diff --git a/net/openvpn/Makefile b/net/openvpn/Makefile
index e6530071..857491b9 100644
--- a/net/openvpn/Makefile
+++ b/net/openvpn/Makefile
@@ -2,7 +2,7 @@
 # $Id$
 #
 PORTNAME= openvpn
-PORTVERSION= 2.5.5
+PORTVERSION= 2.6.6
 CATEGORIES= security net
 #MASTER_SITES= http://openvpn.net/release/
 MASTER_SITES+= http://swupdate.openvpn.net/community/releases/
@@ -13,7 +13,7 @@ COMMENT= Secure IP/Ethernet tunnel daemon
 
 LIB_DEPENDS+= liblzo2.so:arch/liblzo2
 
-USES+= tar:xz
+
 GNU_CONFIGURE= yes
 USES+= gmake
 CONFIGURE_ARGS+= --enable-password-save
diff --git a/net/openvpn/distinfo b/net/openvpn/distinfo
index 1318bcad..bda026ec 100644
--- a/net/openvpn/distinfo
+++ b/net/openvpn/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1645868736
-SHA256 (openvpn-2.5.5.tar.xz) = 119bd69fa0210838f6cdaa273696dc738efa200f454dbe11eb6dfb75dfb6003b
-SIZE (openvpn-2.5.5.tar.xz) = 1147184
+TIMESTAMP = 1694376351
+SHA256 (openvpn-2.6.6.tar.gz) = 3b074f392818b31aa529b84f76e8b5e4ad03fca764924f46d906bceaaf421034
+SIZE (openvpn-2.6.6.tar.gz) = 1901689
diff --git a/net/openvpn/files/extra-tunnelblick-openvpn_xorpatch b/net/openvpn/files/extra-tunnelblick-openvpn_xorpatch
deleted file mode 100644
index 63e73bae..00000000
--- a/net/openvpn/files/extra-tunnelblick-openvpn_xorpatch
+++ /dev/null
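Review bot: In the second Makefile hunk the removed `USES+= tar:xz` is replaced by an empty `+` line instead of being deleted, which leaves an extra blank line before `GNU_CONFIGURE= yes`; drop the `+` line so the USES entries stay grouped together. Dropping tar:xz is consistent with distinfo now naming `openvpn-2.6.6.tar.gz`, so the default tarball handling presumably covers the new distfile. Separately, this upgrade also deletes `files/extra-tunnelblick-openvpn_xorpatch`, so any configuration still carrying the `scramble` option that patch added will presumably be rejected by 2.6.6 as an unrecognised option; that user-visible change is worth a sentence in the commit message or a port UPDATING entry, neither of which is visible here.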
@@ -1,296 +0,0 @@ -This work allows obfuscation of the OpenVPN header to make it harder for -layer 7 inspection to identify such traffic, which may come with blocking -or recording actions in certain territories of the world. This patch, in -a nutshell, can increase privacy and range of communication for its users. - -The `scramble' option introduced hereby is off by default. - -The option's usage, history and controversy of the patch is explained in -detail on the following wiki page: - -https://tunnelblick.net/cOpenvpn_xorpatch.html - -The patch was ported to OpenVPN 2.4 by OPNsense. - ---- src/openvpn/forward.c.orig 2016-12-22 07:25:18 UTC -+++ src/openvpn/forward.c -@@ -730,7 +730,10 @@ read_incoming_link(struct context *c) - - status = link_socket_read(c->c2.link_socket, - &c->c2.buf, -- &c->c2.from); -+ &c->c2.from, -+ c->options.ce.xormethod, -+ c->options.ce.xormask, -+ c->options.ce.xormasklen); - - if (socket_connection_reset(c->c2.link_socket, status)) - { -@@ -1368,7 +1371,10 @@ process_outgoing_link(struct context *c) - /* Send packet */ - size = link_socket_write(c->c2.link_socket, - &c->c2.to_link, -- to_addr); -+ to_addr, -+ c->options.ce.xormethod, -+ c->options.ce.xormask, -+ c->options.ce.xormasklen); - - /* Undo effect of prepend */ - link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link); ---- src/openvpn/options.c.orig 2016-12-22 07:25:18 UTC -+++ src/openvpn/options.c -@@ -811,6 +811,9 @@ init_options(struct options *o, const bo - o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; - o->resolve_in_advance = false; - o->proto_force = -1; -+ o->ce.xormethod = 0; -+ o->ce.xormask = "\0"; -+ o->ce.xormasklen = 0; - #ifdef ENABLE_OCC - o->occ = true; - #endif -@@ -972,6 +975,9 @@ setenv_connection_entry(struct env_set * - setenv_str_i(es, "local_port", e->local_port, i); - setenv_str_i(es, "remote", e->remote, i); - setenv_str_i(es, "remote_port", e->remote_port, i); -+ setenv_int_i(es, "xormethod", e->xormethod, i); -+ 
setenv_str_i(es, "xormask", e->xormask, i); -+ setenv_int_i(es, "xormasklen", e->xormasklen, i); - - if (e->http_proxy_options) - { -@@ -1474,6 +1480,9 @@ show_connection_entry(const struct conne - SHOW_BOOL(bind_ipv6_only); - SHOW_INT(connect_retry_seconds); - SHOW_INT(connect_timeout); -+ SHOW_INT(xormethod); -+ SHOW_STR(xormask); -+ SHOW_INT(xormasklen); - - if (o->http_proxy_options) - { -@@ -5915,6 +5924,46 @@ add_option(struct options *options, - } - options->proto_force = proto_force; - } -+ else if (streq (p[0], "scramble") && p[1]) -+ { -+ VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); -+ if (streq (p[1], "xormask") && p[2] && (!p[3])) -+ { -+ options->ce.xormethod = 1; -+ options->ce.xormask = p[2]; -+ options->ce.xormasklen = strlen(options->ce.xormask); -+ } -+ else if (streq (p[1], "xorptrpos") && (!p[2])) -+ { -+ options->ce.xormethod = 2; -+ options->ce.xormask = NULL; -+ options->ce.xormasklen = 0; -+ } -+ else if (streq (p[1], "reverse") && (!p[2])) -+ { -+ options->ce.xormethod = 3; -+ options->ce.xormask = NULL; -+ options->ce.xormasklen = 0; -+ } -+ else if (streq (p[1], "obfuscate") && p[2] && (!p[3])) -+ { -+ options->ce.xormethod = 4; -+ options->ce.xormask = p[2]; -+ options->ce.xormasklen = strlen(options->ce.xormask); -+ } -+ else if (!p[2]) -+ { -+ msg(M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]); -+ options->ce.xormethod = 1; -+ options->ce.xormask = p[1]; -+ options->ce.xormasklen = strlen(options->ce.xormask); -+ } -+ else -+ { -+ msg(msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'"); -+ goto err; -+ } -+ } - else if (streq(p[0], "http-proxy") && p[1] && !p[5]) - { - struct http_proxy_options *ho; ---- src/openvpn/options.h.orig 2016-12-22 07:25:18 UTC -+++ src/openvpn/options.h -@@ -98,6 +98,9 @@ struct connection_entry - int connect_retry_seconds; - int connect_retry_seconds_max; - int connect_timeout; -+ int xormethod; -+ const char 
*xormask; -+ int xormasklen; - struct http_proxy_options *http_proxy_options; - const char *socks_proxy_server; - const char *socks_proxy_port; ---- src/openvpn/socket.c.orig 2016-12-22 07:25:18 UTC -+++ src/openvpn/socket.c -@@ -55,6 +55,53 @@ const int proto_overhead[] = { /* indexe - IPv6_TCP_HEADER_SIZE, - }; - -+int buffer_mask (struct buffer *buf, const char *mask, int xormasklen) { -+ int i; -+ uint8_t *b; -+ if ( xormasklen > 0 ) { -+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) { -+ *b = *b ^ mask[i % xormasklen]; -+ } -+ } -+ return BLEN (buf); -+} -+ -+int buffer_xorptrpos (struct buffer *buf) { -+ int i; -+ uint8_t *b; -+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) { -+ *b = *b ^ i+1; -+ } -+ return BLEN (buf); -+} -+ -+int buffer_reverse (struct buffer *buf) { -+/* This function has been rewritten for Tunnelblick. The buffer_reverse function at -+ * https://github.com/clayface/openvpn_xorpatch -+ * makes a copy of the buffer and it writes to the byte **after** the -+ * buffer contents, so if the buffer is full then it writes outside of the buffer. -+ * This rewritten version does neither. -+ * -+ * For interoperability, this rewritten version preserves the behavior of the original -+ * function: it does not modify the first character of the buffer. So it does not -+ * actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'. -+ * (Of course, the actual buffer contents are bytes, and not necessarily characters.) 
-+ */ -+ int len = BLEN(buf); -+ if ( len > 2 ) { /* Leave '', 'a', and 'ab' alone */ -+ int i; -+ uint8_t *b_start = BPTR (buf) + 1; /* point to first byte to swap */ -+ uint8_t *b_end = BPTR (buf) + (len - 1); /* point to last byte to swap */ -+ uint8_t tmp; -+ for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) { -+ tmp = *b_start; -+ *b_start = *b_end; -+ *b_end = tmp; -+ } -+ } -+ return len; -+} -+ - /* - * Convert sockflags/getaddr_flags into getaddr_flags - */ ---- src/openvpn/socket.h.orig 2016-12-22 07:25:18 UTC -+++ src/openvpn/socket.h -@@ -249,6 +249,10 @@ struct link_socket - #endif - }; - -+int buffer_mask (struct buffer *buf, const char *xormask, int xormasklen); -+int buffer_xorptrpos (struct buffer *buf); -+int buffer_reverse (struct buffer *buf); -+ - /* - * Some Posix/Win32 differences. - */ -@@ -1046,30 +1050,55 @@ int link_socket_read_udp_posix(struct li - static inline int - link_socket_read(struct link_socket *sock, - struct buffer *buf, -- struct link_socket_actual *from) -+ struct link_socket_actual *from, -+ int xormethod, -+ const char *xormask, -+ int xormasklen) - { -+ int res; -+ - if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ - { -- int res; -- - #ifdef _WIN32 - res = link_socket_read_udp_win32(sock, buf, from); - #else - res = link_socket_read_udp_posix(sock, buf, from); - #endif -- return res; - } - else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */ - { - /* from address was returned by accept */ - addr_copy_sa(&from->dest, &sock->info.lsa->actual.dest); -- return link_socket_read_tcp(sock, buf); -+ res = link_socket_read_tcp(sock, buf); - } - else - { - ASSERT(0); - return -1; /* NOTREACHED */ - } -+ switch (xormethod) { -+ case 0: -+ break; -+ case 1: -+ buffer_mask(buf,xormask,xormasklen); -+ break; -+ case 2: -+ buffer_xorptrpos(buf); -+ break; -+ case 3: -+ buffer_reverse(buf); -+ break; -+ case 4: -+ buffer_mask(buf,xormask,xormasklen); -+ buffer_xorptrpos(buf); -+ buffer_reverse(buf); 
-+ buffer_xorptrpos(buf); -+ break; -+ default: -+ ASSERT (0); -+ return -1; /* NOTREACHED */ -+ } -+ return res; - } - - /* -@@ -1159,8 +1188,33 @@ link_socket_write_udp(struct link_socket - static inline int - link_socket_write(struct link_socket *sock, - struct buffer *buf, -- struct link_socket_actual *to) -+ struct link_socket_actual *to, -+ int xormethod, -+ const char *xormask, -+ int xormasklen) - { -+ switch (xormethod) { -+ case 0: -+ break; -+ case 1: -+ buffer_mask(buf,xormask,xormasklen); -+ break; -+ case 2: -+ buffer_xorptrpos(buf); -+ break; -+ case 3: -+ buffer_reverse(buf); -+ break; -+ case 4: -+ buffer_xorptrpos(buf); -+ buffer_reverse(buf); -+ buffer_xorptrpos(buf); -+ buffer_mask(buf,xormask,xormasklen); -+ break; -+ default: -+ ASSERT (0); -+ return -1; /* NOTREACHED */ -+ } - if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ - { - return link_socket_write_udp(sock, buf, to); diff --git a/net/openvpn/files/patch-doc_man-sections_generic-options.rst b/net/openvpn/files/patch-doc_man-sections_generic-options.rst index a6fecf86..295f20cd 100644 --- a/net/openvpn/files/patch-doc_man-sections_generic-options.rst +++ b/net/openvpn/files/patch-doc_man-sections_generic-options.rst 
@@ -1,11 +1,11 @@
---- doc/man-sections/generic-options.rst.orig 2021-10-31 16:17:17 UTC
+--- doc/man-sections/generic-options.rst.orig 2023-01-25 10:00:58 UTC
 +++ doc/man-sections/generic-options.rst
-@@ -431,7 +431,7 @@ which mode OpenVPN is configured as.
- able to gain control of an OpenVPN session. Though OpenVPN's security
- features make this unlikely, it is provided as a second line of defense.
+@@ -507,5 +507,8 @@ which mode OpenVPN is configured as.
+ since it is usually used by other system services already. Always
+ create a dedicated user for openvpn.
  
-- By setting ``user`` to :code:`nobody` or somebody similarly unprivileged,
-+ By setting ``user`` to :code:`openvpn` or somebody similarly unprivileged,
- the hostile party would be limited in what damage they could cause. Of
- course once you take away privileges, you cannot return them to an
- OpenVPN session. This means, for example, that if you want to reset an
++ The FreeBSD port creates a group and user named :code:`openvpn`
++ for this purpose.
++
+ --writepid file
+ Write OpenVPN's main process ID to ``file``.
diff --git a/net/openvpn/files/patch-doc_openvpn.8 b/net/openvpn/files/patch-doc_openvpn.8
deleted file mode 100644
index a536dae7..00000000
--- a/net/openvpn/files/patch-doc_openvpn.8
+++ /dev/null
@@ -1,20 +0,0 @@ ---- doc/openvpn.8.orig 2021-10-05 05:57:01 UTC -+++ doc/openvpn.8 -@@ -358,7 +358,7 @@ lower priority, \fBn\fP less than zero is higher prior - .B \-\-persist\-key - Don\(aqt re\-read key files across \fBSIGUSR1\fP or \fB\-\-ping\-restart\fP\&. - .sp --This option can be combined with \fB\-\-user nobody\fP to allow restarts -+This option can be combined with \fB\-\-user openvpn\fP to allow restarts - triggered by the \fBSIGUSR1\fP signal. Normally if you drop root - privileges in OpenVPN, the daemon cannot be restarted since it will now - be unable to re\-read protected key files. -@@ -577,7 +577,7 @@ useful to protect the system in the event that some ho - able to gain control of an OpenVPN session. Though OpenVPN\(aqs security - features make this unlikely, it is provided as a second line of defense. - .sp --By setting \fBuser\fP to \fBnobody\fP or somebody similarly unprivileged, -+By setting \fBuser\fP to \fBopenvpn\fP or somebody similarly unprivileged, - the hostile party would be limited in what damage they could cause. Of - course once you take away privileges, you cannot return them to an - OpenVPN session. This means, for example, that if you want to reset an diff --git a/net/openvpn/files/patch-doc_openvpn.8.html b/net/openvpn/files/patch-doc_openvpn.8.html deleted file mode 100644 index 5b1e8e80..00000000 --- a/net/openvpn/files/patch-doc_openvpn.8.html +++ /dev/null @@ -1,20 +0,0 @@ ---- doc/openvpn.8.html.orig 2021-10-05 05:57:01 UTC -+++ doc/openvpn.8.html -@@ -650,7 +650,7 @@ lower priority, n le - - --persist-key -

Don't re-read key files across SIGUSR1 or --ping-restart.

--

This option can be combined with --user nobody to allow restarts -+

This option can be combined with --user openvpn to allow restarts - triggered by the SIGUSR1 signal. Normally if you drop root - privileges in OpenVPN, the daemon cannot be restarted since it will now - be unable to re-read protected key files.

-@@ -824,7 +824,7 @@ initialization, dropping privileges in the process. Th - useful to protect the system in the event that some hostile party was - able to gain control of an OpenVPN session. Though OpenVPN's security - features make this unlikely, it is provided as a second line of defense.

--

By setting user to nobody or somebody similarly unprivileged, -+

By setting user to openvpn or somebody similarly unprivileged, - the hostile party would be limited in what damage they could cause. Of - course once you take away privileges, you cannot return them to an - OpenVPN session. This means, for example, that if you want to reset an diff --git a/net/openvpn/files/patch-src_openvpn_openssl__compat.h b/net/openvpn/files/patch-src_openvpn_openssl__compat.h deleted file mode 100644 index 2d68b96e..00000000 --- a/net/openvpn/files/patch-src_openvpn_openssl__compat.h +++ /dev/null @@ -1,20 +0,0 @@ ---- src/openvpn/openssl_compat.h.orig 2020-04-16 13:26:45 UTC -+++ src/openvpn/openssl_compat.h -@@ -747,7 +747,7 @@ SSL_CTX_get_max_proto_version(SSL_CTX *ctx) - } - #endif /* SSL_CTX_get_max_proto_version */ - --#ifndef SSL_CTX_set_min_proto_version -+#if !defined(SSL_CTX_set_min_proto_version) && !defined(LIBRESSL_VERSION_NUMBER) - /** Mimics SSL_CTX_set_min_proto_version for OpenSSL < 1.1 */ - static inline int - SSL_CTX_set_min_proto_version(SSL_CTX *ctx, long tls_ver_min) -@@ -776,7 +776,7 @@ SSL_CTX_set_min_proto_version(SSL_CTX *ctx, long tls_v - } - #endif /* SSL_CTX_set_min_proto_version */ - --#ifndef SSL_CTX_set_max_proto_version -+#if !defined(SSL_CTX_set_max_proto_version) && !defined(LIBRESSL_VERSION_NUMBER) - /** Mimics SSL_CTX_set_max_proto_version for OpenSSL < 1.1 */ - static inline int - SSL_CTX_set_max_proto_version(SSL_CTX *ctx, long tls_ver_max) diff --git a/net/openvpn/pkg-plist.new b/net/openvpn/pkg-plist.new new file mode 100644 index 00000000..5f144723 --- /dev/null +++ b/net/openvpn/pkg-plist.new 
@@ -0,0 +1,39 @@
+etc/rc.d/openvpn
+include/openvpn-msg.h
+include/openvpn-plugin.h
+lib/openvpn/plugins/openvpn-plugin-auth-pam.la
+lib/openvpn/plugins/openvpn-plugin-auth-pam.so
+lib/openvpn/plugins/openvpn-plugin-down-root.la
+lib/openvpn/plugins/openvpn-plugin-down-root.so
+man/man5/openvpn-examples.5.gz
+man/man8/openvpn.8.gz
+sbin/openvpn
+share/doc/openvpn/Changes.rst
+share/doc/openvpn/COPYING
+share/doc/openvpn/COPYRIGHT.GPL
+share/doc/openvpn/gui-notes.txt
+share/doc/openvpn/management-notes.txt
+share/doc/openvpn/README
+share/doc/openvpn/README.auth-pam
+share/doc/openvpn/README.down-root
+share/doc/openvpn/README.mbedtls
+share/examples/openvpn/client.conf
+share/examples/openvpn/server.conf
+share/examples/openvpn/tls-home.conf
+share/examples/openvpn/tls-office.conf
+@dir etc/rc.d
+@dir etc
+@dir include
+@dir lib/openvpn/plugins
+@dir lib/openvpn
+@dir lib
+@dir man/man5
+@dir man/man8
+@dir man
+@dir sbin
+@dir share/doc/openvpn
+@dir share/doc
+@dir share/examples/openvpn
+@dir share/examples
+@dir share
+@dir .
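Review bot: The new plist is added under the name `pkg-plist.new`, which the ports framework does not read (it looks for `pkg-plist`), so none of these 39 entries take effect and the file reads like a `make makeplist` artefact committed by mistake; either rename it to `pkg-plist` or drop it. If it is kept, the trailing `@dir etc`, `@dir lib`, `@dir man`, `@dir sbin`, `@dir share` and `@dir .` entries should presumably go as well, since those are stock prefix directories rather than something this package owns, and the same likely applies to `@dir etc/rc.d`, `@dir share/doc` and `@dir share/examples`. Whether `etc/rc.d/openvpn` needs listing at all depends on whether the Makefile installs the rc script via USE_RC_SUBR, which is not visible in this diff.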