From nobody Sun Apr 03 11:16:10 2022 X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 1D84C1A50EDE; Sun, 3 Apr 2022 11:16:11 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KWWYl0FtPz4tgW; Sun, 3 Apr 2022 11:16:11 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1648984571; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=nVZjdozF44Uv/WZyY9c1/mf2qb12Xc3eq2czupBMIKo=; b=BMso/DceKtnMbD14BZWTha79kzQYPCVulbwVuExqLdSZMl4cs0z6/iNARBAO2WfUCX30+M ubmJ9DPRk9Ys7na3Pj4+nsXA5auUxjrphUrWnJgGMZbcHs1d1+txWbp/T5Kb319KCN4qvx Ot9cLXWyJG7acuaAL1bpfc+EGjD9j3mr2kEMRxPhNNdoT4mzXIVM8kU6ZiPfCEZDiTNMlk OsYno9IN6UEvHHKU4H/nac3bSAMEXsIe+Uo9jBEjNlxJdFNQgoWkHCCXRbldOwsIcdRrjY YBCxMZOUtCkOBfqaRS2QzN/dhcN9M28nmtjg1ptpiU8Ot7tk1kwJsjobbNwhuw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id DDF461C164; Sun, 3 Apr 2022 11:16:10 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 233BGA9B059217; Sun, 3 Apr 2022 11:16:10 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 233BGASR059216; Sun, 3 Apr 2022 11:16:10 GMT (envelope-from git) Date: Sun, 3 Apr 2022 11:16:10 GMT Message-Id: <202204031116.233BGASR059216@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Matthias Andree Subject: git: 69cd4e114c00 - main - security/openvpn: remove MBEDTLS and TUNNELBLICK options. List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-all@freebsd.org X-BeenThere: dev-commits-ports-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: mandree X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 69cd4e114c005a94137adade08306e574fb20382 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1648984571; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=nVZjdozF44Uv/WZyY9c1/mf2qb12Xc3eq2czupBMIKo=; b=ZcZ8ODzRELD1XLNFUD55MFqJKLKWpKjDxIvq4Js2C1NWRAWxFtRfoOYe8eyIHVj3+iJDbs 8fiYLS8sd/3Ubzrxo6I3ia4h0bNNOgpPCviob10FHiOvCjkMlMR1mOv90AQLpLNygCJu1h c0JP4wr8Po/7zq3L2/D8I44ZtsLqblke4IMaE+Bn8V5wn1YLohsUmL24p4CVSSHbYRKEMR FsMv9Xvbq5+6Ni1SefTzhy1Jm91pNclIONtBpW5m+ItT7vamFnje9ERmXKnAslKkoYafi6 lmMfj/DCiUpZ/bmNNLnf1Tgb4ispU/AcmivnjtJKTyyJG4AGVA5MHS8lxSGFuw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1648984571; a=rsa-sha256; cv=none; b=Ec1UPoNnAKLj363yT/1IYCxFNOMKNbYzYVhDUN4DUQyT9MAUwzxpuMGHFQDO4NLN1c9+RA RQ4wZkKHXo/gPHEQwLgLSPe0SqixKkzSIrOWeUjsAksygKtRg16ptR+lNWSUMeM/zZZtsx TictTNmfan3l5Gljbrfcpo6wttunC4icA/0uzGIRCFgpECE9Li0lDE0QyEM8c2NgIWKu/Z 5+uXL0f0Z6H+mCzZe7tYBahowE05H038WlaXh/K/9r+VJKPs4IaKWTsMSeWsoFEUSlty8Q fTuSqORimGFlGB1MN7FuB2SVR/aWyIycIiANBbW0jpGG6MBRw2skghLhNbvW8g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by mandree: URL: https://cgit.FreeBSD.org/ports/commit/?id=69cd4e114c005a94137adade08306e574fb20382 commit 69cd4e114c005a94137adade08306e574fb20382 Author: Matthias Andree AuthorDate: 2022-04-03 10:24:08 +0000 Commit: Matthias Andree CommitDate: 2022-04-03 11:15:57 +0000 security/openvpn: remove MBEDTLS and TUNNELBLICK options. --- security/openvpn/Makefile | 44 +-- .../files/extra-tunnelblick-openvpn_xorpatch | 302 --------------------- 2 files changed, 7 insertions(+), 339 deletions(-) diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile index 680e92e82fde..8b035982a36f 100644 --- a/security/openvpn/Makefile +++ b/security/openvpn/Makefile @@ -14,7 +14,7 @@ COMMENT?= Secure IP/Ethernet tunnel daemon LICENSE= GPLv2 LICENSE_FILE= ${WRKSRC}/COPYRIGHT.GPL -USES= cpe libtool localbase:ldflags pkgconfig shebangfix tar:xz +USES= cpe libtool localbase:ldflags pkgconfig shebangfix ssl tar:xz USE_RC_SUBR= openvpn SHEBANG_FILES= sample/sample-scripts/verify-cn \ @@ -22,7 +22,7 @@ SHEBANG_FILES= sample/sample-scripts/verify-cn \ sample/sample-scripts/ucn.pl GNU_CONFIGURE= yes -CONFIGURE_ARGS+= --enable-strict +CONFIGURE_ARGS+= --enable-strict --with-crypto-library=openssl # set PLUGIN_LIBDIR so that unqualified plugin paths are found: CONFIGURE_ENV+= PLUGINDIR="${PREFIX}/lib/openvpn/plugins" @@ -37,19 +37,15 @@ PORTDOCS= * PORTEXAMPLES= * OPTIONS_DEFINE= ASYNC_PUSH DOCS EASYRSA EXAMPLES LZ4 LZO PKCS11 SMALL \ - TEST TUNNELBLICK UNITTESTS X509ALTUSERNAME -OPTIONS_DEFAULT= EASYRSA LZ4 LZO OPENSSL PKCS11 TEST -OPTIONS_SINGLE= SSL -OPTIONS_SINGLE_SSL= OPENSSL MBEDTLS + TEST UNITTESTS X509ALTUSERNAME +OPTIONS_DEFAULT= EASYRSA LZ4 LZO PKCS11 TEST ASYNC_PUSH_DESC= Enable async-push support EASYRSA_DESC= Install security/easy-rsa RSA helper package LZO_DESC= LZO compression (incompatible with LibreSSL) -MBEDTLS_DESC= SSL/TLS via mbedTLS (lacks TLS v1.3) -PKCS11_DESC= Use security/pkcs11-helper (OpenSSL only) +PKCS11_DESC= Use security/pkcs11-helper SMALL_DESC= Build a smaller executable with fewer features -TUNNELBLICK_DESC= XOR scrambling patch - DEPRECATED! UNITTESTS_DESC= Enable unit tests -X509ALTUSERNAME_DESC= Enable --x509-username-field (OpenSSL only) +X509ALTUSERNAME_DESC= Enable --x509-username-field ASYNC_PUSH_LIB_DEPENDS= libinotify.so:devel/libinotify ASYNC_PUSH_CONFIGURE_ENABLE= async-push @@ -62,14 +58,6 @@ LZ4_CONFIGURE_ENABLE= lz4 LZO_LIB_DEPENDS+= liblzo2.so:archivers/lzo2 LZO_CONFIGURE_ENABLE= lzo -MBEDTLS_LIB_DEPENDS= libmbedtls.so:security/mbedtls -MBEDTLS_CONFIGURE_ON= --with-crypto-library=mbedtls - -OPENSSL_USES= ssl -OPENSSL_CONFIGURE_ON= --with-crypto-library=openssl - -PKCS11_PREVENTS= MBEDTLS -PKCS11_PREVENTS_MSG= OpenVPN cannot use pkcs11-helper with mbedTLS. Disable PKCS11, or use OpenSSL instead PKCS11_LIB_DEPENDS= libpkcs11-helper.so:security/pkcs11-helper PKCS11_CONFIGURE_ENABLE= pkcs11 @@ -78,13 +66,9 @@ SMALL_CONFIGURE_ENABLE= small TEST_ALL_TARGET= check TEST_TEST_TARGET_OFF= check -TUNNELBLICK_EXTRA_PATCHES= ${FILESDIR}/extra-tunnelblick-openvpn_xorpatch:-p1 - UNITTESTS_BUILD_DEPENDS= cmocka>=0:sysutils/cmocka UNITTESTS_CONFIGURE_ENABLE= unit-tests -X509ALTUSERNAME_PREVENTS= MBEDTLS -X509ALTUSERNAME_PREVENTS_MSG= OpenVPN ${DISTVERSION} cannot use --x509-username-field with mbedTLS. Disable X509ALTUSERNAME, or use OpenSSL instead X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username .ifdef (LOG_OPENVPN) @@ -93,14 +77,6 @@ CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN} .include -.if ${PORT_OPTIONS:MMBEDTLS} -BROKEN_FreeBSD_14= OpenVPN-mbedTLS fails on FreeBSD 14 -_tlslibs=libmbedtls libmbedx509 libmbedcrypto -.else -# OpenSSL -_tlslibs=libssl libcrypto -.endif - .if ${PORT_OPTIONS:MLZO} IGNORE_SSL=libressl libressl-devel IGNORE_SSL_REASON=OpenVPN does not have permission to include LZO with LibreSSL. Compile against OpenSSL, or if your setups support it, disable LZO support @@ -119,13 +95,6 @@ pre-everything:: @${SHELL} -c 'exit 1' .endif -.if !empty(PORT_OPTIONS:MMBEDTLS) || !empty(PORT_OPTIONS:MTUNNELBLICK) -pre-everything:: - @${ECHO_CMD} >&2 "======================================================================" - @${ECHO_CMD} >&2 "Note that the mbedTLS and Tunnelblick options will go away 2022-03-31." - @${ECHO_CMD} >&2 "======================================================================" -.endif - post-patch: ${REINPLACE_CMD} -E -i '' -e 's/(user|group) nobody/\1 openvpn/' \ -e 's/"nobody"( after init)/"openvpn" \1/' \ @@ -159,6 +128,7 @@ post-configure: # sanity check that we don't inherit incompatible SSL libs through, # for instance, pkcs11-helper: +_tlslibs=libssl libcrypto post-build: @a=$$(LC_ALL=C ldd -f '%o\n' ${WRKSRC}/src/openvpn/openvpn \ | ${SORT} -u) ; set -- $$(for i in ${_tlslibs} ; do ${PRINTF} '%s\n' "$$a" | ${GREP} $${i}.so | wc -l ; done | ${SORT} -u) ;\ diff --git a/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch b/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch deleted file mode 100644 index bb00494137c0..000000000000 --- a/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch +++ /dev/null @@ -1,302 +0,0 @@ -This work allows obfuscation of the OpenVPN header to make it harder for -layer 7 inspection to identify such traffic, which may come with blocking -or recording actions in certain territories of the world. This patch, in -a nutshell, can increase privacy and range of communication for its users. - -The `scramble' option introduced hereby is off by default. - -The option's usage, history and controversy of the patch is explained in -detail on the following wiki page: - -https://tunnelblick.net/cOpenvpn_xorpatch.html - -diff -u -r -x .DS_Store openvpn-2.5_beta1.old/src/openvpn/forward.c openvpn-2.5_beta1.new/src/openvpn/forward.c ---- openvpn-2.5_beta1.old/src/openvpn/forward.c 2020-08-16 11:57:15.000000000 -0400 -+++ openvpn-2.5_beta1.new/src/openvpn/forward.c 2020-08-16 11:57:15.000000000 -0400 -@@ -811,7 +811,10 @@ - - status = link_socket_read(c->c2.link_socket, - &c->c2.buf, -- &c->c2.from); -+ &c->c2.from, -+ c->options.ce.xormethod, -+ c->options.ce.xormask, -+ c->options.ce.xormasklen); - - if (socket_connection_reset(c->c2.link_socket, status)) - { -@@ -1621,7 +1624,10 @@ - /* Send packet */ - size = link_socket_write(c->c2.link_socket, - &c->c2.to_link, -- to_addr); -+ to_addr, -+ c->options.ce.xormethod, -+ c->options.ce.xormask, -+ c->options.ce.xormasklen); - - /* Undo effect of prepend */ - link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link); -diff -u -r -x .DS_Store openvpn-2.5_rc3.old/src/openvpn/options.c openvpn-2.5_rc3.new/src/openvpn/options.c ---- openvpn-2.5_rc3.old/src/openvpn/options.c 2020-10-19 13:38:17.000000000 -0400 -+++ openvpn-2.5_rc3.new/src/openvpn/options.c 2020-10-19 13:38:17.000000000 -0400 -@@ -821,6 +821,9 @@ - o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; - o->resolve_in_advance = false; - o->proto_force = -1; -+ o->ce.xormethod = 0; -+ o->ce.xormask = "\0"; -+ o->ce.xormasklen = 0; - o->occ = true; - #ifdef ENABLE_MANAGEMENT - o->management_log_history_cache = 250; -@@ -973,6 +976,9 @@ - setenv_str_i(es, "local_port", e->local_port, i); - setenv_str_i(es, "remote", e->remote, i); - setenv_str_i(es, "remote_port", e->remote_port, i); -+ setenv_int_i(es, "xormethod", e->xormethod, i); -+ setenv_str_i(es, "xormask", e->xormask, i); -+ setenv_int_i(es, "xormasklen", e->xormasklen, i); - - if (e->http_proxy_options) - { -@@ -1452,6 +1458,9 @@ - SHOW_BOOL(bind_ipv6_only); - SHOW_INT(connect_retry_seconds); - SHOW_INT(connect_timeout); -+ SHOW_INT (xormethod); -+ SHOW_STR (xormask); -+ SHOW_INT (xormasklen); - - if (o->http_proxy_options) - { -@@ -6260,6 +6269,46 @@ - } - options->proto_force = proto_force; - } -+ else if (streq (p[0], "scramble") && p[1]) -+ { -+ VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); -+ if (streq (p[1], "xormask") && p[2] && (!p[3])) -+ { -+ options->ce.xormethod = 1; -+ options->ce.xormask = p[2]; -+ options->ce.xormasklen = strlen(options->ce.xormask); -+ } -+ else if (streq (p[1], "xorptrpos") && (!p[2])) -+ { -+ options->ce.xormethod = 2; -+ options->ce.xormask = NULL; -+ options->ce.xormasklen = 0; -+ } -+ else if (streq (p[1], "reverse") && (!p[2])) -+ { -+ options->ce.xormethod = 3; -+ options->ce.xormask = NULL; -+ options->ce.xormasklen = 0; -+ } -+ else if (streq (p[1], "obfuscate") && p[2] && (!p[3])) -+ { -+ options->ce.xormethod = 4; -+ options->ce.xormask = p[2]; -+ options->ce.xormasklen = strlen(options->ce.xormask); -+ } -+ else if (!p[2]) -+ { -+ msg (M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]); -+ options->ce.xormethod = 1; -+ options->ce.xormask = p[1]; -+ options->ce.xormasklen = strlen(options->ce.xormask); -+ } -+ else -+ { -+ msg (msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'"); -+ goto err; -+ } -+ } - else if (streq(p[0], "http-proxy") && p[1] && !p[5]) - { - struct http_proxy_options *ho; -diff -u -r -x .DS_Store openvpn-2.5_git_57d6f10.old/src/openvpn/options.h openvpn-2.5_git_57d6f10.new/src/openvpn/options.h ---- openvpn-2.5_git_57d6f10.old/src/openvpn/options.h 2018-07-28 06:02:27.000000000 -0400 -+++ openvpn-2.5_git_57d6f10.new/src/openvpn/options.h 2018-07-28 06:02:27.000000000 -0400 -@@ -99,6 +99,9 @@ - int connect_retry_seconds; - int connect_retry_seconds_max; - int connect_timeout; -+ int xormethod; -+ const char *xormask; -+ int xormasklen; - struct http_proxy_options *http_proxy_options; - const char *socks_proxy_server; - const char *socks_proxy_port; ---- openvpn-2.5_git_974513e/src/openvpn/socket.c 2017-08-17 11:27:23.000000000 -0400 -+++ openvpn-2.5_git_974513e_patched/src/openvpn/socket.c 2017-08-18 18:37:11.000000000 -0400 -@@ -54,6 +54,56 @@ - IPv6_TCP_HEADER_SIZE, - }; - -+int buffer_mask(struct buffer *buf, const char *mask, int xormasklen) -+{ -+ int i; -+ uint8_t *b; -+ if ( xormasklen > 0 ) { -+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) { -+ *b = *b ^ mask[i % xormasklen]; -+ } -+ } -+ return BLEN (buf); -+} -+ -+int buffer_xorptrpos(struct buffer *buf) -+{ -+ int i; -+ uint8_t *b; -+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) { -+ *b = *b ^ i+1; -+ } -+ return BLEN (buf); -+} -+ -+int buffer_reverse(struct buffer *buf) -+{ -+/* This function has been rewritten for Tunnelblick. The buffer_reverse function at -+ * https://github.com/clayface/openvpn_xorpatch -+ * makes a copy of the buffer and it writes to the byte **after** the -+ * buffer contents, so if the buffer is full then it writes outside of the buffer. -+ * This rewritten version does neither. -+ * -+ * For interoperability, this rewritten version preserves the behavior of the original -+ * function: it does not modify the first character of the buffer. So it does not -+ * actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'. -+ * (Of course, the actual buffer contents are bytes, and not necessarily characters.) -+ */ -+ int len = BLEN(buf); -+ if ( len > 2 ) { /* Leave '', 'a', and 'ab' alone */ -+ int i; -+ uint8_t *b_start = BPTR (buf) + 1; /* point to first byte to swap */ -+ uint8_t *b_end = BPTR (buf) + (len - 1); /* point to last byte to swap */ -+ uint8_t tmp; -+ for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) { -+ tmp = *b_start; -+ *b_start = *b_end; -+ *b_end = tmp; -+ } -+ } -+ return len; -+} -+ - /* - * Convert sockflags/getaddr_flags into getaddr_flags - */ -diff -u -r -x .DS_Store openvpn-2.5_beta1.old/src/openvpn/socket.h openvpn-2.5_beta1.new/src/openvpn/socket.h ---- openvpn-2.5_beta1.old/src/openvpn/socket.h 2020-08-16 11:57:17.000000000 -0400 -+++ openvpn-2.5_beta1.new/src/openvpn/socket.h 2020-08-16 11:57:17.000000000 -0400 -@@ -249,6 +249,10 @@ - #endif - }; - -+int buffer_mask(struct buffer *buf, const char *xormask, int xormasklen); -+int buffer_xorptrpos(struct buffer *buf); -+int buffer_reverse(struct buffer *buf); -+ - /* - * Some Posix/Win32 differences. - */ -@@ -1049,30 +1053,56 @@ - static inline int - link_socket_read(struct link_socket *sock, - struct buffer *buf, -- struct link_socket_actual *from) -+ struct link_socket_actual *from, -+ int xormethod, -+ const char *xormask, -+ int xormasklen) - { -+ int res; - if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ - { -- int res; - - #ifdef _WIN32 - res = link_socket_read_udp_win32(sock, buf, from); - #else - res = link_socket_read_udp_posix(sock, buf, from); - #endif -- return res; - } - else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */ - { - /* from address was returned by accept */ - addr_copy_sa(&from->dest, &sock->info.lsa->actual.dest); -- return link_socket_read_tcp(sock, buf); -+ res = link_socket_read_tcp(sock, buf); - } - else - { - ASSERT(0); - return -1; /* NOTREACHED */ - } -+ switch(xormethod) -+ { -+ case 0: -+ break; -+ case 1: -+ buffer_mask(buf,xormask,xormasklen); -+ break; -+ case 2: -+ buffer_xorptrpos(buf); -+ break; -+ case 3: -+ buffer_reverse(buf); -+ break; -+ case 4: -+ buffer_mask(buf,xormask,xormasklen); -+ buffer_xorptrpos(buf); -+ buffer_reverse(buf); -+ buffer_xorptrpos(buf); -+ break; -+ default: -+ ASSERT (0); -+ return -1; /* NOTREACHED */ -+ } -+ return res; - } - - /* -@@ -1163,8 +1193,34 @@ - static inline int - link_socket_write(struct link_socket *sock, - struct buffer *buf, -- struct link_socket_actual *to) -+ struct link_socket_actual *to, -+ int xormethod, -+ const char *xormask, -+ int xormasklen) - { -+ switch(xormethod) -+ { -+ case 0: -+ break; -+ case 1: -+ buffer_mask(buf,xormask,xormasklen); -+ break; -+ case 2: -+ buffer_xorptrpos(buf); -+ break; -+ case 3: -+ buffer_reverse(buf); -+ break; -+ case 4: -+ buffer_xorptrpos(buf); -+ buffer_reverse(buf); -+ buffer_xorptrpos(buf); -+ buffer_mask(buf,xormask,xormasklen); -+ break; -+ default: -+ ASSERT (0); -+ return -1; /* NOTREACHED */ -+ } - if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ - { - return link_socket_write_udp(sock, buf, to);