Attachment #174049 for bug #212136

View | Details | Raw Unified | Return to bug 212136
Collapse All | Expand All

Lines 674-680 read_incoming_link (struct context *c) Link Here

(-)src/openvpn/forward.c (-2 / +8 lines)
674		674
675	status = link_socket_read (c->c2.link_socket,	675	status = link_socket_read (c->c2.link_socket,
676	&c->c2.buf,	676	&c->c2.buf,
677	&c->c2.from);	677	&c->c2.from,
		678	c->options.ce.xormethod,
		679	c->options.ce.xormask,
		680	c->options.ce.xormasklen);
678		681
679	if (socket_connection_reset (c->c2.link_socket, status))	682	if (socket_connection_reset (c->c2.link_socket, status))
680	{	683	{
Lines 1151-1157 process_outgoing_link (struct context *c Link Here
1151	/* Send packet */	1154	/* Send packet */
1152	size = link_socket_write (c->c2.link_socket,	1155	size = link_socket_write (c->c2.link_socket,
1153	&c->c2.to_link,	1156	&c->c2.to_link,
1154	to_addr);	1157	to_addr,
		1158	c->options.ce.xormethod,
		1159	c->options.ce.xormask,
		1160	c->options.ce.xormasklen);
1155		1161
1156	#ifdef ENABLE_SOCKS	1162	#ifdef ENABLE_SOCKS
1157	/* Undo effect of prepend */	1163	/* Undo effect of prepend */

Lines 792-797 init_options (struct options *o, const b Link Here

(-)src/openvpn/options.c (+49 lines)
792	o->max_routes = MAX_ROUTES_DEFAULT;	792	o->max_routes = MAX_ROUTES_DEFAULT;
793	o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;	793	o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
794	o->proto_force = -1;	794	o->proto_force = -1;
		795	o->ce.xormethod = 0;
		796	o->ce.xormask = "\0";
		797	o->ce.xormasklen = 0;
795	#ifdef ENABLE_OCC	798	#ifdef ENABLE_OCC
796	o->occ = true;	799	o->occ = true;
797	#endif	800	#endif
Lines 907-912 setenv_connection_entry (struct env_set Link Here
907	setenv_int_i (es, "local_port", e->local_port, i);	910	setenv_int_i (es, "local_port", e->local_port, i);
908	setenv_str_i (es, "remote", e->remote, i);	911	setenv_str_i (es, "remote", e->remote, i);
909	setenv_int_i (es, "remote_port", e->remote_port, i);	912	setenv_int_i (es, "remote_port", e->remote_port, i);
		913	setenv_int_i (es, "xormethod", e->xormethod, i);
		914	setenv_str_i (es, "xormask", e->xormask, i);
		915	setenv_int_i (es, "xormasklen", e->xormasklen, i);
910		916
911	#ifdef ENABLE_HTTP_PROXY	917	#ifdef ENABLE_HTTP_PROXY
912	if (e->http_proxy_options)	918	if (e->http_proxy_options)
Lines 1366-1371 show_connection_entry (const struct conn Link Here
1366	SHOW_INT (connect_retry_seconds);	1372	SHOW_INT (connect_retry_seconds);
1367	SHOW_INT (connect_timeout);	1373	SHOW_INT (connect_timeout);
1368	SHOW_INT (connect_retry_max);	1374	SHOW_INT (connect_retry_max);
		1375	SHOW_INT (xormethod);
		1376	SHOW_STR (xormask);
		1377	SHOW_INT (xormasklen);
1369		1378
1370	#ifdef ENABLE_HTTP_PROXY	1379	#ifdef ENABLE_HTTP_PROXY
1371	if (o->http_proxy_options)	1380	if (o->http_proxy_options)
Lines 5131-5136 add_option (struct options *options, Link Here
5131	options->proto_force = proto_force;	5140	options->proto_force = proto_force;
5132	options->force_connection_list = true;	5141	options->force_connection_list = true;
5133	}	5142	}
		5143	else if (streq (p[0], "scramble") && p[1])
		5144	{
		5145	VERIFY_PERMISSION (OPT_P_GENERAL\|OPT_P_CONNECTION);
		5146	if (streq (p[1], "xormask") && p[2] && (!p[3]))
		5147	{
		5148	options->ce.xormethod = 1;
		5149	options->ce.xormask = p[2];
		5150	options->ce.xormasklen = strlen(options->ce.xormask);
		5151	}
		5152	else if (streq (p[1], "xorptrpos") && (!p[2]))
		5153	{
		5154	options->ce.xormethod = 2;
		5155	options->ce.xormask = NULL;
		5156	options->ce.xormasklen = 0;
		5157	}
		5158	else if (streq (p[1], "reverse") && (!p[2]))
		5159	{
		5160	options->ce.xormethod = 3;
		5161	options->ce.xormask = NULL;
		5162	options->ce.xormasklen = 0;
		5163	}
		5164	else if (streq (p[1], "obfuscate") && p[2] && (!p[3]))
		5165	{
		5166	options->ce.xormethod = 4;
		5167	options->ce.xormask = p[2];
		5168	options->ce.xormasklen = strlen(options->ce.xormask);
		5169	}
		5170	else if (!p[2])
		5171	{
		5172	msg (M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]);
		5173	options->ce.xormethod = 1;
		5174	options->ce.xormask = p[1];
		5175	options->ce.xormasklen = strlen(options->ce.xormask);
		5176	}
		5177	else
		5178	{
		5179	msg (msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'");
		5180	goto err;
		5181	}
		5182	}
5134	#ifdef ENABLE_HTTP_PROXY	5183	#ifdef ENABLE_HTTP_PROXY
5135	else if (streq (p[0], "http-proxy") && p[1])	5184	else if (streq (p[0], "http-proxy") && p[1])
5136	{	5185	{

Lines 100-105 struct connection_entry Link Here

(-)src/openvpn/options.h (+3 lines)
100	int connect_retry_max;	100	int connect_retry_max;
101	int connect_timeout;	101	int connect_timeout;
102	bool connect_timeout_defined;	102	bool connect_timeout_defined;
		103	int xormethod;
		104	const char *xormask;
		105	int xormasklen;
103	#ifdef ENABLE_HTTP_PROXY	106	#ifdef ENABLE_HTTP_PROXY
104	struct http_proxy_options *http_proxy_options;	107	struct http_proxy_options *http_proxy_options;
105	#endif	108	#endif




  IPv6_TCP_HEADER_SIZE,
};

int buffer_mask (struct buffer *buf, const char *mask, int xormasklen) {
	int i;
	uint8_t *b;
	if (  xormasklen > 0  ) {
		for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
			*b = *b ^ mask[i % xormasklen];
		}
	}
	return BLEN (buf);
}

int buffer_xorptrpos (struct buffer *buf) {
	int i;
	uint8_t *b;
	for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
		*b = *b ^ i+1;
	}
	return BLEN (buf);
}

int buffer_reverse (struct buffer *buf) {
/* This function has been rewritten for Tunnelblick. The buffer_reverse function at
 * https://github.com/clayface/openvpn_xorpatch
 * makes a copy of the buffer and it writes to the byte **after** the
 * buffer contents, so if the buffer is full then it writes outside of the buffer.
 * This rewritten version does neither.
 *
 * For interoperability, this rewritten version preserves the behavior of the original
 * function: it does not modify the first character of the buffer. So it does not
 * actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'.
 * (Of course, the actual buffer contents are bytes, and not necessarily characters.)
 */
  int len = BLEN(buf);
  if (  len > 2  ) {                           /* Leave '', 'a', and 'ab' alone */
    int i;
    uint8_t *b_start = BPTR (buf) + 1;	        /* point to first byte to swap */
    uint8_t *b_end   = BPTR (buf) + (len - 1); /* point to last byte to swap */
    uint8_t tmp;
    for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) {
      tmp = *b_start;
      *b_start = *b_end;
      *b_end = tmp;
    }
  }
  return len;
}

/*
 * Convert sockflags/getaddr_flags into getaddr_flags
 */

Lines 245-250 struct link_socket Link Here

(-)src/openvpn/socket.h (-5 / +61 lines)
245	#endif	245	#endif
246	};	246	};
247		247
		248	int buffer_mask (struct buffer buf, const char xormask, int xormasklen);
		249	int buffer_xorptrpos (struct buffer *buf);
		250	int buffer_reverse (struct buffer *buf);
		251
248	/*	252	/*
249	* Some Posix/Win32 differences.	253	* Some Posix/Win32 differences.
250	*/	254	*/
Lines 873-902 int link_socket_read_udp_posix (struct l Link Here
873	static inline int	877	static inline int
874	link_socket_read (struct link_socket *sock,	878	link_socket_read (struct link_socket *sock,
875	struct buffer *buf,	879	struct buffer *buf,
876	struct link_socket_actual *from)	880	struct link_socket_actual *from,
		881	int xormethod,
		882	const char *xormask,
		883	int xormasklen)
877	{	884	{
		885	int res;
878	if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */	886	if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
879	{	887	{
880	int res;
881		888
882	#ifdef WIN32	889	#ifdef WIN32
883	res = link_socket_read_udp_win32 (sock, buf, from);	890	res = link_socket_read_udp_win32 (sock, buf, from);
884	#else	891	#else
885	res = link_socket_read_udp_posix (sock, buf, from);	892	res = link_socket_read_udp_posix (sock, buf, from);
886	#endif	893	#endif
887	return res;
888	}	894	}
889	else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */	895	else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */
890	{	896	{
891	/* from address was returned by accept */	897	/* from address was returned by accept */
892	addr_copy_sa(&from->dest, &sock->info.lsa->actual.dest);	898	addr_copy_sa(&from->dest, &sock->info.lsa->actual.dest);
893	return link_socket_read_tcp (sock, buf);	899	res = link_socket_read_tcp (sock, buf);
894	}	900	}
895	else	901	else
896	{	902	{
897	ASSERT (0);	903	ASSERT (0);
898	return -1; /* NOTREACHED */	904	return -1; /* NOTREACHED */
899	}	905	}
		906	switch(xormethod)
		907	{
		908	case 0:
		909	break;
		910	case 1:
		911	buffer_mask(buf,xormask,xormasklen);
		912	break;
		913	case 2:
		914	buffer_xorptrpos(buf);
		915	break;
		916	case 3:
		917	buffer_reverse(buf);
		918	break;
		919	case 4:
		920	buffer_mask(buf,xormask,xormasklen);
		921	buffer_xorptrpos(buf);
		922	buffer_reverse(buf);
		923	buffer_xorptrpos(buf);
		924	break;
		925	default:
		926	ASSERT (0);
		927	return -1; /* NOTREACHED */
		928	}
		929	return res;
900	}	930	}
901		931
902	/*	932	/*
Lines 980-987 link_socket_write_udp (struct link_socke Link Here
980	static inline int	1010	static inline int
981	link_socket_write (struct link_socket *sock,	1011	link_socket_write (struct link_socket *sock,
982	struct buffer *buf,	1012	struct buffer *buf,
983	struct link_socket_actual *to)	1013	struct link_socket_actual *to,
		1014	int xormethod,
		1015	const char *xormask,
		1016	int xormasklen)
984	{	1017	{
		1018	switch(xormethod)
		1019	{
		1020	case 0:
		1021	break;
		1022	case 1:
		1023	buffer_mask(buf,xormask,xormasklen);
		1024	break;
		1025	case 2:
		1026	buffer_xorptrpos(buf);
		1027	break;
		1028	case 3:
		1029	buffer_reverse(buf);
		1030	break;
		1031	case 4:
		1032	buffer_xorptrpos(buf);
		1033	buffer_reverse(buf);
		1034	buffer_xorptrpos(buf);
		1035	buffer_mask(buf,xormask,xormasklen);
		1036	break;
		1037	default:
		1038	ASSERT (0);
		1039	return -1; /* NOTREACHED */
		1040	}
985	if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */	1041	if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
986	{	1042	{
987	return link_socket_write_udp (sock, buf, to);	1043	return link_socket_write_udp (sock, buf, to);

Return to bug 212136

Lines 52-57 const int proto_overhead[] = { /* indexe Link Here

(-)src/openvpn/socket.c (+47 lines)
52	IPv6_TCP_HEADER_SIZE,	52	IPv6_TCP_HEADER_SIZE,
53	};	53	};
54		54
		55	int buffer_mask (struct buffer buf, const char mask, int xormasklen) {
		56	int i;
		57	uint8_t *b;
		58	if ( xormasklen > 0 ) {
		59	for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
		60	b = b ^ mask[i % xormasklen];
		61	}
		62	}
		63	return BLEN (buf);
		64	}
		65
		66	int buffer_xorptrpos (struct buffer *buf) {
		67	int i;
		68	uint8_t *b;
		69	for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
		70	b = b ^ i+1;
		71	}
		72	return BLEN (buf);
		73	}
		74
		75	int buffer_reverse (struct buffer *buf) {
		76	/* This function has been rewritten for Tunnelblick. The buffer_reverse function at
		77	* https://github.com/clayface/openvpn_xorpatch
		78	* makes a copy of the buffer and it writes to the byte after the
		79	* buffer contents, so if the buffer is full then it writes outside of the buffer.
		80	* This rewritten version does neither.
		81	*
		82	* For interoperability, this rewritten version preserves the behavior of the original
		83	* function: it does not modify the first character of the buffer. So it does not
		84	* actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'.
		85	* (Of course, the actual buffer contents are bytes, and not necessarily characters.)
		86	*/
		87	int len = BLEN(buf);
		88	if ( len > 2 ) { /* Leave '', 'a', and 'ab' alone */
		89	int i;
		90	uint8_t b_start = BPTR (buf) + 1; / point to first byte to swap */
		91	uint8_t b_end = BPTR (buf) + (len - 1); / point to last byte to swap */
		92	uint8_t tmp;
		93	for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) {
		94	tmp = *b_start;
		95	b_start = b_end;
		96	*b_end = tmp;
		97	}
		98	}
		99	return len;
		100	}
		101
55	/*	102	/*
56	* Convert sockflags/getaddr_flags into getaddr_flags	103	* Convert sockflags/getaddr_flags into getaddr_flags
57	*/	104	*/