author | Daniel Ahlberg <aliz@gentoo.org> | 2003-03-25 10:25:27 +0000 |
---|---|---|
committer | Daniel Ahlberg <aliz@gentoo.org> | 2003-03-25 10:25:27 +0000 |
commit | f8f2a5b0fd78b12a54cd1b9b329a0f724cb1ae2c (patch) | |
tree | 51da42970256ce4db5c2a8f0ea2c121c92c20def | |
parent | gtk is optional (diff) | |
Security update
-rw-r--r-- | net-misc/stunnel/ChangeLog | 12 | ||||
-rw-r--r-- | net-misc/stunnel/files/digest-stunnel-3.22-r2 | 1 | ||||
-rw-r--r-- | net-misc/stunnel/files/digest-stunnel-4.04 | 1 | ||||
-rw-r--r-- | net-misc/stunnel/files/stunnel-3.22-blinding.patch | 133 | ||||
-rw-r--r-- | net-misc/stunnel/files/stunnel-4.04-blinding.patch | 91 | ||||
-rw-r--r-- | net-misc/stunnel/files/stunnel-4.04-gentoo.diff | 12 | ||||
-rw-r--r-- | net-misc/stunnel/stunnel-3.22-r2.ebuild | 34 | ||||
-rw-r--r-- | net-misc/stunnel/stunnel-4.04.ebuild | 56 |
8 files changed, 339 insertions, 1 deletions
diff --git a/net-misc/stunnel/ChangeLog b/net-misc/stunnel/ChangeLog index 927429f593d8..d07d98c55dcd 100644 --- a/net-misc/stunnel/ChangeLog +++ b/net-misc/stunnel/ChangeLog @@ -1,6 +1,16 @@ # ChangeLog for net-misc/stunnel # Copyright 2002-2003 Gentoo Technologies, Inc.; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/stunnel/ChangeLog,v 1.7 2003/02/12 08:33:21 vapier Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-misc/stunnel/ChangeLog,v 1.8 2003/03/25 10:25:27 aliz Exp $ + +*stunnel-4.04 (25 Mar 2003) + + 25 Mar 2003; Daniel Ahlberg <aliz@gentoo.org> stunnel-4.04.ebuild : + Security update. + +*stunnel-3.22-r2 (25 Mar 2003) + + 25 Mar 2003; Daniel Ahlberg <aliz@gentoo.org> stunnel-3.22-r2.ebuild : + Security update. 04 Jan 2003; Daniel Ahlberg <aliz@gentoo.org> stunnel-4.02.ebuild, files/stunnel.rc6 : Misc fixes, closes #12608. diff --git a/net-misc/stunnel/files/digest-stunnel-3.22-r2 b/net-misc/stunnel/files/digest-stunnel-3.22-r2 new file mode 100644 index 000000000000..a6702e42c458 --- /dev/null +++ b/net-misc/stunnel/files/digest-stunnel-3.22-r2 @@ -0,0 +1 @@ +MD5 69000d8365b006b3c080a1e2dc9ccba9 stunnel-3.22.tar.gz 204413 diff --git a/net-misc/stunnel/files/digest-stunnel-4.04 b/net-misc/stunnel/files/digest-stunnel-4.04 new file mode 100644 index 000000000000..f8df0f6a7fdf --- /dev/null +++ b/net-misc/stunnel/files/digest-stunnel-4.04 @@ -0,0 +1 @@ +MD5 2fcdf0311a0ab8a3223293c706a84e97 stunnel-4.04.tar.gz 309072 diff --git a/net-misc/stunnel/files/stunnel-3.22-blinding.patch b/net-misc/stunnel/files/stunnel-3.22-blinding.patch new file mode 100644 index 000000000000..43587ed7dfa8 --- /dev/null +++ b/net-misc/stunnel/files/stunnel-3.22-blinding.patch 
@@ -0,0 +1,133 @@ +diff -cr stunnel-3.22/client.c stunnel-3.22.new/client.c +*** stunnel-3.22/client.c Sun Dec 23 11:41:32 2001 +--- stunnel-3.22.new/client.c Fri Mar 21 09:50:15 2003 +*************** +*** 252,257 **** +--- 252,262 ---- + c->error=1; + return; + } ++ /* Set blinding iff it's not built into our OpenSSL version */ ++ #if SSLEAY_VERSION_NUMBER <= 0x0090701fL ++ set_rsa_blinding(c->ssl); ++ #endif ++ + #if SSLEAY_VERSION_NUMBER >= 0x0922 + SSL_set_session_id_context(c->ssl, sid_ctx, strlen(sid_ctx)); + #endif +*************** +*** 939,943 **** +--- 944,980 ---- + if(setsockopt(fd, SOL_SOCKET, SO_LINGER, (void *)&l, sizeof(l))) + log_error(LOG_DEBUG, get_last_socket_error(), txt); + } ++ ++ int set_rsa_blinding(SSL *ssl) { ++ #ifndef NO_RSA ++ ++ /* Turn on blinding iff using RSA */ ++ ++ RSA *rsa; ++ EVP_PKEY *pkey; ++ ++ if ( (pkey = SSL_get_privatekey(ssl)) ) { ++ if ( (rsa = EVP_PKEY_get1_RSA(pkey)) ) { ++ if ( RSA_blinding_on(rsa,NULL) ) { ++ log(LOG_DEBUG, "RSA blinding enabled"); ++ } else { ++ log(LOG_ERR, "Unable to set RSA blinding"); ++ sslerror("RSA_blinding_on"); ++ exit(1); ++ } ++ /* EVP_PKEY_get1_RSA ups the count for rsa - free extra */ ++ RSA_free(rsa); ++ } else { ++ log(LOG_DEBUG, "Private key is not RSA, no blinding needed"); ++ } ++ } else { ++ log(LOG_ERR, "Unable to get access to the SSL private key."); ++ sslerror("SSL_get_privatekey"); ++ exit(1); ++ } ++ #endif ++ return(1); ++ } ++ + + /* End of client.c */ +diff -cr stunnel-3.22/prototypes.h stunnel-3.22.new/prototypes.h +*** stunnel-3.22/prototypes.h Sun Nov 11 11:16:01 2001 +--- stunnel-3.22.new/prototypes.h Fri Mar 21 09:54:55 2003 +*************** +*** 43,48 **** +--- 43,50 ---- + /* descriptor versions of fprintf/fscanf */ + int fdprintf(int, char *, ...); + int fdscanf(int, char *, char *); ++ #include <openssl/ssl.h> ++ int set_rsa_blinding(SSL *); + + /* Prototypes for log.c */ + +diff -cr stunnel-3.22/ssl.c stunnel-3.22.new/ssl.c +*** stunnel-3.22/ssl.c Sun Dec 23 
11:46:03 2001 +--- stunnel-3.22.new/ssl.c Fri Mar 21 09:57:45 2003 +*************** +*** 65,71 **** + #endif /* NO_RSA */ + static void verify_init(); + static int verify_callback(int, X509_STORE_CTX *); +! static void info_callback(SSL *, int, int); + static void print_stats(); + + SSL_CTX *ctx; /* global SSL context */ +--- 65,71 ---- + #endif /* NO_RSA */ + static void verify_init(); + static int verify_callback(int, X509_STORE_CTX *); +! static void info_callback(const SSL *, int, int); + static void print_stats(); + + SSL_CTX *ctx; /* global SSL context */ +*************** +*** 328,333 **** +--- 328,334 ---- + } + retval=longkey; + } ++ + leave_critical_section(CRIT_KEYGEN); + return retval; + } +*************** +*** 342,347 **** +--- 343,354 ---- + result=RSA_generate_key(keylen, RSA_F4, NULL); + #endif + log(LOG_DEBUG, "Temporary RSA key created"); ++ ++ /* Set blinding iff it's not built into our OpenSSL version */ ++ #if SSLEAY_VERSION_NUMBER <= 0x0090701fL ++ RSA_blinding_on(result,NULL); ++ #endif ++ + return result; + } + +*************** +*** 440,446 **** + return 1; /* Accept connection */ + } + +! static void info_callback(SSL *s, int where, int ret) { + if(where & SSL_CB_LOOP) + log(LOG_DEBUG, "SSL state (%s): %s", + where & SSL_ST_CONNECT ? "connect" : +--- 447,453 ---- + return 1; /* Accept connection */ + } + +! static void info_callback(const SSL *s, int where, int ret) { + if(where & SSL_CB_LOOP) + log(LOG_DEBUG, "SSL state (%s): %s", + where & SSL_ST_CONNECT ? "connect" : diff --git a/net-misc/stunnel/files/stunnel-4.04-blinding.patch b/net-misc/stunnel/files/stunnel-4.04-blinding.patch new file mode 100644 index 000000000000..44edbd388005 --- /dev/null +++ b/net-misc/stunnel/files/stunnel-4.04-blinding.patch 
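Review bot: `set_rsa_blinding` in the client.c hunk calls `exit(1)` when `SSL_get_privatekey` returns NULL or `RSA_blinding_on` fails, so a single per-connection failure terminates the whole daemon, whereas the surrounding code reports errors with `c->error=1; return;` (and the 4.04 version of the same patch with `return -1;`, where the prototype `void *client(void *)` looks like a thread entry point, making a process exit even more disruptive). I'd have the function return 0 on a blinding failure, treat a missing key as nothing to blind (`log(LOG_DEBUG, "No private key loaded, no blinding needed"); return(1);` — a client-mode connection plausibly has none), and check it at the call site with `if(!set_rsa_blinding(c->ssl)) { c->error=1; return; }`; stunnel-4.04-blinding.patch carries the identical function and needs the same change. The ssl.c temporary-key hunk in both patches ignores the return value of `RSA_blinding_on(result,NULL)` while client.c treats the same failure as fatal, so the two sites should agree on whether an unblinded key is acceptable. The `0x0090701fL` gate reads as OpenSSL 0.9.7a and earlier and is decided at compile time, so a comment such as `/* OpenSSL releases after 0.9.7a enable blinding themselves; rebuild after upgrading OpenSSL */` would help, and the unrelated `const SSL *` change to `info_callback` deserves a line in the patch header explaining why it is bundled here.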
@@ -0,0 +1,91 @@ +diff -cr stunnel-4.04/src/client.c stunnel-4.04.new/src/client.c +*** stunnel-4.04/src/client.c Wed Jan 1 11:04:39 2003 +--- stunnel-4.04.new/src/client.c Fri Mar 21 09:21:38 2003 +*************** +*** 234,239 **** +--- 234,246 ---- + sslerror("SSL_new"); + return -1; + } ++ ++ /* Set blinding iff it's not built into our OpenSSL version */ ++ #if SSLEAY_VERSION_NUMBER <= 0x0090701fL ++ set_rsa_blinding(c->ssl); ++ #endif ++ ++ + #if SSLEAY_VERSION_NUMBER >= 0x0922 + SSL_set_session_id_context(c->ssl, sid_ctx, strlen(sid_ctx)); + #endif +*************** +*** 913,917 **** +--- 920,957 ---- + if(setsockopt(fd, SOL_SOCKET, SO_LINGER, (void *)&l, sizeof(l))) + log_error(LOG_DEBUG, get_last_socket_error(), txt); + } ++ ++ ++ int set_rsa_blinding(SSL *ssl) { ++ #ifndef NO_RSA ++ ++ /* Turn on blinding iff using RSA */ ++ ++ RSA *rsa; ++ EVP_PKEY *pkey; ++ ++ if ( (pkey = SSL_get_privatekey(ssl)) ) { ++ if ( (rsa = EVP_PKEY_get1_RSA(pkey)) ) { ++ if ( RSA_blinding_on(rsa,NULL) ) { ++ log(LOG_DEBUG, "RSA blinding enabled"); ++ } else { ++ log(LOG_ERR, "Unable to set RSA blinding"); ++ sslerror("RSA_blinding_on"); ++ exit(1); ++ } ++ /* EVP_PKEY_get1_RSA ups the count for rsa - free extra */ ++ RSA_free(rsa); ++ } else { ++ log(LOG_DEBUG, "Private key is not RSA, no blinding needed"); ++ } ++ } else { ++ log(LOG_ERR, "Unable to get access to the SSL private key."); ++ sslerror("SSL_get_privatekey"); ++ exit(1); ++ } ++ #endif ++ return(1); ++ } ++ + + /* End of client.c */ +diff -cr stunnel-4.04/src/prototypes.h stunnel-4.04.new/src/prototypes.h +*** stunnel-4.04/src/prototypes.h Thu Mar 20 11:55:05 2003 +--- stunnel-4.04.new/src/prototypes.h Thu Mar 20 11:55:31 2003 +*************** +*** 242,247 **** +--- 242,248 ---- + + void *alloc_client_session(LOCAL_OPTIONS *, int, int); + void *client(void *); ++ int set_rsa_blinding(SSL *); + + /**************************************** Prototype for protocol.c */ + +diff -cr stunnel-4.04/src/ssl.c 
stunnel-4.04.new/src/ssl.c +*** stunnel-4.04/src/ssl.c Wed Jan 1 06:07:08 2003 +--- stunnel-4.04.new/src/ssl.c Fri Mar 21 09:18:28 2003 +*************** +*** 367,372 **** +--- 367,378 ---- + result=RSA_generate_key(keylen, RSA_F4, NULL); + #endif + log(LOG_DEBUG, "Temporary RSA key created"); ++ ++ /* Set blinding iff it's not built into our OpenSSL version */ ++ #if SSLEAY_VERSION_NUMBER <= 0x0090701fL ++ RSA_blinding_on(result,NULL); ++ #endif ++ + return result; + } + diff --git a/net-misc/stunnel/files/stunnel-4.04-gentoo.diff b/net-misc/stunnel/files/stunnel-4.04-gentoo.diff new file mode 100644 index 000000000000..b41de790e162 --- /dev/null +++ b/net-misc/stunnel/files/stunnel-4.04-gentoo.diff @@ -0,0 +1,12 @@ +--- tools/Makefile.in 2002-10-26 16:48:22.000000000 +0000 ++++ tools/Makefile.in 2002-10-26 16:48:38.000000000 +0000 +@@ -83,7 +83,7 @@ + + + confdir = $(sysconfdir)/stunnel +-conf_DATA = stunnel.conf-sample stunnel.pem ++conf_DATA = stunnel.conf-sample + + docdir = $(datadir)/doc/stunnel + examplesdir = $(docdir)/examples + diff --git a/net-misc/stunnel/stunnel-3.22-r2.ebuild b/net-misc/stunnel/stunnel-3.22-r2.ebuild new file mode 100644 index 000000000000..162aa4fba00e --- /dev/null +++ b/net-misc/stunnel/stunnel-3.22-r2.ebuild 
@@ -0,0 +1,34 @@ +# Copyright 1999-2003 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-misc/stunnel/stunnel-3.22-r2.ebuild,v 1.1 2003/03/25 10:25:27 aliz Exp $ + +inherit eutils + +S=${WORKDIR}/${P} +DESCRIPTION="TSL/SSL - Port Wrapper" +SRC_URI="http://www.stunnel.org/download/stunnel/src/${P}.tar.gz" +HOMEPAGE="http://www.stunnel.org/" +DEPEND="virtual/glibc >=dev-libs/openssl-0.9.6c" +RDEPEND=">=dev-libs/openssl-0.9.6c" +KEYWORDS="x86 sparc " +LICENSE="GPL-2" +SLOT="0" + +src_unpack() { + unpack ${A}; cd ${S} + epatch ${FILESDIR}/${P}-gentoo.diff + epatch ${FILESDIR}/${P}-blinding.patch +} + +src_compile() { + ./configure --prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man || die + emake || die +} + +src_install() { + into /usr + dosbin stunnel + dodoc FAQ README HISTORY COPYING BUGS PORTS TODO transproxy.txt + doman stunnel.8 + dolib.so stunnel.so +} diff --git a/net-misc/stunnel/stunnel-4.04.ebuild b/net-misc/stunnel/stunnel-4.04.ebuild new file mode 100644 index 000000000000..143641445ab4 --- /dev/null +++ b/net-misc/stunnel/stunnel-4.04.ebuild 
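Review bot: src_compile hand-rolls `./configure --prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man || die` where `econf || die` — the form the commented-out src_compile in stunnel-4.04.ebuild in this same commit uses — supplies the same prefix, infodir and mandir arguments and keeps the ebuild in step with the default phase. `KEYWORDS="x86 sparc "` carries a trailing space and marks the revision stable immediately, which is reasonable for a security update but worth stating in the ChangeLog entry so the skipped testing period reads as deliberate. src_unpack also applies `${FILESDIR}/${P}-gentoo.diff`, which is not part of this commit, so I assume it already exists under files/ from the earlier revision.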
@@ -0,0 +1,56 @@ +# Copyright 1999-2003 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-misc/stunnel/stunnel-4.04.ebuild,v 1.1 2003/03/25 10:25:27 aliz Exp $ + +inherit eutils + +S=${WORKDIR}/${P} +DESCRIPTION="TSL/SSL - Port Wrapper" +SRC_URI="http://www.stunnel.org/download/stunnel/src/${P}.tar.gz" +HOMEPAGE="http://stunnel.mirt.net" +DEPEND="virtual/glibc >=dev-libs/openssl-0.9.6c" +RDEPEND=">=dev-libs/openssl-0.9.6c" +KEYWORDS="~x86 ~sparc " +LICENSE="GPL-2" +SLOT="0" + +src_unpack() { + unpack ${A}; cd ${S} + epatch ${FILESDIR}/${PF}-gentoo.diff + epatch ${FILESDIR}/${P}-blinding.patch +} + +#src_compile() { +# econf || die +# emake || die +#} + +src_install() { + into /usr + dosbin src/stunnel + dodoc AUTHORS BUGS COPYING COPYRIGHT.GPL CREDITS INSTALL NEWS PORTS README TODO + dodoc doc/en/transproxy.txt + dohtml doc/stunnel.html doc/en/VNC_StunnelHOWTO.html tools/ca.html tools/importCA.html + doman doc/stunnel.8 + + insinto /usr/share/doc/${PF} + doins tools/ca.pl tools/importCA.sh + + exeinto /etc/init.d + newexe ${FILESDIR}/stunnel.rc6 stunnel + + dolib src/.libs/libstunnel.la + dolib.so src/.libs/libstunnel.so + + insinto /etc/stunnel + doins ${FILESDIR}/stunnel.conf + + dosed "s:/usr/etc/stunnel:/etc/stunnel:" /etc/stunnel/stunnel.conf + + dodir /etc/stunnel +} + +pkg_postinst() { + einfo "Starting from version 4 stunnel now uses a configuration file for setting up stunnels." + einfo "Stunnel can now also be run as a daemon" +} |
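Review bot: The stunnel-4.04-gentoo.diff in this commit stops installing the sample `stunnel.pem`, and the ebuild installs `${FILESDIR}/stunnel.conf` into /etc/stunnel, but pkg_postinst says nothing about the certificate, so the first start presumably fails until the admin creates a key and certificate and points the config at them; add `einfo "No certificate is installed: create your own key/certificate and set its path in /etc/stunnel/stunnel.conf"` (split across einfo lines like the existing messages). The commented-out src_compile block is dead code and should be dropped rather than left as a comment, since the ebuild presumably relies on the default phase anyway. In src_install, `dodir /etc/stunnel` after the `insinto /etc/stunnel` / `doins` pair is redundant, and `dosed` rewrites a file the ebuild ships itself, so the `/usr/etc/stunnel` to `/etc/stunnel` substitution could simply be made in files/stunnel.conf.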