github/OpenVPNAdapter
4
0
Fork 0
mirror of https://github.com/deneraraujo/OpenVPNAdapter.git synced 2026-04-24 00:00:05 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge commit '86cc97e55fe346502462284d2e636a2b3708163e' as 'Sources/OpenVPN3'

Browse Source
This commit is contained in:
Sergey Abramchuk
2020-02-24 14:43:11 +03:00
parent 133b3756e6 86cc97e55f
commit 32f1555929
655 changed files with 146468 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Sources/OpenVPN3/openvpn/options/continuation.hpp
+106
View File
@@ -0,0 +1,106 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Handle pushed option list "continuations". This is where multiple
// option lists are pushed by the server, if an option list doesn't fit
// into the standard 1024 byte buffer. This class will aggregate the
// options.
#ifndef OPENVPN_OPTIONS_CONTINUATION_H
#define OPENVPN_OPTIONS_CONTINUATION_H
#include <openvpn/common/exception.hpp>
#include <openvpn/common/options.hpp>
namespace openvpn {
struct PushOptionsBase : public RC<thread_unsafe_refcount>
{
typedef RCPtr<PushOptionsBase> Ptr;
OptionList multi;
OptionList singleton;
};
// Aggregate pushed option continuations into a singular option list.
// Note that map is not updated until list is complete.
class OptionListContinuation : public OptionList
{
public:
OPENVPN_SIMPLE_EXCEPTION(olc_complete); // add called when object is already complete
OptionListContinuation(const PushOptionsBase::Ptr& push_base_arg)
: partial_(false),
complete_(false),
push_base(push_base_arg)
{
// Prepend from base where multiple options of the same type can aggregate,
// so that server-pushed options will be at the end of list.
if (push_base)
extend(push_base->multi, nullptr);
}
// call with option list fragments
void add(const OptionList& other, OptionList::FilterBase* filt)
{
if (!complete_)
{
partial_ = true;
extend(other, filt);
if (!continuation(other))
{
if (push_base)
{
// Append from base where only a single instance of each option makes sense,
// provided that option wasn't already pushed by server.
update_map();
extend_nonexistent(push_base->singleton);
}
update_map();
complete_ = true;
}
}
else
throw olc_complete();
}
// returns true if add() was called at least once
bool partial() const { return partial_; }
// returns true if option list is complete
bool complete() const { return complete_; }
private:
static bool continuation(const OptionList& opt)
{
const Option *o = opt.get_ptr("push-continuation");
return o && o->size() >= 2 && o->ref(1) == "2";
}
bool partial_;
bool complete_;
PushOptionsBase::Ptr push_base;
};
} // namespace openvpn
#endif // OPENVPN_OPTIONS_CONTINUATION_H
Sources/OpenVPN3/openvpn/options/merge.hpp
+496
View File
@@ -0,0 +1,496 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// This class will read a standard OpenVPN config file that might contain
// references to other files, and it will merge the included files into the
// config file, using inline configuration syntax, to produce a single,
// unified config file.
#ifndef OPENVPN_OPTIONS_MERGE_H
#define OPENVPN_OPTIONS_MERGE_H
#include <string>
#include <sstream>
#include <vector>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/common/options.hpp>
#include <openvpn/common/string.hpp>
#include <openvpn/common/split.hpp>
#include <openvpn/common/path.hpp>
#include <openvpn/common/file.hpp>
#include <openvpn/common/splitlines.hpp>
namespace openvpn {
class ProfileMerge
{
// internal flags
enum {
F_MAY_INCLUDE_KEY_DIRECTION = (1<<0),
F_PKCS12 = (1<<1),
F_HTTP_PROXY = (1<<2),
};
// limits
enum {
MAX_FN_LIST_SIZE=16,
};
public:
OPENVPN_EXCEPTION(merge_error);
// public status values
enum Status {
MERGE_UNDEFINED,
MERGE_SUCCESS,
MERGE_EXCEPTION,
MERGE_OVPN_EXT_FAIL,
MERGE_OVPN_FILE_FAIL,
MERGE_REF_FAIL,
MERGE_MULTIPLE_REF_FAIL,
};
// merge status
Status status() const { return status_; }
const std::string& error() const { return error_; }
// merge path basename
const std::string& basename() const { return basename_; }
// final unified profile
const std::string& profile_content() const { return profile_content_; }
// list of all reference paths successfully read
const std::vector<std::string>& ref_path_list() const { return ref_succeed_list_; }
// merge status as a string
const char *status_string() const
{
switch (status_)
{
case MERGE_UNDEFINED:
return "MERGE_UNDEFINED";
case MERGE_SUCCESS:
return "MERGE_SUCCESS";
case MERGE_EXCEPTION:
return "MERGE_EXCEPTION";
case MERGE_OVPN_EXT_FAIL:
return "MERGE_OVPN_EXT_FAIL";
case MERGE_OVPN_FILE_FAIL:
return "MERGE_OVPN_FILE_FAIL";
case MERGE_REF_FAIL:
return "MERGE_REF_FAIL";
case MERGE_MULTIPLE_REF_FAIL:
return "MERGE_MULTIPLE_REF_FAIL";
default:
return "MERGE_?";
}
}
// allow following of external file references
enum Follow {
FOLLOW_NONE,
FOLLOW_PARTIAL,
FOLLOW_FULL,
};
ProfileMerge(const std::string& profile_path,
const std::string& profile_ext,
const std::string& profile_dir_override,
const Follow follow_references,
const size_t max_line_len,
const size_t max_size)
: status_(MERGE_UNDEFINED)
{
try {
size_t total_size = 0;
// read the profile
std::string orig_profile_content;
std::string profile_dir;
try {
profile_dir = !profile_dir_override.empty() ? profile_dir_override : path::dirname(profile_path);
basename_ = path::basename(profile_path);
const std::string ext = path::ext(basename_);
if (profile_ext.empty() || string::strcasecmp(ext, profile_ext) == 0)
{
orig_profile_content = read_text_utf8(profile_path, max_size);
total_size = orig_profile_content.size();
}
else
{
status_ = MERGE_OVPN_EXT_FAIL;
error_ = std::string("ERR_PROFILE_NO_OVPN_EXTENSION: ") + basename_;
return;
}
}
catch (const file_is_binary& e)
{
status_ = MERGE_OVPN_FILE_FAIL;
error_ = std::string("ERR_PROFILE_FILE_IS_BINARY: ") + e.what();
return;
}
catch (const file_too_large& e)
{
status_ = MERGE_OVPN_FILE_FAIL;
error_ = std::string("ERR_PROFILE_FILE_TOO_LARGE: ") + e.what();
return;
}
catch (const std::exception& e)
{
status_ = MERGE_OVPN_FILE_FAIL;
error_ = std::string("ERR_PROFILE_GENERIC: ") + e.what();
return;
}
// expand the profile
expand_profile(orig_profile_content, profile_dir, follow_references, max_line_len, max_size, total_size);
}
catch (const std::exception& e)
{
status_ = MERGE_EXCEPTION;
error_ = std::string("ERR_PROFILE_GENERIC: ") + e.what();
}
}
static std::string merge(const std::string& profile_path,
const std::string& profile_ext,
const std::string& profile_dir_override,
const Follow follow_references,
const size_t max_line_len,
const size_t max_size)
{
const ProfileMerge pm(profile_path, profile_ext, profile_dir_override,
follow_references, max_line_len, max_size);
if (pm.status() == ProfileMerge::MERGE_SUCCESS)
return pm.profile_content();
else
OPENVPN_THROW(merge_error, pm.status_string() << ": " << pm.error());
}
protected:
ProfileMerge() : status_(MERGE_UNDEFINED) {}
void expand_profile(const std::string& orig_profile_content,
const std::string& profile_dir,
const Follow follow_references,
const size_t max_line_len,
const size_t max_size,
size_t total_size)
{
if (total_size > max_size)
{
status_ = MERGE_EXCEPTION;
error_ = "ERR_PROFILE_FILE_TOO_LARGE: file too large";
return;
}
status_ = MERGE_SUCCESS;
SplitLines in(orig_profile_content, max_line_len);
int line_num = 0;
bool in_multiline = false;
bool opaque_multiline = false;
Option multiline;
profile_content_.reserve(orig_profile_content.length());
while (in(true))
{
if (in.line_overflow())
{
status_ = MERGE_EXCEPTION;
error_ = "ERR_PROFILE_LINE_TOO_LONG: line too long";
return;
}
const std::string& line = in.line_ref();
bool echo = true;
++line_num;
if (in_multiline)
{
if (OptionList::is_close_tag(line, multiline.ref(0)))
{
multiline.clear();
in_multiline = false;
opaque_multiline = false;
}
}
else if (!OptionList::ignore_line(line))
{
Option opt = Split::by_space<Option, OptionList::LexComment, SpaceMatch, Split::NullLimit>(line);
if (opt.size())
{
if (OptionList::is_open_tag(opt.ref(0)) && opt.size() == 1)
{
OptionList::untag_open_tag(opt.ref(0));
multiline = opt;
in_multiline = true;
unsigned int flags = 0; // not used
opaque_multiline = is_fileref_directive(multiline.ref(0), flags);
}
else
{
unsigned int flags = 0;
bool is_fileref = (!opaque_multiline
&& opt.size() >= 2
&& is_fileref_directive(opt.ref(0), flags));
if (is_fileref)
{
// check if http-proxy directive references a creds file
if (flags & F_HTTP_PROXY)
{
is_fileref = false;
if (opt.size() >= 4)
{
const std::string authfile = opt.get(3, 256);
if (authfile != "auto" && authfile != "auto-nct")
{
opt.ref(3) = "auto";
profile_content_ += opt.escape();
profile_content_ += '\n';
opt.ref(0) = "http-proxy-user-pass";
opt.ref(1) = authfile;
opt.resize(2);
is_fileref = true;
}
}
}
}
if (is_fileref)
{
// found a directive referencing a file
// get basename of file and make sure that it doesn't
// attempt to traverse directories (unless
// follow_references == FOLLOW_FULL)
const std::string fn_str = opt.get(1, 256);
const std::string fn = (follow_references == FOLLOW_FULL ? fn_str : path::basename(fn_str));
if (fn.empty())
{
echo = false;
status_ = MERGE_REF_FAIL;
error_ = "ERR_PROFILE_NO_FILENAME: filename not provided";
}
else if (follow_references != FOLLOW_FULL && !path::is_flat(fn))
{
echo = false;
status_ = MERGE_REF_FAIL;
error_ = std::string("ERR_PROFILE_CANT_FOLLOW_LINK: ") + fn;
if (ref_fail_list_.size() < MAX_FN_LIST_SIZE)
ref_fail_list_.push_back(fn);
}
else
{
std::string path;
std::string file_content;
bool error = false;
try {
if (follow_references == FOLLOW_NONE)
{
status_ = MERGE_EXCEPTION;
error_ = std::string("ERR_PROFILE_CANT_FOLLOW_LINK: ") + fn + ": cannot follow file reference";
return;
}
path = path::join(profile_dir, fn);
file_content = read_text_utf8(path, max_size);
total_size += file_content.size();
if (total_size > max_size)
{
status_ = MERGE_EXCEPTION;
error_ = std::string("ERR_PROFILE_FILE_TOO_LARGE: ") + fn + ": file too large";
return;
}
OptionList::detect_multiline_breakout(file_content, opt.ref(0));
}
catch (const std::exception& e)
{
error = true;
status_ = MERGE_REF_FAIL;
error_ = std::string("ERR_PROFILE_GENERIC: ") + fn + " : " + e.what();
if (ref_fail_list_.size() < MAX_FN_LIST_SIZE)
ref_fail_list_.push_back(fn);
}
if (!error) // succeeded in reading file?
{
// don't echo this line, i.e. opt[], instead expand file_content into profile
echo = false;
// tls-auth or secret directive may include key-direction parameter
if (flags & F_MAY_INCLUDE_KEY_DIRECTION)
{
std::string key_direction;
if (opt.size() >= 3)
key_direction = opt.get(2, 16);
else
key_direction = "bidirectional";
profile_content_ += "key-direction " + key_direction + "\n";
}
// format file_content for appending to profile
{
std::ostringstream os;
const std::string& tag = opt.ref(0);
string::add_trailing(file_content, '\n');
os << '<' << tag << ">\n" << file_content << "</" << tag << ">\n";
profile_content_ += os.str();
}
// save file we referenced
if (ref_succeed_list_.size() < MAX_FN_LIST_SIZE)
ref_succeed_list_.push_back(path);
}
}
}
}
}
}
if (echo)
{
profile_content_ += line;
profile_content_ += '\n';
}
}
// If more than 2 errors occurred, change status to
// MERGE_MULTIPLE_REF_FAIL and enumerate each failed file.
if (ref_fail_list_.size() >= 2)
{
status_ = MERGE_MULTIPLE_REF_FAIL;
error_ = "ERR_PROFILE_GENERIC: ";
for (size_t i = 0; i < ref_fail_list_.size(); ++i)
{
if (i)
error_ += ", ";
error_ += ref_fail_list_[i];
}
}
}
static bool is_fileref_directive(const std::string& d, unsigned int& flags)
{
if (d.length() > 0)
{
switch (d[0])
{
case 'a':
return d == "auth-user-pass";
case 'c':
return d == "ca" || d == "cert" || d == "crl-verify";
case 'd':
return d == "dh";
case 'e':
return d == "extra-certs";
case 'h':
if (d == "http-proxy")
{
flags |= F_HTTP_PROXY;
return true;
}
return false;
case 'k':
return d == "key";
#if 0 // define when we have capability to parse out pkcs12 from profile and add to Keychain (fixme)
case 'p':
if (d == "pkcs12")
{
flags |= F_PKCS12;
return true;
}
return false;
#endif
case 'r':
if (d == "relay-extra-ca")
return true;
if (d == "relay-tls-auth")
{
flags |= F_MAY_INCLUDE_KEY_DIRECTION;
return true;
}
return false;
case 's':
if (d == "static-key")
return true;
return false;
case 't':
if (d == "tls-auth")
{
flags |= F_MAY_INCLUDE_KEY_DIRECTION;
return true;
}
if (d == "tls-crypt")
return true;
if (d == "tls-crypt-v2")
return true;
return false;
}
}
return false;
}
Status status_;
std::string profile_content_;
std::string basename_;
std::string error_;
std::vector<std::string> ref_fail_list_;
std::vector<std::string> ref_succeed_list_;
};
class ProfileMergeFromString : public ProfileMerge
{
public:
ProfileMergeFromString(const std::string& profile_content,
const std::string& ref_dir,
const Follow follow_references,
const size_t max_line_len,
const size_t max_size)
{
try {
// expand the profile
expand_profile(profile_content, ref_dir, follow_references,
max_line_len, max_size, profile_content.size());
}
catch (const std::exception& e)
{
status_ = MERGE_EXCEPTION;
error_ = std::string("ERR_PROFILE_GENERIC: ") + e.what();
}
}
static std::string merge(const std::string& profile_content,
const std::string& ref_dir,
const Follow follow_references,
const size_t max_line_len,
const size_t max_size)
{
const ProfileMergeFromString pm(profile_content, ref_dir,
follow_references, max_line_len, max_size);
if (pm.status() == ProfileMerge::MERGE_SUCCESS)
return pm.profile_content();
else
OPENVPN_THROW(merge_error, pm.status_string() << ": " << pm.error());
}
};
}
#endif
Sources/OpenVPN3/openvpn/options/sanitize.hpp
+109
View File
@@ -0,0 +1,109 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Sanitize certain kinds of strings before they are output to the log file.
#ifndef OPENVPN_OPTIONS_SANITIZE_H
#define OPENVPN_OPTIONS_SANITIZE_H
#include <string>
#include <cstring>
#include <openvpn/common/exception.hpp>
#include <openvpn/common/options.hpp>
namespace openvpn {
inline std::string render_options_sanitized(const OptionList& opt, const unsigned int render_flags)
{
std::ostringstream out;
for (size_t i = 0; i < opt.size(); i++)
{
const Option& o = opt[i];
#ifndef OPENVPN_SHOW_SESSION_TOKEN
if (o.get_optional(0, 0) == "auth-token")
out << i << " [auth-token] ..." << std::endl;
else
#endif
out << i << ' ' << o.render(render_flags) << std::endl;
}
return out.str();
}
// Remove security-sensitive strings from control message
// so that they will not be output to log file.
inline std::string sanitize_control_message(const std::string& src_str)
{
#ifdef OPENVPN_SHOW_SESSION_TOKEN
return src_str;
#else
const char *src = src_str.c_str();
char *ret = new char[src_str.length()+1];
char *dest = ret;
bool redact = false;
int skip = 0;
for (;;)
{
const char c = *src;
if (c == '\0')
break;
if (c == 'S' && !::strncmp(src, "SESS_ID_", 8))
{
skip = 7;
redact = true;
}
else if (c == 'e' && !::strncmp(src, "echo ", 5))
{
skip = 4;
redact = true;
}
if (c == ',') /* end of redacted item? */
{
skip = 0;
redact = false;
}
if (redact)
{
if (skip > 0)
{
--skip;
*dest++ = c;
}
}
else
*dest++ = c;
++src;
}
*dest = '\0';
const std::string ret_str(ret);
delete [] ret;
return ret_str;
#endif
}
}
#endif
Sources/OpenVPN3/openvpn/options/servpush.hpp
+85
View File
@@ -0,0 +1,85 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
#ifndef OPENVPN_OPTIONS_SERVPUSH_H
#define OPENVPN_OPTIONS_SERVPUSH_H
#include <string>
#include <sstream>
#include <ostream>
#include <vector>
#include <utility> // for std::move
#include <openvpn/common/exception.hpp>
#include <openvpn/common/options.hpp>
namespace openvpn {
class ServerPushList : public std::vector<std::string>
{
public:
void parse(const std::string& opt_name, const OptionList& opt)
{
const auto* push = opt.get_index_ptr(opt_name);
if (push)
{
reserve(size() + push->size());
for (auto &i : *push)
{
const Option& o = opt[i];
o.touch();
push_back(o.get(1, 512));
}
}
}
void extend(const std::vector<std::string>& other)
{
reserve(size() + other.size());
for (auto &e : other)
push_back(e);
}
// do a roundtrip to csv and back to OptionList
OptionList to_option_list() const
{
std::ostringstream os;
output_csv(os);
return OptionList::parse_from_csv_static(os.str(), nullptr);
}
void output_csv(std::ostream& os) const
{
for (auto &e : *this)
{
os << ',';
output_arg(e, os);
}
}
static void output_arg(const std::string& e, std::ostream& os)
{
const bool must_quote = (e.find_first_of(',') != std::string::npos);
Option::escape_string(os, e, must_quote);
}
};
}
#endif