mirror of
https://git.freebsd.org/ports.git
synced 2025-05-18 18:13:12 -04:00
1a948efb1d
OpenVPN has been updated to v2.4.0. Changes: <https://github.com/OpenVPN/openvpn/blob/v2.4.0/Changes.rst> openvpn-polarssl has been renamed to openvpn-mbedtls to match the TLS library's change of name. The prior versions of the openvpn ports have been preserved in openvpn23 and openvpn23-polarssl, respectively, and are set to expire 2017-03-31.
296 lines
9.5 KiB
Text
296 lines
9.5 KiB
Text
This work allows obfuscation of the OpenVPN header to make it harder for
|
|
layer 7 inspection to identify such traffic, which may come with blocking
|
|
or recording actions in certain territories of the world. This patch, in
|
|
a nutshell, can increase privacy and range of communication for its users.
|
|
|
|
The `scramble' option introduced hereby is off by default.
|
|
|
|
The option's usage, history and controversy of the patch is explained in
|
|
detail on the following wiki page:
|
|
|
|
https://tunnelblick.net/cOpenvpn_xorpatch.html
|
|
|
|
The patch was ported to OpenVPN 2.4 by OPNsense.
|
|
|
|
--- src/openvpn/forward.c.orig 2016-12-22 07:25:18 UTC
|
|
+++ src/openvpn/forward.c
|
|
@@ -730,7 +730,10 @@ read_incoming_link(struct context *c)
|
|
|
|
status = link_socket_read(c->c2.link_socket,
|
|
&c->c2.buf,
|
|
- &c->c2.from);
|
|
+ &c->c2.from,
|
|
+ c->options.ce.xormethod,
|
|
+ c->options.ce.xormask,
|
|
+ c->options.ce.xormasklen);
|
|
|
|
if (socket_connection_reset(c->c2.link_socket, status))
|
|
{
|
|
@@ -1368,7 +1371,10 @@ process_outgoing_link(struct context *c)
|
|
/* Send packet */
|
|
size = link_socket_write(c->c2.link_socket,
|
|
&c->c2.to_link,
|
|
- to_addr);
|
|
+ to_addr,
|
|
+ c->options.ce.xormethod,
|
|
+ c->options.ce.xormask,
|
|
+ c->options.ce.xormasklen);
|
|
|
|
/* Undo effect of prepend */
|
|
link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link);
|
|
--- src/openvpn/options.c.orig 2016-12-22 07:25:18 UTC
|
|
+++ src/openvpn/options.c
|
|
@@ -811,6 +811,9 @@ init_options(struct options *o, const bo
|
|
o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
|
|
o->resolve_in_advance = false;
|
|
o->proto_force = -1;
|
|
+ o->ce.xormethod = 0;
|
|
+ o->ce.xormask = "\0";
|
|
+ o->ce.xormasklen = 0;
|
|
#ifdef ENABLE_OCC
|
|
o->occ = true;
|
|
#endif
|
|
@@ -972,6 +975,9 @@ setenv_connection_entry(struct env_set *
|
|
setenv_str_i(es, "local_port", e->local_port, i);
|
|
setenv_str_i(es, "remote", e->remote, i);
|
|
setenv_str_i(es, "remote_port", e->remote_port, i);
|
|
+ setenv_int_i(es, "xormethod", e->xormethod, i);
|
|
+ setenv_str_i(es, "xormask", e->xormask, i);
|
|
+ setenv_int_i(es, "xormasklen", e->xormasklen, i);
|
|
|
|
if (e->http_proxy_options)
|
|
{
|
|
@@ -1474,6 +1480,9 @@ show_connection_entry(const struct conne
|
|
SHOW_BOOL(bind_ipv6_only);
|
|
SHOW_INT(connect_retry_seconds);
|
|
SHOW_INT(connect_timeout);
|
|
+ SHOW_INT(xormethod);
|
|
+ SHOW_STR(xormask);
|
|
+ SHOW_INT(xormasklen);
|
|
|
|
if (o->http_proxy_options)
|
|
{
|
|
@@ -5915,6 +5924,46 @@ add_option(struct options *options,
|
|
}
|
|
options->proto_force = proto_force;
|
|
}
|
|
+ else if (streq (p[0], "scramble") && p[1])
|
|
+ {
|
|
+ VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
|
|
+ if (streq (p[1], "xormask") && p[2] && (!p[3]))
|
|
+ {
|
|
+ options->ce.xormethod = 1;
|
|
+ options->ce.xormask = p[2];
|
|
+ options->ce.xormasklen = strlen(options->ce.xormask);
|
|
+ }
|
|
+ else if (streq (p[1], "xorptrpos") && (!p[2]))
|
|
+ {
|
|
+ options->ce.xormethod = 2;
|
|
+ options->ce.xormask = NULL;
|
|
+ options->ce.xormasklen = 0;
|
|
+ }
|
|
+ else if (streq (p[1], "reverse") && (!p[2]))
|
|
+ {
|
|
+ options->ce.xormethod = 3;
|
|
+ options->ce.xormask = NULL;
|
|
+ options->ce.xormasklen = 0;
|
|
+ }
|
|
+ else if (streq (p[1], "obfuscate") && p[2] && (!p[3]))
|
|
+ {
|
|
+ options->ce.xormethod = 4;
|
|
+ options->ce.xormask = p[2];
|
|
+ options->ce.xormasklen = strlen(options->ce.xormask);
|
|
+ }
|
|
+ else if (!p[2])
|
|
+ {
|
|
+ msg(M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]);
|
|
+ options->ce.xormethod = 1;
|
|
+ options->ce.xormask = p[1];
|
|
+ options->ce.xormasklen = strlen(options->ce.xormask);
|
|
+ }
|
|
+ else
|
|
+ {
|
|
+ msg(msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'");
|
|
+ goto err;
|
|
+ }
|
|
+ }
|
|
else if (streq(p[0], "http-proxy") && p[1] && !p[5])
|
|
{
|
|
struct http_proxy_options *ho;
|
|
--- src/openvpn/options.h.orig 2016-12-22 07:25:18 UTC
|
|
+++ src/openvpn/options.h
|
|
@@ -98,6 +98,9 @@ struct connection_entry
|
|
int connect_retry_seconds;
|
|
int connect_retry_seconds_max;
|
|
int connect_timeout;
|
|
+ int xormethod;
|
|
+ const char *xormask;
|
|
+ int xormasklen;
|
|
struct http_proxy_options *http_proxy_options;
|
|
const char *socks_proxy_server;
|
|
const char *socks_proxy_port;
|
|
--- src/openvpn/socket.c.orig 2016-12-22 07:25:18 UTC
|
|
+++ src/openvpn/socket.c
|
|
@@ -55,6 +55,53 @@ const int proto_overhead[] = { /* indexe
|
|
IPv6_TCP_HEADER_SIZE,
|
|
};
|
|
|
|
+int buffer_mask (struct buffer *buf, const char *mask, int xormasklen) {
|
|
+ int i;
|
|
+ uint8_t *b;
|
|
+ if ( xormasklen > 0 ) {
|
|
+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
|
|
+ *b = *b ^ mask[i % xormasklen];
|
|
+ }
|
|
+ }
|
|
+ return BLEN (buf);
|
|
+}
|
|
+
|
|
+int buffer_xorptrpos (struct buffer *buf) {
|
|
+ int i;
|
|
+ uint8_t *b;
|
|
+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
|
|
+ *b = *b ^ i+1;
|
|
+ }
|
|
+ return BLEN (buf);
|
|
+}
|
|
+
|
|
+int buffer_reverse (struct buffer *buf) {
|
|
+/* This function has been rewritten for Tunnelblick. The buffer_reverse function at
|
|
+ * https://github.com/clayface/openvpn_xorpatch
|
|
+ * makes a copy of the buffer and it writes to the byte **after** the
|
|
+ * buffer contents, so if the buffer is full then it writes outside of the buffer.
|
|
+ * This rewritten version does neither.
|
|
+ *
|
|
+ * For interoperability, this rewritten version preserves the behavior of the original
|
|
+ * function: it does not modify the first character of the buffer. So it does not
|
|
+ * actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'.
|
|
+ * (Of course, the actual buffer contents are bytes, and not necessarily characters.)
|
|
+ */
|
|
+ int len = BLEN(buf);
|
|
+ if ( len > 2 ) { /* Leave '', 'a', and 'ab' alone */
|
|
+ int i;
|
|
+ uint8_t *b_start = BPTR (buf) + 1; /* point to first byte to swap */
|
|
+ uint8_t *b_end = BPTR (buf) + (len - 1); /* point to last byte to swap */
|
|
+ uint8_t tmp;
|
|
+ for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) {
|
|
+ tmp = *b_start;
|
|
+ *b_start = *b_end;
|
|
+ *b_end = tmp;
|
|
+ }
|
|
+ }
|
|
+ return len;
|
|
+}
|
|
+
|
|
/*
|
|
* Convert sockflags/getaddr_flags into getaddr_flags
|
|
*/
|
|
--- src/openvpn/socket.h.orig 2016-12-22 07:25:18 UTC
|
|
+++ src/openvpn/socket.h
|
|
@@ -249,6 +249,10 @@ struct link_socket
|
|
#endif
|
|
};
|
|
|
|
+int buffer_mask (struct buffer *buf, const char *xormask, int xormasklen);
|
|
+int buffer_xorptrpos (struct buffer *buf);
|
|
+int buffer_reverse (struct buffer *buf);
|
|
+
|
|
/*
|
|
* Some Posix/Win32 differences.
|
|
*/
|
|
@@ -1046,30 +1050,55 @@ int link_socket_read_udp_posix(struct li
|
|
static inline int
|
|
link_socket_read(struct link_socket *sock,
|
|
struct buffer *buf,
|
|
- struct link_socket_actual *from)
|
|
+ struct link_socket_actual *from,
|
|
+ int xormethod,
|
|
+ const char *xormask,
|
|
+ int xormasklen)
|
|
{
|
|
+ int res;
|
|
+
|
|
if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
|
|
{
|
|
- int res;
|
|
-
|
|
#ifdef _WIN32
|
|
res = link_socket_read_udp_win32(sock, buf, from);
|
|
#else
|
|
res = link_socket_read_udp_posix(sock, buf, from);
|
|
#endif
|
|
- return res;
|
|
}
|
|
else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */
|
|
{
|
|
/* from address was returned by accept */
|
|
addr_copy_sa(&from->dest, &sock->info.lsa->actual.dest);
|
|
- return link_socket_read_tcp(sock, buf);
|
|
+ res = link_socket_read_tcp(sock, buf);
|
|
}
|
|
else
|
|
{
|
|
ASSERT(0);
|
|
return -1; /* NOTREACHED */
|
|
}
|
|
+ switch (xormethod) {
|
|
+ case 0:
|
|
+ break;
|
|
+ case 1:
|
|
+ buffer_mask(buf,xormask,xormasklen);
|
|
+ break;
|
|
+ case 2:
|
|
+ buffer_xorptrpos(buf);
|
|
+ break;
|
|
+ case 3:
|
|
+ buffer_reverse(buf);
|
|
+ break;
|
|
+ case 4:
|
|
+ buffer_mask(buf,xormask,xormasklen);
|
|
+ buffer_xorptrpos(buf);
|
|
+ buffer_reverse(buf);
|
|
+ buffer_xorptrpos(buf);
|
|
+ break;
|
|
+ default:
|
|
+ ASSERT (0);
|
|
+ return -1; /* NOTREACHED */
|
|
+ }
|
|
+ return res;
|
|
}
|
|
|
|
/*
|
|
@@ -1159,8 +1188,33 @@ link_socket_write_udp(struct link_socket
|
|
static inline int
|
|
link_socket_write(struct link_socket *sock,
|
|
struct buffer *buf,
|
|
- struct link_socket_actual *to)
|
|
+ struct link_socket_actual *to,
|
|
+ int xormethod,
|
|
+ const char *xormask,
|
|
+ int xormasklen)
|
|
{
|
|
+ switch (xormethod) {
|
|
+ case 0:
|
|
+ break;
|
|
+ case 1:
|
|
+ buffer_mask(buf,xormask,xormasklen);
|
|
+ break;
|
|
+ case 2:
|
|
+ buffer_xorptrpos(buf);
|
|
+ break;
|
|
+ case 3:
|
|
+ buffer_reverse(buf);
|
|
+ break;
|
|
+ case 4:
|
|
+ buffer_xorptrpos(buf);
|
|
+ buffer_reverse(buf);
|
|
+ buffer_xorptrpos(buf);
|
|
+ buffer_mask(buf,xormask,xormasklen);
|
|
+ break;
|
|
+ default:
|
|
+ ASSERT (0);
|
|
+ return -1; /* NOTREACHED */
|
|
+ }
|
|
if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
|
|
{
|
|
return link_socket_write_udp(sock, buf, to);
|