author | Jason A. Donenfeld <zx2c4@gentoo.org> | 2017-03-17 14:49:18 +0100 |
committer | Jason A. Donenfeld <zx2c4@gentoo.org> | 2017-03-17 14:56:14 +0100 |
commit | 7f68c86d93d5f69d775bceb3941b3a3b46672eb1 (patch) | |
tree | b461a335b70f8d07bda55ab1e3cc54fbd568a097 /net-vpn/openconnect/files | |
parent | dev-ruby/nexpose: Initial version (diff) | |
Move VPN packages into net-vpn/
Diffstat (limited to 'net-vpn/openconnect/files')
6 files changed, 359 insertions, 0 deletions
diff --git a/net-vpn/openconnect/files/openconnect-7.07-libressl.patch b/net-vpn/openconnect/files/openconnect-7.07-libressl.patch
new file mode 100644
index 000000000000..4f9d34bceee1
--- /dev/null
+++ b/net-vpn/openconnect/files/openconnect-7.07-libressl.patch
@@ -0,0 +1,77 @@
+From d4a8afc2e8693628f2de554e717458e08bcc2fcf Mon Sep 17 00:00:00 2001
+From: Aric Belsito <lluixhi@gmail.com>
+Date: Thu, 3 Nov 2016 11:37:23 -0700
+Subject: [PATCH] Fix LibreSSL Build.
+
+From Voidlinux:
+
+From d51ab5615e11af4a2c160b2b8240e5d9f3c15422 Mon Sep 17 00:00:00 2001
+From: Duncaen <duncaen@voidlinux.eu>
+Date: Wed, 13 Jul 2016 15:21:16 +0200
+Subject: [PATCH] openconnect: update to 7.07.
+---
+ openssl-esp.c | 4 ++--
+ openssl.c | 8 ++++----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/openssl-esp.c b/openssl-esp.c
+index 2c1aa49..bd4dce3 100644
+--- a/openssl-esp.c
++++ b/openssl-esp.c
+@@ -27,7 +27,7 @@
+ #include <openssl/evp.h>
+ #include <openssl/rand.h>
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+
+ #define EVP_CIPHER_CTX_free(c) do { \
+ EVP_CIPHER_CTX_cleanup(c); \
+@@ -85,7 +85,7 @@ static int init_esp_ciphers(struct openconnect_info *vpninfo, struct esp *esp,
+ }
+ EVP_CIPHER_CTX_set_padding(esp->cipher, 0);
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ esp->hmac = malloc(sizeof(*esp->hmac));
+ esp->pkt_hmac = malloc(sizeof(*esp->pkt_hmac));
+ if (!esp->hmac || &esp->pkt_hmac) {
+diff --git a/openssl.c b/openssl.c
+index 785fd2a..6007cef 100644
+--- a/openssl.c
++++ b/openssl.c
+@@ -36,11 +36,11 @@
+ #include <openssl/ui.h>
+ #include <openssl/rsa.h>
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #define X509_up_ref(x) CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_X509)
+ #endif
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #define EVP_MD_CTX_new EVP_MD_CTX_create
+ #define EVP_MD_CTX_free EVP_MD_CTX_destroy
+ #define X509_STORE_CTX_get0_chain(ctx) ((ctx)->chain)
+@@ -991,7 +991,7 @@ static int set_peer_cert_hash(struct openconnect_info *vpninfo)
+ return 0;
+ }
+
+-#if OPENSSL_VERSION_NUMBER < 0x10002000L
++#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
+ static int match_hostname_elem(const char *hostname, int helem_len,
+ const char *match, int melem_len)
+ {
+@@ -1653,7 +1653,7 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
+ * 4fcdd66fff5fea0cfa1055c6680a76a4303f28a2
+ * cd6bd5ffda616822b52104fee0c4c7d623fd4f53
+ */
+-#if OPENSSL_VERSION_NUMBER >= 0x10001070
++#if OPENSSL_VERSION_NUMBER >= 0x10001070 || defined(LIBRESSL_VERSION_NUMBER)
+ if (string_is_hostname(vpninfo->hostname))
+ SSL_set_tlsext_host_name(https_ssl, vpninfo->hostname);
+ #endif
+--
+2.10.2
+
diff --git a/net-vpn/openconnect/files/openconnect-7.07-mimic-pulse-client.patch b/net-vpn/openconnect/files/openconnect-7.07-mimic-pulse-client.patch
new file mode 100644
index 000000000000..5cfeca6ec52d
--- /dev/null
+++ b/net-vpn/openconnect/files/openconnect-7.07-mimic-pulse-client.patch
@@ -0,0 +1,38 @@
+From 4ce9c9241f5707917e87e93a055f757cea5fb84d Mon Sep 17 00:00:00 2001
+From: Jon DeVree <nuxi@vault24.org>
+Date: Mon, 19 Sep 2016 21:00:18 -0400
+Subject: [PATCH] Add Content-Length header to mimic official pulse client
+
+The official pulse client sends in a fixed "Content-Length: 256" header
+with these two HTTP requests. Some versions of the VPN server will
+reject requests with an HTTP 400 error if they do not have this header.
+
+Signed-off-by: Jon DeVree <nuxi@vault24.org>
+Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
+---
+ oncp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/oncp.c b/oncp.c
+index cc9a223..2bf1571 100644
+--- a/oncp.c
++++ b/oncp.c
+@@ -562,6 +562,7 @@ int oncp_connect(struct openconnect_info *vpninfo)
+
+ buf_append(reqbuf, "POST /dana/js?prot=1&svc=1 HTTP/1.1\r\n");
+ oncp_common_headers(vpninfo, reqbuf);
++ buf_append(reqbuf, "Content-Length: 256\r\n");
+ buf_append(reqbuf, "\r\n");
+
+ if (buf_error(reqbuf)) {
+@@ -606,6 +607,7 @@ int oncp_connect(struct openconnect_info *vpninfo)
+ buf_truncate(reqbuf);
+ buf_append(reqbuf, "POST /dana/js?prot=1&svc=4 HTTP/1.1\r\n");
+ oncp_common_headers(vpninfo, reqbuf);
++ buf_append(reqbuf, "Content-Length: 256\r\n");
+ buf_append(reqbuf, "\r\n");
+
+ if (buf_error(reqbuf)) {
+--
+2.7.3
+
diff --git a/net-vpn/openconnect/files/openconnect.conf.in b/net-vpn/openconnect/files/openconnect.conf.in
new file mode 100644
index 000000000000..53b14e61378e
--- /dev/null
+++ b/net-vpn/openconnect/files/openconnect.conf.in
@@ -0,0 +1,26 @@
+# Variables to configure vpn tunnels where "vpnname" is the name of your vpn tunnel:
+#
+# server_vpnname
+# password_vpnname
+# vpnopts_vpnname
+#
+# The tunnel will need to be started with a symbolic link to openconnect:
+#
+# ln -s /etc/init.d/openconnect /etc/init.d/openconnect.vpnname
+#
+# If you'd like to execute a script on preup, postup, predown and postdown of the vpn tunnel, you
+# need to create executable scripts in a directory with the same name as
+# the vpn tunnel (vpn0 can be replaced with the vpn name):
+#
+# mkdir /etc/openconnect/vpn0
+# cd /etc/openconnect/vpn0"
+# echo '#!/bin/sh' > preup.sh"
+# cp preup.sh predown.sh"
+# cp preup.sh postup.sh"
+# cp preup.sh postdown.sh"
+# chmod 755 /etc/openconnect/vpn0/*"
+
+server_vpn0="vpn.server.tld"
+password_vpn0="YOUR_PASSWORD"
+# Any OPENCONNECT options my go here (see openconnect --help)
+vpnopts_vpn0="-l --passwd-on-stdin --user=YOUR_USERNAME --script=/etc/openconnect/openconnect.sh"
diff --git a/net-vpn/openconnect/files/openconnect.init.in b/net-vpn/openconnect/files/openconnect.init.in
new file mode 100644
index 000000000000..c4497956d8a3
--- /dev/null
+++ b/net-vpn/openconnect/files/openconnect.init.in
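Review bot: `password_vpn0` keeps the VPN password in clear text in this conf.d file, and nothing in this diff shows what mode the ebuild installs it with, so the header should tell the admin how to protect it, e.g. add `# This file holds a VPN password in clear text: keep it owned by root with mode 0600.` after the first comment line. The example block also carries stray trailing `"` characters on the `cd`, `echo`, `cp` and `chmod` comment lines (`# cd /etc/openconnect/vpn0"`) that would break the commands if copied verbatim, and `my go here` on the `vpnopts` comment should read `may go here`.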
@@ -0,0 +1,122 @@
+#!/sbin/openrc-run
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+VPN="${RC_SVCNAME#*.}"
+VPNLOG="/var/log/openconnect/${VPN}"
+VPNLOGFILE="${VPNLOG}/openconnect.log"
+VPNERRFILE="${VPNLOG}/openconnect.err"
+VPNPID="/run/openconnect/${VPN}.pid"
+VPNDIR="/etc/openconnect/${VPN}"
+PREUPSCRIPT="${VPNDIR}/preup.sh"
+PREDOWNSCRIPT="${VPNDIR}/predown.sh"
+POSTUPSCRIPT="${VPNDIR}/postup.sh"
+POSTDOWNSCRIPT="${VPNDIR}/postdown.sh"
+SERVER="server_${VPN}"
+PASSWORD="password_${VPN}"
+VPNOPTS="vpnopts_${VPN}"
+
+depend() {
+ before netmount
+}
+
+checkconfig() {
+ if [ $VPN = "openconnect" ]; then
+ eerror "You cannot call openconnect directly. You must create a symbolic link to it with the vpn name:"
+ echo
+ eerror "ln -s /etc/init.d/openconnect /etc/init.d/openconnect.vpn0"
+ echo
+ eerror "And then call it instead:"
+ echo
+ eerror "/etc/init.d/openconnect.vpn0 start"
+ return 1
+ fi
+}
+
+checktuntap() {
+ if [ $(uname -s) = "Linux" ] ; then
+ if [ ! -e /dev/net/tun ]; then
+ if ! modprobe tun ; then
+ eerror "TUN/TAP support is not available in this kernel"
+ return 1
+ fi
+ fi
+ if [ -h /dev/net/tun ] && [ -c /dev/misc/net/tun ]; then
+ ebegin "Detected broken /dev/net/tun symlink, fixing..."
+ rm -f /dev/net/tun
+ ln -s /dev/misc/net/tun /dev/net/tun
+ eend $?
+ fi
+ fi
+}
+
+start() {
+ ebegin "Starting OpenConnect: ${VPN}"
+
+ checkconfig || return 1
+
+ checktuntap || return 1
+
+ if [ "${!SERVER}" == "vpn.server.tld" ]; then
+ eend 1 "${VPN} not configured"
+ return 1
+ fi
+
+ if [ ! -e "${VPNLOG}" ]; then
+ mkdir -p "${VPNLOG}"
+ fi
+
+ local piddir="${VPNPID%/*}"
+ if [ ! -d "$piddir" ] ; then
+ mkdir -p "$piddir"
+ if [ $? -ne 0 ]; then
+ eerror "Directory $piddir for pidfile does not exist and cannot be created"
+ return 1
+ fi
+ fi
+
+ if [ -x "${PREUPSCRIPT}" ] ; then
+ "${PREUPSCRIPT}"
+ fi
+
+ start-stop-daemon --start --make-pidfile --pidfile "${VPNPID}" --stderr "${VPNERRFILE}" --stdout "${VPNLOGFILE}" --background \
+ --exec /usr/sbin/openconnect \
+ -- --pid-file="${VPNPID}" ${!VPNOPTS} ${!SERVER} <<< ${!PASSWORD}
+
+ local retval=$?
+
+ if [ ! ${retval} -eq 0 ]; then
+ eend ${retval}
+ return ${retval}
+ fi
+
+ if [ -x "${POSTUPSCRIPT}" ] ; then
+ "${POSTUPSCRIPT}"
+ fi
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping OpenConnect: ${VPN}"
+
+ checkconfig || return 1
+
+ if [ -x "${PREDOWNSCRIPT}" ] ; then
+ "${PREDOWNSCRIPT}"
+ fi
+
+ start-stop-daemon --pidfile "${VPNPID}" --stop /usr/sbin/openconnect
+ local retval=$?
+
+ if [ ! ${retval} -eq 0 ]; then
+ eend ${retval}
+ return ${retval}
+ fi
+
+
+ if [ -x "${POSTDOWNSCRIPT}" ] ; then
+ "${POSTDOWNSCRIPT}"
+ fi
+ eend $?
+}
diff --git a/net-vpn/openconnect/files/openconnect.init.in-r4 b/net-vpn/openconnect/files/openconnect.init.in-r4
new file mode 100644
index 000000000000..040edc76f637
--- /dev/null
+++ b/net-vpn/openconnect/files/openconnect.init.in-r4
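Review bot: `start()` in openconnect.init.in depends on bash-only syntax — the `${!SERVER}`, `${!VPNOPTS}` and `${!PASSWORD}` indirect expansions, the `==` test operator and the `<<<` here-string — although the script is run by `#!/sbin/openrc-run`, whose shell is not guaranteed to be bash; under a POSIX sh those expansions are errors or expand empty, so the "not configured" guard is skipped and openconnect is started without its server and password. The replacement `openconnect.init.in-r4` in this same commit already avoids the problem with `eval server=\$server_${VPN}` and a heredoc for the password; if the older script is still installed, the same `eval vpnopts=\$vpnopts_${VPN}` / `eval password=\$password_${VPN}` construction should be used here and the `==` replaced by `=`. As a point of style, `[ $VPN = "openconnect" ]` in `checkconfig()` leaves `$VPN` unquoted while every other use in the file quotes it.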
@@ -0,0 +1,88 @@
+#!/sbin/openrc-run
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+VPN="${RC_SVCNAME#*.}"
+VPNDIR="/etc/openconnect/${VPN}"
+VPNLOG="/var/log/openconnect/${VPN}"
+VPNLOGFILE="${VPNLOG}/openconnect.log"
+VPNERRFILE="${VPNLOG}/openconnect.err"
+
+command="/usr/sbin/openconnect"
+name="OpenConnect: ${VPN}"
+pidfile="/run/openconnect/${VPN}.pid"
+stopsig="SIGINT"
+
+depend() {
+ before netmount
+}
+
+checkconfig() {
+ if [ $VPN = "openconnect" ]; then
+ eerror "You cannot call openconnect directly. You must create a symbolic link to it with the vpn name:"
+ eerror
+ eerror "ln -s /etc/init.d/openconnect /etc/init.d/openconnect.vpn0"
+ eerror
+ eerror "And then call it instead:"
+ eerror
+ eerror "/etc/init.d/openconnect.vpn0 start"
+ return 1
+ fi
+}
+
+checktuntap() {
+ if [ "$RC_UNAME" = "Linux" -a ! -e /dev/net/tun ] ; then
+ if ! modprobe tun ; then
+ eerror "TUN/TAP support is not available in this kernel"
+ return 1
+ fi
+ fi
+}
+
+run_hook() {
+ if [ -x "$1" ]; then
+ "$@"
+ fi
+}
+
+start_pre() {
+ checkconfig || return
+ checktuntap || return
+ checkpath -d "${VPNLOG}" || return
+ checkpath -d /run/openconnect || return
+ run_hook "${VPNDIR}/preup.sh"
+}
+
+start() {
+ local server vpnopts password
+ eval server=\$server_${VPN}
+ eval vpnopts=\$vpnopts_${VPN}
+ eval password=\$password_${VPN}
+
+ ebegin "Starting ${name}"
+ start-stop-daemon --start --exec "${command}" -- \
+ --background \
+ --interface="${VPN}" \
+ --pid-file="${pidfile}" \
+ ${vpnopts} \
+ "${server}" \
+ >> "${VPNLOGFILE}" \
+ 2>> "${VPNERRFILE}" \
+ <<EOF
+${password}
+EOF
+ eend $?
+}
+
+start_post() {
+ run_hook "${VPNDIR}/postup.sh"
+}
+
+stop_pre() {
+ checkconfig || return
+ run_hook "${VPNDIR}/predown.sh"
+}
+
+stop_post() {
+ run_hook "${VPNDIR}/postdown.sh"
+}
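Review bot: `start()` passes `--interface="${VPN}"` to openconnect, and `VPN` is whatever follows the first dot of the service symlink name, so a service named with more than 15 characters after the dot will most likely fail at tun-device creation (Linux interface names are limited to 15 characters) with nothing in `checkconfig()` pointing at the cause; adding `if [ ${#VPN} -gt 15 ]; then eerror "vpn name ${VPN} is too long for an interface name"; return 1; fi` to `checkconfig()` would make that failure obvious. The heredoc below `2>> "${VPNERRFILE}"` is the reason the password stays out of the process argument list, which deserves a one-line comment such as `# password goes over stdin (--passwd-on-stdin), never on the command line` above `<<EOF` so a later edit does not move it into `${vpnopts}`. As a point of style, `checktuntap()` uses the obsolescent `-a` inside `[ ]`; `[ "$RC_UNAME" = "Linux" ] && [ ! -e /dev/net/tun ]` is the portable form.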
diff --git a/net-vpn/openconnect/files/openconnect.logrotate b/net-vpn/openconnect/files/openconnect.logrotate
new file mode 100644
index 000000000000..0455e6845b28
--- /dev/null
+++ b/net-vpn/openconnect/files/openconnect.logrotate
@@ -0,0 +1,8 @@
+# openconnect logrotate snipet for Gentoo Linux
+#
+/var/log/openconnect/*/* {
+ missingok
+ size 5M
+ notifempty
+}
+
|