commit:     cb84d12940f854ce1704fa1afacc92422810b7b5
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Mon Apr 11 00:58:05 2022 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Mon Apr 11 00:58:42 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb84d129

net-vpn/openconnect: add 8.20

Closes: https://bugs.gentoo.org/837638
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 net-vpn/openconnect/Manifest                       |   1 +
 .../openconnect/files/8.20-insecure-crypto.patch   |  46 ++++++
 net-vpn/openconnect/files/8.20-rsa-securid.patch   |  51 +++++++
 net-vpn/openconnect/openconnect-8.20.ebuild        | 154 +++++++++++++++++++++
 4 files changed, 252 insertions(+)

diff --git a/net-vpn/openconnect/Manifest b/net-vpn/openconnect/Manifest
index 3938384a6964..d98ead0c1db1 100644
--- a/net-vpn/openconnect/Manifest
+++ b/net-vpn/openconnect/Manifest
@@ -1 +1,2 @@
 DIST openconnect-8.10.tar.gz 2084534 BLAKE2B 
98ad0e24e09bc565f359139540f60eb9b6b5ed2239a9c46c56889b8554fc3de3605c10f1bb4fa0b0b206ba35404ae90a389ab8dcee54cf05a24d984529d24c2a
 SHA512 
a36a106cf5c637602fc5bd3cd12df8f6dfe55217c1aae93c66ca33208507f3f8cda15e3a46d75615c7fcea1859d1a04017a07674ad0246876154467305477356
+DIST openconnect-8.20.tar.gz 2651542 BLAKE2B 
327b437993ee0d705c0194202f6fd7c2b330e69bfbb916ef004b0662c8b9aebc1252aa3c83bd41b4d1cf85b933878d37b1a7608f076d82b50e325a3efaea2dec
 SHA512 
76f5e49948391397ea1f7d2fca5798731f4278fee74c3da9b0f0daba6c386ce79ec5d87d40b6d3d99bb2528a038b5a2076df4159bb29c52cba62efb2ca52c8ab

diff --git a/net-vpn/openconnect/files/8.20-insecure-crypto.patch 
b/net-vpn/openconnect/files/8.20-insecure-crypto.patch
new file mode 100644
index 000000000000..7644e1a264ba
--- /dev/null
+++ b/net-vpn/openconnect/files/8.20-insecure-crypto.patch
@@ -0,0 +1,46 @@
+From e2b38313bbd5050acaac49a75f0a024d05b505e5 Mon Sep 17 00:00:00 2001
+From: Mike Gilbert <flop...@gentoo.org>
+Date: Sun, 10 Apr 2022 12:21:57 -0400
+Subject: [PATCH] openssl: allow ALL ciphers when allow-insecure-crypto is
+ enabled
+
+Previously, the cipher list was set to "DEFAULT:+3DES:+RC4". However,
+according to ciphers(1), the DEFAULT keyword cannot be combined with
+other strings using the + characters. In other words, ":+3DES:+RC4" gets
+ignored.
+
+The user is opting into insecure behavior, so let's keep it simple and
+just allow everything.
+
+This change fixes the obsolete-server-crypto test when openconnect is
+built against openssl-1.1.x.
+
+Signed-off-by: Mike Gilbert <flop...@gentoo.org>
+---
+ openssl.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/openssl.c b/openssl.c
+index 3205dbd7..2bf594e7 100644
+--- a/openssl.c
++++ b/openssl.c
+@@ -1868,13 +1868,10 @@ int openconnect_open_https(struct openconnect_info 
*vpninfo)
+                       struct oc_text_buf *buf = buf_alloc();
+                       if (vpninfo->pfs)
+                               buf_append(buf, "HIGH:!aNULL:!eNULL:-RSA");
++                      else if (vpninfo->allow_insecure_crypto)
++                              buf_append(buf, "ALL");
+                       else
+-                              buf_append(buf, "DEFAULT");
+-
+-                      if (vpninfo->allow_insecure_crypto)
+-                              buf_append(buf, ":+3DES:+RC4");
+-                      else
+-                              buf_append(buf, ":-3DES:-RC4");
++                              buf_append(buf, "DEFAULT:-3DES:-RC4");
+ 
+                       if (buf_error(buf)) {
+                               vpn_progress(vpninfo, PRG_ERR,
+-- 
+2.35.1
+
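Review bot: `buf_append(buf, "ALL")` in the new allow-insecure-crypto branch admits more than the 3DES/RC4 suites the option was previously trying to re-enable: in OpenSSL cipher-list syntax `ALL` excludes only eNULL, so the anonymous (aNULL) key-exchange suites that `DEFAULT` leaves out become negotiable, and those offer no server authentication at all, a different class of weakening from a weak bulk cipher. The pfs branch two lines above already spells out `!aNULL:!eNULL`; keeping that exclusion here, `buf_append(buf, "ALL:!aNULL");`, re-enables the legacy ciphers without also dropping authentication. Whether openconnect's own certificate checks would later reject an anonymous suite is not visible in this hunk, so the cipher list should not rely on it. The enclosing openconnect_open_https body continues outside the hunk.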

diff --git a/net-vpn/openconnect/files/8.20-rsa-securid.patch 
b/net-vpn/openconnect/files/8.20-rsa-securid.patch
new file mode 100644
index 000000000000..57ab2d740707
--- /dev/null
+++ b/net-vpn/openconnect/files/8.20-rsa-securid.patch
@@ -0,0 +1,51 @@
+From 19417131895eb39aabf3641a9e4e0d7082b04f6d Mon Sep 17 00:00:00 2001
+From: Daniel Lenski <dlen...@gmail.com>
+Date: Mon, 7 Mar 2022 08:50:13 -0800
+Subject: [PATCH] Bugfix RSA SecurID token decryption and PIN entry forms
+
+As of
+https://gitlab.com/openconnect/openconnect/-/commit/386a6edb6d2d1d2cd3e9c9de8d85dc7bfda60d34,
+all auth forms are required to have a non-NULL `auth_id`.
+
+However, we forget to make stoken.c set the `auth_id` for the forms that it
+creates for RSA SecurID token decryption and PIN entry.  Let's name these:
+
+  - `_rsa_unlock`, for token decryption.
+  - `_rsa_pin`, for PIN entry.  Also, rename the numeric PIN field to `pin`
+    rather than `password`; there can't be any existing users relying on
+    `--form-entry` to set its value, because that wouldn't work without the
+    `auth_id`.
+
+Fixes #388.
+
+Signed-off-by: Daniel Lenski <dlen...@gmail.com>
+---
+ stoken.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/stoken.c b/stoken.c
+index 00a67625..45d849f5 100644
+--- a/stoken.c
++++ b/stoken.c
+@@ -100,6 +100,7 @@ static int decrypt_stoken(struct openconnect_info *vpninfo)
+ 
+       form.opts = opts;
+       form.message = _("Enter credentials to unlock software token.");
++      form.auth_id = "_rsa_unlock";
+ 
+       if (stoken_devid_required(vpninfo->stoken_ctx)) {
+               opt->type = OC_FORM_OPT_TEXT;
+@@ -206,9 +207,10 @@ static int request_stoken_pin(struct openconnect_info 
*vpninfo)
+ 
+       form.opts = opts;
+       form.message = _("Enter software token PIN.");
++      form.auth_id = "_rsa_pin";
+ 
+       opt->type = OC_FORM_OPT_PASSWORD;
+-      opt->name = (char *)"password";
++      opt->name = (char *)"pin";
+       opt->label = _("PIN:");
+       opt->flags = OC_FORM_OPT_NUMERIC;
+ 
+-- 
+GitLab

diff --git a/net-vpn/openconnect/openconnect-8.20.ebuild 
b/net-vpn/openconnect/openconnect-8.20.ebuild
new file mode 100644
index 000000000000..ba5c1e11f3b9
--- /dev/null
+++ b/net-vpn/openconnect/openconnect-8.20.ebuild
@@ -0,0 +1,154 @@
+# Copyright 2011-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{8..10} )
+PYTHON_REQ_USE="xml"
+
+inherit linux-info python-any-r1
+
+if [[ ${PV} == 9999 ]]; then
+       EGIT_REPO_URI="https://gitlab.com/openconnect/openconnect.git";
+       inherit git-r3 autotools
+else
+       SRC_URI="ftp://ftp.infradead.org/pub/${PN}/${P}.tar.gz";
+       KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+fi
+
+DESCRIPTION="Free client for Cisco AnyConnect SSL VPN software"
+HOMEPAGE="http://www.infradead.org/openconnect.html";
+
+LICENSE="LGPL-2.1 GPL-2"
+SLOT="0/5"
+IUSE="doc +gnutls gssapi libproxy lz4 nls pskc selinux smartcard stoken test"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+       dev-libs/libxml2
+       sys-libs/zlib
+       app-crypt/p11-kit
+       !gnutls? (
+               >=dev-libs/openssl-1.0.1h:0=
+               dev-libs/libp11
+               test? ( || (
+                       >=dev-libs/openssl-1.1.0:0[weak-ssl-ciphers(-)]
+                       <dev-libs/openssl-1.1.0:0
+               ) )
+       )
+       gnutls? (
+               app-crypt/trousers
+               app-misc/ca-certificates
+               dev-libs/nettle
+               >=net-libs/gnutls-3.6.13:0=
+               dev-libs/libtasn1:0=
+               app-crypt/tpm2-tss
+       )
+       gssapi? ( virtual/krb5 )
+       libproxy? ( net-libs/libproxy )
+       lz4? ( app-arch/lz4:= )
+       nls? ( virtual/libintl )
+       pskc? ( sys-auth/oath-toolkit[pskc] )
+       smartcard? ( sys-apps/pcsc-lite:0= )
+       stoken? ( app-crypt/stoken )
+"
+RDEPEND="${DEPEND}
+       sys-apps/iproute2
+       >=net-vpn/vpnc-scripts-20210402-r1
+       selinux? ( sec-policy/selinux-vpn )
+"
+BDEPEND="
+       virtual/pkgconfig
+       doc? ( ${PYTHON_DEPS} sys-apps/groff )
+       nls? ( sys-devel/gettext )
+       test? (
+               net-libs/socket_wrapper
+               net-vpn/ocserv
+               sys-libs/uid_wrapper
+       )
+"
+
+CONFIG_CHECK="~TUN"
+
+pkg_pretend() {
+       check_extra_config
+}
+
+pkg_setup() {
+       :
+}
+
+src_unpack() {
+       if [[ ${PV} == 9999 ]]; then
+               git-r3_src_unpack
+       fi
+       default
+}
+
+src_prepare() {
+       local PATCHES=(
+               "${FILESDIR}/8.20-rsa-securid.patch"
+               "${FILESDIR}/8.20-insecure-crypto.patch"
+       )
+       default
+       if [[ ${PV} == 9999 ]]; then
+               eautoreconf
+       fi
+}
+
+src_configure() {
+       if use doc; then
+               python_setup
+       else
+               export ac_cv_path_PYTHON=
+       fi
+
+       # Used by tests if userpriv is disabled
+       addwrite /run/netns
+
+       local myconf=(
+               --disable-dsa-tests
+               $(use_enable nls)
+               --disable-static
+               $(use_with !gnutls openssl)
+               $(use_with gnutls)
+               $(use_with libproxy)
+               $(use_with lz4)
+               $(use_with gssapi)
+               $(use_with pskc libpskc)
+               $(use_with smartcard libpcsclite)
+               $(use_with stoken)
+               --with-vpnc-script="${EPREFIX}/etc/vpnc/vpnc-script"
+               --without-java
+       )
+
+       econf "${myconf[@]}"
+}
+
+src_test() {
+       local charset
+       for charset in UTF-8 ISO-8859-2; do
+               if [[ $(LC_ALL=cs_CZ.${charset} locale charmap 2>/dev/null) != 
${charset} ]]; then
+                       # If we don't have valid cs_CZ locale data, 
auth-nonascii will fail.
+                       # Force a test skip by exiting with status 77.
+                       sed -i -e '2i exit 77' tests/auth-nonascii || die
+                       break
+               fi
+       done
+       default
+}
+
+src_install() {
+       default
+       find "${ED}" -name '*.la' -delete || die
+
+       dodoc "${FILESDIR}"/README.OpenRC
+
+       newconfd "${FILESDIR}"/openconnect.confd openconnect
+       newinitd "${FILESDIR}"/openconnect.initd openconnect
+
+       insinto /etc/logrotate.d
+       newins "${FILESDIR}"/openconnect.logrotate openconnect
+
+       keepdir /var/log/openconnect
+}
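Review bot: `addwrite /run/netns` in src_configure widens the sandbox's writable set for every build, although the comment next to it says it exists only for the tests; gating it as `use test && addwrite /run/netns` keeps the default build's sandbox as tight as the rest of the ebuild. The empty `pkg_setup() { : ; }` would also benefit from a one-line comment stating which inherited phase it is suppressing and why — it looks like linux-info's check, given that check_extra_config already runs in pkg_pretend, but that is an inference to confirm. The patched file starts and ends inside this hunk.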
