github/OpenVPNAdapter
4
0
Fork 0
mirror of https://github.com/deneraraujo/OpenVPNAdapter.git synced 2026-04-24 00:00:05 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge commit '86cc97e55fe346502462284d2e636a2b3708163e' as 'Sources/OpenVPN3'

Browse Source
This commit is contained in:
Sergey Abramchuk
2020-02-24 14:43:11 +03:00
parent 133b3756e6 86cc97e55f
commit 32f1555929
655 changed files with 146468 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Sources/OpenVPN3/openvpn/mbedtls/crypto/api.hpp
+46
View File
@@ -0,0 +1,46 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
#ifndef OPENVPN_MBEDTLS_CRYPTO_API_H
#define OPENVPN_MBEDTLS_CRYPTO_API_H
#include <openvpn/mbedtls/crypto/cipher.hpp>
#include <openvpn/mbedtls/crypto/ciphergcm.hpp>
#include <openvpn/mbedtls/crypto/digest.hpp>
#include <openvpn/mbedtls/crypto/hmac.hpp>
namespace openvpn {
// type container for MbedTLS Crypto-level API
struct MbedTLSCryptoAPI {
// cipher
typedef MbedTLSCrypto::CipherContext CipherContext;
typedef MbedTLSCrypto::CipherContextGCM CipherContextGCM;
// digest
typedef MbedTLSCrypto::DigestContext DigestContext;
// HMAC
typedef MbedTLSCrypto::HMACContext HMACContext;
};
}
#endif
Sources/OpenVPN3/openvpn/mbedtls/crypto/cipher.hpp
+196
View File
@@ -0,0 +1,196 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap the mbed TLS cipher API defined in <mbedtls/cipher.h> so
// that it can be used as part of the crypto layer of the OpenVPN core.
#ifndef OPENVPN_MBEDTLS_CRYPTO_CIPHER_H
#define OPENVPN_MBEDTLS_CRYPTO_CIPHER_H
#include <string>
#include <mbedtls/cipher.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/crypto/static_key.hpp>
#include <openvpn/crypto/cryptoalgs.hpp>
namespace openvpn {
namespace MbedTLSCrypto {
class CipherContext
{
CipherContext(const CipherContext&) = delete;
CipherContext& operator=(const CipherContext&) = delete;
public:
OPENVPN_SIMPLE_EXCEPTION(mbedtls_cipher_mode_error);
OPENVPN_SIMPLE_EXCEPTION(mbedtls_cipher_uninitialized);
OPENVPN_EXCEPTION(mbedtls_cipher_error);
// mode parameter for constructor
enum {
MODE_UNDEF = MBEDTLS_OPERATION_NONE,
ENCRYPT = MBEDTLS_ENCRYPT,
DECRYPT = MBEDTLS_DECRYPT
};
// mbed TLS cipher constants
enum {
MAX_IV_LENGTH = MBEDTLS_MAX_IV_LENGTH,
CIPH_CBC_MODE = MBEDTLS_MODE_CBC
};
CipherContext()
: initialized(false)
{
}
~CipherContext() { erase() ; }
void init(const CryptoAlgs::Type alg, const unsigned char *key, const int mode)
{
erase();
// check that mode is valid
if (!(mode == ENCRYPT || mode == DECRYPT))
throw mbedtls_cipher_mode_error();
// get cipher type
const mbedtls_cipher_info_t *ci = cipher_type(alg);
// initialize cipher context with cipher type
if (mbedtls_cipher_setup(&ctx, ci) < 0)
throw mbedtls_cipher_error("mbedtls_cipher_setup");
// set key and encrypt/decrypt mode
if (mbedtls_cipher_setkey(&ctx, key, ci->key_bitlen, (mbedtls_operation_t)mode) < 0)
throw mbedtls_cipher_error("mbedtls_cipher_setkey");
initialized = true;
}
void reset(const unsigned char *iv)
{
check_initialized();
if (mbedtls_cipher_reset(&ctx) < 0)
throw mbedtls_cipher_error("mbedtls_cipher_reset");
if (mbedtls_cipher_set_iv(&ctx, iv, iv_length()))
throw mbedtls_cipher_error("mbedtls_cipher_set_iv");
}
bool update(unsigned char *out, const size_t max_out_size,
const unsigned char *in, const size_t in_size,
size_t& out_acc)
{
check_initialized();
size_t outlen;
if (mbedtls_cipher_update(&ctx, in, in_size, out, &outlen) >= 0)
{
out_acc += outlen;
return true;
}
else
return false;
}
bool final(unsigned char *out, const size_t max_out_size, size_t& out_acc)
{
check_initialized();
size_t outlen;
if (mbedtls_cipher_finish (&ctx, out, &outlen) >= 0)
{
out_acc += outlen;
return true;
}
else
return false;
}
bool is_initialized() const { return initialized; }
size_t iv_length() const
{
check_initialized();
return mbedtls_cipher_get_iv_size(&ctx);
}
size_t block_size() const
{
check_initialized();
return mbedtls_cipher_get_block_size(&ctx);
}
// return cipher mode (such as CIPH_CBC_MODE, etc.)
int cipher_mode() const
{
check_initialized();
return mbedtls_cipher_get_cipher_mode(&ctx);
}
private:
static const mbedtls_cipher_info_t *cipher_type(const CryptoAlgs::Type alg)
{
switch (alg)
{
case CryptoAlgs::AES_128_CBC:
return mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_CBC);
case CryptoAlgs::AES_192_CBC:
return mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_192_CBC);
case CryptoAlgs::AES_256_CBC:
return mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_256_CBC);
case CryptoAlgs::AES_256_CTR:
return mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_256_CTR);
case CryptoAlgs::DES_CBC:
return mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_DES_CBC);
case CryptoAlgs::DES_EDE3_CBC:
return mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_DES_EDE3_CBC);
case CryptoAlgs::BF_CBC:
return mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_BLOWFISH_CBC);
default:
OPENVPN_THROW(mbedtls_cipher_error, CryptoAlgs::name(alg) << ": not usable");
}
}
void erase()
{
if (initialized)
{
mbedtls_cipher_free(&ctx);
initialized = false;
}
}
void check_initialized() const
{
#ifdef OPENVPN_ENABLE_ASSERT
if (!initialized)
throw mbedtls_cipher_uninitialized();
#endif
}
bool initialized;
mbedtls_cipher_context_t ctx;
};
}
}
#endif
Sources/OpenVPN3/openvpn/mbedtls/crypto/ciphergcm.hpp
+170
View File
@@ -0,0 +1,170 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap the mbed TLS GCM API.
#ifndef OPENVPN_MBEDTLS_CRYPTO_CIPHERGCM_H
#define OPENVPN_MBEDTLS_CRYPTO_CIPHERGCM_H
#include <string>
#include <mbedtls/gcm.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/common/likely.hpp>
#include <openvpn/crypto/static_key.hpp>
#include <openvpn/crypto/cryptoalgs.hpp>
namespace openvpn {
namespace MbedTLSCrypto {
class CipherContextGCM
{
CipherContextGCM(const CipherContextGCM&) = delete;
CipherContextGCM& operator=(const CipherContextGCM&) = delete;
public:
OPENVPN_EXCEPTION(mbedtls_gcm_error);
// mode parameter for constructor
enum {
MODE_UNDEF = MBEDTLS_OPERATION_NONE,
ENCRYPT = MBEDTLS_ENCRYPT,
DECRYPT = MBEDTLS_DECRYPT
};
// mbed TLS cipher constants
enum {
IV_LEN = 12,
AUTH_TAG_LEN = 16,
SUPPORTS_IN_PLACE_ENCRYPT = 1,
};
#if 0
// mbed TLS encrypt/decrypt return values
enum {
GCM_AUTH_FAILED = MBEDTLS_ERR_GCM_AUTH_FAILED,
SUCCESS = 0,
};
#endif
CipherContextGCM()
: initialized(false)
{
}
~CipherContextGCM() { erase() ; }
void init(const CryptoAlgs::Type alg,
const unsigned char *key,
const unsigned int keysize,
const int mode) // unused
{
erase();
// get cipher type
unsigned int ckeysz = 0;
const mbedtls_cipher_id_t cid = cipher_type(alg, ckeysz);
if (ckeysz > keysize)
throw mbedtls_gcm_error("insufficient key material");
// initialize cipher context
mbedtls_gcm_init(&ctx);
if (mbedtls_gcm_setkey(&ctx, cid, key, ckeysz * 8) < 0)
throw mbedtls_gcm_error("mbedtls_gcm_setkey");
initialized = true;
}
void encrypt(const unsigned char *input,
unsigned char *output,
size_t length,
const unsigned char *iv,
unsigned char *tag,
const unsigned char *ad,
size_t ad_len)
{
check_initialized();
const int status = mbedtls_gcm_crypt_and_tag(&ctx, MBEDTLS_GCM_ENCRYPT,
length, iv, IV_LEN, ad, ad_len,
input, output, AUTH_TAG_LEN, tag);
if (unlikely(status))
OPENVPN_THROW(mbedtls_gcm_error, "mbedtls_gcm_crypt_and_tag failed with status=" << status);
}
// input and output may NOT be equal
bool decrypt(const unsigned char *input,
unsigned char *output,
size_t length,
const unsigned char *iv,
const unsigned char *tag,
const unsigned char *ad,
size_t ad_len)
{
check_initialized();
const int status = mbedtls_gcm_auth_decrypt(&ctx, length, iv, IV_LEN, ad, ad_len, tag,
AUTH_TAG_LEN, input, output);
return status == 0;
}
bool is_initialized() const { return initialized; }
private:
static mbedtls_cipher_id_t cipher_type(const CryptoAlgs::Type alg, unsigned int& keysize)
{
switch (alg)
{
case CryptoAlgs::AES_128_GCM:
keysize = 16;
return MBEDTLS_CIPHER_ID_AES;
case CryptoAlgs::AES_192_GCM:
keysize = 24;
return MBEDTLS_CIPHER_ID_AES;
case CryptoAlgs::AES_256_GCM:
keysize = 32;
return MBEDTLS_CIPHER_ID_AES;
default:
OPENVPN_THROW(mbedtls_gcm_error, CryptoAlgs::name(alg) << ": not usable");
}
}
void erase()
{
if (initialized)
{
mbedtls_gcm_free(&ctx);
initialized = false;
}
}
void check_initialized() const
{
if (unlikely(!initialized))
throw mbedtls_gcm_error("uninitialized");
}
bool initialized;
mbedtls_gcm_context ctx;
};
}
}
#endif
Sources/OpenVPN3/openvpn/mbedtls/crypto/digest.hpp
+157
View File
@@ -0,0 +1,157 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap the mbed TLS digest API defined in <mbedtls/md.h>
// so that it can be used as part of the crypto layer of the OpenVPN core.
#ifndef OPENVPN_MBEDTLS_CRYPTO_DIGEST_H
#define OPENVPN_MBEDTLS_CRYPTO_DIGEST_H
#include <string>
#include <mbedtls/md.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/crypto/cryptoalgs.hpp>
namespace openvpn {
namespace MbedTLSCrypto {
class HMACContext;
class DigestContext
{
DigestContext(const DigestContext&) = delete;
DigestContext& operator=(const DigestContext&) = delete;
public:
friend class HMACContext;
OPENVPN_SIMPLE_EXCEPTION(mbedtls_digest_uninitialized);
OPENVPN_SIMPLE_EXCEPTION(mbedtls_digest_final_overflow);
OPENVPN_EXCEPTION(mbedtls_digest_error);
enum {
MAX_DIGEST_SIZE = MBEDTLS_MD_MAX_SIZE
};
DigestContext()
: initialized(false)
{
}
DigestContext(const CryptoAlgs::Type alg)
: initialized(false)
{
init(alg);
}
~DigestContext() { erase() ; }
void init(const CryptoAlgs::Type alg)
{
erase();
ctx.md_ctx = nullptr;
mbedtls_md_init(&ctx);
if ( mbedtls_md_setup(&ctx, digest_type(alg), 1) < 0)
throw mbedtls_digest_error("mbedtls_md_setup");
if (mbedtls_md_starts(&ctx) < 0)
throw mbedtls_digest_error("mbedtls_md_starts");
initialized = true;
}
void update(const unsigned char *in, const size_t size)
{
check_initialized();
if (mbedtls_md_update(&ctx, in, size) < 0)
throw mbedtls_digest_error("mbedtls_md_update");
}
size_t final(unsigned char *out)
{
check_initialized();
if (mbedtls_md_finish(&ctx, out) < 0)
throw mbedtls_digest_error("mbedtls_md_finish");
return size_();
}
size_t size() const
{
check_initialized();
return size_();
}
bool is_initialized() const { return initialized; }
private:
static const mbedtls_md_info_t *digest_type(const CryptoAlgs::Type alg)
{
switch (alg)
{
case CryptoAlgs::MD4:
return mbedtls_md_info_from_type(MBEDTLS_MD_MD4);
case CryptoAlgs::MD5:
return mbedtls_md_info_from_type(MBEDTLS_MD_MD5);
case CryptoAlgs::SHA1:
return mbedtls_md_info_from_type(MBEDTLS_MD_SHA1);
case CryptoAlgs::SHA224:
return mbedtls_md_info_from_type(MBEDTLS_MD_SHA224);
case CryptoAlgs::SHA256:
return mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
case CryptoAlgs::SHA384:
return mbedtls_md_info_from_type(MBEDTLS_MD_SHA384);
case CryptoAlgs::SHA512:
return mbedtls_md_info_from_type(MBEDTLS_MD_SHA512);
default:
OPENVPN_THROW(mbedtls_digest_error, CryptoAlgs::name(alg) << ": not usable");
}
}
void erase()
{
if (initialized)
{
mbedtls_md_free(&ctx);
initialized = false;
}
}
size_t size_() const
{
return mbedtls_md_get_size(ctx.md_info);
}
void check_initialized() const
{
#ifdef OPENVPN_ENABLE_ASSERT
if (!initialized)
throw mbedtls_digest_uninitialized();
#endif
}
bool initialized;
mbedtls_md_context_t ctx;
};
}
}
#endif
Sources/OpenVPN3/openvpn/mbedtls/crypto/hmac.hpp
+134
View File
@@ -0,0 +1,134 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap the mbed TLS HMAC API defined in <mbedtls/md.h> so
// that it can be used as part of the crypto layer of the OpenVPN core.
#ifndef OPENVPN_MBEDTLS_CRYPTO_HMAC_H
#define OPENVPN_MBEDTLS_CRYPTO_HMAC_H
#include <string>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/mbedtls/crypto/digest.hpp>
namespace openvpn {
namespace MbedTLSCrypto {
class HMACContext
{
HMACContext(const HMACContext&) = delete;
HMACContext& operator=(const HMACContext&) = delete;
public:
OPENVPN_SIMPLE_EXCEPTION(mbedtls_hmac_uninitialized);
OPENVPN_EXCEPTION(mbedtls_hmac_error);
enum {
MAX_HMAC_SIZE = MBEDTLS_MD_MAX_SIZE
};
HMACContext()
: initialized(false)
{
}
HMACContext(const CryptoAlgs::Type digest, const unsigned char *key, const size_t key_size)
: initialized(false)
{
init(digest, key, key_size);
}
~HMACContext() { erase() ; }
void init(const CryptoAlgs::Type digest, const unsigned char *key, const size_t key_size)
{
erase();
ctx.md_ctx = nullptr;
mbedtls_md_init(&ctx);
if (mbedtls_md_setup(&ctx, DigestContext::digest_type(digest), 1) < 0)
throw mbedtls_hmac_error("mbedtls_md_setup");
if (mbedtls_md_hmac_starts(&ctx, key, key_size) < 0)
throw mbedtls_hmac_error("mbedtls_md_hmac_starts");
initialized = true;
}
void reset()
{
check_initialized();
if (mbedtls_md_hmac_reset(&ctx) < 0)
throw mbedtls_hmac_error("mbedtls_md_hmac_reset");
}
void update(const unsigned char *in, const size_t size)
{
check_initialized();
if (mbedtls_md_hmac_update(&ctx, in, size) < 0)
throw mbedtls_hmac_error("mbedtls_md_hmac_update");
}
size_t final(unsigned char *out)
{
check_initialized();
if (mbedtls_md_hmac_finish(&ctx, out) < 0)
throw mbedtls_hmac_error("mbedtls_md_hmac_finish");
return size_();
}
size_t size() const
{
check_initialized();
return size_();
}
bool is_initialized() const { return initialized; }
private:
void erase()
{
if (initialized)
{
mbedtls_md_free(&ctx);
initialized = false;
}
}
size_t size_() const
{
return mbedtls_md_get_size(ctx.md_info);
}
void check_initialized() const
{
#ifdef OPENVPN_ENABLE_ASSERT
if (!initialized)
throw mbedtls_hmac_uninitialized();
#endif
}
bool initialized;
mbedtls_md_context_t ctx;
};
}
}
#endif