diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile index 680e92e82fde..8b035982a36f 100644 --- a/security/openvpn/Makefile +++ b/security/openvpn/Makefile @@ -1,187 +1,157 @@ # Created by: Matthias Andree PORTNAME= openvpn DISTVERSION= 2.5.6 PORTREVISION?= 0 CATEGORIES= security net net-vpn MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \ https://build.openvpn.net/downloads/releases/ \ LOCAL/mandree MAINTAINER= mandree@FreeBSD.org COMMENT?= Secure IP/Ethernet tunnel daemon LICENSE= GPLv2 LICENSE_FILE= ${WRKSRC}/COPYRIGHT.GPL -USES= cpe libtool localbase:ldflags pkgconfig shebangfix tar:xz +USES= cpe libtool localbase:ldflags pkgconfig shebangfix ssl tar:xz USE_RC_SUBR= openvpn SHEBANG_FILES= sample/sample-scripts/verify-cn \ sample/sample-scripts/auth-pam.pl \ sample/sample-scripts/ucn.pl GNU_CONFIGURE= yes -CONFIGURE_ARGS+= --enable-strict +CONFIGURE_ARGS+= --enable-strict --with-crypto-library=openssl # set PLUGIN_LIBDIR so that unqualified plugin paths are found: CONFIGURE_ENV+= PLUGINDIR="${PREFIX}/lib/openvpn/plugins" CONFLICTS_INSTALL?= openvpn-2.[!5].* openvpn-devel openvpn-mbedtls SUB_FILES= pkg-message openvpn-client USERS= openvpn GROUPS= openvpn PORTDOCS= * PORTEXAMPLES= * OPTIONS_DEFINE= ASYNC_PUSH DOCS EASYRSA EXAMPLES LZ4 LZO PKCS11 SMALL \ - TEST TUNNELBLICK UNITTESTS X509ALTUSERNAME -OPTIONS_DEFAULT= EASYRSA LZ4 LZO OPENSSL PKCS11 TEST -OPTIONS_SINGLE= SSL -OPTIONS_SINGLE_SSL= OPENSSL MBEDTLS + TEST UNITTESTS X509ALTUSERNAME +OPTIONS_DEFAULT= EASYRSA LZ4 LZO PKCS11 TEST ASYNC_PUSH_DESC= Enable async-push support EASYRSA_DESC= Install security/easy-rsa RSA helper package LZO_DESC= LZO compression (incompatible with LibreSSL) -MBEDTLS_DESC= SSL/TLS via mbedTLS (lacks TLS v1.3) -PKCS11_DESC= Use security/pkcs11-helper (OpenSSL only) +PKCS11_DESC= Use security/pkcs11-helper SMALL_DESC= Build a smaller executable with fewer features -TUNNELBLICK_DESC= XOR scrambling patch - DEPRECATED! UNITTESTS_DESC= Enable unit tests -X509ALTUSERNAME_DESC= Enable --x509-username-field (OpenSSL only) +X509ALTUSERNAME_DESC= Enable --x509-username-field ASYNC_PUSH_LIB_DEPENDS= libinotify.so:devel/libinotify ASYNC_PUSH_CONFIGURE_ENABLE= async-push EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4 LZ4_CONFIGURE_ENABLE= lz4 LZO_LIB_DEPENDS+= liblzo2.so:archivers/lzo2 LZO_CONFIGURE_ENABLE= lzo -MBEDTLS_LIB_DEPENDS= libmbedtls.so:security/mbedtls -MBEDTLS_CONFIGURE_ON= --with-crypto-library=mbedtls - -OPENSSL_USES= ssl -OPENSSL_CONFIGURE_ON= --with-crypto-library=openssl - -PKCS11_PREVENTS= MBEDTLS -PKCS11_PREVENTS_MSG= OpenVPN cannot use pkcs11-helper with mbedTLS. Disable PKCS11, or use OpenSSL instead PKCS11_LIB_DEPENDS= libpkcs11-helper.so:security/pkcs11-helper PKCS11_CONFIGURE_ENABLE= pkcs11 SMALL_CONFIGURE_ENABLE= small TEST_ALL_TARGET= check TEST_TEST_TARGET_OFF= check -TUNNELBLICK_EXTRA_PATCHES= ${FILESDIR}/extra-tunnelblick-openvpn_xorpatch:-p1 - UNITTESTS_BUILD_DEPENDS= cmocka>=0:sysutils/cmocka UNITTESTS_CONFIGURE_ENABLE= unit-tests -X509ALTUSERNAME_PREVENTS= MBEDTLS -X509ALTUSERNAME_PREVENTS_MSG= OpenVPN ${DISTVERSION} cannot use --x509-username-field with mbedTLS. Disable X509ALTUSERNAME, or use OpenSSL instead X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username .ifdef (LOG_OPENVPN) CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN} .endif .include -.if ${PORT_OPTIONS:MMBEDTLS} -BROKEN_FreeBSD_14= OpenVPN-mbedTLS fails on FreeBSD 14 -_tlslibs=libmbedtls libmbedx509 libmbedcrypto -.else -# OpenSSL -_tlslibs=libssl libcrypto -.endif - .if ${PORT_OPTIONS:MLZO} IGNORE_SSL=libressl libressl-devel IGNORE_SSL_REASON=OpenVPN does not have permission to include LZO with LibreSSL. Compile against OpenSSL, or if your setups support it, disable LZO support .endif .if ! ${PORT_OPTIONS:MLZ4} && ! ${PORT_OPTIONS:MLZO} CONFIGURE_ARGS+= --enable-comp-stub .endif .include .if !empty(PORT_OPTIONS:MLZO) && !empty(SSL_DEFAULT:Nbase:Nopenssl*) # in-depth security net if Mk/Uses/ssl.mk changes pre-everything:: @${ECHO_CMD} >&2 "ERROR: OpenVPN is not licensed to combine LZO with other OpenSSL-licensed libraries than OpenSSL. Compile against OpenSSL, or if your setups support it, disable LZO support." @${SHELL} -c 'exit 1' .endif -.if !empty(PORT_OPTIONS:MMBEDTLS) || !empty(PORT_OPTIONS:MTUNNELBLICK) -pre-everything:: - @${ECHO_CMD} >&2 "======================================================================" - @${ECHO_CMD} >&2 "Note that the mbedTLS and Tunnelblick options will go away 2022-03-31." - @${ECHO_CMD} >&2 "======================================================================" -.endif - post-patch: ${REINPLACE_CMD} -E -i '' -e 's/(user|group) nobody/\1 openvpn/' \ -e 's/"nobody"( after init)/"openvpn" \1/' \ ${WRKSRC}/sample/sample-config-files/*.conf \ ${WRKSRC}/sample/sample-config-files/xinetd-*-config \ ${WRKSRC}/doc/man-sections/generic-options.rst pre-configure: .ifdef (LOG_OPENVPN) @${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}" .else @${ECHO} "" @${ECHO} "You may use the following build options:" @${ECHO} "" @${ECHO} " LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}" @${ECHO} " EXAMPLE: make LOG_OPENVPN=LOG_LOCAL6" @${ECHO} "" .endif .if !empty(SSL_DEFAULT:Mlibressl*) @${ECHO} "### --------------------------------------------------------- ###" @${ECHO} "### NOTE that libressl is not primarily supported by OpenVPN ###" @${ECHO} "### Do not report bugs without fixes/patches unless the issue ###" @${ECHO} "### can be reproduced with a released OpenSSL version. ###" @${ECHO} "### --------------------------------------------------------- ###" .endif post-configure: ${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \ ${WRKSRC}/src/plugins/auth-pam/Makefile \ ${WRKSRC}/src/plugins/down-root/Makefile # sanity check that we don't inherit incompatible SSL libs through, # for instance, pkcs11-helper: +_tlslibs=libssl libcrypto post-build: @a=$$(LC_ALL=C ldd -f '%o\n' ${WRKSRC}/src/openvpn/openvpn \ | ${SORT} -u) ; set -- $$(for i in ${_tlslibs} ; do ${PRINTF} '%s\n' "$$a" | ${GREP} $${i}.so | wc -l ; done | ${SORT} -u) ;\ if test "$$*" != "1" ; then ${ECHO_CMD} >&2 "${.CURDIR} FAILED: either of ${_tlslibs} libraries linked multiple times" ; ${PRINTF} '%s\n' "$$a"; ${RM} ${BUILD_COOKIE} ; ( set -x ; ldd -a ${WRKSRC}/src/openvpn/openvpn ) ; exit 1 ; fi post-install: ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down @${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up ${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client ${MKDIR} ${STAGEDIR}${PREFIX}/include post-install-DOCS-on: ${MKDIR} ${STAGEDIR}${DOCSDIR}/ .for i in AUTHORS ChangeLog PORTS ${INSTALL_MAN} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/ .endfor post-install-EXAMPLES-on: (cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/) ${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/* ${RM} ${STAGEDIR}${EXAMPLESDIR}/sample-config-files/*.orig .include diff --git a/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch b/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch deleted file mode 100644 index bb00494137c0..000000000000 --- a/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch +++ /dev/null @@ -1,302 +0,0 @@ -This work allows obfuscation of the OpenVPN header to make it harder for -layer 7 inspection to identify such traffic, which may come with blocking -or recording actions in certain territories of the world. This patch, in -a nutshell, can increase privacy and range of communication for its users. - -The `scramble' option introduced hereby is off by default. - -The option's usage, history and controversy of the patch is explained in -detail on the following wiki page: - -https://tunnelblick.net/cOpenvpn_xorpatch.html - -diff -u -r -x .DS_Store openvpn-2.5_beta1.old/src/openvpn/forward.c openvpn-2.5_beta1.new/src/openvpn/forward.c ---- openvpn-2.5_beta1.old/src/openvpn/forward.c 2020-08-16 11:57:15.000000000 -0400 -+++ openvpn-2.5_beta1.new/src/openvpn/forward.c 2020-08-16 11:57:15.000000000 -0400 -@@ -811,7 +811,10 @@ - - status = link_socket_read(c->c2.link_socket, - &c->c2.buf, -- &c->c2.from); -+ &c->c2.from, -+ c->options.ce.xormethod, -+ c->options.ce.xormask, -+ c->options.ce.xormasklen); - - if (socket_connection_reset(c->c2.link_socket, status)) - { -@@ -1621,7 +1624,10 @@ - /* Send packet */ - size = link_socket_write(c->c2.link_socket, - &c->c2.to_link, -- to_addr); -+ to_addr, -+ c->options.ce.xormethod, -+ c->options.ce.xormask, -+ c->options.ce.xormasklen); - - /* Undo effect of prepend */ - link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link); -diff -u -r -x .DS_Store openvpn-2.5_rc3.old/src/openvpn/options.c openvpn-2.5_rc3.new/src/openvpn/options.c ---- openvpn-2.5_rc3.old/src/openvpn/options.c 2020-10-19 13:38:17.000000000 -0400 -+++ openvpn-2.5_rc3.new/src/openvpn/options.c 2020-10-19 13:38:17.000000000 -0400 -@@ -821,6 +821,9 @@ - o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; - o->resolve_in_advance = false; - o->proto_force = -1; -+ o->ce.xormethod = 0; -+ o->ce.xormask = "\0"; -+ o->ce.xormasklen = 0; - o->occ = true; - #ifdef ENABLE_MANAGEMENT - o->management_log_history_cache = 250; -@@ -973,6 +976,9 @@ - setenv_str_i(es, "local_port", e->local_port, i); - setenv_str_i(es, "remote", e->remote, i); - setenv_str_i(es, "remote_port", e->remote_port, i); -+ setenv_int_i(es, "xormethod", e->xormethod, i); -+ setenv_str_i(es, "xormask", e->xormask, i); -+ setenv_int_i(es, "xormasklen", e->xormasklen, i); - - if (e->http_proxy_options) - { -@@ -1452,6 +1458,9 @@ - SHOW_BOOL(bind_ipv6_only); - SHOW_INT(connect_retry_seconds); - SHOW_INT(connect_timeout); -+ SHOW_INT (xormethod); -+ SHOW_STR (xormask); -+ SHOW_INT (xormasklen); - - if (o->http_proxy_options) - { -@@ -6260,6 +6269,46 @@ - } - options->proto_force = proto_force; - } -+ else if (streq (p[0], "scramble") && p[1]) -+ { -+ VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); -+ if (streq (p[1], "xormask") && p[2] && (!p[3])) -+ { -+ options->ce.xormethod = 1; -+ options->ce.xormask = p[2]; -+ options->ce.xormasklen = strlen(options->ce.xormask); -+ } -+ else if (streq (p[1], "xorptrpos") && (!p[2])) -+ { -+ options->ce.xormethod = 2; -+ options->ce.xormask = NULL; -+ options->ce.xormasklen = 0; -+ } -+ else if (streq (p[1], "reverse") && (!p[2])) -+ { -+ options->ce.xormethod = 3; -+ options->ce.xormask = NULL; -+ options->ce.xormasklen = 0; -+ } -+ else if (streq (p[1], "obfuscate") && p[2] && (!p[3])) -+ { -+ options->ce.xormethod = 4; -+ options->ce.xormask = p[2]; -+ options->ce.xormasklen = strlen(options->ce.xormask); -+ } -+ else if (!p[2]) -+ { -+ msg (M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]); -+ options->ce.xormethod = 1; -+ options->ce.xormask = p[1]; -+ options->ce.xormasklen = strlen(options->ce.xormask); -+ } -+ else -+ { -+ msg (msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'"); -+ goto err; -+ } -+ } - else if (streq(p[0], "http-proxy") && p[1] && !p[5]) - { - struct http_proxy_options *ho; -diff -u -r -x .DS_Store openvpn-2.5_git_57d6f10.old/src/openvpn/options.h openvpn-2.5_git_57d6f10.new/src/openvpn/options.h ---- openvpn-2.5_git_57d6f10.old/src/openvpn/options.h 2018-07-28 06:02:27.000000000 -0400 -+++ openvpn-2.5_git_57d6f10.new/src/openvpn/options.h 2018-07-28 06:02:27.000000000 -0400 -@@ -99,6 +99,9 @@ - int connect_retry_seconds; - int connect_retry_seconds_max; - int connect_timeout; -+ int xormethod; -+ const char *xormask; -+ int xormasklen; - struct http_proxy_options *http_proxy_options; - const char *socks_proxy_server; - const char *socks_proxy_port; ---- openvpn-2.5_git_974513e/src/openvpn/socket.c 2017-08-17 11:27:23.000000000 -0400 -+++ openvpn-2.5_git_974513e_patched/src/openvpn/socket.c 2017-08-18 18:37:11.000000000 -0400 -@@ -54,6 +54,56 @@ - IPv6_TCP_HEADER_SIZE, - }; - -+int buffer_mask(struct buffer *buf, const char *mask, int xormasklen) -+{ -+ int i; -+ uint8_t *b; -+ if ( xormasklen > 0 ) { -+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) { -+ *b = *b ^ mask[i % xormasklen]; -+ } -+ } -+ return BLEN (buf); -+} -+ -+int buffer_xorptrpos(struct buffer *buf) -+{ -+ int i; -+ uint8_t *b; -+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) { -+ *b = *b ^ i+1; -+ } -+ return BLEN (buf); -+} -+ -+int buffer_reverse(struct buffer *buf) -+{ -+/* This function has been rewritten for Tunnelblick. The buffer_reverse function at -+ * https://github.com/clayface/openvpn_xorpatch -+ * makes a copy of the buffer and it writes to the byte **after** the -+ * buffer contents, so if the buffer is full then it writes outside of the buffer. -+ * This rewritten version does neither. -+ * -+ * For interoperability, this rewritten version preserves the behavior of the original -+ * function: it does not modify the first character of the buffer. So it does not -+ * actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'. -+ * (Of course, the actual buffer contents are bytes, and not necessarily characters.) -+ */ -+ int len = BLEN(buf); -+ if ( len > 2 ) { /* Leave '', 'a', and 'ab' alone */ -+ int i; -+ uint8_t *b_start = BPTR (buf) + 1; /* point to first byte to swap */ -+ uint8_t *b_end = BPTR (buf) + (len - 1); /* point to last byte to swap */ -+ uint8_t tmp; -+ for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) { -+ tmp = *b_start; -+ *b_start = *b_end; -+ *b_end = tmp; -+ } -+ } -+ return len; -+} -+ - /* - * Convert sockflags/getaddr_flags into getaddr_flags - */ -diff -u -r -x .DS_Store openvpn-2.5_beta1.old/src/openvpn/socket.h openvpn-2.5_beta1.new/src/openvpn/socket.h ---- openvpn-2.5_beta1.old/src/openvpn/socket.h 2020-08-16 11:57:17.000000000 -0400 -+++ openvpn-2.5_beta1.new/src/openvpn/socket.h 2020-08-16 11:57:17.000000000 -0400 -@@ -249,6 +249,10 @@ - #endif - }; - -+int buffer_mask(struct buffer *buf, const char *xormask, int xormasklen); -+int buffer_xorptrpos(struct buffer *buf); -+int buffer_reverse(struct buffer *buf); -+ - /* - * Some Posix/Win32 differences. - */ -@@ -1049,30 +1053,56 @@ - static inline int - link_socket_read(struct link_socket *sock, - struct buffer *buf, -- struct link_socket_actual *from) -+ struct link_socket_actual *from, -+ int xormethod, -+ const char *xormask, -+ int xormasklen) - { -+ int res; - if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ - { -- int res; - - #ifdef _WIN32 - res = link_socket_read_udp_win32(sock, buf, from); - #else - res = link_socket_read_udp_posix(sock, buf, from); - #endif -- return res; - } - else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */ - { - /* from address was returned by accept */ - addr_copy_sa(&from->dest, &sock->info.lsa->actual.dest); -- return link_socket_read_tcp(sock, buf); -+ res = link_socket_read_tcp(sock, buf); - } - else - { - ASSERT(0); - return -1; /* NOTREACHED */ - } -+ switch(xormethod) -+ { -+ case 0: -+ break; -+ case 1: -+ buffer_mask(buf,xormask,xormasklen); -+ break; -+ case 2: -+ buffer_xorptrpos(buf); -+ break; -+ case 3: -+ buffer_reverse(buf); -+ break; -+ case 4: -+ buffer_mask(buf,xormask,xormasklen); -+ buffer_xorptrpos(buf); -+ buffer_reverse(buf); -+ buffer_xorptrpos(buf); -+ break; -+ default: -+ ASSERT (0); -+ return -1; /* NOTREACHED */ -+ } -+ return res; - } - - /* -@@ -1163,8 +1193,34 @@ - static inline int - link_socket_write(struct link_socket *sock, - struct buffer *buf, -- struct link_socket_actual *to) -+ struct link_socket_actual *to, -+ int xormethod, -+ const char *xormask, -+ int xormasklen) - { -+ switch(xormethod) -+ { -+ case 0: -+ break; -+ case 1: -+ buffer_mask(buf,xormask,xormasklen); -+ break; -+ case 2: -+ buffer_xorptrpos(buf); -+ break; -+ case 3: -+ buffer_reverse(buf); -+ break; -+ case 4: -+ buffer_xorptrpos(buf); -+ buffer_reverse(buf); -+ buffer_xorptrpos(buf); -+ buffer_mask(buf,xormask,xormasklen); -+ break; -+ default: -+ ASSERT (0); -+ return -1; /* NOTREACHED */ -+ } - if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ - { - return link_socket_write_udp(sock, buf, to);