mirror of
https://github.com/deneraraujo/OpenVPNAdapter.git
synced 2026-04-24 00:00:05 +08:00
Sergey Abramchuk
f5fda0fa73
6608878d5 [OVPN3-341] implement mssfix support 1bf3fc0e4 win: update project files f8d209435 travis: update to default osx image: xcode9.4 31eb246a8 travis.yml: align deps version to lib-version 996f86635 RunContext: fixed rebase issue that added two "default: signal_rearm();" clauses aebea6456 build script: minor changes to Cityhash inclusion 1d754072c modstat: make update_file_mod_time_nanoseconds() a no-op on non-Linux 7974c9867 Fixed some breakage caused by recent endian/ffs commits a0dd7fe8b endian.hpp: break out endian compile-time tests to endian_platform.hpp c8bdf5a34 ffs.hpp: support additional numeric types dcb0c9452 BufferType: append() argument can now be a flexible buffer type 2009a8a25 Added AsioTimerSafe 39e71b7dd event_loop_wait_barrier: use a longer default timeout when running under valgrind 8b7e08e9b string::contains_non_space_ctrl: consider ASCII char 127 (DEL) to be a control char e43024d7c RunContext: rearm non-terminating signals 6ab379323 write_binary_atomic: remove temporary file on move failure 55dc653cd path: added is_contained() 02bf235c6 Reverted previous commit: "ReplyParser: added undefined status" 84dbc5b9b Allow test/cli.cpp to be used with NetCfg Tunbuilder client 80fed2c55 Allow updating auth-token during session ad7da751e don't print time in debug message and use OPENVPN_LOG_PROTO_VERBOSE 981407994 tls-crypt-v2: implement abstract metadata parser be38bbeb8 tls-crypt-v2: test/ssl/proto.cpp - extend protocol test 60fcf374f tls-crypt-v2: implement WKc appending/unwrapping logic 51f4a3a29 tls-crypt-v2: introduce CONTROL_HARD_RESET_V3 packet type 156a6e58b tls-crypt-v2: implement client key parser and renderer 54a97b381 ssl: add support for encoding/decoding PEM format f090fcda4 tls-crypt: make HMAC API more generic d87f5bbc0 OpenSSL: init library 2ea88a93b Add Remote endpoint information to protect_socket call 0a081ee17 [OVPN3-315] cli/go: add option to compile SITNL component 5bbfb57c0 [OVPN3-315] TunLinux::Client: allow user to select netlink at compile time e8458a68e [OVPN3-315] GW: add netlink support 4e77edb9e [OVPN3-315] TunLinux: add Netlink implementation for Tun setup methods 68508fe56 bigmutex: include missing extern.hpp header a7b923e1e Fix logic inversion from commit 2de9aebc 923e10d13 runcontext: arrange members to allow inheritance 2de9aebc7 Replace deprecated mbedtls_sha1 with mbedtls_sha1_ret e9c0bd00b Remove unused private field ee17c33c2 Add virtual deconstructor to TransportClientParent fab64ba0f Fix clang warning about unused attributes and missing overrides 2624d9ddf Also parse dhcp-option DNS6 as DNS server for compatibility with OpenVPN 2 6d12c9cc2 Refuse external pki with non RSA keys 4a25059f5 test/ovpncli: Don't override PROF env variable f241c4c5f scripts: Add tool to update copyright years 27beeb03d Update lz4 version to 1.8.3 17e356858 Define DASIO_HAS_STD_STRING_VIEW on Android build b107fd994 Remove unsupported platforms from Android build 6a200f72e Ensure all Android components are always installed fbcd374a4 [OVPN3-327] OpenSSL: ensure >TLS1.0 is negotiated by default d9b1f78b6 JSON: #define OPENVPN_JSON_INTERNAL when internal JSON library is used 39290f19d Fix build issues with #if macro on big-endian hardware d4f62d9ed Fix instantiating a new URL instead of parsing the URL git-subtree-dir: Sources/OpenVPNAdapter/Libraries/Vendors/openvpn git-subtree-split: 6608878d57eec1c64c16c5a13ee65b2cf0418ca1
199 lines
5.7 KiB
C++
199 lines
5.7 KiB
C++
// OpenVPN -- An application to securely tunnel IP networks
|
|
// over a single port, with support for SSL/TLS-based
|
|
// session authentication and key exchange,
|
|
// packet encryption, packet authentication, and
|
|
// packet compression.
|
|
//
|
|
// Copyright (C) 2017-2018 OpenVPN Technologies, Inc.
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU General Public License Version 3
|
|
// as published by the Free Software Foundation.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU General Public License
|
|
// along with this program in the COPYING file.
|
|
// If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
// Classes for handling OpenVPN tls-crypt-v2 internals
|
|
|
|
#ifndef OPENVPN_CRYPTO_TLS_CRYPT_V2_H
|
|
#define OPENVPN_CRYPTO_TLS_CRYPT_V2_H
|
|
|
|
#include <string>
|
|
|
|
#include <openvpn/common/exception.hpp>
|
|
#include <openvpn/buffer/buffer.hpp>
|
|
#include <openvpn/crypto/static_key.hpp>
|
|
#include <openvpn/crypto/tls_crypt.hpp>
|
|
#include <openvpn/ssl/sslchoose.hpp>
|
|
|
|
namespace openvpn {
|
|
class TLSCryptV2ServerKey
|
|
{
|
|
public:
|
|
OPENVPN_SIMPLE_EXCEPTION(tls_crypt_v2_server_key_parse_error);
|
|
OPENVPN_SIMPLE_EXCEPTION(tls_crypt_v2_server_key_encode_error);
|
|
OPENVPN_SIMPLE_EXCEPTION(tls_crypt_v2_server_key_bad_size);
|
|
|
|
TLSCryptV2ServerKey()
|
|
: key_size(128),
|
|
key(key_size, BufferAllocated::DESTRUCT_ZERO)
|
|
{}
|
|
|
|
bool defined() const
|
|
{
|
|
return key.defined();
|
|
}
|
|
|
|
void parse(const std::string& key_text)
|
|
{
|
|
if (!SSLLib::PEMAPI::pem_decode(key, key_text.c_str(), key_text.length(),
|
|
tls_crypt_v2_server_key_name))
|
|
throw tls_crypt_v2_server_key_parse_error();
|
|
|
|
if (key.size() != key_size)
|
|
throw tls_crypt_v2_server_key_bad_size();
|
|
}
|
|
|
|
void extract_key(OpenVPNStaticKey& tls_key)
|
|
{
|
|
std::memcpy(tls_key.raw_alloc(), key.c_data(), key_size);
|
|
}
|
|
|
|
std::string render() const
|
|
{
|
|
BufferAllocated data(32 + 2 * key.size(), 0);
|
|
|
|
if (!SSLLib::PEMAPI::pem_encode(data, key.c_data(), key.size(),
|
|
tls_crypt_v2_server_key_name))
|
|
throw tls_crypt_v2_server_key_encode_error();
|
|
|
|
return std::string((const char *)data.c_data());
|
|
}
|
|
|
|
private:
|
|
const size_t key_size;
|
|
BufferAllocated key;
|
|
static const std::string tls_crypt_v2_server_key_name;
|
|
};
|
|
|
|
const std::string TLSCryptV2ServerKey::tls_crypt_v2_server_key_name = "OpenVPN tls-crypt-v2 server key";
|
|
|
|
class TLSCryptV2ClientKey
|
|
{
|
|
public:
|
|
enum {
|
|
WKC_MAX_SIZE = 1024, // bytes
|
|
};
|
|
|
|
OPENVPN_SIMPLE_EXCEPTION(tls_crypt_v2_client_key_parse_error);
|
|
OPENVPN_SIMPLE_EXCEPTION(tls_crypt_v2_client_key_encode_error);
|
|
OPENVPN_SIMPLE_EXCEPTION(tls_crypt_v2_client_key_bad_size);
|
|
|
|
TLSCryptV2ClientKey() = delete;
|
|
|
|
TLSCryptV2ClientKey(TLSCryptContext::Ptr context)
|
|
: key_size(OpenVPNStaticKey::KEY_SIZE),
|
|
tag_size(context->digest_size())
|
|
{}
|
|
|
|
bool defined() const
|
|
{
|
|
return key.defined() && wkc.defined();
|
|
}
|
|
|
|
void parse(const std::string& key_text)
|
|
{
|
|
BufferAllocated data(key_size + WKC_MAX_SIZE, BufferAllocated::DESTRUCT_ZERO);
|
|
|
|
if (!SSLLib::PEMAPI::pem_decode(data, key_text.c_str(), key_text.length(),
|
|
tls_crypt_v2_client_key_name))
|
|
throw tls_crypt_v2_client_key_parse_error();
|
|
|
|
if (data.size() < (tag_size + key_size))
|
|
throw tls_crypt_v2_client_key_bad_size();
|
|
|
|
key.init(data.data(), key_size, BufferAllocated::DESTRUCT_ZERO);
|
|
wkc.init(data.data() + key_size, data.size() - key_size, BufferAllocated::DESTRUCT_ZERO);
|
|
}
|
|
|
|
void extract_key(OpenVPNStaticKey& tls_key)
|
|
{
|
|
std::memcpy(tls_key.raw_alloc(), key.c_data(), key_size);
|
|
}
|
|
|
|
std::string render() const
|
|
{
|
|
BufferAllocated data(32 + 2 * (key.size() + wkc.size()), 0);
|
|
BufferAllocated in(key, BufferAllocated::GROW);
|
|
in.append(wkc);
|
|
|
|
if (!SSLLib::PEMAPI::pem_encode(data, in.c_data(), in.size(), tls_crypt_v2_client_key_name))
|
|
throw tls_crypt_v2_client_key_encode_error();
|
|
|
|
return std::string((const char *)data.c_data());
|
|
}
|
|
|
|
void extract_wkc(BufferAllocated& wkc_out) const
|
|
{
|
|
wkc_out = wkc;
|
|
}
|
|
|
|
private:
|
|
BufferAllocated key;
|
|
BufferAllocated wkc;
|
|
|
|
const size_t key_size;
|
|
const size_t tag_size;
|
|
|
|
static const std::string tls_crypt_v2_client_key_name;
|
|
};
|
|
|
|
const std::string TLSCryptV2ClientKey::tls_crypt_v2_client_key_name = "OpenVPN tls-crypt-v2 client key";
|
|
|
|
// the user can extend the TLSCryptMetadata and the TLSCryptMetadataFactory
|
|
// classes to implement its own metadata verification method.
|
|
//
|
|
// default method is to *ignore* the metadata contained in the WKc sent by the client
|
|
class TLSCryptMetadata : public RC<thread_unsafe_refcount>
|
|
{
|
|
public:
|
|
typedef RCPtr<TLSCryptMetadata> Ptr;
|
|
|
|
// override this method with your own verification mechanism.
|
|
//
|
|
// If type is -1 it means that metadata is empty.
|
|
//
|
|
virtual bool verify(int type, Buffer& metadata) const
|
|
{
|
|
return true;
|
|
}
|
|
};
|
|
|
|
// abstract class to be extended when creating other factories
|
|
class TLSCryptMetadataFactory : public RC<thread_unsafe_refcount>
|
|
{
|
|
public:
|
|
typedef RCPtr<TLSCryptMetadataFactory> Ptr;
|
|
|
|
virtual TLSCryptMetadata::Ptr new_obj() = 0;
|
|
};
|
|
|
|
// factory implementation for the basic verification method
|
|
class CryptoTLSCryptMetadataFactory : public TLSCryptMetadataFactory
|
|
{
|
|
public:
|
|
TLSCryptMetadata::Ptr new_obj()
|
|
{
|
|
return new TLSCryptMetadata();
|
|
}
|
|
};
|
|
}
|
|
|
|
#endif /* OPENVPN_CRYPTO_TLS_CRYPT_V2_H */
|