github/OpenVPNAdapter
4
0
Fork 0
mirror of https://github.com/deneraraujo/OpenVPNAdapter.git synced 2026-05-13 00:04:14 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
055bb04c14f30cc627492680d1cf486d7b9b0f79
OpenVPNAdapter/openvpn/client/cliopthelper.hpp
T
Sergey Abramchuk 82fea30fcc Squashed 'OpenVPN Adapter/Vendors/openvpn/' changes from 4095565..3e002c8 
3e002c8 remove unused Jenkinsfile
16b1055 [OVPN3-140] Update company names in copyrights
6caca2c [OVPN3-140] Relicense back to AGPLv3
4f9ae74 cliproto: react to tls_warnings
546547b Proto: export tls_warnings attribute from SSL session
7cbaa26 SSLAPI: add tls_warning attribute
7ed93a3 clievent: add Warn event class
7a71ba1 win: get 'arch' param value from environment
61bb21b win: make parameter optional
15d66c4 [OVPN3-141] win: disable WPO
97d9c28 [OU-15] mbedtls: remove duplicated code
95aec32 [OU-15] mbedtls: refactor X509Cert to allow reuse der2pem
946753e [OVPN3-135] Win: remove unneeded default route
d7f8c47 nrpt: create separate policy per dns suffix
577b5ca cli.cpp: fix typ0 in define
fc8f89d [OVPN3-129] android: ensure all SWIG files are archived and saved
e143bc0 [OVPN3-129] android: improve build system in order to perform full build
06d23ec [OVPN3-129] build-system: let scripts download dependencies
76bb99c fix usage of to_string() in Android
44c183a time: mute type conversion warnings for UWP client
7d7490c transport: enable socket protect call for UWP
1c003ac transport: pass protocol type to external factory
c0de92c transport: add stop_requeueing method
e2c60c8 android: build core library with MD5 support
3928069 [OVPN3-119] mbedTLS: create INSECURE profile including MD5
4f99310 remove function accidentally duplicated by last merge
b91d841 self-test: add missing includes
19e33c4 [OA-14] mbedTLS: relax x509 date/time format check
f3cf645 [OVPN3-116] disable SSL_CBC_RECORD_SPLITTING
fca9ed2 [OVPN3-105] ParseClientConfig: avoid crash when not all key material is provided
7299fef [OC-42] Android: specify API level on command line
d3da3df android: build client lib for x86 (for emulator)
8e501c5 Update version for mbedTLS and lz4
e57676e ParseClientConfig: export config to json format
9aa715f ParseClientConfig: export configuration to ovpn file format
1eab4cb ParseClientConfig: add helper constructor
71a59e4 ParseClientConfig: store the entire ovpn profile
e0bb85a Transport: convert from transport protocol to config string
2fe56c3 Compress: convert from ctx type to config string
174ee25 OpenSSL: implement stub methods for new private_key_type/length() SSLAPIs
3d57708 mbedTLS: implement private_key_type/length() API
a3210f0 SSLAPI: add private_key_type/length() getter methods
8ffe888 OpenSSL: implement stub methods for new extract_* SSLAPIs
16e9160 mbedTLS: implement extended API for key material extraction
fe3d519 SSLAPI: extend API with methods to extract key material
2b4c850 Debugging: added header and build flag for valgrind run-time extensions.
b948cde ManClientInstance::Factory: added virtual stop() method.
121e975 client API: added portOverride
106981c JSON: allow alternative JSON library implementations
f206ae2 logging: added logdatetime.hpp which prepends date/time to log lines
49e933d Time: added to_double, delta_float, and delta_str methods
569b1da daemon.hpp: added class WritePid for managing pid files
63e9e04 ClientProto: reset CoarseTime object when AsioTimer is canceled
f64b501 Cleanup: allow functor to be passed by value.
ebe2560 RunContext: add configurable exit via EXIT_IN env var for debugging
1fbff4f tls-crypt: revised server-side validate_initial_packet() methods to use a BufferAllocated rather than a Buffer.
0090c51 SSLConst: added new ssl_flags() method which filters out non-ssl flags from given argument.
8379b0a CryptoDCInstance: added new RekeyType PRIMARY_SECONDARY_SWAP and use it in ProtoContext::promote_secondary_to_primary() since it more accurately reflects the underlying implementation.
18f45c2 ManClientInstance::Send: added AuthStatus::Type parameter to disconnect_user() method.
4bba803 Listen::List: added expand_ports() method.
5122e7d Listen::List: in port_offset(), set n_threads to 0 since number-of-threads data for port_offset items isn't really relevant.
4e11a6c StaticKey: added render_to_base64() and init_from_rng() methods.
190ece9 CryptoAlgs: added mode() method.
76e65cf CryptoAlgs: added AEAD_NONCE_TAIL_SIZE constant (set to 8 bytes) to represent the size in bytes of AEAD "nonce tail" normally taken from the HMAC key material.
2738718 compress: added method_to_string() method, i.e. the inverse of parse_method().
7b47f99 compress: since parse_method() performs a linear search on method, reorder so that more frequently used methods appear at the top of the list.
b428f74 library: added integer is_pow2() and log2() methods based on efficient __builtin_ffs and __builtin_clz intrinsics.
4926011 Android: adapt toolchain scripts to new SDK and move to API 26
ad4e995 mbedTLS: use mbedtls API to initialize cert object
908c611 transport: use socket_protect to communicate socket handle on UWP
92a6216 build win: read certain params from env
8166ea8 common: define uwp platform macro
0186bf6 common: report platform name as "uwp"
3f291b0 netconf: disable getting hwaddr for UWP
6365d26 transport: external factory
2ffa0c9 transport: synchronous DNS lookup
2c09c7c cliconnect.hpp: support for AsioWork always on
4f5a04d rand.hpp: allow external entropy source
b19c5da time.hpp: use GetTickCount64 on Vista and newer
712ccfc android: export DEP_DIR via vars files only if not already defined
1b5a784 asio: make sure to switch to DEP_DIR before building
4302651 changes to support android building
6f56b2b Merge pull request #21 from OpenVPN/make_test_proto_deterministic
3a5ef2b travis-ci: make testing binary deterministic
b76882d mbedtls: fix typ0 in exception message
40065a6 avoid "uninitialized variable warning"
f33e7c2 [OVPN3-5] tls-crypt: add tls-crypt support in proto.hpp test unit
74c5f4f [OVPN3-5] tls-crypt: introduce tls-crypt support
389353c proto.cpp: uninit process at the end of the execution
56a831f [OVPN3-5] crypto/ssl: add support for AES-256-CTR
7cbf539 [OVPN3-5] build script: allow user to specify its own mbedTLS folder and LDFLAGS
8ae2a3f Integrate Google Test framework
68ae101 Add swig build to jenkins pipeline
d496311 ovpncli.hpp: inline LogInfo constructor for clarity
96e0d89 Revert "Merged in OVPN3-21-prepend-log-record-with-unique- (pull request #7)"
7db95cc Make build fail on compilation errors
860129a TunBuilderCapture: make (to|from)_json methods public
2486494 random: added helper class Rand2 containing a crypto and non-crypto RNG
04175c2 appversion.hpp: Stringize VERSION -> MY_VERSION
81cb887 build script: added DPROF=1 flag
a3dd47f timestr.hpp: moved milliseconds_since_epoch() to time/epoch.hpp
59b9492 sslchoose.hpp: added SSL_LIB_NAME
8fcb797 ProtoContext::KeyContext::raw_recv() : fix state transition
e49e993 ProtoContext: comment edit
1d941aa VPNServerNetblock::Netblock refactor
7190495 Server-side renamings to break up long class names using namespaces.
3f74ec1 Listen::List: minor changes
79c789b RandomAPI: comment edit
5b5af36 Added SSLConst::SERVER_TO_SERVER flag
fe00df4 OpenSSLContext::Config::set_rng: call assert_crypto()
3ae0076 In sslchoose.hpp, move OPENVPN_LOG_SSL macro to new file ssllog.hpp
1502cf6 URL::Parse: made is_valid_uri_char() standalone and moved to validate_uri.hpp
2dcb189 Added HTTP::Status::SwitchingProtocols constant
2f57024 HTTP::HeaderList: added get_value_trim_lower() method
bee94d2 HTTP::HeaderList: get_value() and get_value_trim() should return std::string instead of const std::string
5debab1 Frame::Context: #define OPENVPN_NO_IO to allow building without i/o layer
faf8f8f StaticKey: added parse_from_base64() method
d11f250 HashString: added final_base64() method
c373bf8 CompressContext: use C++11 member initialization and remove explicit attribute on constructor
bd75cd7 RCPtr: added operator==() and operator!=() methods
7be33c5 PThreadBarrier: fixed incorrect comment
6f5f77b Link: use move semantics
17a5d89 inotify.hpp: no longer used
8ce39fc added render_hex() and render_hex_sep() methods that accept void* data
ddc8e8a Function: use std::forward
76ee587 write_binary_atomic(): added tmpdir (temporary directory) parameter
f366d55 base64: encode() now accepts void* data
462fe90 BufferType: added read(), write(), and prepend() variants that accept void* data
9ad1be4 IP::RouteType: added host_bits() method
3ebc8c7 IPv[46]::Addr::to_sockaddr() now accepts optional port number
ce0977b Support Cityhash.
fdbb0b9 IP::Addr: added validate_prefix_len()
25146d8 IP::Addr::from_ipv[4|6](): use move semantics
a264f99 Merge pull request #20 from OpenVPN/fix_travis_ci_coverity
966e212 travis: don't mess up the SSL libs for wget/curl
2b8f09d Merge pull request #19 from OpenVPN/antonio/travis-ci-to-coverity
127cbb0 travis.yml: send build to Coverity SCAN when building master
2bca49b Merge pull request #15 from OpenVPN/antonio/travis-ci
a5ce566 add basic support for Travis CI
f9b14e9 macOS: add basic logging support
2b9188d Remotelist: pass meaningful port value to resolve::async_resolve()
4ebdbd0 Merged in OVPN3-38-improve-jenkins-pipeline-script (pull request #8)
832cf7f Report build status to Bitbucket
62423c9 Merged in OVPN3-21-prepend-log-record-with-unique- (pull request #7)
cce2455 Prepend log string with unique reference.
f26b08b Merged in OVPN3-25-pipeline-build (pull request #4)
dc5ff1f Add OpenSSL version building.
c77e1d6 Add pipeline script for multiplatform build.
4fab9b0 Merged in OVPN3-18-vs-project (pull request #2)
8eb0d6c Add Visual Studio project info to README
67c4989 Visual Studio 2015 solution and project files
52bfcd3 Merged in OVPN3-17 (pull request #1)
5f648ce Document Windows build process
3213c48 Support for local build settings
b3ec01b Support for gpl version of mbedtls
903abc8 Support for zipballs
4029579 AsioPolySock: support bind to local address.
1e85566 Use openvpn::strerror_str() instead of std::strerror().
3ba37fc OpenVPN 3 client: added OPENVPN_OVPNCLI_ASYNC_SETUP flag.

git-subtree-dir: OpenVPN Adapter/Vendors/openvpn
git-subtree-split: 3e002c83ce2e9f9f40ddcee750d3cfa664238abe
2018-01-08 11:44:56 +03:00

712 lines
21 KiB
C++
Raw Blame History

// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// A preliminary parser for OpenVPN client configuration files.
#ifndef OPENVPN_CLIENT_CLIOPTHELPER_H
#define OPENVPN_CLIENT_CLIOPTHELPER_H
#include <vector>
#include <string>
#include <sstream>
#ifdef HAVE_CONFIG_JSONCPP
#include "json/json.h"
#endif /* HAVE_CONFIG_JSONCPP */
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/common/options.hpp>
#include <openvpn/common/string.hpp>
#include <openvpn/common/split.hpp>
#include <openvpn/common/splitlines.hpp>
#include <openvpn/common/userpass.hpp>
#include <openvpn/client/remotelist.hpp>
#include <openvpn/client/cliconstants.hpp>
#include <openvpn/ssl/peerinfo.hpp>
#include <openvpn/ssl/proto.hpp>
#include <openvpn/ssl/proto_context_options.hpp>
#include <openvpn/ssl/sslchoose.hpp>
namespace openvpn {
class ParseClientConfig {
public:
struct ServerEntry {
std::string server;
std::string friendlyName;
};
struct ServerList : public std::vector<ServerEntry>
{
};
struct RemoteItem {
std::string host;
std::string port;
std::string proto;
};
ParseClientConfig()
{
reset_pod();
}
ParseClientConfig(const OptionList& options)
{
try {
// reset POD types
reset_pod();
// limits
const size_t max_server_list_size = 64;
// setenv UV_x
PeerInfo::Set::Ptr peer_info_uv(new PeerInfo::Set);
// process setenv directives
{
const OptionList::IndexList* se = options.get_index_ptr("setenv");
if (se)
{
for (OptionList::IndexList::const_iterator i = se->begin(); i != se->end(); ++i)
{
const Option& o = options[*i];
o.touch();
const std::string arg1 = o.get_optional(1, 256);
// server-locked profiles not supported
if (arg1 == "GENERIC_CONFIG")
{
error_ = true;
message_ = "SERVER_LOCKED_UNSUPPORTED: server locked profiles are currently unsupported";
return;
}
else if (arg1 == "ALLOW_PASSWORD_SAVE")
allowPasswordSave_ = parse_bool(o, "setenv ALLOW_PASSWORD_SAVE", 2);
else if (arg1 == "CLIENT_CERT")
clientCertEnabled_ = parse_bool(o, "setenv CLIENT_CERT", 2);
else if (arg1 == "USERNAME")
userlockedUsername_ = o.get(2, 256);
else if (arg1 == "FRIENDLY_NAME")
friendlyName_ = o.get(2, 256);
else if (arg1 == "SERVER")
{
const std::string& serv = o.get(2, 256);
std::vector<std::string> slist = Split::by_char<std::vector<std::string>, NullLex, Split::NullLimit>(serv, '/', 0, 1);
ServerEntry se;
if (slist.size() == 1)
{
se.server = slist[0];
se.friendlyName = slist[0];
}
else if (slist.size() == 2)
{
se.server = slist[0];
se.friendlyName = slist[1];
}
if (!se.server.empty() && !se.friendlyName.empty() && serverList_.size() < max_server_list_size)
serverList_.push_back(se);
}
else if (arg1 == "PUSH_PEER_INFO")
pushPeerInfo_ = true;
else if (string::starts_with(arg1, "UV_") && arg1.length() >= 4 && string::is_word(arg1))
{
const std::string value = o.get_optional(2, 256);
if (string::is_printable(value))
peer_info_uv->emplace_back(arg1, value);
}
}
}
}
// Alternative to "setenv CLIENT_CERT 0". Note that as of OpenVPN 2.3, this option
// is only supported server-side, so this extends its meaning into the client realm.
if (options.exists("client-cert-not-required"))
clientCertEnabled_ = false;
// userlocked username
{
const Option* o = options.get_ptr("USERNAME");
if (o)
userlockedUsername_ = o->get(1, 256);
}
// userlocked username/password via <auth-user-pass>
std::vector<std::string> user_pass;
const bool auth_user_pass = parse_auth_user_pass(options, &user_pass);
if (auth_user_pass && user_pass.size() >= 1)
{
userlockedUsername_ = user_pass[0];
if (user_pass.size() >= 2)
{
hasEmbeddedPassword_ = true;
embeddedPassword_ = user_pass[1];
}
}
// External PKI
externalPki_ = (clientCertEnabled_ && is_external_pki(options));
// allow password save
{
const Option* o = options.get_ptr("allow-password-save");
if (o)
allowPasswordSave_ = parse_bool(*o, "allow-password-save", 1);
}
// autologin
{
autologin_ = is_autologin(options, auth_user_pass, user_pass);
if (autologin_)
allowPasswordSave_ = false; // saving passwords is incompatible with autologin
}
// static challenge
{
const Option* o = options.get_ptr("static-challenge");
if (o)
{
staticChallenge_ = o->get(1, 256);
if (o->get_optional(2, 16) == "1")
staticChallengeEcho_ = true;
}
}
// validate remote list
remoteList.reset(new RemoteList(options, "", 0, nullptr));
{
const RemoteList::Item* ri = remoteList->first_item();
if (ri)
{
firstRemoteListItem_.host = ri->server_host;
firstRemoteListItem_.port = ri->server_port;
if (ri->transport_protocol.is_udp())
firstRemoteListItem_.proto = "udp";
else if (ri->transport_protocol.is_tcp())
firstRemoteListItem_.proto = "tcp-client";
}
}
// determine if private key is encrypted
if (!externalPki_)
{
const Option* o = options.get_ptr("key");
if (o)
{
const std::string& key_txt = o->get(1, Option::MULTILINE);
privateKeyPasswordRequired_ = (
key_txt.find("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n") != std::string::npos
|| key_txt.find("-----BEGIN ENCRYPTED PRIVATE KEY-----") != std::string::npos
);
}
}
// profile name
{
const Option* o = options.get_ptr("PROFILE");
if (o)
{
// take PROFILE substring up to '/'
const std::string& pn = o->get(1, 256);
const size_t slashpos = pn.find('/');
if (slashpos != std::string::npos)
profileName_ = pn.substr(0, slashpos);
else
profileName_ = pn;
}
else
{
if (remoteList)
profileName_ = remoteList->first_server_host();
}
}
// friendly name
{
const Option* o = options.get_ptr("FRIENDLY_NAME");
if (o)
friendlyName_ = o->get(1, 256);
}
// server list
{
const Option* o = options.get_ptr("HOST_LIST");
if (o)
{
SplitLines in(o->get(1, 4096 | Option::MULTILINE), 0);
while (in(true))
{
ServerEntry se;
se.server = in.line_ref();
se.friendlyName = se.server;
Option::validate_string("HOST_LIST server", se.server, 256);
Option::validate_string("HOST_LIST friendly name", se.friendlyName, 256);
if (!se.server.empty() && !se.friendlyName.empty() && serverList_.size() < max_server_list_size)
serverList_.push_back(se);
}
}
}
// push-peer-info
{
if (options.exists("push-peer-info"))
pushPeerInfo_ = true;
if (pushPeerInfo_)
peerInfoUV_ = peer_info_uv;
}
// dev name
{
const Option *o = options.get_ptr("dev");
if (o)
{
dev = o->get(1, 256);
}
}
// protocol configuration
{
protoConfig.reset(new ProtoContext::Config());
protoConfig->tls_auth_factory.reset(new CryptoOvpnHMACFactory<SSLLib::CryptoAPI>());
protoConfig->tls_crypt_factory.reset(new CryptoTLSCryptFactory<SSLLib::CryptoAPI>());
protoConfig->load(options, ProtoContextOptions(), -1, false);
}
// ssl lib configuration
try {
sslConfig.reset(new SSLLib::SSLAPI::Config());
sslConfig->load(options, SSLConfigAPI::LF_PARSE_MODE);
} catch (...) {
sslConfig.reset();
}
}
catch (const std::exception& e)
{
error_ = true;
message_ = Unicode::utf8_printable<std::string>(e.what(), 256);
}
}
static ParseClientConfig parse(const std::string& content)
{
return parse(content, nullptr);
}
static ParseClientConfig parse(const std::string& content, OptionList::KeyValueList* content_list)
{
OptionList options;
return parse(content, content_list, options);
}
static ParseClientConfig parse(const std::string& content,
OptionList::KeyValueList* content_list,
OptionList& options)
{
try {
OptionList::Limits limits("profile is too large",
ProfileParseLimits::MAX_PROFILE_SIZE,
ProfileParseLimits::OPT_OVERHEAD,
ProfileParseLimits::TERM_OVERHEAD,
ProfileParseLimits::MAX_LINE_SIZE,
ProfileParseLimits::MAX_DIRECTIVE_SIZE);
options.clear();
options.parse_from_config(content, &limits);
options.parse_meta_from_config(content, "OVPN_ACCESS_SERVER", &limits);
if (content_list)
{
content_list->preprocess();
options.parse_from_key_value_list(*content_list, &limits);
}
process_setenv_opt(options);
options.update_map();
// add in missing options
bool added = false;
// client
if (!options.exists("client"))
{
Option opt;
opt.push_back("client");
options.push_back(opt);
added = true;
}
// dev
if (!options.exists("dev"))
{
Option opt;
opt.push_back("dev");
opt.push_back("tun");
options.push_back(opt);
added = true;
}
if (added)
options.update_map();
return ParseClientConfig(options);
}
catch (const std::exception& e)
{
ParseClientConfig ret;
ret.error_ = true;
ret.message_ = Unicode::utf8_printable<std::string>(e.what(), 256);
return ret;
}
}
// true if error
bool error() const { return error_; }
// if error, message given here
const std::string& message() const { return message_; }
// this username must be used with profile
const std::string& userlockedUsername() const { return userlockedUsername_; }
// profile name of config
const std::string& profileName() const { return profileName_; }
// "friendly" name of config
const std::string& friendlyName() const { return friendlyName_; }
// true: no creds required, false: username/password required
bool autologin() const { return autologin_; }
// profile embedded password via <auth-user-pass>
bool hasEmbeddedPassword() const { return hasEmbeddedPassword_; }
const std::string& embeddedPassword() const { return embeddedPassword_; }
// true: no client cert/key required, false: client cert/key required
bool clientCertEnabled() const { return clientCertEnabled_; }
// if true, this is an External PKI profile (no cert or key directives)
bool externalPki() const { return externalPki_; }
// static challenge, may be empty, ignored if autologin
const std::string& staticChallenge() const { return staticChallenge_; }
// true if static challenge response should be echoed to UI, ignored if autologin
bool staticChallengeEcho() const { return staticChallengeEcho_; }
// true if this profile requires a private key password
bool privateKeyPasswordRequired() const { return privateKeyPasswordRequired_; }
// true if user is allowed to save authentication password in UI
bool allowPasswordSave() const { return allowPasswordSave_; }
// true if "setenv PUSH_PEER_INFO" or "push-peer-info" are defined
bool pushPeerInfo() const { return pushPeerInfo_; }
// "setenv UV_x" directives if pushPeerInfo() is true
const PeerInfo::Set* peerInfoUV() const { return peerInfoUV_.get(); }
// optional list of user-selectable VPN servers
const ServerList& serverList() const { return serverList_; }
// return first remote directive in config
const RemoteItem& firstRemoteListItem() const { return firstRemoteListItem_; }
std::string to_string() const
{
std::ostringstream os;
os << "user=" << userlockedUsername_
<< " pn=" << profileName_
<< " fn=" << friendlyName_
<< " auto=" << autologin_
<< " embed_pw=" << hasEmbeddedPassword_
<< " epki=" << externalPki_
<< " schal=" << staticChallenge_
<< " scecho=" << staticChallengeEcho_;
return os.str();
}
std::string to_string_config() const
{
std::ostringstream os;
os << "client" << std::endl;
os << "dev " << dev << std::endl;
os << "dev-type " << protoConfig->layer.dev_type() << std::endl;
for (size_t i = 0; i < remoteList->size(); i++)
{
const RemoteList::Item& item = remoteList->get_item(i);
os << "remote " << item.server_host << " " << item.server_port;
const char *proto = item.transport_protocol.protocol_to_string();
if (proto)
os << " " << proto;
os << std::endl;
}
if (protoConfig->tls_crypt_context)
{
os << "<tls-crypt>" << std::endl << protoConfig->tls_key.render() << "</tls-crypt>"
<< std::endl;
}
else if (protoConfig->tls_auth_context)
{
os << "<tls-auth>" << std::endl << protoConfig->tls_key.render() << "</tls-auth>"
<< std::endl;
os << "key_direction " << protoConfig->key_direction << std::endl;
}
// SSL parameters
if (sslConfig)
{
print_pem(os, "ca", sslConfig->extract_ca());
print_pem(os, "crl", sslConfig->extract_crl());
print_pem(os, "key", sslConfig->extract_private_key());
print_pem(os, "cert", sslConfig->extract_cert());
std::vector<std::string> extra_certs = sslConfig->extract_extra_certs();
if (extra_certs.size() > 0)
{
os << "<extra-certs>" << std::endl;
for (auto& cert : extra_certs)
{
os << cert;
}
os << "</extra-certs>" << std::endl;
}
}
os << "cipher " << CryptoAlgs::name(protoConfig->dc.cipher(), "none")
<< std::endl;
os << "auth " << CryptoAlgs::name(protoConfig->dc.digest(), "none")
<< std::endl;
const char *comp = protoConfig->comp_ctx.method_to_string();
if (comp)
os << "compress " << comp << std::endl;
os << "keepalive " << protoConfig->keepalive_ping.to_seconds() << " "
<< protoConfig->keepalive_timeout.to_seconds() << std::endl;
os << "tun-mtu " << protoConfig->tun_mtu << std::endl;
os << "reneg-sec " << protoConfig->renegotiate.to_seconds() << std::endl;
return os.str();
}
#ifdef HAVE_CONFIG_JSONCPP
std::string to_json_config() const
{
std::ostringstream os;
Json::Value root(Json::objectValue);
root["mode"] = Json::Value("client");
root["dev"] = Json::Value(dev);
root["dev-type"] = Json::Value(protoConfig->layer.dev_type());
root["remotes"] = Json::Value(Json::arrayValue);
for (size_t i = 0; i < remoteList->size(); i++)
{
const RemoteList::Item& item = remoteList->get_item(i);
Json::Value el = Json::Value(Json::objectValue);
el["address"] = Json::Value(item.server_host);
el["port"] = Json::Value((Json::UInt)std::stoi(item.server_port));
if (item.transport_protocol() == Protocol::NONE)
el["proto"] = Json::Value("adaptive");
else
el["proto"] = Json::Value(item.transport_protocol.str());
root["remotes"].append(el);
}
if (protoConfig->tls_crypt_context)
{
root["tls_wrap"] = Json::Value(Json::objectValue);
root["tls_wrap"]["mode"] = Json::Value("tls_crypt");
root["tls_wrap"]["key"] = Json::Value(protoConfig->tls_key.render());
}
else if (protoConfig->tls_auth_context)
{
root["tls_wrap"] = Json::Value(Json::objectValue);
root["tls_wrap"]["mode"] = Json::Value("tls_auth");
root["tls_wrap"]["key_direction"] = Json::Value((Json::UInt)protoConfig->key_direction);
root["tls_wrap"]["key"] = Json::Value(protoConfig->tls_key.render());
}
// SSL parameters
if (sslConfig)
{
json_pem(root, "ca", sslConfig->extract_ca());
json_pem(root, "crl", sslConfig->extract_crl());
json_pem(root, "cert", sslConfig->extract_cert());
// JSON config is aimed to users, therefore we do not export the raw private
// key, but only some basic info
SSLConfigAPI::PKType priv_key_type = sslConfig->private_key_type();
if (priv_key_type != SSLConfigAPI::PK_NONE)
{
root["key"] = Json::Value(Json::objectValue);
root["key"]["type"] = Json::Value(sslConfig->private_key_type_string());
root["key"]["length"] = Json::Value((Json::UInt)sslConfig->private_key_length());
}
std::vector<std::string> extra_certs = sslConfig->extract_extra_certs();
if (extra_certs.size() > 0)
{
root["extra_certs"] = Json::Value(Json::arrayValue);
for (auto cert = extra_certs.begin(); cert != extra_certs.end(); cert++)
{
if (!cert->empty())
root["extra_certs"].append(Json::Value(*cert));
}
}
}
root["cipher"] = Json::Value(CryptoAlgs::name(protoConfig->dc.cipher(), "none"));
root["auth"] = Json::Value(CryptoAlgs::name(protoConfig->dc.digest(), "none"));
if (protoConfig->comp_ctx.type() != CompressContext::NONE)
root["compression"] = Json::Value(protoConfig->comp_ctx.str());
root["keepalive"] = Json::Value(Json::objectValue);
root["keepalive"]["ping"] = Json::Value((Json::UInt)protoConfig->keepalive_ping.to_seconds());
root["keepalive"]["timeout"] = Json::Value((Json::UInt)protoConfig->keepalive_timeout.to_seconds());
root["tun_mtu"] = Json::Value((Json::UInt)protoConfig->tun_mtu);
root["reneg_sec"] = Json::Value((Json::UInt)protoConfig->renegotiate.to_seconds());
return root.toStyledString();
}
#endif /* HAVE_CONFIG_JSONCPP */
private:
static void print_pem(std::ostream& os, std::string label, std::string pem)
{
if (pem.empty())
return;
os << "<" << label << ">" << std::endl << pem << "</" << label << ">" << std::endl;
}
#ifdef HAVE_CONFIG_JSONCPP
static void json_pem(Json::Value& obj, std::string key, std::string pem)
{
if (pem.empty())
return;
obj[key] = Json::Value(pem);
}
#endif /* HAVE_CONFIG_JSONCPP */
static bool parse_auth_user_pass(const OptionList& options, std::vector<std::string>* user_pass)
{
return UserPass::parse(options, "auth-user-pass", 0, user_pass);
}
static void process_setenv_opt(OptionList& options)
{
for (OptionList::iterator i = options.begin(); i != options.end(); ++i)
{
Option& o = *i;
if (o.size() >= 3 && o.ref(0) == "setenv" && o.ref(1) == "opt")
o.remove_first(2);
}
}
static bool is_autologin(const OptionList& options,
const bool auth_user_pass,
const std::vector<std::string>& user_pass)
{
if (auth_user_pass && user_pass.size() >= 2) // embedded password?
return true;
else
{
const Option* autologin = options.get_ptr("AUTOLOGIN");
if (autologin)
return string::is_true(autologin->get_optional(1, 16));
else
{
bool ret = !auth_user_pass;
if (ret)
{
// External PKI profiles from AS don't declare auth-user-pass,
// and we have no way of knowing if they are autologin unless
// we examine their cert, which requires accessing the system-level
// cert store on the client. For now, we are going to assume
// that External PKI profiles from the AS are always userlogin,
// unless explicitly overriden by AUTOLOGIN above.
if (options.exists("EXTERNAL_PKI"))
return false;
}
return ret;
}
}
}
static bool is_external_pki(const OptionList& options)
{
const Option* epki = options.get_ptr("EXTERNAL_PKI");
if (epki)
return string::is_true(epki->get_optional(1, 16));
else
{
const Option* cert = options.get_ptr("cert");
const Option* key = options.get_ptr("key");
return !cert || !key;
}
}
void reset_pod()
{
error_ = autologin_ = externalPki_ = staticChallengeEcho_ = false;
privateKeyPasswordRequired_ = hasEmbeddedPassword_ = false;
pushPeerInfo_ = false;
allowPasswordSave_ = clientCertEnabled_ = true;
}
bool parse_bool(const Option& o, const std::string& title, const size_t index)
{
const std::string parm = o.get(index, 16);
if (parm == "0")
return false;
else if (parm == "1")
return true;
else
throw option_error(title + ": parameter must be 0 or 1");
}
bool error_;
std::string message_;
std::string userlockedUsername_;
std::string profileName_;
std::string friendlyName_;
bool autologin_;
bool clientCertEnabled_;
bool externalPki_;
bool pushPeerInfo_;
std::string staticChallenge_;
bool staticChallengeEcho_;
bool privateKeyPasswordRequired_;
bool allowPasswordSave_;
ServerList serverList_;
bool hasEmbeddedPassword_;
std::string embeddedPassword_;
RemoteList::Ptr remoteList;
RemoteItem firstRemoteListItem_;
PeerInfo::Set::Ptr peerInfoUV_;
ProtoContext::Config::Ptr protoConfig;
SSLLib::SSLAPI::Config::Ptr sslConfig;
std::string dev;
};
}
#endif
Reference in New Issue View Git Blame Copy Permalink