Attachment #160778 for bug #198997




		--with-ssl="${OPENSSLBASE}"
SHEBANG_FILES=	src/stunnel3.in

OPTIONS_DEFINE=			DOCS EXAMPLES FIPS IPV6 LIBWRAP
OPTIONS_SINGLE=			THREAD
OPTIONS_SINGLE_THREAD=		FORK PTHREAD UCONTEXT
OPTIONS_DEFAULT=		PTHREAD

FIPS_CONFIGURE_ENABLE=		fips
IPV6_CONFIGURE_ENABLE=		ipv6
LIBWRAP_CONFIGURE_ENABLE=	libwrap
FIPS_CONFIGURE_ENABLE=		fips

FIPS_DESC=			Enable OpenSSL FIPS mode
FORK_DESC=			Use the fork(3) threading model
PTHREAD_DESC=			Use the pthread(3) threading model
UCONTEXT_DESC=			Use the ucontext(3) threading model
FIPS_DESC=			Enable OpenSSL FIPS mode

STUNNEL_USER?=	stunnel
STUNNEL_GROUP?=	stunnel

LDFLAGS+=	-lpthread
.endif

.if ${PORT_OPTIONS:MFIPS} && "${OPENSSL_PORT}" == "security/libressl"
IGNORE=		LibreSSL does not support FIPS standard
.endif

.if "${OPENSSL_PORT}" == "security/libressl"
NO_PACKAGE=	The stunnel license restricts distribution when linked to non-OpenSSL non-base SSL-libraries
.endif

post-patch:
# place files under /var/tmp so that this can be run by an unprivileged
# user stunnel and group stunnel




--- src/ssl.c.orig	2015-09-02 07:45:43 UTC
+++ src/ssl.c
@@ -208,6 +208,7 @@ NOEXPORT int prng_init(GLOBAL_OPTIONS *g
     }
     s_log(LOG_DEBUG, "RAND_screen failed to sufficiently seed PRNG");
 #else
+#ifndef OPENSSL_NO_EGD
     if(global->egd_sock) {
         if((bytes=RAND_egd(global->egd_sock))==-1) {
             s_log(LOG_WARNING, "EGD Socket %s failed", global->egd_sock);
@@ -220,6 +221,7 @@ NOEXPORT int prng_init(GLOBAL_OPTIONS *g
                          so no need to check if seeded sufficiently */
         }
     }
+#endif
     /* try the good-old default /dev/urandom, if available  */
     totbytes+=add_rand_file(global, "/dev/urandom");
     if(RAND_status())

Return to bug 198997

Lines 36-54 Link Here

(-)security/stunnel/Makefile (-3 / +11 lines)
36	--with-ssl="${OPENSSLBASE}"	36	--with-ssl="${OPENSSLBASE}"
37	SHEBANG_FILES= src/stunnel3.in	37	SHEBANG_FILES= src/stunnel3.in
38		38
39	OPTIONS_DEFINE= IPV6 LIBWRAP FIPS DOCS EXAMPLES	39	OPTIONS_DEFINE= DOCS EXAMPLES FIPS IPV6 LIBWRAP
40	OPTIONS_SINGLE= THREAD	40	OPTIONS_SINGLE= THREAD
41	OPTIONS_SINGLE_THREAD= FORK PTHREAD UCONTEXT	41	OPTIONS_SINGLE_THREAD= FORK PTHREAD UCONTEXT
42	OPTIONS_DEFAULT= PTHREAD	42	OPTIONS_DEFAULT= PTHREAD
43		43
		44	FIPS_CONFIGURE_ENABLE= fips
44	IPV6_CONFIGURE_ENABLE= ipv6	45	IPV6_CONFIGURE_ENABLE= ipv6
45	LIBWRAP_CONFIGURE_ENABLE= libwrap	46	LIBWRAP_CONFIGURE_ENABLE= libwrap
46	FIPS_CONFIGURE_ENABLE= fips
47		47
		48	FIPS_DESC= Enable OpenSSL FIPS mode
48	FORK_DESC= Use the fork(3) threading model	49	FORK_DESC= Use the fork(3) threading model
49	PTHREAD_DESC= Use the pthread(3) threading model	50	PTHREAD_DESC= Use the pthread(3) threading model
50	UCONTEXT_DESC= Use the ucontext(3) threading model	51	UCONTEXT_DESC= Use the ucontext(3) threading model
51	FIPS_DESC= Enable OpenSSL FIPS mode
52		52
53	STUNNEL_USER?= stunnel	53	STUNNEL_USER?= stunnel
54	STUNNEL_GROUP?= stunnel	54	STUNNEL_GROUP?= stunnel
Lines 72-77 Link Here
72	LDFLAGS+= -lpthread	72	LDFLAGS+= -lpthread
73	.endif	73	.endif
74		74
		75	.if ${PORT_OPTIONS:MFIPS} && "${OPENSSL_PORT}" == "security/libressl"
		76	IGNORE= LibreSSL does not support FIPS standard
		77	.endif
		78
		79	.if "${OPENSSL_PORT}" == "security/libressl"
		80	NO_PACKAGE= The stunnel license restricts distribution when linked to non-OpenSSL non-base SSL-libraries
		81	.endif
		82
75	post-patch:	83	post-patch:
76	# place files under /var/tmp so that this can be run by an unprivileged	84	# place files under /var/tmp so that this can be run by an unprivileged
77	# user stunnel and group stunnel	85	# user stunnel and group stunnel

Line 0 Link Here

(-)security/stunnel/files/patch-src_ssl.c (+18 lines)
	1	--- src/ssl.c.orig 2015-09-02 07:45:43 UTC
	2	+++ src/ssl.c
	3	@@ -208,6 +208,7 @@ NOEXPORT int prng_init(GLOBAL_OPTIONS *g
	4	}
	5	s_log(LOG_DEBUG, "RAND_screen failed to sufficiently seed PRNG");
	6	#else
	7	+#ifndef OPENSSL_NO_EGD
	8	if(global->egd_sock) {
	9	if((bytes=RAND_egd(global->egd_sock))==-1) {
	10	s_log(LOG_WARNING, "EGD Socket %s failed", global->egd_sock);
	11	@@ -220,6 +221,7 @@ NOEXPORT int prng_init(GLOBAL_OPTIONS *g
	12	so no need to check if seeded sufficiently */
	13	}
	14	}
	15	+#endif
	16	/* try the good-old default /dev/urandom, if available */
	17	totbytes+=add_rand_file(global, "/dev/urandom");
	18	if(RAND_status())