openconnect: updated to 8.05

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>

net/openconnect/Makefile

@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openconnect
-PKG_VERSION:=8.03
+PKG_VERSION:=8.05
-PKG_RELEASE:=2
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=ftp://ftp.infradead.org/pub/openconnect/
-PKG_HASH:=908cff9b1ce266b6bb7f969a7f62723543ab94719ba3c95a150fe3894cbc9ef2
+PKG_HASH:=335c2952d0cb36822acb112eaaf5e3b4acffc6874985fb614fec0b76c4c12992
 
 PKG_LICENSE:=LGPL-2.1-or-later
 PKG_LICENSE_FILES:=COPYING.LGPL

net/openconnect/README

@@ -33,6 +33,9 @@ config interface 'MYVPN'
 	# Juniper vpn support
 	#option juniper '1'
 
+	# Authentication form responses
+	#list form_entry FORM:OPT=VAL
+
 The additional files are also used:
 /etc/openconnect/user-cert-vpn-MYVPN.pem: The user certificate
 /etc/openconnect/user-key-vpn-MYVPN.pem: The user private key

net/openconnect/files/openconnect.sh

@@ -19,14 +19,19 @@ proto_openconnect_init_config() {
 	proto_config_add_string "token_script"
 	proto_config_add_string "os"
 	proto_config_add_string "csd_wrapper"
+	proto_config_add_array 'form_entry:regex("[^:]+:[^=]+=.*")'
 	no_device=1
 	available=1
 }
 
+proto_openconnect_add_form_entry() {
+	[ -n "$1" ] && append cmdline "--form-entry $1"
+}
+
 proto_openconnect_setup() {
 	local config="$1"
 
-	json_get_vars server port interface username serverhash authgroup password password2 token_mode token_secret token_script os csd_wrapper mtu juniper
+	json_get_vars server port interface username serverhash authgroup password password2 token_mode token_secret token_script os csd_wrapper mtu juniper form_entry
 
 	grep -q tun /proc/modules || insmod tun
 	ifname="vpn-$config"
@@ -88,6 +93,8 @@ proto_openconnect_setup() {
 	[ -n "$os" ] && append cmdline "--os=$os"
 	[ -n "$csd_wrapper" ] && [ -x "$csd_wrapper" ] && append cmdline "--csd-wrapper=$csd_wrapper"
 
+	json_for_each_item proto_openconnect_add_form_entry form_entry
+
 	proto_export INTERFACE="$config"
 	logger -t openconnect "executing 'openconnect $cmdline'"
 

net/openconnect/patches/010-Fix-compilation-without-deprecated-OpenSSL-1.1-APIs.patch

@@ -1,75 +0,0 @@
-From 460c060dda115bc8066bb4b955453c673459b6cc Mon Sep 17 00:00:00 2001
-From: Rosen Penev <rosenp@gmail.com>
-Date: Sun, 9 Jun 2019 23:36:53 -0700
-Subject: [PATCH] Fix compilation without deprecated OpenSSL 1.1 APIs
-
-Initialization and deinitialization is deprecated.
-
-Signed-off-by: Rosen Penev <rosenp@gmail.com>
----
- library.c             | 4 ++++
- openssl.c             | 2 ++
- tests/bad_dtls_test.c | 4 ++++
- 3 files changed, 10 insertions(+)
-
-diff --git a/library.c b/library.c
-index 0e3d05e6..e45e93a2 100644
---- a/library.c
-+++ b/library.c
-@@ -38,6 +38,10 @@
- #include "gnutls.h"
- #endif
- 
-+#if defined(OPENCONNECT_OPENSSL)
-+#include <openssl/bio.h>
-+#endif
-+
- struct openconnect_info *openconnect_vpninfo_new(const char *useragent,
- 						 openconnect_validate_peer_cert_vfn validate_peer_cert,
- 						 openconnect_write_new_config_vfn write_new_config,
-diff --git a/openssl.c b/openssl.c
-index 2b1f07bd..e505f49a 100644
---- a/openssl.c
-+++ b/openssl.c
-@@ -1879,10 +1879,12 @@ int openconnect_init_ssl(void)
- 	if (ret)
- 		return ret;
- #endif
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- 	SSL_library_init();
- 	ERR_clear_error();
- 	SSL_load_error_strings();
- 	OpenSSL_add_all_algorithms();
-+#endif
- 	return 0;
- }
- 
-diff --git a/tests/bad_dtls_test.c b/tests/bad_dtls_test.c
-index ac8d3f1e..c123c8f8 100644
---- a/tests/bad_dtls_test.c
-+++ b/tests/bad_dtls_test.c
-@@ -752,8 +752,10 @@ int main(int argc, char *argv[])
-     int ret;
-     int i;
- 
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-     SSL_library_init();
-     SSL_load_error_strings();
-+#endif
- 
-     RAND_bytes(session_id, sizeof(session_id));
-     RAND_bytes(master_secret, sizeof(master_secret));
-@@ -910,8 +912,10 @@ int main(int argc, char *argv[])
-         printf("Cisco BadDTLS test: FAILED\n");
-     }
- 
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-     ERR_free_strings();
-     EVP_cleanup();
-+#endif
- 
-     return testresult?0:1;
- }
--- 
-2.17.1
-

net/openconnect/patches/020-Fix-DTLS-bug-when-lacking-deprecated-APIs.patch

@@ -1,139 +0,0 @@
-From afb6442533dc7475ed61642c3f5b295db1e6f561 Mon Sep 17 00:00:00 2001
-From: Rosen Penev <rosenp@gmail.com>
-Date: Sun, 9 Jun 2019 23:40:21 -0700
-Subject: [PATCH] Fix DTLS bug when lacking deprecated APIs
-
-HAVE_DTLS12 is for DTLSv1_method. This causes dtls_method to be NULL and
-crash.
-
-[dwmw2: Rework it quite a bit more]
-
-Signed-off-by: Rosen Penev <rosenp@gmail.com>
-Signed-off-by: David Woodhouse <dwmw2@infradead.org>
----
- configure.ac   | 17 ++++++++++++++---
- openssl-dtls.c | 49 ++++++++++++++++++++++++++-----------------------
- 2 files changed, 40 insertions(+), 26 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 02096c51..f7557933 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -455,11 +455,22 @@ case "$ssl_library" in
- 			AC_DEFINE(HAVE_DTLS1_STOP_TIMER, [1], [OpenSSL has dtls1_stop_timer() function])],
- 		       [AC_MSG_RESULT(no)])
- 
--	AC_MSG_CHECKING([for DTLSv1_2_client_method() in OpenSSL])
-+	# DTLS_client_method() and DTLSv1_2_client_method() were both added between
-+	# OpenSSL v1.0.1 and v1.0.2. DTLSV1.2_client_method() was later deprecated
-+	# in v1.1.0 so we use DTLS_client_method() as our check for DTLSv1.2 support
-+	# and that's what we actually use in openssl-dtls.c too.
-+	AC_MSG_CHECKING([for DTLS_client_method() in OpenSSL])
- 	AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <openssl/ssl.h>],
--					[DTLSv1_2_client_method();])],
-+					[DTLS_client_method();])],
- 		       [AC_MSG_RESULT(yes)
--			AC_DEFINE(HAVE_DTLS12, [1], [OpenSSL has DTLSv1_2_client_method() function])],
-+			AC_DEFINE(HAVE_DTLS12, [1], [OpenSSL has DTLS_client_method() function])],
-+		       [AC_MSG_RESULT(no)])
-+
-+	AC_MSG_CHECKING([for SSL_CTX_set_min_proto_version() in OpenSSL])
-+	AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <openssl/ssl.h>],
-+					[SSL_CTX_set_min_proto_version((void *)0, 0);])],
-+		       [AC_MSG_RESULT(yes)
-+			AC_DEFINE(HAVE_SSL_CTX_PROTOVER, [1], [OpenSSL has SSL_CTX_set_min_proto_version() function])],
- 		       [AC_MSG_RESULT(no)])
- 
- 	AC_CHECK_FUNC(HMAC_CTX_copy,
-diff --git a/openssl-dtls.c b/openssl-dtls.c
-index 5086440f..9e3c5d46 100644
---- a/openssl-dtls.c
-+++ b/openssl-dtls.c
-@@ -332,6 +332,7 @@ int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
- 	const char *cipher = vpninfo->dtls_cipher;
- 
- #ifdef HAVE_DTLS12
-+	/* These things should never happen unless they're supported */
- 	if (vpninfo->cisco_dtls12) {
- 		dtlsver = DTLS1_2_VERSION;
- 	} else if (!strcmp(cipher, "OC-DTLS1_2-AES128-GCM")) {
-@@ -349,16 +350,16 @@ int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
- 
- 	if (!vpninfo->dtls_ctx) {
- #ifdef HAVE_DTLS12
-+		/* If we can use SSL_CTX_set_min_proto_version, do so. */
- 		dtls_method = DTLS_client_method();
- #endif
--#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-+#ifndef HAVE_SSL_CTX_PROTOVER
-+		/* If !HAVE_DTLS12, dtlsver *MUST* be DTLS1_BAD_VER because it's set
-+		 * at the top of the function and nothing can change it. */
- 		if (dtlsver == DTLS1_BAD_VER)
- 			dtls_method = DTLSv1_client_method();
--#ifdef HAVE_DTLS12
--		else if (dtlsver == DTLS1_2_VERSION)
--			dtls_method = DTLSv1_2_client_method();
--#endif
- #endif
-+
- 		vpninfo->dtls_ctx = SSL_CTX_new(dtls_method);
- 		if (!vpninfo->dtls_ctx) {
- 			vpn_progress(vpninfo, PRG_ERR,
-@@ -367,24 +368,26 @@ int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
- 			vpninfo->dtls_attempt_period = 0;
- 			return -EINVAL;
- 		}
--		if (dtlsver) {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
--			if (dtlsver == DTLS1_BAD_VER)
--				SSL_CTX_set_options(vpninfo->dtls_ctx, SSL_OP_CISCO_ANYCONNECT);
--#else
--			if (!SSL_CTX_set_min_proto_version(vpninfo->dtls_ctx, dtlsver) ||
--			    !SSL_CTX_set_max_proto_version(vpninfo->dtls_ctx, dtlsver)) {
--				vpn_progress(vpninfo, PRG_ERR,
--					     _("Set DTLS CTX version failed\n"));
--				openconnect_report_ssl_errors(vpninfo);
--				SSL_CTX_free(vpninfo->dtls_ctx);
--				vpninfo->dtls_ctx = NULL;
--				vpninfo->dtls_attempt_period = 0;
--				return -EINVAL;
--			}
-+#ifdef HAVE_SSL_CTX_PROTOVER
-+		if (dtlsver &&
-+		    (!SSL_CTX_set_min_proto_version(vpninfo->dtls_ctx, dtlsver) ||
-+		     !SSL_CTX_set_max_proto_version(vpninfo->dtls_ctx, dtlsver))) {
-+			vpn_progress(vpninfo, PRG_ERR,
-+				     _("Set DTLS CTX version failed\n"));
-+			openconnect_report_ssl_errors(vpninfo);
-+			SSL_CTX_free(vpninfo->dtls_ctx);
-+			vpninfo->dtls_ctx = NULL;
-+			vpninfo->dtls_attempt_period = 0;
-+			return -EINVAL;
-+		}
-+#else /* !HAVE_SSL_CTX_PROTOVER */
-+		/* If we used the legacy version-specific methods, we need the special
-+		 * way to make TLSv1_client_method() do DTLS1_BAD_VER. */
-+		if (dtlsver == DTLS1_BAD_VER)
-+			SSL_CTX_set_options(vpninfo->dtls_ctx, SSL_OP_CISCO_ANYCONNECT);
- #endif
- #if defined (HAVE_DTLS12) && !defined(OPENSSL_NO_PSK)
--		} else {
-+		if (!dtlsver) {
- 			SSL_CTX_set_psk_client_callback(vpninfo->dtls_ctx, psk_callback);
- 			/* For PSK we override the DTLS master secret with one derived
- 			 * from the HTTPS session. */
-@@ -401,9 +404,9 @@ int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
- 			}
- 			/* For SSL_CTX_set_cipher_list() */
- 			cipher = "PSK";
--
--#endif
- 		}
-+#endif /* OPENSSL_NO_PSK */
-+
- 		/* If we don't readahead, then we do short reads and throw
- 		   away the tail of data packets. */
- 		SSL_CTX_set_read_ahead(vpninfo->dtls_ctx, 1);
--- 
-2.17.1
-

net/openconnect/patches/030-Disable-encrypt-then-mac-where-possible-with-DTLS-an.patch

@@ -1,38 +0,0 @@
-From 97cafd182f5a5c2d13f57d7faeac8432aea9bbf8 Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw2@infradead.org>
-Date: Mon, 10 Jun 2019 12:34:43 +0100
-Subject: [PATCH] Disable encrypt-then-mac where possible with DTLS and OpenSSL
-
-There is pain here. Just don't bother.
-
-Signed-off-by: David Woodhouse <dwmw2@infradead.org>
----
- openssl-dtls.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/openssl-dtls.c b/openssl-dtls.c
-index 9e3c5d46..646bf71c 100644
---- a/openssl-dtls.c
-+++ b/openssl-dtls.c
-@@ -406,7 +406,17 @@ int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
- 			cipher = "PSK";
- 		}
- #endif /* OPENSSL_NO_PSK */
--
-+#ifdef SSL_OP_NO_ENCRYPT_THEN_MAC
-+		/* I'm fairly sure I wasn't lying when I said I had tested
-+		 * https://github.com/openssl/openssl/commit/e23d5071ec4c7aa6bb2b
-+		 * against GnuTLS both with and without EtM in 2016.
-+		 * Nevertheless, in 2019 it seems to be failing to negotiate
-+		 * at least for DTLS1_BAD_VER against ocserv with GnuTLS 3.6.7.
-+		 * Just turn it off. Real Cisco servers don't do it for
-+		 * DTLS1_BAD_VER, and we should be using GCM ciphersuites in
-+		 * newer versions of DTLS anyway so it's irrelevant. */
-+		SSL_CTX_set_options(vpninfo->dtls_ctx, SSL_OP_NO_ENCRYPT_THEN_MAC);
-+#endif
- 		/* If we don't readahead, then we do short reads and throw
- 		   away the tail of data packets. */
- 		SSL_CTX_set_read_ahead(vpninfo->dtls_ctx, 1);
--- 
-2.17.1
-