commit: 9c8f2fc6da823463194458c94437441a11f908b8 Author: Mike Gilbert <floppym <AT> gentoo <DOT> org> AuthorDate: Sat Oct 25 19:42:14 2025 +0000 Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org> CommitDate: Sat Oct 25 19:44:03 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9c8f2fc6
net-vpn/openconnect: backport patch Closes: https://bugs.gentoo.org/965061 Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org> .../files/openconnect-9.12-strap-rfc9266.patch | 111 +++++++++++++++ net-vpn/openconnect/openconnect-9.12-r2.ebuild | 158 +++++++++++++++++++++ 2 files changed, 269 insertions(+) diff --git a/net-vpn/openconnect/files/openconnect-9.12-strap-rfc9266.patch b/net-vpn/openconnect/files/openconnect-9.12-strap-rfc9266.patch new file mode 100644 index 000000000000..2e81568b5b63 --- /dev/null +++ b/net-vpn/openconnect/files/openconnect-9.12-strap-rfc9266.patch @@ -0,0 +1,111 @@ +https://bugs.gentoo.org/965061 +https://gitlab.com/openconnect/openconnect/-/merge_requests/574 + +From 94868eef754f88569f690f8440010b331a3a67fb Mon Sep 17 00:00:00 2001 +From: David Woodhouse <[email protected]> +Date: Fri, 15 Nov 2024 15:46:05 +0000 +Subject: [PATCH] Use RFC9266 'tls-exporter' channel bindings for Cisco STRAP + with TLSv1.3 + +Fixes #659 + +Signed-off-by: David Woodhouse <[email protected]> +(cherry picked from commit 94e0b16c011b7b88708b8a8505fac6bfbe2e3cca) +--- + gnutls.c | 20 +++++++++++++++++++- + openconnect-internal.h | 5 +++++ + openssl.c | 30 +++++++++++++++++++++++------- + 3 files changed, 47 insertions(+), 8 deletions(-) + +diff --git a/gnutls.c b/gnutls.c +index 9fc010b9..6c2e3aec 100644 +--- a/gnutls.c ++++ b/gnutls.c +@@ -3176,7 +3176,25 @@ void append_strap_verify(struct openconnect_info *vpninfo, + + /* Concatenate our Finished message with our pubkey to be signed */ + struct oc_text_buf *nonce = buf_alloc(); +- buf_append_bytes(nonce, vpninfo->finished, vpninfo->finished_len); ++ if (gnutls_protocol_get_version(vpninfo->https_sess) <= GNUTLS_TLS1_2) { ++ /* For TLSv1.2 and earlier, use RFC5929 'tls-unique' channel binding */ ++ buf_append_bytes(nonce, vpninfo->finished, vpninfo->finished_len); ++ } else { ++ /* For TLSv1.3 use RFC9266 'tls-exporter' channel binding */ ++ char channel_binding_buf[TLS_EXPORTER_KEY_SIZE]; ++ err = gnutls_prf(vpninfo->https_sess, TLS_EXPORTER_LABEL_SIZE, TLS_EXPORTER_LABEL, ++ 0, 0, 0, TLS_EXPORTER_KEY_SIZE, channel_binding_buf); ++ if (err) { ++ vpn_progress(vpninfo, PRG_ERR, ++ _("Failed to generate channel bindings for STRAP key: %s\n"), ++ gnutls_strerror(err)); ++ if (!buf_error(buf)) ++ buf->error = -EIO; ++ buf_free(nonce); ++ return; ++ } ++ buf_append_bytes(nonce, channel_binding_buf, TLS_EXPORTER_KEY_SIZE); ++ } + + if (rekey) { + /* We have a copy and we don't want it freed just yet */ +diff --git a/openconnect-internal.h b/openconnect-internal.h +index f19b4d81..541d5594 100644 +--- a/openconnect-internal.h ++++ b/openconnect-internal.h +@@ -1058,6 +1058,11 @@ static inline void __monitor_fd_new(struct openconnect_info *vpninfo, + #define PSK_LABEL_SIZE (sizeof(PSK_LABEL) - 1) + #define PSK_KEY_SIZE 32 + ++/* Key material for RFC9266 tls-exporter channel binding */ ++#define TLS_EXPORTER_LABEL "EXPORTER-Channel-Binding" ++#define TLS_EXPORTER_LABEL_SIZE (sizeof(TLS_EXPORTER_LABEL) - 1) ++#define TLS_EXPORTER_KEY_SIZE 32 ++ + /* Packet types */ + + #define AC_PKT_DATA 0 /* Uncompressed data */ +diff --git a/openssl.c b/openssl.c +index 12a08692..4177e3f9 100644 +--- a/openssl.c ++++ b/openssl.c +@@ -2510,14 +2510,30 @@ void append_strap_verify(struct openconnect_info *vpninfo, + struct oc_text_buf *buf, int rekey) + { + unsigned char finished[64]; +- size_t flen = SSL_get_finished(vpninfo->https_ssl, finished, sizeof(finished)); ++ size_t flen; + +- if (flen > sizeof(finished)) { +- vpn_progress(vpninfo, PRG_ERR, +- _("SSL Finished message too large (%zd bytes)\n"), flen); +- if (!buf_error(buf)) +- buf->error = -EIO; +- return; ++ if (SSL_SESSION_get_protocol_version(SSL_get_session(vpninfo->https_ssl)) <= TLS1_2_VERSION) { ++ /* For TLSv1.2 and earlier, use RFC5929 'tls-unique' channel binding */ ++ flen = SSL_get_finished(vpninfo->https_ssl, finished, sizeof(finished)); ++ if (flen > sizeof(finished)) { ++ vpn_progress(vpninfo, PRG_ERR, ++ _("SSL Finished message too large (%zu bytes)\n"), flen); ++ if (!buf_error(buf)) ++ buf->error = -EIO; ++ return; ++ } ++ } else { ++ /* For TLSv1.3 use RFC9266 'tls-exporter' channel binding */ ++ if (!SSL_export_keying_material(vpninfo->https_ssl, ++ finished, TLS_EXPORTER_KEY_SIZE, ++ TLS_EXPORTER_LABEL, TLS_EXPORTER_LABEL_SIZE, ++ NULL, 0, 0)) { ++ vpn_progress(vpninfo, PRG_ERR, ++ _("Failed to generate channel bindings for STRAP key\n")); ++ openconnect_report_ssl_errors(vpninfo); ++ return; ++ } ++ flen = TLS_EXPORTER_KEY_SIZE; + } + + /* If we're rekeying, we need to sign the Verify header with the *old* key. */ +-- +2.51.1 + diff --git a/net-vpn/openconnect/openconnect-9.12-r2.ebuild b/net-vpn/openconnect/openconnect-9.12-r2.ebuild new file mode 100644 index 000000000000..df375524de34 --- /dev/null +++ b/net-vpn/openconnect/openconnect-9.12-r2.ebuild @@ -0,0 +1,158 @@ +# Copyright 2011-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +PYTHON_COMPAT=( python3_{10..13} ) +PYTHON_REQ_USE="xml(+)" + +inherit linux-info python-any-r1 + +if [[ ${PV} == 9999 ]]; then + EGIT_REPO_URI="https://gitlab.com/openconnect/openconnect.git" + inherit git-r3 autotools +else + inherit verify-sig + SRC_URI="https://www.infradead.org/openconnect/download/${P}.tar.gz + verify-sig? ( https://www.infradead.org/openconnect/download/${P}.tar.gz.asc )" + KEYWORDS="~amd64 ~arm ~arm64 ~loong ~ppc64 ~riscv ~x86" +fi + +DESCRIPTION="Free client for Cisco AnyConnect SSL VPN software" +HOMEPAGE="https://www.infradead.org/openconnect/" + +LICENSE="LGPL-2.1 GPL-2" +SLOT="0/5" +IUSE="doc +gnutls gssapi libproxy lz4 nls pskc selinux smartcard stoken test" +RESTRICT="!test? ( test )" + +COMMON_DEPEND=" + dev-libs/json-parser:0= + dev-libs/libxml2:= + sys-libs/zlib + app-crypt/p11-kit + !gnutls? ( + >=dev-libs/openssl-1.0.1h:0= + dev-libs/libp11 + ) + gnutls? ( + app-crypt/trousers + app-misc/ca-certificates + dev-libs/nettle + >=net-libs/gnutls-3.6.13:0= + dev-libs/libtasn1:0= + app-crypt/tpm2-tss:= + ) + gssapi? ( virtual/krb5 ) + libproxy? ( net-libs/libproxy ) + lz4? ( app-arch/lz4:= ) + nls? ( virtual/libintl ) + pskc? ( sys-auth/oath-toolkit[pskc(+)] ) + smartcard? ( sys-apps/pcsc-lite:0= ) + stoken? ( app-crypt/stoken ) +" +DEPEND="${COMMON_DEPEND} + test? ( + net-libs/socket_wrapper + sys-libs/uid_wrapper + !gnutls? ( dev-libs/openssl:0[weak-ssl-ciphers(-)] ) + ) +" +RDEPEND="${COMMON_DEPEND} + sys-apps/iproute2 + >=net-vpn/vpnc-scripts-20210402-r1 + selinux? ( sec-policy/selinux-vpn ) +" +BDEPEND=" + virtual/pkgconfig + doc? ( ${PYTHON_DEPS} sys-apps/groff ) + nls? ( sys-devel/gettext ) + test? ( net-vpn/ocserv ) +" + +if [[ ${PV} != 9999 ]]; then + BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-dwmw2 )" + VERIFY_SIG_OPENPGP_KEY_PATH="/usr/share/openpgp-keys/[email protected]" +fi + +QA_CONFIG_IMPL_DECL_SKIP=( memset_s ) + +CONFIG_CHECK="~TUN" + +pkg_pretend() { + check_extra_config +} + +pkg_setup() { + : +} + +src_prepare() { + local PATCHES=( + "${FILESDIR}/openconnect-9.12-stdlib.patch" + "${FILESDIR}/openconnect-9.12-strap-rfc9266.patch" + ) + default + if [[ ${PV} == 9999 ]]; then + eautoreconf + fi +} + +src_configure() { + if use doc; then + python_setup + else + export ac_cv_path_PYTHON= + fi + + # Used by tests if userpriv is disabled + addwrite /run/netns + + local myconf=( + --disable-dsa-tests + $(use_enable nls) + --disable-static + $(use_with !gnutls openssl) + $(use_with gnutls) + $(use_with libproxy) + $(use_with lz4) + $(use_with gssapi) + $(use_with pskc libpskc) + $(use_with smartcard libpcsclite) + $(use_with stoken) + --with-vpnc-script="${EPREFIX}/etc/vpnc/vpnc-script" + --without-builtin-json + --without-java + ) + + econf "${myconf[@]}" +} + +src_test() { + local charset + for charset in UTF-8 ISO-8859-2; do + if [[ $(LC_ALL=cs_CZ.${charset} locale charmap 2>/dev/null) != ${charset} ]]; then + # If we don't have valid cs_CZ locale data, auth-nonascii will fail. + # Force a test skip by exiting with status 77. + sed -i -e '2i exit 77' tests/auth-nonascii || die + break + fi + done + addwrite /proc + default +} + +src_install() { + default + find "${ED}" -name '*.la' -delete || die + + dodoc "${FILESDIR}"/README.OpenRC + + newconfd "${FILESDIR}"/openconnect.confd openconnect + newinitd "${FILESDIR}"/openconnect.initd openconnect + + insinto /etc/logrotate.d + newins "${FILESDIR}"/openconnect.logrotate openconnect + + keepdir /var/log/openconnect +}
