
[meta-networking,26/26] stunnel: upgrade 5.69 -> 5.72

Message ID 1709714608-19296-26-git-send-email-wangmy@fujitsu.com
State Accepted
Series [meta-oe,01/26] abseil-cpp: upgrade 20230802.1 -> 20240116.1 | expand

Commit Message

Mingyu Wang (Fujitsu) March 6, 2024, 8:43 a.m. UTC
From: Wang Mingyu <wangmy@fujitsu.com>

fix-openssl-no-des.patch
refreshed for 5.72

License-Update: Copyright year updated to 2024.

Changelog:
===========
* Security bugfixes
  - OpenSSL DLLs updated to version 3.2.1.
  - OpenSSL FIPS Provider updated to version 3.0.8.
* Bugfixes
  - Fixed SSL_CTX_new() errors handling.
  - Fixed OPENSSL_NO_PSK builds.
  - Android build updated for NDK r23c.
  - stunnel.nsi updated for Debian 12.
  - Fixed tests with OpenSSL older than 1.0.2.
  - Fixed the console output of tstunnel.exe.
  - Fixed TLS socket EOF handling with OpenSSL 3.x.
    This bug caused major interoperability issues between
    stunnel built with OpenSSL 3.x and Microsoft's
    Schannel Security Support Provider (SSP).
  - Fixed reading certificate chains from PKCS#12 files.
* Features sponsored by SAE IT-systems
  - OCSP stapling is requested and verified in the client mode.
  - Using "verifyChain" automatically enables OCSP
    stapling in the client mode.
  - OCSP stapling is always available in the server mode.
  - An inconclusive OCSP verification breaks TLS negotiation.
    This can be disabled with "OCSPrequire = no".
  - Added the "TIMEOUTocsp" option to control the maximum
    time allowed for connecting an OCSP responder.
* Features
  - Added support for Red Hat OpenSSL 3.x patches.
  - Added configurable delay for the "retry" option.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
---
 .../stunnel/stunnel/fix-openssl-no-des.patch  | 34 ++++++++++---------
 .../{stunnel_5.69.bb => stunnel_5.72.bb}      |  4 +--
 2 files changed, 20 insertions(+), 18 deletions(-)
 rename meta-networking/recipes-support/stunnel/{stunnel_5.69.bb => stunnel_5.72.bb} (87%)

Patch

diff --git a/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch b/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch
index 0840cbbd8..82d355101 100644
--- a/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch
+++ b/meta-networking/recipes-support/stunnel/stunnel/fix-openssl-no-des.patch
@@ -11,17 +11,16 @@  failed. Fix it by checking macro OPENSSL_NO_DES to use openssl des related
 library conditionaly.
 
 Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
 ---
  src/common.h   | 2 ++
  src/protocol.c | 6 +++---
  2 files changed, 5 insertions(+), 3 deletions(-)
 
 diff --git a/src/common.h b/src/common.h
-index bc37eb5..03ee3e5 100644
+index 2b4869f..180d31a 100644
 --- a/src/common.h
 +++ b/src/common.h
-@@ -486,7 +486,9 @@ extern char *sys_errlist[];
+@@ -492,7 +492,9 @@ extern char *sys_errlist[];
  #ifndef OPENSSL_NO_MD4
  #include <openssl/md4.h>
  #endif /* !defined(OPENSSL_NO_MD4) */
@@ -32,29 +31,29 @@  index bc37eb5..03ee3e5 100644
  #include <openssl/dh.h>
  #if OPENSSL_VERSION_NUMBER<0x10100000L
 diff --git a/src/protocol.c b/src/protocol.c
-index 804f115..d9b2b50 100644
+index cfe6d3b..3936aea 100644
 --- a/src/protocol.c
 +++ b/src/protocol.c
-@@ -66,7 +66,7 @@ NOEXPORT char *nntp_client(CLI *, SERVICE_OPTIONS *, const PHASE);
- NOEXPORT char *ldap_client(CLI *, SERVICE_OPTIONS *, const PHASE);
- NOEXPORT char *connect_server(CLI *, SERVICE_OPTIONS *, const PHASE);
- NOEXPORT char *connect_client(CLI *, SERVICE_OPTIONS *, const PHASE);
+@@ -81,7 +81,7 @@ NOEXPORT void ldap_client_middle(CLI *);
+ 
+ NOEXPORT void connect_server_early(CLI *);
+ NOEXPORT void connect_client_middle(CLI *);
 -#ifndef OPENSSL_NO_MD4
 +#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DES)
- NOEXPORT void ntlm(CLI *, SERVICE_OPTIONS *);
+ NOEXPORT void ntlm(CLI *);
  NOEXPORT char *ntlm1(void);
  NOEXPORT char *ntlm3(char *, char *, char *, char *);
-@@ -1351,7 +1351,7 @@ NOEXPORT char *connect_client(CLI *c, SERVICE_OPTIONS *opt, const PHASE phase) {
-     fd_printf(c, c->remote_fd.fd, "Host: %s", opt->protocol_host);
-     if(opt->protocol_username && opt->protocol_password) {
-         if(!strcasecmp(opt->protocol_authentication, "ntlm")) {
+@@ -1331,7 +1331,7 @@ NOEXPORT void connect_client_middle(CLI *c) {
+     fd_printf(c, c->remote_fd.fd, "Host: %s", c->opt->protocol_host);
+     if(c->opt->protocol_username && c->opt->protocol_password) {
+         if(!strcasecmp(c->opt->protocol_authentication, "ntlm")) {
 -#ifndef OPENSSL_NO_MD4
 +#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DES)
-             ntlm(c, opt);
+             ntlm(c);
  #else
              s_log(LOG_ERR, "NTLM authentication is not available");
-@@ -1395,7 +1395,7 @@ NOEXPORT char *connect_client(CLI *c, SERVICE_OPTIONS *opt, const PHASE phase) {
-     return NULL;
+@@ -1374,7 +1374,7 @@ NOEXPORT void connect_client_middle(CLI *c) {
+     str_free(line);
  }
  
 -#ifndef OPENSSL_NO_MD4
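Review bot: The refreshed guards `#if !defined(OPENSSL_NO_MD4) && !defined(OPENSSL_NO_DES)` in src/protocol.c (before the `ntlm` prototypes, around the `ntlm(c)` call in `connect_client_middle`, and before the NTLM implementation) carry no comment saying why DES is part of the condition. Only the patch description explains it, so a later refresh has nothing in the code to check against. I would add `/* NTLM needs both MD4 and DES from OpenSSL */` above the first guard. The matching `#endif` lines and the rest of `connect_client_middle` are outside the hunk, so I cannot confirm that their trailing comments name both macros; if they still read `!defined(OPENSSL_NO_MD4)` they should be updated to match. On a DES-less OpenSSL, the visible `#else` branch means a service configured for NTLM proxy authentication fails only at connect time, with `s_log(LOG_ERR, "NTLM authentication is not available")`, which is worth a line in the patch description.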
@@ -62,3 +61,6 @@  index 804f115..d9b2b50 100644
  
  /*
   * NTLM code is based on the following documentation:
+-- 
+2.34.1
+
diff --git a/meta-networking/recipes-support/stunnel/stunnel_5.69.bb b/meta-networking/recipes-support/stunnel/stunnel_5.72.bb
similarity index 87%
rename from meta-networking/recipes-support/stunnel/stunnel_5.69.bb
rename to meta-networking/recipes-support/stunnel/stunnel_5.72.bb
index 816152973..6d21027a1 100644
--- a/meta-networking/recipes-support/stunnel/stunnel_5.69.bb
+++ b/meta-networking/recipes-support/stunnel/stunnel_5.72.bb
@@ -3,7 +3,7 @@  DESCRIPTION = "SSL encryption wrapper between remote client and local (inetd-sta
 HOMEPAGE = "https://www.stunnel.org/"
 SECTION = "net"
 LICENSE = "GPL-2.0-or-later"
-LIC_FILES_CHKSUM = "file://COPYING.md;md5=b4988f33f70b383b3011c4ede0a679ce"
+LIC_FILES_CHKSUM = "file://COPYING.md;md5=906ac034adaee9d093318e51b53453ca"
 
 DEPENDS = "autoconf-archive libnsl2 openssl"
 
@@ -11,7 +11,7 @@  SRC_URI = "https://stunnel.org/archive/5.x/${BP}.tar.gz \
            file://fix-openssl-no-des.patch \
 "
 
-SRC_URI[sha256sum] = "1ff7d9f30884c75b98c8a0a4e1534fa79adcada2322635e6787337b4e38fdb81"
+SRC_URI[sha256sum] = "3d532941281ae353319735144e4adb9ae489a10b7e309c58a48157f08f42e949"
 
 inherit autotools bash-completion pkgconfig