net-vpn/openconnect: add 8.20

Closes: https://bugs.gentoo.org/837638 Signed-off-by: Mike Gilbert <floppym@gentoo.org>
author: Mike Gilbert <floppym@gentoo.org> 2022-04-10 20:58:05 -0400
committer: Mike Gilbert <floppym@gentoo.org> 2022-04-10 20:58:42 -0400
commit: cb84d12940f854ce1704fa1afacc92422810b7b5 (patch)
tree: 82d1c75193cca3608fd07bc73dedbaa8436495e3
parent: net-vpn/openconnect: update openssl test deps (diff)
download: gentoo-cb84d12940f854ce1704fa1afacc92422810b7b5.tar.gz
gentoo-cb84d12940f854ce1704fa1afacc92422810b7b5.tar.bz2
gentoo-cb84d12940f854ce1704fa1afacc92422810b7b5.zip
4 files changed, 252 insertions, 0 deletions
diff --git a/net-vpn/openconnect/Manifest b/net-vpn/openconnect/Manifest
index 3938384a6964..d98ead0c1db1 100644
--- a/net-vpn/openconnect/Manifest
+++ b/net-vpn/openconnect/Manifest
@@ -1 +1,2 @@
 DIST openconnect-8.10.tar.gz 2084534 BLAKE2B 98ad0e24e09bc565f359139540f60eb9b6b5ed2239a9c46c56889b8554fc3de3605c10f1bb4fa0b0b206ba35404ae90a389ab8dcee54cf05a24d984529d24c2a SHA512 a36a106cf5c637602fc5bd3cd12df8f6dfe55217c1aae93c66ca33208507f3f8cda15e3a46d75615c7fcea1859d1a04017a07674ad0246876154467305477356
+DIST openconnect-8.20.tar.gz 2651542 BLAKE2B 327b437993ee0d705c0194202f6fd7c2b330e69bfbb916ef004b0662c8b9aebc1252aa3c83bd41b4d1cf85b933878d37b1a7608f076d82b50e325a3efaea2dec SHA512 76f5e49948391397ea1f7d2fca5798731f4278fee74c3da9b0f0daba6c386ce79ec5d87d40b6d3d99bb2528a038b5a2076df4159bb29c52cba62efb2ca52c8ab
diff --git a/net-vpn/openconnect/files/8.20-insecure-crypto.patch b/net-vpn/openconnect/files/8.20-insecure-crypto.patch
new file mode 100644
index 000000000000..7644e1a264ba
--- /dev/null
+++ b/net-vpn/openconnect/files/8.20-insecure-crypto.patch
@@ -0,0 +1,46 @@
+From e2b38313bbd5050acaac49a75f0a024d05b505e5 Mon Sep 17 00:00:00 2001
+From: Mike Gilbert <floppym@gentoo.org>
+Date: Sun, 10 Apr 2022 12:21:57 -0400
+Subject: [PATCH] openssl: allow ALL ciphers when allow-insecure-crypto is
+ enabled
+
+Previously, the cipher list was set to "DEFAULT:+3DES:+RC4". However,
+according to ciphers(1), the DEFAULT keyword cannot be combined with
+other strings using the + characters. In other words, ":+3DES:+RC4" gets
+ignored.
+
+The user is opting into insecure behavior, so let's keep it simple and
+just allow everything.
+
+This change fixes the obsolete-server-crypto test when openconnect is
+built against openssl-1.1.x.
+
+Signed-off-by: Mike Gilbert <floppym@gentoo.org>
+---
+ openssl.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/openssl.c b/openssl.c
+index 3205dbd7..2bf594e7 100644
+--- a/openssl.c
++++ b/openssl.c
+@@ -1868,13 +1868,10 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
+ 			struct oc_text_buf *buf = buf_alloc();
+ 			if (vpninfo->pfs)
+ 				buf_append(buf, "HIGH:!aNULL:!eNULL:-RSA");
++			else if (vpninfo->allow_insecure_crypto)
++				buf_append(buf, "ALL");
+ 			else
+-				buf_append(buf, "DEFAULT");
+-
+-			if (vpninfo->allow_insecure_crypto)
+-				buf_append(buf, ":+3DES:+RC4");
+-			else
+-				buf_append(buf, ":-3DES:-RC4");
++				buf_append(buf, "DEFAULT:-3DES:-RC4");
+ 
+ 			if (buf_error(buf)) {
+ 				vpn_progress(vpninfo, PRG_ERR,
+-- 
+2.35.1
+
diff --git a/net-vpn/openconnect/files/8.20-rsa-securid.patch b/net-vpn/openconnect/files/8.20-rsa-securid.patch
new file mode 100644
index 000000000000..57ab2d740707
--- /dev/null
+++ b/net-vpn/openconnect/files/8.20-rsa-securid.patch
@@ -0,0 +1,51 @@
+From 19417131895eb39aabf3641a9e4e0d7082b04f6d Mon Sep 17 00:00:00 2001
+From: Daniel Lenski <dlenski@gmail.com>
+Date: Mon, 7 Mar 2022 08:50:13 -0800
+Subject: [PATCH] Bugfix RSA SecurID token decryption and PIN entry forms
+
+As of
+https://gitlab.com/openconnect/openconnect/-/commit/386a6edb6d2d1d2cd3e9c9de8d85dc7bfda60d34,
+all auth forms are required to have a non-NULL `auth_id`.
+
+However, we forget to make stoken.c set the `auth_id` for the forms that it
+creates for RSA SecurID token decryption and PIN entry.  Let's name these:
+
+  - `_rsa_unlock`, for token decryption.
+  - `_rsa_pin`, for PIN entry.  Also, rename the numeric PIN field to `pin`
+    rather than `password`; there can't be any existing users relying on
+    `--form-entry` to set its value, because that wouldn't work without the
+    `auth_id`.
+
+Fixes #388.
+
+Signed-off-by: Daniel Lenski <dlenski@gmail.com>
+---
+ stoken.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/stoken.c b/stoken.c
+index 00a67625..45d849f5 100644
+--- a/stoken.c
++++ b/stoken.c
+@@ -100,6 +100,7 @@ static int decrypt_stoken(struct openconnect_info *vpninfo)
+ 
+ 	form.opts = opts;
+ 	form.message = _("Enter credentials to unlock software token.");
++	form.auth_id = "_rsa_unlock";
+ 
+ 	if (stoken_devid_required(vpninfo->stoken_ctx)) {
+ 		opt->type = OC_FORM_OPT_TEXT;
+@@ -206,9 +207,10 @@ static int request_stoken_pin(struct openconnect_info *vpninfo)
+ 
+ 	form.opts = opts;
+ 	form.message = _("Enter software token PIN.");
++	form.auth_id = "_rsa_pin";
+ 
+ 	opt->type = OC_FORM_OPT_PASSWORD;
+-	opt->name = (char *)"password";
++	opt->name = (char *)"pin";
+ 	opt->label = _("PIN:");
+ 	opt->flags = OC_FORM_OPT_NUMERIC;
+ 
+-- 
+GitLab
diff --git a/net-vpn/openconnect/openconnect-8.20.ebuild b/net-vpn/openconnect/openconnect-8.20.ebuild
new file mode 100644
index 000000000000..ba5c1e11f3b9
--- /dev/null
+++ b/net-vpn/openconnect/openconnect-8.20.ebuild
@@ -0,0 +1,154 @@
+# Copyright 2011-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{8..10} )
+PYTHON_REQ_USE="xml"
+
+inherit linux-info python-any-r1
+
+if [[ ${PV} == 9999 ]]; then
+	EGIT_REPO_URI="https://gitlab.com/openconnect/openconnect.git"
+	inherit git-r3 autotools
+else
+	SRC_URI="ftp://ftp.infradead.org/pub/${PN}/${P}.tar.gz"
+	KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+fi
+
+DESCRIPTION="Free client for Cisco AnyConnect SSL VPN software"
+HOMEPAGE="http://www.infradead.org/openconnect.html"
+
+LICENSE="LGPL-2.1 GPL-2"
+SLOT="0/5"
+IUSE="doc +gnutls gssapi libproxy lz4 nls pskc selinux smartcard stoken test"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+	dev-libs/libxml2
+	sys-libs/zlib
+	app-crypt/p11-kit
+	!gnutls? (
+		>=dev-libs/openssl-1.0.1h:0=
+		dev-libs/libp11
+		test? ( || (
+			>=dev-libs/openssl-1.1.0:0[weak-ssl-ciphers(-)]
+			<dev-libs/openssl-1.1.0:0
+		) )
+	)
+	gnutls? (
+		app-crypt/trousers
+		app-misc/ca-certificates
+		dev-libs/nettle
+		>=net-libs/gnutls-3.6.13:0=
+		dev-libs/libtasn1:0=
+		app-crypt/tpm2-tss
+	)
+	gssapi? ( virtual/krb5 )
+	libproxy? ( net-libs/libproxy )
+	lz4? ( app-arch/lz4:= )
+	nls? ( virtual/libintl )
+	pskc? ( sys-auth/oath-toolkit[pskc] )
+	smartcard? ( sys-apps/pcsc-lite:0= )
+	stoken? ( app-crypt/stoken )
+"
+RDEPEND="${DEPEND}
+	sys-apps/iproute2
+	>=net-vpn/vpnc-scripts-20210402-r1
+	selinux? ( sec-policy/selinux-vpn )
+"
+BDEPEND="
+	virtual/pkgconfig
+	doc? ( ${PYTHON_DEPS} sys-apps/groff )
+	nls? ( sys-devel/gettext )
+	test? (
+		net-libs/socket_wrapper
+		net-vpn/ocserv
+		sys-libs/uid_wrapper
+	)
+"
+
+CONFIG_CHECK="~TUN"
+
+pkg_pretend() {
+	check_extra_config
+}
+
+pkg_setup() {
+	:
+}
+
+src_unpack() {
+	if [[ ${PV} == 9999 ]]; then
+		git-r3_src_unpack
+	fi
+	default
+}
+
+src_prepare() {
+	local PATCHES=(
+		"${FILESDIR}/8.20-rsa-securid.patch"
+		"${FILESDIR}/8.20-insecure-crypto.patch"
+	)
+	default
+	if [[ ${PV} == 9999 ]]; then
+		eautoreconf
+	fi
+}
+
+src_configure() {
+	if use doc; then
+		python_setup
+	else
+		export ac_cv_path_PYTHON=
+	fi
+
+	# Used by tests if userpriv is disabled
+	addwrite /run/netns
+
+	local myconf=(
+		--disable-dsa-tests
+		$(use_enable nls)
+		--disable-static
+		$(use_with !gnutls openssl)
+		$(use_with gnutls)
+		$(use_with libproxy)
+		$(use_with lz4)
+		$(use_with gssapi)
+		$(use_with pskc libpskc)
+		$(use_with smartcard libpcsclite)
+		$(use_with stoken)
+		--with-vpnc-script="${EPREFIX}/etc/vpnc/vpnc-script"
+		--without-java
+	)
+
+	econf "${myconf[@]}"
+}
+
+src_test() {
+	local charset
+	for charset in UTF-8 ISO-8859-2; do
+		if [[ $(LC_ALL=cs_CZ.${charset} locale charmap 2>/dev/null) != ${charset} ]]; then
+			# If we don't have valid cs_CZ locale data, auth-nonascii will fail.
+			# Force a test skip by exiting with status 77.
+			sed -i -e '2i exit 77' tests/auth-nonascii || die
+			break
+		fi
+	done
+	default
+}
+
+src_install() {
+	default
+	find "${ED}" -name '*.la' -delete || die
+
+	dodoc "${FILESDIR}"/README.OpenRC
+
+	newconfd "${FILESDIR}"/openconnect.confd openconnect
+	newinitd "${FILESDIR}"/openconnect.initd openconnect
+
+	insinto /etc/logrotate.d
+	newins "${FILESDIR}"/openconnect.logrotate openconnect
+
+	keepdir /var/log/openconnect
+}
author	Mike Gilbert <floppym@gentoo.org>	2022-04-10 20:58:05 -0400
committer	Mike Gilbert <floppym@gentoo.org>	2022-04-10 20:58:42 -0400
commit	cb84d12940f854ce1704fa1afacc92422810b7b5 (patch)
tree	82d1c75193cca3608fd07bc73dedbaa8436495e3
parent	net-vpn/openconnect: update openssl test deps (diff)
download	gentoo-cb84d12940f854ce1704fa1afacc92422810b7b5.tar.gz gentoo-cb84d12940f854ce1704fa1afacc92422810b7b5.tar.bz2 gentoo-cb84d12940f854ce1704fa1afacc92422810b7b5.zip