OpenVPN SSL obfuscation
Goal: build a proper patch file that can be used for OpenWrt. We'll practise with the following commit that I found:
https://github.com/hizukiayaka/openvpn/commit/2eb2234f28d176a74d949f8563eb11ac2ad70bb8
First, fetch OpenWrt and see where 'openvpn' lives:
bastian@X301:~/software$ git clone git://git.openwrt.org/openwrt.git
bastian@X301:~/software$ cd openwrt
bastian@X301:~/software/openwrt$ find . -type d -name openvpn
./package/network/services/openvpn
OK, we look at the Makefile for the download link and version:
bastian@X301:~/software/openwrt$ grep -m6 ^[A-Z] ./package/network/services/openvpn/Makefile
PKG_NAME:=openvpn
PKG_VERSION:=2.3.7
PKG_RELEASE:=1
PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_MD5SUM:=070bca95e478f88dff9ec6a221e2c3f7
OK, we create a local git repository and fetch the tarball:
bastian@X301:~/software/openwrt$ cd ..
bastian@X301:~/software$ mkdir openvpn
bastian@X301:~/software$ cd openvpn/
bastian@X301:~/software/openvpn$ git init
Initialized empty Git repository in /home/bastian/software/openvpn/.git/
bastian@X301:~/software/openvpn$ wget http://swupdate.openvpn.net/community/releases/openvpn-2.3.7.tar.gz
bastian@X301:~/software/openvpn$ tar xzf openvpn-2.3.7.tar.gz
bastian@X301:~/software/openvpn$ cd openvpn-2.3.7/
bastian@X301:~/software/openvpn/openvpn-2.3.7$ git init
Initialized empty Git repository in /home/bastian/software/openvpn/openvpn-2.3.7/.git/
bastian@X301:~/software/openvpn/openvpn-2.3.7$ git add .
bastian@X301:~/software/openvpn/openvpn-2.3.7$ git commit -m "extracted openvpn-2.3.7.tar.gz"
[master (root-commit) e97a8c6] extracted openvpn-2.3.7.tar.gz
 306 files changed, 112266 insertions(+)
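The tarball is fetched over plain HTTP and unpacked without being compared to the PKG_MD5SUM recorded in the Makefile. The following is an added example, not part of the original walkthrough, that does this check before unpacking; the function names pkg_var, pkg_source and verify_tarball are made up for this illustration, and it assumes md5sum (coreutils) is installed.

```shell
#!/bin/sh
# Added example: verify a downloaded source tarball against the PKG_MD5SUM
# of an OpenWrt package Makefile. Function names are hypothetical.

# pkg_var MAKEFILE NAME -> prints the value of the first "NAME:=value" line
pkg_var() {
    sed -n "s/^$2:=//p" "$1" | head -n 1
}

# pkg_source MAKEFILE -> prints PKG_SOURCE with $(PKG_NAME) and
# $(PKG_VERSION) expanded, e.g. openvpn-2.3.7.tar.gz
pkg_source() {
    name=$(pkg_var "$1" PKG_NAME)
    version=$(pkg_var "$1" PKG_VERSION)
    pkg_var "$1" PKG_SOURCE |
        sed -e "s/[\$](PKG_NAME)/$name/g" -e "s/[\$](PKG_VERSION)/$version/g"
}

# verify_tarball MAKEFILE TARBALL -> returns 0 if the MD5 matches, 1 otherwise
verify_tarball() {
    want=$(pkg_var "$1" PKG_MD5SUM)
    if [ -z "$want" ]; then
        echo "no PKG_MD5SUM in $1" >&2
        return 1
    fi
    # an unreadable tarball yields an empty hash and is reported as mismatch
    have=$(md5sum "$2" 2>/dev/null | cut -d' ' -f1)
    if [ "$have" = "$want" ]; then
        echo "OK: $2 matches PKG_MD5SUM"
    else
        echo "MISMATCH: $2 has '$have', Makefile expects '$want'" >&2
        return 1
    fi
}

# Usage with the paths from this page, run in ~/software/openvpn:
#   mk=../openwrt/package/network/services/openvpn/Makefile
#   src=$(pkg_source "$mk")
#   verify_tarball "$mk" "$src" && tar xzf "$src"
```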
Now we download the patch file for the GitHub commit:
# https://github.com/hizukiayaka/openvpn/commit/2eb2234f28d176a74d949f8563eb11ac2ad70bb8
# append .patch:
bastian@X301:~/software/openvpn/openvpn-2.3.7$ wget -O /tmp/mypatch https://github.com/hizukiayaka/openvpn/commit/2eb2234f28d176a74d949f8563eb11ac2ad70bb8.patch
bastian@X301:~/software/openvpn/openvpn-2.3.7$ git apply --check </tmp/mypatch
error: patch failed: src/openvpn/options.c:6593
error: src/openvpn/options.c: patch does not apply
error: patch failed: src/openvpn/options.h:522
error: src/openvpn/options.h: patch does not apply
OK, it's not that simple, so we fetch options.c and options.h from the commit before it (the "parent"):
parent='3ec9eb8ee402ea977805eaac6a8caa38f5800bbd'
wget -O src/openvpn/options.c "https://raw.githubusercontent.com/hizukiayaka/openvpn/$parent/src/openvpn/options.c"
wget -O src/openvpn/options.h "https://raw.githubusercontent.com/hizukiayaka/openvpn/$parent/src/openvpn/options.h"
git add .
git commit -m "sync options.* of parent"
Now test again whether it applies:
bastian@X301:~/software/openvpn/openvpn-2.3.7$ git apply --check /tmp/mypatch
bastian@X301:~/software/openvpn/openvpn-2.3.7$ git am --ignore-whitespace --signoff </tmp/mypatch
bastian@X301:~/software/openvpn/openvpn-2.3.7$ git log
commit dc3103e7fef1afb1c7c76bc83d1d6d78079284da
Author: ayaka <ayaka@soulik.info>
Date:   Fri Aug 28 18:00:58 2015 +0800

    obfuscation: apply xor in SSL layer

    NOTE: It only work with OpenSSL library not PolarSSL library.
    The xor patch before only worked with IP tunnel package.

    Signed-off-by: ayaka <ayaka@soulik.info>
    Signed-off-by: Bastian Bittorf <bittorf@bluebottle.com>

commit 6d764b72d92594b478c73f2a843abafd8ce02f52
Author: Bastian Bittorf <bittorf@bluebottle.com>
Date:   Sat Dec 12 16:21:33 2015 +0100

    options.* from parent

Wonderful! Now we turn these into 2 ordinary patch files:
bastian@X301:~/software/openvpn/openvpn-2.3.7$ git format-patch -s -2
0001-options.-from-parent.patch
0002-obfuscation-apply-xor-in-SSL-layer.patch
...and copy them into the OpenWrt build system:
bastian@X301:~/software/openvpn/openvpn-2.3.7$ find ../../openwrt -type d -name openvpn
../../openwrt/package/network/services/openvpn
bastian@X301:~/software/openvpn/openvpn-2.3.7$ mv 000* ../../openwrt/package/network/services/openvpn/patches/
I have uploaded the patches: https://github.com/bittorf/kalua/tree/master/openwrt-patches/interesting/openvpn-ssl-obfuscation
In 'make menuconfig', openvpn-openssl must be selected under network->VPN:
make package/openvpn/clean
make package/openvpn/compile
make package/openvpn/install
Done!