diff options
author | kali <kali@leap.se> | 2020-07-27 18:18:38 +0200 |
---|---|---|
committer | Ruben Pollan <meskio@sindominio.net> | 2020-10-13 19:08:40 +0200 |
commit | 2cf32806dcce2d41920be28bd0e7d12e5d049357 (patch) | |
tree | 5ecad10f0c2804ab0ded8380431490e475f57998 | |
parent | 211fc457329b074fd4331aec0c4fc5d765e9023f (diff) |
[pkg] update build script for openvpn
-rw-r--r-- | Makefile | 22 | ||||
-rw-r--r-- | bitmask.pro | 2 | ||||
-rw-r--r-- | branding/installer/osx/se.leap.bitmask-helper.plist | 26 | ||||
-rwxr-xr-x | branding/installer/post-install.py | 96 | ||||
-rw-r--r-- | branding/thirdparty/openvpn/build.mk | 11 | ||||
-rwxr-xr-x | branding/thirdparty/openvpn/build_openvpn.sh | 190 | ||||
-rw-r--r-- | gui/backend.go | 1 | ||||
-rwxr-xr-x | gui/build.sh | 13 | ||||
-rw-r--r-- | gui/main.cpp | 6 | ||||
-rw-r--r-- | installer/bitmask-installer.pro | 5 | ||||
-rw-r--r-- | installer/config/config.xml | 2 | ||||
-rw-r--r-- | installer/packages/riseupvpn/data/.gitignore | 3 | ||||
-rwxr-xr-x | installer/packages/riseupvpn/data/post-install.py | 54 | ||||
-rw-r--r-- | installer/packages/riseupvpn/data/se.leap.bitmask-helper.plist | 26 | ||||
-rw-r--r-- | pkg/helper/args.go | 11 | ||||
-rw-r--r-- | pkg/helper/darwin.go | 40 | ||||
-rw-r--r-- | pkg/helper/linux.go | 9 | ||||
-rw-r--r-- | pkg/helper/windows.go | 8 |
18 files changed, 471 insertions, 54 deletions
@@ -29,6 +29,7 @@ SCRIPTS = branding/scripts all: icon locales helper build HAS_QTIFW := $(shell PATH=$(PATH) which binarycreator) +OPENVPN_BIN = "$(HOME)/openvpn_build/sbin/$(shell grep OPENVPN branding/thirdparty/openvpn/build_openvpn.sh | head -n 1 | cut -d = -f 2 | tr -d '"')" ######################################################################### @@ -55,17 +56,22 @@ dependsDarwin: @brew install python3 golang make pkg-config curl @brew install --default-names gnu-sed +ifeq ($(PLATFORM), darwin) + EXTRA_FLAGS = MACOSX_DEPLOYMENT_TARGET=10.10 GOOS=darwin CC=clang +else + EXTRA_FLAGS = +endif golib: - CGO_ENABLED=1 go build -buildmode=c-archive -o ${TARGET_GOLIB} ${SOURCE_GOLIB} + CGO_ENABLED=1 ${EXTRA_FLAGS} go build -buildmode=c-archive -o ${TARGET_GOLIB} ${SOURCE_GOLIB} + +build: build_helper build_openvpn + @XBUILD=no gui/build.sh build_helper: @echo "PLATFORM: ${PLATFORM}" @mkdir -p build/bin/${PLATFORM} go build -o build/bin/${PLATFORM}/bitmask-helper -ldflags "-X main.AppName=${PROVIDER}VPN -X main.Version=${VERSION}" ./cmd/bitmask-helper/ -build: build_helper - @gui/build.sh - build_old: ifeq (${XBUILD}, yes) $(MAKE) build_cross_win @@ -81,9 +87,16 @@ else @gui/build.sh endif +build_openvpn: + @[ -f $(OPENVPN_BIN) ] && echo "OpenVPN already built at" $(OPENVPN_BIN) || ./branding/thirdparty/openvpn/build_openvpn.sh + build_installer: check_qtifw build cp -r qtbuild/release/${PROVIDER}-vpn.app installer/packages/${PROVIDER}vpn/data/ cp build/bin/${PLATFORM}/bitmask-helper installer/packages/${PROVIDER}vpn/data/ + cp $(OPENVPN_BIN) installer/packages/${PROVIDER}vpn/data/openvpn.leap + cp branding/templates/osx/bitmask.pf.conf installer/packages/${PROVIDER}vpn/data/helper/bitmask.pf.conf + cp branding/templates/osx/client.up.sh installer/packages/${PROVIDER}vpn/data/ + cp branding/templates/osx/client.down.sh installer/packages/${PROVIDER}vpn/data/ cd installer && qmake && make check_qtifw: @@ -263,6 +276,7 @@ package_deb: @make -C build/${PROVIDER} pkg_deb installer_win: + # XXX refactor with build_installer cp helper.exe ${WININST_DATA} cp qtbuild/release/${TARGET}.exe ${WININST_DATA}${PROVIDER}-vpn.exe windeployqt --qmldir gui/qml ${WININST_DATA}${PROVIDER}-vpn.exe diff --git a/bitmask.pro b/bitmask.pro index 7f4b488..7acf7a9 100644 --- a/bitmask.pro +++ b/bitmask.pro @@ -5,7 +5,7 @@ CONFIG += qt staticlib windows:CONFIG += console unix:DEBUG:CONFIG += debug lessThan(QT_MAJOR_VERSION, 5): error("requires Qt 5") -QMAKE_MACOSX_DEPLOYMENT_TARGET = 10.14 +QMAKE_MACOSX_DEPLOYMENT_TARGET = 10.12 macx { LIBS += -framework Security diff --git a/branding/installer/osx/se.leap.bitmask-helper.plist b/branding/installer/osx/se.leap.bitmask-helper.plist new file mode 100644 index 0000000..c9d9687 --- /dev/null +++ b/branding/installer/osx/se.leap.bitmask-helper.plist @@ -0,0 +1,26 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> +<dict> + <key>WorkingDirectory</key> + <string>/tmp</string> + <key>StandardOutPath</key> + <string>bitmask-helper.log</string> + <key>StandardErrorPath</key> + <string>bitmask-helper-err.log</string> + <key>GroupName</key> + <string>daemon</string> + <key>RunAtLoad</key> + <true/> + <key>SessionCreate</key> + <true/> + <key>KeepAlive</key> + <true/> + <key>ThrottleInterval</key> + <integer>5</integer> + <key>Label</key> + <string>se.leap.BitmaskHelper</string> + <key>Program</key> + <string>PATH/bitmask-helper</string> +</dict> +</plist> diff --git a/branding/installer/post-install.py b/branding/installer/post-install.py new file mode 100755 index 0000000..02da859 --- /dev/null +++ b/branding/installer/post-install.py @@ -0,0 +1,96 @@ +#!/usr/bin/env python + +import os +import shutil +import sys +import subprocess + +HELPER = "bitmask-helper" +HELPER_PLIST = "/Library/LaunchDaemons/se.leap.bitmask-helper.plist" +_dir = os.path.dirname(os.path.realpath(__file__)) + +def main(): + log = open(os.path.join(_dir, 'post-install.log'), 'w') + log.write('Checking for admin privileges...\n') + + _id = os.getuid() + if _id != 0: + err = "error: need to run as root. UID: %s\n" % str(_id) + logErr(log, err) + + # failure: sys.exit(1) + + if isHelperRunning(): + log.write("Trying to stop bitmask-helper...\n") + # if this fail, we can check if the HELPER_PLIST is there + ok = unloadHelper() + log.write("success: %s \n" % str(ok)) + + ok = fixHelperOwner(log) + log.write("chown helper: %s \n" % str(ok)) + + log.write("Copy launch daemon...\n") + copyLaunchDaemon() + + out = launchHelper() + log.write("Copy plist: %s \n" % str(ok)) + + grantPermissionsOnLogFolder() + + # all done + log.write('post-install script: done\n') + sys.exit(0) + + +def logErr(log, msg): + log.write(msg) + sys.exit(1) + +def isHelperRunning(): + ps = _getProcessList() + return HELPER in ps + +def unloadHelper(): + out = subprocess.call(["launchctl", "unload", HELPER_PLIST]) + return out == 0 + +def fixHelperOwner(log): + path = os.path.join(_dir, HELPER) + try: + os.chown(path, 0, 0) + except OSError as exc: + log.write(str(exc)) + return False + return True + +def copyLaunchDaemon(): + plist = "se.leap.bitmask-helper.plist" + path = os.path.join(_dir, plist) + dest = os.path.join('/Library/LaunchDaemons', plist) + _p = _dir.replace("/", "\/") + subprocess.call(["sed", "-i.back", "s/PATH/%s/" % _p, path]) + shutil.copy(path, dest) + +def launchHelper(): + out = subprocess.call(["launchctl", "load", "/Library/LaunchDaemons/se.leap.bitmask-helper.plist"]) + return out == 0 + +def grantPermissionsOnLogFolder(): + helperDir = os.path.join(_dir, 'helper') + try: + os.makedirs(helperDir) + except Exception: + pass + os.chown(helperDir, 0, 0) + +def _getProcessList(): + _out = [] + output = subprocess.Popen(["ps", "-ceA"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT) + stdout, stderr = output.communicate() + for line in stdout.split('\n'): + cmd = line.split(' ')[-1] + _out.append(cmd.strip()) + return _out + +if __name__ == "__main__": + main() diff --git a/branding/thirdparty/openvpn/build.mk b/branding/thirdparty/openvpn/build.mk new file mode 100644 index 0000000..df87eb2 --- /dev/null +++ b/branding/thirdparty/openvpn/build.mk @@ -0,0 +1,11 @@ +build_static_openvpn: + pkg/thirdparty/openvpn/build_openvpn.sh + +upload_openvpn: + rsync --rsh='ssh' -avztlpog --progress --partial ~/openvpn_build/sbin/openvpn* downloads.leap.se:./public/thirdparty/linux/openvpn/ + +download_openvpn: + wget https://downloads.leap.se/thirdparty/linux/openvpn/openvpn + +clean_openvpn_build: + rm -rf ~/openvpn_build diff --git a/branding/thirdparty/openvpn/build_openvpn.sh b/branding/thirdparty/openvpn/build_openvpn.sh new file mode 100755 index 0000000..20f764a --- /dev/null +++ b/branding/thirdparty/openvpn/build_openvpn.sh @@ -0,0 +1,190 @@ +#!/bin/bash + +############################################################################# +# Builds OpenVPN statically against mbedtls (aka polarssl). +# Requirements: cmake +# Output: ~/openvpn_build/sbin/openvpn-x.y.z +############################################################################# + +set -e +#set -x + +# [!] This needs to be updated for every release -------------------------- +OPENVPN="openvpn-2.4.9" +MBEDTLS="mbedtls-2.23.0" +LZO="lzo-2.10" +ZLIB="zlib-1.2.11" +MBEDTLS_SHA512="c2a04f659bf63522f10f6660c2d196d7f39a057ff5a382734ba3b839f463ead4e5c9bc0d21fb909d56fcd2ee4c711248be14861f388cd383385484d364247634" +LZO_SHA1="4924676a9bae5db58ef129dc1cebce3baa3c4b5d" +# ------------------------------------------------------------------------- + +platform='unknown' +unamestr=`uname` +if [[ "$unamestr" == 'Linux' ]]; then + platform='linux' +elif [[ "$unamestr" == 'Darwin' ]]; then + platform='osx' +fi + +BUILDDIR="openvpn_build" +mkdir -p ~/$BUILDDIR && cd ~/$BUILDDIR + +BASE=`pwd` +SRC=$BASE/src +mkdir -p $SRC + +SHASUM="/usr/bin/shasum" + +ZLIB_KEYS="https://keys.gnupg.net/pks/lookup?op=get&search=0x783FCD8E58BCAFBA" +OPENVPN_KEYS="https://swupdate.openvpn.net/community/keys/security.key.asc" + +WGET="wget --prefer-family=IPv4" +DEST=$BASE/install +LDFLAGS="-L$DEST/lib -L$DEST/usr/local/lib -W" +CPPFLAGS="-I$DEST/include" +CFLAGS="-D_FORTIFY_SOURCE=2 -O1 -Wformat -Wformat-security -fstack-protector -fPIE" +CXXFLAGS=$CFLAGS +CONFIGURE="./configure --prefix=/install" +MAKE="make -j4" + + +######## #################################################################### +# ZLIB # #################################################################### +######## #################################################################### + +function build_zlib() +{ + gpg --fetch-keys $ZLIB_KEYS + mkdir $SRC/zlib && cd $SRC/zlib + + if [ ! -f $ZLIB.tar.gz ]; then + $WGET https://zlib.net/$ZLIB.tar.gz + $WGET https://zlib.net/$ZLIB.tar.gz.asc + fi + tar zxvf $ZLIB.tar.gz + cd $ZLIB + + LDFLAGS=$LDFLAGS \ + CPPFLAGS=$CPPFLAGS \ + CFLAGS=$CFLAGS \ + CXXFLAGS=$CXXFLAGS \ + ./configure \ + --prefix=/install + + $MAKE + make install DESTDIR=$BASE +} + +########### ################################################################## +# MBEDTLS # ################################################################## +########### ################################################################## + +function build_mbedtls() +{ + mkdir -p $SRC/polarssl && cd $SRC/polarssl + if [ ! -f $MBEDTLS.tar.gz ]; then + $WGET https://github.com/ARMmbed/mbedtls/archive/$MBEDTLS.tar.gz + fi + sha512=`${SHASUM} -a 512 -p ${MBEDTLS}.tar.gz | cut -d' ' -f 1` + + if [ "${MBEDTLS_SHA512}" = "${sha512}" ]; then + echo "[+] sha1 verified ok" + else + echo "[!] problem with sha1 verification" + exit 1 + fi + tar zxvf $MBEDTLS.tar.gz + cd mbedtls-$MBEDTLS + mkdir -p build + cd build + cmake .. + $MAKE + make install DESTDIR=$BASE/install +} + + +######## #################################################################### +# LZO2 # #################################################################### +######## #################################################################### + +function build_lzo2() +{ + mkdir $SRC/lzo2 && cd $SRC/lzo2 + if [ ! -f $LZO.tar.gz ]; then + $WGET http://www.oberhumer.com/opensource/lzo/download/$LZO.tar.gz + fi + sha1=`$SHASUM $LZO.tar.gz | cut -d' ' -f 1` + if [ "${LZO_SHA1}" = "${sha1}" ]; then + echo "[+] sha1 verified ok" + else + echo "[!] problem with sha1 verification" + exit 1 + fi + tar zxvf $LZO.tar.gz + cd $LZO + + LDFLAGS=$LDFLAGS \ + CPPFLAGS=$CPPFLAGS \ + CFLAGS=$CFLAGS \ + CXXFLAGS=$CXXFLAGS \ + $CONFIGURE --enable-static --disable-debug + + $MAKE + make install DESTDIR=$BASE +} + +########### ################################################################# +# OPENVPN # ################################################################# +########### ################################################################# + +function build_openvpn() +{ + mkdir $SRC/openvpn && cd $SRC/openvpn + gpg --fetch-keys $OPENVPN_KEYS + if [ ! -f $OPENVPN.tar.gz ]; then + $WGET https://build.openvpn.net/downloads/releases/$OPENVPN.tar.gz + $WGET https://build.openvpn.net/downloads/releases/$OPENVPN.tar.gz.asc + fi + gpg --verify $OPENVPN.tar.gz.asc && echo "[+] gpg verification ok" + tar zxvf $OPENVPN.tar.gz + cd $OPENVPN + + MBEDTLS_CFLAGS=-I$BASE/install/usr/local/include/ \ + MBEDTLS_LIBS="$DEST/usr/local/lib/libmbedtls.a $DEST/usr/local/lib/libmbedcrypto.a $DEST/usr/local/lib/libmbedx509.a" \ + LDFLAGS=$LDFLAGS \ + CPPFLAGS=$CPPFLAGS \ + CFLAGS="$CFLAGS -I$BASE/install/usr/local/include" \ + CXXFLAGS=$CXXFLAGS \ + $CONFIGURE \ + --disable-plugin-auth-pam \ + --with-crypto-library=mbedtls \ + --enable-small \ + --disable-debug + + $MAKE LIBS="-all-static -lz -llzo2" + make install DESTDIR=$BASE/openvpn + mkdir -p $BASE/sbin/ + cp $BASE/openvpn/install/sbin/openvpn $BASE/sbin/$OPENVPN + strip $BASE/sbin/$OPENVPN +} + +function build_all() +{ + echo "[+] Building" $OPENVPN + build_zlib + build_lzo2 + build_mbedtls + build_openvpn +} + +function main() +{ + if [[ $platform == 'linux' ]]; then + build_all + fi + if [[ $platform == 'osx' ]]; then + build_all + fi +} + +main "$@" diff --git a/gui/backend.go b/gui/backend.go index 9453d88..f8ee2bd 100644 --- a/gui/backend.go +++ b/gui/backend.go @@ -3,6 +3,7 @@ package main /* a wrapper around bitmask that exposes status to a QtQml gui. Have a look at the pkg/backend module for further enlightment. */ +// #cgo CXXFLAGS: -mmacosx-version-min=10.10 import ( "C" "unsafe" diff --git a/gui/build.sh b/gui/build.sh index 91be4fc..9c10341 100755 --- a/gui/build.sh +++ b/gui/build.sh @@ -1,6 +1,6 @@ #!/bin/bash set -e - +set -x XBUILD=${XBUILD-no} WIN64="win64" @@ -30,6 +30,7 @@ else fi fi +PLATFORM=`uname -s` function init { mkdir -p lib @@ -38,10 +39,18 @@ function init { function buildGoLib { echo "[+] Using go in" $GO "[`go version`]" $GO generate ./pkg/config/version/genver/gen.go + if [ "$PLATFORM" == "Darwin" ] + then + OSX_TARGET=10.12 + GOOS=darwin + CC=clang + CGO_CFLAGS="-g -O2 -mmacosx-version-min=$OSX_TARGET" + CGO_LDFLAGS="-g -O2 -mmacosx-version-min=$OSX_TARGET" + fi if [ "$XBUILD" == "no" ] then echo "[+] Building Go library with standard Go compiler" - CGO_ENABLED=1 go build -buildmode=c-archive -o $TARGET_GOLIB $SOURCE_GOLIB + CGO_ENABLED=1 GOOS=$GOOS CC=$CC CGO_CFLAGS=$CGO_CFLAGS CGO_LDFLAGS=$CGO_LDFLAGS go build -buildmode=c-archive -o $TARGET_GOLIB $SOURCE_GOLIB fi if [ "$XBUILD" == "$WIN64" ] then diff --git a/gui/main.cpp b/gui/main.cpp index a177e60..684b0be 100644 --- a/gui/main.cpp +++ b/gui/main.cpp @@ -98,12 +98,6 @@ int main(int argc, char **argv) { "Install helpers (linux only, requires sudo)."), }, { - {"v", "version"}, - QApplication::translate( - "main", - "Version of the bitmask-vpn."), - }, - { {"o", "obfs4"}, QApplication::translate( "main", diff --git a/installer/bitmask-installer.pro b/installer/bitmask-installer.pro index 1435e4c..49179c4 100644 --- a/installer/bitmask-installer.pro +++ b/installer/bitmask-installer.pro @@ -22,6 +22,11 @@ macx { OTHER_FILES += "packages/riseupvpn/data/riseup-vpn.app" OTHER_FILES += "packages/riseupvpn/data/bitmask-helper" OTHER_FILES += "packages/riseupvpn/data/installer.py" + OTHER_FILES += "packages/riseupvpn/data/se.leap.bitmask-helper.plist" + OTHER_FILES += "packages/riseupvpn/data/openvpn.leap" + OTHER_FILES += "packages/riseupvpn/data/helper/bitmask.pf.conf" + OTHER_FILES += "packages/riseupvpn/data/client.up.sh" + OTHER_FILES += "packages/riseupvpn/data/client.down.sh" } linux { OTHER_FILES += "packages/riseupvpn/data/riseup-vpn" diff --git a/installer/config/config.xml b/installer/config/config.xml index ef0e5e8..492e76f 100644 --- a/installer/config/config.xml +++ b/installer/config/config.xml @@ -1,6 +1,7 @@ <?xml version="1.0" encoding="UTF-8"?> <Installer> <Name>RiseupVPN Installer 1.0</Name> + <Publisher>LEAP Encryption Access Project</Publisher> <Title>RiseupVPN Installer</Title> <Version>1.0.0</Version> <TargetDir>@ApplicationsDir@/RiseupVPN</TargetDir> @@ -9,4 +10,5 @@ <Url>http://localhost/repository/</Url> </Repository> </RemoteRepositories> + <WizardStyle>mac</WizardStyle> </Installer> diff --git a/installer/packages/riseupvpn/data/.gitignore b/installer/packages/riseupvpn/data/.gitignore new file mode 100644 index 0000000..63c86a1 --- /dev/null +++ b/installer/packages/riseupvpn/data/.gitignore @@ -0,0 +1,3 @@ +openvpn.leap +bitmask-helper +riseup-vpn.app diff --git a/installer/packages/riseupvpn/data/post-install.py b/installer/packages/riseupvpn/data/post-install.py index 1e1addd..02da859 100755 --- a/installer/packages/riseupvpn/data/post-install.py +++ b/installer/packages/riseupvpn/data/post-install.py @@ -1,49 +1,49 @@ #!/usr/bin/env python import os +import shutil import sys import subprocess HELPER = "bitmask-helper" HELPER_PLIST = "/Library/LaunchDaemons/se.leap.bitmask-helper.plist" +_dir = os.path.dirname(os.path.realpath(__file__)) def main(): - _dir = os.path.dirname(os.path.realpath(__file__)) log = open(os.path.join(_dir, 'post-install.log'), 'w') - log.write('Checking for admin privileges...') + log.write('Checking for admin privileges...\n') _id = os.getuid() if _id != 0: err = "error: need to run as root. UID: %s\n" % str(_id) - logErr(log, msg) + logErr(log, err) # failure: sys.exit(1) if isHelperRunning(): - log.write("Trying to stop bitmask-helper...") + log.write("Trying to stop bitmask-helper...\n") # if this fail, we can check if the HELPER_PLIST is there ok = unloadHelper() log.write("success: %s \n" % str(ok)) - ok = makeHelperExecutable() - log.write("chmod +x helper: %s \n" % str(ok)) + ok = fixHelperOwner(log) + log.write("chown helper: %s \n" % str(ok)) - # 3. cp se.leap.bitmask-helper.plist /Library/LaunchDaemons/ + log.write("Copy launch daemon...\n") copyLaunchDaemon() - # 4. launchctl load /Library/LaunchDaemons/se.leap.bitmask-helper.plist - launchHelper() + out = launchHelper() + log.write("Copy plist: %s \n" % str(ok)) - # 5. chown admin:wheel /Applications/$applicationName.app/Contents/helper # is this the folder? grantPermissionsOnLogFolder() - # all good - log.write('post-install script: done') + # all done + log.write('post-install script: done\n') sys.exit(0) def logErr(log, msg): - log.write(err) + log.write(msg) sys.exit(1) def isHelperRunning(): @@ -54,18 +54,34 @@ def unloadHelper(): out = subprocess.call(["launchctl", "unload", HELPER_PLIST]) return out == 0 -def makeHelperExecutable(): - out = subprocess.call(["chmod", "+x", HELPER]) - return out == 0 +def fixHelperOwner(log): + path = os.path.join(_dir, HELPER) + try: + os.chown(path, 0, 0) + except OSError as exc: + log.write(str(exc)) + return False + return True def copyLaunchDaemon(): - pass + plist = "se.leap.bitmask-helper.plist" + path = os.path.join(_dir, plist) + dest = os.path.join('/Library/LaunchDaemons', plist) + _p = _dir.replace("/", "\/") + subprocess.call(["sed", "-i.back", "s/PATH/%s/" % _p, path]) + shutil.copy(path, dest) def launchHelper(): - pass + out = subprocess.call(["launchctl", "load", "/Library/LaunchDaemons/se.leap.bitmask-helper.plist"]) + return out == 0 def grantPermissionsOnLogFolder(): - pass + helperDir = os.path.join(_dir, 'helper') + try: + os.makedirs(helperDir) + except Exception: + pass + os.chown(helperDir, 0, 0) def _getProcessList(): _out = [] diff --git a/installer/packages/riseupvpn/data/se.leap.bitmask-helper.plist b/installer/packages/riseupvpn/data/se.leap.bitmask-helper.plist new file mode 100644 index 0000000..c9d9687 --- /dev/null +++ b/installer/packages/riseupvpn/data/se.leap.bitmask-helper.plist @@ -0,0 +1,26 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> +<dict> + <key>WorkingDirectory</key> + <string>/tmp</string> + <key>StandardOutPath</key> + <string>bitmask-helper.log</string> + <key>StandardErrorPath</key> + <string>bitmask-helper-err.log</string> + <key>GroupName</key> + <string>daemon</string> + <key>RunAtLoad</key> + <true/> + <key>SessionCreate</key> + <true/> + <key>KeepAlive</key> + <true/> + <key>ThrottleInterval</key> + <integer>5</integer> + <key>Label</key> + <string>se.leap.BitmaskHelper</string> + <key>Program</key> + <string>PATH/bitmask-helper</string> +</dict> +</plist> diff --git a/pkg/helper/args.go b/pkg/helper/args.go index 1a5bd3b..5a7873f 100644 --- a/pkg/helper/args.go +++ b/pkg/helper/args.go @@ -6,6 +6,7 @@ import ( "os" "regexp" "strconv" + "path/filepath" ) const ( @@ -22,11 +23,11 @@ var ( "--tls-client", "--remote-cert-tls", "server", "--dhcp-option", "DNS", nameserver, - "--log", LogFolder + "openvpn.log", "--tls-version-min", "1.0", + "--log", filepath.Join(LogFolder, "openvpn-leap.log"), } - allowendArgs = map[string][]string{ + allowedArgs = map[string][]string{ "--remote": []string{"IP", "NUMBER", "PROTO"}, "--tls-cipher": []string{"CIPHER"}, "--cipher": []string{"CIPHER"}, @@ -44,7 +45,7 @@ var ( cipher = regexp.MustCompile("^[A-Z0-9-]+$") formats = map[string]func(s string) bool{ - "NUMBER": isNumber, + "NUMBER": isNumber, "PROTO": isProto, "IP": isIP, "CIPHER": cipher.MatchString, @@ -54,9 +55,9 @@ var ( func parseOpenvpnArgs(args []string) []string { newArgs := fixedArgs - newArgs = append(newArgs, platformOpenvpnFlags...) + newArgs = append(newArgs, getPlatformOpenvpnFlags()...) for i := 0; i < len(args); i++ { - params, ok := allowendArgs[args[i]] + params, ok := allowedArgs[args[i]] if !ok { log.Printf("Invalid openvpn arg: %s", args[i]) continue diff --git a/pkg/helper/darwin.go b/pkg/helper/darwin.go index 82becee..ae42646 100644 --- a/pkg/helper/darwin.go +++ b/pkg/helper/darwin.go @@ -1,5 +1,5 @@ // +build darwin -// Copyright (C) 2018 LEAP +// Copyright (C) 2018-2020 LEAP // // This program is free software: you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by @@ -29,6 +29,7 @@ package helper import ( "errors" "fmt" + "path/filepath" "log" "os" "os/exec" @@ -36,30 +37,39 @@ import ( "strconv" "strings" - "0xacab.org/leap/bitmask-vpn/pkg/config" "github.com/sevlyar/go-daemon" ) const ( - appPath = "/Applications/" + config.ApplicationName + ".app/" - helperPath = appPath + "Contents/helper/" - LogFolder = helperPath - openvpnPath = appPath + "Contents/Resources/openvpn.leap" - - rulefilePath = helperPath + "bitmask.pf.conf" bitmask_anchor = "com.apple/250.BitmaskFirewall" gateways_table = "bitmask_gateways" - pfctl = "/sbin/pfctl" + LogFolder = "/var/log/" ) -var ( - platformOpenvpnFlags = []string{ +func _getExecPath() string { + ex, err := os.Executable() + if err != nil { + log.Print("error while getting executable path!") + } + return filepath.Dir(ex) +} + +func getHelperPath() string { + execPath := _getExecPath() + hp := filepath.Join(execPath, "../../../", "bitmask-helper") + log.Println(">>> DEBUG: helper", hp) + return hp +} + +func getPlatformOpenvpnFlags() []string { + helperPath := getHelperPath() + return []string{ "--script-security", "2", "--up", helperPath + "client.up.sh", "--down", helperPath + "client.down.sh", } -) +} func parseCliArgs() { // OSX helper does not respond to arguments @@ -97,6 +107,9 @@ func runServer(preferredPort int) { } func getOpenvpnPath() string { + execPath := _getExecPath() + openvpnPath := filepath.Join(execPath, "../../../", "openvpn.leap") + log.Println(">>> DEBUG: openvpn", openvpnPath) return openvpnPath } @@ -190,6 +203,9 @@ func loadBitmaskAnchor() error { } func getRulefilePath() (string, error) { + rulefilePath := filepath.Join(getHelperPath(), "helper", "bitmask.pf.conf") + log.Println("DEBUG: rule file path", rulefilePath) + if _, err := os.Stat(rulefilePath); !os.IsNotExist(err) { return rulefilePath, nil } diff --git a/pkg/helper/linux.go b/pkg/helper/linux.go index f1e21c8..d6f30f2 100644 --- a/pkg/helper/linux.go +++ b/pkg/helper/linux.go @@ -1,5 +1,5 @@ // +build linux -// Copyright (C) 2018 LEAP +// Copyright (C) 2018, 2020 LEAP // // This program is free software: you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by @@ -34,12 +34,15 @@ const ( var ( snapOpenvpnPath = "/snap/bin/" + config.BinaryName + ".openvpn" - platformOpenvpnFlags = []string{ +) + +func getPlatformOpenvpnFlags() []string { + return []string{ "--script-security", "1", "--user", openvpnUser, "--group", openvpnGroup, } -) +} func parseCliArgs() { // linux helper does not reply to args diff --git a/pkg/helper/windows.go b/pkg/helper/windows.go index 44ac6f5..c33a4bc 100644 --- a/pkg/helper/windows.go +++ b/pkg/helper/windows.go @@ -40,11 +40,15 @@ var ( openvpnPath = path.Join(appPath, "openvpn.exe") chocoOpenvpnPath = `C:\Program Files\OpenVPN\bin\openvpn.exe` platformOpenvpnFlags = []string{ + httpServerConf = &httpConf{} +) + +func getPlatformOpenvpnFlags() []string { + return []string{ "--script-security", "1", "--block-outside-dns", } - httpServerConf = &httpConf{} -) +} func getExecDir() string { ex, err := os.Executable() |