diff options
Diffstat (limited to 'community/stunnel')
-rw-r--r-- | community/stunnel/APKBUILD | 35 | ||||
-rw-r--r-- | community/stunnel/stunnel-libressl.patch | 254 |
2 files changed, 47 insertions, 242 deletions
diff --git a/community/stunnel/APKBUILD b/community/stunnel/APKBUILD index 10ffece1ff..a67d1d9b75 100644 --- a/community/stunnel/APKBUILD +++ b/community/stunnel/APKBUILD @@ -3,13 +3,12 @@ # Contributor: Jakub Jirutka <jakub@jirutka.cz> # Maintainer: Jakub Jirutka <jakub@jirutka.cz> pkgname=stunnel -pkgver=5.38 -pkgrel=1 +pkgver=5.42 +pkgrel=0 pkgdesc="SSL encryption wrapper between network client and server." url="http://www.stunnel.org/" arch="all" license="GPL2+ with OpenSSL exception" -depends="" makedepends="libressl-dev" subpackages="$pkgname-doc" install="$pkgname.pre-install" @@ -28,35 +27,29 @@ build() { --sysconfdir=/etc \ --mandir=/usr/share/man \ --localstatedir=/var \ - --disable-fips \ - || return 1 - make || return 1 + --disable-fips + make } -package() { +check() { cd "$builddir" + make check +} - make DESTDIR="$pkgdir" install || return 1 - +package() { + cd "$builddir" + make DESTDIR="$pkgdir" install install -Dm755 "$srcdir"/stunnel.initd \ - "$pkgdir"/etc/init.d/stunnel || return 1 + "$pkgdir"/etc/init.d/stunnel install -m644 "$srcdir"/stunnel.conf \ - "$pkgdir"/etc/stunnel/stunnel.conf || return 1 + "$pkgdir"/etc/stunnel/stunnel.conf mkdir -p "$pkgdir"/usr/share/doc/$pkgname/examples/ mv "$pkgdir"/etc/stunnel/stunnel.conf-sample \ "$pkgdir"/usr/share/doc/$pkgname/examples/ } -md5sums="4f91715f097da5f061eb0c8b635ad440 stunnel-5.38.tar.gz -35509eaaee3f0c6a56d5ec16cf0588bc stunnel-libressl.patch -da32978d82c03158d7b947e10b1ba284 stunnel.initd -f1227c57d136eb7db3853844f683916a stunnel.conf" -sha256sums="09ada29ba1683ab1fd1f31d7bed8305127a0876537e836a40cb83851da034fd5 stunnel-5.38.tar.gz -faf9e52e13008b6dc1c62e34871c30e885358c4684a166ceaf287960f975daf4 stunnel-libressl.patch -01c7c7f43cebb299659cd344a98bc64418d516f6530d0b24772d70bb1d56847e stunnel.initd -42971d32e5e79490564d2f71d6a47bbe4aaabd740ba75b75e38207ea0845fec1 stunnel.conf" -sha512sums="29adae28955639ab7732ff0d7ea3c097211babcd0c8932717c582f5e38279811a0a209f1daa2c6a22cf69ef28b8b67439038625ba58683c268c322b19e43ac58 stunnel-5.38.tar.gz -e80afff73159b9b702d5cce9d38325829f09018a349f69678a02828d64b5f054ea216b2011d1dff6a76076947daa60f1a5b26f3ca9747ebb10c730b3c78d1d21 stunnel-libressl.patch +sha512sums="875af19e8a4fa8e983e98d3e6bea198b789bea9b18933ed74aa1f9ce6922e4c4dd3a4ccae3b74c12de30c39b68c3210c9adb7cd228c7fefc28dff258dcdb4968 stunnel-5.42.tar.gz +43bb220856b6f1ce04a5f30f7482c135043310962867ac4b7e5505f2347dd3c205738ea3a72a48dfa71f040060c3c1080ef06dd15053122ba720053bb49cdd6c stunnel-libressl.patch 33e215413e08fdd5783cc76e6ba6a2342fb6d0573f801815c4d3022625e71be6c9739d47a7a61bf7c803f27911b9c92cf6ae3e522add040f83802e1aaeaee000 stunnel.initd a72bfddeb74787d58c9fd24782d86c0498ce3530a43fbdd4ec4c4b57baa6257b6ef21005aca274b22c4a22cdbbbcee63dd3d841f458af248db9c69e8d59fa56f stunnel.conf" diff --git a/community/stunnel/stunnel-libressl.patch b/community/stunnel/stunnel-libressl.patch index 16134e283f..c4f6dda772 100644 --- a/community/stunnel/stunnel-libressl.patch +++ b/community/stunnel/stunnel-libressl.patch @@ -1,7 +1,6 @@ -diff --git a/src/common.h b/src/common.h -index f7d38b0..6b81341 100644 ---- a/src/common.h -+++ b/src/common.h +$OpenBSD: patch-src_common_h,v 1.1 2016/11/09 23:14:31 gsoares Exp $ +--- a/src/common.h.orig Mon Jun 27 04:29:32 2016 ++++ b/src/common.h Thu Nov 3 23:57:29 2016 @@ -448,7 +448,7 @@ extern char *sys_errlist[]; #define OPENSSL_NO_TLS1_2 #endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */ @@ -20,11 +19,20 @@ index f7d38b0..6b81341 100644 int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); #endif /* OpenSSL older than 1.1.0 */ #endif /* !defined(OPENSSL_NO_DH) */ -diff --git a/src/ctx.c b/src/ctx.c -index 5b282e9..7984f32 100644 ---- a/src/ctx.c +$OpenBSD: patch-src_ctx_c,v 1.5 2017/09/12 16:15:24 gsoares Exp $ +Index: src/ctx.c +--- a/src/ctx.c.orig +++ b/src/ctx.c -@@ -366,7 +366,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) { +@@ -295,7 +295,7 @@ NOEXPORT int matches_wildcard(char *servername, char * + + #ifndef OPENSSL_NO_DH + +-#if OPENSSL_VERSION_NUMBER<0x10100000L ++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + NOEXPORT STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx) { + return ctx->cipher_list; + } +@@ -398,7 +398,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) { /**************************************** initialize OpenSSL CONF */ NOEXPORT int conf_init(SERVICE_OPTIONS *section) { @@ -33,89 +41,20 @@ index 5b282e9..7984f32 100644 SSL_CONF_CTX *cctx; NAME_LIST *curr; char *cmd, *param; -diff --git a/src/options.c b/src/options.c -index 6727226..d1bae90 100644 ---- a/src/options.c -+++ b/src/options.c -@@ -1291,7 +1291,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, - break; - } - --#if OPENSSL_VERSION_NUMBER>=0x10002000L -+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) - - /* checkEmail */ - switch(cmd) { -@@ -1428,7 +1428,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, - break; - } - --#if OPENSSL_VERSION_NUMBER>=0x10002000L -+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) - - /* config */ - switch(cmd) { -@@ -2617,7 +2617,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, - /* sslVersion */ - switch(cmd) { - case CMD_BEGIN: --#if OPENSSL_VERSION_NUMBER>=0x10100000L -+#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - section->client_method=(SSL_METHOD *)TLS_client_method(); - section->server_method=(SSL_METHOD *)TLS_server_method(); - #else -@@ -2629,7 +2629,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, - if(strcasecmp(opt, "sslVersion")) - break; - if(!strcasecmp(arg, "all")) { --#if OPENSSL_VERSION_NUMBER>=0x10100000L -+#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - section->client_method=(SSL_METHOD *)TLS_client_method(); - section->server_method=(SSL_METHOD *)TLS_server_method(); - #else -diff --git a/src/prototypes.h b/src/prototypes.h -index 182c764..d57aff2 100644 ---- a/src/prototypes.h -+++ b/src/prototypes.h -@@ -206,7 +206,7 @@ typedef struct service_options_struct { - char *ocsp_url; - unsigned long ocsp_flags; - #endif /* !defined(OPENSSL_NO_OCSP) */ --#if OPENSSL_VERSION_NUMBER>=0x10002000L -+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) - NAME_LIST *check_host, *check_email, *check_ip; /* cert subject checks */ - NAME_LIST *config; /* OpenSSL CONF options */ - #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ -@@ -650,13 +650,13 @@ typedef enum { - #endif /* OPENSSL_NO_DH */ - STUNNEL_LOCKS /* number of locks */ - } LOCK_TYPE; --#if OPENSSL_VERSION_NUMBER < 0x10100004L -+#if OPENSSL_VERSION_NUMBER < 0x10100004L || defined(LIBRESSL_VERSION_NUMBER) - typedef int STUNNEL_RWLOCK; - #else - typedef CRYPTO_RWLOCK *STUNNEL_RWLOCK; - #endif - extern STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS]; --#if OPENSSL_VERSION_NUMBER>=0x10100004L -+#if OPENSSL_VERSION_NUMBER>=0x10100004L && !defined(LIBRESSL_VERSION_NUMBER) - #define CRYPTO_THREAD_read_unlock(type) CRYPTO_THREAD_unlock(type) - #define CRYPTO_THREAD_write_unlock(type) CRYPTO_THREAD_unlock(type) - #else -diff --git a/src/ssl.c b/src/ssl.c -index ba30d75..29c423d 100644 ---- a/src/ssl.c +$OpenBSD: patch-src_ssl_c,v 1.6 2017/09/12 16:15:24 gsoares Exp $ +Index: src/ssl.c +--- a/src/ssl.c.orig +++ b/src/ssl.c -@@ -50,7 +50,7 @@ NOEXPORT int add_rand_file(GLOBAL_OPTIONS *, const char *); - int index_cli, index_opt, index_redirect, index_addr; +@@ -51,7 +51,7 @@ int index_ssl_cli, index_ssl_ctx_opt; + int index_session_authenticated, index_session_connect_address; - int ssl_init(void) { /* init SSL before parsing configuration file */ + int ssl_init(void) { /* init TLS before parsing configuration file */ -#if OPENSSL_VERSION_NUMBER>=0x10100000L +#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); #else -@@ -83,7 +83,7 @@ int ssl_init(void) { /* init SSL before parsing configuration file */ +@@ -86,7 +86,7 @@ int ssl_init(void) { /* init TLS before parsing config } #ifndef OPENSSL_NO_DH @@ -124,156 +63,29 @@ index ba30d75..29c423d 100644 /* this is needed for dhparam.c generated with OpenSSL >= 1.1.0 * to be linked against the older versions */ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) { -@@ -118,7 +118,7 @@ int ssl_configure(GLOBAL_OPTIONS *global) { /* configure global SSL settings */ - if(FIPS_mode()!=global->option.fips) { - RAND_set_rand_method(NULL); /* reset RAND methods */ - if(!FIPS_mode_set(global->option.fips)) { --#if OPENSSL_VERSION_NUMBER>=0x10100000L -+#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); - #else - ERR_load_crypto_strings(); -@@ -177,7 +177,7 @@ NOEXPORT int compression_init(GLOBAL_OPTIONS *global) { - if(global->compression==COMP_ZLIB) { - /* 224 - within the private range (193 to 255) */ - COMP_METHOD *meth=COMP_zlib(); --#if OPENSSL_VERSION_NUMBER>=0x10100000L -+#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - if(!meth || COMP_get_type(meth)==NID_undef) { - #else - if(!meth || meth->type==NID_undef) { -diff --git a/src/sthreads.c b/src/sthreads.c -index 4e4e0e9..f61f230 100644 ---- a/src/sthreads.c +$OpenBSD: patch-src_sthreads_c,v 1.3 2017/09/12 16:15:24 gsoares Exp $ +Index: src/sthreads.c +--- a/src/sthreads.c.orig +++ b/src/sthreads.c -@@ -45,7 +45,7 @@ +@@ -216,7 +216,7 @@ void stunnel_rwlock_destroy_debug(struct CRYPTO_dynloc - STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS]; + struct CRYPTO_dynlock_value stunnel_locks[STUNNEL_LOCKS]; -#if OPENSSL_VERSION_NUMBER<0x10100004L +#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) #define CRYPTO_THREAD_lock_new() CRYPTO_get_new_dynlockid() #endif -@@ -203,7 +203,7 @@ int create_client(SOCKET ls, SOCKET s, CLI *arg, void *(*cli)(void *)) { - - #ifdef USE_PTHREAD - --#if OPENSSL_VERSION_NUMBER<0x10100004L -+#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) - - struct CRYPTO_dynlock_value { - pthread_rwlock_t rwlock; -@@ -263,7 +263,8 @@ unsigned long stunnel_thread_id(void) { - #endif - } - --#if OPENSSL_VERSION_NUMBER>=0x10000000L && OPENSSL_VERSION_NUMBER<0x10100004L -+#if OPENSSL_VERSION_NUMBER>=0x10000000L && \ -+ (OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)) - NOEXPORT void threadid_func(CRYPTO_THREADID *tid) { - CRYPTO_THREADID_set_numeric(tid, stunnel_thread_id()); - } -@@ -272,7 +273,7 @@ NOEXPORT void threadid_func(CRYPTO_THREADID *tid) { - int sthreads_init(void) { - int i; - --#if OPENSSL_VERSION_NUMBER<0x10100004L -+#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) - /* initialize the OpenSSL dynamic locking */ - CRYPTO_set_dynlock_create_callback(dyn_create_function); - CRYPTO_set_dynlock_lock_callback(dyn_lock_function); -@@ -345,7 +346,7 @@ int create_client(SOCKET ls, SOCKET s, CLI *arg, void *(*cli)(void *)) { - * but it is unsupported on Windows XP (and earlier versions of Windows): - * https://msdn.microsoft.com/en-us/library/windows/desktop/aa904937%28v=vs.85%29.aspx */ - --#if OPENSSL_VERSION_NUMBER<0x10100004L -+#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) - - struct CRYPTO_dynlock_value { - CRITICAL_SECTION mutex; -@@ -398,7 +399,7 @@ unsigned long stunnel_thread_id(void) { - int sthreads_init(void) { - int i; - --#if OPENSSL_VERSION_NUMBER<0x10100004L -+#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) - /* initialize the OpenSSL dynamic locking */ - CRYPTO_set_dynlock_create_callback(dyn_create_function); - CRYPTO_set_dynlock_lock_callback(dyn_lock_function); -diff --git a/src/verify.c b/src/verify.c -index 9fc0ff9..5c7ff26 100644 ---- a/src/verify.c +$OpenBSD: patch-src_verify_c,v 1.6 2017/09/12 16:15:24 gsoares Exp $ +Index: src/verify.c +--- a/src/verify.c.orig +++ b/src/verify.c -@@ -51,7 +51,7 @@ NOEXPORT int add_dir_lookup(X509_STORE *, char *); - NOEXPORT int verify_callback(int, X509_STORE_CTX *); - NOEXPORT int verify_checks(CLI *, int, X509_STORE_CTX *); - NOEXPORT int cert_check(CLI *, X509_STORE_CTX *, int); --#if OPENSSL_VERSION_NUMBER>=0x10002000L -+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) - NOEXPORT int cert_check_subject(CLI *, X509_STORE_CTX *); - #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ - NOEXPORT int cert_check_local(X509_STORE_CTX *); -@@ -120,7 +120,7 @@ NOEXPORT int crl_init(SERVICE_OPTIONS *section) { - return 1; /* FAILED */ - } - if(section->crl_dir) { --#if OPENSSL_VERSION_NUMBER<0x10100000L -+#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - /* do not cache CRLs (only required with OpenSSL version < 1.0.0) */ - store->cache=0; - #endif -@@ -178,7 +178,7 @@ NOEXPORT void auth_warnings(SERVICE_OPTIONS *section) { - if(section->option.verify_peer) /* verify_peer does not depend on PKI */ - return; - if(section->option.verify_chain) { --#if OPENSSL_VERSION_NUMBER>=0x10002000L -+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) - if(section->check_email || section->check_host || section->check_ip) - return; - #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ -@@ -277,7 +277,7 @@ NOEXPORT int cert_check(CLI *c, X509_STORE_CTX *callback_ctx, - } - - if(depth==0) { /* additional peer certificate checks */ --#if OPENSSL_VERSION_NUMBER>=0x10002000L -+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) - if(!cert_check_subject(c, callback_ctx)) - return 0; /* reject */ - #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ -@@ -288,7 +288,7 @@ NOEXPORT int cert_check(CLI *c, X509_STORE_CTX *callback_ctx, - return 1; /* accept */ - } - --#if OPENSSL_VERSION_NUMBER>=0x10002000L -+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) - NOEXPORT int cert_check_subject(CLI *c, X509_STORE_CTX *callback_ctx) { - X509 *cert=X509_STORE_CTX_get_current_cert(callback_ctx); - NAME_LIST *ptr; -@@ -340,7 +340,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback_ctx) { - STACK_OF(X509) *sk; - int i; - #endif --#if OPENSSL_VERSION_NUMBER<0x10100000L -+#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - X509_OBJECT obj; - int success; - #endif -@@ -349,7 +349,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback_ctx) { +@@ -353,7 +353,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback + cert=X509_STORE_CTX_get_current_cert(callback_ctx); subject=X509_get_subject_name(cert); - #if OPENSSL_VERSION_NUMBER>=0x10000000L -#if OPENSSL_VERSION_NUMBER<0x10100006L +#if OPENSSL_VERSION_NUMBER<0x10100006L || defined(LIBRESSL_VERSION_NUMBER) #define X509_STORE_CTX_get1_certs X509_STORE_get1_certs #endif /* modern API allows retrieving multiple matching certificates */ -@@ -364,7 +364,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback_ctx) { - } - #endif - --#if OPENSSL_VERSION_NUMBER<0x10100000L -+#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - /* pre-1.0.0 API only returns a single matching certificate */ - /* we also invoke it for other OpenSSL versions before 1.1.0 */ - memset((char *)&obj, 0, sizeof obj); |