Compare commits


No commits in common. 'i10ce' and 'f38' have entirely different histories.
i10ce ... f38

84
.gitignore vendored

@ -1 +1,83 @@
SOURCES/openconnect-9.12.tar.gz
openconnect-2.25.tar.gz
/openconnect-2.26.tar.gz
/openconnect-3.00.tar.gz
/openconnect-3.01.tar.gz
/openconnect-3.02.tar.gz
/openconnect-3.10.tar.gz
/openconnect-3.11.tar.gz
/openconnect-3.12.tar.gz
/openconnect-3.13.tar.gz
/openconnect-3.14.tar.gz
/openconnect-3.15.tar.gz
/openconnect-3.16.tar.gz
/openconnect-3.17.tar.gz
/openconnect-3.18.tar.gz
/openconnect-3.19.tar.gz
/openconnect-3.20.tar.gz
/openconnect-3.99.tar.gz
/openconnect-3.99-26-gb40dcae.tar.gz
/openconnect-3.99-33-g2d08bf0.tar.gz
/openconnect-3.99-36-gb0f2edb.tar.gz
/openconnect-4.00.tar.gz
/openconnect-4.01.tar.gz
/openconnect-4.02.tar.gz
/openconnect-4.03.tar.gz
/openconnect-4.04.tar.gz
/openconnect-4.05.tar.gz
/openconnect-4.06.tar.gz
/openconnect-4.07.tar.gz
/openconnect-4.99.tar.gz
/openconnect-5.00.tar.gz
/openconnect-5.01.tar.gz
/openconnect-5.02.tar.gz
/openconnect-5.99.tar.gz
/openconnect-6.00.tar.gz
/openconnect-7.00.tar.gz
/openconnect-7.00.tar.gz.asc
/openconnect-7.01.tar.gz
/openconnect-7.02.tar.gz
/openconnect-7.03.tar.gz
/openconnect-7.04.tar.gz
/openconnect-7.05.tar.gz
/openconnect-7.06.tar.gz
/openconnect-7.06.tar.gz.asc
/pubring.gpg
/gpgkey-BE07D9FD54809AB2C4B0FF5F63762CDA67E2F359.gpg
/openconnect-7.07.tar.gz
/openconnect-7.07.tar.gz.asc
/openconnect-7.08.tar.gz
/openconnect-7.08.tar.gz.asc
/openconnect-8.00.tar.gz
/openconnect-8.00.tar.gz.asc
/openconnect-8.01.tar.gz
/openconnect-8.01.tar.gz.asc
/openconnect-8.02.tar.gz
/openconnect-8.02.tar.gz.asc
/openconnect-8.03.tar.gz
/openconnect-8.03.tar.gz.asc
/openconnect-8.04.tar.gz
/openconnect-8.04.tar.gz.asc
/openconnect-8.05.tar.gz
/openconnect-8.05.tar.gz.asc
/openconnect-8.06.tar.gz
/openconnect-8.06.tar.gz.asc
/openconnect-8.07.tar.gz
/openconnect-8.07.tar.gz.asc
/openconnect-8.08.tar.gz
/openconnect-8.08.tar.gz.asc
/openconnect-8.09.tar.gz
/openconnect-8.09.tar.gz.asc
/openconnect-8.10.tar.gz
/openconnect-8.10.tar.gz.asc
/openconnect-8.20.tar.gz
/openconnect-8.20.tar.gz.asc
/openconnect-9.00.tar.gz
/openconnect-9.00.tar.gz.asc
/openconnect-9.01.tar.gz
/openconnect-9.01.tar.gz.asc
/openconnect-9.10.tar.gz
/openconnect-9.10.tar.gz.asc
/openconnect-9.11.tar.gz
/openconnect-9.11.tar.gz.asc
/openconnect-9.12.tar.gz
/openconnect-9.12.tar.gz.asc

@ -1 +0,0 @@
1fa47eb23fa6fd41b3b7b88b9079a92285add7d8 SOURCES/openconnect-9.12.tar.gz

@ -0,0 +1,65 @@
From 4ff991c46e6b202cabd623eeffa5ae1af1ba5c8e Mon Sep 17 00:00:00 2001
From: David Woodhouse <dwmw2@infradead.org>
Date: Fri, 23 Apr 2021 10:40:44 +0100
Subject: [PATCH 1/2] Ignore errors fetching NC landing page if auth was
successful
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
(cherry picked from commit 3e77943692b511719d9217d2ecc43588b7c6c08b)
---
auth-juniper.c | 18 +++++++++++-------
www/changelog.xml | 2 +-
2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/auth-juniper.c b/auth-juniper.c
index 19d43978..63af3bfc 100644
--- a/auth-juniper.c
+++ b/auth-juniper.c
@@ -663,6 +663,17 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo)
ret = do_https_request(vpninfo, "GET", NULL, NULL,
&form_buf, 2);
+ /* After login, the server will redirect the "browser" to a landing page.
+ * https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784
+ * turned some of those landing pages into a 403 but we don't *care*
+ * about that as long as we have the cookie we wanted. So check for
+ * cookie success *before* checking 'ret'. */
+ if (!check_cookie_success(vpninfo)) {
+ free(form_buf);
+ ret = 0;
+ break;
+ }
+
if (ret < 0)
break;
@@ -680,13 +691,6 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo)
break;
}
- if (!check_cookie_success(vpninfo)) {
- buf_free(url);
- free(form_buf);
- ret = 0;
- break;
- }
-
doc = htmlReadMemory(form_buf, ret, url->data, NULL,
HTML_PARSE_RECOVER|HTML_PARSE_NOERROR|HTML_PARSE_NOWARNING|HTML_PARSE_NONET);
buf_free(url);
diff --git a/www/changelog.xml b/www/changelog.xml
index bca5c8e2..1a05eda7 100644
--- a/www/changelog.xml
+++ b/www/changelog.xml
@@ -15,7 +15,7 @@
<ul>
<li><b>OpenConnect HEAD</b>
<ul>
- <li><i>No changelog entries yet</i></li>
+ <li>Ignore failures to fetch the NC landing page if the authentication was successful.</li>
</ul><br/>
</li>
<li><b><a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.10.tar.gz">OpenConnect v8.10</a></b>
--
2.31.1
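Review bot: In the first auth-juniper.c hunk of this patch, the early-success branch now runs before `ret` is checked, so `free(form_buf)` is also reached when do_https_request() has failed. That is only safe if form_buf is NULL or still owned by the caller on every error return, which these lines do not show; `free(form_buf); form_buf = NULL;` in the branch would guard against a later second free. The branch also overwrites a negative `ret` with 0 without any trace, so a debug-level log of the ignored error just before `ret = 0;` would keep a failed landing-page fetch visible in diagnostics. Since success is now decided by check_cookie_success() alone, regardless of the HTTP result, a comment stating that it must only accept a cookie issued during this login exchange would record the assumption the reordering relies on. oncp_obtain_cookie() begins and ends outside both hunks.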

@ -0,0 +1,134 @@
From cc4658504b21eb87f9fa6bf7c1e42b83b6f64aaa Mon Sep 17 00:00:00 2001
From: David Woodhouse <dwmw2@infradead.org>
Date: Sat, 12 Jun 2021 08:50:09 +0100
Subject: [PATCH 2/2] Unconditionally bypass system crypto policy
This makes me extremely sad, but they rolled it out with *no* way to
selectively allow the user to say "connect anyway", as we've always had
for "invalid" certificates, etc.
It's just unworkable and incomplete as currently implemented in the
distributions, so we have no choice except to bypass it and wait for
it to be fixed.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
(cherry picked from commit 7e862f2f0352409357fa7a4762481fde49909eb8
and commit d29822cf30293d5f8b039baf3306eed2769fa0b5)
---
configure.ac | 3 +++
libopenconnect.map.in | 2 +-
main.c | 23 +++++++++++++++++++++++
openconnect-internal.h | 9 +++++++++
www/changelog.xml | 1 +
5 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 8b1b540f..3ea5e9cc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -26,6 +26,7 @@ symver_getline=
symver_asprintf=
symver_vasprintf=
symver_win32_strerror=
+symver_win32_setenv=
case $host_os in
*linux* | *gnu* | *nacl*)
@@ -54,6 +55,7 @@ case $host_os in
# For asprintf()
AC_DEFINE(_GNU_SOURCE, 1, [_GNU_SOURCE])
symver_win32_strerror="openconnect__win32_strerror;"
+ symver_win32_setenv="openconnect__win32_setenv;"
# Win32 does have the SCard API
system_pcsc_libs="-lwinscard"
system_pcsc_cflags=
@@ -156,6 +158,7 @@ AC_SUBST(SYMVER_GETLINE, $symver_getline)
AC_SUBST(SYMVER_ASPRINTF, $symver_asprintf)
AC_SUBST(SYMVER_VASPRINTF, $symver_vasprintf)
AC_SUBST(SYMVER_WIN32_STRERROR, $symver_win32_strerror)
+AC_SUBST(SYMVER_WIN32_SETENV, $symver_win32_setenv)
AS_COMPILER_FLAGS(WFLAGS,
"-Wall
diff --git a/libopenconnect.map.in b/libopenconnect.map.in
index 5b4bc5d7..1039aacf 100644
--- a/libopenconnect.map.in
+++ b/libopenconnect.map.in
@@ -109,7 +109,7 @@ OPENCONNECT_5_6 {
} OPENCONNECT_5_5;
OPENCONNECT_PRIVATE {
- global: @SYMVER_TIME@ @SYMVER_GETLINE@ @SYMVER_JAVA@ @SYMVER_ASPRINTF@ @SYMVER_VASPRINTF@ @SYMVER_WIN32_STRERROR@
+ global: @SYMVER_TIME@ @SYMVER_GETLINE@ @SYMVER_JAVA@ @SYMVER_ASPRINTF@ @SYMVER_VASPRINTF@ @SYMVER_WIN32_STRERROR@ @SYMVER_WIN32_SETENV@
openconnect_get_tls_library_version;
openconnect_fopen_utf8;
openconnect_open_utf8;
diff --git a/main.c b/main.c
index cc3dd91e..129755a1 100644
--- a/main.c
+++ b/main.c
@@ -1436,6 +1436,29 @@ int main(int argc, char **argv)
openconnect_binary_version, openconnect_version_str);
}
+ /* Some systems have a crypto policy which completely prevents DTLSv1.0
+ * from being used, which is entirely pointless and will just drive
+ * users back to the crappy proprietary clients. Or drive OpenConnect
+ * to implement its own DTLS instead of using the system crypto libs.
+ * We're happy to conform by default to the system policy which is
+ * carefully curated to keep up to date with developments in crypto
+ * attacks — but we also *need* to be able to override it and connect
+ * anyway, when the user asks us to. Just as we *can* continue even
+ * when the server has an invalid certificate, based on user input.
+ * It was a massive oversight that GnuTLS implemented the system
+ * policy *without* that basic override facility, so until/unless
+ * it actually gets implemented properly we have to just disable it.
+ * We can't do this from openconnect_init_ssl() since that would be
+ * calling setenv() from a library in someone else's process. And
+ * thankfully we don't really need to since the auth-dialogs don't
+ * care; this is mostly for the DTLS connection.
+ */
+#ifdef OPENCONNECT_GNUTLS
+ setenv("GNUTLS_SYSTEM_PRIORITY_FILE", DEVNULL, 0);
+#else
+ setenv("OPENSSL_CONF", DEVNULL, 0);
+#endif
+
openconnect_init_ssl();
vpninfo = openconnect_vpninfo_new((char *)"Open AnyConnect VPN Agent",
diff --git a/openconnect-internal.h b/openconnect-internal.h
index 92edf763..9eb274c2 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -41,6 +41,15 @@
#include "openconnect.h"
+/* Equivalent of "/dev/null" on Windows.
+ * See https://stackoverflow.com/a/44163934
+ */
+#ifdef _WIN32
+#define DEVNULL "NUL:"
+#else
+#define DEVNULL "/dev/null"
+#endif
+
#if defined(OPENCONNECT_OPENSSL)
#include <openssl/ssl.h>
#include <openssl/err.h>
diff --git a/www/changelog.xml b/www/changelog.xml
index 1a05eda7..ca90413f 100644
--- a/www/changelog.xml
+++ b/www/changelog.xml
@@ -16,6 +16,7 @@
<li><b>OpenConnect HEAD</b>
<ul>
<li>Ignore failures to fetch the NC landing page if the authentication was successful.</li>
+ <li>Disable brittle "system policy" enforcement where it cannot be gracefully overridden at user request. <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1960763"><i>(RH#1960763)</i></a>.</li>
</ul><br/>
</li>
<li><b><a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.10.tar.gz">OpenConnect v8.10</a></b>
--
2.31.1
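Review bot: The two `setenv()` calls added before `openconnect_init_ssl()` in the main.c hunk switch off the system crypto policy for every TLS session the process opens, including the HTTPS authentication exchange, although the comment says the need is mostly DTLS. They do this silently and ignore the return value. Consider gating the bypass on an explicit user option, checking the result, and printing a notice when the policy is overridden, so the downgrade is visible to the user and in logs. The third argument `0` means a value already in the environment is kept, which is worth stating next to the calls, e.g. `/* overwrite=0: an existing GNUTLS_SYSTEM_PRIORITY_FILE / OPENSSL_CONF set by the administrator still wins */`. In the OpenSSL build, pointing OPENSSL_CONF at DEVNULL presumably also drops any engine or provider configuration from the system file, so that side effect should be confirmed and documented; main() continues outside the hunk.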

@ -1,174 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1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=8HB8
-----END PGP PUBLIC KEY BLOCK-----

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=uYim
-----END PGP SIGNATURE-----

@ -1,10 +1,30 @@
# % define gitcount 227
# % define gitrev a03e4bf
%if 0%{?gitcount} > 0
%define gitsuffix -%{gitcount}-g%{gitrev}
%define relsuffix .git%{gitcount}_%{gitrev}
%endif
# RHEL6 still has ancient GnuTLS
%define use_gnutls 0%{?fedora} || 0%{?rhel} >= 7
# RHEL5 has no libproxy, and no %%make_install macro
%if 0%{?rhel} && 0%{?rhel} <= 5
%define use_libproxy 0
%define make_install %{__make} install DESTDIR=%{?buildroot}
%define use_tokens 0
%else
%define use_libproxy 1
%define use_tokens 1
%endif
# RHEL8 does not have libpskc, softhsm, ocserv yet
%if 0%{?rhel} && 0%{?rhel} == 8
%define use_tokens 0
%define use_ocserv 0
%define use_softhsm 0
%else
%define use_tokens 1
%define use_ocserv 1
%define use_softhsm 1
%endif
@ -20,34 +40,46 @@
Name: openconnect
Version: 9.12
Release: 6%{?relsuffix}%{?dist}
Release: 1%{?relsuffix}%{?dist}
Summary: Open multi-protocol SSL VPN client
License: LGPL-2.1-or-later
License: LGPLv2+
URL: http://www.infradead.org/openconnect.html
Source0: https://ftp.infradead.org/pub/openconnect/openconnect-%{version}.tar.gz
Source1: https://ftp.infradead.org/pub/openconnect/openconnect-%{version}.tar.gz.asc
Source0: ftp://ftp.infradead.org/pub/openconnect/openconnect-%{version}%{?gitsuffix}.tar.gz
%if 0%{?gitcount} == 0
Source1: ftp://ftp.infradead.org/pub/openconnect/openconnect-%{version}%{?gitsuffix}.tar.gz.asc
%endif
Source2: gpgkey-BE07D9FD54809AB2C4B0FF5F63762CDA67E2F359.asc
BuildRequires: make xdg-utils
BuildRequires: make xdg-utils
BuildRequires: pkgconfig(libxml-2.0) pkgconfig(libpcsclite) krb5-devel gnupg2
BuildRequires: autoconf automake libtool gettext pkgconfig(liblz4)
BuildRequires: pkgconfig(uid_wrapper) pkgconfig(socket_wrapper)
%if %{use_softhsm}
BuildRequires: softhsm
%endif
%if 0%{?fedora} || 0%{?rhel} >= 7
Obsoletes: openconnect-lib-compat < %{version}-%{release}
Requires: vpnc-script
%else
Requires: vpnc
%endif
%if 0%{?fedora} >= 30 || 0%{?rhel} >= 9
BuildRequires: glibc-langpack-cs
%endif
BuildRequires: pkgconfig(libproxy-1.0)
BuildRequires: pkgconfig(gnutls)
# Anywhere we use GnuTLS, there should be an ocserv package too
%if %{use_gnutls}
BuildRequires: pkgconfig(gnutls) trousers-devel
# Anywhere we use GnuTLS ,there should be an ocserv package too
%if %{use_ocserv}
BuildRequires: ocserv
%endif
%else
BuildRequires: pkgconfig(openssl) pkgconfig(libp11) pkgconfig(p11-kit-1)
%endif
%if %{use_libproxy}
BuildRequires: pkgconfig(libproxy-1.0)
%endif
%if %{use_tokens}
BuildRequires: pkgconfig(stoken) pkgconfig(libpskc)
%endif
@ -64,6 +96,10 @@ Palo Alto Networks GlobalProtect SSL VPN, Array Networks SSL VPN.
%package devel
Summary: Development package for OpenConnect VPN authentication tools
Requires: %{name}%{?_isa} = %{version}-%{release}
# RHEL5 needs these spelled out because it doesn't automatically infer from pkgconfig
%if 0%{?rhel} && 0%{?rhel} <= 5
Requires: openssl-devel zlib-devel
%endif
%description devel
This package provides the core HTTP and authentication support from
@ -71,17 +107,23 @@ the OpenConnect VPN client, to be used by GUI authentication dialogs
for NetworkManager etc.
%prep
%if 0%{?gitcount} == 0
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup -p1
%endif
%autosetup -n openconnect-%{version}%{?gitsuffix} -p1
%build
%configure --with-vpnc-script=/etc/vpnc/vpnc-script \
--disable-dsa-tests \
%if %{use_gnutls}
--with-default-gnutls-priority="@OPENCONNECT,SYSTEM" \
--without-gnutls-version-check \
%else
--with-openssl --without-openssl-version-check \
%endif
--htmldir=%{_pkgdocdir}
%make_build
make %{?_smp_mflags} V=1
%install
@ -93,10 +135,7 @@ rm -f $RPM_BUILD_ROOT/%{_libexecdir}/openconnect/hipreport-android.sh
%find_lang %{name}
%check
%if 0%{?rhel} >= 10
# RSA key exchange disabled in DEFAULT crypto config
make VERBOSE=1 check XFAIL_TESTS="obsolete-server-crypto pfs"
%elif 0%{?fedora} >= 34 || 0%{?rhel} >= 9
%if 0%{?fedora} >= 34 || 0%{?rhel} >= 9
# 3DES and MD5 really are just gone.
make VERBOSE=1 check XFAIL_TESTS=obsolete-server-crypto
%else
@ -106,13 +145,13 @@ make VERBOSE=1 check
%ldconfig_scriptlets
%files -f %{name}.lang
%license COPYING.LGPL
%doc %{_pkgdocdir}
%{_libdir}/libopenconnect.so.5*
%{_sbindir}/openconnect
%{_libexecdir}/openconnect/
%{_mandir}/man8/*
%{_datadir}/bash-completion/completions/openconnect
%doc TODO COPYING.LGPL
%doc %{_pkgdocdir}
%files devel
%{_libdir}/libopenconnect.so
@ -120,24 +159,6 @@ make VERBOSE=1 check
%{_libdir}/pkgconfig/openconnect.pc
%changelog
* Tue Dec 24 2024 Arkady L. Shane <tigro@msvsphere-os.ru> - 9.12-6
- Rebuilt for MSVSphere 10
* Thu Jul 18 2024 Fedora Release Engineering <releng@fedoraproject.org> - 9.12-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Mon Jan 29 2024 Peter Robinson <pbrobinson@fedoraproject.org> - 9.12-5
- Cleanup spec, drop EOL release consditionals
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 9.12-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 9.12-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 9.12-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Sat May 20 2023 David Woodhouse <dwmw2@infradead.org> - 9.12-1
- Update to 9.12 release
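Review bot: Source integrity looks weaker on what appears to be the new side of this spec: `Source0`/`Source1` are fetched over `ftp://`, and both the `Source1` signature and the `%{gpgverify}` step in `%prep` sit inside `%if 0%{?gitcount} == 0`. A release build is still covered by the signature check, but a snapshot build (gitcount > 0) would unpack a tarball retrieved over plaintext with no verification at all. Suggest keeping the HTTPS form already present in this section, `Source0: https://ftp.infradead.org/pub/openconnect/openconnect-%{version}%{?gitsuffix}.tar.gz`, and adding a comment above the conditional such as `# snapshot tarballs are unsigned: verify the checksum in 'sources' out of band`. The old/new side of individual lines is inferred from the hunk counts and the removed changelog entries, since the +/- markers are lost on this page.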

@ -0,0 +1,2 @@
SHA512 (openconnect-9.12.tar.gz) = 5c622e8bdfac3d21b5881660444e5d2b84e9463a99493d42cbfb480c3aa3972076bdeeb618aca02abed68e31dbeadcb66fb1c370e62a20f20cd544753c7ac48e
SHA512 (openconnect-9.12.tar.gz.asc) = ade33209a4c17bbdfd0bea7490588b248c36c4da56a9aec60818ed6c96bc8c3570b1f2ac2685003122a1e52dd9d24e4b678d77e001c752461649114167a7304c