Merge commit '86cc97e55fe346502462284d2e636a2b3708163e' as 'Sources/OpenVPN3'

Sources/OpenVPN3/openvpn/pki/cclist.hpp

@@ -0,0 +1,160 @@
+//    OpenVPN -- An application to securely tunnel IP networks
+//               over a single port, with support for SSL/TLS-based
+//               session authentication and key exchange,
+//               packet encryption, packet authentication, and
+//               packet compression.
+//
+//    Copyright (C) 2012-2017 OpenVPN Inc.
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU Affero General Public License Version 3
+//    as published by the Free Software Foundation.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU Affero General Public License for more details.
+//
+//    You should have received a copy of the GNU Affero General Public License
+//    along with this program in the COPYING file.
+//    If not, see <http://www.gnu.org/licenses/>.
+
+#ifndef OPENVPN_PKI_CCLIST_H
+#define OPENVPN_PKI_CCLIST_H
+
+#include <string>
+#include <sstream>
+#include <fstream>
+
+#include <openvpn/common/size.hpp>
+#include <openvpn/common/exception.hpp>
+#include <openvpn/common/file.hpp>
+#include <openvpn/common/string.hpp>
+
+namespace openvpn {
+
+  // Parse a concatenated list of certs and CRLs (PEM format).
+  // Abstracts CertList and CRLList, so can be used with any crypto lib.
+  // CertList and CRLList must define Item type.
+  template <typename CertList, typename CRLList>
+  class CertCRLListTemplate
+  {
+  public:
+    OPENVPN_EXCEPTION(parse_cert_crl_error);
+
+    CertCRLListTemplate() {}
+
+    explicit CertCRLListTemplate(const std::string& content, const std::string& title)
+    {
+      from_string(content, title, &certs, &crls);
+    }
+
+    void parse_pem(const std::string& content, const std::string& title)
+    {
+      from_string(content, title, &certs, &crls);
+    }
+
+    void parse_pem_file(const std::string& filename)
+    {
+      from_file(filename, &certs, &crls);
+    }
+
+    std::string render_pem() const
+    {
+      return certs.render_pem() + crls.render_pem();
+    }
+
+    static void from_istream(std::istream& in, const std::string& title, CertList* cert_list, CRLList* crl_list)
+    {
+      static const char cert_start[] = "-----BEGIN CERTIFICATE-----";
+      static const char cert_end[] = "-----END CERTIFICATE-----";
+      static const char crl_start[] = "-----BEGIN X509 CRL-----";
+      static const char crl_end[] = "-----END X509 CRL-----";
+
+      enum {
+	S_OUTSIDE, // outside of CERT or CRL block
+	S_IN_CERT, // in CERT block
+	S_IN_CRL,  // in CRL block
+      };
+
+      std::string line;
+      int state = S_OUTSIDE;
+      std::string item = "";
+      int line_num = 0;
+
+      while (std::getline(in, line))
+	{
+	  line_num++;
+	  string::trim(line);
+	  if (state == S_OUTSIDE)
+	    {
+	      if (line == cert_start)
+		{
+		  if (!cert_list)
+		    OPENVPN_THROW(parse_cert_crl_error, title << ":" << line_num << " : not expecting a CERT");
+		  state = S_IN_CERT;
+		}
+	      else if (line == crl_start)
+		{
+		  if (!crl_list)
+		    OPENVPN_THROW(parse_cert_crl_error, title << ":" << line_num << " : not expecting a CRL");
+		  state = S_IN_CRL;
+		}
+	    }
+	  if (state != S_OUTSIDE)
+	    {
+	      item += line;
+	      item += "\n";
+	    }
+	  if (state == S_IN_CERT && line == cert_end)
+	    {
+	      try {
+		cert_list->emplace_back(item, title);
+	      }
+	      catch (const std::exception& e)
+		{
+		  OPENVPN_THROW(parse_cert_crl_error, title << ":" << line_num << " : error parsing CERT: " << e.what());
+		}
+	      state = S_OUTSIDE;
+	      item = "";
+	    }
+	  if (state == S_IN_CRL && line == crl_end)
+	    {
+	      try {
+		crl_list->emplace_back(item);
+	      }
+	      catch (const std::exception& e)
+		{
+		  OPENVPN_THROW(parse_cert_crl_error, title << ":" << line_num << " : error parsing CRL: " << e.what());
+		}
+	      state = S_OUTSIDE;
+	      item = "";
+	    }
+	}
+      if (state != S_OUTSIDE)
+	OPENVPN_THROW(parse_cert_crl_error, title << " : CERT/CRL content ended unexpectedly without END marker");
+    }
+
+    static void from_string(const std::string& content, const std::string& title, CertList* cert_list, CRLList* crl_list = nullptr)
+    {
+      std::stringstream in(content);
+      from_istream(in, title, cert_list, crl_list);
+    }
+
+    static void from_file(const std::string& filename, CertList* cert_list, CRLList* crl_list = nullptr)
+    {
+      std::ifstream ifs(filename.c_str());
+      if (!ifs)
+	OPENVPN_THROW(open_file_error, "cannot open CERT/CRL file " << filename);
+      from_istream(ifs, filename, cert_list, crl_list);
+      if (ifs.bad())
+	OPENVPN_THROW(open_file_error, "cannot read CERT/CRL file " << filename);
+    }
+
+    CertList certs;
+    CRLList crls;
+  };
+
+} // namespace openvpn
+
+#endif // OPENVPN_PKI_CCLIST_H

Sources/OpenVPN3/openvpn/pki/epkibase.hpp

@@ -0,0 +1,42 @@
+//    OpenVPN -- An application to securely tunnel IP networks
+//               over a single port, with support for SSL/TLS-based
+//               session authentication and key exchange,
+//               packet encryption, packet authentication, and
+//               packet compression.
+//
+//    Copyright (C) 2012-2017 OpenVPN Inc.
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU Affero General Public License Version 3
+//    as published by the Free Software Foundation.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU Affero General Public License for more details.
+//
+//    You should have received a copy of the GNU Affero General Public License
+//    along with this program in the COPYING file.
+//    If not, see <http://www.gnu.org/licenses/>.
+
+#ifndef OPENVPN_PKI_EPKIBASE_H
+#define OPENVPN_PKI_EPKIBASE_H
+
+#include <string>
+
+namespace openvpn {
+
+  // Abstract base class used to provide an interface where core SSL implementation
+  // can use an external private key.
+  class ExternalPKIBase
+  {
+  public:
+    // Sign data (base64) and return signature as sig (base64).
+    // Return true on success or false on error.
+    virtual bool sign(const std::string& data, std::string& sig, const std::string& algorithm) = 0;
+
+    virtual ~ExternalPKIBase() {}
+  };
+}
+
+#endif

Sources/OpenVPN3/openvpn/pki/pkcs1.hpp

@@ -0,0 +1,117 @@
+//    OpenVPN -- An application to securely tunnel IP networks
+//               over a single port, with support for SSL/TLS-based
+//               session authentication and key exchange,
+//               packet encryption, packet authentication, and
+//               packet compression.
+//
+//    Copyright (C) 2012-2017 OpenVPN Inc.
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU Affero General Public License Version 3
+//    as published by the Free Software Foundation.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU Affero General Public License for more details.
+//
+//    You should have received a copy of the GNU Affero General Public License
+//    along with this program in the COPYING file.
+//    If not, see <http://www.gnu.org/licenses/>.
+
+#ifndef OPENVPN_PKI_PKCS1_H
+#define OPENVPN_PKI_PKCS1_H
+
+#include <cstring>
+
+#include <openvpn/common/size.hpp>
+#include <openvpn/buffer/buffer.hpp>
+
+namespace openvpn {
+  namespace PKCS1 {
+    // from http://www.ietf.org/rfc/rfc3447.txt
+    namespace DigestPrefix { // CONST GLOBAL
+      namespace {
+	const unsigned char MD2[] = { 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08,
+				      0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
+				      0x02, 0x02, 0x05, 0x00, 0x04, 0x10 };
+	const unsigned char MD5[] = { 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08,
+				      0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
+				      0x02, 0x05, 0x05, 0x00, 0x04, 0x10 };
+	const unsigned char SHA1[] = { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
+				       0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
+				       0x00, 0x04, 0x14 };
+	const unsigned char SHA256[] = { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
+					 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
+					 0x04, 0x02, 0x01, 0x05, 0x00, 0x04,
+					 0x20 };
+	const unsigned char SHA384[] = { 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
+					 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
+					 0x04, 0x02, 0x02, 0x05, 0x00, 0x04,
+					 0x30 };
+	const unsigned char SHA512[] = { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
+					 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
+					 0x04, 0x02, 0x03, 0x05, 0x00, 0x04,
+					 0x40 };
+      }
+
+      template <typename T>
+      class Parse
+      {
+      public:
+	Parse(const T none,
+	      const T md2,
+	      const T md5,
+	      const T sha1,
+	      const T sha256,
+	      const T sha384,
+	      const T sha512)
+	  : none_(none),
+	    md2_(md2),
+	    md5_(md5),
+	    sha1_(sha1),
+	    sha256_(sha256),
+	    sha384_(sha384),
+	    sha512_(sha512)
+	{
+	}
+
+	T alg_from_prefix(Buffer& buf) const
+	{
+	  if (match(buf, MD2, sizeof(MD2)))
+	    return md2_;
+	  else if (match(buf, MD5, sizeof(MD5)))
+	    return md5_;
+	  else if (match(buf, SHA1, sizeof(SHA1)))
+	    return sha1_;
+	  else if (match(buf, SHA256, sizeof(SHA256)))
+	    return sha256_;
+	  else if (match(buf, SHA384, sizeof(SHA384)))
+	    return sha384_;
+	  else if (match(buf, SHA512, sizeof(SHA512)))
+	    return sha512_;
+	  else
+	    return none_;
+	}
+
+      private:
+	bool match(Buffer& buf, const unsigned char *data, const size_t size) const
+	{
+	  if (buf.size() < size)
+	    return false;
+	  else if (std::memcmp(buf.c_data(), data, size) == 0)
+	    {
+	      buf.advance(size);
+	      return true;
+	    }
+	  else
+	    return false;
+	}
+
+	const T none_, md2_, md5_, sha1_, sha256_, sha384_, sha512_;
+      };
+    }
+  }
+}
+
+#endif

Sources/OpenVPN3/openvpn/pki/pktype.hpp

@@ -0,0 +1,39 @@
+//    OpenVPN -- An application to securely tunnel IP networks
+//               over a single port, with support for SSL/TLS-based
+//               session authentication and key exchange,
+//               packet encryption, packet authentication, and
+//               packet compression.
+//
+//    Copyright (C) 2012-2017 OpenVPN Inc.
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU Affero General Public License Version 3
+//    as published by the Free Software Foundation.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU Affero General Public License for more details.
+//
+//    You should have received a copy of the GNU Affero General Public License
+//    along with this program in the COPYING file.
+//    If not, see <http://www.gnu.org/licenses/>.
+
+#pragma once
+
+// private key types
+
+namespace openvpn {
+  namespace PKType {
+
+    enum Type {
+      PK_UNKNOWN = 0,
+      PK_NONE,
+      PK_DSA,
+      PK_RSA,
+      PK_EC,
+      PK_ECDSA,
+    };
+
+  }
+}

Sources/OpenVPN3/openvpn/pki/x509track.hpp

@@ -0,0 +1,230 @@
+//    OpenVPN -- An application to securely tunnel IP networks
+//               over a single port, with support for SSL/TLS-based
+//               session authentication and key exchange,
+//               packet encryption, packet authentication, and
+//               packet compression.
+//
+//    Copyright (C) 2012-2017 OpenVPN Inc.
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU Affero General Public License Version 3
+//    as published by the Free Software Foundation.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU Affero General Public License for more details.
+//
+//    You should have received a copy of the GNU Affero General Public License
+//    along with this program in the COPYING file.
+//    If not, see <http://www.gnu.org/licenses/>.
+
+#ifndef OPENVPN_PKI_X509TRACK_H
+#define OPENVPN_PKI_X509TRACK_H
+
+#include <string>
+#include <vector>
+
+#include <openvpn/common/exception.hpp>
+#include <openvpn/common/options.hpp>
+#include <openvpn/common/arraysize.hpp>
+#include <openvpn/common/string.hpp>
+#include <openvpn/common/to_string.hpp>
+
+namespace openvpn {
+  namespace X509Track {
+
+    enum Type {
+      UNDEF=-1,
+      SERIAL,
+      SERIAL_HEX,
+      SHA1,
+      CN,
+      C,
+      L,
+      ST,
+      O,
+      OU,
+      EMAIL,
+      N_TYPES,
+    };
+
+    static const char *const names[] = { // CONST GLOBAL
+      "SERIAL",
+      "SERIAL_HEX",
+      "SHA1",
+      "CN",
+      "C",
+      "L",
+      "ST",
+      "O",
+      "OU",
+      "emailAddress",
+    };
+
+    OPENVPN_EXCEPTION(x509_track_error);
+
+    inline const char *name(const Type type)
+    {
+      static_assert(N_TYPES == array_size(names), "x509 names array inconsistency");
+      if (type >= 0 && type < N_TYPES)
+	return names[type];
+      else
+	return "UNDEF";
+    }
+
+    inline Type parse_type(const std::string& name)
+    {
+      for (size_t i = 0; i < N_TYPES; ++i)
+	if (name == names[i])
+	  return Type(i);
+      return UNDEF;
+    }
+
+    struct Config
+    {
+      Config(const Type type_arg, const bool full_chain_arg)
+	: type(type_arg),
+	  full_chain(full_chain_arg)
+      {
+      }
+
+      Config(const std::string& spec)
+      {
+	full_chain = (spec.length() > 0 && spec[0] == '+');
+	type = parse_type(spec.substr(full_chain ? 1 : 0));
+	if (type == UNDEF)
+	  throw Exception("cannot parse attribute '" + spec + "'");
+      }
+
+      std::string to_string() const
+      {
+	std::string ret;
+	if (full_chain)
+	  ret += '+';
+	ret += name(type);
+	return ret;
+      }
+
+      bool depth_match(const int depth) const
+      {
+	return !depth || full_chain;
+      }
+
+      Type type;
+      bool full_chain;
+    };
+
+    struct ConfigSet : public std::vector<Config>
+    {
+      ConfigSet() {}
+
+      ConfigSet(const OptionList& opt,
+		const bool include_serial,
+		const bool include_serial_hex)
+      {
+	const auto* xt = opt.get_index_ptr("x509-track");
+	if (xt)
+	  {
+	    for (const auto &i : *xt)
+	      {
+		try {
+		  const Option& o = opt[i];
+		  o.touch();
+		  emplace_back(o.get(1, 64));
+		}
+		catch (const std::exception& e)
+		  {
+		    throw x509_track_error(e.what());
+		  }
+	      }
+	  }
+
+	if (include_serial && !exists(SERIAL))
+	  emplace_back(SERIAL, true);
+	if (include_serial_hex && !exists(SERIAL_HEX))
+	  emplace_back(SERIAL_HEX, true);
+      }
+
+      bool exists(const Type t) const
+      {
+	for (auto &c : *this)
+	  if (c.type == t)
+	    return true;
+	return false;
+      }
+
+      std::string to_string() const
+      {
+	std::string ret;
+	for (auto &c : *this)
+	  {
+	    ret += c.to_string();
+	    ret += '\n';
+	  }
+	return ret;
+      }
+    };
+
+    struct KeyValue
+    {
+      KeyValue(const Type type_arg,
+	       const int depth_arg,
+	       std::string value_arg)
+	: type(type_arg),
+	  depth(depth_arg),
+	  value(std::move(value_arg))
+      {
+      }
+
+      std::string to_string(const bool omi_form) const
+      {
+	std::string ret;
+	ret.reserve(128);
+	if (omi_form)
+	  ret += ">CLIENT:ENV,";
+	ret += key_name();
+	ret += '=';
+	ret += string::reduce_spaces(value, ' ');
+	return ret;
+      }
+
+      std::string key_name() const
+      {
+	switch (type)
+	  {
+	  case SERIAL:
+	    return "tls_serial_" + openvpn::to_string(depth);
+	  case SERIAL_HEX:
+	    return "tls_serial_hex_" + openvpn::to_string(depth);
+	  default:
+	    return "X509_" + openvpn::to_string(depth) + '_' + name(type);
+	  }
+      }
+
+      Type type = UNDEF;
+      int depth = 0;
+      std::string value;
+    };
+
+    struct Set : public std::vector<KeyValue>
+    {
+      std::string to_string(const bool omi_form) const
+      {
+	std::string ret;
+	ret.reserve(512);
+	for (auto &kv : *this)
+	  {
+	    ret += kv.to_string(omi_form);
+	    if (omi_form)
+	      ret += '\r';
+	    ret += '\n';
+	  }
+	return ret;
+      }
+    };
+
+  }
+}
+
+#endif