Newer
Older
XinYang_IOS / Carthage / Checkouts / OpenVPNAdapter / Sources / OpenVPN3 / openvpn / options / merge.hpp
@zhangfeng zhangfeng on 7 Dec 2023 13 KB 1.8.0
//    OpenVPN -- An application to securely tunnel IP networks
//               over a single port, with support for SSL/TLS-based
//               session authentication and key exchange,
//               packet encryption, packet authentication, and
//               packet compression.
//
//    Copyright (C) 2012-2020 OpenVPN Inc.
//
//    This program is free software: you can redistribute it and/or modify
//    it under the terms of the GNU Affero General Public License Version 3
//    as published by the Free Software Foundation.
//
//    This program is distributed in the hope that it will be useful,
//    but WITHOUT ANY WARRANTY; without even the implied warranty of
//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
//    GNU Affero General Public License for more details.
//
//    You should have received a copy of the GNU Affero General Public License
//    along with this program in the COPYING file.
//    If not, see <http://www.gnu.org/licenses/>.

// This class will read a standard OpenVPN config file that might contain
// references to other files, and it will merge the included files into the
// config file, using inline configuration syntax, to produce a single,
// unified config file.

#ifndef OPENVPN_OPTIONS_MERGE_H
#define OPENVPN_OPTIONS_MERGE_H

#include <string>
#include <sstream>
#include <vector>

#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/common/options.hpp>
#include <openvpn/common/string.hpp>
#include <openvpn/common/split.hpp>
#include <openvpn/common/path.hpp>
#include <openvpn/common/file.hpp>
#include <openvpn/common/splitlines.hpp>

namespace openvpn {

  class ProfileMerge
  {
    // internal flags
    enum {
      F_MAY_INCLUDE_KEY_DIRECTION = (1<<0),
      F_PKCS12 = (1<<1),
      F_HTTP_PROXY = (1<<2),
    };

    // limits
    enum {
      MAX_FN_LIST_SIZE=16,
    };

  public:
    OPENVPN_EXCEPTION(merge_error);

    // public status values
    enum Status {
      MERGE_UNDEFINED,
      MERGE_SUCCESS,
      MERGE_EXCEPTION,
      MERGE_OVPN_EXT_FAIL,
      MERGE_OVPN_FILE_FAIL,
      MERGE_REF_FAIL,
      MERGE_MULTIPLE_REF_FAIL,
    };

    // merge status
    Status status() const { return status_; }
    const std::string& error() const { return error_; }

    // merge path basename
    const std::string& basename() const { return basename_; }

    // final unified profile
    const std::string& profile_content() const { return profile_content_; }

    // list of all reference paths successfully read
    const std::vector<std::string>& ref_path_list() const { return ref_succeed_list_; }

    // merge status as a string
    const char *status_string() const
    {
      switch (status_)
	{
	case MERGE_UNDEFINED:
	  return "MERGE_UNDEFINED";
	case MERGE_SUCCESS:
	  return "MERGE_SUCCESS";
	case MERGE_EXCEPTION:
	  return "MERGE_EXCEPTION";
	case MERGE_OVPN_EXT_FAIL:
	  return "MERGE_OVPN_EXT_FAIL";
	case MERGE_OVPN_FILE_FAIL:
	  return "MERGE_OVPN_FILE_FAIL";
	case MERGE_REF_FAIL:
	  return "MERGE_REF_FAIL";
	case MERGE_MULTIPLE_REF_FAIL:
	  return "MERGE_MULTIPLE_REF_FAIL";
	default:
	  return "MERGE_?";
	}
    }

    // allow following of external file references
    enum Follow {
      FOLLOW_NONE,
      FOLLOW_PARTIAL,
      FOLLOW_FULL,
    };

    ProfileMerge(const std::string& profile_path,
		 const std::string& profile_ext,
		 const std::string& profile_dir_override,
		 const Follow follow_references,
		 const size_t max_line_len,
		 const size_t max_size)
      : status_(MERGE_UNDEFINED)
    {
      try {
	size_t total_size = 0;

	// read the profile
	std::string orig_profile_content;
	std::string profile_dir;
	try {
	  profile_dir = !profile_dir_override.empty() ? profile_dir_override : path::dirname(profile_path);
	  basename_ = path::basename(profile_path);
	  const std::string ext = path::ext(basename_);
	  if (profile_ext.empty() || string::strcasecmp(ext, profile_ext) == 0)
	    {
	      orig_profile_content = read_text_utf8(profile_path, max_size);
	      total_size = orig_profile_content.size();
	    }
	  else
	    {
	      status_ = MERGE_OVPN_EXT_FAIL;
	      error_ = std::string("ERR_PROFILE_NO_OVPN_EXTENSION: ") + basename_;
	      return;
	    }
	}
	catch (const file_is_binary& e)
	  {
	    status_ = MERGE_OVPN_FILE_FAIL;
	    error_ = std::string("ERR_PROFILE_FILE_IS_BINARY: ") + e.what();
	    return;
	  }
	catch (const file_too_large& e)
	  {
	    status_ = MERGE_OVPN_FILE_FAIL;
	    error_ = std::string("ERR_PROFILE_FILE_TOO_LARGE: ") + e.what();
	    return;
	  }
	catch (const std::exception& e)
	  {
	    status_ = MERGE_OVPN_FILE_FAIL;
	    error_ = std::string("ERR_PROFILE_GENERIC: ") + e.what();
	    return;
	  }

	// expand the profile
	expand_profile(orig_profile_content, profile_dir, follow_references, max_line_len, max_size, total_size);
      }
      catch (const std::exception& e)
	{
	  status_ = MERGE_EXCEPTION;
	  error_ = std::string("ERR_PROFILE_GENERIC: ") + e.what();
	}
    }

    static std::string merge(const std::string& profile_path,
			     const std::string& profile_ext,
			     const std::string& profile_dir_override,
			     const Follow follow_references,
			     const size_t max_line_len,
			     const size_t max_size)
    {
      const ProfileMerge pm(profile_path, profile_ext, profile_dir_override,
			    follow_references, max_line_len, max_size);
      if (pm.status() == ProfileMerge::MERGE_SUCCESS)
	return pm.profile_content();
      else
	OPENVPN_THROW(merge_error, pm.status_string() << ": " << pm.error());
    }

  protected:
    ProfileMerge() : status_(MERGE_UNDEFINED) {}

    void expand_profile(const std::string& orig_profile_content,
			const std::string& profile_dir,
			const Follow follow_references,
			const size_t max_line_len,
			const size_t max_size,
			size_t total_size)
    {
      if (total_size > max_size)
	{
	  status_ = MERGE_EXCEPTION;
	  error_ = "ERR_PROFILE_FILE_TOO_LARGE: file too large";
	  return;
	}

      status_ = MERGE_SUCCESS;

      SplitLines in(orig_profile_content, max_line_len);
      int line_num = 0;
      bool in_multiline = false;
      bool opaque_multiline = false;
      Option multiline;

      profile_content_.reserve(orig_profile_content.length());
      while (in(true))
	{
	  if (in.line_overflow())
	    {
	      status_ = MERGE_EXCEPTION;
	      error_ = "ERR_PROFILE_LINE_TOO_LONG: line too long";
	      return;
	    }
	  const std::string& line = in.line_ref();
	  bool echo = true;
	  ++line_num;
	  if (in_multiline)
	    {
	      if (OptionList::is_close_tag(line, multiline.ref(0)))
		{
		  multiline.clear();
		  in_multiline = false;
		  opaque_multiline = false;
		}
	    }
	  else if (!OptionList::ignore_line(line))
	    {
	      Option opt = Split::by_space<Option, OptionList::LexComment, SpaceMatch, Split::NullLimit>(line);
	      if (opt.size())
		{
		  if (OptionList::is_open_tag(opt.ref(0)) && opt.size() == 1)
		    {
		      OptionList::untag_open_tag(opt.ref(0));
		      multiline = opt;
		      in_multiline = true;
		      unsigned int flags = 0; // not used
		      opaque_multiline = is_fileref_directive(multiline.ref(0), flags);
		    }
		  else
		    {
		      unsigned int flags = 0;
		      bool is_fileref = (!opaque_multiline
					 && opt.size() >= 2
					 && is_fileref_directive(opt.ref(0), flags));
		      if (is_fileref)
			{
			  // check if http-proxy directive references a creds file
			  if (flags & F_HTTP_PROXY)
			    {
			      is_fileref = false;
			      if (opt.size() >= 4)
				{
				  const std::string authfile = opt.get(3, 256);
				  if (authfile != "auto" && authfile != "auto-nct")
				    {
				      opt.ref(3) = "auto";
				      profile_content_ += opt.escape(false);
				      profile_content_ += '\n';
				      opt.ref(0) = "http-proxy-user-pass";
				      opt.ref(1) = authfile;
				      opt.resize(2);
				      is_fileref = true;
				    }
				}
			    }
			}
		      if (is_fileref)
			{
			  // found a directive referencing a file

			  // get basename of file and make sure that it doesn't
			  // attempt to traverse directories (unless
			  // follow_references == FOLLOW_FULL)
			  const std::string fn_str = opt.get(1, 256);
			  const std::string fn = (follow_references == FOLLOW_FULL ? fn_str : path::basename(fn_str));
			  if (fn.empty())
			    {
			      echo = false;
			      status_ = MERGE_REF_FAIL;
			      error_ = "ERR_PROFILE_NO_FILENAME: filename not provided";
			    }
			  else if (follow_references != FOLLOW_FULL && !path::is_flat(fn))
			    {
			      echo = false;
			      status_ = MERGE_REF_FAIL;
			      error_ = std::string("ERR_PROFILE_CANT_FOLLOW_LINK: ") + fn;
			      if (ref_fail_list_.size() < MAX_FN_LIST_SIZE)
				ref_fail_list_.push_back(fn);
			    }
			  else
			    {
			      std::string path;
			      std::string file_content;
			      bool error = false;
			      try {
				if (follow_references == FOLLOW_NONE)
				  {
				    status_ = MERGE_EXCEPTION;
				    error_ = std::string("ERR_PROFILE_CANT_FOLLOW_LINK: ") + fn + ": cannot follow file reference";
				    return;
				  }
				path = path::join(profile_dir, fn);
				file_content = read_text_utf8(path, max_size);
				total_size += file_content.size();
				if (total_size > max_size)
				  {
				    status_ = MERGE_EXCEPTION;
				    error_ = std::string("ERR_PROFILE_FILE_TOO_LARGE: ") + fn + ": file too large";
				    return;
				  }
				OptionList::detect_multiline_breakout(file_content, opt.ref(0));
			      }
			      catch (const std::exception& e)
				{
				  error = true;
				  status_ = MERGE_REF_FAIL;
				  error_ = std::string("ERR_PROFILE_GENERIC: ") + fn + " : " + e.what();
				  if (ref_fail_list_.size() < MAX_FN_LIST_SIZE)
				    ref_fail_list_.push_back(fn);
				}

			      if (!error) // succeeded in reading file?
				{
				  // don't echo this line, i.e. opt[], instead expand file_content into profile
				  echo = false;

				  // tls-auth or secret directive may include key-direction parameter
				  if (flags & F_MAY_INCLUDE_KEY_DIRECTION)
				    {
				      std::string key_direction;
				      if (opt.size() >= 3)
					key_direction = opt.get(2, 16);
				      else
					key_direction = "bidirectional";
				      profile_content_ += "key-direction " + key_direction + "\n";
				    }

				  // format file_content for appending to profile
				  {
				    std::ostringstream os;
				    const std::string& tag = opt.ref(0);
				    string::add_trailing(file_content, '\n');
				    os << '<' << tag << ">\n" << file_content << "</" << tag << ">\n";
				    profile_content_ += os.str();
				  }

				  // save file we referenced
				  if (ref_succeed_list_.size() < MAX_FN_LIST_SIZE)
				    ref_succeed_list_.push_back(path);
				}
			    }
			}
		    }
		}
	    }
	  if (echo)
	    {
	      profile_content_ += line;
	      profile_content_ += '\n';
	    }
	}

      // If more than 2 errors occurred, change status to
      // MERGE_MULTIPLE_REF_FAIL and enumerate each failed file.
      if (ref_fail_list_.size() >= 2)
	{
	  status_ = MERGE_MULTIPLE_REF_FAIL;
	  error_ = "ERR_PROFILE_GENERIC: ";
	  for (size_t i = 0; i < ref_fail_list_.size(); ++i)
	    {
	      if (i)
		error_ += ", ";
	      error_ += ref_fail_list_[i];
	    }
	}
    }

    static bool is_fileref_directive(const std::string& d, unsigned int& flags)
    {
      if (d.length() > 0)
	{
	  switch (d[0])
	    {
	    case 'a':
	      return d == "auth-user-pass";
	    case 'c':
	      return d == "ca" || d == "cert" || d == "crl-verify";
	    case 'd':
	      return d == "dh";
	    case 'e':
	      return d == "extra-certs";
	    case 'h':
	      if (d == "http-proxy")
		{
		  flags |= F_HTTP_PROXY;
		  return true;
		}
	      return false;
	    case 'k':
	      return d == "key";
#if 0 // define when we have capability to parse out pkcs12 from profile and add to Keychain (fixme)
	    case 'p':
	      if (d == "pkcs12")
		{
		  flags |= F_PKCS12;
		  return true;
		}
	      return false;
#endif
	    case 'r':
	      if (d == "relay-extra-ca")
		return true;
	      if (d == "relay-tls-auth")
		{
		  flags |= F_MAY_INCLUDE_KEY_DIRECTION;
		  return true;
		}
	      return false;
	    case 's':
	      if (d == "static-key")
		return true;
	      return false;
	    case 't':
	      if (d == "tls-auth")
		{
		  flags |= F_MAY_INCLUDE_KEY_DIRECTION;
		  return true;
		}
	      if (d == "tls-crypt")
		return true;
	      if (d == "tls-crypt-v2")
		return true;
	      return false;
	    }
	}
      return false;
    }

    Status status_;
    std::string profile_content_;
    std::string basename_;
    std::string error_;
    std::vector<std::string> ref_fail_list_;
    std::vector<std::string> ref_succeed_list_;
  };

  class ProfileMergeFromString : public ProfileMerge
  {
  public:
    ProfileMergeFromString(const std::string& profile_content,
			   const std::string& ref_dir,
			   const Follow follow_references,
			   const size_t max_line_len,
			   const size_t max_size)
    {
      try {
	// expand the profile
	expand_profile(profile_content, ref_dir, follow_references,
		       max_line_len, max_size, profile_content.size());
      }
      catch (const std::exception& e)
	{
	  status_ = MERGE_EXCEPTION;
	  error_ = std::string("ERR_PROFILE_GENERIC: ") + e.what();
	}
    }

    static std::string merge(const std::string& profile_content,
			     const std::string& ref_dir,
			     const Follow follow_references,
			     const size_t max_line_len,
			     const size_t max_size)
    {
      const ProfileMergeFromString pm(profile_content, ref_dir,
				      follow_references, max_line_len, max_size);
      if (pm.status() == ProfileMerge::MERGE_SUCCESS)
	return pm.profile_content();
      else
	OPENVPN_THROW(merge_error, pm.status_string() << ": " << pm.error());
    }

  };
}

#endif