svn commit: r553713 - in head: . security/openvpn security/openvpn/files
Matthias Andree
mandree at FreeBSD.org
Fri Oct 30 20:36:03 UTC 2020
Author: mandree
Date: Fri Oct 30 20:36:01 2020
New Revision: 553713
URL: https://svnweb.freebsd.org/changeset/ports/553713
Log:
Update security/openvpn to 2.5. For 2.3 peers, update your configuration,
...see ports/UPDATING or the
ChangeLog: https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-25
Avoid LibreSSL (IGNORE_SSL).
INSTALL_DATA -> INSTALL_MAN for documentation.
Rearrange Makefile according to portclippy.
Deleted:
head/security/openvpn/files/patch-configure
head/security/openvpn/files/patch-git-098edbb1f5a2e1360fd6a4ae0642b63bec12e992
head/security/openvpn/files/patch-git-38b46e6bf65489c2c5d75da1c02a3a1c33e6da88
head/security/openvpn/files/patch-git-b89e48b015e581a4a0f5c306e2ab20da34c862ea
head/security/openvpn/files/patch-git-cab48ad43eaba51c54fa23e55b0b2eb436dd921f
head/security/openvpn/files/patch-git-fc0297143494e0a0f08564d90dbb210669d0abf5
head/security/openvpn/files/patch-src_openvpn_ssl__openssl.c
Modified:
head/UPDATING
head/security/openvpn/Makefile
head/security/openvpn/distinfo
head/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch
head/security/openvpn/pkg-plist
Modified: head/UPDATING
==============================================================================
--- head/UPDATING Fri Oct 30 19:27:52 2020 (r553712)
+++ head/UPDATING Fri Oct 30 20:36:01 2020 (r553713)
@@ -5,6 +5,18 @@ they are unavoidable.
You should get into the habit of checking this file for changes each time
you update your ports collection, before attempting any port upgrades.
+20201030:
+ AFFECTS: users of security/openvpn
+ AUTHOR: mandree at FreeBSD.org
+
+ The security/openvpn port has been updated to v2.5.0, which brings a
+ change to the default ciphersuite, which no longer contains BF-CBC.
+
+ Some options have been removed. Also, if you need to support very old (v2.3)
+ and unsupported clients or servers, you will need to adjust the
+ configuration. For details, see:
+ https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-25
+
20201029:
AFFECTS: users of www/node
AUTHOR: bhughes at FreeBSD.org
Modified: head/security/openvpn/Makefile
==============================================================================
--- head/security/openvpn/Makefile Fri Oct 30 19:27:52 2020 (r553712)
+++ head/security/openvpn/Makefile Fri Oct 30 20:36:01 2020 (r553713)
@@ -2,8 +2,8 @@
# $FreeBSD$
PORTNAME= openvpn
-DISTVERSION= 2.4.9
-PORTREVISION?= 3
+DISTVERSION= 2.5.0
+PORTREVISION?= 0
CATEGORIES= security net net-vpn
MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \
https://build.openvpn.net/downloads/releases/ \
@@ -15,86 +15,79 @@ COMMENT?= Secure IP/Ethernet tunnel daemon
LICENSE= GPLv2
LICENSE_FILE= ${WRKSRC}/COPYRIGHT.GPL
-USES= cpe libtool pkgconfig shebangfix tar:xz
+USES= cpe libtool localbase:ldflags pkgconfig shebangfix tar:xz
+IGNORE_SSL= libressl libressl-devel
+USE_RC_SUBR= openvpn
-CONFLICTS_INSTALL?= openvpn-2.[!4].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]* openvpn-mbedtls-[0-9]*
-
-GNU_CONFIGURE= yes
SHEBANG_FILES= sample/sample-scripts/verify-cn \
sample/sample-scripts/auth-pam.pl \
sample/sample-scripts/ucn.pl
+
+GNU_CONFIGURE= yes
CONFIGURE_ARGS+= --enable-strict
# set PLUGIN_LIBDIR so that unqualified plugin paths are found:
CONFIGURE_ENV+= PLUGINDIR="${PREFIX}/lib/openvpn/plugins"
+CONFLICTS_INSTALL?= openvpn-2.[!5].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]* openvpn-mbedtls-[0-9]*
+
+SUB_FILES= pkg-message openvpn-client
+
+PORTDOCS= *
+PORTEXAMPLES= *
+
# avoid picking up CMAKE, we don't have cmocka in the tarballs.
CONFIGURE_ENV+= ac_cv_prog_CMAKE= CMAKE=
-# let OpenVPN's configure script pick up the requisite libraries,
-# but do not break the plugin build if an older version is installed
-# XXX FIXME: once there is an opportunity for testing with older
-# versions with incompatible plugins again, try USES+=localbase:ldflags,
-# suggested by Mateusz Piotrowski 0mp@ 2020-07-17
-CPPFLAGS+= -I${WRKSRC}/include -I${LOCALBASE}/include
-LDFLAGS+= -L${LOCALBASE}/lib -Wl,--as-needed
-
OPTIONS_DEFINE= PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \
TEST LZ4 LZO SMALL TUNNELBLICK ASYNC_PUSH
OPTIONS_DEFAULT= EASYRSA OPENSSL TEST LZ4 LZO
OPTIONS_SINGLE= SSL
OPTIONS_SINGLE_SSL= OPENSSL MBEDTLS
ASYNC_PUSH_DESC= Enable async-push support
-PKCS11_DESC= Use security/pkcs11-helper (OpenSSL only)
EASYRSA_DESC= Install security/easy-rsa RSA helper package
MBEDTLS_DESC= SSL/TLS via mbedTLS (lacks TLS v1.3)
+PKCS11_DESC= Use security/pkcs11-helper (OpenSSL only)
+SMALL_DESC= Build a smaller executable with fewer features
TUNNELBLICK_DESC= Tunnelblick XOR scramble patch (READ HELP!)
X509ALTUSERNAME_DESC= Enable --x509-username-field (OpenSSL only)
-SMALL_DESC= Build a smaller executable with fewer features
-ASYNC_PUSH_CONFIGURE_ENABLE= async-push
ASYNC_PUSH_LIB_DEPENDS= libinotify.so:devel/libinotify
+ASYNC_PUSH_CONFIGURE_ENABLE= async-push
EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa
-PKCS11_LIB_DEPENDS= libpkcs11-helper.so:security/pkcs11-helper
-PKCS11_CONFIGURE_ENABLE= pkcs11
-PKCS11_PREVENTS= MBEDTLS
-PKCS11_PREVENTS_MSG= OpenVPN cannot use pkcs11-helper with mbedTLS. Disable PKCS11, or use OpenSSL instead
+LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4
+LZ4_CONFIGURE_ENABLE= lz4
-TUNNELBLICK_EXTRA_PATCHES= ${FILESDIR}/extra-tunnelblick-openvpn_xorpatch
+LZO_LIB_DEPENDS+= liblzo2.so:archivers/lzo2
+LZO_CONFIGURE_ENABLE= lzo
-X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username
-X509ALTUSERNAME_PREVENTS= MBEDTLS
-X509ALTUSERNAME_PREVENTS_MSG= OpenVPN ${DISTVERSION} cannot use --x509-username-field with mbedTLS. Disable X509ALTUSERNAME, or use OpenSSL instead
+MBEDTLS_LIB_DEPENDS= libmbedtls.so:security/mbedtls
+MBEDTLS_CONFIGURE_ON= --with-crypto-library=mbedtls
OPENSSL_USES= ssl
OPENSSL_CONFIGURE_ON= --with-crypto-library=openssl
-MBEDTLS_LIB_DEPENDS= libmbedtls.so:security/mbedtls
-MBEDTLS_CONFIGURE_ON= --with-crypto-library=mbedtls
+PKCS11_PREVENTS= MBEDTLS
+PKCS11_PREVENTS_MSG= OpenVPN cannot use pkcs11-helper with mbedTLS. Disable PKCS11, or use OpenSSL instead
+PKCS11_LIB_DEPENDS= libpkcs11-helper.so:security/pkcs11-helper
+PKCS11_CONFIGURE_ENABLE= pkcs11
-LZO_CONFIGURE_ENABLE= lzo
-LZO_LIB_DEPENDS+= liblzo2.so:archivers/lzo2
-
-LZ4_CONFIGURE_ENABLE= lz4
-LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4
-
SMALL_CONFIGURE_ENABLE= small
-USE_RC_SUBR= openvpn
+TEST_ALL_TARGET= check
+TEST_TEST_TARGET_OFF= check
-SUB_FILES= pkg-message openvpn-client
+TUNNELBLICK_EXTRA_PATCHES= ${FILESDIR}/extra-tunnelblick-openvpn_xorpatch:-p1
+X509ALTUSERNAME_PREVENTS= MBEDTLS
+X509ALTUSERNAME_PREVENTS_MSG= OpenVPN ${DISTVERSION} cannot use --x509-username-field with mbedTLS. Disable X509ALTUSERNAME, or use OpenSSL instead
+X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username
+
.ifdef (LOG_OPENVPN)
CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN}
.endif
-PORTDOCS= *
-PORTEXAMPLES= *
-
-TEST_ALL_TARGET= check
-TEST_TEST_TARGET_OFF= check
-
.include <bsd.port.options.mk>
.if ${PORT_OPTIONS:MMBEDTLS}
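Review bot: Switching to `USES= ... localbase:ldflags` removes the explicit `CPPFLAGS+= -I${WRKSRC}/include -I${LOCALBASE}/include`, which put the in-tree headers ahead of the installed ones, and the deleted comment said that ordering existed so an older installed OpenVPN would not break the plugin build. The deleted XXX note asked for this exact case to be tested before moving to `localbase:ldflags`, and nothing in the hunk records that it was; if the upstream build does not add its own include directory first, a stale `openvpn-plugin.h` under `${LOCALBASE}/include` could be picked up. `-Wl,--as-needed` is dropped as well without a word. I would leave a short comment beside `USES`, for example `# localbase:ldflags: checked with an older openvpn installed, plugins still build against ${WRKSRC}/include`, or keep `CPPFLAGS+= -I${WRKSRC}/include` in front.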
@@ -140,11 +133,13 @@ post-install:
@${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client
${MKDIR} ${STAGEDIR}${PREFIX}/include
+ @: # workaround for 2.5.0 only XXX FIXME remove after 2.5.0
+ ${INSTALL_MAN} ${WRKSRC}/doc/openvpn.8 ${STAGEDIR}${MANPREFIX}/man/man8
post-install-DOCS-on:
${MKDIR} ${STAGEDIR}${DOCSDIR}/
.for i in AUTHORS ChangeLog PORTS
- ${INSTALL_DATA} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/
+ ${INSTALL_MAN} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/
.endfor
post-install-EXAMPLES-on:
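Review bot: The marker `@: # workaround for 2.5.0 only XXX FIXME remove after 2.5.0` in `post-install` does not say what is being worked around, so a later maintainer cannot tell when the explicit `${INSTALL_MAN} ${WRKSRC}/doc/openvpn.8 ...` becomes redundant or starts to collide with what the upstream install step does. I would state the cause in the comment, for instance `# 2.5.0: upstream 'make install' does not put doc/openvpn.8 in place here; drop once it does`, adjusted to the real reason, which is not visible in this hunk. The `post-install` target begins outside the hunk.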
Modified: head/security/openvpn/distinfo
==============================================================================
--- head/security/openvpn/distinfo Fri Oct 30 19:27:52 2020 (r553712)
+++ head/security/openvpn/distinfo Fri Oct 30 20:36:01 2020 (r553713)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1587146198
-SHA256 (openvpn-2.4.9.tar.xz) = 641f3add8694b2ccc39fd4fd92554e4f089ad16a8db6d2b473ec284839a5ebe2
-SIZE (openvpn-2.4.9.tar.xz) = 954264
+TIMESTAMP = 1604077828
+SHA256 (openvpn-2.5.0.tar.xz) = 029a426e44d656cb4e1189319c95fe6fc9864247724f5599d99df9c4c3478fbd
+SIZE (openvpn-2.5.0.tar.xz) = 1126928
Modified: head/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch
==============================================================================
--- head/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch Fri Oct 30 19:27:52 2020 (r553712)
+++ head/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch Fri Oct 30 20:36:01 2020 (r553713)
@@ -10,47 +10,47 @@ detail on the following wiki page:
https://tunnelblick.net/cOpenvpn_xorpatch.html
-The patch was ported to OpenVPN 2.4 by OPNsense.
-
---- src/openvpn/forward.c.orig 2016-12-22 07:25:18 UTC
-+++ src/openvpn/forward.c
-@@ -730,7 +730,10 @@ read_incoming_link(struct context *c)
+diff -u -r -x .DS_Store openvpn-2.5_beta1.old/src/openvpn/forward.c openvpn-2.5_beta1.new/src/openvpn/forward.c
+--- openvpn-2.5_beta1.old/src/openvpn/forward.c 2020-08-16 11:57:15.000000000 -0400
++++ openvpn-2.5_beta1.new/src/openvpn/forward.c 2020-08-16 11:57:15.000000000 -0400
+@@ -811,7 +811,10 @@
status = link_socket_read(c->c2.link_socket,
&c->c2.buf,
- &c->c2.from);
-+ &c->c2.from,
-+ c->options.ce.xormethod,
-+ c->options.ce.xormask,
-+ c->options.ce.xormasklen);
++ &c->c2.from,
++ c->options.ce.xormethod,
++ c->options.ce.xormask,
++ c->options.ce.xormasklen);
if (socket_connection_reset(c->c2.link_socket, status))
{
-@@ -1368,7 +1371,10 @@ process_outgoing_link(struct context *c)
+@@ -1621,7 +1624,10 @@
/* Send packet */
size = link_socket_write(c->c2.link_socket,
&c->c2.to_link,
- to_addr);
+ to_addr,
-+ c->options.ce.xormethod,
-+ c->options.ce.xormask,
-+ c->options.ce.xormasklen);
++ c->options.ce.xormethod,
++ c->options.ce.xormask,
++ c->options.ce.xormasklen);
/* Undo effect of prepend */
link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link);
---- src/openvpn/options.c.orig 2016-12-22 07:25:18 UTC
-+++ src/openvpn/options.c
-@@ -811,6 +811,9 @@ init_options(struct options *o, const bo
+diff -u -r -x .DS_Store openvpn-2.5_rc3.old/src/openvpn/options.c openvpn-2.5_rc3.new/src/openvpn/options.c
+--- openvpn-2.5_rc3.old/src/openvpn/options.c 2020-10-19 13:38:17.000000000 -0400
++++ openvpn-2.5_rc3.new/src/openvpn/options.c 2020-10-19 13:38:17.000000000 -0400
+@@ -821,6 +821,9 @@
o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
o->resolve_in_advance = false;
o->proto_force = -1;
+ o->ce.xormethod = 0;
+ o->ce.xormask = "\0";
+ o->ce.xormasklen = 0;
- #ifdef ENABLE_OCC
o->occ = true;
- #endif
-@@ -972,6 +975,9 @@ setenv_connection_entry(struct env_set *
+ #ifdef ENABLE_MANAGEMENT
+ o->management_log_history_cache = 250;
+@@ -973,6 +976,9 @@
setenv_str_i(es, "local_port", e->local_port, i);
setenv_str_i(es, "remote", e->remote, i);
setenv_str_i(es, "remote_port", e->remote_port, i);
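Review bot: The rewritten inner headers no longer identify a single source tree: this hunk names `openvpn-2.5_beta1` and `openvpn-2.5_rc3`, and the later hunks add `openvpn-2.5_git_57d6f10` and `openvpn-2.5_git_974513e`, none of which is the 2.5.0 release the port now builds. The line crediting the previous port is deleted without a replacement, so the preamble no longer says who produced this version. Because this optional patch rewrites the packet read and write path, the preamble should record where the new text was taken from so it can be compared against its upstream, e.g. `Taken from Tunnelblick <RELEASE-PLACEHOLDER>, patch set for OpenVPN 2.5.0.`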
@@ -60,17 +60,17 @@ The patch was ported to OpenVPN 2.4 by OPNsense.
if (e->http_proxy_options)
{
-@@ -1474,6 +1480,9 @@ show_connection_entry(const struct conne
+@@ -1452,6 +1458,9 @@
SHOW_BOOL(bind_ipv6_only);
SHOW_INT(connect_retry_seconds);
SHOW_INT(connect_timeout);
-+ SHOW_INT(xormethod);
-+ SHOW_STR(xormask);
-+ SHOW_INT(xormasklen);
++ SHOW_INT (xormethod);
++ SHOW_STR (xormask);
++ SHOW_INT (xormasklen);
if (o->http_proxy_options)
{
-@@ -5915,6 +5924,46 @@ add_option(struct options *options,
+@@ -6260,6 +6269,46 @@
}
options->proto_force = proto_force;
}
@@ -103,23 +103,24 @@ The patch was ported to OpenVPN 2.4 by OPNsense.
+ }
+ else if (!p[2])
+ {
-+ msg(M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]);
++ msg (M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]);
+ options->ce.xormethod = 1;
+ options->ce.xormask = p[1];
+ options->ce.xormasklen = strlen(options->ce.xormask);
+ }
+ else
+ {
-+ msg(msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'");
++ msg (msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'");
+ goto err;
+ }
+ }
else if (streq(p[0], "http-proxy") && p[1] && !p[5])
{
struct http_proxy_options *ho;
---- src/openvpn/options.h.orig 2016-12-22 07:25:18 UTC
-+++ src/openvpn/options.h
-@@ -98,6 +98,9 @@ struct connection_entry
+diff -u -r -x .DS_Store openvpn-2.5_git_57d6f10.old/src/openvpn/options.h openvpn-2.5_git_57d6f10.new/src/openvpn/options.h
+--- openvpn-2.5_git_57d6f10.old/src/openvpn/options.h 2018-07-28 06:02:27.000000000 -0400
++++ openvpn-2.5_git_57d6f10.new/src/openvpn/options.h 2018-07-28 06:02:27.000000000 -0400
+@@ -99,6 +99,9 @@
int connect_retry_seconds;
int connect_retry_seconds_max;
int connect_timeout;
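Review bot: The fallback branch for a bare `scramble <string>` copies the mask into the log through `msg (M_WARN, "... using 'scramble xormask \"%s\"'", p[1]);`, and `SHOW_STR (xormask);` in the preceding hunk prints it again in the options dump. The scramble methods are obfuscation rather than encryption, but the mask is still a value both peers share, and log files are usually readable by more people than the configuration. I would drop the value from the warning, `msg (M_WARN, "WARNING: No recognized 'scramble' method specified; using the argument as the 'xormask' string");`, and consider omitting the `SHOW_STR` line. The `scramble` branch of `add_option` starts outside this hunk.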
@@ -129,33 +130,36 @@ The patch was ported to OpenVPN 2.4 by OPNsense.
struct http_proxy_options *http_proxy_options;
const char *socks_proxy_server;
const char *socks_proxy_port;
---- src/openvpn/socket.c.orig 2016-12-22 07:25:18 UTC
-+++ src/openvpn/socket.c
-@@ -55,6 +55,53 @@ const int proto_overhead[] = { /* indexe
+--- openvpn-2.5_git_974513e/src/openvpn/socket.c 2017-08-17 11:27:23.000000000 -0400
++++ openvpn-2.5_git_974513e_patched/src/openvpn/socket.c 2017-08-18 18:37:11.000000000 -0400
+@@ -54,6 +54,56 @@
IPv6_TCP_HEADER_SIZE,
};
-
-+int buffer_mask (struct buffer *buf, const char *mask, int xormasklen) {
-+ int i;
-+ uint8_t *b;
-+ if ( xormasklen > 0 ) {
-+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
-+ *b = *b ^ mask[i % xormasklen];
-+ }
-+ }
-+ return BLEN (buf);
+
++int buffer_mask(struct buffer *buf, const char *mask, int xormasklen)
++{
++ int i;
++ uint8_t *b;
++ if ( xormasklen > 0 ) {
++ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
++ *b = *b ^ mask[i % xormasklen];
++ }
++ }
++ return BLEN (buf);
+}
+
-+int buffer_xorptrpos (struct buffer *buf) {
-+ int i;
-+ uint8_t *b;
-+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
-+ *b = *b ^ i+1;
-+ }
-+ return BLEN (buf);
++int buffer_xorptrpos(struct buffer *buf)
++{
++ int i;
++ uint8_t *b;
++ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
++ *b = *b ^ i+1;
++ }
++ return BLEN (buf);
+}
+
-+int buffer_reverse (struct buffer *buf) {
++int buffer_reverse(struct buffer *buf)
++{
+/* This function has been rewritten for Tunnelblick. The buffer_reverse function at
+ * https://github.com/clayface/openvpn_xorpatch
+ * makes a copy of the buffer and it writes to the byte **after** the
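Review bot: `*b = *b ^ i+1;` in `buffer_xorptrpos` relies on `+` binding tighter than `^`, a form that is easy to misread and that `-Wparentheses` typically flags; `*b ^= (uint8_t)(i + 1);` computes the same byte and makes the truncation of the position to eight bits explicit. None of the three helpers carries a comment, so I would add one line above each stating that it transforms the buffer in place and returns its length, and that the transform is an obfuscation layer with no confidentiality or integrity property of its own. `buffer_reverse` continues past the end of this hunk.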
@@ -167,38 +171,39 @@ The patch was ported to OpenVPN 2.4 by OPNsense.
+ * actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'.
+ * (Of course, the actual buffer contents are bytes, and not necessarily characters.)
+ */
-+ int len = BLEN(buf);
-+ if ( len > 2 ) { /* Leave '', 'a', and 'ab' alone */
-+ int i;
-+ uint8_t *b_start = BPTR (buf) + 1; /* point to first byte to swap */
-+ uint8_t *b_end = BPTR (buf) + (len - 1); /* point to last byte to swap */
-+ uint8_t tmp;
-+ for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) {
-+ tmp = *b_start;
-+ *b_start = *b_end;
-+ *b_end = tmp;
++ int len = BLEN(buf);
++ if ( len > 2 ) { /* Leave '', 'a', and 'ab' alone */
++ int i;
++ uint8_t *b_start = BPTR (buf) + 1; /* point to first byte to swap */
++ uint8_t *b_end = BPTR (buf) + (len - 1); /* point to last byte to swap */
++ uint8_t tmp;
++ for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) {
++ tmp = *b_start;
++ *b_start = *b_end;
++ *b_end = tmp;
++ }
+ }
-+ }
-+ return len;
++ return len;
+}
+
/*
* Convert sockflags/getaddr_flags into getaddr_flags
*/
---- src/openvpn/socket.h.orig 2016-12-22 07:25:18 UTC
-+++ src/openvpn/socket.h
-@@ -249,6 +249,10 @@ struct link_socket
+diff -u -r -x .DS_Store openvpn-2.5_beta1.old/src/openvpn/socket.h openvpn-2.5_beta1.new/src/openvpn/socket.h
+--- openvpn-2.5_beta1.old/src/openvpn/socket.h 2020-08-16 11:57:17.000000000 -0400
++++ openvpn-2.5_beta1.new/src/openvpn/socket.h 2020-08-16 11:57:17.000000000 -0400
+@@ -249,6 +249,10 @@
#endif
};
-+int buffer_mask (struct buffer *buf, const char *xormask, int xormasklen);
-+int buffer_xorptrpos (struct buffer *buf);
-+int buffer_reverse (struct buffer *buf);
++int buffer_mask(struct buffer *buf, const char *xormask, int xormasklen);
++int buffer_xorptrpos(struct buffer *buf);
++int buffer_reverse(struct buffer *buf);
+
/*
* Some Posix/Win32 differences.
*/
-@@ -1046,30 +1050,55 @@ int link_socket_read_udp_posix(struct li
+@@ -1049,30 +1053,56 @@
static inline int
link_socket_read(struct link_socket *sock,
struct buffer *buf,
@@ -209,11 +214,10 @@ The patch was ported to OpenVPN 2.4 by OPNsense.
+ int xormasklen)
{
+ int res;
-+
if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
{
- int res;
--
+
#ifdef _WIN32
res = link_socket_read_udp_win32(sock, buf, from);
#else
@@ -233,33 +237,34 @@ The patch was ported to OpenVPN 2.4 by OPNsense.
ASSERT(0);
return -1; /* NOTREACHED */
}
-+ switch (xormethod) {
-+ case 0:
-+ break;
-+ case 1:
-+ buffer_mask(buf,xormask,xormasklen);
-+ break;
-+ case 2:
-+ buffer_xorptrpos(buf);
-+ break;
-+ case 3:
-+ buffer_reverse(buf);
-+ break;
-+ case 4:
-+ buffer_mask(buf,xormask,xormasklen);
-+ buffer_xorptrpos(buf);
-+ buffer_reverse(buf);
-+ buffer_xorptrpos(buf);
-+ break;
-+ default:
-+ ASSERT (0);
-+ return -1; /* NOTREACHED */
++ switch(xormethod)
++ {
++ case 0:
++ break;
++ case 1:
++ buffer_mask(buf,xormask,xormasklen);
++ break;
++ case 2:
++ buffer_xorptrpos(buf);
++ break;
++ case 3:
++ buffer_reverse(buf);
++ break;
++ case 4:
++ buffer_mask(buf,xormask,xormasklen);
++ buffer_xorptrpos(buf);
++ buffer_reverse(buf);
++ buffer_xorptrpos(buf);
++ break;
++ default:
++ ASSERT (0);
++ return -1; /* NOTREACHED */
+ }
+ return res;
}
/*
-@@ -1159,8 +1188,33 @@ link_socket_write_udp(struct link_socket
+@@ -1163,8 +1193,34 @@
static inline int
link_socket_write(struct link_socket *sock,
struct buffer *buf,
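Review bot: In `link_socket_read` the de-scramble `switch(xormethod)` is applied to `buf` whatever `res` holds, so a failed or empty read is still handed to `buffer_mask`, `buffer_xorptrpos` and `buffer_reverse`. That is harmless only if every read helper leaves `BLEN(buf)` at zero on error, which this hunk does not show; guarding the switch with `if (res > 0)` would make the assumption explicit. The `default: ASSERT (0);` arm also turns any out-of-range `xormethod` into a process abort, so the option parser has to stay the only writer of that field. The same switch is duplicated in `link_socket_write` in the next hunk, and the opening lines of `link_socket_read` are outside this one.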
@@ -269,27 +274,28 @@ The patch was ported to OpenVPN 2.4 by OPNsense.
+ const char *xormask,
+ int xormasklen)
{
-+ switch (xormethod) {
-+ case 0:
-+ break;
-+ case 1:
-+ buffer_mask(buf,xormask,xormasklen);
-+ break;
-+ case 2:
-+ buffer_xorptrpos(buf);
-+ break;
-+ case 3:
-+ buffer_reverse(buf);
-+ break;
-+ case 4:
-+ buffer_xorptrpos(buf);
-+ buffer_reverse(buf);
-+ buffer_xorptrpos(buf);
-+ buffer_mask(buf,xormask,xormasklen);
-+ break;
-+ default:
-+ ASSERT (0);
-+ return -1; /* NOTREACHED */
++ switch(xormethod)
++ {
++ case 0:
++ break;
++ case 1:
++ buffer_mask(buf,xormask,xormasklen);
++ break;
++ case 2:
++ buffer_xorptrpos(buf);
++ break;
++ case 3:
++ buffer_reverse(buf);
++ break;
++ case 4:
++ buffer_xorptrpos(buf);
++ buffer_reverse(buf);
++ buffer_xorptrpos(buf);
++ buffer_mask(buf,xormask,xormasklen);
++ break;
++ default:
++ ASSERT (0);
++ return -1; /* NOTREACHED */
+ }
if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
{
Modified: head/security/openvpn/pkg-plist
==============================================================================
--- head/security/openvpn/pkg-plist Fri Oct 30 19:27:52 2020 (r553712)
+++ head/security/openvpn/pkg-plist Fri Oct 30 20:36:01 2020 (r553713)
@@ -1,9 +1,9 @@
-include/openvpn-plugin.h
include/openvpn-msg.h
+include/openvpn-plugin.h
lib/openvpn/plugins/openvpn-plugin-auth-pam.so
lib/openvpn/plugins/openvpn-plugin-down-root.so
+libexec/openvpn-client.down
+libexec/openvpn-client.up
man/man8/openvpn.8.gz
sbin/openvpn
sbin/openvpn-client
-libexec/openvpn-client.up
-libexec/openvpn-client.down