From 2af86cd1152f88daaeb3306a64d7939045904376 Mon Sep 17 00:00:00 2001
From: Toyam Cox
Date: Tue, 4 Apr 2017 21:09:19 -0400
Subject: [PATCH] stunnel: update to 5.41.
---
 srcpkgs/stunnel/patches/stunnel-openbsd.patch | 11 ++++-----
 srcpkgs/stunnel/template | 23 ++++++++++++++-----
 2 files changed, 22 insertions(+), 12 deletions(-)
diff --git a/srcpkgs/stunnel/patches/stunnel-openbsd.patch b/srcpkgs/stunnel/patches/stunnel-openbsd.patch
index 1ff82df299f..e60fae630ad 100644
--- a/srcpkgs/stunnel/patches/stunnel-openbsd.patch
+++ b/srcpkgs/stunnel/patches/stunnel-openbsd.patch
@@ -1,17 +1,16 @@
 $OpenBSD: patch-src_verify_c,v 1.5 2016/11/10 10:10:50 gsoares Exp $
---- src/verify.c.orig Wed Jul 6 13:18:17 2016
-+++ src/verify.c Thu Nov 10 07:00:09 2016
-@@ -349,7 +349,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback
+--- src/verify.c.orig 2017-04-04 20:02:57.168123782 -0400
++++ src/verify.c 2017-04-04 20:51:08.931284080 -0400
+@@ -352,7 +352,7 @@
+ cert=X509_STORE_CTX_get_current_cert(callback_ctx);
 subject=X509_get_subject_name(cert);
-
- #if OPENSSL_VERSION_NUMBER>=0x10000000L
+
 -#if OPENSSL_VERSION_NUMBER<0x10100006L
 +#if OPENSSL_VERSION_NUMBER<0x10100006L || defined(LIBRESSL_VERSION_NUMBER)
 #define X509_STORE_CTX_get1_certs X509_STORE_get1_certs
 #endif
 /* modern API allows retrieving multiple matching certificates */
-
 $OpenBSD: patch-src_sthreads_c,v 1.2 2016/11/10 10:10:50 gsoares Exp $
 --- src/sthreads.c.orig Sat Oct 29 05:25:37 2016
 +++ src/sthreads.c Wed Nov 9 20:22:39 2016
diff --git a/srcpkgs/stunnel/template b/srcpkgs/stunnel/template
index 2fa04d21b85..58866e411ac 100644
--- a/srcpkgs/stunnel/template
+++ b/srcpkgs/stunnel/template
@@ -1,6 +1,6 @@
 # Template file for 'stunnel'
 pkgname=stunnel
-version=5.40
+version=5.41
 revision=1
 build_style=gnu-configure
 configure_args="--enable-ipv6 --with-ssl=${XBPS_CROSS_BASE}/usr"
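Review bot: In the stunnel-openbsd.patch hunk, the refreshed verify.c section still sits under `$OpenBSD: patch-src_verify_c,v 1.5 2016/11/10 10:10:50 gsoares Exp $` although its file headers and context were regenerated on 2017-04-04, so the tag no longer identifies the text below it. This section changes a version guard in certificate-checking code (the old inner hunk header names `cert_check_local`), and anyone auditing where the change came from will presumably compare it with OpenBSD's revision 1.5. Add a line under the tag, for example `Refreshed for stunnel 5.41 in this repository; context differs from the OpenBSD revision above.` The patch file continues past this hunk with the sthreads.c section.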
@@ -11,7 +11,7 @@ maintainer="Toyam Cox "
 license="GPL-2"
 homepage="https://www.stunnel.org/"
 distfiles="https://www.stunnel.org/downloads/archive/5.x/${pkgname}-${version}.tar.gz"
-checksum=23acdb390326ffd507d90f8984ecc90e0d9993f6bd6eac1d0a642456565c45ff
+checksum=f05c6321ee1f6ddebacc234ccf20825971941e831b5beea6d0ce0b8e1668148f
 post_install() {
 rm ${DESTDIR}/usr/share/man/man8/stunnel.??.8
@@ -24,13 +24,24 @@ post_install() {
 # Using the archive is the only way to get builds to keep working after the
 # new version is out. LibreSSL patches for stunnel 5.35 don't yet work. Not
 # enough is made conditional.
+# --
+# It is important to note that upstream has expressly refused to support
+# LibreSSL.
+# --
 # Significant thanks to the OpenBSD project for creating patch sets for 5.37
 # One thing OpenBSD does that we don't do here is add a _stunnel user/group and
 # modify the configuration samples to chroot and use this by default.
 # As of 5.38 the signature expected for the CRYPTO_set_mem_functions seems to
 # be out of line with what libressl provides.
 # LibreSSL wants 'void (*)(void *)' but argument is of type 'void (*)(void *, const char *, int)'
-# This is probably not a security problem.
-# As of 5.39_2 it is patched to avoid the function call if using LibreSSL,
-# and a different call to SSL_CTX_sess_set_get_cb gets a const unsigned char
-# * instead of an unsigned char *
+# This is probably not a security problem. EDIT: Well, it would break. Badly.
+# --
+# As of 5.39_2 the code now doesn't use above function call if using LibreSSL,
+# and a different call to SSL_CTX_sess_set_get_cb gets a const unsigned char *
+# instead of an unsigned char *
+# --
+# As of 5.41_1 there are only two sorts of code warnings:
+# conversion 'long int' from 'long unsigned int' for what appear to be flags
+# and SSL_SESSION* (*)(struct ssl_st *, unsigned char *, int, int*) expected
+# got SSL_SESSION* (*)(struct ssl_st *, const unsigned char *, int, int*)
+# These are not being considered issues.
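Review bot: The closing comment `# These are not being considered issues.` gives no reason, and the second warning it lists is a prototype mismatch on the callback passed to `SSL_CTX_sess_set_get_cb`, in a TLS proxy built against a library the same comment block says upstream refuses to support. Record why each warning is judged benign and what it was checked against, for example `# Judged benign with LibreSSL <version>: the callback types differ only in const on the second parameter; re-check on every stunnel or LibreSSL update.` The added `EDIT: Well, it would break. Badly.` would likewise help the next maintainer more if it said what breaks and under which build configuration.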