From 0c100b7dd2b30e75b799d806df4ef899fd98e1ea Mon Sep 17 00:00:00 2001
From: V3n3RiX
Date: Sat, 16 Apr 2022 13:07:24 +0100
Subject: gentoo resync : 16.04.2022
---
 .../openconnect/files/8.20-insecure-crypto.patch | 46 +++++++++++++++++++
 net-vpn/openconnect/files/8.20-rsa-securid.patch | 51 ++++++++++++++++++++++
 2 files changed, 97 insertions(+)
 create mode 100644 net-vpn/openconnect/files/8.20-insecure-crypto.patch
 create mode 100644 net-vpn/openconnect/files/8.20-rsa-securid.patch
(limited to 'net-vpn/openconnect/files')
diff --git a/net-vpn/openconnect/files/8.20-insecure-crypto.patch b/net-vpn/openconnect/files/8.20-insecure-crypto.patch
new file mode 100644
index 000000000000..7644e1a264ba
--- /dev/null
+++ b/net-vpn/openconnect/files/8.20-insecure-crypto.patch
@@ -0,0 +1,46 @@
+From e2b38313bbd5050acaac49a75f0a024d05b505e5 Mon Sep 17 00:00:00 2001
+From: Mike Gilbert
+Date: Sun, 10 Apr 2022 12:21:57 -0400
+Subject: [PATCH] openssl: allow ALL ciphers when allow-insecure-crypto is
+ enabled
+
+Previously, the cipher list was set to "DEFAULT:+3DES:+RC4". However,
+according to ciphers(1), the DEFAULT keyword cannot be combined with
+other strings using the + characters. In other words, ":+3DES:+RC4" gets
+ignored.
+
+The user is opting into insecure behavior, so let's keep it simple and
+just allow everything.
+
+This change fixes the obsolete-server-crypto test when openconnect is
+built against openssl-1.1.x.
+
+Signed-off-by: Mike Gilbert
+---
+ openssl.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/openssl.c b/openssl.c
+index 3205dbd7..2bf594e7 100644
+--- a/openssl.c
++++ b/openssl.c
+@@ -1868,13 +1868,10 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
+ struct oc_text_buf *buf = buf_alloc();
+ if (vpninfo->pfs)
+ buf_append(buf, "HIGH:!aNULL:!eNULL:-RSA");
++ else if (vpninfo->allow_insecure_crypto)
++ buf_append(buf, "ALL");
+ else
+- buf_append(buf, "DEFAULT");
+-
+- if (vpninfo->allow_insecure_crypto)
+- buf_append(buf, ":+3DES:+RC4");
+- else
+- buf_append(buf, ":-3DES:-RC4");
++ buf_append(buf, "DEFAULT:-3DES:-RC4");
+
+ if (buf_error(buf)) {
+ vpn_progress(vpninfo, PRG_ERR,
+--
+2.35.1
+
diff --git a/net-vpn/openconnect/files/8.20-rsa-securid.patch b/net-vpn/openconnect/files/8.20-rsa-securid.patch
new file mode 100644
index 000000000000..57ab2d740707
--- /dev/null
+++ b/net-vpn/openconnect/files/8.20-rsa-securid.patch
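Review bot: The new `++ buf_append(buf, "ALL");` line admits more than the weak ciphers the patch description talks about: in OpenSSL's cipher-list syntax ALL excludes only the eNULL suites, so it also enables the anonymous (aNULL) key-exchange suites that DEFAULT — and therefore the old `DEFAULT:+3DES:+RC4` string — never offered. That turns `--allow-insecure-crypto` from "accept old ciphers" into "accept an unauthenticated server" unless the certificate-verification path elsewhere in openssl.c already refuses a handshake with no peer certificate, which is not visible from this hunk and should be confirmed. If the intent is weak ciphers but still an authenticated peer, `buf_append(buf, "ALL:!aNULL");` keeps that property, matching the `!aNULL` the pfs branch two lines above already uses. The enclosing openconnect_open_https() starts and ends outside the hunk.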
@@ -0,0 +1,51 @@
+From 19417131895eb39aabf3641a9e4e0d7082b04f6d Mon Sep 17 00:00:00 2001
+From: Daniel Lenski
+Date: Mon, 7 Mar 2022 08:50:13 -0800
+Subject: [PATCH] Bugfix RSA SecurID token decryption and PIN entry forms
+
+As of
+https://gitlab.com/openconnect/openconnect/-/commit/386a6edb6d2d1d2cd3e9c9de8d85dc7bfda60d34,
+all auth forms are required to have a non-NULL `auth_id`.
+
+However, we forget to make stoken.c set the `auth_id` for the forms that it
+creates for RSA SecurID token decryption and PIN entry. Let's name these:
+
+ - `_rsa_unlock`, for token decryption.
+ - `_rsa_pin`, for PIN entry. Also, rename the numeric PIN field to `pin`
+ rather than `password`; there can't be any existing users relying on
+ `--form-entry` to set its value, because that wouldn't work without the
+ `auth_id`.
+
+Fixes #388.
+
+Signed-off-by: Daniel Lenski
+---
+ stoken.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/stoken.c b/stoken.c
+index 00a67625..45d849f5 100644
+--- a/stoken.c
++++ b/stoken.c
+@@ -100,6 +100,7 @@ static int decrypt_stoken(struct openconnect_info *vpninfo)
+
+ form.opts = opts;
+ form.message = _("Enter credentials to unlock software token.");
++ form.auth_id = "_rsa_unlock";
+
+ if (stoken_devid_required(vpninfo->stoken_ctx)) {
+ opt->type = OC_FORM_OPT_TEXT;
+@@ -206,9 +207,10 @@ static int request_stoken_pin(struct openconnect_info *vpninfo)
+
+ form.opts = opts;
+ form.message = _("Enter software token PIN.");
++ form.auth_id = "_rsa_pin";
+
+ opt->type = OC_FORM_OPT_PASSWORD;
+- opt->name = (char *)"password";
++ opt->name = (char *)"pin";
+ opt->label = _("PIN:");
+ opt->flags = OC_FORM_OPT_NUMERIC;
+
+--
+GitLab
-- cgit v1.2.3
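Review bot: `++ form.auth_id = "_rsa_unlock";` (and `"_rsa_pin"` in the second hunk) stores a string literal in a field whose sibling `opt->name` is deliberately written as `(char *)"pin"`, which suggests these struct members are plain `char *` and the build is kept clean under a literal-to-`char *` warning; for consistency write `form.auth_id = (char *)"_rsa_unlock";` and `form.auth_id = (char *)"_rsa_pin";`. Storing a literal is only safe if `form` is never handed to a helper that frees `auth_id`; `form.opts = opts` suggests a stack-local form, but its lifetime is outside this hunk, so that should be confirmed in decrypt_stoken() and request_stoken_pin(). Both enclosing functions start and end outside the hunk.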