openvpn3/tls__crypt__v2_8hpp_source.html

//    OpenVPN -- An application to securely tunnel IP networks

//               over a single port, with support for SSL/TLS-based

//               session authentication and key exchange,

//               packet encryption, packet authentication, and

//               packet compression.

//

//    Copyright (C) 2017-2018 OpenVPN Technologies, Inc.

//

//    This program is free software: you can redistribute it and/or modify

//    it under the terms of the GNU General Public License Version 3

//    as published by the Free Software Foundation.

//

//    This program is distributed in the hope that it will be useful,

//    but WITHOUT ANY WARRANTY; without even the implied warranty of

//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

//    GNU General Public License for more details.

//

//    You should have received a copy of the GNU General Public License

//    along with this program in the COPYING file.

//    If not, see <http://www.gnu.org/licenses/>.


// Classes for handling OpenVPN tls-crypt-v2 internals


#ifndef OPENVPN_CRYPTO_TLS_CRYPT_V2_H

#define OPENVPN_CRYPTO_TLS_CRYPT_V2_H


#include <string>


#include <openvpn/common/exception.hpp>

#include <openvpn/buffer/buffer.hpp>

#include <openvpn/crypto/static_key.hpp>

#include <openvpn/crypto/tls_crypt.hpp>

#include <openvpn/ssl/sslchoose.hpp>


namespace openvpn {

constexpr static const char *tls_crypt_v2_server_key_name = "OpenVPN tls-crypt-v2 server key";

constexpr static const char *tls_crypt_v2_client_key_name = "OpenVPN tls-crypt-v2 client key";


class TLSCryptV2ServerKey

{

  public:

    OPENVPN_SIMPLE_EXCEPTION(tls_crypt_v2_server_key_parse_error);

    OPENVPN_SIMPLE_EXCEPTION(tls_crypt_v2_server_key_encode_error);

    OPENVPN_SIMPLE_EXCEPTION(tls_crypt_v2_server_key_bad_size);


    TLSCryptV2ServerKey()

        : key_size(128),

          key(key_size, BufAllocFlags::DESTRUCT_ZERO)

    {

    }


    bool defined() const

    {

        return key.defined();

    }


    void parse(const std::string &key_text)

    {

        if (!SSLLib::PEMAPI::pem_decode(key, key_text.c_str(), key_text.length(), tls_crypt_v2_server_key_name))

            throw tls_crypt_v2_server_key_parse_error();


        if (key.size() != key_size)

            throw tls_crypt_v2_server_key_bad_size();

    }


    void extract_key(OpenVPNStaticKey &tls_key)

    {

        std::memcpy(tls_key.raw_alloc(), key.c_data(), key_size);

    }


    std::string render() const

    {

        BufferAllocated data(32 + 2 * key.size(), 0);


        if (!SSLLib::PEMAPI::pem_encode(data, key.c_data(), key.size(), tls_crypt_v2_server_key_name))

            throw tls_crypt_v2_server_key_encode_error();


        return std::string((const char *)data.c_data());

    }


  private:

    const size_t key_size;

    BufferAllocated key;

};


class TLSCryptV2ClientKey

{

  public:

    enum

    {

        WKC_MAX_SIZE = 1024, // bytes

    };


    OPENVPN_SIMPLE_EXCEPTION(tls_crypt_v2_client_key_parse_error);

    OPENVPN_SIMPLE_EXCEPTION(tls_crypt_v2_client_key_encode_error);

    OPENVPN_SIMPLE_EXCEPTION(tls_crypt_v2_client_key_bad_size);


    TLSCryptV2ClientKey() = delete;


    TLSCryptV2ClientKey(TLSCryptContext::Ptr context)

        : key_size(OpenVPNStaticKey::KEY_SIZE),

          tag_size(context->digest_size())

    {

    }


    bool defined() const

    {

        return key.defined() && wkc.defined();

    }


    void parse(const std::string &key_text)

    {

        BufferAllocated data(key_size + WKC_MAX_SIZE, BufAllocFlags::DESTRUCT_ZERO);


        if (!SSLLib::PEMAPI::pem_decode(data, key_text.c_str(), key_text.length(), tls_crypt_v2_client_key_name))

            throw tls_crypt_v2_client_key_parse_error();


        if (data.size() < (tag_size + key_size))

            throw tls_crypt_v2_client_key_bad_size();


        key.init(data.data(), key_size, BufAllocFlags::DESTRUCT_ZERO);

        wkc.init(data.data() + key_size, data.size() - key_size, BufAllocFlags::DESTRUCT_ZERO);

    }


    void extract_key(OpenVPNStaticKey &tls_key)

    {

        std::memcpy(tls_key.raw_alloc(), key.c_data(), key_size);

    }


    std::string render() const

    {

        BufferAllocated data(32 + 2 * (key.size() + wkc.size()), 0);

        BufferAllocated in(key, BufAllocFlags::GROW);

        in.append(wkc);


        if (!SSLLib::PEMAPI::pem_encode(data, in.c_data(), in.size(), tls_crypt_v2_client_key_name))

            throw tls_crypt_v2_client_key_encode_error();


        return std::string((const char *)data.c_data());

    }


    void extract_wkc(BufferAllocated &wkc_out) const

    {

        wkc_out = wkc;

    }


  private:

    BufferAllocated key;

    BufferAllocated wkc;


    const size_t key_size;

    const size_t tag_size;

};


// the user can extend the TLSCryptMetadata and the TLSCryptMetadataFactory

// classes to implement its own metadata verification method.

//

// default method is to *ignore* the metadata contained in the WKc sent by the client


class TLSCryptMetadata : public RC<thread_unsafe_refcount>

{

  public:

    typedef RCPtr<TLSCryptMetadata> Ptr;


    // override this method with your own verification mechanism.

    //

    // If type is -1 it means that metadata is empty.

    //


    virtual bool verify(int type, Buffer &metadata) const

    {

        return true;

    }


};


// abstract class to be extended when creating other factories


class TLSCryptMetadataFactory : public RC<thread_unsafe_refcount>

{

  public:

    typedef RCPtr<TLSCryptMetadataFactory> Ptr;


    virtual TLSCryptMetadata::Ptr new_obj() = 0;

};


// factory implementation for the basic verification method


class CryptoTLSCryptMetadataFactory : public TLSCryptMetadataFactory

{

  public:


    TLSCryptMetadata::Ptr new_obj()

    {

        return new TLSCryptMetadata();

    }


};


} // namespace openvpn


#endif /* OPENVPN_CRYPTO_TLS_CRYPT_V2_H */

buffer.hpp

openvpn::BufferAllocatedType< unsigned char >

openvpn::BufferAllocatedType::init
void init(const size_t capacity, const unsigned int flags)
Initializes the buffer with the specified capacity and flags.
Definition buffer.hpp:1707

openvpn::BufferType< unsigned char >

openvpn::ConstBufferType::defined
bool defined() const
Returns true if the buffer is not empty.
Definition buffer.hpp:1207

openvpn::ConstBufferType::c_data
const T * c_data() const
Returns a const pointer to the start of the buffer.
Definition buffer.hpp:1177

openvpn::ConstBufferType::append
void append(const B &other)
Append data from another buffer to this buffer.
Definition buffer.hpp:1607

openvpn::ConstBufferType::c_str
const T * c_str() const
Returns a const pointer to the null-terminated string representation of the buffer.
Definition buffer.hpp:1165

openvpn::ConstBufferType::size
size_t size() const
Returns the size of the buffer in T objects.
Definition buffer.hpp:1225

openvpn::CryptoTLSCryptMetadataFactory
Definition tls_crypt_v2.hpp:186

openvpn::CryptoTLSCryptMetadataFactory::new_obj
TLSCryptMetadata::Ptr new_obj()
Definition tls_crypt_v2.hpp:188

openvpn::OpenVPNStaticKey
Definition static_key.hpp:91

openvpn::OpenVPNStaticKey::raw_alloc
unsigned char * raw_alloc()
Definition static_key.hpp:179

openvpn::RCPtr< TLSCryptContext >

openvpn::RC
Reference count base class for objects tracked by RCPtr. Disallows copying and assignment.
Definition rc.hpp:912

openvpn::TLSCryptMetadataFactory
Definition tls_crypt_v2.hpp:177

openvpn::TLSCryptMetadataFactory::new_obj
virtual TLSCryptMetadata::Ptr new_obj()=0

openvpn::TLSCryptMetadataFactory::Ptr
RCPtr< TLSCryptMetadataFactory > Ptr
Definition tls_crypt_v2.hpp:179

openvpn::TLSCryptMetadata
Definition tls_crypt_v2.hpp:161

openvpn::TLSCryptMetadata::Ptr
RCPtr< TLSCryptMetadata > Ptr
Definition tls_crypt_v2.hpp:163

openvpn::TLSCryptMetadata::verify
virtual bool verify(int type, Buffer &metadata) const
Definition tls_crypt_v2.hpp:169

openvpn::TLSCryptV2ClientKey
Definition tls_crypt_v2.hpp:88

openvpn::TLSCryptV2ClientKey::parse
void parse(const std::string &key_text)
Definition tls_crypt_v2.hpp:112

openvpn::TLSCryptV2ClientKey::TLSCryptV2ClientKey
TLSCryptV2ClientKey(TLSCryptContext::Ptr context)
Definition tls_crypt_v2.hpp:101

openvpn::TLSCryptV2ClientKey::extract_wkc
void extract_wkc(BufferAllocated &wkc_out) const
Definition tls_crypt_v2.hpp:143

openvpn::TLSCryptV2ClientKey::tag_size
const size_t tag_size
Definition tls_crypt_v2.hpp:153

openvpn::TLSCryptV2ClientKey::wkc
BufferAllocated wkc
Definition tls_crypt_v2.hpp:150

openvpn::TLSCryptV2ClientKey::OPENVPN_SIMPLE_EXCEPTION
OPENVPN_SIMPLE_EXCEPTION(tls_crypt_v2_client_key_bad_size)

openvpn::TLSCryptV2ClientKey::render
std::string render() const
Definition tls_crypt_v2.hpp:131

openvpn::TLSCryptV2ClientKey::extract_key
void extract_key(OpenVPNStaticKey &tls_key)
Definition tls_crypt_v2.hpp:126

openvpn::TLSCryptV2ClientKey::WKC_MAX_SIZE
@ WKC_MAX_SIZE
Definition tls_crypt_v2.hpp:92

openvpn::TLSCryptV2ClientKey::TLSCryptV2ClientKey
TLSCryptV2ClientKey()=delete

openvpn::TLSCryptV2ClientKey::defined
bool defined() const
Definition tls_crypt_v2.hpp:107

openvpn::TLSCryptV2ClientKey::key
BufferAllocated key
Definition tls_crypt_v2.hpp:149

openvpn::TLSCryptV2ClientKey::key_size
const size_t key_size
Definition tls_crypt_v2.hpp:152

openvpn::TLSCryptV2ClientKey::OPENVPN_SIMPLE_EXCEPTION
OPENVPN_SIMPLE_EXCEPTION(tls_crypt_v2_client_key_parse_error)

openvpn::TLSCryptV2ClientKey::OPENVPN_SIMPLE_EXCEPTION
OPENVPN_SIMPLE_EXCEPTION(tls_crypt_v2_client_key_encode_error)

openvpn::TLSCryptV2ServerKey
Definition tls_crypt_v2.hpp:40

openvpn::TLSCryptV2ServerKey::key_size
const size_t key_size
Definition tls_crypt_v2.hpp:82

openvpn::TLSCryptV2ServerKey::OPENVPN_SIMPLE_EXCEPTION
OPENVPN_SIMPLE_EXCEPTION(tls_crypt_v2_server_key_bad_size)

openvpn::TLSCryptV2ServerKey::defined
bool defined() const
Definition tls_crypt_v2.hpp:52

openvpn::TLSCryptV2ServerKey::OPENVPN_SIMPLE_EXCEPTION
OPENVPN_SIMPLE_EXCEPTION(tls_crypt_v2_server_key_parse_error)

openvpn::TLSCryptV2ServerKey::extract_key
void extract_key(OpenVPNStaticKey &tls_key)
Definition tls_crypt_v2.hpp:66

openvpn::TLSCryptV2ServerKey::TLSCryptV2ServerKey
TLSCryptV2ServerKey()
Definition tls_crypt_v2.hpp:46

openvpn::TLSCryptV2ServerKey::parse
void parse(const std::string &key_text)
Definition tls_crypt_v2.hpp:57

openvpn::TLSCryptV2ServerKey::render
std::string render() const
Definition tls_crypt_v2.hpp:71

openvpn::TLSCryptV2ServerKey::key
BufferAllocated key
Definition tls_crypt_v2.hpp:83

openvpn::TLSCryptV2ServerKey::OPENVPN_SIMPLE_EXCEPTION
OPENVPN_SIMPLE_EXCEPTION(tls_crypt_v2_server_key_encode_error)

exception.hpp

openvpn
Support deferred server-side state creation when client connects.
Definition ovpncli.cpp:95

openvpn::tls_crypt_v2_client_key_name
static constexpr const char * tls_crypt_v2_client_key_name
Definition tls_crypt_v2.hpp:37

openvpn::tls_crypt_v2_server_key_name
static constexpr const char * tls_crypt_v2_server_key_name
Definition tls_crypt_v2.hpp:36

sslchoose.hpp

static_key.hpp

openvpn::BufAllocFlags
Definition buffer.hpp:867

openvpn::BufAllocFlags::DESTRUCT_ZERO
@ DESTRUCT_ZERO
if enabled, destructor will zero data before deletion
Definition buffer.hpp:871

openvpn::BufAllocFlags::GROW
@ GROW
if enabled, buffer will grow (otherwise buffer_full exception will be thrown)
Definition buffer.hpp:872

key_text
const char key_text[]
Definition test_statickey.cpp:11

tls_crypt.hpp