svn commit: r402095 - in head/security/openvpn: . files
Matthias Andree
mandree at FreeBSD.org
Fri Nov 20 18:41:17 UTC 2015
Author: mandree
Date: Fri Nov 20 18:41:15 2015
New Revision: 402095
URL: https://svnweb.freebsd.org/changeset/ports/402095
Log:
Add optional extra patch for Tunnelblick obfuscation.
Adds a --scramble method to the executable but not documentation.
Requires careful review of implications before enabling, and has not
been accepted upstream. https://tunnelblick.net/cOpenvpn_xorpatch.html
PR: 200215
Submitted by: Franco Fichtner
Added:
head/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch (contents, props changed)
head/security/openvpn/pkg-help (contents, props changed)
Modified:
head/security/openvpn/Makefile
Modified: head/security/openvpn/Makefile
==============================================================================
--- head/security/openvpn/Makefile Fri Nov 20 17:12:27 2015 (r402094)
+++ head/security/openvpn/Makefile Fri Nov 20 18:41:15 2015 (r402095)
@@ -27,7 +27,8 @@ LDFLAGS+= -L${LOCALBASE}/lib
# set PLUGIN_LIBDIR so that unqualified plugin paths are found:
CPPFLAGS+= -DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\"
-OPTIONS_DEFINE= PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME
+OPTIONS_DEFINE= PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \
+ TUNNELBLICK
OPTIONS_DEFAULT= EASYRSA OPENSSL
OPTIONS_SINGLE= SSL
OPTIONS_SINGLE_SSL= OPENSSL POLARSSL
@@ -35,7 +36,8 @@ PW_SAVE_DESC= Interactive passwords may
PKCS11_DESC= Use security/pkcs11-helper
EASYRSA_DESC= Install security/easy-rsa RSA helper package
POLARSSL_DESC= SSL/TLS support via PolarSSL 1.2
-X509ALTUSERNAME_DESC= Enable --x509-username-field (only with OpenSSL)
+TUNNELBLICK_DESC= Tunnelblick XOR scramble patch (READ HELP!)
+X509ALTUSERNAME_DESC= Enable --x509-username-field (OpenSSL only)
EASYRSA_RUN_DEPENDS= easy-rsa>=0:${PORTSDIR}/security/easy-rsa
@@ -44,6 +46,8 @@ PKCS11_CONFIGURE_ENABLE= pkcs11
PW_SAVE_CONFIGURE_ENABLE= password-save
+TUNNELBLICK_EXTRA_PATCHES= ${FILESDIR}/extra-tunnelblick-openvpn_xorpatch
+
X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username
X509ALTUSERNAME_PREVENTS= POLARSSL
Added: head/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch Fri Nov 20 18:41:15 2015 (r402095)
@@ -0,0 +1,301 @@
+This work allows obfuscation of the OpenVPN header to make it harder for
+layer 7 inspection to identify such traffic, which may come with blocking
+or recording actions in certain territories of the world. This patch, in
+a nutshell, can increase privacy and range of communication for its users.
+
+The `scramble' option introduced hereby is off by default.
+
+The option's usage, history and controversy of the patch is explained in
+detail on the following wiki page:
+
+https://tunnelblick.net/cOpenvpn_xorpatch.html
+
+
+diff -u -r src/openvpn/forward.c src/openvpn/forward.c
+--- src/openvpn/forward.c 2014-11-29 10:00:35.000000000 -0500
++++ src/openvpn/forward.c 2015-04-07 22:38:20.000000000 -0400
+@@ -674,7 +674,10 @@
+ status = link_socket_read (c->c2.link_socket,
+ &c->c2.buf,
+ MAX_RW_SIZE_LINK (&c->c2.frame),
+- &c->c2.from);
++ &c->c2.from,
++ c->options.ce.xormethod,
++ c->options.ce.xormask,
++ c->options.ce.xormasklen);
+
+ if (socket_connection_reset (c->c2.link_socket, status))
+ {
+@@ -1150,7 +1153,10 @@
+ /* Send packet */
+ size = link_socket_write (c->c2.link_socket,
+ &c->c2.to_link,
+- to_addr);
++ to_addr,
++ c->options.ce.xormethod,
++ c->options.ce.xormask,
++ c->options.ce.xormasklen);
+
+ #ifdef ENABLE_SOCKS
+ /* Undo effect of prepend */
+diff -u -r src/openvpn/options.c src/openvpn/options.c
+--- src/openvpn/options.c 2014-11-29 10:00:35.000000000 -0500
++++ src/openvpn/options.c 2015-04-09 12:56:32.000000000 -0400
+@@ -785,6 +785,9 @@
+ o->max_routes = MAX_ROUTES_DEFAULT;
+ o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
+ o->proto_force = -1;
++ o->ce.xormethod = 0;
++ o->ce.xormask = "\0";
++ o->ce.xormasklen = 0;
+ #ifdef ENABLE_OCC
+ o->occ = true;
+ #endif
+@@ -903,6 +906,9 @@
+ setenv_int_i (es, "local_port", e->local_port, i);
+ setenv_str_i (es, "remote", e->remote, i);
+ setenv_int_i (es, "remote_port", e->remote_port, i);
++ setenv_int_i (es, "xormethod", e->xormethod, i);
++ setenv_str_i (es, "xormask", e->xormask, i);
++ setenv_int_i (es, "xormasklen", e->xormasklen, i);
+
+ #ifdef ENABLE_HTTP_PROXY
+ if (e->http_proxy_options)
+@@ -1348,6 +1354,9 @@
+ SHOW_INT (connect_retry_seconds);
+ SHOW_INT (connect_timeout);
+ SHOW_INT (connect_retry_max);
++ SHOW_INT (xormethod);
++ SHOW_STR (xormask);
++ SHOW_INT (xormasklen);
+
+ #ifdef ENABLE_HTTP_PROXY
+ if (o->http_proxy_options)
+@@ -5049,6 +5058,46 @@
+ options->proto_force = proto_force;
+ options->force_connection_list = true;
+ }
++ else if (streq (p[0], "scramble") && p[1])
++ {
++ VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
++ if (streq (p[1], "xormask") && p[2] && (!p[3]))
++ {
++ options->ce.xormethod = 1;
++ options->ce.xormask = p[2];
++ options->ce.xormasklen = strlen(options->ce.xormask);
++ }
++ else if (streq (p[1], "xorptrpos") && (!p[2]))
++ {
++ options->ce.xormethod = 2;
++ options->ce.xormask = NULL;
++ options->ce.xormasklen = 0;
++ }
++ else if (streq (p[1], "reverse") && (!p[2]))
++ {
++ options->ce.xormethod = 3;
++ options->ce.xormask = NULL;
++ options->ce.xormasklen = 0;
++ }
++ else if (streq (p[1], "obfuscate") && p[2] && (!p[3]))
++ {
++ options->ce.xormethod = 4;
++ options->ce.xormask = p[2];
++ options->ce.xormasklen = strlen(options->ce.xormask);
++ }
++ else if (!p[2])
++ {
++ msg (M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]);
++ options->ce.xormethod = 1;
++ options->ce.xormask = p[1];
++ options->ce.xormasklen = strlen(options->ce.xormask);
++ }
++ else
++ {
++ msg (msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'");
++ goto err;
++ }
++ }
+ #ifdef ENABLE_HTTP_PROXY
+ else if (streq (p[0], "http-proxy") && p[1])
+ {
+diff -u -r src/openvpn/options.h src/openvpn/options.h
+--- src/openvpn/options.h 2014-11-29 10:00:35.000000000 -0500
++++ src/openvpn/options.h 2015-04-07 22:38:20.000000000 -0400
+@@ -100,6 +100,9 @@
+ int connect_retry_max;
+ int connect_timeout;
+ bool connect_timeout_defined;
++ int xormethod;
++ const char *xormask;
++ int xormasklen;
+ #ifdef ENABLE_HTTP_PROXY
+ struct http_proxy_options *http_proxy_options;
+ #endif
+diff -u -r src/openvpn/socket.c src/openvpn/socket.c
+--- src/openvpn/socket.c 2014-11-29 10:00:35.000000000 -0500
++++ src/openvpn/socket.c 2015-04-09 08:48:01.000000000 -0400
+@@ -52,6 +52,53 @@
+ IPv6_TCP_HEADER_SIZE,
+ };
+
++int buffer_mask (struct buffer *buf, const char *mask, int xormasklen) {
++ int i;
++ uint8_t *b;
++ if ( xormasklen > 0 ) {
++ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
++ *b = *b ^ mask[i % xormasklen];
++ }
++ }
++ return BLEN (buf);
++}
++
++int buffer_xorptrpos (struct buffer *buf) {
++ int i;
++ uint8_t *b;
++ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
++ *b = *b ^ i+1;
++ }
++ return BLEN (buf);
++}
++
++int buffer_reverse (struct buffer *buf) {
++/* This function has been rewritten for Tunnelblick. The buffer_reverse function at
++ * https://github.com/clayface/openvpn_xorpatch
++ * makes a copy of the buffer and it writes to the byte **after** the
++ * buffer contents, so if the buffer is full then it writes outside of the buffer.
++ * This rewritten version does neither.
++ *
++ * For interoperability, this rewritten version preserves the behavior of the original
++ * function: it does not modify the first character of the buffer. So it does not
++ * actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'.
++ * (Of course, the actual buffer contents are bytes, and not necessarily characters.)
++ */
++ int len = BLEN(buf);
++ if ( len > 2 ) { /* Leave '', 'a', and 'ab' alone */
++ int i;
++ uint8_t *b_start = BPTR (buf) + 1; /* point to first byte to swap */
++ uint8_t *b_end = BPTR (buf) + (len - 1); /* point to last byte to swap */
++ uint8_t tmp;
++ for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) {
++ tmp = *b_start;
++ *b_start = *b_end;
++ *b_end = tmp;
++ }
++ }
++ return len;
++}
++
+ /*
+ * Convert sockflags/getaddr_flags into getaddr_flags
+ */
+diff -u -r src/openvpn/socket.h src/openvpn/socket.h
+--- src/openvpn/socket.h 2014-11-29 10:00:35.000000000 -0500
++++ src/openvpn/socket.h 2015-04-08 20:12:02.000000000 -0400
+@@ -250,6 +250,10 @@
+ #endif
+ };
+
++int buffer_mask (struct buffer *buf, const char *xormask, int xormasklen);
++int buffer_xorptrpos (struct buffer *buf);
++int buffer_reverse (struct buffer *buf);
++
+ /*
+ * Some Posix/Win32 differences.
+ */
+@@ -875,30 +879,56 @@
+ link_socket_read (struct link_socket *sock,
+ struct buffer *buf,
+ int maxsize,
+- struct link_socket_actual *from)
++ struct link_socket_actual *from,
++ int xormethod,
++ const char *xormask,
++ int xormasklen)
+ {
++ int res;
+ if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
+ {
+- int res;
+
+ #ifdef WIN32
+ res = link_socket_read_udp_win32 (sock, buf, from);
+ #else
+ res = link_socket_read_udp_posix (sock, buf, maxsize, from);
+ #endif
+- return res;
+ }
+ else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */
+ {
+ /* from address was returned by accept */
+ addr_copy_sa(&from->dest, &sock->info.lsa->actual.dest);
+- return link_socket_read_tcp (sock, buf);
++ res = link_socket_read_tcp (sock, buf);
+ }
+ else
+ {
+ ASSERT (0);
+ return -1; /* NOTREACHED */
+ }
++ switch(xormethod)
++ {
++ case 0:
++ break;
++ case 1:
++ buffer_mask(buf,xormask,xormasklen);
++ break;
++ case 2:
++ buffer_xorptrpos(buf);
++ break;
++ case 3:
++ buffer_reverse(buf);
++ break;
++ case 4:
++ buffer_mask(buf,xormask,xormasklen);
++ buffer_xorptrpos(buf);
++ buffer_reverse(buf);
++ buffer_xorptrpos(buf);
++ break;
++ default:
++ ASSERT (0);
++ return -1; /* NOTREACHED */
++ }
++ return res;
+ }
+
+ /*
+@@ -982,8 +1012,34 @@
+ static inline int
+ link_socket_write (struct link_socket *sock,
+ struct buffer *buf,
+- struct link_socket_actual *to)
++ struct link_socket_actual *to,
++ int xormethod,
++ const char *xormask,
++ int xormasklen)
+ {
++ switch(xormethod)
++ {
++ case 0:
++ break;
++ case 1:
++ buffer_mask(buf,xormask,xormasklen);
++ break;
++ case 2:
++ buffer_xorptrpos(buf);
++ break;
++ case 3:
++ buffer_reverse(buf);
++ break;
++ case 4:
++ buffer_xorptrpos(buf);
++ buffer_reverse(buf);
++ buffer_xorptrpos(buf);
++ buffer_mask(buf,xormask,xormasklen);
++ break;
++ default:
++ ASSERT (0);
++ return -1; /* NOTREACHED */
++ }
+ if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
+ {
+ return link_socket_write_udp (sock, buf, to);
Added: head/security/openvpn/pkg-help
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/openvpn/pkg-help Fri Nov 20 18:41:15 2015 (r402095)
@@ -0,0 +1,10 @@
+Note that "Tunnelblick" is a controversial option.
+It is included for compatibility, not enabled by default,
+and should only be used with due consideration, and it should not
+replace proper cryptography use in OpenVPN.
+
+Note that this patch does NOT add documentation for the new --scramble
+option, neither to the --help output, nor the manual page.
+
+Please see this website for a more detailed discussion:
+https://tunnelblick.net/cOpenvpn_xorpatch.html
More information about the svn-ports-all
mailing list