github/OpenVPNAdapter
4
0
Fork 0
mirror of https://github.com/deneraraujo/OpenVPNAdapter.git synced 2026-04-06 00:00:03 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge commit '86cc97e55fe346502462284d2e636a2b3708163e' as 'Sources/OpenVPN3'

Browse Source
This commit is contained in:
Sergey Abramchuk
2020-02-24 14:43:11 +03:00
parent 133b3756e6 86cc97e55f
commit 32f1555929
655 changed files with 146468 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
Sources/OpenVPN3/openvpn/applecrypto/crypto/api.hpp Normal file
View File

@@ -0,0 +1,46 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
#ifndef OPENVPN_APPLECRYPTO_CRYPTO_API_H
#define OPENVPN_APPLECRYPTO_CRYPTO_API_H
#include <openvpn/applecrypto/crypto/cipher.hpp>
#include <openvpn/applecrypto/crypto/ciphergcm.hpp>
#include <openvpn/applecrypto/crypto/digest.hpp>
#include <openvpn/applecrypto/crypto/hmac.hpp>
namespace openvpn {
// type container for Apple Crypto-level API
struct AppleCryptoAPI {
// cipher
typedef AppleCrypto::CipherContext CipherContext;
typedef AppleCrypto::CipherContextGCM CipherContextGCM;
// digest
typedef AppleCrypto::DigestContext DigestContext;
// HMAC
typedef AppleCrypto::HMACContext HMACContext;
};
}
#endif

201
Sources/OpenVPN3/openvpn/applecrypto/crypto/cipher.hpp Normal file
View File

@@ -0,0 +1,201 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap the Apple cipher API defined in <CommonCrypto/CommonCryptor.h> so
// that it can be used as part of the crypto layer of the OpenVPN core.
#ifndef OPENVPN_APPLECRYPTO_CRYPTO_CIPHER_H
#define OPENVPN_APPLECRYPTO_CRYPTO_CIPHER_H
#include <string>
#include <cstring>
#include <CommonCrypto/CommonCryptor.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/common/platform.hpp>
#include <openvpn/common/string.hpp>
#include <openvpn/crypto/static_key.hpp>
#include <openvpn/crypto/cryptoalgs.hpp>
#include <openvpn/apple/cf/error.hpp>
namespace openvpn {
namespace AppleCrypto {
class CipherContext
{
CipherContext(const CipherContext&) = delete;
CipherContext& operator=(const CipherContext&) = delete;
public:
OPENVPN_SIMPLE_EXCEPTION(apple_cipher_mode_error);
OPENVPN_SIMPLE_EXCEPTION(apple_cipher_uninitialized);
OPENVPN_EXCEPTION(apple_cipher_error);
// mode parameter for constructor
enum {
MODE_UNDEF = -1,
ENCRYPT = kCCEncrypt,
DECRYPT = kCCDecrypt
};
enum {
MAX_IV_LENGTH = 16,
CIPH_CBC_MODE = 0
};
CipherContext()
: cinfo(nullptr), cref(nullptr)
{
}
~CipherContext() { erase() ; }
void init(const CryptoAlgs::Type alg, const unsigned char *key, const int mode)
{
erase();
// check that mode is valid
if (!(mode == ENCRYPT || mode == DECRYPT))
throw apple_cipher_mode_error();
// initialize cipher context with cipher type
const CCCryptorStatus status = CCCryptorCreate(mode,
cipher_type(alg),
kCCOptionPKCS7Padding,
key,
CryptoAlgs::key_length(alg),
nullptr,
&cref);
if (status != kCCSuccess)
throw CFException("CipherContext: CCCryptorCreate", status);
cinfo = CryptoAlgs::get_ptr(alg);
}
void reset(const unsigned char *iv)
{
check_initialized();
const CCCryptorStatus status = CCCryptorReset(cref, iv);
if (status != kCCSuccess)
throw CFException("CipherContext: CCCryptorReset", status);
}
bool update(unsigned char *out, const size_t max_out_size,
const unsigned char *in, const size_t in_size,
size_t& out_acc)
{
check_initialized();
size_t dataOutMoved;
const CCCryptorStatus status = CCCryptorUpdate(cref, in, in_size, out, max_out_size, &dataOutMoved);
if (status == kCCSuccess)
{
out_acc += dataOutMoved;
return true;
}
else
return false;
}
bool final(unsigned char *out, const size_t max_out_size, size_t& out_acc)
{
check_initialized();
size_t dataOutMoved;
const CCCryptorStatus status = CCCryptorFinal(cref, out, max_out_size, &dataOutMoved);
if (status == kCCSuccess)
{
out_acc += dataOutMoved;
return true;
}
else
return false;
}
bool is_initialized() const { return cinfo != nullptr; }
size_t iv_length() const
{
check_initialized();
return cinfo->iv_length();
}
size_t block_size() const
{
check_initialized();
return cinfo->block_size();
}
// return cipher mode (such as CIPH_CBC_MODE, etc.)
int cipher_mode() const
{
check_initialized();
return CIPH_CBC_MODE;
}
private:
static CCAlgorithm cipher_type(const CryptoAlgs::Type alg)
{
switch (alg)
{
case CryptoAlgs::AES_128_CBC:
case CryptoAlgs::AES_192_CBC:
case CryptoAlgs::AES_256_CBC:
case CryptoAlgs::AES_256_CTR:
return kCCAlgorithmAES128;
case CryptoAlgs::DES_CBC:
return kCCAlgorithmDES;
case CryptoAlgs::DES_EDE3_CBC:
return kCCAlgorithm3DES;
#ifdef OPENVPN_PLATFORM_IPHONE
case CryptoAlgs::BF_CBC:
return kCCAlgorithmBlowfish;
#endif
default:
OPENVPN_THROW(apple_cipher_error, CryptoAlgs::name(alg) << ": not usable");
}
}
void erase()
{
if (cinfo)
{
if (cref)
CCCryptorRelease(cref);
cref = nullptr;
cinfo = nullptr;
}
}
void check_initialized() const
{
#ifdef OPENVPN_ENABLE_ASSERT
if (!cinfo)
throw apple_cipher_uninitialized();
#endif
}
const CryptoAlgs::Alg* cinfo;
CCCryptorRef cref;
};
}
}
#endif

255
Sources/OpenVPN3/openvpn/applecrypto/crypto/digest.hpp Normal file
View File

@@ -0,0 +1,255 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap the Apple digest API defined in <CommonCrypto/CommonDigest.h>
// so that it can be used as part of the crypto layer of the OpenVPN core.
#ifndef OPENVPN_APPLECRYPTO_CRYPTO_DIGEST_H
#define OPENVPN_APPLECRYPTO_CRYPTO_DIGEST_H
#include <string>
#include <CommonCrypto/CommonDigest.h>
#include <CommonCrypto/CommonHMAC.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/common/string.hpp>
#include <openvpn/crypto/cryptoalgs.hpp>
#include <openvpn/apple/cf/error.hpp>
#define OPENVPN_DIGEST_CONTEXT(TYPE) CC_##TYPE##_CTX TYPE##_ctx
#define OPENVPN_DIGEST_ALG_CLASS(TYPE) \
class DigestAlgorithm##TYPE : public DigestAlgorithm \
{ \
public: \
DigestAlgorithm##TYPE() {} \
virtual int init(DigestCTX& ctx) const \
{ \
return CC_##TYPE##_Init(&ctx.u.TYPE##_ctx); \
} \
virtual int update(DigestCTX& ctx, const unsigned char *data, size_t size) const \
{ \
return CC_##TYPE##_Update(&ctx.u.TYPE##_ctx, data, size); \
} \
virtual int final(DigestCTX& ctx, unsigned char *md) const \
{ \
return CC_##TYPE##_Final(md, &ctx.u.TYPE##_ctx); \
} \
}
#define OPENVPN_DIGEST_ALG_DECLARE(TYPE) const DigestAlgorithm##TYPE alg_##TYPE;
#define OPENVPN_DIGEST_INFO_DECLARE(TYPE) const DigestInfo info_##TYPE(CryptoAlgs::TYPE, &alg_##TYPE, kCCHmacAlg##TYPE)
#define OPENVPN_DIGEST_INFO_DECLARE_NO_HMAC(TYPE) const DigestInfo info_##TYPE(CryptoAlgs::TYPE, &alg_##TYPE, DigestInfo::NO_HMAC_ALG)
namespace openvpn {
namespace AppleCrypto {
typedef CC_SHA256_CTX CC_SHA224_CTX;
typedef CC_SHA512_CTX CC_SHA384_CTX;
struct DigestCTX {
union {
OPENVPN_DIGEST_CONTEXT(MD4);
OPENVPN_DIGEST_CONTEXT(MD5);
OPENVPN_DIGEST_CONTEXT(SHA1);
OPENVPN_DIGEST_CONTEXT(SHA224);
OPENVPN_DIGEST_CONTEXT(SHA256);
OPENVPN_DIGEST_CONTEXT(SHA384);
OPENVPN_DIGEST_CONTEXT(SHA512);
} u;
};
struct DigestAlgorithm {
virtual int init(DigestCTX& ctx) const = 0;
virtual int update(DigestCTX& ctx, const unsigned char *data, size_t size) const = 0;
virtual int final(DigestCTX& ctx, unsigned char *md) const = 0;
};
// individual digest algorithm classes (each inherits from DigestAlgorithm)
OPENVPN_DIGEST_ALG_CLASS(MD4);
OPENVPN_DIGEST_ALG_CLASS(MD5);
OPENVPN_DIGEST_ALG_CLASS(SHA1);
OPENVPN_DIGEST_ALG_CLASS(SHA224);
OPENVPN_DIGEST_ALG_CLASS(SHA256);
OPENVPN_DIGEST_ALG_CLASS(SHA384);
OPENVPN_DIGEST_ALG_CLASS(SHA512);
class DigestInfo
{
public:
enum {
NO_HMAC_ALG = -1
};
DigestInfo(CryptoAlgs::Type type,
const DigestAlgorithm* digest_alg,
const CCHmacAlgorithm hmac_alg)
: type_(type),
digest_alg_(digest_alg),
hmac_alg_(hmac_alg) {}
CryptoAlgs::Type type() const { return type_; }
const char *name() const { return CryptoAlgs::name(type_); }
size_t size() const { return CryptoAlgs::size(type_); }
const DigestAlgorithm* digest_alg() const { return digest_alg_; }
CCHmacAlgorithm hmac_alg() const { return hmac_alg_; }
private:
CryptoAlgs::Type type_;
const DigestAlgorithm* digest_alg_;
CCHmacAlgorithm hmac_alg_;
};
// instantiate individual digest algorithm class instances (each inherits from DigestAlgorithm),
// naming convention is alg_TYPE
OPENVPN_DIGEST_ALG_DECLARE(MD4);
OPENVPN_DIGEST_ALG_DECLARE(MD5);
OPENVPN_DIGEST_ALG_DECLARE(SHA1);
OPENVPN_DIGEST_ALG_DECLARE(SHA224);
OPENVPN_DIGEST_ALG_DECLARE(SHA256);
OPENVPN_DIGEST_ALG_DECLARE(SHA384);
OPENVPN_DIGEST_ALG_DECLARE(SHA512);
// instantiate individual digest info class instances (each is a DigestInfo),
// naming convention is info_TYPE
OPENVPN_DIGEST_INFO_DECLARE_NO_HMAC(MD4);
OPENVPN_DIGEST_INFO_DECLARE(MD5);
OPENVPN_DIGEST_INFO_DECLARE(SHA1);
OPENVPN_DIGEST_INFO_DECLARE(SHA224);
OPENVPN_DIGEST_INFO_DECLARE(SHA256);
OPENVPN_DIGEST_INFO_DECLARE(SHA384);
OPENVPN_DIGEST_INFO_DECLARE(SHA512);
class HMACContext;
class DigestContext
{
DigestContext(const DigestContext&) = delete;
DigestContext& operator=(const DigestContext&) = delete;
public:
friend class HMACContext;
OPENVPN_SIMPLE_EXCEPTION(apple_digest_uninitialized);
OPENVPN_SIMPLE_EXCEPTION(apple_digest_final_overflow);
OPENVPN_EXCEPTION(apple_digest_error);
enum {
MAX_DIGEST_SIZE = CC_SHA512_DIGEST_LENGTH // largest known is SHA512
};
DigestContext()
{
clear();
}
DigestContext(const CryptoAlgs::Type alg)
{
init(alg);
}
void init(const CryptoAlgs::Type alg)
{
clear();
info = digest_type(alg);
meth = info->digest_alg();
if (meth->init(ctx) != 1)
throw apple_digest_error("init");
initialized = true;
}
void update(const unsigned char *in, const size_t size)
{
check_initialized();
if (meth->update(ctx, in, size) != 1)
throw apple_digest_error("update");
}
size_t final(unsigned char *out)
{
check_initialized();
if (meth->final(ctx, out) != 1)
throw apple_digest_error("final");
return info->size();
}
size_t size() const
{
check_initialized();
return info->size();
}
bool is_initialized() const { return initialized; }
private:
static const DigestInfo *digest_type(const CryptoAlgs::Type alg)
{
switch (alg)
{
case CryptoAlgs::MD4:
return &info_MD4;
case CryptoAlgs::MD5:
return &info_MD5;
case CryptoAlgs::SHA1:
return &info_SHA1;
case CryptoAlgs::SHA224:
return &info_SHA224;
case CryptoAlgs::SHA256:
return &info_SHA256;
case CryptoAlgs::SHA384:
return &info_SHA384;
case CryptoAlgs::SHA512:
return &info_SHA512;
default:
OPENVPN_THROW(apple_digest_error, CryptoAlgs::name(alg) << ": not usable");
}
}
void clear()
{
initialized = false;
}
void check_initialized() const
{
#ifdef OPENVPN_ENABLE_ASSERT
if (!initialized)
throw apple_digest_uninitialized();
#endif
}
bool initialized;
const DigestInfo *info;
const DigestAlgorithm *meth;
DigestCTX ctx;
};
}
}
#undef OPENVPN_DIGEST_CONTEXT
#undef OPENVPN_DIGEST_ALG_CLASS
#undef OPENVPN_DIGEST_ALG_DECLARE
#undef OPENVPN_DIGEST_INFO_DECLARE
#endif

145
Sources/OpenVPN3/openvpn/applecrypto/crypto/hmac.hpp Normal file
View File

@@ -0,0 +1,145 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
#ifndef OPENVPN_APPLECRYPTO_CRYPTO_HMAC_H
#define OPENVPN_APPLECRYPTO_CRYPTO_HMAC_H
// Wrap the Apple HMAC API defined in <CommonCrypto/CommonHMAC.h> so that
// it can be used as part of the crypto layer of the OpenVPN core.
#include <string>
#include <cstring>
#include <CommonCrypto/CommonHMAC.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/applecrypto/crypto/digest.hpp>
namespace openvpn {
namespace AppleCrypto {
class HMACContext
{
HMACContext(const HMACContext&) = delete;
HMACContext& operator=(const HMACContext&) = delete;
public:
OPENVPN_EXCEPTION(digest_cannot_be_used_with_hmac);
OPENVPN_SIMPLE_EXCEPTION(hmac_uninitialized);
OPENVPN_SIMPLE_EXCEPTION(hmac_keysize_error);
enum {
MAX_HMAC_SIZE = DigestContext::MAX_DIGEST_SIZE,
MAX_HMAC_KEY_SIZE = 128,
};
HMACContext()
{
state = PRE;
}
HMACContext(const CryptoAlgs::Type digest, const unsigned char *key, const size_t key_size)
{
init(digest, key, key_size);
}
~HMACContext()
{
}
void init(const CryptoAlgs::Type digest, const unsigned char *key, const size_t key_size)
{
state = PRE;
info = DigestContext::digest_type(digest);
digest_size_ = CryptoAlgs::size(digest);
hmac_alg = info->hmac_alg();
if (hmac_alg == DigestInfo::NO_HMAC_ALG)
throw digest_cannot_be_used_with_hmac(info->name());
if (key_size > MAX_HMAC_KEY_SIZE)
throw hmac_keysize_error();
std::memcpy(key_, key, key_size_ = key_size);
state = PARTIAL;
}
void reset() // Apple HMAC API is missing reset method, so we have to reinit
{
cond_reset(true);
}
void update(const unsigned char *in, const size_t size)
{
cond_reset(false);
CCHmacUpdate(&ctx, in, size);
}
size_t final(unsigned char *out)
{
cond_reset(false);
CCHmacFinal(&ctx, out);
return digest_size_;
}
size_t size() const
{
if (!is_initialized())
throw hmac_uninitialized();
return digest_size_;
}
bool is_initialized() const
{
return state >= PARTIAL;
}
private:
void cond_reset(const bool force_init)
{
switch (state)
{
case PRE:
throw hmac_uninitialized();
case READY:
if (!force_init)
return;
case PARTIAL:
CCHmacInit(&ctx, hmac_alg, key_, key_size_);
state = READY;
}
}
enum State {
PRE=0,
PARTIAL,
READY
};
int state;
const DigestInfo *info;
CCHmacAlgorithm hmac_alg;
size_t key_size_;
size_t digest_size_;
unsigned char key_[MAX_HMAC_KEY_SIZE];
CCHmacContext ctx;
};
}
}
#endif

493
Sources/OpenVPN3/openvpn/applecrypto/ssl/sslctx.hpp Normal file
View File

@@ -0,0 +1,493 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap the Apple SSL API as defined in <Security/SecureTransport.h>
// so that it can be used as the SSL layer by the OpenVPN core.
// NOTE: not used in production code.
// Note that the Apple SSL API is missing some functionality (as of
// Mac OS X 10.8) that makes it difficult to use as a drop in replacement
// for OpenSSL or MbedTLS. The biggest issue is that the API doesn't
// allow an SSL context to be built out of PEM-based certificates and
// keys. It requires an "Identity" in the Keychain that was imported
// by the user as a PKCS#12 file.
#ifndef OPENVPN_APPLECRYPTO_SSL_SSLCTX_H
#define OPENVPN_APPLECRYPTO_SSL_SSLCTX_H
#include <string>
#include <Security/SecImportExport.h>
#include <Security/SecItem.h>
#include <Security/SecureTransport.h>
#include <Security/SecKey.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/common/mode.hpp>
#include <openvpn/buffer/buffer.hpp>
#include <openvpn/frame/frame.hpp>
#include <openvpn/frame/memq_stream.hpp>
#include <openvpn/pki/epkibase.hpp>
#include <openvpn/apple/cf/cfsec.hpp>
#include <openvpn/apple/cf/error.hpp>
#include <openvpn/ssl/tlsver.hpp>
#include <openvpn/ssl/sslconsts.hpp>
#include <openvpn/ssl/sslapi.hpp>
// An SSL Context is essentially a configuration that can be used
// to generate an arbitrary number of actual SSL connections objects.
// AppleSSLContext is an SSL Context implementation that uses the
// Mac/iOS SSL library as a backend.
namespace openvpn {
// Represents an SSL configuration that can be used
// to instantiate actual SSL sessions.
class AppleSSLContext : public SSLFactoryAPI
{
public:
typedef RCPtr<AppleSSLContext> Ptr;
enum {
MAX_CIPHERTEXT_IN = 64
};
// The data needed to construct an AppleSSLContext.
class Config : public SSLConfigAPI
{
friend class AppleSSLContext;
public:
typedef RCPtr<Config> Ptr;
Config() {}
void load_identity(const std::string& subject_match)
{
identity = load_identity_(subject_match);
if (!identity())
OPENVPN_THROW(ssl_context_error, "AppleSSLContext: identity '" << subject_match << "' undefined");
}
virtual SSLFactoryAPI::Ptr new_factory()
{
return SSLFactoryAPI::Ptr(new AppleSSLContext(this));
}
virtual void set_mode(const Mode& mode_arg)
{
mode = mode_arg;
}
virtual const Mode& get_mode() const
{
return mode;
}
virtual void set_frame(const Frame::Ptr& frame_arg)
{
frame = frame_arg;
}
virtual void load(const OptionList& opt, const unsigned int lflags)
{
// client/server
if (lflags & LF_PARSE_MODE)
mode = opt.exists("client") ? Mode(Mode::CLIENT) : Mode(Mode::SERVER);
// identity
{
const std::string& subject_match = opt.get("identity", 1, 256);
load_identity(subject_match);
}
}
virtual void set_external_pki_callback(ExternalPKIBase* external_pki_arg)
{
not_implemented("set_external_pki_callback");
}
virtual void set_private_key_password(const std::string& pwd)
{
return not_implemented("set_private_key_password");
}
virtual void load_ca(const std::string& ca_txt, bool strict)
{
return not_implemented("load_ca");
}
virtual void load_crl(const std::string& crl_txt)
{
return not_implemented("load_crl");
}
virtual void load_cert(const std::string& cert_txt)
{
return not_implemented("load_cert");
}
virtual void load_cert(const std::string& cert_txt, const std::string& extra_certs_txt)
{
return not_implemented("load_cert");
}
virtual void load_private_key(const std::string& key_txt)
{
return not_implemented("load_private_key");
}
virtual void load_dh(const std::string& dh_txt)
{
return not_implemented("load_dh");
}
virtual void set_debug_level(const int debug_level)
{
return not_implemented("set_debug_level");
}
virtual void set_flags(const unsigned int flags_arg)
{
return not_implemented("set_flags");
}
virtual void set_ns_cert_type(const NSCert::Type ns_cert_type_arg)
{
return not_implemented("set_ns_cert_type");
}
virtual void set_remote_cert_tls(const KUParse::TLSWebType wt)
{
return not_implemented("set_remote_cert_tls");
}
virtual void set_tls_remote(const std::string& tls_remote_arg)
{
return not_implemented("set_tls_remote");
}
virtual void set_tls_version_min(const TLSVersion::Type tvm)
{
return not_implemented("set_tls_version_min");
}
virtual void set_local_cert_enabled(const bool v)
{
return not_implemented("set_local_cert_enabled");
}
virtual void set_enable_renegotiation(const bool v)
{
return not_implemented("set_enable_renegotiation");
}
virtual void set_force_aes_cbc_ciphersuites(const bool v)
{
return not_implemented("set_force_aes_cbc_ciphersuites");
}
virtual void set_rng(const RandomAPI::Ptr& rng_arg)
{
return not_implemented("set_rng");
}
private:
void not_implemented(const char *funcname)
{
OPENVPN_LOG("AppleSSL: " << funcname << " not implemented");
}
Mode mode;
CF::Array identity; // as returned by load_identity
Frame::Ptr frame;
};
// Represents an actual SSL session.
// Normally instantiated by AppleSSLContext::ssl().
class SSL : public SSLAPI
{
friend class AppleSSLContext;
public:
typedef RCPtr<SSL> Ptr;
virtual void start_handshake()
{
SSLHandshake(ssl);
}
virtual ssize_t write_cleartext_unbuffered(const void *data, const size_t size)
{
size_t actual = 0;
const OSStatus status = SSLWrite(ssl, data, size, &actual);
if (status < 0)
{
if (status == errSSLWouldBlock)
return SSLConst::SHOULD_RETRY;
else
throw CFException("AppleSSLContext::SSL::write_cleartext failed", status);
}
else
return actual;
}
virtual ssize_t read_cleartext(void *data, const size_t capacity)
{
if (!overflow)
{
size_t actual = 0;
const OSStatus status = SSLRead(ssl, data, capacity, &actual);
if (status < 0)
{
if (status == errSSLWouldBlock)
return SSLConst::SHOULD_RETRY;
else
throw CFException("AppleSSLContext::SSL::read_cleartext failed", status);
}
else
return actual;
}
else
throw ssl_ciphertext_in_overflow();
}
virtual bool read_cleartext_ready() const
{
// fixme: need to detect data buffered at SSL layer
return !ct_in.empty();
}
virtual void write_ciphertext(const BufferPtr& buf)
{
if (ct_in.size() < MAX_CIPHERTEXT_IN)
ct_in.write_buf(buf);
else
overflow = true;
}
virtual bool read_ciphertext_ready() const
{
return !ct_out.empty();
}
virtual BufferPtr read_ciphertext()
{
return ct_out.read_buf();
}
virtual std::string ssl_handshake_details() const // fixme -- code me
{
return "[AppleSSL not implemented]";
}
virtual const AuthCert::Ptr& auth_cert() const
{
OPENVPN_THROW(ssl_context_error, "AppleSSL::SSL: auth_cert() not implemented");
}
~SSL()
{
ssl_erase();
}
private:
SSL(const AppleSSLContext& ctx)
{
ssl_clear();
try {
OSStatus s;
#ifdef OPENVPN_PLATFORM_IPHONE
// init SSL object, select client or server mode
if (ctx.mode().is_server())
ssl = SSLCreateContext(kCFAllocatorDefault, kSSLServerSide, kSSLStreamType);
else if (ctx.mode().is_client())
ssl = SSLCreateContext(kCFAllocatorDefault, kSSLClientSide, kSSLStreamType);
else
OPENVPN_THROW(ssl_context_error, "AppleSSLContext::SSL: unknown client/server mode");
if (ssl == nullptr)
throw CFException("SSLCreateContext failed");
// use TLS v1
s = SSLSetProtocolVersionMin(ssl, kTLSProtocol1);
if (s)
throw CFException("SSLSetProtocolVersionMin failed", s);
#else
// init SSL object, select client or server mode
if (ctx.mode().is_server())
s = SSLNewContext(true, &ssl);
else if (ctx.mode().is_client())
s = SSLNewContext(false, &ssl);
else
OPENVPN_THROW(ssl_context_error, "AppleSSLContext::SSL: unknown client/server mode");
if (s)
throw CFException("SSLNewContext failed", s);
// use TLS v1
s = SSLSetProtocolVersionEnabled(ssl, kSSLProtocol2, false);
if (s)
throw CFException("SSLSetProtocolVersionEnabled !S2 failed", s);
s = SSLSetProtocolVersionEnabled(ssl, kSSLProtocol3, false);
if (s)
throw CFException("SSLSetProtocolVersionEnabled !S3 failed", s);
s = SSLSetProtocolVersionEnabled(ssl, kTLSProtocol1, true);
if (s)
throw CFException("SSLSetProtocolVersionEnabled T1 failed", s);
#endif
// configure cert, private key, and supporting CAs via identity wrapper
s = SSLSetCertificate(ssl, ctx.identity()());
if (s)
throw CFException("SSLSetCertificate failed", s);
// configure ciphertext buffers
ct_in.set_frame(ctx.frame());
ct_out.set_frame(ctx.frame());
// configure the "connection" object to be self
s = SSLSetConnection(ssl, this);
if (s)
throw CFException("SSLSetConnection", s);
// configure ciphertext read/write callbacks
s = SSLSetIOFuncs(ssl, ct_read_func, ct_write_func);
if (s)
throw CFException("SSLSetIOFuncs failed", s);
}
catch (...)
{
ssl_erase();
throw;
}
}
static OSStatus ct_read_func(SSLConnectionRef cref, void *data, size_t *length)
{
try {
SSL *self = (SSL *)cref;
const size_t actual = self->ct_in.read((unsigned char *)data, *length);
const OSStatus ret = (*length == actual) ? 0 : errSSLWouldBlock;
*length = actual;
return ret;
}
catch (...)
{
return errSSLInternal;
}
}
static OSStatus ct_write_func(SSLConnectionRef cref, const void *data, size_t *length)
{
try {
SSL *self = (SSL *)cref;
self->ct_out.write((const unsigned char *)data, *length);
return 0;
}
catch (...)
{
return errSSLInternal;
}
}
void ssl_clear()
{
ssl = nullptr;
overflow = false;
}
void ssl_erase()
{
if (ssl)
{
#ifdef OPENVPN_PLATFORM_IPHONE
CFRelease(ssl);
#else
SSLDisposeContext(ssl);
#endif
}
ssl_clear();
}
SSLContextRef ssl; // underlying SSL connection object
MemQStream ct_in; // write ciphertext to here
MemQStream ct_out; // read ciphertext from here
bool overflow;
};
/////// start of main class implementation
// create a new SSL instance
virtual SSLAPI::Ptr ssl()
{
return SSL::Ptr(new SSL(*this));
}
// like ssl() above but verify hostname against cert CommonName and/or SubjectAltName
virtual SSLAPI::Ptr ssl(const std::string& hostname)
{
OPENVPN_THROW(ssl_context_error, "AppleSSLContext: ssl session with CommonName and/or SubjectAltName verification not implemented");
}
virtual const Mode& mode() const
{
return config_->mode;
}
private:
AppleSSLContext(Config* config)
: config_(config)
{
if (!config_->identity())
OPENVPN_THROW(ssl_context_error, "AppleSSLContext: identity undefined");
}
const Frame::Ptr& frame() const { return config_->frame; }
const CF::Array& identity() const { return config_->identity; }
// load an identity from keychain, return as an array that can
// be passed to SSLSetCertificate
static CF::Array load_identity_(const std::string& subj_match)
{
const CF::String label = CF::string(subj_match);
const void *keys[] = { kSecClass, kSecMatchSubjectContains, kSecMatchTrustedOnly, kSecReturnRef };
const void *values[] = { kSecClassIdentity, label(), kCFBooleanTrue, kCFBooleanTrue };
const CF::Dict query = CF::dict(keys, values, sizeof(keys)/sizeof(keys[0]));
CF::Generic result;
const OSStatus s = SecItemCopyMatching(query(), result.mod_ref());
if (!s && result.defined())
{
const void *asrc[] = { result() };
return CF::array(asrc, 1);
}
else
return CF::Array(); // not found
}
Config::Ptr config_;
};
typedef AppleSSLContext::Ptr AppleSSLContextPtr;
} // namespace openvpn
#endif // OPENVPN_APPLECRYPTO_SSL_SSLCTX_H

78
Sources/OpenVPN3/openvpn/applecrypto/util/rand.hpp Normal file
View File

@@ -0,0 +1,78 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap the Apple Cryptographic Random API defined in <Security/SecRandom.h>
// so that it can be used as the primary source of cryptographic entropy by
// the OpenVPN core.
#ifndef OPENVPN_APPLECRYPTO_UTIL_RAND_H
#define OPENVPN_APPLECRYPTO_UTIL_RAND_H
#include <Security/SecRandom.h>
#include <openvpn/random/randapi.hpp>
namespace openvpn {
class AppleRandom : public RandomAPI
{
public:
OPENVPN_EXCEPTION(rand_error_apple);
typedef RCPtr<AppleRandom> Ptr;
AppleRandom(const bool prng)
{
}
virtual std::string name() const
{
return "AppleRandom";
}
// Return true if algorithm is crypto-strength
virtual bool is_crypto() const
{
return true;
}
// Fill buffer with random bytes
virtual void rand_bytes(unsigned char *buf, size_t size)
{
if (!rndbytes(buf, size))
throw rand_error_apple("rand_bytes");
}
// Like rand_bytes, but don't throw exception.
// Return true on successs, false on fail.
virtual bool rand_bytes_noexcept(unsigned char *buf, size_t size)
{
return rndbytes(buf, size);
}
private:
bool rndbytes(unsigned char *buf, size_t size)
{
return SecRandomCopyBytes(kSecRandomDefault, size, buf) ? false : true;
}
};
}
#endif