Index: head/security/openvpn-devel/Makefile
===================================================================
--- head/security/openvpn-devel/Makefile (revision 546734)
+++ head/security/openvpn-devel/Makefile (revision 546735)
@@ -1,145 +1,145 @@ # Created by: Matthias Andree # $FreeBSD$ PORTNAME= openvpn -DISTVERSION= 202033 +DISTVERSION= 202035 CATEGORIES= security net net-vpn MASTER_SITES= https://secure-computing.net/files/openvpn/ PKGNAMESUFFIX= -devel MAINTAINER= ecrist@secure-computing.net # let's use ?= in spite of portlint WARNings because this might become # security/openvpn one day which would then have a slave port: COMMENT?= Secure IP/Ethernet tunnel daemon LICENSE= GPLv2 LICENSE_FILE= ${WRKSRC}/COPYRIGHT.GPL IGNORE_SSL= libressl libressl-devel USES= cpe libtool pkgconfig shebangfix tar:xz CONFLICTS_INSTALL?= openvpn-2.[!4].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]* openvpn-mbedtls-[0-9]* GNU_CONFIGURE= yes WRKSRC= ${WRKDIR}/${PORTNAME}${PKGNAMESUFFIX} SHEBANG_FILES= sample/sample-scripts/verify-cn \ sample/sample-scripts/auth-pam.pl \ sample/sample-scripts/ucn.pl CONFIGURE_ARGS+= --enable-strict # set PLUGIN_LIBDIR so that unqualified plugin paths are found: CONFIGURE_ENV+= PLUGINDIR="${PREFIX}/lib/openvpn/plugins" # let OpenVPN's configure script pick up the requisite libraries, # but do not break the plugin build if an older version is installed CPPFLAGS+= -I${WRKSRC}/include -I${LOCALBASE}/include LDFLAGS+= -L${LOCALBASE}/lib OPTIONS_DEFINE= PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \ TEST LZ4 SMALL TUNNELBLICK OPTIONS_DEFAULT= EASYRSA OPENSSL TEST LZ4 OPTIONS_SINGLE= SSL OPTIONS_SINGLE_SSL= OPENSSL MBEDTLS PKCS11_DESC= Use security/pkcs11-helper EASYRSA_DESC= Install security/easy-rsa RSA helper package MBEDTLS_DESC= SSL/TLS via mbedTLS (lacks TLS v1.3) TUNNELBLICK_DESC= Tunnelblick XOR scramble patch (READ HELP!) 
X509ALTUSERNAME_DESC= Enable --x509-username-field (OpenSSL only) SMALL_DESC= Build a smaller executable with fewer features EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa PKCS11_LIB_DEPENDS= libpkcs11-helper.so:security/pkcs11-helper PKCS11_CONFIGURE_ENABLE= pkcs11 PKCS11_PREVENTS= MBEDTLS PKCS11_PREVENTS_MSG= OpenVPN cannot use pkcs11-helper with mbedTLS. Disable PKCS11, or use OpenSSL instead TUNNELBLICK_EXTRA_PATCHES= ${FILESDIR}/extra-tunnelblick-openvpn_xorpatch X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username X509ALTUSERNAME_PREVENTS= MBEDTLS X509ALTUSERNAME_PREVENTS_MSG= OpenVPN ${DISTVERSION} cannot use --x509-username-field with mbedTLS. Disable X509ALTUSERNAME, or use OpenSSL instead OPENSSL_USES= ssl OPENSSL_CONFIGURE_ON= --with-crypto-library=openssl LZ4_CONFIGURE_OFF= --disable-lz4 SMALL_CONFIGURE_ON= --enable-small MBEDTLS_LIB_DEPENDS= libmbedtls.so:security/mbedtls MBEDTLS_CONFIGURE_ON= --with-crypto-library=mbedtls USE_RC_SUBR= openvpn SUB_FILES= pkg-message openvpn-client .ifdef (LOG_OPENVPN) CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN} .endif BUILD_DEPENDS+= cmocka>=0:sysutils/cmocka \ rst2man:textproc/py-docutils LIB_DEPENDS+= liblzo2.so:archivers/lzo2 LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4 PORTDOCS= * PORTEXAMPLES= * TEST_ALL_TARGET= check TEST_TEST_TARGET_OFF= check pre-configure: .ifdef (LOG_OPENVPN) @${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}" .else @${ECHO} "" @${ECHO} "You may use the following build options:" @${ECHO} "" @${ECHO} " LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}" @${ECHO} " EXAMPLE: make LOG_OPENVPN=LOG_LOCAL6" @${ECHO} "" .endif post-configure: ${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \ ${WRKSRC}/src/plugins/auth-pam/Makefile \ ${WRKSRC}/src/plugins/down-root/Makefile .include .if ${PORT_OPTIONS:MMBEDTLS} _tlslibs=libmbedtls libmbedx509 libmbedcrypto .else # OpenSSL _tlslibs=libssl libcrypto .endif # sanity check that we don't inherit incompatible SSL libs through, # for instance, pkcs11-helper: 
post-build: @a=$$(LC_ALL=C ldd -f '%o\n' ${WRKSRC}/src/openvpn/openvpn \ | ${SORT} -u) ; set -- $$(for i in ${_tlslibs} ; do ${PRINTF} '%s\n' "$$a" | ${GREP} $${i}.so | wc -l ; done | ${SORT} -u) ;\ if test "$$*" != "1" ; then ${ECHO_CMD} >&2 "${.CURDIR} FAILED: either of ${_tlslibs} libraries linked multiple times" ; ${PRINTF} '%s\n' "$$a"; ${RM} ${BUILD_COOKIE} ; exit 1 ; fi post-install: ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down @${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up ${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client ${MKDIR} ${STAGEDIR}${PREFIX}/include post-install-DOCS-on: ${MKDIR} ${STAGEDIR}${DOCSDIR}/ .for i in AUTHORS ChangeLog PORTS ${INSTALL_DATA} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/ .endfor post-install-EXAMPLES-on: (cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/) ${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/* .include Index: head/security/openvpn-devel/distinfo =================================================================== --- head/security/openvpn-devel/distinfo (revision 546734) +++ head/security/openvpn-devel/distinfo (revision 546735) 
@@ -1,3 +1,3 @@
-TIMESTAMP = 1597145486
-SHA256 (openvpn-202033.tar.xz) = 0759d8f06b1af368bf6551785f90e8deceee1396ae5046fd2a96a7a8fcb88b05
-SIZE (openvpn-202033.tar.xz) = 1057600
+TIMESTAMP = 1598621546
+SHA256 (openvpn-202035.tar.xz) = ea195c1c1c2e9bc1a5ff443b2649e58f730926bd34fe6ab24400a11c749c11cd
+SIZE (openvpn-202035.tar.xz) = 1053628
Index: head/security/openvpn-devel/files/extra-tunnelblick-openvpn_xorpatch
===================================================================
--- head/security/openvpn-devel/files/extra-tunnelblick-openvpn_xorpatch (revision 546734)
+++ head/security/openvpn-devel/files/extra-tunnelblick-openvpn_xorpatch (revision 546735)
@@ -1,296 +1,294 @@
 This work allows obfuscation of the OpenVPN header to make it harder for layer 7 inspection to identify such traffic, which may come with blocking or recording actions in certain territories of the world. This patch, in a nutshell, can increase privacy and range of communication for its users. The `scramble' option introduced hereby is off by default. The option's usage, history and controversy of the patch is explained in detail on the following wiki page: https://tunnelblick.net/cOpenvpn_xorpatch.html The patch was ported to OpenVPN 2.4 by OPNsense.
 --- src/openvpn/forward.c.orig 2016-12-22 07:25:18 UTC
 +++ src/openvpn/forward.c
 @@ -730,7 +730,10 @@ read_incoming_link(struct context *c)
  status = link_socket_read(c->c2.link_socket, &c->c2.buf,
 - &c->c2.from);
 + &c->c2.from,
 + c->options.ce.xormethod,
 + c->options.ce.xormask,
 + c->options.ce.xormasklen);
  if (socket_connection_reset(c->c2.link_socket, status)) {
 @@ -1368,7 +1371,10 @@ process_outgoing_link(struct context *c)
  /* Send packet */
  size = link_socket_write(c->c2.link_socket, &c->c2.to_link,
 - to_addr);
 + to_addr,
 + c->options.ce.xormethod,
 + c->options.ce.xormask,
 + c->options.ce.xormasklen);
  /* Undo effect of prepend */
  link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link);
 --- src/openvpn/options.c.orig 2016-12-22 07:25:18 UTC
 +++ src/openvpn/options.c
-@@ -811,6 +811,9 @@ init_options(struct options *o, const bo
+@@ -811,4 +811,7 @@ init_options(struct options *o, const bo
  o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
  o->resolve_in_advance = false;
  o->proto_force = -1;
 + o->ce.xormethod = 0;
 + o->ce.xormask = "\0";
 + o->ce.xormasklen = 0;
- #ifdef ENABLE_OCC
  o->occ = true;
- #endif
 @@ -972,6 +975,9 @@ setenv_connection_entry(struct env_set *
  setenv_str_i(es, "local_port", e->local_port, i);
  setenv_str_i(es, "remote", e->remote, i);
  setenv_str_i(es, "remote_port", e->remote_port, i);
 + setenv_int_i(es, "xormethod", e->xormethod, i);
 + setenv_str_i(es, "xormask", e->xormask, i);
 + setenv_int_i(es, "xormasklen", e->xormasklen, i);
  if (e->http_proxy_options) {
 @@ -1474,6 +1480,9 @@ show_connection_entry(const struct conne
  SHOW_BOOL(bind_ipv6_only);
  SHOW_INT(connect_retry_seconds);
  SHOW_INT(connect_timeout);
 + SHOW_INT(xormethod);
 + SHOW_STR(xormask);
 + SHOW_INT(xormasklen);
  if (o->http_proxy_options) {
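Review bot: The three setenv_*_i calls added in setenv_connection_entry export the scramble mask into the environment handed to --up/--down scripts and plugins, next to `remote` and `remote_port`, so the mask is visible to every script and to anything that dumps the script environment; a comment stating that this is deliberate would help, e.g. `/* exported to scripts/plugins like the other connection-entry fields; note the mask then appears in script env dumps */`. For xormethod 2 and 3 add_option stores NULL in ce.xormask, so `setenv_str_i(es, "xormask", e->xormask, i)` is reached with a NULL value; I believe the setenv_str family treats NULL as "unset" rather than dereferencing it, but that code is outside this hunk and worth confirming. setenv_connection_entry continues outside the hunk.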
 @@ -5915,6 +5924,46 @@ add_option(struct options *options,
  }
  options->proto_force = proto_force;
  }
 + else if (streq (p[0], "scramble") && p[1])
 + {
 + VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
 + if (streq (p[1], "xormask") && p[2] && (!p[3]))
 + {
 + options->ce.xormethod = 1;
 + options->ce.xormask = p[2];
 + options->ce.xormasklen = strlen(options->ce.xormask);
 + }
 + else if (streq (p[1], "xorptrpos") && (!p[2]))
 + {
 + options->ce.xormethod = 2;
 + options->ce.xormask = NULL;
 + options->ce.xormasklen = 0;
 + }
 + else if (streq (p[1], "reverse") && (!p[2]))
 + {
 + options->ce.xormethod = 3;
 + options->ce.xormask = NULL;
 + options->ce.xormasklen = 0;
 + }
 + else if (streq (p[1], "obfuscate") && p[2] && (!p[3]))
 + {
 + options->ce.xormethod = 4;
 + options->ce.xormask = p[2];
 + options->ce.xormasklen = strlen(options->ce.xormask);
 + }
 + else if (!p[2])
 + {
 + msg(M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]);
 + options->ce.xormethod = 1;
 + options->ce.xormask = p[1];
 + options->ce.xormasklen = strlen(options->ce.xormask);
 + }
 + else
 + {
 + msg(msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'");
 + goto err;
 + }
 + }
  else if (streq(p[0], "http-proxy") && p[1] && !p[5])
  {
  struct http_proxy_options *ho;
 --- src/openvpn/options.h.orig 2016-12-22 07:25:18 UTC
 +++ src/openvpn/options.h
 @@ -98,6 +98,9 @@ struct connection_entry
  int connect_retry_seconds;
  int connect_retry_seconds_max;
  int connect_timeout;
 + int xormethod;
 + const char *xormask;
 + int xormasklen;
  struct http_proxy_options *http_proxy_options;
  const char *socks_proxy_server;
  const char *socks_proxy_port;
 --- src/openvpn/socket.c.orig 2016-12-22 07:25:18 UTC
 +++ src/openvpn/socket.c
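Review bot: The `xormask` and `obfuscate` branches accept an empty mask: `scramble xormask ""` leaves xormasklen at 0, and buffer_mask in socket.c then skips the XOR entirely, so the link runs unscrambled while the configuration reads as scrambled; reject it at parse time in both branches with `if (options->ce.xormasklen == 0) { msg(msglevel, "scramble: mask must not be empty"); goto err; }`. The trailing `else if (!p[2])` fallback also catches `scramble xormask` with the mask argument forgotten, because the first branch requires p[2]: the literal word "xormask" then becomes the mask, with only an M_WARN warning. Since the resulting wire format then silently differs from what the operator configured, failing with `goto err` there would be the safer choice. add_option's else-if chain continues outside this hunk.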
 @@ -55,6 +55,53 @@ const int proto_overhead[] = { /* indexe
  IPv6_TCP_HEADER_SIZE,
  };
 +int buffer_mask (struct buffer *buf, const char *mask, int xormasklen) {
 + int i;
 + uint8_t *b;
 + if ( xormasklen > 0 ) {
 + for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
 + *b = *b ^ mask[i % xormasklen];
 + }
 + }
 + return BLEN (buf);
 +}
 +
 +int buffer_xorptrpos (struct buffer *buf) {
 + int i;
 + uint8_t *b;
 + for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
 + *b = *b ^ i+1;
 + }
 + return BLEN (buf);
 +}
 +
 +int buffer_reverse (struct buffer *buf) {
 +/* This function has been rewritten for Tunnelblick. The buffer_reverse function at
 + * https://github.com/clayface/openvpn_xorpatch
 + * makes a copy of the buffer and it writes to the byte **after** the
 + * buffer contents, so if the buffer is full then it writes outside of the buffer.
 + * This rewritten version does neither.
 + *
 + * For interoperability, this rewritten version preserves the behavior of the original
 + * function: it does not modify the first character of the buffer. So it does not
 + * actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'.
 + * (Of course, the actual buffer contents are bytes, and not necessarily characters.)
 + */
 + int len = BLEN(buf);
 + if ( len > 2 ) { /* Leave '', 'a', and 'ab' alone */
 + int i;
 + uint8_t *b_start = BPTR (buf) + 1; /* point to first byte to swap */
 + uint8_t *b_end = BPTR (buf) + (len - 1); /* point to last byte to swap */
 + uint8_t tmp;
 + for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) {
 + tmp = *b_start;
 + *b_start = *b_end;
 + *b_end = tmp;
 + }
 + }
 + return len;
 +}
 +
  /*
  * Convert sockflags/getaddr_flags into getaddr_flags
  */
 --- src/openvpn/socket.h.orig 2016-12-22 07:25:18 UTC
 +++ src/openvpn/socket.h
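Review bot: `*b = *b ^ i+1;` in buffer_xorptrpos depends on `+` binding tighter than `^`; it evaluates as `*b ^ (i + 1)`, which is what the matching call order in link_socket_read and link_socket_write relies on, but the bare form invites a well-meant "fix" that would break interoperability with peers, so write it as `*b = *b ^ (uint8_t)(i + 1);` (same result, intent explicit). The three helpers carry no header comment; a short one such as `/* Byte-wise transforms behind the --scramble option. They obfuscate packet shape only; confidentiality and integrity still rest on the normal TLS/data-channel crypto. Each transform is its own inverse; method 4 combines them in an order-dependent way, so read and write must apply them in mirrored order. */` placed above buffer_mask would stop them being mistaken for encryption. buffer_mask's no-op on xormasklen == 0 is also worth a one-line comment, since an empty mask silently disables scrambling.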
 @@ -249,6 +249,10 @@ struct link_socket
  #endif
  };
 +int buffer_mask (struct buffer *buf, const char *xormask, int xormasklen);
 +int buffer_xorptrpos (struct buffer *buf);
 +int buffer_reverse (struct buffer *buf);
 +
  /*
  * Some Posix/Win32 differences.
  */
 @@ -1046,30 +1050,55 @@ int link_socket_read_udp_posix(struct li
  static inline int link_socket_read(struct link_socket *sock, struct buffer *buf,
 - struct link_socket_actual *from)
 + struct link_socket_actual *from,
 + int xormethod,
 + const char *xormask,
 + int xormasklen)
  {
 + int res;
 +
  if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ {
 - int res;
 -
  #ifdef _WIN32
  res = link_socket_read_udp_win32(sock, buf, from);
  #else
  res = link_socket_read_udp_posix(sock, buf, from);
  #endif
 - return res;
  }
  else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */ {
  /* from address was returned by accept */
  addr_copy_sa(&from->dest, &sock->info.lsa->actual.dest);
 - return link_socket_read_tcp(sock, buf);
 + res = link_socket_read_tcp(sock, buf);
  }
  else {
  ASSERT(0);
  return -1; /* NOTREACHED */
  }
 + switch (xormethod) {
 + case 0:
 + break;
 + case 1:
 + buffer_mask(buf,xormask,xormasklen);
 + break;
 + case 2:
 + buffer_xorptrpos(buf);
 + break;
 + case 3:
 + buffer_reverse(buf);
 + break;
 + case 4:
 + buffer_mask(buf,xormask,xormasklen);
 + buffer_xorptrpos(buf);
 + buffer_reverse(buf);
 + buffer_xorptrpos(buf);
 + break;
 + default:
 + ASSERT (0);
 + return -1; /* NOTREACHED */
 + }
 + return res;
  }
  /*
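Review bot: The de-scrambling switch at the end of link_socket_read runs regardless of the value of res, because nothing between the UDP/TCP branches and `switch (xormethod)` checks it; the helpers iterate over BLEN(buf), so this is presumably harmless as long as a failed read leaves buf->len at or below zero, but it ties correctness to how link_socket_read_udp_* and link_socket_read_tcp report errors through buf, which is outside this hunk. Add `if (res <= 0) { return res; }` before the switch so the transforms only ever touch bytes that were actually received. The same switch appears in link_socket_write on the following hunk with the method-4 calls in mirrored order; pulling both into one helper beside buffer_mask, with the direction as a parameter, would keep the two orderings from drifting apart. The whole of link_socket_read lies inside this hunk.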
 @@ -1159,8 +1188,33 @@ link_socket_write_udp(struct link_socket
  static inline int link_socket_write(struct link_socket *sock, struct buffer *buf,
 - struct link_socket_actual *to)
 + struct link_socket_actual *to,
 + int xormethod,
 + const char *xormask,
 + int xormasklen)
  {
 + switch (xormethod) {
 + case 0:
 + break;
 + case 1:
 + buffer_mask(buf,xormask,xormasklen);
 + break;
 + case 2:
 + buffer_xorptrpos(buf);
 + break;
 + case 3:
 + buffer_reverse(buf);
 + break;
 + case 4:
 + buffer_xorptrpos(buf);
 + buffer_reverse(buf);
 + buffer_xorptrpos(buf);
 + buffer_mask(buf,xormask,xormasklen);
 + break;
 + default:
 + ASSERT (0);
 + return -1; /* NOTREACHED */
 + }
  if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ {
  return link_socket_write_udp(sock, buf, to);