net-vpn/openconnect: backport patch

Closes: https://bugs.gentoo.org/965061
Signed-off-by: Mike Gilbert <floppym@gentoo.org>

net-vpn/openconnect/files/openconnect-9.12-strap-rfc9266.patch

@@ -0,0 +1,111 @@
+https://bugs.gentoo.org/965061
+https://gitlab.com/openconnect/openconnect/-/merge_requests/574
+
+From 94868eef754f88569f690f8440010b331a3a67fb Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw2@infradead.org>
+Date: Fri, 15 Nov 2024 15:46:05 +0000
+Subject: [PATCH] Use RFC9266 'tls-exporter' channel bindings for Cisco STRAP
+ with TLSv1.3
+
+Fixes #659
+
+Signed-off-by: David Woodhouse <dwmw2@infradead.org>
+(cherry picked from commit 94e0b16c011b7b88708b8a8505fac6bfbe2e3cca)
+---
+ gnutls.c               | 20 +++++++++++++++++++-
+ openconnect-internal.h |  5 +++++
+ openssl.c              | 30 +++++++++++++++++++++++-------
+ 3 files changed, 47 insertions(+), 8 deletions(-)
+
+diff --git a/gnutls.c b/gnutls.c
+index 9fc010b9..6c2e3aec 100644
+--- a/gnutls.c
++++ b/gnutls.c
+@@ -3176,7 +3176,25 @@ void append_strap_verify(struct openconnect_info *vpninfo,
+ 
+ 	/* Concatenate our Finished message with our pubkey to be signed */
+ 	struct oc_text_buf *nonce = buf_alloc();
+-	buf_append_bytes(nonce, vpninfo->finished, vpninfo->finished_len);
++	if (gnutls_protocol_get_version(vpninfo->https_sess) <= GNUTLS_TLS1_2) {
++		/* For TLSv1.2 and earlier, use RFC5929 'tls-unique' channel binding */
++		buf_append_bytes(nonce, vpninfo->finished, vpninfo->finished_len);
++	} else {
++		/* For TLSv1.3 use RFC9266 'tls-exporter' channel binding */
++		char channel_binding_buf[TLS_EXPORTER_KEY_SIZE];
++		err = gnutls_prf(vpninfo->https_sess, TLS_EXPORTER_LABEL_SIZE, TLS_EXPORTER_LABEL,
++				 0, 0, 0, TLS_EXPORTER_KEY_SIZE, channel_binding_buf);
++		if (err) {
++			vpn_progress(vpninfo, PRG_ERR,
++				     _("Failed to generate channel bindings for STRAP key: %s\n"),
++				     gnutls_strerror(err));
++			if (!buf_error(buf))
++				buf->error = -EIO;
++			buf_free(nonce);
++			return;
++		}
++		buf_append_bytes(nonce, channel_binding_buf, TLS_EXPORTER_KEY_SIZE);
++	}
+ 
+ 	if (rekey) {
+ 		/* We have a copy and we don't want it freed just yet */
+diff --git a/openconnect-internal.h b/openconnect-internal.h
+index f19b4d81..541d5594 100644
+--- a/openconnect-internal.h
++++ b/openconnect-internal.h
+@@ -1058,6 +1058,11 @@ static inline void __monitor_fd_new(struct openconnect_info *vpninfo,
+ #define PSK_LABEL_SIZE (sizeof(PSK_LABEL) - 1)
+ #define PSK_KEY_SIZE 32
+ 
++/* Key material for RFC9266 tls-exporter channel binding */
++#define TLS_EXPORTER_LABEL "EXPORTER-Channel-Binding"
++#define TLS_EXPORTER_LABEL_SIZE (sizeof(TLS_EXPORTER_LABEL) - 1)
++#define TLS_EXPORTER_KEY_SIZE 32
++
+ /* Packet types */
+ 
+ #define AC_PKT_DATA		0	/* Uncompressed data */
+diff --git a/openssl.c b/openssl.c
+index 12a08692..4177e3f9 100644
+--- a/openssl.c
++++ b/openssl.c
+@@ -2510,14 +2510,30 @@ void append_strap_verify(struct openconnect_info *vpninfo,
+ 			 struct oc_text_buf *buf, int rekey)
+ {
+ 	unsigned char finished[64];
+-	size_t flen = SSL_get_finished(vpninfo->https_ssl, finished, sizeof(finished));
++	size_t flen;
+ 
+-	if (flen > sizeof(finished)) {
+-		vpn_progress(vpninfo, PRG_ERR,
+-			     _("SSL Finished message too large (%zd bytes)\n"), flen);
+-		if (!buf_error(buf))
+-			buf->error = -EIO;
+-		return;
++	if (SSL_SESSION_get_protocol_version(SSL_get_session(vpninfo->https_ssl)) <= TLS1_2_VERSION) {
++		/* For TLSv1.2 and earlier, use RFC5929 'tls-unique' channel binding */
++		flen = SSL_get_finished(vpninfo->https_ssl, finished, sizeof(finished));
++		if (flen > sizeof(finished)) {
++			vpn_progress(vpninfo, PRG_ERR,
++				     _("SSL Finished message too large (%zu bytes)\n"), flen);
++			if (!buf_error(buf))
++				buf->error = -EIO;
++			return;
++		}
++	} else {
++		/* For TLSv1.3 use RFC9266 'tls-exporter' channel binding */
++		if (!SSL_export_keying_material(vpninfo->https_ssl,
++						finished, TLS_EXPORTER_KEY_SIZE,
++						TLS_EXPORTER_LABEL, TLS_EXPORTER_LABEL_SIZE,
++						NULL, 0, 0)) {
++			vpn_progress(vpninfo, PRG_ERR,
++				     _("Failed to generate channel bindings for STRAP key\n"));
++			openconnect_report_ssl_errors(vpninfo);
++			return;
++		}
++		flen = TLS_EXPORTER_KEY_SIZE;
+ 	}
+ 
+ 	/* If we're rekeying, we need to sign the Verify header with the *old* key. */
+-- 
+2.51.1
+

net-vpn/openconnect/openconnect-9.12-r2.ebuild

@@ -0,0 +1,158 @@
+# Copyright 2011-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..13} )
+PYTHON_REQ_USE="xml(+)"
+
+inherit linux-info python-any-r1
+
+if [[ ${PV} == 9999 ]]; then
+	EGIT_REPO_URI="https://gitlab.com/openconnect/openconnect.git"
+	inherit git-r3 autotools
+else
+	inherit verify-sig
+	SRC_URI="https://www.infradead.org/openconnect/download/${P}.tar.gz
+		verify-sig? ( https://www.infradead.org/openconnect/download/${P}.tar.gz.asc )"
+	KEYWORDS="~amd64 ~arm ~arm64 ~loong ~ppc64 ~riscv ~x86"
+fi
+
+DESCRIPTION="Free client for Cisco AnyConnect SSL VPN software"
+HOMEPAGE="https://www.infradead.org/openconnect/"
+
+LICENSE="LGPL-2.1 GPL-2"
+SLOT="0/5"
+IUSE="doc +gnutls gssapi libproxy lz4 nls pskc selinux smartcard stoken test"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+	dev-libs/json-parser:0=
+	dev-libs/libxml2:=
+	sys-libs/zlib
+	app-crypt/p11-kit
+	!gnutls? (
+		>=dev-libs/openssl-1.0.1h:0=
+		dev-libs/libp11
+	)
+	gnutls? (
+		app-crypt/trousers
+		app-misc/ca-certificates
+		dev-libs/nettle
+		>=net-libs/gnutls-3.6.13:0=
+		dev-libs/libtasn1:0=
+		app-crypt/tpm2-tss:=
+	)
+	gssapi? ( virtual/krb5 )
+	libproxy? ( net-libs/libproxy )
+	lz4? ( app-arch/lz4:= )
+	nls? ( virtual/libintl )
+	pskc? ( sys-auth/oath-toolkit[pskc(+)] )
+	smartcard? ( sys-apps/pcsc-lite:0= )
+	stoken? ( app-crypt/stoken )
+"
+DEPEND="${COMMON_DEPEND}
+	test? (
+		net-libs/socket_wrapper
+		sys-libs/uid_wrapper
+		!gnutls? ( dev-libs/openssl:0[weak-ssl-ciphers(-)] )
+	)
+"
+RDEPEND="${COMMON_DEPEND}
+	sys-apps/iproute2
+	>=net-vpn/vpnc-scripts-20210402-r1
+	selinux? ( sec-policy/selinux-vpn )
+"
+BDEPEND="
+	virtual/pkgconfig
+	doc? ( ${PYTHON_DEPS} sys-apps/groff )
+	nls? ( sys-devel/gettext )
+	test? ( net-vpn/ocserv )
+"
+
+if [[ ${PV} != 9999 ]]; then
+	BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-dwmw2 )"
+	VERIFY_SIG_OPENPGP_KEY_PATH="/usr/share/openpgp-keys/dwmw2@kernel.org.key"
+fi
+
+QA_CONFIG_IMPL_DECL_SKIP=( memset_s )
+
+CONFIG_CHECK="~TUN"
+
+pkg_pretend() {
+	check_extra_config
+}
+
+pkg_setup() {
+	:
+}
+
+src_prepare() {
+	local PATCHES=(
+		"${FILESDIR}/openconnect-9.12-stdlib.patch"
+		"${FILESDIR}/openconnect-9.12-strap-rfc9266.patch"
+	)
+	default
+	if [[ ${PV} == 9999 ]]; then
+		eautoreconf
+	fi
+}
+
+src_configure() {
+	if use doc; then
+		python_setup
+	else
+		export ac_cv_path_PYTHON=
+	fi
+
+	# Used by tests if userpriv is disabled
+	addwrite /run/netns
+
+	local myconf=(
+		--disable-dsa-tests
+		$(use_enable nls)
+		--disable-static
+		$(use_with !gnutls openssl)
+		$(use_with gnutls)
+		$(use_with libproxy)
+		$(use_with lz4)
+		$(use_with gssapi)
+		$(use_with pskc libpskc)
+		$(use_with smartcard libpcsclite)
+		$(use_with stoken)
+		--with-vpnc-script="${EPREFIX}/etc/vpnc/vpnc-script"
+		--without-builtin-json
+		--without-java
+	)
+
+	econf "${myconf[@]}"
+}
+
+src_test() {
+	local charset
+	for charset in UTF-8 ISO-8859-2; do
+		if [[ $(LC_ALL=cs_CZ.${charset} locale charmap 2>/dev/null) != ${charset} ]]; then
+			# If we don't have valid cs_CZ locale data, auth-nonascii will fail.
+			# Force a test skip by exiting with status 77.
+			sed -i -e '2i exit 77' tests/auth-nonascii || die
+			break
+		fi
+	done
+	addwrite /proc
+	default
+}
+
+src_install() {
+	default
+	find "${ED}" -name '*.la' -delete || die
+
+	dodoc "${FILESDIR}"/README.OpenRC
+
+	newconfd "${FILESDIR}"/openconnect.confd openconnect
+	newinitd "${FILESDIR}"/openconnect.initd openconnect
+
+	insinto /etc/logrotate.d
+	newins "${FILESDIR}"/openconnect.logrotate openconnect
+
+	keepdir /var/log/openconnect
+}