAL_OPTIONS *, int, int);
+ void *client(void *);
++ int set_rsa_blinding(SSL *);
+
+ /**************************************** Prototype for protocol.c */
+
+diff -cr stunnel-4.04/src/ssl.c stunnel-4.04.new/src/ssl.c
+*** stunnel-4.04/src/ssl.c Wed Jan 1 06:07:08 2003
+--- stunnel-4.04.new/src/ssl.c Fri Mar 21 09:18:28 2003
+***************
+*** 367,372 ****
+--- 367,378 ----
+ result=RSA_generate_key(keylen, RSA_F4, NULL);
+ #endif
+ log(LOG_DEBUG, "Temporary RSA key created");
++
++ /* Set blinding iff it's not built into our OpenSSL version */
++ #if SSLEAY_VERSION_NUMBER <= 0x0090701fL
++ RSA_blinding_on(result,NULL);
++ #endif
++
+ return result;
+ }
+
diff --git a/net-misc/stunnel/files/stunnel-4.04-gentoo.diff b/net-misc/stunnel/files/stunnel-4.04-gentoo.diff
new file mode 100644
index 000000000000..b41de790e162
--- /dev/null
+++ b/net-misc/stunnel/files/stunnel-4.04-gentoo.diff
@@ -0,0 +1,12 @@
+--- tools/Makefile.in 2002-10-26 16:48:22.000000000 +0000
++++ tools/Makefile.in 2002-10-26 16:48:38.000000000 +0000
+@@ -83,7 +83,7 @@
+
+
+ confdir = $(sysconfdir)/stunnel
+-conf_DATA = stunnel.conf-sample stunnel.pem
++conf_DATA = stunnel.conf-sample
+
+ docdir = $(datadir)/doc/stunnel
+ examplesdir = $(docdir)/examples
+
diff --git a/net-misc/stunnel/stunnel-3.22-r2.ebuild b/net-misc/stunnel/stunnel-3.22-r2.ebuild
new file mode 100644
index 000000000000..162aa4fba00e
--- /dev/null
+++ b/net-misc/stunnel/stunnel-3.22-r2.ebuild
@@ -0,0 +1,34 @@
+# Copyright 1999-2003 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/stunnel/stunnel-3.22-r2.ebuild,v 1.1 2003/03/25 10:25:27 aliz Exp $
+
+inherit eutils
+
+S=${WORKDIR}/${P}
+DESCRIPTION="TSL/SSL - Port Wrapper"
+SRC_URI="http://www.stunnel.org/download/stunnel/src/${P}.tar.gz"
+HOMEPAGE="http://www.stunnel.org/"
+DEPEND="virtual/glibc >=dev-libs/openssl-0.9.6c"
+RDEPEND=">=dev-libs/openssl-0.9.6c"
+KEYWORDS="x86 sparc "
+LICENSE="GPL-2"
+SLOT="0"
+
+src_unpack() {
+ unpack ${A}; cd ${S}
+ epatch ${FILESDIR}/${P}-gentoo.diff
+ epatch ${FILESDIR}/${P}-blinding.patch
+}
+
+src_compile() {
+ ./configure --prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man || die
+ emake || die
+}
+
+src_install() {
+ into /usr
+ dosbin stunnel
+ dodoc FAQ README HISTORY COPYING BUGS PORTS TODO transproxy.txt
+ doman stunnel.8
+ dolib.so stunnel.so
+}
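Review bot: `DESCRIPTION="TSL/SSL - Port Wrapper"` misspells TLS; the same string appears in stunnel-4.04.ebuild, so both should read `DESCRIPTION="TLS/SSL - Port Wrapper"`. src_unpack applies `${FILESDIR}/${P}-gentoo.diff`, i.e. stunnel-3.22-gentoo.diff, which this commit does not add, so it presumably already exists from the earlier revision — worth confirming, since a missing patch would make the stable-keyworded security update fail at unpack time. The trailing space in `KEYWORDS="x86 sparc "` should go.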
diff --git a/net-misc/stunnel/stunnel-4.04.ebuild b/net-misc/stunnel/stunnel-4.04.ebuild
new file mode 100644
index 000000000000..143641445ab4
--- /dev/null
+++ b/net-misc/stunnel/stunnel-4.04.ebuild
@@ -0,0 +1,56 @@
+# Copyright 1999-2003 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/stunnel/stunnel-4.04.ebuild,v 1.1 2003/03/25 10:25:27 aliz Exp $
+
+inherit eutils
+
+S=${WORKDIR}/${P}
+DESCRIPTION="TSL/SSL - Port Wrapper"
+SRC_URI="http://www.stunnel.org/download/stunnel/src/${P}.tar.gz"
+HOMEPAGE="http://stunnel.mirt.net"
+DEPEND="virtual/glibc >=dev-libs/openssl-0.9.6c"
+RDEPEND=">=dev-libs/openssl-0.9.6c"
+KEYWORDS="~x86 ~sparc "
+LICENSE="GPL-2"
+SLOT="0"
+
+src_unpack() {
+ unpack ${A}; cd ${S}
+ epatch ${FILESDIR}/${PF}-gentoo.diff
+ epatch ${FILESDIR}/${P}-blinding.patch
+}
+
+#src_compile() {
+# econf || die
+# emake || die
+#}
+
+src_install() {
+ into /usr
+ dosbin src/stunnel
+ dodoc AUTHORS BUGS COPYING COPYRIGHT.GPL CREDITS INSTALL NEWS PORTS README TODO
+ dodoc doc/en/transproxy.txt
+ dohtml doc/stunnel.html doc/en/VNC_StunnelHOWTO.html tools/ca.html tools/importCA.html
+ doman doc/stunnel.8
+
+ insinto /usr/share/doc/${PF}
+ doins tools/ca.pl tools/importCA.sh
+
+ exeinto /etc/init.d
+ newexe ${FILESDIR}/stunnel.rc6 stunnel
+
+ dolib src/.libs/libstunnel.la
+ dolib.so src/.libs/libstunnel.so
+
+ insinto /etc/stunnel
+ doins ${FILESDIR}/stunnel.conf
+
+ dosed "s:/usr/etc/stunnel:/etc/stunnel:" /etc/stunnel/stunnel.conf
+
+ dodir /etc/stunnel
+}
+
+pkg_postinst() {
+ einfo "Starting from version 4 stunnel now uses a configuration file for setting up stunnels."
+ einfo "Stunnel can now also be run as a daemon"
+}
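Review bot: The commented-out `src_compile` block is dead code and should be deleted rather than shipped in a new ebuild; if the intent is to rely on the default src_compile, a one-line comment saying so is clearer than a disabled copy. `dodir /etc/stunnel` at the end of src_install is redundant, since `insinto /etc/stunnel` followed by `doins ${FILESDIR}/stunnel.conf` already creates that directory before the `dosed` call. The trailing space in `KEYWORDS="~x86 ~sparc "` should go, and `DESCRIPTION` misspells TLS as "TSL".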