github/OpenVPNAdapter
4
0
Fork 0
mirror of https://github.com/deneraraujo/OpenVPNAdapter.git synced 2026-04-24 00:00:05 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge commit '86cc97e55fe346502462284d2e636a2b3708163e' as 'Sources/OpenVPN3'

Browse Source
This commit is contained in:
Sergey Abramchuk
2020-02-24 14:43:11 +03:00
parent 133b3756e6 86cc97e55f
commit 32f1555929
655 changed files with 146468 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Sources/OpenVPN3/openvpn/auth/authcert.hpp
+284
View File
@@ -0,0 +1,284 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
#ifndef OPENVPN_AUTH_AUTHCERT_H
#define OPENVPN_AUTH_AUTHCERT_H
#include <string>
#include <vector>
#include <sstream>
#include <cstring>
#include <memory>
#include <utility>
#include <openvpn/common/rc.hpp>
#include <openvpn/common/string.hpp>
#include <openvpn/common/hexstr.hpp>
#include <openvpn/common/binprefix.hpp>
#include <openvpn/common/to_string.hpp>
#include <openvpn/pki/x509track.hpp>
#include <openvpn/ssl/sni_metadata.hpp>
namespace openvpn {
class OpenSSLContext;
class MbedTLSContext;
class AuthCert : public RC<thread_unsafe_refcount>
{
public:
// AuthCert needs to friend SSL implementation classes
friend class OpenSSLContext;
friend class MbedTLSContext;
typedef RCPtr<AuthCert> Ptr;
class Fail
{
public:
// Ordered by severity. If many errors are present, the
// most severe error will be returned by get_code().
enum Type {
OK=0, // OK MUST be 0
EXPIRED, // less severe...
BAD_CERT_TYPE,
CERT_FAIL,
SNI_ERROR, // more severe...
N
};
void add_fail(const size_t depth, const Type new_code, std::string reason)
{
if (new_code > code)
code = new_code;
while (errors.size() <= depth)
errors.emplace_back();
std::string& err = errors[depth];
if (err.empty())
err = std::move(reason);
else if (err.find(reason) == std::string::npos)
{
err += ", ";
err += reason;
}
}
bool is_fail() const
{
return code != OK;
}
Type get_code() const
{
return code;
}
std::string to_string(const bool use_prefix) const
{
std::string ret;
if (use_prefix)
{
ret += render_code(code);
ret += ": ";
}
bool notfirst = false;
for (size_t i = 0; i < errors.size(); ++i)
{
if (errors[i].empty())
continue;
if (notfirst)
ret += ", ";
notfirst = true;
ret += errors[i];
ret += " [";
ret += openvpn::to_string(i);
ret += ']';
}
return ret;
}
static std::string render_code(const Type code)
{
switch (code)
{
case OK:
return "OK";
case CERT_FAIL:
default:
return "CERT_FAIL";
case BAD_CERT_TYPE:
return "BAD_CERT_TYPE";
case EXPIRED:
return "EXPIRED";
case SNI_ERROR:
return "SNI_ERROR";
}
}
private:
Type code{OK}; // highest-valued cert fail code
std::vector<std::string> errors; // human-readable cert errors by depth
};
AuthCert()
{
std::memset(issuer_fp, 0, sizeof(issuer_fp));
sn = -1;
}
bool defined() const
{
return sn >= 0;
}
bool sni_defined() const
{
return !sni.empty();
}
bool cn_defined() const
{
return !cn.empty();
}
bool is_uninitialized() const
{
return cn.empty() && sn < 0 && !fail;
}
template <typename T>
T issuer_fp_prefix() const
{
return bin_prefix<T>(issuer_fp);
}
bool operator==(const AuthCert& other) const
{
return sni == other.sni && cn == other.cn && sn == other.sn && !std::memcmp(issuer_fp, other.issuer_fp, sizeof(issuer_fp));
}
bool operator!=(const AuthCert& other) const
{
return !operator==(other);
}
std::string to_string() const
{
std::ostringstream os;
if (!sni.empty())
os << "SNI=" << sni << ' ';
if (sni_metadata)
os << "SNI_CN=" << sni_metadata->sni_client_name(*this) << ' ';
os << "CN=" << cn
<< " SN=" << sn
<< " ISSUER_FP=" << issuer_fp_str(false);
return os.str();
}
std::string issuer_fp_str(const bool openssl_fmt) const
{
if (openssl_fmt)
return render_hex_sep(issuer_fp, sizeof(issuer_fp), ':', true);
else
return render_hex(issuer_fp, sizeof(issuer_fp), false);
}
std::string normalize_cn() const // remove trailing "_AUTOLOGIN" from AS certs
{
if (string::ends_with(cn, "_AUTOLOGIN"))
return cn.substr(0, cn.length() - 10);
else
return cn;
}
// Allow sni_metadata object, if it exists, to generate the client name.
// Otherwise fall back to normalize_cn().
std::string sni_client_name() const
{
if (sni_metadata)
return sni_metadata->sni_client_name(*this);
else
return normalize_cn();
}
const std::string& get_sni() const
{
return sni;
}
const std::string& get_cn() const
{
return cn;
}
long get_sn() const
{
return sn;
}
const X509Track::Set* x509_track_get() const
{
return x509_track.get();
}
std::unique_ptr<X509Track::Set> x509_track_take_ownership()
{
return std::move(x509_track);
}
void add_fail(const size_t depth, const Fail::Type new_code, std::string reason)
{
if (!fail)
fail.reset(new Fail());
fail->add_fail(depth, new_code, std::move(reason));
}
bool is_fail() const
{
return fail && fail->is_fail();
}
const Fail* get_fail() const
{
return fail.get();
}
std::string fail_str() const
{
if (fail)
return fail->to_string(true);
else
return "OK";
}
private:
std::string sni; // SNI (server name indication)
std::string cn; // common name
long sn; // serial number
unsigned char issuer_fp[20]; // issuer cert fingerprint
std::unique_ptr<Fail> fail;
std::unique_ptr<X509Track::Set> x509_track;
SNI::Metadata::UPtr sni_metadata;
};
}
#endif
Sources/OpenVPN3/openvpn/auth/authcreds.hpp
+92
View File
@@ -0,0 +1,92 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
#ifndef OPENVPN_AUTH_AUTHCREDS
#define OPENVPN_AUTH_AUTHCREDS
#include <utility> // for std::move
#include <string>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/common/rc.hpp>
#include <openvpn/common/options.hpp>
#include <openvpn/common/unicode.hpp>
#include <openvpn/buffer/safestr.hpp>
#include <openvpn/auth/validatecreds.hpp>
namespace openvpn {
class AuthCreds : public RC<thread_unsafe_refcount>
{
public:
typedef RCPtr<AuthCreds> Ptr;
AuthCreds(std::string&& username_arg,
SafeString&& password_arg,
const std::string& peer_info_str)
: username(std::move(username_arg)),
password(std::move(password_arg))
{
peer_info.parse_from_peer_info(peer_info_str, nullptr);
peer_info.update_map();
}
bool defined() const
{
return !username.empty();
}
bool is_valid_user_pass(const bool strict) const
{
return ValidateCreds::is_valid(ValidateCreds::USERNAME, username, strict)
&& ValidateCreds::is_valid(ValidateCreds::PASSWORD, password, strict);
}
bool is_valid(const bool strict) const
{
return defined() && is_valid_user_pass(strict);
}
void wipe_password()
{
password.wipe();
}
std::string to_string() const
{
std::ostringstream os;
os << "*** AuthCreds ***" << std::endl;
os << "user: '" << username << "'" << std::endl;
os << "pass: (" << password.length() << " chars)" << std::endl;
os << "peer info:" << std::endl;
os << peer_info.render(Option::RENDER_BRACKET|Option::RENDER_NUMBER);
return os.str();
}
std::string username;
SafeString password;
OptionList peer_info;
};
}
#endif
Sources/OpenVPN3/openvpn/auth/cr.hpp
+228
View File
@@ -0,0 +1,228 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Encapsulate the state of a static or dynamic authentication challenge.
#ifndef OPENVPN_AUTH_CR_H
#define OPENVPN_AUTH_CR_H
#include <string>
#include <sstream>
#include <vector>
#include <openvpn/common/exception.hpp>
#include <openvpn/common/base64.hpp>
#include <openvpn/common/split.hpp>
#include <openvpn/common/rc.hpp>
#include <openvpn/common/string.hpp>
// Static Challenge response:
// SCRV1:<BASE64_PASSWORD>:<BASE64_RESPONSE>
//
// Dynamic Challenge:
// CRV1:<FLAGS>:<STATE_ID>:<BASE64_USERNAME>:<CHALLENGE_TEXT>
// FLAGS is a comma-separated list of options:
// E -- echo
// R -- response required
//
// Dynamic Challenge response:
// Username: [username decoded from username_base64]
// Password: CRV1::<STATE_ID>::<RESPONSE_TEXT>
namespace openvpn {
class ChallengeResponse : public RC<thread_unsafe_refcount> {
public:
typedef RCPtr<ChallengeResponse> Ptr;
OPENVPN_SIMPLE_EXCEPTION(dynamic_challenge_parse_error);
OPENVPN_SIMPLE_EXCEPTION(static_challenge_parse_error);
ChallengeResponse()
: echo(false), response_required(false)
{
}
explicit ChallengeResponse(const std::string& cookie)
: echo(false), response_required(false)
{
init(cookie);
}
ChallengeResponse(const std::string& cookie, const std::string& user)
: echo(false), response_required(false)
{
if (!is_dynamic(cookie) && cookie.find_first_of(':') == std::string::npos)
{
state_id = cookie;
username = user;
}
else
init(cookie);
}
void init(const std::string& cookie)
{
typedef std::vector<std::string> StringList;
StringList sl;
sl.reserve(5);
Split::by_char_void<StringList, NullLex, Split::NullLimit>(sl, cookie, ':', 0, 4);
if (sl.size() != 5)
throw dynamic_challenge_parse_error();
if (sl[0] != "CRV1")
throw dynamic_challenge_parse_error();
// parse options
{
StringList opt;
opt.reserve(2);
Split::by_char_void<StringList, NullLex, Split::NullLimit>(opt, sl[1], ',');
for (StringList::const_iterator i = opt.begin(); i != opt.end(); ++i)
{
if (*i == "E")
echo = true;
else if (*i == "R")
response_required = true;
}
}
// save state ID
state_id = sl[2];
// save username
try {
username = base64->decode(sl[3]);
}
catch (const Base64::base64_decode_error&)
{
throw dynamic_challenge_parse_error();
}
// save challenge
challenge_text = sl[4];
}
static bool is_dynamic(const std::string& s)
{
return string::starts_with(s, "CRV1:");
}
static bool is_static(const std::string& s)
{
return string::starts_with(s, "SCRV1:");
}
static void validate_dynamic(const std::string& cookie)
{
ChallengeResponse cr(cookie);
}
std::string construct_dynamic_password(const std::string& response) const
{
std::ostringstream os;
os << "CRV1::" << state_id << "::" << response;
return os.str();
}
static std::string construct_static_password(const std::string& password,
const std::string& response)
{
std::ostringstream os;
os << "SCRV1:" << base64->encode(password) << ':' << base64->encode(response);
return os.str();
}
static void parse_static_cookie(const std::string& cookie,
std::string& password,
std::string& response)
{
typedef std::vector<std::string> StringList;
StringList sl;
sl.reserve(3);
Split::by_char_void<StringList, NullLex, Split::NullLimit>(sl, cookie, ':');
if (sl.size() != 3)
throw static_challenge_parse_error();
if (sl[0] != "SCRV1")
throw static_challenge_parse_error();
// get password
try {
password = base64->decode(sl[1]);
}
catch (const Base64::base64_decode_error&)
{
throw static_challenge_parse_error();
}
// get response
try {
response = base64->decode(sl[2]);
}
catch (const Base64::base64_decode_error&)
{
throw static_challenge_parse_error();
}
}
static std::string generate_dynamic_challenge(const std::string& session_token,
const std::string& username,
const std::string& challenge,
const bool echo,
const bool response_required)
{
std::ostringstream os;
bool comma = false;
os << "CRV1:";
if (echo)
{
if (comma)
os << ",";
os << "E";
comma = true;
}
if (response_required)
{
if (comma)
os << ",";
os << "R";
comma = true;
}
os << ':' << session_token;
os << ':' << base64->encode(username);
os << ':' << challenge;
return os.str();
}
const std::string& get_state_id() const { return state_id; }
const std::string& get_username() const { return username; }
bool get_echo() const { return echo; }
bool get_response_required() const { return response_required; }
const std::string& get_challenge_text() const { return challenge_text; }
private:
bool echo;
bool response_required;
std::string state_id;
std::string username;
std::string challenge_text;
};
}
#endif
Sources/OpenVPN3/openvpn/auth/validatecreds.hpp
+71
View File
@@ -0,0 +1,71 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
#ifndef OPENVPN_AUTH_VALIDATE_CREDS_H
#define OPENVPN_AUTH_VALIDATE_CREDS_H
#include <openvpn/common/unicode.hpp>
namespace openvpn {
// Validate authentication credential.
// Must be UTF-8.
// Other checks on size and content below.
// We don't check that the credential is non-empty.
namespace ValidateCreds {
enum Type {
USERNAME,
PASSWORD,
RESPONSE
};
template <typename STRING>
static bool is_valid(const Type type, const STRING& cred, const bool strict)
{
size_t max_len_flags;
if (strict)
{
// length <= 512 unicode chars, no control chars allowed
max_len_flags = 512 | Unicode::UTF8_NO_CTRL;
}
else
{
switch (type)
{
case USERNAME:
// length <= 512 unicode chars, no control chars allowed
max_len_flags = 512 | Unicode::UTF8_NO_CTRL;
break;
case PASSWORD:
case RESPONSE:
// length <= 16384 unicode chars
max_len_flags = 16384;
break;
default:
return false;
}
}
return Unicode::is_valid_utf8(cred, max_len_flags);
}
}
}
#endif