author | Robin H. Johnson <robbat2@gentoo.org> | 2015-08-08 13:49:04 -0700 |
committer | Robin H. Johnson <robbat2@gentoo.org> | 2015-08-08 17:38:18 -0700 |
commit | 56bd759df1d0c750a065b8c845e93d5dfa6b549d (patch) | |
tree | 3f91093cdb475e565ae857f1c5a7fd339e2d781e /net-misc/networkmanager-openconnect/files | |
proj/gentoo: Initial commit
This commit represents a new era for Gentoo:
Storing the gentoo-x86 tree in Git, as converted from CVS.
This commit is the start of the NEW history.
Any historical data is intended to be grafted onto this point.
Creation process:
1. Take final CVS checkout snapshot
2. Remove ALL ChangeLog* files
3. Transform all Manifests to thin
4. Remove empty Manifests
5. Convert all stale $Header$/$Id$ CVS keywords to non-expanded Git $Id$
5.1. Do not touch files with -kb/-ko keyword flags.
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
X-Thanks: Alec Warner <antarus@gentoo.org> - did the GSoC 2006 migration tests
X-Thanks: Robin H. Johnson <robbat2@gentoo.org> - infra guy, herding this project
X-Thanks: Nguyen Thai Ngoc Duy <pclouds@gentoo.org> - Former Gentoo developer, wrote Git features for the migration
X-Thanks: Brian Harring <ferringb@gentoo.org> - wrote much python to improve cvs2svn
X-Thanks: Rich Freeman <rich0@gentoo.org> - validation scripts
X-Thanks: Patrick Lauer <patrick@gentoo.org> - Gentoo dev, running new 2014 work in migration
X-Thanks: Michał Górny <mgorny@gentoo.org> - scripts, QA, nagging
X-Thanks: All of other Gentoo developers - many ideas and lots of paint on the bikeshed
Diffstat (limited to 'net-misc/networkmanager-openconnect/files')
5 files changed, 811 insertions, 0 deletions
diff --git a/net-misc/networkmanager-openconnect/files/0.9.10.0/0016-Add-HOTP-support.patch b/net-misc/networkmanager-openconnect/files/0.9.10.0/0016-Add-HOTP-support.patch new file mode 100644 index 000000000000..9dc8c4ae70d6 --- /dev/null +++ b/net-misc/networkmanager-openconnect/files/0.9.10.0/0016-Add-HOTP-support.patch 
@@ -0,0 +1,148 @@ +From b3815e96635c8f89c6161bdb6de53cd3c01c8535 Mon Sep 17 00:00:00 2001 +From: David Woodhouse <David.Woodhouse@intel.com> +Date: Tue, 12 Aug 2014 14:55:39 +0100 +Subject: [PATCH 16/34] Add HOTP support + +This requires migrating the token_secret from a config item to a secret, +which thankfully doesn't seem to be too diffcult. +--- + auth-dialog/main.c | 24 +++++++++++++++++++++++- + properties/nm-openconnect-dialog.ui | 6 ++++++ + properties/nm-openconnect.c | 18 ++++++++++++++---- + 3 files changed, 43 insertions(+), 5 deletions(-) + +diff --git a/auth-dialog/main.c b/auth-dialog/main.c +index 2133e52..b078d48 100644 +--- a/auth-dialog/main.c ++++ b/auth-dialog/main.c +@@ -1194,7 +1194,9 @@ static int get_config (GHashTable *options, GHashTable *secrets, + openconnect_passphrase_from_fsid(vpninfo); + + token_mode = g_hash_table_lookup (options, NM_OPENCONNECT_KEY_TOKEN_MODE); +- token_secret = g_hash_table_lookup (options, NM_OPENCONNECT_KEY_TOKEN_SECRET); ++ token_secret = g_hash_table_lookup (secrets, NM_OPENCONNECT_KEY_TOKEN_SECRET); ++ if (!token_secret || !token_secret[0]) ++ token_secret = g_hash_table_lookup (options, NM_OPENCONNECT_KEY_TOKEN_SECRET); + if (token_mode) { + int ret = 0; + +@@ -1204,6 +1206,10 @@ static int get_config (GHashTable *options, GHashTable *secrets, + ret = __openconnect_set_token_mode(vpninfo, OC_TOKEN_MODE_STOKEN, NULL); + else if (!strcmp(token_mode, "totp") && token_secret) + ret = __openconnect_set_token_mode(vpninfo, OC_TOKEN_MODE_TOTP, token_secret); ++#if OPENCONNECT_CHECK_VER(3,4) ++ else if (!strcmp(token_mode, "hotp") && token_secret) ++ ret = __openconnect_set_token_mode(vpninfo, OC_TOKEN_MODE_HOTP, token_secret); ++#endif + + if (ret) + fprintf(stderr, "Failed to initialize software token: %d\n", ret); +@@ -1229,6 +1235,17 @@ static void populate_vpnhost_combo(auth_ui_data *ui_data) + } + } + ++#if OPENCONNECT_CHECK_VER(3,4) ++static int update_token(void *cbdata, const char *tok) ++{ ++ 
auth_ui_data *ui_data = cbdata; ++ g_hash_table_insert (ui_data->secrets, g_strdup (NM_OPENCONNECT_KEY_TOKEN_SECRET), ++ g_strdup(tok)); ++ ++ return 0; ++} ++#endif ++ + static int write_new_config(void *cbdata, char *buf, int buflen) + { + auth_ui_data *ui_data = cbdata; +@@ -1801,6 +1818,11 @@ int main (int argc, char **argv) + fprintf(stderr, "Failed to find VPN UUID %s\n", vpn_uuid); + return 1; + } ++ ++#if OPENCONNECT_CHECK_VER(3,4) ++ openconnect_set_token_callbacks (_ui_data->vpninfo, _ui_data, NULL, update_token); ++#endif ++ + build_main_dialog(_ui_data); + + #ifdef OPENCONNECT_OPENSSL +diff --git a/properties/nm-openconnect-dialog.ui b/properties/nm-openconnect-dialog.ui +index b3401db..4643b73 100644 +--- a/properties/nm-openconnect-dialog.ui ++++ b/properties/nm-openconnect-dialog.ui +@@ -766,6 +766,12 @@ + <col id="2" translatable="no">totp</col> + <col id="3" translatable="no">True</col> + </row> ++ <row> ++ <col id="0" translatable="yes">HOTP - manually entered</col> ++ <col id="1" translatable="no">hotp</col> ++ <col id="2" translatable="no">hotp</col> ++ <col id="3" translatable="no">True</col> ++ </row> + </data> + </object> + </interface> +diff --git a/properties/nm-openconnect.c b/properties/nm-openconnect.c +index e00e757..dfd5f5c 100644 +--- a/properties/nm-openconnect.c ++++ b/properties/nm-openconnect.c +@@ -214,7 +214,7 @@ import (NMVpnPluginUiInterface *iface, const char *path, GError **error) + /* Soft token secret */ + buf = g_key_file_get_string (keyfile, "openconnect", "StokenString", NULL); + if (buf) +- nm_setting_vpn_add_data_item (s_vpn, NM_OPENCONNECT_KEY_TOKEN_SECRET, buf); ++ nm_setting_vpn_add_secret (s_vpn, NM_OPENCONNECT_KEY_TOKEN_SECRET, buf); + + return connection; + } +@@ -297,9 +297,14 @@ export (NMVpnPluginUiInterface *iface, + if (value && strlen (value)) + token_mode = value; + +- value = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_TOKEN_SECRET); ++ value = nm_setting_vpn_get_secret (s_vpn, 
NM_OPENCONNECT_KEY_TOKEN_SECRET); + if (value && strlen (value)) + token_secret = value; ++ else { ++ value = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_TOKEN_SECRET); ++ if (value && strlen (value)) ++ token_secret = value; ++ } + + fprintf (f, + "[openconnect]\n" +@@ -427,6 +432,9 @@ init_token_mode_options (GtkComboBox *token_mode) + iter_valid = gtk_list_store_remove (token_mode_list, &iter); + else if (!strcmp (token_type, "totp") && !openconnect_has_oath_support ()) + iter_valid = gtk_list_store_remove (token_mode_list, &iter); ++ else if (!strcmp (token_type, "hotp") && ++ (!openconnect_has_oath_support () || !OPENCONNECT_CHECK_VER(3,4))) ++ iter_valid = gtk_list_store_remove (token_mode_list, &iter); + else { + iter_valid = gtk_tree_model_iter_next (model, &iter); + valid_rows++; +@@ -492,7 +500,9 @@ init_token_ui (OpenconnectPluginUiWidget *self, + if (!buffer) + return FALSE; + if (s_vpn) { +- value = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_TOKEN_SECRET); ++ value = nm_setting_vpn_get_secret (s_vpn, NM_OPENCONNECT_KEY_TOKEN_SECRET); ++ if (!value) ++ value = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_TOKEN_SECRET); + if (value) + gtk_text_buffer_set_text (buffer, value, -1); + } +@@ -653,7 +663,7 @@ update_connection (NMVpnPluginUiWidgetInterface *iface, + *dst = 0; + + if (strlen (str)) +- nm_setting_vpn_add_data_item (s_vpn, NM_OPENCONNECT_KEY_TOKEN_SECRET, str); ++ nm_setting_vpn_add_secret (s_vpn, NM_OPENCONNECT_KEY_TOKEN_SECRET, str); + } + + if (!check_validity (self, error)) +-- +2.2.0 + diff --git a/net-misc/networkmanager-openconnect/files/0.9.10.0/0017-Always-return-success-from-auth-dialog.patch b/net-misc/networkmanager-openconnect/files/0.9.10.0/0017-Always-return-success-from-auth-dialog.patch new file mode 100644 index 000000000000..f5427130c5dd --- /dev/null +++ b/net-misc/networkmanager-openconnect/files/0.9.10.0/0017-Always-return-success-from-auth-dialog.patch 
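Review bot: In the `update_connection` hunk of properties/nm-openconnect.c the token secret is now stored with `nm_setting_vpn_add_secret`, but a copy previously saved as a plain data item under the same key is never removed, while `get_config` in auth-dialog/main.c and `init_token_ui` both still fall back to that data item whenever the secret is missing or empty. For HOTP the stale item would hold the original counter, so a connection whose secret is not supplied would most likely fall back to already-used token values; add `nm_setting_vpn_remove_data_item (s_vpn, NM_OPENCONNECT_KEY_TOKEN_SECRET);` beside the add_secret call so the migration the commit message describes actually retires the plaintext copy. The fallback branch in `get_config` would also benefit from a comment stating that it exists only for connections saved before this change. All of the touched functions start outside their inner hunks.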
@@ -0,0 +1,68 @@ +From 5e899ec0dfff56ac15f9e19cccb8b8d17f792afd Mon Sep 17 00:00:00 2001 +From: David Woodhouse <David.Woodhouse@intel.com> +Date: Tue, 12 Aug 2014 14:58:05 +0100 +Subject: [PATCH 17/34] Always return success from auth-dialog + +We want to store the secrets even when we ultimately failed to log in. +This was slightly suboptimal even before, when we were failing to remember +things like the 'autoconnect' and 'certsigs' secrets. But now with HOTP +it's particularly important that we keep track of which tokens have been +used *even* if we end up failing to log in. + +Even if we don't get a valid login cookie, it's OK to return success. +--- + auth-dialog/main.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/auth-dialog/main.c b/auth-dialog/main.c +index b078d48..7171247 100644 +--- a/auth-dialog/main.c ++++ b/auth-dialog/main.c +@@ -180,7 +180,6 @@ typedef struct auth_ui_data { + GtkWidget *last_notice_icon; + GtkTextBuffer *log; + +- int retval; + int cookie_retval; + + int cancel_pipes[2]; +@@ -1376,7 +1375,6 @@ static gboolean cookie_obtained(auth_ui_data *ui_data) + gtk_widget_show_all(ui_data->ssl_box); + gtk_widget_set_sensitive(ui_data->cancel_button, FALSE); + } +- ui_data->retval = 1; + } else if (!ui_data->cookie_retval) { + OPENCONNECT_X509 *cert; + gchar *key, *value; +@@ -1413,13 +1411,11 @@ static gboolean cookie_obtained(auth_ui_data *ui_data) + keyring_store_passwords, + NULL); + } +- ui_data->retval = 0; + + gtk_main_quit(); + } else { + /* no cookie; user cancellation */ + gtk_widget_show (ui_data->no_form_label); +- ui_data->retval = 1; + } + + g_hash_table_remove_all (ui_data->success_secrets); +@@ -1672,7 +1668,6 @@ static auth_ui_data *init_ui_data (char *vpn_name, GHashTable *options, GHashTab + auth_ui_data *ui_data; + + ui_data = g_slice_new0(auth_ui_data); +- ui_data->retval = 1; + + ui_data->form_entries = g_queue_new(); + g_mutex_init(&ui_data->form_mutex); +@@ -1848,5 +1843,5 @@ int main (int 
argc, char **argv) + + wait_for_quit (); + +- return _ui_data->retval; ++ return 0; + } +-- +2.2.0 + diff --git a/net-misc/networkmanager-openconnect/files/0.9.10.0/0025-Support-libopenconnect.so.4.patch b/net-misc/networkmanager-openconnect/files/0.9.10.0/0025-Support-libopenconnect.so.4.patch new file mode 100644 index 000000000000..ed366702b1ce --- /dev/null +++ b/net-misc/networkmanager-openconnect/files/0.9.10.0/0025-Support-libopenconnect.so.4.patch 
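Review bot: The new `return 0;` at the end of `main` removes the only signal the caller had to tell a successful login from a failed one or a user cancellation (the `/* no cookie; user cancellation */` branch of `cookie_obtained` loses its `retval = 1` too), and nothing in the code records why that is acceptable. Add a comment at the return such as `/* Always exit 0: the caller must still persist the secrets this dialog emitted (HOTP token state, accepted cert hashes) even when no cookie was obtained. */`. Whether the caller treats an absent cookie as a failed authentication is not visible here and is presumably what this relies on; worth confirming before depending on it. Both `main` and `cookie_obtained` extend beyond their inner hunks.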
@@ -0,0 +1,127 @@ +From 58944a3ef9c92f7afa07cbb539d062e1956bafc0 Mon Sep 17 00:00:00 2001 +From: David Woodhouse <David.Woodhouse@intel.com> +Date: Thu, 30 Oct 2014 23:09:14 +0000 +Subject: [PATCH 25/34] Support libopenconnect.so.4 + +--- + auth-dialog/main.c | 38 ++++++++++++++++++++++++++------------ + 1 file changed, 26 insertions(+), 12 deletions(-) + +diff --git a/auth-dialog/main.c b/auth-dialog/main.c +index 7171247..8285bf4 100644 +--- a/auth-dialog/main.c ++++ b/auth-dialog/main.c +@@ -89,6 +89,21 @@ + #define OC_FORM_RESULT_NEWGROUP 2 + #endif + ++#if OPENCONNECT_CHECK_VER(4,0) ++#define dup_option_value(opt) g_strdup((opt)->_value); ++#define OC3DUP(x) (x) ++#define write_config_const const ++#else ++#define dup_option_value(opt) g_strdup((opt)->value); ++#define openconnect_set_option_value(opt, val) do { \ ++ struct oc_form_opt *_o = (opt); \ ++ free(_o->value); _o->value = g_strdup(val); \ ++ } while (0) ++#define openconnect_free_cert_info(v, x) free(x) ++#define OC3DUP(x) g_strdup(x) ++#define write_config_const /* */ ++#endif ++ + #ifdef OPENCONNECT_OPENSSL + #include <openssl/ssl.h> + #include <openssl/bio.h> +@@ -712,7 +727,7 @@ static gboolean ui_form (struct oc_auth_form *form) + data->entry_text = g_strdup (find_form_answer(ui_data->secrets, + form, opt)); + if (!data->entry_text) +- data->entry_text = g_strdup (opt->value); ++ data->entry_text = dup_option_value(opt); + } else { + GHashTable *attrs; + +@@ -776,8 +791,7 @@ static gboolean set_initial_authgroup (auth_ui_data *ui_data, struct oc_auth_for + for (i = 0; i < sopt->nr_choices; i++) { + struct oc_choice *ch = FORMCHOICE(sopt, i); + if (!strcmp(saved_group, ch->name) && i != AUTHGROUP_SELECTION(form)) { +- free(opt->value); +- opt->value = g_strdup(saved_group); ++ openconnect_set_option_value(opt, saved_group); + return TRUE; + } + } +@@ -823,7 +837,7 @@ static int nm_process_auth_form (void *cbdata, struct oc_auth_form *form) + g_cancellable_cancel(data->cancel); + + if 
(data->entry_text) { +- data->opt->value = g_strdup (data->entry_text); ++ openconnect_set_option_value(data->opt, data->entry_text); + + if (data->opt->type == OC_FORM_OPT_TEXT || + data->opt->type == OC_FORM_OPT_SELECT) { +@@ -932,7 +946,7 @@ static gboolean user_validate_cert(cert_data *data) + text = gtk_text_view_new(); + buffer = gtk_text_view_get_buffer(GTK_TEXT_VIEW(text)); + gtk_text_buffer_set_text(buffer, details, -1); +- free(details); ++ openconnect_free_cert_info(data->ui_data->vpninfo, details); + gtk_text_view_set_editable(GTK_TEXT_VIEW(text), 0); + gtk_text_view_set_cursor_visible(GTK_TEXT_VIEW(text), FALSE); + gtk_container_add(GTK_CONTAINER(scroll), text); +@@ -1166,7 +1180,7 @@ static int get_config (GHashTable *options, GHashTable *secrets, + + cafile = g_hash_table_lookup (options, NM_OPENCONNECT_KEY_CACERT); + if (cafile) +- openconnect_set_cafile(vpninfo, g_strdup (cafile)); ++ openconnect_set_cafile(vpninfo, OC3DUP (cafile)); + + csd = g_hash_table_lookup (options, NM_OPENCONNECT_KEY_CSD_ENABLE); + if (csd && !strcmp(csd, "yes")) { +@@ -1176,16 +1190,16 @@ static int get_config (GHashTable *options, GHashTable *secrets, + if (csd_wrapper && !csd_wrapper[0]) + csd_wrapper = NULL; + +- openconnect_setup_csd(vpninfo, getuid(), 1, g_strdup (csd_wrapper)); ++ openconnect_setup_csd(vpninfo, getuid(), 1, OC3DUP (csd_wrapper)); + } + + proxy = g_hash_table_lookup (options, NM_OPENCONNECT_KEY_PROXY); +- if (proxy && proxy[0] && openconnect_set_http_proxy(vpninfo, g_strdup (proxy))) ++ if (proxy && proxy[0] && openconnect_set_http_proxy(vpninfo, OC3DUP (proxy))) + return -EINVAL; + + cert = g_hash_table_lookup (options, NM_OPENCONNECT_KEY_USERCERT); + sslkey = g_hash_table_lookup (options, NM_OPENCONNECT_KEY_PRIVKEY); +- openconnect_set_client_cert (vpninfo, g_strdup (cert), g_strdup (sslkey)); ++ openconnect_set_client_cert (vpninfo, OC3DUP (cert), OC3DUP (sslkey)); + + pem_passphrase_fsid = g_hash_table_lookup (options, + 
NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID); +@@ -1245,7 +1259,7 @@ static int update_token(void *cbdata, const char *tok) + } + #endif + +-static int write_new_config(void *cbdata, char *buf, int buflen) ++static int write_new_config(void *cbdata, write_config_const char *buf, int buflen) + { + auth_ui_data *ui_data = cbdata; + g_hash_table_insert (ui_data->secrets, g_strdup ("xmlconfig"), +@@ -1472,11 +1486,11 @@ static void connect_host(auth_ui_data *ui_data) + if (openconnect_parse_url(ui_data->vpninfo, host->hostaddress)) { + fprintf(stderr, "Failed to parse server URL '%s'\n", + host->hostaddress); +- openconnect_set_hostname (ui_data->vpninfo, g_strdup(host->hostaddress)); ++ openconnect_set_hostname (ui_data->vpninfo, OC3DUP (host->hostaddress)); + } + + if (!openconnect_get_urlpath(ui_data->vpninfo) && host->usergroup) +- openconnect_set_urlpath(ui_data->vpninfo, g_strdup(host->usergroup)); ++ openconnect_set_urlpath(ui_data->vpninfo, OC3DUP (host->usergroup)); + + + g_hash_table_insert (ui_data->success_secrets, g_strdup("lasthost"), +-- +2.2.0 + diff --git a/net-misc/networkmanager-openconnect/files/0.9.10.0/0026-Drop-support-for-libopenconnect.so.1.patch b/net-misc/networkmanager-openconnect/files/0.9.10.0/0026-Drop-support-for-libopenconnect.so.1.patch new file mode 100644 index 000000000000..835f694e4fb1 --- /dev/null +++ b/net-misc/networkmanager-openconnect/files/0.9.10.0/0026-Drop-support-for-libopenconnect.so.1.patch 
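Review bot: Both definitions of `dup_option_value` in the new compatibility block end in a semicolon (`g_strdup((opt)->_value);` and `g_strdup((opt)->value);`), so the macro expands to a statement rather than an expression; its one use, `data->entry_text = dup_option_value(opt);`, merely yields an empty statement, but a use inside an `if`/`else` or as a call argument would not compile. Drop the trailing semicolons: `#define dup_option_value(opt) g_strdup((opt)->_value)` and `#define dup_option_value(opt) g_strdup((opt)->value)`. The same stray semicolon appears on the `openconnect_get_peer_cert_details` macro in the 0028 patch further down. The `openconnect_set_option_value` fallback pairs `free()` with `g_strdup`, but that mirrors the pre-existing `set_initial_authgroup` code it replaces and is left as is.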
@@ -0,0 +1,283 @@ +From b8c7e773204d3b4a85a27d7d2ae58dfc1939e1a8 Mon Sep 17 00:00:00 2001 +From: David Woodhouse <David.Woodhouse@intel.com> +Date: Thu, 30 Oct 2014 23:16:20 +0000 +Subject: [PATCH 26/34] Drop support for libopenconnect.so.1 + +--- + auth-dialog/main.c | 201 +---------------------------------------------------- + 1 file changed, 2 insertions(+), 199 deletions(-) + +diff --git a/auth-dialog/main.c b/auth-dialog/main.c +index 8285bf4..df0146c 100644 +--- a/auth-dialog/main.c ++++ b/auth-dialog/main.c +@@ -49,20 +49,6 @@ + + #include "openconnect.h" + +-#if OPENCONNECT_API_VERSION_MAJOR == 1 +-#define openconnect_vpninfo_new openconnect_vpninfo_new_with_cbdata +-#define openconnect_init_ssl openconnect_init_openssl +-#endif +- +-#ifndef OPENCONNECT_CHECK_VER +-#define OPENCONNECT_CHECK_VER(x,y) 0 +-#endif +- +-#if !OPENCONNECT_CHECK_VER(1,5) +-#define OPENCONNECT_X509 X509 +-#define OPENCONNECT_OPENSSL +-#endif +- + #if !OPENCONNECT_CHECK_VER(2,1) + #define __openconnect_set_token_mode(...) 
-EOPNOTSUPP + #elif !OPENCONNECT_CHECK_VER(2,2) +@@ -104,12 +90,6 @@ + #define write_config_const /* */ + #endif + +-#ifdef OPENCONNECT_OPENSSL +-#include <openssl/ssl.h> +-#include <openssl/bio.h> +-#include <openssl/ui.h> +-#endif +- + static const SecretSchema openconnect_secret_schema = { + "org.freedesktop.NetworkManager.Connection.Openconnect", + SECRET_SCHEMA_DONT_MATCH_NAME, +@@ -301,9 +281,6 @@ typedef struct ui_fragment_data { + GtkWidget *entry; + GCancellable *cancel; + auth_ui_data *ui_data; +-#ifdef OPENCONNECT_OPENSSL +- UI_STRING *uis; +-#endif + struct oc_form_opt *opt; + char *entry_text; + int initial_selection; +@@ -315,27 +292,9 @@ static void entry_activate_cb(GtkWidget *widget, auth_ui_data *ui_data) + gtk_dialog_response(GTK_DIALOG(ui_data->dialog), AUTH_DIALOG_RESPONSE_LOGIN); + } + +-#ifdef OPENCONNECT_OPENSSL +-static void do_check_visibility(ui_fragment_data *data, gboolean *visible) +-{ +- int min_len; +- +- if (!data->uis) +- return; +- +- min_len = UI_get_result_minsize(data->uis); +- +- if (min_len && (!data->entry_text || strlen(data->entry_text) < min_len)) +- *visible = FALSE; +-} +-#endif + static void evaluate_login_visibility(auth_ui_data *ui_data) + { + gboolean visible = TRUE; +-#ifdef OPENCONNECT_OPENSSL +- g_queue_foreach(ui_data->form_entries, (GFunc)do_check_visibility, +- &visible); +-#endif + gtk_widget_set_sensitive (ui_data->login_button, visible); + } + +@@ -343,9 +302,6 @@ static void entry_changed(GtkEntry *entry, ui_fragment_data *data) + { + g_free (data->entry_text); + data->entry_text = g_strdup(gtk_entry_get_text(entry)); +-#ifdef OPENCONNECT_OPENSSL +- evaluate_login_visibility(data->ui_data); +-#endif + } + + static void do_override_label(ui_fragment_data *data, struct oc_choice *choice) +@@ -387,26 +343,6 @@ static void combo_changed(GtkComboBox *combo, ui_fragment_data *data) + FORMCHOICE(sopt, entry)); + } + +-#ifdef OPENCONNECT_OPENSSL +-static gboolean ui_write_error (ui_fragment_data *data) +-{ +- 
ssl_box_add_error(data->ui_data, UI_get0_output_string(data->uis)); +- +- g_slice_free (ui_fragment_data, data); +- +- return FALSE; +-} +- +-static gboolean ui_write_info (ui_fragment_data *data) +-{ +- ssl_box_add_info(data->ui_data, UI_get0_output_string(data->uis)); +- +- g_slice_free (ui_fragment_data, data); +- +- return FALSE; +-} +-#endif +- + static gboolean ui_write_prompt (ui_fragment_data *data) + { + auth_ui_data *ui_data = _ui_data; /* FIXME global */ +@@ -414,16 +350,8 @@ static gboolean ui_write_prompt (ui_fragment_data *data) + int visible; + const char *label; + +-#ifdef OPENCONNECT_OPENSSL +- if (data->uis) { +- label = UI_get0_output_string(data->uis); +- visible = UI_get_input_flags(data->uis) & UI_INPUT_FLAG_ECHO; +- } else +-#endif +- { +- label = data->opt->label; +- visible = (data->opt->type == OC_FORM_OPT_TEXT); +- } ++ label = data->opt->label; ++ visible = (data->opt->type == OC_FORM_OPT_TEXT); + + hbox = gtk_box_new (GTK_ORIENTATION_HORIZONTAL, 0); + gtk_box_pack_start(GTK_BOX(data->ui_data->ssl_box), hbox, FALSE, FALSE, 0); +@@ -512,128 +440,6 @@ static gboolean ui_show (auth_ui_data *ui_data) + return FALSE; + } + +-#ifdef OPENCONNECT_OPENSSL +-/* runs in worker thread */ +-static int ui_open(UI *ui) +-{ +- auth_ui_data *ui_data = _ui_data; /* FIXME global */ +- +- UI_add_user_data(ui, ui_data); +- +- return 1; +-} +- +-/* runs in worker thread */ +-static int ui_write(UI *ui, UI_STRING *uis) +-{ +- auth_ui_data *ui_data; +- ui_fragment_data *data; +- +- ui_data = UI_get0_user_data(ui); +- +- /* return if a new host has been selected */ +- if (ui_data->cancelled) { +- return 1; +- } +- +- data = g_slice_new0 (ui_fragment_data); +- data->ui_data = ui_data; +- data->uis = uis; +- +- switch(UI_get_string_type(uis)) { +- case UIT_ERROR: +- g_idle_add ((GSourceFunc)ui_write_error, data); +- break; +- +- case UIT_INFO: +- g_idle_add ((GSourceFunc)ui_write_info, data); +- break; +- +- case UIT_PROMPT: +- case UIT_VERIFY: +- g_mutex_lock 
(&ui_data->form_mutex); +- g_queue_push_head(ui_data->form_entries, data); +- g_mutex_unlock (&ui_data->form_mutex); +- +- g_idle_add ((GSourceFunc)ui_write_prompt, data); +- break; +- +- case UIT_BOOLEAN: +- /* FIXME */ +- case UIT_NONE: +- default: +- g_slice_free (ui_fragment_data, data); +- } +- return 1; +-} +- +-/* runs in worker thread */ +-static int ui_flush(UI* ui) +-{ +- auth_ui_data *ui_data; +- int response; +- +- ui_data = UI_get0_user_data(ui); +- +- g_idle_add((GSourceFunc)ui_show, ui_data); +- g_mutex_lock(&ui_data->form_mutex); +- /* wait for ui to show */ +- while (!ui_data->form_shown) { +- g_cond_wait(&ui_data->form_shown_changed, &ui_data->form_mutex); +- } +- ui_data->form_shown = FALSE; +- +- if (!ui_data->cancelled) { +- /* wait for form submission or cancel */ +- while (!ui_data->form_retval) { +- g_cond_wait(&ui_data->form_retval_changed, &ui_data->form_mutex); +- } +- response = GPOINTER_TO_INT (ui_data->form_retval); +- ui_data->form_retval = NULL; +- } else +- response = AUTH_DIALOG_RESPONSE_CANCEL; +- +- /* set entry results and free temporary data structures */ +- while (!g_queue_is_empty (ui_data->form_entries)) { +- ui_fragment_data *data; +- data = g_queue_pop_tail (ui_data->form_entries); +- if (data->entry_text) { +- UI_set_result(ui, data->uis, data->entry_text); +- } +- if (data->cancel) { +- g_cancellable_cancel(data->cancel); +- } +- g_slice_free (ui_fragment_data, data); +- } +- ui_data->form_grabbed = 0; +- g_mutex_unlock(&ui_data->form_mutex); +- +- /* -1 = cancel, +- * 0 = failure, +- * 1 = success */ +- return (response == AUTH_DIALOG_RESPONSE_LOGIN ? 
1 : -1); +-} +- +-/* runs in worker thread */ +-static int ui_close(UI *ui) +-{ +- return 1; +-} +- +-static int init_openssl_ui(void) +-{ +- UI_METHOD *ui_method = UI_create_method("OpenConnect VPN UI (gtk)"); +- +- UI_method_set_opener(ui_method, ui_open); +- UI_method_set_flusher(ui_method, ui_flush); +- UI_method_set_writer(ui_method, ui_write); +- UI_method_set_closer(ui_method, ui_close); +- +- UI_set_default_method(ui_method); +- return 0; +-} +-#endif /* OPENCONNECT_OPENSSL */ +- + static char *find_form_answer(GHashTable *secrets, struct oc_auth_form *form, + struct oc_form_opt *opt) + { +@@ -1834,9 +1640,6 @@ int main (int argc, char **argv) + + build_main_dialog(_ui_data); + +-#ifdef OPENCONNECT_OPENSSL +- init_openssl_ui(); +-#endif + openconnect_init_ssl(); + + /* Start connecting now if there's only one host. Or if configured to */ +-- +2.2.0 + diff --git a/net-misc/networkmanager-openconnect/files/0.9.10.0/0028-Update-to-new-hash-handling-fix-to-match-stored-cert.patch b/net-misc/networkmanager-openconnect/files/0.9.10.0/0028-Update-to-new-hash-handling-fix-to-match-stored-cert.patch new file mode 100644 index 000000000000..223d59f0c1db --- /dev/null +++ b/net-misc/networkmanager-openconnect/files/0.9.10.0/0028-Update-to-new-hash-handling-fix-to-match-stored-cert.patch 
@@ -0,0 +1,185 @@ +From 2dc45e25b200e1b70e862f46c9f7ad652e59c8a2 Mon Sep 17 00:00:00 2001 +From: David Woodhouse <David.Woodhouse@intel.com> +Date: Mon, 3 Nov 2014 17:39:43 +0000 +Subject: [PATCH 28/34] Update to new hash handling, fix to match stored certs + only for the same host/port + +--- + auth-dialog/main.c | 90 +++++++++++++++++++++++++++++------------------------- + 1 file changed, 49 insertions(+), 41 deletions(-) + +diff --git a/auth-dialog/main.c b/auth-dialog/main.c +index df0146c..38f3a8f 100644 +--- a/auth-dialog/main.c ++++ b/auth-dialog/main.c +@@ -694,7 +694,7 @@ static char* get_title(const char *vpn_name) + + typedef struct cert_data { + auth_ui_data *ui_data; +- OPENCONNECT_X509 *peer_cert; ++ char *cert_details; + const char *reason; + } cert_data; + +@@ -722,13 +722,10 @@ static gboolean user_validate_cert(cert_data *data) + { + auth_ui_data *ui_data = _ui_data; /* FIXME global */ + char *title; +- char *details; + GtkWidget *dlg, *text, *scroll; + GtkTextBuffer *buffer; + int result; + +- details = openconnect_get_cert_details(ui_data->vpninfo, data->peer_cert); +- + title = get_title(data->ui_data->vpn_name); + dlg = gtk_message_dialog_new(NULL, 0, GTK_MESSAGE_QUESTION, + GTK_BUTTONS_OK_CANCEL, +@@ -751,8 +748,7 @@ static gboolean user_validate_cert(cert_data *data) + + text = gtk_text_view_new(); + buffer = gtk_text_view_get_buffer(GTK_TEXT_VIEW(text)); +- gtk_text_buffer_set_text(buffer, details, -1); +- openconnect_free_cert_info(data->ui_data->vpninfo, details); ++ gtk_text_buffer_set_text(buffer, data->cert_details, -1); + gtk_text_view_set_editable(GTK_TEXT_VIEW(text), 0); + gtk_text_view_set_cursor_visible(GTK_TEXT_VIEW(text), FALSE); + gtk_container_add(GTK_CONTAINER(scroll), text); +@@ -775,36 +771,40 @@ static gboolean user_validate_cert(cert_data *data) + + /* runs in worker thread */ + static int validate_peer_cert(void *cbdata, +- OPENCONNECT_X509 *peer_cert, const char *reason) ++#if !OPENCONNECT_CHECK_VER(5,0) ++ 
OPENCONNECT_X509 *peer_cert, ++#endif ++ const char *reason) + { + auth_ui_data *ui_data = cbdata; +- char fingerprint[41]; +- char *certs_data; + int ret = 0; + cert_data *data; ++ char *certkey; ++ char *accepted_hash = NULL; ++#if OPENCONNECT_CHECK_VER(5,0) ++ const char *fingerprint = openconnect_get_peer_cert_hash(ui_data->vpninfo); ++#else ++ char fingerprint[41]; + + ret = openconnect_get_cert_sha1(ui_data->vpninfo, peer_cert, fingerprint); + if (ret) + return ret; + +- certs_data = g_hash_table_lookup (ui_data->secrets, "certsigs"); +- if (certs_data) { +- char **certs = g_strsplit_set(certs_data, "\t", 0); +- char **this = certs; ++#define openconnect_check_peer_cert_hash(v, h) strcmp(h, fingerprint) ++#define openconnect_get_peer_cert_details(v) openconnect_get_cert_details(v, peer_cert); ++#endif + +- while (*this) { +- if (!strcmp(*this, fingerprint)) { +- g_strfreev(certs); +- goto out; +- } +- this++; +- } +- g_strfreev(certs); +- } ++ certkey = g_strdup_printf ("certificate:%s:%d", ++ openconnect_get_hostname(ui_data->vpninfo), ++ openconnect_get_port(ui_data->vpninfo)); ++ ++ accepted_hash = g_hash_table_lookup (ui_data->secrets, certkey); ++ if (accepted_hash && !openconnect_check_peer_cert_hash(ui_data->vpninfo, accepted_hash)) ++ goto accepted; + + data = g_slice_new(cert_data); + data->ui_data = ui_data; /* FIXME uses global */ +- data->peer_cert = peer_cert; ++ data->cert_details = openconnect_get_peer_cert_details(ui_data->vpninfo); + data->reason = reason; + + g_mutex_lock(&ui_data->form_mutex); +@@ -813,27 +813,27 @@ static int validate_peer_cert(void *cbdata, + g_idle_add((GSourceFunc)user_validate_cert, data); + + /* wait for user to accept or cancel */ +- while (ui_data->cert_response == CERT_USER_NOT_READY) { ++ while (ui_data->cert_response == CERT_USER_NOT_READY) + g_cond_wait(&ui_data->cert_response_changed, &ui_data->form_mutex); +- } +- if (ui_data->cert_response == CERT_ACCEPTED) { +- if (certs_data) { +- char *new = 
g_strdup_printf("%s\t%s", certs_data, fingerprint); +- g_hash_table_insert (ui_data->secrets, +- g_strdup ("certsigs"), new); +- } else { +- g_hash_table_insert (ui_data->secrets, g_strdup ("certsigs"), +- g_strdup (fingerprint)); +- } ++ ++ openconnect_free_cert_info(data->ui_data->vpninfo, data->cert_details); ++ g_slice_free(cert_data, data); ++ ++ if (ui_data->cert_response == CERT_ACCEPTED) + ret = 0; +- } else { ++ else + ret = -EINVAL; +- } ++ + g_mutex_unlock (&ui_data->form_mutex); + +- g_slice_free(cert_data, data); ++ accepted: ++ if (!ret) { ++ g_hash_table_insert (ui_data->secrets, certkey, ++ g_strdup(fingerprint)); ++ certkey = NULL; ++ } + +- out: ++ g_free (certkey); + return ret; + } + +@@ -1196,7 +1196,7 @@ static gboolean cookie_obtained(auth_ui_data *ui_data) + gtk_widget_set_sensitive(ui_data->cancel_button, FALSE); + } + } else if (!ui_data->cookie_retval) { +- OPENCONNECT_X509 *cert; ++ const void *cert; + gchar *key, *value; + + /* got cookie */ +@@ -1218,14 +1218,22 @@ static gboolean cookie_obtained(auth_ui_data *ui_data) + g_hash_table_insert (ui_data->secrets, key, value); + openconnect_clear_cookie(ui_data->vpninfo); + ++#if OPENCONNECT_CHECK_VER(5,0) ++ cert = openconnect_get_peer_cert_hash (ui_data->vpninfo); ++ if (cert) { ++ key = g_strdup (NM_OPENCONNECT_KEY_GWCERT); ++ value = g_strdup (cert); ++ g_hash_table_insert (ui_data->secrets, key, value); ++ } ++#else + cert = openconnect_get_peer_cert (ui_data->vpninfo); + if (cert) { + key = g_strdup (NM_OPENCONNECT_KEY_GWCERT); + value = g_malloc0 (41); +- openconnect_get_cert_sha1(ui_data->vpninfo, cert, value); ++ openconnect_get_cert_sha1(ui_data->vpninfo, (void *)cert, value); + g_hash_table_insert (ui_data->secrets, key, value); + } +- ++#endif + if (get_save_passwords(ui_data->secrets)) { + g_hash_table_foreach(ui_data->success_passwords, + keyring_store_passwords, +-- +2.2.0 + |
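Review bot: In `validate_peer_cert` the user prompt is identical whether no hash is stored for `certificate:host:port` or a stored hash exists but does not match the presented certificate — `data->reason = reason;` is unchanged and `accepted_hash` is not consulted again once the comparison fails. A certificate that differs from the one previously accepted for the same host and port is the case most worth surfacing; consider passing a distinct reason, or a flag on `cert_data`, when `accepted_hash` is non-NULL so `user_validate_cert` can tell the user the certificate changed rather than presenting it as a first-time decision. The old `certsigs` entry is no longer read anywhere in the hunk but is also not removed from `ui_data->secrets`, so it presumably lingers in stored secrets until cleared by hand. `validate_peer_cert` and `cookie_obtained` both extend beyond their inner hunks.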