diff options
author | kali <kali@leap.se> | 2020-07-27 18:18:38 +0200 |
---|---|---|
committer | Ruben Pollan <meskio@sindominio.net> | 2020-10-13 19:08:40 +0200 |
commit | 2cf32806dcce2d41920be28bd0e7d12e5d049357 (patch) | |
tree | 5ecad10f0c2804ab0ded8380431490e475f57998 /branding | |
parent | 211fc457329b074fd4331aec0c4fc5d765e9023f (diff) |
[pkg] update build script for openvpn
Diffstat (limited to 'branding')
-rw-r--r-- | branding/installer/osx/se.leap.bitmask-helper.plist | 26 | ||||
-rwxr-xr-x | branding/installer/post-install.py | 96 | ||||
-rw-r--r-- | branding/thirdparty/openvpn/build.mk | 11 | ||||
-rwxr-xr-x | branding/thirdparty/openvpn/build_openvpn.sh | 190 |
4 files changed, 323 insertions, 0 deletions
diff --git a/branding/installer/osx/se.leap.bitmask-helper.plist b/branding/installer/osx/se.leap.bitmask-helper.plist new file mode 100644 index 0000000..c9d9687 --- /dev/null +++ b/branding/installer/osx/se.leap.bitmask-helper.plist @@ -0,0 +1,26 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> +<dict> + <key>WorkingDirectory</key> + <string>/tmp</string> + <key>StandardOutPath</key> + <string>bitmask-helper.log</string> + <key>StandardErrorPath</key> + <string>bitmask-helper-err.log</string> + <key>GroupName</key> + <string>daemon</string> + <key>RunAtLoad</key> + <true/> + <key>SessionCreate</key> + <true/> + <key>KeepAlive</key> + <true/> + <key>ThrottleInterval</key> + <integer>5</integer> + <key>Label</key> + <string>se.leap.BitmaskHelper</string> + <key>Program</key> + <string>PATH/bitmask-helper</string> +</dict> +</plist> diff --git a/branding/installer/post-install.py b/branding/installer/post-install.py new file mode 100755 index 0000000..02da859 --- /dev/null +++ b/branding/installer/post-install.py @@ -0,0 +1,96 @@ +#!/usr/bin/env python + +import os +import shutil +import sys +import subprocess + +HELPER = "bitmask-helper" +HELPER_PLIST = "/Library/LaunchDaemons/se.leap.bitmask-helper.plist" +_dir = os.path.dirname(os.path.realpath(__file__)) + +def main(): + log = open(os.path.join(_dir, 'post-install.log'), 'w') + log.write('Checking for admin privileges...\n') + + _id = os.getuid() + if _id != 0: + err = "error: need to run as root. UID: %s\n" % str(_id) + logErr(log, err) + + # failure: sys.exit(1) + + if isHelperRunning(): + log.write("Trying to stop bitmask-helper...\n") + # if this fail, we can check if the HELPER_PLIST is there + ok = unloadHelper() + log.write("success: %s \n" % str(ok)) + + ok = fixHelperOwner(log) + log.write("chown helper: %s \n" % str(ok)) + + log.write("Copy launch daemon...\n") + copyLaunchDaemon() + + out = launchHelper() + log.write("Copy plist: %s \n" % str(ok)) + + grantPermissionsOnLogFolder() + + # all done + log.write('post-install script: done\n') + sys.exit(0) + + +def logErr(log, msg): + log.write(msg) + sys.exit(1) + +def isHelperRunning(): + ps = _getProcessList() + return HELPER in ps + +def unloadHelper(): + out = subprocess.call(["launchctl", "unload", HELPER_PLIST]) + return out == 0 + +def fixHelperOwner(log): + path = os.path.join(_dir, HELPER) + try: + os.chown(path, 0, 0) + except OSError as exc: + log.write(str(exc)) + return False + return True + +def copyLaunchDaemon(): + plist = "se.leap.bitmask-helper.plist" + path = os.path.join(_dir, plist) + dest = os.path.join('/Library/LaunchDaemons', plist) + _p = _dir.replace("/", "\/") + subprocess.call(["sed", "-i.back", "s/PATH/%s/" % _p, path]) + shutil.copy(path, dest) + +def launchHelper(): + out = subprocess.call(["launchctl", "load", "/Library/LaunchDaemons/se.leap.bitmask-helper.plist"]) + return out == 0 + +def grantPermissionsOnLogFolder(): + helperDir = os.path.join(_dir, 'helper') + try: + os.makedirs(helperDir) + except Exception: + pass + os.chown(helperDir, 0, 0) + +def _getProcessList(): + _out = [] + output = subprocess.Popen(["ps", "-ceA"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT) + stdout, stderr = output.communicate() + for line in stdout.split('\n'): + cmd = line.split(' ')[-1] + _out.append(cmd.strip()) + return _out + +if __name__ == "__main__": + main() diff --git a/branding/thirdparty/openvpn/build.mk b/branding/thirdparty/openvpn/build.mk new file mode 100644 index 0000000..df87eb2 --- /dev/null +++ b/branding/thirdparty/openvpn/build.mk @@ -0,0 +1,11 @@ +build_static_openvpn: + pkg/thirdparty/openvpn/build_openvpn.sh + +upload_openvpn: + rsync --rsh='ssh' -avztlpog --progress --partial ~/openvpn_build/sbin/openvpn* downloads.leap.se:./public/thirdparty/linux/openvpn/ + +download_openvpn: + wget https://downloads.leap.se/thirdparty/linux/openvpn/openvpn + +clean_openvpn_build: + rm -rf ~/openvpn_build diff --git a/branding/thirdparty/openvpn/build_openvpn.sh b/branding/thirdparty/openvpn/build_openvpn.sh new file mode 100755 index 0000000..20f764a --- /dev/null +++ b/branding/thirdparty/openvpn/build_openvpn.sh @@ -0,0 +1,190 @@ +#!/bin/bash + +############################################################################# +# Builds OpenVPN statically against mbedtls (aka polarssl). +# Requirements: cmake +# Output: ~/openvpn_build/sbin/openvpn-x.y.z +############################################################################# + +set -e +#set -x + +# [!] This needs to be updated for every release -------------------------- +OPENVPN="openvpn-2.4.9" +MBEDTLS="mbedtls-2.23.0" +LZO="lzo-2.10" +ZLIB="zlib-1.2.11" +MBEDTLS_SHA512="c2a04f659bf63522f10f6660c2d196d7f39a057ff5a382734ba3b839f463ead4e5c9bc0d21fb909d56fcd2ee4c711248be14861f388cd383385484d364247634" +LZO_SHA1="4924676a9bae5db58ef129dc1cebce3baa3c4b5d" +# ------------------------------------------------------------------------- + +platform='unknown' +unamestr=`uname` +if [[ "$unamestr" == 'Linux' ]]; then + platform='linux' +elif [[ "$unamestr" == 'Darwin' ]]; then + platform='osx' +fi + +BUILDDIR="openvpn_build" +mkdir -p ~/$BUILDDIR && cd ~/$BUILDDIR + +BASE=`pwd` +SRC=$BASE/src +mkdir -p $SRC + +SHASUM="/usr/bin/shasum" + +ZLIB_KEYS="https://keys.gnupg.net/pks/lookup?op=get&search=0x783FCD8E58BCAFBA" +OPENVPN_KEYS="https://swupdate.openvpn.net/community/keys/security.key.asc" + +WGET="wget --prefer-family=IPv4" +DEST=$BASE/install +LDFLAGS="-L$DEST/lib -L$DEST/usr/local/lib -W" +CPPFLAGS="-I$DEST/include" +CFLAGS="-D_FORTIFY_SOURCE=2 -O1 -Wformat -Wformat-security -fstack-protector -fPIE" +CXXFLAGS=$CFLAGS +CONFIGURE="./configure --prefix=/install" +MAKE="make -j4" + + +######## #################################################################### +# ZLIB # #################################################################### +######## #################################################################### + +function build_zlib() +{ + gpg --fetch-keys $ZLIB_KEYS + mkdir $SRC/zlib && cd $SRC/zlib + + if [ ! -f $ZLIB.tar.gz ]; then + $WGET https://zlib.net/$ZLIB.tar.gz + $WGET https://zlib.net/$ZLIB.tar.gz.asc + fi + tar zxvf $ZLIB.tar.gz + cd $ZLIB + + LDFLAGS=$LDFLAGS \ + CPPFLAGS=$CPPFLAGS \ + CFLAGS=$CFLAGS \ + CXXFLAGS=$CXXFLAGS \ + ./configure \ + --prefix=/install + + $MAKE + make install DESTDIR=$BASE +} + +########### ################################################################## +# MBEDTLS # ################################################################## +########### ################################################################## + +function build_mbedtls() +{ + mkdir -p $SRC/polarssl && cd $SRC/polarssl + if [ ! -f $MBEDTLS.tar.gz ]; then + $WGET https://github.com/ARMmbed/mbedtls/archive/$MBEDTLS.tar.gz + fi + sha512=`${SHASUM} -a 512 -p ${MBEDTLS}.tar.gz | cut -d' ' -f 1` + + if [ "${MBEDTLS_SHA512}" = "${sha512}" ]; then + echo "[+] sha1 verified ok" + else + echo "[!] problem with sha1 verification" + exit 1 + fi + tar zxvf $MBEDTLS.tar.gz + cd mbedtls-$MBEDTLS + mkdir -p build + cd build + cmake .. + $MAKE + make install DESTDIR=$BASE/install +} + + +######## #################################################################### +# LZO2 # #################################################################### +######## #################################################################### + +function build_lzo2() +{ + mkdir $SRC/lzo2 && cd $SRC/lzo2 + if [ ! -f $LZO.tar.gz ]; then + $WGET http://www.oberhumer.com/opensource/lzo/download/$LZO.tar.gz + fi + sha1=`$SHASUM $LZO.tar.gz | cut -d' ' -f 1` + if [ "${LZO_SHA1}" = "${sha1}" ]; then + echo "[+] sha1 verified ok" + else + echo "[!] problem with sha1 verification" + exit 1 + fi + tar zxvf $LZO.tar.gz + cd $LZO + + LDFLAGS=$LDFLAGS \ + CPPFLAGS=$CPPFLAGS \ + CFLAGS=$CFLAGS \ + CXXFLAGS=$CXXFLAGS \ + $CONFIGURE --enable-static --disable-debug + + $MAKE + make install DESTDIR=$BASE +} + +########### ################################################################# +# OPENVPN # ################################################################# +########### ################################################################# + +function build_openvpn() +{ + mkdir $SRC/openvpn && cd $SRC/openvpn + gpg --fetch-keys $OPENVPN_KEYS + if [ ! -f $OPENVPN.tar.gz ]; then + $WGET https://build.openvpn.net/downloads/releases/$OPENVPN.tar.gz + $WGET https://build.openvpn.net/downloads/releases/$OPENVPN.tar.gz.asc + fi + gpg --verify $OPENVPN.tar.gz.asc && echo "[+] gpg verification ok" + tar zxvf $OPENVPN.tar.gz + cd $OPENVPN + + MBEDTLS_CFLAGS=-I$BASE/install/usr/local/include/ \ + MBEDTLS_LIBS="$DEST/usr/local/lib/libmbedtls.a $DEST/usr/local/lib/libmbedcrypto.a $DEST/usr/local/lib/libmbedx509.a" \ + LDFLAGS=$LDFLAGS \ + CPPFLAGS=$CPPFLAGS \ + CFLAGS="$CFLAGS -I$BASE/install/usr/local/include" \ + CXXFLAGS=$CXXFLAGS \ + $CONFIGURE \ + --disable-plugin-auth-pam \ + --with-crypto-library=mbedtls \ + --enable-small \ + --disable-debug + + $MAKE LIBS="-all-static -lz -llzo2" + make install DESTDIR=$BASE/openvpn + mkdir -p $BASE/sbin/ + cp $BASE/openvpn/install/sbin/openvpn $BASE/sbin/$OPENVPN + strip $BASE/sbin/$OPENVPN +} + +function build_all() +{ + echo "[+] Building" $OPENVPN + build_zlib + build_lzo2 + build_mbedtls + build_openvpn +} + +function main() +{ + if [[ $platform == 'linux' ]]; then + build_all + fi + if [[ $platform == 'osx' ]]; then + build_all + fi +} + +main "$@" |