git: d165aeb41ae7 - main - security/openvpn-devel: options cleanup

From: Matthias Andree <mandree_at_FreeBSD.org>
Date: Sun, 21 Aug 2022 09:29:33 UTC
The branch main has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d165aeb41ae7227ac5b1efcfa3d3162944c7ecfe

commit d165aeb41ae7227ac5b1efcfa3d3162944c7ecfe
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2022-08-21 09:09:04 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2022-08-21 09:14:15 +0000

    security/openvpn-devel: options cleanup
    
    - Drop TUNNELBLICK option and patch, which fails PATCH and if your force
      it, build. security/openvpn removed the option earlier this year.
      Drop pkg-help along with it
    - Exclude DCO-option on FreeBSD 12 and 13. It requires FreeBSD 14
      kernel features, and FreeBSD 11 and older are no longer supported.
    
    Approved by: portmgr (blanket)
---
 security/openvpn-devel/Makefile                    |   7 +-
 .../files/extra-tunnelblick-openvpn_xorpatch       | 294 ---------------------
 security/openvpn-devel/pkg-help                    |  10 -
 3 files changed, 3 insertions(+), 308 deletions(-)

diff --git a/security/openvpn-devel/Makefile b/security/openvpn-devel/Makefile
index 4c2af67b83f1..522c9f5db9f4 100644
--- a/security/openvpn-devel/Makefile
+++ b/security/openvpn-devel/Makefile
@@ -48,9 +48,11 @@ SUB_FILES=	openvpn-client pkg-message
 PORTDOCS=	*
 PORTEXAMPLES=	*
 
-OPTIONS_DEFINE=		DOCS EASYRSA EXAMPLES LZ4 PKCS11 SMALL DCO TEST TUNNELBLICK \
+OPTIONS_DEFINE=		DOCS EASYRSA EXAMPLES LZ4 PKCS11 SMALL DCO TEST \
 			X509ALTUSERNAME
 OPTIONS_DEFAULT=	EASYRSA LZ4 OPENSSL TEST
+OPTIONS_EXCLUDE_FreeBSD_12=	DCO # FreeBSD 14 only
+OPTIONS_EXCLUDE_FreeBSD_13=	DCO # FreeBSD 14 only
 OPTIONS_SINGLE=		SSL
 OPTIONS_SINGLE_SSL=	MBEDTLS OPENSSL
 
@@ -64,7 +66,6 @@ PKCS11_PREVENTS_MSG=		OpenVPN cannot use pkcs11-helper with mbedTLS. \
 				Disable PKCS11, or use OpenSSL instead
 SMALL_DESC=			Build a smaller executable with fewer features
 DCO_DESC=			Build with Data Channel Offload (ovpn(4)) support
-TUNNELBLICK_DESC=		Tunnelblick XOR scramble patch (READ HELP!)
 X509ALTUSERNAME_DESC=		Enable --x509-username-field (OpenSSL only)
 X509ALTUSERNAME_PREVENTS=	MBEDTLS
 X509ALTUSERNAME_PREVENTS_MSG=	OpenVPN ${DISTVERSION} cannot use \
@@ -94,8 +95,6 @@ DCO_CONFIGURE_ON=	--enable-dco
 TEST_ALL_TARGET=	check
 TEST_TEST_TARGET_OFF=	check
 
-TUNNELBLICK_EXTRA_PATCHES=	${FILESDIR}/extra-tunnelblick-openvpn_xorpatch
-
 X509ALTUSERNAME_CONFIGURE_ENABLE=	x509-alt-username
 
 pre-configure:
diff --git a/security/openvpn-devel/files/extra-tunnelblick-openvpn_xorpatch b/security/openvpn-devel/files/extra-tunnelblick-openvpn_xorpatch
deleted file mode 100644
index 20a0e0bf579f..000000000000
--- a/security/openvpn-devel/files/extra-tunnelblick-openvpn_xorpatch
+++ /dev/null
@@ -1,294 +0,0 @@
-This work allows obfuscation of the OpenVPN header to make it harder for
-layer 7 inspection to identify such traffic, which may come with blocking
-or recording actions in certain territories of the world.  This patch, in
-a nutshell, can increase privacy and range of communication for its users.
-
-The `scramble' option introduced hereby is off by default.
-
-The option's usage, history and controversy of the patch is explained in
-detail on the following wiki page:
-
-https://tunnelblick.net/cOpenvpn_xorpatch.html
-
-The patch was ported to OpenVPN 2.4 by OPNsense.
-
---- src/openvpn/forward.c.orig	2016-12-22 07:25:18 UTC
-+++ src/openvpn/forward.c
-@@ -730,7 +730,10 @@ read_incoming_link(struct context *c)
- 
-     status = link_socket_read(c->c2.link_socket,
-                               &c->c2.buf,
--                              &c->c2.from);
-+                              &c->c2.from,
-+                              c->options.ce.xormethod,
-+                              c->options.ce.xormask,
-+                              c->options.ce.xormasklen);
- 
-     if (socket_connection_reset(c->c2.link_socket, status))
-     {
-@@ -1368,7 +1371,10 @@ process_outgoing_link(struct context *c)
-                 /* Send packet */
-                 size = link_socket_write(c->c2.link_socket,
-                                          &c->c2.to_link,
--                                         to_addr);
-+                                         to_addr,
-+                                         c->options.ce.xormethod,
-+                                         c->options.ce.xormask,
-+                                         c->options.ce.xormasklen);
- 
-                 /* Undo effect of prepend */
-                 link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link);
---- src/openvpn/options.c.orig	2016-12-22 07:25:18 UTC
-+++ src/openvpn/options.c
-@@ -811,4 +811,7 @@ init_options(struct options *o, const bo
-     o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
-     o->resolve_in_advance = false;
-     o->proto_force = -1;
-+    o->ce.xormethod = 0;
-+    o->ce.xormask = "\0";
-+    o->ce.xormasklen = 0;
-     o->occ = true;
-@@ -972,6 +975,9 @@ setenv_connection_entry(struct env_set *
-     setenv_str_i(es, "local_port", e->local_port, i);
-     setenv_str_i(es, "remote", e->remote, i);
-     setenv_str_i(es, "remote_port", e->remote_port, i);
-+    setenv_int_i(es, "xormethod", e->xormethod, i);
-+    setenv_str_i(es, "xormask", e->xormask, i);
-+    setenv_int_i(es, "xormasklen", e->xormasklen, i);
- 
-     if (e->http_proxy_options)
-     {
-@@ -1474,6 +1480,9 @@ show_connection_entry(const struct conne
-     SHOW_BOOL(bind_ipv6_only);
-     SHOW_INT(connect_retry_seconds);
-     SHOW_INT(connect_timeout);
-+    SHOW_INT(xormethod);
-+    SHOW_STR(xormask);
-+    SHOW_INT(xormasklen);
- 
-     if (o->http_proxy_options)
-     {
-@@ -5915,6 +5924,46 @@ add_option(struct options *options,
-         }
-         options->proto_force = proto_force;
-     }
-+    else if (streq (p[0], "scramble") && p[1])
-+    {
-+        VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
-+        if (streq (p[1], "xormask") && p[2] && (!p[3]))
-+        {
-+            options->ce.xormethod = 1;
-+            options->ce.xormask = p[2];
-+            options->ce.xormasklen = strlen(options->ce.xormask);
-+        }
-+        else if (streq (p[1], "xorptrpos") && (!p[2]))
-+        {
-+            options->ce.xormethod = 2;
-+            options->ce.xormask = NULL;
-+            options->ce.xormasklen = 0;
-+        }
-+        else if (streq (p[1], "reverse") && (!p[2]))
-+        {
-+            options->ce.xormethod = 3;
-+            options->ce.xormask = NULL;
-+            options->ce.xormasklen = 0;
-+        }
-+        else if (streq (p[1], "obfuscate") && p[2] && (!p[3]))
-+        {
-+            options->ce.xormethod = 4;
-+            options->ce.xormask = p[2];
-+            options->ce.xormasklen = strlen(options->ce.xormask);
-+        }
-+        else if (!p[2])
-+        {
-+            msg(M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]);
-+            options->ce.xormethod = 1;
-+            options->ce.xormask = p[1];
-+            options->ce.xormasklen = strlen(options->ce.xormask);
-+        }
-+        else
-+        {
-+            msg(msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'");
-+            goto err;
-+        }
-+    }
-     else if (streq(p[0], "http-proxy") && p[1] && !p[5])
-     {
-         struct http_proxy_options *ho;
---- src/openvpn/options.h.orig	2016-12-22 07:25:18 UTC
-+++ src/openvpn/options.h
-@@ -98,6 +98,9 @@ struct connection_entry
-     int connect_retry_seconds;
-     int connect_retry_seconds_max;
-     int connect_timeout;
-+    int xormethod;
-+    const char *xormask;
-+    int xormasklen;
-     struct http_proxy_options *http_proxy_options;
-     const char *socks_proxy_server;
-     const char *socks_proxy_port;
---- src/openvpn/socket.c.orig	2016-12-22 07:25:18 UTC
-+++ src/openvpn/socket.c
-@@ -55,6 +55,53 @@ const int proto_overhead[] = { /* indexe
-     IPv6_TCP_HEADER_SIZE,
- };
- 
-+int buffer_mask (struct buffer *buf, const char *mask, int xormasklen) {
-+	int i;
-+	uint8_t *b;
-+	if (  xormasklen > 0  ) {
-+		for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
-+			*b = *b ^ mask[i % xormasklen];
-+		}
-+	}
-+	return BLEN (buf);
-+}
-+
-+int buffer_xorptrpos (struct buffer *buf) {
-+	int i;
-+	uint8_t *b;
-+	for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
-+		*b = *b ^ i+1;
-+	}
-+	return BLEN (buf);
-+}
-+
-+int buffer_reverse (struct buffer *buf) {
-+/* This function has been rewritten for Tunnelblick. The buffer_reverse function at
-+ * https://github.com/clayface/openvpn_xorpatch
-+ * makes a copy of the buffer and it writes to the byte **after** the
-+ * buffer contents, so if the buffer is full then it writes outside of the buffer.
-+ * This rewritten version does neither.
-+ *
-+ * For interoperability, this rewritten version preserves the behavior of the original
-+ * function: it does not modify the first character of the buffer. So it does not
-+ * actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'.
-+ * (Of course, the actual buffer contents are bytes, and not necessarily characters.)
-+ */
-+  int len = BLEN(buf);
-+  if (  len > 2  ) {                           /* Leave '', 'a', and 'ab' alone */
-+    int i;
-+    uint8_t *b_start = BPTR (buf) + 1;	        /* point to first byte to swap */
-+    uint8_t *b_end   = BPTR (buf) + (len - 1); /* point to last byte to swap */
-+    uint8_t tmp;
-+    for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) {
-+      tmp = *b_start;
-+      *b_start = *b_end;
-+      *b_end = tmp;
-+    }
-+  }
-+  return len;
-+}
-+
- /*
-  * Convert sockflags/getaddr_flags into getaddr_flags
-  */
---- src/openvpn/socket.h.orig	2016-12-22 07:25:18 UTC
-+++ src/openvpn/socket.h
-@@ -249,6 +249,10 @@ struct link_socket
- #endif
- };
- 
-+int buffer_mask (struct buffer *buf, const char *xormask, int xormasklen);
-+int buffer_xorptrpos (struct buffer *buf);
-+int buffer_reverse (struct buffer *buf);
-+
- /*
-  * Some Posix/Win32 differences.
-  */
-@@ -1046,30 +1050,55 @@ int link_socket_read_udp_posix(struct li
- static inline int
- link_socket_read(struct link_socket *sock,
-                  struct buffer *buf,
--                 struct link_socket_actual *from)
-+                 struct link_socket_actual *from,
-+                 int xormethod,
-+                 const char *xormask,
-+                 int xormasklen)
- {
-+    int res;
-+
-     if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
-     {
--        int res;
--
- #ifdef _WIN32
-         res = link_socket_read_udp_win32(sock, buf, from);
- #else
-         res = link_socket_read_udp_posix(sock, buf, from);
- #endif
--        return res;
-     }
-     else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */
-     {
-         /* from address was returned by accept */
-         addr_copy_sa(&from->dest, &sock->info.lsa->actual.dest);
--        return link_socket_read_tcp(sock, buf);
-+        res = link_socket_read_tcp(sock, buf);
-     }
-     else
-     {
-         ASSERT(0);
-         return -1; /* NOTREACHED */
-     }
-+    switch (xormethod) {
-+    case 0:
-+        break;
-+    case 1:
-+        buffer_mask(buf,xormask,xormasklen);
-+        break;
-+    case 2:
-+        buffer_xorptrpos(buf);
-+        break;
-+    case 3:
-+        buffer_reverse(buf);
-+        break;
-+    case 4:
-+        buffer_mask(buf,xormask,xormasklen);
-+        buffer_xorptrpos(buf);
-+        buffer_reverse(buf);
-+        buffer_xorptrpos(buf);
-+        break;
-+    default:
-+        ASSERT (0);
-+        return -1; /* NOTREACHED */
-+    }
-+    return res;
- }
- 
- /*
-@@ -1159,8 +1188,33 @@ link_socket_write_udp(struct link_socket
- static inline int
- link_socket_write(struct link_socket *sock,
-                   struct buffer *buf,
--                  struct link_socket_actual *to)
-+                  struct link_socket_actual *to,
-+                  int xormethod,
-+                  const char *xormask,
-+                  int xormasklen)
- {
-+    switch (xormethod) {
-+    case 0:
-+        break;
-+    case 1:
-+        buffer_mask(buf,xormask,xormasklen);
-+        break;
-+    case 2:
-+        buffer_xorptrpos(buf);
-+        break;
-+    case 3:
-+        buffer_reverse(buf);
-+        break;
-+    case 4:
-+        buffer_xorptrpos(buf);
-+        buffer_reverse(buf);
-+        buffer_xorptrpos(buf);
-+        buffer_mask(buf,xormask,xormasklen);
-+        break;
-+    default:
-+        ASSERT (0);
-+        return -1; /* NOTREACHED */
-+    }
-     if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
-     {
-         return link_socket_write_udp(sock, buf, to);
diff --git a/security/openvpn-devel/pkg-help b/security/openvpn-devel/pkg-help
deleted file mode 100644
index 9fd1cd9567bd..000000000000
--- a/security/openvpn-devel/pkg-help
+++ /dev/null
@@ -1,10 +0,0 @@
-Note that "Tunnelblick" is a controversial option.
-It is included for compatibility, not enabled by default,
-and should only be used with due consideration, and it should not
-replace proper cryptography use in OpenVPN.
-
-Note that this patch does NOT add documentation for the new --scramble
-option, neither to the --help output, nor the manual page.
-
-Please see this website for a more detailed discussion:
-https://tunnelblick.net/cOpenvpn_xorpatch.html