From dd37e45548b2fdb93daca7db7bcb8bb0687e2938 Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Jul 11 2016 15:27:26 +0000
Subject: Update to 7.07
---
diff --git a/.gitignore b/.gitignore
index a780504..2cb5fba 100644
--- a/.gitignore
+++ b/.gitignore
@@ -43,3 +43,5 @@ openconnect-2.25.tar.gz
 /openconnect-7.06.tar.gz.asc
 /pubring.gpg
 /gpgkey-BE07D9FD54809AB2C4B0FF5F63762CDA67E2F359.gpg
+/openconnect-7.07.tar.gz
+/openconnect-7.07.tar.gz.asc
diff --git a/fix-ipv6-only.patch b/fix-ipv6-only.patch
deleted file mode 100644
index fedef47..0000000
--- a/fix-ipv6-only.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 430f8bcab5c0e10881f7dcdc07a15803ebf31607 Mon Sep 17 00:00:00 2001
-From: David Woodhouse
-Date: Thu, 26 Nov 2015 08:02:34 +0000
-Subject: [PATCH] Fix IPv6-only connectivity
-
-Commit a5dd38ec8 ("Assign Address-IP6 field to netmask instead of address")
-broke IPv6-only configurations, because we only check for ip_info.addr
-and ip_info.addr6 being NULL. We need to allow the connection to continue
-when ip_info.netmask6 is non-NULL too.
-
-Reported-by: Dennis Gilmore
-Signed-off-by: David Woodhouse
----
- cstp.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/cstp.c b/cstp.c
-index 4aad2c1..b9408c7 100644
---- a/cstp.c
-+++ b/cstp.c
-@@ -494,7 +494,8 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
- }
- vpninfo->ip_info.mtu = mtu;
-
-- if (!vpninfo->ip_info.addr && !vpninfo->ip_info.addr6) {
-+ if (!vpninfo->ip_info.addr && !vpninfo->ip_info.addr6 &&
-+ !vpninfo->ip_info.netmask6) {
- vpn_progress(vpninfo, PRG_ERR,
- _("No IP address received. Aborting\n"));
- return -EINVAL;
---
-1.9.3
-
diff --git a/openconnect-7.05-ensure-dtls-ciphers-match-the-allowed.patch b/openconnect-7.05-ensure-dtls-ciphers-match-the-allowed.patch
deleted file mode 100644
index b7d6088..0000000
--- a/openconnect-7.05-ensure-dtls-ciphers-match-the-allowed.patch
+++ /dev/null
@@ -1,200 +0,0 @@
-From 4892c7a53bb0adec98c4540a0b127b209625f82a Mon Sep 17 00:00:00 2001
-From: Nikos Mavrogiannopoulos
-Date: Wed, 4 Mar 2015 10:29:06 +0100
-Subject: [PATCH 2/2] when using gnutls enable only the DTLS ciphersuites that
- were available during TLS
-
-Signed-off-by: Nikos Mavrogiannopoulos
----
- cstp.c | 3 ++
- dtls.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++----
- gnutls.c | 7 ++---
- openconnect-internal.h | 2 ++
- 4 files changed, 81 insertions(+), 10 deletions(-)
-
-diff --git a/cstp.c b/cstp.c
-index d0d7eff..a06ca34 100644
---- a/cstp.c
-+++ b/cstp.c
-@@ -202,6 +202,9 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
- vpninfo->ip_info.domain = vpninfo->ip_info.proxy_pac = NULL;
- vpninfo->banner = NULL;
-
-+ if (!vpninfo->dtls_ciphers)
-+ vpninfo->dtls_ciphers = dtls_ciphers_from_conn(vpninfo);
-+
- for (i = 0; i < 3; i++)
- vpninfo->ip_info.dns[i] = vpninfo->ip_info.nbns[i] = NULL;
- free_split_routes(vpninfo);
-diff --git a/dtls.c b/dtls.c
-index abffbf1..6ac537d 100644
---- a/dtls.c
-+++ b/dtls.c
-@@ -222,6 +222,11 @@ static SSL_SESSION *generate_dtls_session(struct openconnect_info *vpninfo,
- }
- #endif
-
-+char *dtls_ciphers_from_conn(struct openconnect_info *vpninfo)
-+{
-+ return NULL;
-+}
-+
- static int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
- {
- STACK_OF(SSL_CIPHER) *ciphers;
-@@ -438,27 +443,89 @@ void dtls_shutdown(struct openconnect_info *vpninfo)
- #include
- #include "gnutls.h"
-
-+#define SSTR(x) x,sizeof(x)
- struct {
- const char *name;
-+ unsigned name_len;
- gnutls_protocol_t version;
- gnutls_cipher_algorithm_t cipher;
- gnutls_mac_algorithm_t mac;
- const char *prio;
-+ unsigned disabled;
- } gnutls_dtls_ciphers[] = {
-- { "AES128-SHA", GNUTLS_DTLS0_9, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_MAC_SHA1,
-+ { SSTR("AES128-SHA"), GNUTLS_DTLS0_9, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_MAC_SHA1,
- "NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-128-CBC:+SHA1:+RSA:%COMPAT" },
-- { "AES256-SHA", GNUTLS_DTLS0_9, GNUTLS_CIPHER_AES_256_CBC, GNUTLS_MAC_SHA1,
-+ { SSTR("AES256-SHA"), GNUTLS_DTLS0_9, GNUTLS_CIPHER_AES_256_CBC, GNUTLS_MAC_SHA1,
- "NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-256-CBC:+SHA1:+RSA:%COMPAT" },
-- { "DES-CBC3-SHA", GNUTLS_DTLS0_9, GNUTLS_CIPHER_3DES_CBC, GNUTLS_MAC_SHA1,
-+ { SSTR("DES-CBC3-SHA"), GNUTLS_DTLS0_9, GNUTLS_CIPHER_3DES_CBC, GNUTLS_MAC_SHA1,
- "NONE:+VERS-DTLS0.9:+COMP-NULL:+3DES-CBC:+SHA1:+RSA:%COMPAT" },
- #if GNUTLS_VERSION_NUMBER >= 0x030207 /* if DTLS 1.2 is supported (and a bug in gnutls is solved) */
-- { "OC-DTLS1_2-AES128-GCM", GNUTLS_DTLS1_2, GNUTLS_CIPHER_AES_128_GCM, GNUTLS_MAC_AEAD,
-+ { SSTR("OC-DTLS1_2-AES128-GCM"), GNUTLS_DTLS1_2, GNUTLS_CIPHER_AES_128_GCM, GNUTLS_MAC_AEAD,
- "NONE:+VERS-DTLS1.2:+COMP-NULL:+AES-128-GCM:+AEAD:+RSA:%COMPAT:+SIGN-ALL" },
-- { "OC-DTLS1_2-AES256-GCM", GNUTLS_DTLS1_2, GNUTLS_CIPHER_AES_256_GCM, GNUTLS_MAC_AEAD,
-+ { SSTR("OC-DTLS1_2-AES256-GCM"), GNUTLS_DTLS1_2, GNUTLS_CIPHER_AES_256_GCM, GNUTLS_MAC_AEAD,
- "NONE:+VERS-DTLS1.2:+COMP-NULL:+AES-256-GCM:+AEAD:+RSA:%COMPAT:+SIGN-ALL" },
- #endif
- };
-
-+char *dtls_ciphers_from_conn(struct openconnect_info *vpninfo)
-+{
-+ /* only enable the ciphers that would have been negotiated in the TLS channel */
-+ unsigned i, j;
-+ int ret;
-+ unsigned idx;
-+ gnutls_cipher_algorithm_t cipher;
-+ gnutls_mac_algorithm_t mac;
-+ struct oc_text_buf *buf;
-+ gnutls_priority_t cache;
-+ char *p;
-+
-+ /* everything is disabled by default */
-+ for (i = 0; i < sizeof(gnutls_dtls_ciphers)/sizeof(gnutls_dtls_ciphers[0]); i++) {
-+ gnutls_dtls_ciphers[i].disabled = 1;
-+ }
-+
-+ ret = gnutls_priority_init(&cache, vpninfo->gnutls_default_prio, NULL);
-+ if (ret < 0)
-+ return NULL;
-+
-+ for (j=0;;j++) {
-+ ret = gnutls_priority_get_cipher_suite_index(cache, j, &idx);
-+ if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE)
-+ continue;
-+ else if (ret < 0)
-+ break;
-+
-+ if (gnutls_cipher_suite_info(idx, NULL, NULL, &cipher, &mac, NULL) != NULL) {
-+ for (i = 0; i < sizeof(gnutls_dtls_ciphers)/sizeof(gnutls_dtls_ciphers[0]); i++) {
-+ if (gnutls_dtls_ciphers[i].mac == mac && gnutls_dtls_ciphers[i].cipher == cipher) {
-+ gnutls_dtls_ciphers[i].disabled = 0;
-+ break;
-+ }
-+ }
-+ }
-+ }
-+
-+ buf = buf_alloc();
-+
-+ for (i = 0; i < sizeof(gnutls_dtls_ciphers)/sizeof(gnutls_dtls_ciphers[0]); i++) {
-+ if (!gnutls_dtls_ciphers[i].disabled) {
-+ if (buf->buf_len == 0) {
-+ buf_append(buf, "%s", gnutls_dtls_ciphers[i].name);
-+ } else {
-+ buf_append(buf, ":%s", gnutls_dtls_ciphers[i].name);
-+ }
-+ }
-+ }
-+
-+ /* steal buffer */
-+ p = buf->data;
-+ buf->data = NULL;
-+
-+ buf_free(buf);
-+ gnutls_priority_deinit(cache);
-+ return p;
-+}
-+
- #define DTLS_SEND gnutls_record_send
- #define DTLS_RECV gnutls_record_recv
- #define DTLS_FREE gnutls_deinit
-@@ -470,7 +537,7 @@ static int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
- int cipher;
-
- for (cipher = 0; cipher < sizeof(gnutls_dtls_ciphers)/sizeof(gnutls_dtls_ciphers[0]); cipher++) {
-- if (!strcmp(vpninfo->dtls_cipher, gnutls_dtls_ciphers[cipher].name))
-+ if (!strcmp(vpninfo->dtls_cipher, gnutls_dtls_ciphers[cipher].name) && !gnutls_dtls_ciphers[cipher].disabled)
- goto found_cipher;
- }
- vpn_progress(vpninfo, PRG_ERR, _("Unknown DTLS parameters for requested CipherSuite '%s'\n"),
-diff --git a/gnutls.c b/gnutls.c
-index 34119da..e121842 100644
---- a/gnutls.c
-+++ b/gnutls.c
-@@ -2070,7 +2070,6 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
- {
- int ssl_sock = -1;
- int err;
-- const char * prio;
-
- if (vpninfo->https_sess)
- return 0;
-@@ -2196,13 +2195,13 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
- strlen(vpninfo->hostname));
-
- if (vpninfo->pfs) {
-- prio = DEFAULT_PRIO":-RSA";
-+ vpninfo->gnutls_default_prio = DEFAULT_PRIO":-RSA";
- } else {
-- prio = DEFAULT_PRIO;
-+ vpninfo->gnutls_default_prio = DEFAULT_PRIO;
- }
-
- err = gnutls_priority_set_direct(vpninfo->https_sess,
-- prio, NULL);
-+ vpninfo->gnutls_default_prio, NULL);
- if (err) {
- vpn_progress(vpninfo, PRG_ERR,
- _("Failed to set TLS priority string: %s\n"),
-diff --git a/openconnect-internal.h b/openconnect-internal.h
-index 04cb226..7b7161c 100644
---- a/openconnect-internal.h
-+++ b/openconnect-internal.h
-@@ -469,6 +469,7 @@ struct openconnect_info {
- gnutls_session_t https_sess;
- gnutls_certificate_credentials_t https_cred;
- char local_cert_md5[MD5_SIZE * 2 + 1]; /* For CSD */
-+ const char *gnutls_default_prio;
- #ifdef HAVE_TROUSERS
- TSS_HCONTEXT tpm_context;
- TSS_HKEY srk;
-@@ -765,6 +766,7 @@ int dtls_setup(struct openconnect_info *vpninfo, int dtls_attempt_period);
- int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout);
- void dtls_close(struct openconnect_info *vpninfo);
- void dtls_shutdown(struct openconnect_info *vpninfo);
-+char *dtls_ciphers_from_conn(struct openconnect_info *vpninfo);
-
- /* cstp.c */
- void cstp_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
---
-2.1.0
-
diff --git a/openconnect-7.05-override-default-prio-string.patch b/openconnect-7.05-override-default-prio-string.patch
deleted file mode 100644
index 2e5c906..0000000
--- a/openconnect-7.05-override-default-prio-string.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From db955eceff87ecc7994348c952029ae012fc5b6a Mon Sep 17 00:00:00 2001
-From: Nikos Mavrogiannopoulos
-Date: Tue, 3 Mar 2015 16:57:51 +0100
-Subject: [PATCH 1/2] Allow overriding the default GnuTLS priority string
-
-Signed-off-by: Nikos Mavrogiannopoulos
----
- configure.ac | 9 +++++++++
- gnutls.c | 18 ++++++++++--------
- 2 files changed, 19 insertions(+), 8 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index e5b5e80..ddb5c48 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -417,6 +417,15 @@ if test "$with_gnutls" = "yes"; then
- LIBS="$oldlibs"
- CFLAGS="$oldcflags"
- fi
-+
-+AC_ARG_WITH([default-gnutls-priority],
-+ AS_HELP_STRING([--with-default-gnutls-priority=STRING],
-+ [Provide a default string as GnuTLS priority string]),
-+ default_gnutls_priority=$withval)
-+if test -n "$default_gnutls_priority"; then
-+ AC_DEFINE_UNQUOTED([DEFAULT_PRIO], ["$default_gnutls_priority"], [The GnuTLS priority string])
-+fi
-+
- if test "$with_openssl" = "yes" || test "$with_openssl" = "" || test "$ssl_library" = "both"; then
- PKG_CHECK_MODULES(OPENSSL, openssl, [],
- [oldLIBS="$LIBS"
-diff --git a/gnutls.c b/gnutls.c
-index 3f79a22..34119da 100644
---- a/gnutls.c
-+++ b/gnutls.c
-@@ -2052,15 +2052,17 @@ static int verify_peer(gnutls_session_t session)
- * >= 3.2.9 as there the %COMPAT keyword ensures that the client hello
- * will be outside that range.
- */ --#if GNUTLS_VERSION_NUMBER >= 0x030209 --# define DEFAULT_PRIO "NORMAL:-VERS-SSL3.0:%COMPAT" --#else --# define _DEFAULT_PRIO "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \ -+#ifndef DEFAULT_PRIO -+# if GNUTLS_VERSION_NUMBER >= 0x030209 -+# define DEFAULT_PRIO "NORMAL:-VERS-SSL3.0:%COMPAT" -+# else -+# define _DEFAULT_PRIO "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \ - "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION" --# if GNUTLS_VERSION_MAJOR >= 3 --# define DEFAULT_PRIO _DEFAULT_PRIO":-CURVE-ALL:-ECDHE-RSA:-ECDHE-ECDSA" --#else --# define DEFAULT_PRIO _DEFAULT_PRIO -+# if GNUTLS_VERSION_MAJOR >= 3 -+# define DEFAULT_PRIO _DEFAULT_PRIO":-CURVE-ALL:-ECDHE-RSA:-ECDHE-ECDSA" -+# else -+# define DEFAULT_PRIO _DEFAULT_PRIO -+# endif - # endif - #endif - --- -2.1.0 - diff --git a/openconnect.spec b/openconnect.spec index 79fed49..482def0 100644 --- a/openconnect.spec +++ b/openconnect.spec @@ -20,8 +20,8 @@ %endif Name: openconnect -Version: 7.06 -Release: 7%{?relsuffix}%{?dist} +Version: 7.07 +Release: 1%{?relsuffix}%{?dist} Summary: Open client for Cisco AnyConnect VPN Group: Applications/Internet @@ -33,14 +33,11 @@ Source1: ftp://ftp.infradead.org/pub/openconnect/openconnect-%{version}%{?gitsuf %endif Source2: gpgkey-BE07D9FD54809AB2C4B0FF5F63762CDA67E2F359.gpg -Patch1: openconnect-7.05-override-default-prio-string.patch -Patch2: openconnect-7.05-ensure-dtls-ciphers-match-the-allowed.patch -Patch3: fix-ipv6-only.patch - BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -BuildRequires: pkgconfig(openssl) pkgconfig(libxml-2.0) gnupg2 +BuildRequires: pkgconfig(libxml-2.0) pkgconfig(libpcsclite) gnupg2 BuildRequires: autoconf automake libtool python gettext pkgconfig(liblz4) +BuildRequires: pkgconfig(uid_wrapper) pkgconfig(socket_wrapper) %if 0%{?fedora} || 0%{?rhel} >= 7 Obsoletes: openconnect-lib-compat%{?_isa} < %{version}-%{release} Requires: vpnc-script 
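Review bot: With `Patch1` and `Patch2` dropped in this hunk (and their `%patch` lines in the `@@ -83,12 +82,7 @@` hunk), the unchanged `--with-default-gnutls-priority="@SYSTEM"` argument to `%configure` only takes effect if the 7.07 tarball itself provides that option, which nothing on this page confirms. An autoconf-generated configure script by default only warns about an unknown `--with-*` argument, so a missing option would not fail the build. The package would then silently use the built-in priority string instead of the system crypto policy, and the DTLS cipher filtering from the second patch would be lost the same way. I would enforce the assumption in `%prep`, right after `%setup`, with `grep -q default-gnutls-priority configure`, plus a comment such as `# priority override and DTLS cipher filtering are expected upstream as of 7.07`.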
@@ -49,7 +46,9 @@ Requires: vpnc %endif %if %{use_gnutls} -BuildRequires: pkgconfig(gnutls) trousers-devel pkgconfig(libpcsclite) +BuildRequires: pkgconfig(gnutls) trousers-devel +%else +BuildRequires: pkgconfig(openssl) pkgconfig(libp11) pkgconfig(p11-kit-1) %endif %if %{use_libproxy} BuildRequires: pkgconfig(libproxy-1.0) @@ -83,12 +82,7 @@ gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} %setup -q -n openconnect-%{version}%{?gitsuffix} -%patch1 -p1 -b .prio -%patch2 -p1 -b .ciphers -%patch3 -p1 -b .ipv6 - %build -autoreconf -fvi %configure --with-vpnc-script=/etc/vpnc/vpnc-script \ --with-default-gnutls-priority="@SYSTEM" \ %if !%{use_gnutls} @@ -104,6 +98,9 @@ rm -rf $RPM_BUILD_ROOT rm -f $RPM_BUILD_ROOT/%{_libdir}/libopenconnect.la %find_lang %{name} +%check +make check + %clean rm -rf $RPM_BUILD_ROOT @@ -126,6 +123,10 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/pkgconfig/openconnect.pc %changelog +* Mon Jul 11 2016 David Woodhouse - 7.07-1 +- Update to 7.07 release +- Enable PKCS#11 and Yubikey OATH support for OpenSSL (i.e. EL6) build + * Tue Mar 22 2016 David Woodhouse - 7.06-7 - Switch to using GPGv2 for signature check diff --git a/sources b/sources index fd37447..89f3573 100644 --- a/sources +++ b/sources @@ -1,3 +1,2 @@ -80f397911e1fed43d897d99be3d5f1a1 openconnect-7.06.tar.gz -ef7bb028ca55bb5e0794134ceb277efc openconnect-7.06.tar.gz.asc -2b85959af07ca0e8466853443fd7d766 gpgkey-BE07D9FD54809AB2C4B0FF5F63762CDA67E2F359.gpg +582692c4bd8c157daadfcc89d6680cb8 openconnect-7.07.tar.gz +36043109d9c050e5f12e42c2c8ddf1b6 openconnect-7.07.tar.gz.asc
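Review bot: The `gpgkey-BE07D9FD54809AB2C4B0FF5F63762CDA67E2F359.gpg` entry is removed from `sources` in the last hunk, but the spec still declares that file as `Source2` and uses it as the keyring in `gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}`. The commit does not add the key file to the repository, and `.gitignore` still lists it. Unless the key is already tracked in git, which this page does not show, the tarball signature check in `%prep` no longer has a pinned keyring to verify against. I would keep the line `2b85959af07ca0e8466853443fd7d766 gpgkey-BE07D9FD54809AB2C4B0FF5F63762CDA67E2F359.gpg` in `sources`, or commit the key file and remove its `.gitignore` entry in the same change.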