diff --git a/security/openvpn-devel/Makefile b/security/openvpn-devel/Makefile index 4c2af67b83f1..522c9f5db9f4 100644 --- a/security/openvpn-devel/Makefile +++ b/security/openvpn-devel/Makefile @@ -1,153 +1,152 @@ PORTNAME= openvpn DISTVERSION= g20220820 PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security net net-vpn PKGNAMESUFFIX= -devel MAINTAINER= gert@greenie.muc.de # let's use ?= in spite of portlint WARNings because this might become # security/openvpn one day which would then have a slave port: COMMENT?= Secure IP/Ethernet tunnel daemon LICENSE= GPLv2 LICENSE_FILE= ${WRKSRC}/COPYRIGHT.GPL BUILD_DEPENDS+= cmocka>=0:sysutils/cmocka \ rst2man:textproc/py-docutils LIB_DEPENDS+= liblzo2.so:archivers/lzo2 USES= autoreconf cpe libtool pkgconfig shebangfix tar:xz IGNORE_SSL= libressl libressl-devel USE_GITLAB= yes GL_COMMIT= 734de8f9aa2df56bcb45ebab7cfa799a23f36403 USE_RC_SUBR= openvpn SHEBANG_FILES= sample/sample-scripts/auth-pam.pl sample/sample-scripts/ucn.pl \ sample/sample-scripts/verify-cn GNU_CONFIGURE= yes CONFIGURE_ARGS+= --enable-strict # set PLUGIN_LIBDIR so that unqualified plugin paths are found: CONFIGURE_ENV+= PLUGINDIR="${PREFIX}/lib/openvpn/plugins" # let OpenVPN's configure script pick up the requisite libraries, # but do not break the plugin build if an older version is installed .ifdef (LOG_OPENVPN) CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN} .endif CPPFLAGS+= -I${WRKSRC}/include -I${LOCALBASE}/include -DCONFIGURE_GIT_REVISION='\"${GL_COMMIT}\"' -DCONFIGURE_GIT_FLAGS= LDFLAGS+= -L${LOCALBASE}/lib CONFLICTS_INSTALL?= openvpn-2.[!4].* openvpn-[!2].* openvpn-beta \ openvpn-devel openvpn-mbedtls SUB_FILES= openvpn-client pkg-message PORTDOCS= * PORTEXAMPLES= * -OPTIONS_DEFINE= DOCS EASYRSA EXAMPLES LZ4 PKCS11 SMALL DCO TEST TUNNELBLICK \ +OPTIONS_DEFINE= DOCS EASYRSA EXAMPLES LZ4 PKCS11 SMALL DCO TEST \ X509ALTUSERNAME OPTIONS_DEFAULT= EASYRSA LZ4 OPENSSL TEST +OPTIONS_EXCLUDE_FreeBSD_12= DCO # FreeBSD 14 only +OPTIONS_EXCLUDE_FreeBSD_13= DCO # FreeBSD 14 only OPTIONS_SINGLE= SSL OPTIONS_SINGLE_SSL= MBEDTLS OPENSSL # option descriptions and interdependencies EASYRSA_DESC= Install security/easy-rsa RSA helper package MBEDTLS_DESC= SSL/TLS via mbedTLS (lacks TLS v1.3) PKCS11_DESC= Use security/pkcs11-helper PKCS11_PREVENTS= MBEDTLS PKCS11_PREVENTS_MSG= OpenVPN cannot use pkcs11-helper with mbedTLS. \ Disable PKCS11, or use OpenSSL instead SMALL_DESC= Build a smaller executable with fewer features DCO_DESC= Build with Data Channel Offload (ovpn(4)) support -TUNNELBLICK_DESC= Tunnelblick XOR scramble patch (READ HELP!) X509ALTUSERNAME_DESC= Enable --x509-username-field (OpenSSL only) X509ALTUSERNAME_PREVENTS= MBEDTLS X509ALTUSERNAME_PREVENTS_MSG= OpenVPN ${DISTVERSION} cannot use \ --x509-username-field with mbedTLS. Disable \ X509ALTUSERNAME, or use OpenSSL instead # option implementations EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4 LZ4_CONFIGURE_OFF= --disable-lz4 MBEDTLS_LIB_DEPENDS= libmbedtls.so:security/mbedtls MBEDTLS_CONFIGURE_ON= --with-crypto-library=mbedtls OPENSSL_USES= ssl OPENSSL_CONFIGURE_ON= --with-crypto-library=openssl PKCS11_LIB_DEPENDS= libpkcs11-helper.so:security/pkcs11-helper PKCS11_CONFIGURE_ENABLE= pkcs11 SMALL_CONFIGURE_ON= --enable-small DCO_CONFIGURE_ON= --enable-dco TEST_ALL_TARGET= check TEST_TEST_TARGET_OFF= check -TUNNELBLICK_EXTRA_PATCHES= ${FILESDIR}/extra-tunnelblick-openvpn_xorpatch - X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username pre-configure: .ifdef (LOG_OPENVPN) @${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}" .else @${ECHO} "" @${ECHO} "You may use the following build options:" @${ECHO} "" @${ECHO} " LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}" @${ECHO} " EXAMPLE: make LOG_OPENVPN=LOG_LOCAL6" @${ECHO} "" .endif post-configure: ${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \ ${WRKSRC}/src/plugins/auth-pam/Makefile \ ${WRKSRC}/src/plugins/down-root/Makefile .include .if ${PORT_OPTIONS:MMBEDTLS} _tlslibs= libmbedtls libmbedx509 libmbedcrypto .else # OpenSSL _tlslibs= libssl libcrypto .endif # sanity check that we don't inherit incompatible SSL libs through, # for instance, pkcs11-helper: post-build: @a=$$(LC_ALL=C ldd -f '%o\n' ${WRKSRC}/src/openvpn/openvpn \ | ${SORT} -u) ; set -- $$(for i in ${_tlslibs} ; do ${PRINTF} '%s\n' "$$a" | ${GREP} $${i}.so | wc -l ; done | ${SORT} -u) ;\ if test "$$*" != "1" ; then ${ECHO_CMD} >&2 "${.CURDIR} FAILED: either of ${_tlslibs} libraries linked multiple times" ; ${PRINTF} '%s\n' "$$a"; ${RM} ${BUILD_COOKIE} ; exit 1 ; fi post-install: ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down ${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client ${MKDIR} ${STAGEDIR}${PREFIX}/include post-install-DOCS-on: ${MKDIR} ${STAGEDIR}${DOCSDIR}/ .for i in AUTHORS ChangeLog PORTS ${INSTALL_DATA} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/ .endfor post-install-EXAMPLES-on: (cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/) ${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/* ${RM} ${STAGEDIR}${EXAMPLESDIR}/sample-config-files/*.orig .include diff --git a/security/openvpn-devel/files/extra-tunnelblick-openvpn_xorpatch b/security/openvpn-devel/files/extra-tunnelblick-openvpn_xorpatch deleted file mode 100644 index 20a0e0bf579f..000000000000 --- a/security/openvpn-devel/files/extra-tunnelblick-openvpn_xorpatch +++ /dev/null @@ -1,294 +0,0 @@ -This work allows obfuscation of the OpenVPN header to make it harder for -layer 7 inspection to identify such traffic, which may come with blocking -or recording actions in certain territories of the world. This patch, in -a nutshell, can increase privacy and range of communication for its users. - -The `scramble' option introduced hereby is off by default. - -The option's usage, history and controversy of the patch is explained in -detail on the following wiki page: - -https://tunnelblick.net/cOpenvpn_xorpatch.html - -The patch was ported to OpenVPN 2.4 by OPNsense. - ---- src/openvpn/forward.c.orig 2016-12-22 07:25:18 UTC -+++ src/openvpn/forward.c -@@ -730,7 +730,10 @@ read_incoming_link(struct context *c) - - status = link_socket_read(c->c2.link_socket, - &c->c2.buf, -- &c->c2.from); -+ &c->c2.from, -+ c->options.ce.xormethod, -+ c->options.ce.xormask, -+ c->options.ce.xormasklen); - - if (socket_connection_reset(c->c2.link_socket, status)) - { -@@ -1368,7 +1371,10 @@ process_outgoing_link(struct context *c) - /* Send packet */ - size = link_socket_write(c->c2.link_socket, - &c->c2.to_link, -- to_addr); -+ to_addr, -+ c->options.ce.xormethod, -+ c->options.ce.xormask, -+ c->options.ce.xormasklen); - - /* Undo effect of prepend */ - link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link); ---- src/openvpn/options.c.orig 2016-12-22 07:25:18 UTC -+++ src/openvpn/options.c -@@ -811,4 +811,7 @@ init_options(struct options *o, const bo - o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; - o->resolve_in_advance = false; - o->proto_force = -1; -+ o->ce.xormethod = 0; -+ o->ce.xormask = "\0"; -+ o->ce.xormasklen = 0; - o->occ = true; -@@ -972,6 +975,9 @@ setenv_connection_entry(struct env_set * - setenv_str_i(es, "local_port", e->local_port, i); - setenv_str_i(es, "remote", e->remote, i); - setenv_str_i(es, "remote_port", e->remote_port, i); -+ setenv_int_i(es, "xormethod", e->xormethod, i); -+ setenv_str_i(es, "xormask", e->xormask, i); -+ setenv_int_i(es, "xormasklen", e->xormasklen, i); - - if (e->http_proxy_options) - { -@@ -1474,6 +1480,9 @@ show_connection_entry(const struct conne - SHOW_BOOL(bind_ipv6_only); - SHOW_INT(connect_retry_seconds); - SHOW_INT(connect_timeout); -+ SHOW_INT(xormethod); -+ SHOW_STR(xormask); -+ SHOW_INT(xormasklen); - - if (o->http_proxy_options) - { -@@ -5915,6 +5924,46 @@ add_option(struct options *options, - } - options->proto_force = proto_force; - } -+ else if (streq (p[0], "scramble") && p[1]) -+ { -+ VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); -+ if (streq (p[1], "xormask") && p[2] && (!p[3])) -+ { -+ options->ce.xormethod = 1; -+ options->ce.xormask = p[2]; -+ options->ce.xormasklen = strlen(options->ce.xormask); -+ } -+ else if (streq (p[1], "xorptrpos") && (!p[2])) -+ { -+ options->ce.xormethod = 2; -+ options->ce.xormask = NULL; -+ options->ce.xormasklen = 0; -+ } -+ else if (streq (p[1], "reverse") && (!p[2])) -+ { -+ options->ce.xormethod = 3; -+ options->ce.xormask = NULL; -+ options->ce.xormasklen = 0; -+ } -+ else if (streq (p[1], "obfuscate") && p[2] && (!p[3])) -+ { -+ options->ce.xormethod = 4; -+ options->ce.xormask = p[2]; -+ options->ce.xormasklen = strlen(options->ce.xormask); -+ } -+ else if (!p[2]) -+ { -+ msg(M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]); -+ options->ce.xormethod = 1; -+ options->ce.xormask = p[1]; -+ options->ce.xormasklen = strlen(options->ce.xormask); -+ } -+ else -+ { -+ msg(msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'"); -+ goto err; -+ } -+ } - else if (streq(p[0], "http-proxy") && p[1] && !p[5]) - { - struct http_proxy_options *ho; ---- src/openvpn/options.h.orig 2016-12-22 07:25:18 UTC -+++ src/openvpn/options.h -@@ -98,6 +98,9 @@ struct connection_entry - int connect_retry_seconds; - int connect_retry_seconds_max; - int connect_timeout; -+ int xormethod; -+ const char *xormask; -+ int xormasklen; - struct http_proxy_options *http_proxy_options; - const char *socks_proxy_server; - const char *socks_proxy_port; ---- src/openvpn/socket.c.orig 2016-12-22 07:25:18 UTC -+++ src/openvpn/socket.c -@@ -55,6 +55,53 @@ const int proto_overhead[] = { /* indexe - IPv6_TCP_HEADER_SIZE, - }; - -+int buffer_mask (struct buffer *buf, const char *mask, int xormasklen) { -+ int i; -+ uint8_t *b; -+ if ( xormasklen > 0 ) { -+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) { -+ *b = *b ^ mask[i % xormasklen]; -+ } -+ } -+ return BLEN (buf); -+} -+ -+int buffer_xorptrpos (struct buffer *buf) { -+ int i; -+ uint8_t *b; -+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) { -+ *b = *b ^ i+1; -+ } -+ return BLEN (buf); -+} -+ -+int buffer_reverse (struct buffer *buf) { -+/* This function has been rewritten for Tunnelblick. The buffer_reverse function at -+ * https://github.com/clayface/openvpn_xorpatch -+ * makes a copy of the buffer and it writes to the byte **after** the -+ * buffer contents, so if the buffer is full then it writes outside of the buffer. -+ * This rewritten version does neither. -+ * -+ * For interoperability, this rewritten version preserves the behavior of the original -+ * function: it does not modify the first character of the buffer. So it does not -+ * actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'. -+ * (Of course, the actual buffer contents are bytes, and not necessarily characters.) -+ */ -+ int len = BLEN(buf); -+ if ( len > 2 ) { /* Leave '', 'a', and 'ab' alone */ -+ int i; -+ uint8_t *b_start = BPTR (buf) + 1; /* point to first byte to swap */ -+ uint8_t *b_end = BPTR (buf) + (len - 1); /* point to last byte to swap */ -+ uint8_t tmp; -+ for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) { -+ tmp = *b_start; -+ *b_start = *b_end; -+ *b_end = tmp; -+ } -+ } -+ return len; -+} -+ - /* - * Convert sockflags/getaddr_flags into getaddr_flags - */ ---- src/openvpn/socket.h.orig 2016-12-22 07:25:18 UTC -+++ src/openvpn/socket.h -@@ -249,6 +249,10 @@ struct link_socket - #endif - }; - -+int buffer_mask (struct buffer *buf, const char *xormask, int xormasklen); -+int buffer_xorptrpos (struct buffer *buf); -+int buffer_reverse (struct buffer *buf); -+ - /* - * Some Posix/Win32 differences. - */ -@@ -1046,30 +1050,55 @@ int link_socket_read_udp_posix(struct li - static inline int - link_socket_read(struct link_socket *sock, - struct buffer *buf, -- struct link_socket_actual *from) -+ struct link_socket_actual *from, -+ int xormethod, -+ const char *xormask, -+ int xormasklen) - { -+ int res; -+ - if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ - { -- int res; -- - #ifdef _WIN32 - res = link_socket_read_udp_win32(sock, buf, from); - #else - res = link_socket_read_udp_posix(sock, buf, from); - #endif -- return res; - } - else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */ - { - /* from address was returned by accept */ - addr_copy_sa(&from->dest, &sock->info.lsa->actual.dest); -- return link_socket_read_tcp(sock, buf); -+ res = link_socket_read_tcp(sock, buf); - } - else - { - ASSERT(0); - return -1; /* NOTREACHED */ - } -+ switch (xormethod) { -+ case 0: -+ break; -+ case 1: -+ buffer_mask(buf,xormask,xormasklen); -+ break; -+ case 2: -+ buffer_xorptrpos(buf); -+ break; -+ case 3: -+ buffer_reverse(buf); -+ break; -+ case 4: -+ buffer_mask(buf,xormask,xormasklen); -+ buffer_xorptrpos(buf); -+ buffer_reverse(buf); -+ buffer_xorptrpos(buf); -+ break; -+ default: -+ ASSERT (0); -+ return -1; /* NOTREACHED */ -+ } -+ return res; - } - - /* -@@ -1159,8 +1188,33 @@ link_socket_write_udp(struct link_socket - static inline int - link_socket_write(struct link_socket *sock, - struct buffer *buf, -- struct link_socket_actual *to) -+ struct link_socket_actual *to, -+ int xormethod, -+ const char *xormask, -+ int xormasklen) - { -+ switch (xormethod) { -+ case 0: -+ break; -+ case 1: -+ buffer_mask(buf,xormask,xormasklen); -+ break; -+ case 2: -+ buffer_xorptrpos(buf); -+ break; -+ case 3: -+ buffer_reverse(buf); -+ break; -+ case 4: -+ buffer_xorptrpos(buf); -+ buffer_reverse(buf); -+ buffer_xorptrpos(buf); -+ buffer_mask(buf,xormask,xormasklen); -+ break; -+ default: -+ ASSERT (0); -+ return -1; /* NOTREACHED */ -+ } - if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ - { - return link_socket_write_udp(sock, buf, to); diff --git a/security/openvpn-devel/pkg-help b/security/openvpn-devel/pkg-help deleted file mode 100644 index 9fd1cd9567bd..000000000000 --- a/security/openvpn-devel/pkg-help +++ /dev/null @@ -1,10 +0,0 @@ -Note that "Tunnelblick" is a controversial option. -It is included for compatibility, not enabled by default, -and should only be used with due consideration, and it should not -replace proper cryptography use in OpenVPN. - -Note that this patch does NOT add documentation for the new --scramble -option, neither to the --help output, nor the manual page. - -Please see this website for a more detailed discussion: -https://tunnelblick.net/cOpenvpn_xorpatch.html