authorkali <kali@leap.se>2020-07-27 18:18:38 +0200
committerRuben Pollan <meskio@sindominio.net>2020-10-13 19:08:40 +0200
commit2cf32806dcce2d41920be28bd0e7d12e5d049357 (patch)
tree5ecad10f0c2804ab0ded8380431490e475f57998 /branding
parent211fc457329b074fd4331aec0c4fc5d765e9023f (diff)
[pkg] update build script for openvpn
Diffstat (limited to 'branding')
-rw-r--r--branding/installer/osx/se.leap.bitmask-helper.plist26
-rwxr-xr-xbranding/installer/post-install.py96
-rw-r--r--branding/thirdparty/openvpn/build.mk11
-rwxr-xr-xbranding/thirdparty/openvpn/build_openvpn.sh190
4 files changed, 323 insertions, 0 deletions
diff --git a/branding/installer/osx/se.leap.bitmask-helper.plist b/branding/installer/osx/se.leap.bitmask-helper.plist
new file mode 100644
index 0000000..c9d9687
--- /dev/null
+++ b/branding/installer/osx/se.leap.bitmask-helper.plist
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>WorkingDirectory</key>
+ <string>/tmp</string>
+ <key>StandardOutPath</key>
+ <string>bitmask-helper.log</string>
+ <key>StandardErrorPath</key>
+ <string>bitmask-helper-err.log</string>
+ <key>GroupName</key>
+ <string>daemon</string>
+ <key>RunAtLoad</key>
+ <true/>
+ <key>SessionCreate</key>
+ <true/>
+ <key>KeepAlive</key>
+ <true/>
+ <key>ThrottleInterval</key>
+ <integer>5</integer>
+ <key>Label</key>
+ <string>se.leap.BitmaskHelper</string>
+ <key>Program</key>
+ <string>PATH/bitmask-helper</string>
+</dict>
+</plist>
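Review bot: `WorkingDirectory` is `/tmp` and `StandardOutPath` / `StandardErrorPath` are relative names, so the helper's logs presumably land in a world-writable directory under the predictable names `bitmask-helper.log` and `bitmask-helper-err.log`. No `UserName` key is set, so launchd will start this LaunchDaemon as root, and a local user who pre-creates those names gets the usual symlink/clobber hazard for privileged writers in /tmp. Point both keys at absolute paths in a root-owned directory, for example `<string>/var/log/bitmask-helper.log</string>` (example path), and set `WorkingDirectory` to a directory only root can write.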
diff --git a/branding/installer/post-install.py b/branding/installer/post-install.py
new file mode 100755
index 0000000..02da859
--- /dev/null
+++ b/branding/installer/post-install.py
@@ -0,0 +1,96 @@
+#!/usr/bin/env python
+
+import os
+import shutil
+import sys
+import subprocess
+
+HELPER = "bitmask-helper"
+HELPER_PLIST = "/Library/LaunchDaemons/se.leap.bitmask-helper.plist"
+_dir = os.path.dirname(os.path.realpath(__file__))
+
+def main():
+ log = open(os.path.join(_dir, 'post-install.log'), 'w')
+ log.write('Checking for admin privileges...\n')
+
+ _id = os.getuid()
+ if _id != 0:
+ err = "error: need to run as root. UID: %s\n" % str(_id)
+ logErr(log, err)
+
+ # failure: sys.exit(1)
+
+ if isHelperRunning():
+ log.write("Trying to stop bitmask-helper...\n")
+ # if this fail, we can check if the HELPER_PLIST is there
+ ok = unloadHelper()
+ log.write("success: %s \n" % str(ok))
+
+ ok = fixHelperOwner(log)
+ log.write("chown helper: %s \n" % str(ok))
+
+ log.write("Copy launch daemon...\n")
+ copyLaunchDaemon()
+
+ out = launchHelper()
+ log.write("Copy plist: %s \n" % str(ok))
+
+ grantPermissionsOnLogFolder()
+
+ # all done
+ log.write('post-install script: done\n')
+ sys.exit(0)
+
+
+def logErr(log, msg):
+ log.write(msg)
+ sys.exit(1)
+
+def isHelperRunning():
+ ps = _getProcessList()
+ return HELPER in ps
+
+def unloadHelper():
+ out = subprocess.call(["launchctl", "unload", HELPER_PLIST])
+ return out == 0
+
+def fixHelperOwner(log):
+ path = os.path.join(_dir, HELPER)
+ try:
+ os.chown(path, 0, 0)
+ except OSError as exc:
+ log.write(str(exc))
+ return False
+ return True
+
+def copyLaunchDaemon():
+ plist = "se.leap.bitmask-helper.plist"
+ path = os.path.join(_dir, plist)
+ dest = os.path.join('/Library/LaunchDaemons', plist)
+ _p = _dir.replace("/", "\/")
+ subprocess.call(["sed", "-i.back", "s/PATH/%s/" % _p, path])
+ shutil.copy(path, dest)
+
+def launchHelper():
+ out = subprocess.call(["launchctl", "load", "/Library/LaunchDaemons/se.leap.bitmask-helper.plist"])
+ return out == 0
+
+def grantPermissionsOnLogFolder():
+ helperDir = os.path.join(_dir, 'helper')
+ try:
+ os.makedirs(helperDir)
+ except Exception:
+ pass
+ os.chown(helperDir, 0, 0)
+
+def _getProcessList():
+ _out = []
+ output = subprocess.Popen(["ps", "-ceA"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+ stdout, stderr = output.communicate()
+ for line in stdout.split('\n'):
+ cmd = line.split(' ')[-1]
+ _out.append(cmd.strip())
+ return _out
+
+if __name__ == "__main__":
+ main()
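Review bot: In `main()` the result of `fixHelperOwner(log)` is only written to the log, and the script continues to `copyLaunchDaemon()` and `launchHelper()` even when the chown failed, so launchd can end up running a helper as root that is still owned by the installing user. Abort instead, e.g. `if not fixHelperOwner(log): logErr(log, "error: could not chown helper\n")`. The chown also leaves the file mode and the parent directory untouched, so it is worth checking that neither the binary nor `_dir` is writable by non-root users before the daemon is loaded. Separately, `out = launchHelper()` is never logged: the next line prints the stale `ok` under the label "Copy plist", so a failed `launchctl load` goes unnoticed; `log.write("launch helper: %s \n" % str(out))` would record it.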
diff --git a/branding/thirdparty/openvpn/build.mk b/branding/thirdparty/openvpn/build.mk
new file mode 100644
index 0000000..df87eb2
--- /dev/null
+++ b/branding/thirdparty/openvpn/build.mk
@@ -0,0 +1,11 @@
+build_static_openvpn:
+ pkg/thirdparty/openvpn/build_openvpn.sh
+
+upload_openvpn:
+ rsync --rsh='ssh' -avztlpog --progress --partial ~/openvpn_build/sbin/openvpn* downloads.leap.se:./public/thirdparty/linux/openvpn/
+
+download_openvpn:
+ wget https://downloads.leap.se/thirdparty/linux/openvpn/openvpn
+
+clean_openvpn_build:
+ rm -rf ~/openvpn_build
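Review bot: `download_openvpn` fetches a prebuilt `openvpn` binary with `wget` and nothing checks it afterwards, so whatever the download host serves ends up in the package. Publish a checksum or detached signature next to the upload and verify it in this target, for instance with a line such as `echo "$(OPENVPN_SHA256)  openvpn" | shasum -a 256 -c -`, where `OPENVPN_SHA256` is a placeholder for a hash pinned in the repository. The upload target pushes `openvpn*` while this one fetches the unversioned name `openvpn`, so it is not clear from here which build is being downloaded; a versioned file name would tie the pin to a release.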
diff --git a/branding/thirdparty/openvpn/build_openvpn.sh b/branding/thirdparty/openvpn/build_openvpn.sh
new file mode 100755
index 0000000..20f764a
--- /dev/null
+++ b/branding/thirdparty/openvpn/build_openvpn.sh
@@ -0,0 +1,190 @@
+#!/bin/bash
+
+#############################################################################
+# Builds OpenVPN statically against mbedtls (aka polarssl).
+# Requirements: cmake
+# Output: ~/openvpn_build/sbin/openvpn-x.y.z
+#############################################################################
+
+set -e
+#set -x
+
+# [!] This needs to be updated for every release --------------------------
+OPENVPN="openvpn-2.4.9"
+MBEDTLS="mbedtls-2.23.0"
+LZO="lzo-2.10"
+ZLIB="zlib-1.2.11"
+MBEDTLS_SHA512="c2a04f659bf63522f10f6660c2d196d7f39a057ff5a382734ba3b839f463ead4e5c9bc0d21fb909d56fcd2ee4c711248be14861f388cd383385484d364247634"
+LZO_SHA1="4924676a9bae5db58ef129dc1cebce3baa3c4b5d"
+# -------------------------------------------------------------------------
+
+platform='unknown'
+unamestr=`uname`
+if [[ "$unamestr" == 'Linux' ]]; then
+ platform='linux'
+elif [[ "$unamestr" == 'Darwin' ]]; then
+ platform='osx'
+fi
+
+BUILDDIR="openvpn_build"
+mkdir -p ~/$BUILDDIR && cd ~/$BUILDDIR
+
+BASE=`pwd`
+SRC=$BASE/src
+mkdir -p $SRC
+
+SHASUM="/usr/bin/shasum"
+
+ZLIB_KEYS="https://keys.gnupg.net/pks/lookup?op=get&search=0x783FCD8E58BCAFBA"
+OPENVPN_KEYS="https://swupdate.openvpn.net/community/keys/security.key.asc"
+
+WGET="wget --prefer-family=IPv4"
+DEST=$BASE/install
+LDFLAGS="-L$DEST/lib -L$DEST/usr/local/lib -W"
+CPPFLAGS="-I$DEST/include"
+CFLAGS="-D_FORTIFY_SOURCE=2 -O1 -Wformat -Wformat-security -fstack-protector -fPIE"
+CXXFLAGS=$CFLAGS
+CONFIGURE="./configure --prefix=/install"
+MAKE="make -j4"
+
+
+######## ####################################################################
+# ZLIB # ####################################################################
+######## ####################################################################
+
+function build_zlib()
+{
+ gpg --fetch-keys $ZLIB_KEYS
+ mkdir $SRC/zlib && cd $SRC/zlib
+
+ if [ ! -f $ZLIB.tar.gz ]; then
+ $WGET https://zlib.net/$ZLIB.tar.gz
+ $WGET https://zlib.net/$ZLIB.tar.gz.asc
+ fi
+ tar zxvf $ZLIB.tar.gz
+ cd $ZLIB
+
+ LDFLAGS=$LDFLAGS \
+ CPPFLAGS=$CPPFLAGS \
+ CFLAGS=$CFLAGS \
+ CXXFLAGS=$CXXFLAGS \
+ ./configure \
+ --prefix=/install
+
+ $MAKE
+ make install DESTDIR=$BASE
+}
+
+########### ##################################################################
+# MBEDTLS # ##################################################################
+########### ##################################################################
+
+function build_mbedtls()
+{
+ mkdir -p $SRC/polarssl && cd $SRC/polarssl
+ if [ ! -f $MBEDTLS.tar.gz ]; then
+ $WGET https://github.com/ARMmbed/mbedtls/archive/$MBEDTLS.tar.gz
+ fi
+ sha512=`${SHASUM} -a 512 -p ${MBEDTLS}.tar.gz | cut -d' ' -f 1`
+
+ if [ "${MBEDTLS_SHA512}" = "${sha512}" ]; then
+ echo "[+] sha1 verified ok"
+ else
+ echo "[!] problem with sha1 verification"
+ exit 1
+ fi
+ tar zxvf $MBEDTLS.tar.gz
+ cd mbedtls-$MBEDTLS
+ mkdir -p build
+ cd build
+ cmake ..
+ $MAKE
+ make install DESTDIR=$BASE/install
+}
+
+
+######## ####################################################################
+# LZO2 # ####################################################################
+######## ####################################################################
+
+function build_lzo2()
+{
+ mkdir $SRC/lzo2 && cd $SRC/lzo2
+ if [ ! -f $LZO.tar.gz ]; then
+ $WGET http://www.oberhumer.com/opensource/lzo/download/$LZO.tar.gz
+ fi
+ sha1=`$SHASUM $LZO.tar.gz | cut -d' ' -f 1`
+ if [ "${LZO_SHA1}" = "${sha1}" ]; then
+ echo "[+] sha1 verified ok"
+ else
+ echo "[!] problem with sha1 verification"
+ exit 1
+ fi
+ tar zxvf $LZO.tar.gz
+ cd $LZO
+
+ LDFLAGS=$LDFLAGS \
+ CPPFLAGS=$CPPFLAGS \
+ CFLAGS=$CFLAGS \
+ CXXFLAGS=$CXXFLAGS \
+ $CONFIGURE --enable-static --disable-debug
+
+ $MAKE
+ make install DESTDIR=$BASE
+}
+
+########### #################################################################
+# OPENVPN # #################################################################
+########### #################################################################
+
+function build_openvpn()
+{
+ mkdir $SRC/openvpn && cd $SRC/openvpn
+ gpg --fetch-keys $OPENVPN_KEYS
+ if [ ! -f $OPENVPN.tar.gz ]; then
+ $WGET https://build.openvpn.net/downloads/releases/$OPENVPN.tar.gz
+ $WGET https://build.openvpn.net/downloads/releases/$OPENVPN.tar.gz.asc
+ fi
+ gpg --verify $OPENVPN.tar.gz.asc && echo "[+] gpg verification ok"
+ tar zxvf $OPENVPN.tar.gz
+ cd $OPENVPN
+
+ MBEDTLS_CFLAGS=-I$BASE/install/usr/local/include/ \
+ MBEDTLS_LIBS="$DEST/usr/local/lib/libmbedtls.a $DEST/usr/local/lib/libmbedcrypto.a $DEST/usr/local/lib/libmbedx509.a" \
+ LDFLAGS=$LDFLAGS \
+ CPPFLAGS=$CPPFLAGS \
+ CFLAGS="$CFLAGS -I$BASE/install/usr/local/include" \
+ CXXFLAGS=$CXXFLAGS \
+ $CONFIGURE \
+ --disable-plugin-auth-pam \
+ --with-crypto-library=mbedtls \
+ --enable-small \
+ --disable-debug
+
+ $MAKE LIBS="-all-static -lz -llzo2"
+ make install DESTDIR=$BASE/openvpn
+ mkdir -p $BASE/sbin/
+ cp $BASE/openvpn/install/sbin/openvpn $BASE/sbin/$OPENVPN
+ strip $BASE/sbin/$OPENVPN
+}
+
+function build_all()
+{
+ echo "[+] Building" $OPENVPN
+ build_zlib
+ build_lzo2
+ build_mbedtls
+ build_openvpn
+}
+
+function main()
+{
+ if [[ $platform == 'linux' ]]; then
+ build_all
+ fi
+ if [[ $platform == 'osx' ]]; then
+ build_all
+ fi
+}
+
+main "$@"
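Review bot: In `build_openvpn`, `gpg --verify $OPENVPN.tar.gz.asc && echo "[+] gpg verification ok"` does not stop the build on a bad signature, because `set -e` ignores a failing command on the left of `&&` and the script carries on to `tar zxvf`. Make the failure explicit: `gpg --verify $OPENVPN.tar.gz.asc $OPENVPN.tar.gz || { echo "[!] gpg verification failed"; exit 1; }`. `build_zlib` downloads `$ZLIB.tar.gz.asc` but never verifies it, so it needs the same line before its `tar zxvf`. Both checks would accept any key in the keyring, including whatever `gpg --fetch-keys` just retrieved, so comparing the signer against a fingerprint pinned in the script would close that gap. The lzo tarball is fetched over plain `http://` and guarded only by a SHA-1 pin, and the mbedtls messages say "sha1" although a SHA-512 is compared.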