commit: 9ea2b28e1c70517b35d40fc0dd93c410c1c18ff7 Author: Mike Gilbert <floppym <AT> gentoo <DOT> org> AuthorDate: Sun Jul 31 17:03:53 2022 +0000 Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org> CommitDate: Sun Jul 31 17:03:53 2022 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9ea2b28e
net-vpn/openconnect: drop 8.20-r1 Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org> net-vpn/openconnect/Manifest | 1 - .../openconnect/files/8.20-insecure-crypto.patch | 46 ------- net-vpn/openconnect/files/8.20-rsa-securid.patch | 51 ------- net-vpn/openconnect/openconnect-8.20-r1.ebuild | 153 --------------------- 4 files changed, 251 deletions(-) diff --git a/net-vpn/openconnect/Manifest b/net-vpn/openconnect/Manifest index a7dd1ff6597b..a855a2300764 100644 --- a/net-vpn/openconnect/Manifest +++ b/net-vpn/openconnect/Manifest @@ -1,2 +1 @@ -DIST openconnect-8.20.tar.gz 2651542 BLAKE2B 327b437993ee0d705c0194202f6fd7c2b330e69bfbb916ef004b0662c8b9aebc1252aa3c83bd41b4d1cf85b933878d37b1a7608f076d82b50e325a3efaea2dec SHA512 76f5e49948391397ea1f7d2fca5798731f4278fee74c3da9b0f0daba6c386ce79ec5d87d40b6d3d99bb2528a038b5a2076df4159bb29c52cba62efb2ca52c8ab DIST openconnect-9.01.tar.gz 2718526 BLAKE2B e346b30ed8a299bcdd1fc88868d59b4d501c48bc5c02092e92e7ded0cd36e4de6a5b65aae4f6bf8c9aa60cf70f5466b110b64889df8d286016c9a1b4d9f46ff7 SHA512 b7428847a90f8ca9d1f1f61653c1f2486f0a07989f3b7435b746c5e901998194f4ee2b4f9569a548a23bba368bb1e9f273674c0759aac9df30208d2a6a303c34 diff --git a/net-vpn/openconnect/files/8.20-insecure-crypto.patch b/net-vpn/openconnect/files/8.20-insecure-crypto.patch deleted file mode 100644 index 7644e1a264ba..000000000000 --- a/net-vpn/openconnect/files/8.20-insecure-crypto.patch +++ /dev/null @@ -1,46 +0,0 @@ -From e2b38313bbd5050acaac49a75f0a024d05b505e5 Mon Sep 17 00:00:00 2001 -From: Mike Gilbert <[email protected]> -Date: Sun, 10 Apr 2022 12:21:57 -0400 -Subject: [PATCH] openssl: allow ALL ciphers when allow-insecure-crypto is - enabled - -Previously, the cipher list was set to "DEFAULT:+3DES:+RC4". However, -according to ciphers(1), the DEFAULT keyword cannot be combined with -other strings using the + characters. In other words, ":+3DES:+RC4" gets -ignored. - -The user is opting into insecure behavior, so let's keep it simple and -just allow everything. - -This change fixes the obsolete-server-crypto test when openconnect is -built against openssl-1.1.x. - -Signed-off-by: Mike Gilbert <[email protected]> ---- - openssl.c | 9 +++------ - 1 file changed, 3 insertions(+), 6 deletions(-) - -diff --git a/openssl.c b/openssl.c -index 3205dbd7..2bf594e7 100644 ---- a/openssl.c -+++ b/openssl.c -@@ -1868,13 +1868,10 @@ int openconnect_open_https(struct openconnect_info *vpninfo) - struct oc_text_buf *buf = buf_alloc(); - if (vpninfo->pfs) - buf_append(buf, "HIGH:!aNULL:!eNULL:-RSA"); -+ else if (vpninfo->allow_insecure_crypto) -+ buf_append(buf, "ALL"); - else -- buf_append(buf, "DEFAULT"); -- -- if (vpninfo->allow_insecure_crypto) -- buf_append(buf, ":+3DES:+RC4"); -- else -- buf_append(buf, ":-3DES:-RC4"); -+ buf_append(buf, "DEFAULT:-3DES:-RC4"); - - if (buf_error(buf)) { - vpn_progress(vpninfo, PRG_ERR, --- -2.35.1 - diff --git a/net-vpn/openconnect/files/8.20-rsa-securid.patch b/net-vpn/openconnect/files/8.20-rsa-securid.patch deleted file mode 100644 index 57ab2d740707..000000000000 --- a/net-vpn/openconnect/files/8.20-rsa-securid.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 19417131895eb39aabf3641a9e4e0d7082b04f6d Mon Sep 17 00:00:00 2001 -From: Daniel Lenski <[email protected]> -Date: Mon, 7 Mar 2022 08:50:13 -0800 -Subject: [PATCH] Bugfix RSA SecurID token decryption and PIN entry forms - -As of -https://gitlab.com/openconnect/openconnect/-/commit/386a6edb6d2d1d2cd3e9c9de8d85dc7bfda60d34, -all auth forms are required to have a non-NULL `auth_id`. - -However, we forget to make stoken.c set the `auth_id` for the forms that it -creates for RSA SecurID token decryption and PIN entry. Let's name these: - - - `_rsa_unlock`, for token decryption. - - `_rsa_pin`, for PIN entry. Also, rename the numeric PIN field to `pin` - rather than `password`; there can't be any existing users relying on - `--form-entry` to set its value, because that wouldn't work without the - `auth_id`. - -Fixes #388. - -Signed-off-by: Daniel Lenski <[email protected]> ---- - stoken.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/stoken.c b/stoken.c -index 00a67625..45d849f5 100644 ---- a/stoken.c -+++ b/stoken.c -@@ -100,6 +100,7 @@ static int decrypt_stoken(struct openconnect_info *vpninfo) - - form.opts = opts; - form.message = _("Enter credentials to unlock software token."); -+ form.auth_id = "_rsa_unlock"; - - if (stoken_devid_required(vpninfo->stoken_ctx)) { - opt->type = OC_FORM_OPT_TEXT; -@@ -206,9 +207,10 @@ static int request_stoken_pin(struct openconnect_info *vpninfo) - - form.opts = opts; - form.message = _("Enter software token PIN."); -+ form.auth_id = "_rsa_pin"; - - opt->type = OC_FORM_OPT_PASSWORD; -- opt->name = (char *)"password"; -+ opt->name = (char *)"pin"; - opt->label = _("PIN:"); - opt->flags = OC_FORM_OPT_NUMERIC; - --- -GitLab diff --git a/net-vpn/openconnect/openconnect-8.20-r1.ebuild b/net-vpn/openconnect/openconnect-8.20-r1.ebuild deleted file mode 100644 index c9b970792d0e..000000000000 --- a/net-vpn/openconnect/openconnect-8.20-r1.ebuild +++ /dev/null @@ -1,153 +0,0 @@ -# Copyright 2011-2022 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -PYTHON_COMPAT=( python3_{8..10} ) -PYTHON_REQ_USE="xml" - -inherit linux-info python-any-r1 - -if [[ ${PV} == 9999 ]]; then - EGIT_REPO_URI="https://gitlab.com/openconnect/openconnect.git"; - inherit git-r3 autotools -else - SRC_URI="ftp://ftp.infradead.org/pub/${PN}/${P}.tar.gz"; - KEYWORDS="amd64 arm arm64 ppc64 ~riscv x86" -fi - -DESCRIPTION="Free client for Cisco AnyConnect SSL VPN software" -HOMEPAGE="https://www.infradead.org/openconnect/"; - -LICENSE="LGPL-2.1 GPL-2" -SLOT="0/5" -IUSE="doc +gnutls gssapi libproxy lz4 nls pskc selinux smartcard stoken test" -RESTRICT="!test? ( test )" - -COMMON_DEPEND=" - dev-libs/libxml2 - sys-libs/zlib - app-crypt/p11-kit - !gnutls? ( - >=dev-libs/openssl-1.0.1h:0= - dev-libs/libp11 - ) - gnutls? ( - app-crypt/trousers - app-misc/ca-certificates - dev-libs/nettle - >=net-libs/gnutls-3.6.13:0= - dev-libs/libtasn1:0= - app-crypt/tpm2-tss:= - ) - gssapi? ( virtual/krb5 ) - libproxy? ( net-libs/libproxy ) - lz4? ( app-arch/lz4:= ) - nls? ( virtual/libintl ) - pskc? ( sys-auth/oath-toolkit[pskc] ) - smartcard? ( sys-apps/pcsc-lite:0= ) - stoken? ( app-crypt/stoken ) -" -DEPEND="${COMMON_DEPEND} - test? ( - net-libs/socket_wrapper - sys-libs/uid_wrapper - !gnutls? ( dev-libs/openssl:0[weak-ssl-ciphers(-)] ) - ) -" -RDEPEND="${COMMON_DEPEND} - sys-apps/iproute2 - >=net-vpn/vpnc-scripts-20210402-r1 - selinux? ( sec-policy/selinux-vpn ) -" -BDEPEND=" - virtual/pkgconfig - doc? ( ${PYTHON_DEPS} sys-apps/groff ) - nls? ( sys-devel/gettext ) - test? ( net-vpn/ocserv ) -" - -CONFIG_CHECK="~TUN" - -pkg_pretend() { - check_extra_config -} - -pkg_setup() { - : -} - -src_unpack() { - if [[ ${PV} == 9999 ]]; then - git-r3_src_unpack - fi - default -} - -src_prepare() { - local PATCHES=( - "${FILESDIR}/8.20-rsa-securid.patch" - "${FILESDIR}/8.20-insecure-crypto.patch" - ) - default - if [[ ${PV} == 9999 ]]; then - eautoreconf - fi -} - -src_configure() { - if use doc; then - python_setup - else - export ac_cv_path_PYTHON= - fi - - # Used by tests if userpriv is disabled - addwrite /run/netns - - local myconf=( - --disable-dsa-tests - $(use_enable nls) - --disable-static - $(use_with !gnutls openssl) - $(use_with gnutls) - $(use_with libproxy) - $(use_with lz4) - $(use_with gssapi) - $(use_with pskc libpskc) - $(use_with smartcard libpcsclite) - $(use_with stoken) - --with-vpnc-script="${EPREFIX}/etc/vpnc/vpnc-script" - --without-java - ) - - econf "${myconf[@]}" -} - -src_test() { - local charset - for charset in UTF-8 ISO-8859-2; do - if [[ $(LC_ALL=cs_CZ.${charset} locale charmap 2>/dev/null) != ${charset} ]]; then - # If we don't have valid cs_CZ locale data, auth-nonascii will fail. - # Force a test skip by exiting with status 77. - sed -i -e '2i exit 77' tests/auth-nonascii || die - break - fi - done - default -} - -src_install() { - default - find "${ED}" -name '*.la' -delete || die - - dodoc "${FILESDIR}"/README.OpenRC - - newconfd "${FILESDIR}"/openconnect.confd openconnect - newinitd "${FILESDIR}"/openconnect.initd openconnect - - insinto /etc/logrotate.d - newins "${FILESDIR}"/openconnect.logrotate openconnect - - keepdir /var/log/openconnect -}
