FreeBSD Bugzilla – Attachment 162012 Details for
Bug 200215
security/openvpn: Add option to enable Tunnelblick XOR patch
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
option + annotated patch as git diff
openvpn_txp.patch (text/plain), 10.84 KB, created by
Franco Fichtner
on 2015-10-14 06:07:34 UTC
(
hide
)
Description:
option + annotated patch as git diff
Filename:
MIME Type:
Creator:
Franco Fichtner
Created:
2015-10-14 06:07:34 UTC
Size:
10.84 KB
patch
obsolete
>diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile >index aee8d70..4778999 100644 >--- a/security/openvpn/Makefile >+++ b/security/openvpn/Makefile >@@ -27,7 +27,8 @@ LDFLAGS+= -L${LOCALBASE}/lib > # set PLUGIN_LIBDIR so that unqualified plugin paths are found: > CPPFLAGS+= -DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\" > >-OPTIONS_DEFINE= PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME >+OPTIONS_DEFINE= PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \ >+ TXP > OPTIONS_DEFAULT= EASYRSA OPENSSL > OPTIONS_SINGLE= SSL > OPTIONS_SINGLE_SSL= OPENSSL POLARSSL >@@ -35,6 +36,7 @@ PW_SAVE_DESC= Interactive passwords may be read from a file > PKCS11_DESC= Use security/pkcs11-helper > EASYRSA_DESC= Install security/easy-rsa RSA helper package > POLARSSL_DESC= SSL/TLS support via PolarSSL 1.2 >+TXP_DESC= Tunnelblick XOR scramble patch > X509ALTUSERNAME_DESC= Enable --x509-username-field (only with OpenSSL) > > EASYRSA_RUN_DEPENDS= easy-rsa>=0:${PORTSDIR}/security/easy-rsa >@@ -44,6 +46,8 @@ PKCS11_CONFIGURE_ENABLE= pkcs11 > > PW_SAVE_CONFIGURE_ENABLE= password-save > >+TXP_EXTRA_PATCHES= ${FILESDIR}/extra-tunnelblick-openvpn_xorpatch >+ > X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username > > .include <bsd.port.options.mk> >@@ -55,7 +59,9 @@ BROKEN= OpenVPN ${DISTVERSION} cannot use --x509-username-field with PolarSSL. D > LIB_DEPENDS+= libpolarssl.so:${PORTSDIR}/security/polarssl > CONFIGURE_ARGS+= --with-crypto-library=polarssl > . endif >-.else >+.endif >+ >+.if ${PORT_OPTIONS:MOPENSSL} > USE_OPENSSL= yes > CONFIGURE_ARGS+= --with-crypto-library=openssl > .endif >diff --git a/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch b/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch >new file mode 100644 >index 0000000..9e741f1 >--- /dev/null >+++ b/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch >@@ -0,0 +1,301 @@ >+This work allows obfuscation of the OpenVPN header to make it harder for >+layer 7 inspection to identify such traffic, which may come with blocking >+or recording actions in certain territories of the world. This patch, in >+a nutshell, can increase privacy and range of communication for its users. >+ >+The `scramble' option introduced hereby is off by default. >+ >+The option's usage, history and controversy of the patch is explained in >+detail on the following wiki page: >+ >+https://tunnelblick.net/cOpenvpn_xorpatch.html >+ >+ >+diff -u -r src/openvpn/forward.c src/openvpn/forward.c >+--- src/openvpn/forward.c 2014-11-29 10:00:35.000000000 -0500 >++++ src/openvpn/forward.c 2015-04-07 22:38:20.000000000 -0400 >+@@ -674,7 +674,10 @@ >+ status = link_socket_read (c->c2.link_socket, >+ &c->c2.buf, >+ MAX_RW_SIZE_LINK (&c->c2.frame), >+- &c->c2.from); >++ &c->c2.from, >++ c->options.ce.xormethod, >++ c->options.ce.xormask, >++ c->options.ce.xormasklen); >+ >+ if (socket_connection_reset (c->c2.link_socket, status)) >+ { >+@@ -1150,7 +1153,10 @@ >+ /* Send packet */ >+ size = link_socket_write (c->c2.link_socket, >+ &c->c2.to_link, >+- to_addr); >++ to_addr, >++ c->options.ce.xormethod, >++ c->options.ce.xormask, >++ c->options.ce.xormasklen); >+ >+ #ifdef ENABLE_SOCKS >+ /* Undo effect of prepend */ >+diff -u -r src/openvpn/options.c src/openvpn/options.c >+--- src/openvpn/options.c 2014-11-29 10:00:35.000000000 -0500 >++++ src/openvpn/options.c 2015-04-09 12:56:32.000000000 -0400 >+@@ -785,6 +785,9 @@ >+ o->max_routes = MAX_ROUTES_DEFAULT; >+ o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; >+ o->proto_force = -1; >++ o->ce.xormethod = 0; >++ o->ce.xormask = "\0"; >++ o->ce.xormasklen = 0; >+ #ifdef ENABLE_OCC >+ o->occ = true; >+ #endif >+@@ -903,6 +906,9 @@ >+ setenv_int_i (es, "local_port", e->local_port, i); >+ setenv_str_i (es, "remote", e->remote, i); >+ setenv_int_i (es, "remote_port", e->remote_port, i); >++ setenv_int_i (es, "xormethod", e->xormethod, i); >++ setenv_str_i (es, "xormask", e->xormask, i); >++ setenv_int_i (es, "xormasklen", e->xormasklen, i); >+ >+ #ifdef ENABLE_HTTP_PROXY >+ if (e->http_proxy_options) >+@@ -1348,6 +1354,9 @@ >+ SHOW_INT (connect_retry_seconds); >+ SHOW_INT (connect_timeout); >+ SHOW_INT (connect_retry_max); >++ SHOW_INT (xormethod); >++ SHOW_STR (xormask); >++ SHOW_INT (xormasklen); >+ >+ #ifdef ENABLE_HTTP_PROXY >+ if (o->http_proxy_options) >+@@ -5049,6 +5058,46 @@ >+ options->proto_force = proto_force; >+ options->force_connection_list = true; >+ } >++ else if (streq (p[0], "scramble") && p[1]) >++ { >++ VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); >++ if (streq (p[1], "xormask") && p[2] && (!p[3])) >++ { >++ options->ce.xormethod = 1; >++ options->ce.xormask = p[2]; >++ options->ce.xormasklen = strlen(options->ce.xormask); >++ } >++ else if (streq (p[1], "xorptrpos") && (!p[2])) >++ { >++ options->ce.xormethod = 2; >++ options->ce.xormask = NULL; >++ options->ce.xormasklen = 0; >++ } >++ else if (streq (p[1], "reverse") && (!p[2])) >++ { >++ options->ce.xormethod = 3; >++ options->ce.xormask = NULL; >++ options->ce.xormasklen = 0; >++ } >++ else if (streq (p[1], "obfuscate") && p[2] && (!p[3])) >++ { >++ options->ce.xormethod = 4; >++ options->ce.xormask = p[2]; >++ options->ce.xormasklen = strlen(options->ce.xormask); >++ } >++ else if (!p[2]) >++ { >++ msg (M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]); >++ options->ce.xormethod = 1; >++ options->ce.xormask = p[1]; >++ options->ce.xormasklen = strlen(options->ce.xormask); >++ } >++ else >++ { >++ msg (msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'"); >++ goto err; >++ } >++ } >+ #ifdef ENABLE_HTTP_PROXY >+ else if (streq (p[0], "http-proxy") && p[1]) >+ { >+diff -u -r src/openvpn/options.h src/openvpn/options.h >+--- src/openvpn/options.h 2014-11-29 10:00:35.000000000 -0500 >++++ src/openvpn/options.h 2015-04-07 22:38:20.000000000 -0400 >+@@ -100,6 +100,9 @@ >+ int connect_retry_max; >+ int connect_timeout; >+ bool connect_timeout_defined; >++ int xormethod; >++ const char *xormask; >++ int xormasklen; >+ #ifdef ENABLE_HTTP_PROXY >+ struct http_proxy_options *http_proxy_options; >+ #endif >+diff -u -r src/openvpn/socket.c src/openvpn/socket.c >+--- src/openvpn/socket.c 2014-11-29 10:00:35.000000000 -0500 >++++ src/openvpn/socket.c 2015-04-09 08:48:01.000000000 -0400 >+@@ -52,6 +52,53 @@ >+ IPv6_TCP_HEADER_SIZE, >+ }; >+ >++int buffer_mask (struct buffer *buf, const char *mask, int xormasklen) { >++ int i; >++ uint8_t *b; >++ if ( xormasklen > 0 ) { >++ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) { >++ *b = *b ^ mask[i % xormasklen]; >++ } >++ } >++ return BLEN (buf); >++} >++ >++int buffer_xorptrpos (struct buffer *buf) { >++ int i; >++ uint8_t *b; >++ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) { >++ *b = *b ^ i+1; >++ } >++ return BLEN (buf); >++} >++ >++int buffer_reverse (struct buffer *buf) { >++/* This function has been rewritten for Tunnelblick. The buffer_reverse function at >++ * https://github.com/clayface/openvpn_xorpatch >++ * makes a copy of the buffer and it writes to the byte **after** the >++ * buffer contents, so if the buffer is full then it writes outside of the buffer. >++ * This rewritten version does neither. >++ * >++ * For interoperability, this rewritten version preserves the behavior of the original >++ * function: it does not modify the first character of the buffer. So it does not >++ * actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'. >++ * (Of course, the actual buffer contents are bytes, and not necessarily characters.) >++ */ >++ int len = BLEN(buf); >++ if ( len > 2 ) { /* Leave '', 'a', and 'ab' alone */ >++ int i; >++ uint8_t *b_start = BPTR (buf) + 1; /* point to first byte to swap */ >++ uint8_t *b_end = BPTR (buf) + (len - 1); /* point to last byte to swap */ >++ uint8_t tmp; >++ for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) { >++ tmp = *b_start; >++ *b_start = *b_end; >++ *b_end = tmp; >++ } >++ } >++ return len; >++} >++ >+ /* >+ * Convert sockflags/getaddr_flags into getaddr_flags >+ */ >+diff -u -r src/openvpn/socket.h src/openvpn/socket.h >+--- src/openvpn/socket.h 2014-11-29 10:00:35.000000000 -0500 >++++ src/openvpn/socket.h 2015-04-08 20:12:02.000000000 -0400 >+@@ -250,6 +250,10 @@ >+ #endif >+ }; >+ >++int buffer_mask (struct buffer *buf, const char *xormask, int xormasklen); >++int buffer_xorptrpos (struct buffer *buf); >++int buffer_reverse (struct buffer *buf); >++ >+ /* >+ * Some Posix/Win32 differences. >+ */ >+@@ -875,30 +879,56 @@ >+ link_socket_read (struct link_socket *sock, >+ struct buffer *buf, >+ int maxsize, >+- struct link_socket_actual *from) >++ struct link_socket_actual *from, >++ int xormethod, >++ const char *xormask, >++ int xormasklen) >+ { >++ int res; >+ if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ >+ { >+- int res; >+ >+ #ifdef WIN32 >+ res = link_socket_read_udp_win32 (sock, buf, from); >+ #else >+ res = link_socket_read_udp_posix (sock, buf, maxsize, from); >+ #endif >+- return res; >+ } >+ else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */ >+ { >+ /* from address was returned by accept */ >+ addr_copy_sa(&from->dest, &sock->info.lsa->actual.dest); >+- return link_socket_read_tcp (sock, buf); >++ res = link_socket_read_tcp (sock, buf); >+ } >+ else >+ { >+ ASSERT (0); >+ return -1; /* NOTREACHED */ >+ } >++ switch(xormethod) >++ { >++ case 0: >++ break; >++ case 1: >++ buffer_mask(buf,xormask,xormasklen); >++ break; >++ case 2: >++ buffer_xorptrpos(buf); >++ break; >++ case 3: >++ buffer_reverse(buf); >++ break; >++ case 4: >++ buffer_mask(buf,xormask,xormasklen); >++ buffer_xorptrpos(buf); >++ buffer_reverse(buf); >++ buffer_xorptrpos(buf); >++ break; >++ default: >++ ASSERT (0); >++ return -1; /* NOTREACHED */ >++ } >++ return res; >+ } >+ >+ /* >+@@ -982,8 +1012,34 @@ >+ static inline int >+ link_socket_write (struct link_socket *sock, >+ struct buffer *buf, >+- struct link_socket_actual *to) >++ struct link_socket_actual *to, >++ int xormethod, >++ const char *xormask, >++ int xormasklen) >+ { >++ switch(xormethod) >++ { >++ case 0: >++ break; >++ case 1: >++ buffer_mask(buf,xormask,xormasklen); >++ break; >++ case 2: >++ buffer_xorptrpos(buf); >++ break; >++ case 3: >++ buffer_reverse(buf); >++ break; >++ case 4: >++ buffer_xorptrpos(buf); >++ buffer_reverse(buf); >++ buffer_xorptrpos(buf); >++ buffer_mask(buf,xormask,xormasklen); >++ break; >++ default: >++ ASSERT (0); >++ return -1; /* NOTREACHED */ >++ } >+ if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ >+ { >+ return link_socket_write_udp (sock, buf, to);
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=162012">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 200215
:
156792
|
157330
|
157331
|
157332
|
162012
|
162270