Hello community, here is the log from the commit of package stunnel for openSUSE:Factory checked in at 2017-04-06 11:02:30 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/stunnel (Old) and /work/SRC/openSUSE:Factory/.stunnel.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "stunnel" Thu Apr 6 11:02:30 2017 rev:6 rq:484794 version:5.41 Changes: -------- --- /work/SRC/openSUSE:Factory/stunnel/stunnel.changes 2017-02-13 07:51:19.095408021 +0100 +++ /work/SRC/openSUSE:Factory/.stunnel.new/stunnel.changes 2017-04-06 11:02:31.480408094 +0200 @@ -1,0 +2,5 @@ +Sat Apr 1 19:07:51 UTC 2017 - michael@stroeder.com + +- update to version 5.41 + +------------------------------------------------------------------- Old: ---- stunnel-5.40.tar.gz New: ---- stunnel-5.41.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ stunnel.spec ++++++ --- /var/tmp/diff_new_pack.PE9ETQ/_old 2017-04-06 11:02:32.312290519 +0200 +++ /var/tmp/diff_new_pack.PE9ETQ/_new 2017-04-06 11:02:32.312290519 +0200 @@ -17,7 +17,7 @@ Name: stunnel -Version: 5.40 +Version: 5.41 Release: 0 Summary: Universal SSL Tunnel License: GPL-2.0+ ++++++ stunnel-5.40.tar.gz -> stunnel-5.41.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/ChangeLog new/stunnel-5.41/ChangeLog --- old/stunnel-5.40/ChangeLog 2017-01-28 10:48:18.000000000 +0100 +++ new/stunnel-5.41/ChangeLog 2017-04-01 11:30:08.000000000 +0200 
@@ -1,5 +1,17 @@ stunnel change log +Version 5.41, 2017.04.01, urgency: MEDIUM +* New features + - PKCS#11 engine DLL updated to version 0.4.5. + - Default engine UI set with ENGINE_CTRL_SET_USER_INTERFACE. + - Key file name added into the passphrase console prompt. + - Performance optimization in memory leak detection. +* Bugfixes + - Fixed crashes with the OpenSSL 1.1.0 branch. + - Fixed certificate verification with "verifyPeer = yes" + and "verifyChain = no" (the default), while the peer + only returns a single certificate. + Version 5.40, 2017.01.28, urgency: HIGH * Security bugfixes - OpenSSL DLLs updated to version 1.0.2k. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/build-android.sh new/stunnel-5.41/build-android.sh --- old/stunnel-5.40/build-android.sh 2017-01-02 15:27:26.000000000 +0100 +++ new/stunnel-5.41/build-android.sh 2017-02-02 15:22:22.000000000 +0100 @@ -1,6 +1,6 @@ #!/bin/sh set -ev -VERSION=5.40 +VERSION=5.41 DST=stunnel-$VERSION-android # to build OpenSSL: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/configure new/stunnel-5.41/configure --- old/stunnel-5.40/configure 2017-01-16 21:10:40.000000000 +0100 +++ new/stunnel-5.41/configure 2017-02-02 15:04:32.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for stunnel 5.40. +# Generated by GNU Autoconf 2.69 for stunnel 5.41. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='stunnel' PACKAGE_TARNAME='stunnel' -PACKAGE_VERSION='5.40' -PACKAGE_STRING='stunnel 5.40' +PACKAGE_VERSION='5.41' +PACKAGE_STRING='stunnel 5.41' PACKAGE_BUGREPORT='' PACKAGE_URL='' 
@@ -1326,7 +1326,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures stunnel 5.40 to adapt to many kinds of systems. +\`configure' configures stunnel 5.41 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1396,7 +1396,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of stunnel 5.40:";; + short | recursive ) echo "Configuration of stunnel 5.41:";; esac cat <<\_ACEOF @@ -1510,7 +1510,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -stunnel configure 5.40 +stunnel configure 5.41 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2116,7 +2116,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by stunnel $as_me 5.40, which was +It was created by stunnel $as_me 5.41, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2985,7 +2985,7 @@ # Define the identity of the package. PACKAGE='stunnel' - VERSION='5.40' + VERSION='5.41' cat >>confdefs.h <<_ACEOF @@ -15772,7 +15772,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by stunnel $as_me 5.40, which was +This file was extended by stunnel $as_me 5.41, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -15838,7 +15838,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -stunnel config.status 5.40 +stunnel config.status 5.41 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/configure.ac new/stunnel-5.41/configure.ac --- old/stunnel-5.40/configure.ac 2017-01-02 15:27:26.000000000 +0100 +++ new/stunnel-5.41/configure.ac 2017-02-02 15:04:22.000000000 +0100 @@ -1,6 +1,6 @@ # Process this file with autoconf to produce a configure script. -AC_INIT([stunnel],[5.40]) +AC_INIT([stunnel],[5.41]) AC_MSG_NOTICE([**************************************** initialization]) AC_CONFIG_AUX_DIR(auto) AC_CONFIG_MACRO_DIR([m4]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/doc/stunnel.8.in new/stunnel-5.41/doc/stunnel.8.in --- old/stunnel-5.40/doc/stunnel.8.in 2017-01-19 09:57:12.000000000 +0100 +++ new/stunnel-5.41/doc/stunnel.8.in 2017-04-01 13:39:19.000000000 +0200 @@ -71,7 +71,7 @@ .\" ======================================================================== .\" .IX Title "stunnel 8" -.TH stunnel 8 "2017.01.19" "5.40" "stunnel TLS Proxy" +.TH stunnel 8 "2017.04.01" "5.41" "stunnel TLS Proxy" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -377,20 +377,23 @@ c_rehash the directory on upgrade from \fBOpenSSL 0.x.x\fR to \fBOpenSSL 1.x.x\fR. .Sp \&\fICApath\fR path is relative to the \fIchroot\fR directory if specified. -.IP "\fBCAfile\fR = \s-1CERT_FILE\s0" 4 -.IX Item "CAfile = CERT_FILE" +.IP "\fBCAfile\fR = \s-1CA_FILE\s0" 4 +.IX Item "CAfile = CA_FILE" Certificate Authority file .Sp This file contains multiple \s-1CA\s0 certificates, to be used with the \fIverifyChain\fR and \fIverifyPeer\fR options. -.IP "\fBcert\fR = \s-1PEM_FILE\s0" 4 -.IX Item "cert = PEM_FILE" -certificate chain \s-1PEM\s0 file name +.IP "\fBcert\fR = \s-1CERT_FILE\s0" 4 +.IX Item "cert = CERT_FILE" +certificate chain file name +.Sp +The parameter specifies the file containing certificates used by \fBstunnel\fR +to authenticate itself against the remote client or server. +The file should contain the whole certificate chain starting from the actual +server/client certificate, and ending with the self-signed root \s-1CA\s0 certificate. +The file must be either in \s-1PEM\s0 or P12 format. .Sp -The certificates must be in \s-1PEM\s0 format, and must be from the -actual server/client certificate to the self-signed root \s-1CA\s0 certificate. -.Sp -A certificate is required in server mode, and optional in client mode. +A certificate chain is required in server mode, and optional in client mode. .Sp This parameter is also used as the certificate identifier when a hardware engine is enabled. @@ -470,8 +473,8 @@ c_rehash the directory on upgrade from \fBOpenSSL 0.x.x\fR to \fBOpenSSL 1.x.x\fR. .Sp \&\fICRLpath\fR path is relative to the \fIchroot\fR directory if specified. -.IP "\fBCRLfile\fR = \s-1CERT_FILE\s0" 4 -.IX Item "CRLfile = CERT_FILE" +.IP "\fBCRLfile\fR = \s-1CRL_FILE\s0" 4 +.IX Item "CRLfile = CRL_FILE" Certificate Revocation Lists file .Sp This file contains multiple CRLs, used with the \fIverifyChain\fR and 
@@ -626,7 +629,7 @@ .Sp Several \fIOCSPflag\fR can be used to specify multiple flags. .Sp -currently supported flags: \s-1NOCERTS, NOINTERN NOSIGS, NOCHAIN, NOVERIFY, +currently supported flags: \s-1NOCERTS, NOINTERN, NOSIGS, NOCHAIN, NOVERIFY, NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME\s0 .IP "\fBOCSPnonce\fR = yes | no" 4 .IX Item "OCSPnonce = yes | no" @@ -1055,7 +1058,7 @@ verify the peer certificate chain starting from the root \s-1CA\s0 .Sp For server certificate verification it is essential to also require a specific -certificate with \fIcheckHost\fR or \fIverifyPeer\fR. +certificate with \fIcheckHost\fR or \fIcheckIP\fR. .Sp The self-signed root \s-1CA\s0 certificate needs to be stored either in the file specified with \fICAfile\fR, or in the directory specified with \fICApath\fR. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/doc/stunnel.html.in new/stunnel-5.41/doc/stunnel.html.in --- old/stunnel-5.40/doc/stunnel.html.in 2017-01-19 09:57:12.000000000 +0100 +++ new/stunnel-5.41/doc/stunnel.html.in 2017-04-01 13:39:19.000000000 +0200 @@ -459,7 +459,7 @@ <p><i>CApath</i> path is relative to the <i>chroot</i> directory if specified.</p> </dd> -<dt id="CAfile-CERT_FILE"><b>CAfile</b> = CERT_FILE</dt> +<dt id="CAfile-CA_FILE"><b>CAfile</b> = CA_FILE</dt> <dd> <p>Certificate Authority file</p> 
@@ -467,14 +467,14 @@ <p>This file contains multiple CA certificates, to be used with the <i>verifyChain</i> and <i>verifyPeer</i> options.</p> </dd> -<dt id="cert-PEM_FILE"><b>cert</b> = PEM_FILE</dt> +<dt id="cert-CERT_FILE"><b>cert</b> = CERT_FILE</dt> <dd> -<p>certificate chain PEM file name</p> +<p>certificate chain file name</p> -<p>The certificates must be in PEM format, and must be from the actual server/client certificate to the self-signed root CA certificate.</p> +<p>The parameter specifies the file containing certificates used by <b>stunnel</b> to authenticate itself against the remote client or server. The file should contain the whole certificate chain starting from the actual server/client certificate, and ending with the self-signed root CA certificate. The file must be either in PEM or P12 format.</p> -<p>A certificate is required in server mode, and optional in client mode.</p> +<p>A certificate chain is required in server mode, and optional in client mode.</p> <p>This parameter is also used as the certificate identifier when a hardware engine is enabled.</p> @@ -561,7 +561,7 @@ <p><i>CRLpath</i> path is relative to the <i>chroot</i> directory if specified.</p> </dd> -<dt id="CRLfile-CERT_FILE"><b>CRLfile</b> = CERT_FILE</dt> +<dt id="CRLfile-CRL_FILE"><b>CRLfile</b> = CRL_FILE</dt> <dd> <p>Certificate Revocation Lists file</p> @@ -762,7 +762,7 @@ <p>Several <i>OCSPflag</i> can be used to specify multiple flags.</p> -<p>currently supported flags: NOCERTS, NOINTERN NOSIGS, NOCHAIN, NOVERIFY, NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME</p> +<p>currently supported flags: NOCERTS, NOINTERN, NOSIGS, NOCHAIN, NOVERIFY, NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME</p> </dd> <dt id="OCSPnonce-yes-no"><b>OCSPnonce</b> = yes | no</dt> 
@@ -1286,7 +1286,7 @@ <p>verify the peer certificate chain starting from the root CA</p> -<p>For server certificate verification it is essential to also require a specific certificate with <i>checkHost</i> or <i>verifyPeer</i>.</p> +<p>For server certificate verification it is essential to also require a specific certificate with <i>checkHost</i> or <i>checkIP</i>.</p> <p>The self-signed root CA certificate needs to be stored either in the file specified with <i>CAfile</i>, or in the directory specified with <i>CApath</i>.</p> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/doc/stunnel.pl.8.in new/stunnel-5.41/doc/stunnel.pl.8.in --- old/stunnel-5.40/doc/stunnel.pl.8.in 2017-01-19 09:51:46.000000000 +0100 +++ new/stunnel-5.41/doc/stunnel.pl.8.in 2017-04-01 13:39:19.000000000 +0200 @@ -71,7 +71,7 @@ .\" ======================================================================== .\" .IX Title "stunnel 8" -.TH stunnel 8 "2017.01.19" "5.40" "stunnel TLS Proxy" +.TH stunnel 8 "2017.04.01" "5.41" "stunnel TLS Proxy" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -394,12 +394,16 @@ .Sp Opcja pozwala określić położenie pliku zawierającego certyfikaty używane przez opcję \fIverifyChain\fR lub \fIverifyPeer\fR. -.IP "\fBcert\fR = \s-1PLIK_PEM\s0" 4 -.IX Item "cert = PLIK_PEM" +.IP "\fBcert\fR = \s-1PLIK_CERT\s0" 4 +.IX Item "cert = PLIK_CERT" plik z łańcuchem certyfikatów .Sp Opcja określa położenie pliku zawierającego certyfikaty używane przez program \fBstunnel\fR do uwierzytelnienia się przed drugą stroną połączenia. +Plik powinien zawierać kompletny łańcuch certyfikatów począwszy od certyfikatu +klienta/serwera, a skończywszy na samopodpisanym certyfikacie głównego \s-1CA.\s0 +Obsługiwane są pliki w formacie \s-1PEM\s0 lub P12. +.Sp Certyfikat jest konieczny, aby używać programu w trybie serwera. W trybie klienta certyfikat jest opcjonalny. .Sp @@ -643,7 +647,7 @@ .IX Item "OCSPflag = FLAGA_OCSP" flaga respondera \s-1OCSP\s0 .Sp -Aktualnie wspierane flagi: \s-1NOCERTS, NOINTERN NOSIGS, NOCHAIN, NOVERIFY, +Aktualnie wspierane flagi: \s-1NOCERTS, NOINTERN, NOSIGS, NOCHAIN, NOVERIFY, NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME\s0 .Sp Aby wyspecyfikować kilka flag należy użyć \fIOCSPflag\fR wielokrotnie. @@ -1067,7 +1071,7 @@ weryfikuj łańcuch certyfikatów drugiej strony .Sp Do weryfikacji certyfikatu serwera kluczowe jest, aby wymagać również -konkretnego certyfikatu przy pomocy \fIcheckHost\fR lub \fIverifyPeer\fR. +konkretnego certyfikatu przy pomocy \fIcheckHost\fR lub \fIcheckIP\fR. .Sp Samopodpisany certyfikat głównego \s-1CA\s0 należy umieścić albo w pliku podanym w opcji \fICAfile\fR, albo w katalogu podanym w opcji \fICApath\fR. 
@@ -1181,7 +1185,7 @@ \& client = yes \& accept = 127.0.0.1:1080 \& connect = vpn_server:9080 -\& verify = 4 +\& verifyPeer = yes \& CAfile = stunnel.pem .Ve .PP diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/doc/stunnel.pl.html.in new/stunnel-5.41/doc/stunnel.pl.html.in --- old/stunnel-5.40/doc/stunnel.pl.html.in 2017-01-19 09:51:46.000000000 +0100 +++ new/stunnel-5.41/doc/stunnel.pl.html.in 2017-04-01 13:39:19.000000000 +0200 @@ -469,12 +469,14 @@ <p>Opcja pozwala określić położenie pliku zawierającego certyfikaty używane przez opcję <i>verifyChain</i> lub <i>verifyPeer</i>.</p> </dd> -<dt id="cert-PLIK_PEM"><b>cert</b> = PLIK_PEM</dt> +<dt id="cert-PLIK_CERT"><b>cert</b> = PLIK_CERT</dt> <dd> <p>plik z łańcuchem certyfikatów</p> -<p>Opcja określa położenie pliku zawierającego certyfikaty używane przez program <b>stunnel</b> do uwierzytelnienia się przed drugą stroną połączenia. Certyfikat jest konieczny, aby używać programu w trybie serwera. W trybie klienta certyfikat jest opcjonalny.</p> +<p>Opcja określa położenie pliku zawierającego certyfikaty używane przez program <b>stunnel</b> do uwierzytelnienia się przed drugą stroną połączenia. Plik powinien zawierać kompletny łańcuch certyfikatów począwszy od certyfikatu klienta/serwera, a skończywszy na samopodpisanym certyfikacie głównego CA. Obsługiwane są pliki w formacie PEM lub P12.</p> + +<p>Certyfikat jest konieczny, aby używać programu w trybie serwera. W trybie klienta certyfikat jest opcjonalny.</p> <p>Jeżeli używane jest sprzętowe urządzenie kryptograficzne, to opcja <b>cert</b> pozwala wybrać identyfikator używanego certyfikatu.</p> 
@@ -760,7 +762,7 @@ <p>flaga respondera OCSP</p> -<p>Aktualnie wspierane flagi: NOCERTS, NOINTERN NOSIGS, NOCHAIN, NOVERIFY, NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME</p> +<p>Aktualnie wspierane flagi: NOCERTS, NOINTERN, NOSIGS, NOCHAIN, NOVERIFY, NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME</p> <p>Aby wyspecyfikować kilka flag należy użyć <i>OCSPflag</i> wielokrotnie.</p> @@ -1284,7 +1286,7 @@ <p>weryfikuj łańcuch certyfikatów drugiej strony</p> -<p>Do weryfikacji certyfikatu serwera kluczowe jest, aby wymagać również konkretnego certyfikatu przy pomocy <i>checkHost</i> lub <i>verifyPeer</i>.</p> +<p>Do weryfikacji certyfikatu serwera kluczowe jest, aby wymagać również konkretnego certyfikatu przy pomocy <i>checkHost</i> lub <i>checkIP</i>.</p> <p>Samopodpisany certyfikat głównego CA należy umieścić albo w pliku podanym w opcji <i>CAfile</i>, albo w katalogu podanym w opcji <i>CApath</i>.</p> @@ -1401,7 +1403,7 @@ client = yes accept = 127.0.0.1:1080 connect = vpn_server:9080 - verify = 4 + verifyPeer = yes CAfile = stunnel.pem</code></pre> <p>Odpowiadająca jej konfiguracja serwera vpn_server:</p> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/doc/stunnel.pl.pod.in new/stunnel-5.41/doc/stunnel.pl.pod.in --- old/stunnel-5.40/doc/stunnel.pl.pod.in 2017-01-19 09:51:32.000000000 +0100 +++ new/stunnel-5.41/doc/stunnel.pl.pod.in 2017-04-01 13:39:17.000000000 +0200 
@@ -406,12 +406,16 @@ Opcja pozwala określić położenie pliku zawierającego certyfikaty używane przez opcję I<verifyChain> lub I<verifyPeer>. -=item B<cert> = PLIK_PEM +=item B<cert> = PLIK_CERT plik z łańcuchem certyfikatów Opcja określa położenie pliku zawierającego certyfikaty używane przez program B<stunnel> do uwierzytelnienia się przed drugą stroną połączenia. +Plik powinien zawierać kompletny łańcuch certyfikatów począwszy od certyfikatu +klienta/serwera, a skończywszy na samopodpisanym certyfikacie głównego CA. +Obsługiwane są pliki w formacie PEM lub P12. + Certyfikat jest konieczny, aby używać programu w trybie serwera. W trybie klienta certyfikat jest opcjonalny. @@ -682,7 +686,7 @@ flaga respondera OCSP -Aktualnie wspierane flagi: NOCERTS, NOINTERN NOSIGS, NOCHAIN, NOVERIFY, +Aktualnie wspierane flagi: NOCERTS, NOINTERN, NOSIGS, NOCHAIN, NOVERIFY, NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME Aby wyspecyfikować kilka flag należy użyć I<OCSPflag> wielokrotnie. @@ -1151,7 +1155,7 @@ weryfikuj łańcuch certyfikatów drugiej strony Do weryfikacji certyfikatu serwera kluczowe jest, aby wymagać również -konkretnego certyfikatu przy pomocy I<checkHost> lub I<verifyPeer>. +konkretnego certyfikatu przy pomocy I<checkHost> lub I<checkIP>. Samopodpisany certyfikat głównego CA należy umieścić albo w pliku podanym w opcji I<CAfile>, albo w katalogu podanym w opcji I<CApath>. @@ -1280,7 +1284,7 @@ client = yes accept = 127.0.0.1:1080 connect = vpn_server:9080 - verify = 4 + verifyPeer = yes CAfile = stunnel.pem Odpowiadająca jej konfiguracja serwera vpn_server: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/doc/stunnel.pod.in new/stunnel-5.41/doc/stunnel.pod.in --- old/stunnel-5.40/doc/stunnel.pod.in 2017-01-19 09:57:06.000000000 +0100 +++ new/stunnel-5.41/doc/stunnel.pod.in 2017-04-01 13:39:17.000000000 +0200 
@@ -390,21 +390,24 @@ I<CApath> path is relative to the I<chroot> directory if specified. -=item B<CAfile> = CERT_FILE +=item B<CAfile> = CA_FILE Certificate Authority file This file contains multiple CA certificates, to be used with the I<verifyChain> and I<verifyPeer> options. -=item B<cert> = PEM_FILE +=item B<cert> = CERT_FILE -certificate chain PEM file name +certificate chain file name -The certificates must be in PEM format, and must be from the -actual server/client certificate to the self-signed root CA certificate. +The parameter specifies the file containing certificates used by B<stunnel> +to authenticate itself against the remote client or server. +The file should contain the whole certificate chain starting from the actual +server/client certificate, and ending with the self-signed root CA certificate. +The file must be either in PEM or P12 format. -A certificate is required in server mode, and optional in client mode. +A certificate chain is required in server mode, and optional in client mode. This parameter is also used as the certificate identifier when a hardware engine is enabled. @@ -493,7 +496,7 @@ I<CRLpath> path is relative to the I<chroot> directory if specified. -=item B<CRLfile> = CERT_FILE +=item B<CRLfile> = CRL_FILE Certificate Revocation Lists file @@ -667,7 +670,7 @@ Several I<OCSPflag> can be used to specify multiple flags. -currently supported flags: NOCERTS, NOINTERN NOSIGS, NOCHAIN, NOVERIFY, +currently supported flags: NOCERTS, NOINTERN, NOSIGS, NOCHAIN, NOVERIFY, NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME =item B<OCSPnonce> = yes | no 
@@ -1141,7 +1144,7 @@ verify the peer certificate chain starting from the root CA For server certificate verification it is essential to also require a specific -certificate with I<checkHost> or I<verifyPeer>. +certificate with I<checkHost> or I<checkIP>. The self-signed root CA certificate needs to be stored either in the file specified with I<CAfile>, or in the directory specified with I<CApath>. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/src/client.c new/stunnel-5.41/src/client.c --- old/stunnel-5.40/src/client.c 2017-01-19 09:51:32.000000000 +0100 +++ new/stunnel-5.41/src/client.c 2017-03-26 22:25:00.000000000 +0200 @@ -83,7 +83,6 @@ c->opt=opt; c->local_rfd.fd=rfd; c->local_wfd.fd=wfd; - c->redirect=REDIRECT_OFF; c->seq=seq++; return c; } @@ -376,14 +375,17 @@ NOEXPORT void ssl_start(CLI *c) { int i, err; int unsafe_openssl; - X509 *peer_cert; c->ssl=SSL_new(c->opt->ctx); if(!c->ssl) { sslerror("SSL_new"); longjmp(c->err, 1); } - SSL_set_ex_data(c->ssl, index_cli, c); /* for callbacks */ + /* for callbacks */ + if(!SSL_set_ex_data(c->ssl, index_ssl_cli, c)) { + sslerror("SSL_set_ex_data"); + longjmp(c->err, 1); + } if(c->opt->option.client) { #ifndef OPENSSL_NO_TLSEXT if(c->opt->sni && *c->opt->sni) { 
@@ -477,26 +479,10 @@ c->opt->option.client ? "connected" : "accepted", SSL_session_reused(c->ssl) ? "previous session reused" : "new session negotiated"); - if(SSL_session_reused(c->ssl)) { - c->redirect=(uintptr_t)SSL_SESSION_get_ex_data(SSL_get_session(c->ssl), - index_redirect); - if(c->opt->redirect_addr.names && !c->redirect) { - s_log(LOG_ERR, "No application data found in the reused session"); - longjmp(c->err, 1); - } - } else { /* a new session was negotiated */ + if(!SSL_session_reused(c->ssl)) { /* a new session was negotiated */ new_chain(c); - peer_cert=SSL_get_peer_certificate(c->ssl); - if(peer_cert) /* c->redirect was set by the callback */ - X509_free(peer_cert); - else if(c->opt->redirect_addr.names) /* no peer certificate verified */ - c->redirect=REDIRECT_ON; - SSL_SESSION_set_ex_data(SSL_get_session(c->ssl), - index_redirect, (void *)c->redirect); if(c->opt->option.client) session_cache_save(c); - else /* TLS server */ - SSL_CTX_add_session(c->opt->ctx, SSL_get_session(c->ssl)); print_cipher(c); } } @@ -1402,8 +1388,9 @@ str_free(addr_txt); CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_ADDR]); - old_addr=SSL_SESSION_get_ex_data(sess, index_addr); - SSL_SESSION_set_ex_data(sess, index_addr, new_addr); + old_addr=SSL_SESSION_get_ex_data(sess, index_session_connect_address); + /* we can safely ignore the SSL_SESSION_set_ex_data() failure */ + SSL_SESSION_set_ex_data(sess, index_session_connect_address, new_addr); CRYPTO_THREAD_write_unlock(stunnel_locks[LOCK_ADDR]); str_free(old_addr); /* NULL pointers are ignored */ } @@ -1416,7 +1403,8 @@ if(c->ssl && SSL_session_reused(c->ssl)) { CRYPTO_THREAD_read_lock(stunnel_locks[LOCK_ADDR]); - ptr=SSL_SESSION_get_ex_data(SSL_get_session(c->ssl), index_addr); + ptr=SSL_SESSION_get_ex_data(SSL_get_session(c->ssl), + index_session_connect_address); if(ptr) { len=addr_len(ptr); memcpy(&addr, ptr, (size_t)len); 
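Review bot: The comment added in the `@@ -1402` hunk says the `SSL_SESSION_set_ex_data()` failure can be safely ignored, but on failure `new_addr` is never attached to the session and is never freed, so ignoring it leaks the address buffer rather than being a no-op. As far as I can tell from OpenSSL's ex_data code the call can only fail when the slot did not exist yet, i.e. when `old_addr` is NULL, so the existing `str_free(old_addr)` stays safe; the leak is the remaining gap. I would check the result and release the buffer that was not stored, `if(!SSL_SESSION_set_ex_data(sess, index_session_connect_address, new_addr))` / `    str_free(new_addr); /* not attached to the session: release it here */`, and reword the comment to say why `old_addr` remains safe to free. The enclosing function starts and ends outside the hunk.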
@@ -1455,7 +1443,9 @@ NOEXPORT void connect_setup(CLI *c) { /* process "redirect" first */ - if(c->redirect==REDIRECT_ON) { + if(c->opt->redirect_addr.names && + (!c->ssl || !SSL_SESSION_get_ex_data(SSL_get_session(c->ssl), + index_session_authenticated))) { s_log(LOG_NOTICE, "Redirecting connection"); /* c->connect_addr.addr may be allocated in protocol negotiations */ str_free(c->connect_addr.addr); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/src/ctx.c new/stunnel-5.41/src/ctx.c --- old/stunnel-5.40/src/ctx.c 2017-01-19 09:51:32.000000000 +0100 +++ new/stunnel-5.41/src/ctx.c 2017-03-26 22:25:00.000000000 +0200 @@ -38,6 +38,12 @@ #include "common.h" #include "prototypes.h" +SERVICE_OPTIONS *current_section=NULL; + +/* try an empty passphrase first */ +static char cached_passwd[PEM_BUFSIZE]=""; +static int cached_len=0; + #ifndef OPENSSL_NO_DH DH *dh_params=NULL; int dh_needed=0; @@ -79,7 +85,9 @@ NOEXPORT int load_cert_engine(SERVICE_OPTIONS *); NOEXPORT int load_key_engine(SERVICE_OPTIONS *); #endif -NOEXPORT int passphrase_cb(char *, int, int, void *); +NOEXPORT int cache_passwd_get_cb(char *, int, int, void *); +NOEXPORT int cache_passwd_set_cb(char *, int, int, void *); +NOEXPORT void set_prompt(const char *); NOEXPORT int ui_retry(); /* session callbacks */ @@ -124,7 +132,12 @@ sslerror("SSL_CTX_new"); return 1; /* FAILED */ } - SSL_CTX_set_ex_data(section->ctx, index_opt, section); /* for callbacks */ + /* for callbacks */ + if(!SSL_CTX_set_ex_data(section->ctx, index_ssl_ctx_opt, section)) { + sslerror("SSL_CTX_set_ex_data"); + return 1; /* FAILED */ + } + current_section=section; /* setup current section for callbacks */ /* ciphers */ if(section->cipher_list) { 
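Review bot: The new redirect condition in `connect_setup` (`@@ -1455` hunk) depends on `index_session_authenticated` being stored on the session by code outside this hunk, and a NULL value, whether because the peer failed verification or because nothing ever set it, triggers the redirect, which is the fail-closed direction; that contract deserves a comment because a reader cannot tell from here which callback sets the flag. I would add above the `if`: `/* index_session_authenticated is stored on the session by the verification callback; a missing value fails closed and redirects */`. One thing to confirm: the condition also redirects for `!c->ssl`, so if `redirect` were ever combined with a service that connects before the handshake, every connection would be redirected; if `redirect` is server-only this is fine, but the comment should say so. `connect_setup` continues outside the hunk.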
@@ -177,11 +190,6 @@ return 1; /* FAILED */ } } -#ifdef SSL_SESS_CACHE_NO_INTERNAL_STORE - /* the default cache mode is just SSL_SESS_CACHE_SERVER */ - SSL_CTX_set_session_cache_mode(section->ctx, - SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL_STORE); -#endif SSL_CTX_sess_set_cache_size(section->ctx, section->session_size); SSL_CTX_set_timeout(section->ctx, section->session_timeout); SSL_CTX_sess_set_new_cb(section->ctx, sess_new_cb); @@ -244,7 +252,7 @@ for(list=section->servername_list_head; list; list=list->next) if(matches_wildcard((char *)servername, list->servername)) { s_log(LOG_DEBUG, "SNI: matched pattern: %s", list->servername); - c=SSL_get_ex_data(ssl, index_cli); + c=SSL_get_ex_data(ssl, index_ssl_cli); c->opt=list->opt; SSL_set_SSL_CTX(ssl, c->opt->ctx); SSL_set_verify(ssl, SSL_CTX_get_verify_mode(c->opt->ctx), @@ -524,7 +532,7 @@ size_t identity_len; (void)hint; /* squash the unused parameter warning */ - c=SSL_get_ex_data(ssl, index_cli); + c=SSL_get_ex_data(ssl, index_ssl_cli); if(!c->opt->psk_selected) { s_log(LOG_ERR, "INTERNAL ERROR: No PSK identity selected"); return 0; @@ -555,7 +563,7 @@ PSK_KEYS *found; size_t len; - c=SSL_get_ex_data(ssl, index_cli); + c=SSL_get_ex_data(ssl, index_ssl_cli); found=psk_find(&c->opt->psk_sorted, identity); if(found) { len=found->key_len; @@ -629,8 +637,8 @@ } NOEXPORT int load_pkcs12_file(SERVICE_OPTIONS *section) { + size_t len; int i, success; - UI_DATA ui_data; BIO *bio=NULL; PKCS12 *p12=NULL; X509 *cert=NULL; @@ -656,10 +664,12 @@ } BIO_free(bio); - ui_data.section=section; /* setup current section for callbacks */ - - /* try the cached value (initially an empty passphrase) */ - passphrase_cb(pass, PEM_BUFSIZE, 0, NULL); + /* try the cached value first */ + set_prompt(section->cert); + len=(size_t)cache_passwd_get_cb(pass, sizeof pass, 0, NULL); + if(len>=sizeof pass) + len=sizeof pass-1; + pass[len]='\0'; /* null-terminate */ success=PKCS12_parse(p12, pass, &pkey, &cert, &ca); /* invoke the UI */ 
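Review bot: In the `@@ -656` hunk of `load_pkcs12_file` the passphrase is copied into the stack buffer `pass` and handed to `PKCS12_parse()`, but nothing in this hunk or in the retry hunk `@@ -672` clears it once `success` is decided, so the plaintext passphrase stays on the stack (and in any core dump) for as long as the frame is live. I would add `OPENSSL_cleanse(pass, sizeof pass);` right after the retry loop, before the `if(!success)` branch, so both the success and failure paths go through it; a plain `memset` there could be dropped by the compiler since `pass` is dead afterwards. The `(size_t)` cast of the callback result relies on `cache_passwd_get_cb` never returning a negative value, which it guarantees in the `@@ -805` hunk; a short comment on the cast would save the next reader the lookup. `load_pkcs12_file` begins in the `@@ -629` hunk and ends outside this diff.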
@@ -672,7 +682,11 @@ sslerror_queue(); /* dump the error queue */ s_log(LOG_ERR, "Wrong passphrase: retrying"); } - passphrase_cb(pass, PEM_BUFSIZE, 0, &ui_data); + /* invoke the UI on subsequent calls */ + len=(size_t)cache_passwd_set_cb(pass, sizeof pass, 0, NULL); + if(len>=sizeof pass) + len=sizeof pass-1; + pass[len]='\0'; /* null-terminate */ success=PKCS12_parse(p12, pass, &pkey, &cert, &ca); } if(!success) { @@ -708,22 +722,20 @@ NOEXPORT int load_key_file(SERVICE_OPTIONS *section) { int i, success; - UI_DATA ui_data; s_log(LOG_INFO, "Loading private key from file: %s", section->key); if(file_permissions(section->key)) return 1; /* FAILED */ - ui_data.section=section; /* setup current section for callbacks */ - SSL_CTX_set_default_passwd_cb(section->ctx, passphrase_cb); - - /* try the cached value (initially an empty passphrase) */ - SSL_CTX_set_default_passwd_cb_userdata(section->ctx, NULL); + /* try the cached value first */ + set_prompt(section->key); + SSL_CTX_set_default_passwd_cb(section->ctx, cache_passwd_get_cb); success=SSL_CTX_use_PrivateKey_file(section->ctx, section->key, SSL_FILETYPE_PEM); + /* invoke the UI on subsequent calls */ + SSL_CTX_set_default_passwd_cb(section->ctx, cache_passwd_set_cb); /* invoke the UI */ - SSL_CTX_set_default_passwd_cb_userdata(section->ctx, &ui_data); for(i=0; !success && i<3; i++) { if(!ui_retry()) break; 
@@ -770,21 +782,16 @@ NOEXPORT int load_key_engine(SERVICE_OPTIONS *section) { int i; - UI_DATA ui_data; EVP_PKEY *pkey; - UI_METHOD *ui_method; s_log(LOG_INFO, "Initializing private key on engine ID: %s", section->key); - ui_data.section=section; /* setup current section for callbacks */ - SSL_CTX_set_default_passwd_cb(section->ctx, passphrase_cb); + /* do not use caching for engine PINs to prevent device lockout */ + SSL_CTX_set_default_passwd_cb(section->ctx, ui_passwd_cb); - ui_method=UI_stunnel(); - /* workaround for broken engines */ - /* ui_data.section=NULL; */ for(i=0; i<3; i++) { pkey=ENGINE_load_private_key(section->engine, section->key, - ui_method, &ui_data); + UI_stunnel(), NULL); if(!pkey) { if(i<2 && ui_retry()) { /* wrong PIN */ sslerror_queue(); /* dump the error queue */ 
@@ -805,24 +812,40 @@ #endif /* !defined(OPENSSL_NO_ENGINE) */ -NOEXPORT int passphrase_cb(char *buf, int size, int rwflag, void *userdata) { - static char cache[PEM_BUFSIZE]=""; /* try an empty passphrase first */ - int len; - - if(size>PEM_BUFSIZE) - size=PEM_BUFSIZE; - - if(!userdata) { /* try the cached value first */ - strncpy(buf, cache, (size_t)size); - buf[size-1]='\0'; - len=(int)strlen(buf); - } else { /* prompt the user on subsequent requests */ - len=passwd_cb(buf, size, rwflag, userdata); /* invoke the UI */ - memcpy(cache, buf, (size_t)size); /* save in cache */ - } +/* additional caching layer on top of ui_passwd_cb() */ + +/* retrieve the cached passwd */ +NOEXPORT int cache_passwd_get_cb(char *buf, int size, + int rwflag, void *userdata) { + int len=cached_len; + + (void)rwflag; /* squash the unused parameter warning */ + (void)userdata; /* squash the unused parameter warning */ + if(len<0 || size<0) /* the API uses signed integers */ + return 0; + if(len>size) /* truncate the returned data if needed */ + len=size; + memcpy(buf, cached_passwd, (size_t)len); return len; } +/* cache the passwd retrieved from UI */ +NOEXPORT int cache_passwd_set_cb(char *buf, int size, + int rwflag, void *userdata) { + memset(cached_passwd, 0, sizeof cached_passwd); + cached_len=ui_passwd_cb(cached_passwd, sizeof cached_passwd, + rwflag, userdata); + return cache_passwd_get_cb(buf, size, rwflag, userdata); +} + +NOEXPORT void set_prompt(const char *name) { + char *prompt; + + prompt=str_printf("Enter %s pass phrase:", name); + EVP_set_pw_prompt(prompt); + str_free(prompt); +} + NOEXPORT int ui_retry() { unsigned long err=ERR_peek_error(); 
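Review bot: `cached_passwd` (declared in the `@@ -38` hunk of this file) now holds the last successful passphrase in plaintext in a static buffer for the whole process lifetime, and nothing in this hunk clears it once the certificates and keys have been loaded; `cache_passwd_set_cb` only zeroes it immediately before overwriting it. Since the cache is only useful while the configuration is being loaded, I would add a clear function (below) with a `NOEXPORT` prototype next to the `cache_passwd_set_cb` one in the `@@ -79` hunk, and call it from the code that finishes section initialization, which is outside this diff. `OPENSSL_cleanse` rather than `memset`, because the buffer is not written afterwards and a plain `memset` may be optimized away. A smaller point on `set_prompt`: as far as I remember, `EVP_set_pw_prompt()` copies into a fixed-size internal buffer of 79 characters, so long key paths are silently truncated in the prompt; a comment such as `/* EVP_set_pw_prompt() keeps a truncated copy; long paths lose their tail */` would explain both why `str_free(prompt)` right away is safe and what the limitation is.
```c
/* forget the cached passwd once all keys are loaded */
NOEXPORT void cache_passwd_clear(void) {
    OPENSSL_cleanse(cached_passwd, sizeof cached_passwd);
    cached_len=0;
}
```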
@@ -877,10 +900,10 @@
 CLI *c; s_log(LOG_DEBUG, "New session callback");
- c=SSL_get_ex_data(ssl, index_cli);
+ c=SSL_get_ex_data(ssl, index_ssl_cli);
 if(c->opt->option.sessiond) cache_new(ssl, sess);
- return 1; /* leave the session in local cache for reuse */
+ return 0; /* the OpenSSL's manual is really bad -> use the source here */
 } NOEXPORT SSL_SESSION *sess_get_cb(SSL *ssl,
@@ -892,7 +915,7 @@
 s_log(LOG_DEBUG, "Get session callback"); *do_copy=0; /* allow the session to be freed automatically */
- c=SSL_get_ex_data(ssl, index_cli);
+ c=SSL_get_ex_data(ssl, index_ssl_cli);
 if(c->opt->option.sessiond) return cache_get(ssl, key, key_len); return NULL; /* no session to resume */
@@ -902,10 +925,9 @@
 SERVICE_OPTIONS *opt; s_log(LOG_DEBUG, "Remove session callback");
- opt=SSL_CTX_get_ex_data(ctx, index_opt);
+ opt=SSL_CTX_get_ex_data(ctx, index_ssl_ctx_opt);
 if(opt->option.sessiond) cache_remove(ctx, sess);
- SSL_SESSION_free(sess);
 } /**************************************** sessiond functionality */
@@ -1037,7 +1059,7 @@
 } /* retrieve pointer to the section structure of this ctx */
- section=SSL_CTX_get_ex_data(ctx, index_opt);
+ section=SSL_CTX_get_ex_data(ctx, index_ssl_ctx_opt);
 if(sendto(s, (void *)packet, #ifdef USE_WIN32 (int)
@@ -1107,7 +1129,7 @@
 SSL_CTX *ctx; const char *state_string;
- c=SSL_get_ex_data((SSL *)ssl, index_cli);
+ c=SSL_get_ex_data((SSL *)ssl, index_ssl_cli);
 if(c) { int state=SSL_get_state((SSL *)ssl);
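Review bot: The new `return 0` in sess_new_cb() is correct only together with dropping `SSL_SESSION_free(sess)` from sess_remove_cb() further down, and `the OpenSSL's manual is really bad -> use the source here` does not tell the next maintainer what the contract is; I would replace it with `/* 0: we took no reference, so OpenSSL keeps ownership and the session stays in its internal cache; do not free it in sess_remove_cb() */`. If cache_new() keeps the SSL_SESSION pointer rather than serialising the session, it now holds a pointer the library may free at any later point; cache_new() is not in this hunk, so I cannot tell which it does. Also, `c` from `SSL_get_ex_data(ssl, index_ssl_cli)` is dereferenced here without the `if(c)` guard that the info callback in the last hunk of this file applies.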
@@ -1139,8 +1161,7 @@ } else if((where&SSL_CB_ACCEPT_LOOP) && c->reneg_state==RENEG_ESTABLISHED) { #ifndef SSL3_ST_SR_CLNT_HELLO_A - if(state==TLS_ST_SR_CLNT_HELLO - || state==TLS_ST_SR_CLNT_HELLO) { + if(state==TLS_ST_SR_CLNT_HELLO) { #else if(state==SSL3_ST_SR_CLNT_HELLO_A || state==SSL23_ST_SR_CLNT_HELLO_A) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/src/dhparam.c new/stunnel-5.41/src/dhparam.c --- old/stunnel-5.40/src/dhparam.c 2017-01-02 15:27:26.000000000 +0100 +++ new/stunnel-5.41/src/dhparam.c 2017-02-02 15:20:22.000000000 +0100 
@@ -8,32 +8,32 @@ DH *get_dh2048() { static unsigned char dhp_2048[] = { - 0x89, 0x9D, 0x84, 0xB8, 0x3A, 0x2D, 0xD4, 0xF7, 0x41, 0x5A, - 0xBB, 0x27, 0x00, 0x69, 0xAE, 0xB4, 0xAC, 0x5E, 0xD8, 0xEB, - 0xAE, 0x3D, 0x0E, 0x1A, 0x05, 0xD5, 0xE5, 0xEF, 0x2B, 0x8E, - 0x4F, 0xF3, 0x65, 0x3C, 0xE3, 0x40, 0x6B, 0xFB, 0xA7, 0x24, - 0x58, 0x85, 0xE4, 0xFA, 0x86, 0x0D, 0xED, 0x8D, 0xBF, 0xA0, - 0x4D, 0x58, 0xC9, 0x30, 0x26, 0x3B, 0xF0, 0x1E, 0xAF, 0x15, - 0x6F, 0x4E, 0x71, 0x2D, 0xF1, 0x67, 0xED, 0x44, 0x8C, 0x04, - 0x04, 0x23, 0xE4, 0xA8, 0x5B, 0x7B, 0x28, 0x32, 0x0D, 0x67, - 0xBB, 0x7E, 0xE5, 0x1B, 0x58, 0x6F, 0x0C, 0x3C, 0x0A, 0x8A, - 0x3E, 0xC8, 0x8A, 0x10, 0xCA, 0x74, 0x94, 0x6E, 0xC8, 0xC0, - 0x52, 0x9C, 0xE5, 0x45, 0xE7, 0x0A, 0x78, 0x9B, 0x30, 0x60, - 0x70, 0xEA, 0xF2, 0xEF, 0xB6, 0xD5, 0x28, 0x2F, 0xA1, 0x92, - 0xA6, 0x94, 0x45, 0x03, 0x5A, 0x8F, 0xF3, 0x17, 0x93, 0x99, - 0x28, 0x1B, 0x9C, 0xE1, 0x3F, 0x96, 0x4E, 0x95, 0x62, 0x72, - 0x79, 0x8E, 0xD9, 0xE6, 0x42, 0xEF, 0xF5, 0x46, 0xBF, 0xB3, - 0x2B, 0x23, 0x5D, 0xEF, 0x11, 0x18, 0x81, 0x85, 0xBB, 0xD9, - 0xD1, 0x32, 0x96, 0xEE, 0x98, 0x8C, 0x14, 0x6E, 0x57, 0x68, - 0xAD, 0x5B, 0xE0, 0xF4, 0x7A, 0x75, 0x9E, 0x8D, 0xB0, 0x18, - 0x9A, 0xFD, 0x1E, 0x0C, 0xD9, 0x23, 0x4B, 0xF1, 0xF3, 0x92, - 0xD8, 0x23, 0x41, 0xE0, 0xEC, 0x94, 0xDE, 0xF3, 0x34, 0x87, - 0xF6, 0x87, 0x35, 0xF4, 0x48, 0x9B, 0xB7, 0x3B, 0x4E, 0xCD, - 0x1A, 0x8D, 0xFC, 0x5A, 0xD1, 0x39, 0x41, 0x33, 0x66, 0xE2, - 0x06, 0xEE, 0x2C, 0x1B, 0x5F, 0x5C, 0xB2, 0xF2, 0xB3, 0xBA, - 0xA3, 0x58, 0x8B, 0xF2, 0xD2, 0x9A, 0xAF, 0x03, 0xA2, 0x84, - 0x7D, 0xA1, 0xAA, 0x23, 0x3A, 0x7B, 0xE2, 0xF8, 0xAF, 0xA6, - 0xE3, 0x5B, 0xCE, 0x25, 0x68, 0x7B + 0xFD, 0x64, 0x87, 0xF6, 0xC7, 0xF8, 0x45, 0x8D, 0x04, 0x72, + 0xAB, 0x25, 0xC7, 0xDB, 0x2D, 0x3F, 0x6E, 0xF1, 0xD3, 0xD7, + 0xC8, 0x81, 0x9A, 0x68, 0xE4, 0xDA, 0x63, 0x72, 0x6B, 0xE7, + 0x12, 0x31, 0x5A, 0x6B, 0x3C, 0x76, 0xCE, 0x6D, 0x9D, 0x1A, + 0x2B, 0x4A, 0xA7, 0x61, 0xC1, 0x5C, 0xF4, 0x40, 0xBE, 0xFF, + 0x15, 0x40, 0xC9, 0x5F, 
0xFF, 0x77, 0x50, 0x11, 0x20, 0x5F, + 0x3D, 0x0F, 0xB9, 0x4B, 0x0F, 0x36, 0x05, 0x39, 0x3C, 0x19, + 0x35, 0x64, 0x1D, 0xD6, 0x46, 0x61, 0x7C, 0xD4, 0x8C, 0x62, + 0xEB, 0x45, 0xC2, 0x78, 0xDD, 0x7E, 0x9B, 0x3F, 0xE7, 0xD7, + 0x28, 0x4E, 0x18, 0x8F, 0xA6, 0x2B, 0x73, 0xC4, 0x84, 0xB4, + 0xA0, 0x57, 0x3E, 0x05, 0x1D, 0x5E, 0x05, 0xF3, 0xEE, 0x29, + 0x61, 0x43, 0xE7, 0x93, 0xC8, 0xF5, 0xC0, 0x1E, 0x26, 0x32, + 0xE1, 0xA4, 0x3D, 0x9B, 0x2C, 0x22, 0xCE, 0xEC, 0x78, 0xD8, + 0x01, 0xD6, 0xFA, 0x5A, 0x94, 0xF0, 0x27, 0x39, 0x76, 0xAF, + 0x4F, 0xEA, 0x7C, 0xAA, 0xAF, 0x04, 0xF0, 0xCC, 0x69, 0x8F, + 0x0E, 0x6D, 0x3A, 0x79, 0x0A, 0x2C, 0xE0, 0x7D, 0x73, 0x1B, + 0xF1, 0x24, 0xF2, 0x66, 0x26, 0x48, 0x5C, 0x1B, 0x6C, 0xDB, + 0x0F, 0x11, 0x2F, 0x66, 0x8A, 0xF5, 0x30, 0x8D, 0x69, 0xE2, + 0x4E, 0x47, 0x07, 0x8F, 0xB8, 0x36, 0xA1, 0x5F, 0x88, 0xCC, + 0xAA, 0xBA, 0xA7, 0x41, 0x87, 0xB4, 0x96, 0xAA, 0xA7, 0xA6, + 0x89, 0x20, 0x51, 0xE3, 0x3A, 0xEA, 0xE1, 0x20, 0x4C, 0x11, + 0x63, 0x00, 0xC2, 0x08, 0x4E, 0x07, 0x44, 0xFE, 0xE3, 0xB0, + 0x65, 0xA1, 0xE0, 0x79, 0x43, 0x37, 0xFD, 0xB0, 0x96, 0x34, + 0x2C, 0xEE, 0xC9, 0xD6, 0xD2, 0x2E, 0x0F, 0x57, 0xAA, 0x24, + 0x62, 0x22, 0xA9, 0x47, 0xBB, 0xDC, 0x2C, 0x6C, 0xF7, 0x86, + 0x43, 0xE4, 0x32, 0x99, 0xED, 0x03 }; static unsigned char dhg_2048[] = { 0x02 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/src/options.c new/stunnel-5.41/src/options.c --- old/stunnel-5.40/src/options.c 2017-01-28 09:47:51.000000000 +0100 +++ new/stunnel-5.41/src/options.c 2017-03-28 16:04:38.000000000 +0200 @@ -2304,7 +2304,7 @@ section->option.delayed_lookup=1; } if(!section->option.verify_chain && !section->option.verify_peer) - return "\"verify\" needs to be 1 or higher for \"redirect\" to work"; + return "Either \"verifyChain\" or \"verifyPeer\" has to be enabled for \"redirect\" to work"; } break; case CMD_FREE: 
@@ -3594,6 +3594,15 @@ return "Failed to open the engine"; } engine_initialized=0; + if(ENGINE_ctrl(engines[current_engine], ENGINE_CTRL_SET_USER_INTERFACE, + 0, UI_stunnel(), NULL)) { + s_log(LOG_NOTICE, "UI set for engine #%d (%s)", + current_engine+1, ENGINE_get_id(engines[current_engine])); + } else { + ERR_clear_error(); + s_log(LOG_INFO, "UI not supported by engine #%d (%s)", + current_engine+1, ENGINE_get_id(engines[current_engine])); + } return NULL; /* OK */ } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/src/os2.mak new/stunnel-5.41/src/os2.mak --- old/stunnel-5.40/src/os2.mak 2017-01-02 15:27:26.000000000 +0100 +++ new/stunnel-5.41/src/os2.mak 2017-02-02 15:21:32.000000000 +0100 @@ -1,11 +1,11 @@ prefix=. DEFS = -DPACKAGE_NAME=\"stunnel\" \ -DPACKAGE_TARNAME=\"stunnel\" \ - -DPACKAGE_VERSION=\"5.40\" \ - -DPACKAGE_STRING=\"stunnel\ 5.40\" \ + -DPACKAGE_VERSION=\"5.41\" \ + -DPACKAGE_STRING=\"stunnel\ 5.41\" \ -DPACKAGE_BUGREPORT=\"\" \ -DPACKAGE=\"stunnel\" \ - -DVERSION=\"5.40\" \ + -DVERSION=\"5.41\" \ -DSTDC_HEADERS=1 \ -DHAVE_SYS_TYPES_H=1 \ -DHAVE_SYS_STAT_H=1 \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/src/prototypes.h new/stunnel-5.41/src/prototypes.h --- old/stunnel-5.40/src/prototypes.h 2017-01-02 15:27:26.000000000 +0100 +++ new/stunnel-5.41/src/prototypes.h 2017-03-26 22:25:00.000000000 +0200 @@ -46,10 +46,6 @@ /**************************************** data structures */ -/* non-zero constants for the "redirect" option */ -#define REDIRECT_ON 1 -#define REDIRECT_OFF 2 - #if defined (USE_WIN32) #define ICON_IMAGE HICON #elif defined(__APPLE__) 
@@ -410,7 +406,6 @@ FD *ssl_rfd, *ssl_wfd; /* read and write TLS descriptors */ uint64_t sock_bytes, ssl_bytes; /* bytes written to socket and TLS */ s_poll_set *fds; /* file descriptors */ - uintptr_t redirect; /* redirect to another destination after failed auth */ } CLI; /**************************************** prototypes for stunnel.c */ @@ -491,17 +486,15 @@ /**************************************** prototypes for ssl.c */ -extern int index_cli, index_opt, index_redirect, index_addr; +extern int index_ssl_cli, index_ssl_ctx_opt; +extern int index_session_authenticated, index_session_connect_address; int ssl_init(void); int ssl_configure(GLOBAL_OPTIONS *); /**************************************** prototypes for ctx.c */ -typedef struct { - SERVICE_OPTIONS *section; - char pass[PEM_BUFSIZE]; -} UI_DATA; +extern SERVICE_OPTIONS *current_section; #ifndef OPENSSL_NO_DH extern DH *dh_params; @@ -802,7 +795,7 @@ void message_box(LPCTSTR, const UINT); #endif /* USE_WIN32 */ -int passwd_cb(char *, int, int, void *); +int ui_passwd_cb(char *, int, int, void *); #ifndef OPENSSL_NO_ENGINE UI_METHOD *UI_stunnel(void); #endif /* !defined(OPENSSL_NO_ENGINE) */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/src/ssl.c new/stunnel-5.41/src/ssl.c --- old/stunnel-5.40/src/ssl.c 2017-01-02 15:27:26.000000000 +0100 +++ new/stunnel-5.41/src/ssl.c 2017-03-26 22:25:00.000000000 +0200 @@ -47,7 +47,8 @@ NOEXPORT int prng_init(GLOBAL_OPTIONS *); NOEXPORT int add_rand_file(GLOBAL_OPTIONS *, const char *); -int index_cli, index_opt, index_redirect, index_addr; +int index_ssl_cli, index_ssl_ctx_opt; +int index_session_authenticated, index_session_connect_address; int ssl_init(void) { /* init TLS before parsing configuration file */ #if OPENSSL_VERSION_NUMBER>=0x10100000L 
@@ -57,15 +58,17 @@ SSL_load_error_strings(); SSL_library_init(); #endif - index_cli=SSL_get_ex_new_index(0, "cli index", - NULL, NULL, NULL); - index_opt=SSL_CTX_get_ex_new_index(0, "opt index", - NULL, NULL, NULL); - index_redirect=SSL_SESSION_get_ex_new_index(0, "redirect index", - NULL, NULL, NULL); - index_addr=SSL_SESSION_get_ex_new_index(0, "addr index", - NULL, NULL, cb_free); - if(index_cli<0 || index_opt<0 || index_redirect<0 || index_addr<0) { + index_ssl_cli=SSL_get_ex_new_index(0, + "CLI pointer", NULL, NULL, NULL); + index_ssl_ctx_opt=SSL_CTX_get_ex_new_index(0, + "SERVICE_OPTIONS pointer", NULL, NULL, NULL); + index_session_authenticated=SSL_SESSION_get_ex_new_index(0, + "session authenticated", NULL, NULL, NULL); + index_session_connect_address=SSL_SESSION_get_ex_new_index(0, + "session connect address", NULL, NULL, cb_free); + if(index_ssl_cli<0 || index_ssl_ctx_opt<0 || + index_session_authenticated<0 || + index_session_connect_address<0) { s_log(LOG_ERR, "Application specific data initialization failed"); return 1; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/src/str.c new/stunnel-5.41/src/str.c --- old/stunnel-5.40/src/str.c 2017-01-02 15:27:26.000000000 +0100 +++ new/stunnel-5.41/src/str.c 2017-03-23 15:42:08.000000000 +0100 @@ -84,7 +84,7 @@ } LEAK_ENTRY; NOEXPORT LEAK_ENTRY leak_hash_table[LEAK_TABLE_SIZE], *leak_results[LEAK_TABLE_SIZE]; -NOEXPORT int leak_result_num=0; +NOEXPORT volatile int leak_result_num=0; #ifdef USE_WIN32 NOEXPORT LPTSTR str_vtprintf(LPCTSTR, va_list); @@ -411,7 +411,6 @@ static size_t entries=0; LEAK_ENTRY *entry; int new_entry, allocations; - long limit; #ifndef USE_FORK if(!stunnel_locks[STUNNEL_LOCKS-1]) /* threads not initialized */ 
@@ -448,17 +447,25 @@
 allocations=(entry->num+=change); /* we just need an estimate... */ #endif
- limit=leak_threshold();
-
- if(allocations>limit) {
- CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_LEAK_RESULTS]);
- if(allocations>entry->max) {
- if(entry->max==0) /* discovered for the first time */
- leak_results[leak_result_num++]=entry;
- entry->max=allocations;
- }
- CRYPTO_THREAD_write_unlock(stunnel_locks[LOCK_LEAK_RESULTS]);
+ if(allocations<=leak_threshold()) /* leak not detected */
+ return;
+ if(allocations<=entry->max) /* not the biggest leak for this entry */
+ return;
+ if(entry->max) { /* not the first time we found a leak for this entry */
+ entry->max=allocations; /* just update the value */
+ return;
 }
+ /* we *may* need to allocate a new leak_results entry */
+ /* locking is slow, so we try to avoid it if possible */
+ CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_LEAK_RESULTS]);
+ if(entry->max==0) { /* the table may have changed */
+ leak_results[leak_result_num]=entry;
+ entry->max=allocations;
+ ++leak_result_num; /* at the end to avoid a lock in leak_report() */
+ } else { /* gracefully handle the race condition */
+ entry->max=allocations;
+ }
+ CRYPTO_THREAD_write_unlock(stunnel_locks[LOCK_LEAK_RESULTS]);
 } /* O(1) hash table lookup */
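Review bot: The lock-free path reads and writes `entry->max` and publishes `leak_results[leak_result_num]=entry` to leak_report() with only the `volatile` qualifier on `leak_result_num` as synchronisation; `volatile` orders nothing relative to other memory accesses and `leak_results[]` is neither volatile nor atomic, so this is a data race under C11 and neither the compiler nor a weakly ordered CPU has to make the pointer store visible before the incremented count. The damage is limited to the debug-only leak statistics (a missed or duplicated warning), which may be acceptable, but that should be said explicitly rather than left to `we just need an estimate`. If the compiler baseline allows C11, `atomic_int leak_result_num` with `atomic_store_explicit(&leak_result_num, ..., memory_order_release)` after the array store and an acquire load in leak_report() is the minimal correct fix; otherwise keep the `volatile` and add `/* best-effort: races here only affect the leak report */`. The enclosing function starts and ends outside this hunk.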
@@ -478,14 +485,12 @@
 long limit; limit=leak_threshold();
-
- CRYPTO_THREAD_read_lock(stunnel_locks[LOCK_LEAK_RESULTS]);
 for(i=0; i<leak_result_num; ++i)
- if(leak_results[i]->max>limit) /* the limit could have changed */
+ if(leak_results[i] /* an officious compiler could reorder code */ &&
+ leak_results[i]->max>limit /* the limit could have changed */)
 s_log(LOG_WARNING, "Possible memory leak at %s:%d: %d allocations", leak_results[i]->alloc_file, leak_results[i]->alloc_line, leak_results[i]->max);
- CRYPTO_THREAD_read_unlock(stunnel_locks[LOCK_LEAK_RESULTS]);
 } NOEXPORT long leak_threshold() {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/src/stunnel.c new/stunnel-5.41/src/stunnel.c
--- old/stunnel-5.40/src/stunnel.c 2017-01-19 09:51:32.000000000 +0100
+++ new/stunnel-5.41/src/stunnel.c 2017-03-19 23:36:20.000000000 +0100
@@ -225,7 +225,6 @@
 #ifdef USE_FORK NOEXPORT void client_status(void) { /* dead children detected */ int pid, status;
- char *sig_name;
 #ifdef HAVE_WAIT_FOR_PID while((pid=wait_for_pid(-1, &status, WNOHANG))>0) {
@@ -234,7 +233,7 @@
 #endif #ifdef WIFSIGNALED if(WIFSIGNALED(status)) {
- sig_name=signal_name(WTERMSIG(status));
+ char *sig_name=signal_name(WTERMSIG(status));
 s_log(LOG_DEBUG, "Process %d terminated on %s", pid, sig_name); str_free(sig_name);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/src/ui_unix.c new/stunnel-5.41/src/ui_unix.c
--- old/stunnel-5.40/src/ui_unix.c 2017-01-02 15:27:26.000000000 +0100
+++ new/stunnel-5.41/src/ui_unix.c 2017-02-19 23:16:00.000000000 +0100
@@ -255,9 +255,8 @@
 /**************************************** ctx callbacks */
-int passwd_cb(char *buf, int size, int rwflag, void *userdata) {
- (void)userdata; /* squash the unused parameter warning */
- return PEM_def_callback(buf, size, rwflag, NULL);
+int ui_passwd_cb(char *buf, int size, int rwflag, void *userdata) {
+ return PEM_def_callback(buf, size, rwflag, userdata);
 } #ifndef OPENSSL_NO_ENGINE
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/src/ui_win_cli.c new/stunnel-5.41/src/ui_win_cli.c
--- old/stunnel-5.40/src/ui_win_cli.c 2017-01-02 15:27:26.000000000 +0100
+++ new/stunnel-5.41/src/ui_win_cli.c 2017-02-19 23:16:00.000000000 +0100
@@ -125,9 +125,8 @@
 /**************************************** ctx callbacks */
-int passwd_cb(char *buf, int size, int rwflag, void *userdata) {
- (void)userdata; /* squash the unused parameter warning */
- return PEM_def_callback(buf, size, rwflag, NULL);
+int ui_passwd_cb(char *buf, int size, int rwflag, void *userdata) {
+ return PEM_def_callback(buf, size, rwflag, userdata);
 } #ifndef OPENSSL_NO_ENGINE
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/src/ui_win_gui.c new/stunnel-5.41/src/ui_win_gui.c
--- old/stunnel-5.40/src/ui_win_gui.c 2017-01-02 15:27:26.000000000 +0100
+++ new/stunnel-5.41/src/ui_win_gui.c 2017-02-23 14:52:40.000000000 +0100
@@ -137,14 +137,14 @@
 static HANDLE config_ready=NULL; /* reload without a valid configuration */ static LONG new_logs=0;
-static UI_DATA *ui_data=NULL;
-
 static struct { char *config_file; unsigned service:1, install:1, uninstall:1, start:1, stop:1, quiet:1, exit:1, reload:1, reopen:1; } cmdline;
+static char ui_pass[PEM_BUFSIZE];
+
 /**************************************** initialization */ int WINAPI WinMain(HINSTANCE this_instance, HINSTANCE prev_instance,
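Review bot: Forwarding `userdata` to PEM_def_callback() changes its meaning: in OpenSSL's implementation a non-NULL userdata is treated as the pass phrase itself and copied into `buf` without prompting, which is presumably why the old code passed `NULL`. That is fine while every caller passes NULL or a genuine C string (load_key_engine() now passes NULL, and cache_passwd_set_cb() relays whatever OpenSSL hands it, normally the SSL_CTX default passwd userdata), but a caller still passing a struct pointer would have it read as a string, so the contract belongs in a comment above the function, e.g. `/* userdata, if non-NULL, is a NUL-terminated pass phrase (PEM_def_callback() semantics) */`. Note that the Windows GUI ui_passwd_cb() in ui_win_gui.c discards userdata and always opens the dialog, so a pass phrase supplied this way works in the Unix and CLI builds but not in the GUI build.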
@@ -693,11 +693,13 @@
 /* set the default push button to "Cancel" */ SendMessage(dialog_handle, DM_SETDEFID, (WPARAM)IDCANCEL, (LPARAM)0);
- key_file_name=str2tstr(ui_data->section->key);
- titlebar=str_tprintf(TEXT("Private key: %s"), key_file_name);
- str_free(key_file_name);
- SetWindowText(dialog_handle, titlebar);
- str_free(titlebar);
+ if(current_section) { /* should always be set */
+ key_file_name=str2tstr(current_section->key);
+ titlebar=str_tprintf(TEXT("Private key: %s"), key_file_name);
+ str_free(key_file_name);
+ SetWindowText(dialog_handle, titlebar);
+ str_free(titlebar);
+ }
 return TRUE; case WM_COMMAND:
@@ -722,9 +724,9 @@
 (WPARAM)0 /* line 0 */, (LPARAM)pass_dialog.txt); pass_dialog.txt[pass_len]='\0'; /* null-terminate the string */
- /* convert input passphrase to UTF-8 string (as ui_data->pass) */
+ /* convert input passphrase to UTF-8 string (as ui_pass) */
 pass_txt=tstr2str(pass_dialog.txt);
- strcpy(ui_data->pass, pass_txt);
+ strcpy(ui_pass, pass_txt);
 str_free(pass_txt); EndDialog(dialog_handle, TRUE);
@@ -741,17 +743,21 @@
 UNREFERENCED_PARAMETER(lParam); }
-int passwd_cb(char *buf, int size, int rwflag, void *userdata) {
- (void)rwflag; /* squash the unused parameter warning */
+int ui_passwd_cb(char *buf, int size, int rwflag, void *userdata) {
+ int len;
- ui_data=userdata;
- if(size<0) /* just in case */
- return 0;
+ (void)rwflag; /* squash the unused parameter warning */
+ (void)userdata; /* squash the unused parameter warning */
 if(!DialogBox(ghInst, TEXT("PassBox"), hwnd, (DLGPROC)pass_proc))
- return 0; /* error */
- strncpy(buf, ui_data->pass, (size_t)size);
- buf[size-1]='\0';
- return (int)strlen(buf);
+ return 0; /* dialog cancelled or failed */
+ len=(int)strlen(ui_pass);
+ if(len<0 || size<0) /* the API uses signed integers */
+ return 0;
+ if(len>size) /* truncate the returned data if needed */
+ len=size;
+ memcpy(buf, ui_pass, (size_t)len);
+ memset(ui_pass, 0, sizeof ui_pass);
+ return len;
 } #ifndef OPENSSL_NO_ENGINE
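Review bot: pass_proc() now reads the process-wide global `current_section` instead of the per-call UI_DATA, and this diff does not show where it is assigned, so `/* should always be set */` records a hope rather than a contract; name the setter, e.g. `/* set by the key-loading code before any prompt; NULL only if a prompt fires outside configuration loading */`. A global also means the title bar can name the wrong key file if two sections' keys are loaded while a dialog is open (configuration reload), which I cannot rule out from this hunk. pass_proc() starts and ends outside the hunk.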
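Review bot: `strcpy(ui_pass, pass_txt)` is unbounded: `ui_pass` is `PEM_BUFSIZE` bytes, while `pass_txt` is the UTF-8 conversion of the dialog text and can be up to three bytes per UTF-16 code unit, so unless the edit control's length limit is at most a third of PEM_BUFSIZE (not visible here) a long pass phrase overflows the static buffer; the old copy into `ui_data->pass` had the same gap. Rejecting rather than silently truncating a secret is the safer fix, `if(strlen(pass_txt)>=sizeof ui_pass) { str_free(pass_txt); EndDialog(dialog_handle, FALSE); return TRUE; }` placed before the copy. `pass_txt` and `pass_dialog.txt` still contain the pass phrase when they are freed or left behind; wiping them (OPENSSL_cleanse or memset before `str_free`) would match the new `memset(ui_pass, ...)` in ui_passwd_cb().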
@@ -770,14 +776,10 @@
 } NOEXPORT int pin_cb(UI *ui, UI_STRING *uis) {
- ui_data=UI_get0_user_data(ui); /* was: ui_data=UI_get_app_data(ui); */
- if(!ui_data) {
- s_log(LOG_ERR, "INTERNAL ERROR: user data data pointer");
- return 0;
- }
 if(!DialogBox(ghInst, TEXT("PassBox"), hwnd, (DLGPROC)pass_proc))
- return 0; /* error */
- UI_set_result(ui, uis, ui_data->pass);
+ return 0; /* dialog cancelled or failed */
+ UI_set_result(ui, uis, ui_pass);
+ memset(ui_pass, 0, sizeof ui_pass);
 return 1; } #endif
@@ -993,7 +995,7 @@
 TEXT("Peer certificate chain has been saved.\n") TEXT("Add the following lines to section [%s]:\n") TEXT("\tCAfile = peer-%s.pem\n")
- TEXT("\tverify = 3\n")
+ TEXT("\tverifyPeer = yes\n")
 TEXT("to enable cryptographic authentication.\n") TEXT("Then reload stunnel configuration file."), servname, servname);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/src/verify.c new/stunnel-5.41/src/verify.c
--- old/stunnel-5.40/src/verify.c 2017-01-02 15:27:26.000000000 +0100
+++ new/stunnel-5.41/src/verify.c 2017-03-26 22:25:00.000000000 +0200
@@ -183,7 +183,7 @@
 return; #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ s_log(LOG_WARNING,
- "Service [%s] uses \"verify = 2\" without subject checks",
+ "Service [%s] uses \"verifyChain\" without subject checks",
 section->servname); #if OPENSSL_VERSION_NUMBER<0x10002000L s_log(LOG_WARNING,
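Review bot: The return value of `UI_set_result(ui, uis, ui_pass)` is ignored, yet in OpenSSL it fails (returns -1) when the PIN length falls outside the bounds the engine declared for the UI_STRING, after which pin_cb() still reports success with no result set. Check it before wiping: `if(UI_set_result(ui, uis, ui_pass)<0) { memset(ui_pass, 0, sizeof ui_pass); return 0; }`. As `ui_pass` holds a secret and this file already links OpenSSL, `OPENSSL_cleanse(ui_pass, sizeof ui_pass)` is the wipe guaranteed not to be optimised away, although for a file-scope static a plain memset is in practice retained.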
@@ -208,20 +208,24 @@
 /* retrieve application specific data */ ssl=X509_STORE_CTX_get_ex_data(callback_ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
- c=SSL_get_ex_data(ssl, index_cli);
+ c=SSL_get_ex_data(ssl, index_ssl_cli);
 if(!c->opt->option.verify_chain && !c->opt->option.verify_peer) { s_log(LOG_INFO, "Certificate verification disabled"); return 1; /* accept */ }
- if(verify_checks(c, preverify_ok, callback_ctx))
+ if(verify_checks(c, preverify_ok, callback_ctx)) {
+ if(!SSL_SESSION_set_ex_data(SSL_get_session(ssl),
+ index_session_authenticated, (void *)(-1))) {
+ sslerror("SSL_SESSION_set_ex_data");
+ return 0; /* reject */
+ }
 return 1; /* accept */
+ }
 if(c->opt->option.client || c->opt->protocol) return 0; /* reject */
- if(c->opt->redirect_addr.names) {
- c->redirect=REDIRECT_ON;
+ if(c->opt->redirect_addr.names)
 return 1; /* accept */
- }
 return 0; /* reject */ }
@@ -261,19 +265,22 @@
 NOEXPORT int cert_check(CLI *c, X509_STORE_CTX *callback_ctx, int preverify_ok) {
+ int err=X509_STORE_CTX_get_error(callback_ctx);
 int depth=X509_STORE_CTX_get_error_depth(callback_ctx); if(preverify_ok) { s_log(LOG_DEBUG, "CERT: Pre-verification succeeded"); } else { /* remote site sent an invalid certificate */
- if(c->opt->option.verify_chain || depth==0) {
+ if(c->opt->option.verify_chain || (depth==0 &&
+ err!=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY &&
+ err!=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {
 s_log(LOG_WARNING, "CERT: Pre-verification error: %s",
- X509_verify_cert_error_string(
- X509_STORE_CTX_get_error(callback_ctx)));
+ X509_verify_cert_error_string(err));
 /* retain the STORE_CTX error produced by pre-verification */ return 0; /* reject */ }
- s_log(LOG_INFO, "CERT: Invalid CA certificate ignored");
+ s_log(LOG_INFO, "CERT: Pre-verification error ignored: %s",
+ X509_verify_cert_error_string(err));
 } if(depth==0) { /* additional peer certificate checks */
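Review bot: `index_session_authenticated` is set whenever verify_checks() succeeds, and OpenSSL invokes this callback once per chain element, deepest first; if verify_checks() returns 1 for an intermediate certificate, as cert_check() below appears to for any element that pre-verifies, the session is flagged before the leaf at depth 0 is examined, and when the leaf then fails and the `redirect_addr.names` branch accepts the handshake, the flag stays on a session that was redirected rather than authenticated and is inherited on resumption. Restricting the store to the leaf, `if(X509_STORE_CTX_get_error_depth(callback_ctx)==0 && !SSL_SESSION_set_ex_data(...))`, or clearing it in the redirect branch with `SSL_SESSION_set_ex_data(SSL_get_session(ssl), index_session_authenticated, NULL)`, closes that window; I cannot see where the flag is consumed, so this is inferred from the names. The `(void *)(-1)` sentinel deserves a named macro plus a note that the slot was registered without a free callback, which is what makes a non-pointer value safe. The enclosing verify callback's head is outside the hunk.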
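Review bot: With `verifyChain` off, cert_check() now passes a depth-0 certificate through pre-verification when the only error is `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY` or `X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE`, i.e. a certificate from an issuer we do not trust; from here the only thing stopping an arbitrary certificate is the `verifyPeer` pinning under `if(depth==0)` (outside this hunk), which the early return in the calling verify callback guarantees is enabled whenever `verify_chain` is not. That dependency should be written where the two errors are whitelisted, e.g. `/* an unknown issuer is tolerated only because verifyPeer pins the leaf itself below; every other depth-0 error still rejects */`, so a later change cannot loosen the pinning without noticing. cert_check()'s tail is outside the hunk.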
@@ -333,22 +340,18 @@ } #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ +#if OPENSSL_VERSION_NUMBER>=0x10000000L +/* modern implementation for OpenSSL version >= 1.0.0 */ + NOEXPORT int cert_check_local(X509_STORE_CTX *callback_ctx) { X509 *cert; X509_NAME *subject; -#if OPENSSL_VERSION_NUMBER>=0x10000000L STACK_OF(X509) *sk; int i; -#endif -#if OPENSSL_VERSION_NUMBER<0x10100000L - X509_OBJECT obj; - int success; -#endif cert=X509_STORE_CTX_get_current_cert(callback_ctx); subject=X509_get_subject_name(cert); -#if OPENSSL_VERSION_NUMBER>=0x10000000L #if OPENSSL_VERSION_NUMBER<0x10100006L #define X509_STORE_CTX_get1_certs X509_STORE_get1_certs #endif 
@@ -362,29 +365,44 @@ } sk_X509_pop_free(sk, X509_free); } -#endif -#if OPENSSL_VERSION_NUMBER<0x10100000L + s_log(LOG_WARNING, "CERT: Certificate not found in local repository"); + X509_STORE_CTX_set_error(callback_ctx, X509_V_ERR_CERT_REJECTED); + return 0; /* reject */ +} + +#else /* OPENSSL_VERSION_NUMBER<0x10000000L */ +/* legacy implementation for OpenSSL version < 1.0.0 */ + +NOEXPORT int cert_check_local(X509_STORE_CTX *callback_ctx) { + X509 *cert; + X509_NAME *subject; + X509_OBJECT obj; + int success; + + cert=X509_STORE_CTX_get_current_cert(callback_ctx); + subject=X509_get_subject_name(cert); + /* pre-1.0.0 API only returns a single matching certificate */ - /* we also invoke it for other OpenSSL versions before 1.1.0 */ memset((char *)&obj, 0, sizeof obj); if(X509_STORE_get_by_subject(callback_ctx, X509_LU_X509, subject, &obj)<=0) { - s_log(LOG_WARNING, - "CERT: Certificate not found in local repository"); + s_log(LOG_WARNING, "CERT: Certificate not found in local repository"); + X509_STORE_CTX_set_error(callback_ctx, X509_V_ERR_CERT_REJECTED); return 0; /* reject */ } success=compare_pubkeys(cert, obj.data.x509); X509_OBJECT_free_contents(&obj); if(success) return 1; /* accept */ -#endif s_log(LOG_WARNING, "CERT: Public keys do not match"); X509_STORE_CTX_set_error(callback_ctx, X509_V_ERR_CERT_REJECTED); return 0; /* reject */ } +#endif /* OPENSSL_VERSION_NUMBER>=0x10000000L */ + NOEXPORT int compare_pubkeys(X509 *c1, X509 *c2) { ASN1_BIT_STRING *k1=X509_get0_pubkey_bitstr(c1); ASN1_BIT_STRING *k2=X509_get0_pubkey_bitstr(c2); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/src/version.h new/stunnel-5.41/src/version.h --- old/stunnel-5.40/src/version.h 2017-01-02 15:27:26.000000000 +0100 +++ new/stunnel-5.41/src/version.h 2017-02-02 15:04:02.000000000 +0100 
@@ -65,7 +65,7 @@ /* START CUSTOMIZE */ #define VERSION_MAJOR 5 -#define VERSION_MINOR 40 +#define VERSION_MINOR 41 /* END CUSTOMIZE */ /* all the following macros are ABSOLUTELY NECESSARY to have proper string diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/tools/stunnel.nsi new/stunnel-5.41/tools/stunnel.nsi --- old/stunnel-5.40/tools/stunnel.nsi 2017-01-02 15:27:26.000000000 +0100 +++ new/stunnel-5.41/tools/stunnel.nsi 2017-04-01 11:21:22.000000000 +0200 @@ -49,7 +49,7 @@ !define /ifndef ZLIB_DIR ${BIN_DIR}\zlib !define /ifndef REDIST_DIR ${BIN_DIR}\redist -!define /ifndef LIBP11_DIR ${ROOT_DIR}\src\libp11-0.4.3\src +!define /ifndef LIBP11_DIR ${ROOT_DIR}\src\libp11-0.4.5\src !define MUI_ICON ${STUNNEL_SRC_DIR}\stunnel.ico diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/stunnel-5.40/tools/stunnel.spec new/stunnel-5.41/tools/stunnel.spec --- old/stunnel-5.40/tools/stunnel.spec 2017-01-02 15:27:26.000000000 +0100 +++ new/stunnel-5.41/tools/stunnel.spec 2017-02-02 15:21:59.000000000 +0100 @@ -1,5 +1,5 @@ Name: stunnel -Version: 5.40 +Version: 5.41 Release: 1%{?dist} Summary: An TLS-encrypting socket wrapper Group: Applications/Internet