From ff3eee8988814f2da8c74680f89fa73c41941cb5 Mon Sep 17 00:00:00 2001
From: Peter Robinson
Date: Jan 29 2024 12:04:37 +0000
Subject: Cleanup spec, drop EOL release consditionals
---
diff --git a/.gitignore b/.gitignore
index 20d4b71..a352ae2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,83 +1,3 @@
-openconnect-2.25.tar.gz
-/openconnect-2.26.tar.gz
-/openconnect-3.00.tar.gz
-/openconnect-3.01.tar.gz
-/openconnect-3.02.tar.gz
-/openconnect-3.10.tar.gz
-/openconnect-3.11.tar.gz
-/openconnect-3.12.tar.gz
-/openconnect-3.13.tar.gz
-/openconnect-3.14.tar.gz
-/openconnect-3.15.tar.gz
-/openconnect-3.16.tar.gz
-/openconnect-3.17.tar.gz
-/openconnect-3.18.tar.gz
-/openconnect-3.19.tar.gz
-/openconnect-3.20.tar.gz
-/openconnect-3.99.tar.gz
-/openconnect-3.99-26-gb40dcae.tar.gz
-/openconnect-3.99-33-g2d08bf0.tar.gz
-/openconnect-3.99-36-gb0f2edb.tar.gz
-/openconnect-4.00.tar.gz
-/openconnect-4.01.tar.gz
-/openconnect-4.02.tar.gz
-/openconnect-4.03.tar.gz
-/openconnect-4.04.tar.gz
-/openconnect-4.05.tar.gz
-/openconnect-4.06.tar.gz
-/openconnect-4.07.tar.gz
-/openconnect-4.99.tar.gz
-/openconnect-5.00.tar.gz
-/openconnect-5.01.tar.gz
-/openconnect-5.02.tar.gz
-/openconnect-5.99.tar.gz
-/openconnect-6.00.tar.gz
-/openconnect-7.00.tar.gz
-/openconnect-7.00.tar.gz.asc
-/openconnect-7.01.tar.gz
-/openconnect-7.02.tar.gz
-/openconnect-7.03.tar.gz
-/openconnect-7.04.tar.gz
-/openconnect-7.05.tar.gz
-/openconnect-7.06.tar.gz
-/openconnect-7.06.tar.gz.asc
-/pubring.gpg
 /gpgkey-BE07D9FD54809AB2C4B0FF5F63762CDA67E2F359.gpg
-/openconnect-7.07.tar.gz
-/openconnect-7.07.tar.gz.asc
-/openconnect-7.08.tar.gz
-/openconnect-7.08.tar.gz.asc
-/openconnect-8.00.tar.gz
-/openconnect-8.00.tar.gz.asc
-/openconnect-8.01.tar.gz
-/openconnect-8.01.tar.gz.asc
-/openconnect-8.02.tar.gz
-/openconnect-8.02.tar.gz.asc
-/openconnect-8.03.tar.gz
-/openconnect-8.03.tar.gz.asc
-/openconnect-8.04.tar.gz
-/openconnect-8.04.tar.gz.asc
-/openconnect-8.05.tar.gz
-/openconnect-8.05.tar.gz.asc
-/openconnect-8.06.tar.gz
-/openconnect-8.06.tar.gz.asc
-/openconnect-8.07.tar.gz
-/openconnect-8.07.tar.gz.asc
-/openconnect-8.08.tar.gz
-/openconnect-8.08.tar.gz.asc
-/openconnect-8.09.tar.gz
-/openconnect-8.09.tar.gz.asc
-/openconnect-8.10.tar.gz
-/openconnect-8.10.tar.gz.asc
-/openconnect-8.20.tar.gz
-/openconnect-8.20.tar.gz.asc
-/openconnect-9.00.tar.gz
-/openconnect-9.00.tar.gz.asc
-/openconnect-9.01.tar.gz
-/openconnect-9.01.tar.gz.asc
-/openconnect-9.10.tar.gz
-/openconnect-9.10.tar.gz.asc
-/openconnect-9.11.tar.gz
-/openconnect-9.11.tar.gz.asc
-/openconnect-9.12.tar.gz
-/openconnect-9.12.tar.gz.asc
+/openconnect-*.tar.gz
+/openconnect-*.tar.gz.asc
diff --git a/0001-Ignore-errors-fetching-NC-landing-page-if-auth-was-s.patch b/0001-Ignore-errors-fetching-NC-landing-page-if-auth-was-s.patch
deleted file mode 100644
index 6fe452c..0000000
--- a/0001-Ignore-errors-fetching-NC-landing-page-if-auth-was-s.patch
+++ /dev/null
@@ -1,65 +0,0 @@ -From 4ff991c46e6b202cabd623eeffa5ae1af1ba5c8e Mon Sep 17 00:00:00 2001 -From: David Woodhouse -Date: Fri, 23 Apr 2021 10:40:44 +0100 -Subject: [PATCH 1/2] Ignore errors fetching NC landing page if auth was - successful - -Signed-off-by: David Woodhouse -(cherry picked from commit 3e77943692b511719d9217d2ecc43588b7c6c08b) ---- - auth-juniper.c | 18 +++++++++++------- - www/changelog.xml | 2 +- - 2 files changed, 12 insertions(+), 8 deletions(-) - -diff --git a/auth-juniper.c b/auth-juniper.c -index 19d43978..63af3bfc 100644 ---- a/auth-juniper.c -+++ b/auth-juniper.c -@@ -663,6 +663,17 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo) - ret = do_https_request(vpninfo, "GET", NULL, NULL, - &form_buf, 2); - -+ /* After login, the server will redirect the "browser" to a landing page. -+ * https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784 -+ * turned some of those landing pages into a 403 but we don't *care* -+ * about that as long as we have the cookie we wanted. So check for -+ * cookie success *before* checking 'ret'. */ -+ if (!check_cookie_success(vpninfo)) { -+ free(form_buf); -+ ret = 0; -+ break; -+ } -+ - if (ret < 0) - break; - -@@ -680,13 +691,6 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo) - break; - } - -- if (!check_cookie_success(vpninfo)) { -- buf_free(url); -- free(form_buf); -- ret = 0; -- break; -- } -- - doc = htmlReadMemory(form_buf, ret, url->data, NULL, - HTML_PARSE_RECOVER|HTML_PARSE_NOERROR|HTML_PARSE_NOWARNING|HTML_PARSE_NONET); - buf_free(url); -diff --git a/www/changelog.xml b/www/changelog.xml -index bca5c8e2..1a05eda7 100644 ---- a/www/changelog.xml -+++ b/www/changelog.xml -@@ -15,7 +15,7 @@ -
    -
  • OpenConnect HEAD -
      --
    • No changelog entries yet
    • -+
    • Ignore failures to fetch the NC landing page if the authentication was successful.
    • -

    -
  • -
  • OpenConnect v8.10 --- -2.31.1 - diff --git a/0002-Unconditionally-bypass-system-crypto-policy.patch b/0002-Unconditionally-bypass-system-crypto-policy.patch deleted file mode 100644 index d274370..0000000 --- a/0002-Unconditionally-bypass-system-crypto-policy.patch +++ /dev/null 
@@ -1,134 +0,0 @@ -From cc4658504b21eb87f9fa6bf7c1e42b83b6f64aaa Mon Sep 17 00:00:00 2001 -From: David Woodhouse -Date: Sat, 12 Jun 2021 08:50:09 +0100 -Subject: [PATCH 2/2] Unconditionally bypass system crypto policy - -This makes me extremely sad, but they rolled it out with *no* way to -selectively allow the user to say "connect anyway", as we've always had -for "invalid" certificates, etc. - -It's just unworkable and incomplete as currently implemented in the -distributions, so we have no choice except to bypass it and wait for -it to be fixed. - -Signed-off-by: David Woodhouse -(cherry picked from commit 7e862f2f0352409357fa7a4762481fde49909eb8 - and commit d29822cf30293d5f8b039baf3306eed2769fa0b5) ---- - configure.ac | 3 +++ - libopenconnect.map.in | 2 +- - main.c | 23 +++++++++++++++++++++++ - openconnect-internal.h | 9 +++++++++ - www/changelog.xml | 1 + - 5 files changed, 37 insertions(+), 1 deletion(-) - -diff --git a/configure.ac b/configure.ac -index 8b1b540f..3ea5e9cc 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -26,6 +26,7 @@ symver_getline= - symver_asprintf= - symver_vasprintf= - symver_win32_strerror= -+symver_win32_setenv= - - case $host_os in - *linux* | *gnu* | *nacl*) -@@ -54,6 +55,7 @@ case $host_os in - # For asprintf() - AC_DEFINE(_GNU_SOURCE, 1, [_GNU_SOURCE]) - symver_win32_strerror="openconnect__win32_strerror;" -+ symver_win32_setenv="openconnect__win32_setenv;" - # Win32 does have the SCard API - system_pcsc_libs="-lwinscard" - system_pcsc_cflags= -@@ -156,6 +158,7 @@ AC_SUBST(SYMVER_GETLINE, $symver_getline) - AC_SUBST(SYMVER_ASPRINTF, $symver_asprintf) - AC_SUBST(SYMVER_VASPRINTF, $symver_vasprintf) - AC_SUBST(SYMVER_WIN32_STRERROR, $symver_win32_strerror) -+AC_SUBST(SYMVER_WIN32_SETENV, $symver_win32_setenv) - - AS_COMPILER_FLAGS(WFLAGS, - "-Wall -diff --git a/libopenconnect.map.in b/libopenconnect.map.in -index 5b4bc5d7..1039aacf 100644 ---- a/libopenconnect.map.in -+++ b/libopenconnect.map.in -@@ -109,7 +109,7 @@ 
OPENCONNECT_5_6 { - } OPENCONNECT_5_5; - - OPENCONNECT_PRIVATE { -- global: @SYMVER_TIME@ @SYMVER_GETLINE@ @SYMVER_JAVA@ @SYMVER_ASPRINTF@ @SYMVER_VASPRINTF@ @SYMVER_WIN32_STRERROR@ -+ global: @SYMVER_TIME@ @SYMVER_GETLINE@ @SYMVER_JAVA@ @SYMVER_ASPRINTF@ @SYMVER_VASPRINTF@ @SYMVER_WIN32_STRERROR@ @SYMVER_WIN32_SETENV@ - openconnect_get_tls_library_version; - openconnect_fopen_utf8; - openconnect_open_utf8; -diff --git a/main.c b/main.c -index cc3dd91e..129755a1 100644 ---- a/main.c -+++ b/main.c -@@ -1436,6 +1436,29 @@ int main(int argc, char **argv) - openconnect_binary_version, openconnect_version_str); - } - -+ /* Some systems have a crypto policy which completely prevents DTLSv1.0 -+ * from being used, which is entirely pointless and will just drive -+ * users back to the crappy proprietary clients. Or drive OpenConnect -+ * to implement its own DTLS instead of using the system crypto libs. -+ * We're happy to conform by default to the system policy which is -+ * carefully curated to keep up to date with developments in crypto -+ * attacks — but we also *need* to be able to override it and connect -+ * anyway, when the user asks us to. Just as we *can* continue even -+ * when the server has an invalid certificate, based on user input. -+ * It was a massive oversight that GnuTLS implemented the system -+ * policy *without* that basic override facility, so until/unless -+ * it actually gets implemented properly we have to just disable it. -+ * We can't do this from openconnect_init_ssl() since that would be -+ * calling setenv() from a library in someone else's process. And -+ * thankfully we don't really need to since the auth-dialogs don't -+ * care; this is mostly for the DTLS connection. 
-+ */ -+#ifdef OPENCONNECT_GNUTLS -+ setenv("GNUTLS_SYSTEM_PRIORITY_FILE", DEVNULL, 0); -+#else -+ setenv("OPENSSL_CONF", DEVNULL, 0); -+#endif -+ - openconnect_init_ssl(); - - vpninfo = openconnect_vpninfo_new((char *)"Open AnyConnect VPN Agent", -diff --git a/openconnect-internal.h b/openconnect-internal.h -index 92edf763..9eb274c2 100644 ---- a/openconnect-internal.h -+++ b/openconnect-internal.h -@@ -41,6 +41,15 @@ - - #include "openconnect.h" - -+/* Equivalent of "/dev/null" on Windows. -+ * See https://stackoverflow.com/a/44163934 -+ */ -+#ifdef _WIN32 -+#define DEVNULL "NUL:" -+#else -+#define DEVNULL "/dev/null" -+#endif -+ - #if defined(OPENCONNECT_OPENSSL) - #include - #include -diff --git a/www/changelog.xml b/www/changelog.xml -index 1a05eda7..ca90413f 100644 ---- a/www/changelog.xml -+++ b/www/changelog.xml -@@ -16,6 +16,7 @@ -
  • OpenConnect HEAD -
      -
    • Ignore failures to fetch the NC landing page if the authentication was successful.
    • -+
    • Disable brittle "system policy" enforcement where it cannot be gracefully overridden at user request. (RH#1960763).
    • -

    -
  • -
  • OpenConnect v8.10 --- -2.31.1 - diff --git a/openconnect.spec b/openconnect.spec index 0a65d68..74ec67d 100644 --- a/openconnect.spec +++ b/openconnect.spec @@ -1,30 +1,10 @@ -# % define gitcount 227 -# % define gitrev a03e4bf - -%if 0%{?gitcount} > 0 -%define gitsuffix -%{gitcount}-g%{gitrev} -%define relsuffix .git%{gitcount}_%{gitrev} -%endif - -# RHEL6 still has ancient GnuTLS -%define use_gnutls 0%{?fedora} || 0%{?rhel} >= 7 - -# RHEL5 has no libproxy, and no %%make_install macro -%if 0%{?rhel} && 0%{?rhel} <= 5 -%define use_libproxy 0 -%define make_install %{__make} install DESTDIR=%{?buildroot} -%define use_tokens 0 -%else -%define use_libproxy 1 -%define use_tokens 1 -%endif - # RHEL8 does not have libpskc, softhsm, ocserv yet %if 0%{?rhel} && 0%{?rhel} == 8 %define use_tokens 0 %define use_ocserv 0 %define use_softhsm 0 %else +%define use_tokens 1 %define use_ocserv 1 %define use_softhsm 1 %endif 
@@ -40,46 +20,34 @@ Name: openconnect Version: 9.12 -Release: 4%{?relsuffix}%{?dist} +Release: 5%{?relsuffix}%{?dist} Summary: Open multi-protocol SSL VPN client License: LGPL-2.1-or-later URL: http://www.infradead.org/openconnect.html -Source0: ftp://ftp.infradead.org/pub/openconnect/openconnect-%{version}%{?gitsuffix}.tar.gz -%if 0%{?gitcount} == 0 -Source1: ftp://ftp.infradead.org/pub/openconnect/openconnect-%{version}%{?gitsuffix}.tar.gz.asc -%endif +Source0: https://ftp.infradead.org/pub/openconnect/openconnect-%{version}.tar.gz +Source1: https://ftp.infradead.org/pub/openconnect/openconnect-%{version}.tar.gz.asc Source2: gpgkey-BE07D9FD54809AB2C4B0FF5F63762CDA67E2F359.asc -BuildRequires: make xdg-utils +BuildRequires: make xdg-utils BuildRequires: pkgconfig(libxml-2.0) pkgconfig(libpcsclite) krb5-devel gnupg2 BuildRequires: autoconf automake libtool gettext pkgconfig(liblz4) BuildRequires: pkgconfig(uid_wrapper) pkgconfig(socket_wrapper) %if %{use_softhsm} BuildRequires: softhsm %endif -%if 0%{?fedora} || 0%{?rhel} >= 7 Obsoletes: openconnect-lib-compat < %{version}-%{release} Requires: vpnc-script -%else -Requires: vpnc -%endif %if 0%{?fedora} >= 30 || 0%{?rhel} >= 9 BuildRequires: glibc-langpack-cs %endif -%if %{use_gnutls} -BuildRequires: pkgconfig(gnutls) trousers-devel -# Anywhere we use GnuTLS ,there should be an ocserv package too +BuildRequires: pkgconfig(libproxy-1.0) +BuildRequires: pkgconfig(gnutls) +# Anywhere we use GnuTLS, there should be an ocserv package too %if %{use_ocserv} BuildRequires: ocserv %endif -%else -BuildRequires: pkgconfig(openssl) pkgconfig(libp11) pkgconfig(p11-kit-1) -%endif -%if %{use_libproxy} -BuildRequires: pkgconfig(libproxy-1.0) -%endif %if %{use_tokens} BuildRequires: pkgconfig(stoken) pkgconfig(libpskc) %endif 
@@ -96,10 +64,6 @@ Palo Alto Networks GlobalProtect SSL VPN, Array Networks SSL VPN. %package devel Summary: Development package for OpenConnect VPN authentication tools Requires: %{name}%{?_isa} = %{version}-%{release} -# RHEL5 needs these spelled out because it doesn't automatically infer from pkgconfig -%if 0%{?rhel} && 0%{?rhel} <= 5 -Requires: openssl-devel zlib-devel -%endif %description devel This package provides the core HTTP and authentication support from @@ -107,23 +71,17 @@ the OpenConnect VPN client, to be used by GUI authentication dialogs for NetworkManager etc. %prep -%if 0%{?gitcount} == 0 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' -%endif - -%autosetup -n openconnect-%{version}%{?gitsuffix} -p1 +%autosetup -p1 %build %configure --with-vpnc-script=/etc/vpnc/vpnc-script \ --disable-dsa-tests \ -%if %{use_gnutls} --with-default-gnutls-priority="@OPENCONNECT,SYSTEM" \ --without-gnutls-version-check \ -%else - --with-openssl --without-openssl-version-check \ -%endif --htmldir=%{_pkgdocdir} -make %{?_smp_mflags} V=1 + +%make_build %install @@ -145,13 +103,13 @@ make VERBOSE=1 check %ldconfig_scriptlets %files -f %{name}.lang +%license COPYING.LGPL +%doc %{_pkgdocdir} %{_libdir}/libopenconnect.so.5* %{_sbindir}/openconnect %{_libexecdir}/openconnect/ %{_mandir}/man8/* %{_datadir}/bash-completion/completions/openconnect -%doc TODO COPYING.LGPL -%doc %{_pkgdocdir} %files devel %{_libdir}/libopenconnect.so @@ -159,6 +117,9 @@ make VERBOSE=1 check %{_libdir}/pkgconfig/openconnect.pc %changelog +* Mon Jan 29 2024 Peter Robinson - 9.12-5 +- Cleanup spec, drop EOL release consditionals + * Thu Jan 25 2024 Fedora Release Engineering - 9.12-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
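Review bot: Collapsing the `%if %{use_gnutls}` branch also drops `trousers-devel` from the build dependencies (old line `BuildRequires: pkgconfig(gnutls) trousers-devel`, new line `BuildRequires: pkgconfig(gnutls)`), which is a feature change rather than an EOL-conditional cleanup; if openconnect's configure auto-detects TrouSerS for TPM 1.2 key support, this silently removes that support from the build, so either keep `trousers-devel` or record the intentional drop in the changelog. Separately, `Release: 5%{?relsuffix}%{?dist}` still expands `%{?relsuffix}`, whose only definition lived in the git-snapshot block removed by the first hunk, so it now expands to nothing on every build; `Release: 5%{?dist}` would be the consistent form. Moving Source0/Source1 from ftp:// to https:// is worthwhile alongside the signature check: the `%{gpgverify}` step is what anchors trust in the tarball, but an authenticated transport removes the trivial in-transit tampering that a plaintext FTP fetch of the tarball and its .asc allowed.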
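Review bot: `%autosetup -p1` in %prep still applies any `Patch:` entries, and this commit deletes the 0001/0002 patch files (8.10-era cherry-picks, the second of which set `GNUTLS_SYSTEM_PRIORITY_FILE` to `/dev/null` to bypass the system crypto policy) without removing a `Patch:` line in any visible hunk, so they were presumably already unreferenced; worth confirming no `Patch:` entry elsewhere in the spec still names them, since a dangling reference fails the build and a live one would have kept the distro crypto policy disabled for this client. Making `%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` unconditional is the right direction — every build now requires a valid upstream signature on the tarball instead of skipping the check for git snapshots. The `--with-default-gnutls-priority="@OPENCONNECT,SYSTEM"` string is resolved through the system GnuTLS priority file (presumably supplied by crypto-policies), so a short comment such as `# @OPENCONNECT is looked up in the system priority file; SYSTEM fallback keeps the distro policy authoritative` would document the intent for the next maintainer.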