github/OpenVPNAdapter
4
0
Fork 0
mirror of https://github.com/deneraraujo/OpenVPNAdapter.git synced 2026-04-06 00:00:03 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge commit '86cc97e55fe346502462284d2e636a2b3708163e' as 'Sources/OpenVPN3'

Browse Source
This commit is contained in:
Sergey Abramchuk
2020-02-24 14:43:11 +03:00
parent 133b3756e6 86cc97e55f
commit 32f1555929
655 changed files with 146468 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

113
Sources/OpenVPN3/openvpn/proxy/httpdigest.hpp Normal file
View File

@@ -0,0 +1,113 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Low-level methods used to implement HTTP Digest authentication
#ifndef OPENVPN_PROXY_HTTPDIGEST_H
#define OPENVPN_PROXY_HTTPDIGEST_H
#include <cstring> // for std::strlen and others
#include <string>
#include <openvpn/crypto/hashstr.hpp>
namespace openvpn {
namespace HTTPProxy {
class Digest
{
public:
// calculate H(A1) as per spec
static std::string calcHA1(DigestFactory& digest_factory,
const std::string& alg,
const std::string& username,
const std::string& realm,
const std::string& password,
const std::string& nonce,
const std::string& cnonce)
{
HashString h1(digest_factory, CryptoAlgs::MD5);
h1.update(username);
h1.update(':');
h1.update(realm);
h1.update(':');
h1.update(password);
BufferPtr result = h1.final();
if (string::strcasecmp(alg, "md5-sess") == 0)
{
HashString h2(digest_factory, CryptoAlgs::MD5);
h2.update(*result);
h2.update(':');
h2.update(nonce);
h2.update(':');
h2.update(cnonce);
result = h2.final();
}
return render_hex_generic(*result);
}
// calculate request-digest/response-digest as per HTTP Digest spec
static std::string calcResponse(DigestFactory& digest_factory,
const std::string& hA1, // H(A1)
const std::string& nonce, // nonce from server
const std::string& nonce_count, // 8 hex digits
const std::string& cnonce, // client nonce
const std::string& qop, // qop-value: "", "auth", "auth-int"
const std::string& method, // method from the request
const std::string& digestUri, // requested URI
const std::string& hEntity) // H(entity body) if qop="auth-int"
{
// calculate H(A2)
HashString h1(digest_factory, CryptoAlgs::MD5);
h1.update(method);
h1.update(':');
h1.update(digestUri);
if (string::strcasecmp(qop, "auth-int") == 0)
{
h1.update(':');
h1.update(hEntity);
}
const std::string hA2 = h1.final_hex();
// calculate response
HashString h2(digest_factory, CryptoAlgs::MD5);
h2.update(hA1);
h2.update(':');
h2.update(nonce);
h2.update(':');
if (!qop.empty())
{
h2.update(nonce_count);
h2.update(':');
h2.update(cnonce);
h2.update(':');
h2.update(qop);
h2.update(':');
}
h2.update(hA2);
return h2.final_hex();
}
};
}
}
#endif

229
Sources/OpenVPN3/openvpn/proxy/ntlm.hpp Normal file
View File

@@ -0,0 +1,229 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Low-level methods used to implement NTLMv2 proxy authentication
#ifndef OPENVPN_PROXY_NTLM_H
#define OPENVPN_PROXY_NTLM_H
#include <cstring>
#include <string>
#include <vector>
#include <cstdint> // for std::uint32_t, uint64_t
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/common/base64.hpp>
#include <openvpn/common/split.hpp>
#include <openvpn/common/unicode.hpp>
#include <openvpn/common/string.hpp>
#include <openvpn/time/time.hpp>
#include <openvpn/buffer/buffer.hpp>
#include <openvpn/crypto/digestapi.hpp>
namespace openvpn {
namespace HTTPProxy {
class NTLM
{
public:
/*
* NTLMv2 handshake
* http://davenport.sourceforge.net/ntlm.html
*
*/
static std::string phase_1()
{
return "TlRMTVNTUAABAAAAAgIAAA==";
}
static std::string phase_3(DigestFactory& digest_factory,
const std::string& phase_2_response,
const std::string& dom_username,
const std::string& password,
RandomAPI& rng)
{
// sanity checks
if (dom_username.empty())
throw Exception("username is blank");
if (password.empty())
throw Exception("password is blank");
// ensure that RNG is crypto-strength
rng.assert_crypto();
// split domain\username
std::string domain;
std::string username;
split_domain_username(dom_username, domain, username);
// convert password from utf-8 to utf-16 and take an MD4 hash of it
BufferPtr password_u = Unicode::string_to_utf16(password);
DigestInstance::Ptr md4_ctx(digest_factory.new_digest(CryptoAlgs::MD4));
md4_ctx->update(password_u->c_data(), password_u->size());
unsigned char md4_hash[21];
md4_ctx->final(md4_hash);
std::memset(md4_hash + 16, 0, 5); // pad to 21 bytes
// decode phase_2_response from base64 to raw data
BufferAllocated response(phase_2_response.size(), 0);
base64->decode(response, phase_2_response);
// extract the challenge from bytes 24-31 in the response
unsigned char challenge[8];
for (size_t i = 0; i < 8; ++i)
challenge[i] = response[i+24];
// concatenate uppercase(username) + domain,
// convert to utf-16, and run it through HMAC-MD5
// keyed to md4_hash
const std::string ud = string::to_upper_copy(username) + domain;
BufferPtr ud_u = Unicode::string_to_utf16(ud);
HMACInstance::Ptr hmac_ctx1(digest_factory.new_hmac(CryptoAlgs::MD5, md4_hash, 16));
hmac_ctx1->update(ud_u->c_data(), ud_u->size());
unsigned char ntlmv2_hash[16];
hmac_ctx1->final(ntlmv2_hash);
// NTLMv2 Blob
unsigned char ntlmv2_response[144];
unsigned char *ntlmv2_blob = ntlmv2_response + 16; // inside ntlmv2_response, length: 128
memset(ntlmv2_blob, 0, 128); // clear blob buffer
ntlmv2_blob[0x00]=1; // signature
ntlmv2_blob[0x01]=1; // signature
ntlmv2_blob[0x04]=0; // reserved
store_win_time(ntlmv2_blob + 0x08); // 64-bit Windows-style timestamp
rng.rand_bytes(ntlmv2_blob + 0x10, 8); // 64-bit client nonce
ntlmv2_blob[0x18]=0; // unknown, zero should work
// add target information block to the blob
size_t tib_len = 0;
if (response[0x16] & 0x80) // check for Target Information block (TIB)
{
tib_len = response[0x28]; // get TIB size
if (tib_len > 96)
tib_len = 96;
const size_t tib_offset = response[0x2c];
if (tib_offset + tib_len < response.size())
{
const unsigned char *tib_ptr = response.c_data() + tib_offset; // get TIB pointer
std::memcpy(&ntlmv2_blob[0x1c], tib_ptr, tib_len); // copy TIB into the blob
}
else
tib_len = 0;
}
ntlmv2_blob[0x1c + tib_len] = 0; // unknown, zero works
// Get blob length
const size_t ntlmv2_blob_size = 0x20 + tib_len;
// Add challenge from message 2
std::memcpy(&ntlmv2_response[8], challenge, 8);
// hmac-md5
HMACInstance::Ptr hmac_ctx2(digest_factory.new_hmac(CryptoAlgs::MD5, ntlmv2_hash, 16));
hmac_ctx2->update(&ntlmv2_response[8], ntlmv2_blob_size + 8);
unsigned char ntlmv2_hmacmd5[16];
hmac_ctx2->final(ntlmv2_hmacmd5);
// add hmac-md5 result to the blob
// Note: This overwrites challenge previously written at ntlmv2_response[8..15]
std::memcpy(ntlmv2_response, ntlmv2_hmacmd5, 16);
// start building phase3 message (what we return to caller)
BufferAllocated phase3(0x40, BufferAllocated::ARRAY|BufferAllocated::CONSTRUCT_ZERO|BufferAllocated::GROW);
std::strcpy((char *)phase3.data(), "NTLMSSP"); // signature
phase3[8] = 3; // type 3
// NTLMv2 response
add_security_buffer(0x14, ntlmv2_response, ntlmv2_blob_size + 16, phase3);
// username
add_security_buffer(0x24, username.c_str(), username.length(), phase3);
// Set domain. If <domain> is empty, default domain will be used (i.e. proxy's domain).
add_security_buffer(0x1c, domain.c_str(), domain.size(), phase3);
// other security buffers will be empty
phase3[0x10] = phase3.size(); // lm not used
phase3[0x30] = phase3.size(); // no workstation name supplied
phase3[0x38] = phase3.size(); // no session key
// flags
phase3[0x3c] = 0x02; // negotiate oem
phase3[0x3d] = 0x02; // negotiate ntlm
return base64->encode(phase3);
}
private:
// adds security buffer data to a message and sets security buffer's offset and length
static void add_security_buffer(const size_t sb_offset,
const void *data,
const unsigned char length,
Buffer& msg_buf)
{
msg_buf[sb_offset] = length;
msg_buf[sb_offset + 2] = length;
msg_buf[sb_offset + 4] = msg_buf.size() & 0xff;
msg_buf[sb_offset + 5] = (msg_buf.size() >> 8) & 0xff;
msg_buf.write((unsigned char *)data, length);
}
// store 64-bit windows time into a little-endian 8-byte buffer
static void store_win_time(unsigned char *dest)
{
const std::uint64_t wt = Time::win_time();
dest[0]= (unsigned char)wt;
dest[1]= (unsigned char)(wt >> 8);
dest[2]= (unsigned char)(wt >> 16);
dest[3]= (unsigned char)(wt >> 24);
dest[4]= (unsigned char)(wt >> 32);
dest[5]= (unsigned char)(wt >> 40);
dest[6]= (unsigned char)(wt >> 48);
dest[7]= (unsigned char)(wt >> 56);
}
static void split_domain_username(const std::string& combined, std::string& domain, std::string& username)
{
typedef std::vector<std::string> StringList;
StringList sl;
sl.reserve(2);
Split::by_char_void<StringList, NullLex, Split::NullLimit>(sl, combined, '\\', 1);
if (sl.size() == 1)
{
domain = "";
username = sl[0];
}
else if (sl.size() == 2)
{
domain = sl[0];
username = sl[1];
}
else
throw Exception("split_domain_username failed");
}
};
}
}
#endif

86
Sources/OpenVPN3/openvpn/proxy/proxyauth.hpp Normal file
View File

@@ -0,0 +1,86 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
#ifndef OPENVPN_PROXY_PROXYAUTH_H
#define OPENVPN_PROXY_PROXYAUTH_H
#include <vector>
#include <openvpn/common/rc.hpp>
#include <openvpn/common/split.hpp>
#include <openvpn/http/header.hpp>
namespace openvpn {
namespace HTTPProxy {
// parse the Proxy-Authenticate HTTP header
class ProxyAuthenticate : public RC<thread_unsafe_refcount> {
public:
typedef RCPtr<ProxyAuthenticate> Ptr;
ProxyAuthenticate() {}
ProxyAuthenticate(const std::string& line)
{
do_parse(line);
}
void parse(const std::string& line)
{
method = "";
parms.clear();
do_parse(line);
}
std::string to_string() const
{
std::ostringstream out;
out << "Proxy-Authenticate header" << std::endl;
out << "method=" << method << std::endl;
out << parms.to_string();
return out.str();
}
std::string method;
HTTP::HeaderList parms;
private:
void do_parse(const std::string& line)
{
std::vector<std::string> tuple = Split::by_char<std::vector<std::string>, StandardLex, Split::NullLimit>(line, ' ', 0, 1);
if (tuple.size() >= 1)
method = tuple[0];
if (tuple.size() == 2)
{
std::vector<std::string> list = Split::by_char<std::vector<std::string>, StandardLex, Split::NullLimit>(tuple[1], ',', Split::TRIM_LEADING_SPACES|Split::TRIM_SPECIAL);
for (std::vector<std::string>::const_iterator i = list.begin(); i != list.end(); ++i)
{
std::vector<std::string> pair = Split::by_char<std::vector<std::string>, StandardLex, Split::NullLimit>(*i, '=', 0, 1);
if (pair.size() == 2)
parms.push_back(HTTP::Header(pair[0], pair[1]));
}
}
}
};
}
}
#endif