github/OpenVPNAdapter
4
0
Fork 0
mirror of https://github.com/deneraraujo/OpenVPNAdapter.git synced 2026-04-24 00:00:05 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge commit '86cc97e55fe346502462284d2e636a2b3708163e' as 'Sources/OpenVPN3'

Browse Source
This commit is contained in:
Sergey Abramchuk
2020-02-24 14:43:11 +03:00
parent 133b3756e6 86cc97e55f
commit 32f1555929
655 changed files with 146468 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Sources/OpenVPN3/openvpn/openssl/bio/bio_memq_dgram.hpp
+262
View File
@@ -0,0 +1,262 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// This code implements an OpenSSL BIO object for datagrams based on the
// MemQ buffer queue object.
#ifndef OPENVPN_OPENSSL_BIO_BIO_MEMQ_DGRAM_H
#define OPENVPN_OPENSSL_BIO_BIO_MEMQ_DGRAM_H
#include <cstring> // for std::strlen
#include <openssl/err.h>
#include <openssl/bio.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/frame/frame.hpp>
#include <openvpn/frame/memq_dgram.hpp>
namespace openvpn {
namespace bmq_dgram {
class MemQ : public MemQDgram {
public:
MemQ()
{
mtu = 0;
query_mtu_return = 0;
std::memset(&next_timeout, 0, sizeof(next_timeout));
}
void set_mtu(long mtu) { query_mtu_return = mtu; }
const struct timeval *get_next_timeout(void) const { return &next_timeout; }
long ctrl (BIO *b, int cmd, long num, void *ptr)
{
long ret = 1;
switch (cmd)
{
case BIO_CTRL_RESET:
clear();
break;
case BIO_CTRL_EOF:
ret = (long)empty();
break;
case BIO_C_SET_BUF_MEM_EOF_RETURN:
return_eof_on_empty = (num == 0);
break;
case BIO_CTRL_GET_CLOSE:
ret = (long)(BIO_get_shutdown (b));
break;
case BIO_CTRL_SET_CLOSE:
BIO_set_shutdown (b, (int)num);
break;
case BIO_CTRL_WPENDING:
ret = 0L;
break;
case BIO_CTRL_PENDING:
ret = (long)pending();
break;
case BIO_CTRL_DUP:
case BIO_CTRL_FLUSH:
ret = 1;
break;
case BIO_CTRL_DGRAM_QUERY_MTU:
ret = mtu = query_mtu_return;
break;
case BIO_CTRL_DGRAM_GET_MTU:
ret = mtu;
break;
case BIO_CTRL_DGRAM_SET_MTU:
ret = mtu = num;
break;
case BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT:
std::memcpy(&next_timeout, ptr, sizeof(struct timeval));
break;
default:
//OPENVPN_LOG("*** MemQ-dgram unimplemented ctrl method=" << cmd);
ret = 0;
break;
}
return (ret);
}
private:
long mtu;
long query_mtu_return;
bool return_eof_on_empty;
struct timeval next_timeout;
};
namespace bio_memq_internal {
static int memq_method_type=0;
static BIO_METHOD* memq_method = nullptr;
inline int memq_new (BIO *b)
{
MemQ *bmq = new(std::nothrow) MemQ();
if (!bmq)
return 0;
BIO_set_shutdown(b, 1);
BIO_set_init(b, 1);
b->return_eof_on_empty = false;
BIO_set_data(b, (void *)bmq);
return 1;
}
inline int memq_free (BIO *b)
{
if (b == nullptr)
return (0);
if (BIO_get_shutdown (b))
{
MemQ *bmq = (MemQ*) (BIO_get_data (b));
if (BIO_get_init (b) && (bmq != nullptr))
{
delete bmq;
BIO_set_data (b, nullptr);
}
}
return 1;
}
inline int memq_write (BIO *b, const char *in, int len)
{
MemQ *bmq = (MemQ*) (BIO_get_data (b));
if (in)
{
BIO_clear_retry_flags (b);
try {
if (len)
bmq->write((const unsigned char *)in, (size_t)len);
return len;
}
catch (...)
{
BIOerr(BIO_F_MEM_WRITE, BIO_R_INVALID_ARGUMENT);
return -1;
}
}
else
{
BIOerr(BIO_F_MEM_WRITE, BIO_R_NULL_PARAMETER);
return -1;
}
}
inline int memq_read (BIO *b, char *out, int size)
{
MemQ *bmq = (MemQ*) (BIO_get_data (b));
int ret = -1;
BIO_clear_retry_flags (b);
if (!bmq->empty())
{
try {
ret = (int)bmq->read((unsigned char *)out, (size_t)size);
}
catch (...)
{
BIOerr(BIO_F_MEM_READ, BIO_R_INVALID_ARGUMENT);
return -1;
}
}
else
{
ret = b->num;
if (ret != 0)
BIO_set_retry_read (b);
}
return ret;
}
inline long memq_ctrl (BIO *b, int cmd, long arg1, void *arg2)
{
MemQ *bmq = (MemQ*) (BIO_get_data (b));
return bmq->ctrl(b, cmd, arg1, arg2);
}
inline int memq_puts (BIO *b, const char *str)
{
const int len = std::strlen (str);
const int ret = memq_write (b, str, len);
return ret;
}
inline void create_bio_method ()
{
if (!memq_method_type)
memq_method_type = BIO_get_new_index ();
memq_method = BIO_meth_new (memq_method_type, "datagram memory queue");
BIO_meth_set_write (memq_method, memq_write);
BIO_meth_set_read (memq_read);
BIO_meth_set_puts (memq_puts);
BIO_meth_set_create (memq_new);
BIO_meth_set_destroy (memq_destroy);
BIO_meth_set_gets (nullptr);
BIO_meth_set_ctrl (memq_method, memq_ctrl);
}
inline void free_bio_method()
{
BIO_meth_free (memq_method);
}
} // namespace bio_memq_internal
inline BIO_METHOD *BIO_s_memq(void)
{
// TODO: call free in some cleanup
bio_memq_internal::create_bio_method ();
return bio_memq_internal::memq_method;
}
inline MemQ *memq_from_bio(BIO *b)
{
if (BIO_method_type (b) == bio_memq_internal::memq_method_type)
return (MemQ *)(BIO_get_data (b));
else
return nullptr;
}
inline const MemQ *const_memq_from_bio(const BIO *b)
{
if (BIO_method_type (b) == bio_memq_internal::memq_method_type)
return (const MemQ *)(BIO_get_data (const_cast<BIO*>(b)));
else
return nullptr;
}
MemQ()
{
mtu = 0;
query_mtu_return = 0;
std::memset(&next_timeout, 0, sizeof(next_timeout));
bio_memq_internal::create_bio_method ();
}
~MemQ() { bio_memq_internal::free_bio_method(); }
} // namespace bmq_dgram
} // namespace openvpn
#endif // OPENVPN_OPENSSL_BIO_BIO_MEMQ_DGRAM_H
Sources/OpenVPN3/openvpn/openssl/bio/bio_memq_stream.hpp
+233
View File
@@ -0,0 +1,233 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// This code implements an OpenSSL BIO object for streams based on the
// MemQ buffer queue object.
#pragma once
#include <cstring> // for std::strlen and others
#include <openssl/err.h>
#include <openssl/bio.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/frame/frame.hpp>
#include <openvpn/frame/memq_stream.hpp>
#include <openvpn/openssl/compat.hpp>
namespace openvpn {
namespace bmq_stream {
class MemQ : public MemQStream {
public:
MemQ() {}
long ctrl (BIO *b, int cmd, long num, void *ptr)
{
long ret = 1;
switch (cmd)
{
case BIO_CTRL_RESET:
clear();
break;
case BIO_CTRL_EOF:
ret = (long)empty();
break;
case BIO_C_SET_BUF_MEM_EOF_RETURN:
return_eof_on_empty = (num == 0);
break;
case BIO_CTRL_GET_CLOSE:
ret = BIO_get_shutdown(b);
break;
case BIO_CTRL_SET_CLOSE:
BIO_set_shutdown(b, (int) num);
break;
case BIO_CTRL_WPENDING:
ret = 0L;
break;
case BIO_CTRL_PENDING:
ret = (long)pending();
break;
case BIO_CTRL_DUP:
case BIO_CTRL_FLUSH:
ret = 1;
break;
default:
//OPENVPN_LOG("*** MemQ-stream unimplemented ctrl method=" << cmd);
ret = 0;
break;
}
return (ret);
}
bool return_eof_on_empty = false;
};
class bio_memq_internal {
public:
static int memq_method_type;
static BIO_METHOD* memq_method;
static inline int memq_new (BIO *b)
{
MemQ *bmq = new(std::nothrow) MemQ();
if (!bmq)
return 0;
BIO_set_shutdown(b, 1);
BIO_set_init(b, 1);
BIO_set_data(b, (void *)bmq);
return 1;
}
static inline int memq_free (BIO *b)
{
if (b == nullptr)
return (0);
if (BIO_get_shutdown (b))
{
MemQ *bmq = (MemQ*) (BIO_get_data (b));
if (BIO_get_init (b) && (bmq != nullptr))
{
delete bmq;
BIO_set_data (b, nullptr);
}
}
return 1;
}
static inline int memq_write (BIO *b, const char *in, int len)
{
MemQ *bmq = (MemQ*)(BIO_get_data(b));
if (in)
{
BIO_clear_retry_flags (b);
try {
if (len)
bmq->write((const unsigned char *)in, (size_t)len);
return len;
}
catch (...)
{
BIOerr(BIO_F_MEM_WRITE, BIO_R_INVALID_ARGUMENT);
return -1;
}
}
else
{
BIOerr(BIO_F_MEM_WRITE, BIO_R_NULL_PARAMETER);
return -1;
}
}
static inline int memq_read (BIO *b, char *out, int size)
{
MemQ *bmq = (MemQ*)(BIO_get_data(b));
int ret = -1;
BIO_clear_retry_flags (b);
if (!bmq->empty())
{
try {
ret = (int)bmq->read((unsigned char *)out, (size_t)size);
}
catch (...)
{
BIOerr(memq_method_type, BIO_R_INVALID_ARGUMENT);
return -1;
}
}
else
{
if (!bmq->return_eof_on_empty)
BIO_set_retry_read (b);
}
return ret;
}
static inline long memq_ctrl (BIO *b, int cmd, long arg1, void *arg2)
{
MemQ *bmq = (MemQ*)(BIO_get_data(b));
return bmq->ctrl(b, cmd, arg1, arg2);
}
static inline int memq_puts (BIO *b, const char *str)
{
const int len = std::strlen (str);
const int ret = memq_write (b, str, len);
return ret;
}
static inline void init_static ()
{
memq_method_type = BIO_get_new_index ();
memq_method = BIO_meth_new (memq_method_type, "stream memory queue");
BIO_meth_set_write (memq_method, memq_write);
BIO_meth_set_read (memq_method, memq_read);
BIO_meth_set_puts (memq_method, memq_puts);
BIO_meth_set_create (memq_method, memq_new);
BIO_meth_set_destroy (memq_method, memq_free);
BIO_meth_set_gets (memq_method, nullptr);
BIO_meth_set_ctrl (memq_method, memq_ctrl);
}
static inline void free_bio_method()
{
BIO_meth_free (memq_method);
memq_method = nullptr;
}
}; // class bio_memq_internal
#if defined(OPENVPN_NO_EXTERN)
int bio_memq_internal::memq_method_type = -1;
BIO_METHOD* bio_memq_internal::memq_method = nullptr;
#endif
inline void init_static()
{
bio_memq_internal::init_static();
}
inline BIO_METHOD *BIO_s_memq(void)
{
return (bio_memq_internal::memq_method);
}
inline MemQ *memq_from_bio(BIO *b)
{
if (BIO_method_type(b) == bio_memq_internal::memq_method_type)
return (MemQ *)(BIO_get_data (b));
else
return nullptr;
}
inline const MemQ *const_memq_from_bio(const BIO *b)
{
if (BIO_method_type(b) == bio_memq_internal::memq_method_type)
return (const MemQ *)(BIO_get_data (const_cast<BIO*>(b)));
else
return nullptr;
}
} // namespace bmq_dgram
} // namespace openvpn
Sources/OpenVPN3/openvpn/openssl/compat.hpp
+349
View File
@@ -0,0 +1,349 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2019 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
#pragma once
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#include <openssl/bio.h>
#include <openssl/crypto.h>
#include <openssl/rsa.h>
#include <openssl/dsa.h>
#include <openssl/hmac.h>
// make sure type 94 doesn't collide with anything in bio.h
// Start with the same number as before
static int lastindex = 94;
inline int BIO_get_new_index(void)
{
int newval = lastindex | BIO_TYPE_SOURCE_SINK;
lastindex++;
return newval;
}
inline BIO_METHOD *BIO_meth_new(int type, const char *name)
{
BIO_METHOD *biom = new BIO_METHOD();
if ((biom->name = OPENSSL_strdup(name)) == nullptr)
{
delete biom;
BIOerr(BIO_F_BIO_NEW, ERR_R_MALLOC_FAILURE);
return nullptr;
}
biom->type = type;
return biom;
}
inline void BIO_meth_free(BIO_METHOD *biom)
{
if (biom != nullptr)
{
OPENSSL_free((void *)biom->name);
delete biom;
}
}
inline RSA_METHOD *RSA_meth_new(const char *name, int flags)
{
RSA_METHOD *meth = new RSA_METHOD();
meth->flags = flags;
meth->name = name;
return meth;
}
inline void RSA_meth_free(RSA_METHOD *meth)
{
delete meth;
}
inline HMAC_CTX *HMAC_CTX_new()
{
HMAC_CTX *ctx = new HMAC_CTX();
HMAC_CTX_init(ctx);
return ctx;
}
inline void HMAC_CTX_free(HMAC_CTX *ctx)
{
HMAC_CTX_cleanup(ctx);
delete ctx;
}
inline EVP_MD_CTX *EVP_MD_CTX_new()
{
return new EVP_MD_CTX();
}
inline void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
{
delete ctx;
}
inline void BIO_set_shutdown(BIO *a, int shut)
{
a->shutdown = shut;
}
inline int BIO_get_shutdown(BIO *a)
{
return a->shutdown;
}
inline void BIO_set_data(BIO *a, void *ptr)
{
a->ptr = ptr;
}
inline void *BIO_get_data(BIO *a)
{
return a->ptr;
}
inline void BIO_set_init(BIO *a, int init)
{
a->init = init;
}
inline int BIO_get_init(BIO *a)
{
return a->init;
}
inline int BIO_meth_set_write(BIO_METHOD *biom,
int (*bwrite)(BIO *, const char *, int))
{
biom->bwrite = bwrite;
return 1;
}
inline int BIO_meth_set_read(BIO_METHOD *biom,
int (*bread)(BIO *, char *, int))
{
biom->bread = bread;
return 1;
}
inline int BIO_meth_set_puts(BIO_METHOD *biom,
int (*bputs)(BIO *, const char *))
{
biom->bputs = bputs;
return 1;
}
inline int BIO_meth_set_gets(BIO_METHOD *biom,
int (*bgets)(BIO *, char *, int))
{
biom->bgets = bgets;
return 1;
}
inline int BIO_meth_set_ctrl(BIO_METHOD *biom,
long (*ctrl)(BIO *, int, long, void *))
{
biom->ctrl = ctrl;
return 1;
}
inline int BIO_meth_set_create(BIO_METHOD *biom, int (*create)(BIO *))
{
biom->create = create;
return 1;
}
inline int BIO_meth_set_destroy(BIO_METHOD *biom, int (*destroy)(BIO *))
{
biom->destroy = destroy;
return 1;
}
inline RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
{
return pkey->pkey.rsa;
}
inline int RSA_meth_set_pub_enc(RSA_METHOD *meth,
int (*pub_enc)(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa,
int padding))
{
meth->rsa_pub_enc = pub_enc;
return 1;
}
inline int RSA_meth_set_pub_dec(RSA_METHOD *meth,
int (*pub_dec)(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa,
int padding))
{
meth->rsa_pub_dec = pub_dec;
return 1;
}
inline int RSA_meth_set_priv_enc(RSA_METHOD *meth,
int (*priv_enc)(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa,
int padding))
{
meth->rsa_priv_enc = priv_enc;
return 1;
}
inline int RSA_meth_set_priv_dec(RSA_METHOD *meth,
int (*priv_dec)(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa,
int padding))
{
meth->rsa_priv_dec = priv_dec;
return 1;
}
inline int RSA_meth_set_init(RSA_METHOD *meth, int (*init)(RSA *rsa))
{
meth->init = init;
return 1;
}
inline int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa))
{
meth->finish = finish;
return 1;
}
inline int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data)
{
meth->app_data = (char *) app_data;
return 1;
}
inline void *RSA_meth_get0_app_data(const RSA_METHOD *meth)
{
return (void *) meth->app_data;
}
inline DSA *EVP_PKEY_get0_DSA(EVP_PKEY *pkey)
{
return pkey->pkey.dsa;
}
inline void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
{
if (p != nullptr)
*p = d->p;
if (q != nullptr)
*q = d->q;
if (g != nullptr)
*g = d->g;
}
inline void RSA_set_flags(RSA *r, int flags)
{
r->flags |= flags;
}
inline int RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d)
{
if ((rsa->n == nullptr && n == nullptr)
|| (rsa->e == nullptr && e == nullptr))
return 0;
if (n != nullptr)
{
BN_free(rsa->n);
rsa->n = n;
}
if (e != nullptr)
{
BN_free(rsa->e);
rsa->e = e;
}
if (d != nullptr)
{
BN_free(rsa->d);
rsa->d = d;
}
return 1;
}
inline void RSA_get0_key(const RSA *rsa, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
{
if (n != nullptr)
*n = rsa->n;
if (e != nullptr)
*e = rsa->e;
if (d != nullptr)
*d = rsa->d;
}
/* Renamed in OpenSSL 1.1 */
#define X509_get0_pubkey X509_get_pubkey
#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT
/*
* EVP_CIPHER_CTX_init and EVP_CIPHER_CTX_cleanup are both replaced by
* EVP_CIPHER_CTX_reset in OpenSSL 1.1 but replacing them both with
* reset is wrong for older version. The man page mention cleanup
* being officially removed and init to be an alias for reset.
*
* So we only use reset as alias for init in older versions.
*
* EVP_CIPHER_CTX_free already implicitly calls EVP_CIPHER_CTX_cleanup in
* 1.0.2, so we can avoid using the old API.
*/
#define EVP_CIPHER_CTX_reset EVP_CIPHER_CTX_init
#endif
#if OPENSSL_VERSION_NUMBER < 0x10101000L
#include <openssl/rsa.h>
#include <openssl/dsa.h>
inline const BIGNUM *RSA_get0_n(const RSA *r)
{
const BIGNUM *n;
RSA_get0_key(r, &n, nullptr, nullptr);
return n;
}
inline const BIGNUM *RSA_get0_e(const RSA *r)
{
const BIGNUM *e;
RSA_get0_key(r, nullptr, &e, nullptr);
return e;
}
inline const BIGNUM *DSA_get0_p(const DSA *d)
{
const BIGNUM *p;
DSA_get0_pqg(d, &p, nullptr, nullptr);
return p;
}
#endif
Sources/OpenVPN3/openvpn/openssl/crypto/api.hpp
+46
View File
@@ -0,0 +1,46 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
#ifndef OPENVPN_OPENSSL_CRYPTO_API_H
#define OPENVPN_OPENSSL_CRYPTO_API_H
#include <openvpn/openssl/crypto/cipher.hpp>
#include <openvpn/openssl/crypto/ciphergcm.hpp>
#include <openvpn/openssl/crypto/digest.hpp>
#include <openvpn/openssl/crypto/hmac.hpp>
namespace openvpn {
// type container for OpenSSL Crypto-level API
struct OpenSSLCryptoAPI {
// cipher
typedef OpenSSLCrypto::CipherContext CipherContext;
typedef OpenSSLCrypto::CipherContextGCM CipherContextGCM;
// digest
typedef OpenSSLCrypto::DigestContext DigestContext;
// HMAC
typedef OpenSSLCrypto::HMACContext HMACContext;
};
}
#endif
Sources/OpenVPN3/openvpn/openssl/crypto/cipher.hpp
+200
View File
@@ -0,0 +1,200 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap the OpenSSL cipher API defined in <openssl/evp.h> so
// that it can be used as part of the crypto layer of the OpenVPN core.
#ifndef OPENVPN_OPENSSL_CRYPTO_CIPHER_H
#define OPENVPN_OPENSSL_CRYPTO_CIPHER_H
#include <string>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/crypto/static_key.hpp>
#include <openvpn/crypto/cryptoalgs.hpp>
#include <openvpn/openssl/util/error.hpp>
#include <openvpn/openssl/compat.hpp>
namespace openvpn {
namespace OpenSSLCrypto {
class CipherContext
{
CipherContext(const CipherContext&) = delete;
CipherContext& operator=(const CipherContext&) = delete;
public:
OPENVPN_SIMPLE_EXCEPTION(openssl_cipher_mode_error);
OPENVPN_SIMPLE_EXCEPTION(openssl_cipher_uninitialized);
OPENVPN_EXCEPTION(openssl_cipher_error);
// mode parameter for constructor
enum {
MODE_UNDEF = -1,
ENCRYPT = 1,
DECRYPT = 0
};
// OpenSSL cipher constants
enum {
MAX_IV_LENGTH = EVP_MAX_IV_LENGTH,
CIPH_CBC_MODE = EVP_CIPH_CBC_MODE
};
CipherContext()
: initialized(false)
{
}
~CipherContext() { erase() ; }
void init(const CryptoAlgs::Type alg, const unsigned char *key, const int mode)
{
// check that mode is valid
if (!(mode == ENCRYPT || mode == DECRYPT))
throw openssl_cipher_mode_error();
erase();
ctx = EVP_CIPHER_CTX_new ();
EVP_CIPHER_CTX_reset (ctx);
if (!EVP_CipherInit_ex (ctx, cipher_type(alg), nullptr, key, nullptr, mode))
{
openssl_clear_error_stack();
throw openssl_cipher_error("EVP_CipherInit_ex (init)");
}
initialized = true;
}
void reset(const unsigned char *iv)
{
check_initialized();
if (!EVP_CipherInit_ex (ctx, nullptr, nullptr, nullptr, iv, -1))
{
openssl_clear_error_stack();
throw openssl_cipher_error("EVP_CipherInit_ex (reset)");
}
}
bool update(unsigned char *out, const size_t max_out_size,
const unsigned char *in, const size_t in_size,
size_t& out_acc)
{
check_initialized();
int outlen;
if (EVP_CipherUpdate (ctx, out, &outlen, in, int(in_size)))
{
out_acc += outlen;
return true;
}
else
{
openssl_clear_error_stack();
return false;
}
}
bool final(unsigned char *out, const size_t max_out_size, size_t& out_acc)
{
check_initialized();
int outlen;
if (EVP_CipherFinal_ex (ctx, out, &outlen))
{
out_acc += outlen;
return true;
}
else
{
openssl_clear_error_stack();
return false;
}
}
bool is_initialized() const { return initialized; }
size_t iv_length() const
{
check_initialized();
return EVP_CIPHER_CTX_iv_length (ctx);
}
size_t block_size() const
{
check_initialized();
return EVP_CIPHER_CTX_block_size (ctx);
}
// return cipher mode (such as CIPH_CBC_MODE, etc.)
int cipher_mode() const
{
check_initialized();
return EVP_CIPHER_CTX_mode (ctx);
}
private:
static const EVP_CIPHER *cipher_type(const CryptoAlgs::Type alg)
{
switch (alg)
{
case CryptoAlgs::AES_128_CBC:
return EVP_aes_128_cbc();
case CryptoAlgs::AES_192_CBC:
return EVP_aes_192_cbc();
case CryptoAlgs::AES_256_CBC:
return EVP_aes_256_cbc();
case CryptoAlgs::AES_256_CTR:
return EVP_aes_256_ctr();
case CryptoAlgs::DES_CBC:
return EVP_des_cbc();
case CryptoAlgs::DES_EDE3_CBC:
return EVP_des_ede3_cbc();
case CryptoAlgs::BF_CBC:
return EVP_bf_cbc();
default:
OPENVPN_THROW(openssl_cipher_error, CryptoAlgs::name(alg) << ": not usable");
}
}
void erase()
{
if (initialized)
{
EVP_CIPHER_CTX_free (ctx);
initialized = false;
}
}
void check_initialized() const
{
#ifdef OPENVPN_ENABLE_ASSERT
if (!initialized)
throw openssl_cipher_uninitialized();
#endif
}
bool initialized;
EVP_CIPHER_CTX* ctx;
};
}
}
#endif
Sources/OpenVPN3/openvpn/openssl/crypto/ciphergcm.hpp
+245
View File
@@ -0,0 +1,245 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap the OpenSSL GCM API.
#ifndef OPENVPN_OPENSSL_CRYPTO_CIPHERGCM_H
#define OPENVPN_OPENSSL_CRYPTO_CIPHERGCM_H
#include <string>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/common/likely.hpp>
#include <openvpn/crypto/static_key.hpp>
#include <openvpn/crypto/cryptoalgs.hpp>
#include <openvpn/openssl/util/error.hpp>
namespace openvpn {
namespace OpenSSLCrypto {
class CipherContextGCM
{
CipherContextGCM(const CipherContextGCM&) = delete;
CipherContextGCM& operator=(const CipherContextGCM&) = delete;
public:
OPENVPN_EXCEPTION(openssl_gcm_error);
// mode parameter for constructor
enum {
MODE_UNDEF = -1,
ENCRYPT = 1,
DECRYPT = 0
};
// OpenSSL cipher constants
enum {
IV_LEN = 12,
AUTH_TAG_LEN = 16,
SUPPORTS_IN_PLACE_ENCRYPT = 0,
};
CipherContextGCM()
: initialized(false)
{
}
~CipherContextGCM() { erase() ; }
void init(const CryptoAlgs::Type alg,
const unsigned char *key,
const unsigned int keysize,
const int mode)
{
erase();
unsigned int ckeysz = 0;
const EVP_CIPHER *ciph = cipher_type(alg, ckeysz);
if (ckeysz > keysize)
throw openssl_gcm_error("insufficient key material");
ctx = EVP_CIPHER_CTX_new();
EVP_CIPHER_CTX_reset(ctx);
switch (mode)
{
case ENCRYPT:
if (!EVP_EncryptInit_ex(ctx, ciph, nullptr, key, nullptr))
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_EncryptInit_ex (init)");
}
break;
case DECRYPT:
if (!EVP_DecryptInit_ex(ctx, ciph, nullptr, key, nullptr))
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_DecryptInit_ex (init)");
}
break;
default:
throw openssl_gcm_error("bad mode");
}
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, IV_LEN, nullptr) != 1)
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_CIPHER_CTX_ctrl set IV len");
}
initialized = true;
}
void encrypt(const unsigned char *input,
unsigned char *output,
size_t length,
const unsigned char *iv,
unsigned char *tag,
const unsigned char *ad,
size_t ad_len)
{
int len;
int ciphertext_len;
check_initialized();
if (!EVP_EncryptInit_ex(ctx, nullptr, nullptr, nullptr, iv))
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_EncryptInit_ex (reset)");
}
if (!EVP_EncryptUpdate(ctx, nullptr, &len, ad, int(ad_len)))
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_EncryptUpdate AD");
}
if (!EVP_EncryptUpdate(ctx, output, &len, input, int(length)))
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_EncryptUpdate data");
}
ciphertext_len = len;
if (!EVP_EncryptFinal_ex(ctx, output+len, &len))
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_EncryptFinal_ex");
}
ciphertext_len += len;
if (ciphertext_len != length)
{
throw openssl_gcm_error("encrypt size inconsistency");
}
if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, AUTH_TAG_LEN, tag))
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_CIPHER_CTX_ctrl get tag");
}
}
bool decrypt(const unsigned char *input,
unsigned char *output,
size_t length,
const unsigned char *iv,
unsigned char *tag,
const unsigned char *ad,
size_t ad_len)
{
int len;
int plaintext_len;
check_initialized();
if (!EVP_DecryptInit_ex(ctx, nullptr, nullptr, nullptr, iv))
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_DecryptInit_ex (reset)");
}
if (!EVP_DecryptUpdate(ctx, nullptr, &len, ad, int(ad_len)))
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_DecryptUpdate AD");
}
if (!EVP_DecryptUpdate(ctx, output, &len, input, int(length)))
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_DecryptUpdate data");
}
plaintext_len = len;
if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, AUTH_TAG_LEN, tag))
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_CIPHER_CTX_ctrl set tag");
}
if (!EVP_DecryptFinal_ex(ctx, output+len, &len))
{
openssl_clear_error_stack();
return false;
}
plaintext_len += len;
if (plaintext_len != length)
{
throw openssl_gcm_error("decrypt size inconsistency");
}
return true;
}
bool is_initialized() const { return initialized; }
private:
static const EVP_CIPHER *cipher_type(const CryptoAlgs::Type alg,
unsigned int& keysize)
{
switch (alg)
{
case CryptoAlgs::AES_128_GCM:
keysize = 16;
return EVP_aes_128_gcm();
case CryptoAlgs::AES_192_GCM:
keysize = 24;
return EVP_aes_192_gcm();
case CryptoAlgs::AES_256_GCM:
keysize = 32;
return EVP_aes_256_gcm();
default:
OPENVPN_THROW(openssl_gcm_error, CryptoAlgs::name(alg) << ": not usable");
}
}
void erase()
{
if (initialized)
{
EVP_CIPHER_CTX_free(ctx);
initialized = false;
}
}
void check_initialized() const
{
#ifdef OPENVPN_ENABLE_ASSERT
if (unlikely(!initialized))
throw openssl_gcm_error("uninitialized");
#endif
}
bool initialized;
EVP_CIPHER_CTX *ctx;
};
}
}
#endif
Sources/OpenVPN3/openvpn/openssl/crypto/digest.hpp
+168
View File
@@ -0,0 +1,168 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap the OpenSSL digest API defined in <openssl/evp.h>
// so that it can be used as part of the crypto layer of the OpenVPN core.
#ifndef OPENVPN_OPENSSL_CRYPTO_DIGEST_H
#define OPENVPN_OPENSSL_CRYPTO_DIGEST_H
#include <string>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/md4.h>
#include <openssl/md5.h>
#include <openssl/sha.h>
#include <openssl/hmac.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/crypto/cryptoalgs.hpp>
#include <openvpn/openssl/util/error.hpp>
#include <openvpn/openssl/compat.hpp>
namespace openvpn {
namespace OpenSSLCrypto {
class HMACContext;
class DigestContext
{
DigestContext(const DigestContext&) = delete;
DigestContext& operator=(const DigestContext&) = delete;
public:
friend class HMACContext;
OPENVPN_SIMPLE_EXCEPTION(openssl_digest_uninitialized);
OPENVPN_EXCEPTION(openssl_digest_error);
enum {
MAX_DIGEST_SIZE = EVP_MAX_MD_SIZE
};
DigestContext()
: initialized(false)
{
}
DigestContext(const CryptoAlgs::Type alg)
: initialized(false)
{
init(alg);
}
~DigestContext() { erase() ; }
void init(const CryptoAlgs::Type alg)
{
erase();
ctx=EVP_MD_CTX_new ();
if (!EVP_DigestInit(ctx, digest_type(alg)))
{
openssl_clear_error_stack();
throw openssl_digest_error("EVP_DigestInit");
}
initialized = true;
}
void update(const unsigned char *in, const size_t size)
{
check_initialized();
if (!EVP_DigestUpdate(ctx, in, int(size)))
{
openssl_clear_error_stack();
throw openssl_digest_error("EVP_DigestUpdate");
}
}
size_t final(unsigned char *out)
{
check_initialized();
unsigned int outlen;
if (!EVP_DigestFinal(ctx, out, &outlen))
{
openssl_clear_error_stack();
throw openssl_digest_error("EVP_DigestFinal");
}
return outlen;
}
size_t size() const
{
check_initialized();
return EVP_MD_CTX_size(ctx);
}
bool is_initialized() const { return initialized; }
private:
static const EVP_MD *digest_type(const CryptoAlgs::Type alg)
{
switch (alg)
{
case CryptoAlgs::MD4:
return EVP_md4();
case CryptoAlgs::MD5:
return EVP_md5();
case CryptoAlgs::SHA1:
return EVP_sha1();
case CryptoAlgs::SHA224:
return EVP_sha224();
case CryptoAlgs::SHA256:
return EVP_sha256();
case CryptoAlgs::SHA384:
return EVP_sha384();
case CryptoAlgs::SHA512:
return EVP_sha512();
default:
OPENVPN_THROW(openssl_digest_error, CryptoAlgs::name(alg) << ": not usable");
}
}
void erase()
{
if (initialized)
{
#if OPENSSL_VERSION_NUMBER < 0x10100000L
EVP_MD_CTX_cleanup(ctx);
#endif
EVP_MD_CTX_free(ctx);
initialized = false;
}
}
void check_initialized() const
{
#ifdef OPENVPN_ENABLE_ASSERT
if (!initialized)
throw openssl_digest_uninitialized();
#endif
}
bool initialized;
EVP_MD_CTX *ctx;
};
}
}
#endif
Sources/OpenVPN3/openvpn/openssl/crypto/hmac.hpp
+148
View File
@@ -0,0 +1,148 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap the OpenSSL HMAC API defined in <openssl/hmac.h> so
// that it can be used as part of the crypto layer of the OpenVPN core.
#ifndef OPENVPN_OPENSSL_CRYPTO_HMAC_H
#define OPENVPN_OPENSSL_CRYPTO_HMAC_H
#include <string>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/openssl/crypto/digest.hpp>
#include <openvpn/openssl/compat.hpp>
namespace openvpn {
namespace OpenSSLCrypto {
class HMACContext
{
HMACContext(const HMACContext&) = delete;
HMACContext& operator=(const HMACContext&) = delete;
public:
OPENVPN_SIMPLE_EXCEPTION(openssl_hmac_uninitialized);
OPENVPN_EXCEPTION(openssl_hmac_error);
enum {
MAX_HMAC_SIZE = EVP_MAX_MD_SIZE
};
HMACContext()
: initialized(false)
{
}
HMACContext(const CryptoAlgs::Type digest, const unsigned char *key, const size_t key_size)
: initialized(false)
{
init(digest, key, key_size);
}
~HMACContext() { erase() ; }
void init(const CryptoAlgs::Type digest, const unsigned char *key, const size_t key_size)
{
erase();
ctx = HMAC_CTX_new ();
if (!HMAC_Init_ex (ctx, key, int(key_size), DigestContext::digest_type(digest), nullptr))
{
openssl_clear_error_stack();
throw openssl_hmac_error("HMAC_Init_ex (init)");
}
initialized = true;
}
void reset()
{
check_initialized();
if (!HMAC_Init_ex (ctx, nullptr, 0, nullptr, nullptr))
{
openssl_clear_error_stack();
throw openssl_hmac_error("HMAC_Init_ex (reset)");
}
}
void update(const unsigned char *in, const size_t size)
{
check_initialized();
if (!HMAC_Update(ctx, in, int(size)))
{
openssl_clear_error_stack();
throw openssl_hmac_error("HMAC_Update");
}
}
size_t final(unsigned char *out)
{
check_initialized();
unsigned int outlen;
if (!HMAC_Final(ctx, out, &outlen))
{
openssl_clear_error_stack();
throw openssl_hmac_error("HMAC_Final");
}
return outlen;
}
size_t size() const
{
check_initialized();
return size_();
}
bool is_initialized() const { return initialized; }
private:
void erase()
{
if (initialized)
{
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#endif
HMAC_CTX_free(ctx);
initialized = false;
}
}
size_t size_() const
{
return HMAC_size(ctx);
}
void check_initialized() const
{
#ifdef OPENVPN_ENABLE_ASSERT
if (!initialized)
throw openssl_hmac_uninitialized();
#endif
}
bool initialized;
HMAC_CTX* ctx;
};
}
}
#endif
Sources/OpenVPN3/openvpn/openssl/pki/crl.hpp
+169
View File
@@ -0,0 +1,169 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap an OpenSSL X509_CRL object
#pragma once
#include <string>
#include <vector>
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/openssl/util/error.hpp>
namespace openvpn {
namespace OpenSSLPKI {
class CRL
{
public:
CRL()
: crl_(nullptr)
{
}
explicit CRL(const std::string& crl_txt)
: crl_(nullptr)
{
parse_pem(crl_txt);
}
CRL(const CRL& other)
: crl_(dup(other.crl_))
{
}
CRL(CRL&& other) noexcept
: crl_(other.crl_)
{
other.crl_ = nullptr;
}
CRL& operator=(const CRL& other)
{
if (this != &other)
{
erase();
crl_ = dup(other.crl_);
}
return *this;
}
CRL& operator=(CRL&& other) noexcept
{
if (this != &other)
{
erase();
crl_ = other.crl_;
other.crl_ = nullptr;
}
return *this;
}
bool defined() const { return crl_ != nullptr; }
::X509_CRL* obj() const { return crl_; }
void parse_pem(const std::string& crl_txt)
{
BIO *bio = ::BIO_new_mem_buf(const_cast<char *>(crl_txt.c_str()), crl_txt.length());
if (!bio)
throw OpenSSLException();
::X509_CRL *crl = ::PEM_read_bio_X509_CRL(bio, nullptr, nullptr, nullptr);
::BIO_free(bio);
if (!crl)
throw OpenSSLException("CRL::parse_pem");
erase();
crl_ = crl;
}
std::string render_pem() const
{
if (crl_)
{
BIO *bio = ::BIO_new(BIO_s_mem());
const int ret = ::PEM_write_bio_X509_CRL(bio, crl_);
if (ret == 0)
{
::BIO_free(bio);
throw OpenSSLException("CRL::render_pem");
}
{
char *temp;
const int buf_len = ::BIO_get_mem_data(bio, &temp);
std::string ret = std::string(temp, buf_len);
::BIO_free(bio);
return ret;
}
}
else
return "";
}
~CRL()
{
erase();
}
private:
void erase()
{
if (crl_)
::X509_CRL_free(crl_);
}
static X509_CRL *dup(const X509_CRL *crl)
{
if (crl)
return ::X509_CRL_dup(const_cast<X509_CRL *>(crl));
else
return nullptr;
}
::X509_CRL *crl_;
};
class CRLList : public std::vector<CRL>
{
public:
typedef X509 CRL;
bool defined() const
{
return !empty();
}
std::string render_pem() const
{
std::string ret;
for (const auto &e : *this)
ret += e.render_pem();
return ret;
}
};
}
}
Sources/OpenVPN3/openvpn/openssl/pki/dh.hpp
+163
View File
@@ -0,0 +1,163 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap an OpenSSL DH object
#pragma once
#include <string>
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/openssl/util/error.hpp>
// workaround for bug in DHparams_dup macro on OpenSSL 0.9.8 and lower
#if SSLEAY_VERSION_NUMBER <= 0x00908000L
#undef CHECKED_PTR_OF
#define CHECKED_PTR_OF(type, p) ((char*) (1 ? p : (type*)0))
#endif
namespace openvpn {
namespace OpenSSLPKI {
namespace DH_private {
// defined outside of DH class to avoid symbol collision in way
// that DHparams_dup macro is defined
inline ::DH *dup(const ::DH *dh)
{
if (dh)
return DHparams_dup(const_cast< ::DH * >(dh));
else
return nullptr;
}
}
class DH
{
public:
DH()
: dh_(nullptr)
{
}
explicit DH(const std::string& dh_txt)
: dh_(nullptr)
{
parse_pem(dh_txt);
}
DH(const DH& other)
{
dup(other.dh_);
}
DH(DH&& other) noexcept
: dh_(other.dh_)
{
other.dh_ = nullptr;
}
void operator=(const DH& other)
{
if (this != &other)
{
erase();
dup(other.dh_);
}
}
DH& operator=(DH&& other) noexcept
{
if (this != &other)
{
erase();
dh_ = other.dh_;
other.dh_ = nullptr;
}
return *this;
}
bool defined() const { return dh_ != nullptr; }
::DH* obj() const { return dh_; }
void parse_pem(const std::string& dh_txt)
{
BIO *bio = ::BIO_new_mem_buf(const_cast<char *>(dh_txt.c_str()), dh_txt.length());
if (!bio)
throw OpenSSLException();
::DH *dh = ::PEM_read_bio_DHparams(bio, nullptr, nullptr, nullptr);
::BIO_free(bio);
if (!dh)
throw OpenSSLException("DH::parse_pem");
erase();
dh_ = dh;
}
std::string render_pem() const
{
if (dh_)
{
BIO *bio = ::BIO_new(BIO_s_mem());
const int ret = ::PEM_write_bio_DHparams(bio, dh_);
if (ret == 0)
{
::BIO_free(bio);
throw OpenSSLException("DH::render_pem");
}
{
char *temp;
const int buf_len = ::BIO_get_mem_data(bio, &temp);
std::string ret = std::string(temp, buf_len);
::BIO_free(bio);
return ret;
}
}
else
return "";
}
~DH()
{
erase();
}
private:
void erase()
{
if (dh_)
::DH_free(dh_);
}
void dup(const ::DH *dh)
{
dh_ = DH_private::dup(dh);
}
::DH *dh_;
};
}
}
Sources/OpenVPN3/openvpn/openssl/pki/pkey.hpp
+214
View File
@@ -0,0 +1,214 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap an OpenSSL EVP_PKEY object
#pragma once
#include <string>
#include <utility>
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/openssl/util/error.hpp>
#include <openvpn/pki/pktype.hpp>
namespace openvpn {
namespace OpenSSLPKI {
class PKey
{
public:
PKey()
: pkey_(nullptr)
{
}
PKey(const std::string& pkey_txt, const std::string& title)
: pkey_(nullptr)
{
parse_pem(pkey_txt, title);
}
PKey(const PKey& other)
: pkey_(dup(other.pkey_)),
priv_key_pwd(other.priv_key_pwd)
{
}
PKey(PKey&& other) noexcept
: pkey_(other.pkey_),
priv_key_pwd(std::move(other.priv_key_pwd))
{
other.pkey_ = nullptr;
}
PKey& operator=(const PKey& other)
{
if (this != &other)
{
erase();
pkey_ = dup(other.pkey_);
priv_key_pwd = other.priv_key_pwd;
}
return *this;
}
PKey& operator=(PKey&& other) noexcept
{
if (this != &other)
{
erase();
pkey_ = other.pkey_;
other.pkey_ = nullptr;
priv_key_pwd = std::move(other.priv_key_pwd);
}
return *this;
}
bool defined() const { return pkey_ != nullptr; }
::EVP_PKEY* obj() const { return pkey_; }
PKType::Type key_type() const
{
switch (::EVP_PKEY_id(pkey_))
{
case EVP_PKEY_RSA:
case EVP_PKEY_RSA2:
return PKType::PK_RSA;
case EVP_PKEY_EC:
return PKType::PK_EC;
case EVP_PKEY_DSA:
case EVP_PKEY_DSA1:
case EVP_PKEY_DSA2:
case EVP_PKEY_DSA3:
case EVP_PKEY_DSA4:
return PKType::PK_DSA;
case EVP_PKEY_NONE:
return PKType::PK_NONE;
default:
return PKType::PK_UNKNOWN;
}
}
size_t key_length() const
{
int ret = ::i2d_PrivateKey(pkey_, NULL);
if (ret < 0)
return 0;
/* convert to bits */
return ret * 8;
}
void set_private_key_password(const std::string& pwd)
{
priv_key_pwd = pwd;
}
void parse_pem(const std::string& pkey_txt, const std::string& title)
{
BIO *bio = ::BIO_new_mem_buf(const_cast<char *>(pkey_txt.c_str()), pkey_txt.length());
if (!bio)
throw OpenSSLException();
::EVP_PKEY *pkey = ::PEM_read_bio_PrivateKey(bio, nullptr, pem_password_callback, this);
::BIO_free(bio);
if (!pkey)
throw OpenSSLException(std::string("PKey::parse_pem: error in ") + title + std::string(":"));
erase();
pkey_ = pkey;
}
std::string render_pem() const
{
if (pkey_)
{
BIO *bio = ::BIO_new(BIO_s_mem());
const int ret = ::PEM_write_bio_PrivateKey(bio, pkey_, nullptr, nullptr, 0, nullptr, nullptr);
if (ret == 0)
{
::BIO_free(bio);
throw OpenSSLException("PKey::render_pem");
}
{
char *temp;
const int buf_len = ::BIO_get_mem_data(bio, &temp);
std::string ret = std::string(temp, buf_len);
::BIO_free(bio);
return ret;
}
}
else
return "";
}
~PKey()
{
erase();
}
private:
static int pem_password_callback (char *buf, int size, int rwflag, void *userdata)
{
// get this
const PKey* self = (PKey*) userdata;
if (buf)
{
string::strncpynt(buf, self->priv_key_pwd.c_str(), size);
return std::strlen(buf);
}
return 0;
}
void erase()
{
if (pkey_)
::EVP_PKEY_free(pkey_);
}
static ::EVP_PKEY *dup(const ::EVP_PKEY *pkey)
{
// No OpenSSL EVP_PKEY_dup method so we roll our own
if (pkey)
{
::EVP_PKEY* pDupKey = ::EVP_PKEY_new();
::RSA* pRSA = ::EVP_PKEY_get1_RSA(const_cast<::EVP_PKEY *>(pkey));
::RSA* pRSADupKey = ::RSAPrivateKey_dup(pRSA);
::RSA_free(pRSA);
::EVP_PKEY_set1_RSA(pDupKey, pRSADupKey);
::RSA_free(pRSADupKey);
return pDupKey;
}
else
return nullptr;
}
::EVP_PKEY *pkey_;
std::string priv_key_pwd;
};
}
}
Sources/OpenVPN3/openvpn/openssl/pki/x509.hpp
+178
View File
@@ -0,0 +1,178 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap an OpenSSL X509 object
#pragma once
#include <string>
#include <vector>
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/openssl/util/error.hpp>
namespace openvpn {
namespace OpenSSLPKI {
class X509
{
public:
X509()
: x509_(nullptr)
{
}
X509(const std::string& cert_txt, const std::string& title)
: x509_(nullptr)
{
parse_pem(cert_txt, title);
}
explicit X509(::X509 *x509, const bool create=true)
{
if (create)
x509_ = x509;
else
x509_ = dup(x509);
}
X509(const X509& other)
: x509_(dup(other.x509_))
{
}
X509(X509&& other) noexcept
: x509_(other.x509_)
{
other.x509_ = nullptr;
}
X509& operator=(const X509& other)
{
if (this != &other)
{
erase();
x509_ = dup(other.x509_);
}
return *this;
}
X509& operator=(X509&& other) noexcept
{
if (this != &other)
{
erase();
x509_ = other.x509_;
other.x509_ = nullptr;
}
return *this;
}
bool defined() const { return x509_ != nullptr; }
::X509* obj() const { return x509_; }
::X509* obj_dup() const { return dup(x509_); }
void parse_pem(const std::string& cert_txt, const std::string& title)
{
BIO *bio = ::BIO_new_mem_buf(const_cast<char *>(cert_txt.c_str()), cert_txt.length());
if (!bio)
throw OpenSSLException();
::X509 *cert = ::PEM_read_bio_X509(bio, nullptr, nullptr, nullptr);
::BIO_free(bio);
if (!cert)
throw OpenSSLException(std::string("X509::parse_pem: error in ") + title + std::string(":"));
erase();
x509_ = cert;
}
std::string render_pem() const
{
if (x509_)
{
BIO *bio = ::BIO_new(BIO_s_mem());
const int ret = ::PEM_write_bio_X509(bio, x509_);
if (ret == 0)
{
::BIO_free(bio);
throw OpenSSLException("X509::render_pem");
}
{
char *temp;
const int buf_len = ::BIO_get_mem_data(bio, &temp);
std::string ret = std::string(temp, buf_len);
::BIO_free(bio);
return ret;
}
}
else
return "";
}
~X509()
{
erase();
}
private:
static ::X509 *dup(const ::X509 *x509)
{
if (x509)
return ::X509_dup(const_cast< ::X509 * >(x509));
else
return nullptr;
}
void erase()
{
if (x509_)
::X509_free(x509_);
}
::X509 *x509_;
};
class X509List : public std::vector<X509>
{
public:
typedef X509 Item;
bool defined() const
{
return !empty();
}
std::string render_pem() const
{
std::string ret;
for (const auto &e : *this)
ret += e.render_pem();
return ret;
}
};
}
}
Sources/OpenVPN3/openvpn/openssl/pki/x509store.hpp
+104
View File
@@ -0,0 +1,104 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap an OpenSSL X509Store object
#pragma once
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/pki/cclist.hpp>
#include <openvpn/openssl/util/error.hpp>
#include <openvpn/openssl/pki/x509.hpp>
#include <openvpn/openssl/pki/crl.hpp>
namespace openvpn {
namespace OpenSSLPKI {
class X509Store
{
public:
OPENVPN_EXCEPTION(x509_store_error);
typedef CertCRLListTemplate<X509List, CRLList> CertCRLList;
X509Store()
: x509_store_(nullptr)
{
}
explicit X509Store(const CertCRLList& cc)
{
init();
// Load cert list
{
for (const auto &e : cc.certs)
{
if (!::X509_STORE_add_cert(x509_store_, e.obj()))
throw x509_store_error("X509_STORE_add_cert(");
}
}
// Load CRL list
{
if (cc.crls.defined())
{
::X509_STORE_set_flags(x509_store_, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
for (const auto &e : cc.crls)
{
if (!::X509_STORE_add_crl(x509_store_, e.obj()))
throw x509_store_error("X509_STORE_add_crl");
}
}
}
}
X509_STORE* obj() const
{
return x509_store_;
}
X509_STORE* release()
{
X509_STORE* ret = x509_store_;
x509_store_ = nullptr;
return ret;
}
~X509Store()
{
if (x509_store_)
::X509_STORE_free(x509_store_);
}
private:
void init()
{
x509_store_ = ::X509_STORE_new();
if (!x509_store_)
throw x509_store_error("X509_STORE_new");
}
::X509_STORE* x509_store_;
};
}
}
Sources/OpenVPN3/openvpn/openssl/sign/pkcs7verify.hpp
+87
View File
@@ -0,0 +1,87 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Verify a PKCS7 signature
#ifndef OPENVPN_OPENSSL_SIGN_PKCS7VERIFY_H
#define OPENVPN_OPENSSL_SIGN_PKCS7VERIFY_H
#include <string>
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openssl/pkcs7.h>
#include <openvpn/common/cleanup.hpp>
#include <openvpn/openssl/pki/x509.hpp>
#include <openvpn/openssl/util/error.hpp>
namespace openvpn {
namespace OpenSSLSign {
/*
* Verify PKCS7 signature.
* On success, return.
* On fail, throw exception.
*/
inline void verify_pkcs7(const OpenSSLPKI::X509& cert,
const std::string& sig,
const std::string& data)
{
STACK_OF(X509) *x509_stack = nullptr;
BIO *in = nullptr;
PKCS7 *p7 = nullptr;
auto clean = Cleanup([&]() {
if (x509_stack)
sk_X509_free(x509_stack);
if (in)
BIO_free(in);
if (p7)
PKCS7_free(p7);
});
/* create x509_stack from cert */
x509_stack = sk_X509_new_null();
sk_X509_push(x509_stack, cert.obj());
/* get signature */
in = BIO_new_mem_buf(sig.c_str(), sig.length());
p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
if (!p7)
throw OpenSSLException("OpenSSLSign::verify_pkcs7: failed to parse pkcs7 signature");
BIO_free(in);
in = nullptr;
/* get data */
in = BIO_new_mem_buf(data.c_str(), data.length());
/* OpenSSL 1.0.2e and higher no longer allows calling PKCS7_verify
with both data and content. Empty out the content. */
p7->d.sign->contents->d.ptr = 0;
/* do the verify */
if (PKCS7_verify(p7, x509_stack, NULL, in, NULL, PKCS7_NOVERIFY) != 1)
throw OpenSSLException("OpenSSLSign::verify_pkcs7: verification failed");
}
}
}
#endif
Sources/OpenVPN3/openvpn/openssl/sign/verify.hpp
+99
View File
@@ -0,0 +1,99 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Verify a signature using OpenSSL EVP interface
#ifndef OPENVPN_OPENSSL_SIGN_VERIFY_H
#define OPENVPN_OPENSSL_SIGN_VERIFY_H
#include <string>
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openvpn/common/cleanup.hpp>
#include <openvpn/common/base64.hpp>
#include <openvpn/openssl/pki/x509.hpp>
#include <openvpn/openssl/util/error.hpp>
#include <openvpn/openssl/compat.hpp>
namespace openvpn {
namespace OpenSSLSign {
/*
* Verify signature.
* On success, return.
* On fail, throw exception.
*/
inline void verify(const OpenSSLPKI::X509& cert,
const std::string& sig,
const std::string& data,
const std::string& digest)
{
const EVP_MD *dig;
EVP_MD_CTX* md_ctx = nullptr;
EVP_PKEY *pkey = nullptr;
auto clean = Cleanup([&]() {
if (pkey)
EVP_PKEY_free(pkey);
if (md_ctx)
{
#if OPENSSL_VERSION_NUMBER < 0x10100000L
EVP_MD_CTX_cleanup(md_ctx);
#endif
EVP_MD_CTX_free(md_ctx);
}
});
// get digest
dig = EVP_get_digestbyname(digest.c_str());
if (!dig)
throw Exception("OpenSSLSign::verify: unknown digest: " + digest);
// get public key
pkey = X509_get_pubkey(cert.obj());
if (!pkey)
throw Exception("OpenSSLSign::verify: no public key");
// convert signature from base64 to binary
BufferAllocated binsig(1024, 0);
try {
base64->decode(binsig, sig);
}
catch (const std::exception& e)
{
throw Exception(std::string("OpenSSLSign::verify: base64 decode error on signature: ") + e.what());
}
// initialize digest context
md_ctx = EVP_MD_CTX_new();
// verify signature
EVP_VerifyInit (md_ctx, dig);
EVP_VerifyUpdate(md_ctx, data.c_str(), data.length());
if (EVP_VerifyFinal(md_ctx, binsig.c_data(), binsig.length(), pkey) != 1)
throw OpenSSLException("OpenSSLSign::verify: verification failed");
}
}
}
#endif
Sources/OpenVPN3/openvpn/openssl/ssl/sess_cache.hpp
+186
View File
@@ -0,0 +1,186 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
#pragma once
#include <string>
#include <map>
#include <set>
#include <tuple>
#include <memory>
#include <utility>
#include <openssl/ssl.h>
#include <openvpn/common/rc.hpp>
#include <openvpn/common/msfind.hpp>
namespace openvpn {
// Client-side session cache.
// (We don't cache server-side sessions because we use TLS
// session resumption tickets which are stateless on the server).
class OpenSSLSessionCache : public RC<thread_unsafe_refcount>
{
public:
typedef RCPtr<OpenSSLSessionCache> Ptr;
OPENVPN_EXCEPTION(openssl_sess_cache_error);
// Wrapper for OpenSSL SSL_SESSION pointers that manages reference counts.
class Session
{
public:
Session(::SSL_SESSION* sess) // caller must pre-increment refcount on sess
: sess_(sess)
{
}
Session(Session&& other) noexcept
{
sess_ = other.sess_;
other.sess_ = nullptr;
}
Session& operator=(Session&& other) noexcept
{
if (sess_)
::SSL_SESSION_free(sess_);
sess_ = other.sess_;
other.sess_ = nullptr;
return *this;
}
::SSL_SESSION* openssl_session() const
{
return sess_;
}
bool operator<(const Session& rhs) const // used when Session is a std::set key
{
return sess_ < rhs.sess_;
}
explicit operator bool() const
{
return sess_ != nullptr;
}
~Session()
{
if (sess_)
::SSL_SESSION_free(sess_);
}
private:
// These methods are deleted because we have no way to increment
// an SSL_SESSION refcount until OpenSSL 1.1.
Session(const Session&) = delete;
Session& operator=(const Session&) = delete;
::SSL_SESSION* sess_;
};
class Key
{
public:
typedef std::unique_ptr<Key> UPtr;
Key(const std::string& key_arg,
OpenSSLSessionCache::Ptr cache_arg)
: key(key_arg),
cache(std::move(cache_arg))
{
//OPENVPN_LOG("OpenSSLSessionCache::Key CONSTRUCT key=" << key);
}
void commit(::SSL_SESSION* sess)
{
if (!sess)
return;
auto mi = MSF::find(cache->map, key);
if (mi)
{
/* auto ins = */ mi->second.emplace(sess);
//OPENVPN_LOG("OpenSSLSessionCache::Key::commit ADD=" << ins.second << " key=" << key);
}
else
{
//OPENVPN_LOG("OpenSSLSessionCache::Key::commit CREATE key=" << key);
auto ins = cache->map.emplace(std::piecewise_construct,
std::forward_as_tuple(key),
std::forward_as_tuple());
ins.first->second.emplace(sess);
}
}
private:
const std::string key;
OpenSSLSessionCache::Ptr cache;
};
// Remove a session from the map after calling func() on it.
// This would be a lot cleaner if we had C++17 std::set::extract().
template <typename FUNC>
void extract(const std::string& key, FUNC func)
{
auto mi = MSF::find(map, key);
if (mi)
{
//OPENVPN_LOG("OpenSSLSessionCache::Key::lookup EXISTS key=" << key);
SessionSet& ss = mi->second;
if (ss.empty())
throw openssl_sess_cache_error("internal error: SessionSet is empty");
auto ssi = ss.begin();
try {
func(ssi->openssl_session());
}
catch (...)
{
remove_session(mi, ss, ssi);
throw;
}
remove_session(mi, ss, ssi);
}
else
{
//OPENVPN_LOG("OpenSSLSessionCache::Key::lookup NOT_FOUND key=" << key);
}
}
private:
struct SessionSet : public std::set<Session>
{
};
typedef std::map<std::string, SessionSet> Map;
void remove_session(Map::iterator mi, SessionSet& ss, SessionSet::iterator ssi)
{
ss.erase(ssi);
if (ss.empty())
map.erase(mi);
}
Map map;
};
}
Sources/OpenVPN3/openvpn/openssl/ssl/sslctx.hpp
+2145
View File
File diff suppressed because it is too large Load Diff
Sources/OpenVPN3/openvpn/openssl/util/engine.hpp
+61
View File
@@ -0,0 +1,61 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Method to set up a particular OpenSSL engine type
#ifndef OPENVPN_OPENSSL_UTIL_ENGINE_H
#define OPENVPN_OPENSSL_UTIL_ENGINE_H
#include <string>
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif
#include <openvpn/common/exception.hpp>
#include <openvpn/openssl/util/error.hpp>
namespace openvpn {
OPENVPN_EXCEPTION(openssl_engine_error);
inline void openssl_setup_engine (const std::string& engine)
{
#ifndef OPENSSL_NO_ENGINE
ENGINE_load_builtin_engines ();
if (engine == "auto")
{
ENGINE_register_all_complete ();
return;
}
ENGINE *e = ENGINE_by_id (engine.c_str());
if (!e)
throw openssl_engine_error();
if (!ENGINE_set_default (e, ENGINE_METHOD_ALL))
throw openssl_engine_error();
#endif
}
} // namespace openvpn
#endif // OPENVPN_OPENSSL_UTIL_ENGINE_H
Sources/OpenVPN3/openvpn/openssl/util/error.hpp
+200
View File
@@ -0,0 +1,200 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// OpenSSL exception class that allows a full OpenSSL error stack
// to be represented.
#ifndef OPENVPN_OPENSSL_UTIL_ERROR_H
#define OPENVPN_OPENSSL_UTIL_ERROR_H
#include <string>
#include <openssl/err.h>
#include <openssl/ssl.h>
#include <openvpn/common/exception.hpp>
#include <openvpn/error/error.hpp>
#include <openvpn/error/excode.hpp>
namespace openvpn {
// string exception class
class OpenSSLException : public ExceptionCode
{
public:
OPENVPN_EXCEPTION(ssl_exception_index);
enum {
MAX_ERRORS = 8
};
OpenSSLException()
{
ssl_err = -1;
init_error("OpenSSL");
}
explicit OpenSSLException(const std::string& error_text)
{
ssl_err = -1;
init_error(error_text.c_str());
}
explicit OpenSSLException(const int ssl_error)
{
init_ssl_error(ssl_error, "OpenSSL");
}
explicit OpenSSLException(const std::string& error_text, const int ssl_error)
{
init_ssl_error(ssl_error, error_text.c_str());
}
virtual const char* what() const throw() { return errtxt.c_str(); }
std::string what_str() const { return errtxt; }
size_t len() const { return n_err; }
unsigned long operator[](const size_t i) const
{
if (i < n_err)
return errstack[i];
else
throw ssl_exception_index();
}
int ssl_error() const { return ssl_err; }
virtual ~OpenSSLException() throw() {}
static const char *ssl_error_text(const int ssl_error, bool *unknown = nullptr)
{
switch (ssl_error)
{
case SSL_ERROR_NONE:
return "SSL_ERROR_NONE";
case SSL_ERROR_ZERO_RETURN:
return "SSL_ERROR_ZERO_RETURN";
case SSL_ERROR_WANT_READ:
return "SSL_ERROR_WANT_READ";
case SSL_ERROR_WANT_WRITE:
return "SSL_ERROR_WANT_WRITE";
case SSL_ERROR_WANT_CONNECT:
return "SSL_ERROR_WANT_CONNECT";
case SSL_ERROR_WANT_ACCEPT:
return "SSL_ERROR_WANT_ACCEPT";
case SSL_ERROR_WANT_X509_LOOKUP:
return "SSL_ERROR_WANT_X509_LOOKUP";
case SSL_ERROR_SYSCALL:
return "SSL_ERROR_SYSCALL";
case SSL_ERROR_SSL:
return "SSL_ERROR_SSL";
default:
if (unknown)
*unknown = true;
return "(unknown SSL error)";
}
}
private:
void init_error(const char *error_text)
{
const char *prefix = ": ";
std::ostringstream tmp;
char buf[256];
tmp << error_text;
n_err = 0;
while (unsigned long err = ERR_get_error())
{
if (n_err < MAX_ERRORS)
errstack[n_err++] = err;
ERR_error_string_n(err, buf, sizeof(buf));
tmp << prefix << buf;
prefix = " / ";
// for certain OpenSSL errors, translate them to an OpenVPN error code,
// so they can be propagated up to the higher levels (such as UI level)
switch (ERR_GET_REASON(err))
{
case SSL_R_CERTIFICATE_VERIFY_FAILED:
set_code(Error::CERT_VERIFY_FAIL, true);
break;
case PEM_R_BAD_PASSWORD_READ:
case PEM_R_BAD_DECRYPT:
set_code(Error::PEM_PASSWORD_FAIL, true);
break;
case SSL_R_UNSUPPORTED_PROTOCOL:
set_code(Error::TLS_VERSION_MIN, true);
break;
}
}
errtxt = tmp.str();
}
void init_ssl_error(const int ssl_error, const char *error_text)
{
bool unknown = false;
ssl_err = ssl_error;
const char *text = ssl_error_text(ssl_error, &unknown);
if (unknown || ssl_error == SSL_ERROR_SYSCALL || ssl_error == SSL_ERROR_SSL)
{
init_error(error_text);
errtxt += " (";
errtxt += text;
errtxt += ")";
}
else
{
errtxt = error_text;
errtxt += ": ";
errtxt += text;
}
}
size_t n_err;
unsigned long errstack[MAX_ERRORS];
std::string errtxt;
int ssl_err;
};
// return an OpenSSL error string
inline std::string openssl_error()
{
OpenSSLException err;
return err.what_str();
}
inline std::string openssl_error(const int ssl_error)
{
OpenSSLException err(ssl_error);
return err.what_str();
}
inline void openssl_clear_error_stack()
{
while (ERR_get_error())
;
}
} // namespace openvpn
#endif // OPENVPN_OPENSSL_UTIL_ERROR_H
Sources/OpenVPN3/openvpn/openssl/util/init.hpp
+39
View File
@@ -0,0 +1,39 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
#pragma once
#include <openssl/opensslv.h>
// OpenSSL 1.1.0 does not require an explicit init, in fact the
// asio init for 1.1.0 is a noop, see also OPENSSL_init_ssl man page
#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
#define OPENSSL_NEEDS_INIT
// Instantiate this object to ensure openssl is initialised.
#ifdef USE_ASIO
#include <asio/ssl/detail/openssl_init.hpp>
typedef asio::ssl::detail::openssl_init<> openssl_init;
#else
#error no OpenSSL init code (USE_ASIO needed for OpenSSL < 1.1)
#endif
#endif
Sources/OpenVPN3/openvpn/openssl/util/pem.hpp
+103
View File
@@ -0,0 +1,103 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2017-2018 OpenVPN Technologies, Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap the OpenSSL PEM API defined in <openssl/pem.h> so
// that it can be used as part of the crypto layer of the OpenVPN core.
#ifndef OPENVPN_OPENSSL_UTIL_PEM_H
#define OPENVPN_OPENSSL_UTIL_PEM_H
#include <openvpn/openssl/util/error.hpp>
#include <openssl/pem.h>
namespace openvpn {
class OpenSSLPEM
{
public:
static bool pem_encode(BufferAllocated& dst, const unsigned char *src,
size_t src_len, const std::string& key_name)
{
bool ret = false;
BIO *bio = BIO_new(BIO_s_mem());
if (!bio)
return false;
if (!PEM_write_bio(bio, key_name.c_str(), "", src, src_len))
goto out;
BUF_MEM *bptr;
BIO_get_mem_ptr(bio, &bptr);
dst.write((unsigned char *)bptr->data, bptr->length);
ret = true;
out:
if (!BIO_free(bio))
ret = false;
return ret;
}
static bool pem_decode(BufferAllocated& dst, const char *src,
size_t src_len, const std::string& key_name)
{
bool ret = false;
BIO *bio;
if (!(bio = BIO_new_mem_buf(src, src_len)))
throw OpenSSLException("Cannot open memory BIO for PEM decode");
char *name_read = NULL;
char *header_read = NULL;
uint8_t *data_read = NULL;
long data_read_len = 0;
if (!PEM_read_bio(bio, &name_read, &header_read, &data_read,
&data_read_len))
{
OPENVPN_LOG("PEM decode failed");
goto out;
}
if (key_name.compare(std::string(name_read)))
{
OPENVPN_LOG("unexpected PEM name (got '" << name_read <<
"', expected '" << key_name << "')");
goto out;
}
dst.write(data_read, data_read_len);
ret = true;
out:
OPENSSL_free(name_read);
OPENSSL_free(header_read);
OPENSSL_free(data_read);
if (!BIO_free(bio))
ret = false;
return ret;
}
};
};
#endif /* OPENVPN_OPENSSL_UTIL_PEM_H */
Sources/OpenVPN3/openvpn/openssl/util/rand.hpp
+78
View File
@@ -0,0 +1,78 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap the OpenSSL Cryptographic Random API defined in <openssl/rand.h>
// so that it can be used as the primary source of cryptographic entropy by
// the OpenVPN core.
#ifndef OPENVPN_OPENSSL_UTIL_RAND_H
#define OPENVPN_OPENSSL_UTIL_RAND_H
#include <openssl/rand.h>
#include <openvpn/random/randapi.hpp>
namespace openvpn {
class OpenSSLRandom : public RandomAPI
{
public:
OPENVPN_EXCEPTION(rand_error_openssl);
typedef RCPtr<OpenSSLRandom> Ptr;
OpenSSLRandom(const bool prng)
{
}
virtual std::string name() const
{
return "OpenSSLRandom";
}
// Return true if algorithm is crypto-strength
virtual bool is_crypto() const
{
return true;
}
// Fill buffer with random bytes
virtual void rand_bytes(unsigned char *buf, size_t size)
{
if (!rndbytes(buf, size))
throw rand_error_openssl("rand_bytes");
}
// Like rand_bytes, but don't throw exception.
// Return true on successs, false on fail.
virtual bool rand_bytes_noexcept(unsigned char *buf, size_t size)
{
return rndbytes(buf, size);
}
private:
bool rndbytes(unsigned char *buf, size_t size)
{
return RAND_bytes(buf, size) == 1;
}
};
}
#endif
Sources/OpenVPN3/openvpn/openssl/util/reseed.hpp
+40
View File
@@ -0,0 +1,40 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
#pragma once
// seed OpenSSL's random number generator with /dev/urandom
#include <openssl/rand.h>
#include <openvpn/random/devurand.hpp>
namespace openvpn {
inline void openssl_reseed_rng()
{
unsigned char entropy[64];
RandomAPI::Ptr rng(new DevURand);
rng->rand_bytes(entropy, sizeof(entropy));
RAND_seed(entropy, sizeof(entropy));
}
}
Sources/OpenVPN3/openvpn/openssl/util/tokenencrypt.hpp
+121
View File
@@ -0,0 +1,121 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
#ifndef OPENVPN_CRYPTO_TOKENENCRYPT_H
#define OPENVPN_CRYPTO_TOKENENCRYPT_H
#include <string>
#include <atomic>
#include <cstdint> // for std::uint8_t
#include <openssl/evp.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/common/base64.hpp>
#include <openvpn/buffer/buffer.hpp>
#include <openvpn/random/randapi.hpp>
#include <openvpn/openssl/util/error.hpp>
#include <openvpn/openssl/compat.hpp>
namespace openvpn {
class TokenEncrypt
{
public:
class Key
{
public:
static constexpr size_t SIZE = 16;
Key(RandomAPI& rng)
{
rng.assert_crypto();
rng.rand_bytes(data, sizeof(data));
}
private:
friend class TokenEncrypt;
std::uint8_t data[SIZE];
};
// mode parameter for constructor
enum {
ENCRYPT = 1,
DECRYPT = 0
};
TokenEncrypt(const Key& key, const int mode)
{
ctx = EVP_CIPHER_CTX_new ();
EVP_CIPHER_CTX_reset (ctx);
if (!EVP_CipherInit_ex(ctx, EVP_aes_128_ecb(), nullptr, key.data, nullptr, mode))
{
EVP_CIPHER_CTX_free(ctx);
throw OpenSSLException("TokenEncrypt: EVP_CipherInit_ex[1] failed");
}
EVP_CIPHER_CTX_set_padding(ctx, 0);
}
~TokenEncrypt()
{
EVP_CIPHER_CTX_free(ctx);
}
// Do the encrypt/decrypt
void operator()(std::uint8_t* dest, const std::uint8_t* src, const size_t size)
{
// NOTE: since this algorithm uses the ECB block cipher mode,
// it should only be used to encrypt/decrypt a message which
// is exactly equal to the AES block size (16 bytes).
if (size != EVP_CIPHER_CTX_block_size(ctx))
throw Exception("TokenEncrypt: encrypt/decrypt data must be equal to AES block size");
int outlen=0;
if (!EVP_CipherInit_ex(ctx, nullptr, nullptr, nullptr, nullptr, -1))
throw OpenSSLException("TokenEncrypt: EVP_CipherInit_ex[2] failed");
if (!EVP_CipherUpdate(ctx, dest, &outlen, src, size))
throw OpenSSLException("TokenEncrypt: EVP_CipherUpdate failed");
// NOTE: we skip EVP_CipherFinal_ex because we are running in ECB mode without padding
if (outlen != size)
throw Exception("TokenEncrypt: unexpected output length=" + std::to_string(outlen) + " expected=" + std::to_string(size));
}
private:
TokenEncrypt(const TokenEncrypt&) = delete;
TokenEncrypt& operator=(const TokenEncrypt&) = delete;
EVP_CIPHER_CTX* ctx;
};
struct TokenEncryptDecrypt
{
TokenEncryptDecrypt(const TokenEncrypt::Key& key)
: encrypt(key, TokenEncrypt::ENCRYPT),
decrypt(key, TokenEncrypt::DECRYPT)
{
}
TokenEncrypt encrypt;
TokenEncrypt decrypt;
};
}
#endif