FreeBSD Bugzilla – Attachment 174049 Details for
Bug 212136
security/openvpn: correct XOR patch for current version
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
regenerated patch file
extra-tunnelblick-openvpn_xorpatch (text/plain), 8.60 KB, created by
Franco Fichtner
on 2016-08-25 07:13:12 UTC
(
hide
)
Description:
regenerated patch file
Filename:
MIME Type:
Creator:
Franco Fichtner
Created:
2016-08-25 07:13:12 UTC
Size:
8.60 KB
patch
obsolete
>This work allows obfuscation of the OpenVPN header to make it harder for >layer 7 inspection to identify such traffic, which may come with blocking >or recording actions in certain territories of the world. This patch, in >a nutshell, can increase privacy and range of communication for its users. > >The `scramble' option introduced hereby is off by default. > >The option's usage, history and controversy of the patch is explained in >detail on the following wiki page: > >https://tunnelblick.net/cOpenvpn_xorpatch.html > > >--- src/openvpn/forward.c.orig 2016-08-23 14:16:28 UTC >+++ src/openvpn/forward.c >@@ -674,7 +674,10 @@ read_incoming_link (struct context *c) > > status = link_socket_read (c->c2.link_socket, > &c->c2.buf, >- &c->c2.from); >+ &c->c2.from, >+ c->options.ce.xormethod, >+ c->options.ce.xormask, >+ c->options.ce.xormasklen); > > if (socket_connection_reset (c->c2.link_socket, status)) > { >@@ -1151,7 +1154,10 @@ process_outgoing_link (struct context *c > /* Send packet */ > size = link_socket_write (c->c2.link_socket, > &c->c2.to_link, >- to_addr); >+ to_addr, >+ c->options.ce.xormethod, >+ c->options.ce.xormask, >+ c->options.ce.xormasklen); > > #ifdef ENABLE_SOCKS > /* Undo effect of prepend */ >--- src/openvpn/options.c.orig 2016-08-23 14:16:22 UTC >+++ src/openvpn/options.c >@@ -792,6 +792,9 @@ init_options (struct options *o, const b > o->max_routes = MAX_ROUTES_DEFAULT; > o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; > o->proto_force = -1; >+ o->ce.xormethod = 0; >+ o->ce.xormask = "\0"; >+ o->ce.xormasklen = 0; > #ifdef ENABLE_OCC > o->occ = true; > #endif >@@ -907,6 +910,9 @@ setenv_connection_entry (struct env_set > setenv_int_i (es, "local_port", e->local_port, i); > setenv_str_i (es, "remote", e->remote, i); > setenv_int_i (es, "remote_port", e->remote_port, i); >+ setenv_int_i (es, "xormethod", e->xormethod, i); >+ setenv_str_i (es, "xormask", e->xormask, i); >+ setenv_int_i (es, "xormasklen", e->xormasklen, i); > > #ifdef ENABLE_HTTP_PROXY > if (e->http_proxy_options) >@@ -1366,6 +1372,9 @@ show_connection_entry (const struct conn > SHOW_INT (connect_retry_seconds); > SHOW_INT (connect_timeout); > SHOW_INT (connect_retry_max); >+ SHOW_INT (xormethod); >+ SHOW_STR (xormask); >+ SHOW_INT (xormasklen); > > #ifdef ENABLE_HTTP_PROXY > if (o->http_proxy_options) >@@ -5131,6 +5140,46 @@ add_option (struct options *options, > options->proto_force = proto_force; > options->force_connection_list = true; > } >+ else if (streq (p[0], "scramble") && p[1]) >+ { >+ VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); >+ if (streq (p[1], "xormask") && p[2] && (!p[3])) >+ { >+ options->ce.xormethod = 1; >+ options->ce.xormask = p[2]; >+ options->ce.xormasklen = strlen(options->ce.xormask); >+ } >+ else if (streq (p[1], "xorptrpos") && (!p[2])) >+ { >+ options->ce.xormethod = 2; >+ options->ce.xormask = NULL; >+ options->ce.xormasklen = 0; >+ } >+ else if (streq (p[1], "reverse") && (!p[2])) >+ { >+ options->ce.xormethod = 3; >+ options->ce.xormask = NULL; >+ options->ce.xormasklen = 0; >+ } >+ else if (streq (p[1], "obfuscate") && p[2] && (!p[3])) >+ { >+ options->ce.xormethod = 4; >+ options->ce.xormask = p[2]; >+ options->ce.xormasklen = strlen(options->ce.xormask); >+ } >+ else if (!p[2]) >+ { >+ msg (M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]); >+ options->ce.xormethod = 1; >+ options->ce.xormask = p[1]; >+ options->ce.xormasklen = strlen(options->ce.xormask); >+ } >+ else >+ { >+ msg (msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'"); >+ goto err; >+ } >+ } > #ifdef ENABLE_HTTP_PROXY > else if (streq (p[0], "http-proxy") && p[1]) > { >--- src/openvpn/options.h.orig 2016-08-23 14:16:22 UTC >+++ src/openvpn/options.h >@@ -100,6 +100,9 @@ struct connection_entry > int connect_retry_max; > int connect_timeout; > bool connect_timeout_defined; >+ int xormethod; >+ const char *xormask; >+ int xormasklen; > #ifdef ENABLE_HTTP_PROXY > struct http_proxy_options *http_proxy_options; > #endif >--- src/openvpn/socket.c.orig 2016-08-23 14:16:22 UTC >+++ src/openvpn/socket.c >@@ -52,6 +52,53 @@ const int proto_overhead[] = { /* indexe > IPv6_TCP_HEADER_SIZE, > }; > >+int buffer_mask (struct buffer *buf, const char *mask, int xormasklen) { >+ int i; >+ uint8_t *b; >+ if ( xormasklen > 0 ) { >+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) { >+ *b = *b ^ mask[i % xormasklen]; >+ } >+ } >+ return BLEN (buf); >+} >+ >+int buffer_xorptrpos (struct buffer *buf) { >+ int i; >+ uint8_t *b; >+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) { >+ *b = *b ^ i+1; >+ } >+ return BLEN (buf); >+} >+ >+int buffer_reverse (struct buffer *buf) { >+/* This function has been rewritten for Tunnelblick. The buffer_reverse function at >+ * https://github.com/clayface/openvpn_xorpatch >+ * makes a copy of the buffer and it writes to the byte **after** the >+ * buffer contents, so if the buffer is full then it writes outside of the buffer. >+ * This rewritten version does neither. >+ * >+ * For interoperability, this rewritten version preserves the behavior of the original >+ * function: it does not modify the first character of the buffer. So it does not >+ * actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'. >+ * (Of course, the actual buffer contents are bytes, and not necessarily characters.) >+ */ >+ int len = BLEN(buf); >+ if ( len > 2 ) { /* Leave '', 'a', and 'ab' alone */ >+ int i; >+ uint8_t *b_start = BPTR (buf) + 1; /* point to first byte to swap */ >+ uint8_t *b_end = BPTR (buf) + (len - 1); /* point to last byte to swap */ >+ uint8_t tmp; >+ for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) { >+ tmp = *b_start; >+ *b_start = *b_end; >+ *b_end = tmp; >+ } >+ } >+ return len; >+} >+ > /* > * Convert sockflags/getaddr_flags into getaddr_flags > */ >--- src/openvpn/socket.h.orig 2016-08-23 14:16:22 UTC >+++ src/openvpn/socket.h >@@ -245,6 +245,10 @@ struct link_socket > #endif > }; > >+int buffer_mask (struct buffer *buf, const char *xormask, int xormasklen); >+int buffer_xorptrpos (struct buffer *buf); >+int buffer_reverse (struct buffer *buf); >+ > /* > * Some Posix/Win32 differences. > */ >@@ -873,30 +877,56 @@ int link_socket_read_udp_posix (struct l > static inline int > link_socket_read (struct link_socket *sock, > struct buffer *buf, >- struct link_socket_actual *from) >+ struct link_socket_actual *from, >+ int xormethod, >+ const char *xormask, >+ int xormasklen) > { >+ int res; > if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ > { >- int res; > > #ifdef WIN32 > res = link_socket_read_udp_win32 (sock, buf, from); > #else > res = link_socket_read_udp_posix (sock, buf, from); > #endif >- return res; > } > else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */ > { > /* from address was returned by accept */ > addr_copy_sa(&from->dest, &sock->info.lsa->actual.dest); >- return link_socket_read_tcp (sock, buf); >+ res = link_socket_read_tcp (sock, buf); > } > else > { > ASSERT (0); > return -1; /* NOTREACHED */ > } >+ switch(xormethod) >+ { >+ case 0: >+ break; >+ case 1: >+ buffer_mask(buf,xormask,xormasklen); >+ break; >+ case 2: >+ buffer_xorptrpos(buf); >+ break; >+ case 3: >+ buffer_reverse(buf); >+ break; >+ case 4: >+ buffer_mask(buf,xormask,xormasklen); >+ buffer_xorptrpos(buf); >+ buffer_reverse(buf); >+ buffer_xorptrpos(buf); >+ break; >+ default: >+ ASSERT (0); >+ return -1; /* NOTREACHED */ >+ } >+ return res; > } > > /* >@@ -980,8 +1010,34 @@ link_socket_write_udp (struct link_socke > static inline int > link_socket_write (struct link_socket *sock, > struct buffer *buf, >- struct link_socket_actual *to) >+ struct link_socket_actual *to, >+ int xormethod, >+ const char *xormask, >+ int xormasklen) > { >+ switch(xormethod) >+ { >+ case 0: >+ break; >+ case 1: >+ buffer_mask(buf,xormask,xormasklen); >+ break; >+ case 2: >+ buffer_xorptrpos(buf); >+ break; >+ case 3: >+ buffer_reverse(buf); >+ break; >+ case 4: >+ buffer_xorptrpos(buf); >+ buffer_reverse(buf); >+ buffer_xorptrpos(buf); >+ buffer_mask(buf,xormask,xormasklen); >+ break; >+ default: >+ ASSERT (0); >+ return -1; /* NOTREACHED */ >+ } > if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ > { > return link_socket_write_udp (sock, buf, to);
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=174049">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 212136
: 174049