Add xormask option

[XMB5]

This PR adds the scramble xormask option from the openvpn xor patch. This option XORs all incoming and outgoing bytes (except for packet lengths when using TCP) with any byte. This does not add security; instead it is for bypassing firewalls. This implementation only supports one-byte xormasks, for example scramble xormask z. In this example, all incoming and outgoing bytes would be XORed with 0x7A, the ascii value of z.

The XORing happens in ControlPacket.m. The rest of the changes are for parsing the option from an ovpn config file.

Solves issue 38.

[XMB5]

I didn't test UDP because UDP wasn't working without any modifications

[keeshux]

Unwrapped self here is very likely to raise unpredictable, obscure exceptions on disconnection. Better add a guard.

[keeshux]

This code in dangerous. Replace _ in 61 and use it rather than self! for safety. Also, packets in the else block may be nil if xorMask != 0.

[keeshux]

@XMB5 meanwhile could you send me an email to beta@passepartoutvpn.app from your main contact? Thank you!

[XMB5]

Sent it

[keeshux]

A follow-up: I think of postponing this because I'd like to evaluate pluggable transports in the (far) future. It's just that with a new API this code would need to be adjusted. I'll keep you updated along with my considerations.

[theNerdFromSiliconValley]

Is there any update on this?

[keeshux]

Is there any update on this?

Not until I have time to test it thoroughly. It's a deep change for a stable app in production, I can't mess up.

[cyberjoost]

Isn't tls-crypt, which is already supported, more effective or the same in effectiveness in bypassing firewalls? I have customers happily using OpenVPN with tls-crypt enabled to bypass the GFW, without xorpatch.