From owner-svn-ports-all@freebsd.org Fri Oct 30 20:36:02 2020
Message-Id: <202010302036.09UKa18h001631@repo.freebsd.org>
From: Matthias Andree
Date: Fri, 30 Oct 2020 20:36:01 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r553713 - in head: . security/openvpn security/openvpn/files
X-SVN-Group: ports-head
X-SVN-Commit-Author: mandree
X-SVN-Commit-Paths: in head: . security/openvpn security/openvpn/files
X-SVN-Commit-Revision: 553713
X-SVN-Commit-Repository: ports
List-Id: SVN commit messages for the ports tree

Author: mandree
Date: Fri Oct 30 20:36:01 2020
New Revision: 553713

URL: https://svnweb.freebsd.org/changeset/ports/553713

Log:
  Update security/openvpn 2.5.

  For 2.3 peers, update your configuration, ...see ports/UPDATING or the ChangeLog:
  https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-25

  Avoid LibreSSL (IGNORE_SSL).

  INSTALL_DATA -> INSTALL_MAN for documentation.

  Rearrange Makefile according to portclippy.
Deleted: head/security/openvpn/files/patch-configure head/security/openvpn/files/patch-git-098edbb1f5a2e1360fd6a4ae0642b63bec12e992 head/security/openvpn/files/patch-git-38b46e6bf65489c2c5d75da1c02a3a1c33e6da88 head/security/openvpn/files/patch-git-b89e48b015e581a4a0f5c306e2ab20da34c862ea head/security/openvpn/files/patch-git-cab48ad43eaba51c54fa23e55b0b2eb436dd921f head/security/openvpn/files/patch-git-fc0297143494e0a0f08564d90dbb210669d0abf5 head/security/openvpn/files/patch-src_openvpn_ssl__openssl.c Modified: head/UPDATING head/security/openvpn/Makefile head/security/openvpn/distinfo head/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch head/security/openvpn/pkg-plist Modified: head/UPDATING ============================================================================== --- head/UPDATING Fri Oct 30 19:27:52 2020 (r553712) +++ head/UPDATING Fri Oct 30 20:36:01 2020 (r553713) @@ -5,6 +5,18 @@ they are unavoidable. You should get into the habit of checking this file for changes each time you update your ports collection, before attempting any port upgrades. +20201030: + AFFECTS: users of security/openvpn + AUTHOR: mandree@FreeBSD.org + + The security/openvpn port has been updated to v2.5.0, which brings a + change to the default ciphersuite, which no longer contains BF-CBC. + + Some options have been removed. Also, if you need to support very old (v2.3) + and unsupported clients or servers, you will need to adjust the + configuration. For details, see: + https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-25 + 20201029: AFFECTS: users of www/node AUTHOR: bhughes@FreeBSD.org Modified: head/security/openvpn/Makefile ============================================================================== --- head/security/openvpn/Makefile Fri Oct 30 19:27:52 2020 (r553712) +++ head/security/openvpn/Makefile Fri Oct 30 20:36:01 2020 (r553713) 
@@ -2,8 +2,8 @@ # $FreeBSD$ PORTNAME= openvpn -DISTVERSION= 2.4.9 -PORTREVISION?= 3 +DISTVERSION= 2.5.0 +PORTREVISION?= 0 CATEGORIES= security net net-vpn MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \ https://build.openvpn.net/downloads/releases/ \ 
@@ -15,86 +15,79 @@ COMMENT?= Secure IP/Ethernet tunnel daemon LICENSE= GPLv2 LICENSE_FILE= ${WRKSRC}/COPYRIGHT.GPL -USES= cpe libtool pkgconfig shebangfix tar:xz +USES= cpe libtool localbase:ldflags pkgconfig shebangfix tar:xz +IGNORE_SSL= libressl libressl-devel +USE_RC_SUBR= openvpn -CONFLICTS_INSTALL?= openvpn-2.[!4].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]* openvpn-mbedtls-[0-9]* - -GNU_CONFIGURE= yes SHEBANG_FILES= sample/sample-scripts/verify-cn \ sample/sample-scripts/auth-pam.pl \ sample/sample-scripts/ucn.pl + +GNU_CONFIGURE= yes CONFIGURE_ARGS+= --enable-strict # set PLUGIN_LIBDIR so that unqualified plugin paths are found: CONFIGURE_ENV+= PLUGINDIR="${PREFIX}/lib/openvpn/plugins" +CONFLICTS_INSTALL?= openvpn-2.[!5].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]* openvpn-mbedtls-[0-9]* + +SUB_FILES= pkg-message openvpn-client + +PORTDOCS= * +PORTEXAMPLES= * + # avoid picking up CMAKE, we don't have cmocka in the tarballs. CONFIGURE_ENV+= ac_cv_prog_CMAKE= CMAKE= -# let OpenVPN's configure script pick up the requisite libraries, -# but do not break the plugin build if an older version is installed -# XXX FIXME: once there is an opportunity for testing with older -# versions with incompatible plugins again, try USES+=localbase:ldflags, -# suggested by Mateusz Piotrowski 0mp@ 2020-07-17 -CPPFLAGS+= -I${WRKSRC}/include -I${LOCALBASE}/include -LDFLAGS+= -L${LOCALBASE}/lib -Wl,--as-needed - OPTIONS_DEFINE= PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \ TEST LZ4 LZO SMALL TUNNELBLICK ASYNC_PUSH OPTIONS_DEFAULT= EASYRSA OPENSSL TEST LZ4 LZO OPTIONS_SINGLE= SSL OPTIONS_SINGLE_SSL= OPENSSL MBEDTLS ASYNC_PUSH_DESC= Enable async-push support -PKCS11_DESC= Use security/pkcs11-helper (OpenSSL only) EASYRSA_DESC= Install security/easy-rsa RSA helper package MBEDTLS_DESC= SSL/TLS via mbedTLS (lacks TLS v1.3) +PKCS11_DESC= Use security/pkcs11-helper (OpenSSL only) +SMALL_DESC= Build a smaller executable with fewer features TUNNELBLICK_DESC= 
Tunnelblick XOR scramble patch (READ HELP!) X509ALTUSERNAME_DESC= Enable --x509-username-field (OpenSSL only) -SMALL_DESC= Build a smaller executable with fewer features -ASYNC_PUSH_CONFIGURE_ENABLE= async-push ASYNC_PUSH_LIB_DEPENDS= libinotify.so:devel/libinotify +ASYNC_PUSH_CONFIGURE_ENABLE= async-push EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa -PKCS11_LIB_DEPENDS= libpkcs11-helper.so:security/pkcs11-helper -PKCS11_CONFIGURE_ENABLE= pkcs11 -PKCS11_PREVENTS= MBEDTLS -PKCS11_PREVENTS_MSG= OpenVPN cannot use pkcs11-helper with mbedTLS. Disable PKCS11, or use OpenSSL instead +LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4 +LZ4_CONFIGURE_ENABLE= lz4 -TUNNELBLICK_EXTRA_PATCHES= ${FILESDIR}/extra-tunnelblick-openvpn_xorpatch +LZO_LIB_DEPENDS+= liblzo2.so:archivers/lzo2 +LZO_CONFIGURE_ENABLE= lzo -X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username -X509ALTUSERNAME_PREVENTS= MBEDTLS -X509ALTUSERNAME_PREVENTS_MSG= OpenVPN ${DISTVERSION} cannot use --x509-username-field with mbedTLS. Disable X509ALTUSERNAME, or use OpenSSL instead +MBEDTLS_LIB_DEPENDS= libmbedtls.so:security/mbedtls +MBEDTLS_CONFIGURE_ON= --with-crypto-library=mbedtls OPENSSL_USES= ssl OPENSSL_CONFIGURE_ON= --with-crypto-library=openssl -MBEDTLS_LIB_DEPENDS= libmbedtls.so:security/mbedtls -MBEDTLS_CONFIGURE_ON= --with-crypto-library=mbedtls +PKCS11_PREVENTS= MBEDTLS +PKCS11_PREVENTS_MSG= OpenVPN cannot use pkcs11-helper with mbedTLS. 
Disable PKCS11, or use OpenSSL instead +PKCS11_LIB_DEPENDS= libpkcs11-helper.so:security/pkcs11-helper +PKCS11_CONFIGURE_ENABLE= pkcs11 -LZO_CONFIGURE_ENABLE= lzo -LZO_LIB_DEPENDS+= liblzo2.so:archivers/lzo2 - -LZ4_CONFIGURE_ENABLE= lz4 -LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4 - SMALL_CONFIGURE_ENABLE= small -USE_RC_SUBR= openvpn +TEST_ALL_TARGET= check +TEST_TEST_TARGET_OFF= check -SUB_FILES= pkg-message openvpn-client +TUNNELBLICK_EXTRA_PATCHES= ${FILESDIR}/extra-tunnelblick-openvpn_xorpatch:-p1 +X509ALTUSERNAME_PREVENTS= MBEDTLS +X509ALTUSERNAME_PREVENTS_MSG= OpenVPN ${DISTVERSION} cannot use --x509-username-field with mbedTLS. Disable X509ALTUSERNAME, or use OpenSSL instead +X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username + .ifdef (LOG_OPENVPN) CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN} .endif -PORTDOCS= * -PORTEXAMPLES= * - -TEST_ALL_TARGET= check -TEST_TEST_TARGET_OFF= check - .include .if ${PORT_OPTIONS:MMBEDTLS} @@ -140,11 +133,13 @@ post-install: @${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up ${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client ${MKDIR} ${STAGEDIR}${PREFIX}/include + @: # workaround for 2.5.0 only XXX FIXME remove after 2.5.0 + ${INSTALL_MAN} ${WRKSRC}/doc/openvpn.8 ${STAGEDIR}${MANPREFIX}/man/man8 post-install-DOCS-on: ${MKDIR} ${STAGEDIR}${DOCSDIR}/ .for i in AUTHORS ChangeLog PORTS - ${INSTALL_DATA} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/ + ${INSTALL_MAN} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/ .endfor post-install-EXAMPLES-on: Modified: head/security/openvpn/distinfo ============================================================================== --- head/security/openvpn/distinfo Fri Oct 30 19:27:52 2020 (r553712) +++ head/security/openvpn/distinfo Fri Oct 30 20:36:01 2020 (r553713) 
@@ -1,3 +1,3 @@ -TIMESTAMP = 1587146198 -SHA256 (openvpn-2.4.9.tar.xz) = 641f3add8694b2ccc39fd4fd92554e4f089ad16a8db6d2b473ec284839a5ebe2 -SIZE (openvpn-2.4.9.tar.xz) = 954264 +TIMESTAMP = 1604077828 +SHA256 (openvpn-2.5.0.tar.xz) = 029a426e44d656cb4e1189319c95fe6fc9864247724f5599d99df9c4c3478fbd +SIZE (openvpn-2.5.0.tar.xz) = 1126928 Modified: head/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch ============================================================================== --- head/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch Fri Oct 30 19:27:52 2020 (r553712) +++ head/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch Fri Oct 30 20:36:01 2020 (r553713) 
@@ -10,47 +10,47 @@ detail on the following wiki page: https://tunnelblick.net/cOpenvpn_xorpatch.html -The patch was ported to OpenVPN 2.4 by OPNsense. - ---- src/openvpn/forward.c.orig 2016-12-22 07:25:18 UTC -+++ src/openvpn/forward.c -@@ -730,7 +730,10 @@ read_incoming_link(struct context *c) +diff -u -r -x .DS_Store openvpn-2.5_beta1.old/src/openvpn/forward.c openvpn-2.5_beta1.new/src/openvpn/forward.c +--- openvpn-2.5_beta1.old/src/openvpn/forward.c 2020-08-16 11:57:15.000000000 -0400 ++++ openvpn-2.5_beta1.new/src/openvpn/forward.c 2020-08-16 11:57:15.000000000 -0400 +@@ -811,7 +811,10 @@ status = link_socket_read(c->c2.link_socket, &c->c2.buf, - &c->c2.from); -+ &c->c2.from, -+ c->options.ce.xormethod, -+ c->options.ce.xormask, -+ c->options.ce.xormasklen); ++ &c->c2.from, ++ c->options.ce.xormethod, ++ c->options.ce.xormask, ++ c->options.ce.xormasklen); if (socket_connection_reset(c->c2.link_socket, status)) { -@@ -1368,7 +1371,10 @@ process_outgoing_link(struct context *c) +@@ -1621,7 +1624,10 @@ /* Send packet */ size = link_socket_write(c->c2.link_socket, &c->c2.to_link, - to_addr); + to_addr, -+ c->options.ce.xormethod, -+ c->options.ce.xormask, -+ c->options.ce.xormasklen); ++ c->options.ce.xormethod, ++ c->options.ce.xormask, ++ c->options.ce.xormasklen); /* Undo effect of prepend */ link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link); ---- src/openvpn/options.c.orig 2016-12-22 07:25:18 UTC -+++ src/openvpn/options.c -@@ -811,6 +811,9 @@ init_options(struct options *o, const bo +diff -u -r -x .DS_Store openvpn-2.5_rc3.old/src/openvpn/options.c openvpn-2.5_rc3.new/src/openvpn/options.c +--- openvpn-2.5_rc3.old/src/openvpn/options.c 2020-10-19 13:38:17.000000000 -0400 ++++ openvpn-2.5_rc3.new/src/openvpn/options.c 2020-10-19 13:38:17.000000000 -0400 +@@ -821,6 +821,9 @@ o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; o->resolve_in_advance = false; o->proto_force = -1; + o->ce.xormethod = 0; + o->ce.xormask = "\0"; + o->ce.xormasklen 
= 0; - #ifdef ENABLE_OCC o->occ = true; - #endif -@@ -972,6 +975,9 @@ setenv_connection_entry(struct env_set * + #ifdef ENABLE_MANAGEMENT + o->management_log_history_cache = 250; +@@ -973,6 +976,9 @@ setenv_str_i(es, "local_port", e->local_port, i); setenv_str_i(es, "remote", e->remote, i); setenv_str_i(es, "remote_port", e->remote_port, i); @@ -60,17 +60,17 @@ The patch was ported to OpenVPN 2.4 by OPNsense. if (e->http_proxy_options) { -@@ -1474,6 +1480,9 @@ show_connection_entry(const struct conne +@@ -1452,6 +1458,9 @@ SHOW_BOOL(bind_ipv6_only); SHOW_INT(connect_retry_seconds); SHOW_INT(connect_timeout); -+ SHOW_INT(xormethod); -+ SHOW_STR(xormask); -+ SHOW_INT(xormasklen); ++ SHOW_INT (xormethod); ++ SHOW_STR (xormask); ++ SHOW_INT (xormasklen); if (o->http_proxy_options) { -@@ -5915,6 +5924,46 @@ add_option(struct options *options, +@@ -6260,6 +6269,46 @@ } options->proto_force = proto_force; } 
@@ -103,23 +103,24 @@ The patch was ported to OpenVPN 2.4 by OPNsense. + } + else if (!p[2]) + { -+ msg(M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]); ++ msg (M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]); + options->ce.xormethod = 1; + options->ce.xormask = p[1]; + options->ce.xormasklen = strlen(options->ce.xormask); + } + else + { -+ msg(msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'"); ++ msg (msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'"); + goto err; + } + } else if (streq(p[0], "http-proxy") && p[1] && !p[5]) { struct http_proxy_options *ho; ---- src/openvpn/options.h.orig 2016-12-22 07:25:18 UTC -+++ src/openvpn/options.h -@@ -98,6 +98,9 @@ struct connection_entry +diff -u -r -x .DS_Store openvpn-2.5_git_57d6f10.old/src/openvpn/options.h openvpn-2.5_git_57d6f10.new/src/openvpn/options.h +--- openvpn-2.5_git_57d6f10.old/src/openvpn/options.h 2018-07-28 06:02:27.000000000 -0400 ++++ openvpn-2.5_git_57d6f10.new/src/openvpn/options.h 2018-07-28 06:02:27.000000000 -0400 +@@ -99,6 +99,9 @@ int connect_retry_seconds; int connect_retry_seconds_max; int connect_timeout; 
@@ -129,33 +130,36 @@ The patch was ported to OpenVPN 2.4 by OPNsense. struct http_proxy_options *http_proxy_options; const char *socks_proxy_server; const char *socks_proxy_port; ---- src/openvpn/socket.c.orig 2016-12-22 07:25:18 UTC -+++ src/openvpn/socket.c -@@ -55,6 +55,53 @@ const int proto_overhead[] = { /* indexe +--- openvpn-2.5_git_974513e/src/openvpn/socket.c 2017-08-17 11:27:23.000000000 -0400 ++++ openvpn-2.5_git_974513e_patched/src/openvpn/socket.c 2017-08-18 18:37:11.000000000 -0400 +@@ -54,6 +54,56 @@ IPv6_TCP_HEADER_SIZE, }; - -+int buffer_mask (struct buffer *buf, const char *mask, int xormasklen) { -+ int i; -+ uint8_t *b; -+ if ( xormasklen > 0 ) { -+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) { -+ *b = *b ^ mask[i % xormasklen]; -+ } -+ } -+ return BLEN (buf); + ++int buffer_mask(struct buffer *buf, const char *mask, int xormasklen) ++{ ++ int i; ++ uint8_t *b; ++ if ( xormasklen > 0 ) { ++ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) { ++ *b = *b ^ mask[i % xormasklen]; ++ } ++ } ++ return BLEN (buf); +} + -+int buffer_xorptrpos (struct buffer *buf) { -+ int i; -+ uint8_t *b; -+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) { -+ *b = *b ^ i+1; -+ } -+ return BLEN (buf); ++int buffer_xorptrpos(struct buffer *buf) ++{ ++ int i; ++ uint8_t *b; ++ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) { ++ *b = *b ^ i+1; ++ } ++ return BLEN (buf); +} + -+int buffer_reverse (struct buffer *buf) { ++int buffer_reverse(struct buffer *buf) ++{ +/* This function has been rewritten for Tunnelblick. The buffer_reverse function at + * https://github.com/clayface/openvpn_xorpatch + * makes a copy of the buffer and it writes to the byte **after** the 
@@ -167,38 +171,39 @@ The patch was ported to OpenVPN 2.4 by OPNsense. + * actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'. + * (Of course, the actual buffer contents are bytes, and not necessarily characters.) + */ -+ int len = BLEN(buf); -+ if ( len > 2 ) { /* Leave '', 'a', and 'ab' alone */ -+ int i; -+ uint8_t *b_start = BPTR (buf) + 1; /* point to first byte to swap */ -+ uint8_t *b_end = BPTR (buf) + (len - 1); /* point to last byte to swap */ -+ uint8_t tmp; -+ for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) { -+ tmp = *b_start; -+ *b_start = *b_end; -+ *b_end = tmp; ++ int len = BLEN(buf); ++ if ( len > 2 ) { /* Leave '', 'a', and 'ab' alone */ ++ int i; ++ uint8_t *b_start = BPTR (buf) + 1; /* point to first byte to swap */ ++ uint8_t *b_end = BPTR (buf) + (len - 1); /* point to last byte to swap */ ++ uint8_t tmp; ++ for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) { ++ tmp = *b_start; ++ *b_start = *b_end; ++ *b_end = tmp; ++ } + } -+ } -+ return len; ++ return len; +} + /* * Convert sockflags/getaddr_flags into getaddr_flags */ ---- src/openvpn/socket.h.orig 2016-12-22 07:25:18 UTC -+++ src/openvpn/socket.h -@@ -249,6 +249,10 @@ struct link_socket +diff -u -r -x .DS_Store openvpn-2.5_beta1.old/src/openvpn/socket.h openvpn-2.5_beta1.new/src/openvpn/socket.h +--- openvpn-2.5_beta1.old/src/openvpn/socket.h 2020-08-16 11:57:17.000000000 -0400 ++++ openvpn-2.5_beta1.new/src/openvpn/socket.h 2020-08-16 11:57:17.000000000 -0400 +@@ -249,6 +249,10 @@ #endif }; -+int buffer_mask (struct buffer *buf, const char *xormask, int xormasklen); -+int buffer_xorptrpos (struct buffer *buf); -+int buffer_reverse (struct buffer *buf); ++int buffer_mask(struct buffer *buf, const char *xormask, int xormasklen); ++int buffer_xorptrpos(struct buffer *buf); ++int buffer_reverse(struct buffer *buf); + /* * Some Posix/Win32 differences. 
*/ -@@ -1046,30 +1050,55 @@ int link_socket_read_udp_posix(struct li +@@ -1049,30 +1053,56 @@ static inline int link_socket_read(struct link_socket *sock, struct buffer *buf, @@ -209,11 +214,10 @@ The patch was ported to OpenVPN 2.4 by OPNsense. + int xormasklen) { + int res; -+ if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ { - int res; -- + #ifdef _WIN32 res = link_socket_read_udp_win32(sock, buf, from); #else @@ -233,33 +237,34 @@ The patch was ported to OpenVPN 2.4 by OPNsense. ASSERT(0); return -1; /* NOTREACHED */ } -+ switch (xormethod) { -+ case 0: -+ break; -+ case 1: -+ buffer_mask(buf,xormask,xormasklen); -+ break; -+ case 2: -+ buffer_xorptrpos(buf); -+ break; -+ case 3: -+ buffer_reverse(buf); -+ break; -+ case 4: -+ buffer_mask(buf,xormask,xormasklen); -+ buffer_xorptrpos(buf); -+ buffer_reverse(buf); -+ buffer_xorptrpos(buf); -+ break; -+ default: -+ ASSERT (0); -+ return -1; /* NOTREACHED */ ++ switch(xormethod) ++ { ++ case 0: ++ break; ++ case 1: ++ buffer_mask(buf,xormask,xormasklen); ++ break; ++ case 2: ++ buffer_xorptrpos(buf); ++ break; ++ case 3: ++ buffer_reverse(buf); ++ break; ++ case 4: ++ buffer_mask(buf,xormask,xormasklen); ++ buffer_xorptrpos(buf); ++ buffer_reverse(buf); ++ buffer_xorptrpos(buf); ++ break; ++ default: ++ ASSERT (0); ++ return -1; /* NOTREACHED */ + } + return res; } /* -@@ -1159,8 +1188,33 @@ link_socket_write_udp(struct link_socket +@@ -1163,8 +1193,34 @@ static inline int link_socket_write(struct link_socket *sock, struct buffer *buf, 
@@ -269,27 +274,28 @@ The patch was ported to OpenVPN 2.4 by OPNsense. + const char *xormask, + int xormasklen) { -+ switch (xormethod) { -+ case 0: -+ break; -+ case 1: -+ buffer_mask(buf,xormask,xormasklen); -+ break; -+ case 2: -+ buffer_xorptrpos(buf); -+ break; -+ case 3: -+ buffer_reverse(buf); -+ break; -+ case 4: -+ buffer_xorptrpos(buf); -+ buffer_reverse(buf); -+ buffer_xorptrpos(buf); -+ buffer_mask(buf,xormask,xormasklen); -+ break; -+ default: -+ ASSERT (0); -+ return -1; /* NOTREACHED */ ++ switch(xormethod) ++ { ++ case 0: ++ break; ++ case 1: ++ buffer_mask(buf,xormask,xormasklen); ++ break; ++ case 2: ++ buffer_xorptrpos(buf); ++ break; ++ case 3: ++ buffer_reverse(buf); ++ break; ++ case 4: ++ buffer_xorptrpos(buf); ++ buffer_reverse(buf); ++ buffer_xorptrpos(buf); ++ buffer_mask(buf,xormask,xormasklen); ++ break; ++ default: ++ ASSERT (0); ++ return -1; /* NOTREACHED */ + } if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ { Modified: head/security/openvpn/pkg-plist ============================================================================== --- head/security/openvpn/pkg-plist Fri Oct 30 19:27:52 2020 (r553712) +++ head/security/openvpn/pkg-plist Fri Oct 30 20:36:01 2020 (r553713) @@ -1,9 +1,9 @@ -include/openvpn-plugin.h include/openvpn-msg.h +include/openvpn-plugin.h lib/openvpn/plugins/openvpn-plugin-auth-pam.so lib/openvpn/plugins/openvpn-plugin-down-root.so +libexec/openvpn-client.down +libexec/openvpn-client.up man/man8/openvpn.8.gz sbin/openvpn sbin/openvpn-client -libexec/openvpn-client.up -libexec/openvpn-client.down
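Review bot: in the UPDATING hunk (@@ -5,6 +5,18 @@), "Some options have been removed" names none of them, and the BF-CBC sentence does not say which setting a user has to touch, so the entry is not actionable without following the link; name the removed options that are likely to sit in existing configurations and the setting that controls the data-channel cipher list, and tighten the first sentence to "has been updated to v2.5.0, which changes the default ciphersuite so that it no longer contains BF-CBC" to avoid the double "which".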
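Review bot: the Makefile hunk @@ -15,86 +15,79 @@ deletes the XXX FIXME block that said USES+=localbase:ldflags should only replace the hand-rolled CPPFLAGS/LDFLAGS (including -Wl,--as-needed) once the plugin build had been re-tested with an older OpenVPN already installed in LOCALBASE, and then adopts localbase:ldflags; neither the log nor a Makefile comment records that this scenario was re-tested, so add a sentence to the log or a one-line comment explaining why the workaround is no longer needed. Separately, `IGNORE_SSL= libressl libressl-devel` carries no reason, so users building with DEFAULT_VERSIONS+=ssl=libressl will only see the generic IGNORE message; a comment stating what fails with LibreSSL (or a reference to the upstream ticket, with a placeholder id until there is one) belongs next to it.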
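Review bot: the post-install hunk @@ -140,11 +133,13 @@ adds `@: # workaround for 2.5.0 only XXX FIXME remove after 2.5.0` followed by a manual `${INSTALL_MAN} ${WRKSRC}/doc/openvpn.8 ...`, but the comment never says what is being worked around; spell out what the 2.5.0 install target gets wrong with the man page and cite the upstream fix (or a placeholder ticket id), so the FIXME can actually be acted on at the next release instead of being rediscovered. The INSTALL_DATA to INSTALL_MAN switch for AUTHORS/ChangeLog/PORTS matches the log message and is fine.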
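Review bot: the first xorpatch hunk (@@ -10,47 +10,47 @@) drops the provenance line "The patch was ported to OpenVPN 2.4 by OPNsense." and puts nothing in its place, while the new file headers show the hunks were stitched together from four different Tunnelblick snapshots (openvpn-2.5_beta1, openvpn-2.5_rc3, openvpn-2.5_git_57d6f10 dated 2018, openvpn-2.5_git_974513e dated 2017), and the socket.c pair lacks the `diff -u -r -x .DS_Store` line the others carry; add one line to the preamble stating which Tunnelblick release the patch was copied from and when, so the next rebase can be traced and re-verified. The `:-p1` added to TUNNELBLICK_EXTRA_PATCHES in the Makefile is consistent with the one-level directory prefix in these headers.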
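Review bot: the options.c hunk @@ -60,17 +60,17 @@ (and the add_option hunk at @@ -103,23 +103,24 @@) reintroduces `SHOW_INT (xormethod)` and `msg (M_WARN, ...)` with a space before the parenthesis, a style the previous copy of this patch had normalized to OpenVPN's own `SHOW_INT(xormethod)` / `msg(M_WARN, ...)`; since the port carries this file itself, keeping the upstream formatting keeps future diffs readable and is the only change worth making here.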
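Review bot: in the socket.c hunk @@ -129,33 +130,36 @@, `*b = *b ^ i+1;` in buffer_xorptrpos only does the right thing because `+` binds tighter than `^`; write `*b ^= (uint8_t)(i + 1);` so the intent is explicit. The same hunk shows that all three helpers are keyless involutions over a configuration-supplied string (buffer_mask XORs with the literal `scramble` argument, buffer_xorptrpos with the byte position, buffer_reverse swaps bytes), so this layer hides OpenVPN's packet framing from simple pattern matching and nothing more; the option description and pkg-message should state that it adds no confidentiality or integrity beyond what the TLS data channel already provides, so that users do not mistake "scramble" for encryption.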
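Review bot: the link_socket_read hunk @@ -233,33 +237,34 @@ applies the descramble for method 4 in the order mask, xorptrpos, reverse, xorptrpos, which is the exact mirror of the write-side order in @@ -269,27 +274,28 @@ (xorptrpos, reverse, xorptrpos, mask); that is correct because each step is its own inverse, but nothing in the code ties the two switch statements together, so add a comment at each one saying the method-4 sequence must stay the reverse of the other. The switch also runs regardless of the value of `res`; the helper loops bound themselves by BLEN(buf), so a failed read is harmless today, but wrapping the switch in `if (res > 0)` would make that guarantee explicit rather than incidental.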