summaryrefslogtreecommitdiff
path: root/net-vpn/openconnect
diff options
context:
space:
mode:
authorV3n3RiX <venerix@koprulu.sector>2022-04-16 13:07:24 +0100
committerV3n3RiX <venerix@koprulu.sector>2022-04-16 13:07:24 +0100
commit0c100b7dd2b30e75b799d806df4ef899fd98e1ea (patch)
tree464c922e949c7e4d5d891fb2cdda5daee5612537 /net-vpn/openconnect
parente68d405c5d712af4387159df07e226217bdda049 (diff)
gentoo resync : 16.04.2022
Diffstat (limited to 'net-vpn/openconnect')
-rw-r--r--net-vpn/openconnect/Manifest8
-rw-r--r--net-vpn/openconnect/files/8.20-insecure-crypto.patch46
-rw-r--r--net-vpn/openconnect/files/8.20-rsa-securid.patch51
-rw-r--r--net-vpn/openconnect/openconnect-8.10-r6.ebuild5
-rw-r--r--net-vpn/openconnect/openconnect-8.20.ebuild153
-rw-r--r--net-vpn/openconnect/openconnect-9999.ebuild26
6 files changed, 274 insertions, 15 deletions
diff --git a/net-vpn/openconnect/Manifest b/net-vpn/openconnect/Manifest
index 5b166f73a971..869556d09fa9 100644
--- a/net-vpn/openconnect/Manifest
+++ b/net-vpn/openconnect/Manifest
@@ -1,8 +1,12 @@
+AUX 8.20-insecure-crypto.patch 1437 BLAKE2B 9f69172f9e2b6518b5952c25b636e8fbba89b0810acf502db178b72e23477f44b298d0f64d81dc55527438eec539960d4b5bbb55ff5283dcee449362e5a2ff09 SHA512 112614751241f48395c57a5e07d46907e645de7cde2ceabbd6643ff6c6d52482348acf4c5240ad0e0dae56683fa300a7128f868143f407495a834f198eb48278
+AUX 8.20-rsa-securid.patch 1693 BLAKE2B 4660d2c604f58fd2097b781b1ea69eb9b99ca0b3732e9c0ed720a5a7e5b1f1fb59093b3510496b93b16ca62a87469a9db3b957c94996fe9f80afb5eba12b85c9 SHA512 3c4c15b5496983e82347cc540391aeaee08b62653d7c5009e5a4ccd41c13fff350828f17448bdcdfc49308beeb938fd29bc36005ed1bfef005a8558a55ea16f6
AUX README.OpenRC 416 BLAKE2B a7dcfde210b217d521fcb7c54eb41d07b0e32321aa9c6cc47c78ad7952ee5b6ceede5850de4c4e30891e29e2c4b631b99f65c2c696a9d4fa01ddd190346363bf SHA512 fed0a786466736cd891de7783994e86bb2a20bdb8aa2f9a18f55bc892be0e50d514855b120def151b6fac7e3d2b819510d7dbf496deca65579fea9b42206c49a
AUX openconnect.confd 230 BLAKE2B 6013d6e415ad37f5c4b0d31df011c207978c2f266d94bc081b64c2950ef2a14fd80606abe0f950f443323b43811198838252f2a80e1f3812aed9397ca9809053 SHA512 d773926cf787c5f819f4bdd750ccc6de84a287ce7e0f7322b748a2fb1d88dc4822f8ea0f41c14c60054a54b69caeffe0fc9db76021667b44f0db013ed28cee1b
AUX openconnect.initd 664 BLAKE2B 5fcf983c474ccb10c2b785f1af161e6f85efcb19fe13abc9710a797633496a48ced470cac73cb9c51e3ad66f5efc9e5c559961cfb4213b12684133410614203c SHA512 5c75143e61fd215e13888b647357cf5626902b74cc4af2a8c147c95412ef9393572a8eb34cd5d86babedf2674ca5c3aa35991101a730a033b5af5c8ee9cc4ad9
AUX openconnect.logrotate 116 BLAKE2B 308d088f7c06239ec68831e415df420362c1825ae279fa6f736f36df0bf2e7efc8ea6a4ab43d9b53680dd0ab5028c92bf70a0597b56a20da06b302457e7d5f07 SHA512 ea1b6caf6278fea515c299072ee799ab3676014784703d7fa8e4f4d7bfc4599650c386d9706a3e6d92c195c9e5e1628fa6efc1124e1ae72875cc9eaab73cb077
DIST openconnect-8.10.tar.gz 2084534 BLAKE2B 98ad0e24e09bc565f359139540f60eb9b6b5ed2239a9c46c56889b8554fc3de3605c10f1bb4fa0b0b206ba35404ae90a389ab8dcee54cf05a24d984529d24c2a SHA512 a36a106cf5c637602fc5bd3cd12df8f6dfe55217c1aae93c66ca33208507f3f8cda15e3a46d75615c7fcea1859d1a04017a07674ad0246876154467305477356
-EBUILD openconnect-8.10-r6.ebuild 2886 BLAKE2B 9e755bfe27024b468fc029b83e1646be46e3ff2a5169d0d5a9703a0cbd458017afae5359fd650baee400fd4368fad49a6f86235cf587285dd715a17c8e5e0c6e SHA512 6a17c273c2cc7213635d8e8d97fa1b1885db6eaa0d42617eb3cfe0f694f2de7a4672921b103a9a7929301bea18c707b3d75e5011a5d999c4df02ddd2dee3f28d
-EBUILD openconnect-9999.ebuild 2891 BLAKE2B 1d57c5d59b90ee18227561c1a2fefeae492e33476fb469f13365d7aee9b95d43a4a3a6f4b9110b96eedaf875e518bee5e47d647012b7e4b9add28b9a3c60bf3f SHA512 68e4417b6f075496d7fad2863b487dc43ceb3790d7efd02d12e1a7c90f2b37d63d610ab422a6de783680f1b6f784faa18cb3e36254891945943b4c2ed787df14
+DIST openconnect-8.20.tar.gz 2651542 BLAKE2B 327b437993ee0d705c0194202f6fd7c2b330e69bfbb916ef004b0662c8b9aebc1252aa3c83bd41b4d1cf85b933878d37b1a7608f076d82b50e325a3efaea2dec SHA512 76f5e49948391397ea1f7d2fca5798731f4278fee74c3da9b0f0daba6c386ce79ec5d87d40b6d3d99bb2528a038b5a2076df4159bb29c52cba62efb2ca52c8ab
+EBUILD openconnect-8.10-r6.ebuild 2931 BLAKE2B bfff3567d1551a4fb47024ca3c44dd2f9c1c8bb0d229993082f43e869ae98380177222e68051fa6f6f55376450cf27d96589926c3ca25c696832e96035481528 SHA512 9bb65ae4020bb2cc5fa7384ccda9ca7bc0ffca93f8082159752ae2be76568847fa6e926a8e7770583f6a07c6baea890addf11684ee7f1a0cf3b067266de1a180
+EBUILD openconnect-8.20.ebuild 3144 BLAKE2B b4c2b962b95c5bd49d7dbcd39d25e61f9a35b8b648519e9155f7f560db5828e2404ecee709000bba0d504f771da342ea986cdd44e74ee0a561f546f67b4d264b SHA512 6a9b267ce84cee680766e46694d942eca1487ec9f40649bd2ac278b4ff9356938df8c7e0f474ae98c9b8ca897c1b45ae1718225d871f93d62fae894eaebafba4
+EBUILD openconnect-9999.ebuild 3042 BLAKE2B efaa6717ae02f49960377f7b46c04f130b78ddb0a7de40ab77901b4429a83f5c63e1ecf1a7ea4c29c81f6e549fe25b0bde773c5956ae8eb6f9b31eb44c5ca41c SHA512 38d815e9612ee758b2bddbab39c9d9fc09a94794014a242eb916723b72ea38305a57d18a5cf285a3288a5ebc24863a0c672643fe80f7171fcd00f5ffc23402cb
MISC metadata.xml 594 BLAKE2B 63b24f0d189e935368858b3f7f4160d9121847dc598ee6fb0cd8ed313d51e03de983584a48a799553349f779c6a18d1f080a906449fe0f4d05cec0f43c4a2c70 SHA512 6a474d13019ee9a325c3b262220a41b1faeaa3315500a2e73670bfea2cb2778036d107fcf783f89d286ec4125460b0cf7a19b85155f9b6b9f9d9459cbf87e070
diff --git a/net-vpn/openconnect/files/8.20-insecure-crypto.patch b/net-vpn/openconnect/files/8.20-insecure-crypto.patch
new file mode 100644
index 000000000000..7644e1a264ba
--- /dev/null
+++ b/net-vpn/openconnect/files/8.20-insecure-crypto.patch
@@ -0,0 +1,46 @@
+From e2b38313bbd5050acaac49a75f0a024d05b505e5 Mon Sep 17 00:00:00 2001
+From: Mike Gilbert <floppym@gentoo.org>
+Date: Sun, 10 Apr 2022 12:21:57 -0400
+Subject: [PATCH] openssl: allow ALL ciphers when allow-insecure-crypto is
+ enabled
+
+Previously, the cipher list was set to "DEFAULT:+3DES:+RC4". However,
+according to ciphers(1), the DEFAULT keyword cannot be combined with
+other strings using the + characters. In other words, ":+3DES:+RC4" gets
+ignored.
+
+The user is opting into insecure behavior, so let's keep it simple and
+just allow everything.
+
+This change fixes the obsolete-server-crypto test when openconnect is
+built against openssl-1.1.x.
+
+Signed-off-by: Mike Gilbert <floppym@gentoo.org>
+---
+ openssl.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/openssl.c b/openssl.c
+index 3205dbd7..2bf594e7 100644
+--- a/openssl.c
++++ b/openssl.c
+@@ -1868,13 +1868,10 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
+ struct oc_text_buf *buf = buf_alloc();
+ if (vpninfo->pfs)
+ buf_append(buf, "HIGH:!aNULL:!eNULL:-RSA");
++ else if (vpninfo->allow_insecure_crypto)
++ buf_append(buf, "ALL");
+ else
+- buf_append(buf, "DEFAULT");
+-
+- if (vpninfo->allow_insecure_crypto)
+- buf_append(buf, ":+3DES:+RC4");
+- else
+- buf_append(buf, ":-3DES:-RC4");
++ buf_append(buf, "DEFAULT:-3DES:-RC4");
+
+ if (buf_error(buf)) {
+ vpn_progress(vpninfo, PRG_ERR,
+--
+2.35.1
+
diff --git a/net-vpn/openconnect/files/8.20-rsa-securid.patch b/net-vpn/openconnect/files/8.20-rsa-securid.patch
new file mode 100644
index 000000000000..57ab2d740707
--- /dev/null
+++ b/net-vpn/openconnect/files/8.20-rsa-securid.patch
@@ -0,0 +1,51 @@
+From 19417131895eb39aabf3641a9e4e0d7082b04f6d Mon Sep 17 00:00:00 2001
+From: Daniel Lenski <dlenski@gmail.com>
+Date: Mon, 7 Mar 2022 08:50:13 -0800
+Subject: [PATCH] Bugfix RSA SecurID token decryption and PIN entry forms
+
+As of
+https://gitlab.com/openconnect/openconnect/-/commit/386a6edb6d2d1d2cd3e9c9de8d85dc7bfda60d34,
+all auth forms are required to have a non-NULL `auth_id`.
+
+However, we forget to make stoken.c set the `auth_id` for the forms that it
+creates for RSA SecurID token decryption and PIN entry. Let's name these:
+
+ - `_rsa_unlock`, for token decryption.
+ - `_rsa_pin`, for PIN entry. Also, rename the numeric PIN field to `pin`
+ rather than `password`; there can't be any existing users relying on
+ `--form-entry` to set its value, because that wouldn't work without the
+ `auth_id`.
+
+Fixes #388.
+
+Signed-off-by: Daniel Lenski <dlenski@gmail.com>
+---
+ stoken.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/stoken.c b/stoken.c
+index 00a67625..45d849f5 100644
+--- a/stoken.c
++++ b/stoken.c
+@@ -100,6 +100,7 @@ static int decrypt_stoken(struct openconnect_info *vpninfo)
+
+ form.opts = opts;
+ form.message = _("Enter credentials to unlock software token.");
++ form.auth_id = "_rsa_unlock";
+
+ if (stoken_devid_required(vpninfo->stoken_ctx)) {
+ opt->type = OC_FORM_OPT_TEXT;
+@@ -206,9 +207,10 @@ static int request_stoken_pin(struct openconnect_info *vpninfo)
+
+ form.opts = opts;
+ form.message = _("Enter software token PIN.");
++ form.auth_id = "_rsa_pin";
+
+ opt->type = OC_FORM_OPT_PASSWORD;
+- opt->name = (char *)"password";
++ opt->name = (char *)"pin";
+ opt->label = _("PIN:");
+ opt->flags = OC_FORM_OPT_NUMERIC;
+
+--
+GitLab
diff --git a/net-vpn/openconnect/openconnect-8.10-r6.ebuild b/net-vpn/openconnect/openconnect-8.10-r6.ebuild
index da0988a8a8fc..1251db14a690 100644
--- a/net-vpn/openconnect/openconnect-8.10-r6.ebuild
+++ b/net-vpn/openconnect/openconnect-8.10-r6.ebuild
@@ -1,4 +1,4 @@
-# Copyright 2011-2021 Gentoo Authors
+# Copyright 2011-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
@@ -21,7 +21,7 @@ HOMEPAGE="http://www.infradead.org/openconnect.html"
LICENSE="LGPL-2.1 GPL-2"
SLOT="0/5"
-IUSE="doc +gnutls gssapi libproxy lz4 nls pskc smartcard stoken test"
+IUSE="doc +gnutls gssapi libproxy lz4 nls pskc selinux smartcard stoken test"
RESTRICT="!test? ( test )"
DEPEND="
@@ -51,6 +51,7 @@ DEPEND="
RDEPEND="${DEPEND}
sys-apps/iproute2
>=net-vpn/vpnc-scripts-20210402-r1
+ selinux? ( sec-policy/selinux-vpn )
"
BDEPEND="
virtual/pkgconfig
diff --git a/net-vpn/openconnect/openconnect-8.20.ebuild b/net-vpn/openconnect/openconnect-8.20.ebuild
new file mode 100644
index 000000000000..005edaf647c5
--- /dev/null
+++ b/net-vpn/openconnect/openconnect-8.20.ebuild
@@ -0,0 +1,153 @@
+# Copyright 2011-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{8..10} )
+PYTHON_REQ_USE="xml"
+
+inherit linux-info python-any-r1
+
+if [[ ${PV} == 9999 ]]; then
+ EGIT_REPO_URI="https://gitlab.com/openconnect/openconnect.git"
+ inherit git-r3 autotools
+else
+ SRC_URI="ftp://ftp.infradead.org/pub/${PN}/${P}.tar.gz"
+ KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+fi
+
+DESCRIPTION="Free client for Cisco AnyConnect SSL VPN software"
+HOMEPAGE="http://www.infradead.org/openconnect.html"
+
+LICENSE="LGPL-2.1 GPL-2"
+SLOT="0/5"
+IUSE="doc +gnutls gssapi libproxy lz4 nls pskc selinux smartcard stoken test"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+ dev-libs/libxml2
+ sys-libs/zlib
+ app-crypt/p11-kit
+ !gnutls? (
+ >=dev-libs/openssl-1.0.1h:0=
+ dev-libs/libp11
+ )
+ gnutls? (
+ app-crypt/trousers
+ app-misc/ca-certificates
+ dev-libs/nettle
+ >=net-libs/gnutls-3.6.13:0=
+ dev-libs/libtasn1:0=
+ app-crypt/tpm2-tss
+ )
+ gssapi? ( virtual/krb5 )
+ libproxy? ( net-libs/libproxy )
+ lz4? ( app-arch/lz4:= )
+ nls? ( virtual/libintl )
+ pskc? ( sys-auth/oath-toolkit[pskc] )
+ smartcard? ( sys-apps/pcsc-lite:0= )
+ stoken? ( app-crypt/stoken )
+"
+DEPEND="${COMMON_DEPEND}
+ test? (
+ net-libs/socket_wrapper
+ sys-libs/uid_wrapper
+ !gnutls? ( dev-libs/openssl:0[weak-ssl-ciphers(-)] )
+ )
+"
+RDEPEND="${COMMON_DEPEND}
+ sys-apps/iproute2
+ >=net-vpn/vpnc-scripts-20210402-r1
+ selinux? ( sec-policy/selinux-vpn )
+"
+BDEPEND="
+ virtual/pkgconfig
+ doc? ( ${PYTHON_DEPS} sys-apps/groff )
+ nls? ( sys-devel/gettext )
+ test? ( net-vpn/ocserv )
+"
+
+CONFIG_CHECK="~TUN"
+
+pkg_pretend() {
+ check_extra_config
+}
+
+pkg_setup() {
+ :
+}
+
+src_unpack() {
+ if [[ ${PV} == 9999 ]]; then
+ git-r3_src_unpack
+ fi
+ default
+}
+
+src_prepare() {
+ local PATCHES=(
+ "${FILESDIR}/8.20-rsa-securid.patch"
+ "${FILESDIR}/8.20-insecure-crypto.patch"
+ )
+ default
+ if [[ ${PV} == 9999 ]]; then
+ eautoreconf
+ fi
+}
+
+src_configure() {
+ if use doc; then
+ python_setup
+ else
+ export ac_cv_path_PYTHON=
+ fi
+
+ # Used by tests if userpriv is disabled
+ addwrite /run/netns
+
+ local myconf=(
+ --disable-dsa-tests
+ $(use_enable nls)
+ --disable-static
+ $(use_with !gnutls openssl)
+ $(use_with gnutls)
+ $(use_with libproxy)
+ $(use_with lz4)
+ $(use_with gssapi)
+ $(use_with pskc libpskc)
+ $(use_with smartcard libpcsclite)
+ $(use_with stoken)
+ --with-vpnc-script="${EPREFIX}/etc/vpnc/vpnc-script"
+ --without-java
+ )
+
+ econf "${myconf[@]}"
+}
+
+src_test() {
+ local charset
+ for charset in UTF-8 ISO-8859-2; do
+ if [[ $(LC_ALL=cs_CZ.${charset} locale charmap 2>/dev/null) != ${charset} ]]; then
+ # If we don't have valid cs_CZ locale data, auth-nonascii will fail.
+ # Force a test skip by exiting with status 77.
+ sed -i -e '2i exit 77' tests/auth-nonascii || die
+ break
+ fi
+ done
+ default
+}
+
+src_install() {
+ default
+ find "${ED}" -name '*.la' -delete || die
+
+ dodoc "${FILESDIR}"/README.OpenRC
+
+ newconfd "${FILESDIR}"/openconnect.confd openconnect
+ newinitd "${FILESDIR}"/openconnect.initd openconnect
+
+ insinto /etc/logrotate.d
+ newins "${FILESDIR}"/openconnect.logrotate openconnect
+
+ keepdir /var/log/openconnect
+}
diff --git a/net-vpn/openconnect/openconnect-9999.ebuild b/net-vpn/openconnect/openconnect-9999.ebuild
index 5a6a3065e1dc..90982f02608c 100644
--- a/net-vpn/openconnect/openconnect-9999.ebuild
+++ b/net-vpn/openconnect/openconnect-9999.ebuild
@@ -1,7 +1,7 @@
-# Copyright 2011-2021 Gentoo Authors
+# Copyright 2011-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
-EAPI=7
+EAPI=8
PYTHON_COMPAT=( python3_{8..10} )
PYTHON_REQ_USE="xml"
@@ -21,10 +21,10 @@ HOMEPAGE="http://www.infradead.org/openconnect.html"
LICENSE="LGPL-2.1 GPL-2"
SLOT="0/5"
-IUSE="doc +gnutls gssapi libproxy lz4 nls pskc smartcard stoken test"
+IUSE="doc +gnutls gssapi libproxy lz4 nls pskc selinux smartcard stoken test"
RESTRICT="!test? ( test )"
-DEPEND="
+COMMON_DEPEND="
dev-libs/libxml2
sys-libs/zlib
app-crypt/p11-kit
@@ -48,19 +48,23 @@ DEPEND="
smartcard? ( sys-apps/pcsc-lite:0= )
stoken? ( app-crypt/stoken )
"
-RDEPEND="${DEPEND}
+DEPEND="${COMMON_DEPEND}
+ test? (
+ net-libs/socket_wrapper
+ sys-libs/uid_wrapper
+ !gnutls? ( dev-libs/openssl:0[weak-ssl-ciphers(-)] )
+ )
+"
+RDEPEND="${COMMON_DEPEND}
sys-apps/iproute2
>=net-vpn/vpnc-scripts-20210402-r1
+ selinux? ( sec-policy/selinux-vpn )
"
BDEPEND="
virtual/pkgconfig
doc? ( ${PYTHON_DEPS} sys-apps/groff )
nls? ( sys-devel/gettext )
- test? (
- net-libs/socket_wrapper
- net-vpn/ocserv
- sys-libs/uid_wrapper
- )
+ test? ( net-vpn/ocserv )
"
CONFIG_CHECK="~TUN"
@@ -118,7 +122,7 @@ src_configure() {
src_test() {
local charset
- for charset in UTF-8 ISO8859-2; do
+ for charset in UTF-8 ISO-8859-2; do
if [[ $(LC_ALL=cs_CZ.${charset} locale charmap 2>/dev/null) != ${charset} ]]; then
# If we don't have valid cs_CZ locale data, auth-nonascii will fail.
# Force a test skip by exiting with status 77.