github/OpenVPNAdapter
4
0
Fork 0
mirror of https://github.com/deneraraujo/OpenVPNAdapter.git synced 2026-04-24 00:00:05 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
8e87aecebf66f50957e35966c547d77a6fb526ab
OpenVPNAdapter/openvpn/crypto/packet_id.hpp
T
Sergey Abramchuk 8e87aecebf Squashed 'Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/' changes from 275cf80efb..7db7a009b0 
7db7a009b0 proto: Client complains about stub compressors
390154d0e4 Update Build instructions for OSX
1b92069834 deps: Update to mbedtls-2.7.12
8cab79540d compression: Extend compression alert to include server pushes
67b4641a99 CompressContext: Add is_any_stub() method
cdf9e7bece compression: Issue an Event if compression is activated
fa38064403 build script: added a new PROF type "auto" that tries to automatically determine the local platform
7ce7b52b7c MTRand: added OPENVPN_INSECURE_RANDOM compile flag that allows MTRand to masquerade as a secure RNG
85e7e49f72 MTRand: added constructor accepting an initialization seed
1fa3229a10 IPv4, IPv6: added #include <openvpn/common/hash.hpp>
48e9217d26 vcxproj: add missing header file
d2a2601b2f Wintun: unmap ring buffers
e320bc63ff openssl: Improve OpenSSLContext fencing against multiple declarations
2f8fe2d318 openssl: Missing inline keyword in a couple of compat functions
32b984c0ff enum_dir: use a function template
725ee04593 VPNServerNetblock::Netblock::to_string(): show prefix_len
409d1c52b8 ManClientInstance::Send::describe_user(): added bool show_userprop parameter
e05fc16b20 string::indent(): try to fix all the corner cases
4e1645ea80 RunContext: mark virtual Stop* async_stop() with override attribute
e8b31c5454 cli: advertise "openurl" as supported SSO method
80b45731eb ICMPv6: added DEST_UNREACH code
679003094d AsioTimerSafe: refactor to allow as drop-in replacement for AsioTimer
f7845578f1 RunContext: check for halt in timer closure
84483eda25 AsioPolySock: add support for socket shutdown
1b3402aec3 tcplinkcommon.hpp: added missing include
2e26c7565c time: added nanotime_t typedef
c3c8ab7f6b string: added additional detail to split() comment
95ce4f22c8 string: added to_delim() method then redefined first_line() method to use it
448218b1e1 string: added add_leading() method
e3b0bf4f5c MSF iterator: allow conversion from ordinary iterator and added exists() method
11412ac50a AsioPolySock: in remote_endpoint_str() method, test for alt_routing_enabled()
9fb4e705f9 Added TimeSkew to skew a time duration by a random flux
7496383002 write_binary_atomic: reduce the length of the temporary filename
b31d9c0191 auth-token-user: increase size limit to 340 chars
c82644c03a Added BufferLineIterator
115cb656b6 RandomAPI: added randbyte() and randbool() methods
4fa8348689 RunContext: ASIO SIGNAL message now shows signal name rather than number
ebfce58513 Added StaticBuffer, a constant-length Buffer for writing that cannot be extended
c8f9cb88a4 string::split(): call reserve() on return vector
f15e566065 read_binary_unix_fast: should return an int (i.e. errno), not a bool
60501b4513 random: factor out rand32_distribute() from RandomAPI::randrange32()
90123495a5 wintun: get device interfaces list only once
ec790df73b wintun: read packets in bulk
0f85d3f729 wintun: use correct io_context when performing initial read
a6151cdeab wintun: use auto-reset events
29acfd95f3 libs: update ASIO to 1.14.0
438a0ef287 Remove outdated and unused android build files
e9df57969f Merge remote-tracking branch 'origin/released'
44725ad094 ssl: Fix building with OpenSSL 1.0.2
efe3f1f635 version: Reset version reference for git master
8c79c06d94 Make tls-crypt/tls-cryptv2 compile with multiple compilation units
4d18aaeb88 Fix LLVM warnings reported during OS X build
8c9496bb4d Use const_cast for SSL_session_reused
33be562a39 Add missing override keywords to openssl/sslctx.hpp
2c5435a000 dcocli: use compile time define for Tun methods instead of hardcoded iproute
7c39088f00 Allow overriding reported HW_ADDR and support IV_PLAT_VER
7bb1ea19ee Move sending IV_UI_VER and IV_SSO to build_peer_info
23959fa705 Add reporting of IV_SSL_VER
63ab5b5e46 Only initialise static member in OpenSSLContext once
ecebb40304 Merge remote-tracking branch 'origin/qa'
52c9702502 wintun: replace volatiles with atomics
d720c7104c appveyor: install Strawberry perl
60a253a7ef appveyor: update to VS2019
48f2b5100b wintun: support for privilege separation
6f266be3d8 wintun: ring buffers support
baa1ce2ccf vcxproj: bump VS version to 2019
98bfd037e3 tun/win: factor out ClientConfig into separate header
aeb5ce0ad7 wintun: open device with SetupAPI
3998d303ce Finalizing the OpenVPN 3 Core library 3.3 release
728733aee7 deps/mbedtls: rebase "enable unsupported critical extensions" patch
43e36ca45a lib-version: update to mbedtls-2.7.11
4dbcd85e50 openssl/cipher.hpp: add missing include <compat.hpp>
69d72ed64f DCOTransport: Fix server side specific trunk handling
ff732e3b5d Fix OpenVPN Core build with OpenSSL 1.1.0
0da42f393f Do not use deprecated OpenSSL 1.1.0 methods
35062c0b60 travis.yml: update environment
47046cf6d2 Merge branch 'qa'
6933c395a4 [OVPN3-423] cliconnect.hpp: fix reconnect on Windows after sleep
462c36c813 random_subnet(): added comment
ac1d447156 IP::Addr::from_byte_string(): fixed bug for IPv6 case
d6eaea3468 string::split(): minor implementation tweaks
ca15b7cdf4 hexstr: added dump_hex() variant accepting void *
0e61a2afd7 SessionIDType::find_weak: added conflict parameter
089aec00b1 DCOTransport: new routing code for trunk links
5befbd430f build: added CAP=1 -- build with libcap
eb85ada21e signals: added trivial signal_name() function
f89013ef92 RunContext: don't try to catch SIGQUIT by default
e0ee540135 SessionIDType: added hash() method
f0e1f8aa42 logging: added basic components for logrotate
fbb0c81f29 UMask: added UMaskDaemon, a umask context object appropriate for daemons
1c7bac90d9 build script: when building with DEBUG=1 on Linux, use -ggdb instead of -g
73cce80e43 OpenSSL: added openssl_reseed_rng() function
25780cf798 OpenSSL: fixed some memory leaks in CipherContextGCM and TokenEncrypt
168dba95f5 OpenSSL: define OPENSSL_SERVER_SNI when OpenSSL version is at least 1.1
84e78d8fed SNI: added OpenVPN client support for SNI (currently OpenSSL only)
310766b270 build: added MTLS_DIST setting
4eaa46a879 MbedTLS: added MBEDTLS_DISABLE_NAME_CONSTRAINTS preprocessor flag
16226d1b05 OpenSSLSign: updated for OpenSSL 1.1
aed0678c96 SSL: added SNI::Metadata, an abstract base class for packaging app-specific SNI metadata in AuthCert
001b731fe2 SNI: create SNI namespace and rename SNIHandlerBase -> SNI::HandlerBase
4bd5869305 README.rst: Make Windows-specific build steps up to date.
ac365ee977 wintun: support for 0.4
9245056a2a wintun: support for 0.3
b73d484950 mbedtls: throw exception on unsupported SSL:Const::PEER_CERT_OPTIONAL option
1d6bae4b5b tcplinkcommon: bubble up real exception error
c18c8bd156 tcpcli: ensure SSL Factory survives as long as TLS link
4192193087 tls: parse and load TLS specific CA
2a19b7fcff win/tuncli.hpp: fix Wintun padding calculation
44cb9f44da appveyor: make ReleaseOpenSSL default configuration
5485de19a2 win/impersonate: refactor impersonate logic
29a655147b win/tunsetup.hpp: remove unneeded parameter
61794b0efd win: link OpenSSL dynamically
e569b84465 win/tuncli.hpp: fix indentation
374c57e708 frame_init.hpp: tweak wintun read buf size
c3c45c9b38 tun: added Error::TUN_HALT for tun_error() signaling
acd7af5e9a RandomAPI: added randrange32() method
c1a7f8cc68 std::clamp() is useful but only available in C++17 and up, so we add our own clamp()
f8c71ef1ce Minor change to Error::INACTIVE_TIMEOUT handler
3202ab5fce OpenSSLSign: renamed OpenSSLPKI::X509Base to OpenSSLPKI::X509 to conform to changes in OpenSSLPKI
8d767febb5 ReachabilityBase: added virtual destructor
6a4826965f MbedTLS: update json_override() prototype
bee0d8d187 SSL: added SSLConst::SEND_CLIENT_CA_LIST server-side flag and implemented for OpenSSL
5eb39c1dea AuthCert: save the SNI name
3b34449d0e SSLAPI: auth_cert() can now be const
a672e91631 SNI server-side: support additional JSON configuration settings
95e761f3cc OpenSSL PKI cleanup
d5eb77c53c AuthCert::Fail cleanup
6e98b9aadc SSLAPI: move PKType from SSLConfigAPI into standalone header to avoid dependency inversion
bbae814864 OpenSSL: added SNI implementation
5def1d23ab OpenSSLContext: in constructor, removed redundant if statement
1a0747e783 OpenSSLContext: in constructor, consolidate sslopt fixed flags
eef9868816 OpenSSLContext::SSL::ssl_handshake_details(): include leaf-cert CN in details
f9631cd90f AuthCert::Fail: use std::string for the reason string (instead of const char *)
a17b77641f OpenSSLPKI::X509: copy constructor doesn't need erase() and define X509::Ptr
78cae5bb52 OpenSSLPKI::DH: copy constructor doesn't need erase()
c0d43a4153 RCPtr: added static_pointer_cast() method
34a3f264f5 [OVPN-314] Add support for signalling SSO support via IV_SSO
7d112eb3e5 cli: enable utf8 console output
980ef1eff8 win/call.hpp: re-encode command output to utf8
fddb440e99 unicode.hpp: customize utf16 conversion routine
4d7c12ac4d [OVPN3-405] Support for non-ASCII profile path on Windows

git-subtree-dir: Sources/OpenVPNAdapter/Libraries/Vendors/openvpn
git-subtree-split: 7db7a009b0b4eca0fc3733c99c50aff7f7c2556f
2019-10-12 15:50:02 +03:00

448 lines
11 KiB
C++
Raw Blame History

// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Manage OpenVPN protocol Packet IDs for packet replay detection
#ifndef OPENVPN_CRYPTO_PACKET_ID_H
#define OPENVPN_CRYPTO_PACKET_ID_H
#include <string>
#include <cstring>
#include <sstream>
#include <cstdint> // for std::uint32_t
#include <openvpn/io/io.hpp>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/common/circ_list.hpp>
#include <openvpn/common/socktypes.hpp>
#include <openvpn/common/likely.hpp>
#include <openvpn/time/time.hpp>
#include <openvpn/buffer/buffer.hpp>
#include <openvpn/log/sessionstats.hpp>
namespace openvpn {
/*
* Communicate packet-id over the wire.
* A short packet-id is just a 32 bit
* sequence number. A long packet-id
* includes a timestamp as well.
*
* Long packet-ids are used as IVs for
* CFB/OFB ciphers.
*
* This data structure is always sent
* over the net in network byte order,
* by calling htonpid, ntohpid,
* htontime, and ntohtime on the
* data elements to change them
* to and from standard sizes.
*
* In addition, time is converted to
* a PacketID::net_time_t before sending,
* since openvpn always
* uses a 32-bit time_t but some
* 64 bit platforms use a
* 64 bit time_t.
*/
struct PacketID
{
typedef std::uint32_t id_t;
typedef std::uint32_t net_time_t;
typedef Time::base_type time_t;
enum {
SHORT_FORM = 0, // short form of ID (4 bytes)
LONG_FORM = 1, // long form of ID (8 bytes)
UNDEF = 0, // special undefined/null id_t value
};
id_t id; // legal values are 1 through 2^32-1
time_t time; // converted to PacketID::net_time_t before transmission
static size_t size(const int form)
{
if (form == PacketID::LONG_FORM)
return longidsize;
else
return shortidsize;
}
constexpr static size_t shortidsize = sizeof(id_t);
constexpr static size_t longidsize = sizeof(id_t) + sizeof(net_time_t);
bool is_valid() const
{
return id != UNDEF;
}
void reset()
{
id = id_t(0);
time = time_t(0);
}
void read(Buffer& buf, const int form)
{
id_t net_id;
net_time_t net_time;
buf.read ((unsigned char *)&net_id, sizeof (net_id));
id = ntohl (net_id);
if (form == LONG_FORM)
{
buf.read ((unsigned char *)&net_time, sizeof (net_time));
time = ntohl (net_time);
}
else
time = time_t(0);
}
void write(Buffer& buf, const int form, const bool prepend) const
{
const id_t net_id = htonl(id);
const net_time_t net_time = htonl(time);
if (prepend)
{
if (form == LONG_FORM)
buf.prepend ((unsigned char *)&net_time, sizeof (net_time));
buf.prepend ((unsigned char *)&net_id, sizeof (net_id));
}
else
{
buf.write ((unsigned char *)&net_id, sizeof (net_id));
if (form == LONG_FORM)
buf.write ((unsigned char *)&net_time, sizeof (net_time));
}
}
std::string str() const
{
std::ostringstream os;
os << "[" << time << "," << id << "]";
return os.str();
}
};
struct PacketIDConstruct : public PacketID
{
PacketIDConstruct(const PacketID::time_t v_time = PacketID::time_t(0), const PacketID::id_t v_id = PacketID::id_t(0))
{
id = v_id;
time = v_time;
}
};
class PacketIDSend
{
public:
OPENVPN_SIMPLE_EXCEPTION(packet_id_wrap);
PacketIDSend()
{
init(PacketID::SHORT_FORM);
}
void init(const int form) // PacketID::LONG_FORM or PacketID::SHORT_FORM
{
pid_.id = PacketID::id_t(0);
pid_.time = PacketID::time_t(0);
form_ = form;
}
PacketID next(const PacketID::time_t now)
{
PacketID ret;
if (!pid_.time)
pid_.time = now;
ret.id = ++pid_.id;
if (unlikely(!pid_.id)) // wraparound
{
if (form_ != PacketID::LONG_FORM)
throw packet_id_wrap();
pid_.time = now;
ret.id = pid_.id = 1;
}
ret.time = pid_.time;
return ret;
}
void write_next(Buffer& buf, const bool prepend, const PacketID::time_t now)
{
const PacketID pid = next(now);
pid.write(buf, form_, prepend);
}
/*
* In TLS mode, when a packet ID gets to this level,
* start thinking about triggering a new
* SSL/TLS handshake.
*/
bool wrap_warning() const
{
const PacketID::id_t wrap_at = 0xFF000000;
return pid_.id >= wrap_at;
}
std::string str() const
{
std::string ret;
ret = pid_.str();
if (form_ == PacketID::LONG_FORM)
ret += 'L';
return ret;
}
private:
PacketID pid_;
int form_;
};
/*
* This is the data structure we keep on the receiving side,
* to check that no packet-id (i.e. sequence number + optional timestamp)
* is accepted more than once.
*
* Replay window sizing in bytes = 2^REPLAY_WINDOW_ORDER.
* PKTID_RECV_EXPIRE is backtrack expire in seconds.
*/
template <unsigned int REPLAY_WINDOW_ORDER,
unsigned int PKTID_RECV_EXPIRE>
class PacketIDReceiveType
{
public:
static constexpr unsigned int REPLAY_WINDOW_BYTES = 1 << REPLAY_WINDOW_ORDER;
static constexpr unsigned int REPLAY_WINDOW_SIZE = REPLAY_WINDOW_BYTES * 8;
// mode
enum {
UDP_MODE = 0,
TCP_MODE = 1
};
OPENVPN_SIMPLE_EXCEPTION(packet_id_not_initialized);
PacketIDReceiveType()
: initialized_(false)
{
}
void init(const int mode_arg,
const int form_arg,
const char *name_arg,
const int unit_arg,
const SessionStats::Ptr& stats_arg)
{
initialized_ = true;
base = 0;
extent = 0;
expire = 0;
id_high = 0;
time_high = 0;
id_floor = 0;
max_backtrack = 0;
mode = mode_arg;
form = form_arg;
unit = unit_arg;
name = name_arg;
stats = stats_arg;
std::memset(history, 0, sizeof(history));
}
bool initialized() const
{
return initialized_;
}
bool test_add(const PacketID& pin,
const PacketID::time_t now,
const bool mod) // don't modify history unless mod is true
{
const Error::Type err = do_test_add(pin, now, mod);
if (unlikely(err != Error::SUCCESS))
{
stats->error(err);
return false;
}
else
return true;
}
Error::Type do_test_add(const PacketID& pin,
const PacketID::time_t now,
const bool mod) // don't modify history unless mod is true
{
// make sure we were initialized
if (unlikely(!initialized_))
throw packet_id_not_initialized();
// expire backtracks at or below id_floor after PKTID_RECV_EXPIRE time
if (unlikely(now >= expire))
id_floor = id_high;
expire = now + PKTID_RECV_EXPIRE;
// ID must not be zero
if (unlikely(!pin.is_valid()))
return Error::PKTID_INVALID;
// time changed?
if (unlikely(pin.time != time_high))
{
if (pin.time > time_high)
{
// time moved forward, accept
if (!mod)
return Error::SUCCESS;
base = 0;
extent = 0;
id_high = 0;
time_high = pin.time;
id_floor = 0;
}
else
{
// time moved backward, reject
return Error::PKTID_TIME_BACKTRACK;
}
}
if (likely(pin.id == id_high + 1))
{
// well-formed ID sequence (incremented by 1)
if (!mod)
return Error::SUCCESS;
base = REPLAY_INDEX(-1);
history[base / 8] |= (1 << (base % 8));
if (extent < REPLAY_WINDOW_SIZE)
++extent;
id_high = pin.id;
}
else if (pin.id > id_high)
{
// ID jumped forward by more than one
if (!mod)
return Error::SUCCESS;
const unsigned int delta = pin.id - id_high;
if (delta < REPLAY_WINDOW_SIZE)
{
base = REPLAY_INDEX(-delta);
history[base / 8] |= (1 << (base % 8));
extent += delta;
if (extent > REPLAY_WINDOW_SIZE)
extent = REPLAY_WINDOW_SIZE;
for (unsigned i = 1; i < delta; ++i)
{
const unsigned int newbase = REPLAY_INDEX(i);
history[newbase / 8] &= ~(1 << (newbase % 8));
}
}
else
{
base = 0;
extent = REPLAY_WINDOW_SIZE;
std::memset(history, 0, sizeof(history));
history[0] = 1;
}
id_high = pin.id;
}
else
{
// ID backtrack
const unsigned int delta = id_high - pin.id;
if (delta > max_backtrack)
max_backtrack = delta;
if (delta < extent)
{
if (pin.id > id_floor)
{
const unsigned int ri = REPLAY_INDEX(delta);
std::uint8_t *p = &history[ri / 8];
const std::uint8_t mask = (1 << (ri % 8));
if (*p & mask)
return Error::PKTID_REPLAY;
if (!mod)
return Error::SUCCESS;
*p |= mask;
}
else
return Error::PKTID_EXPIRE;
}
else
return Error::PKTID_BACKTRACK;
}
return Error::SUCCESS;
}
PacketID read_next(Buffer& buf) const
{
if (!initialized_)
throw packet_id_not_initialized();
PacketID pid;
pid.read(buf, form);
return pid;
}
std::string str() const
{
std::ostringstream os;
os << "[e=" << extent << " f=" << id_floor << " h=" << time_high << '/' << id_high << ']';
return os.str();
}
private:
unsigned int REPLAY_INDEX(const int i) const
{
return (base + i) & (REPLAY_WINDOW_SIZE - 1);
}
bool initialized_;
unsigned int base; // bit position of deque base in history
unsigned int extent; // extent (in bits) of deque in history
PacketID::time_t expire; // expiration of history
PacketID::id_t id_high; // highest sequence number received
PacketID::time_t time_high; // highest time stamp received
PacketID::id_t id_floor; // we will only accept backtrack IDs > id_floor
unsigned int max_backtrack;
int mode; // UDP_MODE or TCP_MODE
int form; // PacketID::LONG_FORM or PacketID::SHORT_FORM
int unit; // unit number of this object (for debugging)
std::string name; // name of this object (for debugging)
SessionStats::Ptr stats;
std::uint8_t history[REPLAY_WINDOW_BYTES]; /* "sliding window" bitmask of recent packet IDs received */
};
// Our standard packet ID window with order=8 (window size=2048).
// and recv expire=30 seconds.
typedef PacketIDReceiveType<8, 30> PacketIDReceive;
} // namespace openvpn
#endif // OPENVPN_CRYPTO_PACKET_ID_H
Reference in New Issue View Git Blame Copy Permalink