D8813.1775548528.diff
Size
33 KB
Index: Makefile
===================================================================
--- Makefile
+++ Makefile
@@ -436,7 +436,9 @@
SUBDIR += openvpn-auth-ldap
SUBDIR += openvpn-auth-radius
SUBDIR += openvpn-devel
- SUBDIR += openvpn-polarssl
+ SUBDIR += openvpn-mbedtls
+ SUBDIR += openvpn23
+ SUBDIR += openvpn23-polarssl
SUBDIR += ophcrack
SUBDIR += orthrus
SUBDIR += osiris
Index: openvpn-mbedtls/Makefile
===================================================================
--- openvpn-mbedtls/Makefile
+++ openvpn-mbedtls/Makefile
@@ -0,0 +1,13 @@
+# Created by: Matthias Andree <mandree@FreeBSD.org>
+# $FreeBSD$
+
+PKGNAMESUFFIX= -mbedtls
+
+COMMENT= Secure IP/Ethernet tunnel daemon, mbedTLS-based build
+
+OPTIONS_EXCLUDE= OPENSSL PKCS11 X509ALTUSERNAME
+OPTIONS_SLAVE= MBEDTLS
+
+MASTERDIR= ${.CURDIR}/../../security/openvpn
+
+.include "${MASTERDIR}/Makefile"
Index: openvpn-polarssl/Makefile
===================================================================
--- openvpn-polarssl/Makefile
+++ openvpn-polarssl/Makefile
@@ -1,13 +0,0 @@
-# Created by: Matthias Andree <mandree@FreeBSD.org>
-# $FreeBSD$
-
-PKGNAMESUFFIX= -polarssl
-
-COMMENT= Secure IP/Ethernet tunnel daemon, PolarSSL-based build
-
-OPTIONS_EXCLUDE= OPENSSL PKCS11 X509ALTUSERNAME
-OPTIONS_SLAVE= POLARSSL
-
-MASTERDIR= ${.CURDIR}/../../security/openvpn
-
-.include "${MASTERDIR}/Makefile"
Index: openvpn/Makefile
===================================================================
--- openvpn/Makefile
+++ openvpn/Makefile
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= openvpn
-DISTVERSION= 2.3.14
+DISTVERSION= 2.4_rc2
CATEGORIES= security net
MASTER_SITES= http://swupdate.openvpn.net/community/releases/ \
http://build.openvpn.net/downloads/releases/
@@ -12,7 +12,7 @@
LICENSE= GPLv2
-CONFLICTS_INSTALL= openvpn-2.[!3].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]*
+CONFLICTS_INSTALL= openvpn-2.[!4].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]*
GNU_CONFIGURE= yes
USES= cpe libtool pkgconfig shebangfix tar:xz
@@ -19,7 +19,8 @@
SHEBANG_FILES= sample/sample-scripts/verify-cn \
sample/sample-scripts/auth-pam.pl \
sample/sample-scripts/ucn.pl
-# avoid picking up CMAKE, we don't have cmocka anyways.
+CONFIGURE_ARGS+= --enable-strict
+# avoid picking up CMAKE, we don't have cmocka in the tarballs..
CONFIGURE_ENV+= ac_cv_prog_CMAKE= CMAKE=
# let OpenVPN's configure script pick up the requisite libraries,
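Review bot: `CONFIGURE_ARGS+= --enable-strict` lands here with no comment saying why it is on; upstream's configure help describes that switch as enabling strict compiler warnings as a debugging option, so either add a one-line comment that the extra warnings are wanted for this 2.4 preview, or drop it before the port is committed so release builds are not configured differently from upstream's default. Minor: the rewritten comment now ends `in the tarballs..` with a doubled period.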
@@ -31,17 +32,16 @@
CPPFLAGS+= -DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\"
OPTIONS_DEFINE= PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \
- TUNNELBLICK TEST
-OPTIONS_DEFAULT= EASYRSA OPENSSL TEST
+ TEST LZ4 SMALL # TUNNELBLICK
+OPTIONS_DEFAULT= EASYRSA OPENSSL TEST LZ4
OPTIONS_SINGLE= SSL
-OPTIONS_SINGLE_SSL= OPENSSL POLARSSL
-# The following feature is always enabled since 2.3.9 and no longer optional.
-# PW_SAVE_DESC= Interactive passwords may be read from a file
+OPTIONS_SINGLE_SSL= OPENSSL MBEDTLS
PKCS11_DESC= Use security/pkcs11-helper
EASYRSA_DESC= Install security/easy-rsa RSA helper package
-POLARSSL_DESC= SSL/TLS via mbedTLS 1.3.X (not 2.x)
+MBEDTLS_DESC= SSL/TLS via mbedTLS
TUNNELBLICK_DESC= Tunnelblick XOR scramble patch (READ HELP!)
X509ALTUSERNAME_DESC= Enable --x509-username-field (OpenSSL only)
+SMALL_DESC= Build a smaller executable with fewer features
EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa
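Review bot: TUNNELBLICK is parked by commenting it out inside the OPTIONS_DEFINE continuation (`TEST LZ4 SMALL # TUNNELBLICK`), but `TUNNELBLICK_DESC= Tunnelblick XOR scramble patch (READ HELP!)` is kept, so the port now carries a description (and, further down, an extra-patch knob) for an option nobody can select. Either remove the description together with the 2.4 copy of the xorpatch, or put the reason into a real comment line above OPTIONS_DEFINE (for example that the patch has not been rebased onto 2.4 and lives only in openvpn23 for now), so the next maintainer does not have to guess whether the option is gone or merely disabled. Relying on the framework's default LZ4_DESC is fine; SMALL gets its own description, which is good since `--enable-small` removes features rather than only shrinking the binary.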
@@ -52,18 +52,19 @@
X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username
-X509ALTUSERNAME_PREVENTS= POLARSSL
-X509ALTUSERNAME_PREVENTS_MSG= OpenVPN ${DISTVERSION} cannot use --x509-username-field with PolarSSL. Disable X509ALTUSERNAME, or use OpenSSL instead
+X509ALTUSERNAME_PREVENTS= MBEDTLS
+X509ALTUSERNAME_PREVENTS_MSG= OpenVPN ${DISTVERSION} cannot use --x509-username-field with mbedTLS. Disable X509ALTUSERNAME, or use OpenSSL instead
OPENSSL_USES= ssl
OPENSSL_CONFIGURE_ON= --with-crypto-library=openssl
-# Pin the libmbedtls version because the 2.3.x port can't work with .so.10 or
-# newer from the security/mbedtls package. Upstream works in progress
-# for OpenVPN 2.4 to use mbedTLS 2.X.
-POLARSSL_LIB_DEPENDS= libmbedtls.so.9:security/polarssl13
-POLARSSL_CONFIGURE_ON= --with-crypto-library=polarssl
+LZ4_CONFIGURE_OFF= --disable-lz4
+SMALL_CONFIGURE_ON= --enable-small
+
+MBEDTLS_LIB_DEPENDS= libmbedtls.so:security/mbedtls
+MBEDTLS_CONFIGURE_ON= --with-crypto-library=mbedtls
+
USE_RC_SUBR= openvpn
USE_LDCONFIG= ${PREFIX}/lib
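Review bot: `LZ4_CONFIGURE_OFF= --disable-lz4` only handles the disabled case; `LZ4_CONFIGURE_ENABLE= lz4` would generate both `--enable-lz4` and `--disable-lz4`, so that an enabled build asks configure for LZ4 explicitly instead of depending on autodetection of the library that the later LIB_DEPENDS hunk pulls in. The three-line comment explaining the pinned `libmbedtls.so.9` is deleted without a replacement; a single comment line noting that 2.4 builds against mbedTLS 2.x from security/mbedtls (hence the unversioned `libmbedtls.so`) would keep that history visible next to `MBEDTLS_LIB_DEPENDS`.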
@@ -75,6 +76,8 @@
LIB_DEPENDS+= liblzo2.so:archivers/lzo2
+LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4
+
PORTDOCS= *
PORTEXAMPLES= *
Index: openvpn/distinfo
===================================================================
--- openvpn/distinfo
+++ openvpn/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1481159357
-SHA256 (openvpn-2.3.14.tar.xz) = f3a0d0eaf8d544409f76a9f2a238a0cd3dde9e1a9c1f98ac732a8b572bcdee98
-SIZE (openvpn-2.3.14.tar.xz) = 831404
+TIMESTAMP = 1481917748
+SHA256 (openvpn-2.4_rc2.tar.xz) = 3e5dbfda2c1c941bc61e5e067601b31f578ad4cdf3683e569014e18c2cc6e2e9
+SIZE (openvpn-2.4_rc2.tar.xz) = 926832
Index: openvpn/pkg-plist
===================================================================
--- openvpn/pkg-plist
+++ openvpn/pkg-plist
@@ -1,4 +1,5 @@
include/openvpn-plugin.h
+include/openvpn-msg.h
lib/openvpn/plugins/openvpn-plugin-auth-pam.so
lib/openvpn/plugins/openvpn-plugin-down-root.so
man/man8/openvpn.8.gz
Index: openvpn23-polarssl/Makefile
===================================================================
--- openvpn23-polarssl/Makefile
+++ openvpn23-polarssl/Makefile
@@ -0,0 +1,13 @@
+# Created by: Matthias Andree <mandree@FreeBSD.org>
+# $FreeBSD$
+
+PKGNAMESUFFIX= -polarssl
+
+COMMENT= Secure IP/Ethernet tunnel daemon, PolarSSL-based build
+
+OPTIONS_EXCLUDE= OPENSSL PKCS11 X509ALTUSERNAME
+OPTIONS_SLAVE= POLARSSL
+
+MASTERDIR= ${.CURDIR}/../../security/openvpn23
+
+.include "${MASTERDIR}/Makefile"
Index: openvpn23/Makefile
===================================================================
--- openvpn23/Makefile
+++ openvpn23/Makefile
@@ -0,0 +1,129 @@
+# Created by: Matthias Andree <mandree@FreeBSD.org>
+# $FreeBSD$
+
+PORTNAME= openvpn
+DISTVERSION= 2.3.14
+CATEGORIES= security net
+MASTER_SITES= http://swupdate.openvpn.net/community/releases/ \
+ http://build.openvpn.net/downloads/releases/
+
+MAINTAINER= mandree@FreeBSD.org
+COMMENT?= Secure IP/Ethernet tunnel daemon
+
+DEPRECATED= Replaced by new upstream relesae 2.4.x
+EXPIRATION_DATE= 2017-03-31
+
+LICENSE= GPLv2
+
+CONFLICTS_INSTALL= openvpn-2.[!3].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]*
+
+GNU_CONFIGURE= yes
+USES= cpe libtool pkgconfig shebangfix tar:xz
+SHEBANG_FILES= sample/sample-scripts/verify-cn \
+ sample/sample-scripts/auth-pam.pl \
+ sample/sample-scripts/ucn.pl
+# avoid picking up CMAKE, we don't have cmocka anyways.
+CONFIGURE_ENV+= ac_cv_prog_CMAKE= CMAKE=
+
+# let OpenVPN's configure script pick up the requisite libraries,
+# but do not break the plugin build if an older version is installed
+CPPFLAGS+= -I${WRKSRC}/include -I${LOCALBASE}/include
+LDFLAGS+= -L${LOCALBASE}/lib
+
+# set PLUGIN_LIBDIR so that unqualified plugin paths are found:
+CPPFLAGS+= -DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\"
+
+OPTIONS_DEFINE= PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \
+ TUNNELBLICK TEST
+OPTIONS_DEFAULT= EASYRSA OPENSSL TEST
+OPTIONS_SINGLE= SSL
+OPTIONS_SINGLE_SSL= OPENSSL POLARSSL
+# The following feature is always enabled since 2.3.9 and no longer optional.
+# PW_SAVE_DESC= Interactive passwords may be read from a file
+PKCS11_DESC= Use security/pkcs11-helper
+EASYRSA_DESC= Install security/easy-rsa RSA helper package
+POLARSSL_DESC= SSL/TLS via mbedTLS 1.3.X (not 2.x)
+TUNNELBLICK_DESC= Tunnelblick XOR scramble patch (READ HELP!)
+X509ALTUSERNAME_DESC= Enable --x509-username-field (OpenSSL only)
+
+EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa
+
+PKCS11_LIB_DEPENDS= libpkcs11-helper.so:security/pkcs11-helper
+PKCS11_CONFIGURE_ENABLE= pkcs11
+
+TUNNELBLICK_EXTRA_PATCHES= ${FILESDIR}/extra-tunnelblick-openvpn_xorpatch
+
+X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username
+
+X509ALTUSERNAME_PREVENTS= POLARSSL
+X509ALTUSERNAME_PREVENTS_MSG= OpenVPN ${DISTVERSION} cannot use --x509-username-field with PolarSSL. Disable X509ALTUSERNAME, or use OpenSSL instead
+
+OPENSSL_USES= ssl
+OPENSSL_CONFIGURE_ON= --with-crypto-library=openssl
+
+# Pin the libmbedtls version because the 2.3.x port can't work with .so.10 or
+# newer from the security/mbedtls package. Upstream works in progress
+# for OpenVPN 2.4 to use mbedTLS 2.X.
+POLARSSL_LIB_DEPENDS= libmbedtls.so.9:security/polarssl13
+POLARSSL_CONFIGURE_ON= --with-crypto-library=polarssl
+
+USE_RC_SUBR= openvpn
+USE_LDCONFIG= ${PREFIX}/lib
+
+SUB_FILES= pkg-message openvpn-client
+
+.ifdef (LOG_OPENVPN)
+CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN}
+.endif
+
+LIB_DEPENDS+= liblzo2.so:archivers/lzo2
+
+PORTDOCS= *
+PORTEXAMPLES= *
+
+TEST_ALL_TARGET= check
+TEST_TEST_TARGET_OFF= check
+
+# XXX Please remove this compatibility wrapper after 2017Q2 is branched.
+.ifdef(WITHOUT_CHECK)
+WARNING+= "${.CURDIR}: WITHOUT_CHECK is deprecated, please use WITHOUT=TEST or OPTIONS_UNSET=TEST."
+WITHOUT+= TEST
+.endif
+
+pre-configure:
+.ifdef (LOG_OPENVPN)
+ @${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}"
+.else
+ @${ECHO} ""
+ @${ECHO} "You may use the following build options:"
+ @${ECHO} ""
+ @${ECHO} " LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}"
+ @${ECHO} " EXAMPLE: make LOG_OPENVPN=LOG_LOCAL6"
+ @${ECHO} ""
+.endif
+
+post-configure:
+ ${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \
+ ${WRKSRC}/src/plugins/auth-pam/Makefile \
+ ${WRKSRC}/src/plugins/down-root/Makefile
+
+post-install:
+ ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
+ ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so
+ ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
+ ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down
+ @${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
+ ${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client
+ ${MKDIR} ${STAGEDIR}${PREFIX}/include
+
+post-install-DOCS-on:
+ ${MKDIR} ${STAGEDIR}${DOCSDIR}/
+.for i in AUTHORS ChangeLog PORTS
+ ${INSTALL_MAN} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/
+.endfor
+
+post-install-EXAMPLES-on:
+ (cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/)
+ ${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/*
+
+.include <bsd.port.mk>
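Review bot: this port sets `PORTNAME= openvpn` with no PKGNAMESUFFIX, so security/openvpn23 and security/openvpn both produce a package called `openvpn`; package names must be unique across the tree, and two origins with the same package name break package repositories and `pkg` upgrades. Give it a suffix, for example `PKGNAMESUFFIX?= 23` (the `?=` lets the -polarssl slave keep its own `-polarssl` suffix), and then re-check the `CONFLICTS_INSTALL` patterns in both ports against the new names. Two smaller points in the same hunk: `DEPRECATED= Replaced by new upstream relesae 2.4.x` has a typo (release), and the `WITHOUT_CHECK` compatibility wrapper with its "remove after 2017Q2 is branched" reminder is copied into a port whose `EXPIRATION_DATE= 2017-03-31` falls before that branch, so the wrapper can simply be left out of the copy.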
Index: openvpn23/distinfo
===================================================================
--- openvpn23/distinfo
+++ openvpn23/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1481159357
+SHA256 (openvpn-2.3.14.tar.xz) = f3a0d0eaf8d544409f76a9f2a238a0cd3dde9e1a9c1f98ac732a8b572bcdee98
+SIZE (openvpn-2.3.14.tar.xz) = 831404
Index: openvpn23/files/extra-tunnelblick-openvpn_xorpatch
===================================================================
--- openvpn23/files/extra-tunnelblick-openvpn_xorpatch
+++ openvpn23/files/extra-tunnelblick-openvpn_xorpatch
@@ -0,0 +1,296 @@
+This work allows obfuscation of the OpenVPN header to make it harder for
+layer 7 inspection to identify such traffic, which may come with blocking
+or recording actions in certain territories of the world. This patch, in
+a nutshell, can increase privacy and range of communication for its users.
+
+The `scramble' option introduced hereby is off by default.
+
+The option's usage, history and controversy of the patch is explained in
+detail on the following wiki page:
+
+https://tunnelblick.net/cOpenvpn_xorpatch.html
+
+
+--- src/openvpn/forward.c.orig 2016-08-23 14:16:28 UTC
++++ src/openvpn/forward.c
+@@ -674,7 +674,10 @@ read_incoming_link (struct context *c)
+
+ status = link_socket_read (c->c2.link_socket,
+ &c->c2.buf,
+- &c->c2.from);
++ &c->c2.from,
++ c->options.ce.xormethod,
++ c->options.ce.xormask,
++ c->options.ce.xormasklen);
+
+ if (socket_connection_reset (c->c2.link_socket, status))
+ {
+@@ -1151,7 +1154,10 @@ process_outgoing_link (struct context *c
+ /* Send packet */
+ size = link_socket_write (c->c2.link_socket,
+ &c->c2.to_link,
+- to_addr);
++ to_addr,
++ c->options.ce.xormethod,
++ c->options.ce.xormask,
++ c->options.ce.xormasklen);
+
+ #ifdef ENABLE_SOCKS
+ /* Undo effect of prepend */
+--- src/openvpn/options.c.orig 2016-08-23 14:16:22 UTC
++++ src/openvpn/options.c
+@@ -792,6 +792,9 @@ init_options (struct options *o, const b
+ o->max_routes = MAX_ROUTES_DEFAULT;
+ o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
+ o->proto_force = -1;
++ o->ce.xormethod = 0;
++ o->ce.xormask = "\0";
++ o->ce.xormasklen = 0;
+ #ifdef ENABLE_OCC
+ o->occ = true;
+ #endif
+@@ -907,6 +910,9 @@ setenv_connection_entry (struct env_set
+ setenv_int_i (es, "local_port", e->local_port, i);
+ setenv_str_i (es, "remote", e->remote, i);
+ setenv_int_i (es, "remote_port", e->remote_port, i);
++ setenv_int_i (es, "xormethod", e->xormethod, i);
++ setenv_str_i (es, "xormask", e->xormask, i);
++ setenv_int_i (es, "xormasklen", e->xormasklen, i);
+
+ #ifdef ENABLE_HTTP_PROXY
+ if (e->http_proxy_options)
+@@ -1366,6 +1372,9 @@ show_connection_entry (const struct conn
+ SHOW_INT (connect_retry_seconds);
+ SHOW_INT (connect_timeout);
+ SHOW_INT (connect_retry_max);
++ SHOW_INT (xormethod);
++ SHOW_STR (xormask);
++ SHOW_INT (xormasklen);
+
+ #ifdef ENABLE_HTTP_PROXY
+ if (o->http_proxy_options)
+@@ -5131,6 +5140,46 @@ add_option (struct options *options,
+ options->proto_force = proto_force;
+ options->force_connection_list = true;
+ }
++ else if (streq (p[0], "scramble") && p[1])
++ {
++ VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
++ if (streq (p[1], "xormask") && p[2] && (!p[3]))
++ {
++ options->ce.xormethod = 1;
++ options->ce.xormask = p[2];
++ options->ce.xormasklen = strlen(options->ce.xormask);
++ }
++ else if (streq (p[1], "xorptrpos") && (!p[2]))
++ {
++ options->ce.xormethod = 2;
++ options->ce.xormask = NULL;
++ options->ce.xormasklen = 0;
++ }
++ else if (streq (p[1], "reverse") && (!p[2]))
++ {
++ options->ce.xormethod = 3;
++ options->ce.xormask = NULL;
++ options->ce.xormasklen = 0;
++ }
++ else if (streq (p[1], "obfuscate") && p[2] && (!p[3]))
++ {
++ options->ce.xormethod = 4;
++ options->ce.xormask = p[2];
++ options->ce.xormasklen = strlen(options->ce.xormask);
++ }
++ else if (!p[2])
++ {
++ msg (M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]);
++ options->ce.xormethod = 1;
++ options->ce.xormask = p[1];
++ options->ce.xormasklen = strlen(options->ce.xormask);
++ }
++ else
++ {
++ msg (msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'");
++ goto err;
++ }
++ }
+ #ifdef ENABLE_HTTP_PROXY
+ else if (streq (p[0], "http-proxy") && p[1])
+ {
+--- src/openvpn/options.h.orig 2016-08-23 14:16:22 UTC
++++ src/openvpn/options.h
+@@ -100,6 +100,9 @@ struct connection_entry
+ int connect_retry_max;
+ int connect_timeout;
+ bool connect_timeout_defined;
++ int xormethod;
++ const char *xormask;
++ int xormasklen;
+ #ifdef ENABLE_HTTP_PROXY
+ struct http_proxy_options *http_proxy_options;
+ #endif
+--- src/openvpn/socket.c.orig 2016-08-23 14:16:22 UTC
++++ src/openvpn/socket.c
+@@ -52,6 +52,53 @@ const int proto_overhead[] = { /* indexe
+ IPv6_TCP_HEADER_SIZE,
+ };
+
++int buffer_mask (struct buffer *buf, const char *mask, int xormasklen) {
++ int i;
++ uint8_t *b;
++ if ( xormasklen > 0 ) {
++ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
++ *b = *b ^ mask[i % xormasklen];
++ }
++ }
++ return BLEN (buf);
++}
++
++int buffer_xorptrpos (struct buffer *buf) {
++ int i;
++ uint8_t *b;
++ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
++ *b = *b ^ i+1;
++ }
++ return BLEN (buf);
++}
++
++int buffer_reverse (struct buffer *buf) {
++/* This function has been rewritten for Tunnelblick. The buffer_reverse function at
++ * https://github.com/clayface/openvpn_xorpatch
++ * makes a copy of the buffer and it writes to the byte **after** the
++ * buffer contents, so if the buffer is full then it writes outside of the buffer.
++ * This rewritten version does neither.
++ *
++ * For interoperability, this rewritten version preserves the behavior of the original
++ * function: it does not modify the first character of the buffer. So it does not
++ * actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'.
++ * (Of course, the actual buffer contents are bytes, and not necessarily characters.)
++ */
++ int len = BLEN(buf);
++ if ( len > 2 ) { /* Leave '', 'a', and 'ab' alone */
++ int i;
++ uint8_t *b_start = BPTR (buf) + 1; /* point to first byte to swap */
++ uint8_t *b_end = BPTR (buf) + (len - 1); /* point to last byte to swap */
++ uint8_t tmp;
++ for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) {
++ tmp = *b_start;
++ *b_start = *b_end;
++ *b_end = tmp;
++ }
++ }
++ return len;
++}
++
+ /*
+ * Convert sockflags/getaddr_flags into getaddr_flags
+ */
+--- src/openvpn/socket.h.orig 2016-08-23 14:16:22 UTC
++++ src/openvpn/socket.h
+@@ -245,6 +245,10 @@ struct link_socket
+ #endif
+ };
+
++int buffer_mask (struct buffer *buf, const char *xormask, int xormasklen);
++int buffer_xorptrpos (struct buffer *buf);
++int buffer_reverse (struct buffer *buf);
++
+ /*
+ * Some Posix/Win32 differences.
+ */
+@@ -873,30 +877,56 @@ int link_socket_read_udp_posix (struct l
+ static inline int
+ link_socket_read (struct link_socket *sock,
+ struct buffer *buf,
+- struct link_socket_actual *from)
++ struct link_socket_actual *from,
++ int xormethod,
++ const char *xormask,
++ int xormasklen)
+ {
++ int res;
+ if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
+ {
+- int res;
+
+ #ifdef WIN32
+ res = link_socket_read_udp_win32 (sock, buf, from);
+ #else
+ res = link_socket_read_udp_posix (sock, buf, from);
+ #endif
+- return res;
+ }
+ else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */
+ {
+ /* from address was returned by accept */
+ addr_copy_sa(&from->dest, &sock->info.lsa->actual.dest);
+- return link_socket_read_tcp (sock, buf);
++ res = link_socket_read_tcp (sock, buf);
+ }
+ else
+ {
+ ASSERT (0);
+ return -1; /* NOTREACHED */
+ }
++ switch(xormethod)
++ {
++ case 0:
++ break;
++ case 1:
++ buffer_mask(buf,xormask,xormasklen);
++ break;
++ case 2:
++ buffer_xorptrpos(buf);
++ break;
++ case 3:
++ buffer_reverse(buf);
++ break;
++ case 4:
++ buffer_mask(buf,xormask,xormasklen);
++ buffer_xorptrpos(buf);
++ buffer_reverse(buf);
++ buffer_xorptrpos(buf);
++ break;
++ default:
++ ASSERT (0);
++ return -1; /* NOTREACHED */
++ }
++ return res;
+ }
+
+ /*
+@@ -980,8 +1010,34 @@ link_socket_write_udp (struct link_socke
+ static inline int
+ link_socket_write (struct link_socket *sock,
+ struct buffer *buf,
+- struct link_socket_actual *to)
++ struct link_socket_actual *to,
++ int xormethod,
++ const char *xormask,
++ int xormasklen)
+ {
++ switch(xormethod)
++ {
++ case 0:
++ break;
++ case 1:
++ buffer_mask(buf,xormask,xormasklen);
++ break;
++ case 2:
++ buffer_xorptrpos(buf);
++ break;
++ case 3:
++ buffer_reverse(buf);
++ break;
++ case 4:
++ buffer_xorptrpos(buf);
++ buffer_reverse(buf);
++ buffer_xorptrpos(buf);
++ buffer_mask(buf,xormask,xormasklen);
++ break;
++ default:
++ ASSERT (0);
++ return -1; /* NOTREACHED */
++ }
+ if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
+ {
+ return link_socket_write_udp (sock, buf, to);
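Review bot: in `buffer_xorptrpos`, `*b = *b ^ i+1;` depends on `+` binding tighter than `^`; it does evaluate as `*b ^ (i + 1)`, which is what the function name implies, but write the parentheses so the next rebase of this patch does not misread it as `(*b ^ i) + 1`. The `case 4` orderings are consistent: the write side applies xorptrpos, reverse, xorptrpos, mask and the read side applies mask, xorptrpos, reverse, xorptrpos, and since each of the three transforms is its own inverse the read side exactly undoes the write side. In `buffer_mask`, `mask` is a `const char *`, so the XOR mixes a possibly signed `char` with a `uint8_t`; the store truncates to the right byte, but a `(uint8_t)` cast on `mask[i % xormasklen]` would make that intent explicit. For anyone enabling this in the 2.3 port, these are fixed, keyless byte transforms applied to the already encrypted packet, not additional cryptography, which is exactly the caveat pkg-help carries.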
Index: openvpn23/files/openvpn-client.in
===================================================================
--- openvpn23/files/openvpn-client.in
+++ openvpn23/files/openvpn-client.in
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+exec %%PREFIX%%/sbin/openvpn --script-security 2 \
+ --up %%PREFIX%%/libexec/openvpn-client.up \
+ --plugin openvpn-plugin-down-root.so %%PREFIX%%/libexec/openvpn-client.down \
+ --config "$@"
Index: openvpn23/files/openvpn.in
===================================================================
--- openvpn23/files/openvpn.in
+++ openvpn23/files/openvpn.in
@@ -0,0 +1,145 @@
+#!/bin/sh
+#
+# openvpn.sh - load tun/tap driver and start OpenVPN daemon
+#
+# (C) Copyright 2005 - 2008, 2010 by Matthias Andree
+# based on suggestions by Matthias Grimm and Dirk Gouders
+# with multi-instance contribution from Denis Shaposhnikov, Gleb Kozyrev
+# and Vasil Dimov
+# softrestart feature suggested by Nick Hibma
+#
+# $FreeBSD$
+#
+# This program is free software; you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+# details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program; if not, write to the Free Software Foundation, Inc., 51 Franklin
+# Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+# PROVIDE: openvpn
+# REQUIRE: DAEMON
+# KEYWORD: shutdown
+
+# -----------------------------------------------------------------------------
+#
+# This script supports running multiple instances of openvpn.
+# To run additional instances link this script to something like
+# % ln -s openvpn openvpn_foo
+# and define additional openvpn_foo_* variables in one of
+# /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/openvpn_foo
+#
+# Below NAME should be substituted with the name of this script. By default
+# it is openvpn, so read as openvpn_enable. If you linked the script to
+# openvpn_foo, then read as openvpn_foo_enable etc.
+#
+# The following variables are supported (defaults are shown).
+# You can place them in any of
+# /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/NAME
+#
+# NAME_enable="NO" # set to YES to enable openvpn
+# NAME_if= # driver(s) to load, set to "tun", "tap" or "tun tap"
+# # it is OK to specify the if_ prefix.
+#
+# # optional:
+# NAME_flags= # additional command line arguments
+# NAME_configfile="%%PREFIX%%/etc/openvpn/NAME.conf" # --config file
+# NAME_dir="%%PREFIX%%/etc/openvpn" # --cd directory
+#
+# You also need to set NAME_configfile and NAME_dir, if the configuration
+# file and directory where keys and certificates reside differ from the above
+# settings.
+#
+# Note that we deliberately refrain from unloading drivers.
+#
+# For further documentation, please see openvpn(8).
+#
+
+. /etc/rc.subr
+
+# service(8) does not create an authentic environment, try to guess,
+# and as of 10.3-RELEASE-p0, it will not find the indented name=
+# assignments below. So give it a default.
+# Trailing semicolon also for service(8)'s benefit:
+name="$file" ;
+
+case "$0" in
+/etc/rc*)
+ # during boot (shutdown) $0 is /etc/rc (/etc/rc.shutdown),
+ # so get the name of the script from $_file
+ name="$_file"
+ ;;
+*/service)
+ # do not use this as $0
+ ;;
+*)
+ name="$0"
+ ;;
+esac
+
+# default name to "openvpn" if guessing failed
+# Trailing semicolon also for service(8)'s benefit:
+name="${name:-openvpn}" ;
+name="${name##*/}"
+rcvar=${name}_enable
+
+stop_postcmd()
+{
+ rm -f "$pidfile" || warn "Could not remove $pidfile."
+}
+
+softrestart()
+{
+ sig_reload=USR1 run_rc_command reload
+ exit $?
+}
+
+openvpn_stats()
+{
+ sig_reload=USR2
+ run_rc_command ${rc_prefix}reload $rc_extra_args
+}
+
+# reload: support SIGHUP to reparse configuration file
+# softrestart: support SIGUSR1 to reconnect without superuser privileges
+# stats: support SIGUSR2 to write statistics to the syslog
+extra_commands="reload softrestart stats"
+softrestart_cmd="softrestart"
+stats_cmd="openvpn_stats"
+
+# pidfile
+pidfile="/var/run/${name}.pid"
+
+# command and arguments
+command="%%PREFIX%%/sbin/openvpn"
+
+# run this last
+stop_postcmd="stop_postcmd"
+
+load_rc_config ${name}
+
+eval ": \${${name}_enable:=\"NO\"}"
+eval ": \${${name}_configfile:=\"%%PREFIX%%/etc/openvpn/${name}.conf\"}"
+eval ": \${${name}_dir:=\"%%PREFIX%%/etc/openvpn\"}"
+
+configfile="$(eval echo \${${name}_configfile})"
+dir="$(eval echo \${${name}_dir})"
+interfaces="$(eval echo \${${name}_if})"
+
+required_modules=
+for i in $interfaces ; do
+ required_modules="$required_modules${required_modules:+" "}if_${i#if_}"
+done
+
+required_files=${configfile}
+
+command_args="--cd ${dir} --daemon ${name} --config ${configfile} --writepid ${pidfile}"
+
+run_rc_command "$1"
Index: openvpn23/files/patch-configure
===================================================================
--- openvpn23/files/patch-configure
+++ openvpn23/files/patch-configure
@@ -0,0 +1,11 @@
+--- configure.orig 2016-08-23 14:19:07 UTC
++++ configure
+@@ -17160,8 +17160,6 @@ fi
+ $as_echo "!! WARNING !! The cmoka git submodule has not been initialized or updated. Unit testing cannot be performed." >&6; }
+ fi
+ else
+- { $as_echo "$as_me:${as_lineno-$LINENO}: result: !! WARNING !! CMake is NOT available. Unit testing cannot be performed." >&5
+-$as_echo "!! WARNING !! CMake is NOT available. Unit testing cannot be performed." >&6; }
+ if false; then
+ CMOCKA_INITIALIZED_TRUE=
+ CMOCKA_INITIALIZED_FALSE='#'
Index: openvpn23/files/patch-sample__sample-config-files__loopback-client
===================================================================
--- openvpn23/files/patch-sample__sample-config-files__loopback-client
+++ openvpn23/files/patch-sample__sample-config-files__loopback-client
@@ -0,0 +1,13 @@
+--- sample/sample-config-files/loopback-client.orig 2016-08-23 14:16:22 UTC
++++ sample/sample-config-files/loopback-client
+@@ -9,8 +9,8 @@
+ # ./openvpn --config sample-config-files/loopback-client (In one window)
+ # ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window)
+
+-rport 16000
+-lport 16001
++rport 16100
++lport 16101
+ remote localhost
+ local localhost
+ dev null
Index: openvpn23/files/patch-sample__sample-config-files__loopback-server
===================================================================
--- openvpn23/files/patch-sample__sample-config-files__loopback-server
+++ openvpn23/files/patch-sample__sample-config-files__loopback-server
@@ -0,0 +1,13 @@
+--- sample/sample-config-files/loopback-server.orig 2016-08-23 14:16:22 UTC
++++ sample/sample-config-files/loopback-server
+@@ -9,8 +9,8 @@
+ # ./openvpn --config sample-config-files/loopback-client (In one window)
+ # ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window)
+
+-rport 16001
+-lport 16000
++rport 16101
++lport 16100
+ remote localhost
+ local localhost
+ dev null
Index: openvpn23/files/patch-tests__t_cltsrv.sh
===================================================================
--- openvpn23/files/patch-tests__t_cltsrv.sh
+++ openvpn23/files/patch-tests__t_cltsrv.sh
@@ -0,0 +1,65 @@
+--- tests/t_cltsrv.sh.orig 2016-08-23 13:10:22 UTC
++++ tests/t_cltsrv.sh
+@@ -1,7 +1,7 @@
+ #! /bin/sh
+ #
+ # t_cltsrv.sh - script to test OpenVPN's crypto loopback
+-# Copyright (C) 2005, 2006, 2008 Matthias Andree
++# Copyright (C) 2005 - 2014 Matthias Andree
+ #
+ # This program is free software; you can redistribute it and/or
+ # modify it under the terms of the GNU General Public License
+@@ -22,8 +22,9 @@ set -e
+ srcdir="${srcdir:-.}"
+ top_srcdir="${top_srcdir:-..}"
+ top_builddir="${top_builddir:-..}"
+-trap "rm -f log.$$ log.$$.signal ; trap 0 ; exit 77" 1 2 15
+-trap "rm -f log.$$ log.$$.signal ; exit 1" 0 3
++root="${top_srcdir}/sample"
++trap "rm -f ${root}/sample-config-files/loopback-*.test log.$$ log.$$.signal ; trap 0 ; exit 77" 1 2 15
++trap "a=\$? ; rm -f ${root}/sample-config-files/loopback-*.test log.$$ log.$$.signal ; test \$a = 0 && exit 1 || exit \$a" 0 3
+ addopts=
+ case `uname -s` in
+ FreeBSD)
+@@ -45,18 +46,38 @@ esac
+ # make sure that the --down script is executable -- fail (rather than
+ # skip) test if it isn't.
+ downscript="../tests/t_cltsrv-down.sh"
+-root="${top_srcdir}/sample"
+ test -x "${root}/${downscript}" || chmod +x "${root}/${downscript}" || { echo >&2 "${root}/${downscript} is not executable, failing." ; exit 1 ; }
+ echo "The following test will take about two minutes." >&2
+ echo "If the addresses are in use, this test will retry up to two times." >&2
+
++set -- $(ifconfig lo0 | grep -E '\<inet' | head -n1)
++add=
++if [ "x$1$2" = "x" ] ; then
++ echo >&2 "### NO ADDRESSES ON LOOPBACK INTERFACE lo0, SKIPPING TEST ###"
++ exit 77
++fi
++if [ "inet6" = "$1" ] ; then
++ add='proto udp6 '
++fi
++for i in server client ; do
++ sed -e "s/localhost/$2/" -e "/^remote /a\\
++$add" ${root}/sample-config-files/loopback-$i \
++ >${root}/sample-config-files/loopback-$i.test
++done
++
+ # go
+ success=0
+ for i in 1 2 3 ; do
+ set +e
+ (
+- "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${root}" ${addopts} --setenv role srv --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-server" &
+- "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${top_srcdir}/sample" ${addopts} --setenv role clt --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-client"
++ "${top_builddir}/src/openvpn/openvpn" --script-security 2 \
++ --cd "${root}" ${addopts} --setenv role srv \
++ --down "${downscript}" --tls-exit --ping-exit 180 \
++ --config "sample-config-files/loopback-server.test" &
++ "${top_builddir}/src/openvpn/openvpn" --script-security 2 \
++ --cd "${top_srcdir}/sample" ${addopts} --setenv role clt \
++ --down "${downscript}" --tls-exit --ping-exit 180 \
++ --config "sample-config-files/loopback-client.test"
+ ) 3>log.$$.signal >log.$$ 2>&1
+ e1=$?
+ wait $!
Index: openvpn23/files/pkg-message.in
===================================================================
--- openvpn23/files/pkg-message.in
+++ openvpn23/files/pkg-message.in
@@ -0,0 +1,11 @@
+### ------------------------------------------------------------------------
+### Edit /etc/rc.conf[.local] to start OpenVPN automatically at system
+### startup. See %%PREFIX%%/etc/rc.d/openvpn for details.
+### ------------------------------------------------------------------------
+### Connect to VPN server as a client with this command to include
+### the client.up/down scripts in the initialization:
+### openvpn-client <spec>.ovpn
+### ------------------------------------------------------------------------
+### For compatibility notes when interoperating with older OpenVPN
+### versions, please, see <http://openvpn.net/relnotes.html>
+### ------------------------------------------------------------------------
Index: openvpn23/files/up-script.sample
===================================================================
--- openvpn23/files/up-script.sample
+++ openvpn23/files/up-script.sample
@@ -0,0 +1,27 @@
+#!/bin/sh
+# OpenVPN simple up/down script for openresolvconf integration.
+# (C) Copyright 2016 Baptiste Daroussin
+# BSD 2-clause license.
+
+set -e +u
+: ${script_type:=down}
+case "${script_type}" in
+up)
+ i=1
+ while :; do
+ eval option=\"\$foreign_option_${i}\" || break
+ [ "${option}" ] || break
+ set -- ${option}
+ i=$((i + 1))
+ [ "$1" = "dhcp-option" ] || continue
+ case "$2" in
+ DNS) echo "nameserver ${3}" ;;
+ DOMAIN) echo "domain ${3}" ;;
+ DOMAIN-SEARCH) echo "search ${3}" ;;
+ esac
+ done | /sbin/resolvconf -a "${dev}"
+ ;;
+down)
+ /sbin/resolvconf -d "${dev}" -f
+ ;;
+esac
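Review bot: `files/up-script.sample` is not referenced anywhere in the openvpn23 Makefile (post-install installs `contrib/pull-resolv-conf/client.up` and `client.down` instead) and does not appear in pkg-plist, so it sits in the ports tree but is never installed; either install it under EXAMPLESDIR or leave it out of the copy. In the script itself, `eval option=\"\$foreign_option_${i}\" || break` never breaks, because an assignment evaluated by `eval` always succeeds; the `[ "${option}" ] || break` on the next line is what actually ends the loop, so the `|| break` on the eval can go.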
Index: openvpn23/pkg-descr
===================================================================
--- openvpn23/pkg-descr
+++ openvpn23/pkg-descr
@@ -0,0 +1,7 @@
+OpenVPN is a robust, scalable and highly configurable VPN (Virtual Private
+Network) daemon which can be used to securely link two or more private networks
+using an encrypted tunnel over the internet. It can operate over UDP or TCP,
+can use SSL or a pre-shared secret to authenticate peers, and in SSL mode, one
+server can handle many clients.
+
+WWW: http://openvpn.net/index.php/open-source.html
Index: openvpn23/pkg-help
===================================================================
--- openvpn23/pkg-help
+++ openvpn23/pkg-help
@@ -0,0 +1,10 @@
+Note that "Tunnelblick" is a controversial option.
+It is included for compatibility, not enabled by default,
+and should only be used with due consideration, and it should not
+replace proper cryptography use in OpenVPN.
+
+Note that this patch does NOT add documentation for the new --scramble
+option, neither to the --help output, nor the manual page.
+
+Please see this website for a more detailed discussion:
+https://tunnelblick.net/cOpenvpn_xorpatch.html
Index: openvpn23/pkg-plist
===================================================================
--- openvpn23/pkg-plist
+++ openvpn23/pkg-plist
@@ -0,0 +1,8 @@
+include/openvpn-plugin.h
+lib/openvpn/plugins/openvpn-plugin-auth-pam.so
+lib/openvpn/plugins/openvpn-plugin-down-root.so
+man/man8/openvpn.8.gz
+sbin/openvpn
+sbin/openvpn-client
+libexec/openvpn-client.up
+libexec/openvpn-client.down
Attached To
D8813: OpenVPN 2.4 preview