Squashed 'OpenVPN Adapter/Vendors/openvpn/' content from commit da99df6

git-subtree-dir: OpenVPN Adapter/Vendors/openvpn
git-subtree-split: da99df69492256d7a18bbea303ae98457782a4bf

openvpn/mbedtls/pki/dh.hpp

@@ -0,0 +1,116 @@
+//    OpenVPN -- An application to securely tunnel IP networks
+//               over a single port, with support for SSL/TLS-based
+//               session authentication and key exchange,
+//               packet encryption, packet authentication, and
+//               packet compression.
+//
+//    Copyright (C) 2012-2017 OpenVPN Technologies, Inc.
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License Version 3
+//    as published by the Free Software Foundation.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program in the COPYING file.
+//    If not, see <http://www.gnu.org/licenses/>.
+
+// Wrap a mbed TLS dhm_context object (Diffie Hellman parameters).
+
+#ifndef OPENVPN_MBEDTLS_PKI_DH_H
+#define OPENVPN_MBEDTLS_PKI_DH_H
+
+#include <string>
+#include <sstream>
+#include <cstring>
+
+#include <mbedtls/x509.h>
+
+#include <openvpn/common/size.hpp>
+#include <openvpn/common/exception.hpp>
+#include <openvpn/common/rc.hpp>
+#include <openvpn/mbedtls/util/error.hpp>
+
+namespace openvpn {
+  namespace MbedTLSPKI {
+
+    class DH : public RC<thread_unsafe_refcount>
+    {
+    public:
+      typedef RCPtr<DH> Ptr;
+
+      DH() : dhc(nullptr) {}
+
+      DH(const std::string& dh_txt, const std::string& title)
+	: dhc(nullptr)
+      {
+	try {
+	  parse(dh_txt, title);
+	}
+	catch (...)
+	  {
+	    dealloc();
+	    throw;
+	  }
+      }
+
+      void parse(const std::string& dh_txt, const std::string& title)
+      {
+	alloc();
+	// dh_txt.length() is increased by 1 as it does not include the NULL-terminator
+	// which mbedtls_dhm_parse_dhm() expects to see.
+	const int status = mbedtls_dhm_parse_dhm(dhc,
+					 (const unsigned char *)dh_txt.c_str(),
+					 dh_txt.length() + 1);
+	if (status < 0)
+	  {
+	    throw MbedTLSException("error parsing " + title + " DH parameters", status);
+	  }
+	if (status > 0)
+	  {
+	    std::ostringstream os;
+	    os << status << " DH parameters in " << title << " failed to parse";
+	    throw MbedTLSException(os.str());
+	  }
+      }
+
+      mbedtls_dhm_context* get() const
+      {
+	return dhc;
+      }
+
+      ~DH()
+      {
+	dealloc();
+      }
+
+    private:
+      void alloc()
+      {
+	if (!dhc)
+	  {
+	    dhc = new mbedtls_dhm_context;
+	    mbedtls_dhm_init(dhc);
+	  }
+      }
+
+      void dealloc()
+      {
+	if (dhc)
+	  {
+	    mbedtls_dhm_free(dhc);
+	    delete dhc;
+	    dhc = nullptr;
+	  }
+      }
+
+      mbedtls_dhm_context *dhc;
+    };
+  }
+}
+
+#endif

openvpn/mbedtls/pki/pkctx.hpp

@@ -0,0 +1,126 @@
+//    OpenVPN -- An application to securely tunnel IP networks
+//               over a single port, with support for SSL/TLS-based
+//               session authentication and key exchange,
+//               packet encryption, packet authentication, and
+//               packet compression.
+//
+//    Copyright (C) 2012-2017 OpenVPN Technologies, Inc.
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License Version 3
+//    as published by the Free Software Foundation.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program in the COPYING file.
+//    If not, see <http://www.gnu.org/licenses/>.
+
+// Wrap a mbed TLS pk_context object.
+
+#ifndef OPENVPN_MBEDTLS_PKI_PKCTX_H
+#define OPENVPN_MBEDTLS_PKI_PKCTX_H
+
+#include <string>
+#include <sstream>
+#include <cstring>
+
+#include <mbedtls/pk.h>
+
+#include <openvpn/common/size.hpp>
+#include <openvpn/common/exception.hpp>
+#include <openvpn/common/rc.hpp>
+#include <openvpn/mbedtls/util/error.hpp>
+
+namespace openvpn {
+  namespace MbedTLSPKI {
+
+    class PKContext : public RC<thread_unsafe_refcount>
+    {
+    public:
+      typedef RCPtr<PKContext> Ptr;
+
+      PKContext() : ctx(nullptr) {}
+
+      PKContext(const std::string& key_txt, const std::string& title, const std::string& priv_key_pwd)
+	: ctx(nullptr)
+      {
+	try {
+	  parse(key_txt, title, priv_key_pwd);
+	}
+	catch (...)
+	  {
+	    dealloc();
+	    throw;
+	  }
+      }
+
+      bool defined() const
+      {
+	return ctx != nullptr;
+      }
+
+      void parse(const std::string& key_txt, const std::string& title, const std::string& priv_key_pwd)
+      {
+	alloc();
+	// key_txt.length() is increased by 1 as it does not include the NULL-terminator
+	// which mbedtls_pk_parse_key() expects to see.
+	const int status = mbedtls_pk_parse_key(ctx,
+					(const unsigned char *)key_txt.c_str(),
+					key_txt.length() + 1,
+					(const unsigned char *)priv_key_pwd.c_str(),
+					priv_key_pwd.length());
+	if (status < 0)
+	  throw MbedTLSException("error parsing " + title + " private key", status);
+      }
+
+      void epki_enable(void *arg,
+		       mbedtls_pk_rsa_alt_decrypt_func epki_decrypt,
+		       mbedtls_pk_rsa_alt_sign_func epki_sign,
+		       mbedtls_pk_rsa_alt_key_len_func epki_key_len)
+      {
+	alloc();
+	const int status = mbedtls_pk_setup_rsa_alt(ctx, arg, epki_decrypt, epki_sign, epki_key_len);
+	if (status < 0)
+	  throw MbedTLSException("error in mbedtls_pk_setup_rsa_alt", status);
+      }
+
+      mbedtls_pk_context* get() const
+      {
+	return ctx;
+      }
+
+      ~PKContext()
+      {
+	dealloc();
+      }
+
+    private:
+      void alloc()
+      {
+	if (!ctx)
+	  {
+	    ctx = new mbedtls_pk_context;
+	    mbedtls_pk_init(ctx);
+	  }
+      }
+
+      void dealloc()
+      {
+	if (ctx)
+	  {
+	    mbedtls_pk_free(ctx);
+	    delete ctx;
+	    ctx = nullptr;
+	  }
+      }
+
+      mbedtls_pk_context *ctx;
+    };
+
+  }
+}
+#endif

openvpn/mbedtls/pki/x509cert.hpp

@@ -0,0 +1,124 @@
+//    OpenVPN -- An application to securely tunnel IP networks
+//               over a single port, with support for SSL/TLS-based
+//               session authentication and key exchange,
+//               packet encryption, packet authentication, and
+//               packet compression.
+//
+//    Copyright (C) 2012-2017 OpenVPN Technologies, Inc.
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License Version 3
+//    as published by the Free Software Foundation.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program in the COPYING file.
+//    If not, see <http://www.gnu.org/licenses/>.
+
+// Wrap a mbed TLS x509_crt object
+
+#ifndef OPENVPN_MBEDTLS_PKI_X509CERT_H
+#define OPENVPN_MBEDTLS_PKI_X509CERT_H
+
+#include <string>
+#include <sstream>
+#include <cstring>
+#include <iostream>
+
+#include <mbedtls/x509.h>
+
+#include <openvpn/common/size.hpp>
+#include <openvpn/common/exception.hpp>
+#include <openvpn/common/rc.hpp>
+#include <openvpn/mbedtls/util/error.hpp>
+
+namespace openvpn {
+  namespace MbedTLSPKI {
+
+    class X509Cert : public RC<thread_unsafe_refcount>
+    {
+    public:
+      typedef RCPtr<X509Cert> Ptr;
+
+      X509Cert() : chain(nullptr) {}
+
+      X509Cert(const std::string& cert_txt, const std::string& title, const bool strict)
+	: chain(nullptr)
+      {
+	try {
+	  parse(cert_txt, title, strict);
+	}
+	catch (...)
+	  {
+	    dealloc();
+	    throw;
+	  }
+      }
+
+      void parse(const std::string& cert_txt, const std::string& title, const bool strict)
+      {
+	alloc();
+
+	if (cert_txt.empty())
+	  throw MbedTLSException(title + " certificate is undefined");
+
+	// cert_txt.length() is increased by 1 as it does not include the NULL-terminator
+	// which mbedtls_x509_crt_parse() expects to see.
+	const int status = mbedtls_x509_crt_parse(chain,
+						  (const unsigned char *)cert_txt.c_str(),
+						  cert_txt.length() + 1);
+	if (status < 0)
+	  {
+	    throw MbedTLSException("error parsing " + title + " certificate", status);
+	  }
+	if (status > 0)
+	  {
+	    std::ostringstream os;
+	    os << status << " certificate(s) in " << title << " bundle failed to parse";
+	    if (strict)
+	      throw MbedTLSException(os.str());
+	    else
+	      OPENVPN_LOG("MBEDTLS: " << os.str());
+	  }
+      }
+
+      mbedtls_x509_crt* get() const
+      {
+	return chain;
+      }
+
+      ~X509Cert()
+      {
+	dealloc();
+      }
+
+    private:
+      void alloc()
+      {
+	if (!chain)
+	  {
+	    chain = new mbedtls_x509_crt;
+	    std::memset(chain, 0, sizeof(mbedtls_x509_crt));
+	  }
+      }
+
+      void dealloc()
+      {
+	if (chain)
+	  {
+	    mbedtls_x509_crt_free(chain);
+	    delete chain;
+	    chain = nullptr;
+	  }
+      }
+
+      mbedtls_x509_crt *chain;
+    };
+  }
+}
+
+#endif

openvpn/mbedtls/pki/x509crl.hpp

@@ -0,0 +1,111 @@
+//    OpenVPN -- An application to securely tunnel IP networks
+//               over a single port, with support for SSL/TLS-based
+//               session authentication and key exchange,
+//               packet encryption, packet authentication, and
+//               packet compression.
+//
+//    Copyright (C) 2012-2017 OpenVPN Technologies, Inc.
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License Version 3
+//    as published by the Free Software Foundation.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program in the COPYING file.
+//    If not, see <http://www.gnu.org/licenses/>.
+
+// Wrap a mbed TLS x509_crl object
+
+#ifndef OPENVPN_MBEDTLS_PKI_X509CRL_H
+#define OPENVPN_MBEDTLS_PKI_X509CRL_H
+
+#include <string>
+#include <sstream>
+#include <cstring>
+
+#include <mbedtls/x509_crl.h>
+
+#include <openvpn/common/size.hpp>
+#include <openvpn/common/exception.hpp>
+#include <openvpn/common/rc.hpp>
+#include <openvpn/mbedtls/util/error.hpp>
+
+namespace openvpn {
+  namespace MbedTLSPKI {
+
+    class X509CRL : public RC<thread_unsafe_refcount>
+    {
+    public:
+      typedef RCPtr<X509CRL> Ptr;
+
+      X509CRL() : chain(nullptr) {}
+
+      X509CRL(const std::string& crl_txt)
+	: chain(nullptr)
+      {
+	try {
+	  parse(crl_txt);
+	}
+	catch (...)
+	  {
+	    dealloc();
+	    throw;
+	  }
+      }
+
+      void parse(const std::string& crl_txt)
+      {
+	alloc();
+
+	// crl_txt.length() is increased by 1 as it does not include the NULL-terminator
+	// which mbedtls_x509_crl_parse() expects to see.
+	const int status = mbedtls_x509_crl_parse(chain,
+						  (const unsigned char *)crl_txt.c_str(),
+						  crl_txt.length() + 1);
+	if (status < 0)
+	  {
+	    throw MbedTLSException("error parsing CRL", status);
+	  }
+      }
+
+      mbedtls_x509_crl* get() const
+      {
+	return chain;
+      }
+
+      ~X509CRL()
+      {
+	dealloc();
+      }
+
+    private:
+      void alloc()
+      {
+	if (!chain)
+	  {
+	    chain = new mbedtls_x509_crl;
+	    std::memset(chain, 0, sizeof(mbedtls_x509_crl));
+	  }
+      }
+
+      void dealloc()
+      {
+	if (chain)
+	  {
+	    mbedtls_x509_crl_free(chain);
+	    delete chain;
+	    chain = nullptr;
+	  }
+      }
+
+      mbedtls_x509_crl *chain;
+    };
+  }
+}
+
+#endif