OpenVPN 3 Core Library
openvpn::PsidCookieImpl Class Reference

Implements the PsidCookie interface. More...

#include <psid_cookie_impl.hpp>


Public Member Functions

 PsidCookieImpl (ServerProto::Factory *psfp)
 
virtual ~PsidCookieImpl ()=default
 
Intercept intercept (ConstBuffer &pkt_buf, const PsidCookieAddrInfoBase &pcaib) override
 Called when a potential new client session packet is received.
 
ProtoSessionID get_cookie_psid () override
 Get the cookie psid from client's 2nd packet.
 
void provide_psid_cookie_transport (PsidCookieTransportBase::Ptr pctb) override
 Give this component the transport needed to send the server's HARD_RESET.
 
- Public Member Functions inherited from openvpn::PsidCookie
virtual ~PsidCookie ()=default
 
- Public Member Functions inherited from openvpn::RC< thread_unsafe_refcount >
 RC () noexcept=default
 
 RC (const RC &)=delete
 
virtual ~RC ()=default
 
RC & operator= (const RC &)=delete
 
olong use_count () const noexcept
 Delegates call to RCImpl and returns the result.
 

Static Public Member Functions

static void pre_threading_setup ()
 
- Static Public Member Functions inherited from openvpn::RC< thread_unsafe_refcount >
static constexpr bool is_thread_safe ()
 Delegates call to RCImpl and returns the result.
 

Static Public Attributes

static constexpr int SID_SIZE = ProtoSessionID::SIZE
 

Private Types

using CookieHelper = ProtoContext::PsidCookieHelper
 

Private Member Functions

Intercept process_clients_initial_reset (ConstBuffer &pkt_buf, const PsidCookieAddrInfoBase &pcaib)
 
Intercept process_clients_server_reset_ack (ConstBuffer &pkt_buf, const PsidCookieAddrInfoBase &pcaib)
 
ProtoSessionID calculate_session_id_hmac (const ProtoSessionID &cli_psid, const PsidCookieAddrInfoBase &pcaib, unsigned int offset)
 Calculate the psid cookie, the ProtoSessionID hmac.
 
bool check_session_id_hmac (const ProtoSessionID &srv_psid, const ProtoSessionID &cli_psid, const PsidCookieAddrInfoBase &pcaib)
 

Static Private Member Functions

static StaticKey create_key ()
 
static const StaticKey & get_key ()
 

Private Attributes

const ProtoContext::ProtoConfig & pcfg_
 
bool not_tls_auth_mode_
 
TimePtr now_
 
const Time::Duration & handwindow_
 
OvpnHMACInstance::Ptr ta_hmac_recv_
 
OvpnHMACInstance::Ptr ta_hmac_send_
 
SSLLib::CryptoAPI::HMACContext hmac_ctx_
 
PsidCookieTransportBase::Ptr pctb_
 
ProtoSessionID cookie_psid_
 

Static Private Attributes

static constexpr CryptoAlgs::Type digest_ = CryptoAlgs::Type::SHA256
 

Additional Inherited Members

- Public Types inherited from openvpn::PsidCookie
enum class  Intercept {
  DECLINE_HANDLING , EARLY_DROP , DROP_1ST , HANDLE_1ST ,
  DROP_2ND , HANDLE_2ND
}
 Values returned by the intercept() function. More...
 
typedef RCPtr< PsidCookie > Ptr
 
- Public Types inherited from openvpn::RC< thread_unsafe_refcount >
typedef RCPtr< RC > Ptr
 

Detailed Description

Implements the PsidCookie interface.

This code currently supports only tls-auth. The approach can be applied with minimal changes to tls-crypt and to no-auth as well, but the tls-crypt-v2 case requires further changes, including protocol changes and updated clients.

This class is not thread safe; it expects to be instantiated in each thread of a multi-threaded server implementation.

Definition at line 44 of file psid_cookie_impl.hpp.

Member Typedef Documentation

◆ CookieHelper

Constructor & Destructor Documentation

◆ PsidCookieImpl()

openvpn::PsidCookieImpl::PsidCookieImpl ( ServerProto::Factory * psfp)
inline

Definition at line 56 of file psid_cookie_impl.hpp.

◆ ~PsidCookieImpl()

virtual openvpn::PsidCookieImpl::~PsidCookieImpl ( )
virtual default

Member Function Documentation

◆ calculate_session_id_hmac()

ProtoSessionID openvpn::PsidCookieImpl::calculate_session_id_hmac ( const ProtoSessionID & cli_psid,
const PsidCookieAddrInfoBase & pcaib,
unsigned int offset
)
inline private

Calculate the psid cookie, the ProtoSessionID hmac.

Parameters
cli_psid  Client's protocol session id, ProtoSessionID
pcaib  Client's address information, reproducibly hashable
offset  Moves the valid time window backward from the current one
Returns
ProtoSessionID  the psid cookie

Definition at line 288 of file psid_cookie_impl.hpp.


◆ check_session_id_hmac()

bool openvpn::PsidCookieImpl::check_session_id_hmac ( const ProtoSessionID & srv_psid,
const ProtoSessionID & cli_psid,
const PsidCookieAddrInfoBase & pcaib
)
inline private

Definition at line 328 of file psid_cookie_impl.hpp.
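Sketch of the stateless cookie scheme behind calculate_session_id_hmac() and check_session_id_hmac(), as an added Python illustration that is not the OpenVPN 3 code: the cookie psid is an HMAC-SHA256 (the class's digest_) over the client's psid, its address info and a time-window index, and verification re-derives it for the current window and the one before it (offset 0 and 1), so the server keeps no per-client state between the client's first and second packet. The server key, the 60 s window length, the 8-byte SID_SIZE and checking exactly two windows are assumptions of this example.

```python
import hmac
import hashlib
import struct

# Constructed constants for this illustration; the real class takes them from
# ProtoSessionID::SIZE and the server's handshake-window configuration.
SID_SIZE = 8            # assumed: ProtoSessionID::SIZE is 8 bytes
HANDWINDOW_SECS = 60    # assumed handshake window length


class PsidCookieDemo:
    """Stateless session-id cookie: HMAC-SHA256 under a server-side key over
    the client's psid, its address info and a coarse time-window index."""

    def __init__(self, key: bytes, now_fn):
        self.key = key          # stands in for get_key()/hmac_ctx_
        self.now_fn = now_fn    # stands in for now_ (injectable for testing)

    def calculate_session_id_hmac(self, cli_psid: bytes, addr_info: bytes, offset: int) -> bytes:
        # offset > 0 moves the time window backward from the current one
        window = self.now_fn() // HANDWINDOW_SECS - offset
        msg = cli_psid + addr_info + struct.pack(">q", window)
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:SID_SIZE]

    def check_session_id_hmac(self, srv_psid: bytes, cli_psid: bytes, addr_info: bytes) -> bool:
        # Accept the current window and the one just before it, so a client whose
        # reply straddles a window boundary is not rejected; compare in constant time.
        for offset in (0, 1):
            expected = self.calculate_session_id_hmac(cli_psid, addr_info, offset)
            if hmac.compare_digest(srv_psid, expected):
                return True
        return False


def demo() -> dict:
    clock = {"t": 1_000_000}          # constructed, controllable clock
    srv = PsidCookieDemo(b"constructed-32-byte-server-key!!", lambda: clock["t"])
    cli_psid = b"\x01\x02\x03\x04\x05\x06\x07\x08"   # constructed client psid
    addr = b"198.51.100.7:1194"                       # constructed address info
    # Server answers the client's HARD_RESET with a cookie psid and keeps no state.
    cookie = srv.calculate_session_id_hmac(cli_psid, addr, 0)
    results = {"same_window": srv.check_session_id_hmac(cookie, cli_psid, addr)}
    clock["t"] += HANDWINDOW_SECS                    # client replies in the next window
    results["next_window"] = srv.check_session_id_hmac(cookie, cli_psid, addr)
    results["other_address"] = srv.check_session_id_hmac(cookie, cli_psid, b"203.0.113.9:1194")
    clock["t"] += HANDWINDOW_SECS                    # two windows later: cookie is stale
    results["stale"] = srv.check_session_id_hmac(cookie, cli_psid, addr)
    return results
```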


◆ create_key()

static StaticKey openvpn::PsidCookieImpl::create_key ( )
inline static private

Definition at line 263 of file psid_cookie_impl.hpp.


◆ get_cookie_psid()

ProtoSessionID openvpn::PsidCookieImpl::get_cookie_psid ( )
inline override virtual

Get the cookie psid from client's 2nd packet.

This provides the server's psid (a.k.a. the cookie_psid) as returned by the client in its 2nd packet. It may only be called after intercept() returns HANDLE_2ND, indicating a valid psid cookie. Further, it may only be called once, as it invalidates the internal data source after it sets the return value.

Returns
ProtoSessionID

Implements openvpn::PsidCookie.

Definition at line 117 of file psid_cookie_impl.hpp.

◆ get_key()

static const StaticKey & openvpn::PsidCookieImpl::get_key ( )
inline static private

Definition at line 274 of file psid_cookie_impl.hpp.


◆ intercept()

Intercept openvpn::PsidCookieImpl::intercept ( ConstBuffer & pkt_buf,
const PsidCookieAddrInfoBase & pcaib
)
inline override virtual

Called when a potential new client session packet is received.

Called by the server implementation when it receives a packet for which it has no state information. Such a packet is potentially a client HARD_RESET or a 2nd client packet returning the psid cookie.

Parameters
pkt_buf  The packet received by the server implementation.
pcaib  The address information, as contained in an instance of the class that the server implementation derived from the PsidCookieAddrInfoBase class.
Returns
Intercept  Status of the packet handling

Implements openvpn::PsidCookie.

Definition at line 91 of file psid_cookie_impl.hpp.

◆ pre_threading_setup()

static void openvpn::PsidCookieImpl::pre_threading_setup ( )
inline static

Definition at line 51 of file psid_cookie_impl.hpp.


◆ process_clients_initial_reset()

Intercept openvpn::PsidCookieImpl::process_clients_initial_reset ( ConstBuffer & pkt_buf,
const PsidCookieAddrInfoBase & pcaib
)
inline private

Definition at line 134 of file psid_cookie_impl.hpp.


◆ process_clients_server_reset_ack()

Intercept openvpn::PsidCookieImpl::process_clients_server_reset_ack ( ConstBuffer & pkt_buf,
const PsidCookieAddrInfoBase & pcaib
)
inline private

Definition at line 210 of file psid_cookie_impl.hpp.


◆ provide_psid_cookie_transport()

void openvpn::PsidCookieImpl::provide_psid_cookie_transport ( PsidCookieTransportBase::Ptr pctb)
inline override virtual

Give this component the transport needed to send the server's HARD_RESET.

The server implementation must call this method before the intercept() function is asked to handle a packet.

Parameters
pctb  The transport capability, as provided by the server implementation's object derived from the PsidCookieTransportBase class.

Implements openvpn::PsidCookie.

Definition at line 124 of file psid_cookie_impl.hpp.

Member Data Documentation

◆ cookie_psid_

ProtoSessionID openvpn::PsidCookieImpl::cookie_psid_
private

Definition at line 360 of file psid_cookie_impl.hpp.

◆ digest_

constexpr CryptoAlgs::Type openvpn::PsidCookieImpl::digest_ = CryptoAlgs::Type::SHA256
static constexpr private

Definition at line 346 of file psid_cookie_impl.hpp.

◆ handwindow_

const Time::Duration& openvpn::PsidCookieImpl::handwindow_
private

Definition at line 351 of file psid_cookie_impl.hpp.

◆ hmac_ctx_

SSLLib::CryptoAPI::HMACContext openvpn::PsidCookieImpl::hmac_ctx_
private

Definition at line 357 of file psid_cookie_impl.hpp.

◆ not_tls_auth_mode_

bool openvpn::PsidCookieImpl::not_tls_auth_mode_
private

Definition at line 349 of file psid_cookie_impl.hpp.

◆ now_

TimePtr openvpn::PsidCookieImpl::now_
private

Definition at line 350 of file psid_cookie_impl.hpp.

◆ pcfg_

const ProtoContext::ProtoConfig& openvpn::PsidCookieImpl::pcfg_
private

Definition at line 348 of file psid_cookie_impl.hpp.

◆ pctb_

PsidCookieTransportBase::Ptr openvpn::PsidCookieImpl::pctb_
private

Definition at line 359 of file psid_cookie_impl.hpp.

◆ SID_SIZE

constexpr int openvpn::PsidCookieImpl::SID_SIZE = ProtoSessionID::SIZE
static constexpr

Definition at line 47 of file psid_cookie_impl.hpp.

◆ ta_hmac_recv_

OvpnHMACInstance::Ptr openvpn::PsidCookieImpl::ta_hmac_recv_
private

Definition at line 353 of file psid_cookie_impl.hpp.

◆ ta_hmac_send_

OvpnHMACInstance::Ptr openvpn::PsidCookieImpl::ta_hmac_send_
private

Definition at line 354 of file psid_cookie_impl.hpp.

