From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id DEF59158089 for ; Wed, 8 Nov 2023 00:16:25 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id C46B02BC01D; Wed, 8 Nov 2023 00:16:24 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 93F992BC01D for ; Wed, 8 Nov 2023 00:16:24 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 3C7B7335D2E for ; Wed, 8 Nov 2023 00:16:23 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 87F1FAAC for ; Wed, 8 Nov 2023 00:16:21 +0000 (UTC) From: "orbea" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "orbea" Message-ID: <1699402544.7648230ba97b7376a03c836c82e38a23df7a93ef.orbea@gentoo> Subject: [gentoo-commits] repo/proj/libressl:master commit in: net-misc/stunnel/files/, net-misc/stunnel/ X-VCS-Repository: repo/proj/libressl X-VCS-Files: net-misc/stunnel/Manifest net-misc/stunnel/files/stunnel-5.71-dont-clobber-fortify-source.patch net-misc/stunnel/files/stunnel-5.71-libressl.patch net-misc/stunnel/files/stunnel-5.71-respect-EPYTHON-for-tests.patch net-misc/stunnel/stunnel-5.71.ebuild X-VCS-Directories: net-misc/stunnel/ net-misc/stunnel/files/ X-VCS-Committer: orbea X-VCS-Committer-Name: orbea X-VCS-Revision: 7648230ba97b7376a03c836c82e38a23df7a93ef X-VCS-Branch: master Date: Wed, 8 Nov 2023 00:16:21 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 207da756-9a33-4ac2-876e-50ee7ffa120b X-Archives-Hash: 495031334e336168ee173ec9a26823a5 commit: 7648230ba97b7376a03c836c82e38a23df7a93ef Author: orbea riseup net> AuthorDate: Wed Nov 8 00:08:38 2023 +0000 Commit: orbea riseup net> CommitDate: Wed Nov 8 00:15:44 2023 +0000 URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=7648230b net-misc/stunnel: add 5.71 Signed-off-by: orbea riseup.net> net-misc/stunnel/Manifest | 1 + .../stunnel-5.71-dont-clobber-fortify-source.patch | 15 + net-misc/stunnel/files/stunnel-5.71-libressl.patch | 302 +++++++++++++++++++++ .../stunnel-5.71-respect-EPYTHON-for-tests.patch | 12 + net-misc/stunnel/stunnel-5.71.ebuild | 126 +++++++++ 5 files changed, 456 insertions(+) diff --git a/net-misc/stunnel/Manifest b/net-misc/stunnel/Manifest index 1f9de10..de88c81 100644 --- a/net-misc/stunnel/Manifest +++ b/net-misc/stunnel/Manifest @@ -1,3 +1,4 @@ DIST stunnel-5.64.tar.gz 869088 BLAKE2B c6be054b825e57c1ac44adf28d4546ab78250cf9d7b17bc9e039d2715ca2316fef674a3ed2c4419a5a7ad6fa85b56809f736d0dca0bc672521347d5f51d2ed23 SHA512 85ed22664420db3c97b871f1afeb6483e547f421f0419fed1ccb4f3563ea154b6aeb6ae7221f001557c786a3406ada4c7b0d44b208dcf98f16209229aee4e0aa DIST stunnel-5.65.tar.gz 872293 BLAKE2B 45cc4dd0ec91cb9a99c10d26910b05325af29ec2609c0b86d5aceb07fbd495ff6fe39b0fe2c5895358596ee34ed822870c6eb1a538e30557f4485d042f5ae781 SHA512 96ca0535a07d5ea050a5d985c0ab6299bb92e551715120f536869a7b408b795fdc251782aaa7a4a282749d3146726d71c8b3c25430969aa55745a863abe5728a DIST stunnel-5.68.tar.gz 884989 BLAKE2B e2551b2052db0719203b24dcf16a2ef74c078dccd1200d25502defcef1301456e755a71a1a2b6ab7b43fc9ddc04cd031fca83ffb760528133a0e22ae22e64d40 SHA512 cdc3b8ab4cd35ba722b5248c005ae58a39d79a80600447417b1d0d01fd3aa9e8b22f8568c3177423be99d7395bb15a8754e975fb953556cd80a9cc11e185e9fb +DIST stunnel-5.71.tar.gz 895646 BLAKE2B d323363c7bfdd6c0b7931b84a6069cf9a8337e967c31e14d15976d7932f0c0d6f40f7a1cbf5abbdff0e9edc52176cdcead4f848653088193b2debf4e77443b42 SHA512 c7004f48b93b3415305eec1193d51b7bf51a3bdd2cdc9f6ae588f563b32408b1ecde83b9f3f5b658f945ab5bcc5124390c38235394aad4471bf5b666081af2a2 diff --git a/net-misc/stunnel/files/stunnel-5.71-dont-clobber-fortify-source.patch b/net-misc/stunnel/files/stunnel-5.71-dont-clobber-fortify-source.patch new file mode 100644 index 0000000..723b9c5 --- /dev/null +++ b/net-misc/stunnel/files/stunnel-5.71-dont-clobber-fortify-source.patch @@ -0,0 +1,15 @@ +Don't clobber toolchain defaults. + +https://bugs.gentoo.org/892992 +--- a/configure.ac ++++ b/configure.ac +@@ -109,7 +109,8 @@ if test "${GCC}" = yes; then + AX_APPEND_LINK_FLAGS([-Wl,-z,now]) + AX_APPEND_LINK_FLAGS([-Wl,-z,noexecstack]) + fi +-AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2]) ++ ++AX_ADD_FORTIFY_SOURCE + + AC_MSG_NOTICE([**************************************** libtool]) + LT_INIT([disable-static]) diff --git a/net-misc/stunnel/files/stunnel-5.71-libressl.patch b/net-misc/stunnel/files/stunnel-5.71-libressl.patch new file mode 100644 index 0000000..cd29227 --- /dev/null +++ b/net-misc/stunnel/files/stunnel-5.71-libressl.patch @@ -0,0 +1,302 @@ +Rebased from an OpenBSD patch. + +--- a/src/client.c ++++ b/src/client.c +@@ -783,7 +783,7 @@ NOEXPORT void print_cipher(CLI *c) { /* print negotiated cipher */ + NOEXPORT void transfer(CLI *c) { + int timeout; /* s_poll_wait timeout in seconds */ + int pending; /* either processed on unprocessed TLS data */ +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + int has_pending=0, prev_has_pending; + #endif + int watchdog=0; /* a counter to detect an infinite loop */ +@@ -830,7 +830,7 @@ NOEXPORT void transfer(CLI *c) { + + /****************************** wait for an event */ + pending=SSL_pending(c->ssl); +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + /* only attempt to process SSL_has_pending() data once */ + prev_has_pending=has_pending; + has_pending=SSL_has_pending(c->ssl); +@@ -1253,7 +1253,7 @@ NOEXPORT void transfer(CLI *c) { + s_log(LOG_ERR, + "please report the problem to Michal.Trojnara@stunnel.org"); + stunnel_info(LOG_ERR); +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + s_log(LOG_ERR, "protocol=%s, SSL_pending=%d, SSL_has_pending=%d", + SSL_get_version(c->ssl), + SSL_pending(c->ssl), SSL_has_pending(c->ssl)); +--- a/src/common.h ++++ b/src/common.h +@@ -459,7 +459,7 @@ extern char *sys_errlist[]; + #define OPENSSL_NO_TLS1_2 + #endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */ + +-#if OPENSSL_VERSION_NUMBER>=0x10100000L ++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + #ifndef OPENSSL_NO_SSL2 + #define OPENSSL_NO_SSL2 + #endif /* !defined(OPENSSL_NO_SSL2) */ +@@ -505,7 +505,7 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); + /* not defined in public headers before OpenSSL 0.9.8 */ + STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void); + #endif /* !defined(OPENSSL_NO_COMP) */ +-#if OPENSSL_VERSION_NUMBER>=0x10101000L ++#if OPENSSL_VERSION_NUMBER>=0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) + #include + #endif /* OPENSSL_VERSION_NUMBER>=0x10101000L */ + #if OPENSSL_VERSION_NUMBER>=0x30000000L +--- a/src/ctx.c ++++ b/src/ctx.c +@@ -94,7 +94,7 @@ NOEXPORT void set_prompt(const char *); + NOEXPORT int ui_retry(void); + + /* session tickets */ +-#if OPENSSL_VERSION_NUMBER >= 0x10101000L ++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) + NOEXPORT int generate_session_ticket_cb(SSL *, void *); + NOEXPORT int decrypt_session_ticket_cb(SSL *, SSL_SESSION *, + const unsigned char *, size_t, SSL_TICKET_STATUS, void *); +@@ -133,7 +133,7 @@ NOEXPORT void sslerror_log(unsigned long, const char *, int, const char *); + + /**************************************** initialize section->ctx */ + +-#if OPENSSL_VERSION_NUMBER>=0x10100000L ++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + typedef long unsigned SSL_OPTIONS_TYPE; + #else + typedef long SSL_OPTIONS_TYPE; +@@ -186,7 +186,7 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */ + } + current_section=section; /* setup current section for callbacks */ + +-#if OPENSSL_VERSION_NUMBER>=0x10100000L ++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + /* set the security level */ + if(section->security_level>=0) { + /* set the user-specified value */ +@@ -274,7 +274,7 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */ + #endif + + /* setup session tickets */ +-#if OPENSSL_VERSION_NUMBER >= 0x10101000L ++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) + SSL_CTX_set_session_ticket_cb(section->ctx, generate_session_ticket_cb, + decrypt_session_ticket_cb, NULL); + #endif /* OpenSSL 1.1.1 or later */ +@@ -573,7 +573,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) { + /**************************************** initialize OpenSSL CONF */ + + NOEXPORT int conf_init(SERVICE_OPTIONS *section) { +-#if OPENSSL_VERSION_NUMBER>=0x10002000L ++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) + SSL_CONF_CTX *cctx; + NAME_LIST *curr; + char *cmd, *param; +@@ -1133,7 +1133,7 @@ NOEXPORT int ui_retry() { + + /**************************************** session tickets */ + +-#if OPENSSL_VERSION_NUMBER >= 0x10101000L ++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) + + typedef struct { + void *session_authenticated; +@@ -1621,7 +1621,7 @@ NOEXPORT void info_callback(const SSL *ssl, int where, int ret) { + CLI *c; + SSL_CTX *ctx; + const char *state_string; +-#if OPENSSL_VERSION_NUMBER>=0x10100000L ++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + OSSL_HANDSHAKE_STATE state=SSL_get_state(ssl); + #else + int state=SSL_get_state((SSL *)ssl); +--- a/src/ocsp.c ++++ b/src/ocsp.c +@@ -108,7 +108,7 @@ int ocsp_init(SERVICE_OPTIONS *section) { + } + s_log(LOG_DEBUG, "OCSP: Client OCSP stapling enabled"); + } else { +-#if OPENSSL_VERSION_NUMBER>=0x10002000L ++#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) + if(!section->psk_keys) { + if(SSL_CTX_set_tlsext_status_cb(section->ctx, ocsp_server_cb)==TLSEXT_STATUSTYPE_ocsp) + s_log(LOG_DEBUG, "OCSP: Server OCSP stapling enabled"); +--- a/src/prototypes.h ++++ b/src/prototypes.h +@@ -72,7 +72,7 @@ typedef struct servername_list_struct SERVERNAME_LIST; + typedef HANDLE THREAD_ID; + #endif + +-#if OPENSSL_VERSION_NUMBER<0x10100004L ++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) + + #ifdef USE_OS_THREADS + +@@ -798,7 +798,7 @@ extern CLI *thread_head; + + extern CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS]; + +-#if OPENSSL_VERSION_NUMBER<0x10100004L ++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) + /* Emulate the OpenSSL 1.1 locking API for older OpenSSL versions */ + CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void); + int CRYPTO_THREAD_read_lock(CRYPTO_RWLOCK *); +--- a/src/ssl.c ++++ b/src/ssl.c +@@ -48,7 +48,7 @@ NOEXPORT int cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + #if OPENSSL_VERSION_NUMBER>=0x30000000L + NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from, + void **from_d, int idx, long argl, void *argp); +-#elif OPENSSL_VERSION_NUMBER>=0x10100000L ++#elif OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from, + void *from_d, int idx, long argl, void *argp); + #else +@@ -108,7 +108,7 @@ int fips_available() { /* either FIPS provider or container is available */ + + /* initialize libcrypto before invoking API functions that require it */ + void crypto_init() { +-#if OPENSSL_VERSION_NUMBER>=0x10100000L ++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + OPENSSL_INIT_SETTINGS *conf; + #endif /* OPENSSL_VERSION_NUMBER>=0x10100000L */ + #ifdef USE_WIN32 +@@ -151,7 +151,7 @@ void crypto_init() { + #endif /* USE_WIN32 */ + + /* initialize OpenSSL */ +-#if OPENSSL_VERSION_NUMBER>=0x10100000L ++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + conf=OPENSSL_INIT_new(); + #ifdef USE_WIN32 + stunnel_dir=tstr2str(stunnel_exe_path); +@@ -259,7 +259,7 @@ NOEXPORT int cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + #if OPENSSL_VERSION_NUMBER>=0x30000000L + NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from, + void **from_d, int idx, long argl, void *argp) { +-#elif OPENSSL_VERSION_NUMBER>=0x10100000L ++#elif OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from, + void *from_d, int idx, long argl, void *argp) { + #else +--- a/src/sthreads.c ++++ b/src/sthreads.c +@@ -123,7 +123,7 @@ NOEXPORT void thread_id_init() { + /**************************************** locking */ + + /* we only need to initialize locking with OpenSSL older than 1.1.0 */ +-#if OPENSSL_VERSION_NUMBER<0x10100004L ++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) + + #ifdef USE_PTHREAD + +@@ -283,7 +283,7 @@ NOEXPORT int s_atomic_add(int *val, int amount, CRYPTO_RWLOCK *lock) { + + CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS]; + +-#if OPENSSL_VERSION_NUMBER<0x10100004L ++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) + + #ifdef USE_OS_THREADS + +@@ -391,7 +391,8 @@ int CRYPTO_atomic_add(int *val, int amount, int *ret, CRYPTO_RWLOCK *lock) { + + NOEXPORT void locking_init() { + size_t i; +-#if defined(USE_OS_THREADS) && OPENSSL_VERSION_NUMBER<0x10100004L ++#if defined(USE_OS_THREADS) && \ ++ (OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)) + size_t num; + + /* initialize the OpenSSL static locking */ +--- a/src/str.c ++++ b/src/str.c +@@ -93,7 +93,7 @@ NOEXPORT LEAK_ENTRY leak_hash_table[LEAK_TABLE_SIZE], + *leak_results[LEAK_TABLE_SIZE]; + NOEXPORT int leak_result_num=0; + +-#if OPENSSL_VERSION_NUMBER >= 0x10101000L ++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) + DEFINE_STACK_OF(LEAK_ENTRY) + #endif /* OpenSSL version >= 1.1.1 */ + +@@ -107,7 +107,7 @@ NOEXPORT ALLOC_LIST *get_alloc_list_ptr(void *, const char *, int); + NOEXPORT void str_leak_debug(const ALLOC_LIST *, int); + + NOEXPORT LEAK_ENTRY *leak_search(const ALLOC_LIST *); +-#if OPENSSL_VERSION_NUMBER >= 0x10101000L ++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) + NOEXPORT int leak_cmp(const LEAK_ENTRY *const *, const LEAK_ENTRY *const *); + #endif /* OpenSSL version >= 1.1.1 */ + NOEXPORT void leak_report(void); +@@ -558,7 +558,7 @@ NOEXPORT LEAK_ENTRY *leak_search(const ALLOC_LIST *alloc_list) { + void leak_table_utilization() { + int i, utilization=0; + int64_t grand_total=0; +-#if OPENSSL_VERSION_NUMBER >= 0x10101000L ++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) + STACK_OF(LEAK_ENTRY) *stats; + #endif /* OpenSSL version >= 1.1.1 */ + +@@ -575,7 +575,7 @@ void leak_table_utilization() { + s_log(LOG_DEBUG, "Leak detection table utilization: %d/%d (%05.2f%%)", + utilization, LEAK_TABLE_SIZE, 100.0*utilization/LEAK_TABLE_SIZE); + +-#if OPENSSL_VERSION_NUMBER >= 0x10101000L ++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) + /* log up to 5 most frequently used heap allocations */ + stats=sk_LEAK_ENTRY_new_reserve(leak_cmp, utilization); + for(i=0; i= 1.1.1 */ + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10101000L ++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) + NOEXPORT int leak_cmp(const LEAK_ENTRY *const *a, const LEAK_ENTRY *const *b) { + int64_t d = (*a)->total - (*b)->total; + if(d>0) +--- a/src/tls.c ++++ b/src/tls.c +@@ -40,7 +40,7 @@ + volatile int tls_initialized=0; + + NOEXPORT void tls_platform_init(void); +-#if OPENSSL_VERSION_NUMBER<0x10100000L ++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + NOEXPORT void free_function(void *); + #endif + +@@ -51,7 +51,7 @@ void tls_init() { + tls_platform_init(); + tls_initialized=1; + ui_tls=tls_alloc(NULL, NULL, "ui"); +-#if OPENSSL_VERSION_NUMBER>=0x10100000L ++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + CRYPTO_set_mem_functions(str_alloc_detached_debug, + str_realloc_detached_debug, str_free_debug); + #else +@@ -184,7 +184,7 @@ TLS_DATA *tls_get() { + + /**************************************** OpenSSL allocator hook */ + +-#if OPENSSL_VERSION_NUMBER<0x10100000L ++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + NOEXPORT void free_function(void *ptr) { + /* CRYPTO_set_mem_ex_functions() needs a function rather than a macro */ + /* unfortunately, OpenSSL provides no file:line information here */ +--- a/src/verify.c ++++ b/src/verify.c +@@ -379,7 +379,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback_ctx) { + cert=X509_STORE_CTX_get_current_cert(callback_ctx); + subject=X509_get_subject_name(cert); + +-#if OPENSSL_VERSION_NUMBER<0x10100006L ++#if OPENSSL_VERSION_NUMBER<0x10100006L || defined(LIBRESSL_VERSION_NUMBER) + #define X509_STORE_CTX_get1_certs X509_STORE_get1_certs + #endif + /* modern API allows retrieving multiple matching certificates */ diff --git a/net-misc/stunnel/files/stunnel-5.71-respect-EPYTHON-for-tests.patch b/net-misc/stunnel/files/stunnel-5.71-respect-EPYTHON-for-tests.patch new file mode 100644 index 0000000..3c421da --- /dev/null +++ b/net-misc/stunnel/files/stunnel-5.71-respect-EPYTHON-for-tests.patch @@ -0,0 +1,12 @@ +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -7,8 +7,7 @@ EXTRA_DIST = maketest.py plugin_collection.py reader.py error.py plugins + + # try to find a supported python version (>= 3.7) that works + check-local: +- for v in $$(seq 20 -1 7); do command -v python3.$$v && break; done || ( echo "Python 3.7 or later not found" && false ) +- for v in $$(seq 20 -1 7); do command -v python3.$$v && python3.$$v $(srcdir)/maketest.py --debug=10 --libs=$(SSLDIR)/lib64:$(SSLDIR)/lib && break; done ++ ${EPYTHON} $(srcdir)/maketest.py --debug=10 --libs=$(SSLDIR)/lib64:$(SSLDIR)/lib + + dist-hook: + rm -rf $(distdir)/__pycache__ $(distdir)/plugins/__pycache__ diff --git a/net-misc/stunnel/stunnel-5.71.ebuild b/net-misc/stunnel/stunnel-5.71.ebuild new file mode 100644 index 0000000..32940e0 --- /dev/null +++ b/net-misc/stunnel/stunnel-5.71.ebuild @@ -0,0 +1,126 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +PYTHON_COMPAT=( python3_{10..12} ) +inherit autotools python-any-r1 ssl-cert systemd tmpfiles + +DESCRIPTION="TLS/SSL - Port Wrapper" +HOMEPAGE="https://www.stunnel.org/index.html" +SRC_URI=" + https://www.stunnel.org/downloads/${P}.tar.gz + ftp://ftp.stunnel.org/stunnel/archive/${PV%%.*}.x/${P}.tar.gz + http://www.usenix.org.uk/mirrors/stunnel/archive/${PV%%.*}.x/${P}.tar.gz + http://ftp.nluug.nl/pub/networking/stunnel/archive/${PV%%.*}.x/${P}.tar.gz + http://www.namesdir.com/mirrors/stunnel/archive/${PV%%.*}.x/${P}.tar.gz + http://stunnel.cybermirror.org/archive/${PV%%.*}.x/${P}.tar.gz + http://mirrors.zerg.biz/stunnel/archive/${PV%%.*}.x/${P}.tar.gz + ftp://mirrors.go-parts.com/stunnel/archive/${PV%%.*}.x/${P}.tar.gz +" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos" +IUSE="selinux stunnel3 systemd tcpd test" +RESTRICT="!test? ( test )" + +DEPEND=" + dev-libs/openssl:= + tcpd? ( sys-apps/tcp-wrappers ) + systemd? ( sys-apps/systemd:= ) +" +RDEPEND=" + ${DEPEND} + acct-user/stunnel + acct-group/stunnel + selinux? ( sec-policy/selinux-stunnel ) + stunnel3? ( dev-lang/perl ) +" +# autoconf-archive for F_S patch +BDEPEND=" + sys-devel/autoconf-archive + test? ( ${PYTHON_DEPS} ) +" + +PATCHES=( + "${FILESDIR}"/${PN}-5.71-libressl.patch #656420 + "${FILESDIR}"/${PN}-5.71-dont-clobber-fortify-source.patch + "${FILESDIR}"/${PN}-5.71-respect-EPYTHON-for-tests.patch +) + +pkg_setup() { + use test && python-any-r1_pkg_setup +} + +src_prepare() { + default + + # Hack away generation of certificate + sed -i -e "s/^install-data-local:/do-not-run-this:/" \ + tools/Makefile.am || die "sed failed" + + echo "CONFIG_PROTECT=\"/etc/stunnel/stunnel.conf\"" > "${T}"/20stunnel || die + + # We pass --disable-fips to configure, so avoid spurious test failures + rm tests/plugins/p10_fips.py tests/plugins/p11_fips_cipher.py || die + + # Needed for FORTIFY_SOURCE patch + eautoreconf +} + +src_configure() { + local myeconfargs=( + --libdir="${EPREFIX}/usr/$(get_libdir)" + --with-ssl="${EPREFIX}"/usr + --disable-fips + $(use_enable tcpd libwrap) + $(use_enable systemd) + ) + + econf "${myeconfargs[@]}" +} + +src_install() { + emake DESTDIR="${D}" install + + rm -rf "${ED}"/usr/share/doc/${PN} || die + rm -f "${ED}"/etc/stunnel/stunnel.conf-sample \ + "${ED}"/usr/share/man/man8/stunnel.{fr,pl}.8 || die + + if ! use stunnel3 ; then + rm -f "${ED}"/usr/bin/stunnel3 || die + fi + + dodoc AUTHORS.md BUGS.md CREDITS.md PORTS.md README.md TODO.md + docinto html + dodoc doc/stunnel.html doc/en/VNC_StunnelHOWTO.html tools/ca.html \ + tools/importCA.html + + insinto /etc/stunnel + doins "${FILESDIR}"/stunnel.conf + newinitd "${FILESDIR}"/stunnel-r2 stunnel + + doenvd "${T}"/20stunnel + + systemd_dounit "${S}/tools/stunnel.service" + newtmpfiles "${FILESDIR}"/stunnel.tmpfiles.conf stunnel.conf + + find "${ED}" -name '*.la' -delete || die +} + +pkg_postinst() { + if [[ ! -f "${EROOT}"/etc/stunnel/stunnel.key ]]; then + install_cert /etc/stunnel/stunnel + chown stunnel:stunnel "${EROOT}"/etc/stunnel/stunnel.{crt,csr,key,pem} + chmod 0640 "${EROOT}"/etc/stunnel/stunnel.{crt,csr,key,pem} + fi + + tmpfiles_process stunnel.conf + + einfo "If you want to run multiple instances of stunnel, create a new config" + einfo "file ending with .conf in /etc/stunnel/. **Make sure** you change " + einfo "\'pid= \' with a unique filename. For openrc make a symlink from the" + einfo "stunnel init script to \'stunnel.name\' and use that to start|stop" + einfo "your custom instance" +}