ziggi/bsdports
1
0
Fork 0
mirror of https://github.com/beard7n/bsdports.git synced 2026-04-10 02:21:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

openvpn updated

Browse Source
This commit is contained in:
Oleg Borodin
2023-09-10 22:08:23 +02:00
parent 30da41edb8
commit b0a0f61ed4
8 changed files with 53 additions and 370 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
net/openvpn/Makefile
View File

@@ -2,7 +2,7 @@
# $Id$ # $Id$
# #
PORTNAME= openvpn PORTNAME= openvpn
PORTVERSION= 2.5.5 PORTVERSION= 2.6.6
CATEGORIES= security net CATEGORIES= security net
#MASTER_SITES= http://openvpn.net/release/ #MASTER_SITES= http://openvpn.net/release/
MASTER_SITES+= http://swupdate.openvpn.net/community/releases/ MASTER_SITES+= http://swupdate.openvpn.net/community/releases/
@@ -13,7 +13,7 @@ COMMENT= Secure IP/Ethernet tunnel daemon
LIB_DEPENDS+= liblzo2.so:arch/liblzo2 LIB_DEPENDS+= liblzo2.so:arch/liblzo2
USES+= tar:xz
GNU_CONFIGURE= yes GNU_CONFIGURE= yes
USES+= gmake USES+= gmake
CONFIGURE_ARGS+= --enable-password-save CONFIGURE_ARGS+= --enable-password-save

6
net/openvpn/distinfo
View File

@@ -1,3 +1,3 @@
TIMESTAMP = 1645868736 TIMESTAMP = 1694376351
SHA256 (openvpn-2.5.5.tar.xz) = 119bd69fa0210838f6cdaa273696dc738efa200f454dbe11eb6dfb75dfb6003b SHA256 (openvpn-2.6.6.tar.gz) = 3b074f392818b31aa529b84f76e8b5e4ad03fca764924f46d906bceaaf421034
SIZE (openvpn-2.5.5.tar.xz) = 1147184 SIZE (openvpn-2.6.6.tar.gz) = 1901689

296
net/openvpn/files/extra-tunnelblick-openvpn_xorpatch
View File

@@ -1,296 +0,0 @@
This work allows obfuscation of the OpenVPN header to make it harder for
layer 7 inspection to identify such traffic, which may come with blocking
or recording actions in certain territories of the world. This patch, in
a nutshell, can increase privacy and range of communication for its users.
The `scramble' option introduced hereby is off by default.
The option's usage, history and controversy of the patch is explained in
detail on the following wiki page:
https://tunnelblick.net/cOpenvpn_xorpatch.html
The patch was ported to OpenVPN 2.4 by OPNsense.
--- src/openvpn/forward.c.orig 2016-12-22 07:25:18 UTC
+++ src/openvpn/forward.c
@@ -730,7 +730,10 @@ read_incoming_link(struct context *c)
status = link_socket_read(c->c2.link_socket,
&c->c2.buf,
- &c->c2.from);
+ &c->c2.from,
+ c->options.ce.xormethod,
+ c->options.ce.xormask,
+ c->options.ce.xormasklen);
if (socket_connection_reset(c->c2.link_socket, status))
{
@@ -1368,7 +1371,10 @@ process_outgoing_link(struct context *c)
/* Send packet */
size = link_socket_write(c->c2.link_socket,
&c->c2.to_link,
- to_addr);
+ to_addr,
+ c->options.ce.xormethod,
+ c->options.ce.xormask,
+ c->options.ce.xormasklen);
/* Undo effect of prepend */
link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link);
--- src/openvpn/options.c.orig 2016-12-22 07:25:18 UTC
+++ src/openvpn/options.c
@@ -811,6 +811,9 @@ init_options(struct options *o, const bo
o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
o->resolve_in_advance = false;
o->proto_force = -1;
+ o->ce.xormethod = 0;
+ o->ce.xormask = "\0";
+ o->ce.xormasklen = 0;
#ifdef ENABLE_OCC
o->occ = true;
#endif
@@ -972,6 +975,9 @@ setenv_connection_entry(struct env_set *
setenv_str_i(es, "local_port", e->local_port, i);
setenv_str_i(es, "remote", e->remote, i);
setenv_str_i(es, "remote_port", e->remote_port, i);
+ setenv_int_i(es, "xormethod", e->xormethod, i);
+ setenv_str_i(es, "xormask", e->xormask, i);
+ setenv_int_i(es, "xormasklen", e->xormasklen, i);
if (e->http_proxy_options)
{
@@ -1474,6 +1480,9 @@ show_connection_entry(const struct conne
SHOW_BOOL(bind_ipv6_only);
SHOW_INT(connect_retry_seconds);
SHOW_INT(connect_timeout);
+ SHOW_INT(xormethod);
+ SHOW_STR(xormask);
+ SHOW_INT(xormasklen);
if (o->http_proxy_options)
{
@@ -5915,6 +5924,46 @@ add_option(struct options *options,
}
options->proto_force = proto_force;
}
+ else if (streq (p[0], "scramble") && p[1])
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
+ if (streq (p[1], "xormask") && p[2] && (!p[3]))
+ {
+ options->ce.xormethod = 1;
+ options->ce.xormask = p[2];
+ options->ce.xormasklen = strlen(options->ce.xormask);
+ }
+ else if (streq (p[1], "xorptrpos") && (!p[2]))
+ {
+ options->ce.xormethod = 2;
+ options->ce.xormask = NULL;
+ options->ce.xormasklen = 0;
+ }
+ else if (streq (p[1], "reverse") && (!p[2]))
+ {
+ options->ce.xormethod = 3;
+ options->ce.xormask = NULL;
+ options->ce.xormasklen = 0;
+ }
+ else if (streq (p[1], "obfuscate") && p[2] && (!p[3]))
+ {
+ options->ce.xormethod = 4;
+ options->ce.xormask = p[2];
+ options->ce.xormasklen = strlen(options->ce.xormask);
+ }
+ else if (!p[2])
+ {
+ msg(M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]);
+ options->ce.xormethod = 1;
+ options->ce.xormask = p[1];
+ options->ce.xormasklen = strlen(options->ce.xormask);
+ }
+ else
+ {
+ msg(msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'");
+ goto err;
+ }
+ }
else if (streq(p[0], "http-proxy") && p[1] && !p[5])
{
struct http_proxy_options *ho;
--- src/openvpn/options.h.orig 2016-12-22 07:25:18 UTC
+++ src/openvpn/options.h
@@ -98,6 +98,9 @@ struct connection_entry
int connect_retry_seconds;
int connect_retry_seconds_max;
int connect_timeout;
+ int xormethod;
+ const char *xormask;
+ int xormasklen;
struct http_proxy_options *http_proxy_options;
const char *socks_proxy_server;
const char *socks_proxy_port;
--- src/openvpn/socket.c.orig 2016-12-22 07:25:18 UTC
+++ src/openvpn/socket.c
@@ -55,6 +55,53 @@ const int proto_overhead[] = { /* indexe
IPv6_TCP_HEADER_SIZE,
};
+int buffer_mask (struct buffer *buf, const char *mask, int xormasklen) {
+ int i;
+ uint8_t *b;
+ if ( xormasklen > 0 ) {
+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
+ *b = *b ^ mask[i % xormasklen];
+ }
+ }
+ return BLEN (buf);
+}
+
+int buffer_xorptrpos (struct buffer *buf) {
+ int i;
+ uint8_t *b;
+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
+ *b = *b ^ i+1;
+ }
+ return BLEN (buf);
+}
+
+int buffer_reverse (struct buffer *buf) {
+/* This function has been rewritten for Tunnelblick. The buffer_reverse function at
+ * https://github.com/clayface/openvpn_xorpatch
+ * makes a copy of the buffer and it writes to the byte **after** the
+ * buffer contents, so if the buffer is full then it writes outside of the buffer.
+ * This rewritten version does neither.
+ *
+ * For interoperability, this rewritten version preserves the behavior of the original
+ * function: it does not modify the first character of the buffer. So it does not
+ * actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'.
+ * (Of course, the actual buffer contents are bytes, and not necessarily characters.)
+ */
+ int len = BLEN(buf);
+ if ( len > 2 ) { /* Leave '', 'a', and 'ab' alone */
+ int i;
+ uint8_t *b_start = BPTR (buf) + 1; /* point to first byte to swap */
+ uint8_t *b_end = BPTR (buf) + (len - 1); /* point to last byte to swap */
+ uint8_t tmp;
+ for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) {
+ tmp = *b_start;
+ *b_start = *b_end;
+ *b_end = tmp;
+ }
+ }
+ return len;
+}
+
/*
* Convert sockflags/getaddr_flags into getaddr_flags
*/
--- src/openvpn/socket.h.orig 2016-12-22 07:25:18 UTC
+++ src/openvpn/socket.h
@@ -249,6 +249,10 @@ struct link_socket
#endif
};
+int buffer_mask (struct buffer *buf, const char *xormask, int xormasklen);
+int buffer_xorptrpos (struct buffer *buf);
+int buffer_reverse (struct buffer *buf);
+
/*
* Some Posix/Win32 differences.
*/
@@ -1046,30 +1050,55 @@ int link_socket_read_udp_posix(struct li
static inline int
link_socket_read(struct link_socket *sock,
struct buffer *buf,
- struct link_socket_actual *from)
+ struct link_socket_actual *from,
+ int xormethod,
+ const char *xormask,
+ int xormasklen)
{
+ int res;
+
if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
{
- int res;
-
#ifdef _WIN32
res = link_socket_read_udp_win32(sock, buf, from);
#else
res = link_socket_read_udp_posix(sock, buf, from);
#endif
- return res;
}
else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */
{
/* from address was returned by accept */
addr_copy_sa(&from->dest, &sock->info.lsa->actual.dest);
- return link_socket_read_tcp(sock, buf);
+ res = link_socket_read_tcp(sock, buf);
}
else
{
ASSERT(0);
return -1; /* NOTREACHED */
}
+ switch (xormethod) {
+ case 0:
+ break;
+ case 1:
+ buffer_mask(buf,xormask,xormasklen);
+ break;
+ case 2:
+ buffer_xorptrpos(buf);
+ break;
+ case 3:
+ buffer_reverse(buf);
+ break;
+ case 4:
+ buffer_mask(buf,xormask,xormasklen);
+ buffer_xorptrpos(buf);
+ buffer_reverse(buf);
+ buffer_xorptrpos(buf);
+ break;
+ default:
+ ASSERT (0);
+ return -1; /* NOTREACHED */
+ }
+ return res;
}
/*
@@ -1159,8 +1188,33 @@ link_socket_write_udp(struct link_socket
static inline int
link_socket_write(struct link_socket *sock,
struct buffer *buf,
- struct link_socket_actual *to)
+ struct link_socket_actual *to,
+ int xormethod,
+ const char *xormask,
+ int xormasklen)
{
+ switch (xormethod) {
+ case 0:
+ break;
+ case 1:
+ buffer_mask(buf,xormask,xormasklen);
+ break;
+ case 2:
+ buffer_xorptrpos(buf);
+ break;
+ case 3:
+ buffer_reverse(buf);
+ break;
+ case 4:
+ buffer_xorptrpos(buf);
+ buffer_reverse(buf);
+ buffer_xorptrpos(buf);
+ buffer_mask(buf,xormask,xormasklen);
+ break;
+ default:
+ ASSERT (0);
+ return -1; /* NOTREACHED */
+ }
if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
{
return link_socket_write_udp(sock, buf, to);

18
net/openvpn/files/patch-doc_man-sections_generic-options.rst
View File

@@ -1,11 +1,11 @@
--- doc/man-sections/generic-options.rst.orig 2021-10-31 16:17:17 UTC --- doc/man-sections/generic-options.rst.orig 2023-01-25 10:00:58 UTC
+++ doc/man-sections/generic-options.rst +++ doc/man-sections/generic-options.rst
@@ -431,7 +431,7 @@ which mode OpenVPN is configured as. @@ -507,5 +507,8 @@ which mode OpenVPN is configured as.
able to gain control of an OpenVPN session. Though OpenVPN's security since it is usually used by other system services already. Always
features make this unlikely, it is provided as a second line of defense. create a dedicated user for openvpn.
- By setting ``user`` to :code:`nobody` or somebody similarly unprivileged, + The FreeBSD port creates a group and user named :code:`openvpn`
+ By setting ``user`` to :code:`openvpn` or somebody similarly unprivileged, + for this purpose.
the hostile party would be limited in what damage they could cause. Of +
course once you take away privileges, you cannot return them to an --writepid file
OpenVPN session. This means, for example, that if you want to reset an Write OpenVPN's main process ID to ``file``.

20
net/openvpn/files/patch-doc_openvpn.8
View File

@@ -1,20 +0,0 @@
--- doc/openvpn.8.orig 2021-10-05 05:57:01 UTC
+++ doc/openvpn.8
@@ -358,7 +358,7 @@ lower priority, \fBn\fP less than zero is higher prior
.B \-\-persist\-key
Don\(aqt re\-read key files across \fBSIGUSR1\fP or \fB\-\-ping\-restart\fP\&.
.sp
-This option can be combined with \fB\-\-user nobody\fP to allow restarts
+This option can be combined with \fB\-\-user openvpn\fP to allow restarts
triggered by the \fBSIGUSR1\fP signal. Normally if you drop root
privileges in OpenVPN, the daemon cannot be restarted since it will now
be unable to re\-read protected key files.
@@ -577,7 +577,7 @@ useful to protect the system in the event that some ho
able to gain control of an OpenVPN session. Though OpenVPN\(aqs security
features make this unlikely, it is provided as a second line of defense.
.sp
-By setting \fBuser\fP to \fBnobody\fP or somebody similarly unprivileged,
+By setting \fBuser\fP to \fBopenvpn\fP or somebody similarly unprivileged,
the hostile party would be limited in what damage they could cause. Of
course once you take away privileges, you cannot return them to an
OpenVPN session. This means, for example, that if you want to reset an

20
net/openvpn/files/patch-doc_openvpn.8.html
View File

@@ -1,20 +0,0 @@
--- doc/openvpn.8.html.orig 2021-10-05 05:57:01 UTC
+++ doc/openvpn.8.html
@@ -650,7 +650,7 @@ lower priority, <tt class="docutils literal">n</tt> le
<tr><td class="option-group">
<kbd><span class="option">--persist-key</span></kbd></td>
<td><p class="first">Don't re-read key files across <code>SIGUSR1</code> or <tt class="docutils literal"><span class="pre">--ping-restart</span></tt>.</p>
-<p>This option can be combined with <tt class="docutils literal"><span class="pre">--user</span> nobody</tt> to allow restarts
+<p>This option can be combined with <tt class="docutils literal"><span class="pre">--user</span> openvpn</tt> to allow restarts
triggered by the <code>SIGUSR1</code> signal. Normally if you drop root
privileges in OpenVPN, the daemon cannot be restarted since it will now
be unable to re-read protected key files.</p>
@@ -824,7 +824,7 @@ initialization, dropping privileges in the process. Th
useful to protect the system in the event that some hostile party was
able to gain control of an OpenVPN session. Though OpenVPN's security
features make this unlikely, it is provided as a second line of defense.</p>
-<p class="last">By setting <tt class="docutils literal">user</tt> to <code>nobody</code> or somebody similarly unprivileged,
+<p class="last">By setting <tt class="docutils literal">user</tt> to <code>openvpn</code> or somebody similarly unprivileged,
the hostile party would be limited in what damage they could cause. Of
course once you take away privileges, you cannot return them to an
OpenVPN session. This means, for example, that if you want to reset an

20
net/openvpn/files/patch-src_openvpn_openssl__compat.h
View File

@@ -1,20 +0,0 @@
--- src/openvpn/openssl_compat.h.orig 2020-04-16 13:26:45 UTC
+++ src/openvpn/openssl_compat.h
@@ -747,7 +747,7 @@ SSL_CTX_get_max_proto_version(SSL_CTX *ctx)
}
#endif /* SSL_CTX_get_max_proto_version */
-#ifndef SSL_CTX_set_min_proto_version
+#if !defined(SSL_CTX_set_min_proto_version) && !defined(LIBRESSL_VERSION_NUMBER)
/** Mimics SSL_CTX_set_min_proto_version for OpenSSL < 1.1 */
static inline int
SSL_CTX_set_min_proto_version(SSL_CTX *ctx, long tls_ver_min)
@@ -776,7 +776,7 @@ SSL_CTX_set_min_proto_version(SSL_CTX *ctx, long tls_v
}
#endif /* SSL_CTX_set_min_proto_version */
-#ifndef SSL_CTX_set_max_proto_version
+#if !defined(SSL_CTX_set_max_proto_version) && !defined(LIBRESSL_VERSION_NUMBER)
/** Mimics SSL_CTX_set_max_proto_version for OpenSSL < 1.1 */
static inline int
SSL_CTX_set_max_proto_version(SSL_CTX *ctx, long tls_ver_max)

39
net/openvpn/pkg-plist.new Normal file
View File

@@ -0,0 +1,39 @@
etc/rc.d/openvpn
include/openvpn-msg.h
include/openvpn-plugin.h
lib/openvpn/plugins/openvpn-plugin-auth-pam.la
lib/openvpn/plugins/openvpn-plugin-auth-pam.so
lib/openvpn/plugins/openvpn-plugin-down-root.la
lib/openvpn/plugins/openvpn-plugin-down-root.so
man/man5/openvpn-examples.5.gz
man/man8/openvpn.8.gz
sbin/openvpn
share/doc/openvpn/Changes.rst
share/doc/openvpn/COPYING
share/doc/openvpn/COPYRIGHT.GPL
share/doc/openvpn/gui-notes.txt
share/doc/openvpn/management-notes.txt
share/doc/openvpn/README
share/doc/openvpn/README.auth-pam
share/doc/openvpn/README.down-root
share/doc/openvpn/README.mbedtls
share/examples/openvpn/client.conf
share/examples/openvpn/server.conf
share/examples/openvpn/tls-home.conf
share/examples/openvpn/tls-office.conf
@dir etc/rc.d
@dir etc
@dir include
@dir lib/openvpn/plugins
@dir lib/openvpn
@dir lib
@dir man/man5
@dir man/man8
@dir man
@dir sbin
@dir share/doc/openvpn
@dir share/doc
@dir share/examples/openvpn
@dir share/examples
@dir share
@dir .