mirror of
https://github.com/deneraraujo/OpenVPNAdapter.git
synced 2026-04-24 00:00:05 +08:00
Sergey Abramchuk
f5fda0fa73
6608878d5 [OVPN3-341] implement mssfix support 1bf3fc0e4 win: update project files f8d209435 travis: update to default osx image: xcode9.4 31eb246a8 travis.yml: align deps version to lib-version 996f86635 RunContext: fixed rebase issue that added two "default: signal_rearm();" clauses aebea6456 build script: minor changes to Cityhash inclusion 1d754072c modstat: make update_file_mod_time_nanoseconds() a no-op on non-Linux 7974c9867 Fixed some breakage caused by recent endian/ffs commits a0dd7fe8b endian.hpp: break out endian compile-time tests to endian_platform.hpp c8bdf5a34 ffs.hpp: support additional numeric types dcb0c9452 BufferType: append() argument can now be a flexible buffer type 2009a8a25 Added AsioTimerSafe 39e71b7dd event_loop_wait_barrier: use a longer default timeout when running under valgrind 8b7e08e9b string::contains_non_space_ctrl: consider ASCII char 127 (DEL) to be a control char e43024d7c RunContext: rearm non-terminating signals 6ab379323 write_binary_atomic: remove temporary file on move failure 55dc653cd path: added is_contained() 02bf235c6 Reverted previous commit: "ReplyParser: added undefined status" 84dbc5b9b Allow test/cli.cpp to be used with NetCfg Tunbuilder client 80fed2c55 Allow updating auth-token during session ad7da751e don't print time in debug message and use OPENVPN_LOG_PROTO_VERBOSE 981407994 tls-crypt-v2: implement abstract metadata parser be38bbeb8 tls-crypt-v2: test/ssl/proto.cpp - extend protocol test 60fcf374f tls-crypt-v2: implement WKc appending/unwrapping logic 51f4a3a29 tls-crypt-v2: introduce CONTROL_HARD_RESET_V3 packet type 156a6e58b tls-crypt-v2: implement client key parser and renderer 54a97b381 ssl: add support for encoding/decoding PEM format f090fcda4 tls-crypt: make HMAC API more generic d87f5bbc0 OpenSSL: init library 2ea88a93b Add Remote endpoint information to protect_socket call 0a081ee17 [OVPN3-315] cli/go: add option to compile SITNL component 5bbfb57c0 [OVPN3-315] TunLinux::Client: allow user to select netlink at compile time e8458a68e [OVPN3-315] GW: add netlink support 4e77edb9e [OVPN3-315] TunLinux: add Netlink implementation for Tun setup methods 68508fe56 bigmutex: include missing extern.hpp header a7b923e1e Fix logic inversion from commit 2de9aebc 923e10d13 runcontext: arrange members to allow inheritance 2de9aebc7 Replace deprecated mbedtls_sha1 with mbedtls_sha1_ret e9c0bd00b Remove unused private field ee17c33c2 Add virtual deconstructor to TransportClientParent fab64ba0f Fix clang warning about unused attributes and missing overrides 2624d9ddf Also parse dhcp-option DNS6 as DNS server for compatibility with OpenVPN 2 6d12c9cc2 Refuse external pki with non RSA keys 4a25059f5 test/ovpncli: Don't override PROF env variable f241c4c5f scripts: Add tool to update copyright years 27beeb03d Update lz4 version to 1.8.3 17e356858 Define DASIO_HAS_STD_STRING_VIEW on Android build b107fd994 Remove unsupported platforms from Android build 6a200f72e Ensure all Android components are always installed fbcd374a4 [OVPN3-327] OpenSSL: ensure >TLS1.0 is negotiated by default d9b1f78b6 JSON: #define OPENVPN_JSON_INTERNAL when internal JSON library is used 39290f19d Fix build issues with #if macro on big-endian hardware d4f62d9ed Fix instantiating a new URL instead of parsing the URL git-subtree-dir: Sources/OpenVPNAdapter/Libraries/Vendors/openvpn git-subtree-split: 6608878d57eec1c64c16c5a13ee65b2cf0418ca1
480 lines
13 KiB
C++
480 lines
13 KiB
C++
// OpenVPN -- An application to securely tunnel IP networks
|
|
// over a single port, with support for SSL/TLS-based
|
|
// session authentication and key exchange,
|
|
// packet encryption, packet authentication, and
|
|
// packet compression.
|
|
//
|
|
// Copyright (C) 2012-2017 OpenVPN Inc.
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License Version 3
|
|
// as published by the Free Software Foundation.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program in the COPYING file.
|
|
// If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
// This class will read a standard OpenVPN config file that might contain
|
|
// references to other files, and it will merge the included files into the
|
|
// config file, using inline configuration syntax, to produce a single,
|
|
// unified config file.
|
|
|
|
#ifndef OPENVPN_OPTIONS_MERGE_H
|
|
#define OPENVPN_OPTIONS_MERGE_H
|
|
|
|
#include <string>
|
|
#include <sstream>
|
|
#include <vector>
|
|
|
|
#include <openvpn/common/size.hpp>
|
|
#include <openvpn/common/exception.hpp>
|
|
#include <openvpn/common/options.hpp>
|
|
#include <openvpn/common/string.hpp>
|
|
#include <openvpn/common/split.hpp>
|
|
#include <openvpn/common/path.hpp>
|
|
#include <openvpn/common/file.hpp>
|
|
#include <openvpn/common/splitlines.hpp>
|
|
|
|
namespace openvpn {
|
|
|
|
class ProfileMerge
|
|
{
|
|
// internal flags
|
|
enum {
|
|
F_MAY_INCLUDE_KEY_DIRECTION = (1<<0),
|
|
F_PKCS12 = (1<<1),
|
|
F_HTTP_PROXY = (1<<2),
|
|
};
|
|
|
|
// limits
|
|
enum {
|
|
MAX_FN_LIST_SIZE=16,
|
|
};
|
|
|
|
public:
|
|
OPENVPN_EXCEPTION(merge_error);
|
|
|
|
// public status values
|
|
enum Status {
|
|
MERGE_UNDEFINED,
|
|
MERGE_SUCCESS,
|
|
MERGE_EXCEPTION,
|
|
MERGE_OVPN_EXT_FAIL,
|
|
MERGE_OVPN_FILE_FAIL,
|
|
MERGE_REF_FAIL,
|
|
MERGE_MULTIPLE_REF_FAIL,
|
|
};
|
|
|
|
// merge status
|
|
Status status() const { return status_; }
|
|
const std::string& error() const { return error_; }
|
|
|
|
// merge path basename
|
|
const std::string& basename() const { return basename_; }
|
|
|
|
// final unified profile
|
|
const std::string& profile_content() const { return profile_content_; }
|
|
|
|
// list of all reference paths successfully read
|
|
const std::vector<std::string>& ref_path_list() const { return ref_succeed_list_; }
|
|
|
|
// merge status as a string
|
|
const char *status_string() const
|
|
{
|
|
switch (status_)
|
|
{
|
|
case MERGE_UNDEFINED:
|
|
return "MERGE_UNDEFINED";
|
|
case MERGE_SUCCESS:
|
|
return "MERGE_SUCCESS";
|
|
case MERGE_EXCEPTION:
|
|
return "MERGE_EXCEPTION";
|
|
case MERGE_OVPN_EXT_FAIL:
|
|
return "MERGE_OVPN_EXT_FAIL";
|
|
case MERGE_OVPN_FILE_FAIL:
|
|
return "MERGE_OVPN_FILE_FAIL";
|
|
case MERGE_REF_FAIL:
|
|
return "MERGE_REF_FAIL";
|
|
case MERGE_MULTIPLE_REF_FAIL:
|
|
return "MERGE_MULTIPLE_REF_FAIL";
|
|
default:
|
|
return "MERGE_?";
|
|
}
|
|
}
|
|
|
|
// allow following of external file references
|
|
enum Follow {
|
|
FOLLOW_NONE,
|
|
FOLLOW_PARTIAL,
|
|
FOLLOW_FULL,
|
|
};
|
|
|
|
ProfileMerge(const std::string& profile_path,
|
|
const std::string& profile_ext,
|
|
const std::string& profile_dir_override,
|
|
const Follow follow_references,
|
|
const size_t max_line_len,
|
|
const size_t max_size)
|
|
: status_(MERGE_UNDEFINED)
|
|
{
|
|
try {
|
|
size_t total_size = 0;
|
|
|
|
// read the profile
|
|
std::string orig_profile_content;
|
|
std::string profile_dir;
|
|
try {
|
|
profile_dir = !profile_dir_override.empty() ? profile_dir_override : path::dirname(profile_path);
|
|
basename_ = path::basename(profile_path);
|
|
const std::string ext = path::ext(basename_);
|
|
if (profile_ext.empty() || string::strcasecmp(ext, profile_ext) == 0)
|
|
{
|
|
orig_profile_content = read_text_utf8(profile_path, max_size);
|
|
total_size = orig_profile_content.size();
|
|
}
|
|
else
|
|
{
|
|
status_ = MERGE_OVPN_EXT_FAIL;
|
|
error_ = basename_;
|
|
return;
|
|
}
|
|
}
|
|
catch (const std::exception& e)
|
|
{
|
|
status_ = MERGE_OVPN_FILE_FAIL;
|
|
error_ = e.what();
|
|
return;
|
|
}
|
|
|
|
// expand the profile
|
|
expand_profile(orig_profile_content, profile_dir, follow_references, max_line_len, max_size, total_size);
|
|
}
|
|
catch (const std::exception& e)
|
|
{
|
|
status_ = MERGE_EXCEPTION;
|
|
error_ = e.what();
|
|
}
|
|
}
|
|
|
|
static std::string merge(const std::string& profile_path,
|
|
const std::string& profile_ext,
|
|
const std::string& profile_dir_override,
|
|
const Follow follow_references,
|
|
const size_t max_line_len,
|
|
const size_t max_size)
|
|
{
|
|
const ProfileMerge pm(profile_path, profile_ext, profile_dir_override,
|
|
follow_references, max_line_len, max_size);
|
|
if (pm.status() == ProfileMerge::MERGE_SUCCESS)
|
|
return pm.profile_content();
|
|
else
|
|
OPENVPN_THROW(merge_error, pm.status_string() << ": " << pm.error());
|
|
}
|
|
|
|
protected:
|
|
ProfileMerge() : status_(MERGE_UNDEFINED) {}
|
|
|
|
void expand_profile(const std::string& orig_profile_content,
|
|
const std::string& profile_dir,
|
|
const Follow follow_references,
|
|
const size_t max_line_len,
|
|
const size_t max_size,
|
|
size_t total_size)
|
|
{
|
|
if (total_size > max_size)
|
|
{
|
|
status_ = MERGE_EXCEPTION;
|
|
error_ = "file too large";
|
|
return;
|
|
}
|
|
|
|
status_ = MERGE_SUCCESS;
|
|
|
|
SplitLines in(orig_profile_content, max_line_len);
|
|
int line_num = 0;
|
|
bool in_multiline = false;
|
|
bool opaque_multiline = false;
|
|
Option multiline;
|
|
|
|
profile_content_.reserve(orig_profile_content.length());
|
|
while (in(true))
|
|
{
|
|
if (in.line_overflow())
|
|
{
|
|
status_ = MERGE_EXCEPTION;
|
|
error_ = "line too long";
|
|
return;
|
|
}
|
|
const std::string& line = in.line_ref();
|
|
bool echo = true;
|
|
++line_num;
|
|
if (in_multiline)
|
|
{
|
|
if (OptionList::is_close_tag(line, multiline.ref(0)))
|
|
{
|
|
multiline.clear();
|
|
in_multiline = false;
|
|
opaque_multiline = false;
|
|
}
|
|
}
|
|
else if (!OptionList::ignore_line(line))
|
|
{
|
|
Option opt = Split::by_space<Option, OptionList::LexComment, SpaceMatch, Split::NullLimit>(line);
|
|
if (opt.size())
|
|
{
|
|
if (OptionList::is_open_tag(opt.ref(0)) && opt.size() == 1)
|
|
{
|
|
OptionList::untag_open_tag(opt.ref(0));
|
|
multiline = opt;
|
|
in_multiline = true;
|
|
unsigned int flags = 0; // not used
|
|
opaque_multiline = is_fileref_directive(multiline.ref(0), flags);
|
|
}
|
|
else
|
|
{
|
|
unsigned int flags = 0;
|
|
bool is_fileref = (!opaque_multiline
|
|
&& opt.size() >= 2
|
|
&& is_fileref_directive(opt.ref(0), flags));
|
|
if (is_fileref)
|
|
{
|
|
// check if http-proxy directive references a creds file
|
|
if (flags & F_HTTP_PROXY)
|
|
{
|
|
is_fileref = false;
|
|
if (opt.size() >= 4)
|
|
{
|
|
const std::string authfile = opt.get(3, 256);
|
|
if (authfile != "auto" && authfile != "auto-nct")
|
|
{
|
|
opt.ref(3) = "auto";
|
|
profile_content_ += opt.escape();
|
|
profile_content_ += '\n';
|
|
opt.ref(0) = "http-proxy-user-pass";
|
|
opt.ref(1) = authfile;
|
|
opt.resize(2);
|
|
is_fileref = true;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
if (is_fileref)
|
|
{
|
|
// found a directive referencing a file
|
|
|
|
// get basename of file and make sure that it doesn't
|
|
// attempt to traverse directories (unless
|
|
// follow_references == FOLLOW_FULL)
|
|
const std::string fn_str = opt.get(1, 256);
|
|
const std::string fn = (follow_references == FOLLOW_FULL ? fn_str : path::basename(fn_str));
|
|
if (fn.empty())
|
|
{
|
|
echo = false;
|
|
status_ = MERGE_REF_FAIL;
|
|
}
|
|
else if (follow_references != FOLLOW_FULL && !path::is_flat(fn))
|
|
{
|
|
echo = false;
|
|
status_ = MERGE_REF_FAIL;
|
|
error_ = fn;
|
|
if (ref_fail_list_.size() < MAX_FN_LIST_SIZE)
|
|
ref_fail_list_.push_back(fn);
|
|
}
|
|
else
|
|
{
|
|
std::string path;
|
|
std::string file_content;
|
|
bool error = false;
|
|
try {
|
|
if (follow_references == FOLLOW_NONE)
|
|
{
|
|
status_ = MERGE_EXCEPTION;
|
|
error_ = fn + ": cannot follow file reference";
|
|
return;
|
|
}
|
|
path = path::join(profile_dir, fn);
|
|
file_content = read_text_utf8(path, max_size);
|
|
total_size += file_content.size();
|
|
if (total_size > max_size)
|
|
{
|
|
status_ = MERGE_EXCEPTION;
|
|
error_ = fn + ": file too large";
|
|
return;
|
|
}
|
|
OptionList::detect_multiline_breakout(file_content, opt.ref(0));
|
|
}
|
|
catch (const std::exception& e)
|
|
{
|
|
error = true;
|
|
status_ = MERGE_REF_FAIL;
|
|
error_ = fn + " : " + e.what();
|
|
if (ref_fail_list_.size() < MAX_FN_LIST_SIZE)
|
|
ref_fail_list_.push_back(fn);
|
|
}
|
|
|
|
if (!error) // succeeded in reading file?
|
|
{
|
|
// don't echo this line, i.e. opt[], instead expand file_content into profile
|
|
echo = false;
|
|
|
|
// tls-auth or secret directive may include key-direction parameter
|
|
if (flags & F_MAY_INCLUDE_KEY_DIRECTION)
|
|
{
|
|
std::string key_direction;
|
|
if (opt.size() >= 3)
|
|
key_direction = opt.get(2, 16);
|
|
else
|
|
key_direction = "bidirectional";
|
|
profile_content_ += "key-direction " + key_direction + "\n";
|
|
}
|
|
|
|
// format file_content for appending to profile
|
|
{
|
|
std::ostringstream os;
|
|
const std::string& tag = opt.ref(0);
|
|
string::add_trailing(file_content, '\n');
|
|
os << '<' << tag << ">\n" << file_content << "</" << tag << ">\n";
|
|
profile_content_ += os.str();
|
|
}
|
|
|
|
// save file we referenced
|
|
if (ref_succeed_list_.size() < MAX_FN_LIST_SIZE)
|
|
ref_succeed_list_.push_back(path);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
if (echo)
|
|
{
|
|
profile_content_ += line;
|
|
profile_content_ += '\n';
|
|
}
|
|
}
|
|
|
|
// If more than 2 errors occurred, change status to
|
|
// MERGE_MULTIPLE_REF_FAIL and enumerate each failed file.
|
|
if (ref_fail_list_.size() >= 2)
|
|
{
|
|
status_ = MERGE_MULTIPLE_REF_FAIL;
|
|
error_ = "";
|
|
for (size_t i = 0; i < ref_fail_list_.size(); ++i)
|
|
{
|
|
if (i)
|
|
error_ += ", ";
|
|
error_ += ref_fail_list_[i];
|
|
}
|
|
}
|
|
}
|
|
|
|
static bool is_fileref_directive(const std::string& d, unsigned int& flags)
|
|
{
|
|
if (d.length() > 0)
|
|
{
|
|
switch (d[0])
|
|
{
|
|
case 'a':
|
|
return d == "auth-user-pass";
|
|
case 'c':
|
|
return d == "ca" || d == "cert" || d == "crl-verify";
|
|
case 'd':
|
|
return d == "dh";
|
|
case 'e':
|
|
return d == "extra-certs";
|
|
case 'h':
|
|
if (d == "http-proxy")
|
|
{
|
|
flags |= F_HTTP_PROXY;
|
|
return true;
|
|
}
|
|
return false;
|
|
case 'k':
|
|
return d == "key";
|
|
#if 0 // define when we have capability to parse out pkcs12 from profile and add to Keychain (fixme)
|
|
case 'p':
|
|
if (d == "pkcs12")
|
|
{
|
|
flags |= F_PKCS12;
|
|
return true;
|
|
}
|
|
return false;
|
|
#endif
|
|
case 'r':
|
|
if (d == "relay-extra-ca")
|
|
return true;
|
|
if (d == "relay-tls-auth")
|
|
{
|
|
flags |= F_MAY_INCLUDE_KEY_DIRECTION;
|
|
return true;
|
|
}
|
|
return false;
|
|
case 't':
|
|
if (d == "tls-auth")
|
|
{
|
|
flags |= F_MAY_INCLUDE_KEY_DIRECTION;
|
|
return true;
|
|
}
|
|
if (d == "tls-crypt")
|
|
return true;
|
|
if (d == "tls-crypt-v2")
|
|
return true;
|
|
return false;
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
|
|
Status status_;
|
|
std::string profile_content_;
|
|
std::string basename_;
|
|
std::string error_;
|
|
std::vector<std::string> ref_fail_list_;
|
|
std::vector<std::string> ref_succeed_list_;
|
|
};
|
|
|
|
class ProfileMergeFromString : public ProfileMerge
|
|
{
|
|
public:
|
|
ProfileMergeFromString(const std::string& profile_content,
|
|
const std::string& ref_dir,
|
|
const Follow follow_references,
|
|
const size_t max_line_len,
|
|
const size_t max_size)
|
|
{
|
|
try {
|
|
// expand the profile
|
|
expand_profile(profile_content, ref_dir, follow_references,
|
|
max_line_len, max_size, profile_content.size());
|
|
}
|
|
catch (const std::exception& e)
|
|
{
|
|
status_ = MERGE_EXCEPTION;
|
|
error_ = e.what();
|
|
}
|
|
}
|
|
|
|
static std::string merge(const std::string& profile_content,
|
|
const std::string& ref_dir,
|
|
const Follow follow_references,
|
|
const size_t max_line_len,
|
|
const size_t max_size)
|
|
{
|
|
const ProfileMergeFromString pm(profile_content, ref_dir,
|
|
follow_references, max_line_len, max_size);
|
|
if (pm.status() == ProfileMerge::MERGE_SUCCESS)
|
|
return pm.profile_content();
|
|
else
|
|
OPENVPN_THROW(merge_error, pm.status_string() << ": " << pm.error());
|
|
}
|
|
|
|
};
|
|
}
|
|
|
|
#endif
|