File: is_openvpn_protocol.hpp

package info (click to toggle)
openvpn3-client 25%2Bdfsg-3
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 19,276 kB
  • sloc: cpp: 190,085; python: 7,218; ansic: 1,866; sh: 1,361; java: 402; lisp: 81; makefile: 17
file content (75 lines) | stat: -rw-r--r-- 2,497 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
 
//    OpenVPN -- An application to securely tunnel IP networks
//               over a single port, with support for SSL/TLS-based
//               session authentication and key exchange,
//               packet encryption, packet authentication, and
//               packet compression.
//
//    Copyright (C) 2012- OpenVPN Inc.
//
//    SPDX-License-Identifier: MPL-2.0 OR AGPL-3.0-only WITH openvpn3-openssl-exception
//
//

#ifndef OPENVPN_SSL_IS_OPENVPN_PROTOCOL_H
#define OPENVPN_SSL_IS_OPENVPN_PROTOCOL_H

#include <cstddef> // for std::size_t

namespace openvpn {

/**
 * @brief  Given either the first 2 or 3 bytes of an initial client -> server
 *         data payload, return true if the protocol is that of an OpenVPN
 *         client attempting to connect with an OpenVPN server.
 *
 * @param  p   Buffer containing packet data.
 * @param  len Packet (buffer) length.
 *
 * @return true if we're dealing with an OpenVPN client, false otherwise.
 */
inline bool is_openvpn_protocol(const unsigned char *p, std::size_t len)
{
    static constexpr int P_CONTROL_HARD_RESET_CLIENT_V2 = 7;
    static constexpr int P_CONTROL_HARD_RESET_CLIENT_V3 = 10;
    static constexpr int P_OPCODE_SHIFT = 3;

    if (len >= 3)
    {
        int plen = (p[0] << 8) | p[1];

        if (p[2] == (P_CONTROL_HARD_RESET_CLIENT_V3 << P_OPCODE_SHIFT))
        {
            /* WKc is at least 290 byte (not including metadata):
             *
             * 16 bit len + 256 bit HMAC + 2048 bit Kc = 2320 bit
             *
             * This is increased by the normal length of client handshake +
             * tls-crypt overhead (32)
             *
             * For metadata tls-crypt-v2.txt does not explicitly specify
             * an upper limit but we also have TLS_CRYPT_V2_MAX_WKC_LEN
             * as 1024 bytes. We err on the safe side with 255 extra overhead
             *
             * We don't do the 2 byte check for tls-crypt-v2 because it is very
             * unrealistic to have only 2 bytes available.
             */
            return (plen >= 336 && plen < (1024 + 255));
        }

        /* For non tls-crypt2 we assume the packet length to valid between
         * 14 and 255 */
        return plen >= 14 && plen <= 255
               && (p[2] == (P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT));
    }

    if (len >= 2)
    {
        int plen = (p[0] << 8) | p[1];
        return plen >= 14 && plen <= 255;
    }

    return true;
}

} // namespace openvpn
#endif