git: 69cd4e114c00 - main - security/openvpn: remove MBEDTLS and TUNNELBLICK options.

From: Matthias Andree <mandree_at_FreeBSD.org>
Date: Sun, 03 Apr 2022 11:16:10 UTC
The branch main has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=69cd4e114c005a94137adade08306e574fb20382

commit 69cd4e114c005a94137adade08306e574fb20382
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2022-04-03 10:24:08 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2022-04-03 11:15:57 +0000

    security/openvpn: remove MBEDTLS and TUNNELBLICK options.
---
 security/openvpn/Makefile                          |  44 +--
 .../files/extra-tunnelblick-openvpn_xorpatch       | 302 ---------------------
 2 files changed, 7 insertions(+), 339 deletions(-)

diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
index 680e92e82fde..8b035982a36f 100644
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@@ -14,7 +14,7 @@ COMMENT?=		Secure IP/Ethernet tunnel daemon
 LICENSE=		GPLv2
 LICENSE_FILE=		${WRKSRC}/COPYRIGHT.GPL
 
-USES=			cpe libtool localbase:ldflags pkgconfig shebangfix tar:xz
+USES=			cpe libtool localbase:ldflags pkgconfig shebangfix ssl tar:xz
 USE_RC_SUBR=		openvpn
 
 SHEBANG_FILES=		sample/sample-scripts/verify-cn \
@@ -22,7 +22,7 @@ SHEBANG_FILES=		sample/sample-scripts/verify-cn \
 			sample/sample-scripts/ucn.pl
 
 GNU_CONFIGURE=		yes
-CONFIGURE_ARGS+=	--enable-strict
+CONFIGURE_ARGS+=	--enable-strict --with-crypto-library=openssl
 # set PLUGIN_LIBDIR so that unqualified plugin paths are found:
 CONFIGURE_ENV+=		PLUGINDIR="${PREFIX}/lib/openvpn/plugins"
 
@@ -37,19 +37,15 @@ PORTDOCS=		*
 PORTEXAMPLES=		*
 
 OPTIONS_DEFINE=		ASYNC_PUSH DOCS EASYRSA EXAMPLES LZ4 LZO PKCS11 SMALL \
-			TEST TUNNELBLICK UNITTESTS X509ALTUSERNAME
-OPTIONS_DEFAULT=	EASYRSA LZ4 LZO OPENSSL PKCS11 TEST
-OPTIONS_SINGLE=		SSL
-OPTIONS_SINGLE_SSL=	OPENSSL MBEDTLS
+			TEST UNITTESTS X509ALTUSERNAME
+OPTIONS_DEFAULT=	EASYRSA LZ4 LZO PKCS11 TEST
 ASYNC_PUSH_DESC=	Enable async-push support
 EASYRSA_DESC=		Install security/easy-rsa RSA helper package
 LZO_DESC=		LZO compression (incompatible with LibreSSL)
-MBEDTLS_DESC=		SSL/TLS via mbedTLS (lacks TLS v1.3)
-PKCS11_DESC=		Use security/pkcs11-helper (OpenSSL only)
+PKCS11_DESC=		Use security/pkcs11-helper
 SMALL_DESC=		Build a smaller executable with fewer features
-TUNNELBLICK_DESC=	XOR scrambling patch - DEPRECATED!
 UNITTESTS_DESC=		Enable unit tests
-X509ALTUSERNAME_DESC=	Enable --x509-username-field (OpenSSL only)
+X509ALTUSERNAME_DESC=	Enable --x509-username-field
 
 ASYNC_PUSH_LIB_DEPENDS=	libinotify.so:devel/libinotify
 ASYNC_PUSH_CONFIGURE_ENABLE=	async-push
@@ -62,14 +58,6 @@ LZ4_CONFIGURE_ENABLE=	lz4
 LZO_LIB_DEPENDS+=	liblzo2.so:archivers/lzo2
 LZO_CONFIGURE_ENABLE=	lzo
 
-MBEDTLS_LIB_DEPENDS=	libmbedtls.so:security/mbedtls
-MBEDTLS_CONFIGURE_ON=	--with-crypto-library=mbedtls
-
-OPENSSL_USES=		ssl
-OPENSSL_CONFIGURE_ON=	--with-crypto-library=openssl
-
-PKCS11_PREVENTS=	MBEDTLS
-PKCS11_PREVENTS_MSG=	OpenVPN cannot use pkcs11-helper with mbedTLS. Disable PKCS11, or use OpenSSL instead
 PKCS11_LIB_DEPENDS=	libpkcs11-helper.so:security/pkcs11-helper
 PKCS11_CONFIGURE_ENABLE=	pkcs11
 
@@ -78,13 +66,9 @@ SMALL_CONFIGURE_ENABLE=	small
 TEST_ALL_TARGET=	check
 TEST_TEST_TARGET_OFF=	check
 
-TUNNELBLICK_EXTRA_PATCHES=	${FILESDIR}/extra-tunnelblick-openvpn_xorpatch:-p1
-
 UNITTESTS_BUILD_DEPENDS=	cmocka>=0:sysutils/cmocka
 UNITTESTS_CONFIGURE_ENABLE=	unit-tests
 
-X509ALTUSERNAME_PREVENTS=	MBEDTLS
-X509ALTUSERNAME_PREVENTS_MSG=	OpenVPN ${DISTVERSION} cannot use --x509-username-field with mbedTLS. Disable X509ALTUSERNAME, or use OpenSSL instead
 X509ALTUSERNAME_CONFIGURE_ENABLE=	x509-alt-username
 
 .ifdef (LOG_OPENVPN)
@@ -93,14 +77,6 @@ CFLAGS+=		-DLOG_OPENVPN=${LOG_OPENVPN}
 
 .include <bsd.port.options.mk>
 
-.if ${PORT_OPTIONS:MMBEDTLS}
-BROKEN_FreeBSD_14=      OpenVPN-mbedTLS fails on FreeBSD 14
-_tlslibs=libmbedtls libmbedx509 libmbedcrypto
-.else
-# OpenSSL
-_tlslibs=libssl libcrypto
-.endif
-
 .if ${PORT_OPTIONS:MLZO}
 IGNORE_SSL=libressl libressl-devel
 IGNORE_SSL_REASON=OpenVPN does not have permission to include LZO with LibreSSL. Compile against OpenSSL, or if your setups support it, disable LZO support
@@ -119,13 +95,6 @@ pre-everything::
 	@${SHELL} -c 'exit 1'
 .endif
 
-.if !empty(PORT_OPTIONS:MMBEDTLS) || !empty(PORT_OPTIONS:MTUNNELBLICK)
-pre-everything::
-	@${ECHO_CMD} >&2 "======================================================================"
-	@${ECHO_CMD} >&2 "Note that the mbedTLS and Tunnelblick options will go away 2022-03-31."
-	@${ECHO_CMD} >&2 "======================================================================"
-.endif
-
 post-patch:
 	${REINPLACE_CMD} -E -i '' -e 's/(user|group) nobody/\1 openvpn/' \
 		-e 's/"nobody"( after init)/"openvpn" \1/' \
@@ -159,6 +128,7 @@ post-configure:
 
 # sanity check that we don't inherit incompatible SSL libs through,
 # for instance, pkcs11-helper:
+_tlslibs=libssl libcrypto
 post-build:
 	@a=$$(LC_ALL=C ldd -f '%o\n' ${WRKSRC}/src/openvpn/openvpn \
 	|	${SORT} -u) ; set -- $$(for i in ${_tlslibs} ; do ${PRINTF} '%s\n' "$$a" | ${GREP} $${i}.so | wc -l ; done | ${SORT} -u) ;\
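Review bot: The new `_tlslibs=libssl libcrypto` assignment is placed between the "sanity check that we don't inherit incompatible SSL libs" comment and the `post-build:` target that comment describes, so the comment now reads as if it documents the variable rather than the check. Because make only expands `${_tlslibs}` when the recipe runs, the line can move above the comment (or next to the other `.include <bsd.port.options.mk>` follow-ups it was removed from in the earlier hunk) with its own one-line comment, e.g. `# libraries the openvpn binary must link exactly once (checked in post-build):`. With the mbedTLS branch gone the list is now a constant, which is fine; I would only note in the comment what "incompatible" now means in practice (presumably a second libssl/libcrypto pulled in through pkcs11-helper, as the comment hints — worth confirming). The post-build recipe continues past the end of this hunk.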
diff --git a/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch b/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch
deleted file mode 100644
index bb00494137c0..000000000000
--- a/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch
+++ /dev/null
@@ -1,302 +0,0 @@
-This work allows obfuscation of the OpenVPN header to make it harder for
-layer 7 inspection to identify such traffic, which may come with blocking
-or recording actions in certain territories of the world.  This patch, in
-a nutshell, can increase privacy and range of communication for its users.
-
-The `scramble' option introduced hereby is off by default.
-
-The option's usage, history and controversy of the patch is explained in
-detail on the following wiki page:
-
-https://tunnelblick.net/cOpenvpn_xorpatch.html
-
-diff -u -r -x .DS_Store openvpn-2.5_beta1.old/src/openvpn/forward.c openvpn-2.5_beta1.new/src/openvpn/forward.c
---- openvpn-2.5_beta1.old/src/openvpn/forward.c	2020-08-16 11:57:15.000000000 -0400
-+++ openvpn-2.5_beta1.new/src/openvpn/forward.c	2020-08-16 11:57:15.000000000 -0400
-@@ -811,7 +811,10 @@
- 
-     status = link_socket_read(c->c2.link_socket,
-                               &c->c2.buf,
--                              &c->c2.from);
-+			                  &c->c2.from,
-+			                  c->options.ce.xormethod,
-+			                  c->options.ce.xormask,
-+			                  c->options.ce.xormasklen);
- 
-     if (socket_connection_reset(c->c2.link_socket, status))
-     {
-@@ -1621,7 +1624,10 @@
-                 /* Send packet */
-                 size = link_socket_write(c->c2.link_socket,
-                                          &c->c2.to_link,
--                                         to_addr);
-+                                         to_addr,
-+				                         c->options.ce.xormethod,
-+				                         c->options.ce.xormask,
-+				                         c->options.ce.xormasklen);
- 
-                 /* Undo effect of prepend */
-                 link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link);
-diff -u -r -x .DS_Store openvpn-2.5_rc3.old/src/openvpn/options.c openvpn-2.5_rc3.new/src/openvpn/options.c
---- openvpn-2.5_rc3.old/src/openvpn/options.c	2020-10-19 13:38:17.000000000 -0400
-+++ openvpn-2.5_rc3.new/src/openvpn/options.c	2020-10-19 13:38:17.000000000 -0400
-@@ -821,6 +821,9 @@
-     o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
-     o->resolve_in_advance = false;
-     o->proto_force = -1;
-+    o->ce.xormethod = 0;
-+    o->ce.xormask = "\0";
-+    o->ce.xormasklen = 0;
-     o->occ = true;
- #ifdef ENABLE_MANAGEMENT
-     o->management_log_history_cache = 250;
-@@ -973,6 +976,9 @@
-     setenv_str_i(es, "local_port", e->local_port, i);
-     setenv_str_i(es, "remote", e->remote, i);
-     setenv_str_i(es, "remote_port", e->remote_port, i);
-+    setenv_int_i(es, "xormethod", e->xormethod, i);
-+    setenv_str_i(es, "xormask", e->xormask, i);
-+    setenv_int_i(es, "xormasklen", e->xormasklen, i);
- 
-     if (e->http_proxy_options)
-     {
-@@ -1452,6 +1458,9 @@
-     SHOW_BOOL(bind_ipv6_only);
-     SHOW_INT(connect_retry_seconds);
-     SHOW_INT(connect_timeout);
-+    SHOW_INT (xormethod);
-+    SHOW_STR (xormask);
-+    SHOW_INT (xormasklen);
- 
-     if (o->http_proxy_options)
-     {
-@@ -6260,6 +6269,46 @@
-         }
-         options->proto_force = proto_force;
-     }
-+    else if (streq (p[0], "scramble") && p[1])
-+    {
-+        VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
-+        if (streq (p[1], "xormask") && p[2] && (!p[3]))
-+        {
-+            options->ce.xormethod = 1;
-+            options->ce.xormask = p[2];
-+            options->ce.xormasklen = strlen(options->ce.xormask);
-+        }
-+        else if (streq (p[1], "xorptrpos") && (!p[2]))
-+        {
-+            options->ce.xormethod = 2;
-+            options->ce.xormask = NULL;
-+            options->ce.xormasklen = 0;
-+        }
-+        else if (streq (p[1], "reverse") && (!p[2]))
-+        {
-+            options->ce.xormethod = 3;
-+            options->ce.xormask = NULL;
-+            options->ce.xormasklen = 0;
-+        }
-+        else if (streq (p[1], "obfuscate") && p[2] && (!p[3]))
-+        {
-+            options->ce.xormethod = 4;
-+            options->ce.xormask = p[2];
-+            options->ce.xormasklen = strlen(options->ce.xormask);
-+        }
-+        else if (!p[2])
-+        {
-+            msg (M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]);
-+            options->ce.xormethod = 1;
-+            options->ce.xormask = p[1];
-+            options->ce.xormasklen = strlen(options->ce.xormask);
-+        }
-+        else
-+        {
-+            msg (msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'");
-+            goto err;
-+        }
-+    }
-     else if (streq(p[0], "http-proxy") && p[1] && !p[5])
-     {
-         struct http_proxy_options *ho;
-diff -u -r -x .DS_Store openvpn-2.5_git_57d6f10.old/src/openvpn/options.h openvpn-2.5_git_57d6f10.new/src/openvpn/options.h
---- openvpn-2.5_git_57d6f10.old/src/openvpn/options.h	2018-07-28 06:02:27.000000000 -0400
-+++ openvpn-2.5_git_57d6f10.new/src/openvpn/options.h	2018-07-28 06:02:27.000000000 -0400
-@@ -99,6 +99,9 @@
-     int connect_retry_seconds;
-     int connect_retry_seconds_max;
-     int connect_timeout;
-+    int xormethod;
-+    const char *xormask;
-+    int xormasklen;
-     struct http_proxy_options *http_proxy_options;
-     const char *socks_proxy_server;
-     const char *socks_proxy_port;
---- openvpn-2.5_git_974513e/src/openvpn/socket.c	2017-08-17 11:27:23.000000000 -0400
-+++ openvpn-2.5_git_974513e_patched/src/openvpn/socket.c	2017-08-18 18:37:11.000000000 -0400
-@@ -54,6 +54,56 @@
-     IPv6_TCP_HEADER_SIZE,
- };
-
-+int buffer_mask(struct buffer *buf, const char *mask, int xormasklen)
-+{
-+    int i;
-+    uint8_t *b;
-+    if (  xormasklen > 0  ) {
-+        for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
-+            *b = *b ^ mask[i % xormasklen];
-+        }
-+    }
-+    return BLEN (buf);
-+}
-+
-+int buffer_xorptrpos(struct buffer *buf)
-+{
-+    int i;
-+    uint8_t *b;
-+    for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
-+        *b = *b ^ i+1;
-+    }
-+    return BLEN (buf);
-+}
-+
-+int buffer_reverse(struct buffer *buf)
-+{
-+/* This function has been rewritten for Tunnelblick. The buffer_reverse function at
-+ * https://github.com/clayface/openvpn_xorpatch
-+ * makes a copy of the buffer and it writes to the byte **after** the
-+ * buffer contents, so if the buffer is full then it writes outside of the buffer.
-+ * This rewritten version does neither.
-+ *
-+ * For interoperability, this rewritten version preserves the behavior of the original
-+ * function: it does not modify the first character of the buffer. So it does not
-+ * actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'.
-+ * (Of course, the actual buffer contents are bytes, and not necessarily characters.)
-+ */
-+    int len = BLEN(buf);
-+    if (  len > 2  ) {                           /* Leave '', 'a', and 'ab' alone */
-+        int i;
-+        uint8_t *b_start = BPTR (buf) + 1;            /* point to first byte to swap */
-+        uint8_t *b_end   = BPTR (buf) + (len - 1); /* point to last byte to swap */
-+        uint8_t tmp;
-+        for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) {
-+            tmp = *b_start;
-+            *b_start = *b_end;
-+            *b_end = tmp;
-+        }
-+    }
-+    return len;
-+}
-+
- /*
-  * Convert sockflags/getaddr_flags into getaddr_flags
-  */
-diff -u -r -x .DS_Store openvpn-2.5_beta1.old/src/openvpn/socket.h openvpn-2.5_beta1.new/src/openvpn/socket.h
---- openvpn-2.5_beta1.old/src/openvpn/socket.h	2020-08-16 11:57:17.000000000 -0400
-+++ openvpn-2.5_beta1.new/src/openvpn/socket.h	2020-08-16 11:57:17.000000000 -0400
-@@ -249,6 +249,10 @@
- #endif
- };
- 
-+int buffer_mask(struct buffer *buf, const char *xormask, int xormasklen);
-+int buffer_xorptrpos(struct buffer *buf);
-+int buffer_reverse(struct buffer *buf);
-+
- /*
-  * Some Posix/Win32 differences.
-  */
-@@ -1049,30 +1053,56 @@
- static inline int
- link_socket_read(struct link_socket *sock,
-                  struct buffer *buf,
--                 struct link_socket_actual *from)
-+                 struct link_socket_actual *from,
-+                 int xormethod,
-+                 const char *xormask,
-+                 int xormasklen)
- {
-+    int res;
-     if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
-     {
--        int res;
- 
- #ifdef _WIN32
-         res = link_socket_read_udp_win32(sock, buf, from);
- #else
-         res = link_socket_read_udp_posix(sock, buf, from);
- #endif
--        return res;
-     }
-     else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */
-     {
-         /* from address was returned by accept */
-         addr_copy_sa(&from->dest, &sock->info.lsa->actual.dest);
--        return link_socket_read_tcp(sock, buf);
-+        res = link_socket_read_tcp(sock, buf);
-     }
-     else
-     {
-         ASSERT(0);
-         return -1; /* NOTREACHED */
-     }
-+    switch(xormethod)
-+    {
-+        case 0:
-+            break;
-+        case 1:
-+            buffer_mask(buf,xormask,xormasklen);
-+            break;
-+        case 2:
-+            buffer_xorptrpos(buf);
-+            break;
-+        case 3:
-+            buffer_reverse(buf);
-+            break;
-+        case 4:
-+            buffer_mask(buf,xormask,xormasklen);
-+            buffer_xorptrpos(buf);
-+            buffer_reverse(buf);
-+            buffer_xorptrpos(buf);
-+            break;
-+        default:
-+            ASSERT (0);
-+            return -1; /* NOTREACHED */
-+    }
-+    return res;
- }
- 
- /*
-@@ -1163,8 +1193,34 @@
- static inline int
- link_socket_write(struct link_socket *sock,
-                   struct buffer *buf,
--                  struct link_socket_actual *to)
-+                  struct link_socket_actual *to,
-+                  int xormethod,
-+                  const char *xormask,
-+                  int xormasklen)
- {
-+    switch(xormethod)
-+    {
-+        case 0:
-+            break;
-+        case 1:
-+            buffer_mask(buf,xormask,xormasklen);
-+            break;
-+        case 2:
-+            buffer_xorptrpos(buf);
-+            break;
-+        case 3:
-+            buffer_reverse(buf);
-+            break;
-+        case 4:
-+            buffer_xorptrpos(buf);
-+            buffer_reverse(buf);
-+            buffer_xorptrpos(buf);
-+            buffer_mask(buf,xormask,xormasklen);
-+            break;
-+        default:
-+            ASSERT (0);
-+            return -1; /* NOTREACHED */
-+    }
-     if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
-     {
-         return link_socket_write_udp(sock, buf, to);