nmav pushed to openconnect (epel7). "Allow compiling with old gnutls version but using the new features when linked with a newer version"

notifications at fedoraproject.org notifications at fedoraproject.org
Tue Mar 31 11:54:34 UTC 2015 

>From f3fa4cd96fa39c5c2888fcc9699a155cbf1e0396 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date: Tue, 31 Mar 2015 11:05:51 +0200
Subject: Allow compiling with old gnutls version but using the new features
 when linked with a newer version


diff --git a/openconnect-7.05-dynamic-checks.patch b/openconnect-7.05-dynamic-checks.patch
new file mode 100644
index 0000000..54c3ed4
--- /dev/null
+++ b/openconnect-7.05-dynamic-checks.patch
@@ -0,0 +1,227 @@
+diff --git a/cstp.c b/cstp.c
+index d0d7eff..67d2f7e 100644
+--- a/cstp.c
++++ b/cstp.c
+@@ -129,18 +129,6 @@ static void calculate_mtu(struct openconnect_info *vpninfo, int *base_mtu, int *
+ 		*mtu = 1280;
+ }
+ 
+-/* For OpenSSL the configure script detects DTLS 1.2 support.
+- * For GnuTLS just check for v3.2.0+ */
+-#if defined(DTLS_GNUTLS) && GNUTLS_VERSION_NUMBER >= 0x030200
+-#define HAVE_DTLS12 1
+-#endif
+-
+-#ifdef HAVE_DTLS12
+-# define DEFAULT_CIPHER_LIST "OC-DTLS1_2-AES256-GCM:OC-DTLS1_2-AES128-GCM:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA"
+-#else
+-# define DEFAULT_CIPHER_LIST "AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA"
+-#endif
+-
+ static void append_compr_types(struct oc_text_buf *buf, const char *proto, int avail)
+ {
+ 	if (avail) {
+@@ -194,6 +182,12 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
+ 	const char *old_addr6 = vpninfo->ip_info.addr6;
+ 	const char *old_netmask6 = vpninfo->ip_info.netmask6;
+ 	int base_mtu, mtu;
++	const char *default_cipher_list;
++
++	if (gnutls_check_version("3.2.0"))
++		default_cipher_list = "OC-DTLS1_2-AES256-GCM:OC-DTLS1_2-AES128-GCM:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA";
++	else
++		default_cipher_list = "AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA";
+ 
+ 	/* Clear old options which will be overwritten */
+ 	vpninfo->ip_info.addr = vpninfo->ip_info.netmask = NULL;
+@@ -239,8 +233,9 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
+ 			buf_free(reqbuf);
+ 			return -EINVAL;
+ 		}
++
+ 		buf_append(reqbuf, "\r\nX-DTLS-CipherSuite: %s\r\n",
+-			   vpninfo->dtls_ciphers ? : DEFAULT_CIPHER_LIST);
++			   vpninfo->dtls_ciphers ? : default_cipher_list);
+ 
+ 		append_compr_types(reqbuf, "DTLS", vpninfo->req_compr & ~COMPR_DEFLATE);
+ 	}
+diff --git a/dtls.c b/dtls.c
+index abffbf1..3e58477 100644
+--- a/dtls.c
++++ b/dtls.c
+@@ -438,25 +438,28 @@ void dtls_shutdown(struct openconnect_info *vpninfo)
+ #include <gnutls/dtls.h>
+ #include "gnutls.h"
+ 
++#if GNUTLS_VERSION_NUMBER < 0x030200
++# define GNUTLS_DTLS1_2 202
++#endif
++
+ struct {
+ 	const char *name;
+ 	gnutls_protocol_t version;
+ 	gnutls_cipher_algorithm_t cipher;
+ 	gnutls_mac_algorithm_t mac;
+ 	const char *prio;
++	const char *min_gnutls_version;
+ } gnutls_dtls_ciphers[] = {
+ 	{ "AES128-SHA", GNUTLS_DTLS0_9, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_MAC_SHA1,
+-	  "NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-128-CBC:+SHA1:+RSA:%COMPAT" },
++	  "NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-128-CBC:+SHA1:+RSA:%COMPAT", "2.12.0" },
+ 	{ "AES256-SHA", GNUTLS_DTLS0_9, GNUTLS_CIPHER_AES_256_CBC, GNUTLS_MAC_SHA1,
+-	  "NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-256-CBC:+SHA1:+RSA:%COMPAT" },
++	  "NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-256-CBC:+SHA1:+RSA:%COMPAT", "2.12.0" },
+ 	{ "DES-CBC3-SHA", GNUTLS_DTLS0_9, GNUTLS_CIPHER_3DES_CBC, GNUTLS_MAC_SHA1,
+-	  "NONE:+VERS-DTLS0.9:+COMP-NULL:+3DES-CBC:+SHA1:+RSA:%COMPAT" },
+-#if GNUTLS_VERSION_NUMBER >= 0x030207 /* if DTLS 1.2 is supported (and a bug in gnutls is solved) */
++	  "NONE:+VERS-DTLS0.9:+COMP-NULL:+3DES-CBC:+SHA1:+RSA:%COMPAT", "2.12.0" },
+ 	{ "OC-DTLS1_2-AES128-GCM", GNUTLS_DTLS1_2, GNUTLS_CIPHER_AES_128_GCM, GNUTLS_MAC_AEAD,
+-	  "NONE:+VERS-DTLS1.2:+COMP-NULL:+AES-128-GCM:+AEAD:+RSA:%COMPAT:+SIGN-ALL" },
++	  "NONE:+VERS-DTLS1.2:+COMP-NULL:+AES-128-GCM:+AEAD:+RSA:%COMPAT:+SIGN-ALL", "3.2.7" },
+ 	{ "OC-DTLS1_2-AES256-GCM", GNUTLS_DTLS1_2, GNUTLS_CIPHER_AES_256_GCM, GNUTLS_MAC_AEAD,
+-	  "NONE:+VERS-DTLS1.2:+COMP-NULL:+AES-256-GCM:+AEAD:+RSA:%COMPAT:+SIGN-ALL" },
+-#endif
++	  "NONE:+VERS-DTLS1.2:+COMP-NULL:+AES-256-GCM:+AEAD:+RSA:%COMPAT:+SIGN-ALL", "3.2.7" },
+ };
+ 
+ #define DTLS_SEND gnutls_record_send
+@@ -470,6 +473,8 @@ static int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
+ 	int cipher;
+ 
+ 	for (cipher = 0; cipher < sizeof(gnutls_dtls_ciphers)/sizeof(gnutls_dtls_ciphers[0]); cipher++) {
++		if (gnutls_check_version(gnutls_dtls_ciphers[cipher].min_gnutls_version) == NULL)
++			continue;
+ 		if (!strcmp(vpninfo->dtls_cipher, gnutls_dtls_ciphers[cipher].name))
+ 			goto found_cipher;
+ 	}
+diff --git a/gnutls.c b/gnutls.c
+index 3f79a22..70a86a3 100644
+--- a/gnutls.c
++++ b/gnutls.c
+@@ -471,13 +471,13 @@ static int load_pkcs12_certificate(struct openconnect_info *vpninfo,
+    reference (c1ef7efb in master, 5196786c in gnutls_3_0_x-2)? */
+ static int check_issuer_sanity(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer)
+ {
+-#if GNUTLS_VERSION_NUMBER > 0x030014
+-	return 0;
+-#else
+ 	unsigned char id1[512], id2[512];
+ 	size_t id1_size = 512, id2_size = 512;
+ 	int err;
+ 
++	if (gnutls_check_version("3.0.15"))
++		return 0;
++
+ 	err = gnutls_x509_crt_get_authority_key_id(cert, id1, &id1_size, NULL);
+ 	if (err)
+ 		return 0;
+@@ -490,7 +490,6 @@ static int check_issuer_sanity(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer)
+ 
+ 	/* EEP! */
+ 	return -EIO;
+-#endif
+ }
+ 
+ static int count_x509_certificates(gnutls_datum_t *datum)
+@@ -2000,14 +1999,14 @@ static int verify_peer(gnutls_session_t session)
+ 			if (inet_pton(AF_INET6, vpninfo->hostname + 1, addrbuf) > 0)
+ 				addrlen = 16;
+ 			*p = ']';
++		} else if (gnutls_check_version("3.3.6") == NULL) {
++			/* And before 3.3.6 it didn't check IP addresses at all. */
++			if (inet_pton(AF_INET, vpninfo->hostname, addrbuf) > 0)
++				addrlen = 4;
++			if (inet_pton(AF_INET6, vpninfo->hostname, addrbuf) > 0)
++				addrlen = 16;
+ 		}
+-#if GNUTLS_VERSION_NUMBER < 0x030306
+-		/* And before 3.3.6 it didn't check IP addresses at all. */
+-		else if (inet_pton(AF_INET, vpninfo->hostname, addrbuf) > 0)
+-			addrlen = 4;
+-		else if (inet_pton(AF_INET6, vpninfo->hostname, addrbuf) > 0)
+-			addrlen = 16;
+-#endif
++
+ 		if (!addrlen) {
+ 			/* vpninfo->hostname was not a bare IP address. Nothing to do */
+ 			goto badhost;
+@@ -2046,29 +2045,11 @@ static int verify_peer(gnutls_session_t session)
+ }
+ 
+ 
+-/* The F5 firewall is confused when the TLS client hello is between
+- * 256 and 512 bytes. By disabling several TLS options we force the
+- * client hello to be < 256 bytes. We don't do that in gnutls versions
+- * >= 3.2.9 as there the %COMPAT keyword ensures that the client hello
+- * will be outside that range.
+- */
+-#if GNUTLS_VERSION_NUMBER >= 0x030209
+-# define DEFAULT_PRIO "NORMAL:-VERS-SSL3.0:%COMPAT"
+-#else
+-# define _DEFAULT_PRIO "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \
+-	"%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION"
+-# if GNUTLS_VERSION_MAJOR >= 3
+-#  define DEFAULT_PRIO _DEFAULT_PRIO":-CURVE-ALL:-ECDHE-RSA:-ECDHE-ECDSA"
+-#else
+-#  define DEFAULT_PRIO _DEFAULT_PRIO
+-# endif
+-#endif
+-
+ int openconnect_open_https(struct openconnect_info *vpninfo)
+ {
+ 	int ssl_sock = -1;
+ 	int err;
+-	const char * prio;
++	char prio[256];
+ 
+ 	if (vpninfo->https_sess)
+ 		return 0;
+@@ -2193,10 +2174,24 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
+ 				       vpninfo->hostname,
+ 				       strlen(vpninfo->hostname));
+ 
+-	if (vpninfo->pfs) {
+-		prio = DEFAULT_PRIO":-RSA";
++	/* The F5 firewall is confused when the TLS client hello is between
++	 * 256 and 512 bytes. By disabling several TLS options we force the
++	 * client hello to be < 256 bytes. We don't do that in gnutls versions
++	 * >= 3.2.9 as there the %COMPAT keyword ensures that the client hello
++	 * will be outside that range.
++	 */
++	if (gnutls_check_version("3.2.9")) {
++		snprintf(prio, sizeof(prio), "NORMAL:-VERS-SSL3.0:%%COMPAT%s", vpninfo->pfs?":-RSA":"");
+ 	} else {
+-		prio = DEFAULT_PRIO;
++		if (gnutls_check_version("3.0.0")) {
++			snprintf(prio, sizeof(prio), "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \
++			       "%%COMPAT:%%DISABLE_SAFE_RENEGOTIATION:%%LATEST_RECORD_VERSION" \
++			       ":-CURVE-ALL:-ECDHE-RSA:-ECDHE-ECDSA%s", vpninfo->pfs?":-RSA":"");
++		} else {
++			snprintf(prio, sizeof(prio), "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \
++			       "%%COMPAT:%%DISABLE_SAFE_RENEGOTIATION:%%LATEST_RECORD_VERSION%s",
++			       vpninfo->pfs?":-RSA":"");
++		}
+ 	}
+ 
+ 	err = gnutls_priority_set_direct(vpninfo->https_sess,
+@@ -2376,13 +2371,13 @@ int openconnect_init_ssl(void)
+ char *get_gnutls_cipher(gnutls_session_t session)
+ {
+ 	char *str;
+-#if GNUTLS_VERSION_NUMBER > 0x03010a
+-	str = gnutls_session_get_desc(session);
+-#else
+-	str = gnutls_strdup(gnutls_cipher_suite_get_name(
+-		gnutls_kx_get(session), gnutls_cipher_get(session),
+-		gnutls_mac_get(session)));
+-#endif
++
++	if (gnutls_check_version("3.1.11"))
++		str = gnutls_session_get_desc(session);
++	else
++		str = gnutls_strdup(gnutls_cipher_suite_get_name(
++			gnutls_kx_get(session), gnutls_cipher_get(session),
++			gnutls_mac_get(session)));
+ 	return str;
+ }
+ 
diff --git a/openconnect.spec b/openconnect.spec
index 1dce974..e6b96ec 100644
--- a/openconnect.spec
+++ b/openconnect.spec
@@ -27,8 +27,9 @@ Summary:	Open client for Cisco AnyConnect VPN
 Group:		Applications/Internet
 License:	LGPLv2+
 URL:		http://www.infradead.org/openconnect.html
-Source0:	ftp://ftp.infradead.org/pub/openconnect/openconnect-7.04%{?gitsuffix}.tar.gz
+Source0:	ftp://ftp.infradead.org/pub/openconnect/openconnect-%{?version}%{?gitsuffix}.tar.gz
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+Patch0:		openconnect-7.05-dynamic-checks.patch
 
 BuildRequires:	pkgconfig(openssl) pkgconfig(libxml-2.0)
 BuildRequires:	autoconf automake libtool python gettext pkgconfig(liblz4)
@@ -68,11 +69,14 @@ the OpenConnect VPN client, to be used by GUI authentication dialogs
 for NetworkManager etc.
 
 %prep
-%setup -q -n openconnect-7.04%{?gitsuffix}
+%setup -q -n openconnect-%{?version}%{?gitsuffix}
+%patch0 -p1 -b .dynamic-checks
 
 %build
 %configure	--with-vpnc-script=/etc/vpnc/vpnc-script \
-%if !%{use_gnutls}
+%if %{use_gnutls}
+		--with-gnutls \
+%else
 		--with-openssl --without-openssl-version-check \
 %endif
 		--htmldir=%{_docdir}/%{name}
@@ -110,6 +114,8 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
 * Tue Mar 31 2015 Nikos Mavrogiannopoulos <nmav at redhat.com> - 7.05-1
 - Update to 7.05 release
+- Allow compiling with old gnutls version but using the new features
+  when linked with a newer version.
 
 * Wed Jan 28 2015 Nikos Mavrogiannopoulos <nmav at redhat.com> - 7.04-1
 - Update to 7.04 release to align with f21
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/openconnect.git/commit/?h=epel7&id=f3fa4cd96fa39c5c2888fcc9699a155cbf1e0396

More information about the scm-commits mailing list